]> git.saurik.com Git - apple/xnu.git/blob - bsd/net/pf.c
projects / apple / xnu.git / blob
? search:


0ddbf167a68358c2915779bab18ce0f1f3862cc0
[apple/xnu.git] / bsd / net / pf.c
1 /*
2 * Copyright (c) 2007-2017 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /* $apfw: git commit 6602420f2f101b74305cd78f7cd9e0c8fdedae97 $ */
30 /* $OpenBSD: pf.c,v 1.567 2008/02/20 23:40:13 henning Exp $ */
31
32 /*
33 * Copyright (c) 2001 Daniel Hartmeier
34 * Copyright (c) 2002 - 2013 Henning Brauer
35 * NAT64 - Copyright (c) 2010 Viagenie Inc. (http://www.viagenie.ca)
36 * All rights reserved.
37 *
38 * Redistribution and use in source and binary forms, with or without
39 * modification, are permitted provided that the following conditions
40 * are met:
41 *
42 * - Redistributions of source code must retain the above copyright
43 * notice, this list of conditions and the following disclaimer.
44 * - Redistributions in binary form must reproduce the above
45 * copyright notice, this list of conditions and the following
46 * disclaimer in the documentation and/or other materials provided
47 * with the distribution.
48 *
49 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
50 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
51 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
52 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
53 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
54 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
55 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
56 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
57 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
58 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
59 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
60 * POSSIBILITY OF SUCH DAMAGE.
61 *
62 * Effort sponsored in part by the Defense Advanced Research Projects
63 * Agency (DARPA) and Air Force Research Laboratory, Air Force
64 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
65 *
66 */
67
68 #include <machine/endian.h>
69 #include <sys/param.h>
70 #include <sys/systm.h>
71 #include <sys/filio.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <sys/kernel.h>
75 #include <sys/time.h>
76 #include <sys/proc.h>
77 #include <sys/random.h>
78 #include <sys/mcache.h>
79 #include <sys/protosw.h>
80
81 #include <libkern/crypto/md5.h>
82 #include <libkern/libkern.h>
83
84 #include <mach/thread_act.h>
85 #include <mach/branch_predicates.h>
86
87 #include <net/if.h>
88 #include <net/if_types.h>
89 #include <net/bpf.h>
90 #include <net/route.h>
91 #include <net/dlil.h>
92
93 #include <netinet/in.h>
94 #include <netinet/in_var.h>
95 #include <netinet/in_systm.h>
96 #include <netinet/ip.h>
97 #include <netinet/ip_var.h>
98 #include <netinet/tcp.h>
99 #include <netinet/tcp_seq.h>
100 #include <netinet/udp.h>
101 #include <netinet/ip_icmp.h>
102 #include <netinet/in_pcb.h>
103 #include <netinet/tcp_timer.h>
104 #include <netinet/tcp_var.h>
105 #include <netinet/tcp_fsm.h>
106 #include <netinet/udp_var.h>
107 #include <netinet/icmp_var.h>
108 #include <net/if_ether.h>
109 #include <net/ethernet.h>
110 #include <net/flowhash.h>
111 #include <net/pfvar.h>
112 #include <net/if_pflog.h>
113
114 #if NPFSYNC
115 #include <net/if_pfsync.h>
116 #endif /* NPFSYNC */
117
118 #if INET6
119 #include <netinet/ip6.h>
120 #include <netinet6/in6_pcb.h>
121 #include <netinet6/ip6_var.h>
122 #include <netinet/icmp6.h>
123 #include <netinet6/nd6.h>
124 #endif /* INET6 */
125
126 #if DUMMYNET
127 #include <netinet/ip_dummynet.h>
128 #endif /* DUMMYNET */
129
130 /*
131 * For RandomULong(), to get a 32 bits random value
132 * Note that random() returns a 31 bits value, see rdar://11159750
133 */
134 #include <dev/random/randomdev.h>
135
136 #define DPFPRINTF(n, x) (pf_status.debug >= (n) ? printf x : ((void)0))
137
138 /*
139 * On Mac OS X, the rtableid value is treated as the interface scope
140 * value that is equivalent to the interface index used for scoped
141 * routing. A valid scope value is anything but IFSCOPE_NONE (0),
142 * as per definition of ifindex which is a positive, non-zero number.
143 * The other BSDs treat a negative rtableid value as invalid, hence
144 * the test against INT_MAX to handle userland apps which initialize
145 * the field with a negative number.
146 */
147 #define PF_RTABLEID_IS_VALID(r) \
148 ((r) > IFSCOPE_NONE && (r) <= INT_MAX)
149
150 /*
151 * Global variables
152 */
153 decl_lck_mtx_data(,pf_lock_data);
154 decl_lck_rw_data(,pf_perim_lock_data);
155 lck_mtx_t *pf_lock = &pf_lock_data;
156 lck_rw_t *pf_perim_lock = &pf_perim_lock_data;
157
158 /* state tables */
159 struct pf_state_tree_lan_ext pf_statetbl_lan_ext;
160 struct pf_state_tree_ext_gwy pf_statetbl_ext_gwy;
161
162 struct pf_palist pf_pabuf;
163 struct pf_status pf_status;
164
165 u_int32_t ticket_pabuf;
166
167 static MD5_CTX pf_tcp_secret_ctx;
168 static u_char pf_tcp_secret[16];
169 static int pf_tcp_secret_init;
170 static int pf_tcp_iss_off;
171
172 static struct pf_anchor_stackframe {
173 struct pf_ruleset *rs;
174 struct pf_rule *r;
175 struct pf_anchor_node *parent;
176 struct pf_anchor *child;
177 } pf_anchor_stack[64];
178
179 struct pool pf_src_tree_pl, pf_rule_pl, pf_pooladdr_pl;
180 struct pool pf_state_pl, pf_state_key_pl;
181
182 typedef void (*hook_fn_t)(void *);
183
184 struct hook_desc {
185 TAILQ_ENTRY(hook_desc) hd_list;
186 hook_fn_t hd_fn;
187 void *hd_arg;
188 };
189
190 #define HOOK_REMOVE 0x01
191 #define HOOK_FREE 0x02
192 #define HOOK_ABORT 0x04
193
194 static void *hook_establish(struct hook_desc_head *, int,
195 hook_fn_t, void *);
196 static void hook_runloop(struct hook_desc_head *, int flags);
197
198 struct pool pf_app_state_pl;
199 static void pf_print_addr(struct pf_addr *addr, sa_family_t af);
200 static void pf_print_sk_host(struct pf_state_host *, u_int8_t, int,
201 u_int8_t);
202
203 static void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
204
205 static void pf_init_threshold(struct pf_threshold *, u_int32_t,
206 u_int32_t);
207 static void pf_add_threshold(struct pf_threshold *);
208 static int pf_check_threshold(struct pf_threshold *);
209
210 static void pf_change_ap(int, pbuf_t *, struct pf_addr *,
211 u_int16_t *, u_int16_t *, u_int16_t *,
212 struct pf_addr *, u_int16_t, u_int8_t, sa_family_t,
213 sa_family_t, int);
214 static int pf_modulate_sack(pbuf_t *, int, struct pf_pdesc *,
215 struct tcphdr *, struct pf_state_peer *);
216 #if INET6
217 static void pf_change_a6(struct pf_addr *, u_int16_t *,
218 struct pf_addr *, u_int8_t);
219 void pf_change_addr(struct pf_addr *a, u_int16_t *c,
220 struct pf_addr *an, u_int8_t u,
221 sa_family_t af, sa_family_t afn);
222 #endif /* INET6 */
223 static void pf_change_icmp(struct pf_addr *, u_int16_t *,
224 struct pf_addr *, struct pf_addr *, u_int16_t,
225 u_int16_t *, u_int16_t *, u_int16_t *,
226 u_int16_t *, u_int8_t, sa_family_t);
227 static void pf_send_tcp(const struct pf_rule *, sa_family_t,
228 const struct pf_addr *, const struct pf_addr *,
229 u_int16_t, u_int16_t, u_int32_t, u_int32_t,
230 u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
231 u_int16_t, struct ether_header *, struct ifnet *);
232 static void pf_send_icmp(pbuf_t *, u_int8_t, u_int8_t,
233 sa_family_t, struct pf_rule *);
234 static struct pf_rule *pf_match_translation(struct pf_pdesc *, pbuf_t *,
235 int, int, struct pfi_kif *, struct pf_addr *,
236 union pf_state_xport *, struct pf_addr *,
237 union pf_state_xport *, int);
238 static struct pf_rule *pf_get_translation_aux(struct pf_pdesc *,
239 pbuf_t *, int, int, struct pfi_kif *,
240 struct pf_src_node **, struct pf_addr *,
241 union pf_state_xport *, struct pf_addr *,
242 union pf_state_xport *, union pf_state_xport *
243 );
244 static void pf_attach_state(struct pf_state_key *,
245 struct pf_state *, int);
246 static void pf_detach_state(struct pf_state *, int);
247 static u_int32_t pf_tcp_iss(struct pf_pdesc *);
248 static int pf_test_rule(struct pf_rule **, struct pf_state **,
249 int, struct pfi_kif *, pbuf_t *, int,
250 void *, struct pf_pdesc *, struct pf_rule **,
251 struct pf_ruleset **, struct ifqueue *);
252 #if DUMMYNET
253 static int pf_test_dummynet(struct pf_rule **, int,
254 struct pfi_kif *, pbuf_t **,
255 struct pf_pdesc *, struct ip_fw_args *);
256 #endif /* DUMMYNET */
257 static int pf_test_fragment(struct pf_rule **, int,
258 struct pfi_kif *, pbuf_t *, void *,
259 struct pf_pdesc *, struct pf_rule **,
260 struct pf_ruleset **);
261 static int pf_test_state_tcp(struct pf_state **, int,
262 struct pfi_kif *, pbuf_t *, int,
263 void *, struct pf_pdesc *, u_short *);
264 static int pf_test_state_udp(struct pf_state **, int,
265 struct pfi_kif *, pbuf_t *, int,
266 void *, struct pf_pdesc *, u_short *);
267 static int pf_test_state_icmp(struct pf_state **, int,
268 struct pfi_kif *, pbuf_t *, int,
269 void *, struct pf_pdesc *, u_short *);
270 static int pf_test_state_other(struct pf_state **, int,
271 struct pfi_kif *, struct pf_pdesc *);
272 static int pf_match_tag(struct pf_rule *,
273 struct pf_mtag *, int *);
274 static void pf_hash(struct pf_addr *, struct pf_addr *,
275 struct pf_poolhashkey *, sa_family_t);
276 static int pf_map_addr(u_int8_t, struct pf_rule *,
277 struct pf_addr *, struct pf_addr *,
278 struct pf_addr *, struct pf_src_node **);
279 static int pf_get_sport(struct pf_pdesc *, struct pfi_kif *,
280 struct pf_rule *, struct pf_addr *,
281 union pf_state_xport *, struct pf_addr *,
282 union pf_state_xport *, struct pf_addr *,
283 union pf_state_xport *, struct pf_src_node **
284 );
285 static void pf_route(pbuf_t **, struct pf_rule *, int,
286 struct ifnet *, struct pf_state *,
287 struct pf_pdesc *);
288 #if INET6
289 static void pf_route6(pbuf_t **, struct pf_rule *, int,
290 struct ifnet *, struct pf_state *,
291 struct pf_pdesc *);
292 #endif /* INET6 */
293 static u_int8_t pf_get_wscale(pbuf_t *, int, u_int16_t,
294 sa_family_t);
295 static u_int16_t pf_get_mss(pbuf_t *, int, u_int16_t,
296 sa_family_t);
297 static u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t,
298 u_int16_t);
299 static void pf_set_rt_ifp(struct pf_state *,
300 struct pf_addr *, sa_family_t af);
301 static int pf_check_proto_cksum(pbuf_t *, int, int,
302 u_int8_t, sa_family_t);
303 static int pf_addr_wrap_neq(struct pf_addr_wrap *,
304 struct pf_addr_wrap *);
305 static struct pf_state *pf_find_state(struct pfi_kif *,
306 struct pf_state_key_cmp *, u_int);
307 static int pf_src_connlimit(struct pf_state **);
308 static void pf_stateins_err(const char *, struct pf_state *,
309 struct pfi_kif *);
310 static int pf_check_congestion(struct ifqueue *);
311
312 #if 0
313 static const char *pf_pptp_ctrl_type_name(u_int16_t code);
314 #endif
315 static void pf_pptp_handler(struct pf_state *, int, int,
316 struct pf_pdesc *, struct pfi_kif *);
317 static void pf_pptp_unlink(struct pf_state *);
318 static void pf_grev1_unlink(struct pf_state *);
319 static int pf_test_state_grev1(struct pf_state **, int,
320 struct pfi_kif *, int, struct pf_pdesc *);
321 static int pf_ike_compare(struct pf_app_state *,
322 struct pf_app_state *);
323 static int pf_test_state_esp(struct pf_state **, int,
324 struct pfi_kif *, int, struct pf_pdesc *);
325
326 extern struct pool pfr_ktable_pl;
327 extern struct pool pfr_kentry_pl;
328 extern int path_mtu_discovery;
329
330 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
331 { &pf_state_pl, PFSTATE_HIWAT },
332 { &pf_app_state_pl, PFAPPSTATE_HIWAT },
333 { &pf_src_tree_pl, PFSNODE_HIWAT },
334 { &pf_frent_pl, PFFRAG_FRENT_HIWAT },
335 { &pfr_ktable_pl, PFR_KTABLE_HIWAT },
336 { &pfr_kentry_pl, PFR_KENTRY_HIWAT },
337 };
338
339 void *
340 pf_lazy_makewritable(struct pf_pdesc *pd, pbuf_t *pbuf, int len)
341 {
342 void *p;
343
344 if (pd->lmw < 0)
345 return (NULL);
346
347 VERIFY(pbuf == pd->mp);
348
349 p = pbuf->pb_data;
350 if (len > pd->lmw) {
351 if ((p = pbuf_ensure_writable(pbuf, len)) == NULL)
352 len = -1;
353 pd->lmw = len;
354 if (len >= 0) {
355 pd->pf_mtag = pf_find_mtag_pbuf(pbuf);
356
357 switch (pd->af) {
358 case AF_INET: {
359 struct ip *h = p;
360 pd->src = (struct pf_addr *)(uintptr_t)&h->ip_src;
361 pd->dst = (struct pf_addr *)(uintptr_t)&h->ip_dst;
362 pd->ip_sum = &h->ip_sum;
363 break;
364 }
365 #if INET6
366 case AF_INET6: {
367 struct ip6_hdr *h = p;
368 pd->src = (struct pf_addr *)(uintptr_t)&h->ip6_src;
369 pd->dst = (struct pf_addr *)(uintptr_t)&h->ip6_dst;
370 break;
371 }
372 #endif /* INET6 */
373 }
374 }
375 }
376
377 return (len < 0 ? NULL : p);
378 }
379
380 static const int *
381 pf_state_lookup_aux(struct pf_state **state, struct pfi_kif *kif,
382 int direction, int *action)
383 {
384 if (*state == NULL || (*state)->timeout == PFTM_PURGE) {
385 *action = PF_DROP;
386 return (action);
387 }
388
389 if (direction == PF_OUT &&
390 (((*state)->rule.ptr->rt == PF_ROUTETO &&
391 (*state)->rule.ptr->direction == PF_OUT) ||
392 ((*state)->rule.ptr->rt == PF_REPLYTO &&
393 (*state)->rule.ptr->direction == PF_IN)) &&
394 (*state)->rt_kif != NULL && (*state)->rt_kif != kif) {
395 *action = PF_PASS;
396 return (action);
397 }
398
399 return (0);
400 }
401
402 #define STATE_LOOKUP() \
403 do { \
404 int action; \
405 *state = pf_find_state(kif, &key, direction); \
406 if (*state != NULL && pd != NULL && \
407 !(pd->pktflags & PKTF_FLOW_ID)) { \
408 pd->flowsrc = (*state)->state_key->flowsrc; \
409 pd->flowhash = (*state)->state_key->flowhash; \
410 if (pd->flowhash != 0) { \
411 pd->pktflags |= PKTF_FLOW_ID; \
412 pd->pktflags &= ~PKTF_FLOW_ADV; \
413 } \
414 } \
415 if (pf_state_lookup_aux(state, kif, direction, &action)) \
416 return (action); \
417 } while (0)
418
419 #define STATE_ADDR_TRANSLATE(sk) \
420 (sk)->lan.addr.addr32[0] != (sk)->gwy.addr.addr32[0] || \
421 ((sk)->af_lan == AF_INET6 && \
422 ((sk)->lan.addr.addr32[1] != (sk)->gwy.addr.addr32[1] || \
423 (sk)->lan.addr.addr32[2] != (sk)->gwy.addr.addr32[2] || \
424 (sk)->lan.addr.addr32[3] != (sk)->gwy.addr.addr32[3]))
425
426 #define STATE_TRANSLATE(sk) \
427 ((sk)->af_lan != (sk)->af_gwy || \
428 STATE_ADDR_TRANSLATE(sk) || \
429 (sk)->lan.xport.port != (sk)->gwy.xport.port)
430
431 #define STATE_GRE_TRANSLATE(sk) \
432 (STATE_ADDR_TRANSLATE(sk) || \
433 (sk)->lan.xport.call_id != (sk)->gwy.xport.call_id)
434
435 #define BOUND_IFACE(r, k) \
436 ((r)->rule_flag & PFRULE_IFBOUND) ? (k) : pfi_all
437
438 #define STATE_INC_COUNTERS(s) \
439 do { \
440 s->rule.ptr->states++; \
441 VERIFY(s->rule.ptr->states != 0); \
442 if (s->anchor.ptr != NULL) { \
443 s->anchor.ptr->states++; \
444 VERIFY(s->anchor.ptr->states != 0); \
445 } \
446 if (s->nat_rule.ptr != NULL) { \
447 s->nat_rule.ptr->states++; \
448 VERIFY(s->nat_rule.ptr->states != 0); \
449 } \
450 } while (0)
451
452 #define STATE_DEC_COUNTERS(s) \
453 do { \
454 if (s->nat_rule.ptr != NULL) { \
455 VERIFY(s->nat_rule.ptr->states > 0); \
456 s->nat_rule.ptr->states--; \
457 } \
458 if (s->anchor.ptr != NULL) { \
459 VERIFY(s->anchor.ptr->states > 0); \
460 s->anchor.ptr->states--; \
461 } \
462 VERIFY(s->rule.ptr->states > 0); \
463 s->rule.ptr->states--; \
464 } while (0)
465
466 static __inline int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
467 static __inline int pf_state_compare_lan_ext(struct pf_state_key *,
468 struct pf_state_key *);
469 static __inline int pf_state_compare_ext_gwy(struct pf_state_key *,
470 struct pf_state_key *);
471 static __inline int pf_state_compare_id(struct pf_state *,
472 struct pf_state *);
473
474 struct pf_src_tree tree_src_tracking;
475
476 struct pf_state_tree_id tree_id;
477 struct pf_state_queue state_list;
478
479 RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare);
480 RB_GENERATE(pf_state_tree_lan_ext, pf_state_key,
481 entry_lan_ext, pf_state_compare_lan_ext);
482 RB_GENERATE(pf_state_tree_ext_gwy, pf_state_key,
483 entry_ext_gwy, pf_state_compare_ext_gwy);
484 RB_GENERATE(pf_state_tree_id, pf_state,
485 entry_id, pf_state_compare_id);
486
487 #define PF_DT_SKIP_LANEXT 0x01
488 #define PF_DT_SKIP_EXTGWY 0x02
489
490 static const u_int16_t PF_PPTP_PORT = 1723;
491 static const u_int32_t PF_PPTP_MAGIC_NUMBER = 0x1A2B3C4D;
492
493 struct pf_pptp_hdr {
494 u_int16_t length;
495 u_int16_t type;
496 u_int32_t magic;
497 };
498
499 struct pf_pptp_ctrl_hdr {
500 u_int16_t type;
501 u_int16_t reserved_0;
502 };
503
504 struct pf_pptp_ctrl_generic {
505 u_int16_t data[0];
506 };
507
508 #define PF_PPTP_CTRL_TYPE_START_REQ 1
509 struct pf_pptp_ctrl_start_req {
510 u_int16_t protocol_version;
511 u_int16_t reserved_1;
512 u_int32_t framing_capabilities;
513 u_int32_t bearer_capabilities;
514 u_int16_t maximum_channels;
515 u_int16_t firmware_revision;
516 u_int8_t host_name[64];
517 u_int8_t vendor_string[64];
518 };
519
520 #define PF_PPTP_CTRL_TYPE_START_RPY 2
521 struct pf_pptp_ctrl_start_rpy {
522 u_int16_t protocol_version;
523 u_int8_t result_code;
524 u_int8_t error_code;
525 u_int32_t framing_capabilities;
526 u_int32_t bearer_capabilities;
527 u_int16_t maximum_channels;
528 u_int16_t firmware_revision;
529 u_int8_t host_name[64];
530 u_int8_t vendor_string[64];
531 };
532
533 #define PF_PPTP_CTRL_TYPE_STOP_REQ 3
534 struct pf_pptp_ctrl_stop_req {
535 u_int8_t reason;
536 u_int8_t reserved_1;
537 u_int16_t reserved_2;
538 };
539
540 #define PF_PPTP_CTRL_TYPE_STOP_RPY 4
541 struct pf_pptp_ctrl_stop_rpy {
542 u_int8_t reason;
543 u_int8_t error_code;
544 u_int16_t reserved_1;
545 };
546
547 #define PF_PPTP_CTRL_TYPE_ECHO_REQ 5
548 struct pf_pptp_ctrl_echo_req {
549 u_int32_t identifier;
550 };
551
552 #define PF_PPTP_CTRL_TYPE_ECHO_RPY 6
553 struct pf_pptp_ctrl_echo_rpy {
554 u_int32_t identifier;
555 u_int8_t result_code;
556 u_int8_t error_code;
557 u_int16_t reserved_1;
558 };
559
560 #define PF_PPTP_CTRL_TYPE_CALL_OUT_REQ 7
561 struct pf_pptp_ctrl_call_out_req {
562 u_int16_t call_id;
563 u_int16_t call_sernum;
564 u_int32_t min_bps;
565 u_int32_t bearer_type;
566 u_int32_t framing_type;
567 u_int16_t rxwindow_size;
568 u_int16_t proc_delay;
569 u_int8_t phone_num[64];
570 u_int8_t sub_addr[64];
571 };
572
573 #define PF_PPTP_CTRL_TYPE_CALL_OUT_RPY 8
574 struct pf_pptp_ctrl_call_out_rpy {
575 u_int16_t call_id;
576 u_int16_t peer_call_id;
577 u_int8_t result_code;
578 u_int8_t error_code;
579 u_int16_t cause_code;
580 u_int32_t connect_speed;
581 u_int16_t rxwindow_size;
582 u_int16_t proc_delay;
583 u_int32_t phy_channel_id;
584 };
585
586 #define PF_PPTP_CTRL_TYPE_CALL_IN_1ST 9
587 struct pf_pptp_ctrl_call_in_1st {
588 u_int16_t call_id;
589 u_int16_t call_sernum;
590 u_int32_t bearer_type;
591 u_int32_t phy_channel_id;
592 u_int16_t dialed_number_len;
593 u_int16_t dialing_number_len;
594 u_int8_t dialed_num[64];
595 u_int8_t dialing_num[64];
596 u_int8_t sub_addr[64];
597 };
598
599 #define PF_PPTP_CTRL_TYPE_CALL_IN_2ND 10
600 struct pf_pptp_ctrl_call_in_2nd {
601 u_int16_t call_id;
602 u_int16_t peer_call_id;
603 u_int8_t result_code;
604 u_int8_t error_code;
605 u_int16_t rxwindow_size;
606 u_int16_t txdelay;
607 u_int16_t reserved_1;
608 };
609
610 #define PF_PPTP_CTRL_TYPE_CALL_IN_3RD 11
611 struct pf_pptp_ctrl_call_in_3rd {
612 u_int16_t call_id;
613 u_int16_t reserved_1;
614 u_int32_t connect_speed;
615 u_int16_t rxwindow_size;
616 u_int16_t txdelay;
617 u_int32_t framing_type;
618 };
619
620 #define PF_PPTP_CTRL_TYPE_CALL_CLR 12
621 struct pf_pptp_ctrl_call_clr {
622 u_int16_t call_id;
623 u_int16_t reserved_1;
624 };
625
626 #define PF_PPTP_CTRL_TYPE_CALL_DISC 13
627 struct pf_pptp_ctrl_call_disc {
628 u_int16_t call_id;
629 u_int8_t result_code;
630 u_int8_t error_code;
631 u_int16_t cause_code;
632 u_int16_t reserved_1;
633 u_int8_t statistics[128];
634 };
635
636 #define PF_PPTP_CTRL_TYPE_ERROR 14
637 struct pf_pptp_ctrl_error {
638 u_int16_t peer_call_id;
639 u_int16_t reserved_1;
640 u_int32_t crc_errors;
641 u_int32_t fr_errors;
642 u_int32_t hw_errors;
643 u_int32_t buf_errors;
644 u_int32_t tim_errors;
645 u_int32_t align_errors;
646 };
647
648 #define PF_PPTP_CTRL_TYPE_SET_LINKINFO 15
649 struct pf_pptp_ctrl_set_linkinfo {
650 u_int16_t peer_call_id;
651 u_int16_t reserved_1;
652 u_int32_t tx_accm;
653 u_int32_t rx_accm;
654 };
655
656 #if 0
657 static const char *pf_pptp_ctrl_type_name(u_int16_t code)
658 {
659 code = ntohs(code);
660
661 if (code < PF_PPTP_CTRL_TYPE_START_REQ ||
662 code > PF_PPTP_CTRL_TYPE_SET_LINKINFO) {
663 static char reserved[] = "reserved-00";
664
665 sprintf(&reserved[9], "%02x", code);
666 return (reserved);
667 } else {
668 static const char *name[] = {
669 "start_req", "start_rpy", "stop_req", "stop_rpy",
670 "echo_req", "echo_rpy", "call_out_req", "call_out_rpy",
671 "call_in_1st", "call_in_2nd", "call_in_3rd",
672 "call_clr", "call_disc", "error", "set_linkinfo"
673 };
674
675 return (name[code - 1]);
676 }
677 };
678 #endif
679
680 static const size_t PF_PPTP_CTRL_MSG_MINSIZE =
681 sizeof (struct pf_pptp_hdr) + sizeof (struct pf_pptp_ctrl_hdr);
682
683 union pf_pptp_ctrl_msg_union {
684 struct pf_pptp_ctrl_start_req start_req;
685 struct pf_pptp_ctrl_start_rpy start_rpy;
686 struct pf_pptp_ctrl_stop_req stop_req;
687 struct pf_pptp_ctrl_stop_rpy stop_rpy;
688 struct pf_pptp_ctrl_echo_req echo_req;
689 struct pf_pptp_ctrl_echo_rpy echo_rpy;
690 struct pf_pptp_ctrl_call_out_req call_out_req;
691 struct pf_pptp_ctrl_call_out_rpy call_out_rpy;
692 struct pf_pptp_ctrl_call_in_1st call_in_1st;
693 struct pf_pptp_ctrl_call_in_2nd call_in_2nd;
694 struct pf_pptp_ctrl_call_in_3rd call_in_3rd;
695 struct pf_pptp_ctrl_call_clr call_clr;
696 struct pf_pptp_ctrl_call_disc call_disc;
697 struct pf_pptp_ctrl_error error;
698 struct pf_pptp_ctrl_set_linkinfo set_linkinfo;
699 u_int8_t data[0];
700 };
701
702 struct pf_pptp_ctrl_msg {
703 struct pf_pptp_hdr hdr;
704 struct pf_pptp_ctrl_hdr ctrl;
705 union pf_pptp_ctrl_msg_union msg;
706 };
707
708 #define PF_GRE_FLAG_CHECKSUM_PRESENT 0x8000
709 #define PF_GRE_FLAG_VERSION_MASK 0x0007
710 #define PF_GRE_PPP_ETHERTYPE 0x880B
711
712 struct pf_grev1_hdr {
713 u_int16_t flags;
714 u_int16_t protocol_type;
715 u_int16_t payload_length;
716 u_int16_t call_id;
717 /*
718 u_int32_t seqno;
719 u_int32_t ackno;
720 */
721 };
722
723 static const u_int16_t PF_IKE_PORT = 500;
724
725 struct pf_ike_hdr {
726 u_int64_t initiator_cookie, responder_cookie;
727 u_int8_t next_payload, version, exchange_type, flags;
728 u_int32_t message_id, length;
729 };
730
731 #define PF_IKE_PACKET_MINSIZE (sizeof (struct pf_ike_hdr))
732
733 #define PF_IKEv1_EXCHTYPE_BASE 1
734 #define PF_IKEv1_EXCHTYPE_ID_PROTECT 2
735 #define PF_IKEv1_EXCHTYPE_AUTH_ONLY 3
736 #define PF_IKEv1_EXCHTYPE_AGGRESSIVE 4
737 #define PF_IKEv1_EXCHTYPE_INFORMATIONAL 5
738 #define PF_IKEv2_EXCHTYPE_SA_INIT 34
739 #define PF_IKEv2_EXCHTYPE_AUTH 35
740 #define PF_IKEv2_EXCHTYPE_CREATE_CHILD_SA 36
741 #define PF_IKEv2_EXCHTYPE_INFORMATIONAL 37
742
743 #define PF_IKEv1_FLAG_E 0x01
744 #define PF_IKEv1_FLAG_C 0x02
745 #define PF_IKEv1_FLAG_A 0x04
746 #define PF_IKEv2_FLAG_I 0x08
747 #define PF_IKEv2_FLAG_V 0x10
748 #define PF_IKEv2_FLAG_R 0x20
749
750 struct pf_esp_hdr {
751 u_int32_t spi;
752 u_int32_t seqno;
753 u_int8_t payload[];
754 };
755
756 static __inline int
757 pf_addr_compare(struct pf_addr *a, struct pf_addr *b, sa_family_t af)
758 {
759 switch (af) {
760 #ifdef INET
761 case AF_INET:
762 if (a->addr32[0] > b->addr32[0])
763 return (1);
764 if (a->addr32[0] < b->addr32[0])
765 return (-1);
766 break;
767 #endif /* INET */
768 #ifdef INET6
769 case AF_INET6:
770 if (a->addr32[3] > b->addr32[3])
771 return (1);
772 if (a->addr32[3] < b->addr32[3])
773 return (-1);
774 if (a->addr32[2] > b->addr32[2])
775 return (1);
776 if (a->addr32[2] < b->addr32[2])
777 return (-1);
778 if (a->addr32[1] > b->addr32[1])
779 return (1);
780 if (a->addr32[1] < b->addr32[1])
781 return (-1);
782 if (a->addr32[0] > b->addr32[0])
783 return (1);
784 if (a->addr32[0] < b->addr32[0])
785 return (-1);
786 break;
787 #endif /* INET6 */
788 }
789 return (0);
790 }
791
792 static __inline int
793 pf_src_compare(struct pf_src_node *a, struct pf_src_node *b)
794 {
795 int diff;
796
797 if (a->rule.ptr > b->rule.ptr)
798 return (1);
799 if (a->rule.ptr < b->rule.ptr)
800 return (-1);
801 if ((diff = a->af - b->af) != 0)
802 return (diff);
803 if ((diff = pf_addr_compare(&a->addr, &b->addr, a->af)) != 0)
804 return (diff);
805 return (0);
806 }
807
808 static __inline int
809 pf_state_compare_lan_ext(struct pf_state_key *a, struct pf_state_key *b)
810 {
811 int diff;
812 int extfilter;
813
814 if ((diff = a->proto - b->proto) != 0)
815 return (diff);
816 if ((diff = a->af_lan - b->af_lan) != 0)
817 return (diff);
818
819 extfilter = PF_EXTFILTER_APD;
820
821 switch (a->proto) {
822 case IPPROTO_ICMP:
823 case IPPROTO_ICMPV6:
824 if ((diff = a->lan.xport.port - b->lan.xport.port) != 0)
825 return (diff);
826 break;
827
828 case IPPROTO_TCP:
829 if ((diff = a->lan.xport.port - b->lan.xport.port) != 0)
830 return (diff);
831 if ((diff = a->ext_lan.xport.port - b->ext_lan.xport.port) != 0)
832 return (diff);
833 break;
834
835 case IPPROTO_UDP:
836 if ((diff = a->proto_variant - b->proto_variant))
837 return (diff);
838 extfilter = a->proto_variant;
839 if ((diff = a->lan.xport.port - b->lan.xport.port) != 0)
840 return (diff);
841 if ((extfilter < PF_EXTFILTER_AD) &&
842 (diff = a->ext_lan.xport.port - b->ext_lan.xport.port) != 0)
843 return (diff);
844 break;
845
846 case IPPROTO_GRE:
847 if (a->proto_variant == PF_GRE_PPTP_VARIANT &&
848 a->proto_variant == b->proto_variant) {
849 if (!!(diff = a->ext_lan.xport.call_id -
850 b->ext_lan.xport.call_id))
851 return (diff);
852 }
853 break;
854
855 case IPPROTO_ESP:
856 if (!!(diff = a->ext_lan.xport.spi - b->ext_lan.xport.spi))
857 return (diff);
858 break;
859
860 default:
861 break;
862 }
863
864 switch (a->af_lan) {
865 #if INET
866 case AF_INET:
867 if ((diff = pf_addr_compare(&a->lan.addr, &b->lan.addr,
868 a->af_lan)) != 0)
869 return (diff);
870
871 if (extfilter < PF_EXTFILTER_EI) {
872 if ((diff = pf_addr_compare(&a->ext_lan.addr,
873 &b->ext_lan.addr,
874 a->af_lan)) != 0)
875 return (diff);
876 }
877 break;
878 #endif /* INET */
879 #if INET6
880 case AF_INET6:
881 if ((diff = pf_addr_compare(&a->lan.addr, &b->lan.addr,
882 a->af_lan)) != 0)
883 return (diff);
884
885 if (extfilter < PF_EXTFILTER_EI ||
886 !PF_AZERO(&b->ext_lan.addr, AF_INET6)) {
887 if ((diff = pf_addr_compare(&a->ext_lan.addr,
888 &b->ext_lan.addr,
889 a->af_lan)) != 0)
890 return (diff);
891 }
892 break;
893 #endif /* INET6 */
894 }
895
896 if (a->app_state && b->app_state) {
897 if (a->app_state->compare_lan_ext &&
898 b->app_state->compare_lan_ext) {
899 diff = (const char *)b->app_state->compare_lan_ext -
900 (const char *)a->app_state->compare_lan_ext;
901 if (diff != 0)
902 return (diff);
903 diff = a->app_state->compare_lan_ext(a->app_state,
904 b->app_state);
905 if (diff != 0)
906 return (diff);
907 }
908 }
909
910 return (0);
911 }
912
913 static __inline int
914 pf_state_compare_ext_gwy(struct pf_state_key *a, struct pf_state_key *b)
915 {
916 int diff;
917 int extfilter;
918
919 if ((diff = a->proto - b->proto) != 0)
920 return (diff);
921
922 if ((diff = a->af_gwy - b->af_gwy) != 0)
923 return (diff);
924
925 extfilter = PF_EXTFILTER_APD;
926
927 switch (a->proto) {
928 case IPPROTO_ICMP:
929 case IPPROTO_ICMPV6:
930 if ((diff = a->gwy.xport.port - b->gwy.xport.port) != 0)
931 return (diff);
932 break;
933
934 case IPPROTO_TCP:
935 if ((diff = a->ext_gwy.xport.port - b->ext_gwy.xport.port) != 0)
936 return (diff);
937 if ((diff = a->gwy.xport.port - b->gwy.xport.port) != 0)
938 return (diff);
939 break;
940
941 case IPPROTO_UDP:
942 if ((diff = a->proto_variant - b->proto_variant))
943 return (diff);
944 extfilter = a->proto_variant;
945 if ((diff = a->gwy.xport.port - b->gwy.xport.port) != 0)
946 return (diff);
947 if ((extfilter < PF_EXTFILTER_AD) &&
948 (diff = a->ext_gwy.xport.port - b->ext_gwy.xport.port) != 0)
949 return (diff);
950 break;
951
952 case IPPROTO_GRE:
953 if (a->proto_variant == PF_GRE_PPTP_VARIANT &&
954 a->proto_variant == b->proto_variant) {
955 if (!!(diff = a->gwy.xport.call_id -
956 b->gwy.xport.call_id))
957 return (diff);
958 }
959 break;
960
961 case IPPROTO_ESP:
962 if (!!(diff = a->gwy.xport.spi - b->gwy.xport.spi))
963 return (diff);
964 break;
965
966 default:
967 break;
968 }
969
970 switch (a->af_gwy) {
971 #if INET
972 case AF_INET:
973 if ((diff = pf_addr_compare(&a->gwy.addr, &b->gwy.addr,
974 a->af_gwy)) != 0)
975 return (diff);
976
977 if (extfilter < PF_EXTFILTER_EI) {
978 if ((diff = pf_addr_compare(&a->ext_gwy.addr, &b->ext_gwy.addr,
979 a->af_gwy)) != 0)
980 return (diff);
981 }
982 break;
983 #endif /* INET */
984 #if INET6
985 case AF_INET6:
986 if ((diff = pf_addr_compare(&a->gwy.addr, &b->gwy.addr,
987 a->af_gwy)) != 0)
988 return (diff);
989
990 if (extfilter < PF_EXTFILTER_EI ||
991 !PF_AZERO(&b->ext_gwy.addr, AF_INET6)) {
992 if ((diff = pf_addr_compare(&a->ext_gwy.addr, &b->ext_gwy.addr,
993 a->af_gwy)) != 0)
994 return (diff);
995 }
996 break;
997 #endif /* INET6 */
998 }
999
1000 if (a->app_state && b->app_state) {
1001 if (a->app_state->compare_ext_gwy &&
1002 b->app_state->compare_ext_gwy) {
1003 diff = (const char *)b->app_state->compare_ext_gwy -
1004 (const char *)a->app_state->compare_ext_gwy;
1005 if (diff != 0)
1006 return (diff);
1007 diff = a->app_state->compare_ext_gwy(a->app_state,
1008 b->app_state);
1009 if (diff != 0)
1010 return (diff);
1011 }
1012 }
1013
1014 return (0);
1015 }
1016
1017 static __inline int
1018 pf_state_compare_id(struct pf_state *a, struct pf_state *b)
1019 {
1020 if (a->id > b->id)
1021 return (1);
1022 if (a->id < b->id)
1023 return (-1);
1024 if (a->creatorid > b->creatorid)
1025 return (1);
1026 if (a->creatorid < b->creatorid)
1027 return (-1);
1028
1029 return (0);
1030 }
1031
1032 #if INET6
1033 void
1034 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
1035 {
1036 switch (af) {
1037 #if INET
1038 case AF_INET:
1039 dst->addr32[0] = src->addr32[0];
1040 break;
1041 #endif /* INET */
1042 case AF_INET6:
1043 dst->addr32[0] = src->addr32[0];
1044 dst->addr32[1] = src->addr32[1];
1045 dst->addr32[2] = src->addr32[2];
1046 dst->addr32[3] = src->addr32[3];
1047 break;
1048 }
1049 }
1050 #endif /* INET6 */
1051
1052 struct pf_state *
1053 pf_find_state_byid(struct pf_state_cmp *key)
1054 {
1055 pf_status.fcounters[FCNT_STATE_SEARCH]++;
1056
1057 return (RB_FIND(pf_state_tree_id, &tree_id,
1058 (struct pf_state *)(void *)key));
1059 }
1060
1061 static struct pf_state *
1062 pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir)
1063 {
1064 struct pf_state_key *sk = NULL;
1065 struct pf_state *s;
1066
1067 pf_status.fcounters[FCNT_STATE_SEARCH]++;
1068
1069 switch (dir) {
1070 case PF_OUT:
1071 sk = RB_FIND(pf_state_tree_lan_ext, &pf_statetbl_lan_ext,
1072 (struct pf_state_key *)key);
1073 break;
1074 case PF_IN:
1075 sk = RB_FIND(pf_state_tree_ext_gwy, &pf_statetbl_ext_gwy,
1076 (struct pf_state_key *)key);
1077 /*
1078 * NAT64 is done only on input, for packets coming in from
1079 * from the LAN side, need to lookup the lan_ext tree.
1080 */
1081 if (sk == NULL) {
1082 sk = RB_FIND(pf_state_tree_lan_ext,
1083 &pf_statetbl_lan_ext,
1084 (struct pf_state_key *)key);
1085 if (sk && sk->af_lan == sk->af_gwy)
1086 sk = NULL;
1087 }
1088 break;
1089 default:
1090 panic("pf_find_state");
1091 }
1092
1093 /* list is sorted, if-bound states before floating ones */
1094 if (sk != NULL)
1095 TAILQ_FOREACH(s, &sk->states, next)
1096 if (s->kif == pfi_all || s->kif == kif)
1097 return (s);
1098
1099 return (NULL);
1100 }
1101
1102 struct pf_state *
1103 pf_find_state_all(struct pf_state_key_cmp *key, u_int dir, int *more)
1104 {
1105 struct pf_state_key *sk = NULL;
1106 struct pf_state *s, *ret = NULL;
1107
1108 pf_status.fcounters[FCNT_STATE_SEARCH]++;
1109
1110 switch (dir) {
1111 case PF_OUT:
1112 sk = RB_FIND(pf_state_tree_lan_ext,
1113 &pf_statetbl_lan_ext, (struct pf_state_key *)key);
1114 break;
1115 case PF_IN:
1116 sk = RB_FIND(pf_state_tree_ext_gwy,
1117 &pf_statetbl_ext_gwy, (struct pf_state_key *)key);
1118 /*
1119 * NAT64 is done only on input, for packets coming in from
1120 * from the LAN side, need to lookup the lan_ext tree.
1121 */
1122 if ((sk == NULL) && pf_nat64_configured) {
1123 sk = RB_FIND(pf_state_tree_lan_ext,
1124 &pf_statetbl_lan_ext,
1125 (struct pf_state_key *)key);
1126 if (sk && sk->af_lan == sk->af_gwy)
1127 sk = NULL;
1128 }
1129 break;
1130 default:
1131 panic("pf_find_state_all");
1132 }
1133
1134 if (sk != NULL) {
1135 ret = TAILQ_FIRST(&sk->states);
1136 if (more == NULL)
1137 return (ret);
1138
1139 TAILQ_FOREACH(s, &sk->states, next)
1140 (*more)++;
1141 }
1142
1143 return (ret);
1144 }
1145
1146 static void
1147 pf_init_threshold(struct pf_threshold *threshold,
1148 u_int32_t limit, u_int32_t seconds)
1149 {
1150 threshold->limit = limit * PF_THRESHOLD_MULT;
1151 threshold->seconds = seconds;
1152 threshold->count = 0;
1153 threshold->last = pf_time_second();
1154 }
1155
1156 static void
1157 pf_add_threshold(struct pf_threshold *threshold)
1158 {
1159 u_int32_t t = pf_time_second(), diff = t - threshold->last;
1160
1161 if (diff >= threshold->seconds)
1162 threshold->count = 0;
1163 else
1164 threshold->count -= threshold->count * diff /
1165 threshold->seconds;
1166 threshold->count += PF_THRESHOLD_MULT;
1167 threshold->last = t;
1168 }
1169
1170 static int
1171 pf_check_threshold(struct pf_threshold *threshold)
1172 {
1173 return (threshold->count > threshold->limit);
1174 }
1175
1176 static int
1177 pf_src_connlimit(struct pf_state **state)
1178 {
1179 int bad = 0;
1180 (*state)->src_node->conn++;
1181 VERIFY((*state)->src_node->conn != 0);
1182 (*state)->src.tcp_est = 1;
1183 pf_add_threshold(&(*state)->src_node->conn_rate);
1184
1185 if ((*state)->rule.ptr->max_src_conn &&
1186 (*state)->rule.ptr->max_src_conn <
1187 (*state)->src_node->conn) {
1188 pf_status.lcounters[LCNT_SRCCONN]++;
1189 bad++;
1190 }
1191
1192 if ((*state)->rule.ptr->max_src_conn_rate.limit &&
1193 pf_check_threshold(&(*state)->src_node->conn_rate)) {
1194 pf_status.lcounters[LCNT_SRCCONNRATE]++;
1195 bad++;
1196 }
1197
1198 if (!bad)
1199 return (0);
1200
1201 if ((*state)->rule.ptr->overload_tbl) {
1202 struct pfr_addr p;
1203 u_int32_t killed = 0;
1204
1205 pf_status.lcounters[LCNT_OVERLOAD_TABLE]++;
1206 if (pf_status.debug >= PF_DEBUG_MISC) {
1207 printf("pf_src_connlimit: blocking address ");
1208 pf_print_host(&(*state)->src_node->addr, 0,
1209 (*state)->state_key->af_lan);
1210 }
1211
1212 bzero(&p, sizeof (p));
1213 p.pfra_af = (*state)->state_key->af_lan;
1214 switch ((*state)->state_key->af_lan) {
1215 #if INET
1216 case AF_INET:
1217 p.pfra_net = 32;
1218 p.pfra_ip4addr = (*state)->src_node->addr.v4addr;
1219 break;
1220 #endif /* INET */
1221 #if INET6
1222 case AF_INET6:
1223 p.pfra_net = 128;
1224 p.pfra_ip6addr = (*state)->src_node->addr.v6addr;
1225 break;
1226 #endif /* INET6 */
1227 }
1228
1229 pfr_insert_kentry((*state)->rule.ptr->overload_tbl,
1230 &p, pf_calendar_time_second());
1231
1232 /* kill existing states if that's required. */
1233 if ((*state)->rule.ptr->flush) {
1234 struct pf_state_key *sk;
1235 struct pf_state *st;
1236
1237 pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++;
1238 RB_FOREACH(st, pf_state_tree_id, &tree_id) {
1239 sk = st->state_key;
1240 /*
1241 * Kill states from this source. (Only those
1242 * from the same rule if PF_FLUSH_GLOBAL is not
1243 * set)
1244 */
1245 if (sk->af_lan ==
1246 (*state)->state_key->af_lan &&
1247 (((*state)->state_key->direction ==
1248 PF_OUT &&
1249 PF_AEQ(&(*state)->src_node->addr,
1250 &sk->lan.addr, sk->af_lan)) ||
1251 ((*state)->state_key->direction == PF_IN &&
1252 PF_AEQ(&(*state)->src_node->addr,
1253 &sk->ext_lan.addr, sk->af_lan))) &&
1254 ((*state)->rule.ptr->flush &
1255 PF_FLUSH_GLOBAL ||
1256 (*state)->rule.ptr == st->rule.ptr)) {
1257 st->timeout = PFTM_PURGE;
1258 st->src.state = st->dst.state =
1259 TCPS_CLOSED;
1260 killed++;
1261 }
1262 }
1263 if (pf_status.debug >= PF_DEBUG_MISC)
1264 printf(", %u states killed", killed);
1265 }
1266 if (pf_status.debug >= PF_DEBUG_MISC)
1267 printf("\n");
1268 }
1269
1270 /* kill this state */
1271 (*state)->timeout = PFTM_PURGE;
1272 (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
1273 return (1);
1274 }
1275
1276 int
1277 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
1278 struct pf_addr *src, sa_family_t af)
1279 {
1280 struct pf_src_node k;
1281
1282 if (*sn == NULL) {
1283 k.af = af;
1284 PF_ACPY(&k.addr, src, af);
1285 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
1286 rule->rpool.opts & PF_POOL_STICKYADDR)
1287 k.rule.ptr = rule;
1288 else
1289 k.rule.ptr = NULL;
1290 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
1291 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
1292 }
1293 if (*sn == NULL) {
1294 if (!rule->max_src_nodes ||
1295 rule->src_nodes < rule->max_src_nodes)
1296 (*sn) = pool_get(&pf_src_tree_pl, PR_WAITOK);
1297 else
1298 pf_status.lcounters[LCNT_SRCNODES]++;
1299 if ((*sn) == NULL)
1300 return (-1);
1301 bzero(*sn, sizeof (struct pf_src_node));
1302
1303 pf_init_threshold(&(*sn)->conn_rate,
1304 rule->max_src_conn_rate.limit,
1305 rule->max_src_conn_rate.seconds);
1306
1307 (*sn)->af = af;
1308 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
1309 rule->rpool.opts & PF_POOL_STICKYADDR)
1310 (*sn)->rule.ptr = rule;
1311 else
1312 (*sn)->rule.ptr = NULL;
1313 PF_ACPY(&(*sn)->addr, src, af);
1314 if (RB_INSERT(pf_src_tree,
1315 &tree_src_tracking, *sn) != NULL) {
1316 if (pf_status.debug >= PF_DEBUG_MISC) {
1317 printf("pf: src_tree insert failed: ");
1318 pf_print_host(&(*sn)->addr, 0, af);
1319 printf("\n");
1320 }
1321 pool_put(&pf_src_tree_pl, *sn);
1322 return (-1);
1323 }
1324 (*sn)->creation = pf_time_second();
1325 (*sn)->ruletype = rule->action;
1326 if ((*sn)->rule.ptr != NULL)
1327 (*sn)->rule.ptr->src_nodes++;
1328 pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
1329 pf_status.src_nodes++;
1330 } else {
1331 if (rule->max_src_states &&
1332 (*sn)->states >= rule->max_src_states) {
1333 pf_status.lcounters[LCNT_SRCSTATES]++;
1334 return (-1);
1335 }
1336 }
1337 return (0);
1338 }
1339
1340 static void
1341 pf_stateins_err(const char *tree, struct pf_state *s, struct pfi_kif *kif)
1342 {
1343 struct pf_state_key *sk = s->state_key;
1344
1345 if (pf_status.debug >= PF_DEBUG_MISC) {
1346 printf("pf: state insert failed: %s %s ", tree, kif->pfik_name);
1347 switch (sk->proto) {
1348 case IPPROTO_TCP:
1349 printf("TCP");
1350 break;
1351 case IPPROTO_UDP:
1352 printf("UDP");
1353 break;
1354 case IPPROTO_ICMP:
1355 printf("ICMP4");
1356 break;
1357 case IPPROTO_ICMPV6:
1358 printf("ICMP6");
1359 break;
1360 default:
1361 printf("PROTO=%u", sk->proto);
1362 break;
1363 }
1364 printf(" lan: ");
1365 pf_print_sk_host(&sk->lan, sk->af_lan, sk->proto,
1366 sk->proto_variant);
1367 printf(" gwy: ");
1368 pf_print_sk_host(&sk->gwy, sk->af_gwy, sk->proto,
1369 sk->proto_variant);
1370 printf(" ext_lan: ");
1371 pf_print_sk_host(&sk->ext_lan, sk->af_lan, sk->proto,
1372 sk->proto_variant);
1373 printf(" ext_gwy: ");
1374 pf_print_sk_host(&sk->ext_gwy, sk->af_gwy, sk->proto,
1375 sk->proto_variant);
1376 if (s->sync_flags & PFSTATE_FROMSYNC)
1377 printf(" (from sync)");
1378 printf("\n");
1379 }
1380 }
1381
1382 int
1383 pf_insert_state(struct pfi_kif *kif, struct pf_state *s)
1384 {
1385 struct pf_state_key *cur;
1386 struct pf_state *sp;
1387
1388 VERIFY(s->state_key != NULL);
1389 s->kif = kif;
1390
1391 if ((cur = RB_INSERT(pf_state_tree_lan_ext, &pf_statetbl_lan_ext,
1392 s->state_key)) != NULL) {
1393 /* key exists. check for same kif, if none, add to key */
1394 TAILQ_FOREACH(sp, &cur->states, next)
1395 if (sp->kif == kif) { /* collision! */
1396 pf_stateins_err("tree_lan_ext", s, kif);
1397 pf_detach_state(s,
1398 PF_DT_SKIP_LANEXT|PF_DT_SKIP_EXTGWY);
1399 return (-1);
1400 }
1401 pf_detach_state(s, PF_DT_SKIP_LANEXT|PF_DT_SKIP_EXTGWY);
1402 pf_attach_state(cur, s, kif == pfi_all ? 1 : 0);
1403 }
1404
1405 /* if cur != NULL, we already found a state key and attached to it */
1406 if (cur == NULL && (cur = RB_INSERT(pf_state_tree_ext_gwy,
1407 &pf_statetbl_ext_gwy, s->state_key)) != NULL) {
1408 /* must not happen. we must have found the sk above! */
1409 pf_stateins_err("tree_ext_gwy", s, kif);
1410 pf_detach_state(s, PF_DT_SKIP_EXTGWY);
1411 return (-1);
1412 }
1413
1414 if (s->id == 0 && s->creatorid == 0) {
1415 s->id = htobe64(pf_status.stateid++);
1416 s->creatorid = pf_status.hostid;
1417 }
1418 if (RB_INSERT(pf_state_tree_id, &tree_id, s) != NULL) {
1419 if (pf_status.debug >= PF_DEBUG_MISC) {
1420 printf("pf: state insert failed: "
1421 "id: %016llx creatorid: %08x",
1422 be64toh(s->id), ntohl(s->creatorid));
1423 if (s->sync_flags & PFSTATE_FROMSYNC)
1424 printf(" (from sync)");
1425 printf("\n");
1426 }
1427 pf_detach_state(s, 0);
1428 return (-1);
1429 }
1430 TAILQ_INSERT_TAIL(&state_list, s, entry_list);
1431 pf_status.fcounters[FCNT_STATE_INSERT]++;
1432 pf_status.states++;
1433 VERIFY(pf_status.states != 0);
1434 pfi_kif_ref(kif, PFI_KIF_REF_STATE);
1435 #if NPFSYNC
1436 pfsync_insert_state(s);
1437 #endif
1438 return (0);
1439 }
1440
1441 static int
1442 pf_purge_thread_cont(int err)
1443 {
1444 #pragma unused(err)
1445 static u_int32_t nloops = 0;
1446 int t = 1; /* 1 second */
1447
1448 /*
1449 * Update coarse-grained networking timestamp (in sec.); the idea
1450 * is to piggy-back on the periodic timeout callout to update
1451 * the counter returnable via net_uptime().
