View | Details | Raw Unified | Return to bug 219803 | Differences between
and this patch

Collapse All | Expand All

(-)b/sys/net/pfvar.h (-1 / +43 lines)
Lines 683-688 struct pf_state_peer { Link Here
683
	u_int8_t	pad[1];
683
	u_int8_t	pad[1];
684
};
684
};
685
685
686
/* Keep synced with struct pf_udp_endpoint. */
687
struct pf_udp_endpoint_cmp {
688
	struct pf_addr	addr;
689
	uint16_t	port;
690
	sa_family_t	af;
691
	uint8_t		pad[1];
692
};
693
694
struct pf_udp_endpoint {
695
	struct pf_addr	addr;
696
	uint16_t	port;
697
	sa_family_t	af;
698
	uint8_t		pad[1];
699
700
	struct pf_udp_mapping *mapping;
701
	LIST_ENTRY(pf_udp_endpoint) entry;
702
};
703
704
struct pf_udp_mapping {
705
	struct pf_udp_endpoint endpoints[2];
706
	u_int refs;
707
};
708
686
/* Keep synced with struct pf_state_key. */
709
/* Keep synced with struct pf_state_key. */
687
struct pf_state_key_cmp {
710
struct pf_state_key_cmp {
688
	struct pf_addr	 addr[2];
711
	struct pf_addr	 addr[2];
Lines 728-733 struct pf_state { Link Here
728
	union pf_rule_ptr	 nat_rule;
751
	union pf_rule_ptr	 nat_rule;
729
	struct pf_addr		 rt_addr;
752
	struct pf_addr		 rt_addr;
730
	struct pf_state_key	*key[2];	/* addresses stack and wire  */
753
	struct pf_state_key	*key[2];	/* addresses stack and wire  */
754
	struct pf_udp_mapping	*udp_mapping;
731
	struct pfi_kif		*kif;
755
	struct pfi_kif		*kif;
732
	struct pfi_kif		*rt_kif;
756
	struct pfi_kif		*rt_kif;
733
	struct pf_src_node	*src_node;
757
	struct pf_src_node	*src_node;
Lines 1452-1457 struct pf_srchash { Link Here
1452
	struct mtx			lock;
1476
	struct mtx			lock;
1453
};
1477
};
1454
1478
1479
struct pf_udpendpointhash {
1480
	LIST_HEAD(, pf_udp_endpoint)	endpoints;
1481
	struct mtx			lock;
1482
};
1483
1455
struct pf_keyhash {
1484
struct pf_keyhash {
1456
	LIST_HEAD(, pf_state_key)	keys;
1485
	LIST_HEAD(, pf_state_key)	keys;
1457
	struct mtx			lock;
1486
	struct mtx			lock;
Lines 1465-1472 struct pf_idhash { Link Here
1465
extern u_long		pf_hashmask;
1494
extern u_long		pf_hashmask;
1466
extern u_long		pf_srchashmask;
1495
extern u_long		pf_srchashmask;
1467
#define	PF_HASHSIZ	(32768)
1496
#define	PF_HASHSIZ	(32768)
1497
VNET_DECLARE(struct pf_udpendpointhash *, pf_udpendpointhash);
1468
VNET_DECLARE(struct pf_keyhash *, pf_keyhash);
1498
VNET_DECLARE(struct pf_keyhash *, pf_keyhash);
1469
VNET_DECLARE(struct pf_idhash *, pf_idhash);
1499
VNET_DECLARE(struct pf_idhash *, pf_idhash);
1500
#define V_pf_udpendpointhash	VNET(pf_udpendpointhash)
1470
#define V_pf_keyhash	VNET(pf_keyhash)
1501
#define V_pf_keyhash	VNET(pf_keyhash)
1471
#define	V_pf_idhash	VNET(pf_idhash)
1502
#define	V_pf_idhash	VNET(pf_idhash)
1472
VNET_DECLARE(struct pf_srchash *, pf_srchash);
1503
VNET_DECLARE(struct pf_srchash *, pf_srchash);
Lines 1517-1522 VNET_DECLARE(uma_zone_t, pf_state_z); Link Here
1517
#define	V_pf_state_z		 VNET(pf_state_z)
1548
#define	V_pf_state_z		 VNET(pf_state_z)
1518
VNET_DECLARE(uma_zone_t,	 pf_state_key_z);
1549
VNET_DECLARE(uma_zone_t,	 pf_state_key_z);
1519
#define	V_pf_state_key_z	 VNET(pf_state_key_z)
1550
#define	V_pf_state_key_z	 VNET(pf_state_key_z)
1551
VNET_DECLARE(uma_zone_t,	 pf_udp_mapping_z);
1552
#define	V_pf_udp_mapping_z	 VNET(pf_udp_mapping_z)
1520
VNET_DECLARE(uma_zone_t,	 pf_state_scrub_z);
1553
VNET_DECLARE(uma_zone_t,	 pf_state_scrub_z);
1521
#define	V_pf_state_scrub_z	 VNET(pf_state_scrub_z)
1554
#define	V_pf_state_scrub_z	 VNET(pf_state_scrub_z)
1522
1555
Lines 1555-1560 pf_release_state(struct pf_state *s) Link Here
