projects / dragonfly.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge from vendor branch LIBARCHIVE:
[dragonfly.git] / sys / net / pf / pf.c
1 /*      $FreeBSD: src/sys/contrib/pf/net/pf.c,v 1.19 2004/09/11 11:18:25 mlaier Exp $   */
2 /*      $OpenBSD: pf.c,v 1.433.2.2 2004/07/17 03:22:34 brad Exp $ */
3 /* add  $OpenBSD: pf.c,v 1.448 2004/05/11 07:34:11 dhartmei Exp $ */
4 /*      $DragonFly: src/sys/net/pf/pf.c,v 1.4 2005/02/11 22:25:57 joerg Exp $ */
5
6 /*
7  * Copyright (c) 2004 The DragonFly Project.  All rights reserved.
8  *
9  * Copyright (c) 2001 Daniel Hartmeier
10  * Copyright (c) 2002,2003 Henning Brauer
11  * All rights reserved.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  *
17  *    - Redistributions of source code must retain the above copyright
18  *      notice, this list of conditions and the following disclaimer.
19  *    - Redistributions in binary form must reproduce the above
20  *      copyright notice, this list of conditions and the following
21  *      disclaimer in the documentation and/or other materials provided
22  *      with the distribution.
23  *
24  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
27  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
28  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
29  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
30  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
31  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
32  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
34  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35  * POSSIBILITY OF SUCH DAMAGE.
36  *
37  * Effort sponsored in part by the Defense Advanced Research Projects
38  * Agency (DARPA) and Air Force Research Laboratory, Air Force
39  * Materiel Command, USAF, under agreement number F30602-01-2-0537.
40  *
41  */
42
43 #include "opt_inet.h"
44 #include "opt_inet6.h"
45 #include "use_pfsync.h"
46
47 #include <sys/param.h>
48 #include <sys/systm.h>
49 #include <sys/malloc.h>
50 #include <sys/mbuf.h>
51 #include <sys/filio.h>
52 #include <sys/socket.h>
53 #include <sys/socketvar.h>
54 #include <sys/kernel.h>
55 #include <sys/time.h>
56 #include <sys/sysctl.h>
57 #include <sys/endian.h>
58 #include <vm/vm_zone.h>
59
60 #include <machine/inttypes.h>
61
62 #include <net/if.h>
63 #include <net/if_types.h>
64 #include <net/bpf.h>
65 #include <net/route.h>
66
67 #include <netinet/in.h>
68 #include <netinet/in_var.h>
69 #include <netinet/in_systm.h>
70 #include <netinet/ip.h>
71 #include <netinet/ip_var.h>
72 #include <netinet/tcp.h>
73 #include <netinet/tcp_seq.h>
74 #include <netinet/udp.h>
75 #include <netinet/ip_icmp.h>
76 #include <netinet/in_pcb.h>
77 #include <netinet/tcp_timer.h>
78 #include <netinet/tcp_var.h>
79 #include <netinet/udp_var.h>
80 #include <netinet/icmp_var.h>
81
82 #include <net/pf/pfvar.h>
83 #include <net/pf/if_pflog.h>
84
85 #if NPFSYNC > 0
86 #include <net/pf/if_pfsync.h>
87 #endif /* NPFSYNC > 0 */
88
89 #ifdef INET6
90 #include <netinet/ip6.h>
91 #include <netinet/in_pcb.h>
92 #include <netinet/icmp6.h>
93 #include <netinet6/nd6.h>
94 #include <netinet6/ip6_var.h>
95 #include <netinet6/in6_pcb.h>
96 #endif /* INET6 */
97
98 #include <sys/in_cksum.h>
99 #include <machine/limits.h>
100 #include <sys/msgport2.h>
101 #include <sys/ucred.h>
102
103 extern int ip_optcopy(struct ip *, struct ip *);
104
105 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
106
107 /*
108  * Global variables
109  */
110
111 struct pf_anchorqueue    pf_anchors;
112 struct pf_ruleset        pf_main_ruleset;
113 struct pf_altqqueue      pf_altqs[2];
114 struct pf_palist         pf_pabuf;
115 struct pf_altqqueue     *pf_altqs_active;
116 struct pf_altqqueue     *pf_altqs_inactive;
117 struct pf_status         pf_status;
118
119 u_int32_t                ticket_altqs_active;
120 u_int32_t                ticket_altqs_inactive;
121 int                      altqs_inactive_open;
122 u_int32_t                ticket_pabuf;
123
124 struct callout           pf_expire_to;                  /* expire timeout */
125
126 vm_zone_t                pf_src_tree_pl, pf_rule_pl;
127 vm_zone_t                pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
128
129 void                     pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
130 void                     pf_print_state(struct pf_state *);
131 void                     pf_print_flags(u_int8_t);
132
133 u_int16_t                pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
134                             u_int8_t);
135 void                     pf_change_ap(struct pf_addr *, u_int16_t *,
136                             u_int16_t *, u_int16_t *, struct pf_addr *,
137                             u_int16_t, u_int8_t, sa_family_t);
138 #ifdef INET6
139 void                     pf_change_a6(struct pf_addr *, u_int16_t *,
140                             struct pf_addr *, u_int8_t);
141 #endif /* INET6 */
142 void                     pf_change_icmp(struct pf_addr *, u_int16_t *,
143                             struct pf_addr *, struct pf_addr *, u_int16_t,
144                             u_int16_t *, u_int16_t *, u_int16_t *,
145                             u_int16_t *, u_int8_t, sa_family_t);
146 void                     pf_send_tcp(const struct pf_rule *, sa_family_t,
147                             const struct pf_addr *, const struct pf_addr *,
148                             u_int16_t, u_int16_t, u_int32_t, u_int32_t,
149                             u_int8_t, u_int16_t, u_int16_t, u_int8_t);
150 void                     pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
151                             sa_family_t, struct pf_rule *);
152 struct pf_rule          *pf_match_translation(struct pf_pdesc *, struct mbuf *,
153                             int, int, struct pfi_kif *,
154                             struct pf_addr *, u_int16_t, struct pf_addr *,
155                             u_int16_t, int);
156 struct pf_rule          *pf_get_translation(struct pf_pdesc *, struct mbuf *,
157                             int, int, struct pfi_kif *, struct pf_src_node **,
158                             struct pf_addr *, u_int16_t,
159                             struct pf_addr *, u_int16_t,
160                             struct pf_addr *, u_int16_t *);
161 int                      pf_test_tcp(struct pf_rule **, struct pf_state **,
162                             int, struct pfi_kif *, struct mbuf *, int,
163                             void *, struct pf_pdesc *, struct pf_rule **,
164                             struct pf_ruleset **);
165 int                      pf_test_udp(struct pf_rule **, struct pf_state **,
166                             int, struct pfi_kif *, struct mbuf *, int,
167                             void *, struct pf_pdesc *, struct pf_rule **,
168                             struct pf_ruleset **);
169 int                      pf_test_icmp(struct pf_rule **, struct pf_state **,
170                             int, struct pfi_kif *, struct mbuf *, int,
171                             void *, struct pf_pdesc *, struct pf_rule **,
172                             struct pf_ruleset **);
173 int                      pf_test_other(struct pf_rule **, struct pf_state **,
174                             int, struct pfi_kif *, struct mbuf *, int, void *,
175                             struct pf_pdesc *, struct pf_rule **,
176                             struct pf_ruleset **);
177 int                      pf_test_fragment(struct pf_rule **, int,
178                             struct pfi_kif *, struct mbuf *, void *,
179                             struct pf_pdesc *, struct pf_rule **,
180                             struct pf_ruleset **);
181 int                      pf_test_state_tcp(struct pf_state **, int,
182                             struct pfi_kif *, struct mbuf *, int,
183                             void *, struct pf_pdesc *, u_short *);
184 int                      pf_test_state_udp(struct pf_state **, int,
185                             struct pfi_kif *, struct mbuf *, int,
186                             void *, struct pf_pdesc *);
187 int                      pf_test_state_icmp(struct pf_state **, int,
188                             struct pfi_kif *, struct mbuf *, int,
189                             void *, struct pf_pdesc *);
190 int                      pf_test_state_other(struct pf_state **, int,
191                             struct pfi_kif *, struct pf_pdesc *);
192 static int               pf_match_tag(struct mbuf *, struct pf_rule *,
193                                       struct pf_rule *, int *);
194 void                     pf_hash(struct pf_addr *, struct pf_addr *,
195                             struct pf_poolhashkey *, sa_family_t);
196 int                      pf_map_addr(u_int8_t, struct pf_rule *,
197                             struct pf_addr *, struct pf_addr *,
198                             struct pf_addr *, struct pf_src_node **);
199 int                      pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *,
200                             struct pf_addr *, struct pf_addr *, u_int16_t,
201                             struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t,
202                             struct pf_src_node **);
203 void                     pf_route(struct mbuf **, struct pf_rule *, int,
204                             struct ifnet *, struct pf_state *);
205 void                     pf_route6(struct mbuf **, struct pf_rule *, int,
206                             struct ifnet *, struct pf_state *);
207 int                      pf_socket_lookup(uid_t *, gid_t *,
208                             int, struct pf_pdesc *);
209 u_int8_t                 pf_get_wscale(struct mbuf *, int, u_int16_t,
210                             sa_family_t);
211 u_int16_t                pf_get_mss(struct mbuf *, int, u_int16_t,
212                             sa_family_t);
213 u_int16_t                pf_calc_mss(struct pf_addr *, sa_family_t,
214                                 u_int16_t);
215 void                     pf_set_rt_ifp(struct pf_state *,
216                             struct pf_addr *);
217 int                      pf_check_proto_cksum(struct mbuf *, int, int,
218                             u_int8_t, sa_family_t);
219 int                      pf_addr_wrap_neq(struct pf_addr_wrap *,
220                             struct pf_addr_wrap *);
221 struct pf_state         *pf_find_state_recurse(struct pfi_kif *,
222                             struct pf_state *, u_int8_t);
223
224 struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX];
225
226 #define STATE_LOOKUP()                                                  \
227         do {                                                            \
228                 if (direction == PF_IN)                                 \
229                         *state = pf_find_state_recurse(         \
230                             kif, &key, PF_EXT_GWY);                     \
231                 else                                                    \
232                         *state = pf_find_state_recurse(         \
233                             kif, &key, PF_LAN_EXT);                     \
234                 if (*state == NULL)                                     \
235                         return (PF_DROP);                               \
236                 if (direction == PF_OUT &&                              \
237                     (((*state)->rule.ptr->rt == PF_ROUTETO &&           \
238                     (*state)->rule.ptr->direction == PF_OUT) ||         \
239                     ((*state)->rule.ptr->rt == PF_REPLYTO &&            \
240                     (*state)->rule.ptr->direction == PF_IN)) &&         \
241                     (*state)->rt_kif != NULL &&                         \
242                     (*state)->rt_kif != kif)                            \
243                         return (PF_PASS);                               \
244         } while (0)
245
246 #define STATE_TRANSLATE(s) \
247         (s)->lan.addr.addr32[0] != (s)->gwy.addr.addr32[0] || \
248         ((s)->af == AF_INET6 && \
249         ((s)->lan.addr.addr32[1] != (s)->gwy.addr.addr32[1] || \
250         (s)->lan.addr.addr32[2] != (s)->gwy.addr.addr32[2] || \
251         (s)->lan.addr.addr32[3] != (s)->gwy.addr.addr32[3])) || \
252         (s)->lan.port != (s)->gwy.port
253
254 #define BOUND_IFACE(r, k) (((r)->rule_flag & PFRULE_IFBOUND) ? (k) :   \
255         ((r)->rule_flag & PFRULE_GRBOUND) ? (k)->pfik_parent :         \
256         (k)->pfik_parent->pfik_parent)
257
258 static int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
259 static int pf_state_compare_lan_ext(struct pf_state *,
260         struct pf_state *);
261 static int pf_state_compare_ext_gwy(struct pf_state *,
262         struct pf_state *);
263 static int pf_state_compare_id(struct pf_state *,
264         struct pf_state *);
265
266 struct pf_src_tree tree_src_tracking;
267
268 struct pf_state_tree_id tree_id;
269 struct pf_state_queue state_updates;
270
271 RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare);
272 RB_GENERATE(pf_state_tree_lan_ext, pf_state,
273     u.s.entry_lan_ext, pf_state_compare_lan_ext);
274 RB_GENERATE(pf_state_tree_ext_gwy, pf_state,
275     u.s.entry_ext_gwy, pf_state_compare_ext_gwy);
276 RB_GENERATE(pf_state_tree_id, pf_state,
277     u.s.entry_id, pf_state_compare_id);
278
279 static int
280 pf_src_compare(struct pf_src_node *a, struct pf_src_node *b)
281 {
282         int     diff;
283
284         if (a->rule.ptr > b->rule.ptr)
285                 return (1);
286         if (a->rule.ptr < b->rule.ptr)
287                 return (-1);
288         if ((diff = a->af - b->af) != 0)
289                 return (diff);
290         switch (a->af) {
291 #ifdef INET
292         case AF_INET:
293                 if (a->addr.addr32[0] > b->addr.addr32[0])
294                         return (1);
295                 if (a->addr.addr32[0] < b->addr.addr32[0])
296                         return (-1);
297                 break;
298 #endif /* INET */
299 #ifdef INET6
300         case AF_INET6:
301                 if (a->addr.addr32[3] > b->addr.addr32[3])
302                         return (1);
303                 if (a->addr.addr32[3] < b->addr.addr32[3])
304                         return (-1);
305                 if (a->addr.addr32[2] > b->addr.addr32[2])
306                         return (1);
307                 if (a->addr.addr32[2] < b->addr.addr32[2])
308                         return (-1);
309                 if (a->addr.addr32[1] > b->addr.addr32[1])
310                         return (1);
311                 if (a->addr.addr32[1] < b->addr.addr32[1])
312                         return (-1);
313                 if (a->addr.addr32[0] > b->addr.addr32[0])
314                         return (1);
315                 if (a->addr.addr32[0] < b->addr.addr32[0])
316                         return (-1);
317                 break;
318 #endif /* INET6 */
319         }
320         return (0);
321 }
322
323 static int
324 pf_state_compare_lan_ext(struct pf_state *a, struct pf_state *b)
325 {
326         int     diff;
327
328         if ((diff = a->proto - b->proto) != 0)
329                 return (diff);
330         if ((diff = a->af - b->af) != 0)
331                 return (diff);
332         switch (a->af) {
333 #ifdef INET
334         case AF_INET:
335                 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
336                         return (1);
337                 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
338                         return (-1);
339                 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
340                         return (1);
341                 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
342                         return (-1);
343                 break;
344 #endif /* INET */
345 #ifdef INET6
346         case AF_INET6:
347                 if (a->lan.addr.addr32[3] > b->lan.addr.addr32[3])
348                         return (1);
349                 if (a->lan.addr.addr32[3] < b->lan.addr.addr32[3])
350                         return (-1);
351                 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
352                         return (1);
353                 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
354                         return (-1);
355                 if (a->lan.addr.addr32[2] > b->lan.addr.addr32[2])
356                         return (1);
357                 if (a->lan.addr.addr32[2] < b->lan.addr.addr32[2])
358                         return (-1);
359                 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
360                         return (1);
361                 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
362                         return (-1);
363                 if (a->lan.addr.addr32[1] > b->lan.addr.addr32[1])
364                         return (1);
365                 if (a->lan.addr.addr32[1] < b->lan.addr.addr32[1])
366                         return (-1);
367                 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
368                         return (1);
369                 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
370                         return (-1);
371                 if (a->lan.addr.addr32[0] > b->lan.addr.addr32[0])
372                         return (1);
373                 if (a->lan.addr.addr32[0] < b->lan.addr.addr32[0])
374                         return (-1);
375                 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
376                         return (1);
377                 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
378                         return (-1);
379                 break;
380 #endif /* INET6 */
381         }
382
383         if ((diff = a->lan.port - b->lan.port) != 0)
384                 return (diff);
385         if ((diff = a->ext.port - b->ext.port) != 0)
386                 return (diff);
387
388         return (0);
389 }
390
391 static int
392 pf_state_compare_ext_gwy(struct pf_state *a, struct pf_state *b)
393 {
394         int     diff;
395
396         if ((diff = a->proto - b->proto) != 0)
397                 return (diff);
398         if ((diff = a->af - b->af) != 0)
399                 return (diff);
400         switch (a->af) {
401 #ifdef INET
402         case AF_INET:
403                 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
404                         return (1);
405                 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
406                         return (-1);
407                 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
408                         return (1);
409                 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
410                         return (-1);
411                 break;
412 #endif /* INET */
413 #ifdef INET6
414         case AF_INET6:
415                 if (a->ext.addr.addr32[3] > b->ext.addr.addr32[3])
416                         return (1);
417                 if (a->ext.addr.addr32[3] < b->ext.addr.addr32[3])
418                         return (-1);
419                 if (a->gwy.addr.addr32[3] > b->gwy.addr.addr32[3])
420                         return (1);
421                 if (a->gwy.addr.addr32[3] < b->gwy.addr.addr32[3])
422                         return (-1);
423                 if (a->ext.addr.addr32[2] > b->ext.addr.addr32[2])
424                         return (1);
425                 if (a->ext.addr.addr32[2] < b->ext.addr.addr32[2])
426                         return (-1);
427                 if (a->gwy.addr.addr32[2] > b->gwy.addr.addr32[2])
428                         return (1);
429                 if (a->gwy.addr.addr32[2] < b->gwy.addr.addr32[2])
430                         return (-1);
431                 if (a->ext.addr.addr32[1] > b->ext.addr.addr32[1])
432                         return (1);
433                 if (a->ext.addr.addr32[1] < b->ext.addr.addr32[1])
434                         return (-1);
435                 if (a->gwy.addr.addr32[1] > b->gwy.addr.addr32[1])
436                         return (1);
437                 if (a->gwy.addr.addr32[1] < b->gwy.addr.addr32[1])
438                         return (-1);
439                 if (a->ext.addr.addr32[0] > b->ext.addr.addr32[0])
440                         return (1);
441                 if (a->ext.addr.addr32[0] < b->ext.addr.addr32[0])
442                         return (-1);
443                 if (a->gwy.addr.addr32[0] > b->gwy.addr.addr32[0])
444                         return (1);
445                 if (a->gwy.addr.addr32[0] < b->gwy.addr.addr32[0])
446                         return (-1);
447                 break;
448 #endif /* INET6 */
449         }
450
451         if ((diff = a->ext.port - b->ext.port) != 0)
452                 return (diff);
453         if ((diff = a->gwy.port - b->gwy.port) != 0)
454                 return (diff);
455
456         return (0);
457 }
458
459 static int
460 pf_state_compare_id(struct pf_state *a, struct pf_state *b)
461 {
462         if (a->id > b->id)
463                 return (1);
464         if (a->id < b->id)
465                 return (-1);
466         if (a->creatorid > b->creatorid)
467                 return (1);
468         if (a->creatorid < b->creatorid)
469                 return (-1);
470
471         return (0);
472 }
473
474 #ifdef INET6
475 void
476 pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af)
477 {
478         switch (af) {
479 #ifdef INET
480         case AF_INET:
481                 dst->addr32[0] = src->addr32[0];
482                 break;
483 #endif /* INET */
484         case AF_INET6:
485                 dst->addr32[0] = src->addr32[0];
486                 dst->addr32[1] = src->addr32[1];
487                 dst->addr32[2] = src->addr32[2];
488                 dst->addr32[3] = src->addr32[3];
489                 break;
490         }
491 }
492 #endif
493
494 struct pf_state *
495 pf_find_state_byid(struct pf_state *key)
496 {
497         pf_status.fcounters[FCNT_STATE_SEARCH]++;
498         return (RB_FIND(pf_state_tree_id, &tree_id, key));
499 }
500
501 struct pf_state *
502 pf_find_state_recurse(struct pfi_kif *kif, struct pf_state *key, u_int8_t tree)
503 {
504         struct pf_state *s;
505
506         pf_status.fcounters[FCNT_STATE_SEARCH]++;
507
508         switch (tree) {
509         case PF_LAN_EXT:
510                 for (; kif != NULL; kif = kif->pfik_parent) {
511                         s = RB_FIND(pf_state_tree_lan_ext,
512                             &kif->pfik_lan_ext, key);
513                         if (s != NULL)
514                                 return (s);
515                 }
516                 return (NULL);
517         case PF_EXT_GWY:
518                 for (; kif != NULL; kif = kif->pfik_parent) {
519                         s = RB_FIND(pf_state_tree_ext_gwy,
520                             &kif->pfik_ext_gwy, key);
521                         if (s != NULL)
522                                 return (s);
523                 }
524                 return (NULL);
525         default:
526                 panic("pf_find_state_recurse");
527         }
528 }
529
530 struct pf_state *
531 pf_find_state_all(struct pf_state *key, u_int8_t tree, int *more)
532 {
533         struct pf_state *s, *ss = NULL;
534         struct pfi_kif  *kif;
535
536         pf_status.fcounters[FCNT_STATE_SEARCH]++;
537
538         switch (tree) {
539         case PF_LAN_EXT:
540                 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
541                         s = RB_FIND(pf_state_tree_lan_ext,
542                             &kif->pfik_lan_ext, key);
543                         if (s == NULL)
544                                 continue;
545                         if (more == NULL)
546                                 return (s);
547                         ss = s;
548                         (*more)++;
549                 }
550                 return (ss);
551         case PF_EXT_GWY:
552                 TAILQ_FOREACH(kif, &pfi_statehead, pfik_w_states) {
553                         s = RB_FIND(pf_state_tree_ext_gwy,
554                             &kif->pfik_ext_gwy, key);
555                         if (s == NULL)
556                                 continue;
557                         if (more == NULL)
558                                 return (s);
559                         ss = s;
560                         (*more)++;
561                 }
562                 return (ss);
563         default:
564                 panic("pf_find_state_all");
565         }
566 }
567
568 int
569 pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,
570     struct pf_addr *src, sa_family_t af)
571 {
572         struct pf_src_node      k;
573
574         if (*sn == NULL) {
575                 k.af = af;
576                 PF_ACPY(&k.addr, src, af);
577                 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
578                     rule->rpool.opts & PF_POOL_STICKYADDR)
579                         k.rule.ptr = rule;
580                 else
581                         k.rule.ptr = NULL;
582                 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
583                 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
584         }
585         if (*sn == NULL) {
586                 if (!rule->max_src_nodes ||
587                     rule->src_nodes < rule->max_src_nodes)
588                         (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT);
589                 if ((*sn) == NULL)
590                         return (-1);
591                 bzero(*sn, sizeof(struct pf_src_node));
592                 (*sn)->af = af;
593                 if (rule->rule_flag & PFRULE_RULESRCTRACK ||
594                     rule->rpool.opts & PF_POOL_STICKYADDR)
595                         (*sn)->rule.ptr = rule;
596                 else
597                         (*sn)->rule.ptr = NULL;
598                 PF_ACPY(&(*sn)->addr, src, af);
599                 if (RB_INSERT(pf_src_tree,
600                     &tree_src_tracking, *sn) != NULL) {
601                         if (pf_status.debug >= PF_DEBUG_MISC) {
602                                 printf("pf: src_tree insert failed: ");
603                                 pf_print_host(&(*sn)->addr, 0, af);
604                                 printf("\n");
605                         }
606                         pool_put(&pf_src_tree_pl, *sn);
607                         return (-1);
608                 }
609                 (*sn)->creation = time_second;
610                 (*sn)->ruletype = rule->action;
611                 if ((*sn)->rule.ptr != NULL)
612                         (*sn)->rule.ptr->src_nodes++;
613                 pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
614                 pf_status.src_nodes++;
615         } else {
616                 if (rule->max_src_states &&
617                     (*sn)->states >= rule->max_src_states)
618                         return (-1);
619         }
620         return (0);
621 }
622
623 int
624 pf_insert_state(struct pfi_kif *kif, struct pf_state *state)
625 {
626         /* Thou MUST NOT insert multiple duplicate keys */
627         state->u.s.kif = kif;
628         if (RB_INSERT(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state)) {
629                 if (pf_status.debug >= PF_DEBUG_MISC) {
630                         printf("pf: state insert failed: tree_lan_ext");
631                         printf(" lan: ");
632                         pf_print_host(&state->lan.addr, state->lan.port,
633                             state->af);
634                         printf(" gwy: ");
635                         pf_print_host(&state->gwy.addr, state->gwy.port,
636                             state->af);
637                         printf(" ext: ");
638                         pf_print_host(&state->ext.addr, state->ext.port,
639                             state->af);
640                         if (state->sync_flags & PFSTATE_FROMSYNC)
641                                 printf(" (from sync)");
642                         printf("\n");
643                 }
644                 return (-1);
645         }
646
647         if (RB_INSERT(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state)) {
648                 if (pf_status.debug >= PF_DEBUG_MISC) {
649                         printf("pf: state insert failed: tree_ext_gwy");
650                         printf(" lan: ");
651                         pf_print_host(&state->lan.addr, state->lan.port,
652                             state->af);
653                         printf(" gwy: ");
654                         pf_print_host(&state->gwy.addr, state->gwy.port,
655                             state->af);
656                         printf(" ext: ");
657                         pf_print_host(&state->ext.addr, state->ext.port,
658                             state->af);
659                         if (state->sync_flags & PFSTATE_FROMSYNC)
660                                 printf(" (from sync)");
661                         printf("\n");
662                 }
663                 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
664                 return (-1);
665         }
666
667         if (state->id == 0 && state->creatorid == 0) {
668                 state->id = htobe64(pf_status.stateid++);
669                 state->creatorid = pf_status.hostid;
670         }
671         if (RB_INSERT(pf_state_tree_id, &tree_id, state) != NULL) {
672                 if (pf_status.debug >= PF_DEBUG_MISC) {
673                         printf("pf: state insert failed: "
674                             "id: %016" PRIx64 " creatorid: %08" PRIx32,
675                             be64toh(state->id), ntohl(state->creatorid));
676                         if (state->sync_flags & PFSTATE_FROMSYNC)
677                                 printf(" (from sync)");
678                         printf("\n");
679                 }
680                 RB_REMOVE(pf_state_tree_lan_ext, &kif->pfik_lan_ext, state);
681                 RB_REMOVE(pf_state_tree_ext_gwy, &kif->pfik_ext_gwy, state);
682                 return (-1);
683         }
684         TAILQ_INSERT_HEAD(&state_updates, state, u.s.entry_updates);
685
686         pf_status.fcounters[FCNT_STATE_INSERT]++;
687         pf_status.states++;
688         pfi_attach_state(kif);
689 #if NPFSYNC
690         pfsync_insert_state(state);
691 #endif
692         return (0);
693 }
694
695 void
696 pf_purge_timeout(void *arg)
697 {
698         struct callout  *to = arg;
699         int              s;
700
701         s = splsoftnet();
702         pf_purge_expired_states();
703         pf_purge_expired_fragments();
704         pf_purge_expired_src_nodes();
705         splx(s);
706
707         callout_reset(to, pf_default_rule.timeout[PFTM_INTERVAL] * hz,
708             pf_purge_timeout, to);
709 }
710
711 u_int32_t
712 pf_state_expires(const struct pf_state *state)
713 {
714         u_int32_t       timeout;
715         u_int32_t       start;
716         u_int32_t       end;
717         u_int32_t       states;
718
719         /* handle all PFTM_* > PFTM_MAX here */
720         if (state->timeout == PFTM_PURGE)
721                 return (time_second);
722         if (state->timeout == PFTM_UNTIL_PACKET)
723                 return (0);
724         KASSERT((state->timeout < PFTM_MAX), 
725             ("pf_state_expires: timeout > PFTM_MAX"));
726         timeout = state->rule.ptr->timeout[state->timeout];
727         if (!timeout)
728                 timeout = pf_default_rule.timeout[state->timeout];
729         start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
730         if (start) {
731                 end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
732                 states = state->rule.ptr->states;
733         } else {
734                 start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
735                 end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
736                 states = pf_status.states;
737         }
738         if (end && states > start && start < end) {
739                 if (states < end)
740                         return (state->expire + timeout * (end - states) /
741                             (end - start));
742                 else
743                         return (time_second);
744         }
745         return (state->expire + timeout);
746 }
747
748 void
749 pf_purge_expired_src_nodes(void)
750 {
751          struct pf_src_node             *cur, *next;
752
753          for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) {
754                  next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur);
755
756                  if (cur->states <= 0 && cur->expire <= time_second) {
757                          if (cur->rule.ptr != NULL) {
758                                  cur->rule.ptr->src_nodes--;
759                                  if (cur->rule.ptr->states <= 0 &&
760                                      cur->rule.ptr->max_src_nodes <= 0)
761                                          pf_rm_rule(NULL, cur->rule.ptr);
762                          }
763                          RB_REMOVE(pf_src_tree, &tree_src_tracking, cur);
764                          pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
765                          pf_status.src_nodes--;
766                          pool_put(&pf_src_tree_pl, cur);
767                  }
768          }
769 }
770
771 void
772 pf_src_tree_remove_state(struct pf_state *s)
773 {
774         u_int32_t timeout;
775
776         if (s->src_node != NULL) {
777                 if (--s->src_node->states <= 0) {
778                         timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
779                         if (!timeout)
780                                 timeout =
781                                     pf_default_rule.timeout[PFTM_SRC_NODE];
782                         s->src_node->expire = time_second + timeout;
783                 }
784         }
785         if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
786                 if (--s->nat_src_node->states <= 0) {
787                         timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
788                         if (!timeout)
789                                 timeout =
790                                     pf_default_rule.timeout[PFTM_SRC_NODE];
791                         s->nat_src_node->expire = time_second + timeout;
792                 }
793         }
794         s->src_node = s->nat_src_node = NULL;
795 }
796
797 void
798 pf_purge_expired_states(void)
799 {
800         struct pf_state         *cur, *next;
801
802         for (cur = RB_MIN(pf_state_tree_id, &tree_id);
803             cur; cur = next) {
804                 next = RB_NEXT(pf_state_tree_id, &tree_id, cur);
805
806                 if (pf_state_expires(cur) <= time_second) {
807                         if (cur->src.state == PF_TCPS_PROXY_DST)
808                                 pf_send_tcp(cur->rule.ptr, cur->af,
809                                     &cur->ext.addr, &cur->lan.addr,
810                                     cur->ext.port, cur->lan.port,
811                                     cur->src.seqhi, cur->src.seqlo + 1, 0,
812                                     TH_RST|TH_ACK, 0, 0);
813                         RB_REMOVE(pf_state_tree_ext_gwy,
814                             &cur->u.s.kif->pfik_ext_gwy, cur);
815                         RB_REMOVE(pf_state_tree_lan_ext,
816                             &cur->u.s.kif->pfik_lan_ext, cur);
817                         RB_REMOVE(pf_state_tree_id, &tree_id, cur);
818 #if NPFSYNC
819                         pfsync_delete_state(cur);
820 #endif
821                         pf_src_tree_remove_state(cur);
822                         if (--cur->rule.ptr->states <= 0 &&
823                             cur->rule.ptr->src_nodes <= 0)
824                                 pf_rm_rule(NULL, cur->rule.ptr);
825                         if (cur->nat_rule.ptr != NULL)
826                                 if (--cur->nat_rule.ptr->states <= 0 &&
827                                         cur->nat_rule.ptr->src_nodes <= 0)
828                                         pf_rm_rule(NULL, cur->nat_rule.ptr);
829                         if (cur->anchor.ptr != NULL)
830                                 if (--cur->anchor.ptr->states <= 0)
831                                         pf_rm_rule(NULL, cur->anchor.ptr);
832                         pf_normalize_tcp_cleanup(cur);
833                         pfi_detach_state(cur->u.s.kif);
834                         TAILQ_REMOVE(&state_updates, cur, u.s.entry_updates);
835                         pool_put(&pf_state_pl, cur);
836                         pf_status.fcounters[FCNT_STATE_REMOVALS]++;
837                         pf_status.states--;
838                 }
839         }
840 }
841
842 int
843 pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw)
844 {
845         if (aw->type != PF_ADDR_TABLE)
846                 return (0);
847         if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL)
848                 return (1);
849         return (0);
850 }
851
852 void
853 pf_tbladdr_remove(struct pf_addr_wrap *aw)
854 {
855         if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL)
856                 return;
857         pfr_detach_table(aw->p.tbl);
858         aw->p.tbl = NULL;
859 }
860
861 void
862 pf_tbladdr_copyout(struct pf_addr_wrap *aw)
863 {
864         struct pfr_ktable *kt = aw->p.tbl;
865
866         if (aw->type != PF_ADDR_TABLE || kt == NULL)
867                 return;
868         if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)
869                 kt = kt->pfrkt_root;
870         aw->p.tbl = NULL;
871         aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ?