1452 */
1453 net_update_uptime();
1454
1455 lck_rw_lock_shared(pf_perim_lock);
1456 lck_mtx_lock(pf_lock);
1457
1458 /* purge everything if not running */
1459 if (!pf_status.running) {
1460 pf_purge_expired_states(pf_status.states);
1461 pf_purge_expired_fragments();
1462 pf_purge_expired_src_nodes();
1463
1464 /* terminate thread (we don't currently do this) */
1465 if (pf_purge_thread == NULL) {
1466 lck_mtx_unlock(pf_lock);
1467 lck_rw_done(pf_perim_lock);
1468
1469 thread_deallocate(current_thread());
1470 thread_terminate(current_thread());
1471 /* NOTREACHED */
1472 return (0);
1473 } else {
1474 /* if there's nothing left, sleep w/o timeout */
1475 if (pf_status.states == 0 &&
1476 pf_normalize_isempty() &&
1477 RB_EMPTY(&tree_src_tracking)) {
1478 nloops = 0;
1479 t = 0;
1480 }
1481 goto done;
1482 }
1483 }
1484
1485 /* process a fraction of the state table every second */
1486 pf_purge_expired_states(1 + (pf_status.states
1487 / pf_default_rule.timeout[PFTM_INTERVAL]));
1488
1489 /* purge other expired types every PFTM_INTERVAL seconds */
1490 if (++nloops >= pf_default_rule.timeout[PFTM_INTERVAL]) {
1491 pf_purge_expired_fragments();
1492 pf_purge_expired_src_nodes();
1493 nloops = 0;
1494 }
1495 done:
1496 lck_mtx_unlock(pf_lock);
1497 lck_rw_done(pf_perim_lock);
1498
1499 (void) tsleep0(pf_purge_thread_fn, PWAIT, "pf_purge_cont",
1500 t * hz, pf_purge_thread_cont);
1501 /* NOTREACHED */
1502 VERIFY(0);
1503
1504 return (0);
1505 }
1506
1507 void
1508 pf_purge_thread_fn(void *v, wait_result_t w)
1509 {
1510 #pragma unused(v, w)
1511 (void) tsleep0(pf_purge_thread_fn, PWAIT, "pf_purge", 0,
1512 pf_purge_thread_cont);
1513 /*
1514 * tsleep0() shouldn't have returned as PCATCH was not set;
1515 * therefore assert in this case.
1516 */
1517 VERIFY(0);
1518 }
1519
1520 u_int64_t
1521 pf_state_expires(const struct pf_state *state)
1522 {
1523 u_int32_t t;
1524 u_int32_t start;
1525 u_int32_t end;
1526 u_int32_t states;
1527
1528 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1529
1530 /* handle all PFTM_* > PFTM_MAX here */
1531 if (state->timeout == PFTM_PURGE)
1532 return (pf_time_second());
1533
1534 VERIFY(state->timeout != PFTM_UNLINKED);
1535 VERIFY(state->timeout < PFTM_MAX);
1536 t = state->rule.ptr->timeout[state->timeout];
1537 if (!t)
1538 t = pf_default_rule.timeout[state->timeout];
1539 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
1540 if (start) {
1541 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
1542 states = state->rule.ptr->states;
1543 } else {
1544 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
1545 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
1546 states = pf_status.states;
1547 }
1548 if (end && states > start && start < end) {
1549 if (states < end)
1550 return (state->expire + t * (end - states) /
1551 (end - start));
1552 else
1553 return (pf_time_second());
1554 }
1555 return (state->expire + t);
1556 }
1557
1558 void
1559 pf_purge_expired_src_nodes(void)
1560 {
1561 struct pf_src_node *cur, *next;
1562
1563 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1564
1565 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) {
1566 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur);
1567
1568 if (cur->states <= 0 && cur->expire <= pf_time_second()) {
1569 if (cur->rule.ptr != NULL) {
1570 cur->rule.ptr->src_nodes--;
1571 if (cur->rule.ptr->states <= 0 &&
1572 cur->rule.ptr->max_src_nodes <= 0)
1573 pf_rm_rule(NULL, cur->rule.ptr);
1574 }
1575 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur);
1576 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
1577 pf_status.src_nodes--;
1578 pool_put(&pf_src_tree_pl, cur);
1579 }
1580 }
1581 }
1582
1583 void
1584 pf_src_tree_remove_state(struct pf_state *s)
1585 {
1586 u_int32_t t;
1587
1588 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1589
1590 if (s->src_node != NULL) {
1591 if (s->src.tcp_est) {
1592 VERIFY(s->src_node->conn > 0);
1593 --s->src_node->conn;
1594 }
1595 VERIFY(s->src_node->states > 0);
1596 if (--s->src_node->states <= 0) {
1597 t = s->rule.ptr->timeout[PFTM_SRC_NODE];
1598 if (!t)
1599 t = pf_default_rule.timeout[PFTM_SRC_NODE];
1600 s->src_node->expire = pf_time_second() + t;
1601 }
1602 }
1603 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
1604 VERIFY(s->nat_src_node->states > 0);
1605 if (--s->nat_src_node->states <= 0) {
1606 t = s->rule.ptr->timeout[PFTM_SRC_NODE];
1607 if (!t)
1608 t = pf_default_rule.timeout[PFTM_SRC_NODE];
1609 s->nat_src_node->expire = pf_time_second() + t;
1610 }
1611 }
1612 s->src_node = s->nat_src_node = NULL;
1613 }
1614
1615 void
1616 pf_unlink_state(struct pf_state *cur)
1617 {
1618 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1619
1620 if (cur->src.state == PF_TCPS_PROXY_DST) {
1621 pf_send_tcp(cur->rule.ptr, cur->state_key->af_lan,
1622 &cur->state_key->ext_lan.addr, &cur->state_key->lan.addr,
1623 cur->state_key->ext_lan.xport.port,
1624 cur->state_key->lan.xport.port,
1625 cur->src.seqhi, cur->src.seqlo + 1,
1626 TH_RST|TH_ACK, 0, 0, 0, 1, cur->tag, NULL, NULL);
1627 }
1628
1629 hook_runloop(&cur->unlink_hooks, HOOK_REMOVE|HOOK_FREE);
1630 RB_REMOVE(pf_state_tree_id, &tree_id, cur);
1631 #if NPFSYNC
1632 if (cur->creatorid == pf_status.hostid)
1633 pfsync_delete_state(cur);
1634 #endif
1635 cur->timeout = PFTM_UNLINKED;
1636 pf_src_tree_remove_state(cur);
1637 pf_detach_state(cur, 0);
1638 }
1639
1640 /* callers should be at splpf and hold the
1641 * write_lock on pf_consistency_lock */
1642 void
1643 pf_free_state(struct pf_state *cur)
1644 {
1645 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1646 #if NPFSYNC
1647 if (pfsyncif != NULL &&
1648 (pfsyncif->sc_bulk_send_next == cur ||
1649 pfsyncif->sc_bulk_terminator == cur))
1650 return;
1651 #endif
1652 VERIFY(cur->timeout == PFTM_UNLINKED);
1653 VERIFY(cur->rule.ptr->states > 0);
1654 if (--cur->rule.ptr->states <= 0 &&
1655 cur->rule.ptr->src_nodes <= 0)
1656 pf_rm_rule(NULL, cur->rule.ptr);
1657 if (cur->nat_rule.ptr != NULL) {
1658 VERIFY(cur->nat_rule.ptr->states > 0);
1659 if (--cur->nat_rule.ptr->states <= 0 &&
1660 cur->nat_rule.ptr->src_nodes <= 0)
1661 pf_rm_rule(NULL, cur->nat_rule.ptr);
1662 }
1663 if (cur->anchor.ptr != NULL) {
1664 VERIFY(cur->anchor.ptr->states > 0);
1665 if (--cur->anchor.ptr->states <= 0)
1666 pf_rm_rule(NULL, cur->anchor.ptr);
1667 }
1668 pf_normalize_tcp_cleanup(cur);
1669 pfi_kif_unref(cur->kif, PFI_KIF_REF_STATE);
1670 TAILQ_REMOVE(&state_list, cur, entry_list);
1671 if (cur->tag)
1672 pf_tag_unref(cur->tag);
1673 pool_put(&pf_state_pl, cur);
1674 pf_status.fcounters[FCNT_STATE_REMOVALS]++;
1675 VERIFY(pf_status.states > 0);
1676 pf_status.states--;
1677 }
1678
1679 void
1680 pf_purge_expired_states(u_int32_t maxcheck)
1681 {
1682 static struct pf_state *cur = NULL;
1683 struct pf_state *next;
1684
1685 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1686
1687 while (maxcheck--) {
1688 /* wrap to start of list when we hit the end */
1689 if (cur == NULL) {
1690 cur = TAILQ_FIRST(&state_list);
1691 if (cur == NULL)
1692 break; /* list empty */
1693 }
1694
1695 /* get next state, as cur may get deleted */
1696 next = TAILQ_NEXT(cur, entry_list);
1697
1698 if (cur->timeout == PFTM_UNLINKED) {
1699 pf_free_state(cur);
1700 } else if (pf_state_expires(cur) <= pf_time_second()) {
1701 /* unlink and free expired state */
1702 pf_unlink_state(cur);
1703 pf_free_state(cur);
1704 }
1705 cur = next;
1706 }
1707 }
1708
1709 int
1710 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw)
1711 {
1712 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1713
1714 if (aw->type != PF_ADDR_TABLE)
1715 return (0);
1716 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL)
1717 return (1);
1718 return (0);
1719 }
1720
1721 void
1722 pf_tbladdr_remove(struct pf_addr_wrap *aw)
1723 {
1724 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1725
1726 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL)
1727 return;
1728 pfr_detach_table(aw->p.tbl);
1729 aw->p.tbl = NULL;
1730 }
1731
1732 void
1733 pf_tbladdr_copyout(struct pf_addr_wrap *aw)
1734 {
1735 struct pfr_ktable *kt = aw->p.tbl;
1736
1737 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
1738
1739 if (aw->type != PF_ADDR_TABLE || kt == NULL)
1740 return;
1741 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
1742 kt = kt->pfrkt_root;
1743 aw->p.tbl = NULL;
1744 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ?
1745 kt->pfrkt_cnt : -1;
1746 }
1747
1748 static void
1749 pf_print_addr(struct pf_addr *addr, sa_family_t af)
1750 {
1751 switch (af) {
1752 #if INET
1753 case AF_INET: {
1754 u_int32_t a = ntohl(addr->addr32[0]);
1755 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
1756 (a>>8)&255, a&255);
1757 break;
1758 }
1759 #endif /* INET */
1760 #if INET6
1761 case AF_INET6: {
1762 u_int16_t b;
1763 u_int8_t i, curstart = 255, curend = 0,
1764 maxstart = 0, maxend = 0;
1765 for (i = 0; i < 8; i++) {
1766 if (!addr->addr16[i]) {
1767 if (curstart == 255)
1768 curstart = i;
1769 else
1770 curend = i;
1771 } else {
1772 if (curstart) {
1773 if ((curend - curstart) >
1774 (maxend - maxstart)) {
1775 maxstart = curstart;
1776 maxend = curend;
1777 curstart = 255;
1778 }
1779 }
1780 }
1781 }
1782 for (i = 0; i < 8; i++) {
1783 if (i >= maxstart && i <= maxend) {
1784 if (maxend != 7) {
1785 if (i == maxstart)
1786 printf(":");
1787 } else {
1788 if (i == maxend)
1789 printf(":");
1790 }
1791 } else {
1792 b = ntohs(addr->addr16[i]);
1793 printf("%x", b);
1794 if (i < 7)
1795 printf(":");
1796 }
1797 }
1798 break;
1799 }
1800 #endif /* INET6 */
1801 }
1802 }
1803
1804 static void
1805 pf_print_sk_host(struct pf_state_host *sh, sa_family_t af, int proto,
1806 u_int8_t proto_variant)
1807 {
1808 pf_print_addr(&sh->addr, af);
1809
1810 switch (proto) {
1811 case IPPROTO_ESP:
1812 if (sh->xport.spi)
1813 printf("[%08x]", ntohl(sh->xport.spi));
1814 break;
1815
1816 case IPPROTO_GRE:
1817 if (proto_variant == PF_GRE_PPTP_VARIANT)
1818 printf("[%u]", ntohs(sh->xport.call_id));
1819 break;
1820
1821 case IPPROTO_TCP:
1822 case IPPROTO_UDP:
1823 printf("[%u]", ntohs(sh->xport.port));
1824 break;
1825
1826 default:
1827 break;
1828 }
1829 }
1830
1831 static void
1832 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
1833 {
1834 pf_print_addr(addr, af);
1835 if (p)
1836 printf("[%u]", ntohs(p));
1837 }
1838
1839 void
1840 pf_print_state(struct pf_state *s)
1841 {
1842 struct pf_state_key *sk = s->state_key;
1843 switch (sk->proto) {
1844 case IPPROTO_ESP:
1845 printf("ESP ");
1846 break;
1847 case IPPROTO_GRE:
1848 printf("GRE%u ", sk->proto_variant);
1849 break;
1850 case IPPROTO_TCP:
1851 printf("TCP ");
1852 break;
1853 case IPPROTO_UDP:
1854 printf("UDP ");
1855 break;
1856 case IPPROTO_ICMP:
1857 printf("ICMP ");
1858 break;
1859 case IPPROTO_ICMPV6:
1860 printf("ICMPV6 ");
1861 break;
1862 default:
1863 printf("%u ", sk->proto);
1864 break;
1865 }
1866 pf_print_sk_host(&sk->lan, sk->af_lan, sk->proto, sk->proto_variant);
1867 printf(" ");
1868 pf_print_sk_host(&sk->gwy, sk->af_gwy, sk->proto, sk->proto_variant);
1869 printf(" ");
1870 pf_print_sk_host(&sk->ext_lan, sk->af_lan, sk->proto,
1871 sk->proto_variant);
1872 printf(" ");
1873 pf_print_sk_host(&sk->ext_gwy, sk->af_gwy, sk->proto,
1874 sk->proto_variant);
1875 printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo,
1876 s->src.seqhi, s->src.max_win, s->src.seqdiff);
1877 if (s->src.wscale && s->dst.wscale)
1878 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK);
1879 printf("]");
1880 printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo,
1881 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff);
1882 if (s->src.wscale && s->dst.wscale)
1883 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK);
1884 printf("]");
1885 printf(" %u:%u", s->src.state, s->dst.state);
1886 }
1887
1888 void
1889 pf_print_flags(u_int8_t f)
1890 {
1891 if (f)
1892 printf(" ");
1893 if (f & TH_FIN)
1894 printf("F");
1895 if (f & TH_SYN)
1896 printf("S");
1897 if (f & TH_RST)
1898 printf("R");
1899 if (f & TH_PUSH)
1900 printf("P");
1901 if (f & TH_ACK)
1902 printf("A");
1903 if (f & TH_URG)
1904 printf("U");
1905 if (f & TH_ECE)
1906 printf("E");
1907 if (f & TH_CWR)
1908 printf("W");
1909 }
1910
1911 #define PF_SET_SKIP_STEPS(i) \
1912 do { \
1913 while (head[i] != cur) { \
1914 head[i]->skip[i].ptr = cur; \
1915 head[i] = TAILQ_NEXT(head[i], entries); \
1916 } \
1917 } while (0)
1918
1919 void
1920 pf_calc_skip_steps(struct pf_rulequeue *rules)
1921 {
1922 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT];
1923 int i;
1924
1925 cur = TAILQ_FIRST(rules);
1926 prev = cur;
1927 for (i = 0; i < PF_SKIP_COUNT; ++i)
1928 head[i] = cur;
1929 while (cur != NULL) {
1930
1931 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot)
1932 PF_SET_SKIP_STEPS(PF_SKIP_IFP);
1933 if (cur->direction != prev->direction)
1934 PF_SET_SKIP_STEPS(PF_SKIP_DIR);
1935 if (cur->af != prev->af)
1936 PF_SET_SKIP_STEPS(PF_SKIP_AF);
1937 if (cur->proto != prev->proto)
1938 PF_SET_SKIP_STEPS(PF_SKIP_PROTO);
1939 if (cur->src.neg != prev->src.neg ||
1940 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr))
1941 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR);
1942 {
1943 union pf_rule_xport *cx = &cur->src.xport;
1944 union pf_rule_xport *px = &prev->src.xport;
1945
1946 switch (cur->proto) {
1947 case IPPROTO_GRE:
1948 case IPPROTO_ESP:
1949 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
1950 break;
1951 default:
1952 if (prev->proto == IPPROTO_GRE ||
1953 prev->proto == IPPROTO_ESP ||
1954 cx->range.op != px->range.op ||
1955 cx->range.port[0] != px->range.port[0] ||
1956 cx->range.port[1] != px->range.port[1])
1957 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
1958 break;
1959 }
1960 }
1961 if (cur->dst.neg != prev->dst.neg ||
1962 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr))
1963 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR);
1964 {
1965 union pf_rule_xport *cx = &cur->dst.xport;
1966 union pf_rule_xport *px = &prev->dst.xport;
1967
1968 switch (cur->proto) {
1969 case IPPROTO_GRE:
1970 if (cur->proto != prev->proto ||
1971 cx->call_id != px->call_id)
1972 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
1973 break;
1974 case IPPROTO_ESP:
1975 if (cur->proto != prev->proto ||
1976 cx->spi != px->spi)
1977 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
1978 break;
1979 default:
1980 if (prev->proto == IPPROTO_GRE ||
1981 prev->proto == IPPROTO_ESP ||
1982 cx->range.op != px->range.op ||
1983 cx->range.port[0] != px->range.port[0] ||
1984 cx->range.port[1] != px->range.port[1])
1985 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
1986 break;
1987 }
1988 }
1989
1990 prev = cur;
1991 cur = TAILQ_NEXT(cur, entries);
1992 }
1993 for (i = 0; i < PF_SKIP_COUNT; ++i)
1994 PF_SET_SKIP_STEPS(i);
1995 }
1996
1997 u_int32_t
1998 pf_calc_state_key_flowhash(struct pf_state_key *sk)
1999 {
2000 struct pf_flowhash_key fh __attribute__((aligned(8)));
2001 uint32_t flowhash = 0;
2002
2003 bzero(&fh, sizeof (fh));
2004 if (PF_ALEQ(&sk->lan.addr, &sk->ext_lan.addr, sk->af_lan)) {
2005 bcopy(&sk->lan.addr, &fh.ap1.addr, sizeof (fh.ap1.addr));
2006 bcopy(&sk->ext_lan.addr, &fh.ap2.addr, sizeof (fh.ap2.addr));
2007 } else {
2008 bcopy(&sk->ext_lan.addr, &fh.ap1.addr, sizeof (fh.ap1.addr));
2009 bcopy(&sk->lan.addr, &fh.ap2.addr, sizeof (fh.ap2.addr));
2010 }
2011 if (sk->lan.xport.spi <= sk->ext_lan.xport.spi) {
2012 fh.ap1.xport.spi = sk->lan.xport.spi;
2013 fh.ap2.xport.spi = sk->ext_lan.xport.spi;
2014 } else {
2015 fh.ap1.xport.spi = sk->ext_lan.xport.spi;
2016 fh.ap2.xport.spi = sk->lan.xport.spi;
2017 }
2018 fh.af = sk->af_lan;
2019 fh.proto = sk->proto;
2020
2021 try_again:
2022 flowhash = net_flowhash(&fh, sizeof (fh), pf_hash_seed);
2023 if (flowhash == 0) {
2024 /* try to get a non-zero flowhash */
2025 pf_hash_seed = RandomULong();
2026 goto try_again;
2027 }
2028
2029 return (flowhash);
2030 }
2031
2032 static int
2033 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
2034 {
2035 if (aw1->type != aw2->type)
2036 return (1);
2037 switch (aw1->type) {
2038 case PF_ADDR_ADDRMASK:
2039 case PF_ADDR_RANGE:
2040 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0))
2041 return (1);
2042 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0))
2043 return (1);
2044 return (0);
2045 case PF_ADDR_DYNIFTL:
2046 return (aw1->p.dyn == NULL || aw2->p.dyn == NULL ||
2047 aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt);
2048 case PF_ADDR_NOROUTE:
2049 case PF_ADDR_URPFFAILED:
2050 return (0);
2051 case PF_ADDR_TABLE:
2052 return (aw1->p.tbl != aw2->p.tbl);
2053 case PF_ADDR_RTLABEL:
2054 return (aw1->v.rtlabel != aw2->v.rtlabel);
2055 default:
2056 printf("invalid address type: %d\n", aw1->type);
2057 return (1);
2058 }
2059 }
2060
2061 u_int16_t
2062 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
2063 {
2064 u_int32_t l;
2065
2066 if (udp && !cksum)
2067 return (0);
2068 l = cksum + old - new;
2069 l = (l >> 16) + (l & 0xffff);
2070 l = l & 0xffff;
2071 if (udp && !l)
2072 return (0xffff);
2073 return (l);
2074 }
2075
2076 /*
2077 * change ip address & port
2078 * dir : packet direction
2079 * a : address to be changed
2080 * p : port to be changed
2081 * ic : ip header checksum
2082 * pc : protocol checksum
2083 * an : new ip address
2084 * pn : new port
2085 * u : should be 1 if UDP packet else 0
2086 * af : address family of the packet
2087 * afn : address family of the new address
2088 * ua : should be 1 if ip address needs to be updated in the packet else
2089 * only the checksum is recalculated & updated.
2090 */
2091 static void
2092 pf_change_ap(int dir, pbuf_t *pbuf, struct pf_addr *a, u_int16_t *p,
2093 u_int16_t *ic, u_int16_t *pc, struct pf_addr *an, u_int16_t pn,
2094 u_int8_t u, sa_family_t af, sa_family_t afn, int ua)
2095 {
2096 struct pf_addr ao;
2097 u_int16_t po = *p;
2098
2099 PF_ACPY(&ao, a, af);
2100 if (ua)
2101 PF_ACPY(a, an, afn);
2102
2103 *p = pn;
2104
2105 switch (af) {
2106 #if INET
2107 case AF_INET:
2108 switch (afn) {
2109 case AF_INET:
2110 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
2111 ao.addr16[0], an->addr16[0], 0),
2112 ao.addr16[1], an->addr16[1], 0);
2113 *p = pn;
2114 /*
2115 * If the packet is originated from an ALG on the NAT gateway
2116 * (source address is loopback or local), in which case the
2117 * TCP/UDP checksum field contains the pseudo header checksum
2118 * that's not yet complemented. A packet generated locally
2119 * will have UDP/TCP CSUM flag set (gets set in protocol
2120 * output).
2121 */
2122 if (dir == PF_OUT && pbuf != NULL &&
2123 (*pbuf->pb_csum_flags & (CSUM_TCP | CSUM_UDP))) {
2124 /* Pseudo-header checksum does not include ports */
2125 *pc = ~pf_cksum_fixup(pf_cksum_fixup(~*pc,
2126 ao.addr16[0], an->addr16[0], u),
2127 ao.addr16[1], an->addr16[1], u);
2128 } else {
2129 *pc =
2130 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2131 *pc, ao.addr16[0], an->addr16[0], u),
2132 ao.addr16[1], an->addr16[1], u),
2133 po, pn, u);
2134 }
2135 break;
2136 #ifdef INET6
2137 case AF_INET6:
2138 *p = pn;
2139 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2140 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2141
2142 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
2143 ao.addr16[0], an->addr16[0], u),
2144 ao.addr16[1], an->addr16[1], u),
2145 0, an->addr16[2], u),
2146 0, an->addr16[3], u),
2147 0, an->addr16[4], u),
2148 0, an->addr16[5], u),
2149 0, an->addr16[6], u),
2150 0, an->addr16[7], u),
2151 po, pn, u);
2152 break;
2153 #endif /* INET6 */
2154 }
2155 break;
2156 #endif /* INET */
2157 #if INET6
2158 case AF_INET6:
2159 switch (afn) {
2160 case AF_INET6:
2161 /*
2162 * If the packet is originated from an ALG on the NAT gateway
2163 * (source address is loopback or local), in which case the
2164 * TCP/UDP checksum field contains the pseudo header checksum
2165 * that's not yet complemented.
2166 * A packet generated locally
2167 * will have UDP/TCP CSUM flag set (gets set in protocol
2168 * output).
2169 */
2170 if (dir == PF_OUT && pbuf != NULL &&
2171 (*pbuf->pb_csum_flags & (CSUM_TCPIPV6 |
2172 CSUM_UDPIPV6))) {
2173 /* Pseudo-header checksum does not include ports */
2174 *pc =
2175 ~pf_cksum_fixup(pf_cksum_fixup(
2176 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2177 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2178 ~*pc,
2179 ao.addr16[0], an->addr16[0], u),
2180 ao.addr16[1], an->addr16[1], u),
2181 ao.addr16[2], an->addr16[2], u),
2182 ao.addr16[3], an->addr16[3], u),
2183 ao.addr16[4], an->addr16[4], u),
2184 ao.addr16[5], an->addr16[5], u),
2185 ao.addr16[6], an->addr16[6], u),
2186 ao.addr16[7], an->addr16[7], u);
2187 } else {
2188 *pc =
2189 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2190 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2191 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2192 *pc,
2193 ao.addr16[0], an->addr16[0], u),
2194 ao.addr16[1], an->addr16[1], u),
2195 ao.addr16[2], an->addr16[2], u),
2196 ao.addr16[3], an->addr16[3], u),
2197 ao.addr16[4], an->addr16[4], u),
2198 ao.addr16[5], an->addr16[5], u),
2199 ao.addr16[6], an->addr16[6], u),
2200 ao.addr16[7], an->addr16[7], u),
2201 po, pn, u);
2202 }
2203 break;
2204 #ifdef INET
2205 case AF_INET:
2206 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2207 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2208 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
2209 ao.addr16[0], an->addr16[0], u),
2210 ao.addr16[1], an->addr16[1], u),
2211 ao.addr16[2], 0, u),
2212 ao.addr16[3], 0, u),
2213 ao.addr16[4], 0, u),
2214 ao.addr16[5], 0, u),
2215 ao.addr16[6], 0, u),
2216 ao.addr16[7], 0, u),
2217 po, pn, u);
2218 break;
2219 #endif /* INET */
2220 }
2221 break;
2222 #endif /* INET6 */
2223 }
2224 }
2225
2226
2227 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */
2228 void
2229 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u)
2230 {
2231 u_int32_t ao;
2232
2233 memcpy(&ao, a, sizeof (ao));
2234 memcpy(a, &an, sizeof (u_int32_t));
2235 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u),
2236 ao % 65536, an % 65536, u);
2237 }
2238
2239 #if INET6
2240 static void
2241 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
2242 {
2243 struct pf_addr ao;
2244
2245 PF_ACPY(&ao, a, AF_INET6);
2246 PF_ACPY(a, an, AF_INET6);
2247
2248 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2249 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2250 pf_cksum_fixup(pf_cksum_fixup(*c,
2251 ao.addr16[0], an->addr16[0], u),
2252 ao.addr16[1], an->addr16[1], u),
2253 ao.addr16[2], an->addr16[2], u),
2254 ao.addr16[3], an->addr16[3], u),
2255 ao.addr16[4], an->addr16[4], u),
2256 ao.addr16[5], an->addr16[5], u),
2257 ao.addr16[6], an->addr16[6], u),
2258 ao.addr16[7], an->addr16[7], u);
2259 }
2260
2261 void
2262 pf_change_addr(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u,
2263 sa_family_t af, sa_family_t afn)
2264 {
2265 struct pf_addr ao;
2266
2267 PF_ACPY(&ao, a, af);
2268 PF_ACPY(a, an, afn);
2269
2270 switch (af) {
2271 case AF_INET:
2272 switch (afn) {
2273 case AF_INET:
2274 pf_change_a(a, c, an->v4addr.s_addr, u);
2275 break;
2276 case AF_INET6:
2277 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2278 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2279 pf_cksum_fixup(pf_cksum_fixup(*c,
2280 ao.addr16[0], an->addr16[0], u),
2281 ao.addr16[1], an->addr16[1], u),
2282 0, an->addr16[2], u),
2283 0, an->addr16[3], u),
2284 0, an->addr16[4], u),
2285 0, an->addr16[5], u),
2286 0, an->addr16[6], u),
2287 0, an->addr16[7], u);
2288 break;
2289 }
2290 break;
2291 case AF_INET6:
2292 switch (afn) {
2293 case AF_INET:
2294 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2295 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2296 pf_cksum_fixup(pf_cksum_fixup(*c,
2297 ao.addr16[0], an->addr16[0], u),
2298 ao.addr16[1], an->addr16[1], u),
2299 ao.addr16[2], 0, u),
2300 ao.addr16[3], 0, u),
2301 ao.addr16[4], 0, u),
2302 ao.addr16[5], 0, u),
2303 ao.addr16[6], 0, u),
2304 ao.addr16[7], 0, u);
2305 break;
2306 case AF_INET6:
2307 pf_change_a6(a, c, an, u);
2308 break;
2309 }
2310 break;
2311 }
2312 }
2313
2314 #endif /* INET6 */
2315
2316 static void
2317 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa,
2318 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c,
2319 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af)
2320 {
2321 struct pf_addr oia, ooa;
2322
2323 PF_ACPY(&oia, ia, af);
2324 PF_ACPY(&ooa, oa, af);
2325
2326 /* Change inner protocol port, fix inner protocol checksum. */
2327 if (ip != NULL) {
2328 u_int16_t oip = *ip;
2329 u_int32_t opc = 0;
2330
2331 if (pc != NULL)
2332 opc = *pc;
2333 *ip = np;
2334 if (pc != NULL)
2335 *pc = pf_cksum_fixup(*pc, oip, *ip, u);
2336 *ic = pf_cksum_fixup(*ic, oip, *ip, 0);
2337 if (pc != NULL)
2338 *ic = pf_cksum_fixup(*ic, opc, *pc, 0);
2339 }
2340 /* Change inner ip address, fix inner ip and icmp checksums. */
2341 PF_ACPY(ia, na, af);
2342 switch (af) {
2343 #if INET
2344 case AF_INET: {
2345 u_int32_t oh2c = *h2c;
2346
2347 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c,
2348 oia.addr16[0], ia->addr16[0], 0),
2349 oia.addr16[1], ia->addr16[1], 0);
2350 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
2351 oia.addr16[0], ia->addr16[0], 0),
2352 oia.addr16[1], ia->addr16[1], 0);
2353 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0);
2354 break;
2355 }
2356 #endif /* INET */
2357 #if INET6
2358 case AF_INET6:
2359 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2360 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2361 pf_cksum_fixup(pf_cksum_fixup(*ic,
2362 oia.addr16[0], ia->addr16[0], u),
2363 oia.addr16[1], ia->addr16[1], u),
2364 oia.addr16[2], ia->addr16[2], u),
2365 oia.addr16[3], ia->addr16[3], u),
2366 oia.addr16[4], ia->addr16[4], u),
2367 oia.addr16[5], ia->addr16[5], u),
2368 oia.addr16[6], ia->addr16[6], u),
2369 oia.addr16[7], ia->addr16[7], u);
2370 break;
2371 #endif /* INET6 */
2372 }
2373 /* Change outer ip address, fix outer ip or icmpv6 checksum. */
2374 PF_ACPY(oa, na, af);
2375 switch (af) {
2376 #if INET
2377 case AF_INET:
2378 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc,
2379 ooa.addr16[0], oa->addr16[0], 0),
2380 ooa.addr16[1], oa->addr16[1], 0);
2381 break;
2382 #endif /* INET */
2383 #if INET6
2384 case AF_INET6:
2385 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2386 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
2387 pf_cksum_fixup(pf_cksum_fixup(*ic,
2388 ooa.addr16[0], oa->addr16[0], u),
2389 ooa.addr16[1], oa->addr16[1], u),
2390 ooa.addr16[2], oa->addr16[2], u),
2391 ooa.addr16[3], oa->addr16[3], u),
2392 ooa.addr16[4], oa->addr16[4], u),
2393 ooa.addr16[5], oa->addr16[5], u),
2394 ooa.addr16[6], oa->addr16[6], u),
2395 ooa.addr16[7], oa->addr16[7], u);
2396 break;
2397 #endif /* INET6 */
2398 }
2399 }
2400
2401
2402 /*
2403 * Need to modulate the sequence numbers in the TCP SACK option
2404 * (credits to Krzysztof Pfaff for report and patch)
2405 */
2406 static int
2407 pf_modulate_sack(pbuf_t *pbuf, int off, struct pf_pdesc *pd,
2408 struct tcphdr *th, struct pf_state_peer *dst)
2409 {
2410 int hlen = (th->th_off << 2) - sizeof (*th), thoptlen = hlen;
2411 u_int8_t opts[MAX_TCPOPTLEN], *opt = opts;
2412 int copyback = 0, i, olen;
2413 struct sackblk sack;
2414
2415 #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)
2416 if (hlen < TCPOLEN_SACKLEN ||
2417 !pf_pull_hdr(pbuf, off + sizeof (*th), opts, hlen, NULL, NULL, pd->af))
2418 return (0);
2419
2420 while (hlen >= TCPOLEN_SACKLEN) {
2421 olen = opt[1];
2422 switch (*opt) {
2423 case TCPOPT_EOL: /* FALLTHROUGH */
2424 case TCPOPT_NOP:
2425 opt++;
2426 hlen--;
2427 break;
2428 case TCPOPT_SACK:
2429 if (olen > hlen)
2430 olen = hlen;
2431 if (olen >= TCPOLEN_SACKLEN) {
2432 for (i = 2; i + TCPOLEN_SACK <= olen;
2433 i += TCPOLEN_SACK) {
2434 memcpy(&sack, &opt[i], sizeof (sack));
2435 pf_change_a(&sack.start, &th->th_sum,
2436 htonl(ntohl(sack.start) -
2437 dst->seqdiff), 0);
2438 pf_change_a(&sack.end, &th->th_sum,
2439 htonl(ntohl(sack.end) -
2440 dst->seqdiff), 0);
2441 memcpy(&opt[i], &sack, sizeof (sack));
2442 }
2443 copyback = off + sizeof (*th) + thoptlen;
2444 }
2445 /* FALLTHROUGH */
2446 default:
2447 if (olen < 2)
2448 olen = 2;
2449 hlen -= olen;
2450 opt += olen;
2451 }
2452 }
2453
2454 if (copyback) {
2455 if (pf_lazy_makewritable(pd, pbuf, copyback) == NULL)
2456 return (-1);
2457 pbuf_copy_back(pbuf, off + sizeof (*th), thoptlen, opts);
2458 }
2459 return (copyback);
2460 }
2461
2462 /*
2463 * XXX
2464 *
2465 * The following functions (pf_send_tcp and pf_send_icmp) are somewhat
2466 * special in that they originate "spurious" packets rather than
2467 * filter/NAT existing packets. As such, they're not a great fit for
2468 * the 'pbuf' shim, which assumes the underlying packet buffers are
2469 * allocated elsewhere.
2470 *
2471 * Since these functions are rarely used, we'll carry on allocating mbufs
2472 * and passing them to the IP stack for eventual routing.
2473 */
2474 static void
2475 pf_send_tcp(const struct pf_rule *r, sa_family_t af,
2476 const struct pf_addr *saddr, const struct pf_addr *daddr,
2477 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
2478 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
2479 u_int16_t rtag, struct ether_header *eh, struct ifnet *ifp)
2480 {
2481 #pragma unused(eh, ifp)
2482 struct mbuf *m;
2483 int len, tlen;
2484 #if INET
2485 struct ip *h = NULL;
2486 #endif /* INET */
2487 #if INET6
2488 struct ip6_hdr *h6 = NULL;
2489 #endif /* INET6 */
2490 struct tcphdr *th = NULL;
2491 char *opt;
2492 struct pf_mtag *pf_mtag;
2493
2494 /* maximum segment size tcp option */
2495 tlen = sizeof (struct tcphdr);
2496 if (mss)
2497 tlen += 4;
2498
2499 switch (af) {
2500 #if INET
2501 case AF_INET:
2502 len = sizeof (struct ip) + tlen;
2503 break;
2504 #endif /* INET */
2505 #if INET6
2506 case AF_INET6:
2507 len = sizeof (struct ip6_hdr) + tlen;
2508 break;
2509 #endif /* INET6 */
2510 default:
2511 panic("pf_send_tcp: not AF_INET or AF_INET6!");
2512 return;
2513 }
2514
2515 /* create outgoing mbuf */
2516 m = m_gethdr(M_DONTWAIT, MT_HEADER);
2517 if (m == NULL)
2518 return;
2519
2520 if ((pf_mtag = pf_get_mtag(m)) == NULL)
2521 return;
2522
2523 if (tag)
2524 pf_mtag->pftag_flags |= PF_TAG_GENERATED;
2525 pf_mtag->pftag_tag = rtag;
2526
2527 if (r != NULL && PF_RTABLEID_IS_VALID(r->rtableid))
2528 pf_mtag->pftag_rtableid = r->rtableid;
2529
2530 #if PF_ECN
2531 /* add hints for ecn */
2532 pf_mtag->pftag_hdr = mtod(m, struct ip *);
2533 /* record address family */
2534 pf_mtag->pftag_flags &= ~(PF_TAG_HDR_INET | PF_TAG_HDR_INET6);
2535 switch (af) {
2536 #if INET
2537 case AF_INET:
2538 pf_mtag->pftag_flags |= PF_TAG_HDR_INET;
2539 break;
2540 #endif /* INET */
2541 #if INET6
2542 case AF_INET6:
2543 pf_mtag->pftag_flags |= PF_TAG_HDR_INET6;
2544 break;
2545 #endif /* INET6 */
2546 }
2547 #endif /* PF_ECN */
2548
2549 /* indicate this is TCP */
2550 m->m_pkthdr.pkt_proto = IPPROTO_TCP;
2551
2552 /* Make sure headers are 32-bit aligned */
2553 m->m_data += max_linkhdr;
2554 m->m_pkthdr.len = m->m_len = len;
2555 m->m_pkthdr.rcvif = NULL;
2556 bzero(m->m_data, len);
2557 switch (af) {
2558 #if INET
2559 case AF_INET:
2560 h = mtod(m, struct ip *);
2561
2562 /* IP header fields included in the TCP checksum */
2563 h->ip_p = IPPROTO_TCP;
2564 h->ip_len = htons(tlen);
2565 h->ip_src.s_addr = saddr->v4addr.s_addr;
2566 h->ip_dst.s_addr = daddr->v4addr.s_addr;
2567
2568 th = (struct tcphdr *)(void *)((caddr_t)h + sizeof (struct ip));
2569 break;
2570 #endif /* INET */
2571 #if INET6
2572 case AF_INET6:
2573 h6 = mtod(m, struct ip6_hdr *);
2574
2575 /* IP header fields included in the TCP checksum */
2576 h6->ip6_nxt = IPPROTO_TCP;
2577 h6->ip6_plen = htons(tlen);
2578 memcpy(&h6->ip6_src, &saddr->v6addr, sizeof (struct in6_addr));
2579 memcpy(&h6->ip6_dst, &daddr->v6addr, sizeof (struct in6_addr));
2580
2581 th = (struct tcphdr *)(void *)
2582 ((caddr_t)h6 + sizeof (struct ip6_hdr));
2583 break;
2584 #endif /* INET6 */
2585 }
2586
2587 /* TCP header */
2588 th->th_sport = sport;
2589 th->th_dport = dport;
2590 th->th_seq = htonl(seq);
2591 th->th_ack = htonl(ack);
2592 th->th_off = tlen >> 2;
2593 th->th_flags = flags;
2594 th->th_win = htons(win);
2595
2596 if (mss) {
2597 opt = (char *)(th + 1);
2598 opt[0] = TCPOPT_MAXSEG;
2599 opt[1] = 4;
2600 #if BYTE_ORDER != BIG_ENDIAN
2601 HTONS(mss);
2602 #endif
2603 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2);
2604 }
2605
2606 switch (af) {
2607 #if INET
2608 case AF_INET: {
2609 struct route ro;
2610
2611 /* TCP checksum */
2612 th->th_sum = in_cksum(m, len);
2613
2614 /* Finish the IP header */
2615 h->ip_v = 4;
2616 h->ip_hl = sizeof (*h) >> 2;
2617 h->ip_tos = IPTOS_LOWDELAY;
2618 /*
2619 * ip_output() expects ip_len and ip_off to be in host order.
2620 */
2621 h->ip_len = len;
2622 h->ip_off = (path_mtu_discovery ? IP_DF : 0);
2623 h->ip_ttl = ttl ? ttl : ip_defttl;
2624 h->ip_sum = 0;
2625
2626 bzero(&ro, sizeof (ro));
2627 ip_output(m, NULL, &ro, 0, NULL, NULL);
2628 ROUTE_RELEASE(&ro);
2629 break;
2630 }
2631 #endif /* INET */
2632 #if INET6
2633 case AF_INET6: {
2634 struct route_in6 ro6;
2635
2636 /* TCP checksum */
2637 th->th_sum = in6_cksum(m, IPPROTO_TCP,
2638 sizeof (struct ip6_hdr), tlen);
2639
2640 h6->ip6_vfc |= IPV6_VERSION;
2641 h6->ip6_hlim = IPV6_DEFHLIM;
2642
2643 bzero(&ro6, sizeof (ro6));
2644 ip6_output(m, NULL, &ro6, 0, NULL, NULL, NULL);
2645 ROUTE_RELEASE(&ro6);
2646 break;
2647 }
2648 #endif /* INET6 */
2649 }
2650 }
2651
2652 static void
2653 pf_send_icmp(pbuf_t *pbuf, u_int8_t type, u_int8_t code, sa_family_t af,
2654 struct pf_rule *r)
2655 {
2656 struct mbuf *m0;
2657 struct pf_mtag *pf_mtag;
2658
2659 m0 = pbuf_clone_to_mbuf(pbuf);
2660 if (m0 == NULL)
2661 return;
2662
2663 if ((pf_mtag = pf_get_mtag(m0)) == NULL)
2664 return;
2665
2666 pf_mtag->pftag_flags |= PF_TAG_GENERATED;
2667
2668 if (PF_RTABLEID_IS_VALID(r->rtableid))
2669 pf_mtag->pftag_rtableid = r->rtableid;
2670
2671 #if PF_ECN
2672 /* add hints for ecn */
2673 pf_mtag->pftag_hdr = mtod(m0, struct ip *);
2674 /* record address family */
2675 pf_mtag->pftag_flags &= ~(PF_TAG_HDR_INET | PF_TAG_HDR_INET6);
2676 switch (af) {
2677 #if INET
2678 case AF_INET:
2679 pf_mtag->pftag_flags |= PF_TAG_HDR_INET;
2680 m0->m_pkthdr.pkt_proto = IPPROTO_ICMP;
2681 break;
2682 #endif /* INET */
2683 #if INET6
2684 case AF_INET6:
2685 pf_mtag->pftag_flags |= PF_TAG_HDR_INET6;
2686 m0->m_pkthdr.pkt_proto = IPPROTO_ICMPV6;
2687 break;
2688 #endif /* INET6 */
2689 }
2690 #endif /* PF_ECN */
2691
2692 switch (af) {
2693 #if INET
2694 case AF_INET:
2695 icmp_error(m0, type, code, 0, 0);
2696 break;
2697 #endif /* INET */
2698 #if INET6
2699 case AF_INET6:
2700 icmp6_error(m0, type, code, 0);
2701 break;
2702 #endif /* INET6 */
2703 }
2704 }
2705
2706 /*
2707 * Return 1 if the addresses a and b match (with mask m), otherwise return 0.
2708 * If n is 0, they match if they are equal. If n is != 0, they match if they
2709 * are different.
2710 */
2711 int
2712 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m,
2713 struct pf_addr *b, sa_family_t af)
2714 {
2715 int match = 0;
2716
2717 switch (af) {
2718 #if INET
2719 case AF_INET:
2720 if ((a->addr32[0] & m->addr32[0]) ==
2721 (b->addr32[0] & m->addr32[0]))
2722 match++;
2723 break;
2724 #endif /* INET */
2725 #if INET6
2726 case AF_INET6:
2727 if (((a->addr32[0] & m->addr32[0]) ==
2728 (b->addr32[0] & m->addr32[0])) &&
2729 ((a->addr32[1] & m->addr32[1]) ==
2730 (b->addr32[1] & m->addr32[1])) &&
2731 ((a->addr32[2] & m->addr32[2]) ==
2732 (b->addr32[2] & m->addr32[2])) &&
2733 ((a->addr32[3] & m->addr32[3]) ==
2734 (b->addr32[3] & m->addr32[3])))
2735 match++;
2736 break;
2737 #endif /* INET6 */
2738 }
2739 if (match) {
2740 if (n)
2741 return (0);
2742 else
2743 return (1);
2744 } else {
2745 if (n)
2746 return (1);
2747 else
2748 return (0);
2749 }
2750 }
2751
2752 /*
2753 * Return 1 if b <= a <= e, otherwise return 0.
