Page MenuHomeFreeBSD
Differential D27761 Diff 81133 sys/netpfil/pf/pf_norm.c

Changeset View

Standalone View

View Options

sys/netpfil/pf/pf_norm.c

Show First 20 LinesShow All 987 Lines▼ Show 20 Linespf_refragment6(struct ifnet *ifp, struct mbuf **m0, struct m_tag *mtag)
} }
return (action); return (action);
} }
#endif /* INET6 */ #endif /* INET6 */
#ifdef INET #ifdef INET
int int
pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason,
struct pf_pdesc *pd) struct pf_pdesc *pd)
{ {
struct mbuf *m = *m0; struct mbuf *m = *m0;
struct pf_krule *r; struct pf_krule *r;
struct ip *h = mtod(m, struct ip *); struct ip *h = mtod(m, struct ip *);
int mff = (ntohs(h->ip_off) & IP_MF); int mff = (ntohs(h->ip_off) & IP_MF);
int hlen = h->ip_hl << 2; int hlen = h->ip_hl << 2;
u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3; u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3;
u_int16_t max; u_int16_t max;
int ip_len; int ip_len;
int ip_off; int ip_off;
int tag = -1; int tag = -1;
int verdict; int verdict;
PF_RULES_RASSERT(); PF_RULES_RASSERT();
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) { while (r != NULL) {
counter_u64_add(r->evaluations, 1); counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot) if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr; r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir) else if (r->direction && r->direction != dir)
r = r->skip[PF_SKIP_DIR].ptr; r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != AF_INET) else if (r->af && r->af != AF_INET)
r = r->skip[PF_SKIP_AF].ptr; r = r->skip[PF_SKIP_AF].ptr;
else if (r->proto && r->proto != h->ip_p) else if (r->proto && r->proto != h->ip_p)
r = r->skip[PF_SKIP_PROTO].ptr; r = r->skip[PF_SKIP_PROTO].ptr;
else if (PF_MISMATCHAW(&r->src.addr, else if (PF_MISMATCHAW(&r->src.addr,
▲ Show 20 LinesShow All 104 Lines▼ Show 20 Lines PFLOG_PACKET(kif, m, AF_INET, dir, *reason, r, NULL, NULL, pd,
1); 1);
return (PF_DROP); return (PF_DROP);
} }
#endif #endif
#ifdef INET6 #ifdef INET6
int int
pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kif *kif, pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif,
u_short *reason, struct pf_pdesc *pd) u_short *reason, struct pf_pdesc *pd)
{ {
struct mbuf *m = *m0; struct mbuf *m = *m0;
struct pf_krule *r; struct pf_krule *r;
struct ip6_hdr *h = mtod(m, struct ip6_hdr *); struct ip6_hdr *h = mtod(m, struct ip6_hdr *);
int extoff; int extoff;
int off; int off;
struct ip6_ext ext; struct ip6_ext ext;
struct ip6_opt opt; struct ip6_opt opt;
struct ip6_frag frag; struct ip6_frag frag;
u_int32_t plen; u_int32_t plen;
int optend; int optend;
int ooff; int ooff;
u_int8_t proto; u_int8_t proto;
int terminal; int terminal;
PF_RULES_RASSERT(); PF_RULES_RASSERT();
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) { while (r != NULL) {
counter_u64_add(r->evaluations, 1); counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot) if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr; r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir) else if (r->direction && r->direction != dir)
r = r->skip[PF_SKIP_DIR].ptr; r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != AF_INET6) else if (r->af && r->af != AF_INET6)
r = r->skip[PF_SKIP_AF].ptr; r = r->skip[PF_SKIP_AF].ptr;
#if 0 /* header chain! */ #if 0 /* header chain! */
else if (r->proto && r->proto != h->ip6_nxt) else if (r->proto && r->proto != h->ip6_nxt)
r = r->skip[PF_SKIP_PROTO].ptr; r = r->skip[PF_SKIP_PROTO].ptr;
▲ Show 20 LinesShow All 122 Lines▼ Show 20 Lines drop:
if (r != NULL && r->log) if (r != NULL && r->log)
PFLOG_PACKET(kif, m, AF_INET6, dir, *reason, r, NULL, NULL, pd, PFLOG_PACKET(kif, m, AF_INET6, dir, *reason, r, NULL, NULL, pd,
1); 1);
return (PF_DROP); return (PF_DROP);
} }
#endif /* INET6 */ #endif /* INET6 */
int int
pf_normalize_tcp(int dir, struct pfi_kif *kif, struct mbuf *m, int ipoff, pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
int off, void *h, struct pf_pdesc *pd) int off, void *h, struct pf_pdesc *pd)
{ {
struct pf_krule *r, *rm = NULL; struct pf_krule *r, *rm = NULL;
struct tcphdr *th = pd->hdr.tcp; struct tcphdr *th = pd->hdr.tcp;
int rewrite = 0; int rewrite = 0;
u_short reason; u_short reason;
u_int8_t flags; u_int8_t flags;
sa_family_t af = pd->af; sa_family_t af = pd->af;
PF_RULES_RASSERT(); PF_RULES_RASSERT();
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) { while (r != NULL) {
counter_u64_add(r->evaluations, 1); counter_u64_add(r->evaluations, 1);
if (pfi_kif_match(r->kif, kif) == r->ifnot) if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr; r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir) else if (r->direction && r->direction != dir)
r = r->skip[PF_SKIP_DIR].ptr; r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != af) else if (r->af && r->af != af)
r = r->skip[PF_SKIP_AF].ptr; r = r->skip[PF_SKIP_AF].ptr;
else if (r->proto && r->proto != pd->proto) else if (r->proto && r->proto != pd->proto)
r = r->skip[PF_SKIP_PROTO].ptr; r = r->skip[PF_SKIP_PROTO].ptr;
else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
▲ Show 20 LinesShow All 693 LinesShow Last 20 Lines