};

};

struct pf_pool {

struct pf_pool {

	struct pf_palist	 list;

	struct pf_palist	 list;

	struct pf_pooladdr	*cur;

	struct pf_pooladdr	*cur;

	struct pf_poolhashkey	 key;

	struct pf_poolhashkey	 key;

	struct pf_addr		 counter;

	struct pf_addr		 counter;

	int			 tblidx;

	int			 tblidx;

	u_int16_t		 proxy_port[2];

	u_int16_t		 proxy_port[2];

	u_int8_t		 opts;

	u_int8_t		 opts;

};

};

/* A packed Operating System description for fingerprinting */

/* A packed Operating System description for fingerprinting */

typedef u_int32_t pf_osfp_t;

typedef u_int32_t pf_osfp_t;

#define PF_OSFP_ANY	((pf_osfp_t)0)

#define PF_OSFP_ANY	((pf_osfp_t)0)

#define PF_OSFP_UNKNOWN	((pf_osfp_t)-1)

#define PF_OSFP_UNKNOWN	((pf_osfp_t)-1)

#define PF_OSFP_NOMATCH	((pf_osfp_t)-2)

#define PF_OSFP_NOMATCH	((pf_osfp_t)-2)

struct pf_osfp_entry {

struct pf_osfp_entry {

	u_int32_t	count;

	u_int32_t	count;

	u_int32_t	last;

	u_int32_t	last;

};

};

struct pf_src_node {

struct pf_src_node {

	LIST_ENTRY(pf_src_node) entry;

	LIST_ENTRY(pf_src_node) entry;

	struct pf_addr	 addr;

	struct pf_addr	 addr;

	struct pf_addr	 raddr;

	struct pf_addr	 raddr;

	union pf_rule_ptr rule;

	union pf_rule_ptr rule;

	struct pfi_kif	*kif;

	struct pfi_kif	*kif;

	u_int64_t	 bytes[2];

	u_int64_t	 bytes[2];

	u_int64_t	 packets[2];

	u_int64_t	 packets[2];

	u_int32_t	 states;

	u_int32_t	 states;

	u_int32_t	 conn;

	u_int32_t	 conn;

	struct pf_threshold	conn_rate;

	struct pf_threshold	conn_rate;

	u_int32_t	 creation;

	u_int32_t	 creation;

	u_int32_t	 expire;

	u_int32_t	 expire;

	sa_family_t	 af;

	sa_family_t	 af;

	u_int8_t	 ruletype;

	u_int8_t	 ruletype;

};

};

		pf_free_state(s);

		pf_free_state(s);

		return (1);

		return (1);

	} else

	} else

		return (0);

		return (0);

}

}

extern struct pf_state		*pf_find_state_byid(uint64_t, uint32_t);

extern struct pf_state		*pf_find_state_byid(uint64_t, uint32_t);

extern struct pf_state		*pf_find_state_all(struct pf_state_key_cmp *,

extern struct pf_state		*pf_find_state_all(struct pf_state_key_cmp *,

				    u_int, int *);

				    u_int, int *);

extern struct pf_src_node	*pf_find_src_node(struct pf_addr *,

extern struct pf_src_node	*pf_find_src_node(struct pf_addr *,

extern void			 pf_unlink_src_node(struct pf_src_node *);

extern void			 pf_unlink_src_node(struct pf_src_node *);

extern u_int			 pf_free_src_nodes(struct pf_src_node_list *);

extern u_int			 pf_free_src_nodes(struct pf_src_node_list *);

extern void			 pf_print_state(struct pf_state *);

extern void			 pf_print_state(struct pf_state *);

extern void			 pf_print_flags(u_int8_t);

extern void			 pf_print_flags(u_int8_t);

extern u_int16_t		 pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,

extern u_int16_t		 pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,

				    u_int8_t);

				    u_int8_t);

extern u_int16_t		 pf_proto_cksum_fixup(struct mbuf *, u_int16_t,

extern u_int16_t		 pf_proto_cksum_fixup(struct mbuf *, u_int16_t,

				    u_int16_t, u_int16_t, u_int8_t);

				    u_int16_t, u_int16_t, u_int8_t);

VNET_DECLARE(struct ifnet *,		 sync_ifp);

VNET_DECLARE(struct ifnet *,		 sync_ifp);

void			 pf_step_into_anchor(struct pf_anchor_stackframe *, int *,

void			 pf_step_into_anchor(struct pf_anchor_stackframe *, int *,

			    struct pf_ruleset **, int, struct pf_rule **,

			    struct pf_ruleset **, int, struct pf_rule **,

			    struct pf_rule **, int *);

			    struct pf_rule **, int *);

int			 pf_step_out_of_anchor(struct pf_anchor_stackframe *, int *,

int			 pf_step_out_of_anchor(struct pf_anchor_stackframe *, int *,

			    struct pf_ruleset **, int, struct pf_rule **,

			    struct pf_ruleset **, int, struct pf_rule **,

			    struct pf_rule **, int *);

			    struct pf_rule **, int *);

int			 pf_map_addr(u_int8_t, struct pf_rule *,

int			 pf_map_addr(u_int8_t, struct pf_rule *,

			    struct pf_addr *, struct pf_addr *,

			    struct pf_addr *, struct pf_addr *,

struct pf_rule		*pf_get_translation(struct pf_pdesc *, struct mbuf *,

struct pf_rule		*pf_get_translation(struct pf_pdesc *, struct mbuf *,

			    int, int, struct pfi_kif *, struct pf_src_node **,

			    int, int, struct pfi_kif *, struct pf_src_node **,

			    struct pf_state_key **, struct pf_state_key **,

			    struct pf_state_key **, struct pf_state_key **,

			    struct pf_addr *, struct pf_addr *,

			    struct pf_addr *, struct pf_addr *,

			    uint16_t, uint16_t, struct pf_anchor_stackframe *);