2754 */
2755 int
2756 pf_match_addr_range(struct pf_addr *b, struct pf_addr *e,
2757 struct pf_addr *a, sa_family_t af)
2758 {
2759 switch (af) {
2760 #if INET
2761 case AF_INET:
2762 if ((a->addr32[0] < b->addr32[0]) ||
2763 (a->addr32[0] > e->addr32[0]))
2764 return (0);
2765 break;
2766 #endif /* INET */
2767 #if INET6
2768 case AF_INET6: {
2769 int i;
2770
2771 /* check a >= b */
2772 for (i = 0; i < 4; ++i)
2773 if (a->addr32[i] > b->addr32[i])
2774 break;
2775 else if (a->addr32[i] < b->addr32[i])
2776 return (0);
2777 /* check a <= e */
2778 for (i = 0; i < 4; ++i)
2779 if (a->addr32[i] < e->addr32[i])
2780 break;
2781 else if (a->addr32[i] > e->addr32[i])
2782 return (0);
2783 break;
2784 }
2785 #endif /* INET6 */
2786 }
2787 return (1);
2788 }
2789
2790 int
2791 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p)
2792 {
2793 switch (op) {
2794 case PF_OP_IRG:
2795 return ((p > a1) && (p < a2));
2796 case PF_OP_XRG:
2797 return ((p < a1) || (p > a2));
2798 case PF_OP_RRG:
2799 return ((p >= a1) && (p <= a2));
2800 case PF_OP_EQ:
2801 return (p == a1);
2802 case PF_OP_NE:
2803 return (p != a1);
2804 case PF_OP_LT:
2805 return (p < a1);
2806 case PF_OP_LE:
2807 return (p <= a1);
2808 case PF_OP_GT:
2809 return (p > a1);
2810 case PF_OP_GE:
2811 return (p >= a1);
2812 }
2813 return (0); /* never reached */
2814 }
2815
2816 int
2817 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
2818 {
2819 #if BYTE_ORDER != BIG_ENDIAN
2820 NTOHS(a1);
2821 NTOHS(a2);
2822 NTOHS(p);
2823 #endif
2824 return (pf_match(op, a1, a2, p));
2825 }
2826
2827 int
2828 pf_match_xport(u_int8_t proto, u_int8_t proto_variant, union pf_rule_xport *rx,
2829 union pf_state_xport *sx)
2830 {
2831 int d = !0;
2832
2833 if (sx) {
2834 switch (proto) {
2835 case IPPROTO_GRE:
2836 if (proto_variant == PF_GRE_PPTP_VARIANT)
2837 d = (rx->call_id == sx->call_id);
2838 break;
2839
2840 case IPPROTO_ESP:
2841 d = (rx->spi == sx->spi);
2842 break;
2843
2844 case IPPROTO_TCP:
2845 case IPPROTO_UDP:
2846 case IPPROTO_ICMP:
2847 case IPPROTO_ICMPV6:
2848 if (rx->range.op)
2849 d = pf_match_port(rx->range.op,
2850 rx->range.port[0], rx->range.port[1],
2851 sx->port);
2852 break;
2853
2854 default:
2855 break;
2856 }
2857 }
2858
2859 return (d);
2860 }
2861
2862 int
2863 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
2864 {
2865 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
2866 return (0);
2867 return (pf_match(op, a1, a2, u));
2868 }
2869
2870 int
2871 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
2872 {
2873 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
2874 return (0);
2875 return (pf_match(op, a1, a2, g));
2876 }
2877
2878 static int
2879 pf_match_tag(struct pf_rule *r, struct pf_mtag *pf_mtag,
2880 int *tag)
2881 {
2882 if (*tag == -1)
2883 *tag = pf_mtag->pftag_tag;
2884
2885 return ((!r->match_tag_not && r->match_tag == *tag) ||
2886 (r->match_tag_not && r->match_tag != *tag));
2887 }
2888
2889 int
2890 pf_tag_packet(pbuf_t *pbuf, struct pf_mtag *pf_mtag, int tag,
2891 unsigned int rtableid, struct pf_pdesc *pd)
2892 {
2893 if (tag <= 0 && !PF_RTABLEID_IS_VALID(rtableid) &&
2894 (pd == NULL || !(pd->pktflags & PKTF_FLOW_ID)))
2895 return (0);
2896
2897 if (pf_mtag == NULL && (pf_mtag = pf_get_mtag_pbuf(pbuf)) == NULL)
2898 return (1);
2899
2900 if (tag > 0)
2901 pf_mtag->pftag_tag = tag;
2902 if (PF_RTABLEID_IS_VALID(rtableid))
2903 pf_mtag->pftag_rtableid = rtableid;
2904 if (pd != NULL && (pd->pktflags & PKTF_FLOW_ID)) {
2905 *pbuf->pb_flowsrc = pd->flowsrc;
2906 *pbuf->pb_flowid = pd->flowhash;
2907 *pbuf->pb_flags |= pd->pktflags;
2908 *pbuf->pb_proto = pd->proto;
2909 }
2910
2911 return (0);
2912 }
2913
2914 void
2915 pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n,
2916 struct pf_rule **r, struct pf_rule **a, int *match)
2917 {
2918 struct pf_anchor_stackframe *f;
2919
2920 (*r)->anchor->match = 0;
2921 if (match)
2922 *match = 0;
2923 if (*depth >= (int)sizeof (pf_anchor_stack) /
2924 (int)sizeof (pf_anchor_stack[0])) {
2925 printf("pf_step_into_anchor: stack overflow\n");
2926 *r = TAILQ_NEXT(*r, entries);
2927 return;
2928 } else if (*depth == 0 && a != NULL)
2929 *a = *r;
2930 f = pf_anchor_stack + (*depth)++;
2931 f->rs = *rs;
2932 f->r = *r;
2933 if ((*r)->anchor_wildcard) {
2934 f->parent = &(*r)->anchor->children;
2935 if ((f->child = RB_MIN(pf_anchor_node, f->parent)) ==
2936 NULL) {
2937 *r = NULL;
2938 return;
2939 }
2940 *rs = &f->child->ruleset;
2941 } else {
2942 f->parent = NULL;
2943 f->child = NULL;
2944 *rs = &(*r)->anchor->ruleset;
2945 }
2946 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
2947 }
2948
2949 int
2950 pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n,
2951 struct pf_rule **r, struct pf_rule **a, int *match)
2952 {
2953 struct pf_anchor_stackframe *f;
2954 int quick = 0;
2955
2956 do {
2957 if (*depth <= 0)
2958 break;
2959 f = pf_anchor_stack + *depth - 1;
2960 if (f->parent != NULL && f->child != NULL) {
2961 if (f->child->match ||
2962 (match != NULL && *match)) {
2963 f->r->anchor->match = 1;
2964 if (match)
2965 *match = 0;
2966 }
2967 f->child = RB_NEXT(pf_anchor_node, f->parent, f->child);
2968 if (f->child != NULL) {
2969 *rs = &f->child->ruleset;
2970 *r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
2971 if (*r == NULL)
2972 continue;
2973 else
2974 break;
2975 }
2976 }
2977 (*depth)--;
2978 if (*depth == 0 && a != NULL)
2979 *a = NULL;
2980 *rs = f->rs;
2981 if (f->r->anchor->match || (match != NULL && *match))
2982 quick = f->r->quick;
2983 *r = TAILQ_NEXT(f->r, entries);
2984 } while (*r == NULL);
2985
2986 return (quick);
2987 }
2988
2989 #if INET6
2990 void
2991 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr,
2992 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af)
2993 {
2994 switch (af) {
2995 #if INET
2996 case AF_INET:
2997 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
2998 ((rmask->addr32[0] ^ 0xffffffff) & saddr->addr32[0]);
2999 break;
3000 #endif /* INET */
3001 case AF_INET6:
3002 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
3003 ((rmask->addr32[0] ^ 0xffffffff) & saddr->addr32[0]);
3004 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) |
3005 ((rmask->addr32[1] ^ 0xffffffff) & saddr->addr32[1]);
3006 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) |
3007 ((rmask->addr32[2] ^ 0xffffffff) & saddr->addr32[2]);
3008 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) |
3009 ((rmask->addr32[3] ^ 0xffffffff) & saddr->addr32[3]);
3010 break;
3011 }
3012 }
3013
3014 void
3015 pf_addr_inc(struct pf_addr *addr, sa_family_t af)
3016 {
3017 switch (af) {
3018 #if INET
3019 case AF_INET:
3020 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1);
3021 break;
3022 #endif /* INET */
3023 case AF_INET6:
3024 if (addr->addr32[3] == 0xffffffff) {
3025 addr->addr32[3] = 0;
3026 if (addr->addr32[2] == 0xffffffff) {
3027 addr->addr32[2] = 0;
3028 if (addr->addr32[1] == 0xffffffff) {
3029 addr->addr32[1] = 0;
3030 addr->addr32[0] =
3031 htonl(ntohl(addr->addr32[0]) + 1);
3032 } else
3033 addr->addr32[1] =
3034 htonl(ntohl(addr->addr32[1]) + 1);
3035 } else
3036 addr->addr32[2] =
3037 htonl(ntohl(addr->addr32[2]) + 1);
3038 } else
3039 addr->addr32[3] =
3040 htonl(ntohl(addr->addr32[3]) + 1);
3041 break;
3042 }
3043 }
3044 #endif /* INET6 */
3045
3046 #define mix(a, b, c) \
3047 do { \
3048 a -= b; a -= c; a ^= (c >> 13); \
3049 b -= c; b -= a; b ^= (a << 8); \
3050 c -= a; c -= b; c ^= (b >> 13); \
3051 a -= b; a -= c; a ^= (c >> 12); \
3052 b -= c; b -= a; b ^= (a << 16); \
3053 c -= a; c -= b; c ^= (b >> 5); \
3054 a -= b; a -= c; a ^= (c >> 3); \
3055 b -= c; b -= a; b ^= (a << 10); \
3056 c -= a; c -= b; c ^= (b >> 15); \
3057 } while (0)
3058
3059 /*
3060 * hash function based on bridge_hash in if_bridge.c
3061 */
3062 static void
3063 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
3064 struct pf_poolhashkey *key, sa_family_t af)
3065 {
3066 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];
3067
3068 switch (af) {
3069 #if INET
3070 case AF_INET:
3071 a += inaddr->addr32[0];
3072 b += key->key32[1];
3073 mix(a, b, c);
3074 hash->addr32[0] = c + key->key32[2];
3075 break;
3076 #endif /* INET */
3077 #if INET6
3078 case AF_INET6:
3079 a += inaddr->addr32[0];
3080 b += inaddr->addr32[2];
3081 mix(a, b, c);
3082 hash->addr32[0] = c;
3083 a += inaddr->addr32[1];
3084 b += inaddr->addr32[3];
3085 c += key->key32[1];
3086 mix(a, b, c);
3087 hash->addr32[1] = c;
3088 a += inaddr->addr32[2];
3089 b += inaddr->addr32[1];
3090 c += key->key32[2];
3091 mix(a, b, c);
3092 hash->addr32[2] = c;
3093 a += inaddr->addr32[3];
3094 b += inaddr->addr32[0];
3095 c += key->key32[3];
3096 mix(a, b, c);
3097 hash->addr32[3] = c;
3098 break;
3099 #endif /* INET6 */
3100 }
3101 }
3102
3103 static int
3104 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
3105 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
3106 {
3107 unsigned char hash[16];
3108 struct pf_pool *rpool = &r->rpool;
3109 struct pf_addr *raddr = &rpool->cur->addr.v.a.addr;
3110 struct pf_addr *rmask = &rpool->cur->addr.v.a.mask;
3111 struct pf_pooladdr *acur = rpool->cur;
3112 struct pf_src_node k;
3113
3114 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
3115 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
3116 k.af = af;
3117 PF_ACPY(&k.addr, saddr, af);
3118 if (r->rule_flag & PFRULE_RULESRCTRACK ||
3119 r->rpool.opts & PF_POOL_STICKYADDR)
3120 k.rule.ptr = r;
3121 else
3122 k.rule.ptr = NULL;
3123 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
3124 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
3125 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, rpool->af)) {
3126 PF_ACPY(naddr, &(*sn)->raddr, rpool->af);
3127 if (pf_status.debug >= PF_DEBUG_MISC) {
3128 printf("pf_map_addr: src tracking maps ");
3129 pf_print_host(&k.addr, 0, af);
3130 printf(" to ");
3131 pf_print_host(naddr, 0, rpool->af);
3132 printf("\n");
3133 }
3134 return (0);
3135 }
3136 }
3137
3138 if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
3139 return (1);
3140 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
3141 if (rpool->cur->addr.p.dyn == NULL)
3142 return (1);
3143 switch (rpool->af) {
3144 #if INET
3145 case AF_INET:
3146 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
3147 (rpool->opts & PF_POOL_TYPEMASK) !=
3148 PF_POOL_ROUNDROBIN)
3149 return (1);
3150 raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
3151 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
3152 break;
3153 #endif /* INET */
3154 #if INET6
3155 case AF_INET6:
3156 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
3157 (rpool->opts & PF_POOL_TYPEMASK) !=
3158 PF_POOL_ROUNDROBIN)
3159 return (1);
3160 raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
3161 rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
3162 break;
3163 #endif /* INET6 */
3164 }
3165 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
3166 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
3167 return (1); /* unsupported */
3168 } else {
3169 raddr = &rpool->cur->addr.v.a.addr;
3170 rmask = &rpool->cur->addr.v.a.mask;
3171 }
3172
3173 switch (rpool->opts & PF_POOL_TYPEMASK) {
3174 case PF_POOL_NONE:
3175 PF_ACPY(naddr, raddr, rpool->af);
3176 break;
3177 case PF_POOL_BITMASK:
3178 ASSERT(af == rpool->af);
3179 PF_POOLMASK(naddr, raddr, rmask, saddr, af);
3180 break;
3181 case PF_POOL_RANDOM:
3182 if (init_addr != NULL && PF_AZERO(init_addr, rpool->af)) {
3183 switch (af) {
3184 #if INET
3185 case AF_INET:
3186 rpool->counter.addr32[0] = htonl(random());
3187 break;
3188 #endif /* INET */
3189 #if INET6
3190 case AF_INET6:
3191 if (rmask->addr32[3] != 0xffffffff)
3192 rpool->counter.addr32[3] =
3193 RandomULong();
3194 else
3195 break;
3196 if (rmask->addr32[2] != 0xffffffff)
3197 rpool->counter.addr32[2] =
3198 RandomULong();
3199 else
3200 break;
3201 if (rmask->addr32[1] != 0xffffffff)
3202 rpool->counter.addr32[1] =
3203 RandomULong();
3204 else
3205 break;
3206 if (rmask->addr32[0] != 0xffffffff)
3207 rpool->counter.addr32[0] =
3208 RandomULong();
3209 break;
3210 #endif /* INET6 */
3211 }
3212 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter,
3213 rpool->af);
3214 PF_ACPY(init_addr, naddr, rpool->af);
3215
3216 } else {
3217 PF_AINC(&rpool->counter, rpool->af);
3218 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter,
3219 rpool->af);
3220 }
3221 break;
3222 case PF_POOL_SRCHASH:
3223 ASSERT(af == rpool->af);
3224 PF_POOLMASK(naddr, raddr, rmask, saddr, af);
3225 pf_hash(saddr, (struct pf_addr *)(void *)&hash,
3226 &rpool->key, af);
3227 PF_POOLMASK(naddr, raddr, rmask,
3228 (struct pf_addr *)(void *)&hash, af);
3229 break;
3230 case PF_POOL_ROUNDROBIN:
3231 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
3232 if (!pfr_pool_get(rpool->cur->addr.p.tbl,
3233 &rpool->tblidx, &rpool->counter,
3234 &raddr, &rmask, rpool->af))
3235 goto get_addr;
3236 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
3237 if (rpool->cur->addr.p.dyn != NULL &&
3238 !pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
3239 &rpool->tblidx, &rpool->counter,
3240 &raddr, &rmask, af))
3241 goto get_addr;
3242 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter,
3243 rpool->af))
3244 goto get_addr;
3245
3246 try_next:
3247 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL)
3248 rpool->cur = TAILQ_FIRST(&rpool->list);
3249 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
3250 rpool->tblidx = -1;
3251 if (pfr_pool_get(rpool->cur->addr.p.tbl,
3252 &rpool->tblidx, &rpool->counter,
3253 &raddr, &rmask, rpool->af)) {
3254 /* table contains no address of type
3255 * 'rpool->af' */
3256 if (rpool->cur != acur)
3257 goto try_next;
3258 return (1);
3259 }
3260 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
3261 rpool->tblidx = -1;
3262 if (rpool->cur->addr.p.dyn == NULL)
3263 return (1);
3264 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
3265 &rpool->tblidx, &rpool->counter,
3266 &raddr, &rmask, rpool->af)) {
3267 /* table contains no address of type
3268 * 'rpool->af' */
3269 if (rpool->cur != acur)
3270 goto try_next;
3271 return (1);
3272 }
3273 } else {
3274 raddr = &rpool->cur->addr.v.a.addr;
3275 rmask = &rpool->cur->addr.v.a.mask;
3276 PF_ACPY(&rpool->counter, raddr, rpool->af);
3277 }
3278
3279 get_addr:
3280 PF_ACPY(naddr, &rpool->counter, rpool->af);
3281 if (init_addr != NULL && PF_AZERO(init_addr, rpool->af))
3282 PF_ACPY(init_addr, naddr, rpool->af);
3283 PF_AINC(&rpool->counter, rpool->af);
3284 break;
3285 }
3286 if (*sn != NULL)
3287 PF_ACPY(&(*sn)->raddr, naddr, rpool->af);
3288
3289 if (pf_status.debug >= PF_DEBUG_MISC &&
3290 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
3291 printf("pf_map_addr: selected address ");
3292 pf_print_host(naddr, 0, rpool->af);
3293 printf("\n");
3294 }
3295
3296 return (0);
3297 }
3298
3299 static int
3300 pf_get_sport(struct pf_pdesc *pd, struct pfi_kif *kif, struct pf_rule *r,
3301 struct pf_addr *saddr, union pf_state_xport *sxport, struct pf_addr *daddr,
3302 union pf_state_xport *dxport, struct pf_addr *naddr,
3303 union pf_state_xport *nxport, struct pf_src_node **sn
3304 )
3305 {
3306 #pragma unused(kif)
3307 struct pf_state_key_cmp key;
3308 struct pf_addr init_addr;
3309 unsigned int cut;
3310 sa_family_t af = pd->af;
3311 u_int8_t proto = pd->proto;
3312 unsigned int low = r->rpool.proxy_port[0];
3313 unsigned int high = r->rpool.proxy_port[1];
3314
3315 bzero(&init_addr, sizeof (init_addr));
3316 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
3317 return (1);
3318
3319 if (proto == IPPROTO_ICMP) {
3320 low = 1;
3321 high = 65535;
3322 }
3323
3324 if (!nxport)
3325 return (0); /* No output necessary. */
3326
3327 /*--- Special mapping rules for UDP ---*/
3328 if (proto == IPPROTO_UDP) {
3329
3330 /*--- Never float IKE source port ---*/
3331 if (ntohs(sxport->port) == PF_IKE_PORT) {
3332 nxport->port = sxport->port;
3333 return (0);
3334 }
3335
3336 /*--- Apply exterior mapping options ---*/
3337 if (r->extmap > PF_EXTMAP_APD) {
3338 struct pf_state *s;
3339
3340 TAILQ_FOREACH(s, &state_list, entry_list) {
3341 struct pf_state_key *sk = s->state_key;
3342 if (!sk)
3343 continue;
3344 if (s->nat_rule.ptr != r)
3345 continue;
3346 if (sk->proto != IPPROTO_UDP ||
3347 sk->af_lan != af)
3348 continue;
3349 if (sk->lan.xport.port != sxport->port)
3350 continue;
3351 if (PF_ANEQ(&sk->lan.addr, saddr, af))
3352 continue;
3353 if (r->extmap < PF_EXTMAP_EI &&
3354 PF_ANEQ(&sk->ext_lan.addr, daddr, af))
3355 continue;
3356
3357 nxport->port = sk->gwy.xport.port;
3358 return (0);
3359 }
3360 }
3361 } else if (proto == IPPROTO_TCP) {
3362 struct pf_state* s;
3363 /*
3364 * APPLE MODIFICATION: <rdar://problem/6546358>
3365 * Fix allows....NAT to use a single binding for TCP session
3366 * with same source IP and source port
3367 */
3368 TAILQ_FOREACH(s, &state_list, entry_list) {
3369 struct pf_state_key* sk = s->state_key;
3370 if (!sk)
3371 continue;
3372 if (s->nat_rule.ptr != r)
3373 continue;
3374 if (sk->proto != IPPROTO_TCP || sk->af_lan != af)
3375 continue;
3376 if (sk->lan.xport.port != sxport->port)
3377 continue;
3378 if (!(PF_AEQ(&sk->lan.addr, saddr, af)))
3379 continue;
3380 nxport->port = sk->gwy.xport.port;
3381 return (0);
3382 }
3383 }
3384 do {
3385 key.af_gwy = af;
3386 key.proto = proto;
3387 PF_ACPY(&key.ext_gwy.addr, daddr, key.af_gwy);
3388 PF_ACPY(&key.gwy.addr, naddr, key.af_gwy);
3389 switch (proto) {
3390 case IPPROTO_UDP:
3391 key.proto_variant = r->extfilter;
3392 break;
3393 default:
3394 key.proto_variant = 0;
3395 break;
3396 }
3397 if (dxport)
3398 key.ext_gwy.xport = *dxport;
3399 else
3400 memset(&key.ext_gwy.xport, 0,
3401 sizeof (key.ext_gwy.xport));
3402 /*
3403 * port search; start random, step;
3404 * similar 2 portloop in in_pcbbind
3405 */
3406 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
3407 proto == IPPROTO_ICMP)) {
3408 if (dxport)
3409 key.gwy.xport = *dxport;
3410 else
3411 memset(&key.gwy.xport, 0,
3412 sizeof (key.gwy.xport));
3413 if (pf_find_state_all(&key, PF_IN, NULL) == NULL)
3414 return (0);
3415 } else if (low == 0 && high == 0) {
3416 key.gwy.xport = *nxport;
3417 if (pf_find_state_all(&key, PF_IN, NULL) == NULL
3418 ) {
3419 return (0);
3420 }
3421 } else if (low == high) {
3422 key.gwy.xport.port = htons(low);
3423 if (pf_find_state_all(&key, PF_IN, NULL) == NULL
3424 ) {
3425 nxport->port = htons(low);
3426 return (0);
3427 }
3428 } else {
3429 unsigned int tmp;
3430 if (low > high) {
3431 tmp = low;
3432 low = high;
3433 high = tmp;
3434 }
3435 /* low < high */
3436 cut = htonl(random()) % (1 + high - low) + low;
3437 /* low <= cut <= high */
3438 for (tmp = cut; tmp <= high; ++(tmp)) {
3439 key.gwy.xport.port = htons(tmp);
3440 if (pf_find_state_all(&key, PF_IN, NULL) == NULL
3441 ) {
3442 nxport->port = htons(tmp);
3443 return (0);
3444 }
3445 }
3446 for (tmp = cut - 1; tmp >= low; --(tmp)) {
3447 key.gwy.xport.port = htons(tmp);
3448 if (pf_find_state_all(&key, PF_IN, NULL) == NULL
3449 ) {
3450 nxport->port = htons(tmp);
3451 return (0);
3452 }
3453 }
3454 }
3455
3456 switch (r->rpool.opts & PF_POOL_TYPEMASK) {
3457 case PF_POOL_RANDOM:
3458 case PF_POOL_ROUNDROBIN:
3459 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
3460 return (1);
3461 break;
3462 case PF_POOL_NONE:
3463 case PF_POOL_SRCHASH:
3464 case PF_POOL_BITMASK:
3465 default:
3466 return (1);
3467 }
3468 } while (!PF_AEQ(&init_addr, naddr, af));
3469
3470 return (1); /* none available */
3471 }
3472
3473 static struct pf_rule *
3474 pf_match_translation(struct pf_pdesc *pd, pbuf_t *pbuf, int off,
3475 int direction, struct pfi_kif *kif, struct pf_addr *saddr,
3476 union pf_state_xport *sxport, struct pf_addr *daddr,
3477 union pf_state_xport *dxport, int rs_num)
3478 {
3479 struct pf_rule *r, *rm = NULL;
3480 struct pf_ruleset *ruleset = NULL;
3481 int tag = -1;
3482 unsigned int rtableid = IFSCOPE_NONE;
3483 int asd = 0;
3484
3485 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
3486 while (r && rm == NULL) {
3487 struct pf_rule_addr *src = NULL, *dst = NULL;
3488 struct pf_addr_wrap *xdst = NULL;
3489 struct pf_addr_wrap *xsrc = NULL;
3490 union pf_rule_xport rdrxport;
3491
3492 if (r->action == PF_BINAT && direction == PF_IN) {
3493 src = &r->dst;
3494 if (r->rpool.cur != NULL)
3495 xdst = &r->rpool.cur->addr;
3496 } else if (r->action == PF_RDR && direction == PF_OUT) {
3497 dst = &r->src;
3498 src = &r->dst;
3499 if (r->rpool.cur != NULL) {
3500 rdrxport.range.op = PF_OP_EQ;
3501 rdrxport.range.port[0] =
3502 htons(r->rpool.proxy_port[0]);
3503 xsrc = &r->rpool.cur->addr;
3504 }
3505 } else {
3506 src = &r->src;
3507 dst = &r->dst;
3508 }
3509
3510 r->evaluations++;
3511 if (pfi_kif_match(r->kif, kif) == r->ifnot)
3512 r = r->skip[PF_SKIP_IFP].ptr;
3513 else if (r->direction && r->direction != direction)
3514 r = r->skip[PF_SKIP_DIR].ptr;
3515 else if (r->af && r->af != pd->af)
3516 r = r->skip[PF_SKIP_AF].ptr;
3517 else if (r->proto && r->proto != pd->proto)
3518 r = r->skip[PF_SKIP_PROTO].ptr;
3519 else if (xsrc && PF_MISMATCHAW(xsrc, saddr, pd->af, 0, NULL))
3520 r = TAILQ_NEXT(r, entries);
3521 else if (!xsrc && PF_MISMATCHAW(&src->addr, saddr, pd->af,
3522 src->neg, kif))
3523 r = TAILQ_NEXT(r, entries);
3524 else if (xsrc && (!rdrxport.range.port[0] ||
3525 !pf_match_xport(r->proto, r->proto_variant, &rdrxport,
3526 sxport)))
3527 r = TAILQ_NEXT(r, entries);
3528 else if (!xsrc && !pf_match_xport(r->proto,
3529 r->proto_variant, &src->xport, sxport))
3530 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
3531 PF_SKIP_DST_PORT].ptr;
3532 else if (dst != NULL &&
3533 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL))
3534 r = r->skip[PF_SKIP_DST_ADDR].ptr;
3535 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
3536 0, NULL))
3537 r = TAILQ_NEXT(r, entries);
3538 else if (dst && !pf_match_xport(r->proto, r->proto_variant,
3539 &dst->xport, dxport))
3540 r = r->skip[PF_SKIP_DST_PORT].ptr;
3541 else if (r->match_tag && !pf_match_tag(r, pd->pf_mtag, &tag))
3542 r = TAILQ_NEXT(r, entries);
3543 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
3544 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, pbuf,
3545 off, pd->hdr.tcp), r->os_fingerprint)))
3546 r = TAILQ_NEXT(r, entries);
3547 else {
3548 if (r->tag)
3549 tag = r->tag;
3550 if (PF_RTABLEID_IS_VALID(r->rtableid))
3551 rtableid = r->rtableid;
3552 if (r->anchor == NULL) {
3553 rm = r;
3554 } else
3555 pf_step_into_anchor(&asd, &ruleset, rs_num,
3556 &r, NULL, NULL);
3557 }
3558 if (r == NULL)
3559 pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r,
3560 NULL, NULL);
3561 }
3562 if (pf_tag_packet(pbuf, pd->pf_mtag, tag, rtableid, NULL))
3563 return (NULL);
3564 if (rm != NULL && (rm->action == PF_NONAT ||
3565 rm->action == PF_NORDR || rm->action == PF_NOBINAT ||
3566 rm->action == PF_NONAT64))
3567 return (NULL);
3568 return (rm);
3569 }
3570
3571 /*
3572 * Get address translation information for NAT/BINAT/RDR
3573 * pd : pf packet descriptor
3574 * pbuf : pbuf holding the packet
3575 * off : offset to protocol header
3576 * direction : direction of packet
3577 * kif : pf interface info obtained from the packet's recv interface
3578 * sn : source node pointer (output)
3579 * saddr : packet source address
3580 * sxport : packet source port
3581 * daddr : packet destination address
3582 * dxport : packet destination port
3583 * nsxport : translated source port (output)
3584 *
3585 * Translated source & destination address are updated in pd->nsaddr &
3586 * pd->ndaddr
3587 */
3588 static struct pf_rule *
3589 pf_get_translation_aux(struct pf_pdesc *pd, pbuf_t *pbuf, int off,
3590 int direction, struct pfi_kif *kif, struct pf_src_node **sn,
3591 struct pf_addr *saddr, union pf_state_xport *sxport, struct pf_addr *daddr,
3592 union pf_state_xport *dxport, union pf_state_xport *nsxport
3593 )
3594 {
3595 struct pf_rule *r = NULL;
3596 pd->naf = pd->af;
3597
3598 if (direction == PF_OUT) {
3599 r = pf_match_translation(pd, pbuf, off, direction, kif, saddr,
3600 sxport, daddr, dxport, PF_RULESET_BINAT);
3601 if (r == NULL)
3602 r = pf_match_translation(pd, pbuf, off, direction, kif,
3603 saddr, sxport, daddr, dxport, PF_RULESET_RDR);
3604 if (r == NULL)
3605 r = pf_match_translation(pd, pbuf, off, direction, kif,
3606 saddr, sxport, daddr, dxport, PF_RULESET_NAT);
3607 } else {
3608 r = pf_match_translation(pd, pbuf, off, direction, kif, saddr,
3609 sxport, daddr, dxport, PF_RULESET_RDR);
3610 if (r == NULL)
3611 r = pf_match_translation(pd, pbuf, off, direction, kif,
3612 saddr, sxport, daddr, dxport, PF_RULESET_BINAT);
3613 }
3614
3615 if (r != NULL) {
3616 struct pf_addr *nsaddr = &pd->naddr;
3617 struct pf_addr *ndaddr = &pd->ndaddr;
3618
3619 *nsaddr = *saddr;
3620 *ndaddr = *daddr;
3621
3622 switch (r->action) {
3623 case PF_NONAT:
3624 case PF_NONAT64:
3625 case PF_NOBINAT:
3626 case PF_NORDR:
3627 return (NULL);
3628 case PF_NAT:
3629 case PF_NAT64:
3630 /*
3631 * we do NAT64 on incoming path and we call ip_input
3632 * which asserts receive interface to be not NULL.
3633 * The below check is to prevent NAT64 action on any
3634 * packet generated by local entity using synthesized
3635 * IPv6 address.
3636 */
3637 if ((r->action == PF_NAT64) && (direction == PF_OUT))
3638 return (NULL);
3639
3640 if (pf_get_sport(pd, kif, r, saddr, sxport, daddr,
3641 dxport, nsaddr, nsxport, sn
3642 ))
3643 {
3644 DPFPRINTF(PF_DEBUG_MISC,
3645 ("pf: NAT proxy port allocation "
3646 "(%u-%u) failed\n",
3647 r->rpool.proxy_port[0],
3648 r->rpool.proxy_port[1]));
3649 return (NULL);
3650 }
3651 /*
3652 * For NAT64 the destination IPv4 address is derived
3653 * from the last 32 bits of synthesized IPv6 address
3654 */
3655 if (r->action == PF_NAT64) {
3656 ndaddr->v4addr.s_addr = daddr->addr32[3];
3657 pd->naf = AF_INET;
3658 }
3659 break;
3660 case PF_BINAT:
3661 switch (direction) {
3662 case PF_OUT:
3663 if (r->rpool.cur->addr.type ==
3664 PF_ADDR_DYNIFTL) {
3665 if (r->rpool.cur->addr.p.dyn == NULL)
3666 return (NULL);
3667 switch (pd->af) {
3668 #if INET
3669 case AF_INET:
3670 if (r->rpool.cur->addr.p.dyn->
3671 pfid_acnt4 < 1)
3672 return (NULL);
3673 PF_POOLMASK(nsaddr,
3674 &r->rpool.cur->addr.p.dyn->
3675 pfid_addr4,
3676 &r->rpool.cur->addr.p.dyn->
3677 pfid_mask4,
3678 saddr, AF_INET);
3679 break;
3680 #endif /* INET */
3681 #if INET6
3682 case AF_INET6:
3683 if (r->rpool.cur->addr.p.dyn->
3684 pfid_acnt6 < 1)
3685 return (NULL);
3686 PF_POOLMASK(nsaddr,
3687 &r->rpool.cur->addr.p.dyn->
3688 pfid_addr6,
3689 &r->rpool.cur->addr.p.dyn->
3690 pfid_mask6,
3691 saddr, AF_INET6);
3692 break;
3693 #endif /* INET6 */
3694 }
3695 } else {
3696 PF_POOLMASK(nsaddr,
3697 &r->rpool.cur->addr.v.a.addr,
3698 &r->rpool.cur->addr.v.a.mask,
3699 saddr, pd->af);
3700 }
3701 break;
3702 case PF_IN:
3703 if (r->src.addr.type == PF_ADDR_DYNIFTL) {
3704 if (r->src.addr.p.dyn == NULL)
3705 return (NULL);
3706 switch (pd->af) {
3707 #if INET
3708 case AF_INET:
3709 if (r->src.addr.p.dyn->
3710 pfid_acnt4 < 1)
3711 return (NULL);
3712 PF_POOLMASK(ndaddr,
3713 &r->src.addr.p.dyn->
3714 pfid_addr4,
3715 &r->src.addr.p.dyn->
3716 pfid_mask4,
3717 daddr, AF_INET);
3718 break;
3719 #endif /* INET */
3720 #if INET6
3721 case AF_INET6:
3722 if (r->src.addr.p.dyn->
3723 pfid_acnt6 < 1)
3724 return (NULL);
3725 PF_POOLMASK(ndaddr,
3726 &r->src.addr.p.dyn->
3727 pfid_addr6,
3728 &r->src.addr.p.dyn->
3729 pfid_mask6,
3730 daddr, AF_INET6);
3731 break;
3732 #endif /* INET6 */
3733 }
3734 } else
3735 PF_POOLMASK(ndaddr,
3736 &r->src.addr.v.a.addr,
3737 &r->src.addr.v.a.mask, daddr,
3738 pd->af);
3739 break;
3740 }
3741 break;
3742 case PF_RDR: {
3743 switch (direction) {
3744 case PF_OUT:
3745 if (r->dst.addr.type == PF_ADDR_DYNIFTL) {
3746 if (r->dst.addr.p.dyn == NULL)
3747 return (NULL);
3748 switch (pd->af) {
3749 #if INET
3750 case AF_INET:
3751 if (r->dst.addr.p.dyn->
3752 pfid_acnt4 < 1)
3753 return (NULL);
3754 PF_POOLMASK(nsaddr,
3755 &r->dst.addr.p.dyn->
3756 pfid_addr4,
3757 &r->dst.addr.p.dyn->
3758 pfid_mask4,
3759 daddr, AF_INET);
3760 break;
3761 #endif /* INET */
3762 #if INET6
3763 case AF_INET6:
3764 if (r->dst.addr.p.dyn->
3765 pfid_acnt6 < 1)
3766 return (NULL);
3767 PF_POOLMASK(nsaddr,
3768 &r->dst.addr.p.dyn->
3769 pfid_addr6,
3770 &r->dst.addr.p.dyn->
3771 pfid_mask6,
3772 daddr, AF_INET6);
3773 break;
3774 #endif /* INET6 */
3775 }
3776 } else {
3777 PF_POOLMASK(nsaddr,
3778 &r->dst.addr.v.a.addr,
3779 &r->dst.addr.v.a.mask,
3780 daddr, pd->af);
3781 }
3782 if (nsxport && r->dst.xport.range.port[0])
3783 nsxport->port =
3784 r->dst.xport.range.port[0];
3785 break;
3786 case PF_IN:
3787 if (pf_map_addr(pd->af, r, saddr,
3788 ndaddr, NULL, sn))
3789 return (NULL);
3790 if ((r->rpool.opts & PF_POOL_TYPEMASK) ==
3791 PF_POOL_BITMASK)
3792 PF_POOLMASK(ndaddr, ndaddr,
3793 &r->rpool.cur->addr.v.a.mask, daddr,
3794 pd->af);
3795
3796 if (nsxport && dxport) {
3797 if (r->rpool.proxy_port[1]) {
3798 u_int32_t tmp_nport;
3799
3800 tmp_nport =
3801 ((ntohs(dxport->port) -
3802 ntohs(r->dst.xport.range.
3803 port[0])) %
3804 (r->rpool.proxy_port[1] -
3805 r->rpool.proxy_port[0] +
3806 1)) + r->rpool.proxy_port[0];
3807
3808 /* wrap around if necessary */
3809 if (tmp_nport > 65535)
3810 tmp_nport -= 65535;
3811 nsxport->port =
3812 htons((u_int16_t)tmp_nport);
3813 } else if (r->rpool.proxy_port[0]) {
3814 nsxport->port = htons(r->rpool.
3815 proxy_port[0]);
3816 }
3817 }
3818 break;
3819 }
3820 break;
3821 }
3822 default:
3823 return (NULL);
3824 }
3825 }
3826
3827 return (r);
3828 }
3829
3830 int
3831 pf_socket_lookup(int direction, struct pf_pdesc *pd)
3832 {
3833 struct pf_addr *saddr, *daddr;
3834 u_int16_t sport, dport;
3835 struct inpcbinfo *pi;
3836 int inp = 0;
3837
3838 if (pd == NULL)
3839 return (-1);
3840 pd->lookup.uid = UID_MAX;
3841 pd->lookup.gid = GID_MAX;
3842 pd->lookup.pid = NO_PID;
3843
3844 switch (pd->proto) {
3845 case IPPROTO_TCP:
3846 if (pd->hdr.tcp == NULL)
3847 return (-1);
3848 sport = pd->hdr.tcp->th_sport;
3849 dport = pd->hdr.tcp->th_dport;
3850 pi = &tcbinfo;
3851 break;
3852 case IPPROTO_UDP:
3853 if (pd->hdr.udp == NULL)
3854 return (-1);
3855 sport = pd->hdr.udp->uh_sport;
3856 dport = pd->hdr.udp->uh_dport;
3857 pi = &udbinfo;
3858 break;
3859 default:
3860 return (-1);
3861 }
3862 if (direction == PF_IN) {
3863 saddr = pd->src;
3864 daddr = pd->dst;
3865 } else {
3866 u_int16_t p;
3867
3868 p = sport;
3869 sport = dport;
3870 dport = p;
3871 saddr = pd->dst;
3872 daddr = pd->src;
3873 }
3874 switch (pd->af) {
3875 #if INET
3876 case AF_INET:
3877 inp = in_pcblookup_hash_exists(pi, saddr->v4addr, sport, daddr->v4addr, dport,
3878 0, &pd->lookup.uid, &pd->lookup.gid, NULL);
3879 #if INET6
3880 if (inp == 0) {
3881 struct in6_addr s6, d6;
3882
3883 memset(&s6, 0, sizeof (s6));
3884 s6.s6_addr16[5] = htons(0xffff);
3885 memcpy(&s6.s6_addr32[3], &saddr->v4addr,
3886 sizeof (saddr->v4addr));
3887
3888 memset(&d6, 0, sizeof (d6));
3889 d6.s6_addr16[5] = htons(0xffff);
3890 memcpy(&d6.s6_addr32[3], &daddr->v4addr,
3891 sizeof (daddr->v4addr));
3892
3893 inp = in6_pcblookup_hash_exists(pi, &s6, sport,
3894 &d6, dport, 0, &pd->lookup.uid, &pd->lookup.gid, NULL);
3895 if (inp == 0) {
3896 inp = in_pcblookup_hash_exists(pi, saddr->v4addr, sport,
3897 daddr->v4addr, dport, INPLOOKUP_WILDCARD, &pd->lookup.uid, &pd->lookup.gid, NULL);
3898 if (inp == 0) {
3899 inp = in6_pcblookup_hash_exists(pi, &s6, sport,
3900 &d6, dport, INPLOOKUP_WILDCARD,
3901 &pd->lookup.uid, &pd->lookup.gid, NULL);
3902 if (inp == 0)
3903 return (-1);
3904 }
3905 }
3906 }
3907 #else
3908 if (inp == 0) {
3909 inp = in_pcblookup_hash_exists(pi, saddr->v4addr, sport,
3910 daddr->v4addr, dport, INPLOOKUP_WILDCARD,
3911 &pd->lookup.uid, &pd->lookup.gid, NULL);
3912 if (inp == 0)
3913 return (-1);
3914 }
3915 #endif /* !INET6 */
3916 break;
3917 #endif /* INET */
3918 #if INET6
3919 case AF_INET6:
3920 inp = in6_pcblookup_hash_exists(pi, &saddr->v6addr, sport, &daddr->v6addr,
3921 dport, 0, &pd->lookup.uid, &pd->lookup.gid, NULL);
3922 if (inp == 0) {
3923 inp = in6_pcblookup_hash_exists(pi, &saddr->v6addr, sport,
3924 &daddr->v6addr, dport, INPLOOKUP_WILDCARD,
3925 &pd->lookup.uid, &pd->lookup.gid, NULL);
3926 if (inp == 0)
3927 return (-1);
3928 }
3929 break;
3930 #endif /* INET6 */
3931
3932 default:
3933 return (-1);
3934 }
3935
3936 return (1);
3937 }
3938
3939 static u_int8_t
3940 pf_get_wscale(pbuf_t *pbuf, int off, u_int16_t th_off, sa_family_t af)
3941 {
3942 int hlen;
3943 u_int8_t hdr[60];
3944 u_int8_t *opt, optlen;
3945 u_int8_t wscale = 0;
3946
3947 hlen = th_off << 2; /* hlen <= sizeof (hdr) */
3948 if (hlen <= (int)sizeof (struct tcphdr))
3949 return (0);
3950 if (!pf_pull_hdr(pbuf, off, hdr, hlen, NULL, NULL, af))
3951 return (0);
3952 opt = hdr + sizeof (struct tcphdr);
3953 hlen -= sizeof (struct tcphdr);
3954 while (hlen >= 3) {
3955 switch (*opt) {
3956 case TCPOPT_EOL:
3957 case TCPOPT_NOP:
3958 ++opt;
3959 --hlen;
3960 break;
3961 case TCPOPT_WINDOW:
3962 wscale = opt[2];
3963 if (wscale > TCP_MAX_WINSHIFT)
3964 wscale = TCP_MAX_WINSHIFT;
3965 wscale |= PF_WSCALE_FLAG;
3966 /* FALLTHROUGH */
3967 default:
3968 optlen = opt[1];
3969 if (optlen < 2)
3970 optlen = 2;
3971 hlen -= optlen;
3972 opt += optlen;
3973 break;
3974 }
3975 }
3976 return (wscale);
3977 }
3978
3979 static u_int16_t
3980 pf_get_mss(pbuf_t *pbuf, int off, u_int16_t th_off, sa_family_t af)
3981 {
3982 int hlen;
3983 u_int8_t hdr[60];
3984 u_int8_t *opt, optlen;
3985 u_int16_t mss = tcp_mssdflt;
3986
3987 hlen = th_off << 2; /* hlen <= sizeof (hdr) */
3988 if (hlen <= (int)sizeof (struct tcphdr))
3989 return (0);
3990 if (!pf_pull_hdr(pbuf, off, hdr, hlen, NULL, NULL, af))
3991 return (0);
3992 opt = hdr + sizeof (struct tcphdr);
3993 hlen -= sizeof (struct tcphdr);
3994 while (hlen >= TCPOLEN_MAXSEG) {
3995 switch (*opt) {
3996 case TCPOPT_EOL:
3997 case TCPOPT_NOP:
3998 ++opt;
3999 --hlen;
4000 break;
4001 case TCPOPT_MAXSEG:
4002 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2);
4003 #if BYTE_ORDER != BIG_ENDIAN
4004 NTOHS(mss);
4005 #endif
4006 /* FALLTHROUGH */
4007 default:
4008 optlen = opt[1];
4009 if (optlen < 2)
4010 optlen = 2;
4011 hlen -= optlen;
4012 opt += optlen;
4013 break;
4014 }
4015 }
4016 return (mss);
4017 }
4018
4019 static u_int16_t
4020 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer)
4021 {
4022 #if INET
4023 struct sockaddr_in *dst;
4024 struct route ro;
4025 #endif /* INET */
4026 #if INET6
4027 struct sockaddr_in6 *dst6;
4028 struct route_in6 ro6;
4029 #endif /* INET6 */
4030 struct rtentry *rt = NULL;
4031 int hlen;
4032 u_int16_t mss = tcp_mssdflt;
4033
4034 switch (af) {
4035 #if INET
4036 case AF_INET:
4037 hlen = sizeof (struct ip);
4038 bzero(&ro, sizeof (ro));
4039 dst = (struct sockaddr_in *)(void *)&ro.ro_dst;
4040 dst->sin_family = AF_INET;
4041 dst->sin_len = sizeof (*dst);
4042 dst->sin_addr = addr->v4addr;
4043 rtalloc(&ro);
4044 rt = ro.ro_rt;
4045 break;
4046 #endif /* INET */
4047 #if INET6
4048 case AF_INET6:
4049 hlen = sizeof (struct ip6_hdr);
4050 bzero(&ro6, sizeof (ro6));
4051 dst6 = (struct sockaddr_in6 *)(void *)&ro6.ro_dst;
4052 dst6->sin6_family = AF_INET6;
4053 dst6->sin6_len = sizeof (*dst6);
4054 dst6->sin6_addr = addr->v6addr;
4055 rtalloc((struct route *)&ro);
4056 rt = ro6.ro_rt;
4057 break;
4058 #endif /* INET6 */
4059 default:
4060 panic("pf_calc_mss: not AF_INET or AF_INET6!");
4061 return (0);
4062 }
4063
4064 if (rt && rt->rt_ifp) {
4065 mss = rt->rt_ifp->if_mtu - hlen - sizeof (struct tcphdr);
4066 mss = max(tcp_mssdflt, mss);
4067 rtfree(rt);
4068 }
4069 mss = min(mss, offer);
4070 mss = max(mss, 64); /* sanity - at least max opt space */
4071 return (mss);
4072 }
4073
4074 static void
4075 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr, sa_family_t af)
4076 {
4077 struct pf_rule *r = s->rule.ptr;
4078
4079 s->rt_kif = NULL;
4080
4081 if (!r->rt || r->rt == PF_FASTROUTE)
4082 return;
4083 if ((af == AF_INET) || (af == AF_INET6)) {
4084 pf_map_addr(af, r, saddr, &s->rt_addr, NULL,
4085 &s->nat_src_node);
4086 s->rt_kif = r->rpool.cur->kif;
4087 }
4088
4089 return;
4090 }
4091
4092 static void
4093 pf_attach_state(struct pf_state_key *sk, struct pf_state *s, int tail)
4094 {
4095 s->state_key = sk;
4096 sk->refcnt++;
4097
4098 /* list is sorted, if-bound states before floating */
4099 if (tail)
4100 TAILQ_INSERT_TAIL(&sk->states, s, next);
4101 else
4102 TAILQ_INSERT_HEAD(&sk->states, s, next);
4103 }
4104
4105 static void
4106 pf_detach_state(struct pf_state *s, int flags)
4107 {
4108 struct pf_state_key *sk = s->state_key;
4109
4110 if (sk == NULL)
4111 return;
4112
4113 s->state_key = NULL;
4114 TAILQ_REMOVE(&sk->states, s, next);
4115 if (--sk->refcnt == 0) {
4116 if (!(flags & PF_DT_SKIP_EXTGWY))
4117 RB_REMOVE(pf_state_tree_ext_gwy,
4118 &pf_statetbl_ext_gwy, sk);
4119 if (!(flags & PF_DT_SKIP_LANEXT))
4120 RB_REMOVE(pf_state_tree_lan_ext,
4121 &pf_statetbl_lan_ext, sk);
4122 if (sk->app_state)
4123 pool_put(&pf_app_state_pl, sk->app_state);
4124 pool_put(&pf_state_key_pl, sk);
4125 }
4126 }
4127
4128 struct pf_state_key *
4129 pf_alloc_state_key(struct pf_state *s, struct pf_state_key *psk)
4130 {
4131 struct pf_state_key *sk;
4132
4133 if ((sk = pool_get(&pf_state_key_pl, PR_WAITOK)) == NULL)
4134 return (NULL);
4135 bzero(sk, sizeof (*sk));
4136 TAILQ_INIT(&sk->states);
4137 pf_attach_state(sk, s, 0);
4138
4139 /* initialize state key from psk, if provided */
4140 if (psk != NULL) {
4141 bcopy(&psk->lan, &sk->lan, sizeof (sk->lan));
4142 bcopy(&psk->gwy, &sk->gwy, sizeof (sk->gwy));
4143 bcopy(&psk->ext_lan, &sk->ext_lan, sizeof (sk->ext_lan));
4144 bcopy(&psk->ext_gwy, &sk->ext_gwy, sizeof (sk->ext_gwy));
4145 sk->af_lan = psk->af_lan;
4146 sk->af_gwy = psk->af_gwy;
4147 sk->proto = psk->proto;
4148 sk->direction = psk->direction;
4149 sk->proto_variant = psk->proto_variant;
4150 VERIFY(psk->app_state == NULL);
4151 sk->flowsrc = psk->flowsrc;
4152 sk->flowhash = psk->flowhash;
4153 /* don't touch tree entries, states and refcnt on sk */
4154 }
4155
4156 return (sk);
4157 }
4158
4159 static u_int32_t
4160 pf_tcp_iss(struct pf_pdesc *pd)
4161 {
4162 MD5_CTX ctx;
4163 u_int32_t digest[4];
4164
4165 if (pf_tcp_secret_init == 0) {
4166 read_frandom(pf_tcp_secret, sizeof (pf_tcp_secret));
4167 MD5Init(&pf_tcp_secret_ctx);
4168 MD5Update(&pf_tcp_secret_ctx, pf_tcp_secret,
4169 sizeof (pf_tcp_secret));
4170 pf_tcp_secret_init = 1;
4171 }
4172 ctx = pf_tcp_secret_ctx;
4173
4174 MD5Update(&ctx, (char *)&pd->hdr.tcp->th_sport, sizeof (u_short));
4175 MD5Update(&ctx, (char *)&pd->hdr.tcp->th_dport, sizeof (u_short));
4176 if (pd->af == AF_INET6) {
4177 MD5Update(&ctx, (char *)&pd->src->v6addr, sizeof (struct in6_addr));
4178 MD5Update(&ctx, (char *)&pd->dst->v6addr, sizeof (struct in6_addr));
4179 } else {
4180 MD5Update(&ctx, (char *)&pd->src->v4addr, sizeof (struct in_addr));
4181 MD5Update(&ctx, (char *)&pd->dst->v4addr, sizeof (struct in_addr));
4182 }
4183 MD5Final((u_char *)digest, &ctx);
4184 pf_tcp_iss_off += 4096;
4185 return (digest[0] + random() + pf_tcp_iss_off);
4186 }
4187
4188 /*
4189 * This routine is called to perform address family translation on the
4190 * inner IP header (that may come as payload) of an ICMP(v4addr/6) error
4191 * response.
