diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h --- a/sys/net/if_pflog.h +++ b/sys/net/if_pflog.h @@ -69,9 +69,9 @@ struct pfi_kif; struct pf_pdesc; -#define PFLOG_PACKET(a,b,t,c,d,e,f,g) do { \ +#define PFLOG_PACKET(b,t,c,d,e,f,g) do { \ if (pflog_packet_ptr != NULL) \ - pflog_packet_ptr(a,b,t,c,d,e,f,g); \ + pflog_packet_ptr(b,t,c,d,e,f,g); \ } while (0) #endif /* _KERNEL */ #endif /* _NET_IF_PFLOG_H_ */ diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1249,7 +1249,7 @@ /* pflog */ struct pf_kruleset; struct pf_pdesc; -typedef int pflog_packet_t(struct mbuf *, uint8_t, u_int8_t, +typedef int pflog_packet_t(uint8_t, u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *, struct pf_pdesc *, int); extern pflog_packet_t *pflog_packet_ptr; @@ -1598,6 +1598,7 @@ } hdr; struct pfi_kkif *kif; /* incomming interface */ + struct mbuf *m; struct pf_addr *src; /* src address */ struct pf_addr *dst; /* dst address */ @@ -1650,7 +1651,6 @@ struct pf_pdesc pd; struct pf_addr src; struct pf_addr dst; - struct mbuf *m; int op; }; @@ -2355,7 +2355,7 @@ void pf_free_rule(struct pf_krule *); int pf_test_eth(int, int, struct ifnet *, struct mbuf **, struct inpcb *); -int pf_scan_sctp(struct mbuf *, struct pf_pdesc *); +int pf_scan_sctp(struct pf_pdesc *); #if defined(INET) || defined(INET6) int pf_test(sa_family_t, int, int, struct ifnet *, struct mbuf **, struct inpcb *, struct pf_rule_actions *); @@ -2375,8 +2375,8 @@ int pf_refragment6(struct ifnet *, struct mbuf **, struct m_tag *, bool); #endif /* INET6 */ -int pf_multihome_scan_init(struct mbuf *, int, int, struct pf_pdesc *); -int pf_multihome_scan_asconf(struct mbuf *, int, int, struct pf_pdesc *); +int pf_multihome_scan_init(int, int, struct pf_pdesc *); +int pf_multihome_scan_asconf(int, int, struct pf_pdesc *); u_int32_t pf_new_isn(struct pf_kstate *); void *pf_pull_hdr(const struct mbuf *, int, void *, int, u_short *, u_short *, 
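Review bot: The `struct mbuf *m;` member added to `struct pf_pdesc` in the `@@ -1598,6 +1598,7 @@` hunk of sys/net/pfvar.h has no comment, unlike the `kif`, `src` and `dst` members beside it. After this commit it is the only way the changed callees reach the packet. Any path that replaces, hands off or frees the mbuf chain therefore has to keep `pd->m` in step, or those callees will read a stale pointer; whether every such path does so cannot be seen from these hunks. I would state the contract on the field, for example `struct mbuf *m; /* packet being filtered; borrowed, update when the chain is replaced */`. The struct definition starts and ends outside the hunk.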
@@ -2398,23 +2398,23 @@ void pf_normalize_init(void); void pf_normalize_cleanup(void); -int pf_normalize_tcp(struct mbuf *, struct pf_pdesc *); +int pf_normalize_tcp(struct pf_pdesc *); void pf_normalize_tcp_cleanup(struct pf_kstate *); -int pf_normalize_tcp_init(struct mbuf *, struct pf_pdesc *, +int pf_normalize_tcp_init(struct pf_pdesc *, struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *); -int pf_normalize_tcp_stateful(struct mbuf *, struct pf_pdesc *, +int pf_normalize_tcp_stateful(struct pf_pdesc *, u_short *, struct tcphdr *, struct pf_kstate *, struct pf_state_peer *, struct pf_state_peer *, int *); -int pf_normalize_sctp_init(struct mbuf *, struct pf_pdesc *, +int pf_normalize_sctp_init(struct pf_pdesc *, struct pf_state_peer *, struct pf_state_peer *); -int pf_normalize_sctp(struct mbuf *, struct pf_pdesc *); +int pf_normalize_sctp(struct pf_pdesc *); u_int32_t pf_state_expires(const struct pf_kstate *); void pf_purge_expired_fragments(void); void pf_purge_fragments(uint32_t); int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *, int); -int pf_socket_lookup(struct pf_pdesc *, struct mbuf *); +int pf_socket_lookup(struct pf_pdesc *); struct pf_state_key *pf_alloc_state_key(int); void pfr_initialize(void); void pfr_cleanup(void); @@ -2482,12 +2482,12 @@ int pfi_clear_flags(const char *, int); int pf_match_tag(struct mbuf *, struct pf_krule *, int *, int); -int pf_tag_packet(struct mbuf *, struct pf_pdesc *, int); +int pf_tag_packet(struct pf_pdesc *, int); int pf_addr_cmp(struct pf_addr *, struct pf_addr *, sa_family_t); -u_int16_t pf_get_mss(struct mbuf *, struct pf_pdesc *); -u_int8_t pf_get_wscale(struct mbuf *, struct pf_pdesc *); +u_int16_t pf_get_mss(struct pf_pdesc *); +u_int8_t pf_get_wscale(struct pf_pdesc *); struct mbuf *pf_build_tcp(const struct pf_krule *, sa_family_t, const struct pf_addr *, const struct pf_addr *, u_int16_t, u_int16_t, u_int32_t, u_int32_t, 
@@ -2504,8 +2504,7 @@ int pf_get_syncookies(struct pfioc_nv *); int pf_set_syncookies(struct pfioc_nv *); int pf_synflood_check(struct pf_pdesc *); -void pf_syncookie_send(struct mbuf *m, - struct pf_pdesc *); +void pf_syncookie_send(struct pf_pdesc *); bool pf_syncookie_check(struct pf_pdesc *); u_int8_t pf_syncookie_validate(struct pf_pdesc *); struct mbuf * pf_syncookie_recreate_syn(struct pf_pdesc *); @@ -2590,8 +2589,7 @@ int pf_osfp_add(struct pf_osfp_ioctl *); #ifdef _KERNEL struct pf_osfp_enlist * - pf_osfp_fingerprint(struct pf_pdesc *, struct mbuf *, - const struct tcphdr *); + pf_osfp_fingerprint(struct pf_pdesc *, const struct tcphdr *); #endif /* _KERNEL */ void pf_osfp_flush(void); int pf_osfp_get(struct pf_osfp_ioctl *); @@ -2622,7 +2620,7 @@ struct pf_addr *, struct pf_addr *, struct pfi_kkif **nkif, struct pf_addr *, struct pf_ksrc_node **); -u_short pf_get_translation(struct pf_pdesc *, struct mbuf *, +u_short pf_get_translation(struct pf_pdesc *, int, struct pf_ksrc_node **, struct pf_state_key **, struct pf_state_key **, struct pf_addr *, struct pf_addr *, @@ -2630,14 +2628,14 @@ struct pf_krule **, struct pf_udp_mapping **udp_mapping); -struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct mbuf *, +struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct pf_addr *, struct pf_addr *, u_int16_t, u_int16_t); struct pf_state_key *pf_state_key_clone(const struct pf_state_key *); void pf_rule_to_actions(struct pf_krule *, struct pf_rule_actions *); -int pf_normalize_mss(struct mbuf *m, struct pf_pdesc *pd); +int pf_normalize_mss(struct pf_pdesc *pd); #if defined(INET) || defined(INET6) -void pf_scrub(struct mbuf *, struct pf_pdesc *); +void pf_scrub(struct pf_pdesc *); #endif struct pfi_kkif *pf_kkif_create(int); diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c --- a/sys/netpfil/pf/if_pflog.c +++ b/sys/netpfil/pf/if_pflog.c 
@@ -213,14 +213,14 @@ } static int -pflog_packet(struct mbuf *m, uint8_t action, u_int8_t reason, +pflog_packet(uint8_t action, u_int8_t reason, struct pf_krule *rm, struct pf_krule *am, struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe) { struct ifnet *ifn; struct pfloghdr hdr; - if (m == NULL || rm == NULL || pd == NULL) + if (rm == NULL || pd == NULL) return (1); ifn = V_pflogifs[rm->logif]; @@ -251,7 +251,7 @@ * These conditions are very very rare, however. */ if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe) - pd->lookup.done = pf_socket_lookup(pd, m); + pd->lookup.done = pf_socket_lookup(pd); if (pd->lookup.done > 0) hdr.uid = pd->lookup.uid; else @@ -265,15 +265,15 @@ if (pd->af == AF_INET && pd->dir == PF_OUT) { struct ip *ip; - ip = mtod(m, struct ip *); + ip = mtod(pd->m, struct ip *); ip->ip_sum = 0; - ip->ip_sum = in_cksum(m, ip->ip_hl << 2); + ip->ip_sum = in_cksum(pd->m, ip->ip_hl << 2); } #endif /* INET */ if_inc_counter(ifn, IFCOUNTER_OPACKETS, 1); - if_inc_counter(ifn, IFCOUNTER_OBYTES, m->m_pkthdr.len); - bpf_mtap2(ifn->if_bpf, &hdr, PFLOG_HDRLEN, m); + if_inc_counter(ifn, IFCOUNTER_OBYTES, pd->m->m_pkthdr.len); + bpf_mtap2(ifn->if_bpf, &hdr, PFLOG_HDRLEN, pd->m); return (0); } diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -294,7 +294,7 @@ static void pf_change_ap(struct mbuf *, struct pf_addr *, u_int16_t *, u_int16_t *, u_int16_t *, struct pf_addr *, u_int16_t, u_int8_t, sa_family_t); -static int pf_modulate_sack(struct mbuf *, struct pf_pdesc *, +static int pf_modulate_sack(struct pf_pdesc *, struct tcphdr *, struct pf_state_peer *); int pf_icmp_mapping(struct pf_pdesc *, u_int8_t, int *, int *, u_int16_t *, u_int16_t *); 
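Review bot: With the `m == NULL` term removed from the guard in `pflog_packet` (hunk `@@ -213,14 +213,14 @@` of sys/netpfil/pf/if_pflog.c), nothing checks the packet pointer before it is dereferenced. The dereferences are `mtod(pd->m, struct ip *)`, `pd->m->m_pkthdr.len` and `bpf_mtap2(..., pd->m)` in the `@@ -265,15 +265,15 @@` hunk. A descriptor that was zeroed or only partly filled in would turn the former early `return (1)` into a NULL dereference in the kernel; whether such a caller exists is not visible here. Keeping the old behaviour costs one term: `if (rm == NULL || pd == NULL || pd->m == NULL)`. The function body continues outside these hunks.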
@@ -320,39 +320,39 @@ static int pf_test_eth_rule(int, struct pfi_kkif *, struct mbuf **); static int pf_test_rule(struct pf_krule **, struct pf_kstate **, - struct mbuf *, struct pf_pdesc *, struct pf_krule **, + struct pf_pdesc *, struct pf_krule **, struct pf_kruleset **, struct inpcb *); static int pf_create_state(struct pf_krule *, struct pf_krule *, struct pf_krule *, struct pf_pdesc *, struct pf_ksrc_node *, struct pf_state_key *, - struct pf_state_key *, struct mbuf *, + struct pf_state_key *, u_int16_t, u_int16_t, int *, struct pf_kstate **, int, u_int16_t, u_int16_t, struct pf_krule_slist *, struct pf_udp_mapping *); -static int pf_state_key_addr_setup(struct pf_pdesc *, struct mbuf *, +static int pf_state_key_addr_setup(struct pf_pdesc *, struct pf_state_key_cmp *, int, struct pf_addr *, int, struct pf_addr *, int); static int pf_tcp_track_full(struct pf_kstate **, - struct mbuf *, struct pf_pdesc *, u_short *, int *); + struct pf_pdesc *, u_short *, int *); static int pf_tcp_track_sloppy(struct pf_kstate **, struct pf_pdesc *, u_short *); static int pf_test_state_tcp(struct pf_kstate **, - struct mbuf *, struct pf_pdesc *, u_short *); + struct pf_pdesc *, u_short *); static int pf_test_state_udp(struct pf_kstate **, - struct mbuf *, struct pf_pdesc *); + struct pf_pdesc *); int pf_icmp_state_lookup(struct pf_state_key_cmp *, - struct pf_pdesc *, struct pf_kstate **, struct mbuf *, + struct pf_pdesc *, struct pf_kstate **, int, u_int16_t, u_int16_t, int, int *, int, int); -static int pf_test_state_icmp(struct pf_kstate **, struct mbuf *, +static int pf_test_state_icmp(struct pf_kstate **, struct pf_pdesc *, u_short *); static void pf_sctp_multihome_detach_addr(const struct pf_kstate *); static void pf_sctp_multihome_delayed(struct pf_pdesc *, struct pfi_kkif *, struct pf_kstate *, int); -static int pf_test_state_sctp(struct pf_kstate **, struct mbuf *, +static int pf_test_state_sctp(struct pf_kstate **, struct pf_pdesc *, u_short *); static int 
pf_test_state_other(struct pf_kstate **, - struct mbuf *, struct pf_pdesc *); + struct pf_pdesc *); static u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t, int, u_int16_t); static int pf_check_proto_cksum(struct mbuf *, int, int, @@ -1561,7 +1561,7 @@ } static int -pf_state_key_addr_setup(struct pf_pdesc *pd, struct mbuf *m, +pf_state_key_addr_setup(struct pf_pdesc *pd, struct pf_state_key_cmp *key, int sidx, struct pf_addr *saddr, int didx, struct pf_addr *daddr, int multi) { @@ -1577,7 +1577,7 @@ case ND_NEIGHBOR_SOLICIT: if (multi) return (-1); - if (!pf_pull_hdr(m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) + if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) return (-1); target = (struct pf_addr *)&nd.nd_ns_target; daddr = target; @@ -1585,7 +1585,7 @@ case ND_NEIGHBOR_ADVERT: if (multi) return (-1); - if (!pf_pull_hdr(m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) + if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) return (-1); target = (struct pf_addr *)&nd.nd_ns_target; saddr = target; @@ -1617,7 +1617,7 @@ } struct pf_state_key * -pf_state_key_setup(struct pf_pdesc *pd, struct mbuf *m, +pf_state_key_setup(struct pf_pdesc *pd, struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t sport, u_int16_t dport) { @@ -1627,7 +1627,7 @@ if (sk == NULL) return (NULL); - if (pf_state_key_addr_setup(pd, m, (struct pf_state_key_cmp *)sk, + if (pf_state_key_addr_setup(pd, (struct pf_state_key_cmp *)sk, pd->sidx, pd->src, pd->didx, pd->dst, 0)) { uma_zfree(V_pf_state_key_z, sk); return (NULL); @@ -3272,8 +3272,8 @@ * (credits to Krzysztof Pfaff for report and patch) */ static int -pf_modulate_sack(struct mbuf *m, struct pf_pdesc *pd, - struct tcphdr *th, struct pf_state_peer *dst) +pf_modulate_sack(struct pf_pdesc *pd, struct tcphdr *th, + struct pf_state_peer *dst) { int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen; u_int8_t opts[TCP_MAXOLEN], *opt = opts; 
@@ -3282,7 +3282,7 @@ #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2) if (hlen < TCPOLEN_SACKLEN || - !pf_pull_hdr(m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) + !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) return 0; while (hlen >= TCPOLEN_SACKLEN) { @@ -3301,12 +3301,12 @@ for (i = 2; i + TCPOLEN_SACK <= olen; i += TCPOLEN_SACK) { memcpy(&sack, &opt[i], sizeof(sack)); - pf_patch_32_unaligned(m, + pf_patch_32_unaligned(pd->m, &th->th_sum, &sack.start, htonl(ntohl(sack.start) - dst->seqdiff), PF_ALGNMNT(startoff), 0); - pf_patch_32_unaligned(m, &th->th_sum, + pf_patch_32_unaligned(pd->m, &th->th_sum, &sack.end, htonl(ntohl(sack.end) - dst->seqdiff), PF_ALGNMNT(startoff), @@ -3325,7 +3325,7 @@ } if (copyback) - m_copyback(m, pd->off + sizeof(*th), thoptlen, (caddr_t)opts); + m_copyback(pd->m, pd->off + sizeof(*th), thoptlen, (caddr_t)opts); return (copyback); } @@ -3634,7 +3634,7 @@ static void pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd, - struct pf_state_key *sk, struct mbuf *m, struct tcphdr *th, + struct pf_state_key *sk, struct tcphdr *th, u_int16_t bproto_sum, u_int16_t bip_sum, u_short *reason, int rtableid) { @@ -3653,7 +3653,7 @@ *pd->proto_sum = bproto_sum; if (pd->ip_sum) *pd->ip_sum = bip_sum; - m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any); + m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); } if (pd->proto == IPPROTO_TCP && ((r->rule_flag & PFRULE_RETURNRST) || @@ -3661,7 +3661,7 @@ !(th->th_flags & TH_RST)) { u_int32_t ack = ntohl(th->th_seq) + pd->p_len; - if (pf_check_proto_cksum(m, pd->off, pd->tot_len - pd->off, + if (pf_check_proto_cksum(pd->m, pd->off, pd->tot_len - pd->off, IPPROTO_TCP, pd->af)) REASON_SET(reason, PFRES_PROTCKSUM); else { 
@@ -3679,11 +3679,11 @@ pf_send_sctp_abort(pd->af, pd, r->return_ttl, rtableid); } else if (pd->proto != IPPROTO_ICMP && pd->af == AF_INET && r->return_icmp) - pf_send_icmp(m, r->return_icmp >> 8, + pf_send_icmp(pd->m, r->return_icmp >> 8, r->return_icmp & 255, pd->af, r, rtableid); else if (pd->proto != IPPROTO_ICMPV6 && pd->af == AF_INET6 && r->return_icmp6) - pf_send_icmp(m, r->return_icmp6 >> 8, + pf_send_icmp(pd->m, r->return_icmp6 >> 8, r->return_icmp6 & 255, pd->af, r, rtableid); } @@ -3950,12 +3950,12 @@ } int -pf_tag_packet(struct mbuf *m, struct pf_pdesc *pd, int tag) +pf_tag_packet(struct pf_pdesc *pd, int tag) { KASSERT(tag > 0, ("%s: tag %d", __func__, tag)); - if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(m)) == NULL)) + if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(pd->m)) == NULL)) return (ENOMEM); pd->pf_mtag->tag = tag; @@ -4278,7 +4278,7 @@ } int -pf_socket_lookup(struct pf_pdesc *pd, struct mbuf *m) +pf_socket_lookup(struct pf_pdesc *pd) { struct pf_addr *saddr, *daddr; u_int16_t sport, dport; @@ -4318,11 +4318,11 @@ #ifdef INET case AF_INET: inp = in_pcblookup_mbuf(pi, saddr->v4, sport, daddr->v4, - dport, INPLOOKUP_RLOCKPCB, NULL, m); + dport, INPLOOKUP_RLOCKPCB, NULL, pd->m); if (inp == NULL) { inp = in_pcblookup_mbuf(pi, saddr->v4, sport, daddr->v4, dport, INPLOOKUP_WILDCARD | - INPLOOKUP_RLOCKPCB, NULL, m); + INPLOOKUP_RLOCKPCB, NULL, pd->m); if (inp == NULL) return (-1); } @@ -4331,11 +4331,11 @@ #ifdef INET6 case AF_INET6: inp = in6_pcblookup_mbuf(pi, &saddr->v6, sport, &daddr->v6, - dport, INPLOOKUP_RLOCKPCB, NULL, m); + dport, INPLOOKUP_RLOCKPCB, NULL, pd->m); if (inp == NULL) { inp = in6_pcblookup_mbuf(pi, &saddr->v6, sport, &daddr->v6, dport, INPLOOKUP_WILDCARD | - INPLOOKUP_RLOCKPCB, NULL, m); + INPLOOKUP_RLOCKPCB, NULL, pd->m); if (inp == NULL) return (-1); } 
@@ -4351,7 +4351,7 @@ } u_int8_t -pf_get_wscale(struct mbuf *m, struct pf_pdesc *pd) +pf_get_wscale(struct pf_pdesc *pd) { struct tcphdr *th = &pd->hdr.tcp; int hlen; @@ -4362,7 +4362,7 @@ hlen = th->th_off << 2; /* hlen <= sizeof(hdr) */ if (hlen <= sizeof(struct tcphdr)) return (0); - if (!pf_pull_hdr(m, pd->off, hdr, hlen, NULL, NULL, pd->af)) + if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af)) return (0); opt = hdr + sizeof(struct tcphdr); hlen -= sizeof(struct tcphdr); @@ -4392,7 +4392,7 @@ } u_int16_t -pf_get_mss(struct mbuf *m, struct pf_pdesc *pd) +pf_get_mss(struct pf_pdesc *pd) { struct tcphdr *th = &pd->hdr.tcp; int hlen; @@ -4403,7 +4403,7 @@ hlen = th->th_off << 2; /* hlen <= sizeof(hdr) */ if (hlen <= sizeof(struct tcphdr)) return (0); - if (!pf_pull_hdr(m, pd->off, hdr, hlen, NULL, NULL, pd->af)) + if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af)) return (0); opt = hdr + sizeof(struct tcphdr); hlen -= sizeof(struct tcphdr); @@ -4848,7 +4848,7 @@ static int pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, - struct mbuf *m, struct pf_pdesc *pd, struct pf_krule **am, + struct pf_pdesc *pd, struct pf_krule **am, struct pf_kruleset **rsm, struct inpcb *inp) { struct pf_krule *nr = NULL; @@ -4938,7 +4938,7 @@ r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); /* check packet for BINAT/NAT/RDR */ - transerror = pf_get_translation(pd, m, pd->off, &nsn, &sk, + transerror = pf_get_translation(pd, pd->off, &nsn, &sk, &nk, saddr, daddr, sport, dport, anchor_stack, &nr, &udp_mapping); switch (transerror) { default: @@ -4953,7 +4953,7 @@ KASSERT(nk != NULL, ("%s: null nk", __func__)); if (nr->log) { - PFLOG_PACKET(m, PF_PASS, PFRES_MATCH, nr, a, + PFLOG_PACKET(PF_PASS, PFRES_MATCH, nr, a, ruleset, pd, 1); } 
@@ -4967,7 +4967,7 @@ if (PF_ANEQ(saddr, &nk->addr[pd->sidx], pd->af) || nk->port[pd->sidx] != sport) { - pf_change_ap(m, saddr, &th->th_sport, pd->ip_sum, + pf_change_ap(pd->m, saddr, &th->th_sport, pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx], nk->port[pd->sidx], 0, pd->af); pd->sport = &th->th_sport; @@ -4976,7 +4976,7 @@ if (PF_ANEQ(daddr, &nk->addr[pd->didx], pd->af) || nk->port[pd->didx] != dport) { - pf_change_ap(m, daddr, &th->th_dport, pd->ip_sum, + pf_change_ap(pd->m, daddr, &th->th_dport, pd->ip_sum, &th->th_sum, &nk->addr[pd->didx], nk->port[pd->didx], 0, pd->af); dport = th->th_dport; @@ -4990,7 +4990,7 @@ if (PF_ANEQ(saddr, &nk->addr[pd->sidx], pd->af) || nk->port[pd->sidx] != sport) { - pf_change_ap(m, saddr, &pd->hdr.udp.uh_sport, + pf_change_ap(pd->m, saddr, &pd->hdr.udp.uh_sport, pd->ip_sum, &pd->hdr.udp.uh_sum, &nk->addr[pd->sidx], nk->port[pd->sidx], 1, pd->af); @@ -5000,7 +5000,7 @@ if (PF_ANEQ(daddr, &nk->addr[pd->didx], pd->af) || nk->port[pd->didx] != dport) { - pf_change_ap(m, daddr, &pd->hdr.udp.uh_dport, + pf_change_ap(pd->m, daddr, &pd->hdr.udp.uh_dport, pd->ip_sum, &pd->hdr.udp.uh_sum, &nk->addr[pd->didx], nk->port[pd->didx], 1, pd->af); @@ -5014,14 +5014,14 @@ if (PF_ANEQ(saddr, &nk->addr[pd->sidx], pd->af) || nk->port[pd->sidx] != sport) { - pf_change_ap(m, saddr, &pd->hdr.sctp.src_port, + pf_change_ap(pd->m, saddr, &pd->hdr.sctp.src_port, pd->ip_sum, &checksum, &nk->addr[pd->sidx], nk->port[pd->sidx], 1, pd->af); } if (PF_ANEQ(daddr, &nk->addr[pd->didx], pd->af) || nk->port[pd->didx] != dport) { - pf_change_ap(m, daddr, &pd->hdr.sctp.dest_port, + pf_change_ap(pd->m, daddr, &pd->hdr.sctp.dest_port, pd->ip_sum, &checksum, &nk->addr[pd->didx], nk->port[pd->didx], 1, pd->af); 
@@ -5046,7 +5046,7 @@ pd->hdr.icmp.icmp_id = nk->port[pd->sidx]; pd->sport = &pd->hdr.icmp.icmp_id; } - m_copyback(m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); + m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); break; #endif /* INET */ #ifdef INET6 @@ -5107,10 +5107,10 @@ PF_TEST_ATTRIB(r->proto && r->proto != pd->proto, r->skip[PF_SKIP_PROTO]); PF_TEST_ATTRIB(PF_MISMATCHAW(&r->src.addr, saddr, pd->af, - r->src.neg, pd->kif, M_GETFIB(m)), + r->src.neg, pd->kif, M_GETFIB(pd->m)), r->skip[PF_SKIP_SRC_ADDR]); PF_TEST_ATTRIB(PF_MISMATCHAW(&r->dst.addr, daddr, pd->af, - r->dst.neg, NULL, M_GETFIB(m)), + r->dst.neg, NULL, M_GETFIB(pd->m)), r->skip[PF_SKIP_DST_ADDR]); switch (pd->virtual_proto) { case PF_VPROTO_FRAGMENT: @@ -5143,13 +5143,13 @@ r->skip[PF_SKIP_DST_PORT]); /* tcp/udp only. uid.op always 0 in other cases */ PF_TEST_ATTRIB(r->uid.op && (pd->lookup.done || (pd->lookup.done = - pf_socket_lookup(pd, m), 1)) && + pf_socket_lookup(pd), 1)) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], pd->lookup.uid), TAILQ_NEXT(r, entries)); /* tcp/udp only. gid.op always 0 in other cases */ PF_TEST_ATTRIB(r->gid.op && (pd->lookup.done || (pd->lookup.done = - pf_socket_lookup(pd, m), 1)) && + pf_socket_lookup(pd), 1)) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], pd->lookup.gid), TAILQ_NEXT(r, entries)); 
@@ -5171,22 +5171,22 @@ PF_TEST_ATTRIB(r->tos && !(r->tos == pd->tos), TAILQ_NEXT(r, entries)); PF_TEST_ATTRIB(r->prio && - !pf_match_ieee8021q_pcp(r->prio, m), + !pf_match_ieee8021q_pcp(r->prio, pd->m), TAILQ_NEXT(r, entries)); PF_TEST_ATTRIB(r->prob && r->prob <= arc4random(), TAILQ_NEXT(r, entries)); - PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(m, r, &tag, + PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, &tag, pd->pf_mtag ? pd->pf_mtag->tag : 0), TAILQ_NEXT(r, entries)); - PF_TEST_ATTRIB(r->rcv_kif && !pf_match_rcvif(m, r), + PF_TEST_ATTRIB(r->rcv_kif && !pf_match_rcvif(pd->m, r), TAILQ_NEXT(r, entries)); PF_TEST_ATTRIB((r->rule_flag & PFRULE_FRAGMENT && pd->virtual_proto != PF_VPROTO_FRAGMENT), TAILQ_NEXT(r, entries)); PF_TEST_ATTRIB(r->os_fingerprint != PF_OSFP_ANY && (pd->virtual_proto != IPPROTO_TCP || !pf_osfp_match( - pf_osfp_fingerprint(pd, m, th), + pf_osfp_fingerprint(pd, th), r->os_fingerprint)), TAILQ_NEXT(r, entries)); /* FALLTHROUGH */ @@ -5207,8 +5207,7 @@ pf_counter_u64_critical_exit(); pf_rule_to_actions(r, &pd->act); if (r->log || pd->act.log & PF_LOG_MATCHES) - PFLOG_PACKET(m, - r->action, PFRES_MATCH, r, + PFLOG_PACKET(r->action, PFRES_MATCH, r, a, ruleset, pd, 1); } else { match = 1; @@ -5216,8 +5215,7 @@ *am = a; *rsm = ruleset; if (pd->act.log & PF_LOG_MATCHES) - PFLOG_PACKET(m, - r->action, PFRES_MATCH, r, + PFLOG_PACKET(r->action, PFRES_MATCH, r, a, ruleset, pd, 1); } if ((*rm)->quick) @@ -5243,8 +5241,8 @@ if (r->log || pd->act.log & PF_LOG_MATCHES) { if (rewrite) - m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any); - PFLOG_PACKET(m, r->action, reason, r, a, ruleset, pd, 1); + m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); + PFLOG_PACKET(r->action, reason, r, a, ruleset, pd, 1); } if (pd->virtual_proto != PF_VPROTO_FRAGMENT && 
@@ -5252,32 +5250,32 @@ ((r->rule_flag & PFRULE_RETURNRST) || (r->rule_flag & PFRULE_RETURNICMP) || (r->rule_flag & PFRULE_RETURN))) { - pf_return(r, nr, pd, sk, m, th, bproto_sum, + pf_return(r, nr, pd, sk, th, bproto_sum, bip_sum, &reason, r->rtableid); } if (r->action == PF_DROP) goto cleanup; - if (tag > 0 && pf_tag_packet(m, pd, tag)) { + if (tag > 0 && pf_tag_packet(pd, tag)) { REASON_SET(&reason, PFRES_MEMORY); goto cleanup; } if (pd->act.rtableid >= 0) - M_SETFIB(m, pd->act.rtableid); + M_SETFIB(pd->m, pd->act.rtableid); if (pd->virtual_proto != PF_VPROTO_FRAGMENT && (!state_icmp && (r->keep_state || nr != NULL || (pd->flags & PFDESC_TCP_NORM)))) { int action; - action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m, + action = pf_create_state(r, nr, a, pd, nsn, nk, sk, sport, dport, &rewrite, sm, tag, bproto_sum, bip_sum, &match_rules, udp_mapping); if (action != PF_PASS) { pf_udp_mapping_release(udp_mapping); if (action == PF_DROP && (r->rule_flag & PFRULE_RETURN)) - pf_return(r, nr, pd, sk, m, th, + pf_return(r, nr, pd, sk, th, bproto_sum, bip_sum, &reason, pd->act.rtableid); return (action); @@ -5295,11 +5293,11 @@ /* copy back packet headers if we performed NAT operations */ if (rewrite) - m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any); + m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); if (*sm != NULL && !((*sm)->state_flags & PFSTATE_NOSYNC) && pd->dir == PF_OUT && - V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, m)) + V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, pd->m)) /* * We want the state created, but we dont * want to send this in case a partner 
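Review bot: In the `@@ -5295,11 +5293,11 @@` hunk the packet is handed to `V_pfsync_defer_ptr(*sm, pd->m)`, and the comment that follows suggests pfsync may hold it back, yet `pd->m` still points at it afterwards. While the mbuf was a separate argument this alias ended with the callee's scope; now it lives as long as the descriptor does, so later code using `pd` can reach a packet it presumably no longer owns. I would record that on the branch, for example `/* pfsync holds pd->m from here on; do not touch it again through pd */`. The rest of the branch, including what is returned, lies outside the hunk, so whether `pd->m` is read again on this path cannot be confirmed from here.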
@@ -5326,7 +5324,7 @@ static int pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, struct pf_pdesc *pd, struct pf_ksrc_node *nsn, struct pf_state_key *nk, - struct pf_state_key *sk, struct mbuf *m, u_int16_t sport, + struct pf_state_key *sk, u_int16_t sport, u_int16_t dport, int *rewrite, struct pf_kstate **sm, int tag, u_int16_t bproto_sum, u_int16_t bip_sum, struct pf_krule_slist *match_rules, struct pf_udp_mapping *udp_mapping) @@ -5397,14 +5395,14 @@ if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) == 0) s->src.seqdiff = 1; - pf_change_proto_a(m, &th->th_seq, &th->th_sum, + pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(s->src.seqlo + s->src.seqdiff), 0); *rewrite = 1; } else s->src.seqdiff = 0; if (th->th_flags & TH_SYN) { s->src.seqhi++; - s->src.wscale = pf_get_wscale(m, pd); + s->src.wscale = pf_get_wscale(pd); } s->src.max_win = MAX(ntohs(th->th_win), 1); if (s->src.wscale & PF_WSCALE_MASK) { @@ -5464,12 +5462,12 @@ } if (pd->proto == IPPROTO_TCP) { if (s->state_flags & PFSTATE_SCRUB_TCP && - pf_normalize_tcp_init(m, pd, th, &s->src, &s->dst)) { + pf_normalize_tcp_init(pd, th, &s->src, &s->dst)) { REASON_SET(&reason, PFRES_MEMORY); goto csfailed; } if (s->state_flags & PFSTATE_SCRUB_TCP && s->src.scrub && - pf_normalize_tcp_stateful(m, pd, &reason, th, s, + pf_normalize_tcp_stateful(pd, &reason, th, s, &s->src, &s->dst, rewrite)) { /* This really shouldn't happen!!! */ DPFPRINTF(PF_DEBUG_URGENT, @@ -5478,7 +5476,7 @@ goto csfailed; } } else if (pd->proto == IPPROTO_SCTP) { - if (pf_normalize_sctp_init(m, pd, &s->src, &s->dst)) + if (pf_normalize_sctp_init(pd, &s->src, &s->dst)) goto csfailed; if (! (pd->sctp_flags & (PFDESC_SCTP_INIT | PFDESC_SCTP_ADD_IP))) goto csfailed; 
@@ -5491,7 +5489,7 @@ if (nr == NULL) { KASSERT((sk == NULL && nk == NULL), ("%s: nr %p sk %p, nk %p", __func__, nr, sk, nk)); - sk = pf_state_key_setup(pd, m, pd->src, pd->dst, sport, dport); + sk = pf_state_key_setup(pd, pd->src, pd->dst, sport, dport); if (sk == NULL) goto csfailed; nk = sk; @@ -5528,12 +5526,12 @@ *pd->proto_sum = bproto_sum; if (pd->ip_sum) *pd->ip_sum = bip_sum; - m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any); + m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); } s->src.seqhi = htonl(arc4random()); /* Find mss option */ - int rtid = M_GETFIB(m); - mss = pf_get_mss(m, pd); + int rtid = M_GETFIB(pd->m); + mss = pf_get_mss(pd); mss = pf_calc_mss(pd->src, pd->af, rtid, mss); mss = pf_calc_mss(pd->dst, pd->af, rtid, mss); s->src.mss = mss; @@ -5592,8 +5590,8 @@ } static int -pf_tcp_track_full(struct pf_kstate **state, struct mbuf *m, - struct pf_pdesc *pd, u_short *reason, int *copyback) +pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd, + u_short *reason, int *copyback) { struct tcphdr *th = &pd->hdr.tcp; struct pf_state_peer *src, *dst; @@ -5632,7 +5630,7 @@ if (((*state)->state_flags & PFSTATE_SCRUB_TCP || dst->scrub) && src->scrub == NULL) { - if (pf_normalize_tcp_init(m, pd, th, src, dst)) { + if (pf_normalize_tcp_init(pd, th, src, dst)) { REASON_SET(reason, PFRES_MEMORY); return (PF_DROP); } @@ -5644,9 +5642,9 @@ while ((src->seqdiff = arc4random() - seq) == 0) ; ack = ntohl(th->th_ack) - dst->seqdiff; - pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq + + pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq + src->seqdiff), 0); - pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0); + pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0); *copyback = 1; } else { ack = ntohl(th->th_ack); 
@@ -5656,7 +5654,7 @@ if (th->th_flags & TH_SYN) { end++; if (dst->wscale & PF_WSCALE_FLAG) { - src->wscale = pf_get_wscale(m, pd); + src->wscale = pf_get_wscale(pd); if (src->wscale & PF_WSCALE_FLAG) { /* Remove scale factor from initial * window */ @@ -5697,9 +5695,9 @@ ack = ntohl(th->th_ack) - dst->seqdiff; if (src->seqdiff) { /* Modulate sequence numbers */ - pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq + + pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq + src->seqdiff), 0); - pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0); + pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0); *copyback = 1; } end = seq + pd->p_len; @@ -5745,7 +5743,7 @@ * options anyway. */ if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) { - if (pf_modulate_sack(m, pd, th, dst)) + if (pf_modulate_sack(pd, th, dst)) *copyback = 1; } @@ -5763,7 +5761,7 @@ /* Require an exact/+1 sequence match on resets when possible */ if (dst->scrub || src->scrub) { - if (pf_normalize_tcp_stateful(m, pd, reason, th, + if (pf_normalize_tcp_stateful(pd, reason, th, *state, src, dst, copyback)) return (PF_DROP); } @@ -5863,7 +5861,7 @@ } if (dst->scrub || src->scrub) { - if (pf_normalize_tcp_stateful(m, pd, reason, th, + if (pf_normalize_tcp_stateful(pd, reason, th, *state, src, dst, copyback)) return (PF_DROP); } @@ -6112,8 +6110,8 @@ } static int -pf_test_state_tcp(struct pf_kstate **state, struct mbuf *m, - struct pf_pdesc *pd, u_short *reason) +pf_test_state_tcp(struct pf_kstate **state, struct pf_pdesc *pd, + u_short *reason) { struct pf_state_key_cmp key; struct tcphdr *th = &pd->hdr.tcp; @@ -6171,7 +6169,7 @@ if (pf_tcp_track_sloppy(state, pd, reason) == PF_DROP) return (PF_DROP); } else { - if (pf_tcp_track_full(state, m, pd, reason, + if (pf_tcp_track_full(state, pd, reason, ©back) == PF_DROP) return (PF_DROP); } 
@@ -6182,13 +6180,13 @@ if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) || nk->port[pd->sidx] != th->th_sport) - pf_change_ap(m, pd->src, &th->th_sport, + pf_change_ap(pd->m, pd->src, &th->th_sport, pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx], nk->port[pd->sidx], 0, pd->af); if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) || nk->port[pd->didx] != th->th_dport) - pf_change_ap(m, pd->dst, &th->th_dport, + pf_change_ap(pd->m, pd->dst, &th->th_dport, pd->ip_sum, &th->th_sum, &nk->addr[pd->didx], nk->port[pd->didx], 0, pd->af); copyback = 1; @@ -6196,14 +6194,13 @@ /* Copyback sequence modulation or stateful scrub changes if needed */ if (copyback) - m_copyback(m, pd->off, sizeof(*th), (caddr_t)th); + m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th); return (PF_PASS); } static int -pf_test_state_udp(struct pf_kstate **state, struct mbuf *m, - struct pf_pdesc *pd) +pf_test_state_udp(struct pf_kstate **state, struct pf_pdesc *pd) { struct pf_state_peer *src, *dst; struct pf_state_key_cmp key; @@ -6258,24 +6255,24 @@ if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) || nk->port[pd->sidx] != uh->uh_sport) - pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum, + pf_change_ap(pd->m, pd->src, &uh->uh_sport, pd->ip_sum, &uh->uh_sum, &nk->addr[pd->sidx], nk->port[pd->sidx], 1, pd->af); if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) || nk->port[pd->didx] != uh->uh_dport) - pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum, + pf_change_ap(pd->m, pd->dst, &uh->uh_dport, pd->ip_sum, &uh->uh_sum, &nk->addr[pd->didx], nk->port[pd->didx], 1, pd->af); - m_copyback(m, pd->off, sizeof(*uh), (caddr_t)uh); + m_copyback(pd->m, pd->off, sizeof(*uh), (caddr_t)uh); } return (PF_PASS); } static int -pf_test_state_sctp(struct pf_kstate **state, struct mbuf *m, - struct pf_pdesc *pd, u_short *reason) +pf_test_state_sctp(struct pf_kstate **state, struct pf_pdesc *pd, + u_short *reason) { struct pf_state_key_cmp key; struct pf_state_peer *src, *dst; 
@@ -6365,14 +6362,14 @@ if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) || nk->port[pd->sidx] != pd->hdr.sctp.src_port) { - pf_change_ap(m, pd->src, &pd->hdr.sctp.src_port, + pf_change_ap(pd->m, pd->src, &pd->hdr.sctp.src_port, pd->ip_sum, &checksum, &nk->addr[pd->sidx], nk->port[pd->sidx], 1, pd->af); } if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) || nk->port[pd->didx] != pd->hdr.sctp.dest_port) { - pf_change_ap(m, pd->dst, &pd->hdr.sctp.dest_port, + pf_change_ap(pd->m, pd->dst, &pd->hdr.sctp.dest_port, pd->ip_sum, &checksum, &nk->addr[pd->didx], nk->port[pd->didx], 1, pd->af); } @@ -6541,9 +6538,9 @@ */ j->pd.kif = V_pfi_all; ret = pf_test_rule(&r, &sm, - j->m, &j->pd, &ra, &rs, NULL); + &j->pd, &ra, &rs, NULL); PF_RULES_RUNLOCK(); - SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->m, ret); + SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->pd.m, ret); if (ret != PF_DROP && sm != NULL) { /* Inherit v_tag values. */ if (sm->direction == s->direction) { @@ -6599,7 +6596,7 @@ // New destination address! memcpy(&nj->dst, &i->addr, sizeof(nj->dst)); nj->pd.dst = &nj->dst; - nj->m = j->m; + nj->pd.m = j->pd.m; nj->op = j->op; TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, nj, next); @@ -6658,8 +6655,7 @@ } static int -pf_multihome_scan(struct mbuf *m, int start, int len, struct pf_pdesc *pd, - int op) +pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op) { int off = 0; struct pf_sctp_multihome_job *job; @@ -6667,7 +6663,7 @@ while (off < len) { struct sctp_paramhdr h; - if (!pf_pull_hdr(m, start + off, &h, sizeof(h), NULL, NULL, + if (!pf_pull_hdr(pd->m, start + off, &h, sizeof(h), NULL, NULL, pd->af)) return (PF_DROP); @@ -6683,7 +6679,7 @@ (sizeof(struct sctp_paramhdr) + sizeof(t))) return (PF_DROP); - if (!pf_pull_hdr(m, start + off + sizeof(h), &t, sizeof(t), + if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t), NULL, NULL, pd->af)) return (PF_DROP); 
@@ -6711,7 +6707,7 @@ job->pd.src = &job->src; memcpy(&job->dst, pd->dst, sizeof(job->dst)); job->pd.dst = &job->dst; - job->m = m; + job->pd.m = pd->m; job->op = op; TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next); @@ -6725,7 +6721,7 @@ (sizeof(struct sctp_paramhdr) + sizeof(t))) return (PF_DROP); - if (!pf_pull_hdr(m, start + off + sizeof(h), &t, sizeof(t), + if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t), NULL, NULL, pd->af)) return (PF_DROP); if (memcmp(&t, &pd->src->v6, sizeof(t)) == 0) @@ -6742,7 +6738,7 @@ job->pd.src = &job->src; memcpy(&job->dst, pd->dst, sizeof(job->dst)); job->pd.dst = &job->dst; - job->m = m; + job->pd.m = pd->m; job->op = op; TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next); @@ -6753,11 +6749,11 @@ int ret; struct sctp_asconf_paramhdr ah; - if (!pf_pull_hdr(m, start + off, &ah, sizeof(ah), + if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah), NULL, NULL, pd->af)) return (PF_DROP); - ret = pf_multihome_scan(m, start + off + sizeof(ah), + ret = pf_multihome_scan(start + off + sizeof(ah), ntohs(ah.ph.param_length) - sizeof(ah), pd, SCTP_ADD_IP_ADDRESS); if (ret != PF_PASS) @@ -6768,10 +6764,10 @@ int ret; struct sctp_asconf_paramhdr ah; - if (!pf_pull_hdr(m, start + off, &ah, sizeof(ah), + if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah), NULL, NULL, pd->af)) return (PF_DROP); - ret = pf_multihome_scan(m, start + off + sizeof(ah), + ret = pf_multihome_scan(start + off + sizeof(ah), ntohs(ah.ph.param_length) - sizeof(ah), pd, SCTP_DEL_IP_ADDRESS); if (ret != PF_PASS) 
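Review bot: The `job->pd.m = pd->m;` assignment in this hunk (repeated in the `@@ -6742` hunk, and copied onward by `nj->pd.m = j->pd.m;` in `@@ -6599`) stores a borrowed mbuf pointer in a queued job, and nothing states how long that pointer stays valid. Because `pf_test_rule()` now reads the mbuf from `j->pd` instead of an explicit argument, the lifetime assumption is no longer visible at the call site. I would add a comment such as `/* borrowed from the caller's pd; the job must run before that packet is released */`; this wording assumes the queue is drained while the caller still owns the packet, which needs confirming against code outside these hunks.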
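Review bot: `ntohs(ah.ph.param_length) - sizeof(ah)` is computed with no check in this hunk that the parameter length is at least `sizeof(ah)`; the same expression appears in the `@@ -6768` hunk for `SCTP_DEL_IP_ADDRESS`. The subtraction is done in `size_t` and then converted to the `int len` parameter of `pf_multihome_scan()`, so a too-short length taken from the packet wraps instead of being rejected. A guard before the recursive call, `if (ntohs(ah.ph.param_length) < sizeof(ah)) return (PF_DROP);`, would make the bound explicit. The body of `pf_multihome_scan()` starts and ends outside the hunk, so an earlier check may already exist there.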
@@ -6788,27 +6784,26 @@ return (PF_PASS); } int -pf_multihome_scan_init(struct mbuf *m, int start, int len, struct pf_pdesc *pd) +pf_multihome_scan_init(int start, int len, struct pf_pdesc *pd) { start += sizeof(struct sctp_init_chunk); len -= sizeof(struct sctp_init_chunk); - return (pf_multihome_scan(m, start, len, pd, SCTP_ADD_IP_ADDRESS)); + return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS)); } int -pf_multihome_scan_asconf(struct mbuf *m, int start, int len, - struct pf_pdesc *pd) +pf_multihome_scan_asconf(int start, int len, struct pf_pdesc *pd) { start += sizeof(struct sctp_asconf_chunk); len -= sizeof(struct sctp_asconf_chunk); - return (pf_multihome_scan(m, start, len, pd, SCTP_ADD_IP_ADDRESS)); + return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS)); } int pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, - struct pf_kstate **state, struct mbuf *m, int direction, + struct pf_kstate **state, int direction, u_int16_t icmpid, u_int16_t type, int icmp_dir, int *iidx, int multi, int inner) { @@ -6823,7 +6818,7 @@ key->port[pd->sidx] = type; key->port[pd->didx] = icmpid; } - if (pf_state_key_addr_setup(pd, m, key, pd->sidx, pd->src, + if (pf_state_key_addr_setup(pd, key, pd->sidx, pd->src, pd->didx, pd->dst, multi)) return (PF_DROP); @@ -6851,8 +6846,8 @@ } static int -pf_test_state_icmp(struct pf_kstate **state, struct mbuf *m, - struct pf_pdesc *pd, u_short *reason) +pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd, + u_short *reason) { struct pf_addr *saddr = pd->src, *daddr = pd->dst; u_int16_t *icmpsum, virtual_id, virtual_type; 
@@ -6893,14 +6888,14 @@ * ICMP query/reply message not related to a TCP/UDP packet. * Search for an ICMP state. */ - ret = pf_icmp_state_lookup(&key, pd, state, m, pd->dir, + ret = pf_icmp_state_lookup(&key, pd, state, pd->dir, virtual_id, virtual_type, icmp_dir, &iidx, PF_ICMP_MULTI_NONE, 0); if (ret >= 0) { MPASS(*state == NULL); if (ret == PF_DROP && pd->af == AF_INET6 && icmp_dir == PF_OUT) { - ret = pf_icmp_state_lookup(&key, pd, state, m, + ret = pf_icmp_state_lookup(&key, pd, state, pd->dir, virtual_id, virtual_type, icmp_dir, &iidx, multi, 0); if (ret >= 0) { @@ -6943,7 +6938,7 @@ nk->port[iidx]; } - m_copyback(m, pd->off, ICMP_MINLEN, + m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t )&pd->hdr.icmp); break; #endif /* INET */ @@ -6961,7 +6956,7 @@ &pd->hdr.icmp6.icmp6_cksum, &nk->addr[pd->didx], 0); - m_copyback(m, pd->off, sizeof(struct icmp6_hdr), + m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), (caddr_t )&pd->hdr.icmp6); break; #endif /* INET6 */ @@ -6992,13 +6987,14 @@ /* Payload packet is from the opposite direction. */ pd2.sidx = (pd->dir == PF_IN) ? 1 : 0; pd2.didx = (pd->dir == PF_IN) ? 0 : 1; + pd2.m = pd->m; switch (pd->af) { #ifdef INET case AF_INET: /* offset of h2 in mbuf chain */ ipoff2 = pd->off + ICMP_MINLEN; - if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2), + if (!pf_pull_hdr(pd->m, ipoff2, &h2, sizeof(h2), NULL, reason, pd2.af)) { DPFPRINTF(PF_DEBUG_MISC, ("pf: ICMP error message too short " @@ -7027,7 +7023,7 @@ case AF_INET6: ipoff2 = pd->off + sizeof(struct icmp6_hdr); - if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6), + if (!pf_pull_hdr(pd->m, ipoff2, &h2_6, sizeof(h2_6), NULL, reason, pd2.af)) { DPFPRINTF(PF_DEBUG_MISC, ("pf: ICMP error message too short " @@ -7035,7 +7031,7 @@ return (PF_DROP); } pd2.off = ipoff2; - if (pf_walk_header6(m, &h2_6, &pd2.off, &extoff2, + if (pf_walk_header6(pd->m, &h2_6, &pd2.off, &extoff2, &fragoff2, &pd2.proto, &jumbolen, reason) != PF_PASS) return (PF_DROP); 
@@ -7077,7 +7073,7 @@ * expected. Don't access any TCP header fields after * th_seq, an ackskew test is not possible. */ - if (!pf_pull_hdr(m, pd2.off, &th, 8, NULL, reason, + if (!pf_pull_hdr(pd->m, pd2.off, &th, 8, NULL, reason, pd2.af)) { DPFPRINTF(PF_DEBUG_MISC, ("pf: ICMP error message too short " @@ -7173,23 +7169,23 @@ switch (pd2.af) { #ifdef INET case AF_INET: - m_copyback(m, pd->off, ICMP_MINLEN, + m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t )&pd->hdr.icmp); - m_copyback(m, ipoff2, sizeof(h2), + m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t )&h2); break; #endif /* INET */ #ifdef INET6 case AF_INET6: - m_copyback(m, pd->off, + m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), (caddr_t )&pd->hdr.icmp6); - m_copyback(m, ipoff2, sizeof(h2_6), + m_copyback(pd->m, ipoff2, sizeof(h2_6), (caddr_t )&h2_6); break; #endif /* INET6 */ } - m_copyback(m, pd2.off, 8, (caddr_t)&th); + m_copyback(pd->m, pd2.off, 8, (caddr_t)&th); } return (PF_PASS); @@ -7198,7 +7194,7 @@ case IPPROTO_UDP: { struct udphdr uh; - if (!pf_pull_hdr(m, pd2.off, &uh, sizeof(uh), + if (!pf_pull_hdr(pd->m, pd2.off, &uh, sizeof(uh), NULL, reason, pd2.af)) { DPFPRINTF(PF_DEBUG_MISC, ("pf: ICMP error message too short " @@ -7242,22 +7238,22 @@ switch (pd2.af) { #ifdef INET case AF_INET: - m_copyback(m, pd->off, ICMP_MINLEN, + m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t )&pd->hdr.icmp); - m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); + m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); break; #endif /* INET */ #ifdef INET6 case AF_INET6: - m_copyback(m, pd->off, + m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), (caddr_t )&pd->hdr.icmp6); - m_copyback(m, ipoff2, sizeof(h2_6), + m_copyback(pd->m, ipoff2, sizeof(h2_6), (caddr_t )&h2_6); break; #endif /* INET6 */ } - m_copyback(m, pd2.off, sizeof(uh), (caddr_t)&uh); + m_copyback(pd->m, pd2.off, sizeof(uh), (caddr_t)&uh); } return (PF_PASS); break; 
@@ -7271,7 +7267,7 @@ return (PF_DROP); } - if (!pf_pull_hdr(m, pd2.off, iih, ICMP_MINLEN, + if (!pf_pull_hdr(pd->m, pd2.off, iih, ICMP_MINLEN, NULL, reason, pd2.af)) { DPFPRINTF(PF_DEBUG_MISC, ("pf: ICMP error message too short i" @@ -7283,7 +7279,7 @@ pf_icmp_mapping(&pd2, iih->icmp_type, &icmp_dir, &multi, &virtual_id, &virtual_type); - ret = pf_icmp_state_lookup(&key, &pd2, state, m, + ret = pf_icmp_state_lookup(&key, &pd2, state, pd2.dir, virtual_id, virtual_type, icmp_dir, &iidx, PF_ICMP_MULTI_NONE, 1); if (ret >= 0) { @@ -7317,9 +7313,9 @@ pd2.ip_sum, icmpsum, pd->ip_sum, 0, AF_INET); - m_copyback(m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); - m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); - m_copyback(m, pd2.off, ICMP_MINLEN, (caddr_t)iih); + m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); + m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); + m_copyback(pd->m, pd2.off, ICMP_MINLEN, (caddr_t)iih); } return (PF_PASS); break; @@ -7334,7 +7330,7 @@ return (PF_DROP); } - if (!pf_pull_hdr(m, pd2.off, iih, + if (!pf_pull_hdr(pd->m, pd2.off, iih, sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) { DPFPRINTF(PF_DEBUG_MISC, ("pf: ICMP error message too short " @@ -7345,7 +7341,7 @@ pf_icmp_mapping(&pd2, iih->icmp6_type, &icmp_dir, &multi, &virtual_id, &virtual_type); - ret = pf_icmp_state_lookup(&key, &pd2, state, m, + ret = pf_icmp_state_lookup(&key, &pd2, state, pd->dir, virtual_id, virtual_type, icmp_dir, &iidx, PF_ICMP_MULTI_NONE, 1); if (ret >= 0) { @@ -7353,7 +7349,7 @@ if (ret == PF_DROP && pd2.af == AF_INET6 && icmp_dir == PF_OUT) { ret = pf_icmp_state_lookup(&key, &pd2, - state, m, pd->dir, + state, pd->dir, virtual_id, virtual_type, icmp_dir, &iidx, multi, 1); if (ret >= 0) { 
@@ -7390,10 +7386,10 @@ pd2.ip_sum, icmpsum, pd->ip_sum, 0, AF_INET6); - m_copyback(m, pd->off, sizeof(struct icmp6_hdr), + m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), (caddr_t)&pd->hdr.icmp6); - m_copyback(m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6); - m_copyback(m, pd2.off, sizeof(struct icmp6_hdr), + m_copyback(pd->m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6); + m_copyback(pd->m, pd2.off, sizeof(struct icmp6_hdr), (caddr_t)iih); } return (PF_PASS); @@ -7432,17 +7428,17 @@ switch (pd2.af) { #ifdef INET case AF_INET: - m_copyback(m, pd->off, ICMP_MINLEN, + m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); - m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); + m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2); break; #endif /* INET */ #ifdef INET6 case AF_INET6: - m_copyback(m, pd->off, + m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), (caddr_t )&pd->hdr.icmp6); - m_copyback(m, ipoff2, sizeof(h2_6), + m_copyback(pd->m, ipoff2, sizeof(h2_6), (caddr_t )&h2_6); break; #endif /* INET6 */ @@ -7456,8 +7452,7 @@ } static int -pf_test_state_other(struct pf_kstate **state, struct mbuf *m, - struct pf_pdesc *pd) +pf_test_state_other(struct pf_kstate **state, struct pf_pdesc *pd) { struct pf_state_peer *src, *dst; struct pf_state_key_cmp key; @@ -8582,6 +8577,7 @@ { memset(pd, 0, sizeof(*pd)); pd->pf_mtag = pf_find_mtag(m); + pd->m = m; } static int @@ -8589,11 +8585,10 @@ u_short *action, u_short *reason, struct pfi_kkif *kif, struct pf_rule_actions *default_actions) { - struct mbuf *m = *m0; - pd->af = af; pd->dir = dir; pd->kif = kif; + pd->m = *m0; pd->sidx = (dir == PF_IN) ? 0 : 1; pd->didx = (dir == PF_IN) ? 1 : 0; 
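Review bot: `pd->m` is now assigned in both `pf_init_pdesc()` and `pf_setup_pdesc()` (the last two hunks here), but the rule that later code depends on is not written down. As far as the following hunks show, `pd->m` mirrors `*m0` and has to be reassigned every time `*m0` is replaced, for example by `m_pullup()` or reassembly. I would state that next to the assignment in `pf_setup_pdesc()`: `/* pd->m mirrors *m0; reassign it whenever *m0 is replaced or consumed. */`.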
@@ -8611,8 +8606,8 @@ case AF_INET: { struct ip *h; - if (__predict_false(m->m_len < sizeof(struct ip)) && - (m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) { + if (__predict_false((*m0)->m_len < sizeof(struct ip)) && + (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) { DPFPRINTF(PF_DEBUG_URGENT, ("pf_test: m_len < sizeof(struct ip), pullup failed\n")); *action = PF_DROP; @@ -8625,9 +8620,9 @@ *action = PF_DROP; return (-1); } - m = *m0; + pd->m = *m0; - h = mtod(m, struct ip *); + h = mtod(pd->m, struct ip *); pd->off = h->ip_hl << 2; if (pd->off < (int)sizeof(*h)) { *action = PF_DROP; @@ -8660,8 +8655,8 @@ uint32_t jumbolen; uint8_t nxt; - if (__predict_false(m->m_len < sizeof(struct ip6_hdr)) && - (m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) { + if (__predict_false((*m0)->m_len < sizeof(struct ip6_hdr)) && + (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) { DPFPRINTF(PF_DEBUG_URGENT, ("pf_test6: m_len < sizeof(struct ip6_hdr)" ", pullup failed\n")); @@ -8670,15 +8665,15 @@ return (-1); } - h = mtod(m, struct ip6_hdr *); + h = mtod(pd->m, struct ip6_hdr *); pd->off = 0; - if (pf_walk_header6(m, h, &pd->off, &pd->extoff, &fragoff, &nxt, + if (pf_walk_header6(pd->m, h, &pd->off, &pd->extoff, &fragoff, &nxt, &jumbolen, reason) != PF_PASS) { *action = PF_DROP; return (-1); } - h = mtod(m, struct ip6_hdr *); + h = mtod(pd->m, struct ip6_hdr *); pd->src = (struct pf_addr *)&h->ip6_src; pd->dst = (struct pf_addr *)&h->ip6_dst; pd->ip_sum = NULL; @@ -8707,8 +8702,8 @@ *action = PF_DROP; return (-1); } - m = *m0; - if (m == NULL) { + pd->m = *m0; + if (pd->m == NULL) { /* packet sits in reassembly queue, no error */ *action = PF_PASS; return (-1); 
@@ -8718,14 +8713,11 @@ * Reassembly may have changed the next protocol from fragment * to something else, so update. */ - h = mtod(m, struct ip6_hdr *); + h = mtod(pd->m, struct ip6_hdr *); pd->virtual_proto = pd->proto = h->ip6_nxt; - - /* refetch header, recalc offset, then update pd */ - h = mtod(m, struct ip6_hdr *); pd->off = 0; - if (pf_walk_header6(m, h, &pd->off, &pd->extoff, &fragoff, &nxt, + if (pf_walk_header6(pd->m, h, &pd->off, &pd->extoff, &fragoff, &nxt, &jumbolen, reason) != PF_PASS) { *action = PF_DROP; return (-1); @@ -8745,7 +8737,7 @@ case IPPROTO_TCP: { struct tcphdr *th = &pd->hdr.tcp; - if (!pf_pull_hdr(m, pd->off, th, sizeof(*th), action, + if (!pf_pull_hdr(pd->m, pd->off, th, sizeof(*th), action, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); @@ -8760,7 +8752,7 @@ case IPPROTO_UDP: { struct udphdr *uh = &pd->hdr.udp; - if (!pf_pull_hdr(m, pd->off, uh, sizeof(*uh), action, + if (!pf_pull_hdr(pd->m, pd->off, uh, sizeof(*uh), action, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); @@ -8768,7 +8760,7 @@ } pd->hdrlen = sizeof(*uh); if (uh->uh_dport == 0 || - ntohs(uh->uh_ulen) > m->m_pkthdr.len - pd->off || + ntohs(uh->uh_ulen) > pd->m->m_pkthdr.len - pd->off || ntohs(uh->uh_ulen) < sizeof(struct udphdr)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); @@ -8779,7 +8771,7 @@ break; } case IPPROTO_SCTP: { - if (!pf_pull_hdr(m, pd->off, &pd->hdr.sctp, sizeof(pd->hdr.sctp), + if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.sctp, sizeof(pd->hdr.sctp), action, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); @@ -8795,7 +8787,7 @@ REASON_SET(reason, PFRES_SHORT); return (-1); } - if (pf_scan_sctp(m, pd) != PF_PASS) { + if (pf_scan_sctp(pd) != PF_PASS) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); return (-1); 
@@ -8803,7 +8795,7 @@ break; } case IPPROTO_ICMP: { - if (!pf_pull_hdr(m, pd->off, &pd->hdr.icmp, ICMP_MINLEN, + if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp, ICMP_MINLEN, action, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); @@ -8816,7 +8808,7 @@ case IPPROTO_ICMPV6: { size_t icmp_hlen = sizeof(struct icmp6_hdr); - if (!pf_pull_hdr(m, pd->off, &pd->hdr.icmp6, icmp_hlen, + if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen, action, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); @@ -8834,7 +8826,7 @@ break; } if (icmp_hlen > sizeof(struct icmp6_hdr) && - !pf_pull_hdr(m, pd->off, &pd->hdr.icmp6, icmp_hlen, + !pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen, action, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); @@ -8935,7 +8927,6 @@ { struct pfi_kkif *kif; u_short action, reason = 0; - struct mbuf *m = *m0; struct m_tag *mtag; struct pf_krule *a = NULL, *r = &V_pf_default_rule; struct pf_kstate *s = NULL; @@ -8947,7 +8938,7 @@ PF_RULES_RLOCK_TRACKER; KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: bad direction %d\n", __func__, dir)); - M_ASSERTPKTHDR(m); + M_ASSERTPKTHDR(*m0); if (!V_pf_status.running) return (PF_PASS); @@ -8967,7 +8958,7 @@ return (PF_PASS); } - if (m->m_flags & M_SKIP_FIREWALL) { + if ((*m0)->m_flags & M_SKIP_FIREWALL) { PF_RULES_RUNLOCK(); return (PF_PASS); } 
@@ -8979,21 +8970,21 @@ * it here, before we do any NAT. */ if (af == AF_INET6 && dir == PF_OUT && pflags & PFIL_FWD && - IN6_LINKMTU(ifp) < pf_max_frag_size(m)) { + IN6_LINKMTU(ifp) < pf_max_frag_size(*m0)) { PF_RULES_RUNLOCK(); + icmp6_error(*m0, ICMP6_PACKET_TOO_BIG, 0, IN6_LINKMTU(ifp)); *m0 = NULL; - icmp6_error(m, ICMP6_PACKET_TOO_BIG, 0, IN6_LINKMTU(ifp)); return (PF_DROP); } #endif if (__predict_false(! M_WRITABLE(*m0))) { - m = *m0 = m_unshare(*m0, M_NOWAIT); + *m0 = m_unshare(*m0, M_NOWAIT); if (*m0 == NULL) return (PF_DROP); } - pf_init_pdesc(&pd, m); + pf_init_pdesc(&pd, *m0); if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_MTAG_FLAG_ROUTE_TO)) { pd.pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO; @@ -9007,7 +8998,7 @@ return (PF_PASS); } PF_RULES_RUNLOCK(); - (ifp->if_output)(ifp, m, sintosa(&pd.pf_mtag->dst), NULL); + (ifp->if_output)(ifp, *m0, sintosa(&pd.pf_mtag->dst), NULL); *m0 = NULL; return (PF_PASS); } @@ -9020,7 +9011,7 @@ /* But only once. We may see the packet multiple times (e.g. * PFIL_IN/PFIL_OUT). */ - pf_dummynet_flag_remove(m, pd.pf_mtag); + pf_dummynet_flag_remove(pd.m, pd.pf_mtag); PF_RULES_RUNLOCK(); return (PF_PASS); 
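Review bot: The `return (PF_DROP)` taken when `m_unshare()` fails does not call `PF_RULES_RUNLOCK()`, while the `IN6_LINKMTU` branch directly above it in this hunk releases the lock before returning. If the rules read lock is held at this point, as that neighbouring branch suggests, this path returns with the lock still held. I would write the failure branch as `if (*m0 == NULL) { PF_RULES_RUNLOCK(); return (PF_DROP); }`. The missing unlock predates this commit, but the commit rewrites the assignment just above it, so this is a good place to fix it.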
@@ -9032,29 +9023,28 @@ pd.act.log |= PF_LOG_FORCE; goto done; } - m = *m0; if (__predict_false(ip_divert_ptr != NULL) && - ((mtag = m_tag_locate(m, MTAG_PF_DIVERT, 0, NULL)) != NULL)) { + ((mtag = m_tag_locate(pd.m, MTAG_PF_DIVERT, 0, NULL)) != NULL)) { struct pf_divert_mtag *dt = (struct pf_divert_mtag *)(mtag+1); if ((dt->idir == PF_DIVERT_MTAG_DIR_IN && dir == PF_IN) || (dt->idir == PF_DIVERT_MTAG_DIR_OUT && dir == PF_OUT)) { if (pd.pf_mtag == NULL && - ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { + ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { action = PF_DROP; goto done; } pd.pf_mtag->flags |= PF_MTAG_FLAG_PACKET_LOOPED; } if (pd.pf_mtag && pd.pf_mtag->flags & PF_MTAG_FLAG_FASTFWD_OURS_PRESENT) { - m->m_flags |= M_FASTFWD_OURS; + pd.m->m_flags |= M_FASTFWD_OURS; pd.pf_mtag->flags &= ~PF_MTAG_FLAG_FASTFWD_OURS_PRESENT; } - m_tag_delete(m, mtag); + m_tag_delete(pd.m, mtag); - mtag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL); + mtag = m_tag_locate(pd.m, MTAG_IPFW_RULE, 0, NULL); if (mtag != NULL) - m_tag_delete(m, mtag); + m_tag_delete(pd.m, mtag); } switch (pd.virtual_proto) { @@ -9066,7 +9056,7 @@ if (kif == NULL || r == NULL) /* pflog */ action = PF_DROP; else - action = pf_test_rule(&r, &s, m, &pd, &a, + action = pf_test_rule(&r, &s, &pd, &a, &ruleset, inp); if (action != PF_PASS) REASON_SET(&reason, PFRES_FRAG); @@ -9076,17 +9066,17 @@ /* Respond to SYN with a syncookie. */ if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN && pd.dir == PF_IN && pf_synflood_check(&pd)) { - pf_syncookie_send(m, &pd); + pf_syncookie_send(&pd); action = PF_DROP; break; } if ((pd.hdr.tcp.th_flags & TH_ACK) && pd.p_len == 0) use_2nd_queue = 1; - action = pf_normalize_tcp(m, &pd); + action = pf_normalize_tcp(&pd); if (action == PF_DROP) goto done; - action = pf_test_state_tcp(&s, m, &pd, &reason); + action = pf_test_state_tcp(&s, &pd, &reason); if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); 
@@ -9112,8 +9102,7 @@ if (action != PF_PASS) break; - action = pf_test_state_tcp(&s, m, - &pd, &reason); + action = pf_test_state_tcp(&s, &pd, &reason); if (action != PF_PASS || s == NULL) { action = PF_DROP; break; @@ -9125,7 +9114,7 @@ action = pf_synproxy(&pd, &s, &reason); break; } else { - action = pf_test_rule(&r, &s, m, &pd, + action = pf_test_rule(&r, &s, &pd, &a, &ruleset, inp); } } @@ -9133,30 +9122,30 @@ } case IPPROTO_UDP: { - action = pf_test_state_udp(&s, m, &pd); + action = pf_test_state_udp(&s, &pd); if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); r = s->rule; a = s->anchor; } else if (s == NULL) - action = pf_test_rule(&r, &s, m, &pd, + action = pf_test_rule(&r, &s, &pd, &a, &ruleset, inp); break; } case IPPROTO_SCTP: { - action = pf_normalize_sctp(m, &pd); + action = pf_normalize_sctp(&pd); if (action == PF_DROP) goto done; - action = pf_test_state_sctp(&s, m, &pd, &reason); + action = pf_test_state_sctp(&s, &pd, &reason); if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); r = s->rule; a = s->anchor; } else if (s == NULL) { - action = pf_test_rule(&r, &s, m, + action = pf_test_rule(&r, &s, &pd, &a, &ruleset, inp); } break; @@ -9170,14 +9159,14 @@ ("dropping IPv6 packet with ICMPv4 payload")); goto done; } - action = pf_test_state_icmp(&s, m, &pd, &reason); + action = pf_test_state_icmp(&s, &pd, &reason); if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); r = s->rule; a = s->anchor; } else if (s == NULL) - action = pf_test_rule(&r, &s, m, &pd, + action = pf_test_rule(&r, &s, &pd, &a, &ruleset, inp); break; } 
@@ -9190,36 +9179,35 @@ ("pf: dropping IPv4 packet with ICMPv6 payload\n")); goto done; } - action = pf_test_state_icmp(&s, m, &pd, &reason); + action = pf_test_state_icmp(&s, &pd, &reason); if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); r = s->rule; a = s->anchor; } else if (s == NULL) - action = pf_test_rule(&r, &s, m, &pd, + action = pf_test_rule(&r, &s, &pd, &a, &ruleset, inp); break; } default: - action = pf_test_state_other(&s, m, &pd); + action = pf_test_state_other(&s, &pd); if (action == PF_PASS) { if (V_pfsync_update_state_ptr != NULL) V_pfsync_update_state_ptr(s); r = s->rule; a = s->anchor; } else if (s == NULL) - action = pf_test_rule(&r, &s, m, &pd, + action = pf_test_rule(&r, &s, &pd, &a, &ruleset, inp); break; } done: - m = *m0; PF_RULES_RUNLOCK(); - if (m == NULL) + if (pd.m == NULL) goto eat_pkt; if (action == PF_PASS && pd.badopts && @@ -9242,22 +9230,22 @@ rt = r->rt; } - if (tag > 0 && pf_tag_packet(m, &pd, tag)) { + if (tag > 0 && pf_tag_packet(&pd, tag)) { action = PF_DROP; REASON_SET(&reason, PFRES_MEMORY); } - pf_scrub(m, &pd); + pf_scrub(&pd); if (pd.proto == IPPROTO_TCP && pd.act.max_mss) - pf_normalize_mss(m, &pd); + pf_normalize_mss(&pd); if (pd.act.rtableid >= 0) - M_SETFIB(m, pd.act.rtableid); + M_SETFIB(pd.m, pd.act.rtableid); if (pd.act.flags & PFSTATE_SETPRIO) { if (pd.tos & IPTOS_LOWDELAY) use_2nd_queue = 1; - if (vlan_set_pcp(m, pd.act.set_prio[use_2nd_queue])) { + if (vlan_set_pcp(pd.m, pd.act.set_prio[use_2nd_queue])) { action = PF_DROP; REASON_SET(&reason, PFRES_MEMORY); pd.act.log = PF_LOG_FORCE; @@ -9269,7 +9257,7 @@ #ifdef ALTQ if (action == PF_PASS && pd.act.qid) { if (pd.pf_mtag == NULL && - ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { + ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { action = PF_DROP; REASON_SET(&reason, PFRES_MEMORY); } else { 
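Review bot: Dropping `m = *m0;` after the `done:` label means the `pd.m == NULL` test and everything after it rely on `pd.m` having been refreshed on every path that replaced or consumed `*m0`. The old code re-read the authoritative pointer here, so a missed update elsewhere could not leave `pf_scrub()`, `M_SETFIB()` or the logging calls working on a stale mbuf pointer. Keeping one resynchronisation, `pd.m = *m0;` right after `done:`, preserves that margin at no cost; the same concern applies to the `@@ -9422` hunk, where the guard tests `*m0` but `m_tag_find()` is given `pd.m`. `pf_test()` starts and ends outside this hunk.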
@@ -9280,7 +9268,7 @@ else pd.pf_mtag->qid = pd.act.qid; /* Add hints for ecn. */ - pd.pf_mtag->hdr = mtod(m, void *); + pd.pf_mtag->hdr = mtod(pd.m, void *); } } #endif /* ALTQ */ @@ -9295,7 +9283,7 @@ (s->nat_rule->action == PF_RDR || s->nat_rule->action == PF_BINAT) && pf_is_loopback(af, pd.dst)) - m->m_flags |= M_SKIP_FIREWALL; + pd.m->m_flags |= M_SKIP_FIREWALL; if (af == AF_INET && __predict_false(ip_divert_ptr != NULL) && action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) { @@ -9311,10 +9299,10 @@ if (s) PF_STATE_UNLOCK(s); - m_tag_prepend(m, mtag); - if (m->m_flags & M_FASTFWD_OURS) { + m_tag_prepend(pd.m, mtag); + if (pd.m->m_flags & M_FASTFWD_OURS) { if (pd.pf_mtag == NULL && - ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) { + ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) { action = PF_DROP; REASON_SET(&reason, PFRES_MEMORY); pd.act.log = PF_LOG_FORCE; @@ -9323,7 +9311,7 @@ } else { pd.pf_mtag->flags |= PF_MTAG_FLAG_FASTFWD_OURS_PRESENT; - m->m_flags &= ~M_FASTFWD_OURS; + pd.m->m_flags &= ~M_FASTFWD_OURS; } } ip_divert_ptr(*m0, dir == PF_IN); @@ -9358,12 +9346,12 @@ lr = r; if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL) - PFLOG_PACKET(m, action, reason, lr, a, + PFLOG_PACKET(action, reason, lr, a, ruleset, &pd, (s == NULL)); if (s) { SLIST_FOREACH(ri, &s->match_rules, entry) if (ri->r->log & PF_LOG_ALL) - PFLOG_PACKET(m, action, + PFLOG_PACKET(action, reason, ri->r, a, ruleset, &pd, 0); } } @@ -9422,7 +9410,7 @@ #ifdef INET6 /* If reassembled packet passed, create new fragments. */ if (af == AF_INET6 && action == PF_PASS && *m0 && dir == PF_OUT && - (mtag = m_tag_find(m, PACKET_TAG_PF_REASSEMBLED, NULL)) != NULL) + (mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL)) != NULL) action = pf_refragment6(ifp, m0, mtag, pflags & PFIL_FWD); #endif diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c 
@@ -63,7 +63,7 @@ static void pf_hash(struct pf_addr *, struct pf_addr *, struct pf_poolhashkey *, sa_family_t); -static struct pf_krule *pf_match_translation(struct pf_pdesc *, struct mbuf *, +static struct pf_krule *pf_match_translation(struct pf_pdesc *, struct pf_addr *, u_int16_t, struct pf_addr *, uint16_t, int, struct pf_kanchor_stackframe *); @@ -131,7 +131,7 @@ } static struct pf_krule * -pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, +pf_match_translation(struct pf_pdesc *pd, struct pf_addr *saddr, u_int16_t sport, struct pf_addr *daddr, uint16_t dport, int rs_num, struct pf_kanchor_stackframe *anchor_stack) @@ -166,7 +166,7 @@ else if (r->proto && r->proto != pd->proto) r = r->skip[PF_SKIP_PROTO]; else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, - src->neg, pd->kif, M_GETFIB(m))) + src->neg, pd->kif, M_GETFIB(pd->m))) r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : PF_SKIP_DST_ADDR]; else if (src->port_op && !pf_match_port(src->port_op, @@ -175,20 +175,20 @@ PF_SKIP_DST_PORT]; else if (dst != NULL && PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL, - M_GETFIB(m))) + M_GETFIB(pd->m))) r = r->skip[PF_SKIP_DST_ADDR]; else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, - 0, NULL, M_GETFIB(m))) + 0, NULL, M_GETFIB(pd->m))) r = TAILQ_NEXT(r, entries); else if (dst != NULL && dst->port_op && !pf_match_port(dst->port_op, dst->port[0], dst->port[1], dport)) r = r->skip[PF_SKIP_DST_PORT]; - else if (r->match_tag && !pf_match_tag(m, r, &tag, + else if (r->match_tag && !pf_match_tag(pd->m, r, &tag, pd->pf_mtag ? pd->pf_mtag->tag : 0)) r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != - IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, + IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, &pd->hdr.tcp), r->os_fingerprint))) r = TAILQ_NEXT(r, entries); else { 
@@ -213,10 +213,10 @@ rs_num, &r, NULL, NULL); } - if (tag > 0 && pf_tag_packet(m, pd, tag)) + if (tag > 0 && pf_tag_packet(pd, tag)) return (NULL); if (rtableid >= 0) - M_SETFIB(m, rtableid); + M_SETFIB(pd->m, rtableid); return (rm); } @@ -696,7 +696,7 @@ } u_short -pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, +pf_get_translation(struct pf_pdesc *pd, int off, struct pf_ksrc_node **sn, struct pf_state_key **skp, struct pf_state_key **nkp, struct pf_addr *saddr, struct pf_addr *daddr, uint16_t sport, uint16_t dport, struct pf_kanchor_stackframe *anchor_stack, @@ -716,17 +716,17 @@ *rp = NULL; if (pd->dir == PF_OUT) { - r = pf_match_translation(pd, m, saddr, + r = pf_match_translation(pd, saddr, sport, daddr, dport, PF_RULESET_BINAT, anchor_stack); if (r == NULL) - r = pf_match_translation(pd, m, + r = pf_match_translation(pd, saddr, sport, daddr, dport, PF_RULESET_NAT, anchor_stack); } else { - r = pf_match_translation(pd, m, saddr, + r = pf_match_translation(pd, saddr, sport, daddr, dport, PF_RULESET_RDR, anchor_stack); if (r == NULL) - r = pf_match_translation(pd, m, + r = pf_match_translation(pd, saddr, sport, daddr, dport, PF_RULESET_BINAT, anchor_stack); } @@ -741,7 +741,7 @@ return (PFRES_MAX); } - *skp = pf_state_key_setup(pd, m, saddr, daddr, sport, dport); + *skp = pf_state_key_setup(pd, saddr, daddr, sport, dport); if (*skp == NULL) return (PFRES_MEMORY); *nkp = pf_state_key_clone(*skp); diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1050,9 +1050,8 @@ pf_normalize_ip(struct mbuf **m0, u_short *reason, struct pf_pdesc *pd) { - struct mbuf *m = *m0; struct pf_krule *r; - struct ip *h = mtod(m, struct ip *); + struct ip *h = mtod(*m0, struct ip *); int mff = (ntohs(h->ip_off) & IP_MF); int hlen = h->ip_hl << 2; u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3; 
@@ -1064,6 +1063,8 @@ PF_RULES_RASSERT(); + MPASS(pd->m == *m0); + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); /* * Check if there are any scrub rules, matching or not. @@ -1088,13 +1089,13 @@ r = r->skip[PF_SKIP_PROTO]; else if (PF_MISMATCHAW(&r->src.addr, (struct pf_addr *)&h->ip_src.s_addr, AF_INET, - r->src.neg, pd->kif, M_GETFIB(m))) + r->src.neg, pd->kif, M_GETFIB(pd->m))) r = r->skip[PF_SKIP_SRC_ADDR]; else if (PF_MISMATCHAW(&r->dst.addr, (struct pf_addr *)&h->ip_dst.s_addr, AF_INET, - r->dst.neg, NULL, M_GETFIB(m))) + r->dst.neg, NULL, M_GETFIB(pd->m))) r = r->skip[PF_SKIP_DST_ADDR]; - else if (r->match_tag && !pf_match_tag(m, r, &tag, + else if (r->match_tag && !pf_match_tag(pd->m, r, &tag, pd->pf_mtag ? pd->pf_mtag->tag : 0)) r = TAILQ_NEXT(r, entries); else @@ -1178,11 +1179,11 @@ if (verdict != PF_PASS) return (PF_DROP); - m = *m0; - if (m == NULL) + pd->m = *m0; + if (pd->m == NULL) return (PF_DROP); - h = mtod(m, struct ip *); + h = mtod(pd->m, struct ip *); no_fragment: /* At this point, only IP_DF is allowed in ip_off */ @@ -1201,7 +1202,7 @@ REASON_SET(reason, PFRES_FRAG); drop: if (r != NULL && r->log) - PFLOG_PACKET(m, PF_DROP, *reason, r, NULL, NULL, pd, 1); + PFLOG_PACKET(PF_DROP, *reason, r, NULL, NULL, pd, 1); return (PF_DROP); } @@ -1212,14 +1213,13 @@ pf_normalize_ip6(struct mbuf **m0, int off, u_short *reason, struct pf_pdesc *pd) { - struct mbuf *m; struct pf_krule *r; struct ip6_frag frag; bool scrub_compat; PF_RULES_RASSERT(); - m = *m0; + pd->m = *m0; r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); /* 
@@ -1243,11 +1243,11 @@ r = r->skip[PF_SKIP_PROTO]; else if (PF_MISMATCHAW(&r->src.addr, (struct pf_addr *)&pd->src, AF_INET6, - r->src.neg, pd->kif, M_GETFIB(m))) + r->src.neg, pd->kif, M_GETFIB(pd->m))) r = r->skip[PF_SKIP_SRC_ADDR]; else if (PF_MISMATCHAW(&r->dst.addr, (struct pf_addr *)&pd->dst, AF_INET6, - r->dst.neg, NULL, M_GETFIB(m))) + r->dst.neg, NULL, M_GETFIB(pd->m))) r = r->skip[PF_SKIP_DST_ADDR]; else break; @@ -1266,7 +1266,7 @@ pf_rule_to_actions(r, &pd->act); } - if (!pf_pull_hdr(m, off, &frag, sizeof(frag), NULL, reason, AF_INET6)) + if (!pf_pull_hdr(pd->m, off, &frag, sizeof(frag), NULL, reason, AF_INET6)) return (PF_DROP); /* Offset now points to data portion. */ @@ -1277,8 +1277,8 @@ * mbuf. */ if (pf_reassemble6(m0, &frag, off, pd->extoff, reason) != PF_PASS) return (PF_DROP); - m = *m0; - if (m == NULL) + pd->m = *m0; + if (pd->m == NULL) return (PF_DROP); } @@ -1287,7 +1287,7 @@ #endif /* INET6 */ int -pf_normalize_tcp(struct mbuf *m, struct pf_pdesc *pd) +pf_normalize_tcp(struct pf_pdesc *pd) { struct pf_krule *r, *rm = NULL; struct tcphdr *th = &pd->hdr.tcp; @@ -1314,19 +1314,19 @@ else if (r->proto && r->proto != pd->proto) r = r->skip[PF_SKIP_PROTO]; else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, - r->src.neg, pd->kif, M_GETFIB(m))) + r->src.neg, pd->kif, M_GETFIB(pd->m))) r = r->skip[PF_SKIP_SRC_ADDR]; else if (r->src.port_op && !pf_match_port(r->src.port_op, r->src.port[0], r->src.port[1], th->th_sport)) r = r->skip[PF_SKIP_SRC_PORT]; else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, - r->dst.neg, NULL, M_GETFIB(m))) + r->dst.neg, NULL, M_GETFIB(pd->m))) r = r->skip[PF_SKIP_DST_ADDR]; else if (r->dst.port_op && !pf_match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], th->th_dport)) r = r->skip[PF_SKIP_DST_PORT]; else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( - pf_osfp_fingerprint(pd, m, th), + pf_osfp_fingerprint(pd, th), r->os_fingerprint)) r = TAILQ_NEXT(r, entries); else { 
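Review bot: When `pf_reassemble6()` does not return `PF_PASS`, the function returns before the new `pd->m = *m0;` runs, so `pd->m` keeps the value it had on entry. If `pf_reassemble6()` can change `*m0` before failing (not visible here), the caller is left with a descriptor that points at a different mbuf than `*m0`. Refreshing on the failure path as well closes that gap: `if (pf_reassemble6(m0, &frag, off, pd->extoff, reason) != PF_PASS) { pd->m = *m0; return (PF_DROP); }`. The two normalizers also treat the invariant differently, since `pf_normalize_ip()` asserts `MPASS(pd->m == *m0)` on entry while `pf_normalize_ip6()` assigns it; choosing one convention would make the contract easier to audit.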
@@ -1385,13 +1385,13 @@ tcp_set_flags(th, flags); nv = *(u_int16_t *)(&th->th_ack + 1); - th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, ov, nv, 0); + th->th_sum = pf_proto_cksum_fixup(pd->m, th->th_sum, ov, nv, 0); rewrite = 1; } /* Remove urgent pointer, if TH_URG is not set */ if (!(flags & TH_URG) && th->th_urp) { - th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, th->th_urp, + th->th_sum = pf_proto_cksum_fixup(pd->m, th->th_sum, th->th_urp, 0, 0); th->th_urp = 0; rewrite = 1; @@ -1399,20 +1399,20 @@ /* copy back packet headers if we sanitized */ if (rewrite) - m_copyback(m, pd->off, sizeof(*th), (caddr_t)th); + m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th); return (PF_PASS); tcp_drop: REASON_SET(&reason, PFRES_NORM); if (rm != NULL && r->log) - PFLOG_PACKET(m, PF_DROP, reason, r, NULL, NULL, pd, 1); + PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd, 1); return (PF_DROP); } int -pf_normalize_tcp_init(struct mbuf *m, struct pf_pdesc *pd, - struct tcphdr *th, struct pf_state_peer *src, struct pf_state_peer *dst) +pf_normalize_tcp_init(struct pf_pdesc *pd, struct tcphdr *th, + struct pf_state_peer *src, struct pf_state_peer *dst) { u_int32_t tsval, tsecr; u_int8_t hdr[60]; @@ -1428,14 +1428,14 @@ switch (pd->af) { #ifdef INET case AF_INET: { - struct ip *h = mtod(m, struct ip *); + struct ip *h = mtod(pd->m, struct ip *); src->scrub->pfss_ttl = h->ip_ttl; break; } #endif /* INET */ #ifdef INET6 case AF_INET6: { - struct ip6_hdr *h = mtod(m, struct ip6_hdr *); + struct ip6_hdr *h = mtod(pd->m, struct ip6_hdr *); src->scrub->pfss_ttl = h->ip6_hlim; break; } @@ -1450,7 +1450,7 @@ return (0); if (th->th_off > (sizeof(struct tcphdr) >> 2) && src->scrub && - pf_pull_hdr(m, pd->off, hdr, th->th_off << 2, NULL, NULL, pd->af)) { + pf_pull_hdr(pd->m, pd->off, hdr, th->th_off << 2, NULL, NULL, pd->af)) { /* Diddle with TCP options */ int hlen; opt = hdr + sizeof(struct tcphdr); 
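Review bot: In the `tcp_drop:` path the condition tests one pointer and dereferences another: `if (rm != NULL && r->log)`, followed by `PFLOG_PACKET(..., r, ...)`. The two presumably refer to the same rule at this point, but that depends on loop code outside the hunk, and a reader cannot confirm `r` is non-NULL from these lines alone. Using the checked pointer throughout, `if (rm != NULL && rm->log)` with `rm` passed to `PFLOG_PACKET`, would make the NULL check cover the dereference it is meant to guard.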
@@ -1501,8 +1501,8 @@ /* Someday... flush the TCP segment reassembly descriptors. */ } int -pf_normalize_sctp_init(struct mbuf *m, struct pf_pdesc *pd, - struct pf_state_peer *src, struct pf_state_peer *dst) +pf_normalize_sctp_init(struct pf_pdesc *pd, struct pf_state_peer *src, + struct pf_state_peer *dst) { src->scrub = uma_zalloc(V_pf_state_scrub_z, M_ZERO | M_NOWAIT); if (src->scrub == NULL) @@ -1520,7 +1520,7 @@ } int -pf_normalize_tcp_stateful(struct mbuf *m, struct pf_pdesc *pd, +pf_normalize_tcp_stateful(struct pf_pdesc *pd, u_short *reason, struct tcphdr *th, struct pf_kstate *state, struct pf_state_peer *src, struct pf_state_peer *dst, int *writeback) { @@ -1545,7 +1545,7 @@ #ifdef INET case AF_INET: { if (src->scrub) { - struct ip *h = mtod(m, struct ip *); + struct ip *h = mtod(pd->m, struct ip *); if (h->ip_ttl > src->scrub->pfss_ttl) src->scrub->pfss_ttl = h->ip_ttl; h->ip_ttl = src->scrub->pfss_ttl; @@ -1556,7 +1556,7 @@ #ifdef INET6 case AF_INET6: { if (src->scrub) { - struct ip6_hdr *h = mtod(m, struct ip6_hdr *); + struct ip6_hdr *h = mtod(pd->m, struct ip6_hdr *); if (h->ip6_hlim > src->scrub->pfss_ttl) src->scrub->pfss_ttl = h->ip6_hlim; h->ip6_hlim = src->scrub->pfss_ttl; @@ -1569,7 +1569,7 @@ if (th->th_off > (sizeof(struct tcphdr) >> 2) && ((src->scrub && (src->scrub->pfss_flags & PFSS_TIMESTAMP)) || (dst->scrub && (dst->scrub->pfss_flags & PFSS_TIMESTAMP))) && - pf_pull_hdr(m, pd->off, hdr, th->th_off << 2, NULL, NULL, pd->af)) { + pf_pull_hdr(pd->m, pd->off, hdr, th->th_off << 2, NULL, NULL, pd->af)) { /* Diddle with TCP options */ int hlen; opt = hdr + sizeof(struct tcphdr); @@ -1605,7 +1605,7 @@ (src->scrub->pfss_flags & PFSS_TIMESTAMP)) { tsval = ntohl(tsval); - pf_patch_32_unaligned(m, + pf_patch_32_unaligned(pd->m, &th->th_sum, &opt[2], htonl(tsval + @@ -1623,7 +1623,7 @@ PFSS_TIMESTAMP)) { tsecr = ntohl(tsecr) - dst->scrub->pfss_ts_mod; - pf_patch_32_unaligned(m, + pf_patch_32_unaligned(pd->m, &th->th_sum, &opt[6], htonl(tsecr), 
@@ -1643,7 +1643,7 @@ if (copyback) { /* Copyback the options, caller copys back header */ *writeback = 1; - m_copyback(m, pd->off + sizeof(struct tcphdr), + m_copyback(pd->m, pd->off + sizeof(struct tcphdr), (th->th_off << 2) - sizeof(struct tcphdr), hdr + sizeof(struct tcphdr)); } @@ -1915,7 +1915,7 @@ } int -pf_normalize_mss(struct mbuf *m, struct pf_pdesc *pd) +pf_normalize_mss(struct pf_pdesc *pd) { struct tcphdr *th = &pd->hdr.tcp; u_int16_t *mss; @@ -1928,7 +1928,7 @@ thoff = th->th_off << 2; cnt = thoff - sizeof(struct tcphdr); - if (cnt > 0 && !pf_pull_hdr(m, pd->off + sizeof(*th), opts, cnt, + if (cnt > 0 && !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, cnt, NULL, NULL, pd->af)) return (0); @@ -1950,14 +1950,14 @@ case TCPOPT_MAXSEG: mss = (u_int16_t *)(optp + 2); if ((ntohs(*mss)) > pd->act.max_mss) { - pf_patch_16_unaligned(m, + pf_patch_16_unaligned(pd->m, &th->th_sum, mss, htons(pd->act.max_mss), PF_ALGNMNT(startoff), 0); - m_copyback(m, pd->off + sizeof(*th), + m_copyback(pd->m, pd->off + sizeof(*th), thoff - sizeof(*th), opts); - m_copyback(m, pd->off, sizeof(*th), (caddr_t)th); + m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th); } break; default: @@ -1969,7 +1969,7 @@ } int -pf_scan_sctp(struct mbuf *m, struct pf_pdesc *pd) +pf_scan_sctp(struct pf_pdesc *pd) { struct sctp_chunkhdr ch = { }; int chunk_off = sizeof(struct sctphdr); @@ -1977,7 +1977,7 @@ int ret; while (pd->off + chunk_off < pd->tot_len) { - if (!pf_pull_hdr(m, pd->off + chunk_off, &ch, sizeof(ch), NULL, + if (!pf_pull_hdr(pd->m, pd->off + chunk_off, &ch, sizeof(ch), NULL, NULL, pd->af)) return (PF_DROP); @@ -1993,7 +1993,7 @@ case SCTP_INITIATION_ACK: { struct sctp_init_chunk init; - if (!pf_pull_hdr(m, pd->off + chunk_start, &init, + if (!pf_pull_hdr(pd->m, pd->off + chunk_start, &init, sizeof(init), NULL, NULL, pd->af)) return (PF_DROP); 
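Review bot: In the `TCPOPT_MAXSEG` case of `pf_normalize_mss()` the MSS is read with `ntohs(*mss)` through a `u_int16_t *` cast of `optp + 2`. The write a few lines later goes through `pf_patch_16_unaligned()` with `PF_ALGNMNT(startoff)`, which suggests the option is not guaranteed to be 2-byte aligned. A misaligned dereference is undefined behaviour and can fault on strict-alignment platforms. Reading the value with `memcpy(&v, optp + 2, sizeof(v));` into a local `u_int16_t v` and comparing `ntohs(v)` avoids that. The option-length checks that bound `optp + 2` are outside the hunk, so they cannot be confirmed from here.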
@@ -2025,7 +2025,7 @@ else pd->sctp_flags |= PFDESC_SCTP_INIT_ACK; - ret = pf_multihome_scan_init(m, pd->off + chunk_start, + ret = pf_multihome_scan_init(pd->off + chunk_start, ntohs(init.ch.chunk_length), pd); if (ret != PF_PASS) return (ret); @@ -2060,7 +2060,7 @@ case SCTP_ASCONF: pd->sctp_flags |= PFDESC_SCTP_ASCONF; - ret = pf_multihome_scan_asconf(m, pd->off + chunk_start, + ret = pf_multihome_scan_asconf(pd->off + chunk_start, ntohs(ch.chunk_length), pd); if (ret != PF_PASS) return (ret); @@ -2093,7 +2093,7 @@ } int -pf_normalize_sctp(struct mbuf *m, struct pf_pdesc *pd) +pf_normalize_sctp(struct pf_pdesc *pd) { struct pf_krule *r, *rm = NULL; struct sctphdr *sh = &pd->hdr.sctp; @@ -2118,13 +2118,13 @@ else if (r->proto && r->proto != pd->proto) r = r->skip[PF_SKIP_PROTO]; else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, - r->src.neg, pd->kif, M_GETFIB(m))) + r->src.neg, pd->kif, M_GETFIB(pd->m))) r = r->skip[PF_SKIP_SRC_ADDR]; else if (r->src.port_op && !pf_match_port(r->src.port_op, r->src.port[0], r->src.port[1], sh->src_port)) r = r->skip[PF_SKIP_SRC_PORT]; else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, - r->dst.neg, NULL, M_GETFIB(m))) + r->dst.neg, NULL, M_GETFIB(pd->m))) r = r->skip[PF_SKIP_DST_ADDR]; else if (r->dst.port_op && !pf_match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], sh->dest_port)) @@ -2161,7 +2161,7 @@ sctp_drop: REASON_SET(&reason, PFRES_NORM); if (rm != NULL && r->log) - PFLOG_PACKET(m, PF_DROP, reason, r, NULL, NULL, pd, + PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd, 1); return (PF_DROP); @@ -2169,12 +2169,12 @@ #if defined(INET) || defined(INET6) void -pf_scrub(struct mbuf *m, struct pf_pdesc *pd) +pf_scrub(struct pf_pdesc *pd) { - struct ip *h = mtod(m, struct ip *); + struct ip *h = mtod(pd->m, struct ip *); #ifdef INET6 - struct ip6_hdr *h6 = mtod(m, struct ip6_hdr *); + struct ip6_hdr *h6 = mtod(pd->m, struct ip6_hdr *); #endif /* Clear IP_DF if no-df was requested */ 
diff --git a/sys/netpfil/pf/pf_osfp.c b/sys/netpfil/pf/pf_osfp.c --- a/sys/netpfil/pf/pf_osfp.c +++ b/sys/netpfil/pf/pf_osfp.c @@ -67,8 +67,7 @@ * Returns the list of possible OSes. */ struct pf_osfp_enlist * -pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m, - const struct tcphdr *tcp) +pf_osfp_fingerprint(struct pf_pdesc *pd, const struct tcphdr *tcp) { struct ip *ip = NULL; struct ip6_hdr *ip6 = NULL; @@ -79,14 +78,14 @@ switch (pd->af) { case AF_INET: - ip = mtod(m, struct ip *); + ip = mtod(pd->m, struct ip *); ip6 = (struct ip6_hdr *)NULL; break; case AF_INET6: - ip6 = mtod(m, struct ip6_hdr *); + ip6 = mtod(pd->m, struct ip6_hdr *); break; } - if (!pf_pull_hdr(m, pd->off, hdr, tcp->th_off << 2, NULL, NULL, + if (!pf_pull_hdr(pd->m, pd->off, hdr, tcp->th_off << 2, NULL, NULL, pd->af)) return (NULL); return (pf_osfp_fingerprint_hdr(ip, ip6, (struct tcphdr *)hdr)); diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c --- a/sys/netpfil/pf/pf_syncookies.c +++ b/sys/netpfil/pf/pf_syncookies.c @@ -119,8 +119,7 @@ void pf_syncookie_newkey(void); uint32_t pf_syncookie_mac(struct pf_pdesc *, union pf_syncookie, uint32_t); -uint32_t pf_syncookie_generate(struct mbuf *m, struct pf_pdesc *, - uint16_t); +uint32_t pf_syncookie_generate(struct pf_pdesc *, uint16_t); void pf_syncookies_init(void) @@ -290,13 +289,13 @@ } void -pf_syncookie_send(struct mbuf *m, struct pf_pdesc *pd) +pf_syncookie_send(struct pf_pdesc *pd) { uint16_t mss; uint32_t iss; - mss = max(V_tcp_mssdflt, pf_get_mss(m, pd)); - iss = pf_syncookie_generate(m, pd, mss); + mss = max(V_tcp_mssdflt, pf_get_mss(pd)); + iss = pf_syncookie_generate(pd, mss); pf_send_tcp(NULL, pd->af, pd->dst, pd->src, *pd->dport, *pd->sport, iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss, 0, true, 0, 0, pd->act.rtableid); 
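Review bot: The comment above `pf_osfp_fingerprint()` (only its tail, "Returns the list of possible OSes.", is visible) does not say where the packet comes from now that the `struct mbuf *m` parameter is gone. The body reads the IP header with `mtod(pd->m, ...)` and pulls the TCP header from `pd->m` at `pd->off`, so callers must have set `pd->m` first. I would add a line such as `* The packet is taken from pd->m, which the caller must have set.` to that comment. The same precondition presumably applies to `pf_syncookie_send()` in pf_syncookies.c, which now passes only `pd` to `pf_get_mss()` and `pf_syncookie_generate()`.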
@@ -457,7 +456,7 @@ } uint32_t -pf_syncookie_generate(struct mbuf *m, struct pf_pdesc *pd, uint16_t mss) +pf_syncookie_generate(struct pf_pdesc *pd, uint16_t mss) { uint8_t i, wscale; uint32_t iss, hash; @@ -474,7 +473,7 @@ cookie.flags.mss_idx = i; /* map WSCALE */ - wscale = pf_get_wscale(m, pd); + wscale = pf_get_wscale(pd); for (i = nitems(pf_syncookie_wstab) - 1; pf_syncookie_wstab[i] > wscale && i > 0; i--) /* nada */;