1555
extern struct pf_state		*pf_find_state_byid(uint64_t, uint32_t);
1588
extern struct pf_state		*pf_find_state_byid(uint64_t, uint32_t);
1556
extern struct pf_state		*pf_find_state_all(struct pf_state_key_cmp *,
1589
extern struct pf_state		*pf_find_state_all(struct pf_state_key_cmp *,
1557
				    u_int, int *);
1590
				    u_int, int *);
1591
extern struct pf_udp_mapping	*pf_udp_mapping_find(struct pf_udp_endpoint_cmp *endpoint);
1592
extern struct pf_udp_mapping	*pf_udp_mapping_create(sa_family_t af,
1593
				    struct pf_addr *src_addr, uint16_t src_port,
1594
				    struct pf_addr *nat_addr, uint16_t nat_port);
1595
extern int			 pf_udp_mapping_insert(struct pf_udp_mapping *mapping);
1596
extern void			 pf_udp_mapping_release(struct pf_udp_mapping *mapping);
1597
1598
1558
extern struct pf_src_node	*pf_find_src_node(struct pf_addr *,
1599
extern struct pf_src_node	*pf_find_src_node(struct pf_addr *,
1559
				    struct pf_rule *, sa_family_t, int);
1600
				    struct pf_rule *, sa_family_t, int);
1560
extern void			 pf_unlink_src_node(struct pf_src_node *);
1601
extern void			 pf_unlink_src_node(struct pf_src_node *);
Lines 1749-1755 struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *, Link Here
1749
			    int, int, struct pfi_kif *, struct pf_src_node **,
1790
			    int, int, struct pfi_kif *, struct pf_src_node **,
1750
			    struct pf_state_key **, struct pf_state_key **,
1791
			    struct pf_state_key **, struct pf_state_key **,
1751
			    struct pf_addr *, struct pf_addr *,
1792
			    struct pf_addr *, struct pf_addr *,
1752
			    uint16_t, uint16_t, struct pf_anchor_stackframe *);
1793
			    uint16_t, uint16_t, struct pf_anchor_stackframe *,
1794
			    struct pf_udp_mapping **udp_mapping);
1753
1795
1754
struct pf_state_key	*pf_state_key_setup(struct pf_pdesc *, struct pf_addr *,
1796
struct pf_state_key	*pf_state_key_setup(struct pf_pdesc *, struct pf_addr *,
1755
			    struct pf_addr *, u_int16_t, u_int16_t);
1797
			    struct pf_addr *, u_int16_t, u_int16_t);
(-)b/sys/netpfil/pf/pf.c (-9 / +156 lines)
Lines 194-199 static VNET_DEFINE(uma_zone_t, pf_sources_z); Link Here
194
uma_zone_t		pf_mtag_z;
194
uma_zone_t		pf_mtag_z;
195
VNET_DEFINE(uma_zone_t,	 pf_state_z);
195
VNET_DEFINE(uma_zone_t,	 pf_state_z);
196
VNET_DEFINE(uma_zone_t,	 pf_state_key_z);
196
VNET_DEFINE(uma_zone_t,	 pf_state_key_z);
197
VNET_DEFINE(uma_zone_t,	 pf_udp_mapping_z);
197
198
198
VNET_DEFINE(uint64_t, pf_stateid[MAXCPU]);
199
VNET_DEFINE(uint64_t, pf_stateid[MAXCPU]);
199
#define	PFID_CPUBITS	8
200
#define	PFID_CPUBITS	8
Lines 241-247 static int pf_create_state(struct pf_rule *, struct pf_rule *, Link Here
241
			    struct pf_state_key *, struct mbuf *, int,
242
			    struct pf_state_key *, struct mbuf *, int,
242
			    u_int16_t, u_int16_t, int *, struct pfi_kif *,
243
			    u_int16_t, u_int16_t, int *, struct pfi_kif *,
243
			    struct pf_state **, int, u_int16_t, u_int16_t,
244
			    struct pf_state **, int, u_int16_t, u_int16_t,
244
			    int);
245
			    int, struct pf_udp_mapping *);
245
static int		 pf_test_fragment(struct pf_rule **, int,
246
static int		 pf_test_fragment(struct pf_rule **, int,
246
			    struct pfi_kif *, struct mbuf *, void *,
247
			    struct pfi_kif *, struct mbuf *, void *,
247
			    struct pf_pdesc *, struct pf_rule **,
248
			    struct pf_pdesc *, struct pf_rule **,
Lines 356-361 static MALLOC_DEFINE(M_PFHASH, "pf_hash", "pf(4) hash header structures"); Link Here
