1 /* $FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.19 2004/09/11 11:18:25 mlaier Exp $ */ 2 /* $OpenBSD: pf.c,v 1.433.2.2 2004/07/17 03:22:34 brad Exp $ */ 3 /* add $OpenBSD: pf.c,v 1.448 2004/05/11 07:34:11 dhartmei Exp $ */ 4 /* $DragonFly: src/sys/net/pf/pf.c,v 1.8 2005/12/11 13:00:17 swildner Exp $ */ 5 6 /* 7 * Copyright (c) 2004 The DragonFly Project. All rights reserved. 8 * 9 * Copyright (c) 2001 Daniel Hartmeier 10 * Copyright (c) 2002,2003 Henning Brauer 11 * All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 17 * - Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * - Redistributions in binary form must reproduce the above 20 * copyright notice, this list of conditions and the following 21 * disclaimer in the documentation and/or other materials provided 22 * with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 27 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 28 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 30 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 31 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 32 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 34 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35 * POSSIBILITY OF SUCH DAMAGE. 36 * 37 * Effort sponsored in part by the Defense Advanced Research Projects 38 * Agency (DARPA) and Air Force Research Laboratory, Air Force 39 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 40 * 41 */ 42 43 #include "opt_inet.h" 44 #include "opt_inet6.h" 45 #include "use_pfsync.h" 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/malloc.h> 50 #include <sys/mbuf.h> 51 #include <sys/filio.h> 52 #include <sys/socket.h> 53 #include <sys/socketvar.h> 54 #include <sys/kernel.h> 55 #include <sys/time.h> 56 #include <sys/sysctl.h> 57 #include <sys/endian.h> 58 #include <vm/vm_zone.h> 59 60 #include <machine/inttypes.h> 61 62 #include <net/if.h> 63 #include <net/if_types.h> 64 #include <net/bpf.h> 65 #include <net/route.h> 66 67 #include <netinet/in.h> 68 #include <netinet/in_var.h> 69 #include <netinet/in_systm.h> 70 #include <netinet/ip.h> 71 #include <netinet/ip_var.h> 72 #include <netinet/tcp.h> 73 #include <netinet/tcp_seq.h> 74 #include <netinet/udp.h> 75 #include <netinet/ip_icmp.h> 76 #include <netinet/in_pcb.h> 77 #include <netinet/tcp_timer.h> 78 #include <netinet/tcp_var.h> 79 #include <netinet/udp_var.h> 80 #include <netinet/icmp_var.h> 81 82 #include <net/pf/pfvar.h> 83 #include <net/pf/if_pflog.h> 84 85 #if NPFSYNC > 0 86 #include <net/pf/if_pfsync.h> 87 #endif /* NPFSYNC > 0 */ 88 89 #ifdef INET6 90 #include <netinet/ip6.h> 91 #include <netinet/in_pcb.h> 92 #include <netinet/icmp6.h> 93 #include <netinet6/nd6.h> 94 #include <netinet6/ip6_var.h> 95 #include <netinet6/in6_pcb.h> 96 #endif /* INET6 */ 97 98 #include <sys/in_cksum.h> 99 #include <machine/limits.h> 100 #include <sys/msgport2.h> 101 #include <sys/ucred.h> 102 103 extern int ip_optcopy(struct ip *, struct ip *); 104 105 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x 106 107 /* 108 * Global variables 109 */ 110 111 struct pf_anchorqueue pf_anchors; 112 struct pf_ruleset pf_main_ruleset; 113 struct pf_altqqueue pf_altqs[2]; 114 struct pf_palist pf_pabuf; 115 struct pf_altqqueue *pf_altqs_active; 116 struct pf_altqqueue *pf_altqs_inactive; 117 struct pf_status pf_status; 118 119 u_int32_t ticket_altqs_active; 120 u_int32_t ticket_altqs_inactive; 121 int altqs_inactive_open; 122 u_int32_t ticket_pabuf; 123 124 struct callout pf_expire_to; /* expire timeout */ 125 126 vm_zone_t pf_src_tree_pl, pf_rule_pl; 127 vm_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 128 129 void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t); 130 void pf_print_state(struct pf_state *); 131 void pf_print_flags(u_int8_t); 132 133 u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t, 134 u_int8_t); 135 void pf_change_ap(struct pf_addr *, u_int16_t *, 136 u_int16_t *, u_int16_t *, struct pf_addr *, 137 u_int16_t, u_int8_t, sa_family_t); 138 #ifdef INET6 139 void pf_change_a6(struct pf_addr *, u_int16_t *, 140 struct pf_addr *, u_int8_t); 141 #endif /* INET6 */ 142 void pf_change_icmp(struct pf_addr *, u_int16_t *, 143 struct pf_addr *, struct pf_addr *, u_int16_t, 144 u_int16_t *, u_int16_t *, u_int16_t *, 145 u_int16_t *, u_int8_t, sa_family_t); 146 void pf_send_tcp(const struct pf_rule *, sa_family_t, 147 const struct pf_addr *, const struct pf_addr *, 148 u_int16_t, u_int16_t, u_int32_t, u_int32_t, 149 u_int8_t, u_int16_t, u_int16_t, u_int8_t); 150 void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, 151 sa_family_t, struct pf_rule *); 152 struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *, 153 int, int, struct pfi_kif *, 154 struct pf_addr *, u_int16_t, struct pf_addr *, 155 u_int16_t, int); 156 struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *, 157 int, int, struct pfi_kif *, struct pf_src_node **, 158 struct pf_addr *, u_int16_t, 159 struct pf_addr *, u_int16_t, 160 struct pf_addr *, u_int16_t *); 161 int pf_test_tcp(struct pf_rule **, struct pf_state **, 162 int, struct pfi_kif *, struct mbuf *, int, 163 void *, struct pf_pdesc *, struct pf_rule **, 164 struct pf_ruleset **); 165 int pf_test_udp(struct pf_rule **, struct pf_state **, 166 int, struct pfi_kif *, struct mbuf *, int, 167 void *, struct pf_pdesc *, struct pf_rule **, 168 struct pf_ruleset **); 169 int pf_test_icmp(struct pf_rule **, struct pf_state **, 170 int, struct pfi_kif *, struct mbuf *, int, 171 void *, struct pf_pdesc *, struct pf_rule **, 172 struct pf_ruleset **); 173 int pf_test_other(struct pf_rule **, struct pf_state **, 174 int, struct pfi_kif *, struct mbuf *, int, void *, 175 struct pf_pdesc *, struct pf_rule **, 176 struct pf_ruleset **); 177 int pf_test_fragment(struct pf_rule **, int, 178 struct pfi_kif *, struct mbuf *, void *, 179 struct pf_pdesc *, struct pf_rule **, 180 struct pf_ruleset **); 181 int pf_test_state_tcp(struct pf_state **, int, 182 struct pfi_kif *, struct mbuf *, int, 183 void *, struct pf_pdesc *, u_short *); 184 int pf_test_state_udp(struct pf_state **, int, 185 struct pfi_kif *, struct mbuf *, int, 186 void *, struct pf_pdesc *); 187 int pf_test_state_icmp(struct pf_state **, int, 188 struct pfi_kif *, struct mbuf *, int, 189 void *, struct pf_pdesc *); 190 int pf_test_state_other(struct pf_state **, int, 191 struct pfi_kif *, struct pf_pdesc *); 192 static int pf_match_tag(struct mbuf *, struct pf_rule *, 193 struct pf_rule *, int *); 194 void pf_hash(struct pf_addr *, struct pf_addr *, 195 struct pf_poolhashkey *, sa_family_t); 196 int pf_map_addr(u_int8_t, struct pf_rule *, 197 struct pf_addr *, struct pf_addr *, 198 struct pf_addr *, struct pf_src_node **); 199 int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *, 200 struct pf_addr *, struct pf_addr *, u_int16_t, 201 struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t, 202 struct pf_src_node **); 203 void pf_route(struct mbuf **, struct pf_rule *, int, 204 struct ifnet *, struct pf_state *); 205 void pf_route6(struct mbuf **, struct pf_rule *, int, 206 struct ifnet *, struct pf_state *); 207 int pf_socket_lookup(uid_t *, gid_t *, 208 int, struct pf_pdesc *); 209 u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, 210 sa_family_t); 211 u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, 212 sa_family_t); 213 u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t, 214 u_int16_t); 215 void pf_set_rt_ifp(struct pf_state *, 216 struct pf_addr *); 217 int pf_check_proto_cksum(struct mbuf *, int, int, 218 u_int8_t, sa_family_t); 219 int pf_addr_wrap_neq(struct pf_addr_wrap *, 220 struct pf_addr_wrap *); 221 struct pf_state *pf_find_state_recurse(struct pfi_kif *, 222 struct pf_state *, u_int8_t); 223 224 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX]; 225 226 #define STATE_LOOKUP() \ 227 do { \ 228 if (direction == PF_IN) \ 229 *state = pf_find_state_recurse( \ 230 kif, &key, PF_EXT_GWY); \ 231 else \ 232 *state = pf_find_state_recurse( \ 233 kif, &key, PF_LAN_EXT); \ 234 if (*state == NULL) \ 235 return (PF_DROP); \ 236 if (direction == PF_OUT && \ 237 (((*state)->rule.ptr->rt == PF_ROUTETO && \ 238 (*state)->rule.ptr->direction == PF_OUT) || \ 239 ((*state)->rule.ptr->rt == PF_REPLYTO && \ 240 (*state)->rule.ptr->direction == PF_IN)) && \ 241 (*state)->rt_kif != NULL && \ 242 (*state)->rt_kif != kif) \ 243 return (PF_PASS); \ 244 } while (0) 245 246 #define STATE_TRANSLATE(s) \ 247 (s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \ 248 ((s)->af == AF_INET6 && \ 249 ((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \ 250 (s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \ 251 (s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \ 252 (s)->lan.port != (s)->gwy.port 253 254 #define BOUND_IFACE(r, k) (((r)->rule_flag & PFRULE_IFBOUND) ? (k) : \ 255 ((r)->rule_flag & PFRULE_GRBOUND) ? (k)->pfik_parent : \ 256 (k)->pfik_parent->pfik_parent) 257 258 static int pf_src_compare(struct pf_src_node *, struct pf_src_node *); 259 static int pf_state_compare_lan_ext(struct pf_state *, 260 struct pf_state *); 261 static int pf_state_compare_ext_gwy(struct pf_state *, 262 struct pf_state *); 263 static int pf_state_compare_id(struct pf_state *, 264 struct pf_state *); 265 266 struct pf_src_tree tree_src_tracking; 267 268 struct pf_state_tree_id tree_id; 269 struct pf_state_queue state_updates; 270 271 RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare); 272 RB_GENERATE(pf_state_tree_lan_ext, pf_state, 273 u.s.entry_lan_ext, pf_state_compare_lan_ext); 274 RB_GENERATE(pf_state_tree_ext_gwy, pf_state, 275 u.s.entry_ext_gwy, pf_state_compare_ext_gwy); 276 RB_GENERATE(pf_state_tree_id, pf_state, 277 u.s.entry_id, pf_state_compare_id); 278 279 static int 280 pf_src_compare(struct pf_src_node *a, struct pf_src_node *b) 281 { 282 int diff; 283 284 if (a->rule.ptr > b->rule.ptr) 285 return (1); 286 if (a->rule.ptr < b->rule.ptr) 287 return (-1); 288 if ((diff = a->af - b->af) != 0) 289 return (diff); 290 switch (a->af) { 291 #ifdef INET 292 case AF_INET: 293 if (a->addr.addr32[0] > b->addr.addr32[0]) 294 return (1); 295 if (a->addr.addr32[0] < b->addr.addr32[0]) 296 return (-1); 297 break; 298 #endif /* INET */ 299 #ifdef INET6 300 case AF_INET6: 301 if (a->addr.addr32[3] > b->addr.addr32[3]) 302 return (1); 303 if (a->addr.addr32[3] < b->addr.addr32[3]) 304 return (-1); 305 if (a->addr.addr32[2] > b->addr.addr32[2]) 306 return (1); 307 if (a->addr.addr32[2] < b->addr.addr32[2]) 308 return (-1); 309 if (a->addr.addr32[1] > b->addr.addr32[1]) 310 return (1); 311 if (a->addr.addr32[1] < b->addr.addr32[1]) 312 return (-1); 313 if (a->addr.addr32[0] > b->addr.addr32[0]) 314 return (1); 315 if (a->addr.addr32[0] < b->addr.addr32[0]) 316 return (-1); 317 break; 318 #endif /* INET6 */ 319 } 320 return (0); 321 } 322 323 static int 324 pf_state_compare_lan_ext(struct pf_state *a, struct pf_state *b) 325 { 326 int diff; 327 328 if ((diff = a->proto - b->proto) != 0) 329 return (diff); 330 if ((diff = a->af - b->af) != 0) 331 return (diff); 332 switch (a->af) { 333 #ifdef INET 334 case AF_INET: 335 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0]) 336 return (1); 337 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0]) 338 return (-1); 339 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 340 return (1); 341 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 342 return (-1); 343 break; 344 #endif /* INET */ 345 #ifdef INET6 346 case AF_INET6: 347 if (a->lan.addr.addr32[3] > b->lan.addr.addr32[3]) 348 return (1); 349 if (a->lan.addr.addr32[3] < b->lan.addr.addr32[3]) 350 return (-1); 351 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3]) 352 return (1); 353 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3]) 354 return (-1); 355 if (a->lan.addr.addr32[2] > b->lan.addr.addr32[2]) 356 return (1); 357 if (a->lan.addr.addr32[2] < b->lan.addr.addr32[2]) 358 return (-1); 359 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2]) 360 return (1); 361 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2]) 362 return (-1); 363 if (a->lan.addr.addr32[1] > b->lan.addr.addr32[1]) 364 return (1); 365 if (a->lan.addr.addr32[1] < b->lan.addr.addr32[1]) 366 return (-1); 367 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1]) 368 return (1); 369 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1]) 370 return (-1); 371 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0]) 372 return (1); 373 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0]) 374 return (-1); 375 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 376 return (1); 377 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 378 return (-1); 379 break; 380 #endif /* INET6 */ 381 } 382 383 if ((diff = a->lan.port - b->lan.port) != 0) 384 return (diff); 385 if ((diff = a->ext.port - b->ext.port) != 0) 386 return (diff); 387 388 return (0); 389 } 390 391 static int 392 pf_state_compare_ext_gwy(struct pf_state *a, struct pf_state *b) 393 { 394 int diff; 395 396 if ((diff = a->proto - b->proto) != 0) 397 return (diff); 398 if ((diff = a->af - b->af) != 0) 399 return (diff); 400 switch (a->af) { 401 #ifdef INET 402 case AF_INET: 403 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 404 return (1); 405 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 406 return (-1); 407 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0]) 408 return (1); 409 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0]) 410 return (-1); 411 break; 412 #endif /* INET */ 413 #ifdef INET6 414 case AF_INET6: 415 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3]) 416 return (1); 417 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3]) 418 return (-1); 419 if (a->gwy.addr.addr32[3] > b->gwy.addr.addr32[3]) 420 return (1); 421 if (a->gwy.addr.addr32[3] < b->gwy.addr.addr32[3]) 422 return (-1); 423 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2]) 424 return (1); 425 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2]) 426 return (-1); 427 if (a->gwy.addr.addr32[2] > b->gwy.addr.addr32[2]) 428 return (1); 429 if (a->gwy.addr.addr32[2] < b->gwy.addr.addr32[2]) 430 return (-1); 431 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1]) 432 return (1); 433 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1]) 434 return (-1); 435 if (a->gwy.addr.addr32[1] > b->gwy.addr.addr32[1]) 436 return (1); 437 if (a->gwy.addr.addr32[1] < b->gwy.addr.addr32[1]) 438 return (-1); 439 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 440 return (1); 441 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 442 return (-1); 443 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0]) 444 return (1); 445 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0]) 446 return (-1); 447 break; 448 #endif /* INET6 */ 449 } 450 451 if ((diff = a->ext.port - b->ext.port) != 0) 452 return (diff); 453 if ((diff = a->gwy.port - b->gwy.port) != 0) 454 return (diff); 455 456 return (0); 457 } 458 459 static int 460 pf_state_compare_id(struct pf_state *a, struct pf_state *b) 461 { 462 if (a->id > b->id) 463 return (1); 464 if (a->id < b->id) 465 return (-1); 466 if (a->creatorid > b->creatorid) 467 return (1); 468 if (a->creatorid < b->creatorid) 469 return (-1); 470 471 return (0); 472 } 473 474 #ifdef INET6 475 void 476 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af) 477 { 478 switch (af) { 479 #ifdef INET 480 case AF_INET: 481 dst->addr32[0] = src->addr32[0]; 482 break; 483 #endif /* INET */ 484 case AF_INET6: 485 dst->addr32[0] = src->addr32[0]; 486 dst->addr32[1] = src->addr32[1]; 487 dst->addr32[2] = src->addr32[2]; 488 dst->addr32[3] = src->addr32[3]; 489 break; 490 } 491 } 492 #endif 493 494 struct pf_state * 495 pf_find_state_byid(struct pf_state *key) 496 { 497 pf_status.fcounters[FCNT_STATE_SEARCH]++; 498 return (RB_FIND(pf_state_tree_id, &tree_id, key)); 499 } 500 501 struct pf_state * 502 pf_find_state_recurse(struct pfi_kif *kif, struct pf_state *key, u_int8_t tree) 503 { 504 struct pf_state *s; 505 506 pf_status.fcounters[FCNT_STATE_SEARCH]++; 507 508 switch (tree) { 509 case PF_LAN_EXT: 510 for (; kif != NULL; kif = kif->pfik_parent) { 511 s = RB_FIND(pf_state_tree_lan_ext, 512 &kif->pfik_lan_ext, key); 513 if (s != NULL) 514 return (s); 515 } 516 return (NULL); 517 case PF_EXT_GWY: 518 for (; kif != NULL; kif = kif->pfik_parent) { 519 s = RB_FIND(pf_state_tree_ext_gwy, 520 &kif->pfik_ext_gwy, key); 521 if (s != NULL) 522 return (s); 523 } 524 return (NULL); 525 default: 526 panic("pf_find_state_recurse"); 527 } 528 } 529 530 struct pf_state * 531 pf_find_state_all(struct pf_state *key, u_int8_t tree, int *more) 532 { 533 struct pf_state *s, *ss = NULL; 534 struct pfi_kif *kif; 535 536 pf_status.fcounters[FCNT_STATE_SEARCH]++; 537 538 switch (tree) { 539 case PF_LAN_EXT: 540 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) { 541 s = RB_FIND(pf_state_tree_lan_ext, 542 &kif->pfik_lan_ext, key); 543 if (s == NULL) 544 continue; 545 if (more == NULL) 546 return (s); 547 ss = s; 548 (*more)++; 549 } 550 return (ss); 551 case PF_EXT_GWY: 552 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) { 553 s = RB_FIND(pf_state_tree_ext_gwy, 554 &kif->pfik_ext_gwy, key); 555 if (s == NULL) 556 continue; 557 if (more == NULL) 558 return (s); 559 ss = s; 560 (*more)++; 561 } 562 return (ss); 563 default: 564 panic("pf_find_state_all"); 565 } 566 } 567 568 int 569 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule, 570 struct pf_addr *src, sa_family_t af) 571 { 572 struct pf_src_node k; 573 574 if (*sn == NULL) { 575 k.af = af; 576 PF_ACPY(&k.addr, src, af); 577 if (rule->rule_flag & PFRULE_RULESRCTRACK || 578 rule->rpool.opts & PF_POOL_STICKYADDR) 579 k.rule.ptr = rule; 580 else 581 k.rule.ptr = NULL; 582 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; 583 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); 584 } 585 if (*sn == NULL) { 586 if (!rule->max_src_nodes || 587 rule->src_nodes < rule->max_src_nodes) 588 (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT); 589 if ((*sn) == NULL) 590 return (-1); 591 bzero(*sn, sizeof(struct pf_src_node)); 592 (*sn)->af = af; 593 if (rule->rule_flag & PFRULE_RULESRCTRACK || 594 rule->rpool.opts & PF_POOL_STICKYADDR) 595 (*sn)->rule.ptr = rule; 596 else 597 (*sn)->rule.ptr = NULL; 598 PF_ACPY(&(*sn)->addr, src, af); 599 if (RB_INSERT(pf_src_tree, 600 &tree_src_tracking, *sn) != NULL) { 601 if (pf_status.debug >= PF_DEBUG_MISC) { 602 printf("pf: src_tree insert failed: "); 603 pf_print_host(&(*sn)->addr, 0, af); 604 printf("\n"); 605 } 606 pool_put(&pf_src_tree_pl, *sn); 607 return (-1); 608 } 609 (*sn)->creation = time_second; 610 (*sn)->ruletype = rule->action; 611 if ((*sn)->rule.ptr != NULL) 612 (*sn)->rule.ptr->src_nodes++; 613 pf_status.scounters[SCNT_SRC_NODE_INSERT]++; 614 pf_status.src_nodes++; 615 } else { 616 if (rule->max_src_states && 617 (*sn)->states >= rule->max_src_states) 618 return (-1); 619 } 620 return (0); 621 } 622 623 int 624 pf_insert_state(struct pfi_kif *kif, struct pf_state *state) 625 { 626 /* Thou MUST NOT insert multiple duplicate keys */ 627 state->u.s.kif = kif; 628 if (RB_INSERT(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state)) { 629 if (pf_status.debug >= PF_DEBUG_MISC) { 630 printf("pf: state insert failed: tree_lan_ext"); 631 printf(" lan: "); 632 pf_print_host(&state->lan.addr, state->lan.port, 633 state->af); 634 printf(" gwy: "); 635 pf_print_host(&state->gwy.addr, state->gwy.port, 636 state->af); 637 printf(" ext: "); 638 pf_print_host(&state->ext.addr, state->ext.port, 639 state->af); 640 if (state->sync_flags & PFSTATE_FROMSYNC) 641 printf(" (from sync)"); 642 printf("\n"); 643 } 644 return (-1); 645 } 646 647 if (RB_INSERT(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state)) { 648 if (pf_status.debug >= PF_DEBUG_MISC) { 649 printf("pf: state insert failed: tree_ext_gwy"); 650 printf(" lan: "); 651 pf_print_host(&state->lan.addr, state->lan.port, 652 state->af); 653 printf(" gwy: "); 654 pf_print_host(&state->gwy.addr, state->gwy.port, 655 state->af); 656 printf(" ext: "); 657 pf_print_host(&state->ext.addr, state->ext.port, 658 state->af); 659 if (state->sync_flags & PFSTATE_FROMSYNC) 660 printf(" (from sync)"); 661 printf("\n"); 662 } 663 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state); 664 return (-1); 665 } 666 667 if (state->id == 0 && state->creatorid == 0) { 668 state->id = htobe64(pf_status.stateid++); 669 state->creatorid = pf_status.hostid; 670 } 671 if (RB_INSERT(pf_state_tree_id, &tree_id, state) != NULL) { 672 if (pf_status.debug >= PF_DEBUG_MISC) { 673 printf("pf: state insert failed: " 674 "id: %016" PRIx64 " creatorid: %08" PRIx32, 675 be64toh(state->id), ntohl(state->creatorid)); 676 if (state->sync_flags & PFSTATE_FROMSYNC) 677 printf(" (from sync)"); 678 printf("\n"); 679 } 680 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state); 681 RB_REMOVE(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state); 682 return (-1); 683 } 684 TAILQ_INSERT_HEAD(&state_updates, state, u.s.entry_updates); 685 686 pf_status.fcounters[FCNT_STATE_INSERT]++; 