			    uint16_t, uint16_t, struct pf_anchor_stackframe *);

struct pf_state_key	*pf_state_key_setup(struct pf_pdesc *, struct pf_addr *,

struct pf_state_key	*pf_state_key_setup(struct pf_pdesc *, struct pf_addr *,

			    struct pf_addr *, u_int16_t, u_int16_t);

			    struct pf_addr *, u_int16_t, u_int16_t);

struct pf_state_key	*pf_state_key_clone(struct pf_state_key *);

struct pf_state_key	*pf_state_key_clone(struct pf_state_key *);

#endif /* _KERNEL */

#endif /* _KERNEL */

			    u_int8_t, sa_family_t);

			    u_int8_t, sa_family_t);

static void		 pf_print_state_parts(struct pf_state *,

static void		 pf_print_state_parts(struct pf_state *,

			    struct pf_state_key *, struct pf_state_key *);

			    struct pf_state_key *, struct pf_state_key *);

static int		 pf_addr_wrap_neq(struct pf_addr_wrap *,

static int		 pf_addr_wrap_neq(struct pf_addr_wrap *,

			    struct pf_addr_wrap *);

			    struct pf_addr_wrap *);

static struct pf_state	*pf_find_state(struct pfi_kif *,

static struct pf_state	*pf_find_state(struct pfi_kif *,

			    struct pf_state_key_cmp *, u_int);

			    struct pf_state_key_cmp *, u_int);

static int		 pf_src_connlimit(struct pf_state **);

static int		 pf_src_connlimit(struct pf_state **);

static void		 pf_overload_task(void *v, int pending);

static void		 pf_overload_task(void *v, int pending);

static int		 pf_insert_src_node(struct pf_src_node **,

static int		 pf_insert_src_node(struct pf_src_node **,

static u_int		 pf_purge_expired_states(u_int, int);

static u_int		 pf_purge_expired_states(u_int, int);

static void		 pf_purge_unlinked_rules(void);

static void		 pf_purge_unlinked_rules(void);

static int		 pf_mtag_uminit(void *, int, int);

static int		 pf_mtag_uminit(void *, int, int);

static void		 pf_mtag_free(struct m_tag *);

static void		 pf_mtag_free(struct m_tag *);

#ifdef INET

#ifdef INET

static void		 pf_route(struct mbuf **, struct pf_rule *, int,

static void		 pf_route(struct mbuf **, struct pf_rule *, int,

			    struct ifnet *, struct pf_state *,

			    struct ifnet *, struct pf_state *,

			    struct pf_pdesc *, struct inpcb *);

			    struct pf_pdesc *, struct inpcb *);

#endif /* INET */

#endif /* INET */

#ifdef INET6

#ifdef INET6

	}

	}

	SLIST_FOREACH_SAFE(pfoe, &queue, next, pfoe1)

	SLIST_FOREACH_SAFE(pfoe, &queue, next, pfoe1)

		free(pfoe, M_PFTEMP);

		free(pfoe, M_PFTEMP);

	if (V_pf_status.debug >= PF_DEBUG_MISC)

	if (V_pf_status.debug >= PF_DEBUG_MISC)

		printf("%s: %u states killed", __func__, killed);

		printf("%s: %u states killed", __func__, killed);

	CURVNET_RESTORE();

	CURVNET_RESTORE();

}

}

/*

/*

 */

 */

struct pf_src_node *

struct pf_src_node *

pf_find_src_node(struct pf_addr *src, struct pf_rule *rule, sa_family_t af,

pf_find_src_node(struct pf_addr *src, struct pf_rule *rule, sa_family_t af,

{

{

	struct pf_src_node *n;

	struct pf_src_node *n;

	counter_u64_add(V_pf_status.scounters[SCNT_SRC_NODE_SEARCH], 1);

	counter_u64_add(V_pf_status.scounters[SCNT_SRC_NODE_SEARCH], 1);

		if (n->rule.ptr == rule && n->af == af &&

		if (n->rule.ptr == rule && n->af == af &&

		    ((af == AF_INET && n->addr.v4.s_addr == src->v4.s_addr) ||

		    ((af == AF_INET && n->addr.v4.s_addr == src->v4.s_addr) ||

		    (af == AF_INET6 && bcmp(&n->addr, src, sizeof(*src)) == 0)))

		    (af == AF_INET6 && bcmp(&n->addr, src, sizeof(*src)) == 0)))

			break;

			break;

	return (n);

	return (n);

}

}

static int

static int

pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,

pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule,

{

{

	KASSERT((rule->rule_flag & PFRULE_RULESRCTRACK ||

	KASSERT((rule->rule_flag & PFRULE_RULESRCTRACK ||

	    rule->rpool.opts & PF_POOL_STICKYADDR),

	    rule->rpool.opts & PF_POOL_STICKYADDR),

	    ("%s for non-tracking rule %p", __func__, rule));

	    ("%s for non-tracking rule %p", __func__, rule));

	if (*sn == NULL)

	if (*sn == NULL)

	if (*sn == NULL) {

	if (*sn == NULL) {

		if (!rule->max_src_nodes ||

		if (!rule->max_src_nodes ||

		    counter_u64_fetch(rule->src_nodes) < rule->max_src_nodes)

		    counter_u64_fetch(rule->src_nodes) < rule->max_src_nodes)

