/* $OpenBSD: pf.c,v 1.8 2001/06/24 21:50:29 deraadt Exp $ */ /* * Copyright (c) 2001, Daniel Hartmeier * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * - Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * - Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* * Tree data structure */ struct tree_node { struct tree_key { u_int8_t proto; u_int32_t addr[2]; u_int16_t port[2]; } key; struct state *state; signed char balance; struct tree_node *left, *right; }; /* * Global variables */ struct rule *rulehead = NULL; struct nat *nathead = NULL; struct rdr *rdrhead = NULL; struct state *statehead = NULL; struct tree_node *tree_lan_ext = NULL, *tree_ext_gwy = NULL; struct timeval tv; struct status status; struct ifnet *status_ifp = NULL; u_int32_t last_purge = 0; u_int16_t next_port_tcp = 50001, next_port_udp = 50001; /* * Prototypes */ signed char tree_key_compare (struct tree_key *a, struct tree_key *b); void tree_rotate_left (struct tree_node **p); void tree_rotate_right (struct tree_node **p); int tree_insert (struct tree_node **p, struct tree_key *key, struct state *state); int tree_remove (struct tree_node **p, struct tree_key *key); struct state *find_state (struct tree_node *p, struct tree_key *key); void insert_state (struct state *state); void purge_expired_states (void); void print_ip (struct ifnet *ifp, struct ip *h); void print_host (u_int32_t a, u_int16_t p); void print_state (int direction, struct state *s); void print_flags (u_int8_t f); void pfattach (int num); int pfopen (dev_t dev, int flags, int fmt, struct proc *p); int pfclose (dev_t dev, int flags, int fmt, struct proc *p); int pfioctl (dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p); u_short fix (u_short cksum, u_short old, u_short new); void change_ap (u_int32_t *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, u_int32_t an, u_int16_t pn); void change_a (u_int32_t *a, u_int16_t *c, u_int32_t an); void change_icmp (u_int32_t *ia, u_int16_t *ip, u_int32_t *oa, u_int32_t na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, u_int16_t *ic, u_int16_t *hc); void send_reset (int direction, struct ifnet *ifp, struct ip *h, struct tcphdr *th); int match_addr (u_int8_t n, u_int32_t a, u_int32_t m, u_int32_t b); int match_port (u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p); struct nat *get_nat (struct ifnet *ifp, u_int8_t proto, u_int32_t addr); struct rdr *get_rdr (struct ifnet *ifp, u_int8_t proto, u_int32_t addr, u_int16_t port); int pf_test_tcp (int direction, struct ifnet *ifp, struct ip *h, struct tcphdr *th); int pf_test_udp (int direction, struct ifnet *ifp, struct ip *h, struct udphdr *uh); int pf_test_icmp (int direction, struct ifnet *ifp, struct ip *h, struct icmp *ih); struct state *pf_test_state_tcp (int direction, struct ifnet *ifp, struct ip *h, struct tcphdr *th); struct state *pf_test_state_udp (int direction, struct ifnet *ifp, struct ip *h, struct udphdr *uh); struct state *pf_test_state_icmp (int direction, struct ifnet *ifp, struct ip *h, struct icmp *ih); void *pull_hdr (struct ifnet *ifp, struct mbuf **m, struct ip *h, int off, int *action, u_int8_t len); int pf_test (int direction, struct ifnet *ifp, struct mbuf **m); /* ------------------------------------------------------------------------ */ inline signed char tree_key_compare(struct tree_key *a, struct tree_key *b) { /* * could use memcmp(), but with the best manual order, we can * minimize the number of average compares. what is faster? */ if (a->proto < b->proto ) return -1; if (a->proto > b->proto ) return 1; if (a->addr[0] < b->addr[0]) return -1; if (a->addr[0] > b->addr[0]) return 1; if (a->addr[1] < b->addr[1]) return -1; if (a->addr[1] > b->addr[1]) return 1; if (a->port[0] < b->port[0]) return -1; if (a->port[0] > b->port[0]) return 1; if (a->port[1] < b->port[1]) return -1; if (a->port[1] > b->port[1]) return 1; return 0; } inline void tree_rotate_left(struct tree_node **p) { struct tree_node *q = *p; *p = (*p)->right; q->right = (*p)->left; (*p)->left = q; q->balance--; if ((*p)->balance > 0) q->balance -= (*p)->balance; (*p)->balance--; if (q->balance < 0) (*p)->balance += q->balance; } inline void tree_rotate_right(struct tree_node **p) { struct tree_node *q = *p; *p = (*p)->left; q->left = (*p)->right; (*p)->right = q; q->balance++; if ((*p)->balance < 0) q->balance -= (*p)->balance; (*p)->balance++; if (q->balance > 0) (*p)->balance += q->balance; } int tree_insert(struct tree_node **p, struct tree_key *key, struct state *state) { int deltaH = 0; if (*p == NULL) { *p = malloc(sizeof(struct tree_node), M_DEVBUF, M_NOWAIT); if (*p == NULL) { printf("packetfilter: malloc() failed\n"); return 0; } memcpy(&(*p)->key, key, sizeof(struct tree_key)); (*p)->state = state; (*p)->balance = 0; (*p)->left = (*p)->right = NULL; deltaH = 1; } else if (tree_key_compare(key, &(*p)->key) > 0) { if (tree_insert(&(*p)->right, key, state)) { (*p)->balance++; if ((*p)->balance == 1) deltaH = 1; else if ((*p)->balance == 2) { if ((*p)->right->balance == -1) tree_rotate_right(&(*p)->right); tree_rotate_left(p); } } } else { if (tree_insert(&(*p)->left, key, state)) { (*p)->balance--; if ((*p)->balance == -1) deltaH = 1; else if ((*p)->balance == -2) { if ((*p)->left->balance == 1) tree_rotate_left(&(*p)->left); tree_rotate_right(p); } } } return deltaH; } int tree_remove(struct tree_node **p, struct tree_key *key) { int deltaH = 0; signed char c; if (*p == NULL) return 0; c = tree_key_compare(key, &(*p)->key); if (c < 0) { if (tree_remove(&(*p)->left, key)) { (*p)->balance++; if ((*p)->balance == 0) deltaH = 1; else if ((*p)->balance == 2) { if ((*p)->right->balance == -1) tree_rotate_right(&(*p)->right); tree_rotate_left(p); if ((*p)->balance == 0) deltaH = 1; } } } else if (c > 0) { if (tree_remove(&(*p)->right, key)) { (*p)->balance--; if ((*p)->balance == 0) deltaH = 1; else if ((*p)->balance == -2) { if ((*p)->left->balance == 1) tree_rotate_left(&(*p)->left); tree_rotate_right(p); if ((*p)->balance == 0) deltaH = 1; } } } else { if ((*p)->right == NULL) { struct tree_node *p0 = *p; *p = (*p)->left; free(p0, M_DEVBUF); deltaH = 1; } else if ((*p)->left == NULL) { struct tree_node *p0 = *p; *p = (*p)->right; free(p0, M_DEVBUF); deltaH = 1; } else { struct tree_node **qq = &(*p)->left; while ((*qq)->right != NULL) qq = &(*qq)->right; memcpy(&(*p)->key, &(*qq)->key, sizeof(struct tree_key)); (*p)->state = (*qq)->state; memcpy(&(*qq)->key, key, sizeof(struct tree_key)); if (tree_remove(&(*p)->left, key)) { (*p)->balance++; if ((*p)->balance == 0) deltaH = 1; else if ((*p)->balance == 2) { if ((*p)->right->balance == -1) tree_rotate_right(&(*p)->right); tree_rotate_left(p); if ((*p)->balance == 0) deltaH = 1; } } } } return deltaH; } inline struct state * find_state(struct tree_node *p, struct tree_key *key) { signed char c; while ((p != NULL) && (c = tree_key_compare(&p->key, key))) p = (c > 0) ? p->left : p->right; status.state_searches++; return p ? p->state : NULL; } void insert_state(struct state *state) { struct tree_key key; key.proto = state->proto; key.addr[0] = state->lan.addr; key.port[0] = state->lan.port; key.addr[1] = state->ext.addr; key.port[1] = state->ext.port; /* sanity checks can be removed later, should never occur */ if (find_state(tree_lan_ext, &key) != NULL) printf("packetfilter: ERROR! insert invalid\n"); else { tree_insert(&tree_lan_ext, &key, state); if (find_state(tree_lan_ext, &key) != state) printf("packetfilter: ERROR! insert failed\n"); } key.proto = state->proto; key.addr[0] = state->ext.addr; key.port[0] = state->ext.port; key.addr[1] = state->gwy.addr; key.port[1] = state->gwy.port; if (find_state(tree_ext_gwy, &key) != NULL) printf("packetfilter: ERROR! insert invalid\n"); else { tree_insert(&tree_ext_gwy, &key, state); if (find_state(tree_ext_gwy, &key) != state) printf("packetfilter: ERROR! insert failed\n"); } state->next = statehead; statehead = state; status.state_inserts++; status.states++; } void purge_expired_states(void) { struct tree_key key; struct state *cur = statehead, *prev = NULL; while (cur != NULL) { if (cur->expire <= tv.tv_sec) { key.proto = cur->proto; key.addr[0] = cur->lan.addr; key.port[0] = cur->lan.port; key.addr[1] = cur->ext.addr; key.port[1] = cur->ext.port; /* sanity checks can be removed later */ if (find_state(tree_lan_ext, &key) != cur) printf("packetfilter: ERROR! remove invalid\n"); tree_remove(&tree_lan_ext, &key); if (find_state(tree_lan_ext, &key) != NULL) printf("packetfilter: ERROR! remove failed\n"); key.proto = cur->proto; key.addr[0] = cur->ext.addr; key.port[0] = cur->ext.port; key.addr[1] = cur->gwy.addr; key.port[1] = cur->gwy.port; if (find_state(tree_ext_gwy, &key) != cur) printf("packetfilter: ERROR! remove invalid\n"); tree_remove(&tree_ext_gwy, &key); if (find_state(tree_ext_gwy, &key) != NULL) printf("packetfilter: ERROR! remove failed\n"); (prev ? prev->next : statehead) = cur->next; free(cur, M_DEVBUF); cur = (prev ? prev->next : statehead); status.state_removals++; status.states--; } else { prev = cur; cur = cur->next; } } } /* ------------------------------------------------------------------------ */ inline void print_ip(struct ifnet *ifp, struct ip *h) { u_int32_t a; printf(" %s:", ifp->if_xname); a = ntohl(h->ip_src.s_addr); printf(" %u.%u.%u.%u", (a>>24)&255, (a>>16)&255, (a>>8)&255, a&255); a = ntohl(h->ip_dst.s_addr); printf(" -> %u.%u.%u.%u", (a>>24)&255, (a>>16)&255, (a>>8)&255, a&255); printf(" hl=%u len=%u id=%u", h->ip_hl << 2, h->ip_len - (h->ip_hl << 2), h->ip_id); if (h->ip_off & IP_RF) printf(" RF"); if (h->ip_off & IP_DF) printf(" DF"); if (h->ip_off & IP_MF) printf(" MF"); printf(" off=%u proto=%u\n", (h->ip_off & IP_OFFMASK) << 3, h->ip_p); } void print_host(u_int32_t a, u_int16_t p) { a = ntohl(a); p = ntohs(p); printf("%u.%u.%u.