687 pf_status.states++; 688 pfi_attach_state(kif); 689 #if NPFSYNC 690 pfsync_insert_state(state); 691 #endif 692 return (0); 693 } 694 695 void 696 pf_purge_timeout(void *arg) 697 { 698 struct callout *to = arg; 699 700 crit_enter(); 701 pf_purge_expired_states(); 702 pf_purge_expired_fragments(); 703 pf_purge_expired_src_nodes(); 704 crit_exit(); 705 706 callout_reset(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz, 707 pf_purge_timeout, to); 708 } 709 710 u_int32_t 711 pf_state_expires(const struct pf_state *state) 712 { 713 u_int32_t timeout; 714 u_int32_t start; 715 u_int32_t end; 716 u_int32_t states; 717 718 /* handle all PFTM_* > PFTM_MAX here */ 719 if (state->timeout == PFTM_PURGE) 720 return (time_second); 721 if (state->timeout == PFTM_UNTIL_PACKET) 722 return (0); 723 KASSERT((state->timeout < PFTM_MAX), 724 ("pf_state_expires: timeout > PFTM_MAX")); 725 timeout = state->rule.ptr->timeout[state->timeout]; 726 if (!timeout) 727 timeout = pf_default_rule.timeout[state->timeout]; 728 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START]; 729 if (start) { 730 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END]; 731 states = state->rule.ptr->states; 732 } else { 733 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START]; 734 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END]; 735 states = pf_status.states; 736 } 737 if (end && states > start && start < end) { 738 if (states < end) 739 return (state->expire + timeout * (end - states) / 740 (end - start)); 741 else 742 return (time_second); 743 } 744 return (state->expire + timeout); 745 } 746 747 void 748 pf_purge_expired_src_nodes(void) 749 { 750 struct pf_src_node *cur, *next; 751 752 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) { 753 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur); 754 755 if (cur->states <= 0 && cur->expire <= time_second) { 756 if (cur->rule.ptr != NULL) { 757 cur->rule.ptr->src_nodes--; 758 if (cur->rule.ptr->states <= 0 && 759 cur->rule.ptr->max_src_nodes <= 0) 760 pf_rm_rule(NULL, cur->rule.ptr); 761 } 762 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur); 763 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 764 pf_status.src_nodes--; 765 pool_put(&pf_src_tree_pl, cur); 766 } 767 } 768 } 769 770 void 771 pf_src_tree_remove_state(struct pf_state *s) 772 { 773 u_int32_t timeout; 774 775 if (s->src_node != NULL) { 776 if (--s->src_node->states <= 0) { 777 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 778 if (!timeout) 779 timeout = 780 pf_default_rule.timeout[PFTM_SRC_NODE]; 781 s->src_node->expire = time_second + timeout; 782 } 783 } 784 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) { 785 if (--s->nat_src_node->states <= 0) { 786 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 787 if (!timeout) 788 timeout = 789 pf_default_rule.timeout[PFTM_SRC_NODE]; 790 s->nat_src_node->expire = time_second + timeout; 791 } 792 } 793 s->src_node = s->nat_src_node = NULL; 794 } 795 796 void 797 pf_purge_expired_states(void) 798 { 799 struct pf_state *cur, *next; 800 801 for (cur = RB_MIN(pf_state_tree_id, &tree_id); 802 cur; cur = next) { 803 next = RB_NEXT(pf_state_tree_id, &tree_id, cur); 804 805 if (pf_state_expires(cur) <= time_second) { 806 if (cur->src.state == PF_TCPS_PROXY_DST) 807 pf_send_tcp(cur->rule.ptr, cur->af, 808 &cur->ext.addr, &cur->lan.addr, 809 cur->ext.port, cur->lan.port, 810 cur->src.seqhi, cur->src.seqlo + 1, 0, 811 TH_RST|TH_ACK, 0, 0); 812 RB_REMOVE(pf_state_tree_ext_gwy, 813 &cur->u.s.kif->pfik_ext_gwy, cur); 814 RB_REMOVE(pf_state_tree_lan_ext, 815 &cur->u.s.kif->pfik_lan_ext, cur); 816 RB_REMOVE(pf_state_tree_id, &tree_id, cur); 817 #if NPFSYNC 818 pfsync_delete_state(cur); 819 #endif 820 pf_src_tree_remove_state(cur); 821 if (--cur->rule.ptr->states <= 0 && 822 cur->rule.ptr->src_nodes <= 0) 823 pf_rm_rule(NULL, cur->rule.ptr); 824 if (cur->nat_rule.ptr != NULL) 825 if (--cur->nat_rule.ptr->states <= 0 && 826 cur->nat_rule.ptr->src_nodes <= 0) 827 pf_rm_rule(NULL, cur->nat_rule.ptr); 828 if (cur->anchor.ptr != NULL) 829 if (--cur->anchor.ptr->states <= 0) 830 pf_rm_rule(NULL, cur->anchor.ptr); 831 pf_normalize_tcp_cleanup(cur); 832 pfi_detach_state(cur->u.s.kif); 833 TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates); 834 pool_put(&pf_state_pl, cur); 835 pf_status.fcounters[FCNT_STATE_REMOVALS]++; 836 pf_status.states--; 837 } 838 } 839 } 840 841 int 842 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw) 843 { 844 if (aw->type != PF_ADDR_TABLE) 845 return (0); 846 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL) 847 return (1); 848 return (0); 849 } 850 851 void 852 pf_tbladdr_remove(struct pf_addr_wrap *aw) 853 { 854 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL) 855 return; 856 pfr_detach_table(aw->p.tbl); 857 aw->p.tbl = NULL; 858 } 859 860 void 861 pf_tbladdr_copyout(struct pf_addr_wrap *aw) 862 { 863 struct pfr_ktable *kt = aw->p.tbl; 864 865 if (aw->type != PF_ADDR_TABLE || kt == NULL) 866 return; 867 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) 868 kt = kt->pfrkt_root; 869 aw->p.tbl = NULL; 870 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ? 871 kt->pfrkt_cnt : -1; 872 } 873 874 void 875 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af) 876 { 877 switch (af) { 878 #ifdef INET 879 case AF_INET: { 880 u_int32_t a = ntohl(addr->addr32[0]); 881 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255, 882 (a>>8)&255, a&255); 883 if (p) { 884 p = ntohs(p); 885 printf(":%u", p); 886 } 887 break; 888 } 889 #endif /* INET */ 890 #ifdef INET6 891 case AF_INET6: { 892 u_int16_t b; 893 u_int8_t i, curstart = 255, curend = 0, 894 maxstart = 0, maxend = 0; 895 for (i = 0; i < 8; i++) { 896 if (!addr->addr16[i]) { 897 if (curstart == 255) 898 curstart = i; 899 else 900 curend = i; 901 } else { 902 if (curstart) { 903 if ((curend - curstart) > 904 (maxend - maxstart)) { 905 maxstart = curstart; 906 maxend = curend; 907 curstart = 255; 908 } 909 } 910 } 911 } 912 for (i = 0; i < 8; i++) { 913 if (i >= maxstart && i <= maxend) { 914 if (maxend != 7) { 915 if (i == maxstart) 916 printf(":"); 917 } else { 918 if (i == maxend) 919 printf(":"); 920 } 921 } else { 922 b = ntohs(addr->addr16[i]); 923 printf("%x", b); 924 if (i < 7) 925 printf(":"); 926 } 927 } 928 if (p) { 929 p = ntohs(p); 930 printf("[%u]", p); 931 } 932 break; 933 } 934 #endif /* INET6 */ 935 } 936 } 937 938 void 939 pf_print_state(struct pf_state *s) 940 { 941 switch (s->proto) { 942 case IPPROTO_TCP: 943 printf("TCP "); 944 break; 945 case IPPROTO_UDP: 946 printf("UDP "); 947 break; 948 case IPPROTO_ICMP: 949 printf("ICMP "); 950 break; 951 case IPPROTO_ICMPV6: 952 printf("ICMPV6 "); 953 break; 954 default: 955 printf("%u ", s->proto); 956 break; 957 } 958 pf_print_host(&s->lan.addr, s->lan.port, s->af); 959 printf(" "); 960 pf_print_host(&s->gwy.addr, s->gwy.port, s->af); 961 printf(" "); 962 pf_print_host(&s->ext.addr, s->ext.port, s->af); 963 printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo, 964 s->src.seqhi, s->src.max_win, s->src.seqdiff); 965 if (s->src.wscale && s->dst.wscale) 966 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK); 967 printf("]"); 968 printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo, 969 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff); 970 if (s->src.wscale && s->dst.wscale) 971 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK); 972 printf("]"); 973 printf(" %u:%u", s->src.state, s->dst.state); 974 } 975 976 void 977 pf_print_flags(u_int8_t f) 978 { 979 if (f) 980 printf(" "); 981 if (f & TH_FIN) 982 printf("F"); 983 if (f & TH_SYN) 984 printf("S"); 985 if (f & TH_RST) 986 printf("R"); 987 if (f & TH_PUSH) 988 printf("P"); 989 if (f & TH_ACK) 990 printf("A"); 991 if (f & TH_URG) 992 printf("U"); 993 if (f & TH_ECE) 994 printf("E"); 995 if (f & TH_CWR) 996 printf("W"); 997 } 998 999 #define PF_SET_SKIP_STEPS(i) \ 1000 do { \ 1001 while (head[i] != cur) { \ 1002 head[i]->skip[i].ptr = cur; \ 1003 head[i] = TAILQ_NEXT(head[i], entries); \ 1004 } \ 1005 } while (0) 1006 1007 void 1008 pf_calc_skip_steps(struct pf_rulequeue *rules) 1009 { 1010 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT]; 1011 int i; 1012 1013 cur = TAILQ_FIRST(rules); 1014 prev = cur; 1015 for (i = 0; i < PF_SKIP_COUNT; ++i) 1016 head[i] = cur; 1017 while (cur != NULL) { 1018 1019 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot) 1020 PF_SET_SKIP_STEPS(PF_SKIP_IFP); 1021 if (cur->direction != prev->direction) 1022 PF_SET_SKIP_STEPS(PF_SKIP_DIR); 1023 if (cur->af != prev->af) 1024 PF_SET_SKIP_STEPS(PF_SKIP_AF); 1025 if (cur->proto != prev->proto) 1026 PF_SET_SKIP_STEPS(PF_SKIP_PROTO); 1027 if (cur->src.not != prev->src.not || 1028 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr)) 1029 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR); 1030 if (cur->src.port[0] != prev->src.port[0] || 1031 cur->src.port[1] != prev->src.port[1] || 1032 cur->src.port_op != prev->src.port_op) 1033 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT); 1034 if (cur->dst.not != prev->dst.not || 1035 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr)) 1036 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR); 1037 if (cur->dst.port[0] != prev->dst.port[0] || 1038 cur->dst.port[1] != prev->dst.port[1] || 1039 cur->dst.port_op != prev->dst.port_op) 1040 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT); 1041 1042 prev = cur; 1043 cur = TAILQ_NEXT(cur, entries); 1044 } 1045 for (i = 0; i < PF_SKIP_COUNT; ++i) 1046 PF_SET_SKIP_STEPS(i); 1047 } 1048 1049 int 1050 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2) 1051 { 1052 if (aw1->type != aw2->type) 1053 return (1); 1054 switch (aw1->type) { 1055 case PF_ADDR_ADDRMASK: 1056 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0)) 1057 return (1); 1058 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) 1059 return (1); 1060 return (0); 1061 case PF_ADDR_DYNIFTL: 1062 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt); 1063 case PF_ADDR_NOROUTE: 1064 return (0); 1065 case PF_ADDR_TABLE: 1066 return (aw1->p.tbl != aw2->p.tbl); 1067 default: 1068 printf("invalid address type: %d\n", aw1->type); 1069 return (1); 1070 } 1071 } 1072 1073 void 1074 pf_update_anchor_rules(void) 1075 { 1076 struct pf_rule *rule; 1077 int i; 1078 1079 for (i = 0; i < PF_RULESET_MAX; ++i) 1080 TAILQ_FOREACH(rule, pf_main_ruleset.rules[i].active.ptr, 1081 entries) 1082 if (rule->anchorname[0]) 1083 rule->anchor = pf_find_anchor(rule->anchorname); 1084 else 1085 rule->anchor = NULL; 1086 } 1087 1088 u_int16_t 1089 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) 1090 { 1091 u_int32_t l; 1092 1093 if (udp && !cksum) 1094 return (0x0000); 1095 l = cksum + old - new; 1096 l = (l >> 16) + (l & 65535); 1097 l = l & 65535; 1098 if (udp && !l) 1099 return (0xFFFF); 1100 return (l); 1101 } 1102 1103 void 1104 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, 1105 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af) 1106 { 1107 struct pf_addr ao; 1108 u_int16_t po = *p; 1109 1110 PF_ACPY(&ao, a, af); 1111 PF_ACPY(a, an, af); 1112 1113 *p = pn; 1114 1115 switch (af) { 1116 #ifdef INET 1117 case AF_INET: 1118 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1119 ao.addr16[0], an->addr16[0], 0), 1120 ao.addr16[1], an->addr16[1], 0); 1121 *p = pn; 1122 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1123 ao.addr16[0], an->addr16[0], u), 1124 ao.addr16[1], an->addr16[1], u), 1125 po, pn, u); 1126 break; 1127 #endif /* INET */ 1128 #ifdef INET6 1129 case AF_INET6: 1130 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1131 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1132 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1133 ao.addr16[0], an->addr16[0], u), 1134 ao.addr16[1], an->addr16[1], u), 1135 ao.addr16[2], an->addr16[2], u), 1136 ao.addr16[3], an->addr16[3], u), 1137 ao.addr16[4], an->addr16[4], u), 1138 ao.addr16[5], an->addr16[5], u), 1139 ao.addr16[6], an->addr16[6], u), 1140 ao.addr16[7], an->addr16[7], u), 1141 po, pn, u); 1142 break; 1143 #endif /* INET6 */ 1144 } 1145 } 1146 1147 1148 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */ 1149 void 1150 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u) 1151 { 1152 u_int32_t ao; 1153 1154 memcpy(&ao, a, sizeof(ao)); 1155 memcpy(a, &an, sizeof(u_int32_t)); 1156 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u), 1157 ao % 65536, an % 65536, u); 1158 } 1159 1160 #ifdef INET6 1161 void 1162 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) 1163 { 1164 struct pf_addr ao; 1165 1166 PF_ACPY(&ao, a, AF_INET6); 1167 PF_ACPY(a, an, AF_INET6); 1168 1169 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1170 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1171 pf_cksum_fixup(pf_cksum_fixup(*c, 1172 ao.addr16[0], an->addr16[0], u), 1173 ao.addr16[1], an->addr16[1], u), 1174 ao.addr16[2], an->addr16[2], u), 1175 ao.addr16[3], an->addr16[3], u), 1176 ao.addr16[4], an->addr16[4], u), 1177 ao.addr16[5], an->addr16[5], u), 1178 ao.addr16[6], an->addr16[6], u), 1179 ao.addr16[7], an->addr16[7], u); 1180 } 1181 #endif /* INET6 */ 1182 1183 void 1184 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, 1185 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, 1186 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af) 1187 { 1188 struct pf_addr oia, ooa; 1189 1190 PF_ACPY(&oia, ia, af); 1191 PF_ACPY(&ooa, oa, af); 1192 1193 /* Change inner protocol port, fix inner protocol checksum. */ 1194 if (ip != NULL) { 1195 u_int16_t oip = *ip; 1196 u_int32_t opc = 0; 1197 1198 if (pc != NULL) 1199 opc = *pc; 1200 *ip = np; 1201 if (pc != NULL) 1202 *pc = pf_cksum_fixup(*pc, oip, *ip, u); 1203 *ic = pf_cksum_fixup(*ic, oip, *ip, 0); 1204 if (pc != NULL) 1205 *ic = pf_cksum_fixup(*ic, opc, *pc, 0); 1206 } 1207 /* Change inner ip address, fix inner ip and icmp checksums. */ 1208 PF_ACPY(ia, na, af); 1209 switch (af) { 1210 #ifdef INET 1211 case AF_INET: { 1212 u_int32_t oh2c = *h2c; 1213 1214 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c, 1215 oia.addr16[0], ia->addr16[0], 0), 1216 oia.addr16[1], ia->addr16[1], 0); 1217 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1218 oia.addr16[0], ia->addr16[0], 0), 1219 oia.addr16[1], ia->addr16[1], 0); 1220 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0); 1221 break; 1222 } 1223 #endif /* INET */ 1224 #ifdef INET6 1225 case AF_INET6: 1226 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1227 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1228 pf_cksum_fixup(pf_cksum_fixup(*ic, 1229 oia.addr16[0], ia->addr16[0], u), 1230 oia.addr16[1], ia->addr16[1], u), 1231 oia.addr16[2], ia->addr16[2], u), 1232 oia.addr16[3], ia->addr16[3], u), 1233 oia.addr16[4], ia->addr16[4], u), 1234 oia.addr16[5], ia->addr16[5], u), 1235 oia.addr16[6], ia->addr16[6], u), 1236 oia.addr16[7], ia->addr16[7], u); 1237 break; 1238 #endif /* INET6 */ 1239 } 1240 /* Change outer ip address, fix outer ip or icmpv6 checksum. */ 1241 PF_ACPY(oa, na, af); 1242 switch (af) { 1243 #ifdef INET 1244 case AF_INET: 1245 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc, 1246 ooa.addr16[0], oa->addr16[0], 0), 1247 ooa.addr16[1], oa->addr16[1], 0); 1248 break; 1249 #endif /* INET */ 1250 #ifdef INET6 1251 case AF_INET6: 1252 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1253 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1254 pf_cksum_fixup(pf_cksum_fixup(*ic, 1255 ooa.addr16[0], oa->addr16[0], u), 1256 ooa.addr16[1], oa->addr16[1], u), 1257 ooa.addr16[2], oa->addr16[2], u), 1258 ooa.addr16[3], oa->addr16[3], u), 1259 ooa.addr16[4], oa->addr16[4], u), 1260 ooa.addr16[5], oa->addr16[5], u), 1261 ooa.addr16[6], oa->addr16[6], u), 1262 ooa.addr16[7], oa->addr16[7], u); 1263 break; 1264 #endif /* INET6 */ 1265 } 1266 } 1267 1268 void 1269 pf_send_tcp(const struct pf_rule *r, sa_family_t af, 1270 const struct pf_addr *saddr, const struct pf_addr *daddr, 1271 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, 1272 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl) 1273 { 1274 struct mbuf *m; 1275 int len = 0, tlen; 1276 #ifdef INET 1277 struct ip *h = NULL; 1278 #endif /* INET */ 1279 #ifdef INET6 1280 struct ip6_hdr *h6 = NULL; 1281 #endif /* INET6 */ 1282 struct tcphdr *th = NULL; 1283 char *opt; 1284 1285 /* maximum segment size tcp option */ 1286 tlen = sizeof(struct tcphdr); 1287 if (mss) 1288 tlen += 4; 1289 1290 switch (af) { 1291 #ifdef INET 1292 case AF_INET: 1293 len = sizeof(struct ip) + tlen; 1294 break; 1295 #endif /* INET */ 1296 #ifdef INET6 1297 case AF_INET6: 1298 len = sizeof(struct ip6_hdr) + tlen; 1299 break; 1300 #endif /* INET6 */ 1301 } 1302 1303 /* create outgoing mbuf */ 1304 m = m_gethdr(MB_DONTWAIT, MT_HEADER); 1305 if (m == NULL) 1306 return; 1307 m->m_pkthdr.fw_flags |= PF_MBUF_GENERATED; 1308 #ifdef ALTQ 1309 if (r != NULL && r->qid) { 1310 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED; 1311 m->m_pkthdr.altq_qid = r->qid; 1312 m->m_pkthdr.ecn_af = af; 1313 m->m_pkthdr.header = mtod(m, struct ip *); 1314 } 1315 #endif 1316 m->m_data += max_linkhdr; 1317 m->m_pkthdr.len = m->m_len = len; 1318 m->m_pkthdr.rcvif = NULL; 1319 bzero(m->m_data, len); 1320 switch (af) { 1321 #ifdef INET 1322 case AF_INET: 1323 h = mtod(m, struct ip *); 1324 1325 /* IP header fields included in the TCP checksum */ 1326 h->ip_p = IPPROTO_TCP; 1327 h->ip_len = tlen; 1328 h->ip_src.s_addr = saddr->v4.s_addr; 1329 h->ip_dst.s_addr = daddr->v4.s_addr; 1330 1331 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip)); 1332 break; 1333 #endif /* INET */ 1334 #ifdef INET6 1335 case AF_INET6: 1336 h6 = mtod(m, struct ip6_hdr *); 1337 1338 /* IP header fields included in the TCP checksum */ 1339 h6->ip6_nxt = IPPROTO_TCP; 1340 h6->ip6_plen = htons(tlen); 1341 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr)); 1342 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr)); 1343 1344 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr)); 1345 break; 1346 #endif /* INET6 */ 1347 } 1348 1349 /* TCP header */ 1350 th->th_sport = sport; 1351 th->th_dport = dport; 1352 th->th_seq = htonl(seq); 1353 th->th_ack = htonl(ack); 1354 th->th_off = tlen >> 2; 1355 th->th_flags = flags; 1356 th->th_win = htons(win); 1357 1358 if (mss) { 1359 opt = (char *)(th + 1); 1360 opt[0] = TCPOPT_MAXSEG; 1361 opt[1] = 4; 1362 mss = htons(mss); 1363 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2); 1364 } 1365 1366 switch (af) { 1367 #ifdef INET 1368 case AF_INET: 1369 /* TCP checksum */ 1370 th->th_sum = in_cksum(m, len); 1371 1372 /* Finish the IP header */ 1373 h->ip_v = 4; 1374 h->ip_hl = sizeof(*h) >> 2; 1375 h->ip_tos = IPTOS_LOWDELAY; 1376 h->ip_len = len; 1377 h->ip_off = path_mtu_discovery ? IP_DF : 0; 1378 h->ip_ttl = ttl ? ttl : ip_defttl; 1379 h->ip_sum = 0; 1380 ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL, 1381 (void *)NULL); 1382 break; 1383 #endif /* INET */ 1384 #ifdef INET6 1385 case AF_INET6: 1386 /* TCP checksum */ 1387 th->th_sum = in6_cksum(m, IPPROTO_TCP, 1388 sizeof(struct ip6_hdr), tlen); 1389 1390 h6->ip6_vfc |= IPV6_VERSION; 1391 h6->ip6_hlim = IPV6_DEFHLIM; 1392 1393 ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); 1394 break; 1395 #endif /* INET6 */ 1396 } 1397 } 1398 1399 void 1400 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, 1401 struct pf_rule *r) 1402 { 1403 struct mbuf *m0; 1404 1405 m0 = m_copypacket(m, MB_DONTWAIT); 1406 if (m0 == NULL) 1407 return; 1408 m0->m_pkthdr.fw_flags |= PF_MBUF_GENERATED; 1409 1410 #ifdef ALTQ 1411 if (r->qid) { 1412 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED; 1413 m->m_pkthdr.altq_qid = r->qid; 1414 m->m_pkthdr.ecn_af = af; 1415 m->m_pkthdr.header = mtod(m0, struct ip *); 1416 } 1417 #endif 1418 1419 switch (af) { 1420 #ifdef INET 1421 case AF_INET: 1422 icmp_error(m0, type, code, 0, 0); 1423 break; 1424 #endif /* INET */ 1425 #ifdef INET6 1426 case AF_INET6: 1427 icmp6_error(m0, type, code, 0); 1428 break; 1429 #endif /* INET6 */ 1430 } 1431 } 1432 1433 /* 1434 * Return 1 if the addresses a and b match (with mask m), otherwise return 0. 1435 * If n is 0, they match if they are equal. If n is != 0, they match if they 1436 * are different. 