pf: Fix duplicate storage of direction

The variable storing the direction of a processed packet is passed
around to many functions. Most of those functions already have a pointer
to struct pf_pdesc which also contains the direction. By using the one
in struct pf_pdesc we can reduce the number of arguments passed around.

Reviewed by:	kp
Sponsored by:	InnGames GmbH
Differential Revision:	https://reviews.freebsd.org/D41008
Kajetan Staszkiewicz 2023-07-12 18:04:56 +02:00 committed by Kristof Provost
parent 294c52d969
commit f2064dd1f1
6 changed files with 181 additions and 192 deletions


@ -71,9 +71,9 @@ struct pf_ruleset;
struct pfi_kif;
struct pf_pdesc;
#define PFLOG_PACKET(i,a,b,c,d,e,f,g,h,di) do { \
#define PFLOG_PACKET(i,a,b,c,d,e,f,g,di) do { \
if (pflog_packet_ptr != NULL) \
pflog_packet_ptr(i,a,b,c,d,e,f,g,h,di); \
pflog_packet_ptr(i,a,b,c,d,e,f,g,di); \
} while (0)
#endif /* _KERNEL */
#endif /* _NET_IF_PFLOG_H_ */
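Review bot: The rewritten macro on the line `#define PFLOG_PACKET(i,a,b,c,d,e,f,g,di) do {` still names its parameters with opaque single letters, so a reader of the header cannot tell which argument was dropped or what the remaining nine are. Since pflog_packet() now takes (kif, m, af, reason, rm, am, ruleset, pd, lookupsafe), I'd put a comment above the macro: `/* PFLOG_PACKET(kif, m, af, reason, rm, am, ruleset, pd, lookupsafe): the direction is read from pd->dir. */`. A call site that still passes the old direction argument fails to compile because the arity changed, which is the desired outcome here.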


@ -1214,8 +1214,8 @@ void pf_state_export(struct pf_state_export *,
struct pf_kruleset;
struct pf_pdesc;
typedef int pflog_packet_t(struct pfi_kkif *, struct mbuf *, sa_family_t,
u_int8_t, u_int8_t, struct pf_krule *, struct pf_krule *,
struct pf_kruleset *, struct pf_pdesc *, int);
u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *,
struct pf_pdesc *, int);
extern pflog_packet_t *pflog_packet_ptr;
#endif /* _KERNEL */
@ -2236,14 +2236,14 @@ int pf_test_eth(int, int, struct ifnet *, struct mbuf **, struct inpcb *);
#ifdef INET
int pf_test(int, int, struct ifnet *, struct mbuf **, struct inpcb *,
struct pf_rule_actions *);
int pf_normalize_ip(struct mbuf **, int, struct pfi_kkif *, u_short *,
int pf_normalize_ip(struct mbuf **, struct pfi_kkif *, u_short *,
struct pf_pdesc *);
#endif /* INET */
#ifdef INET6
int pf_test6(int, int, struct ifnet *, struct mbuf **, struct inpcb *,
struct pf_rule_actions *);
int pf_normalize_ip6(struct mbuf **, int, struct pfi_kkif *, u_short *,
int pf_normalize_ip6(struct mbuf **, struct pfi_kkif *, u_short *,
struct pf_pdesc *);
void pf_poolmask(struct pf_addr *, struct pf_addr*,
struct pf_addr *, struct pf_addr *, sa_family_t);
@ -2271,7 +2271,7 @@ int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t);
void pf_normalize_init(void);
void pf_normalize_cleanup(void);
int pf_normalize_tcp(int, struct pfi_kkif *, struct mbuf *, int, int, void *,
int pf_normalize_tcp(struct pfi_kkif *, struct mbuf *, int, int, void *,
struct pf_pdesc *);
void pf_normalize_tcp_cleanup(struct pf_kstate *);
int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *,
@ -2285,7 +2285,7 @@ void pf_purge_expired_fragments(void);
void pf_purge_fragments(uint32_t);
int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *,
int);
int pf_socket_lookup(int, struct pf_pdesc *, struct mbuf *);
int pf_socket_lookup(struct pf_pdesc *, struct mbuf *);
struct pf_state_key *pf_alloc_state_key(int);
void pfr_initialize(void);
void pfr_cleanup(void);
@ -2472,7 +2472,7 @@ u_short pf_map_addr(u_int8_t, struct pf_krule *,
struct pf_addr *, struct pf_addr *,
struct pf_addr *, struct pf_ksrc_node **);
struct pf_krule *pf_get_translation(struct pf_pdesc *, struct mbuf *,
int, int, struct pfi_kkif *, struct pf_ksrc_node **,
int, struct pfi_kkif *, struct pf_ksrc_node **,
struct pf_state_key **, struct pf_state_key **,
struct pf_addr *, struct pf_addr *,
uint16_t, uint16_t, struct pf_kanchor_stackframe *);
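Review bot: The new prototypes for pf_normalize_ip, pf_normalize_ip6, pf_normalize_tcp, pf_socket_lookup, pf_get_translation and the pflog_packet_t typedef drop the direction argument, which makes an initialised pd->dir a precondition of each of them, yet nothing in the header records that contract. pf_normalize_ip and pf_normalize_ip6 are called from pf_test/pf_test6 before the IP header fields of the pdesc are filled in, so the caller has to set pd->dir ahead of the normalisation call rather than afterwards; the pf.c part of this commit appears to move that initialisation earlier, but the header is where the requirement should be stated. I'd add one line above the `#ifdef INET` block: `/* The functions below read the packet direction from pd->dir; callers must set it before the call. */`.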


@ -217,7 +217,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
}
static int
pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af,
u_int8_t reason, struct pf_krule *rm, struct pf_krule *am,
struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
{
@ -254,7 +254,7 @@ pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
* These conditions are very very rare, however.
*/
if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe)
pd->lookup.done = pf_socket_lookup(dir, pd, m);
pd->lookup.done = pf_socket_lookup(pd, m);
if (pd->lookup.done > 0)
hdr.uid = pd->lookup.uid;
else
@ -262,10 +262,10 @@ pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
hdr.pid = NO_PID;
hdr.rule_uid = rm->cuid;
hdr.rule_pid = rm->cpid;
hdr.dir = dir;
hdr.dir = pd->dir;
#ifdef INET
if (af == AF_INET && dir == PF_OUT) {
if (af == AF_INET && pd->dir == PF_OUT) {
struct ip *ip;
ip = mtod(m, struct ip *);


@ -277,15 +277,15 @@ static int pf_state_key_ctor(void *, int, void *, int);
static u_int32_t pf_tcp_iss(struct pf_pdesc *);
void pf_rule_to_actions(struct pf_krule *,
struct pf_rule_actions *);
static int pf_dummynet(struct pf_pdesc *, int, struct pf_kstate *,
static int pf_dummynet(struct pf_pdesc *, struct pf_kstate *,
struct pf_krule *, struct mbuf **);
static int pf_dummynet_route(struct pf_pdesc *, int,
static int pf_dummynet_route(struct pf_pdesc *,
struct pf_kstate *, struct pf_krule *,
struct ifnet *, struct sockaddr *, struct mbuf **);
static int pf_test_eth_rule(int, struct pfi_kkif *,
struct mbuf **);
static int pf_test_rule(struct pf_krule **, struct pf_kstate **,
int, struct pfi_kkif *, struct mbuf *, int,
struct pfi_kkif *, struct mbuf *, int,
struct pf_pdesc *, struct pf_krule **,
struct pf_kruleset **, struct inpcb *);
static int pf_create_state(struct pf_krule *, struct pf_krule *,
@ -295,25 +295,24 @@ static int pf_create_state(struct pf_krule *, struct pf_krule *,
u_int16_t, u_int16_t, int *, struct pfi_kkif *,
struct pf_kstate **, int, u_int16_t, u_int16_t,
int, struct pf_krule_slist *);
static int pf_test_fragment(struct pf_krule **, int,
struct pfi_kkif *, struct mbuf *, void *,
struct pf_pdesc *, struct pf_krule **,
struct pf_kruleset **);
static int pf_test_fragment(struct pf_krule **, struct pfi_kkif *,
struct mbuf *, void *, struct pf_pdesc *,
struct pf_krule **, struct pf_kruleset **);
static int pf_tcp_track_full(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
struct pf_pdesc *, u_short *, int *);
static int pf_tcp_track_sloppy(struct pf_kstate **,
struct pf_pdesc *, u_short *);
static int pf_test_state_tcp(struct pf_kstate **, int,
static int pf_test_state_tcp(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
static int pf_test_state_udp(struct pf_kstate **, int,
static int pf_test_state_udp(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *);
static int pf_test_state_icmp(struct pf_kstate **, int,
static int pf_test_state_icmp(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
static int pf_test_state_other(struct pf_kstate **, int,
static int pf_test_state_other(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, struct pf_pdesc *);
static u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t,
int, u_int16_t);
@ -336,14 +335,14 @@ static void pf_mtag_free(struct m_tag *);
static void pf_packet_rework_nat(struct mbuf *, struct pf_pdesc *,
int, struct pf_state_key *);
#ifdef INET
static void pf_route(struct mbuf **, struct pf_krule *, int,
static void pf_route(struct mbuf **, struct pf_krule *,
struct ifnet *, struct pf_kstate *,
struct pf_pdesc *, struct inpcb *);
#endif /* INET */
#ifdef INET6
static void pf_change_a6(struct pf_addr *, u_int16_t *,
struct pf_addr *, u_int8_t);
static void pf_route6(struct mbuf **, struct pf_krule *, int,
static void pf_route6(struct mbuf **, struct pf_krule *,
struct ifnet *, struct pf_kstate *,
struct pf_pdesc *, struct inpcb *);
#endif /* INET6 */
@ -356,10 +355,10 @@ extern struct proc *pf_purge_proc;
VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
#define PACKET_UNDO_NAT(_m, _pd, _off, _s, _dir) \
#define PACKET_UNDO_NAT(_m, _pd, _off, _s) \
do { \
struct pf_state_key *nk; \
if ((_dir) == PF_OUT) \
if ((pd->dir) == PF_OUT) \
nk = (_s)->key[PF_SK_STACK]; \
else \
nk = (_s)->key[PF_SK_WIRE]; \
@ -369,10 +368,10 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
#define PACKET_LOOPED(pd) ((pd)->pf_mtag && \
(pd)->pf_mtag->flags & PF_MTAG_FLAG_PACKET_LOOPED)
#define STATE_LOOKUP(i, k, d, s, pd) \
#define STATE_LOOKUP(i, k, s, pd) \
do { \
(s) = pf_find_state((i), (k), (d)); \
SDT_PROBE5(pf, ip, state, lookup, i, k, d, pd, (s)); \
(s) = pf_find_state((i), (k), (pd->dir)); \
SDT_PROBE5(pf, ip, state, lookup, i, k, (pd->dir), pd, (s)); \
if ((s) == NULL) \
return (PF_DROP); \
if (PACKET_LOOPED(pd)) \
@ -3623,7 +3622,7 @@ pf_rule_to_actions(struct pf_krule *r, struct pf_rule_actions *a)
}
int
pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)
pf_socket_lookup(struct pf_pdesc *pd, struct mbuf *m)
{
struct pf_addr *saddr, *daddr;
u_int16_t sport, dport;
@ -3647,7 +3646,7 @@ pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)
default:
return (-1);
}
if (direction == PF_IN) {
if (pd->dir == PF_IN) {
saddr = pd->src;
daddr = pd->dst;
} else {
@ -4175,9 +4174,9 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0)
}
static int
pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
struct pfi_kkif *kif, struct mbuf *m, int off, struct pf_pdesc *pd,
struct pf_krule **am, struct pf_kruleset **rsm, struct inpcb *inp)
pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
struct mbuf *m, int off, struct pf_pdesc *pd, struct pf_krule **am,
struct pf_kruleset **rsm, struct inpcb *inp)
{
struct pf_krule *nr = NULL;
struct pf_addr * const saddr = pd->src;
@ -4262,13 +4261,13 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
/* check packet for BINAT/NAT/RDR */
if ((nr = pf_get_translation(pd, m, off, direction, kif, &nsn, &sk,
if ((nr = pf_get_translation(pd, m, off, kif, &nsn, &sk,
&nk, saddr, daddr, sport, dport, anchor_stack)) != NULL) {
KASSERT(sk != NULL, ("%s: null sk", __func__));
KASSERT(nk != NULL, ("%s: null nk", __func__));
if (nr->log) {
PFLOG_PACKET(kif, m, af, direction, PFRES_MATCH, nr, a,
PFLOG_PACKET(kif, m, af, PFRES_MATCH, nr, a,
ruleset, pd, 1);
}
@ -4399,7 +4398,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != af)
r = r->skip[PF_SKIP_AF].ptr;
@ -4434,13 +4433,13 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
r = TAILQ_NEXT(r, entries);
/* tcp/udp only. uid.op always 0 in other cases */
else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
pf_socket_lookup(direction, pd, m), 1)) &&
pf_socket_lookup(pd, m), 1)) &&
!pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
pd->lookup.uid))
r = TAILQ_NEXT(r, entries);
/* tcp/udp only. gid.op always 0 in other cases */
else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
pf_socket_lookup(direction, pd, m), 1)) &&
pf_socket_lookup(pd, m), 1)) &&
!pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
pd->lookup.gid))
r = TAILQ_NEXT(r, entries);
@ -4471,13 +4470,13 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
ri->r = r;
SLIST_INSERT_HEAD(&match_rules, ri, entry);
pf_counter_u64_critical_enter();
pf_counter_u64_add_protected(&r->packets[direction == PF_OUT], 1);
pf_counter_u64_add_protected(&r->bytes[direction == PF_OUT], pd->tot_len);
pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);
pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
pf_counter_u64_critical_exit();
pf_rule_to_actions(r, &pd->act);
if (r->log)
PFLOG_PACKET(kif, m, af,
direction, PFRES_MATCH, r,
PFRES_MATCH, r,
a, ruleset, pd, 1);
} else {
match = 1;
@ -4509,8 +4508,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
if (r->log) {
if (rewrite)
m_copyback(m, off, hdrlen, pd->hdr.any);
PFLOG_PACKET(kif, m, af, direction, reason, r, a,
ruleset, pd, 1);
PFLOG_PACKET(kif, m, af, reason, r, a, ruleset, pd, 1);
}
if ((r->action == PF_DROP) &&
@ -4555,7 +4553,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
m_copyback(m, off, hdrlen, pd->hdr.any);
if (*sm != NULL && !((*sm)->state_flags & PFSTATE_NOSYNC) &&
direction == PF_OUT &&
pd->dir == PF_OUT &&
V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, m))
/*
* We want the state created, but we dont
@ -4846,7 +4844,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
}
static int
pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
pf_test_fragment(struct pf_krule **rm, struct pfi_kkif *kif,
struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_krule **am,
struct pf_kruleset **rsm)
{
@ -4869,7 +4867,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != af)
r = r->skip[PF_SKIP_AF].ptr;
@ -4915,13 +4913,13 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
ri->r = r;
SLIST_INSERT_HEAD(&match_rules, ri, entry);
pf_counter_u64_critical_enter();
pf_counter_u64_add_protected(&r->packets[direction == PF_OUT], 1);
pf_counter_u64_add_protected(&r->bytes[direction == PF_OUT], pd->tot_len);
pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);
pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
pf_counter_u64_critical_exit();
pf_rule_to_actions(r, &pd->act);
if (r->log)
PFLOG_PACKET(kif, m, af,
direction, PFRES_MATCH, r,
PFRES_MATCH, r,
a, ruleset, pd, 1);
} else {
match = 1;
@ -4951,8 +4949,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
pf_rule_to_actions(r, &pd->act);
if (r->log)
PFLOG_PACKET(kif, m, af, direction, reason, r, a,
ruleset, pd, 1);
PFLOG_PACKET(kif, m, af, reason, r, a, ruleset, pd, 1);
if (r->action != PF_PASS)
return (PF_DROP);
@ -5494,7 +5491,7 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason)
}
static int
pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
pf_test_state_tcp(struct pf_kstate **state, struct pfi_kkif *kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
u_short *reason)
{
@ -5507,7 +5504,7 @@ pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
bzero(&key, sizeof(key));
key.af = pd->af;
key.proto = IPPROTO_TCP;
if (direction == PF_IN) { /* wire side, straight */
if (pd->dir == PF_IN) { /* wire side, straight */
PF_ACPY(&key.addr[0], pd->src, key.af);
PF_ACPY(&key.addr[1], pd->dst, key.af);
key.port[0] = th->th_sport;
@ -5519,9 +5516,9 @@ pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
key.port[0] = th->th_dport;
}
STATE_LOOKUP(kif, &key, direction, *state, pd);
STATE_LOOKUP(kif, &key, *state, pd);
if (direction == (*state)->direction) {
if (pd->dir == (*state)->direction) {
src = &(*state)->src;
dst = &(*state)->dst;
} else {
@ -5585,7 +5582,7 @@ pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
}
static int
pf_test_state_udp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
pf_test_state_udp(struct pf_kstate **state, struct pfi_kkif *kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
@ -5596,7 +5593,7 @@ pf_test_state_udp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
bzero(&key, sizeof(key));
key.af = pd->af;
key.proto = IPPROTO_UDP;
if (direction == PF_IN) { /* wire side, straight */
if (pd->dir == PF_IN) { /* wire side, straight */
PF_ACPY(&key.addr[0], pd->src, key.af);
PF_ACPY(&key.addr[1], pd->dst, key.af);
key.port[0] = uh->uh_sport;
@ -5608,9 +5605,9 @@ pf_test_state_udp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
key.port[0] = uh->uh_dport;
}
STATE_LOOKUP(kif, &key, direction, *state, pd);
STATE_LOOKUP(kif, &key, *state, pd);
if (direction == (*state)->direction) {
if (pd->dir == (*state)->direction) {
src = &(*state)->src;
dst = &(*state)->dst;
psrc = PF_PEER_SRC;
@ -5657,7 +5654,7 @@ pf_test_state_udp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
}
static int
pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
pf_test_state_icmp(struct pf_kstate **state, struct pfi_kkif *kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
{
struct pf_addr *saddr = pd->src, *daddr = pd->dst;
@ -5707,7 +5704,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
key.af = pd->af;
key.proto = pd->proto;
key.port[0] = key.port[1] = icmpid;
if (direction == PF_IN) { /* wire side, straight */
if (pd->dir == PF_IN) { /* wire side, straight */
PF_ACPY(&key.addr[0], pd->src, key.af);
PF_ACPY(&key.addr[1], pd->dst, key.af);
} else { /* stack side, reverse */
@ -5715,7 +5712,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
PF_ACPY(&key.addr[0], pd->dst, key.af);
}
STATE_LOOKUP(kif, &key, direction, *state, pd);
STATE_LOOKUP(kif, &key, *state, pd);
(*state)->expire = time_uptime;
(*state)->timeout = PFTM_ICMP_ERROR_REPLY;
@ -5795,8 +5792,8 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
pd2.af = pd->af;
/* Payload packet is from the opposite direction. */
pd2.sidx = (direction == PF_IN) ? 1 : 0;
pd2.didx = (direction == PF_IN) ? 0 : 1;
pd2.sidx = (pd->dir == PF_IN) ? 1 : 0;
pd2.didx = (pd->dir == PF_IN) ? 0 : 1;
switch (pd->af) {
#ifdef INET
case AF_INET:
@ -5929,9 +5926,9 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
key.port[pd2.sidx] = th.th_sport;
key.port[pd2.didx] = th.th_dport;
STATE_LOOKUP(kif, &key, direction, *state, pd);
STATE_LOOKUP(kif, &key, *state, pd);
if (direction == (*state)->direction) {
if (pd->dir == (*state)->direction) {
src = &(*state)->dst;
dst = &(*state)->src;
} else {
@ -6050,7 +6047,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
key.port[pd2.sidx] = uh.uh_sport;
key.port[pd2.didx] = uh.uh_dport;
STATE_LOOKUP(kif, &key, direction, *state, pd);
STATE_LOOKUP(kif, &key, *state, pd);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@ -6117,7 +6114,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
key.port[0] = key.port[1] = iih.icmp_id;
STATE_LOOKUP(kif, &key, direction, *state, pd);
STATE_LOOKUP(kif, &key, *state, pd);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@ -6169,7 +6166,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
key.port[0] = key.port[1] = iih.icmp6_id;
STATE_LOOKUP(kif, &key, direction, *state, pd);
STATE_LOOKUP(kif, &key, *state, pd);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@ -6212,7 +6209,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
key.port[0] = key.port[1] = 0;
STATE_LOOKUP(kif, &key, direction, *state, pd);
STATE_LOOKUP(kif, &key, *state, pd);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@ -6261,7 +6258,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
}
static int
pf_test_state_other(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
pf_test_state_other(struct pf_kstate **state, struct pfi_kkif *kif,
struct mbuf *m, struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
@ -6271,7 +6268,7 @@ pf_test_state_other(struct pf_kstate **state, int direction, struct pfi_kkif *ki
bzero(&key, sizeof(key));
key.af = pd->af;
key.proto = pd->proto;
if (direction == PF_IN) {
if (pd->dir == PF_IN) {
PF_ACPY(&key.addr[0], pd->src, key.af);
PF_ACPY(&key.addr[1], pd->dst, key.af);
key.port[0] = key.port[1] = 0;
@ -6281,9 +6278,9 @@ pf_test_state_other(struct pf_kstate **state, int direction, struct pfi_kkif *ki
key.port[1] = key.port[0] = 0;
}
STATE_LOOKUP(kif, &key, direction, *state, pd);
STATE_LOOKUP(kif, &key, *state, pd);
if (direction == (*state)->direction) {
if (pd->dir == (*state)->direction) {
src = &(*state)->src;
dst = &(*state)->dst;
psrc = PF_PEER_SRC;
@ -6437,7 +6434,7 @@ pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *kif,
#ifdef INET
static void
pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp,
struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp)
{
struct mbuf *m0, *m1, *md;
@ -6460,7 +6457,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
r_dir = r->direction;
}
KASSERT(dir == PF_IN || dir == PF_OUT ||
KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT ||
r_dir == PF_IN || r_dir == PF_OUT, ("%s: invalid direction",
__func__));
@ -6502,8 +6499,8 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
}
}
} else {
if ((r_rt == PF_REPLYTO) == (r_dir == dir)) {
pf_dummynet(pd, dir, s, r, m);
if ((r_rt == PF_REPLYTO) == (r_dir == pd->dir)) {
pf_dummynet(pd, s, r, m);
if (s)
PF_STATE_UNLOCK(s);
return;
@ -6545,7 +6542,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
if (ifp == NULL)
goto bad;
if (dir == PF_IN) {
if (pd->dir == PF_IN) {
if (pf_test(PF_OUT, 0, ifp, &m0, inp, &pd->act) != PF_PASS)
goto bad;
else if (m0 == NULL)
@ -6591,7 +6588,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
m_clrprotoflags(m0); /* Avoid confusing lower layers. */
md = m0;
error = pf_dummynet_route(pd, dir, s, r, ifp, sintosa(&dst), &md);
error = pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md);
if (md != NULL)
error = (*ifp->if_output)(ifp, md, sintosa(&dst), NULL);
goto done;
@ -6605,7 +6602,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
if (s && pd->nat_rule != NULL)
PACKET_UNDO_NAT(m0, pd,
(ip->ip_hl << 2) + (ip_off & IP_OFFMASK),
s, dir);
s);
icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
ifp->if_mtu);
@ -6624,7 +6621,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
if (error == 0) {
m_clrprotoflags(m0);
md = m0;
error = pf_dummynet_route(pd, dir, s, r, ifp,
error = pf_dummynet_route(pd, s, r, ifp,
sintosa(&dst), &md);
if (md != NULL)
error = (*ifp->if_output)(ifp, md,
@ -6652,7 +6649,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
#ifdef INET6
static void
pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
pf_route6(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp,
struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp)
{
struct mbuf *m0, *md;
@ -6673,7 +6670,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
r_dir = r->direction;
}
KASSERT(dir == PF_IN || dir == PF_OUT ||
KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT ||
r_dir == PF_IN || r_dir == PF_OUT, ("%s: invalid direction",
__func__));
@ -6715,8 +6712,8 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
}
}
} else {
if ((r_rt == PF_REPLYTO) == (r_dir == dir)) {
pf_dummynet(pd, dir, s, r, m);
if ((r_rt == PF_REPLYTO) == (r_dir == pd->dir)) {
pf_dummynet(pd, s, r, m);
if (s)
PF_STATE_UNLOCK(s);
return;
@ -6761,7 +6758,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
if (ifp == NULL)
goto bad;
if (dir == PF_IN) {
if (pd->dir == PF_IN) {
if (pf_test6(PF_OUT, 0, ifp, &m0, inp, &pd->act) != PF_PASS)
goto bad;
else if (m0 == NULL)
@ -6793,7 +6790,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
dst.sin6_addr.s6_addr16[1] = htons(ifp->if_index);
if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
md = m0;
pf_dummynet_route(pd, dir, s, r, ifp, sintosa(&dst), &md);
pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md);
if (md != NULL)
nd6_output_ifp(ifp, ifp, md, &dst, NULL);
}
@ -6803,7 +6800,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
if (s && pd->nat_rule != NULL)
PACKET_UNDO_NAT(m0, pd,
((caddr_t)ip6 - m0->m_data) +
sizeof(struct ip6_hdr), s, dir);
sizeof(struct ip6_hdr), s);
icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
} else
@ -6958,9 +6955,8 @@ pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t a
}
static bool
pf_pdesc_to_dnflow(int dir, const struct pf_pdesc *pd,
const struct pf_krule *r, const struct pf_kstate *s,
struct ip_fw_args *dnflow)
pf_pdesc_to_dnflow(const struct pf_pdesc *pd, const struct pf_krule *r,
const struct pf_kstate *s, struct ip_fw_args *dnflow)
{
int dndir = r->direction;
@ -6969,7 +6965,7 @@ pf_pdesc_to_dnflow(int dir, const struct pf_pdesc *pd,
} else if (dndir == PF_INOUT) {
/* Assume primary direction. Happens when we've set dnpipe in
* the ethernet level code. */
dndir = dir;
dndir = pd->dir;
}
memset(dnflow, 0, sizeof(*dnflow));
@ -6979,15 +6975,15 @@ pf_pdesc_to_dnflow(int dir, const struct pf_pdesc *pd,
if (pd->sport != NULL)
dnflow->f_id.src_port = ntohs(*pd->sport);
if (dir == PF_IN)
if (pd->dir == PF_IN)
dnflow->flags |= IPFW_ARGS_IN;
else
dnflow->flags |= IPFW_ARGS_OUT;
if (dir != dndir && pd->act.dnrpipe) {
if (pd->dir != dndir && pd->act.dnrpipe) {
dnflow->rule.info = pd->act.dnrpipe;
}
else if (dir == dndir && pd->act.dnpipe) {
else if (pd->dir == dndir && pd->act.dnpipe) {
dnflow->rule.info = pd->act.dnpipe;
}
else {
@ -7052,14 +7048,14 @@ pf_test_eth(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
}
static int
pf_dummynet(struct pf_pdesc *pd, int dir, struct pf_kstate *s,
pf_dummynet(struct pf_pdesc *pd, struct pf_kstate *s,
struct pf_krule *r, struct mbuf **m0)
{
return (pf_dummynet_route(pd, dir, s, r, NULL, NULL, m0));
return (pf_dummynet_route(pd, s, r, NULL, NULL, m0));
}
static int
pf_dummynet_route(struct pf_pdesc *pd, int dir, struct pf_kstate *s,
pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s,
struct pf_krule *r, struct ifnet *ifp, struct sockaddr *sa,
struct mbuf **m0)
{
@ -7105,7 +7101,7 @@ pf_dummynet_route(struct pf_pdesc *pd, int dir, struct pf_kstate *s,
sizeof(struct sockaddr_in6));
}
if (pf_pdesc_to_dnflow(dir, pd, r, s, &dnflow)) {
if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) {
pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET;
ip_dn_io_ptr(m0, &dnflow);
if (*m0 != NULL) {
@ -7213,6 +7209,14 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
return (PF_PASS);
}
pd.sport = pd.dport = NULL;
pd.proto_sum = NULL;
pd.dir = dir;
pd.sidx = (dir == PF_IN) ? 0 : 1;
pd.didx = (dir == PF_IN) ? 1 : 0;
pd.af = AF_INET;
pd.act.rtableid = -1;
if (__predict_false(ip_divert_ptr != NULL) &&
((ipfwtag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL)) != NULL)) {
struct ipfw_rule_ref *rr = (struct ipfw_rule_ref *)(ipfwtag+1);
@ -7229,7 +7233,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
m->m_flags |= M_FASTFWD_OURS;
pd.pf_mtag->flags &= ~PF_MTAG_FLAG_FASTFWD_OURS_PRESENT;
}
} else if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
} else if (pf_normalize_ip(m0, kif, &reason, &pd) != PF_PASS) {
/* We do IP header normalization and packet reassembly here */
action = PF_DROP;
goto done;
@ -7247,22 +7251,14 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
pd.src = (struct pf_addr *)&h->ip_src;
pd.dst = (struct pf_addr *)&h->ip_dst;
pd.sport = pd.dport = NULL;
pd.ip_sum = &h->ip_sum;
pd.proto_sum = NULL;
pd.proto = h->ip_p;
pd.dir = dir;
pd.sidx = (dir == PF_IN) ? 0 : 1;
pd.didx = (dir == PF_IN) ? 1 : 0;
pd.af = AF_INET;
pd.tos = h->ip_tos & ~IPTOS_ECN_MASK;
pd.tot_len = ntohs(h->ip_len);
pd.act.rtableid = -1;
/* handle fragments that didn't get reassembled by normalization */
if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
action = pf_test_fragment(&r, dir, kif, m, h,
&pd, &a, &ruleset);
action = pf_test_fragment(&r, kif, m, h, &pd, &a, &ruleset);
goto done;
}
@ -7289,11 +7285,10 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
if ((pd.hdr.tcp.th_flags & TH_ACK) && pd.p_len == 0)
pqid = 1;
action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
action = pf_normalize_tcp(kif, m, 0, off, h, &pd);
if (action == PF_DROP)
goto done;
action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
&reason);
action = pf_test_state_tcp(&s, kif, m, off, h, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@ -7319,8 +7314,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
m_freem(msyn);
if (action == PF_PASS) {
action = pf_test_state_tcp(&s, dir,
kif, m, off, h, &pd, &reason);
action = pf_test_state_tcp(&s, kif, m,
off, h, &pd, &reason);
if (action != PF_PASS || s == NULL) {
action = PF_DROP;
break;
@ -7340,7 +7335,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
break;
}
else {
action = pf_test_rule(&r, &s, dir, kif, m, off,
action = pf_test_rule(&r, &s, kif, m, off,
&pd, &a, &ruleset, inp);
}
}
@ -7368,7 +7363,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
REASON_SET(&reason, PFRES_SHORT);
goto done;
}
action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
action = pf_test_state_udp(&s, kif, m, off, h, &pd);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@ -7376,7 +7371,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
a = s->anchor.ptr;
log = s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp);
break;
}
@ -7388,8 +7383,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
log = PF_LOG_FORCE;
goto done;
}
action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
&reason);
action = pf_test_state_icmp(&s, kif, m, off, h, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@ -7397,7 +7391,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
a = s->anchor.ptr;
log = s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp);
break;
}
@ -7412,7 +7406,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
#endif
default:
action = pf_test_state_other(&s, dir, kif, m, &pd);
action = pf_test_state_other(&s, kif, m, &pd);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@ -7420,7 +7414,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
a = s->anchor.ptr;
log = s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp);
break;
}
@ -7574,13 +7568,13 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
lr = r;
if (log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
PFLOG_PACKET(kif, m, AF_INET, dir, reason, lr, a,
ruleset, &pd, (s == NULL));
PFLOG_PACKET(kif, m, AF_INET, reason, lr, a, ruleset,
&pd, (s == NULL));
if (s) {
SLIST_FOREACH(ri, &s->match_rules, entry)
if (ri->r->log & PF_LOG_ALL)
PFLOG_PACKET(kif, m, AF_INET, dir,
reason, ri->r, a, ruleset, &pd, 0);
PFLOG_PACKET(kif, m, AF_INET, reason,
ri->r, a, ruleset, &pd, 0);
}
}
@ -7664,10 +7658,10 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
default:
/* pf_route() returns unlocked. */
if (rt) {
pf_route(m0, r, dir, kif->pfik_ifp, s, &pd, inp);
pf_route(m0, r, kif->pfik_ifp, s, &pd, inp);
return (action);
}
if (pf_dummynet(&pd, dir, s, r, m0) != 0) {
if (pf_dummynet(&pd, s, r, m0) != 0) {
action = PF_DROP;
REASON_SET(&reason, PFRES_MEMORY);
}
@ -7774,8 +7768,17 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
return (PF_PASS);
}
pd.sport = pd.dport = NULL;
pd.ip_sum = NULL;
pd.proto_sum = NULL;
pd.dir = dir;
pd.sidx = (dir == PF_IN) ? 0 : 1;
pd.didx = (dir == PF_IN) ? 1 : 0;
pd.af = AF_INET6;
pd.act.rtableid = -1;
/* We do IP header normalization and packet reassembly here */
if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
if (pf_normalize_ip6(m0, kif, &reason, &pd) != PF_PASS) {
action = PF_DROP;
goto done;
}
@ -7794,24 +7797,16 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
pd.src = (struct pf_addr *)&h->ip6_src;
pd.dst = (struct pf_addr *)&h->ip6_dst;
pd.sport = pd.dport = NULL;
pd.ip_sum = NULL;
pd.proto_sum = NULL;
pd.dir = dir;
pd.sidx = (dir == PF_IN) ? 0 : 1;
pd.didx = (dir == PF_IN) ? 1 : 0;
pd.af = AF_INET6;
pd.tos = IPV6_DSCP(h);
pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
pd.act.rtableid = -1;
off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
pd.proto = h->ip6_nxt;
do {
switch (pd.proto) {
case IPPROTO_FRAGMENT:
action = pf_test_fragment(&r, dir, kif, m, h,
&pd, &a, &ruleset);
action = pf_test_fragment(&r, kif, m, h, &pd, &a,
&ruleset);
if (action == PF_DROP)
REASON_SET(&reason, PFRES_FRAG);
goto done;
@ -7888,11 +7883,10 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
pd.p_len = pd.tot_len - off - (pd.hdr.tcp.th_off << 2);
pd.sport = &pd.hdr.tcp.th_sport;
pd.dport = &pd.hdr.tcp.th_dport;
action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
action = pf_normalize_tcp(kif, m, 0, off, h, &pd);
if (action == PF_DROP)
goto done;
action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
&reason);
action = pf_test_state_tcp(&s, kif, m, off, h, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@ -7900,7 +7894,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
a = s->anchor.ptr;
log = s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp);
if (s) {
if (s->max_mss)
@ -7926,7 +7920,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
REASON_SET(&reason, PFRES_SHORT);
goto done;
}
action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
action = pf_test_state_udp(&s, kif, m, off, h, &pd);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@ -7934,7 +7928,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
a = s->anchor.ptr;
log = s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp);
break;
}
@ -7953,8 +7947,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
log |= PF_LOG_FORCE;
goto done;
}
action = pf_test_state_icmp(&s, dir, kif,
m, off, h, &pd, &reason);
action = pf_test_state_icmp(&s, kif, m, off, h, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@ -7962,13 +7955,13 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
a = s->anchor.ptr;
log = s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp);
break;
}
default:
action = pf_test_state_other(&s, dir, kif, m, &pd);
action = pf_test_state_other(&s, kif, m, &pd);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@ -7976,7 +7969,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
a = s->anchor.ptr;
log = s->log;
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp);
break;
}
@ -8094,13 +8087,13 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
lr = r;
if (log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
PFLOG_PACKET(kif, m, AF_INET6, dir, reason, lr, a,
ruleset, &pd, (s == NULL));
PFLOG_PACKET(kif, m, AF_INET6, reason, lr, a, ruleset,
&pd, (s == NULL));
if (s) {
SLIST_FOREACH(ri, &s->match_rules, entry)
if (ri->r->log & PF_LOG_ALL)
PFLOG_PACKET(kif, m, AF_INET6, dir,
reason, ri->r, a, ruleset, &pd, 0);
PFLOG_PACKET(kif, m, AF_INET6, reason,
ri->r, a, ruleset, &pd, 0);
}
}
@ -8174,10 +8167,10 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
default:
/* pf_route6() returns unlocked. */
if (rt) {
pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd, inp);
pf_route6(m0, r, kif->pfik_ifp, s, &pd, inp);
return (action);
}
if (pf_dummynet(&pd, dir, s, r, m0) != 0) {
if (pf_dummynet(&pd, s, r, m0) != 0) {
action = PF_DROP;
REASON_SET(&reason, PFRES_MEMORY);
}


@ -59,7 +59,7 @@ __FBSDID("$FreeBSD$");
static void pf_hash(struct pf_addr *, struct pf_addr *,
struct pf_poolhashkey *, sa_family_t);
static struct pf_krule *pf_match_translation(struct pf_pdesc *, struct mbuf *,
int, int, struct pfi_kkif *,
int, struct pfi_kkif *,
struct pf_addr *, u_int16_t, struct pf_addr *,
uint16_t, int, struct pf_kanchor_stackframe *);
static int pf_get_sport(sa_family_t, uint8_t, struct pf_krule *,
@ -125,7 +125,7 @@ pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
static struct pf_krule *
pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
int direction, struct pfi_kkif *kif, struct pf_addr *saddr, u_int16_t sport,
struct pfi_kkif *kif, struct pf_addr *saddr, u_int16_t sport,
struct pf_addr *daddr, uint16_t dport, int rs_num,
struct pf_kanchor_stackframe *anchor_stack)
{
@ -140,7 +140,7 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
struct pf_rule_addr *src = NULL, *dst = NULL;
struct pf_addr_wrap *xdst = NULL;
if (r->action == PF_BINAT && direction == PF_IN) {
if (r->action == PF_BINAT && pd->dir == PF_IN) {
src = &r->dst;
if (r->rpool.cur != NULL)
xdst = &r->rpool.cur->addr;
@ -152,7 +152,7 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != pd->af)
r = r->skip[PF_SKIP_AF].ptr;
@ -555,7 +555,7 @@ pf_map_addr(sa_family_t af, struct pf_krule *r, struct pf_addr *saddr,
}
struct pf_krule *
pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
struct pfi_kkif *kif, struct pf_ksrc_node **sn,
struct pf_state_key **skp, struct pf_state_key **nkp,
struct pf_addr *saddr, struct pf_addr *daddr,
@ -570,18 +570,18 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
KASSERT(*skp == NULL, ("*skp not NULL"));
KASSERT(*nkp == NULL, ("*nkp not NULL"));
if (direction == PF_OUT) {
r = pf_match_translation(pd, m, off, direction, kif, saddr,
if (pd->dir == PF_OUT) {
r = pf_match_translation(pd, m, off, kif, saddr,
sport, daddr, dport, PF_RULESET_BINAT, anchor_stack);
if (r == NULL)
r = pf_match_translation(pd, m, off, direction, kif,
r = pf_match_translation(pd, m, off, kif,
saddr, sport, daddr, dport, PF_RULESET_NAT,
anchor_stack);
} else {
r = pf_match_translation(pd, m, off, direction, kif, saddr,
r = pf_match_translation(pd, m, off, kif, saddr,
sport, daddr, dport, PF_RULESET_RDR, anchor_stack);
if (r == NULL)
r = pf_match_translation(pd, m, off, direction, kif,
r = pf_match_translation(pd, m, off, kif,
saddr, sport, daddr, dport, PF_RULESET_BINAT,
anchor_stack);
}
@ -639,7 +639,7 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
}
break;
case PF_BINAT:
switch (direction) {
switch (pd->dir) {
case PF_OUT:
if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){
switch (pd->af) {
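Review bot: pf_match_translation() and pf_get_translation() now take the direction from pd->dir instead of a caller-supplied argument, so the BINAT source/destination swap, the PF_SKIP_DIR rule skip and the PF_OUT/PF_IN ruleset selection all silently depend on the caller having filled pd->dir before the translation lookup, and nothing in either function asserts it. pf_test6 sets pd.dir before normalization in this commit; I assume pf_test does the same, but that is not visible here. A precondition comment on pf_get_translation() would make the contract explicit, e.g. `/* Caller must have set pd->dir (PF_IN/PF_OUT) before calling. */`, or a `KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT, ("pf_get_translation: pd->dir unset"));` next to the existing *skp/*nkp asserts. Both functions begin and end outside the hunks shown.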


@ -1030,7 +1030,7 @@ pf_refragment6(struct ifnet *ifp, struct mbuf **m0, struct m_tag *mtag,
#ifdef INET
int
pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason,
pf_normalize_ip(struct mbuf **m0, struct pfi_kkif *kif, u_short *reason,
struct pf_pdesc *pd)
{
struct mbuf *m = *m0;
@ -1055,7 +1055,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir)
else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != AF_INET)
r = r->skip[PF_SKIP_AF].ptr;
@ -1083,8 +1083,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason
return (PF_PASS);
pf_counter_u64_critical_enter();
pf_counter_u64_add_protected(&r->packets[dir == PF_OUT], 1);
pf_counter_u64_add_protected(&r->bytes[dir == PF_OUT], pd->tot_len);
pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);
pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
pf_counter_u64_critical_exit();
} else if ((!V_pf_status.reass && (h->ip_off & htons(IP_MF | IP_OFFMASK)))) {
/* With no scrub rules IPv4 fragment reassembly depends on the
@ -1149,7 +1149,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason
* Might return a completely reassembled mbuf, or NULL */
PF_FRAG_LOCK();
DPFPRINTF(("reass frag %d @ %d-%d\n", h->ip_id, fragoff, max));
verdict = pf_reassemble(m0, h, dir, reason);
verdict = pf_reassemble(m0, h, pd->dir, reason);
PF_FRAG_UNLOCK();
if (verdict != PF_PASS)
@ -1182,8 +1182,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason
REASON_SET(reason, PFRES_FRAG);
drop:
if (r != NULL && r->log)
PFLOG_PACKET(kif, m, AF_INET, dir, *reason, r, NULL, NULL, pd,
1);
PFLOG_PACKET(kif, m, AF_INET, *reason, r, NULL, NULL, pd, 1);
return (PF_DROP);
}
@ -1191,7 +1190,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason
#ifdef INET6
int
pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif,
pf_normalize_ip6(struct mbuf **m0, struct pfi_kkif *kif,
u_short *reason, struct pf_pdesc *pd)
{
struct mbuf *m = *m0;
@ -1219,7 +1218,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif,
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir)
else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != AF_INET6)
r = r->skip[PF_SKIP_AF].ptr;
@ -1246,8 +1245,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif,
return (PF_PASS);
pf_counter_u64_critical_enter();
pf_counter_u64_add_protected(&r->packets[dir == PF_OUT], 1);
pf_counter_u64_add_protected(&r->bytes[dir == PF_OUT], pd->tot_len);
pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);
pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
pf_counter_u64_critical_exit();
}
@ -1350,21 +1349,19 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif,
shortpkt:
REASON_SET(reason, PFRES_SHORT);
if (r != NULL && r->log)
PFLOG_PACKET(kif, m, AF_INET6, dir, *reason, r, NULL, NULL, pd,
1);
PFLOG_PACKET(kif, m, AF_INET6, *reason, r, NULL, NULL, pd, 1);
return (PF_DROP);
drop:
REASON_SET(reason, PFRES_NORM);
if (r != NULL && r->log)
PFLOG_PACKET(kif, m, AF_INET6, dir, *reason, r, NULL, NULL, pd,
1);
PFLOG_PACKET(kif, m, AF_INET6, *reason, r, NULL, NULL, pd, 1);
return (PF_DROP);
}
#endif /* INET6 */
int
pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
pf_normalize_tcp(struct pfi_kkif *kif, struct mbuf *m, int ipoff,
int off, void *h, struct pf_pdesc *pd)
{
struct pf_krule *r, *rm = NULL;
@ -1385,7 +1382,7 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir)
else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != af)
r = r->skip[PF_SKIP_AF].ptr;
@ -1420,8 +1417,8 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
return (PF_PASS);
pf_counter_u64_critical_enter();
pf_counter_u64_add_protected(&r->packets[dir == PF_OUT], 1);
pf_counter_u64_add_protected(&r->bytes[dir == PF_OUT], pd->tot_len);
pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);
pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
pf_counter_u64_critical_exit();
}
@ -1487,8 +1484,7 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
tcp_drop:
REASON_SET(&reason, PFRES_NORM);
if (rm != NULL && r->log)
PFLOG_PACKET(kif, m, AF_INET, dir, reason, r, NULL, NULL, pd,
1);
PFLOG_PACKET(kif, m, AF_INET, reason, r, NULL, NULL, pd, 1);
return (PF_DROP);
}
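Review bot: The rewritten PFLOG_PACKET call at tcp_drop in pf_normalize_tcp() still hard-codes AF_INET, although the function matches rules against `af` (see the `r->af != af` check in the same function) and is called from pf_test6 for IPv6 TCP, so a dropped IPv6 segment is logged to pflog with the wrong address family. Since the line is being touched anyway, pass the descriptor's family instead: `PFLOG_PACKET(kif, m, pd->af, reason, r, NULL, NULL, pd, 1);`. The same pattern in pf_normalize_ip() and pf_normalize_ip6() is fine because those functions are single-family. pf_normalize_tcp() starts outside the hunk, so I am inferring that `af` mirrors pd->af from the visible comparison only.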