1 /* $FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.19 2004/09/11 11:18:25 mlaier Exp $ */ 2 /* $OpenBSD: pf.c,v 1.433.2.2 2004/07/17 03:22:34 brad Exp $ */ 3 /* add $OpenBSD: pf.c,v 1.448 2004/05/11 07:34:11 dhartmei Exp $ */ 4 /* $DragonFly: src/sys/net/pf/pf.c,v 1.1 2004/09/19 22:32:47 joerg Exp $ */ 5 6 /* 7 * Copyright (c) 2004 The DragonFly Project. All rights reserved. 8 * 9 * Copyright (c) 2001 Daniel Hartmeier 10 * Copyright (c) 2002,2003 Henning Brauer 11 * All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 17 * - Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * - Redistributions in binary form must reproduce the above 20 * copyright notice, this list of conditions and the following 21 * disclaimer in the documentation and/or other materials provided 22 * with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 27 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 28 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 30 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 31 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 32 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 34 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35 * POSSIBILITY OF SUCH DAMAGE. 36 * 37 * Effort sponsored in part by the Defense Advanced Research Projects 38 * Agency (DARPA) and Air Force Research Laboratory, Air Force 39 * Materiel Command, USAF, under agreement number F30602-01-2-0537. 40 * 41 */ 42 43 #include "opt_inet.h" 44 #include "opt_inet6.h" 45 #include "use_pfsync.h" 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/malloc.h> 50 #include <sys/mbuf.h> 51 #include <sys/filio.h> 52 #include <sys/socket.h> 53 #include <sys/socketvar.h> 54 #include <sys/kernel.h> 55 #include <sys/time.h> 56 #include <sys/sysctl.h> 57 #include <sys/endian.h> 58 #include <vm/vm_zone.h> 59 60 #include <machine/inttypes.h> 61 62 #include <net/if.h> 63 #include <net/if_types.h> 64 #include <net/bpf.h> 65 #include <net/route.h> 66 67 #include <netinet/in.h> 68 #include <netinet/in_var.h> 69 #include <netinet/in_systm.h> 70 #include <netinet/ip.h> 71 #include <netinet/ip_var.h> 72 #include <netinet/tcp.h> 73 #include <netinet/tcp_seq.h> 74 #include <netinet/udp.h> 75 #include <netinet/ip_icmp.h> 76 #include <netinet/in_pcb.h> 77 #include <netinet/tcp_timer.h> 78 #include <netinet/tcp_var.h> 79 #include <netinet/udp_var.h> 80 #include <netinet/icmp_var.h> 81 82 #include <net/pf/pfvar.h> 83 #include <net/pf/if_pflog.h> 84 85 #if NPFSYNC > 0 86 #include <net/pf/if_pfsync.h> 87 #endif /* NPFSYNC > 0 */ 88 89 #ifdef INET6 90 #include <netinet/ip6.h> 91 #include <netinet/in_pcb.h> 92 #include <netinet/icmp6.h> 93 #include <netinet6/nd6.h> 94 #include <netinet6/ip6_var.h> 95 #include <netinet6/in6_pcb.h> 96 #endif /* INET6 */ 97 98 #include <sys/in_cksum.h> 99 #include <machine/limits.h> 100 #include <sys/msgport2.h> 101 #include <sys/ucred.h> 102 103 extern int ip_optcopy(struct ip *, struct ip *); 104 105 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x 106 107 /* 108 * Global variables 109 */ 110 111 struct pf_anchorqueue pf_anchors; 112 struct pf_ruleset pf_main_ruleset; 113 struct pf_altqqueue pf_altqs[2]; 114 struct pf_palist pf_pabuf; 115 struct pf_altqqueue *pf_altqs_active; 116 struct pf_altqqueue *pf_altqs_inactive; 117 struct pf_status pf_status; 118 119 u_int32_t ticket_altqs_active; 120 u_int32_t ticket_altqs_inactive; 121 int altqs_inactive_open; 122 u_int32_t ticket_pabuf; 123 124 struct callout pf_expire_to; /* expire timeout */ 125 126 vm_zone_t pf_src_tree_pl, pf_rule_pl; 127 vm_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 128 129 void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t); 130 void pf_print_state(struct pf_state *); 131 void pf_print_flags(u_int8_t); 132 133 u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t, 134 u_int8_t); 135 void pf_change_ap(struct pf_addr *, u_int16_t *, 136 u_int16_t *, u_int16_t *, struct pf_addr *, 137 u_int16_t, u_int8_t, sa_family_t); 138 #ifdef INET6 139 void pf_change_a6(struct pf_addr *, u_int16_t *, 140 struct pf_addr *, u_int8_t); 141 #endif /* INET6 */ 142 void pf_change_icmp(struct pf_addr *, u_int16_t *, 143 struct pf_addr *, struct pf_addr *, u_int16_t, 144 u_int16_t *, u_int16_t *, u_int16_t *, 145 u_int16_t *, u_int8_t, sa_family_t); 146 void pf_send_tcp(const struct pf_rule *, sa_family_t, 147 const struct pf_addr *, const struct pf_addr *, 148 u_int16_t, u_int16_t, u_int32_t, u_int32_t, 149 u_int8_t, u_int16_t, u_int16_t, u_int8_t); 150 void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, 151 sa_family_t, struct pf_rule *); 152 struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *, 153 int, int, struct pfi_kif *, 154 struct pf_addr *, u_int16_t, struct pf_addr *, 155 u_int16_t, int); 156 struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *, 157 int, int, struct pfi_kif *, struct pf_src_node **, 158 struct pf_addr *, u_int16_t, 159 struct pf_addr *, u_int16_t, 160 struct pf_addr *, u_int16_t *); 161 int pf_test_tcp(struct pf_rule **, struct pf_state **, 162 int, struct pfi_kif *, struct mbuf *, int, 163 void *, struct pf_pdesc *, struct pf_rule **, 164 struct pf_ruleset **); 165 int pf_test_udp(struct pf_rule **, struct pf_state **, 166 int, struct pfi_kif *, struct mbuf *, int, 167 void *, struct pf_pdesc *, struct pf_rule **, 168 struct pf_ruleset **); 169 int pf_test_icmp(struct pf_rule **, struct pf_state **, 170 int, struct pfi_kif *, struct mbuf *, int, 171 void *, struct pf_pdesc *, struct pf_rule **, 172 struct pf_ruleset **); 173 int pf_test_other(struct pf_rule **, struct pf_state **, 174 int, struct pfi_kif *, struct mbuf *, int, void *, 175 struct pf_pdesc *, struct pf_rule **, 176 struct pf_ruleset **); 177 int pf_test_fragment(struct pf_rule **, int, 178 struct pfi_kif *, struct mbuf *, void *, 179 struct pf_pdesc *, struct pf_rule **, 180 struct pf_ruleset **); 181 int pf_test_state_tcp(struct pf_state **, int, 182 struct pfi_kif *, struct mbuf *, int, 183 void *, struct pf_pdesc *, u_short *); 184 int pf_test_state_udp(struct pf_state **, int, 185 struct pfi_kif *, struct mbuf *, int, 186 void *, struct pf_pdesc *); 187 int pf_test_state_icmp(struct pf_state **, int, 188 struct pfi_kif *, struct mbuf *, int, 189 void *, struct pf_pdesc *); 190 int pf_test_state_other(struct pf_state **, int, 191 struct pfi_kif *, struct pf_pdesc *); 192 static int pf_match_tag(struct mbuf *, struct pf_rule *, 193 struct pf_rule *, int *); 194 void pf_hash(struct pf_addr *, struct pf_addr *, 195 struct pf_poolhashkey *, sa_family_t); 196 int pf_map_addr(u_int8_t, struct pf_rule *, 197 struct pf_addr *, struct pf_addr *, 198 struct pf_addr *, struct pf_src_node **); 199 int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *, 200 struct pf_addr *, struct pf_addr *, u_int16_t, 201 struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t, 202 struct pf_src_node **); 203 void pf_route(struct mbuf **, struct pf_rule *, int, 204 struct ifnet *, struct pf_state *); 205 void pf_route6(struct mbuf **, struct pf_rule *, int, 206 struct ifnet *, struct pf_state *); 207 int pf_socket_lookup(uid_t *, gid_t *, 208 int, struct pf_pdesc *); 209 u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, 210 sa_family_t); 211 u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, 212 sa_family_t); 213 u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t, 214 u_int16_t); 215 void pf_set_rt_ifp(struct pf_state *, 216 struct pf_addr *); 217 int pf_check_proto_cksum(struct mbuf *, int, int, 218 u_int8_t, sa_family_t); 219 int pf_addr_wrap_neq(struct pf_addr_wrap *, 220 struct pf_addr_wrap *); 221 struct pf_state *pf_find_state_recurse(struct pfi_kif *, 222 struct pf_state *, u_int8_t); 223 224 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX]; 225 226 #define STATE_LOOKUP() \ 227 do { \ 228 if (direction == PF_IN) \ 229 *state = pf_find_state_recurse( \ 230 kif, &key, PF_EXT_GWY); \ 231 else \ 232 *state = pf_find_state_recurse( \ 233 kif, &key, PF_LAN_EXT); \ 234 if (*state == NULL) \ 235 return (PF_DROP); \ 236 if (direction == PF_OUT && \ 237 (((*state)->rule.ptr->rt == PF_ROUTETO && \ 238 (*state)->rule.ptr->direction == PF_OUT) || \ 239 ((*state)->rule.ptr->rt == PF_REPLYTO && \ 240 (*state)->rule.ptr->direction == PF_IN)) && \ 241 (*state)->rt_kif != NULL && \ 242 (*state)->rt_kif != kif) \ 243 return (PF_PASS); \ 244 } while (0) 245 246 #define STATE_TRANSLATE(s) \ 247 (s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \ 248 ((s)->af == AF_INET6 && \ 249 ((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \ 250 (s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \ 251 (s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \ 252 (s)->lan.port != (s)->gwy.port 253 254 #define BOUND_IFACE(r, k) (((r)->rule_flag & PFRULE_IFBOUND) ? (k) : \ 255 ((r)->rule_flag & PFRULE_GRBOUND) ? (k)->pfik_parent : \ 256 (k)->pfik_parent->pfik_parent) 257 258 static int pf_src_compare(struct pf_src_node *, struct pf_src_node *); 259 static int pf_state_compare_lan_ext(struct pf_state *, 260 struct pf_state *); 261 static int pf_state_compare_ext_gwy(struct pf_state *, 262 struct pf_state *); 263 static int pf_state_compare_id(struct pf_state *, 264 struct pf_state *); 265 266 struct pf_src_tree tree_src_tracking; 267 268 struct pf_state_tree_id tree_id; 269 struct pf_state_queue state_updates; 270 271 RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare); 272 RB_GENERATE(pf_state_tree_lan_ext, pf_state, 273 u.s.entry_lan_ext, pf_state_compare_lan_ext); 274 RB_GENERATE(pf_state_tree_ext_gwy, pf_state, 275 u.s.entry_ext_gwy, pf_state_compare_ext_gwy); 276 RB_GENERATE(pf_state_tree_id, pf_state, 277 u.s.entry_id, pf_state_compare_id); 278 279 static int 280 pf_src_compare(struct pf_src_node *a, struct pf_src_node *b) 281 { 282 int diff; 283 284 if (a->rule.ptr > b->rule.ptr) 285 return (1); 286 if (a->rule.ptr < b->rule.ptr) 287 return (-1); 288 if ((diff = a->af - b->af) != 0) 289 return (diff); 290 switch (a->af) { 291 #ifdef INET 292 case AF_INET: 293 if (a->addr.addr32[0] > b->addr.addr32[0]) 294 return (1); 295 if (a->addr.addr32[0] < b->addr.addr32[0]) 296 return (-1); 297 break; 298 #endif /* INET */ 299 #ifdef INET6 300 case AF_INET6: 301 if (a->addr.addr32[3] > b->addr.addr32[3]) 302 return (1); 303 if (a->addr.addr32[3] < b->addr.addr32[3]) 304 return (-1); 305 if (a->addr.addr32[2] > b->addr.addr32[2]) 306 return (1); 307 if (a->addr.addr32[2] < b->addr.addr32[2]) 308 return (-1); 309 if (a->addr.addr32[1] > b->addr.addr32[1]) 310 return (1); 311 if (a->addr.addr32[1] < b->addr.addr32[1]) 312 return (-1); 313 if (a->addr.addr32[0] > b->addr.addr32[0]) 314 return (1); 315 if (a->addr.addr32[0] < b->addr.addr32[0]) 316 return (-1); 317 break; 318 #endif /* INET6 */ 319 } 320 return (0); 321 } 322 323 static int 324 pf_state_compare_lan_ext(struct pf_state *a, struct pf_state *b) 325 { 326 int diff; 327 328 if ((diff = a->proto - b->proto) != 0) 329 return (diff); 330 if ((diff = a->af - b->af) != 0) 331 return (diff); 332 switch (a->af) { 333 #ifdef INET 334 case AF_INET: 335 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0]) 336 return (1); 337 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0]) 338 return (-1); 339 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 340 return (1); 341 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 342 return (-1); 343 break; 344 #endif /* INET */ 345 #ifdef INET6 346 case AF_INET6: 347 if (a->lan.addr.addr32[3] > b->lan.addr.addr32[3]) 348 return (1); 349 if (a->lan.addr.addr32[3] < b->lan.addr.addr32[3]) 350 return (-1); 351 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3]) 352 return (1); 353 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3]) 354 return (-1); 355 if (a->lan.addr.addr32[2] > b->lan.addr.addr32[2]) 356 return (1); 357 if (a->lan.addr.addr32[2] < b->lan.addr.addr32[2]) 358 return (-1); 359 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2]) 360 return (1); 361 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2]) 362 return (-1); 363 if (a->lan.addr.addr32[1] > b->lan.addr.addr32[1]) 364 return (1); 365 if (a->lan.addr.addr32[1] < b->lan.addr.addr32[1]) 366 return (-1); 367 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1]) 368 return (1); 369 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1]) 370 return (-1); 371 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0]) 372 return (1); 373 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0]) 374 return (-1); 375 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 376 return (1); 377 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 378 return (-1); 379 break; 380 #endif /* INET6 */ 381 } 382 383 if ((diff = a->lan.port - b->lan.port) != 0) 384 return (diff); 385 if ((diff = a->ext.port - b->ext.port) != 0) 386 return (diff); 387 388 return (0); 389 } 390 391 static int 392 pf_state_compare_ext_gwy(struct pf_state *a, struct pf_state *b) 393 { 394 int diff; 395 396 if ((diff = a->proto - b->proto) != 0) 397 return (diff); 398 if ((diff = a->af - b->af) != 0) 399 return (diff); 400 switch (a->af) { 401 #ifdef INET 402 case AF_INET: 403 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 404 return (1); 405 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 406 return (-1); 407 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0]) 408 return (1); 409 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0]) 410 return (-1); 411 break; 412 #endif /* INET */ 413 #ifdef INET6 414 case AF_INET6: 415 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3]) 416 return (1); 417 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3]) 418 return (-1); 419 if (a->gwy.addr.addr32[3] > b->gwy.addr.addr32[3]) 420 return (1); 421 if (a->gwy.addr.addr32[3] < b->gwy.addr.addr32[3]) 422 return (-1); 423 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2]) 424 return (1); 425 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2]) 426 return (-1); 427 if (a->gwy.addr.addr32[2] > b->gwy.addr.addr32[2]) 428 return (1); 429 if (a->gwy.addr.addr32[2] < b->gwy.addr.addr32[2]) 430 return (-1); 431 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1]) 432 return (1); 433 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1]) 434 return (-1); 435 if (a->gwy.addr.addr32[1] > b->gwy.addr.addr32[1]) 436 return (1); 437 if (a->gwy.addr.addr32[1] < b->gwy.addr.addr32[1]) 438 return (-1); 439 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0]) 440 return (1); 441 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0]) 442 return (-1); 443 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0]) 444 return (1); 445 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0]) 446 return (-1); 447 break; 448 #endif /* INET6 */ 449 } 450 451 if ((diff = a->ext.port - b->ext.port) != 0) 452 return (diff); 453 if ((diff = a->gwy.port - b->gwy.port) != 0) 454 return (diff); 455 456 return (0); 457 } 458 459 static int 460 pf_state_compare_id(struct pf_state *a, struct pf_state *b) 461 { 462 if (a->id > b->id) 463 return (1); 464 if (a->id < b->id) 465 return (-1); 466 if (a->creatorid > b->creatorid) 467 return (1); 468 if (a->creatorid < b->creatorid) 469 return (-1); 470 471 return (0); 472 } 473 474 #ifdef INET6 475 void 476 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af) 477 { 478 switch (af) { 479 #ifdef INET 480 case AF_INET: 481 dst->addr32[0] = src->addr32[0]; 482 break; 483 #endif /* INET */ 484 case AF_INET6: 485 dst->addr32[0] = src->addr32[0]; 486 dst->addr32[1] = src->addr32[1]; 487 dst->addr32[2] = src->addr32[2]; 488 dst->addr32[3] = src->addr32[3]; 489 break; 490 } 491 } 492 #endif 493 494 struct pf_state * 495 pf_find_state_byid(struct pf_state *key) 496 { 497 pf_status.fcounters[FCNT_STATE_SEARCH]++; 498 return (RB_FIND(pf_state_tree_id, &tree_id, key)); 499 } 500 501 struct pf_state * 502 pf_find_state_recurse(struct pfi_kif *kif, struct pf_state *key, u_int8_t tree) 503 { 504 struct pf_state *s; 505 506 pf_status.fcounters[FCNT_STATE_SEARCH]++; 507 508 switch (tree) { 509 case PF_LAN_EXT: 510 for (; kif != NULL; kif = kif->pfik_parent) { 511 s = RB_FIND(pf_state_tree_lan_ext, 512 &kif->pfik_lan_ext, key); 513 if (s != NULL) 514 return (s); 515 } 516 return (NULL); 517 case PF_EXT_GWY: 518 for (; kif != NULL; kif = kif->pfik_parent) { 519 s = RB_FIND(pf_state_tree_ext_gwy, 520 &kif->pfik_ext_gwy, key); 521 if (s != NULL) 522 return (s); 523 } 524 return (NULL); 525 default: 526 panic("pf_find_state_recurse"); 527 } 528 } 529 530 struct pf_state * 531 pf_find_state_all(struct pf_state *key, u_int8_t tree, int *more) 532 { 533 struct pf_state *s, *ss = NULL; 534 struct pfi_kif *kif; 535 536 pf_status.fcounters[FCNT_STATE_SEARCH]++; 537 538 switch (tree) { 539 case PF_LAN_EXT: 540 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) { 541 s = RB_FIND(pf_state_tree_lan_ext, 542 &kif->pfik_lan_ext, key); 543 if (s == NULL) 544 continue; 545 if (more == NULL) 546 return (s); 547 ss = s; 548 (*more)++; 549 } 550 return (ss); 551 case PF_EXT_GWY: 552 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) { 553 s = RB_FIND(pf_state_tree_ext_gwy, 554 &kif->pfik_ext_gwy, key); 555 if (s == NULL) 556 continue; 557 if (more == NULL) 558 return (s); 559 ss = s; 560 (*more)++; 561 } 562 return (ss); 563 default: 564 panic("pf_find_state_all"); 565 } 566 } 567 568 int 569 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule, 570 struct pf_addr *src, sa_family_t af) 571 { 572 struct pf_src_node k; 573 574 if (*sn == NULL) { 575 k.af = af; 576 PF_ACPY(&k.addr, src, af); 577 if (rule->rule_flag & PFRULE_RULESRCTRACK || 578 rule->rpool.opts & PF_POOL_STICKYADDR) 579 k.rule.ptr = rule; 580 else 581 k.rule.ptr = NULL; 582 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; 583 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); 584 } 585 if (*sn == NULL) { 586 if (!rule->max_src_nodes || 587 rule->src_nodes < rule->max_src_nodes) 588 (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT); 589 if ((*sn) == NULL) 590 return (-1); 591 bzero(*sn, sizeof(struct pf_src_node)); 592 (*sn)->af = af; 593 if (rule->rule_flag & PFRULE_RULESRCTRACK || 594 rule->rpool.opts & PF_POOL_STICKYADDR) 595 (*sn)->rule.ptr = rule; 596 else 597 (*sn)->rule.ptr = NULL; 598 PF_ACPY(&(*sn)->addr, src, af); 599 if (RB_INSERT(pf_src_tree, 600 &tree_src_tracking, *sn) != NULL) { 601 if (pf_status.debug >= PF_DEBUG_MISC) { 602 printf("pf: src_tree insert failed: "); 603 pf_print_host(&(*sn)->addr, 0, af); 604 printf("\n"); 605 } 606 pool_put(&pf_src_tree_pl, *sn); 607 return (-1); 608 } 609 (*sn)->creation = time_second; 610 (*sn)->ruletype = rule->action; 611 if ((*sn)->rule.ptr != NULL) 612 (*sn)->rule.ptr->src_nodes++; 613 pf_status.scounters[SCNT_SRC_NODE_INSERT]++; 614 pf_status.src_nodes++; 615 } else { 616 if (rule->max_src_states && 617 (*sn)->states >= rule->max_src_states) 618 return (-1); 619 } 620 return (0); 621 } 622 623 int 624 pf_insert_state(struct pfi_kif *kif, struct pf_state *state) 625 { 626 /* Thou MUST NOT insert multiple duplicate keys */ 627 state->u.s.kif = kif; 628 if (RB_INSERT(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state)) { 629 if (pf_status.debug >= PF_DEBUG_MISC) { 630 printf("pf: state insert failed: tree_lan_ext"); 631 printf(" lan: "); 632 pf_print_host(&state->lan.addr, state->lan.port, 633 state->af); 634 printf(" gwy: "); 635 pf_print_host(&state->gwy.addr, state->gwy.port, 636 state->af); 637 printf(" ext: "); 638 pf_print_host(&state->ext.addr, state->ext.port, 639 state->af); 640 if (state->sync_flags & PFSTATE_FROMSYNC) 641 printf(" (from sync)"); 642 printf("\n"); 643 } 644 return (-1); 645 } 646 647 if (RB_INSERT(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state)) { 648 if (pf_status.debug >= PF_DEBUG_MISC) { 649 printf("pf: state insert failed: tree_ext_gwy"); 650 printf(" lan: "); 651 pf_print_host(&state->lan.addr, state->lan.port, 652 state->af); 653 printf(" gwy: "); 654 pf_print_host(&state->gwy.addr, state->gwy.port, 655 state->af); 656 printf(" ext: "); 657 pf_print_host(&state->ext.addr, state->ext.port, 658 state->af); 659 if (state->sync_flags & PFSTATE_FROMSYNC) 660 printf(" (from sync)"); 661 printf("\n"); 662 } 663 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state); 664 return (-1); 665 } 666 667 if (state->id == 0 && state->creatorid == 0) { 668 state->id = htobe64(pf_status.stateid++); 669 state->creatorid = pf_status.hostid; 670 } 671 if (RB_INSERT(pf_state_tree_id, &tree_id, state) != NULL) { 672 if (pf_status.debug >= PF_DEBUG_MISC) { 673 printf("pf: state insert failed: " 674 "id: %016" PRIx64 " creatorid: %08" PRIx32, 675 be64toh(state->id), ntohl(state->creatorid)); 676 if (state->sync_flags & PFSTATE_FROMSYNC) 677 printf(" (from sync)"); 678 printf("\n"); 679 } 680 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state); 681 RB_REMOVE(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state); 682 return (-1); 683 } 684 TAILQ_INSERT_HEAD(&state_updates, state, u.s.entry_updates); 685 686 pf_status.fcounters[FCNT_STATE_INSERT]++; 687 pf_status.states++; 