1 /* $FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.19 2004/09/11 11:18:25 mlaier Exp $ */ 2 /* $OpenBSD: pf.c,v 1.433.2.2 2004/07/17 03:22:34 brad Exp $ */ 3 /* add $OpenBSD: pf.c,v 1.448 2004/05/11 07:34:11 dhartmei Exp $ */ 4 /* $DragonFly: src/sys/net/pf/pf.c,v 1.14 2007/05/23 08:57:10 dillon Exp $ */ 5 6 /* 7 * Copyright (c) 2004 The DragonFly Project. All rights reserved. 8 * 9 * Copyright (c) 2001 Daniel Hartmeier 10 * Copyright (c) 2002,2003 Henning Brauer 11 * All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 17 * - Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * - Redistributions in binary form must reproduce the above 20 * copyright notice, this list of conditions and the following 21 * disclaimer in the documentation and/or other materials provided 22 * with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 27 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 28 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 30 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 31 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 32 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 34 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35 * POSSIBILITY OF SUCH DAMAGE. 36 * 37 * Effort sponsored in part by the Defense Advanced Research Projects 38 * Agency (DARPA) and Air Force Research Laboratory, Air Force 39 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 40 * 41 */ 42 43 #include "opt_inet.h" 44 #include "opt_inet6.h" 45 #include "use_pfsync.h" 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/malloc.h> 50 #include <sys/mbuf.h> 51 #include <sys/filio.h> 52 #include <sys/socket.h> 53 #include <sys/socketvar.h> 54 #include <sys/kernel.h> 55 #include <sys/time.h> 56 #include <sys/sysctl.h> 57 #include <sys/endian.h> 58 #include <vm/vm_zone.h> 59 60 #include <machine/inttypes.h> 61 62 #include <net/if.h> 63 #include <net/if_types.h> 64 #include <net/bpf.h> 65 #include <net/netisr.h> 66 #include <net/route.h> 67 68 #include <netinet/in.h> 69 #include <netinet/in_var.h> 70 #include <netinet/in_systm.h> 71 #include <netinet/ip.h> 72 #include <netinet/ip_var.h> 73 #include <netinet/tcp.h> 74 #include <netinet/tcp_seq.h> 75 #include <netinet/udp.h> 76 #include <netinet/ip_icmp.h> 77 #include <netinet/in_pcb.h> 78 #include <netinet/tcp_timer.h> 79 #include <netinet/tcp_var.h> 80 #include <netinet/udp_var.h> 81 #include <netinet/icmp_var.h> 82 83 #include <net/pf/pfvar.h> 84 #include <net/pf/if_pflog.h> 85 86 #if NPFSYNC > 0 87 #include <net/pf/if_pfsync.h> 88 #endif /* NPFSYNC > 0 */ 89 90 #ifdef INET6 91 #include <netinet/ip6.h> 92 #include <netinet/in_pcb.h> 93 #include <netinet/icmp6.h> 94 #include <netinet6/nd6.h> 95 #include <netinet6/ip6_var.h> 96 #include <netinet6/in6_pcb.h> 97 #endif /* INET6 */ 98 99 #include <sys/in_cksum.h> 100 #include <sys/ucred.h> 101 #include <machine/limits.h> 102 #include <sys/msgport2.h> 103 #include <net/netmsg2.h> 104 105 extern int ip_optcopy(struct ip *, struct ip *); 106 107 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) kprintf x 108 109 /* 110 * Global variables 111 */ 112 113 struct pf_anchorqueue pf_anchors; 114 struct pf_ruleset pf_main_ruleset; 115 struct pf_altqqueue pf_altqs[2]; 116 struct pf_palist pf_pabuf; 117 struct pf_altqqueue *pf_altqs_active; 118 struct pf_altqqueue *pf_altqs_inactive; 119 struct pf_status pf_status; 120 121 u_int32_t ticket_altqs_active; 122 u_int32_t ticket_altqs_inactive; 123 int altqs_inactive_open; 124 u_int32_t ticket_pabuf; 125 126 struct callout pf_expire_to; /* expire timeout */ 127 128 vm_zone_t pf_src_tree_pl, pf_rule_pl; 129 vm_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 130 131 void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t); 132 void pf_print_state(struct pf_state *); 133 void pf_print_flags(u_int8_t); 134 135 u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t, 136 u_int8_t); 137 void pf_change_ap(struct pf_addr *, u_int16_t *, 138 u_int16_t *, u_int16_t *, struct pf_addr *, 139 u_int16_t, u_int8_t, sa_family_t); 140 #ifdef INET6 141 void pf_change_a6(struct pf_addr *, u_int16_t *, 142 struct pf_addr *, u_int8_t); 143 #endif /* INET6 */ 144 void pf_change_icmp(struct pf_addr *, u_int16_t *, 145 struct pf_addr *, struct pf_addr *, u_int16_t, 146 u_int16_t *, u_int16_t *, u_int16_t *, 147 u_int16_t *, u_int8_t, sa_family_t); 148 void pf_send_tcp(const struct pf_rule *, sa_family_t, 149 const struct pf_addr *, const struct pf_addr *, 150 u_int16_t, u_int16_t, u_int32_t, u_int32_t, 151 u_int8_t, u_int16_t, u_int16_t, u_int8_t); 152 void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, 153 sa_family_t, struct pf_rule *); 154 struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *, 155 int, int, struct pfi_kif *, 156 struct pf_addr *, u_int16_t, struct pf_addr *, 157 u_int16_t, int); 158 struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *, 159 int, int, struct pfi_kif *, struct pf_src_node **, 160 struct pf_addr *, u_int16_t, 161 struct pf_addr *, u_int16_t, 162 struct pf_addr *, u_int16_t *); 163 int pf_test_tcp(struct pf_rule **, struct pf_state **, 164 int, struct pfi_kif *, struct mbuf *, int, 165 void *, struct pf_pdesc *, struct pf_rule **, 166 struct pf_ruleset **); 167 int pf_test_udp(struct pf_rule **, struct pf_state **, 168 int, struct pfi_kif *, struct mbuf *, int, 169 void *, struct pf_pdesc *, struct pf_rule **, 170 struct pf_ruleset **); 171 int pf_test_icmp(struct pf_rule **, struct pf_state **, 172 int, struct pfi_kif *, struct mbuf *, int, 173 void *, struct pf_pdesc *, struct pf_rule **, 174 struct pf_ruleset **); 175 int pf_test_other(struct pf_rule **, struct pf_state **, 176 int, struct pfi_kif *, struct mbuf *, int, void *, 177 struct pf_pdesc *, struct pf_rule **, 178 struct pf_ruleset **); 179 int pf_test_fragment(struct pf_rule **, int, 180 struct pfi_kif *, struct mbuf *, void *, 181 struct pf_pdesc *, struct pf_rule **, 182 struct pf_ruleset **); 183 int pf_test_state_tcp(struct pf_state **, int, 184 struct pfi_kif *, struct mbuf *, int, 185 void *, struct pf_pdesc *, u_short *); 186 int pf_test_state_udp(struct pf_state **, int, 187 struct pfi_kif *, struct mbuf *, int, 188 void *, struct pf_pdesc *); 189 int pf_test_state_icmp(struct pf_state **, int, 190 struct pfi_kif *, struct mbuf *, int, 191 void *, struct pf_pdesc *); 192 int pf_test_state_other(struct pf_state **, int, 193 struct pfi_kif *, struct pf_pdesc *); 194 static int pf_match_tag(struct mbuf *, struct pf_rule *, 195 struct pf_rule *, int *); 196 void pf_hash(struct pf_addr *, struct pf_addr *, 197 struct pf_poolhashkey *, sa_family_t); 198 int pf_map_addr(u_int8_t, struct pf_rule *, 199 struct pf_addr *, struct pf_addr *, 200 struct pf_addr *, struct pf_src_node **); 201 int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *, 202 struct pf_addr *, struct pf_addr *, u_int16_t, 203 struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t, 204 struct pf_src_node **); 205 void pf_route(struct mbuf **, struct pf_rule *, int, 206 struct ifnet *, struct pf_state *); 207 void pf_route6(struct mbuf **, struct pf_rule *, int, 208 struct ifnet *, struct pf_state *); 209 int pf_socket_lookup(uid_t *, gid_t *, 210 int, struct pf_pdesc *); 211 u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, 212 sa_family_t); 213 u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, 214 sa_family_t); 215 u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t, 216 u_int16_t); 217 void pf_set_rt_ifp(struct pf_state *, 218 struct pf_addr *); 219 int pf_check_proto_cksum(struct mbuf *, int, int, 220 u_int8_t, sa_family_t); 221 int pf_addr_wrap_neq(struct pf_addr_wrap *, 222 struct pf_addr_wrap *); 223 struct pf_state *pf_find_state_recurse(struct pfi_kif *, 224 struct pf_state *, u_int8_t); 225 226 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX]; 227 228 #define STATE_LOOKUP() \ 229 do { \ 230 if (direction == PF_IN) \ 231 *state = pf_find_state_recurse( \ 232 kif, &key, PF_EXT_GWY); \ 233 else \ 234 *state = pf_find_state_recurse( \ 235 kif, &key, PF_LAN_EXT); \ 236 if (*state == NULL) \ 237 return (PF_DROP); \ 238 if (direction == PF_OUT && \ 239 (((*state)->rule.ptr->rt == PF_ROUTETO && \ 240 (*state)->rule.ptr->direction == PF_OUT) || \ 241 ((*state)->rule.ptr->rt == PF_REPLYTO && \ 242 (*state)->rule.ptr->direction == PF_IN)) && \ 243 (*state)->rt_kif != NULL && \ 244 (*state)->rt_kif != kif) \ 245 return (PF_PASS); \ 246 } while (0) 247 248 #define STATE_TRANSLATE(s) \ 249 (s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \ 250 ((s)->af == AF_INET6 && \ 251 ((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \ 252 (s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \ 253 (s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \ 254 (s)->lan.port != (s)->gwy.port 255 256 #define BOUND_IFACE(r, k) (((r)->rule_flag & PFRULE_IFBOUND) ? (k) : \ 257 ((r)->rule_flag & PFRULE_GRBOUND) ? (k)->pfik_parent : \ 258 (k)->pfik_parent->pfik_parent) 259 260 static int pf_src_compare(struct pf_src_node *, struct pf_src_node *); 261 static int pf_state_compare_lan_ext(struct pf_state *, 262 struct pf_state *); 263 static int pf_state_compare_ext_gwy(struct pf_state *, 264 struct pf_state *); 265 static int pf_state_compare_id(struct pf_state *, 266 struct pf_state *); 267 268 struct pf_src_tree tree_src_tracking; 269 270 struct pf_state_tree_id tree_id; 271 struct pf_state_queue state_updates; 272 273 RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare); 274 RB_GENERATE(pf_state_tree_lan_ext, pf_state, 275 u.s.entry_lan_ext, pf_state_compare_lan_ext); 276 RB_GENERATE(pf_state_tree_ext_gwy, pf_state, 277 u.s.entry_ext_gwy, pf_state_compare_ext_gwy); 278 RB_GENERATE(pf_state_tree_id, pf_state, 279 u.s.entry_id, pf_state_compare_id); 280 281 static int 282 pf_src_compare(struct pf_src_node *a, struct pf_src_node *b) 283 { 284 int diff; 285 286 if (a->rule.ptr > b->rule.ptr) 287 return (1); 288 if (a->rule.ptr < b->rule.ptr) 289 return (-1); 290 if ((diff = a->af - b->af) != 0) 291 return (diff); 292 switch (a->af) { 293 #ifdef INET 294 case AF_INET: 295 if (a->addr.addr32[0] > b->addr.addr32[0]) 296 return (1); 297 if (a->addr.addr32[0] < b->addr.addr32[0]) 298 return (-1); 299 break; 300 #endif /* INET */ 301 #ifdef INET6 302 case AF_INET6: 303 if (a->addr.addr32[3] > b->addr.addr32[3]) 304 return (1); 305 if (a->addr.addr32[3] < b->addr.addr32[3]) 306 return (-1); 307 if (a->addr.addr32[2] > b->addr.addr32[2]) 308 return (1); 309 if (a->addr.addr32[2] < b->addr.addr32[2]) 310 return (-1); 311 if (a->addr.addr32[1] > b->addr.addr32[1]) 312 return (1); 313 if (a->addr.addr32[1] < b->addr.addr32[1]) 314 return (-1); 315 if (a->addr.addr32[0] > b->addr.addr32[0]) 316 return (1); 317 if (a->addr.addr32[0] < b->addr.addr32[0]) 318 return (-1); 319 break; 320 #endif /* INET6 */ 321 } 322 return (0); 323 } 324 325 static int 326 pf_state_compare_lan_ext(struct pf_state *a, struct pf_state *b) 327 { 328 int diff; 329 330 if ((diff = a->proto - b->proto) != 0) 331 return (diff); 332 if ((diff = a->af - b->af) != 0) 333 return (diff); 334 switch (a->af) { 335 #ifdef INET 336 case AF_INET: 337 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0]) 338 return (1); 339 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0]) 340 return (-1); 341 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 342 return (1); 343 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 344 return (-1); 345 break; 346 #endif /* INET */ 347 #ifdef INET6 348 case AF_INET6: 349 if (a->lan.addr.addr32[3] > b->lan.addr.addr32[3]) 350 return (1); 351 if (a->lan.addr.addr32[3] < b->lan.addr.addr32[3]) 352 return (-1); 353 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3]) 354 return (1); 355 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3]) 356 return (-1); 357 if (a->lan.addr.addr32[2] > b->lan.addr.addr32[2]) 358 return (1); 359 if (a->lan.addr.addr32[2] < b->lan.addr.addr32[2]) 360 return (-1); 361 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2]) 362 return (1); 363 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2]) 364 return (-1); 365 if (a->lan.addr.addr32[1] > b->lan.addr.addr32[1]) 366 return (1); 367 if (a->lan.addr.addr32[1] < b->lan.addr.addr32[1]) 368 return (-1); 369 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1]) 370 return (1); 371 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1]) 372 return (-1); 373 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0]) 374 return (1); 375 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0]) 376 return (-1); 377 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 378 return (1); 379 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 380 return (-1); 381 break; 382 #endif /* INET6 */ 383 } 384 385 if ((diff = a->lan.port - b->lan.port) != 0) 386 return (diff); 387 if ((diff = a->ext.port - b->ext.port) != 0) 388 return (diff); 389 390 return (0); 391 } 392 393 static int 394 pf_state_compare_ext_gwy(struct pf_state *a, struct pf_state *b) 395 { 396 int diff; 397 398 if ((diff = a->proto - b->proto) != 0) 399 return (diff); 400 if ((diff = a->af - b->af) != 0) 401 return (diff); 402 switch (a->af) { 403 #ifdef INET 404 case AF_INET: 405 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 406 return (1); 407 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 408 return (-1); 409 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0]) 410 return (1); 411 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0]) 412 return (-1); 413 break; 414 #endif /* INET */ 415 #ifdef INET6 416 case AF_INET6: 417 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3]) 418 return (1); 419 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3]) 420 return (-1); 421 if (a->gwy.addr.addr32[3] > b->gwy.addr.addr32[3]) 422 return (1); 423 if (a->gwy.addr.addr32[3] < b->gwy.addr.addr32[3]) 424 return (-1); 425 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2]) 426 return (1); 427 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2]) 428 return (-1); 429 if (a->gwy.addr.addr32[2] > b->gwy.addr.addr32[2]) 430 return (1); 431 if (a->gwy.addr.addr32[2] < b->gwy.addr.addr32[2]) 432 return (-1); 433 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1]) 434 return (1); 435 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1]) 436 return (-1); 437 if (a->gwy.addr.addr32[1] > b->gwy.addr.addr32[1]) 438 return (1); 439 if (a->gwy.addr.addr32[1] < b->gwy.addr.addr32[1]) 440 return (-1); 441 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 442 return (1); 443 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 444 return (-1); 445 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0]) 446 return (1); 447 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0]) 448 return (-1); 449 break; 450 #endif /* INET6 */ 451 } 452 453 if ((diff = a->ext.port - b->ext.port) != 0) 454 return (diff); 455 if ((diff = a->gwy.port - b->gwy.port) != 0) 456 return (diff); 457 458 return (0); 459 } 460 461 static int 462 pf_state_compare_id(struct pf_state *a, struct pf_state *b) 463 { 464 if (a->id > b->id) 465 return (1); 466 if (a->id < b->id) 467 return (-1); 468 if (a->creatorid > b->creatorid) 469 return (1); 470 if (a->creatorid < b->creatorid) 471 return (-1); 472 473 return (0); 474 } 475 476 #ifdef INET6 477 void 478 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af) 479 { 480 switch (af) { 481 #ifdef INET 482 case AF_INET: 483 dst->addr32[0] = src->addr32[0]; 484 break; 485 #endif /* INET */ 486 case AF_INET6: 487 dst->addr32[0] = src->addr32[0]; 488 dst->addr32[1] = src->addr32[1]; 489 dst->addr32[2] = src->addr32[2]; 490 dst->addr32[3] = src->addr32[3]; 491 break; 492 } 493 } 494 #endif 495 496 struct pf_state * 497 pf_find_state_byid(struct pf_state *key) 498 { 499 pf_status.fcounters[FCNT_STATE_SEARCH]++; 500 return (RB_FIND(pf_state_tree_id, &tree_id, key)); 501 } 502 503 struct pf_state * 504 pf_find_state_recurse(struct pfi_kif *kif, struct pf_state *key, u_int8_t tree) 505 { 506 struct pf_state *s; 507 508 pf_status.fcounters[FCNT_STATE_SEARCH]++; 509 510 switch (tree) { 511 case PF_LAN_EXT: 512 for (; kif != NULL; kif = kif->pfik_parent) { 513 s = RB_FIND(pf_state_tree_lan_ext, 514 &kif->pfik_lan_ext, key); 515 if (s != NULL) 516 return (s); 517 } 518 return (NULL); 519 case PF_EXT_GWY: 520 for (; kif != NULL; kif = kif->pfik_parent) { 521 s = RB_FIND(pf_state_tree_ext_gwy, 522 &kif->pfik_ext_gwy, key); 523 if (s != NULL) 524 return (s); 525 } 526 return (NULL); 527 default: 528 panic("pf_find_state_recurse"); 529 } 530 } 531 532 struct pf_state * 533 pf_find_state_all(struct pf_state *key, u_int8_t tree, int *more) 534 { 535 struct pf_state *s, *ss = NULL; 536 struct pfi_kif *kif; 537 538 pf_status.fcounters[FCNT_STATE_SEARCH]++; 539 540 switch (tree) { 541 case PF_LAN_EXT: 542 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) { 543 s = RB_FIND(pf_state_tree_lan_ext, 544 &kif->pfik_lan_ext, key); 545 if (s == NULL) 546 continue; 547 if (more == NULL) 548 return (s); 549 ss = s; 550 (*more)++; 551 } 552 return (ss); 553 case PF_EXT_GWY: 554 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) { 555 s = RB_FIND(pf_state_tree_ext_gwy, 556 &kif->pfik_ext_gwy, key); 557 if (s == NULL) 558 continue; 559 if (more == NULL) 560 return (s); 561 ss = s; 562 (*more)++; 563 } 564 return (ss); 565 default: 566 panic("pf_find_state_all"); 567 } 568 } 569 570 int 571 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule, 572 struct pf_addr *src, sa_family_t af) 573 { 574 struct pf_src_node k; 575 576 if (*sn == NULL) { 577 k.af = af; 578 PF_ACPY(&k.addr, src, af); 579 if (rule->rule_flag & PFRULE_RULESRCTRACK || 580 rule->rpool.opts & PF_POOL_STICKYADDR) 581 k.rule.ptr = rule; 582 else 583 k.rule.ptr = NULL; 584 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; 585 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); 586 } 587 if (*sn == NULL) { 588 if (!rule->max_src_nodes || 589 rule->src_nodes < rule->max_src_nodes) 590 (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT); 591 if ((*sn) == NULL) 592 return (-1); 593 bzero(*sn, sizeof(struct pf_src_node)); 594 (*sn)->af = af; 595 if (rule->rule_flag & PFRULE_RULESRCTRACK || 596 rule->rpool.opts & PF_POOL_STICKYADDR) 597 (*sn)->rule.ptr = rule; 598 else 599 (*sn)->rule.ptr = NULL; 600 PF_ACPY(&(*sn)->addr, src, af); 601 if (RB_INSERT(pf_src_tree, 602 &tree_src_tracking, *sn) != NULL) { 603 if (pf_status.debug >= PF_DEBUG_MISC) { 604 kprintf("pf: src_tree insert failed: "); 605 pf_print_host(&(*sn)->addr, 0, af); 606 kprintf("\n"); 607 } 608 pool_put(&pf_src_tree_pl, *sn); 609 return (-1); 610 } 611 (*sn)->creation = time_second; 612 (*sn)->ruletype = rule->action; 613 if ((*sn)->rule.ptr != NULL) 614 (*sn)->rule.ptr->src_nodes++; 615 pf_status.scounters[SCNT_SRC_NODE_INSERT]++; 616 pf_status.src_nodes++; 617 } else { 618 if (rule->max_src_states && 619 (*sn)->states >= rule->max_src_states) 620 return (-1); 621 } 622 return (0); 623 } 624 625 int 626 pf_insert_state(struct pfi_kif *kif, struct pf_state *state) 627 { 628 /* Thou MUST NOT insert multiple duplicate keys */ 629 state->u.s.kif = kif; 630 if (RB_INSERT(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state)) { 631 if (pf_status.debug >= PF_DEBUG_MISC) { 632 kprintf("pf: state insert failed: tree_lan_ext"); 633 kprintf(" lan: "); 634 pf_print_host(&state->lan.addr, state->lan.port, 635 state->af); 636 kprintf(" gwy: "); 637 pf_print_host(&state->gwy.addr, state->gwy.port, 638 state->af); 639 kprintf(" ext: "); 640 pf_print_host(&state->ext.addr, state->ext.port, 641 state->af); 642 if (state->sync_flags & PFSTATE_FROMSYNC) 643 kprintf(" (from sync)"); 644 kprintf("\n"); 645 } 646 return (-1); 647 } 648 649 if (RB_INSERT(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state)) { 650 if (pf_status.debug >= PF_DEBUG_MISC) { 651 kprintf("pf: state insert failed: tree_ext_gwy"); 652 kprintf(" lan: "); 653 pf_print_host(&state->lan.addr, state->lan.port, 654 state->af); 655 kprintf(" gwy: "); 656 pf_print_host(&state->gwy.addr, state->gwy.port, 657 state->af); 658 kprintf(" ext: "); 659 pf_print_host(&state->ext.addr, state->ext.port, 660 state->af); 661 if (state->sync_flags & PFSTATE_FROMSYNC) 662 kprintf(" (from sync)"); 663 kprintf("\n"); 664 } 665 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state); 666 return (-1); 667 } 668 669 if (state->id == 0 && state->creatorid == 0) { 670 state->id = htobe64(pf_status.stateid++); 671 state->creatorid = pf_status.hostid; 672 } 673 if (RB_INSERT(pf_state_tree_id, &tree_id, state) != NULL) { 674 if (pf_status.debug >= PF_DEBUG_MISC) { 675 kprintf("pf: state insert failed: " 676 "id: %016" PRIx64 " creatorid: %08" PRIx32, 677 be64toh(state->id), ntohl(state->creatorid)); 678 if (state->sync_flags & PFSTATE_FROMSYNC) 679 kprintf(" (from sync)"); 680 kprintf("\n"); 681 } 682 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state); 683 RB_REMOVE(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state); 684 return (-1); 685 } 686 TAILQ_INSERT_HEAD(&state_updates, state, u.s.entry_updates); 