author | Max Laier <mlaier@FreeBSD.org> | 2009-08-18 16:13:59 +0000 |
---|---|---|
committer | Max Laier <mlaier@FreeBSD.org> | 2009-08-18 16:13:59 +0000 |
commit | db8ac25da4805123ac32db61e3d169c9ab7b8966 (patch) | |
tree | e80f314eac925df406d19fc873e264a828f896fc | |
parent | bbe43470868206ce791124974947c85b485b8005 (diff) |
eri@ wants to start on porting the latest pf in his user space so we can
finally have a new version in 9.0. Import pf as of OPENBSD_4_5_BASE to help
with that.
Notes
Notes:
svn path=/vendor-sys/pf/dist/; revision=196360
svn path=/vendor-sys/pf/4.5/; revision=196361; tag=vendor/pf-sys/4.5
-rw-r--r-- | net/if_pflog.c | 2 | ||||
-rw-r--r-- | net/if_pflog.h | 2 | ||||
-rw-r--r-- | net/if_pflow.c | 621 | ||||
-rw-r--r-- | net/if_pflow.h | 120 | ||||
-rw-r--r-- | net/if_pfsync.c | 2706 | ||||
-rw-r--r-- | net/if_pfsync.h | 353 | ||||
-rw-r--r-- | net/pf.c | 864 | ||||
-rw-r--r-- | net/pf_if.c | 2 | ||||
-rw-r--r-- | net/pf_ioctl.c | 22 | ||||
-rw-r--r-- | net/pf_lb.c | 695 | ||||
-rw-r--r-- | net/pf_norm.c | 114 | ||||
-rw-r--r-- | net/pf_osfp.c | 2 | ||||
-rw-r--r-- | net/pf_ruleset.c | 27 | ||||
-rw-r--r-- | net/pf_table.c | 49 | ||||
-rw-r--r-- | net/pfvar.h | 51 | ||||
-rw-r--r-- | netinet/in4_cksum.c | 2 |
16 files changed, 3613 insertions, 2019 deletions
diff --git a/net/if_pflog.c b/net/if_pflog.c
index e8dd67979afa..280a12605c02 100644
--- a/net/if_pflog.c
+++ b/net/if_pflog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.c,v 1.27 2007/12/20 02:53:02 brad Exp $ */
+/* $OpenBSD: if_pflog.c,v 1.26 2007/10/18 21:58:18 mpf Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
diff --git a/net/if_pflog.h b/net/if_pflog.h
index e9e0b01e5e5f..62c365c7b20c 100644
--- a/net/if_pflog.h
+++ b/net/if_pflog.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.h,v 1.14 2006/10/25 11:27:01 henning Exp $ */
+/* $OpenBSD: if_pflog.h,v 1.13 2006/10/23 12:46:09 henning Exp $ */
 /*
  * Copyright 2001 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
diff --git a/net/if_pflow.c b/net/if_pflow.c
new file mode 100644
index 000000000000..243af866582b
--- /dev/null
+++ b/net/if_pflow.c
@@ -0,0 +1,621 @@
+/* $OpenBSD: if_pflow.c,v 1.9 2009/01/03 21:47:32 gollo Exp $ */
+
+/*
+ * Copyright (c) 2008 Henning Brauer <henning@openbsd.org>
+ * Copyright (c) 2008 Joerg Goltermann <jg@osn.de>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN
+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/malloc.h>
+#include <sys/param.h>
+#include <sys/mbuf.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/kernel.h>
+#include <sys/sysctl.h>
+#include <dev/rndvar.h>
+
+#include <net/if.h>
+#include <net/if_types.h>
+#include <net/bpf.h>
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/if_ether.h>
+#include <netinet/tcp.h>
+
+#ifdef INET
+#include <netinet/in.h>
+#include <netinet/in_var.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip_var.h>
+#include <netinet/udp.h>
+#include <netinet/udp_var.h>
+#include <netinet/in_pcb.h>
+#endif /* INET */
+
+#include <net/pfvar.h>
+#include <net/if_pflow.h>
+
+#include "bpfilter.h"
+#include "pflow.h"
+
+#define PFLOW_MINMTU \
+ (sizeof(struct pflow_header) + sizeof(struct pflow_flow))
+
+#ifdef PFLOWDEBUG
+#define DPRINTF(x) do { printf x ; } while (0)
+#else
+#define DPRINTF(x)
+#endif
+
+SLIST_HEAD(, pflow_softc) pflowif_list;
+struct pflowstats pflowstats;
+
+void pflowattach(int);
+int pflow_clone_create(struct if_clone *, int); +int pflow_clone_destroy(struct ifnet *); +void pflow_setmtu(struct pflow_softc *, int); +int pflowoutput(struct ifnet *, struct mbuf *, struct sockaddr *, + struct rtentry *); +int pflowioctl(struct ifnet *, u_long, caddr_t); +void pflowstart(struct ifnet *); + +struct mbuf *pflow_get_mbuf(struct pflow_softc *); +int pflow_sendout(struct pflow_softc *); +int pflow_sendout_mbuf(struct pflow_softc *, struct mbuf *); +void pflow_timeout(void *); +void copy_flow_data(struct pflow_flow *, struct pflow_flow *, + struct pf_state *, int, int); +int pflow_pack_flow(struct pf_state *, struct pflow_softc *); +int pflow_get_dynport(void); +int export_pflow_if(struct pf_state*, struct pflow_softc *); +int copy_flow_to_m(struct pflow_flow *flow, struct pflow_softc *sc); + +struct if_clone pflow_cloner = + IF_CLONE_INITIALIZER("pflow", pflow_clone_create, + pflow_clone_destroy); + +/* from in_pcb.c */ +extern int ipport_hifirstauto; +extern int ipport_hilastauto; + +/* from kern/kern_clock.c; incremented each clock tick. 
*/ +extern int ticks; + +void +pflowattach(int npflow) +{ + SLIST_INIT(&pflowif_list); + if_clone_attach(&pflow_cloner); +} + +int +pflow_clone_create(struct if_clone *ifc, int unit) +{ + struct ifnet *ifp; + struct pflow_softc *pflowif; + + if ((pflowif = malloc(sizeof(*pflowif), + M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL) + return (ENOMEM); + + pflowif->sc_sender_ip.s_addr = INADDR_ANY; + pflowif->sc_sender_port = pflow_get_dynport(); + + pflowif->sc_imo.imo_membership = malloc( + (sizeof(struct in_multi *) * IP_MIN_MEMBERSHIPS), M_IPMOPTS, + M_WAITOK|M_ZERO); + pflowif->sc_imo.imo_max_memberships = IP_MIN_MEMBERSHIPS; + pflowif->sc_receiver_ip.s_addr = 0; + pflowif->sc_receiver_port = 0; + pflowif->sc_sender_ip.s_addr = INADDR_ANY; + pflowif->sc_sender_port = pflow_get_dynport(); + ifp = &pflowif->sc_if; + snprintf(ifp->if_xname, sizeof ifp->if_xname, "pflow%d", unit); + ifp->if_softc = pflowif; + ifp->if_ioctl = pflowioctl; + ifp->if_output = pflowoutput; + ifp->if_start = pflowstart; + ifp->if_type = IFT_PFLOW; + ifp->if_snd.ifq_maxlen = ifqmaxlen; + ifp->if_hdrlen = PFLOW_HDRLEN; + ifp->if_flags = IFF_UP; + ifp->if_flags &= ~IFF_RUNNING; /* not running, need receiver */ + pflow_setmtu(pflowif, ETHERMTU); + timeout_set(&pflowif->sc_tmo, pflow_timeout, pflowif); + if_attach(ifp); + if_alloc_sadl(ifp); + +#if NBPFILTER > 0 + bpfattach(&pflowif->sc_if.if_bpf, ifp, DLT_RAW, 0); +#endif + + /* Insert into list of pflows */ + SLIST_INSERT_HEAD(&pflowif_list, pflowif, sc_next); + return (0); +} + +int +pflow_clone_destroy(struct ifnet *ifp) +{ + struct pflow_softc *sc = ifp->if_softc; + int s; + + s = splnet(); + pflow_sendout(sc); +#if NBPFILTER > 0 + bpfdetach(ifp); +#endif + if_detach(ifp); + SLIST_REMOVE(&pflowif_list, sc, pflow_softc, sc_next); + free(sc->sc_imo.imo_membership, M_IPMOPTS); + free(sc, M_DEVBUF); + splx(s); + return (0); +} + +/* + * Start output on the pflow interface. 
+ */ +void +pflowstart(struct ifnet *ifp) +{ + struct mbuf *m; + int s; + + for (;;) { + s = splnet(); + IF_DROP(&ifp->if_snd); + IF_DEQUEUE(&ifp->if_snd, m); + splx(s); + + if (m == NULL) + return; + m_freem(m); + } +} + +int +pflowoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, + struct rtentry *rt) +{ + m_freem(m); + return (0); +} + +/* ARGSUSED */ +int +pflowioctl(struct ifnet *ifp, u_long cmd, caddr_t data) +{ + struct proc *p = curproc; + struct pflow_softc *sc = ifp->if_softc; + struct ifreq *ifr = (struct ifreq *)data; + struct pflowreq pflowr; + int s, error; + + switch (cmd) { + case SIOCSIFADDR: + case SIOCAIFADDR: + case SIOCSIFDSTADDR: + case SIOCSIFFLAGS: + if ((ifp->if_flags & IFF_UP) && + sc->sc_receiver_ip.s_addr != 0 && + sc->sc_receiver_port != 0) { + ifp->if_flags |= IFF_RUNNING; + sc->sc_gcounter=pflowstats.pflow_flows; + } else + ifp->if_flags &= ~IFF_RUNNING; + break; + case SIOCSIFMTU: + if (ifr->ifr_mtu < PFLOW_MINMTU) + return (EINVAL); + if (ifr->ifr_mtu > MCLBYTES) + ifr->ifr_mtu = MCLBYTES; + s = splnet(); + if (ifr->ifr_mtu < ifp->if_mtu) + pflow_sendout(sc); + pflow_setmtu(sc, ifr->ifr_mtu); + splx(s); + break; + + case SIOCGETPFLOW: + bzero(&pflowr, sizeof(pflowr)); + + pflowr.sender_ip = sc->sc_sender_ip; + pflowr.receiver_ip = sc->sc_receiver_ip; + pflowr.receiver_port = sc->sc_receiver_port; + + if ((error = copyout(&pflowr, ifr->ifr_data, + sizeof(pflowr)))) + return (error); + break; + + case SIOCSETPFLOW: + if ((error = suser(p, p->p_acflag)) != 0) + return (error); + if ((error = copyin(ifr->ifr_data, &pflowr, + sizeof(pflowr)))) + return (error); + + s = splnet(); + pflow_sendout(sc); + splx(s); + + if (pflowr.addrmask & PFLOW_MASK_DSTIP) + sc->sc_receiver_ip = pflowr.receiver_ip; + if (pflowr.addrmask & PFLOW_MASK_DSTPRT) + sc->sc_receiver_port = pflowr.receiver_port; + if (pflowr.addrmask & PFLOW_MASK_SRCIP) + sc->sc_sender_ip.s_addr = pflowr.sender_ip.s_addr; + + if ((ifp->if_flags & IFF_UP) && + 
sc->sc_receiver_ip.s_addr != 0 && + sc->sc_receiver_port != 0) { + ifp->if_flags |= IFF_RUNNING; + sc->sc_gcounter=pflowstats.pflow_flows; + } else + ifp->if_flags &= ~IFF_RUNNING; + + break; + + default: + return (ENOTTY); + } + return (0); +} + +void +pflow_setmtu(struct pflow_softc *sc, int mtu_req) +{ + int mtu; + + if (sc->sc_pflow_ifp && sc->sc_pflow_ifp->if_mtu < mtu_req) + mtu = sc->sc_pflow_ifp->if_mtu; + else + mtu = mtu_req; + + sc->sc_maxcount = (mtu - sizeof(struct pflow_header) - + sizeof (struct udpiphdr)) / sizeof(struct pflow_flow); + if (sc->sc_maxcount > PFLOW_MAXFLOWS) + sc->sc_maxcount = PFLOW_MAXFLOWS; + sc->sc_if.if_mtu = sizeof(struct pflow_header) + + sizeof (struct udpiphdr) + + sc->sc_maxcount * sizeof(struct pflow_flow); +} + +struct mbuf * +pflow_get_mbuf(struct pflow_softc *sc) +{ + struct pflow_header h; + struct mbuf *m; + + MGETHDR(m, M_DONTWAIT, MT_DATA); + if (m == NULL) { + pflowstats.pflow_onomem++; + return (NULL); + } + + MCLGET(m, M_DONTWAIT); + if ((m->m_flags & M_EXT) == 0) { + m_free(m); + pflowstats.pflow_onomem++; + return (NULL); + } + + m->m_len = m->m_pkthdr.len = 0; + m->m_pkthdr.rcvif = NULL; + + /* populate pflow_header */ + h.reserved1 = 0; + h.reserved2 = 0; + h.count = 0; + h.version = htons(PFLOW_VERSION); + h.flow_sequence = htonl(sc->sc_gcounter); + h.engine_type = PFLOW_ENGINE_TYPE; + h.engine_id = PFLOW_ENGINE_ID; + m_copyback(m, 0, PFLOW_HDRLEN, &h); + + sc->sc_count = 0; + timeout_add_sec(&sc->sc_tmo, PFLOW_TIMEOUT); + return (m); +} + +void +copy_flow_data(struct pflow_flow *flow1, struct pflow_flow *flow2, + struct pf_state *st, int src, int dst) +{ + struct pf_state_key *sk = st->key[PF_SK_WIRE]; + + flow1->src_ip = flow2->dest_ip = sk->addr[src].v4.s_addr; + flow1->src_port = flow2->dest_port = sk->port[src]; + flow1->dest_ip = flow2->src_ip = sk->addr[dst].v4.s_addr; + flow1->dest_port = flow2->src_port = sk->port[dst]; + + flow1->dest_as = flow2->src_as = + flow1->src_as = flow2->dest_as = 0; + 
flow1->if_index_out = flow2->if_index_in = + flow1->if_index_in = flow2->if_index_out = 0; + flow1->dest_mask = flow2->src_mask = + flow1->src_mask = flow2->dest_mask = 0; + + flow1->flow_packets = htonl(st->packets[0]); + flow2->flow_packets = htonl(st->packets[1]); + flow1->flow_octets = htonl(st->bytes[0]); + flow2->flow_octets = htonl(st->bytes[1]); + + flow1->flow_start = flow2->flow_start = htonl(st->creation * 1000); + flow1->flow_finish = flow2->flow_finish = htonl(time_second * 1000); + flow1->tcp_flags = flow2->tcp_flags = 0; + flow1->protocol = flow2->protocol = sk->proto; + flow1->tos = flow2->tos = st->rule.ptr->tos; +} + +int +export_pflow(struct pf_state *st) +{ + struct pflow_softc *sc = NULL; + struct pf_state_key *sk = st->key[PF_SK_WIRE]; + + if (sk->af != AF_INET) + return (0); + + SLIST_FOREACH(sc, &pflowif_list, sc_next) { + export_pflow_if(st, sc); + } + + return (0); +} + +int +export_pflow_if(struct pf_state *st, struct pflow_softc *sc) +{ + struct pf_state pfs_copy; + struct ifnet *ifp = &sc->sc_if; + u_int64_t bytes[2]; + int ret = 0; + + if (!(ifp->if_flags & IFF_RUNNING)) + return (0); + + if ((st->bytes[0] < (u_int64_t)PFLOW_MAXBYTES) + && (st->bytes[1] < (u_int64_t)PFLOW_MAXBYTES)) + return (pflow_pack_flow(st, sc)); + + /* flow > PFLOW_MAXBYTES need special handling */ + bcopy(st, &pfs_copy, sizeof(pfs_copy)); + bytes[0] = pfs_copy.bytes[0]; + bytes[1] = pfs_copy.bytes[1]; + + while (bytes[0] > PFLOW_MAXBYTES) { + pfs_copy.bytes[0] = PFLOW_MAXBYTES; + pfs_copy.bytes[1] = 0; + + if ((ret = pflow_pack_flow(&pfs_copy, sc)) != 0) + return (ret); + if ((bytes[0] - PFLOW_MAXBYTES) > 0) + bytes[0] -= PFLOW_MAXBYTES; + } + + while (bytes[1] > (u_int64_t)PFLOW_MAXBYTES) { + pfs_copy.bytes[1] = PFLOW_MAXBYTES; + pfs_copy.bytes[0] = 0; + + if ((ret = pflow_pack_flow(&pfs_copy, sc)) != 0) + return (ret); + if ((bytes[1] - PFLOW_MAXBYTES) > 0) + bytes[1] -= PFLOW_MAXBYTES; + } + + pfs_copy.bytes[0] = bytes[0]; + pfs_copy.bytes[1] = bytes[1]; + + 
return (pflow_pack_flow(&pfs_copy, sc)); +} + +int +copy_flow_to_m(struct pflow_flow *flow, struct pflow_softc *sc) +{ + int s, ret = 0; + + s = splnet(); + if (sc->sc_mbuf == NULL) { + if ((sc->sc_mbuf = pflow_get_mbuf(sc)) == NULL) { + splx(s); + return (ENOBUFS); + } + } + m_copyback(sc->sc_mbuf, PFLOW_HDRLEN + + (sc->sc_count * sizeof (struct pflow_flow)), + sizeof (struct pflow_flow), flow); + + if (pflowstats.pflow_flows == sc->sc_gcounter) + pflowstats.pflow_flows++; + sc->sc_gcounter++; + sc->sc_count++; + + if (sc->sc_count >= sc->sc_maxcount) + ret = pflow_sendout(sc); + + splx(s); + return(ret); +} + +int +pflow_pack_flow(struct pf_state *st, struct pflow_softc *sc) +{ + struct pflow_flow flow1; + struct pflow_flow flow2; + int ret = 0; + + bzero(&flow1, sizeof(flow1)); + bzero(&flow2, sizeof(flow2)); + + if (st->direction == PF_OUT) + copy_flow_data(&flow1, &flow2, st, 1, 0); + else + copy_flow_data(&flow1, &flow2, st, 0, 1); + + if (st->bytes[0] != 0) /* first flow from state */ + ret = copy_flow_to_m(&flow1, sc); + + if (st->bytes[1] != 0) /* second flow from state */ + ret = copy_flow_to_m(&flow2, sc); + + return (ret); +} + +void +pflow_timeout(void *v) +{ + struct pflow_softc *sc = v; + int s; + + s = splnet(); + pflow_sendout(sc); + splx(s); +} + +/* This must be called in splnet() */ +int +pflow_sendout(struct pflow_softc *sc) +{ + struct mbuf *m = sc->sc_mbuf; + struct pflow_header *h; + struct ifnet *ifp = &sc->sc_if; + + timeout_del(&sc->sc_tmo); + + if (m == NULL) + return (0); + + sc->sc_mbuf = NULL; + if (!(ifp->if_flags & IFF_RUNNING)) { + m_freem(m); + return (0); + } + + pflowstats.pflow_packets++; + h = mtod(m, struct pflow_header *); + h->count = htons(sc->sc_count); + + /* populate pflow_header */ + h->uptime_ms = htonl(time_uptime * 1000); + h->time_sec = htonl(time_second); + h->time_nanosec = htonl(ticks); + + return (pflow_sendout_mbuf(sc, m)); +} + +int +pflow_sendout_mbuf(struct pflow_softc *sc, struct mbuf *m) +{ + struct 
udpiphdr *ui; + u_int16_t len = m->m_pkthdr.len; + struct ifnet *ifp = &sc->sc_if; + struct ip *ip; + int err; + + /* UDP Header*/ + M_PREPEND(m, sizeof(struct udpiphdr), M_DONTWAIT); + if (m == NULL) { + pflowstats.pflow_onomem++; + return (ENOBUFS); + } + + ui = mtod(m, struct udpiphdr *); + ui->ui_pr = IPPROTO_UDP; + ui->ui_src = sc->sc_sender_ip; + ui->ui_sport = sc->sc_sender_port; + ui->ui_dst = sc->sc_receiver_ip; + ui->ui_dport = sc->sc_receiver_port; + ui->ui_ulen = htons(sizeof (struct udphdr) + len); + + ip = (struct ip *)ui; + ip->ip_v = IPVERSION; + ip->ip_hl = sizeof(struct ip) >> 2; + ip->ip_id = htons(ip_randomid()); + ip->ip_off = htons(IP_DF); + ip->ip_tos = IPTOS_LOWDELAY; + ip->ip_ttl = IPDEFTTL; + ip->ip_len = htons(sizeof (struct udpiphdr) + len); + + /* + * Compute the pseudo-header checksum; defer further checksumming + * until ip_output() or hardware (if it exists). + */ + m->m_pkthdr.csum_flags |= M_UDPV4_CSUM_OUT; + ui->ui_sum = in_cksum_phdr(ui->ui_src.s_addr, + ui->ui_dst.s_addr, htons(len + sizeof(struct udphdr) + + IPPROTO_UDP)); + +#if NBPFILTER > 0 + if (ifp->if_bpf) { + ip->ip_sum = in_cksum(m, ip->ip_hl << 2); + bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_OUT); + } +#endif + + sc->sc_if.if_opackets++; + sc->sc_if.if_obytes += m->m_pkthdr.len; + + if ((err = ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL))) { + pflowstats.pflow_oerrors++; + sc->sc_if.if_oerrors++; + } + return (err); +} + +int +pflow_get_dynport(void) +{ + u_int16_t tmp, low, high, cut; + + low = ipport_hifirstauto; /* sysctl */ + high = ipport_hilastauto; + + cut = arc4random_uniform(1 + high - low) + low; + + for (tmp = cut; tmp <= high; ++(tmp)) { + if (!in_baddynamic(tmp, IPPROTO_UDP)) + return (htons(tmp)); + } + + for (tmp = cut - 1; tmp >= low; --(tmp)) { + if (!in_baddynamic(tmp, IPPROTO_UDP)) + return (htons(tmp)); + } + + return (htons(ipport_hilastauto)); /* XXX */ +} + +int +pflow_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, + void 
*newp, size_t newlen) +{ + if (namelen != 1) + return (ENOTDIR); + + switch (name[0]) { + case NET_PFLOW_STATS: + if (newp != NULL) + return (EPERM); + return (sysctl_struct(oldp, oldlenp, newp, newlen, + &pflowstats, sizeof(pflowstats))); + default: + return (EOPNOTSUPP); + } + return (0); +} diff --git a/net/if_pflow.h b/net/if_pflow.h new file mode 100644 index 000000000000..ce9dd4412a2f --- /dev/null +++ b/net/if_pflow.h 
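Review bot: copy_flow_data() exports flow_finish as `htonl(time_second * 1000)` and flow_start as `htonl(st->creation * 1000)`, while the header written in pflow_sendout() reports uptime_ms as `htonl(time_uptime * 1000)`; the per-flow timestamps are on a wall-clock base while the header is on an uptime base, and epoch seconds times 1000 does not fit the 32-bit field, so the exported values wrap. A receiver that interprets First/Last relative to uptime_ms, as the version-5 record layout these structs appear to mirror does, gets meaningless durations; `flow1->flow_finish = flow2->flow_finish = htonl(time_uptime * 1000);` fixes the finish side, and flow_start needs the same base (what st->creation holds is set outside this file, so confirm before converting it). Separately, pflow_clone_create() assigns sc_sender_ip and sc_sender_port twice, once before and once after the imo_membership allocation, so pflow_get_dynport() runs twice with the first result discarded; drop the first pair. In pflowioctl()'s SIOCSIFMTU case `ifr->ifr_mtu < PFLOW_MINMTU` compares an int against a size_t, so a negative ifr_mtu is promoted and passes the check; reject `ifr->ifr_mtu < 0` first or compare against `(int)PFLOW_MINMTU`. In pflow_get_dynport() both search loops use a u_int16_t counter, so with the sysctl-settable range at low == 0 or high == 65535 the counter wraps instead of leaving the loop; use a wider type for tmp.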
@@ -0,0 +1,120 @@ +/* $OpenBSD: if_pflow.h,v 1.4 2009/01/03 21:47:32 gollo Exp $ */ + +/* + * Copyright (c) 2008 Henning Brauer <henning@openbsd.org> + * Copyright (c) 2008 Joerg Goltermann <jg@osn.de> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN + * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _NET_IF_PFLOW_H_ +#define _NET_IF_PFLOW_H_ + +#define PFLOW_ID_LEN sizeof(u_int64_t) + +#define PFLOW_MAXFLOWS 30 +#define PFLOW_VERSION 5 +#define PFLOW_ENGINE_TYPE 42 +#define PFLOW_ENGINE_ID 42 +#define PFLOW_MAXBYTES 0xffffffff +#define PFLOW_TIMEOUT 30 + +struct pflow_flow { + u_int32_t src_ip; + u_int32_t dest_ip; + u_int32_t nexthop_ip; + u_int16_t if_index_in; + u_int16_t if_index_out; + u_int32_t flow_packets; + u_int32_t flow_octets; + u_int32_t flow_start; + u_int32_t flow_finish; + u_int16_t src_port; + u_int16_t dest_port; + u_int8_t pad1; + u_int8_t tcp_flags; + u_int8_t protocol; + u_int8_t tos; + u_int16_t src_as; + u_int16_t dest_as; + u_int8_t src_mask; + u_int8_t dest_mask; + u_int16_t pad2; +} __packed; + +#ifdef _KERNEL + +extern int pflow_ok; + +struct pflow_softc { + struct ifnet sc_if; + struct ifnet *sc_pflow_ifp; + + unsigned int sc_count; + unsigned int sc_maxcount; + u_int64_t sc_gcounter; + struct ip_moptions sc_imo; + struct timeout sc_tmo; + struct in_addr sc_sender_ip; + u_int16_t 
sc_sender_port; + struct in_addr sc_receiver_ip; + u_int16_t sc_receiver_port; + struct mbuf *sc_mbuf; /* current cumulative mbuf */ + SLIST_ENTRY(pflow_softc) sc_next; +}; + +extern struct pflow_softc *pflowif; + +#endif /* _KERNEL */ + +struct pflow_header { + u_int16_t version; + u_int16_t count; + u_int32_t uptime_ms; + u_int32_t time_sec; + u_int32_t time_nanosec; + u_int32_t flow_sequence; + u_int8_t engine_type; + u_int8_t engine_id; + u_int8_t reserved1; + u_int8_t reserved2; +} __packed; + +#define PFLOW_HDRLEN sizeof(struct pflow_header) + +struct pflowstats { + u_int64_t pflow_flows; + u_int64_t pflow_packets; + u_int64_t pflow_onomem; + u_int64_t pflow_oerrors; +}; + +/* + * Configuration structure for SIOCSETPFLOW SIOCGETPFLOW + */ +struct pflowreq { + struct in_addr sender_ip; + struct in_addr receiver_ip; + u_int16_t receiver_port; + u_int16_t addrmask; +#define PFLOW_MASK_SRCIP 0x01 +#define PFLOW_MASK_DSTIP 0x02 +#define PFLOW_MASK_DSTPRT 0x04 +}; + +#ifdef _KERNEL +int export_pflow(struct pf_state *); +int pflow_sysctl(int *, u_int, void *, size_t *, void *, size_t); +#endif /* _KERNEL */ + +#endif /* _NET_IF_PFLOW_H_ */ diff --git a/net/if_pfsync.c b/net/if_pfsync.c index 68d3ac40877b..f80f93e15142 100644 --- a/net/if_pfsync.c +++ b/net/if_pfsync.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pfsync.c,v 1.98 2008/06/29 08:42:15 mcbride Exp $ */ +/* $OpenBSD: if_pfsync.c,v 1.110 2009/02/24 05:39:19 dlg Exp $ */ /* * Copyright (c) 2002 Michael Shalayeff 
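Review bot: `extern int pflow_ok;` and `extern struct pflow_softc *pflowif;` in the _KERNEL section declare objects that if_pflow.c in this same commit does not define — it defines `pflowif_list` and `pflowstats`, and uses `pflowif` only as a local in pflow_clone_create() — so unless they are defined elsewhere in the tree they are dead declarations carried over from if_pfsync.h and should be removed. struct pflow_flow and struct pflow_header are written to the wire as-is, so a comment stating the byte-order contract would help, e.g. `/* on-wire record; all multi-byte fields are in network byte order */` above struct pflow_flow. PFLOW_MAXBYTES is the cap at which export_pflow_if() splits a state's byte counters into several records; a comment saying so next to the define would explain why the value is 0xffffffff (the width of flow_octets).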
@@ -26,6 +26,21 @@ * THE POSSIBILITY OF SUCH DAMAGE. */ +/* + * Copyright (c) 2009 David Gwynne <dlg@openbsd.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ #include <sys/param.h> #include <sys/proc.h> @@ -37,16 +52,17 @@ #include <sys/timeout.h> #include <sys/kernel.h> #include <sys/sysctl.h> +#include <sys/pool.h> #include <net/if.h> #include <net/if_types.h> #include <net/route.h> #include <net/bpf.h> +#include <net/netisr.h> #include <netinet/in.h> #include <netinet/if_ether.h> #include <netinet/tcp.h> #include <netinet/tcp_seq.h> -#include <sys/pool.h> #ifdef INET #include <netinet/in_systm.h> 
@@ -70,15 +86,132 @@ #include "bpfilter.h" #include "pfsync.h" -#define PFSYNC_MINMTU \ - (sizeof(struct pfsync_header) + sizeof(struct pf_state)) +#define PFSYNC_MINPKT ( \ + sizeof(struct ip) + \ + sizeof(struct pfsync_header) + \ + sizeof(struct pfsync_subheader) + \ + sizeof(struct pfsync_eof)) -#ifdef PFSYNCDEBUG -#define DPRINTF(x) do { if (pfsyncdebug) printf x ; } while (0) -int pfsyncdebug; -#else -#define DPRINTF(x) -#endif +struct pfsync_pkt { + struct ip *ip; + struct in_addr src; + u_int8_t flags; +}; + +int pfsync_input_hmac(struct mbuf *, int); + +int pfsync_upd_tcp(struct pf_state *, struct pfsync_state_peer *, + struct pfsync_state_peer *); + +int pfsync_in_clr(struct pfsync_pkt *, struct mbuf *, int, int); +int pfsync_in_ins(struct pfsync_pkt *, struct mbuf *, int, int); +int pfsync_in_iack(struct pfsync_pkt *, struct mbuf *, int, int); +int pfsync_in_upd(struct pfsync_pkt *, struct mbuf *, int, int); +int pfsync_in_upd_c(struct pfsync_pkt *, struct mbuf *, int, int); +int pfsync_in_ureq(struct pfsync_pkt *, struct mbuf *, int, int); +int pfsync_in_del(struct pfsync_pkt *, struct mbuf *, int, int); +int pfsync_in_del_c(struct pfsync_pkt *, struct mbuf *, int, int); +int pfsync_in_bus(struct pfsync_pkt *, struct mbuf *, int, int); +int pfsync_in_tdb(struct pfsync_pkt *, struct mbuf *, int, int); +int pfsync_in_eof(struct pfsync_pkt *, struct mbuf *, int, int); + +int pfsync_in_error(struct pfsync_pkt *, struct mbuf *, int, int); + +int (*pfsync_acts[])(struct pfsync_pkt *, struct mbuf *, int, int) = { + pfsync_in_clr, /* PFSYNC_ACT_CLR */ + pfsync_in_ins, /* PFSYNC_ACT_INS */ + pfsync_in_iack, /* PFSYNC_ACT_INS_ACK */ + pfsync_in_upd, /* PFSYNC_ACT_UPD */ + pfsync_in_upd_c, /* PFSYNC_ACT_UPD_C */ + pfsync_in_ureq, /* PFSYNC_ACT_UPD_REQ */ + pfsync_in_del, /* PFSYNC_ACT_DEL */ + pfsync_in_del_c, /* PFSYNC_ACT_DEL_C */ + pfsync_in_error, /* PFSYNC_ACT_INS_F */ + pfsync_in_error, /* PFSYNC_ACT_DEL_F */ + pfsync_in_bus, /* PFSYNC_ACT_BUS */ + 
pfsync_in_tdb, /* PFSYNC_ACT_TDB */ + pfsync_in_eof /* PFSYNC_ACT_EOF */ +}; + +struct pfsync_q { + int (*write)(struct pf_state *, struct mbuf *, int); + size_t len; + u_int8_t action; +}; + +/* we have one of these for every PFSYNC_S_ */ +int pfsync_out_state(struct pf_state *, struct mbuf *, int); +int pfsync_out_iack(struct pf_state *, struct mbuf *, int); +int pfsync_out_upd_c(struct pf_state *, struct mbuf *, int); +int pfsync_out_del(struct pf_state *, struct mbuf *, int); + +struct pfsync_q pfsync_qs[] = { + { pfsync_out_state, sizeof(struct pfsync_state), PFSYNC_ACT_INS }, + { pfsync_out_iack, sizeof(struct pfsync_ins_ack), PFSYNC_ACT_INS_ACK }, + { pfsync_out_state, sizeof(struct pfsync_state), PFSYNC_ACT_UPD }, + { pfsync_out_upd_c, sizeof(struct pfsync_upd_c), PFSYNC_ACT_UPD_C }, + { pfsync_out_del, sizeof(struct pfsync_del_c), PFSYNC_ACT_DEL_C } +}; + +void pfsync_q_ins(struct pf_state *, int); +void pfsync_q_del(struct pf_state *); + +struct pfsync_upd_req_item { + TAILQ_ENTRY(pfsync_upd_req_item) ur_entry; + struct pfsync_upd_req ur_msg; +}; +TAILQ_HEAD(pfsync_upd_reqs, pfsync_upd_req_item); + +struct pfsync_deferral { + TAILQ_ENTRY(pfsync_deferral) pd_entry; + struct pf_state *pd_st; + struct mbuf *pd_m; + struct timeout pd_tmo; +}; +TAILQ_HEAD(pfsync_deferrals, pfsync_deferral); + +#define PFSYNC_PLSIZE MAX(sizeof(struct pfsync_upd_req_item), \ + sizeof(struct pfsync_deferral)) + +int pfsync_out_tdb(struct tdb *, struct mbuf *, int); + +struct pfsync_softc { + struct ifnet sc_if; + struct ifnet *sc_sync_if; + + struct pool sc_pool; + + struct ip_moptions sc_imo; + + struct in_addr sc_sync_peer; + u_int8_t sc_maxupdates; + + struct ip sc_template; + + struct pf_state_queue sc_qs[PFSYNC_S_COUNT]; + size_t sc_len; + + struct pfsync_upd_reqs sc_upd_req_list; + + struct pfsync_deferrals sc_deferrals; + u_int sc_deferred; + + void *sc_plus; + size_t sc_pluslen; + + u_int32_t sc_ureq_sent; + int sc_bulk_tries; + struct timeout sc_bulkfail_tmo; + + 
u_int32_t sc_ureq_received; + struct pf_state *sc_bulk_next; + struct pf_state *sc_bulk_last; + struct timeout sc_bulk_tmo; + + TAILQ_HEAD(, tdb) sc_tdb_q; + + struct timeout sc_tmo; +}; struct pfsync_softc *pfsyncif = NULL; struct pfsyncstats pfsyncstats; @@ -86,7 +219,6 @@ struct pfsyncstats pfsyncstats; void pfsyncattach(int); int pfsync_clone_create(struct if_clone *, int); int pfsync_clone_destroy(struct ifnet *); -void pfsync_setmtu(struct pfsync_softc *, int); int pfsync_alloc_scrub_memory(struct pfsync_state_peer *, struct pf_state_peer *); void pfsync_update_net_tdb(struct pfsync_tdb *); @@ -95,17 +227,31 @@ int pfsyncoutput(struct ifnet *, struct mbuf *, struct sockaddr *, int pfsyncioctl(struct ifnet *, u_long, caddr_t); void pfsyncstart(struct ifnet *); -struct mbuf *pfsync_get_mbuf(struct pfsync_softc *, u_int8_t, void **); -int pfsync_request_update(struct pfsync_state_upd *, struct in_addr *); -int pfsync_sendout(struct pfsync_softc *); +struct mbuf *pfsync_if_dequeue(struct ifnet *); +struct mbuf *pfsync_get_mbuf(struct pfsync_softc *); + +void pfsync_deferred(struct pf_state *, int); +void pfsync_undefer(struct pfsync_deferral *, int); +void pfsync_defer_tmo(void *); + +void pfsync_request_update(u_int32_t, u_int64_t); +void pfsync_update_state_req(struct pf_state *); + +void pfsync_drop(struct pfsync_softc *); +void pfsync_sendout(void); +void pfsync_send_plus(void *, size_t); int pfsync_tdb_sendout(struct pfsync_softc *); int pfsync_sendout_mbuf(struct pfsync_softc *, struct mbuf *); void pfsync_timeout(void *); void pfsync_tdb_timeout(void *); void pfsync_send_bus(struct pfsync_softc *, u_int8_t); + +void pfsync_bulk_start(void); +void pfsync_bulk_status(u_int8_t); void pfsync_bulk_update(void *); -void pfsync_bulkfail(void *); +void pfsync_bulk_fail(void *); +#define PFSYNC_MAX_BULKTRIES 12 int pfsync_sync_ok; struct if_clone pfsync_cloner = 
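Review bot: pfsync_acts[] is a dispatch table that will be indexed by the action byte taken from a received subheader, and nothing in this hunk ties its 13 entries to the bound the lookup site has to check; declare it with an explicit size so a mismatch with the PFSYNC_ACT_* numbering fails to compile instead of reading past the table, e.g. `int (*pfsync_acts[PFSYNC_ACT_MAX])(struct pfsync_pkt *, struct mbuf *, int, int) = {` assuming the header defines that bound, with `/* indexed by pfsync_subheader.action; callers must check action < PFSYNC_ACT_MAX */` above it. The lookup itself is in pfsync_input(), whose body is cut off at the end of this page, so the range check could not be verified here. pfsync_qs[] has the same positional dependency on PFSYNC_S_*, and `struct pfsync_q pfsync_qs[PFSYNC_S_COUNT] = {` states it more strongly than the "we have one of these for every PFSYNC_S_" comment, since PFSYNC_S_COUNT already sizes sc_qs in the softc below.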
@@ -119,46 +265,52 @@ pfsyncattach(int npfsync) int pfsync_clone_create(struct if_clone *ifc, int unit) { + struct pfsync_softc *sc; struct ifnet *ifp; + int q; if (unit != 0) return (EINVAL); pfsync_sync_ok = 1; - if ((pfsyncif = malloc(sizeof(*pfsyncif), M_DEVBUF, - M_NOWAIT|M_ZERO)) == NULL) + + sc = malloc(sizeof(*pfsyncif), M_DEVBUF, M_NOWAIT | M_ZERO); + if (sc == NULL) return (ENOMEM); - pfsyncif->sc_mbuf = NULL; - pfsyncif->sc_mbuf_net = NULL; - pfsyncif->sc_mbuf_tdb = NULL; - pfsyncif->sc_statep.s = NULL; - pfsyncif->sc_statep_net.s = NULL; - pfsyncif->sc_statep_tdb.t = NULL; - pfsyncif->sc_maxupdates = 128; - pfsyncif->sc_sync_peer.s_addr = INADDR_PFSYNC_GROUP; - pfsyncif->sc_sendaddr.s_addr = INADDR_PFSYNC_GROUP; - pfsyncif->sc_ureq_received = 0; - pfsyncif->sc_ureq_sent = 0; - pfsyncif->sc_bulk_send_next = NULL; - pfsyncif->sc_bulk_terminator = NULL; - pfsyncif->sc_imo.imo_membership = (struct in_multi **)malloc( + + for (q = 0; q < PFSYNC_S_COUNT; q++) + TAILQ_INIT(&sc->sc_qs[q]); + + pool_init(&sc->sc_pool, PFSYNC_PLSIZE, 0, 0, 0, "pfsync", NULL); + TAILQ_INIT(&sc->sc_upd_req_list); + TAILQ_INIT(&sc->sc_deferrals); + sc->sc_deferred = 0; + + TAILQ_INIT(&sc->sc_tdb_q); + + sc->sc_len = PFSYNC_MINPKT; + sc->sc_maxupdates = 128; + + sc->sc_imo.imo_membership = (struct in_multi **)malloc( (sizeof(struct in_multi *) * IP_MIN_MEMBERSHIPS), M_IPMOPTS, - M_WAITOK|M_ZERO); - pfsyncif->sc_imo.imo_max_memberships = IP_MIN_MEMBERSHIPS; - ifp = &pfsyncif->sc_if; + M_WAITOK | M_ZERO); + sc->sc_imo.imo_max_memberships = IP_MIN_MEMBERSHIPS; + + ifp = &sc->sc_if; snprintf(ifp->if_xname, sizeof ifp->if_xname, "pfsync%d", unit); - ifp->if_softc = pfsyncif; + ifp->if_softc = sc; ifp->if_ioctl = pfsyncioctl; ifp->if_output = pfsyncoutput; ifp->if_start = pfsyncstart; ifp->if_type = IFT_PFSYNC; ifp->if_snd.ifq_maxlen = ifqmaxlen; - ifp->if_hdrlen = PFSYNC_HDRLEN; - pfsync_setmtu(pfsyncif, ETHERMTU); - timeout_set(&pfsyncif->sc_tmo, pfsync_timeout, pfsyncif); - 
timeout_set(&pfsyncif->sc_tdb_tmo, pfsync_tdb_timeout, pfsyncif); - timeout_set(&pfsyncif->sc_bulk_tmo, pfsync_bulk_update, pfsyncif); - timeout_set(&pfsyncif->sc_bulkfail_tmo, pfsync_bulkfail, pfsyncif); + ifp->if_hdrlen = sizeof(struct pfsync_header); + ifp->if_mtu = 1500; /* XXX */ + ifp->if_hardmtu = MCLBYTES; /* XXX */ + timeout_set(&sc->sc_tmo, pfsync_timeout, sc); + timeout_set(&sc->sc_bulk_tmo, pfsync_bulk_update, sc); + timeout_set(&sc->sc_bulkfail_tmo, pfsync_bulk_fail, sc); + if_attach(ifp); if_alloc_sadl(ifp); @@ -167,9 +319,11 @@ pfsync_clone_create(struct if_clone *ifc, int unit) #endif #if NBPFILTER > 0 - bpfattach(&pfsyncif->sc_if.if_bpf, ifp, DLT_PFSYNC, PFSYNC_HDRLEN); + bpfattach(&sc->sc_if.if_bpf, ifp, DLT_PFSYNC, PFSYNC_HDRLEN); #endif + pfsyncif = sc; + return (0); } @@ -178,10 +332,8 @@ pfsync_clone_destroy(struct ifnet *ifp) { struct pfsync_softc *sc = ifp->if_softc; - timeout_del(&sc->sc_tmo); - timeout_del(&sc->sc_tdb_tmo); timeout_del(&sc->sc_bulk_tmo); - timeout_del(&sc->sc_bulkfail_tmo); + timeout_del(&sc->sc_tmo); #if NCARP > 0 if (!pfsync_sync_ok) carp_group_demote_adj(&sc->sc_if, -1); @@ -190,12 +342,34 @@ pfsync_clone_destroy(struct ifnet *ifp) bpfdetach(ifp); #endif if_detach(ifp); - free(pfsyncif->sc_imo.imo_membership, M_IPMOPTS); - free(pfsyncif, M_DEVBUF); + + pfsync_drop(sc); + + while (sc->sc_deferred > 0) + pfsync_undefer(TAILQ_FIRST(&sc->sc_deferrals), 0); + + pool_destroy(&sc->sc_pool); + free(sc->sc_imo.imo_membership, M_IPMOPTS); + free(sc, M_DEVBUF); + pfsyncif = NULL; + return (0); } +struct mbuf * +pfsync_if_dequeue(struct ifnet *ifp) +{ + struct mbuf *m; + int s; + + s = splnet(); + IF_DEQUEUE(&ifp->if_snd, m); + splx(s); + + return (m); +} + /* * Start output on the pfsync interface. */ 
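Review bot: `sc = malloc(sizeof(*pfsyncif), M_DEVBUF, M_NOWAIT | M_ZERO);` sizes the allocation by the global pointer rather than the variable it initialises; the types agree today, but `sc = malloc(sizeof(*sc), M_DEVBUF, M_NOWAIT | M_ZERO);` keeps the size tied to `sc` if the declarations ever diverge. `ifp->if_mtu = 1500; /* XXX */` hard-codes the value that the removed pfsync_setmtu(pfsyncif, ETHERMTU) call expressed symbolically; `ifp->if_mtu = ETHERMTU;` keeps the name, and the XXX can then say what is actually unresolved (presumably that the MTU is not derived from sc_sync_if). The `(struct in_multi **)` cast on the imo_membership malloc is unnecessary in C and would hide a type mismatch.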
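Review bot: pfsync_clone_destroy() no longer cancels sc_bulkfail_tmo before free(sc, M_DEVBUF): the new body deletes only sc_bulk_tmo and sc_tmo, while pfsync_clone_create() in the hunk above still arms the handler with `timeout_set(&sc->sc_bulkfail_tmo, pfsync_bulk_fail, sc);`. If that timeout is pending when the interface is destroyed (it is scheduled elsewhere in the file, not visible here), pfsync_bulk_fail() runs with a dangling sc after the free. Add `timeout_del(&sc->sc_bulkfail_tmo);` next to the two remaining timeout_del calls. The pfsync_undefer() loop further down only covers the per-deferral pd_tmo timers, so it does not catch this one.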
@@ -203,18 +377,10 @@ void pfsyncstart(struct ifnet *ifp) { struct mbuf *m; - int s; - for (;;) { - s = splnet(); + while ((m = pfsync_if_dequeue(ifp)) != NULL) { IF_DROP(&ifp->if_snd); - IF_DEQUEUE(&ifp->if_snd, m); - splx(s); - - if (m == NULL) - return; - else - m_freem(m); + m_freem(m); } } @@ -389,8 +555,6 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags) st->log = sp->log; st->timeout = sp->timeout; st->state_flags = sp->state_flags; - if (!(flags & PFSYNC_SI_IOCTL)) - st->sync_flags = PFSTATE_FROMSYNC; bcopy(sp->id, &st->id, sizeof(st->id)); st->creatorid = sp->creatorid; @@ -402,19 +566,31 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags) st->anchor.ptr = NULL; st->rt_kif = NULL; - st->pfsync_time = 0; - + st->pfsync_time = time_second; + st->sync_state = PFSYNC_S_NONE; /* XXX when we have nat_rule/anchors, use STATE_INC_COUNTERS */ r->states_cur++; r->states_tot++; + if (!ISSET(flags, PFSYNC_SI_IOCTL)) + SET(st->state_flags, PFSTATE_NOSYNC); + if ((error = pf_state_insert(kif, skw, sks, st)) != 0) { /* XXX when we have nat_rule/anchors, use STATE_DEC_COUNTERS */ r->states_cur--; goto cleanup_state; } + if (!ISSET(flags, PFSYNC_SI_IOCTL)) { + CLR(st->state_flags, PFSTATE_NOSYNC); + if (ISSET(st->state_flags, PFSTATE_ACK)) { + pfsync_q_ins(st, PFSYNC_S_IACK); + schednetisr(NETISR_PFSYNC); + } + } + CLR(st->state_flags, PFSTATE_ACK); + return (0); cleanup: 
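Review bot: The new PFSTATE_ACK / PFSTATE_NOSYNC handling after pf_state_insert() operates on bits that arrive verbatim from the peer, because the earlier hunk keeps `st->state_flags = sp->state_flags;` — the code honours a wire-supplied PFSTATE_ACK (it queues an IACK) but then unconditionally rewrites PFSTATE_NOSYNC and PFSTATE_ACK, so it should say, in a comment or with an explicit mask applied to sp->state_flags, which flag bits are legitimate on the wire and which are local bookkeeping. The set-then-clear of PFSTATE_NOSYNC around pf_state_insert() also wants a why-comment; my reading is `/* hold NOSYNC across the insert so the state is not announced back to the peer it came from; cleared below */`, but that is inferred and should be confirmed against pf_state_insert(). pfsync_state_import() begins before this hunk.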
@@ -440,60 +616,50 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags)
 void
 pfsync_input(struct mbuf *m, ...)
 {
+	struct pfsync_softc *sc = pfsyncif;
+	struct pfsync_pkt pkt;
 	struct ip *ip = mtod(m, struct ip *);
 	struct pfsync_header *ph;
-	struct pfsync_softc *sc = pfsyncif;
-	struct pf_state *st;
-	struct pf_state_key *sk;
-	struct pf_state_item *si;
-	struct pf_state_cmp id_key;
-	struct pfsync_state *sp;
-	struct pfsync_state_upd *up;
-	struct pfsync_state_del *dp;
-	struct pfsync_state_clr *cp;
-	struct pfsync_state_upd_req *rup;
-	struct pfsync_state_bus *bus;
-#ifdef IPSEC
-	struct pfsync_tdb *pt;
-#endif
-	struct in_addr src;
-	struct mbuf *mp;
-	int iplen, action, error, i, s, count, offp, sfail, stale = 0;
-	u_int8_t flags = 0;
+	struct pfsync_subheader subh;
+
+	int offset;
+	int rv;
 
 	pfsyncstats.pfsyncs_ipackets++;
 
 	/* verify that we have a sync interface configured */
-	if (!sc || !sc->sc_sync_ifp || !pf_status.running)
+	if (!sc || !sc->sc_sync_if || !pf_status.running)
 		goto done;
 
 	/* verify that the packet came in on the right interface */
-	if (sc->sc_sync_ifp != m->m_pkthdr.rcvif) {
+	if (sc->sc_sync_if != m->m_pkthdr.rcvif) {
 		pfsyncstats.pfsyncs_badif++;
 		goto done;
 	}
 
-	/* verify that the IP TTL is 255. */
+	sc->sc_if.if_ipackets++;
+	sc->sc_if.if_ibytes += m->m_pkthdr.len;
+
+	/* verify that the IP TTL is 255. */
 	if (ip->ip_ttl != PFSYNC_DFLTTL) {
 		pfsyncstats.pfsyncs_badttl++;
 		goto done;
 	}
 
-	iplen = ip->ip_hl << 2;
-
-	if (m->m_pkthdr.len < iplen + sizeof(*ph)) {
+	offset = ip->ip_hl << 2;
+	if (m->m_pkthdr.len < offset + sizeof(*ph)) {
 		pfsyncstats.pfsyncs_hdrops++;
 		goto done;
 	}
 
-	if (iplen + sizeof(*ph) > m->m_len) {
-		if ((m = m_pullup(m, iplen + sizeof(*ph))) == NULL) {
+	if (offset + sizeof(*ph) > m->m_len) {
+		if (m_pullup(m, offset + sizeof(*ph)) == NULL) {
 			pfsyncstats.pfsyncs_hdrops++;
-			goto done;
+			return;
 		}
 		ip = mtod(m, struct ip *);
 	}
-	ph = (struct pfsync_header *)((char *)ip + iplen);
+	ph = (struct pfsync_header *)((char *)ip + offset);
 
 	/* verify the version */
 	if (ph->version != PFSYNC_VERSION) {
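Review bot: The m_pullup() result is now thrown away — `if (m_pullup(m, offset + sizeof(*ph)) == NULL)` replaces the old `if ((m = m_pullup(m, iplen + sizeof(*ph))) == NULL)`. If m_pullup() can return a different head mbuf (OpenBSD's does when it has to allocate a fresh one and move the packet header into it), then `ip = mtod(m, struct ip *)` on the next line, every later m_copydata()/m_pulldown() against `m`, and the final m_freem() all use the stale head, and the new head leaks. Keep the assignment, `if ((m = m_pullup(m, offset + sizeof(*ph))) == NULL) {`; the bare `return` on failure is correct because m_pullup() frees the chain. pfsync_input() continues past this hunk.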
@@ -501,464 +667,672 @@ pfsync_input(struct mbuf *m, ...) goto done; } - action = ph->action; - count = ph->count; - - /* make sure it's a valid action code */ - if (action >= PFSYNC_ACT_MAX) { - pfsyncstats.pfsyncs_badact++; +#if 0 + if (pfsync_input_hmac(m, offset) != 0) { + /* XXX stats */ goto done; } +#endif /* Cheaper to grab this now than having to mess with mbufs later */ - src = ip->ip_src; - - if (!bcmp(&ph->pf_chksum, &pf_status.pf_chksum, PF_MD5_DIGEST_LENGTH)) - flags |= PFSYNC_SI_CKSUM; - - switch (action) { - case PFSYNC_ACT_CLR: { - struct pf_state *nexts; - struct pf_state_key *nextsk; - struct pfi_kif *kif; - u_int32_t creatorid; - if ((mp = m_pulldown(m, iplen + sizeof(*ph), - sizeof(*cp), &offp)) == NULL) { - pfsyncstats.pfsyncs_badlen++; - return; + pkt.ip = ip; + pkt.src = ip->ip_src; + pkt.flags = 0; + + if (!bcmp(&ph->pfcksum, &pf_status.pf_chksum, PF_MD5_DIGEST_LENGTH)) + pkt.flags |= PFSYNC_SI_CKSUM; + + offset += sizeof(*ph); + for (;;) { + m_copydata(m, offset, sizeof(subh), (caddr_t)&subh); + offset += sizeof(subh); + + if (subh.action >= PFSYNC_ACT_MAX) { + pfsyncstats.pfsyncs_badact++; + goto done; } - cp = (struct pfsync_state_clr *)(mp->m_data + offp); - creatorid = cp->creatorid; - s = splsoftnet(); - if (cp->ifname[0] == '\0') { + rv = (*pfsync_acts[subh.action])(&pkt, m, offset, + ntohs(subh.count)); + if (rv == -1) + return; + + offset += rv; + } + +done: + m_freem(m); +} + +int +pfsync_in_clr(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + struct pfsync_clr *clr; + struct mbuf *mp; + int len = sizeof(*clr) * count; + int i, offp; + + struct pf_state *st, *nexts; + struct pf_state_key *sk, *nextsk; + struct pf_state_item *si; + u_int32_t creatorid; + int s; + + mp = m_pulldown(m, offset, len, &offp); + if (mp == NULL) { + pfsyncstats.pfsyncs_badlen++; + return (-1); + } + clr = (struct pfsync_clr *)(mp->m_data + offp); + + s = splsoftnet(); + for (i = 0; i < count; i++) { + creatorid = clr[i].creatorid; + + 
if (clr[i].ifname[0] == '\0') { for (st = RB_MIN(pf_state_tree_id, &tree_id); st; st = nexts) { nexts = RB_NEXT(pf_state_tree_id, &tree_id, st); if (st->creatorid == creatorid) { - st->sync_flags |= PFSTATE_FROMSYNC; + SET(st->state_flags, PFSTATE_NOSYNC); pf_unlink_state(st); } } } else { - if ((kif = pfi_kif_get(cp->ifname)) == NULL) { - splx(s); - return; - } + if (pfi_kif_get(clr[i].ifname) == NULL) + continue; + /* XXX correct? */ - for (sk = RB_MIN(pf_state_tree, - &pf_statetbl); sk; sk = nextsk) { + for (sk = RB_MIN(pf_state_tree, &pf_statetbl); + sk; sk = nextsk) { nextsk = RB_NEXT(pf_state_tree, &pf_statetbl, sk); TAILQ_FOREACH(si, &sk->states, entry) { if (si->s->creatorid == creatorid) { - si->s->sync_flags |= - PFSTATE_FROMSYNC; + SET(si->s->state_flags, + PFSTATE_NOSYNC); pf_unlink_state(si->s); } } } } - splx(s); - - break; } - case PFSYNC_ACT_INS: - if ((mp = m_pulldown(m, iplen + sizeof(*ph), - count * sizeof(*sp), &offp)) == NULL) { - pfsyncstats.pfsyncs_badlen++; - return; - } + splx(s); - s = splsoftnet(); - for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp); - i < count; i++, sp++) { - /* check for invalid values */ - if (sp->timeout >= PFTM_MAX || - sp->src.state > PF_TCPS_PROXY_DST || - sp->dst.state > PF_TCPS_PROXY_DST || - sp->direction > PF_OUT || - (sp->af != AF_INET && sp->af != AF_INET6)) { - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync_input: PFSYNC_ACT_INS: " - "invalid value\n"); - pfsyncstats.pfsyncs_badval++; - continue; - } + return (len); +} - if ((error = pfsync_state_import(sp, flags))) { - if (error == ENOMEM) { - splx(s); - goto done; - } - continue; +int +pfsync_in_ins(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + struct mbuf *mp; + struct pfsync_state *sa, *sp; + int len = sizeof(*sp) * count; + int i, offp; + + int s; + + mp = m_pulldown(m, offset, len, &offp); + if (mp == NULL) { + pfsyncstats.pfsyncs_badlen++; + return (-1); + } + sa = (struct pfsync_state *)(mp->m_data + offp); + 
+ s = splsoftnet(); + for (i = 0; i < count; i++) { + sp = &sa[i]; + + /* check for invalid values */ + if (sp->timeout >= PFTM_MAX || + sp->src.state > PF_TCPS_PROXY_DST || + sp->dst.state > PF_TCPS_PROXY_DST || + sp->direction > PF_OUT || + (sp->af != AF_INET && sp->af != AF_INET6)) { + if (pf_status.debug >= PF_DEBUG_MISC) { + printf("pfsync_input: PFSYNC5_ACT_INS: " + "invalid value\n"); } + pfsyncstats.pfsyncs_badval++; + continue; } - splx(s); - break; - case PFSYNC_ACT_UPD: - if ((mp = m_pulldown(m, iplen + sizeof(*ph), - count * sizeof(*sp), &offp)) == NULL) { - pfsyncstats.pfsyncs_badlen++; - return; + + if (pfsync_state_import(sp, pkt->flags) == ENOMEM) { + /* drop out, but process the rest of the actions */ + break; } + } + splx(s); - s = splsoftnet(); - for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp); - i < count; i++, sp++) { - int flags = PFSYNC_FLAG_STALE; - - /* check for invalid values */ - if (sp->timeout >= PFTM_MAX || - sp->src.state > PF_TCPS_PROXY_DST || - sp->dst.state > PF_TCPS_PROXY_DST) { - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync_input: PFSYNC_ACT_UPD: " - "invalid value\n"); - pfsyncstats.pfsyncs_badval++; - continue; - } + return (len); +} - bcopy(sp->id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = sp->creatorid; +int +pfsync_in_iack(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + struct pfsync_ins_ack *ia, *iaa; + struct pf_state_cmp id_key; + struct pf_state *st; - st = pf_find_state_byid(&id_key); - if (st == NULL) { - /* insert the update */ - if (pfsync_state_import(sp, flags)) - pfsyncstats.pfsyncs_badstate++; - continue; - } - sk = st->key[PF_SK_WIRE]; /* XXX right one? */ - sfail = 0; - if (sk->proto == IPPROTO_TCP) { - /* - * The state should never go backwards except - * for syn-proxy states. Neither should the - * sequence window slide backwards. 
- */ - if (st->src.state > sp->src.state && - (st->src.state < PF_TCPS_PROXY_SRC || - sp->src.state >= PF_TCPS_PROXY_SRC)) - sfail = 1; - else if (SEQ_GT(st->src.seqlo, - ntohl(sp->src.seqlo))) - sfail = 3; - else if (st->dst.state > sp->dst.state) { - /* There might still be useful - * information about the src state here, - * so import that part of the update, - * then "fail" so we send the updated - * state back to the peer who is missing - * our what we know. */ - pf_state_peer_ntoh(&sp->src, &st->src); - /* XXX do anything with timeouts? */ - sfail = 7; - flags = 0; - } else if (st->dst.state >= TCPS_SYN_SENT && - SEQ_GT(st->dst.seqlo, ntohl(sp->dst.seqlo))) - sfail = 4; - } else { - /* - * Non-TCP protocol state machine always go - * forwards - */ - if (st->src.state > sp->src.state) - sfail = 5; - else if (st->dst.state > sp->dst.state) - sfail = 6; - } - if (sfail) { - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: %s stale update " - "(%d) id: %016llx " - "creatorid: %08x\n", - (sfail < 7 ? 
"ignoring" - : "partial"), sfail, - betoh64(st->id), - ntohl(st->creatorid)); - pfsyncstats.pfsyncs_stale++; - - if (!(sp->sync_flags & PFSTATE_STALE)) { - /* we have a better state, send it */ - if (sc->sc_mbuf != NULL && !stale) - pfsync_sendout(sc); - stale++; - if (!st->sync_flags) - pfsync_pack_state( - PFSYNC_ACT_UPD, st, flags); - } - continue; - } - pfsync_alloc_scrub_memory(&sp->dst, &st->dst); - pf_state_peer_ntoh(&sp->src, &st->src); - pf_state_peer_ntoh(&sp->dst, &st->dst); - st->expire = ntohl(sp->expire) + time_second; - st->timeout = sp->timeout; - } - if (stale && sc->sc_mbuf != NULL) - pfsync_sendout(sc); - splx(s); - break; + struct mbuf *mp; + int len = count * sizeof(*ia); + int offp, i; + int s; + + mp = m_pulldown(m, offset, len, &offp); + if (mp == NULL) { + pfsyncstats.pfsyncs_badlen++; + return (-1); + } + iaa = (struct pfsync_ins_ack *)(mp->m_data + offp); + + s = splsoftnet(); + for (i = 0; i < count; i++) { + ia = &iaa[i]; + + bcopy(&ia->id, &id_key.id, sizeof(id_key.id)); + id_key.creatorid = ia->creatorid; + + st = pf_find_state_byid(&id_key); + if (st == NULL) + continue; + + if (ISSET(st->state_flags, PFSTATE_ACK)) + pfsync_deferred(st, 0); + } + splx(s); /* - * It's not strictly necessary for us to support the "uncompressed" - * delete action, but it's relatively simple and maintains consistency. + * XXX this is not yet implemented, but we know the size of the + * message so we can skip it. */ - case PFSYNC_ACT_DEL: - if ((mp = m_pulldown(m, iplen + sizeof(*ph), - count * sizeof(*sp), &offp)) == NULL) { - pfsyncstats.pfsyncs_badlen++; - return; + + return (count * sizeof(struct pfsync_ins_ack)); +} + +int +pfsync_upd_tcp(struct pf_state *st, struct pfsync_state_peer *src, + struct pfsync_state_peer *dst) +{ + int sfail = 0; + + /* + * The state should never go backwards except + * for syn-proxy states. Neither should the + * sequence window slide backwards. 
+ */ + if (st->src.state > src->state && + (st->src.state < PF_TCPS_PROXY_SRC || + src->state >= PF_TCPS_PROXY_SRC)) + sfail = 1; + else if (SEQ_GT(st->src.seqlo, ntohl(src->seqlo))) + sfail = 3; + else if (st->dst.state > dst->state) { + /* There might still be useful + * information about the src state here, + * so import that part of the update, + * then "fail" so we send the updated + * state back to the peer who is missing + * our what we know. */ + pf_state_peer_ntoh(src, &st->src); + /* XXX do anything with timeouts? */ + sfail = 7; + } else if (st->dst.state >= TCPS_SYN_SENT && + SEQ_GT(st->dst.seqlo, ntohl(dst->seqlo))) + sfail = 4; + + return (sfail); +} + +int +pfsync_in_upd(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + struct pfsync_state *sa, *sp; + struct pf_state_cmp id_key; + struct pf_state_key *sk; + struct pf_state *st; + int sfail; + + struct mbuf *mp; + int len = count * sizeof(*sp); + int offp, i; + int s; + + mp = m_pulldown(m, offset, len, &offp); + if (mp == NULL) { + pfsyncstats.pfsyncs_badlen++; + return (-1); + } + sa = (struct pfsync_state *)(mp->m_data + offp); + + s = splsoftnet(); + for (i = 0; i < count; i++) { + sp = &sa[i]; + + /* check for invalid values */ + if (sp->timeout >= PFTM_MAX || + sp->src.state > PF_TCPS_PROXY_DST || + sp->dst.state > PF_TCPS_PROXY_DST) { + if (pf_status.debug >= PF_DEBUG_MISC) { + printf("pfsync_input: PFSYNC_ACT_UPD: " + "invalid value\n"); + } + pfsyncstats.pfsyncs_badval++; + continue; } - s = splsoftnet(); - for (i = 0, sp = (struct pfsync_state *)(mp->m_data + offp); - i < count; i++, sp++) { - bcopy(sp->id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = sp->creatorid; + bcopy(sp->id, &id_key.id, sizeof(id_key.id)); + id_key.creatorid = sp->creatorid; - st = pf_find_state_byid(&id_key); - if (st == NULL) { + st = pf_find_state_byid(&id_key); + if (st == NULL) { + /* insert the update */ + if (pfsync_state_import(sp, 0)) pfsyncstats.pfsyncs_badstate++; - continue; - } - 
st->sync_flags |= PFSTATE_FROMSYNC; - pf_unlink_state(st); + continue; } - splx(s); - break; - case PFSYNC_ACT_UPD_C: { - int update_requested = 0; - if ((mp = m_pulldown(m, iplen + sizeof(*ph), - count * sizeof(*up), &offp)) == NULL) { - pfsyncstats.pfsyncs_badlen++; - return; + if (ISSET(st->state_flags, PFSTATE_ACK)) + pfsync_deferred(st, 1); + + sk = st->key[PF_SK_WIRE]; /* XXX right one? */ + sfail = 0; + if (sk->proto == IPPROTO_TCP) + sfail = pfsync_upd_tcp(st, &sp->src, &sp->dst); + else { + /* + * Non-TCP protocol state machine always go + * forwards + */ + if (st->src.state > sp->src.state) + sfail = 5; + else if (st->dst.state > sp->dst.state) + sfail = 6; } - s = splsoftnet(); - for (i = 0, up = (struct pfsync_state_upd *)(mp->m_data + offp); - i < count; i++, up++) { - /* check for invalid values */ - if (up->timeout >= PFTM_MAX || - up->src.state > PF_TCPS_PROXY_DST || - up->dst.state > PF_TCPS_PROXY_DST) { - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync_input: " - "PFSYNC_ACT_UPD_C: " - "invalid value\n"); - pfsyncstats.pfsyncs_badval++; - continue; + if (sfail) { + if (pf_status.debug >= PF_DEBUG_MISC) { + printf("pfsync: %s stale update (%d)" + " id: %016llx creatorid: %08x\n", + (sfail < 7 ? "ignoring" : "partial"), + sfail, betoh64(st->id), + ntohl(st->creatorid)); } + pfsyncstats.pfsyncs_stale++; - bcopy(up->id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = up->creatorid; + pfsync_update_state(st); + schednetisr(NETISR_PFSYNC); + continue; + } + pfsync_alloc_scrub_memory(&sp->dst, &st->dst); + pf_state_peer_ntoh(&sp->src, &st->src); + pf_state_peer_ntoh(&sp->dst, &st->dst); + st->expire = ntohl(sp->expire) + time_second; + st->timeout = sp->timeout; + st->pfsync_time = time_second; + } + splx(s); - st = pf_find_state_byid(&id_key); - if (st == NULL) { - /* We don't have this state. Ask for it. 
*/ - error = pfsync_request_update(up, &src); - if (error == ENOMEM) { - splx(s); - goto done; - } - update_requested = 1; - pfsyncstats.pfsyncs_badstate++; - continue; - } - sk = st->key[PF_SK_WIRE]; /* XXX right one? */ - sfail = 0; - if (sk->proto == IPPROTO_TCP) { - /* - * The state should never go backwards except - * for syn-proxy states. Neither should the - * sequence window slide backwards. - */ - if (st->src.state > up->src.state && - (st->src.state < PF_TCPS_PROXY_SRC || - up->src.state >= PF_TCPS_PROXY_SRC)) - sfail = 1; - else if (st->dst.state > up->dst.state) - sfail = 2; - else if (SEQ_GT(st->src.seqlo, - ntohl(up->src.seqlo))) - sfail = 3; - else if (st->dst.state >= TCPS_SYN_SENT && - SEQ_GT(st->dst.seqlo, ntohl(up->dst.seqlo))) - sfail = 4; - } else { - /* - * Non-TCP protocol state machine always go - * forwards - */ - if (st->src.state > up->src.state) - sfail = 5; - else if (st->dst.state > up->dst.state) - sfail = 6; + return (len); +} + +int +pfsync_in_upd_c(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + struct pfsync_upd_c *ua, *up; + struct pf_state_key *sk; + struct pf_state_cmp id_key; + struct pf_state *st; + + int len = count * sizeof(*up); + int sfail; + + struct mbuf *mp; + int offp, i; + int s; + + mp = m_pulldown(m, offset, len, &offp); + if (mp == NULL) { + pfsyncstats.pfsyncs_badlen++; + return (-1); + } + ua = (struct pfsync_upd_c *)(mp->m_data + offp); + + s = splsoftnet(); + for (i = 0; i < count; i++) { + up = &ua[i]; + + /* check for invalid values */ + if (up->timeout >= PFTM_MAX || + up->src.state > PF_TCPS_PROXY_DST || + up->dst.state > PF_TCPS_PROXY_DST) { + if (pf_status.debug >= PF_DEBUG_MISC) { + printf("pfsync_input: " + "PFSYNC_ACT_UPD_C: " + "invalid value\n"); } - if (sfail) { - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: ignoring stale update " - "(%d) id: %016llx " - "creatorid: %08x\n", sfail, - betoh64(st->id), - ntohl(st->creatorid)); - pfsyncstats.pfsyncs_stale++; - - /* we 
have a better state, send it out */ - if ((!stale || update_requested) && - sc->sc_mbuf != NULL) { - pfsync_sendout(sc); - update_requested = 0; - } - stale++; - if (!st->sync_flags) - pfsync_pack_state(PFSYNC_ACT_UPD, st, - PFSYNC_FLAG_STALE); - continue; + pfsyncstats.pfsyncs_badval++; + continue; + } + + bcopy(&up->id, &id_key.id, sizeof(id_key.id)); + id_key.creatorid = up->creatorid; + + st = pf_find_state_byid(&id_key); + if (st == NULL) { + /* We don't have this state. Ask for it. */ + pfsync_request_update(id_key.creatorid, id_key.id); + continue; + } + + if (ISSET(st->state_flags, PFSTATE_ACK)) + pfsync_deferred(st, 1); + + sk = st->key[PF_SK_WIRE]; /* XXX right one? */ + sfail = 0; + if (sk->proto == IPPROTO_TCP) + sfail = pfsync_upd_tcp(st, &up->src, &up->dst); + else { + /* + * Non-TCP protocol state machine always go forwards + */ + if (st->src.state > up->src.state) + sfail = 5; + else if (st->dst.state > up->dst.state) + sfail = 6; + } + + if (sfail) { + if (pf_status.debug >= PF_DEBUG_MISC) { + printf("pfsync: ignoring stale update " + "(%d) id: %016llx " + "creatorid: %08x\n", sfail, + betoh64(st->id), + ntohl(st->creatorid)); } - pfsync_alloc_scrub_memory(&up->dst, &st->dst); - pf_state_peer_ntoh(&up->src, &st->src); - pf_state_peer_ntoh(&up->dst, &st->dst); - st->expire = ntohl(up->expire) + time_second; - st->timeout = up->timeout; + pfsyncstats.pfsyncs_stale++; + + pfsync_update_state(st); + schednetisr(NETISR_PFSYNC); + continue; } - if ((update_requested || stale) && sc->sc_mbuf) - pfsync_sendout(sc); - splx(s); - break; + pfsync_alloc_scrub_memory(&up->dst, &st->dst); + pf_state_peer_ntoh(&up->src, &st->src); + pf_state_peer_ntoh(&up->dst, &st->dst); + st->expire = ntohl(up->expire) + time_second; + st->timeout = up->timeout; + st->pfsync_time = time_second; } - case PFSYNC_ACT_DEL_C: - if ((mp = m_pulldown(m, iplen + sizeof(*ph), - count * sizeof(*dp), &offp)) == NULL) { - pfsyncstats.pfsyncs_badlen++; - return; - } + splx(s); + + return 
(len); +} + +int +pfsync_in_ureq(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + struct pfsync_upd_req *ur, *ura; + struct mbuf *mp; + int len = count * sizeof(*ur); + int i, offp; + + struct pf_state_cmp id_key; + struct pf_state *st; + + mp = m_pulldown(m, offset, len, &offp); + if (mp == NULL) { + pfsyncstats.pfsyncs_badlen++; + return (-1); + } + ura = (struct pfsync_upd_req *)(mp->m_data + offp); + + for (i = 0; i < count; i++) { + ur = &ura[i]; - s = splsoftnet(); - for (i = 0, dp = (struct pfsync_state_del *)(mp->m_data + offp); - i < count; i++, dp++) { - bcopy(dp->id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = dp->creatorid; + bcopy(&ur->id, &id_key.id, sizeof(id_key.id)); + id_key.creatorid = ur->creatorid; + if (id_key.id == 0 && id_key.creatorid == 0) + pfsync_bulk_start(); + else { st = pf_find_state_byid(&id_key); if (st == NULL) { pfsyncstats.pfsyncs_badstate++; continue; } - st->sync_flags |= PFSTATE_FROMSYNC; - pf_unlink_state(st); + if (ISSET(st->state_flags, PFSTATE_NOSYNC)) + continue; + + pfsync_update_state_req(st); } - splx(s); - break; - case PFSYNC_ACT_INS_F: - case PFSYNC_ACT_DEL_F: - /* not implemented */ - break; - case PFSYNC_ACT_UREQ: - if ((mp = m_pulldown(m, iplen + sizeof(*ph), - count * sizeof(*rup), &offp)) == NULL) { - pfsyncstats.pfsyncs_badlen++; - return; + } + + return (len); +} + +int +pfsync_in_del(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + struct mbuf *mp; + struct pfsync_state *sa, *sp; + struct pf_state_cmp id_key; + struct pf_state *st; + int len = count * sizeof(*sp); + int offp, i; + int s; + + mp = m_pulldown(m, offset, len, &offp); + if (mp == NULL) { + pfsyncstats.pfsyncs_badlen++; + return (-1); + } + sa = (struct pfsync_state *)(mp->m_data + offp); + + s = splsoftnet(); + for (i = 0; i < count; i++) { + sp = &sa[i]; + + bcopy(sp->id, &id_key.id, sizeof(id_key.id)); + id_key.creatorid = sp->creatorid; + + st = pf_find_state_byid(&id_key); + if (st == NULL) { + 
pfsyncstats.pfsyncs_badstate++; + continue; } + SET(st->state_flags, PFSTATE_NOSYNC); + pf_unlink_state(st); + } + splx(s); - s = splsoftnet(); - if (sc->sc_mbuf != NULL) - pfsync_sendout(sc); - for (i = 0, - rup = (struct pfsync_state_upd_req *)(mp->m_data + offp); - i < count; i++, rup++) { - bcopy(rup->id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = rup->creatorid; - - if (id_key.id == 0 && id_key.creatorid == 0) { - sc->sc_ureq_received = time_uptime; - if (sc->sc_bulk_send_next == NULL) - sc->sc_bulk_send_next = - TAILQ_FIRST(&state_list); - sc->sc_bulk_terminator = sc->sc_bulk_send_next; - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: received " - "bulk update request\n"); - pfsync_send_bus(sc, PFSYNC_BUS_START); - timeout_add(&sc->sc_bulk_tmo, 1 * hz); - } else { - st = pf_find_state_byid(&id_key); - if (st == NULL) { - pfsyncstats.pfsyncs_badstate++; - continue; - } - if (!st->sync_flags) - pfsync_pack_state(PFSYNC_ACT_UPD, - st, 0); - } + return (len); +} + +int +pfsync_in_del_c(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + struct mbuf *mp; + struct pfsync_del_c *sa, *sp; + struct pf_state_cmp id_key; + struct pf_state *st; + int len = count * sizeof(*sp); + int offp, i; + int s; + + mp = m_pulldown(m, offset, len, &offp); + if (mp == NULL) { + pfsyncstats.pfsyncs_badlen++; + return (-1); + } + sa = (struct pfsync_del_c *)(mp->m_data + offp); + + s = splsoftnet(); + for (i = 0; i < count; i++) { + sp = &sa[i]; + + bcopy(&sp->id, &id_key.id, sizeof(id_key.id)); + id_key.creatorid = sp->creatorid; + + st = pf_find_state_byid(&id_key); + if (st == NULL) { + pfsyncstats.pfsyncs_badstate++; + continue; } - if (sc->sc_mbuf != NULL) - pfsync_sendout(sc); - splx(s); + + SET(st->state_flags, PFSTATE_NOSYNC); + pf_unlink_state(st); + } + splx(s); + + return (len); +} + +int +pfsync_in_bus(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + struct pfsync_softc *sc = pfsyncif; + struct pfsync_bus *bus; + struct 
mbuf *mp; + int len = count * sizeof(*bus); + int offp; + + /* If we're not waiting for a bulk update, who cares. */ + if (sc->sc_ureq_sent == 0) + return (len); + + mp = m_pulldown(m, offset, len, &offp); + if (mp == NULL) { + pfsyncstats.pfsyncs_badlen++; + return (-1); + } + bus = (struct pfsync_bus *)(mp->m_data + offp); + + switch (bus->status) { + case PFSYNC_BUS_START: + timeout_add_sec(&sc->sc_bulkfail_tmo, 5); /* XXX magic */ +#if XXX + pf_pool_limits[PF_LIMIT_STATES].limit / + (PFSYNC_BULKPACKETS * sc->sc_maxcount)); +#endif + if (pf_status.debug >= PF_DEBUG_MISC) + printf("pfsync: received bulk update start\n"); break; - case PFSYNC_ACT_BUS: - /* If we're not waiting for a bulk update, who cares. */ - if (sc->sc_ureq_sent == 0) - break; - if ((mp = m_pulldown(m, iplen + sizeof(*ph), - sizeof(*bus), &offp)) == NULL) { - pfsyncstats.pfsyncs_badlen++; - return; - } - bus = (struct pfsync_state_bus *)(mp->m_data + offp); - switch (bus->status) { - case PFSYNC_BUS_START: - timeout_add(&sc->sc_bulkfail_tmo, - pf_pool_limits[PF_LIMIT_STATES].limit / - (PFSYNC_BULKPACKETS * sc->sc_maxcount)); - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: received bulk " - "update start\n"); - break; - case PFSYNC_BUS_END: - if (time_uptime - ntohl(bus->endtime) >= - sc->sc_ureq_sent) { - /* that's it, we're happy */ - sc->sc_ureq_sent = 0; - sc->sc_bulk_tries = 0; - timeout_del(&sc->sc_bulkfail_tmo); + case PFSYNC_BUS_END: + if (time_uptime - ntohl(bus->endtime) >= + sc->sc_ureq_sent) { + /* that's it, we're happy */ + sc->sc_ureq_sent = 0; + sc->sc_bulk_tries = 0; + timeout_del(&sc->sc_bulkfail_tmo); #if NCARP > 0 - if (!pfsync_sync_ok) - carp_group_demote_adj(&sc->sc_if, -1); + if (!pfsync_sync_ok) + carp_group_demote_adj(&sc->sc_if, -1); #endif - pfsync_sync_ok = 1; - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: received valid " - "bulk update end\n"); - } else { - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: received invalid " - "bulk update 
end: bad timestamp\n"); - } - break; - } - break; -#ifdef IPSEC - case PFSYNC_ACT_TDB_UPD: - if ((mp = m_pulldown(m, iplen + sizeof(*ph), - count * sizeof(*pt), &offp)) == NULL) { - pfsyncstats.pfsyncs_badlen++; - return; + pfsync_sync_ok = 1; + if (pf_status.debug >= PF_DEBUG_MISC) + printf("pfsync: received valid " + "bulk update end\n"); + } else { + if (pf_status.debug >= PF_DEBUG_MISC) + printf("pfsync: received invalid " + "bulk update end: bad timestamp\n"); } - s = splsoftnet(); - for (i = 0, pt = (struct pfsync_tdb *)(mp->m_data + offp); - i < count; i++, pt++) - pfsync_update_net_tdb(pt); - splx(s); break; + } + + return (len); +} + +int +pfsync_in_tdb(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + int len = count * sizeof(struct pfsync_tdb); + +#if defined(IPSEC) + struct pfsync_tdb *tp; + struct mbuf *mp; + int offp; + int i; + int s; + + mp = m_pulldown(m, offset, len, &offp); + if (mp == NULL) { + pfsyncstats.pfsyncs_badlen++; + return (-1); + } + tp = (struct pfsync_tdb *)(mp->m_data + offp); + + s = splsoftnet(); + for (i = 0; i < count; i++) + pfsync_update_net_tdb(&tp[i]); + splx(s); #endif + + return (len); +} + +#if defined(IPSEC) +/* Update an in-kernel tdb. Silently fail if no tdb is found. */ +void +pfsync_update_net_tdb(struct pfsync_tdb *pt) +{ + struct tdb *tdb; + int s; + + /* check for invalid values */ + if (ntohl(pt->spi) <= SPI_RESERVED_MAX || + (pt->dst.sa.sa_family != AF_INET && + pt->dst.sa.sa_family != AF_INET6)) + goto bad; + + s = spltdb(); + tdb = gettdb(pt->spi, &pt->dst, pt->sproto); + if (tdb) { + pt->rpl = ntohl(pt->rpl); + pt->cur_bytes = betoh64(pt->cur_bytes); + + /* Neither replay nor byte counter should ever decrease. 
*/ + if (pt->rpl < tdb->tdb_rpl || + pt->cur_bytes < tdb->tdb_cur_bytes) { + splx(s); + goto bad; + } + + tdb->tdb_rpl = pt->rpl; + tdb->tdb_cur_bytes = pt->cur_bytes; } + splx(s); + return; -done: - if (m) - m_freem(m); + bad: + if (pf_status.debug >= PF_DEBUG_MISC) + printf("pfsync_insert: PFSYNC_ACT_TDB_UPD: " + "invalid value\n"); + pfsyncstats.pfsyncs_badstate++; + return; +} +#endif + + +int +pfsync_in_eof(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + /* check if we are at the right place in the packet */ + if (offset != m->m_pkthdr.len - sizeof(struct pfsync_eof)) + pfsyncstats.pfsyncs_badact++; + + /* we're done. free and let the caller return */ + m_freem(m); + return (-1); +} + +int +pfsync_in_error(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) +{ + pfsyncstats.pfsyncs_badact++; + + m_freem(m); + return (-1); } int @@ -979,12 +1353,15 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) struct ip_moptions *imo = &sc->sc_imo; struct pfsyncreq pfsyncr; struct ifnet *sifp; + struct ip *ip; int s, error; switch (cmd) { +#if 0 case SIOCSIFADDR: case SIOCAIFADDR: case SIOCSIFDSTADDR: +#endif case SIOCSIFFLAGS: if (ifp->if_flags & IFF_UP) ifp->if_flags |= IFF_RUNNING; 
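Review bot: The subheader loop in pfsync_input() does `m_copydata(m, offset, sizeof(subh), (caddr_t)&subh)` without first checking that `offset + sizeof(subh)` is still inside `m->m_pkthdr.len`; a datagram that is truncated or simply omits the EOF subheader makes that read run off the end of the chain (the handlers return `len` even when they skip the payload, e.g. pfsync_in_bus() with sc_ureq_sent == 0, so offset can pass the end before any m_pulldown() rejects it), and on a kernel whose m_copydata() panics on a short chain that is a crash any host on the sync segment can cause with one TTL-255 IPPROTO_PFSYNC packet, since the only authentication here, pfsync_input_hmac(), is under `#if 0`. Put `if (offset + sizeof(subh) > m->m_pkthdr.len) { pfsyncstats.pfsyncs_badlen++; goto done; }` at the top of the `for (;;)` body before the m_copydata(). The `#if 0` around the HMAC check deserves a comment stating that pfsync traffic is currently unauthenticated and relies on the sync interface being isolated. The comment in pfsync_in_iack() saying the action "is not yet implemented" is stale — the loop above it now processes the acks.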
@@ -992,26 +1369,27 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) ifp->if_flags &= ~IFF_RUNNING; break; case SIOCSIFMTU: - if (ifr->ifr_mtu < PFSYNC_MINMTU) + if (ifr->ifr_mtu <= PFSYNC_MINPKT) return (EINVAL); - if (ifr->ifr_mtu > MCLBYTES) + if (ifr->ifr_mtu > MCLBYTES) /* XXX could be bigger */ ifr->ifr_mtu = MCLBYTES; - s = splnet(); - if (ifr->ifr_mtu < ifp->if_mtu) - pfsync_sendout(sc); - pfsync_setmtu(sc, ifr->ifr_mtu); - splx(s); + if (ifr->ifr_mtu < ifp->if_mtu) { + s = splnet(); + pfsync_sendout(); + splx(s); + } + ifp->if_mtu = ifr->ifr_mtu; break; case SIOCGETPFSYNC: bzero(&pfsyncr, sizeof(pfsyncr)); - if (sc->sc_sync_ifp) + if (sc->sc_sync_if) { strlcpy(pfsyncr.pfsyncr_syncdev, - sc->sc_sync_ifp->if_xname, IFNAMSIZ); + sc->sc_sync_if->if_xname, IFNAMSIZ); + } pfsyncr.pfsyncr_syncpeer = sc->sc_sync_peer; pfsyncr.pfsyncr_maxupdates = sc->sc_maxupdates; - if ((error = copyout(&pfsyncr, ifr->ifr_data, sizeof(pfsyncr)))) - return (error); - break; + return (copyout(&pfsyncr, ifr->ifr_data, sizeof(pfsyncr))); + case SIOCSETPFSYNC: if ((error = suser(p, p->p_acflag)) != 0) return (error); @@ -1029,17 +1407,10 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) sc->sc_maxupdates = pfsyncr.pfsyncr_maxupdates; if (pfsyncr.pfsyncr_syncdev[0] == 0) { - sc->sc_sync_ifp = NULL; - if (sc->sc_mbuf_net != NULL) { - /* Don't keep stale pfsync packets around. */ - s = splnet(); - m_freem(sc->sc_mbuf_net); - sc->sc_mbuf_net = NULL; - sc->sc_statep_net.s = NULL; - splx(s); - } + sc->sc_sync_if = NULL; if (imo->imo_num_memberships > 0) { - in_delmulti(imo->imo_membership[--imo->imo_num_memberships]); + in_delmulti(imo->imo_membership[ + --imo->imo_num_memberships]); imo->imo_multicast_ifp = NULL; } break; 
@@ -1050,25 +1421,23 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) s = splnet(); if (sifp->if_mtu < sc->sc_if.if_mtu || - (sc->sc_sync_ifp != NULL && - sifp->if_mtu < sc->sc_sync_ifp->if_mtu) || + (sc->sc_sync_if != NULL && + sifp->if_mtu < sc->sc_sync_if->if_mtu) || sifp->if_mtu < MCLBYTES - sizeof(struct ip)) - pfsync_sendout(sc); - sc->sc_sync_ifp = sifp; - - pfsync_setmtu(sc, sc->sc_if.if_mtu); + pfsync_sendout(); + sc->sc_sync_if = sifp; if (imo->imo_num_memberships > 0) { in_delmulti(imo->imo_membership[--imo->imo_num_memberships]); imo->imo_multicast_ifp = NULL; } - if (sc->sc_sync_ifp && + if (sc->sc_sync_if && sc->sc_sync_peer.s_addr == INADDR_PFSYNC_GROUP) { struct in_addr addr; - if (!(sc->sc_sync_ifp->if_flags & IFF_MULTICAST)) { - sc->sc_sync_ifp = NULL; + if (!(sc->sc_sync_if->if_flags & IFF_MULTICAST)) { + sc->sc_sync_if = NULL; splx(s); return (EADDRNOTAVAIL); } @@ -1076,19 +1445,30 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) addr.s_addr = INADDR_PFSYNC_GROUP; if ((imo->imo_membership[0] = - in_addmulti(&addr, sc->sc_sync_ifp)) == NULL) { - sc->sc_sync_ifp = NULL; + in_addmulti(&addr, sc->sc_sync_if)) == NULL) { + sc->sc_sync_if = NULL; splx(s); return (ENOBUFS); } imo->imo_num_memberships++; - imo->imo_multicast_ifp = sc->sc_sync_ifp; + imo->imo_multicast_ifp = sc->sc_sync_if; imo->imo_multicast_ttl = PFSYNC_DFLTTL; imo->imo_multicast_loop = 0; } - if (sc->sc_sync_ifp || - sc->sc_sendaddr.s_addr != INADDR_PFSYNC_GROUP) { + ip = &sc->sc_template; + bzero(ip, sizeof(*ip)); + ip->ip_v = IPVERSION; + ip->ip_hl = sizeof(sc->sc_template) >> 2; + ip->ip_tos = IPTOS_LOWDELAY; + /* len and id are set later */ + ip->ip_off = htons(IP_DF); + ip->ip_ttl = PFSYNC_DFLTTL; + ip->ip_p = IPPROTO_PFSYNC; + ip->ip_src.s_addr = INADDR_ANY; + ip->ip_dst.s_addr = sc->sc_sync_peer.s_addr; + + if (sc->sc_sync_if) { /* Request a full state table update. */ sc->sc_ureq_sent = time_uptime; #if NCARP > 0 
@@ -1098,13 +1478,8 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 pfsync_sync_ok = 0;
 if (pf_status.debug >= PF_DEBUG_MISC)
 printf("pfsync: requesting bulk update\n");
- timeout_add(&sc->sc_bulkfail_tmo, 5 * hz);
- error = pfsync_request_update(NULL, NULL);
- if (error == ENOMEM) {
- splx(s);
- return (ENOMEM);
- }
- pfsync_sendout(sc);
+ timeout_add_sec(&sc->sc_bulkfail_tmo, 5);
+ pfsync_request_update(0, 0);
 }
 splx(s);
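Review bot: `pfsync_request_update(0, 0)` on the new side can fail silently: its replacement in the large hunch below returns void and simply drops the request when `pool_get` fails, leaving only an `/* XXX stats */` placeholder, whereas the old code propagated ENOMEM back to the ioctl caller. The 5-second `sc_bulkfail_tmo` re-arm does retry a lost request, but the failure is invisible to an operator; counting it in that error path, e.g. `pfsyncstats.pfsyncs_onomem++;` as pfsync_sendout already does for its own allocation failures, would make the bulk-update stall diagnosable. pfsyncioctl continues outside the hunk.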
@@ -1117,695 +1492,702 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) return (0); } -void -pfsync_setmtu(struct pfsync_softc *sc, int mtu_req) +int +pfsync_out_state(struct pf_state *st, struct mbuf *m, int offset) +{ + struct pfsync_state *sp = (struct pfsync_state *)(m->m_data + offset); + + pfsync_state_export(sp, st); + + return (sizeof(*sp)); +} + +int +pfsync_out_iack(struct pf_state *st, struct mbuf *m, int offset) +{ + struct pfsync_ins_ack *iack = + (struct pfsync_ins_ack *)(m->m_data + offset); + + iack->id = st->id; + iack->creatorid = st->creatorid; + + return (sizeof(*iack)); +} + +int +pfsync_out_upd_c(struct pf_state *st, struct mbuf *m, int offset) { - int mtu; + struct pfsync_upd_c *up = (struct pfsync_upd_c *)(m->m_data + offset); + + up->id = st->id; + pf_state_peer_hton(&st->src, &up->src); + pf_state_peer_hton(&st->dst, &up->dst); + up->creatorid = st->creatorid; - if (sc->sc_sync_ifp && sc->sc_sync_ifp->if_mtu < mtu_req) - mtu = sc->sc_sync_ifp->if_mtu; + up->expire = pf_state_expires(st); + if (up->expire <= time_second) + up->expire = htonl(0); else - mtu = mtu_req; - - sc->sc_maxcount = (mtu - sizeof(struct pfsync_header)) / - sizeof(struct pfsync_state); - if (sc->sc_maxcount > 254) - sc->sc_maxcount = 254; - sc->sc_if.if_mtu = sizeof(struct pfsync_header) + - sc->sc_maxcount * sizeof(struct pfsync_state); + up->expire = htonl(up->expire - time_second); + up->timeout = st->timeout; + + bzero(up->_pad, sizeof(up->_pad)); /* XXX */ + + return (sizeof(*up)); } -struct mbuf * -pfsync_get_mbuf(struct pfsync_softc *sc, u_int8_t action, void **sp) +int +pfsync_out_del(struct pf_state *st, struct mbuf *m, int offset) { - struct pfsync_header *h; - struct mbuf *m; - int len; + struct pfsync_del_c *dp = (struct pfsync_del_c *)(m->m_data + offset); - MGETHDR(m, M_DONTWAIT, MT_DATA); - if (m == NULL) { - sc->sc_if.if_oerrors++; - return (NULL); + dp->id = st->id; + dp->creatorid = st->creatorid; + + SET(st->state_flags, PFSTATE_NOSYNC); + 
+ return (sizeof(*dp)); +} + +void +pfsync_drop(struct pfsync_softc *sc) +{ + struct pf_state *st; + struct pfsync_upd_req_item *ur; + struct tdb *t; + int q; + + for (q = 0; q < PFSYNC_S_COUNT; q++) { + if (TAILQ_EMPTY(&sc->sc_qs[q])) + continue; + + TAILQ_FOREACH(st, &sc->sc_qs[q], sync_list) { +#ifdef PFSYNC_DEBUG + KASSERT(st->sync_state == q); +#endif + st->sync_state = PFSYNC_S_NONE; + } + TAILQ_INIT(&sc->sc_qs[q]); } - switch (action) { - case PFSYNC_ACT_CLR: - len = sizeof(struct pfsync_header) + - sizeof(struct pfsync_state_clr); - break; - case PFSYNC_ACT_UPD_C: - len = (sc->sc_maxcount * sizeof(struct pfsync_state_upd)) + - sizeof(struct pfsync_header); - break; - case PFSYNC_ACT_DEL_C: - len = (sc->sc_maxcount * sizeof(struct pfsync_state_del)) + - sizeof(struct pfsync_header); - break; - case PFSYNC_ACT_UREQ: - len = (sc->sc_maxcount * sizeof(struct pfsync_state_upd_req)) + - sizeof(struct pfsync_header); - break; - case PFSYNC_ACT_BUS: - len = sizeof(struct pfsync_header) + - sizeof(struct pfsync_state_bus); - break; - case PFSYNC_ACT_TDB_UPD: - len = (sc->sc_maxcount * sizeof(struct pfsync_tdb)) + - sizeof(struct pfsync_header); - break; - default: - len = (sc->sc_maxcount * sizeof(struct pfsync_state)) + - sizeof(struct pfsync_header); - break; + while ((ur = TAILQ_FIRST(&sc->sc_upd_req_list)) != NULL) { + TAILQ_REMOVE(&sc->sc_upd_req_list, ur, ur_entry); + pool_put(&sc->sc_pool, ur); } - if (len > MHLEN) { - MCLGET(m, M_DONTWAIT); - if ((m->m_flags & M_EXT) == 0) { - m_free(m); - sc->sc_if.if_oerrors++; - return (NULL); - } - m->m_data += (MCLBYTES - len) &~ (sizeof(long) - 1); - } else - MH_ALIGN(m, len); - - m->m_pkthdr.rcvif = NULL; - m->m_pkthdr.len = m->m_len = sizeof(struct pfsync_header); - h = mtod(m, struct pfsync_header *); - h->version = PFSYNC_VERSION; - h->af = 0; - h->count = 0; - h->action = action; - if (action != PFSYNC_ACT_TDB_UPD) - bcopy(&pf_status.pf_chksum, &h->pf_chksum, - PF_MD5_DIGEST_LENGTH); - - *sp = (void *)((char *)h + 
PFSYNC_HDRLEN); - if (action == PFSYNC_ACT_TDB_UPD) - timeout_add(&sc->sc_tdb_tmo, hz); - else - timeout_add(&sc->sc_tmo, hz); - return (m); + sc->sc_plus = NULL; + + if (!TAILQ_EMPTY(&sc->sc_tdb_q)) { + TAILQ_FOREACH(t, &sc->sc_tdb_q, tdb_sync_entry) + CLR(t->tdb_flags, TDBF_PFSYNC); + + TAILQ_INIT(&sc->sc_tdb_q); + } + + sc->sc_len = PFSYNC_MINPKT; } -int -pfsync_pack_state(u_int8_t action, struct pf_state *st, int flags) +void +pfsync_sendout(void) { - struct ifnet *ifp = NULL; struct pfsync_softc *sc = pfsyncif; - struct pfsync_header *h, *h_net; - struct pfsync_state *sp = NULL; - struct pfsync_state_upd *up = NULL; - struct pfsync_state_del *dp = NULL; - int s, ret = 0; - u_int8_t i = 255, newaction = 0; +#if NBPFILTER > 0 + struct ifnet *ifp = &sc->sc_if; +#endif + struct mbuf *m; + struct ip *ip; + struct pfsync_header *ph; + struct pfsync_subheader *subh; + struct pf_state *st; + struct pfsync_upd_req_item *ur; + struct tdb *t; - if (sc == NULL) - return (0); - ifp = &sc->sc_if; + int offset; + int q, count = 0; - /* - * If a packet falls in the forest and there's nobody around to - * hear, does it make a sound? - */ - if (ifp->if_bpf == NULL && sc->sc_sync_ifp == NULL && - sc->sc_sync_peer.s_addr == INADDR_PFSYNC_GROUP) { - /* Don't leave any stale pfsync packets hanging around. 
*/ - if (sc->sc_mbuf != NULL) { - m_freem(sc->sc_mbuf); - sc->sc_mbuf = NULL; - sc->sc_statep.s = NULL; - } - return (0); + splassert(IPL_NET); + + if (sc == NULL || sc->sc_len == PFSYNC_MINPKT) + return; + +#if NBPFILTER > 0 + if (ifp->if_bpf == NULL && sc->sc_sync_if == NULL) { +#else + if (sc->sc_sync_if == NULL) { +#endif + pfsync_drop(sc); + return; } - if (action >= PFSYNC_ACT_MAX) - return (EINVAL); + MGETHDR(m, M_DONTWAIT, MT_DATA); + if (m == NULL) { + sc->sc_if.if_oerrors++; + pfsyncstats.pfsyncs_onomem++; + pfsync_drop(sc); + return; + } - s = splnet(); - if (sc->sc_mbuf == NULL) { - if ((sc->sc_mbuf = pfsync_get_mbuf(sc, action, - (void *)&sc->sc_statep.s)) == NULL) { - splx(s); - return (ENOMEM); + if (max_linkhdr + sc->sc_len > MHLEN) { + MCLGETI(m, M_DONTWAIT, NULL, max_linkhdr + sc->sc_len); + if (!ISSET(m->m_flags, M_EXT)) { + m_free(m); + sc->sc_if.if_oerrors++; + pfsyncstats.pfsyncs_onomem++; + pfsync_drop(sc); + return; } - h = mtod(sc->sc_mbuf, struct pfsync_header *); - } else { - h = mtod(sc->sc_mbuf, struct pfsync_header *); - if (h->action != action) { - pfsync_sendout(sc); - if ((sc->sc_mbuf = pfsync_get_mbuf(sc, action, - (void *)&sc->sc_statep.s)) == NULL) { - splx(s); - return (ENOMEM); - } - h = mtod(sc->sc_mbuf, struct pfsync_header *); - } else { - /* - * If it's an update, look in the packet to see if - * we already have an update for the state. 
- */ - if (action == PFSYNC_ACT_UPD && sc->sc_maxupdates) { - struct pfsync_state *usp = - (void *)((char *)h + PFSYNC_HDRLEN); - - for (i = 0; i < h->count; i++) { - if (!memcmp(usp->id, &st->id, - PFSYNC_ID_LEN) && - usp->creatorid == st->creatorid) { - sp = usp; - sp->updates++; - break; - } - usp++; - } - } + } + m->m_data += max_linkhdr; + m->m_len = m->m_pkthdr.len = sc->sc_len; + + /* build the ip header */ + ip = (struct ip *)m->m_data; + bcopy(&sc->sc_template, ip, sizeof(*ip)); + offset = sizeof(*ip); + + ip->ip_len = htons(m->m_pkthdr.len); + ip->ip_id = htons(ip_randomid()); + + /* build the pfsync header */ + ph = (struct pfsync_header *)(m->m_data + offset); + bzero(ph, sizeof(*ph)); + offset += sizeof(*ph); + + ph->version = PFSYNC_VERSION; + ph->len = htons(sc->sc_len - sizeof(*ip)); + bcopy(pf_status.pf_chksum, ph->pfcksum, PF_MD5_DIGEST_LENGTH); + + /* walk the queues */ + for (q = 0; q < PFSYNC_S_COUNT; q++) { + if (TAILQ_EMPTY(&sc->sc_qs[q])) + continue; + + subh = (struct pfsync_subheader *)(m->m_data + offset); + offset += sizeof(*subh); + + count = 0; + TAILQ_FOREACH(st, &sc->sc_qs[q], sync_list) { +#ifdef PFSYNC_DEBUG + KASSERT(st->sync_state == q); +#endif + + offset += pfsync_qs[q].write(st, m, offset); + st->sync_state = PFSYNC_S_NONE; + count++; } + TAILQ_INIT(&sc->sc_qs[q]); + + bzero(subh, sizeof(*subh)); + subh->action = pfsync_qs[q].action; + subh->count = htons(count); } - st->pfsync_time = time_uptime; + if (!TAILQ_EMPTY(&sc->sc_upd_req_list)) { + subh = (struct pfsync_subheader *)(m->m_data + offset); + offset += sizeof(*subh); - if (sp == NULL) { - /* not a "duplicate" update */ - i = 255; - sp = sc->sc_statep.s++; - sc->sc_mbuf->m_pkthdr.len = - sc->sc_mbuf->m_len += sizeof(struct pfsync_state); - h->count++; - bzero(sp, sizeof(*sp)); + count = 0; + while ((ur = TAILQ_FIRST(&sc->sc_upd_req_list)) != NULL) { + TAILQ_REMOVE(&sc->sc_upd_req_list, ur, ur_entry); - pfsync_state_export(sp, st); + bcopy(&ur->ur_msg, m->m_data + offset, 
+ sizeof(ur->ur_msg)); + offset += sizeof(ur->ur_msg); - if (flags & PFSYNC_FLAG_STALE) - sp->sync_flags |= PFSTATE_STALE; - } else { - pf_state_peer_hton(&st->src, &sp->src); - pf_state_peer_hton(&st->dst, &sp->dst); + pool_put(&sc->sc_pool, ur); - if (st->expire <= time_second) - sp->expire = htonl(0); - else - sp->expire = htonl(st->expire - time_second); + count++; + } + + bzero(subh, sizeof(*subh)); + subh->action = PFSYNC_ACT_UPD_REQ; + subh->count = htons(count); } - /* do we need to build "compressed" actions for network transfer? */ - if (sc->sc_sync_ifp && flags & PFSYNC_FLAG_COMPRESS) { - switch (action) { - case PFSYNC_ACT_UPD: - newaction = PFSYNC_ACT_UPD_C; - break; - case PFSYNC_ACT_DEL: - newaction = PFSYNC_ACT_DEL_C; - break; - default: - /* by default we just send the uncompressed states */ - break; - } + /* has someone built a custom region for us to add? */ + if (sc->sc_plus != NULL) { + bcopy(sc->sc_plus, m->m_data + offset, sc->sc_pluslen); + offset += sc->sc_pluslen; + + sc->sc_plus = NULL; } - if (newaction) { - if (sc->sc_mbuf_net == NULL) { - if ((sc->sc_mbuf_net = pfsync_get_mbuf(sc, newaction, - (void *)&sc->sc_statep_net.s)) == NULL) { - splx(s); - return (ENOMEM); - } - } - h_net = mtod(sc->sc_mbuf_net, struct pfsync_header *); - - switch (newaction) { - case PFSYNC_ACT_UPD_C: - if (i != 255) { - up = (void *)((char *)h_net + - PFSYNC_HDRLEN + (i * sizeof(*up))); - up->updates++; - } else { - h_net->count++; - sc->sc_mbuf_net->m_pkthdr.len = - sc->sc_mbuf_net->m_len += sizeof(*up); - up = sc->sc_statep_net.u++; - - bzero(up, sizeof(*up)); - bcopy(&st->id, up->id, sizeof(up->id)); - up->creatorid = st->creatorid; - } - up->timeout = st->timeout; - up->expire = sp->expire; - up->src = sp->src; - up->dst = sp->dst; - break; - case PFSYNC_ACT_DEL_C: - sc->sc_mbuf_net->m_pkthdr.len = - sc->sc_mbuf_net->m_len += sizeof(*dp); - dp = sc->sc_statep_net.d++; - h_net->count++; - - bzero(dp, sizeof(*dp)); - bcopy(&st->id, dp->id, sizeof(dp->id)); 
- dp->creatorid = st->creatorid; - break; + if (!TAILQ_EMPTY(&sc->sc_tdb_q)) { + subh = (struct pfsync_subheader *)(m->m_data + offset); + offset += sizeof(*subh); + + count = 0; + TAILQ_FOREACH(t, &sc->sc_tdb_q, tdb_sync_entry) { + offset += pfsync_out_tdb(t, m, offset); + CLR(t->tdb_flags, TDBF_PFSYNC); + + count++; } + TAILQ_INIT(&sc->sc_tdb_q); + + bzero(subh, sizeof(*subh)); + subh->action = PFSYNC_ACT_TDB; + subh->count = htons(count); } - if (h->count == sc->sc_maxcount || - (sc->sc_maxupdates && (sp->updates >= sc->sc_maxupdates))) - ret = pfsync_sendout(sc); + subh = (struct pfsync_subheader *)(m->m_data + offset); + offset += sizeof(*subh); - splx(s); - return (ret); + bzero(subh, sizeof(*subh)); + subh->action = PFSYNC_ACT_EOF; + subh->count = htons(1); + + /* XXX write checksum in EOF here */ + + /* we're done, let's put it on the wire */ +#if NBPFILTER > 0 + if (ifp->if_bpf) { + m->m_data += sizeof(*ip); + m->m_len = m->m_pkthdr.len = sc->sc_len - sizeof(*ip); + bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_OUT); + m->m_data -= sizeof(*ip); + m->m_len = m->m_pkthdr.len = sc->sc_len; + } + + if (sc->sc_sync_if == NULL) { + sc->sc_len = PFSYNC_MINPKT; + m_freem(m); + return; + } +#endif + + sc->sc_if.if_opackets++; + sc->sc_if.if_obytes += m->m_pkthdr.len; + + if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL) == 0) + pfsyncstats.pfsyncs_opackets++; + else + pfsyncstats.pfsyncs_oerrors++; + + /* start again */ + sc->sc_len = PFSYNC_MINPKT; } -/* This must be called in splnet() */ -int -pfsync_request_update(struct pfsync_state_upd *up, struct in_addr *src) +void +pfsync_insert_state(struct pf_state *st) { - struct ifnet *ifp = NULL; - struct pfsync_header *h; struct pfsync_softc *sc = pfsyncif; - struct pfsync_state_upd_req *rup; - int ret = 0; - if (sc == NULL) - return (0); + splassert(IPL_SOFTNET); - ifp = &sc->sc_if; - if (sc->sc_mbuf == NULL) { - if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_UREQ, - (void *)&sc->sc_statep.s)) == NULL) - 
return (ENOMEM); - h = mtod(sc->sc_mbuf, struct pfsync_header *); - } else { - h = mtod(sc->sc_mbuf, struct pfsync_header *); - if (h->action != PFSYNC_ACT_UREQ) { - pfsync_sendout(sc); - if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_UREQ, - (void *)&sc->sc_statep.s)) == NULL) - return (ENOMEM); - h = mtod(sc->sc_mbuf, struct pfsync_header *); - } + if (ISSET(st->rule.ptr->rule_flag, PFRULE_NOSYNC) || + st->key[PF_SK_WIRE]->proto == IPPROTO_PFSYNC) { + SET(st->state_flags, PFSTATE_NOSYNC); + return; } - if (src != NULL) - sc->sc_sendaddr = *src; - sc->sc_mbuf->m_pkthdr.len = sc->sc_mbuf->m_len += sizeof(*rup); - h->count++; - rup = sc->sc_statep.r++; - bzero(rup, sizeof(*rup)); - if (up != NULL) { - bcopy(up->id, rup->id, sizeof(rup->id)); - rup->creatorid = up->creatorid; - } + if (sc == NULL || ISSET(st->state_flags, PFSTATE_NOSYNC)) + return; + +#ifdef PFSYNC_DEBUG + KASSERT(st->sync_state == PFSYNC_S_NONE); +#endif + + if (sc->sc_len == PFSYNC_MINPKT) + timeout_add_sec(&sc->sc_tmo, 1); - if (h->count == sc->sc_maxcount) - ret = pfsync_sendout(sc); + pfsync_q_ins(st, PFSYNC_S_INS); - return (ret); + if (ISSET(st->state_flags, PFSTATE_ACK)) + schednetisr(NETISR_PFSYNC); + else + st->sync_updates = 0; } +int defer = 10; + int -pfsync_clear_states(u_int32_t creatorid, char *ifname) +pfsync_defer(struct pf_state *st, struct mbuf *m) { - struct ifnet *ifp = NULL; + return (0); +#ifdef notyet struct pfsync_softc *sc = pfsyncif; - struct pfsync_state_clr *cp; - int s, ret; + struct pfsync_deferral *pd; - if (sc == NULL) + splassert(IPL_SOFTNET); + + if (sc->sc_deferred >= 128) + pfsync_undefer(TAILQ_FIRST(&sc->sc_deferrals), 0); + + pd = pool_get(&sc->sc_pool, M_NOWAIT); + if (pd == NULL) return (0); + sc->sc_deferred++; - ifp = &sc->sc_if; - s = splnet(); - if (sc->sc_mbuf != NULL) - pfsync_sendout(sc); - if ((sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_CLR, - (void *)&sc->sc_statep.c)) == NULL) { - splx(s); - return (ENOMEM); - } - sc->sc_mbuf->m_pkthdr.len = 
sc->sc_mbuf->m_len += sizeof(*cp); - cp = sc->sc_statep.c; - cp->creatorid = creatorid; - if (ifname != NULL) - strlcpy(cp->ifname, ifname, IFNAMSIZ); + m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; + SET(st->state_flags, PFSTATE_ACK); - ret = (pfsync_sendout(sc)); - splx(s); - return (ret); + pd->pd_st = st; + pd->pd_m = m; + + TAILQ_INSERT_TAIL(&sc->sc_deferrals, pd, pd_entry); + timeout_set(&pd->pd_tmo, pfsync_defer_tmo, pd); + timeout_add(&pd->pd_tmo, defer); + + return (1); +#endif } void -pfsync_timeout(void *v) +pfsync_undefer(struct pfsync_deferral *pd, int drop) { - struct pfsync_softc *sc = v; + struct pfsync_softc *sc = pfsyncif; int s; - s = splnet(); - pfsync_sendout(sc); - splx(s); + splassert(IPL_SOFTNET); + + TAILQ_REMOVE(&sc->sc_deferrals, pd, pd_entry); + sc->sc_deferred--; + + CLR(pd->pd_st->state_flags, PFSTATE_ACK); + timeout_del(&pd->pd_tmo); /* bah */ + if (drop) + m_freem(pd->pd_m); + else { + s = splnet(); + ip_output(pd->pd_m, (void *)NULL, (void *)NULL, 0, + (void *)NULL, (void *)NULL); + splx(s); + } + + pool_put(&sc->sc_pool, pd); } void -pfsync_tdb_timeout(void *v) +pfsync_defer_tmo(void *arg) { - struct pfsync_softc *sc = v; int s; - s = splnet(); - pfsync_tdb_sendout(sc); + s = splsoftnet(); + pfsync_undefer(arg, 0); splx(s); } -/* This must be called in splnet() */ void -pfsync_send_bus(struct pfsync_softc *sc, u_int8_t status) +pfsync_deferred(struct pf_state *st, int drop) { - struct pfsync_state_bus *bus; - - if (sc->sc_mbuf != NULL) - pfsync_sendout(sc); + struct pfsync_softc *sc = pfsyncif; + struct pfsync_deferral *pd; - if (pfsync_sync_ok && - (sc->sc_mbuf = pfsync_get_mbuf(sc, PFSYNC_ACT_BUS, - (void *)&sc->sc_statep.b)) != NULL) { - sc->sc_mbuf->m_pkthdr.len = sc->sc_mbuf->m_len += sizeof(*bus); - bus = sc->sc_statep.b; - bus->creatorid = pf_status.hostid; - bus->status = status; - bus->endtime = htonl(time_uptime - sc->sc_ureq_received); - pfsync_sendout(sc); + TAILQ_FOREACH(pd, &sc->sc_deferrals, pd_entry) { + if (pd->pd_st 
== st) { + pfsync_undefer(pd, drop); + return; + } } + + panic("pfsync_send_deferred: unable to find deferred state"); } +u_int pfsync_upds = 0; + void -pfsync_bulk_update(void *v) +pfsync_update_state(struct pf_state *st) { - struct pfsync_softc *sc = v; - int s, i = 0; - struct pf_state *state; + struct pfsync_softc *sc = pfsyncif; + int sync = 0; - s = splnet(); - if (sc->sc_mbuf != NULL) - pfsync_sendout(sc); + splassert(IPL_SOFTNET); - /* - * Grab at most PFSYNC_BULKPACKETS worth of states which have not - * been sent since the latest request was made. - */ - state = sc->sc_bulk_send_next; - if (state) - do { - /* send state update if syncable and not already sent */ - if (!state->sync_flags - && state->timeout < PFTM_MAX - && state->pfsync_time <= sc->sc_ureq_received) { - pfsync_pack_state(PFSYNC_ACT_UPD, state, 0); - i++; - } + if (sc == NULL) + return; + + if (ISSET(st->state_flags, PFSTATE_ACK)) + pfsync_deferred(st, 0); + if (ISSET(st->state_flags, PFSTATE_NOSYNC)) { + if (st->sync_state != PFSYNC_S_NONE) + pfsync_q_del(st); + return; + } - /* figure next state to send */ - state = TAILQ_NEXT(state, entry_list); - - /* wrap to start of list if we hit the end */ - if (!state) - state = TAILQ_FIRST(&state_list); - } while (i < sc->sc_maxcount * PFSYNC_BULKPACKETS && - state != sc->sc_bulk_terminator); - - if (!state || state == sc->sc_bulk_terminator) { - /* we're done */ - pfsync_send_bus(sc, PFSYNC_BUS_END); - sc->sc_ureq_received = 0; - sc->sc_bulk_send_next = NULL; - sc->sc_bulk_terminator = NULL; - timeout_del(&sc->sc_bulk_tmo); - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: bulk update complete\n"); - } else { - /* look again for more in a bit */ - timeout_add(&sc->sc_bulk_tmo, 1); - sc->sc_bulk_send_next = state; + if (sc->sc_len == PFSYNC_MINPKT) + timeout_add_sec(&sc->sc_tmo, 1); + + switch (st->sync_state) { + case PFSYNC_S_UPD_C: + case PFSYNC_S_UPD: + case PFSYNC_S_INS: + /* we're already handling it */ + + st->sync_updates++; + if 
(st->sync_updates >= sc->sc_maxupdates) + sync = 1; + break; + + case PFSYNC_S_IACK: + pfsync_q_del(st); + case PFSYNC_S_NONE: + pfsync_q_ins(st, PFSYNC_S_UPD_C); + st->sync_updates = 0; + break; + + default: + panic("pfsync_update_state: unexpected sync state %d", + st->sync_state); + } + + if (sync || (time_second - st->pfsync_time) < 2) { + pfsync_upds++; + schednetisr(NETISR_PFSYNC); } - if (sc->sc_mbuf != NULL) - pfsync_sendout(sc); - splx(s); } void -pfsync_bulkfail(void *v) +pfsync_request_update(u_int32_t creatorid, u_int64_t id) { - struct pfsync_softc *sc = v; - int s, error; + struct pfsync_softc *sc = pfsyncif; + struct pfsync_upd_req_item *item; + size_t nlen = sizeof(struct pfsync_upd_req); + int s; - if (sc->sc_bulk_tries++ < PFSYNC_MAX_BULKTRIES) { - /* Try again in a bit */ - timeout_add(&sc->sc_bulkfail_tmo, 5 * hz); + /* + * this code does nothing to prevent multiple update requests for the + * same state being generated. + */ + + item = pool_get(&sc->sc_pool, PR_NOWAIT); + if (item == NULL) { + /* XXX stats */ + return; + } + + item->ur_msg.id = id; + item->ur_msg.creatorid = creatorid; + + if (TAILQ_EMPTY(&sc->sc_upd_req_list)) + nlen += sizeof(struct pfsync_subheader); + + if (sc->sc_len + nlen > sc->sc_if.if_mtu) { s = splnet(); - error = pfsync_request_update(NULL, NULL); - if (error == ENOMEM) { - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: cannot allocate mbufs for " - "bulk update\n"); - } else - pfsync_sendout(sc); + pfsync_sendout(); splx(s); - } else { - /* Pretend like the transfer was ok */ - sc->sc_ureq_sent = 0; - sc->sc_bulk_tries = 0; -#if NCARP > 0 - if (!pfsync_sync_ok) - carp_group_demote_adj(&sc->sc_if, -1); -#endif - pfsync_sync_ok = 1; - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync: failed to receive " - "bulk update status\n"); - timeout_del(&sc->sc_bulkfail_tmo); + + nlen = sizeof(struct pfsync_subheader) + + sizeof(struct pfsync_upd_req); } + + TAILQ_INSERT_TAIL(&sc->sc_upd_req_list, item, 
ur_entry); + sc->sc_len += nlen; + + schednetisr(NETISR_PFSYNC); } -/* This must be called in splnet() */ -int -pfsync_sendout(struct pfsync_softc *sc) +void +pfsync_update_state_req(struct pf_state *st) { -#if NBPFILTER > 0 - struct ifnet *ifp = &sc->sc_if; -#endif - struct mbuf *m; + struct pfsync_softc *sc = pfsyncif; - timeout_del(&sc->sc_tmo); + if (sc == NULL) + panic("pfsync_update_state_req: nonexistant instance"); - if (sc->sc_mbuf == NULL) - return (0); - m = sc->sc_mbuf; - sc->sc_mbuf = NULL; - sc->sc_statep.s = NULL; + if (ISSET(st->state_flags, PFSTATE_NOSYNC)) { + if (st->sync_state != PFSYNC_S_NONE) + pfsync_q_del(st); + return; + } -#if NBPFILTER > 0 - if (ifp->if_bpf) - bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_OUT); -#endif + switch (st->sync_state) { + case PFSYNC_S_UPD_C: + case PFSYNC_S_IACK: + pfsync_q_del(st); + case PFSYNC_S_NONE: + pfsync_q_ins(st, PFSYNC_S_UPD); + schednetisr(NETISR_PFSYNC); + return; + + case PFSYNC_S_INS: + case PFSYNC_S_UPD: + case PFSYNC_S_DEL: + /* we're already handling it */ + return; - if (sc->sc_mbuf_net) { - m_freem(m); - m = sc->sc_mbuf_net; - sc->sc_mbuf_net = NULL; - sc->sc_statep_net.s = NULL; + default: + panic("pfsync_update_state_req: unexpected sync state %d", + st->sync_state); } - - return pfsync_sendout_mbuf(sc, m); } -int -pfsync_tdb_sendout(struct pfsync_softc *sc) +void +pfsync_delete_state(struct pf_state *st) { -#if NBPFILTER > 0 - struct ifnet *ifp = &sc->sc_if; -#endif - struct mbuf *m; + struct pfsync_softc *sc = pfsyncif; - timeout_del(&sc->sc_tdb_tmo); + splassert(IPL_SOFTNET); - if (sc->sc_mbuf_tdb == NULL) - return (0); - m = sc->sc_mbuf_tdb; - sc->sc_mbuf_tdb = NULL; - sc->sc_statep_tdb.t = NULL; + if (sc == NULL) + return; + + if (ISSET(st->state_flags, PFSTATE_ACK)) + pfsync_deferred(st, 1); + if (ISSET(st->state_flags, PFSTATE_NOSYNC)) { + if (st->sync_state != PFSYNC_S_NONE) + pfsync_q_del(st); + return; + } -#if NBPFILTER > 0 - if (ifp->if_bpf) - bpf_mtap(ifp->if_bpf, m, 
BPF_DIRECTION_OUT); -#endif + if (sc->sc_len == PFSYNC_MINPKT) + timeout_add_sec(&sc->sc_tmo, 1); + + switch (st->sync_state) { + case PFSYNC_S_INS: + /* we never got to tell the world so just forget about it */ + pfsync_q_del(st); + return; - return pfsync_sendout_mbuf(sc, m); + case PFSYNC_S_UPD_C: + case PFSYNC_S_UPD: + case PFSYNC_S_IACK: + pfsync_q_del(st); + /* FALLTHROUGH to putting it on the del list */ + + case PFSYNC_S_NONE: + pfsync_q_ins(st, PFSYNC_S_DEL); + return; + + default: + panic("pfsync_delete_state: unexpected sync state %d", + st->sync_state); + } } -int -pfsync_sendout_mbuf(struct pfsync_softc *sc, struct mbuf *m) +void +pfsync_clear_states(u_int32_t creatorid, const char *ifname) { - struct sockaddr sa; - struct ip *ip; + struct { + struct pfsync_subheader subh; + struct pfsync_clr clr; + } __packed r; - if (sc->sc_sync_ifp || - sc->sc_sync_peer.s_addr != INADDR_PFSYNC_GROUP) { - M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); - if (m == NULL) { - pfsyncstats.pfsyncs_onomem++; - return (0); - } - ip = mtod(m, struct ip *); - ip->ip_v = IPVERSION; - ip->ip_hl = sizeof(*ip) >> 2; - ip->ip_tos = IPTOS_LOWDELAY; - ip->ip_len = htons(m->m_pkthdr.len); - ip->ip_id = htons(ip_randomid()); - ip->ip_off = htons(IP_DF); - ip->ip_ttl = PFSYNC_DFLTTL; - ip->ip_p = IPPROTO_PFSYNC; - ip->ip_sum = 0; + struct pfsync_softc *sc = pfsyncif; - bzero(&sa, sizeof(sa)); - ip->ip_src.s_addr = INADDR_ANY; + splassert(IPL_SOFTNET); - if (sc->sc_sendaddr.s_addr == INADDR_PFSYNC_GROUP) - m->m_flags |= M_MCAST; - ip->ip_dst = sc->sc_sendaddr; - sc->sc_sendaddr.s_addr = sc->sc_sync_peer.s_addr; + if (sc == NULL) + return; - pfsyncstats.pfsyncs_opackets++; + bzero(&r, sizeof(r)); - if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL)) - pfsyncstats.pfsyncs_oerrors++; - } else - m_freem(m); + r.subh.action = PFSYNC_ACT_CLR; + r.subh.count = htons(1); - return (0); + strlcpy(r.clr.ifname, ifname, sizeof(r.clr.ifname)); + r.clr.creatorid = creatorid; + + 
pfsync_send_plus(&r, sizeof(r)); } -#ifdef IPSEC -/* Update an in-kernel tdb. Silently fail if no tdb is found. */ void -pfsync_update_net_tdb(struct pfsync_tdb *pt) +pfsync_q_ins(struct pf_state *st, int q) { - struct tdb *tdb; - int s; + struct pfsync_softc *sc = pfsyncif; + size_t nlen = pfsync_qs[q].len; + int s; - /* check for invalid values */ - if (ntohl(pt->spi) <= SPI_RESERVED_MAX || - (pt->dst.sa.sa_family != AF_INET && - pt->dst.sa.sa_family != AF_INET6)) - goto bad; + KASSERT(st->sync_state == PFSYNC_S_NONE); - s = spltdb(); - tdb = gettdb(pt->spi, &pt->dst, pt->sproto); - if (tdb) { - pt->rpl = ntohl(pt->rpl); - pt->cur_bytes = betoh64(pt->cur_bytes); +#if 1 || defined(PFSYNC_DEBUG) + if (sc->sc_len < PFSYNC_MINPKT) + panic("pfsync pkt len is too low %d", sc->sc_len); +#endif + if (TAILQ_EMPTY(&sc->sc_qs[q])) + nlen += sizeof(struct pfsync_subheader); - /* Neither replay nor byte counter should ever decrease. */ - if (pt->rpl < tdb->tdb_rpl || - pt->cur_bytes < tdb->tdb_cur_bytes) { - splx(s); - goto bad; - } + if (sc->sc_len + nlen > sc->sc_if.if_mtu) { + s = splnet(); + pfsync_sendout(); + splx(s); - tdb->tdb_rpl = pt->rpl; - tdb->tdb_cur_bytes = pt->cur_bytes; + nlen = sizeof(struct pfsync_subheader) + pfsync_qs[q].len; } - splx(s); - return; - bad: - if (pf_status.debug >= PF_DEBUG_MISC) - printf("pfsync_insert: PFSYNC_ACT_TDB_UPD: " - "invalid value\n"); - pfsyncstats.pfsyncs_badstate++; - return; + sc->sc_len += nlen; + TAILQ_INSERT_TAIL(&sc->sc_qs[q], st, sync_list); + st->sync_state = q; } -/* One of our local tdbs have been updated, need to sync rpl with others */ -int -pfsync_update_tdb(struct tdb *tdb, int output) +void +pfsync_q_del(struct pf_state *st) { - struct ifnet *ifp = NULL; struct pfsync_softc *sc = pfsyncif; - struct pfsync_header *h; - struct pfsync_tdb *pt = NULL; - int s, i, ret; + int q = st->sync_state; + + KASSERT(st->sync_state != PFSYNC_S_NONE); + + sc->sc_len -= pfsync_qs[q].len; + TAILQ_REMOVE(&sc->sc_qs[q], st, 
sync_list); + st->sync_state = PFSYNC_S_NONE; + + if (TAILQ_EMPTY(&sc->sc_qs[q])) + sc->sc_len -= sizeof(struct pfsync_subheader); +} + +void +pfsync_update_tdb(struct tdb *t, int output) +{ + struct pfsync_softc *sc = pfsyncif; + size_t nlen = sizeof(struct pfsync_tdb); + int s; if (sc == NULL) - return (0); + return; - ifp = &sc->sc_if; - if (ifp->if_bpf == NULL && sc->sc_sync_ifp == NULL && - sc->sc_sync_peer.s_addr == INADDR_PFSYNC_GROUP) { - /* Don't leave any stale pfsync packets hanging around. */ - if (sc->sc_mbuf_tdb != NULL) { - m_freem(sc->sc_mbuf_tdb); - sc->sc_mbuf_tdb = NULL; - sc->sc_statep_tdb.t = NULL; - } - return (0); - } + if (!ISSET(t->tdb_flags, TDBF_PFSYNC)) { + if (TAILQ_EMPTY(&sc->sc_tdb_q)) + nlen += sizeof(struct pfsync_subheader); - s = splnet(); - if (sc->sc_mbuf_tdb == NULL) { - if ((sc->sc_mbuf_tdb = pfsync_get_mbuf(sc, PFSYNC_ACT_TDB_UPD, - (void *)&sc->sc_statep_tdb.t)) == NULL) { + if (sc->sc_len + nlen > sc->sc_if.if_mtu) { + s = splnet(); + pfsync_sendout(); splx(s); - return (ENOMEM); + + nlen = sizeof(struct pfsync_subheader) + + sizeof(struct pfsync_tdb); } - h = mtod(sc->sc_mbuf_tdb, struct pfsync_header *); + + sc->sc_len += nlen; + TAILQ_INSERT_TAIL(&sc->sc_tdb_q, t, tdb_sync_entry); + SET(t->tdb_flags, TDBF_PFSYNC); + t->tdb_updates = 0; } else { - h = mtod(sc->sc_mbuf_tdb, struct pfsync_header *); - if (h->action != PFSYNC_ACT_TDB_UPD) { - /* - * XXX will never happen as long as there's - * only one "TDB action". - */ - pfsync_tdb_sendout(sc); - sc->sc_mbuf_tdb = pfsync_get_mbuf(sc, - PFSYNC_ACT_TDB_UPD, (void *)&sc->sc_statep_tdb.t); - if (sc->sc_mbuf_tdb == NULL) { - splx(s); - return (ENOMEM); - } - h = mtod(sc->sc_mbuf_tdb, struct pfsync_header *); - } else if (sc->sc_maxupdates) { - /* - * If it's an update, look in the packet to see if - * we already have an update for the state. 
- */ - struct pfsync_tdb *u = - (void *)((char *)h + PFSYNC_HDRLEN); - - for (i = 0; !pt && i < h->count; i++) { - if (tdb->tdb_spi == u->spi && - tdb->tdb_sproto == u->sproto && - !bcmp(&tdb->tdb_dst, &u->dst, - SA_LEN(&u->dst.sa))) { - pt = u; - pt->updates++; - } - u++; - } - } + if (++t->tdb_updates >= sc->sc_maxupdates) + schednetisr(NETISR_PFSYNC); } - if (pt == NULL) { - /* not a "duplicate" update */ - pt = sc->sc_statep_tdb.t++; - sc->sc_mbuf_tdb->m_pkthdr.len = - sc->sc_mbuf_tdb->m_len += sizeof(struct pfsync_tdb); - h->count++; - bzero(pt, sizeof(*pt)); + if (output) + SET(t->tdb_flags, TDBF_PFSYNC_RPL); + else + CLR(t->tdb_flags, TDBF_PFSYNC_RPL); +} - pt->spi = tdb->tdb_spi; - memcpy(&pt->dst, &tdb->tdb_dst, sizeof pt->dst); - pt->sproto = tdb->tdb_sproto; - } +void +pfsync_delete_tdb(struct tdb *t) +{ + struct pfsync_softc *sc = pfsyncif; + + if (sc == NULL || !ISSET(t->tdb_flags, TDBF_PFSYNC)) + return; + + sc->sc_len -= sizeof(struct pfsync_tdb); + TAILQ_REMOVE(&sc->sc_tdb_q, t, tdb_sync_entry); + CLR(t->tdb_flags, TDBF_PFSYNC); + if (TAILQ_EMPTY(&sc->sc_tdb_q)) + sc->sc_len -= sizeof(struct pfsync_subheader); +} + +int +pfsync_out_tdb(struct tdb *t, struct mbuf *m, int offset) +{ + struct pfsync_tdb *ut = (struct pfsync_tdb *)(m->m_data + offset); + + bzero(ut, sizeof(*ut)); + ut->spi = t->tdb_spi; + bcopy(&t->tdb_dst, &ut->dst, sizeof(ut->dst)); /* * When a failover happens, the master's rpl is probably above * what we see here (we may be up to a second late), so 
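Review bot: pfsync_sendout sizes the mbuf to exactly `sc->sc_len` and then writes every queued record through `offset` without ever comparing the two, so any drift in the incremental accounting kept by pfsync_q_ins, pfsync_q_del, pfsync_request_update, pfsync_update_tdb/pfsync_delete_tdb and pfsync_send_plus (a queue emptied without its subheader being subtracted, for instance) would write past the end of the cluster instead of failing loudly. A `KASSERT(offset == sc->sc_len);` right after the EOF subheader is written, guarded like the other `PFSYNC_DEBUG` checks if cost matters, would catch that at the source; this presumes PFSYNC_MINPKT already accounts for the EOF subheader, which is not visible here. pfsync_clear_states also drops the old `if (ifname != NULL)` guard in front of `strlcpy`, so the previous contract that ifname may be NULL is gone without the prototype saying so; either restore the guard or document the non-NULL requirement at the declaration. The unmarked fallthroughs from `case PFSYNC_S_IACK:` into `case PFSYNC_S_NONE:` in pfsync_update_state and pfsync_update_state_req should carry the `/* FALLTHROUGH */` marker that pfsync_delete_state already uses. pfsyncioctl ends just inside the top of this hunk and the tail of pfsync_out_tdb continues into the next one.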
@@ -1824,17 +2206,189 @@ pfsync_update_tdb(struct tdb *tdb, int output)
  * this edge case.
  */
 #define RPL_INCR 16384
- pt->rpl = htonl(tdb->tdb_rpl + (output ? RPL_INCR : 0));
- pt->cur_bytes = htobe64(tdb->tdb_cur_bytes);
+ ut->rpl = htonl(t->tdb_rpl + (ISSET(t->tdb_flags, TDBF_PFSYNC_RPL) ?
+ RPL_INCR : 0));
+ ut->cur_bytes = htobe64(t->tdb_cur_bytes);
+ ut->sproto = t->tdb_sproto;
+
+ return (sizeof(*ut));
+}
- if (h->count == sc->sc_maxcount ||
- (sc->sc_maxupdates && (pt->updates >= sc->sc_maxupdates)))
- ret = pfsync_tdb_sendout(sc);
+void
+pfsync_bulk_start(void)
+{
+ struct pfsync_softc *sc = pfsyncif;
+
+ sc->sc_ureq_received = time_uptime;
+
+ if (sc->sc_bulk_next == NULL)
+ sc->sc_bulk_next = TAILQ_FIRST(&state_list);
+ sc->sc_bulk_last = sc->sc_bulk_next;
+
+ if (pf_status.debug >= PF_DEBUG_MISC)
+ printf("pfsync: received bulk update request\n");
+ pfsync_bulk_status(PFSYNC_BUS_START);
+ pfsync_bulk_update(sc);
+}
+
+void
+pfsync_bulk_update(void *arg)
+{
+ struct pfsync_softc *sc = arg;
+ struct pf_state *st = sc->sc_bulk_next;
+ int i = 0;
+ int s;
+
+ s = splsoftnet();
+ do {
+ if (st->sync_state == PFSYNC_S_NONE &&
+ st->timeout < PFTM_MAX &&
+ st->pfsync_time <= sc->sc_ureq_received) {
+ pfsync_update_state_req(st);
+ i++;
+ }
+
+ st = TAILQ_NEXT(st, entry_list);
+ if (st == NULL)
+ st = TAILQ_FIRST(&state_list);
+
+ if (i > 0 && TAILQ_EMPTY(&sc->sc_qs[PFSYNC_S_UPD])) {
+ sc->sc_bulk_next = st;
+ timeout_add(&sc->sc_bulk_tmo, 1);
+ goto out;
+ }
+ } while (st != sc->sc_bulk_last);
+
+ /* we're done */
+ sc->sc_bulk_next = NULL;
+ sc->sc_bulk_last = NULL;
+ pfsync_bulk_status(PFSYNC_BUS_END);
+
+out:
 splx(s);
- return (ret);
 }
+
+void
+pfsync_bulk_status(u_int8_t status)
+{
+ struct {
+ struct pfsync_subheader subh;
+ struct pfsync_bus bus;
+ } __packed r;
+
+ struct pfsync_softc *sc = pfsyncif;
+
+ bzero(&r, sizeof(r));
+
+ r.subh.action = PFSYNC_ACT_BUS;
+ r.subh.count = htons(1);
+
+ r.bus.creatorid = pf_status.hostid;
+ r.bus.endtime = htonl(time_uptime - sc->sc_ureq_received);
+ r.bus.status = status;
+
+ pfsync_send_plus(&r, sizeof(r));
+}
+
+void
+pfsync_bulk_fail(void *arg)
+{
+ struct pfsync_softc *sc = arg;
+
+ if (sc->sc_bulk_tries++ < PFSYNC_MAX_BULKTRIES) {
+ /* Try again */
+ timeout_add_sec(&sc->sc_bulkfail_tmo, 5);
+ pfsync_request_update(0, 0);
+ } else {
+ /* Pretend like the transfer was ok */
+ sc->sc_ureq_sent = 0;
+ sc->sc_bulk_tries = 0;
+#if NCARP > 0
+ if (!pfsync_sync_ok)
+ carp_group_demote_adj(&sc->sc_if, -1);
 #endif
+ pfsync_sync_ok = 1;
+ if (pf_status.debug >= PF_DEBUG_MISC)
+ printf("pfsync: failed to receive bulk update\n");
+ }
+}
+
+void
+pfsync_send_plus(void *plus, size_t pluslen)
+{
+ struct pfsync_softc *sc = pfsyncif;
+ int s;
+
+ if (sc->sc_len + pluslen > sc->sc_if.if_mtu) {
+ s = splnet();
+ pfsync_sendout();
+ splx(s);
+ }
+
+ sc->sc_plus = plus;
+ sc->sc_len += (sc->sc_pluslen = pluslen);
+
+ s = splnet();
+ pfsync_sendout();
+ splx(s);
+}
+
+int
+pfsync_up(void)
+{
+ struct pfsync_softc *sc = pfsyncif;
+
+ if (sc == NULL || !ISSET(sc->sc_if.if_flags, IFF_RUNNING))
+ return (0);
+
+ return (1);
+}
+
+int
+pfsync_state_in_use(struct pf_state *st)
+{
+ struct pfsync_softc *sc = pfsyncif;
+
+ if (sc == NULL)
+ return (0);
+
+ if (st->sync_state != PFSYNC_S_NONE)
+ return (1);
+
+ if (sc->sc_bulk_next == NULL && sc->sc_bulk_last == NULL)
+ return (0);
+
+ return (1);
+}
+
+u_int pfsync_ints;
+u_int pfsync_tmos;
+
+void
+pfsync_timeout(void *arg)
+{
+ int s;
+
+ pfsync_tmos++;
+
+ s = splnet();
+ pfsync_sendout();
+ splx(s);
+}
+
+/* this is a softnet/netisr handler */
+void
+pfsyncintr(void)
+{
+ int s;
+
+ pfsync_ints++;
+
+ s = splnet();
+ pfsync_sendout();
+ splx(s);
+}
 int
 pfsync_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
diff --git a/net/if_pfsync.h b/net/if_pfsync.h
index 1fa562c9590d..d9403e7079d1 100644
--- a/net/if_pfsync.h
+++ b/net/if_pfsync.h
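Review bot: pfsync_bulk_update dereferences `st` (`st->sync_state`) without a NULL check, yet pfsync_bulk_start seeds `sc_bulk_next` from `TAILQ_FIRST(&state_list)`, which is NULL when the state table is empty, so a bulk update request received while there are no states dereferences NULL. After `sc->sc_ureq_received = time_uptime;` add `if (TAILQ_EMPTY(&state_list)) { pfsync_bulk_status(PFSYNC_BUS_END); return; }` so an empty table answers with an immediate end-of-bulk status instead. The `sc == NULL` guard used in pfsync_update_tdb, pfsync_delete_tdb and pfsync_state_in_use is absent from pfsync_bulk_start, pfsync_bulk_status and pfsync_send_plus; if these are only reachable from the input path where `pfsyncif` is known to be set, a comment saying so would make that assumption explicit. pfsync_bulk_status also passes the address of its stack struct `r` to pfsync_send_plus, which parks it in `sc->sc_plus` and relies on the synchronous `pfsync_sendout()` consuming it before return — a comment on `sc_plus` stating that it must never outlive the caller would keep a later deferred-send change from reading a dead frame.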
@@ -26,154 +26,217 @@ * THE POSSIBILITY OF SUCH DAMAGE. */ +/* + * Copyright (c) 2008 David Gwynne <dlg@openbsd.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + #ifndef _NET_IF_PFSYNC_H_ #define _NET_IF_PFSYNC_H_ +#define PFSYNC_VERSION 5 +#define PFSYNC_DFLTTL 255 + +#define PFSYNC_ACT_CLR 0 /* clear all states */ +#define PFSYNC_ACT_INS 1 /* insert state */ +#define PFSYNC_ACT_INS_ACK 2 /* ack of insterted state */ +#define PFSYNC_ACT_UPD 3 /* update state */ +#define PFSYNC_ACT_UPD_C 4 /* "compressed" update state */ +#define PFSYNC_ACT_UPD_REQ 5 /* request "uncompressed" state */ +#define PFSYNC_ACT_DEL 6 /* delete state */ +#define PFSYNC_ACT_DEL_C 7 /* "compressed" delete state */ +#define PFSYNC_ACT_INS_F 8 /* insert fragment */ +#define PFSYNC_ACT_DEL_F 9 /* delete fragments */ +#define PFSYNC_ACT_BUS 10 /* bulk update status */ +#define PFSYNC_ACT_TDB 11 /* TDB replay counter update */ +#define PFSYNC_ACT_EOF 12 /* end of frame */ +#define PFSYNC_ACT_MAX 13 -#define PFSYNC_ID_LEN sizeof(u_int64_t) +#define PFSYNC_ACTIONS "CLR ST", \ + "INS ST", \ + "INS ST ACK", \ + "UPD ST", \ + "UPD ST COMP", \ + "UPD ST REQ", \ + "DEL ST", \ + "DEL ST COMP", \ + "INS FR", \ + "DEL FR", \ + "BULK UPD STAT", \ + "TDB UPD", \ + "EOF" -struct pfsync_tdb { - u_int32_t spi; - union 
sockaddr_union dst; - u_int32_t rpl; - u_int64_t cur_bytes; - u_int8_t sproto; - u_int8_t updates; - u_int8_t pad[2]; +#define PFSYNC_HMAC_LEN 20 + +/* + * A pfsync frame is built from a header followed by several sections which + * are all prefixed with their own subheaders. Frames must be terminated with + * an EOF subheader. + * + * | ... | + * | IP header | + * +============================+ + * | pfsync_header | + * +----------------------------+ + * | pfsync_subheader | + * +----------------------------+ + * | first action fields | + * | ... | + * +----------------------------+ + * | pfsync_subheader | + * +----------------------------+ + * | second action fields | + * | ... | + * +----------------------------+ + * | EOF pfsync_subheader | + * +----------------------------+ + * | HMAC | + * +============================+ + */ + +/* + * Frame header + */ + +struct pfsync_header { + u_int8_t version; + u_int8_t _pad; + u_int16_t len; + u_int8_t pfcksum[PF_MD5_DIGEST_LENGTH]; } __packed; -struct pfsync_state_upd { - u_int32_t id[2]; - struct pfsync_state_peer src; - struct pfsync_state_peer dst; - u_int32_t creatorid; - u_int32_t expire; - u_int8_t timeout; - u_int8_t updates; - u_int8_t pad[6]; +/* + * Frame region subheader + */ + +struct pfsync_subheader { + u_int8_t action; + u_int8_t _pad; + u_int16_t count; } __packed; -struct pfsync_state_del { - u_int32_t id[2]; - u_int32_t creatorid; - struct { - u_int8_t state; - } src; - struct { - u_int8_t state; - } dst; - u_int8_t pad[2]; +/* + * CLR + */ + +struct pfsync_clr { + char ifname[IFNAMSIZ]; + u_int32_t creatorid; } __packed; -struct pfsync_state_upd_req { - u_int32_t id[2]; - u_int32_t creatorid; - u_int32_t pad; +/* + * INS, UPD, DEL + */ + +/* these use struct pfsync_state in pfvar.h */ + +/* + * INS_ACK + */ + +struct pfsync_ins_ack { + u_int64_t id; + u_int32_t creatorid; } __packed; -struct pfsync_state_clr { - char ifname[IFNAMSIZ]; - u_int32_t creatorid; - u_int32_t pad; +/* + * UPD_C + */ + 
+struct pfsync_upd_c { + u_int64_t id; + struct pfsync_state_peer src; + struct pfsync_state_peer dst; + u_int32_t creatorid; + u_int32_t expire; + u_int8_t timeout; + u_int8_t _pad[3]; } __packed; -struct pfsync_state_bus { - u_int32_t creatorid; - u_int32_t endtime; - u_int8_t status; -#define PFSYNC_BUS_START 1 -#define PFSYNC_BUS_END 2 - u_int8_t pad[7]; +/* + * UPD_REQ + */ + +struct pfsync_upd_req { + u_int64_t id; + u_int32_t creatorid; } __packed; /* - * Names for PFSYNC sysctl objects + * DEL_C */ -#define PFSYNCCTL_STATS 1 /* PFSYNC stats */ -#define PFSYNCCTL_MAXID 2 -#define PFSYNCCTL_NAMES { \ - { 0, 0 }, \ - { "stats", CTLTYPE_STRUCT }, \ -} +struct pfsync_del_c { + u_int64_t id; + u_int32_t creatorid; +} __packed; -#ifdef _KERNEL +/* + * INS_F, DEL_F + */ -union sc_statep { - struct pfsync_state *s; - struct pfsync_state_upd *u; - struct pfsync_state_del *d; - struct pfsync_state_clr *c; - struct pfsync_state_bus *b; - struct pfsync_state_upd_req *r; -}; +/* not implemented (yet) */ -union sc_tdb_statep { - struct pfsync_tdb *t; -}; +/* + * BUS + */ -extern int pfsync_sync_ok; - -struct pfsync_softc { - struct ifnet sc_if; - struct ifnet *sc_sync_ifp; - - struct ip_moptions sc_imo; - struct timeout sc_tmo; - struct timeout sc_tdb_tmo; - struct timeout sc_bulk_tmo; - struct timeout sc_bulkfail_tmo; - struct in_addr sc_sync_peer; - struct in_addr sc_sendaddr; - struct mbuf *sc_mbuf; /* current cumulative mbuf */ - struct mbuf *sc_mbuf_net; /* current cumulative mbuf */ - struct mbuf *sc_mbuf_tdb; /* dito for TDB updates */ - union sc_statep sc_statep; - union sc_statep sc_statep_net; - union sc_tdb_statep sc_statep_tdb; - u_int32_t sc_ureq_received; - u_int32_t sc_ureq_sent; - struct pf_state *sc_bulk_send_next; - struct pf_state *sc_bulk_terminator; - int sc_bulk_tries; - int sc_maxcount; /* number of states in mtu */ - int sc_maxupdates; /* number of updates/state */ -}; +struct pfsync_bus { + u_int32_t creatorid; + u_int32_t endtime; + u_int8_t 
status; +#define PFSYNC_BUS_START 1 +#define PFSYNC_BUS_END 2 + u_int8_t _pad[3]; +} __packed; -extern struct pfsync_softc *pfsyncif; -#endif +/* + * TDB + */ +struct pfsync_tdb { + u_int32_t spi; + union sockaddr_union dst; + u_int32_t rpl; + u_int64_t cur_bytes; + u_int8_t sproto; + u_int8_t updates; + u_int8_t _pad[2]; +} __packed; -struct pfsync_header { - u_int8_t version; -#define PFSYNC_VERSION 4 - u_int8_t af; - u_int8_t action; -#define PFSYNC_ACT_CLR 0 /* clear all states */ -#define PFSYNC_ACT_INS 1 /* insert state */ -#define PFSYNC_ACT_UPD 2 /* update state */ -#define PFSYNC_ACT_DEL 3 /* delete state */ -#define PFSYNC_ACT_UPD_C 4 /* "compressed" state update */ -#define PFSYNC_ACT_DEL_C 5 /* "compressed" state delete */ -#define PFSYNC_ACT_INS_F 6 /* insert fragment */ -#define PFSYNC_ACT_DEL_F 7 /* delete fragments */ -#define PFSYNC_ACT_UREQ 8 /* request "uncompressed" state */ -#define PFSYNC_ACT_BUS 9 /* Bulk Update Status */ -#define PFSYNC_ACT_TDB_UPD 10 /* TDB replay counter update */ -#define PFSYNC_ACT_MAX 11 - u_int8_t count; - u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; +/* + * EOF + */ + +struct pfsync_eof { + u_int8_t hmac[PFSYNC_HMAC_LEN]; } __packed; -#define PFSYNC_BULKPACKETS 1 /* # of packets per timeout */ -#define PFSYNC_MAX_BULKTRIES 12 -#define PFSYNC_HDRLEN sizeof(struct pfsync_header) -#define PFSYNC_ACTIONS \ - "CLR ST", "INS ST", "UPD ST", "DEL ST", \ - "UPD ST COMP", "DEL ST COMP", "INS FR", "DEL FR", \ - "UPD REQ", "BLK UPD STAT", "TDB UPD" +#define PFSYNC_HDRLEN sizeof(struct pfsync_header) -#define PFSYNC_DFLTTL 255 + + +/* + * Names for PFSYNC sysctl objects + */ +#define PFSYNCCTL_STATS 1 /* PFSYNC stats */ +#define PFSYNCCTL_MAXID 2 + +#define PFSYNCCTL_NAMES { \ + { 0, 0 }, \ + { "stats", CTLTYPE_STRUCT }, \ +} struct pfsyncstats { u_int64_t pfsyncs_ipackets; /* total input packets, IPv4 */ 
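Review bot: The `PFSYNC_ACT_INS_ACK` comment misspells its description; it should read `/* ack of inserted state */`. `PFSYNC_HMAC_LEN 20` and `struct pfsync_eof` introduce a trailing authenticator without saying which keyed hash and key produce it or whether receivers must verify it before acting on the frame; a one-line comment next to the define pointing at the code that computes and checks the HMAC would let a reader judge what the version-5 framing actually protects. `PFSYNC_ACTIONS` has to stay in lockstep with the `PFSYNC_ACT_*` numbering (13 strings for `PFSYNC_ACT_MAX` 13), which deserves `/* keep in sync with PFSYNC_ACT_* */` above it. The retained `updates` field in `struct pfsync_tdb` looks like wire-format filler now (the sender in the preceding if_pfsync.c hunk zeroes the struct and never assigns it), and marking it as such would stop a reader assuming it carries data.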
@@ -206,39 +269,43 @@ struct pfsyncreq { }; #ifdef _KERNEL + +/* + * this shows where a pf state is with respect to the syncing. + */ +#define PFSYNC_S_INS 0x00 +#define PFSYNC_S_IACK 0x01 +#define PFSYNC_S_UPD 0x02 +#define PFSYNC_S_UPD_C 0x03 +#define PFSYNC_S_DEL 0x04 +#define PFSYNC_S_COUNT 0x05 + +#define PFSYNC_S_DEFER 0xfe +#define PFSYNC_S_NONE 0xff + void pfsync_input(struct mbuf *, ...); -int pfsync_clear_states(u_int32_t, char *); -int pfsync_pack_state(u_int8_t, struct pf_state *, int); int pfsync_sysctl(int *, u_int, void *, size_t *, void *, size_t); -void pfsync_state_export(struct pfsync_state *, - struct pf_state *); #define PFSYNC_SI_IOCTL 0x01 #define PFSYNC_SI_CKSUM 0x02 +#define PFSYNC_SI_ACK 0x04 int pfsync_state_import(struct pfsync_state *, u_int8_t); +void pfsync_state_export(struct pfsync_state *, + struct pf_state *); + +void pfsync_insert_state(struct pf_state *); +void pfsync_update_state(struct pf_state *); +void pfsync_delete_state(struct pf_state *); +void pfsync_clear_states(u_int32_t, const char *); + +void pfsync_update_tdb(struct tdb *, int); +void pfsync_delete_tdb(struct tdb *); + +int pfsync_defer(struct pf_state *, struct mbuf *); -#define pfsync_insert_state(st) do { \ - if ((st->rule.ptr->rule_flag & PFRULE_NOSYNC) || \ - (st->key[PF_SK_WIRE]->proto == IPPROTO_PFSYNC)) \ - st->sync_flags |= PFSTATE_NOSYNC; \ - else if (!st->sync_flags) \ - pfsync_pack_state(PFSYNC_ACT_INS, (st), \ - PFSYNC_FLAG_COMPRESS); \ - st->sync_flags &= ~PFSTATE_FROMSYNC; \ -} while (0) -#define pfsync_update_state(st) do { \ - if (!st->sync_flags) \ - pfsync_pack_state(PFSYNC_ACT_UPD, (st), \ - PFSYNC_FLAG_COMPRESS); \ - st->sync_flags &= ~PFSTATE_FROMSYNC; \ -} while (0) -#define pfsync_delete_state(st) do { \ - if (!st->sync_flags) \ - pfsync_pack_state(PFSYNC_ACT_DEL, (st), \ - PFSYNC_FLAG_COMPRESS); \ -} while (0) -int pfsync_update_tdb(struct tdb *, int); +int pfsync_up(void); +int pfsync_state_in_use(struct pf_state *); #endif #endif /* 
_NET_IF_PFSYNC_H_ */ @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.614 2008/08/02 12:34:37 henning Exp $ */ +/* $OpenBSD: pf.c,v 1.633 2009/02/16 00:31:25 dlg Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -38,6 +38,7 @@ #include "bpfilter.h" #include "pflog.h" #include "pfsync.h" +#include "pflow.h" #include <sys/param.h> #include <sys/systm.h> @@ -78,6 +79,7 @@ #include <dev/rndvar.h> #include <net/pfvar.h> #include <net/if_pflog.h> +#include <net/if_pflow.h> #if NPFSYNC > 0 #include <net/if_pfsync.h> @@ -127,8 +129,6 @@ struct pool pf_src_tree_pl, pf_rule_pl, pf_pooladdr_pl; struct pool pf_state_pl, pf_state_key_pl, pf_state_item_pl; struct pool pf_altq_pl; -void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t); - void pf_init_threshold(struct pf_threshold *, u_int32_t, u_int32_t); void pf_add_threshold(struct pf_threshold *); @@ -154,22 +154,7 @@ void pf_send_tcp(const struct pf_rule *, sa_family_t, u_int16_t, struct ether_header *, struct ifnet *); void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, sa_family_t, struct pf_rule *); -struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *, - int, int, struct pfi_kif *, - struct pf_addr *, u_int16_t, struct pf_addr *, - u_int16_t, int); -struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *, - int, int, struct pfi_kif *, struct pf_src_node **, - struct pf_state_key **, struct pf_state_key **, - struct pf_state_key **, struct pf_state_key **, - struct pf_addr *, struct pf_addr *, - u_int16_t, u_int16_t); void pf_detach_state(struct pf_state *); -int pf_state_key_setup(struct pf_pdesc *, struct pf_rule *, - struct pf_state_key **, struct pf_state_key **, - struct pf_state_key **, struct pf_state_key **, - struct pf_addr *, struct pf_addr *, - u_int16_t, u_int16_t); void pf_state_key_detach(struct pf_state *, int); u_int32_t pf_tcp_iss(struct pf_pdesc *); int pf_test_rule(struct pf_rule **, struct pf_state **, 
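Review bot: The `PFSYNC_S_*` block mixes two kinds of values — `PFSYNC_S_INS` through `PFSYNC_S_DEL` are indexes into the per-queue array (`sc_qs[q]` in the if_pfsync.c hunks above, bounded by `PFSYNC_S_COUNT`), whereas `PFSYNC_S_DEFER` and `PFSYNC_S_NONE` are sentinels that must never be used as an index, and the comment "this shows where a pf state is with respect to the syncing" does not say so. A line after `PFSYNC_S_COUNT` such as `/* the following are states, not queue indexes */` would make the distinction visible at the point of definition. `pfsync_clear_states` and `pfsync_update_tdb` also change from `int` to `void`, so any caller that reported their failure can no longer do so; that contract change is worth a note in the commit description for the porters this import is meant to help.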
@@ -206,20 +191,6 @@ int pf_test_state_icmp(struct pf_state **, int, void *, struct pf_pdesc *, u_short *); int pf_test_state_other(struct pf_state **, int, struct pfi_kif *, struct mbuf *, struct pf_pdesc *); -void pf_step_into_anchor(int *, struct pf_ruleset **, int, - struct pf_rule **, struct pf_rule **, int *); -int pf_step_out_of_anchor(int *, struct pf_ruleset **, - int, struct pf_rule **, struct pf_rule **, - int *); -void pf_hash(struct pf_addr *, struct pf_addr *, - struct pf_poolhashkey *, sa_family_t); -int pf_map_addr(u_int8_t, struct pf_rule *, - struct pf_addr *, struct pf_addr *, - struct pf_addr *, struct pf_src_node **); -int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *, - struct pf_addr *, struct pf_addr *, u_int16_t, - struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t, - struct pf_src_node **); void pf_route(struct mbuf **, struct pf_rule *, int, struct ifnet *, struct pf_state *, struct pf_pdesc *); @@ -242,6 +213,8 @@ void pf_print_state_parts(struct pf_state *, struct pf_state_key *, struct pf_state_key *); int pf_addr_wrap_neq(struct pf_addr_wrap *, struct pf_addr_wrap *); +int pf_compare_state_keys(struct pf_state_key *, + struct pf_state_key *, struct pfi_kif *, u_int); struct pf_state *pf_find_state(struct pfi_kif *, struct pf_state_key_cmp *, u_int, struct mbuf *); int pf_src_connlimit(struct pf_state **); @@ -661,6 +634,7 @@ pf_state_key_attach(struct pf_state_key *sk, struct pf_state *s, int idx) { struct pf_state_item *si; struct pf_state_key *cur; + struct pf_state *olds = NULL; KASSERT(s->key[idx] == NULL); /* XXX handle this? */ 
@@ -669,19 +643,36 @@ pf_state_key_attach(struct pf_state_key *sk, struct pf_state *s, int idx)
 TAILQ_FOREACH(si, &cur->states, entry)
 if (si->s->kif == s->kif &&
 si->s->direction == s->direction) {
- if (pf_status.debug >= PF_DEBUG_MISC) {
- printf(
- "pf: %s key attach failed on %s: ",
- (idx == PF_SK_WIRE) ?
- "wire" : "stack",
- s->kif->pfik_name);
- pf_print_state_parts(s,
- (idx == PF_SK_WIRE) ? sk : NULL,
- (idx == PF_SK_STACK) ? sk : NULL);
- printf("\n");
+ if (sk->proto == IPPROTO_TCP &&
+ si->s->src.state >= TCPS_FIN_WAIT_2 &&
+ si->s->dst.state >= TCPS_FIN_WAIT_2) {
+ si->s->src.state = si->s->dst.state =
+ TCPS_CLOSED;
+ /* unlink late or sks can go away */
+ olds = si->s;
+ } else {
+ if (pf_status.debug >= PF_DEBUG_MISC) {
+ printf("pf: %s key attach "
+ "failed on %s: ",
+ (idx == PF_SK_WIRE) ?
+ "wire" : "stack",
+ s->kif->pfik_name);
+ pf_print_state_parts(s,
+ (idx == PF_SK_WIRE) ?
+ sk : NULL,
+ (idx == PF_SK_STACK) ?
+ sk : NULL);
+ printf(", existing: ");
+ pf_print_state_parts(si->s,
+ (idx == PF_SK_WIRE) ?
+ sk : NULL,
+ (idx == PF_SK_STACK) ?
+ sk : NULL);
+ printf("\n");
+ }
+ pool_put(&pf_state_key_pl, sk);
+ return (-1); /* collision! */
 }
- pool_put(&pf_state_key_pl, sk);
- return (-1); /* collision! */
 }
 pool_put(&pf_state_key_pl, sk);
 s->key[idx] = cur;
@@ -699,6 +690,10 @@ pf_state_key_attach(struct pf_state_key *sk, struct pf_state *s, int idx)
 TAILQ_INSERT_TAIL(&s->key[idx]->states, si, entry);
 else
 TAILQ_INSERT_HEAD(&s->key[idx]->states, si, entry);
+
+ if (olds)
+ pf_unlink_state(olds);
+
 return (0);
 }
@@ -800,6 +795,8 @@ int
 pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw,
 struct pf_state_key *sks, struct pf_state *s)
 {
+ splassert(IPL_SOFTNET);
+
 s->kif = kif;
 if (skw == sks) {
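Review bot: The new TCP branch records the colliding half-closed state in `olds` but lets `TAILQ_FOREACH` keep scanning, so a second match on the same kif and direction would either overwrite `olds` (leaving the first entry forced to `TCPS_CLOSED` but never unlinked) or return -1 after the first entry has already been mutated; a `break;` right after `olds = si->s;` would make the single-match assumption explicit and avoid mutating a state on a path that then fails. The condition `sk->proto == IPPROTO_TCP` with both peers at `TCPS_FIN_WAIT_2` or later presumably means both sides have sent their FIN and the old entry is only waiting to expire, but nothing says so; a comment on the `if` would help, as would expanding `/* unlink late or sks can go away */` to state that `pf_unlink_state(olds)` in the second hunk is deferred because `olds` still references the keys `cur` is about to be attached to. The collision diagnostic prints `sk` for the existing state too; this is correct only because `sk` and `cur` compared equal in the tree, and passing `cur` would read more obviously. pf_state_key_attach starts and ends outside these hunks.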
@@ -826,8 +823,6 @@ pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw,
 printf("pf: state insert failed: "
 "id: %016llx creatorid: %08x",
 betoh64(s->id), ntohl(s->creatorid));
- if (s->sync_flags & PFSTATE_FROMSYNC)
- printf(" (from sync)");
 printf("\n");
 }
 pf_detach_state(s);
@@ -837,7 +832,7 @@ pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw,
 pf_status.fcounters[FCNT_STATE_INSERT]++;
 pf_status.states++;
 pfi_kif_ref(kif, PFI_KIF_REF_STATE);
-#if NPFSYNC
+#if NPFSYNC > 0
 pfsync_insert_state(s);
 #endif
 return (0);
@@ -851,6 +846,37 @@ pf_find_state_byid(struct pf_state_cmp *key)
 return (RB_FIND(pf_state_tree_id, &tree_id, (struct pf_state *)key));
 }
+/* XXX debug function, intended to be removed one day */
+int
+pf_compare_state_keys(struct pf_state_key *a, struct pf_state_key *b,
+ struct pfi_kif *kif, u_int dir)
+{
+ /* a (from hdr) and b (new) must be exact opposites of each other */
+ if (a->af == b->af && a->proto == b->proto &&
+ PF_AEQ(&a->addr[0], &b->addr[1], a->af) &&
+ PF_AEQ(&a->addr[1], &b->addr[0], a->af) &&
+ a->port[0] == b->port[1] &&
+ a->port[1] == b->port[0])
+ return (0);
+ else {
+ /* mismatch. must not happen. */
+ printf("pf: state key linking mismatch! dir=%s, "
+ "if=%s, stored af=%u, a0: ",
+ dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af);
+ pf_print_host(&a->addr[0], a->port[0], a->af);
+ printf(", a1: ");
+ pf_print_host(&a->addr[1], a->port[1], a->af);
+ printf(", proto=%u", a->proto);
+ printf(", found af=%u, a0: ", b->af);
+ pf_print_host(&b->addr[0], b->port[0], b->af);
+ printf(", a1: ");
+ pf_print_host(&b->addr[1], b->port[1], b->af);
+ printf(", proto=%u", b->proto);
+ printf(".\n");
+ return (-1);
+ }
+}
+
 struct pf_state *
 pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir,
 struct mbuf *m)
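Review bot: pf_compare_state_keys prints its mismatch report unconditionally, unlike the other diagnostics in this file, which are gated on `pf_status.debug >= PF_DEBUG_MISC` (see the collision message in pf_state_key_attach above); since the following hunk calls it from pf_find_state on every outbound lookup that carries a statekey, a mismatch that recurs per packet would flood the console from the forwarding path. Wrap the printf block in `if (pf_status.debug >= PF_DEBUG_MISC) {` and leave `return (-1);` outside the guard, or rate-limit the print. The `else` after `return (0)` is redundant and the mismatch branch could follow directly. The `/* XXX debug function */` header should also record that the caller tolerates a mismatch by skipping the reverse-link step, so that removing the function "one day" does not silently change that.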
@@ -867,7 +893,9 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir,
 if ((sk = RB_FIND(pf_state_tree, &pf_statetbl,
 (struct pf_state_key *)key)) == NULL)
 return (NULL);
- if (dir == PF_OUT && m->m_pkthdr.pf.statekey) {
+ if (dir == PF_OUT && m->m_pkthdr.pf.statekey &&
+ pf_compare_state_keys(m->m_pkthdr.pf.statekey, sk,
+ kif, dir) == 0) {
 ((struct pf_state_key *)
 m->m_pkthdr.pf.statekey)->reverse = sk;
 sk->reverse = m->m_pkthdr.pf.statekey;
@@ -1044,6 +1072,8 @@ pf_src_tree_remove_state(struct pf_state *s)
 void
 pf_unlink_state(struct pf_state *cur)
 {
+ splassert(IPL_SOFTNET);
+
 if (cur->src.state == PF_TCPS_PROXY_DST) {
 /* XXX wire key the right one? */
 pf_send_tcp(cur->rule.ptr, cur->key[PF_SK_WIRE]->af,
@@ -1055,9 +1085,12 @@ pf_unlink_state(struct pf_state *cur)
 TH_RST|TH_ACK, 0, 0, 0, 1, cur->tag, NULL, NULL);
 }
 RB_REMOVE(pf_state_tree_id, &tree_id, cur);
-#if NPFSYNC
- if (cur->creatorid == pf_status.hostid)
- pfsync_delete_state(cur);
+#if NPFLOW > 0
+ if (cur->state_flags & PFSTATE_PFLOW)
+ export_pflow(cur);
+#endif
+#if NPFSYNC > 0
+ pfsync_delete_state(cur);
 #endif
 cur->timeout = PFTM_UNLINKED;
 pf_src_tree_remove_state(cur);
@@ -1069,10 +1102,10 @@ pf_unlink_state(struct pf_state *cur)
 void
 pf_free_state(struct pf_state *cur)
 {
-#if NPFSYNC
- if (pfsyncif != NULL &&
- (pfsyncif->sc_bulk_send_next == cur ||
- pfsyncif->sc_bulk_terminator == cur))
+ splassert(IPL_SOFTNET);
+
+#if NPFSYNC > 0
+ if (pfsync_state_in_use(cur))
 return;
 #endif
 KASSERT(cur->timeout == PFTM_UNLINKED);
@@ -1142,7 +1175,7 @@ pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw)
 {
 if (aw->type != PF_ADDR_TABLE)
 return (0);
- if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname)) == NULL)
+ if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname, 1)) == NULL)
 return (1);
 return (0);
 }
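Review bot: pf_free_state now returns without freeing whenever `pfsync_state_in_use(cur)` is true, and per its definition in the if_pfsync.c hunk above that function reports every state as in use while a bulk update is running (`sc_bulk_next`/`sc_bulk_last` non-NULL) or while the state sits on any sync queue — a much broader condition than the two pointer comparisons it replaces. Freeing is only deferred rather than lost as long as the purge revisits unlinked states, which is not visible here, so the call site deserves a comment such as `/* still referenced by pfsync (queued, or bulk update in progress); the purge will retry */`. In pf_unlink_state the `cur->creatorid == pf_status.hostid` guard in front of pfsync_delete_state is dropped, so states learned from the peer now also enter the delete path; whether pfsync_delete_state filters those itself cannot be seen in this hunk and should be confirmed. The `splassert(IPL_SOFTNET)` additions match the one in pf_state_insert and document the locking assumption nicely.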
@@ -1189,34 +1222,33 @@ pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af)
 #ifdef INET6
 case AF_INET6: {
 u_int16_t b;
- u_int8_t i, curstart = 255, curend = 0,
- maxstart = 0, maxend = 0;
+ u_int8_t i, curstart, curend, maxstart, maxend;
+ curstart = curend = maxstart = maxend = 255;
 for (i = 0; i < 8; i++) {
 if (!addr->addr16[i]) {
 if (curstart == 255)
 curstart = i;
- else
- curend = i;
+ curend = i;
 } else {
- if (curstart) {
- if ((curend - curstart) >
- (maxend - maxstart)) {
- maxstart = curstart;
- maxend = curend;
- curstart = 255;
- }
+ if ((curend - curstart) >
+ (maxend - maxstart)) {
+ maxstart = curstart;
+ maxend = curend;
 }
+ curstart = curend = 255;
 }
 }
+ if ((curend - curstart) >
+ (maxend - maxstart)) {
+ maxstart = curstart;
+ maxend = curend;
+ }
 for (i = 0; i < 8; i++) {
 if (i >= maxstart && i <= maxend) {
- if (maxend != 7) {
- if (i == maxstart)
- printf(":");
- } else {
- if (i == maxend)
- printf(":");
- }
+ if (i == 0)
+ printf(":");
+ if (i == maxend)
+ printf(":");
 } else {
 b = ntohs(addr->addr16[i]);
 printf("%x", b);
@@ -1254,6 +1286,12 @@ pf_print_state_parts(struct pf_state *s,
 dir = s ? s->direction : 0;
 switch (proto) {
+ case IPPROTO_IPV4:
+ printf("IPv4");
+ break;
+ case IPPROTO_IPV6:
+ printf("IPv6");
+ break;
 case IPPROTO_TCP:
 printf("TCP");
 break;
@@ -1264,7 +1302,7 @@ pf_print_state_parts(struct pf_state *s,
 printf("ICMP");
 break;
 case IPPROTO_ICMPV6:
- printf("ICMPV6");
+ printf("ICMPv6");
 break;
 default:
 printf("%u", skw->proto);
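Review bot: The rewritten IPv6 zero-run compression in pf_print_host initialises all four markers to 255 and relies on `(curend - curstart)` being 0 for a single zero group, so a run of one is never compressed and, because the comparison is `>`, the first of two equal-length runs wins; none of that is stated and the old code behaved differently. A comment before the first loop such as `/* longest run of zero groups wins, first on ties; a lone zero group is printed as 0 */` would save the next reader from re-deriving it. The `u_int8_t` subtractions only work because both operands promote to int before the comparison, which a short note on the declaration line could mention. pf_print_host starts and ends outside this hunk.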
@@ -2139,579 +2177,6 @@ pf_addr_inc(struct pf_addr *addr, sa_family_t af) } #endif /* INET6 */ -#define mix(a,b,c) \ - do { \ - a -= b; a -= c; a ^= (c >> 13); \ - b -= c; b -= a; b ^= (a << 8); \ - c -= a; c -= b; c ^= (b >> 13); \ - a -= b; a -= c; a ^= (c >> 12); \ - b -= c; b -= a; b ^= (a << 16); \ - c -= a; c -= b; c ^= (b >> 5); \ - a -= b; a -= c; a ^= (c >> 3); \ - b -= c; b -= a; b ^= (a << 10); \ - c -= a; c -= b; c ^= (b >> 15); \ - } while (0) - -/* - * hash function based on bridge_hash in if_bridge.c - */ -void -pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, - struct pf_poolhashkey *key, sa_family_t af) -{ - u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; - - switch (af) { -#ifdef INET - case AF_INET: - a += inaddr->addr32[0]; - b += key->key32[1]; - mix(a, b, c); - hash->addr32[0] = c + key->key32[2]; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - a += inaddr->addr32[0]; - b += inaddr->addr32[2]; - mix(a, b, c); - hash->addr32[0] = c; - a += inaddr->addr32[1]; - b += inaddr->addr32[3]; - c += key->key32[1]; - mix(a, b, c); - hash->addr32[1] = c; - a += inaddr->addr32[2]; - b += inaddr->addr32[1]; - c += key->key32[2]; - mix(a, b, c); - hash->addr32[2] = c; - a += inaddr->addr32[3]; - b += inaddr->addr32[0]; - c += key->key32[3]; - mix(a, b, c); - hash->addr32[3] = c; - break; -#endif /* INET6 */ - } -} - -int -pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr, - struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn) -{ - unsigned char hash[16]; - struct pf_pool *rpool = &r->rpool; - struct pf_addr *raddr = &rpool->cur->addr.v.a.addr; - struct pf_addr *rmask = &rpool->cur->addr.v.a.mask; - struct pf_pooladdr *acur = rpool->cur; - struct pf_src_node k; - - if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR && - (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { - k.af = af; - PF_ACPY(&k.addr, saddr, af); - if (r->rule_flag & PFRULE_RULESRCTRACK || - r->rpool.opts & 
PF_POOL_STICKYADDR) - k.rule.ptr = r; - else - k.rule.ptr = NULL; - pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; - *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); - if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) { - PF_ACPY(naddr, &(*sn)->raddr, af); - if (pf_status.debug >= PF_DEBUG_MISC) { - printf("pf_map_addr: src tracking maps "); - pf_print_host(&k.addr, 0, af); - printf(" to "); - pf_print_host(naddr, 0, af); - printf("\n"); - } - return (0); - } - } - - if (rpool->cur->addr.type == PF_ADDR_NOROUTE) - return (1); - if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { - switch (af) { -#ifdef INET - case AF_INET: - if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 && - (rpool->opts & PF_POOL_TYPEMASK) != - PF_POOL_ROUNDROBIN) - return (1); - raddr = &rpool->cur->addr.p.dyn->pfid_addr4; - rmask = &rpool->cur->addr.p.dyn->pfid_mask4; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 && - (rpool->opts & PF_POOL_TYPEMASK) != - PF_POOL_ROUNDROBIN) - return (1); - raddr = &rpool->cur->addr.p.dyn->pfid_addr6; - rmask = &rpool->cur->addr.p.dyn->pfid_mask6; - break; -#endif /* INET6 */ - } - } else if (rpool->cur->addr.type == PF_ADDR_TABLE) { - if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) - return (1); /* unsupported */ - } else { - raddr = &rpool->cur->addr.v.a.addr; - rmask = &rpool->cur->addr.v.a.mask; - } - - switch (rpool->opts & PF_POOL_TYPEMASK) { - case PF_POOL_NONE: - PF_ACPY(naddr, raddr, af); - break; - case PF_POOL_BITMASK: - PF_POOLMASK(naddr, raddr, rmask, saddr, af); - break; - case PF_POOL_RANDOM: - if (init_addr != NULL && PF_AZERO(init_addr, af)) { - switch (af) { -#ifdef INET - case AF_INET: - rpool->counter.addr32[0] = htonl(arc4random()); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (rmask->addr32[3] != 0xffffffff) - rpool->counter.addr32[3] = - htonl(arc4random()); - else - break; - if (rmask->addr32[2] != 0xffffffff) - rpool->counter.addr32[2] = - 
htonl(arc4random()); - else - break; - if (rmask->addr32[1] != 0xffffffff) - rpool->counter.addr32[1] = - htonl(arc4random()); - else - break; - if (rmask->addr32[0] != 0xffffffff) - rpool->counter.addr32[0] = - htonl(arc4random()); - break; -#endif /* INET6 */ - } - PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); - PF_ACPY(init_addr, naddr, af); - - } else { - PF_AINC(&rpool->counter, af); - PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); - } - break; - case PF_POOL_SRCHASH: - pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af); - PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af); - break; - case PF_POOL_ROUNDROBIN: - if (rpool->cur->addr.type == PF_ADDR_TABLE) { - if (!pfr_pool_get(rpool->cur->addr.p.tbl, - &rpool->tblidx, &rpool->counter, - &raddr, &rmask, af)) - goto get_addr; - } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { - if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, - &rpool->tblidx, &rpool->counter, - &raddr, &rmask, af)) - goto get_addr; - } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af)) - goto get_addr; - - try_next: - if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL) - rpool->cur = TAILQ_FIRST(&rpool->list); - if (rpool->cur->addr.type == PF_ADDR_TABLE) { - rpool->tblidx = -1; - if (pfr_pool_get(rpool->cur->addr.p.tbl, - &rpool->tblidx, &rpool->counter, - &raddr, &rmask, af)) { - /* table contains no address of type 'af' */ - if (rpool->cur != acur) - goto try_next; - return (1); - } - } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { - rpool->tblidx = -1; - if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, - &rpool->tblidx, &rpool->counter, - &raddr, &rmask, af)) { - /* table contains no address of type 'af' */ - if (rpool->cur != acur) - goto try_next; - return (1); - } - } else { - raddr = &rpool->cur->addr.v.a.addr; - rmask = &rpool->cur->addr.v.a.mask; - PF_ACPY(&rpool->counter, raddr, af); - } - - get_addr: - PF_ACPY(naddr, &rpool->counter, af); - if (init_addr != NULL && 
PF_AZERO(init_addr, af)) - PF_ACPY(init_addr, naddr, af); - PF_AINC(&rpool->counter, af); - break; - } - if (*sn != NULL) - PF_ACPY(&(*sn)->raddr, naddr, af); - - if (pf_status.debug >= PF_DEBUG_MISC && - (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { - printf("pf_map_addr: selected address "); - pf_print_host(naddr, 0, af); - printf("\n"); - } - - return (0); -} - -int -pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, - struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport, - struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high, - struct pf_src_node **sn) -{ - struct pf_state_key_cmp key; - struct pf_addr init_addr; - u_int16_t cut; - - bzero(&init_addr, sizeof(init_addr)); - if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) - return (1); - - if (proto == IPPROTO_ICMP) { - low = 1; - high = 65535; - } - - do { - key.af = af; - key.proto = proto; - PF_ACPY(&key.addr[1], daddr, key.af); - PF_ACPY(&key.addr[0], naddr, key.af); - key.port[1] = dport; - - /* - * port search; start random, step; - * similar 2 portloop in in_pcbbind - */ - if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP || - proto == IPPROTO_ICMP)) { - key.port[0] = dport; - if (pf_find_state_all(&key, PF_IN, NULL) == NULL) - return (0); - } else if (low == 0 && high == 0) { - key.port[0] = *nport; - if (pf_find_state_all(&key, PF_IN, NULL) == NULL) - return (0); - } else if (low == high) { - key.port[0] = htons(low); - if (pf_find_state_all(&key, PF_IN, NULL) == NULL) { - *nport = htons(low); - return (0); - } - } else { - u_int16_t tmp; - - if (low > high) { - tmp = low; - low = high; - high = tmp; - } - /* low < high */ - cut = arc4random_uniform(1 + high - low) + low; - /* low <= cut <= high */ - for (tmp = cut; tmp <= high; ++(tmp)) { - key.port[0] = htons(tmp); - if (pf_find_state_all(&key, PF_IN, NULL) == - NULL && !in_baddynamic(tmp, proto)) { - *nport = htons(tmp); - return (0); - } - } - for (tmp = cut - 1; tmp >= low; --(tmp)) { - 
key.port[0] = htons(tmp); - if (pf_find_state_all(&key, PF_IN, NULL) == - NULL && !in_baddynamic(tmp, proto)) { - *nport = htons(tmp); - return (0); - } - } - } - - switch (r->rpool.opts & PF_POOL_TYPEMASK) { - case PF_POOL_RANDOM: - case PF_POOL_ROUNDROBIN: - if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) - return (1); - break; - case PF_POOL_NONE: - case PF_POOL_SRCHASH: - case PF_POOL_BITMASK: - default: - return (1); - } - } while (! PF_AEQ(&init_addr, naddr, af) ); - return (1); /* none available */ -} - -struct pf_rule * -pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, - int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport, - struct pf_addr *daddr, u_int16_t dport, int rs_num) -{ - struct pf_rule *r, *rm = NULL; - struct pf_ruleset *ruleset = NULL; - int tag = -1; - int rtableid = -1; - int asd = 0; - - r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); - while (r && rm == NULL) { - struct pf_rule_addr *src = NULL, *dst = NULL; - struct pf_addr_wrap *xdst = NULL; - - if (r->action == PF_BINAT && direction == PF_IN) { - src = &r->dst; - if (r->rpool.cur != NULL) - xdst = &r->rpool.cur->addr; - } else { - src = &r->src; - dst = &r->dst; - } - - r->evaluations++; - if (pfi_kif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; - else if (r->direction && r->direction != direction) - r = r->skip[PF_SKIP_DIR].ptr; - else if (r->af && r->af != pd->af) - r = r->skip[PF_SKIP_AF].ptr; - else if (r->proto && r->proto != pd->proto) - r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, - src->neg, kif)) - r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : - PF_SKIP_DST_ADDR].ptr; - else if (src->port_op && !pf_match_port(src->port_op, - src->port[0], src->port[1], sport)) - r = r->skip[src == &r->src ? 
PF_SKIP_SRC_PORT : - PF_SKIP_DST_PORT].ptr; - else if (dst != NULL && - PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL)) - r = r->skip[PF_SKIP_DST_ADDR].ptr; - else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, - 0, NULL)) - r = TAILQ_NEXT(r, entries); - else if (dst != NULL && dst->port_op && - !pf_match_port(dst->port_op, dst->port[0], - dst->port[1], dport)) - r = r->skip[PF_SKIP_DST_PORT].ptr; - else if (r->match_tag && !pf_match_tag(m, r, &tag)) - r = TAILQ_NEXT(r, entries); - else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != - IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, - off, pd->hdr.tcp), r->os_fingerprint))) - r = TAILQ_NEXT(r, entries); - else { - if (r->tag) - tag = r->tag; - if (r->rtableid >= 0) - rtableid = r->rtableid; - if (r->anchor == NULL) { - rm = r; - } else - pf_step_into_anchor(&asd, &ruleset, rs_num, - &r, NULL, NULL); - } - if (r == NULL) - pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r, - NULL, NULL); - } - if (pf_tag_packet(m, tag, rtableid)) - return (NULL); - if (rm != NULL && (rm->action == PF_NONAT || - rm->action == PF_NORDR || rm->action == PF_NOBINAT)) - return (NULL); - return (rm); -} - -struct pf_rule * -pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, - struct pfi_kif *kif, struct pf_src_node **sn, - struct pf_state_key **skw, struct pf_state_key **sks, - struct pf_state_key **skp, struct pf_state_key **nkp, - struct pf_addr *saddr, struct pf_addr *daddr, - u_int16_t sport, u_int16_t dport) -{ - struct pf_rule *r = NULL; - - - if (direction == PF_OUT) { - r = pf_match_translation(pd, m, off, direction, kif, saddr, - sport, daddr, dport, PF_RULESET_BINAT); - if (r == NULL) - r = pf_match_translation(pd, m, off, direction, kif, - saddr, sport, daddr, dport, PF_RULESET_NAT); - } else { - r = pf_match_translation(pd, m, off, direction, kif, saddr, - sport, daddr, dport, PF_RULESET_RDR); - if (r == NULL) - r = pf_match_translation(pd, m, off, direction, kif, - 
saddr, sport, daddr, dport, PF_RULESET_BINAT); - } - - if (r != NULL) { - struct pf_addr *naddr; - u_int16_t *nport; - - if (pf_state_key_setup(pd, r, skw, sks, skp, nkp, - saddr, daddr, sport, dport)) - return r; - - /* XXX We only modify one side for now. */ - naddr = &(*nkp)->addr[1]; - nport = &(*nkp)->port[1]; - - switch (r->action) { - case PF_NONAT: - case PF_NOBINAT: - case PF_NORDR: - return (NULL); - case PF_NAT: - if (pf_get_sport(pd->af, pd->proto, r, saddr, - daddr, dport, naddr, nport, r->rpool.proxy_port[0], - r->rpool.proxy_port[1], sn)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: NAT proxy port allocation " - "(%u-%u) failed\n", - r->rpool.proxy_port[0], - r->rpool.proxy_port[1])); - return (NULL); - } - break; - case PF_BINAT: - switch (direction) { - case PF_OUT: - if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ - switch (pd->af) { -#ifdef INET - case AF_INET: - if (r->rpool.cur->addr.p.dyn-> - pfid_acnt4 < 1) - return (NULL); - PF_POOLMASK(naddr, - &r->rpool.cur->addr.p.dyn-> - pfid_addr4, - &r->rpool.cur->addr.p.dyn-> - pfid_mask4, - saddr, AF_INET); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (r->rpool.cur->addr.p.dyn-> - pfid_acnt6 < 1) - return (NULL); - PF_POOLMASK(naddr, - &r->rpool.cur->addr.p.dyn-> - pfid_addr6, - &r->rpool.cur->addr.p.dyn-> - pfid_mask6, - saddr, AF_INET6); - break; -#endif /* INET6 */ - } - } else - PF_POOLMASK(naddr, - &r->rpool.cur->addr.v.a.addr, - &r->rpool.cur->addr.v.a.mask, - saddr, pd->af); - break; - case PF_IN: - if (r->src.addr.type == PF_ADDR_DYNIFTL) { - switch (pd->af) { -#ifdef INET - case AF_INET: - if (r->src.addr.p.dyn-> - pfid_acnt4 < 1) - return (NULL); - PF_POOLMASK(naddr, - &r->src.addr.p.dyn-> - pfid_addr4, - &r->src.addr.p.dyn-> - pfid_mask4, - daddr, AF_INET); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (r->src.addr.p.dyn-> - pfid_acnt6 < 1) - return (NULL); - PF_POOLMASK(naddr, - &r->src.addr.p.dyn-> - pfid_addr6, - &r->src.addr.p.dyn-> - pfid_mask6, - daddr, 
AF_INET6); - break; -#endif /* INET6 */ - } - } else - PF_POOLMASK(naddr, - &r->src.addr.v.a.addr, - &r->src.addr.v.a.mask, daddr, - pd->af); - break; - } - break; - case PF_RDR: { - if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn)) - return (NULL); - if ((r->rpool.opts & PF_POOL_TYPEMASK) == - PF_POOL_BITMASK) - PF_POOLMASK(naddr, naddr, - &r->rpool.cur->addr.v.a.mask, daddr, - pd->af); - - if (r->rpool.proxy_port[1]) { - u_int32_t tmp_nport; - - tmp_nport = ((ntohs(dport) - - ntohs(r->dst.port[0])) % - (r->rpool.proxy_port[1] - - r->rpool.proxy_port[0] + 1)) + - r->rpool.proxy_port[0]; - - /* wrap around if necessary */ - if (tmp_nport > 65535) - tmp_nport -= 65535; - *nport = htons((u_int16_t)tmp_nport); - } else if (r->rpool.proxy_port[0]) - *nport = htons(r->rpool.proxy_port[0]); - break; - } - default: - return (NULL); - } - } - - return (r); -} - int pf_socket_lookup(int direction, struct pf_pdesc *pd) { @@ -2923,6 +2388,7 @@ void pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr) { struct pf_rule *r = s->rule.ptr; + struct pf_src_node *sn = NULL; s->rt_kif = NULL; if (!r->rt || r->rt == PF_FASTROUTE) @@ -2930,15 +2396,13 @@ pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr) switch (s->key[PF_SK_WIRE]->af) { #ifdef INET case AF_INET: - pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, - &s->nat_src_node); + pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, &sn); s->rt_kif = r->rpool.cur->kif; break; #endif /* INET */ #ifdef INET6 case AF_INET6: - pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, - &s->nat_src_node); + pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, &sn); s->rt_kif = r->rpool.cur->kif; break; #endif /* INET6 */ @@ -2996,7 +2460,6 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, int match = 0; int state_icmp = 0; u_int16_t sport, dport; - u_int16_t nport = 0, bport = 0; u_int16_t bproto_sum = 0, bip_sum; u_int8_t icmptype = 0, icmpcode = 0; 
@@ -3057,7 +2520,6 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); - bport = nport = sport; /* check packet for BINAT/NAT/RDR */ if ((nr = pf_get_translation(pd, m, off, direction, kif, &nsn, &skw, &sks, &sk, &nk, saddr, daddr, sport, dport)) != NULL) { @@ -3357,12 +2819,31 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, bip_sum, hdrlen); if (action != PF_PASS) return (action); + } else { + if (sk != NULL) + pool_put(&pf_state_key_pl, sk); + if (nk != NULL) + pool_put(&pf_state_key_pl, nk); } /* copy back packet headers if we performed NAT operations */ if (rewrite) m_copyback(m, off, hdrlen, pd->hdr.any); +#if NPFSYNC > 0 + if (*sm != NULL && !ISSET((*sm)->state_flags, PFSTATE_NOSYNC) && + direction == PF_OUT && pfsync_up()) { + /* + * We want the state created, but we dont + * want to send this in case a partner + * firewall has to know about it to allow + * replies through it. + */ + if (pfsync_defer(*sm, m)) + return (PF_DEFER); + } +#endif + return (PF_PASS); cleanup: @@ -3419,7 +2900,10 @@ pf_create_state(struct pf_rule *r, struct pf_rule *nr, struct pf_rule *a, s->state_flags |= PFSTATE_ALLOWOPTS; if (r->rule_flag & PFRULE_STATESLOPPY) s->state_flags |= PFSTATE_SLOPPY; + if (r->rule_flag & PFRULE_PFLOW) + s->state_flags |= PFSTATE_PFLOW; s->log = r->log & PF_LOG_ALL; + s->sync_state = PFSYNC_S_NONE; if (nr != NULL) s->log |= nr->log & PF_LOG_ALL; switch (pd->proto) { @@ -5062,6 +4546,12 @@ pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif) break; #ifdef INET6 case AF_INET6: + /* + * Skip check for addresses with embedded interface scope, + * as they would always match anyway. + */ + if (IN6_IS_SCOPE_EMBED(&addr->v6)) + goto out; dst6 = (struct sockaddr_in6 *)&ro.ro_dst; dst6->sin6_family = AF_INET6; dst6->sin6_len = sizeof(*dst6); 
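Review bot: The early `goto out` for scope-embedded IPv6 addresses returns whatever `ret` holds at that point, and `ret`'s initializer is outside the hunk; the comment says such addresses "would always match anyway", so the shortcut depends on `ret` starting out as the match value (presumably 1). Making that explicit, `ret = 1; goto out;` or at least `goto out; /* ret still holds its initial 1 */`, keeps the shortcut correct if the initializer is ever changed. pf_routable's body starts before the hunk.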
@@ -5102,7 +4592,7 @@ pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif) if (kif->pfik_ifp == ifp) ret = 1; - rn = rn_mpath_next(rn); + rn = rn_mpath_next(rn, 0); } while (check_mpath == 1 && rn != NULL && ret == 0); } else ret = 0; @@ -5285,14 +4775,13 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, } if (ntohs(ip->ip_len) <= ifp->if_mtu) { + ip->ip_sum = 0; if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) && ifp->if_bridge == NULL) { m0->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; ipstat.ips_outhwcsum++; - } else { - ip->ip_sum = 0; + } else ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); - } /* Update relevant hardware checksum stats for TCP/UDP */ if (m0->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) tcpstat.tcps_outhwcsum++; @@ -5362,7 +4851,6 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, struct ifnet *ifp = NULL; struct pf_addr naddr; struct pf_src_node *sn = NULL; - int error = 0; if (m == NULL || *m == NULL || r == NULL || (dir != PF_IN && dir != PF_OUT) || oifp == NULL) @@ -5445,7 +4933,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, if (IN6_IS_SCOPE_EMBED(&dst->sin6_addr)) dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index); if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { - error = nd6_output(ifp, ifp, m0, dst, NULL); + nd6_output(ifp, ifp, m0, dst, NULL); } else { in6_ifstat_inc(ifp, ifs6_in_toobig); if (r->rt != PF_DUPTO) @@ -5689,7 +5177,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, &reason); if (action == PF_PASS) { -#if NPFSYNC +#if NPFSYNC > 0 pfsync_update_state(s); #endif /* NPFSYNC */ r = s->rule.ptr; @@ -5719,7 +5207,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, } action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); if (action == PF_PASS) { -#if NPFSYNC +#if NPFSYNC > 0 pfsync_update_state(s); #endif /* NPFSYNC */ r = s->rule.ptr; 
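Review bot: Hoisting `ip->ip_sum = 0;` above the capability test means the field is now zeroed on the M_IPV4_CSUM_OUT path as well, not only before in_cksum(), and the reason is not stated. A one-line comment such as `/* zero the field for both the hardware and the in_cksum() path */` would explain why the assignment moved out of the else branch rather than looking like a stray edit. pf_route's body starts before and continues after the hunk.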
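Review bot: With `error` removed, the nd6_output() return value in pf_route6 is now dropped silently at the call site. Since the old code assigned it and never read it, behaviour is unchanged, but writing it as `(void)nd6_output(ifp, ifp, m0, dst, NULL);` records that ignoring the result is deliberate rather than an oversight. pf_route6's body continues outside the hunk.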
@@ -5743,7 +5231,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd, &reason); if (action == PF_PASS) { -#if NPFSYNC +#if NPFSYNC > 0 pfsync_update_state(s); #endif /* NPFSYNC */ r = s->rule.ptr; @@ -5758,7 +5246,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, default: action = pf_test_state_other(&s, dir, kif, m, &pd); if (action == PF_PASS) { -#if NPFSYNC +#if NPFSYNC > 0 pfsync_update_state(s); #endif /* NPFSYNC */ r = s->rule.ptr; @@ -5783,10 +5271,8 @@ done: if ((s && s->tag) || r->rtableid) pf_tag_packet(m, s ? s->tag : 0, r->rtableid); -#if 0 if (dir == PF_IN && s && s->key[PF_SK_STACK]) m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK]; -#endif #ifdef ALTQ if (action == PF_PASS && r->qid) { @@ -5881,14 +5367,19 @@ done: r->action == PF_PASS, tr->dst.neg); } - - if (action == PF_SYNPROXY_DROP) { + switch (action) { + case PF_SYNPROXY_DROP: m_freem(*m0); + case PF_DEFER: *m0 = NULL; action = PF_PASS; - } else if (r->rt) + break; + default: /* pf_route can free the mbuf causing *m0 to become NULL */ - pf_route(m0, r, dir, kif->pfik_ifp, s, &pd); + if (r->rt) + pf_route(m0, r, dir, kif->pfik_ifp, s, &pd); + break; + } return (action); } @@ -6064,7 +5555,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, &reason); if (action == PF_PASS) { -#if NPFSYNC +#if NPFSYNC > 0 pfsync_update_state(s); #endif /* NPFSYNC */ r = s->rule.ptr; @@ -6094,7 +5585,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, } action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); if (action == PF_PASS) { -#if NPFSYNC +#if NPFSYNC > 0 pfsync_update_state(s); #endif /* NPFSYNC */ r = s->rule.ptr; 
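Review bot: In the new `switch (action)` the `case PF_SYNPROXY_DROP:` branch falls into `case PF_DEFER:` on purpose (free the mbuf, then clear `*m0` and report PF_PASS), but there is no `/* FALLTHROUGH */` marker, so a reader or a fallthrough warning will see a missing `break`. Add the marker right after `m_freem(*m0);` here in pf_test and in the identical switch in pf_test6 in the next hunk group. A one-line comment on `case PF_DEFER:` saying that the deferred mbuf is presumably now held by pfsync, which is why `*m0` is cleared without being freed, would also help; that ownership transfer is only implied by the pfsync_defer() call in pf_test_rule above.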
@@ -6118,7 +5609,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd, &reason); if (action == PF_PASS) { -#if NPFSYNC +#if NPFSYNC > 0 pfsync_update_state(s); #endif /* NPFSYNC */ r = s->rule.ptr; @@ -6133,7 +5624,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, default: action = pf_test_state_other(&s, dir, kif, m, &pd); if (action == PF_PASS) { -#if NPFSYNC +#if NPFSYNC > 0 pfsync_update_state(s); #endif /* NPFSYNC */ r = s->rule.ptr; @@ -6164,10 +5655,8 @@ done: if ((s && s->tag) || r->rtableid) pf_tag_packet(m, s ? s->tag : 0, r->rtableid); -#if 0 if (dir == PF_IN && s && s->key[PF_SK_STACK]) m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK]; -#endif #ifdef ALTQ if (action == PF_PASS && r->qid) { @@ -6255,14 +5744,19 @@ done: r->action == PF_PASS, tr->dst.neg); } - - if (action == PF_SYNPROXY_DROP) { + switch (action) { + case PF_SYNPROXY_DROP: m_freem(*m0); + case PF_DEFER: *m0 = NULL; action = PF_PASS; - } else if (r->rt) + break; + default: /* pf_route6 can free the mbuf causing *m0 to become NULL */ - pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd); + if (r->rt) + pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd); + break; + } return (action); } @@ -6276,3 +5770,13 @@ pf_check_congestion(struct ifqueue *ifq) else return (0); } + +/* + * must be called whenever any addressing information such as + * address, port, protocol has changed + */ +void +pf_pkt_addr_changed(struct mbuf *m) +{ + m->m_pkthdr.pf.statekey = NULL; +} diff --git a/net/pf_if.c b/net/pf_if.c index e39a9d6501e6..11d0690d40ec 100644 --- a/net/pf_if.c +++ b/net/pf_if.c @@ -367,7 +367,7 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af) goto _bad; } - if ((dyn->pfid_kt = pfr_attach_table(ruleset, tblname)) == NULL) { + if ((dyn->pfid_kt = pfr_attach_table(ruleset, tblname, 1)) == NULL) { rv = 1; goto _bad; } diff --git a/net/pf_ioctl.c b/net/pf_ioctl.c index 4c1e18c89d6e..a7546e3649b8 100644 --- a/net/pf_ioctl.c 
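Review bot: pf_pkt_addr_changed() writes m->m_pkthdr.pf.statekey without checking that the mbuf carries a packet header; on an mbuf without M_PKTHDR the m_pkthdr member is not valid. A `KASSERT(m->m_flags & M_PKTHDR);`, or a comment stating that callers guarantee it, would make the contract explicit. The header comment could also say what the field is for, e.g. `/* drops the state key cached for pf_find_state(); it was keyed by the old addressing */`, which ties the new function to the reverse-key caching enabled in the `done:` hunks above.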
+++ b/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.209 2008/06/29 08:42:15 mcbride Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.213 2009/02/15 21:46:12 mbalmer Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1164,7 +1164,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) if (rule->overload_tblname[0]) { if ((rule->overload_tbl = pfr_attach_table(ruleset, - rule->overload_tblname)) == NULL) + rule->overload_tblname, 0)) == NULL) error = EINVAL; else rule->overload_tbl->pfrkt_flags |= @@ -1401,7 +1401,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) if (newrule->overload_tblname[0]) { if ((newrule->overload_tbl = pfr_attach_table( - ruleset, newrule->overload_tblname)) == + ruleset, newrule->overload_tblname, 0)) == NULL) error = EINVAL; else @@ -1489,16 +1489,16 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) if (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname, s->kif->pfik_name)) { -#if NPFSYNC +#if NPFSYNC > 0 /* don't send out individual delete messages */ - s->sync_flags = PFSTATE_NOSYNC; + SET(s->state_flags, PFSTATE_NOSYNC); #endif pf_unlink_state(s); killed++; } } psk->psk_killed = killed; -#if NPFSYNC +#if NPFSYNC > 0 pfsync_clear_states(pf_status.hostid, psk->psk_ifname); #endif break; @@ -1516,11 +1516,6 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) if (psk->psk_pfcmp.creatorid == 0) psk->psk_pfcmp.creatorid = pf_status.hostid; if ((s = pf_find_state_byid(&psk->psk_pfcmp))) { -#if NPFSYNC > 0 - /* send immediate delete of state */ - pfsync_delete_state(s); - s->sync_flags |= PFSTATE_NOSYNC; -#endif pf_unlink_state(s); psk->psk_killed = 1; } 
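Review bot: In the DIOCCLRSTATES path `SET(s->state_flags, PFSTATE_NOSYNC)` is now the only thing suppressing per-state delete messages, because pf_unlink_state() in the pf.c hunks above calls pfsync_delete_state() unconditionally (the old creatorid test is gone); the suppression therefore relies on pfsync_delete_state() honouring PFSTATE_NOSYNC, which is not visible on this page. Worth confirming and then replacing the existing comment with one that states the dependency, e.g. `/* pfsync_delete_state() skips NOSYNC states; one clear message follows below */`. The same reasoning applies to the two hunks below that drop the explicit pfsync_delete_state() calls before pf_unlink_state().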
@@ -1566,11 +1561,6 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) !strcmp(psk->psk_label, s->rule.ptr->label))) && (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname, s->kif->pfik_name))) { -#if NPFSYNC > 0 - /* send immediate delete of state */ - pfsync_delete_state(s); - s->sync_flags |= PFSTATE_NOSYNC; -#endif pf_unlink_state(s); killed++; } diff --git a/net/pf_lb.c b/net/pf_lb.c new file mode 100644 index 000000000000..b1a709223bf4 --- /dev/null +++ b/net/pf_lb.c 
@@ -0,0 +1,695 @@ +/* $OpenBSD: pf_lb.c,v 1.2 2009/02/12 02:13:15 sthen Exp $ */ + +/* + * Copyright (c) 2001 Daniel Hartmeier + * Copyright (c) 2002 - 2008 Henning Brauer + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * Effort sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F30602-01-2-0537. 
+ * + */ + +#include "bpfilter.h" +#include "pflog.h" +#include "pfsync.h" +#include "pflow.h" + +#include <sys/param.h> +#include <sys/systm.h> +#include <sys/mbuf.h> +#include <sys/filio.h> +#include <sys/socket.h> +#include <sys/socketvar.h> +#include <sys/kernel.h> +#include <sys/time.h> +#include <sys/pool.h> +#include <sys/proc.h> +#include <sys/rwlock.h> + +#include <crypto/md5.h> + +#include <net/if.h> +#include <net/if_types.h> +#include <net/bpf.h> +#include <net/route.h> +#include <net/radix_mpath.h> + +#include <netinet/in.h> +#include <netinet/in_var.h> +#include <netinet/in_systm.h> +#include <netinet/ip.h> +#include <netinet/ip_var.h> +#include <netinet/tcp.h> +#include <netinet/tcp_seq.h> +#include <netinet/udp.h> +#include <netinet/ip_icmp.h> +#include <netinet/in_pcb.h> +#include <netinet/tcp_timer.h> +#include <netinet/tcp_var.h> +#include <netinet/udp_var.h> +#include <netinet/icmp_var.h> +#include <netinet/if_ether.h> + +#include <dev/rndvar.h> +#include <net/pfvar.h> +#include <net/if_pflog.h> +#include <net/if_pflow.h> + +#if NPFSYNC > 0 +#include <net/if_pfsync.h> +#endif /* NPFSYNC > 0 */ + +#ifdef INET6 +#include <netinet/ip6.h> +#include <netinet/in_pcb.h> +#include <netinet/icmp6.h> +#include <netinet6/nd6.h> +#endif /* INET6 */ + + +#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x + +/* + * Global variables + */ + +void pf_hash(struct pf_addr *, struct pf_addr *, + struct pf_poolhashkey *, sa_family_t); +struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *, + int, int, struct pfi_kif *, + struct pf_addr *, u_int16_t, struct pf_addr *, + u_int16_t, int); +int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *, + struct pf_addr *, struct pf_addr *, u_int16_t, + struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t, + struct pf_src_node **); + +#define mix(a,b,c) \ + do { \ + a -= b; a -= c; a ^= (c >> 13); \ + b -= c; b -= a; b ^= (a << 8); \ + c -= a; c -= b; c ^= (b >> 13); \ + a -= b; a -= c; a ^= (c >> 12); 
\ + b -= c; b -= a; b ^= (a << 16); \ + c -= a; c -= b; c ^= (b >> 5); \ + a -= b; a -= c; a ^= (c >> 3); \ + b -= c; b -= a; b ^= (a << 10); \ + c -= a; c -= b; c ^= (b >> 15); \ + } while (0) + +/* + * hash function based on bridge_hash in if_bridge.c + */ +void +pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, + struct pf_poolhashkey *key, sa_family_t af) +{ + u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; + + switch (af) { +#ifdef INET + case AF_INET: + a += inaddr->addr32[0]; + b += key->key32[1]; + mix(a, b, c); + hash->addr32[0] = c + key->key32[2]; + break; +#endif /* INET */ +#ifdef INET6 + case AF_INET6: + a += inaddr->addr32[0]; + b += inaddr->addr32[2]; + mix(a, b, c); + hash->addr32[0] = c; + a += inaddr->addr32[1]; + b += inaddr->addr32[3]; + c += key->key32[1]; + mix(a, b, c); + hash->addr32[1] = c; + a += inaddr->addr32[2]; + b += inaddr->addr32[1]; + c += key->key32[2]; + mix(a, b, c); + hash->addr32[2] = c; + a += inaddr->addr32[3]; + b += inaddr->addr32[0]; + c += key->key32[3]; + mix(a, b, c); + hash->addr32[3] = c; + break; +#endif /* INET6 */ + } +} + +struct pf_rule * +pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, + int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport, + struct pf_addr *daddr, u_int16_t dport, int rs_num) +{ + struct pf_rule *r, *rm = NULL; + struct pf_ruleset *ruleset = NULL; + int tag = -1; + int rtableid = -1; + int asd = 0; + + r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); + while (r && rm == NULL) { + struct pf_rule_addr *src = NULL, *dst = NULL; + struct pf_addr_wrap *xdst = NULL; + + if (r->action == PF_BINAT && direction == PF_IN) { + src = &r->dst; + if (r->rpool.cur != NULL) + xdst = &r->rpool.cur->addr; + } else { + src = &r->src; + dst = &r->dst; + } + + r->evaluations++; + if (pfi_kif_match(r->kif, kif) == r->ifnot) + r = r->skip[PF_SKIP_IFP].ptr; + else if (r->direction && r->direction != direction) + r = r->skip[PF_SKIP_DIR].ptr; + else 
if (r->af && r->af != pd->af) + r = r->skip[PF_SKIP_AF].ptr; + else if (r->proto && r->proto != pd->proto) + r = r->skip[PF_SKIP_PROTO].ptr; + else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, + src->neg, kif)) + r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : + PF_SKIP_DST_ADDR].ptr; + else if (src->port_op && !pf_match_port(src->port_op, + src->port[0], src->port[1], sport)) + r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : + PF_SKIP_DST_PORT].ptr; + else if (dst != NULL && + PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL)) + r = r->skip[PF_SKIP_DST_ADDR].ptr; + else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, + 0, NULL)) + r = TAILQ_NEXT(r, entries); + else if (dst != NULL && dst->port_op && + !pf_match_port(dst->port_op, dst->port[0], + dst->port[1], dport)) + r = r->skip[PF_SKIP_DST_PORT].ptr; + else if (r->match_tag && !pf_match_tag(m, r, &tag)) + r = TAILQ_NEXT(r, entries); + else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != + IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, + off, pd->hdr.tcp), r->os_fingerprint))) + r = TAILQ_NEXT(r, entries); + else { + if (r->tag) + tag = r->tag; + if (r->rtableid >= 0) + rtableid = r->rtableid; + if (r->anchor == NULL) { + rm = r; + } else + pf_step_into_anchor(&asd, &ruleset, rs_num, + &r, NULL, NULL); + } + if (r == NULL) + pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r, + NULL, NULL); + } + if (pf_tag_packet(m, tag, rtableid)) + return (NULL); + if (rm != NULL && (rm->action == PF_NONAT || + rm->action == PF_NORDR || rm->action == PF_NOBINAT)) + return (NULL); + return (rm); +} + +int +pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, + struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport, + struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high, + struct pf_src_node **sn) +{ + struct pf_state_key_cmp key; + struct pf_addr init_addr; + u_int16_t cut; + + bzero(&init_addr, sizeof(init_addr)); + if (pf_map_addr(af, r, saddr, naddr, 
&init_addr, sn)) + return (1); + + if (proto == IPPROTO_ICMP) { + low = 1; + high = 65535; + } + + do { + key.af = af; + key.proto = proto; + PF_ACPY(&key.addr[1], daddr, key.af); + PF_ACPY(&key.addr[0], naddr, key.af); + key.port[1] = dport; + + /* + * port search; start random, step; + * similar 2 portloop in in_pcbbind + */ + if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP || + proto == IPPROTO_ICMP)) { + key.port[0] = dport; + if (pf_find_state_all(&key, PF_IN, NULL) == NULL) + return (0); + } else if (low == 0 && high == 0) { + key.port[0] = *nport; + if (pf_find_state_all(&key, PF_IN, NULL) == NULL) + return (0); + } else if (low == high) { + key.port[0] = htons(low); + if (pf_find_state_all(&key, PF_IN, NULL) == NULL) { + *nport = htons(low); + return (0); + } + } else { + u_int16_t tmp; + + if (low > high) { + tmp = low; + low = high; + high = tmp; + } + /* low < high */ + cut = arc4random_uniform(1 + high - low) + low; + /* low <= cut <= high */ + for (tmp = cut; tmp <= high; ++(tmp)) { + key.port[0] = htons(tmp); + if (pf_find_state_all(&key, PF_IN, NULL) == + NULL && !in_baddynamic(tmp, proto)) { + *nport = htons(tmp); + return (0); + } + } + for (tmp = cut - 1; tmp >= low; --(tmp)) { + key.port[0] = htons(tmp); + if (pf_find_state_all(&key, PF_IN, NULL) == + NULL && !in_baddynamic(tmp, proto)) { + *nport = htons(tmp); + return (0); + } + } + } + + switch (r->rpool.opts & PF_POOL_TYPEMASK) { + case PF_POOL_RANDOM: + case PF_POOL_ROUNDROBIN: + if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) + return (1); + break; + case PF_POOL_NONE: + case PF_POOL_SRCHASH: + case PF_POOL_BITMASK: + default: + return (1); + } + } while (! 
PF_AEQ(&init_addr, naddr, af) ); + return (1); /* none available */ +} + +int +pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr, + struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn) +{ + unsigned char hash[16]; + struct pf_pool *rpool = &r->rpool; + struct pf_addr *raddr = &rpool->cur->addr.v.a.addr; + struct pf_addr *rmask = &rpool->cur->addr.v.a.mask; + struct pf_pooladdr *acur = rpool->cur; + struct pf_src_node k; + + if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR && + (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { + k.af = af; + PF_ACPY(&k.addr, saddr, af); + if (r->rule_flag & PFRULE_RULESRCTRACK || + r->rpool.opts & PF_POOL_STICKYADDR) + k.rule.ptr = r; + else + k.rule.ptr = NULL; + pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; + *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); + if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) { + PF_ACPY(naddr, &(*sn)->raddr, af); + if (pf_status.debug >= PF_DEBUG_MISC) { + printf("pf_map_addr: src tracking maps "); + pf_print_host(&k.addr, 0, af); + printf(" to "); + pf_print_host(naddr, 0, af); + printf("\n"); + } + return (0); + } + } + + if (rpool->cur->addr.type == PF_ADDR_NOROUTE) + return (1); + if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { + switch (af) { +#ifdef INET + case AF_INET: + if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 && + (rpool->opts & PF_POOL_TYPEMASK) != + PF_POOL_ROUNDROBIN) + return (1); + raddr = &rpool->cur->addr.p.dyn->pfid_addr4; + rmask = &rpool->cur->addr.p.dyn->pfid_mask4; + break; +#endif /* INET */ +#ifdef INET6 + case AF_INET6: + if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 && + (rpool->opts & PF_POOL_TYPEMASK) != + PF_POOL_ROUNDROBIN) + return (1); + raddr = &rpool->cur->addr.p.dyn->pfid_addr6; + rmask = &rpool->cur->addr.p.dyn->pfid_mask6; + break; +#endif /* INET6 */ + } + } else if (rpool->cur->addr.type == PF_ADDR_TABLE) { + if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) + return (1); /* unsupported */ + } else { 
+ raddr = &rpool->cur->addr.v.a.addr; + rmask = &rpool->cur->addr.v.a.mask; + } + + switch (rpool->opts & PF_POOL_TYPEMASK) { + case PF_POOL_NONE: + PF_ACPY(naddr, raddr, af); + break; + case PF_POOL_BITMASK: + PF_POOLMASK(naddr, raddr, rmask, saddr, af); + break; + case PF_POOL_RANDOM: + if (init_addr != NULL && PF_AZERO(init_addr, af)) { + switch (af) { +#ifdef INET + case AF_INET: + rpool->counter.addr32[0] = htonl(arc4random()); + break; +#endif /* INET */ +#ifdef INET6 + case AF_INET6: + if (rmask->addr32[3] != 0xffffffff) + rpool->counter.addr32[3] = + htonl(arc4random()); + else + break; + if (rmask->addr32[2] != 0xffffffff) + rpool->counter.addr32[2] = + htonl(arc4random()); + else + break; + if (rmask->addr32[1] != 0xffffffff) + rpool->counter.addr32[1] = + htonl(arc4random()); + else + break; + if (rmask->addr32[0] != 0xffffffff) + rpool->counter.addr32[0] = + htonl(arc4random()); + break; +#endif /* INET6 */ + } + PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); + PF_ACPY(init_addr, naddr, af); + + } else { + PF_AINC(&rpool->counter, af); + PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); + } + break; + case PF_POOL_SRCHASH: + pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af); + PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af); + break; + case PF_POOL_ROUNDROBIN: + if (rpool->cur->addr.type == PF_ADDR_TABLE) { + if (!pfr_pool_get(rpool->cur->addr.p.tbl, + &rpool->tblidx, &rpool->counter, + &raddr, &rmask, af)) + goto get_addr; + } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { + if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, + &rpool->tblidx, &rpool->counter, + &raddr, &rmask, af)) + goto get_addr; + } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af)) + goto get_addr; + + try_next: + if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL) + rpool->cur = TAILQ_FIRST(&rpool->list); + if (rpool->cur->addr.type == PF_ADDR_TABLE) { + rpool->tblidx = -1; + if (pfr_pool_get(rpool->cur->addr.p.tbl, + 
&rpool->tblidx, &rpool->counter, + &raddr, &rmask, af)) { + /* table contains no address of type 'af' */ + if (rpool->cur != acur) + goto try_next; + return (1); + } + } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { + rpool->tblidx = -1; + if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, + &rpool->tblidx, &rpool->counter, + &raddr, &rmask, af)) { + /* table contains no address of type 'af' */ + if (rpool->cur != acur) + goto try_next; + return (1); + } + } else { + raddr = &rpool->cur->addr.v.a.addr; + rmask = &rpool->cur->addr.v.a.mask; + PF_ACPY(&rpool->counter, raddr, af); + } + + get_addr: + PF_ACPY(naddr, &rpool->counter, af); + if (init_addr != NULL && PF_AZERO(init_addr, af)) + PF_ACPY(init_addr, naddr, af); + PF_AINC(&rpool->counter, af); + break; + } + if (*sn != NULL) + PF_ACPY(&(*sn)->raddr, naddr, af); + + if (pf_status.debug >= PF_DEBUG_MISC && + (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { + printf("pf_map_addr: selected address "); + pf_print_host(naddr, 0, af); + printf("\n"); + } + + return (0); +} + +struct pf_rule * +pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, + struct pfi_kif *kif, struct pf_src_node **sn, + struct pf_state_key **skw, struct pf_state_key **sks, + struct pf_state_key **skp, struct pf_state_key **nkp, + struct pf_addr *saddr, struct pf_addr *daddr, + u_int16_t sport, u_int16_t dport) +{ + struct pf_rule *r = NULL; + + + if (direction == PF_OUT) { + r = pf_match_translation(pd, m, off, direction, kif, saddr, + sport, daddr, dport, PF_RULESET_BINAT); + if (r == NULL) + r = pf_match_translation(pd, m, off, direction, kif, + saddr, sport, daddr, dport, PF_RULESET_NAT); + } else { + r = pf_match_translation(pd, m, off, direction, kif, saddr, + sport, daddr, dport, PF_RULESET_RDR); + if (r == NULL) + r = pf_match_translation(pd, m, off, direction, kif, + saddr, sport, daddr, dport, PF_RULESET_BINAT); + } + + if (r != NULL) { + struct pf_addr *naddr; + u_int16_t *nport; + + if 
(pf_state_key_setup(pd, r, skw, sks, skp, nkp, + saddr, daddr, sport, dport)) + return r; + + /* XXX We only modify one side for now. */ + naddr = &(*nkp)->addr[1]; + nport = &(*nkp)->port[1]; + + switch (r->action) { + case PF_NONAT: + case PF_NOBINAT: + case PF_NORDR: + return (NULL); + case PF_NAT: + if (pf_get_sport(pd->af, pd->proto, r, saddr, + daddr, dport, naddr, nport, r->rpool.proxy_port[0], + r->rpool.proxy_port[1], sn)) { + DPFPRINTF(PF_DEBUG_MISC, + ("pf: NAT proxy port allocation " + "(%u-%u) failed\n", + r->rpool.proxy_port[0], + r->rpool.proxy_port[1])); + return (NULL); + } + break; + case PF_BINAT: + switch (direction) { + case PF_OUT: + if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ + switch (pd->af) { +#ifdef INET + case AF_INET: + if (r->rpool.cur->addr.p.dyn-> + pfid_acnt4 < 1) + return (NULL); + PF_POOLMASK(naddr, + &r->rpool.cur->addr.p.dyn-> + pfid_addr4, + &r->rpool.cur->addr.p.dyn-> + pfid_mask4, + saddr, AF_INET); + break; +#endif /* INET */ +#ifdef INET6 + case AF_INET6: + if (r->rpool.cur->addr.p.dyn-> + pfid_acnt6 < 1) + return (NULL); + PF_POOLMASK(naddr, + &r->rpool.cur->addr.p.dyn-> + pfid_addr6, + &r->rpool.cur->addr.p.dyn-> + pfid_mask6, + saddr, AF_INET6); + break; +#endif /* INET6 */ + } + } else + PF_POOLMASK(naddr, + &r->rpool.cur->addr.v.a.addr, + &r->rpool.cur->addr.v.a.mask, + saddr, pd->af); + break; + case PF_IN: + if (r->src.addr.type == PF_ADDR_DYNIFTL) { + switch (pd->af) { +#ifdef INET + case AF_INET: + if (r->src.addr.p.dyn-> + pfid_acnt4 < 1) + return (NULL); + PF_POOLMASK(naddr, + &r->src.addr.p.dyn-> + pfid_addr4, + &r->src.addr.p.dyn-> + pfid_mask4, + daddr, AF_INET); + break; +#endif /* INET */ +#ifdef INET6 + case AF_INET6: + if (r->src.addr.p.dyn-> + pfid_acnt6 < 1) + return (NULL); + PF_POOLMASK(naddr, + &r->src.addr.p.dyn-> + pfid_addr6, + &r->src.addr.p.dyn-> + pfid_mask6, + daddr, AF_INET6); + break; +#endif /* INET6 */ + } + } else + PF_POOLMASK(naddr, + &r->src.addr.v.a.addr, + &r->src.addr.v.a.mask, 
daddr, + pd->af); + break; + } + break; + case PF_RDR: { + if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn)) + return (NULL); + if ((r->rpool.opts & PF_POOL_TYPEMASK) == + PF_POOL_BITMASK) + PF_POOLMASK(naddr, naddr, + &r->rpool.cur->addr.v.a.mask, daddr, + pd->af); + + if (r->rpool.proxy_port[1]) { + u_int32_t tmp_nport; + + tmp_nport = ((ntohs(dport) - + ntohs(r->dst.port[0])) % + (r->rpool.proxy_port[1] - + r->rpool.proxy_port[0] + 1)) + + r->rpool.proxy_port[0]; + + /* wrap around if necessary */ + if (tmp_nport > 65535) + tmp_nport -= 65535; + *nport = htons((u_int16_t)tmp_nport); + } else if (r->rpool.proxy_port[0]) + *nport = htons(r->rpool.proxy_port[0]); + break; + } + default: + return (NULL); + } + /* + * Translation was a NOP. + * Pretend there was no match. + */ + if (!bcmp(*skp, *nkp, sizeof(struct pf_state_key_cmp))) { + pool_put(&pf_state_key_pl, *nkp); + pool_put(&pf_state_key_pl, *skp); + *skw = *sks = *nkp = *skp = NULL; + return (NULL); + } + } + + return (r); +} + diff --git a/net/pf_norm.c b/net/pf_norm.c index a6837a209fc0..9d7b69510358 100644 --- a/net/pf_norm.c +++ b/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.113 2008/05/07 07:07:29 markus Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.114 2009/01/29 14:11:45 henning Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -116,7 +116,11 @@ struct mbuf *pf_fragcache(struct mbuf **, struct ip*, struct pf_fragment **, int, int, int *); int pf_normalize_tcpopt(struct pf_rule *, struct mbuf *, struct tcphdr *, int, sa_family_t); - +void pf_scrub_ip(struct mbuf **, u_int32_t, u_int8_t, + u_int8_t); +#ifdef INET6 +void pf_scrub_ip6(struct mbuf **, u_int8_t); +#endif #define DPFPRINTF(x) do { \ if (pf_status.debug >= PF_DEBUG_MISC) { \ printf("%s: ", __func__); \ 
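Review bot: In pf_get_sport() the descending scan `for (tmp = cut - 1; tmp >= low; --(tmp))` cannot terminate on its own condition when `low` is 0, because `tmp` is a u_int16_t and `tmp >= 0` is always true; only the `low == 0 && high == 0` combination is special-cased above it, so with `low == 0 && high > 0` the decrement wraps from 0 to 65535 and the search continues above `high`, meaning a proxy port outside the configured range can be handed out, and if every port is in use or rejected by in_baddynamic() the loop never exits. Bounding the scan by its starting point fixes both: `for (tmp = cut - 1; tmp >= low && tmp < cut; --(tmp)) {`. Separately, in the PF_RDR case of pf_get_translation() the divisor `(r->rpool.proxy_port[1] - r->rpool.proxy_port[0] + 1)` is zero whenever proxy_port[1] is proxy_port[0] - 1; unless the ioctl path already guarantees proxy_port[0] <= proxy_port[1] (not visible here), that is a division by zero reachable from rule configuration. A guard such as `if (r->rpool.proxy_port[1] >= r->rpool.proxy_port[0])` around the modulus, or rejecting such rules at load time, would close it.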
@@ -984,54 +988,11 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_off, h->ip_off, 0); } - /* Enforce a minimum ttl, may cause endless packet loops */ - if (r->min_ttl && h->ip_ttl < r->min_ttl) { - u_int16_t ip_ttl = h->ip_ttl; - - h->ip_ttl = r->min_ttl; - h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_ttl, h->ip_ttl, 0); - } - - /* Enforce tos */ - if (r->rule_flag & PFRULE_SET_TOS) { - u_int16_t ov, nv; - - ov = *(u_int16_t *)h; - h->ip_tos = r->set_tos; - nv = *(u_int16_t *)h; - - h->ip_sum = pf_cksum_fixup(h->ip_sum, ov, nv, 0); - } - - if (r->rule_flag & PFRULE_RANDOMID) { - u_int16_t ip_id = h->ip_id; - - h->ip_id = ip_randomid(); - h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_id, h->ip_id, 0); - } - if ((r->rule_flag & (PFRULE_FRAGCROP|PFRULE_FRAGDROP)) == 0) - pd->flags |= PFDESC_IP_REAS; - - return (PF_PASS); + /* not missing a return here */ fragment_pass: - /* Enforce a minimum ttl, may cause endless packet loops */ - if (r->min_ttl && h->ip_ttl < r->min_ttl) { - u_int16_t ip_ttl = h->ip_ttl; + pf_scrub_ip(&m, r->rule_flag, r->min_ttl, r->set_tos); - h->ip_ttl = r->min_ttl; - h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_ttl, h->ip_ttl, 0); - } - /* Enforce tos */ - if (r->rule_flag & PFRULE_SET_TOS) { - u_int16_t ov, nv; - - ov = *(u_int16_t *)h; - h->ip_tos = r->set_tos; - nv = *(u_int16_t *)h; - - h->ip_sum = pf_cksum_fixup(h->ip_sum, ov, nv, 0); - } if ((r->rule_flag & (PFRULE_FRAGCROP|PFRULE_FRAGDROP)) == 0) pd->flags |= PFDESC_IP_REAS; return (PF_PASS); @@ -1200,9 +1161,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kif *kif, if (sizeof(struct ip6_hdr) + plen > m->m_pkthdr.len) goto shortpkt; - /* Enforce a minimum ttl, may cause endless packet loops */ - if (r->min_ttl && h->ip6_hlim < r->min_ttl) - h->ip6_hlim = r->min_ttl; + pf_scrub_ip6(&m, r->min_ttl); return (PF_PASS); 
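Review bot: The comment `/* not missing a return here */` added in pf_normalize_ip() just before the `fragment_pass:` label says what a linter might flag rather than why the non-fragment path now deliberately falls into the label; `/* FALLTHROUGH: unfragmented packets share the scrub and PFDESC_IP_REAS handling below */` would explain it. Since pf_scrub_ip() is now the single place where min-ttl, set-tos and random-id are applied, that comment is also the natural spot to say so. pf_normalize_ip() begins and ends outside the hunk.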
@@ -1892,3 +1851,58 @@ pf_normalize_tcpopt(struct pf_rule *r, struct mbuf *m, struct tcphdr *th, return (rewrite); } + +void +pf_scrub_ip(struct mbuf **m0, u_int32_t flags, u_int8_t min_ttl, u_int8_t tos) +{ + struct mbuf *m = *m0; + struct ip *h = mtod(m, struct ip *); + + /* Clear IP_DF if no-df was requested */ + if (flags & PFRULE_NODF && h->ip_off & htons(IP_DF)) { + u_int16_t ip_off = h->ip_off; + + h->ip_off &= htons(~IP_DF); + h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_off, h->ip_off, 0); + } + + /* Enforce a minimum ttl, may cause endless packet loops */ + if (min_ttl && h->ip_ttl < min_ttl) { + u_int16_t ip_ttl = h->ip_ttl; + + h->ip_ttl = min_ttl; + h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_ttl, h->ip_ttl, 0); + } + + /* Enforce tos */ + if (flags & PFRULE_SET_TOS) { + u_int16_t ov, nv; + + ov = *(u_int16_t *)h; + h->ip_tos = tos; + nv = *(u_int16_t *)h; + + h->ip_sum = pf_cksum_fixup(h->ip_sum, ov, nv, 0); + } + + /* random-id, but not for fragments */ + if (flags & PFRULE_RANDOMID && !(h->ip_off & ~htons(IP_DF))) { + u_int16_t ip_id = h->ip_id; + + h->ip_id = ip_randomid(); + h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_id, h->ip_id, 0); + } +} + +#ifdef INET6 +void +pf_scrub_ip6(struct mbuf **m0, u_int8_t min_ttl) +{ + struct mbuf *m = *m0; + struct ip6_hdr *h = mtod(m, struct ip6_hdr *); + + /* Enforce a minimum ttl, may cause endless packet loops */ + if (min_ttl && h->ip6_hlim < min_ttl) + h->ip6_hlim = min_ttl; +} +#endif diff --git a/net/pf_osfp.c b/net/pf_osfp.c index 75f33032e1a2..bb0968380aea 100644 --- a/net/pf_osfp.c +++ b/net/pf_osfp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_osfp.c,v 1.15 2008/06/14 02:22:13 henning Exp $ */ +/* $OpenBSD: pf_osfp.c,v 1.14 2008/06/12 18:17:01 henning Exp $ */ /* * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org> diff --git a/net/pf_ruleset.c b/net/pf_ruleset.c index 0db7b1aea6dc..590576967347 100644 --- a/net/pf_ruleset.c +++ b/net/pf_ruleset.c 
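Review bot: pf_scrub_ip() and pf_scrub_ip6() have no header comment, and their `struct mbuf **m0` parameter is misleading: both only read `*m0` and never store back, and both apply mtod() directly, so the IP header must already be contiguous in the first mbuf — presumably guaranteed by the pullup done in pf_normalize_ip()/pf_normalize_ip6() before the calls, which are outside this hunk. The random-id guard `!(h->ip_off & ~htons(IP_DF))` also deserves a line of its own, e.g. `/* only for unfragmented packets: MF, offset (and RF) must all be clear */`. A comment above pf_scrub_ip() along the lines of `/* Apply the scrub options (no-df, min-ttl, set-tos, random-id) in place to the IPv4 header at the front of *m0; the header must be contiguous and ip_sum is fixed up incrementally. */` would let a reader skip the callers.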
@@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ruleset.c,v 1.1 2006/10/27 13:56:51 mcbride Exp $ */ +/* $OpenBSD: pf_ruleset.c,v 1.2 2008/12/18 15:31:37 dhill Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -59,7 +59,7 @@ # define DPFPRINTF(format, x...) \ if (pf_status.debug >= PF_DEBUG_NOISY) \ printf(format , ##x) -#define rs_malloc(x) malloc(x, M_TEMP, M_WAITOK) +#define rs_malloc(x) malloc(x, M_TEMP, M_WAITOK|M_CANFAIL|M_ZERO) #define rs_free(x) free(x, M_TEMP) #else @@ -70,7 +70,7 @@ # include <stdio.h> # include <stdlib.h> # include <string.h> -# define rs_malloc(x) malloc(x) +# define rs_malloc(x) calloc(1, x) # define rs_free(x) free(x) # ifdef PFDEBUG @@ -85,14 +85,6 @@ struct pf_anchor_global pf_anchors; struct pf_anchor pf_main_anchor; -int pf_get_ruleset_number(u_int8_t); -void pf_init_ruleset(struct pf_ruleset *); -int pf_anchor_setup(struct pf_rule *, - const struct pf_ruleset *, const char *); -int pf_anchor_copyout(const struct pf_ruleset *, - const struct pf_rule *, struct pfioc_rule *); -void pf_anchor_remove(struct pf_rule *); - static __inline int pf_anchor_compare(struct pf_anchor *, struct pf_anchor *); RB_GENERATE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare); @@ -156,7 +148,8 @@ pf_find_anchor(const char *path) struct pf_anchor *key, *found; key = (struct pf_anchor *)rs_malloc(sizeof(*key)); - memset(key, 0, sizeof(*key)); + if (key == NULL) + return (NULL); strlcpy(key->path, path, sizeof(key->path)); found = RB_FIND(pf_anchor_global, &pf_anchors, key); rs_free(key); @@ -194,7 +187,8 @@ pf_find_or_create_ruleset(const char *path) if (ruleset != NULL) return (ruleset); p = (char *)rs_malloc(MAXPATHLEN); - bzero(p, MAXPATHLEN); + if (p == NULL) + return (NULL); strlcpy(p, path, MAXPATHLEN); while (parent == NULL && (q = strrchr(p, '/')) != NULL) { *q = 0; 
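Review bot: In pf_find_anchor() (hunk -148) the new `if (key == NULL) return (NULL);` makes an allocation failure indistinguishable from "anchor not found", and pf_find_or_create_ruleset() in hunk -194 likewise returns NULL for both; a caller that creates on NULL will then retry a lookup-and-insert it cannot tell apart from a genuine miss. Since rs_malloc() is now M_CANFAIL|M_ZERO in the kernel and calloc() in userland this appears to be the intended trade-off, but it should be stated at the return in pf_find_anchor(): `/* NULL on allocation failure as well as on a miss */`. Both functions begin outside their hunks.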
@@ -226,7 +220,6 @@ pf_find_or_create_ruleset(const char *path) rs_free(p); return (NULL); } - memset(anchor, 0, sizeof(*anchor)); RB_INIT(&anchor->children); strlcpy(anchor->name, q, sizeof(anchor->name)); if (parent != NULL) { @@ -312,7 +305,8 @@ pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s, if (!name[0]) return (0); path = (char *)rs_malloc(MAXPATHLEN); - bzero(path, MAXPATHLEN); + if (path == NULL) + return (1); if (name[0] == '/') strlcpy(path, name + 1, MAXPATHLEN); else { @@ -370,7 +364,8 @@ pf_anchor_copyout(const struct pf_ruleset *rs, const struct pf_rule *r, int i; a = (char *)rs_malloc(MAXPATHLEN); - bzero(a, MAXPATHLEN); + if (a == NULL) + return (1); if (rs->anchor == NULL) a[0] = 0; else diff --git a/net/pf_table.c b/net/pf_table.c index c8ac76fc53da..244797505d2b 100644 --- a/net/pf_table.c +++ b/net/pf_table.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_table.c,v 1.78 2008/06/14 03:50:14 art Exp $ */ +/* $OpenBSD: pf_table.c,v 1.79 2008/10/08 06:24:50 mcbride Exp $ */ /* * Copyright (c) 2002 Cedric Berger @@ -126,7 +126,6 @@ struct pfr_walktree { struct pool pfr_ktable_pl; struct pool pfr_kentry_pl; -struct pool pfr_kentry_pl2; struct pool pfr_kcounters_pl; struct sockaddr_in pfr_sin; struct sockaddr_in6 pfr_sin6; @@ -167,7 +166,7 @@ void pfr_setflags_ktable(struct pfr_ktable *, int); void pfr_clstats_ktables(struct pfr_ktableworkq *, long, int); void pfr_clstats_ktable(struct pfr_ktable *, long, int); -struct pfr_ktable *pfr_create_ktable(struct pfr_table *, long, int); +struct pfr_ktable *pfr_create_ktable(struct pfr_table *, long, int, int); void pfr_destroy_ktables(struct pfr_ktableworkq *, int); void pfr_destroy_ktable(struct pfr_ktable *, int); int pfr_ktable_compare(struct pfr_ktable *, 
@@ -194,8 +193,6 @@ pfr_initialize(void) "pfrktable", NULL); pool_init(&pfr_kentry_pl, sizeof(struct pfr_kentry), 0, 0, 0, "pfrkentry", NULL); - pool_init(&pfr_kentry_pl2, sizeof(struct pfr_kentry), 0, 0, 0, - "pfrkentry2", NULL); pool_init(&pfr_kcounters_pl, sizeof(struct pfr_kcounters), 0, 0, 0, "pfrkcounters", NULL); @@ -259,7 +256,8 @@ pfr_add_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size, return (ESRCH); if (kt->pfrkt_flags & PFR_TFLAG_CONST) return (EPERM); - tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0); + tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0, + !(flags & PFR_FLAG_USERIOCTL)); if (tmpkt == NULL) return (ENOMEM); SLIST_INIT(&workq); @@ -431,7 +429,8 @@ pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size, return (ESRCH); if (kt->pfrkt_flags & PFR_TFLAG_CONST) return (EPERM); - tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0); + tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0, + !(flags & PFR_FLAG_USERIOCTL)); if (tmpkt == NULL) return (ENOMEM); pfr_mark_addrs(kt); @@ -811,7 +810,7 @@ pfr_create_kentry(struct pfr_addr *ad, int intr) struct pfr_kentry *ke; if (intr) - ke = pool_get(&pfr_kentry_pl2, PR_NOWAIT | PR_ZERO); + ke = pool_get(&pfr_kentry_pl, PR_NOWAIT | PR_ZERO); else ke = pool_get(&pfr_kentry_pl, PR_WAITOK|PR_ZERO|PR_LIMITFAIL); if (ke == NULL) @@ -824,7 +823,6 @@ pfr_create_kentry(struct pfr_addr *ad, int intr) ke->pfrke_af = ad->pfra_af; ke->pfrke_net = ad->pfra_net; ke->pfrke_not = ad->pfra_not; - ke->pfrke_intrpool = intr; return (ke); } @@ -844,10 +842,7 @@ pfr_destroy_kentry(struct pfr_kentry *ke) { if (ke->pfrke_counters) pool_put(&pfr_kcounters_pl, ke->pfrke_counters); - if (ke->pfrke_intrpool) - pool_put(&pfr_kentry_pl2, ke); - else - pool_put(&pfr_kentry_pl, ke); + pool_put(&pfr_kentry_pl, ke); } void 
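Review bot: In pfr_create_kentry() (hunk -811) the two pool_get() branches now differ only in their flags, since the separate interrupt pool pfr_kentry_pl2 is gone, so the if/else can collapse to one call: `ke = pool_get(&pfr_kentry_pl, PR_ZERO | (intr ? PR_NOWAIT : (PR_WAITOK|PR_LIMITFAIL)));` — pfr_create_ktable() in the -1895 hunk two lines down has the same shape and could be written the same way. The interrupt path here keeps `PR_NOWAIT | PR_ZERO` without PR_LIMITFAIL while the ktable variant uses PR_NOWAIT|PR_ZERO|PR_LIMITFAIL; if the difference is intentional it deserves a comment, otherwise the flags should agree. With both paths sharing one pool, interrupt-context entries now count against whatever hard limit pfr_kentry_pl carries (set outside these hunks), and a line saying this is deliberate would help. The `!(flags & PFR_FLAG_USERIOCTL)` expression passed as `intr` is repeated at every call site (hunks -259 and -431 here, -1188, -1214, -1518, -1534 and -1544 on the next line); a one-line helper such as `#define PFR_INTR(flags) (!((flags) & PFR_FLAG_USERIOCTL))` would make the intent readable.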
@@ -1188,7 +1183,8 @@ pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags) key.pfrkt_flags |= PFR_TFLAG_ACTIVE; p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); if (p == NULL) { - p = pfr_create_ktable(&key.pfrkt_t, tzero, 1); + p = pfr_create_ktable(&key.pfrkt_t, tzero, 1, + !(flags & PFR_FLAG_USERIOCTL)); if (p == NULL) senderr(ENOMEM); SLIST_FOREACH(q, &addq, pfrkt_workq) { @@ -1214,7 +1210,8 @@ pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags) } } key.pfrkt_flags = 0; - r = pfr_create_ktable(&key.pfrkt_t, 0, 1); + r = pfr_create_ktable(&key.pfrkt_t, 0, 1, + !(flags & PFR_FLAG_USERIOCTL)); if (r == NULL) senderr(ENOMEM); SLIST_INSERT_HEAD(&addq, r, pfrkt_workq); @@ -1518,7 +1515,8 @@ pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size, SLIST_INIT(&tableq); kt = RB_FIND(pfr_ktablehead, &pfr_ktables, (struct pfr_ktable *)tbl); if (kt == NULL) { - kt = pfr_create_ktable(tbl, 0, 1); + kt = pfr_create_ktable(tbl, 0, 1, + !(flags & PFR_FLAG_USERIOCTL)); if (kt == NULL) return (ENOMEM); SLIST_INSERT_HEAD(&tableq, kt, pfrkt_workq); @@ -1534,7 +1532,8 @@ pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size, kt->pfrkt_root = rt; goto _skip; } - rt = pfr_create_ktable(&key.pfrkt_t, 0, 1); + rt = pfr_create_ktable(&key.pfrkt_t, 0, 1, + !(flags & PFR_FLAG_USERIOCTL)); if (rt == NULL) { pfr_destroy_ktables(&tableq, 0); return (ENOMEM); @@ -1544,7 +1543,7 @@ pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size, } else if (!(kt->pfrkt_flags & PFR_TFLAG_INACTIVE)) xadd++; _skip: - shadow = pfr_create_ktable(tbl, 0, 0); + shadow = pfr_create_ktable(tbl, 0, 0, !(flags & PFR_FLAG_USERIOCTL)); if (shadow == NULL) { pfr_destroy_ktables(&tableq, 0); return (ENOMEM); 
@@ -1895,12 +1894,16 @@ pfr_clstats_ktable(struct pfr_ktable *kt, long tzero, int recurse) } struct pfr_ktable * -pfr_create_ktable(struct pfr_table *tbl, long tzero, int attachruleset) +pfr_create_ktable(struct pfr_table *tbl, long tzero, int attachruleset, + int intr) { struct pfr_ktable *kt; struct pf_ruleset *rs; - kt = pool_get(&pfr_ktable_pl, PR_WAITOK | PR_ZERO | PR_LIMITFAIL); + if (intr) + kt = pool_get(&pfr_ktable_pl, PR_NOWAIT|PR_ZERO|PR_LIMITFAIL); + else + kt = pool_get(&pfr_ktable_pl, PR_WAITOK|PR_ZERO|PR_LIMITFAIL); if (kt == NULL) return (NULL); kt->pfrkt_t = *tbl; @@ -2067,7 +2070,7 @@ pfr_update_stats(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af, } struct pfr_ktable * -pfr_attach_table(struct pf_ruleset *rs, char *name) +pfr_attach_table(struct pf_ruleset *rs, char *name, int intr) { struct pfr_ktable *kt, *rt; struct pfr_table tbl; @@ -2079,14 +2082,14 @@ pfr_attach_table(struct pf_ruleset *rs, char *name) strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor)); kt = pfr_lookup_table(&tbl); if (kt == NULL) { - kt = pfr_create_ktable(&tbl, time_second, 1); + kt = pfr_create_ktable(&tbl, time_second, 1, intr); if (kt == NULL) return (NULL); if (ac != NULL) { bzero(tbl.pfrt_anchor, sizeof(tbl.pfrt_anchor)); rt = pfr_lookup_table(&tbl); if (rt == NULL) { - rt = pfr_create_ktable(&tbl, 0, 1); + rt = pfr_create_ktable(&tbl, 0, 1, intr); if (rt == NULL) { pfr_destroy_ktable(kt, 0); return (NULL); diff --git a/net/pfvar.h b/net/pfvar.h index f8103d88976e..f309eece645d 100644 --- a/net/pfvar.h +++ b/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.276 2008/07/03 15:46:23 henning Exp $ */ +/* $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier 
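Review bot: The new `intr` parameter of pfr_create_ktable() and pfr_attach_table() is undocumented, and its sense (non-zero means the caller cannot sleep, so PR_NOWAIT is selected) can only be recovered from the pool_get() flags it picks. A comment above pfr_create_ktable(), e.g. `/* intr: non-zero when not called from a user ioctl (caller cannot sleep); allocation then uses PR_NOWAIT and may fail */`, would spare the reader a trip through every caller, and the same belongs where pfr_attach_table() forwards it. The pf_ioctl.c callers earlier on this page pass a bare `0`, which is harder to read than a named value. pfr_attach_table() continues past the end of its hunk.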
@@ -59,7 +59,7 @@ struct ip6_hdr; enum { PF_INOUT, PF_IN, PF_OUT }; enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, - PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP }; + PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER }; enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, @@ -627,6 +627,7 @@ struct pf_rule { /* rule flags again */ #define PFRULE_IFBOUND 0x00010000 /* if-bound */ #define PFRULE_STATESLOPPY 0x00020000 /* sloppy state tracking */ +#define PFRULE_PFLOW 0x00040000 #define PFSTATE_HIWAT 10000 /* default state table size */ #define PFSTATE_ADAPT_START 6000 /* default adaptive timeout start */ @@ -741,6 +742,7 @@ struct pf_state { u_int8_t direction; u_int8_t pad[3]; + TAILQ_ENTRY(pf_state) sync_list; TAILQ_ENTRY(pf_state) entry_list; RB_ENTRY(pf_state) entry_id; struct pf_state_peer src; @@ -764,11 +766,15 @@ struct pf_state { u_int8_t state_flags; #define PFSTATE_ALLOWOPTS 0x01 #define PFSTATE_SLOPPY 0x02 +#define PFSTATE_PFLOW 0x04 +#define PFSTATE_NOSYNC 0x08 +#define PFSTATE_ACK 0x10 u_int8_t timeout; - u_int8_t sync_flags; -#define PFSTATE_NOSYNC 0x01 -#define PFSTATE_FROMSYNC 0x02 -#define PFSTATE_STALE 0x04 + u_int8_t sync_state; /* PFSYNC_S_x */ + + /* XXX */ + u_int8_t sync_updates; + u_int8_t _tail[3]; }; /* @@ -825,8 +831,6 @@ struct pfsync_state { u_int8_t updates; } __packed; -#define PFSYNC_FLAG_COMPRESS 0x01 -#define PFSYNC_FLAG_STALE 0x02 #define PFSYNC_FLAG_SRCNODE 0x04 #define PFSYNC_FLAG_NATSRCNODE 0x08 @@ -1003,7 +1007,6 @@ struct pfr_kentry { u_int8_t pfrke_net; u_int8_t pfrke_not; u_int8_t pfrke_mark; - u_int8_t pfrke_intrpool; }; #define pfrke_counters u.pfrke_counters #define pfrke_route u.pfrke_route 
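Review bot: `PFRULE_PFLOW 0x00040000` is the only flag in its block without a trailing comment, and the struct pf_state hunk (-764) replaces the documented `sync_flags` bits with `sync_state`, `sync_updates` and `_tail[3]` introduced under a bare `/* XXX */`. That `/* XXX */` should say what sync_updates counts (the name suggests a per-state count of pfsync updates — confirm against if_pfsync.c) and that `_tail[3]` is explicit padding keeping the structure layout stable. PFSTATE_NOSYNC also moves from sync_flags (0x01) into state_flags (0x08); if state_flags is exported to peers or userland through struct pfsync_state (not visible in this hunk), the sync-internal bits now travel with it and a comment such as `/* pfsync-internal bits; not meaningful to peers */` at the definitions would flag that.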
@@ -1656,6 +1659,7 @@ void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t);
 int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t, u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *, struct pf_pdesc *);
+void pf_send_deferred_syn(struct pf_state *);
 int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, struct pf_addr *, sa_family_t);
 int pf_match_addr_range(struct pf_addr *, struct pf_addr *,
@@ -1685,6 +1689,7 @@ int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *);
 int pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *);
 int pf_socket_lookup(int, struct pf_pdesc *);
 struct pf_state_key *pf_alloc_state_key(int);
+void pf_pkt_addr_changed(struct mbuf *);
 int pf_state_key_attach(struct pf_state_key *, struct pf_state *, int);
 void pfr_initialize(void);
 int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t);
@@ -1694,7 +1699,7 @@ int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, struct pf_addr **, struct pf_addr **, sa_family_t);
 void pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *);
 struct pfr_ktable *
- pfr_attach_table(struct pf_ruleset *, char *);
+ pfr_attach_table(struct pf_ruleset *, char *, int);
 void pfr_detach_table(struct pfr_ktable *);
 int pfr_clr_tables(struct pfr_table *, int *, int);
 int pfr_add_tables(struct pfr_table *, int, int *, int);
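Review bot: The 1694 hunk adds an unnamed `int` to the pfr_attach_table prototype, and because every prototype in this header is unnamed nothing at the declaration tells a caller what the flag means. Naming it, `pfr_attach_table(struct pf_ruleset *, char *, int intr);`, or a trailing `/* intr */` comment would make the contract visible where callers look for it; the definition in pf_table.c earlier in this diff switches the pool allocation to PR_NOWAIT when it is non-zero, so the meaning matters. The two prototypes added in the other hunks, pf_send_deferred_syn and pf_pkt_addr_changed, follow the file's existing style and raise nothing further.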
@@ -1809,5 +1814,31 @@ int pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t);
 struct pf_os_fingerprint * pf_osfp_validate(void);
+#ifdef _KERNEL
+void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
+
+void pf_step_into_anchor(int *, struct pf_ruleset **, int,
+ struct pf_rule **, struct pf_rule **, int *);
+int pf_step_out_of_anchor(int *, struct pf_ruleset **,
+ int, struct pf_rule **, struct pf_rule **,
+ int *);
+
+int pf_map_addr(u_int8_t, struct pf_rule *,
+ struct pf_addr *, struct pf_addr *,
+ struct pf_addr *, struct pf_src_node **);
+struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *,
+ int, int, struct pfi_kif *, struct pf_src_node **,
+ struct pf_state_key **, struct pf_state_key **,
+ struct pf_state_key **, struct pf_state_key **,
+ struct pf_addr *, struct pf_addr *,
+ u_int16_t, u_int16_t);
+
+int pf_state_key_setup(struct pf_pdesc *, struct pf_rule *,
+ struct pf_state_key **, struct pf_state_key **,
+ struct pf_state_key **, struct pf_state_key **,
+ struct pf_addr *, struct pf_addr *,
+ u_int16_t, u_int16_t);
+#endif /* _KERNEL */
+
 #endif /* _NET_PFVAR_H_ */
diff --git a/netinet/in4_cksum.c b/netinet/in4_cksum.c
index 1c40f2e05b6e..d4a9b56a05f6 100644
--- a/netinet/in4_cksum.c
+++ b/netinet/in4_cksum.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in4_cksum.c,v 1.7 2003/06/02 23:28:13 millert Exp $ */
+/* $OpenBSD: in4_cksum.c,v 1.6 2002/07/29 09:26:15 itojun Exp $ */
 /* $KAME: in4_cksum.c,v 1.10 2001/11/30 10:06:15 itojun Exp $ */
 /* $NetBSD: in_cksum.c,v 1.13 1996/10/13 02:03:03 christos Exp $ */ |
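Review bot: `pf_get_translation` and `pf_state_key_setup` each take four consecutive `struct pf_state_key **` followed by two `struct pf_addr *` and two `u_int16_t`, and with unnamed prototype parameters the compiler cannot catch a caller that swaps two of them. A short comment above each prototype listing the parameters in order, or a struct grouping the four key pointers, would make the contract checkable; the block presumably exists because pf_lb.c, added by this import, now shares these helpers with pf.c, which a one-line comment on the `#ifdef _KERNEL` could state. The added `#ifdef _KERNEL` also opens a second kernel-only region right before the closing `#endif /* _NET_PFVAR_H_ */`; if the prototypes above it are already inside such a guard (not visible in this hunk), these could join it instead of starting another.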
