Page MenuHomeFreeBSD
Differential D27760 Diff 81132 sys/netpfil/pf/pf_norm.c

Changeset View

Standalone View

View Options

sys/netpfil/pf/pf_norm.c

Show First 20 LinesShow All 1,006 Lines▼ Show 20 Linespf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason,
int ip_off; int ip_off;
int tag = -1; int tag = -1;
int verdict; int verdict;
PF_RULES_RASSERT(); PF_RULES_RASSERT();
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) { while (r != NULL) {
r->evaluations++; counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot) if (pfi_kif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr; r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir) else if (r->direction && r->direction != dir)
r = r->skip[PF_SKIP_DIR].ptr; r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != AF_INET) else if (r->af && r->af != AF_INET)
r = r->skip[PF_SKIP_AF].ptr; r = r->skip[PF_SKIP_AF].ptr;
else if (r->proto && r->proto != h->ip_p) else if (r->proto && r->proto != h->ip_p)
r = r->skip[PF_SKIP_PROTO].ptr; r = r->skip[PF_SKIP_PROTO].ptr;
Show All 10 Lines else if (r->match_tag && !pf_match_tag(m, r, &tag,
r = TAILQ_NEXT(r, entries); r = TAILQ_NEXT(r, entries);
else else
break; break;
} }
if (r == NULL || r->action == PF_NOSCRUB) if (r == NULL || r->action == PF_NOSCRUB)
return (PF_PASS); return (PF_PASS);
else { else {
r->packets[dir == PF_OUT]++; counter_u64_add(r->packets[dir == PF_OUT], 1);
r->bytes[dir == PF_OUT] += pd->tot_len; counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len);
} }
/* Check for illegal packets */ /* Check for illegal packets */
if (hlen < (int)sizeof(struct ip)) { if (hlen < (int)sizeof(struct ip)) {
REASON_SET(reason, PFRES_NORM); REASON_SET(reason, PFRES_NORM);
goto drop; goto drop;
} }
▲ Show 20 LinesShow All 98 Lines▼ Show 20 Linespf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kif *kif,
int ooff; int ooff;
u_int8_t proto; u_int8_t proto;
int terminal; int terminal;
PF_RULES_RASSERT(); PF_RULES_RASSERT();
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) { while (r != NULL) {
r->evaluations++; counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot) if (pfi_kif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr; r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir) else if (r->direction && r->direction != dir)
r = r->skip[PF_SKIP_DIR].ptr; r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != AF_INET6) else if (r->af && r->af != AF_INET6)
r = r->skip[PF_SKIP_AF].ptr; r = r->skip[PF_SKIP_AF].ptr;
#if 0 /* header chain! */ #if 0 /* header chain! */
else if (r->proto && r->proto != h->ip6_nxt) else if (r->proto && r->proto != h->ip6_nxt)
Show All 9 Lines else if (PF_MISMATCHAW(&r->dst.addr,
r = r->skip[PF_SKIP_DST_ADDR].ptr; r = r->skip[PF_SKIP_DST_ADDR].ptr;
else else
break; break;
} }
if (r == NULL || r->action == PF_NOSCRUB) if (r == NULL || r->action == PF_NOSCRUB)
return (PF_PASS); return (PF_PASS);
else { else {
r->packets[dir == PF_OUT]++; counter_u64_add(r->packets[dir == PF_OUT], 1);
r->bytes[dir == PF_OUT] += pd->tot_len; counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len);
} }
/* Check for illegal packets */ /* Check for illegal packets */
if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len) if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len)
goto drop; goto drop;
plen = ntohs(h->ip6_plen); plen = ntohs(h->ip6_plen);
/* jumbo payload option not supported */ /* jumbo payload option not supported */
▲ Show 20 LinesShow All 110 Lines▼ Show 20 Linespf_normalize_tcp(int dir, struct pfi_kif *kif, struct mbuf *m, int ipoff,
u_short reason; u_short reason;
u_int8_t flags; u_int8_t flags;
sa_family_t af = pd->af; sa_family_t af = pd->af;
PF_RULES_RASSERT(); PF_RULES_RASSERT();
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) { while (r != NULL) {
r->evaluations++; counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot) if (pfi_kif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr; r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir) else if (r->direction && r->direction != dir)
r = r->skip[PF_SKIP_DIR].ptr; r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != af) else if (r->af && r->af != af)
r = r->skip[PF_SKIP_AF].ptr; r = r->skip[PF_SKIP_AF].ptr;
else if (r->proto && r->proto != pd->proto) else if (r->proto && r->proto != pd->proto)
r = r->skip[PF_SKIP_PROTO].ptr; r = r->skip[PF_SKIP_PROTO].ptr;
Show All 17 Lines else {
rm = r; rm = r;
break; break;
} }
} }
if (rm == NULL || rm->action == PF_NOSCRUB) if (rm == NULL || rm->action == PF_NOSCRUB)
return (PF_PASS); return (PF_PASS);
else { else {
r->packets[dir == PF_OUT]++; counter_u64_add(r->packets[dir == PF_OUT], 1);
r->bytes[dir == PF_OUT] += pd->tot_len; counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len);
} }
if (rm->rule_flag & PFRULE_REASSEMBLE_TCP) if (rm->rule_flag & PFRULE_REASSEMBLE_TCP)
pd->flags |= PFDESC_TCP_NORM; pd->flags |= PFDESC_TCP_NORM;
flags = th->th_flags; flags = th->th_flags;
if (flags & TH_SYN) { if (flags & TH_SYN) {
/* Illegal packet */ /* Illegal packet */
▲ Show 20 LinesShow All 659 LinesShow Last 20 Lines