Diffstat (limited to 'sys/netpfil/pf/pf.c')
-rw-r--r--sys/netpfil/pf/pf.c234
1 files changed, 116 insertions, 118 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 3bf7e0e2077c..ef86d70db760 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -350,11 +350,11 @@ static int pf_create_state(struct pf_krule *, struct pf_krule *,
struct pf_krule_slist *, struct pf_udp_mapping *);
static int pf_state_key_addr_setup(struct pf_pdesc *,
struct pf_state_key_cmp *, int);
-static int pf_tcp_track_full(struct pf_kstate **,
+static int pf_tcp_track_full(struct pf_kstate *,
struct pf_pdesc *, u_short *, int *,
struct pf_state_peer *, struct pf_state_peer *,
u_int8_t, u_int8_t);
-static int pf_tcp_track_sloppy(struct pf_kstate **,
+static int pf_tcp_track_sloppy(struct pf_kstate *,
struct pf_pdesc *, u_short *,
struct pf_state_peer *, struct pf_state_peer *,
u_int8_t, u_int8_t);
@@ -1864,7 +1864,7 @@ pf_find_state_byid(uint64_t id, uint32_t creatorid)
pf_counter_u64_add(&V_pf_status.fcounters[FCNT_STATE_SEARCH], 1);
- ih = &V_pf_idhash[(be64toh(id) % (V_pf_hashmask + 1))];
+ ih = &V_pf_idhash[PF_IDHASHID(id)];
PF_HASHROW_LOCK(ih);
LIST_FOREACH(s, &ih->states, entry)
@@ -2266,7 +2266,7 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type,
*icmp_dir = PF_IN;
*virtual_type = type;
*virtual_id = 0;
- HTONS(*virtual_type);
+ *virtual_type = htons(*virtual_type);
return (1); /* These types match to another state */
/*
@@ -2333,7 +2333,7 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type,
*icmp_dir = PF_IN;
*virtual_type = type;
*virtual_id = 0;
- HTONS(*virtual_type);
+ *virtual_type = htons(*virtual_type);
return (1); /* These types match to another state */
/*
* All remaining ICMP6 types get their own states,
@@ -2350,7 +2350,7 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type,
default:
unhandled_af(pd->af);
}
- HTONS(*virtual_type);
+ *virtual_type = htons(*virtual_type);
return (0); /* These types match to their own state */
}
@@ -4101,7 +4101,7 @@ pf_build_tcp(const struct pf_krule *r, sa_family_t af,
opt = (char *)(th + 1);
opt[0] = TCPOPT_MAXSEG;
opt[1] = 4;
- HTONS(mss);
+ mss = htons(mss);
memcpy((opt + 2), &mss, 2);
}
@@ -4527,10 +4527,7 @@ pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p)
int
pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p)
{
- NTOHS(a1);
- NTOHS(a2);
- NTOHS(p);
- return (pf_match(op, a1, a2, p));
+ return (pf_match(op, ntohs(a1), ntohs(a2), ntohs(p)));
}
static int
@@ -5034,7 +5031,7 @@ pf_get_mss(struct pf_pdesc *pd)
break;
case TCPOPT_MAXSEG:
memcpy(&mss, (opt + 2), 2);
- NTOHS(mss);
+ mss = ntohs(mss);
/* FALLTHROUGH */
default:
optlen = opt[1];
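Review bot: In the `TCPOPT_MAXSEG` case the two MSS bytes are copied from `opt + 2` before the option's own length byte is looked at, so within these lines an option whose `opt[1]` is not 4 is still taken as the peer's MSS. Guarding the copy and the conversion with `if (opt[1] == TCPOLEN_MAXSEG)` would let a malformed option fall through to the generic skip instead. Whether at least four bytes remain at `opt` is decided by code outside this hunk (pf_get_mss starts and ends outside it), so that bound should be confirmed there rather than assumed here.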
@@ -6103,7 +6100,6 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
memcpy(&s->match_rules, match_rules, sizeof(s->match_rules));
memcpy(&s->act, &pd->act, sizeof(struct pf_rule_actions));
- STATE_INC_COUNTERS(s);
if (r->allow_opts)
s->state_flags |= PFSTATE_ALLOWOPTS;
if (r->rule_flag & PFRULE_STATESLOPPY)
@@ -6227,6 +6223,8 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
} else
*sm = s;
+ STATE_INC_COUNTERS(s);
+
/*
* Lock order is important: first state, then source node.
*/
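Review bot: `STATE_INC_COUNTERS(s)` now runs only after the `*sm = s` assignment, and the `drop:` hunk further down no longer calls `STATE_DEC_COUNTERS(s)`, so the two stay balanced only while no failure path after this line reaches `drop:` or otherwise frees `s`. The rest of pf_create_state lies outside the hunk, so this cannot be checked from here; a later `goto drop` would presumably free a state whose per-rule counters were never decremented, which matters wherever those counters feed state limits. I would record the invariant next to the increment, e.g. `/* Counters are bumped only once the state is inserted; no goto drop may follow. */`.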
@@ -6302,7 +6300,6 @@ drop:
if (s != NULL) {
pf_src_tree_remove_state(s);
s->timeout = PFTM_UNLINKED;
- STATE_DEC_COUNTERS(s);
pf_free_state(s);
}
@@ -6422,7 +6419,7 @@ pf_translate(struct pf_pdesc *pd, struct pf_addr *saddr, u_int16_t sport,
}
static int
-pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd,
+pf_tcp_track_full(struct pf_kstate *state, struct pf_pdesc *pd,
u_short *reason, int *copyback, struct pf_state_peer *src,
struct pf_state_peer *dst, u_int8_t psrc, u_int8_t pdst)
{
@@ -6448,7 +6445,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd,
if (src->seqlo == 0) {
/* First packet from this end. Set its state */
- if (((*state)->state_flags & PFSTATE_SCRUB_TCP || dst->scrub) &&
+ if ((state->state_flags & PFSTATE_SCRUB_TCP || dst->scrub) &&
src->scrub == NULL) {
if (pf_normalize_tcp_init(pd, th, src, dst)) {
REASON_SET(reason, PFRES_MEMORY);
@@ -6498,7 +6495,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd,
src->seqlo = seq;
if (src->state < TCPS_SYN_SENT)
- pf_set_protostate(*state, psrc, TCPS_SYN_SENT);
+ pf_set_protostate(state, psrc, TCPS_SYN_SENT);
/*
* May need to slide the window (seqhi may have been set by
@@ -6582,7 +6579,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd,
if (dst->scrub || src->scrub) {
if (pf_normalize_tcp_stateful(pd, reason, th,
- *state, src, dst, copyback))
+ state, src, dst, copyback))
return (PF_DROP);
}
@@ -6599,43 +6596,43 @@ pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd,
/* update states */
if (tcp_get_flags(th) & TH_SYN)
if (src->state < TCPS_SYN_SENT)
- pf_set_protostate(*state, psrc, TCPS_SYN_SENT);
+ pf_set_protostate(state, psrc, TCPS_SYN_SENT);
if (tcp_get_flags(th) & TH_FIN)
if (src->state < TCPS_CLOSING)
- pf_set_protostate(*state, psrc, TCPS_CLOSING);
+ pf_set_protostate(state, psrc, TCPS_CLOSING);
if (tcp_get_flags(th) & TH_ACK) {
if (dst->state == TCPS_SYN_SENT) {
- pf_set_protostate(*state, pdst,
+ pf_set_protostate(state, pdst,
TCPS_ESTABLISHED);
if (src->state == TCPS_ESTABLISHED &&
- (*state)->sns[PF_SN_LIMIT] != NULL &&
- pf_src_connlimit(*state)) {
+ state->sns[PF_SN_LIMIT] != NULL &&
+ pf_src_connlimit(state)) {
REASON_SET(reason, PFRES_SRCLIMIT);
return (PF_DROP);
}
} else if (dst->state == TCPS_CLOSING)
- pf_set_protostate(*state, pdst,
+ pf_set_protostate(state, pdst,
TCPS_FIN_WAIT_2);
}
if (tcp_get_flags(th) & TH_RST)
- pf_set_protostate(*state, PF_PEER_BOTH, TCPS_TIME_WAIT);
+ pf_set_protostate(state, PF_PEER_BOTH, TCPS_TIME_WAIT);
/* update expire time */
- (*state)->expire = pf_get_uptime();
+ state->expire = pf_get_uptime();
if (src->state >= TCPS_FIN_WAIT_2 &&
dst->state >= TCPS_FIN_WAIT_2)
- (*state)->timeout = PFTM_TCP_CLOSED;
+ state->timeout = PFTM_TCP_CLOSED;
else if (src->state >= TCPS_CLOSING &&
dst->state >= TCPS_CLOSING)
- (*state)->timeout = PFTM_TCP_FIN_WAIT;
+ state->timeout = PFTM_TCP_FIN_WAIT;
else if (src->state < TCPS_ESTABLISHED ||
dst->state < TCPS_ESTABLISHED)
- (*state)->timeout = PFTM_TCP_OPENING;
+ state->timeout = PFTM_TCP_OPENING;
else if (src->state >= TCPS_CLOSING ||
dst->state >= TCPS_CLOSING)
- (*state)->timeout = PFTM_TCP_CLOSING;
+ state->timeout = PFTM_TCP_CLOSING;
else
- (*state)->timeout = PFTM_TCP_ESTABLISHED;
+ state->timeout = PFTM_TCP_ESTABLISHED;
/* Fall through to PASS packet */
@@ -6670,19 +6667,19 @@ pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd,
if (V_pf_status.debug >= PF_DEBUG_MISC) {
printf("pf: loose state match: ");
- pf_print_state(*state);
+ pf_print_state(state);
pf_print_flags(tcp_get_flags(th));
printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
"pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack,
- pd->p_len, ackskew, (unsigned long long)(*state)->packets[0],
- (unsigned long long)(*state)->packets[1],
+ pd->p_len, ackskew, (unsigned long long)state->packets[0],
+ (unsigned long long)state->packets[1],
pd->dir == PF_IN ? "in" : "out",
- pd->dir == (*state)->direction ? "fwd" : "rev");
+ pd->dir == state->direction ? "fwd" : "rev");
}
if (dst->scrub || src->scrub) {
if (pf_normalize_tcp_stateful(pd, reason, th,
- *state, src, dst, copyback))
+ state, src, dst, copyback))
return (PF_DROP);
}
@@ -6703,37 +6700,37 @@ pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd,
if (tcp_get_flags(th) & TH_FIN)
if (src->state < TCPS_CLOSING)
- pf_set_protostate(*state, psrc, TCPS_CLOSING);
+ pf_set_protostate(state, psrc, TCPS_CLOSING);
if (tcp_get_flags(th) & TH_RST)
- pf_set_protostate(*state, PF_PEER_BOTH, TCPS_TIME_WAIT);
+ pf_set_protostate(state, PF_PEER_BOTH, TCPS_TIME_WAIT);
/* Fall through to PASS packet */
} else {
- if ((*state)->dst.state == TCPS_SYN_SENT &&
- (*state)->src.state == TCPS_SYN_SENT) {
+ if (state->dst.state == TCPS_SYN_SENT &&
+ state->src.state == TCPS_SYN_SENT) {
/* Send RST for state mismatches during handshake */
if (!(tcp_get_flags(th) & TH_RST))
- pf_send_tcp((*state)->rule, pd->af,
+ pf_send_tcp(state->rule, pd->af,
pd->dst, pd->src, th->th_dport,
th->th_sport, ntohl(th->th_ack), 0,
TH_RST, 0, 0,
- (*state)->rule->return_ttl, M_SKIP_FIREWALL,
- 0, 0, (*state)->act.rtableid);
+ state->rule->return_ttl, M_SKIP_FIREWALL,
+ 0, 0, state->act.rtableid);
src->seqlo = 0;
src->seqhi = 1;
src->max_win = 1;
} else if (V_pf_status.debug >= PF_DEBUG_MISC) {
printf("pf: BAD state: ");
- pf_print_state(*state);
+ pf_print_state(state);
pf_print_flags(tcp_get_flags(th));
printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
"pkts=%llu:%llu dir=%s,%s\n",
seq, orig_seq, ack, pd->p_len, ackskew,
- (unsigned long long)(*state)->packets[0],
- (unsigned long long)(*state)->packets[1],
+ (unsigned long long)state->packets[0],
+ (unsigned long long)state->packets[1],
pd->dir == PF_IN ? "in" : "out",
- pd->dir == (*state)->direction ? "fwd" : "rev");
+ pd->dir == state->direction ? "fwd" : "rev");
printf("pf: State failure on: %c %c %c %c | %c %c\n",
SEQ_GEQ(src->seqhi, data_end) ? ' ' : '1',
SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
@@ -6751,7 +6748,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd,
}
static int
-pf_tcp_track_sloppy(struct pf_kstate **state, struct pf_pdesc *pd,
+pf_tcp_track_sloppy(struct pf_kstate *state, struct pf_pdesc *pd,
u_short *reason, struct pf_state_peer *src, struct pf_state_peer *dst,
u_int8_t psrc, u_int8_t pdst)
{
@@ -6759,21 +6756,21 @@ pf_tcp_track_sloppy(struct pf_kstate **state, struct pf_pdesc *pd,
if (tcp_get_flags(th) & TH_SYN)
if (src->state < TCPS_SYN_SENT)
- pf_set_protostate(*state, psrc, TCPS_SYN_SENT);
+ pf_set_protostate(state, psrc, TCPS_SYN_SENT);
if (tcp_get_flags(th) & TH_FIN)
if (src->state < TCPS_CLOSING)
- pf_set_protostate(*state, psrc, TCPS_CLOSING);
+ pf_set_protostate(state, psrc, TCPS_CLOSING);
if (tcp_get_flags(th) & TH_ACK) {
if (dst->state == TCPS_SYN_SENT) {
- pf_set_protostate(*state, pdst, TCPS_ESTABLISHED);
+ pf_set_protostate(state, pdst, TCPS_ESTABLISHED);
if (src->state == TCPS_ESTABLISHED &&
- (*state)->sns[PF_SN_LIMIT] != NULL &&
- pf_src_connlimit(*state)) {
+ state->sns[PF_SN_LIMIT] != NULL &&
+ pf_src_connlimit(state)) {
REASON_SET(reason, PFRES_SRCLIMIT);
return (PF_DROP);
}
} else if (dst->state == TCPS_CLOSING) {
- pf_set_protostate(*state, pdst, TCPS_FIN_WAIT_2);
+ pf_set_protostate(state, pdst, TCPS_FIN_WAIT_2);
} else if (src->state == TCPS_SYN_SENT &&
dst->state < TCPS_SYN_SENT) {
/*
@@ -6782,11 +6779,11 @@ pf_tcp_track_sloppy(struct pf_kstate **state, struct pf_pdesc *pd,
* the initial SYN without ever seeing a packet from
* the destination, set the connection to established.
*/
- pf_set_protostate(*state, PF_PEER_BOTH,
+ pf_set_protostate(state, PF_PEER_BOTH,
TCPS_ESTABLISHED);
dst->state = src->state = TCPS_ESTABLISHED;
- if ((*state)->sns[PF_SN_LIMIT] != NULL &&
- pf_src_connlimit(*state)) {
+ if (state->sns[PF_SN_LIMIT] != NULL &&
+ pf_src_connlimit(state)) {
REASON_SET(reason, PFRES_SRCLIMIT);
return (PF_DROP);
}
@@ -6798,117 +6795,117 @@ pf_tcp_track_sloppy(struct pf_kstate **state, struct pf_pdesc *pd,
* don't see the full bidirectional FIN/ACK+ACK
* handshake.
*/
- pf_set_protostate(*state, pdst, TCPS_CLOSING);
+ pf_set_protostate(state, pdst, TCPS_CLOSING);
}
}
if (tcp_get_flags(th) & TH_RST)
- pf_set_protostate(*state, PF_PEER_BOTH, TCPS_TIME_WAIT);
+ pf_set_protostate(state, PF_PEER_BOTH, TCPS_TIME_WAIT);
/* update expire time */
- (*state)->expire = pf_get_uptime();
+ state->expire = pf_get_uptime();
if (src->state >= TCPS_FIN_WAIT_2 &&
dst->state >= TCPS_FIN_WAIT_2)
- (*state)->timeout = PFTM_TCP_CLOSED;
+ state->timeout = PFTM_TCP_CLOSED;
else if (src->state >= TCPS_CLOSING &&
dst->state >= TCPS_CLOSING)
- (*state)->timeout = PFTM_TCP_FIN_WAIT;
+ state->timeout = PFTM_TCP_FIN_WAIT;
else if (src->state < TCPS_ESTABLISHED ||
dst->state < TCPS_ESTABLISHED)
- (*state)->timeout = PFTM_TCP_OPENING;
+ state->timeout = PFTM_TCP_OPENING;
else if (src->state >= TCPS_CLOSING ||
dst->state >= TCPS_CLOSING)
- (*state)->timeout = PFTM_TCP_CLOSING;
+ state->timeout = PFTM_TCP_CLOSING;
else
- (*state)->timeout = PFTM_TCP_ESTABLISHED;
+ state->timeout = PFTM_TCP_ESTABLISHED;
return (PF_PASS);
}
static int
-pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason)
+pf_synproxy(struct pf_pdesc *pd, struct pf_kstate *state, u_short *reason)
{
- struct pf_state_key *sk = (*state)->key[pd->didx];
+ struct pf_state_key *sk = state->key[pd->didx];
struct tcphdr *th = &pd->hdr.tcp;
- if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
- if (pd->dir != (*state)->direction) {
+ if (state->src.state == PF_TCPS_PROXY_SRC) {
+ if (pd->dir != state->direction) {
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
}
if (tcp_get_flags(th) & TH_SYN) {
- if (ntohl(th->th_seq) != (*state)->src.seqlo) {
+ if (ntohl(th->th_seq) != state->src.seqlo) {
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_DROP);
}
- pf_send_tcp((*state)->rule, pd->af, pd->dst,
+ pf_send_tcp(state->rule, pd->af, pd->dst,
pd->src, th->th_dport, th->th_sport,
- (*state)->src.seqhi, ntohl(th->th_seq) + 1,
- TH_SYN|TH_ACK, 0, (*state)->src.mss, 0,
- M_SKIP_FIREWALL, 0, 0, (*state)->act.rtableid);
+ state->src.seqhi, ntohl(th->th_seq) + 1,
+ TH_SYN|TH_ACK, 0, state->src.mss, 0,
+ M_SKIP_FIREWALL, 0, 0, state->act.rtableid);
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
} else if ((tcp_get_flags(th) & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK ||
- (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
- (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
+ (ntohl(th->th_ack) != state->src.seqhi + 1) ||
+ (ntohl(th->th_seq) != state->src.seqlo + 1)) {
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_DROP);
- } else if ((*state)->sns[PF_SN_LIMIT] != NULL &&
- pf_src_connlimit(*state)) {
+ } else if (state->sns[PF_SN_LIMIT] != NULL &&
+ pf_src_connlimit(state)) {
REASON_SET(reason, PFRES_SRCLIMIT);
return (PF_DROP);
} else
- pf_set_protostate(*state, PF_PEER_SRC,
+ pf_set_protostate(state, PF_PEER_SRC,
PF_TCPS_PROXY_DST);
}
- if ((*state)->src.state == PF_TCPS_PROXY_DST) {
- if (pd->dir == (*state)->direction) {
+ if (state->src.state == PF_TCPS_PROXY_DST) {
+ if (pd->dir == state->direction) {
if (((tcp_get_flags(th) & (TH_SYN|TH_ACK)) != TH_ACK) ||
- (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
- (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
+ (ntohl(th->th_ack) != state->src.seqhi + 1) ||
+ (ntohl(th->th_seq) != state->src.seqlo + 1)) {
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_DROP);
}
- (*state)->src.max_win = MAX(ntohs(th->th_win), 1);
- if ((*state)->dst.seqhi == 1)
- (*state)->dst.seqhi = htonl(arc4random());
- pf_send_tcp((*state)->rule, pd->af,
+ state->src.max_win = MAX(ntohs(th->th_win), 1);
+ if (state->dst.seqhi == 1)
+ state->dst.seqhi = htonl(arc4random());
+ pf_send_tcp(state->rule, pd->af,
&sk->addr[pd->sidx], &sk->addr[pd->didx],
sk->port[pd->sidx], sk->port[pd->didx],
- (*state)->dst.seqhi, 0, TH_SYN, 0,
- (*state)->src.mss, 0,
- (*state)->orig_kif->pfik_ifp == V_loif ? M_LOOP : 0,
- (*state)->tag, 0, (*state)->act.rtableid);
+ state->dst.seqhi, 0, TH_SYN, 0,
+ state->src.mss, 0,
+ state->orig_kif->pfik_ifp == V_loif ? M_LOOP : 0,
+ state->tag, 0, state->act.rtableid);
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
} else if (((tcp_get_flags(th) & (TH_SYN|TH_ACK)) !=
(TH_SYN|TH_ACK)) ||
- (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) {
+ (ntohl(th->th_ack) != state->dst.seqhi + 1)) {
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_DROP);
} else {
- (*state)->dst.max_win = MAX(ntohs(th->th_win), 1);
- (*state)->dst.seqlo = ntohl(th->th_seq);
- pf_send_tcp((*state)->rule, pd->af, pd->dst,
+ state->dst.max_win = MAX(ntohs(th->th_win), 1);
+ state->dst.seqlo = ntohl(th->th_seq);
+ pf_send_tcp(state->rule, pd->af, pd->dst,
pd->src, th->th_dport, th->th_sport,
ntohl(th->th_ack), ntohl(th->th_seq) + 1,
- TH_ACK, (*state)->src.max_win, 0, 0, 0,
- (*state)->tag, 0, (*state)->act.rtableid);
- pf_send_tcp((*state)->rule, pd->af,
+ TH_ACK, state->src.max_win, 0, 0, 0,
+ state->tag, 0, state->act.rtableid);
+ pf_send_tcp(state->rule, pd->af,
&sk->addr[pd->sidx], &sk->addr[pd->didx],
sk->port[pd->sidx], sk->port[pd->didx],
- (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
- TH_ACK, (*state)->dst.max_win, 0, 0,
- M_SKIP_FIREWALL, 0, 0, (*state)->act.rtableid);
- (*state)->src.seqdiff = (*state)->dst.seqhi -
- (*state)->src.seqlo;
- (*state)->dst.seqdiff = (*state)->src.seqhi -
- (*state)->dst.seqlo;
- (*state)->src.seqhi = (*state)->src.seqlo +
- (*state)->dst.max_win;
- (*state)->dst.seqhi = (*state)->dst.seqlo +
- (*state)->src.max_win;
- (*state)->src.wscale = (*state)->dst.wscale = 0;
- pf_set_protostate(*state, PF_PEER_BOTH,
+ state->src.seqhi + 1, state->src.seqlo + 1,
+ TH_ACK, state->dst.max_win, 0, 0,
+ M_SKIP_FIREWALL, 0, 0, state->act.rtableid);
+ state->src.seqdiff = state->dst.seqhi -
+ state->src.seqlo;
+ state->dst.seqdiff = state->src.seqhi -
+ state->dst.seqlo;
+ state->src.seqhi = state->src.seqlo +
+ state->dst.max_win;
+ state->dst.seqhi = state->dst.seqlo +
+ state->src.max_win;
+ state->src.wscale = state->dst.wscale = 0;
+ pf_set_protostate(state, PF_PEER_BOTH,
TCPS_ESTABLISHED);
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
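Review bot: In pf_synproxy the line `state->dst.seqhi = htonl(arc4random());` wraps a random value in a byte-order conversion that has no meaning for it. `dst.seqhi` is used as a host-order number elsewhere in this hunk (`ntohl(th->th_ack) != state->dst.seqhi + 1`), so the `htonl()` only suggests the field holds network order. `state->dst.seqhi = arc4random();` is equally random and reads correctly. The test `state->dst.seqhi == 1` just above it appears to act as a "not yet chosen" marker without saying so; a short comment there would help. pf_synproxy's closing lines are outside the hunk.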
@@ -6967,7 +6964,7 @@ pf_test_state(struct pf_kstate **state, struct pf_pdesc *pd, u_short *reason)
case IPPROTO_TCP: {
struct tcphdr *th = &pd->hdr.tcp;
- if ((action = pf_synproxy(pd, state, reason)) != PF_PASS)
+ if ((action = pf_synproxy(pd, *state, reason)) != PF_PASS)
return (action);
if ((*state)->src.state >= TCPS_FIN_WAIT_2 &&
(*state)->dst.state >= TCPS_FIN_WAIT_2 &&
@@ -6987,13 +6984,13 @@ pf_test_state(struct pf_kstate **state, struct pf_pdesc *pd, u_short *reason)
return (PF_DROP);
}
if ((*state)->state_flags & PFSTATE_SLOPPY) {
- if (pf_tcp_track_sloppy(state, pd, reason, src, dst,
+ if (pf_tcp_track_sloppy(*state, pd, reason, src, dst,
psrc, pdst) == PF_DROP)
return (PF_DROP);
} else {
int ret;
- ret = pf_tcp_track_full(state, pd, reason,
+ ret = pf_tcp_track_full(*state, pd, reason,
&copyback, src, dst, psrc, pdst);
if (ret == PF_DROP)
return (PF_DROP);
@@ -8001,7 +7998,8 @@ pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd,
nk = (*state)->key[pd->didx];
#if defined(INET) && defined(INET6)
- int afto, sidx, didx;
+ int afto, sidx, didx;
+ u_int16_t dummy_cksum = 0;
afto = pd->af != nk->af;
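Review bot: `dummy_cksum` is introduced without a comment saying why the TCP checksum update is being thrown away. In the next hunk both `pf_change_ap()` calls write to `&dummy_cksum` instead of `&th.th_sum`, and the following `m_copyback(pd2.m, pd2.off, 8, ...)` writes back only the first 8 bytes of the embedded header, so presumably `th_sum` was never part of what is read or written here. A one-line comment on the declaration would keep a later change from restoring `&th.th_sum`, e.g. `/* only 8 bytes of the quoted TCP header are handled; th_sum is not among them */`. The declaration sits inside the `#if defined(INET) && defined(INET6)` block, so it is worth confirming that no use ends up outside that block; the surrounding code is not in the hunk.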
@@ -8026,10 +8024,10 @@ pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd,
nk->af))
return (PF_DROP);
pf_change_ap(pd->m, pd2.src, &th.th_sport,
- pd->ip_sum, &th.th_sum, &nk->addr[pd2.sidx],
+ pd->ip_sum, &dummy_cksum, &nk->addr[pd2.sidx],
nk->port[sidx], 1, pd->af, nk->af);
pf_change_ap(pd->m, pd2.dst, &th.th_dport,
- pd->ip_sum, &th.th_sum, &nk->addr[pd2.didx],
+ pd->ip_sum, &dummy_cksum, &nk->addr[pd2.didx],
nk->port[didx], 1, pd->af, nk->af);
m_copyback(pd2.m, pd2.off, 8, (c_caddr_t)&th);
PF_ACPY(&pd->nsaddr, &nk->addr[pd2.sidx],
@@ -10416,7 +10414,7 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0
s->src.seqhi = ntohl(pd.hdr.tcp.th_ack) - 1;
s->src.seqlo = ntohl(pd.hdr.tcp.th_seq) - 1;
pf_set_protostate(s, PF_PEER_SRC, PF_TCPS_PROXY_DST);
- action = pf_synproxy(&pd, &s, &reason);
+ action = pf_synproxy(&pd, s, &reason);
break;
} else {
action = pf_test_rule(&r, &s, &pd,