diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -2338,7 +2338,7 @@ extern void pf_unlink_src_node(struct pf_ksrc_node *); extern u_int pf_free_src_nodes(struct pf_ksrc_node_list *); extern void pf_print_state(struct pf_kstate *); -extern void pf_print_flags(u_int8_t); +extern void pf_print_flags(uint16_t); extern int pf_addr_wrap_neq(struct pf_addr_wrap *, struct pf_addr_wrap *); extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t, diff --git a/sys/net/slcompress.c b/sys/net/slcompress.c --- a/sys/net/slcompress.c +++ b/sys/net/slcompress.c @@ -170,7 +170,7 @@ return (TYPE_IP); th = (struct tcphdr *)&((int32_t *)ip)[hlen]; - if ((th->th_flags & (TH_SYN|TH_FIN|TH_RST|TH_ACK)) != TH_ACK) + if ((tcp_get_flags(th) & (TH_SYN|TH_FIN|TH_RST|TH_ACK)) != TH_ACK) return (TYPE_IP); /* * Packet is compressible -- we're going to send either a @@ -271,7 +271,7 @@ * ack, seq (the order minimizes the number of temporaries * needed in this section of code). */ - if (th->th_flags & TH_URG) { + if (tcp_get_flags(th) & TH_URG) { deltaS = ntohs(th->th_urp); ENCODEZ(deltaS); changes |= NEW_U; @@ -351,7 +351,7 @@ ENCODEZ(deltaS); changes |= NEW_I; } - if (th->th_flags & TH_PUSH) + if (tcp_get_flags(th) & TH_PUSH) changes |= TCP_PUSH_BIT; /* * Grab the cksum before we overwrite it below. Then update our @@ -516,9 +516,9 @@ th->th_sum = htons((*cp << 8) | cp[1]); cp += 2; if (changes & TCP_PUSH_BIT) - th->th_flags |= TH_PUSH; + tcp_set_flags(th, tcp_get_flags(th) | TH_PUSH); else - th->th_flags &=~ TH_PUSH; + tcp_set_flags(th, tcp_get_flags(th) & ~TH_PUSH); switch (changes & SPECIALS_MASK) { case SPECIAL_I: @@ -536,10 +536,10 @@ default: if (changes & NEW_U) { - th->th_flags |= TH_URG; + tcp_set_flags(th, tcp_get_flags(th) | TH_URG); DECODEU(th->th_urp) } else - th->th_flags &=~ TH_URG; + tcp_set_flags(th, tcp_get_flags(th) & ~TH_URG); if (changes & NEW_W) DECODES(th->th_win) if (changes & NEW_A) diff --git a/sys/netinet/libalias/alias.c b/sys/netinet/libalias/alias.c --- a/sys/netinet/libalias/alias.c +++ b/sys/netinet/libalias/alias.c @@ -183,12 +183,12 @@ */ /* Local prototypes */ -static void TcpMonitorIn(u_char, struct alias_link *); +static void TcpMonitorIn(u_int, struct alias_link *); -static void TcpMonitorOut(u_char, struct alias_link *); +static void TcpMonitorOut(u_int, struct alias_link *); static void -TcpMonitorIn(u_char th_flags, struct alias_link *lnk) +TcpMonitorIn(u_int th_flags, struct alias_link *lnk) { switch (GetStateIn(lnk)) { case ALIAS_TCP_STATE_NOT_CONNECTED: @@ -205,7 +205,7 @@ } static void -TcpMonitorOut(u_char th_flags, struct alias_link *lnk) +TcpMonitorOut(u_int th_flags, struct alias_link *lnk) { switch (GetStateOut(lnk)) { case ALIAS_TCP_STATE_NOT_CONNECTED: @@ -1053,7 +1053,7 @@ /* Monitor TCP connection state */ tc = (struct tcphdr *)ip_next(pip); - TcpMonitorIn(tc->th_flags, lnk); + TcpMonitorIn(__tcp_get_flags(tc), lnk); return (PKT_ALIAS_OK); } @@ -1142,7 +1142,7 @@ /* Monitor TCP connection state */ tc = (struct tcphdr *)ip_next(pip); - TcpMonitorOut(tc->th_flags, lnk); + TcpMonitorOut(__tcp_get_flags(tc), lnk); /* Walk out chain. */ find_handler(OUT, TCP, la, pip, &ad); diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -1263,7 +1263,6 @@ bcopy(opt, th + 1, optlen); th->th_off = (sizeof (struct tcphdr) + optlen) >> 2; } - tcp_set_flags(th, flags); /* * Calculate receive window. Don't shrink window, * but avoid silly window syndrome. @@ -1308,8 +1307,8 @@ tp->t_flags &= ~TF_RXWIN0SENT; if (SEQ_GT(tp->snd_up, tp->snd_nxt)) { th->th_urp = htons((u_short)(tp->snd_up - tp->snd_nxt)); - th->th_flags |= TH_URG; - } else + flags |= TH_URG; + } else { /* * If no