872                 kt->pfrkt_cnt : -1;
873 }
874
875 void
876 pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
877 {
878         switch (af) {
879 #ifdef INET
880         case AF_INET: {
881                 u_int32_t a = ntohl(addr->addr32[0]);
882                 printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255,
883                     (a>>8)&255, a&255);
884                 if (p) {
885                         p = ntohs(p);
886                         printf(":%u", p);
887                 }
888                 break;
889         }
890 #endif /* INET */
891 #ifdef INET6
892         case AF_INET6: {
893                 u_int16_t b;
894                 u_int8_t i, curstart = 255, curend = 0,
895                     maxstart = 0, maxend = 0;
896                 for (i = 0; i < 8; i++) {
897                         if (!addr->addr16[i]) {
898                                 if (curstart == 255)
899                                         curstart = i;
900                                 else
901                                         curend = i;
902                         } else {
903                                 if (curstart) {
904                                         if ((curend - curstart) >
905                                             (maxend - maxstart)) {
906                                                 maxstart = curstart;
907                                                 maxend = curend;
908                                                 curstart = 255;
909                                         }
910                                 }
911                         }
912                 }
913                 for (i = 0; i < 8; i++) {
914                         if (i >= maxstart && i <= maxend) {
915                                 if (maxend != 7) {
916                                         if (i == maxstart)
917                                                 printf(":");
918                                 } else {
919                                         if (i == maxend)
920                                                 printf(":");
921                                 }
922                         } else {
923                                 b = ntohs(addr->addr16[i]);
924                                 printf("%x", b);
925                                 if (i < 7)
926                                         printf(":");
927                         }
928                 }
929                 if (p) {
930                         p = ntohs(p);
931                         printf("[%u]", p);
932                 }
933                 break;
934         }
935 #endif /* INET6 */
936         }
937 }
938
939 void
940 pf_print_state(struct pf_state *s)
941 {
942         switch (s->proto) {
943         case IPPROTO_TCP:
944                 printf("TCP ");
945                 break;
946         case IPPROTO_UDP:
947                 printf("UDP ");
948                 break;
949         case IPPROTO_ICMP:
950                 printf("ICMP ");
951                 break;
952         case IPPROTO_ICMPV6:
953                 printf("ICMPV6 ");
954                 break;
955         default:
956                 printf("%u ", s->proto);
957                 break;
958         }
959         pf_print_host(&s->lan.addr, s->lan.port, s->af);
960         printf(" ");
961         pf_print_host(&s->gwy.addr, s->gwy.port, s->af);
962         printf(" ");
963         pf_print_host(&s->ext.addr, s->ext.port, s->af);
964         printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo,
965             s->src.seqhi, s->src.max_win, s->src.seqdiff);
966         if (s->src.wscale && s->dst.wscale)
967                 printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK);
968         printf("]");
969         printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo,
970             s->dst.seqhi, s->dst.max_win, s->dst.seqdiff);
971         if (s->src.wscale && s->dst.wscale)
972                 printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK);
973         printf("]");
974         printf(" %u:%u", s->src.state, s->dst.state);
975 }
976
977 void
978 pf_print_flags(u_int8_t f)
979 {
980         if (f)
981                 printf(" ");
982         if (f & TH_FIN)
983                 printf("F");
984         if (f & TH_SYN)
985                 printf("S");
986         if (f & TH_RST)
987                 printf("R");
988         if (f & TH_PUSH)
989                 printf("P");
990         if (f & TH_ACK)
991                 printf("A");
992         if (f & TH_URG)
993                 printf("U");
994         if (f & TH_ECE)
995                 printf("E");
996         if (f & TH_CWR)
997                 printf("W");
998 }
999
1000 #define PF_SET_SKIP_STEPS(i)                                    \
1001         do {                                                    \
1002                 while (head[i] != cur) {                        \
1003                         head[i]->skip[i].ptr = cur;             \
1004                         head[i] = TAILQ_NEXT(head[i], entries); \
1005                 }                                               \
1006         } while (0)
1007
1008 void
1009 pf_calc_skip_steps(struct pf_rulequeue *rules)
1010 {
1011         struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT];
1012         int i;
1013
1014         cur = TAILQ_FIRST(rules);
1015         prev = cur;
1016         for (i = 0; i < PF_SKIP_COUNT; ++i)
1017                 head[i] = cur;
1018         while (cur != NULL) {
1019
1020                 if (cur->kif != prev->kif || cur->ifnot != prev->ifnot)
1021                         PF_SET_SKIP_STEPS(PF_SKIP_IFP);
1022                 if (cur->direction != prev->direction)
1023                         PF_SET_SKIP_STEPS(PF_SKIP_DIR);
1024                 if (cur->af != prev->af)
1025                         PF_SET_SKIP_STEPS(PF_SKIP_AF);
1026                 if (cur->proto != prev->proto)
1027                         PF_SET_SKIP_STEPS(PF_SKIP_PROTO);
1028                 if (cur->src.not != prev->src.not ||
1029                     pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr))
1030                         PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR);
1031                 if (cur->src.port[0] != prev->src.port[0] ||
1032                     cur->src.port[1] != prev->src.port[1] ||
1033                     cur->src.port_op != prev->src.port_op)
1034                         PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT);
1035                 if (cur->dst.not != prev->dst.not ||
1036                     pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr))
1037                         PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR);
1038                 if (cur->dst.port[0] != prev->dst.port[0] ||
1039                     cur->dst.port[1] != prev->dst.port[1] ||
1040                     cur->dst.port_op != prev->dst.port_op)
1041                         PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT);
1042
1043                 prev = cur;
1044                 cur = TAILQ_NEXT(cur, entries);
1045         }
1046         for (i = 0; i < PF_SKIP_COUNT; ++i)
1047                 PF_SET_SKIP_STEPS(i);
1048 }
1049
1050 int
1051 pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2)
1052 {
1053         if (aw1->type != aw2->type)
1054                 return (1);
1055         switch (aw1->type) {
1056         case PF_ADDR_ADDRMASK:
1057                 if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0))
1058                         return (1);
1059                 if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0))
1060                         return (1);
1061                 return (0);
1062         case PF_ADDR_DYNIFTL:
1063                 return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt);
1064         case PF_ADDR_NOROUTE:
1065                 return (0);
1066         case PF_ADDR_TABLE:
1067                 return (aw1->p.tbl != aw2->p.tbl);
1068         default:
1069                 printf("invalid address type: %d\n", aw1->type);
1070                 return (1);
1071         }
1072 }
1073
1074 void
1075 pf_update_anchor_rules()
1076 {
1077         struct pf_rule  *rule;
1078         int              i;
1079
1080         for (i = 0; i < PF_RULESET_MAX; ++i)
1081                 TAILQ_FOREACH(rule, pf_main_ruleset.rules[i].active.ptr,
1082                     entries)
1083                         if (rule->anchorname[0])
1084                                 rule->anchor = pf_find_anchor(rule->anchorname);
1085                         else
1086                                 rule->anchor = NULL;
1087 }
1088
1089 u_int16_t
1090 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
1091 {
1092         u_int32_t       l;
1093
1094         if (udp && !cksum)
1095                 return (0x0000);
1096         l = cksum + old - new;
1097         l = (l >> 16) + (l & 65535);
1098         l = l & 65535;
1099         if (udp && !l)
1100                 return (0xFFFF);
1101         return (l);
1102 }
1103
1104 void
1105 pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc,
1106     struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af)
1107 {
1108         struct pf_addr  ao;
1109         u_int16_t       po = *p;
1110
1111         PF_ACPY(&ao, a, af);
1112         PF_ACPY(a, an, af);
1113
1114         *p = pn;
1115
1116         switch (af) {
1117 #ifdef INET
1118         case AF_INET:
1119                 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1120                     ao.addr16[0], an->addr16[0], 0),
1121                     ao.addr16[1], an->addr16[1], 0);
1122                 *p = pn;
1123                 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1124                     ao.addr16[0], an->addr16[0], u),
1125                     ao.addr16[1], an->addr16[1], u),
1126                     po, pn, u);
1127                 break;
1128 #endif /* INET */
1129 #ifdef INET6
1130         case AF_INET6:
1131                 *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1132                     pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1133                     pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc,
1134                     ao.addr16[0], an->addr16[0], u),
1135                     ao.addr16[1], an->addr16[1], u),
1136                     ao.addr16[2], an->addr16[2], u),
1137                     ao.addr16[3], an->addr16[3], u),
1138                     ao.addr16[4], an->addr16[4], u),
1139                     ao.addr16[5], an->addr16[5], u),
1140                     ao.addr16[6], an->addr16[6], u),
1141                     ao.addr16[7], an->addr16[7], u),
1142                     po, pn, u);
1143                 break;
1144 #endif /* INET6 */
1145         }
1146 }
1147
1148
1149 /* Changes a u_int32_t.  Uses a void * so there are no align restrictions */
1150 void
1151 pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u)
1152 {
1153         u_int32_t       ao;
1154
1155         memcpy(&ao, a, sizeof(ao));
1156         memcpy(a, &an, sizeof(u_int32_t));
1157         *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u),
1158             ao % 65536, an % 65536, u);
1159 }
1160
1161 #ifdef INET6
1162 void
1163 pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u)
1164 {
1165         struct pf_addr  ao;
1166
1167         PF_ACPY(&ao, a, AF_INET6);
1168         PF_ACPY(a, an, AF_INET6);
1169
1170         *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1171             pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1172             pf_cksum_fixup(pf_cksum_fixup(*c,
1173             ao.addr16[0], an->addr16[0], u),
1174             ao.addr16[1], an->addr16[1], u),
1175             ao.addr16[2], an->addr16[2], u),
1176             ao.addr16[3], an->addr16[3], u),
1177             ao.addr16[4], an->addr16[4], u),
1178             ao.addr16[5], an->addr16[5], u),
1179             ao.addr16[6], an->addr16[6], u),
1180             ao.addr16[7], an->addr16[7], u);
1181 }
1182 #endif /* INET6 */
1183
1184 void
1185 pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa,
1186     struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c,
1187     u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af)
1188 {
1189         struct pf_addr  oia, ooa;
1190
1191         PF_ACPY(&oia, ia, af);
1192         PF_ACPY(&ooa, oa, af);
1193
1194         /* Change inner protocol port, fix inner protocol checksum. */
1195         if (ip != NULL) {
1196                 u_int16_t       oip = *ip;
1197                 u_int32_t       opc = 0;
1198
1199                 if (pc != NULL)
1200                         opc = *pc;
1201                 *ip = np;
1202                 if (pc != NULL)
1203                         *pc = pf_cksum_fixup(*pc, oip, *ip, u);
1204                 *ic = pf_cksum_fixup(*ic, oip, *ip, 0);
1205                 if (pc != NULL)
1206                         *ic = pf_cksum_fixup(*ic, opc, *pc, 0);
1207         }
1208         /* Change inner ip address, fix inner ip and icmp checksums. */
1209         PF_ACPY(ia, na, af);
1210         switch (af) {
1211 #ifdef INET
1212         case AF_INET: {
1213                 u_int32_t        oh2c = *h2c;
1214
1215                 *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c,
1216                     oia.addr16[0], ia->addr16[0], 0),
1217                     oia.addr16[1], ia->addr16[1], 0);
1218                 *ic = pf_cksum_fixup(pf_cksum_fixup(*ic,
1219                     oia.addr16[0], ia->addr16[0], 0),
1220                     oia.addr16[1], ia->addr16[1], 0);
1221                 *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0);
1222                 break;
1223         }
1224 #endif /* INET */
1225 #ifdef INET6
1226         case AF_INET6:
1227                 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1228                     pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1229                     pf_cksum_fixup(pf_cksum_fixup(*ic,
1230                     oia.addr16[0], ia->addr16[0], u),
1231                     oia.addr16[1], ia->addr16[1], u),
1232                     oia.addr16[2], ia->addr16[2], u),
1233                     oia.addr16[3], ia->addr16[3], u),
1234                     oia.addr16[4], ia->addr16[4], u),
1235                     oia.addr16[5], ia->addr16[5], u),
1236                     oia.addr16[6], ia->addr16[6], u),
1237                     oia.addr16[7], ia->addr16[7], u);
1238                 break;
1239 #endif /* INET6 */
1240         }
1241         /* Change outer ip address, fix outer ip or icmpv6 checksum. */
1242         PF_ACPY(oa, na, af);
1243         switch (af) {
1244 #ifdef INET
1245         case AF_INET:
1246                 *hc = pf_cksum_fixup(pf_cksum_fixup(*hc,
1247                     ooa.addr16[0], oa->addr16[0], 0),
1248                     ooa.addr16[1], oa->addr16[1], 0);
1249                 break;
1250 #endif /* INET */
1251 #ifdef INET6
1252         case AF_INET6:
1253                 *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1254                     pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(
1255                     pf_cksum_fixup(pf_cksum_fixup(*ic,
1256                     ooa.addr16[0], oa->addr16[0], u),
1257                     ooa.addr16[1], oa->addr16[1], u),
1258                     ooa.addr16[2], oa->addr16[2], u),
1259                     ooa.addr16[3], oa->addr16[3], u),
1260                     ooa.addr16[4], oa->addr16[4], u),
1261                     ooa.addr16[5], oa->addr16[5], u),
1262                     ooa.addr16[6], oa->addr16[6], u),
1263                     ooa.addr16[7], oa->addr16[7], u);
1264                 break;
1265 #endif /* INET6 */
1266         }
1267 }
1268
1269 void
1270 pf_send_tcp(const struct pf_rule *r, sa_family_t af,
1271     const struct pf_addr *saddr, const struct pf_addr *daddr,
1272     u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
1273     u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl)
1274 {
1275         struct mbuf     *m;
1276         int              len = 0, tlen;
1277 #ifdef INET
1278         struct ip       *h = NULL;
1279 #endif /* INET */
1280 #ifdef INET6
1281         struct ip6_hdr  *h6 = NULL;
1282 #endif /* INET6 */
1283         struct tcphdr   *th = NULL;
1284         char *opt;
1285
1286         /* maximum segment size tcp option */
1287         tlen = sizeof(struct tcphdr);
1288         if (mss)
1289                 tlen += 4;
1290
1291         switch (af) {
1292 #ifdef INET
1293         case AF_INET:
1294                 len = sizeof(struct ip) + tlen;
1295                 break;
1296 #endif /* INET */
1297 #ifdef INET6
1298         case AF_INET6:
1299                 len = sizeof(struct ip6_hdr) + tlen;
1300                 break;
1301 #endif /* INET6 */
1302         }
1303
1304         /* create outgoing mbuf */
1305         m = m_gethdr(MB_DONTWAIT, MT_HEADER);
1306         if (m == NULL)
1307                 return;
1308         m->m_pkthdr.fw_flags |= PF_MBUF_GENERATED;
1309 #ifdef ALTQ
1310         if (r != NULL && r->qid) {
1311                 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED;
1312                 m->m_pkthdr.altq_qid = r->qid;
1313                 m->m_pkthdr.ecn_af = af;
1314                 m->m_pkthdr.header = mtod(m, struct ip *);
1315         }
1316 #endif
1317         m->m_data += max_linkhdr;
1318         m->m_pkthdr.len = m->m_len = len;
1319         m->m_pkthdr.rcvif = NULL;
1320         bzero(m->m_data, len);
1321         switch (af) {
1322 #ifdef INET
1323         case AF_INET:
1324                 h = mtod(m, struct ip *);
1325
1326                 /* IP header fields included in the TCP checksum */
1327                 h->ip_p = IPPROTO_TCP;
1328                 h->ip_len = tlen;
1329                 h->ip_src.s_addr = saddr->v4.s_addr;
1330                 h->ip_dst.s_addr = daddr->v4.s_addr;
1331
1332                 th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip));
1333                 break;
1334 #endif /* INET */
1335 #ifdef INET6
1336         case AF_INET6:
1337                 h6 = mtod(m, struct ip6_hdr *);
1338
1339                 /* IP header fields included in the TCP checksum */
1340                 h6->ip6_nxt = IPPROTO_TCP;
1341                 h6->ip6_plen = htons(tlen);
1342                 memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr));
1343                 memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr));
1344
1345                 th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr));
1346                 break;
1347 #endif /* INET6 */
1348         }
1349
1350         /* TCP header */
1351         th->th_sport = sport;
1352         th->th_dport = dport;
1353         th->th_seq = htonl(seq);
1354         th->th_ack = htonl(ack);
1355         th->th_off = tlen >> 2;
1356         th->th_flags = flags;
1357         th->th_win = htons(win);
1358
1359         if (mss) {
1360                 opt = (char *)(th + 1);
1361                 opt[0] = TCPOPT_MAXSEG;
1362                 opt[1] = 4;
1363                 mss = htons(mss);
1364                 bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2);
1365         }
1366
1367         switch (af) {
1368 #ifdef INET
1369         case AF_INET:
1370                 /* TCP checksum */
1371                 th->th_sum = in_cksum(m, len);
1372
1373                 /* Finish the IP header */
1374                 h->ip_v = 4;
1375                 h->ip_hl = sizeof(*h) >> 2;
1376                 h->ip_tos = IPTOS_LOWDELAY;
1377                 h->ip_len = len;
1378                 h->ip_off = path_mtu_discovery ? IP_DF : 0;
1379                 h->ip_ttl = ttl ? ttl : ip_defttl;
1380                 h->ip_sum = 0;
1381                 ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
1382                     (void *)NULL);
1383                 break;
1384 #endif /* INET */
1385 #ifdef INET6
1386         case AF_INET6:
1387                 /* TCP checksum */
1388                 th->th_sum = in6_cksum(m, IPPROTO_TCP,
1389                     sizeof(struct ip6_hdr), tlen);
1390
1391                 h6->ip6_vfc |= IPV6_VERSION;
1392                 h6->ip6_hlim = IPV6_DEFHLIM;
1393
1394                 ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
1395                 break;
1396 #endif /* INET6 */
1397         }
1398 }
1399
1400 void
1401 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
1402     struct pf_rule *r)
1403 {
1404         struct mbuf     *m0;
1405
1406         m0 = m_copypacket(m, MB_DONTWAIT);
1407         if (m0 == NULL)
1408                 return;
1409         m0->m_pkthdr.fw_flags |= PF_MBUF_GENERATED;
1410
1411 #ifdef ALTQ
1412         if (r->qid) {
1413                 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED;
1414                 m->m_pkthdr.altq_qid = r->qid;
1415                 m->m_pkthdr.ecn_af = af;
1416                 m->m_pkthdr.header = mtod(m0, struct ip *);
1417         }
1418 #endif
1419
1420         switch (af) {
1421 #ifdef INET
1422         case AF_INET:
1423                 icmp_error(m0, type, code, 0, (void *)NULL);
1424                 break;
1425 #endif /* INET */
1426 #ifdef INET6
1427         case AF_INET6:
1428                 icmp6_error(m0, type, code, 0);
1429                 break;
1430 #endif /* INET6 */
1431         }
1432 }
1433
1434 /*
1435  * Return 1 if the addresses a and b match (with mask m), otherwise return 0.
1436  * If n is 0, they match if they are equal. If n is != 0, they match if they
1437  * are different.