687 688 pf_status.fcounters[FCNT_STATE_INSERT]++; 689 pf_status.states++; 690 pfi_attach_state(kif); 691 #if NPFSYNC 692 pfsync_insert_state(state); 693 #endif 694 return (0); 695 } 696 697 void 698 pf_purge_timeout(void *arg) 699 { 700 struct callout *to = arg; 701 702 crit_enter(); 703 pf_purge_expired_states(); 704 pf_purge_expired_fragments(); 705 pf_purge_expired_src_nodes(); 706 crit_exit(); 707 708 callout_reset(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz, 709 pf_purge_timeout, to); 710 } 711 712 u_int32_t 713 pf_state_expires(const struct pf_state *state) 714 { 715 u_int32_t timeout; 716 u_int32_t start; 717 u_int32_t end; 718 u_int32_t states; 719 720 /* handle all PFTM_* > PFTM_MAX here */ 721 if (state->timeout == PFTM_PURGE) 722 return (time_second); 723 if (state->timeout == PFTM_UNTIL_PACKET) 724 return (0); 725 KASSERT((state->timeout < PFTM_MAX), 726 ("pf_state_expires: timeout > PFTM_MAX")); 727 timeout = state->rule.ptr->timeout[state->timeout]; 728 if (!timeout) 729 timeout = pf_default_rule.timeout[state->timeout]; 730 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START]; 731 if (start) { 732 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END]; 733 states = state->rule.ptr->states; 734 } else { 735 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START]; 736 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END]; 737 states = pf_status.states; 738 } 739 if (end && states > start && start < end) { 740 if (states < end) 741 return (state->expire + timeout * (end - states) / 742 (end - start)); 743 else 744 return (time_second); 745 } 746 return (state->expire + timeout); 747 } 748 749 void 750 pf_purge_expired_src_nodes(void) 751 { 752 struct pf_src_node *cur, *next; 753 754 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) { 755 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur); 756 757 if (cur->states <= 0 && cur->expire <= time_second) { 758 if (cur->rule.ptr != NULL) { 759 cur->rule.ptr->src_nodes--; 760 if (cur->rule.ptr->states <= 0 && 761 cur->rule.ptr->max_src_nodes <= 0) 762 pf_rm_rule(NULL, cur->rule.ptr); 763 } 764 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur); 765 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 766 pf_status.src_nodes--; 767 pool_put(&pf_src_tree_pl, cur); 768 } 769 } 770 } 771 772 void 773 pf_src_tree_remove_state(struct pf_state *s) 774 { 775 u_int32_t timeout; 776 777 if (s->src_node != NULL) { 778 if (--s->src_node->states <= 0) { 779 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 780 if (!timeout) 781 timeout = 782 pf_default_rule.timeout[PFTM_SRC_NODE]; 783 s->src_node->expire = time_second + timeout; 784 } 785 } 786 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) { 787 if (--s->nat_src_node->states <= 0) { 788 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 789 if (!timeout) 790 timeout = 791 pf_default_rule.timeout[PFTM_SRC_NODE]; 792 s->nat_src_node->expire = time_second + timeout; 793 } 794 } 795 s->src_node = s->nat_src_node = NULL; 796 } 797 798 static int 799 pf_purge_expired_states_callback(struct pf_state *cur, void *data __unused) 800 { 801 if (pf_state_expires(cur) <= time_second) { 802 RB_REMOVE(pf_state_tree_ext_gwy, 803 &cur->u.s.kif->pfik_ext_gwy, cur); 804 RB_REMOVE(pf_state_tree_lan_ext, 805 &cur->u.s.kif->pfik_lan_ext, cur); 806 RB_REMOVE(pf_state_tree_id, &tree_id, cur); 807 if (cur->src.state == PF_TCPS_PROXY_DST) { 808 pf_send_tcp(cur->rule.ptr, cur->af, 809 &cur->ext.addr, &cur->lan.addr, 810 cur->ext.port, cur->lan.port, 811 cur->src.seqhi, cur->src.seqlo + 1, 0, 812 TH_RST|TH_ACK, 0, 0); 813 } 814 #if NPFSYNC 815 pfsync_delete_state(cur); 816 #endif 817 pf_src_tree_remove_state(cur); 818 if (--cur->rule.ptr->states <= 0 && 819 cur->rule.ptr->src_nodes <= 0) 820 pf_rm_rule(NULL, cur->rule.ptr); 821 if (cur->nat_rule.ptr != NULL) 822 if (--cur->nat_rule.ptr->states <= 0 && 823 cur->nat_rule.ptr->src_nodes <= 0) 824 pf_rm_rule(NULL, cur->nat_rule.ptr); 825 if (cur->anchor.ptr != NULL) 826 if (--cur->anchor.ptr->states <= 0) 827 pf_rm_rule(NULL, cur->anchor.ptr); 828 pf_normalize_tcp_cleanup(cur); 829 pfi_detach_state(cur->u.s.kif); 830 TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates); 831 pool_put(&pf_state_pl, cur); 832 pf_status.fcounters[FCNT_STATE_REMOVALS]++; 833 pf_status.states--; 834 } 835 return(0); 836 } 837 838 void 839 pf_purge_expired_states(void) 840 { 841 RB_SCAN(pf_state_tree_id, &tree_id, NULL, 842 pf_purge_expired_states_callback, NULL); 843 } 844 845 846 int 847 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw) 848 { 849 if (aw->type != PF_ADDR_TABLE) 850 return (0); 851 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL) 852 return (1); 853 return (0); 854 } 855 856 void 857 pf_tbladdr_remove(struct pf_addr_wrap *aw) 858 { 859 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL) 860 return; 861 pfr_detach_table(aw->p.tbl); 862 aw->p.tbl = NULL; 863 } 864 865 void 866 pf_tbladdr_copyout(struct pf_addr_wrap *aw) 867 { 868 struct pfr_ktable *kt = aw->p.tbl; 869 870 if (aw->type != PF_ADDR_TABLE || kt == NULL) 871 return; 872 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) 873 kt = kt->pfrkt_root; 874 aw->p.tbl = NULL; 875 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ? 876 kt->pfrkt_cnt : -1; 877 } 878 879 void 880 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af) 881 { 882 switch (af) { 883 #ifdef INET 884 case AF_INET: { 885 u_int32_t a = ntohl(addr->addr32[0]); 886 kprintf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255, 887 (a>>8)&255, a&255); 888 if (p) { 889 p = ntohs(p); 890 kprintf(":%u", p); 891 } 892 break; 893 } 894 #endif /* INET */ 895 #ifdef INET6 896 case AF_INET6: { 897 u_int16_t b; 898 u_int8_t i, curstart = 255, curend = 0, 899 maxstart = 0, maxend = 0; 900 for (i = 0; i < 8; i++) { 901 if (!addr->addr16[i]) { 902 if (curstart == 255) 903 curstart = i; 904 else 905 curend = i; 906 } else { 907 if (curstart) { 908 if ((curend - curstart) > 909 (maxend - maxstart)) { 910 maxstart = curstart; 911 maxend = curend; 912 curstart = 255; 913 } 914 } 915 } 916 } 917 for (i = 0; i < 8; i++) { 918 if (i >= maxstart && i <= maxend) { 919 if (maxend != 7) { 920 if (i == maxstart) 921 kprintf(":"); 922 } else { 923 if (i == maxend) 924 kprintf(":"); 925 } 926 } else { 927 b = ntohs(addr->addr16[i]); 928 kprintf("%x", b); 929 if (i < 7) 930 kprintf(":"); 931 } 932 } 933 if (p) { 934 p = ntohs(p); 935 kprintf("[%u]", p); 936 } 937 break; 938 } 939 #endif /* INET6 */ 940 } 941 } 942 943 void 944 pf_print_state(struct pf_state *s) 945 { 946 switch (s->proto) { 947 case IPPROTO_TCP: 948 kprintf("TCP "); 949 break; 950 case IPPROTO_UDP: 951 kprintf("UDP "); 952 break; 953 case IPPROTO_ICMP: 954 kprintf("ICMP "); 955 break; 956 case IPPROTO_ICMPV6: 957 kprintf("ICMPV6 "); 958 break; 959 default: 960 kprintf("%u ", s->proto); 961 break; 962 } 963 pf_print_host(&s->lan.addr, s->lan.port, s->af); 964 kprintf(" "); 965 pf_print_host(&s->gwy.addr, s->gwy.port, s->af); 966 kprintf(" "); 967 pf_print_host(&s->ext.addr, s->ext.port, s->af); 968 kprintf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo, 969 s->src.seqhi, s->src.max_win, s->src.seqdiff); 970 if (s->src.wscale && s->dst.wscale) 971 kprintf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK); 972 kprintf("]"); 973 kprintf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo, 974 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff); 975 if (s->src.wscale && s->dst.wscale) 976 kprintf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK); 977 kprintf("]"); 978 kprintf(" %u:%u", s->src.state, s->dst.state); 979 } 980 981 void 982 pf_print_flags(u_int8_t f) 983 { 984 if (f) 985 kprintf(" "); 986 if (f & TH_FIN) 987 kprintf("F"); 988 if (f & TH_SYN) 989 kprintf("S"); 990 if (f & TH_RST) 991 kprintf("R"); 992 if (f & TH_PUSH) 993 kprintf("P"); 994 if (f & TH_ACK) 995 kprintf("A"); 996 if (f & TH_URG) 997 kprintf("U"); 998 if (f & TH_ECE) 999 kprintf("E"); 1000 if (f & TH_CWR) 1001 kprintf("W"); 1002 } 1003 1004 #define PF_SET_SKIP_STEPS(i) \ 1005 do { \ 1006 while (head[i] != cur) { \ 1007 head[i]->skip[i].ptr = cur; \ 1008 head[i] = TAILQ_NEXT(head[i], entries); \ 1009 } \ 1010 } while (0) 1011 1012 void 1013 pf_calc_skip_steps(struct pf_rulequeue *rules) 1014 { 1015 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT]; 1016 int i; 1017 1018 cur = TAILQ_FIRST(rules); 1019 prev = cur; 1020 for (i = 0; i < PF_SKIP_COUNT; ++i) 1021 head[i] = cur; 1022 while (cur != NULL) { 1023 1024 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot) 1025 PF_SET_SKIP_STEPS(PF_SKIP_IFP); 1026 if (cur->direction != prev->direction) 1027 PF_SET_SKIP_STEPS(PF_SKIP_DIR); 1028 if (cur->af != prev->af) 1029 PF_SET_SKIP_STEPS(PF_SKIP_AF); 1030 if (cur->proto != prev->proto) 1031 PF_SET_SKIP_STEPS(PF_SKIP_PROTO); 1032 if (cur->src.not != prev->src.not || 1033 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr)) 1034 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR); 1035 if (cur->src.port[0] != prev->src.port[0] || 1036 cur->src.port[1] != prev->src.port[1] || 1037 cur->src.port_op != prev->src.port_op) 1038 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT); 1039 if (cur->dst.not != prev->dst.not || 1040 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr)) 1041 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR); 1042 if (cur->dst.port[0] != prev->dst.port[0] || 1043 cur->dst.port[1] != prev->dst.port[1] || 1044 cur->dst.port_op != prev->dst.port_op) 1045 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT); 1046 1047 prev = cur; 1048 cur = TAILQ_NEXT(cur, entries); 1049 } 1050 for (i = 0; i < PF_SKIP_COUNT; ++i) 1051 PF_SET_SKIP_STEPS(i); 1052 } 1053 1054 int 1055 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2) 1056 { 1057 if (aw1->type != aw2->type) 1058 return (1); 1059 switch (aw1->type) { 1060 case PF_ADDR_ADDRMASK: 1061 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0)) 1062 return (1); 1063 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) 1064 return (1); 1065 return (0); 1066 case PF_ADDR_DYNIFTL: 1067 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt); 1068 case PF_ADDR_NOROUTE: 1069 return (0); 1070 case PF_ADDR_TABLE: 1071 return (aw1->p.tbl != aw2->p.tbl); 1072 default: 1073 kprintf("invalid address type: %d\n", aw1->type); 1074 return (1); 1075 } 1076 } 1077 1078 void 1079 pf_update_anchor_rules(void) 1080 { 1081 struct pf_rule *rule; 1082 int i; 1083 1084 for (i = 0; i < PF_RULESET_MAX; ++i) 1085 TAILQ_FOREACH(rule, pf_main_ruleset.rules[i].active.ptr, 1086 entries) 1087 if (rule->anchorname[0]) 1088 rule->anchor = pf_find_anchor(rule->anchorname); 1089 else 1090 rule->anchor = NULL; 1091 } 1092 1093 u_int16_t 1094 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) 1095 { 1096 u_int32_t l; 1097 1098 if (udp && !cksum) 1099 return (0x0000); 1100 l = cksum + old - new; 1101 l = (l >> 16) + (l & 65535); 1102 l = l & 65535; 1103 if (udp && !l) 1104 return (0xFFFF); 1105 return (l); 1106 } 1107 1108 void 1109 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, 1110 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af) 1111 { 1112 struct pf_addr ao; 1113 u_int16_t po = *p; 1114 1115 PF_ACPY(&ao, a, af); 1116 PF_ACPY(a, an, af); 1117 1118 *p = pn; 1119 1120 switch (af) { 1121 #ifdef INET 1122 case AF_INET: 1123 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1124 ao.addr16[0], an->addr16[0], 0), 1125 ao.addr16[1], an->addr16[1], 0); 1126 *p = pn; 1127 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1128 ao.addr16[0], an->addr16[0], u), 1129 ao.addr16[1], an->addr16[1], u), 1130 po, pn, u); 1131 break; 1132 #endif /* INET */ 1133 #ifdef INET6 1134 case AF_INET6: 1135 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1136 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1137 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1138 ao.addr16[0], an->addr16[0], u), 1139 ao.addr16[1], an->addr16[1], u), 1140 ao.addr16[2], an->addr16[2], u), 1141 ao.addr16[3], an->addr16[3], u), 1142 ao.addr16[4], an->addr16[4], u), 1143 ao.addr16[5], an->addr16[5], u), 1144 ao.addr16[6], an->addr16[6], u), 1145 ao.addr16[7], an->addr16[7], u), 1146 po, pn, u); 1147 break; 1148 #endif /* INET6 */ 1149 } 1150 } 1151 1152 1153 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */ 1154 void 1155 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u) 1156 { 1157 u_int32_t ao; 1158 1159 memcpy(&ao, a, sizeof(ao)); 1160 memcpy(a, &an, sizeof(u_int32_t)); 1161 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u), 1162 ao % 65536, an % 65536, u); 1163 } 1164 1165 #ifdef INET6 1166 void 1167 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) 1168 { 1169 struct pf_addr ao; 1170 1171 PF_ACPY(&ao, a, AF_INET6); 1172 PF_ACPY(a, an, AF_INET6); 1173 1174 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1175 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1176 pf_cksum_fixup(pf_cksum_fixup(*c, 1177 ao.addr16[0], an->addr16[0], u), 1178 ao.addr16[1], an->addr16[1], u), 1179 ao.addr16[2], an->addr16[2], u), 1180 ao.addr16[3], an->addr16[3], u), 1181 ao.addr16[4], an->addr16[4], u), 1182 ao.addr16[5], an->addr16[5], u), 1183 ao.addr16[6], an->addr16[6], u), 1184 ao.addr16[7], an->addr16[7], u); 1185 } 1186 #endif /* INET6 */ 1187 1188 void 1189 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, 1190 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, 1191 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af) 1192 { 1193 struct pf_addr oia, ooa; 1194 1195 PF_ACPY(&oia, ia, af); 1196 PF_ACPY(&ooa, oa, af); 1197 1198 /* Change inner protocol port, fix inner protocol checksum. */ 1199 if (ip != NULL) { 1200 u_int16_t oip = *ip; 1201 u_int32_t opc = 0; 1202 1203 if (pc != NULL) 1204 opc = *pc; 1205 *ip = np; 1206 if (pc != NULL) 1207 *pc = pf_cksum_fixup(*pc, oip, *ip, u); 1208 *ic = pf_cksum_fixup(*ic, oip, *ip, 0); 1209 if (pc != NULL) 1210 *ic = pf_cksum_fixup(*ic, opc, *pc, 0); 1211 } 1212 /* Change inner ip address, fix inner ip and icmp checksums. */ 1213 PF_ACPY(ia, na, af); 1214 switch (af) { 1215 #ifdef INET 1216 case AF_INET: { 1217 u_int32_t oh2c = *h2c; 1218 1219 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c, 1220 oia.addr16[0], ia->addr16[0], 0), 1221 oia.addr16[1], ia->addr16[1], 0); 1222 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1223 oia.addr16[0], ia->addr16[0], 0), 1224 oia.addr16[1], ia->addr16[1], 0); 1225 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0); 1226 break; 1227 } 1228 #endif /* INET */ 1229 #ifdef INET6 1230 case AF_INET6: 1231 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1232 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1233 pf_cksum_fixup(pf_cksum_fixup(*ic, 1234 oia.addr16[0], ia->addr16[0], u), 1235 oia.addr16[1], ia->addr16[1], u), 1236 oia.addr16[2], ia->addr16[2], u), 1237 oia.addr16[3], ia->addr16[3], u), 1238 oia.addr16[4], ia->addr16[4], u), 1239 oia.addr16[5], ia->addr16[5], u), 1240 oia.addr16[6], ia->addr16[6], u), 1241 oia.addr16[7], ia->addr16[7], u); 1242 break; 1243 #endif /* INET6 */ 1244 } 1245 /* Change outer ip address, fix outer ip or icmpv6 checksum. */ 1246 PF_ACPY(oa, na, af); 1247 switch (af) { 1248 #ifdef INET 1249 case AF_INET: 1250 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc, 1251 ooa.addr16[0], oa->addr16[0], 0), 1252 ooa.addr16[1], oa->addr16[1], 0); 1253 break; 1254 #endif /* INET */ 1255 #ifdef INET6 1256 case AF_INET6: 1257 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1258 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1259 pf_cksum_fixup(pf_cksum_fixup(*ic, 1260 ooa.addr16[0], oa->addr16[0], u), 1261 ooa.addr16[1], oa->addr16[1], u), 1262 ooa.addr16[2], oa->addr16[2], u), 1263 ooa.addr16[3], oa->addr16[3], u), 1264 ooa.addr16[4], oa->addr16[4], u), 1265 ooa.addr16[5], oa->addr16[5], u), 1266 ooa.addr16[6], oa->addr16[6], u), 1267 ooa.addr16[7], oa->addr16[7], u); 1268 break; 1269 #endif /* INET6 */ 1270 } 1271 } 1272 1273 void 1274 pf_send_tcp(const struct pf_rule *r, sa_family_t af, 1275 const struct pf_addr *saddr, const struct pf_addr *daddr, 1276 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, 1277 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl) 1278 { 1279 struct mbuf *m; 1280 int len = 0, tlen; 1281 #ifdef INET 1282 struct ip *h = NULL; 1283 #endif /* INET */ 1284 #ifdef INET6 1285 struct ip6_hdr *h6 = NULL; 1286 #endif /* INET6 */ 1287 struct tcphdr *th = NULL; 1288 char *opt; 1289 1290 /* maximum segment size tcp option */ 1291 tlen = sizeof(struct tcphdr); 1292 if (mss) 1293 tlen += 4; 1294 1295 switch (af) { 1296 #ifdef INET 1297 case AF_INET: 1298 len = sizeof(struct ip) + tlen; 1299 break; 1300 #endif /* INET */ 1301 #ifdef INET6 1302 case AF_INET6: 1303 len = sizeof(struct ip6_hdr) + tlen; 1304 break; 1305 #endif /* INET6 */ 1306 } 1307 1308 /* create outgoing mbuf */ 1309 m = m_gethdr(MB_DONTWAIT, MT_HEADER); 1310 if (m == NULL) 1311 return; 1312 m->m_pkthdr.fw_flags = PF_MBUF_GENERATED; 1313 #ifdef ALTQ 1314 if (r != NULL && r->qid) { 1315 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED; 1316 m->m_pkthdr.altq_qid = r->qid; 1317 m->m_pkthdr.ecn_af = af; 1318 m->m_pkthdr.header = mtod(m, struct ip *); 1319 } 1320 #endif 1321 m->m_data += max_linkhdr; 1322 m->m_pkthdr.len = m->m_len = len; 1323 m->m_pkthdr.rcvif = NULL; 1324 bzero(m->m_data, len); 1325 switch (af) { 1326 #ifdef INET 1327 case AF_INET: 1328 h = mtod(m, struct ip *); 1329 1330 /* IP header fields included in the TCP checksum */ 1331 h->ip_p = IPPROTO_TCP; 1332 h->ip_len = tlen; 1333 h->ip_src.s_addr = saddr->v4.s_addr; 1334 h->ip_dst.s_addr = daddr->v4.s_addr; 1335 1336 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip)); 1337 break; 1338 #endif /* INET */ 1339 #ifdef INET6 1340 case AF_INET6: 1341 h6 = mtod(m, struct ip6_hdr *); 1342 1343 /* IP header fields included in the TCP checksum */ 1344 h6->ip6_nxt = IPPROTO_TCP; 1345 h6->ip6_plen = htons(tlen); 1346 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr)); 1347 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr)); 1348 1349 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr)); 1350 break; 1351 #endif /* INET6 */ 1352 } 1353 1354 /* TCP header */ 1355 th->th_sport = sport; 1356 th->th_dport = dport; 1357 th->th_seq = htonl(seq); 1358 th->th_ack = htonl(ack); 1359 th->th_off = tlen >> 2; 1360 th->th_flags = flags; 1361 th->th_win = htons(win); 1362 1363 if (mss) { 1364 opt = (char *)(th + 1); 1365 opt[0] = TCPOPT_MAXSEG; 1366 opt[1] = 4; 1367 mss = htons(mss); 1368 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2); 1369 } 1370 1371 switch (af) { 1372 #ifdef INET 1373 case AF_INET: 1374 /* TCP checksum */ 1375 th->th_sum = in_cksum(m, len); 1376 1377 /* Finish the IP header */ 1378 h->ip_v = 4; 1379 h->ip_hl = sizeof(*h) >> 2; 1380 h->ip_tos = IPTOS_LOWDELAY; 1381 h->ip_len = len; 1382 h->ip_off = path_mtu_discovery ? IP_DF : 0; 1383 h->ip_ttl = ttl ? ttl : ip_defttl; 1384 h->ip_sum = 0; 1385 ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL, 1386 (void *)NULL); 1387 break; 1388 #endif /* INET */ 1389 #ifdef INET6 1390 case AF_INET6: 1391 /* TCP checksum */ 1392 th->th_sum = in6_cksum(m, IPPROTO_TCP, 1393 sizeof(struct ip6_hdr), tlen); 1394 1395 h6->ip6_vfc |= IPV6_VERSION; 1396 h6->ip6_hlim = IPV6_DEFHLIM; 1397 1398 ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); 1399 break; 1400 #endif /* INET6 */ 1401 } 1402 } 1403 1404 void 1405 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, 1406 struct pf_rule *r) 1407 { 1408 struct mbuf *m0; 1409 1410 m0 = m_copypacket(m, MB_DONTWAIT); 1411 if (m0 == NULL) 1412 return; 1413 m0->m_pkthdr.fw_flags |= PF_MBUF_GENERATED; 1414 1415 #ifdef ALTQ 1416 if (r->qid) { 1417 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED; 1418 m->m_pkthdr.altq_qid = r->qid; 1419 m->m_pkthdr.ecn_af = af; 1420 m->m_pkthdr.header = mtod(m0, struct ip *); 1421 } 1422 #endif 1423 1424 switch (af) { 1425 #ifdef INET 1426 case AF_INET: 1427 icmp_error(m0, type, code, 0, 0); 1428 break; 1429 #endif /* INET */ 1430 #ifdef INET6 1431 case AF_INET6: 1432 icmp6_error(m0, type, code, 0); 1433 break; 1434 #endif /* INET6 */ 1435 } 1436 } 1437 1438 /* 1439 * Return 1 if the addresses a and b match (with mask m), otherwise return 0. 1440 * If n is 0, they match if they are equal. If n is != 0, they match if they 1441 * are different. 