356
VNET_DEFINE(struct pf_keyhash *, pf_keyhash);
357
VNET_DEFINE(struct pf_keyhash *, pf_keyhash);
357
VNET_DEFINE(struct pf_idhash *, pf_idhash);
358
VNET_DEFINE(struct pf_idhash *, pf_idhash);
358
VNET_DEFINE(struct pf_srchash *, pf_srchash);
359
VNET_DEFINE(struct pf_srchash *, pf_srchash);
360
VNET_DEFINE(struct pf_udpendpointhash *, pf_udpendpointhash);
359
361
360
SYSCTL_NODE(_net, OID_AUTO, pf, CTLFLAG_RW, 0, "pf(4)");
362
SYSCTL_NODE(_net, OID_AUTO, pf, CTLFLAG_RW, 0, "pf(4)");
361
363
Lines 425-430 pf_hashkey(struct pf_state_key *sk) Link Here
425
	return (h & pf_hashmask);
427
	return (h & pf_hashmask);
426
}
428
}
427
429
430
static inline uint32_t
431
pf_hashudpendpoint(struct pf_udp_endpoint *endpoint)
432
{
433
	uint32_t h;
434
435
	h = murmur3_32_hash32((uint32_t *)endpoint,
436
	    sizeof(struct pf_udp_endpoint_cmp)/sizeof(uint32_t),
437
	    V_pf_hashseed);
438
439
	return (h & pf_hashmask);
440
}
441
428
static __inline uint32_t
442
static __inline uint32_t
429
pf_hashsrc(struct pf_addr *addr, sa_family_t af)
443
pf_hashsrc(struct pf_addr *addr, sa_family_t af)
430
{
444
{
Lines 779-784 pf_initialize() Link Here
779
{
793
{
780
	struct pf_keyhash	*kh;
794
	struct pf_keyhash	*kh;
781
	struct pf_idhash	*ih;
795
	struct pf_idhash	*ih;
796
	struct pf_udpendpointhash *uh;
782
	struct pf_srchash	*sh;
797
	struct pf_srchash	*sh;
783
	u_int i;
798
	u_int i;
784
799
Lines 799-813 pf_initialize() Link Here
799
	V_pf_state_key_z = uma_zcreate("pf state keys",
814
	V_pf_state_key_z = uma_zcreate("pf state keys",
800
	    sizeof(struct pf_state_key), pf_state_key_ctor, NULL, NULL, NULL,
815
	    sizeof(struct pf_state_key), pf_state_key_ctor, NULL, NULL, NULL,
801
	    UMA_ALIGN_PTR, 0);
816
	    UMA_ALIGN_PTR, 0);
817
	V_pf_udp_mapping_z = uma_zcreate("pf UDP mappings",
818
	    sizeof(struct pf_udp_mapping), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
802
	V_pf_keyhash = malloc(pf_hashsize * sizeof(struct pf_keyhash),
819
	V_pf_keyhash = malloc(pf_hashsize * sizeof(struct pf_keyhash),
803
	    M_PFHASH, M_WAITOK | M_ZERO);
820
	    M_PFHASH, M_WAITOK | M_ZERO);
804
	V_pf_idhash = malloc(pf_hashsize * sizeof(struct pf_idhash),
821
	V_pf_idhash = malloc(pf_hashsize * sizeof(struct pf_idhash),
805
	    M_PFHASH, M_WAITOK | M_ZERO);
822
	    M_PFHASH, M_WAITOK | M_ZERO);
823
	V_pf_udpendpointhash = malloc(pf_hashsize * sizeof(struct pf_udpendpointhash),
824
	    M_PFHASH, M_WAITOK | M_ZERO);
806
	pf_hashmask = pf_hashsize - 1;
825
	pf_hashmask = pf_hashsize - 1;
807
	for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= pf_hashmask;
826
	for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash, uh=V_pf_udpendpointhash; i <= pf_hashmask;
808
	    i++, kh++, ih++) {
827
	    i++, kh++, ih++, uh++) {
809
		mtx_init(&kh->lock, "pf_keyhash", NULL, MTX_DEF | MTX_DUPOK);
828
		mtx_init(&kh->lock, "pf_keyhash", NULL, MTX_DEF | MTX_DUPOK);
810
		mtx_init(&ih->lock, "pf_idhash", NULL, MTX_DEF);
829
		mtx_init(&ih->lock, "pf_idhash", NULL, MTX_DEF);
830
		mtx_init(&uh->lock, "pf_udpendpointhash", NULL, MTX_DEF | MTX_DUPOK);
811
	}
831
	}
812
832
813
	/* Source nodes. */
833
	/* Source nodes. */
Lines 851-871 pf_cleanup() Link Here
851
{
871
{
852
	struct pf_keyhash	*kh;
872
	struct pf_keyhash	*kh;
853
	struct pf_idhash	*ih;
873
	struct pf_idhash	*ih;
874
	struct pf_udpendpointhash *uh;
854
	struct pf_srchash	*sh;
875
	struct pf_srchash	*sh;
855
	struct pf_send_entry	*pfse, *next;
876
	struct pf_send_entry	*pfse, *next;
