

D46941.id144590.diff

diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
@@ -69,9 +69,9 @@
struct pfi_kif;
struct pf_pdesc;
-#define PFLOG_PACKET(a,b,t,c,d,e,f,g) do { \
+#define PFLOG_PACKET(b,t,c,d,e,f,g) do { \
if (pflog_packet_ptr != NULL) \
- pflog_packet_ptr(a,b,t,c,d,e,f,g); \
+ pflog_packet_ptr(b,t,c,d,e,f,g); \
} while (0)
#endif /* _KERNEL */
#endif /* _NET_IF_PFLOG_H_ */
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1249,7 +1249,7 @@
/* pflog */
struct pf_kruleset;
struct pf_pdesc;
-typedef int pflog_packet_t(struct mbuf *, uint8_t, u_int8_t,
+typedef int pflog_packet_t(uint8_t, u_int8_t,
struct pf_krule *, struct pf_krule *, struct pf_kruleset *,
struct pf_pdesc *, int);
extern pflog_packet_t *pflog_packet_ptr;
@@ -1598,6 +1598,7 @@
} hdr;
struct pfi_kkif *kif; /* incomming interface */
+ struct mbuf *m;
struct pf_addr *src; /* src address */
struct pf_addr *dst; /* dst address */
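Review bot: The new `struct mbuf *m;` member has no comment, unlike the fields around it, and it now carries a contract that every helper in this diff relies on: they read the packet from `pd->m` instead of taking it as an argument. Entry points such as `pf_test()` and `pf_refragment6()` still take a `struct mbuf **`, which suggests the chain can be replaced during processing; if so, `pd->m` has to be refreshed at each such point or the helpers will work on a stale pointer. A comment such as `/* packet being processed; keep in sync if the chain is replaced */` would record that. The struct definition starts and ends outside this hunk.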
@@ -1650,7 +1651,6 @@
struct pf_pdesc pd;
struct pf_addr src;
struct pf_addr dst;
- struct mbuf *m;
int op;
};
@@ -2355,7 +2355,7 @@
void pf_free_rule(struct pf_krule *);
int pf_test_eth(int, int, struct ifnet *, struct mbuf **, struct inpcb *);
-int pf_scan_sctp(struct mbuf *, struct pf_pdesc *);
+int pf_scan_sctp(struct pf_pdesc *);
#if defined(INET) || defined(INET6)
int pf_test(sa_family_t, int, int, struct ifnet *, struct mbuf **, struct inpcb *,
struct pf_rule_actions *);
@@ -2375,8 +2375,8 @@
int pf_refragment6(struct ifnet *, struct mbuf **, struct m_tag *, bool);
#endif /* INET6 */
-int pf_multihome_scan_init(struct mbuf *, int, int, struct pf_pdesc *);
-int pf_multihome_scan_asconf(struct mbuf *, int, int, struct pf_pdesc *);
+int pf_multihome_scan_init(int, int, struct pf_pdesc *);
+int pf_multihome_scan_asconf(int, int, struct pf_pdesc *);
u_int32_t pf_new_isn(struct pf_kstate *);
void *pf_pull_hdr(const struct mbuf *, int, void *, int, u_short *, u_short *,
@@ -2398,23 +2398,23 @@
void pf_normalize_init(void);
void pf_normalize_cleanup(void);
-int pf_normalize_tcp(struct mbuf *, struct pf_pdesc *);
+int pf_normalize_tcp(struct pf_pdesc *);
void pf_normalize_tcp_cleanup(struct pf_kstate *);
-int pf_normalize_tcp_init(struct mbuf *, struct pf_pdesc *,
+int pf_normalize_tcp_init(struct pf_pdesc *,
struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *);
-int pf_normalize_tcp_stateful(struct mbuf *, struct pf_pdesc *,
+int pf_normalize_tcp_stateful(struct pf_pdesc *,
u_short *, struct tcphdr *, struct pf_kstate *,
struct pf_state_peer *, struct pf_state_peer *, int *);
-int pf_normalize_sctp_init(struct mbuf *, struct pf_pdesc *,
+int pf_normalize_sctp_init(struct pf_pdesc *,
struct pf_state_peer *, struct pf_state_peer *);
-int pf_normalize_sctp(struct mbuf *, struct pf_pdesc *);
+int pf_normalize_sctp(struct pf_pdesc *);
u_int32_t
pf_state_expires(const struct pf_kstate *);
void pf_purge_expired_fragments(void);
void pf_purge_fragments(uint32_t);
int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *,
int);
-int pf_socket_lookup(struct pf_pdesc *, struct mbuf *);
+int pf_socket_lookup(struct pf_pdesc *);
struct pf_state_key *pf_alloc_state_key(int);
void pfr_initialize(void);
void pfr_cleanup(void);
@@ -2482,12 +2482,12 @@
int pfi_clear_flags(const char *, int);
int pf_match_tag(struct mbuf *, struct pf_krule *, int *, int);
-int pf_tag_packet(struct mbuf *, struct pf_pdesc *, int);
+int pf_tag_packet(struct pf_pdesc *, int);
int pf_addr_cmp(struct pf_addr *, struct pf_addr *,
sa_family_t);
-u_int16_t pf_get_mss(struct mbuf *, struct pf_pdesc *);
-u_int8_t pf_get_wscale(struct mbuf *, struct pf_pdesc *);
+u_int16_t pf_get_mss(struct pf_pdesc *);
+u_int8_t pf_get_wscale(struct pf_pdesc *);
struct mbuf *pf_build_tcp(const struct pf_krule *, sa_family_t,
const struct pf_addr *, const struct pf_addr *,
u_int16_t, u_int16_t, u_int32_t, u_int32_t,
@@ -2504,8 +2504,7 @@
int pf_get_syncookies(struct pfioc_nv *);
int pf_set_syncookies(struct pfioc_nv *);
int pf_synflood_check(struct pf_pdesc *);
-void pf_syncookie_send(struct mbuf *m,
- struct pf_pdesc *);
+void pf_syncookie_send(struct pf_pdesc *);
bool pf_syncookie_check(struct pf_pdesc *);
u_int8_t pf_syncookie_validate(struct pf_pdesc *);
struct mbuf * pf_syncookie_recreate_syn(struct pf_pdesc *);
@@ -2590,8 +2589,7 @@
int pf_osfp_add(struct pf_osfp_ioctl *);
#ifdef _KERNEL
struct pf_osfp_enlist *
- pf_osfp_fingerprint(struct pf_pdesc *, struct mbuf *,
- const struct tcphdr *);
+ pf_osfp_fingerprint(struct pf_pdesc *, const struct tcphdr *);
#endif /* _KERNEL */
void pf_osfp_flush(void);
int pf_osfp_get(struct pf_osfp_ioctl *);
@@ -2622,7 +2620,7 @@
struct pf_addr *, struct pf_addr *,
struct pfi_kkif **nkif, struct pf_addr *,
struct pf_ksrc_node **);
-u_short pf_get_translation(struct pf_pdesc *, struct mbuf *,
+u_short pf_get_translation(struct pf_pdesc *,
int, struct pf_ksrc_node **,
struct pf_state_key **, struct pf_state_key **,
struct pf_addr *, struct pf_addr *,
@@ -2630,14 +2628,14 @@
struct pf_krule **,
struct pf_udp_mapping **udp_mapping);
-struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct mbuf *,
+struct pf_state_key *pf_state_key_setup(struct pf_pdesc *,
struct pf_addr *, struct pf_addr *, u_int16_t, u_int16_t);
struct pf_state_key *pf_state_key_clone(const struct pf_state_key *);
void pf_rule_to_actions(struct pf_krule *,
struct pf_rule_actions *);
-int pf_normalize_mss(struct mbuf *m, struct pf_pdesc *pd);
+int pf_normalize_mss(struct pf_pdesc *pd);
#if defined(INET) || defined(INET6)
-void pf_scrub(struct mbuf *, struct pf_pdesc *);
+void pf_scrub(struct pf_pdesc *);
#endif
struct pfi_kkif *pf_kkif_create(int);
diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c
--- a/sys/netpfil/pf/if_pflog.c
+++ b/sys/netpfil/pf/if_pflog.c
@@ -213,14 +213,14 @@
}
static int
-pflog_packet(struct mbuf *m, uint8_t action, u_int8_t reason,
+pflog_packet(uint8_t action, u_int8_t reason,
struct pf_krule *rm, struct pf_krule *am,
struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
{
struct ifnet *ifn;
struct pfloghdr hdr;
- if (m == NULL || rm == NULL || pd == NULL)
+ if (rm == NULL || pd == NULL)
return (1);
ifn = V_pflogifs[rm->logif];
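Review bot: Dropping `m == NULL` from the guard leaves the packet pointer unchecked, while the later hunks of this function dereference it (`mtod(pd->m, struct ip *)`, `pd->m->m_pkthdr.len`) and pass it to `bpf_mtap2()`. The code that fills in `pd->m` is not visible in this diff, so unless every caller is guaranteed to set it, keep the old behaviour with `if (rm == NULL || pd == NULL || pd->m == NULL)`. If it is meant to be an invariant, state it with a `KASSERT` at the top of the function. pflog_packet's body continues outside this hunk.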
@@ -251,7 +251,7 @@
* These conditions are very very rare, however.
*/
if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe)
- pd->lookup.done = pf_socket_lookup(pd, m);
+ pd->lookup.done = pf_socket_lookup(pd);
if (pd->lookup.done > 0)
hdr.uid = pd->lookup.uid;
else
@@ -265,15 +265,15 @@
if (pd->af == AF_INET && pd->dir == PF_OUT) {
struct ip *ip;
- ip = mtod(m, struct ip *);
+ ip = mtod(pd->m, struct ip *);
ip->ip_sum = 0;
- ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
+ ip->ip_sum = in_cksum(pd->m, ip->ip_hl << 2);
}
#endif /* INET */
if_inc_counter(ifn, IFCOUNTER_OPACKETS, 1);
- if_inc_counter(ifn, IFCOUNTER_OBYTES, m->m_pkthdr.len);
- bpf_mtap2(ifn->if_bpf, &hdr, PFLOG_HDRLEN, m);
+ if_inc_counter(ifn, IFCOUNTER_OBYTES, pd->m->m_pkthdr.len);
+ bpf_mtap2(ifn->if_bpf, &hdr, PFLOG_HDRLEN, pd->m);
return (0);
}
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -294,7 +294,7 @@
static void pf_change_ap(struct mbuf *, struct pf_addr *, u_int16_t *,
u_int16_t *, u_int16_t *, struct pf_addr *,
u_int16_t, u_int8_t, sa_family_t);
-static int pf_modulate_sack(struct mbuf *, struct pf_pdesc *,
+static int pf_modulate_sack(struct pf_pdesc *,
struct tcphdr *, struct pf_state_peer *);
int pf_icmp_mapping(struct pf_pdesc *, u_int8_t, int *,
int *, u_int16_t *, u_int16_t *);
@@ -320,39 +320,39 @@
static int pf_test_eth_rule(int, struct pfi_kkif *,
struct mbuf **);
static int pf_test_rule(struct pf_krule **, struct pf_kstate **,
- struct mbuf *, struct pf_pdesc *, struct pf_krule **,
+ struct pf_pdesc *, struct pf_krule **,
struct pf_kruleset **, struct inpcb *);
static int pf_create_state(struct pf_krule *, struct pf_krule *,
struct pf_krule *, struct pf_pdesc *,
struct pf_ksrc_node *, struct pf_state_key *,
- struct pf_state_key *, struct mbuf *,
+ struct pf_state_key *,
u_int16_t, u_int16_t, int *,
struct pf_kstate **, int, u_int16_t, u_int16_t,
struct pf_krule_slist *, struct pf_udp_mapping *);
-static int pf_state_key_addr_setup(struct pf_pdesc *, struct mbuf *,
+static int pf_state_key_addr_setup(struct pf_pdesc *,
struct pf_state_key_cmp *, int, struct pf_addr *,
int, struct pf_addr *, int);
static int pf_tcp_track_full(struct pf_kstate **,
- struct mbuf *, struct pf_pdesc *, u_short *, int *);
+ struct pf_pdesc *, u_short *, int *);
static int pf_tcp_track_sloppy(struct pf_kstate **,
struct pf_pdesc *, u_short *);
static int pf_test_state_tcp(struct pf_kstate **,
- struct mbuf *, struct pf_pdesc *, u_short *);
+ struct pf_pdesc *, u_short *);
static int pf_test_state_udp(struct pf_kstate **,
- struct mbuf *, struct pf_pdesc *);
+ struct pf_pdesc *);
int pf_icmp_state_lookup(struct pf_state_key_cmp *,
- struct pf_pdesc *, struct pf_kstate **, struct mbuf *,
+ struct pf_pdesc *, struct pf_kstate **,
int, u_int16_t, u_int16_t,
int, int *, int, int);
-static int pf_test_state_icmp(struct pf_kstate **, struct mbuf *,
+static int pf_test_state_icmp(struct pf_kstate **,
struct pf_pdesc *, u_short *);
static void pf_sctp_multihome_detach_addr(const struct pf_kstate *);
static void pf_sctp_multihome_delayed(struct pf_pdesc *,
struct pfi_kkif *, struct pf_kstate *, int);
-static int pf_test_state_sctp(struct pf_kstate **, struct mbuf *,
+static int pf_test_state_sctp(struct pf_kstate **,
struct pf_pdesc *, u_short *);
static int pf_test_state_other(struct pf_kstate **,
- struct mbuf *, struct pf_pdesc *);
+ struct pf_pdesc *);
static u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t,
int, u_int16_t);
static int pf_check_proto_cksum(struct mbuf *, int, int,
@@ -1561,7 +1561,7 @@
}
static int
-pf_state_key_addr_setup(struct pf_pdesc *pd, struct mbuf *m,
+pf_state_key_addr_setup(struct pf_pdesc *pd,
struct pf_state_key_cmp *key, int sidx, struct pf_addr *saddr,
int didx, struct pf_addr *daddr, int multi)
{
@@ -1577,7 +1577,7 @@
case ND_NEIGHBOR_SOLICIT:
if (multi)
return (-1);
- if (!pf_pull_hdr(m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af))
+ if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af))
return (-1);
target = (struct pf_addr *)&nd.nd_ns_target;
daddr = target;
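Review bot: The rewritten `if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af))` is over 70 characters before indentation, so inside the `case` it very likely runs past the 80-column limit of style(9). Leading whitespace is not preserved on this page, so the exact column is inferred. Breaking the argument list after `sizeof(nd),` and continuing `&action, &reason, pd->af))` on the next line would fix it. The same applies to the identical call in the ND_NEIGHBOR_ADVERT hunk and to the `pf_pull_hdr(pd->m, pd->off + sizeof(*th), ...)` and `m_copyback(pd->m, pd->off + sizeof(*th), ...)` lines in pf_modulate_sack.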
@@ -1585,7 +1585,7 @@
case ND_NEIGHBOR_ADVERT:
if (multi)
return (-1);
- if (!pf_pull_hdr(m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af))
+ if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af))
return (-1);
target = (struct pf_addr *)&nd.nd_ns_target;
saddr = target;
@@ -1617,7 +1617,7 @@
}
struct pf_state_key *
-pf_state_key_setup(struct pf_pdesc *pd, struct mbuf *m,
+pf_state_key_setup(struct pf_pdesc *pd,
struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t sport,
u_int16_t dport)
{
@@ -1627,7 +1627,7 @@
if (sk == NULL)
return (NULL);
- if (pf_state_key_addr_setup(pd, m, (struct pf_state_key_cmp *)sk,
+ if (pf_state_key_addr_setup(pd, (struct pf_state_key_cmp *)sk,
pd->sidx, pd->src, pd->didx, pd->dst, 0)) {
uma_zfree(V_pf_state_key_z, sk);
return (NULL);
@@ -3272,8 +3272,8 @@
* (credits to Krzysztof Pfaff for report and patch)
*/
static int
-pf_modulate_sack(struct mbuf *m, struct pf_pdesc *pd,
- struct tcphdr *th, struct pf_state_peer *dst)
+pf_modulate_sack(struct pf_pdesc *pd, struct tcphdr *th,
+ struct pf_state_peer *dst)
{
int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen;
u_int8_t opts[TCP_MAXOLEN], *opt = opts;
@@ -3282,7 +3282,7 @@
#define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)
if (hlen < TCPOLEN_SACKLEN ||
- !pf_pull_hdr(m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af))
+ !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af))
return 0;
while (hlen >= TCPOLEN_SACKLEN) {
@@ -3301,12 +3301,12 @@
for (i = 2; i + TCPOLEN_SACK <= olen;
i += TCPOLEN_SACK) {
memcpy(&sack, &opt[i], sizeof(sack));
- pf_patch_32_unaligned(m,
+ pf_patch_32_unaligned(pd->m,
&th->th_sum, &sack.start,
htonl(ntohl(sack.start) - dst->seqdiff),
PF_ALGNMNT(startoff),
0);
- pf_patch_32_unaligned(m, &th->th_sum,
+ pf_patch_32_unaligned(pd->m, &th->th_sum,
&sack.end,
htonl(ntohl(sack.end) - dst->seqdiff),
PF_ALGNMNT(startoff),
@@ -3325,7 +3325,7 @@
}
if (copyback)
- m_copyback(m, pd->off + sizeof(*th), thoptlen, (caddr_t)opts);
+ m_copyback(pd->m, pd->off + sizeof(*th), thoptlen, (caddr_t)opts);
return (copyback);
}
@@ -3634,7 +3634,7 @@
static void
pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd,
- struct pf_state_key *sk, struct mbuf *m, struct tcphdr *th,
+ struct pf_state_key *sk, struct tcphdr *th,
u_int16_t bproto_sum, u_int16_t bip_sum,
u_short *reason, int rtableid)
{
@@ -3653,7 +3653,7 @@
*pd->proto_sum = bproto_sum;
if (pd->ip_sum)
*pd->ip_sum = bip_sum;
- m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any);
+ m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
}
if (pd->proto == IPPROTO_TCP &&
((r->rule_flag & PFRULE_RETURNRST) ||
@@ -3661,7 +3661,7 @@
!(th->th_flags & TH_RST)) {
u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
- if (pf_check_proto_cksum(m, pd->off, pd->tot_len - pd->off,
+ if (pf_check_proto_cksum(pd->m, pd->off, pd->tot_len - pd->off,
IPPROTO_TCP, pd->af))
REASON_SET(reason, PFRES_PROTCKSUM);
else {
@@ -3679,11 +3679,11 @@
pf_send_sctp_abort(pd->af, pd, r->return_ttl, rtableid);
} else if (pd->proto != IPPROTO_ICMP && pd->af == AF_INET &&
r->return_icmp)
- pf_send_icmp(m, r->return_icmp >> 8,
+ pf_send_icmp(pd->m, r->return_icmp >> 8,
r->return_icmp & 255, pd->af, r, rtableid);
else if (pd->proto != IPPROTO_ICMPV6 && pd->af == AF_INET6 &&
r->return_icmp6)
- pf_send_icmp(m, r->return_icmp6 >> 8,
+ pf_send_icmp(pd->m, r->return_icmp6 >> 8,
r->return_icmp6 & 255, pd->af, r, rtableid);
}
@@ -3950,12 +3950,12 @@
}
int
-pf_tag_packet(struct mbuf *m, struct pf_pdesc *pd, int tag)
+pf_tag_packet(struct pf_pdesc *pd, int tag)
{
KASSERT(tag > 0, ("%s: tag %d", __func__, tag));
- if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(m)) == NULL))
+ if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(pd->m)) == NULL))
return (ENOMEM);
pd->pf_mtag->tag = tag;
@@ -4278,7 +4278,7 @@
}
int
-pf_socket_lookup(struct pf_pdesc *pd, struct mbuf *m)
+pf_socket_lookup(struct pf_pdesc *pd)
{
struct pf_addr *saddr, *daddr;
u_int16_t sport, dport;
@@ -4318,11 +4318,11 @@
#ifdef INET
case AF_INET:
inp = in_pcblookup_mbuf(pi, saddr->v4, sport, daddr->v4,
- dport, INPLOOKUP_RLOCKPCB, NULL, m);
+ dport, INPLOOKUP_RLOCKPCB, NULL, pd->m);
if (inp == NULL) {
inp = in_pcblookup_mbuf(pi, saddr->v4, sport,
daddr->v4, dport, INPLOOKUP_WILDCARD |
- INPLOOKUP_RLOCKPCB, NULL, m);
+ INPLOOKUP_RLOCKPCB, NULL, pd->m);
if (inp == NULL)
return (-1);
}
@@ -4331,11 +4331,11 @@
#ifdef INET6
case AF_INET6:
inp = in6_pcblookup_mbuf(pi, &saddr->v6, sport, &daddr->v6,
- dport, INPLOOKUP_RLOCKPCB, NULL, m);
+ dport, INPLOOKUP_RLOCKPCB, NULL, pd->m);
if (inp == NULL) {
inp = in6_pcblookup_mbuf(pi, &saddr->v6, sport,
&daddr->v6, dport, INPLOOKUP_WILDCARD |
- INPLOOKUP_RLOCKPCB, NULL, m);
+ INPLOOKUP_RLOCKPCB, NULL, pd->m);
if (inp == NULL)
return (-1);
}
@@ -4351,7 +4351,7 @@
}
u_int8_t
-pf_get_wscale(struct mbuf *m, struct pf_pdesc *pd)
+pf_get_wscale(struct pf_pdesc *pd)
{
struct tcphdr *th = &pd->hdr.tcp;
int hlen;
@@ -4362,7 +4362,7 @@
hlen = th->th_off << 2; /* hlen <= sizeof(hdr) */
if (hlen <= sizeof(struct tcphdr))
return (0);
- if (!pf_pull_hdr(m, pd->off, hdr, hlen, NULL, NULL, pd->af))
+ if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af))
return (0);
opt = hdr + sizeof(struct tcphdr);
hlen -= sizeof(struct tcphdr);
@@ -4392,7 +4392,7 @@
}
u_int16_t
-pf_get_mss(struct mbuf *m, struct pf_pdesc *pd)
+pf_get_mss(struct pf_pdesc *pd)
{
struct tcphdr *th = &pd->hdr.tcp;
int hlen;
@@ -4403,7 +4403,7 @@
hlen = th->th_off << 2; /* hlen <= sizeof(hdr) */
if (hlen <= sizeof(struct tcphdr))
return (0);
- if (!pf_pull_hdr(m, pd->off, hdr, hlen, NULL, NULL, pd->af))
+ if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af))
return (0);
opt = hdr + sizeof(struct tcphdr);
hlen -= sizeof(struct tcphdr);
@@ -4848,7 +4848,7 @@
static int
pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm,
- struct mbuf *m, struct pf_pdesc *pd, struct pf_krule **am,
+ struct pf_pdesc *pd, struct pf_krule **am,
struct pf_kruleset **rsm, struct inpcb *inp)
{
struct pf_krule *nr = NULL;
@@ -4938,7 +4938,7 @@
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
/* check packet for BINAT/NAT/RDR */
- transerror = pf_get_translation(pd, m, pd->off, &nsn, &sk,
+ transerror = pf_get_translation(pd, pd->off, &nsn, &sk,
&nk, saddr, daddr, sport, dport, anchor_stack, &nr, &udp_mapping);
switch (transerror) {
default:
@@ -4953,7 +4953,7 @@
KASSERT(nk != NULL, ("%s: null nk", __func__));
if (nr->log) {
- PFLOG_PACKET(m, PF_PASS, PFRES_MATCH, nr, a,
+ PFLOG_PACKET(PF_PASS, PFRES_MATCH, nr, a,
ruleset, pd, 1);
}
@@ -4967,7 +4967,7 @@
if (PF_ANEQ(saddr, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != sport) {
- pf_change_ap(m, saddr, &th->th_sport, pd->ip_sum,
+ pf_change_ap(pd->m, saddr, &th->th_sport, pd->ip_sum,
&th->th_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 0, pd->af);
pd->sport = &th->th_sport;
@@ -4976,7 +4976,7 @@
if (PF_ANEQ(daddr, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != dport) {
- pf_change_ap(m, daddr, &th->th_dport, pd->ip_sum,
+ pf_change_ap(pd->m, daddr, &th->th_dport, pd->ip_sum,
&th->th_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 0, pd->af);
dport = th->th_dport;
@@ -4990,7 +4990,7 @@
if (PF_ANEQ(saddr, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != sport) {
- pf_change_ap(m, saddr, &pd->hdr.udp.uh_sport,
+ pf_change_ap(pd->m, saddr, &pd->hdr.udp.uh_sport,
pd->ip_sum, &pd->hdr.udp.uh_sum,
&nk->addr[pd->sidx],
nk->port[pd->sidx], 1, pd->af);
@@ -5000,7 +5000,7 @@
if (PF_ANEQ(daddr, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != dport) {
- pf_change_ap(m, daddr, &pd->hdr.udp.uh_dport,
+ pf_change_ap(pd->m, daddr, &pd->hdr.udp.uh_dport,
pd->ip_sum, &pd->hdr.udp.uh_sum,
&nk->addr[pd->didx],
nk->port[pd->didx], 1, pd->af);
@@ -5014,14 +5014,14 @@
if (PF_ANEQ(saddr, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != sport) {
- pf_change_ap(m, saddr, &pd->hdr.sctp.src_port,
+ pf_change_ap(pd->m, saddr, &pd->hdr.sctp.src_port,
pd->ip_sum, &checksum,
&nk->addr[pd->sidx],
nk->port[pd->sidx], 1, pd->af);
}
if (PF_ANEQ(daddr, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != dport) {
- pf_change_ap(m, daddr, &pd->hdr.sctp.dest_port,
+ pf_change_ap(pd->m, daddr, &pd->hdr.sctp.dest_port,
pd->ip_sum, &checksum,
&nk->addr[pd->didx],
nk->port[pd->didx], 1, pd->af);
@@ -5046,7 +5046,7 @@
pd->hdr.icmp.icmp_id = nk->port[pd->sidx];
pd->sport = &pd->hdr.icmp.icmp_id;
}
- m_copyback(m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp);
+ m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp);
break;
#endif /* INET */
#ifdef INET6
@@ -5107,10 +5107,10 @@
PF_TEST_ATTRIB(r->proto && r->proto != pd->proto,
r->skip[PF_SKIP_PROTO]);
PF_TEST_ATTRIB(PF_MISMATCHAW(&r->src.addr, saddr, pd->af,
- r->src.neg, pd->kif, M_GETFIB(m)),
+ r->src.neg, pd->kif, M_GETFIB(pd->m)),
r->skip[PF_SKIP_SRC_ADDR]);
PF_TEST_ATTRIB(PF_MISMATCHAW(&r->dst.addr, daddr, pd->af,
- r->dst.neg, NULL, M_GETFIB(m)),
+ r->dst.neg, NULL, M_GETFIB(pd->m)),
r->skip[PF_SKIP_DST_ADDR]);
switch (pd->virtual_proto) {
case PF_VPROTO_FRAGMENT:
@@ -5143,13 +5143,13 @@
r->skip[PF_SKIP_DST_PORT]);
/* tcp/udp only. uid.op always 0 in other cases */
PF_TEST_ATTRIB(r->uid.op && (pd->lookup.done || (pd->lookup.done =
- pf_socket_lookup(pd, m), 1)) &&
+ pf_socket_lookup(pd), 1)) &&
!pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
pd->lookup.uid),
TAILQ_NEXT(r, entries));
/* tcp/udp only. gid.op always 0 in other cases */
PF_TEST_ATTRIB(r->gid.op && (pd->lookup.done || (pd->lookup.done =
- pf_socket_lookup(pd, m), 1)) &&
+ pf_socket_lookup(pd), 1)) &&
!pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
pd->lookup.gid),
TAILQ_NEXT(r, entries));
@@ -5171,22 +5171,22 @@
PF_TEST_ATTRIB(r->tos && !(r->tos == pd->tos),
TAILQ_NEXT(r, entries));
PF_TEST_ATTRIB(r->prio &&
- !pf_match_ieee8021q_pcp(r->prio, m),
+ !pf_match_ieee8021q_pcp(r->prio, pd->m),
TAILQ_NEXT(r, entries));
PF_TEST_ATTRIB(r->prob &&
r->prob <= arc4random(),
TAILQ_NEXT(r, entries));
- PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(m, r, &tag,
+ PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, &tag,
pd->pf_mtag ? pd->pf_mtag->tag : 0),
TAILQ_NEXT(r, entries));
- PF_TEST_ATTRIB(r->rcv_kif && !pf_match_rcvif(m, r),
+ PF_TEST_ATTRIB(r->rcv_kif && !pf_match_rcvif(pd->m, r),
TAILQ_NEXT(r, entries));
PF_TEST_ATTRIB((r->rule_flag & PFRULE_FRAGMENT &&
pd->virtual_proto != PF_VPROTO_FRAGMENT),
TAILQ_NEXT(r, entries));
PF_TEST_ATTRIB(r->os_fingerprint != PF_OSFP_ANY &&
(pd->virtual_proto != IPPROTO_TCP || !pf_osfp_match(
- pf_osfp_fingerprint(pd, m, th),
+ pf_osfp_fingerprint(pd, th),
r->os_fingerprint)),
TAILQ_NEXT(r, entries));
/* FALLTHROUGH */
@@ -5207,8 +5207,7 @@
pf_counter_u64_critical_exit();
pf_rule_to_actions(r, &pd->act);
if (r->log || pd->act.log & PF_LOG_MATCHES)
- PFLOG_PACKET(m,
- r->action, PFRES_MATCH, r,
+ PFLOG_PACKET(r->action, PFRES_MATCH, r,
a, ruleset, pd, 1);
} else {
match = 1;
@@ -5216,8 +5215,7 @@
*am = a;
*rsm = ruleset;
if (pd->act.log & PF_LOG_MATCHES)
- PFLOG_PACKET(m,
- r->action, PFRES_MATCH, r,
+ PFLOG_PACKET(r->action, PFRES_MATCH, r,
a, ruleset, pd, 1);
}
if ((*rm)->quick)
@@ -5243,8 +5241,8 @@
if (r->log || pd->act.log & PF_LOG_MATCHES) {
if (rewrite)
- m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any);
- PFLOG_PACKET(m, r->action, reason, r, a, ruleset, pd, 1);
+ m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
+ PFLOG_PACKET(r->action, reason, r, a, ruleset, pd, 1);
}
if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
@@ -5252,32 +5250,32 @@
((r->rule_flag & PFRULE_RETURNRST) ||
(r->rule_flag & PFRULE_RETURNICMP) ||
(r->rule_flag & PFRULE_RETURN))) {
- pf_return(r, nr, pd, sk, m, th, bproto_sum,
+ pf_return(r, nr, pd, sk, th, bproto_sum,
bip_sum, &reason, r->rtableid);
}
if (r->action == PF_DROP)
goto cleanup;
- if (tag > 0 && pf_tag_packet(m, pd, tag)) {
+ if (tag > 0 && pf_tag_packet(pd, tag)) {
REASON_SET(&reason, PFRES_MEMORY);
goto cleanup;
}
if (pd->act.rtableid >= 0)
- M_SETFIB(m, pd->act.rtableid);
+ M_SETFIB(pd->m, pd->act.rtableid);
if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
(!state_icmp && (r->keep_state || nr != NULL ||
(pd->flags & PFDESC_TCP_NORM)))) {
int action;
- action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m,
+ action = pf_create_state(r, nr, a, pd, nsn, nk, sk,
sport, dport, &rewrite, sm, tag, bproto_sum, bip_sum,
&match_rules, udp_mapping);
if (action != PF_PASS) {
pf_udp_mapping_release(udp_mapping);
if (action == PF_DROP &&
(r->rule_flag & PFRULE_RETURN))
- pf_return(r, nr, pd, sk, m, th,
+ pf_return(r, nr, pd, sk, th,
bproto_sum, bip_sum, &reason,
pd->act.rtableid);
return (action);
@@ -5295,11 +5293,11 @@
/* copy back packet headers if we performed NAT operations */
if (rewrite)
- m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any);
+ m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
if (*sm != NULL && !((*sm)->state_flags & PFSTATE_NOSYNC) &&
pd->dir == PF_OUT &&
- V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, m))
+ V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, pd->m))
/*
* We want the state created, but we dont
* want to send this in case a partner
@@ -5326,7 +5324,7 @@
static int
pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
struct pf_pdesc *pd, struct pf_ksrc_node *nsn, struct pf_state_key *nk,
- struct pf_state_key *sk, struct mbuf *m, u_int16_t sport,
+ struct pf_state_key *sk, u_int16_t sport,
u_int16_t dport, int *rewrite, struct pf_kstate **sm,
int tag, u_int16_t bproto_sum, u_int16_t bip_sum,
struct pf_krule_slist *match_rules, struct pf_udp_mapping *udp_mapping)
@@ -5397,14 +5395,14 @@
if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) ==
0)
s->src.seqdiff = 1;
- pf_change_proto_a(m, &th->th_seq, &th->th_sum,
+ pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum,
htonl(s->src.seqlo + s->src.seqdiff), 0);
*rewrite = 1;
} else
s->src.seqdiff = 0;
if (th->th_flags & TH_SYN) {
s->src.seqhi++;
- s->src.wscale = pf_get_wscale(m, pd);
+ s->src.wscale = pf_get_wscale(pd);
}
s->src.max_win = MAX(ntohs(th->th_win), 1);
if (s->src.wscale & PF_WSCALE_MASK) {
@@ -5464,12 +5462,12 @@
}
if (pd->proto == IPPROTO_TCP) {
if (s->state_flags & PFSTATE_SCRUB_TCP &&
- pf_normalize_tcp_init(m, pd, th, &s->src, &s->dst)) {
+ pf_normalize_tcp_init(pd, th, &s->src, &s->dst)) {
REASON_SET(&reason, PFRES_MEMORY);
goto csfailed;
}
if (s->state_flags & PFSTATE_SCRUB_TCP && s->src.scrub &&
- pf_normalize_tcp_stateful(m, pd, &reason, th, s,
+ pf_normalize_tcp_stateful(pd, &reason, th, s,
&s->src, &s->dst, rewrite)) {
/* This really shouldn't happen!!! */
DPFPRINTF(PF_DEBUG_URGENT,
@@ -5478,7 +5476,7 @@
goto csfailed;
}
} else if (pd->proto == IPPROTO_SCTP) {
- if (pf_normalize_sctp_init(m, pd, &s->src, &s->dst))
+ if (pf_normalize_sctp_init(pd, &s->src, &s->dst))
goto csfailed;
if (! (pd->sctp_flags & (PFDESC_SCTP_INIT | PFDESC_SCTP_ADD_IP)))
goto csfailed;
@@ -5491,7 +5489,7 @@
if (nr == NULL) {
KASSERT((sk == NULL && nk == NULL), ("%s: nr %p sk %p, nk %p",
__func__, nr, sk, nk));
- sk = pf_state_key_setup(pd, m, pd->src, pd->dst, sport, dport);
+ sk = pf_state_key_setup(pd, pd->src, pd->dst, sport, dport);
if (sk == NULL)
goto csfailed;
nk = sk;
@@ -5528,12 +5526,12 @@
*pd->proto_sum = bproto_sum;
if (pd->ip_sum)
*pd->ip_sum = bip_sum;
- m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any);
+ m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any);
}
s->src.seqhi = htonl(arc4random());
/* Find mss option */
- int rtid = M_GETFIB(m);
- mss = pf_get_mss(m, pd);
+ int rtid = M_GETFIB(pd->m);
+ mss = pf_get_mss(pd);
mss = pf_calc_mss(pd->src, pd->af, rtid, mss);
mss = pf_calc_mss(pd->dst, pd->af, rtid, mss);
s->src.mss = mss;
@@ -5592,8 +5590,8 @@
}
static int
-pf_tcp_track_full(struct pf_kstate **state, struct mbuf *m,
- struct pf_pdesc *pd, u_short *reason, int *copyback)
+pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd,
+ u_short *reason, int *copyback)
{
struct tcphdr *th = &pd->hdr.tcp;
struct pf_state_peer *src, *dst;
@@ -5632,7 +5630,7 @@
if (((*state)->state_flags & PFSTATE_SCRUB_TCP || dst->scrub) &&
src->scrub == NULL) {
- if (pf_normalize_tcp_init(m, pd, th, src, dst)) {
+ if (pf_normalize_tcp_init(pd, th, src, dst)) {
REASON_SET(reason, PFRES_MEMORY);
return (PF_DROP);
}
@@ -5644,9 +5642,9 @@
while ((src->seqdiff = arc4random() - seq) == 0)
;
ack = ntohl(th->th_ack) - dst->seqdiff;
- pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq +
+ pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq +
src->seqdiff), 0);
- pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0);
+ pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0);
*copyback = 1;
} else {
ack = ntohl(th->th_ack);
@@ -5656,7 +5654,7 @@
if (th->th_flags & TH_SYN) {
end++;
if (dst->wscale & PF_WSCALE_FLAG) {
- src->wscale = pf_get_wscale(m, pd);
+ src->wscale = pf_get_wscale(pd);
if (src->wscale & PF_WSCALE_FLAG) {
/* Remove scale factor from initial
* window */
@@ -5697,9 +5695,9 @@
ack = ntohl(th->th_ack) - dst->seqdiff;
if (src->seqdiff) {
/* Modulate sequence numbers */
- pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq +
+ pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq +
src->seqdiff), 0);
- pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0);
+ pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0);
*copyback = 1;
}
end = seq + pd->p_len;
@@ -5745,7 +5743,7 @@
* options anyway.
*/
if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) {
- if (pf_modulate_sack(m, pd, th, dst))
+ if (pf_modulate_sack(pd, th, dst))
*copyback = 1;
}
@@ -5763,7 +5761,7 @@
/* Require an exact/+1 sequence match on resets when possible */
if (dst->scrub || src->scrub) {
- if (pf_normalize_tcp_stateful(m, pd, reason, th,
+ if (pf_normalize_tcp_stateful(pd, reason, th,
*state, src, dst, copyback))
return (PF_DROP);
}
@@ -5863,7 +5861,7 @@
}
if (dst->scrub || src->scrub) {
- if (pf_normalize_tcp_stateful(m, pd, reason, th,
+ if (pf_normalize_tcp_stateful(pd, reason, th,
*state, src, dst, copyback))
return (PF_DROP);
}
@@ -6112,8 +6110,8 @@
}
static int
-pf_test_state_tcp(struct pf_kstate **state, struct mbuf *m,
- struct pf_pdesc *pd, u_short *reason)
+pf_test_state_tcp(struct pf_kstate **state, struct pf_pdesc *pd,
+ u_short *reason)
{
struct pf_state_key_cmp key;
struct tcphdr *th = &pd->hdr.tcp;
@@ -6171,7 +6169,7 @@
if (pf_tcp_track_sloppy(state, pd, reason) == PF_DROP)
return (PF_DROP);
} else {
- if (pf_tcp_track_full(state, m, pd, reason,
+ if (pf_tcp_track_full(state, pd, reason,
&copyback) == PF_DROP)
return (PF_DROP);
}
@@ -6182,13 +6180,13 @@
if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != th->th_sport)
- pf_change_ap(m, pd->src, &th->th_sport,
+ pf_change_ap(pd->m, pd->src, &th->th_sport,
pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 0, pd->af);
if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != th->th_dport)
- pf_change_ap(m, pd->dst, &th->th_dport,
+ pf_change_ap(pd->m, pd->dst, &th->th_dport,
pd->ip_sum, &th->th_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 0, pd->af);
copyback = 1;
@@ -6196,14 +6194,13 @@
/* Copyback sequence modulation or stateful scrub changes if needed */
if (copyback)
- m_copyback(m, pd->off, sizeof(*th), (caddr_t)th);
+ m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th);
return (PF_PASS);
}
static int
-pf_test_state_udp(struct pf_kstate **state, struct mbuf *m,
- struct pf_pdesc *pd)
+pf_test_state_udp(struct pf_kstate **state, struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
struct pf_state_key_cmp key;
@@ -6258,24 +6255,24 @@
if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != uh->uh_sport)
- pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum,
+ pf_change_ap(pd->m, pd->src, &uh->uh_sport, pd->ip_sum,
&uh->uh_sum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 1, pd->af);
if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != uh->uh_dport)
- pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum,
+ pf_change_ap(pd->m, pd->dst, &uh->uh_dport, pd->ip_sum,
&uh->uh_sum, &nk->addr[pd->didx],
nk->port[pd->didx], 1, pd->af);
- m_copyback(m, pd->off, sizeof(*uh), (caddr_t)uh);
+ m_copyback(pd->m, pd->off, sizeof(*uh), (caddr_t)uh);
}
return (PF_PASS);
}
static int
-pf_test_state_sctp(struct pf_kstate **state, struct mbuf *m,
- struct pf_pdesc *pd, u_short *reason)
+pf_test_state_sctp(struct pf_kstate **state, struct pf_pdesc *pd,
+ u_short *reason)
{
struct pf_state_key_cmp key;
struct pf_state_peer *src, *dst;
@@ -6365,14 +6362,14 @@
if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) ||
nk->port[pd->sidx] != pd->hdr.sctp.src_port) {
- pf_change_ap(m, pd->src, &pd->hdr.sctp.src_port,
+ pf_change_ap(pd->m, pd->src, &pd->hdr.sctp.src_port,
pd->ip_sum, &checksum, &nk->addr[pd->sidx],
nk->port[pd->sidx], 1, pd->af);
}
if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) ||
nk->port[pd->didx] != pd->hdr.sctp.dest_port) {
- pf_change_ap(m, pd->dst, &pd->hdr.sctp.dest_port,
+ pf_change_ap(pd->m, pd->dst, &pd->hdr.sctp.dest_port,
pd->ip_sum, &checksum, &nk->addr[pd->didx],
nk->port[pd->didx], 1, pd->af);
}
@@ -6541,9 +6538,9 @@
*/
j->pd.kif = V_pfi_all;
ret = pf_test_rule(&r, &sm,
- j->m, &j->pd, &ra, &rs, NULL);
+ &j->pd, &ra, &rs, NULL);
PF_RULES_RUNLOCK();
- SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->m, ret);
+ SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->pd.m, ret);
if (ret != PF_DROP && sm != NULL) {
/* Inherit v_tag values. */
if (sm->direction == s->direction) {
@@ -6599,7 +6596,7 @@
// New destination address!
memcpy(&nj->dst, &i->addr, sizeof(nj->dst));
nj->pd.dst = &nj->dst;
- nj->m = j->m;
+ nj->pd.m = j->pd.m;
nj->op = j->op;
TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, nj, next);
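Review bot: The queued job stores a raw `struct mbuf *` in `nj->pd.m` with no reference taken, and after this change `pf_test_rule(&r, &sm, &j->pd, ...)` in the hunk above reads the packet through that field. The pointer is therefore only valid if every job is run before the packet is freed or handed to another layer, and the hunk does not show where that is guaranteed. A comment on the assignment would record the requirement, for example `/* borrowed: job must run while pf still owns the packet */`. The same applies to `job->pd.m = pd->m;` in the two `pf_multihome_scan()` hunks below.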
@@ -6658,8 +6655,7 @@
}
static int
-pf_multihome_scan(struct mbuf *m, int start, int len, struct pf_pdesc *pd,
- int op)
+pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op)
{
int off = 0;
struct pf_sctp_multihome_job *job;
@@ -6667,7 +6663,7 @@
while (off < len) {
struct sctp_paramhdr h;
- if (!pf_pull_hdr(m, start + off, &h, sizeof(h), NULL, NULL,
+ if (!pf_pull_hdr(pd->m, start + off, &h, sizeof(h), NULL, NULL,
pd->af))
return (PF_DROP);
@@ -6683,7 +6679,7 @@
(sizeof(struct sctp_paramhdr) + sizeof(t)))
return (PF_DROP);
- if (!pf_pull_hdr(m, start + off + sizeof(h), &t, sizeof(t),
+ if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t),
NULL, NULL, pd->af))
return (PF_DROP);
@@ -6711,7 +6707,7 @@
job->pd.src = &job->src;
memcpy(&job->dst, pd->dst, sizeof(job->dst));
job->pd.dst = &job->dst;
- job->m = m;
+ job->pd.m = pd->m;
job->op = op;
TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next);
@@ -6725,7 +6721,7 @@
(sizeof(struct sctp_paramhdr) + sizeof(t)))
return (PF_DROP);
- if (!pf_pull_hdr(m, start + off + sizeof(h), &t, sizeof(t),
+ if (!pf_pull_hdr(pd->m, start + off + sizeof(h), &t, sizeof(t),
NULL, NULL, pd->af))
return (PF_DROP);
if (memcmp(&t, &pd->src->v6, sizeof(t)) == 0)
@@ -6742,7 +6738,7 @@
job->pd.src = &job->src;
memcpy(&job->dst, pd->dst, sizeof(job->dst));
job->pd.dst = &job->dst;
- job->m = m;
+ job->pd.m = pd->m;
job->op = op;
TAILQ_INSERT_TAIL(&pd->sctp_multihome_jobs, job, next);
@@ -6753,11 +6749,11 @@
int ret;
struct sctp_asconf_paramhdr ah;
- if (!pf_pull_hdr(m, start + off, &ah, sizeof(ah),
+ if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah),
NULL, NULL, pd->af))
return (PF_DROP);
- ret = pf_multihome_scan(m, start + off + sizeof(ah),
+ ret = pf_multihome_scan(start + off + sizeof(ah),
ntohs(ah.ph.param_length) - sizeof(ah), pd,
SCTP_ADD_IP_ADDRESS);
if (ret != PF_PASS)
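Review bot: The length passed to the recursive `pf_multihome_scan()` call, `ntohs(ah.ph.param_length) - sizeof(ah)`, comes from a packet-supplied field, and nothing in this hunk checks that `param_length` is at least `sizeof(ah)`. A smaller value makes the subtraction wrap in `size_t` before it is converted to the `int len` parameter. Unless a check outside the hunk already guarantees the minimum, add `if (ntohs(ah.ph.param_length) < sizeof(ah)) return (PF_DROP);` before the call. The call that passes `SCTP_DEL_IP_ADDRESS` in the next hunk needs the same guard. The enclosing function starts and ends outside the hunk.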
@@ -6768,10 +6764,10 @@
int ret;
struct sctp_asconf_paramhdr ah;
- if (!pf_pull_hdr(m, start + off, &ah, sizeof(ah),
+ if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah),
NULL, NULL, pd->af))
return (PF_DROP);
- ret = pf_multihome_scan(m, start + off + sizeof(ah),
+ ret = pf_multihome_scan(start + off + sizeof(ah),
ntohs(ah.ph.param_length) - sizeof(ah), pd,
SCTP_DEL_IP_ADDRESS);
if (ret != PF_PASS)
@@ -6788,27 +6784,26 @@
return (PF_PASS);
}
int
-pf_multihome_scan_init(struct mbuf *m, int start, int len, struct pf_pdesc *pd)
+pf_multihome_scan_init(int start, int len, struct pf_pdesc *pd)
{
start += sizeof(struct sctp_init_chunk);
len -= sizeof(struct sctp_init_chunk);
- return (pf_multihome_scan(m, start, len, pd, SCTP_ADD_IP_ADDRESS));
+ return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS));
}
int
-pf_multihome_scan_asconf(struct mbuf *m, int start, int len,
- struct pf_pdesc *pd)
+pf_multihome_scan_asconf(int start, int len, struct pf_pdesc *pd)
{
start += sizeof(struct sctp_asconf_chunk);
len -= sizeof(struct sctp_asconf_chunk);
- return (pf_multihome_scan(m, start, len, pd, SCTP_ADD_IP_ADDRESS));
+ return (pf_multihome_scan(start, len, pd, SCTP_ADD_IP_ADDRESS));
}
int
pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
- struct pf_kstate **state, struct mbuf *m, int direction,
+ struct pf_kstate **state, int direction,
u_int16_t icmpid, u_int16_t type, int icmp_dir,
int *iidx, int multi, int inner)
{
@@ -6823,7 +6818,7 @@
key->port[pd->sidx] = type;
key->port[pd->didx] = icmpid;
}
- if (pf_state_key_addr_setup(pd, m, key, pd->sidx, pd->src,
+ if (pf_state_key_addr_setup(pd, key, pd->sidx, pd->src,
pd->didx, pd->dst, multi))
return (PF_DROP);
@@ -6851,8 +6846,8 @@
}
static int
-pf_test_state_icmp(struct pf_kstate **state, struct mbuf *m,
- struct pf_pdesc *pd, u_short *reason)
+pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd,
+ u_short *reason)
{
struct pf_addr *saddr = pd->src, *daddr = pd->dst;
u_int16_t *icmpsum, virtual_id, virtual_type;
@@ -6893,14 +6888,14 @@
* ICMP query/reply message not related to a TCP/UDP packet.
* Search for an ICMP state.
*/
- ret = pf_icmp_state_lookup(&key, pd, state, m, pd->dir,
+ ret = pf_icmp_state_lookup(&key, pd, state, pd->dir,
virtual_id, virtual_type, icmp_dir, &iidx,
PF_ICMP_MULTI_NONE, 0);
if (ret >= 0) {
MPASS(*state == NULL);
if (ret == PF_DROP && pd->af == AF_INET6 &&
icmp_dir == PF_OUT) {
- ret = pf_icmp_state_lookup(&key, pd, state, m,
+ ret = pf_icmp_state_lookup(&key, pd, state,
pd->dir, virtual_id, virtual_type,
icmp_dir, &iidx, multi, 0);
if (ret >= 0) {
@@ -6943,7 +6938,7 @@
nk->port[iidx];
}
- m_copyback(m, pd->off, ICMP_MINLEN,
+ m_copyback(pd->m, pd->off, ICMP_MINLEN,
(caddr_t )&pd->hdr.icmp);
break;
#endif /* INET */
@@ -6961,7 +6956,7 @@
&pd->hdr.icmp6.icmp6_cksum,
&nk->addr[pd->didx], 0);
- m_copyback(m, pd->off, sizeof(struct icmp6_hdr),
+ m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr),
(caddr_t )&pd->hdr.icmp6);
break;
#endif /* INET6 */
@@ -6992,13 +6987,14 @@
/* Payload packet is from the opposite direction. */
pd2.sidx = (pd->dir == PF_IN) ? 1 : 0;
pd2.didx = (pd->dir == PF_IN) ? 0 : 1;
+ pd2.m = pd->m;
switch (pd->af) {
#ifdef INET
case AF_INET:
/* offset of h2 in mbuf chain */
ipoff2 = pd->off + ICMP_MINLEN;
- if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2),
+ if (!pf_pull_hdr(pd->m, ipoff2, &h2, sizeof(h2),
NULL, reason, pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
("pf: ICMP error message too short "
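Review bot: `pd2.m = pd->m;` is added without a comment, yet every read and write of the packet in this function still goes through `pd->m`, so a reader cannot tell why `pd2` needs the field. Judging from the `pf_icmp_state_lookup(&key, &pd2, ...)` calls elsewhere in this diff, which no longer receive the mbuf as an argument, the assignment is what lets those callees reach the packet. A comment such as `/* embedded packet shares the outer mbuf chain; callees given &pd2 read it via pd2.m */` would record that. The function body extends outside the hunk.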
@@ -7027,7 +7023,7 @@
case AF_INET6:
ipoff2 = pd->off + sizeof(struct icmp6_hdr);
- if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6),
+ if (!pf_pull_hdr(pd->m, ipoff2, &h2_6, sizeof(h2_6),
NULL, reason, pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
("pf: ICMP error message too short "
@@ -7035,7 +7031,7 @@
return (PF_DROP);
}
pd2.off = ipoff2;
- if (pf_walk_header6(m, &h2_6, &pd2.off, &extoff2,
+ if (pf_walk_header6(pd->m, &h2_6, &pd2.off, &extoff2,
&fragoff2, &pd2.proto, &jumbolen,
reason) != PF_PASS)
return (PF_DROP);
@@ -7077,7 +7073,7 @@
* expected. Don't access any TCP header fields after
* th_seq, an ackskew test is not possible.
*/
- if (!pf_pull_hdr(m, pd2.off, &th, 8, NULL, reason,
+ if (!pf_pull_hdr(pd->m, pd2.off, &th, 8, NULL, reason,
pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
("pf: ICMP error message too short "
@@ -7173,23 +7169,23 @@
switch (pd2.af) {
#ifdef INET
case AF_INET:
- m_copyback(m, pd->off, ICMP_MINLEN,
+ m_copyback(pd->m, pd->off, ICMP_MINLEN,
(caddr_t )&pd->hdr.icmp);
- m_copyback(m, ipoff2, sizeof(h2),
+ m_copyback(pd->m, ipoff2, sizeof(h2),
(caddr_t )&h2);
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
- m_copyback(m, pd->off,
+ m_copyback(pd->m, pd->off,
sizeof(struct icmp6_hdr),
(caddr_t )&pd->hdr.icmp6);
- m_copyback(m, ipoff2, sizeof(h2_6),
+ m_copyback(pd->m, ipoff2, sizeof(h2_6),
(caddr_t )&h2_6);
break;
#endif /* INET6 */
}
- m_copyback(m, pd2.off, 8, (caddr_t)&th);
+ m_copyback(pd->m, pd2.off, 8, (caddr_t)&th);
}
return (PF_PASS);
@@ -7198,7 +7194,7 @@
case IPPROTO_UDP: {
struct udphdr uh;
- if (!pf_pull_hdr(m, pd2.off, &uh, sizeof(uh),
+ if (!pf_pull_hdr(pd->m, pd2.off, &uh, sizeof(uh),
NULL, reason, pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
("pf: ICMP error message too short "
@@ -7242,22 +7238,22 @@
switch (pd2.af) {
#ifdef INET
case AF_INET:
- m_copyback(m, pd->off, ICMP_MINLEN,
+ m_copyback(pd->m, pd->off, ICMP_MINLEN,
(caddr_t )&pd->hdr.icmp);
- m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
+ m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2);
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
- m_copyback(m, pd->off,
+ m_copyback(pd->m, pd->off,
sizeof(struct icmp6_hdr),
(caddr_t )&pd->hdr.icmp6);
- m_copyback(m, ipoff2, sizeof(h2_6),
+ m_copyback(pd->m, ipoff2, sizeof(h2_6),
(caddr_t )&h2_6);
break;
#endif /* INET6 */
}
- m_copyback(m, pd2.off, sizeof(uh), (caddr_t)&uh);
+ m_copyback(pd->m, pd2.off, sizeof(uh), (caddr_t)&uh);
}
return (PF_PASS);
break;
@@ -7271,7 +7267,7 @@
return (PF_DROP);
}
- if (!pf_pull_hdr(m, pd2.off, iih, ICMP_MINLEN,
+ if (!pf_pull_hdr(pd->m, pd2.off, iih, ICMP_MINLEN,
NULL, reason, pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
("pf: ICMP error message too short i"
@@ -7283,7 +7279,7 @@
pf_icmp_mapping(&pd2, iih->icmp_type,
&icmp_dir, &multi, &virtual_id, &virtual_type);
- ret = pf_icmp_state_lookup(&key, &pd2, state, m,
+ ret = pf_icmp_state_lookup(&key, &pd2, state,
pd2.dir, virtual_id, virtual_type,
icmp_dir, &iidx, PF_ICMP_MULTI_NONE, 1);
if (ret >= 0) {
@@ -7317,9 +7313,9 @@
pd2.ip_sum, icmpsum, pd->ip_sum, 0,
AF_INET);
- m_copyback(m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp);
- m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
- m_copyback(m, pd2.off, ICMP_MINLEN, (caddr_t)iih);
+ m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp);
+ m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2);
+ m_copyback(pd->m, pd2.off, ICMP_MINLEN, (caddr_t)iih);
}
return (PF_PASS);
break;
@@ -7334,7 +7330,7 @@
return (PF_DROP);
}
- if (!pf_pull_hdr(m, pd2.off, iih,
+ if (!pf_pull_hdr(pd->m, pd2.off, iih,
sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
DPFPRINTF(PF_DEBUG_MISC,
("pf: ICMP error message too short "
@@ -7345,7 +7341,7 @@
pf_icmp_mapping(&pd2, iih->icmp6_type,
&icmp_dir, &multi, &virtual_id, &virtual_type);
- ret = pf_icmp_state_lookup(&key, &pd2, state, m,
+ ret = pf_icmp_state_lookup(&key, &pd2, state,
pd->dir, virtual_id, virtual_type,
icmp_dir, &iidx, PF_ICMP_MULTI_NONE, 1);
if (ret >= 0) {
@@ -7353,7 +7349,7 @@
if (ret == PF_DROP && pd2.af == AF_INET6 &&
icmp_dir == PF_OUT) {
ret = pf_icmp_state_lookup(&key, &pd2,
- state, m, pd->dir,
+ state, pd->dir,
virtual_id, virtual_type,
icmp_dir, &iidx, multi, 1);
if (ret >= 0) {
@@ -7390,10 +7386,10 @@
pd2.ip_sum, icmpsum,
pd->ip_sum, 0, AF_INET6);
- m_copyback(m, pd->off, sizeof(struct icmp6_hdr),
+ m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr),
(caddr_t)&pd->hdr.icmp6);
- m_copyback(m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6);
- m_copyback(m, pd2.off, sizeof(struct icmp6_hdr),
+ m_copyback(pd->m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6);
+ m_copyback(pd->m, pd2.off, sizeof(struct icmp6_hdr),
(caddr_t)iih);
}
return (PF_PASS);
@@ -7432,17 +7428,17 @@
switch (pd2.af) {
#ifdef INET
case AF_INET:
- m_copyback(m, pd->off, ICMP_MINLEN,
+ m_copyback(pd->m, pd->off, ICMP_MINLEN,
(caddr_t)&pd->hdr.icmp);
- m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2);
+ m_copyback(pd->m, ipoff2, sizeof(h2), (caddr_t)&h2);
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
- m_copyback(m, pd->off,
+ m_copyback(pd->m, pd->off,
sizeof(struct icmp6_hdr),
(caddr_t )&pd->hdr.icmp6);
- m_copyback(m, ipoff2, sizeof(h2_6),
+ m_copyback(pd->m, ipoff2, sizeof(h2_6),
(caddr_t )&h2_6);
break;
#endif /* INET6 */
@@ -7456,8 +7452,7 @@
}
static int
-pf_test_state_other(struct pf_kstate **state, struct mbuf *m,
- struct pf_pdesc *pd)
+pf_test_state_other(struct pf_kstate **state, struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
struct pf_state_key_cmp key;
@@ -8582,6 +8577,7 @@
{
memset(pd, 0, sizeof(*pd));
pd->pf_mtag = pf_find_mtag(m);
+ pd->m = m;
}
static int
@@ -8589,11 +8585,10 @@
u_short *action, u_short *reason, struct pfi_kkif *kif,
struct pf_rule_actions *default_actions)
{
- struct mbuf *m = *m0;
-
pd->af = af;
pd->dir = dir;
pd->kif = kif;
+ pd->m = *m0;
pd->sidx = (dir == PF_IN) ? 0 : 1;
pd->didx = (dir == PF_IN) ? 1 : 0;
@@ -8611,8 +8606,8 @@
case AF_INET: {
struct ip *h;
- if (__predict_false(m->m_len < sizeof(struct ip)) &&
- (m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) {
+ if (__predict_false((*m0)->m_len < sizeof(struct ip)) &&
+ (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip))) == NULL) {
DPFPRINTF(PF_DEBUG_URGENT,
("pf_test: m_len < sizeof(struct ip), pullup failed\n"));
*action = PF_DROP;
@@ -8625,9 +8620,9 @@
*action = PF_DROP;
return (-1);
}
- m = *m0;
+ pd->m = *m0;
- h = mtod(m, struct ip *);
+ h = mtod(pd->m, struct ip *);
pd->off = h->ip_hl << 2;
if (pd->off < (int)sizeof(*h)) {
*action = PF_DROP;
@@ -8660,8 +8655,8 @@
uint32_t jumbolen;
uint8_t nxt;
- if (__predict_false(m->m_len < sizeof(struct ip6_hdr)) &&
- (m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) {
+ if (__predict_false((*m0)->m_len < sizeof(struct ip6_hdr)) &&
+ (pd->m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) {
DPFPRINTF(PF_DEBUG_URGENT,
("pf_test6: m_len < sizeof(struct ip6_hdr)"
", pullup failed\n"));
@@ -8670,15 +8665,15 @@
return (-1);
}
- h = mtod(m, struct ip6_hdr *);
+ h = mtod(pd->m, struct ip6_hdr *);
pd->off = 0;
- if (pf_walk_header6(m, h, &pd->off, &pd->extoff, &fragoff, &nxt,
+ if (pf_walk_header6(pd->m, h, &pd->off, &pd->extoff, &fragoff, &nxt,
&jumbolen, reason) != PF_PASS) {
*action = PF_DROP;
return (-1);
}
- h = mtod(m, struct ip6_hdr *);
+ h = mtod(pd->m, struct ip6_hdr *);
pd->src = (struct pf_addr *)&h->ip6_src;
pd->dst = (struct pf_addr *)&h->ip6_dst;
pd->ip_sum = NULL;
@@ -8707,8 +8702,8 @@
*action = PF_DROP;
return (-1);
}
- m = *m0;
- if (m == NULL) {
+ pd->m = *m0;
+ if (pd->m == NULL) {
/* packet sits in reassembly queue, no error */
*action = PF_PASS;
return (-1);
@@ -8718,14 +8713,11 @@
* Reassembly may have changed the next protocol from fragment
* to something else, so update.
*/
- h = mtod(m, struct ip6_hdr *);
+ h = mtod(pd->m, struct ip6_hdr *);
pd->virtual_proto = pd->proto = h->ip6_nxt;
-
- /* refetch header, recalc offset, then update pd */
- h = mtod(m, struct ip6_hdr *);
pd->off = 0;
- if (pf_walk_header6(m, h, &pd->off, &pd->extoff, &fragoff, &nxt,
+ if (pf_walk_header6(pd->m, h, &pd->off, &pd->extoff, &fragoff, &nxt,
&jumbolen, reason) != PF_PASS) {
*action = PF_DROP;
return (-1);
@@ -8745,7 +8737,7 @@
case IPPROTO_TCP: {
struct tcphdr *th = &pd->hdr.tcp;
- if (!pf_pull_hdr(m, pd->off, th, sizeof(*th), action,
+ if (!pf_pull_hdr(pd->m, pd->off, th, sizeof(*th), action,
reason, af)) {
*action = PF_DROP;
REASON_SET(reason, PFRES_SHORT);
@@ -8760,7 +8752,7 @@
case IPPROTO_UDP: {
struct udphdr *uh = &pd->hdr.udp;
- if (!pf_pull_hdr(m, pd->off, uh, sizeof(*uh), action,
+ if (!pf_pull_hdr(pd->m, pd->off, uh, sizeof(*uh), action,
reason, af)) {
*action = PF_DROP;
REASON_SET(reason, PFRES_SHORT);
@@ -8768,7 +8760,7 @@
}
pd->hdrlen = sizeof(*uh);
if (uh->uh_dport == 0 ||
- ntohs(uh->uh_ulen) > m->m_pkthdr.len - pd->off ||
+ ntohs(uh->uh_ulen) > pd->m->m_pkthdr.len - pd->off ||
ntohs(uh->uh_ulen) < sizeof(struct udphdr)) {
*action = PF_DROP;
REASON_SET(reason, PFRES_SHORT);
@@ -8779,7 +8771,7 @@
break;
}
case IPPROTO_SCTP: {
- if (!pf_pull_hdr(m, pd->off, &pd->hdr.sctp, sizeof(pd->hdr.sctp),
+ if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.sctp, sizeof(pd->hdr.sctp),
action, reason, af)) {
*action = PF_DROP;
REASON_SET(reason, PFRES_SHORT);
@@ -8795,7 +8787,7 @@
REASON_SET(reason, PFRES_SHORT);
return (-1);
}
- if (pf_scan_sctp(m, pd) != PF_PASS) {
+ if (pf_scan_sctp(pd) != PF_PASS) {
*action = PF_DROP;
REASON_SET(reason, PFRES_SHORT);
return (-1);
@@ -8803,7 +8795,7 @@
break;
}
case IPPROTO_ICMP: {
- if (!pf_pull_hdr(m, pd->off, &pd->hdr.icmp, ICMP_MINLEN,
+ if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp, ICMP_MINLEN,
action, reason, af)) {
*action = PF_DROP;
REASON_SET(reason, PFRES_SHORT);
@@ -8816,7 +8808,7 @@
case IPPROTO_ICMPV6: {
size_t icmp_hlen = sizeof(struct icmp6_hdr);
- if (!pf_pull_hdr(m, pd->off, &pd->hdr.icmp6, icmp_hlen,
+ if (!pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen,
action, reason, af)) {
*action = PF_DROP;
REASON_SET(reason, PFRES_SHORT);
@@ -8834,7 +8826,7 @@
break;
}
if (icmp_hlen > sizeof(struct icmp6_hdr) &&
- !pf_pull_hdr(m, pd->off, &pd->hdr.icmp6, icmp_hlen,
+ !pf_pull_hdr(pd->m, pd->off, &pd->hdr.icmp6, icmp_hlen,
action, reason, af)) {
*action = PF_DROP;
REASON_SET(reason, PFRES_SHORT);
@@ -8935,7 +8927,6 @@
{
struct pfi_kkif *kif;
u_short action, reason = 0;
- struct mbuf *m = *m0;
struct m_tag *mtag;
struct pf_krule *a = NULL, *r = &V_pf_default_rule;
struct pf_kstate *s = NULL;
@@ -8947,7 +8938,7 @@
PF_RULES_RLOCK_TRACKER;
KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: bad direction %d\n", __func__, dir));
- M_ASSERTPKTHDR(m);
+ M_ASSERTPKTHDR(*m0);
if (!V_pf_status.running)
return (PF_PASS);
@@ -8967,7 +8958,7 @@
return (PF_PASS);
}
- if (m->m_flags & M_SKIP_FIREWALL) {
+ if ((*m0)->m_flags & M_SKIP_FIREWALL) {
PF_RULES_RUNLOCK();
return (PF_PASS);
}
@@ -8979,21 +8970,21 @@
* it here, before we do any NAT.
*/
if (af == AF_INET6 && dir == PF_OUT && pflags & PFIL_FWD &&
- IN6_LINKMTU(ifp) < pf_max_frag_size(m)) {
+ IN6_LINKMTU(ifp) < pf_max_frag_size(*m0)) {
PF_RULES_RUNLOCK();
+ icmp6_error(*m0, ICMP6_PACKET_TOO_BIG, 0, IN6_LINKMTU(ifp));
*m0 = NULL;
- icmp6_error(m, ICMP6_PACKET_TOO_BIG, 0, IN6_LINKMTU(ifp));
return (PF_DROP);
}
#endif
if (__predict_false(! M_WRITABLE(*m0))) {
- m = *m0 = m_unshare(*m0, M_NOWAIT);
+ *m0 = m_unshare(*m0, M_NOWAIT);
if (*m0 == NULL)
return (PF_DROP);
}
- pf_init_pdesc(&pd, m);
+ pf_init_pdesc(&pd, *m0);
if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_MTAG_FLAG_ROUTE_TO)) {
pd.pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO;
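Review bot: The `m_unshare()` failure path returns `PF_DROP` without calling `PF_RULES_RUNLOCK()`, although the branch directly above it in this hunk releases the rules lock before its own return, which indicates the lock is held here. If so, an `M_NOWAIT` allocation failure leaves the read lock held. The return should be `if (*m0 == NULL) { PF_RULES_RUNLOCK(); return (PF_DROP); }`. The enclosing function begins and ends outside the hunk.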
@@ -9007,7 +8998,7 @@
return (PF_PASS);
}
PF_RULES_RUNLOCK();
- (ifp->if_output)(ifp, m, sintosa(&pd.pf_mtag->dst), NULL);
+ (ifp->if_output)(ifp, *m0, sintosa(&pd.pf_mtag->dst), NULL);
*m0 = NULL;
return (PF_PASS);
}
@@ -9020,7 +9011,7 @@
/* But only once. We may see the packet multiple times (e.g.
* PFIL_IN/PFIL_OUT). */
- pf_dummynet_flag_remove(m, pd.pf_mtag);
+ pf_dummynet_flag_remove(pd.m, pd.pf_mtag);
PF_RULES_RUNLOCK();
return (PF_PASS);
@@ -9032,29 +9023,28 @@
pd.act.log |= PF_LOG_FORCE;
goto done;
}
- m = *m0;
if (__predict_false(ip_divert_ptr != NULL) &&
- ((mtag = m_tag_locate(m, MTAG_PF_DIVERT, 0, NULL)) != NULL)) {
+ ((mtag = m_tag_locate(pd.m, MTAG_PF_DIVERT, 0, NULL)) != NULL)) {
struct pf_divert_mtag *dt = (struct pf_divert_mtag *)(mtag+1);
if ((dt->idir == PF_DIVERT_MTAG_DIR_IN && dir == PF_IN) ||
(dt->idir == PF_DIVERT_MTAG_DIR_OUT && dir == PF_OUT)) {
if (pd.pf_mtag == NULL &&
- ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
+ ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) {
action = PF_DROP;
goto done;
}
pd.pf_mtag->flags |= PF_MTAG_FLAG_PACKET_LOOPED;
}
if (pd.pf_mtag && pd.pf_mtag->flags & PF_MTAG_FLAG_FASTFWD_OURS_PRESENT) {
- m->m_flags |= M_FASTFWD_OURS;
+ pd.m->m_flags |= M_FASTFWD_OURS;
pd.pf_mtag->flags &= ~PF_MTAG_FLAG_FASTFWD_OURS_PRESENT;
}
- m_tag_delete(m, mtag);
+ m_tag_delete(pd.m, mtag);
- mtag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL);
+ mtag = m_tag_locate(pd.m, MTAG_IPFW_RULE, 0, NULL);
if (mtag != NULL)
- m_tag_delete(m, mtag);
+ m_tag_delete(pd.m, mtag);
}
switch (pd.virtual_proto) {
@@ -9066,7 +9056,7 @@
if (kif == NULL || r == NULL) /* pflog */
action = PF_DROP;
else
- action = pf_test_rule(&r, &s, m, &pd, &a,
+ action = pf_test_rule(&r, &s, &pd, &a,
&ruleset, inp);
if (action != PF_PASS)
REASON_SET(&reason, PFRES_FRAG);
@@ -9076,17 +9066,17 @@
/* Respond to SYN with a syncookie. */
if ((pd.hdr.tcp.th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN &&
pd.dir == PF_IN && pf_synflood_check(&pd)) {
- pf_syncookie_send(m, &pd);
+ pf_syncookie_send(&pd);
action = PF_DROP;
break;
}
if ((pd.hdr.tcp.th_flags & TH_ACK) && pd.p_len == 0)
use_2nd_queue = 1;
- action = pf_normalize_tcp(m, &pd);
+ action = pf_normalize_tcp(&pd);
if (action == PF_DROP)
goto done;
- action = pf_test_state_tcp(&s, m, &pd, &reason);
+ action = pf_test_state_tcp(&s, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@@ -9112,8 +9102,7 @@
if (action != PF_PASS)
break;
- action = pf_test_state_tcp(&s, m,
- &pd, &reason);
+ action = pf_test_state_tcp(&s, &pd, &reason);
if (action != PF_PASS || s == NULL) {
action = PF_DROP;
break;
@@ -9125,7 +9114,7 @@
action = pf_synproxy(&pd, &s, &reason);
break;
} else {
- action = pf_test_rule(&r, &s, m, &pd,
+ action = pf_test_rule(&r, &s, &pd,
&a, &ruleset, inp);
}
}
@@ -9133,30 +9122,30 @@
}
case IPPROTO_UDP: {
- action = pf_test_state_udp(&s, m, &pd);
+ action = pf_test_state_udp(&s, &pd);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
r = s->rule;
a = s->anchor;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, m, &pd,
+ action = pf_test_rule(&r, &s, &pd,
&a, &ruleset, inp);
break;
}
case IPPROTO_SCTP: {
- action = pf_normalize_sctp(m, &pd);
+ action = pf_normalize_sctp(&pd);
if (action == PF_DROP)
goto done;
- action = pf_test_state_sctp(&s, m, &pd, &reason);
+ action = pf_test_state_sctp(&s, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
r = s->rule;
a = s->anchor;
} else if (s == NULL) {
- action = pf_test_rule(&r, &s, m,
+ action = pf_test_rule(&r, &s,
&pd, &a, &ruleset, inp);
}
break;
@@ -9170,14 +9159,14 @@
("dropping IPv6 packet with ICMPv4 payload"));
goto done;
}
- action = pf_test_state_icmp(&s, m, &pd, &reason);
+ action = pf_test_state_icmp(&s, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
r = s->rule;
a = s->anchor;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, m, &pd,
+ action = pf_test_rule(&r, &s, &pd,
&a, &ruleset, inp);
break;
}
@@ -9190,36 +9179,35 @@
("pf: dropping IPv4 packet with ICMPv6 payload\n"));
goto done;
}
- action = pf_test_state_icmp(&s, m, &pd, &reason);
+ action = pf_test_state_icmp(&s, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
r = s->rule;
a = s->anchor;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, m, &pd,
+ action = pf_test_rule(&r, &s, &pd,
&a, &ruleset, inp);
break;
}
default:
- action = pf_test_state_other(&s, m, &pd);
+ action = pf_test_state_other(&s, &pd);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
r = s->rule;
a = s->anchor;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, m, &pd,
+ action = pf_test_rule(&r, &s, &pd,
&a, &ruleset, inp);
break;
}
done:
- m = *m0;
PF_RULES_RUNLOCK();
- if (m == NULL)
+ if (pd.m == NULL)
goto eat_pkt;
if (action == PF_PASS && pd.badopts &&
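Review bot: The `done:` path now tests `pd.m` instead of re-reading `*m0`, so it is only correct if every callee that can free or replace the packet also updates `pd.m`. `pf_normalize_ip()` later in this diff returns `PF_DROP` on `verdict != PF_PASS` before its `pd->m = *m0;` line, and whether `*m0` can already be NULL on that path is not visible here. Keeping `pd.m = *m0;` at `done:`, or adding `MPASS(pd.m == *m0);`, would make the invariant explicit rather than implied. The same mix appears further down at `ip_divert_ptr(*m0, dir == PF_IN)` and in the refragment check, which guards on `*m0` but passes `pd.m` to `m_tag_find()`. The enclosing function extends beyond this hunk.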
@@ -9242,22 +9230,22 @@
rt = r->rt;
}
- if (tag > 0 && pf_tag_packet(m, &pd, tag)) {
+ if (tag > 0 && pf_tag_packet(&pd, tag)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_MEMORY);
}
- pf_scrub(m, &pd);
+ pf_scrub(&pd);
if (pd.proto == IPPROTO_TCP && pd.act.max_mss)
- pf_normalize_mss(m, &pd);
+ pf_normalize_mss(&pd);
if (pd.act.rtableid >= 0)
- M_SETFIB(m, pd.act.rtableid);
+ M_SETFIB(pd.m, pd.act.rtableid);
if (pd.act.flags & PFSTATE_SETPRIO) {
if (pd.tos & IPTOS_LOWDELAY)
use_2nd_queue = 1;
- if (vlan_set_pcp(m, pd.act.set_prio[use_2nd_queue])) {
+ if (vlan_set_pcp(pd.m, pd.act.set_prio[use_2nd_queue])) {
action = PF_DROP;
REASON_SET(&reason, PFRES_MEMORY);
pd.act.log = PF_LOG_FORCE;
@@ -9269,7 +9257,7 @@
#ifdef ALTQ
if (action == PF_PASS && pd.act.qid) {
if (pd.pf_mtag == NULL &&
- ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
+ ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_MEMORY);
} else {
@@ -9280,7 +9268,7 @@
else
pd.pf_mtag->qid = pd.act.qid;
/* Add hints for ecn. */
- pd.pf_mtag->hdr = mtod(m, void *);
+ pd.pf_mtag->hdr = mtod(pd.m, void *);
}
}
#endif /* ALTQ */
@@ -9295,7 +9283,7 @@
(s->nat_rule->action == PF_RDR ||
s->nat_rule->action == PF_BINAT) &&
pf_is_loopback(af, pd.dst))
- m->m_flags |= M_SKIP_FIREWALL;
+ pd.m->m_flags |= M_SKIP_FIREWALL;
if (af == AF_INET && __predict_false(ip_divert_ptr != NULL) &&
action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) {
@@ -9311,10 +9299,10 @@
if (s)
PF_STATE_UNLOCK(s);
- m_tag_prepend(m, mtag);
- if (m->m_flags & M_FASTFWD_OURS) {
+ m_tag_prepend(pd.m, mtag);
+ if (pd.m->m_flags & M_FASTFWD_OURS) {
if (pd.pf_mtag == NULL &&
- ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
+ ((pd.pf_mtag = pf_get_mtag(pd.m)) == NULL)) {
action = PF_DROP;
REASON_SET(&reason, PFRES_MEMORY);
pd.act.log = PF_LOG_FORCE;
@@ -9323,7 +9311,7 @@
} else {
pd.pf_mtag->flags |=
PF_MTAG_FLAG_FASTFWD_OURS_PRESENT;
- m->m_flags &= ~M_FASTFWD_OURS;
+ pd.m->m_flags &= ~M_FASTFWD_OURS;
}
}
ip_divert_ptr(*m0, dir == PF_IN);
@@ -9358,12 +9346,12 @@
lr = r;
if (pd.act.log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
- PFLOG_PACKET(m, action, reason, lr, a,
+ PFLOG_PACKET(action, reason, lr, a,
ruleset, &pd, (s == NULL));
if (s) {
SLIST_FOREACH(ri, &s->match_rules, entry)
if (ri->r->log & PF_LOG_ALL)
- PFLOG_PACKET(m, action,
+ PFLOG_PACKET(action,
reason, ri->r, a, ruleset, &pd, 0);
}
}
@@ -9422,7 +9410,7 @@
#ifdef INET6
/* If reassembled packet passed, create new fragments. */
if (af == AF_INET6 && action == PF_PASS && *m0 && dir == PF_OUT &&
- (mtag = m_tag_find(m, PACKET_TAG_PF_REASSEMBLED, NULL)) != NULL)
+ (mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL)) != NULL)
action = pf_refragment6(ifp, m0, mtag, pflags & PFIL_FWD);
#endif
diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
--- a/sys/netpfil/pf/pf_lb.c
+++ b/sys/netpfil/pf/pf_lb.c
@@ -63,7 +63,7 @@
static void pf_hash(struct pf_addr *, struct pf_addr *,
struct pf_poolhashkey *, sa_family_t);
-static struct pf_krule *pf_match_translation(struct pf_pdesc *, struct mbuf *,
+static struct pf_krule *pf_match_translation(struct pf_pdesc *,
struct pf_addr *, u_int16_t,
struct pf_addr *, uint16_t, int,
struct pf_kanchor_stackframe *);
@@ -131,7 +131,7 @@
}
static struct pf_krule *
-pf_match_translation(struct pf_pdesc *pd, struct mbuf *m,
+pf_match_translation(struct pf_pdesc *pd,
struct pf_addr *saddr, u_int16_t sport,
struct pf_addr *daddr, uint16_t dport, int rs_num,
struct pf_kanchor_stackframe *anchor_stack)
@@ -166,7 +166,7 @@
else if (r->proto && r->proto != pd->proto)
r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&src->addr, saddr, pd->af,
- src->neg, pd->kif, M_GETFIB(m)))
+ src->neg, pd->kif, M_GETFIB(pd->m)))
r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR :
PF_SKIP_DST_ADDR];
else if (src->port_op && !pf_match_port(src->port_op,
@@ -175,20 +175,20 @@
PF_SKIP_DST_PORT];
else if (dst != NULL &&
PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL,
- M_GETFIB(m)))
+ M_GETFIB(pd->m)))
r = r->skip[PF_SKIP_DST_ADDR];
else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
- 0, NULL, M_GETFIB(m)))
+ 0, NULL, M_GETFIB(pd->m)))
r = TAILQ_NEXT(r, entries);
else if (dst != NULL && dst->port_op &&
!pf_match_port(dst->port_op, dst->port[0],
dst->port[1], dport))
r = r->skip[PF_SKIP_DST_PORT];
- else if (r->match_tag && !pf_match_tag(m, r, &tag,
+ else if (r->match_tag && !pf_match_tag(pd->m, r, &tag,
pd->pf_mtag ? pd->pf_mtag->tag : 0))
r = TAILQ_NEXT(r, entries);
else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
- IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
+ IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd,
&pd->hdr.tcp), r->os_fingerprint)))
r = TAILQ_NEXT(r, entries);
else {
@@ -213,10 +213,10 @@
rs_num, &r, NULL, NULL);
}
- if (tag > 0 && pf_tag_packet(m, pd, tag))
+ if (tag > 0 && pf_tag_packet(pd, tag))
return (NULL);
if (rtableid >= 0)
- M_SETFIB(m, rtableid);
+ M_SETFIB(pd->m, rtableid);
return (rm);
}
@@ -696,7 +696,7 @@
}
u_short
-pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
+pf_get_translation(struct pf_pdesc *pd, int off,
struct pf_ksrc_node **sn, struct pf_state_key **skp,
struct pf_state_key **nkp, struct pf_addr *saddr, struct pf_addr *daddr,
uint16_t sport, uint16_t dport, struct pf_kanchor_stackframe *anchor_stack,
@@ -716,17 +716,17 @@
*rp = NULL;
if (pd->dir == PF_OUT) {
- r = pf_match_translation(pd, m, saddr,
+ r = pf_match_translation(pd, saddr,
sport, daddr, dport, PF_RULESET_BINAT, anchor_stack);
if (r == NULL)
- r = pf_match_translation(pd, m,
+ r = pf_match_translation(pd,
saddr, sport, daddr, dport, PF_RULESET_NAT,
anchor_stack);
} else {
- r = pf_match_translation(pd, m, saddr,
+ r = pf_match_translation(pd, saddr,
sport, daddr, dport, PF_RULESET_RDR, anchor_stack);
if (r == NULL)
- r = pf_match_translation(pd, m,
+ r = pf_match_translation(pd,
saddr, sport, daddr, dport, PF_RULESET_BINAT,
anchor_stack);
}
@@ -741,7 +741,7 @@
return (PFRES_MAX);
}
- *skp = pf_state_key_setup(pd, m, saddr, daddr, sport, dport);
+ *skp = pf_state_key_setup(pd, saddr, daddr, sport, dport);
if (*skp == NULL)
return (PFRES_MEMORY);
*nkp = pf_state_key_clone(*skp);
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1050,9 +1050,8 @@
pf_normalize_ip(struct mbuf **m0, u_short *reason,
struct pf_pdesc *pd)
{
- struct mbuf *m = *m0;
struct pf_krule *r;
- struct ip *h = mtod(m, struct ip *);
+ struct ip *h = mtod(*m0, struct ip *);
int mff = (ntohs(h->ip_off) & IP_MF);
int hlen = h->ip_hl << 2;
u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3;
@@ -1064,6 +1063,8 @@
PF_RULES_RASSERT();
+ MPASS(pd->m == *m0);
+
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
/*
* Check if there are any scrub rules, matching or not.
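Review bot: `MPASS(pd->m == *m0)` checks the entry invariant only in kernels built with INVARIANTS, while `pf_normalize_ip6()` further down in this file establishes it unconditionally with `pd->m = *m0;`. The two normalizers should treat the entry condition the same way, either asserting in both or assigning in both. A short comment such as `/* caller keeps pd->m in sync with *m0 */` next to the chosen form would state who owns the invariant. The function body starts and ends outside the hunk.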
@@ -1088,13 +1089,13 @@
r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&r->src.addr,
(struct pf_addr *)&h->ip_src.s_addr, AF_INET,
- r->src.neg, pd->kif, M_GETFIB(m)))
+ r->src.neg, pd->kif, M_GETFIB(pd->m)))
r = r->skip[PF_SKIP_SRC_ADDR];
else if (PF_MISMATCHAW(&r->dst.addr,
(struct pf_addr *)&h->ip_dst.s_addr, AF_INET,
- r->dst.neg, NULL, M_GETFIB(m)))
+ r->dst.neg, NULL, M_GETFIB(pd->m)))
r = r->skip[PF_SKIP_DST_ADDR];
- else if (r->match_tag && !pf_match_tag(m, r, &tag,
+ else if (r->match_tag && !pf_match_tag(pd->m, r, &tag,
pd->pf_mtag ? pd->pf_mtag->tag : 0))
r = TAILQ_NEXT(r, entries);
else
@@ -1178,11 +1179,11 @@
if (verdict != PF_PASS)
return (PF_DROP);
- m = *m0;
- if (m == NULL)
+ pd->m = *m0;
+ if (pd->m == NULL)
return (PF_DROP);
- h = mtod(m, struct ip *);
+ h = mtod(pd->m, struct ip *);
no_fragment:
/* At this point, only IP_DF is allowed in ip_off */
@@ -1201,7 +1202,7 @@
REASON_SET(reason, PFRES_FRAG);
drop:
if (r != NULL && r->log)
- PFLOG_PACKET(m, PF_DROP, *reason, r, NULL, NULL, pd, 1);
+ PFLOG_PACKET(PF_DROP, *reason, r, NULL, NULL, pd, 1);
return (PF_DROP);
}
@@ -1212,14 +1213,13 @@
pf_normalize_ip6(struct mbuf **m0, int off, u_short *reason,
struct pf_pdesc *pd)
{
- struct mbuf *m;
struct pf_krule *r;
struct ip6_frag frag;
bool scrub_compat;
PF_RULES_RASSERT();
- m = *m0;
+ pd->m = *m0;
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
/*
@@ -1243,11 +1243,11 @@
r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&r->src.addr,
(struct pf_addr *)&pd->src, AF_INET6,
- r->src.neg, pd->kif, M_GETFIB(m)))
+ r->src.neg, pd->kif, M_GETFIB(pd->m)))
r = r->skip[PF_SKIP_SRC_ADDR];
else if (PF_MISMATCHAW(&r->dst.addr,
(struct pf_addr *)&pd->dst, AF_INET6,
- r->dst.neg, NULL, M_GETFIB(m)))
+ r->dst.neg, NULL, M_GETFIB(pd->m)))
r = r->skip[PF_SKIP_DST_ADDR];
else
break;
@@ -1266,7 +1266,7 @@
pf_rule_to_actions(r, &pd->act);
}
- if (!pf_pull_hdr(m, off, &frag, sizeof(frag), NULL, reason, AF_INET6))
+ if (!pf_pull_hdr(pd->m, off, &frag, sizeof(frag), NULL, reason, AF_INET6))
return (PF_DROP);
/* Offset now points to data portion. */
@@ -1277,8 +1277,8 @@
* mbuf. */
if (pf_reassemble6(m0, &frag, off, pd->extoff, reason) != PF_PASS)
return (PF_DROP);
- m = *m0;
- if (m == NULL)
+ pd->m = *m0;
+ if (pd->m == NULL)
return (PF_DROP);
}
@@ -1287,7 +1287,7 @@
#endif /* INET6 */
int
-pf_normalize_tcp(struct mbuf *m, struct pf_pdesc *pd)
+pf_normalize_tcp(struct pf_pdesc *pd)
{
struct pf_krule *r, *rm = NULL;
struct tcphdr *th = &pd->hdr.tcp;
@@ -1314,19 +1314,19 @@
else if (r->proto && r->proto != pd->proto)
r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
- r->src.neg, pd->kif, M_GETFIB(m)))
+ r->src.neg, pd->kif, M_GETFIB(pd->m)))
r = r->skip[PF_SKIP_SRC_ADDR];
else if (r->src.port_op && !pf_match_port(r->src.port_op,
r->src.port[0], r->src.port[1], th->th_sport))
r = r->skip[PF_SKIP_SRC_PORT];
else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
- r->dst.neg, NULL, M_GETFIB(m)))
+ r->dst.neg, NULL, M_GETFIB(pd->m)))
r = r->skip[PF_SKIP_DST_ADDR];
else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
r->dst.port[0], r->dst.port[1], th->th_dport))
r = r->skip[PF_SKIP_DST_PORT];
else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match(
- pf_osfp_fingerprint(pd, m, th),
+ pf_osfp_fingerprint(pd, th),
r->os_fingerprint))
r = TAILQ_NEXT(r, entries);
else {
@@ -1385,13 +1385,13 @@
tcp_set_flags(th, flags);
nv = *(u_int16_t *)(&th->th_ack + 1);
- th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, ov, nv, 0);
+ th->th_sum = pf_proto_cksum_fixup(pd->m, th->th_sum, ov, nv, 0);
rewrite = 1;
}
/* Remove urgent pointer, if TH_URG is not set */
if (!(flags & TH_URG) && th->th_urp) {
- th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, th->th_urp,
+ th->th_sum = pf_proto_cksum_fixup(pd->m, th->th_sum, th->th_urp,
0, 0);
th->th_urp = 0;
rewrite = 1;
@@ -1399,20 +1399,20 @@
/* copy back packet headers if we sanitized */
if (rewrite)
- m_copyback(m, pd->off, sizeof(*th), (caddr_t)th);
+ m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th);
return (PF_PASS);
tcp_drop:
REASON_SET(&reason, PFRES_NORM);
if (rm != NULL && r->log)
- PFLOG_PACKET(m, PF_DROP, reason, r, NULL, NULL, pd, 1);
+ PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd, 1);
return (PF_DROP);
}
int
-pf_normalize_tcp_init(struct mbuf *m, struct pf_pdesc *pd,
- struct tcphdr *th, struct pf_state_peer *src, struct pf_state_peer *dst)
+pf_normalize_tcp_init(struct pf_pdesc *pd, struct tcphdr *th,
+ struct pf_state_peer *src, struct pf_state_peer *dst)
{
u_int32_t tsval, tsecr;
u_int8_t hdr[60];
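Review bot: At `tcp_drop` the guard tests `rm != NULL` but then dereferences `r` (`r->log`) and passes `r` to the new `PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd, 1)` call. Whether `r` and `rm` always name the same rule at this label is not visible in the hunk. If they do, using `rm` throughout (`if (rm != NULL && rm->log)` with `rm` as the rule argument) makes the NULL check cover the pointer that is actually used. The `sctp_drop` hunk further down has the same shape. Both functions start outside their hunks.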
@@ -1428,14 +1428,14 @@
switch (pd->af) {
#ifdef INET
case AF_INET: {
- struct ip *h = mtod(m, struct ip *);
+ struct ip *h = mtod(pd->m, struct ip *);
src->scrub->pfss_ttl = h->ip_ttl;
break;
}
#endif /* INET */
#ifdef INET6
case AF_INET6: {
- struct ip6_hdr *h = mtod(m, struct ip6_hdr *);
+ struct ip6_hdr *h = mtod(pd->m, struct ip6_hdr *);
src->scrub->pfss_ttl = h->ip6_hlim;
break;
}
@@ -1450,7 +1450,7 @@
return (0);
if (th->th_off > (sizeof(struct tcphdr) >> 2) && src->scrub &&
- pf_pull_hdr(m, pd->off, hdr, th->th_off << 2, NULL, NULL, pd->af)) {
+ pf_pull_hdr(pd->m, pd->off, hdr, th->th_off << 2, NULL, NULL, pd->af)) {
/* Diddle with TCP options */
int hlen;
opt = hdr + sizeof(struct tcphdr);
@@ -1501,8 +1501,8 @@
/* Someday... flush the TCP segment reassembly descriptors. */
}
int
-pf_normalize_sctp_init(struct mbuf *m, struct pf_pdesc *pd,
- struct pf_state_peer *src, struct pf_state_peer *dst)
+pf_normalize_sctp_init(struct pf_pdesc *pd, struct pf_state_peer *src,
+ struct pf_state_peer *dst)
{
src->scrub = uma_zalloc(V_pf_state_scrub_z, M_ZERO | M_NOWAIT);
if (src->scrub == NULL)
@@ -1520,7 +1520,7 @@
}
int
-pf_normalize_tcp_stateful(struct mbuf *m, struct pf_pdesc *pd,
+pf_normalize_tcp_stateful(struct pf_pdesc *pd,
u_short *reason, struct tcphdr *th, struct pf_kstate *state,
struct pf_state_peer *src, struct pf_state_peer *dst, int *writeback)
{
@@ -1545,7 +1545,7 @@
#ifdef INET
case AF_INET: {
if (src->scrub) {
- struct ip *h = mtod(m, struct ip *);
+ struct ip *h = mtod(pd->m, struct ip *);
if (h->ip_ttl > src->scrub->pfss_ttl)
src->scrub->pfss_ttl = h->ip_ttl;
h->ip_ttl = src->scrub->pfss_ttl;
@@ -1556,7 +1556,7 @@
#ifdef INET6
case AF_INET6: {
if (src->scrub) {
- struct ip6_hdr *h = mtod(m, struct ip6_hdr *);
+ struct ip6_hdr *h = mtod(pd->m, struct ip6_hdr *);
if (h->ip6_hlim > src->scrub->pfss_ttl)
src->scrub->pfss_ttl = h->ip6_hlim;
h->ip6_hlim = src->scrub->pfss_ttl;
@@ -1569,7 +1569,7 @@
if (th->th_off > (sizeof(struct tcphdr) >> 2) &&
((src->scrub && (src->scrub->pfss_flags & PFSS_TIMESTAMP)) ||
(dst->scrub && (dst->scrub->pfss_flags & PFSS_TIMESTAMP))) &&
- pf_pull_hdr(m, pd->off, hdr, th->th_off << 2, NULL, NULL, pd->af)) {
+ pf_pull_hdr(pd->m, pd->off, hdr, th->th_off << 2, NULL, NULL, pd->af)) {
/* Diddle with TCP options */
int hlen;
opt = hdr + sizeof(struct tcphdr);
@@ -1605,7 +1605,7 @@
(src->scrub->pfss_flags &
PFSS_TIMESTAMP)) {
tsval = ntohl(tsval);
- pf_patch_32_unaligned(m,
+ pf_patch_32_unaligned(pd->m,
&th->th_sum,
&opt[2],
htonl(tsval +
@@ -1623,7 +1623,7 @@
PFSS_TIMESTAMP)) {
tsecr = ntohl(tsecr)
- dst->scrub->pfss_ts_mod;
- pf_patch_32_unaligned(m,
+ pf_patch_32_unaligned(pd->m,
&th->th_sum,
&opt[6],
htonl(tsecr),
@@ -1643,7 +1643,7 @@
if (copyback) {
/* Copyback the options, caller copys back header */
*writeback = 1;
- m_copyback(m, pd->off + sizeof(struct tcphdr),
+ m_copyback(pd->m, pd->off + sizeof(struct tcphdr),
(th->th_off << 2) - sizeof(struct tcphdr), hdr +
sizeof(struct tcphdr));
}
@@ -1915,7 +1915,7 @@
}
int
-pf_normalize_mss(struct mbuf *m, struct pf_pdesc *pd)
+pf_normalize_mss(struct pf_pdesc *pd)
{
struct tcphdr *th = &pd->hdr.tcp;
u_int16_t *mss;
@@ -1928,7 +1928,7 @@
thoff = th->th_off << 2;
cnt = thoff - sizeof(struct tcphdr);
- if (cnt > 0 && !pf_pull_hdr(m, pd->off + sizeof(*th), opts, cnt,
+ if (cnt > 0 && !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, cnt,
NULL, NULL, pd->af))
return (0);
@@ -1950,14 +1950,14 @@
case TCPOPT_MAXSEG:
mss = (u_int16_t *)(optp + 2);
if ((ntohs(*mss)) > pd->act.max_mss) {
- pf_patch_16_unaligned(m,
+ pf_patch_16_unaligned(pd->m,
&th->th_sum,
mss, htons(pd->act.max_mss),
PF_ALGNMNT(startoff),
0);
- m_copyback(m, pd->off + sizeof(*th),
+ m_copyback(pd->m, pd->off + sizeof(*th),
thoff - sizeof(*th), opts);
- m_copyback(m, pd->off, sizeof(*th), (caddr_t)th);
+ m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th);
}
break;
default:
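Review bot: `ntohs(*mss)` reads the option value through a `u_int16_t *` cast of `optp + 2`, which may not be 2-byte aligned. The write just below goes through `pf_patch_16_unaligned()` with `PF_ALGNMNT(startoff)`, which suggests the offset is not assumed to be aligned. These are unchanged context lines, but the read could be made alignment-safe while the surrounding calls are being touched, e.g. `u_int16_t v; memcpy(&v, optp + 2, sizeof(v));` followed by `if (ntohs(v) > pd->act.max_mss) {`. The checks that keep `optp + 2` and the following two bytes inside `opts` are not visible in this hunk and should be confirmed to cover the whole option. The switch and the enclosing function extend beyond the hunk.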
@@ -1969,7 +1969,7 @@
}
int
-pf_scan_sctp(struct mbuf *m, struct pf_pdesc *pd)
+pf_scan_sctp(struct pf_pdesc *pd)
{
struct sctp_chunkhdr ch = { };
int chunk_off = sizeof(struct sctphdr);
@@ -1977,7 +1977,7 @@
int ret;
while (pd->off + chunk_off < pd->tot_len) {
- if (!pf_pull_hdr(m, pd->off + chunk_off, &ch, sizeof(ch), NULL,
+ if (!pf_pull_hdr(pd->m, pd->off + chunk_off, &ch, sizeof(ch), NULL,
NULL, pd->af))
return (PF_DROP);
@@ -1993,7 +1993,7 @@
case SCTP_INITIATION_ACK: {
struct sctp_init_chunk init;
- if (!pf_pull_hdr(m, pd->off + chunk_start, &init,
+ if (!pf_pull_hdr(pd->m, pd->off + chunk_start, &init,
sizeof(init), NULL, NULL, pd->af))
return (PF_DROP);
@@ -2025,7 +2025,7 @@
else
pd->sctp_flags |= PFDESC_SCTP_INIT_ACK;
- ret = pf_multihome_scan_init(m, pd->off + chunk_start,
+ ret = pf_multihome_scan_init(pd->off + chunk_start,
ntohs(init.ch.chunk_length), pd);
if (ret != PF_PASS)
return (ret);
@@ -2060,7 +2060,7 @@
case SCTP_ASCONF:
pd->sctp_flags |= PFDESC_SCTP_ASCONF;
- ret = pf_multihome_scan_asconf(m, pd->off + chunk_start,
+ ret = pf_multihome_scan_asconf(pd->off + chunk_start,
ntohs(ch.chunk_length), pd);
if (ret != PF_PASS)
return (ret);
@@ -2093,7 +2093,7 @@
}
int
-pf_normalize_sctp(struct mbuf *m, struct pf_pdesc *pd)
+pf_normalize_sctp(struct pf_pdesc *pd)
{
struct pf_krule *r, *rm = NULL;
struct sctphdr *sh = &pd->hdr.sctp;
@@ -2118,13 +2118,13 @@
else if (r->proto && r->proto != pd->proto)
r = r->skip[PF_SKIP_PROTO];
else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
- r->src.neg, pd->kif, M_GETFIB(m)))
+ r->src.neg, pd->kif, M_GETFIB(pd->m)))
r = r->skip[PF_SKIP_SRC_ADDR];
else if (r->src.port_op && !pf_match_port(r->src.port_op,
r->src.port[0], r->src.port[1], sh->src_port))
r = r->skip[PF_SKIP_SRC_PORT];
else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
- r->dst.neg, NULL, M_GETFIB(m)))
+ r->dst.neg, NULL, M_GETFIB(pd->m)))
r = r->skip[PF_SKIP_DST_ADDR];
else if (r->dst.port_op && !pf_match_port(r->dst.port_op,
r->dst.port[0], r->dst.port[1], sh->dest_port))
@@ -2161,7 +2161,7 @@
sctp_drop:
REASON_SET(&reason, PFRES_NORM);
if (rm != NULL && r->log)
- PFLOG_PACKET(m, PF_DROP, reason, r, NULL, NULL, pd,
+ PFLOG_PACKET(PF_DROP, reason, r, NULL, NULL, pd,
1);
return (PF_DROP);
@@ -2169,12 +2169,12 @@
#if defined(INET) || defined(INET6)
void
-pf_scrub(struct mbuf *m, struct pf_pdesc *pd)
+pf_scrub(struct pf_pdesc *pd)
{
- struct ip *h = mtod(m, struct ip *);
+ struct ip *h = mtod(pd->m, struct ip *);
#ifdef INET6
- struct ip6_hdr *h6 = mtod(m, struct ip6_hdr *);
+ struct ip6_hdr *h6 = mtod(pd->m, struct ip6_hdr *);
#endif
/* Clear IP_DF if no-df was requested */
diff --git a/sys/netpfil/pf/pf_osfp.c b/sys/netpfil/pf/pf_osfp.c
--- a/sys/netpfil/pf/pf_osfp.c
+++ b/sys/netpfil/pf/pf_osfp.c
@@ -67,8 +67,7 @@
* Returns the list of possible OSes.
*/
struct pf_osfp_enlist *
-pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m,
- const struct tcphdr *tcp)
+pf_osfp_fingerprint(struct pf_pdesc *pd, const struct tcphdr *tcp)
{
struct ip *ip = NULL;
struct ip6_hdr *ip6 = NULL;
@@ -79,14 +78,14 @@
switch (pd->af) {
case AF_INET:
- ip = mtod(m, struct ip *);
+ ip = mtod(pd->m, struct ip *);
ip6 = (struct ip6_hdr *)NULL;
break;
case AF_INET6:
- ip6 = mtod(m, struct ip6_hdr *);
+ ip6 = mtod(pd->m, struct ip6_hdr *);
break;
}
- if (!pf_pull_hdr(m, pd->off, hdr, tcp->th_off << 2, NULL, NULL,
+ if (!pf_pull_hdr(pd->m, pd->off, hdr, tcp->th_off << 2, NULL, NULL,
pd->af)) return (NULL);
return (pf_osfp_fingerprint_hdr(ip, ip6, (struct tcphdr *)hdr));
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -119,8 +119,7 @@
void pf_syncookie_newkey(void);
uint32_t pf_syncookie_mac(struct pf_pdesc *, union pf_syncookie,
uint32_t);
-uint32_t pf_syncookie_generate(struct mbuf *m, struct pf_pdesc *,
- uint16_t);
+uint32_t pf_syncookie_generate(struct pf_pdesc *, uint16_t);
void
pf_syncookies_init(void)
@@ -290,13 +289,13 @@
}
void
-pf_syncookie_send(struct mbuf *m, struct pf_pdesc *pd)
+pf_syncookie_send(struct pf_pdesc *pd)
{
uint16_t mss;
uint32_t iss;
- mss = max(V_tcp_mssdflt, pf_get_mss(m, pd));
- iss = pf_syncookie_generate(m, pd, mss);
+ mss = max(V_tcp_mssdflt, pf_get_mss(pd));
+ iss = pf_syncookie_generate(pd, mss);
pf_send_tcp(NULL, pd->af, pd->dst, pd->src, *pd->dport, *pd->sport,
iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss,
0, true, 0, 0, pd->act.rtableid);
@@ -457,7 +456,7 @@
}
uint32_t
-pf_syncookie_generate(struct mbuf *m, struct pf_pdesc *pd, uint16_t mss)
+pf_syncookie_generate(struct pf_pdesc *pd, uint16_t mss)
{
uint8_t i, wscale;
uint32_t iss, hash;
@@ -474,7 +473,7 @@
cookie.flags.mss_idx = i;
/* map WSCALE */
- wscale = pf_get_wscale(m, pd);
+ wscale = pf_get_wscale(pd);
for (i = nitems(pf_syncookie_wstab) - 1;
pf_syncookie_wstab[i] > wscale && i > 0; i--)
/* nada */;
