summaryrefslogtreecommitdiff
path: root/sys/net/pf.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r--sys/net/pf.c202
1 files changed, 125 insertions, 77 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 57bc51437dc..c78d2446654 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.405 2003/12/08 07:07:35 mcbride Exp $ */
+/* $OpenBSD: pf.c,v 1.406 2003/12/11 13:13:27 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2187,7 +2187,6 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
{
struct pf_rule *nat = NULL, *rdr = NULL;
struct pf_addr *saddr = pd->src, *daddr = pd->dst;
- struct pf_addr baddr, naddr;
struct tcphdr *th = pd->hdr.tcp;
u_int16_t bport, nport = 0;
sa_family_t af = pd->af;
@@ -2209,26 +2208,28 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
/* check outgoing packet for BINAT/NAT */
if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp,
saddr, th->th_sport, daddr, th->th_dport,
- &naddr, &nport)) != NULL) {
- PF_ACPY(&baddr, saddr, af);
+ &pd->naddr, &nport)) != NULL) {
+ PF_ACPY(&pd->baddr, saddr, af);
pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
- &th->th_sum, &naddr, nport, 0, af);
+ &th->th_sum, &pd->naddr, nport, 0, af);
rewrite++;
if (nat->natpass)
r = NULL;
+ pd->nat_rule = nat;
}
} else {
bport = nport = th->th_dport;
/* check incoming packet for BINAT/RDR */
if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr,
th->th_sport, daddr, th->th_dport,
- &naddr, &nport)) != NULL) {
- PF_ACPY(&baddr, daddr, af);
+ &pd->naddr, &nport)) != NULL) {
+ PF_ACPY(&pd->baddr, daddr, af);
pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
- &th->th_sum, &naddr, nport, 0, af);
+ &th->th_sum, &pd->naddr, nport, 0, af);
rewrite++;
if (rdr->natpass)
r = NULL;
+ pd->nat_rule = rdr;
}
}
@@ -2314,11 +2315,11 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
/* undo NAT changes, if they have taken place */
if (nat != NULL) {
pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
- &th->th_sum, &baddr, bport, 0, af);
+ &th->th_sum, &pd->baddr, bport, 0, af);
rewrite++;
} else if (rdr != NULL) {
pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
- &th->th_sum, &baddr, bport, 0, af);
+ &th->th_sum, &pd->baddr, bport, 0, af);
rewrite++;
}
if (((r->rule_flag & PFRULE_RETURNRST) ||
@@ -2386,7 +2387,7 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
PF_ACPY(&s->ext.addr, daddr, af);
s->ext.port = th->th_dport;
if (nat != NULL) {
- PF_ACPY(&s->lan.addr, &baddr, af);
+ PF_ACPY(&s->lan.addr, &pd->baddr, af);
s->lan.port = bport;
} else {
PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
@@ -2398,7 +2399,7 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
PF_ACPY(&s->ext.addr, saddr, af);
s->ext.port = th->th_sport;
if (rdr != NULL) {
- PF_ACPY(&s->gwy.addr, &baddr, af);
+ PF_ACPY(&s->gwy.addr, &pd->baddr, af);
s->gwy.port = bport;
} else {
PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
@@ -2466,11 +2467,11 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
s->src.state = PF_TCPS_PROXY_SRC;
if (nat != NULL)
pf_change_ap(saddr, &th->th_sport,
- pd->ip_sum, &th->th_sum, &baddr,
+ pd->ip_sum, &th->th_sum, &pd->baddr,
bport, 0, af);
else if (rdr != NULL)
pf_change_ap(daddr, &th->th_dport,
- pd->ip_sum, &th->th_sum, &baddr,
+ pd->ip_sum, &th->th_sum, &pd->baddr,
bport, 0, af);
s->src.seqhi = arc4random();
/* Find mss option */
@@ -2499,7 +2500,6 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
{
struct pf_rule *nat = NULL, *rdr = NULL;
struct pf_addr *saddr = pd->src, *daddr = pd->dst;
- struct pf_addr baddr, naddr;
struct udphdr *uh = pd->hdr.udp;
u_int16_t bport, nport = 0;
sa_family_t af = pd->af;
@@ -2520,26 +2520,28 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
/* check outgoing packet for BINAT/NAT */
if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp,