			(*sn) = uma_zalloc(V_pf_sources_z, M_NOWAIT | M_ZERO);

			(*sn) = uma_zalloc(V_pf_sources_z, M_NOWAIT | M_ZERO);

		else

		else

			counter_u64_add(V_pf_status.lcounters[LCNT_SRCNODES],

			counter_u64_add(V_pf_status.lcounters[LCNT_SRCNODES],

			    1);

			    1);

		if ((*sn) == NULL) {

		if ((*sn) == NULL) {

			return (-1);

			return (-1);

		}

		}

		pf_init_threshold(&(*sn)->conn_rate,

		pf_init_threshold(&(*sn)->conn_rate,

		    rule->max_src_conn_rate.limit,

		    rule->max_src_conn_rate.limit,

		    rule->max_src_conn_rate.seconds);

		    rule->max_src_conn_rate.seconds);

		(*sn)->af = af;

		(*sn)->af = af;

		(*sn)->rule.ptr = rule;

		(*sn)->rule.ptr = rule;

		PF_ACPY(&(*sn)->addr, src, af);

		PF_ACPY(&(*sn)->addr, src, af);

		(*sn)->creation = time_uptime;

		(*sn)->creation = time_uptime;

		(*sn)->ruletype = rule->action;

		(*sn)->ruletype = rule->action;

		(*sn)->states = 1;

		(*sn)->states = 1;

		if ((*sn)->rule.ptr != NULL)

		if ((*sn)->rule.ptr != NULL)

			counter_u64_add((*sn)->rule.ptr->src_nodes, 1);

			counter_u64_add((*sn)->rule.ptr->src_nodes, 1);

		counter_u64_add(V_pf_status.scounters[SCNT_SRC_NODE_INSERT], 1);

		counter_u64_add(V_pf_status.scounters[SCNT_SRC_NODE_INSERT], 1);

	} else {

	} else {

		if (rule->max_src_states &&

		if (rule->max_src_states &&

		    (*sn)->states >= rule->max_src_states) {

		    (*sn)->states >= rule->max_src_states) {

			counter_u64_add(V_pf_status.lcounters[LCNT_SRCSTATES],

			counter_u64_add(V_pf_status.lcounters[LCNT_SRCSTATES],

			    1);

			    1);

			return (-1);

			return (-1);

		}

		}

	}

	}

	return (0);

	return (0);

}

}

void

void

pf_unlink_src_node(struct pf_src_node *src)

pf_unlink_src_node(struct pf_src_node *src)

{

{

	PF_HASHROW_ASSERT(&V_pf_srchash[pf_hashsrc(&src->addr, src->af)]);

	PF_HASHROW_ASSERT(&V_pf_srchash[pf_hashsrc(&src->addr, src->af)]);

	LIST_REMOVE(src, entry);

	LIST_REMOVE(src, entry);

	if (src->rule.ptr)

	if (src->rule.ptr)

    struct pf_pdesc *pd, struct pf_src_node *nsn, struct pf_state_key *nk,

    struct pf_pdesc *pd, struct pf_src_node *nsn, struct pf_state_key *nk,

    struct pf_state_key *sk, struct mbuf *m, int off, u_int16_t sport,

    struct pf_state_key *sk, struct mbuf *m, int off, u_int16_t sport,

    u_int16_t dport, int *rewrite, struct pfi_kif *kif, struct pf_state **sm,

    u_int16_t dport, int *rewrite, struct pfi_kif *kif, struct pf_state **sm,

    int tag, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen)

    int tag, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen)

{

{

	struct pf_state		*s = NULL;

	struct pf_state		*s = NULL;

	struct pf_src_node	*sn = NULL;

	struct pf_src_node	*sn = NULL;

	struct tcphdr		*th = pd->hdr.tcp;

	struct tcphdr		*th = pd->hdr.tcp;

	u_int16_t		 mss = V_tcp_mssdflt;

	u_int16_t		 mss = V_tcp_mssdflt;

	u_short			 reason;

	u_short			 reason;

	/* check maximums */

	/* check maximums */

	if (r->max_states &&

	if (r->max_states &&

	    (counter_u64_fetch(r->states_cur) >= r->max_states)) {

	    (counter_u64_fetch(r->states_cur) >= r->max_states)) {

		counter_u64_add(V_pf_status.lcounters[LCNT_STATES], 1);

		counter_u64_add(V_pf_status.lcounters[LCNT_STATES], 1);

		REASON_SET(&reason, PFRES_MAXSTATES);

		REASON_SET(&reason, PFRES_MAXSTATES);

		goto csfailed;

		goto csfailed;

	}

	}

	/* src node for filter rule */

	/* src node for filter rule */

	if ((r->rule_flag & PFRULE_SRCTRACK ||

	if ((r->rule_flag & PFRULE_SRCTRACK ||

	    r->rpool.opts & PF_POOL_STICKYADDR) &&

	    r->rpool.opts & PF_POOL_STICKYADDR) &&

		REASON_SET(&reason, PFRES_SRCLIMIT);

		REASON_SET(&reason, PFRES_SRCLIMIT);

		goto csfailed;

		goto csfailed;

	}

	}

	/* src node for translation rule */

	/* src node for translation rule */

	if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&

	if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) &&

		REASON_SET(&reason, PFRES_SRCLIMIT);

		REASON_SET(&reason, PFRES_SRCLIMIT);

		goto csfailed;

		goto csfailed;

