sys/netpfil/pf/pf.c
Show First 20 Lines • Show All 6,540 Lines • ▼ Show 20 Lines | pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, | ||||
} | } | ||||
/* If pfsync'd */ | /* If pfsync'd */ | ||||
if (ifp == NULL) | if (ifp == NULL) | ||||
ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; | ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; | ||||
if (ifp == NULL) | if (ifp == NULL) | ||||
goto bad; | goto bad; | ||||
if (dir == PF_IN) { | if (dir == PF_IN) { | ||||
if (pf_test(PF_OUT, 0, ifp, &m0, inp) != PF_PASS) | if (pf_test(PF_OUT, 0, ifp, &m0, inp, &pd->act) != PF_PASS) | ||||
goto bad; | goto bad; | ||||
else if (m0 == NULL) | else if (m0 == NULL) | ||||
goto done; | goto done; | ||||
if (m0->m_len < sizeof(struct ip)) { | if (m0->m_len < sizeof(struct ip)) { | ||||
DPFPRINTF(PF_DEBUG_URGENT, | DPFPRINTF(PF_DEBUG_URGENT, | ||||
("%s: m0->m_len < sizeof(struct ip)\n", __func__)); | ("%s: m0->m_len < sizeof(struct ip)\n", __func__)); | ||||
goto bad; | goto bad; | ||||
} | } | ||||
▲ Show 20 Lines • Show All 199 Lines • ▼ Show 20 Lines | pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, | ||||
/* If pfsync'd */ | /* If pfsync'd */ | ||||
if (ifp == NULL) | if (ifp == NULL) | ||||
ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; | ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; | ||||
if (ifp == NULL) | if (ifp == NULL) | ||||
goto bad; | goto bad; | ||||
if (dir == PF_IN) { | if (dir == PF_IN) { | ||||
if (pf_test6(PF_OUT, 0, ifp, &m0, inp) != PF_PASS) | if (pf_test6(PF_OUT, 0, ifp, &m0, inp, &pd->act) != PF_PASS) | ||||
goto bad; | goto bad; | ||||
else if (m0 == NULL) | else if (m0 == NULL) | ||||
goto done; | goto done; | ||||
if (m0->m_len < sizeof(struct ip6_hdr)) { | if (m0->m_len < sizeof(struct ip6_hdr)) { | ||||
DPFPRINTF(PF_DEBUG_URGENT, | DPFPRINTF(PF_DEBUG_URGENT, | ||||
("%s: m0->m_len < sizeof(struct ip6_hdr)\n", | ("%s: m0->m_len < sizeof(struct ip6_hdr)\n", | ||||
__func__)); | __func__)); | ||||
goto bad; | goto bad; | ||||
▲ Show 20 Lines • Show All 341 Lines • ▼ Show 20 Lines | if (pd->act.dnpipe || pd->act.dnrpipe) { | ||||
} | } | ||||
} | } | ||||
return (0); | return (0); | ||||
} | } | ||||
#ifdef INET | #ifdef INET | ||||
int | int | ||||
pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) | pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, | ||||
struct inpcb *inp, struct pf_rule_actions *default_actions) | |||||
{ | { | ||||
struct pfi_kkif *kif; | struct pfi_kkif *kif; | ||||
u_short action, reason = 0, log = 0; | u_short action, reason = 0, log = 0; | ||||
struct mbuf *m = *m0; | struct mbuf *m = *m0; | ||||
struct ip *h = NULL; | struct ip *h = NULL; | ||||
struct m_tag *ipfwtag; | struct m_tag *ipfwtag; | ||||
struct pf_krule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; | struct pf_krule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; | ||||
struct pf_kstate *s = NULL; | struct pf_kstate *s = NULL; | ||||
Show All 35 Lines | #endif | ||||
} | } | ||||
if (m->m_flags & M_SKIP_FIREWALL) { | if (m->m_flags & M_SKIP_FIREWALL) { | ||||
PF_RULES_RUNLOCK(); | PF_RULES_RUNLOCK(); | ||||
return (PF_PASS); | return (PF_PASS); | ||||
} | } | ||||
memset(&pd, 0, sizeof(pd)); | memset(&pd, 0, sizeof(pd)); | ||||
if (default_actions != NULL) | |||||
memcpy(&pd.act, default_actions, sizeof(pd.act)); | |||||
pd.pf_mtag = pf_find_mtag(m); | pd.pf_mtag = pf_find_mtag(m); | ||||
if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_TAG_ROUTE_TO)) { | if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_TAG_ROUTE_TO)) { | ||||
pd.pf_mtag->flags &= ~PF_TAG_ROUTE_TO; | pd.pf_mtag->flags &= ~PF_TAG_ROUTE_TO; | ||||
ifp = ifnet_byindexgen(pd.pf_mtag->if_index, | ifp = ifnet_byindexgen(pd.pf_mtag->if_index, | ||||
pd.pf_mtag->if_idxgen); | pd.pf_mtag->if_idxgen); | ||||
if (ifp == NULL || ifp->if_flags & IFF_DYING) { | if (ifp == NULL || ifp->if_flags & IFF_DYING) { | ||||
▲ Show 20 Lines • Show All 124 Lines • ▼ Show 20 Lines | if (action == PF_PASS) { | ||||
msyn = pf_syncookie_recreate_syn(h->ip_ttl, | msyn = pf_syncookie_recreate_syn(h->ip_ttl, | ||||
off,&pd); | off,&pd); | ||||
if (msyn == NULL) { | if (msyn == NULL) { | ||||
action = PF_DROP; | action = PF_DROP; | ||||
break; | break; | ||||
} | } | ||||
action = pf_test(dir, pflags, ifp, &msyn, inp); | action = pf_test(dir, pflags, ifp, &msyn, inp, &pd.act); | ||||
m_freem(msyn); | m_freem(msyn); | ||||
if (action == PF_PASS) { | if (action == PF_PASS) { | ||||
action = pf_test_state_tcp(&s, dir, | action = pf_test_state_tcp(&s, dir, | ||||
kif, m, off, h, &pd, &reason); | kif, m, off, h, &pd, &reason); | ||||
if (action != PF_PASS || s == NULL) { | if (action != PF_PASS || s == NULL) { | ||||
action = PF_DROP; | action = PF_DROP; | ||||
break; | break; | ||||
▲ Show 20 Lines • Show All 353 Lines • ▼ Show 20 Lines | if (s) | ||||
PF_STATE_UNLOCK(s); | PF_STATE_UNLOCK(s); | ||||
return (action); | return (action); | ||||
} | } | ||||
#endif /* INET */ | #endif /* INET */ | ||||
#ifdef INET6 | #ifdef INET6 | ||||
int | int | ||||
pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) | pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp, | ||||
struct pf_rule_actions *default_actions) | |||||
{ | { | ||||
struct pfi_kkif *kif; | struct pfi_kkif *kif; | ||||
u_short action, reason = 0, log = 0; | u_short action, reason = 0, log = 0; | ||||
struct mbuf *m = *m0, *n = NULL; | struct mbuf *m = *m0, *n = NULL; | ||||
struct m_tag *mtag; | struct m_tag *mtag; | ||||
struct ip6_hdr *h = NULL; | struct ip6_hdr *h = NULL; | ||||
struct pf_krule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; | struct pf_krule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; | ||||
struct pf_kstate *s = NULL; | struct pf_kstate *s = NULL; | ||||
Show All 34 Lines | #endif | ||||
} | } | ||||
if (m->m_flags & M_SKIP_FIREWALL) { | if (m->m_flags & M_SKIP_FIREWALL) { | ||||
PF_RULES_RUNLOCK(); | PF_RULES_RUNLOCK(); | ||||
return (PF_PASS); | return (PF_PASS); | ||||
} | } | ||||
memset(&pd, 0, sizeof(pd)); | memset(&pd, 0, sizeof(pd)); | ||||
if (default_actions != NULL) | |||||
memcpy(&pd.act, default_actions, sizeof(pd.act)); | |||||
pd.pf_mtag = pf_find_mtag(m); | pd.pf_mtag = pf_find_mtag(m); | ||||
if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_TAG_ROUTE_TO)) { | if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_TAG_ROUTE_TO)) { | ||||
pd.pf_mtag->flags &= ~PF_TAG_ROUTE_TO; | pd.pf_mtag->flags &= ~PF_TAG_ROUTE_TO; | ||||
ifp = ifnet_byindexgen(pd.pf_mtag->if_index, | ifp = ifnet_byindexgen(pd.pf_mtag->if_index, | ||||
pd.pf_mtag->if_idxgen); | pd.pf_mtag->if_idxgen); | ||||
if (ifp == NULL || ifp->if_flags & IFF_DYING) { | if (ifp == NULL || ifp->if_flags & IFF_DYING) { | ||||
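Review bot: The new `default_actions` parameter on pf_test() and pf_test6() is undocumented, and the only hint that it is optional is the `if (default_actions != NULL)` guard before the memcpy into `pd.act`; a comment on the definition would make the contract explicit, e.g. `/* default_actions: optional; when non-NULL it seeds pd.act before rule evaluation (pf_route*() passes the inbound packet's actions so the nested PF_OUT pass inherits them). */`. It is also worth stating at the memcpy that the copy is by value, so any actions a rule sets during the nested pass do not propagate back to the caller's `pd->act` — the `pd->act.dnpipe || pd->act.dnrpipe` check further down the file will therefore only ever see what the outer pass recorded; if that is intended, a one-line comment saying so saves the next reader a trip through pf_route(). The pf_route()/pf_route6() signatures shown in the context headers predate this change and show no `pd` parameter, so I assume it is added outside the visible lines. As a minor style point, `memcpy(&pd.act, default_actions, sizeof(pd.act))` could simply be `pd.act = *default_actions;`, which is type-checked and equally clear. Both pf_test() and pf_test6() bodies continue outside the visible hunks.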