1442 */ 1443 int 1444 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m, 1445 struct pf_addr *b, sa_family_t af) 1446 { 1447 int match = 0; 1448 1449 switch (af) { 1450 #ifdef INET 1451 case AF_INET: 1452 if ((a->addr32[0] & m->addr32[0]) == 1453 (b->addr32[0] & m->addr32[0])) 1454 match++; 1455 break; 1456 #endif /* INET */ 1457 #ifdef INET6 1458 case AF_INET6: 1459 if (((a->addr32[0] & m->addr32[0]) == 1460 (b->addr32[0] & m->addr32[0])) && 1461 ((a->addr32[1] & m->addr32[1]) == 1462 (b->addr32[1] & m->addr32[1])) && 1463 ((a->addr32[2] & m->addr32[2]) == 1464 (b->addr32[2] & m->addr32[2])) && 1465 ((a->addr32[3] & m->addr32[3]) == 1466 (b->addr32[3] & m->addr32[3]))) 1467 match++; 1468 break; 1469 #endif /* INET6 */ 1470 } 1471 if (match) { 1472 if (n) 1473 return (0); 1474 else 1475 return (1); 1476 } else { 1477 if (n) 1478 return (1); 1479 else 1480 return (0); 1481 } 1482 } 1483 1484 int 1485 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p) 1486 { 1487 switch (op) { 1488 case PF_OP_IRG: 1489 return ((p > a1) && (p < a2)); 1490 case PF_OP_XRG: 1491 return ((p < a1) || (p > a2)); 1492 case PF_OP_RRG: 1493 return ((p >= a1) && (p <= a2)); 1494 case PF_OP_EQ: 1495 return (p == a1); 1496 case PF_OP_NE: 1497 return (p != a1); 1498 case PF_OP_LT: 1499 return (p < a1); 1500 case PF_OP_LE: 1501 return (p <= a1); 1502 case PF_OP_GT: 1503 return (p > a1); 1504 case PF_OP_GE: 1505 return (p >= a1); 1506 } 1507 return (0); /* never reached */ 1508 } 1509 1510 int 1511 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p) 1512 { 1513 a1 = ntohs(a1); 1514 a2 = ntohs(a2); 1515 p = ntohs(p); 1516 return (pf_match(op, a1, a2, p)); 1517 } 1518 1519 int 1520 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u) 1521 { 1522 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1523 return (0); 1524 return (pf_match(op, a1, a2, u)); 1525 } 1526 1527 int 1528 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) 1529 { 1530 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1531 return (0); 1532 return (pf_match(op, a1, a2, g)); 1533 } 1534 1535 static int 1536 pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_rule *nat_rule, 1537 int *tag) 1538 { 1539 if (*tag == -1) { /* find mbuf tag */ 1540 if (nat_rule != NULL && nat_rule->tag) 1541 *tag = nat_rule->tag; 1542 else if (m->m_pkthdr.fw_flags & PF_MBUF_TAGGED) 1543 *tag = m->m_pkthdr.pf_tag; 1544 else 1545 *tag = 0; 1546 } 1547 1548 return ((!r->match_tag_not && r->match_tag == *tag) || 1549 (r->match_tag_not && r->match_tag != *tag)); 1550 } 1551 1552 void 1553 pf_tag_packet(struct mbuf *m, int tag) 1554 { 1555 if (tag <= 0) 1556 return; 1557 1558 m->m_pkthdr.fw_flags |= PF_MBUF_TAGGED; 1559 m->m_pkthdr.pf_tag = tag; 1560 } 1561 1562 #define PF_STEP_INTO_ANCHOR(r, a, s, n) \ 1563 do { \ 1564 if ((r) == NULL || (r)->anchor == NULL || \ 1565 (s) != NULL || (a) != NULL) \ 1566 panic("PF_STEP_INTO_ANCHOR"); \ 1567 (a) = (r); \ 1568 (s) = TAILQ_FIRST(&(r)->anchor->rulesets); \ 1569 (r) = NULL; \ 1570 while ((s) != NULL && ((r) = \ 1571 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1572 (s) = TAILQ_NEXT((s), entries); \ 1573 if ((r) == NULL) { \ 1574 (r) = TAILQ_NEXT((a), entries); \ 1575 (a) = NULL; \ 1576 } \ 1577 } while (0) 1578 1579 #define PF_STEP_OUT_OF_ANCHOR(r, a, s, n) \ 1580 do { \ 1581 if ((r) != NULL || (a) == NULL || (s) == NULL) \ 1582 panic("PF_STEP_OUT_OF_ANCHOR"); \ 1583 (s) = TAILQ_NEXT((s), entries); \ 1584 while ((s) != NULL && ((r) = \ 1585 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1586 (s) = TAILQ_NEXT((s), entries); \ 1587 if ((r) == NULL) { \ 1588 (r) = TAILQ_NEXT((a), entries); \ 1589 (a) = NULL; \ 1590 } \ 1591 } while (0) 1592 1593 #ifdef INET6 1594 void 1595 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr, 1596 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af) 1597 { 1598 switch (af) { 1599 #ifdef INET 1600 case AF_INET: 1601 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1602 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1603 break; 1604 #endif /* INET */ 1605 case AF_INET6: 1606 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1607 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1608 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) | 1609 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]); 1610 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) | 1611 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]); 1612 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) | 1613 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]); 1614 break; 1615 } 1616 } 1617 1618 void 1619 pf_addr_inc(struct pf_addr *addr, sa_family_t af) 1620 { 1621 switch (af) { 1622 #ifdef INET 1623 case AF_INET: 1624 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1); 1625 break; 1626 #endif /* INET */ 1627 case AF_INET6: 1628 if (addr->addr32[3] == 0xffffffff) { 1629 addr->addr32[3] = 0; 1630 if (addr->addr32[2] == 0xffffffff) { 1631 addr->addr32[2] = 0; 1632 if (addr->addr32[1] == 0xffffffff) { 1633 addr->addr32[1] = 0; 1634 addr->addr32[0] = 1635 htonl(ntohl(addr->addr32[0]) + 1); 1636 } else 1637 addr->addr32[1] = 1638 htonl(ntohl(addr->addr32[1]) + 1); 1639 } else 1640 addr->addr32[2] = 1641 htonl(ntohl(addr->addr32[2]) + 1); 1642 } else 1643 addr->addr32[3] = 1644 htonl(ntohl(addr->addr32[3]) + 1); 1645 break; 1646 } 1647 } 1648 #endif /* INET6 */ 1649 1650 #define mix(a,b,c) \ 1651 do { \ 1652 a -= b; a -= c; a ^= (c >> 13); \ 1653 b -= c; b -= a; b ^= (a << 8); \ 1654 c -= a; c -= b; c ^= (b >> 13); \ 1655 a -= b; a -= c; a ^= (c >> 12); \ 1656 b -= c; b -= a; b ^= (a << 16); \ 1657 c -= a; c -= b; c ^= (b >> 5); \ 1658 a -= b; a -= c; a ^= (c >> 3); \ 1659 b -= c; b -= a; b ^= (a << 10); \ 1660 c -= a; c -= b; c ^= (b >> 15); \ 1661 } while (0) 1662 1663 /* 1664 * hash function based on bridge_hash in if_bridge.c 1665 */ 1666 void 1667 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, 1668 struct pf_poolhashkey *key, sa_family_t af) 1669 { 1670 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; 1671 1672 switch (af) { 1673 #ifdef INET 1674 case AF_INET: 1675 a += inaddr->addr32[0]; 1676 b += key->key32[1]; 1677 mix(a, b, c); 1678 hash->addr32[0] = c + key->key32[2]; 1679 break; 1680 #endif /* INET */ 1681 #ifdef INET6 1682 case AF_INET6: 1683 a += inaddr->addr32[0]; 1684 b += inaddr->addr32[2]; 1685 mix(a, b, c); 1686 hash->addr32[0] = c; 1687 a += inaddr->addr32[1]; 1688 b += inaddr->addr32[3]; 1689 c += key->key32[1]; 1690 mix(a, b, c); 1691 hash->addr32[1] = c; 1692 a += inaddr->addr32[2]; 1693 b += inaddr->addr32[1]; 1694 c += key->key32[2]; 1695 mix(a, b, c); 1696 hash->addr32[2] = c; 1697 a += inaddr->addr32[3]; 1698 b += inaddr->addr32[0]; 1699 c += key->key32[3]; 1700 mix(a, b, c); 1701 hash->addr32[3] = c; 1702 break; 1703 #endif /* INET6 */ 1704 } 1705 } 1706 1707 int 1708 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr, 1709 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn) 1710 { 1711 unsigned char hash[16]; 1712 struct pf_pool *rpool = &r->rpool; 1713 struct pf_addr *raddr = &rpool->cur->addr.v.a.addr; 1714 struct pf_addr *rmask = &rpool->cur->addr.v.a.mask; 1715 struct pf_pooladdr *acur = rpool->cur; 1716 struct pf_src_node k; 1717 1718 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR && 1719 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 1720 k.af = af; 1721 PF_ACPY(&k.addr, saddr, af); 1722 if (r->rule_flag & PFRULE_RULESRCTRACK || 1723 r->rpool.opts & PF_POOL_STICKYADDR) 1724 k.rule.ptr = r; 1725 else 1726 k.rule.ptr = NULL; 1727 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; 1728 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); 1729 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) { 1730 PF_ACPY(naddr, &(*sn)->raddr, af); 1731 if (pf_status.debug >= PF_DEBUG_MISC) { 1732 kprintf("pf_map_addr: src tracking maps "); 1733 pf_print_host(&k.addr, 0, af); 1734 kprintf(" to "); 1735 pf_print_host(naddr, 0, af); 1736 kprintf("\n"); 1737 } 1738 return (0); 1739 } 1740 } 1741 1742 if (rpool->cur->addr.type == PF_ADDR_NOROUTE) 1743 return (1); 1744 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1745 if (af == AF_INET) { 1746 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 && 1747 (rpool->opts & PF_POOL_TYPEMASK) != 1748 PF_POOL_ROUNDROBIN) 1749 return (1); 1750 raddr = &rpool->cur->addr.p.dyn->pfid_addr4; 1751 rmask = &rpool->cur->addr.p.dyn->pfid_mask4; 1752 } else { 1753 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 && 1754 (rpool->opts & PF_POOL_TYPEMASK) != 1755 PF_POOL_ROUNDROBIN) 1756 return (1); 1757 raddr = &rpool->cur->addr.p.dyn->pfid_addr6; 1758 rmask = &rpool->cur->addr.p.dyn->pfid_mask6; 1759 } 1760 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1761 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) 1762 return (1); /* unsupported */ 1763 } else { 1764 raddr = &rpool->cur->addr.v.a.addr; 1765 rmask = &rpool->cur->addr.v.a.mask; 1766 } 1767 1768 switch (rpool->opts & PF_POOL_TYPEMASK) { 1769 case PF_POOL_NONE: 1770 PF_ACPY(naddr, raddr, af); 1771 break; 1772 case PF_POOL_BITMASK: 1773 PF_POOLMASK(naddr, raddr, rmask, saddr, af); 1774 break; 1775 case PF_POOL_RANDOM: 1776 if (init_addr != NULL && PF_AZERO(init_addr, af)) { 1777 switch (af) { 1778 #ifdef INET 1779 case AF_INET: 1780 rpool->counter.addr32[0] = karc4random(); 1781 break; 1782 #endif /* INET */ 1783 #ifdef INET6 1784 case AF_INET6: 1785 if (rmask->addr32[3] != 0xffffffff) 1786 rpool->counter.addr32[3] = karc4random(); 1787 else 1788 break; 1789 if (rmask->addr32[2] != 0xffffffff) 1790 rpool->counter.addr32[2] = karc4random(); 1791 else 1792 break; 1793 if (rmask->addr32[1] != 0xffffffff) 1794 rpool->counter.addr32[1] = karc4random(); 1795 else 1796 break; 1797 if (rmask->addr32[0] != 0xffffffff) 1798 rpool->counter.addr32[0] = karc4random(); 1799 break; 1800 #endif /* INET6 */ 1801 } 1802 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1803 PF_ACPY(init_addr, naddr, af); 1804 1805 } else { 1806 PF_AINC(&rpool->counter, af); 1807 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1808 } 1809 break; 1810 case PF_POOL_SRCHASH: 1811 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af); 1812 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af); 1813 break; 1814 case PF_POOL_ROUNDROBIN: 1815 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1816 if (!pfr_pool_get(rpool->cur->addr.p.tbl, 1817 &rpool->tblidx, &rpool->counter, 1818 &raddr, &rmask, af)) 1819 goto get_addr; 1820 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1821 if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 1822 &rpool->tblidx, &rpool->counter, 1823 &raddr, &rmask, af)) 1824 goto get_addr; 1825 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af)) 1826 goto get_addr; 1827 1828 try_next: 1829 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL) 1830 rpool->cur = TAILQ_FIRST(&rpool->list); 1831 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1832 rpool->tblidx = -1; 1833 if (pfr_pool_get(rpool->cur->addr.p.tbl, 1834 &rpool->tblidx, &rpool->counter, 1835 &raddr, &rmask, af)) { 1836 /* table contains no address of type 'af' */ 1837 if (rpool->cur != acur) 1838 goto try_next; 1839 return (1); 1840 } 1841 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1842 rpool->tblidx = -1; 1843 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 1844 &rpool->tblidx, &rpool->counter, 1845 &raddr, &rmask, af)) { 1846 /* table contains no address of type 'af' */ 1847 if (rpool->cur != acur) 1848 goto try_next; 1849 return (1); 1850 } 1851 } else { 1852 raddr = &rpool->cur->addr.v.a.addr; 1853 rmask = &rpool->cur->addr.v.a.mask; 1854 PF_ACPY(&rpool->counter, raddr, af); 1855 } 1856 1857 get_addr: 1858 PF_ACPY(naddr, &rpool->counter, af); 1859 PF_AINC(&rpool->counter, af); 1860 break; 1861 } 1862 if (*sn != NULL) 1863 PF_ACPY(&(*sn)->raddr, naddr, af); 1864 1865 if (pf_status.debug >= PF_DEBUG_MISC && 1866 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 1867 kprintf("pf_map_addr: selected address "); 1868 pf_print_host(naddr, 0, af); 1869 kprintf("\n"); 1870 } 1871 1872 return (0); 1873 } 1874 1875 int 1876 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, 1877 struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport, 1878 struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high, 1879 struct pf_src_node **sn) 1880 { 1881 struct pf_state key; 1882 struct pf_addr init_addr; 1883 u_int16_t cut; 1884 1885 bzero(&init_addr, sizeof(init_addr)); 1886 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 1887 return (1); 1888 1889 do { 1890 key.af = af; 1891 key.proto = proto; 1892 PF_ACPY(&key.ext.addr, daddr, key.af); 1893 PF_ACPY(&key.gwy.addr, naddr, key.af); 1894 key.ext.port = dport; 1895 1896 /* 1897 * port search; start random, step; 1898 * similar 2 portloop in in_pcbbind 1899 */ 1900 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) { 1901 key.gwy.port = 0; 1902 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) 1903 return (0); 1904 } else if (low == 0 && high == 0) { 1905 key.gwy.port = *nport; 1906 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) 1907 return (0); 1908 } else if (low == high) { 1909 key.gwy.port = htons(low); 1910 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) { 1911 *nport = htons(low); 1912 return (0); 1913 } 1914 } else { 1915 u_int16_t tmp; 1916 1917 if (low > high) { 1918 tmp = low; 1919 low = high; 1920 high = tmp; 1921 } 1922 /* low < high */ 1923 cut = karc4random() % (1 + high - low) + low; 1924 /* low <= cut <= high */ 1925 for (tmp = cut; tmp <= high; ++(tmp)) { 1926 key.gwy.port = htons(tmp); 1927 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 1928 NULL) { 1929 *nport = htons(tmp); 1930 return (0); 1931 } 1932 } 1933 for (tmp = cut - 1; tmp >= low; --(tmp)) { 1934 key.gwy.port = htons(tmp); 1935 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 1936 NULL) { 1937 *nport = htons(tmp); 1938 return (0); 1939 } 1940 } 1941 } 1942 1943 switch (r->rpool.opts & PF_POOL_TYPEMASK) { 1944 case PF_POOL_RANDOM: 1945 case PF_POOL_ROUNDROBIN: 1946 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 1947 return (1); 1948 break; 1949 case PF_POOL_NONE: 1950 case PF_POOL_SRCHASH: 1951 case PF_POOL_BITMASK: 1952 default: 1953 return (1); 1954 } 1955 } while (! PF_AEQ(&init_addr, naddr, af) ); 1956 1957 return (1); /* none available */ 1958 } 1959 1960 struct pf_rule * 1961 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, 1962 int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport, 1963 struct pf_addr *daddr, u_int16_t dport, int rs_num) 1964 { 1965 struct pf_rule *r, *rm = NULL, *anchorrule = NULL; 1966 struct pf_ruleset *ruleset = NULL; 1967 1968 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); 1969 while (r && rm == NULL) { 1970 struct pf_rule_addr *src = NULL, *dst = NULL; 1971 struct pf_addr_wrap *xdst = NULL; 1972 1973 if (r->action == PF_BINAT && direction == PF_IN) { 1974 src = &r->dst; 1975 if (r->rpool.cur != NULL) 1976 xdst = &r->rpool.cur->addr; 1977 } else { 1978 src = &r->src; 1979 dst = &r->dst; 1980 } 1981 1982 r->evaluations++; 1983 if (r->kif != NULL && 1984 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 1985 r = r->skip[PF_SKIP_IFP].ptr; 1986 else if (r->direction && r->direction != direction) 1987 r = r->skip[PF_SKIP_DIR].ptr; 1988 else if (r->af && r->af != pd->af) 1989 r = r->skip[PF_SKIP_AF].ptr; 1990 else if (r->proto && r->proto != pd->proto) 1991 r = r->skip[PF_SKIP_PROTO].ptr; 1992 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->not)) 1993 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : 1994 PF_SKIP_DST_ADDR].ptr; 1995 else if (src->port_op && !pf_match_port(src->port_op, 1996 src->port[0], src->port[1], sport)) 1997 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : 1998 PF_SKIP_DST_PORT].ptr; 1999 else if (dst != NULL && 2000 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->not)) 2001 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2002 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0)) 2003 r = TAILQ_NEXT(r, entries); 2004 else if (dst != NULL && dst->port_op && 2005 !pf_match_port(dst->port_op, dst->port[0], 2006 dst->port[1], dport)) 2007 r = r->skip[PF_SKIP_DST_PORT].ptr; 2008 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != 2009 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, 2010 off, pd->hdr.tcp), r->os_fingerprint))) 2011 r = TAILQ_NEXT(r, entries); 2012 else if (r->anchorname[0] && r->anchor == NULL) 2013 r = TAILQ_NEXT(r, entries); 2014 else if (r->anchor == NULL) 2015 rm = r; 2016 else 2017 PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, rs_num); 2018 if (r == NULL && anchorrule != NULL) 2019 PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, 2020 rs_num); 2021 } 2022 if (rm != NULL && (rm->action == PF_NONAT || 2023 rm->action == PF_NORDR || rm->action == PF_NOBINAT)) 2024 return (NULL); 2025 return (rm); 2026 } 2027 2028 struct pf_rule * 2029 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, 2030 struct pfi_kif *kif, struct pf_src_node **sn, 2031 struct pf_addr *saddr, u_int16_t sport, 2032 struct pf_addr *daddr, u_int16_t dport, 2033 struct pf_addr *naddr, u_int16_t *nport) 2034 { 2035 struct pf_rule *r = NULL; 2036 2037 if (direction == PF_OUT) { 2038 r = pf_match_translation(pd, m, off, direction, kif, saddr, 2039 sport, daddr, dport, PF_RULESET_BINAT); 2040 if (r == NULL) 2041 r = pf_match_translation(pd, m, off, direction, kif, 2042 saddr, sport, daddr, dport, PF_RULESET_NAT); 2043 } else { 2044 r = pf_match_translation(pd, m, off, direction, kif, saddr, 2045 sport, daddr, dport, PF_RULESET_RDR); 2046 if (r == NULL) 2047 r = pf_match_translation(pd, m, off, direction, kif, 2048 saddr, sport, daddr, dport, PF_RULESET_BINAT); 2049 } 2050 2051 if (r != NULL) { 2052 switch (r->action) { 2053 case PF_NONAT: 2054 case PF_NOBINAT: 2055 case PF_NORDR: 2056 return (NULL); 2057 case PF_NAT: 2058 if (pf_get_sport(pd->af, pd->proto, r, saddr, 2059 daddr, dport, naddr, nport, r->rpool.proxy_port[0], 2060 r->rpool.proxy_port[1], sn)) { 2061 DPFPRINTF(PF_DEBUG_MISC, 2062 ("pf: NAT proxy port allocation " 2063 "(%u-%u) failed\n", 2064 r->rpool.proxy_port[0], 2065 r->rpool.proxy_port[1])); 2066 return (NULL); 2067 } 2068 break; 2069 case PF_BINAT: 2070 switch (direction) { 2071 case PF_OUT: 2072 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ 2073 if (pd->af == AF_INET) { 2074 if (r->rpool.cur->addr.p.dyn-> 2075 pfid_acnt4 < 1) 2076 return (NULL); 2077 PF_POOLMASK(naddr, 2078 &r->rpool.cur->addr.p.dyn-> 2079 pfid_addr4, 2080 &r->rpool.cur->addr.p.dyn-> 2081 pfid_mask4, 2082 saddr, AF_INET); 2083 } else { 2084 if (r->rpool.cur->addr.p.dyn-> 2085 pfid_acnt6 < 1) 2086 return (NULL); 2087 PF_POOLMASK(naddr, 2088 &r->rpool.cur->addr.p.dyn-> 2089 pfid_addr6, 2090 &r->rpool.cur->addr.p.dyn-> 2091 pfid_mask6, 2092 saddr, AF_INET6); 2093 } 2094 } else 2095 PF_POOLMASK(naddr, 2096 &r->rpool.cur->addr.v.a.addr, 2097 &r->rpool.cur->addr.v.a.mask, 2098 saddr, pd->af); 2099 break; 2100 case PF_IN: 2101 if (r->src.addr.type == PF_ADDR_DYNIFTL){ 2102 if (pd->af == AF_INET) { 2103 if (r->src.addr.p.dyn-> 2104 pfid_acnt4 < 1) 2105 return (NULL); 2106 PF_POOLMASK(naddr, 2107 &r->src.addr.p.dyn-> 2108 pfid_addr4, 2109 &r->src.addr.p.dyn-> 2110 pfid_mask4, 2111 daddr, AF_INET); 2112 } else { 2113 if (r->src.addr.p.dyn-> 2114 pfid_acnt6 < 1) 2115 return (NULL); 2116 PF_POOLMASK(naddr, 2117 &r->src.addr.p.dyn-> 2118 pfid_addr6, 2119 &r->src.addr.p.dyn-> 2120 pfid_mask6, 2121 daddr, AF_INET6); 2122 } 2123 } else 2124 PF_POOLMASK(naddr, 2125 &r->src.addr.v.a.addr, 2126 &r->src.addr.v.a.mask, daddr, 2127 pd->af); 2128 break; 2129 } 2130 break; 2131 case PF_RDR: { 2132 if (pf_map_addr(r->af, r, saddr, naddr, NULL, sn)) 2133 return (NULL); 2134 2135 if (r->rpool.proxy_port[1]) { 2136 u_int32_t tmp_nport; 2137 2138 tmp_nport = ((ntohs(dport) - 2139 ntohs(r->dst.port[0])) % 2140 (r->rpool.proxy_port[1] - 2141 r->rpool.proxy_port[0] + 1)) + 2142 r->rpool.proxy_port[0]; 2143 2144 /* wrap around if necessary */ 2145 if (tmp_nport > 65535) 2146 tmp_nport -= 65535; 2147 *nport = htons((u_int16_t)tmp_nport); 2148 } else if (r->rpool.proxy_port[0]) 2149 *nport = htons(r->rpool.proxy_port[0]); 2150 break; 2151 } 2152 default: 2153 return (NULL); 2154 } 2155 } 2156 2157 return (r); 2158 } 2159 2160 #ifdef SMP 2161 struct netmsg_hashlookup { 2162 struct netmsg nm_netmsg; 2163 struct inpcb **nm_pinp; 2164 struct inpcbinfo *nm_pcbinfo; 2165 struct pf_addr *nm_saddr; 2166 struct pf_addr *nm_daddr; 2167 uint16_t nm_sport; 2168 uint16_t nm_dport; 2169 sa_family_t nm_af; 2170 }; 2171 2172 static void 2173 in_pcblookup_hash_handler(struct netmsg *msg0) 2174 { 2175 struct netmsg_hashlookup *msg = (struct netmsg_hashlookup *)msg0; 2176 2177 if (msg->nm_af == AF_INET) 2178 *msg->nm_pinp = in_pcblookup_hash(msg->nm_pcbinfo, 2179 msg->nm_saddr->v4, msg->nm_sport, msg->nm_daddr->v4, 2180 msg->nm_dport, INPLOOKUP_WILDCARD, NULL); 2181 #ifdef INET6 2182 else 2183 *msg->nm_pinp = in6_pcblookup_hash(msg->nm_pcbinfo, 2184 &msg->nm_saddr->v6, msg->nm_sport, &msg->nm_daddr->v6, 2185 msg->nm_dport, INPLOOKUP_WILDCARD, NULL); 2186 #endif /* INET6 */ 2187 lwkt_replymsg(&msg->nm_netmsg.nm_lmsg, 0); 2188 } 2189 #endif /* SMP */ 2190 2191 int 2192 pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd) 2193 { 2194 struct pf_addr *saddr, *daddr; 2195 u_int16_t sport, dport; 2196 struct inpcbinfo *pi; 2197 struct inpcb *inp; 2198 #ifdef SMP 2199 struct netmsg_hashlookup *msg = NULL; 2200 #endif 2201 int pi_cpu = 0; 2202 2203 *uid = UID_MAX; 2204 *gid = GID_MAX; 2205 if (direction == PF_IN) { 2206 saddr = pd->src; 2207 daddr = pd->dst; 2208 } else { 2209 saddr = pd->dst; 2210 daddr = pd->src; 2211 } 2212 switch (pd->proto) { 2213 case IPPROTO_TCP: 2214 sport = pd->hdr.tcp->th_sport; 2215 dport = pd->hdr.tcp->th_dport; 2216 2217 pi_cpu = tcp_addrcpu(saddr->v4.s_addr, sport, daddr->v4.s_addr, dport); 2218 pi = &tcbinfo[pi_cpu]; 2219 #ifdef SMP 2220 /* 2221 * Our netstack runs lockless on MP systems 2222 * (only for TCP connections at the moment). 