1437 */ 1438 int 1439 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m, 1440 struct pf_addr *b, sa_family_t af) 1441 { 1442 int match = 0; 1443 1444 switch (af) { 1445 #ifdef INET 1446 case AF_INET: 1447 if ((a->addr32[0] & m->addr32[0]) == 1448 (b->addr32[0] & m->addr32[0])) 1449 match++; 1450 break; 1451 #endif /* INET */ 1452 #ifdef INET6 1453 case AF_INET6: 1454 if (((a->addr32[0] & m->addr32[0]) == 1455 (b->addr32[0] & m->addr32[0])) && 1456 ((a->addr32[1] & m->addr32[1]) == 1457 (b->addr32[1] & m->addr32[1])) && 1458 ((a->addr32[2] & m->addr32[2]) == 1459 (b->addr32[2] & m->addr32[2])) && 1460 ((a->addr32[3] & m->addr32[3]) == 1461 (b->addr32[3] & m->addr32[3]))) 1462 match++; 1463 break; 1464 #endif /* INET6 */ 1465 } 1466 if (match) { 1467 if (n) 1468 return (0); 1469 else 1470 return (1); 1471 } else { 1472 if (n) 1473 return (1); 1474 else 1475 return (0); 1476 } 1477 } 1478 1479 int 1480 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p) 1481 { 1482 switch (op) { 1483 case PF_OP_IRG: 1484 return ((p > a1) && (p < a2)); 1485 case PF_OP_XRG: 1486 return ((p < a1) || (p > a2)); 1487 case PF_OP_RRG: 1488 return ((p >= a1) && (p <= a2)); 1489 case PF_OP_EQ: 1490 return (p == a1); 1491 case PF_OP_NE: 1492 return (p != a1); 1493 case PF_OP_LT: 1494 return (p < a1); 1495 case PF_OP_LE: 1496 return (p <= a1); 1497 case PF_OP_GT: 1498 return (p > a1); 1499 case PF_OP_GE: 1500 return (p >= a1); 1501 } 1502 return (0); /* never reached */ 1503 } 1504 1505 int 1506 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p) 1507 { 1508 a1 = ntohs(a1); 1509 a2 = ntohs(a2); 1510 p = ntohs(p); 1511 return (pf_match(op, a1, a2, p)); 1512 } 1513 1514 int 1515 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u) 1516 { 1517 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1518 return (0); 1519 return (pf_match(op, a1, a2, u)); 1520 } 1521 1522 int 1523 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) 1524 { 1525 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1526 return (0); 1527 return (pf_match(op, a1, a2, g)); 1528 } 1529 1530 static int 1531 pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_rule *nat_rule, 1532 int *tag) 1533 { 1534 if (*tag == -1) { /* find mbuf tag */ 1535 if (nat_rule != NULL && nat_rule->tag) 1536 *tag = nat_rule->tag; 1537 else if (m->m_pkthdr.fw_flags & PF_MBUF_TAGGED) 1538 *tag = m->m_pkthdr.pf_tag; 1539 else 1540 *tag = 0; 1541 } 1542 1543 return ((!r->match_tag_not && r->match_tag == *tag) || 1544 (r->match_tag_not && r->match_tag != *tag)); 1545 } 1546 1547 void 1548 pf_tag_packet(struct mbuf *m, int tag) 1549 { 1550 if (tag <= 0) 1551 return; 1552 1553 m->m_pkthdr.fw_flags |= PF_MBUF_TAGGED; 1554 m->m_pkthdr.pf_tag = tag; 1555 } 1556 1557 #define PF_STEP_INTO_ANCHOR(r, a, s, n) \ 1558 do { \ 1559 if ((r) == NULL || (r)->anchor == NULL || \ 1560 (s) != NULL || (a) != NULL) \ 1561 panic("PF_STEP_INTO_ANCHOR"); \ 1562 (a) = (r); \ 1563 (s) = TAILQ_FIRST(&(r)->anchor->rulesets); \ 1564 (r) = NULL; \ 1565 while ((s) != NULL && ((r) = \ 1566 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1567 (s) = TAILQ_NEXT((s), entries); \ 1568 if ((r) == NULL) { \ 1569 (r) = TAILQ_NEXT((a), entries); \ 1570 (a) = NULL; \ 1571 } \ 1572 } while (0) 1573 1574 #define PF_STEP_OUT_OF_ANCHOR(r, a, s, n) \ 1575 do { \ 1576 if ((r) != NULL || (a) == NULL || (s) == NULL) \ 1577 panic("PF_STEP_OUT_OF_ANCHOR"); \ 1578 (s) = TAILQ_NEXT((s), entries); \ 1579 while ((s) != NULL && ((r) = \ 1580 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1581 (s) = TAILQ_NEXT((s), entries); \ 1582 if ((r) == NULL) { \ 1583 (r) = TAILQ_NEXT((a), entries); \ 1584 (a) = NULL; \ 1585 } \ 1586 } while (0) 1587 1588 #ifdef INET6 1589 void 1590 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr, 1591 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af) 1592 { 1593 switch (af) { 1594 #ifdef INET 1595 case AF_INET: 1596 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1597 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1598 break; 1599 #endif /* INET */ 1600 case AF_INET6: 1601 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1602 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1603 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) | 1604 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]); 1605 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) | 1606 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]); 1607 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) | 1608 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]); 1609 break; 1610 } 1611 } 1612 1613 void 1614 pf_addr_inc(struct pf_addr *addr, sa_family_t af) 1615 { 1616 switch (af) { 1617 #ifdef INET 1618 case AF_INET: 1619 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1); 1620 break; 1621 #endif /* INET */ 1622 case AF_INET6: 1623 if (addr->addr32[3] == 0xffffffff) { 1624 addr->addr32[3] = 0; 1625 if (addr->addr32[2] == 0xffffffff) { 1626 addr->addr32[2] = 0; 1627 if (addr->addr32[1] == 0xffffffff) { 1628 addr->addr32[1] = 0; 1629 addr->addr32[0] = 1630 htonl(ntohl(addr->addr32[0]) + 1); 1631 } else 1632 addr->addr32[1] = 1633 htonl(ntohl(addr->addr32[1]) + 1); 1634 } else 1635 addr->addr32[2] = 1636 htonl(ntohl(addr->addr32[2]) + 1); 1637 } else 1638 addr->addr32[3] = 1639 htonl(ntohl(addr->addr32[3]) + 1); 1640 break; 1641 } 1642 } 1643 #endif /* INET6 */ 1644 1645 #define mix(a,b,c) \ 1646 do { \ 1647 a -= b; a -= c; a ^= (c >> 13); \ 1648 b -= c; b -= a; b ^= (a << 8); \ 1649 c -= a; c -= b; c ^= (b >> 13); \ 1650 a -= b; a -= c; a ^= (c >> 12); \ 1651 b -= c; b -= a; b ^= (a << 16); \ 1652 c -= a; c -= b; c ^= (b >> 5); \ 1653 a -= b; a -= c; a ^= (c >> 3); \ 1654 b -= c; b -= a; b ^= (a << 10); \ 1655 c -= a; c -= b; c ^= (b >> 15); \ 1656 } while (0) 1657 1658 /* 1659 * hash function based on bridge_hash in if_bridge.c 1660 */ 1661 void 1662 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, 1663 struct pf_poolhashkey *key, sa_family_t af) 1664 { 1665 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; 1666 1667 switch (af) { 1668 #ifdef INET 1669 case AF_INET: 1670 a += inaddr->addr32[0]; 1671 b += key->key32[1]; 1672 mix(a, b, c); 1673 hash->addr32[0] = c + key->key32[2]; 1674 break; 1675 #endif /* INET */ 1676 #ifdef INET6 1677 case AF_INET6: 1678 a += inaddr->addr32[0]; 1679 b += inaddr->addr32[2]; 1680 mix(a, b, c); 1681 hash->addr32[0] = c; 1682 a += inaddr->addr32[1]; 1683 b += inaddr->addr32[3]; 1684 c += key->key32[1]; 1685 mix(a, b, c); 1686 hash->addr32[1] = c; 1687 a += inaddr->addr32[2]; 1688 b += inaddr->addr32[1]; 1689 c += key->key32[2]; 1690 mix(a, b, c); 1691 hash->addr32[2] = c; 1692 a += inaddr->addr32[3]; 1693 b += inaddr->addr32[0]; 1694 c += key->key32[3]; 1695 mix(a, b, c); 1696 hash->addr32[3] = c; 1697 break; 1698 #endif /* INET6 */ 1699 } 1700 } 1701 1702 int 1703 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr, 1704 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn) 1705 { 1706 unsigned char hash[16]; 1707 struct pf_pool *rpool = &r->rpool; 1708 struct pf_addr *raddr = &rpool->cur->addr.v.a.addr; 1709 struct pf_addr *rmask = &rpool->cur->addr.v.a.mask; 1710 struct pf_pooladdr *acur = rpool->cur; 1711 struct pf_src_node k; 1712 1713 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR && 1714 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 1715 k.af = af; 1716 PF_ACPY(&k.addr, saddr, af); 1717 if (r->rule_flag & PFRULE_RULESRCTRACK || 1718 r->rpool.opts & PF_POOL_STICKYADDR) 1719 k.rule.ptr = r; 1720 else 1721 k.rule.ptr = NULL; 1722 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; 1723 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); 1724 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) { 1725 PF_ACPY(naddr, &(*sn)->raddr, af); 1726 if (pf_status.debug >= PF_DEBUG_MISC) { 1727 printf("pf_map_addr: src tracking maps "); 1728 pf_print_host(&k.addr, 0, af); 1729 printf(" to "); 1730 pf_print_host(naddr, 0, af); 1731 printf("\n"); 1732 } 1733 return (0); 1734 } 1735 } 1736 1737 if (rpool->cur->addr.type == PF_ADDR_NOROUTE) 1738 return (1); 1739 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1740 if (af == AF_INET) { 1741 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 && 1742 (rpool->opts & PF_POOL_TYPEMASK) != 1743 PF_POOL_ROUNDROBIN) 1744 return (1); 1745 raddr = &rpool->cur->addr.p.dyn->pfid_addr4; 1746 rmask = &rpool->cur->addr.p.dyn->pfid_mask4; 1747 } else { 1748 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 && 1749 (rpool->opts & PF_POOL_TYPEMASK) != 1750 PF_POOL_ROUNDROBIN) 1751 return (1); 1752 raddr = &rpool->cur->addr.p.dyn->pfid_addr6; 1753 rmask = &rpool->cur->addr.p.dyn->pfid_mask6; 1754 } 1755 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1756 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) 1757 return (1); /* unsupported */ 1758 } else { 1759 raddr = &rpool->cur->addr.v.a.addr; 1760 rmask = &rpool->cur->addr.v.a.mask; 1761 } 1762 1763 switch (rpool->opts & PF_POOL_TYPEMASK) { 1764 case PF_POOL_NONE: 1765 PF_ACPY(naddr, raddr, af); 1766 break; 1767 case PF_POOL_BITMASK: 1768 PF_POOLMASK(naddr, raddr, rmask, saddr, af); 1769 break; 1770 case PF_POOL_RANDOM: 1771 if (init_addr != NULL && PF_AZERO(init_addr, af)) { 1772 switch (af) { 1773 #ifdef INET 1774 case AF_INET: 1775 rpool->counter.addr32[0] = arc4random(); 1776 break; 1777 #endif /* INET */ 1778 #ifdef INET6 1779 case AF_INET6: 1780 if (rmask->addr32[3] != 0xffffffff) 1781 rpool->counter.addr32[3] = arc4random(); 1782 else 1783 break; 1784 if (rmask->addr32[2] != 0xffffffff) 1785 rpool->counter.addr32[2] = arc4random(); 1786 else 1787 break; 1788 if (rmask->addr32[1] != 0xffffffff) 1789 rpool->counter.addr32[1] = arc4random(); 1790 else 1791 break; 1792 if (rmask->addr32[0] != 0xffffffff) 1793 rpool->counter.addr32[0] = arc4random(); 1794 break; 1795 #endif /* INET6 */ 1796 } 1797 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1798 PF_ACPY(init_addr, naddr, af); 1799 1800 } else { 1801 PF_AINC(&rpool->counter, af); 1802 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1803 } 1804 break; 1805 case PF_POOL_SRCHASH: 1806 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af); 1807 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af); 1808 break; 1809 case PF_POOL_ROUNDROBIN: 1810 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1811 if (!pfr_pool_get(rpool->cur->addr.p.tbl, 1812 &rpool->tblidx, &rpool->counter, 1813 &raddr, &rmask, af)) 1814 goto get_addr; 1815 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1816 if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 1817 &rpool->tblidx, &rpool->counter, 1818 &raddr, &rmask, af)) 1819 goto get_addr; 1820 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af)) 1821 goto get_addr; 1822 1823 try_next: 1824 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL) 1825 rpool->cur = TAILQ_FIRST(&rpool->list); 1826 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1827 rpool->tblidx = -1; 1828 if (pfr_pool_get(rpool->cur->addr.p.tbl, 1829 &rpool->tblidx, &rpool->counter, 1830 &raddr, &rmask, af)) { 1831 /* table contains no address of type 'af' */ 1832 if (rpool->cur != acur) 1833 goto try_next; 1834 return (1); 1835 } 1836 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1837 rpool->tblidx = -1; 1838 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 1839 &rpool->tblidx, &rpool->counter, 1840 &raddr, &rmask, af)) { 1841 /* table contains no address of type 'af' */ 1842 if (rpool->cur != acur) 1843 goto try_next; 1844 return (1); 1845 } 1846 } else { 1847 raddr = &rpool->cur->addr.v.a.addr; 1848 rmask = &rpool->cur->addr.v.a.mask; 1849 PF_ACPY(&rpool->counter, raddr, af); 1850 } 1851 1852 get_addr: 1853 PF_ACPY(naddr, &rpool->counter, af); 1854 PF_AINC(&rpool->counter, af); 1855 break; 1856 } 1857 if (*sn != NULL) 1858 PF_ACPY(&(*sn)->raddr, naddr, af); 1859 1860 if (pf_status.debug >= PF_DEBUG_MISC && 1861 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 1862 printf("pf_map_addr: selected address "); 1863 pf_print_host(naddr, 0, af); 1864 printf("\n"); 1865 } 1866 1867 return (0); 1868 } 1869 1870 int 1871 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, 1872 struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport, 1873 struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high, 1874 struct pf_src_node **sn) 1875 { 1876 struct pf_state key; 1877 struct pf_addr init_addr; 1878 u_int16_t cut; 1879 1880 bzero(&init_addr, sizeof(init_addr)); 1881 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 1882 return (1); 1883 1884 do { 1885 key.af = af; 1886 key.proto = proto; 1887 PF_ACPY(&key.ext.addr, daddr, key.af); 1888 PF_ACPY(&key.gwy.addr, naddr, key.af); 1889 key.ext.port = dport; 1890 1891 /* 1892 * port search; start random, step; 1893 * similar 2 portloop in in_pcbbind 1894 */ 1895 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) { 1896 key.gwy.port = 0; 1897 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) 1898 return (0); 1899 } else if (low == 0 && high == 0) { 1900 key.gwy.port = *nport; 1901 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) 1902 return (0); 1903 } else if (low == high) { 1904 key.gwy.port = htons(low); 1905 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) { 1906 *nport = htons(low); 1907 return (0); 1908 } 1909 } else { 1910 u_int16_t tmp; 1911 1912 if (low > high) { 1913 tmp = low; 1914 low = high; 1915 high = tmp; 1916 } 1917 /* low < high */ 1918 cut = arc4random() % (1 + high - low) + low; 1919 /* low <= cut <= high */ 1920 for (tmp = cut; tmp <= high; ++(tmp)) { 1921 key.gwy.port = htons(tmp); 1922 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 1923 NULL) { 1924 *nport = htons(tmp); 1925 return (0); 1926 } 1927 } 1928 for (tmp = cut - 1; tmp >= low; --(tmp)) { 1929 key.gwy.port = htons(tmp); 1930 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 1931 NULL) { 1932 *nport = htons(tmp); 1933 return (0); 1934 } 1935 } 1936 } 1937 1938 switch (r->rpool.opts & PF_POOL_TYPEMASK) { 1939 case PF_POOL_RANDOM: 1940 case PF_POOL_ROUNDROBIN: 1941 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 1942 return (1); 1943 break; 1944 case PF_POOL_NONE: 1945 case PF_POOL_SRCHASH: 1946 case PF_POOL_BITMASK: 1947 default: 1948 return (1); 1949 } 1950 } while (! PF_AEQ(&init_addr, naddr, af) ); 1951 1952 return (1); /* none available */ 1953 } 1954 1955 struct pf_rule * 1956 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, 1957 int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport, 1958 struct pf_addr *daddr, u_int16_t dport, int rs_num) 1959 { 1960 struct pf_rule *r, *rm = NULL, *anchorrule = NULL; 1961 struct pf_ruleset *ruleset = NULL; 1962 1963 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); 1964 while (r && rm == NULL) { 1965 struct pf_rule_addr *src = NULL, *dst = NULL; 1966 struct pf_addr_wrap *xdst = NULL; 1967 1968 if (r->action == PF_BINAT && direction == PF_IN) { 1969 src = &r->dst; 1970 if (r->rpool.cur != NULL) 1971 xdst = &r->rpool.cur->addr; 1972 } else { 1973 src = &r->src; 1974 dst = &r->dst; 1975 } 1976 1977 r->evaluations++; 1978 if (r->kif != NULL && 1979 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 1980 r = r->skip[PF_SKIP_IFP].ptr; 1981 else if (r->direction && r->direction != direction) 1982 r = r->skip[PF_SKIP_DIR].ptr; 1983 else if (r->af && r->af != pd->af) 1984 r = r->skip[PF_SKIP_AF].ptr; 1985 else if (r->proto && r->proto != pd->proto) 1986 r = r->skip[PF_SKIP_PROTO].ptr; 1987 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->not)) 1988 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : 1989 PF_SKIP_DST_ADDR].ptr; 1990 else if (src->port_op && !pf_match_port(src->port_op, 1991 src->port[0], src->port[1], sport)) 1992 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : 1993 PF_SKIP_DST_PORT].ptr; 1994 else if (dst != NULL && 1995 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->not)) 1996 r = r->skip[PF_SKIP_DST_ADDR].ptr; 1997 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0)) 1998 r = TAILQ_NEXT(r, entries); 1999 else if (dst != NULL && dst->port_op && 2000 !pf_match_port(dst->port_op, dst->port[0], 2001 dst->port[1], dport)) 2002 r = r->skip[PF_SKIP_DST_PORT].ptr; 2003 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != 2004 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, 2005 off, pd->hdr.tcp), r->os_fingerprint))) 2006 r = TAILQ_NEXT(r, entries); 2007 else if (r->anchorname[0] && r->anchor == NULL) 2008 r = TAILQ_NEXT(r, entries); 2009 else if (r->anchor == NULL) 2010 rm = r; 2011 else 2012 PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, rs_num); 2013 if (r == NULL && anchorrule != NULL) 2014 PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, 2015 rs_num); 2016 } 2017 if (rm != NULL && (rm->action == PF_NONAT || 2018 rm->action == PF_NORDR || rm->action == PF_NOBINAT)) 2019 return (NULL); 2020 return (rm); 2021 } 2022 2023 struct pf_rule * 2024 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, 2025 struct pfi_kif *kif, struct pf_src_node **sn, 2026 struct pf_addr *saddr, u_int16_t sport, 2027 struct pf_addr *daddr, u_int16_t dport, 2028 struct pf_addr *naddr, u_int16_t *nport) 2029 { 2030 struct pf_rule *r = NULL; 2031 2032 if (direction == PF_OUT) { 2033 r = pf_match_translation(pd, m, off, direction, kif, saddr, 2034 sport, daddr, dport, PF_RULESET_BINAT); 2035 if (r == NULL) 2036 r = pf_match_translation(pd, m, off, direction, kif, 2037 saddr, sport, daddr, dport, PF_RULESET_NAT); 2038 } else { 2039 r = pf_match_translation(pd, m, off, direction, kif, saddr, 2040 sport, daddr, dport, PF_RULESET_RDR); 2041 if (r == NULL) 2042 r = pf_match_translation(pd, m, off, direction, kif, 2043 saddr, sport, daddr, dport, PF_RULESET_BINAT); 2044 } 2045 2046 if (r != NULL) { 2047 switch (r->action) { 2048 case PF_NONAT: 2049 case PF_NOBINAT: 2050 case PF_NORDR: 2051 return (NULL); 2052 case PF_NAT: 2053 if (pf_get_sport(pd->af, pd->proto, r, saddr, 2054 daddr, dport, naddr, nport, r->rpool.proxy_port[0], 2055 r->rpool.proxy_port[1], sn)) { 2056 DPFPRINTF(PF_DEBUG_MISC, 2057 ("pf: NAT proxy port allocation " 2058 "(%u-%u) failed\n", 2059 r->rpool.proxy_port[0], 2060 r->rpool.proxy_port[1])); 2061 return (NULL); 2062 } 2063 break; 2064 case PF_BINAT: 2065 switch (direction) { 2066 case PF_OUT: 2067 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ 2068 if (pd->af == AF_INET) { 2069 if (r->rpool.cur->addr.p.dyn-> 2070 pfid_acnt4 < 1) 2071 return (NULL); 2072 PF_POOLMASK(naddr, 2073 &r->rpool.cur->addr.p.dyn-> 2074 pfid_addr4, 2075 &r->rpool.cur->addr.p.dyn-> 2076 pfid_mask4, 2077 saddr, AF_INET); 2078 } else { 2079 if (r->rpool.cur->addr.p.dyn-> 2080 pfid_acnt6 < 1) 2081 return (NULL); 2082 PF_POOLMASK(naddr, 2083 &r->rpool.cur->addr.p.dyn-> 2084 pfid_addr6, 2085 &r->rpool.cur->addr.p.dyn-> 2086 pfid_mask6, 2087 saddr, AF_INET6); 2088 } 2089 } else 2090 PF_POOLMASK(naddr, 2091 &r->rpool.cur->addr.v.a.addr, 2092 &r->rpool.cur->addr.v.a.mask, 2093 saddr, pd->af); 2094 break; 2095 case PF_IN: 2096 if (r->src.addr.type == PF_ADDR_DYNIFTL){ 2097 if (pd->af == AF_INET) { 2098 if (r->src.addr.p.dyn-> 2099 pfid_acnt4 < 1) 2100 return (NULL); 2101 PF_POOLMASK(naddr, 2102 &r->src.addr.p.dyn-> 2103 pfid_addr4, 2104 &r->src.addr.p.dyn-> 2105 pfid_mask4, 2106 daddr, AF_INET); 2107 } else { 2108 if (r->src.addr.p.dyn-> 2109 pfid_acnt6 < 1) 2110 return (NULL); 2111 PF_POOLMASK(naddr, 2112 &r->src.addr.p.dyn-> 2113 pfid_addr6, 2114 &r->src.addr.p.dyn-> 2115 pfid_mask6, 2116 daddr, AF_INET6); 2117 } 2118 } else 2119 PF_POOLMASK(naddr, 2120 &r->src.addr.v.a.addr, 2121 &r->src.addr.v.a.mask, daddr, 2122 pd->af); 2123 break; 2124 } 2125 break; 2126 case PF_RDR: { 2127 if (pf_map_addr(r->af, r, saddr, naddr, NULL, sn)) 2128 return (NULL); 2129 2130 if (r->rpool.proxy_port[1]) { 2131 u_int32_t tmp_nport; 2132 2133 tmp_nport = ((ntohs(dport) - 2134 ntohs(r->dst.port[0])) % 2135 (r->rpool.proxy_port[1] - 2136 r->rpool.proxy_port[0] + 1)) + 2137 r->rpool.proxy_port[0]; 2138 2139 /* wrap around if necessary */ 2140 if (tmp_nport > 65535) 2141 tmp_nport -= 65535; 2142 *nport = htons((u_int16_t)tmp_nport); 2143 } else if (r->rpool.proxy_port[0]) 2144 *nport = htons(r->rpool.proxy_port[0]); 2145 break; 2146 } 2147 default: 2148 return (NULL); 2149 } 2150 } 2151 2152 return (r); 2153 } 2154 2155 #ifdef SMP 2156 struct netmsg_hashlookup { 2157 struct lwkt_msg nm_lmsg; 2158 struct inpcb **nm_pinp; 2159 struct inpcbinfo *nm_pcbinfo; 2160 struct pf_addr *nm_saddr; 2161 struct pf_addr *nm_daddr; 2162 uint16_t nm_sport; 2163 uint16_t nm_dport; 2164 sa_family_t nm_af; 2165 }; 2166 2167 static int 2168 in_pcblookup_hash_handler(struct lwkt_msg *msg0) 2169 { 2170 struct netmsg_hashlookup *msg = (struct netmsg_hashlookup *)msg0; 2171 2172 if (msg->nm_af == AF_INET) 2173 *msg->nm_pinp = in_pcblookup_hash(msg->nm_pcbinfo, 2174 msg->nm_saddr->v4, msg->nm_sport, msg->nm_daddr->v4, 2175 msg->nm_dport, INPLOOKUP_WILDCARD, NULL); 2176 #ifdef INET6 2177 else 2178 *msg->nm_pinp = in6_pcblookup_hash(msg->nm_pcbinfo, 2179 &msg->nm_saddr->v6, msg->nm_sport, &msg->nm_daddr->v6, 2180 msg->nm_dport, INPLOOKUP_WILDCARD, NULL); 2181 #endif /* INET6 */ 2182 lwkt_replymsg(&msg->nm_lmsg, 0); 2183 return (EASYNC); 2184 } 2185 #endif /* SMP */ 2186 2187 int 2188 pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd) 2189 { 2190 struct pf_addr *saddr, *daddr; 2191 u_int16_t sport, dport; 2192 struct inpcbinfo *pi; 2193 struct inpcb *inp; 2194 #ifdef SMP 2195 struct netmsg_hashlookup *msg = NULL; 2196 #endif 2197 int pi_cpu = 0; 2198 2199 *uid = UID_MAX; 2200 *gid = GID_MAX; 2201 if (direction == PF_IN) { 2202 saddr = pd->src; 2203 daddr = pd->dst; 2204 } else { 2205 saddr = pd->dst; 2206 daddr = pd->src; 2207 } 2208 switch (pd->proto) { 2209 case IPPROTO_TCP: 2210 sport = pd->hdr.tcp->th_sport; 2211 dport = pd->hdr.tcp->th_dport; 2212 2213 pi_cpu = tcp_addrcpu(saddr->v4.s_addr, sport, daddr->v4.s_addr, dport); 2214 pi = &tcbinfo[pi_cpu]; 2215 #ifdef SMP 2216 /* 2217 * Our netstack runs lockless on MP systems 2218 * (only for TCP connections at the moment). 