688 pfi_attach_state(kif); 689 #if NPFSYNC 690 pfsync_insert_state(state); 691 #endif 692 return (0); 693 } 694 695 void 696 pf_purge_timeout(void *arg) 697 { 698 struct callout *to = arg; 699 int s; 700 701 s = splsoftnet(); 702 pf_purge_expired_states(); 703 pf_purge_expired_fragments(); 704 pf_purge_expired_src_nodes(); 705 splx(s); 706 707 callout_reset(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz, 708 pf_purge_timeout, to); 709 } 710 711 u_int32_t 712 pf_state_expires(const struct pf_state *state) 713 { 714 u_int32_t timeout; 715 u_int32_t start; 716 u_int32_t end; 717 u_int32_t states; 718 719 /* handle all PFTM_* > PFTM_MAX here */ 720 if (state->timeout == PFTM_PURGE) 721 return (time_second); 722 if (state->timeout == PFTM_UNTIL_PACKET) 723 return (0); 724 KASSERT((state->timeout < PFTM_MAX), 725 ("pf_state_expires: timeout > PFTM_MAX")); 726 timeout = state->rule.ptr->timeout[state->timeout]; 727 if (!timeout) 728 timeout = pf_default_rule.timeout[state->timeout]; 729 start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START]; 730 if (start) { 731 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END]; 732 states = state->rule.ptr->states; 733 } else { 734 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START]; 735 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END]; 736 states = pf_status.states; 737 } 738 if (end && states > start && start < end) { 739 if (states < end) 740 return (state->expire + timeout * (end - states) / 741 (end - start)); 742 else 743 return (time_second); 744 } 745 return (state->expire + timeout); 746 } 747 748 void 749 pf_purge_expired_src_nodes(void) 750 { 751 struct pf_src_node *cur, *next; 752 753 for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) { 754 next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur); 755 756 if (cur->states <= 0 && cur->expire <= time_second) { 757 if (cur->rule.ptr != NULL) { 758 cur->rule.ptr->src_nodes--; 759 if (cur->rule.ptr->states <= 0 && 760 cur->rule.ptr->max_src_nodes <= 0) 761 pf_rm_rule(NULL, cur->rule.ptr); 762 } 763 RB_REMOVE(pf_src_tree, &tree_src_tracking, cur); 764 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 765 pf_status.src_nodes--; 766 pool_put(&pf_src_tree_pl, cur); 767 } 768 } 769 } 770 771 void 772 pf_src_tree_remove_state(struct pf_state *s) 773 { 774 u_int32_t timeout; 775 776 if (s->src_node != NULL) { 777 if (--s->src_node->states <= 0) { 778 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 779 if (!timeout) 780 timeout = 781 pf_default_rule.timeout[PFTM_SRC_NODE]; 782 s->src_node->expire = time_second + timeout; 783 } 784 } 785 if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) { 786 if (--s->nat_src_node->states <= 0) { 787 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; 788 if (!timeout) 789 timeout = 790 pf_default_rule.timeout[PFTM_SRC_NODE]; 791 s->nat_src_node->expire = time_second + timeout; 792 } 793 } 794 s->src_node = s->nat_src_node = NULL; 795 } 796 797 void 798 pf_purge_expired_states(void) 799 { 800 struct pf_state *cur, *next; 801 802 for (cur = RB_MIN(pf_state_tree_id, &tree_id); 803 cur; cur = next) { 804 next = RB_NEXT(pf_state_tree_id, &tree_id, cur); 805 806 if (pf_state_expires(cur) <= time_second) { 807 if (cur->src.state == PF_TCPS_PROXY_DST) 808 pf_send_tcp(cur->rule.ptr, cur->af, 809 &cur->ext.addr, &cur->lan.addr, 810 cur->ext.port, cur->lan.port, 811 cur->src.seqhi, cur->src.seqlo + 1, 0, 812 TH_RST|TH_ACK, 0, 0); 813 RB_REMOVE(pf_state_tree_ext_gwy, 814 &cur->u.s.kif->pfik_ext_gwy, cur); 815 RB_REMOVE(pf_state_tree_lan_ext, 816 &cur->u.s.kif->pfik_lan_ext, cur); 817 RB_REMOVE(pf_state_tree_id, &tree_id, cur); 818 #if NPFSYNC 819 pfsync_delete_state(cur); 820 #endif 821 pf_src_tree_remove_state(cur); 822 if (--cur->rule.ptr->states <= 0 && 823 cur->rule.ptr->src_nodes <= 0) 824 pf_rm_rule(NULL, cur->rule.ptr); 825 if (cur->nat_rule.ptr != NULL) 826 if (--cur->nat_rule.ptr->states <= 0 && 827 cur->nat_rule.ptr->src_nodes <= 0) 828 pf_rm_rule(NULL, cur->nat_rule.ptr); 829 if (cur->anchor.ptr != NULL) 830 if (--cur->anchor.ptr->states <= 0) 831 pf_rm_rule(NULL, cur->anchor.ptr); 832 pf_normalize_tcp_cleanup(cur); 833 pfi_detach_state(cur->u.s.kif); 834 TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates); 835 pool_put(&pf_state_pl, cur); 836 pf_status.fcounters[FCNT_STATE_REMOVALS]++; 837 pf_status.states--; 838 } 839 } 840 } 841 842 int 843 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw) 844 { 845 if (aw->type != PF_ADDR_TABLE) 846 return (0); 847 if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL) 848 return (1); 849 return (0); 850 } 851 852 void 853 pf_tbladdr_remove(struct pf_addr_wrap *aw) 854 { 855 if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL) 856 return; 857 pfr_detach_table(aw->p.tbl); 858 aw->p.tbl = NULL; 859 } 860 861 void 862 pf_tbladdr_copyout(struct pf_addr_wrap *aw) 863 { 864 struct pfr_ktable *kt = aw->p.tbl; 865 866 if (aw->type != PF_ADDR_TABLE || kt == NULL) 867 return; 868 if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) 869 kt = kt->pfrkt_root; 870 aw->p.tbl = NULL; 871 aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ? 872 kt->pfrkt_cnt : -1; 873 } 874 875 void 876 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af) 877 { 878 switch (af) { 879 #ifdef INET 880 case AF_INET: { 881 u_int32_t a = ntohl(addr->addr32[0]); 882 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255, 883 (a>>8)&255, a&255); 884 if (p) { 885 p = ntohs(p); 886 printf(":%u", p); 887 } 888 break; 889 } 890 #endif /* INET */ 891 #ifdef INET6 892 case AF_INET6: { 893 u_int16_t b; 894 u_int8_t i, curstart = 255, curend = 0, 895 maxstart = 0, maxend = 0; 896 for (i = 0; i < 8; i++) { 897 if (!addr->addr16[i]) { 898 if (curstart == 255) 899 curstart = i; 900 else 901 curend = i; 902 } else { 903 if (curstart) { 904 if ((curend - curstart) > 905 (maxend - maxstart)) { 906 maxstart = curstart; 907 maxend = curend; 908 curstart = 255; 909 } 910 } 911 } 912 } 913 for (i = 0; i < 8; i++) { 914 if (i >= maxstart && i <= maxend) { 915 if (maxend != 7) { 916 if (i == maxstart) 917 printf(":"); 918 } else { 919 if (i == maxend) 920 printf(":"); 921 } 922 } else { 923 b = ntohs(addr->addr16[i]); 924 printf("%x", b); 925 if (i < 7) 926 printf(":"); 927 } 928 } 929 if (p) { 930 p = ntohs(p); 931 printf("[%u]", p); 932 } 933 break; 934 } 935 #endif /* INET6 */ 936 } 937 } 938 939 void 940 pf_print_state(struct pf_state *s) 941 { 942 switch (s->proto) { 943 case IPPROTO_TCP: 944 printf("TCP "); 945 break; 946 case IPPROTO_UDP: 947 printf("UDP "); 948 break; 949 case IPPROTO_ICMP: 950 printf("ICMP "); 951 break; 952 case IPPROTO_ICMPV6: 953 printf("ICMPV6 "); 954 break; 955 default: 956 printf("%u ", s->proto); 957 break; 958 } 959 pf_print_host(&s->lan.addr, s->lan.port, s->af); 960 printf(" "); 961 pf_print_host(&s->gwy.addr, s->gwy.port, s->af); 962 printf(" "); 963 pf_print_host(&s->ext.addr, s->ext.port, s->af); 964 printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo, 965 s->src.seqhi, s->src.max_win, s->src.seqdiff); 966 if (s->src.wscale && s->dst.wscale) 967 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK); 968 printf("]"); 969 printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo, 970 s->dst.seqhi, s->dst.max_win, s->dst.seqdiff); 971 if (s->src.wscale && s->dst.wscale) 972 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK); 973 printf("]"); 974 printf(" %u:%u", s->src.state, s->dst.state); 975 } 976 977 void 978 pf_print_flags(u_int8_t f) 979 { 980 if (f) 981 printf(" "); 982 if (f & TH_FIN) 983 printf("F"); 984 if (f & TH_SYN) 985 printf("S"); 986 if (f & TH_RST) 987 printf("R"); 988 if (f & TH_PUSH) 989 printf("P"); 990 if (f & TH_ACK) 991 printf("A"); 992 if (f & TH_URG) 993 printf("U"); 994 if (f & TH_ECE) 995 printf("E"); 996 if (f & TH_CWR) 997 printf("W"); 998 } 999 1000 #define PF_SET_SKIP_STEPS(i) \ 1001 do { \ 1002 while (head[i] != cur) { \ 1003 head[i]->skip[i].ptr = cur; \ 1004 head[i] = TAILQ_NEXT(head[i], entries); \ 1005 } \ 1006 } while (0) 1007 1008 void 1009 pf_calc_skip_steps(struct pf_rulequeue *rules) 1010 { 1011 struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT]; 1012 int i; 1013 1014 cur = TAILQ_FIRST(rules); 1015 prev = cur; 1016 for (i = 0; i < PF_SKIP_COUNT; ++i) 1017 head[i] = cur; 1018 while (cur != NULL) { 1019 1020 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot) 1021 PF_SET_SKIP_STEPS(PF_SKIP_IFP); 1022 if (cur->direction != prev->direction) 1023 PF_SET_SKIP_STEPS(PF_SKIP_DIR); 1024 if (cur->af != prev->af) 1025 PF_SET_SKIP_STEPS(PF_SKIP_AF); 1026 if (cur->proto != prev->proto) 1027 PF_SET_SKIP_STEPS(PF_SKIP_PROTO); 1028 if (cur->src.not != prev->src.not || 1029 pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr)) 1030 PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR); 1031 if (cur->src.port[0] != prev->src.port[0] || 1032 cur->src.port[1] != prev->src.port[1] || 1033 cur->src.port_op != prev->src.port_op) 1034 PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT); 1035 if (cur->dst.not != prev->dst.not || 1036 pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr)) 1037 PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR); 1038 if (cur->dst.port[0] != prev->dst.port[0] || 1039 cur->dst.port[1] != prev->dst.port[1] || 1040 cur->dst.port_op != prev->dst.port_op) 1041 PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT); 1042 1043 prev = cur; 1044 cur = TAILQ_NEXT(cur, entries); 1045 } 1046 for (i = 0; i < PF_SKIP_COUNT; ++i) 1047 PF_SET_SKIP_STEPS(i); 1048 } 1049 1050 int 1051 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2) 1052 { 1053 if (aw1->type != aw2->type) 1054 return (1); 1055 switch (aw1->type) { 1056 case PF_ADDR_ADDRMASK: 1057 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0)) 1058 return (1); 1059 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) 1060 return (1); 1061 return (0); 1062 case PF_ADDR_DYNIFTL: 1063 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt); 1064 case PF_ADDR_NOROUTE: 1065 return (0); 1066 case PF_ADDR_TABLE: 1067 return (aw1->p.tbl != aw2->p.tbl); 1068 default: 1069 printf("invalid address type: %d\n", aw1->type); 1070 return (1); 1071 } 1072 } 1073 1074 void 1075 pf_update_anchor_rules() 1076 { 1077 struct pf_rule *rule; 1078 int i; 1079 1080 for (i = 0; i < PF_RULESET_MAX; ++i) 1081 TAILQ_FOREACH(rule, pf_main_ruleset.rules[i].active.ptr, 1082 entries) 1083 if (rule->anchorname[0]) 1084 rule->anchor = pf_find_anchor(rule->anchorname); 1085 else 1086 rule->anchor = NULL; 1087 } 1088 1089 u_int16_t 1090 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) 1091 { 1092 u_int32_t l; 1093 1094 if (udp && !cksum) 1095 return (0x0000); 1096 l = cksum + old - new; 1097 l = (l >> 16) + (l & 65535); 1098 l = l & 65535; 1099 if (udp && !l) 1100 return (0xFFFF); 1101 return (l); 1102 } 1103 1104 void 1105 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, 1106 struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af) 1107 { 1108 struct pf_addr ao; 1109 u_int16_t po = *p; 1110 1111 PF_ACPY(&ao, a, af); 1112 PF_ACPY(a, an, af); 1113 1114 *p = pn; 1115 1116 switch (af) { 1117 #ifdef INET 1118 case AF_INET: 1119 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1120 ao.addr16[0], an->addr16[0], 0), 1121 ao.addr16[1], an->addr16[1], 0); 1122 *p = pn; 1123 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1124 ao.addr16[0], an->addr16[0], u), 1125 ao.addr16[1], an->addr16[1], u), 1126 po, pn, u); 1127 break; 1128 #endif /* INET */ 1129 #ifdef INET6 1130 case AF_INET6: 1131 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1132 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1133 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, 1134 ao.addr16[0], an->addr16[0], u), 1135 ao.addr16[1], an->addr16[1], u), 1136 ao.addr16[2], an->addr16[2], u), 1137 ao.addr16[3], an->addr16[3], u), 1138 ao.addr16[4], an->addr16[4], u), 1139 ao.addr16[5], an->addr16[5], u), 1140 ao.addr16[6], an->addr16[6], u), 1141 ao.addr16[7], an->addr16[7], u), 1142 po, pn, u); 1143 break; 1144 #endif /* INET6 */ 1145 } 1146 } 1147 1148 1149 /* Changes a u_int32_t. Uses a void * so there are no align restrictions */ 1150 void 1151 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u) 1152 { 1153 u_int32_t ao; 1154 1155 memcpy(&ao, a, sizeof(ao)); 1156 memcpy(a, &an, sizeof(u_int32_t)); 1157 *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u), 1158 ao % 65536, an % 65536, u); 1159 } 1160 1161 #ifdef INET6 1162 void 1163 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) 1164 { 1165 struct pf_addr ao; 1166 1167 PF_ACPY(&ao, a, AF_INET6); 1168 PF_ACPY(a, an, AF_INET6); 1169 1170 *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1171 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1172 pf_cksum_fixup(pf_cksum_fixup(*c, 1173 ao.addr16[0], an->addr16[0], u), 1174 ao.addr16[1], an->addr16[1], u), 1175 ao.addr16[2], an->addr16[2], u), 1176 ao.addr16[3], an->addr16[3], u), 1177 ao.addr16[4], an->addr16[4], u), 1178 ao.addr16[5], an->addr16[5], u), 1179 ao.addr16[6], an->addr16[6], u), 1180 ao.addr16[7], an->addr16[7], u); 1181 } 1182 #endif /* INET6 */ 1183 1184 void 1185 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, 1186 struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, 1187 u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af) 1188 { 1189 struct pf_addr oia, ooa; 1190 1191 PF_ACPY(&oia, ia, af); 1192 PF_ACPY(&ooa, oa, af); 1193 1194 /* Change inner protocol port, fix inner protocol checksum. */ 1195 if (ip != NULL) { 1196 u_int16_t oip = *ip; 1197 u_int32_t opc = 0; 1198 1199 if (pc != NULL) 1200 opc = *pc; 1201 *ip = np; 1202 if (pc != NULL) 1203 *pc = pf_cksum_fixup(*pc, oip, *ip, u); 1204 *ic = pf_cksum_fixup(*ic, oip, *ip, 0); 1205 if (pc != NULL) 1206 *ic = pf_cksum_fixup(*ic, opc, *pc, 0); 1207 } 1208 /* Change inner ip address, fix inner ip and icmp checksums. */ 1209 PF_ACPY(ia, na, af); 1210 switch (af) { 1211 #ifdef INET 1212 case AF_INET: { 1213 u_int32_t oh2c = *h2c; 1214 1215 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c, 1216 oia.addr16[0], ia->addr16[0], 0), 1217 oia.addr16[1], ia->addr16[1], 0); 1218 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, 1219 oia.addr16[0], ia->addr16[0], 0), 1220 oia.addr16[1], ia->addr16[1], 0); 1221 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0); 1222 break; 1223 } 1224 #endif /* INET */ 1225 #ifdef INET6 1226 case AF_INET6: 1227 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1228 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1229 pf_cksum_fixup(pf_cksum_fixup(*ic, 1230 oia.addr16[0], ia->addr16[0], u), 1231 oia.addr16[1], ia->addr16[1], u), 1232 oia.addr16[2], ia->addr16[2], u), 1233 oia.addr16[3], ia->addr16[3], u), 1234 oia.addr16[4], ia->addr16[4], u), 1235 oia.addr16[5], ia->addr16[5], u), 1236 oia.addr16[6], ia->addr16[6], u), 1237 oia.addr16[7], ia->addr16[7], u); 1238 break; 1239 #endif /* INET6 */ 1240 } 1241 /* Change outer ip address, fix outer ip or icmpv6 checksum. */ 1242 PF_ACPY(oa, na, af); 1243 switch (af) { 1244 #ifdef INET 1245 case AF_INET: 1246 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc, 1247 ooa.addr16[0], oa->addr16[0], 0), 1248 ooa.addr16[1], oa->addr16[1], 0); 1249 break; 1250 #endif /* INET */ 1251 #ifdef INET6 1252 case AF_INET6: 1253 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1254 pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( 1255 pf_cksum_fixup(pf_cksum_fixup(*ic, 1256 ooa.addr16[0], oa->addr16[0], u), 1257 ooa.addr16[1], oa->addr16[1], u), 1258 ooa.addr16[2], oa->addr16[2], u), 1259 ooa.addr16[3], oa->addr16[3], u), 1260 ooa.addr16[4], oa->addr16[4], u), 1261 ooa.addr16[5], oa->addr16[5], u), 1262 ooa.addr16[6], oa->addr16[6], u), 1263 ooa.addr16[7], oa->addr16[7], u); 1264 break; 1265 #endif /* INET6 */ 1266 } 1267 } 1268 1269 void 1270 pf_send_tcp(const struct pf_rule *r, sa_family_t af, 1271 const struct pf_addr *saddr, const struct pf_addr *daddr, 1272 u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, 1273 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl) 1274 { 1275 struct mbuf *m; 1276 int len = 0, tlen; 1277 #ifdef INET 1278 struct ip *h = NULL; 1279 #endif /* INET */ 1280 #ifdef INET6 1281 struct ip6_hdr *h6 = NULL; 1282 #endif /* INET6 */ 1283 struct tcphdr *th = NULL; 1284 char *opt; 1285 1286 /* maximum segment size tcp option */ 1287 tlen = sizeof(struct tcphdr); 1288 if (mss) 1289 tlen += 4; 1290 1291 switch (af) { 1292 #ifdef INET 1293 case AF_INET: 1294 len = sizeof(struct ip) + tlen; 1295 break; 1296 #endif /* INET */ 1297 #ifdef INET6 1298 case AF_INET6: 1299 len = sizeof(struct ip6_hdr) + tlen; 1300 break; 1301 #endif /* INET6 */ 1302 } 1303 1304 /* create outgoing mbuf */ 1305 m = m_gethdr(MB_DONTWAIT, MT_HEADER); 1306 if (m == NULL) 1307 return; 1308 m->m_pkthdr.pf_flags |= PF_MBUF_GENERATED; 1309 #ifdef ALTQ 1310 if (r != NULL && r->qid) { 1311 struct altq_tag *atag; 1312 1313 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), MB_DONTWAIT); 1314 if (mtag != NULL) { 1315 atag = (struct altq_tag *)(mtag + 1); 1316 atag->qid = r->qid; 1317 /* add hints for ecn */ 1318 atag->af = af; 1319 atag->hdr = mtod(m, struct ip *); 1320 m_tag_prepend(m, mtag); 1321 } 1322 } 1323 #endif 1324 m->m_data += max_linkhdr; 1325 m->m_pkthdr.len = m->m_len = len; 1326 m->m_pkthdr.rcvif = NULL; 1327 bzero(m->m_data, len); 1328 switch (af) { 1329 #ifdef INET 1330 case AF_INET: 1331 h = mtod(m, struct ip *); 1332 1333 /* IP header fields included in the TCP checksum */ 1334 h->ip_p = IPPROTO_TCP; 1335 h->ip_len = tlen; 1336 h->ip_src.s_addr = saddr->v4.s_addr; 1337 h->ip_dst.s_addr = daddr->v4.s_addr; 1338 1339 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip)); 1340 break; 1341 #endif /* INET */ 1342 #ifdef INET6 1343 case AF_INET6: 1344 h6 = mtod(m, struct ip6_hdr *); 1345 1346 /* IP header fields included in the TCP checksum */ 1347 h6->ip6_nxt = IPPROTO_TCP; 1348 h6->ip6_plen = htons(tlen); 1349 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr)); 1350 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr)); 1351 1352 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr)); 1353 break; 1354 #endif /* INET6 */ 1355 } 1356 1357 /* TCP header */ 1358 th->th_sport = sport; 1359 th->th_dport = dport; 1360 th->th_seq = htonl(seq); 1361 th->th_ack = htonl(ack); 1362 th->th_off = tlen >> 2; 1363 th->th_flags = flags; 1364 th->th_win = htons(win); 1365 1366 if (mss) { 1367 opt = (char *)(th + 1); 1368 opt[0] = TCPOPT_MAXSEG; 1369 opt[1] = 4; 1370 mss = htons(mss); 1371 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2); 1372 } 1373 1374 switch (af) { 1375 #ifdef INET 1376 case AF_INET: 1377 /* TCP checksum */ 1378 th->th_sum = in_cksum(m, len); 1379 1380 /* Finish the IP header */ 1381 h->ip_v = 4; 1382 h->ip_hl = sizeof(*h) >> 2; 1383 h->ip_tos = IPTOS_LOWDELAY; 1384 h->ip_len = len; 1385 h->ip_off = path_mtu_discovery ? IP_DF : 0; 1386 h->ip_ttl = ttl ? ttl : ip_defttl; 1387 h->ip_sum = 0; 1388 ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL, 1389 (void *)NULL); 1390 break; 1391 #endif /* INET */ 1392 #ifdef INET6 1393 case AF_INET6: 1394 /* TCP checksum */ 1395 th->th_sum = in6_cksum(m, IPPROTO_TCP, 1396 sizeof(struct ip6_hdr), tlen); 1397 1398 h6->ip6_vfc |= IPV6_VERSION; 1399 h6->ip6_hlim = IPV6_DEFHLIM; 1400 1401 ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); 1402 break; 1403 #endif /* INET6 */ 1404 } 1405 } 1406 1407 void 1408 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, 1409 struct pf_rule *r) 1410 { 1411 struct mbuf *m0; 1412 1413 m0 = m_copypacket(m, MB_DONTWAIT); 1414 if (m0 == NULL) 1415 return; 1416 m0->m_pkthdr.pf_flags |= PF_MBUF_GENERATED; 1417 1418 #ifdef ALTQ 1419 if (r->qid) { 1420 struct altq_tag *atag; 1421 1422 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), MB_DONTWAIT); 1423 if (mtag != NULL) { 1424 atag = (struct altq_tag *)(mtag + 1); 1425 atag->qid = r->qid; 1426 /* add hints for ecn */ 1427 atag->af = af; 1428 atag->hdr = mtod(m0, struct ip *); 1429 m_tag_prepend(m0, mtag); 1430 } 1431 } 1432 #endif 1433 1434 switch (af) { 1435 #ifdef INET 1436 case AF_INET: 1437 icmp_error(m0, type, code, 0, (void *)NULL); 1438 break; 1439 #endif /* INET */ 1440 #ifdef INET6 1441 case AF_INET6: 1442 icmp6_error(m0, type, code, 0); 1443 break; 1444 #endif /* INET6 */ 1445 } 1446 } 1447 1448 /* 1449 * Return 1 if the addresses a and b match (with mask m), otherwise return 0. 1450 * If n is 0, they match if they are equal. If n is != 0, they match if they 1451 * are different. 