summaryrefslogtreecommitdiff
path: root/sys/net
diff options
context:
space:
mode:
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/if_pflog.c19
-rw-r--r--sys/net/if_pflog.h6
-rw-r--r--sys/net/pf.c248
-rw-r--r--sys/net/pf_norm.c4
-rw-r--r--sys/net/pfvar.h20
5 files changed, 144 insertions, 153 deletions
diff --git a/sys/net/if_pflog.c b/sys/net/if_pflog.c
index 0872e9aee19..295e2500471 100644
--- a/sys/net/if_pflog.c
+++ b/sys/net/if_pflog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.c,v 1.41 2011/09/19 12:51:52 bluhm Exp $ */
+/* $OpenBSD: if_pflog.c,v 1.42 2011/09/20 10:51:18 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -210,15 +210,14 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
}
int
-pflog_packet(struct pfi_kif *kif, struct mbuf *m, u_int8_t dir,
- u_int8_t reason, struct pf_rule *rm, struct pf_rule *am,
- struct pf_ruleset *ruleset, struct pf_pdesc *pd)
+pflog_packet(struct mbuf *m, u_int8_t reason, struct pf_rule *rm,
+ struct pf_rule *am, struct pf_ruleset *ruleset, struct pf_pdesc *pd)
{
#if NBPFILTER > 0
struct ifnet *ifn;
struct pfloghdr hdr;
- if (kif == NULL || m == NULL || rm == NULL || pd == NULL)
+ if (m == NULL || rm == NULL || pd == NULL || pd->kif == NULL)
return (-1);
if ((ifn = pflogifs[rm->logif]) == NULL || !ifn->if_bpf)
@@ -229,7 +228,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, u_int8_t dir,
hdr.af = pd->af;
hdr.action = rm->action;
hdr.reason = reason;
- memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
+ memcpy(hdr.ifname, pd->kif->pfik_name, sizeof(hdr.ifname));
if (am == NULL) {
hdr.rulenr = htonl(rm->nr);
@@ -242,7 +241,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, u_int8_t dir,
sizeof(hdr.ruleset));
}
if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
- pd->lookup.done = pf_socket_lookup(dir, pd);
+ pd->lookup.done = pf_socket_lookup(pd);
if (pd->lookup.done > 0) {
hdr.uid = pd->lookup.uid;
hdr.pid = pd->lookup.pid;
@@ -252,7 +251,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, u_int8_t dir,
}
hdr.rule_uid = rm->cuid;
hdr.rule_pid = rm->cpid;
- hdr.dir = dir;
+ hdr.dir = pd->dir;
PF_ACPY(&hdr.saddr, &pd->nsaddr, pd->af);
PF_ACPY(&hdr.daddr, &pd->ndaddr, pd->af);
@@ -333,8 +332,8 @@ pflog_bpfcopy(const void *src_arg, void *dst_arg, size_t len)
mfake->m_pkthdr.len = min(mfake->m_pkthdr.len, mfake->m_len);
/* rewrite addresses if needed */
- if (pf_setup_pdesc(pfloghdr->af, pfloghdr->dir, &pd, &pdhdrs, &mfake,
- &action, &reason) == -1)
+ if (pf_setup_pdesc(pfloghdr->af, pfloghdr->dir, NULL, &pd, &pdhdrs,
+ &mfake, &action, &reason) == -1)
return;
PF_ACPY(&osaddr, pd.src, pd.af);
diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
index 399cc788025..074dddc6ab4 100644
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.h,v 1.19 2011/07/03 19:07:32 henning Exp $ */
+/* $OpenBSD: if_pflog.h,v 1.20 2011/09/20 10:51:18 bluhm Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -70,9 +70,9 @@ struct pfloghdr {
void pflog_bpfcopy(const void *, void *, size_t);
#if NPFLOG > 0
-#define PFLOG_PACKET(i,b,c,d,e,f,g,h) pflog_packet(i,b,c,d,e,f,g,h)
+#define PFLOG_PACKET(b,d,e,f,g,h) pflog_packet(b,d,e,f,g,h)
#else
-#define PFLOG_PACKET(i,b,c,d,e,f,g,h) ((void)0)
+#define PFLOG_PACKET(b,d,e,f,g,h) ((void)0)
#endif /* NPFLOG > 0 */
#endif /* _KERNEL */
#endif /* _NET_IF_PFLOG_H_ */
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 10cdf7956f9..c48ad99c6de 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.777 2011/09/19 12:51:52 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.778 2011/09/20 10:51:18 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -178,39 +178,34 @@ u_int32_t pf_tcp_iss(struct pf_pdesc *);
void pf_rule_to_actions(struct pf_rule *,
struct pf_rule_actions *);
int pf_test_rule(struct pf_rule **, struct pf_state **,
- int, struct pfi_kif *, struct mbuf *,
- struct pf_pdesc *, struct pf_rule **,
+ struct mbuf *, struct pf_pdesc *, struct pf_rule **,
struct pf_ruleset **);
static __inline int pf_create_state(struct pf_rule *, struct pf_rule *,
struct pf_rule *, struct pf_pdesc *,
struct pf_state_key **, struct pf_state_key **,
- struct mbuf *, int *, struct pfi_kif *,