1438  */
1439 int
1440 pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m,
1441     struct pf_addr *b, sa_family_t af)
1442 {
1443         int     match = 0;
1444
1445         switch (af) {
1446 #ifdef INET
1447         case AF_INET:
1448                 if ((a->addr32[0] & m->addr32[0]) ==
1449                     (b->addr32[0] & m->addr32[0]))
1450                         match++;
1451                 break;
1452 #endif /* INET */
1453 #ifdef INET6
1454         case AF_INET6:
1455                 if (((a->addr32[0] & m->addr32[0]) ==
1456                      (b->addr32[0] & m->addr32[0])) &&
1457                     ((a->addr32[1] & m->addr32[1]) ==
1458                      (b->addr32[1] & m->addr32[1])) &&
1459                     ((a->addr32[2] & m->addr32[2]) ==
1460                      (b->addr32[2] & m->addr32[2])) &&
1461                     ((a->addr32[3] & m->addr32[3]) ==
1462                      (b->addr32[3] & m->addr32[3])))
1463                         match++;
1464                 break;
1465 #endif /* INET6 */
1466         }
1467         if (match) {
1468                 if (n)
1469                         return (0);
1470                 else
1471                         return (1);
1472         } else {
1473                 if (n)
1474                         return (1);
1475                 else
1476                         return (0);
1477         }
1478 }
1479
1480 int
1481 pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p)
1482 {
1483         switch (op) {
1484         case PF_OP_IRG:
1485                 return ((p > a1) && (p < a2));
1486         case PF_OP_XRG:
1487                 return ((p < a1) || (p > a2));
1488         case PF_OP_RRG:
1489                 return ((p >= a1) && (p <= a2));
1490         case PF_OP_EQ:
1491                 return (p == a1);
1492         case PF_OP_NE:
1493                 return (p != a1);
1494         case PF_OP_LT:
1495                 return (p < a1);
1496         case PF_OP_LE:
1497                 return (p <= a1);
1498         case PF_OP_GT:
1499                 return (p > a1);
1500         case PF_OP_GE:
1501                 return (p >= a1);
1502         }
1503         return (0); /* never reached */
1504 }
1505
1506 int
1507 pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
1508 {
1509         a1 = ntohs(a1);
1510         a2 = ntohs(a2);
1511         p = ntohs(p);
1512         return (pf_match(op, a1, a2, p));
1513 }
1514
1515 int
1516 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
1517 {
1518         if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
1519                 return (0);
1520         return (pf_match(op, a1, a2, u));
1521 }
1522
1523 int
1524 pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
1525 {
1526         if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE)
1527                 return (0);
1528         return (pf_match(op, a1, a2, g));
1529 }
1530
1531 static int
1532 pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_rule *nat_rule,
1533              int *tag)
1534 {
1535         if (*tag == -1) {       /* find mbuf tag */
1536                 if (nat_rule != NULL && nat_rule->tag)
1537                         *tag = nat_rule->tag;
1538                 else if (m->m_pkthdr.fw_flags & PF_MBUF_TAGGED)
1539                         *tag = m->m_pkthdr.pf_tag;
1540                 else
1541                         *tag = 0;
1542         }
1543
1544         return ((!r->match_tag_not && r->match_tag == *tag) ||
1545             (r->match_tag_not && r->match_tag != *tag));
1546 }
1547
1548 void
1549 pf_tag_packet(struct mbuf *m, int tag)
1550 {
1551         if (tag <= 0)
1552                 return;
1553
1554         m->m_pkthdr.fw_flags |= PF_MBUF_TAGGED;
1555         m->m_pkthdr.pf_tag = tag;
1556 }
1557
1558 #define PF_STEP_INTO_ANCHOR(r, a, s, n)                                 \
1559         do {                                                            \
1560                 if ((r) == NULL || (r)->anchor == NULL ||               \
1561                     (s) != NULL || (a) != NULL)                         \
1562                         panic("PF_STEP_INTO_ANCHOR");                   \
1563                 (a) = (r);                                              \
1564                 (s) = TAILQ_FIRST(&(r)->anchor->rulesets);              \
1565                 (r) = NULL;                                             \
1566                 while ((s) != NULL && ((r) =                            \
1567                     TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL)     \
1568                         (s) = TAILQ_NEXT((s), entries);                 \
1569                 if ((r) == NULL) {                                      \
1570                         (r) = TAILQ_NEXT((a), entries);                 \
1571                         (a) = NULL;                                     \
1572                 }                                                       \
1573         } while (0)
1574
1575 #define PF_STEP_OUT_OF_ANCHOR(r, a, s, n)                               \
1576         do {                                                            \
1577                 if ((r) != NULL || (a) == NULL || (s) == NULL)          \
1578                         panic("PF_STEP_OUT_OF_ANCHOR");                 \
1579                 (s) = TAILQ_NEXT((s), entries);                         \
1580                 while ((s) != NULL && ((r) =                            \
1581                     TAILQ_FIRST((s)->rules[n].active.ptr)) == NULL)     \
1582                         (s) = TAILQ_NEXT((s), entries);                 \
1583                 if ((r) == NULL) {                                      \
1584                         (r) = TAILQ_NEXT((a), entries);                 \
1585                         (a) = NULL;                                     \
1586                 }                                                       \
1587         } while (0)
1588
1589 #ifdef INET6
1590 void
1591 pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr,
1592     struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af)
1593 {
1594         switch (af) {
1595 #ifdef INET
1596         case AF_INET:
1597                 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
1598                 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
1599                 break;
1600 #endif /* INET */
1601         case AF_INET6:
1602                 naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) |
1603                 ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]);
1604                 naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) |
1605                 ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]);
1606                 naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) |
1607                 ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]);
1608                 naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) |
1609                 ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]);
1610                 break;
1611         }
1612 }
1613
1614 void
1615 pf_addr_inc(struct pf_addr *addr, sa_family_t af)
1616 {
1617         switch (af) {
1618 #ifdef INET
1619         case AF_INET:
1620                 addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1);
1621                 break;
1622 #endif /* INET */
1623         case AF_INET6:
1624                 if (addr->addr32[3] == 0xffffffff) {
1625                         addr->addr32[3] = 0;
1626                         if (addr->addr32[2] == 0xffffffff) {
1627                                 addr->addr32[2] = 0;
1628                                 if (addr->addr32[1] == 0xffffffff) {
1629                                         addr->addr32[1] = 0;
1630                                         addr->addr32[0] =
1631                                             htonl(ntohl(addr->addr32[0]) + 1);
1632                                 } else
1633                                         addr->addr32[1] =
1634                                             htonl(ntohl(addr->addr32[1]) + 1);
1635                         } else
1636                                 addr->addr32[2] =
1637                                     htonl(ntohl(addr->addr32[2]) + 1);
1638                 } else
1639                         addr->addr32[3] =
1640                             htonl(ntohl(addr->addr32[3]) + 1);
1641                 break;
1642         }
1643 }
1644 #endif /* INET6 */
1645
1646 #define mix(a,b,c) \
1647         do {                                    \
1648                 a -= b; a -= c; a ^= (c >> 13); \
1649                 b -= c; b -= a; b ^= (a << 8);  \
1650                 c -= a; c -= b; c ^= (b >> 13); \
1651                 a -= b; a -= c; a ^= (c >> 12); \
1652                 b -= c; b -= a; b ^= (a << 16); \
1653                 c -= a; c -= b; c ^= (b >> 5);  \
1654                 a -= b; a -= c; a ^= (c >> 3);  \
1655                 b -= c; b -= a; b ^= (a << 10); \
1656                 c -= a; c -= b; c ^= (b >> 15); \
1657         } while (0)
1658
1659 /*
1660  * hash function based on bridge_hash in if_bridge.c
1661  */
1662 void
1663 pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
1664     struct pf_poolhashkey *key, sa_family_t af)
1665 {
1666         u_int32_t       a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];
1667
1668         switch (af) {
1669 #ifdef INET
1670         case AF_INET:
1671                 a += inaddr->addr32[0];
1672                 b += key->key32[1];
1673                 mix(a, b, c);
1674                 hash->addr32[0] = c + key->key32[2];
1675                 break;
1676 #endif /* INET */
1677 #ifdef INET6
1678         case AF_INET6:
1679                 a += inaddr->addr32[0];
1680                 b += inaddr->addr32[2];
1681                 mix(a, b, c);
1682                 hash->addr32[0] = c;
1683                 a += inaddr->addr32[1];
1684                 b += inaddr->addr32[3];
1685                 c += key->key32[1];
1686                 mix(a, b, c);
1687                 hash->addr32[1] = c;
1688                 a += inaddr->addr32[2];
1689                 b += inaddr->addr32[1];
1690                 c += key->key32[2];
1691                 mix(a, b, c);
1692                 hash->addr32[2] = c;
1693                 a += inaddr->addr32[3];
1694                 b += inaddr->addr32[0];
1695                 c += key->key32[3];
1696                 mix(a, b, c);
1697                 hash->addr32[3] = c;
1698                 break;
1699 #endif /* INET6 */
1700         }
1701 }
1702
1703 int
1704 pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,
1705     struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn)
1706 {
1707         unsigned char            hash[16];
1708         struct pf_pool          *rpool = &r->rpool;
1709         struct pf_addr          *raddr = &rpool->cur->addr.v.a.addr;
1710         struct pf_addr          *rmask = &rpool->cur->addr.v.a.mask;
1711         struct pf_pooladdr      *acur = rpool->cur;
1712         struct pf_src_node       k;
1713
1714         if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
1715             (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
1716                 k.af = af;
1717                 PF_ACPY(&k.addr, saddr, af);
1718                 if (r->rule_flag & PFRULE_RULESRCTRACK ||
1719                     r->rpool.opts & PF_POOL_STICKYADDR)
1720                         k.rule.ptr = r;
1721                 else
1722                         k.rule.ptr = NULL;
1723                 pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
1724                 *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k);
1725                 if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {
1726                         PF_ACPY(naddr, &(*sn)->raddr, af);
1727                         if (pf_status.debug >= PF_DEBUG_MISC) {
1728                                 printf("pf_map_addr: src tracking maps ");
1729                                 pf_print_host(&k.addr, 0, af);
1730                                 printf(" to ");
1731                                 pf_print_host(naddr, 0, af);
1732                                 printf("\n");
1733                         }
1734                         return (0);
1735                 }
1736         }
1737
1738         if (rpool->cur->addr.type == PF_ADDR_NOROUTE)
1739                 return (1);
1740         if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
1741                 if (af == AF_INET) {
1742                         if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&
1743                             (rpool->opts & PF_POOL_TYPEMASK) !=
1744                             PF_POOL_ROUNDROBIN)
1745                                 return (1);
1746                          raddr = &rpool->cur->addr.p.dyn->pfid_addr4;
1747                          rmask = &rpool->cur->addr.p.dyn->pfid_mask4;
1748                 } else {
1749                         if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&
1750                             (rpool->opts & PF_POOL_TYPEMASK) !=
1751                             PF_POOL_ROUNDROBIN)
1752                                 return (1);
1753                         raddr = &rpool->cur->addr.p.dyn->pfid_addr6;
1754                         rmask = &rpool->cur->addr.p.dyn->pfid_mask6;
1755                 }
1756         } else if (rpool->cur->addr.type == PF_ADDR_TABLE) {
1757                 if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)
1758                         return (1); /* unsupported */
1759         } else {
1760                 raddr = &rpool->cur->addr.v.a.addr;
1761                 rmask = &rpool->cur->addr.v.a.mask;
1762         }
1763
1764         switch (rpool->opts & PF_POOL_TYPEMASK) {
1765         case PF_POOL_NONE:
1766                 PF_ACPY(naddr, raddr, af);
1767                 break;
1768         case PF_POOL_BITMASK:
1769                 PF_POOLMASK(naddr, raddr, rmask, saddr, af);
1770                 break;
1771         case PF_POOL_RANDOM:
1772                 if (init_addr != NULL && PF_AZERO(init_addr, af)) {
1773                         switch (af) {
1774 #ifdef INET
1775                         case AF_INET:
1776                                 rpool->counter.addr32[0] = arc4random();
1777                                 break;
1778 #endif /* INET */
1779 #ifdef INET6
1780                         case AF_INET6:
1781                                 if (rmask->addr32[3] != 0xffffffff)
1782                                         rpool->counter.addr32[3] = arc4random();
1783                                 else
1784                                         break;
1785                                 if (rmask->addr32[2] != 0xffffffff)
1786                                         rpool->counter.addr32[2] = arc4random();
1787                                 else
1788                                         break;
1789                                 if (rmask->addr32[1] != 0xffffffff)
1790                                         rpool->counter.addr32[1] = arc4random();
1791                                 else
1792                                         break;
1793                                 if (rmask->addr32[0] != 0xffffffff)
1794                                         rpool->counter.addr32[0] = arc4random();
1795                                 break;
1796 #endif /* INET6 */
1797                         }
1798                         PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
1799                         PF_ACPY(init_addr, naddr, af);
1800
1801                 } else {
1802                         PF_AINC(&rpool->counter, af);
1803                         PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af);
1804                 }
1805                 break;
1806         case PF_POOL_SRCHASH:
1807                 pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);
1808                 PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);
1809                 break;
1810         case PF_POOL_ROUNDROBIN:
1811                 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
1812                         if (!pfr_pool_get(rpool->cur->addr.p.tbl,
1813                             &rpool->tblidx, &rpool->counter,
1814                             &raddr, &rmask, af))
1815                                 goto get_addr;
1816                 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
1817                         if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
1818                             &rpool->tblidx, &rpool->counter,
1819                             &raddr, &rmask, af))
1820                                 goto get_addr;
1821                 } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
1822                         goto get_addr;
1823
1824         try_next:
1825                 if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL)
1826                         rpool->cur = TAILQ_FIRST(&rpool->list);
1827                 if (rpool->cur->addr.type == PF_ADDR_TABLE) {
1828                         rpool->tblidx = -1;
1829                         if (pfr_pool_get(rpool->cur->addr.p.tbl,
1830                             &rpool->tblidx, &rpool->counter,
1831                             &raddr, &rmask, af)) {
1832                                 /* table contains no address of type 'af' */
1833                                 if (rpool->cur != acur)
1834                                         goto try_next;
1835                                 return (1);
1836                         }
1837                 } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {
1838                         rpool->tblidx = -1;
1839                         if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,
1840                             &rpool->tblidx, &rpool->counter,
1841                             &raddr, &rmask, af)) {
1842                                 /* table contains no address of type 'af' */
1843                                 if (rpool->cur != acur)
1844                                         goto try_next;
1845                                 return (1);
1846                         }
1847                 } else {
1848                         raddr = &rpool->cur->addr.v.a.addr;
1849                         rmask = &rpool->cur->addr.v.a.mask;
1850                         PF_ACPY(&rpool->counter, raddr, af);
1851                 }
1852
1853         get_addr:
1854                 PF_ACPY(naddr, &rpool->counter, af);
1855                 PF_AINC(&rpool->counter, af);
1856                 break;
1857         }
1858         if (*sn != NULL)
1859                 PF_ACPY(&(*sn)->raddr, naddr, af);
1860
1861         if (pf_status.debug >= PF_DEBUG_MISC &&
1862             (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {
1863                 printf("pf_map_addr: selected address ");
1864                 pf_print_host(naddr, 0, af);
1865                 printf("\n");
1866         }
1867
1868         return (0);
1869 }
1870
1871 int
1872 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
1873     struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport,
1874     struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high,
1875     struct pf_src_node **sn)
1876 {
1877         struct pf_state         key;
1878         struct pf_addr          init_addr;
1879         u_int16_t               cut;
1880
1881         bzero(&init_addr, sizeof(init_addr));
1882         if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
1883                 return (1);
1884
1885         do {
1886                 key.af = af;
1887                 key.proto = proto;
1888                 PF_ACPY(&key.ext.addr, daddr, key.af);
1889                 PF_ACPY(&key.gwy.addr, naddr, key.af);
1890                 key.ext.port = dport;
1891
1892                 /*
1893                  * port search; start random, step;
1894                  * similar 2 portloop in in_pcbbind
1895                  */
1896                 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) {
1897                         key.gwy.port = 0;
1898                         if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
1899                                 return (0);
1900                 } else if (low == 0 && high == 0) {
1901                         key.gwy.port = *nport;
1902                         if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
1903                                 return (0);
1904                 } else if (low == high) {
1905                         key.gwy.port = htons(low);
1906                         if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL) {
1907                                 *nport = htons(low);
1908                                 return (0);
1909                         }
1910                 } else {
1911                         u_int16_t tmp;
1912
1913                         if (low > high) {
1914                                 tmp = low;
1915                                 low = high;
1916                                 high = tmp;
1917                         }
1918                         /* low < high */
1919                         cut = arc4random() % (1 + high - low) + low;
1920                         /* low <= cut <= high */
1921                         for (tmp = cut; tmp <= high; ++(tmp)) {
1922                                 key.gwy.port = htons(tmp);
1923                                 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
1924                                     NULL) {
1925                                         *nport = htons(tmp);
1926                                         return (0);
1927                                 }
1928                         }
1929                         for (tmp = cut - 1; tmp >= low; --(tmp)) {
1930                                 key.gwy.port = htons(tmp);
1931                                 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) ==
1932                                     NULL) {
1933                                         *nport = htons(tmp);
1934                                         return (0);
1935                                 }
1936                         }
1937                 }
1938
1939                 switch (r->rpool.opts & PF_POOL_TYPEMASK) {
1940                 case PF_POOL_RANDOM:
1941                 case PF_POOL_ROUNDROBIN:
1942                         if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
1943                                 return (1);
1944                         break;
1945                 case PF_POOL_NONE:
1946                 case PF_POOL_SRCHASH:
1947                 case PF_POOL_BITMASK:
1948                 default:
1949                         return (1);
1950                 }
1951         } while (! PF_AEQ(&init_addr, naddr, af) );
1952
1953         return (1);                                     /* none available */
1954 }
1955
1956 struct pf_rule *
1957 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
1958     int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport,
1959     struct pf_addr *daddr, u_int16_t dport, int rs_num)
1960 {
1961         struct pf_rule          *r, *rm = NULL, *anchorrule = NULL;
1962         struct pf_ruleset       *ruleset = NULL;
1963
1964         r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr);
1965         while (r && rm == NULL) {
1966                 struct pf_rule_addr     *src = NULL, *dst = NULL;
1967                 struct pf_addr_wrap     *xdst = NULL;
1968
1969                 if (r->action == PF_BINAT && direction == PF_IN) {
1970                         src = &r->dst;
1971                         if (r->rpool.cur != NULL)
1972                                 xdst = &r->rpool.cur->addr;
1973                 } else {
1974                         src = &r->src;
1975                         dst = &r->dst;
1976                 }
1977
1978                 r->evaluations++;
1979                 if (r->kif != NULL &&
1980                     (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
1981                         r = r->skip[PF_SKIP_IFP].ptr;
1982                 else if (r->direction && r->direction != direction)
1983                         r = r->skip[PF_SKIP_DIR].ptr;
1984                 else if (r->af && r->af != pd->af)
1985                         r = r->skip[PF_SKIP_AF].ptr;
1986                 else if (r->proto && r->proto != pd->proto)
1987                         r = r->skip[PF_SKIP_PROTO].ptr;
1988                 else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, src->not))
1989                         r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
1990                             PF_SKIP_DST_ADDR].ptr;
1991                 else if (src->port_op && !pf_match_port(src->port_op,
1992                     src->port[0], src->port[1], sport))
1993                         r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT :
1994                             PF_SKIP_DST_PORT].ptr;
1995                 else if (dst != NULL &&
1996                     PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->not))
1997                         r = r->skip[PF_SKIP_DST_ADDR].ptr;
1998                 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, 0))
1999                         r = TAILQ_NEXT(r, entries);
2000                 else if (dst != NULL && dst->port_op &&
2001                     !pf_match_port(dst->port_op, dst->port[0],
2002                     dst->port[1], dport))
2003                         r = r->skip[PF_SKIP_DST_PORT].ptr;
2004                 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
2005                     IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
2006                     off, pd->hdr.tcp), r->os_fingerprint)))
2007                         r = TAILQ_NEXT(r, entries);
2008                 else if (r->anchorname[0] && r->anchor == NULL)
2009                         r = TAILQ_NEXT(r, entries);
2010                 else if (r->anchor == NULL)
2011                                 rm = r;
2012                 else
2013                         PF_STEP_INTO_ANCHOR(r, anchorrule, ruleset, rs_num);
2014                 if (r == NULL && anchorrule != NULL)
2015                         PF_STEP_OUT_OF_ANCHOR(r, anchorrule, ruleset,
2016                             rs_num);
2017         }
2018         if (rm != NULL && (rm->action == PF_NONAT ||
2019             rm->action == PF_NORDR || rm->action == PF_NOBINAT))
2020                 return (NULL);
2021         return (rm);
2022 }
2023
2024 struct pf_rule *
2025 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
2026     struct pfi_kif *kif, struct pf_src_node **sn,
2027     struct pf_addr *saddr, u_int16_t sport,
2028     struct pf_addr *daddr, u_int16_t dport,
2029     struct pf_addr *naddr, u_int16_t *nport)
2030 {
2031         struct pf_rule  *r = NULL;
2032
2033         if (direction == PF_OUT) {
2034                 r = pf_match_translation(pd, m, off, direction, kif, saddr,
2035                     sport, daddr, dport, PF_RULESET_BINAT);
2036                 if (r == NULL)
2037                         r = pf_match_translation(pd, m, off, direction, kif,
2038                             saddr, sport, daddr, dport, PF_RULESET_NAT);
2039         } else {
2040                 r = pf_match_translation(pd, m, off, direction, kif, saddr,
2041                     sport, daddr, dport, PF_RULESET_RDR);
2042                 if (r == NULL)
2043                         r = pf_match_translation(pd, m, off, direction, kif,
2044                             saddr, sport, daddr, dport, PF_RULESET_BINAT);
2045         }
2046
2047         if (r != NULL) {
2048                 switch (r->action) {
2049                 case PF_NONAT:
2050                 case PF_NOBINAT:
2051                 case PF_NORDR:
2052                         return (NULL);
2053                 case PF_NAT:
2054                         if (pf_get_sport(pd->af, pd->proto, r, saddr,
2055                             daddr, dport, naddr, nport, r->rpool.proxy_port[0],
2056                             r->rpool.proxy_port[1], sn)) {
2057                                 DPFPRINTF(PF_DEBUG_MISC,
2058                                     ("pf: NAT proxy port allocation "
2059                                     "(%u-%u) failed\n",
2060                                     r->rpool.proxy_port[0],
2061                                     r->rpool.proxy_port[1]));
2062                                 return (NULL);
2063                         }
2064                         break;
2065                 case PF_BINAT:
2066                         switch (direction) {
2067                         case PF_OUT:
2068                                 if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
2069                                         if (pd->af == AF_INET) {
2070                                                 if (r->rpool.cur->addr.p.dyn->
2071                                                     pfid_acnt4 < 1)
2072                                                         return (NULL);
2073                                                 PF_POOLMASK(naddr,
2074                                                     &r->rpool.cur->addr.p.dyn->
2075                                                     pfid_addr4,
2076                                                     &r->rpool.cur->addr.p.dyn->
2077                                                     pfid_mask4,
2078                                                     saddr, AF_INET);
2079                                         } else {
2080                                                 if (r->rpool.cur->addr.p.dyn->
2081                                                     pfid_acnt6 < 1)
2082                                                         return (NULL);
2083                                                 PF_POOLMASK(naddr,
2084                                                     &r->rpool.cur->addr.p.dyn->
2085                                                     pfid_addr6,
2086                                                     &r->rpool.cur->addr.p.dyn->
2087                                                     pfid_mask6,
2088                                                     saddr, AF_INET6);
2089                                         }
2090                                 } else
2091                                         PF_POOLMASK(naddr,
2092                                             &r->rpool.cur->addr.v.a.addr,
2093                                             &r->rpool.cur->addr.v.a.mask,
2094                                             saddr, pd->af);
2095                                 break;
2096                         case PF_IN:
2097                                 if (r->src.addr.type == PF_ADDR_DYNIFTL){
2098                                         if (pd->af == AF_INET) {
2099                                                 if (r->src.addr.p.dyn->
2100                                                     pfid_acnt4 < 1)
2101                                                         return (NULL);
2102                                                 PF_POOLMASK(naddr,
2103                                                     &r->src.addr.p.dyn->
2104                                                     pfid_addr4,
2105                                                     &r->src.addr.p.dyn->
2106                                                     pfid_mask4,
2107                                                     daddr, AF_INET);
2108                                         } else {
2109                                                 if (r->src.addr.p.dyn->
2110                                                     pfid_acnt6 < 1)
2111                                                         return (NULL);
2112                                                 PF_POOLMASK(naddr,
2113                                                     &r->src.addr.p.dyn->
2114                                                     pfid_addr6,
2115                                                     &r->src.addr.p.dyn->
2116                                                     pfid_mask6,
2117                                                     daddr, AF_INET6);
2118                                         }
2119                                 } else
2120                                         PF_POOLMASK(naddr,
2121                                             &r->src.addr.v.a.addr,
2122                                             &r->src.addr.v.a.mask, daddr,
2123                                             pd->af);
2124                                 break;
2125                         }
2126                         break;
2127                 case PF_RDR: {
2128                         if (pf_map_addr(r->af, r, saddr, naddr, NULL, sn))
2129                                 return (NULL);
2130
2131                         if (r->rpool.proxy_port[1]) {
2132                                 u_int32_t       tmp_nport;
2133
2134                                 tmp_nport = ((ntohs(dport) -
2135                                     ntohs(r->dst.port[0])) %
2136                                     (r->rpool.proxy_port[1] -
2137                                     r->rpool.proxy_port[0] + 1)) +
2138                                     r->rpool.proxy_port[0];
2139
2140                                 /* wrap around if necessary */
2141                                 if (tmp_nport > 65535)
2142                                         tmp_nport -= 65535;
2143                                 *nport = htons((u_int16_t)tmp_nport);
2144                         } else if (r->rpool.proxy_port[0])
2145                                 *nport = htons(r->rpool.proxy_port[0]);
2146                         break;
2147                 }
2148                 default:
2149                         return (NULL);
2150                 }
2151         }
2152
2153         return (r);
2154 }
2155
2156 #ifdef SMP
2157 struct netmsg_hashlookup {
2158         struct lwkt_msg         nm_lmsg;
2159         struct inpcb            **nm_pinp;
2160         struct inpcbinfo        *nm_pcbinfo;
2161         struct pf_addr          *nm_saddr;
2162         struct pf_addr          *nm_daddr;
2163         uint16_t                nm_sport;
2164         uint16_t                nm_dport;
2165         sa_family_t             nm_af;
2166 };
2167
2168 static int
2169 in_pcblookup_hash_handler(struct lwkt_msg *msg0)
2170 {
2171         struct netmsg_hashlookup *msg = (struct netmsg_hashlookup *)msg0;
2172
2173         if (msg->nm_af == AF_INET)
2174                 *msg->nm_pinp = in_pcblookup_hash(msg->nm_pcbinfo,
2175                     msg->nm_saddr->v4, msg->nm_sport, msg->nm_daddr->v4,
2176                     msg->nm_dport, INPLOOKUP_WILDCARD, NULL);
2177 #ifdef INET6
2178         else
2179                 *msg->nm_pinp = in6_pcblookup_hash(msg->nm_pcbinfo,
2180                     &msg->nm_saddr->v6, msg->nm_sport, &msg->nm_daddr->v6,
2181                     msg->nm_dport, INPLOOKUP_WILDCARD, NULL);
2182 #endif /* INET6 */
2183         lwkt_replymsg(&msg->nm_lmsg, 0);
2184         return (EASYNC);
2185 }
2186 #endif /* SMP */
2187
2188 int
2189 pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd)
2190 {
2191         struct pf_addr          *saddr, *daddr;
2192         u_int16_t                sport, dport;
2193         struct inpcbinfo        *pi;
2194         struct inpcb            *inp;
2195 #ifdef SMP
2196         struct netmsg_hashlookup *msg = NULL;
2197 #endif
2198         int                      pi_cpu = 0;
2199
2200         *uid = UID_MAX;
2201         *gid = GID_MAX;
2202         if (direction == PF_IN) {
2203                 saddr = pd->src;
2204                 daddr = pd->dst;
2205         } else {
2206                 saddr = pd->dst;
2207                 daddr = pd->src;
2208         }
2209         switch (pd->proto) {
2210         case IPPROTO_TCP:
2211                 sport = pd->hdr.tcp->th_sport;
2212                 dport = pd->hdr.tcp->th_dport;
2213
2214                 pi_cpu = tcp_addrcpu(saddr->v4.s_addr, sport, daddr->v4.s_addr, dport);
2215                 pi = &tcbinfo[pi_cpu];
2216 #ifdef SMP
2217                 /*
2218                  * Our netstack runs lockless on MP systems
2219                  * (only for TCP connections at the moment).
2220                  * 
2221                  * As we are not allowed to read another CPU's tcbinfo,
2222                  * we have to ask that CPU via remote call to search the
2223                  * table for us.
2224                  * 
2225                  * Prepare a msg iff data belongs to another CPU.
2226                  */
2227                 if (pi_cpu != mycpu->gd_cpuid) {
2228                         msg = malloc(sizeof(*msg), M_LWKTMSG, M_INTWAIT);
2229                         lwkt_initmsg(&msg->nm_lmsg, &netisr_afree_rport, 0,
2230                             lwkt_cmd_func(in_pcblookup_hash_handler),
2231                             lwkt_cmd_op_none);
2232                         msg->nm_pinp = &inp;
2233                         msg->nm_pcbinfo = pi;
2234                         msg->nm_saddr = saddr;
2235                         msg->nm_sport = sport;
2236                         msg->nm_daddr = daddr;
2237                         msg->nm_dport = dport;
2238                         msg->nm_af = pd->af;
2239                 }
2240 #endif /* SMP */
2241                 break;
2242         case IPPROTO_UDP:
2243                 sport = pd->hdr.udp->uh_sport;
2244                 dport = pd->hdr.udp->uh_dport;
2245                 pi = &udbinfo;
2246                 break;
2247         default:
2248                 return (0);
2249         }
2250         if (direction != PF_IN) {
2251                 u_int16_t       p;
2252
2253                 p = sport;
2254                 sport = dport;
2255                 dport = p;
2256         }
2257         switch (pd->af) {
2258 #ifdef INET6
2259         case AF_INET6:
2260 #ifdef SMP
2261                 /*
2262                  * Query other CPU, second part
2263                  * 
2264                  * msg only gets initialized when:
2265                  * 1) packet is TCP
2266                  * 2) the info belongs to another CPU
2267                  *
2268                  * Use some switch/case magic to avoid code duplication.