1452 */ 1453 int 1454 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m, 1455 struct pf_addr *b, sa_family_t af) 1456 { 1457 int match = 0; 1458 1459 switch (af) { 1460 #ifdef INET 1461 case AF_INET: 1462 if ((a->addr32[0] & m->addr32[0]) == 1463 (b->addr32[0] & m->addr32[0])) 1464 match++; 1465 break; 1466 #endif /* INET */ 1467 #ifdef INET6 1468 case AF_INET6: 1469 if (((a->addr32[0] & m->addr32[0]) == 1470 (b->addr32[0] & m->addr32[0])) && 1471 ((a->addr32[1] & m->addr32[1]) == 1472 (b->addr32[1] & m->addr32[1])) && 1473 ((a->addr32[2] & m->addr32[2]) == 1474 (b->addr32[2] & m->addr32[2])) && 1475 ((a->addr32[3] & m->addr32[3]) == 1476 (b->addr32[3] & m->addr32[3]))) 1477 match++; 1478 break; 1479 #endif /* INET6 */ 1480 } 1481 if (match) { 1482 if (n) 1483 return (0); 1484 else 1485 return (1); 1486 } else { 1487 if (n) 1488 return (1); 1489 else 1490 return (0); 1491 } 1492 } 1493 1494 int 1495 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p) 1496 { 1497 switch (op) { 1498 case PF_OP_IRG: 1499 return ((p > a1) && (p < a2)); 1500 case PF_OP_XRG: 1501 return ((p < a1) || (p > a2)); 1502 case PF_OP_RRG: 1503 return ((p >= a1) && (p <= a2)); 1504 case PF_OP_EQ: 1505 return (p == a1); 1506 case PF_OP_NE: 1507 return (p != a1); 1508 case PF_OP_LT: 1509 return (p < a1); 1510 case PF_OP_LE: 1511 return (p <= a1); 1512 case PF_OP_GT: 1513 return (p > a1); 1514 case PF_OP_GE: 1515 return (p >= a1); 1516 } 1517 return (0); /* never reached */ 1518 } 1519 1520 int 1521 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p) 1522 { 1523 a1 = ntohs(a1); 1524 a2 = ntohs(a2); 1525 p = ntohs(p); 1526 return (pf_match(op, a1, a2, p)); 1527 } 1528 1529 int 1530 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u) 1531 { 1532 if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1533 return (0); 1534 return (pf_match(op, a1, a2, u)); 1535 } 1536 1537 int 1538 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) 1539 { 1540 if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE) 1541 return (0); 1542 return (pf_match(op, a1, a2, g)); 1543 } 1544 1545 static int 1546 pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_rule *nat_rule, 1547 int *tag) 1548 { 1549 if (*tag == -1) { /* find mbuf tag */ 1550 if (nat_rule != NULL && nat_rule->tag) 1551 *tag = nat_rule->tag; 1552 else if (m->m_pkthdr.pf_flags & PF_MBUF_TAGGED) 1553 *tag = m->m_pkthdr.pf_tag; 1554 else 1555 *tag = 0; 1556 } 1557 1558 return ((!r->match_tag_not && r->match_tag == *tag) || 1559 (r->match_tag_not && r->match_tag != *tag)); 1560 } 1561 1562 void 1563 pf_tag_packet(struct mbuf *m, int tag) 1564 { 1565 if (tag <= 0) 1566 return; 1567 1568 m->m_pkthdr.pf_flags |= PF_MBUF_TAGGED; 1569 m->m_pkthdr.pf_tag = tag; 1570 } 1571 1572 #define PF_STEP_INTO_ANCHOR(r, a, s, n) \ 1573 do { \ 1574 if ((r) == NULL || (r)->anchor == NULL || \ 1575 (s) != NULL || (a) != NULL) \ 1576 panic("PF_STEP_INTO_ANCHOR"); \ 1577 (a) = (r); \ 1578 (s) = TAILQ_FIRST(&(r)->anchor->rulesets); \ 1579 (r) = NULL; \ 1580 while ((s) != NULL && ((r) = \ 1581 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1582 (s) = TAILQ_NEXT((s), entries); \ 1583 if ((r) == NULL) { \ 1584 (r) = TAILQ_NEXT((a), entries); \ 1585 (a) = NULL; \ 1586 } \ 1587 } while (0) 1588 1589 #define PF_STEP_OUT_OF_ANCHOR(r, a, s, n) \ 1590 do { \ 1591 if ((r) != NULL || (a) == NULL || (s) == NULL) \ 1592 panic("PF_STEP_OUT_OF_ANCHOR"); \ 1593 (s) = TAILQ_NEXT((s), entries); \ 1594 while ((s) != NULL && ((r) = \ 1595 TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL) \ 1596 (s) = TAILQ_NEXT((s), entries); \ 1597 if ((r) == NULL) { \ 1598 (r) = TAILQ_NEXT((a), entries); \ 1599 (a) = NULL; \ 1600 } \ 1601 } while (0) 1602 1603 #ifdef INET6 1604 void 1605 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr, 1606 struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af) 1607 { 1608 switch (af) { 1609 #ifdef INET 1610 case AF_INET: 1611 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1612 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1613 break; 1614 #endif /* INET */ 1615 case AF_INET6: 1616 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | 1617 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); 1618 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) | 1619 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]); 1620 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) | 1621 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]); 1622 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) | 1623 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]); 1624 break; 1625 } 1626 } 1627 1628 void 1629 pf_addr_inc(struct pf_addr *addr, sa_family_t af) 1630 { 1631 switch (af) { 1632 #ifdef INET 1633 case AF_INET: 1634 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1); 1635 break; 1636 #endif /* INET */ 1637 case AF_INET6: 1638 if (addr->addr32[3] == 0xffffffff) { 1639 addr->addr32[3] = 0; 1640 if (addr->addr32[2] == 0xffffffff) { 1641 addr->addr32[2] = 0; 1642 if (addr->addr32[1] == 0xffffffff) { 1643 addr->addr32[1] = 0; 1644 addr->addr32[0] = 1645 htonl(ntohl(addr->addr32[0]) + 1); 1646 } else 1647 addr->addr32[1] = 1648 htonl(ntohl(addr->addr32[1]) + 1); 1649 } else 1650 addr->addr32[2] = 1651 htonl(ntohl(addr->addr32[2]) + 1); 1652 } else 1653 addr->addr32[3] = 1654 htonl(ntohl(addr->addr32[3]) + 1); 1655 break; 1656 } 1657 } 1658 #endif /* INET6 */ 1659 1660 #define mix(a,b,c) \ 1661 do { \ 1662 a -= b; a -= c; a ^= (c >> 13); \ 1663 b -= c; b -= a; b ^= (a << 8); \ 1664 c -= a; c -= b; c ^= (b >> 13); \ 1665 a -= b; a -= c; a ^= (c >> 12); \ 1666 b -= c; b -= a; b ^= (a << 16); \ 1667 c -= a; c -= b; c ^= (b >> 5); \ 1668 a -= b; a -= c; a ^= (c >> 3); \ 1669 b -= c; b -= a; b ^= (a << 10); \ 1670 c -= a; c -= b; c ^= (b >> 15); \ 1671 } while (0) 1672 1673 /* 1674 * hash function based on bridge_hash in if_bridge.c 1675 */ 1676 void 1677 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, 1678 struct pf_poolhashkey *key, sa_family_t af) 1679 { 1680 u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; 1681 1682 switch (af) { 1683 #ifdef INET 1684 case AF_INET: 1685 a += inaddr->addr32[0]; 1686 b += key->key32[1]; 1687 mix(a, b, c); 1688 hash->addr32[0] = c + key->key32[2]; 1689 break; 1690 #endif /* INET */ 1691 #ifdef INET6 1692 case AF_INET6: 1693 a += inaddr->addr32[0]; 1694 b += inaddr->addr32[2]; 1695 mix(a, b, c); 1696 hash->addr32[0] = c; 1697 a += inaddr->addr32[1]; 1698 b += inaddr->addr32[3]; 1699 c += key->key32[1]; 1700 mix(a, b, c); 1701 hash->addr32[1] = c; 1702 a += inaddr->addr32[2]; 1703 b += inaddr->addr32[1]; 1704 c += key->key32[2]; 1705 mix(a, b, c); 1706 hash->addr32[2] = c; 1707 a += inaddr->addr32[3]; 1708 b += inaddr->addr32[0]; 1709 c += key->key32[3]; 1710 mix(a, b, c); 1711 hash->addr32[3] = c; 1712 break; 1713 #endif /* INET6 */ 1714 } 1715 } 1716 1717 int 1718 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr, 1719 struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn) 1720 { 1721 unsigned char hash[16]; 1722 struct pf_pool *rpool = &r->rpool; 1723 struct pf_addr *raddr = &rpool->cur->addr.v.a.addr; 1724 struct pf_addr *rmask = &rpool->cur->addr.v.a.mask; 1725 struct pf_pooladdr *acur = rpool->cur; 1726 struct pf_src_node k; 1727 1728 if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR && 1729 (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 1730 k.af = af; 1731 PF_ACPY(&k.addr, saddr, af); 1732 if (r->rule_flag & PFRULE_RULESRCTRACK || 1733 r->rpool.opts & PF_POOL_STICKYADDR) 1734 k.rule.ptr = r; 1735 else 1736 k.rule.ptr = NULL; 1737 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; 1738 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); 1739 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) { 1740 PF_ACPY(naddr, &(*sn)->raddr, af); 1741 if (pf_status.debug >= PF_DEBUG_MISC) { 1742 printf("pf_map_addr: src tracking maps "); 1743 pf_print_host(&k.addr, 0, af); 1744 printf(" to "); 1745 pf_print_host(naddr, 0, af); 1746 printf("\n"); 1747 } 1748 return (0); 1749 } 1750 } 1751 1752 if (rpool->cur->addr.type == PF_ADDR_NOROUTE) 1753 return (1); 1754 if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1755 if (af == AF_INET) { 1756 if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 && 1757 (rpool->opts & PF_POOL_TYPEMASK) != 1758 PF_POOL_ROUNDROBIN) 1759 return (1); 1760 raddr = &rpool->cur->addr.p.dyn->pfid_addr4; 1761 rmask = &rpool->cur->addr.p.dyn->pfid_mask4; 1762 } else { 1763 if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 && 1764 (rpool->opts & PF_POOL_TYPEMASK) != 1765 PF_POOL_ROUNDROBIN) 1766 return (1); 1767 raddr = &rpool->cur->addr.p.dyn->pfid_addr6; 1768 rmask = &rpool->cur->addr.p.dyn->pfid_mask6; 1769 } 1770 } else if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1771 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) 1772 return (1); /* unsupported */ 1773 } else { 1774 raddr = &rpool->cur->addr.v.a.addr; 1775 rmask = &rpool->cur->addr.v.a.mask; 1776 } 1777 1778 switch (rpool->opts & PF_POOL_TYPEMASK) { 1779 case PF_POOL_NONE: 1780 PF_ACPY(naddr, raddr, af); 1781 break; 1782 case PF_POOL_BITMASK: 1783 PF_POOLMASK(naddr, raddr, rmask, saddr, af); 1784 break; 1785 case PF_POOL_RANDOM: 1786 if (init_addr != NULL && PF_AZERO(init_addr, af)) { 1787 switch (af) { 1788 #ifdef INET 1789 case AF_INET: 1790 rpool->counter.addr32[0] = arc4random(); 1791 break; 1792 #endif /* INET */ 1793 #ifdef INET6 1794 case AF_INET6: 1795 if (rmask->addr32[3] != 0xffffffff) 1796 rpool->counter.addr32[3] = arc4random(); 1797 else 1798 break; 1799 if (rmask->addr32[2] != 0xffffffff) 1800 rpool->counter.addr32[2] = arc4random(); 1801 else 1802 break; 1803 if (rmask->addr32[1] != 0xffffffff) 1804 rpool->counter.addr32[1] = arc4random(); 1805 else 1806 break; 1807 if (rmask->addr32[0] != 0xffffffff) 1808 rpool->counter.addr32[0] = arc4random(); 1809 break; 1810 #endif /* INET6 */ 1811 } 1812 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1813 PF_ACPY(init_addr, naddr, af); 1814 1815 } else { 1816 PF_AINC(&rpool->counter, af); 1817 PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); 1818 } 1819 break; 1820 case PF_POOL_SRCHASH: 1821 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af); 1822 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af); 1823 break; 1824 case PF_POOL_ROUNDROBIN: 1825 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1826 if (!pfr_pool_get(rpool->cur->addr.p.tbl, 1827 &rpool->tblidx, &rpool->counter, 1828 &raddr, &rmask, af)) 1829 goto get_addr; 1830 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1831 if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 1832 &rpool->tblidx, &rpool->counter, 1833 &raddr, &rmask, af)) 1834 goto get_addr; 1835 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af)) 1836 goto get_addr; 1837 1838 try_next: 1839 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL) 1840 rpool->cur = TAILQ_FIRST(&rpool->list); 1841 if (rpool->cur->addr.type == PF_ADDR_TABLE) { 1842 rpool->tblidx = -1; 1843 if (pfr_pool_get(rpool->cur->addr.p.tbl, 1844 &rpool->tblidx, &rpool->counter, 1845 &raddr, &rmask, af)) { 1846 /* table contains no address of type 'af' */ 1847 if (rpool->cur != acur) 1848 goto try_next; 1849 return (1); 1850 } 1851 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { 1852 rpool->tblidx = -1; 1853 if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, 1854 &rpool->tblidx, &rpool->counter, 1855 &raddr, &rmask, af)) { 1856 /* table contains no address of type 'af' */ 1857 if (rpool->cur != acur) 1858 goto try_next; 1859 return (1); 1860 } 1861 } else { 1862 raddr = &rpool->cur->addr.v.a.addr; 1863 rmask = &rpool->cur->addr.v.a.mask; 1864 PF_ACPY(&rpool->counter, raddr, af); 1865 } 1866 1867 get_addr: 1868 PF_ACPY(naddr, &rpool->counter, af); 1869 PF_AINC(&rpool->counter, af); 1870 break; 1871 } 1872 if (*sn != NULL) 1873 PF_ACPY(&(*sn)->raddr, naddr, af); 1874 1875 if (pf_status.debug >= PF_DEBUG_MISC && 1876 (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { 1877 printf("pf_map_addr: selected address "); 1878 pf_print_host(naddr, 0, af); 1879 printf("\n"); 1880 } 1881 1882 return (0); 1883 } 1884 1885 int 1886 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, 1887 struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport, 1888 struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high, 1889 struct pf_src_node **sn) 1890 { 1891 struct pf_state key; 1892 struct pf_addr init_addr; 1893 u_int16_t cut; 1894 1895 bzero(&init_addr, sizeof(init_addr)); 1896 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 1897 return (1); 1898 1899 do { 1900 key.af = af; 1901 key.proto = proto; 1902 PF_ACPY(&key.ext.addr, daddr, key.af); 1903 PF_ACPY(&key.gwy.addr, naddr, key.af); 1904 key.ext.port = dport; 1905 1906 /* 1907 * port search; start random, step; 1908 * similar 2 portloop in in_pcbbind 1909 */ 1910 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) { 1911 key.gwy.port = 0; 1912 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) 1913 return (0); 1914 } else if (low == 0 && high == 0) { 1915 key.gwy.port = *nport; 1916 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) 1917 return (0); 1918 } else if (low == high) { 1919 key.gwy.port = htons(low); 1920 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) { 1921 *nport = htons(low); 1922 return (0); 1923 } 1924 } else { 1925 u_int16_t tmp; 1926 1927 if (low > high) { 1928 tmp = low; 1929 low = high; 1930 high = tmp; 1931 } 1932 /* low < high */ 1933 cut = arc4random() % (1 + high - low) + low; 1934 /* low <= cut <= high */ 1935 for (tmp = cut; tmp <= high; ++(tmp)) { 1936 key.gwy.port = htons(tmp); 1937 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 1938 NULL) { 1939 *nport = htons(tmp); 1940 return (0); 1941 } 1942 } 1943 for (tmp = cut - 1; tmp >= low; --(tmp)) { 1944 key.gwy.port = htons(tmp); 1945 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == 1946 NULL) { 1947 *nport = htons(tmp); 1948 return (0); 1949 } 1950 } 1951 } 1952 1953 switch (r->rpool.opts & PF_POOL_TYPEMASK) { 1954 case PF_POOL_RANDOM: 1955 case PF_POOL_ROUNDROBIN: 1956 if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) 1957 return (1); 1958 break; 1959 case PF_POOL_NONE: 1960 case PF_POOL_SRCHASH: 1961 case PF_POOL_BITMASK: 1962 default: 1963 return (1); 1964 } 1965 } while (! PF_AEQ(&init_addr, naddr, af) ); 1966 1967 return (1); /* none available */ 1968 } 1969 1970 struct pf_rule * 1971 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, 1972 int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport, 1973 struct pf_addr *daddr, u_int16_t dport, int rs_num) 1974 { 1975 struct pf_rule *r, *rm = NULL, *anchorrule = NULL; 1976 struct pf_ruleset *ruleset = NULL; 1977 1978 r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); 1979 while (r && rm == NULL) { 1980 struct pf_rule_addr *src = NULL, *dst = NULL; 1981 struct pf_addr_wrap *xdst = NULL; 1982 1983 if (r->action == PF_BINAT && direction == PF_IN) { 1984 src = &r->dst; 1985 if (r->rpool.cur != NULL) 1986 xdst = &r->rpool.cur->addr; 1987 } else { 1988 src = &r->src; 1989 dst = &r->dst; 1990 } 1991 1992 r->evaluations++; 1993 if (r->kif != NULL && 1994 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 1995 r = r->skip[PF_SKIP_IFP].ptr; 1996 else if (r->direction && r->direction != direction) 1997 r = r->skip[PF_SKIP_DIR].ptr; 1998 else if (r->af && r->af != pd->af) 1999 r = r->skip[PF_SKIP_AF].ptr; 2000 else if (r->proto && r->proto != pd->proto) 2001 r = r->skip[PF_SKIP_PROTO].ptr; 2002 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->not)) 2003 r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : 2004 PF_SKIP_DST_ADDR].ptr; 2005 else if (src->port_op && !pf_match_port(src->port_op, 2006 src->port[0], src->port[1], sport)) 2007 r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : 2008 PF_SKIP_DST_PORT].ptr; 2009 else if (dst != NULL && 2010 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->not)) 2011 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2012 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0)) 2013 r = TAILQ_NEXT(r, entries); 2014 else if (dst != NULL && dst->port_op && 2015 !pf_match_port(dst->port_op, dst->port[0], 2016 dst->port[1], dport)) 2017 r = r->skip[PF_SKIP_DST_PORT].ptr; 2018 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != 2019 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, 2020 off, pd->hdr.tcp), r->os_fingerprint))) 2021 r = TAILQ_NEXT(r, entries); 2022 else if (r->anchorname[0] && r->anchor == NULL) 2023 r = TAILQ_NEXT(r, entries); 2024 else if (r->anchor == NULL) 2025 rm = r; 2026 else 2027 PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, rs_num); 2028 if (r == NULL && anchorrule != NULL) 2029 PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset, 2030 rs_num); 2031 } 2032 if (rm != NULL && (rm->action == PF_NONAT || 2033 rm->action == PF_NORDR || rm->action == PF_NOBINAT)) 2034 return (NULL); 2035 return (rm); 2036 } 2037 2038 struct pf_rule * 2039 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, 2040 struct pfi_kif *kif, struct pf_src_node **sn, 2041 struct pf_addr *saddr, u_int16_t sport, 2042 struct pf_addr *daddr, u_int16_t dport, 2043 struct pf_addr *naddr, u_int16_t *nport) 2044 { 2045 struct pf_rule *r = NULL; 2046 2047 if (direction == PF_OUT) { 2048 r = pf_match_translation(pd, m, off, direction, kif, saddr, 2049 sport, daddr, dport, PF_RULESET_BINAT); 2050 if (r == NULL) 2051 r = pf_match_translation(pd, m, off, direction, kif, 2052 saddr, sport, daddr, dport, PF_RULESET_NAT); 2053 } else { 2054 r = pf_match_translation(pd, m, off, direction, kif, saddr, 2055 sport, daddr, dport, PF_RULESET_RDR); 2056 if (r == NULL) 2057 r = pf_match_translation(pd, m, off, direction, kif, 2058 saddr, sport, daddr, dport, PF_RULESET_BINAT); 2059 } 2060 2061 if (r != NULL) { 2062 switch (r->action) { 2063 case PF_NONAT: 2064 case PF_NOBINAT: 2065 case PF_NORDR: 2066 return (NULL); 2067 case PF_NAT: 2068 if (pf_get_sport(pd->af, pd->proto, r, saddr, 2069 daddr, dport, naddr, nport, r->rpool.proxy_port[0], 2070 r->rpool.proxy_port[1], sn)) { 2071 DPFPRINTF(PF_DEBUG_MISC, 2072 ("pf: NAT proxy port allocation " 2073 "(%u-%u) failed\n", 2074 r->rpool.proxy_port[0], 2075 r->rpool.proxy_port[1])); 2076 return (NULL); 2077 } 2078 break; 2079 case PF_BINAT: 2080 switch (direction) { 2081 case PF_OUT: 2082 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ 2083 if (pd->af == AF_INET) { 2084 if (r->rpool.cur->addr.p.dyn-> 2085 pfid_acnt4 < 1) 2086 return (NULL); 2087 PF_POOLMASK(naddr, 2088 &r->rpool.cur->addr.p.dyn-> 2089 pfid_addr4, 2090 &r->rpool.cur->addr.p.dyn-> 2091 pfid_mask4, 2092 saddr, AF_INET); 2093 } else { 2094 if (r->rpool.cur->addr.p.dyn-> 2095 pfid_acnt6 < 1) 2096 return (NULL); 2097 PF_POOLMASK(naddr, 2098 &r->rpool.cur->addr.p.dyn-> 2099 pfid_addr6, 2100 &r->rpool.cur->addr.p.dyn-> 2101 pfid_mask6, 2102 saddr, AF_INET6); 2103 } 2104 } else 2105 PF_POOLMASK(naddr, 2106 &r->rpool.cur->addr.v.a.addr, 2107 &r->rpool.cur->addr.v.a.mask, 2108 saddr, pd->af); 2109 break; 2110 case PF_IN: 2111 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ 2112 if (pd->af == AF_INET) { 2113 if (r->src.addr.p.dyn-> 2114 pfid_acnt4 < 1) 2115 return (NULL); 2116 PF_POOLMASK(naddr, 2117 &r->src.addr.p.dyn-> 2118 pfid_addr4, 2119 &r->src.addr.p.dyn-> 2120 pfid_mask4, 2121 daddr, AF_INET); 2122 } else { 2123 if (r->src.addr.p.dyn-> 2124 pfid_acnt6 < 1) 2125 return (NULL); 2126 PF_POOLMASK(naddr, 2127 &r->src.addr.p.dyn-> 2128 pfid_addr6, 2129 &r->src.addr.p.dyn-> 2130 pfid_mask6, 2131 daddr, AF_INET6); 2132 } 2133 } else 2134 PF_POOLMASK(naddr, 2135 &r->src.addr.v.a.addr, 2136 &r->src.addr.v.a.mask, daddr, 2137 pd->af); 2138 break; 2139 } 2140 break; 2141 case PF_RDR: { 2142 if (pf_map_addr(r->af, r, saddr, naddr, NULL, sn)) 2143 return (NULL); 2144 2145 if (r->rpool.proxy_port[1]) { 2146 u_int32_t tmp_nport; 2147 2148 tmp_nport = ((ntohs(dport) - 2149 ntohs(r->dst.port[0])) % 2150 (r->rpool.proxy_port[1] - 2151 r->rpool.proxy_port[0] + 1)) + 2152 r->rpool.proxy_port[0]; 2153 2154 /* wrap around if necessary */ 2155 if (tmp_nport > 65535) 2156 tmp_nport -= 65535; 2157 *nport = htons((u_int16_t)tmp_nport); 2158 } else if (r->rpool.proxy_port[0]) 2159 *nport = htons(r->rpool.proxy_port[0]); 2160 break; 2161 } 2162 default: 2163 return (NULL); 2164 } 2165 } 2166 2167 return (r); 2168 } 2169 2170 #ifdef SMP 2171 struct netmsg_hashlookup { 2172 struct lwkt_msg nm_lmsg; 2173 struct inpcb **nm_pinp; 2174 struct inpcbinfo *nm_pcbinfo; 2175 struct pf_addr *nm_saddr; 2176 struct pf_addr *nm_daddr; 2177 uint16_t nm_sport; 2178 uint16_t nm_dport; 2179 sa_family_t nm_af; 2180 }; 2181 2182 static int 2183 in_pcblookup_hash_handler(struct lwkt_msg *msg0) 2184 { 2185 struct netmsg_hashlookup *msg = (struct netmsg_hashlookup *)msg0; 2186 2187 if (msg->nm_af == AF_INET) 2188 *msg->nm_pinp = in_pcblookup_hash(msg->nm_pcbinfo, 2189 msg->nm_saddr->v4, msg->nm_sport, msg->nm_daddr->v4, 2190 msg->nm_dport, INPLOOKUP_WILDCARD, NULL); 2191 #ifdef INET6 2192 else 2193 *msg->nm_pinp = in6_pcblookup_hash(msg->nm_pcbinfo, 2194 &msg->nm_saddr->v6, msg->nm_sport, &msg->nm_daddr->v6, 2195 msg->nm_dport, INPLOOKUP_WILDCARD, NULL); 2196 #endif /* INET6 */ 2197 lwkt_replymsg(&msg->nm_lmsg, 0); 2198 return (EASYNC); 2199 } 2200 #endif /* SMP */ 2201 2202 int 2203 pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd) 2204 { 2205 struct pf_addr *saddr, *daddr; 2206 u_int16_t sport, dport; 2207 struct inpcbinfo *pi; 2208 struct inpcb *inp; 2209 #ifdef SMP 2210 struct netmsg_hashlookup *msg = NULL; 2211 #endif 2212 int pi_cpu = 0; 2213 2214 *uid = UID_MAX; 2215 *gid = GID_MAX; 2216 if (direction == PF_IN) { 2217 saddr = pd->src; 2218 daddr = pd->dst; 2219 } else { 2220 saddr = pd->dst; 2221 daddr = pd->src; 2222 } 2223 switch (pd->proto) { 2224 case IPPROTO_TCP: 2225 sport = pd->hdr.tcp->th_sport; 2226 dport = pd->hdr.tcp->th_dport; 2227 2228 pi_cpu = tcp_addrcpu(saddr->v4.s_addr, sport, daddr->v4.s_addr, dport); 2229 pi = &tcbinfo[pi_cpu]; 2230 #ifdef SMP 2231 /* 2232 * Our netstack runs lockless on MP systems 2233 * (only for TCP connections at the moment). 