	}

	}

	s = uma_zalloc(V_pf_state_z, M_NOWAIT | M_ZERO);

	s = uma_zalloc(V_pf_state_z, M_NOWAIT | M_ZERO);

	if (s == NULL) {

	if (s == NULL) {

		REASON_SET(&reason, PFRES_MEMORY);

		REASON_SET(&reason, PFRES_MEMORY);

		goto csfailed;

		goto csfailed;

	}

	}

	s->rule.ptr = r;

	s->rule.ptr = r;

	s->nat_rule.ptr = nr;

	s->nat_rule.ptr = nr;

	s->anchor.ptr = a;

	s->anchor.ptr = a;

	STATE_INC_COUNTERS(s);

	STATE_INC_COUNTERS(s);

	if (r->allow_opts)

	if (r->allow_opts)

#endif

#endif

		s->timeout = PFTM_ICMP_FIRST_PACKET;

		s->timeout = PFTM_ICMP_FIRST_PACKET;

		break;

		break;

	default:

	default:

		s->src.state = PFOTHERS_SINGLE;

		s->src.state = PFOTHERS_SINGLE;

		s->dst.state = PFOTHERS_NO_TRAFFIC;

		s->dst.state = PFOTHERS_NO_TRAFFIC;

		s->timeout = PFTM_OTHER_FIRST_PACKET;

		s->timeout = PFTM_OTHER_FIRST_PACKET;

	}

	}

	if (r->rt && r->rt != PF_FASTROUTE) {

	if (r->rt && r->rt != PF_FASTROUTE) {

			REASON_SET(&reason, PFRES_MAPFAILED);

			REASON_SET(&reason, PFRES_MAPFAILED);

			pf_src_tree_remove_state(s);

			pf_src_tree_remove_state(s);

			STATE_DEC_COUNTERS(s);

			STATE_DEC_COUNTERS(s);

			uma_zfree(V_pf_state_z, s);

			uma_zfree(V_pf_state_z, s);

			goto csfailed;

			goto csfailed;

		}

		}

	}

	}

	s->creation = time_uptime;

	s->creation = time_uptime;

	s->expire = time_uptime;

	s->expire = time_uptime;

		s->src_node = sn;

		s->src_node = sn;

	if (nsn != NULL) {

	if (nsn != NULL) {

		/* XXX We only modify one side for now. */

		/* XXX We only modify one side for now. */

		PF_ACPY(&nsn->raddr, &nk->addr[1], pd->af);

		PF_ACPY(&nsn->raddr, &nk->addr[1], pd->af);

		s->nat_src_node = nsn;

		s->nat_src_node = nsn;

	}

	}

	if (pd->proto == IPPROTO_TCP) {

	if (pd->proto == IPPROTO_TCP) {

		if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m,

		if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m,

		    off, pd, th, &s->src, &s->dst)) {

		    off, pd, th, &s->src, &s->dst)) {

			REASON_SET(&reason, PFRES_MEMORY);

			REASON_SET(&reason, PFRES_MEMORY);

			pf_src_tree_remove_state(s);

			pf_src_tree_remove_state(s);

			STATE_DEC_COUNTERS(s);

			STATE_DEC_COUNTERS(s);

			uma_zfree(V_pf_state_z, s);

			uma_zfree(V_pf_state_z, s);

			return (PF_DROP);

			return (PF_DROP);

		}

		}

	return (PF_PASS);

	return (PF_PASS);

csfailed:

csfailed:

	if (sk != NULL)

	if (sk != NULL)

		uma_zfree(V_pf_state_key_z, sk);

		uma_zfree(V_pf_state_key_z, sk);

	if (nk != NULL)

	if (nk != NULL)

		uma_zfree(V_pf_state_key_z, nk);

		uma_zfree(V_pf_state_key_z, nk);

	if (sn != NULL) {

	if (sn != NULL) {

		if (--sn->states == 0 && sn->expire == 0) {

		if (--sn->states == 0 && sn->expire == 0) {

			pf_unlink_src_node(sn);

			pf_unlink_src_node(sn);

			uma_zfree(V_pf_sources_z, sn);

			uma_zfree(V_pf_sources_z, sn);

			counter_u64_add(

			counter_u64_add(

			    V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS], 1);

			    V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS], 1);

		}

		}

	}

	}

	if (nsn != sn && nsn != NULL) {

	if (nsn != sn && nsn != NULL) {

		if (--nsn->states == 0 && nsn->expire == 0) {

		if (--nsn->states == 0 && nsn->expire == 0) {

			pf_unlink_src_node(nsn);

			pf_unlink_src_node(nsn);

			uma_zfree(V_pf_sources_z, nsn);

			uma_zfree(V_pf_sources_z, nsn);

			counter_u64_add(

			counter_u64_add(

			    V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS], 1);

			    V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS], 1);

		}

		}

	}

	}

	return (PF_DROP);

	return (PF_DROP);

}

}

static int

static int

pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,

pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,

    struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,

    struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,

    struct pf_ruleset **rsm)

    struct pf_ruleset **rsm)

{

{

	struct pf_rule		*r, *a = NULL;

	struct pf_rule		*r, *a = NULL;

}

}

#ifdef INET

#ifdef INET

static void

static void

pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,

pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,

    struct pf_state *s, struct pf_pdesc *pd, struct inpcb *inp)

    struct pf_state *s, struct pf_pdesc *pd, struct inpcb *inp)