856
	u_int i;
877
	u_int i;
857
878
858
	for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= pf_hashmask;
879
	for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash, uh=V_pf_udpendpointhash; i <= pf_hashmask;
859
	    i++, kh++, ih++) {
880
	    i++, kh++, ih++, uh++) {
860
		KASSERT(LIST_EMPTY(&kh->keys), ("%s: key hash not empty",
881
		KASSERT(LIST_EMPTY(&kh->keys), ("%s: key hash not empty",
861
		    __func__));
882
		    __func__));
862
		KASSERT(LIST_EMPTY(&ih->states), ("%s: id hash not empty",
883
		KASSERT(LIST_EMPTY(&ih->states), ("%s: id hash not empty",
863
		    __func__));
884
		    __func__));
885
		KASSERT(LIST_EMPTY(&uh->endpoints), ("%s: udpendpoint hash not empty",
886
		    __func__));
864
		mtx_destroy(&kh->lock);
887
		mtx_destroy(&kh->lock);
865
		mtx_destroy(&ih->lock);
888
		mtx_destroy(&ih->lock);
889
		mtx_destroy(&uh->lock);
866
	}
890
	}
867
	free(V_pf_keyhash, M_PFHASH);
891
	free(V_pf_keyhash, M_PFHASH);
868
	free(V_pf_idhash, M_PFHASH);
892
	free(V_pf_idhash, M_PFHASH);
893
	free(V_pf_udpendpointhash, M_PFHASH);
869
894
870
	for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; i++, sh++) {
895
	for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; i++, sh++) {
871
		KASSERT(LIST_EMPTY(&sh->nodes),
896
		KASSERT(LIST_EMPTY(&sh->nodes),
Lines 882-887 pf_cleanup() Link Here
882
	uma_zdestroy(V_pf_sources_z);
907
	uma_zdestroy(V_pf_sources_z);
883
	uma_zdestroy(V_pf_state_z);
908
	uma_zdestroy(V_pf_state_z);
884
	uma_zdestroy(V_pf_state_key_z);
909
	uma_zdestroy(V_pf_state_key_z);
910
	uma_zdestroy(V_pf_udp_mapping_z);
885
}
911
}
886
912
887
static int
913
static int
Lines 1369-1374 second_run: Link Here
1369
	return (ret);
1395
	return (ret);
1370
}
1396
}
1371
1397
1398
struct pf_udp_mapping*
1399
pf_udp_mapping_create(sa_family_t af, struct pf_addr *src_addr, uint16_t src_port,
1400
    struct pf_addr *nat_addr, uint16_t nat_port)
1401
{
1402
	struct pf_udp_mapping *mapping;
1403
1404
	mapping = uma_zalloc(V_pf_udp_mapping_z, M_NOWAIT | M_ZERO);
1405
	if (mapping == NULL)
1406
		return NULL;
1407
	PF_ACPY(&mapping->endpoints[0].addr, src_addr, af);
1408
	mapping->endpoints[0].port = src_port;
1409
	mapping->endpoints[0].af = af;
1410
	mapping->endpoints[0].mapping = mapping;
1411
	PF_ACPY(&mapping->endpoints[1].addr, nat_addr, af);
1412
	mapping->endpoints[1].port = nat_port;
1413
	mapping->endpoints[1].af = af;
1414
	mapping->endpoints[1].mapping = mapping;
1415
	refcount_init(&mapping->refs, 1);
1416
	return (mapping);
1417
}
1418
1419
int
1420
pf_udp_mapping_insert(struct pf_udp_mapping *mapping)
1421
{
1422
	struct pf_udpendpointhash *h0, *h1;
1423
	struct pf_udp_endpoint *endpoint;
1424
	int ret = 1;
1425
1426
	h0 = &V_pf_udpendpointhash[pf_hashudpendpoint(&mapping->endpoints[0])];
1427
	h1 = &V_pf_udpendpointhash[pf_hashudpendpoint(&mapping->endpoints[1])];
1428
	if (h0 == h1) {
1429
		PF_HASHROW_LOCK(h0);
1430
	} else if (h0 < h1) {
1431
		PF_HASHROW_LOCK(h0);
1432
		PF_HASHROW_LOCK(h1);
1433
	} else {
1434
		PF_HASHROW_LOCK(h1);
1435
		PF_HASHROW_LOCK(h0);
1436
	}
1437
1438
	LIST_FOREACH(endpoint, &h0->endpoints, entry)
1439
		if (bcmp(endpoint, &mapping->endpoints[0], sizeof(struct pf_udp_endpoint_cmp)) == 0)
1440
			break;
1441
	if (endpoint != NULL)
1442
		goto cleanup;
1443
	LIST_FOREACH(endpoint, &h1->endpoints, entry)
1444
		if (bcmp(endpoint, &mapping->endpoints[1], sizeof(struct pf_udp_endpoint_cmp)) == 0)
1445
			break;
1446
	if (endpoint != NULL)
1447