2234 * 2235 * As we are not allowed to read another CPU's tcbinfo, 2236 * we have to ask that CPU via remote call to search the 2237 * table for us. 2238 * 2239 * Prepare a msg iff data belongs to another CPU. 2240 */ 2241 if (pi_cpu != mycpu->gd_cpuid) { 2242 msg = malloc(sizeof(*msg), M_LWKTMSG, M_INTWAIT); 2243 lwkt_initmsg(&msg->nm_lmsg, &netisr_afree_rport, 0, 2244 lwkt_cmd_func(in_pcblookup_hash_handler), 2245 lwkt_cmd_op_none); 2246 msg->nm_pinp = &inp; 2247 msg->nm_pcbinfo = pi; 2248 msg->nm_saddr = saddr; 2249 msg->nm_sport = sport; 2250 msg->nm_daddr = daddr; 2251 msg->nm_dport = dport; 2252 msg->nm_af = pd->af; 2253 } 2254 #endif /* SMP */ 2255 break; 2256 case IPPROTO_UDP: 2257 sport = pd->hdr.udp->uh_sport; 2258 dport = pd->hdr.udp->uh_dport; 2259 pi = &udbinfo; 2260 break; 2261 default: 2262 return (0); 2263 } 2264 if (direction != PF_IN) { 2265 u_int16_t p; 2266 2267 p = sport; 2268 sport = dport; 2269 dport = p; 2270 } 2271 switch (pd->af) { 2272 #ifdef INET6 2273 case AF_INET6: 2274 #ifdef SMP 2275 /* 2276 * Query other CPU, second part 2277 * 2278 * msg only gets initialized when: 2279 * 1) packet is TCP 2280 * 2) the info belongs to another CPU 2281 * 2282 * Use some switch/case magic to avoid code duplication. 2283 */ 2284 if (msg == NULL) 2285 #endif /* SMP */ 2286 { 2287 inp = in6_pcblookup_hash(pi, &saddr->v6, sport, 2288 &daddr->v6, dport, INPLOOKUP_WILDCARD, NULL); 2289 2290 if (inp == NULL) 2291 return (0); 2292 break; 2293 } 2294 /* FALLTHROUGH if SMP and on other CPU */ 2295 #endif /* INET6 */ 2296 case AF_INET: 2297 #ifdef SMP 2298 if (msg != NULL) { 2299 lwkt_sendmsg(tcp_cport(pi_cpu), &msg->nm_lmsg); 2300 } else 2301 #endif /* SMP */ 2302 { 2303 inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4, 2304 dport, INPLOOKUP_WILDCARD, NULL); 2305 } 2306 if (inp == NULL) 2307 return (0); 2308 break; 2309 2310 default: 2311 return (0); 2312 } 2313 *uid = inp->inp_socket->so_cred->cr_uid; 2314 *gid = inp->inp_socket->so_cred->cr_groups[0]; 2315 return (1); 2316 } 2317 2318 u_int8_t 2319 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2320 { 2321 int hlen; 2322 u_int8_t hdr[60]; 2323 u_int8_t *opt, optlen; 2324 u_int8_t wscale = 0; 2325 2326 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2327 if (hlen <= sizeof(struct tcphdr)) 2328 return (0); 2329 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2330 return (0); 2331 opt = hdr + sizeof(struct tcphdr); 2332 hlen -= sizeof(struct tcphdr); 2333 while (hlen >= 3) { 2334 switch (*opt) { 2335 case TCPOPT_EOL: 2336 case TCPOPT_NOP: 2337 ++opt; 2338 --hlen; 2339 break; 2340 case TCPOPT_WINDOW: 2341 wscale = opt[2]; 2342 if (wscale > TCP_MAX_WINSHIFT) 2343 wscale = TCP_MAX_WINSHIFT; 2344 wscale |= PF_WSCALE_FLAG; 2345 /* FALLTHROUGH */ 2346 default: 2347 optlen = opt[1]; 2348 if (optlen < 2) 2349 optlen = 2; 2350 hlen -= optlen; 2351 opt += optlen; 2352 break; 2353 } 2354 } 2355 return (wscale); 2356 } 2357 2358 u_int16_t 2359 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) 2360 { 2361 int hlen; 2362 u_int8_t hdr[60]; 2363 u_int8_t *opt, optlen; 2364 u_int16_t mss = tcp_mssdflt; 2365 2366 hlen = th_off << 2; /* hlen <= sizeof(hdr) */ 2367 if (hlen <= sizeof(struct tcphdr)) 2368 return (0); 2369 if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) 2370 return (0); 2371 opt = hdr + sizeof(struct tcphdr); 2372 hlen -= sizeof(struct tcphdr); 2373 while (hlen >= TCPOLEN_MAXSEG) { 2374 switch (*opt) { 2375 case TCPOPT_EOL: 2376 case TCPOPT_NOP: 2377 ++opt; 2378 --hlen; 2379 break; 2380 case TCPOPT_MAXSEG: 2381 bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2); 2382 /* FALLTHROUGH */ 2383 default: 2384 optlen = opt[1]; 2385 if (optlen < 2) 2386 optlen = 2; 2387 hlen -= optlen; 2388 opt += optlen; 2389 break; 2390 } 2391 } 2392 return (mss); 2393 } 2394 2395 u_int16_t 2396 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer) 2397 { 2398 #ifdef INET 2399 struct sockaddr_in *dst; 2400 struct route ro; 2401 #endif /* INET */ 2402 #ifdef INET6 2403 struct sockaddr_in6 *dst6; 2404 struct route_in6 ro6; 2405 #endif /* INET6 */ 2406 struct rtentry *rt = NULL; 2407 int hlen = 0; 2408 u_int16_t mss = tcp_mssdflt; 2409 2410 switch (af) { 2411 #ifdef INET 2412 case AF_INET: 2413 hlen = sizeof(struct ip); 2414 bzero(&ro, sizeof(ro)); 2415 dst = (struct sockaddr_in *)&ro.ro_dst; 2416 dst->sin_family = AF_INET; 2417 dst->sin_len = sizeof(*dst); 2418 dst->sin_addr = addr->v4; 2419 rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING)); 2420 rt = ro.ro_rt; 2421 break; 2422 #endif /* INET */ 2423 #ifdef INET6 2424 case AF_INET6: 2425 hlen = sizeof(struct ip6_hdr); 2426 bzero(&ro6, sizeof(ro6)); 2427 dst6 = (struct sockaddr_in6 *)&ro6.ro_dst; 2428 dst6->sin6_family = AF_INET6; 2429 dst6->sin6_len = sizeof(*dst6); 2430 dst6->sin6_addr = addr->v6; 2431 rtalloc_ign((struct route *)&ro6, (RTF_CLONING | RTF_PRCLONING)); 2432 rt = ro6.ro_rt; 2433 break; 2434 #endif /* INET6 */ 2435 } 2436 2437 if (rt && rt->rt_ifp) { 2438 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr); 2439 mss = max(tcp_mssdflt, mss); 2440 RTFREE(rt); 2441 } 2442 mss = min(mss, offer); 2443 mss = max(mss, 64); /* sanity - at least max opt space */ 2444 return (mss); 2445 } 2446 2447 void 2448 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr) 2449 { 2450 struct pf_rule *r = s->rule.ptr; 2451 2452 s->rt_kif = NULL; 2453 if (!r->rt || r->rt == PF_FASTROUTE) 2454 return; 2455 switch (s->af) { 2456 #ifdef INET 2457 case AF_INET: 2458 pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, 2459 &s->nat_src_node); 2460 s->rt_kif = r->rpool.cur->kif; 2461 break; 2462 #endif /* INET */ 2463 #ifdef INET6 2464 case AF_INET6: 2465 pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, 2466 &s->nat_src_node); 2467 s->rt_kif = r->rpool.cur->kif; 2468 break; 2469 #endif /* INET6 */ 2470 } 2471 } 2472 2473 int 2474 pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, 2475 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 2476 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2477 { 2478 struct pf_rule *nr = NULL; 2479 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2480 struct tcphdr *th = pd->hdr.tcp; 2481 u_int16_t bport, nport = 0; 2482 sa_family_t af = pd->af; 2483 int lookup = -1; 2484 uid_t uid; 2485 gid_t gid; 2486 struct pf_rule *r, *a = NULL; 2487 struct pf_ruleset *ruleset = NULL; 2488 struct pf_src_node *nsn = NULL; 2489 u_short reason; 2490 int rewrite = 0; 2491 int tag = -1; 2492 u_int16_t mss = tcp_mssdflt; 2493 2494 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2495 2496 if (direction == PF_OUT) { 2497 bport = nport = th->th_sport; 2498 /* check outgoing packet for BINAT/NAT */ 2499 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 2500 saddr, th->th_sport, daddr, th->th_dport, 2501 &pd->naddr, &nport)) != NULL) { 2502 PF_ACPY(&pd->baddr, saddr, af); 2503 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2504 &th->th_sum, &pd->naddr, nport, 0, af); 2505 rewrite++; 2506 if (nr->natpass) 2507 r = NULL; 2508 pd->nat_rule = nr; 2509 } 2510 } else { 2511 bport = nport = th->th_dport; 2512 /* check incoming packet for BINAT/RDR */ 2513 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 2514 saddr, th->th_sport, daddr, th->th_dport, 2515 &pd->naddr, &nport)) != NULL) { 2516 PF_ACPY(&pd->baddr, daddr, af); 2517 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2518 &th->th_sum, &pd->naddr, nport, 0, af); 2519 rewrite++; 2520 if (nr->natpass) 2521 r = NULL; 2522 pd->nat_rule = nr; 2523 } 2524 } 2525 2526 while (r != NULL) { 2527 r->evaluations++; 2528 if (r->kif != NULL && 2529 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2530 r = r->skip[PF_SKIP_IFP].ptr; 2531 else if (r->direction && r->direction != direction) 2532 r = r->skip[PF_SKIP_DIR].ptr; 2533 else if (r->af && r->af != af) 2534 r = r->skip[PF_SKIP_AF].ptr; 2535 else if (r->proto && r->proto != IPPROTO_TCP) 2536 r = r->skip[PF_SKIP_PROTO].ptr; 2537 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2538 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2539 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2540 r->src.port[0], r->src.port[1], th->th_sport)) 2541 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2542 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2543 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2544 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2545 r->dst.port[0], r->dst.port[1], th->th_dport)) 2546 r = r->skip[PF_SKIP_DST_PORT].ptr; 2547 else if (r->tos && !(r->tos & pd->tos)) 2548 r = TAILQ_NEXT(r, entries); 2549 else if (r->rule_flag & PFRULE_FRAGMENT) 2550 r = TAILQ_NEXT(r, entries); 2551 else if ((r->flagset & th->th_flags) != r->flags) 2552 r = TAILQ_NEXT(r, entries); 2553 else if (r->uid.op && (lookup != -1 || (lookup = 2554 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2555 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2556 uid)) 2557 r = TAILQ_NEXT(r, entries); 2558 else if (r->gid.op && (lookup != -1 || (lookup = 2559 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2560 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2561 gid)) 2562 r = TAILQ_NEXT(r, entries); 2563 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 2564 r = TAILQ_NEXT(r, entries); 2565 else if (r->anchorname[0] && r->anchor == NULL) 2566 r = TAILQ_NEXT(r, entries); 2567 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( 2568 pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint)) 2569 r = TAILQ_NEXT(r, entries); 2570 else { 2571 if (r->tag) 2572 tag = r->tag; 2573 if (r->anchor == NULL) { 2574 *rm = r; 2575 *am = a; 2576 *rsm = ruleset; 2577 if ((*rm)->quick) 2578 break; 2579 r = TAILQ_NEXT(r, entries); 2580 } else 2581 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2582 PF_RULESET_FILTER); 2583 } 2584 if (r == NULL && a != NULL) 2585 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2586 PF_RULESET_FILTER); 2587 } 2588 r = *rm; 2589 a = *am; 2590 ruleset = *rsm; 2591 2592 REASON_SET(&reason, PFRES_MATCH); 2593 2594 if (r->log) { 2595 if (rewrite) 2596 m_copyback(m, off, sizeof(*th), (caddr_t)th); 2597 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 2598 } 2599 2600 if ((r->action == PF_DROP) && 2601 ((r->rule_flag & PFRULE_RETURNRST) || 2602 (r->rule_flag & PFRULE_RETURNICMP) || 2603 (r->rule_flag & PFRULE_RETURN))) { 2604 /* undo NAT changes, if they have taken place */ 2605 if (nr != NULL) { 2606 if (direction == PF_OUT) { 2607 pf_change_ap(saddr, &th->th_sport, pd->ip_sum, 2608 &th->th_sum, &pd->baddr, bport, 0, af); 2609 rewrite++; 2610 } else { 2611 pf_change_ap(daddr, &th->th_dport, pd->ip_sum, 2612 &th->th_sum, &pd->baddr, bport, 0, af); 2613 rewrite++; 2614 } 2615 } 2616 if (((r->rule_flag & PFRULE_RETURNRST) || 2617 (r->rule_flag & PFRULE_RETURN)) && 2618 !(th->th_flags & TH_RST)) { 2619 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 2620 2621 if (th->th_flags & TH_SYN) 2622 ack++; 2623 if (th->th_flags & TH_FIN) 2624 ack++; 2625 pf_send_tcp(r, af, pd->dst, 2626 pd->src, th->th_dport, th->th_sport, 2627 ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0, 2628 r->return_ttl); 2629 } else if ((af == AF_INET) && r->return_icmp) 2630 pf_send_icmp(m, r->return_icmp >> 8, 2631 r->return_icmp & 255, af, r); 2632 else if ((af == AF_INET6) && r->return_icmp6) 2633 pf_send_icmp(m, r->return_icmp6 >> 8, 2634 r->return_icmp6 & 255, af, r); 2635 } 2636 2637 if (r->action == PF_DROP) 2638 return (PF_DROP); 2639 2640 pf_tag_packet(m, tag); 2641 2642 if (r->keep_state || nr != NULL || 2643 (pd->flags & PFDESC_TCP_NORM)) { 2644 /* create new state */ 2645 u_int16_t len; 2646 struct pf_state *s = NULL; 2647 struct pf_src_node *sn = NULL; 2648 2649 len = pd->tot_len - off - (th->th_off << 2); 2650 2651 /* check maximums */ 2652 if (r->max_states && (r->states >= r->max_states)) 2653 goto cleanup; 2654 /* src node for flter rule */ 2655 if ((r->rule_flag & PFRULE_SRCTRACK || 2656 r->rpool.opts & PF_POOL_STICKYADDR) && 2657 pf_insert_src_node(&sn, r, saddr, af) != 0) 2658 goto cleanup; 2659 /* src node for translation rule */ 2660 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 2661 ((direction == PF_OUT && 2662 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 2663 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 2664 goto cleanup; 2665 s = pool_get(&pf_state_pl, PR_NOWAIT); 2666 if (s == NULL) { 2667 cleanup: 2668 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 2669 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 2670 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2671 pf_status.src_nodes--; 2672 pool_put(&pf_src_tree_pl, sn); 2673 } 2674 if (nsn != sn && nsn != NULL && nsn->states == 0 && 2675 nsn->expire == 0) { 2676 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 2677 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 2678 pf_status.src_nodes--; 2679 pool_put(&pf_src_tree_pl, nsn); 2680 } 2681 REASON_SET(&reason, PFRES_MEMORY); 2682 return (PF_DROP); 2683 } 2684 bzero(s, sizeof(*s)); 2685 r->states++; 2686 if (a != NULL) 2687 a->states++; 2688 s->rule.ptr = r; 2689 s->nat_rule.ptr = nr; 2690 if (s->nat_rule.ptr != NULL) 2691 s->nat_rule.ptr->states++; 2692 s->anchor.ptr = a; 2693 s->allow_opts = r->allow_opts; 2694 s->log = r->log & 2; 2695 s->proto = IPPROTO_TCP; 2696 s->direction = direction; 2697 s->af = af; 2698 if (direction == PF_OUT) { 2699 PF_ACPY(&s->gwy.addr, saddr, af); 2700 s->gwy.port = th->th_sport; /* sport */ 2701 PF_ACPY(&s->ext.addr, daddr, af); 2702 s->ext.port = th->th_dport; 2703 if (nr != NULL) { 2704 PF_ACPY(&s->lan.addr, &pd->baddr, af); 2705 s->lan.port = bport; 2706 } else { 2707 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 2708 s->lan.port = s->gwy.port; 2709 } 2710 } else { 2711 PF_ACPY(&s->lan.addr, daddr, af); 2712 s->lan.port = th->th_dport; 2713 PF_ACPY(&s->ext.addr, saddr, af); 2714 s->ext.port = th->th_sport; 2715 if (nr != NULL) { 2716 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 2717 s->gwy.port = bport; 2718 } else { 2719 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 2720 s->gwy.port = s->lan.port; 2721 } 2722 } 2723 2724 s->src.seqlo = ntohl(th->th_seq); 2725 s->src.seqhi = s->src.seqlo + len + 1; 2726 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2727 r->keep_state == PF_STATE_MODULATE) { 2728 /* Generate sequence number modulator */ 2729 while ((s->src.seqdiff = arc4random()) == 0) 2730 ; 2731 pf_change_a(&th->th_seq, &th->th_sum, 2732 htonl(s->src.seqlo + s->src.seqdiff), 0); 2733 rewrite = 1; 2734 } else 2735 s->src.seqdiff = 0; 2736 if (th->th_flags & TH_SYN) { 2737 s->src.seqhi++; 2738 s->src.wscale = pf_get_wscale(m, off, th->th_off, af); 2739 } 2740 s->src.max_win = MAX(ntohs(th->th_win), 1); 2741 if (s->src.wscale & PF_WSCALE_MASK) { 2742 /* Remove scale factor from initial window */ 2743 int win = s->src.max_win; 2744 win += 1 << (s->src.wscale & PF_WSCALE_MASK); 2745 s->src.max_win = (win - 1) >> 2746 (s->src.wscale & PF_WSCALE_MASK); 2747 } 2748 if (th->th_flags & TH_FIN) 2749 s->src.seqhi++; 2750 s->dst.seqhi = 1; 2751 s->dst.max_win = 1; 2752 s->src.state = TCPS_SYN_SENT; 2753 s->dst.state = TCPS_CLOSED; 2754 s->creation = time_second; 2755 s->expire = time_second; 2756 s->timeout = PFTM_TCP_FIRST_PACKET; 2757 pf_set_rt_ifp(s, saddr); 2758 if (sn != NULL) { 2759 s->src_node = sn; 2760 s->src_node->states++; 2761 } 2762 if (nsn != NULL) { 2763 PF_ACPY(&nsn->raddr, &pd->naddr, af); 2764 s->nat_src_node = nsn; 2765 s->nat_src_node->states++; 2766 } 2767 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m, 2768 off, pd, th, &s->src, &s->dst)) { 2769 REASON_SET(&reason, PFRES_MEMORY); 2770 pf_src_tree_remove_state(s); 2771 pool_put(&pf_state_pl, s); 2772 return (PF_DROP); 2773 } 2774 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub && 2775 pf_normalize_tcp_stateful(m, off, pd, &reason, th, &s->src, 2776 &s->dst, &rewrite)) { 2777 pf_normalize_tcp_cleanup(s); 2778 pf_src_tree_remove_state(s); 2779 pool_put(&pf_state_pl, s); 2780 return (PF_DROP); 2781 } 2782 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 2783 pf_normalize_tcp_cleanup(s); 2784 REASON_SET(&reason, PFRES_MEMORY); 2785 pf_src_tree_remove_state(s); 2786 pool_put(&pf_state_pl, s); 2787 return (PF_DROP); 2788 } else 2789 *sm = s; 2790 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && 2791 r->keep_state == PF_STATE_SYNPROXY) { 2792 s->src.state = PF_TCPS_PROXY_SRC; 2793 if (nr != NULL) { 2794 if (direction == PF_OUT) { 2795 pf_change_ap(saddr, &th->th_sport, 2796 pd->ip_sum, &th->th_sum, &pd->baddr, 2797 bport, 0, af); 2798 } else { 2799 pf_change_ap(daddr, &th->th_dport, 2800 pd->ip_sum, &th->th_sum, &pd->baddr, 2801 bport, 0, af); 2802 } 2803 } 2804 s->src.seqhi = arc4random(); 2805 /* Find mss option */ 2806 mss = pf_get_mss(m, off, th->th_off, af); 2807 mss = pf_calc_mss(saddr, af, mss); 2808 mss = pf_calc_mss(daddr, af, mss); 2809 s->src.mss = mss; 2810 pf_send_tcp(r, af, daddr, saddr, th->th_dport, 2811 th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1, 2812 TH_SYN|TH_ACK, 0, s->src.mss, 0); 2813 return (PF_SYNPROXY_DROP); 2814 } 2815 } 2816 2817 /* copy back packet headers if we performed NAT operations */ 2818 if (rewrite) 2819 m_copyback(m, off, sizeof(*th), (caddr_t)th); 2820 2821 return (PF_PASS); 2822 } 2823 2824 int 2825 pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, 2826 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 2827 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 2828 { 2829 struct pf_rule *nr = NULL; 2830 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 2831 struct udphdr *uh = pd->hdr.udp; 2832 u_int16_t bport, nport = 0; 2833 sa_family_t af = pd->af; 2834 int lookup = -1; 2835 uid_t uid; 2836 gid_t gid; 2837 struct pf_rule *r, *a = NULL; 2838 struct pf_ruleset *ruleset = NULL; 2839 struct pf_src_node *nsn = NULL; 2840 u_short reason; 2841 int rewrite = 0; 2842 int tag = -1; 2843 2844 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 2845 2846 if (direction == PF_OUT) { 2847 bport = nport = uh->uh_sport; 2848 /* check outgoing packet for BINAT/NAT */ 2849 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 2850 saddr, uh->uh_sport, daddr, uh->uh_dport, 2851 &pd->naddr, &nport)) != NULL) { 2852 PF_ACPY(&pd->baddr, saddr, af); 2853 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2854 &uh->uh_sum, &pd->naddr, nport, 1, af); 2855 rewrite++; 2856 if (nr->natpass) 2857 r = NULL; 2858 pd->nat_rule = nr; 2859 } 2860 } else { 2861 bport = nport = uh->uh_dport; 2862 /* check incoming packet for BINAT/RDR */ 2863 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 2864 saddr, uh->uh_sport, daddr, uh->uh_dport, &pd->naddr, 2865 &nport)) != NULL) { 2866 PF_ACPY(&pd->baddr, daddr, af); 2867 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2868 &uh->uh_sum, &pd->naddr, nport, 1, af); 2869 rewrite++; 2870 if (nr->natpass) 2871 r = NULL; 2872 pd->nat_rule = nr; 2873 } 2874 } 2875 2876 while (r != NULL) { 2877 r->evaluations++; 2878 if (r->kif != NULL && 2879 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 2880 r = r->skip[PF_SKIP_IFP].ptr; 2881 else if (r->direction && r->direction != direction) 2882 r = r->skip[PF_SKIP_DIR].ptr; 2883 else if (r->af && r->af != af) 2884 r = r->skip[PF_SKIP_AF].ptr; 2885 else if (r->proto && r->proto != IPPROTO_UDP) 2886 r = r->skip[PF_SKIP_PROTO].ptr; 2887 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 2888 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 2889 else if (r->src.port_op && !pf_match_port(r->src.port_op, 2890 r->src.port[0], r->src.port[1], uh->uh_sport)) 2891 r = r->skip[PF_SKIP_SRC_PORT].ptr; 2892 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 2893 r = r->skip[PF_SKIP_DST_ADDR].ptr; 2894 else if (r->dst.port_op && !pf_match_port(r->dst.port_op, 2895 r->dst.port[0], r->dst.port[1], uh->uh_dport)) 2896 r = r->skip[PF_SKIP_DST_PORT].ptr; 2897 else if (r->tos && !(r->tos & pd->tos)) 2898 r = TAILQ_NEXT(r, entries); 2899 else if (r->rule_flag & PFRULE_FRAGMENT) 2900 r = TAILQ_NEXT(r, entries); 2901 else if (r->uid.op && (lookup != -1 || (lookup = 2902 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2903 !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], 2904 uid)) 2905 r = TAILQ_NEXT(r, entries); 2906 else if (r->gid.op && (lookup != -1 || (lookup = 2907 pf_socket_lookup(&uid, &gid, direction, pd), 1)) && 2908 !