2269                  */
2270                 if (msg == NULL)
2271 #endif /* SMP */
2272                 {
2273                         inp = in6_pcblookup_hash(pi, &saddr->v6, sport,
2274                             &daddr->v6, dport, INPLOOKUP_WILDCARD, NULL);
2275
2276                         if (inp == NULL)
2277                                 return (0);
2278                         break;
2279                 }
2280                 /* FALLTHROUGH if SMP and on other CPU */
2281 #endif /* INET6 */
2282         case AF_INET:
2283 #ifdef SMP
2284                 if (msg != NULL) {
2285                         lwkt_sendmsg(tcp_cport(pi_cpu), &msg->nm_lmsg);
2286                 } else
2287 #endif /* SMP */
2288                 {
2289                         inp = in_pcblookup_hash(pi, saddr->v4, sport, daddr->v4,
2290                             dport, INPLOOKUP_WILDCARD, NULL);
2291                 }
2292                 if (inp == NULL)
2293                         return (0);
2294                 break;
2295
2296         default:
2297                 return (0);
2298         }
2299         *uid = inp->inp_socket->so_cred->cr_uid;
2300         *gid = inp->inp_socket->so_cred->cr_groups[0];
2301         return (1);
2302 }
2303
2304 u_int8_t
2305 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
2306 {
2307         int              hlen;
2308         u_int8_t         hdr[60];
2309         u_int8_t        *opt, optlen;
2310         u_int8_t         wscale = 0;
2311
2312         hlen = th_off << 2;             /* hlen <= sizeof(hdr) */
2313         if (hlen <= sizeof(struct tcphdr))
2314                 return (0);
2315         if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
2316                 return (0);
2317         opt = hdr + sizeof(struct tcphdr);
2318         hlen -= sizeof(struct tcphdr);
2319         while (hlen >= 3) {
2320                 switch (*opt) {
2321                 case TCPOPT_EOL:
2322                 case TCPOPT_NOP:
2323                         ++opt;
2324                         --hlen;
2325                         break;
2326                 case TCPOPT_WINDOW:
2327                         wscale = opt[2];
2328                         if (wscale > TCP_MAX_WINSHIFT)
2329                                 wscale = TCP_MAX_WINSHIFT;
2330                         wscale |= PF_WSCALE_FLAG;
2331                         /* FALLTHROUGH */
2332                 default:
2333                         optlen = opt[1];
2334                         if (optlen < 2)
2335                                 optlen = 2;
2336                         hlen -= optlen;
2337                         opt += optlen;
2338                         break;
2339                 }
2340         }
2341         return (wscale);
2342 }
2343
2344 u_int16_t
2345 pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
2346 {
2347         int              hlen;
2348         u_int8_t         hdr[60];
2349         u_int8_t        *opt, optlen;
2350         u_int16_t        mss = tcp_mssdflt;
2351
2352         hlen = th_off << 2;     /* hlen <= sizeof(hdr) */
2353         if (hlen <= sizeof(struct tcphdr))
2354                 return (0);
2355         if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af))
2356                 return (0);
2357         opt = hdr + sizeof(struct tcphdr);
2358         hlen -= sizeof(struct tcphdr);
2359         while (hlen >= TCPOLEN_MAXSEG) {
2360                 switch (*opt) {
2361                 case TCPOPT_EOL:
2362                 case TCPOPT_NOP:
2363                         ++opt;
2364                         --hlen;
2365                         break;
2366                 case TCPOPT_MAXSEG:
2367                         bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2);
2368                         /* FALLTHROUGH */
2369                 default:
2370                         optlen = opt[1];
2371                         if (optlen < 2)
2372                                 optlen = 2;
2373                         hlen -= optlen;
2374                         opt += optlen;
2375                         break;
2376                 }
2377         }
2378         return (mss);
2379 }
2380
2381 u_int16_t
2382 pf_calc_mss(struct pf_addr *addr, sa_family_t af, u_int16_t offer)
2383 {
2384 #ifdef INET
2385         struct sockaddr_in      *dst;
2386         struct route             ro;
2387 #endif /* INET */
2388 #ifdef INET6
2389         struct sockaddr_in6     *dst6;
2390         struct route_in6         ro6;
2391 #endif /* INET6 */
2392         struct rtentry          *rt = NULL;
2393         int                      hlen = 0;
2394         u_int16_t                mss = tcp_mssdflt;
2395
2396         switch (af) {
2397 #ifdef INET
2398         case AF_INET:
2399                 hlen = sizeof(struct ip);
2400                 bzero(&ro, sizeof(ro));
2401                 dst = (struct sockaddr_in *)&ro.ro_dst;
2402                 dst->sin_family = AF_INET;
2403                 dst->sin_len = sizeof(*dst);
2404                 dst->sin_addr = addr->v4;
2405                 rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING));
2406                 rt = ro.ro_rt;
2407                 break;
2408 #endif /* INET */
2409 #ifdef INET6
2410         case AF_INET6:
2411                 hlen = sizeof(struct ip6_hdr);
2412                 bzero(&ro6, sizeof(ro6));
2413                 dst6 = (struct sockaddr_in6 *)&ro6.ro_dst;
2414                 dst6->sin6_family = AF_INET6;
2415                 dst6->sin6_len = sizeof(*dst6);
2416                 dst6->sin6_addr = addr->v6;
2417                 rtalloc_ign((struct route *)&ro6, (RTF_CLONING | RTF_PRCLONING));
2418                 rt = ro6.ro_rt;
2419                 break;
2420 #endif /* INET6 */
2421         }
2422
2423         if (rt && rt->rt_ifp) {
2424                 mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr);
2425                 mss = max(tcp_mssdflt, mss);
2426                 RTFREE(rt);
2427         }
2428         mss = min(mss, offer);
2429         mss = max(mss, 64);             /* sanity - at least max opt space */
2430         return (mss);
2431 }
2432
2433 void
2434 pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr)
2435 {
2436         struct pf_rule *r = s->rule.ptr;
2437
2438         s->rt_kif = NULL;
2439         if (!r->rt || r->rt == PF_FASTROUTE)
2440                 return;
2441         switch (s->af) {
2442 #ifdef INET
2443         case AF_INET:
2444                 pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL,
2445                     &s->nat_src_node);
2446                 s->rt_kif = r->rpool.cur->kif;
2447                 break;
2448 #endif /* INET */
2449 #ifdef INET6
2450         case AF_INET6:
2451                 pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL,
2452                     &s->nat_src_node);
2453                 s->rt_kif = r->rpool.cur->kif;
2454                 break;
2455 #endif /* INET6 */
2456         }
2457 }
2458
2459 int
2460 pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
2461     struct pfi_kif *kif, struct mbuf *m, int off, void *h,
2462     struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm)
2463 {
2464         struct pf_rule          *nr = NULL;
2465         struct pf_addr          *saddr = pd->src, *daddr = pd->dst;
2466         struct tcphdr           *th = pd->hdr.tcp;
2467         u_int16_t                bport, nport = 0;
2468         sa_family_t              af = pd->af;
2469         int                      lookup = -1;
2470         uid_t                    uid;
2471         gid_t                    gid;
2472         struct pf_rule          *r, *a = NULL;
2473         struct pf_ruleset       *ruleset = NULL;
2474         struct pf_src_node      *nsn = NULL;
2475         u_short                  reason;
2476         int                      rewrite = 0;
2477         int                      tag = -1;
2478         u_int16_t                mss = tcp_mssdflt;
2479
2480         r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
2481
2482         if (direction == PF_OUT) {
2483                 bport = nport = th->th_sport;
2484                 /* check outgoing packet for BINAT/NAT */
2485                 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
2486                     saddr, th->th_sport, daddr, th->th_dport,
2487                     &pd->naddr, &nport)) != NULL) {
2488                         PF_ACPY(&pd->baddr, saddr, af);
2489                         pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
2490                             &th->th_sum, &pd->naddr, nport, 0, af);
2491                         rewrite++;
2492                         if (nr->natpass)
2493                                 r = NULL;
2494                         pd->nat_rule = nr;
2495                 }
2496         } else {
2497                 bport = nport = th->th_dport;
2498                 /* check incoming packet for BINAT/RDR */
2499                 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
2500                     saddr, th->th_sport, daddr, th->th_dport,
2501                     &pd->naddr, &nport)) != NULL) {
2502                         PF_ACPY(&pd->baddr, daddr, af);
2503                         pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
2504                             &th->th_sum, &pd->naddr, nport, 0, af);
2505                         rewrite++;
2506                         if (nr->natpass)
2507                                 r = NULL;
2508                         pd->nat_rule = nr;
2509                 }
2510         }
2511
2512         while (r != NULL) {
2513                 r->evaluations++;
2514                 if (r->kif != NULL &&
2515                     (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
2516                         r = r->skip[PF_SKIP_IFP].ptr;
2517                 else if (r->direction && r->direction != direction)
2518                         r = r->skip[PF_SKIP_DIR].ptr;
2519                 else if (r->af && r->af != af)
2520                         r = r->skip[PF_SKIP_AF].ptr;
2521                 else if (r->proto && r->proto != IPPROTO_TCP)
2522                         r = r->skip[PF_SKIP_PROTO].ptr;
2523                 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))
2524                         r = r->skip[PF_SKIP_SRC_ADDR].ptr;
2525                 else if (r->src.port_op && !pf_match_port(r->src.port_op,
2526                     r->src.port[0], r->src.port[1], th->th_sport))
2527                         r = r->skip[PF_SKIP_SRC_PORT].ptr;
2528                 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))
2529                         r = r->skip[PF_SKIP_DST_ADDR].ptr;
2530                 else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
2531                     r->dst.port[0], r->dst.port[1], th->th_dport))
2532                         r = r->skip[PF_SKIP_DST_PORT].ptr;
2533                 else if (r->tos && !(r->tos & pd->tos))
2534                         r = TAILQ_NEXT(r, entries);
2535                 else if (r->rule_flag & PFRULE_FRAGMENT)
2536                         r = TAILQ_NEXT(r, entries);
2537                 else if ((r->flagset & th->th_flags) != r->flags)
2538                         r = TAILQ_NEXT(r, entries);
2539                 else if (r->uid.op && (lookup != -1 || (lookup =
2540                     pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
2541                     !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
2542                     uid))
2543                         r = TAILQ_NEXT(r, entries);
2544                 else if (r->gid.op && (lookup != -1 || (lookup =
2545                     pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
2546                     !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
2547                     gid))
2548                         r = TAILQ_NEXT(r, entries);
2549                 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
2550                         r = TAILQ_NEXT(r, entries);
2551                 else if (r->anchorname[0] && r->anchor == NULL)
2552                         r = TAILQ_NEXT(r, entries);
2553                 else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match(
2554                     pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint))
2555                         r = TAILQ_NEXT(r, entries);
2556                 else {
2557                         if (r->tag)
2558                                 tag = r->tag;
2559                         if (r->anchor == NULL) {
2560                                 *rm = r;
2561                                 *am = a;
2562                                 *rsm = ruleset;
2563                                 if ((*rm)->quick)
2564                                         break;
2565                                 r = TAILQ_NEXT(r, entries);
2566                         } else
2567                                 PF_STEP_INTO_ANCHOR(r, a, ruleset,
2568                                     PF_RULESET_FILTER);
2569                 }
2570                 if (r == NULL && a != NULL)
2571                         PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
2572                             PF_RULESET_FILTER);
2573         }
2574         r = *rm;
2575         a = *am;
2576         ruleset = *rsm;
2577
2578         REASON_SET(&reason, PFRES_MATCH);
2579
2580         if (r->log) {
2581                 if (rewrite)
2582                         m_copyback(m, off, sizeof(*th), (caddr_t)th);
2583                 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
2584         }
2585
2586         if ((r->action == PF_DROP) &&
2587             ((r->rule_flag & PFRULE_RETURNRST) ||
2588             (r->rule_flag & PFRULE_RETURNICMP) ||
2589             (r->rule_flag & PFRULE_RETURN))) {
2590                 /* undo NAT changes, if they have taken place */
2591                 if (nr != NULL) {
2592                         if (direction == PF_OUT) {
2593                                 pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
2594                                     &th->th_sum, &pd->baddr, bport, 0, af);
2595                                 rewrite++;
2596                         } else {
2597                                 pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
2598                                     &th->th_sum, &pd->baddr, bport, 0, af);
2599                                 rewrite++;
2600                         }
2601                 }
2602                 if (((r->rule_flag & PFRULE_RETURNRST) ||
2603                     (r->rule_flag & PFRULE_RETURN)) &&
2604                     !(th->th_flags & TH_RST)) {
2605                         u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
2606
2607                         if (th->th_flags & TH_SYN)
2608                                 ack++;
2609                         if (th->th_flags & TH_FIN)
2610                                 ack++;
2611                         pf_send_tcp(r, af, pd->dst,
2612                             pd->src, th->th_dport, th->th_sport,
2613                             ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
2614                             r->return_ttl);
2615                 } else if ((af == AF_INET) && r->return_icmp)
2616                         pf_send_icmp(m, r->return_icmp >> 8,
2617                             r->return_icmp & 255, af, r);
2618                 else if ((af == AF_INET6) && r->return_icmp6)
2619                         pf_send_icmp(m, r->return_icmp6 >> 8,
2620                             r->return_icmp6 & 255, af, r);
2621         }
2622
2623         if (r->action == PF_DROP)
2624                 return (PF_DROP);
2625
2626         pf_tag_packet(m, tag);
2627
2628         if (r->keep_state || nr != NULL ||
2629             (pd->flags & PFDESC_TCP_NORM)) {
2630                 /* create new state */
2631                 u_int16_t        len;
2632                 struct pf_state *s = NULL;
2633                 struct pf_src_node *sn = NULL;
2634
2635                 len = pd->tot_len - off - (th->th_off << 2);
2636
2637                 /* check maximums */
2638                 if (r->max_states && (r->states >= r->max_states))
2639                         goto cleanup;
2640                 /* src node for flter rule */
2641                 if ((r->rule_flag & PFRULE_SRCTRACK ||
2642                     r->rpool.opts & PF_POOL_STICKYADDR) &&
2643                     pf_insert_src_node(&sn, r, saddr, af) != 0)
2644                         goto cleanup;
2645                 /* src node for translation rule */
2646                 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
2647                     ((direction == PF_OUT &&
2648                     pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
2649                     (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
2650                         goto cleanup;
2651                 s = pool_get(&pf_state_pl, PR_NOWAIT);
2652                 if (s == NULL) {
2653 cleanup:
2654                         if (sn != NULL && sn->states == 0 && sn->expire == 0) {
2655                                 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
2656                                 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
2657                                 pf_status.src_nodes--;
2658                                 pool_put(&pf_src_tree_pl, sn);
2659                         }
2660                         if (nsn != sn && nsn != NULL && nsn->states == 0 &&
2661                             nsn->expire == 0) {
2662                                 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
2663                                 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
2664                                 pf_status.src_nodes--;
2665                                 pool_put(&pf_src_tree_pl, nsn);
2666                         }
2667                         REASON_SET(&reason, PFRES_MEMORY);
2668                         return (PF_DROP);
2669                 }
2670                 bzero(s, sizeof(*s));
2671                 r->states++;
2672                 if (a != NULL)
2673                         a->states++;
2674                 s->rule.ptr = r;
2675                 s->nat_rule.ptr = nr;
2676                 if (s->nat_rule.ptr != NULL)
2677                         s->nat_rule.ptr->states++;
2678                 s->anchor.ptr = a;
2679                 s->allow_opts = r->allow_opts;
2680                 s->log = r->log & 2;
2681                 s->proto = IPPROTO_TCP;
2682                 s->direction = direction;
2683                 s->af = af;
2684                 if (direction == PF_OUT) {
2685                         PF_ACPY(&s->gwy.addr, saddr, af);
2686                         s->gwy.port = th->th_sport;             /* sport */
2687                         PF_ACPY(&s->ext.addr, daddr, af);
2688                         s->ext.port = th->th_dport;
2689                         if (nr != NULL) {
2690                                 PF_ACPY(&s->lan.addr, &pd->baddr, af);
2691                                 s->lan.port = bport;
2692                         } else {
2693                                 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
2694                                 s->lan.port = s->gwy.port;
2695                         }
2696                 } else {
2697                         PF_ACPY(&s->lan.addr, daddr, af);
2698                         s->lan.port = th->th_dport;
2699                         PF_ACPY(&s->ext.addr, saddr, af);
2700                         s->ext.port = th->th_sport;
2701                         if (nr != NULL) {
2702                                 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
2703                                 s->gwy.port = bport;
2704                         } else {
2705                                 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
2706                                 s->gwy.port = s->lan.port;
2707                         }
2708                 }
2709
2710                 s->src.seqlo = ntohl(th->th_seq);
2711                 s->src.seqhi = s->src.seqlo + len + 1;
2712                 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
2713                     r->keep_state == PF_STATE_MODULATE) {
2714                         /* Generate sequence number modulator */
2715                         while ((s->src.seqdiff = arc4random()) == 0)
2716                                 ;
2717                         pf_change_a(&th->th_seq, &th->th_sum,
2718                             htonl(s->src.seqlo + s->src.seqdiff), 0);
2719                         rewrite = 1;
2720                 } else
2721                         s->src.seqdiff = 0;
2722                 if (th->th_flags & TH_SYN) {
2723                         s->src.seqhi++;
2724                         s->src.wscale = pf_get_wscale(m, off, th->th_off, af);
2725                 }
2726                 s->src.max_win = MAX(ntohs(th->th_win), 1);
2727                 if (s->src.wscale & PF_WSCALE_MASK) {
2728                         /* Remove scale factor from initial window */
2729                         int win = s->src.max_win;
2730                         win += 1 << (s->src.wscale & PF_WSCALE_MASK);
2731                         s->src.max_win = (win - 1) >>
2732                             (s->src.wscale & PF_WSCALE_MASK);
2733                 }
2734                 if (th->th_flags & TH_FIN)
2735                         s->src.seqhi++;
2736                 s->dst.seqhi = 1;
2737                 s->dst.max_win = 1;
2738                 s->src.state = TCPS_SYN_SENT;
2739                 s->dst.state = TCPS_CLOSED;
2740                 s->creation = time_second;
2741                 s->expire = time_second;
2742                 s->timeout = PFTM_TCP_FIRST_PACKET;
2743                 pf_set_rt_ifp(s, saddr);
2744                 if (sn != NULL) {
2745                         s->src_node = sn;
2746                         s->src_node->states++;
2747                 }
2748                 if (nsn != NULL) {
2749                         PF_ACPY(&nsn->raddr, &pd->naddr, af);
2750                         s->nat_src_node = nsn;
2751                         s->nat_src_node->states++;
2752                 }
2753                 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m,
2754                     off, pd, th, &s->src, &s->dst)) {
2755                         REASON_SET(&reason, PFRES_MEMORY);
2756                         pf_src_tree_remove_state(s);
2757                         pool_put(&pf_state_pl, s);
2758                         return (PF_DROP);
2759                 }
2760                 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
2761                     pf_normalize_tcp_stateful(m, off, pd, &reason, th, &s->src,
2762                     &s->dst, &rewrite)) {
2763                         pf_normalize_tcp_cleanup(s);
2764                         pf_src_tree_remove_state(s);
2765                         pool_put(&pf_state_pl, s);
2766                         return (PF_DROP);
2767                 }
2768                 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
2769                         pf_normalize_tcp_cleanup(s);
2770                         REASON_SET(&reason, PFRES_MEMORY);
2771                         pf_src_tree_remove_state(s);
2772                         pool_put(&pf_state_pl, s);
2773                         return (PF_DROP);
2774                 } else
2775                         *sm = s;
2776                 if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN &&
2777                     r->keep_state == PF_STATE_SYNPROXY) {
2778                         s->src.state = PF_TCPS_PROXY_SRC;
2779                         if (nr != NULL) {
2780                                 if (direction == PF_OUT) {
2781                                         pf_change_ap(saddr, &th->th_sport,
2782                                             pd->ip_sum, &th->th_sum, &pd->baddr,
2783                                             bport, 0, af);
2784                                 } else {
2785                                         pf_change_ap(daddr, &th->th_dport,
2786                                             pd->ip_sum, &th->th_sum, &pd->baddr,
2787                                             bport, 0, af);
2788                                 }
2789                         }
2790                         s->src.seqhi = arc4random();
2791                         /* Find mss option */
2792                         mss = pf_get_mss(m, off, th->th_off, af);
2793                         mss = pf_calc_mss(saddr, af, mss);
2794                         mss = pf_calc_mss(daddr, af, mss);
2795                         s->src.mss = mss;
2796                         pf_send_tcp(r, af, daddr, saddr, th->th_dport,
2797                             th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
2798                             TH_SYN|TH_ACK, 0, s->src.mss, 0);
2799                         return (PF_SYNPROXY_DROP);
2800                 }
2801         }
2802
2803         /* copy back packet headers if we performed NAT operations */
2804         if (rewrite)
2805                 m_copyback(m, off, sizeof(*th), (caddr_t)th);
2806
2807         return (PF_PASS);
2808 }
2809
2810 int
2811 pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
2812     struct pfi_kif *kif, struct mbuf *m, int off, void *h,
2813     struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm)
2814 {
2815         struct pf_rule          *nr = NULL;
2816         struct pf_addr          *saddr = pd->src, *daddr = pd->dst;
2817         struct udphdr           *uh = pd->hdr.udp;
2818         u_int16_t                bport, nport = 0;
2819         sa_family_t              af = pd->af;
2820         int                      lookup = -1;
2821         uid_t                    uid;
2822         gid_t                    gid;
2823         struct pf_rule          *r, *a = NULL;
2824         struct pf_ruleset       *ruleset = NULL;
2825         struct pf_src_node      *nsn = NULL;
2826         u_short                  reason;
2827         int                      rewrite = 0;
2828         int                      tag = -1;
2829
2830         r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
2831
2832         if (direction == PF_OUT) {
2833                 bport = nport = uh->uh_sport;
2834                 /* check outgoing packet for BINAT/NAT */
2835                 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
2836                     saddr, uh->uh_sport, daddr, uh->uh_dport,
2837                     &pd->naddr, &nport)) != NULL) {
2838                         PF_ACPY(&pd->baddr, saddr, af);
2839                         pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
2840                             &uh->uh_sum, &pd->naddr, nport, 1, af);
2841                         rewrite++;
2842                         if (nr->natpass)
2843                                 r = NULL;
2844                         pd->nat_rule = nr;
2845                 }
2846         } else {
2847                 bport = nport = uh->uh_dport;
2848                 /* check incoming packet for BINAT/RDR */
2849                 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
2850                     saddr, uh->uh_sport, daddr, uh->uh_dport, &pd->naddr,
2851                     &nport)) != NULL) {
2852                         PF_ACPY(&pd->baddr, daddr, af);
2853                         pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
2854                             &uh->uh_sum, &pd->naddr, nport, 1, af);
2855                         rewrite++;
2856                         if (nr->natpass)
2857                                 r = NULL;
2858                         pd->nat_rule = nr;
2859                 }
2860         }
2861
2862         while (r != NULL) {
2863                 r->evaluations++;
2864                 if (r->kif != NULL &&
2865                     (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
2866                         r = r->skip[PF_SKIP_IFP].ptr;
2867                 else if (r->direction && r->direction != direction)
2868                         r = r->skip[PF_SKIP_DIR].ptr;
2869                 else if (r->af && r->af != af)
2870                         r = r->skip[PF_SKIP_AF].ptr;
2871                 else if (r->proto && r->proto != IPPROTO_UDP)
2872                         r = r->skip[PF_SKIP_PROTO].ptr;
2873                 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))
2874                         r = r->skip[PF_SKIP_SRC_ADDR].ptr;
2875                 else if (r->src.port_op && !pf_match_port(r->src.port_op,
2876                     r->src.port[0], r->src.port[1], uh->uh_sport))
2877                         r = r->skip[PF_SKIP_SRC_PORT].ptr;
2878                 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))
2879                         r = r->skip[PF_SKIP_DST_ADDR].ptr;
2880                 else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
2881                     r->dst.port[0], r->dst.port[1], uh->uh_dport))
2882                         r = r->skip[PF_SKIP_DST_PORT].ptr;
2883                 else if (r->tos && !(r->tos & pd->tos))
2884                         r = TAILQ_NEXT(r, entries);
2885                 else if (r->rule_flag & PFRULE_FRAGMENT)
2886                         r = TAILQ_NEXT(r, entries);
2887                 else if (r->uid.op && (lookup != -1 || (lookup =
2888                     pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
2889                     !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
2890                     uid))
2891                         r = TAILQ_NEXT(r, entries);
2892                 else if (r->gid.op && (lookup != -1 || (lookup =
2893                     pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
2894                     !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
2895                     gid))
2896                         r = TAILQ_NEXT(r, entries);
2897                 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
2898                         r = TAILQ_NEXT(r, entries);
2899                 else if (r->anchorname[0] && r->anchor == NULL)
2900                         r = TAILQ_NEXT(r, entries);
2901                 else if (r->os_fingerprint != PF_OSFP_ANY)
2902                         r = TAILQ_NEXT(r, entries);
2903                 else {
2904                         if (r->tag)
2905                                 tag = r->tag;
2906                         if (r->anchor == NULL) {
2907                                 *rm = r;
2908                                 *am = a;
2909                                 *rsm = ruleset;
2910                                 if ((*rm)->quick)
2911                                         break;
2912                                 r = TAILQ_NEXT(r, entries);
2913                         } else
2914                                 PF_STEP_INTO_ANCHOR(r, a, ruleset,
2915                                     PF_RULESET_FILTER);
2916                 }
2917                 if (r == NULL && a != NULL)
2918                         PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
2919                             PF_RULESET_FILTER);
2920         }
2921         r = *rm;
2922         a = *am;
2923         ruleset = *rsm;
2924
2925         REASON_SET(&reason, PFRES_MATCH);
2926
2927         if (r->log) {
2928                 if (rewrite)
2929                         m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
2930                 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
2931         }
2932
2933         if ((r->action == PF_DROP) &&
2934             ((r->rule_flag & PFRULE_RETURNICMP) ||
2935             (r->rule_flag & PFRULE_RETURN))) {
2936                 /* undo NAT changes, if they have taken place */
2937                 if (nr != NULL) {
2938                         if (direction == PF_OUT) {
2939                                 pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
2940                                     &uh->uh_sum, &pd->baddr, bport, 1, af);
2941                                 rewrite++;
2942                         } else {
2943                                 pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
2944                                     &uh->uh_sum, &pd->baddr, bport, 1, af);
2945                                 rewrite++;
2946                         }
2947                 }
2948                 if ((af == AF_INET) && r->return_icmp)
2949                         pf_send_icmp(m, r->return_icmp >> 8,
2950                             r->return_icmp & 255, af, r);
2951                 else if ((af == AF_INET6) && r->return_icmp6)
2952                         pf_send_icmp(m, r->return_icmp6 >> 8,
2953                             r->return_icmp6 & 255, af, r);
2954         }
2955
2956         if (r->action == PF_DROP)
2957                 return (PF_DROP);
2958
2959         pf_tag_packet(m, tag);
2960
2961         if (r->keep_state || nr != NULL) {
2962                 /* create new state */
2963                 struct pf_state *s = NULL;
2964                 struct pf_src_node *sn = NULL;
2965
2966                 /* check maximums */
2967                 if (r->max_states && (r->states >= r->max_states))
2968                         goto cleanup;
2969                 /* src node for flter rule */
2970                 if ((r->rule_flag & PFRULE_SRCTRACK ||
2971                     r->rpool.opts & PF_POOL_STICKYADDR) &&
2972                     pf_insert_src_node(&sn, r, saddr, af) != 0)
2973                         goto cleanup;
2974                 /* src node for translation rule */
2975                 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
2976                     ((direction == PF_OUT &&
2977                     pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
2978                     (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
2979                         goto cleanup;
2980                 s = pool_get(&pf_state_pl, PR_NOWAIT);
2981                 if (s == NULL) {
2982 cleanup:
2983                         if (sn != NULL && sn->states == 0 && sn->expire == 0) {
2984                                 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
2985                                 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
2986                                 pf_status.src_nodes--;
2987                                 pool_put(&pf_src_tree_pl, sn);
2988                         }
2989                         if (nsn != sn && nsn != NULL && nsn->states == 0 &&
2990                             nsn->expire == 0) {
2991                                 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
2992                                 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
2993                                 pf_status.src_nodes--;
2994                                 pool_put(&pf_src_tree_pl, nsn);
2995                         }
2996                         REASON_SET(&reason, PFRES_MEMORY);
2997                         return (PF_DROP);
2998                 }
2999                 bzero(s, sizeof(*s));
3000                 r->states++;
3001                 if (a != NULL)
3002                         a->states++;
3003                 s->rule.ptr = r;
3004                 s->nat_rule.ptr = nr;
3005                 if (s->nat_rule.ptr != NULL)
3006                         s->nat_rule.ptr->states++;
3007                 s->anchor.ptr = a;
3008                 s->allow_opts = r->allow_opts;
3009                 s->log = r->log & 2;
3010                 s->proto = IPPROTO_UDP;
3011                 s->direction = direction;
3012                 s->af = af;
3013                 if (direction == PF_OUT) {
3014                         PF_ACPY(&s->gwy.addr, saddr, af);
3015                         s->gwy.port = uh->uh_sport;
3016                         PF_ACPY(&s->ext.addr, daddr, af);
3017                         s->ext.port = uh->uh_dport;
3018                         if (nr != NULL) {
3019                                 PF_ACPY(&s->lan.addr, &pd->baddr, af);
3020                                 s->lan.port = bport;
3021                         } else {
3022                                 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3023                                 s->lan.port = s->gwy.port;
3024                         }
3025                 } else {
3026                         PF_ACPY(&s->lan.addr, daddr, af);
3027                         s->lan.port = uh->uh_dport;
3028                         PF_ACPY(&s->ext.addr, saddr, af);
3029                         s->ext.port = uh->uh_sport;
3030                         if (nr != NULL) {
3031                                 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3032                                 s->gwy.port = bport;
3033                         } else {
3034                                 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3035                                 s->gwy.port = s->lan.port;
3036                         }
3037                 }
3038                 s->src.state = PFUDPS_SINGLE;
3039                 s->dst.state = PFUDPS_NO_TRAFFIC;
3040                 s->creation = time_second;
3041                 s->expire = time_second;
3042                 s->timeout = PFTM_UDP_FIRST_PACKET;
3043                 pf_set_rt_ifp(s, saddr);
3044                 if (sn != NULL) {
3045                         s->src_node = sn;
3046                         s->src_node->states++;
3047                 }
3048                 if (nsn != NULL) {
3049                         PF_ACPY(&nsn->raddr, &pd->naddr, af);
3050                         s->nat_src_node = nsn;
3051                         s->nat_src_node->states++;
3052                 }
3053                 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3054                         REASON_SET(&reason, PFRES_MEMORY);
3055                         pf_src_tree_remove_state(s);
3056                         pool_put(&pf_state_pl, s);
3057                         return (PF_DROP);
3058                 } else
3059                         *sm = s;
3060         }
3061
3062         /* copy back packet headers if we performed NAT operations */
3063         if (rewrite)
3064                 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
3065
3066         return (PF_PASS);
3067 }
3068
3069 int
3070 pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