%u:%u", (a>>24)&255, (a>>16)&255, (a>>8)&255, a&255, p); } void print_state(int direction, struct state *s) { print_host(s->lan.addr, s->lan.port); printf(" "); print_host(s->gwy.addr, s->gwy.port); printf(" "); print_host(s->ext.addr, s->ext.port); printf(" [%lu+%lu]", s->src.seqlo, s->src.seqhi - s->src.seqlo); printf(" [%lu+%lu]", s->dst.seqlo, s->dst.seqhi - s->dst.seqlo); printf(" %u:%u", s->src.state, s->dst.state); } void print_flags(u_int8_t f) { if (f) printf(" "); if (f & TH_FIN ) printf("F"); if (f & TH_SYN ) printf("S"); if (f & TH_RST ) printf("R"); if (f & TH_PUSH) printf("P"); if (f & TH_ACK ) printf("A"); if (f & TH_URG ) printf("U"); } /* ------------------------------------------------------------------------ */ void pfattach(int num) { memset(&status, 0, sizeof(struct status)); printf("packetfilter: attached\n"); } /* ------------------------------------------------------------------------ */ int pfopen(dev_t dev, int flags, int fmt, struct proc *p) { if (minor(dev) >= 1) return ENXIO; return NO_ERROR; } /* ------------------------------------------------------------------------ */ int pfclose(dev_t dev, int flags, int fmt, struct proc *p) { if (minor(dev) >= 1) return ENXIO; return NO_ERROR; } /* ------------------------------------------------------------------------ */ int pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) { int error = NO_ERROR; struct ioctlbuffer *ub; void *kb = NULL; int s; if (!(flags & FWRITE)) return EACCES; if ((cmd != DIOCSTART) && (cmd != DIOCSTOP) && (cmd != DIOCCLRSTATES)) { ub = (struct ioctlbuffer *)addr; if (ub == NULL) return ERROR_INVALID_PARAMETERS; kb = malloc(ub->size, M_DEVBUF, M_NOWAIT); if (kb == NULL) return ERROR_MALLOC; if (copyin(ub->buffer, kb, ub->size)) { free(kb, M_DEVBUF); return ERROR_INVALID_PARAMETERS; } } s = splsoftnet(); microtime(&tv); if (tv.tv_sec - last_purge >= 10) { purge_expired_states(); last_purge = tv.tv_sec; } switch (cmd) { case DIOCSTART: if (status.running) error = ERROR_ALREADY_RUNNING; else { u_int32_t states = status.states; memset(&status, 0, sizeof(struct status)); status.running = 1; status.states = states; status.since = tv.tv_sec; printf("packetfilter: started\n"); } break; case DIOCSTOP: if (!status.running) error = ERROR_NOT_RUNNING; else { status.running = 0; printf("packetfilter: stopped\n"); } break; case DIOCSETRULES: { struct rule *rules = (struct rule *)kb, *ruletail = NULL; u_int16_t n; while (rulehead != NULL) { struct rule *next = rulehead->next; free(rulehead, M_DEVBUF); rulehead = next; } for (n = 0; n < ub->entries; ++n) { struct rule *rule; rule = malloc(sizeof(struct rule), M_DEVBUF, M_NOWAIT); if (rule == NULL) { error = ERROR_MALLOC; goto done; } memcpy(rule, rules + n, sizeof(struct rule)); rule->ifp = NULL; if (rule->ifname[0]) { rule->ifp = ifunit(rule->ifname); if (rule->ifp == NULL) { free(rule, M_DEVBUF); error = ERROR_INVALID_PARAMETERS; goto done; } } rule->next = NULL; if (ruletail != NULL) { ruletail->next = rule; ruletail = rule; } else rulehead = ruletail = rule; } break; } case DIOCGETRULES: { struct rule *rules = (struct rule *)kb; struct rule *rule = rulehead; u_int16_t n = 0; while ((rule != NULL) && (n < ub->entries)) { memcpy(rules + n, rule, sizeof(struct rule)); n++; rule = rule->next; } ub->entries = n; break; } case DIOCSETNAT: { struct nat *nats = (struct nat *)kb; u_int16_t n; while (nathead != NULL) { struct nat *next = nathead->next; free(nathead, M_DEVBUF); nathead = next; } for (n = 0; n < ub->entries; ++n) { struct nat *nat; nat = malloc(sizeof(struct nat), M_DEVBUF, M_NOWAIT); if (nat == NULL) { error = ERROR_MALLOC; goto done; } memcpy(nat, nats + n, sizeof(struct nat)); nat->ifp = ifunit(nat->ifname); if (nat->ifp == NULL) { free(nat, M_DEVBUF); error = ERROR_INVALID_PARAMETERS; goto done; } nat->next = nathead; nathead = nat; } break; } case DIOCGETNAT: { struct nat *nats = (struct nat *)kb; struct nat *nat = nathead; u_int16_t n = 0; while ((nat != NULL) && (n < ub->entries)) { memcpy(nats + n, nat, sizeof(struct nat)); n++; nat = nat->next; } ub->entries = n; break; } case DIOCSETRDR: { struct rdr *rdrs = (struct rdr *)kb; u_int16_t n; while (rdrhead != NULL) { struct rdr *next = rdrhead->next; free(rdrhead, M_DEVBUF); rdrhead = next; } for (n = 0; n < ub->entries; ++n) { struct rdr *rdr; rdr = malloc(sizeof(struct rdr), M_DEVBUF, M_NOWAIT); if (rdr == NULL) { error = ERROR_MALLOC; goto done; } memcpy(rdr, rdrs + n, sizeof(struct rdr)); rdr->ifp = ifunit(rdr->ifname); if (rdr->ifp == NULL) { free(rdr, M_DEVBUF); error = ERROR_INVALID_PARAMETERS; goto done; } rdr->next = rdrhead; rdrhead = rdr; } break; } case DIOCGETRDR: { struct rdr *rdrs = (struct rdr *)kb; struct rdr *rdr = rdrhead; u_int16_t n = 0; while ((rdr != NULL) && (n < ub->entries)) { memcpy(rdrs + n, rdr, sizeof(struct rdr)); n++; rdr = rdr->next; } ub->entries = n; break; } case DIOCCLRSTATES: { struct state *state = statehead; while (state != NULL) { state->expire = 0; state = state->next; } purge_expired_states(); break; } case DIOCGETSTATES: { struct state *states = (struct state *)kb; struct state *state; u_int16_t n = 0; state = statehead; while ((state != NULL) && (n < ub->entries)) { memcpy(states + n, state, sizeof(struct state)); states[n].creation = tv.tv_sec - states[n].creation; if (states[n].expire <= tv.tv_sec) states[n].expire = 0; else states[n].expire -= tv.tv_sec; n++; state = state->next; } ub->entries = n; break; } case DIOCSETSTATUSIF: { char *ifname = (char *)kb; struct ifnet *ifp = ifunit(ifname); if (ifp == NULL) error = ERROR_INVALID_PARAMETERS; else status_ifp = ifp; break; } case DIOCGETSTATUS: { struct status *st = (struct status *)kb; u_int8_t running = status.running; u_int32_t states = status.states; memcpy(st, &status, sizeof(struct status)); st->since = st->since ? tv.tv_sec - st->since : 0; ub->entries = 1; memset(&status, 0, sizeof(struct status)); status.running = running; status.states = states; status.since = tv.tv_sec; break; } default: error = ERROR_INVALID_OP; break; } done: splx(s); if (kb != NULL) { if (copyout(kb, ub->buffer, ub->size)) error = ERROR_INVALID_PARAMETERS; free(kb, M_DEVBUF); } return error; } /* ------------------------------------------------------------------------ */ inline u_short fix(u_short cksum, u_short old, u_short new) { u_long l = cksum + old - new; l = (l >> 16) + (l & 65535); l = l & 65535; return l ? l : 65535; } void change_ap(u_int32_t *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, u_int32_t an, u_int16_t pn) { u_int32_t ao = *a; u_int16_t po = *p; *a = an; *ic = fix(fix(*ic, ao / 65536, an / 65536), ao % 65536, an % 65536); *p = pn; *pc = fix(fix(fix(*pc, ao / 65536, an / 65536), ao % 65536, an % 65536), po, pn); } void change_a(u_int32_t *a, u_int16_t *c, u_int32_t an) { u_int32_t ao = *a; *a = an; *c = fix(fix(*c, ao / 65536, an / 65536), ao % 65536, an % 65536); } void change_icmp(u_int32_t *ia, u_int16_t *ip, u_int32_t *oa, u_int32_t na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, u_int16_t *ic, u_int16_t *hc) { u_int32_t oia = *ia, ooa = *oa, opc = *pc, oh2c = *h2c; u_int16_t oip = *ip; // change inner protocol port, fix inner protocol checksum *ip = np; *pc = fix(*pc, oip, *ip); *ic = fix(*ic, oip, *ip); *ic = fix(*ic, opc, *pc); // change inner ip address, fix inner ip checksum and icmp checksum *ia = na; *h2c = fix(fix(*h2c, oia / 65536, *ia / 65536), oia % 65536, *ia % 65536); *ic = fix(fix(*ic, oia / 65536, *ia / 65536), oia % 65536, *ia % 65536); *ic = fix(*ic, oh2c, *h2c); // change outer ip address, fix outer ip checksum *oa = na; *hc = fix(fix(*hc, ooa / 65536, *oa / 65536), ooa % 65536, *oa % 65536); } /* ------------------------------------------------------------------------ */ void send_reset(int direction, struct ifnet *ifp, struct ip *h, struct tcphdr *th) { struct mbuf *m; int len = sizeof(struct ip) + sizeof(struct tcphdr); struct ip *h2; struct tcphdr *th2; /* don't reply to RST packets */ if (th->th_flags & TH_RST) return; /* create outgoing mbuf */ m = m_gethdr(M_DONTWAIT, MT_HEADER); if (m == NULL) return; m->m_data += max_linkhdr; m->m_pkthdr.len = m->m_len = len; m->m_pkthdr.rcvif = NULL; bzero((caddr_t)m->m_data, len); h2 = mtod(m, struct ip *); /* IP header fields included in the TCP checksum */ h2->ip_p = IPPROTO_TCP; h2->ip_len = htons(sizeof(struct tcphdr)); h2->ip_src.s_addr = h->ip_dst.s_addr; h2->ip_dst.s_addr = h->ip_src.s_addr; /* TCP header */ th2 = (struct tcphdr *)((caddr_t)h2 + sizeof(struct ip)); th2->th_sport = th->th_dport; th2->th_dport = th->th_sport; if (th->th_flags & TH_ACK) { th2->th_seq = th->th_ack; th2->th_flags = TH_RST; } else { int tlen = h->ip_len - ((h->ip_hl + th->th_off) << 2) + ((th->th_flags & TH_SYN) ? 1 : 0) + ((th->th_flags & TH_FIN) ? 1 : 0); th2->th_ack = htonl(ntohl(th->th_seq) + tlen); th2->th_flags = TH_RST | TH_ACK; } th2->th_off = sizeof(*th2) >> 2; /* TCP checksum */ th2->th_sum = in_cksum(m, len); /* Finish the IP header */ h2->ip_v = 4; h2->ip_hl = sizeof(struct ip) >> 2; h2->ip_len = htons(len); h2->ip_ttl = 128; h2->ip_sum = 0; /* IP header checksum */ h2->ip_sum = in_cksum(m, sizeof(struct ip)); if (direction == PF_IN) { /* set up route and send RST out through the same interface */ struct route iproute; struct route *ro = &iproute; struct sockaddr_in *dst; int error; bzero((caddr_t)ro, sizeof(*ro)); dst = (struct sockaddr_in *)&ro->ro_dst; dst->sin_family = AF_INET; dst->sin_addr = h2->ip_dst; dst->sin_len = sizeof(*dst); rtalloc(ro); if (ro->ro_rt != NULL) ro->ro_rt->rt_use++; error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); } else { /* send RST through the loopback interface */ struct sockaddr_in dst; dst.sin_family = AF_INET; dst.sin_addr = h2->ip_dst; dst.sin_len = sizeof(struct sockaddr_in); m->m_pkthdr.rcvif = ifp; looutput(lo0ifp, m, sintosa(&dst), NULL); } return; } /* ------------------------------------------------------------------------ */ inline int match_addr(u_int8_t n, u_int32_t a, u_int32_t m, u_int32_t b) { return n == !