4192 */
4193 static int
4194 pf_change_icmp_af(pbuf_t *pbuf, int off,
4195 struct pf_pdesc *pd, struct pf_pdesc *pd2, struct pf_addr *src,
4196 struct pf_addr *dst, sa_family_t af, sa_family_t naf)
4197 {
4198 struct ip *ip4 = NULL;
4199 struct ip6_hdr *ip6 = NULL;
4200 void *hdr;
4201 int hlen, olen;
4202
4203 if (af == naf || (af != AF_INET && af != AF_INET6) ||
4204 (naf != AF_INET && naf != AF_INET6))
4205 return (-1);
4206
4207 /* old header */
4208 olen = pd2->off - off;
4209 /* new header */
4210 hlen = naf == AF_INET ? sizeof(*ip4) : sizeof(*ip6);
4211
4212 /* Modify the pbuf to accommodate the new header */
4213 hdr = pbuf_resize_segment(pbuf, off, olen, hlen);
4214 if (hdr == NULL)
4215 return (-1);
4216
4217 /* translate inner ip/ip6 header */
4218 switch (naf) {
4219 case AF_INET:
4220 ip4 = hdr;
4221 bzero(ip4, sizeof(*ip4));
4222 ip4->ip_v = IPVERSION;
4223 ip4->ip_hl = sizeof(*ip4) >> 2;
4224 ip4->ip_len = htons(sizeof(*ip4) + pd2->tot_len - olen);
4225 ip4->ip_id = rfc6864 ? 0 : htons(ip_randomid());
4226 ip4->ip_off = htons(IP_DF);
4227 ip4->ip_ttl = pd2->ttl;
4228 if (pd2->proto == IPPROTO_ICMPV6)
4229 ip4->ip_p = IPPROTO_ICMP;
4230 else
4231 ip4->ip_p = pd2->proto;
4232 ip4->ip_src = src->v4addr;
4233 ip4->ip_dst = dst->v4addr;
4234 ip4->ip_sum = pbuf_inet_cksum(pbuf, 0, 0, ip4->ip_hl << 2);
4235 break;
4236 case AF_INET6:
4237 ip6 = hdr;
4238 bzero(ip6, sizeof(*ip6));
4239 ip6->ip6_vfc = IPV6_VERSION;
4240 ip6->ip6_plen = htons(pd2->tot_len - olen);
4241 if (pd2->proto == IPPROTO_ICMP)
4242 ip6->ip6_nxt = IPPROTO_ICMPV6;
4243 else
4244 ip6->ip6_nxt = pd2->proto;
4245 if (!pd2->ttl || pd2->ttl > IPV6_DEFHLIM)
4246 ip6->ip6_hlim = IPV6_DEFHLIM;
4247 else
4248 ip6->ip6_hlim = pd2->ttl;
4249 ip6->ip6_src = src->v6addr;
4250 ip6->ip6_dst = dst->v6addr;
4251 break;
4252 }
4253
4254 /* adjust payload offset and total packet length */
4255 pd2->off += hlen - olen;
4256 pd->tot_len += hlen - olen;
4257
4258 return (0);
4259 }
4260
4261 #define PTR_IP(field) ((int32_t)offsetof(struct ip, field))
4262 #define PTR_IP6(field) ((int32_t)offsetof(struct ip6_hdr, field))
4263
4264 static int
4265 pf_translate_icmp_af(int af, void *arg)
4266 {
4267 struct icmp *icmp4;
4268 struct icmp6_hdr *icmp6;
4269 u_int32_t mtu;
4270 int32_t ptr = -1;
4271 u_int8_t type;
4272 u_int8_t code;
4273
4274 switch (af) {
4275 case AF_INET:
4276 icmp6 = arg;
4277 type = icmp6->icmp6_type;
4278 code = icmp6->icmp6_code;
4279 mtu = ntohl(icmp6->icmp6_mtu);
4280
4281 switch (type) {
4282 case ICMP6_ECHO_REQUEST:
4283 type = ICMP_ECHO;
4284 break;
4285 case ICMP6_ECHO_REPLY:
4286 type = ICMP_ECHOREPLY;
4287 break;
4288 case ICMP6_DST_UNREACH:
4289 type = ICMP_UNREACH;
4290 switch (code) {
4291 case ICMP6_DST_UNREACH_NOROUTE:
4292 case ICMP6_DST_UNREACH_BEYONDSCOPE:
4293 case ICMP6_DST_UNREACH_ADDR:
4294 code = ICMP_UNREACH_HOST;
4295 break;
4296 case ICMP6_DST_UNREACH_ADMIN:
4297 code = ICMP_UNREACH_HOST_PROHIB;
4298 break;
4299 case ICMP6_DST_UNREACH_NOPORT:
4300 code = ICMP_UNREACH_PORT;
4301 break;
4302 default:
4303 return (-1);
4304 }
4305 break;
4306 case ICMP6_PACKET_TOO_BIG:
4307 type = ICMP_UNREACH;
4308 code = ICMP_UNREACH_NEEDFRAG;
4309 mtu -= 20;
4310 break;
4311 case ICMP6_TIME_EXCEEDED:
4312 type = ICMP_TIMXCEED;
4313 break;
4314 case ICMP6_PARAM_PROB:
4315 switch (code) {
4316 case ICMP6_PARAMPROB_HEADER:
4317 type = ICMP_PARAMPROB;
4318 code = ICMP_PARAMPROB_ERRATPTR;
4319 ptr = ntohl(icmp6->icmp6_pptr);
4320
4321 if (ptr == PTR_IP6(ip6_vfc))
4322 ; /* preserve */
4323 else if (ptr == PTR_IP6(ip6_vfc) + 1)
4324 ptr = PTR_IP(ip_tos);
4325 else if (ptr == PTR_IP6(ip6_plen) ||
4326 ptr == PTR_IP6(ip6_plen) + 1)
4327 ptr = PTR_IP(ip_len);
4328 else if (ptr == PTR_IP6(ip6_nxt))
4329 ptr = PTR_IP(ip_p);
4330 else if (ptr == PTR_IP6(ip6_hlim))
4331 ptr = PTR_IP(ip_ttl);
4332 else if (ptr >= PTR_IP6(ip6_src) &&
4333 ptr < PTR_IP6(ip6_dst))
4334 ptr = PTR_IP(ip_src);
4335 else if (ptr >= PTR_IP6(ip6_dst) &&
4336 ptr < (int32_t)sizeof(struct ip6_hdr))
4337 ptr = PTR_IP(ip_dst);
4338 else {
4339 return (-1);
4340 }
4341 break;
4342 case ICMP6_PARAMPROB_NEXTHEADER:
4343 type = ICMP_UNREACH;
4344 code = ICMP_UNREACH_PROTOCOL;
4345 break;
4346 default:
4347 return (-1);
4348 }
4349 break;
4350 default:
4351 return (-1);
4352 }
4353 icmp6->icmp6_type = type;
4354 icmp6->icmp6_code = code;
4355 /* aligns well with a icmpv4 nextmtu */
4356 icmp6->icmp6_mtu = htonl(mtu);
4357 /* icmpv4 pptr is a one most significant byte */
4358 if (ptr >= 0)
4359 icmp6->icmp6_pptr = htonl(ptr << 24);
4360 break;
4361
4362 case AF_INET6:
4363 icmp4 = arg;
4364 type = icmp4->icmp_type;
4365 code = icmp4->icmp_code;
4366 mtu = ntohs(icmp4->icmp_nextmtu);
4367
4368 switch (type) {
4369 case ICMP_ECHO:
4370 type = ICMP6_ECHO_REQUEST;
4371 break;
4372 case ICMP_ECHOREPLY:
4373 type = ICMP6_ECHO_REPLY;
4374 break;
4375 case ICMP_UNREACH:
4376 type = ICMP6_DST_UNREACH;
4377 switch (code) {
4378 case ICMP_UNREACH_NET:
4379 case ICMP_UNREACH_HOST:
4380 case ICMP_UNREACH_NET_UNKNOWN:
4381 case ICMP_UNREACH_HOST_UNKNOWN:
4382 case ICMP_UNREACH_ISOLATED:
4383 case ICMP_UNREACH_TOSNET:
4384 case ICMP_UNREACH_TOSHOST:
4385 code = ICMP6_DST_UNREACH_NOROUTE;
4386 break;
4387 case ICMP_UNREACH_PORT:
4388 code = ICMP6_DST_UNREACH_NOPORT;
4389 break;
4390 case ICMP_UNREACH_NET_PROHIB:
4391 case ICMP_UNREACH_HOST_PROHIB:
4392 case ICMP_UNREACH_FILTER_PROHIB:
4393 case ICMP_UNREACH_PRECEDENCE_CUTOFF:
4394 code = ICMP6_DST_UNREACH_ADMIN;
4395 break;
4396 case ICMP_UNREACH_PROTOCOL:
4397 type = ICMP6_PARAM_PROB;
4398 code = ICMP6_PARAMPROB_NEXTHEADER;
4399 ptr = offsetof(struct ip6_hdr, ip6_nxt);
4400 break;
4401 case ICMP_UNREACH_NEEDFRAG:
4402 type = ICMP6_PACKET_TOO_BIG;
4403 code = 0;
4404 mtu += 20;
4405 break;
4406 default:
4407 return (-1);
4408 }
4409 break;
4410 case ICMP_TIMXCEED:
4411 type = ICMP6_TIME_EXCEEDED;
4412 break;
4413 case ICMP_PARAMPROB:
4414 type = ICMP6_PARAM_PROB;
4415 switch (code) {
4416 case ICMP_PARAMPROB_ERRATPTR:
4417 code = ICMP6_PARAMPROB_HEADER;
4418 break;
4419 case ICMP_PARAMPROB_LENGTH:
4420 code = ICMP6_PARAMPROB_HEADER;
4421 break;
4422 default:
4423 return (-1);
4424 }
4425
4426 ptr = icmp4->icmp_pptr;
4427 if (ptr == 0 || ptr == PTR_IP(ip_tos))
4428 ; /* preserve */
4429 else if (ptr == PTR_IP(ip_len) ||
4430 ptr == PTR_IP(ip_len) + 1)
4431 ptr = PTR_IP6(ip6_plen);
4432 else if (ptr == PTR_IP(ip_ttl))
4433 ptr = PTR_IP6(ip6_hlim);
4434 else if (ptr == PTR_IP(ip_p))
4435 ptr = PTR_IP6(ip6_nxt);
4436 else if (ptr >= PTR_IP(ip_src) &&
4437 ptr < PTR_IP(ip_dst))
4438 ptr = PTR_IP6(ip6_src);
4439 else if (ptr >= PTR_IP(ip_dst) &&
4440 ptr < (int32_t)sizeof(struct ip))
4441 ptr = PTR_IP6(ip6_dst);
4442 else {
4443 return (-1);
4444 }
4445 break;
4446 default:
4447 return (-1);
4448 }
4449 icmp4->icmp_type = type;
4450 icmp4->icmp_code = code;
4451 icmp4->icmp_nextmtu = htons(mtu);
4452 if (ptr >= 0)
4453 icmp4->icmp_void = htonl(ptr);
4454 break;
4455 }
4456
4457 return (0);
4458 }
4459
4460 /* Note: frees pbuf if PF_NAT64 is returned */
4461 static int
4462 pf_nat64_ipv6(pbuf_t *pbuf, int off, struct pf_pdesc *pd)
4463 {
4464 struct ip *ip4;
4465 struct mbuf *m;
4466
4467 /*
4468 * ip_input asserts for rcvif to be not NULL
4469 * That may not be true for two corner cases
4470 * 1. If for some reason a local app sends DNS
4471 * AAAA query to local host
4472 * 2. If IPv6 stack in kernel internally generates a
4473 * message destined for a synthesized IPv6 end-point.
4474 */
4475 if (pbuf->pb_ifp == NULL)
4476 return (PF_DROP);
4477
4478 ip4 = (struct ip *)pbuf_resize_segment(pbuf, 0, off, sizeof(*ip4));
4479 if (ip4 == NULL)
4480 return (PF_DROP);
4481
4482 ip4->ip_v = 4;
4483 ip4->ip_hl = 5;
4484 ip4->ip_tos = pd->tos & htonl(0x0ff00000);
4485 ip4->ip_len = htons(sizeof(*ip4) + (pd->tot_len - off));
4486 ip4->ip_id = 0;
4487 ip4->ip_off = htons(IP_DF);
4488 ip4->ip_ttl = pd->ttl;
4489 ip4->ip_p = pd->proto;
4490 ip4->ip_sum = 0;
4491 ip4->ip_src = pd->naddr.v4addr;
4492 ip4->ip_dst = pd->ndaddr.v4addr;
4493 ip4->ip_sum = pbuf_inet_cksum(pbuf, 0, 0, ip4->ip_hl << 2);
4494
4495 /* recalculate icmp checksums */
4496 if (pd->proto == IPPROTO_ICMP) {
4497 struct icmp *icmp;
4498 int hlen = sizeof(*ip4);
4499
4500 icmp = (struct icmp *)pbuf_contig_segment(pbuf, hlen,
4501 ICMP_MINLEN);
4502 if (icmp == NULL)
4503 return (PF_NAT64);
4504
4505 icmp->icmp_cksum = 0;
4506 icmp->icmp_cksum = pbuf_inet_cksum(pbuf, 0, hlen,
4507 ntohs(ip4->ip_len) - hlen);
4508 }
4509
4510 if ((m = pbuf_to_mbuf(pbuf, TRUE)) != NULL)
4511 ip_input(m);
4512
4513 return (PF_NAT64);
4514 }
4515
4516 static int
4517 pf_nat64_ipv4(pbuf_t *pbuf, int off, struct pf_pdesc *pd)
4518 {
4519 struct ip6_hdr *ip6;
4520 struct mbuf *m;
4521
4522 if (pbuf->pb_ifp == NULL)
4523 return (PF_DROP);
4524
4525 ip6 = (struct ip6_hdr *)pbuf_resize_segment(pbuf, 0, off, sizeof(*ip6));
4526 if (ip6 == NULL)
4527 return (PF_DROP);
4528
4529 ip6->ip6_vfc = htonl((6 << 28) | (pd->tos << 20));
4530 ip6->ip6_plen = htons(pd->tot_len - off);
4531 ip6->ip6_nxt = pd->proto;
4532 ip6->ip6_hlim = pd->ttl;
4533 ip6->ip6_src = pd->naddr.v6addr;
4534 ip6->ip6_dst = pd->ndaddr.v6addr;
4535
4536 /* recalculate icmp6 checksums */
4537 if (pd->proto == IPPROTO_ICMPV6) {
4538 struct icmp6_hdr *icmp6;
4539 int hlen = sizeof(*ip6);
4540
4541 icmp6 = (struct icmp6_hdr *)pbuf_contig_segment(pbuf, hlen,
4542 sizeof(*icmp6));
4543 if (icmp6 == NULL)
4544 return (PF_DROP);
4545
4546 icmp6->icmp6_cksum = 0;
4547 icmp6->icmp6_cksum = pbuf_inet6_cksum(pbuf,
4548 IPPROTO_ICMPV6, hlen,
4549 ntohs(ip6->ip6_plen));
4550 } else if (pd->proto == IPPROTO_UDP) {
4551 struct udphdr *uh;
4552 int hlen = sizeof(*ip6);
4553
4554 uh = (struct udphdr *)pbuf_contig_segment(pbuf, hlen,
4555 sizeof(*uh));
4556 if (uh == NULL)
4557 return (PF_DROP);
4558
4559 if (uh->uh_sum == 0)
4560 uh->uh_sum = pbuf_inet6_cksum(pbuf, IPPROTO_UDP,
4561 hlen, ntohs(ip6->ip6_plen));
4562 }
4563
4564 if ((m = pbuf_to_mbuf(pbuf, TRUE)) != NULL)
4565 ip6_input(m);
4566
4567 return (PF_NAT64);
4568 }
4569
4570 static int
4571 pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
4572 struct pfi_kif *kif, pbuf_t *pbuf, int off, void *h,
4573 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
4574 struct ifqueue *ifq)
4575 {
4576 #pragma unused(h)
4577 struct pf_rule *nr = NULL;
4578 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4579 sa_family_t af = pd->af;
4580 struct pf_rule *r, *a = NULL;
4581 struct pf_ruleset *ruleset = NULL;
4582 struct pf_src_node *nsn = NULL;
4583 struct tcphdr *th = pd->hdr.tcp;
4584 struct udphdr *uh = pd->hdr.udp;
4585 u_short reason;
4586 int rewrite = 0, hdrlen = 0;
4587 int tag = -1;
4588 unsigned int rtableid = IFSCOPE_NONE;
4589 int asd = 0;
4590 int match = 0;
4591 int state_icmp = 0;
4592 u_int16_t mss = tcp_mssdflt;
4593 u_int8_t icmptype = 0, icmpcode = 0;
4594
4595 struct pf_grev1_hdr *grev1 = pd->hdr.grev1;
4596 union pf_state_xport bxport, bdxport, nxport, sxport, dxport;
4597 struct pf_state_key psk;
4598
4599 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
4600
4601 if (direction == PF_IN && pf_check_congestion(ifq)) {
4602 REASON_SET(&reason, PFRES_CONGEST);
4603 return (PF_DROP);
4604 }
4605
4606 hdrlen = 0;
4607 sxport.spi = 0;
4608 dxport.spi = 0;
4609 nxport.spi = 0;
4610
4611 switch (pd->proto) {
4612 case IPPROTO_TCP:
4613 sxport.port = th->th_sport;
4614 dxport.port = th->th_dport;
4615 hdrlen = sizeof (*th);
4616 break;
4617 case IPPROTO_UDP:
4618 sxport.port = uh->uh_sport;
4619 dxport.port = uh->uh_dport;
4620 hdrlen = sizeof (*uh);
4621 break;
4622 #if INET
4623 case IPPROTO_ICMP:
4624 if (pd->af != AF_INET)
4625 break;
4626 sxport.port = dxport.port = pd->hdr.icmp->icmp_id;
4627 hdrlen = ICMP_MINLEN;
4628 icmptype = pd->hdr.icmp->icmp_type;
4629 icmpcode = pd->hdr.icmp->icmp_code;
4630
4631 if (icmptype == ICMP_UNREACH ||
4632 icmptype == ICMP_SOURCEQUENCH ||
4633 icmptype == ICMP_REDIRECT ||
4634 icmptype == ICMP_TIMXCEED ||
4635 icmptype == ICMP_PARAMPROB)
4636 state_icmp++;
4637 break;
4638 #endif /* INET */
4639 #if INET6
4640 case IPPROTO_ICMPV6:
4641 if (pd->af != AF_INET6)
4642 break;
4643 sxport.port = dxport.port = pd->hdr.icmp6->icmp6_id;
4644 hdrlen = sizeof (*pd->hdr.icmp6);
4645 icmptype = pd->hdr.icmp6->icmp6_type;
4646 icmpcode = pd->hdr.icmp6->icmp6_code;
4647
4648 if (icmptype == ICMP6_DST_UNREACH ||
4649 icmptype == ICMP6_PACKET_TOO_BIG ||
4650 icmptype == ICMP6_TIME_EXCEEDED ||
4651 icmptype == ICMP6_PARAM_PROB)
4652 state_icmp++;
4653 break;
4654 #endif /* INET6 */
4655 case IPPROTO_GRE:
4656 if (pd->proto_variant == PF_GRE_PPTP_VARIANT) {
4657 sxport.call_id = dxport.call_id =
4658 pd->hdr.grev1->call_id;
4659 hdrlen = sizeof (*pd->hdr.grev1);
4660 }
4661 break;
4662 case IPPROTO_ESP:
4663 sxport.spi = 0;
4664 dxport.spi = pd->hdr.esp->spi;
4665 hdrlen = sizeof (*pd->hdr.esp);
4666 break;
4667 }
4668
4669 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
4670
4671 bxport = sxport;
4672 bdxport = dxport;
4673
4674 if (direction == PF_OUT)
4675 nxport = sxport;
4676 else
4677 nxport = dxport;
4678
4679 /* check packet for BINAT/NAT/RDR */
4680 if ((nr = pf_get_translation_aux(pd, pbuf, off, direction, kif, &nsn,
4681 saddr, &sxport, daddr, &dxport, &nxport
4682 )) != NULL) {
4683 int ua;
4684 u_int16_t dport;
4685
4686 if (pd->af != pd->naf)
4687 ua = 0;
4688 else
4689 ua = 1;
4690
4691 PF_ACPY(&pd->baddr, saddr, af);
4692 PF_ACPY(&pd->bdaddr, daddr, af);
4693
4694 switch (pd->proto) {
4695 case IPPROTO_TCP:
4696 if (pd->af != pd->naf ||
4697 PF_ANEQ(saddr, &pd->naddr, pd->af)) {
4698 pf_change_ap(direction, pd->mp, saddr,
4699 &th->th_sport, pd->ip_sum, &th->th_sum,
4700 &pd->naddr, nxport.port, 0, af,
4701 pd->naf, ua);
4702 sxport.port = th->th_sport;
4703 }
4704
4705 if (pd->af != pd->naf ||
4706 PF_ANEQ(daddr, &pd->ndaddr, pd->af) ||
4707 (nr && (nr->action == PF_RDR) &&
4708 (th->th_dport != nxport.port))) {
4709 if (nr && nr->action == PF_RDR)
4710 dport = nxport.port;
4711 else
4712 dport = th->th_dport;
4713 pf_change_ap(direction, pd->mp, daddr,
4714 &th->th_dport, pd->ip_sum,
4715 &th->th_sum, &pd->ndaddr,
4716 dport, 0, af, pd->naf, ua);
4717 dxport.port = th->th_dport;
4718 }
4719 rewrite++;
4720 break;
4721
4722 case IPPROTO_UDP:
4723 if (pd->af != pd->naf ||
4724 PF_ANEQ(saddr, &pd->naddr, pd->af)) {
4725 pf_change_ap(direction, pd->mp, saddr,
4726 &uh->uh_sport, pd->ip_sum,
4727 &uh->uh_sum, &pd->naddr,
4728 nxport.port, 1, af, pd->naf, ua);
4729 sxport.port = uh->uh_sport;
4730 }
4731
4732 if (pd->af != pd->naf ||
4733 PF_ANEQ(daddr, &pd->ndaddr, pd->af) ||
4734 (nr && (nr->action == PF_RDR) &&
4735 (uh->uh_dport != nxport.port))) {
4736 if (nr && nr->action == PF_RDR)
4737 dport = nxport.port;
4738 else
4739 dport = uh->uh_dport;
4740 pf_change_ap(direction, pd->mp, daddr,
4741 &uh->uh_dport, pd->ip_sum,
4742 &uh->uh_sum, &pd->ndaddr,
4743 dport, 0, af, pd->naf, ua);
4744 dxport.port = uh->uh_dport;
4745 }
4746 rewrite++;
4747 break;
4748 #if INET
4749 case IPPROTO_ICMP:
4750 if (pd->af != AF_INET)
4751 break;
4752 /*
4753 * TODO:
4754 * pd->af != pd->naf not handled yet here and would be
4755 * needed for NAT46 needed to support XLAT.
4756 * Will cross the bridge when it comes.
4757 */
4758 if (PF_ANEQ(saddr, &pd->naddr, pd->af)) {
4759 pf_change_a(&saddr->v4addr.s_addr, pd->ip_sum,
4760 pd->naddr.v4addr.s_addr, 0);
4761 pd->hdr.icmp->icmp_cksum = pf_cksum_fixup(
4762 pd->hdr.icmp->icmp_cksum, sxport.port,
4763 nxport.port, 0);
4764 pd->hdr.icmp->icmp_id = nxport.port;
4765 }
4766
4767 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af)) {
4768 pf_change_a(&daddr->v4addr.s_addr, pd->ip_sum,
4769 pd->ndaddr.v4addr.s_addr, 0);
4770 }
4771 ++rewrite;
4772 break;
4773 #endif /* INET */
4774 #if INET6
4775 case IPPROTO_ICMPV6:
4776 if (pd->af != AF_INET6)
4777 break;
4778
4779 if (pd->af != pd->naf ||
4780 PF_ANEQ(saddr, &pd->naddr, pd->af)) {
4781 pf_change_addr(saddr,
4782 &pd->hdr.icmp6->icmp6_cksum,
4783 &pd->naddr, 0, pd->af, pd->naf);
4784 }
4785
4786 if (pd->af != pd->naf ||
4787 PF_ANEQ(daddr, &pd->ndaddr, pd->af)) {
4788 pf_change_addr(daddr,
4789 &pd->hdr.icmp6->icmp6_cksum,
4790 &pd->ndaddr, 0, pd->af, pd->naf);
4791 }
4792
4793 if (pd->af != pd->naf) {
4794 if (pf_translate_icmp_af(AF_INET,
4795 pd->hdr.icmp6))
4796 return (PF_DROP);
4797 pd->proto = IPPROTO_ICMP;
4798 }
4799 rewrite++;
4800 break;
4801 #endif /* INET */
4802 case IPPROTO_GRE:
4803 if ((direction == PF_IN) &&
4804 (pd->proto_variant == PF_GRE_PPTP_VARIANT))
4805 grev1->call_id = nxport.call_id;
4806
4807 switch (pd->af) {
4808 #if INET
4809 case AF_INET:
4810 if (PF_ANEQ(saddr, &pd->naddr, pd->af)) {
4811 pf_change_a(&saddr->v4addr.s_addr,
4812 pd->ip_sum,
4813 pd->naddr.v4addr.s_addr, 0);
4814 }
4815 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af)) {
4816 pf_change_a(&daddr->v4addr.s_addr,
4817 pd->ip_sum,
4818 pd->ndaddr.v4addr.s_addr, 0);
4819 }
4820 break;
4821 #endif /* INET */
4822 #if INET6
4823 case AF_INET6:
4824 if (PF_ANEQ(saddr, &pd->naddr, pd->af))
4825 PF_ACPY(saddr, &pd->naddr, AF_INET6);
4826 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af))
4827 PF_ACPY(daddr, &pd->ndaddr, AF_INET6);
4828 break;
4829 #endif /* INET6 */
4830 }
4831 ++rewrite;
4832 break;
4833 case IPPROTO_ESP:
4834 if (direction == PF_OUT)
4835 bxport.spi = 0;
4836
4837 switch (pd->af) {
4838 #if INET
4839 case AF_INET:
4840 if (PF_ANEQ(saddr, &pd->naddr, pd->af)) {
4841 pf_change_a(&saddr->v4addr.s_addr,
4842 pd->ip_sum, pd->naddr.v4addr.s_addr, 0);
4843 }
4844 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af)) {
4845 pf_change_a(&daddr->v4addr.s_addr,
4846 pd->ip_sum,
4847 pd->ndaddr.v4addr.s_addr, 0);
4848 }
4849 break;
4850 #endif /* INET */
4851 #if INET6
4852 case AF_INET6:
4853 if (PF_ANEQ(saddr, &pd->naddr, pd->af))
4854 PF_ACPY(saddr, &pd->naddr, AF_INET6);
4855 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af))
4856 PF_ACPY(daddr, &pd->ndaddr, AF_INET6);
4857 break;
4858 #endif /* INET6 */
4859 }
4860 break;
4861 default:
4862 switch (pd->af) {
4863 #if INET
4864 case AF_INET:
4865 if ((pd->naf != AF_INET) ||
4866 (PF_ANEQ(saddr, &pd->naddr, pd->af))) {
4867 pf_change_addr(saddr, pd->ip_sum,
4868 &pd->naddr, 0, af, pd->naf);
4869 }
4870
4871 if ((pd->naf != AF_INET) ||
4872 (PF_ANEQ(daddr, &pd->ndaddr, pd->af))) {
4873 pf_change_addr(daddr, pd->ip_sum,
4874 &pd->ndaddr, 0, af, pd->naf);
4875 }
4876 break;
4877 #endif /* INET */
4878 #if INET6
4879 case AF_INET6:
4880 if (PF_ANEQ(saddr, &pd->naddr, pd->af))
4881 PF_ACPY(saddr, &pd->naddr, af);
4882 if (PF_ANEQ(daddr, &pd->ndaddr, pd->af))
4883 PF_ACPY(daddr, &pd->ndaddr, af);
4884 break;
4885 #endif /* INET */
4886 }
4887 break;
4888 }
4889
4890 if (nr->natpass)
4891 r = NULL;
4892 pd->nat_rule = nr;
4893 pd->af = pd->naf;
4894 } else {
4895 }
4896
4897 if (nr && nr->tag > 0)
4898 tag = nr->tag;
4899
4900 while (r != NULL) {
4901 r->evaluations++;
4902 if (pfi_kif_match(r->kif, kif) == r->ifnot)
4903 r = r->skip[PF_SKIP_IFP].ptr;
4904 else if (r->direction && r->direction != direction)
4905 r = r->skip[PF_SKIP_DIR].ptr;
4906 else if (r->af && r->af != pd->af)
4907 r = r->skip[PF_SKIP_AF].ptr;
4908 else if (r->proto && r->proto != pd->proto)
4909 r = r->skip[PF_SKIP_PROTO].ptr;
4910 else if (PF_MISMATCHAW(&r->src.addr, saddr, pd->af,
4911 r->src.neg, kif))
4912 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
4913 /* tcp/udp only. port_op always 0 in other cases */
4914 else if (r->proto == pd->proto &&
4915 (r->proto == IPPROTO_TCP || r->proto == IPPROTO_UDP) &&
4916 r->src.xport.range.op &&
4917 !pf_match_port(r->src.xport.range.op,
4918 r->src.xport.range.port[0], r->src.xport.range.port[1],
4919 th->th_sport))
4920 r = r->skip[PF_SKIP_SRC_PORT].ptr;
4921 else if (PF_MISMATCHAW(&r->dst.addr, daddr, pd->af,
4922 r->dst.neg, NULL))
4923 r = r->skip[PF_SKIP_DST_ADDR].ptr;
4924 /* tcp/udp only. port_op always 0 in other cases */
4925 else if (r->proto == pd->proto &&
4926 (r->proto == IPPROTO_TCP || r->proto == IPPROTO_UDP) &&
4927 r->dst.xport.range.op &&
4928 !pf_match_port(r->dst.xport.range.op,
4929 r->dst.xport.range.port[0], r->dst.xport.range.port[1],
4930 th->th_dport))
4931 r = r->skip[PF_SKIP_DST_PORT].ptr;
4932 /* icmp only. type always 0 in other cases */
4933 else if (r->type && r->type != icmptype + 1)
4934 r = TAILQ_NEXT(r, entries);
4935 /* icmp only. type always 0 in other cases */
4936 else if (r->code && r->code != icmpcode + 1)
4937 r = TAILQ_NEXT(r, entries);
4938 else if ((r->rule_flag & PFRULE_TOS) && r->tos &&
4939 !(r->tos & pd->tos))
4940 r = TAILQ_NEXT(r, entries);
4941 else if ((r->rule_flag & PFRULE_DSCP) && r->tos &&
4942 !(r->tos & (pd->tos & DSCP_MASK)))
4943 r = TAILQ_NEXT(r, entries);
4944 else if ((r->rule_flag & PFRULE_SC) && r->tos &&
4945 ((r->tos & SCIDX_MASK) != pd->sc))
4946 r = TAILQ_NEXT(r, entries);
4947 else if (r->rule_flag & PFRULE_FRAGMENT)
4948 r = TAILQ_NEXT(r, entries);
4949 else if (pd->proto == IPPROTO_TCP &&
4950 (r->flagset & th->th_flags) != r->flags)
4951 r = TAILQ_NEXT(r, entries);
4952 /* tcp/udp only. uid.op always 0 in other cases */
4953 else if (r->uid.op && (pd->lookup.done || ((void)(pd->lookup.done =
4954 pf_socket_lookup(direction, pd)), 1)) &&
4955 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
4956 pd->lookup.uid))
4957 r = TAILQ_NEXT(r, entries);
4958 /* tcp/udp only. gid.op always 0 in other cases */
4959 else if (r->gid.op && (pd->lookup.done || ((void)(pd->lookup.done =
4960 pf_socket_lookup(direction, pd)), 1)) &&
4961 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
4962 pd->lookup.gid))
4963 r = TAILQ_NEXT(r, entries);
4964 else if (r->prob && r->prob <= (RandomULong() % (UINT_MAX - 1) + 1))
4965 r = TAILQ_NEXT(r, entries);
4966 else if (r->match_tag && !pf_match_tag(r, pd->pf_mtag, &tag))
4967 r = TAILQ_NEXT(r, entries);
4968 else if (r->os_fingerprint != PF_OSFP_ANY &&
4969 (pd->proto != IPPROTO_TCP || !pf_osfp_match(
4970 pf_osfp_fingerprint(pd, pbuf, off, th),
4971 r->os_fingerprint)))
4972 r = TAILQ_NEXT(r, entries);
4973 else {
4974 if (r->tag)
4975 tag = r->tag;
4976 if (PF_RTABLEID_IS_VALID(r->rtableid))
4977 rtableid = r->rtableid;
4978 if (r->anchor == NULL) {
4979 match = 1;
4980 *rm = r;
4981 *am = a;
4982 *rsm = ruleset;
4983 if ((*rm)->quick)
4984 break;
4985 r = TAILQ_NEXT(r, entries);
4986 } else
4987 pf_step_into_anchor(&asd, &ruleset,
4988 PF_RULESET_FILTER, &r, &a, &match);
4989 }
4990 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
4991 PF_RULESET_FILTER, &r, &a, &match))
4992 break;
4993 }
4994 r = *rm;
4995 a = *am;
4996 ruleset = *rsm;
4997
4998 REASON_SET(&reason, PFRES_MATCH);
4999
5000 if (r->log || (nr != NULL && nr->log)) {
5001 if (rewrite > 0) {
5002 if (rewrite < off + hdrlen)
5003 rewrite = off + hdrlen;
5004
5005 if (pf_lazy_makewritable(pd, pbuf, rewrite) == NULL) {
5006 REASON_SET(&reason, PFRES_MEMORY);
5007 return (PF_DROP);
5008 }
5009
5010 pbuf_copy_back(pbuf, off, hdrlen, pd->hdr.any);
5011 }
5012 PFLOG_PACKET(kif, h, pbuf, pd->af, direction, reason,
5013 r->log ? r : nr, a, ruleset, pd);
5014 }
5015
5016 if ((r->action == PF_DROP) &&
5017 ((r->rule_flag & PFRULE_RETURNRST) ||
5018 (r->rule_flag & PFRULE_RETURNICMP) ||
5019 (r->rule_flag & PFRULE_RETURN))) {
5020 /* undo NAT changes, if they have taken place */
5021 /* XXX For NAT64 we are not reverting the changes */
5022 if (nr != NULL && nr->action != PF_NAT64) {
5023 if (direction == PF_OUT) {
5024 pd->af = af;
5025 switch (pd->proto) {
5026 case IPPROTO_TCP:
5027 pf_change_ap(direction, pd->mp, saddr,
5028 &th->th_sport, pd->ip_sum,
5029 &th->th_sum, &pd->baddr,
5030 bxport.port, 0, af, pd->af, 1);
5031 sxport.port = th->th_sport;
5032 rewrite++;
5033 break;
5034 case IPPROTO_UDP:
5035 pf_change_ap(direction, pd->mp, saddr,
5036 &pd->hdr.udp->uh_sport, pd->ip_sum,
5037 &pd->hdr.udp->uh_sum, &pd->baddr,
5038 bxport.port, 1, af, pd->af, 1);
5039 sxport.port = pd->hdr.udp->uh_sport;
5040 rewrite++;
5041 break;
5042 case IPPROTO_ICMP:
5043 #if INET6
5044 case IPPROTO_ICMPV6:
5045 #endif
5046 /* nothing! */
5047 break;
5048 case IPPROTO_GRE:
5049 PF_ACPY(&pd->baddr, saddr, af);
5050 ++rewrite;
5051 switch (af) {
5052 #if INET
5053 case AF_INET:
5054 pf_change_a(&saddr->v4addr.s_addr,
5055 pd->ip_sum,
5056 pd->baddr.v4addr.s_addr, 0);
5057 break;
5058 #endif /* INET */
5059 #if INET6
5060 case AF_INET6:
5061 PF_ACPY(saddr, &pd->baddr,
5062 AF_INET6);
5063 break;
5064 #endif /* INET6 */
5065 }
5066 break;
5067 case IPPROTO_ESP:
5068 PF_ACPY(&pd->baddr, saddr, af);
5069 switch (af) {
5070 #if INET
5071 case AF_INET:
5072 pf_change_a(&saddr->v4addr.s_addr,
5073 pd->ip_sum,
5074 pd->baddr.v4addr.s_addr, 0);
5075 break;
5076 #endif /* INET */
5077 #if INET6
5078 case AF_INET6:
5079 PF_ACPY(saddr, &pd->baddr,
5080 AF_INET6);
5081 break;
5082 #endif /* INET6 */
5083 }
5084 break;
5085 default:
5086 switch (af) {
5087 case AF_INET:
5088 pf_change_a(&saddr->v4addr.s_addr,
5089 pd->ip_sum,
5090 pd->baddr.v4addr.s_addr, 0);
5091 break;
5092 case AF_INET6:
5093 PF_ACPY(saddr, &pd->baddr, af);
5094 break;
5095 }
5096 }
5097 } else {
5098 switch (pd->proto) {
5099 case IPPROTO_TCP:
5100 pf_change_ap(direction, pd->mp, daddr,
5101 &th->th_dport, pd->ip_sum,
5102 &th->th_sum, &pd->bdaddr,
5103 bdxport.port, 0, af, pd->af, 1);
5104 dxport.port = th->th_dport;
5105 rewrite++;
5106 break;
5107 case IPPROTO_UDP:
5108 pf_change_ap(direction, pd->mp, daddr,
5109 &pd->hdr.udp->uh_dport, pd->ip_sum,
5110 &pd->hdr.udp->uh_sum, &pd->bdaddr,
5111 bdxport.port, 1, af, pd->af, 1);
5112 dxport.port = pd->hdr.udp->uh_dport;
5113 rewrite++;
5114 break;
5115 case IPPROTO_ICMP:
5116 #if INET6
5117 case IPPROTO_ICMPV6:
5118 #endif
5119 /* nothing! */
5120 break;
5121 case IPPROTO_GRE:
5122 if (pd->proto_variant ==
5123 PF_GRE_PPTP_VARIANT)
5124 grev1->call_id =
5125 bdxport.call_id;
5126 ++rewrite;
5127 switch (af) {
5128 #if INET
5129 case AF_INET:
5130 pf_change_a(&daddr->v4addr.s_addr,
5131 pd->ip_sum,
5132 pd->bdaddr.v4addr.s_addr, 0);
5133 break;
5134 #endif /* INET */
5135 #if INET6
5136 case AF_INET6:
5137 PF_ACPY(daddr, &pd->bdaddr,
5138 AF_INET6);
5139 break;
5140 #endif /* INET6 */
5141 }
5142 break;
5143 case IPPROTO_ESP:
5144 switch (af) {
5145 #if INET
5146 case AF_INET:
5147 pf_change_a(&daddr->v4addr.s_addr,
5148 pd->ip_sum,
5149 pd->bdaddr.v4addr.s_addr, 0);
5150 break;
5151 #endif /* INET */
5152 #if INET6
5153 case AF_INET6:
5154 PF_ACPY(daddr, &pd->bdaddr,
5155 AF_INET6);
5156 break;
5157 #endif /* INET6 */
5158 }
5159 break;
5160 default:
5161 switch (af) {
5162 case AF_INET:
5163 pf_change_a(&daddr->v4addr.s_addr,
5164 pd->ip_sum,
5165 pd->bdaddr.v4addr.s_addr, 0);
5166 break;
5167 #if INET6
5168 case AF_INET6:
5169 PF_ACPY(daddr, &pd->bdaddr, af);
5170 break;
5171 #endif /* INET6 */
5172 }
5173 }
5174 }
5175 }
5176 if (pd->proto == IPPROTO_TCP &&
5177 ((r->rule_flag & PFRULE_RETURNRST) ||
5178 (r->rule_flag & PFRULE_RETURN)) &&
5179 !(th->th_flags & TH_RST)) {
5180 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
5181 int len = 0;
5182 struct ip *h4;
5183 #if INET6
5184 struct ip6_hdr *h6;
5185 #endif /* INET6 */
5186
5187 switch (pd->af) {
5188 case AF_INET:
5189 h4 = pbuf->pb_data;
5190 len = ntohs(h4->ip_len) - off;
5191 break;
5192 #if INET6
5193 case AF_INET6:
5194 h6 = pbuf->pb_data;
5195 len = ntohs(h6->ip6_plen) -
5196 (off - sizeof (*h6));
5197 break;
5198 #endif /* INET6 */
5199 }
5200
5201 if (pf_check_proto_cksum(pbuf, off, len, IPPROTO_TCP,
5202 pd->af))
5203 REASON_SET(&reason, PFRES_PROTCKSUM);
5204 else {
5205 if (th->th_flags & TH_SYN)
5206 ack++;
5207 if (th->th_flags & TH_FIN)
5208 ack++;
5209 pf_send_tcp(r, pd->af, pd->dst,
5210 pd->src, th->th_dport, th->th_sport,
5211 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
5212 r->return_ttl, 1, 0, pd->eh, kif->pfik_ifp);
5213 }
5214 } else if (pd->proto != IPPROTO_ICMP && pd->af == AF_INET &&
5215 pd->proto != IPPROTO_ESP && pd->proto != IPPROTO_AH &&
5216 r->return_icmp)
5217 pf_send_icmp(pbuf, r->return_icmp >> 8,
5218 r->return_icmp & 255, pd->af, r);
5219 else if (pd->proto != IPPROTO_ICMPV6 && af == AF_INET6 &&
5220 pd->proto != IPPROTO_ESP && pd->proto != IPPROTO_AH &&
5221 r->return_icmp6)
5222 pf_send_icmp(pbuf, r->return_icmp6 >> 8,
5223 r->return_icmp6 & 255, pd->af, r);
5224 }
5225
5226 if (r->action == PF_DROP) {
5227 return (PF_DROP);
5228 }
5229
5230 /* prepare state key, for flowhash and/or the state (if created) */
5231 bzero(&psk, sizeof (psk));
5232 psk.proto = pd->proto;
5233 psk.direction = direction;
5234 if (pd->proto == IPPROTO_UDP) {
5235 if (ntohs(pd->hdr.udp->uh_sport) == PF_IKE_PORT &&
5236 ntohs(pd->hdr.udp->uh_dport) == PF_IKE_PORT) {
5237 psk.proto_variant = PF_EXTFILTER_APD;
5238 } else {
5239 psk.proto_variant = nr ? nr->extfilter : r->extfilter;
5240 if (psk.proto_variant < PF_EXTFILTER_APD)
5241 psk.proto_variant = PF_EXTFILTER_APD;
5242 }
5243 } else if (pd->proto == IPPROTO_GRE) {
5244 psk.proto_variant = pd->proto_variant;
5245 }
5246 if (direction == PF_OUT) {
5247 psk.af_gwy = af;
5248 PF_ACPY(&psk.gwy.addr, saddr, af);
5249 PF_ACPY(&psk.ext_gwy.addr, daddr, af);
5250 switch (pd->proto) {
5251 case IPPROTO_ESP:
5252 psk.gwy.xport.spi = 0;
5253 psk.ext_gwy.xport.spi = pd->hdr.esp->spi;
5254 break;
5255 case IPPROTO_ICMP:
5256 #if INET6
5257 case IPPROTO_ICMPV6:
5258 #endif
5259 /*
5260 * NAT64 requires protocol translation between ICMPv4
5261 * and ICMPv6. TCP and UDP do not require protocol
5262 * translation. To avoid adding complexity just to
5263 * handle ICMP(v4addr/v6addr), we always lookup for
5264 * proto = IPPROTO_ICMP on both LAN and WAN side
5265 */
5266 psk.proto = IPPROTO_ICMP;
5267 psk.gwy.xport.port = nxport.port;
5268 psk.ext_gwy.xport.spi = 0;
5269 break;
5270 default:
5271 psk.gwy.xport = sxport;
5272 psk.ext_gwy.xport = dxport;
5273 break;
5274 }
5275 psk.af_lan = af;
5276 if (nr != NULL) {
5277 PF_ACPY(&psk.lan.addr, &pd->baddr, af);
5278 psk.lan.xport = bxport;
5279 PF_ACPY(&psk.ext_lan.addr, &pd->bdaddr, af);
5280 psk.ext_lan.xport = bdxport;
5281 } else {
5282 PF_ACPY(&psk.lan.addr, &psk.gwy.addr, af);
5283 psk.lan.xport = psk.gwy.xport;
5284 PF_ACPY(&psk.ext_lan.addr, &psk.ext_gwy.addr, af);
5285 psk.ext_lan.xport = psk.ext_gwy.xport;
5286 }
5287 } else {
5288 psk.af_lan = af;
5289 if (nr && nr->action == PF_NAT64) {
5290 PF_ACPY(&psk.lan.addr, &pd->baddr, af);
5291 PF_ACPY(&psk.ext_lan.addr, &pd->bdaddr, af);
5292 } else {
5293 PF_ACPY(&psk.lan.addr, daddr, af);
5294 PF_ACPY(&psk.ext_lan.addr, saddr, af);
5295 }
5296 switch (pd->proto) {
5297 case IPPROTO_ICMP:
5298 #if INET6
5299 case IPPROTO_ICMPV6:
5300 #endif
5301 /*
5302 * NAT64 requires protocol translation between ICMPv4
5303 * and ICMPv6. TCP and UDP do not require protocol
5304 * translation. To avoid adding complexity just to
5305 * handle ICMP(v4addr/v6addr), we always lookup for
5306 * proto = IPPROTO_ICMP on both LAN and WAN side
5307 */
5308 psk.proto = IPPROTO_ICMP;
5309 if (nr && nr->action == PF_NAT64) {
5310 psk.lan.xport = bxport;
5311 psk.ext_lan.xport = bxport;
5312 } else {
5313 psk.lan.xport = nxport;
5314 psk.ext_lan.xport.spi = 0;
5315 }
5316 break;
5317 case IPPROTO_ESP:
5318 psk.ext_lan.xport.spi = 0;
5319 psk.lan.xport.spi = pd->hdr.esp->spi;
5320 break;
5321 default:
5322 if (nr != NULL) {
5323 if (nr->action == PF_NAT64) {
5324 psk.lan.xport = bxport;
5325 psk.ext_lan.xport = bdxport;
5326 } else {
5327 psk.lan.xport = dxport;
5328 psk.ext_lan.xport = sxport;
5329 }
5330 } else {
5331 psk.lan.xport = dxport;
5332 psk.ext_lan.xport = sxport;
5333 }
5334 break;
5335 }
5336 psk.af_gwy = pd->naf;
5337 if (nr != NULL) {
5338 if (nr->action == PF_NAT64) {
5339 PF_ACPY(&psk.gwy.addr, &pd->naddr, pd->naf);
5340 PF_ACPY(&psk.ext_gwy.addr, &pd->ndaddr,
5341 pd->naf);
5342 if ((pd->proto == IPPROTO_ICMPV6) ||
5343 (pd->proto == IPPROTO_ICMP)) {
5344 psk.gwy.xport = nxport;
5345 psk.ext_gwy.xport = nxport;
5346 } else {
5347 psk.gwy.xport = sxport;
5348 psk.ext_gwy.xport = dxport;
5349 }
5350 } else {
5351 PF_ACPY(&psk.gwy.addr, &pd->bdaddr, af);
5352 psk.gwy.xport = bdxport;
5353 PF_ACPY(&psk.ext_gwy.addr, saddr, af);
5354 psk.ext_gwy.xport = sxport;
5355 }
5356 } else {
5357 PF_ACPY(&psk.gwy.addr, &psk.lan.addr, af);
5358 psk.gwy.xport = psk.lan.xport;
5359 PF_ACPY(&psk.ext_gwy.addr, &psk.ext_lan.addr, af);
5360 psk.ext_gwy.xport = psk.ext_lan.xport;
5361 }
5362 }
5363 if (pd->pktflags & PKTF_FLOW_ID) {
5364 /* flow hash was already computed outside of PF */
5365 psk.flowsrc = pd->flowsrc;
5366 psk.flowhash = pd->flowhash;
5367 } else {
5368 /* compute flow hash and store it in state key */
5369 psk.flowsrc = FLOWSRC_PF;
5370 psk.flowhash = pf_calc_state_key_flowhash(&psk);
5371 pd->flowsrc = psk.flowsrc;
5372 pd->flowhash = psk.flowhash;
5373 pd->pktflags |= PKTF_FLOW_ID;
5374 pd->pktflags &= ~PKTF_FLOW_ADV;
5375 }
5376
5377 if (pf_tag_packet(pbuf, pd->pf_mtag, tag, rtableid, pd)) {
5378 REASON_SET(&reason, PFRES_MEMORY);
5379 return (PF_DROP);
5380 }
5381
5382 if (!state_icmp && (r->keep_state || nr != NULL ||
5383 (pd->flags & PFDESC_TCP_NORM))) {
5384 /* create new state */
5385 struct pf_state *s = NULL;
5386 struct pf_state_key *sk = NULL;
5387 struct pf_src_node *sn = NULL;
5388 struct pf_ike_hdr ike;
5389
5390 if (pd->proto == IPPROTO_UDP) {
5391 size_t plen = pbuf->pb_packet_len - off - sizeof(*uh);
5392
5393 if (ntohs(uh->uh_sport) == PF_IKE_PORT &&
5394 ntohs(uh->uh_dport) == PF_IKE_PORT &&
5395 plen >= PF_IKE_PACKET_MINSIZE) {
5396 if (plen > PF_IKE_PACKET_MINSIZE)
5397 plen = PF_IKE_PACKET_MINSIZE;
5398 pbuf_copy_data(pbuf, off + sizeof (*uh), plen,
5399 &ike);
5400 }
5401 }
5402
5403 if (nr != NULL && pd->proto == IPPROTO_ESP &&
5404 direction == PF_OUT) {
5405 struct pf_state_key_cmp sk0;
5406 struct pf_state *s0;
5407
5408 /*
5409 * <jhw@apple.com>
5410 * This squelches state creation if the external
5411 * address matches an existing incomplete state with a
5412 * different internal address. Only one 'blocking'
5413 * partial state is allowed for each external address.