- struct pf_state **, int, struct pf_rule_slist *,
- struct pf_rule_actions *, struct pf_src_node *[]);
+ struct mbuf *, int *, struct pf_state **, int,
+ struct pf_rule_slist *, struct pf_rule_actions *,
+ struct pf_src_node *[]);
int pf_state_key_setup(struct pf_pdesc *, struct
pf_state_key **, struct pf_state_key **, int);
int pf_tcp_track_full(struct pf_state_peer *,
struct pf_state_peer *, struct pf_state **,
- struct pfi_kif *, struct mbuf *,
- struct pf_pdesc *, u_short *, int *);
+ struct mbuf *, struct pf_pdesc *, u_short *, int *);
int pf_tcp_track_sloppy(struct pf_state_peer *,
struct pf_state_peer *, struct pf_state **,
struct pf_pdesc *, u_short *);
-int pf_test_state_tcp(struct pf_state **, int,
- struct pfi_kif *, struct mbuf *,
+int pf_test_state_tcp(struct pf_state **, struct mbuf *,
struct pf_pdesc *, u_short *);
-int pf_test_state_udp(struct pf_state **, int,
- struct pfi_kif *, struct mbuf *,
+int pf_test_state_udp(struct pf_state **, struct mbuf *,
struct pf_pdesc *);
int pf_icmp_state_lookup(struct pf_state_key_cmp *,
struct pf_pdesc *, struct pf_state **,
- struct mbuf *, int, struct pfi_kif *, u_int16_t,
- u_int16_t, int, int *, int, int);
-int pf_test_state_icmp(struct pf_state **, int,
- struct pfi_kif *, struct mbuf *,
+ struct mbuf *, u_int16_t, u_int16_t, int, int *,
+ int, int);
+int pf_test_state_icmp(struct pf_state **, struct mbuf *,
struct pf_pdesc *, u_short *);
-int pf_test_state_other(struct pf_state **, int,
- struct pfi_kif *, struct mbuf *, struct pf_pdesc *);
+int pf_test_state_other(struct pf_state **, struct mbuf *,
+ struct pf_pdesc *);
void pf_route(struct mbuf **, struct pf_rule *, int,
struct ifnet *, struct pf_state *);
void pf_route6(struct mbuf **, struct pf_rule *, int,
@@ -239,8 +234,7 @@ struct pf_state *pf_find_state(struct pfi_kif *,
int pf_src_connlimit(struct pf_state **);
int pf_check_congestion(struct ifqueue *);
int pf_match_rcvif(struct mbuf *, struct pf_rule *);
-void pf_counters_inc(int, int,
- struct pf_pdesc *, struct pfi_kif *,
+void pf_counters_inc(int, struct pf_pdesc *,
struct pf_state *, struct pf_rule *,
struct pf_rule *);
@@ -2432,7 +2426,7 @@ pf_addr_inc(struct pf_addr *addr, sa_family_t af)
#endif /* INET6 */
int
-pf_socket_lookup(int direction, struct pf_pdesc *pd)
+pf_socket_lookup(struct pf_pdesc *pd)
{
struct pf_addr *saddr, *daddr;
u_int16_t sport, dport;
@@ -2462,7 +2456,7 @@ pf_socket_lookup(int direction, struct pf_pdesc *pd)
default:
return (-1);
}
- if (direction == PF_IN) {
+ if (pd->dir == PF_IN) {
saddr = pd->src;
daddr = pd->dst;
} else {
@@ -2738,9 +2732,8 @@ pf_rule_to_actions(struct pf_rule *r, struct pf_rule_actions *a)
} while (0)
int
-pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
- struct pfi_kif *kif, struct mbuf *m, struct pf_pdesc *pd,
- struct pf_rule **am, struct pf_ruleset **rsm)
+pf_test_rule(struct pf_rule **rm, struct pf_state **sm, struct mbuf *m,
+ struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm)
{
struct pf_rule *lastr = NULL;
struct pf_rule *r;
@@ -2774,7 +2767,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
ifq = &ip6intrq;
#endif
- if (direction == PF_IN && pf_check_congestion(ifq)) {
+ if (pd->dir == PF_IN && pf_check_congestion(ifq)) {
REASON_SET(&reason, PFRES_CONGEST);
return (PF_DROP);
}
@@ -2818,9 +2811,9 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
r = TAILQ_FIRST(pf_main_ruleset.rules.active.ptr);
while (r != NULL) {
r->evaluations++;
- PF_TEST_ATTRIB((pfi_kif_match(r->kif, kif) == r->ifnot),
+ PF_TEST_ATTRIB((pfi_kif_match(r->kif, pd->kif) == r->ifnot),
r->skip[PF_SKIP_IFP].ptr);
- PF_TEST_ATTRIB((r->direction && r->direction != direction),
+ PF_TEST_ATTRIB((r->direction && r->direction != pd->dir),
r->skip[PF_SKIP_DIR].ptr);
PF_TEST_ATTRIB((r->onrdomain >= 0 &&
(r->onrdomain == pd->rdomain) == r->ifnot),
@@ -2830,7 +2823,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
PF_TEST_ATTRIB((r->proto && r->proto != pd->proto),
r->skip[PF_SKIP_PROTO].ptr);
PF_TEST_ATTRIB((PF_MISMATCHAW(&r->src.addr, &pd->nsaddr, pd->af,
- r->src.neg, kif, act.rtableid)),
+ r->src.neg, pd->kif, act.rtableid)),