((a & m) == (b & m)); } inline int match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p) { switch (op) { case 1: return (p >= a1) && (p <= a2); case 2: return p == a1; case 3: return p != a1; case 4: return p < a1; case 5: return p <= a1; case 6: return p > a1; case 7: return p >= a1; } return 0; /* never reached */ } /* ------------------------------------------------------------------------ */ struct nat * get_nat(struct ifnet *ifp, u_int8_t proto, u_int32_t addr) { struct nat *n = nathead, *nm = NULL; while ((n != NULL) && (nm == NULL)) { if ((n->ifp == ifp) && (!n->proto || (n->proto == proto)) && match_addr(n->not, n->saddr, n->smask, addr)) nm = n; else n = n->next; } return nm; } struct rdr * get_rdr(struct ifnet *ifp, u_int8_t proto, u_int32_t addr, u_int16_t port) { struct rdr *r = rdrhead, *rm = NULL; while ((r != NULL) && (rm == NULL)) { if ((r->ifp == ifp) && (!r->proto || (r->proto == proto)) && match_addr(r->not, r->daddr, r->dmask, addr) && (r->dport == port)) rm = r; else r = r->next; } return rm; } /* ------------------------------------------------------------------------ */ int pf_test_tcp(int direction, struct ifnet *ifp, struct ip *h, struct tcphdr *th) { struct nat *nat = NULL; struct rdr *rdr = NULL; u_int32_t baddr; u_int16_t bport; struct rule *r = rulehead, *rm = NULL; u_int16_t nr = 1, mnr = 0; if (direction == PF_OUT) { /* check outgoing packet for NAT */ if ((nat = get_nat(ifp, IPPROTO_TCP, h->ip_src.s_addr)) != NULL) { baddr = h->ip_src.s_addr; bport = th->th_sport; change_ap(&h->ip_src.s_addr, &th->th_sport, &h->ip_sum, &th->th_sum, nat->daddr, htons(next_port_tcp)); } } else { /* check incoming packet for RDR */ if ((rdr = get_rdr(ifp, IPPROTO_TCP, h->ip_dst.s_addr, th->th_dport)) != NULL) { baddr = h->ip_dst.s_addr; bport = th->th_dport; change_ap(&h->ip_dst.s_addr, &th->th_dport, &h->ip_sum, &th->th_sum, rdr->raddr, rdr->rport); } } while (r != NULL) { if ((r->direction == direction) && ((r->ifp == NULL) || (r->ifp == ifp)) && (!r->proto || (r->proto == IPPROTO_TCP)) && ((th->th_flags & r->flagset) == r->flags) && (!r->src.addr || match_addr(r->src.not, r->src.addr, r->src.mask, h->ip_src.s_addr)) && (!r->dst.addr || match_addr(r->dst.not, r->dst.addr, r->dst.mask, h->ip_dst.s_addr)) && (!r->dst.port_op || match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], th->th_dport)) && (!r->src.port_op || match_port(r->src.port_op, r->src.port[0], r->src.port[1], th->th_sport)) ) { rm = r; mnr = nr; if (r->quick) break; } r = r->next; nr++; } if ((rm != NULL) && rm->log) { u_int32_t seq = ntohl(th->th_seq); u_int16_t len = h->ip_len - ((h->ip_hl + th->th_off) << 2); printf("packetfilter: @%u", mnr); printf(" %s %s", rm->action ? "block" : "pass", direction ? "in" : "out"); printf(" on %s proto tcp", ifp->if_xname); printf(" from "); print_host(h->ip_src.s_addr, th->th_sport); printf(" to "); print_host(h->ip_dst.s_addr, th->th_dport); print_flags(th->th_flags); if (len || (th->th_flags & (TH_SYN | TH_FIN | TH_RST))) printf(" %lu:%lu(%u)", seq, seq + len, len); if (th->th_ack) printf(" ack=%lu", ntohl(th->th_ack)); printf("\n"); } if ((rm != NULL) && (rm->action == PF_DROP_RST)) { /* undo NAT/RST changes, if they have taken place */ if (nat != NULL) change_ap(&h->ip_src.s_addr, &th->th_sport, &h->ip_sum, &th->th_sum, baddr, bport); else if (rdr != NULL) change_ap(&h->ip_dst.s_addr, &th->th_dport, &h->ip_sum, &th->th_sum, baddr, bport); send_reset(direction, ifp, h, th); return PF_DROP; } if ((rm != NULL) && (rm->action == PF_DROP)) return PF_DROP; if (((rm != NULL) && rm->keep_state) || (nat != NULL) || (rdr != NULL)) { /* create new state */ u_int16_t len = h->ip_len - ((h->ip_hl + th->th_off) << 2); struct state *s = malloc(sizeof(struct state), M_DEVBUF, M_NOWAIT); if (s == NULL) { printf("packetfilter: malloc() failed\n"); return PF_DROP; } s->proto = IPPROTO_TCP; s->direction = direction; if (direction == PF_OUT) { s->gwy.addr = h->ip_src.s_addr; s->gwy.port = th->th_sport; s->ext.addr = h->ip_dst.s_addr; s->ext.port = th->th_dport; if (nat != NULL) { s->lan.addr = baddr; s->lan.port = bport; next_port_tcp++; if (next_port_tcp == 65535) next_port_tcp = 50001; } else { s->lan.addr = s->gwy.addr; s->lan.port = s->gwy.port; } } else { s->lan.addr = h->ip_dst.s_addr; s->lan.port = th->th_dport; s->ext.addr = h->ip_src.s_addr; s->ext.port = th->th_sport; if (rdr != NULL) { s->gwy.addr = baddr; s->gwy.port = bport; } else { s->gwy.addr = s->lan.addr; s->gwy.port = s->lan.port; } } s->src.seqlo = ntohl(th->th_seq) + len; // ??? s->src.seqhi = s->src.seqlo + 1; s->src.state = 1; s->dst.seqlo = 0; s->dst.seqhi = 0; s->dst.state = 0; s->creation = tv.tv_sec; s->expire = tv.tv_sec + 60; s->packets = 1; s->bytes = len; insert_state(s); } return PF_PASS; } int pf_test_udp(int direction, struct ifnet *ifp, struct ip *h, struct