{

{

	struct mbuf		*m0, *m1;

	struct mbuf		*m0, *m1;

	struct sockaddr_in	dst;

	struct sockaddr_in	dst;

	struct ip		*ip;

	struct ip		*ip;

	struct ifnet		*ifp = NULL;

	struct ifnet		*ifp = NULL;

	struct pf_addr		 naddr;

	struct pf_addr		 naddr;

	struct pf_src_node	*sn = NULL;

	struct pf_src_node	*sn = NULL;

	int			 error = 0;

	int			 error = 0;

	uint16_t		 ip_len, ip_off;

	uint16_t		 ip_len, ip_off;

	KASSERT(m && *m && r && oifp, ("%s: invalid parameters", __func__));

	KASSERT(m && *m && r && oifp, ("%s: invalid parameters", __func__));

	KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: invalid direction",

	KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: invalid direction",

	    __func__));

	    __func__));

		ifp = nh4.nh_ifp;

		ifp = nh4.nh_ifp;

		dst.sin_addr = nh4.nh_addr;

		dst.sin_addr = nh4.nh_addr;

	} else {

	} else {

		if (TAILQ_EMPTY(&r->rpool.list)) {

		if (TAILQ_EMPTY(&r->rpool.list)) {

			DPFPRINTF(PF_DEBUG_URGENT,

			DPFPRINTF(PF_DEBUG_URGENT,

			    ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));

			    ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));

			goto bad_locked;

			goto bad_locked;

		}

		}

		if (s == NULL) {

		if (s == NULL) {

			pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,

			pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,

			if (!PF_AZERO(&naddr, AF_INET))

			if (!PF_AZERO(&naddr, AF_INET))

				dst.sin_addr.s_addr = naddr.v4.s_addr;

				dst.sin_addr.s_addr = naddr.v4.s_addr;

		} else {

		} else {

			if (!PF_AZERO(&s->rt_addr, AF_INET))

			if (!PF_AZERO(&s->rt_addr, AF_INET))

				dst.sin_addr.s_addr =

				dst.sin_addr.s_addr =

				    s->rt_addr.v4.s_addr;

				    s->rt_addr.v4.s_addr;

			ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;

			ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;

			PF_STATE_UNLOCK(s);

			PF_STATE_UNLOCK(s);

		}

		}

	}

	}

	if (ifp == NULL)

	if (ifp == NULL)

		goto bad;

		goto bad;

#endif /* INET */

#endif /* INET */

#ifdef INET6

#ifdef INET6

static void

static void

pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,

pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,

    struct pf_state *s, struct pf_pdesc *pd, struct inpcb *inp)

    struct pf_state *s, struct pf_pdesc *pd, struct inpcb *inp)

{

{

	struct mbuf		*m0;

	struct mbuf		*m0;

	struct sockaddr_in6	dst;

	struct sockaddr_in6	dst;

	struct ip6_hdr		*ip6;

	struct ip6_hdr		*ip6;

	struct ifnet		*ifp = NULL;

	struct ifnet		*ifp = NULL;

	struct pf_addr		 naddr;

	struct pf_addr		 naddr;

	struct pf_src_node	*sn = NULL;

	struct pf_src_node	*sn = NULL;

	KASSERT(m && *m && r && oifp, ("%s: invalid parameters", __func__));

	KASSERT(m && *m && r && oifp, ("%s: invalid parameters", __func__));

	KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: invalid direction",

	KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: invalid direction",

	    __func__));

	    __func__));

	if ((pd->pf_mtag == NULL &&

	if ((pd->pf_mtag == NULL &&

	    ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) ||

	    ((pd->pf_mtag = pf_get_mtag(*m)) == NULL)) ||

		return;

		return;

	}

	}

	if (TAILQ_EMPTY(&r->rpool.list)) {

	if (TAILQ_EMPTY(&r->rpool.list)) {

		DPFPRINTF(PF_DEBUG_URGENT,

		DPFPRINTF(PF_DEBUG_URGENT,

		    ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));

		    ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));

		goto bad_locked;

		goto bad_locked;

	}

	}

	if (s == NULL) {

	if (s == NULL) {

		pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,

		pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src,

		if (!PF_AZERO(&naddr, AF_INET6))

		if (!PF_AZERO(&naddr, AF_INET6))

			PF_ACPY((struct pf_addr *)&dst.sin6_addr,

			PF_ACPY((struct pf_addr *)&dst.sin6_addr,

			    &naddr, AF_INET6);

			    &naddr, AF_INET6);

	} else {

	} else {

		if (!PF_AZERO(&s->rt_addr, AF_INET6))

		if (!PF_AZERO(&s->rt_addr, AF_INET6))

			PF_ACPY((struct pf_addr *)&dst.sin6_addr,

			PF_ACPY((struct pf_addr *)&dst.sin6_addr,

			    &s->rt_addr, AF_INET6);

			    &s->rt_addr, AF_INET6);

		ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;

		ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;

	}

	}

	if (s)

	if (s)

		PF_STATE_UNLOCK(s);

		PF_STATE_UNLOCK(s);

		break;

		break;

	case PF_ADDR_TABLE:

	case PF_ADDR_TABLE:

		pfr_detach_table(rule->dst.addr.p.tbl);

		pfr_detach_table(rule->dst.addr.p.tbl);

		break;

		break;

	}

	}

	if (rule->overload_tbl)

	if (rule->overload_tbl)

		pfr_detach_table(rule->overload_tbl);

		pfr_detach_table(rule->overload_tbl);

	if (rule->kif)

	if (rule->kif)

		pfi_kif_unref(rule->kif);

		pfi_kif_unref(rule->kif);

	pf_anchor_remove(rule);

	pf_anchor_remove(rule);

	pf_empty_pool(&rule->rpool.list);

	pf_empty_pool(&rule->rpool.list);

	counter_u64_free(rule->states_cur);

	counter_u64_free(rule->states_cur);

	counter_u64_free(rule->states_tot);

	counter_u64_free(rule->states_tot);

	counter_u64_free(rule->src_nodes);

	counter_u64_free(rule->src_nodes);

	free(rule, M_PFRULE);

	free(rule, M_PFRULE);