		goto cleanup;
1448
	LIST_INSERT_HEAD(&h0->endpoints, &mapping->endpoints[0], entry);
1449
	LIST_INSERT_HEAD(&h1->endpoints, &mapping->endpoints[1], entry);
1450
	ret = 0;
1451
1452
cleanup:
1453
	if (h0 != h1) {
1454
		PF_HASHROW_UNLOCK(h0);
1455
		PF_HASHROW_UNLOCK(h1);
1456
	} else {
1457
		PF_HASHROW_UNLOCK(h0);
1458
	}
1459
	return (ret);
1460
}
1461
1462
void
1463
pf_udp_mapping_release(struct pf_udp_mapping *mapping)
1464
{
1465
	/* refcount is synchronized on the source endpoint's row lock */
1466
	struct pf_udpendpointhash *h0, *h1;
1467
1468
	h0 = &V_pf_udpendpointhash[pf_hashudpendpoint(&mapping->endpoints[0])];
1469
	PF_HASHROW_LOCK(h0);
1470
	if (refcount_release(&mapping->refs)) {
1471
		LIST_REMOVE(&mapping->endpoints[0], entry);
1472
		PF_HASHROW_UNLOCK(h0);
1473
		h1 = &V_pf_udpendpointhash[pf_hashudpendpoint(&mapping->endpoints[1])];
1474
		PF_HASHROW_LOCK(h1);
1475
		LIST_REMOVE(&mapping->endpoints[1], entry);
1476
		PF_HASHROW_UNLOCK(h1);
1477
1478
		uma_zfree(V_pf_udp_mapping_z, mapping);
1479
	} else {
1480
		PF_HASHROW_UNLOCK(h0);
1481
	}
1482
}
1483
1484
struct pf_udp_mapping *
1485
pf_udp_mapping_find(struct pf_udp_endpoint_cmp *key)
1486
{
1487
	struct pf_udpendpointhash *uh;
1488
	struct pf_udp_endpoint *endpoint;
1489
1490
	uh = &V_pf_udpendpointhash[pf_hashudpendpoint((struct pf_udp_endpoint*)key)];
1491
1492
	PF_HASHROW_LOCK(uh);
1493
	LIST_FOREACH(endpoint, &uh->endpoints, entry)
1494
		if (bcmp(endpoint, key, sizeof(struct pf_udp_endpoint_cmp)) == 0 &&
1495
				bcmp(endpoint, &endpoint->mapping->endpoints[0], sizeof(struct pf_udp_endpoint_cmp)) == 0)
1496
			break;
1497
	if (endpoint == NULL) {
1498
		PF_HASHROW_UNLOCK(uh);
1499
		return NULL;
1500
	}
1501
	refcount_acquire(&endpoint->mapping->refs);
1502
	PF_HASHROW_UNLOCK(uh);
1503
	return (endpoint->mapping);
1504
}
1505
1372
/* END state table stuff */
1506
/* END state table stuff */
1373
1507
1374
static void
1508
static void
Lines 1650-1655 pf_unlink_state(struct pf_state *s, u_int flags) Link Here
1650
	pf_detach_state(s);
1784
	pf_detach_state(s);
1651
	refcount_release(&s->refs);
1785
	refcount_release(&s->refs);
1652
1786
1787
	if (s->udp_mapping)
1788
		pf_udp_mapping_release(s->udp_mapping);
1789
1653
	return (pf_release_state(s));
1790
	return (pf_release_state(s));
1654
}
1791
}
1655
1792
Lines 3136-3141 pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, Link Here
3136
	u_int16_t		 bproto_sum = 0, bip_sum = 0;
3273
	u_int16_t		 bproto_sum = 0, bip_sum = 0;
3137
	u_int8_t		 icmptype = 0, icmpcode = 0;
3274
	u_int8_t		 icmptype = 0, icmpcode = 0;
3138
	struct pf_anchor_stackframe	anchor_stack[PF_ANCHOR_STACKSIZE];
3275
	struct pf_anchor_stackframe	anchor_stack[PF_ANCHOR_STACKSIZE];
3276
	struct pf_udp_mapping	*udp_mapping = NULL;
3139
3277
3140
	PF_RULES_RASSERT();
3278
	PF_RULES_RASSERT();
3141
3279
Lines 3199-3205 pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, Link Here
3199
3337
3200
	/* check packet for BINAT/NAT/RDR */
3338
	/* check packet for BINAT/NAT/RDR */
3201
	if ((nr = pf_get_translation(pd, m, off, direction, kif, &nsn, &sk,
3339
	if ((nr = pf_get_translation(pd, m, off, direction, kif, &nsn, &sk,
3202
	    &nk, saddr, daddr, sport, dport, anchor_stack)) != NULL) {
3340
	    &nk, saddr, daddr, sport, dport, anchor_stack, &udp_mapping)) != NULL) {
3203
		KASSERT(sk != NULL, ("%s: null sk", __func__));
3341
		KASSERT(sk != NULL, ("%s: null sk", __func__));
3204
		KASSERT(nk != NULL, ("%s: null nk", __func__));