2219 * 2220 * As we are not allowed to read another CPU's tcbinfo, 2221 * we have to ask that CPU via remote call to search the 2222 * table for us. 2223 * 2224 * Prepare a msg iff data belongs to another CPU. 2225 */ 2226 if (pi_cpu != mycpu->gd_cpuid) { 2227 msg = malloc(sizeof(*msg), M_LWKTMSG, M_INTWAIT); 2228 lwkt_initmsg(&msg->nm_lmsg, &netisr_afree_rport, 0, 2229 lwkt_cmd_func(in_pcblookup_hash_handler), 2230 lwkt_cmd_op_none); 2231 msg->nm_pinp = &inp; 2232 msg->nm_pcbinfo = pi; 2233 msg->nm_saddr = saddr; 2234 msg->nm_sport = sport; 2235 msg->nm_daddr = daddr; 2236 msg->nm_dport = dport; 2237 msg->nm_af = pd->af; 2238 } 2239 #endif /* SMP */ 2240 break; 2241 case IPPROTO_UDP: 2242 sport = pd->hdr.udp->uh_sport; 2243 dport = pd->hdr.udp->uh_dport; 2244 pi = &udbinfo; 2245 break; 2246 default: 2247 return (0); 2248 } 2249 if (direction != PF_IN) { 2250 u_int16_t p; 2251 2252 p = sport; 2253 sport = dport; 2254 dport = p; 2255 } 2256 switch (pd->af) { 2257 #ifdef INET6 2258 case AF_INET6: 2259 #ifdef SMP 2260 /* 2261 * Query other CPU, second part 2262 * 2263 * msg only gets initialized when: 2264 * 1) packet is TCP 2265 * 2) the info belongs to another CPU 2266 * 2267 * Use some switch/case magic to avoid code duplication. 2268 */ 2269 if (msg == NULL) 2270 #endif /* SMP */ 2271 { 2272 inp = in6_pcblookup_hash(pi, &saddr->v6, sport, 2273 &daddr->v6, dport, INPLOOKUP_WILDCARD, NULL); 2274 2275 if (inp == NULL) 2276 return (0); 2277 break; 2278 } 2279 /* FALLTHROUGH if SMP and on other CPU */ 2280 #endif /* INET6 */ 2281 case AF_INET: 2282 #ifdef SMP 2283 if (msg != NULL) { 2284 lwkt_sendmsg(tcp_cport(pi_cpu), &msg->nm_lmsg); 2285 } else 2286 #endif /* SMP */ 2287 { 2288 inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4, 2289 dport, INPLOOKUP_WILDCARD, NULL); 2290 } 2291 if (inp == NULL) 2292 return (0); 2293 break; 2294 2295 default: 2296 return (0); 2297 } 2298 *uid = inp->inp_socket->so_cred->cr_uid; 2299 *gid = inp->inp_socket->so_cred->cr_groups[0]; 2300 return (1); 2301 } 2302 2303 u_int8_t 2304 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2305 { 2306 int hlen; 2307 u_int8_t hdr[60]; 2308 u_int8_t *opt, optlen; 2309 u_int8_t wscale = 0; 2310 2311 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2312 if (hlen <= sizeof(struct tcphdr)) 2313 return (0); 2314 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2315 return (0); 2316 opt = hdr + sizeof(struct tcphdr); 2317 hlen -= sizeof(struct tcphdr); 2318 while (hlen >= 3) { 2319 switch (*opt) { 2320 case TCPOPT_EOL: 2321 case TCPOPT_NOP: 2322 ++opt; 2323 --hlen; 2324 break; 2325 case TCPOPT_WINDOW: 2326 wscale = opt[2]; 2327 if (wscale > TCP_MAX_WINSHIFT) 2328 wscale = TCP_MAX_WINSHIFT; 2329 wscale |= PF_WSCALE_FLAG; 2330 /* FALLTHROUGH */ 2331 default: 2332 optlen = opt[1]; 2333 if (optlen < 2) 2334 optlen = 2; 2335 hlen -= optlen; 2336 opt += optlen; 2337 break; 2338 } 2339 } 2340 return (wscale); 2341 } 2342 2343 u_int16_t 2344 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2345 { 2346 int hlen; 2347 u_int8_t hdr[60]; 2348 u_int8_t *opt, optlen; 2349 u_int16_t mss = tcp_mssdflt; 2350 2351 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2352 if (hlen <= sizeof(struct tcphdr)) 2353 return (0); 2354 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2355 return (0); 2356 opt = hdr + sizeof(struct tcphdr); 2357 hlen -= sizeof(struct tcphdr); 2358 while (hlen >= TCPOLEN_MAXSEG) { 2359 switch (*opt) { 2360 case TCPOPT_EOL: 2361 case TCPOPT_NOP: 2362 ++opt; 2363 --hlen; 2364 break; 2365 case TCPOPT_MAXSEG: 2366 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2); 2367 /* FALLTHROUGH */ 2368 default: 2369 optlen = opt[1]; 2370 if (optlen < 2) 2371 optlen = 2; 2372 hlen -= optlen; 2373 opt += optlen; 2374 break; 2375 } 2376 } 2377 return (mss); 2378 } 2379 2380 u_int16_t 2381 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer) 2382 { 2383 #ifdef INET 2384 struct sockaddr_in *dst; 2385 struct route ro; 2386 #endif /* INET */ 2387 #ifdef INET6 2388 struct sockaddr_in6 *dst6; 2389 struct route_in6 ro6; 2390 #endif /* INET6 */ 2391 struct rtentry *rt = NULL; 2392 int hlen = 0; 2393 u_int16_t mss = tcp_mssdflt; 2394 2395 switch (af) { 2396 #ifdef INET 2397 case AF_INET: 2398 hlen = sizeof(struct ip); 2399 bzero(&ro, sizeof(ro)); 2400 dst = (struct sockaddr_in *)&ro.ro_dst; 2401 dst->sin_family = AF_INET; 2402 dst->sin_len = sizeof(*dst); 2403 dst->sin_addr = addr->v4; 2404 rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING)); 2405 rt = ro.ro_rt; 2406 break; 2407 #endif /* INET */ 2408 #ifdef INET6 2409 case AF_INET6: 2410 hlen = sizeof(struct ip6_hdr); 2411 bzero(&ro6, sizeof(ro6)); 2412 dst6 = (struct sockaddr_in6 *)&ro6.ro_dst; 2413 dst6->sin6_family = AF_INET6; 2414 dst6->sin6_len = sizeof(*dst6); 2415 dst6->sin6_addr = addr->v6; 2416 rtalloc_ign((struct route *)&ro6, (RTF_CLONING | RTF_PRCLONING)); 2417 rt = ro6.ro_rt; 2418 break; 2419 #endif /* INET6 */ 2420 } 2421 2422 if (rt && rt->rt_ifp) { 2423 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr); 2424 mss = max(tcp_mssdflt, mss); 2425 RTFREE(rt); 2426 } 2427 mss = min(mss, offer); 2428 mss = max(mss, 64); /* sanity - at least max opt space */ 2429 return (mss); 2430 } 2431 2432 void 2433 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr) 2434 { 2435 struct pf_rule *r = s->rule.ptr; 2436 2437 s->rt_kif = NULL; 2438 if (!r->rt || r->rt == PF_FASTROUTE) 2439 return; 2440 switch (s->af) { 2441 #ifdef INET 2442 case AF_INET: 2443 pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, 2444 &s->nat_src_node); 2445 s->rt_kif = r->rpool.cur->kif; 2446 break; 2447 #endif /* INET */ 2448 #ifdef INET6 2449 case AF_INET6: 2450 pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, 2451 &s->nat_src_node); 2452 s->rt_kif = r->rpool.cur->kif; 2453 break; 2454 #endif /* INET6 */ 2455 } 2456 } 2457 2458 int 2459 pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, 2460 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 2461 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2462 { 2463 struct pf_rule *nr = NULL; 2464 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2465 struct tcphdr *th = pd->hdr.tcp; 2466 u_int16_t bport, nport = 0; 2467 sa_family_t af = pd->af; 2468 int lookup = -1; 2469 uid_t uid; 2470 gid_t gid; 2471 struct pf_rule *r, *a = NULL; 2472 struct pf_ruleset *ruleset = NULL; 2473 struct pf_src_node *nsn = NULL; 2474 u_short reason; 2475 int rewrite = 0; 2476 int tag = -1; 2477 u_int16_t mss = tcp_mssdflt; 2478 2479 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2480 2481 if (direction == PF_OUT) { 2482 bport = nport = th->th_sport; 2483 /* check outgoing packet for BINAT/NAT */ 2484 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 2485 saddr, th->th_sport, daddr, th->th_dport, 2486 &pd->naddr, &nport)) != NULL) { 2487 PF_ACPY(&pd->baddr, saddr, af); 2488 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2489 &th->th_sum, &pd->naddr, nport, 0, af); 2490 rewrite++; 2491 if (nr->natpass) 2492 r = NULL; 2493 pd->nat_rule = nr; 2494 } 2495 } else { 2496 bport = nport = th->th_dport; 2497 /* check incoming packet for BINAT/RDR */ 2498 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 2499 saddr, th->th_sport, daddr, th->th_dport, 2500 &pd->naddr, &nport)) != NULL) { 2501 PF_ACPY(&pd->baddr, daddr, af); 2502 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2503 &th->th_sum, &pd->naddr, nport, 0, af); 2504 rewrite++; 2505 if (nr->natpass) 2506 r = NULL; 2507 pd->nat_rule = nr; 2508 } 2509 } 2510 2511 while (r != NULL) { 2512 r->evaluations++; 2513 if (r->kif != NULL && 2514 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2515 r = r->skip[PF_SKIP_IFP].ptr; 2516 else if (r->direction && r->direction != direction) 2517 r = r->skip[PF_SKIP_DIR].ptr; 2518 else if (r->af && r->af != af) 2519 r = r->skip[PF_SKIP_AF].ptr; 2520 else if (r->proto && r->proto != IPPROTO_TCP) 2521 r = r->skip[PF_SKIP_PROTO].ptr; 2522 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2523 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2524 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2525 r->src.port[0], r->src.port[1], th->th_sport)) 2526 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2527 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2528 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2529 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2530 r->dst.port[0], r->dst.port[1], th->th_dport)) 2531 r = r->skip[PF_SKIP_DST_PORT].ptr; 2532 else if (r->tos && !(r->tos & pd->tos)) 2533 r = TAILQ_NEXT(r, entries); 2534 else if (r->rule_flag & PFRULE_FRAGMENT) 2535 r = TAILQ_NEXT(r, entries); 2536 else if ((r->flagset & th->th_flags) != r->flags) 2537 r = TAILQ_NEXT(r, entries); 2538 else if (r->uid.op && (lookup != -1 || (lookup = 2539 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2540 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2541 uid)) 2542 r = TAILQ_NEXT(r, entries); 2543 else if (r->gid.op && (lookup != -1 || (lookup = 2544 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2545 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2546 gid)) 2547 r = TAILQ_NEXT(r, entries); 2548 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 2549 r = TAILQ_NEXT(r, entries); 2550 else if (r->anchorname[0] && r->anchor == NULL) 2551 r = TAILQ_NEXT(r, entries); 2552 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( 2553 pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint)) 2554 r = TAILQ_NEXT(r, entries); 2555 else { 2556 if (r->tag) 2557 tag = r->tag; 2558 if (r->anchor == NULL) { 2559 *rm = r; 2560 *am = a; 2561 *rsm = ruleset; 2562 if ((*rm)->quick) 2563 break; 2564 r = TAILQ_NEXT(r, entries); 2565 } else 2566 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2567 PF_RULESET_FILTER); 2568 } 2569 if (r == NULL && a != NULL) 2570 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2571 PF_RULESET_FILTER); 2572 } 2573 r = *rm; 2574 a = *am; 2575 ruleset = *rsm; 2576 2577 REASON_SET(&reason, PFRES_MATCH); 2578 2579 if (r->log) { 2580 if (rewrite) 2581 m_copyback(m, off, sizeof(*th), (caddr_t)th); 2582 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 2583 } 2584 2585 if ((r->action == PF_DROP) && 2586 ((r->rule_flag & PFRULE_RETURNRST) || 2587 (r->rule_flag & PFRULE_RETURNICMP) || 2588 (r->rule_flag & PFRULE_RETURN))) { 2589 /* undo NAT changes, if they have taken place */ 2590 if (nr != NULL) { 2591 if (direction == PF_OUT) { 2592 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2593 &th->th_sum, &pd->baddr, bport, 0, af); 2594 rewrite++; 2595 } else { 2596 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2597 &th->th_sum, &pd->baddr, bport, 0, af); 2598 rewrite++; 2599 } 2600 } 2601 if (((r->rule_flag & PFRULE_RETURNRST) || 2602 (r->rule_flag & PFRULE_RETURN)) && 2603 !(th->th_flags & TH_RST)) { 2604 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 2605 2606 if (th->th_flags & TH_SYN) 2607 ack++; 2608 if (th->th_flags & TH_FIN) 2609 ack++; 2610 pf_send_tcp(r, af, pd->dst, 2611 pd->src, th->th_dport, th->th_sport, 2612 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0, 2613 r->return_ttl); 2614 } else if ((af == AF_INET) && r->return_icmp) 2615 pf_send_icmp(m, r->return_icmp >> 8, 2616 r->return_icmp & 255, af, r); 2617 else if ((af == AF_INET6) && r->return_icmp6) 2618 pf_send_icmp(m, r->return_icmp6 >> 8, 2619 r->return_icmp6 & 255, af, r); 2620 } 2621 2622 if (r->action == PF_DROP) 2623 return (PF_DROP); 2624 2625 pf_tag_packet(m, tag); 2626 2627 if (r->keep_state || nr != NULL || 2628 (pd->flags & PFDESC_TCP_NORM)) { 2629 /* create new state */ 2630 u_int16_t len; 2631 struct pf_state *s = NULL; 2632 struct pf_src_node *sn = NULL; 2633 2634 len = pd->tot_len - off - (th->th_off << 2); 2635 2636 /* check maximums */ 2637 if (r->max_states && (r->states >= r->max_states)) 2638 goto cleanup; 2639 /* src node for flter rule */ 2640 if ((r->rule_flag & PFRULE_SRCTRACK || 2641 r->rpool.opts & PF_POOL_STICKYADDR) && 2642 pf_insert_src_node(&sn, r, saddr, af) != 0) 2643 goto cleanup; 2644 /* src node for translation rule */ 2645 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 2646 ((direction == PF_OUT && 2647 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 2648 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 2649 goto cleanup; 2650 s = pool_get(&pf_state_pl, PR_NOWAIT); 2651 if (s == NULL) { 2652 cleanup: 2653 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 2654 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 2655 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2656 pf_status.src_nodes--; 2657 pool_put(&pf_src_tree_pl, sn); 2658 } 2659 if (nsn != sn && nsn != NULL && nsn->states == 0 && 2660 nsn->expire == 0) { 2661 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 2662 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2663 pf_status.src_nodes--; 2664 pool_put(&pf_src_tree_pl, nsn); 2665 } 2666 REASON_SET(&reason, PFRES_MEMORY); 2667 return (PF_DROP); 2668 } 2669 bzero(s, sizeof(*s)); 2670 r->states++; 2671 if (a != NULL) 2672 a->states++; 2673 s->rule.ptr = r; 2674 s->nat_rule.ptr = nr; 2675 if (s->nat_rule.ptr != NULL) 2676 s->nat_rule.ptr->states++; 2677 s->anchor.ptr = a; 2678 s->allow_opts = r->allow_opts; 2679 s->log = r->log & 2; 2680 s->proto = IPPROTO_TCP; 2681 s->direction = direction; 2682 s->af = af; 2683 if (direction == PF_OUT) { 2684 PF_ACPY(&s->gwy.addr, saddr, af); 2685 s->gwy.port = th->th_sport; /* sport */ 2686 PF_ACPY(&s->ext.addr, daddr, af); 2687 s->ext.port = th->th_dport; 2688 if (nr != NULL) { 2689 PF_ACPY(&s->lan.addr, &pd->baddr, af); 2690 s->lan.port = bport; 2691 } else { 2692 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 2693 s->lan.port = s->gwy.port; 2694 } 2695 } else { 2696 PF_ACPY(&s->lan.addr, daddr, af); 2697 s->lan.port = th->th_dport; 2698 PF_ACPY(&s->ext.addr, saddr, af); 2699 s->ext.port = th->th_sport; 2700 if (nr != NULL) { 2701 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 2702 s->gwy.port = bport; 2703 } else { 2704 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 2705 s->gwy.port = s->lan.port; 2706 } 2707 } 2708 2709 s->src.seqlo = ntohl(th->th_seq); 2710 s->src.seqhi = s->src.seqlo + len + 1; 2711 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2712 r->keep_state == PF_STATE_MODULATE) { 2713 /* Generate sequence number modulator */ 2714 while ((s->src.seqdiff = arc4random()) == 0) 2715 ; 2716 pf_change_a(&th->th_seq, &th->th_sum, 2717 htonl(s->src.seqlo + s->src.seqdiff), 0); 2718 rewrite = 1; 2719 } else 2720 s->src.seqdiff = 0; 2721 if (th->th_flags & TH_SYN) { 2722 s->src.seqhi++; 2723 s->src.wscale = pf_get_wscale(m, off, th->th_off, af); 2724 } 2725 s->src.max_win = MAX(ntohs(th->th_win), 1); 2726 if (s->src.wscale & PF_WSCALE_MASK) { 2727 /* Remove scale factor from initial window */ 2728 int win = s->src.max_win; 2729 win += 1 << (s->src.wscale & PF_WSCALE_MASK); 2730 s->src.max_win = (win - 1) >> 2731 (s->src.wscale & PF_WSCALE_MASK); 2732 } 2733 if (th->th_flags & TH_FIN) 2734 s->src.seqhi++; 2735 s->dst.seqhi = 1; 2736 s->dst.max_win = 1; 2737 s->src.state = TCPS_SYN_SENT; 2738 s->dst.state = TCPS_CLOSED; 2739 s->creation = time_second; 2740 s->expire = time_second; 2741 s->timeout = PFTM_TCP_FIRST_PACKET; 2742 pf_set_rt_ifp(s, saddr); 2743 if (sn != NULL) { 2744 s->src_node = sn; 2745 s->src_node->states++; 2746 } 2747 if (nsn != NULL) { 2748 PF_ACPY(&nsn->raddr, &pd->naddr, af); 2749 s->nat_src_node = nsn; 2750 s->nat_src_node->states++; 2751 } 2752 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m, 2753 off, pd, th, &s->src, &s->dst)) { 2754 REASON_SET(&reason, PFRES_MEMORY); 2755 pf_src_tree_remove_state(s); 2756 pool_put(&pf_state_pl, s); 2757 return (PF_DROP); 2758 } 2759 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub && 2760 pf_normalize_tcp_stateful(m, off, pd, &reason, th, &s->src, 2761 &s->dst, &rewrite)) { 2762 pf_normalize_tcp_cleanup(s); 2763 pf_src_tree_remove_state(s); 2764 pool_put(&pf_state_pl, s); 2765 return (PF_DROP); 2766 } 2767 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 2768 pf_normalize_tcp_cleanup(s); 2769 REASON_SET(&reason, PFRES_MEMORY); 2770 pf_src_tree_remove_state(s); 2771 pool_put(&pf_state_pl, s); 2772 return (PF_DROP); 2773 } else 2774 *sm = s; 2775 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2776 r->keep_state == PF_STATE_SYNPROXY) { 2777 s->src.state = PF_TCPS_PROXY_SRC; 2778 if (nr != NULL) { 2779 if (direction == PF_OUT) { 2780 pf_change_ap(saddr, &th->th_sport, 2781 pd->ip_sum, &th->th_sum, &pd->baddr, 2782 bport, 0, af); 2783 } else { 2784 pf_change_ap(daddr, &th->th_dport, 2785 pd->ip_sum, &th->th_sum, &pd->baddr, 2786 bport, 0, af); 2787 } 2788 } 2789 s->src.seqhi = arc4random(); 2790 /* Find mss option */ 2791 mss = pf_get_mss(m, off, th->th_off, af); 2792 mss = pf_calc_mss(saddr, af, mss); 2793 mss = pf_calc_mss(daddr, af, mss); 2794 s->src.mss = mss; 2795 pf_send_tcp(r, af, daddr, saddr, th->th_dport, 2796 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1, 2797 TH_SYN|TH_ACK, 0, s->src.mss, 0); 2798 return (PF_SYNPROXY_DROP); 2799 } 2800 } 2801 2802 /* copy back packet headers if we performed NAT operations */ 2803 if (rewrite) 2804 m_copyback(m, off, sizeof(*th), (caddr_t)th); 2805 2806 return (PF_PASS); 2807 } 2808 2809 int 2810 pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, 2811 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 2812 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2813 { 2814 struct pf_rule *nr = NULL; 2815 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2816 struct udphdr *uh = pd->hdr.udp; 2817 u_int16_t bport, nport = 0; 2818 sa_family_t af = pd->af; 2819 int lookup = -1; 2820 uid_t uid; 2821 gid_t gid; 2822 struct pf_rule *r, *a = NULL; 2823 struct pf_ruleset *ruleset = NULL; 2824 struct pf_src_node *nsn = NULL; 2825 u_short reason; 2826 int rewrite = 0; 2827 int tag = -1; 2828 2829 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2830 2831 if (direction == PF_OUT) { 2832 bport = nport = uh->uh_sport; 2833 /* check outgoing packet for BINAT/NAT */ 2834 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 2835 saddr, uh->uh_sport, daddr, uh->uh_dport, 2836 &pd->naddr, &nport)) != NULL) { 2837 PF_ACPY(&pd->baddr, saddr, af); 2838 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2839 &uh->uh_sum, &pd->naddr, nport, 1, af); 2840 rewrite++; 2841 if (nr->natpass) 2842 r = NULL; 2843 pd->nat_rule = nr; 2844 } 2845 } else { 2846 bport = nport = uh->uh_dport; 2847 /* check incoming packet for BINAT/RDR */ 2848 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 2849 saddr, uh->uh_sport, daddr, uh->uh_dport, &pd->naddr, 2850 &nport)) != NULL) { 2851 PF_ACPY(&pd->baddr, daddr, af); 2852 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2853 &uh->uh_sum, &pd->naddr, nport, 1, af); 2854 rewrite++; 2855 if (nr->natpass) 2856 r = NULL; 2857 pd->nat_rule = nr; 2858 } 2859 } 2860 2861 while (r != NULL) { 2862 r->evaluations++; 2863 if (r->kif != NULL && 2864 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2865 r = r->skip[PF_SKIP_IFP].ptr; 2866 else if (r->direction && r->direction != direction) 2867 r = r->skip[PF_SKIP_DIR].ptr; 2868 else if (r->af && r->af != af) 2869 r = r->skip[PF_SKIP_AF].ptr; 2870 else if (r->proto && r->proto != IPPROTO_UDP) 2871 r = r->skip[PF_SKIP_PROTO].ptr; 2872 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2873 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2874 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2875 r->src.port[0], r->src.port[1], uh->uh_sport)) 2876 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2877 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2878 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2879 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2880 r->dst.port[0], r->dst.port[1], uh->uh_dport)) 2881 r = r->skip[PF_SKIP_DST_PORT].ptr; 2882 else if (r->tos && !