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], 2909 gid)) 2910 r = TAILQ_NEXT(r, entries); 2911 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 2912 r = TAILQ_NEXT(r, entries); 2913 else if (r->anchorname[0] && r->anchor == NULL) 2914 r = TAILQ_NEXT(r, entries); 2915 else if (r->os_fingerprint != PF_OSFP_ANY) 2916 r = TAILQ_NEXT(r, entries); 2917 else { 2918 if (r->tag) 2919 tag = r->tag; 2920 if (r->anchor == NULL) { 2921 *rm = r; 2922 *am = a; 2923 *rsm = ruleset; 2924 if ((*rm)->quick) 2925 break; 2926 r = TAILQ_NEXT(r, entries); 2927 } else 2928 PF_STEP_INTO_ANCHOR(r, a, ruleset, 2929 PF_RULESET_FILTER); 2930 } 2931 if (r == NULL && a != NULL) 2932 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 2933 PF_RULESET_FILTER); 2934 } 2935 r = *rm; 2936 a = *am; 2937 ruleset = *rsm; 2938 2939 REASON_SET(&reason, PFRES_MATCH); 2940 2941 if (r->log) { 2942 if (rewrite) 2943 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 2944 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 2945 } 2946 2947 if ((r->action == PF_DROP) && 2948 ((r->rule_flag & PFRULE_RETURNICMP) || 2949 (r->rule_flag & PFRULE_RETURN))) { 2950 /* undo NAT changes, if they have taken place */ 2951 if (nr != NULL) { 2952 if (direction == PF_OUT) { 2953 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum, 2954 &uh->uh_sum, &pd->baddr, bport, 1, af); 2955 rewrite++; 2956 } else { 2957 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum, 2958 &uh->uh_sum, &pd->baddr, bport, 1, af); 2959 rewrite++; 2960 } 2961 } 2962 if ((af == AF_INET) && r->return_icmp) 2963 pf_send_icmp(m, r->return_icmp >> 8, 2964 r->return_icmp & 255, af, r); 2965 else if ((af == AF_INET6) && r->return_icmp6) 2966 pf_send_icmp(m, r->return_icmp6 >> 8, 2967 r->return_icmp6 & 255, af, r); 2968 } 2969 2970 if (r->action == PF_DROP) 2971 return (PF_DROP); 2972 2973 pf_tag_packet(m, tag); 2974 2975 if (r->keep_state || nr != NULL) { 2976 /* create new state */ 2977 struct pf_state *s = NULL; 2978 struct pf_src_node *sn = NULL; 2979 2980 /* check maximums */ 2981 if (r->max_states && (r->states >= r->max_states)) 2982 goto cleanup; 2983 /* src node for flter rule */ 2984 if ((r->rule_flag & PFRULE_SRCTRACK || 2985 r->rpool.opts & PF_POOL_STICKYADDR) && 2986 pf_insert_src_node(&sn, r, saddr, af) != 0) 2987 goto cleanup; 2988 /* src node for translation rule */ 2989 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 2990 ((direction == PF_OUT && 2991 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 2992 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 2993 goto cleanup; 2994 s = pool_get(&pf_state_pl, PR_NOWAIT); 2995 if (s == NULL) { 2996 cleanup: 2997 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 2998 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 2999 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3000 pf_status.src_nodes--; 3001 pool_put(&pf_src_tree_pl, sn); 3002 } 3003 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3004 nsn->expire == 0) { 3005 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3006 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3007 pf_status.src_nodes--; 3008 pool_put(&pf_src_tree_pl, nsn); 3009 } 3010 REASON_SET(&reason, PFRES_MEMORY); 3011 return (PF_DROP); 3012 } 3013 bzero(s, sizeof(*s)); 3014 r->states++; 3015 if (a != NULL) 3016 a->states++; 3017 s->rule.ptr = r; 3018 s->nat_rule.ptr = nr; 3019 if (s->nat_rule.ptr != NULL) 3020 s->nat_rule.ptr->states++; 3021 s->anchor.ptr = a; 3022 s->allow_opts = r->allow_opts; 3023 s->log = r->log & 2; 3024 s->proto = IPPROTO_UDP; 3025 s->direction = direction; 3026 s->af = af; 3027 if (direction == PF_OUT) { 3028 PF_ACPY(&s->gwy.addr, saddr, af); 3029 s->gwy.port = uh->uh_sport; 3030 PF_ACPY(&s->ext.addr, daddr, af); 3031 s->ext.port = uh->uh_dport; 3032 if (nr != NULL) { 3033 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3034 s->lan.port = bport; 3035 } else { 3036 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3037 s->lan.port = s->gwy.port; 3038 } 3039 } else { 3040 PF_ACPY(&s->lan.addr, daddr, af); 3041 s->lan.port = uh->uh_dport; 3042 PF_ACPY(&s->ext.addr, saddr, af); 3043 s->ext.port = uh->uh_sport; 3044 if (nr != NULL) { 3045 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3046 s->gwy.port = bport; 3047 } else { 3048 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3049 s->gwy.port = s->lan.port; 3050 } 3051 } 3052 s->src.state = PFUDPS_SINGLE; 3053 s->dst.state = PFUDPS_NO_TRAFFIC; 3054 s->creation = time_second; 3055 s->expire = time_second; 3056 s->timeout = PFTM_UDP_FIRST_PACKET; 3057 pf_set_rt_ifp(s, saddr); 3058 if (sn != NULL) { 3059 s->src_node = sn; 3060 s->src_node->states++; 3061 } 3062 if (nsn != NULL) { 3063 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3064 s->nat_src_node = nsn; 3065 s->nat_src_node->states++; 3066 } 3067 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3068 REASON_SET(&reason, PFRES_MEMORY); 3069 pf_src_tree_remove_state(s); 3070 pool_put(&pf_state_pl, s); 3071 return (PF_DROP); 3072 } else 3073 *sm = s; 3074 } 3075 3076 /* copy back packet headers if we performed NAT operations */ 3077 if (rewrite) 3078 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 3079 3080 return (PF_PASS); 3081 } 3082 3083 int 3084 pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction, 3085 struct pfi_kif *kif, struct mbuf *m, int off, void *h, 3086 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm) 3087 { 3088 struct pf_rule *nr = NULL; 3089 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3090 struct pf_rule *r, *a = NULL; 3091 struct pf_ruleset *ruleset = NULL; 3092 struct pf_src_node *nsn = NULL; 3093 u_short reason; 3094 u_int16_t icmpid = 0; 3095 sa_family_t af = pd->af; 3096 u_int8_t icmptype = 0, icmpcode = 0; 3097 int state_icmp = 0; 3098 int tag = -1; 3099 #ifdef INET6 3100 int rewrite = 0; 3101 #endif /* INET6 */ 3102 3103 switch (pd->proto) { 3104 #ifdef INET 3105 case IPPROTO_ICMP: 3106 icmptype = pd->hdr.icmp->icmp_type; 3107 icmpcode = pd->hdr.icmp->icmp_code; 3108 icmpid = pd->hdr.icmp->icmp_id; 3109 3110 if (icmptype == ICMP_UNREACH || 3111 icmptype == ICMP_SOURCEQUENCH || 3112 icmptype == ICMP_REDIRECT || 3113 icmptype == ICMP_TIMXCEED || 3114 icmptype == ICMP_PARAMPROB) 3115 state_icmp++; 3116 break; 3117 #endif /* INET */ 3118 #ifdef INET6 3119 case IPPROTO_ICMPV6: 3120 icmptype = pd->hdr.icmp6->icmp6_type; 3121 icmpcode = pd->hdr.icmp6->icmp6_code; 3122 icmpid = pd->hdr.icmp6->icmp6_id; 3123 3124 if (icmptype == ICMP6_DST_UNREACH || 3125 icmptype == ICMP6_PACKET_TOO_BIG || 3126 icmptype == ICMP6_TIME_EXCEEDED || 3127 icmptype == ICMP6_PARAM_PROB) 3128 state_icmp++; 3129 break; 3130 #endif /* INET6 */ 3131 } 3132 3133 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3134 3135 if (direction == PF_OUT) { 3136 /* check outgoing packet for BINAT/NAT */ 3137 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3138 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3139 PF_ACPY(&pd->baddr, saddr, af); 3140 switch (af) { 3141 #ifdef INET 3142 case AF_INET: 3143 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 3144 pd->naddr.v4.s_addr, 0); 3145 break; 3146 #endif /* INET */ 3147 #ifdef INET6 3148 case AF_INET6: 3149 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum, 3150 &pd->naddr, 0); 3151 rewrite++; 3152 break; 3153 #endif /* INET6 */ 3154 } 3155 if (nr->natpass) 3156 r = NULL; 3157 pd->nat_rule = nr; 3158 } 3159 } else { 3160 /* check incoming packet for BINAT/RDR */ 3161 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 3162 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3163 PF_ACPY(&pd->baddr, daddr, af); 3164 switch (af) { 3165 #ifdef INET 3166 case AF_INET: 3167 pf_change_a(&daddr->v4.s_addr, 3168 pd->ip_sum, pd->naddr.v4.s_addr, 0); 3169 break; 3170 #endif /* INET */ 3171 #ifdef INET6 3172 case AF_INET6: 3173 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum, 3174 &pd->naddr, 0); 3175 rewrite++; 3176 break; 3177 #endif /* INET6 */ 3178 } 3179 if (nr->natpass) 3180 r = NULL; 3181 pd->nat_rule = nr; 3182 } 3183 } 3184 3185 while (r != NULL) { 3186 r->evaluations++; 3187 if (r->kif != NULL && 3188 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3189 r = r->skip[PF_SKIP_IFP].ptr; 3190 else if (r->direction && r->direction != direction) 3191 r = r->skip[PF_SKIP_DIR].ptr; 3192 else if (r->af && r->af != af) 3193 r = r->skip[PF_SKIP_AF].ptr; 3194 else if (r->proto && r->proto != pd->proto) 3195 r = r->skip[PF_SKIP_PROTO].ptr; 3196 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not)) 3197 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3198 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not)) 3199 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3200 else if (r->type && r->type != icmptype + 1) 3201 r = TAILQ_NEXT(r, entries); 3202 else if (r->code && r->code != icmpcode + 1) 3203 r = TAILQ_NEXT(r, entries); 3204 else if (r->tos && !(r->tos & pd->tos)) 3205 r = TAILQ_NEXT(r, entries); 3206 else if (r->rule_flag & PFRULE_FRAGMENT) 3207 r = TAILQ_NEXT(r, entries); 3208 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 3209 r = TAILQ_NEXT(r, entries); 3210 else if (r->anchorname[0] && r->anchor == NULL) 3211 r = TAILQ_NEXT(r, entries); 3212 else if (r->os_fingerprint != PF_OSFP_ANY) 3213 r = TAILQ_NEXT(r, entries); 3214 else { 3215 if (r->tag) 3216 tag = r->tag; 3217 if (r->anchor == NULL) { 3218 *rm = r; 3219 *am = a; 3220 *rsm = ruleset; 3221 if ((*rm)->quick) 3222 break; 3223 r = TAILQ_NEXT(r, entries); 3224 } else 3225 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3226 PF_RULESET_FILTER); 3227 } 3228 if (r == NULL && a != NULL) 3229 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3230 PF_RULESET_FILTER); 3231 } 3232 r = *rm; 3233 a = *am; 3234 ruleset = *rsm; 3235 3236 REASON_SET(&reason, PFRES_MATCH); 3237 3238 if (r->log) { 3239 #ifdef INET6 3240 if (rewrite) 3241 m_copyback(m, off, sizeof(struct icmp6_hdr), 3242 (caddr_t)pd->hdr.icmp6); 3243 #endif /* INET6 */ 3244 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3245 } 3246 3247 if (r->action != PF_PASS) 3248 return (PF_DROP); 3249 3250 pf_tag_packet(m, tag); 3251 3252 if (!state_icmp && (r->keep_state || nr != NULL)) { 3253 /* create new state */ 3254 struct pf_state *s = NULL; 3255 struct pf_src_node *sn = NULL; 3256 3257 /* check maximums */ 3258 if (r->max_states && (r->states >= r->max_states)) 3259 goto cleanup; 3260 /* src node for flter rule */ 3261 if ((r->rule_flag & PFRULE_SRCTRACK || 3262 r->rpool.opts & PF_POOL_STICKYADDR) && 3263 pf_insert_src_node(&sn, r, saddr, af) != 0) 3264 goto cleanup; 3265 /* src node for translation rule */ 3266 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3267 ((direction == PF_OUT && 3268 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 3269 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 3270 goto cleanup; 3271 s = pool_get(&pf_state_pl, PR_NOWAIT); 3272 if (s == NULL) { 3273 cleanup: 3274 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3275 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3276 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3277 pf_status.src_nodes--; 3278 pool_put(&pf_src_tree_pl, sn); 3279 } 3280 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3281 nsn->expire == 0) { 3282 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3283 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3284 pf_status.src_nodes--; 3285 pool_put(&pf_src_tree_pl, nsn); 3286 } 3287 REASON_SET(&reason, PFRES_MEMORY); 3288 return (PF_DROP); 3289 } 3290 bzero(s, sizeof(*s)); 3291 r->states++; 3292 if (a != NULL) 3293 a->states++; 3294 s->rule.ptr = r; 3295 s->nat_rule.ptr = nr; 3296 if (s->nat_rule.ptr != NULL) 3297 s->nat_rule.ptr->states++; 3298 s->anchor.ptr = a; 3299 s->allow_opts = r->allow_opts; 3300 s->log = r->log & 2; 3301 s->proto = pd->proto; 3302 s->direction = direction; 3303 s->af = af; 3304 if (direction == PF_OUT) { 3305 PF_ACPY(&s->gwy.addr, saddr, af); 3306 s->gwy.port = icmpid; 3307 PF_ACPY(&s->ext.addr, daddr, af); 3308 s->ext.port = icmpid; 3309 if (nr != NULL) 3310 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3311 else 3312 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3313 s->lan.port = icmpid; 3314 } else { 3315 PF_ACPY(&s->lan.addr, daddr, af); 3316 s->lan.port = icmpid; 3317 PF_ACPY(&s->ext.addr, saddr, af); 3318 s->ext.port = icmpid; 3319 if (nr != NULL) 3320 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3321 else 3322 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3323 s->gwy.port = icmpid; 3324 } 3325 s->creation = time_second; 3326 s->expire = time_second; 3327 s->timeout = PFTM_ICMP_FIRST_PACKET; 3328 pf_set_rt_ifp(s, saddr); 3329 if (sn != NULL) { 3330 s->src_node = sn; 3331 s->src_node->states++; 3332 } 3333 if (nsn != NULL) { 3334 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3335 s->nat_src_node = nsn; 3336 s->nat_src_node->states++; 3337 } 3338 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3339 REASON_SET(&reason, PFRES_MEMORY); 3340 pf_src_tree_remove_state(s); 3341 pool_put(&pf_state_pl, s); 3342 return (PF_DROP); 3343 } else 3344 *sm = s; 3345 } 3346 3347 #ifdef INET6 3348 /* copy back packet headers if we performed IPv6 NAT operations */ 3349 if (rewrite) 3350 m_copyback(m, off, sizeof(struct icmp6_hdr), 3351 (caddr_t)pd->hdr.icmp6); 3352 #endif /* INET6 */ 3353 3354 return (PF_PASS); 3355 } 3356 3357 int 3358 pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction, 3359 struct pfi_kif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 3360 struct pf_rule **am, struct pf_ruleset **rsm) 3361 { 3362 struct pf_rule *nr = NULL; 3363 struct pf_rule *r, *a = NULL; 3364 struct pf_ruleset *ruleset = NULL; 3365 struct pf_src_node *nsn = NULL; 3366 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 3367 sa_family_t af = pd->af; 3368 u_short reason; 3369 int tag = -1; 3370 3371 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3372 3373 if (direction == PF_OUT) { 3374 /* check outgoing packet for BINAT/NAT */ 3375 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn, 3376 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3377 PF_ACPY(&pd->baddr, saddr, af); 3378 switch (af) { 3379 #ifdef INET 3380 case AF_INET: 3381 pf_change_a(&saddr->v4.s_addr, pd->ip_sum, 3382 pd->naddr.v4.s_addr, 0); 3383 break; 3384 #endif /* INET */ 3385 #ifdef INET6 3386 case AF_INET6: 3387 PF_ACPY(saddr, &pd->naddr, af); 3388 break; 3389 #endif /* INET6 */ 3390 } 3391 if (nr->natpass) 3392 r = NULL; 3393 pd->nat_rule = nr; 3394 } 3395 } else { 3396 /* check incoming packet for BINAT/RDR */ 3397 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn, 3398 saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) { 3399 PF_ACPY(&pd->baddr, daddr, af); 3400 switch (af) { 3401 #ifdef INET 3402 case AF_INET: 3403 pf_change_a(&daddr->v4.s_addr, 3404 pd->ip_sum, pd->naddr.v4.s_addr, 0); 3405 break; 3406 #endif /* INET */ 3407 #ifdef INET6 3408 case AF_INET6: 3409 PF_ACPY(daddr, &pd->naddr, af); 3410 break; 3411 #endif /* INET6 */ 3412 } 3413 if (nr->natpass) 3414 r = NULL; 3415 pd->nat_rule = nr; 3416 } 3417 } 3418 3419 while (r != NULL) { 3420 r->evaluations++; 3421 if (r->kif != NULL && 3422 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3423 r = r->skip[PF_SKIP_IFP].ptr; 3424 else if (r->direction && r->direction != direction) 3425 r = r->skip[PF_SKIP_DIR].ptr; 3426 else if (r->af && r->af != af) 3427 r = r->skip[PF_SKIP_AF].ptr; 3428 else if (r->proto && r->proto != pd->proto) 3429 r = r->skip[PF_SKIP_PROTO].ptr; 3430 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3431 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3432 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3433 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3434 else if (r->tos && !(r->tos & pd->tos)) 3435 r = TAILQ_NEXT(r, entries); 3436 else if (r->rule_flag & PFRULE_FRAGMENT) 3437 r = TAILQ_NEXT(r, entries); 3438 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) 3439 r = TAILQ_NEXT(r, entries); 3440 else if (r->anchorname[0] && r->anchor == NULL) 3441 r = TAILQ_NEXT(r, entries); 3442 else if (r->os_fingerprint != PF_OSFP_ANY) 3443 r = TAILQ_NEXT(r, entries); 3444 else { 3445 if (r->tag) 3446 tag = r->tag; 3447 if (r->anchor == NULL) { 3448 *rm = r; 3449 *am = a; 3450 *rsm = ruleset; 3451 if ((*rm)->quick) 3452 break; 3453 r = TAILQ_NEXT(r, entries); 3454 } else 3455 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3456 PF_RULESET_FILTER); 3457 } 3458 if (r == NULL && a != NULL) 3459 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3460 PF_RULESET_FILTER); 3461 } 3462 r = *rm; 3463 a = *am; 3464 ruleset = *rsm; 3465 3466 REASON_SET(&reason, PFRES_MATCH); 3467 3468 if (r->log) 3469 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3470 3471 if ((r->action == PF_DROP) && 3472 ((r->rule_flag & PFRULE_RETURNICMP) || 3473 (r->rule_flag & PFRULE_RETURN))) { 3474 struct pf_addr *a = NULL; 3475 3476 if (nr != NULL) { 3477 if (direction == PF_OUT) 3478 a = saddr; 3479 else 3480 a = daddr; 3481 } 3482 if (a != NULL) { 3483 switch (af) { 3484 #ifdef INET 3485 case AF_INET: 3486 pf_change_a(&a->v4.s_addr, pd->ip_sum, 3487 pd->baddr.v4.s_addr, 0); 3488 break; 3489 #endif /* INET */ 3490 #ifdef INET6 3491 case AF_INET6: 3492 PF_ACPY(a, &pd->baddr, af); 3493 break; 3494 #endif /* INET6 */ 3495 } 3496 } 3497 if ((af == AF_INET) && r->return_icmp) 3498 pf_send_icmp(m, r->return_icmp >> 8, 3499 r->return_icmp & 255, af, r); 3500 else if ((af == AF_INET6) && r->return_icmp6) 3501 pf_send_icmp(m, r->return_icmp6 >> 8, 3502 r->return_icmp6 & 255, af, r); 3503 } 3504 3505 if (r->action != PF_PASS) 3506 return (PF_DROP); 3507 3508 pf_tag_packet(m, tag); 3509 3510 if (r->keep_state || nr != NULL) { 3511 /* create new state */ 3512 struct pf_state *s = NULL; 3513 struct pf_src_node *sn = NULL; 3514 3515 /* check maximums */ 3516 if (r->max_states && (r->states >= r->max_states)) 3517 goto cleanup; 3518 /* src node for flter rule */ 3519 if ((r->rule_flag & PFRULE_SRCTRACK || 3520 r->rpool.opts & PF_POOL_STICKYADDR) && 3521 pf_insert_src_node(&sn, r, saddr, af) != 0) 3522 goto cleanup; 3523 /* src node for translation rule */ 3524 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && 3525 ((direction == PF_OUT && 3526 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) || 3527 (pf_insert_src_node(&nsn, nr, saddr, af) != 0))) 3528 goto cleanup; 3529 s = pool_get(&pf_state_pl, PR_NOWAIT); 3530 if (s == NULL) { 3531 cleanup: 3532 if (sn != NULL && sn->states == 0 && sn->expire == 0) { 3533 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); 3534 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3535 pf_status.src_nodes--; 3536 pool_put(&pf_src_tree_pl, sn); 3537 } 3538 if (nsn != sn && nsn != NULL && nsn->states == 0 && 3539 nsn->expire == 0) { 3540 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); 3541 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; 3542 pf_status.src_nodes--; 3543 pool_put(&pf_src_tree_pl, nsn); 3544 } 3545 REASON_SET(&reason, PFRES_MEMORY); 3546 return (PF_DROP); 3547 } 3548 bzero(s, sizeof(*s)); 3549 r->states++; 3550 if (a != NULL) 3551 a->states++; 3552 s->rule.ptr = r; 3553 s->nat_rule.ptr = nr; 3554 if (s->nat_rule.ptr != NULL) 3555 s->nat_rule.ptr->states++; 3556 s->anchor.ptr = a; 3557 s->allow_opts = r->allow_opts; 3558 s->log = r->log & 2; 3559 s->proto = pd->proto; 3560 s->direction = direction; 3561 s->af = af; 3562 if (direction == PF_OUT) { 3563 PF_ACPY(&s->gwy.addr, saddr, af); 3564 PF_ACPY(&s->ext.addr, daddr, af); 3565 if (nr != NULL) 3566 PF_ACPY(&s->lan.addr, &pd->baddr, af); 3567 else 3568 PF_ACPY(&s->lan.addr, &s->gwy.addr, af); 3569 } else { 3570 PF_ACPY(&s->lan.addr, daddr, af); 3571 PF_ACPY(&s->ext.addr, saddr, af); 3572 if (nr != NULL) 3573 PF_ACPY(&s->gwy.addr, &pd->baddr, af); 3574 else 3575 PF_ACPY(&s->gwy.addr, &s->lan.addr, af); 3576 } 3577 s->src.state = PFOTHERS_SINGLE; 3578 s->dst.state = PFOTHERS_NO_TRAFFIC; 3579 s->creation = time_second; 3580 s->expire = time_second; 3581 s->timeout = PFTM_OTHER_FIRST_PACKET; 3582 pf_set_rt_ifp(s, saddr); 3583 if (sn != NULL) { 3584 s->src_node = sn; 3585 s->src_node->states++; 3586 } 3587 if (nsn != NULL) { 3588 PF_ACPY(&nsn->raddr, &pd->naddr, af); 3589 s->nat_src_node = nsn; 3590 s->nat_src_node->states++; 3591 } 3592 if (pf_insert_state(BOUND_IFACE(r, kif), s)) { 3593 REASON_SET(&reason, PFRES_MEMORY); 3594 pf_src_tree_remove_state(s); 3595 pool_put(&pf_state_pl, s); 3596 return (PF_DROP); 3597 } else 3598 *sm = s; 3599 } 3600 3601 return (PF_PASS); 3602 } 3603 3604 int 3605 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, 3606 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am, 3607 struct pf_ruleset **rsm) 3608 { 3609 struct pf_rule *r, *a = NULL; 3610 struct pf_ruleset *ruleset = NULL; 3611 sa_family_t af = pd->af; 3612 u_short reason; 3613 int tag = -1; 3614 3615 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); 3616 while (r != NULL) { 3617 r->evaluations++; 3618 if (r->kif != NULL && 3619 (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot) 3620 r = r->skip[PF_SKIP_IFP].ptr; 3621 else if (r->direction && r->direction != direction) 3622 r = r->skip[PF_SKIP_DIR].ptr; 3623 else if (r->af && r->af != af) 3624 r = r->skip[PF_SKIP_AF].ptr; 3625 else if (r->proto && r->proto != pd->proto) 3626 r = r->skip[PF_SKIP_PROTO].ptr; 3627 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not)) 3628 r = r->skip[PF_SKIP_SRC_ADDR].ptr; 3629 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not)) 3630 r = r->skip[PF_SKIP_DST_ADDR].ptr; 3631 else if (r->tos && !