r->skip[PF_SKIP_SRC_ADDR].ptr);
PF_TEST_ATTRIB((PF_MISMATCHAW(&r->dst.addr, &pd->ndaddr, pd->af,
r->dst.neg, NULL, act.rtableid)),
@@ -2873,14 +2866,14 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
/* tcp/udp only. uid.op always 0 in other cases */
PF_TEST_ATTRIB((r->uid.op && (pd->lookup.done ||
(pd->lookup.done =
- pf_socket_lookup(direction, pd), 1)) &&
+ pf_socket_lookup(pd), 1)) &&
!pf_match_uid(r->uid.op, r->uid.uid[0],
r->uid.uid[1], pd->lookup.uid)),
TAILQ_NEXT(r, entries));
/* tcp/udp only. gid.op always 0 in other cases */
PF_TEST_ATTRIB((r->gid.op && (pd->lookup.done ||
(pd->lookup.done =
- pf_socket_lookup(direction, pd), 1)) &&
+ pf_socket_lookup(pd), 1)) &&
!pf_match_gid(r->gid.op, r->gid.gid[0],
r->gid.gid[1], pd->lookup.gid)),
TAILQ_NEXT(r, entries));
@@ -2933,16 +2926,16 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
goto cleanup;
}
if (r->log || act.log & PF_LOG_MATCHES)
- PFLOG_PACKET(kif, m, direction,
- reason, r, a, ruleset, pd);
+ PFLOG_PACKET(m, reason, r, a, ruleset,
+ pd);
} else {
match = 1;
*rm = r;
*am = a;
*rsm = ruleset;
if (act.log & PF_LOG_MATCHES)
- PFLOG_PACKET(kif, m, direction,
- reason, r, a, ruleset, pd);
+ PFLOG_PACKET(m, reason, r, a, ruleset,
+ pd);
}
if ((*rm)->quick)
@@ -2970,7 +2963,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
REASON_SET(&reason, PFRES_MATCH);
if (r->log || act.log & PF_LOG_MATCHES)
- PFLOG_PACKET(kif, m, direction, reason, r, a, ruleset, pd);
+ PFLOG_PACKET(m, reason, r, a, ruleset, pd);
if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
(r->action == PF_DROP) &&
@@ -2995,7 +2988,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
pd->src, th->th_dport, th->th_sport,
ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
r->return_ttl, 1, 0, pd->rdomain,
- pd->eh, kif->pfik_ifp);
+ pd->eh, pd->kif->pfik_ifp);
}
} else if ((pd->proto != IPPROTO_ICMP ||
ICMP_INFOTYPE(icmptype)) && pd->af == AF_INET &&
@@ -3037,8 +3030,8 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
goto cleanup;
}
- action = pf_create_state(r, a, nr, pd, &skw, &sks, m,
- &rewrite, kif, sm, tag, &rules, &act, sns);
+ action = pf_create_state(r, a, nr, pd, &skw, &sks, m, &rewrite,
+ sm, tag, &rules, &act, sns);
if (action != PF_PASS)
return (action);
@@ -3067,7 +3060,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
#if NPFSYNC > 0
if (*sm != NULL && !ISSET((*sm)->state_flags, PFSTATE_NOSYNC) &&
- direction == PF_OUT && pfsync_up()) {
+ pd->dir == PF_OUT && pfsync_up()) {
/*
* We want the state created, but we dont
* want to send this in case a partner
@@ -3096,9 +3089,9 @@ cleanup:
static __inline int
pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_rule *nr,
struct pf_pdesc *pd, struct pf_state_key **skw, struct pf_state_key **sks,
- struct mbuf *m, int *rewrite, struct pfi_kif *kif,
- struct pf_state **sm, int tag, struct pf_rule_slist *rules,
- struct pf_rule_actions *act, struct pf_src_node *sns[PF_SN_MAX])
+ struct mbuf *m, int *rewrite, struct pf_state **sm, int tag,
+ struct pf_rule_slist *rules, struct pf_rule_actions *act,
+ struct pf_src_node *sns[PF_SN_MAX])
{
struct pf_state *s = NULL;
struct tcphdr *th = pd->hdr.tcp;
@@ -3218,7 +3211,7 @@ pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_rule *nr,
goto csfailed;
}
- if (pf_state_insert(BOUND_IFACE(r, kif), *skw, *sks, s)) {
+ if (pf_state_insert(BOUND_IFACE(r, pd->kif), *skw, *sks, s)) {
pf_state_key_detach(s, PF_SK_STACK);
pf_state_key_detach(s, PF_SK_WIRE);
*sks = *skw = NULL;
@@ -3412,8 +3405,8 @@ pf_translate(struct pf_pdesc *pd, struct pf_addr *saddr, u_int16_t sport,
int
pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst,
- struct pf_state **state, struct pfi_kif *kif, struct mbuf *m,
- struct pf_pdesc *pd, u_short *reason, int *copyback)
+ struct pf_state **state, struct mbuf *m, struct pf_pdesc *pd,
+ u_short *reason, int *copyback)
{
struct tcphdr *th = pd->hdr.tcp;
u_int16_t win = ntohs(th->th_win);
@@ -3702,7 +3695,7 @@ pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst,
th->th_sport, ntohl(th->th_ack), 0,
TH_RST, 0, 0,
(*state)->rule.ptr->return_ttl, 1, 0,
- pd->rdomain, pd->eh, kif->pfik_ifp);