2223 * 2224 * As we are not allowed to read another CPU's tcbinfo, 2225 * we have to ask that CPU via remote call to search the 2226 * table for us. 2227 * 2228 * Prepare a msg iff data belongs to another CPU. 2229 */ 2230 if (pi_cpu != mycpu->gd_cpuid) { 2231 msg = kmalloc(sizeof(*msg), M_LWKTMSG, M_INTWAIT); 2232 netmsg_init(&msg->nm_netmsg, &netisr_afree_rport, 0, 2233 in_pcblookup_hash_handler); 2234 msg->nm_pinp = &inp; 2235 msg->nm_pcbinfo = pi; 2236 msg->nm_saddr = saddr; 2237 msg->nm_sport = sport; 2238 msg->nm_daddr = daddr; 2239 msg->nm_dport = dport; 2240 msg->nm_af = pd->af; 2241 } 2242 #endif /* SMP */ 2243 break; 2244 case IPPROTO_UDP: 2245 sport = pd->hdr.udp->uh_sport; 2246 dport = pd->hdr.udp->uh_dport; 2247 pi = &udbinfo; 2248 break; 2249 default: 2250 return (0); 2251 } 2252 if (direction != PF_IN) { 2253 u_int16_t p; 2254 2255 p = sport; 2256 sport = dport; 2257 dport = p; 2258 } 2259 switch (pd->af) { 2260 #ifdef INET6 2261 case AF_INET6: 2262 #ifdef SMP 2263 /* 2264 * Query other CPU, second part 2265 * 2266 * msg only gets initialized when: 2267 * 1) packet is TCP 2268 * 2) the info belongs to another CPU 2269 * 2270 * Use some switch/case magic to avoid code duplication. 2271 */ 2272 if (msg == NULL) 2273 #endif /* SMP */ 2274 { 2275 inp = in6_pcblookup_hash(pi, &saddr->v6, sport, 2276 &daddr->v6, dport, INPLOOKUP_WILDCARD, NULL); 2277 2278 if (inp == NULL) 2279 return (0); 2280 break; 2281 } 2282 /* FALLTHROUGH if SMP and on other CPU */ 2283 #endif /* INET6 */ 2284 case AF_INET: 2285 #ifdef SMP 2286 if (msg != NULL) { 2287 lwkt_sendmsg(tcp_cport(pi_cpu), 2288 &msg->nm_netmsg.nm_lmsg); 2289 } else 2290 #endif /* SMP */ 2291 { 2292 inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4, 2293 dport, INPLOOKUP_WILDCARD, NULL); 2294 } 2295 if (inp == NULL) 2296 return (0); 2297 break; 2298 2299 default: 2300 return (0); 2301 } 2302 *uid = inp->inp_socket->so_cred->cr_uid; 2303 *gid = inp->inp_socket->so_cred->cr_groups[0]; 2304 return (1); 2305 } 2306 2307 u_int8_t 2308 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2309 { 2310 int hlen; 2311 u_int8_t hdr[60]; 2312 u_int8_t *opt, optlen; 2313 u_int8_t wscale = 0; 2314 2315 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2316 if (hlen <= sizeof(struct tcphdr)) 2317 return (0); 2318 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2319 return (0); 2320 opt = hdr + sizeof(struct tcphdr); 2321 hlen -= sizeof(struct tcphdr); 2322 while (hlen >= 3) { 2323 switch (*opt) { 2324 case TCPOPT_EOL: 2325 case TCPOPT_NOP: 2326 ++opt; 2327 --hlen; 2328 break; 2329 case TCPOPT_WINDOW: 2330 wscale = opt[2]; 2331 if (wscale > TCP_MAX_WINSHIFT) 2332 wscale = TCP_MAX_WINSHIFT; 2333 wscale |= PF_WSCALE_FLAG; 2334 /* FALLTHROUGH */ 2335 default: 2336 optlen = opt[1]; 2337 if (optlen < 2) 2338 optlen = 2; 2339 hlen -= optlen; 2340 opt += optlen; 2341 break; 2342 } 2343 } 2344 return (wscale); 2345 } 2346 2347 u_int16_t 2348 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2349 { 2350 int hlen; 2351 u_int8_t hdr[60]; 2352 u_int8_t *opt, optlen; 2353 u_int16_t mss = tcp_mssdflt; 2354 2355 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2356 if (hlen <= sizeof(struct tcphdr)) 2357 return (0); 2358 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2359 return (0); 2360 opt = hdr + sizeof(struct tcphdr); 2361 hlen -= sizeof(struct tcphdr); 2362 while (hlen >= TCPOLEN_MAXSEG) { 2363 switch (*opt) { 2364 case TCPOPT_EOL: 2365 case TCPOPT_NOP: 2366 ++opt; 2367 --hlen; 2368 break; 2369 case TCPOPT_MAXSEG: 2370 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2); 2371 /* FALLTHROUGH */ 2372 default: 2373 optlen = opt[1]; 2374 if (optlen < 2) 2375 optlen = 2; 2376 hlen -= optlen; 2377 opt += optlen; 2378 break; 2379 } 2380 } 2381 return (mss); 2382 } 2383 2384 u_int16_t 2385 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer) 2386 { 2387 #ifdef INET 2388 struct sockaddr_in *dst; 2389 struct route ro; 2390 #endif /* INET */ 2391 #ifdef INET6 2392 struct sockaddr_in6 *dst6; 2393 struct route_in6 ro6; 2394 #endif /* INET6 */ 2395 struct rtentry *rt = NULL; 2396 int hlen = 0; 2397 u_int16_t mss = tcp_mssdflt; 2398 2399 switch (af) { 2400 #ifdef INET 2401 case AF_INET: 2402 hlen = sizeof(struct ip); 2403 bzero(&ro, sizeof(ro)); 2404 dst = (struct sockaddr_in *)&ro.ro_dst; 2405 dst->sin_family = AF_INET; 2406 dst->sin_len = sizeof(*dst); 2407 dst->sin_addr = addr->v4; 2408 rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING)); 2409 rt = ro.ro_rt; 2410 break; 2411 #endif /* INET */ 2412 #ifdef INET6 2413 case AF_INET6: 2414 hlen = sizeof(struct ip6_hdr); 2415 bzero(&ro6, sizeof(ro6)); 2416 dst6 = (struct sockaddr_in6 *)&ro6.ro_dst; 2417 dst6->sin6_family = AF_INET6; 2418 dst6->sin6_len = sizeof(*dst6); 2419 dst6->sin6_addr = addr->v6; 2420 rtalloc_ign((struct route *)&ro6, (RTF_CLONING | RTF_PRCLONING)); 2421 rt = ro6.ro_rt; 2422 break; 2423 #endif /* INET6 */ 2424 } 2425 2426 if (rt && rt->rt_ifp) { 2427 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr); 2428 mss = max(tcp_mssdflt, mss); 2429 RTFREE(rt); 2430 } 2431 mss = min(mss, offer); 2432 mss = max(mss, 64); /* sanity - at least max opt space */ 2433 return (mss); 2434 } 2435 2436 void 2437 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr) 2438 { 2439 struct pf_rule *r = s->rule.ptr; 2440 2441 s->rt_kif = NULL; 2442 if (!r->rt || r->rt == PF_FASTROUTE) 2443 return; 2444 switch (s->af) { 2445 #ifdef INET 2446 case AF_INET: 2447 pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, 2448 &s->nat_src_node); 2449 s->rt_kif = r->rpool.cur->kif; 2450 break; 2451 #endif /* INET */ 2452 #ifdef INET6 2453 case AF_INET6: 2454 pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, 2455 &s->nat_src_node); 2456 s->rt_kif = r->rpool.cur->kif; 2457 break; 2458 #endif /* INET6 */ 2459 } 2460 } 2461 2462 int 2463 pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, 2464 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 2465 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2466 { 2467 struct pf_rule *nr = NULL; 2468 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2469 struct tcphdr *th = pd->hdr.tcp; 2470 u_int16_t bport, nport = 0; 2471 sa_family_t af = pd->af; 2472 int lookup = -1; 2473 uid_t uid; 2474 gid_t gid; 2475 struct pf_rule *r, *a = NULL; 2476 struct pf_ruleset *ruleset = NULL; 2477 struct pf_src_node *nsn = NULL; 2478 u_short reason; 2479 int rewrite = 0; 2480 int tag = -1; 2481 u_int16_t mss = tcp_mssdflt; 2482 2483 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2484 2485 if (direction == PF_OUT) { 2486 bport = nport = th->th_sport; 2487 /* check outgoing packet for BINAT/NAT */ 2488 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 2489 saddr, th->th_sport, daddr, th->th_dport, 2490 &pd->naddr, &nport)) != NULL) { 2491 PF_ACPY(&pd->baddr, saddr, af); 2492 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2493 &th->th_sum, &pd->naddr, nport, 0, af); 2494 rewrite++; 2495 if (nr->natpass) 2496 r = NULL; 2497 pd->nat_rule = nr; 2498 } 2499 } else { 2500 bport = nport = th->th_dport; 2501 /* check incoming packet for BINAT/RDR */ 2502 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 2503 saddr, th->th_sport, daddr, th->th_dport, 2504 &pd->naddr, &nport)) != NULL) { 2505 PF_ACPY(&pd->baddr, daddr, af); 2506 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2507 &th->th_sum, &pd->naddr, nport, 0, af); 2508 rewrite++; 2509 if (nr->natpass) 2510 r = NULL; 2511 pd->nat_rule = nr; 2512 } 2513 } 2514 2515 while (r != NULL) { 2516 r->evaluations++; 2517 if (r->kif != NULL && 2518 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2519 r = r->skip[PF_SKIP_IFP].ptr; 2520 else if (r->direction && r->direction != direction) 2521 r = r->skip[PF_SKIP_DIR].ptr; 2522 else if (r->af && r->af != af) 2523 r = r->skip[PF_SKIP_AF].ptr; 2524 else if (r->proto && r->proto != IPPROTO_TCP) 2525 r = r->skip[PF_SKIP_PROTO].ptr; 2526 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2527 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2528 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2529 r->src.port[0], r->src.port[1], th->th_sport)) 2530 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2531 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2532 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2533 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2534 r->dst.port[0], r->dst.port[1], th->th_dport)) 2535 r = r->skip[PF_SKIP_DST_PORT].ptr; 2536 else if (r->tos && !(r->tos & pd->tos)) 2537 r = TAILQ_NEXT(r, entries); 2538 else if (r->rule_flag & PFRULE_FRAGMENT) 2539 r = TAILQ_NEXT(r, entries); 2540 else if ((r->flagset & th->th_flags) != r->flags) 2541 r = TAILQ_NEXT(r, entries); 2542 else if (r->uid.op && (lookup != -1 || (lookup = 2543 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2544 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2545 uid)) 2546 r = TAILQ_NEXT(r, entries); 2547 else if (r->gid.op && (lookup != -1 || (lookup = 2548 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2549 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2550 gid)) 2551 r = TAILQ_NEXT(r, entries); 2552 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 2553 r = TAILQ_NEXT(r, entries); 2554 else if (r->anchorname[0] && r->anchor == NULL) 2555 r = TAILQ_NEXT(r, entries); 2556 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( 2557 pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint)) 2558 r = TAILQ_NEXT(r, entries); 2559 else { 2560 if (r->tag) 2561 tag = r->tag; 2562 if (r->anchor == NULL) { 2563 *rm = r; 2564 *am = a; 2565 *rsm = ruleset; 2566 if ((*rm)->quick) 2567 break; 2568 r = TAILQ_NEXT(r, entries); 2569 } else 2570 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2571 PF_RULESET_FILTER); 2572 } 2573 if (r == NULL && a != NULL) 2574 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2575 PF_RULESET_FILTER); 2576 } 2577 r = *rm; 2578 a = *am; 2579 ruleset = *rsm; 2580 2581 REASON_SET(&reason, PFRES_MATCH); 2582 2583 if (r->log) { 2584 if (rewrite) 2585 m_copyback(m, off, sizeof(*th), (caddr_t)th); 2586 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 2587 } 2588 2589 if ((r->action == PF_DROP) && 2590 ((r->rule_flag & PFRULE_RETURNRST) || 2591 (r->rule_flag & PFRULE_RETURNICMP) || 2592 (r->rule_flag & PFRULE_RETURN))) { 2593 /* undo NAT changes, if they have taken place */ 2594 if (nr != NULL) { 2595 if (direction == PF_OUT) { 2596 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2597 &th->th_sum, &pd->baddr, bport, 0, af); 2598 rewrite++; 2599 } else { 2600 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2601 &th->th_sum, &pd->baddr, bport, 0, af); 2602 rewrite++; 2603 } 2604 } 2605 if (((r->rule_flag & PFRULE_RETURNRST) || 2606 (r->rule_flag & PFRULE_RETURN)) && 2607 !(th->th_flags & TH_RST)) { 2608 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 2609 2610 if (th->th_flags & TH_SYN) 2611 ack++; 2612 if (th->th_flags & TH_FIN) 2613 ack++; 2614 pf_send_tcp(r, af, pd->dst, 2615 pd->src, th->th_dport, th->th_sport, 2616 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0, 2617 r->return_ttl); 2618 } else if ((af == AF_INET) && r->return_icmp) 2619 pf_send_icmp(m, r->return_icmp >> 8, 2620 r->return_icmp & 255, af, r); 2621 else if ((af == AF_INET6) && r->return_icmp6) 2622 pf_send_icmp(m, r->return_icmp6 >> 8, 2623 r->return_icmp6 & 255, af, r); 2624 } 2625 2626 if (r->action == PF_DROP) 2627 return (PF_DROP); 2628 2629 pf_tag_packet(m, tag); 2630 2631 if (r->keep_state || nr != NULL || 2632 (pd->flags & PFDESC_TCP_NORM)) { 2633 /* create new state */ 2634 u_int16_t len; 2635 struct pf_state *s = NULL; 2636 struct pf_src_node *sn = NULL; 2637 2638 len = pd->tot_len - off - (th->th_off << 2); 2639 2640 /* check maximums */ 2641 if (r->max_states && (r->states >= r->max_states)) 2642 goto cleanup; 2643 /* src node for flter rule */ 2644 if ((r->rule_flag & PFRULE_SRCTRACK || 2645 r->rpool.opts & PF_POOL_STICKYADDR) && 2646 pf_insert_src_node(&sn, r, saddr, af) != 0) 2647 goto cleanup; 2648 /* src node for translation rule */ 2649 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 2650 ((direction == PF_OUT && 2651 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 2652 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 2653 goto cleanup; 2654 s = pool_get(&pf_state_pl, PR_NOWAIT); 2655 if (s == NULL) { 2656 cleanup: 2657 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 2658 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 2659 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2660 pf_status.src_nodes--; 2661 pool_put(&pf_src_tree_pl, sn); 2662 } 2663 if (nsn != sn && nsn != NULL && nsn->states == 0 && 2664 nsn->expire == 0) { 2665 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 2666 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2667 pf_status.src_nodes--; 2668 pool_put(&pf_src_tree_pl, nsn); 2669 } 2670 REASON_SET(&reason, PFRES_MEMORY); 2671 return (PF_DROP); 2672 } 2673 bzero(s, sizeof(*s)); 2674 r->states++; 2675 if (a != NULL) 2676 a->states++; 2677 s->rule.ptr = r; 2678 s->nat_rule.ptr = nr; 2679 if (s->nat_rule.ptr != NULL) 2680 s->nat_rule.ptr->states++; 2681 s->anchor.ptr = a; 2682 s->allow_opts = r->allow_opts; 2683 s->log = r->log & 2; 2684 s->proto = IPPROTO_TCP; 2685 s->direction = direction; 2686 s->af = af; 2687 if (direction == PF_OUT) { 2688 PF_ACPY(&s->gwy.addr, saddr, af); 2689 s->gwy.port = th->th_sport; /* sport */ 2690 PF_ACPY(&s->ext.addr, daddr, af); 2691 s->ext.port = th->th_dport; 2692 if (nr != NULL) { 2693 PF_ACPY(&s->lan.addr, &pd->baddr, af); 2694 s->lan.port = bport; 2695 } else { 2696 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 2697 s->lan.port = s->gwy.port; 2698 } 2699 } else { 2700 PF_ACPY(&s->lan.addr, daddr, af); 2701 s->lan.port = th->th_dport; 2702 PF_ACPY(&s->ext.addr, saddr, af); 2703 s->ext.port = th->th_sport; 2704 if (nr != NULL) { 2705 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 2706 s->gwy.port = bport; 2707 } else { 2708 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 2709 s->gwy.port = s->lan.port; 2710 } 2711 } 2712 2713 s->src.seqlo = ntohl(th->th_seq); 2714 s->src.seqhi = s->src.seqlo + len + 1; 2715 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2716 r->keep_state == PF_STATE_MODULATE) { 2717 /* Generate sequence number modulator */ 2718 while ((s->src.seqdiff = karc4random()) == 0) 2719 ; 2720 pf_change_a(&th->th_seq, &th->th_sum, 2721 htonl(s->src.seqlo + s->src.seqdiff), 0); 2722 rewrite = 1; 2723 } else 2724 s->src.seqdiff = 0; 2725 if (th->th_flags & TH_SYN) { 2726 s->src.seqhi++; 2727 s->src.wscale = pf_get_wscale(m, off, th->th_off, af); 2728 } 2729 s->src.max_win = MAX(ntohs(th->th_win), 1); 2730 if (s->src.wscale & PF_WSCALE_MASK) { 2731 /* Remove scale factor from initial window */ 2732 int win = s->src.max_win; 2733 win += 1 << (s->src.wscale & PF_WSCALE_MASK); 2734 s->src.max_win = (win - 1) >> 2735 (s->src.wscale & PF_WSCALE_MASK); 2736 } 2737 if (th->th_flags & TH_FIN) 2738 s->src.seqhi++; 2739 s->dst.seqhi = 1; 2740 s->dst.max_win = 1; 2741 s->src.state = TCPS_SYN_SENT; 2742 s->dst.state = TCPS_CLOSED; 2743 s->creation = time_second; 2744 s->expire = time_second; 2745 s->timeout = PFTM_TCP_FIRST_PACKET; 2746 pf_set_rt_ifp(s, saddr); 2747 if (sn != NULL) { 2748 s->src_node = sn; 2749 s->src_node->states++; 2750 } 2751 if (nsn != NULL) { 2752 PF_ACPY(&nsn->raddr, &pd->naddr, af); 2753 s->nat_src_node = nsn; 2754 s->nat_src_node->states++; 2755 } 2756 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m, 2757 off, pd, th, &s->src, &s->dst)) { 2758 REASON_SET(&reason, PFRES_MEMORY); 2759 pf_src_tree_remove_state(s); 2760 pool_put(&pf_state_pl, s); 2761 return (PF_DROP); 2762 } 2763 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub && 2764 pf_normalize_tcp_stateful(m, off, pd, &reason, th, &s->src, 2765 &s->dst, &rewrite)) { 2766 pf_normalize_tcp_cleanup(s); 2767 pf_src_tree_remove_state(s); 2768 pool_put(&pf_state_pl, s); 2769 return (PF_DROP); 2770 } 2771 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 2772 pf_normalize_tcp_cleanup(s); 2773 REASON_SET(&reason, PFRES_MEMORY); 2774 pf_src_tree_remove_state(s); 2775 pool_put(&pf_state_pl, s); 2776 return (PF_DROP); 2777 } else 2778 *sm = s; 2779 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2780 r->keep_state == PF_STATE_SYNPROXY) { 2781 s->src.state = PF_TCPS_PROXY_SRC; 2782 if (nr != NULL) { 2783 if (direction == PF_OUT) { 2784 pf_change_ap(saddr, &th->th_sport, 2785 pd->ip_sum, &th->th_sum, &pd->baddr, 2786 bport, 0, af); 2787 } else { 2788 pf_change_ap(daddr, &th->th_dport, 2789 pd->ip_sum, &th->th_sum, &pd->baddr, 2790 bport, 0, af); 2791 } 2792 } 2793 s->src.seqhi = karc4random(); 2794 /* Find mss option */ 2795 mss = pf_get_mss(m, off, th->th_off, af); 2796 mss = pf_calc_mss(saddr, af, mss); 2797 mss = pf_calc_mss(daddr, af, mss); 2798 s->src.mss = mss; 2799 pf_send_tcp(r, af, daddr, saddr, th->th_dport, 2800 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1, 2801 TH_SYN|TH_ACK, 0, s->src.mss, 0); 2802 return (PF_SYNPROXY_DROP); 2803 } 2804 } 2805 2806 /* copy back packet headers if we performed NAT operations */ 2807 if (rewrite) 2808 m_copyback(m, off, sizeof(*th), (caddr_t)th); 2809 2810 return (PF_PASS); 2811 } 2812 2813 int 2814 pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, 2815 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 2816 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2817 { 2818 struct pf_rule *nr = NULL; 2819 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2820 struct udphdr *uh = pd->hdr.udp; 2821 u_int16_t bport, nport = 0; 2822 sa_family_t af = pd->af; 2823 int lookup = -1; 2824 uid_t uid; 2825 gid_t gid; 2826 struct pf_rule *r, *a = NULL; 2827 struct pf_ruleset *ruleset = NULL; 2828 struct pf_src_node *nsn = NULL; 2829 u_short reason; 2830 int rewrite = 0; 2831 int tag = -1; 2832 2833 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2834 2835 if (direction == PF_OUT) { 2836 bport = nport = uh->uh_sport; 2837 /* check outgoing packet for BINAT/NAT */ 2838 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 2839 saddr, uh->uh_sport, daddr, uh->uh_dport, 2840 &pd->naddr, &nport)) != NULL) { 2841 PF_ACPY(&pd->baddr, saddr, af); 2842 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2843 &uh->uh_sum, &pd->naddr, nport, 1, af); 2844 rewrite++; 2845 if (nr->natpass) 2846 r = NULL; 2847 pd->nat_rule = nr; 2848 } 2849 } else { 2850 bport = nport = uh->uh_dport; 2851 /* check incoming packet for BINAT/RDR */ 2852 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 2853 saddr, uh->uh_sport, daddr, uh->uh_dport, &pd->naddr, 2854 &nport)) != NULL) { 2855 PF_ACPY(&pd->baddr, daddr, af); 2856 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2857 &uh->uh_sum, &pd->naddr, nport, 1, af); 2858 rewrite++; 2859 if (nr->natpass) 2860 r = NULL; 2861 pd->nat_rule = nr; 2862 } 2863 } 2864 2865 while (r != NULL) { 2866 r->evaluations++; 2867 if (r->kif != NULL && 2868 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2869 r = r->skip[PF_SKIP_IFP].ptr; 2870 else if (r->direction && r->direction != direction) 2871 r = r->skip[PF_SKIP_DIR].ptr; 2872 else if (r->af && r->af != af) 2873 r = r->skip[PF_SKIP_AF].ptr; 2874 else if (r->proto && r->proto != IPPROTO_UDP) 2875 r = r->skip[PF_SKIP_PROTO].ptr; 2876 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2877 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2878 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2879 r->src.port[0], r->src.port[1], uh->uh_sport)) 2880 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2881 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2882 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2883 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2884 r->dst.port[0], r->dst.port[1], uh->uh_dport)) 2885 r = r->skip[PF_SKIP_DST_PORT].ptr; 2886 else if (r->tos && !