(r->tos & pd->tos)) 3632 r = TAILQ_NEXT(r, entries); 3633 else if (r->src.port_op || r->dst.port_op || 3634 r->flagset || r->type || r->code || 3635 r->os_fingerprint != PF_OSFP_ANY) 3636 r = TAILQ_NEXT(r, entries); 3637 else if (r->match_tag && !pf_match_tag(m, r, NULL, &tag)) 3638 r = TAILQ_NEXT(r, entries); 3639 else if (r->anchorname[0] && r->anchor == NULL) 3640 r = TAILQ_NEXT(r, entries); 3641 else { 3642 if (r->anchor == NULL) { 3643 *rm = r; 3644 *am = a; 3645 *rsm = ruleset; 3646 if ((*rm)->quick) 3647 break; 3648 r = TAILQ_NEXT(r, entries); 3649 } else 3650 PF_STEP_INTO_ANCHOR(r, a, ruleset, 3651 PF_RULESET_FILTER); 3652 } 3653 if (r == NULL && a != NULL) 3654 PF_STEP_OUT_OF_ANCHOR(r, a, ruleset, 3655 PF_RULESET_FILTER); 3656 } 3657 r = *rm; 3658 a = *am; 3659 ruleset = *rsm; 3660 3661 REASON_SET(&reason, PFRES_MATCH); 3662 3663 if (r->log) 3664 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset); 3665 3666 if (r->action != PF_PASS) 3667 return (PF_DROP); 3668 3669 pf_tag_packet(m, tag); 3670 3671 return (PF_PASS); 3672 } 3673 3674 int 3675 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif, 3676 struct mbuf *m, int off, void *h, struct pf_pdesc *pd, 3677 u_short *reason) 3678 { 3679 struct pf_state key; 3680 struct tcphdr *th = pd->hdr.tcp; 3681 u_int16_t win = ntohs(th->th_win); 3682 u_int32_t ack, end, seq; 3683 u_int8_t sws, dws; 3684 int ackskew; 3685 int copyback = 0; 3686 struct pf_state_peer *src, *dst; 3687 3688 key.af = pd->af; 3689 key.proto = IPPROTO_TCP; 3690 if (direction == PF_IN) { 3691 PF_ACPY(&key.ext.addr, pd->src, key.af); 3692 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 3693 key.ext.port = th->th_sport; 3694 key.gwy.port = th->th_dport; 3695 } else { 3696 PF_ACPY(&key.lan.addr, pd->src, key.af); 3697 PF_ACPY(&key.ext.addr, pd->dst, key.af); 3698 key.lan.port = th->th_sport; 3699 key.ext.port = th->th_dport; 3700 } 3701 3702 STATE_LOOKUP(); 3703 3704 if (direction == (*state)->direction) { 3705 src = &(*state)->src; 3706 dst = &(*state)->dst; 3707 } else { 3708 src = &(*state)->dst; 3709 dst = &(*state)->src; 3710 } 3711 3712 if ((*state)->src.state == PF_TCPS_PROXY_SRC) { 3713 if (direction != (*state)->direction) 3714 return (PF_SYNPROXY_DROP); 3715 if (th->th_flags & TH_SYN) { 3716 if (ntohl(th->th_seq) != (*state)->src.seqlo) 3717 return (PF_DROP); 3718 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3719 pd->src, th->th_dport, th->th_sport, 3720 (*state)->src.seqhi, ntohl(th->th_seq) + 1, 3721 TH_SYN|TH_ACK, 0, (*state)->src.mss, 0); 3722 return (PF_SYNPROXY_DROP); 3723 } else if (!(th->th_flags & TH_ACK) || 3724 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3725 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3726 return (PF_DROP); 3727 else 3728 (*state)->src.state = PF_TCPS_PROXY_DST; 3729 } 3730 if ((*state)->src.state == PF_TCPS_PROXY_DST) { 3731 struct pf_state_host *src, *dst; 3732 3733 if (direction == PF_OUT) { 3734 src = &(*state)->gwy; 3735 dst = &(*state)->ext; 3736 } else { 3737 src = &(*state)->ext; 3738 dst = &(*state)->lan; 3739 } 3740 if (direction == (*state)->direction) { 3741 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) || 3742 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || 3743 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) 3744 return (PF_DROP); 3745 (*state)->src.max_win = MAX(ntohs(th->th_win), 1); 3746 if ((*state)->dst.seqhi == 1) 3747 (*state)->dst.seqhi = arc4random(); 3748 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3749 &dst->addr, src->port, dst->port, 3750 (*state)->dst.seqhi, 0, TH_SYN, 0, 3751 (*state)->src.mss, 0); 3752 return (PF_SYNPROXY_DROP); 3753 } else if (((th->th_flags & (TH_SYN|TH_ACK)) != 3754 (TH_SYN|TH_ACK)) || 3755 (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) 3756 return (PF_DROP); 3757 else { 3758 (*state)->dst.max_win = MAX(ntohs(th->th_win), 1); 3759 (*state)->dst.seqlo = ntohl(th->th_seq); 3760 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, 3761 pd->src, th->th_dport, th->th_sport, 3762 ntohl(th->th_ack), ntohl(th->th_seq) + 1, 3763 TH_ACK, (*state)->src.max_win, 0, 0); 3764 pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, 3765 &dst->addr, src->port, dst->port, 3766 (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, 3767 TH_ACK, (*state)->dst.max_win, 0, 0); 3768 (*state)->src.seqdiff = (*state)->dst.seqhi - 3769 (*state)->src.seqlo; 3770 (*state)->dst.seqdiff = (*state)->src.seqhi - 3771 (*state)->dst.seqlo; 3772 (*state)->src.seqhi = (*state)->src.seqlo + 3773 (*state)->src.max_win; 3774 (*state)->dst.seqhi = (*state)->dst.seqlo + 3775 (*state)->dst.max_win; 3776 (*state)->src.wscale = (*state)->dst.wscale = 0; 3777 (*state)->src.state = (*state)->dst.state = 3778 TCPS_ESTABLISHED; 3779 return (PF_SYNPROXY_DROP); 3780 } 3781 } 3782 3783 if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) { 3784 sws = src->wscale & PF_WSCALE_MASK; 3785 dws = dst->wscale & PF_WSCALE_MASK; 3786 } else 3787 sws = dws = 0; 3788 3789 /* 3790 * Sequence tracking algorithm from Guido van Rooij's paper: 3791 * http://www.madison-gurkha.com/publications/tcp_filtering/ 3792 * tcp_filtering.ps 3793 */ 3794 3795 seq = ntohl(th->th_seq); 3796 if (src->seqlo == 0) { 3797 /* First packet from this end. Set its state */ 3798 3799 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) && 3800 src->scrub == NULL) { 3801 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) { 3802 REASON_SET(reason, PFRES_MEMORY); 3803 return (PF_DROP); 3804 } 3805 } 3806 3807 /* Deferred generation of sequence number modulator */ 3808 if (dst->seqdiff && !src->seqdiff) { 3809 while ((src->seqdiff = arc4random()) == 0) 3810 ; 3811 ack = ntohl(th->th_ack) - dst->seqdiff; 3812 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3813 src->seqdiff), 0); 3814 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3815 copyback = 1; 3816 } else { 3817 ack = ntohl(th->th_ack); 3818 } 3819 3820 end = seq + pd->p_len; 3821 if (th->th_flags & TH_SYN) { 3822 end++; 3823 if (dst->wscale & PF_WSCALE_FLAG) { 3824 src->wscale = pf_get_wscale(m, off, th->th_off, 3825 pd->af); 3826 if (src->wscale & PF_WSCALE_FLAG) { 3827 /* Remove scale factor from initial 3828 * window */ 3829 sws = src->wscale & PF_WSCALE_MASK; 3830 win = ((u_int32_t)win + (1 << sws) - 1) 3831 >> sws; 3832 dws = dst->wscale & PF_WSCALE_MASK; 3833 } else { 3834 /* fixup other window */ 3835 dst->max_win <<= dst->wscale & 3836 PF_WSCALE_MASK; 3837 /* in case of a retrans SYN|ACK */ 3838 dst->wscale = 0; 3839 } 3840 } 3841 } 3842 if (th->th_flags & TH_FIN) 3843 end++; 3844 3845 src->seqlo = seq; 3846 if (src->state < TCPS_SYN_SENT) 3847 src->state = TCPS_SYN_SENT; 3848 3849 /* 3850 * May need to slide the window (seqhi may have been set by 3851 * the crappy stack check or if we picked up the connection 3852 * after establishment) 3853 */ 3854 if (src->seqhi == 1 || 3855 SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) 3856 src->seqhi = end + MAX(1, dst->max_win << dws); 3857 if (win > src->max_win) 3858 src->max_win = win; 3859 3860 } else { 3861 ack = ntohl(th->th_ack) - dst->seqdiff; 3862 if (src->seqdiff) { 3863 /* Modulate sequence numbers */ 3864 pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + 3865 src->seqdiff), 0); 3866 pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); 3867 copyback = 1; 3868 } 3869 end = seq + pd->p_len; 3870 if (th->th_flags & TH_SYN) 3871 end++; 3872 if (th->th_flags & TH_FIN) 3873 end++; 3874 } 3875 3876 if ((th->th_flags & TH_ACK) == 0) { 3877 /* Let it pass through the ack skew check */ 3878 ack = dst->seqlo; 3879 } else if ((ack == 0 && 3880 (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) || 3881 /* broken tcp stacks do not set ack */ 3882 (dst->state < TCPS_SYN_SENT)) { 3883 /* 3884 * Many stacks (ours included) will set the ACK number in an 3885 * FIN|ACK if the SYN times out -- no sequence to ACK. 3886 */ 3887 ack = dst->seqlo; 3888 } 3889 3890 if (seq == end) { 3891 /* Ease sequencing restrictions on no data packets */ 3892 seq = src->seqlo; 3893 end = seq; 3894 } 3895 3896 ackskew = dst->seqlo - ack; 3897 3898 #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ 3899 if (SEQ_GEQ(src->seqhi, end) && 3900 /* Last octet inside other's window space */ 3901 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) && 3902 /* Retrans: not more than one window back */ 3903 (ackskew >= -MAXACKWINDOW) && 3904 /* Acking not more than one reassembled fragment backwards */ 3905 (ackskew <= (MAXACKWINDOW << sws))) { 3906 /* Acking not more than one window forward */ 3907 3908 /* update max window */ 3909 if (src->max_win < win) 3910 src->max_win = win; 3911 /* synchronize sequencing */ 3912 if (SEQ_GT(end, src->seqlo)) 3913 src->seqlo = end; 3914 /* slide the window of what the other end can send */ 3915 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 3916 dst->seqhi = ack + MAX((win << sws), 1); 3917 3918 3919 /* update states */ 3920 if (th->th_flags & TH_SYN) 3921 if (src->state < TCPS_SYN_SENT) 3922 src->state = TCPS_SYN_SENT; 3923 if (th->th_flags & TH_FIN) 3924 if (src->state < TCPS_CLOSING) 3925 src->state = TCPS_CLOSING; 3926 if (th->th_flags & TH_ACK) { 3927 if (dst->state == TCPS_SYN_SENT) 3928 dst->state = TCPS_ESTABLISHED; 3929 else if (dst->state == TCPS_CLOSING) 3930 dst->state = TCPS_FIN_WAIT_2; 3931 } 3932 if (th->th_flags & TH_RST) 3933 src->state = dst->state = TCPS_TIME_WAIT; 3934 3935 /* update expire time */ 3936 (*state)->expire = time_second; 3937 if (src->state >= TCPS_FIN_WAIT_2 && 3938 dst->state >= TCPS_FIN_WAIT_2) 3939 (*state)->timeout = PFTM_TCP_CLOSED; 3940 else if (src->state >= TCPS_FIN_WAIT_2 || 3941 dst->state >= TCPS_FIN_WAIT_2) 3942 (*state)->timeout = PFTM_TCP_FIN_WAIT; 3943 else if (src->state < TCPS_ESTABLISHED || 3944 dst->state < TCPS_ESTABLISHED) 3945 (*state)->timeout = PFTM_TCP_OPENING; 3946 else if (src->state >= TCPS_CLOSING || 3947 dst->state >= TCPS_CLOSING) 3948 (*state)->timeout = PFTM_TCP_CLOSING; 3949 else 3950 (*state)->timeout = PFTM_TCP_ESTABLISHED; 3951 3952 /* Fall through to PASS packet */ 3953 3954 } else if ((dst->state < TCPS_SYN_SENT || 3955 dst->state >= TCPS_FIN_WAIT_2 || 3956 src->state >= TCPS_FIN_WAIT_2) && 3957 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) && 3958 /* Within a window forward of the originating packet */ 3959 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) { 3960 /* Within a window backward of the originating packet */ 3961 3962 /* 3963 * This currently handles three situations: 3964 * 1) Stupid stacks will shotgun SYNs before their peer 3965 * replies. 3966 * 2) When PF catches an already established stream (the 3967 * firewall rebooted, the state table was flushed, routes 3968 * changed...) 3969 * 3) Packets get funky immediately after the connection 3970 * closes (this should catch Solaris spurious ACK|FINs 3971 * that web servers like to spew after a close) 3972 * 3973 * This must be a little more careful than the above code 3974 * since packet floods will also be caught here. We don't 3975 * update the TTL here to mitigate the damage of a packet 3976 * flood and so the same code can handle awkward establishment 3977 * and a loosened connection close. 3978 * In the establishment case, a correct peer response will 3979 * validate the connection, go through the normal state code 3980 * and keep updating the state TTL. 3981 */ 3982 3983 if (pf_status.debug >= PF_DEBUG_MISC) { 3984 printf("pf: loose state match: "); 3985 pf_print_state(*state); 3986 pf_print_flags(th->th_flags); 3987 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n", 3988 seq, ack, pd->p_len, ackskew, 3989 (*state)->packets[0], (*state)->packets[1]); 3990 } 3991 3992 /* update max window */ 3993 if (src->max_win < win) 3994 src->max_win = win; 3995 /* synchronize sequencing */ 3996 if (SEQ_GT(end, src->seqlo)) 3997 src->seqlo = end; 3998 /* slide the window of what the other end can send */ 3999 if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) 4000 dst->seqhi = ack + MAX((win << sws), 1); 4001 4002 /* 4003 * Cannot set dst->seqhi here since this could be a shotgunned 4004 * SYN and not an already established connection. 4005 */ 4006 4007 if (th->th_flags & TH_FIN) 4008 if (src->state < TCPS_CLOSING) 4009 src->state = TCPS_CLOSING; 4010 if (th->th_flags & TH_RST) 4011 src->state = dst->state = TCPS_TIME_WAIT; 4012 4013 /* Fall through to PASS packet */ 4014 4015 } else { 4016 if ((*state)->dst.state == TCPS_SYN_SENT && 4017 (*state)->src.state == TCPS_SYN_SENT) { 4018 /* Send RST for state mismatches during handshake */ 4019 if (!(th->th_flags & TH_RST)) { 4020 u_int32_t ack = ntohl(th->th_seq) + pd->p_len; 4021 4022 if (th->th_flags & TH_SYN) 4023 ack++; 4024 if (th->th_flags & TH_FIN) 4025 ack++; 4026 pf_send_tcp((*state)->rule.ptr, pd->af, 4027 pd->dst, pd->src, th->th_dport, 4028 th->th_sport, ntohl(th->th_ack), ack, 4029 TH_RST|TH_ACK, 0, 0, 4030 (*state)->rule.ptr->return_ttl); 4031 } 4032 src->seqlo = 0; 4033 src->seqhi = 1; 4034 src->max_win = 1; 4035 } else if (pf_status.debug >= PF_DEBUG_MISC) { 4036 printf("pf: BAD state: "); 4037 pf_print_state(*state); 4038 pf_print_flags(th->th_flags); 4039 printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d " 4040 "dir=%s,%s\n", seq, ack, pd->p_len, ackskew, 4041 (*state)->packets[0], (*state)->packets[1], 4042 direction == PF_IN ? "in" : "out", 4043 direction == (*state)->direction ? "fwd" : "rev"); 4044 printf("pf: State failure on: %c %c %c %c | %c %c\n", 4045 SEQ_GEQ(src->seqhi, end) ? ' ' : '1', 4046 SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? 4047 ' ': '2', 4048 (ackskew >= -MAXACKWINDOW) ? ' ' : '3', 4049 (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', 4050 SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', 4051 SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); 4052 } 4053 return (PF_DROP); 4054 } 4055 4056 if (dst->scrub || src->scrub) { 4057 if (pf_normalize_tcp_stateful(m, off, pd, reason, th, 4058 src, dst, ©back)) 4059 return (PF_DROP); 4060 } 4061 4062 /* Any packets which have gotten here are to be passed */ 4063 4064 /* translate source/destination address, if necessary */ 4065 if (STATE_TRANSLATE(*state)) { 4066 if (direction == PF_OUT) 4067 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum, 4068 &th->th_sum, &(*state)->gwy.addr, 4069 (*state)->gwy.port, 0, pd->af); 4070 else 4071 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum, 4072 &th->th_sum, &(*state)->lan.addr, 4073 (*state)->lan.port, 0, pd->af); 4074 m_copyback(m, off, sizeof(*th), (caddr_t)th); 4075 } else if (copyback) { 4076 /* Copyback sequence modulation or stateful scrub changes */ 4077 m_copyback(m, off, sizeof(*th), (caddr_t)th); 4078 } 4079 4080 return (PF_PASS); 4081 } 4082 4083 int 4084 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif, 4085 struct mbuf *m, int off, void *h, struct pf_pdesc *pd) 4086 { 4087 struct pf_state_peer *src, *dst; 4088 struct pf_state key; 4089 struct udphdr *uh = pd->hdr.udp; 4090 4091 key.af = pd->af; 4092 key.proto = IPPROTO_UDP; 4093 if (direction == PF_IN) { 4094 PF_ACPY(&key.ext.addr, pd->src, key.af); 4095 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4096 key.ext.port = uh->uh_sport; 4097 key.gwy.port = uh->uh_dport; 4098 } else { 4099 PF_ACPY(&key.lan.addr, pd->src, key.af); 4100 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4101 key.lan.port = uh->uh_sport; 4102 key.ext.port = uh->uh_dport; 4103 } 4104 4105 STATE_LOOKUP(); 4106 4107 if (direction == (*state)->direction) { 4108 src = &(*state)->src; 4109 dst = &(*state)->dst; 4110 } else { 4111 src = &(*state)->dst; 4112 dst = &(*state)->src; 4113 } 4114 4115 /* update states */ 4116 if (src->state < PFUDPS_SINGLE) 4117 src->state = PFUDPS_SINGLE; 4118 if (dst->state == PFUDPS_SINGLE) 4119 dst->state = PFUDPS_MULTIPLE; 4120 4121 /* update expire time */ 4122 (*state)->expire = time_second; 4123 if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) 4124 (*state)->timeout = PFTM_UDP_MULTIPLE; 4125 else 4126 (*state)->timeout = PFTM_UDP_SINGLE; 4127 4128 /* translate source/destination address, if necessary */ 4129 if (STATE_TRANSLATE(*state)) { 4130 if (direction == PF_OUT) 4131 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum, 4132 &uh->uh_sum, &(*state)->gwy.addr, 4133 (*state)->gwy.port, 1, pd->af); 4134 else 4135 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum, 4136 &uh->uh_sum, &(*state)->lan.addr, 4137 (*state)->lan.port, 1, pd->af); 4138 m_copyback(m, off, sizeof(*uh), (caddr_t)uh); 4139 } 4140 4141 return (PF_PASS); 4142 } 4143 4144 int 4145 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, 4146 struct mbuf *m, int off, void *h, struct pf_pdesc *pd) 4147 { 4148 struct pf_addr *saddr = pd->src, *daddr = pd->dst; 4149 u_int16_t icmpid = 0; 4150 u_int16_t *icmpsum = NULL; 4151 u_int8_t icmptype = 0; 4152 int state_icmp = 0; 4153 4154 switch (pd->proto) { 4155 #ifdef INET 4156 case IPPROTO_ICMP: 4157 icmptype = pd->hdr.icmp->icmp_type; 4158 icmpid = pd->hdr.icmp->icmp_id; 4159 icmpsum = &pd->hdr.icmp->icmp_cksum; 4160 4161 if (icmptype == ICMP_UNREACH || 4162 icmptype == ICMP_SOURCEQUENCH || 4163 icmptype == ICMP_REDIRECT || 4164 icmptype == ICMP_TIMXCEED || 4165 icmptype == ICMP_PARAMPROB) 4166 state_icmp++; 4167 break; 4168 #endif /* INET */ 4169 #ifdef INET6 4170 case IPPROTO_ICMPV6: 4171 icmptype = pd->hdr.icmp6->icmp6_type; 4172 icmpid = pd->hdr.icmp6->icmp6_id; 4173 icmpsum = &pd->hdr.icmp6->icmp6_cksum; 4174 4175 if (icmptype == ICMP6_DST_UNREACH || 4176 icmptype == ICMP6_PACKET_TOO_BIG || 4177 icmptype == ICMP6_TIME_EXCEEDED || 4178 icmptype == ICMP6_PARAM_PROB) 4179 state_icmp++; 4180 break; 4181 #endif /* INET6 */ 4182 } 4183 4184 if (!state_icmp) { 4185 4186 /* 4187 * ICMP query/reply message not related to a TCP/UDP packet. 4188 * Search for an ICMP state. 4189 */ 4190 struct pf_state key; 4191 4192 key.af = pd->af; 4193 key.proto = pd->proto; 4194 if (direction == PF_IN) { 4195 PF_ACPY(&key.ext.addr, pd->src, key.af); 4196 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4197 key.ext.port = icmpid; 4198 key.gwy.port = icmpid; 4199 } else { 4200 PF_ACPY(&key.lan.addr, pd->src, key.af); 4201 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4202 key.lan.port = icmpid; 4203 key.ext.port = icmpid; 4204 } 4205 4206 STATE_LOOKUP(); 4207 4208 (*state)->expire = time_second; 4209 (*state)->timeout = PFTM_ICMP_ERROR_REPLY; 4210 4211 /* translate source/destination address, if necessary */ 4212 if (PF_ANEQ(&(*state)->lan.addr, &(*state)->gwy.addr, pd->af)) { 4213 if (direction == PF_OUT) { 4214 switch (pd->af) { 4215 #ifdef INET 4216 case AF_INET: 4217 pf_change_a(&saddr->v4.s_addr, 4218 pd->ip_sum, 4219 (*state)->gwy.addr.v4.s_addr, 0); 4220 break; 4221 #endif /* INET */ 4222 #ifdef INET6 4223 case AF_INET6: 4224 pf_change_a6(saddr, 4225 &pd->hdr.icmp6->icmp6_cksum, 4226 &(*state)->gwy.addr, 0); 4227 m_copyback(m, off, 4228 sizeof(struct icmp6_hdr), 4229 (caddr_t)pd->hdr.icmp6); 4230 break; 4231 #endif /* INET6 */ 4232 } 4233 } else { 4234 switch (pd->af) { 4235 #ifdef INET 4236 case AF_INET: 4237 pf_change_a(&daddr->v4.s_addr, 4238 pd->ip_sum, 4239 (*state)->lan.addr.v4.s_addr, 0); 4240 break; 4241 #endif /* INET */ 4242 #ifdef INET6 4243 case AF_INET6: 4244 pf_change_a6(daddr, 4245 &pd->hdr.icmp6->icmp6_cksum, 4246 &(*state)->lan.addr, 0); 4247 m_copyback(m, off, 4248 sizeof(struct icmp6_hdr), 4249 (caddr_t)pd->hdr.icmp6); 4250 break; 4251 #endif /* INET6 */ 4252 } 4253 } 4254 } 4255 4256 return (PF_PASS); 4257 4258 } else { 4259 /* 4260 * ICMP error message in response to a TCP/UDP packet. 4261 * Extract the inner TCP/UDP header and search for that state. 4262 */ 4263 4264 struct pf_pdesc pd2; 4265 #ifdef INET 4266 struct ip h2; 4267 #endif /* INET */ 4268 #ifdef INET6 4269 struct ip6_hdr h2_6; 4270 int terminal = 0; 4271 #endif /* INET6 */ 4272 int ipoff2 = 0; 4273 int off2 = 0; 4274 4275 pd2.af = pd->af; 4276 switch (pd->af) { 4277 #ifdef INET 4278 case AF_INET: 4279 /* offset of h2 in mbuf chain */ 4280 ipoff2 = off + ICMP_MINLEN; 4281 4282 if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2), 4283 NULL, NULL, pd2.af)) { 4284 DPFPRINTF(PF_DEBUG_MISC, 4285 ("pf: ICMP error message too short " 4286 "(ip)\n")); 4287 return (PF_DROP); 4288 } 4289 /* 4290 * ICMP error messages don't refer to non-first 4291 * fragments 4292 */ 4293 /* 4294 * Note: We are dealing with an encapsulated 4295 * header. This means ip_off/ip_len are not 4296 * in host byte order! 