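--- a/sys/net/route.h
+++ b/sys/net/route.h
@@ -58,6 +58,7 @@ struct route {
 
 #define	RT_CACHING_CONTEXT	0x1	/* XXX: not used anywhere */
 #define	RT_NORTREF		0x2	/* doesn't hold reference on ro_rt */
+#define	RT_PFROUTE		0x4	/* a fake route created by pf which has no counters */
 
 struct rt_metrics {
 	u_long	rmx_locks;	/* Kernel must leave these values alone */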
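--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -302,7 +302,8 @@ again:
 		}
 		ia = ifatoia(rte->rt_ifa);
 		ifp = rte->rt_ifp;
-		counter_u64_add(rte->rt_pksent, 1);
+		if ((ro->ro_flags & RT_PFROUTE) == 0)
+			counter_u64_add(rte->rt_pksent, 1);
 		if (rte->rt_flags & RTF_GATEWAY)
 			gw = (struct sockaddr_in *)rte->rt_gateway;
 		if (rte->rt_flags & RTF_HOST)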
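Review bot: The new `if ((ro->ro_flags & RT_PFROUTE) == 0)` test dereferences `ro` unconditionally, and the hunk does not show where `ro` is guaranteed non-NULL on the `again:` path; that should be confirmed against the rest of ip_output(), whose body starts and ends outside the hunk. The reason for skipping the counter is also not stated at the call site, so a comment such as `/* pf-built rtentry (RT_PFROUTE) has no rt_pksent counter allocated */` would keep a later cleanup from dropping the guard and dereferencing a zeroed counter pointer. Both remarks apply equally to the matching change in sys/netinet6/ip6_output.c.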
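--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -660,7 +660,8 @@ again:
 	}
 	if (rt != NULL) {
 		ia = (struct in6_ifaddr *)(rt->rt_ifa);
-		counter_u64_add(rt->rt_pksent, 1);
+		if ((ro->ro_flags & RT_PFROUTE) == 0)
+			counter_u64_add(rt->rt_pksent, 1);
 	}
 
 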
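--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -139,14 +139,32 @@ struct pf_send_entry {
 		PFSE_ICMP6,
 	}				pfse_type;
 	union {
-		struct route		ro;
+#ifdef INET
+		struct {
+			struct route		ro;
+			struct rtentry		ro_rt;
+			struct sockaddr		ro_rt_gw;
+		} ro;
+#endif
+#ifdef INET6
+		struct {
+			struct route_in6	ro6;
+			struct rtentry		ro6_rt;
+			struct sockaddr		ro6_rt_gw;
+		} ro6;
+#endif
 		struct {
 			int		type;
 			int		code;
 			int		mtu;
 		} icmpopts;
 	} u;
-#define	pfse_ro		u.ro
+#define	pfse_ro		u.ro.ro
+#define	pfse_ro_rt	u.ro.ro_rt
+#define	pfse_ro_rt_gw	u.ro.ro_rt_gw
+#define	pfse_ro6	u.ro6.ro6
+#define	pfse_ro6_rt	u.ro6.ro6_rt
+#define	pfse_ro6_rt_gw	u.ro6.ro6_rt_gw
 #define	pfse_icmp_type	u.icmpopts.type
 #define	pfse_icmp_code	u.icmpopts.code
 #define	pfse_icmp_mtu	u.icmpopts.mtu
@@ -217,7 +235,7 @@ static void pf_send_tcp(struct mbuf *,
 			    const struct pf_addr *, const struct pf_addr *,
 			    u_int16_t, u_int16_t, u_int32_t, u_int32_t,
 			    u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
-			    u_int16_t, struct ifnet *);
+			    u_int16_t, struct ifnet *, struct pf_state *s);
 static void		 pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
 			    sa_family_t, struct pf_rule *);
 static void		 pf_detach_state(struct pf_state *);
@@ -284,11 +302,15 @@ static void pf_purge_unlinked_rules(void);
 static int		 pf_mtag_uminit(void *, int, int);
 static void		 pf_mtag_free(struct m_tag *);
 #ifdef INET
+static void		 pf_rebuild_route(struct pf_send_entry *pfse,
+			    struct pf_state *state, struct pf_addr *dst);
 static void		 pf_route(struct mbuf **, struct pf_rule *, int,
 			    struct ifnet *, struct pf_state *,
 			    struct pf_pdesc *);
 #endif /* INET */
 #ifdef INET6
+static void		 pf_rebuild_route6(struct pf_send_entry *pfse,
+			    struct pf_state *state, struct pf_addr *dst);
 static void		 pf_change_a6(struct pf_addr *, u_int16_t *,
 			    struct pf_addr *, u_int8_t);
 static void		 pf_route6(struct mbuf **, struct pf_rule *, int,
@@ -1344,6 +1366,69 @@ second_run:
 
 /* END state table stuff */
 
+#ifdef INET
+static void
+pf_rebuild_route(struct pf_send_entry *pfse, struct pf_state *state, struct pf_addr *dst)
+{
+	if (state->rt_kif && state->rt_kif->pfik_ifp) {
+		/* This route can not be freed! */
+		pfse->pfse_ro.ro_flags = RT_NORTREF|RT_PFROUTE;
+
+		/* Assign gateway interface and flags. */
+		pfse->pfse_ro_rt.rt_flags  = RTF_UP|RTF_HOST|RTF_GATEWAY;
+		pfse->pfse_ro_rt.rt_ifp    = state->rt_kif->pfik_ifp;
+		pfse->pfse_ro_rt.rt_ifa    = state->rt_kif->pfik_ifp->if_addr;
+		pfse->pfse_ro_rt.rt_mtu    = state->rt_kif->pfik_ifp->if_mtu;
+		pfse->pfse_ro_rt.rt_fibnum = state->rt_kif->pfik_ifp->if_fib;
+
+		/* Assign gateway address. */
+		((struct sockaddr_in*)&pfse->pfse_ro_rt_gw)->sin_family = AF_INET;
+		((struct sockaddr_in*)&pfse->pfse_ro_rt_gw)->sin_len = sizeof(struct sockaddr_in);
+		((struct sockaddr_in*)&pfse->pfse_ro_rt_gw)->sin_addr = state->rt_addr.v4;
+		/* Assign destination address. */
+		((struct sockaddr_in*)&pfse->pfse_ro.ro_dst)->sin_family = AF_INET;
+		((struct sockaddr_in*)&pfse->pfse_ro.ro_dst)->sin_len = sizeof(struct sockaddr_in);
+		((struct sockaddr_in*)&pfse->pfse_ro.ro_dst)->sin_addr = dst->v4;
+
+		/* Glue things together. */
+		pfse->pfse_ro_rt.rt_gateway = &pfse->pfse_ro_rt_gw;
+		pfse->pfse_ro.ro_rt = &pfse->pfse_ro_rt;
+	}
+}
+#endif
+
+#ifdef INET6
+static void
+pf_rebuild_route6(struct pf_send_entry *pfse, struct pf_state *state, struct pf_addr *dst)
+{
+	if (state->rt_kif && state->rt_kif->pfik_ifp) {
+		/* This route can not be freed! */
+		pfse->pfse_ro6.ro_flags = RT_NORTREF|RT_PFROUTE;
+
+		/* Assign gateway interface and flags. */
+		pfse->pfse_ro6_rt.rt_flags  = RTF_UP|RTF_HOST|RTF_GATEWAY;
+		pfse->pfse_ro6_rt.rt_ifp    = state->rt_kif->pfik_ifp;
+		pfse->pfse_ro6_rt.rt_ifa    = state->rt_kif->pfik_ifp->if_addr;
+		pfse->pfse_ro6_rt.rt_mtu    = state->rt_kif->pfik_ifp->if_mtu;
+		pfse->pfse_ro6_rt.rt_fibnum = state->rt_kif->pfik_ifp->if_fib;
+
+		/* Assign gateway address. */
+		((struct sockaddr_in6*)&pfse->pfse_ro6_rt_gw)->sin6_family = AF_INET6;
+		((struct sockaddr_in6*)&pfse->pfse_ro6_rt_gw)->sin6_len = sizeof(struct sockaddr_in6);
+		((struct sockaddr_in6*)&pfse->pfse_ro6_rt_gw)->sin6_addr = state->rt_addr.v6;
+		/* Assign destination address. */
+		((struct sockaddr_in6*)&pfse->pfse_ro6.ro_dst)->sin6_family = AF_INET6;
+		((struct sockaddr_in6*)&pfse->pfse_ro6.ro_dst)->sin6_len = sizeof(struct sockaddr_in6);
+		((struct sockaddr_in6*)&pfse->pfse_ro6.ro_dst)->sin6_addr = dst->v6;
+
+		/* Glue things together. */
+		pfse->pfse_ro6_rt.rt_gateway = &pfse->pfse_ro6_rt_gw;
+		pfse->pfse_ro6.ro_rt = &pfse->pfse_ro6_rt;
+	}
+}
+#endif
+
+
 static void
 pf_send(struct pf_send_entry *pfse)
 {
@@ -1360,6 +1445,13 @@ pf_intr(void *v)
 	struct pf_send_head queue;
 	struct pf_send_entry *pfse, *next;
 
+#ifdef INET
+	struct route *ro = NULL;
+#endif
+#ifdef INET
+	struct route_in6 *ro6 = NULL;
+#endif
+
 	CURVNET_SET((struct vnet *)v);
 
 	PF_SENDQ_LOCK();
@@ -1371,7 +1463,11 @@ pf_intr(void *v)
 		switch (pfse->pfse_type) {
 #ifdef INET
 		case PFSE_IP:
-			ip_output(pfse->pfse_m, NULL, NULL, 0, NULL, NULL);
+			// Check if there is a route created by pf_rebuild_route
+			if (pfse->pfse_ro.ro_flags & RT_PFROUTE) {
+				ro = &pfse->pfse_ro;
+			}
+			ip_output(pfse->pfse_m, NULL, ro, 0, NULL, NULL);
 			break;
 		case PFSE_ICMP:
 			icmp_error(pfse->pfse_m, pfse->pfse_icmp_type,
@@ -1380,7 +1476,11 @@ pf_intr(void *v)
 #endif /* INET */
 #ifdef INET6
 		case PFSE_IP6:
-			ip6_output(pfse->pfse_m, NULL, NULL, 0, NULL, NULL,
+			// Check if there is a route created by pf_rebuild_route
+			if (pfse->pfse_ro6.ro_flags & RT_PFROUTE) {
+				ro6 = &pfse->pfse_ro6;
+			}
+			ip6_output(pfse->pfse_m, NULL, ro6, 0, NULL, NULL,
 			    NULL);
 			break;
 		case PFSE_ICMP6:
@@ -1587,7 +1687,7 @@ pf_unlink_state(struct pf_state *s, u_int flags, u_int kill_flags)
 		    s->key[PF_SK_WIRE]->port[1],
 		    s->key[PF_SK_WIRE]->port[0],
 		    s->src.seqhi, s->src.seqlo + 1,
-		    TH_RST|TH_ACK, 0, 0, 0, 1, s->tag, NULL);
+		    TH_RST|TH_ACK, 0, 0, 0, 1, s->tag, NULL, NULL);
 	}
 
 	LIST_REMOVE(s, entry);
@@ -2213,7 +2313,7 @@ pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
     const struct pf_addr *saddr, const struct pf_addr *daddr,
     u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
     u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
-    u_int16_t rtag, struct ifnet *ifp)
+    u_int16_t rtag, struct ifnet *ifp, struct pf_state *s)
 {
 	struct pf_send_entry *pfse;
 	struct mbuf	*m;
@@ -2252,7 +2352,7 @@ pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
 	}
 
 	/* Allocate outgoing queue entry, mbuf and mbuf tag. */
-	pfse = malloc(sizeof(*pfse), M_PFTEMP, M_NOWAIT);
+	pfse = malloc(sizeof(*pfse), M_PFTEMP, M_NOWAIT|M_ZERO);
 	if (pfse == NULL)
 		return;
 	m = m_gethdr(M_NOWAIT, MT_DATA);
@@ -2349,6 +2449,14 @@ pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
 		h->ip_sum = 0;
 
 		pfse->pfse_type = PFSE_IP;
+
+		/*
+		 * If a state was given, it might contain
+		 * a route used for loadbalancing.
+		 */
+		if (s) {
+			pf_rebuild_route(pfse, s, &s->key[PF_SK_WIRE]->addr[1]);
+		}
 		break;
 #endif /* INET */
 #ifdef INET6
@@ -2361,6 +2469,15 @@ pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
 		h6->ip6_hlim = IPV6_DEFHLIM;
 
 		pfse->pfse_type = PFSE_IP6;
+
+		/*
+		 * If a state was given, it might contain
+		 * a route used for loadbalancing.
+		 */
+		if (s) {
+			pf_rebuild_route6(pfse, s, &s->key[PF_SK_WIRE]->addr[1]);
+		}
+
 		break;
 #endif /* INET6 */
 	}
@@ -2377,7 +2494,7 @@ pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
 	struct pf_mtag *pf_mtag;
 
 	/* Allocate outgoing queue entry, mbuf and mbuf tag. */
-	pfse = malloc(sizeof(*pfse), M_PFTEMP, M_NOWAIT);
+	pfse = malloc(sizeof(*pfse), M_PFTEMP, M_NOWAIT|M_ZERO);
 	if (pfse == NULL)
 		return;
 
@@ -3381,7 +3498,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 				pf_send_tcp(m, r, af, pd->dst,
 				    pd->src, th->th_dport, th->th_sport,
 				    ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
-				    r->return_ttl, 1, 0, kif->pfik_ifp);
+				    r->return_ttl, 1, 0, kif->pfik_ifp, NULL);
 			}
 		} else if (pd->proto != IPPROTO_ICMP && af == AF_INET &&
 		    r->return_icmp)
@@ -3643,7 +3760,7 @@ pf_create_state(struct pf_rule *r, struct pf_rule *nr, struct pf_rule *a,
 		s->src.mss = mss;
 		pf_send_tcp(NULL, r, pd->af, pd->dst, pd->src, th->th_dport,
 		    th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
-		    TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, NULL);
+		    TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, NULL, NULL);
 		REASON_SET(&reason, PFRES_SYNPROXY);
 		return (PF_SYNPROXY_DROP);
 	}
@@ -4059,7 +4176,7 @@ pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst,
 				    th->th_sport, ntohl(th->th_ack), 0,
 				    TH_RST, 0, 0,
 				    (*state)->rule.ptr->return_ttl, 1, 0,
-				    kif->pfik_ifp);
+				    kif->pfik_ifp, NULL);
 			src->seqlo = 0;
 			src->seqhi = 1;
 			src->max_win = 1;
@@ -4212,7 +4329,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
 			pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst,
 			    pd->src, th->th_dport, th->th_sport,
 			    (*state)->src.seqhi, ntohl(th->th_seq) + 1,
-			    TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL);
+			    TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL, NULL);
 			REASON_SET(reason, PFRES_SYNPROXY);
 			return (PF_SYNPROXY_DROP);
 		} else if (!(th->th_flags & TH_ACK) ||
@@ -4242,7 +4359,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
 			    &sk->addr[pd->sidx], &sk->addr[pd->didx],
 			    sk->port[pd->sidx], sk->port[pd->didx],
 			    (*state)->dst.seqhi, 0, TH_SYN, 0,
-			    (*state)->src.mss, 0, 0, (*state)->tag, NULL);
+			    (*state)->src.mss, 0, 0, (*state)->tag, NULL, *state);
 			REASON_SET(reason, PFRES_SYNPROXY);
 			return (PF_SYNPROXY_DROP);
 		} else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
@@ -4257,12 +4374,12 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
 			    pd->src, th->th_dport, th->th_sport,
 			    ntohl(th->th_ack), ntohl(th->th_seq) + 1,
 			    TH_ACK, (*state)->src.max_win, 0, 0, 0,
-			    (*state)->tag, NULL);
+			    (*state)->tag, NULL, NULL);
 			pf_send_tcp(NULL, (*state)->rule.ptr, pd->af,
 			    &sk->addr[pd->sidx], &sk->addr[pd->didx],
 			    sk->port[pd->sidx], sk->port[pd->didx],
 			    (*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
-			    TH_ACK, (*state)->dst.max_win, 0, 0, 1, 0, NULL);
+			    TH_ACK, (*state)->dst.max_win, 0, 0, 1, 0, NULL, *state);
 			(*state)->src.seqdiff = (*state)->dst.seqhi -
 			    (*state)->src.seqlo;
 			(*state)->dst.seqdiff = (*state)->src.seqhi -
@@ -6068,6 +6185,9 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 	if (kif->pfik_flags & PFI_IFLAG_SKIP)
 		return (PF_PASS);
 
+	if (m->m_flags & M_SKIP_FIREWALL)
+		return (PF_PASS);
+
 	PF_RULES_RLOCK();
 
 	/* We do IP header normalization and packet reassembly here */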
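Review bot: In `struct pf_send_entry` the new member `ro6_rt_gw` is declared as `struct sockaddr`, but `pf_rebuild_route6()` stores a `struct sockaddr_in6` through it, so the `sin6_addr` assignment writes past the end of the member (a generic `struct sockaddr` is 16 bytes and `sockaddr_in6` is larger) and, if `u` is the last member of the entry, past the `malloc(sizeof(*pfse))` allocation; declare it as `struct sockaddr_in6 ro6_rt_gw;` and, for symmetry, `struct sockaddr_in ro_rt_gw;`. In `pf_intr()`, `ro` and `ro6` are assigned inside the loop but never reset, so an entry without `RT_PFROUTE` that follows one with it would hand `ip_output()`/`ip6_output()` a pointer into the previous entry, which the loop presumably frees outside this hunk; set `ro = NULL;` and `ro6 = NULL;` at the start of each `PFSE_IP`/`PFSE_IP6` case. The `ro6` declaration is also guarded by `#ifdef INET` where `#ifdef INET6` is evidently meant, which breaks INET6-only builds. Finally, the fake rtentry stores `rt_ifp` and `rt_ifa` without taking a reference while the entry waits on the send queue, so it is worth confirming the interface cannot be detached in that window.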