(r->tos & pd->tos)) 2887 r = TAILQ_NEXT(r, entries); 2888 else if (r->rule_flag & PFRULE_FRAGMENT) 2889 r = TAILQ_NEXT(r, entries); 2890 else if (r->uid.op && (lookup != -1 || (lookup = 2891 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2892 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2893 uid)) 2894 r = TAILQ_NEXT(r, entries); 2895 else if (r->gid.op && (lookup != -1 || (lookup = 2896 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2897 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2898 gid)) 2899 r = TAILQ_NEXT(r, entries); 2900 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 2901 r = TAILQ_NEXT(r, entries); 2902 else if (r->anchorname[0] && r->anchor == NULL) 2903 r = TAILQ_NEXT(r, entries); 2904 else if (r->os_fingerprint != PF_OSFP_ANY) 2905 r = TAILQ_NEXT(r, entries); 2906 else { 2907 if (r->tag) 2908 tag = r->tag; 2909 if (r->anchor == NULL) { 2910 *rm = r; 2911 *am = a; 2912 *rsm = ruleset; 2913 if ((*rm)->quick) 2914 break; 2915 r = TAILQ_NEXT(r, entries); 2916 } else 2917 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2918 PF_RULESET_FILTER); 2919 } 2920 if (r == NULL && a != NULL) 2921 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2922 PF_RULESET_FILTER); 2923 } 2924 r = *rm; 2925 a = *am; 2926 ruleset = *rsm; 2927 2928 REASON_SET(&reason, PFRES_MATCH); 2929 2930 if (r->log) { 2931 if (rewrite) 2932 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 2933 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 2934 } 2935 2936 if ((r->action == PF_DROP) && 2937 ((r->rule_flag & PFRULE_RETURNICMP) || 2938 (r->rule_flag & PFRULE_RETURN))) { 2939 /* undo NAT changes, if they have taken place */ 2940 if (nr != NULL) { 2941 if (direction == PF_OUT) { 2942 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2943 &uh->uh_sum, &pd->baddr, bport, 1, af); 2944 rewrite++; 2945 } else { 2946 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2947 &uh->uh_sum, &pd->baddr, bport, 1, af); 2948 rewrite++; 2949 } 2950 } 2951 if ((af == AF_INET) && r->return_icmp) 2952 pf_send_icmp(m, r->return_icmp >> 8, 2953 r->return_icmp & 255, af, r); 2954 else if ((af == AF_INET6) && r->return_icmp6) 2955 pf_send_icmp(m, r->return_icmp6 >> 8, 2956 r->return_icmp6 & 255, af, r); 2957 } 2958 2959 if (r->action == PF_DROP) 2960 return (PF_DROP); 2961 2962 pf_tag_packet(m, tag); 2963 2964 if (r->keep_state || nr != NULL) { 2965 /* create new state */ 2966 struct pf_state *s = NULL; 2967 struct pf_src_node *sn = NULL; 2968 2969 /* check maximums */ 2970 if (r->max_states && (r->states >= r->max_states)) 2971 goto cleanup; 2972 /* src node for flter rule */ 2973 if ((r->rule_flag & PFRULE_SRCTRACK || 2974 r->rpool.opts & PF_POOL_STICKYADDR) && 2975 pf_insert_src_node(&sn, r, saddr, af) != 0) 2976 goto cleanup; 2977 /* src node for translation rule */ 2978 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 2979 ((direction == PF_OUT && 2980 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 2981 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 2982 goto cleanup; 2983 s = pool_get(&pf_state_pl, PR_NOWAIT); 2984 if (s == NULL) { 2985 cleanup: 2986 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 2987 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 2988 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2989 pf_status.src_nodes--; 2990 pool_put(&pf_src_tree_pl, sn); 2991 } 2992 if (nsn != sn && nsn != NULL && nsn->states == 0 && 2993 nsn->expire == 0) { 2994 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 2995 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2996 pf_status.src_nodes--; 2997 pool_put(&pf_src_tree_pl, nsn); 2998 } 2999 REASON_SET(&reason, PFRES_MEMORY); 3000 return (PF_DROP); 3001 } 3002 bzero(s, sizeof(*s)); 3003 r->states++; 3004 if (a != NULL) 3005 a->states++; 3006 s->rule.ptr = r; 3007 s->nat_rule.ptr = nr; 3008 if (s->nat_rule.ptr != NULL) 3009 s->nat_rule.ptr->states++; 3010 s->anchor.ptr = a; 3011 s->allow_opts = r->allow_opts; 3012 s->log = r->log & 2; 3013 s->proto = IPPROTO_UDP; 3014 s->direction = direction; 3015 s->af = af; 3016 if (direction == PF_OUT) { 3017 PF_ACPY(&s->gwy.addr, saddr, af); 3018 s->gwy.port = uh->uh_sport; 3019 PF_ACPY(&s->ext.addr, daddr, af); 3020 s->ext.port = uh->uh_dport; 3021 if (nr != NULL) { 3022 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3023 s->lan.port = bport; 3024 } else { 3025 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3026 s->lan.port = s->gwy.port; 3027 } 3028 } else { 3029 PF_ACPY(&s->lan.addr, daddr, af); 3030 s->lan.port = uh->uh_dport; 3031 PF_ACPY(&s->ext.addr, saddr, af); 3032 s->ext.port = uh->uh_sport; 3033 if (nr != NULL) { 3034 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3035 s->gwy.port = bport; 3036 } else { 3037 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3038 s->gwy.port = s->lan.port; 3039 } 3040 } 3041 s->src.state = PFUDPS_SINGLE; 3042 s->dst.state = PFUDPS_NO_TRAFFIC; 3043 s->creation = time_second; 3044 s->expire = time_second; 3045 s->timeout = PFTM_UDP_FIRST_PACKET; 3046 pf_set_rt_ifp(s, saddr); 3047 if (sn != NULL) { 3048 s->src_node = sn; 3049 s->src_node->states++; 3050 } 3051 if (nsn != NULL) { 3052 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3053 s->nat_src_node = nsn; 3054 s->nat_src_node->states++; 3055 } 3056 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3057 REASON_SET(&reason, PFRES_MEMORY); 3058 pf_src_tree_remove_state(s); 3059 pool_put(&pf_state_pl, s); 3060 return (PF_DROP); 3061 } else 3062 *sm = s; 3063 } 3064 3065 /* copy back packet headers if we performed NAT operations */ 3066 if (rewrite) 3067 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 3068 3069 return (PF_PASS); 3070 } 3071 3072 int 3073 pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction, 3074 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 3075 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 3076 { 3077 struct pf_rule *nr = NULL; 3078 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3079 struct pf_rule *r, *a = NULL; 3080 struct pf_ruleset *ruleset = NULL; 3081 struct pf_src_node *nsn = NULL; 3082 u_short reason; 3083 u_int16_t icmpid = 0; 3084 sa_family_t af = pd->af; 3085 u_int8_t icmptype = 0, icmpcode = 0; 3086 int state_icmp = 0; 3087 int tag = -1; 3088 #ifdef INET6 3089 int rewrite = 0; 3090 #endif /* INET6 */ 3091 3092 switch (pd->proto) { 3093 #ifdef INET 3094 case IPPROTO_ICMP: 3095 icmptype = pd->hdr.icmp->icmp_type; 3096 icmpcode = pd->hdr.icmp->icmp_code; 3097 icmpid = pd->hdr.icmp->icmp_id; 3098 3099 if (icmptype == ICMP_UNREACH || 3100 icmptype == ICMP_SOURCEQUENCH || 3101 icmptype == ICMP_REDIRECT || 3102 icmptype == ICMP_TIMXCEED || 3103 icmptype == ICMP_PARAMPROB) 3104 state_icmp++; 3105 break; 3106 #endif /* INET */ 3107 #ifdef INET6 3108 case IPPROTO_ICMPV6: 3109 icmptype = pd->hdr.icmp6->icmp6_type; 3110 icmpcode = pd->hdr.icmp6->icmp6_code; 3111 icmpid = pd->hdr.icmp6->icmp6_id; 3112 3113 if (icmptype == ICMP6_DST_UNREACH || 3114 icmptype == ICMP6_PACKET_TOO_BIG || 3115 icmptype == ICMP6_TIME_EXCEEDED || 3116 icmptype == ICMP6_PARAM_PROB) 3117 state_icmp++; 3118 break; 3119 #endif /* INET6 */ 3120 } 3121 3122 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3123 3124 if (direction == PF_OUT) { 3125 /* check outgoing packet for BINAT/NAT */ 3126 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3127 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3128 PF_ACPY(&pd->baddr, saddr, af); 3129 switch (af) { 3130 #ifdef INET 3131 case AF_INET: 3132 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 3133 pd->naddr.v4.s_addr, 0); 3134 break; 3135 #endif /* INET */ 3136 #ifdef INET6 3137 case AF_INET6: 3138 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum, 3139 &pd->naddr, 0); 3140 rewrite++; 3141 break; 3142 #endif /* INET6 */ 3143 } 3144 if (nr->natpass) 3145 r = NULL; 3146 pd->nat_rule = nr; 3147 } 3148 } else { 3149 /* check incoming packet for BINAT/RDR */ 3150 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 3151 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3152 PF_ACPY(&pd->baddr, daddr, af); 3153 switch (af) { 3154 #ifdef INET 3155 case AF_INET: 3156 pf_change_a(&daddr->v4.s_addr, 3157 pd->ip_sum, pd->naddr.v4.s_addr, 0); 3158 break; 3159 #endif /* INET */ 3160 #ifdef INET6 3161 case AF_INET6: 3162 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum, 3163 &pd->naddr, 0); 3164 rewrite++; 3165 break; 3166 #endif /* INET6 */ 3167 } 3168 if (nr->natpass) 3169 r = NULL; 3170 pd->nat_rule = nr; 3171 } 3172 } 3173 3174 while (r != NULL) { 3175 r->evaluations++; 3176 if (r->kif != NULL && 3177 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3178 r = r->skip[PF_SKIP_IFP].ptr; 3179 else if (r->direction && r->direction != direction) 3180 r = r->skip[PF_SKIP_DIR].ptr; 3181 else if (r->af && r->af != af) 3182 r = r->skip[PF_SKIP_AF].ptr; 3183 else if (r->proto && r->proto != pd->proto) 3184 r = r->skip[PF_SKIP_PROTO].ptr; 3185 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 3186 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3187 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 3188 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3189 else if (r->type && r->type != icmptype + 1) 3190 r = TAILQ_NEXT(r, entries); 3191 else if (r->code && r->code != icmpcode + 1) 3192 r = TAILQ_NEXT(r, entries); 3193 else if (r->tos && !(r->tos & pd->tos)) 3194 r = TAILQ_NEXT(r, entries); 3195 else if (r->rule_flag & PFRULE_FRAGMENT) 3196 r = TAILQ_NEXT(r, entries); 3197 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 3198 r = TAILQ_NEXT(r, entries); 3199 else if (r->anchorname[0] && r->anchor == NULL) 3200 r = TAILQ_NEXT(r, entries); 3201 else if (r->os_fingerprint != PF_OSFP_ANY) 3202 r = TAILQ_NEXT(r, entries); 3203 else { 3204 if (r->tag) 3205 tag = r->tag; 3206 if (r->anchor == NULL) { 3207 *rm = r; 3208 *am = a; 3209 *rsm = ruleset; 3210 if ((*rm)->quick) 3211 break; 3212 r = TAILQ_NEXT(r, entries); 3213 } else 3214 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3215 PF_RULESET_FILTER); 3216 } 3217 if (r == NULL && a != NULL) 3218 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3219 PF_RULESET_FILTER); 3220 } 3221 r = *rm; 3222 a = *am; 3223 ruleset = *rsm; 3224 3225 REASON_SET(&reason, PFRES_MATCH); 3226 3227 if (r->log) { 3228 #ifdef INET6 3229 if (rewrite) 3230 m_copyback(m, off, sizeof(struct icmp6_hdr), 3231 (caddr_t)pd->hdr.icmp6); 3232 #endif /* INET6 */ 3233 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3234 } 3235 3236 if (r->action != PF_PASS) 3237 return (PF_DROP); 3238 3239 pf_tag_packet(m, tag); 3240 3241 if (!state_icmp && (r->keep_state || nr != NULL)) { 3242 /* create new state */ 3243 struct pf_state *s = NULL; 3244 struct pf_src_node *sn = NULL; 3245 3246 /* check maximums */ 3247 if (r->max_states && (r->states >= r->max_states)) 3248 goto cleanup; 3249 /* src node for flter rule */ 3250 if ((r->rule_flag & PFRULE_SRCTRACK || 3251 r->rpool.opts & PF_POOL_STICKYADDR) && 3252 pf_insert_src_node(&sn, r, saddr, af) != 0) 3253 goto cleanup; 3254 /* src node for translation rule */ 3255 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3256 ((direction == PF_OUT && 3257 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 3258 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 3259 goto cleanup; 3260 s = pool_get(&pf_state_pl, PR_NOWAIT); 3261 if (s == NULL) { 3262 cleanup: 3263 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3264 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3265 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3266 pf_status.src_nodes--; 3267 pool_put(&pf_src_tree_pl, sn); 3268 } 3269 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3270 nsn->expire == 0) { 3271 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3272 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3273 pf_status.src_nodes--; 3274 pool_put(&pf_src_tree_pl, nsn); 3275 } 3276 REASON_SET(&reason, PFRES_MEMORY); 3277 return (PF_DROP); 3278 } 3279 bzero(s, sizeof(*s)); 3280 r->states++; 3281 if (a != NULL) 3282 a->states++; 3283 s->rule.ptr = r; 3284 s->nat_rule.ptr = nr; 3285 if (s->nat_rule.ptr != NULL) 3286 s->nat_rule.ptr->states++; 3287 s->anchor.ptr = a; 3288 s->allow_opts = r->allow_opts; 3289 s->log = r->log & 2; 3290 s->proto = pd->proto; 3291 s->direction = direction; 3292 s->af = af; 3293 if (direction == PF_OUT) { 3294 PF_ACPY(&s->gwy.addr, saddr, af); 3295 s->gwy.port = icmpid; 3296 PF_ACPY(&s->ext.addr, daddr, af); 3297 s->ext.port = icmpid; 3298 if (nr != NULL) 3299 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3300 else 3301 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3302 s->lan.port = icmpid; 3303 } else { 3304 PF_ACPY(&s->lan.addr, daddr, af); 3305 s->lan.port = icmpid; 3306 PF_ACPY(&s->ext.addr, saddr, af); 3307 s->ext.port = icmpid; 3308 if (nr != NULL) 3309 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3310 else 3311 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3312 s->gwy.port = icmpid; 3313 } 3314 s->creation = time_second; 3315 s->expire = time_second; 3316 s->timeout = PFTM_ICMP_FIRST_PACKET; 3317 pf_set_rt_ifp(s, saddr); 3318 if (sn != NULL) { 3319 s->src_node = sn; 3320 s->src_node->states++; 3321 } 3322 if (nsn != NULL) { 3323 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3324 s->nat_src_node = nsn; 3325 s->nat_src_node->states++; 3326 } 3327 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3328 REASON_SET(&reason, PFRES_MEMORY); 3329 pf_src_tree_remove_state(s); 3330 pool_put(&pf_state_pl, s); 3331 return (PF_DROP); 3332 } else 3333 *sm = s; 3334 } 3335 3336 #ifdef INET6 3337 /* copy back packet headers if we performed IPv6 NAT operations */ 3338 if (rewrite) 3339 m_copyback(m, off, sizeof(struct icmp6_hdr), 3340 (caddr_t)pd->hdr.icmp6); 3341 #endif /* INET6 */ 3342 3343 return (PF_PASS); 3344 } 3345 3346 int 3347 pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction, 3348 struct pfi_kif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 3349 struct pf_rule **am, struct pf_ruleset **rsm) 3350 { 3351 struct pf_rule *nr = NULL; 3352 struct pf_rule *r, *a = NULL; 3353 struct pf_ruleset *ruleset = NULL; 3354 struct pf_src_node *nsn = NULL; 3355 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3356 sa_family_t af = pd->af; 3357 u_short reason; 3358 int tag = -1; 3359 3360 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3361 3362 if (direction == PF_OUT) { 3363 /* check outgoing packet for BINAT/NAT */ 3364 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3365 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3366 PF_ACPY(&pd->baddr, saddr, af); 3367 switch (af) { 3368 #ifdef INET 3369 case AF_INET: 3370 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 3371 pd->naddr.v4.s_addr, 0); 3372 break; 3373 #endif /* INET */ 3374 #ifdef INET6 3375 case AF_INET6: 3376 PF_ACPY(saddr, &pd->naddr, af); 3377 break; 3378 #endif /* INET6 */ 3379 } 3380 if (nr->natpass) 3381 r = NULL; 3382 pd->nat_rule = nr; 3383 } 3384 } else { 3385 /* check incoming packet for BINAT/RDR */ 3386 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 3387 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3388 PF_ACPY(&pd->baddr, daddr, af); 3389 switch (af) { 3390 #ifdef INET 3391 case AF_INET: 3392 pf_change_a(&daddr->v4.s_addr, 3393 pd->ip_sum, pd->naddr.v4.s_addr, 0); 3394 break; 3395 #endif /* INET */ 3396 #ifdef INET6 3397 case AF_INET6: 3398 PF_ACPY(daddr, &pd->naddr, af); 3399 break; 3400 #endif /* INET6 */ 3401 } 3402 if (nr->natpass) 3403 r = NULL; 3404 pd->nat_rule = nr; 3405 } 3406 } 3407 3408 while (r != NULL) { 3409 r->evaluations++; 3410 if (r->kif != NULL && 3411 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3412 r = r->skip[PF_SKIP_IFP].ptr; 3413 else if (r->direction && r->direction != direction) 3414 r = r->skip[PF_SKIP_DIR].ptr; 3415 else if (r->af && r->af != af) 3416 r = r->skip[PF_SKIP_AF].ptr; 3417 else if (r->proto && r->proto != pd->proto) 3418 r = r->skip[PF_SKIP_PROTO].ptr; 3419 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3420 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3421 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3422 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3423 else if (r->tos && !(r->tos & pd->tos)) 3424 r = TAILQ_NEXT(r, entries); 3425 else if (r->rule_flag & PFRULE_FRAGMENT) 3426 r = TAILQ_NEXT(r, entries); 3427 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 3428 r = TAILQ_NEXT(r, entries); 3429 else if (r->anchorname[0] && r->anchor == NULL) 3430 r = TAILQ_NEXT(r, entries); 3431 else if (r->os_fingerprint != PF_OSFP_ANY) 3432 r = TAILQ_NEXT(r, entries); 3433 else { 3434 if (r->tag) 3435 tag = r->tag; 3436 if (r->anchor == NULL) { 3437 *rm = r; 3438 *am = a; 3439 *rsm = ruleset; 3440 if ((*rm)->quick) 3441 break; 3442 r = TAILQ_NEXT(r, entries); 3443 } else 3444 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3445 PF_RULESET_FILTER); 3446 } 3447 if (r == NULL && a != NULL) 3448 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3449 PF_RULESET_FILTER); 3450 } 3451 r = *rm; 3452 a = *am; 3453 ruleset = *rsm; 3454 3455 REASON_SET(&reason, PFRES_MATCH); 3456 3457 if (r->log) 3458 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3459 3460 if ((r->action == PF_DROP) && 3461 ((r->rule_flag & PFRULE_RETURNICMP) || 3462 (r->rule_flag & PFRULE_RETURN))) { 3463 struct pf_addr *a = NULL; 3464 3465 if (nr != NULL) { 3466 if (direction == PF_OUT) 3467 a = saddr; 3468 else 3469 a = daddr; 3470 } 3471 if (a != NULL) { 3472 switch (af) { 3473 #ifdef INET 3474 case AF_INET: 3475 pf_change_a(&a->v4.s_addr, pd->ip_sum, 3476 pd->baddr.v4.s_addr, 0); 3477 break; 3478 #endif /* INET */ 3479 #ifdef INET6 3480 case AF_INET6: 3481 PF_ACPY(a, &pd->baddr, af); 3482 break; 3483 #endif /* INET6 */ 3484 } 3485 } 3486 if ((af == AF_INET) && r->return_icmp) 3487 pf_send_icmp(m, r->return_icmp >> 8, 3488 r->return_icmp & 255, af, r); 3489 else if ((af == AF_INET6) && r->return_icmp6) 3490 pf_send_icmp(m, r->return_icmp6 >> 8, 3491 r->return_icmp6 & 255, af, r); 3492 } 3493 3494 if (r->action != PF_PASS) 3495 return (PF_DROP); 3496 3497 pf_tag_packet(m, tag); 3498 3499 if (r->keep_state || nr != NULL) { 3500 /* create new state */ 3501 struct pf_state *s = NULL; 3502 struct pf_src_node *sn = NULL; 3503 3504 /* check maximums */ 3505 if (r->max_states && (r->states >= r->max_states)) 3506 goto cleanup; 3507 /* src node for flter rule */ 3508 if ((r->rule_flag & PFRULE_SRCTRACK || 3509 r->rpool.opts & PF_POOL_STICKYADDR) && 3510 pf_insert_src_node(&sn, r, saddr, af) != 0) 3511 goto cleanup; 3512 /* src node for translation rule */ 3513 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3514 ((direction == PF_OUT && 3515 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 3516 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 3517 goto cleanup; 3518 s = pool_get(&pf_state_pl, PR_NOWAIT); 3519 if (s == NULL) { 3520 cleanup: 3521 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3522 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3523 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3524 pf_status.src_nodes--; 3525 pool_put(&pf_src_tree_pl, sn); 3526 } 3527 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3528 nsn->expire == 0) { 3529 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3530 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3531 pf_status.src_nodes--; 3532 pool_put(&pf_src_tree_pl, nsn); 3533 } 3534 REASON_SET(&reason, PFRES_MEMORY); 3535 return (PF_DROP); 3536 } 3537 bzero(s, sizeof(*s)); 3538 r->states++; 3539 if (a != NULL) 3540 a->states++; 3541 s->rule.ptr = r; 3542 s->nat_rule.ptr = nr; 3543 if (s->nat_rule.ptr != NULL) 3544 s->nat_rule.ptr->states++; 3545 s->anchor.ptr = a; 3546 s->allow_opts = r->allow_opts; 3547 s->log = r->log & 2; 3548 s->proto = pd->proto; 3549 s->direction = direction; 3550 s->af = af; 3551 if (direction == PF_OUT) { 3552 PF_ACPY(&s->gwy.addr, saddr, af); 3553 PF_ACPY(&s->ext.addr, daddr, af); 3554 if (nr != NULL) 3555 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3556 else 3557 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3558 } else { 3559 PF_ACPY(&s->lan.addr, daddr, af); 3560 PF_ACPY(&s->ext.addr, saddr, af); 3561 if (nr != NULL) 3562 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3563 else 3564 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3565 } 3566 s->src.state = PFOTHERS_SINGLE; 3567 s->dst.state = PFOTHERS_NO_TRAFFIC; 3568 s->creation = time_second; 3569 s->expire = time_second; 3570 s->timeout = PFTM_OTHER_FIRST_PACKET; 3571 pf_set_rt_ifp(s, saddr); 3572 if (sn != NULL) { 3573 s->src_node = sn; 3574 s->src_node->states++; 3575 } 3576 if (nsn != NULL) { 3577 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3578 s->nat_src_node = nsn; 3579 s->nat_src_node->states++; 3580 } 3581 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3582 REASON_SET(&reason, PFRES_MEMORY); 3583 pf_src_tree_remove_state(s); 3584 pool_put(&pf_state_pl, s); 3585 return (PF_DROP); 3586 } else 3587 *sm = s; 3588 } 3589 3590 return (PF_PASS); 3591 } 3592 3593 int 3594 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, 3595 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am, 3596 struct pf_ruleset **rsm) 3597 { 3598 struct pf_rule *r, *a = NULL; 3599 struct pf_ruleset *ruleset = NULL; 3600 sa_family_t af = pd->af; 3601 u_short reason; 3602 int tag = -1; 3603 3604 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3605 while (r != NULL) { 3606 r->evaluations++; 3607 if (r->kif != NULL && 3608 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3609 r = r->skip[PF_SKIP_IFP].ptr; 3610 else if (r->direction && r->direction != direction) 3611 r = r->skip[PF_SKIP_DIR].ptr; 3612 else if (r->af && r->af != af) 3613 r = r->skip[PF_SKIP_AF].ptr; 3614 else if (r->proto && r->proto != pd->proto) 3615 r = r->skip[PF_SKIP_PROTO].ptr; 3616 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3617 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3618 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3619 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3620 else if (r->tos && !