4297 */ 4298 if (h2.ip_off & htons(IP_OFFMASK)) 4299 return (PF_DROP); 4300 4301 /* offset of protocol header that follows h2 */ 4302 off2 = ipoff2 + (h2.ip_hl << 2); 4303 4304 pd2.proto = h2.ip_p; 4305 pd2.src = (struct pf_addr *)&h2.ip_src; 4306 pd2.dst = (struct pf_addr *)&h2.ip_dst; 4307 pd2.ip_sum = &h2.ip_sum; 4308 break; 4309 #endif /* INET */ 4310 #ifdef INET6 4311 case AF_INET6: 4312 ipoff2 = off + sizeof(struct icmp6_hdr); 4313 4314 if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6), 4315 NULL, NULL, pd2.af)) { 4316 DPFPRINTF(PF_DEBUG_MISC, 4317 ("pf: ICMP error message too short " 4318 "(ip6)\n")); 4319 return (PF_DROP); 4320 } 4321 pd2.proto = h2_6.ip6_nxt; 4322 pd2.src = (struct pf_addr *)&h2_6.ip6_src; 4323 pd2.dst = (struct pf_addr *)&h2_6.ip6_dst; 4324 pd2.ip_sum = NULL; 4325 off2 = ipoff2 + sizeof(h2_6); 4326 do { 4327 switch (pd2.proto) { 4328 case IPPROTO_FRAGMENT: 4329 /* 4330 * ICMPv6 error messages for 4331 * non-first fragments 4332 */ 4333 return (PF_DROP); 4334 case IPPROTO_AH: 4335 case IPPROTO_HOPOPTS: 4336 case IPPROTO_ROUTING: 4337 case IPPROTO_DSTOPTS: { 4338 /* get next header and header length */ 4339 struct ip6_ext opt6; 4340 4341 if (!pf_pull_hdr(m, off2, &opt6, 4342 sizeof(opt6), NULL, NULL, pd2.af)) { 4343 DPFPRINTF(PF_DEBUG_MISC, 4344 ("pf: ICMPv6 short opt\n")); 4345 return (PF_DROP); 4346 } 4347 if (pd2.proto == IPPROTO_AH) 4348 off2 += (opt6.ip6e_len + 2) * 4; 4349 else 4350 off2 += (opt6.ip6e_len + 1) * 8; 4351 pd2.proto = opt6.ip6e_nxt; 4352 /* goto the next header */ 4353 break; 4354 } 4355 default: 4356 terminal++; 4357 break; 4358 } 4359 } while (!terminal); 4360 break; 4361 #endif /* INET6 */ 4362 } 4363 4364 switch (pd2.proto) { 4365 case IPPROTO_TCP: { 4366 struct tcphdr th; 4367 u_int32_t seq; 4368 struct pf_state key; 4369 struct pf_state_peer *src, *dst; 4370 u_int8_t dws; 4371 int copyback = 0; 4372 4373 /* 4374 * Only the first 8 bytes of the TCP header can be 4375 * expected. Don't access any TCP header fields after 4376 * th_seq, an ackskew test is not possible. 4377 */ 4378 if (!pf_pull_hdr(m, off2, &th, 8, NULL, NULL, pd2.af)) { 4379 DPFPRINTF(PF_DEBUG_MISC, 4380 ("pf: ICMP error message too short " 4381 "(tcp)\n")); 4382 return (PF_DROP); 4383 } 4384 4385 key.af = pd2.af; 4386 key.proto = IPPROTO_TCP; 4387 if (direction == PF_IN) { 4388 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4389 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4390 key.ext.port = th.th_dport; 4391 key.gwy.port = th.th_sport; 4392 } else { 4393 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4394 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4395 key.lan.port = th.th_dport; 4396 key.ext.port = th.th_sport; 4397 } 4398 4399 STATE_LOOKUP(); 4400 4401 if (direction == (*state)->direction) { 4402 src = &(*state)->dst; 4403 dst = &(*state)->src; 4404 } else { 4405 src = &(*state)->src; 4406 dst = &(*state)->dst; 4407 } 4408 4409 if (src->wscale && dst->wscale && 4410 !(th.th_flags & TH_SYN)) 4411 dws = dst->wscale & PF_WSCALE_MASK; 4412 else 4413 dws = 0; 4414 4415 /* Demodulate sequence number */ 4416 seq = ntohl(th.th_seq) - src->seqdiff; 4417 if (src->seqdiff) { 4418 pf_change_a(&th.th_seq, icmpsum, 4419 htonl(seq), 0); 4420 copyback = 1; 4421 } 4422 4423 if (!SEQ_GEQ(src->seqhi, seq) || 4424 !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) { 4425 if (pf_status.debug >= PF_DEBUG_MISC) { 4426 printf("pf: BAD ICMP %d:%d ", 4427 icmptype, pd->hdr.icmp->icmp_code); 4428 pf_print_host(pd->src, 0, pd->af); 4429 printf(" -> "); 4430 pf_print_host(pd->dst, 0, pd->af); 4431 printf(" state: "); 4432 pf_print_state(*state); 4433 printf(" seq=%u\n", seq); 4434 } 4435 return (PF_DROP); 4436 } 4437 4438 if (STATE_TRANSLATE(*state)) { 4439 if (direction == PF_IN) { 4440 pf_change_icmp(pd2.src, &th.th_sport, 4441 daddr, &(*state)->lan.addr, 4442 (*state)->lan.port, NULL, 4443 pd2.ip_sum, icmpsum, 4444 pd->ip_sum, 0, pd2.af); 4445 } else { 4446 pf_change_icmp(pd2.dst, &th.th_dport, 4447 saddr, &(*state)->gwy.addr, 4448 (*state)->gwy.port, NULL, 4449 pd2.ip_sum, icmpsum, 4450 pd->ip_sum, 0, pd2.af); 4451 } 4452 copyback = 1; 4453 } 4454 4455 if (copyback) { 4456 switch (pd2.af) { 4457 #ifdef INET 4458 case AF_INET: 4459 m_copyback(m, off, ICMP_MINLEN, 4460 (caddr_t)pd->hdr.icmp); 4461 m_copyback(m, ipoff2, sizeof(h2), 4462 (caddr_t)&h2); 4463 break; 4464 #endif /* INET */ 4465 #ifdef INET6 4466 case AF_INET6: 4467 m_copyback(m, off, 4468 sizeof(struct icmp6_hdr), 4469 (caddr_t)pd->hdr.icmp6); 4470 m_copyback(m, ipoff2, sizeof(h2_6), 4471 (caddr_t)&h2_6); 4472 break; 4473 #endif /* INET6 */ 4474 } 4475 m_copyback(m, off2, 8, (caddr_t)&th); 4476 } 4477 4478 return (PF_PASS); 4479 break; 4480 } 4481 case IPPROTO_UDP: { 4482 struct udphdr uh; 4483 struct pf_state key; 4484 4485 if (!pf_pull_hdr(m, off2, &uh, sizeof(uh), 4486 NULL, NULL, pd2.af)) { 4487 DPFPRINTF(PF_DEBUG_MISC, 4488 ("pf: ICMP error message too short " 4489 "(udp)\n")); 4490 return (PF_DROP); 4491 } 4492 4493 key.af = pd2.af; 4494 key.proto = IPPROTO_UDP; 4495 if (direction == PF_IN) { 4496 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4497 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4498 key.ext.port = uh.uh_dport; 4499 key.gwy.port = uh.uh_sport; 4500 } else { 4501 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4502 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4503 key.lan.port = uh.uh_dport; 4504 key.ext.port = uh.uh_sport; 4505 } 4506 4507 STATE_LOOKUP(); 4508 4509 if (STATE_TRANSLATE(*state)) { 4510 if (direction == PF_IN) { 4511 pf_change_icmp(pd2.src, &uh.uh_sport, 4512 daddr, &(*state)->lan.addr, 4513 (*state)->lan.port, &uh.uh_sum, 4514 pd2.ip_sum, icmpsum, 4515 pd->ip_sum, 1, pd2.af); 4516 } else { 4517 pf_change_icmp(pd2.dst, &uh.uh_dport, 4518 saddr, &(*state)->gwy.addr, 4519 (*state)->gwy.port, &uh.uh_sum, 4520 pd2.ip_sum, icmpsum, 4521 pd->ip_sum, 1, pd2.af); 4522 } 4523 switch (pd2.af) { 4524 #ifdef INET 4525 case AF_INET: 4526 m_copyback(m, off, ICMP_MINLEN, 4527 (caddr_t)pd->hdr.icmp); 4528 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); 4529 break; 4530 #endif /* INET */ 4531 #ifdef INET6 4532 case AF_INET6: 4533 m_copyback(m, off, 4534 sizeof(struct icmp6_hdr), 4535 (caddr_t)pd->hdr.icmp6); 4536 m_copyback(m, ipoff2, sizeof(h2_6), 4537 (caddr_t)&h2_6); 4538 break; 4539 #endif /* INET6 */ 4540 } 4541 m_copyback(m, off2, sizeof(uh), (caddr_t)&uh); 4542 } 4543 4544 return (PF_PASS); 4545 break; 4546 } 4547 #ifdef INET 4548 case IPPROTO_ICMP: { 4549 struct icmp iih; 4550 struct pf_state key; 4551 4552 if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN, 4553 NULL, NULL, pd2.af)) { 4554 DPFPRINTF(PF_DEBUG_MISC, 4555 ("pf: ICMP error message too short i" 4556 "(icmp)\n")); 4557 return (PF_DROP); 4558 } 4559 4560 key.af = pd2.af; 4561 key.proto = IPPROTO_ICMP; 4562 if (direction == PF_IN) { 4563 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4564 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4565 key.ext.port = iih.icmp_id; 4566 key.gwy.port = iih.icmp_id; 4567 } else { 4568 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4569 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4570 key.lan.port = iih.icmp_id; 4571 key.ext.port = iih.icmp_id; 4572 } 4573 4574 STATE_LOOKUP(); 4575 4576 if (STATE_TRANSLATE(*state)) { 4577 if (direction == PF_IN) { 4578 pf_change_icmp(pd2.src, &iih.icmp_id, 4579 daddr, &(*state)->lan.addr, 4580 (*state)->lan.port, NULL, 4581 pd2.ip_sum, icmpsum, 4582 pd->ip_sum, 0, AF_INET); 4583 } else { 4584 pf_change_icmp(pd2.dst, &iih.icmp_id, 4585 saddr, &(*state)->gwy.addr, 4586 (*state)->gwy.port, NULL, 4587 pd2.ip_sum, icmpsum, 4588 pd->ip_sum, 0, AF_INET); 4589 } 4590 m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp); 4591 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); 4592 m_copyback(m, off2, ICMP_MINLEN, (caddr_t)&iih); 4593 } 4594 4595 return (PF_PASS); 4596 break; 4597 } 4598 #endif /* INET */ 4599 #ifdef INET6 4600 case IPPROTO_ICMPV6: { 4601 struct icmp6_hdr iih; 4602 struct pf_state key; 4603 4604 if (!pf_pull_hdr(m, off2, &iih, 4605 sizeof(struct icmp6_hdr), NULL, NULL, pd2.af)) { 4606 DPFPRINTF(PF_DEBUG_MISC, 4607 ("pf: ICMP error message too short " 4608 "(icmp6)\n")); 4609 return (PF_DROP); 4610 } 4611 4612 key.af = pd2.af; 4613 key.proto = IPPROTO_ICMPV6; 4614 if (direction == PF_IN) { 4615 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4616 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4617 key.ext.port = iih.icmp6_id; 4618 key.gwy.port = iih.icmp6_id; 4619 } else { 4620 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4621 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4622 key.lan.port = iih.icmp6_id; 4623 key.ext.port = iih.icmp6_id; 4624 } 4625 4626 STATE_LOOKUP(); 4627 4628 if (STATE_TRANSLATE(*state)) { 4629 if (direction == PF_IN) { 4630 pf_change_icmp(pd2.src, &iih.icmp6_id, 4631 daddr, &(*state)->lan.addr, 4632 (*state)->lan.port, NULL, 4633 pd2.ip_sum, icmpsum, 4634 pd->ip_sum, 0, AF_INET6); 4635 } else { 4636 pf_change_icmp(pd2.dst, &iih.icmp6_id, 4637 saddr, &(*state)->gwy.addr, 4638 (*state)->gwy.port, NULL, 4639 pd2.ip_sum, icmpsum, 4640 pd->ip_sum, 0, AF_INET6); 4641 } 4642 m_copyback(m, off, sizeof(struct icmp6_hdr), 4643 (caddr_t)pd->hdr.icmp6); 4644 m_copyback(m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6); 4645 m_copyback(m, off2, sizeof(struct icmp6_hdr), 4646 (caddr_t)&iih); 4647 } 4648 4649 return (PF_PASS); 4650 break; 4651 } 4652 #endif /* INET6 */ 4653 default: { 4654 struct pf_state key; 4655 4656 key.af = pd2.af; 4657 key.proto = pd2.proto; 4658 if (direction == PF_IN) { 4659 PF_ACPY(&key.ext.addr, pd2.dst, key.af); 4660 PF_ACPY(&key.gwy.addr, pd2.src, key.af); 4661 key.ext.port = 0; 4662 key.gwy.port = 0; 4663 } else { 4664 PF_ACPY(&key.lan.addr, pd2.dst, key.af); 4665 PF_ACPY(&key.ext.addr, pd2.src, key.af); 4666 key.lan.port = 0; 4667 key.ext.port = 0; 4668 } 4669 4670 STATE_LOOKUP(); 4671 4672 if (STATE_TRANSLATE(*state)) { 4673 if (direction == PF_IN) { 4674 pf_change_icmp(pd2.src, NULL, 4675 daddr, &(*state)->lan.addr, 4676 0, NULL, 4677 pd2.ip_sum, icmpsum, 4678 pd->ip_sum, 0, pd2.af); 4679 } else { 4680 pf_change_icmp(pd2.dst, NULL, 4681 saddr, &(*state)->gwy.addr, 4682 0, NULL, 4683 pd2.ip_sum, icmpsum, 4684 pd->ip_sum, 0, pd2.af); 4685 } 4686 switch (pd2.af) { 4687 #ifdef INET 4688 case AF_INET: 4689 m_copyback(m, off, ICMP_MINLEN, 4690 (caddr_t)pd->hdr.icmp); 4691 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); 4692 break; 4693 #endif /* INET */ 4694 #ifdef INET6 4695 case AF_INET6: 4696 m_copyback(m, off, 4697 sizeof(struct icmp6_hdr), 4698 (caddr_t)pd->hdr.icmp6); 4699 m_copyback(m, ipoff2, sizeof(h2_6), 4700 (caddr_t)&h2_6); 4701 break; 4702 #endif /* INET6 */ 4703 } 4704 } 4705 4706 return (PF_PASS); 4707 break; 4708 } 4709 } 4710 } 4711 } 4712 4713 int 4714 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif, 4715 struct pf_pdesc *pd) 4716 { 4717 struct pf_state_peer *src, *dst; 4718 struct pf_state key; 4719 4720 key.af = pd->af; 4721 key.proto = pd->proto; 4722 if (direction == PF_IN) { 4723 PF_ACPY(&key.ext.addr, pd->src, key.af); 4724 PF_ACPY(&key.gwy.addr, pd->dst, key.af); 4725 key.ext.port = 0; 4726 key.gwy.port = 0; 4727 } else { 4728 PF_ACPY(&key.lan.addr, pd->src, key.af); 4729 PF_ACPY(&key.ext.addr, pd->dst, key.af); 4730 key.lan.port = 0; 4731 key.ext.port = 0; 4732 } 4733 4734 STATE_LOOKUP(); 4735 4736 if (direction == (*state)->direction) { 4737 src = &(*state)->src; 4738 dst = &(*state)->dst; 4739 } else { 4740 src = &(*state)->dst; 4741 dst = &(*state)->src; 4742 } 4743 4744 /* update states */ 4745 if (src->state < PFOTHERS_SINGLE) 4746 src->state = PFOTHERS_SINGLE; 4747 if (dst->state == PFOTHERS_SINGLE) 4748 dst->state = PFOTHERS_MULTIPLE; 4749 4750 /* update expire time */ 4751 (*state)->expire = time_second; 4752 if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) 4753 (*state)->timeout = PFTM_OTHER_MULTIPLE; 4754 else 4755 (*state)->timeout = PFTM_OTHER_SINGLE; 4756 4757 /* translate source/destination address, if necessary */ 4758 if (STATE_TRANSLATE(*state)) { 4759 if (direction == PF_OUT) 4760 switch (pd->af) { 4761 #ifdef INET 4762 case AF_INET: 4763 pf_change_a(&pd->src->v4.s_addr, 4764 pd->ip_sum, (*state)->gwy.addr.v4.s_addr, 4765 0); 4766 break; 4767 #endif /* INET */ 4768 #ifdef INET6 4769 case AF_INET6: 4770 PF_ACPY(pd->src, &(*state)->gwy.addr, pd->af); 4771 break; 4772 #endif /* INET6 */ 4773 } 4774 else 4775 switch (pd->af) { 4776 #ifdef INET 4777 case AF_INET: 4778 pf_change_a(&pd->dst->v4.s_addr, 4779 pd->ip_sum, (*state)->lan.addr.v4.s_addr, 4780 0); 4781 break; 4782 #endif /* INET */ 4783 #ifdef INET6 4784 case AF_INET6: 4785 PF_ACPY(pd->dst, &(*state)->lan.addr, pd->af); 4786 break; 4787 #endif /* INET6 */ 4788 } 4789 } 4790 4791 return (PF_PASS); 4792 } 4793 4794 /* 4795 * ipoff and off are measured from the start of the mbuf chain. 4796 * h must be at "ipoff" on the mbuf chain. 4797 */ 4798 void * 4799 pf_pull_hdr(struct mbuf *m, int off, void *p, int len, 4800 u_short *actionp, u_short *reasonp, sa_family_t af) 4801 { 4802 switch (af) { 4803 #ifdef INET 4804 case AF_INET: { 4805 struct ip *h = mtod(m, struct ip *); 4806 u_int16_t fragoff = (h->ip_off & IP_OFFMASK) << 3; 4807 4808 if (fragoff) { 4809 if (fragoff >= len) 4810 ACTION_SET(actionp, PF_PASS); 4811 else { 4812 ACTION_SET(actionp, PF_DROP); 4813 REASON_SET(reasonp, PFRES_FRAG); 4814 } 4815 return (NULL); 4816 } 4817 if (m->m_pkthdr.len < off + len || 4818 h->ip_len < off + len) { 4819 ACTION_SET(actionp, PF_DROP); 4820 REASON_SET(reasonp, PFRES_SHORT); 4821 return (NULL); 4822 } 4823 break; 4824 } 4825 #endif /* INET */ 4826 #ifdef INET6 4827 case AF_INET6: { 4828 struct ip6_hdr *h = mtod(m, struct ip6_hdr *); 4829 4830 if (m->m_pkthdr.len < off + len || 4831 (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) < 4832 (unsigned)(off + len)) { 4833 ACTION_SET(actionp, PF_DROP); 4834 REASON_SET(reasonp, PFRES_SHORT); 4835 return (NULL); 4836 } 4837 break; 4838 } 4839 #endif /* INET6 */ 4840 } 4841 m_copydata(m, off, len, p); 4842 return (p); 4843 } 4844 4845 int 4846 pf_routable(struct pf_addr *addr, sa_family_t af) 4847 { 4848 struct sockaddr_in *dst; 4849 struct route ro; 4850 int ret = 0; 4851 4852 bzero(&ro, sizeof(ro)); 4853 dst = satosin(&ro.ro_dst); 4854 dst->sin_family = af; 4855 dst->sin_len = sizeof(*dst); 4856 dst->sin_addr = addr->v4; 4857 rtalloc_ign(&ro, (RTF_CLONING|RTF_PRCLONING)); 4858 4859 if (ro.ro_rt != NULL) { 4860 ret = 1; 4861 RTFREE(ro.ro_rt); 4862 } 4863 4864 return (ret); 4865 } 4866 4867 #ifdef INET 4868 void 4869 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 4870 struct pf_state *s) 4871 { 4872 struct mbuf *m0, *m1; 4873 struct route iproute; 4874 struct route *ro = NULL; 4875 struct sockaddr_in *dst; 4876 struct ip *ip; 4877 struct ifnet *ifp = NULL; 4878 struct pf_addr naddr; 4879 struct pf_src_node *sn = NULL; 4880 int error = 0; 4881 int sw_csum; 4882 4883 if (m == NULL || *m == NULL || r == NULL || 4884 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 4885 panic("pf_route: invalid parameters"); 4886 4887 if (((*m)->m_pkthdr.pf_flags & PF_MBUF_ROUTED) == 0) { 4888 (*m)->m_pkthdr.pf_flags |= PF_MBUF_ROUTED; 4889 (*m)->m_pkthdr.pf_routed = 1; 4890 } else { 4891 if ((*m)->m_pkthdr.pf_routed > 3) { 4892 m0 = *m; 4893 *m = NULL; 4894 goto bad; 4895 } 4896 (*m)->m_pkthdr.pf_routed++; 4897 } 4898 4899 if (r->rt == PF_DUPTO) { 4900 if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL) 4901 return; 4902 } else { 4903 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 4904 return; 4905 m0 = *m; 4906 } 4907 4908 if (m0->m_len < sizeof(struct ip)) 4909 panic("pf_route: m0->m_len < sizeof(struct ip)"); 4910 ip = mtod(m0, struct ip *); 4911 4912 ro = &iproute; 4913 bzero((caddr_t)ro, sizeof(*ro)); 4914 dst = satosin(&ro->ro_dst); 4915 dst->sin_family = AF_INET; 4916 dst->sin_len = sizeof(*dst); 4917 dst->sin_addr = ip->ip_dst; 4918 4919 if (r->rt == PF_FASTROUTE) { 4920 rtalloc(ro); 4921 if (ro->ro_rt == 0) { 4922 ipstat.ips_noroute++; 4923 goto bad; 4924 } 4925 4926 ifp = ro->ro_rt->rt_ifp; 4927 ro->ro_rt->rt_use++; 4928 4929 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 4930 dst = satosin(ro->ro_rt->rt_gateway); 4931 } else { 4932 if (TAILQ_EMPTY(&r->rpool.list)) 4933 panic("pf_route: TAILQ_EMPTY(&r->rpool.list)"); 4934 if (s == NULL) { 4935 pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, 4936 &naddr, NULL, &sn); 4937 if (!PF_AZERO(&naddr, AF_INET)) 4938 dst->sin_addr.s_addr = naddr.v4.s_addr; 4939 ifp = r->rpool.cur->kif ? 4940 r->rpool.cur->kif->pfik_ifp : NULL; 4941 } else { 4942 if (!PF_AZERO(&s->rt_addr, AF_INET)) 4943 dst->sin_addr.s_addr = 4944 s->rt_addr.v4.s_addr; 4945 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 4946 } 4947 } 4948 if (ifp == NULL) 4949 goto bad; 4950 4951 if (oifp != ifp) { 4952 if (pf_test(PF_OUT, ifp, &m0) != PF_PASS) 4953 goto bad; 4954 else if (m0 == NULL) 4955 goto done; 4956 if (m0->m_len < sizeof(struct ip)) 4957 panic("pf_route: m0->m_len < sizeof(struct ip)"); 4958 ip = mtod(m0, struct ip *); 4959 } 4960 4961 /* Copied from ip_output. */ 4962 m0->m_pkthdr.csum_flags |= CSUM_IP; 4963 sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist; 4964 if (sw_csum & CSUM_DELAY_DATA) { 4965 in_delayed_cksum(m0); 4966 sw_csum &= ~CSUM_DELAY_DATA; 4967 } 4968 m0->m_pkthdr.csum_flags &= ifp->if_hwassist; 4969 4970 /* 4971 * If small enough for interface, or the interface will take 4972 * care of the fragmentation for us, can just send directly. 4973 */ 4974 if (ip->ip_len <= ifp->if_mtu || ((ifp->if_hwassist & CSUM_FRAGMENT) && 4975 (ip->ip_off & IP_DF) == 0)) { 4976 ip->ip_len = htons(ip->ip_len); 4977 ip->ip_off = htons(ip->ip_off); 4978 ip->ip_sum = 0; 4979 if (sw_csum & CSUM_DELAY_IP) { 4980 /* From KAME */ 4981 if (ip->ip_v == IPVERSION && 4982 (ip->ip_hl << 2) == sizeof(*ip)) { 4983 ip->ip_sum = in_cksum_hdr(ip); 4984 } else { 4985 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); 4986 } 4987 } 4988 4989 error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro->ro_rt); 4990 goto done; 4991 } 4992 4993 /* 4994 * Too large for interface; fragment if possible. 4995 * Must be able to put at least 8 bytes per fragment. 4996 */ 4997 if (ip->ip_off & IP_DF) { 4998 ipstat.ips_cantfrag++; 4999 if (r->rt != PF_DUPTO) { 5000 icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 5001 ifp); 5002 goto done; 5003 } else 5004 goto bad; 5005 } 5006 5007 m1 = m0; 5008 error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum); 5009 if (error) 5010 goto bad; 5011 5012 for (m0 = m1; m0; m0 = m1) { 5013 m1 = m0->m_nextpkt; 5014 m0->m_nextpkt = 0; 5015 if (error == 0) 5016 error = (*ifp->if_output)(ifp, m0, sintosa(dst), 5017 NULL); 5018 else 5019 m_freem(m0); 5020 } 5021 5022 if (error == 0) 5023 ipstat.ips_fragmented++; 5024 5025 done: 5026 if (r->rt != PF_DUPTO) 5027 *m = NULL; 5028 if (ro == &iproute && ro->ro_rt) 5029 RTFREE(ro->ro_rt); 5030 return; 5031 5032 bad: 5033 m_freem(m0); 5034 goto done; 5035 } 5036 #endif /* INET */ 5037 5038 #ifdef INET6 5039 void 5040 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, 5041 struct pf_state *s) 5042 { 5043 struct mbuf *m0; 5044 struct route_in6 ip6route; 5045 struct route_in6 *ro; 5046 struct sockaddr_in6 *dst; 5047 struct ip6_hdr *ip6; 5048 struct ifnet *ifp = NULL; 5049 struct pf_addr naddr; 5050 struct pf_src_node *sn = NULL; 5051 int error = 0; 5052 5053 if (m == NULL || *m == NULL || r == NULL || 5054 (dir != PF_IN && dir != PF_OUT) || oifp == NULL) 5055 panic("pf_route6: invalid parameters"); 5056 5057 if (((*m)->m_pkthdr.pf_flags & PF_MBUF_ROUTED) == 0) { 5058 (*m)->m_pkthdr.pf_flags |= PF_MBUF_ROUTED; 5059 (*m)->m_pkthdr.pf_routed = 1; 5060 } else { 5061 if ((*m)->m_pkthdr.pf_routed > 3) { 5062 m0 = *m; 5063 *m = NULL; 5064 goto bad; 5065 } 5066 (*m)->m_pkthdr.pf_routed++; 5067 } 5068 5069 if (r->rt == PF_DUPTO) { 5070 if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL) 5071 return; 5072 } else { 5073 if ((r->rt == PF_REPLYTO) == (r->direction == dir)) 5074 return; 5075 m0 = *m; 5076 } 5077 5078 if (m0->m_len < sizeof(struct ip6_hdr)) 5079 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)"); 5080 ip6 = mtod(m0, struct ip6_hdr *); 5081 5082 ro = &ip6route; 5083 bzero((caddr_t)ro, sizeof(*ro)); 5084 dst = (struct sockaddr_in6 *)&ro->ro_dst; 5085 dst->sin6_family = AF_INET6; 5086 dst->sin6_len = sizeof(*dst); 5087 dst->sin6_addr = ip6->ip6_dst; 5088 5089 /* Cheat. */ 5090 if (r->rt == PF_FASTROUTE) { 5091 m0->m_pkthdr.pf_flags |= PF_MBUF_GENERATED; 5092 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); 5093 return; 5094 } 5095 5096 if (TAILQ_EMPTY(&r->rpool.list)) 5097 panic("pf_route6: TAILQ_EMPTY(&r->rpool.list)"); 5098 if (s == NULL) { 5099 pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src, 5100 &naddr, NULL, &sn); 5101 if (!PF_AZERO(&naddr, AF_INET6)) 5102 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 5103 &naddr, AF_INET6); 5104 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; 5105 } else { 5106 if (!PF_AZERO(&s->rt_addr, AF_INET6)) 5107 PF_ACPY((struct pf_addr *)&dst->sin6_addr, 5108 &s->rt_addr, AF_INET6); 5109 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; 5110 } 5111 if (ifp == NULL) 5112 goto bad; 5113 5114 if (oifp != ifp) { 5115 if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS) 5116 goto bad; 5117 else if (m0 == NULL) 5118 goto done; 5119 if (m0->m_len < sizeof(struct ip6_hdr)) 5120 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)"); 5121 ip6 = mtod(m0, struct ip6_hdr *); 5122 } 5123 5124 /* 5125 * If the packet is too large for the outgoing interface, 5126 * send back an icmp6 error. 