3342
		KASSERT(nk != NULL, ("%s: null nk", __func__));
3205
3343
Lines 3506-3519 pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, Link Here
3506
		int action;
3644
		int action;
3507
		action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m, off,
3645
		action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m, off,
3508
		    sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum,
3646
		    sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum,
3509
		    hdrlen);
3647
		    hdrlen, udp_mapping);
3510
		if (action != PF_PASS)
3648
		if (action != PF_PASS) {
3649
			if (udp_mapping != NULL)
3650
				pf_udp_mapping_release(udp_mapping);
3511
			return (action);
3651
			return (action);
3652
		}
3512
	} else {
3653
	} else {
3513
		if (sk != NULL)
3654
		if (sk != NULL)
3514
			uma_zfree(V_pf_state_key_z, sk);
3655
			uma_zfree(V_pf_state_key_z, sk);
3515
		if (nk != NULL)
3656
		if (nk != NULL)
3516
			uma_zfree(V_pf_state_key_z, nk);
3657
			uma_zfree(V_pf_state_key_z, nk);
3658
		if (udp_mapping != NULL)
3659
			pf_udp_mapping_release(udp_mapping);
3517
	}
3660
	}
3518
3661
3519
	/* copy back packet headers if we performed NAT operations */
3662
	/* copy back packet headers if we performed NAT operations */
Lines 3538-3543 cleanup: Link Here
3538
		uma_zfree(V_pf_state_key_z, sk);
3681
		uma_zfree(V_pf_state_key_z, sk);
3539
	if (nk != NULL)
3682
	if (nk != NULL)
3540
		uma_zfree(V_pf_state_key_z, nk);
3683
		uma_zfree(V_pf_state_key_z, nk);
3684
	if (udp_mapping != NULL)
3685
		pf_udp_mapping_release(udp_mapping);
3541
	return (PF_DROP);
3686
	return (PF_DROP);
3542
}
3687
}
3543
3688
Lines 3546-3552 pf_create_state(struct pf_rule *r, struct pf_rule *nr, struct pf_rule *a, Link Here
3546
    struct pf_pdesc *pd, struct pf_src_node *nsn, struct pf_state_key *nk,
3691
    struct pf_pdesc *pd, struct pf_src_node *nsn, struct pf_state_key *nk,
3547
    struct pf_state_key *sk, struct mbuf *m, int off, u_int16_t sport,
3692
    struct pf_state_key *sk, struct mbuf *m, int off, u_int16_t sport,
3548
    u_int16_t dport, int *rewrite, struct pfi_kif *kif, struct pf_state **sm,
3693
    u_int16_t dport, int *rewrite, struct pfi_kif *kif, struct pf_state **sm,
3549
    int tag, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen)
3694
    int tag, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen,
3695
    struct pf_udp_mapping *udp_mapping)
3550
{
3696
{
3551
	struct pf_state		*s = NULL;
3697
	struct pf_state		*s = NULL;
3552
	struct pf_src_node	*sn = NULL;
3698
	struct pf_src_node	*sn = NULL;
Lines 3752-3757 pf_create_state(struct pf_rule *r, struct pf_rule *nr, struct pf_rule *a, Link Here
3752
		REASON_SET(&reason, PFRES_SYNPROXY);
3898
		REASON_SET(&reason, PFRES_SYNPROXY);
3753
		return (PF_SYNPROXY_DROP);
3899
		return (PF_SYNPROXY_DROP);
3754
	}
3900
	}
3901
	s->udp_mapping = udp_mapping;
3755
3902
3756
	return (PF_PASS);
3903
	return (PF_PASS);
3757
3904
(-)b/sys/netpfil/pf/pf_lb.c (-19 / +75 lines)
Lines 63-69 static struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *, Link Here
63
			    uint16_t, int, struct pf_anchor_stackframe *);
63
			    uint16_t, int, struct pf_anchor_stackframe *);
64
static int pf_get_sport(sa_family_t, uint8_t, struct pf_rule *,
64
static int pf_get_sport(sa_family_t, uint8_t, struct pf_rule *,
65
    struct pf_addr *, uint16_t, struct pf_addr *, uint16_t, struct pf_addr *,
65
    struct pf_addr *, uint16_t, struct pf_addr *, uint16_t, struct pf_addr *,
66