5414 */
5415 memset(&sk0, 0, sizeof (sk0));
5416 sk0.af_gwy = pd->af;
5417 sk0.proto = IPPROTO_ESP;
5418 PF_ACPY(&sk0.gwy.addr, saddr, sk0.af_gwy);
5419 PF_ACPY(&sk0.ext_gwy.addr, daddr, sk0.af_gwy);
5420 s0 = pf_find_state(kif, &sk0, PF_IN);
5421
5422 if (s0 && PF_ANEQ(&s0->state_key->lan.addr,
5423 pd->src, pd->af)) {
5424 nsn = 0;
5425 goto cleanup;
5426 }
5427 }
5428
5429 /* check maximums */
5430 if (r->max_states && (r->states >= r->max_states)) {
5431 pf_status.lcounters[LCNT_STATES]++;
5432 REASON_SET(&reason, PFRES_MAXSTATES);
5433 goto cleanup;
5434 }
5435 /* src node for filter rule */
5436 if ((r->rule_flag & PFRULE_SRCTRACK ||
5437 r->rpool.opts & PF_POOL_STICKYADDR) &&
5438 pf_insert_src_node(&sn, r, saddr, af) != 0) {
5439 REASON_SET(&reason, PFRES_SRCLIMIT);
5440 goto cleanup;
5441 }
5442 /* src node for translation rule */
5443 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
5444 ((direction == PF_OUT &&
5445 nr->action != PF_RDR &&
5446 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
5447 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) {
5448 REASON_SET(&reason, PFRES_SRCLIMIT);
5449 goto cleanup;
5450 }
5451 s = pool_get(&pf_state_pl, PR_WAITOK);
5452 if (s == NULL) {
5453 REASON_SET(&reason, PFRES_MEMORY);
5454 cleanup:
5455 if (sn != NULL && sn->states == 0 && sn->expire == 0) {
5456 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
5457 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
5458 pf_status.src_nodes--;
5459 pool_put(&pf_src_tree_pl, sn);
5460 }
5461 if (nsn != sn && nsn != NULL && nsn->states == 0 &&
5462 nsn->expire == 0) {
5463 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
5464 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
5465 pf_status.src_nodes--;
5466 pool_put(&pf_src_tree_pl, nsn);
5467 }
5468 if (sk != NULL) {
5469 if (sk->app_state)
5470 pool_put(&pf_app_state_pl,
5471 sk->app_state);
5472 pool_put(&pf_state_key_pl, sk);
5473 }
5474 return (PF_DROP);
5475 }
5476 bzero(s, sizeof (*s));
5477 TAILQ_INIT(&s->unlink_hooks);
5478 s->rule.ptr = r;
5479 s->nat_rule.ptr = nr;
5480 s->anchor.ptr = a;
5481 STATE_INC_COUNTERS(s);
5482 s->allow_opts = r->allow_opts;
5483 s->log = r->log & PF_LOG_ALL;
5484 if (nr != NULL)
5485 s->log |= nr->log & PF_LOG_ALL;
5486 switch (pd->proto) {
5487 case IPPROTO_TCP:
5488 s->src.seqlo = ntohl(th->th_seq);
5489 s->src.seqhi = s->src.seqlo + pd->p_len + 1;
5490 if ((th->th_flags & (TH_SYN|TH_ACK)) ==
5491 TH_SYN && r->keep_state == PF_STATE_MODULATE) {
5492 /* Generate sequence number modulator */
5493 if ((s->src.seqdiff = pf_tcp_iss(pd) -
5494 s->src.seqlo) == 0)
5495 s->src.seqdiff = 1;
5496 pf_change_a(&th->th_seq, &th->th_sum,
5497 htonl(s->src.seqlo + s->src.seqdiff), 0);
5498 rewrite = off + sizeof (*th);
5499 } else
5500 s->src.seqdiff = 0;
5501 if (th->th_flags & TH_SYN) {
5502 s->src.seqhi++;
5503 s->src.wscale = pf_get_wscale(pbuf, off,
5504 th->th_off, af);
5505 }
5506 s->src.max_win = MAX(ntohs(th->th_win), 1);
5507 if (s->src.wscale & PF_WSCALE_MASK) {
5508 /* Remove scale factor from initial window */
5509 int win = s->src.max_win;
5510 win += 1 << (s->src.wscale & PF_WSCALE_MASK);
5511 s->src.max_win = (win - 1) >>
5512 (s->src.wscale & PF_WSCALE_MASK);
5513 }
5514 if (th->th_flags & TH_FIN)
5515 s->src.seqhi++;
5516 s->dst.seqhi = 1;
5517 s->dst.max_win = 1;
5518 s->src.state = TCPS_SYN_SENT;
5519 s->dst.state = TCPS_CLOSED;
5520 s->timeout = PFTM_TCP_FIRST_PACKET;
5521 break;
5522 case IPPROTO_UDP:
5523 s->src.state = PFUDPS_SINGLE;
5524 s->dst.state = PFUDPS_NO_TRAFFIC;
5525 s->timeout = PFTM_UDP_FIRST_PACKET;
5526 break;
5527 case IPPROTO_ICMP:
5528 #if INET6
5529 case IPPROTO_ICMPV6:
5530 #endif
5531 s->timeout = PFTM_ICMP_FIRST_PACKET;
5532 break;
5533 case IPPROTO_GRE:
5534 s->src.state = PFGRE1S_INITIATING;
5535 s->dst.state = PFGRE1S_NO_TRAFFIC;
5536 s->timeout = PFTM_GREv1_INITIATING;
5537 break;
5538 case IPPROTO_ESP:
5539 s->src.state = PFESPS_INITIATING;
5540 s->dst.state = PFESPS_NO_TRAFFIC;
5541 s->timeout = PFTM_ESP_FIRST_PACKET;
5542 break;
5543 default:
5544 s->src.state = PFOTHERS_SINGLE;
5545 s->dst.state = PFOTHERS_NO_TRAFFIC;
5546 s->timeout = PFTM_OTHER_FIRST_PACKET;
5547 }
5548
5549 s->creation = pf_time_second();
5550 s->expire = pf_time_second();
5551
5552 if (sn != NULL) {
5553 s->src_node = sn;
5554 s->src_node->states++;
5555 VERIFY(s->src_node->states != 0);
5556 }
5557 if (nsn != NULL) {
5558 PF_ACPY(&nsn->raddr, &pd->naddr, af);
5559 s->nat_src_node = nsn;
5560 s->nat_src_node->states++;
5561 VERIFY(s->nat_src_node->states != 0);
5562 }
5563 if (pd->proto == IPPROTO_TCP) {
5564 if ((pd->flags & PFDESC_TCP_NORM) &&
5565 pf_normalize_tcp_init(pbuf, off, pd, th, &s->src,
5566 &s->dst)) {
5567 REASON_SET(&reason, PFRES_MEMORY);
5568 pf_src_tree_remove_state(s);
5569 STATE_DEC_COUNTERS(s);
5570 pool_put(&pf_state_pl, s);
5571 return (PF_DROP);
5572 }
5573 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
5574 pf_normalize_tcp_stateful(pbuf, off, pd, &reason,
5575 th, s, &s->src, &s->dst, &rewrite)) {
5576 /* This really shouldn't happen!!! */
5577 DPFPRINTF(PF_DEBUG_URGENT,
5578 ("pf_normalize_tcp_stateful failed on "
5579 "first pkt"));
5580 pf_normalize_tcp_cleanup(s);
5581 pf_src_tree_remove_state(s);
5582 STATE_DEC_COUNTERS(s);
5583 pool_put(&pf_state_pl, s);
5584 return (PF_DROP);
5585 }
5586 }
5587
5588 /* allocate state key and import values from psk */
5589 if ((sk = pf_alloc_state_key(s, &psk)) == NULL) {
5590 REASON_SET(&reason, PFRES_MEMORY);
5591 /*
5592 * XXXSCW: This will leak the freshly-allocated
5593 * state structure 's'. Although it should
5594 * eventually be aged-out and removed.
5595 */
5596 goto cleanup;
5597 }
5598
5599 pf_set_rt_ifp(s, saddr, af); /* needs s->state_key set */
5600
5601 pbuf = pd->mp; // XXXSCW: Why?
5602
5603 if (sk->app_state == 0) {
5604 switch (pd->proto) {
5605 case IPPROTO_TCP: {
5606 u_int16_t dport = (direction == PF_OUT) ?
5607 sk->ext_gwy.xport.port : sk->gwy.xport.port;
5608
5609 if (nr != NULL &&
5610 ntohs(dport) == PF_PPTP_PORT) {
5611 struct pf_app_state *as;
5612
5613 as = pool_get(&pf_app_state_pl,
5614 PR_WAITOK);
5615 if (!as) {
5616 REASON_SET(&reason,
5617 PFRES_MEMORY);
5618 goto cleanup;
5619 }
5620
5621 bzero(as, sizeof (*as));
5622 as->handler = pf_pptp_handler;
5623 as->compare_lan_ext = 0;
5624 as->compare_ext_gwy = 0;
5625 as->u.pptp.grev1_state = 0;
5626 sk->app_state = as;
5627 (void) hook_establish(&s->unlink_hooks,
5628 0, (hook_fn_t) pf_pptp_unlink, s);
5629 }
5630 break;
5631 }
5632
5633 case IPPROTO_UDP: {
5634 if (nr != NULL &&
5635 ntohs(uh->uh_sport) == PF_IKE_PORT &&
5636 ntohs(uh->uh_dport) == PF_IKE_PORT) {
5637 struct pf_app_state *as;
5638
5639 as = pool_get(&pf_app_state_pl,
5640 PR_WAITOK);
5641 if (!as) {
5642 REASON_SET(&reason,
5643 PFRES_MEMORY);
5644 goto cleanup;
5645 }
5646
5647 bzero(as, sizeof (*as));
5648 as->compare_lan_ext = pf_ike_compare;
5649 as->compare_ext_gwy = pf_ike_compare;
5650 as->u.ike.cookie = ike.initiator_cookie;
5651 sk->app_state = as;
5652 }
5653 break;
5654 }
5655
5656 default:
5657 break;
5658 }
5659 }
5660
5661 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
5662 if (pd->proto == IPPROTO_TCP)
5663 pf_normalize_tcp_cleanup(s);
5664 REASON_SET(&reason, PFRES_STATEINS);
5665 pf_src_tree_remove_state(s);
5666 STATE_DEC_COUNTERS(s);
5667 pool_put(&pf_state_pl, s);
5668 return (PF_DROP);
5669 } else {
5670 *sm = s;
5671 }
5672 if (tag > 0) {
5673 pf_tag_ref(tag);
5674 s->tag = tag;
5675 }
5676 if (pd->proto == IPPROTO_TCP &&
5677 (th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
5678 r->keep_state == PF_STATE_SYNPROXY) {
5679 int ua = (sk->af_lan == sk->af_gwy) ? 1 : 0;
5680 s->src.state = PF_TCPS_PROXY_SRC;
5681 if (nr != NULL) {
5682 if (direction == PF_OUT) {
5683 pf_change_ap(direction, pd->mp, saddr,
5684 &th->th_sport, pd->ip_sum,
5685 &th->th_sum, &pd->baddr,
5686 bxport.port, 0, af, pd->af, ua);
5687 sxport.port = th->th_sport;
5688 } else {
5689 pf_change_ap(direction, pd->mp, daddr,
5690 &th->th_dport, pd->ip_sum,
5691 &th->th_sum, &pd->baddr,
5692 bxport.port, 0, af, pd->af, ua);
5693 sxport.port = th->th_dport;
5694 }
5695 }
5696 s->src.seqhi = htonl(random());
5697 /* Find mss option */
5698 mss = pf_get_mss(pbuf, off, th->th_off, af);
5699 mss = pf_calc_mss(saddr, af, mss);
5700 mss = pf_calc_mss(daddr, af, mss);
5701 s->src.mss = mss;
5702 pf_send_tcp(r, af, daddr, saddr, th->th_dport,
5703 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
5704 TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, NULL, NULL);
5705 REASON_SET(&reason, PFRES_SYNPROXY);
5706 return (PF_SYNPROXY_DROP);
5707 }
5708
5709 if (sk->app_state && sk->app_state->handler) {
5710 int offx = off;
5711
5712 switch (pd->proto) {
5713 case IPPROTO_TCP:
5714 offx += th->th_off << 2;
5715 break;
5716 case IPPROTO_UDP:
5717 offx += pd->hdr.udp->uh_ulen << 2;
5718 break;
5719 default:
5720 /* ALG handlers only apply to TCP and UDP rules */
5721 break;
5722 }
5723
5724 if (offx > off) {
5725 sk->app_state->handler(s, direction, offx,
5726 pd, kif);
5727 if (pd->lmw < 0) {
5728 REASON_SET(&reason, PFRES_MEMORY);
5729 return (PF_DROP);
5730 }
5731 pbuf = pd->mp; // XXXSCW: Why?
5732 }
5733 }
5734 }
5735
5736 /* copy back packet headers if we performed NAT operations */
5737 if (rewrite) {
5738 if (rewrite < off + hdrlen)
5739 rewrite = off + hdrlen;
5740
5741 if (pf_lazy_makewritable(pd, pd->mp, rewrite) == NULL) {
5742 REASON_SET(&reason, PFRES_MEMORY);
5743 return (PF_DROP);
5744 }
5745
5746 pbuf_copy_back(pbuf, off, hdrlen, pd->hdr.any);
5747 if (af == AF_INET6 && pd->naf == AF_INET)
5748 return pf_nat64_ipv6(pbuf, off, pd);
5749 else if (af == AF_INET && pd->naf == AF_INET6)
5750 return pf_nat64_ipv4(pbuf, off, pd);
5751
5752 }
5753
5754 return (PF_PASS);
5755 }
5756
5757 boolean_t is_nlc_enabled_glb = FALSE;
5758
5759 static inline boolean_t
5760 pf_is_dummynet_enabled(void)
5761 {
5762 #if DUMMYNET
5763 if (__probable(!PF_IS_ENABLED))
5764 return (FALSE);
5765
5766 if (__probable(!DUMMYNET_LOADED))
5767 return (FALSE);
5768
5769 if (__probable(TAILQ_EMPTY(pf_main_ruleset.
5770 rules[PF_RULESET_DUMMYNET].active.ptr)))
5771 return (FALSE);
5772
5773 return (TRUE);
5774 #else
5775 return (FALSE);
5776 #endif /* DUMMYNET */
5777 }
5778
5779 boolean_t
5780 pf_is_nlc_enabled(void)
5781 {
5782 #if DUMMYNET
5783 if (__probable(!pf_is_dummynet_enabled()))
5784 return (FALSE);
5785
5786 if (__probable(!is_nlc_enabled_glb))
5787 return (FALSE);
5788
5789 return (TRUE);
5790 #else
5791 return (FALSE);
5792 #endif /* DUMMYNET */
5793 }
5794
5795 #if DUMMYNET
5796 /*
5797 * When pf_test_dummynet() returns PF_PASS, the rule matching parameter "rm"
5798 * remains unchanged, meaning the packet did not match a dummynet rule.
5799 * when the packet does match a dummynet rule, pf_test_dummynet() returns
5800 * PF_PASS and zero out the mbuf rule as the packet is effectively siphoned
5801 * out by dummynet.
5802 */
5803 static int
5804 pf_test_dummynet(struct pf_rule **rm, int direction, struct pfi_kif *kif,
5805 pbuf_t **pbuf0, struct pf_pdesc *pd, struct ip_fw_args *fwa)
5806 {
5807 pbuf_t *pbuf = *pbuf0;
5808 struct pf_rule *am = NULL;
5809 struct pf_ruleset *rsm = NULL;
5810 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
5811 sa_family_t af = pd->af;
5812 struct pf_rule *r, *a = NULL;
5813 struct pf_ruleset *ruleset = NULL;
5814 struct tcphdr *th = pd->hdr.tcp;
5815 u_short reason;
5816 int hdrlen = 0;
5817 int tag = -1;
5818 unsigned int rtableid = IFSCOPE_NONE;
5819 int asd = 0;
5820 int match = 0;
5821 u_int8_t icmptype = 0, icmpcode = 0;
5822 struct ip_fw_args dnflow;
5823 struct pf_rule *prev_matching_rule = fwa ? fwa->fwa_pf_rule : NULL;
5824 int found_prev_rule = (prev_matching_rule) ? 0 : 1;
5825
5826 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
5827
5828 if (!pf_is_dummynet_enabled())
5829 return (PF_PASS);
5830
5831 bzero(&dnflow, sizeof(dnflow));
5832
5833 hdrlen = 0;
5834
5835 /* Fragments don't gave protocol headers */
5836 if (!(pd->flags & PFDESC_IP_FRAG))
5837 switch (pd->proto) {
5838 case IPPROTO_TCP:
5839 dnflow.fwa_id.flags = pd->hdr.tcp->th_flags;
5840 dnflow.fwa_id.dst_port = ntohs(pd->hdr.tcp->th_dport);
5841 dnflow.fwa_id.src_port = ntohs(pd->hdr.tcp->th_sport);
5842 hdrlen = sizeof (*th);
5843 break;
5844 case IPPROTO_UDP:
5845 dnflow.fwa_id.dst_port = ntohs(pd->hdr.udp->uh_dport);
5846 dnflow.fwa_id.src_port = ntohs(pd->hdr.udp->uh_sport);
5847 hdrlen = sizeof (*pd->hdr.udp);
5848 break;
5849 #if INET
5850 case IPPROTO_ICMP:
5851 if (af != AF_INET)
5852 break;
5853 hdrlen = ICMP_MINLEN;
5854 icmptype = pd->hdr.icmp->icmp_type;
5855 icmpcode = pd->hdr.icmp->icmp_code;
5856 break;
5857 #endif /* INET */
5858 #if INET6
5859 case IPPROTO_ICMPV6:
5860 if (af != AF_INET6)
5861 break;
5862 hdrlen = sizeof (*pd->hdr.icmp6);
5863 icmptype = pd->hdr.icmp6->icmp6_type;
5864 icmpcode = pd->hdr.icmp6->icmp6_code;
5865 break;
5866 #endif /* INET6 */
5867 case IPPROTO_GRE:
5868 if (pd->proto_variant == PF_GRE_PPTP_VARIANT)
5869 hdrlen = sizeof (*pd->hdr.grev1);
5870 break;
5871 case IPPROTO_ESP:
5872 hdrlen = sizeof (*pd->hdr.esp);
5873 break;
5874 }
5875
5876 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_DUMMYNET].active.ptr);
5877
5878 while (r != NULL) {
5879 r->evaluations++;
5880 if (pfi_kif_match(r->kif, kif) == r->ifnot)
5881 r = r->skip[PF_SKIP_IFP].ptr;
5882 else if (r->direction && r->direction != direction)
5883 r = r->skip[PF_SKIP_DIR].ptr;
5884 else if (r->af && r->af != af)
5885 r = r->skip[PF_SKIP_AF].ptr;
5886 else if (r->proto && r->proto != pd->proto)
5887 r = r->skip[PF_SKIP_PROTO].ptr;
5888 else if (PF_MISMATCHAW(&r->src.addr, saddr, af,
5889 r->src.neg, kif))
5890 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
5891 /* tcp/udp only. port_op always 0 in other cases */
5892 else if (r->proto == pd->proto &&
5893 (r->proto == IPPROTO_TCP || r->proto == IPPROTO_UDP) &&
5894 ((pd->flags & PFDESC_IP_FRAG) ||
5895 ((r->src.xport.range.op &&
5896 !pf_match_port(r->src.xport.range.op,
5897 r->src.xport.range.port[0], r->src.xport.range.port[1],
5898 th->th_sport)))))
5899 r = r->skip[PF_SKIP_SRC_PORT].ptr;
5900 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af,
5901 r->dst.neg, NULL))
5902 r = r->skip[PF_SKIP_DST_ADDR].ptr;
5903 /* tcp/udp only. port_op always 0 in other cases */
5904 else if (r->proto == pd->proto &&
5905 (r->proto == IPPROTO_TCP || r->proto == IPPROTO_UDP) &&
5906 r->dst.xport.range.op &&
5907 ((pd->flags & PFDESC_IP_FRAG) ||
5908 !pf_match_port(r->dst.xport.range.op,
5909 r->dst.xport.range.port[0], r->dst.xport.range.port[1],
5910 th->th_dport)))
5911 r = r->skip[PF_SKIP_DST_PORT].ptr;
5912 /* icmp only. type always 0 in other cases */
5913 else if (r->type &&
5914 ((pd->flags & PFDESC_IP_FRAG) ||
5915 r->type != icmptype + 1))
5916 r = TAILQ_NEXT(r, entries);
5917 /* icmp only. type always 0 in other cases */
5918 else if (r->code &&
5919 ((pd->flags & PFDESC_IP_FRAG) ||
5920 r->code != icmpcode + 1))
5921 r = TAILQ_NEXT(r, entries);
5922 else if (r->tos && !(r->tos == pd->tos))
5923 r = TAILQ_NEXT(r, entries);
5924 else if (r->rule_flag & PFRULE_FRAGMENT)
5925 r = TAILQ_NEXT(r, entries);
5926 else if (pd->proto == IPPROTO_TCP &&
5927 ((pd->flags & PFDESC_IP_FRAG) ||
5928 (r->flagset & th->th_flags) != r->flags))
5929 r = TAILQ_NEXT(r, entries);
5930 else if (r->prob && r->prob <= (RandomULong() % (UINT_MAX - 1) + 1))
5931 r = TAILQ_NEXT(r, entries);
5932 else if (r->match_tag && !pf_match_tag(r, pd->pf_mtag, &tag))
5933 r = TAILQ_NEXT(r, entries);
5934 else {
5935 /*
5936 * Need to go past the previous dummynet matching rule
5937 */
5938 if (r->anchor == NULL) {
5939 if (found_prev_rule) {
5940 if (r->tag)
5941 tag = r->tag;
5942 if (PF_RTABLEID_IS_VALID(r->rtableid))
5943 rtableid = r->rtableid;
5944 match = 1;
5945 *rm = r;
5946 am = a;
5947 rsm = ruleset;
5948 if ((*rm)->quick)
5949 break;
5950 } else if (r == prev_matching_rule) {
5951 found_prev_rule = 1;
5952 }
5953 r = TAILQ_NEXT(r, entries);
5954 } else {
5955 pf_step_into_anchor(&asd, &ruleset,
5956 PF_RULESET_DUMMYNET, &r, &a, &match);
5957 }
5958 }
5959 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
5960 PF_RULESET_DUMMYNET, &r, &a, &match))
5961 break;
5962 }
5963 r = *rm;
5964 a = am;
5965 ruleset = rsm;
5966
5967 if (!match)
5968 return (PF_PASS);
5969
5970 REASON_SET(&reason, PFRES_DUMMYNET);
5971
5972 if (r->log) {
5973 PFLOG_PACKET(kif, h, pbuf, af, direction, reason, r,
5974 a, ruleset, pd);
5975 }
5976
5977 if (r->action == PF_NODUMMYNET) {
5978 int dirndx = (direction == PF_OUT);
5979
5980 r->packets[dirndx]++;
5981 r->bytes[dirndx] += pd->tot_len;
5982
5983 return (PF_PASS);
5984 }
5985 if (pf_tag_packet(pbuf, pd->pf_mtag, tag, rtableid, pd)) {
5986 REASON_SET(&reason, PFRES_MEMORY);
5987
5988 return (PF_DROP);
5989 }
5990
5991 if (r->dnpipe && ip_dn_io_ptr != NULL) {
5992 struct mbuf *m;
5993 int dirndx = (direction == PF_OUT);
5994
5995 r->packets[dirndx]++;
5996 r->bytes[dirndx] += pd->tot_len;
5997
5998 dnflow.fwa_cookie = r->dnpipe;
5999 dnflow.fwa_pf_rule = r;
6000 dnflow.fwa_id.proto = pd->proto;
6001 dnflow.fwa_flags = r->dntype;
6002 switch (af) {
6003 case AF_INET:
6004 dnflow.fwa_id.addr_type = 4;
6005 dnflow.fwa_id.src_ip = ntohl(saddr->v4addr.s_addr);
6006 dnflow.fwa_id.dst_ip = ntohl(daddr->v4addr.s_addr);
6007 break;
6008 case AF_INET6:
6009 dnflow.fwa_id.addr_type = 6;
6010 dnflow.fwa_id.src_ip6 = saddr->v6addr;
6011 dnflow.fwa_id.dst_ip6 = saddr->v6addr;
6012 break;
6013 }
6014
6015 if (fwa != NULL) {
6016 dnflow.fwa_oif = fwa->fwa_oif;
6017 dnflow.fwa_oflags = fwa->fwa_oflags;
6018 /*
6019 * Note that fwa_ro, fwa_dst and fwa_ipoa are
6020 * actually in a union so the following does work
6021 * for both IPv4 and IPv6
6022 */
6023 dnflow.fwa_ro = fwa->fwa_ro;
6024 dnflow.fwa_dst = fwa->fwa_dst;
6025 dnflow.fwa_ipoa = fwa->fwa_ipoa;
6026 dnflow.fwa_ro6_pmtu = fwa->fwa_ro6_pmtu;
6027 dnflow.fwa_origifp = fwa->fwa_origifp;
6028 dnflow.fwa_mtu = fwa->fwa_mtu;
6029 dnflow.fwa_alwaysfrag = fwa->fwa_alwaysfrag;
6030 dnflow.fwa_unfragpartlen = fwa->fwa_unfragpartlen;
6031 dnflow.fwa_exthdrs = fwa->fwa_exthdrs;
6032 }
6033
6034 if (af == AF_INET) {
6035 struct ip *iphdr = pbuf->pb_data;
6036 NTOHS(iphdr->ip_len);
6037 NTOHS(iphdr->ip_off);
6038 }
6039 /*
6040 * Don't need to unlock pf_lock as NET_THREAD_HELD_PF
6041 * allows for recursive behavior
6042 */
6043 m = pbuf_to_mbuf(pbuf, TRUE);
6044 if (m != NULL) {
6045 ip_dn_io_ptr(m,
6046 dnflow.fwa_cookie, (af == AF_INET) ?
6047 ((direction==PF_IN) ? DN_TO_IP_IN : DN_TO_IP_OUT) :
6048 ((direction==PF_IN) ? DN_TO_IP6_IN : DN_TO_IP6_OUT),
6049 &dnflow, DN_CLIENT_PF);
6050 }
6051
6052 /*
6053 * The packet is siphoned out by dummynet so return a NULL
6054 * pbuf so the caller can still return success.
6055 */
6056 *pbuf0 = NULL;
6057
6058 return (PF_PASS);
6059 }
6060
6061 return (PF_PASS);
6062 }
6063 #endif /* DUMMYNET */
6064
6065 static int
6066 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
6067 pbuf_t *pbuf, void *h, struct pf_pdesc *pd, struct pf_rule **am,
6068 struct pf_ruleset **rsm)
6069 {
6070 #pragma unused(h)
6071 struct pf_rule *r, *a = NULL;
6072 struct pf_ruleset *ruleset = NULL;
6073 sa_family_t af = pd->af;
6074 u_short reason;
6075 int tag = -1;
6076 int asd = 0;
6077 int match = 0;
6078
6079 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
6080 while (r != NULL) {
6081 r->evaluations++;
6082 if (pfi_kif_match(r->kif, kif) == r->ifnot)
6083 r = r->skip[PF_SKIP_IFP].ptr;
6084 else if (r->direction && r->direction != direction)
6085 r = r->skip[PF_SKIP_DIR].ptr;
6086 else if (r->af && r->af != af)
6087 r = r->skip[PF_SKIP_AF].ptr;
6088 else if (r->proto && r->proto != pd->proto)
6089 r = r->skip[PF_SKIP_PROTO].ptr;
6090 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
6091 r->src.neg, kif))
6092 r = r->skip[PF_SKIP_SRC_ADDR].ptr;
6093 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
6094 r->dst.neg, NULL))
6095 r = r->skip[PF_SKIP_DST_ADDR].ptr;
6096 else if ((r->rule_flag & PFRULE_TOS) && r->tos &&
6097 !(r->tos & pd->tos))
6098 r = TAILQ_NEXT(r, entries);
6099 else if ((r->rule_flag & PFRULE_DSCP) && r->tos &&
6100 !(r->tos & (pd->tos & DSCP_MASK)))
6101 r = TAILQ_NEXT(r, entries);
6102 else if ((r->rule_flag & PFRULE_SC) && r->tos &&
6103 ((r->tos & SCIDX_MASK) != pd->sc))
6104 r = TAILQ_NEXT(r, entries);
6105 else if (r->os_fingerprint != PF_OSFP_ANY)
6106 r = TAILQ_NEXT(r, entries);
6107 else if (pd->proto == IPPROTO_UDP &&
6108 (r->src.xport.range.op || r->dst.xport.range.op))
6109 r = TAILQ_NEXT(r, entries);
6110 else if (pd->proto == IPPROTO_TCP &&
6111 (r->src.xport.range.op || r->dst.xport.range.op ||
6112 r->flagset))
6113 r = TAILQ_NEXT(r, entries);
6114 else if ((pd->proto == IPPROTO_ICMP ||
6115 pd->proto == IPPROTO_ICMPV6) &&
6116 (r->type || r->code))
6117 r = TAILQ_NEXT(r, entries);
6118 else if (r->prob && r->prob <= (RandomULong() % (UINT_MAX - 1) + 1))
6119 r = TAILQ_NEXT(r, entries);
6120 else if (r->match_tag && !pf_match_tag(r, pd->pf_mtag, &tag))
6121 r = TAILQ_NEXT(r, entries);
6122 else {
6123 if (r->anchor == NULL) {
6124 match = 1;
6125 *rm = r;
6126 *am = a;
6127 *rsm = ruleset;
6128 if ((*rm)->quick)
6129 break;
6130 r = TAILQ_NEXT(r, entries);
6131 } else
6132 pf_step_into_anchor(&asd, &ruleset,
6133 PF_RULESET_FILTER, &r, &a, &match);
6134 }
6135 if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset,
6136 PF_RULESET_FILTER, &r, &a, &match))
6137 break;
6138 }
6139 r = *rm;
6140 a = *am;
6141 ruleset = *rsm;
6142
6143 REASON_SET(&reason, PFRES_MATCH);
6144
6145 if (r->log)
6146 PFLOG_PACKET(kif, h, pbuf, af, direction, reason, r, a, ruleset,
6147 pd);
6148
6149 if (r->action != PF_PASS)
6150 return (PF_DROP);
6151
6152 if (pf_tag_packet(pbuf, pd->pf_mtag, tag, -1, NULL)) {
6153 REASON_SET(&reason, PFRES_MEMORY);
6154 return (PF_DROP);
6155 }
6156
6157 return (PF_PASS);
6158 }
6159
6160 static void
6161 pf_pptp_handler(struct pf_state *s, int direction, int off,
6162 struct pf_pdesc *pd, struct pfi_kif *kif)
6163 {
6164 #pragma unused(direction)
6165 struct tcphdr *th;
6166 struct pf_pptp_state *pptps;
6167 struct pf_pptp_ctrl_msg cm;
6168 size_t plen, tlen;
6169 struct pf_state *gs;
6170 u_int16_t ct;
6171 u_int16_t *pac_call_id;
6172 u_int16_t *pns_call_id;
6173 u_int16_t *spoof_call_id;
6174 u_int8_t *pac_state;
6175 u_int8_t *pns_state;
6176 enum { PF_PPTP_PASS, PF_PPTP_INSERT_GRE, PF_PPTP_REMOVE_GRE } op;
6177 pbuf_t *pbuf;
6178 struct pf_state_key *sk;
6179 struct pf_state_key *gsk;
6180 struct pf_app_state *gas;
6181
6182 sk = s->state_key;
6183 pptps = &sk->app_state->u.pptp;
6184 gs = pptps->grev1_state;
6185
6186 if (gs)
6187 gs->expire = pf_time_second();
6188
6189 pbuf = pd->mp;
6190 plen = min(sizeof (cm), pbuf->pb_packet_len - off);
6191 if (plen < PF_PPTP_CTRL_MSG_MINSIZE)
6192 return;
6193 tlen = plen - PF_PPTP_CTRL_MSG_MINSIZE;
6194 pbuf_copy_data(pbuf, off, plen, &cm);
6195
6196 if (ntohl(cm.hdr.magic) != PF_PPTP_MAGIC_NUMBER)
6197 return;
6198 if (ntohs(cm.hdr.type) != 1)
6199 return;
6200
6201 #define TYPE_LEN_CHECK(_type, _name) \
6202 case PF_PPTP_CTRL_TYPE_##_type: \
6203 if (tlen < sizeof(struct pf_pptp_ctrl_##_name)) \
6204 return; \
6205 break;
6206
6207 switch (cm.ctrl.type) {
6208 TYPE_LEN_CHECK(START_REQ, start_req);
6209 TYPE_LEN_CHECK(START_RPY, start_rpy);
6210 TYPE_LEN_CHECK(STOP_REQ, stop_req);
6211 TYPE_LEN_CHECK(STOP_RPY, stop_rpy);
6212 TYPE_LEN_CHECK(ECHO_REQ, echo_req);
6213 TYPE_LEN_CHECK(ECHO_RPY, echo_rpy);
6214 TYPE_LEN_CHECK(CALL_OUT_REQ, call_out_req);
6215 TYPE_LEN_CHECK(CALL_OUT_RPY, call_out_rpy);
6216 TYPE_LEN_CHECK(CALL_IN_1ST, call_in_1st);
6217 TYPE_LEN_CHECK(CALL_IN_2ND, call_in_2nd);
6218 TYPE_LEN_CHECK(CALL_IN_3RD, call_in_3rd);
6219 TYPE_LEN_CHECK(CALL_CLR, call_clr);
6220 TYPE_LEN_CHECK(CALL_DISC, call_disc);
6221 TYPE_LEN_CHECK(ERROR, error);
6222 TYPE_LEN_CHECK(SET_LINKINFO, set_linkinfo);
6223 default:
6224 return;
6225 }
6226 #undef TYPE_LEN_CHECK
6227
6228 if (!gs) {
6229 gs = pool_get(&pf_state_pl, PR_WAITOK);
6230 if (!gs)
6231 return;
6232
6233 memcpy(gs, s, sizeof (*gs));
6234
6235 memset(&gs->entry_id, 0, sizeof (gs->entry_id));
6236 memset(&gs->entry_list, 0, sizeof (gs->entry_list));
6237
6238 TAILQ_INIT(&gs->unlink_hooks);
6239 gs->rt_kif = NULL;
6240 gs->creation = 0;
6241 gs->pfsync_time = 0;
6242 gs->packets[0] = gs->packets[1] = 0;
6243 gs->bytes[0] = gs->bytes[1] = 0;
6244 gs->timeout = PFTM_UNLINKED;
6245 gs->id = gs->creatorid = 0;
6246 gs->src.state = gs->dst.state = PFGRE1S_NO_TRAFFIC;
6247 gs->src.scrub = gs->dst.scrub = 0;
6248
6249 gas = pool_get(&pf_app_state_pl, PR_NOWAIT);
6250 if (!gas) {
6251 pool_put(&pf_state_pl, gs);
6252 return;
6253 }
6254
6255 gsk = pf_alloc_state_key(gs, NULL);
6256 if (!gsk) {
6257 pool_put(&pf_app_state_pl, gas);
6258 pool_put(&pf_state_pl, gs);
6259 return;
6260 }
6261
6262 memcpy(&gsk->lan, &sk->lan, sizeof (gsk->lan));
6263 memcpy(&gsk->gwy, &sk->gwy, sizeof (gsk->gwy));
6264 memcpy(&gsk->ext_lan, &sk->ext_lan, sizeof (gsk->ext_lan));
6265 memcpy(&gsk->ext_gwy, &sk->ext_gwy, sizeof (gsk->ext_gwy));
6266 gsk->af_lan = sk->af_lan;
6267 gsk->af_gwy = sk->af_gwy;
6268 gsk->proto = IPPROTO_GRE;
6269 gsk->proto_variant = PF_GRE_PPTP_VARIANT;
6270 gsk->app_state = gas;
6271 gsk->lan.xport.call_id = 0;
6272 gsk->gwy.xport.call_id = 0;
6273 gsk->ext_lan.xport.call_id = 0;
6274 gsk->ext_gwy.xport.call_id = 0;
6275 gsk->flowsrc = FLOWSRC_PF;
6276 gsk->flowhash = pf_calc_state_key_flowhash(gsk);
6277 memset(gas, 0, sizeof (*gas));
6278 gas->u.grev1.pptp_state = s;
6279 STATE_INC_COUNTERS(gs);
6280 pptps->grev1_state = gs;
6281 (void) hook_establish(&gs->unlink_hooks, 0,
6282 (hook_fn_t) pf_grev1_unlink, gs);
6283 } else {
6284 gsk = gs->state_key;
6285 }
6286
6287 switch (sk->direction) {
6288 case PF_IN:
6289 pns_call_id = &gsk->ext_lan.xport.call_id;
6290 pns_state = &gs->dst.state;
6291 pac_call_id = &gsk->lan.xport.call_id;
6292 pac_state = &gs->src.state;
6293 break;
6294
6295 case PF_OUT:
6296 pns_call_id = &gsk->lan.xport.call_id;
6297 pns_state = &gs->src.state;
6298 pac_call_id = &gsk->ext_lan.xport.call_id;
6299 pac_state = &gs->dst.state;
6300 break;
6301
6302 default:
6303 DPFPRINTF(PF_DEBUG_URGENT,
6304 ("pf_pptp_handler: bad directional!\n"));
6305 return;
6306 }
6307
6308 spoof_call_id = 0;
6309 op = PF_PPTP_PASS;
6310
6311 ct = ntohs(cm.ctrl.type);
6312
6313 switch (ct) {
6314 case PF_PPTP_CTRL_TYPE_CALL_OUT_REQ:
6315 *pns_call_id = cm.msg.call_out_req.call_id;
6316 *pns_state = PFGRE1S_INITIATING;
6317 if (s->nat_rule.ptr && pns_call_id == &gsk->lan.xport.call_id)
6318 spoof_call_id = &cm.msg.call_out_req.call_id;
6319 break;
6320
6321 case PF_PPTP_CTRL_TYPE_CALL_OUT_RPY:
6322 *pac_call_id = cm.msg.call_out_rpy.call_id;
6323 if (s->nat_rule.ptr)
6324 spoof_call_id =
6325 (pac_call_id == &gsk->lan.xport.call_id) ?
6326 &cm.msg.call_out_rpy.call_id :
6327 &cm.msg.call_out_rpy.peer_call_id;
6328 if (gs->timeout == PFTM_UNLINKED) {
6329 *pac_state = PFGRE1S_INITIATING;
6330 op = PF_PPTP_INSERT_GRE;
6331 }
6332 break;
6333
6334 case PF_PPTP_CTRL_TYPE_CALL_IN_1ST:
6335 *pns_call_id = cm.msg.call_in_1st.call_id;
6336 *pns_state = PFGRE1S_INITIATING;
6337 if (s->nat_rule.ptr && pns_call_id == &gsk->lan.xport.call_id)
6338 spoof_call_id = &cm.msg.call_in_1st.call_id;
6339 break;
6340
6341 case PF_PPTP_CTRL_TYPE_CALL_IN_2ND:
6342 *pac_call_id = cm.msg.call_in_2nd.call_id;
6343 *pac_state = PFGRE1S_INITIATING;
6344 if (s->nat_rule.ptr)
6345 spoof_call_id =
6346 (pac_call_id == &gsk->lan.xport.call_id) ?
6347 &cm.msg.call_in_2nd.call_id :
6348 &cm.msg.call_in_2nd.peer_call_id;
6349 break;
6350
6351 case PF_PPTP_CTRL_TYPE_CALL_IN_3RD:
6352 if (s->nat_rule.ptr && pns_call_id == &gsk->lan.xport.call_id)
6353 spoof_call_id = &cm.msg.call_in_3rd.call_id;
6354 if (cm.msg.call_in_3rd.call_id != *pns_call_id) {
6355 break;
6356 }
6357 if (gs->timeout == PFTM_UNLINKED)
6358 op = PF_PPTP_INSERT_GRE;
6359 break;
6360
6361 case PF_PPTP_CTRL_TYPE_CALL_CLR:
6362 if (cm.msg.call_clr.call_id != *pns_call_id)
6363 op = PF_PPTP_REMOVE_GRE;
6364 break;
6365
6366 case PF_PPTP_CTRL_TYPE_CALL_DISC:
6367 if (cm.msg.call_clr.call_id != *pac_call_id)
6368 op = PF_PPTP_REMOVE_GRE;
6369 break;
6370
6371 case PF_PPTP_CTRL_TYPE_ERROR:
6372 if (s->nat_rule.ptr && pns_call_id == &gsk->lan.xport.call_id)
6373 spoof_call_id = &cm.msg.error.peer_call_id;
6374 break;
6375
6376 case PF_PPTP_CTRL_TYPE_SET_LINKINFO:
6377 if (s->nat_rule.ptr && pac_call_id == &gsk->lan.xport.call_id)
6378 spoof_call_id = &cm.msg.set_linkinfo.peer_call_id;
6379 break;
6380
6381 default:
6382 op = PF_PPTP_PASS;
6383 break;
6384 }
6385
6386 if (!gsk->gwy.xport.call_id && gsk->lan.xport.call_id) {
6387 gsk->gwy.xport.call_id = gsk->lan.xport.call_id;
6388 if (spoof_call_id) {
6389 u_int16_t call_id = 0;
6390 int n = 0;
6391 struct pf_state_key_cmp key;
6392
6393 key.af_gwy = gsk->af_gwy;
6394 key.proto = IPPROTO_GRE;
6395 key.proto_variant = PF_GRE_PPTP_VARIANT;
6396 PF_ACPY(&key.gwy.addr, &gsk->gwy.addr, key.af_gwy);
6397 PF_ACPY(&key.ext_gwy.addr, &gsk->ext_gwy.addr, key.af_gwy);
6398 key.gwy.xport.call_id = gsk->gwy.xport.call_id;
6399 key.ext_gwy.xport.call_id = gsk->ext_gwy.xport.call_id;
6400 do {
6401 call_id = htonl(random());
6402 } while (!call_id);
6403
6404 while (pf_find_state_all(&key, PF_IN, 0)) {
6405 call_id = ntohs(call_id);
6406 --call_id;
6407 if (--call_id == 0) call_id = 0xffff;
6408 call_id = htons(call_id);
6409
6410 key.gwy.xport.call_id = call_id;
6411
6412 if (++n > 65535) {
6413 DPFPRINTF(PF_DEBUG_URGENT,
6414 ("pf_pptp_handler: failed to spoof "
6415 "call id\n"));
6416 key.gwy.xport.call_id = 0;
6417 break;
6418 }
6419 }
6420
6421 gsk->gwy.xport.call_id = call_id;
6422 }
6423 }
6424
6425 th = pd->hdr.tcp;
6426
6427 if (spoof_call_id && gsk->lan.xport.call_id != gsk->gwy.xport.call_id) {
6428 if (*spoof_call_id == gsk->gwy.xport.call_id) {
6429 *spoof_call_id = gsk->lan.xport.call_id;
6430 th->th_sum = pf_cksum_fixup(th->th_sum,
6431 gsk->gwy.xport.call_id, gsk->lan.xport.call_id, 0);
6432 } else {
6433 *spoof_call_id = gsk->gwy.xport.call_id;
6434 th->th_sum = pf_cksum_fixup(th->th_sum,
6435 gsk->lan.xport.call_id, gsk->gwy.xport.call_id, 0);
6436 }
6437
6438 if (pf_lazy_makewritable(pd, pbuf, off + plen) == NULL) {
6439 pptps->grev1_state = NULL;
6440 STATE_DEC_COUNTERS(gs);
6441 pool_put(&pf_state_pl, gs);
6442 return;
6443 }
6444 pbuf_copy_back(pbuf, off, plen, &cm);
6445 }
6446
6447 switch (op) {
6448 case PF_PPTP_REMOVE_GRE:
6449 gs->timeout = PFTM_PURGE;
6450 gs->src.state = gs->dst.state = PFGRE1S_NO_TRAFFIC;
6451 gsk->lan.xport.call_id = 0;
6452 gsk->gwy.xport.call_id = 0;
6453 gsk->ext_lan.xport.call_id = 0;
6454 gsk->ext_gwy.xport.call_id = 0;
6455 gs->id = gs->creatorid = 0;
6456 break;
6457
6458 case PF_PPTP_INSERT_GRE:
6459 gs->creation = pf_time_second();
6460 gs->expire = pf_time_second();
6461 gs->timeout = PFTM_TCP_ESTABLISHED;
6462 if (gs->src_node != NULL) {
6463 ++gs->src_node->states;
6464 VERIFY(gs->src_node->states != 0);
6465 }
6466 if (gs->nat_src_node != NULL) {
6467 ++gs->nat_src_node->states;
6468 VERIFY(gs->nat_src_node->states != 0);
6469 }
6470 pf_set_rt_ifp(gs, &sk->lan.addr, sk->af_lan);
6471 if (pf_insert_state(BOUND_IFACE(s->rule.ptr, kif), gs)) {
6472
6473 /*
6474 * <jhw@apple.com>
6475 * FIX ME: insertion can fail when multiple PNS
6476 * behind the same NAT open calls to the same PAC
6477 * simultaneously because spoofed call ID numbers
6478 * are chosen before states are inserted. This is
6479 * hard to fix and happens infrequently enough that
6480 * users will normally try again and this ALG will
6481 * succeed. Failures are expected to be rare enough
6482 * that fixing this is a low priority.
6483 */
6484 pptps->grev1_state = NULL;
6485 pd->lmw = -1; /* Force PF_DROP on PFRES_MEMORY */
6486 pf_src_tree_remove_state(gs);
6487 STATE_DEC_COUNTERS(gs);
6488 pool_put(&pf_state_pl, gs);
6489 DPFPRINTF(PF_DEBUG_URGENT, ("pf_pptp_handler: error "
6490 "inserting GREv1 state.\n"));
6491 }
6492 break;
6493
6494 default:
6495 break;
6496 }
6497 }
6498
6499 static void
6500 pf_pptp_unlink(struct pf_state *s)
6501 {
6502 struct pf_app_state *as = s->state_key->app_state;
6503 struct pf_state *grev1s = as->u.pptp.grev1_state;
6504
6505 if (grev1s) {
6506 struct pf_app_state *gas = grev1s->state_key->app_state;
6507
6508 if (grev1s->timeout < PFTM_MAX)
6509 grev1s->timeout = PFTM_PURGE;
6510 gas->u.grev1.pptp_state = NULL;
6511 as->u.pptp.grev1_state = NULL;
6512 }
6513 }
6514
6515 static void
6516 pf_grev1_unlink(struct pf_state *s)
6517 {
6518 struct pf_app_state *as = s->state_key->app_state;
6519 struct pf_state *pptps = as->u.grev1.pptp_state;
6520
6521 if (pptps) {
6522 struct pf_app_state *pas = pptps->state_key->app_state;
6523
6524 pas->u.pptp.grev1_state = NULL;
6525 as->u.grev1.pptp_state = NULL;
6526 }
6527 }
6528
6529 static int
6530 pf_ike_compare(struct pf_app_state *a, struct pf_app_state *b)
6531 {
6532 int64_t d = a->u.ike.cookie - b->u.ike.cookie;
6533 return ((d > 0) ? 1 : ((d < 0) ? -1 : 0));
6534 }
6535
6536 static int
6537 pf_do_nat64(struct pf_state_key *sk, struct pf_pdesc *pd, pbuf_t *pbuf,
6538 int off)
6539 {
6540 if (pd->af == AF_INET) {
6541 if (pd->af != sk->af_lan) {
6542 pd->ndaddr = sk->lan.addr;
6543 pd->naddr = sk->ext_lan.addr;
6544 } else {
6545 pd->naddr = sk->gwy.addr;
6546 pd->ndaddr = sk->ext_gwy.addr;
6547 }
6548 return (pf_nat64_ipv4(pbuf, off, pd));
6549 }
6550 else if (pd->af == AF_INET6) {
6551 if (pd->af != sk->af_lan) {
6552 pd->ndaddr = sk->lan.addr;
6553 pd->naddr = sk->ext_lan.addr;
6554 } else {
6555 pd->naddr = sk->gwy.addr;
6556 pd->ndaddr = sk->ext_gwy.addr;
6557 }
6558 return (pf_nat64_ipv6(pbuf, off, pd));
6559 }
6560 return (PF_DROP);
6561 }
6562
6563 static int
6564 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
6565 pbuf_t *pbuf, int off, void *h, struct pf_pdesc *pd,
6566 u_short *reason)
6567 {
6568 #pragma unused(h)
6569 struct pf_state_key_cmp key;
6570 struct tcphdr *th = pd->hdr.tcp;
6571 u_int16_t win = ntohs(th->th_win);
6572 u_int32_t ack, end, seq, orig_seq;
6573 u_int8_t sws, dws;
6574 int ackskew;
6575 int copyback = 0;
6576 struct pf_state_peer *src, *dst;
6577 struct pf_state_key *sk;
6578
6579 key.app_state = 0;
6580 key.proto = IPPROTO_TCP;
6581 key.af_lan = key.af_gwy = pd->af;
6582
6583 /*
6584 * For NAT64 the first time rule search and state creation
6585 * is done on the incoming side only.