5127 */ 5128 if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr)) 5129 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index); 5130 if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { 5131 error = nd6_output(ifp, ifp, m0, dst, NULL); 5132 } else { 5133 in6_ifstat_inc(ifp, ifs6_in_toobig); 5134 if (r->rt != PF_DUPTO) 5135 icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); 5136 else 5137 goto bad; 5138 } 5139 5140 done: 5141 if (r->rt != PF_DUPTO) 5142 *m = NULL; 5143 return; 5144 5145 bad: 5146 m_freem(m0); 5147 goto done; 5148 } 5149 #endif /* INET6 */ 5150 5151 5152 /* 5153 * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag 5154 * off is the offset where the protocol header starts 5155 * len is the total length of protocol header plus payload 5156 * returns 0 when the checksum is valid, otherwise returns 1. 5157 */ 5158 /* 5159 * XXX 5160 * FreeBSD supports cksum offload for the following drivers. 5161 * em(4), gx(4), lge(4), nge(4), ti(4), xl(4) 5162 * If we can make full use of it we would outperform ipfw/ipfilter in 5163 * very heavy traffic. 5164 * I have not tested 'cause I don't have NICs that supports cksum offload. 5165 * (There might be problems. Typical phenomena would be 5166 * 1. No route message for UDP packet. 5167 * 2. No connection acceptance from external hosts regardless of rule set.) 5168 */ 5169 int 5170 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, 5171 sa_family_t af) 5172 { 5173 u_int16_t sum = 0; 5174 int hw_assist = 0; 5175 struct ip *ip; 5176 5177 if (off < sizeof(struct ip) || len < sizeof(struct udphdr)) 5178 return (1); 5179 if (m->m_pkthdr.len < off + len) 5180 return (1); 5181 5182 switch (p) { 5183 case IPPROTO_TCP: 5184 case IPPROTO_UDP: 5185 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) { 5186 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) { 5187 sum = m->m_pkthdr.csum_data; 5188 } else { 5189 ip = mtod(m, struct ip *); 5190 sum = in_pseudo(ip->ip_src.s_addr, 5191 ip->ip_dst.s_addr, htonl((u_short)len + 5192 m->m_pkthdr.csum_data + p)); 5193 } 5194 sum ^= 0xffff; 5195 ++hw_assist; 5196 } 5197 break; 5198 case IPPROTO_ICMP: 5199 #ifdef INET6 5200 case IPPROTO_ICMPV6: 5201 #endif /* INET6 */ 5202 break; 5203 default: 5204 return (1); 5205 } 5206 5207 if (!hw_assist) { 5208 switch (af) { 5209 case AF_INET: 5210 if (p == IPPROTO_ICMP) { 5211 if (m->m_len < off) 5212 return (1); 5213 m->m_data += off; 5214 m->m_len -= off; 5215 sum = in_cksum(m, len); 5216 m->m_data -= off; 5217 m->m_len += off; 5218 } else { 5219 if (m->m_len < sizeof(struct ip)) 5220 return (1); 5221 sum = in_cksum_range(m, p, off, len); 5222 if (sum == 0) { 5223 m->m_pkthdr.csum_flags |= 5224 (CSUM_DATA_VALID | 5225 CSUM_PSEUDO_HDR); 5226 m->m_pkthdr.csum_data = 0xffff; 5227 } 5228 } 5229 break; 5230 #ifdef INET6 5231 case AF_INET6: 5232 if (m->m_len < sizeof(struct ip6_hdr)) 5233 return (1); 5234 sum = in6_cksum(m, p, off, len); 5235 /* 5236 * XXX 5237 * IPv6 H/W cksum off-load not supported yet! 5238 * 5239 * if (sum == 0) { 5240 * m->m_pkthdr.csum_flags |= 5241 * (CSUM_DATA_VALID|CSUM_PSEUDO_HDR); 5242 * m->m_pkthdr.csum_data = 0xffff; 5243 *} 5244 */ 5245 break; 5246 #endif /* INET6 */ 5247 default: 5248 return (1); 5249 } 5250 } 5251 if (sum) { 5252 switch (p) { 5253 case IPPROTO_TCP: 5254 tcpstat.tcps_rcvbadsum++; 5255 break; 5256 case IPPROTO_UDP: 5257 udpstat.udps_badsum++; 5258 break; 5259 case IPPROTO_ICMP: 5260 icmpstat.icps_checksum++; 5261 break; 5262 #ifdef INET6 5263 case IPPROTO_ICMPV6: 5264 icmp6stat.icp6s_checksum++; 5265 break; 5266 #endif /* INET6 */ 5267 } 5268 return (1); 5269 } 5270 return (0); 5271 } 5272 5273 #ifdef INET 5274 int 5275 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0) 5276 { 5277 struct pfi_kif *kif; 5278 u_short action, reason = 0, log = 0; 5279 struct mbuf *m = *m0; 5280 struct ip *h = NULL; 5281 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; 5282 struct pf_state *s = NULL; 5283 struct pf_ruleset *ruleset = NULL; 5284 struct pf_pdesc pd; 5285 int off, dirndx, pqid = 0; 5286 5287 if (!pf_status.running || (m->m_pkthdr.pf_flags & PF_MBUF_GENERATED)) 5288 return (PF_PASS); 5289 5290 kif = pfi_index2kif[ifp->if_index]; 5291 if (kif == NULL) 5292 return (PF_DROP); 5293 5294 #ifdef DIAGNOSTIC 5295 if ((m->m_flags & M_PKTHDR) == 0) 5296 panic("non-M_PKTHDR is passed to pf_test"); 5297 #endif 5298 5299 memset(&pd, 0, sizeof(pd)); 5300 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5301 action = PF_DROP; 5302 REASON_SET(&reason, PFRES_SHORT); 5303 log = 1; 5304 goto done; 5305 } 5306 5307 /* We do IP header normalization and packet reassembly here */ 5308 if (pf_normalize_ip(m0, dir, kif, &reason) != PF_PASS) { 5309 action = PF_DROP; 5310 goto done; 5311 } 5312 m = *m0; 5313 h = mtod(m, struct ip *); 5314 5315 off = h->ip_hl << 2; 5316 if (off < (int)sizeof(*h)) { 5317 action = PF_DROP; 5318 REASON_SET(&reason, PFRES_SHORT); 5319 log = 1; 5320 goto done; 5321 } 5322 5323 pd.src = (struct pf_addr *)&h->ip_src; 5324 pd.dst = (struct pf_addr *)&h->ip_dst; 5325 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET); 5326 pd.ip_sum = &h->ip_sum; 5327 pd.proto = h->ip_p; 5328 pd.af = AF_INET; 5329 pd.tos = h->ip_tos; 5330 pd.tot_len = h->ip_len; 5331 5332 /* handle fragments that didn't get reassembled by normalization */ 5333 if (h->ip_off & (IP_MF | IP_OFFMASK)) { 5334 action = pf_test_fragment(&r, dir, kif, m, h, 5335 &pd, &a, &ruleset); 5336 goto done; 5337 } 5338 5339 switch (h->ip_p) { 5340 5341 case IPPROTO_TCP: { 5342 struct tcphdr th; 5343 5344 pd.hdr.tcp = &th; 5345 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5346 &action, &reason, AF_INET)) { 5347 log = action != PF_PASS; 5348 goto done; 5349 } 5350 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5351 h->ip_len - off, IPPROTO_TCP, AF_INET)) { 5352 action = PF_DROP; 5353 goto done; 5354 } 5355 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5356 if ((th.th_flags & TH_ACK) && pd.p_len == 0) 5357 pqid = 1; 5358 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 5359 if (action == PF_DROP) 5360 goto done; 5361 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 5362 &reason); 5363 if (action == PF_PASS) { 5364 #if NPFSYNC 5365 pfsync_update_state(s); 5366 #endif 5367 r = s->rule.ptr; 5368 a = s->anchor.ptr; 5369 log = s->log; 5370 } else if (s == NULL) 5371 action = pf_test_tcp(&r, &s, dir, kif, 5372 m, off, h, &pd, &a, &ruleset); 5373 break; 5374 } 5375 5376 case IPPROTO_UDP: { 5377 struct udphdr uh; 5378 5379 pd.hdr.udp = &uh; 5380 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5381 &action, &reason, AF_INET)) { 5382 log = action != PF_PASS; 5383 goto done; 5384 } 5385 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 5386 off, h->ip_len - off, IPPROTO_UDP, AF_INET)) { 5387 action = PF_DROP; 5388 goto done; 5389 } 5390 if (uh.uh_dport == 0 || 5391 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || 5392 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 5393 action = PF_DROP; 5394 goto done; 5395 } 5396 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 5397 if (action == PF_PASS) { 5398 #if NPFSYNC 5399 pfsync_update_state(s); 5400 #endif 5401 r = s->rule.ptr; 5402 a = s->anchor.ptr; 5403 log = s->log; 5404 } else if (s == NULL) 5405 action = pf_test_udp(&r, &s, dir, kif, 5406 m, off, h, &pd, &a, &ruleset); 5407 break; 5408 } 5409 5410 case IPPROTO_ICMP: { 5411 struct icmp ih; 5412 5413 pd.hdr.icmp = &ih; 5414 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN, 5415 &action, &reason, AF_INET)) { 5416 log = action != PF_PASS; 5417 goto done; 5418 } 5419 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5420 h->ip_len - off, IPPROTO_ICMP, AF_INET)) { 5421 action = PF_DROP; 5422 goto done; 5423 } 5424 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd); 5425 if (action == PF_PASS) { 5426 #if NPFSYNC 5427 pfsync_update_state(s); 5428 #endif 5429 r = s->rule.ptr; 5430 a = s->anchor.ptr; 5431 log = s->log; 5432 } else if (s == NULL) 5433 action = pf_test_icmp(&r, &s, dir, kif, 5434 m, off, h, &pd, &a, &ruleset); 5435 break; 5436 } 5437 5438 default: 5439 action = pf_test_state_other(&s, dir, kif, &pd); 5440 if (action == PF_PASS) { 5441 #if NPFSYNC 5442 pfsync_update_state(s); 5443 #endif 5444 r = s->rule.ptr; 5445 a = s->anchor.ptr; 5446 log = s->log; 5447 } else if (s == NULL) 5448 action = pf_test_other(&r, &s, dir, kif, m, off, h, 5449 &pd, &a, &ruleset); 5450 break; 5451 } 5452 5453 done: 5454 if (action == PF_PASS && h->ip_hl > 5 && 5455 !((s && s->allow_opts) || r->allow_opts)) { 5456 action = PF_DROP; 5457 REASON_SET(&reason, PFRES_SHORT); 5458 log = 1; 5459 DPFPRINTF(PF_DEBUG_MISC, 5460 ("pf: dropping packet with ip options\n")); 5461 } 5462 5463 #ifdef ALTQ 5464 if (action == PF_PASS && r->qid) { 5465 struct m_tag *mtag; 5466 struct altq_tag *atag; 5467 5468 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), MB_DONTWAIT); 5469 if (mtag != NULL) { 5470 atag = (struct altq_tag *)(mtag + 1); 5471 if (pqid || pd.tos == IPTOS_LOWDELAY) 5472 atag->qid = r->pqid; 5473 else 5474 atag->qid = r->qid; 5475 /* add hints for ecn */ 5476 atag->af = AF_INET; 5477 atag->hdr = h; 5478 m_tag_prepend(m, mtag); 5479 } 5480 } 5481 #endif 5482 5483 /* 5484 * connections redirected to loopback should not match sockets 5485 * bound specifically to loopback due to security implications, 5486 * see tcp_input() and in_pcblookup_listen(). 5487 */ 5488 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || 5489 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 5490 (s->nat_rule.ptr->action == PF_RDR || 5491 s->nat_rule.ptr->action == PF_BINAT) && 5492 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { 5493 action = PF_DROP; 5494 REASON_SET(&reason, PFRES_MEMORY); 5495 } 5496 5497 m->m_pkthdr.pf_flags |= PF_MBUF_TRANSLATE_LOCALHOST; 5498 5499 if (log) 5500 PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a, ruleset); 5501 5502 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len; 5503 kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++; 5504 5505 if (action == PF_PASS || r->action == PF_DROP) { 5506 r->packets++; 5507 r->bytes += pd.tot_len; 5508 if (a != NULL) { 5509 a->packets++; 5510 a->bytes += pd.tot_len; 5511 } 5512 if (s != NULL) { 5513 dirndx = (dir == s->direction) ? 0 : 1; 5514 s->packets[dirndx]++; 5515 s->bytes[dirndx] += pd.tot_len; 5516 if (s->nat_rule.ptr != NULL) { 5517 s->nat_rule.ptr->packets++; 5518 s->nat_rule.ptr->bytes += pd.tot_len; 5519 } 5520 if (s->src_node != NULL) { 5521 s->src_node->packets++; 5522 s->src_node->bytes += pd.tot_len; 5523 } 5524 if (s->nat_src_node != NULL) { 5525 s->nat_src_node->packets++; 5526 s->nat_src_node->bytes += pd.tot_len; 5527 } 5528 } 5529 tr = r; 5530 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; 5531 if (nr != NULL) { 5532 struct pf_addr *x; 5533 /* 5534 * XXX: we need to make sure that the addresses 5535 * passed to pfr_update_stats() are the same than 5536 * the addresses used during matching (pfr_match) 5537 */ 5538 if (r == &pf_default_rule) { 5539 tr = nr; 5540 x = (s == NULL || s->direction == dir) ? 5541 &pd.baddr : &pd.naddr; 5542 } else 5543 x = (s == NULL || s->direction == dir) ? 5544 &pd.naddr : &pd.baddr; 5545 if (x == &pd.baddr || s == NULL) { 5546 /* we need to change the address */ 5547 if (dir == PF_OUT) 5548 pd.src = x; 5549 else 5550 pd.dst = x; 5551 } 5552 } 5553 if (tr->src.addr.type == PF_ADDR_TABLE) 5554 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL || 5555 s->direction == dir) ? pd.src : pd.dst, pd.af, 5556 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5557 tr->src.not); 5558 if (tr->dst.addr.type == PF_ADDR_TABLE) 5559 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL || 5560 s->direction == dir) ? pd.dst : pd.src, pd.af, 5561 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5562 tr->dst.not); 5563 } 5564 5565 5566 if (action == PF_SYNPROXY_DROP) { 5567 m_freem(*m0); 5568 *m0 = NULL; 5569 action = PF_PASS; 5570 } else if (r->rt) 5571 /* pf_route can free the mbuf causing *m0 to become NULL */ 5572 pf_route(m0, r, dir, ifp, s); 5573 5574 return (action); 5575 } 5576 #endif /* INET */ 5577 5578 #ifdef INET6 5579 int 5580 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) 5581 { 5582 struct pfi_kif *kif; 5583 u_short action, reason = 0, log = 0; 5584 struct mbuf *m = *m0; 5585 struct ip6_hdr *h; 5586 struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; 5587 struct pf_state *s = NULL; 5588 struct pf_ruleset *ruleset = NULL; 5589 struct pf_pdesc pd; 5590 int off, terminal = 0, dirndx; 5591 5592 if (!pf_status.running || (m->m_pkthdr.pf_flags & PF_MBUF_GENERATED)) 5593 return (PF_PASS); 5594 5595 kif = pfi_index2kif[ifp->if_index]; 5596 if (kif == NULL) 5597 return (PF_DROP); 5598 5599 #ifdef DIAGNOSTIC 5600 if ((m->m_flags & M_PKTHDR) == 0) 5601 panic("non-M_PKTHDR is passed to pf_test"); 5602 #endif 5603 5604 memset(&pd, 0, sizeof(pd)); 5605 if (m->m_pkthdr.len < (int)sizeof(*h)) { 5606 action = PF_DROP; 5607 REASON_SET(&reason, PFRES_SHORT); 5608 log = 1; 5609 goto done; 5610 } 5611 5612 /* We do IP header normalization and packet reassembly here */ 5613 if (pf_normalize_ip6(m0, dir, kif, &reason) != PF_PASS) { 5614 action = PF_DROP; 5615 goto done; 5616 } 5617 m = *m0; 5618 h = mtod(m, struct ip6_hdr *); 5619 5620 pd.src = (struct pf_addr *)&h->ip6_src; 5621 pd.dst = (struct pf_addr *)&h->ip6_dst; 5622 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6); 5623 pd.ip_sum = NULL; 5624 pd.af = AF_INET6; 5625 pd.tos = 0; 5626 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); 5627 5628 off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); 5629 pd.proto = h->ip6_nxt; 5630 do { 5631 switch (pd.proto) { 5632 case IPPROTO_FRAGMENT: 5633 action = pf_test_fragment(&r, dir, kif, m, h, 5634 &pd, &a, &ruleset); 5635 if (action == PF_DROP) 5636 REASON_SET(&reason, PFRES_FRAG); 5637 goto done; 5638 case IPPROTO_AH: 5639 case IPPROTO_HOPOPTS: 5640 case IPPROTO_ROUTING: 5641 case IPPROTO_DSTOPTS: { 5642 /* get next header and header length */ 5643 struct ip6_ext opt6; 5644 5645 if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6), 5646 NULL, NULL, pd.af)) { 5647 DPFPRINTF(PF_DEBUG_MISC, 5648 ("pf: IPv6 short opt\n")); 5649 action = PF_DROP; 5650 REASON_SET(&reason, PFRES_SHORT); 5651 log = 1; 5652 goto done; 5653 } 5654 if (pd.proto == IPPROTO_AH) 5655 off += (opt6.ip6e_len + 2) * 4; 5656 else 5657 off += (opt6.ip6e_len + 1) * 8; 5658 pd.proto = opt6.ip6e_nxt; 5659 /* goto the next header */ 5660 break; 5661 } 5662 default: 5663 terminal++; 5664 break; 5665 } 5666 } while (!terminal); 5667 5668 switch (pd.proto) { 5669 5670 case IPPROTO_TCP: { 5671 struct tcphdr th; 5672 5673 pd.hdr.tcp = &th; 5674 if (!pf_pull_hdr(m, off, &th, sizeof(th), 5675 &action, &reason, AF_INET6)) { 5676 log = action != PF_PASS; 5677 goto done; 5678 } 5679 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5680 ntohs(h->ip6_plen), IPPROTO_TCP, AF_INET6)) { 5681 action = PF_DROP; 5682 goto done; 5683 } 5684 pd.p_len = pd.tot_len - off - (th.th_off << 2); 5685 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); 5686 if (action == PF_DROP) 5687 goto done; 5688 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, 5689 &reason); 5690 if (action == PF_PASS) { 5691 #if NPFSYNC 5692 pfsync_update_state(s); 5693 #endif 5694 r = s->rule.ptr; 5695 a = s->anchor.ptr; 5696 log = s->log; 5697 } else if (s == NULL) 5698 action = pf_test_tcp(&r, &s, dir, kif, 5699 m, off, h, &pd, &a, &ruleset); 5700 break; 5701 } 5702 5703 case IPPROTO_UDP: { 5704 struct udphdr uh; 5705 5706 pd.hdr.udp = &uh; 5707 if (!pf_pull_hdr(m, off, &uh, sizeof(uh), 5708 &action, &reason, AF_INET6)) { 5709 log = action != PF_PASS; 5710 goto done; 5711 } 5712 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m, 5713 off, ntohs(h->ip6_plen), IPPROTO_UDP, AF_INET6)) { 5714 action = PF_DROP; 5715 goto done; 5716 } 5717 if (uh.uh_dport == 0 || 5718 ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || 5719 ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { 5720 action = PF_DROP; 5721 goto done; 5722 } 5723 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); 5724 if (action == PF_PASS) { 5725 #if NPFSYNC 5726 pfsync_update_state(s); 5727 #endif 5728 r = s->rule.ptr; 5729 a = s->anchor.ptr; 5730 log = s->log; 5731 } else if (s == NULL) 5732 action = pf_test_udp(&r, &s, dir, kif, 5733 m, off, h, &pd, &a, &ruleset); 5734 break; 5735 } 5736 5737 case IPPROTO_ICMPV6: { 5738 struct icmp6_hdr ih; 5739 5740 pd.hdr.icmp6 = &ih; 5741 if (!pf_pull_hdr(m, off, &ih, sizeof(ih), 5742 &action, &reason, AF_INET6)) { 5743 log = action != PF_PASS; 5744 goto done; 5745 } 5746 if (dir == PF_IN && pf_check_proto_cksum(m, off, 5747 ntohs(h->ip6_plen), IPPROTO_ICMPV6, AF_INET6)) { 5748 action = PF_DROP; 5749 goto done; 5750 } 5751 action = pf_test_state_icmp(&s, dir, kif, 5752 m, off, h, &pd); 5753 if (action == PF_PASS) { 5754 #if NPFSYNC 5755 pfsync_update_state(s); 5756 #endif 5757 r = s->rule.ptr; 5758 a = s->anchor.ptr; 5759 log = s->log; 5760 } else if (s == NULL) 5761 action = pf_test_icmp(&r, &s, dir, kif, 5762 m, off, h, &pd, &a, &ruleset); 5763 break; 5764 } 5765 5766 default: 5767 action = pf_test_state_other(&s, dir, kif, &pd); 5768 if (action == PF_PASS) { 5769 r = s->rule.ptr; 5770 a = s->anchor.ptr; 5771 log = s->log; 5772 } else if (s == NULL) 5773 action = pf_test_other(&r, &s, dir, kif, m, off, h, 5774 &pd, &a, &ruleset); 5775 break; 5776 } 5777 5778 done: 5779 /* XXX handle IPv6 options, if not allowed. not implemented. */ 5780 5781 #ifdef ALTQ 5782 if (action == PF_PASS && r->qid) { 5783 struct m_tag *mtag; 5784 struct altq_tag *atag; 5785 5786 mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(*atag), MB_DONTWAIT); 5787 if (mtag != NULL) { 5788 atag = (struct altq_tag *)(mtag + 1); 5789 if (pd.tos == IPTOS_LOWDELAY) 5790 atag->qid = r->pqid; 5791 else 5792 atag->qid = r->qid; 5793 /* add hints for ecn */ 5794 atag->af = AF_INET6; 5795 atag->hdr = h; 5796 m_tag_prepend(m, mtag); 5797 } 5798 } 5799 #endif 5800 5801 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || 5802 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && 5803 (s->nat_rule.ptr->action == PF_RDR || 5804 s->nat_rule.ptr->action == PF_BINAT) && 5805 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) { 5806 action = PF_DROP; 5807 REASON_SET(&reason, PFRES_MEMORY); 5808 } 5809 5810 m->m_pkthdr.pf_flags |= PF_MBUF_TRANSLATE_LOCALHOST; 5811 5812 if (log) 5813 PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset); 5814 5815 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len; 5816 kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++; 5817 5818 if (action == PF_PASS || r->action == PF_DROP) { 5819 r->packets++; 5820 r->bytes += pd.tot_len; 5821 if (a != NULL) { 5822 a->packets++; 5823 a->bytes += pd.tot_len; 5824 } 5825 if (s != NULL) { 5826 dirndx = (dir == s->direction) ? 0 : 1; 5827 s->packets[dirndx]++; 5828 s->bytes[dirndx] += pd.tot_len; 5829 if (s->nat_rule.ptr != NULL) { 5830 s->nat_rule.ptr->packets++; 5831 s->nat_rule.ptr->bytes += pd.tot_len; 5832 } 5833 if (s->src_node != NULL) { 5834 s->src_node->packets++; 5835 s->src_node->bytes += pd.tot_len; 5836 } 5837 if (s->nat_src_node != NULL) { 5838 s->nat_src_node->packets++; 5839 s->nat_src_node->bytes += pd.tot_len; 5840 } 5841 } 5842 tr = r; 5843 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; 5844 if (nr != NULL) { 5845 struct pf_addr *x; 5846 /* 5847 * XXX: we need to make sure that the addresses 5848 * passed to pfr_update_stats() are the same than 5849 * the addresses used during matching (pfr_match) 5850 */ 5851 if (r == &pf_default_rule) { 5852 tr = nr; 5853 x = (s == NULL || s->direction == dir) ? 5854 &pd.baddr : &pd.naddr; 5855 } else { 5856 x = (s == NULL || s->direction == dir) ? 5857 &pd.naddr : &pd.baddr; 5858 } 5859 if (x == &pd.baddr || s == NULL) { 5860 if (dir == PF_OUT) 5861 pd.src = x; 5862 else 5863 pd.dst = x; 5864 } 5865 } 5866 if (tr->src.addr.type == PF_ADDR_TABLE) 5867 pfr_update_stats(tr->src.addr.p.tbl, (s == NULL || 5868 s->direction == dir) ? pd.src : pd.dst, pd.af, 5869 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5870 tr->src.not); 5871 if (tr->dst.addr.type == PF_ADDR_TABLE) 5872 pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL || 5873 s->direction == dir) ? pd.dst : pd.src, pd.af, 5874 pd.tot_len, dir == PF_OUT, r->action == PF_PASS, 5875 tr->dst.not); 5876 } 5877 5878 5879 if (action == PF_SYNPROXY_DROP) { 5880 m_freem(*m0); 5881 *m0 = NULL; 5882 action = PF_PASS; 5883 } else if (r->rt) 5884 /* pf_route6 can free the mbuf causing *m0 to become NULL */ 5885 pf_route6(m0, r, dir, ifp, s); 5886 5887 return (action); 5888 } 5889 #endif /* INET6 */ 5890