+ pd->rdomain, pd->eh, pd->kif->pfik_ifp);
src->seqlo = 0;
src->seqhi = 1;
src->max_win = 1;
@@ -3804,8 +3797,8 @@ pf_tcp_track_sloppy(struct pf_state_peer *src, struct pf_state_peer *dst,
}
int
-pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
- struct mbuf *m, struct pf_pdesc *pd, u_short *reason)
+pf_test_state_tcp(struct pf_state **state, struct mbuf *m, struct pf_pdesc *pd,
+ u_short *reason)
{
struct pf_state_key_cmp key;
struct tcphdr *th = pd->hdr.tcp;
@@ -3816,7 +3809,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
key.af = pd->af;
key.proto = IPPROTO_TCP;
key.rdomain = pd->rdomain;
- if (direction == PF_IN) { /* wire side, straight */
+ if (pd->dir == PF_IN) { /* wire side, straight */
PF_ACPY(&key.addr[0], pd->src, key.af);
PF_ACPY(&key.addr[1], pd->dst, key.af);
key.port[0] = th->th_sport;
@@ -3828,9 +3821,9 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
key.port[0] = th->th_dport;
}
- STATE_LOOKUP(kif, &key, direction, *state, m);
+ STATE_LOOKUP(pd->kif, &key, pd->dir, *state, m);
- if (direction == (*state)->direction) {
+ if (pd->dir == (*state)->direction) {
src = &(*state)->src;
dst = &(*state)->dst;
} else {
@@ -3841,7 +3834,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
sk = (*state)->key[pd->didx];
if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
- if (direction != (*state)->direction) {
+ if (pd->dir != (*state)->direction) {
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
}
@@ -3870,7 +3863,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
(*state)->src.state = PF_TCPS_PROXY_DST;
}
if ((*state)->src.state == PF_TCPS_PROXY_DST) {
- if (direction == (*state)->direction) {
+ if (pd->dir == (*state)->direction) {
if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
(ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
(ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
@@ -3943,7 +3936,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
if (pf_tcp_track_sloppy(src, dst, state, pd, reason) == PF_DROP)
return (PF_DROP);
} else {
- if (pf_tcp_track_full(src, dst, state, kif, m, pd, reason,
+ if (pf_tcp_track_full(src, dst, state, m, pd, reason,
&copyback) == PF_DROP)
return (PF_DROP);
}
@@ -3975,8 +3968,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
}
int
-pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
- struct mbuf *m, struct pf_pdesc *pd)
+pf_test_state_udp(struct pf_state **state, struct mbuf *m, struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
struct pf_state_key_cmp key;
@@ -3985,7 +3977,7 @@ pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
key.af = pd->af;
key.proto = IPPROTO_UDP;
key.rdomain = pd->rdomain;
- if (direction == PF_IN) { /* wire side, straight */
+ if (pd->dir == PF_IN) { /* wire side, straight */
PF_ACPY(&key.addr[0], pd->src, key.af);
PF_ACPY(&key.addr[1], pd->dst, key.af);
key.port[0] = uh->uh_sport;
@@ -3997,9 +3989,9 @@ pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
key.port[0] = uh->uh_dport;
}
- STATE_LOOKUP(kif, &key, direction, *state, m);
+ STATE_LOOKUP(pd->kif, &key, pd->dir, *state, m);
- if (direction == (*state)->direction) {
+ if (pd->dir == (*state)->direction) {
src = &(*state)->src;
dst = &(*state)->dst;
} else {
@@ -4044,9 +4036,8 @@ pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif,
int
pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
- struct pf_state **state, struct mbuf *m, int direction, struct pfi_kif *kif,
- u_int16_t icmpid, u_int16_t type, int icmp_dir, int *iidx, int multi,
- int inner)
+ struct pf_state **state, struct mbuf *m, u_int16_t icmpid, u_int16_t type,
+ int icmp_dir, int *iidx, int multi, int inner)
{
key->af = pd->af;
key->proto = pd->proto;
@@ -4080,12 +4071,12 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
PF_ACPY(&key->addr[pd->sidx], pd->src, key->af);
PF_ACPY(&key->addr[pd->didx], pd->dst, key->af);
- STATE_LOOKUP(kif, key, direction, *state, m);
+ STATE_LOOKUP(pd->kif, key, pd->dir, *state, m);
/* Is this ICMP message flowing in right direction? */
if ((*state)->rule.ptr->type &&
- (((!inner && (*state)->direction == direction) ||
- (inner && (*state)->direction != direction)) ?