6586 * Once the state gets created, NAT64's LAN side (ipv6) will
6587 * not be able to find the state in ext-gwy tree as that normally
6588 * is intended to be looked up for incoming traffic from the
6589 * WAN side.
6590 * Therefore to handle NAT64 case we init keys here for both
6591 * lan-ext as well as ext-gwy trees.
6592 * In the state lookup we attempt a lookup on both trees if
6593 * first one does not return any result and return a match if
6594 * the match state's was created by NAT64 rule.
6595 */
6596 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
6597 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
6598 key.ext_gwy.xport.port = th->th_sport;
6599 key.gwy.xport.port = th->th_dport;
6600
6601 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
6602 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
6603 key.lan.xport.port = th->th_sport;
6604 key.ext_lan.xport.port = th->th_dport;
6605
6606 STATE_LOOKUP();
6607
6608 sk = (*state)->state_key;
6609 /*
6610 * In case of NAT64 the translation is first applied on the LAN
6611 * side. Therefore for stack's address family comparison
6612 * we use sk->af_lan.
6613 */
6614 if ((direction == sk->direction) && (pd->af == sk->af_lan)) {
6615 src = &(*state)->src;
6616 dst = &(*state)->dst;
6617 } else {
6618 src = &(*state)->dst;
6619 dst = &(*state)->src;
6620 }
6621
6622 if (src->state == PF_TCPS_PROXY_SRC) {
6623 if (direction != sk->direction) {
6624 REASON_SET(reason, PFRES_SYNPROXY);
6625 return (PF_SYNPROXY_DROP);
6626 }
6627 if (th->th_flags & TH_SYN) {
6628 if (ntohl(th->th_seq) != src->seqlo) {
6629 REASON_SET(reason, PFRES_SYNPROXY);
6630 return (PF_DROP);
6631 }
6632 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
6633 pd->src, th->th_dport, th->th_sport,
6634 src->seqhi, ntohl(th->th_seq) + 1,
6635 TH_SYN|TH_ACK, 0, src->mss, 0, 1,
6636 0, NULL, NULL);
6637 REASON_SET(reason, PFRES_SYNPROXY);
6638 return (PF_SYNPROXY_DROP);
6639 } else if (!(th->th_flags & TH_ACK) ||
6640 (ntohl(th->th_ack) != src->seqhi + 1) ||
6641 (ntohl(th->th_seq) != src->seqlo + 1)) {
6642 REASON_SET(reason, PFRES_SYNPROXY);
6643 return (PF_DROP);
6644 } else if ((*state)->src_node != NULL &&
6645 pf_src_connlimit(state)) {
6646 REASON_SET(reason, PFRES_SRCLIMIT);
6647 return (PF_DROP);
6648 } else
6649 src->state = PF_TCPS_PROXY_DST;
6650 }
6651 if (src->state == PF_TCPS_PROXY_DST) {
6652 struct pf_state_host *psrc, *pdst;
6653
6654 if (direction == PF_OUT) {
6655 psrc = &sk->gwy;
6656 pdst = &sk->ext_gwy;
6657 } else {
6658 psrc = &sk->ext_lan;
6659 pdst = &sk->lan;
6660 }
6661 if (direction == sk->direction) {
6662 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
6663 (ntohl(th->th_ack) != src->seqhi + 1) ||
6664 (ntohl(th->th_seq) != src->seqlo + 1)) {
6665 REASON_SET(reason, PFRES_SYNPROXY);
6666 return (PF_DROP);
6667 }
6668 src->max_win = MAX(ntohs(th->th_win), 1);
6669 if (dst->seqhi == 1)
6670 dst->seqhi = htonl(random());
6671 pf_send_tcp((*state)->rule.ptr, pd->af, &psrc->addr,
6672 &pdst->addr, psrc->xport.port, pdst->xport.port,
6673 dst->seqhi, 0, TH_SYN, 0,
6674 src->mss, 0, 0, (*state)->tag, NULL, NULL);
6675 REASON_SET(reason, PFRES_SYNPROXY);
6676 return (PF_SYNPROXY_DROP);
6677 } else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
6678 (TH_SYN|TH_ACK)) ||
6679 (ntohl(th->th_ack) != dst->seqhi + 1)) {
6680 REASON_SET(reason, PFRES_SYNPROXY);
6681 return (PF_DROP);
6682 } else {
6683 dst->max_win = MAX(ntohs(th->th_win), 1);
6684 dst->seqlo = ntohl(th->th_seq);
6685 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
6686 pd->src, th->th_dport, th->th_sport,
6687 ntohl(th->th_ack), ntohl(th->th_seq) + 1,
6688 TH_ACK, src->max_win, 0, 0, 0,
6689 (*state)->tag, NULL, NULL);
6690 pf_send_tcp((*state)->rule.ptr, pd->af, &psrc->addr,
6691 &pdst->addr, psrc->xport.port, pdst->xport.port,
6692 src->seqhi + 1, src->seqlo + 1,
6693 TH_ACK, dst->max_win, 0, 0, 1,
6694 0, NULL, NULL);
6695 src->seqdiff = dst->seqhi -
6696 src->seqlo;
6697 dst->seqdiff = src->seqhi -
6698 dst->seqlo;
6699 src->seqhi = src->seqlo +
6700 dst->max_win;
6701 dst->seqhi = dst->seqlo +
6702 src->max_win;
6703 src->wscale = dst->wscale = 0;
6704 src->state = dst->state =
6705 TCPS_ESTABLISHED;
6706 REASON_SET(reason, PFRES_SYNPROXY);
6707 return (PF_SYNPROXY_DROP);
6708 }
6709 }
6710
6711 if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) &&
6712 dst->state >= TCPS_FIN_WAIT_2 &&
6713 src->state >= TCPS_FIN_WAIT_2) {
6714 if (pf_status.debug >= PF_DEBUG_MISC) {
6715 printf("pf: state reuse ");
6716 pf_print_state(*state);
6717 pf_print_flags(th->th_flags);
6718 printf("\n");
6719 }
6720 /* XXX make sure it's the same direction ?? */
6721 src->state = dst->state = TCPS_CLOSED;
6722 pf_unlink_state(*state);
6723 *state = NULL;
6724 return (PF_DROP);
6725 }
6726
6727 if ((th->th_flags & TH_SYN) == 0) {
6728 sws = (src->wscale & PF_WSCALE_FLAG) ?
6729 (src->wscale & PF_WSCALE_MASK) : TCP_MAX_WINSHIFT;
6730 dws = (dst->wscale & PF_WSCALE_FLAG) ?
6731 (dst->wscale & PF_WSCALE_MASK) : TCP_MAX_WINSHIFT;
6732 }
6733 else
6734 sws = dws = 0;
6735
6736 /*
6737 * Sequence tracking algorithm from Guido van Rooij's paper:
6738 * http://www.madison-gurkha.com/publications/tcp_filtering/
6739 * tcp_filtering.ps
6740 */
6741
6742 orig_seq = seq = ntohl(th->th_seq);
6743 if (src->seqlo == 0) {
6744 /* First packet from this end. Set its state */
6745
6746 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
6747 src->scrub == NULL) {
6748 if (pf_normalize_tcp_init(pbuf, off, pd, th, src, dst)) {
6749 REASON_SET(reason, PFRES_MEMORY);
6750 return (PF_DROP);
6751 }
6752 }
6753
6754 /* Deferred generation of sequence number modulator */
6755 if (dst->seqdiff && !src->seqdiff) {
6756 /* use random iss for the TCP server */
6757 while ((src->seqdiff = random() - seq) == 0)
6758 ;
6759 ack = ntohl(th->th_ack) - dst->seqdiff;
6760 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
6761 src->seqdiff), 0);
6762 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
6763 copyback = off + sizeof (*th);
6764 } else {
6765 ack = ntohl(th->th_ack);
6766 }
6767
6768 end = seq + pd->p_len;
6769 if (th->th_flags & TH_SYN) {
6770 end++;
6771 if (dst->wscale & PF_WSCALE_FLAG) {
6772 src->wscale = pf_get_wscale(pbuf, off,
6773 th->th_off, pd->af);
6774 if (src->wscale & PF_WSCALE_FLAG) {
6775 /*
6776 * Remove scale factor from initial
6777 * window
6778 */
6779 sws = src->wscale & PF_WSCALE_MASK;
6780 win = ((u_int32_t)win + (1 << sws) - 1)
6781 >> sws;
6782 dws = dst->wscale & PF_WSCALE_MASK;
6783 } else {
6784 /*
6785 * Window scale negotiation has failed,
6786 * therefore we must restore the window
6787 * scale in the state record that we
6788 * optimistically removed in
6789 * pf_test_rule(). Care is required to
6790 * prevent arithmetic overflow from
6791 * zeroing the window when it's
6792 * truncated down to 16-bits.
6793 */
6794 u_int32_t max_win = dst->max_win;
6795 max_win <<=
6796 dst->wscale & PF_WSCALE_MASK;
6797 dst->max_win = MIN(0xffff, max_win);
6798 /* in case of a retrans SYN|ACK */
6799 dst->wscale = 0;
6800 }
6801 }
6802 }
6803 if (th->th_flags & TH_FIN)
6804 end++;
6805
6806 src->seqlo = seq;
6807 if (src->state < TCPS_SYN_SENT)
6808 src->state = TCPS_SYN_SENT;
6809
6810 /*
6811 * May need to slide the window (seqhi may have been set by
6812 * the crappy stack check or if we picked up the connection
6813 * after establishment)
6814 */
6815 if (src->seqhi == 1 ||
6816 SEQ_GEQ(end + MAX(1, (u_int32_t)dst->max_win << dws),
6817 src->seqhi))
6818 src->seqhi = end + MAX(1, (u_int32_t)dst->max_win << dws);
6819 if (win > src->max_win)
6820 src->max_win = win;
6821
6822 } else {
6823 ack = ntohl(th->th_ack) - dst->seqdiff;
6824 if (src->seqdiff) {
6825 /* Modulate sequence numbers */
6826 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
6827 src->seqdiff), 0);
6828 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
6829 copyback = off+ sizeof (*th);
6830 }
6831 end = seq + pd->p_len;
6832 if (th->th_flags & TH_SYN)
6833 end++;
6834 if (th->th_flags & TH_FIN)
6835 end++;
6836 }
6837
6838 if ((th->th_flags & TH_ACK) == 0) {
6839 /* Let it pass through the ack skew check */
6840 ack = dst->seqlo;
6841 } else if ((ack == 0 &&
6842 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) ||
6843 /* broken tcp stacks do not set ack */
6844 (dst->state < TCPS_SYN_SENT)) {
6845 /*
6846 * Many stacks (ours included) will set the ACK number in an
6847 * FIN|ACK if the SYN times out -- no sequence to ACK.
6848 */
6849 ack = dst->seqlo;
6850 }
6851
6852 if (seq == end) {
6853 /* Ease sequencing restrictions on no data packets */
6854 seq = src->seqlo;
6855 end = seq;
6856 }
6857
6858 ackskew = dst->seqlo - ack;
6859
6860
6861 /*
6862 * Need to demodulate the sequence numbers in any TCP SACK options
6863 * (Selective ACK). We could optionally validate the SACK values
6864 * against the current ACK window, either forwards or backwards, but
6865 * I'm not confident that SACK has been implemented properly
6866 * everywhere. It wouldn't surprise me if several stacks accidently
6867 * SACK too far backwards of previously ACKed data. There really aren't
6868 * any security implications of bad SACKing unless the target stack
6869 * doesn't validate the option length correctly. Someone trying to
6870 * spoof into a TCP connection won't bother blindly sending SACK
6871 * options anyway.
6872 */
6873 if (dst->seqdiff && (th->th_off << 2) > (int)sizeof (struct tcphdr)) {
6874 copyback = pf_modulate_sack(pbuf, off, pd, th, dst);
6875 if (copyback == -1) {
6876 REASON_SET(reason, PFRES_MEMORY);
6877 return (PF_DROP);
6878 }
6879
6880 pbuf = pd->mp; // XXXSCW: Why?
6881 }
6882
6883
6884 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */
6885 if (SEQ_GEQ(src->seqhi, end) &&
6886 /* Last octet inside other's window space */
6887 SEQ_GEQ(seq, src->seqlo - ((u_int32_t)dst->max_win << dws)) &&
6888 /* Retrans: not more than one window back */
6889 (ackskew >= -MAXACKWINDOW) &&
6890 /* Acking not more than one reassembled fragment backwards */
6891 (ackskew <= (MAXACKWINDOW << sws)) &&
6892 /* Acking not more than one window forward */
6893 ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
6894 (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) ||
6895 (pd->flags & PFDESC_IP_REAS) == 0)) {
6896 /* Require an exact/+1 sequence match on resets when possible */
6897
6898 if (dst->scrub || src->scrub) {
6899 if (pf_normalize_tcp_stateful(pbuf, off, pd, reason, th,
6900 *state, src, dst, &copyback))
6901 return (PF_DROP);
6902
6903 pbuf = pd->mp; // XXXSCW: Why?
6904 }
6905
6906 /* update max window */
6907 if (src->max_win < win)
6908 src->max_win = win;
6909 /* synchronize sequencing */
6910 if (SEQ_GT(end, src->seqlo))
6911 src->seqlo = end;
6912 /* slide the window of what the other end can send */
6913 if (SEQ_GEQ(ack + ((u_int32_t)win << sws), dst->seqhi))
6914 dst->seqhi = ack + MAX(((u_int32_t)win << sws), 1);
6915
6916 /* update states */
6917 if (th->th_flags & TH_SYN)
6918 if (src->state < TCPS_SYN_SENT)
6919 src->state = TCPS_SYN_SENT;
6920 if (th->th_flags & TH_FIN)
6921 if (src->state < TCPS_CLOSING)
6922 src->state = TCPS_CLOSING;
6923 if (th->th_flags & TH_ACK) {
6924 if (dst->state == TCPS_SYN_SENT) {
6925 dst->state = TCPS_ESTABLISHED;
6926 if (src->state == TCPS_ESTABLISHED &&
6927 (*state)->src_node != NULL &&
6928 pf_src_connlimit(state)) {
6929 REASON_SET(reason, PFRES_SRCLIMIT);
6930 return (PF_DROP);
6931 }
6932 } else if (dst->state == TCPS_CLOSING)
6933 dst->state = TCPS_FIN_WAIT_2;
6934 }
6935 if (th->th_flags & TH_RST)
6936 src->state = dst->state = TCPS_TIME_WAIT;
6937
6938 /* update expire time */
6939 (*state)->expire = pf_time_second();
6940 if (src->state >= TCPS_FIN_WAIT_2 &&
6941 dst->state >= TCPS_FIN_WAIT_2)
6942 (*state)->timeout = PFTM_TCP_CLOSED;
6943 else if (src->state >= TCPS_CLOSING &&
6944 dst->state >= TCPS_CLOSING)
6945 (*state)->timeout = PFTM_TCP_FIN_WAIT;
6946 else if (src->state < TCPS_ESTABLISHED ||
6947 dst->state < TCPS_ESTABLISHED)
6948 (*state)->timeout = PFTM_TCP_OPENING;
6949 else if (src->state >= TCPS_CLOSING ||
6950 dst->state >= TCPS_CLOSING)
6951 (*state)->timeout = PFTM_TCP_CLOSING;
6952 else
6953 (*state)->timeout = PFTM_TCP_ESTABLISHED;
6954
6955 /* Fall through to PASS packet */
6956
6957 } else if ((dst->state < TCPS_SYN_SENT ||
6958 dst->state >= TCPS_FIN_WAIT_2 || src->state >= TCPS_FIN_WAIT_2) &&
6959 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) &&
6960 /* Within a window forward of the originating packet */
6961 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
6962 /* Within a window backward of the originating packet */
6963
6964 /*
6965 * This currently handles three situations:
6966 * 1) Stupid stacks will shotgun SYNs before their peer
6967 * replies.
6968 * 2) When PF catches an already established stream (the
6969 * firewall rebooted, the state table was flushed, routes
6970 * changed...)
6971 * 3) Packets get funky immediately after the connection
6972 * closes (this should catch Solaris spurious ACK|FINs
6973 * that web servers like to spew after a close)
6974 *
6975 * This must be a little more careful than the above code
6976 * since packet floods will also be caught here. We don't
6977 * update the TTL here to mitigate the damage of a packet
6978 * flood and so the same code can handle awkward establishment
6979 * and a loosened connection close.
6980 * In the establishment case, a correct peer response will
6981 * validate the connection, go through the normal state code
6982 * and keep updating the state TTL.
6983 */
6984
6985 if (pf_status.debug >= PF_DEBUG_MISC) {
6986 printf("pf: loose state match: ");
6987 pf_print_state(*state);
6988 pf_print_flags(th->th_flags);
6989 printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
6990 "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack,
6991 pd->p_len, ackskew, (*state)->packets[0],
6992 (*state)->packets[1],
6993 direction == PF_IN ? "in" : "out",
6994 direction == sk->direction ?
6995 "fwd" : "rev");
6996 }
6997
6998 if (dst->scrub || src->scrub) {
6999 if (pf_normalize_tcp_stateful(pbuf, off, pd, reason, th,
7000 *state, src, dst, &copyback))
7001 return (PF_DROP);
7002 pbuf = pd->mp; // XXXSCW: Why?
7003 }
7004
7005 /* update max window */
7006 if (src->max_win < win)
7007 src->max_win = win;
7008 /* synchronize sequencing */
7009 if (SEQ_GT(end, src->seqlo))
7010 src->seqlo = end;
7011 /* slide the window of what the other end can send */
7012 if (SEQ_GEQ(ack + ((u_int32_t)win << sws), dst->seqhi))
7013 dst->seqhi = ack + MAX(((u_int32_t)win << sws), 1);
7014
7015 /*
7016 * Cannot set dst->seqhi here since this could be a shotgunned
7017 * SYN and not an already established connection.
7018 */
7019
7020 if (th->th_flags & TH_FIN)
7021 if (src->state < TCPS_CLOSING)
7022 src->state = TCPS_CLOSING;
7023 if (th->th_flags & TH_RST)
7024 src->state = dst->state = TCPS_TIME_WAIT;
7025
7026 /* Fall through to PASS packet */
7027
7028 } else {
7029 if (dst->state == TCPS_SYN_SENT &&
7030 src->state == TCPS_SYN_SENT) {
7031 /* Send RST for state mismatches during handshake */
7032 if (!(th->th_flags & TH_RST))
7033 pf_send_tcp((*state)->rule.ptr, pd->af,
7034 pd->dst, pd->src, th->th_dport,
7035 th->th_sport, ntohl(th->th_ack), 0,
7036 TH_RST, 0, 0,
7037 (*state)->rule.ptr->return_ttl, 1, 0,
7038 pd->eh, kif->pfik_ifp);
7039 src->seqlo = 0;
7040 src->seqhi = 1;
7041 src->max_win = 1;
7042 } else if (pf_status.debug >= PF_DEBUG_MISC) {
7043 printf("pf: BAD state: ");
7044 pf_print_state(*state);
7045 pf_print_flags(th->th_flags);
7046 printf("\n seq=%u (%u) ack=%u len=%u ackskew=%d "
7047 "sws=%u dws=%u pkts=%llu:%llu dir=%s,%s\n",
7048 seq, orig_seq, ack, pd->p_len, ackskew,
7049 (unsigned int)sws, (unsigned int)dws,
7050 (*state)->packets[0], (*state)->packets[1],
7051 direction == PF_IN ? "in" : "out",
7052 direction == sk->direction ?
7053 "fwd" : "rev");
7054 printf("pf: State failure on: %c %c %c %c | %c %c\n",
7055 SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
7056 SEQ_GEQ(seq,
7057 src->seqlo - ((u_int32_t)dst->max_win << dws)) ?
7058 ' ': '2',
7059 (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
7060 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
7061 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
7062 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
7063 }
7064 REASON_SET(reason, PFRES_BADSTATE);
7065 return (PF_DROP);
7066 }
7067
7068 /* Any packets which have gotten here are to be passed */
7069
7070 if (sk->app_state &&
7071 sk->app_state->handler) {
7072 sk->app_state->handler(*state, direction,
7073 off + (th->th_off << 2), pd, kif);
7074 if (pd->lmw < 0) {
7075 REASON_SET(reason, PFRES_MEMORY);
7076 return (PF_DROP);
7077 }
7078 pbuf = pd->mp; // XXXSCW: Why?
7079 }
7080
7081 /* translate source/destination address, if necessary */
7082 if (STATE_TRANSLATE(sk)) {
7083 pd->naf = (pd->af == sk->af_lan) ? sk->af_gwy : sk->af_lan;
7084
7085 if (direction == PF_OUT) {
7086 pf_change_ap(direction, pd->mp, pd->src, &th->th_sport,
7087 pd->ip_sum, &th->th_sum, &sk->gwy.addr,
7088 sk->gwy.xport.port, 0, pd->af, pd->naf, 1);
7089 } else {
7090 if (pd->af != pd->naf) {
7091 if (pd->af == sk->af_gwy) {
7092 pf_change_ap(direction, pd->mp, pd->dst,
7093 &th->th_dport, pd->ip_sum,
7094 &th->th_sum, &sk->lan.addr,
7095 sk->lan.xport.port, 0,
7096 pd->af, pd->naf, 0);
7097
7098 pf_change_ap(direction, pd->mp, pd->src,
7099 &th->th_sport, pd->ip_sum,
7100 &th->th_sum, &sk->ext_lan.addr,
7101 th->th_sport, 0, pd->af,
7102 pd->naf, 0);
7103
7104 } else {
7105 pf_change_ap(direction, pd->mp, pd->dst,
7106 &th->th_dport, pd->ip_sum,
7107 &th->th_sum, &sk->ext_gwy.addr,
7108 th->th_dport, 0, pd->af,
7109 pd->naf, 0);
7110
7111 pf_change_ap(direction, pd->mp, pd->src,
7112 &th->th_sport, pd->ip_sum,
7113 &th->th_sum, &sk->gwy.addr,
7114 sk->gwy.xport.port, 0, pd->af,
7115 pd->naf, 0);
7116 }
7117 } else {
7118 pf_change_ap(direction, pd->mp, pd->dst,
7119 &th->th_dport, pd->ip_sum,
7120 &th->th_sum, &sk->lan.addr,
7121 sk->lan.xport.port, 0, pd->af,
7122 pd->naf, 1);
7123 }
7124 }
7125
7126 copyback = off + sizeof (*th);
7127 }
7128
7129 if (copyback) {
7130 if (pf_lazy_makewritable(pd, pbuf, copyback) == NULL) {
7131 REASON_SET(reason, PFRES_MEMORY);
7132 return (PF_DROP);
7133 }
7134
7135 /* Copyback sequence modulation or stateful scrub changes */
7136 pbuf_copy_back(pbuf, off, sizeof (*th), th);
7137
7138 if (sk->af_lan != sk->af_gwy)
7139 return (pf_do_nat64(sk, pd, pbuf, off));
7140 }
7141 return (PF_PASS);
7142 }
7143
7144 static int
7145 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
7146 pbuf_t *pbuf, int off, void *h, struct pf_pdesc *pd, u_short *reason)
7147 {
7148 #pragma unused(h)
7149 struct pf_state_peer *src, *dst;
7150 struct pf_state_key_cmp key;
7151 struct pf_state_key *sk;
7152 struct udphdr *uh = pd->hdr.udp;
7153 struct pf_app_state as;
7154 int action, extfilter;
7155 key.app_state = 0;
7156 key.proto_variant = PF_EXTFILTER_APD;
7157
7158 key.proto = IPPROTO_UDP;
7159 key.af_lan = key.af_gwy = pd->af;
7160
7161 /*
7162 * For NAT64 the first time rule search and state creation
7163 * is done on the incoming side only.
7164 * Once the state gets created, NAT64's LAN side (ipv6) will
7165 * not be able to find the state in ext-gwy tree as that normally
7166 * is intended to be looked up for incoming traffic from the
7167 * WAN side.
7168 * Therefore to handle NAT64 case we init keys here for both
7169 * lan-ext as well as ext-gwy trees.
7170 * In the state lookup we attempt a lookup on both trees if
7171 * first one does not return any result and return a match if
7172 * the match state's was created by NAT64 rule.
7173 */
7174 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
7175 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
7176 key.ext_gwy.xport.port = uh->uh_sport;
7177 key.gwy.xport.port = uh->uh_dport;
7178
7179 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
7180 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
7181 key.lan.xport.port = uh->uh_sport;
7182 key.ext_lan.xport.port = uh->uh_dport;
7183
7184 if (ntohs(uh->uh_sport) == PF_IKE_PORT &&
7185 ntohs(uh->uh_dport) == PF_IKE_PORT) {
7186 struct pf_ike_hdr ike;
7187 size_t plen = pbuf->pb_packet_len - off - sizeof (*uh);
7188 if (plen < PF_IKE_PACKET_MINSIZE) {
7189 DPFPRINTF(PF_DEBUG_MISC,
7190 ("pf: IKE message too small.\n"));
7191 return (PF_DROP);
7192 }
7193
7194 if (plen > sizeof (ike))
7195 plen = sizeof (ike);
7196 pbuf_copy_data(pbuf, off + sizeof (*uh), plen, &ike);
7197
7198 if (ike.initiator_cookie) {
7199 key.app_state = &as;
7200 as.compare_lan_ext = pf_ike_compare;
7201 as.compare_ext_gwy = pf_ike_compare;
7202 as.u.ike.cookie = ike.initiator_cookie;
7203 } else {
7204 /*
7205 * <http://tools.ietf.org/html/\
7206 * draft-ietf-ipsec-nat-t-ike-01>
7207 * Support non-standard NAT-T implementations that
7208 * push the ESP packet over the top of the IKE packet.
7209 * Do not drop packet.
7210 */
7211 DPFPRINTF(PF_DEBUG_MISC,
7212 ("pf: IKE initiator cookie = 0.\n"));
7213 }
7214 }
7215
7216 *state = pf_find_state(kif, &key, direction);
7217
7218 if (!key.app_state && *state == 0) {
7219 key.proto_variant = PF_EXTFILTER_AD;
7220 *state = pf_find_state(kif, &key, direction);
7221 }
7222
7223 if (!key.app_state && *state == 0) {
7224 key.proto_variant = PF_EXTFILTER_EI;
7225 *state = pf_find_state(kif, &key, direction);
7226 }
7227
7228 /* similar to STATE_LOOKUP() */
7229 if (*state != NULL && pd != NULL && !(pd->pktflags & PKTF_FLOW_ID)) {
7230 pd->flowsrc = (*state)->state_key->flowsrc;
7231 pd->flowhash = (*state)->state_key->flowhash;
7232 if (pd->flowhash != 0) {
7233 pd->pktflags |= PKTF_FLOW_ID;
7234 pd->pktflags &= ~PKTF_FLOW_ADV;
7235 }
7236 }
7237
7238 if (pf_state_lookup_aux(state, kif, direction, &action))
7239 return (action);
7240
7241 sk = (*state)->state_key;
7242
7243 /*
7244 * In case of NAT64 the translation is first applied on the LAN
7245 * side. Therefore for stack's address family comparison
7246 * we use sk->af_lan.
7247 */
7248 if ((direction == sk->direction) && (pd->af == sk->af_lan)) {
7249 src = &(*state)->src;
7250 dst = &(*state)->dst;
7251 } else {
7252 src = &(*state)->dst;
7253 dst = &(*state)->src;
7254 }
7255
7256 /* update states */
7257 if (src->state < PFUDPS_SINGLE)
7258 src->state = PFUDPS_SINGLE;
7259 if (dst->state == PFUDPS_SINGLE)
7260 dst->state = PFUDPS_MULTIPLE;
7261
7262 /* update expire time */
7263 (*state)->expire = pf_time_second();
7264 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
7265 (*state)->timeout = PFTM_UDP_MULTIPLE;
7266 else
7267 (*state)->timeout = PFTM_UDP_SINGLE;
7268
7269 extfilter = sk->proto_variant;
7270 if (extfilter > PF_EXTFILTER_APD) {
7271 if (direction == PF_OUT) {
7272 sk->ext_lan.xport.port = key.ext_lan.xport.port;
7273 if (extfilter > PF_EXTFILTER_AD)
7274 PF_ACPY(&sk->ext_lan.addr, &key.ext_lan.addr,
7275 key.af_lan);
7276 } else {
7277 sk->ext_gwy.xport.port = key.ext_gwy.xport.port;
7278 if (extfilter > PF_EXTFILTER_AD)
7279 PF_ACPY(&sk->ext_gwy.addr, &key.ext_gwy.addr,
7280 key.af_gwy);
7281 }
7282 }
7283
7284 if (sk->app_state && sk->app_state->handler) {
7285 sk->app_state->handler(*state, direction, off + uh->uh_ulen,
7286 pd, kif);
7287 if (pd->lmw < 0) {
7288 REASON_SET(reason, PFRES_MEMORY);
7289 return (PF_DROP);
7290 }
7291 pbuf = pd->mp; // XXXSCW: Why?
7292 }
7293
7294 /* translate source/destination address, if necessary */
7295 if (STATE_TRANSLATE(sk)) {
7296 if (pf_lazy_makewritable(pd, pbuf, off + sizeof (*uh)) == NULL) {
7297 REASON_SET(reason, PFRES_MEMORY);
7298 return (PF_DROP);
7299 }
7300
7301 pd->naf = (pd->af == sk->af_lan) ? sk->af_gwy : sk->af_lan;
7302
7303 if (direction == PF_OUT) {
7304 pf_change_ap(direction, pd->mp, pd->src, &uh->uh_sport,
7305 pd->ip_sum, &uh->uh_sum, &sk->gwy.addr,
7306 sk->gwy.xport.port, 1, pd->af, pd->naf, 1);
7307 } else {
7308 if (pd->af != pd->naf) {
7309
7310 if (pd->af == sk->af_gwy) {
7311 pf_change_ap(direction, pd->mp, pd->dst,
7312 &uh->uh_dport, pd->ip_sum,
7313 &uh->uh_sum, &sk->lan.addr,
7314 sk->lan.xport.port, 1,
7315 pd->af, pd->naf, 0);
7316
7317 pf_change_ap(direction, pd->mp, pd->src,
7318 &uh->uh_sport, pd->ip_sum,
7319 &uh->uh_sum, &sk->ext_lan.addr,
7320 uh->uh_sport, 1, pd->af,
7321 pd->naf, 0);
7322
7323 } else {
7324 pf_change_ap(direction, pd->mp, pd->dst,
7325 &uh->uh_dport, pd->ip_sum,
7326 &uh->uh_sum, &sk->ext_gwy.addr,
7327 uh->uh_dport, 1, pd->af,
7328 pd->naf, 0);
7329
7330 pf_change_ap(direction, pd->mp, pd->src,
7331 &uh->uh_sport, pd->ip_sum,
7332 &uh->uh_sum, &sk->gwy.addr,
7333 sk->gwy.xport.port, 1, pd->af,
7334 pd->naf, 0);
7335 }
7336 } else {
7337 pf_change_ap(direction, pd->mp, pd->dst,
7338 &uh->uh_dport, pd->ip_sum,
7339 &uh->uh_sum, &sk->lan.addr,
7340 sk->lan.xport.port, 1,
7341 pd->af, pd->naf, 1);
7342 }
7343 }
7344
7345 pbuf_copy_back(pbuf, off, sizeof (*uh), uh);
7346 if (sk->af_lan != sk->af_gwy)
7347 return (pf_do_nat64(sk, pd, pbuf, off));
7348 }
7349 return (PF_PASS);
7350 }
7351
7352 static int
7353 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
7354 pbuf_t *pbuf, int off, void *h, struct pf_pdesc *pd, u_short *reason)
7355 {
7356 #pragma unused(h)
7357 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
7358 struct in_addr srcv4_inaddr = saddr->v4addr;
7359 u_int16_t icmpid = 0, *icmpsum = NULL;
7360 u_int8_t icmptype = 0;
7361 int state_icmp = 0;
7362 struct pf_state_key_cmp key;
7363 struct pf_state_key *sk;
7364
7365 struct pf_app_state as;
7366 key.app_state = 0;
7367
7368 pd->off = off;
7369
7370 switch (pd->proto) {
7371 #if INET
7372 case IPPROTO_ICMP:
7373 icmptype = pd->hdr.icmp->icmp_type;
7374 icmpid = pd->hdr.icmp->icmp_id;
7375 icmpsum = &pd->hdr.icmp->icmp_cksum;
7376
7377 if (icmptype == ICMP_UNREACH ||
7378 icmptype == ICMP_SOURCEQUENCH ||
7379 icmptype == ICMP_REDIRECT ||
7380 icmptype == ICMP_TIMXCEED ||
7381 icmptype == ICMP_PARAMPROB)
7382 state_icmp++;
7383 break;
7384 #endif /* INET */
7385 #if INET6
7386 case IPPROTO_ICMPV6:
7387 icmptype = pd->hdr.icmp6->icmp6_type;
7388 icmpid = pd->hdr.icmp6->icmp6_id;
7389 icmpsum = &pd->hdr.icmp6->icmp6_cksum;
7390
7391 if (icmptype == ICMP6_DST_UNREACH ||
7392 icmptype == ICMP6_PACKET_TOO_BIG ||
7393 icmptype == ICMP6_TIME_EXCEEDED ||
7394 icmptype == ICMP6_PARAM_PROB)
7395 state_icmp++;
7396 break;
7397 #endif /* INET6 */
7398 }
7399
7400 if (!state_icmp) {
7401
7402 /*
7403 * ICMP query/reply message not related to a TCP/UDP packet.
7404 * Search for an ICMP state.
7405 */
7406 /*
7407 * NAT64 requires protocol translation between ICMPv4
7408 * and ICMPv6. TCP and UDP do not require protocol
7409 * translation. To avoid adding complexity just to
7410 * handle ICMP(v4addr/v6addr), we always lookup for
7411 * proto = IPPROTO_ICMP on both LAN and WAN side
7412 */
7413 key.proto = IPPROTO_ICMP;
7414 key.af_lan = key.af_gwy = pd->af;
7415
7416 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
7417 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
7418 key.ext_gwy.xport.port = 0;
7419 key.gwy.xport.port = icmpid;
7420
7421 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
7422 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
7423 key.lan.xport.port = icmpid;
7424 key.ext_lan.xport.port = 0;
7425
7426 STATE_LOOKUP();
7427
7428 sk = (*state)->state_key;
7429 (*state)->expire = pf_time_second();
7430 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
7431
7432 /* translate source/destination address, if necessary */
7433 if (STATE_TRANSLATE(sk)) {
7434 pd->naf = (pd->af == sk->af_lan) ?
7435 sk->af_gwy : sk->af_lan;
7436 if (direction == PF_OUT) {
7437 switch (pd->af) {
7438 #if INET
7439 case AF_INET:
7440 pf_change_a(&saddr->v4addr.s_addr,
7441 pd->ip_sum,
7442 sk->gwy.addr.v4addr.s_addr, 0);
7443 pd->hdr.icmp->icmp_cksum =
7444 pf_cksum_fixup(
7445 pd->hdr.icmp->icmp_cksum, icmpid,
7446 sk->gwy.xport.port, 0);
7447 pd->hdr.icmp->icmp_id =
7448 sk->gwy.xport.port;
7449 if (pf_lazy_makewritable(pd, pbuf,
7450 off + ICMP_MINLEN) == NULL)
7451 return (PF_DROP);
7452 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
7453 pd->hdr.icmp);
7454 break;
7455 #endif /* INET */
7456 #if INET6
7457 case AF_INET6:
7458 pf_change_a6(saddr,
7459 &pd->hdr.icmp6->icmp6_cksum,
7460 &sk->gwy.addr, 0);
7461 if (pf_lazy_makewritable(pd, NULL,
7462 off + sizeof (struct icmp6_hdr)) ==
7463 NULL)
7464 return (PF_DROP);
7465 pbuf_copy_back(pbuf, off,
7466 sizeof (struct icmp6_hdr),
7467 pd->hdr.icmp6);
7468 break;
7469 #endif /* INET6 */
7470 }
7471 } else {
7472 switch (pd->af) {
7473 #if INET
7474 case AF_INET:
7475 if (pd->naf != AF_INET) {
7476 if (pf_translate_icmp_af(
7477 AF_INET6, pd->hdr.icmp))
7478 return (PF_DROP);
7479
7480 pd->proto = IPPROTO_ICMPV6;
7481
7482 } else {
7483
7484 pf_change_a(&daddr->v4addr.s_addr,
7485 pd->ip_sum,
7486 sk->lan.addr.v4addr.s_addr, 0);
7487
7488 pd->hdr.icmp->icmp_cksum =
7489 pf_cksum_fixup(
7490 pd->hdr.icmp->icmp_cksum,
7491 icmpid, sk->lan.xport.port, 0);
7492
7493 pd->hdr.icmp->icmp_id =
7494 sk->lan.xport.port;
7495 }
7496
7497 if (pf_lazy_makewritable(pd, pbuf,
7498 off + ICMP_MINLEN) == NULL)
7499 return (PF_DROP);
7500 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
7501 pd->hdr.icmp);
7502 if (sk->af_lan != sk->af_gwy)
7503 return (pf_do_nat64(sk, pd,
7504 pbuf, off));
7505 break;
7506 #endif /* INET */
7507 #if INET6
7508 case AF_INET6:
7509 if (pd->naf != AF_INET6) {
7510 if (pf_translate_icmp_af(
7511 AF_INET, pd->hdr.icmp6))
7512 return (PF_DROP);
7513
7514 pd->proto = IPPROTO_ICMP;
7515 } else {
7516 pf_change_a6(daddr,
7517 &pd->hdr.icmp6->icmp6_cksum,
7518 &sk->lan.addr, 0);
7519 }
7520 if (pf_lazy_makewritable(pd, pbuf,
7521 off + sizeof (struct icmp6_hdr)) ==
7522 NULL)
7523 return (PF_DROP);
7524 pbuf_copy_back(pbuf, off,
7525 sizeof (struct icmp6_hdr),
7526 pd->hdr.icmp6);
7527 if (sk->af_lan != sk->af_gwy)
7528 return (pf_do_nat64(sk, pd,
7529 pbuf, off));
7530 break;
7531 #endif /* INET6 */
7532 }
7533 }
7534 }
7535
7536 return (PF_PASS);
7537
7538 } else {
7539 /*
7540 * ICMP error message in response to a TCP/UDP packet.
7541 * Extract the inner TCP/UDP header and search for that state.
7542 */
7543 struct pf_pdesc pd2; /* For inner (original) header */
7544 #if INET
7545 struct ip h2;
7546 #endif /* INET */
7547 #if INET6
7548 struct ip6_hdr h2_6;
7549 int terminal = 0;
7550 #endif /* INET6 */
7551 int ipoff2 = 0;
7552 int off2 = 0;
7553
7554 memset(&pd2, 0, sizeof (pd2));
7555
7556 pd2.af = pd->af;
7557 switch (pd->af) {
7558 #if INET
7559 case AF_INET:
7560 /* offset of h2 in mbuf chain */
7561 ipoff2 = off + ICMP_MINLEN;
7562
7563 if (!pf_pull_hdr(pbuf, ipoff2, &h2, sizeof (h2),
7564 NULL, reason, pd2.af)) {
7565 DPFPRINTF(PF_DEBUG_MISC,
7566 ("pf: ICMP error message too short "
7567 "(ip)\n"));
7568 return (PF_DROP);
7569 }
7570 /*
7571 * ICMP error messages don't refer to non-first
7572 * fragments
7573 */
7574 if (h2.ip_off & htons(IP_OFFMASK)) {
7575 REASON_SET(reason, PFRES_FRAG);
7576 return (PF_DROP);
7577 }
7578
7579 /* offset of protocol header that follows h2 */
7580 off2 = ipoff2 + (h2.ip_hl << 2);
7581 /* TODO */
7582 pd2.off = ipoff2 + (h2.ip_hl << 2);
7583
7584 pd2.proto = h2.ip_p;
7585 pd2.src = (struct pf_addr *)&h2.ip_src;
7586 pd2.dst = (struct pf_addr *)&h2.ip_dst;
7587 pd2.ip_sum = &h2.ip_sum;
7588 break;
7589 #endif /* INET */
7590 #if INET6
7591 case AF_INET6:
7592 ipoff2 = off + sizeof (struct icmp6_hdr);
7593
7594 if (!pf_pull_hdr(pbuf, ipoff2, &h2_6, sizeof (h2_6),
7595 NULL, reason, pd2.af)) {
7596 DPFPRINTF(PF_DEBUG_MISC,
7597 ("pf: ICMP error message too short "
7598 "(ip6)\n"));
7599 return (PF_DROP);
7600 }
7601 pd2.proto = h2_6.ip6_nxt;
7602 pd2.src = (struct pf_addr *)(uintptr_t)&h2_6.ip6_src;
7603 pd2.dst = (struct pf_addr *)(uintptr_t)&h2_6.ip6_dst;
7604 pd2.ip_sum = NULL;
7605 off2 = ipoff2 + sizeof (h2_6);
7606 do {
7607 switch (pd2.proto) {
7608 case IPPROTO_FRAGMENT:
7609 /*
7610 * ICMPv6 error messages for
7611 * non-first fragments
7612 */
7613 REASON_SET(reason, PFRES_FRAG);
7614 return (PF_DROP);
7615 case IPPROTO_AH:
7616 case IPPROTO_HOPOPTS:
7617 case IPPROTO_ROUTING:
7618 case IPPROTO_DSTOPTS: {
7619 /* get next header and header length */
7620 struct ip6_ext opt6;
7621
7622 if (!pf_pull_hdr(pbuf, off2, &opt6,
7623 sizeof (opt6), NULL, reason,
7624 pd2.af)) {
7625 DPFPRINTF(PF_DEBUG_MISC,
7626 ("pf: ICMPv6 short opt\n"));
7627 return (PF_DROP);
7628 }
7629 if (pd2.proto == IPPROTO_AH)
7630 off2 += (opt6.ip6e_len + 2) * 4;
7631 else
7632 off2 += (opt6.ip6e_len + 1) * 8;
7633 pd2.proto = opt6.ip6e_nxt;
7634 /* goto the next header */
7635 break;
7636 }
7637 default:
7638 terminal++;
7639 break;
7640 }
7641 } while (!terminal);
7642 /* TODO */
7643 pd2.off = ipoff2;
7644 break;
7645 #endif /* INET6 */
7646 }
7647
7648 switch (pd2.proto) {
7649 case IPPROTO_TCP: {
7650 struct tcphdr th;
7651 u_int32_t seq;
7652 struct pf_state_peer *src, *dst;
7653 u_int8_t dws;
7654 int copyback = 0;
7655
7656 /*
7657 * Only the first 8 bytes of the TCP header can be
7658 * expected. Don't access any TCP header fields after
7659 * th_seq, an ackskew test is not possible.
7660 */
7661 if (!pf_pull_hdr(pbuf, off2, &th, 8, NULL, reason,
7662 pd2.af)) {
7663 DPFPRINTF(PF_DEBUG_MISC,
7664 ("pf: ICMP error message too short "
7665 "(tcp)\n"));
7666 return (PF_DROP);
7667 }
7668
7669 key.proto = IPPROTO_TCP;
7670 key.af_gwy = pd2.af;
7671 PF_ACPY(&key.ext_gwy.addr, pd2.dst, key.af_gwy);
7672 PF_ACPY(&key.gwy.addr, pd2.src, key.af_gwy);
7673 key.ext_gwy.xport.port = th.th_dport;
7674 key.gwy.xport.port = th.th_sport;
7675
7676 key.af_lan = pd2.af;
7677 PF_ACPY(&key.lan.addr, pd2.dst, key.af_lan);
7678 PF_ACPY(&key.ext_lan.addr, pd2.src, key.af_lan);
7679 key.lan.xport.port = th.th_dport;
7680 key.ext_lan.xport.port = th.th_sport;
7681
7682 STATE_LOOKUP();
7683
7684 sk = (*state)->state_key;
7685 if ((direction == sk->direction) &&
7686 ((sk->af_lan == sk->af_gwy) ||
7687 (pd2.af == sk->af_lan))) {
7688 src = &(*state)->dst;
7689 dst = &(*state)->src;
7690 } else {
7691 src = &(*state)->src;
7692 dst = &(*state)->dst;
7693 }
7694
7695 if (src->wscale && (dst->wscale & PF_WSCALE_FLAG))
7696 dws = dst->wscale & PF_WSCALE_MASK;
7697 else
7698 dws = TCP_MAX_WINSHIFT;
7699
7700 /* Demodulate sequence number */
7701 seq = ntohl(th.th_seq) - src->seqdiff;
7702 if (src->seqdiff) {
7703 pf_change_a(&th.th_seq, icmpsum,
7704 htonl(seq), 0);
7705 copyback = 1;
7706 }
7707
7708 if (!SEQ_GEQ(src->seqhi, seq) ||
7709 !SEQ_GEQ(seq,
7710 src->seqlo - ((u_int32_t)dst->max_win << dws))) {
7711 if (pf_status.debug >= PF_DEBUG_MISC) {
7712 printf("pf: BAD ICMP %d:%d ",
7713 icmptype, pd->hdr.icmp->icmp_code);
7714 pf_print_host(pd->src, 0, pd->af);
7715 printf(" -> ");
7716 pf_print_host(pd->dst, 0, pd->af);
7717 printf(" state: ");
7718 pf_print_state(*state);
7719 printf(" seq=%u\n", seq);
7720 }
7721 REASON_SET(reason, PFRES_BADSTATE);
7722 return (PF_DROP);
7723 }
7724
7725 pd->naf = pd2.naf = (pd2.af == sk->af_lan) ?