(r->tos & pd->tos)) 2883 r = TAILQ_NEXT(r, entries); 2884 else if (r->rule_flag & PFRULE_FRAGMENT) 2885 r = TAILQ_NEXT(r, entries); 2886 else if (r->uid.op && (lookup != -1 || (lookup = 2887 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2888 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2889 uid)) 2890 r = TAILQ_NEXT(r, entries); 2891 else if (r->gid.op && (lookup != -1 || (lookup = 2892 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2893 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2894 gid)) 2895 r = TAILQ_NEXT(r, entries); 2896 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 2897 r = TAILQ_NEXT(r, entries); 2898 else if (r->anchorname[0] && r->anchor == NULL) 2899 r = TAILQ_NEXT(r, entries); 2900 else if (r->os_fingerprint != PF_OSFP_ANY) 2901 r = TAILQ_NEXT(r, entries); 2902 else { 2903 if (r->tag) 2904 tag = r->tag; 2905 if (r->anchor == NULL) { 2906 *rm = r; 2907 *am = a; 2908 *rsm = ruleset; 2909 if ((*rm)->quick) 2910 break; 2911 r = TAILQ_NEXT(r, entries); 2912 } else 2913 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2914 PF_RULESET_FILTER); 2915 } 2916 if (r == NULL && a != NULL) 2917 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2918 PF_RULESET_FILTER); 2919 } 2920 r = *rm; 2921 a = *am; 2922 ruleset = *rsm; 2923 2924 REASON_SET(&reason, PFRES_MATCH); 2925 2926 if (r->log) { 2927 if (rewrite) 2928 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 2929 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 2930 } 2931 2932 if ((r->action == PF_DROP) && 2933 ((r->rule_flag & PFRULE_RETURNICMP) || 2934 (r->rule_flag & PFRULE_RETURN))) { 2935 /* undo NAT changes, if they have taken place */ 2936 if (nr != NULL) { 2937 if (direction == PF_OUT) { 2938 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2939 &uh->uh_sum, &pd->baddr, bport, 1, af); 2940 rewrite++; 2941 } else { 2942 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2943 &uh->uh_sum, &pd->baddr, bport, 1, af); 2944 rewrite++; 2945 } 2946 } 2947 if ((af == AF_INET) && r->return_icmp) 2948 pf_send_icmp(m, r->return_icmp >> 8, 2949 r->return_icmp & 255, af, r); 2950 else if ((af == AF_INET6) && r->return_icmp6) 2951 pf_send_icmp(m, r->return_icmp6 >> 8, 2952 r->return_icmp6 & 255, af, r); 2953 } 2954 2955 if (r->action == PF_DROP) 2956 return (PF_DROP); 2957 2958 pf_tag_packet(m, tag); 2959 2960 if (r->keep_state || nr != NULL) { 2961 /* create new state */ 2962 struct pf_state *s = NULL; 2963 struct pf_src_node *sn = NULL; 2964 2965 /* check maximums */ 2966 if (r->max_states && (r->states >= r->max_states)) 2967 goto cleanup; 2968 /* src node for flter rule */ 2969 if ((r->rule_flag & PFRULE_SRCTRACK || 2970 r->rpool.opts & PF_POOL_STICKYADDR) && 2971 pf_insert_src_node(&sn, r, saddr, af) != 0) 2972 goto cleanup; 2973 /* src node for translation rule */ 2974 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 2975 ((direction == PF_OUT && 2976 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 2977 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 2978 goto cleanup; 2979 s = pool_get(&pf_state_pl, PR_NOWAIT); 2980 if (s == NULL) { 2981 cleanup: 2982 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 2983 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 2984 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2985 pf_status.src_nodes--; 2986 pool_put(&pf_src_tree_pl, sn); 2987 } 2988 if (nsn != sn && nsn != NULL && nsn->states == 0 && 2989 nsn->expire == 0) { 2990 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 2991 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2992 pf_status.src_nodes--; 2993 pool_put(&pf_src_tree_pl, nsn); 2994 } 2995 REASON_SET(&reason, PFRES_MEMORY); 2996 return (PF_DROP); 2997 } 2998 bzero(s, sizeof(*s)); 2999 r->states++; 3000 if (a != NULL) 3001 a->states++; 3002 s->rule.ptr = r; 3003 s->nat_rule.ptr = nr; 3004 if (s->nat_rule.ptr != NULL) 3005 s->nat_rule.ptr->states++; 3006 s->anchor.ptr = a; 3007 s->allow_opts = r->allow_opts; 3008 s->log = r->log & 2; 3009 s->proto = IPPROTO_UDP; 3010 s->direction = direction; 3011 s->af = af; 3012 if (direction == PF_OUT) { 3013 PF_ACPY(&s->gwy.addr, saddr, af); 3014 s->gwy.port = uh->uh_sport; 3015 PF_ACPY(&s->ext.addr, daddr, af); 3016 s->ext.port = uh->uh_dport; 3017 if (nr != NULL) { 3018 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3019 s->lan.port = bport; 3020 } else { 3021 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3022 s->lan.port = s->gwy.port; 3023 } 3024 } else { 3025 PF_ACPY(&s->lan.addr, daddr, af); 3026 s->lan.port = uh->uh_dport; 3027 PF_ACPY(&s->ext.addr, saddr, af); 3028 s->ext.port = uh->uh_sport; 3029 if (nr != NULL) { 3030 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3031 s->gwy.port = bport; 3032 } else { 3033 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3034 s->gwy.port = s->lan.port; 3035 } 3036 } 3037 s->src.state = PFUDPS_SINGLE; 3038 s->dst.state = PFUDPS_NO_TRAFFIC; 3039 s->creation = time_second; 3040 s->expire = time_second; 3041 s->timeout = PFTM_UDP_FIRST_PACKET; 3042 pf_set_rt_ifp(s, saddr); 3043 if (sn != NULL) { 3044 s->src_node = sn; 3045 s->src_node->states++; 3046 } 3047 if (nsn != NULL) { 3048 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3049 s->nat_src_node = nsn; 3050 s->nat_src_node->states++; 3051 } 3052 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3053 REASON_SET(&reason, PFRES_MEMORY); 3054 pf_src_tree_remove_state(s); 3055 pool_put(&pf_state_pl, s); 3056 return (PF_DROP); 3057 } else 3058 *sm = s; 3059 } 3060 3061 /* copy back packet headers if we performed NAT operations */ 3062 if (rewrite) 3063 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 3064 3065 return (PF_PASS); 3066 } 3067 3068 int 3069 pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction, 3070 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 3071 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 3072 { 3073 struct pf_rule *nr = NULL; 3074 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3075 struct pf_rule *r, *a = NULL; 3076 struct pf_ruleset *ruleset = NULL; 3077 struct pf_src_node *nsn = NULL; 3078 u_short reason; 3079 u_int16_t icmpid = 0; 3080 sa_family_t af = pd->af; 3081 u_int8_t icmptype = 0, icmpcode = 0; 3082 int state_icmp = 0; 3083 int tag = -1; 3084 #ifdef INET6 3085 int rewrite = 0; 3086 #endif /* INET6 */ 3087 3088 switch (pd->proto) { 3089 #ifdef INET 3090 case IPPROTO_ICMP: 3091 icmptype = pd->hdr.icmp->icmp_type; 3092 icmpcode = pd->hdr.icmp->icmp_code; 3093 icmpid = pd->hdr.icmp->icmp_id; 3094 3095 if (icmptype == ICMP_UNREACH || 3096 icmptype == ICMP_SOURCEQUENCH || 3097 icmptype == ICMP_REDIRECT || 3098 icmptype == ICMP_TIMXCEED || 3099 icmptype == ICMP_PARAMPROB) 3100 state_icmp++; 3101 break; 3102 #endif /* INET */ 3103 #ifdef INET6 3104 case IPPROTO_ICMPV6: 3105 icmptype = pd->hdr.icmp6->icmp6_type; 3106 icmpcode = pd->hdr.icmp6->icmp6_code; 3107 icmpid = pd->hdr.icmp6->icmp6_id; 3108 3109 if (icmptype == ICMP6_DST_UNREACH || 3110 icmptype == ICMP6_PACKET_TOO_BIG || 3111 icmptype == ICMP6_TIME_EXCEEDED || 3112 icmptype == ICMP6_PARAM_PROB) 3113 state_icmp++; 3114 break; 3115 #endif /* INET6 */ 3116 } 3117 3118 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3119 3120 if (direction == PF_OUT) { 3121 /* check outgoing packet for BINAT/NAT */ 3122 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3123 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3124 PF_ACPY(&pd->baddr, saddr, af); 3125 switch (af) { 3126 #ifdef INET 3127 case AF_INET: 3128 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 3129 pd->naddr.v4.s_addr, 0); 3130 break; 3131 #endif /* INET */ 3132 #ifdef INET6 3133 case AF_INET6: 3134 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum, 3135 &pd->naddr, 0); 3136 rewrite++; 3137 break; 3138 #endif /* INET6 */ 3139 } 3140 if (nr->natpass) 3141 r = NULL; 3142 pd->nat_rule = nr; 3143 } 3144 } else { 3145 /* check incoming packet for BINAT/RDR */ 3146 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 3147 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3148 PF_ACPY(&pd->baddr, daddr, af); 3149 switch (af) { 3150 #ifdef INET 3151 case AF_INET: 3152 pf_change_a(&daddr->v4.s_addr, 3153 pd->ip_sum, pd->naddr.v4.s_addr, 0); 3154 break; 3155 #endif /* INET */ 3156 #ifdef INET6 3157 case AF_INET6: 3158 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum, 3159 &pd->naddr, 0); 3160 rewrite++; 3161 break; 3162 #endif /* INET6 */ 3163 } 3164 if (nr->natpass) 3165 r = NULL; 3166 pd->nat_rule = nr; 3167 } 3168 } 3169 3170 while (r != NULL) { 3171 r->evaluations++; 3172 if (r->kif != NULL && 3173 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3174 r = r->skip[PF_SKIP_IFP].ptr; 3175 else if (r->direction && r->direction != direction) 3176 r = r->skip[PF_SKIP_DIR].ptr; 3177 else if (r->af && r->af != af) 3178 r = r->skip[PF_SKIP_AF].ptr; 3179 else if (r->proto && r->proto != pd->proto) 3180 r = r->skip[PF_SKIP_PROTO].ptr; 3181 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 3182 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3183 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 3184 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3185 else if (r->type && r->type != icmptype + 1) 3186 r = TAILQ_NEXT(r, entries); 3187 else if (r->code && r->code != icmpcode + 1) 3188 r = TAILQ_NEXT(r, entries); 3189 else if (r->tos && !(r->tos & pd->tos)) 3190 r = TAILQ_NEXT(r, entries); 3191 else if (r->rule_flag & PFRULE_FRAGMENT) 3192 r = TAILQ_NEXT(r, entries); 3193 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 3194 r = TAILQ_NEXT(r, entries); 3195 else if (r->anchorname[0] && r->anchor == NULL) 3196 r = TAILQ_NEXT(r, entries); 3197 else if (r->os_fingerprint != PF_OSFP_ANY) 3198 r = TAILQ_NEXT(r, entries); 3199 else { 3200 if (r->tag) 3201 tag = r->tag; 3202 if (r->anchor == NULL) { 3203 *rm = r; 3204 *am = a; 3205 *rsm = ruleset; 3206 if ((*rm)->quick) 3207 break; 3208 r = TAILQ_NEXT(r, entries); 3209 } else 3210 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3211 PF_RULESET_FILTER); 3212 } 3213 if (r == NULL && a != NULL) 3214 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3215 PF_RULESET_FILTER); 3216 } 3217 r = *rm; 3218 a = *am; 3219 ruleset = *rsm; 3220 3221 REASON_SET(&reason, PFRES_MATCH); 3222 3223 if (r->log) { 3224 #ifdef INET6 3225 if (rewrite) 3226 m_copyback(m, off, sizeof(struct icmp6_hdr), 3227 (caddr_t)pd->hdr.icmp6); 3228 #endif /* INET6 */ 3229 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3230 } 3231 3232 if (r->action != PF_PASS) 3233 return (PF_DROP); 3234 3235 pf_tag_packet(m, tag); 3236 3237 if (!state_icmp && (r->keep_state || nr != NULL)) { 3238 /* create new state */ 3239 struct pf_state *s = NULL; 3240 struct pf_src_node *sn = NULL; 3241 3242 /* check maximums */ 3243 if (r->max_states && (r->states >= r->max_states)) 3244 goto cleanup; 3245 /* src node for flter rule */ 3246 if ((r->rule_flag & PFRULE_SRCTRACK || 3247 r->rpool.opts & PF_POOL_STICKYADDR) && 3248 pf_insert_src_node(&sn, r, saddr, af) != 0) 3249 goto cleanup; 3250 /* src node for translation rule */ 3251 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3252 ((direction == PF_OUT && 3253 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 3254 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 3255 goto cleanup; 3256 s = pool_get(&pf_state_pl, PR_NOWAIT); 3257 if (s == NULL) { 3258 cleanup: 3259 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3260 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3261 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3262 pf_status.src_nodes--; 3263 pool_put(&pf_src_tree_pl, sn); 3264 } 3265 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3266 nsn->expire == 0) { 3267 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3268 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3269 pf_status.src_nodes--; 3270 pool_put(&pf_src_tree_pl, nsn); 3271 } 3272 REASON_SET(&reason, PFRES_MEMORY); 3273 return (PF_DROP); 3274 } 3275 bzero(s, sizeof(*s)); 3276 r->states++; 3277 if (a != NULL) 3278 a->states++; 3279 s->rule.ptr = r; 3280 s->nat_rule.ptr = nr; 3281 if (s->nat_rule.ptr != NULL) 3282 s->nat_rule.ptr->states++; 3283 s->anchor.ptr = a; 3284 s->allow_opts = r->allow_opts; 3285 s->log = r->log & 2; 3286 s->proto = pd->proto; 3287 s->direction = direction; 3288 s->af = af; 3289 if (direction == PF_OUT) { 3290 PF_ACPY(&s->gwy.addr, saddr, af); 3291 s->gwy.port = icmpid; 3292 PF_ACPY(&s->ext.addr, daddr, af); 3293 s->ext.port = icmpid; 3294 if (nr != NULL) 3295 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3296 else 3297 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3298 s->lan.port = icmpid; 3299 } else { 3300 PF_ACPY(&s->lan.addr, daddr, af); 3301 s->lan.port = icmpid; 3302 PF_ACPY(&s->ext.addr, saddr, af); 3303 s->ext.port = icmpid; 3304 if (nr != NULL) 3305 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3306 else 3307 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3308 s->gwy.port = icmpid; 3309 } 3310 s->creation = time_second; 3311 s->expire = time_second; 3312 s->timeout = PFTM_ICMP_FIRST_PACKET; 3313 pf_set_rt_ifp(s, saddr); 3314 if (sn != NULL) { 3315 s->src_node = sn; 3316 s->src_node->states++; 3317 } 3318 if (nsn != NULL) { 3319 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3320 s->nat_src_node = nsn; 3321 s->nat_src_node->states++; 3322 } 3323 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3324 REASON_SET(&reason, PFRES_MEMORY); 3325 pf_src_tree_remove_state(s); 3326 pool_put(&pf_state_pl, s); 3327 return (PF_DROP); 3328 } else 3329 *sm = s; 3330 } 3331 3332 #ifdef INET6 3333 /* copy back packet headers if we performed IPv6 NAT operations */ 3334 if (rewrite) 3335 m_copyback(m, off, sizeof(struct icmp6_hdr), 3336 (caddr_t)pd->hdr.icmp6); 3337 #endif /* INET6 */ 3338 3339 return (PF_PASS); 3340 } 3341 3342 int 3343 pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction, 3344 struct pfi_kif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 3345 struct pf_rule **am, struct pf_ruleset **rsm) 3346 { 3347 struct pf_rule *nr = NULL; 3348 struct pf_rule *r, *a = NULL; 3349 struct pf_ruleset *ruleset = NULL; 3350 struct pf_src_node *nsn = NULL; 3351 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3352 sa_family_t af = pd->af; 3353 u_short reason; 3354 int tag = -1; 3355 3356 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3357 3358 if (direction == PF_OUT) { 3359 /* check outgoing packet for BINAT/NAT */ 3360 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3361 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3362 PF_ACPY(&pd->baddr, saddr, af); 3363 switch (af) { 3364 #ifdef INET 3365 case AF_INET: 3366 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 3367 pd->naddr.v4.s_addr, 0); 3368 break; 3369 #endif /* INET */ 3370 #ifdef INET6 3371 case AF_INET6: 3372 PF_ACPY(saddr, &pd->naddr, af); 3373 break; 3374 #endif /* INET6 */ 3375 } 3376 if (nr->natpass) 3377 r = NULL; 3378 pd->nat_rule = nr; 3379 } 3380 } else { 3381 /* check incoming packet for BINAT/RDR */ 3382 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 3383 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3384 PF_ACPY(&pd->baddr, daddr, af); 3385 switch (af) { 3386 #ifdef INET 3387 case AF_INET: 3388 pf_change_a(&daddr->v4.s_addr, 3389 pd->ip_sum, pd->naddr.v4.s_addr, 0); 3390 break; 3391 #endif /* INET */ 3392 #ifdef INET6 3393 case AF_INET6: 3394 PF_ACPY(daddr, &pd->naddr, af); 3395 break; 3396 #endif /* INET6 */ 3397 } 3398 if (nr->natpass) 3399 r = NULL; 3400 pd->nat_rule = nr; 3401 } 3402 } 3403 3404 while (r != NULL) { 3405 r->evaluations++; 3406 if (r->kif != NULL && 3407 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3408 r = r->skip[PF_SKIP_IFP].ptr; 3409 else if (r->direction && r->direction != direction) 3410 r = r->skip[PF_SKIP_DIR].ptr; 3411 else if (r->af && r->af != af) 3412 r = r->skip[PF_SKIP_AF].ptr; 3413 else if (r->proto && r->proto != pd->proto) 3414 r = r->skip[PF_SKIP_PROTO].ptr; 3415 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3416 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3417 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3418 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3419 else if (r->tos && !(r->tos & pd->tos)) 3420 r = TAILQ_NEXT(r, entries); 3421 else if (r->rule_flag & PFRULE_FRAGMENT) 3422 r = TAILQ_NEXT(r, entries); 3423 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 3424 r = TAILQ_NEXT(r, entries); 3425 else if (r->anchorname[0] && r->anchor == NULL) 3426 r = TAILQ_NEXT(r, entries); 3427 else if (r->os_fingerprint != PF_OSFP_ANY) 3428 r = TAILQ_NEXT(r, entries); 3429 else { 3430 if (r->tag) 3431 tag = r->tag; 3432 if (r->anchor == NULL) { 3433 *rm = r; 3434 *am = a; 3435 *rsm = ruleset; 3436 if ((*rm)->quick) 3437 break; 3438 r = TAILQ_NEXT(r, entries); 3439 } else 3440 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3441 PF_RULESET_FILTER); 3442 } 3443 if (r == NULL && a != NULL) 3444 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3445 PF_RULESET_FILTER); 3446 } 3447 r = *rm; 3448 a = *am; 3449 ruleset = *rsm; 3450 3451 REASON_SET(&reason, PFRES_MATCH); 3452 3453 if (r->log) 3454 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3455 3456 if ((r->action == PF_DROP) && 3457 ((r->rule_flag & PFRULE_RETURNICMP) || 3458 (r->rule_flag & PFRULE_RETURN))) { 3459 struct pf_addr *a = NULL; 3460 3461 if (nr != NULL) { 3462 if (direction == PF_OUT) 3463 a = saddr; 3464 else 3465 a = daddr; 3466 } 3467 if (a != NULL) { 3468 switch (af) { 3469 #ifdef INET 3470 case AF_INET: 3471 pf_change_a(&a->v4.s_addr, pd->ip_sum, 3472 pd->baddr.v4.s_addr, 0); 3473 break; 3474 #endif /* INET */ 3475 #ifdef INET6 3476 case AF_INET6: 3477 PF_ACPY(a, &pd->baddr, af); 3478 break; 3479 #endif /* INET6 */ 3480 } 3481 } 3482 if ((af == AF_INET) && r->return_icmp) 3483 pf_send_icmp(m, r->return_icmp >> 8, 3484 r->return_icmp & 255, af, r); 3485 else if ((af == AF_INET6) && r->return_icmp6) 3486 pf_send_icmp(m, r->return_icmp6 >> 8, 3487 r->return_icmp6 & 255, af, r); 3488 } 3489 3490 if (r->action != PF_PASS) 3491 return (PF_DROP); 3492 3493 pf_tag_packet(m, tag); 3494 3495 if (r->keep_state || nr != NULL) { 3496 /* create new state */ 3497 struct pf_state *s = NULL; 3498 struct pf_src_node *sn = NULL; 3499 3500 /* check maximums */ 3501 if (r->max_states && (r->states >= r->max_states)) 3502 goto cleanup; 3503 /* src node for flter rule */ 3504 if ((r->rule_flag & PFRULE_SRCTRACK || 3505 r->rpool.opts & PF_POOL_STICKYADDR) && 3506 pf_insert_src_node(&sn, r, saddr, af) != 0) 3507 goto cleanup; 3508 /* src node for translation rule */ 3509 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3510 ((direction == PF_OUT && 3511 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 3512 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 3513 goto cleanup; 3514 s = pool_get(&pf_state_pl, PR_NOWAIT); 3515 if (s == NULL) { 3516 cleanup: 3517 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3518 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3519 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3520 pf_status.src_nodes--; 3521 pool_put(&pf_src_tree_pl, sn); 3522 } 3523 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3524 nsn->expire == 0) { 3525 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3526 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3527 pf_status.src_nodes--; 3528 pool_put(&pf_src_tree_pl, nsn); 3529 } 3530 REASON_SET(&reason, PFRES_MEMORY); 3531 return (PF_DROP); 3532 } 3533 bzero(s, sizeof(*s)); 3534 r->states++; 3535 if (a != NULL) 3536 a->states++; 3537 s->rule.ptr = r; 3538 s->nat_rule.ptr = nr; 3539 if (s->nat_rule.ptr != NULL) 3540 s->nat_rule.ptr->states++; 3541 s->anchor.ptr = a; 3542 s->allow_opts = r->allow_opts; 3543 s->log = r->log & 2; 3544 s->proto = pd->proto; 3545 s->direction = direction; 3546 s->af = af; 3547 if (direction == PF_OUT) { 3548 PF_ACPY(&s->gwy.addr, saddr, af); 3549 PF_ACPY(&s->ext.addr, daddr, af); 3550 if (nr != NULL) 3551 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3552 else 3553 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3554 } else { 3555 PF_ACPY(&s->lan.addr, daddr, af); 3556 PF_ACPY(&s->ext.addr, saddr, af); 3557 if (nr != NULL) 3558 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3559 else 3560 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3561 } 3562 s->src.state = PFOTHERS_SINGLE; 3563 s->dst.state = PFOTHERS_NO_TRAFFIC; 3564 s->creation = time_second; 3565 s->expire = time_second; 3566 s->timeout = PFTM_OTHER_FIRST_PACKET; 3567 pf_set_rt_ifp(s, saddr); 3568 if (sn != NULL) { 3569 s->src_node = sn; 3570 s->src_node->states++; 3571 } 3572 if (nsn != NULL) { 3573 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3574 s->nat_src_node = nsn; 3575 s->nat_src_node->states++; 3576 } 3577 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3578 REASON_SET(&reason, PFRES_MEMORY); 3579 pf_src_tree_remove_state(s); 3580 pool_put(&pf_state_pl, s); 3581 return (PF_DROP); 3582 } else 3583 *sm = s; 3584 } 3585 3586 return (PF_PASS); 3587 } 3588 3589 int 3590 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, 3591 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am, 3592 struct pf_ruleset **rsm) 3593 { 3594 struct pf_rule *r, *a = NULL; 3595 struct pf_ruleset *ruleset = NULL; 3596 sa_family_t af = pd->af; 3597 u_short reason; 3598 int tag = -1; 3599 3600 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3601 while (r != NULL) { 3602 r->evaluations++; 3603 if (r->kif != NULL && 3604 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3605 r = r->skip[PF_SKIP_IFP].ptr; 3606 else if (r->direction && r->direction != direction) 3607 r = r->skip[PF_SKIP_DIR].ptr; 3608 else if (r->af && r->af != af) 3609 r = r->skip[PF_SKIP_AF].ptr; 3610 else if (r->proto && r->proto != pd->proto) 3611 r = r->skip[PF_SKIP_PROTO].ptr; 3612 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3613 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3614 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3615 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3616 else if (r->tos && !