3071     struct pfi_kif *kif, struct mbuf *m, int off, void *h,
3072     struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm)
3073 {
3074         struct pf_rule          *nr = NULL;
3075         struct pf_addr          *saddr = pd->src, *daddr = pd->dst;
3076         struct pf_rule          *r, *a = NULL;
3077         struct pf_ruleset       *ruleset = NULL;
3078         struct pf_src_node      *nsn = NULL;
3079         u_short                  reason;
3080         u_int16_t                icmpid = 0;
3081         sa_family_t              af = pd->af;
3082         u_int8_t                 icmptype = 0, icmpcode = 0;
3083         int                      state_icmp = 0;
3084         int                      tag = -1;
3085 #ifdef INET6
3086         int                      rewrite = 0;
3087 #endif /* INET6 */
3088
3089         switch (pd->proto) {
3090 #ifdef INET
3091         case IPPROTO_ICMP:
3092                 icmptype = pd->hdr.icmp->icmp_type;
3093                 icmpcode = pd->hdr.icmp->icmp_code;
3094                 icmpid = pd->hdr.icmp->icmp_id;
3095
3096                 if (icmptype == ICMP_UNREACH ||
3097                     icmptype == ICMP_SOURCEQUENCH ||
3098                     icmptype == ICMP_REDIRECT ||
3099                     icmptype == ICMP_TIMXCEED ||
3100                     icmptype == ICMP_PARAMPROB)
3101                         state_icmp++;
3102                 break;
3103 #endif /* INET */
3104 #ifdef INET6
3105         case IPPROTO_ICMPV6:
3106                 icmptype = pd->hdr.icmp6->icmp6_type;
3107                 icmpcode = pd->hdr.icmp6->icmp6_code;
3108                 icmpid = pd->hdr.icmp6->icmp6_id;
3109
3110                 if (icmptype == ICMP6_DST_UNREACH ||
3111                     icmptype == ICMP6_PACKET_TOO_BIG ||
3112                     icmptype == ICMP6_TIME_EXCEEDED ||
3113                     icmptype == ICMP6_PARAM_PROB)
3114                         state_icmp++;
3115                 break;
3116 #endif /* INET6 */
3117         }
3118
3119         r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3120
3121         if (direction == PF_OUT) {
3122                 /* check outgoing packet for BINAT/NAT */
3123                 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3124                     saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
3125                         PF_ACPY(&pd->baddr, saddr, af);
3126                         switch (af) {
3127 #ifdef INET
3128                         case AF_INET:
3129                                 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
3130                                     pd->naddr.v4.s_addr, 0);
3131                                 break;
3132 #endif /* INET */
3133 #ifdef INET6
3134                         case AF_INET6:
3135                                 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum,
3136                                     &pd->naddr, 0);
3137                                 rewrite++;
3138                                 break;
3139 #endif /* INET6 */
3140                         }
3141                         if (nr->natpass)
3142                                 r = NULL;
3143                         pd->nat_rule = nr;
3144                 }
3145         } else {
3146                 /* check incoming packet for BINAT/RDR */
3147                 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3148                     saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
3149                         PF_ACPY(&pd->baddr, daddr, af);
3150                         switch (af) {
3151 #ifdef INET
3152                         case AF_INET:
3153                                 pf_change_a(&daddr->v4.s_addr,
3154                                     pd->ip_sum, pd->naddr.v4.s_addr, 0);
3155                                 break;
3156 #endif /* INET */
3157 #ifdef INET6
3158                         case AF_INET6:
3159                                 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum,
3160                                     &pd->naddr, 0);
3161                                 rewrite++;
3162                                 break;
3163 #endif /* INET6 */
3164                         }
3165                         if (nr->natpass)
3166                                 r = NULL;
3167                         pd->nat_rule = nr;
3168                 }
3169         }
3170
3171         while (r != NULL) {
3172                 r->evaluations++;
3173                 if (r->kif != NULL &&
3174                     (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
3175                         r = r->skip[PF_SKIP_IFP].ptr;
3176                 else if (r->direction && r->direction != direction)
3177                         r = r->skip[PF_SKIP_DIR].ptr;
3178                 else if (r->af && r->af != af)
3179                         r = r->skip[PF_SKIP_AF].ptr;
3180                 else if (r->proto && r->proto != pd->proto)
3181                         r = r->skip[PF_SKIP_PROTO].ptr;
3182                 else if (PF_MISMATCHAW(&r->src.addr, saddr, af, r->src.not))
3183                         r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3184                 else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, r->dst.not))
3185                         r = r->skip[PF_SKIP_DST_ADDR].ptr;
3186                 else if (r->type && r->type != icmptype + 1)
3187                         r = TAILQ_NEXT(r, entries);
3188                 else if (r->code && r->code != icmpcode + 1)
3189                         r = TAILQ_NEXT(r, entries);
3190                 else if (r->tos && !(r->tos & pd->tos))
3191                         r = TAILQ_NEXT(r, entries);
3192                 else if (r->rule_flag & PFRULE_FRAGMENT)
3193                         r = TAILQ_NEXT(r, entries);
3194                 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
3195                         r = TAILQ_NEXT(r, entries);
3196                 else if (r->anchorname[0] && r->anchor == NULL)
3197                         r = TAILQ_NEXT(r, entries);
3198                 else if (r->os_fingerprint != PF_OSFP_ANY)
3199                         r = TAILQ_NEXT(r, entries);
3200                 else {
3201                         if (r->tag)
3202                                 tag = r->tag;
3203                         if (r->anchor == NULL) {
3204                                 *rm = r;
3205                                 *am = a;
3206                                 *rsm = ruleset;
3207                                 if ((*rm)->quick)
3208                                         break;
3209                                 r = TAILQ_NEXT(r, entries);
3210                         } else
3211                                 PF_STEP_INTO_ANCHOR(r, a, ruleset,
3212                                     PF_RULESET_FILTER);
3213                 }
3214                 if (r == NULL && a != NULL)
3215                         PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
3216                             PF_RULESET_FILTER);
3217         }
3218         r = *rm;
3219         a = *am;
3220         ruleset = *rsm;
3221
3222         REASON_SET(&reason, PFRES_MATCH);
3223
3224         if (r->log) {
3225 #ifdef INET6
3226                 if (rewrite)
3227                         m_copyback(m, off, sizeof(struct icmp6_hdr),
3228                             (caddr_t)pd->hdr.icmp6);
3229 #endif /* INET6 */
3230                 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
3231         }
3232
3233         if (r->action != PF_PASS)
3234                 return (PF_DROP);
3235
3236         pf_tag_packet(m, tag);
3237
3238         if (!state_icmp && (r->keep_state || nr != NULL)) {
3239                 /* create new state */
3240                 struct pf_state *s = NULL;
3241                 struct pf_src_node *sn = NULL;
3242
3243                 /* check maximums */
3244                 if (r->max_states && (r->states >= r->max_states))
3245                         goto cleanup;
3246                 /* src node for flter rule */
3247                 if ((r->rule_flag & PFRULE_SRCTRACK ||
3248                     r->rpool.opts & PF_POOL_STICKYADDR) &&
3249                     pf_insert_src_node(&sn, r, saddr, af) != 0)
3250                         goto cleanup;
3251                 /* src node for translation rule */
3252                 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3253                     ((direction == PF_OUT &&
3254                     pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3255                     (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
3256                         goto cleanup;
3257                 s = pool_get(&pf_state_pl, PR_NOWAIT);
3258                 if (s == NULL) {
3259 cleanup:
3260                         if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3261                                 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3262                                 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3263                                 pf_status.src_nodes--;
3264                                 pool_put(&pf_src_tree_pl, sn);
3265                         }
3266                         if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3267                             nsn->expire == 0) {
3268                                 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3269                                 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3270                                 pf_status.src_nodes--;
3271                                 pool_put(&pf_src_tree_pl, nsn);
3272                         }
3273                         REASON_SET(&reason, PFRES_MEMORY);
3274                         return (PF_DROP);
3275                 }
3276                 bzero(s, sizeof(*s));
3277                 r->states++;
3278                 if (a != NULL)
3279                         a->states++;
3280                 s->rule.ptr = r;
3281                 s->nat_rule.ptr = nr;
3282                 if (s->nat_rule.ptr != NULL)
3283                         s->nat_rule.ptr->states++;
3284                 s->anchor.ptr = a;
3285                 s->allow_opts = r->allow_opts;
3286                 s->log = r->log & 2;
3287                 s->proto = pd->proto;
3288                 s->direction = direction;
3289                 s->af = af;
3290                 if (direction == PF_OUT) {
3291                         PF_ACPY(&s->gwy.addr, saddr, af);
3292                         s->gwy.port = icmpid;
3293                         PF_ACPY(&s->ext.addr, daddr, af);
3294                         s->ext.port = icmpid;
3295                         if (nr != NULL)
3296                                 PF_ACPY(&s->lan.addr, &pd->baddr, af);
3297                         else
3298                                 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3299                         s->lan.port = icmpid;
3300                 } else {
3301                         PF_ACPY(&s->lan.addr, daddr, af);
3302                         s->lan.port = icmpid;
3303                         PF_ACPY(&s->ext.addr, saddr, af);
3304                         s->ext.port = icmpid;
3305                         if (nr != NULL)
3306                                 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3307                         else
3308                                 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3309                         s->gwy.port = icmpid;
3310                 }
3311                 s->creation = time_second;
3312                 s->expire = time_second;
3313                 s->timeout = PFTM_ICMP_FIRST_PACKET;
3314                 pf_set_rt_ifp(s, saddr);
3315                 if (sn != NULL) {
3316                         s->src_node = sn;
3317                         s->src_node->states++;
3318                 }
3319                 if (nsn != NULL) {
3320                         PF_ACPY(&nsn->raddr, &pd->naddr, af);
3321                         s->nat_src_node = nsn;
3322                         s->nat_src_node->states++;
3323                 }
3324                 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3325                         REASON_SET(&reason, PFRES_MEMORY);
3326                         pf_src_tree_remove_state(s);
3327                         pool_put(&pf_state_pl, s);
3328                         return (PF_DROP);
3329                 } else
3330                         *sm = s;
3331         }
3332
3333 #ifdef INET6
3334         /* copy back packet headers if we performed IPv6 NAT operations */
3335         if (rewrite)
3336                 m_copyback(m, off, sizeof(struct icmp6_hdr),
3337                     (caddr_t)pd->hdr.icmp6);
3338 #endif /* INET6 */
3339
3340         return (PF_PASS);
3341 }
3342
3343 int
3344 pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
3345     struct pfi_kif *kif, struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
3346     struct pf_rule **am, struct pf_ruleset **rsm)
3347 {
3348         struct pf_rule          *nr = NULL;
3349         struct pf_rule          *r, *a = NULL;
3350         struct pf_ruleset       *ruleset = NULL;
3351         struct pf_src_node      *nsn = NULL;
3352         struct pf_addr          *saddr = pd->src, *daddr = pd->dst;
3353         sa_family_t              af = pd->af;
3354         u_short                  reason;
3355         int                      tag = -1;
3356
3357         r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3358
3359         if (direction == PF_OUT) {
3360                 /* check outgoing packet for BINAT/NAT */
3361                 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3362                     saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
3363                         PF_ACPY(&pd->baddr, saddr, af);
3364                         switch (af) {
3365 #ifdef INET
3366                         case AF_INET:
3367                                 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
3368                                     pd->naddr.v4.s_addr, 0);
3369                                 break;
3370 #endif /* INET */
3371 #ifdef INET6
3372                         case AF_INET6:
3373                                 PF_ACPY(saddr, &pd->naddr, af);
3374                                 break;
3375 #endif /* INET6 */
3376                         }
3377                         if (nr->natpass)
3378                                 r = NULL;
3379                         pd->nat_rule = nr;
3380                 }
3381         } else {
3382                 /* check incoming packet for BINAT/RDR */
3383                 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3384                     saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
3385                         PF_ACPY(&pd->baddr, daddr, af);
3386                         switch (af) {
3387 #ifdef INET
3388                         case AF_INET:
3389                                 pf_change_a(&daddr->v4.s_addr,
3390                                     pd->ip_sum, pd->naddr.v4.s_addr, 0);
3391                                 break;
3392 #endif /* INET */
3393 #ifdef INET6
3394                         case AF_INET6:
3395                                 PF_ACPY(daddr, &pd->naddr, af);
3396                                 break;
3397 #endif /* INET6 */
3398                         }
3399                         if (nr->natpass)
3400                                 r = NULL;
3401                         pd->nat_rule = nr;
3402                 }
3403         }
3404
3405         while (r != NULL) {
3406                 r->evaluations++;
3407                 if (r->kif != NULL &&
3408                     (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
3409                         r = r->skip[PF_SKIP_IFP].ptr;
3410                 else if (r->direction && r->direction != direction)
3411                         r = r->skip[PF_SKIP_DIR].ptr;
3412                 else if (r->af && r->af != af)
3413                         r = r->skip[PF_SKIP_AF].ptr;
3414                 else if (r->proto && r->proto != pd->proto)
3415                         r = r->skip[PF_SKIP_PROTO].ptr;
3416                 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not))
3417                         r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3418                 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not))
3419                         r = r->skip[PF_SKIP_DST_ADDR].ptr;
3420                 else if (r->tos && !(r->tos & pd->tos))
3421                         r = TAILQ_NEXT(r, entries);
3422                 else if (r->rule_flag & PFRULE_FRAGMENT)
3423                         r = TAILQ_NEXT(r, entries);
3424                 else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
3425                         r = TAILQ_NEXT(r, entries);
3426                 else if (r->anchorname[0] && r->anchor == NULL)
3427                         r = TAILQ_NEXT(r, entries);
3428                 else if (r->os_fingerprint != PF_OSFP_ANY)
3429                         r = TAILQ_NEXT(r, entries);
3430                 else {
3431                         if (r->tag)
3432                                 tag = r->tag;
3433                         if (r->anchor == NULL) {
3434                                 *rm = r;
3435                                 *am = a;
3436                                 *rsm = ruleset;
3437                                 if ((*rm)->quick)
3438                                         break;
3439                                 r = TAILQ_NEXT(r, entries);
3440                         } else
3441                                 PF_STEP_INTO_ANCHOR(r, a, ruleset,
3442                                     PF_RULESET_FILTER);
3443                 }
3444                 if (r == NULL && a != NULL)
3445                         PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
3446                             PF_RULESET_FILTER);
3447         }
3448         r = *rm;
3449         a = *am;
3450         ruleset = *rsm;
3451
3452         REASON_SET(&reason, PFRES_MATCH);
3453
3454         if (r->log)
3455                 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
3456
3457         if ((r->action == PF_DROP) &&
3458             ((r->rule_flag & PFRULE_RETURNICMP) ||
3459             (r->rule_flag & PFRULE_RETURN))) {
3460                 struct pf_addr *a = NULL;
3461
3462                 if (nr != NULL) {
3463                         if (direction == PF_OUT)
3464                                 a = saddr;
3465                         else
3466                                 a = daddr;
3467                 }
3468                 if (a != NULL) {
3469                         switch (af) {
3470 #ifdef INET
3471                         case AF_INET:
3472                                 pf_change_a(&a->v4.s_addr, pd->ip_sum,
3473                                     pd->baddr.v4.s_addr, 0);
3474                                 break;
3475 #endif /* INET */
3476 #ifdef INET6
3477                         case AF_INET6:
3478                                 PF_ACPY(a, &pd->baddr, af);
3479                                 break;
3480 #endif /* INET6 */
3481                         }
3482                 }
3483                 if ((af == AF_INET) && r->return_icmp)
3484                         pf_send_icmp(m, r->return_icmp >> 8,
3485                             r->return_icmp & 255, af, r);
3486                 else if ((af == AF_INET6) && r->return_icmp6)
3487                         pf_send_icmp(m, r->return_icmp6 >> 8,
3488                             r->return_icmp6 & 255, af, r);
3489         }
3490
3491         if (r->action != PF_PASS)
3492                 return (PF_DROP);
3493
3494         pf_tag_packet(m, tag);
3495
3496         if (r->keep_state || nr != NULL) {
3497                 /* create new state */
3498                 struct pf_state *s = NULL;
3499                 struct pf_src_node *sn = NULL;
3500
3501                 /* check maximums */
3502                 if (r->max_states && (r->states >= r->max_states))
3503                         goto cleanup;
3504                 /* src node for flter rule */
3505                 if ((r->rule_flag & PFRULE_SRCTRACK ||
3506                     r->rpool.opts & PF_POOL_STICKYADDR) &&
3507                     pf_insert_src_node(&sn, r, saddr, af) != 0)
3508                         goto cleanup;
3509                 /* src node for translation rule */
3510                 if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&
3511                     ((direction == PF_OUT &&
3512                     pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3513                     (pf_insert_src_node(&nsn, nr, saddr, af) != 0)))
3514                         goto cleanup;
3515                 s = pool_get(&pf_state_pl, PR_NOWAIT);
3516                 if (s == NULL) {
3517 cleanup:
3518                         if (sn != NULL && sn->states == 0 && sn->expire == 0) {
3519                                 RB_REMOVE(pf_src_tree, &tree_src_tracking, sn);
3520                                 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3521                                 pf_status.src_nodes--;
3522                                 pool_put(&pf_src_tree_pl, sn);
3523                         }
3524                         if (nsn != sn && nsn != NULL && nsn->states == 0 &&
3525                             nsn->expire == 0) {
3526                                 RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn);
3527                                 pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
3528                                 pf_status.src_nodes--;
3529                                 pool_put(&pf_src_tree_pl, nsn);
3530                         }
3531                         REASON_SET(&reason, PFRES_MEMORY);
3532                         return (PF_DROP);
3533                 }
3534                 bzero(s, sizeof(*s));
3535                 r->states++;
3536                 if (a != NULL)
3537                         a->states++;
3538                 s->rule.ptr = r;
3539                 s->nat_rule.ptr = nr;
3540                 if (s->nat_rule.ptr != NULL)
3541                         s->nat_rule.ptr->states++;
3542                 s->anchor.ptr = a;
3543                 s->allow_opts = r->allow_opts;
3544                 s->log = r->log & 2;
3545                 s->proto = pd->proto;
3546                 s->direction = direction;
3547                 s->af = af;
3548                 if (direction == PF_OUT) {
3549                         PF_ACPY(&s->gwy.addr, saddr, af);
3550                         PF_ACPY(&s->ext.addr, daddr, af);
3551                         if (nr != NULL)
3552                                 PF_ACPY(&s->lan.addr, &pd->baddr, af);
3553                         else
3554                                 PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
3555                 } else {
3556                         PF_ACPY(&s->lan.addr, daddr, af);
3557                         PF_ACPY(&s->ext.addr, saddr, af);
3558                         if (nr != NULL)
3559                                 PF_ACPY(&s->gwy.addr, &pd->baddr, af);
3560                         else
3561                                 PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
3562                 }
3563                 s->src.state = PFOTHERS_SINGLE;
3564                 s->dst.state = PFOTHERS_NO_TRAFFIC;
3565                 s->creation = time_second;
3566                 s->expire = time_second;
3567                 s->timeout = PFTM_OTHER_FIRST_PACKET;
3568                 pf_set_rt_ifp(s, saddr);
3569                 if (sn != NULL) {
3570                         s->src_node = sn;
3571                         s->src_node->states++;
3572                 }
3573                 if (nsn != NULL) {
3574                         PF_ACPY(&nsn->raddr, &pd->naddr, af);
3575                         s->nat_src_node = nsn;
3576                         s->nat_src_node->states++;
3577                 }
3578                 if (pf_insert_state(BOUND_IFACE(r, kif), s)) {
3579                         REASON_SET(&reason, PFRES_MEMORY);
3580                         pf_src_tree_remove_state(s);
3581                         pool_put(&pf_state_pl, s);
3582                         return (PF_DROP);
3583                 } else
3584                         *sm = s;
3585         }
3586
3587         return (PF_PASS);
3588 }
3589
3590 int
3591 pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
3592     struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,
3593     struct pf_ruleset **rsm)
3594 {
3595         struct pf_rule          *r, *a = NULL;
3596         struct pf_ruleset       *ruleset = NULL;
3597         sa_family_t              af = pd->af;
3598         u_short                  reason;
3599         int                      tag = -1;
3600
3601         r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
3602         while (r != NULL) {
3603                 r->evaluations++;
3604                 if (r->kif != NULL &&
3605                     (r->kif != kif && r->kif != kif->pfik_parent) == !r->ifnot)
3606                         r = r->skip[PF_SKIP_IFP].ptr;
3607                 else if (r->direction && r->direction != direction)
3608                         r = r->skip[PF_SKIP_DIR].ptr;
3609                 else if (r->af && r->af != af)
3610                         r = r->skip[PF_SKIP_AF].ptr;
3611                 else if (r->proto && r->proto != pd->proto)
3612                         r = r->skip[PF_SKIP_PROTO].ptr;
3613                 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, r->src.not))
3614                         r = r->skip[PF_SKIP_SRC_ADDR].ptr;
3615                 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, r->dst.not))
3616                         r = r->skip[PF_SKIP_DST_ADDR].ptr;
3617                 else if (r->tos && !(r->tos & pd->tos))
3618                         r = TAILQ_NEXT(r, entries);
3619                 else if (r->src.port_op || r->dst.port_op ||
3620                     r->flagset || r->type || r->code ||
3621                     r->os_fingerprint != PF_OSFP_ANY)
3622                         r = TAILQ_NEXT(r, entries);
3623                 else if (r->match_tag && !pf_match_tag(m, r, NULL, &tag))
3624                         r = TAILQ_NEXT(r, entries);
3625                 else if (r->anchorname[0] && r->anchor == NULL)
3626                         r = TAILQ_NEXT(r, entries);
3627                 else {
3628                         if (r->anchor == NULL) {
3629                                 *rm = r;
3630                                 *am = a;
3631                                 *rsm = ruleset;
3632                                 if ((*rm)->quick)
3633                                         break;
3634                                 r = TAILQ_NEXT(r, entries);
3635                         } else
3636                                 PF_STEP_INTO_ANCHOR(r, a, ruleset,
3637                                     PF_RULESET_FILTER);
3638                 }
3639                 if (r == NULL && a != NULL)
3640                         PF_STEP_OUT_OF_ANCHOR(r, a, ruleset,
3641                             PF_RULESET_FILTER);
3642         }
3643         r = *rm;
3644         a = *am;
3645         ruleset = *rsm;
3646
3647         REASON_SET(&reason, PFRES_MATCH);
3648
3649         if (r->log)
3650                 PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset);
3651
3652         if (r->action != PF_PASS)
3653                 return (PF_DROP);
3654
3655         pf_tag_packet(m, tag);
3656
3657         return (PF_PASS);
3658 }
3659
3660 int
3661 pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
3662     struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
3663     u_short *reason)
3664 {
3665         struct pf_state          key;
3666         struct tcphdr           *th = pd->hdr.tcp;
3667         u_int16_t                win = ntohs(th->th_win);
3668         u_int32_t                ack, end, seq;
3669         u_int8_t                 sws, dws;
3670         int                      ackskew;
3671         int                      copyback = 0;
3672         struct pf_state_peer    *src, *dst;
3673
3674         key.af = pd->af;
3675         key.proto = IPPROTO_TCP;
3676         if (direction == PF_IN) {
3677                 PF_ACPY(&key.ext.addr, pd->src, key.af);
3678                 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
3679                 key.ext.port = th->th_sport;
3680                 key.gwy.port = th->th_dport;
3681         } else {
3682                 PF_ACPY(&key.lan.addr, pd->src, key.af);
3683                 PF_ACPY(&key.ext.addr, pd->dst, key.af);
3684                 key.lan.port = th->th_sport;
3685                 key.ext.port = th->th_dport;
3686         }
3687
3688         STATE_LOOKUP();
3689
3690         if (direction == (*state)->direction) {
3691                 src = &(*state)->src;
3692                 dst = &(*state)->dst;
3693         } else {
3694                 src = &(*state)->dst;
3695                 dst = &(*state)->src;
3696         }
3697
3698         if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
3699                 if (direction != (*state)->direction)
3700                         return (PF_SYNPROXY_DROP);
3701                 if (th->th_flags & TH_SYN) {
3702                         if (ntohl(th->th_seq) != (*state)->src.seqlo)
3703                                 return (PF_DROP);
3704                         pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
3705                             pd->src, th->th_dport, th->th_sport,
3706                             (*state)->src.seqhi, ntohl(th->th_seq) + 1,
3707                             TH_SYN|TH_ACK, 0, (*state)->src.mss, 0);
3708                         return (PF_SYNPROXY_DROP);
3709                 } else if (!(th->th_flags & TH_ACK) ||
3710                     (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
3711                     (ntohl(th->th_seq) != (*state)->src.seqlo + 1))
3712                         return (PF_DROP);
3713                 else
3714                         (*state)->src.state = PF_TCPS_PROXY_DST;
3715         }
3716         if ((*state)->src.state == PF_TCPS_PROXY_DST) {
3717                 struct pf_state_host *src, *dst;
3718
3719                 if (direction == PF_OUT) {
3720                         src = &(*state)->gwy;
3721                         dst = &(*state)->ext;
3722                 } else {
3723                         src = &(*state)->ext;
3724                         dst = &(*state)->lan;
3725                 }
3726                 if (direction == (*state)->direction) {
3727                         if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
3728                             (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
3729                             (ntohl(th->th_seq) != (*state)->src.seqlo + 1))
3730                                 return (PF_DROP);
3731                         (*state)->src.max_win = MAX(ntohs(th->th_win), 1);
3732                         if ((*state)->dst.seqhi == 1)
3733                                 (*state)->dst.seqhi = arc4random();
3734                         pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
3735                             &dst->addr, src->port, dst->port,
3736                             (*state)->dst.seqhi, 0, TH_SYN, 0,
3737                             (*state)->src.mss, 0);
3738                         return (PF_SYNPROXY_DROP);
3739                 } else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
3740                     (TH_SYN|TH_ACK)) ||
3741                     (ntohl(th->th_ack) != (*state)->dst.seqhi + 1))
3742                         return (PF_DROP);
3743                 else {
3744                         (*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
3745                         (*state)->dst.seqlo = ntohl(th->th_seq);
3746                         pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
3747                             pd->src, th->th_dport, th->th_sport,
3748                             ntohl(th->th_ack), ntohl(th->th_seq) + 1,
3749                             TH_ACK, (*state)->src.max_win, 0, 0);
3750                         pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
3751                             &dst->addr, src->port, dst->port,
3752                             (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
3753                             TH_ACK, (*state)->dst.max_win, 0, 0);
3754                         (*state)->src.seqdiff = (*state)->dst.seqhi -
3755                             (*state)->src.seqlo;
3756                         (*state)->dst.seqdiff = (*state)->src.seqhi -
3757                             (*state)->dst.seqlo;
3758                         (*state)->src.seqhi = (*state)->src.seqlo +
3759                             (*state)->src.max_win;
3760                         (*state)->dst.seqhi = (*state)->dst.seqlo +
3761                             (*state)->dst.max_win;
3762                         (*state)->src.wscale = (*state)->dst.wscale = 0;
3763                         (*state)->src.state = (*state)->dst.state =
3764                             TCPS_ESTABLISHED;
3765                         return (PF_SYNPROXY_DROP);
3766                 }
3767         }
3768
3769         if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {
3770                 sws = src->wscale & PF_WSCALE_MASK;
3771                 dws = dst->wscale & PF_WSCALE_MASK;
3772         } else
3773                 sws = dws = 0;
3774
3775         /*
3776          * Sequence tracking algorithm from Guido van Rooij's paper:
3777          *   http://www.madison-gurkha.com/publications/tcp_filtering/
3778          *      tcp_filtering.ps
3779          */
3780
3781         seq = ntohl(th->th_seq);
3782         if (src->seqlo == 0) {
3783                 /* First packet from this end. Set its state */
3784
3785                 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
3786                     src->scrub == NULL) {
3787                         if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) {
3788                                 REASON_SET(reason, PFRES_MEMORY);
3789                                 return (PF_DROP);
3790                         }
3791                 }
3792
3793                 /* Deferred generation of sequence number modulator */
3794                 if (dst->seqdiff && !src->seqdiff) {
3795                         while ((src->seqdiff = arc4random()) == 0)
3796                                 ;
3797                         ack = ntohl(th->th_ack) - dst->seqdiff;
3798                         pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
3799                             src->seqdiff), 0);
3800                         pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
3801                         copyback = 1;
3802                 } else {
3803                         ack = ntohl(th->th_ack);
3804                 }
3805
3806                 end = seq + pd->p_len;
3807                 if (th->th_flags & TH_SYN) {
3808                         end++;
3809                         if (dst->wscale & PF_WSCALE_FLAG) {
3810                                 src->wscale = pf_get_wscale(m, off, th->th_off,
3811                                     pd->af);
3812                                 if (src->wscale & PF_WSCALE_FLAG) {
3813                                         /* Remove scale factor from initial
3814                                          * window */
3815                                         sws = src->wscale & PF_WSCALE_MASK;
3816                                         win = ((u_int32_t)win + (1 << sws) - 1)
3817                                             >> sws;
3818                                         dws = dst->wscale & PF_WSCALE_MASK;
3819                                 } else {
3820                                         /* fixup other window */
3821                                         dst->max_win <<= dst->wscale &
3822                                             PF_WSCALE_MASK;
3823                                         /* in case of a retrans SYN|ACK */
3824                                         dst->wscale = 0;
3825                                 }
3826                         }
3827                 }
3828                 if (th->th_flags & TH_FIN)
3829                         end++;
3830
3831                 src->seqlo = seq;
3832                 if (src->state < TCPS_SYN_SENT)
3833                         src->state = TCPS_SYN_SENT;
3834
3835                 /*
3836                  * May need to slide the window (seqhi may have been set by
3837                  * the crappy stack check or if we picked up the connection
3838                  * after establishment)
3839                  */
3840                 if (src->seqhi == 1 ||
3841                     SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi))
3842                         src->seqhi = end + MAX(1, dst->max_win << dws);
3843                 if (win > src->max_win)
3844                         src->max_win = win;
3845
3846         } else {
3847                 ack = ntohl(th->th_ack) - dst->seqdiff;
3848                 if (src->seqdiff) {
3849                         /* Modulate sequence numbers */
3850                         pf_change_a(&th->th_seq, &th->th_sum, htonl(seq +
3851                             src->seqdiff), 0);
3852                         pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0);
3853                         copyback = 1;
3854                 }
3855                 end = seq + pd->p_len;
3856                 if (th->th_flags & TH_SYN)
3857                         end++;
3858                 if (th->th_flags & TH_FIN)
3859                         end++;
3860         }
3861
3862         if ((th->th_flags & TH_ACK) == 0) {
3863                 /* Let it pass through the ack skew check */
3864                 ack = dst->seqlo;
3865         } else if ((ack == 0 &&
3866             (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) ||
3867             /* broken tcp stacks do not set ack */
3868             (dst->state < TCPS_SYN_SENT)) {
3869                 /*
3870                  * Many stacks (ours included) will set the ACK number in an
3871                  * FIN|ACK if the SYN times out -- no sequence to ACK.