urgent pointer to send, then we pull * the urgent pointer to the left edge of the send window @@ -1317,6 +1316,8 @@ * number wraparound. */ tp->snd_up = tp->snd_una; /* drag it along */ + } + tcp_set_flags(th, flags); /* * Put TCP length in extended header, and then diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c @@ -1330,8 +1330,8 @@ return (1); } - flags = tcp->th_flags; - fin->fin_tcpf = tcp->th_flags; + flags = tcp_get_flags(tcp); + fin->fin_tcpf = tcp_get_flags(tcp); /* * If the urgent flag is set, then the urgent pointer must diff --git a/sys/netpfil/ipfilter/netinet/ip_compat.h b/sys/netpfil/ipfilter/netinet/ip_compat.h --- a/sys/netpfil/ipfilter/netinet/ip_compat.h +++ b/sys/netpfil/ipfilter/netinet/ip_compat.h @@ -696,7 +696,7 @@ #define IPMINLEN(i, h) ((i)->ip_len >= (IP_HL(i) * 4 + sizeof(struct h))) #define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|\ - TH_ECN|TH_CWR) + TH_ECN|TH_CWR|TH_AE) #if !SOLARIS && !defined(m_act) # define m_act m_nextpkt @@ -1128,7 +1128,10 @@ #ifndef TH_CWR # define TH_CWR 0x80 #endif -#define TH_ECNALL (TH_ECN|TH_CWR) +#ifndef TH_AE +# define TH_AE 0x100 +#endif +#define TH_ECNALL (TH_ECN|TH_CWR|TH_AE) /* * TCP States diff --git a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c --- a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c +++ b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c @@ -341,15 +341,15 @@ ip_t *ip; tcp = fin->fin_dp; - if (tcp->th_flags & TH_RST) + if (tcp_get_flags(tcp) & TH_RST) return (-1); /* feedback loop */ if (ipf_checkl4sum(fin) == -1) return (-1); tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) + - ((tcp->th_flags & TH_SYN) ? 1 : 0) + - ((tcp->th_flags & TH_FIN) ? 1 : 0); + ((tcp_get_flags(tcp) & TH_SYN) ? 1 : 0) + + ((tcp_get_flags(tcp) & TH_FIN) ? 1 : 0); #ifdef USE_INET6 hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t); diff --git a/sys/netpfil/ipfilter/netinet/ip_ftp_pxy.c b/sys/netpfil/ipfilter/netinet/ip_ftp_pxy.c --- a/sys/netpfil/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/netpfil/ipfilter/netinet/ip_ftp_pxy.c @@ -543,7 +543,7 @@ tcp2->th_win = htons(8192); TCP_OFF_A(tcp2, 5); - tcp2->th_flags = TH_SYN; + tcp_set_flags(tcp2, TH_SYN); if (nat->nat_dir == NAT_INBOUND) { fi.fin_out = 1; @@ -873,7 +873,7 @@ fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE; TCP_OFF_A(tcp2, 5); - tcp2->th_flags = TH_SYN; + tcp_set_flags(tcp2, TH_SYN); tcp2->th_win = htons(8192); tcp2->th_dport = htons(port); @@ -1240,9 +1240,9 @@ if (softf->ipf_p_ftp_debug & DEBUG_INFO) printf("ipf_p_ftp_process: %d:%d,%d, mlen %d flags %x\n", fin->fin_out, fin->fin_sport, fin->fin_dport, - mlen, tcp->th_flags); + mlen, tcp_get_flags(tcp)); - if ((mlen == 0) && ((tcp->th_flags & TH_OPENING) == TH_OPENING)) { + if ((mlen == 0) && ((tcp_get_flags(tcp) & TH_OPENING) == TH_OPENING)) { f->ftps_seq[0] = thseq + 1; t->ftps_seq[0] = thack; return (0); @@ -1283,7 +1283,7 @@ } if (softf->ipf_p_ftp_debug & DEBUG_INFO) { printf("%s: %x seq %x/%d ack %x/%d len %d/%d off %d\n", - rv ? "IN" : "OUT", tcp->th_flags, thseq, seqoff, + rv ? "IN" : "OUT", tcp_get_flags(tcp), thseq, seqoff, thack, ackoff, mlen, fin->fin_plen, off); printf("sel %d seqmin %x/%x offset %d/%d\n", sel, aps->aps_seqmin[sel], aps->aps_seqmin[sel2], @@ -1357,7 +1357,7 @@ f->ftps_seq[0], f->ftps_seq[1]); } - if (tcp->th_flags & TH_FIN) { + if (tcp_get_flags(tcp) & TH_FIN) { if (thseq == f->ftps_seq[1]) { f->ftps_seq[0] = f->ftps_seq[1] - seqoff; f->ftps_seq[1] = thseq + 1 - seqoff; @@ -1530,7 +1530,7 @@ } /* f->ftps_seq[1] += inc; */ - if (tcp->th_flags & TH_FIN) + if (tcp_get_flags(tcp) & TH_FIN) f->ftps_seq[1]++; if (softf->ipf_p_ftp_debug & DEBUG_PARSE_INFO) { mlen = MSGDSIZE(m); diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -5715,7 +5715,7 @@ * Do a MSS CLAMPING on a SYN packet, * only deal IPv4 for now. */ - if ((nat->nat_mssclamp != 0) && (tcp->th_flags & TH_SYN) != 0) + if ((nat->nat_mssclamp != 0) && (tcp_get_flags(tcp) & TH_SYN) != 0) ipf_nat_mssclamp(tcp, nat->nat_mssclamp, fin, csump); break; diff --git a/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c b/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c --- a/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c +++ b/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c @@ -515,7 +515,7 @@ rev = 0; tcp = (tcphdr_t *)fin->fin_dp; - if ((tcp->th_flags & TH_OPENING) == TH_OPENING) { + if ((tcp_get_flags(tcp) & TH_OPENING) == TH_OPENING) { pptp = (pptp_pxy_t *)aps->aps_data; pptp->pptp_side[1 - rev].pptps_next = ntohl(tcp->th_ack); pptp->pptp_side[1 - rev].pptps_nexthdr = ntohl(tcp->th_ack); diff --git a/sys/netpfil/ipfilter/netinet/ip_rcmd_pxy.c b/sys/netpfil/ipfilter/netinet/ip_rcmd_pxy.c --- a/sys/netpfil/ipfilter/netinet/ip_rcmd_pxy.c +++ b/sys/netpfil/ipfilter/netinet/ip_rcmd_pxy.c @@ -263,7 +263,7 @@ bzero((char *)tcp2, sizeof(*tcp2)); tcp2->th_win = htons(8192); TCP_OFF_A(tcp2, 5); - tcp2->th_flags = TH_SYN; + tcp_set_flags(tcp2, TH_SYN); fi.fin_dp = (char *)tcp2; fi.fin_fr = &rcmdfr; diff --git a/sys/netpfil/ipfilter/netinet/ip_rpcb_pxy.c b/sys/netpfil/ipfilter/netinet/ip_rpcb_pxy.c --- a/sys/netpfil/ipfilter/netinet/ip_rpcb_pxy.c +++ b/sys/netpfil/ipfilter/netinet/ip_rpcb_pxy.c @@ -1127,7 +1127,7 @@ tcp.th_win = htons(8192); TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2); fi.fin_dlen = sizeof(tcphdr_t); - tcp.th_flags = TH_SYN; + tcp_set_flags(&tcp, TH_SYN); nflags = NAT_TCP; } else { fi.fin_dlen = sizeof(udphdr_t); diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c --- a/sys/netpfil/ipfilter/netinet/ip_state.c +++ b/sys/netpfil/ipfilter/netinet/ip_state.c @@ -1520,7 +1520,7 @@ case IPPROTO_TCP : tcp = fin->fin_dp; - if (tcp->th_flags & TH_RST) { + if (tcp_get_flags(tcp) & TH_RST) { SBUMPD(ipf_state_stats, iss_tcp_rstadd); return (-4); } @@ -1553,15 +1553,15 @@ if ((fin->fin_flx & FI_IGNORE) == 0) { is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen - (TCP_OFF(tcp) << 2) + - ((tcp->th_flags & TH_SYN) ? 1 : 0) + - ((tcp->th_flags & TH_FIN) ? 1 : 0); + ((tcp_get_flags(tcp) & TH_SYN) ? 1 : 0) + + ((tcp_get_flags(tcp) & TH_FIN) ? 1 : 0); is->is_maxsend = is->is_send; /* * Window scale option is only present in * SYN/SYN-ACK packet. */ - if ((tcp->th_flags & ~(TH_FIN|TH_ACK|TH_ECNALL)) == + if ((tcp_get_flags(tcp) & ~(TH_FIN|TH_ACK|TH_ECNALL)) == TH_SYN && (TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) { if (ipf_tcpoptions(softs, fin, tcp, @@ -1576,7 +1576,7 @@ ipf_fixoutisn(fin, is); } - if ((tcp->th_flags & TH_OPENING) == TH_SYN) + if ((tcp_get_flags(tcp) & TH_OPENING) == TH_SYN) flags |= IS_TCPFSM; else { is->is_maxdwin = is->is_maxswin * 2; @@ -1968,7 +1968,7 @@ * If a SYN packet is received for a connection that is on the way out * but hasn't yet departed then advance this session along the way. */ - if ((tcp->th_flags & TH_OPENING) == TH_SYN) { + if ((tcp_get_flags(tcp) & TH_OPENING) == TH_SYN) { if ((is->is_state[0] > IPF_TCPS_ESTABLISHED) && (is->is_state[1] > IPF_TCPS_ESTABLISHED)) { is->is_state[!source] = IPF_TCPS_CLOSED; @@ -2011,7 +2011,7 @@ * Window scale option is only present in SYN/SYN-ACK packet. * Compare with ~TH_FIN to mask out T/TCP setups. */ - flags = tcp->th_flags & ~(TH_FIN|TH_ECNALL); + flags = tcp_get_flags(tcp) & ~(TH_FIN|TH_ECNALL); if (flags == (TH_SYN|TH_ACK)) { is->is_s0[source] = ntohl(tcp->th_ack); is->is_s0[!source] = ntohl(tcp->th_seq) + 1; @@ -2110,7 +2110,7 @@ /* * Find difference between last checked packet and this packet. */ - tcpflags = tcp->th_flags; + tcpflags = tcp_get_flags(tcp); seq = ntohl(tcp->th_seq); ack = ntohl(tcp->th_ack); if (tcpflags & TH_SYN) @@ -2313,8 +2313,8 @@ clone->is_state[0] = 0; clone->is_state[1] = 0; send = ntohl(tcp->th_seq) + fin->fin_dlen - (TCP_OFF(tcp) << 2) + - ((tcp->th_flags & TH_SYN) ? 