7726 sk->af_gwy : sk->af_lan;
7727
7728 if (STATE_TRANSLATE(sk)) {
7729 /* NAT64 case */
7730 if (sk->af_lan != sk->af_gwy) {
7731 struct pf_state_host *saddr2, *daddr2;
7732
7733 if (pd2.naf == sk->af_lan) {
7734 saddr2 = &sk->lan;
7735 daddr2 = &sk->ext_lan;
7736 } else {
7737 saddr2 = &sk->ext_gwy;
7738 daddr2 = &sk->gwy;
7739 }
7740
7741 /* translate ICMP message types and codes */
7742 if (pf_translate_icmp_af(pd->naf,
7743 pd->hdr.icmp))
7744 return (PF_DROP);
7745
7746 if (pf_lazy_makewritable(pd, pbuf,
7747 off2 + 8) == NULL)
7748 return (PF_DROP);
7749
7750 pbuf_copy_back(pbuf, pd->off,
7751 sizeof(struct icmp6_hdr),
7752 pd->hdr.icmp6);
7753
7754 /*
7755 * translate inner ip header within the
7756 * ICMP message
7757 */
7758 if (pf_change_icmp_af(pbuf, ipoff2, pd,
7759 &pd2, &saddr2->addr, &daddr2->addr,
7760 pd->af, pd->naf))
7761 return (PF_DROP);
7762
7763 if (pd->naf == AF_INET)
7764 pd->proto = IPPROTO_ICMP;
7765 else
7766 pd->proto = IPPROTO_ICMPV6;
7767
7768 /*
7769 * translate inner tcp header within
7770 * the ICMP message
7771 */
7772 pf_change_ap(direction, NULL, pd2.src,
7773 &th.th_sport, pd2.ip_sum,
7774 &th.th_sum, &daddr2->addr,
7775 saddr2->xport.port, 0, pd2.af,
7776 pd2.naf, 0);
7777
7778 pf_change_ap(direction, NULL, pd2.dst,
7779 &th.th_dport, pd2.ip_sum,
7780 &th.th_sum, &saddr2->addr,
7781 daddr2->xport.port, 0, pd2.af,
7782 pd2.naf, 0);
7783
7784 pbuf_copy_back(pbuf, pd2.off, 8, &th);
7785
7786 /* translate outer ip header */
7787 PF_ACPY(&pd->naddr, &daddr2->addr,
7788 pd->naf);
7789 PF_ACPY(&pd->ndaddr, &saddr2->addr,
7790 pd->naf);
7791 if (pd->af == AF_INET) {
7792 memcpy(&pd->naddr.addr32[3],
7793 &srcv4_inaddr,
7794 sizeof(pd->naddr.addr32[3]));
7795 return (pf_nat64_ipv4(pbuf, off,
7796 pd));
7797 } else {
7798 return (pf_nat64_ipv6(pbuf, off,
7799 pd));
7800 }
7801 }
7802 if (direction == PF_IN) {
7803 pf_change_icmp(pd2.src, &th.th_sport,
7804 daddr, &sk->lan.addr,
7805 sk->lan.xport.port, NULL,
7806 pd2.ip_sum, icmpsum,
7807 pd->ip_sum, 0, pd2.af);
7808 } else {
7809 pf_change_icmp(pd2.dst, &th.th_dport,
7810 saddr, &sk->gwy.addr,
7811 sk->gwy.xport.port, NULL,
7812 pd2.ip_sum, icmpsum,
7813 pd->ip_sum, 0, pd2.af);
7814 }
7815 copyback = 1;
7816 }
7817
7818 if (copyback) {
7819 if (pf_lazy_makewritable(pd, pbuf, off2 + 8) ==
7820 NULL)
7821 return (PF_DROP);
7822 switch (pd2.af) {
7823 #if INET
7824 case AF_INET:
7825 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
7826 pd->hdr.icmp);
7827 pbuf_copy_back(pbuf, ipoff2, sizeof(h2),
7828 &h2);
7829 break;
7830 #endif /* INET */
7831 #if INET6
7832 case AF_INET6:
7833 pbuf_copy_back(pbuf, off,
7834 sizeof (struct icmp6_hdr),
7835 pd->hdr.icmp6);
7836 pbuf_copy_back(pbuf, ipoff2,
7837 sizeof (h2_6), &h2_6);
7838 break;
7839 #endif /* INET6 */
7840 }
7841 pbuf_copy_back(pbuf, off2, 8, &th);
7842 }
7843
7844 return (PF_PASS);
7845 }
7846 case IPPROTO_UDP: {
7847 struct udphdr uh;
7848 int dx, action;
7849 if (!pf_pull_hdr(pbuf, off2, &uh, sizeof (uh),
7850 NULL, reason, pd2.af)) {
7851 DPFPRINTF(PF_DEBUG_MISC,
7852 ("pf: ICMP error message too short "
7853 "(udp)\n"));
7854 return (PF_DROP);
7855 }
7856
7857 key.af_gwy = pd2.af;
7858 PF_ACPY(&key.ext_gwy.addr, pd2.dst, key.af_gwy);
7859 PF_ACPY(&key.gwy.addr, pd2.src, key.af_gwy);
7860 key.ext_gwy.xport.port = uh.uh_dport;
7861 key.gwy.xport.port = uh.uh_sport;
7862
7863 key.af_lan = pd2.af;
7864 PF_ACPY(&key.lan.addr, pd2.dst, key.af_lan);
7865 PF_ACPY(&key.ext_lan.addr, pd2.src, key.af_lan);
7866 key.lan.xport.port = uh.uh_dport;
7867 key.ext_lan.xport.port = uh.uh_sport;
7868
7869 key.proto = IPPROTO_UDP;
7870 key.proto_variant = PF_EXTFILTER_APD;
7871 dx = direction;
7872
7873 if (ntohs(uh.uh_sport) == PF_IKE_PORT &&
7874 ntohs(uh.uh_dport) == PF_IKE_PORT) {
7875 struct pf_ike_hdr ike;
7876 size_t plen = pbuf->pb_packet_len - off2 -
7877 sizeof (uh);
7878 if (direction == PF_IN &&
7879 plen < 8 /* PF_IKE_PACKET_MINSIZE */) {
7880 DPFPRINTF(PF_DEBUG_MISC, ("pf: "
7881 "ICMP error, embedded IKE message "
7882 "too small.\n"));
7883 return (PF_DROP);
7884 }
7885
7886 if (plen > sizeof (ike))
7887 plen = sizeof (ike);
7888 pbuf_copy_data(pbuf, off + sizeof (uh), plen,
7889 &ike);
7890
7891 key.app_state = &as;
7892 as.compare_lan_ext = pf_ike_compare;
7893 as.compare_ext_gwy = pf_ike_compare;
7894 as.u.ike.cookie = ike.initiator_cookie;
7895 }
7896
7897 *state = pf_find_state(kif, &key, dx);
7898
7899 if (key.app_state && *state == 0) {
7900 key.app_state = 0;
7901 *state = pf_find_state(kif, &key, dx);
7902 }
7903
7904 if (*state == 0) {
7905 key.proto_variant = PF_EXTFILTER_AD;
7906 *state = pf_find_state(kif, &key, dx);
7907 }
7908
7909 if (*state == 0) {
7910 key.proto_variant = PF_EXTFILTER_EI;
7911 *state = pf_find_state(kif, &key, dx);
7912 }
7913
7914 /* similar to STATE_LOOKUP() */
7915 if (*state != NULL && pd != NULL &&
7916 !(pd->pktflags & PKTF_FLOW_ID)) {
7917 pd->flowsrc = (*state)->state_key->flowsrc;
7918 pd->flowhash = (*state)->state_key->flowhash;
7919 if (pd->flowhash != 0) {
7920 pd->pktflags |= PKTF_FLOW_ID;
7921 pd->pktflags &= ~PKTF_FLOW_ADV;
7922 }
7923 }
7924
7925 if (pf_state_lookup_aux(state, kif, direction, &action))
7926 return (action);
7927
7928 sk = (*state)->state_key;
7929 pd->naf = pd2.naf = (pd2.af == sk->af_lan) ?
7930 sk->af_gwy : sk->af_lan;
7931
7932 if (STATE_TRANSLATE(sk)) {
7933 /* NAT64 case */
7934 if (sk->af_lan != sk->af_gwy) {
7935 struct pf_state_host *saddr2, *daddr2;
7936
7937 if (pd2.naf == sk->af_lan) {
7938 saddr2 = &sk->lan;
7939 daddr2 = &sk->ext_lan;
7940 } else {
7941 saddr2 = &sk->ext_gwy;
7942 daddr2 = &sk->gwy;
7943 }
7944
7945 /* translate ICMP message */
7946 if (pf_translate_icmp_af(pd->naf,
7947 pd->hdr.icmp))
7948 return (PF_DROP);
7949 if (pf_lazy_makewritable(pd, pbuf,
7950 off2 + 8) == NULL)
7951 return (PF_DROP);
7952
7953 pbuf_copy_back(pbuf, pd->off,
7954 sizeof(struct icmp6_hdr),
7955 pd->hdr.icmp6);
7956
7957 /*
7958 * translate inner ip header within the
7959 * ICMP message
7960 */
7961 if (pf_change_icmp_af(pbuf, ipoff2, pd,
7962 &pd2, &saddr2->addr, &daddr2->addr,
7963 pd->af, pd->naf))
7964 return (PF_DROP);
7965
7966 if (pd->naf == AF_INET)
7967 pd->proto = IPPROTO_ICMP;
7968 else
7969 pd->proto = IPPROTO_ICMPV6;
7970
7971 /*
7972 * translate inner udp header within
7973 * the ICMP message
7974 */
7975 pf_change_ap(direction, NULL, pd2.src,
7976 &uh.uh_sport, pd2.ip_sum,
7977 &uh.uh_sum, &daddr2->addr,
7978 saddr2->xport.port, 0, pd2.af,
7979 pd2.naf, 0);
7980
7981 pf_change_ap(direction, NULL, pd2.dst,
7982 &uh.uh_dport, pd2.ip_sum,
7983 &uh.uh_sum, &saddr2->addr,
7984 daddr2->xport.port, 0, pd2.af,
7985 pd2.naf, 0);
7986
7987 pbuf_copy_back(pbuf, pd2.off,
7988 sizeof(uh), &uh);
7989
7990 /* translate outer ip header */
7991 PF_ACPY(&pd->naddr, &daddr2->addr,
7992 pd->naf);
7993 PF_ACPY(&pd->ndaddr, &saddr2->addr,
7994 pd->naf);
7995 if (pd->af == AF_INET) {
7996 memcpy(&pd->naddr.addr32[3],
7997 &srcv4_inaddr,
7998 sizeof(pd->naddr.addr32[3]));
7999 return (pf_nat64_ipv4(pbuf, off,
8000 pd));
8001 } else {
8002 return (pf_nat64_ipv6(pbuf, off,
8003 pd));
8004 }
8005 }
8006 if (direction == PF_IN) {
8007 pf_change_icmp(pd2.src, &uh.uh_sport,
8008 daddr, &sk->lan.addr,
8009 sk->lan.xport.port, &uh.uh_sum,
8010 pd2.ip_sum, icmpsum,
8011 pd->ip_sum, 1, pd2.af);
8012 } else {
8013 pf_change_icmp(pd2.dst, &uh.uh_dport,
8014 saddr, &sk->gwy.addr,
8015 sk->gwy.xport.port, &uh.uh_sum,
8016 pd2.ip_sum, icmpsum,
8017 pd->ip_sum, 1, pd2.af);
8018 }
8019 if (pf_lazy_makewritable(pd, pbuf,
8020 off2 + sizeof (uh)) == NULL)
8021 return (PF_DROP);
8022 switch (pd2.af) {
8023 #if INET
8024 case AF_INET:
8025 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
8026 pd->hdr.icmp);
8027 pbuf_copy_back(pbuf, ipoff2,
8028 sizeof (h2), &h2);
8029 break;
8030 #endif /* INET */
8031 #if INET6
8032 case AF_INET6:
8033 pbuf_copy_back(pbuf, off,
8034 sizeof (struct icmp6_hdr),
8035 pd->hdr.icmp6);
8036 pbuf_copy_back(pbuf, ipoff2,
8037 sizeof (h2_6), &h2_6);
8038 break;
8039 #endif /* INET6 */
8040 }
8041 pbuf_copy_back(pbuf, off2, sizeof (uh), &uh);
8042 }
8043
8044 return (PF_PASS);
8045 }
8046 #if INET
8047 case IPPROTO_ICMP: {
8048 struct icmp iih;
8049
8050 if (!pf_pull_hdr(pbuf, off2, &iih, ICMP_MINLEN,
8051 NULL, reason, pd2.af)) {
8052 DPFPRINTF(PF_DEBUG_MISC,
8053 ("pf: ICMP error message too short i"
8054 "(icmp)\n"));
8055 return (PF_DROP);
8056 }
8057
8058 key.proto = IPPROTO_ICMP;
8059 if (direction == PF_IN) {
8060 key.af_gwy = pd2.af;
8061 PF_ACPY(&key.ext_gwy.addr, pd2.dst, key.af_gwy);
8062 PF_ACPY(&key.gwy.addr, pd2.src, key.af_gwy);
8063 key.ext_gwy.xport.port = 0;
8064 key.gwy.xport.port = iih.icmp_id;
8065 } else {
8066 key.af_lan = pd2.af;
8067 PF_ACPY(&key.lan.addr, pd2.dst, key.af_lan);
8068 PF_ACPY(&key.ext_lan.addr, pd2.src, key.af_lan);
8069 key.lan.xport.port = iih.icmp_id;
8070 key.ext_lan.xport.port = 0;
8071 }
8072
8073 STATE_LOOKUP();
8074
8075 sk = (*state)->state_key;
8076 if (STATE_TRANSLATE(sk)) {
8077 if (direction == PF_IN) {
8078 pf_change_icmp(pd2.src, &iih.icmp_id,
8079 daddr, &sk->lan.addr,
8080 sk->lan.xport.port, NULL,
8081 pd2.ip_sum, icmpsum,
8082 pd->ip_sum, 0, AF_INET);
8083 } else {
8084 pf_change_icmp(pd2.dst, &iih.icmp_id,
8085 saddr, &sk->gwy.addr,
8086 sk->gwy.xport.port, NULL,
8087 pd2.ip_sum, icmpsum,
8088 pd->ip_sum, 0, AF_INET);
8089 }
8090 if (pf_lazy_makewritable(pd, pbuf,
8091 off2 + ICMP_MINLEN) == NULL)
8092 return (PF_DROP);
8093 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
8094 pd->hdr.icmp);
8095 pbuf_copy_back(pbuf, ipoff2, sizeof (h2), &h2);
8096 pbuf_copy_back(pbuf, off2, ICMP_MINLEN, &iih);
8097 }
8098
8099 return (PF_PASS);
8100 }
8101 #endif /* INET */
8102 #if INET6
8103 case IPPROTO_ICMPV6: {
8104 struct icmp6_hdr iih;
8105
8106 if (!pf_pull_hdr(pbuf, off2, &iih,
8107 sizeof (struct icmp6_hdr), NULL, reason, pd2.af)) {
8108 DPFPRINTF(PF_DEBUG_MISC,
8109 ("pf: ICMP error message too short "
8110 "(icmp6)\n"));
8111 return (PF_DROP);
8112 }
8113
8114 key.proto = IPPROTO_ICMPV6;
8115 if (direction == PF_IN) {
8116 key.af_gwy = pd2.af;
8117 PF_ACPY(&key.ext_gwy.addr, pd2.dst, key.af_gwy);
8118 PF_ACPY(&key.gwy.addr, pd2.src, key.af_gwy);
8119 key.ext_gwy.xport.port = 0;
8120 key.gwy.xport.port = iih.icmp6_id;
8121 } else {
8122 key.af_lan = pd2.af;
8123 PF_ACPY(&key.lan.addr, pd2.dst, key.af_lan);
8124 PF_ACPY(&key.ext_lan.addr, pd2.src, key.af_lan);
8125 key.lan.xport.port = iih.icmp6_id;
8126 key.ext_lan.xport.port = 0;
8127 }
8128
8129 STATE_LOOKUP();
8130
8131 sk = (*state)->state_key;
8132 if (STATE_TRANSLATE(sk)) {
8133 if (direction == PF_IN) {
8134 pf_change_icmp(pd2.src, &iih.icmp6_id,
8135 daddr, &sk->lan.addr,
8136 sk->lan.xport.port, NULL,
8137 pd2.ip_sum, icmpsum,
8138 pd->ip_sum, 0, AF_INET6);
8139 } else {
8140 pf_change_icmp(pd2.dst, &iih.icmp6_id,
8141 saddr, &sk->gwy.addr,
8142 sk->gwy.xport.port, NULL,
8143 pd2.ip_sum, icmpsum,
8144 pd->ip_sum, 0, AF_INET6);
8145 }
8146 if (pf_lazy_makewritable(pd, pbuf, off2 +
8147 sizeof (struct icmp6_hdr)) == NULL)
8148 return (PF_DROP);
8149 pbuf_copy_back(pbuf, off,
8150 sizeof (struct icmp6_hdr), pd->hdr.icmp6);
8151 pbuf_copy_back(pbuf, ipoff2, sizeof (h2_6),
8152 &h2_6);
8153 pbuf_copy_back(pbuf, off2,
8154 sizeof (struct icmp6_hdr), &iih);
8155 }
8156
8157 return (PF_PASS);
8158 }
8159 #endif /* INET6 */
8160 default: {
8161 key.proto = pd2.proto;
8162 if (direction == PF_IN) {
8163 key.af_gwy = pd2.af;
8164 PF_ACPY(&key.ext_gwy.addr, pd2.dst, key.af_gwy);
8165 PF_ACPY(&key.gwy.addr, pd2.src, key.af_gwy);
8166 key.ext_gwy.xport.port = 0;
8167 key.gwy.xport.port = 0;
8168 } else {
8169 key.af_lan = pd2.af;
8170 PF_ACPY(&key.lan.addr, pd2.dst, key.af_lan);
8171 PF_ACPY(&key.ext_lan.addr, pd2.src, key.af_lan);
8172 key.lan.xport.port = 0;
8173 key.ext_lan.xport.port = 0;
8174 }
8175
8176 STATE_LOOKUP();
8177
8178 sk = (*state)->state_key;
8179 if (STATE_TRANSLATE(sk)) {
8180 if (direction == PF_IN) {
8181 pf_change_icmp(pd2.src, NULL, daddr,
8182 &sk->lan.addr, 0, NULL,
8183 pd2.ip_sum, icmpsum,
8184 pd->ip_sum, 0, pd2.af);
8185 } else {
8186 pf_change_icmp(pd2.dst, NULL, saddr,
8187 &sk->gwy.addr, 0, NULL,
8188 pd2.ip_sum, icmpsum,
8189 pd->ip_sum, 0, pd2.af);
8190 }
8191 switch (pd2.af) {
8192 #if INET
8193 case AF_INET:
8194 if (pf_lazy_makewritable(pd, pbuf,
8195 ipoff2 + sizeof (h2)) == NULL)
8196 return (PF_DROP);
8197 /*
8198 * <XXXSCW>
8199 * Xnu was missing the following...
8200 */
8201 pbuf_copy_back(pbuf, off, ICMP_MINLEN,
8202 pd->hdr.icmp);
8203 pbuf_copy_back(pbuf, ipoff2,
8204 sizeof(h2), &h2);
8205 break;
8206 /*
8207 * </XXXSCW>
8208 */
8209 #endif /* INET */
8210 #if INET6
8211 case AF_INET6:
8212 if (pf_lazy_makewritable(pd, pbuf,
8213 ipoff2 + sizeof (h2_6)) == NULL)
8214 return (PF_DROP);
8215 pbuf_copy_back(pbuf, off,
8216 sizeof (struct icmp6_hdr),
8217 pd->hdr.icmp6);
8218 pbuf_copy_back(pbuf, ipoff2,
8219 sizeof (h2_6), &h2_6);
8220 break;
8221 #endif /* INET6 */
8222 }
8223 }
8224
8225 return (PF_PASS);
8226 }
8227 }
8228 }
8229 }
8230
8231 static int
8232 pf_test_state_grev1(struct pf_state **state, int direction,
8233 struct pfi_kif *kif, int off, struct pf_pdesc *pd)
8234 {
8235 struct pf_state_peer *src;
8236 struct pf_state_peer *dst;
8237 struct pf_state_key_cmp key;
8238 struct pf_grev1_hdr *grev1 = pd->hdr.grev1;
8239
8240 key.app_state = 0;
8241 key.proto = IPPROTO_GRE;
8242 key.proto_variant = PF_GRE_PPTP_VARIANT;
8243 if (direction == PF_IN) {
8244 key.af_gwy = pd->af;
8245 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
8246 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
8247 key.gwy.xport.call_id = grev1->call_id;
8248 } else {
8249 key.af_lan = pd->af;
8250 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
8251 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
8252 key.ext_lan.xport.call_id = grev1->call_id;
8253 }
8254
8255 STATE_LOOKUP();
8256
8257 if (direction == (*state)->state_key->direction) {
8258 src = &(*state)->src;
8259 dst = &(*state)->dst;
8260 } else {
8261 src = &(*state)->dst;
8262 dst = &(*state)->src;
8263 }
8264
8265 /* update states */
8266 if (src->state < PFGRE1S_INITIATING)
8267 src->state = PFGRE1S_INITIATING;
8268
8269 /* update expire time */
8270 (*state)->expire = pf_time_second();
8271 if (src->state >= PFGRE1S_INITIATING &&
8272 dst->state >= PFGRE1S_INITIATING) {
8273 if ((*state)->timeout != PFTM_TCP_ESTABLISHED)
8274 (*state)->timeout = PFTM_GREv1_ESTABLISHED;
8275 src->state = PFGRE1S_ESTABLISHED;
8276 dst->state = PFGRE1S_ESTABLISHED;
8277 } else {
8278 (*state)->timeout = PFTM_GREv1_INITIATING;
8279 }
8280
8281 if ((*state)->state_key->app_state)
8282 (*state)->state_key->app_state->u.grev1.pptp_state->expire =
8283 pf_time_second();
8284
8285 /* translate source/destination address, if necessary */
8286 if (STATE_GRE_TRANSLATE((*state)->state_key)) {
8287 if (direction == PF_OUT) {
8288 switch (pd->af) {
8289 #if INET
8290 case AF_INET:
8291 pf_change_a(&pd->src->v4addr.s_addr,
8292 pd->ip_sum,
8293 (*state)->state_key->gwy.addr.v4addr.s_addr, 0);
8294 break;
8295 #endif /* INET */
8296 #if INET6
8297 case AF_INET6:
8298 PF_ACPY(pd->src, &(*state)->state_key->gwy.addr,
8299 pd->af);
8300 break;
8301 #endif /* INET6 */
8302 }
8303 } else {
8304 grev1->call_id = (*state)->state_key->lan.xport.call_id;
8305
8306 switch (pd->af) {
8307 #if INET
8308 case AF_INET:
8309 pf_change_a(&pd->dst->v4addr.s_addr,
8310 pd->ip_sum,
8311 (*state)->state_key->lan.addr.v4addr.s_addr, 0);
8312 break;
8313 #endif /* INET */
8314 #if INET6
8315 case AF_INET6:
8316 PF_ACPY(pd->dst, &(*state)->state_key->lan.addr,
8317 pd->af);
8318 break;
8319 #endif /* INET6 */
8320 }
8321 }
8322
8323 if (pf_lazy_makewritable(pd, pd->mp, off + sizeof (*grev1)) ==
8324 NULL)
8325 return (PF_DROP);
8326 pbuf_copy_back(pd->mp, off, sizeof (*grev1), grev1);
8327 }
8328
8329 return (PF_PASS);
8330 }
8331
8332 static int
8333 pf_test_state_esp(struct pf_state **state, int direction, struct pfi_kif *kif,
8334 int off, struct pf_pdesc *pd)
8335 {
8336 #pragma unused(off)
8337 struct pf_state_peer *src;
8338 struct pf_state_peer *dst;
8339 struct pf_state_key_cmp key;
8340 struct pf_esp_hdr *esp = pd->hdr.esp;
8341 int action;
8342
8343 memset(&key, 0, sizeof (key));
8344 key.proto = IPPROTO_ESP;
8345 if (direction == PF_IN) {
8346 key.af_gwy = pd->af;
8347 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
8348 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
8349 key.gwy.xport.spi = esp->spi;
8350 } else {
8351 key.af_lan = pd->af;
8352 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
8353 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
8354 key.ext_lan.xport.spi = esp->spi;
8355 }
8356
8357 *state = pf_find_state(kif, &key, direction);
8358
8359 if (*state == 0) {
8360 struct pf_state *s;
8361
8362 /*
8363 * <jhw@apple.com>
8364 * No matching state. Look for a blocking state. If we find
8365 * one, then use that state and move it so that it's keyed to
8366 * the SPI in the current packet.
8367 */
8368 if (direction == PF_IN) {
8369 key.gwy.xport.spi = 0;
8370
8371 s = pf_find_state(kif, &key, direction);
8372 if (s) {
8373 struct pf_state_key *sk = s->state_key;
8374
8375 RB_REMOVE(pf_state_tree_ext_gwy,
8376 &pf_statetbl_ext_gwy, sk);
8377 sk->lan.xport.spi = sk->gwy.xport.spi =
8378 esp->spi;
8379
8380 if (RB_INSERT(pf_state_tree_ext_gwy,
8381 &pf_statetbl_ext_gwy, sk))
8382 pf_detach_state(s, PF_DT_SKIP_EXTGWY);
8383 else
8384 *state = s;
8385 }
8386 } else {
8387 key.ext_lan.xport.spi = 0;
8388
8389 s = pf_find_state(kif, &key, direction);
8390 if (s) {
8391 struct pf_state_key *sk = s->state_key;
8392
8393 RB_REMOVE(pf_state_tree_lan_ext,
8394 &pf_statetbl_lan_ext, sk);
8395 sk->ext_lan.xport.spi = esp->spi;
8396
8397 if (RB_INSERT(pf_state_tree_lan_ext,
8398 &pf_statetbl_lan_ext, sk))
8399 pf_detach_state(s, PF_DT_SKIP_LANEXT);
8400 else
8401 *state = s;
8402 }
8403 }
8404
8405 if (s) {
8406 if (*state == 0) {
8407 #if NPFSYNC
8408 if (s->creatorid == pf_status.hostid)
8409 pfsync_delete_state(s);
8410 #endif
8411 s->timeout = PFTM_UNLINKED;
8412 hook_runloop(&s->unlink_hooks,
8413 HOOK_REMOVE|HOOK_FREE);
8414 pf_src_tree_remove_state(s);
8415 pf_free_state(s);
8416 return (PF_DROP);
8417 }
8418 }
8419 }
8420
8421 /* similar to STATE_LOOKUP() */
8422 if (*state != NULL && pd != NULL && !(pd->pktflags & PKTF_FLOW_ID)) {
8423 pd->flowsrc = (*state)->state_key->flowsrc;
8424 pd->flowhash = (*state)->state_key->flowhash;
8425 if (pd->flowhash != 0) {
8426 pd->pktflags |= PKTF_FLOW_ID;
8427 pd->pktflags &= ~PKTF_FLOW_ADV;
8428 }
8429 }
8430
8431 if (pf_state_lookup_aux(state, kif, direction, &action))
8432 return (action);
8433
8434 if (direction == (*state)->state_key->direction) {
8435 src = &(*state)->src;
8436 dst = &(*state)->dst;
8437 } else {
8438 src = &(*state)->dst;
8439 dst = &(*state)->src;
8440 }
8441
8442 /* update states */
8443 if (src->state < PFESPS_INITIATING)
8444 src->state = PFESPS_INITIATING;
8445
8446 /* update expire time */
8447 (*state)->expire = pf_time_second();
8448 if (src->state >= PFESPS_INITIATING &&
8449 dst->state >= PFESPS_INITIATING) {
8450 (*state)->timeout = PFTM_ESP_ESTABLISHED;
8451 src->state = PFESPS_ESTABLISHED;
8452 dst->state = PFESPS_ESTABLISHED;
8453 } else {
8454 (*state)->timeout = PFTM_ESP_INITIATING;
8455 }
8456 /* translate source/destination address, if necessary */
8457 if (STATE_ADDR_TRANSLATE((*state)->state_key)) {
8458 if (direction == PF_OUT) {
8459 switch (pd->af) {
8460 #if INET
8461 case AF_INET:
8462 pf_change_a(&pd->src->v4addr.s_addr,
8463 pd->ip_sum,
8464 (*state)->state_key->gwy.addr.v4addr.s_addr, 0);
8465 break;
8466 #endif /* INET */
8467 #if INET6
8468 case AF_INET6:
8469 PF_ACPY(pd->src, &(*state)->state_key->gwy.addr,
8470 pd->af);
8471 break;
8472 #endif /* INET6 */
8473 }
8474 } else {
8475 switch (pd->af) {
8476 #if INET
8477 case AF_INET:
8478 pf_change_a(&pd->dst->v4addr.s_addr,
8479 pd->ip_sum,
8480 (*state)->state_key->lan.addr.v4addr.s_addr, 0);
8481 break;
8482 #endif /* INET */
8483 #if INET6
8484 case AF_INET6:
8485 PF_ACPY(pd->dst, &(*state)->state_key->lan.addr,
8486 pd->af);
8487 break;
8488 #endif /* INET6 */
8489 }
8490 }
8491 }
8492
8493 return (PF_PASS);
8494 }
8495
8496 static int
8497 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
8498 struct pf_pdesc *pd)
8499 {
8500 struct pf_state_peer *src, *dst;
8501 struct pf_state_key_cmp key;
8502
8503 key.app_state = 0;
8504 key.proto = pd->proto;
8505 if (direction == PF_IN) {
8506 key.af_gwy = pd->af;
8507 PF_ACPY(&key.ext_gwy.addr, pd->src, key.af_gwy);
8508 PF_ACPY(&key.gwy.addr, pd->dst, key.af_gwy);
8509 key.ext_gwy.xport.port = 0;
8510 key.gwy.xport.port = 0;
8511 } else {
8512 key.af_lan = pd->af;
8513 PF_ACPY(&key.lan.addr, pd->src, key.af_lan);
8514 PF_ACPY(&key.ext_lan.addr, pd->dst, key.af_lan);
8515 key.lan.xport.port = 0;
8516 key.ext_lan.xport.port = 0;
8517 }
8518
8519 STATE_LOOKUP();
8520
8521 if (direction == (*state)->state_key->direction) {
8522 src = &(*state)->src;
8523 dst = &(*state)->dst;
8524 } else {
8525 src = &(*state)->dst;
8526 dst = &(*state)->src;
8527 }
8528
8529 /* update states */
8530 if (src->state < PFOTHERS_SINGLE)
8531 src->state = PFOTHERS_SINGLE;
8532 if (dst->state == PFOTHERS_SINGLE)
8533 dst->state = PFOTHERS_MULTIPLE;
8534
8535 /* update expire time */
8536 (*state)->expire = pf_time_second();
8537 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE)
8538 (*state)->timeout = PFTM_OTHER_MULTIPLE;
8539 else
8540 (*state)->timeout = PFTM_OTHER_SINGLE;
8541
8542 /* translate source/destination address, if necessary */
8543 if (STATE_ADDR_TRANSLATE((*state)->state_key)) {
8544 if (direction == PF_OUT) {
8545 switch (pd->af) {
8546 #if INET
8547 case AF_INET:
8548 pf_change_a(&pd->src->v4addr.s_addr,
8549 pd->ip_sum,
8550 (*state)->state_key->gwy.addr.v4addr.s_addr,
8551 0);
8552 break;
8553 #endif /* INET */
8554 #if INET6
8555 case AF_INET6:
8556 PF_ACPY(pd->src,
8557 &(*state)->state_key->gwy.addr, pd->af);
8558 break;
8559 #endif /* INET6 */
8560 }
8561 } else {
8562 switch (pd->af) {
8563 #if INET
8564 case AF_INET:
8565 pf_change_a(&pd->dst->v4addr.s_addr,
8566 pd->ip_sum,
8567 (*state)->state_key->lan.addr.v4addr.s_addr,
8568 0);
8569 break;
8570 #endif /* INET */
8571 #if INET6
8572 case AF_INET6:
8573 PF_ACPY(pd->dst,
8574 &(*state)->state_key->lan.addr, pd->af);
8575 break;
8576 #endif /* INET6 */
8577 }
8578 }
8579 }
8580
8581 return (PF_PASS);
8582 }
8583
8584 /*
8585 * ipoff and off are measured from the start of the mbuf chain.
8586 * h must be at "ipoff" on the mbuf chain.
8587 */
8588 void *
8589 pf_pull_hdr(pbuf_t *pbuf, int off, void *p, int len,
8590 u_short *actionp, u_short *reasonp, sa_family_t af)
8591 {
8592 switch (af) {
8593 #if INET
8594 case AF_INET: {
8595 struct ip *h = pbuf->pb_data;
8596 u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3;
8597
8598 if (fragoff) {
8599 if (fragoff >= len) {
8600 ACTION_SET(actionp, PF_PASS);
8601 } else {
8602 ACTION_SET(actionp, PF_DROP);
8603 REASON_SET(reasonp, PFRES_FRAG);
8604 }
8605 return (NULL);
8606 }
8607 if (pbuf->pb_packet_len < (unsigned)(off + len) ||
8608 ntohs(h->ip_len) < off + len) {
8609 ACTION_SET(actionp, PF_DROP);
8610 REASON_SET(reasonp, PFRES_SHORT);
8611 return (NULL);
8612 }
8613 break;
8614 }
8615 #endif /* INET */
8616 #if INET6
8617 case AF_INET6: {
8618 struct ip6_hdr *h = pbuf->pb_data;
8619
8620 if (pbuf->pb_packet_len < (unsigned)(off + len) ||
8621 (ntohs(h->ip6_plen) + sizeof (struct ip6_hdr)) <
8622 (unsigned)(off + len)) {
8623 ACTION_SET(actionp, PF_DROP);
8624 REASON_SET(reasonp, PFRES_SHORT);
8625 return (NULL);
8626 }
8627 break;
8628 }
8629 #endif /* INET6 */
8630 }
8631 pbuf_copy_data(pbuf, off, len, p);
8632 return (p);
8633 }
8634
8635 int
8636 pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif)
8637 {
8638 #pragma unused(kif)
8639 struct sockaddr_in *dst;
8640 int ret = 1;
8641 #if INET6
8642 struct sockaddr_in6 *dst6;
8643 struct route_in6 ro;
8644 #else
8645 struct route ro;
8646 #endif
8647
8648 bzero(&ro, sizeof (ro));
8649 switch (af) {
8650 case AF_INET:
8651 dst = satosin(&ro.ro_dst);
8652 dst->sin_family = AF_INET;
8653 dst->sin_len = sizeof (*dst);
8654 dst->sin_addr = addr->v4addr;
8655 break;
8656 #if INET6
8657 case AF_INET6:
8658 dst6 = (struct sockaddr_in6 *)&ro.ro_dst;
8659 dst6->sin6_family = AF_INET6;
8660 dst6->sin6_len = sizeof (*dst6);
8661 dst6->sin6_addr = addr->v6addr;
8662 break;
8663 #endif /* INET6 */
8664 default:
8665 return (0);
8666 }
8667
8668 /* XXX: IFT_ENC is not currently used by anything*/
8669 /* Skip checks for ipsec interfaces */
8670 if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC)
8671 goto out;
8672
8673 /* XXX: what is the point of this? */
8674 rtalloc((struct route *)&ro);
8675
8676 out:
8677 ROUTE_RELEASE(&ro);
8678 return (ret);
8679 }
8680
8681 int
8682 pf_rtlabel_match(struct pf_addr *addr, sa_family_t af, struct pf_addr_wrap *aw)
8683 {
8684 #pragma unused(aw)
8685 struct sockaddr_in *dst;
8686 #if INET6
8687 struct sockaddr_in6 *dst6;
8688 struct route_in6 ro;
8689 #else
8690 struct route ro;
8691 #endif
8692 int ret = 0;
8693
8694 bzero(&ro, sizeof (ro));
8695 switch (af) {
8696 case AF_INET:
8697 dst = satosin(&ro.ro_dst);
8698 dst->sin_family = AF_INET;
8699 dst->sin_len = sizeof (*dst);
8700 dst->sin_addr = addr->v4addr;
8701 break;
8702 #if INET6
8703 case AF_INET6:
8704 dst6 = (struct sockaddr_in6 *)&ro.ro_dst;
8705 dst6->sin6_family = AF_INET6;
8706 dst6->sin6_len = sizeof (*dst6);
8707 dst6->sin6_addr = addr->v6addr;
8708 break;
8709 #endif /* INET6 */
8710 default:
8711 return (0);
8712 }
8713
8714 /* XXX: what is the point of this? */
8715 rtalloc((struct route *)&ro);
8716
8717 ROUTE_RELEASE(&ro);
8718
8719 return (ret);
8720 }
8721
8722 #if INET
8723 static void
8724 pf_route(pbuf_t **pbufp, struct pf_rule *r, int dir, struct ifnet *oifp,
8725 struct pf_state *s, struct pf_pdesc *pd)
8726 {
8727 #pragma unused(pd)
8728 struct mbuf *m0, *m1;
8729 struct route iproute;
8730 struct route *ro = &iproute;
8731 struct sockaddr_in *dst;
8732 struct ip *ip;
8733 struct ifnet *ifp = NULL;
8734 struct pf_addr naddr;
8735 struct pf_src_node *sn = NULL;
8736 int error = 0;
8737 uint32_t sw_csum;
8738
8739 bzero(&iproute, sizeof (iproute));
8740
8741 if (pbufp == NULL || !pbuf_is_valid(*pbufp) || r == NULL ||
8742 (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
8743 panic("pf_route: invalid parameters");
8744
8745 if (pd->pf_mtag->pftag_routed++ > 3) {
8746 pbuf_destroy(*pbufp);
8747 *pbufp = NULL;
8748 m0 = NULL;
8749 goto bad;
8750 }
8751
8752 /*
8753 * Since this is something of an edge case and may involve the
8754 * host stack (for routing, at least for now), we convert the
8755 * incoming pbuf into an mbuf.
8756 */
8757 if (r->rt == PF_DUPTO)
8758 m0 = pbuf_clone_to_mbuf(*pbufp);
8759 else
8760 if ((r->rt == PF_REPLYTO) == (r->direction == dir))
8761 return;
8762 else {
8763 /* We're going to consume this packet */
8764 m0 = pbuf_to_mbuf(*pbufp, TRUE);
8765 *pbufp = NULL;
8766 }
8767
8768 if (m0 == NULL)
8769 goto bad;
8770
8771 /* We now have the packet in an mbuf (m0) */
8772
8773 if (m0->m_len < (int)sizeof (struct ip)) {
8774 DPFPRINTF(PF_DEBUG_URGENT,
8775 ("pf_route: packet length < sizeof (struct ip)\n"));
8776 goto bad;
8777 }
8778
8779 ip = mtod(m0, struct ip *);
8780
8781 dst = satosin((void *)&ro->ro_dst);
8782 dst->sin_family = AF_INET;
8783 dst->sin_len = sizeof (*dst);
8784 dst->sin_addr = ip->ip_dst;
8785
8786 if (r->rt == PF_FASTROUTE) {
8787 rtalloc(ro);
8788 if (ro->ro_rt == NULL) {
8789 ipstat.ips_noroute++;
8790 goto bad;
8791 }
8792
8793 ifp = ro->ro_rt->rt_ifp;
8794 RT_LOCK(ro->ro_rt);
8795 ro->ro_rt->rt_use++;
8796
8797 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
8798 dst = satosin((void *)ro->ro_rt->rt_gateway);
8799 RT_UNLOCK(ro->ro_rt);
8800 } else {
8801 if (TAILQ_EMPTY(&r->rpool.list)) {
8802 DPFPRINTF(PF_DEBUG_URGENT,
8803 ("pf_route: TAILQ_EMPTY(&r->rpool.list)\n"));
8804 goto bad;
8805 }
8806 if (s == NULL) {
8807 pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
8808 &naddr, NULL, &sn);
8809 if (!PF_AZERO(&naddr, AF_INET))
8810 dst->sin_addr.s_addr = naddr.v4addr.s_addr;
8811 ifp = r->rpool.cur->kif ?
8812 r->rpool.cur->kif->pfik_ifp : NULL;
8813 } else {
8814 if (!PF_AZERO(&s->rt_addr, AF_INET))
8815 dst->sin_addr.s_addr =
8816 s->rt_addr.v4addr.s_addr;
8817 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
8818 }
8819 }
8820 if (ifp == NULL)
8821 goto bad;
8822
8823 if (oifp != ifp) {
8824 if (pf_test_mbuf(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS)
8825 goto bad;
8826 else if (m0 == NULL)
8827 goto done;
8828 if (m0->m_len < (int)sizeof (struct ip)) {
8829 DPFPRINTF(PF_DEBUG_URGENT,
8830 ("pf_route: packet length < sizeof (struct ip)\n"));
8831 goto bad;
8832 }
8833 ip = mtod(m0, struct ip *);
8834 }
8835
8836 /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */
8837 ip_output_checksum(ifp, m0, ((ip->ip_hl) << 2), ntohs(ip->ip_len),
8838 &sw_csum);
8839
8840 if (ntohs(ip->ip_len) <= ifp->if_mtu || TSO_IPV4_OK(ifp, m0) ||
8841 (!(ip->ip_off & htons(IP_DF)) &&
8842 (ifp->if_hwassist & CSUM_FRAGMENT))) {
8843 ip->ip_sum = 0;
8844 if (sw_csum & CSUM_DELAY_IP) {
8845 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
8846 sw_csum &= ~CSUM_DELAY_IP;
8847 m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_IP;
8848 }
8849 error = ifnet_output(ifp, PF_INET, m0, ro->ro_rt, sintosa(dst));
8850 goto done;
8851 }
8852
8853 /*
8854 * Too large for interface; fragment if possible.
8855 * Must be able to put at least 8 bytes per fragment.
8856 * Balk when DF bit is set or the interface didn't support TSO.
8857 */
8858 if ((ip->ip_off & htons(IP_DF)) ||
8859 (m0->m_pkthdr.csum_flags & CSUM_TSO_IPV4)) {
8860 ipstat.ips_cantfrag++;
8861 if (r->rt != PF_DUPTO) {
8862 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
8863 ifp->if_mtu);
8864 goto done;
8865 } else
8866 goto bad;
8867 }
8868
8869 m1 = m0;
8870
8871 /* PR-8933605: send ip_len,ip_off to ip_fragment in host byte order */
8872 #if BYTE_ORDER != BIG_ENDIAN
8873 NTOHS(ip->ip_off);
8874 NTOHS(ip->ip_len);
8875 #endif
8876 error = ip_fragment(m0, ifp, ifp->if_mtu, sw_csum);
8877
8878 if (error) {
8879 m0 = NULL;
8880 goto bad;
8881 }
8882
8883 for (m0 = m1; m0; m0 = m1) {
8884 m1 = m0->m_nextpkt;
8885 m0->m_nextpkt = 0;
8886 if (error == 0)
8887 error = ifnet_output(ifp, PF_INET, m0, ro->ro_rt,
8888 sintosa(dst));
8889 else
8890 m_freem(m0);
8891 }
8892
8893 if (error == 0)
8894 ipstat.ips_fragmented++;
8895
8896 done:
8897 ROUTE_RELEASE(&iproute);
8898 return;
8899
8900 bad:
8901 if (m0)
8902 m_freem(m0);
8903 goto done;
8904 }
8905 #endif /* INET */
8906
8907 #if INET6
8908 static void
8909 pf_route6(pbuf_t **pbufp, struct pf_rule *r, int dir, struct ifnet *oifp,
8910 struct pf_state *s, struct pf_pdesc *pd)
8911 {
8912 #pragma unused(pd)
8913 struct mbuf *m0;
8914 struct route_in6 ip6route;
8915 struct route_in6 *ro;
8916 struct sockaddr_in6 *dst;
8917 struct ip6_hdr *ip6;
8918 struct ifnet *ifp = NULL;
8919 struct pf_addr naddr;
8920 struct pf_src_node *sn = NULL;
8921 int error = 0;
8922
8923 if (pbufp == NULL || !pbuf_is_valid(*pbufp) || r == NULL ||
8924 (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
8925 panic("pf_route6: invalid parameters");
8926
8927 if (pd->pf_mtag->pftag_routed++ > 3) {
8928 pbuf_destroy(*pbufp);
8929 *pbufp = NULL;
8930 m0 = NULL;
8931 goto bad;
8932 }
8933
8934 /*
8935 * Since this is something of an edge case and may involve the
8936 * host stack (for routing, at least for now), we convert the
8937 * incoming pbuf into an mbuf.
8938 */
8939 if (r->rt == PF_DUPTO) {
8940 m0 = pbuf_clone_to_mbuf(*pbufp);
8941 } else
8942 if ((r->rt == PF_REPLYTO) == (r->direction == dir))
8943 return;
8944 else {
8945 /* We're about to consume this packet */
8946 m0 = pbuf_to_mbuf(*pbufp, TRUE);
8947 *pbufp = NULL;
8948 }
8949
8950 if (m0 == NULL)
8951 goto bad;
8952
8953 if (m0->m_len < (int)sizeof (struct ip6_hdr)) {
8954 DPFPRINTF(PF_DEBUG_URGENT,
8955 ("pf_route6: m0->m_len < sizeof (struct ip6_hdr)\n"));
8956 goto bad;
8957 }
8958 ip6 = mtod(m0, struct ip6_hdr *);
8959
8960 ro = &ip6route;
8961 bzero((caddr_t)ro, sizeof (*ro));
8962 dst = (struct sockaddr_in6 *)&ro->ro_dst;
8963 dst->sin6_family = AF_INET6;
8964 dst->sin6_len = sizeof (*dst);
8965 dst->sin6_addr = ip6->ip6_dst;
8966
8967 /* Cheat. XXX why only in the v6addr case??? */
8968 if (r->rt == PF_FASTROUTE) {
8969 struct pf_mtag *pf_mtag;
8970
8971 if ((pf_mtag = pf_get_mtag(m0)) == NULL)
8972 goto bad;
8973 pf_mtag->pftag_flags |= PF_TAG_GENERATED;
8974 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
8975 return;
8976 }
8977
8978 if (TAILQ_EMPTY(&r->rpool.list)) {
8979 DPFPRINTF(PF_DEBUG_URGENT,
8980 ("pf_route6: TAILQ_EMPTY(&r->rpool.list)\n"));
8981 goto bad;
8982 }
8983 if (s == NULL) {
8984 pf_map_addr(AF_INET6, r, (struct pf_addr *)(uintptr_t)&ip6->ip6_src,
8985 &naddr, NULL, &sn);
8986 if (!PF_AZERO(&naddr, AF_INET6))
8987 PF_ACPY((struct pf_addr *)&dst->sin6_addr,
8988 &naddr, AF_INET6);
8989 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
8990 } else {
8991 if (!PF_AZERO(&s->rt_addr, AF_INET6))
8992 PF_ACPY((struct pf_addr *)&dst->sin6_addr,
8993 &s->rt_addr, AF_INET6);
8994 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
8995 }
8996 if (ifp == NULL)
8997 goto bad;
8998
8999 if (oifp != ifp) {
9000 if (pf_test6_mbuf(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS)
9001 goto bad;
9002 else if (m0 == NULL)
9003 goto done;
9004 if (m0->m_len < (int)sizeof (struct ip6_hdr)) {
9005 DPFPRINTF(PF_DEBUG_URGENT, ("pf_route6: m0->m_len "
9006 "< sizeof (struct ip6_hdr)\n"));
9007 goto bad;
9008 }
9009 ip6 = mtod(m0, struct ip6_hdr *);
9010 }
9011
9012 /*
9013 * If the packet is too large for the outgoing interface,
9014 * send back an icmp6 error.
9015 */
9016 if (IN6_IS_SCOPE_EMBED(&dst->sin6_addr))
9017 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
9018 if ((unsigned)m0->m_pkthdr.len <= ifp->if_mtu) {
9019 error = nd6_output(ifp, ifp, m0, dst, NULL, NULL);
9020 } else {
9021 in6_ifstat_inc(ifp, ifs6_in_toobig);
9022 if (r->rt != PF_DUPTO)
9023 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
9024 else
9025 goto bad;
9026 }
9027
9028 done:
9029 return;
9030
9031 bad:
9032 if (m0)
9033 m_freem(m0);
9034 goto done;
9035 }
9036 #endif /* INET6 */
9037
9038
9039 /*
9040 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag
9041 * off is the offset where the protocol header starts
9042 * len is the total length of protocol header plus payload
9043 * returns 0 when the checksum is valid, otherwise returns 1.
9044 */
9045 static int
9046 pf_check_proto_cksum(pbuf_t *pbuf, int off, int len, u_int8_t p,
9047 sa_family_t af)
9048 {
9049 u_int16_t sum;
9050
9051 switch (p) {
9052 case IPPROTO_TCP:
9053 case IPPROTO_UDP:
9054 /*
9055 * Optimize for the common case; if the hardware calculated
9056 * value doesn't include pseudo-header checksum, or if it
9057 * is partially-computed (only 16-bit summation), do it in
9058 * software below.