udphdr *uh) { struct nat *nat = NULL; struct rdr *rdr = NULL; u_int32_t baddr; u_int16_t bport; struct rule *r = rulehead, *rm = NULL; u_int16_t nr = 1, mnr = 0; if (direction == PF_OUT) { /* check outgoing packet for NAT */ if ((nat = get_nat(ifp, IPPROTO_UDP, h->ip_src.s_addr)) != NULL) { baddr = h->ip_src.s_addr; bport = uh->uh_sport; change_ap(&h->ip_src.s_addr, &uh->uh_sport, &h->ip_sum, &uh->uh_sum, nat->daddr, htons(next_port_udp)); } } else { /* check incoming packet for RDR */ if ((rdr = get_rdr(ifp, IPPROTO_UDP, h->ip_dst.s_addr, uh->uh_dport)) != NULL) { baddr = h->ip_dst.s_addr; bport = uh->uh_dport; change_ap(&h->ip_dst.s_addr, &uh->uh_dport, &h->ip_sum, &uh->uh_sum, rdr->raddr, rdr->rport); } } while (r != NULL) { if ((r->direction == direction) && ((r->ifp == NULL) || (r->ifp == ifp)) && (!r->proto || (r->proto == IPPROTO_UDP)) && (!r->src.addr || match_addr(r->src.not, r->src.addr, r->src.mask, h->ip_src.s_addr)) && (!r->dst.addr || match_addr(r->dst.not, r->dst.addr, r->dst.mask, h->ip_dst.s_addr)) && (!r->dst.port_op || match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], uh->uh_dport)) && (!r->src.port_op || match_port(r->src.port_op, r->src.port[0], r->src.port[1], uh->uh_sport)) ) { rm = r; mnr = nr; if (r->quick) break; } r = r->next; nr++; } if ((rm != NULL) && rm->log) { printf("packetfilter: @%u", mnr); printf(" %s %s", rm->action ? "block" : "pass", direction ? "in" : "out"); printf(" on %s proto udp", ifp->if_xname); printf(" from "); print_host(h->ip_src.s_addr, uh->uh_sport); printf(" to "); print_host(h->ip_dst.s_addr, uh->uh_dport); printf("\n"); } if ((rm != NULL) && (rm->action != PF_PASS)) return PF_DROP; if (((rm != NULL) && rm->keep_state) || (nat != NULL) || (rdr != NULL)) { /* create new state */ u_int16_t len = h->ip_len - (h->ip_hl << 2) - 8; struct state *s = malloc(sizeof(struct state), M_DEVBUF, M_NOWAIT); if (s == NULL) { printf("packetfilter: malloc() failed\n"); return PF_DROP; } s->proto = IPPROTO_UDP; s->direction = direction; if (direction == PF_OUT) { s->gwy.addr = h->ip_src.s_addr; s->gwy.port = uh->uh_sport; s->ext.addr = h->ip_dst.s_addr; s->ext.port = uh->uh_dport; if (nat != NULL) { s->lan.addr = baddr; s->lan.port = bport; next_port_udp++; if (next_port_udp == 65535) next_port_udp = 50001; } else { s->lan.addr = s->gwy.addr; s->lan.port = s->gwy.port; } } else { s->lan.addr = h->ip_dst.s_addr; s->lan.port = uh->uh_dport; s->ext.addr = h->ip_src.s_addr; s->ext.port = uh->uh_sport; if (rdr != NULL) { s->gwy.addr = baddr; s->gwy.port = bport; } else { s->gwy.addr = s->lan.addr; s->gwy.port = s->lan.port; } } s->src.seqlo = 0; s->src.seqhi = 0; s->src.state = 1; s->dst.seqlo = 0; s->dst.seqhi = 0; s->dst.state = 0; s->creation = tv.tv_sec; s->expire = tv.tv_sec + 30; s->packets = 1; s->bytes = len; insert_state(s); } return PF_PASS; } int pf_test_icmp(int direction, struct ifnet *ifp, struct ip *h, struct icmp *ih) { struct nat *nat = NULL; u_int32_t baddr; struct rule *r = rulehead, *rm = NULL; u_int16_t nr = 1, mnr = 0; if (direction == PF_OUT) { /* check outgoing packet for NAT */ if ((nat = get_nat(ifp, IPPROTO_ICMP, h->ip_src.s_addr)) != NULL) { baddr = h->ip_src.s_addr; change_a(&h->ip_src.s_addr, &h->ip_sum, nat->daddr); } } while (r != NULL) { if ((r->direction == direction) && ((r->ifp == NULL) || (r->ifp == ifp)) && (!r->proto || (r->proto == IPPROTO_ICMP)) && (!r->src.addr || match_addr(r->src.not, r->src.addr, r->src.mask, h->ip_src.s_addr)) && (!r->dst.addr || match_addr(r->dst.not, r->dst.addr, r->dst.mask, h->ip_dst.s_addr)) && (!r->type || (r->type == ih->icmp_type + 1)) && (!r->code || (r->code == ih->icmp_code + 1)) ) { rm = r; mnr = nr; if (r->quick) break; } r = r->next; nr++; } if ((rm != NULL) && rm->log) { printf("packetfilter: @%u", mnr); printf(" %s %s", rm->action ? "block" : "pass", direction ? "in" : "out"); printf(" on %s proto icmp", ifp->if_xname); printf(" from "); print_host(h->ip_src.s_addr, 0); printf(" to "); print_host(h->ip_dst.s_addr, 0); printf(" type %u/%u", ih->icmp_type, ih->icmp_code); printf("\n"); } if ((rm != NULL) && (rm->action != PF_PASS)) return PF_DROP; if (((rm != NULL) && rm->keep_state) || (nat != NULL)) { /* create new state */ u_int16_t len = h->ip_len - (h->ip_hl << 2) - 8; u_int16_t id = ih->icmp_hun.ih_idseq.icd_id; struct state *s = malloc(sizeof(struct state), M_DEVBUF, M_NOWAIT); if (s == NULL) { printf("packetfilter: malloc() failed\n"); return PF_DROP; } s->proto = IPPROTO_ICMP; s->direction = direction; if (direction == PF_OUT) { s->gwy.addr = h->ip_src.s_addr; s->gwy.port = id; s->ext.addr = h->ip_dst.s_addr; s->ext.port = id; s->lan.addr = nat ? baddr : s->gwy.addr; s->lan.port = id; } else { s->lan.addr = h->ip_dst.s_addr; s->lan.port = id; s->ext.addr = h->ip_src.s_addr; s->ext.port = id; s->gwy.addr = s->lan.addr; s->gwy.port = id; } s->src.seqlo = 0; s->src.seqhi = 0; s->src.state = 0; s->dst.seqlo = 0; s->dst.seqhi = 0; s->dst.state = 0; s->creation = tv.tv_sec; s->expire = tv.tv_sec + 20; s->packets = 1; s->bytes = len; insert_state(s); } return PF_PASS; } /* ------------------------------------------------------------------------ */ struct state * pf_test_state_tcp(int direction, struct ifnet *ifp, struct ip *h, struct tcphdr *th) { struct state *s; struct tree_key key; key.proto = IPPROTO_TCP; key.addr[0] = h->ip_src.s_addr; key.port[0] = th->th_sport; key.addr[1] = h->ip_dst.s_addr; key.port[1] = th->th_dport; s = find_state((direction == PF_IN) ? tree_ext_gwy : tree_lan_ext, &key); if (s != NULL) { u_int16_t len = h->ip_len - ((h->ip_hl + th->th_off) << 2); u_int32_t seq = ntohl(th->th_seq), ack = ntohl(th->th_ack); struct state_peer *src, *dst; if (direction == s->direction) { src = &s->src; dst = &s->dst; } else { src = &s->dst; dst = &s->src; } /* some senders do that instead of ACKing FIN */ if ((th->th_flags == TH_RST) && !ack && !len && ((seq == src->seqhi) || (seq == src->seqhi-1)) && (src->state >= 4) && (dst->state >= 3)) ack = dst->seqhi; if ((dst->seqhi >= dst->seqlo ? (ack >= dst->seqlo) && (ack <= dst->seqhi) : (ack >= dst->seqlo) || (ack <= dst->seqhi)) || (seq == src->seqlo) || (seq == src->seqlo-1)) { s->packets++; s->bytes += len; /* update sequence number range */ if (th->th_flags & TH_ACK) dst->seqlo = ack; if (th->th_flags & (TH_SYN | TH_FIN)) len++; if (th->th_flags & TH_SYN) { src->seqhi = seq + len; src->seqlo = src->seqhi - 1; } else if ((seq + len) - src->seqhi < 65536) src->seqhi = seq + len; /* update states */ if (th->th_flags & TH_SYN) if (src->state < 1) src->state = 1; if (th->th_flags & TH_FIN) if (src->state < 3) src->state = 3; if ((th->th_flags & TH_ACK) && (ack == dst->seqhi)) { if (dst->state == 1) dst->state = 2; else if (dst->state == 3) dst->state = 4; } if (th->th_flags & TH_RST) src->state = dst->state = 5; /* update expire time */ if ((src->state >= 4) && (dst->state >= 4)) s->expire = tv.tv_sec + 5; else if ((src->state >= 3) || (dst->state >= 3)) s->expire = tv.tv_sec + 300; else if ((src->state < 2) || (dst->state < 2)) s->expire = tv.tv_sec + 30; else s->expire = tv.tv_sec + 24*60*60; /* translate source/destination address, if necessary */ if ((s->lan.addr != s->gwy.addr) || (s->lan.port != s->gwy.port)) { if (direction == PF_OUT) change_ap(&h->ip_src.s_addr, &th->th_sport, &h->ip_sum, &th->th_sum, s->gwy.addr, s->gwy.port); else change_ap(&h->ip_dst.s_addr, &th->th_dport, &h->ip_sum, &th->th_sum, s->lan.addr, s->lan.port); } } else { printf("packetfilter: BAD state: "); print_state(direction, s); print_flags(th->th_flags); printf(" seq=%lu ack=%lu len=%u ", seq, ack, len); printf("\n"); s = NULL; } return s; } return NULL; } struct state * pf_test_state_udp(int direction, struct ifnet *ifp, struct ip *h, struct udphdr *uh) { struct state *s; struct tree_key key; key.proto = IPPROTO_UDP; key.addr[0] = h->ip_src.s_addr; key.port[0] = uh->uh_sport; key.addr[1] = h->ip_dst.s_addr; key.port[1] = uh->uh_dport; s = find_state((direction == PF_IN) ? tree_ext_gwy : tree_lan_ext, &key); if (s != NULL) { u_int16_t len = h->ip_len - (h->ip_hl << 2) - 8; struct state_peer *src, *dst; if (direction == s->direction) { src = &s->src; dst = &s->dst; } else { src = &s->dst; dst = &s->src; } s->packets++; s->bytes += len; /* update states */ if (src->state < 1) src->state = 1; if (dst->state == 1) dst->state = 2; /* update expire time */ if ((src->state == 2) && (dst->state == 2)) s->expire = tv.tv_sec + 60; else s->expire = tv.tv_sec + 20; /* translate source/destination address, if necessary */ if ((s->lan.addr != s->gwy.addr) || (s->lan.port != s->gwy.port)) { if (direction == PF_OUT) change_ap(&h->ip_src.s_addr, &uh->uh_sport, &h->ip_sum, &uh->uh_sum, s->gwy.addr, s->gwy.port); else change_ap(&h->ip_dst.s_addr, &uh->uh_dport, &h->ip_sum, &uh->uh_sum, s->lan.addr, s->lan.port); } return s; } return NULL; } struct state * pf_test_state_icmp(int direction, struct ifnet *ifp, struct ip *h, struct icmp *ih) { u_int16_t len = h->ip_len - (h->ip_hl << 2) - 8; if ((ih->icmp_type != ICMP_UNREACH) && (ih->icmp_type != ICMP_SOURCEQUENCH) && (ih->icmp_type != ICMP_REDIRECT) && (ih->icmp_type != ICMP_TIMXCEED) && (ih->icmp_type != ICMP_PARAMPROB)) { /* * ICMP query/reply message not related to a TCP/UDP packet. * Search for an ICMP state. */ struct state *s; struct tree_key key; key.proto = IPPROTO_ICMP; key.addr[0] = h->ip_src.s_addr; key.port[0] = ih->icmp_hun.ih_idseq.icd_id; key.addr[1] = h->ip_dst.s_addr; key.port[1] = ih->icmp_hun.ih_idseq.icd_id; s = find_state((direction == PF_IN) ? tree_ext_gwy : tree_lan_ext, &key); if (s != NULL) { s->packets++; s->bytes += len; s->expire = tv.tv_sec + 10; /* translate source/destination address, if necessary */ if (s->lan.addr != s->gwy.addr) { if (direction == PF_OUT) change_a(&h->ip_src.s_addr, &h->ip_sum, s->gwy.addr); else change_a(&h->ip_dst.s_addr, &h->ip_sum, s->lan.addr); } return