}

}

static u_int16_t

static u_int16_t

tagname2tag(struct pf_tags *head, char *tagname)

tagname2tag(struct pf_tags *head, char *tagname)

{

{

		}

		}

#endif /* INET6 */

#endif /* INET6 */

		rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK);

		rule = malloc(sizeof(*rule), M_PFRULE, M_WAITOK);

		bcopy(&pr->rule, rule, sizeof(struct pf_rule));

		bcopy(&pr->rule, rule, sizeof(struct pf_rule));

		if (rule->ifname[0])

		if (rule->ifname[0])

			kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);

			kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);

		rule->states_cur = counter_u64_alloc(M_WAITOK);

		rule->states_cur = counter_u64_alloc(M_WAITOK);

		rule->states_tot = counter_u64_alloc(M_WAITOK);

		rule->states_tot = counter_u64_alloc(M_WAITOK);

		rule->src_nodes = counter_u64_alloc(M_WAITOK);

		rule->src_nodes = counter_u64_alloc(M_WAITOK);

		rule->cuid = td->td_ucred->cr_ruid;

		rule->cuid = td->td_ucred->cr_ruid;

		rule->cpid = td->td_proc ? td->td_proc->p_pid : 0;

		rule->cpid = td->td_proc ? td->td_proc->p_pid : 0;

		TAILQ_INIT(&rule->rpool.list);

		TAILQ_INIT(&rule->rpool.list);

#define	ERROUT(x)	{ error = (x); goto DIOCADDRULE_error; }

#define	ERROUT(x)	{ error = (x); goto DIOCADDRULE_error; }

		PF_RULES_WLOCK();

		PF_RULES_WLOCK();

		pr->anchor[sizeof(pr->anchor) - 1] = 0;

		pr->anchor[sizeof(pr->anchor) - 1] = 0;

		ruleset = pf_find_ruleset(pr->anchor);

		ruleset = pf_find_ruleset(pr->anchor);

		if (ruleset == NULL)

		if (ruleset == NULL)

#include "opt_pf.h"

#include "opt_pf.h"

#include "opt_inet.h"

#include "opt_inet.h"

#include "opt_inet6.h"

#include "opt_inet6.h"

#include <sys/param.h>

#include <sys/param.h>

#include <sys/lock.h>

#include <sys/lock.h>

#include <sys/mbuf.h>

#include <sys/mbuf.h>

#include <sys/rwlock.h>

#include <sys/rwlock.h>

#include <sys/socket.h>

#include <sys/socket.h>

#include <sys/sysctl.h>

#include <sys/sysctl.h>

#include <net/if.h>

#include <net/if.h>

#include <net/vnet.h>

#include <net/vnet.h>

#include <net/pfvar.h>

#include <net/pfvar.h>

#include <net/if_pflog.h>

#include <net/if_pflog.h>

#define DPFPRINTF(n, x)	if (V_pf_status.debug >= (n)) printf x

#define DPFPRINTF(n, x)	if (V_pf_status.debug >= (n)) printf x

static void		 pf_hash(struct pf_addr *, struct pf_addr *,

static void		 pf_hash(struct pf_addr *, struct pf_addr *,

			    struct pf_poolhashkey *, sa_family_t);

			    struct pf_poolhashkey *, sa_family_t);

static int

static int

pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,

pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,

    struct pf_addr *saddr, uint16_t sport, struct pf_addr *daddr,

    struct pf_addr *saddr, uint16_t sport, struct pf_addr *daddr,

    uint16_t dport, struct pf_addr *naddr, uint16_t *nport, uint16_t low,

    uint16_t dport, struct pf_addr *naddr, uint16_t *nport, uint16_t low,

    uint16_t high, struct pf_src_node **sn)

    uint16_t high, struct pf_src_node **sn)

{

{

	struct pf_state_key_cmp	key;

	struct pf_state_key_cmp	key;

	struct pf_addr		init_addr;

	struct pf_addr		init_addr;

	bzero(&init_addr, sizeof(init_addr));

	bzero(&init_addr, sizeof(init_addr));

		return (1);

		return (1);

	if (proto == IPPROTO_ICMP) {

	if (proto == IPPROTO_ICMP) {

		low = 1;

		low = 1;

		high = 65535;

		high = 65535;

	}

	}

	bzero(&key, sizeof(key));

	bzero(&key, sizeof(key));

	key.af = af;

	key.af = af;

	key.proto = proto;

	key.proto = proto;

				    NULL) {

				    NULL) {

					*nport = htons(tmp);

					*nport = htons(tmp);

					return (0);

					return (0);

				}

				}

			}

			}

		}

		}

		switch (r->rpool.opts & PF_POOL_TYPEMASK) {

		switch (r->rpool.opts & PF_POOL_TYPEMASK) {

		case PF_POOL_RANDOM:

		case PF_POOL_RANDOM:

		case PF_POOL_ROUNDROBIN:

		case PF_POOL_ROUNDROBIN:

				return (1);

				return (1);

			break;

			break;

		case PF_POOL_NONE:

		case PF_POOL_NONE:

		case PF_POOL_SRCHASH:

		case PF_POOL_SRCHASH:

		case PF_POOL_BITMASK:

		case PF_POOL_BITMASK:

		default:

		default:

			return (1);

			return (1);