1 : 0) + - ((tcp->th_flags & TH_FIN) ? 1 : 0); + ((tcp_get_flags(tcp) & TH_SYN) ? 1 : 0) + + ((tcp_get_flags(tcp) & TH_FIN) ? 1 : 0); if (fin->fin_rev == 1) { clone->is_dend = send; @@ -3954,7 +3954,7 @@ rval = 0; dir = fin->fin_rev; - tcpflags = tcp->th_flags; + tcpflags = tcp_get_flags(tcp); dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2); ostate = tqe->tqe_state[1 - dir]; nstate = tqe->tqe_state[dir]; diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c @@ -719,12 +719,12 @@ if (flags & TH_RST) { if (flags & TH_ACK) { th->th_seq = htonl(ack); - th->th_flags = TH_RST; + tcp_set_flags(th, TH_RST); } else { if (flags & TH_SYN) seq++; th->th_ack = htonl(seq); - th->th_flags = TH_RST | TH_ACK; + tcp_set_flags(th, TH_RST | TH_ACK); } } else { /* @@ -732,7 +732,7 @@ */ th->th_seq = htonl(seq); th->th_ack = htonl(ack); - th->th_flags = TH_ACK; + tcp_set_flags(th, TH_ACK); } switch (id->addr_type) { @@ -893,11 +893,11 @@ struct tcphdr *tcp; tcp = (struct tcphdr *)((char *)ip6 + hlen); - if ((tcp->th_flags & TH_RST) == 0) { + if ((tcp_get_flags(tcp) & TH_RST) == 0) { struct mbuf *m0; m0 = ipfw_send_pkt(args->m, &(args->f_id), ntohl(tcp->th_seq), ntohl(tcp->th_ack), - tcp->th_flags | TH_RST); + tcp_get_flags(tcp) | TH_RST); if (m0 != NULL) ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); @@ -1021,11 +1021,11 @@ } else if (code == ICMP_REJECT_RST && args->f_id.proto == IPPROTO_TCP) { struct tcphdr *const tcp = L3HDR(struct tcphdr, mtod(args->m, struct ip *)); - if ( (tcp->th_flags & TH_RST) == 0) { + if ( (tcp_get_flags(tcp) & TH_RST) == 0) { struct mbuf *m; m = ipfw_send_pkt(args->m, &(args->f_id), ntohl(tcp->th_seq), ntohl(tcp->th_ack), - tcp->th_flags | TH_RST); + tcp_get_flags(tcp) | TH_RST); if (m != NULL) ip_output(m, NULL, NULL, 0, NULL, NULL); } @@ -1571,7 +1571,7 @@ dst_port = TCP(ulp)->th_dport; src_port = TCP(ulp)->th_sport; /* save flags for dynamic rules */ - args->f_id._flags = TCP(ulp)->th_flags; + args->f_id._flags = tcp_get_flags(TCP(ulp)); break; case IPPROTO_SCTP: @@ -1762,7 +1762,7 @@ dst_port = TCP(ulp)->th_dport; src_port = TCP(ulp)->th_sport; /* save flags for dynamic rules */ - args->f_id._flags = TCP(ulp)->th_flags; + args->f_id._flags = tcp_get_flags(TCP(ulp)); break; case IPPROTO_SCTP: diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -2891,7 +2891,7 @@ } void -pf_print_flags(u_int8_t f) +pf_print_flags(uint16_t f) { if (f) printf(" "); @@ -2911,6 +2911,8 @@ printf("E"); if (f & TH_CWR) printf("W"); + if (f & TH_AE) + printf("e"); } #define PF_SET_SKIP_STEPS(i) \ @@ -3437,7 +3439,7 @@ th->th_seq = htonl(seq); th->th_ack = htonl(ack); th->th_off = tlen >> 2; - th->th_flags = tcp_flags; + tcp_set_flags(th, tcp_flags); th->th_win = htons(win); if (mss) { @@ -3658,16 +3660,16 @@ if (pd->proto == IPPROTO_TCP && ((r->rule_flag & PFRULE_RETURNRST) || (r->rule_flag & PFRULE_RETURN)) && - !(th->th_flags & TH_RST)) { + !