3872                  */
3873                 ack = dst->seqlo;
3874         }
3875
3876         if (seq == end) {
3877                 /* Ease sequencing restrictions on no data packets */
3878                 seq = src->seqlo;
3879                 end = seq;
3880         }
3881
3882         ackskew = dst->seqlo - ack;
3883
3884 #define MAXACKWINDOW (0xffff + 1500)    /* 1500 is an arbitrary fudge factor */
3885         if (SEQ_GEQ(src->seqhi, end) &&
3886             /* Last octet inside other's window space */
3887             SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) &&
3888             /* Retrans: not more than one window back */
3889             (ackskew >= -MAXACKWINDOW) &&
3890             /* Acking not more than one reassembled fragment backwards */
3891             (ackskew <= (MAXACKWINDOW << sws))) {
3892             /* Acking not more than one window forward */
3893
3894                 /* update max window */
3895                 if (src->max_win < win)
3896                         src->max_win = win;
3897                 /* synchronize sequencing */
3898                 if (SEQ_GT(end, src->seqlo))
3899                         src->seqlo = end;
3900                 /* slide the window of what the other end can send */
3901                 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
3902                         dst->seqhi = ack + MAX((win << sws), 1);
3903
3904
3905                 /* update states */
3906                 if (th->th_flags & TH_SYN)
3907                         if (src->state < TCPS_SYN_SENT)
3908                                 src->state = TCPS_SYN_SENT;
3909                 if (th->th_flags & TH_FIN)
3910                         if (src->state < TCPS_CLOSING)
3911                                 src->state = TCPS_CLOSING;
3912                 if (th->th_flags & TH_ACK) {
3913                         if (dst->state == TCPS_SYN_SENT)
3914                                 dst->state = TCPS_ESTABLISHED;
3915                         else if (dst->state == TCPS_CLOSING)
3916                                 dst->state = TCPS_FIN_WAIT_2;
3917                 }
3918                 if (th->th_flags & TH_RST)
3919                         src->state = dst->state = TCPS_TIME_WAIT;
3920
3921                 /* update expire time */
3922                 (*state)->expire = time_second;
3923                 if (src->state >= TCPS_FIN_WAIT_2 &&
3924                     dst->state >= TCPS_FIN_WAIT_2)
3925                         (*state)->timeout = PFTM_TCP_CLOSED;
3926                 else if (src->state >= TCPS_FIN_WAIT_2 ||
3927                     dst->state >= TCPS_FIN_WAIT_2)
3928                         (*state)->timeout = PFTM_TCP_FIN_WAIT;
3929                 else if (src->state < TCPS_ESTABLISHED ||
3930                     dst->state < TCPS_ESTABLISHED)
3931                         (*state)->timeout = PFTM_TCP_OPENING;
3932                 else if (src->state >= TCPS_CLOSING ||
3933                     dst->state >= TCPS_CLOSING)
3934                         (*state)->timeout = PFTM_TCP_CLOSING;
3935                 else
3936                         (*state)->timeout = PFTM_TCP_ESTABLISHED;
3937
3938                 /* Fall through to PASS packet */
3939
3940         } else if ((dst->state < TCPS_SYN_SENT ||
3941                 dst->state >= TCPS_FIN_WAIT_2 ||
3942                 src->state >= TCPS_FIN_WAIT_2) &&
3943             SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) &&
3944             /* Within a window forward of the originating packet */
3945             SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
3946             /* Within a window backward of the originating packet */
3947
3948                 /*
3949                  * This currently handles three situations:
3950                  *  1) Stupid stacks will shotgun SYNs before their peer
3951                  *     replies.
3952                  *  2) When PF catches an already established stream (the
3953                  *     firewall rebooted, the state table was flushed, routes
3954                  *     changed...)
3955                  *  3) Packets get funky immediately after the connection
3956                  *     closes (this should catch Solaris spurious ACK|FINs
3957                  *     that web servers like to spew after a close)
3958                  *
3959                  * This must be a little more careful than the above code
3960                  * since packet floods will also be caught here. We don't
3961                  * update the TTL here to mitigate the damage of a packet
3962                  * flood and so the same code can handle awkward establishment
3963                  * and a loosened connection close.
3964                  * In the establishment case, a correct peer response will
3965                  * validate the connection, go through the normal state code
3966                  * and keep updating the state TTL.
3967                  */
3968
3969                 if (pf_status.debug >= PF_DEBUG_MISC) {
3970                         printf("pf: loose state match: ");
3971                         pf_print_state(*state);
3972                         pf_print_flags(th->th_flags);
3973                         printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n",
3974                             seq, ack, pd->p_len, ackskew,
3975                             (*state)->packets[0], (*state)->packets[1]);
3976                 }
3977
3978                 /* update max window */
3979                 if (src->max_win < win)
3980                         src->max_win = win;
3981                 /* synchronize sequencing */
3982                 if (SEQ_GT(end, src->seqlo))
3983                         src->seqlo = end;
3984                 /* slide the window of what the other end can send */
3985                 if (SEQ_GEQ(ack + (win << sws), dst->seqhi))
3986                         dst->seqhi = ack + MAX((win << sws), 1);
3987
3988                 /*
3989                  * Cannot set dst->seqhi here since this could be a shotgunned
3990                  * SYN and not an already established connection.
3991                  */
3992
3993                 if (th->th_flags & TH_FIN)
3994                         if (src->state < TCPS_CLOSING)
3995                                 src->state = TCPS_CLOSING;
3996                 if (th->th_flags & TH_RST)
3997                         src->state = dst->state = TCPS_TIME_WAIT;
3998
3999                 /* Fall through to PASS packet */
4000
4001         } else {
4002                 if ((*state)->dst.state == TCPS_SYN_SENT &&
4003                     (*state)->src.state == TCPS_SYN_SENT) {
4004                         /* Send RST for state mismatches during handshake */
4005                         if (!(th->th_flags & TH_RST)) {
4006                                 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
4007
4008                                 if (th->th_flags & TH_SYN)
4009                                         ack++;
4010                                 if (th->th_flags & TH_FIN)
4011                                         ack++;
4012                                 pf_send_tcp((*state)->rule.ptr, pd->af,
4013                                     pd->dst, pd->src, th->th_dport,
4014                                     th->th_sport, ntohl(th->th_ack), ack,
4015                                     TH_RST|TH_ACK, 0, 0,
4016                                     (*state)->rule.ptr->return_ttl);
4017                         }
4018                         src->seqlo = 0;
4019                         src->seqhi = 1;
4020                         src->max_win = 1;
4021                 } else if (pf_status.debug >= PF_DEBUG_MISC) {
4022                         printf("pf: BAD state: ");
4023                         pf_print_state(*state);
4024                         pf_print_flags(th->th_flags);
4025                         printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d "
4026                             "dir=%s,%s\n", seq, ack, pd->p_len, ackskew,
4027                             (*state)->packets[0], (*state)->packets[1],
4028                             direction == PF_IN ? "in" : "out",
4029                             direction == (*state)->direction ? "fwd" : "rev");
4030                         printf("pf: State failure on: %c %c %c %c | %c %c\n",
4031                             SEQ_GEQ(src->seqhi, end) ? ' ' : '1',
4032                             SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
4033                             ' ': '2',
4034                             (ackskew >= -MAXACKWINDOW) ? ' ' : '3',
4035                             (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
4036                             SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
4037                             SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
4038                 }
4039                 return (PF_DROP);
4040         }
4041
4042         if (dst->scrub || src->scrub) {
4043                 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
4044                     src, dst, &copyback))
4045                         return (PF_DROP);
4046         }
4047
4048         /* Any packets which have gotten here are to be passed */
4049
4050         /* translate source/destination address, if necessary */
4051         if (STATE_TRANSLATE(*state)) {
4052                 if (direction == PF_OUT)
4053                         pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
4054                             &th->th_sum, &(*state)->gwy.addr,
4055                             (*state)->gwy.port, 0, pd->af);
4056                 else
4057                         pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
4058                             &th->th_sum, &(*state)->lan.addr,
4059                             (*state)->lan.port, 0, pd->af);
4060                 m_copyback(m, off, sizeof(*th), (caddr_t)th);
4061         } else if (copyback) {
4062                 /* Copyback sequence modulation or stateful scrub changes */
4063                 m_copyback(m, off, sizeof(*th), (caddr_t)th);
4064         }
4065
4066         return (PF_PASS);
4067 }
4068
4069 int
4070 pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
4071     struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
4072 {
4073         struct pf_state_peer    *src, *dst;
4074         struct pf_state          key;
4075         struct udphdr           *uh = pd->hdr.udp;
4076
4077         key.af = pd->af;
4078         key.proto = IPPROTO_UDP;
4079         if (direction == PF_IN) {
4080                 PF_ACPY(&key.ext.addr, pd->src, key.af);
4081                 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4082                 key.ext.port = uh->uh_sport;
4083                 key.gwy.port = uh->uh_dport;
4084         } else {
4085                 PF_ACPY(&key.lan.addr, pd->src, key.af);
4086                 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4087                 key.lan.port = uh->uh_sport;
4088                 key.ext.port = uh->uh_dport;
4089         }
4090
4091         STATE_LOOKUP();
4092
4093         if (direction == (*state)->direction) {
4094                 src = &(*state)->src;
4095                 dst = &(*state)->dst;
4096         } else {
4097                 src = &(*state)->dst;
4098                 dst = &(*state)->src;
4099         }
4100
4101         /* update states */
4102         if (src->state < PFUDPS_SINGLE)
4103                 src->state = PFUDPS_SINGLE;
4104         if (dst->state == PFUDPS_SINGLE)
4105                 dst->state = PFUDPS_MULTIPLE;
4106
4107         /* update expire time */
4108         (*state)->expire = time_second;
4109         if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE)
4110                 (*state)->timeout = PFTM_UDP_MULTIPLE;
4111         else
4112                 (*state)->timeout = PFTM_UDP_SINGLE;
4113
4114         /* translate source/destination address, if necessary */
4115         if (STATE_TRANSLATE(*state)) {
4116                 if (direction == PF_OUT)
4117                         pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
4118                             &uh->uh_sum, &(*state)->gwy.addr,
4119                             (*state)->gwy.port, 1, pd->af);
4120                 else
4121                         pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
4122                             &uh->uh_sum, &(*state)->lan.addr,
4123                             (*state)->lan.port, 1, pd->af);
4124                 m_copyback(m, off, sizeof(*uh), (caddr_t)uh);
4125         }
4126
4127         return (PF_PASS);
4128 }
4129
4130 int
4131 pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
4132     struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
4133 {
4134         struct pf_addr  *saddr = pd->src, *daddr = pd->dst;
4135         u_int16_t        icmpid = 0;
4136         u_int16_t       *icmpsum = NULL;
4137         u_int8_t         icmptype = 0;
4138         int              state_icmp = 0;
4139
4140         switch (pd->proto) {
4141 #ifdef INET
4142         case IPPROTO_ICMP:
4143                 icmptype = pd->hdr.icmp->icmp_type;
4144                 icmpid = pd->hdr.icmp->icmp_id;
4145                 icmpsum = &pd->hdr.icmp->icmp_cksum;
4146
4147                 if (icmptype == ICMP_UNREACH ||
4148                     icmptype == ICMP_SOURCEQUENCH ||
4149                     icmptype == ICMP_REDIRECT ||
4150                     icmptype == ICMP_TIMXCEED ||
4151                     icmptype == ICMP_PARAMPROB)
4152                         state_icmp++;
4153                 break;
4154 #endif /* INET */
4155 #ifdef INET6
4156         case IPPROTO_ICMPV6:
4157                 icmptype = pd->hdr.icmp6->icmp6_type;
4158                 icmpid = pd->hdr.icmp6->icmp6_id;
4159                 icmpsum = &pd->hdr.icmp6->icmp6_cksum;
4160
4161                 if (icmptype == ICMP6_DST_UNREACH ||
4162                     icmptype == ICMP6_PACKET_TOO_BIG ||
4163                     icmptype == ICMP6_TIME_EXCEEDED ||
4164                     icmptype == ICMP6_PARAM_PROB)
4165                         state_icmp++;
4166                 break;
4167 #endif /* INET6 */
4168         }
4169
4170         if (!state_icmp) {
4171
4172                 /*
4173                  * ICMP query/reply message not related to a TCP/UDP packet.
4174                  * Search for an ICMP state.
4175                  */
4176                 struct pf_state         key;
4177
4178                 key.af = pd->af;
4179                 key.proto = pd->proto;
4180                 if (direction == PF_IN) {
4181                         PF_ACPY(&key.ext.addr, pd->src, key.af);
4182                         PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4183                         key.ext.port = icmpid;
4184                         key.gwy.port = icmpid;
4185                 } else {
4186                         PF_ACPY(&key.lan.addr, pd->src, key.af);
4187                         PF_ACPY(&key.ext.addr, pd->dst, key.af);
4188                         key.lan.port = icmpid;
4189                         key.ext.port = icmpid;
4190                 }
4191
4192                 STATE_LOOKUP();
4193
4194                 (*state)->expire = time_second;
4195                 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
4196
4197                 /* translate source/destination address, if necessary */
4198                 if (PF_ANEQ(&(*state)->lan.addr, &(*state)->gwy.addr, pd->af)) {
4199                         if (direction == PF_OUT) {
4200                                 switch (pd->af) {
4201 #ifdef INET
4202                                 case AF_INET:
4203                                         pf_change_a(&saddr->v4.s_addr,
4204                                             pd->ip_sum,
4205                                             (*state)->gwy.addr.v4.s_addr, 0);
4206                                         break;
4207 #endif /* INET */
4208 #ifdef INET6
4209                                 case AF_INET6:
4210                                         pf_change_a6(saddr,
4211                                             &pd->hdr.icmp6->icmp6_cksum,
4212                                             &(*state)->gwy.addr, 0);
4213                                         m_copyback(m, off,
4214                                             sizeof(struct icmp6_hdr),
4215                                             (caddr_t)pd->hdr.icmp6);
4216                                         break;
4217 #endif /* INET6 */
4218                                 }
4219                         } else {
4220                                 switch (pd->af) {
4221 #ifdef INET
4222                                 case AF_INET:
4223                                         pf_change_a(&daddr->v4.s_addr,
4224                                             pd->ip_sum,
4225                                             (*state)->lan.addr.v4.s_addr, 0);
4226                                         break;
4227 #endif /* INET */
4228 #ifdef INET6
4229                                 case AF_INET6:
4230                                         pf_change_a6(daddr,
4231                                             &pd->hdr.icmp6->icmp6_cksum,
4232                                             &(*state)->lan.addr, 0);
4233                                         m_copyback(m, off,
4234                                             sizeof(struct icmp6_hdr),
4235                                             (caddr_t)pd->hdr.icmp6);
4236                                         break;
4237 #endif /* INET6 */
4238                                 }
4239                         }
4240                 }
4241
4242                 return (PF_PASS);
4243
4244         } else {
4245                 /*
4246                  * ICMP error message in response to a TCP/UDP packet.
4247                  * Extract the inner TCP/UDP header and search for that state.
4248                  */
4249
4250                 struct pf_pdesc pd2;
4251 #ifdef INET
4252                 struct ip       h2;
4253 #endif /* INET */
4254 #ifdef INET6
4255                 struct ip6_hdr  h2_6;
4256                 int             terminal = 0;
4257 #endif /* INET6 */
4258                 int             ipoff2 = 0;
4259                 int             off2 = 0;
4260
4261                 pd2.af = pd->af;
4262                 switch (pd->af) {
4263 #ifdef INET
4264                 case AF_INET:
4265                         /* offset of h2 in mbuf chain */
4266                         ipoff2 = off + ICMP_MINLEN;
4267
4268                         if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),
4269                             NULL, NULL, pd2.af)) {
4270                                 DPFPRINTF(PF_DEBUG_MISC,
4271                                     ("pf: ICMP error message too short "
4272                                     "(ip)\n"));
4273                                 return (PF_DROP);
4274                         }
4275                         /*
4276                          * ICMP error messages don't refer to non-first
4277                          * fragments
4278                          */
4279                         /* 
4280                          * Note: We are dealing with an encapsulated
4281                          * header. This means ip_off/ip_len are not
4282                          * in host byte order!
4283                          */
4284                         if (h2.ip_off & htons(IP_OFFMASK))
4285                                 return (PF_DROP);
4286
4287                         /* offset of protocol header that follows h2 */
4288                         off2 = ipoff2 + (h2.ip_hl << 2);
4289
4290                         pd2.proto = h2.ip_p;
4291                         pd2.src = (struct pf_addr *)&h2.ip_src;
4292                         pd2.dst = (struct pf_addr *)&h2.ip_dst;
4293                         pd2.ip_sum = &h2.ip_sum;
4294                         break;
4295 #endif /* INET */
4296 #ifdef INET6
4297                 case AF_INET6:
4298                         ipoff2 = off + sizeof(struct icmp6_hdr);
4299
4300                         if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),
4301                             NULL, NULL, pd2.af)) {
4302                                 DPFPRINTF(PF_DEBUG_MISC,
4303                                     ("pf: ICMP error message too short "
4304                                     "(ip6)\n"));
4305                                 return (PF_DROP);
4306                         }
4307                         pd2.proto = h2_6.ip6_nxt;
4308                         pd2.src = (struct pf_addr *)&h2_6.ip6_src;
4309                         pd2.dst = (struct pf_addr *)&h2_6.ip6_dst;
4310                         pd2.ip_sum = NULL;
4311                         off2 = ipoff2 + sizeof(h2_6);
4312                         do {
4313                                 switch (pd2.proto) {
4314                                 case IPPROTO_FRAGMENT:
4315                                         /*
4316                                          * ICMPv6 error messages for
4317                                          * non-first fragments
4318                                          */
4319                                         return (PF_DROP);
4320                                 case IPPROTO_AH:
4321                                 case IPPROTO_HOPOPTS:
4322                                 case IPPROTO_ROUTING:
4323                                 case IPPROTO_DSTOPTS: {
4324                                         /* get next header and header length */
4325                                         struct ip6_ext opt6;
4326
4327                                         if (!pf_pull_hdr(m, off2, &opt6,
4328                                             sizeof(opt6), NULL, NULL, pd2.af)) {
4329                                                 DPFPRINTF(PF_DEBUG_MISC,
4330                                                     ("pf: ICMPv6 short opt\n"));
4331                                                 return (PF_DROP);
4332                                         }
4333                                         if (pd2.proto == IPPROTO_AH)
4334                                                 off2 += (opt6.ip6e_len + 2) * 4;
4335                                         else
4336                                                 off2 += (opt6.ip6e_len + 1) * 8;
4337                                         pd2.proto = opt6.ip6e_nxt;
4338                                         /* goto the next header */
4339                                         break;
4340                                 }
4341                                 default:
4342                                         terminal++;
4343                                         break;
4344                                 }
4345                         } while (!terminal);
4346                         break;
4347 #endif /* INET6 */
4348                 }
4349
4350                 switch (pd2.proto) {
4351                 case IPPROTO_TCP: {
4352                         struct tcphdr            th;
4353                         u_int32_t                seq;
4354                         struct pf_state          key;
4355                         struct pf_state_peer    *src, *dst;
4356                         u_int8_t                 dws;
4357                         int                      copyback = 0;
4358
4359                         /*
4360                          * Only the first 8 bytes of the TCP header can be
4361                          * expected. Don't access any TCP header fields after
4362                          * th_seq, an ackskew test is not possible.