(r->tos & pd->tos)) 3621 r = TAILQ_NEXT(r, entries); 3622 else if (r->src.port_op || r->dst.port_op || 3623 r->flagset || r->type || r->code || 3624 r->os_fingerprint != PF_OSFP_ANY) 3625 r = TAILQ_NEXT(r, entries); 3626 else if (r->match_tag && !pf_match_tag(m, r, NULL, &tag)) 3627 r = TAILQ_NEXT(r, entries); 3628 else if (r->anchorname[0] && r->anchor == NULL) 3629 r = TAILQ_NEXT(r, entries); 3630 else { 3631 if (r->anchor == NULL) { 3632 *rm = r; 3633 *am = a; 3634 *rsm = ruleset; 3635 if ((*rm)->quick) 3636 break; 3637 r = TAILQ_NEXT(r, entries); 3638 } else 3639 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3640 PF_RULESET_FILTER); 3641 } 3642 if (r == NULL && a != NULL) 3643 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3644 PF_RULESET_FILTER); 3645 } 3646 r = *rm; 3647 a = *am; 3648 ruleset = *rsm; 3649 3650 REASON_SET(&reason, PFRES_MATCH); 3651 3652 if (r->log) 3653 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3654 3655 if (r->action != PF_PASS) 3656 return (PF_DROP); 3657 3658 pf_tag_packet(m, tag); 3659 3660 return (PF_PASS); 3661 } 3662 3663 int 3664 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif, 3665 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 3666 u_short *reason) 3667 { 3668 struct pf_state key; 3669 struct tcphdr *th = pd->hdr.tcp; 3670 u_int16_t win = ntohs(th->th_win); 3671 u_int32_t ack, end, seq; 3672 u_int8_t sws, dws; 3673 int ackskew; 3674 int copyback = 0; 3675 struct pf_state_peer *src, *dst; 3676 3677 key.af = pd->af; 3678 key.proto = IPPROTO_TCP; 3679 if (direction == PF_IN) { 3680 PF_ACPY(&key.ext.addr, pd->src, key.af); 3681 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 3682 key.ext.port = th->th_sport; 3683 key.gwy.port = th->th_dport; 3684 } else { 3685 PF_ACPY(&key.lan.addr, pd->src, key.af); 3686 PF_ACPY(&key.ext.addr, pd->dst, key.af); 3687 key.lan.port = th->th_sport; 3688 key.ext.port = th->th_dport; 3689 } 3690 3691 STATE_LOOKUP(); 3692 3693 if (direction == (*state)->direction) { 3694 src = &(*state)->src; 3695 dst = &(*state)->dst; 3696 } else { 3697 src = &(*state)->dst; 3698 dst = &(*state)->src; 3699 } 3700 3701 if ((*state)->src.state == PF_TCPS_PROXY_SRC) { 3702 if (direction != (*state)->direction) 3703 return (PF_SYNPROXY_DROP); 3704 if (th->th_flags & TH_SYN) { 3705 if (ntohl(th->th_seq) != (*state)->src.seqlo) 3706 return (PF_DROP); 3707 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3708 pd->src, th->th_dport, th->th_sport, 3709 (*state)->src.seqhi, ntohl(th->th_seq) + 1, 3710 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0); 3711 return (PF_SYNPROXY_DROP); 3712 } else if (!(th->th_flags & TH_ACK) || 3713 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3714 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3715 return (PF_DROP); 3716 else 3717 (*state)->src.state = PF_TCPS_PROXY_DST; 3718 } 3719 if ((*state)->src.state == PF_TCPS_PROXY_DST) { 3720 struct pf_state_host *src, *dst; 3721 3722 if (direction == PF_OUT) { 3723 src = &(*state)->gwy; 3724 dst = &(*state)->ext; 3725 } else { 3726 src = &(*state)->ext; 3727 dst = &(*state)->lan; 3728 } 3729 if (direction == (*state)->direction) { 3730 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) || 3731 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3732 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3733 return (PF_DROP); 3734 (*state)->src.max_win = MAX(ntohs(th->th_win), 1); 3735 if ((*state)->dst.seqhi == 1) 3736 (*state)->dst.seqhi = karc4random(); 3737 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3738 &dst->addr, src->port, dst->port, 3739 (*state)->dst.seqhi, 0, TH_SYN, 0, 3740 (*state)->src.mss, 0); 3741 return (PF_SYNPROXY_DROP); 3742 } else if (((th->th_flags & (TH_SYN|TH_ACK)) != 3743 (TH_SYN|TH_ACK)) || 3744 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) 3745 return (PF_DROP); 3746 else { 3747 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1); 3748 (*state)->dst.seqlo = ntohl(th->th_seq); 3749 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3750 pd->src, th->th_dport, th->th_sport, 3751 ntohl(th->th_ack), ntohl(th->th_seq) + 1, 3752 TH_ACK, (*state)->src.max_win, 0, 0); 3753 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3754 &dst->addr, src->port, dst->port, 3755 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, 3756 TH_ACK, (*state)->dst.max_win, 0, 0); 3757 (*state)->src.seqdiff = (*state)->dst.seqhi - 3758 (*state)->src.seqlo; 3759 (*state)->dst.seqdiff = (*state)->src.seqhi - 3760 (*state)->dst.seqlo; 3761 (*state)->src.seqhi = (*state)->src.seqlo + 3762 (*state)->src.max_win; 3763 (*state)->dst.seqhi = (*state)->dst.seqlo + 3764 (*state)->dst.max_win; 3765 (*state)->src.wscale = (*state)->dst.wscale = 0; 3766 (*state)->src.state = (*state)->dst.state = 3767 TCPS_ESTABLISHED; 3768 return (PF_SYNPROXY_DROP); 3769 } 3770 } 3771 3772 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) { 3773 sws = src->wscale & PF_WSCALE_MASK; 3774 dws = dst->wscale & PF_WSCALE_MASK; 3775 } else 3776 sws = dws = 0; 3777 3778 /* 3779 * Sequence tracking algorithm from Guido van Rooij's paper: 3780 * http://www.madison-gurkha.com/publications/tcp_filtering/ 3781 * tcp_filtering.ps 3782 */ 3783 3784 seq = ntohl(th->th_seq); 3785 if (src->seqlo == 0) { 3786 /* First packet from this end. Set its state */ 3787 3788 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) && 3789 src->scrub == NULL) { 3790 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) { 3791 REASON_SET(reason, PFRES_MEMORY); 3792 return (PF_DROP); 3793 } 3794 } 3795 3796 /* Deferred generation of sequence number modulator */ 3797 if (dst->seqdiff && !src->seqdiff) { 3798 while ((src->seqdiff = karc4random()) == 0) 3799 ; 3800 ack = ntohl(th->th_ack) - dst->seqdiff; 3801 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3802 src->seqdiff), 0); 3803 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3804 copyback = 1; 3805 } else { 3806 ack = ntohl(th->th_ack); 3807 } 3808 3809 end = seq + pd->p_len; 3810 if (th->th_flags & TH_SYN) { 3811 end++; 3812 if (dst->wscale & PF_WSCALE_FLAG) { 3813 src->wscale = pf_get_wscale(m, off, th->th_off, 3814 pd->af); 3815 if (src->wscale & PF_WSCALE_FLAG) { 3816 /* Remove scale factor from initial 3817 * window */ 3818 sws = src->wscale & PF_WSCALE_MASK; 3819 win = ((u_int32_t)win + (1 << sws) - 1) 3820 >> sws; 3821 dws = dst->wscale & PF_WSCALE_MASK; 3822 } else { 3823 /* fixup other window */ 3824 dst->max_win <<= dst->wscale & 3825 PF_WSCALE_MASK; 3826 /* in case of a retrans SYN|ACK */ 3827 dst->wscale = 0; 3828 } 3829 } 3830 } 3831 if (th->th_flags & TH_FIN) 3832 end++; 3833 3834 src->seqlo = seq; 3835 if (src->state < TCPS_SYN_SENT) 3836 src->state = TCPS_SYN_SENT; 3837 3838 /* 3839 * May need to slide the window (seqhi may have been set by 3840 * the crappy stack check or if we picked up the connection 3841 * after establishment) 3842 */ 3843 if (src->seqhi == 1 || 3844 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) 3845 src->seqhi = end + MAX(1, dst->max_win << dws); 3846 if (win > src->max_win) 3847 src->max_win = win; 3848 3849 } else { 3850 ack = ntohl(th->th_ack) - dst->seqdiff; 3851 if (src->seqdiff) { 3852 /* Modulate sequence numbers */ 3853 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3854 src->seqdiff), 0); 3855 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3856 copyback = 1; 3857 } 3858 end = seq + pd->p_len; 3859 if (th->th_flags & TH_SYN) 3860 end++; 3861 if (th->th_flags & TH_FIN) 3862 end++; 3863 } 3864 3865 if ((th->th_flags & TH_ACK) == 0) { 3866 /* Let it pass through the ack skew check */ 3867 ack = dst->seqlo; 3868 } else if ((ack == 0 && 3869 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) || 3870 /* broken tcp stacks do not set ack */ 3871 (dst->state < TCPS_SYN_SENT)) { 3872 /* 3873 * Many stacks (ours included) will set the ACK number in an 3874 * FIN|ACK if the SYN times out -- no sequence to ACK. 3875 */ 3876 ack = dst->seqlo; 3877 } 3878 3879 if (seq == end) { 3880 /* Ease sequencing restrictions on no data packets */ 3881 seq = src->seqlo; 3882 end = seq; 3883 } 3884 3885 ackskew = dst->seqlo - ack; 3886 3887 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ 3888 if (SEQ_GEQ(src->seqhi, end) && 3889 /* Last octet inside other's window space */ 3890 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) && 3891 /* Retrans: not more than one window back */ 3892 (ackskew >= -MAXACKWINDOW) && 3893 /* Acking not more than one reassembled fragment backwards */ 3894 (ackskew <= (MAXACKWINDOW << sws))) { 3895 /* Acking not more than one window forward */ 3896 3897 /* update max window */ 3898 if (src->max_win < win) 3899 src->max_win = win; 3900 /* synchronize sequencing */ 3901 if (SEQ_GT(end, src->seqlo)) 3902 src->seqlo = end; 3903 /* slide the window of what the other end can send */ 3904 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 3905 dst->seqhi = ack + MAX((win << sws), 1); 3906 3907 3908 /* update states */ 3909 if (th->th_flags & TH_SYN) 3910 if (src->state < TCPS_SYN_SENT) 3911 src->state = TCPS_SYN_SENT; 3912 if (th->th_flags & TH_FIN) 3913 if (src->state < TCPS_CLOSING) 3914 src->state = TCPS_CLOSING; 3915 if (th->th_flags & TH_ACK) { 3916 if (dst->state == TCPS_SYN_SENT) 3917 dst->state = TCPS_ESTABLISHED; 3918 else if (dst->state == TCPS_CLOSING) 3919 dst->state = TCPS_FIN_WAIT_2; 3920 } 3921 if (th->th_flags & TH_RST) 3922 src->state = dst->state = TCPS_TIME_WAIT; 3923 3924 /* update expire time */ 3925 (*state)->expire = time_second; 3926 if (src->state >= TCPS_FIN_WAIT_2 && 3927 dst->state >= TCPS_FIN_WAIT_2) 3928 (*state)->timeout = PFTM_TCP_CLOSED; 3929 else if (src->state >= TCPS_FIN_WAIT_2 || 3930 dst->state >= TCPS_FIN_WAIT_2) 3931 (*state)->timeout = PFTM_TCP_FIN_WAIT; 3932 else if (src->state < TCPS_ESTABLISHED || 3933 dst->state < TCPS_ESTABLISHED) 3934 (*state)->timeout = PFTM_TCP_OPENING; 3935 else if (src->state >= TCPS_CLOSING || 3936 dst->state >= TCPS_CLOSING) 3937 (*state)->timeout = PFTM_TCP_CLOSING; 3938 else 3939 (*state)->timeout = PFTM_TCP_ESTABLISHED; 3940 3941 /* Fall through to PASS packet */ 3942 3943 } else if ((dst->state < TCPS_SYN_SENT || 3944 dst->state >= TCPS_FIN_WAIT_2 || 3945 src->state >= TCPS_FIN_WAIT_2) && 3946 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) && 3947 /* Within a window forward of the originating packet */ 3948 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) { 3949 /* Within a window backward of the originating packet */ 3950 3951 /* 3952 * This currently handles three situations: 3953 * 1) Stupid stacks will shotgun SYNs before their peer 3954 * replies. 3955 * 2) When PF catches an already established stream (the 3956 * firewall rebooted, the state table was flushed, routes 3957 * changed...) 3958 * 3) Packets get funky immediately after the connection 3959 * closes (this should catch Solaris spurious ACK|FINs 3960 * that web servers like to spew after a close) 3961 * 3962 * This must be a little more careful than the above code 3963 * since packet floods will also be caught here. We don't 3964 * update the TTL here to mitigate the damage of a packet 3965 * flood and so the same code can handle awkward establishment 3966 * and a loosened connection close. 3967 * In the establishment case, a correct peer response will 3968 * validate the connection, go through the normal state code 3969 * and keep updating the state TTL. 3970 */ 3971 3972 if (pf_status.debug >= PF_DEBUG_MISC) { 3973 kprintf("pf: loose state match: "); 3974 pf_print_state(*state); 3975 pf_print_flags(th->th_flags); 3976 kprintf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n", 3977 seq, ack, pd->p_len, ackskew, 3978 (*state)->packets[0], (*state)->packets[1]); 3979 } 3980 3981 /* update max window */ 3982 if (src->max_win < win) 3983 src->max_win = win; 3984 /* synchronize sequencing */ 3985 if (SEQ_GT(end, src->seqlo)) 3986 src->seqlo = end; 3987 /* slide the window of what the other end can send */ 3988 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 3989 dst->seqhi = ack + MAX((win << sws), 1); 3990 3991 /* 3992 * Cannot set dst->seqhi here since this could be a shotgunned 3993 * SYN and not an already established connection. 3994 */ 3995 3996 if (th->th_flags & TH_FIN) 3997 if (src->state < TCPS_CLOSING) 3998 src->state = TCPS_CLOSING; 3999 if (th->th_flags & TH_RST) 4000 src->state = dst->state = TCPS_TIME_WAIT; 4001 4002 /* Fall through to PASS packet */ 4003 4004 } else { 4005 if ((*state)->dst.state == TCPS_SYN_SENT && 4006 (*state)->src.state == TCPS_SYN_SENT) { 4007 /* Send RST for state mismatches during handshake */ 4008 if (!(th->th_flags & TH_RST)) { 4009 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 4010 4011 if (th->th_flags & TH_SYN) 4012 ack++; 4013 if (th->th_flags & TH_FIN) 4014 ack++; 4015 pf_send_tcp((*state)->rule.ptr, pd->af, 4016 pd->dst, pd->src, th->th_dport, 4017 th->th_sport, ntohl(th->th_ack), ack, 4018 TH_RST|TH_ACK, 0, 0, 4019 (*state)->rule.ptr->return_ttl); 4020 } 4021 src->seqlo = 0; 4022 src->seqhi = 1; 4023 src->max_win = 1; 4024 } else if (pf_status.debug >= PF_DEBUG_MISC) { 4025 kprintf("pf: BAD state: "); 4026 pf_print_state(*state); 4027 pf_print_flags(th->th_flags); 4028 kprintf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d " 4029 "dir=%s,%s\n", seq, ack, pd->p_len, ackskew, 4030 (*state)->packets[0], (*state)->packets[1], 4031 direction == PF_IN ? "in" : "out", 4032 direction == (*state)->direction ? "fwd" : "rev"); 4033 kprintf("pf: State failure on: %c %c %c %c | %c %c\n", 4034 SEQ_GEQ(src->seqhi, end) ? ' ' : '1', 4035 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? 4036 ' ': '2', 4037 (ackskew >= -MAXACKWINDOW) ? ' ' : '3', 4038 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', 4039 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', 4040 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); 4041 } 4042 return (PF_DROP); 4043 } 4044 4045 if (dst->scrub || src->scrub) { 4046 if (pf_normalize_tcp_stateful(m, off, pd, reason, th, 4047 src, dst, ©back)) 4048 return (PF_DROP); 4049 } 4050 4051 /* Any packets which have gotten here are to be passed */ 4052 4053 /* translate source/destination address, if necessary */ 4054 if (STATE_TRANSLATE(*state)) { 4055 if (direction == PF_OUT) 4056 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum, 4057 &th->th_sum, &(*state)->gwy.addr, 4058 (*state)->gwy.port, 0, pd->af); 4059 else 4060 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum, 4061 &th->th_sum, &(*state)->lan.addr, 4062 (*state)->lan.port, 0, pd->af); 4063 m_copyback(m, off, sizeof(*th), (caddr_t)th); 4064 } else if (copyback) { 4065 /* Copyback sequence modulation or stateful scrub changes */ 4066 m_copyback(m, off, sizeof(*th), (caddr_t)th); 4067 } 4068 4069 return (PF_PASS); 4070 } 4071 4072 int 4073 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif, 4074 struct mbuf *m, int off, void *h, struct pf_pdesc *pd) 4075 { 4076 struct pf_state_peer *src, *dst; 4077 struct pf_state key; 4078 struct udphdr *uh = pd->hdr.udp; 4079 4080 key.af = pd->af; 4081 key.proto = IPPROTO_UDP; 4082 if (direction == PF_IN) { 4083 PF_ACPY(&key.ext.addr, pd->src, key.af); 4084 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4085 key.ext.port = uh->uh_sport; 4086 key.gwy.port = uh->uh_dport; 4087 } else { 4088 PF_ACPY(&key.lan.addr, pd->src, key.af); 4089 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4090 key.lan.port = uh->uh_sport; 4091 key.ext.port = uh->uh_dport; 4092 } 4093 4094 STATE_LOOKUP(); 4095 4096 if (direction == (*state)->direction) { 4097 src = &(*state)->src; 4098 dst = &(*state)->dst; 4099 } else { 4100 src = &(*state)->dst; 4101 dst = &(*state)->src; 4102 } 4103 4104 /* update states */ 4105 if (src->state < PFUDPS_SINGLE) 4106 src->state = PFUDPS_SINGLE; 4107 if (dst->state == PFUDPS_SINGLE) 4108 dst->state = PFUDPS_MULTIPLE; 4109 4110 /* update expire time */ 4111 (*state)->expire = time_second; 4112 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) 4113 (*state)->timeout = PFTM_UDP_MULTIPLE; 4114 else 4115 (*state)->timeout = PFTM_UDP_SINGLE; 4116 4117 /* translate source/destination address, if necessary */ 4118 if (STATE_TRANSLATE(*state)) { 4119 if (direction == PF_OUT) 4120 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum, 4121 &uh->uh_sum, &(*state)->gwy.addr, 4122 (*state)->gwy.port, 1, pd->af); 4123 else 4124 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum, 4125 &uh->uh_sum, &(*state)->lan.addr, 4126 (*state)->lan.port, 1, pd->af); 4127 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 4128 } 4129 4130 return (PF_PASS); 4131 } 4132 4133 int 4134 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, 4135 struct mbuf *m, int off, void *h, struct pf_pdesc *pd) 4136 { 4137 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 4138 u_int16_t icmpid = 0; 4139 u_int16_t *icmpsum = NULL; 4140 u_int8_t icmptype = 0; 4141 int state_icmp = 0; 4142 4143 switch (pd->proto) { 4144 #ifdef INET 4145 case IPPROTO_ICMP: 4146 icmptype = pd->hdr.icmp->icmp_type; 4147 icmpid = pd->hdr.icmp->icmp_id; 4148 icmpsum = &pd->hdr.icmp->icmp_cksum; 4149 4150 if (icmptype == ICMP_UNREACH || 4151 icmptype == ICMP_SOURCEQUENCH || 4152 icmptype == ICMP_REDIRECT || 4153 icmptype == ICMP_TIMXCEED || 4154 icmptype == ICMP_PARAMPROB) 4155 state_icmp++; 4156 break; 4157 #endif /* INET */ 4158 #ifdef INET6 4159 case IPPROTO_ICMPV6: 4160 icmptype = pd->hdr.icmp6->icmp6_type; 4161 icmpid = pd->hdr.icmp6->icmp6_id; 4162 icmpsum = &pd->hdr.icmp6->icmp6_cksum; 4163 4164 if (icmptype == ICMP6_DST_UNREACH || 4165 icmptype == ICMP6_PACKET_TOO_BIG || 4166 icmptype == ICMP6_TIME_EXCEEDED || 4167 icmptype == ICMP6_PARAM_PROB) 4168 state_icmp++; 4169 break; 4170 #endif /* INET6 */ 4171 } 4172 4173 if (!state_icmp) { 4174 4175 /* 4176 * ICMP query/reply message not related to a TCP/UDP packet. 4177 * Search for an ICMP state. 4178 */ 4179 struct pf_state key; 4180 4181 key.af = pd->af; 4182 key.proto = pd->proto; 4183 if (direction == PF_IN) { 4184 PF_ACPY(&key.ext.addr, pd->src, key.af); 4185 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4186 key.ext.port = icmpid; 4187 key.gwy.port = icmpid; 4188 } else { 4189 PF_ACPY(&key.lan.addr, pd->src, key.af); 4190 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4191 key.lan.port = icmpid; 4192 key.ext.port = icmpid; 4193 } 4194 4195 STATE_LOOKUP(); 4196 4197 (*state)->expire = time_second; 4198 (*state)->timeout = PFTM_ICMP_ERROR_REPLY; 4199 4200 /* translate source/destination address, if necessary */ 4201 if (PF_ANEQ(&(*state)->lan.addr, &(*state)->gwy.addr, pd->af)) { 4202 if (direction == PF_OUT) { 4203 switch (pd->af) { 4204 #ifdef INET 4205 case AF_INET: 4206 pf_change_a(&saddr->v4.s_addr, 4207 pd->ip_sum, 4208 (*state)->gwy.addr.v4.s_addr, 0); 4209 break; 4210 #endif /* INET */ 4211 #ifdef INET6 4212 case AF_INET6: 4213 pf_change_a6(saddr, 4214 &pd->hdr.icmp6->icmp6_cksum, 4215 &(*state)->gwy.addr, 0); 4216 m_copyback(m, off, 4217 sizeof(struct icmp6_hdr), 4218 (caddr_t)pd->hdr.icmp6); 4219 break; 4220 #endif /* INET6 */ 4221 } 4222 } else { 4223 switch (pd->af) { 4224 #ifdef INET 4225 case AF_INET: 4226 pf_change_a(&daddr->v4.s_addr, 4227 pd->ip_sum, 4228 (*state)->lan.addr.v4.s_addr, 0); 4229 break; 4230 #endif /* INET */ 4231 #ifdef INET6 4232 case AF_INET6: 4233 pf_change_a6(daddr, 4234 &pd->hdr.icmp6->icmp6_cksum, 4235 &(*state)->lan.addr, 0); 4236 m_copyback(m, off, 4237 sizeof(struct icmp6_hdr), 4238 (caddr_t)pd->hdr.icmp6); 4239 break; 4240 #endif /* INET6 */ 4241 } 4242 } 4243 } 4244 4245 return (PF_PASS); 4246 4247 } else { 4248 /* 4249 * ICMP error message in response to a TCP/UDP packet. 4250 * Extract the inner TCP/UDP header and search for that state. 4251 */ 4252 4253 struct pf_pdesc pd2; 4254 #ifdef INET 4255 struct ip h2; 4256 #endif /* INET */ 4257 #ifdef INET6 4258 struct ip6_hdr h2_6; 4259 int terminal = 0; 4260 #endif /* INET6 */ 4261 int ipoff2 = 0; 4262 int off2 = 0; 4263 4264 pd2.af = pd->af; 4265 switch (pd->af) { 4266 #ifdef INET 4267 case AF_INET: 4268 /* offset of h2 in mbuf chain */ 4269 ipoff2 = off + ICMP_MINLEN; 4270 4271 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2), 4272 NULL, NULL, pd2.af)) { 4273 DPFPRINTF(PF_DEBUG_MISC, 4274 ("pf: ICMP error message too short " 4275 "(ip)\n")); 4276 return (PF_DROP); 4277 } 4278 /* 4279 * ICMP error messages don't refer to non-first 4280 * fragments 4281 */ 4282 /* 4283 * Note: We are dealing with an encapsulated 4284 * header. This means ip_off/ip_len are not 4285 * in host byte order! 