+ (((!inner && (*state)->direction == pd->dir) ||
+ (inner && (*state)->direction != pd->dir)) ?
PF_IN : PF_OUT) != icmp_dir) {
if (pf_status.debug >= LOG_NOTICE) {
log(LOG_NOTICE,
@@ -4100,8 +4091,8 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
}
int
-pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
- struct mbuf *m, struct pf_pdesc *pd, u_short *reason)
+pf_test_state_icmp(struct pf_state **state, struct mbuf *m,
+ struct pf_pdesc *pd, u_short *reason)
{
struct pf_addr *saddr = pd->src, *daddr = pd->dst;
u_int16_t icmpid, *icmpsum, virtual_id, virtual_type;
@@ -4132,15 +4123,15 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
* ICMP query/reply message not related to a TCP/UDP packet.
* Search for an ICMP state.
*/
- ret = pf_icmp_state_lookup(&key, pd, state, m, direction,
- kif, virtual_id, virtual_type, icmp_dir, &iidx,
+ ret = pf_icmp_state_lookup(&key, pd, state, m,
+ virtual_id, virtual_type, icmp_dir, &iidx,
PF_ICMP_MULTI_NONE, 0);
if (ret >= 0) {
if (ret == PF_DROP && pd->af == AF_INET6 &&
icmp_dir == PF_OUT) {
ret = pf_icmp_state_lookup(&key, pd, state, m,
- direction, kif, virtual_id, virtual_type,
- icmp_dir, &iidx, multi, 0);
+ virtual_id, virtual_type, icmp_dir, &iidx,
+ multi, 0);
if (ret >= 0)
return (ret);
} else
@@ -4229,11 +4220,15 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
u_int16_t *ipsum2;
int ipoff2;
+ /* Initialize pd2 fields valid for both packets with pd. */
+ bzero(&pd2, sizeof(pd2));
pd2.af = pd->af;
+ pd2.dir = pd->dir;
+ pd2.kif = pd->kif;
pd2.rdomain = pd->rdomain;
/* Payload packet is from the opposite direction. */
- pd2.sidx = (direction == PF_IN) ? 1 : 0;
- pd2.didx = (direction == PF_IN) ? 0 : 1;
+ pd2.sidx = (pd2.dir == PF_IN) ? 1 : 0;
+ pd2.didx = (pd2.dir == PF_IN) ? 0 : 1;
switch (pd->af) {
#ifdef INET
case AF_INET:
@@ -4316,9 +4311,9 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
key.port[pd2.sidx] = th.th_sport;
key.port[pd2.didx] = th.th_dport;
- STATE_LOOKUP(kif, &key, direction, *state, m);
+ STATE_LOOKUP(pd2.kif, &key, pd2.dir, *state, m);
- if (direction == (*state)->direction) {
+ if (pd2.dir == (*state)->direction) {
src = &(*state)->dst;
dst = &(*state)->src;
} else {
@@ -4442,7 +4437,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
key.port[pd2.sidx] = uh.uh_sport;
key.port[pd2.didx] = uh.uh_dport;
- STATE_LOOKUP(kif, &key, direction, *state, m);
+ STATE_LOOKUP(pd2.kif, &key, pd2.dir, *state, m);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@@ -4517,8 +4512,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
&icmp_dir, &multi, &virtual_id, &virtual_type);
ret = pf_icmp_state_lookup(&key, &pd2, state, m,
- direction, kif, virtual_id, virtual_type,
- icmp_dir, &iidx, PF_ICMP_MULTI_NONE, 1);
+ virtual_id, virtual_type, icmp_dir, &iidx,
+ PF_ICMP_MULTI_NONE, 1);
if (ret >= 0)
return (ret);
@@ -4582,14 +4577,13 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
pf_icmp_mapping(&pd2, iih.icmp6_type,
&icmp_dir, &multi, &virtual_id, &virtual_type);
ret = pf_icmp_state_lookup(&key, &pd2, state, m,
- direction, kif, virtual_id, virtual_type,
- icmp_dir, &iidx, PF_ICMP_MULTI_NONE, 1);
+ virtual_id, virtual_type, icmp_dir, &iidx,
+ PF_ICMP_MULTI_NONE, 1);
if (ret >= 0) {
if (ret == PF_DROP && pd->af == AF_INET6 &&
icmp_dir == PF_OUT) {
ret = pf_icmp_state_lookup(&key, pd,
- state, m, direction, kif,
- virtual_id, virtual_type,
+ state, m, virtual_id, virtual_type,
icmp_dir, &iidx, multi, 1);
if (ret >= 0)
return (ret);
@@ -4648,7 +4642,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
key.port[0] = key.port[1] = 0;
- STATE_LOOKUP(kif, &key, direction, *state, m);
+ STATE_LOOKUP(pd2.kif, &key, pd2.dir, *state, m);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@@ -4701,8 +4695,8 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
}
int
-pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
- struct mbuf *m, struct pf_pdesc *pd)
+pf_test_state_other(struct pf_state **state, struct mbuf *m,
+ struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
struct pf_state_key_cmp key;
@@ -4710,7 +4704,7 @@ pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
key.af = pd->af;
key.proto = pd->proto;
key.rdomain = pd->rdomain;
- if (direction == PF_IN) {
+ if (pd->dir == PF_IN) {
PF_ACPY(&key.addr[0], pd->src, key.af);
PF_ACPY(&key.addr[1], pd->dst, key.af);
key.port[0] = key.port[1] = 0;
@@ -4720,9 +4714,9 @@ pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif,
key.port[1] = key.port[0] = 0;
}
- STATE_LOOKUP(kif, &key, direction, *state, m);
+ STATE_LOOKUP(pd->kif, &key, pd->dir, *state, m);
- if (direction == (*state)->direction) {
+ if (pd->dir == (*state)->direction) {
src = &(*state)->src;
dst = &(*state)->dst;
} else {
@@ -5571,8 +5565,9 @@ pf_walk_header6(struct mbuf *m, struct ip6_hdr *h, int *off, int *extoff,
}
int
-pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, void *pdhdrs,
- struct mbuf **m0, u_short *action, u_short *reason)
+pf_setup_pdesc(sa_family_t af, int dir, struct pfi_kif *kif,
+ struct pf_pdesc *pd, void *pdhdrs, struct mbuf **m0, u_short *action,
+ u_short *reason)
{
struct mbuf *m = *m0;
@@ -5580,6 +5575,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, void *pdhdrs,
pd->hdr.any = pdhdrs;
pd->af = af;
pd->dir = dir;
+ pd->kif = kif; /* kif is NULL when called by pflog */
pd->sidx = (dir == PF_IN) ? 0 : 1;
pd->didx = (dir == PF_IN) ? 1 : 0;
@@ -5800,17 +5796,17 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, void *pdhdrs,
}
void
-pf_counters_inc(int dir, int action, struct pf_pdesc *pd,
- struct pfi_kif *kif, struct pf_state *s,
+pf_counters_inc(int action, struct pf_pdesc *pd, struct pf_state *s,
struct pf_rule *r, struct pf_rule *a)
{
int dirndx;
- kif->pfik_bytes[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS]
- += pd->tot_len;
- kif->pfik_packets[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS]++;
+ pd->kif->pfik_bytes[pd->af == AF_INET6][pd->dir == PF_OUT]
+ [action != PF_PASS] += pd->tot_len;
+ pd->kif->pfik_packets[pd->af == AF_INET6][pd->dir == PF_OUT]
+ [action != PF_PASS]++;
if (action == PF_PASS || r->action == PF_DROP) {
- dirndx = (dir == PF_OUT);
+ dirndx = (pd->dir == PF_OUT);
r->packets[dirndx]++;
r->bytes[dirndx] += pd->tot_len;
if (a != NULL) {
@@ -5825,7 +5821,7 @@ pf_counters_inc(int dir, int action, struct pf_pdesc *pd,
sni->sn->packets[dirndx]++;
sni->sn->bytes[dirndx] += pd->tot_len;
}
- dirndx = (dir == s->direction) ? 0 : 1;
+ dirndx = (pd->dir == s->direction) ? 0 : 1;
s->packets[dirndx]++;
s->bytes[dirndx] += pd->tot_len;
@@ -5839,14 +5835,14 @@ pf_counters_inc(int dir, int action, struct pf_pdesc *pd,
(s == NULL) ? pd->src :
&s->key[(s->direction == PF_IN)]->
addr[(s->direction == PF_OUT)],
- pd->af, pd->tot_len, dir == PF_OUT,
+ pd->af, pd->tot_len, pd->dir == PF_OUT,
r->action == PF_PASS, r->src.neg);
if (r->dst.addr.type == PF_ADDR_TABLE)
pfr_update_stats(r->dst.addr.p.tbl,
(s == NULL) ? pd->dst :
&s->key[(s->direction == PF_IN)]->
addr[(s->direction == PF_IN)],
- pd->af, pd->tot_len, dir == PF_OUT,
+ pd->af, pd->tot_len, pd->dir == PF_OUT,
r->action == PF_PASS, r->dst.neg);
}
}
@@ -5898,7 +5894,8 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
return (PF_PASS);
}
- if (pf_setup_pdesc(af, dir, &pd, &pdhdrs, m0, &action, &reason) == -1) {
+ if (pf_setup_pdesc(af, dir, kif, &pd, &pdhdrs, m0, &action, &reason)
+ == -1) {
if (action == PF_PASS)
return (PF_PASS);
m = *m0;
@@ -5915,7 +5912,7 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
* handle fragments that aren't reassembled by
* normalization
*/
- action = pf_test_rule(&r, &s, dir, kif, m, &pd, &a, &ruleset);
+ action = pf_test_rule(&r, &s, m, &pd, &a, &ruleset);
if (action != PF_PASS)
REASON_SET(&reason, PFRES_FRAG);
break;
@@ -5924,10 +5921,10 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
case IPPROTO_TCP: {
if ((pd.hdr.tcp->th_flags & TH_ACK) && pd.p_len == 0)
pqid = 1;
- action = pf_normalize_tcp(dir, m, &pd);
+ action = pf_normalize_tcp(m, &pd);