(tcp_get_flags(th) & TH_RST)) { u_int32_t ack = ntohl(th->th_seq) + pd->p_len; if (pf_check_proto_cksum(pd->m, pd->off, pd->tot_len - pd->off, IPPROTO_TCP, pd->af)) REASON_SET(reason, PFRES_PROTCKSUM); else { - if (th->th_flags & TH_SYN) + if (tcp_get_flags(th) & TH_SYN) ack++; - if (th->th_flags & TH_FIN) + if (tcp_get_flags(th) & TH_FIN) ack++; pf_send_tcp(r, pd->af, pd->dst, pd->src, th->th_dport, th->th_sport, @@ -5128,7 +5130,7 @@ break; case IPPROTO_TCP: - PF_TEST_ATTRIB((r->flagset & th->th_flags) != r->flags, + PF_TEST_ATTRIB((r->flagset & tcp_get_flags(th)) != r->flags, TAILQ_NEXT(r, entries)); /* FALLTHROUGH */ case IPPROTO_SCTP: @@ -5389,7 +5391,7 @@ case IPPROTO_TCP: s->src.seqlo = ntohl(th->th_seq); s->src.seqhi = s->src.seqlo + pd->p_len + 1; - if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && + if ((tcp_get_flags(th) & (TH_SYN|TH_ACK)) == TH_SYN && r->keep_state == PF_STATE_MODULATE) { /* Generate sequence number modulator */ if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) == @@ -5400,7 +5402,7 @@ *rewrite = 1; } else s->src.seqdiff = 0; - if (th->th_flags & TH_SYN) { + if (tcp_get_flags(th) & TH_SYN) { s->src.seqhi++; s->src.wscale = pf_get_wscale(pd); } @@ -5412,7 +5414,7 @@ s->src.max_win = (win - 1) >> (s->src.wscale & PF_WSCALE_MASK); } - if (th->th_flags & TH_FIN) + if (tcp_get_flags(th) & TH_FIN) s->src.seqhi++; s->dst.seqhi = 1; s->dst.max_win = 1; @@ -5508,7 +5510,7 @@ if (tag > 0) s->tag = tag; - if (pd->proto == IPPROTO_TCP && (th->th_flags & (TH_SYN|TH_ACK)) == + if (pd->proto == IPPROTO_TCP && (tcp_get_flags(th) & (TH_SYN|TH_ACK)) == TH_SYN && r->keep_state == PF_STATE_SYNPROXY) { pf_set_protostate(s, PF_PEER_SRC, PF_TCPS_PROXY_SRC); /* undo NAT changes, if they have taken place */ @@ -5612,7 +5614,7 @@ pdst = PF_PEER_SRC; } - if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) { + if (src->wscale && dst->wscale && !(tcp_get_flags(th) & TH_SYN)) { sws = src->wscale & PF_WSCALE_MASK; dws = dst->wscale & PF_WSCALE_MASK; } else @@ -5651,7 +5653,7 @@ } end = seq + pd->p_len; - if (th->th_flags & TH_SYN) { + if (tcp_get_flags(th) & TH_SYN) { end++; if (dst->wscale & PF_WSCALE_FLAG) { src->wscale = pf_get_wscale(pd); @@ -5673,7 +5675,7 @@ } } data_end = end; - if (th->th_flags & TH_FIN) + if (tcp_get_flags(th) & TH_FIN) end++; src->seqlo = seq; @@ -5701,18 +5703,18 @@ *copyback = 1; } end = seq + pd->p_len; - if (th->th_flags & TH_SYN) + if (tcp_get_flags(th) & TH_SYN) end++; data_end = end; - if (th->th_flags & TH_FIN) + if (tcp_get_flags(th) & TH_FIN) end++; } - if ((th->th_flags & TH_ACK) == 0) { + if ((tcp_get_flags(th) & TH_ACK) == 0) { /* Let it pass through the ack skew check */ ack = dst->seqlo; } else if ((ack == 0 && - (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) || + (tcp_get_flags(th) & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) || /* broken tcp stacks do not set ack */ (dst->state < TCPS_SYN_SENT)) { /* @@ -5756,7 +5758,7 @@ /* Acking not more than one reassembled fragment backwards */ (ackskew <= (MAXACKWINDOW << sws)) && /* Acking not more than one window forward */ - ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo || + ((tcp_get_flags(th) & TH_RST) == 0 || orig_seq == src->seqlo || (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) { /* Require an exact/+1 sequence match on resets when possible */ @@ -5777,13 +5779,13 @@ dst->seqhi = ack + MAX((win << sws), 1); /* update states */ - if (th->th_flags & TH_SYN) + if (tcp_get_flags(th) & TH_SYN) if (src->state < TCPS_SYN_SENT) pf_set_protostate(*state, psrc, TCPS_SYN_SENT); - if (th->th_flags & TH_FIN) + if (tcp_get_flags(th) & TH_FIN) if (src->state < TCPS_CLOSING) pf_set_protostate(*state, psrc, TCPS_CLOSING); - if (th->th_flags & TH_ACK) { + if (tcp_get_flags(th) & TH_ACK) { if (dst->state == TCPS_SYN_SENT) { pf_set_protostate(*state, pdst, TCPS_ESTABLISHED); @@ -5797,7 +5799,7 @@ pf_set_protostate(*state, pdst, TCPS_FIN_WAIT_2); } - if (th->th_flags & TH_RST) + if (tcp_get_flags(th) & TH_RST) pf_set_protostate(*state, PF_PEER_BOTH, TCPS_TIME_WAIT); /* update expire time */ @@ -5851,7 +5853,7 @@ if (V_pf_status.debug >= PF_DEBUG_MISC) { printf("pf: loose state match: "); pf_print_state(*state); - pf_print_flags(th->th_flags); + pf_print_flags(tcp_get_flags(th)); printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack, pd->p_len, ackskew, (unsigned long long)(*state)->packets[0], @@ -5881,10 +5883,10 @@ * SYN and not an already established connection. */ - if (th->th_flags & TH_FIN) + if (tcp_get_flags(th) & TH_FIN) if (src->state < TCPS_CLOSING) pf_set_protostate(*state, psrc, TCPS_CLOSING); - if (th->th_flags & TH_RST) + if (tcp_get_flags(th) & TH_RST) pf_set_protostate(*state, PF_PEER_BOTH, TCPS_TIME_WAIT); /* Fall through to PASS packet */ @@ -5893,7 +5895,7 @@ if ((*state)->dst.state == TCPS_SYN_SENT && (*state)->src.state == TCPS_SYN_SENT) { /* Send RST for state mismatches during handshake */ - if (!(th->th_flags & TH_RST)) + if (!(tcp_get_flags(th) & TH_RST)) pf_send_tcp((*state)->rule, pd->af, pd->dst, pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), 0, @@ -5906,7 +5908,7 @@ } else if (V_pf_status.debug >= PF_DEBUG_MISC) { printf("pf: BAD state: "); pf_print_state(*state); - pf_print_flags(th->th_flags); + pf_print_flags(tcp_get_flags(th)); printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack, pd->p_len, ackskew, @@ -5949,13 +5951,13 @@ pdst = PF_PEER_SRC; } - if (th->th_flags & TH_SYN) + if (tcp_get_flags(th) & TH_SYN) if (src->state < TCPS_SYN_SENT) pf_set_protostate(*state, psrc, TCPS_SYN_SENT); - if (th->th_flags & TH_FIN) + if (tcp_get_flags(th) & TH_FIN) if (src->state < TCPS_CLOSING) pf_set_protostate(*state, psrc, TCPS_CLOSING); - if (th->th_flags & TH_ACK) { + if (tcp_get_flags(th) & TH_ACK) { if (dst->state == TCPS_SYN_SENT) { pf_set_protostate(*state, pdst, TCPS_ESTABLISHED); if (src->state == TCPS_ESTABLISHED && @@ -5993,7 +5995,7 @@ pf_set_protostate(*state, pdst, TCPS_CLOSING); } } - if (th->th_flags & TH_RST) + if (tcp_get_flags(th) & TH_RST) pf_set_protostate(*state, PF_PEER_BOTH, TCPS_TIME_WAIT); /* update expire time */ @@ -6027,7 +6029,7 @@ REASON_SET(reason, PFRES_SYNPROXY); return (PF_SYNPROXY_DROP); } - if (th->th_flags & TH_SYN) { + if (tcp_get_flags(th) & TH_SYN) { if (ntohl(th->th_seq) != (*state)->src.seqlo) { REASON_SET(reason, PFRES_SYNPROXY); return (PF_DROP); @@ -6039,7 +6041,7 @@ (*state)->act.rtableid); REASON_SET(reason, PFRES_SYNPROXY); return (PF_SYNPROXY_DROP); - } else if ((th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK || + } else if ((tcp_get_flags(th) & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK || (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { REASON_SET(reason, PFRES_SYNPROXY); @@ -6054,7 +6056,7 @@ } if ((*state)->src.state == PF_TCPS_PROXY_DST) { if (pd->dir == (*state)->direction) { - if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) || + if (((tcp_get_flags(th) & (TH_SYN|TH_ACK)) != TH_ACK) || (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { REASON_SET(reason, PFRES_SYNPROXY); @@ -6071,7 +6073,7 @@ (*state)->act.rtableid); REASON_SET(reason, PFRES_SYNPROXY); return (PF_SYNPROXY_DROP); - } else if (((th->th_flags & (TH_SYN|TH_ACK)) != + } else if (((tcp_get_flags(th) & (TH_SYN|TH_ACK)) != (TH_SYN|TH_ACK)) || (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) { REASON_SET(reason, PFRES_SYNPROXY); @@ -6149,13 +6151,13 @@ if (dst->state >= TCPS_FIN_WAIT_2 && src->state >= TCPS_FIN_WAIT_2 && - (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) || - ((th->th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_ACK && + (((tcp_get_flags(th) & (TH_SYN|TH_ACK)) == TH_SYN) || + ((tcp_get_flags(th) & (TH_SYN|TH_ACK|TH_RST)) == TH_ACK && pf_syncookie_check(pd) && pd->dir == PF_IN))) { if (V_pf_status.debug >= PF_DEBUG_MISC) { printf("pf: state reuse "); pf_print_state(*state); - pf_print_flags(th->th_flags); + pf_print_flags(tcp_get_flags(th)); printf("\n"); } /* XXX make sure it's the same direction ?? */ @@ -9063,14 +9065,14 @@ case IPPROTO_TCP: { /* Respond to SYN with a syncookie. */ - if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN && + if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN && pd.dir == PF_IN && pf_synflood_check(&pd)) { pf_syncookie_send(&pd); action = PF_DROP; break; } - if ((pd.hdr.tcp.th_flags & TH_ACK) && pd.p_len == 0) + if ((tcp_get_flags(&pd.hdr.tcp) & TH_ACK) && pd.p_len == 0) use_2nd_queue = 1; action = pf_normalize_tcp(&pd); if (action == PF_DROP) @@ -9084,7 +9086,7 @@ } else if (s == NULL) { /* Validate remote SYN|ACK, re-create original SYN if * valid. */ - if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) == + if ((tcp_get_flags(&pd.hdr.tcp) & (TH_SYN|TH_ACK|TH_RST)) == TH_ACK && pf_syncookie_validate(&pd) && pd.dir == PF_IN) { struct mbuf *msyn; diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1446,7 +1446,7 @@ * All normalizations below are only begun if we see the start of * the connections. They must all set an enabled bit in pfss_flags */ - if ((th->th_flags & TH_SYN) == 0) + if ((tcp_get_flags(th) & TH_SYN) == 0) return (0); if (th->th_off > (sizeof(struct tcphdr) >> 2) && src->scrub && @@ -1797,7 +1797,7 @@ dst->scrub->pfss_tsecr, dst->scrub->pfss_tsval0)); if (V_pf_status.debug >= PF_DEBUG_MISC) { pf_print_state(state); - pf_print_flags(th->th_flags); + pf_print_flags(tcp_get_flags(th)); printf("\n"); } REASON_SET(reason, PFRES_TS); @@ -1806,9 +1806,9 @@ /* XXX I'd really like to require tsecr but it's optional */ - } else if (!got_ts && (th->th_flags & TH_RST) == 0 && + } else if (!got_ts && (tcp_get_flags(th) & TH_RST) == 0 && ((src->state == TCPS_ESTABLISHED && dst->state == TCPS_ESTABLISHED) - || pd->p_len > 0 || (th->th_flags & TH_SYN)) && + || pd->p_len > 0 || (tcp_get_flags(th) & TH_SYN)) && src->scrub && dst->scrub && (src->scrub->pfss_flags & PFSS_PAWS) && (dst->scrub->pfss_flags & PFSS_PAWS)) { @@ -1847,7 +1847,7 @@ DPFPRINTF(("Did not receive expected RFC1323 " "timestamp\n")); pf_print_state(state); - pf_print_flags(th->th_flags); + pf_print_flags(tcp_get_flags(th)); printf("\n"); } REASON_SET(reason, PFRES_TS); @@ -1876,7 +1876,7 @@ "timestamp data packet. Disabled PAWS " "security.\n")); pf_print_state(state); - pf_print_flags(th->th_flags); + pf_print_flags(tcp_get_flags(th)); printf("\n"); } } diff --git a/sys/netpfil/pf/pf_osfp.c b/sys/netpfil/pf/pf_osfp.c --- a/sys/netpfil/pf/pf_osfp.c +++ b/sys/netpfil/pf/pf_osfp.c @@ -103,7 +103,7 @@ char srcname[INET_ADDRSTRLEN]; #endif - if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN) + if ((tcp_get_flags(tcp) & (TH_SYN|TH_ACK)) != TH_SYN) return (NULL); if (ip) { if ((ip->ip_off & htons(IP_OFFMASK)) != 0) diff --git a/usr.sbin/ppp/ip.c b/usr.sbin/ppp/ip.c --- a/usr.sbin/ppp/ip.c +++ b/usr.sbin/ppp/ip.c @@ -371,14 +371,14 @@ } sport = ntohs(th->th_sport); dport = ntohs(th->th_dport); - estab = (th->th_flags & TH_ACK); - syn = (th->th_flags & TH_SYN); - finrst = (th->th_flags & (TH_FIN|TH_RST)); + estab = (__tcp_get_flags(th) & TH_ACK); + syn = (__tcp_get_flags(th) & TH_SYN); + finrst = (__tcp_get_flags(th) & (TH_FIN|TH_RST)); if (log_IsKept(LogDEBUG)) { if (!estab) snprintf(dbuff, sizeof dbuff, - "flags = %02x, sport = %d, dport = %d", - th->th_flags, sport, dport); + "flags = %03x, sport = %d, dport = %d", + __tcp_get_flags(th), sport, dport); else *dbuff = '\0'; } @@ -561,7 +561,7 @@ { char logbuf[200]; static const char *const TcpFlags[] = { - "FIN", "SYN", "RST", "PSH", "ACK", "URG" + "FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "AE" }; const struct tcphdr *th; const struct udphdr *uh; @@ -831,7 +831,7 @@ loglen += strlen(logbuf + loglen); n = 0; for (mask = TH_FIN; mask != 0x40; mask <<= 1) { - if (th->th_flags & mask) { + if (__tcp_get_flags(th) & mask) { snprintf(logbuf + loglen, sizeof logbuf - loglen, " %s", TcpFlags[n]); loglen += strlen(logbuf + loglen); } @@ -841,7 +841,7 @@ " seq:%lx ack:%lx (%d/%d)", (u_long)ntohl(th->th_seq), (u_long)ntohl(th->th_ack), len, nb); loglen += strlen(logbuf + loglen); - if ((th->th_flags & TH_SYN) && nb > 40) { + if ((__tcp_get_flags(th) & TH_SYN) && nb > 40) { const u_short *sp; sp = (const u_short *)(payload + 20); diff --git a/usr.sbin/ppp/slcompress.c b/usr.sbin/ppp/slcompress.c --- a/usr.sbin/ppp/slcompress.c +++ b/usr.sbin/ppp/slcompress.c @@ -179,8 +179,8 @@ return (TYPE_IP); } th = (struct tcphdr *) & ((int *) ip)[hlen]; - if ((th->th_flags & (TH_SYN | TH_FIN | TH_RST | TH_ACK)) != TH_ACK) { - log_Printf(LogDEBUG, "??? 2 th_flags = %x\n", th->th_flags); + if ((__tcp_get_flags(th) & (TH_SYN | TH_FIN | TH_RST | TH_ACK)) != TH_ACK) { + log_Printf(LogDEBUG, "??? 2 th_flags = %x\n", __tcp_get_flags(th)); log_DumpBp(LogDEBUG, "", m); return (TYPE_IP); } @@ -283,7 +283,7 @@ * changes in the order: urgent, window, ack, seq (the order minimizes the * number of temporaries needed in this section of code). */ - if (th->th_flags & TH_URG) { + if (__tcp_get_flags(th) & TH_URG) { deltaS = ntohs(th->th_urp); ENCODEZ(deltaS); changes |= NEW_U; @@ -366,7 +366,7 @@ ENCODEZ(deltaS); changes |= NEW_I; } - if (th->th_flags & TH_PUSH) + if (__tcp_get_flags(th) & TH_PUSH) changes |= TCP_PUSH_BIT; /* @@ -501,9 +501,9 @@ th->th_sum = htons((*cp << 8) | cp[1]); cp += 2; if (changes & TCP_PUSH_BIT) - th->th_flags |= TH_PUSH; + __tcp_set_flags(th, __tcp_get_flags(th) | TH_PUSH); else - th->th_flags &= ~TH_PUSH; + __tcp_set_flags(th, __tcp_get_flags(th) & ~TH_PUSH); switch (changes & SPECIALS_MASK) { case SPECIAL_I: @@ -522,10 +522,10 @@ default: if (changes & NEW_U) { - th->th_flags |= TH_URG; + __tcp_set_flags(th, __tcp_get_flags(th) | TH_URG); DECODEU(th->th_urp) } else - th->th_flags &= ~TH_URG; + __tcp_set_flags(th, __tcp_get_flags(th) & ~TH_URG); if (changes & NEW_W) DECODES(th->th_win) if (changes & NEW_A) diff --git a/usr.sbin/ppp/tcpmss.c b/usr.sbin/ppp/tcpmss.c --- a/usr.sbin/ppp/tcpmss.c +++ b/usr.sbin/ppp/tcpmss.c @@ -115,7 +115,7 @@ return; /* MSS option only allowed within SYN packets. */ - if (!(tc->th_flags & TH_SYN)) + if (!(__tcp_get_flags(tc) & TH_SYN)) return; for (olen = hlen - sizeof(struct tcphdr), opt = (u_char *)(tc + 1); diff --git a/usr.sbin/traceroute/traceroute.c b/usr.sbin/traceroute/traceroute.c --- a/usr.sbin/traceroute/traceroute.c +++ b/usr.sbin/traceroute/traceroute.c @@ -1497,7 +1497,7 @@ tcp->th_seq = (tcp->th_sport << 16) | tcp->th_dport; tcp->th_ack = 0; tcp->th_off = 5; - tcp->th_flags = TH_SYN; + __tcp_set_flags(tcp, TH_SYN); tcp->th_sum = 0; if (doipcksum) diff --git a/usr.sbin/traceroute6/traceroute6.c b/usr.sbin/traceroute6/traceroute6.c --- a/usr.sbin/traceroute6/traceroute6.c +++ b/usr.sbin/traceroute6/traceroute6.c @@ -1213,7 +1213,7 @@ tcp->th_seq = (tcp->th_sport << 16) | tcp->th_dport; tcp->th_ack = 0; tcp->th_off = 5; - tcp->th_flags = TH_SYN; + __tcp_set_flags(tcp, TH_SYN); tcp->th_sum = 0; tcp->th_sum = tcp_chksum(&Src, &Dst, outpacket, datalen); break;