4286 */ 4287 if (h2.ip_off & htons(IP_OFFMASK)) 4288 return (PF_DROP); 4289 4290 /* offset of protocol header that follows h2 */ 4291 off2 = ipoff2 + (h2.ip_hl << 2); 4292 4293 pd2.proto = h2.ip_p; 4294 pd2.src = (struct pf_addr *)&h2.ip_src; 4295 pd2.dst = (struct pf_addr *)&h2.ip_dst; 4296 pd2.ip_sum = &h2.ip_sum; 4297 break; 4298 #endif /* INET */ 4299 #ifdef INET6 4300 case AF_INET6: 4301 ipoff2 = off + sizeof(struct icmp6_hdr); 4302 4303 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6), 4304 NULL, NULL, pd2.af)) { 4305 DPFPRINTF(PF_DEBUG_MISC, 4306 ("pf: ICMP error message too short " 4307 "(ip6)\n")); 4308 return (PF_DROP); 4309 } 4310 pd2.proto = h2_6.ip6_nxt; 4311 pd2.src = (struct pf_addr *)&h2_6.ip6_src; 4312 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst; 4313 pd2.ip_sum = NULL; 4314 off2 = ipoff2 + sizeof(h2_6); 4315 do { 4316 switch (pd2.proto) { 4317 case IPPROTO_FRAGMENT: 4318 /* 4319 * ICMPv6 error messages for 4320 * non-first fragments 4321 */ 4322 return (PF_DROP); 4323 case IPPROTO_AH: 4324 case IPPROTO_HOPOPTS: 4325 case IPPROTO_ROUTING: 4326 case IPPROTO_DSTOPTS: { 4327 /* get next header and header length */ 4328 struct ip6_ext opt6; 4329 4330 if (!pf_pull_hdr(m, off2, &opt6, 4331 sizeof(opt6), NULL, NULL, pd2.af)) { 4332 DPFPRINTF(PF_DEBUG_MISC, 4333 ("pf: ICMPv6 short opt\n")); 4334 return (PF_DROP); 4335 } 4336 if (pd2.proto == IPPROTO_AH) 4337 off2 += (opt6.ip6e_len + 2) * 4; 4338 else 4339 off2 += (opt6.ip6e_len + 1) * 8; 4340 pd2.proto = opt6.ip6e_nxt; 4341 /* goto the next header */ 4342 break; 4343 } 4344 default: 4345 terminal++; 4346 break; 4347 } 4348 } while (!terminal); 4349 break; 4350 #endif /* INET6 */ 4351 } 4352 4353 switch (pd2.proto) { 4354 case IPPROTO_TCP: { 4355 struct tcphdr th; 4356 u_int32_t seq; 4357 struct pf_state key; 4358 struct pf_state_peer *src, *dst; 4359 u_int8_t dws; 4360 int copyback = 0; 4361 4362 /* 4363 * Only the first 8 bytes of the TCP header can be 4364 * expected. Don't access any TCP header fields after 4365 * th_seq, an ackskew test is not possible. 4366 */ 4367 if (!pf_pull_hdr(m, off2, &th, 8, NULL, NULL, pd2.af)) { 4368 DPFPRINTF(PF_DEBUG_MISC, 4369 ("pf: ICMP error message too short " 4370 "(tcp)\n")); 4371 return (PF_DROP); 4372 } 4373 4374 key.af = pd2.af; 4375 key.proto = IPPROTO_TCP; 4376 if (direction == PF_IN) { 4377 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4378 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4379 key.ext.port = th.th_dport; 4380 key.gwy.port = th.th_sport; 4381 } else { 4382 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4383 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4384 key.lan.port = th.th_dport; 4385 key.ext.port = th.th_sport; 4386 } 4387 4388 STATE_LOOKUP(); 4389 4390 if (direction == (*state)->direction) { 4391 src = &(*state)->dst; 4392 dst = &(*state)->src; 4393 } else { 4394 src = &(*state)->src; 4395 dst = &(*state)->dst; 4396 } 4397 4398 if (src->wscale && dst->wscale && 4399 !(th.th_flags & TH_SYN)) 4400 dws = dst->wscale & PF_WSCALE_MASK; 4401 else 4402 dws = 0; 4403 4404 /* Demodulate sequence number */ 4405 seq = ntohl(th.th_seq) - src->seqdiff; 4406 if (src->seqdiff) { 4407 pf_change_a(&th.th_seq, icmpsum, 4408 htonl(seq), 0); 4409 copyback = 1; 4410 } 4411 4412 if (!SEQ_GEQ(src->seqhi, seq) || 4413 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) { 4414 if (pf_status.debug >= PF_DEBUG_MISC) { 4415 kprintf("pf: BAD ICMP %d:%d ", 4416 icmptype, pd->hdr.icmp->icmp_code); 4417 pf_print_host(pd->src, 0, pd->af); 4418 kprintf(" -> "); 4419 pf_print_host(pd->dst, 0, pd->af); 4420 kprintf(" state: "); 4421 pf_print_state(*state); 4422 kprintf(" seq=%u\n", seq); 4423 } 4424 return (PF_DROP); 4425 } 4426 4427 if (STATE_TRANSLATE(*state)) { 4428 if (direction == PF_IN) { 4429 pf_change_icmp(pd2.src, &th.th_sport, 4430 daddr, &(*state)->lan.addr, 4431 (*state)->lan.port, NULL, 4432 pd2.ip_sum, icmpsum, 4433 pd->ip_sum, 0, pd2.af); 4434 } else { 4435 pf_change_icmp(pd2.dst, &th.th_dport, 4436 saddr, &(*state)->gwy.addr, 4437 (*state)->gwy.port, NULL, 4438 pd2.ip_sum, icmpsum, 4439 pd->ip_sum, 0, pd2.af); 4440 } 4441 copyback = 1; 4442 } 4443 4444 if (copyback) { 4445 switch (pd2.af) { 4446 #ifdef INET 4447 case AF_INET: 4448 m_copyback(m, off, ICMP_MINLEN, 4449 (caddr_t)pd->hdr.icmp); 4450 m_copyback(m, ipoff2, sizeof(h2), 4451 (caddr_t)&h2); 4452 break; 4453 #endif /* INET */ 4454 #ifdef INET6 4455 case AF_INET6: 4456 m_copyback(m, off, 4457 sizeof(struct icmp6_hdr), 4458 (caddr_t)pd->hdr.icmp6); 4459 m_copyback(m, ipoff2, sizeof(h2_6), 4460 (caddr_t)&h2_6); 4461 break; 4462 #endif /* INET6 */ 4463 } 4464 m_copyback(m, off2, 8, (caddr_t)&th); 4465 } 4466 4467 return (PF_PASS); 4468 break; 4469 } 4470 case IPPROTO_UDP: { 4471 struct udphdr uh; 4472 struct pf_state key; 4473 4474 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh), 4475 NULL, NULL, pd2.af)) { 4476 DPFPRINTF(PF_DEBUG_MISC, 4477 ("pf: ICMP error message too short " 4478 "(udp)\n")); 4479 return (PF_DROP); 4480 } 4481 4482 key.af = pd2.af; 4483 key.proto = IPPROTO_UDP; 4484 if (direction == PF_IN) { 4485 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4486 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4487 key.ext.port = uh.uh_dport; 4488 key.gwy.port = uh.uh_sport; 4489 } else { 4490 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4491 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4492 key.lan.port = uh.uh_dport; 4493 key.ext.port = uh.uh_sport; 4494 } 4495 4496 STATE_LOOKUP(); 4497 4498 if (STATE_TRANSLATE(*state)) { 4499 if (direction == PF_IN) { 4500 pf_change_icmp(pd2.src, &uh.uh_sport, 4501 daddr, &(*state)->lan.addr, 4502 (*state)->lan.port, &uh.uh_sum, 4503 pd2.ip_sum, icmpsum, 4504 pd->ip_sum, 1, pd2.af); 4505 } else { 4506 pf_change_icmp(pd2.dst, &uh.uh_dport, 4507 saddr, &(*state)->gwy.addr, 4508 (*state)->gwy.port, &uh.uh_sum, 4509 pd2.ip_sum, icmpsum, 4510 pd->ip_sum, 1, pd2.af); 4511 } 4512 switch (pd2.af) { 4513 #ifdef INET 4514 case AF_INET: 4515 m_copyback(m, off, ICMP_MINLEN, 4516 (caddr_t)pd->hdr.icmp); 4517 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); 4518 break; 4519 #endif /* INET */ 4520 #ifdef INET6 4521 case AF_INET6: 4522 m_copyback(m, off, 4523 sizeof(struct icmp6_hdr), 4524 (caddr_t)pd->hdr.icmp6); 4525 m_copyback(m, ipoff2, sizeof(h2_6), 4526 (caddr_t)&h2_6); 4527 break; 4528 #endif /* INET6 */ 4529 } 4530 m_copyback(m, off2, sizeof(uh), (caddr_t)&uh); 4531 } 4532 4533 return (PF_PASS); 4534 break; 4535 } 4536 #ifdef INET 4537 case IPPROTO_ICMP: { 4538 struct icmp iih; 4539 struct pf_state key; 4540 4541 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN, 4542 NULL, NULL, pd2.af)) { 4543 DPFPRINTF(PF_DEBUG_MISC, 4544 ("pf: ICMP error message too short i" 4545 "(icmp)\n")); 4546 return (PF_DROP); 4547 } 4548 4549 key.af = pd2.af; 4550 key.proto = IPPROTO_ICMP; 4551 if (direction == PF_IN) { 4552 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4553 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4554 key.ext.port = iih.icmp_id; 4555 key.gwy.port = iih.icmp_id; 4556 } else { 4557 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4558 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4559 key.lan.port = iih.icmp_id; 4560 key.ext.port = iih.icmp_id; 4561 } 4562 4563 STATE_LOOKUP(); 4564 4565 if (STATE_TRANSLATE(*state)) { 4566 if (direction == PF_IN) { 4567 pf_change_icmp(pd2.src, &iih.icmp_id, 4568 daddr, &(*state)->lan.addr, 4569 (*state)->lan.port, NULL, 4570 pd2.ip_sum, icmpsum, 4571 pd->ip_sum, 0, AF_INET); 4572 } else { 4573 pf_change_icmp(pd2.dst, &iih.icmp_id, 4574 saddr, &(*state)->gwy.addr, 4575 (*state)->gwy.port, NULL, 4576 pd2.ip_sum, icmpsum, 4577 pd->ip_sum, 0, AF_INET); 4578 } 4579 m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp); 4580 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); 4581 m_copyback(m, off2, ICMP_MINLEN, (caddr_t)&iih); 4582 } 4583 4584 return (PF_PASS); 4585 break; 4586 } 4587 #endif /* INET */ 4588 #ifdef INET6 4589 case IPPROTO_ICMPV6: { 4590 struct icmp6_hdr iih; 4591 struct pf_state key; 4592 4593 if (!pf_pull_hdr(m, off2, &iih, 4594 sizeof(struct icmp6_hdr), NULL, NULL, pd2.af)) { 4595 DPFPRINTF(PF_DEBUG_MISC, 4596 ("pf: ICMP error message too short " 4597 "(icmp6)\n")); 4598 return (PF_DROP); 4599 } 4600 4601 key.af = pd2.af; 4602 key.proto = IPPROTO_ICMPV6; 4603 if (direction == PF_IN) { 4604 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4605 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4606 key.ext.port = iih.icmp6_id; 4607 key.gwy.port = iih.icmp6_id; 4608 } else { 4609 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4610 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4611 key.lan.port = iih.icmp6_id; 4612 key.ext.port = iih.icmp6_id; 4613 } 4614 4615 STATE_LOOKUP(); 4616 4617 if (STATE_TRANSLATE(*state)) { 4618 if (direction == PF_IN) { 4619 pf_change_icmp(pd2.src, &iih.icmp6_id, 4620 daddr, &(*state)->lan.addr, 4621 (*state)->lan.port, NULL, 4622 pd2.ip_sum, icmpsum, 4623 pd->ip_sum, 0, AF_INET6); 4624 } else { 4625 pf_change_icmp(pd2.dst, &iih.icmp6_id, 4626 saddr, &(*state)->gwy.addr, 4627 (*state)->gwy.port, NULL, 4628 pd2.ip_sum, icmpsum, 4629 pd->ip_sum, 0, AF_INET6); 4630 } 4631 m_copyback(m, off, sizeof(struct icmp6_hdr), 4632 (caddr_t)pd->hdr.icmp6); 4633 m_copyback(m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6); 4634 m_copyback(m, off2, sizeof(struct icmp6_hdr), 4635 (caddr_t)&iih); 4636 } 4637 4638 return (PF_PASS); 4639 break; 4640 } 4641 #endif /* INET6 */ 4642 default: { 4643 struct pf_state key; 4644 4645 key.af = pd2.af; 4646 key.proto = pd2.proto; 4647 if (direction == PF_IN) { 4648 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4649 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4650 key.ext.port = 0; 4651 key.gwy.port = 0; 4652 } else { 4653 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4654 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4655 key.lan.port = 0; 4656 key.ext.port = 0; 4657 } 4658 4659 STATE_LOOKUP(); 4660 4661 if (STATE_TRANSLATE(*state)) { 4662 if (direction == PF_IN) { 4663 pf_change_icmp(pd2.src, NULL, 4664 daddr, &(*state)->lan.addr, 4665 0, NULL, 4666 pd2.ip_sum, icmpsum, 4667 pd->ip_sum, 0, pd2.af); 4668 } else { 4669 pf_change_icmp(pd2.dst, NULL, 4670 saddr, &(*state)->gwy.addr, 4671 0, NULL, 4672 pd2.ip_sum, icmpsum, 4673 pd->ip_sum, 0, pd2.af); 4674 } 4675 switch (pd2.af) { 4676 #ifdef INET 4677 case AF_INET: 4678 m_copyback(m, off, ICMP_MINLEN, 4679 (caddr_t)pd->hdr.icmp); 4680 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); 4681 break; 4682 #endif /* INET */ 4683 #ifdef INET6 4684 case AF_INET6: 4685 m_copyback(m, off, 4686 sizeof(struct icmp6_hdr), 4687 (caddr_t)pd->hdr.icmp6); 4688 m_copyback(m, ipoff2, sizeof(h2_6), 4689 (caddr_t)&h2_6); 4690 break; 4691 #endif /* INET6 */ 4692 } 4693 } 4694 4695 return (PF_PASS); 4696 break; 4697 } 4698 } 4699 } 4700 } 4701 4702 int 4703 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif, 4704 struct pf_pdesc *pd) 4705 { 4706 struct pf_state_peer *src, *dst; 4707 struct pf_state key; 4708 4709 key.af = pd->af; 4710 key.proto = pd->proto; 4711 if (direction == PF_IN) { 4712 PF_ACPY(&key.ext.addr, pd->src, key.af); 4713 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4714 key.ext.port = 0; 4715 key.gwy.port = 0; 4716 } else { 4717 PF_ACPY(&key.lan.addr, pd->src, key.af); 4718 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4719 key.lan.port = 0; 4720 key.ext.port = 0; 4721 } 4722 4723 STATE_LOOKUP(); 4724 4725 if (direction == (*state)->direction) { 4726 src = &(*state)->src; 4727 dst = &(*state)->dst; 4728 } else { 4729 src = &(*state)->dst; 4730 dst = &(*state)->src; 4731 } 4732 4733 /* update states */ 4734 if (src->state < PFOTHERS_SINGLE) 4735 src->state = PFOTHERS_SINGLE; 4736 if (dst->state == PFOTHERS_SINGLE) 4737 dst->state = PFOTHERS_MULTIPLE; 4738 4739 /* update expire time */ 4740 (*state)->expire = time_second; 4741 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) 4742 (*state)->timeout = PFTM_OTHER_MULTIPLE; 4743 else 4744 (*state)->timeout = PFTM_OTHER_SINGLE; 4745 4746 /* translate source/destination address, if necessary */ 4747 if (STATE_TRANSLATE(*state)) { 4748 if (direction == PF_OUT) 4749 switch (pd->af) { 4750 #ifdef INET 4751 case AF_INET: 4752 pf_change_a(&pd->src->v4.s_addr, 4753 pd->ip_sum, (*state)->gwy.addr.v4.s_addr, 4754 0); 4755 break; 4756 #endif /* INET */ 4757 #ifdef INET6 4758 case AF_INET6: 4759 PF_ACPY(pd->src, &(*state)->gwy.addr, pd->af); 4760 break; 4761 #endif /* INET6 */ 4762 } 4763 else 4764 switch (pd->af) { 4765 #ifdef INET 4766 case AF_INET: 4767 pf_change_a(&pd->dst->v4.s_addr, 4768 pd->ip_sum, (*state)->lan.addr.v4.s_addr, 4769 0); 4770 break; 4771 #endif /* INET */ 4772 #ifdef INET6 4773 case AF_INET6: 4774 PF_ACPY(pd->dst, &(*state)->lan.addr, pd->af); 4775 break; 4776 #endif /* INET6 */ 4777 } 4778 } 4779 4780 return (PF_PASS); 4781 } 4782 4783 /* 4784 * ipoff and off are measured from the start of the mbuf chain. 4785 * h must be at "ipoff" on the mbuf chain. 4786 */ 4787 void * 4788 pf_pull_hdr(struct mbuf *m, int off, void *p, int len, 4789 u_short *actionp, u_short *reasonp, sa_family_t af) 4790 { 4791 switch (af) { 4792 #ifdef INET 4793 case AF_INET: { 4794 struct ip *h = mtod(m, struct ip *); 4795 u_int16_t fragoff = (h->ip_off & IP_OFFMASK) << 3; 4796 4797 if (fragoff) { 4798 if (fragoff >= len) 4799 ACTION_SET(actionp, PF_PASS); 4800 else { 4801 ACTION_SET(actionp, PF_DROP); 4802 REASON_SET(reasonp, PFRES_FRAG); 4803 } 4804 return (NULL); 4805 } 4806 if (m->m_pkthdr.len < off + len || 4807 h->ip_len < off + len) { 4808 ACTION_SET(actionp, PF_DROP); 4809 REASON_SET(reasonp, PFRES_SHORT); 4810 return (NULL); 4811 } 4812 break; 4813 } 4814 #endif /* INET */ 4815 #ifdef INET6 4816 case AF_INET6: { 4817 struct ip6_hdr *h = mtod(m, struct ip6_hdr *); 4818 4819 if (m->m_pkthdr.len < off + len || 4820 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) < 4821 (unsigned)(off + len)) { 4822 ACTION_SET(actionp, PF_DROP); 4823 REASON_SET(reasonp, PFRES_SHORT); 4824 return (NULL); 4825 } 4826 break; 4827 } 4828 #endif /* INET6 */ 4829 } 4830 m_copydata(m, off, len, p); 4831 return (p); 4832 } 4833 4834 int 4835 pf_routable(struct pf_addr *addr, sa_family_t af) 4836 { 4837 struct sockaddr_in *dst; 4838 struct route ro; 4839 int ret = 0; 4840 4841 bzero(&ro, sizeof(ro)); 4842 dst = satosin(&ro.ro_dst); 4843 dst->sin_family = af; 4844 dst->sin_len = sizeof(*dst); 4845 dst->sin_addr = addr->v4; 4846 rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING)); 4847 4848 if (ro.ro_rt != NULL) { 4849 ret = 1; 4850 RTFREE(ro.ro_rt); 4851 } 4852 4853 return (ret); 4854 } 4855 4856 #ifdef INET 4857 void 4858 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 4859 struct pf_state *s) 4860 { 4861 struct mbuf *m0, *m1; 4862 struct route iproute; 4863 struct route *ro = NULL; 4864 struct sockaddr_in *dst; 4865 struct ip *ip; 4866 struct ifnet *ifp = NULL; 4867 struct pf_addr naddr; 4868 struct pf_src_node *sn = NULL; 4869 int error = 0; 4870 int sw_csum; 4871 4872 if (m == NULL || *m == NULL || r == NULL || 4873 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 4874 panic("pf_route: invalid parameters"); 4875 4876 if (((*m)->m_pkthdr.fw_flags & PF_MBUF_ROUTED) == 0) { 4877 (*m)->m_pkthdr.fw_flags |= PF_MBUF_ROUTED; 4878 (*m)->m_pkthdr.pf_routed = 1; 4879 } else { 4880 if ((*m)->m_pkthdr.pf_routed > 3) { 4881 m0 = *m; 4882 *m = NULL; 4883 goto bad; 4884 } 4885 (*m)->m_pkthdr.pf_routed++; 4886 } 4887 4888 if (r->rt == PF_DUPTO) { 4889 if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL) 4890 return; 4891 } else { 4892 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 4893 return; 4894 m0 = *m; 4895 } 4896 4897 if (m0->m_len < sizeof(struct ip)) 4898 panic("pf_route: m0->m_len < sizeof(struct ip)"); 4899 ip = mtod(m0, struct ip *); 4900 4901 ro = &iproute; 4902 bzero((caddr_t)ro, sizeof(*ro)); 4903 dst = satosin(&ro->ro_dst); 4904 dst->sin_family = AF_INET; 4905 dst->sin_len = sizeof(*dst); 4906 dst->sin_addr = ip->ip_dst; 4907 4908 if (r->rt == PF_FASTROUTE) { 4909 rtalloc(ro); 4910 if (ro->ro_rt == 0) { 4911 ipstat.ips_noroute++; 4912 goto bad; 4913 } 4914 4915 ifp = ro->ro_rt->rt_ifp; 4916 ro->ro_rt->rt_use++; 4917 4918 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 4919 dst = satosin(ro->ro_rt->rt_gateway); 4920 } else { 4921 if (TAILQ_EMPTY(&r->rpool.list)) 4922 panic("pf_route: TAILQ_EMPTY(&r->rpool.list)"); 4923 if (s == NULL) { 4924 pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, 4925 &naddr, NULL, &sn); 4926 if (!PF_AZERO(&naddr, AF_INET)) 4927 dst->sin_addr.s_addr = naddr.v4.s_addr; 4928 ifp = r->rpool.cur->kif ? 4929 r->rpool.cur->kif->pfik_ifp : NULL; 4930 } else { 4931 if (!PF_AZERO(&s->rt_addr, AF_INET)) 4932 dst->sin_addr.s_addr = 4933 s->rt_addr.v4.s_addr; 4934 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 4935 } 4936 } 4937 if (ifp == NULL) 4938 goto bad; 4939 4940 if (oifp != ifp) { 4941 if (pf_test(PF_OUT, ifp, &m0) != PF_PASS) 4942 goto bad; 4943 else if (m0 == NULL) 4944 goto done; 4945 if (m0->m_len < sizeof(struct ip)) 4946 panic("pf_route: m0->m_len < sizeof(struct ip)"); 4947 ip = mtod(m0, struct ip *); 4948 } 4949 4950 /* Copied from ip_output. */ 4951 m0->m_pkthdr.csum_flags |= CSUM_IP; 4952 sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist; 4953 if (sw_csum & CSUM_DELAY_DATA) { 4954 in_delayed_cksum(m0); 4955 sw_csum &= ~CSUM_DELAY_DATA; 4956 } 4957 m0->m_pkthdr.csum_flags &= ifp->if_hwassist; 4958 4959 /* 4960 * If small enough for interface, or the interface will take 4961 * care of the fragmentation for us, can just send directly. 4962 */ 4963 if (ip->ip_len <= ifp->if_mtu || ((ifp->if_hwassist & CSUM_FRAGMENT) && 4964 (ip->ip_off & IP_DF) == 0)) { 4965 ip->ip_len = htons(ip->ip_len); 4966 ip->ip_off = htons(ip->ip_off); 4967 ip->ip_sum = 0; 4968 if (sw_csum & CSUM_DELAY_IP) { 4969 /* From KAME */ 4970 if (ip->ip_v == IPVERSION && 4971 (ip->ip_hl << 2) == sizeof(*ip)) { 4972 ip->ip_sum = in_cksum_hdr(ip); 4973 } else { 4974 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); 4975 } 4976 } 4977 4978 lwkt_serialize_enter(ifp->if_serializer); 4979 error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro->ro_rt); 4980 lwkt_serialize_exit(ifp->if_serializer); 4981 goto done; 4982 } 4983 4984 /* 4985 * Too large for interface; fragment if possible. 4986 * Must be able to put at least 8 bytes per fragment. 4987 */ 4988 if (ip->ip_off & IP_DF) { 4989 ipstat.ips_cantfrag++; 4990 if (r->rt != PF_DUPTO) { 4991 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 4992 ifp->if_mtu); 4993 goto done; 4994 } else 4995 goto bad; 4996 } 4997 4998 m1 = m0; 4999 error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum); 5000 if (error) 5001 goto bad; 5002 5003 for (m0 = m1; m0; m0 = m1) { 5004 m1 = m0->m_nextpkt; 5005 m0->m_nextpkt = 0; 5006 if (error == 0) { 5007 lwkt_serialize_enter(ifp->if_serializer); 5008 error = (*ifp->if_output)(ifp, m0, sintosa(dst), 5009 NULL); 5010 lwkt_serialize_exit(ifp->if_serializer); 5011 } else { 5012 m_freem(m0); 5013 } 5014 } 5015 5016 if (error == 0) 5017 ipstat.ips_fragmented++; 5018 5019 done: 5020 if (r->rt != PF_DUPTO) 5021 *m = NULL; 5022 if (ro == &iproute && ro->ro_rt) 5023 RTFREE(ro->ro_rt); 5024 return; 5025 5026 bad: 5027 m_freem(m0); 5028 goto done; 5029 } 5030 #endif /* INET */ 5031 5032 #ifdef INET6 5033 void 5034 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 5035 struct pf_state *s) 5036 { 5037 struct mbuf *m0; 5038 struct route_in6 ip6route; 5039 struct route_in6 *ro; 5040 struct sockaddr_in6 *dst; 5041 struct ip6_hdr *ip6; 5042 struct ifnet *ifp = NULL; 5043 struct pf_addr naddr; 5044 struct pf_src_node *sn = NULL; 5045 int error = 0; 5046 5047 if (m == NULL || *m == NULL || r == NULL || 5048 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 5049 panic("pf_route6: invalid parameters"); 5050 5051 if (((*m)->m_pkthdr.fw_flags & PF_MBUF_ROUTED) == 0) { 5052 (*m)->m_pkthdr.fw_flags |= PF_MBUF_ROUTED; 5053 (*m)->m_pkthdr.pf_routed = 1; 5054 } else { 5055 if ((*m)->m_pkthdr.pf_routed > 3) { 5056 m0 = *m; 5057 *m = NULL; 5058 goto bad; 5059 } 5060 (*m)->m_pkthdr.pf_routed++; 5061 } 5062 5063 if (r->rt == PF_DUPTO) { 5064 if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL) 5065 return; 5066 } else { 5067 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 5068 return; 5069 m0 = *m; 5070 } 5071 5072 if (m0->m_len < sizeof(struct ip6_hdr)) 5073 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)"); 5074 ip6 = mtod(m0, struct ip6_hdr *); 5075 5076 ro = &ip6route; 5077 bzero((caddr_t)ro, sizeof(*ro)); 5078 dst = (struct sockaddr_in6 *)&ro->ro_dst; 5079 dst->sin6_family = AF_INET6; 5080 dst->sin6_len = sizeof(*dst); 5081 dst->sin6_addr = ip6->ip6_dst; 5082 5083 /* Cheat. */ 5084 if (r->rt == PF_FASTROUTE) { 5085 m0->m_pkthdr.fw_flags |= PF_MBUF_GENERATED; 5086 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); 5087 return; 5088 } 5089 5090 if (TAILQ_EMPTY(&r->rpool.list)) 5091 panic("pf_route6: TAILQ_EMPTY(&r->rpool.list)"); 5092 if (s == NULL) { 5093 pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src, 5094 &naddr, NULL, &sn); 5095 if (!PF_AZERO(&naddr, AF_INET6)) 5096 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 5097 &naddr, AF_INET6); 5098 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; 5099 } else { 5100 if (!PF_AZERO(&s->rt_addr, AF_INET6)) 5101 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 5102 &s->rt_addr, AF_INET6); 5103 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 5104 } 5105 if (ifp == NULL) 5106 goto bad; 5107 5108 if (oifp != ifp) { 5109 if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS) 5110 goto bad; 5111 else if (m0 == NULL) 5112 goto done; 5113 if (m0->m_len < sizeof(struct ip6_hdr)) 5114 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)"); 5115 ip6 = mtod(m0, struct ip6_hdr *); 5116 } 5117 5118 /* 5119 * If the packet is too large for the outgoing interface, 5120 * send back an icmp6 error. 