		}

		}

	} while (! PF_AEQ(&init_addr, naddr, af) );

	} while (! PF_AEQ(&init_addr, naddr, af) );

	return (1);					/* none available */

	return (1);					/* none available */

}

}

int

int

pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,

pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr,

{

{

	struct pf_pool		*rpool = &r->rpool;

	struct pf_pool		*rpool = &r->rpool;

	struct pf_addr		*raddr = NULL, *rmask = NULL;

	struct pf_addr		*raddr = NULL, *rmask = NULL;

	/* Try to find a src_node if none was given and this

	/* Try to find a src_node if none was given and this

	   is a sticky-address rule. */

	   is a sticky-address rule. */

	if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&

	if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR &&

	    (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE)

	    (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE)

	/* If a src_node was found or explicitly given and it has a non-zero

	/* If a src_node was found or explicitly given and it has a non-zero

	   route address, use this address. A zeroed address is found if the

	   route address, use this address. A zeroed address is found if the

	   src node was created just a moment ago in pf_create_state and it

	   src node was created just a moment ago in pf_create_state and it

	   needs to be filled in with routing decision calculated here. */

	   needs to be filled in with routing decision calculated here. */

	if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {

	if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) {

		PF_ACPY(naddr, &(*sn)->raddr, af);

		PF_ACPY(naddr, &(*sn)->raddr, af);

		if (V_pf_status.debug >= PF_DEBUG_MISC) {

		if (V_pf_status.debug >= PF_DEBUG_MISC) {

			printf("pf_map_addr: src tracking maps ");

			printf("pf_map_addr: src tracking maps ");

			pf_print_host(saddr, 0, af);

			pf_print_host(saddr, 0, af);

			printf(" to ");

			printf(" to ");

			pf_print_host(naddr, 0, af);

			pf_print_host(naddr, 0, af);

			printf("\n");

			printf("\n");

		}

		}

		return (0);

		return (0);

	}

	}

	/* Find the route using chosen algorithm. Store the found route

	/* Find the route using chosen algorithm. Store the found route

	   in src_node if it was given or found. */

	   in src_node if it was given or found. */

		return (1);

		return (1);

	if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {

	if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {

		switch (af) {

		switch (af) {

#ifdef INET

#ifdef INET

		case AF_INET:

		case AF_INET:

			if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&

			if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 &&

			    (rpool->opts & PF_POOL_TYPEMASK) !=

			    (rpool->opts & PF_POOL_TYPEMASK) !=

				return (1);

				return (1);

			 raddr = &rpool->cur->addr.p.dyn->pfid_addr4;

			 raddr = &rpool->cur->addr.p.dyn->pfid_addr4;

			 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;

			 rmask = &rpool->cur->addr.p.dyn->pfid_mask4;

			break;

			break;

#endif /* INET */

#endif /* INET */

#ifdef INET6

#ifdef INET6

		case AF_INET6:

		case AF_INET6:

			if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&

			if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 &&

			    (rpool->opts & PF_POOL_TYPEMASK) !=

			    (rpool->opts & PF_POOL_TYPEMASK) !=

				return (1);

				return (1);

			raddr = &rpool->cur->addr.p.dyn->pfid_addr6;

			raddr = &rpool->cur->addr.p.dyn->pfid_addr6;

			rmask = &rpool->cur->addr.p.dyn->pfid_mask6;

			rmask = &rpool->cur->addr.p.dyn->pfid_mask6;

			break;

			break;

#endif /* INET6 */

#endif /* INET6 */

		}

		}

	} else if (rpool->cur->addr.type == PF_ADDR_TABLE) {

	} else if (rpool->cur->addr.type == PF_ADDR_TABLE) {

			return (1); /* unsupported */

			return (1); /* unsupported */

	} else {

	} else {

		raddr = &rpool->cur->addr.v.a.addr;

		raddr = &rpool->cur->addr.v.a.addr;

		rmask = &rpool->cur->addr.v.a.mask;

		rmask = &rpool->cur->addr.v.a.mask;

	}

	}

	switch (rpool->opts & PF_POOL_TYPEMASK) {

	switch (rpool->opts & PF_POOL_TYPEMASK) {

	case PF_POOL_NONE:

	case PF_POOL_NONE:

		PF_ACPY(naddr, raddr, af);

		PF_ACPY(naddr, raddr, af);

		break;

		break;

	case PF_POOL_BITMASK:

	case PF_POOL_BITMASK:

	case PF_POOL_SRCHASH:

	case PF_POOL_SRCHASH:

	    {

	    {

		unsigned char hash[16];

		unsigned char hash[16];

		pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);

		pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af);

		PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);

		PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af);

		break;

		break;

	    }

	    }

	case PF_POOL_ROUNDROBIN:

	case PF_POOL_ROUNDROBIN:

	    {

	    {

		struct pf_pooladdr *acur = rpool->cur;

		struct pf_pooladdr *acur = rpool->cur;

		/*

		/*

		 * XXXGL: in the round-robin case we need to store

		 * XXXGL: in the round-robin case we need to store

		 * the round-robin machine state in the rule, thus

		 * the round-robin machine state in the rule, thus

		 * forwarding thread needs to modify rule.

		 * forwarding thread needs to modify rule.