if (action == PF_DROP)
goto done;
- action = pf_test_state_tcp(&s, dir, kif, m, &pd, &reason);
+ action = pf_test_state_tcp(&s, m, &pd, &reason);
if (action == PF_PASS) {
#if NPFSYNC > 0
pfsync_update_state(s);
@@ -5936,8 +5933,7 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
a = s->anchor.ptr;
pd.pflog |= s->log;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, dir, kif,
- m, &pd, &a, &ruleset);
+ action = pf_test_rule(&r, &s, m, &pd, &a, &ruleset);
if (s) {
if (s->max_mss)
@@ -5949,7 +5945,7 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
}
case IPPROTO_UDP: {
- action = pf_test_state_udp(&s, dir, kif, m, &pd);
+ action = pf_test_state_udp(&s, m, &pd);
if (action == PF_PASS) {
#if NPFSYNC > 0
pfsync_update_state(s);
@@ -5958,8 +5954,7 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
a = s->anchor.ptr;
pd.pflog |= s->log;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, dir, kif,
- m, &pd, &a, &ruleset);
+ action = pf_test_rule(&r, &s, m, &pd, &a, &ruleset);
break;
}
@@ -5971,7 +5966,7 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
"dropping IPv6 packet with ICMPv4 payload");
goto done;
}
- action = pf_test_state_icmp(&s, dir, kif, m, &pd, &reason);
+ action = pf_test_state_icmp(&s, m, &pd, &reason);
if (action == PF_PASS) {
#if NPFSYNC > 0
pfsync_update_state(s);
@@ -5980,8 +5975,7 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
a = s->anchor.ptr;
pd.pflog |= s->log;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, dir, kif,
- m, &pd, &a, &ruleset);
+ action = pf_test_rule(&r, &s, m, &pd, &a, &ruleset);
break;
}
@@ -5993,7 +5987,7 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
"dropping IPv4 packet with ICMPv6 payload");
goto done;
}
- action = pf_test_state_icmp(&s, dir, kif, m, &pd, &reason);
+ action = pf_test_state_icmp(&s, m, &pd, &reason);
if (action == PF_PASS) {
#if NPFSYNC > 0
pfsync_update_state(s);
@@ -6002,13 +5996,12 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
a = s->anchor.ptr;
pd.pflog |= s->log;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, dir, kif,
- m, &pd, &a, &ruleset);
+ action = pf_test_rule(&r, &s, m, &pd, &a, &ruleset);
break;
}
default:
- action = pf_test_state_other(&s, dir, kif, m, &pd);
+ action = pf_test_state_other(&s, m, &pd);
if (action == PF_PASS) {
#if NPFSYNC > 0
pfsync_update_state(s);
@@ -6017,8 +6010,7 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
a = s->anchor.ptr;
pd.pflog |= s->log;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, dir, kif,
- m, &pd, &a, &ruleset);
+ action = pf_test_rule(&r, &s, m, &pd, &a, &ruleset);
break;
}
@@ -6062,7 +6054,7 @@ done:
}
}
- if (dir == PF_IN && s && s->key[PF_SK_STACK])
+ if (pd.dir == PF_IN && s && s->key[PF_SK_STACK])
m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK];
#ifdef ALTQ
@@ -6083,10 +6075,10 @@ done:
(pd.af == AF_INET6 && IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)))
m->m_pkthdr.pf.flags |= PF_TAG_TRANSLATE_LOCALHOST;
/* We need to redo the route lookup on outgoing routes. */
- if (pd.destchg && dir == PF_OUT)
+ if (pd.destchg && pd.dir == PF_OUT)
m->m_pkthdr.pf.flags |= PF_TAG_REROUTE;
- if (dir == PF_IN && action == PF_PASS && r->divert.port) {
+ if (pd.dir == PF_IN && action == PF_PASS && r->divert.port) {
struct pf_divert *divert;
if ((divert = pf_get_divert(m))) {
@@ -6110,16 +6102,16 @@ done:
struct pf_rule_item *ri;
if (pd.pflog & PF_LOG_FORCE || r->log & PF_LOG_ALL)
- PFLOG_PACKET(kif, m, dir, reason, r, a, ruleset, &pd);
+ PFLOG_PACKET(m, reason, r, a, ruleset, &pd);
if (s) {
SLIST_FOREACH(ri, &s->match_rules, entry)
if (ri->r->log & PF_LOG_ALL)
- PFLOG_PACKET(kif, m, dir, reason,
+ PFLOG_PACKET(m, reason,
ri->r, a, ruleset, &pd);
}
}
- pf_counters_inc(dir, action, &pd, kif, s, r, a);
+ pf_counters_inc(action, &pd, s, r, a);
switch (action) {
case PF_SYNPROXY_DROP:
@@ -6130,10 +6122,10 @@ done:
break;
case PF_DIVERT:
if (pd.af == AF_INET)
- divert_packet(m, dir);
+ divert_packet(m, pd.dir);
#ifdef INET6