saddr, uh->uh_sport, daddr, uh->uh_dport,
- &naddr, &nport)) != NULL) {
- PF_ACPY(&baddr, saddr, af);
+ &pd->naddr, &nport)) != NULL) {
+ PF_ACPY(&pd->baddr, saddr, af);
pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
- &uh->uh_sum, &naddr, nport, 1, af);
+ &uh->uh_sum, &pd->naddr, nport, 1, af);
rewrite++;
if (nat->natpass)
r = NULL;
+ pd->nat_rule = nat;
}
} else {
bport = nport = uh->uh_dport;
/* check incoming packet for BINAT/RDR */
if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr,
- uh->uh_sport, daddr, uh->uh_dport, &naddr, &nport))
+ uh->uh_sport, daddr, uh->uh_dport, &pd->naddr, &nport))
!= NULL) {
- PF_ACPY(&baddr, daddr, af);
+ PF_ACPY(&pd->baddr, daddr, af);
pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
- &uh->uh_sum, &naddr, nport, 1, af);
+ &uh->uh_sum, &pd->naddr, nport, 1, af);
rewrite++;
if (rdr->natpass)
r = NULL;
+ pd->nat_rule = rdr;
}
}
@@ -2621,11 +2623,11 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
/* undo NAT changes, if they have taken place */
if (nat != NULL) {
pf_change_ap(saddr, &uh->uh_sport, pd->ip_sum,
- &uh->uh_sum, &baddr, bport, 1, af);
+ &uh->uh_sum, &pd->baddr, bport, 1, af);
rewrite++;
} else if (rdr != NULL) {
pf_change_ap(daddr, &uh->uh_dport, pd->ip_sum,
- &uh->uh_sum, &baddr, bport, 1, af);
+ &uh->uh_sum, &pd->baddr, bport, 1, af);
rewrite++;
}
if ((af == AF_INET) && r->return_icmp)
@@ -2677,7 +2679,7 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
PF_ACPY(&s->ext.addr, daddr, af);
s->ext.port = uh->uh_dport;
if (nat != NULL) {
- PF_ACPY(&s->lan.addr, &baddr, af);
+ PF_ACPY(&s->lan.addr, &pd->baddr, af);
s->lan.port = bport;
} else {
PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
@@ -2689,7 +2691,7 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
PF_ACPY(&s->ext.addr, saddr, af);
s->ext.port = uh->uh_sport;
if (rdr != NULL) {
- PF_ACPY(&s->gwy.addr, &baddr, af);
+ PF_ACPY(&s->gwy.addr, &pd->baddr, af);
s->gwy.port = bport;
} else {
PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
@@ -2724,7 +2726,6 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
{
struct pf_rule *nat = NULL, *rdr = NULL;
struct pf_addr *saddr = pd->src, *daddr = pd->dst;
- struct pf_addr baddr, naddr;
struct pf_rule *r, *a = NULL;
struct pf_ruleset *ruleset = NULL;
u_short reason;
@@ -2773,48 +2774,50 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
if (direction == PF_OUT) {
/* check outgoing packet for BINAT/NAT */
if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp, saddr, 0,
- daddr, 0, &naddr, NULL)) != NULL) {
- PF_ACPY(&baddr, saddr, af);
+ daddr, 0, &pd->naddr, NULL)) != NULL) {
+ PF_ACPY(&pd->baddr, saddr, af);
switch (af) {
#ifdef INET
case AF_INET:
pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
- naddr.v4.s_addr, 0);
+ pd->naddr.v4.s_addr, 0);
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum,
- &naddr, 0);
+ &pd->naddr, 0);
rewrite++;
break;
#endif /* INET6 */
}
if (nat->natpass)
r = NULL;
+ pd->nat_rule = nat;
}
} else {
/* check incoming packet for BINAT/RDR */
if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr, 0,
- daddr, 0, &naddr, NULL)) != NULL) {
- PF_ACPY(&baddr, daddr, af);
+ daddr, 0, &pd->naddr, NULL)) != NULL) {
+ PF_ACPY(&pd->baddr, daddr, af);
switch (af) {
#ifdef INET
case AF_INET:
pf_change_a(&daddr->v4.s_addr,
- pd->ip_sum, naddr.v4.s_addr, 0);
+ pd->ip_sum, pd->naddr.v4.s_addr, 0);
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum,
- &naddr, 0);
+ &pd->naddr, 0);
rewrite++;
break;
#endif /* INET6 */
}
if (rdr->natpass)
r = NULL;
+ pd->nat_rule = rdr;
}
}
@@ -2923,7 +2926,7 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
PF_ACPY(&s->ext.addr, daddr, af);
s->ext.port = icmpid;
if (nat != NULL)
- PF_ACPY(&s->lan.addr, &baddr, af);
+ PF_ACPY(&s->lan.addr, &pd->baddr, af);
else
PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