    uint16_t *, uint16_t, uint16_t, struct pf_src_node **);
66
    uint16_t *, uint16_t, uint16_t, struct pf_src_node **,
67
    struct pf_udp_mapping**);
67
68
68
#define mix(a,b,c) \
69
#define mix(a,b,c) \
69
	do {					\
70
	do {					\
Lines 214-227 static int Link Here
214
pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
215
pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
215
    struct pf_addr *saddr, uint16_t sport, struct pf_addr *daddr,
216
    struct pf_addr *saddr, uint16_t sport, struct pf_addr *daddr,
216
    uint16_t dport, struct pf_addr *naddr, uint16_t *nport, uint16_t low,
217
    uint16_t dport, struct pf_addr *naddr, uint16_t *nport, uint16_t low,
217
    uint16_t high, struct pf_src_node **sn)
218
    uint16_t high, struct pf_src_node **sn, struct pf_udp_mapping **udp_mapping)
218
{
219
{
219
	struct pf_state_key_cmp	key;
220
	struct pf_state_key_cmp	key;
220
	struct pf_addr		init_addr;
221
	struct pf_addr		init_addr;
221
222
223
	if (proto == IPPROTO_UDP) {
224
		struct pf_udp_endpoint_cmp udp_source;
225
226
		bzero(&udp_source, sizeof(udp_source));
227
		udp_source.af = af;
228
		PF_ACPY(&udp_source.addr, saddr, af);
229
		udp_source.port = sport;
230
		*udp_mapping = pf_udp_mapping_find(&udp_source);
231
		if (*udp_mapping) {
232
			PF_ACPY(naddr, &(*udp_mapping)->endpoints[1].addr, af);
233
			*nport = (*udp_mapping)->endpoints[1].port;
234
			/* as per pf_map_addr(): */
235
			if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&
236
			    (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE)
237
				*sn = pf_find_src_node(saddr, r, af, 0);
238
			return (0);
239
		} else {
240
			*udp_mapping = pf_udp_mapping_create(af, saddr, sport, &init_addr, 0);
241
			if (*udp_mapping == NULL)
242
				return (1);
243
		}
244
	}
245
222
	bzero(&init_addr, sizeof(init_addr));
246
	bzero(&init_addr, sizeof(init_addr));
223
	if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
247
	if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn))
224
		return (1);
248
		goto failed;
225
249
226
	if (proto == IPPROTO_ICMP) {
250
	if (proto == IPPROTO_ICMP) {
227
		low = 1;
251
		low = 1;
Lines 236-241 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, Link Here
236
260
237
	do {
261
	do {
238
		PF_ACPY(&key.addr[1], naddr, key.af);
262
		PF_ACPY(&key.addr[1], naddr, key.af);
263
		if ((*udp_mapping))
264
			PF_ACPY(&(*udp_mapping)->endpoints[1].addr, naddr, af);
239
265
240
		/*
266
		/*
241
		 * port search; start random, step;
267
		 * port search; start random, step;
Lines 255-262 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, Link Here
255
		} else if (low == high) {
281
		} else if (low == high) {
256
			key.port[1] = htons(low);
282
			key.port[1] = htons(low);
257
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
283
			if (pf_find_state_all(&key, PF_IN, NULL) == NULL) {
258
				*nport = htons(low);
284
				if (proto == IPPROTO_UDP) {
259
				return (0);
285
					(*udp_mapping)->endpoints[1].port = htons(low);
286
					if (pf_udp_mapping_insert(*udp_mapping) == 0) {
287
						*nport = htons(low);
288
						return (0);
289
					}
290
				} else {
291
					*nport = htons(low);
292
					return (0);
293
				}
260
			}
294
			}
261
		} else {
295
		} else {
262
			uint16_t tmp, cut;
296
			uint16_t tmp, cut;
Lines 270-288 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, Link Here
270
			cut = arc4random() % (1 + high - low) + low;
304
			cut = arc4random() % (1 + high - low) + low;
271