(r->tos & pd->tos)) 3617 r = TAILQ_NEXT(r, entries); 3618 else if (r->src.port_op || r->dst.port_op || 3619 r->flagset || r->type || r->code || 3620 r->os_fingerprint != PF_OSFP_ANY) 3621 r = TAILQ_NEXT(r, entries); 3622 else if (r->match_tag && !pf_match_tag(m, r, NULL, &tag)) 3623 r = TAILQ_NEXT(r, entries); 3624 else if (r->anchorname[0] && r->anchor == NULL) 3625 r = TAILQ_NEXT(r, entries); 3626 else { 3627 if (r->anchor == NULL) { 3628 *rm = r; 3629 *am = a; 3630 *rsm = ruleset; 3631 if ((*rm)->quick) 3632 break; 3633 r = TAILQ_NEXT(r, entries); 3634 } else 3635 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3636 PF_RULESET_FILTER); 3637 } 3638 if (r == NULL && a != NULL) 3639 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3640 PF_RULESET_FILTER); 3641 } 3642 r = *rm; 3643 a = *am; 3644 ruleset = *rsm; 3645 3646 REASON_SET(&reason, PFRES_MATCH); 3647 3648 if (r->log) 3649 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3650 3651 if (r->action != PF_PASS) 3652 return (PF_DROP); 3653 3654 pf_tag_packet(m, tag); 3655 3656 return (PF_PASS); 3657 } 3658 3659 int 3660 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif, 3661 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 3662 u_short *reason) 3663 { 3664 struct pf_state key; 3665 struct tcphdr *th = pd->hdr.tcp; 3666 u_int16_t win = ntohs(th->th_win); 3667 u_int32_t ack, end, seq; 3668 u_int8_t sws, dws; 3669 int ackskew; 3670 int copyback = 0; 3671 struct pf_state_peer *src, *dst; 3672 3673 key.af = pd->af; 3674 key.proto = IPPROTO_TCP; 3675 if (direction == PF_IN) { 3676 PF_ACPY(&key.ext.addr, pd->src, key.af); 3677 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 3678 key.ext.port = th->th_sport; 3679 key.gwy.port = th->th_dport; 3680 } else { 3681 PF_ACPY(&key.lan.addr, pd->src, key.af); 3682 PF_ACPY(&key.ext.addr, pd->dst, key.af); 3683 key.lan.port = th->th_sport; 3684 key.ext.port = th->th_dport; 3685 } 3686 3687 STATE_LOOKUP(); 3688 3689 if (direction == (*state)->direction) { 3690 src = &(*state)->src; 3691 dst = &(*state)->dst; 3692 } else { 3693 src = &(*state)->dst; 3694 dst = &(*state)->src; 3695 } 3696 3697 if ((*state)->src.state == PF_TCPS_PROXY_SRC) { 3698 if (direction != (*state)->direction) 3699 return (PF_SYNPROXY_DROP); 3700 if (th->th_flags & TH_SYN) { 3701 if (ntohl(th->th_seq) != (*state)->src.seqlo) 3702 return (PF_DROP); 3703 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3704 pd->src, th->th_dport, th->th_sport, 3705 (*state)->src.seqhi, ntohl(th->th_seq) + 1, 3706 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0); 3707 return (PF_SYNPROXY_DROP); 3708 } else if (!(th->th_flags & TH_ACK) || 3709 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3710 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3711 return (PF_DROP); 3712 else 3713 (*state)->src.state = PF_TCPS_PROXY_DST; 3714 } 3715 if ((*state)->src.state == PF_TCPS_PROXY_DST) { 3716 struct pf_state_host *src, *dst; 3717 3718 if (direction == PF_OUT) { 3719 src = &(*state)->gwy; 3720 dst = &(*state)->ext; 3721 } else { 3722 src = &(*state)->ext; 3723 dst = &(*state)->lan; 3724 } 3725 if (direction == (*state)->direction) { 3726 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) || 3727 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3728 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3729 return (PF_DROP); 3730 (*state)->src.max_win = MAX(ntohs(th->th_win), 1); 3731 if ((*state)->dst.seqhi == 1) 3732 (*state)->dst.seqhi = arc4random(); 3733 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3734 &dst->addr, src->port, dst->port, 3735 (*state)->dst.seqhi, 0, TH_SYN, 0, 3736 (*state)->src.mss, 0); 3737 return (PF_SYNPROXY_DROP); 3738 } else if (((th->th_flags & (TH_SYN|TH_ACK)) != 3739 (TH_SYN|TH_ACK)) || 3740 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) 3741 return (PF_DROP); 3742 else { 3743 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1); 3744 (*state)->dst.seqlo = ntohl(th->th_seq); 3745 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3746 pd->src, th->th_dport, th->th_sport, 3747 ntohl(th->th_ack), ntohl(th->th_seq) + 1, 3748 TH_ACK, (*state)->src.max_win, 0, 0); 3749 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3750 &dst->addr, src->port, dst->port, 3751 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, 3752 TH_ACK, (*state)->dst.max_win, 0, 0); 3753 (*state)->src.seqdiff = (*state)->dst.seqhi - 3754 (*state)->src.seqlo; 3755 (*state)->dst.seqdiff = (*state)->src.seqhi - 3756 (*state)->dst.seqlo; 3757 (*state)->src.seqhi = (*state)->src.seqlo + 3758 (*state)->src.max_win; 3759 (*state)->dst.seqhi = (*state)->dst.seqlo + 3760 (*state)->dst.max_win; 3761 (*state)->src.wscale = (*state)->dst.wscale = 0; 3762 (*state)->src.state = (*state)->dst.state = 3763 TCPS_ESTABLISHED; 3764 return (PF_SYNPROXY_DROP); 3765 } 3766 } 3767 3768 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) { 3769 sws = src->wscale & PF_WSCALE_MASK; 3770 dws = dst->wscale & PF_WSCALE_MASK; 3771 } else 3772 sws = dws = 0; 3773 3774 /* 3775 * Sequence tracking algorithm from Guido van Rooij's paper: 3776 * http://www.madison-gurkha.com/publications/tcp_filtering/ 3777 * tcp_filtering.ps 3778 */ 3779 3780 seq = ntohl(th->th_seq); 3781 if (src->seqlo == 0) { 3782 /* First packet from this end. Set its state */ 3783 3784 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) && 3785 src->scrub == NULL) { 3786 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) { 3787 REASON_SET(reason, PFRES_MEMORY); 3788 return (PF_DROP); 3789 } 3790 } 3791 3792 /* Deferred generation of sequence number modulator */ 3793 if (dst->seqdiff && !src->seqdiff) { 3794 while ((src->seqdiff = arc4random()) == 0) 3795 ; 3796 ack = ntohl(th->th_ack) - dst->seqdiff; 3797 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3798 src->seqdiff), 0); 3799 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3800 copyback = 1; 3801 } else { 3802 ack = ntohl(th->th_ack); 3803 } 3804 3805 end = seq + pd->p_len; 3806 if (th->th_flags & TH_SYN) { 3807 end++; 3808 if (dst->wscale & PF_WSCALE_FLAG) { 3809 src->wscale = pf_get_wscale(m, off, th->th_off, 3810 pd->af); 3811 if (src->wscale & PF_WSCALE_FLAG) { 3812 /* Remove scale factor from initial 3813 * window */ 3814 sws = src->wscale & PF_WSCALE_MASK; 3815 win = ((u_int32_t)win + (1 << sws) - 1) 3816 >> sws; 3817 dws = dst->wscale & PF_WSCALE_MASK; 3818 } else { 3819 /* fixup other window */ 3820 dst->max_win <<= dst->wscale & 3821 PF_WSCALE_MASK; 3822 /* in case of a retrans SYN|ACK */ 3823 dst->wscale = 0; 3824 } 3825 } 3826 } 3827 if (th->th_flags & TH_FIN) 3828 end++; 3829 3830 src->seqlo = seq; 3831 if (src->state < TCPS_SYN_SENT) 3832 src->state = TCPS_SYN_SENT; 3833 3834 /* 3835 * May need to slide the window (seqhi may have been set by 3836 * the crappy stack check or if we picked up the connection 3837 * after establishment) 3838 */ 3839 if (src->seqhi == 1 || 3840 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) 3841 src->seqhi = end + MAX(1, dst->max_win << dws); 3842 if (win > src->max_win) 3843 src->max_win = win; 3844 3845 } else { 3846 ack = ntohl(th->th_ack) - dst->seqdiff; 3847 if (src->seqdiff) { 3848 /* Modulate sequence numbers */ 3849 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3850 src->seqdiff), 0); 3851 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3852 copyback = 1; 3853 } 3854 end = seq + pd->p_len; 3855 if (th->th_flags & TH_SYN) 3856 end++; 3857 if (th->th_flags & TH_FIN) 3858 end++; 3859 } 3860 3861 if ((th->th_flags & TH_ACK) == 0) { 3862 /* Let it pass through the ack skew check */ 3863 ack = dst->seqlo; 3864 } else if ((ack == 0 && 3865 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) || 3866 /* broken tcp stacks do not set ack */ 3867 (dst->state < TCPS_SYN_SENT)) { 3868 /* 3869 * Many stacks (ours included) will set the ACK number in an 3870 * FIN|ACK if the SYN times out -- no sequence to ACK. 3871 */ 3872 ack = dst->seqlo; 3873 } 3874 3875 if (seq == end) { 3876 /* Ease sequencing restrictions on no data packets */ 3877 seq = src->seqlo; 3878 end = seq; 3879 } 3880 3881 ackskew = dst->seqlo - ack; 3882 3883 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ 3884 if (SEQ_GEQ(src->seqhi, end) && 3885 /* Last octet inside other's window space */ 3886 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) && 3887 /* Retrans: not more than one window back */ 3888 (ackskew >= -MAXACKWINDOW) && 3889 /* Acking not more than one reassembled fragment backwards */ 3890 (ackskew <= (MAXACKWINDOW << sws))) { 3891 /* Acking not more than one window forward */ 3892 3893 /* update max window */ 3894 if (src->max_win < win) 3895 src->max_win = win; 3896 /* synchronize sequencing */ 3897 if (SEQ_GT(end, src->seqlo)) 3898 src->seqlo = end; 3899 /* slide the window of what the other end can send */ 3900 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 3901 dst->seqhi = ack + MAX((win << sws), 1); 3902 3903 3904 /* update states */ 3905 if (th->th_flags & TH_SYN) 3906 if (src->state < TCPS_SYN_SENT) 3907 src->state = TCPS_SYN_SENT; 3908 if (th->th_flags & TH_FIN) 3909 if (src->state < TCPS_CLOSING) 3910 src->state = TCPS_CLOSING; 3911 if (th->th_flags & TH_ACK) { 3912 if (dst->state == TCPS_SYN_SENT) 3913 dst->state = TCPS_ESTABLISHED; 3914 else if (dst->state == TCPS_CLOSING) 3915 dst->state = TCPS_FIN_WAIT_2; 3916 } 3917 if (th->th_flags & TH_RST) 3918 src->state = dst->state = TCPS_TIME_WAIT; 3919 3920 /* update expire time */ 3921 (*state)->expire = time_second; 3922 if (src->state >= TCPS_FIN_WAIT_2 && 3923 dst->state >= TCPS_FIN_WAIT_2) 3924 (*state)->timeout = PFTM_TCP_CLOSED; 3925 else if (src->state >= TCPS_FIN_WAIT_2 || 3926 dst->state >= TCPS_FIN_WAIT_2) 3927 (*state)->timeout = PFTM_TCP_FIN_WAIT; 3928 else if (src->state < TCPS_ESTABLISHED || 3929 dst->state < TCPS_ESTABLISHED) 3930 (*state)->timeout = PFTM_TCP_OPENING; 3931 else if (src->state >= TCPS_CLOSING || 3932 dst->state >= TCPS_CLOSING) 3933 (*state)->timeout = PFTM_TCP_CLOSING; 3934 else 3935 (*state)->timeout = PFTM_TCP_ESTABLISHED; 3936 3937 /* Fall through to PASS packet */ 3938 3939 } else if ((dst->state < TCPS_SYN_SENT || 3940 dst->state >= TCPS_FIN_WAIT_2 || 3941 src->state >= TCPS_FIN_WAIT_2) && 3942 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) && 3943 /* Within a window forward of the originating packet */ 3944 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) { 3945 /* Within a window backward of the originating packet */ 3946 3947 /* 3948 * This currently handles three situations: 3949 * 1) Stupid stacks will shotgun SYNs before their peer 3950 * replies. 3951 * 2) When PF catches an already established stream (the 3952 * firewall rebooted, the state table was flushed, routes 3953 * changed...) 3954 * 3) Packets get funky immediately after the connection 3955 * closes (this should catch Solaris spurious ACK|FINs 3956 * that web servers like to spew after a close) 3957 * 3958 * This must be a little more careful than the above code 3959 * since packet floods will also be caught here. We don't 3960 * update the TTL here to mitigate the damage of a packet 3961 * flood and so the same code can handle awkward establishment 3962 * and a loosened connection close. 3963 * In the establishment case, a correct peer response will 3964 * validate the connection, go through the normal state code 3965 * and keep updating the state TTL. 3966 */ 3967 3968 if (pf_status.debug >= PF_DEBUG_MISC) { 3969 printf("pf: loose state match: "); 3970 pf_print_state(*state); 3971 pf_print_flags(th->th_flags); 3972 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n", 3973 seq, ack, pd->p_len, ackskew, 3974 (*state)->packets[0], (*state)->packets[1]); 3975 } 3976 3977 /* update max window */ 3978 if (src->max_win < win) 3979 src->max_win = win; 3980 /* synchronize sequencing */ 3981 if (SEQ_GT(end, src->seqlo)) 3982 src->seqlo = end; 3983 /* slide the window of what the other end can send */ 3984 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 3985 dst->seqhi = ack + MAX((win << sws), 1); 3986 3987 /* 3988 * Cannot set dst->seqhi here since this could be a shotgunned 3989 * SYN and not an already established connection. 3990 */ 3991 3992 if (th->th_flags & TH_FIN) 3993 if (src->state < TCPS_CLOSING) 3994 src->state = TCPS_CLOSING; 3995 if (th->th_flags & TH_RST) 3996 src->state = dst->state = TCPS_TIME_WAIT; 3997 3998 /* Fall through to PASS packet */ 3999 4000 } else { 4001 if ((*state)->dst.state == TCPS_SYN_SENT && 4002 (*state)->src.state == TCPS_SYN_SENT) { 4003 /* Send RST for state mismatches during handshake */ 4004 if (!(th->th_flags & TH_RST)) { 4005 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 4006 4007 if (th->th_flags & TH_SYN) 4008 ack++; 4009 if (th->th_flags & TH_FIN) 4010 ack++; 4011 pf_send_tcp((*state)->rule.ptr, pd->af, 4012 pd->dst, pd->src, th->th_dport, 4013 th->th_sport, ntohl(th->th_ack), ack, 4014 TH_RST|TH_ACK, 0, 0, 4015 (*state)->rule.ptr->return_ttl); 4016 } 4017 src->seqlo = 0; 4018 src->seqhi = 1; 4019 src->max_win = 1; 4020 } else if (pf_status.debug >= PF_DEBUG_MISC) { 4021 printf("pf: BAD state: "); 4022 pf_print_state(*state); 4023 pf_print_flags(th->th_flags); 4024 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d " 4025 "dir=%s,%s\n", seq, ack, pd->p_len, ackskew, 4026 (*state)->packets[0], (*state)->packets[1], 4027 direction == PF_IN ? "in" : "out", 4028 direction == (*state)->direction ? "fwd" : "rev"); 4029 printf("pf: State failure on: %c %c %c %c | %c %c\n", 4030 SEQ_GEQ(src->seqhi, end) ? ' ' : '1', 4031 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? 4032 ' ': '2', 4033 (ackskew >= -MAXACKWINDOW) ? ' ' : '3', 4034 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', 4035 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', 4036 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); 4037 } 4038 return (PF_DROP); 4039 } 4040 4041 if (dst->scrub || src->scrub) { 4042 if (pf_normalize_tcp_stateful(m, off, pd, reason, th, 4043 src, dst, ©back)) 4044 return (PF_DROP); 4045 } 4046 4047 /* Any packets which have gotten here are to be passed */ 4048 4049 /* translate source/destination address, if necessary */ 4050 if (STATE_TRANSLATE(*state)) { 4051 if (direction == PF_OUT) 4052 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum, 4053 &th->th_sum, &(*state)->gwy.addr, 4054 (*state)->gwy.port, 0, pd->af); 4055 else 4056 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum, 4057 &th->th_sum, &(*state)->lan.addr, 4058 (*state)->lan.port, 0, pd->af); 4059 m_copyback(m, off, sizeof(*th), (caddr_t)th); 4060 } else if (copyback) { 4061 /* Copyback sequence modulation or stateful scrub changes */ 4062 m_copyback(m, off, sizeof(*th), (caddr_t)th); 4063 } 4064 4065 return (PF_PASS); 4066 } 4067 4068 int 4069 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif, 4070 struct mbuf *m, int off, void *h, struct pf_pdesc *pd) 4071 { 4072 struct pf_state_peer *src, *dst; 4073 struct pf_state key; 4074 struct udphdr *uh = pd->hdr.udp; 4075 4076 key.af = pd->af; 4077 key.proto = IPPROTO_UDP; 4078 if (direction == PF_IN) { 4079 PF_ACPY(&key.ext.addr, pd->src, key.af); 4080 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4081 key.ext.port = uh->uh_sport; 4082 key.gwy.port = uh->uh_dport; 4083 } else { 4084 PF_ACPY(&key.lan.addr, pd->src, key.af); 4085 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4086 key.lan.port = uh->uh_sport; 4087 key.ext.port = uh->uh_dport; 4088 } 4089 4090 STATE_LOOKUP(); 4091 4092 if (direction == (*state)->direction) { 4093 src = &(*state)->src; 4094 dst = &(*state)->dst; 4095 } else { 4096 src = &(*state)->dst; 4097 dst = &(*state)->src; 4098 } 4099 4100 /* update states */ 4101 if (src->state < PFUDPS_SINGLE) 4102 src->state = PFUDPS_SINGLE; 4103 if (dst->state == PFUDPS_SINGLE) 4104 dst->state = PFUDPS_MULTIPLE; 4105 4106 /* update expire time */ 4107 (*state)->expire = time_second; 4108 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) 4109 (*state)->timeout = PFTM_UDP_MULTIPLE; 4110 else 4111 (*state)->timeout = PFTM_UDP_SINGLE; 4112 4113 /* translate source/destination address, if necessary */ 4114 if (STATE_TRANSLATE(*state)) { 4115 if (direction == PF_OUT) 4116 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum, 4117 &uh->uh_sum, &(*state)->gwy.addr, 4118 (*state)->gwy.port, 1, pd->af); 4119 else 4120 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum, 4121 &uh->uh_sum, &(*state)->lan.addr, 4122 (*state)->lan.port, 1, pd->af); 4123 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 4124 } 4125 4126 return (PF_PASS); 4127 } 4128 4129 int 4130 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, 4131 struct mbuf *m, int off, void *h, struct pf_pdesc *pd) 4132 { 4133 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 4134 u_int16_t icmpid = 0; 4135 u_int16_t *icmpsum = NULL; 4136 u_int8_t icmptype = 0; 4137 int state_icmp = 0; 4138 4139 switch (pd->proto) { 4140 #ifdef INET 4141 case IPPROTO_ICMP: 4142 icmptype = pd->hdr.icmp->icmp_type; 4143 icmpid = pd->hdr.icmp->icmp_id; 4144 icmpsum = &pd->hdr.icmp->icmp_cksum; 4145 4146 if (icmptype == ICMP_UNREACH || 4147 icmptype == ICMP_SOURCEQUENCH || 4148 icmptype == ICMP_REDIRECT || 4149 icmptype == ICMP_TIMXCEED || 4150 icmptype == ICMP_PARAMPROB) 4151 state_icmp++; 4152 break; 4153 #endif /* INET */ 4154 #ifdef INET6 4155 case IPPROTO_ICMPV6: 4156 icmptype = pd->hdr.icmp6->icmp6_type; 4157 icmpid = pd->hdr.icmp6->icmp6_id; 4158 icmpsum = &pd->hdr.icmp6->icmp6_cksum; 4159 4160 if (icmptype == ICMP6_DST_UNREACH || 4161 icmptype == ICMP6_PACKET_TOO_BIG || 4162 icmptype == ICMP6_TIME_EXCEEDED || 4163 icmptype == ICMP6_PARAM_PROB) 4164 state_icmp++; 4165 break; 4166 #endif /* INET6 */ 4167 } 4168 4169 if (!state_icmp) { 4170 4171 /* 4172 * ICMP query/reply message not related to a TCP/UDP packet. 4173 * Search for an ICMP state. 4174 */ 4175 struct pf_state key; 4176 4177 key.af = pd->af; 4178 key.proto = pd->proto; 4179 if (direction == PF_IN) { 4180 PF_ACPY(&key.ext.addr, pd->src, key.af); 4181 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4182 key.ext.port = icmpid; 4183 key.gwy.port = icmpid; 4184 } else { 4185 PF_ACPY(&key.lan.addr, pd->src, key.af); 4186 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4187 key.lan.port = icmpid; 4188 key.ext.port = icmpid; 4189 } 4190 4191 STATE_LOOKUP(); 4192 4193 (*state)->expire = time_second; 4194 (*state)->timeout = PFTM_ICMP_ERROR_REPLY; 4195 4196 /* translate source/destination address, if necessary */ 4197 if (PF_ANEQ(&(*state)->lan.addr, &(*state)->gwy.addr, pd->af)) { 4198 if (direction == PF_OUT) { 4199 switch (pd->af) { 4200 #ifdef INET 4201 case AF_INET: 4202 pf_change_a(&saddr->v4.s_addr, 4203 pd->ip_sum, 4204 (*state)->gwy.addr.v4.s_addr, 0); 4205 break; 4206 #endif /* INET */ 4207 #ifdef INET6 4208 case AF_INET6: 4209 pf_change_a6(saddr, 4210 &pd->hdr.icmp6->icmp6_cksum, 4211 &(*state)->gwy.addr, 0); 4212 m_copyback(m, off, 4213 sizeof(struct icmp6_hdr), 4214 (caddr_t)pd->hdr.icmp6); 4215 break; 4216 #endif /* INET6 */ 4217 } 4218 } else { 4219 switch (pd->af) { 4220 #ifdef INET 4221 case AF_INET: 4222 pf_change_a(&daddr->v4.s_addr, 4223 pd->ip_sum, 4224 (*state)->lan.addr.v4.s_addr, 0); 4225 break; 4226 #endif /* INET */ 4227 #ifdef INET6 4228 case AF_INET6: 4229 pf_change_a6(daddr, 4230 &pd->hdr.icmp6->icmp6_cksum, 4231 &(*state)->lan.addr, 0); 4232 m_copyback(m, off, 4233 sizeof(struct icmp6_hdr), 4234 (caddr_t)pd->hdr.icmp6); 4235 break; 4236 #endif /* INET6 */ 4237 } 4238 } 4239 } 4240 4241 return (PF_PASS); 4242 4243 } else { 4244 /* 4245 * ICMP error message in response to a TCP/UDP packet. 4246 * Extract the inner TCP/UDP header and search for that state. 4247 */ 4248 4249 struct pf_pdesc pd2; 4250 #ifdef INET 4251 struct ip h2; 4252 #endif /* INET */ 4253 #ifdef INET6 4254 struct ip6_hdr h2_6; 4255 int terminal = 0; 4256 #endif /* INET6 */ 4257 int ipoff2 = 0; 4258 int off2 = 0; 4259 4260 pd2.af = pd->af; 4261 switch (pd->af) { 4262 #ifdef INET 4263 case AF_INET: 4264 /* offset of h2 in mbuf chain */ 4265 ipoff2 = off + ICMP_MINLEN; 4266 4267 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2), 4268 NULL, NULL, pd2.af)) { 4269 DPFPRINTF(PF_DEBUG_MISC, 4270 ("pf: ICMP error message too short " 4271 "(ip)\n")); 4272 return (PF_DROP); 4273 } 4274 /* 4275 * ICMP error messages don't refer to non-first 4276 * fragments 4277 */ 4278 /* 4279 * Note: We are dealing with an encapsulated 4280 * header. This means ip_off/ip_len are not 4281 * in host byte order! 