s->lan.port = icmpid;
@@ -2933,7 +2936,7 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
PF_ACPY(&s->ext.addr, saddr, af);
s->ext.port = icmpid;
if (rdr != NULL)
- PF_ACPY(&s->gwy.addr, &baddr, af);
+ PF_ACPY(&s->gwy.addr, &pd->baddr, af);
else
PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
s->gwy.port = icmpid;
@@ -2969,7 +2972,6 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
struct pf_rule *r, *a = NULL;
struct pf_ruleset *ruleset = NULL;
struct pf_addr *saddr = pd->src, *daddr = pd->dst;
- struct pf_addr baddr, naddr;
sa_family_t af = pd->af;
u_short reason;
struct pf_tag *pftag = NULL;
@@ -2980,44 +2982,46 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
if (direction == PF_OUT) {
/* check outgoing packet for BINAT/NAT */
if ((nat = pf_get_translation(pd, m, off, PF_OUT, ifp, saddr, 0,
- daddr, 0, &naddr, NULL)) != NULL) {
- PF_ACPY(&baddr, saddr, af);
+ daddr, 0, &pd->naddr, NULL)) != NULL) {
+ PF_ACPY(&pd->baddr, saddr, af);
switch (af) {
#ifdef INET
case AF_INET:
pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
- naddr.v4.s_addr, 0);
+ pd->naddr.v4.s_addr, 0);
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
- PF_ACPY(saddr, &naddr, af);
+ PF_ACPY(saddr, &pd->naddr, af);
break;
#endif /* INET6 */
}
if (nat->natpass)
r = NULL;
+ pd->nat_rule = nat;
}
} else {
/* check incoming packet for BINAT/RDR */
if ((rdr = pf_get_translation(pd, m, off, PF_IN, ifp, saddr, 0,
- daddr, 0, &naddr, NULL)) != NULL) {
- PF_ACPY(&baddr, daddr, af);
+ daddr, 0, &pd->naddr, NULL)) != NULL) {
+ PF_ACPY(&pd->baddr, daddr, af);
switch (af) {
#ifdef INET
case AF_INET:
pf_change_a(&daddr->v4.s_addr,
- pd->ip_sum, naddr.v4.s_addr, 0);
+ pd->ip_sum, pd->naddr.v4.s_addr, 0);
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
- PF_ACPY(daddr, &naddr, af);
+ PF_ACPY(daddr, &pd->naddr, af);
break;
#endif /* INET6 */
}
if (rdr->natpass)
r = NULL;
+ pd->nat_rule = rdr;
}
}
@@ -3088,12 +3092,12 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
#ifdef INET
case AF_INET:
pf_change_a(&a->v4.s_addr, pd->ip_sum,
- baddr.v4.s_addr, 0);
+ pd->baddr.v4.s_addr, 0);
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
- PF_ACPY(a, &baddr, af);
+ PF_ACPY(a, &pd->baddr, af);
break;
#endif /* INET6 */
}
@@ -3145,14 +3149,14 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
PF_ACPY(&s->gwy.addr, saddr, af);
PF_ACPY(&s->ext.addr, daddr, af);
if (nat != NULL)
- PF_ACPY(&s->lan.addr, &baddr, af);
+ PF_ACPY(&s->lan.addr, &pd->baddr, af);
else
PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
} else {
PF_ACPY(&s->lan.addr, daddr, af);
PF_ACPY(&s->ext.addr, saddr, af);
if (rdr != NULL)
- PF_ACPY(&s->gwy.addr, &baddr, af);
+ PF_ACPY(&s->gwy.addr, &pd->baddr, af);
else
PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
}
@@ -4851,7 +4855,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
u_short action, reason = 0, log = 0;
struct mbuf *m = *m0;
struct ip *h;
- struct pf_rule *a = NULL, *r = &pf_default_rule, *tr;
+ struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
struct pf_state *s = NULL;
struct pf_ruleset *ruleset = NULL;
struct pf_pdesc pd;
@@ -4892,6 +4896,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
pd.src = (struct pf_addr *)&h->ip_src;
pd.dst = (struct pf_addr *)&h->ip_dst;
+ PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET);
pd.ip_sum = &h->ip_sum;
pd.proto = h->ip_p;
pd.af = AF_INET;
@@ -5070,20 +5075,41 @@ done:
s->nat_rule.ptr->bytes += pd.tot_len;
}
}
+ tr = r;
+ nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
+ if (nr != NULL) {
+ struct pf_addr *x;
+ /*
+ * XXX: we need to make sure that the addresses
+ * passed to pfr_update_stats() are the same than
+ * the addresses used during matching (pfr_match)
+ */
+ if (r == &pf_default_rule) {
+ tr = nr;
+ x = (s == NULL || s->direction == dir) ?