s; } return NULL; } else { /* * ICMP error message in response to a TCP/UDP packet. * Extract the inner TCP/UDP header and search for that state. */ struct ip *h2 = (struct ip *)(((char *)ih) + 8); if (len < 28) { printf("packetfilter: ICMP error message too short\n"); return NULL; } switch (h2->ip_p) { case IPPROTO_TCP: { struct tcphdr *th = (struct tcphdr *)(((char *)h2) + 20); u_int32_t seq = ntohl(th->th_seq); struct state *s; struct tree_key key; struct state_peer *src; key.proto = IPPROTO_TCP; key.addr[0] = h2->ip_dst.s_addr; key.port[0] = th->th_dport; key.addr[1] = h2->ip_src.s_addr; key.port[1] = th->th_sport; s = find_state((direction == PF_IN) ? tree_ext_gwy : tree_lan_ext, &key); if (s == NULL) return NULL; src = (direction == s->direction) ? &s->dst : &s->src; if ((src->seqhi >= src->seqlo ? (seq < src->seqlo) || (seq > src->seqhi) : (seq < src->seqlo) && (seq > src->seqhi))) { printf("packetfilter: BAD ICMP state: "); print_state(direction, s); print_flags(th->th_flags); printf(" seq=%lu\n", seq); return NULL; } if ((s->lan.addr != s->gwy.addr) || (s->lan.port != s->gwy.port)) { if (direction == PF_IN) { change_icmp(&h2->ip_src.s_addr, &th->th_sport, &h->ip_dst.s_addr, s->lan.addr, s->lan.port, &th->th_sum, &h2->ip_sum, &ih->icmp_cksum, &h->ip_sum); } else { change_icmp(&h2->ip_dst.s_addr, &th->th_dport, &h->ip_src.s_addr, s->gwy.addr, s->gwy.port, &th->th_sum, &h2->ip_sum, &ih->icmp_cksum, &h->ip_sum); } } return s; break; } case IPPROTO_UDP: { struct udphdr *uh = (struct udphdr *)(((char *)h2) + 20); struct state *s; struct tree_key key; key.proto = IPPROTO_UDP; key.addr[0] = h2->ip_dst.s_addr; key.port[0] = uh->uh_dport; key.addr[1] = h2->ip_src.s_addr; key.port[1] = uh->uh_sport; s = find_state((direction == PF_IN) ? tree_ext_gwy : tree_lan_ext, &key); if (s == NULL) return NULL; if ((s->lan.addr != s->gwy.addr) || (s->lan.port != s->gwy.port)) { if (direction == PF_IN) { change_icmp(&h2->ip_src.s_addr, &uh->uh_sport, &h->ip_dst.s_addr, s->lan.addr, s->lan.port, &uh->uh_sum, &h2->ip_sum, &ih->icmp_cksum, &h->ip_sum); } else { change_icmp(&h2->ip_dst.s_addr, &uh->uh_dport, &h->ip_src.s_addr, s->gwy.addr, s->gwy.port, &uh->uh_sum, &h2->ip_sum, &ih->icmp_cksum, &h->ip_sum); } } return s; break; } default: printf("packetfilter: ICMP error message for bad proto\n"); return NULL; } return NULL; } } /* ------------------------------------------------------------------------ */ inline void * pull_hdr(struct ifnet *ifp, struct mbuf **m, struct ip *h, int off, int *action, u_int8_t len) { u_int16_t fragoff = (h->ip_off & IP_OFFMASK) << 3; struct mbuf *n; int newoff; if (fragoff) { if (fragoff >= len) *action = PF_PASS; else { *action = PF_DROP; printf("packetfilter: dropping following fragment"); print_ip(ifp, h); } return NULL; } if ((*m)->m_pkthdr.len < off + len || h->ip_len < off + len) { *action = PF_DROP; printf("packetfilter: dropping short packet"); print_ip(ifp, h); return NULL; } /* * XXX should use m_copydata, but NAT portion tries to touch mbuf * directly */ n = m_pulldown((*m), off, len, &newoff); if (!n) { printf("packetfilter: pullup proto header failed\n"); *action = PF_DROP; *m = NULL; return NULL; } return mtod(n, char *) + newoff; } int pf_test(int direction, struct ifnet *ifp, struct mbuf **m) { int action; struct ip *h = mtod(*m, struct ip *); int off; if (!status.running) return PF_PASS; #ifdef DIAGNOSTIC if (((*m)->m_flags & M_PKTHDR) == 0) panic("non-M_PKTHDR is passed to pf_test"); #endif /* purge expire states, at most once every 10 seconds */ microtime(&tv); if ((tv.tv_sec - last_purge) >= 10) { purge_expired_states(); last_purge = tv.tv_sec; } off = h->ip_hl << 2; /* ensure we have at least the complete ip header pulled up */ if ((*m)->m_len < off) if ((*m = m_pullup(*m, off)) == NULL) { printf("packetfilter: pullup ip header failed\n"); action = PF_DROP; goto done; } switch (h->ip_p) { case IPPROTO_TCP: { struct tcphdr *th = pull_hdr(ifp, m, h, off, &action, sizeof(*th)); if (th == NULL) goto done; if (pf_test_state_tcp(direction, ifp, h, th)) action = PF_PASS; else action = pf_test_tcp(direction, ifp, h, th); break; } case IPPROTO_UDP: { struct udphdr *uh = pull_hdr(ifp, m, h, off, &action, sizeof(*uh)); if (uh == NULL) goto done; if (pf_test_state_udp(direction, ifp, h, uh)) action = PF_PASS; else action = pf_test_udp(direction, ifp, h, uh); break; } case IPPROTO_ICMP: { struct icmp *ih = pull_hdr(ifp, m, h, off, &action, sizeof(*ih)); if (ih == NULL) goto done; if (pf_test_state_icmp(direction, ifp, h, ih)) action = PF_PASS; else action = pf_test_icmp(direction, ifp, h, ih); break; } default: printf("packetfilter: dropping unsupported protocol"); print_ip(ifp, h); action = PF_DROP; break; } done: if (ifp == status_ifp) { status.bytes[direction] += h->ip_len; status.packets[direction][action]++; } return action; } /* ------------------------------------------------------------------------ */