4363                          */
4364                         if (!pf_pull_hdr(m, off2, &th, 8, NULL, NULL, pd2.af)) {
4365                                 DPFPRINTF(PF_DEBUG_MISC,
4366                                     ("pf: ICMP error message too short "
4367                                     "(tcp)\n"));
4368                                 return (PF_DROP);
4369                         }
4370
4371                         key.af = pd2.af;
4372                         key.proto = IPPROTO_TCP;
4373                         if (direction == PF_IN) {
4374                                 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4375                                 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4376                                 key.ext.port = th.th_dport;
4377                                 key.gwy.port = th.th_sport;
4378                         } else {
4379                                 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4380                                 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4381                                 key.lan.port = th.th_dport;
4382                                 key.ext.port = th.th_sport;
4383                         }
4384
4385                         STATE_LOOKUP();
4386
4387                         if (direction == (*state)->direction) {
4388                                 src = &(*state)->dst;
4389                                 dst = &(*state)->src;
4390                         } else {
4391                                 src = &(*state)->src;
4392                                 dst = &(*state)->dst;
4393                         }
4394
4395                         if (src->wscale && dst->wscale &&
4396                             !(th.th_flags & TH_SYN))
4397                                 dws = dst->wscale & PF_WSCALE_MASK;
4398                         else
4399                                 dws = 0;
4400
4401                         /* Demodulate sequence number */
4402                         seq = ntohl(th.th_seq) - src->seqdiff;
4403                         if (src->seqdiff) {
4404                                 pf_change_a(&th.th_seq, icmpsum,
4405                                     htonl(seq), 0);
4406                                 copyback = 1;
4407                         }
4408
4409                         if (!SEQ_GEQ(src->seqhi, seq) ||
4410                             !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws))) {
4411                                 if (pf_status.debug >= PF_DEBUG_MISC) {
4412                                         printf("pf: BAD ICMP %d:%d ",
4413                                             icmptype, pd->hdr.icmp->icmp_code);
4414                                         pf_print_host(pd->src, 0, pd->af);
4415                                         printf(" -> ");
4416                                         pf_print_host(pd->dst, 0, pd->af);
4417                                         printf(" state: ");
4418                                         pf_print_state(*state);
4419                                         printf(" seq=%u\n", seq);
4420                                 }
4421                                 return (PF_DROP);
4422                         }
4423
4424                         if (STATE_TRANSLATE(*state)) {
4425                                 if (direction == PF_IN) {
4426                                         pf_change_icmp(pd2.src, &th.th_sport,
4427                                             daddr, &(*state)->lan.addr,
4428                                             (*state)->lan.port, NULL,
4429                                             pd2.ip_sum, icmpsum,
4430                                             pd->ip_sum, 0, pd2.af);
4431                                 } else {
4432                                         pf_change_icmp(pd2.dst, &th.th_dport,
4433                                             saddr, &(*state)->gwy.addr,
4434                                             (*state)->gwy.port, NULL,
4435                                             pd2.ip_sum, icmpsum,
4436                                             pd->ip_sum, 0, pd2.af);
4437                                 }
4438                                 copyback = 1;
4439                         }
4440
4441                         if (copyback) {
4442                                 switch (pd2.af) {
4443 #ifdef INET
4444                                 case AF_INET:
4445                                         m_copyback(m, off, ICMP_MINLEN,
4446                                             (caddr_t)pd->hdr.icmp);
4447                                         m_copyback(m, ipoff2, sizeof(h2),
4448                                             (caddr_t)&h2);
4449                                         break;
4450 #endif /* INET */
4451 #ifdef INET6
4452                                 case AF_INET6:
4453                                         m_copyback(m, off,
4454                                             sizeof(struct icmp6_hdr),
4455                                             (caddr_t)pd->hdr.icmp6);
4456                                         m_copyback(m, ipoff2, sizeof(h2_6),
4457                                             (caddr_t)&h2_6);
4458                                         break;
4459 #endif /* INET6 */
4460                                 }
4461                                 m_copyback(m, off2, 8, (caddr_t)&th);
4462                         }
4463
4464                         return (PF_PASS);
4465                         break;
4466                 }
4467                 case IPPROTO_UDP: {
4468                         struct udphdr           uh;
4469                         struct pf_state         key;
4470
4471                         if (!pf_pull_hdr(m, off2, &uh, sizeof(uh),
4472                             NULL, NULL, pd2.af)) {
4473                                 DPFPRINTF(PF_DEBUG_MISC,
4474                                     ("pf: ICMP error message too short "
4475                                     "(udp)\n"));
4476                                 return (PF_DROP);
4477                         }
4478
4479                         key.af = pd2.af;
4480                         key.proto = IPPROTO_UDP;
4481                         if (direction == PF_IN) {
4482                                 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4483                                 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4484                                 key.ext.port = uh.uh_dport;
4485                                 key.gwy.port = uh.uh_sport;
4486                         } else {
4487                                 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4488                                 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4489                                 key.lan.port = uh.uh_dport;
4490                                 key.ext.port = uh.uh_sport;
4491                         }
4492
4493                         STATE_LOOKUP();
4494
4495                         if (STATE_TRANSLATE(*state)) {
4496                                 if (direction == PF_IN) {
4497                                         pf_change_icmp(pd2.src, &uh.uh_sport,
4498                                             daddr, &(*state)->lan.addr,
4499                                             (*state)->lan.port, &uh.uh_sum,
4500                                             pd2.ip_sum, icmpsum,
4501                                             pd->ip_sum, 1, pd2.af);
4502                                 } else {
4503                                         pf_change_icmp(pd2.dst, &uh.uh_dport,
4504                                             saddr, &(*state)->gwy.addr,
4505                                             (*state)->gwy.port, &uh.uh_sum,
4506                                             pd2.ip_sum, icmpsum,
4507                                             pd->ip_sum, 1, pd2.af);
4508                                 }
4509                                 switch (pd2.af) {
4510 #ifdef INET
4511                                 case AF_INET:
4512                                         m_copyback(m, off, ICMP_MINLEN,
4513                                             (caddr_t)pd->hdr.icmp);
4514                                         m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
4515                                         break;
4516 #endif /* INET */
4517 #ifdef INET6
4518                                 case AF_INET6:
4519                                         m_copyback(m, off,
4520                                             sizeof(struct icmp6_hdr),
4521                                             (caddr_t)pd->hdr.icmp6);
4522                                         m_copyback(m, ipoff2, sizeof(h2_6),
4523                                             (caddr_t)&h2_6);
4524                                         break;
4525 #endif /* INET6 */
4526                                 }
4527                                 m_copyback(m, off2, sizeof(uh), (caddr_t)&uh);
4528                         }
4529
4530                         return (PF_PASS);
4531                         break;
4532                 }
4533 #ifdef INET
4534                 case IPPROTO_ICMP: {
4535                         struct icmp             iih;
4536                         struct pf_state         key;
4537
4538                         if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN,
4539                             NULL, NULL, pd2.af)) {
4540                                 DPFPRINTF(PF_DEBUG_MISC,
4541                                     ("pf: ICMP error message too short i"
4542                                     "(icmp)\n"));
4543                                 return (PF_DROP);
4544                         }
4545
4546                         key.af = pd2.af;
4547                         key.proto = IPPROTO_ICMP;
4548                         if (direction == PF_IN) {
4549                                 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4550                                 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4551                                 key.ext.port = iih.icmp_id;
4552                                 key.gwy.port = iih.icmp_id;
4553                         } else {
4554                                 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4555                                 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4556                                 key.lan.port = iih.icmp_id;
4557                                 key.ext.port = iih.icmp_id;
4558                         }
4559
4560                         STATE_LOOKUP();
4561
4562                         if (STATE_TRANSLATE(*state)) {
4563                                 if (direction == PF_IN) {
4564                                         pf_change_icmp(pd2.src, &iih.icmp_id,
4565                                             daddr, &(*state)->lan.addr,
4566                                             (*state)->lan.port, NULL,
4567                                             pd2.ip_sum, icmpsum,
4568                                             pd->ip_sum, 0, AF_INET);
4569                                 } else {
4570                                         pf_change_icmp(pd2.dst, &iih.icmp_id,
4571                                             saddr, &(*state)->gwy.addr,
4572                                             (*state)->gwy.port, NULL,
4573                                             pd2.ip_sum, icmpsum,
4574                                             pd->ip_sum, 0, AF_INET);
4575                                 }
4576                                 m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp);
4577                                 m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
4578                                 m_copyback(m, off2, ICMP_MINLEN, (caddr_t)&iih);
4579                         }
4580
4581                         return (PF_PASS);
4582                         break;
4583                 }
4584 #endif /* INET */
4585 #ifdef INET6
4586                 case IPPROTO_ICMPV6: {
4587                         struct icmp6_hdr        iih;
4588                         struct pf_state         key;
4589
4590                         if (!pf_pull_hdr(m, off2, &iih,
4591                             sizeof(struct icmp6_hdr), NULL, NULL, pd2.af)) {
4592                                 DPFPRINTF(PF_DEBUG_MISC,
4593                                     ("pf: ICMP error message too short "
4594                                     "(icmp6)\n"));
4595                                 return (PF_DROP);
4596                         }
4597
4598                         key.af = pd2.af;
4599                         key.proto = IPPROTO_ICMPV6;
4600                         if (direction == PF_IN) {
4601                                 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4602                                 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4603                                 key.ext.port = iih.icmp6_id;
4604                                 key.gwy.port = iih.icmp6_id;
4605                         } else {
4606                                 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4607                                 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4608                                 key.lan.port = iih.icmp6_id;
4609                                 key.ext.port = iih.icmp6_id;
4610                         }
4611
4612                         STATE_LOOKUP();
4613
4614                         if (STATE_TRANSLATE(*state)) {
4615                                 if (direction == PF_IN) {
4616                                         pf_change_icmp(pd2.src, &iih.icmp6_id,
4617                                             daddr, &(*state)->lan.addr,
4618                                             (*state)->lan.port, NULL,
4619                                             pd2.ip_sum, icmpsum,
4620                                             pd->ip_sum, 0, AF_INET6);
4621                                 } else {
4622                                         pf_change_icmp(pd2.dst, &iih.icmp6_id,
4623                                             saddr, &(*state)->gwy.addr,
4624                                             (*state)->gwy.port, NULL,
4625                                             pd2.ip_sum, icmpsum,
4626                                             pd->ip_sum, 0, AF_INET6);
4627                                 }
4628                                 m_copyback(m, off, sizeof(struct icmp6_hdr),
4629                                     (caddr_t)pd->hdr.icmp6);
4630                                 m_copyback(m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6);
4631                                 m_copyback(m, off2, sizeof(struct icmp6_hdr),
4632                                     (caddr_t)&iih);
4633                         }
4634
4635                         return (PF_PASS);
4636                         break;
4637                 }
4638 #endif /* INET6 */
4639                 default: {
4640                         struct pf_state         key;
4641
4642                         key.af = pd2.af;
4643                         key.proto = pd2.proto;
4644                         if (direction == PF_IN) {
4645                                 PF_ACPY(&key.ext.addr, pd2.dst, key.af);
4646                                 PF_ACPY(&key.gwy.addr, pd2.src, key.af);
4647                                 key.ext.port = 0;
4648                                 key.gwy.port = 0;
4649                         } else {
4650                                 PF_ACPY(&key.lan.addr, pd2.dst, key.af);
4651                                 PF_ACPY(&key.ext.addr, pd2.src, key.af);
4652                                 key.lan.port = 0;
4653                                 key.ext.port = 0;
4654                         }
4655
4656                         STATE_LOOKUP();
4657
4658                         if (STATE_TRANSLATE(*state)) {
4659                                 if (direction == PF_IN) {
4660                                         pf_change_icmp(pd2.src, NULL,
4661                                             daddr, &(*state)->lan.addr,
4662                                             0, NULL,
4663                                             pd2.ip_sum, icmpsum,
4664                                             pd->ip_sum, 0, pd2.af);
4665                                 } else {
4666                                         pf_change_icmp(pd2.dst, NULL,
4667                                             saddr, &(*state)->gwy.addr,
4668                                             0, NULL,
4669                                             pd2.ip_sum, icmpsum,
4670                                             pd->ip_sum, 0, pd2.af);
4671                                 }
4672                                 switch (pd2.af) {
4673 #ifdef INET
4674                                 case AF_INET:
4675                                         m_copyback(m, off, ICMP_MINLEN,
4676                                             (caddr_t)pd->hdr.icmp);
4677                                         m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
4678                                         break;
4679 #endif /* INET */
4680 #ifdef INET6
4681                                 case AF_INET6:
4682                                         m_copyback(m, off,
4683                                             sizeof(struct icmp6_hdr),
4684                                             (caddr_t)pd->hdr.icmp6);
4685                                         m_copyback(m, ipoff2, sizeof(h2_6),
4686                                             (caddr_t)&h2_6);
4687                                         break;
4688 #endif /* INET6 */
4689                                 }
4690                         }
4691
4692                         return (PF_PASS);
4693                         break;
4694                 }
4695                 }
4696         }
4697 }
4698
4699 int
4700 pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
4701     struct pf_pdesc *pd)
4702 {
4703         struct pf_state_peer    *src, *dst;
4704         struct pf_state          key;
4705
4706         key.af = pd->af;
4707         key.proto = pd->proto;
4708         if (direction == PF_IN) {
4709                 PF_ACPY(&key.ext.addr, pd->src, key.af);
4710                 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4711                 key.ext.port = 0;
4712                 key.gwy.port = 0;
4713         } else {
4714                 PF_ACPY(&key.lan.addr, pd->src, key.af);
4715                 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4716                 key.lan.port = 0;
4717                 key.ext.port = 0;
4718         }
4719
4720         STATE_LOOKUP();
4721
4722         if (direction == (*state)->direction) {
4723                 src = &(*state)->src;
4724                 dst = &(*state)->dst;
4725         } else {
4726                 src = &(*state)->dst;
4727                 dst = &(*state)->src;
4728         }
4729
4730         /* update states */
4731         if (src->state < PFOTHERS_SINGLE)
4732                 src->state = PFOTHERS_SINGLE;
4733         if (dst->state == PFOTHERS_SINGLE)
4734                 dst->state = PFOTHERS_MULTIPLE;
4735
4736         /* update expire time */
4737         (*state)->expire = time_second;
4738         if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE)
4739                 (*state)->timeout = PFTM_OTHER_MULTIPLE;
4740         else
4741                 (*state)->timeout = PFTM_OTHER_SINGLE;
4742
4743         /* translate source/destination address, if necessary */
4744         if (STATE_TRANSLATE(*state)) {
4745                 if (direction == PF_OUT)
4746                         switch (pd->af) {
4747 #ifdef INET
4748                         case AF_INET:
4749                                 pf_change_a(&pd->src->v4.s_addr,
4750                                     pd->ip_sum, (*state)->gwy.addr.v4.s_addr,
4751                                     0);
4752                                 break;
4753 #endif /* INET */
4754 #ifdef INET6
4755                         case AF_INET6:
4756                                 PF_ACPY(pd->src, &(*state)->gwy.addr, pd->af);
4757                                 break;
4758 #endif /* INET6 */
4759                         }
4760                 else
4761                         switch (pd->af) {
4762 #ifdef INET
4763                         case AF_INET:
4764                                 pf_change_a(&pd->dst->v4.s_addr,
4765                                     pd->ip_sum, (*state)->lan.addr.v4.s_addr,
4766                                     0);
4767                                 break;
4768 #endif /* INET */
4769 #ifdef INET6
4770                         case AF_INET6:
4771                                 PF_ACPY(pd->dst, &(*state)->lan.addr, pd->af);
4772                                 break;
4773 #endif /* INET6 */
4774                         }
4775         }
4776
4777         return (PF_PASS);
4778 }
4779
4780 /*
4781  * ipoff and off are measured from the start of the mbuf chain.
4782  * h must be at "ipoff" on the mbuf chain.
4783  */
4784 void *
4785 pf_pull_hdr(struct mbuf *m, int off, void *p, int len,
4786     u_short *actionp, u_short *reasonp, sa_family_t af)
4787 {
4788         switch (af) {
4789 #ifdef INET
4790         case AF_INET: {
4791                 struct ip       *h = mtod(m, struct ip *);
4792                 u_int16_t        fragoff = (h->ip_off & IP_OFFMASK) << 3;
4793
4794                 if (fragoff) {
4795                         if (fragoff >= len)
4796                                 ACTION_SET(actionp, PF_PASS);
4797                         else {
4798                                 ACTION_SET(actionp, PF_DROP);
4799                                 REASON_SET(reasonp, PFRES_FRAG);
4800                         }
4801                         return (NULL);
4802                 }
4803                 if (m->m_pkthdr.len < off + len ||
4804                     h->ip_len < off + len) {
4805                         ACTION_SET(actionp, PF_DROP);
4806                         REASON_SET(reasonp, PFRES_SHORT);
4807                         return (NULL);
4808                 }
4809                 break;
4810         }
4811 #endif /* INET */
4812 #ifdef INET6
4813         case AF_INET6: {
4814                 struct ip6_hdr  *h = mtod(m, struct ip6_hdr *);
4815
4816                 if (m->m_pkthdr.len < off + len ||
4817                     (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) <
4818                     (unsigned)(off + len)) {
4819                         ACTION_SET(actionp, PF_DROP);
4820                         REASON_SET(reasonp, PFRES_SHORT);
4821                         return (NULL);
4822                 }
4823                 break;
4824         }
4825 #endif /* INET6 */
4826         }
4827         m_copydata(m, off, len, p);
4828         return (p);
4829 }
4830
4831 int
4832 pf_routable(struct pf_addr *addr, sa_family_t af)
4833 {
4834         struct sockaddr_in      *dst;
4835         struct route             ro;
4836         int                      ret = 0;
4837
4838         bzero(&ro, sizeof(ro));
4839         dst = satosin(&ro.ro_dst);
4840         dst->sin_family = af;
4841         dst->sin_len = sizeof(*dst);
4842         dst->sin_addr = addr->v4;
4843         rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING));
4844
4845         if (ro.ro_rt != NULL) {
4846                 ret = 1;
4847                 RTFREE(ro.ro_rt);
4848         }
4849
4850         return (ret);
4851 }
4852
4853 #ifdef INET
4854 void
4855 pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
4856     struct pf_state *s)
4857 {
4858         struct mbuf             *m0, *m1;
4859         struct route             iproute;
4860         struct route            *ro = NULL;
4861         struct sockaddr_in      *dst;
4862         struct ip               *ip;
4863         struct ifnet            *ifp = NULL;
4864         struct pf_addr           naddr;
4865         struct pf_src_node      *sn = NULL;
4866         int                      error = 0;
4867         int sw_csum;
4868
4869         if (m == NULL || *m == NULL || r == NULL ||
4870             (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
4871                 panic("pf_route: invalid parameters");
4872
4873         if (((*m)->m_pkthdr.fw_flags & PF_MBUF_ROUTED) == 0) {
4874                 (*m)->m_pkthdr.fw_flags |= PF_MBUF_ROUTED;
4875                 (*m)->m_pkthdr.pf_routed = 1;
4876         } else {
4877                 if ((*m)->m_pkthdr.pf_routed > 3) {
4878                         m0 = *m;
4879                         *m = NULL;
4880                         goto bad;
4881                 }
4882                 (*m)->m_pkthdr.pf_routed++;
4883         }
4884
4885         if (r->rt == PF_DUPTO) {
4886                 if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL)
4887                         return;
4888         } else {
4889                 if ((r->rt == PF_REPLYTO) == (r->direction == dir))
4890                         return;
4891                 m0 = *m;
4892         }
4893
4894         if (m0->m_len < sizeof(struct ip))
4895                 panic("pf_route: m0->m_len < sizeof(struct ip)");
4896         ip = mtod(m0, struct ip *);
4897
4898         ro = &iproute;
4899         bzero((caddr_t)ro, sizeof(*ro));
4900         dst = satosin(&ro->ro_dst);
4901         dst->sin_family = AF_INET;
4902         dst->sin_len = sizeof(*dst);
4903         dst->sin_addr = ip->ip_dst;
4904
4905         if (r->rt == PF_FASTROUTE) {
4906                 rtalloc(ro);
4907                 if (ro->ro_rt == 0) {
4908                         ipstat.ips_noroute++;
4909                         goto bad;
4910                 }
4911
4912                 ifp = ro->ro_rt->rt_ifp;
4913                 ro->ro_rt->rt_use++;
4914
4915                 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
4916                         dst = satosin(ro->ro_rt->rt_gateway);
4917         } else {
4918                 if (TAILQ_EMPTY(&r->rpool.list))
4919                         panic("pf_route: TAILQ_EMPTY(&r->rpool.list)");
4920                 if (s == NULL) {
4921                         pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
4922                             &naddr, NULL, &sn);
4923                         if (!PF_AZERO(&naddr, AF_INET))
4924                                 dst->sin_addr.s_addr = naddr.v4.s_addr;
4925                         ifp = r->rpool.cur->kif ?
4926                             r->rpool.cur->kif->pfik_ifp : NULL;
4927                 } else {
4928                         if (!PF_AZERO(&s->rt_addr, AF_INET))
4929                                 dst->sin_addr.s_addr =
4930                                     s->rt_addr.v4.s_addr;
4931                         ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
4932                 }
4933         }
4934         if (ifp == NULL)
4935                 goto bad;
4936
4937         if (oifp != ifp) {
4938                 if (pf_test(PF_OUT, ifp, &m0) != PF_PASS)
4939                         goto bad;
4940                 else if (m0 == NULL)
4941                         goto done;
4942                 if (m0->m_len < sizeof(struct ip))
4943                         panic("pf_route: m0->m_len < sizeof(struct ip)");
4944                 ip = mtod(m0, struct ip *);
4945         }
4946
4947         /* Copied from ip_output. */
4948         m0->m_pkthdr.csum_flags |= CSUM_IP;
4949         sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist;
4950         if (sw_csum & CSUM_DELAY_DATA) {
4951                 in_delayed_cksum(m0);
4952                 sw_csum &= ~CSUM_DELAY_DATA;
4953         }
4954         m0->m_pkthdr.csum_flags &= ifp->if_hwassist;
4955
4956         /*
4957          * If small enough for interface, or the interface will take
4958          * care of the fragmentation for us, can just send directly.
4959          */
4960         if (ip->ip_len <= ifp->if_mtu || ((ifp->if_hwassist & CSUM_FRAGMENT) &&
4961                 (ip->ip_off & IP_DF) == 0)) {
4962                 ip->ip_len = htons(ip->ip_len);
4963                 ip->ip_off = htons(ip->ip_off);
4964                 ip->ip_sum = 0;
4965                 if (sw_csum & CSUM_DELAY_IP) {
4966                         /* From KAME */
4967                         if (ip->ip_v == IPVERSION &&
4968                             (ip->ip_hl << 2) == sizeof(*ip)) {
4969                                 ip->ip_sum = in_cksum_hdr(ip);
4970                         } else {
4971                                 ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
4972                         }
4973                 }
4974
4975                 error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro->ro_rt);
4976                 goto done;
4977         }
4978
4979         /*
4980          * Too large for interface; fragment if possible.
4981          * Must be able to put at least 8 bytes per fragment.
4982          */
4983         if (ip->ip_off & IP_DF) {
4984                 ipstat.ips_cantfrag++;
4985                 if (r->rt != PF_DUPTO) {
4986                         icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
4987                             ifp);
4988                         goto done;
4989                 } else
4990                         goto bad;
4991         }
4992
4993         m1 = m0;
4994         error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum);
4995         if (error)
4996                 goto bad;
4997
4998         for (m0 = m1; m0; m0 = m1) {
4999                 m1 = m0->m_nextpkt;
5000                 m0->m_nextpkt = 0;
5001                 if (error == 0)
5002                         error = (*ifp->if_output)(ifp, m0, sintosa(dst),
5003                             NULL);
5004                 else
5005                         m_freem(m0);
5006         }
5007
5008         if (error == 0)
5009                 ipstat.ips_fragmented++;
5010
5011 done:
5012         if (r->rt != PF_DUPTO)
5013                 *m = NULL;
5014         if (ro == &iproute && ro->ro_rt)
5015                 RTFREE(ro->ro_rt);
5016         return;
5017
5018 bad:
5019         m_freem(m0);
5020         goto done;
5021 }
5022 #endif /* INET */
5023
5024 #ifdef INET6
5025 void
5026 pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
5027     struct pf_state *s)
5028 {
5029         struct mbuf             *m0;
5030         struct route_in6         ip6route;
5031         struct route_in6        *ro;
5032         struct sockaddr_in6     *dst;
5033         struct ip6_hdr          *ip6;
5034         struct ifnet            *ifp = NULL;
5035         struct pf_addr           naddr;
5036         struct pf_src_node      *sn = NULL;
5037         int                      error = 0;
5038
5039         if (m == NULL || *m == NULL || r == NULL ||
5040             (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
5041                 panic("pf_route6: invalid parameters");
5042
5043         if (((*m)->m_pkthdr.fw_flags & PF_MBUF_ROUTED) == 0) {
5044                 (*m)->m_pkthdr.fw_flags |= PF_MBUF_ROUTED;
5045                 (*m)->m_pkthdr.pf_routed = 1;
5046         } else {
5047                 if ((*m)->m_pkthdr.pf_routed > 3) {
5048                         m0 = *m;
5049                         *m = NULL;
5050                         goto bad;
5051                 }
5052                 (*m)->m_pkthdr.pf_routed++;
5053         }
5054
5055         if (r->rt == PF_DUPTO) {
5056                 if ((m0 = m_dup(*m, MB_DONTWAIT)) == NULL)
5057                         return;
5058         } else {
5059                 if ((r->rt == PF_REPLYTO) == (r->direction == dir))
5060                         return;
5061                 m0 = *m;
5062         }
5063
5064         if (m0->m_len < sizeof(struct ip6_hdr))
5065                 panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)");
5066         ip6 = mtod(m0, struct ip6_hdr *);
5067
5068         ro = &ip6route;
5069         bzero((caddr_t)ro, sizeof(*ro));
5070         dst = (struct sockaddr_in6 *)&ro->ro_dst;
5071         dst->sin6_family = AF_INET6;
5072         dst->sin6_len = sizeof(*dst);
5073         dst->sin6_addr = ip6->ip6_dst;
5074
5075         /* Cheat. */
5076         if (r->rt == PF_FASTROUTE) {
5077                 m0->m_pkthdr.fw_flags |= PF_MBUF_GENERATED;
5078                 ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
5079                 return;
5080         }
5081
5082         if (TAILQ_EMPTY(&r->rpool.list))
5083                 panic("pf_route6: TAILQ_EMPTY(&r->rpool.list)");
5084         if (s == NULL) {
5085                 pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,
5086                     &naddr, NULL, &sn);
5087                 if (!PF_AZERO(&naddr, AF_INET6))
5088                         PF_ACPY((struct pf_addr *)&dst->sin6_addr,
5089                             &naddr, AF_INET6);
5090                 ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
5091         } else {
5092                 if (!PF_AZERO(&s->rt_addr, AF_INET6))
5093                         PF_ACPY((struct pf_addr *)&dst->sin6_addr,
5094                             &s->rt_addr, AF_INET6);
5095                 ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
5096         }
5097         if (ifp == NULL)
5098                 goto bad;
5099
5100         if (oifp != ifp) {
5101                 if (pf_test6(PF_OUT, ifp, &m0) != PF_PASS)
5102                         goto bad;
5103                 else if (m0 == NULL)
5104                         goto done;
5105                 if (m0->m_len < sizeof(struct ip6_hdr))
5106                         panic("pf_route6: m0->m_len < sizeof(struct ip6_hdr)");
5107                 ip6 = mtod(m0, struct ip6_hdr *);
5108         }
5109
5110         /*
5111          * If the packet is too large for the outgoing interface,
5112          * send back an icmp6 error.