5121 */ 5122 if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr)) 5123 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index); 5124 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { 5125 error = nd6_output(ifp, ifp, m0, dst, NULL); 5126 } else { 5127 in6_ifstat_inc(ifp, ifs6_in_toobig); 5128 if (r->rt != PF_DUPTO) 5129 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); 5130 else 5131 goto bad; 5132 } 5133 5134 done: 5135 if (r->rt != PF_DUPTO) 5136 *m = NULL; 5137 return; 5138 5139 bad: 5140 m_freem(m0); 5141 goto done; 5142 } 5143 #endif /* INET6 */ 5144 5145 5146 /* 5147 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag 5148 * off is the offset where the protocol header starts 5149 * len is the total length of protocol header plus payload 5150 * returns 0 when the checksum is valid, otherwise returns 1. 5151 */ 5152 /* 5153 * XXX 5154 * FreeBSD supports cksum offload for the following drivers. 5155 * em(4), gx(4), lge(4), nge(4), ti(4), xl(4) 5156 * If we can make full use of it we would outperform ipfw/ipfilter in 5157 * very heavy traffic. 5158 * I have not tested 'cause I don't have NICs that supports cksum offload. 5159 * (There might be problems. Typical phenomena would be 5160 * 1. No route message for UDP packet. 5161 * 2. No connection acceptance from external hosts regardless of rule set.) 5162 */ 5163 int 5164 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, 5165 sa_family_t af) 5166 { 5167 u_int16_t sum = 0; 5168 int hw_assist = 0; 5169 struct ip *ip; 5170 5171 if (off < sizeof(struct ip) || len < sizeof(struct udphdr)) 5172 return (1); 5173 if (m->m_pkthdr.len < off + len) 5174 return (1); 5175 5176 switch (p) { 5177 case IPPROTO_TCP: 5178 case IPPROTO_UDP: 5179 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) { 5180 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) { 5181 sum = m->m_pkthdr.csum_data; 5182 } else { 5183 ip = mtod(m, struct ip *); 5184 sum = in_pseudo(ip->ip_src.s_addr, 5185 ip->ip_dst.s_addr, htonl((u_short)len + 5186 m->m_pkthdr.csum_data + p)); 5187 } 5188 sum ^= 0xffff; 5189 ++hw_assist; 5190 } 5191 break; 5192 case IPPROTO_ICMP: 5193 #ifdef INET6 5194 case IPPROTO_ICMPV6: 5195 #endif /* INET6 */ 5196 break; 5197 default: 5198 return (1); 5199 } 5200 5201 if (!hw_assist) { 5202 switch (af) { 5203 case AF_INET: 5204 if (p == IPPROTO_ICMP) { 5205 if (m->m_len < off) 5206 return (1); 5207 m->m_data += off; 5208 m->m_len -= off; 5209 sum = in_cksum(m, len); 5210 m->m_data -= off; 5211 m->m_len += off; 5212 } else { 5213 if (m->m_len < sizeof(struct ip)) 5214 return (1); 5215 sum = in_cksum_range(m, p, off, len); 5216 if (sum == 0) { 5217 m->m_pkthdr.csum_flags |= 5218 (CSUM_DATA_VALID | 5219 CSUM_PSEUDO_HDR); 5220 m->m_pkthdr.csum_data = 0xffff; 5221 } 5222 } 5223 break; 5224 #ifdef INET6 5225 case AF_INET6: 5226 if (m->m_len < sizeof(struct ip6_hdr)) 5227 return (1); 5228 sum = in6_cksum(m, p, off, len); 5229 /* 5230 * XXX 5231 * IPv6 H/W cksum off-load not supported yet! 5232 * 5233 * if (sum == 0) { 5234 * m->m_pkthdr.csum_flags |= 5235 * (CSUM_DATA_VALID|CSUM_PSEUDO_HDR); 5236 * m->m_pkthdr.csum_data = 0xffff; 5237 *} 5238 */ 5239 break; 5240 #endif /* INET6 */ 5241 default: 5242 return (1); 5243 } 5244 } 5245 if (sum) { 5246 switch (p) { 5247 case IPPROTO_TCP: 5248 tcpstat.tcps_rcvbadsum++; 5249 break; 5250 case IPPROTO_UDP: 5251 udpstat.udps_badsum++; 5252 break; 5253 case IPPROTO_ICMP: 5254 icmpstat.icps_checksum++; 5255 break; 5256 #ifdef INET6 5257 case IPPROTO_ICMPV6: 5258 icmp6stat.icp6s_checksum++; 5259 break; 5260 #endif /* INET6 */ 5261 } 5262 return (1); 5263 } 5264 return (0); 5265 } 5266 5267 #ifdef INET 5268 int 5269 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0) 5270 { 5271 struct pfi_kif *kif; 5272 u_short action, reason = 0, log = 0; 5273 struct mbuf *m = *m0; 5274 struct ip *h = NULL; 5275 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; 5276 struct pf_state *s = NULL; 5277 struct pf_ruleset *ruleset = NULL; 5278 struct pf_pdesc pd; 5279 int off, dirndx, pqid = 0; 5280 5281 if (!pf_status.running || (m->m_pkthdr.fw_flags & PF_MBUF_GENERATED)) 5282 return (PF_PASS); 5283 5284 kif = pfi_index2kif[ifp->if_index]; 5285 if (kif == NULL) 5286 return (PF_DROP); 5287 5288 #ifdef DIAGNOSTIC 5289 if ((m->m_flags & M_PKTHDR) == 0) 5290 panic("non-M_PKTHDR is passed to pf_test"); 5291 #endif 5292 5293 memset(&pd, 0, sizeof(pd)); 5294 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5295 action = PF_DROP; 5296 REASON_SET(&reason, PFRES_SHORT); 5297 log = 1; 5298 goto done; 5299 } 5300 5301 /* We do IP header normalization and packet reassembly here */ 5302 if (pf_normalize_ip(m0, dir, kif, &reason) != PF_PASS) { 5303 action = PF_DROP; 5304 goto done; 5305 } 5306 m = *m0; 5307 h = mtod(m, struct ip *); 5308 5309 off = h->ip_hl << 2; 5310 if (off < (int)sizeof(*h)) { 5311 action = PF_DROP; 5312 REASON_SET(&reason, PFRES_SHORT); 5313 log = 1; 5314 goto done; 5315 } 5316 5317 pd.src = (struct pf_addr *)&h->ip_src; 5318 pd.dst = (struct pf_addr *)&h->ip_dst; 5319 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET); 5320 pd.ip_sum = &h->ip_sum; 5321 pd.proto = h->ip_p; 5322 pd.af = AF_INET; 5323 pd.tos = h->ip_tos; 5324 pd.tot_len = h->ip_len; 5325 5326 /* handle fragments that didn't get reassembled by normalization */ 5327 if (h->ip_off & (IP_MF | IP_OFFMASK)) { 5328 action = pf_test_fragment(&r, dir, kif, m, h, 5329 &pd, &a, &ruleset); 5330 goto done; 5331 } 5332 5333 switch (h->ip_p) { 5334 5335 case IPPROTO_TCP: { 5336 struct tcphdr th; 5337 5338 pd.hdr.tcp = &th; 5339 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5340 &action, &reason, AF_INET)) { 5341 log = action != PF_PASS; 5342 goto done; 5343 } 5344 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5345 h->ip_len - off, IPPROTO_TCP, AF_INET)) { 5346 action = PF_DROP; 5347 goto done; 5348 } 5349 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5350 if ((th.th_flags & TH_ACK) && pd.p_len == 0) 5351 pqid = 1; 5352 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 5353 if (action == PF_DROP) 5354 goto done; 5355 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 5356 &reason); 5357 if (action == PF_PASS) { 5358 #if NPFSYNC 5359 pfsync_update_state(s); 5360 #endif 5361 r = s->rule.ptr; 5362 a = s->anchor.ptr; 5363 log = s->log; 5364 } else if (s == NULL) 5365 action = pf_test_tcp(&r, &s, dir, kif, 5366 m, off, h, &pd, &a, &ruleset); 5367 break; 5368 } 5369 5370 case IPPROTO_UDP: { 5371 struct udphdr uh; 5372 5373 pd.hdr.udp = &uh; 5374 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5375 &action, &reason, AF_INET)) { 5376 log = action != PF_PASS; 5377 goto done; 5378 } 5379 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 5380 off, h->ip_len - off, IPPROTO_UDP, AF_INET)) { 5381 action = PF_DROP; 5382 goto done; 5383 } 5384 if (uh.uh_dport == 0 || 5385 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || 5386 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 5387 action = PF_DROP; 5388 goto done; 5389 } 5390 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 5391 if (action == PF_PASS) { 5392 #if NPFSYNC 5393 pfsync_update_state(s); 5394 #endif 5395 r = s->rule.ptr; 5396 a = s->anchor.ptr; 5397 log = s->log; 5398 } else if (s == NULL) 5399 action = pf_test_udp(&r, &s, dir, kif, 5400 m, off, h, &pd, &a, &ruleset); 5401 break; 5402 } 5403 5404 case IPPROTO_ICMP: { 5405 struct icmp ih; 5406 5407 pd.hdr.icmp = &ih; 5408 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN, 5409 &action, &reason, AF_INET)) { 5410 log = action != PF_PASS; 5411 goto done; 5412 } 5413 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5414 h->ip_len - off, IPPROTO_ICMP, AF_INET)) { 5415 action = PF_DROP; 5416 goto done; 5417 } 5418 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd); 5419 if (action == PF_PASS) { 5420 #if NPFSYNC 5421 pfsync_update_state(s); 5422 #endif 5423 r = s->rule.ptr; 5424 a = s->anchor.ptr; 5425 log = s->log; 5426 } else if (s == NULL) 5427 action = pf_test_icmp(&r, &s, dir, kif, 5428 m, off, h, &pd, &a, &ruleset); 5429 break; 5430 } 5431 5432 default: 5433 action = pf_test_state_other(&s, dir, kif, &pd); 5434 if (action == PF_PASS) { 5435 #if NPFSYNC 5436 pfsync_update_state(s); 5437 #endif 5438 r = s->rule.ptr; 5439 a = s->anchor.ptr; 5440 log = s->log; 5441 } else if (s == NULL) 5442 action = pf_test_other(&r, &s, dir, kif, m, off, h, 5443 &pd, &a, &ruleset); 5444 break; 5445 } 5446 5447 done: 5448 if (action == PF_PASS && h->ip_hl > 5 && 5449 !((s && s->allow_opts) || r->allow_opts)) { 5450 action = PF_DROP; 5451 REASON_SET(&reason, PFRES_SHORT); 5452 log = 1; 5453 DPFPRINTF(PF_DEBUG_MISC, 5454 ("pf: dropping packet with ip options\n")); 5455 } 5456 5457 #ifdef ALTQ 5458 if (action == PF_PASS && r->qid) { 5459 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED; 5460 if (pd.tos == IPTOS_LOWDELAY) 5461 m->m_pkthdr.altq_qid = r->pqid; 5462 else 5463 m->m_pkthdr.altq_qid = r->qid; 5464 m->m_pkthdr.ecn_af = AF_INET; 5465 m->m_pkthdr.header = h; 5466 } 5467 #endif 5468 5469 /* 5470 * connections redirected to loopback should not match sockets 5471 * bound specifically to loopback due to security implications, 5472 * see tcp_input() and in_pcblookup_listen(). 5473 */ 5474 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || 5475 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 5476 (s->nat_rule.ptr->action == PF_RDR || 5477 s->nat_rule.ptr->action == PF_BINAT) && 5478 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { 5479 action = PF_DROP; 5480 REASON_SET(&reason, PFRES_MEMORY); 5481 } 5482 5483 m->m_pkthdr.fw_flags |= PF_MBUF_TRANSLATE_LOCALHOST; 5484 5485 if (log) 5486 PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a, ruleset); 5487 5488 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len; 5489 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++; 5490 5491 if (action == PF_PASS || r->action == PF_DROP) { 5492 r->packets++; 5493 r->bytes += pd.tot_len; 5494 if (a != NULL) { 5495 a->packets++; 5496 a->bytes += pd.tot_len; 5497 } 5498 if (s != NULL) { 5499 dirndx = (dir == s->direction) ? 0 : 1; 5500 s->packets[dirndx]++; 5501 s->bytes[dirndx] += pd.tot_len; 5502 if (s->nat_rule.ptr != NULL) { 5503 s->nat_rule.ptr->packets++; 5504 s->nat_rule.ptr->bytes += pd.tot_len; 5505 } 5506 if (s->src_node != NULL) { 5507 s->src_node->packets++; 5508 s->src_node->bytes += pd.tot_len; 5509 } 5510 if (s->nat_src_node != NULL) { 5511 s->nat_src_node->packets++; 5512 s->nat_src_node->bytes += pd.tot_len; 5513 } 5514 } 5515 tr = r; 5516 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; 5517 if (nr != NULL) { 5518 struct pf_addr *x; 5519 /* 5520 * XXX: we need to make sure that the addresses 5521 * passed to pfr_update_stats() are the same than 5522 * the addresses used during matching (pfr_match) 5523 */ 5524 if (r == &pf_default_rule) { 5525 tr = nr; 5526 x = (s == NULL || s->direction == dir) ? 5527 &pd.baddr : &pd.naddr; 5528 } else 5529 x = (s == NULL || s->direction == dir) ? 5530 &pd.naddr : &pd.baddr; 5531 if (x == &pd.baddr || s == NULL) { 5532 /* we need to change the address */ 5533 if (dir == PF_OUT) 5534 pd.src = x; 5535 else 5536 pd.dst = x; 5537 } 5538 } 5539 if (tr->src.addr.type == PF_ADDR_TABLE) 5540 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL || 5541 s->direction == dir) ? pd.src : pd.dst, pd.af, 5542 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5543 tr->src.not); 5544 if (tr->dst.addr.type == PF_ADDR_TABLE) 5545 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL || 5546 s->direction == dir) ? pd.dst : pd.src, pd.af, 5547 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5548 tr->dst.not); 5549 } 5550 5551 5552 if (action == PF_SYNPROXY_DROP) { 5553 m_freem(*m0); 5554 *m0 = NULL; 5555 action = PF_PASS; 5556 } else if (r->rt) 5557 /* pf_route can free the mbuf causing *m0 to become NULL */ 5558 pf_route(m0, r, dir, ifp, s); 5559 5560 return (action); 5561 } 5562 #endif /* INET */ 5563 5564 #ifdef INET6 5565 int 5566 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) 5567 { 5568 struct pfi_kif *kif; 5569 u_short action, reason = 0, log = 0; 5570 struct mbuf *m = *m0; 5571 struct ip6_hdr *h = NULL; 5572 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; 5573 struct pf_state *s = NULL; 5574 struct pf_ruleset *ruleset = NULL; 5575 struct pf_pdesc pd; 5576 int off, terminal = 0, dirndx; 5577 5578 if (!pf_status.running || (m->m_pkthdr.fw_flags & PF_MBUF_GENERATED)) 5579 return (PF_PASS); 5580 5581 kif = pfi_index2kif[ifp->if_index]; 5582 if (kif == NULL) 5583 return (PF_DROP); 5584 5585 #ifdef DIAGNOSTIC 5586 if ((m->m_flags & M_PKTHDR) == 0) 5587 panic("non-M_PKTHDR is passed to pf_test"); 5588 #endif 5589 5590 memset(&pd, 0, sizeof(pd)); 5591 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5592 action = PF_DROP; 5593 REASON_SET(&reason, PFRES_SHORT); 5594 log = 1; 5595 goto done; 5596 } 5597 5598 /* We do IP header normalization and packet reassembly here */ 5599 if (pf_normalize_ip6(m0, dir, kif, &reason) != PF_PASS) { 5600 action = PF_DROP; 5601 goto done; 5602 } 5603 m = *m0; 5604 h = mtod(m, struct ip6_hdr *); 5605 5606 pd.src = (struct pf_addr *)&h->ip6_src; 5607 pd.dst = (struct pf_addr *)&h->ip6_dst; 5608 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6); 5609 pd.ip_sum = NULL; 5610 pd.af = AF_INET6; 5611 pd.tos = 0; 5612 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); 5613 5614 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); 5615 pd.proto = h->ip6_nxt; 5616 do { 5617 switch (pd.proto) { 5618 case IPPROTO_FRAGMENT: 5619 action = pf_test_fragment(&r, dir, kif, m, h, 5620 &pd, &a, &ruleset); 5621 if (action == PF_DROP) 5622 REASON_SET(&reason, PFRES_FRAG); 5623 goto done; 5624 case IPPROTO_AH: 5625 case IPPROTO_HOPOPTS: 5626 case IPPROTO_ROUTING: 5627 case IPPROTO_DSTOPTS: { 5628 /* get next header and header length */ 5629 struct ip6_ext opt6; 5630 5631 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6), 5632 NULL, NULL, pd.af)) { 5633 DPFPRINTF(PF_DEBUG_MISC, 5634 ("pf: IPv6 short opt\n")); 5635 action = PF_DROP; 5636 REASON_SET(&reason, PFRES_SHORT); 5637 log = 1; 5638 goto done; 5639 } 5640 if (pd.proto == IPPROTO_AH) 5641 off += (opt6.ip6e_len + 2) * 4; 5642 else 5643 off += (opt6.ip6e_len + 1) * 8; 5644 pd.proto = opt6.ip6e_nxt; 5645 /* goto the next header */ 5646 break; 5647 } 5648 default: 5649 terminal++; 5650 break; 5651 } 5652 } while (!terminal); 5653 5654 switch (pd.proto) { 5655 5656 case IPPROTO_TCP: { 5657 struct tcphdr th; 5658 5659 pd.hdr.tcp = &th; 5660 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5661 &action, &reason, AF_INET6)) { 5662 log = action != PF_PASS; 5663 goto done; 5664 } 5665 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5666 ntohs(h->ip6_plen), IPPROTO_TCP, AF_INET6)) { 5667 action = PF_DROP; 5668 goto done; 5669 } 5670 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5671 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 5672 if (action == PF_DROP) 5673 goto done; 5674 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 5675 &reason); 5676 if (action == PF_PASS) { 5677 #if NPFSYNC 5678 pfsync_update_state(s); 5679 #endif 5680 r = s->rule.ptr; 5681 a = s->anchor.ptr; 5682 log = s->log; 5683 } else if (s == NULL) 5684 action = pf_test_tcp(&r, &s, dir, kif, 5685 m, off, h, &pd, &a, &ruleset); 5686 break; 5687 } 5688 5689 case IPPROTO_UDP: { 5690 struct udphdr uh; 5691 5692 pd.hdr.udp = &uh; 5693 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5694 &action, &reason, AF_INET6)) { 5695 log = action != PF_PASS; 5696 goto done; 5697 } 5698 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 5699 off, ntohs(h->ip6_plen), IPPROTO_UDP, AF_INET6)) { 5700 action = PF_DROP; 5701 goto done; 5702 } 5703 if (uh.uh_dport == 0 || 5704 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || 5705 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 5706 action = PF_DROP; 5707 goto done; 5708 } 5709 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 5710 if (action == PF_PASS) { 5711 #if NPFSYNC 5712 pfsync_update_state(s); 5713 #endif 5714 r = s->rule.ptr; 5715 a = s->anchor.ptr; 5716 log = s->log; 5717 } else if (s == NULL) 5718 action = pf_test_udp(&r, &s, dir, kif, 5719 m, off, h, &pd, &a, &ruleset); 5720 break; 5721 } 5722 5723 case IPPROTO_ICMPV6: { 5724 struct icmp6_hdr ih; 5725 5726 pd.hdr.icmp6 = &ih; 5727 if (!pf_pull_hdr(m, off, &ih, sizeof(ih), 5728 &action, &reason, AF_INET6)) { 5729 log = action != PF_PASS; 5730 goto done; 5731 } 5732 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5733 ntohs(h->ip6_plen), IPPROTO_ICMPV6, AF_INET6)) { 5734 action = PF_DROP; 5735 goto done; 5736 } 5737 action = pf_test_state_icmp(&s, dir, kif, 5738 m, off, h, &pd); 5739 if (action == PF_PASS) { 5740 #if NPFSYNC 5741 pfsync_update_state(s); 5742 #endif 5743 r = s->rule.ptr; 5744 a = s->anchor.ptr; 5745 log = s->log; 5746 } else if (s == NULL) 5747 action = pf_test_icmp(&r, &s, dir, kif, 5748 m, off, h, &pd, &a, &ruleset); 5749 break; 5750 } 5751 5752 default: 5753 action = pf_test_state_other(&s, dir, kif, &pd); 5754 if (action == PF_PASS) { 5755 r = s->rule.ptr; 5756 a = s->anchor.ptr; 5757 log = s->log; 5758 } else if (s == NULL) 5759 action = pf_test_other(&r, &s, dir, kif, m, off, h, 5760 &pd, &a, &ruleset); 5761 break; 5762 } 5763 5764 done: 5765 /* XXX handle IPv6 options, if not allowed. not implemented. */ 5766 5767 #ifdef ALTQ 5768 if (action == PF_PASS && r->qid) { 5769 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED; 5770 if (pd.tos == IPTOS_LOWDELAY) 5771 m->m_pkthdr.altq_qid = r->pqid; 5772 else 5773 m->m_pkthdr.altq_qid = r->qid; 5774 m->m_pkthdr.ecn_af = AF_INET6; 5775 m->m_pkthdr.header = h; 5776 } 5777 #endif 5778 5779 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || 5780 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 5781 (s->nat_rule.ptr->action == PF_RDR || 5782 s->nat_rule.ptr->action == PF_BINAT) && 5783 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) { 5784 action = PF_DROP; 5785 REASON_SET(&reason, PFRES_MEMORY); 5786 } 5787 5788 m->m_pkthdr.fw_flags |= PF_MBUF_TRANSLATE_LOCALHOST; 5789 5790 if (log) 5791 PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset); 5792 5793 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len; 5794 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++; 5795 5796 if (action == PF_PASS || r->action == PF_DROP) { 5797 r->packets++; 5798 r->bytes += pd.tot_len; 5799 if (a != NULL) { 5800 a->packets++; 5801 a->bytes += pd.tot_len; 5802 } 5803 if (s != NULL) { 5804 dirndx = (dir == s->direction) ? 0 : 1; 5805 s->packets[dirndx]++; 5806 s->bytes[dirndx] += pd.tot_len; 5807 if (s->nat_rule.ptr != NULL) { 5808 s->nat_rule.ptr->packets++; 5809 s->nat_rule.ptr->bytes += pd.tot_len; 5810 } 5811 if (s->src_node != NULL) { 5812 s->src_node->packets++; 5813 s->src_node->bytes += pd.tot_len; 5814 } 5815 if (s->nat_src_node != NULL) { 5816 s->nat_src_node->packets++; 5817 s->nat_src_node->bytes += pd.tot_len; 5818 } 5819 } 5820 tr = r; 5821 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; 5822 if (nr != NULL) { 5823 struct pf_addr *x; 5824 /* 5825 * XXX: we need to make sure that the addresses 5826 * passed to pfr_update_stats() are the same than 5827 * the addresses used during matching (pfr_match) 5828 */ 5829 if (r == &pf_default_rule) { 5830 tr = nr; 5831 x = (s == NULL || s->direction == dir) ? 5832 &pd.baddr : &pd.naddr; 5833 } else { 5834 x = (s == NULL || s->direction == dir) ? 5835 &pd.naddr : &pd.baddr; 5836 } 5837 if (x == &pd.baddr || s == NULL) { 5838 if (dir == PF_OUT) 5839 pd.src = x; 5840 else 5841 pd.dst = x; 5842 } 5843 } 5844 if (tr->src.addr.type == PF_ADDR_TABLE) 5845 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL || 5846 s->direction == dir) ? pd.src : pd.dst, pd.af, 5847 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5848 tr->src.not); 5849 if (tr->dst.addr.type == PF_ADDR_TABLE) 5850 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL || 5851 s->direction == dir) ? pd.dst : pd.src, pd.af, 5852 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5853 tr->dst.not); 5854 } 5855 5856 5857 if (action == PF_SYNPROXY_DROP) { 5858 m_freem(*m0); 5859 *m0 = NULL; 5860 action = PF_PASS; 5861 } else if (r->rt) 5862 /* pf_route6 can free the mbuf causing *m0 to become NULL */ 5863 pf_route6(m0, r, dir, ifp, s); 5864 5865 return (action); 5866 } 5867 #endif /* INET6 */ 5868