9059 */
9060 if ((*pbuf->pb_csum_flags &
9061 (CSUM_DATA_VALID | CSUM_PSEUDO_HDR)) ==
9062 (CSUM_DATA_VALID | CSUM_PSEUDO_HDR) &&
9063 (*pbuf->pb_csum_data ^ 0xffff) == 0) {
9064 return (0);
9065 }
9066 break;
9067 case IPPROTO_ICMP:
9068 #if INET6
9069 case IPPROTO_ICMPV6:
9070 #endif /* INET6 */
9071 break;
9072 default:
9073 return (1);
9074 }
9075 if (off < (int)sizeof (struct ip) || len < (int)sizeof (struct udphdr))
9076 return (1);
9077 if (pbuf->pb_packet_len < (unsigned)(off + len))
9078 return (1);
9079 switch (af) {
9080 #if INET
9081 case AF_INET:
9082 if (p == IPPROTO_ICMP) {
9083 #if 0
9084 if (m->m_len < off)
9085 return (1);
9086 m->m_data += off;
9087 m->m_len -= off;
9088 sum = in_cksum(m, len);
9089 m->m_data -= off;
9090 m->m_len += off;
9091 #else
9092 if (pbuf->pb_contig_len < (unsigned)off)
9093 return (1);
9094 sum = pbuf_inet_cksum(pbuf, 0, off, len);
9095 #endif
9096 } else {
9097 if (pbuf->pb_contig_len < (int)sizeof (struct ip))
9098 return (1);
9099 sum = pbuf_inet_cksum(pbuf, p, off, len);
9100 }
9101 break;
9102 #endif /* INET */
9103 #if INET6
9104 case AF_INET6:
9105 if (pbuf->pb_contig_len < (int)sizeof (struct ip6_hdr))
9106 return (1);
9107 sum = pbuf_inet6_cksum(pbuf, p, off, len);
9108 break;
9109 #endif /* INET6 */
9110 default:
9111 return (1);
9112 }
9113 if (sum) {
9114 switch (p) {
9115 case IPPROTO_TCP:
9116 tcpstat.tcps_rcvbadsum++;
9117 break;
9118 case IPPROTO_UDP:
9119 udpstat.udps_badsum++;
9120 break;
9121 case IPPROTO_ICMP:
9122 icmpstat.icps_checksum++;
9123 break;
9124 #if INET6
9125 case IPPROTO_ICMPV6:
9126 icmp6stat.icp6s_checksum++;
9127 break;
9128 #endif /* INET6 */
9129 }
9130 return (1);
9131 }
9132 return (0);
9133 }
9134
9135 #if INET
9136 #define PF_APPLE_UPDATE_PDESC_IPv4() \
9137 do { \
9138 if (pbuf && pd.mp && pbuf != pd.mp) { \
9139 pbuf = pd.mp; \
9140 h = pbuf->pb_data; \
9141 pd.pf_mtag = pf_get_mtag_pbuf(pbuf); \
9142 } \
9143 } while (0)
9144
9145 int
9146 pf_test_mbuf(int dir, struct ifnet *ifp, struct mbuf **m0,
9147 struct ether_header *eh, struct ip_fw_args *fwa)
9148 {
9149 pbuf_t pbuf_store, *pbuf;
9150 int rv;
9151
9152 pbuf_init_mbuf(&pbuf_store, *m0, (*m0)->m_pkthdr.rcvif);
9153 pbuf = &pbuf_store;
9154
9155 rv = pf_test(dir, ifp, &pbuf, eh, fwa);
9156
9157 if (pbuf_is_valid(pbuf)) {
9158 *m0 = pbuf->pb_mbuf;
9159 pbuf->pb_mbuf = NULL;
9160 pbuf_destroy(pbuf);
9161 } else
9162 *m0 = NULL;
9163
9164 return (rv);
9165 }
9166
9167 int
9168 pf_test(int dir, struct ifnet *ifp, pbuf_t **pbufp,
9169 struct ether_header *eh, struct ip_fw_args *fwa)
9170 {
9171 #if !DUMMYNET
9172 #pragma unused(fwa)
9173 #endif
9174 struct pfi_kif *kif;
9175 u_short action = PF_PASS, reason = 0, log = 0;
9176 pbuf_t *pbuf = *pbufp;
9177 struct ip *h = 0;
9178 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
9179 struct pf_state *s = NULL;
9180 struct pf_state_key *sk = NULL;
9181 struct pf_ruleset *ruleset = NULL;
9182 struct pf_pdesc pd;
9183 int off, dirndx, pqid = 0;
9184
9185 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
9186
9187 if (!pf_status.running)
9188 return (PF_PASS);
9189
9190 memset(&pd, 0, sizeof (pd));
9191
9192 if ((pd.pf_mtag = pf_get_mtag_pbuf(pbuf)) == NULL) {
9193 DPFPRINTF(PF_DEBUG_URGENT,
9194 ("pf_test: pf_get_mtag_pbuf returned NULL\n"));
9195 return (PF_DROP);
9196 }
9197
9198 if (pd.pf_mtag->pftag_flags & PF_TAG_GENERATED)
9199 return (PF_PASS);
9200
9201 kif = (struct pfi_kif *)ifp->if_pf_kif;
9202
9203 if (kif == NULL) {
9204 DPFPRINTF(PF_DEBUG_URGENT,
9205 ("pf_test: kif == NULL, if_name %s\n", ifp->if_name));
9206 return (PF_DROP);
9207 }
9208 if (kif->pfik_flags & PFI_IFLAG_SKIP)
9209 return (PF_PASS);
9210
9211 /* initialize enough of pd for the done label */
9212 h = pbuf->pb_data;
9213 pd.mp = pbuf;
9214 pd.lmw = 0;
9215 pd.pf_mtag = pf_get_mtag_pbuf(pbuf);
9216 pd.src = (struct pf_addr *)&h->ip_src;
9217 pd.dst = (struct pf_addr *)&h->ip_dst;
9218 PF_ACPY(&pd.baddr, pd.src, AF_INET);
9219 PF_ACPY(&pd.bdaddr, pd.dst, AF_INET);
9220 pd.ip_sum = &h->ip_sum;
9221 pd.proto = h->ip_p;
9222 pd.proto_variant = 0;
9223 pd.af = AF_INET;
9224 pd.tos = h->ip_tos;
9225 pd.ttl = h->ip_ttl;
9226 pd.tot_len = ntohs(h->ip_len);
9227 pd.eh = eh;
9228
9229 if (pbuf->pb_packet_len < (int)sizeof (*h)) {
9230 action = PF_DROP;
9231 REASON_SET(&reason, PFRES_SHORT);
9232 log = 1;
9233 goto done;
9234 }
9235
9236 #if DUMMYNET
9237 if (fwa != NULL && fwa->fwa_pf_rule != NULL)
9238 goto nonormalize;
9239 #endif /* DUMMYNET */
9240
9241 /* We do IP header normalization and packet reassembly here */
9242 action = pf_normalize_ip(pbuf, dir, kif, &reason, &pd);
9243 if (action != PF_PASS || pd.lmw < 0) {
9244 action = PF_DROP;
9245 goto done;
9246 }
9247
9248 #if DUMMYNET
9249 nonormalize:
9250 #endif /* DUMMYNET */
9251 /* pf_normalize can mess with pb_data */
9252 h = pbuf->pb_data;
9253
9254 off = h->ip_hl << 2;
9255 if (off < (int)sizeof (*h)) {
9256 action = PF_DROP;
9257 REASON_SET(&reason, PFRES_SHORT);
9258 log = 1;
9259 goto done;
9260 }
9261
9262 pd.src = (struct pf_addr *)&h->ip_src;
9263 pd.dst = (struct pf_addr *)&h->ip_dst;
9264 PF_ACPY(&pd.baddr, pd.src, AF_INET);
9265 PF_ACPY(&pd.bdaddr, pd.dst, AF_INET);
9266 pd.ip_sum = &h->ip_sum;
9267 pd.proto = h->ip_p;
9268 pd.proto_variant = 0;
9269 pd.mp = pbuf;
9270 pd.lmw = 0;
9271 pd.pf_mtag = pf_get_mtag_pbuf(pbuf);
9272 pd.af = AF_INET;
9273 pd.tos = h->ip_tos;
9274 pd.ttl = h->ip_ttl;
9275 pd.sc = MBUF_SCIDX(pbuf_get_service_class(pbuf));
9276 pd.tot_len = ntohs(h->ip_len);
9277 pd.eh = eh;
9278
9279 if (*pbuf->pb_flags & PKTF_FLOW_ID) {
9280 pd.flowsrc = *pbuf->pb_flowsrc;
9281 pd.flowhash = *pbuf->pb_flowid;
9282 pd.pktflags = *pbuf->pb_flags & PKTF_FLOW_MASK;
9283 }
9284
9285 /* handle fragments that didn't get reassembled by normalization */
9286 if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
9287 pd.flags |= PFDESC_IP_FRAG;
9288 #if DUMMYNET
9289 /* Traffic goes through dummynet first */
9290 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9291 if (action == PF_DROP || pbuf == NULL) {
9292 *pbufp = NULL;
9293 return (action);
9294 }
9295 #endif /* DUMMYNET */
9296 action = pf_test_fragment(&r, dir, kif, pbuf, h,
9297 &pd, &a, &ruleset);
9298 goto done;
9299 }
9300
9301 switch (h->ip_p) {
9302
9303 case IPPROTO_TCP: {
9304 struct tcphdr th;
9305 pd.hdr.tcp = &th;
9306 if (!pf_pull_hdr(pbuf, off, &th, sizeof (th),
9307 &action, &reason, AF_INET)) {
9308 log = action != PF_PASS;
9309 goto done;
9310 }
9311 pd.p_len = pd.tot_len - off - (th.th_off << 2);
9312 if ((th.th_flags & TH_ACK) && pd.p_len == 0)
9313 pqid = 1;
9314 #if DUMMYNET
9315 /* Traffic goes through dummynet first */
9316 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9317 if (action == PF_DROP || pbuf == NULL) {
9318 *pbufp = NULL;
9319 return (action);
9320 }
9321 #endif /* DUMMYNET */
9322 action = pf_normalize_tcp(dir, kif, pbuf, 0, off, h, &pd);
9323 if (pd.lmw < 0)
9324 goto done;
9325 PF_APPLE_UPDATE_PDESC_IPv4();
9326 if (action == PF_DROP)
9327 goto done;
9328 action = pf_test_state_tcp(&s, dir, kif, pbuf, off, h, &pd,
9329 &reason);
9330 if (action == PF_NAT64)
9331 goto done;
9332 if (pd.lmw < 0)
9333 goto done;
9334 PF_APPLE_UPDATE_PDESC_IPv4();
9335 if (action == PF_PASS) {
9336 #if NPFSYNC
9337 pfsync_update_state(s);
9338 #endif /* NPFSYNC */
9339 r = s->rule.ptr;
9340 a = s->anchor.ptr;
9341 log = s->log;
9342 } else if (s == NULL)
9343 action = pf_test_rule(&r, &s, dir, kif,
9344 pbuf, off, h, &pd, &a, &ruleset, NULL);
9345 break;
9346 }
9347
9348 case IPPROTO_UDP: {
9349 struct udphdr uh;
9350
9351 pd.hdr.udp = &uh;
9352 if (!pf_pull_hdr(pbuf, off, &uh, sizeof (uh),
9353 &action, &reason, AF_INET)) {
9354 log = action != PF_PASS;
9355 goto done;
9356 }
9357 if (uh.uh_dport == 0 ||
9358 ntohs(uh.uh_ulen) > pbuf->pb_packet_len - off ||
9359 ntohs(uh.uh_ulen) < sizeof (struct udphdr)) {
9360 action = PF_DROP;
9361 REASON_SET(&reason, PFRES_SHORT);
9362 goto done;
9363 }
9364 #if DUMMYNET
9365 /* Traffic goes through dummynet first */
9366 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9367 if (action == PF_DROP || pbuf == NULL) {
9368 *pbufp = NULL;
9369 return (action);
9370 }
9371 #endif /* DUMMYNET */
9372 action = pf_test_state_udp(&s, dir, kif, pbuf, off, h, &pd,
9373 &reason);
9374 if (action == PF_NAT64)
9375 goto done;
9376 if (pd.lmw < 0)
9377 goto done;
9378 PF_APPLE_UPDATE_PDESC_IPv4();
9379 if (action == PF_PASS) {
9380 #if NPFSYNC
9381 pfsync_update_state(s);
9382 #endif /* NPFSYNC */
9383 r = s->rule.ptr;
9384 a = s->anchor.ptr;
9385 log = s->log;
9386 } else if (s == NULL)
9387 action = pf_test_rule(&r, &s, dir, kif,
9388 pbuf, off, h, &pd, &a, &ruleset, NULL);
9389 break;
9390 }
9391
9392 case IPPROTO_ICMP: {
9393 struct icmp ih;
9394
9395 pd.hdr.icmp = &ih;
9396 if (!pf_pull_hdr(pbuf, off, &ih, ICMP_MINLEN,
9397 &action, &reason, AF_INET)) {
9398 log = action != PF_PASS;
9399 goto done;
9400 }
9401 #if DUMMYNET
9402 /* Traffic goes through dummynet first */
9403 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9404 if (action == PF_DROP || pbuf == NULL) {
9405 *pbufp = NULL;
9406 return (action);
9407 }
9408 #endif /* DUMMYNET */
9409 action = pf_test_state_icmp(&s, dir, kif, pbuf, off, h, &pd,
9410 &reason);
9411 if (action == PF_NAT64)
9412 goto done;
9413 if (pd.lmw < 0)
9414 goto done;
9415 PF_APPLE_UPDATE_PDESC_IPv4();
9416 if (action == PF_PASS) {
9417 #if NPFSYNC
9418 pfsync_update_state(s);
9419 #endif /* NPFSYNC */
9420 r = s->rule.ptr;
9421 a = s->anchor.ptr;
9422 log = s->log;
9423 } else if (s == NULL)
9424 action = pf_test_rule(&r, &s, dir, kif,
9425 pbuf, off, h, &pd, &a, &ruleset, NULL);
9426 break;
9427 }
9428
9429 case IPPROTO_ESP: {
9430 struct pf_esp_hdr esp;
9431
9432 pd.hdr.esp = &esp;
9433 if (!pf_pull_hdr(pbuf, off, &esp, sizeof (esp), &action, &reason,
9434 AF_INET)) {
9435 log = action != PF_PASS;
9436 goto done;
9437 }
9438 #if DUMMYNET
9439 /* Traffic goes through dummynet first */
9440 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9441 if (action == PF_DROP || pbuf == NULL) {
9442 *pbufp = NULL;
9443 return (action);
9444 }
9445 #endif /* DUMMYNET */
9446 action = pf_test_state_esp(&s, dir, kif, off, &pd);
9447 if (pd.lmw < 0)
9448 goto done;
9449 PF_APPLE_UPDATE_PDESC_IPv4();
9450 if (action == PF_PASS) {
9451 #if NPFSYNC
9452 pfsync_update_state(s);
9453 #endif /* NPFSYNC */
9454 r = s->rule.ptr;
9455 a = s->anchor.ptr;
9456 log = s->log;
9457 } else if (s == NULL)
9458 action = pf_test_rule(&r, &s, dir, kif,
9459 pbuf, off, h, &pd, &a, &ruleset, NULL);
9460 break;
9461 }
9462
9463 case IPPROTO_GRE: {
9464 struct pf_grev1_hdr grev1;
9465 pd.hdr.grev1 = &grev1;
9466 if (!pf_pull_hdr(pbuf, off, &grev1, sizeof (grev1), &action,
9467 &reason, AF_INET)) {
9468 log = (action != PF_PASS);
9469 goto done;
9470 }
9471 #if DUMMYNET
9472 /* Traffic goes through dummynet first */
9473 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9474 if (action == PF_DROP || pbuf == NULL) {
9475 *pbufp = NULL;
9476 return (action);
9477 }
9478 #endif /* DUMMYNET */
9479 if ((ntohs(grev1.flags) & PF_GRE_FLAG_VERSION_MASK) == 1 &&
9480 ntohs(grev1.protocol_type) == PF_GRE_PPP_ETHERTYPE) {
9481 if (ntohs(grev1.payload_length) >
9482 pbuf->pb_packet_len - off) {
9483 action = PF_DROP;
9484 REASON_SET(&reason, PFRES_SHORT);
9485 goto done;
9486 }
9487 pd.proto_variant = PF_GRE_PPTP_VARIANT;
9488 action = pf_test_state_grev1(&s, dir, kif, off, &pd);
9489 if (pd.lmw < 0) goto done;
9490 PF_APPLE_UPDATE_PDESC_IPv4();
9491 if (action == PF_PASS) {
9492 #if NPFSYNC
9493 pfsync_update_state(s);
9494 #endif /* NPFSYNC */
9495 r = s->rule.ptr;
9496 a = s->anchor.ptr;
9497 log = s->log;
9498 break;
9499 } else if (s == NULL) {
9500 action = pf_test_rule(&r, &s, dir, kif, pbuf,
9501 off, h, &pd, &a, &ruleset, NULL);
9502 if (action == PF_PASS)
9503 break;
9504 }
9505 }
9506
9507 /* not GREv1/PPTP, so treat as ordinary GRE... */
9508 }
9509
9510 default:
9511 #if DUMMYNET
9512 /* Traffic goes through dummynet first */
9513 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9514 if (action == PF_DROP || pbuf == NULL) {
9515 *pbufp = NULL;
9516 return (action);
9517 }
9518 #endif /* DUMMYNET */
9519 action = pf_test_state_other(&s, dir, kif, &pd);
9520 if (pd.lmw < 0)
9521 goto done;
9522 PF_APPLE_UPDATE_PDESC_IPv4();
9523 if (action == PF_PASS) {
9524 #if NPFSYNC
9525 pfsync_update_state(s);
9526 #endif /* NPFSYNC */
9527 r = s->rule.ptr;
9528 a = s->anchor.ptr;
9529 log = s->log;
9530 } else if (s == NULL)
9531 action = pf_test_rule(&r, &s, dir, kif, pbuf, off, h,
9532 &pd, &a, &ruleset, NULL);
9533 break;
9534 }
9535
9536 done:
9537 if (action == PF_NAT64) {
9538 *pbufp = NULL;
9539 return (action);
9540 }
9541
9542 *pbufp = pd.mp;
9543 PF_APPLE_UPDATE_PDESC_IPv4();
9544
9545 if (action != PF_DROP) {
9546 if (action == PF_PASS && h->ip_hl > 5 &&
9547 !((s && s->allow_opts) || r->allow_opts)) {
9548 action = PF_DROP;
9549 REASON_SET(&reason, PFRES_IPOPTIONS);
9550 log = 1;
9551 DPFPRINTF(PF_DEBUG_MISC,
9552 ("pf: dropping packet with ip options [hlen=%u]\n",
9553 (unsigned int) h->ip_hl));
9554 }
9555
9556 if ((s && s->tag) || PF_RTABLEID_IS_VALID(r->rtableid) ||
9557 (pd.pktflags & PKTF_FLOW_ID))
9558 (void) pf_tag_packet(pbuf, pd.pf_mtag, s ? s->tag : 0,
9559 r->rtableid, &pd);
9560
9561 if (action == PF_PASS) {
9562 #if PF_ECN
9563 /* add hints for ecn */
9564 pd.pf_mtag->pftag_hdr = h;
9565 /* record address family */
9566 pd.pf_mtag->pftag_flags &= ~PF_TAG_HDR_INET6;
9567 pd.pf_mtag->pftag_flags |= PF_TAG_HDR_INET;
9568 #endif /* PF_ECN */
9569 /* record protocol */
9570 *pbuf->pb_proto = pd.proto;
9571
9572 /*
9573 * connections redirected to loopback should not match sockets
9574 * bound specifically to loopback due to security implications,
9575 * see tcp_input() and in_pcblookup_listen().
9576 */
9577 if (dir == PF_IN && (pd.proto == IPPROTO_TCP ||
9578 pd.proto == IPPROTO_UDP) && s != NULL &&
9579 s->nat_rule.ptr != NULL &&
9580 (s->nat_rule.ptr->action == PF_RDR ||
9581 s->nat_rule.ptr->action == PF_BINAT) &&
9582 (ntohl(pd.dst->v4addr.s_addr) >> IN_CLASSA_NSHIFT)
9583 == IN_LOOPBACKNET)
9584 pd.pf_mtag->pftag_flags |= PF_TAG_TRANSLATE_LOCALHOST;
9585 }
9586 }
9587
9588 if (log) {
9589 struct pf_rule *lr;
9590
9591 if (s != NULL && s->nat_rule.ptr != NULL &&
9592 s->nat_rule.ptr->log & PF_LOG_ALL)
9593 lr = s->nat_rule.ptr;
9594 else
9595 lr = r;
9596 PFLOG_PACKET(kif, h, pbuf, AF_INET, dir, reason, lr, a, ruleset,
9597 &pd);
9598 }
9599
9600 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
9601 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
9602
9603 if (action == PF_PASS || r->action == PF_DROP) {
9604 dirndx = (dir == PF_OUT);
9605 r->packets[dirndx]++;
9606 r->bytes[dirndx] += pd.tot_len;
9607 if (a != NULL) {
9608 a->packets[dirndx]++;
9609 a->bytes[dirndx] += pd.tot_len;
9610 }
9611 if (s != NULL) {
9612 sk = s->state_key;
9613 if (s->nat_rule.ptr != NULL) {
9614 s->nat_rule.ptr->packets[dirndx]++;
9615 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
9616 }
9617 if (s->src_node != NULL) {
9618 s->src_node->packets[dirndx]++;
9619 s->src_node->bytes[dirndx] += pd.tot_len;
9620 }
9621 if (s->nat_src_node != NULL) {
9622 s->nat_src_node->packets[dirndx]++;
9623 s->nat_src_node->bytes[dirndx] += pd.tot_len;
9624 }
9625 dirndx = (dir == sk->direction) ? 0 : 1;
9626 s->packets[dirndx]++;
9627 s->bytes[dirndx] += pd.tot_len;
9628 }
9629 tr = r;
9630 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
9631 if (nr != NULL) {
9632 struct pf_addr *x;
9633 /*
9634 * XXX: we need to make sure that the addresses
9635 * passed to pfr_update_stats() are the same than
9636 * the addresses used during matching (pfr_match)
9637 */
9638 if (r == &pf_default_rule) {
9639 tr = nr;
9640 x = (sk == NULL || sk->direction == dir) ?
9641 &pd.baddr : &pd.naddr;
9642 } else
9643 x = (sk == NULL || sk->direction == dir) ?
9644 &pd.naddr : &pd.baddr;
9645 if (x == &pd.baddr || s == NULL) {
9646 /* we need to change the address */
9647 if (dir == PF_OUT)
9648 pd.src = x;
9649 else
9650 pd.dst = x;
9651 }
9652 }
9653 if (tr->src.addr.type == PF_ADDR_TABLE)
9654 pfr_update_stats(tr->src.addr.p.tbl, (sk == NULL ||
9655 sk->direction == dir) ?
9656 pd.src : pd.dst, pd.af,
9657 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
9658 tr->src.neg);
9659 if (tr->dst.addr.type == PF_ADDR_TABLE)
9660 pfr_update_stats(tr->dst.addr.p.tbl, (sk == NULL ||
9661 sk->direction == dir) ? pd.dst : pd.src, pd.af,
9662 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
9663 tr->dst.neg);
9664 }
9665
9666 VERIFY(pbuf == NULL || pd.mp == NULL || pd.mp == pbuf);
9667
9668 if (*pbufp) {
9669 if (pd.lmw < 0) {
9670 REASON_SET(&reason, PFRES_MEMORY);
9671 action = PF_DROP;
9672 }
9673
9674 if (action == PF_DROP) {
9675 pbuf_destroy(*pbufp);
9676 *pbufp = NULL;
9677 return (PF_DROP);
9678 }
9679
9680 *pbufp = pbuf;
9681 }
9682
9683 if (action == PF_SYNPROXY_DROP) {
9684 pbuf_destroy(*pbufp);
9685 *pbufp = NULL;
9686 action = PF_PASS;
9687 } else if (r->rt)
9688 /* pf_route can free the pbuf causing *pbufp to become NULL */
9689 pf_route(pbufp, r, dir, kif->pfik_ifp, s, &pd);
9690
9691 return (action);
9692 }
9693 #endif /* INET */
9694
9695 #if INET6
9696 #define PF_APPLE_UPDATE_PDESC_IPv6() \
9697 do { \
9698 if (pbuf && pd.mp && pbuf != pd.mp) { \
9699 pbuf = pd.mp; \
9700 } \
9701 h = pbuf->pb_data; \
9702 } while (0)
9703
9704 int
9705 pf_test6_mbuf(int dir, struct ifnet *ifp, struct mbuf **m0,
9706 struct ether_header *eh, struct ip_fw_args *fwa)
9707 {
9708 pbuf_t pbuf_store, *pbuf;
9709 int rv;
9710
9711 pbuf_init_mbuf(&pbuf_store, *m0, (*m0)->m_pkthdr.rcvif);
9712 pbuf = &pbuf_store;
9713
9714 rv = pf_test6(dir, ifp, &pbuf, eh, fwa);
9715
9716 if (pbuf_is_valid(pbuf)) {
9717 *m0 = pbuf->pb_mbuf;
9718 pbuf->pb_mbuf = NULL;
9719 pbuf_destroy(pbuf);
9720 } else
9721 *m0 = NULL;
9722
9723 return (rv);
9724 }
9725
9726 int
9727 pf_test6(int dir, struct ifnet *ifp, pbuf_t **pbufp,
9728 struct ether_header *eh, struct ip_fw_args *fwa)
9729 {
9730 #if !DUMMYNET
9731 #pragma unused(fwa)
9732 #endif
9733 struct pfi_kif *kif;
9734 u_short action = PF_PASS, reason = 0, log = 0;
9735 pbuf_t *pbuf = *pbufp;
9736 struct ip6_hdr *h;
9737 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
9738 struct pf_state *s = NULL;
9739 struct pf_state_key *sk = NULL;
9740 struct pf_ruleset *ruleset = NULL;
9741 struct pf_pdesc pd;
9742 int off, terminal = 0, dirndx, rh_cnt = 0;
9743 u_int8_t nxt;
9744
9745 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
9746
9747 if (!pf_status.running)
9748 return (PF_PASS);
9749
9750 memset(&pd, 0, sizeof (pd));
9751
9752 if ((pd.pf_mtag = pf_get_mtag_pbuf(pbuf)) == NULL) {
9753 DPFPRINTF(PF_DEBUG_URGENT,
9754 ("pf_test6: pf_get_mtag_pbuf returned NULL\n"));
9755 return (PF_DROP);
9756 }
9757
9758 if (pd.pf_mtag->pftag_flags & PF_TAG_GENERATED)
9759 return (PF_PASS);
9760
9761 kif = (struct pfi_kif *)ifp->if_pf_kif;
9762
9763 if (kif == NULL) {
9764 DPFPRINTF(PF_DEBUG_URGENT,
9765 ("pf_test6: kif == NULL, if_name %s\n", ifp->if_name));
9766 return (PF_DROP);
9767 }
9768 if (kif->pfik_flags & PFI_IFLAG_SKIP)
9769 return (PF_PASS);
9770
9771 h = pbuf->pb_data;
9772
9773 nxt = h->ip6_nxt;
9774 off = ((caddr_t)h - (caddr_t)pbuf->pb_data) + sizeof(struct ip6_hdr);
9775 pd.mp = pbuf;
9776 pd.lmw = 0;
9777 pd.pf_mtag = pf_get_mtag_pbuf(pbuf);
9778 pd.src = (struct pf_addr *)(uintptr_t)&h->ip6_src;
9779 pd.dst = (struct pf_addr *)(uintptr_t)&h->ip6_dst;
9780 PF_ACPY(&pd.baddr, pd.src, AF_INET6);
9781 PF_ACPY(&pd.bdaddr, pd.dst, AF_INET6);
9782 pd.ip_sum = NULL;
9783 pd.af = AF_INET6;
9784 pd.proto = nxt;
9785 pd.proto_variant = 0;
9786 pd.tos = 0;
9787 pd.ttl = h->ip6_hlim;
9788 pd.sc = MBUF_SCIDX(pbuf_get_service_class(pbuf));
9789 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
9790 pd.eh = eh;
9791
9792 if (*pbuf->pb_flags & PKTF_FLOW_ID) {
9793 pd.flowsrc = *pbuf->pb_flowsrc;
9794 pd.flowhash = *pbuf->pb_flowid;
9795 pd.pktflags = (*pbuf->pb_flags & PKTF_FLOW_MASK);
9796 }
9797
9798 if (pbuf->pb_packet_len < (int)sizeof (*h)) {
9799 action = PF_DROP;
9800 REASON_SET(&reason, PFRES_SHORT);
9801 log = 1;
9802 goto done;
9803 }
9804
9805 #if DUMMYNET
9806 if (fwa != NULL && fwa->fwa_pf_rule != NULL)
9807 goto nonormalize;
9808 #endif /* DUMMYNET */
9809
9810 /* We do IP header normalization and packet reassembly here */
9811 action = pf_normalize_ip6(pbuf, dir, kif, &reason, &pd);
9812 if (action != PF_PASS || pd.lmw < 0) {
9813 action = PF_DROP;
9814 goto done;
9815 }
9816
9817 #if DUMMYNET
9818 nonormalize:
9819 #endif /* DUMMYNET */
9820 h = pbuf->pb_data;
9821
9822 #if 1
9823 /*
9824 * we do not support jumbogram yet. if we keep going, zero ip6_plen
9825 * will do something bad, so drop the packet for now.
9826 */
9827 if (htons(h->ip6_plen) == 0) {
9828 action = PF_DROP;
9829 REASON_SET(&reason, PFRES_NORM); /*XXX*/
9830 goto done;
9831 }
9832 #endif
9833
9834 pd.src = (struct pf_addr *)(uintptr_t)&h->ip6_src;
9835 pd.dst = (struct pf_addr *)(uintptr_t)&h->ip6_dst;
9836 PF_ACPY(&pd.baddr, pd.src, AF_INET6);
9837 PF_ACPY(&pd.bdaddr, pd.dst, AF_INET6);
9838 pd.ip_sum = NULL;
9839 pd.af = AF_INET6;
9840 pd.tos = 0;
9841 pd.ttl = h->ip6_hlim;
9842 pd.tot_len = ntohs(h->ip6_plen) + sizeof (struct ip6_hdr);
9843 pd.eh = eh;
9844
9845 off = ((caddr_t)h - (caddr_t)pbuf->pb_data) + sizeof (struct ip6_hdr);
9846 pd.proto = h->ip6_nxt;
9847 pd.proto_variant = 0;
9848 pd.mp = pbuf;
9849 pd.lmw = 0;
9850 pd.pf_mtag = pf_get_mtag_pbuf(pbuf);
9851
9852 do {
9853 switch (nxt) {
9854 case IPPROTO_FRAGMENT: {
9855 struct ip6_frag ip6f;
9856
9857 pd.flags |= PFDESC_IP_FRAG;
9858 if (!pf_pull_hdr(pbuf, off, &ip6f, sizeof ip6f, NULL,
9859 &reason, pd.af)) {
9860 DPFPRINTF(PF_DEBUG_MISC,
9861 ("pf: IPv6 short fragment header\n"));
9862 action = PF_DROP;
9863 REASON_SET(&reason, PFRES_SHORT);
9864 log = 1;
9865 goto done;
9866 }
9867 pd.proto = nxt = ip6f.ip6f_nxt;
9868 #if DUMMYNET
9869 /* Traffic goes through dummynet first */
9870 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd,
9871 fwa);
9872 if (action == PF_DROP || pbuf == NULL) {
9873 *pbufp = NULL;
9874 return (action);
9875 }
9876 #endif /* DUMMYNET */
9877 action = pf_test_fragment(&r, dir, kif, pbuf, h, &pd,
9878 &a, &ruleset);
9879 if (action == PF_DROP) {
9880 REASON_SET(&reason, PFRES_FRAG);
9881 log = 1;
9882 }
9883 goto done;
9884 }
9885 case IPPROTO_ROUTING:
9886 ++rh_cnt;
9887 /* FALL THROUGH */
9888
9889 case IPPROTO_AH:
9890 case IPPROTO_HOPOPTS:
9891 case IPPROTO_DSTOPTS: {
9892 /* get next header and header length */
9893 struct ip6_ext opt6;
9894
9895 if (!pf_pull_hdr(pbuf, off, &opt6, sizeof(opt6),
9896 NULL, &reason, pd.af)) {
9897 DPFPRINTF(PF_DEBUG_MISC,
9898 ("pf: IPv6 short opt\n"));
9899 action = PF_DROP;
9900 log = 1;
9901 goto done;
9902 }
9903 if (pd.proto == IPPROTO_AH)
9904 off += (opt6.ip6e_len + 2) * 4;
9905 else
9906 off += (opt6.ip6e_len + 1) * 8;
9907 nxt = opt6.ip6e_nxt;
9908 /* goto the next header */
9909 break;
9910 }
9911 default:
9912 terminal++;
9913 break;
9914 }
9915 } while (!terminal);
9916
9917
9918 switch (pd.proto) {
9919
9920 case IPPROTO_TCP: {
9921 struct tcphdr th;
9922
9923 pd.hdr.tcp = &th;
9924 if (!pf_pull_hdr(pbuf, off, &th, sizeof (th),
9925 &action, &reason, AF_INET6)) {
9926 log = action != PF_PASS;
9927 goto done;
9928 }
9929 pd.p_len = pd.tot_len - off - (th.th_off << 2);
9930 #if DUMMYNET
9931 /* Traffic goes through dummynet first */
9932 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9933 if (action == PF_DROP || pbuf == NULL) {
9934 *pbufp = NULL;
9935 return (action);
9936 }
9937 #endif /* DUMMYNET */
9938 action = pf_normalize_tcp(dir, kif, pbuf, 0, off, h, &pd);
9939 if (pd.lmw < 0)
9940 goto done;
9941 PF_APPLE_UPDATE_PDESC_IPv6();
9942 if (action == PF_DROP)
9943 goto done;
9944 action = pf_test_state_tcp(&s, dir, kif, pbuf, off, h, &pd,
9945 &reason);
9946 if (action == PF_NAT64)
9947 goto done;
9948 if (pd.lmw < 0)
9949 goto done;
9950 PF_APPLE_UPDATE_PDESC_IPv6();
9951 if (action == PF_PASS) {
9952 #if NPFSYNC
9953 pfsync_update_state(s);
9954 #endif /* NPFSYNC */
9955 r = s->rule.ptr;
9956 a = s->anchor.ptr;
9957 log = s->log;
9958 } else if (s == NULL)
9959 action = pf_test_rule(&r, &s, dir, kif,
9960 pbuf, off, h, &pd, &a, &ruleset, NULL);
9961 break;
9962 }
9963
9964 case IPPROTO_UDP: {
9965 struct udphdr uh;
9966
9967 pd.hdr.udp = &uh;
9968 if (!pf_pull_hdr(pbuf, off, &uh, sizeof (uh),
9969 &action, &reason, AF_INET6)) {
9970 log = action != PF_PASS;
9971 goto done;
9972 }
9973 if (uh.uh_dport == 0 ||
9974 ntohs(uh.uh_ulen) > pbuf->pb_packet_len - off ||
9975 ntohs(uh.uh_ulen) < sizeof (struct udphdr)) {
9976 action = PF_DROP;
9977 REASON_SET(&reason, PFRES_SHORT);
9978 goto done;
9979 }
9980 #if DUMMYNET
9981 /* Traffic goes through dummynet first */
9982 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
9983 if (action == PF_DROP || pbuf == NULL) {
9984 *pbufp = NULL;
9985 return (action);
9986 }
9987 #endif /* DUMMYNET */
9988 action = pf_test_state_udp(&s, dir, kif, pbuf, off, h, &pd,
9989 &reason);
9990 if (action == PF_NAT64)
9991 goto done;
9992 if (pd.lmw < 0)
9993 goto done;
9994 PF_APPLE_UPDATE_PDESC_IPv6();
9995 if (action == PF_PASS) {
9996 #if NPFSYNC
9997 pfsync_update_state(s);
9998 #endif /* NPFSYNC */
9999 r = s->rule.ptr;
10000 a = s->anchor.ptr;
10001 log = s->log;
10002 } else if (s == NULL)
10003 action = pf_test_rule(&r, &s, dir, kif,
10004 pbuf, off, h, &pd, &a, &ruleset, NULL);
10005 break;
10006 }
10007
10008 case IPPROTO_ICMPV6: {
10009 struct icmp6_hdr ih;
10010
10011 pd.hdr.icmp6 = &ih;
10012 if (!pf_pull_hdr(pbuf, off, &ih, sizeof (ih),
10013 &action, &reason, AF_INET6)) {
10014 log = action != PF_PASS;
10015 goto done;
10016 }
10017 #if DUMMYNET
10018 /* Traffic goes through dummynet first */
10019 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
10020 if (action == PF_DROP || pbuf == NULL) {
10021 *pbufp = NULL;
10022 return (action);
10023 }
10024 #endif /* DUMMYNET */
10025 action = pf_test_state_icmp(&s, dir, kif,
10026 pbuf, off, h, &pd, &reason);
10027 if (action == PF_NAT64)
10028 goto done;
10029 if (pd.lmw < 0)
10030 goto done;
10031 PF_APPLE_UPDATE_PDESC_IPv6();
10032 if (action == PF_PASS) {
10033 #if NPFSYNC
10034 pfsync_update_state(s);
10035 #endif /* NPFSYNC */
10036 r = s->rule.ptr;
10037 a = s->anchor.ptr;
10038 log = s->log;
10039 } else if (s == NULL)
10040 action = pf_test_rule(&r, &s, dir, kif,
10041 pbuf, off, h, &pd, &a, &ruleset, NULL);
10042 break;
10043 }
10044
10045 case IPPROTO_ESP: {
10046 struct pf_esp_hdr esp;
10047
10048 pd.hdr.esp = &esp;
10049 if (!pf_pull_hdr(pbuf, off, &esp, sizeof (esp), &action,
10050 &reason, AF_INET6)) {
10051 log = action != PF_PASS;
10052 goto done;
10053 }
10054 #if DUMMYNET
10055 /* Traffic goes through dummynet first */
10056 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
10057 if (action == PF_DROP || pbuf == NULL) {
10058 *pbufp = NULL;
10059 return (action);
10060 }
10061 #endif /* DUMMYNET */
10062 action = pf_test_state_esp(&s, dir, kif, off, &pd);
10063 if (pd.lmw < 0)
10064 goto done;
10065 PF_APPLE_UPDATE_PDESC_IPv6();
10066 if (action == PF_PASS) {
10067 #if NPFSYNC
10068 pfsync_update_state(s);
10069 #endif /* NPFSYNC */
10070 r = s->rule.ptr;
10071 a = s->anchor.ptr;
10072 log = s->log;
10073 } else if (s == NULL)
10074 action = pf_test_rule(&r, &s, dir, kif,
10075 pbuf, off, h, &pd, &a, &ruleset, NULL);
10076 break;
10077 }
10078
10079 case IPPROTO_GRE: {
10080 struct pf_grev1_hdr grev1;
10081
10082 pd.hdr.grev1 = &grev1;
10083 if (!pf_pull_hdr(pbuf, off, &grev1, sizeof (grev1), &action,
10084 &reason, AF_INET6)) {
10085 log = (action != PF_PASS);
10086 goto done;
10087 }
10088 #if DUMMYNET
10089 /* Traffic goes through dummynet first */
10090 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
10091 if (action == PF_DROP || pbuf == NULL) {
10092 *pbufp = NULL;
10093 return (action);
10094 }
10095 #endif /* DUMMYNET */
10096 if ((ntohs(grev1.flags) & PF_GRE_FLAG_VERSION_MASK) == 1 &&
10097 ntohs(grev1.protocol_type) == PF_GRE_PPP_ETHERTYPE) {
10098 if (ntohs(grev1.payload_length) >
10099 pbuf->pb_packet_len - off) {
10100 action = PF_DROP;
10101 REASON_SET(&reason, PFRES_SHORT);
10102 goto done;
10103 }
10104 action = pf_test_state_grev1(&s, dir, kif, off, &pd);
10105 if (pd.lmw < 0)
10106 goto done;
10107 PF_APPLE_UPDATE_PDESC_IPv6();
10108 if (action == PF_PASS) {
10109 #if NPFSYNC
10110 pfsync_update_state(s);
10111 #endif /* NPFSYNC */
10112 r = s->rule.ptr;
10113 a = s->anchor.ptr;
10114 log = s->log;
10115 break;
10116 } else if (s == NULL) {
10117 action = pf_test_rule(&r, &s, dir, kif, pbuf,
10118 off, h, &pd, &a, &ruleset, NULL);
10119 if (action == PF_PASS)
10120 break;
10121 }
10122 }
10123
10124 /* not GREv1/PPTP, so treat as ordinary GRE... */
10125 }
10126
10127 default:
10128 #if DUMMYNET
10129 /* Traffic goes through dummynet first */
10130 action = pf_test_dummynet(&r, dir, kif, &pbuf, &pd, fwa);
10131 if (action == PF_DROP || pbuf == NULL) {
10132 *pbufp = NULL;
10133 return (action);
10134 }
10135 #endif /* DUMMYNET */
10136 action = pf_test_state_other(&s, dir, kif, &pd);
10137 if (pd.lmw < 0)
10138 goto done;
10139 PF_APPLE_UPDATE_PDESC_IPv6();
10140 if (action == PF_PASS) {
10141 #if NPFSYNC
10142 pfsync_update_state(s);
10143 #endif /* NPFSYNC */
10144 r = s->rule.ptr;
10145 a = s->anchor.ptr;
10146 log = s->log;
10147 } else if (s == NULL)
10148 action = pf_test_rule(&r, &s, dir, kif, pbuf, off, h,
10149 &pd, &a, &ruleset, NULL);
10150 break;
10151 }
10152
10153 done:
10154 if (action == PF_NAT64) {
10155 *pbufp = NULL;
10156 return (action);
10157 }
10158
10159 *pbufp = pd.mp;
10160 PF_APPLE_UPDATE_PDESC_IPv6();
10161
10162 /* handle dangerous IPv6 extension headers. */
10163 if (action != PF_DROP) {
10164 if (action == PF_PASS && rh_cnt &&
10165 !((s && s->allow_opts) || r->allow_opts)) {
10166 action = PF_DROP;
10167 REASON_SET(&reason, PFRES_IPOPTIONS);
10168 log = 1;
10169 DPFPRINTF(PF_DEBUG_MISC,
10170 ("pf: dropping packet with dangerous v6addr headers\n"));
10171 }
10172
10173 if ((s && s->tag) || PF_RTABLEID_IS_VALID(r->rtableid) ||
10174 (pd.pktflags & PKTF_FLOW_ID))
10175 (void) pf_tag_packet(pbuf, pd.pf_mtag, s ? s->tag : 0,
10176 r->rtableid, &pd);
10177
10178 if (action == PF_PASS) {
10179 #if PF_ECN
10180 /* add hints for ecn */
10181 pd.pf_mtag->pftag_hdr = h;
10182 /* record address family */
10183 pd.pf_mtag->pftag_flags &= ~PF_TAG_HDR_INET;
10184 pd.pf_mtag->pftag_flags |= PF_TAG_HDR_INET6;
10185 #endif /* PF_ECN */
10186 /* record protocol */
10187 *pbuf->pb_proto = pd.proto;
10188 if (dir == PF_IN && (pd.proto == IPPROTO_TCP ||
10189 pd.proto == IPPROTO_UDP) && s != NULL &&
10190 s->nat_rule.ptr != NULL &&
10191 (s->nat_rule.ptr->action == PF_RDR ||
10192 s->nat_rule.ptr->action == PF_BINAT) &&
10193 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6addr))
10194 pd.pf_mtag->pftag_flags |= PF_TAG_TRANSLATE_LOCALHOST;
10195 }
10196 }
10197
10198
10199 if (log) {
10200 struct pf_rule *lr;
10201
10202 if (s != NULL && s->nat_rule.ptr != NULL &&
10203 s->nat_rule.ptr->log & PF_LOG_ALL)
10204 lr = s->nat_rule.ptr;
10205 else
10206 lr = r;
10207 PFLOG_PACKET(kif, h, pbuf, AF_INET6, dir, reason, lr, a, ruleset,
10208 &pd);
10209 }
10210
10211 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
10212 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
10213
10214 if (action == PF_PASS || r->action == PF_DROP) {
10215 dirndx = (dir == PF_OUT);
10216 r->packets[dirndx]++;
10217 r->bytes[dirndx] += pd.tot_len;
10218 if (a != NULL) {
10219 a->packets[dirndx]++;
10220 a->bytes[dirndx] += pd.tot_len;
10221 }
10222 if (s != NULL) {
10223 sk = s->state_key;
10224 if (s->nat_rule.ptr != NULL) {
10225 s->nat_rule.ptr->packets[dirndx]++;
10226 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
10227 }
10228 if (s->src_node != NULL) {
10229 s->src_node->packets[dirndx]++;
10230 s->src_node->bytes[dirndx] += pd.tot_len;
10231 }
10232 if (s->nat_src_node != NULL) {
10233 s->nat_src_node->packets[dirndx]++;
10234 s->nat_src_node->bytes[dirndx] += pd.tot_len;
10235 }
10236 dirndx = (dir == sk->direction) ? 0 : 1;
10237 s->packets[dirndx]++;
10238 s->bytes[dirndx] += pd.tot_len;
10239 }
10240 tr = r;
10241 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
10242 if (nr != NULL) {
10243 struct pf_addr *x;
10244 /*
10245 * XXX: we need to make sure that the addresses
10246 * passed to pfr_update_stats() are the same than
10247 * the addresses used during matching (pfr_match)
10248 */
10249 if (r == &pf_default_rule) {
10250 tr = nr;
10251 x = (s == NULL || sk->direction == dir) ?
10252 &pd.baddr : &pd.naddr;
10253 } else {
10254 x = (s == NULL || sk->direction == dir) ?
10255 &pd.naddr : &pd.baddr;
10256 }
10257 if (x == &pd.baddr || s == NULL) {
10258 if (dir == PF_OUT)
10259 pd.src = x;
10260 else
10261 pd.dst = x;
10262 }
10263 }
10264 if (tr->src.addr.type == PF_ADDR_TABLE)
10265 pfr_update_stats(tr->src.addr.p.tbl, (sk == NULL ||
10266 sk->direction == dir) ? pd.src : pd.dst, pd.af,
10267 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
10268 tr->src.neg);
10269 if (tr->dst.addr.type == PF_ADDR_TABLE)
10270 pfr_update_stats(tr->dst.addr.p.tbl, (sk == NULL ||
10271 sk->direction == dir) ? pd.dst : pd.src, pd.af,
10272 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
10273 tr->dst.neg);
10274 }
10275
10276 #if 0
10277 if (action == PF_SYNPROXY_DROP) {
10278 m_freem(*m0);
10279 *m0 = NULL;
10280 action = PF_PASS;
10281 } else if (r->rt)
10282 /* pf_route6 can free the mbuf causing *m0 to become NULL */
10283 pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd);
10284 #else
10285 VERIFY(pbuf == NULL || pd.mp == NULL || pd.mp == pbuf);
10286
10287 if (*pbufp) {
10288 if (pd.lmw < 0) {
10289 REASON_SET(&reason, PFRES_MEMORY);
10290 action = PF_DROP;
10291 }
10292
10293 if (action == PF_DROP) {
10294 pbuf_destroy(*pbufp);
10295 *pbufp = NULL;
10296 return (PF_DROP);
10297 }
10298
10299 *pbufp = pbuf;
10300 }
10301
10302 if (action == PF_SYNPROXY_DROP) {
10303 pbuf_destroy(*pbufp);
10304 *pbufp = NULL;
10305 action = PF_PASS;
10306 } else if (r->rt) {
10307 /* pf_route6 can free the mbuf causing *m0 to become NULL */
10308 pf_route6(pbufp, r, dir, kif->pfik_ifp, s, &pd);
10309 }
10310 #endif /* 0 */
10311
10312 return (action);
10313 }
10314 #endif /* INET6 */
10315
10316 static int
10317 pf_check_congestion(struct ifqueue *ifq)
10318 {
10319 #pragma unused(ifq)
10320 return (0);
10321 }
10322
10323 void
10324 pool_init(struct pool *pp, size_t size, unsigned int align, unsigned int ioff,
10325 int flags, const char *wchan, void *palloc)
10326 {
10327 #pragma unused(align, ioff, flags, palloc)
10328 bzero(pp, sizeof (*pp));
10329 pp->pool_zone = zinit(size, 1024 * size, PAGE_SIZE, wchan);
10330 if (pp->pool_zone != NULL) {
10331 zone_change(pp->pool_zone, Z_EXPAND, TRUE);
10332 zone_change(pp->pool_zone, Z_CALLERACCT, FALSE);
10333 pp->pool_hiwat = pp->pool_limit = (unsigned int)-1;
10334 pp->pool_name = wchan;
10335 }
10336 }
10337
10338 /* Zones cannot be currently destroyed */
10339 void
10340 pool_destroy(struct pool *pp)
10341 {
10342 #pragma unused(pp)
10343 }
10344
10345 void
10346 pool_sethiwat(struct pool *pp, int n)
10347 {
10348 pp->pool_hiwat = n; /* Currently unused */
10349 }
10350
10351 void
10352 pool_sethardlimit(struct pool *pp, int n, const char *warnmess, int ratecap)
10353 {
10354 #pragma unused(warnmess, ratecap)
10355 pp->pool_limit = n;
10356 }
10357
10358 void *
10359 pool_get(struct pool *pp, int flags)
10360 {
10361 void *buf;
10362
10363 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
10364
10365 if (pp->pool_count > pp->pool_limit) {
10366 DPFPRINTF(PF_DEBUG_NOISY,
10367 ("pf: pool %s hard limit reached (%d)\n",
10368 pp->pool_name != NULL ? pp->pool_name : "unknown",
10369 pp->pool_limit));
10370 pp->pool_fails++;
10371 return (NULL);
10372 }
10373
10374 buf = zalloc_canblock(pp->pool_zone, (flags & (PR_NOWAIT | PR_WAITOK)));
10375 if (buf != NULL) {
10376 pp->pool_count++;
10377 VERIFY(pp->pool_count != 0);
10378 }
10379 return (buf);
10380 }
10381
10382 void
10383 pool_put(struct pool *pp, void *v)
10384 {
10385 LCK_MTX_ASSERT(pf_lock, LCK_MTX_ASSERT_OWNED);
10386
10387 zfree(pp->pool_zone, v);
10388 VERIFY(pp->pool_count != 0);
10389 pp->pool_count--;
10390 }
10391
10392 struct pf_mtag *
10393 pf_find_mtag_pbuf(pbuf_t *pbuf)
10394 {
10395
10396 return (pbuf->pb_pftag);
10397 }
10398
10399 struct pf_mtag *
10400 pf_find_mtag(struct mbuf *m)
10401 {
10402
10403 return (m_pftag(m));
10404 }
10405
10406 struct pf_mtag *
10407 pf_get_mtag(struct mbuf *m)
10408 {
10409 return (pf_find_mtag(m));
10410 }
10411
10412 struct pf_mtag *
10413 pf_get_mtag_pbuf(pbuf_t *pbuf)
10414 {
10415 return (pf_find_mtag_pbuf(pbuf));
10416 }
10417
10418 uint64_t
10419 pf_time_second(void)
10420 {
10421 struct timeval t;
10422
10423 microuptime(&t);
10424 return (t.tv_sec);
10425 }
10426
10427 uint64_t
10428 pf_calendar_time_second(void)
10429 {
10430 struct timeval t;
10431
10432 getmicrotime(&t);
10433 return (t.tv_sec);
10434 }
10435
10436 static void *
10437 hook_establish(struct hook_desc_head *head, int tail, hook_fn_t fn, void *arg)
10438 {
10439 struct hook_desc *hd;
10440
10441 hd = _MALLOC(sizeof(*hd), M_DEVBUF, M_WAITOK);
10442 if (hd == NULL)
10443 return (NULL);
10444
10445 hd->hd_fn = fn;
10446 hd->hd_arg = arg;
10447 if (tail)
10448 TAILQ_INSERT_TAIL(head, hd, hd_list);
10449 else
10450 TAILQ_INSERT_HEAD(head, hd, hd_list);
10451
10452 return (hd);
10453 }
10454
10455 static void
10456 hook_runloop(struct hook_desc_head *head, int flags)
10457 {
10458 struct hook_desc *hd;
10459
10460 if (!(flags & HOOK_REMOVE)) {
10461 if (!(flags & HOOK_ABORT))
10462 TAILQ_FOREACH(hd, head, hd_list)
10463 hd->hd_fn(hd->hd_arg);
10464 } else {
10465 while (!!(hd = TAILQ_FIRST(head))) {
10466 TAILQ_REMOVE(head, hd, hd_list);
10467 if (!(flags & HOOK_ABORT))
10468 hd->hd_fn(hd->hd_arg);
10469 if (flags & HOOK_FREE)
10470 _FREE(hd, M_DEVBUF);
10471 }
10472 }
10473 }
mirror of XNU