5113          */
5114         if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr))
5115                 dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
5116         if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
5117                 error = nd6_output(ifp, ifp, m0, dst, NULL);
5118         } else {
5119                 in6_ifstat_inc(ifp, ifs6_in_toobig);
5120                 if (r->rt != PF_DUPTO)
5121                         icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
5122                 else
5123                         goto bad;
5124         }
5125
5126 done:
5127         if (r->rt != PF_DUPTO)
5128                 *m = NULL;
5129         return;
5130
5131 bad:
5132         m_freem(m0);
5133         goto done;
5134 }
5135 #endif /* INET6 */
5136
5137
5138 /*
5139  * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag
5140  *   off is the offset where the protocol header starts
5141  *   len is the total length of protocol header plus payload
5142  * returns 0 when the checksum is valid, otherwise returns 1.
5143  */
5144 /*
5145  * XXX
5146  * FreeBSD supports cksum offload for the following drivers.
5147  * em(4), gx(4), lge(4), nge(4), ti(4), xl(4)
5148  * If we can make full use of it we would outperform ipfw/ipfilter in
5149  * very heavy traffic. 
5150  * I have not tested 'cause I don't have NICs that supports cksum offload.
5151  * (There might be problems. Typical phenomena would be
5152  *   1. No route message for UDP packet.
5153  *   2. No connection acceptance from external hosts regardless of rule set.)
5154  */
5155 int
5156 pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p,
5157     sa_family_t af)
5158 {
5159         u_int16_t sum = 0;
5160         int hw_assist = 0;
5161         struct ip *ip;
5162
5163         if (off < sizeof(struct ip) || len < sizeof(struct udphdr))
5164                 return (1);
5165         if (m->m_pkthdr.len < off + len)
5166                 return (1);
5167
5168         switch (p) {
5169         case IPPROTO_TCP:
5170         case IPPROTO_UDP:
5171                 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
5172                         if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) {
5173                                 sum = m->m_pkthdr.csum_data;
5174                         } else {
5175                                 ip = mtod(m, struct ip *);      
5176                                 sum = in_pseudo(ip->ip_src.s_addr,
5177                                         ip->ip_dst.s_addr, htonl((u_short)len +
5178                                         m->m_pkthdr.csum_data + p));
5179                         }
5180                         sum ^= 0xffff;
5181                         ++hw_assist;
5182                 }
5183                 break;
5184         case IPPROTO_ICMP:
5185 #ifdef INET6
5186         case IPPROTO_ICMPV6:
5187 #endif /* INET6 */
5188                 break;
5189         default:
5190                 return (1);
5191         }
5192
5193         if (!hw_assist) {
5194                 switch (af) {
5195                 case AF_INET:
5196                         if (p == IPPROTO_ICMP) {
5197                                 if (m->m_len < off)
5198                                         return (1);
5199                                 m->m_data += off;
5200                                 m->m_len -= off;
5201                                 sum = in_cksum(m, len);
5202                                 m->m_data -= off;
5203                                 m->m_len += off;
5204                         } else {
5205                                 if (m->m_len < sizeof(struct ip))
5206                                         return (1);
5207                                 sum = in_cksum_range(m, p, off, len);
5208                                 if (sum == 0) {
5209                                         m->m_pkthdr.csum_flags |=
5210                                             (CSUM_DATA_VALID |
5211                                              CSUM_PSEUDO_HDR);
5212                                         m->m_pkthdr.csum_data = 0xffff;
5213                                 }
5214                         }
5215                         break;
5216 #ifdef INET6
5217                 case AF_INET6:
5218                         if (m->m_len < sizeof(struct ip6_hdr))
5219                                 return (1);
5220                         sum = in6_cksum(m, p, off, len);
5221                         /*
5222                          * XXX
5223                          * IPv6 H/W cksum off-load not supported yet!
5224                          *
5225                          * if (sum == 0) {
5226                          *      m->m_pkthdr.csum_flags |=
5227                          *          (CSUM_DATA_VALID|CSUM_PSEUDO_HDR);
5228                          *      m->m_pkthdr.csum_data = 0xffff;
5229                          *}
5230                          */
5231                         break;
5232 #endif /* INET6 */
5233                 default:
5234                         return (1);
5235                 }
5236         }
5237         if (sum) {
5238                 switch (p) {
5239                 case IPPROTO_TCP:
5240                         tcpstat.tcps_rcvbadsum++;
5241                         break;
5242                 case IPPROTO_UDP:
5243                         udpstat.udps_badsum++;
5244                         break;
5245                 case IPPROTO_ICMP:
5246                         icmpstat.icps_checksum++;
5247                         break;
5248 #ifdef INET6
5249                 case IPPROTO_ICMPV6:
5250                         icmp6stat.icp6s_checksum++;
5251                         break;
5252 #endif /* INET6 */
5253                 }
5254                 return (1);
5255         }
5256         return (0);
5257 }
5258
5259 #ifdef INET
5260 int
5261 pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
5262 {
5263         struct pfi_kif          *kif;
5264         u_short                  action, reason = 0, log = 0;
5265         struct mbuf             *m = *m0;
5266         struct ip               *h = NULL;
5267         struct pf_rule          *a = NULL, *r = &pf_default_rule, *tr, *nr;
5268         struct pf_state         *s = NULL;
5269         struct pf_ruleset       *ruleset = NULL;
5270         struct pf_pdesc          pd;
5271         int                      off, dirndx, pqid = 0;
5272
5273         if (!pf_status.running || (m->m_pkthdr.fw_flags & PF_MBUF_GENERATED))
5274                 return (PF_PASS);
5275
5276         kif = pfi_index2kif[ifp->if_index];
5277         if (kif == NULL)
5278                 return (PF_DROP);
5279
5280 #ifdef DIAGNOSTIC
5281         if ((m->m_flags & M_PKTHDR) == 0)
5282                 panic("non-M_PKTHDR is passed to pf_test");
5283 #endif
5284
5285         memset(&pd, 0, sizeof(pd));
5286         if (m->m_pkthdr.len < (int)sizeof(*h)) {
5287                 action = PF_DROP;
5288                 REASON_SET(&reason, PFRES_SHORT);
5289                 log = 1;
5290                 goto done;
5291         }
5292
5293         /* We do IP header normalization and packet reassembly here */
5294         if (pf_normalize_ip(m0, dir, kif, &reason) != PF_PASS) {
5295                 action = PF_DROP;
5296                 goto done;
5297         }
5298         m = *m0;
5299         h = mtod(m, struct ip *);
5300
5301         off = h->ip_hl << 2;
5302         if (off < (int)sizeof(*h)) {
5303                 action = PF_DROP;
5304                 REASON_SET(&reason, PFRES_SHORT);
5305                 log = 1;
5306                 goto done;
5307         }
5308
5309         pd.src = (struct pf_addr *)&h->ip_src;
5310         pd.dst = (struct pf_addr *)&h->ip_dst;
5311         PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET);
5312         pd.ip_sum = &h->ip_sum;
5313         pd.proto = h->ip_p;
5314         pd.af = AF_INET;
5315         pd.tos = h->ip_tos;
5316         pd.tot_len = h->ip_len;
5317
5318         /* handle fragments that didn't get reassembled by normalization */
5319         if (h->ip_off & (IP_MF | IP_OFFMASK)) {
5320                 action = pf_test_fragment(&r, dir, kif, m, h,
5321                     &pd, &a, &ruleset);
5322                 goto done;
5323         }
5324
5325         switch (h->ip_p) {
5326
5327         case IPPROTO_TCP: {
5328                 struct tcphdr   th;
5329
5330                 pd.hdr.tcp = &th;
5331                 if (!pf_pull_hdr(m, off, &th, sizeof(th),
5332                     &action, &reason, AF_INET)) {
5333                         log = action != PF_PASS;
5334                         goto done;
5335                 }
5336                 if (dir == PF_IN && pf_check_proto_cksum(m, off,
5337                     h->ip_len - off, IPPROTO_TCP, AF_INET)) {
5338                         action = PF_DROP;
5339                         goto done;
5340                 }
5341                 pd.p_len = pd.tot_len - off - (th.th_off << 2);
5342                 if ((th.th_flags & TH_ACK) && pd.p_len == 0)
5343                         pqid = 1;
5344                 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
5345                 if (action == PF_DROP)
5346                         goto done;
5347                 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
5348                     &reason);
5349                 if (action == PF_PASS) {
5350 #if NPFSYNC
5351                         pfsync_update_state(s);
5352 #endif
5353                         r = s->rule.ptr;
5354                         a = s->anchor.ptr;
5355                         log = s->log;
5356                 } else if (s == NULL)
5357                         action = pf_test_tcp(&r, &s, dir, kif,
5358                             m, off, h, &pd, &a, &ruleset);
5359                 break;
5360         }
5361
5362         case IPPROTO_UDP: {
5363                 struct udphdr   uh;
5364
5365                 pd.hdr.udp = &uh;
5366                 if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
5367                     &action, &reason, AF_INET)) {
5368                         log = action != PF_PASS;
5369                         goto done;
5370                 }
5371                 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m,
5372                     off, h->ip_len - off, IPPROTO_UDP, AF_INET)) {
5373                         action = PF_DROP;
5374                         goto done;
5375                 }
5376                 if (uh.uh_dport == 0 ||
5377                     ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
5378                     ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
5379                         action = PF_DROP;
5380                         goto done;
5381                 }
5382                 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
5383                 if (action == PF_PASS) {
5384 #if NPFSYNC
5385                         pfsync_update_state(s);
5386 #endif
5387                         r = s->rule.ptr;
5388                         a = s->anchor.ptr;
5389                         log = s->log;
5390                 } else if (s == NULL)
5391                         action = pf_test_udp(&r, &s, dir, kif,
5392                             m, off, h, &pd, &a, &ruleset);
5393                 break;
5394         }
5395
5396         case IPPROTO_ICMP: {
5397                 struct icmp     ih;
5398
5399                 pd.hdr.icmp = &ih;
5400                 if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN,
5401                     &action, &reason, AF_INET)) {
5402                         log = action != PF_PASS;
5403                         goto done;
5404                 }
5405                 if (dir == PF_IN && pf_check_proto_cksum(m, off,
5406                     h->ip_len - off, IPPROTO_ICMP, AF_INET)) {
5407                         action = PF_DROP;
5408                         goto done;
5409                 }
5410                 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd);
5411                 if (action == PF_PASS) {
5412 #if NPFSYNC
5413                         pfsync_update_state(s);
5414 #endif
5415                         r = s->rule.ptr;
5416                         a = s->anchor.ptr;
5417                         log = s->log;
5418                 } else if (s == NULL)
5419                         action = pf_test_icmp(&r, &s, dir, kif,
5420                             m, off, h, &pd, &a, &ruleset);
5421                 break;
5422         }
5423
5424         default:
5425                 action = pf_test_state_other(&s, dir, kif, &pd);
5426                 if (action == PF_PASS) {
5427 #if NPFSYNC
5428                         pfsync_update_state(s);
5429 #endif
5430                         r = s->rule.ptr;
5431                         a = s->anchor.ptr;
5432                         log = s->log;
5433                 } else if (s == NULL)
5434                         action = pf_test_other(&r, &s, dir, kif, m, off, h,
5435                             &pd, &a, &ruleset);
5436                 break;
5437         }
5438
5439 done:
5440         if (action == PF_PASS && h->ip_hl > 5 &&
5441             !((s && s->allow_opts) || r->allow_opts)) {
5442                 action = PF_DROP;
5443                 REASON_SET(&reason, PFRES_SHORT);
5444                 log = 1;
5445                 DPFPRINTF(PF_DEBUG_MISC,
5446                     ("pf: dropping packet with ip options\n"));
5447         }
5448
5449 #ifdef ALTQ
5450         if (action == PF_PASS && r->qid) {
5451                 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED;
5452                 if (pd.tos == IPTOS_LOWDELAY)
5453                         m->m_pkthdr.altq_qid = r->pqid;
5454                 else
5455                         m->m_pkthdr.altq_qid = r->qid;
5456                 m->m_pkthdr.ecn_af = AF_INET;
5457                 m->m_pkthdr.header = h;
5458         }
5459 #endif
5460
5461         /*
5462          * connections redirected to loopback should not match sockets
5463          * bound specifically to loopback due to security implications,
5464          * see tcp_input() and in_pcblookup_listen().
5465          */
5466         if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
5467             pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
5468             (s->nat_rule.ptr->action == PF_RDR ||
5469             s->nat_rule.ptr->action == PF_BINAT) &&
5470             (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
5471                 action = PF_DROP;
5472                 REASON_SET(&reason, PFRES_MEMORY);
5473         }
5474
5475         m->m_pkthdr.fw_flags |= PF_MBUF_TRANSLATE_LOCALHOST;
5476
5477         if (log)
5478                 PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a, ruleset);
5479
5480         kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
5481         kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
5482
5483         if (action == PF_PASS || r->action == PF_DROP) {
5484                 r->packets++;
5485                 r->bytes += pd.tot_len;
5486                 if (a != NULL) {
5487                         a->packets++;
5488                         a->bytes += pd.tot_len;
5489                 }
5490                 if (s != NULL) {
5491                         dirndx = (dir == s->direction) ? 0 : 1;
5492                         s->packets[dirndx]++;
5493                         s->bytes[dirndx] += pd.tot_len;
5494                         if (s->nat_rule.ptr != NULL) {
5495                                 s->nat_rule.ptr->packets++;
5496                                 s->nat_rule.ptr->bytes += pd.tot_len;
5497                         }
5498                         if (s->src_node != NULL) {
5499                                 s->src_node->packets++;
5500                                 s->src_node->bytes += pd.tot_len;
5501                         }
5502                         if (s->nat_src_node != NULL) {
5503                                 s->nat_src_node->packets++;
5504                                 s->nat_src_node->bytes += pd.tot_len;
5505                         }
5506                 }
5507                 tr = r;
5508                 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
5509                 if (nr != NULL) {
5510                         struct pf_addr *x;
5511                         /*
5512                          * XXX: we need to make sure that the addresses
5513                          * passed to pfr_update_stats() are the same than
5514                          * the addresses used during matching (pfr_match)
5515                          */
5516                         if (r == &pf_default_rule) {
5517                                 tr = nr;
5518                                 x = (s == NULL || s->direction == dir) ?
5519                                     &pd.baddr : &pd.naddr;
5520                         } else
5521                                 x = (s == NULL || s->direction == dir) ?
5522                                     &pd.naddr : &pd.baddr;
5523                         if (x == &pd.baddr || s == NULL) {
5524                                 /* we need to change the address */
5525                                 if (dir == PF_OUT)
5526                                         pd.src = x;
5527                                 else
5528                                         pd.dst = x;
5529                         }
5530                 }
5531                 if (tr->src.addr.type == PF_ADDR_TABLE)
5532                         pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
5533                             s->direction == dir) ? pd.src : pd.dst, pd.af,
5534                             pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
5535                             tr->src.not);
5536                 if (tr->dst.addr.type == PF_ADDR_TABLE)
5537                         pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
5538                             s->direction == dir) ? pd.dst : pd.src, pd.af,
5539                             pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
5540                             tr->dst.not);
5541         }
5542
5543
5544         if (action == PF_SYNPROXY_DROP) {
5545                 m_freem(*m0);
5546                 *m0 = NULL;
5547                 action = PF_PASS;
5548         } else if (r->rt)
5549                 /* pf_route can free the mbuf causing *m0 to become NULL */
5550                 pf_route(m0, r, dir, ifp, s);
5551
5552         return (action);
5553 }
5554 #endif /* INET */
5555
5556 #ifdef INET6
5557 int
5558 pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
5559 {
5560         struct pfi_kif          *kif;
5561         u_short                  action, reason = 0, log = 0;
5562         struct mbuf             *m = *m0;
5563         struct ip6_hdr          *h = NULL;
5564         struct pf_rule          *a = NULL, *r = &pf_default_rule, *tr, *nr;
5565         struct pf_state         *s = NULL;
5566         struct pf_ruleset       *ruleset = NULL;
5567         struct pf_pdesc          pd;
5568         int                      off, terminal = 0, dirndx;
5569
5570         if (!pf_status.running || (m->m_pkthdr.fw_flags & PF_MBUF_GENERATED))
5571                 return (PF_PASS);
5572
5573         kif = pfi_index2kif[ifp->if_index];
5574         if (kif == NULL)
5575                 return (PF_DROP);
5576
5577 #ifdef DIAGNOSTIC
5578         if ((m->m_flags & M_PKTHDR) == 0)
5579                 panic("non-M_PKTHDR is passed to pf_test");
5580 #endif
5581
5582         memset(&pd, 0, sizeof(pd));
5583         if (m->m_pkthdr.len < (int)sizeof(*h)) {
5584                 action = PF_DROP;
5585                 REASON_SET(&reason, PFRES_SHORT);
5586                 log = 1;
5587                 goto done;
5588         }
5589
5590         /* We do IP header normalization and packet reassembly here */
5591         if (pf_normalize_ip6(m0, dir, kif, &reason) != PF_PASS) {
5592                 action = PF_DROP;
5593                 goto done;
5594         }
5595         m = *m0;
5596         h = mtod(m, struct ip6_hdr *);
5597
5598         pd.src = (struct pf_addr *)&h->ip6_src;
5599         pd.dst = (struct pf_addr *)&h->ip6_dst;
5600         PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6);
5601         pd.ip_sum = NULL;
5602         pd.af = AF_INET6;
5603         pd.tos = 0;
5604         pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
5605
5606         off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
5607         pd.proto = h->ip6_nxt;
5608         do {
5609                 switch (pd.proto) {
5610                 case IPPROTO_FRAGMENT:
5611                         action = pf_test_fragment(&r, dir, kif, m, h,
5612                             &pd, &a, &ruleset);
5613                         if (action == PF_DROP)
5614                                 REASON_SET(&reason, PFRES_FRAG);
5615                         goto done;
5616                 case IPPROTO_AH:
5617                 case IPPROTO_HOPOPTS:
5618                 case IPPROTO_ROUTING:
5619                 case IPPROTO_DSTOPTS: {
5620                         /* get next header and header length */
5621                         struct ip6_ext  opt6;
5622
5623                         if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6),
5624                             NULL, NULL, pd.af)) {
5625                                 DPFPRINTF(PF_DEBUG_MISC,
5626                                     ("pf: IPv6 short opt\n"));
5627                                 action = PF_DROP;
5628                                 REASON_SET(&reason, PFRES_SHORT);
5629                                 log = 1;
5630                                 goto done;
5631                         }
5632                         if (pd.proto == IPPROTO_AH)
5633                                 off += (opt6.ip6e_len + 2) * 4;
5634                         else
5635                                 off += (opt6.ip6e_len + 1) * 8;
5636                         pd.proto = opt6.ip6e_nxt;
5637                         /* goto the next header */
5638                         break;
5639                 }
5640                 default:
5641                         terminal++;
5642                         break;
5643                 }
5644         } while (!terminal);
5645
5646         switch (pd.proto) {
5647
5648         case IPPROTO_TCP: {
5649                 struct tcphdr   th;
5650
5651                 pd.hdr.tcp = &th;
5652                 if (!pf_pull_hdr(m, off, &th, sizeof(th),
5653                     &action, &reason, AF_INET6)) {
5654                         log = action != PF_PASS;
5655                         goto done;
5656                 }
5657                 if (dir == PF_IN && pf_check_proto_cksum(m, off,
5658                     ntohs(h->ip6_plen), IPPROTO_TCP, AF_INET6)) {
5659                         action = PF_DROP;
5660                         goto done;
5661                 }
5662                 pd.p_len = pd.tot_len - off - (th.th_off << 2);
5663                 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
5664                 if (action == PF_DROP)
5665                         goto done;
5666                 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
5667                     &reason);
5668                 if (action == PF_PASS) {
5669 #if NPFSYNC
5670                         pfsync_update_state(s);
5671 #endif
5672                         r = s->rule.ptr;
5673                         a = s->anchor.ptr;
5674                         log = s->log;
5675                 } else if (s == NULL)
5676                         action = pf_test_tcp(&r, &s, dir, kif,
5677                             m, off, h, &pd, &a, &ruleset);
5678                 break;
5679         }
5680
5681         case IPPROTO_UDP: {
5682                 struct udphdr   uh;
5683
5684                 pd.hdr.udp = &uh;
5685                 if (!pf_pull_hdr(m, off, &uh, sizeof(uh),
5686                     &action, &reason, AF_INET6)) {
5687                         log = action != PF_PASS;
5688                         goto done;
5689                 }
5690                 if (dir == PF_IN && uh.uh_sum && pf_check_proto_cksum(m,
5691                     off, ntohs(h->ip6_plen), IPPROTO_UDP, AF_INET6)) {
5692                         action = PF_DROP;
5693                         goto done;
5694                 }
5695                 if (uh.uh_dport == 0 ||
5696                     ntohs(uh.uh_ulen) > m->m_pkthdr.len - off ||
5697                     ntohs(uh.uh_ulen) < sizeof(struct udphdr)) {
5698                         action = PF_DROP;
5699                         goto done;
5700                 }
5701                 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
5702                 if (action == PF_PASS) {
5703 #if NPFSYNC
5704                         pfsync_update_state(s);
5705 #endif
5706                         r = s->rule.ptr;
5707                         a = s->anchor.ptr;
5708                         log = s->log;
5709                 } else if (s == NULL)
5710                         action = pf_test_udp(&r, &s, dir, kif,
5711                             m, off, h, &pd, &a, &ruleset);
5712                 break;
5713         }
5714
5715         case IPPROTO_ICMPV6: {
5716                 struct icmp6_hdr        ih;
5717
5718                 pd.hdr.icmp6 = &ih;
5719                 if (!pf_pull_hdr(m, off, &ih, sizeof(ih),
5720                     &action, &reason, AF_INET6)) {
5721                         log = action != PF_PASS;
5722                         goto done;
5723                 }
5724                 if (dir == PF_IN && pf_check_proto_cksum(m, off,
5725                     ntohs(h->ip6_plen), IPPROTO_ICMPV6, AF_INET6)) {
5726                         action = PF_DROP;
5727                         goto done;
5728                 }
5729                 action = pf_test_state_icmp(&s, dir, kif,
5730                     m, off, h, &pd);
5731                 if (action == PF_PASS) {
5732 #if NPFSYNC
5733                         pfsync_update_state(s);
5734 #endif
5735                         r = s->rule.ptr;
5736                         a = s->anchor.ptr;
5737                         log = s->log;
5738                 } else if (s == NULL)
5739                         action = pf_test_icmp(&r, &s, dir, kif,
5740                             m, off, h, &pd, &a, &ruleset);
5741                 break;
5742         }
5743
5744         default:
5745                 action = pf_test_state_other(&s, dir, kif, &pd);
5746                 if (action == PF_PASS) {
5747                         r = s->rule.ptr;
5748                         a = s->anchor.ptr;
5749                         log = s->log;
5750                 } else if (s == NULL)
5751                         action = pf_test_other(&r, &s, dir, kif, m, off, h,
5752                             &pd, &a, &ruleset);
5753                 break;
5754         }
5755
5756 done:
5757         /* XXX handle IPv6 options, if not allowed. not implemented. */
5758
5759 #ifdef ALTQ
5760         if (action == PF_PASS && r->qid) {
5761                 m->m_pkthdr.fw_flags |= ALTQ_MBUF_TAGGED;
5762                 if (pd.tos == IPTOS_LOWDELAY)
5763                         m->m_pkthdr.altq_qid = r->pqid;
5764                 else
5765                         m->m_pkthdr.altq_qid = r->qid;
5766                 m->m_pkthdr.ecn_af = AF_INET6;
5767                 m->m_pkthdr.header = h;
5768         }
5769 #endif
5770
5771         if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
5772             pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
5773             (s->nat_rule.ptr->action == PF_RDR ||
5774             s->nat_rule.ptr->action == PF_BINAT) &&
5775             IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) {
5776                 action = PF_DROP;
5777                 REASON_SET(&reason, PFRES_MEMORY);
5778         }
5779
5780         m->m_pkthdr.fw_flags |= PF_MBUF_TRANSLATE_LOCALHOST;
5781
5782         if (log)
5783                 PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset);
5784
5785         kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
5786         kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
5787
5788         if (action == PF_PASS || r->action == PF_DROP) {
5789                 r->packets++;
5790                 r->bytes += pd.tot_len;
5791                 if (a != NULL) {
5792                         a->packets++;
5793                         a->bytes += pd.tot_len;
5794                 }
5795                 if (s != NULL) {
5796                         dirndx = (dir == s->direction) ? 0 : 1;
5797                         s->packets[dirndx]++;
5798                         s->bytes[dirndx] += pd.tot_len;
5799                         if (s->nat_rule.ptr != NULL) {
5800                                 s->nat_rule.ptr->packets++;
5801                                 s->nat_rule.ptr->bytes += pd.tot_len;
5802                         }
5803                         if (s->src_node != NULL) {
5804                                 s->src_node->packets++;
5805                                 s->src_node->bytes += pd.tot_len;
5806                         }
5807                         if (s->nat_src_node != NULL) {
5808                                 s->nat_src_node->packets++;
5809                                 s->nat_src_node->bytes += pd.tot_len;
5810                         }
5811                 }
5812                 tr = r;
5813                 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
5814                 if (nr != NULL) {
5815                         struct pf_addr *x;
5816                         /*
5817                          * XXX: we need to make sure that the addresses
5818                          * passed to pfr_update_stats() are the same than
5819                          * the addresses used during matching (pfr_match)
5820                          */
5821                         if (r == &pf_default_rule) {
5822                                 tr = nr;
5823                                 x = (s == NULL || s->direction == dir) ?
5824                                     &pd.baddr : &pd.naddr;
5825                         } else {
5826                                 x = (s == NULL || s->direction == dir) ?
5827                                     &pd.naddr : &pd.baddr;
5828                         }
5829                         if (x == &pd.baddr || s == NULL) {
5830                                 if (dir == PF_OUT)
5831                                         pd.src = x;
5832                                 else
5833                                         pd.dst = x;
5834                         }
5835                 }
5836                 if (tr->src.addr.type == PF_ADDR_TABLE)
5837                         pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
5838                             s->direction == dir) ? pd.src : pd.dst, pd.af,
5839                             pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
5840                             tr->src.not);
5841                 if (tr->dst.addr.type == PF_ADDR_TABLE)
5842                         pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
5843                             s->direction == dir) ? pd.dst : pd.src, pd.af,
5844                             pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
5845                             tr->dst.not);
5846         }
5847
5848
5849         if (action == PF_SYNPROXY_DROP) {
5850                 m_freem(*m0);
5851                 *m0 = NULL;
5852                 action = PF_PASS;
5853         } else if (r->rt)
5854                 /* pf_route6 can free the mbuf causing *m0 to become NULL */
5855                 pf_route6(m0, r, dir, ifp, s);
5856
5857         return (action);
5858 }
5859 #endif /* INET6 */
DragonFly Project Source