+ &pd.baddr : &pd.naddr;
+ } else
+ x = (s == NULL || s->direction == dir) ?
+ &pd.naddr : &pd.baddr;
+ if (x == &pd.baddr || s == NULL) {
+ /* we need to change the address */
+ if (dir == PF_OUT)
+ pd.src = x;
+ else
+ pd.dst = x;
+ }
+ }
+ if (tr->src.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
+ s->direction == dir) ? pd.src : pd.dst, pd.af,
+ pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
+ tr->src.not);
+ if (tr->dst.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
+ s->direction == dir) ? pd.dst : pd.src, pd.af,
+ pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
+ tr->dst.not);
}
- tr = r;
- if (r == &pf_default_rule && s != NULL && s->nat_rule.ptr != NULL)
- tr = s->nat_rule.ptr;
- if (tr->src.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(tr->src.addr.p.tbl,
- (s == NULL || s->direction == dir) ? pd.src : pd.dst, pd.af,
- pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- tr->src.not);
- if (tr->dst.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(tr->dst.addr.p.tbl,
- (s == NULL || s->direction == dir) ? pd.dst : pd.src, pd.af,
- pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- tr->dst.not);
if (action == PF_SYNPROXY_DROP) {
@@ -5105,7 +5131,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
u_short action, reason = 0, log = 0;
struct mbuf *m = *m0;
struct ip6_hdr *h;
- struct pf_rule *a = NULL, *r = &pf_default_rule, *tr;
+ struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
struct pf_state *s = NULL;
struct pf_ruleset *ruleset = NULL;
struct pf_pdesc pd;
@@ -5138,6 +5164,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
pd.src = (struct pf_addr *)&h->ip6_src;
pd.dst = (struct pf_addr *)&h->ip6_dst;
+ PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6);
pd.ip_sum = NULL;
pd.af = AF_INET6;
pd.tos = 0;
@@ -5335,20 +5362,41 @@ done:
s->nat_rule.ptr->bytes += pd.tot_len;
}
}
+ tr = r;
+ nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
+ if (nr != NULL) {
+ struct pf_addr *x;
+ /*
+ * XXX: we need to make sure that the addresses
+ * passed to pfr_update_stats() are the same than
+ * the addresses used during matching (pfr_match)
+ */
+ if (r == &pf_default_rule) {
+ tr = nr;
+ x = (s == NULL || s->direction == dir) ?
+ &pd.baddr : &pd.naddr;
+ } else {
+ x = (s == NULL || s->direction == dir) ?
+ &pd.naddr : &pd.baddr;
+ }
+ if (x == &pd.baddr || s == NULL) {
+ if (dir == PF_OUT)
+ pd.src = x;
+ else
+ pd.dst = x;
+ }
+ }
+ if (tr->src.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->src.addr.p.tbl, (s == NULL ||
+ s->direction == dir) ? pd.src : pd.dst, pd.af,
+ pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
+ tr->src.not);
+ if (tr->dst.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(tr->dst.addr.p.tbl, (s == NULL ||
+ s->direction == dir) ? pd.dst : pd.src, pd.af,
+ pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
+ tr->dst.not);
}
- tr = r;
- if (r == &pf_default_rule && s != NULL && s->nat_rule.ptr != NULL)
- tr = s->nat_rule.ptr;
- if (tr->src.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(tr->src.addr.p.tbl,
- (s == NULL || s->direction == dir) ? pd.src : pd.dst, pd.af,
- pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- tr->src.not);
- if (tr->dst.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(tr->dst.addr.p.tbl,
- (s == NULL || s->direction == dir) ? pd.dst : pd.src, pd.af,
- pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
- tr->dst.not);
if (action == PF_SYNPROXY_DROP) {