			/* low <= cut <= high */
305
			/* low <= cut <= high */
272
			for (tmp = cut; tmp <= high; ++(tmp)) {
306
			for (tmp = cut; tmp <= high; ++(tmp)) {
273
				key.port[1] = htons(tmp);
307
				if (proto == IPPROTO_UDP) {
274
				if (pf_find_state_all(&key, PF_IN, NULL) ==
308
					(*udp_mapping)->endpoints[1].port = htons(tmp);
275
				    NULL) {
309
					if (pf_udp_mapping_insert(*udp_mapping) == 0) {
276
					*nport = htons(tmp);
310
						*nport = htons(tmp);
277
					return (0);
311
						return (0);
312
					}
313
				} else {
314
					key.port[1] = htons(tmp);
315
					if (pf_find_state_all(&key, PF_IN, NULL) ==
316
					    NULL) {
317
						*nport = htons(tmp);
318
						return (0);
319
					}
278
				}
320
				}
279
			}
321
			}
280
			for (tmp = cut - 1; tmp >= low; --(tmp)) {
322
			for (tmp = cut - 1; tmp >= low; --(tmp)) {
281
				key.port[1] = htons(tmp);
323
				if (proto == IPPROTO_UDP) {
282
				if (pf_find_state_all(&key, PF_IN, NULL) ==
324
					(*udp_mapping)->endpoints[1].port = htons(tmp);
283
				    NULL) {
325
					if (pf_udp_mapping_insert(*udp_mapping) == 0) {
284
					*nport = htons(tmp);
326
						*nport = htons(tmp);
285
					return (0);
327
						return (0);
328
					}
329
				} else {
330
					key.port[1] = htons(tmp);
331
					if (pf_find_state_all(&key, PF_IN, NULL) ==
332
					    NULL) {
333
						*nport = htons(tmp);
334
						return (0);
335
					}
286
				}
336
				}
287
			}
337
			}
288
		}
338
		}
Lines 300-306 pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, Link Here
300
			return (1);
350
			return (1);
301
		}
351
		}
302
	} while (! PF_AEQ(&init_addr, naddr, af) );
352
	} while (! PF_AEQ(&init_addr, naddr, af) );
303
	return (1);					/* none available */
353
	/* none available */
354
failed:
355
	if (*udp_mapping) {
356
		uma_zfree(V_pf_udp_mapping_z, *udp_mapping);
357
		*udp_mapping = NULL;
358
	}
359
	return (1);
304
}
360
}
305
361
306
int
362
int
Lines 512-518 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, Link Here
512
    struct pfi_kif *kif, struct pf_src_node **sn,
568
    struct pfi_kif *kif, struct pf_src_node **sn,
513
    struct pf_state_key **skp, struct pf_state_key **nkp,
569
    struct pf_state_key **skp, struct pf_state_key **nkp,
514
    struct pf_addr *saddr, struct pf_addr *daddr,
570
    struct pf_addr *saddr, struct pf_addr *daddr,
515
    uint16_t sport, uint16_t dport, struct pf_anchor_stackframe *anchor_stack)
571
    uint16_t sport, uint16_t dport, struct pf_anchor_stackframe *anchor_stack,
572
    struct pf_udp_mapping **udp_mapping)
516
{
573
{
517
	struct pf_rule	*r = NULL;
574
	struct pf_rule	*r = NULL;
518
	struct pf_addr	*naddr;
575
	struct pf_addr	*naddr;
Lines 566-572 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, Link Here
566
	case PF_NAT:
623
	case PF_NAT:
567
		if (pf_get_sport(pd->af, pd->proto, r, saddr, sport, daddr,
624
		if (pf_get_sport(pd->af, pd->proto, r, saddr, sport, daddr,
568
		    dport, naddr, nport, r->rpool.proxy_port[0],
625
		    dport, naddr, nport, r->rpool.proxy_port[0],
569
		    r->rpool.proxy_port[1], sn)) {
626
		    r->rpool.proxy_port[1], sn, udp_mapping)) {
570
			DPFPRINTF(PF_DEBUG_MISC,
627
			DPFPRINTF(PF_DEBUG_MISC,
571
			    ("pf: NAT proxy port allocation (%u-%u) failed\n",
628
			    ("pf: NAT proxy port allocation (%u-%u) failed\n",
572
			    r->rpool.proxy_port[0], r->rpool.proxy_port[1]));
629
			    r->rpool.proxy_port[0], r->rpool.proxy_port[1]));
573
- 

Return to bug 219803