Differential D27696 Diff 81047 sys/netpfil/pf/pf_norm.c

Changeset View

Standalone View

sys/netpfil/pf/pf_norm.c

Show First 20 Lines • Show All 1,511 Lines • ▼ Show 20 Lines
{		{
struct timeval uptime;		struct timeval uptime;
u_int32_t tsval, tsecr;		u_int32_t tsval, tsecr;
u_int tsval_from_last;		u_int tsval_from_last;
u_int8_t hdr[60];		u_int8_t hdr[60];
u_int8_t *opt;		u_int8_t *opt;
int copyback = 0;		int copyback = 0;
int got_ts = 0;		int got_ts = 0;
		size_t startoff;

KASSERT((src->scrub \|\| dst->scrub),		KASSERT((src->scrub \|\| dst->scrub),
("%s: src->scrub && dst->scrub!", __func__));		("%s: src->scrub && dst->scrub!", __func__));

/*		/*
* Enforce the minimum TTL seen for this connection. Negate a common		* Enforce the minimum TTL seen for this connection. Negate a common
* technique to evade an intrusion detection system and confuse		* technique to evade an intrusion detection system and confuse
* firewall state code.		* firewall state code.
Show All 27 Lines	if (th->th_off > (sizeof(struct tcphdr) >> 2) &&
((src->scrub && (src->scrub->pfss_flags & PFSS_TIMESTAMP)) \|\|		((src->scrub && (src->scrub->pfss_flags & PFSS_TIMESTAMP)) \|\|
(dst->scrub && (dst->scrub->pfss_flags & PFSS_TIMESTAMP))) &&		(dst->scrub && (dst->scrub->pfss_flags & PFSS_TIMESTAMP))) &&
pf_pull_hdr(m, off, hdr, th->th_off << 2, NULL, NULL, pd->af)) {		pf_pull_hdr(m, off, hdr, th->th_off << 2, NULL, NULL, pd->af)) {
/* Diddle with TCP options */		/* Diddle with TCP options */
int hlen;		int hlen;
opt = hdr + sizeof(struct tcphdr);		opt = hdr + sizeof(struct tcphdr);
hlen = (th->th_off << 2) - sizeof(struct tcphdr);		hlen = (th->th_off << 2) - sizeof(struct tcphdr);
while (hlen >= TCPOLEN_TIMESTAMP) {		while (hlen >= TCPOLEN_TIMESTAMP) {
		startoff = opt - (hdr + sizeof(struct tcphdr));
switch (*opt) {		switch (*opt) {
case TCPOPT_EOL: /* FALLTHROUGH */		case TCPOPT_EOL: /* FALLTHROUGH */
case TCPOPT_NOP:		case TCPOPT_NOP:
opt++;		opt++;
hlen--;		hlen--;
break;		break;
case TCPOPT_TIMESTAMP:		case TCPOPT_TIMESTAMP:
/* Modulate the timestamps. Can be used for		/* Modulate the timestamps. Can be used for
Show All 13 Lines	while (hlen >= TCPOLEN_TIMESTAMP) {
}		}
if (opt[1] >= TCPOLEN_TIMESTAMP) {		if (opt[1] >= TCPOLEN_TIMESTAMP) {
memcpy(&tsval, &opt[2],		memcpy(&tsval, &opt[2],
sizeof(u_int32_t));		sizeof(u_int32_t));
if (tsval && src->scrub &&		if (tsval && src->scrub &&
(src->scrub->pfss_flags &		(src->scrub->pfss_flags &
PFSS_TIMESTAMP)) {		PFSS_TIMESTAMP)) {
tsval = ntohl(tsval);		tsval = ntohl(tsval);
pf_change_proto_a(m, &opt[2],		pf_patch_32_unaligned(m,
&th->th_sum,		&th->th_sum,
		&opt[2],
htonl(tsval +		htonl(tsval +
src->scrub->pfss_ts_mod),		src->scrub->pfss_ts_mod),
		PF_ALGNMNT(startoff),
0);		0);
copyback = 1;		copyback = 1;
}		}