4282 */ 4283 if (h2.ip_off & htons(IP_OFFMASK)) 4284 return (PF_DROP); 4285 4286 /* offset of protocol header that follows h2 */ 4287 off2 = ipoff2 + (h2.ip_hl << 2); 4288 4289 pd2.proto = h2.ip_p; 4290 pd2.src = (struct pf_addr *)&h2.ip_src; 4291 pd2.dst = (struct pf_addr *)&h2.ip_dst; 4292 pd2.ip_sum = &h2.ip_sum; 4293 break; 4294 #endif /* INET */ 4295 #ifdef INET6 4296 case AF_INET6: 4297 ipoff2 = off + sizeof(struct icmp6_hdr); 4298 4299 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6), 4300 NULL, NULL, pd2.af)) { 4301 DPFPRINTF(PF_DEBUG_MISC, 4302 ("pf: ICMP error message too short " 4303 "(ip6)\n")); 4304 return (PF_DROP); 4305 } 4306 pd2.proto = h2_6.ip6_nxt; 4307 pd2.src = (struct pf_addr *)&h2_6.ip6_src; 4308 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst; 4309 pd2.ip_sum = NULL; 4310 off2 = ipoff2 + sizeof(h2_6); 4311 do { 4312 switch (pd2.proto) { 4313 case IPPROTO_FRAGMENT: 4314 /* 4315 * ICMPv6 error messages for 4316 * non-first fragments 4317 */ 4318 return (PF_DROP); 4319 case IPPROTO_AH: 4320 case IPPROTO_HOPOPTS: 4321 case IPPROTO_ROUTING: 4322 case IPPROTO_DSTOPTS: { 4323 /* get next header and header length */ 4324 struct ip6_ext opt6; 4325 4326 if (!pf_pull_hdr(m, off2, &opt6, 4327 sizeof(opt6), NULL, NULL, pd2.af)) { 4328 DPFPRINTF(PF_DEBUG_MISC, 4329 ("pf: ICMPv6 short opt\n")); 4330 return (PF_DROP); 4331 } 4332 if (pd2.proto == IPPROTO_AH) 4333 off2 += (opt6.ip6e_len + 2) * 4; 4334 else 4335 off2 += (opt6.ip6e_len + 1) * 8; 4336 pd2.proto = opt6.ip6e_nxt; 4337 /* goto the next header */ 4338 break; 4339 } 4340 default: 4341 terminal++; 4342 break; 4343 } 4344 } while (!terminal); 4345 break; 4346 #endif /* INET6 */ 4347 } 4348 4349 switch (pd2.proto) { 4350 case IPPROTO_TCP: { 4351 struct tcphdr th; 4352 u_int32_t seq; 4353 struct pf_state key; 4354 struct pf_state_peer *src, *dst; 4355 u_int8_t dws; 4356 int copyback = 0; 4357 4358 /* 4359 * Only the first 8 bytes of the TCP header can be 4360 * expected. Don't access any TCP header fields after 4361 * th_seq, an ackskew test is not possible. 4362 */ 4363 if (!pf_pull_hdr(m, off2, &th, 8, NULL, NULL, pd2.af)) { 4364 DPFPRINTF(PF_DEBUG_MISC, 4365 ("pf: ICMP error message too short " 4366 "(tcp)\n")); 4367 return (PF_DROP); 4368 } 4369 4370 key.af = pd2.af; 4371 key.proto = IPPROTO_TCP; 4372 if (direction == PF_IN) { 4373 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4374 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4375 key.ext.port = th.th_dport; 4376 key.gwy.port = th.th_sport; 4377 } else { 4378 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4379 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4380 key.lan.port = th.th_dport; 4381 key.ext.port = th.th_sport; 4382 } 4383 4384 STATE_LOOKUP(); 4385 4386 if (direction == (*state)->direction) { 4387 src = &(*state)->dst; 4388 dst = &(*state)->src; 4389 } else { 4390 src = &(*state)->src; 4391 dst = &(*state)->dst; 4392 } 4393 4394 if (src->wscale && dst->wscale && 4395 !(th.th_flags & TH_SYN)) 4396 dws = dst->wscale & PF_WSCALE_MASK; 4397 else 4398 dws = 0; 4399 4400 /* Demodulate sequence number */ 4401 seq = ntohl(th.th_seq) - src->seqdiff; 4402 if (src->seqdiff) { 4403 pf_change_a(&th.th_seq, icmpsum, 4404 htonl(seq), 0); 4405 copyback = 1; 4406 } 4407 4408 if (!SEQ_GEQ(src->seqhi, seq) || 4409 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) { 4410 if (pf_status.debug >= PF_DEBUG_MISC) { 4411 printf("pf: BAD ICMP %d:%d ", 4412 icmptype, pd->hdr.icmp->icmp_code); 4413 pf_print_host(pd->src, 0, pd->af); 4414 printf(" -> "); 4415 pf_print_host(pd->dst, 0, pd->af); 4416 printf(" state: "); 4417 pf_print_state(*state); 4418 printf(" seq=%u\n", seq); 4419 } 4420 return (PF_DROP); 4421 } 4422 4423 if (STATE_TRANSLATE(*state)) { 4424 if (direction == PF_IN) { 4425 pf_change_icmp(pd2.src, &th.th_sport, 4426 daddr, &(*state)->lan.addr, 4427 (*state)->lan.port, NULL, 4428 pd2.ip_sum, icmpsum, 4429 pd->ip_sum, 0, pd2.af); 4430 } else { 4431 pf_change_icmp(pd2.dst, &th.th_dport, 4432 saddr, &(*state)->gwy.addr, 4433 (*state)->gwy.port, NULL, 4434 pd2.ip_sum, icmpsum, 4435 pd->ip_sum, 0, pd2.af); 4436 } 4437 copyback = 1; 4438 } 4439 4440 if (copyback) { 4441 switch (pd2.af) { 4442 #ifdef INET 4443 case AF_INET: 4444 m_copyback(m, off, ICMP_MINLEN, 4445 (caddr_t)pd->hdr.icmp); 4446 m_copyback(m, ipoff2, sizeof(h2), 4447 (caddr_t)&h2); 4448 break; 4449 #endif /* INET */ 4450 #ifdef INET6 4451 case AF_INET6: 4452 m_copyback(m, off, 4453 sizeof(struct icmp6_hdr), 4454 (caddr_t)pd->hdr.icmp6); 4455 m_copyback(m, ipoff2, sizeof(h2_6), 4456 (caddr_t)&h2_6); 4457 break; 4458 #endif /* INET6 */ 4459 } 4460 m_copyback(m, off2, 8, (caddr_t)&th); 4461 } 4462 4463 return (PF_PASS); 4464 break; 4465 } 4466 case IPPROTO_UDP: { 4467 struct udphdr uh; 4468 struct pf_state key; 4469 4470 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh), 4471 NULL, NULL, pd2.af)) { 4472 DPFPRINTF(PF_DEBUG_MISC, 4473 ("pf: ICMP error message too short " 4474 "(udp)\n")); 4475 return (PF_DROP); 4476 } 4477 4478 key.af = pd2.af; 4479 key.proto = IPPROTO_UDP; 4480 if (direction == PF_IN) { 4481 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4482 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4483 key.ext.port = uh.uh_dport; 4484 key.gwy.port = uh.uh_sport; 4485 } else { 4486 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4487 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4488 key.lan.port = uh.uh_dport; 4489 key.ext.port = uh.uh_sport; 4490 } 4491 4492 STATE_LOOKUP(); 4493 4494 if (STATE_TRANSLATE(*state)) { 4495 if (direction == PF_IN) { 4496 pf_change_icmp(pd2.src, &uh.uh_sport, 4497 daddr, &(*state)->lan.addr, 4498 (*state)->lan.port, &uh.uh_sum, 4499 pd2.ip_sum, icmpsum, 4500 pd->ip_sum, 1, pd2.af); 4501 } else { 4502 pf_change_icmp(pd2.dst, &uh.uh_dport, 4503 saddr, &(*state)->gwy.addr, 4504 (*state)->gwy.port, &uh.uh_sum, 4505 pd2.ip_sum, icmpsum, 4506 pd->ip_sum, 1, pd2.af); 4507 } 4508 switch (pd2.af) { 4509 #ifdef INET 4510 case AF_INET: 4511 m_copyback(m, off, ICMP_MINLEN, 4512 (caddr_t)pd->hdr.icmp); 4513 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); 4514 break; 4515 #endif /* INET */ 4516 #ifdef INET6 4517 case AF_INET6: 4518 m_copyback(m, off, 4519 sizeof(struct icmp6_hdr), 4520 (caddr_t)pd->hdr.icmp6); 4521 m_copyback(m, ipoff2, sizeof(h2_6), 4522 (caddr_t)&h2_6); 4523 break; 4524 #endif /* INET6 */ 4525 } 4526 m_copyback(m, off2, sizeof(uh), (caddr_t)&uh); 4527 } 4528 4529 return (PF_PASS); 4530 break; 4531 } 4532 #ifdef INET 4533 case IPPROTO_ICMP: { 4534 struct icmp iih; 4535 struct pf_state key; 4536 4537 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN, 4538 NULL, NULL, pd2.af)) { 4539 DPFPRINTF(PF_DEBUG_MISC, 4540 ("pf: ICMP error message too short i" 4541 "(icmp)\n")); 4542 return (PF_DROP); 4543 } 4544 4545 key.af = pd2.af; 4546 key.proto = IPPROTO_ICMP; 4547 if (direction == PF_IN) { 4548 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4549 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4550 key.ext.port = iih.icmp_id; 4551 key.gwy.port = iih.icmp_id; 4552 } else { 4553 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4554 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4555 key.lan.port = iih.icmp_id; 4556 key.ext.port = iih.icmp_id; 4557 } 4558 4559 STATE_LOOKUP(); 4560 4561 if (STATE_TRANSLATE(*state)) { 4562 if (direction == PF_IN) { 4563 pf_change_icmp(pd2.src, &iih.icmp_id, 4564 daddr, &(*state)->lan.addr, 4565 (*state)->lan.port, NULL, 4566 pd2.ip_sum, icmpsum, 4567 pd->ip_sum, 0, AF_INET); 4568 } else { 4569 pf_change_icmp(pd2.dst, &iih.icmp_id, 4570 saddr, &(*state)->gwy.addr, 4571 (*state)->gwy.port, NULL, 4572 pd2.ip_sum, icmpsum, 4573 pd->ip_sum, 0, AF_INET); 4574 } 4575 m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp); 4576 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); 4577 m_copyback(m, off2, ICMP_MINLEN, (caddr_t)&iih); 4578 } 4579 4580 return (PF_PASS); 4581 break; 4582 } 4583 #endif /* INET */ 4584 #ifdef INET6 4585 case IPPROTO_ICMPV6: { 4586 struct icmp6_hdr iih; 4587 struct pf_state key; 4588 4589 if (!pf_pull_hdr(m, off2, &iih, 4590 sizeof(struct icmp6_hdr), NULL, NULL, pd2.af)) { 4591 DPFPRINTF(PF_DEBUG_MISC, 4592 ("pf: ICMP error message too short " 4593 "(icmp6)\n")); 4594 return (PF_DROP); 4595 } 4596 4597 key.af = pd2.af; 4598 key.proto = IPPROTO_ICMPV6; 4599 if (direction == PF_IN) { 4600 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4601 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4602 key.ext.port = iih.icmp6_id; 4603 key.gwy.port = iih.icmp6_id; 4604 } else { 4605 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4606 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4607 key.lan.port = iih.icmp6_id; 4608 key.ext.port = iih.icmp6_id; 4609 } 4610 4611 STATE_LOOKUP(); 4612 4613 if (STATE_TRANSLATE(*state)) { 4614 if (direction == PF_IN) { 4615 pf_change_icmp(pd2.src, &iih.icmp6_id, 4616 daddr, &(*state)->lan.addr, 4617 (*state)->lan.port, NULL, 4618 pd2.ip_sum, icmpsum, 4619 pd->ip_sum, 0, AF_INET6); 4620 } else { 4621 pf_change_icmp(pd2.dst, &iih.icmp6_id, 4622 saddr, &(*state)->gwy.addr, 4623 (*state)->gwy.port, NULL, 4624 pd2.ip_sum, icmpsum, 4625 pd->ip_sum, 0, AF_INET6); 4626 } 4627 m_copyback(m, off, sizeof(struct icmp6_hdr), 4628 (caddr_t)pd->hdr.icmp6); 4629 m_copyback(m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6); 4630 m_copyback(m, off2, sizeof(struct icmp6_hdr), 4631 (caddr_t)&iih); 4632 } 4633 4634 return (PF_PASS); 4635 break; 4636 } 4637 #endif /* INET6 */ 4638 default: { 4639 struct pf_state key; 4640 4641 key.af = pd2.af; 4642 key.proto = pd2.proto; 4643 if (direction == PF_IN) { 4644 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4645 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4646 key.ext.port = 0; 4647 key.gwy.port = 0; 4648 } else { 4649 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4650 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4651 key.lan.port = 0; 4652 key.ext.port = 0; 4653 } 4654 4655 STATE_LOOKUP(); 4656 4657 if (STATE_TRANSLATE(*state)) { 4658 if (direction == PF_IN) { 4659 pf_change_icmp(pd2.src, NULL, 4660 daddr, &(*state)->lan.addr, 4661 0, NULL, 4662 pd2.ip_sum, icmpsum, 4663 pd->ip_sum, 0, pd2.af); 4664 } else { 4665 pf_change_icmp(pd2.dst, NULL, 4666 saddr, &(*state)->gwy.addr, 4667 0, NULL, 4668 pd2.ip_sum, icmpsum, 4669 pd->ip_sum, 0, pd2.af); 4670 } 4671 switch (pd2.af) { 4672 #ifdef INET 4673 case AF_INET: 4674 m_copyback(m, off, ICMP_MINLEN, 4675 (caddr_t)pd->hdr.icmp); 4676 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); 4677 break; 4678 #endif /* INET */ 4679 #ifdef INET6 4680 case AF_INET6: 4681 m_copyback(m, off, 4682 sizeof(struct icmp6_hdr), 4683 (caddr_t)pd->hdr.icmp6); 4684 m_copyback(m, ipoff2, sizeof(h2_6), 4685 (caddr_t)&h2_6); 4686 break; 4687 #endif /* INET6 */ 4688 } 4689 } 4690 4691 return (PF_PASS); 4692 break; 4693 } 4694 } 4695 } 4696 } 4697 4698 int 4699 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif, 4700 struct pf_pdesc *pd) 4701 { 4702 struct pf_state_peer *src, *dst; 4703 struct pf_state key; 4704 4705 key.af = pd->af; 4706 key.proto = pd->proto; 4707 if (direction == PF_IN) { 4708 PF_ACPY(&key.ext.addr, pd->src, key.af); 4709 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4710 key.ext.port = 0; 4711 key.gwy.port = 0; 4712 } else { 4713 PF_ACPY(&key.lan.addr, pd->src, key.af); 4714 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4715 key.lan.port = 0; 4716 key.ext.port = 0; 4717 } 4718 4719 STATE_LOOKUP(); 4720 4721 if (direction == (*state)->direction) { 4722 src = &(*state)->src; 4723 dst = &(*state)->dst; 4724 } else { 4725 src = &(*state)->dst; 4726 dst = &(*state)->src; 4727 } 4728 4729 /* update states */ 4730 if (src->state < PFOTHERS_SINGLE) 4731 src->state = PFOTHERS_SINGLE; 4732 if (dst->state == PFOTHERS_SINGLE) 4733 dst->state = PFOTHERS_MULTIPLE; 4734 4735 /* update expire time */ 4736 (*state)->expire = time_second; 4737 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) 4738 (*state)->timeout = PFTM_OTHER_MULTIPLE; 4739 else 4740 (*state)->timeout = PFTM_OTHER_SINGLE; 4741 4742 /* translate source/destination address, if necessary */ 4743 if (STATE_TRANSLATE(*state)) { 4744 if (direction == PF_OUT) 4745 switch (pd->af) { 4746 #ifdef INET 4747 case AF_INET: 4748 pf_change_a(&pd->src->v4.s_addr, 4749 pd->ip_sum, (*state)->gwy.addr.v4.s_addr, 4750 0); 4751 break; 4752 #endif /* INET */ 4753 #ifdef INET6 4754 case AF_INET6: 4755 PF_ACPY(pd->src, &(*state)->gwy.addr, pd->af); 4756 break; 4757 #endif /* INET6 */ 4758 } 4759 else 4760 switch (pd->af) { 4761 #ifdef INET 4762 case AF_INET: 4763 pf_change_a(&pd->dst->v4.s_addr, 4764 pd->ip_sum, (*state)->lan.addr.v4.s_addr, 4765 0); 4766 break; 4767 #endif /* INET */ 4768 #ifdef INET6 4769 case AF_INET6: 4770 PF_ACPY(pd->dst, &(*state)->lan.addr, pd->af); 4771 break; 4772 #endif /* INET6 */ 4773 } 4774 } 4775 4776 return (PF_PASS); 4777 } 4778 4779 /* 4780 * ipoff and off are measured from the start of the mbuf chain. 4781 * h must be at "ipoff" on the mbuf chain. 4782 */ 4783 void * 4784 pf_pull_hdr(struct mbuf *m, int off, void *p, int len, 4785 u_short *actionp, u_short *reasonp, sa_family_t af) 4786 { 4787 switch (af) { 4788 #ifdef INET 4789 case AF_INET: { 4790 struct ip *h = mtod(m, struct ip *); 4791 u_int16_t fragoff = (h->ip_off & IP_OFFMASK) << 3; 4792 4793 if (fragoff) { 4794 if (fragoff >= len) 4795 ACTION_SET(actionp, PF_PASS); 4796 else { 4797 ACTION_SET(actionp, PF_DROP); 4798 REASON_SET(reasonp, PFRES_FRAG); 4799 } 4800 return (NULL); 4801 } 4802 if (m->m_pkthdr.len < off + len || 4803 h->ip_len < off + len) { 4804 ACTION_SET(actionp, PF_DROP); 4805 REASON_SET(reasonp, PFRES_SHORT); 4806 return (NULL); 4807 } 4808 break; 4809 } 4810 #endif /* INET */ 4811 #ifdef INET6 4812 case AF_INET6: { 4813 struct ip6_hdr *h = mtod(m, struct ip6_hdr *); 4814 4815 if (m->m_pkthdr.len < off + len || 4816 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) < 4817 (unsigned)(off + len)) { 4818 ACTION_SET(actionp, PF_DROP); 4819 REASON_SET(reasonp, PFRES_SHORT); 4820 return (NULL); 4821 } 4822 break; 4823 } 4824 #endif /* INET6 */ 4825 } 4826 m_copydata(m, off, len, p); 4827 return (p); 4828 } 4829 4830 int 4831 pf_routable(struct pf_addr *addr, sa_family_t af) 4832 { 4833 struct sockaddr_in *dst; 4834 struct route ro; 4835 int ret = 0; 4836 4837 bzero(&ro, sizeof(ro)); 4838 dst = satosin(&ro.ro_dst); 4839 dst->sin_family = af; 4840 dst->sin_len = sizeof(*dst); 4841 dst->sin_addr = addr->v4; 4842 rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING)); 4843 4844 if (ro.ro_rt != NULL) { 4845 ret = 1; 4846 RTFREE(ro.ro_rt); 4847 } 4848 4849 return (ret); 4850 } 4851 4852 #ifdef INET 4853 void 4854 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 4855 struct pf_state *s) 4856 { 4857 struct mbuf *m0, *m1; 4858 struct route iproute; 4859 struct route *ro = NULL; 4860 struct sockaddr_in *dst; 4861 struct ip *ip; 4862 struct ifnet *ifp = NULL; 4863 struct pf_addr naddr; 4864 struct pf_src_node *sn = NULL; 4865 int error = 0; 4866 int sw_csum; 4867 4868 if (m == NULL || *m == NULL || r == NULL || 4869 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 4870 panic("pf_route: invalid parameters"); 4871 4872 if (((*m)->m_pkthdr.fw_flags & PF_MBUF_ROUTED) == 0) { 4873 (*m)->m_pkthdr.fw_flags |= PF_MBUF_ROUTED; 4874 (*m)->m_pkthdr.pf_routed = 1; 4875 } else { 4876 if ((*m)->m_pkthdr.pf_routed > 3) { 4877 m0 = *m; 4878 *m = NULL; 4879 goto bad; 4880 } 4881 (*m)->m_pkthdr.pf_routed++; 4882 } 4883 4884 if (r->rt == PF_DUPTO) { 4885 if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL) 4886 return; 4887 } else { 4888 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 4889 return; 4890 m0 = *m; 4891 } 4892 4893 if (m0->m_len < sizeof(struct ip)) 4894 panic("pf_route: m0->m_len < sizeof(struct ip)"); 4895 ip = mtod(m0, struct ip *); 4896 4897 ro = &iproute; 4898 bzero((caddr_t)ro, sizeof(*ro)); 4899 dst = satosin(&ro->ro_dst); 4900 dst->sin_family = AF_INET; 4901 dst->sin_len = sizeof(*dst); 4902 dst->sin_addr = ip->ip_dst; 4903 4904 if (r->rt == PF_FASTROUTE) { 4905 rtalloc(ro); 4906 if (ro->ro_rt == 0) { 4907 ipstat.ips_noroute++; 4908 goto bad; 4909 } 4910 4911 ifp = ro->ro_rt->rt_ifp; 4912 ro->ro_rt->rt_use++; 4913 4914 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 4915 dst = satosin(ro->ro_rt->rt_gateway); 4916 } else { 4917 if (TAILQ_EMPTY(&r->rpool.list)) 4918 panic("pf_route: TAILQ_EMPTY(&r->rpool.list)"); 4919 if (s == NULL) { 4920 pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, 4921 &naddr, NULL, &sn); 4922 if (!PF_AZERO(&naddr, AF_INET)) 4923 dst->sin_addr.s_addr = naddr.v4.s_addr; 4924 ifp = r->rpool.cur->kif ? 4925 r->rpool.cur->kif->pfik_ifp : NULL; 4926 } else { 4927 if (!PF_AZERO(&s->rt_addr, AF_INET)) 4928 dst->sin_addr.s_addr = 4929 s->rt_addr.v4.s_addr; 4930 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 4931 } 4932 } 4933 if (ifp == NULL) 4934 goto bad; 4935 4936 if (oifp != ifp) { 4937 if (pf_test(PF_OUT, ifp, &m0) != PF_PASS) 4938 goto bad; 4939 else if (m0 == NULL) 4940 goto done; 4941 if (m0->m_len < sizeof(struct ip)) 4942 panic("pf_route: m0->m_len < sizeof(struct ip)"); 4943 ip = mtod(m0, struct ip *); 4944 } 4945 4946 /* Copied from ip_output. */ 4947 m0->m_pkthdr.csum_flags |= CSUM_IP; 4948 sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist; 4949 if (sw_csum & CSUM_DELAY_DATA) { 4950 in_delayed_cksum(m0); 4951 sw_csum &= ~CSUM_DELAY_DATA; 4952 } 4953 m0->m_pkthdr.csum_flags &= ifp->if_hwassist; 4954 4955 /* 4956 * If small enough for interface, or the interface will take 4957 * care of the fragmentation for us, can just send directly. 4958 */ 4959 if (ip->ip_len <= ifp->if_mtu || ((ifp->if_hwassist & CSUM_FRAGMENT) && 4960 (ip->ip_off & IP_DF) == 0)) { 4961 ip->ip_len = htons(ip->ip_len); 4962 ip->ip_off = htons(ip->ip_off); 4963 ip->ip_sum = 0; 4964 if (sw_csum & CSUM_DELAY_IP) { 4965 /* From KAME */ 4966 if (ip->ip_v == IPVERSION && 4967 (ip->ip_hl << 2) == sizeof(*ip)) { 4968 ip->ip_sum = in_cksum_hdr(ip); 4969 } else { 4970 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); 4971 } 4972 } 4973 4974 lwkt_serialize_enter(ifp->if_serializer); 4975 error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro->ro_rt); 4976 lwkt_serialize_exit(ifp->if_serializer); 4977 goto done; 4978 } 4979 4980 /* 4981 * Too large for interface; fragment if possible. 4982 * Must be able to put at least 8 bytes per fragment. 4983 */ 4984 if (ip->ip_off & IP_DF) { 4985 ipstat.ips_cantfrag++; 4986 if (r->rt != PF_DUPTO) { 4987 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 4988 ifp->if_mtu); 4989 goto done; 4990 } else 4991 goto bad; 4992 } 4993 4994 m1 = m0; 4995 error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum); 4996 if (error) 4997 goto bad; 4998 4999 for (m0 = m1; m0; m0 = m1) { 5000 m1 = m0->m_nextpkt; 5001 m0->m_nextpkt = 0; 5002 if (error == 0) { 5003 lwkt_serialize_enter(ifp->if_serializer); 5004 error = (*ifp->if_output)(ifp, m0, sintosa(dst), 5005 NULL); 5006 lwkt_serialize_exit(ifp->if_serializer); 5007 } else { 5008 m_freem(m0); 5009 } 5010 } 5011 5012 if (error == 0) 5013 ipstat.ips_fragmented++; 5014 5015 done: 5016 if (r->rt != PF_DUPTO) 5017 *m = NULL; 5018 if (ro == &iproute && ro->ro_rt) 5019 RTFREE(ro->ro_rt); 5020 return; 5021 5022 bad: 5023 m_freem(m0); 5024 goto done; 5025 } 5026 #endif /* INET */ 5027 5028 #ifdef INET6 5029 void 5030 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 5031 struct pf_state *s) 5032 { 5033 struct mbuf *m0; 5034 struct route_in6 ip6route; 5035 struct route_in6 *ro; 5036 struct sockaddr_in6 *dst; 5037 struct ip6_hdr *ip6; 5038 struct ifnet *ifp = NULL; 5039 struct pf_addr naddr; 5040 struct pf_src_node *sn = NULL; 5041 int error = 0; 5042 5043 if (m == NULL || *m == NULL || r == NULL || 5044 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 5045 panic("pf_route6: invalid parameters"); 5046 5047 if (((*m)->m_pkthdr.fw_flags & PF_MBUF_ROUTED) == 0) { 5048 (*m)->m_pkthdr.fw_flags |= PF_MBUF_ROUTED; 5049 (*m)->m_pkthdr.pf_routed = 1; 5050 } else { 5051 if ((*m)->m_pkthdr.pf_routed > 3) { 5052 m0 = *m; 5053 *m = NULL; 5054 goto bad; 5055 } 5056 (*m)->m_pkthdr.pf_routed++; 5057 } 5058 5059 if (r->rt == PF_DUPTO) { 5060 if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL) 5061 return; 5062 } else { 5063 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 5064 return; 5065 m0 = *m; 5066 } 5067 5068 if (m0->m_len < sizeof(struct ip6_hdr)) 5069 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)"); 5070 ip6 = mtod(m0, struct ip6_hdr *); 5071 5072 ro = &ip6route; 5073 bzero((caddr_t)ro, sizeof(*ro)); 5074 dst = (struct sockaddr_in6 *)&ro->ro_dst; 5075 dst->sin6_family = AF_INET6; 5076 dst->sin6_len = sizeof(*dst); 5077 dst->sin6_addr = ip6->ip6_dst; 5078 5079 /* Cheat. */ 5080 if (r->rt == PF_FASTROUTE) { 5081 m0->m_pkthdr.fw_flags |= PF_MBUF_GENERATED; 5082 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); 5083 return; 5084 } 5085 5086 if (TAILQ_EMPTY(&r->rpool.list)) 5087 panic("pf_route6: TAILQ_EMPTY(&r->rpool.list)"); 5088 if (s == NULL) { 5089 pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src, 5090 &naddr, NULL, &sn); 5091 if (!PF_AZERO(&naddr, AF_INET6)) 5092 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 5093 &naddr, AF_INET6); 5094 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; 5095 } else { 5096 if (!PF_AZERO(&s->rt_addr, AF_INET6)) 5097 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 5098 &s->rt_addr, AF_INET6); 5099 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 5100 } 5101 if (ifp == NULL) 5102 goto bad; 5103 5104 if (oifp != ifp) { 5105 if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS) 5106 goto bad; 5107 else if (m0 == NULL) 5108 goto done; 5109 if (m0->m_len < sizeof(struct ip6_hdr)) 5110 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)"); 5111 ip6 = mtod(m0, struct ip6_hdr *); 5112 } 5113 5114 /* 5115 * If the packet is too large for the outgoing interface, 5116 * send back an icmp6 error. 