if (pd.af == AF_INET6)
- divert6_packet(m, dir);
+ divert6_packet(m, pd.dir);
#endif
*m0 = NULL;
action = PF_PASS;
@@ -6142,10 +6134,10 @@ done:
/* pf_route can free the mbuf causing *m0 to become NULL */
if (r->rt) {
if (pd.af == AF_INET)
- pf_route(m0, r, dir, kif->pfik_ifp, s);
+ pf_route(m0, r, pd.dir, pd.kif->pfik_ifp, s);
#ifdef INET6
if (pd.af == AF_INET6)
- pf_route6(m0, r, dir, kif->pfik_ifp, s);
+ pf_route6(m0, r, pd.dir, pd.kif->pfik_ifp, s);
#endif
}
break;
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 276ce078c63..f0602fe581b 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.142 2011/09/19 12:51:52 bluhm Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.143 2011/09/20 10:51:18 bluhm Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -808,7 +808,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, int off, int extoff,
#endif /* INET6 */
int
-pf_normalize_tcp(int dir, struct mbuf *m, struct pf_pdesc *pd)
+pf_normalize_tcp(struct mbuf *m, struct pf_pdesc *pd)
{
struct tcphdr *th = pd->hdr.tcp;
u_short reason;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 03059b22d78..54ddabd9984 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.348 2011/09/19 12:51:52 bluhm Exp $ */
+/* $OpenBSD: pfvar.h,v 1.349 2011/09/20 10:51:18 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1234,6 +1234,7 @@ struct pf_pdesc {
struct pf_addr nsaddr; /* src address after NAT */
struct pf_addr ndaddr; /* dst address after NAT */
+ struct pfi_kif *kif; /* incomming interface */
struct ether_header
*eh;
struct pf_addr *src; /* src address */
@@ -1772,8 +1773,8 @@ void pf_purge_rule(struct pf_ruleset *,
struct pf_rule *);
struct pf_divert *pf_find_divert(struct mbuf *);
int pf_setup_pdesc(sa_family_t, int,
- struct pf_pdesc *, void *, struct mbuf **,
- u_short *, u_short *);
+ struct pfi_kif *, struct pf_pdesc *, void *,
+ struct mbuf **, u_short *, u_short *);
int pf_test(sa_family_t, int, struct ifnet *, struct mbuf **,
struct ether_header *);
@@ -1787,9 +1788,8 @@ void pf_addr_inc(struct pf_addr *, sa_family_t);
void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
sa_family_t);
void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t);
-int pflog_packet(struct pfi_kif *, struct mbuf *, u_int8_t,
- u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *,
- struct pf_pdesc *);
+int pflog_packet(struct mbuf *, u_int8_t, struct pf_rule *,
+ struct pf_rule *, struct pf_ruleset *, struct pf_pdesc *);
void pf_send_deferred_syn(struct pf_state *);
int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *,
struct pf_addr *, sa_family_t);
@@ -1804,13 +1804,13 @@ int pf_refragment6(struct mbuf **, struct m_tag *mtag, int);
void pf_normalize_init(void);
int pf_normalize_ip(struct mbuf **, int, u_short *);
int pf_normalize_ip6(struct mbuf **, int, int, int, u_short *);
-int pf_normalize_tcp(int, struct mbuf *, struct pf_pdesc *);
+int pf_normalize_tcp(struct mbuf *, struct pf_pdesc *);
void pf_normalize_tcp_cleanup(struct pf_state *);
int pf_normalize_tcp_init(struct mbuf *, struct pf_pdesc *,
struct pf_state_peer *, struct pf_state_peer *);
int pf_normalize_tcp_stateful(struct mbuf *, struct pf_pdesc *,
- u_short *, struct pf_state *,
- struct pf_state_peer *, struct pf_state_peer *, int *);
+ u_short *, struct pf_state *, struct pf_state_peer *,
+ struct pf_state_peer *, int *);
int pf_normalize_mss(struct mbuf *, struct pf_pdesc *, u_int16_t);
void pf_scrub(struct mbuf *, u_int16_t, sa_family_t, u_int8_t, u_int8_t);
u_int32_t
@@ -1820,7 +1820,7 @@ int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *,
int);
int pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *,
int);
-int pf_socket_lookup(int, struct pf_pdesc *);
+int pf_socket_lookup(struct pf_pdesc *);
struct pf_state_key *pf_alloc_state_key(int);
void pf_pkt_addr_changed(struct mbuf *);
int pf_state_key_attach(struct pf_state_key *, struct pf_state *, int);
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-14 05:08:09 +0000