/* Modulate TS reply iff valid (!0) */		/* Modulate TS reply iff valid (!0) */
memcpy(&tsecr, &opt[6],		memcpy(&tsecr, &opt[6],
sizeof(u_int32_t));		sizeof(u_int32_t));
if (tsecr && dst->scrub &&		if (tsecr && dst->scrub &&
(dst->scrub->pfss_flags &		(dst->scrub->pfss_flags &
PFSS_TIMESTAMP)) {		PFSS_TIMESTAMP)) {
tsecr = ntohl(tsecr)		tsecr = ntohl(tsecr)
- dst->scrub->pfss_ts_mod;		- dst->scrub->pfss_ts_mod;
pf_change_proto_a(m, &opt[6],		pf_patch_32_unaligned(m,
&th->th_sum, htonl(tsecr),		&th->th_sum,
		&opt[6],
		htonl(tsecr),
		PF_ALGNMNT(startoff),
0);		0);
copyback = 1;		copyback = 1;
}		}
got_ts = 1;		got_ts = 1;
}		}
/* FALLTHROUGH */		/* FALLTHROUGH */
default:		default:
hlen -= MAX(opt[1], 2);		hlen -= MAX(opt[1], 2);
▲ Show 20 Lines • Show All 280 Lines • ▼ Show 20 Lines	pf_normalize_tcpopt(struct pf_rule r, struct mbuf m, struct tcphdr *th,
int off, sa_family_t af)		int off, sa_family_t af)
{		{
u_int16_t *mss;		u_int16_t *mss;
int thoff;		int thoff;
int opt, cnt, optlen = 0;		int opt, cnt, optlen = 0;
int rewrite = 0;		int rewrite = 0;
u_char opts[TCP_MAXOLEN];		u_char opts[TCP_MAXOLEN];
u_char *optp = opts;		u_char *optp = opts;
		size_t startoff;

thoff = th->th_off << 2;		thoff = th->th_off << 2;
cnt = thoff - sizeof(struct tcphdr);		cnt = thoff - sizeof(struct tcphdr);

if (cnt > 0 && !pf_pull_hdr(m, off + sizeof(*th), opts, cnt,		if (cnt > 0 && !pf_pull_hdr(m, off + sizeof(*th), opts, cnt,
NULL, NULL, af))		NULL, NULL, af))
return (rewrite);		return (rewrite);

for (; cnt > 0; cnt -= optlen, optp += optlen) {		for (; cnt > 0; cnt -= optlen, optp += optlen) {
		startoff = optp - opts;
opt = optp[0];		opt = optp[0];
if (opt == TCPOPT_EOL)		if (opt == TCPOPT_EOL)
break;		break;
if (opt == TCPOPT_NOP)		if (opt == TCPOPT_NOP)
optlen = 1;		optlen = 1;
else {		else {
if (cnt < 2)		if (cnt < 2)
break;		break;
optlen = optp[1];		optlen = optp[1];
if (optlen < 2 \|\| optlen > cnt)		if (optlen < 2 \|\| optlen > cnt)
break;		break;
}		}
switch (opt) {		switch (opt) {
case TCPOPT_MAXSEG:		case TCPOPT_MAXSEG:
mss = (u_int16_t *)(optp + 2);		mss = (u_int16_t *)(optp + 2);
if ((ntohs(*mss)) > r->max_mss) {		if ((ntohs(*mss)) > r->max_mss) {
th->th_sum = pf_proto_cksum_fixup(m,		pf_patch_16_unaligned(m,
th->th_sum, *mss, htons(r->max_mss), 0);		&th->th_sum,
*mss = htons(r->max_mss);		mss, htons(r->max_mss),
		PF_ALGNMNT(startoff),
		0);
rewrite = 1;		rewrite = 1;
}		}
break;		break;
default:		default:
break;		break;
}		}
}		}

▲ Show 20 Lines • Show All 62 Lines • Show Last 20 Lines