5117 */ 5118 if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr)) 5119 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index); 5120 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { 5121 error = nd6_output(ifp, ifp, m0, dst, NULL); 5122 } else { 5123 in6_ifstat_inc(ifp, ifs6_in_toobig); 5124 if (r->rt != PF_DUPTO) 5125 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); 5126 else 5127 goto bad; 5128 } 5129 5130 done: 5131 if (r->rt != PF_DUPTO) 5132 *m = NULL; 5133 return; 5134 5135 bad: 5136 m_freem(m0); 5137 goto done; 5138 } 5139 #endif /* INET6 */ 5140 5141 5142 /* 5143 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag 5144 * off is the offset where the protocol header starts 5145 * len is the total length of protocol header plus payload 5146 * returns 0 when the checksum is valid, otherwise returns 1. 5147 */ 5148 /* 5149 * XXX 5150 * FreeBSD supports cksum offload for the following drivers. 5151 * em(4), gx(4), lge(4), nge(4), ti(4), xl(4) 5152 * If we can make full use of it we would outperform ipfw/ipfilter in 5153 * very heavy traffic. 5154 * I have not tested 'cause I don't have NICs that supports cksum offload. 5155 * (There might be problems. Typical phenomena would be 5156 * 1. No route message for UDP packet. 5157 * 2. No connection acceptance from external hosts regardless of rule set.) 5158 */ 5159 int 5160 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, 5161 sa_family_t af) 5162 { 5163 u_int16_t sum = 0; 5164 int hw_assist = 0; 5165 struct ip *ip; 5166 5167 if (off < sizeof(struct ip) || len < sizeof(struct udphdr)) 5168 return (1); 5169 if (m->m_pkthdr.len < off + len) 5170 return (1); 5171 5172 switch (p) { 5173 case IPPROTO_TCP: 5174 case IPPROTO_UDP: 5175 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) { 5176 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) { 5177 sum = m->m_pkthdr.csum_data; 5178 } else { 5179 ip = mtod(m, struct ip *); 5180 sum = in_pseudo(ip->ip_src.s_addr, 5181 ip->ip_dst.s_addr, htonl((u_short)len + 5182 m->m_pkthdr.csum_data + p)); 5183 } 5184 sum ^= 0xffff; 5185 ++hw_assist; 5186 } 5187 break; 5188 case IPPROTO_ICMP: 5189 #ifdef INET6 5190 case IPPROTO_ICMPV6: 5191 #endif /* INET6 */ 5192 break; 5193 default: 5194 return (1); 5195 } 5196 5197 if (!hw_assist) { 5198 switch (af) { 5199 case AF_INET: 5200 if (p == IPPROTO_ICMP) { 5201 if (m->m_len < off) 5202 return (1); 5203 m->m_data += off; 5204 m->m_len -= off; 5205 sum = in_cksum(m, len); 5206 m->m_data -= off; 5207 m->m_len += off; 5208 } else { 5209 if (m->m_len < sizeof(struct ip)) 5210 return (1); 5211 sum = in_cksum_range(m, p, off, len); 5212 if (sum == 0) { 5213 m->m_pkthdr.csum_flags |= 5214 (CSUM_DATA_VALID | 5215 CSUM_PSEUDO_HDR); 5216 m->m_pkthdr.csum_data = 0xffff; 5217 } 5218 } 5219 break; 5220 #ifdef INET6 5221 case AF_INET6: 5222 if (m->m_len < sizeof(struct ip6_hdr)) 5223 return (1); 5224 sum = in6_cksum(m, p, off, len); 5225 /* 5226 * XXX 5227 * IPv6 H/W cksum off-load not supported yet! 5228 * 5229 * if (sum == 0) { 5230 * m->m_pkthdr.csum_flags |= 5231 * (CSUM_DATA_VALID|CSUM_PSEUDO_HDR); 5232 * m->m_pkthdr.csum_data = 0xffff; 5233 *} 5234 */ 5235 break; 5236 #endif /* INET6 */ 5237 default: 5238 return (1); 5239 } 5240 } 5241 if (sum) { 5242 switch (p) { 5243 case IPPROTO_TCP: 5244 tcpstat.tcps_rcvbadsum++; 5245 break; 5246 case IPPROTO_UDP: 5247 udpstat.udps_badsum++; 5248 break; 5249 case IPPROTO_ICMP: 5250 icmpstat.icps_checksum++; 5251 break; 5252 #ifdef INET6 5253 case IPPROTO_ICMPV6: 5254 icmp6stat.icp6s_checksum++; 5255 break; 5256 #endif /* INET6 */ 5257 } 5258 return (1); 5259 } 5260 return (0); 5261 } 5262 5263 #ifdef INET 5264 int 5265 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0) 5266 { 5267 struct pfi_kif *kif; 5268 u_short action, reason = 0, log = 0; 5269 struct mbuf *m = *m0; 5270 struct ip *h = NULL; 5271 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; 5272 struct pf_state *s = NULL; 5273 struct pf_ruleset *ruleset = NULL; 5274 struct pf_pdesc pd; 5275 int off, dirndx, pqid = 0; 5276 5277 if (!pf_status.running || (m->m_pkthdr.fw_flags & PF_MBUF_GENERATED)) 5278 return (PF_PASS); 5279 5280 kif = pfi_index2kif[ifp->if_index]; 5281 if (kif == NULL) 5282 return (PF_DROP); 5283 5284 #ifdef DIAGNOSTIC 5285 if ((m->m_flags & M_PKTHDR) == 0) 5286 panic("non-M_PKTHDR is passed to pf_test"); 5287 #endif 5288 5289 memset(&pd, 0, sizeof(pd)); 5290 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5291 action = PF_DROP; 5292 REASON_SET(&reason, PFRES_SHORT); 5293 log = 1; 5294 goto done; 5295 } 5296 5297 /* We do IP header normalization and packet reassembly here */ 5298 if (pf_normalize_ip(m0, dir, kif, &reason) != PF_PASS) { 5299 action = PF_DROP; 5300 goto done; 5301 } 5302 m = *m0; 5303 h = mtod(m, struct ip *); 5304 5305 off = h->ip_hl << 2; 5306 if (off < (int)sizeof(*h)) { 5307 action = PF_DROP; 5308 REASON_SET(&reason, PFRES_SHORT); 5309 log = 1; 5310 goto done; 5311 } 5312 5313 pd.src = (struct pf_addr *)&h->ip_src; 5314 pd.dst = (struct pf_addr *)&h->ip_dst; 5315 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET); 5316 pd.ip_sum = &h->ip_sum; 5317 pd.proto = h->ip_p; 5318 pd.af = AF_INET; 5319 pd.tos = h->ip_tos; 5320 pd.tot_len = h->ip_len; 5321 5322 /* handle fragments that didn't get reassembled by normalization */ 5323 if (h->ip_off & (IP_MF | IP_OFFMASK)) { 5324 action = pf_test_fragment(&r, dir, kif, m, h, 5325 &pd, &a, &ruleset); 5326 goto done; 5327 } 5328 5329 switch (h->ip_p) { 5330 5331 case IPPROTO_TCP: { 5332 struct tcphdr th; 5333 5334 pd.hdr.tcp = &th; 5335 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5336 &action, &reason, AF_INET)) { 5337 log = action != PF_PASS; 5338 goto done; 5339 } 5340 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5341 h->ip_len - off, IPPROTO_TCP, AF_INET)) { 5342 action = PF_DROP; 5343 goto done; 5344 } 5345 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5346 if ((th.th_flags & TH_ACK) && pd.p_len == 0) 5347 pqid = 1; 5348 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 5349 if (action == PF_DROP) 5350 goto done; 5351 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 5352 &reason); 5353 if (action == PF_PASS) { 5354 #if NPFSYNC 5355 pfsync_update_state(s); 5356 #endif 5357 r = s->rule.ptr; 5358 a = s->anchor.ptr; 5359 log = s->log; 5360 } else if (s == NULL) 5361 action = pf_test_tcp(&r, &s, dir, kif, 5362 m, off, h, &pd, &a, &ruleset); 5363 break; 5364 } 5365 5366 case IPPROTO_UDP: { 5367 struct udphdr uh; 5368 5369 pd.hdr.udp = &uh; 5370 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5371 &action, &reason, AF_INET)) { 5372 log = action != PF_PASS; 5373 goto done; 5374 } 5375 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 5376 off, h->ip_len - off, IPPROTO_UDP, AF_INET)) { 5377 action = PF_DROP; 5378 goto done; 5379 } 5380 if (uh.uh_dport == 0 || 5381 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || 5382 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 5383 action = PF_DROP; 5384 goto done; 5385 } 5386 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 5387 if (action == PF_PASS) { 5388 #if NPFSYNC 5389 pfsync_update_state(s); 5390 #endif 5391 r = s->rule.ptr; 5392 a = s->anchor.ptr; 5393 log = s->log; 5394 } else if (s == NULL) 5395 action = pf_test_udp(&r, &s, dir, kif, 5396 m, off, h, &pd, &a, &ruleset); 5397 break; 5398 } 5399 5400 case IPPROTO_ICMP: { 5401 struct icmp ih; 5402 5403 pd.hdr.icmp = &ih; 5404 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN, 5405 &action, &reason, AF_INET)) { 5406 log = action != PF_PASS; 5407 goto done; 5408 } 5409 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5410 h->ip_len - off, IPPROTO_ICMP, AF_INET)) { 5411 action = PF_DROP; 5412 goto done; 5413 } 5414 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd); 5415 if (action == PF_PASS) { 5416 #if NPFSYNC 5417 pfsync_update_state(s); 5418 #endif 5419 r = s->rule.ptr; 5420 a = s->anchor.ptr; 5421 log = s->log; 5422 } else if (s == NULL) 5423 action = pf_test_icmp(&r, &s, dir, kif, 5424 m, off, h, &pd, &a, &ruleset); 5425 break; 5426 } 5427 5428 default: 5429 action = pf_test_state_other(&s, dir, kif, &pd); 5430 if (action == PF_PASS) { 5431 #if NPFSYNC 5432 pfsync_update_state(s); 5433 #endif 5434 r = s->rule.ptr; 5435 a = s->anchor.ptr; 5436 log = s->log; 5437 } else if (s == NULL) 5438 action = pf_test_other(&r, &s, dir, kif, m, off, h, 5439 &pd, &a, &ruleset); 5440 break; 5441 } 5442 5443 done: 5444 if (action == PF_PASS && h->ip_hl > 5 && 5445 !((s && s->allow_opts) || r->allow_opts)) { 5446 action = PF_DROP; 5447 REASON_SET(&reason, PFRES_SHORT); 5448 log = 1; 5449 DPFPRINTF(PF_DEBUG_MISC, 5450 ("pf: dropping packet with ip options\n")); 5451 } 5452 5453 #ifdef ALTQ 5454 if (action == PF_PASS && r->qid) { 5455 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED; 5456 if (pd.tos == IPTOS_LOWDELAY) 5457 m->m_pkthdr.altq_qid = r->pqid; 5458 else 5459 m->m_pkthdr.altq_qid = r->qid; 5460 m->m_pkthdr.ecn_af = AF_INET; 5461 m->m_pkthdr.header = h; 5462 } 5463 #endif 5464 5465 /* 5466 * connections redirected to loopback should not match sockets 5467 * bound specifically to loopback due to security implications, 5468 * see tcp_input() and in_pcblookup_listen(). 5469 */ 5470 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || 5471 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 5472 (s->nat_rule.ptr->action == PF_RDR || 5473 s->nat_rule.ptr->action == PF_BINAT) && 5474 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { 5475 action = PF_DROP; 5476 REASON_SET(&reason, PFRES_MEMORY); 5477 } 5478 5479 m->m_pkthdr.fw_flags |= PF_MBUF_TRANSLATE_LOCALHOST; 5480 5481 if (log) 5482 PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a, ruleset); 5483 5484 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len; 5485 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++; 5486 5487 if (action == PF_PASS || r->action == PF_DROP) { 5488 r->packets++; 5489 r->bytes += pd.tot_len; 5490 if (a != NULL) { 5491 a->packets++; 5492 a->bytes += pd.tot_len; 5493 } 5494 if (s != NULL) { 5495 dirndx = (dir == s->direction) ? 0 : 1; 5496 s->packets[dirndx]++; 5497 s->bytes[dirndx] += pd.tot_len; 5498 if (s->nat_rule.ptr != NULL) { 5499 s->nat_rule.ptr->packets++; 5500 s->nat_rule.ptr->bytes += pd.tot_len; 5501 } 5502 if (s->src_node != NULL) { 5503 s->src_node->packets++; 5504 s->src_node->bytes += pd.tot_len; 5505 } 5506 if (s->nat_src_node != NULL) { 5507 s->nat_src_node->packets++; 5508 s->nat_src_node->bytes += pd.tot_len; 5509 } 5510 } 5511 tr = r; 5512 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; 5513 if (nr != NULL) { 5514 struct pf_addr *x; 5515 /* 5516 * XXX: we need to make sure that the addresses 5517 * passed to pfr_update_stats() are the same than 5518 * the addresses used during matching (pfr_match) 5519 */ 5520 if (r == &pf_default_rule) { 5521 tr = nr; 5522 x = (s == NULL || s->direction == dir) ? 5523 &pd.baddr : &pd.naddr; 5524 } else 5525 x = (s == NULL || s->direction == dir) ? 5526 &pd.naddr : &pd.baddr; 5527 if (x == &pd.baddr || s == NULL) { 5528 /* we need to change the address */ 5529 if (dir == PF_OUT) 5530 pd.src = x; 5531 else 5532 pd.dst = x; 5533 } 5534 } 5535 if (tr->src.addr.type == PF_ADDR_TABLE) 5536 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL || 5537 s->direction == dir) ? pd.src : pd.dst, pd.af, 5538 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5539 tr->src.not); 5540 if (tr->dst.addr.type == PF_ADDR_TABLE) 5541 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL || 5542 s->direction == dir) ? pd.dst : pd.src, pd.af, 5543 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5544 tr->dst.not); 5545 } 5546 5547 5548 if (action == PF_SYNPROXY_DROP) { 5549 m_freem(*m0); 5550 *m0 = NULL; 5551 action = PF_PASS; 5552 } else if (r->rt) 5553 /* pf_route can free the mbuf causing *m0 to become NULL */ 5554 pf_route(m0, r, dir, ifp, s); 5555 5556 return (action); 5557 } 5558 #endif /* INET */ 5559 5560 #ifdef INET6 5561 int 5562 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) 5563 { 5564 struct pfi_kif *kif; 5565 u_short action, reason = 0, log = 0; 5566 struct mbuf *m = *m0; 5567 struct ip6_hdr *h = NULL; 5568 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; 5569 struct pf_state *s = NULL; 5570 struct pf_ruleset *ruleset = NULL; 5571 struct pf_pdesc pd; 5572 int off, terminal = 0, dirndx; 5573 5574 if (!pf_status.running || (m->m_pkthdr.fw_flags & PF_MBUF_GENERATED)) 5575 return (PF_PASS); 5576 5577 kif = pfi_index2kif[ifp->if_index]; 5578 if (kif == NULL) 5579 return (PF_DROP); 5580 5581 #ifdef DIAGNOSTIC 5582 if ((m->m_flags & M_PKTHDR) == 0) 5583 panic("non-M_PKTHDR is passed to pf_test"); 5584 #endif 5585 5586 memset(&pd, 0, sizeof(pd)); 5587 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5588 action = PF_DROP; 5589 REASON_SET(&reason, PFRES_SHORT); 5590 log = 1; 5591 goto done; 5592 } 5593 5594 /* We do IP header normalization and packet reassembly here */ 5595 if (pf_normalize_ip6(m0, dir, kif, &reason) != PF_PASS) { 5596 action = PF_DROP; 5597 goto done; 5598 } 5599 m = *m0; 5600 h = mtod(m, struct ip6_hdr *); 5601 5602 pd.src = (struct pf_addr *)&h->ip6_src; 5603 pd.dst = (struct pf_addr *)&h->ip6_dst; 5604 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6); 5605 pd.ip_sum = NULL; 5606 pd.af = AF_INET6; 5607 pd.tos = 0; 5608 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); 5609 5610 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); 5611 pd.proto = h->ip6_nxt; 5612 do { 5613 switch (pd.proto) { 5614 case IPPROTO_FRAGMENT: 5615 action = pf_test_fragment(&r, dir, kif, m, h, 5616 &pd, &a, &ruleset); 5617 if (action == PF_DROP) 5618 REASON_SET(&reason, PFRES_FRAG); 5619 goto done; 5620 case IPPROTO_AH: 5621 case IPPROTO_HOPOPTS: 5622 case IPPROTO_ROUTING: 5623 case IPPROTO_DSTOPTS: { 5624 /* get next header and header length */ 5625 struct ip6_ext opt6; 5626 5627 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6), 5628 NULL, NULL, pd.af)) { 5629 DPFPRINTF(PF_DEBUG_MISC, 5630 ("pf: IPv6 short opt\n")); 5631 action = PF_DROP; 5632 REASON_SET(&reason, PFRES_SHORT); 5633 log = 1; 5634 goto done; 5635 } 5636 if (pd.proto == IPPROTO_AH) 5637 off += (opt6.ip6e_len + 2) * 4; 5638 else 5639 off += (opt6.ip6e_len + 1) * 8; 5640 pd.proto = opt6.ip6e_nxt; 5641 /* goto the next header */ 5642 break; 5643 } 5644 default: 5645 terminal++; 5646 break; 5647 } 5648 } while (!terminal); 5649 5650 switch (pd.proto) { 5651 5652 case IPPROTO_TCP: { 5653 struct tcphdr th; 5654 5655 pd.hdr.tcp = &th; 5656 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5657 &action, &reason, AF_INET6)) { 5658 log = action != PF_PASS; 5659 goto done; 5660 } 5661 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5662 ntohs(h->ip6_plen), IPPROTO_TCP, AF_INET6)) { 5663 action = PF_DROP; 5664 goto done; 5665 } 5666 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5667 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 5668 if (action == PF_DROP) 5669 goto done; 5670 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 5671 &reason); 5672 if (action == PF_PASS) { 5673 #if NPFSYNC 5674 pfsync_update_state(s); 5675 #endif 5676 r = s->rule.ptr; 5677 a = s->anchor.ptr; 5678 log = s->log; 5679 } else if (s == NULL) 5680 action = pf_test_tcp(&r, &s, dir, kif, 5681 m, off, h, &pd, &a, &ruleset); 5682 break; 5683 } 5684 5685 case IPPROTO_UDP: { 5686 struct udphdr uh; 5687 5688 pd.hdr.udp = &uh; 5689 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5690 &action, &reason, AF_INET6)) { 5691 log = action != PF_PASS; 5692 goto done; 5693 } 5694 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 5695 off, ntohs(h->ip6_plen), IPPROTO_UDP, AF_INET6)) { 5696 action = PF_DROP; 5697 goto done; 5698 } 5699 if (uh.uh_dport == 0 || 5700 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || 5701 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 5702 action = PF_DROP; 5703 goto done; 5704 } 5705 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 5706 if (action == PF_PASS) { 5707 #if NPFSYNC 5708 pfsync_update_state(s); 5709 #endif 5710 r = s->rule.ptr; 5711 a = s->anchor.ptr; 5712 log = s->log; 5713 } else if (s == NULL) 5714 action = pf_test_udp(&r, &s, dir, kif, 5715 m, off, h, &pd, &a, &ruleset); 5716 break; 5717 } 5718 5719 case IPPROTO_ICMPV6: { 5720 struct icmp6_hdr ih; 5721 5722 pd.hdr.icmp6 = &ih; 5723 if (!pf_pull_hdr(m, off, &ih, sizeof(ih), 5724 &action, &reason, AF_INET6)) { 5725 log = action != PF_PASS; 5726 goto done; 5727 } 5728 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5729 ntohs(h->ip6_plen), IPPROTO_ICMPV6, AF_INET6)) { 5730 action = PF_DROP; 5731 goto done; 5732 } 5733 action = pf_test_state_icmp(&s, dir, kif, 5734 m, off, h, &pd); 5735 if (action == PF_PASS) { 5736 #if NPFSYNC 5737 pfsync_update_state(s); 5738 #endif 5739 r = s->rule.ptr; 5740 a = s->anchor.ptr; 5741 log = s->log; 5742 } else if (s == NULL) 5743 action = pf_test_icmp(&r, &s, dir, kif, 5744 m, off, h, &pd, &a, &ruleset); 5745 break; 5746 } 5747 5748 default: 5749 action = pf_test_state_other(&s, dir, kif, &pd); 5750 if (action == PF_PASS) { 5751 r = s->rule.ptr; 5752 a = s->anchor.ptr; 5753 log = s->log; 5754 } else if (s == NULL) 5755 action = pf_test_other(&r, &s, dir, kif, m, off, h, 5756 &pd, &a, &ruleset); 5757 break; 5758 } 5759 5760 done: 5761 /* XXX handle IPv6 options, if not allowed. not implemented. */ 5762 5763 #ifdef ALTQ 5764 if (action == PF_PASS && r->qid) { 5765 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED; 5766 if (pd.tos == IPTOS_LOWDELAY) 5767 m->m_pkthdr.altq_qid = r->pqid; 5768 else 5769 m->m_pkthdr.altq_qid = r->qid; 5770 m->m_pkthdr.ecn_af = AF_INET6; 5771 m->m_pkthdr.header = h; 5772 } 5773 #endif 5774 5775 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || 5776 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 5777 (s->nat_rule.ptr->action == PF_RDR || 5778 s->nat_rule.ptr->action == PF_BINAT) && 5779 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) { 5780 action = PF_DROP; 5781 REASON_SET(&reason, PFRES_MEMORY); 5782 } 5783 5784 m->m_pkthdr.fw_flags |= PF_MBUF_TRANSLATE_LOCALHOST; 5785 5786 if (log) 5787 PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset); 5788 5789 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len; 5790 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++; 5791 5792 if (action == PF_PASS || r->action == PF_DROP) { 5793 r->packets++; 5794 r->bytes += pd.tot_len; 5795 if (a != NULL) { 5796 a->packets++; 5797 a->bytes += pd.tot_len; 5798 } 5799 if (s != NULL) { 5800 dirndx = (dir == s->direction) ? 0 : 1; 5801 s->packets[dirndx]++; 5802 s->bytes[dirndx] += pd.tot_len; 5803 if (s->nat_rule.ptr != NULL) { 5804 s->nat_rule.ptr->packets++; 5805 s->nat_rule.ptr->bytes += pd.tot_len; 5806 } 5807 if (s->src_node != NULL) { 5808 s->src_node->packets++; 5809 s->src_node->bytes += pd.tot_len; 5810 } 5811 if (s->nat_src_node != NULL) { 5812 s->nat_src_node->packets++; 5813 s->nat_src_node->bytes += pd.tot_len; 5814 } 5815 } 5816 tr = r; 5817 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; 5818 if (nr != NULL) { 5819 struct pf_addr *x; 5820 /* 5821 * XXX: we need to make sure that the addresses 5822 * passed to pfr_update_stats() are the same than 5823 * the addresses used during matching (pfr_match) 5824 */ 5825 if (r == &pf_default_rule) { 5826 tr = nr; 5827 x = (s == NULL || s->direction == dir) ? 5828 &pd.baddr : &pd.naddr; 5829 } else { 5830 x = (s == NULL || s->direction == dir) ? 5831 &pd.naddr : &pd.baddr; 5832 } 5833 if (x == &pd.baddr || s == NULL) { 5834 if (dir == PF_OUT) 5835 pd.src = x; 5836 else 5837 pd.dst = x; 5838 } 5839 } 5840 if (tr->src.addr.type == PF_ADDR_TABLE) 5841 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL || 5842 s->direction == dir) ? pd.src : pd.dst, pd.af, 5843 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5844 tr->src.not); 5845 if (tr->dst.addr.type == PF_ADDR_TABLE) 5846 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL || 5847 s->direction == dir) ? pd.dst : pd.src, pd.af, 5848 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5849 tr->dst.not); 5850 } 5851 5852 5853 if (action == PF_SYNPROXY_DROP) { 5854 m_freem(*m0); 5855 *m0 = NULL; 5856 action = PF_PASS; 5857 } else if (r->rt) 5858 /* pf_route6 can free the mbuf causing *m0 to become NULL */ 5859 pf_route6(m0, r, dir, ifp, s); 5860 5861 return (action); 5862 } 5863 #endif /* INET6 */ 5864