		 *

		 *

		 * In the simpliest case we just update the "rpool->cur"

		 * In the simpliest case we just update the "rpool->cur"

		 * pointer. However, if pool contains tables or dynamic

		 * pointer. However, if pool contains tables or dynamic

		 * addresses, then "tblidx" is also used to store machine

		 * addresses, then "tblidx" is also used to store machine

		 */

		 */

		if (rpool->cur->addr.type == PF_ADDR_TABLE) {

		if (rpool->cur->addr.type == PF_ADDR_TABLE) {

			if (!pfr_pool_get(rpool->cur->addr.p.tbl,

			if (!pfr_pool_get(rpool->cur->addr.p.tbl,

			    &rpool->tblidx, &rpool->counter, af))

			    &rpool->tblidx, &rpool->counter, af))

				goto get_addr;

				goto get_addr;

		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {

		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {

			if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,

			if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,

			    &rpool->tblidx, &rpool->counter, af))

			    &rpool->tblidx, &rpool->counter, af))

				goto get_addr;

				goto get_addr;

			rpool->cur = TAILQ_FIRST(&rpool->list);

			rpool->cur = TAILQ_FIRST(&rpool->list);

		else

		else

			rpool->cur = TAILQ_NEXT(rpool->cur, entries);

			rpool->cur = TAILQ_NEXT(rpool->cur, entries);

		if (rpool->cur->addr.type == PF_ADDR_TABLE) {

		if (rpool->cur->addr.type == PF_ADDR_TABLE) {

			rpool->tblidx = -1;

			rpool->tblidx = -1;

			if (pfr_pool_get(rpool->cur->addr.p.tbl,

			if (pfr_pool_get(rpool->cur->addr.p.tbl,

			    &rpool->tblidx, &rpool->counter, af)) {

			    &rpool->tblidx, &rpool->counter, af)) {

				/* table contains no address of type 'af' */

				/* table contains no address of type 'af' */

				if (rpool->cur != acur)

				if (rpool->cur != acur)

					goto try_next;

					goto try_next;

				return (1);

				return (1);

			}

			}

		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {

		} else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) {

			rpool->tblidx = -1;

			rpool->tblidx = -1;

			if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,

			if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt,

			    &rpool->tblidx, &rpool->counter, af)) {

			    &rpool->tblidx, &rpool->counter, af)) {

				/* table contains no address of type 'af' */

				/* table contains no address of type 'af' */

				if (rpool->cur != acur)

				if (rpool->cur != acur)

					goto try_next;

					goto try_next;

				return (1);

				return (1);

			}

			}

		} else {

		} else {

			raddr = &rpool->cur->addr.v.a.addr;

			raddr = &rpool->cur->addr.v.a.addr;

			rmask = &rpool->cur->addr.v.a.mask;

			rmask = &rpool->cur->addr.v.a.mask;

			PF_ACPY(&rpool->counter, raddr, af);

			PF_ACPY(&rpool->counter, raddr, af);

		}

		}

	get_addr:

	get_addr:

		PF_ACPY(naddr, &rpool->counter, af);

		PF_ACPY(naddr, &rpool->counter, af);

		if (init_addr != NULL && PF_AZERO(init_addr, af))

		if (init_addr != NULL && PF_AZERO(init_addr, af))

			PF_ACPY(init_addr, naddr, af);

			PF_ACPY(init_addr, naddr, af);

		PF_AINC(&rpool->counter, af);

		PF_AINC(&rpool->counter, af);

		break;

		break;

	    }

	    }

	}

	}

		PF_ACPY(&(*sn)->raddr, naddr, af);

		PF_ACPY(&(*sn)->raddr, naddr, af);

	if (V_pf_status.debug >= PF_DEBUG_MISC &&

	if (V_pf_status.debug >= PF_DEBUG_MISC &&

	    (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {

	    (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) {

		printf("pf_map_addr: selected address ");

		printf("pf_map_addr: selected address ");

		pf_print_host(naddr, 0, af);

		pf_print_host(naddr, 0, af);

		printf("\n");

		printf("\n");

	}

	}

	return (0);

	return (0);

}

}

struct pf_rule *

struct pf_rule *

pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,

pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,

    struct pfi_kif *kif, struct pf_src_node **sn,

    struct pfi_kif *kif, struct pf_src_node **sn,

    struct pf_state_key **skp, struct pf_state_key **nkp,

    struct pf_state_key **skp, struct pf_state_key **nkp,

    struct pf_addr *saddr, struct pf_addr *daddr,

    struct pf_addr *saddr, struct pf_addr *daddr,

    uint16_t sport, uint16_t dport, struct pf_anchor_stackframe *anchor_stack)

    uint16_t sport, uint16_t dport, struct pf_anchor_stackframe *anchor_stack)

{

{

					break;

					break;

#endif /* INET6 */

#endif /* INET6 */

				}

				}

			} else

			} else

				PF_POOLMASK(naddr, &r->src.addr.v.a.addr,

				PF_POOLMASK(naddr, &r->src.addr.v.a.addr,

				    &r->src.addr.v.a.mask, daddr, pd->af);

				    &r->src.addr.v.a.mask, daddr, pd->af);

			break;

			break;

		}

		}

		break;

		break;

	case PF_RDR: {

	case PF_RDR: {

			goto notrans;

			goto notrans;

		if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)

		if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK)

			PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask,

			PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask,

			    daddr, pd->af);

			    daddr, pd->af);

		if (r->rpool.proxy_port[1]) {

		if (r->rpool.proxy_port[1]) {

			uint32_t	tmp_nport;

			uint32_t	tmp_nport;

			tmp_nport = ((ntohs(dport) - ntohs(r->dst.port[0])) %

			tmp_nport = ((ntohs(dport) - ntohs(r->dst.port[0])) %

			    (r->rpool.proxy_port[1] - r->rpool.proxy_port[0] +

			    (r->rpool.proxy_port[1] - r->rpool.proxy_port[0] +