sys/netpfil/pf/pf_lb.c
{ | { | ||||
struct pf_state_key_cmp key; | struct pf_state_key_cmp key; | ||||
struct pf_addr init_addr; | struct pf_addr init_addr; | ||||
bzero(&init_addr, sizeof(init_addr)); | bzero(&init_addr, sizeof(init_addr)); | ||||
if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) | if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) | ||||
return (1); | return (1); | ||||
if (proto == IPPROTO_ICMP) { | |||||
low = 1; | |||||
high = 65535; | |||||
} | |||||
bzero(&key, sizeof(key)); | bzero(&key, sizeof(key)); | ||||
key.af = af; | key.af = af; | ||||
key.proto = proto; | key.proto = proto; | ||||
key.port[0] = dport; | key.port[0] = dport; | ||||
PF_ACPY(&key.addr[0], daddr, key.af); | PF_ACPY(&key.addr[0], daddr, key.af); | ||||
do { | do { | ||||
PF_ACPY(&key.addr[1], naddr, key.af); | PF_ACPY(&key.addr[1], naddr, key.af); | ||||
▲ Show 20 Lines • Show All 65 Lines • ▼ Show 20 Lines | do { | ||||
case PF_POOL_BITMASK: | case PF_POOL_BITMASK: | ||||
default: | default: | ||||
return (1); | return (1); | ||||
} | } | ||||
} while (! PF_AEQ(&init_addr, naddr, af) ); | } while (! PF_AEQ(&init_addr, naddr, af) ); | ||||
return (1); /* none available */ | return (1); /* none available */ | ||||
} | } | ||||
static int | |||||
pf_get_mape_sport(sa_family_t af, u_int8_t proto, struct pf_krule *r, | |||||
struct pf_addr *saddr, uint16_t sport, struct pf_addr *daddr, | |||||
uint16_t dport, struct pf_addr *naddr, uint16_t *nport, | |||||
struct pf_ksrc_node **sn) | |||||
{ | |||||
uint16_t psmask, low, highmask; | |||||
uint16_t i, ahigh, cut; | |||||
int ashift, psidshift; | |||||
ashift = 16 - r->rpool.mape.offset; | |||||
psidshift = ashift - r->rpool.mape.psidlen; | |||||
psmask = r->rpool.mape.psid & ((1U << r->rpool.mape.psidlen) - 1); | |||||
psmask = psmask << psidshift; | |||||
highmask = (1U << psidshift) - 1; | |||||
ahigh = (1U << r->rpool.mape.offset) - 1; | |||||
cut = arc4random() & ahigh; | |||||
takahiro.kurosawa_gmail.com: `i < ahigh` should be `i <= ahigh`.
Line 320 subtracts 1, so ahigh should be inclusive.
I… | |||||
if (cut == 0) | |||||
cut = 1; | |||||
for (i = cut; i <= ahigh; i++) { | |||||
low = (i << ashift) | psmask; | |||||
if (!pf_get_sport(af, proto, r, saddr, sport, daddr, dport, | |||||
naddr, nport, low, low | highmask, sn)) | |||||
return (0); | |||||
} | |||||
for (i = cut - 1; i > 0; i--) { | |||||
low = (i << ashift) | psmask; | |||||
if (!pf_get_sport(af, proto, r, saddr, sport, daddr, dport, | |||||
naddr, nport, low, low | highmask, sn)) | |||||
return (0); | |||||
} | |||||
return (1); | |||||
} | |||||
int | int | ||||
pf_map_addr(sa_family_t af, struct pf_krule *r, struct pf_addr *saddr, | pf_map_addr(sa_family_t af, struct pf_krule *r, struct pf_addr *saddr, | ||||
struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_ksrc_node **sn) | struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_ksrc_node **sn) | ||||
{ | { | ||||
struct pf_kpool *rpool = &r->rpool; | struct pf_kpool *rpool = &r->rpool; | ||||
struct pf_addr *raddr = NULL, *rmask = NULL; | struct pf_addr *raddr = NULL, *rmask = NULL; | ||||
/* Try to find a src_node if none was given and this | /* Try to find a src_node if none was given and this | ||||
▲ Show 20 Lines • Show All 204 Lines • ▼ Show 20 Lines | pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, | ||||
struct pfi_kkif *kif, struct pf_ksrc_node **sn, | struct pfi_kkif *kif, struct pf_ksrc_node **sn, | ||||
struct pf_state_key **skp, struct pf_state_key **nkp, | struct pf_state_key **skp, struct pf_state_key **nkp, | ||||
struct pf_addr *saddr, struct pf_addr *daddr, | struct pf_addr *saddr, struct pf_addr *daddr, | ||||
uint16_t sport, uint16_t dport, struct pf_kanchor_stackframe *anchor_stack) | uint16_t sport, uint16_t dport, struct pf_kanchor_stackframe *anchor_stack) | ||||
{ | { | ||||
struct pf_krule *r = NULL; | struct pf_krule *r = NULL; | ||||
struct pf_addr *naddr; | struct pf_addr *naddr; | ||||
uint16_t *nport; | uint16_t *nport; | ||||
uint16_t low, high; | |||||
PF_RULES_RASSERT(); | PF_RULES_RASSERT(); | ||||
KASSERT(*skp == NULL, ("*skp not NULL")); | KASSERT(*skp == NULL, ("*skp not NULL")); | ||||
KASSERT(*nkp == NULL, ("*nkp not NULL")); | KASSERT(*nkp == NULL, ("*nkp not NULL")); | ||||
if (direction == PF_OUT) { | if (direction == PF_OUT) { | ||||
r = pf_match_translation(pd, m, off, direction, kif, saddr, | r = pf_match_translation(pd, m, off, direction, kif, saddr, | ||||
sport, daddr, dport, PF_RULESET_BINAT, anchor_stack); | sport, daddr, dport, PF_RULESET_BINAT, anchor_stack); | ||||
Show All 31 Lines | pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, | ||||
} | } | ||||
/* XXX We only modify one side for now. */ | /* XXX We only modify one side for now. */ | ||||
naddr = &(*nkp)->addr[1]; | naddr = &(*nkp)->addr[1]; | ||||
nport = &(*nkp)->port[1]; | nport = &(*nkp)->port[1]; | ||||
switch (r->action) { | switch (r->action) { | ||||
case PF_NAT: | case PF_NAT: | ||||
if (pf_get_sport(pd->af, pd->proto, r, saddr, sport, daddr, | if (pd->proto == IPPROTO_ICMP) { | ||||
dport, naddr, nport, r->rpool.proxy_port[0], | low = 1; | ||||
r->rpool.proxy_port[1], sn)) { | high = 65535; | ||||
} else { | |||||
low = r->rpool.proxy_port[0]; | |||||
high = r->rpool.proxy_port[1]; | |||||
} | |||||
if (r->rpool.mape.offset > 0) { | |||||
if (pf_get_mape_sport(pd->af, pd->proto, r, saddr, | |||||
sport, daddr, dport, naddr, nport, sn)) { | |||||
DPFPRINTF(PF_DEBUG_MISC, | |||||
("pf: MAP-E port allocation (%u/%u/%u)" | |||||
" failed\n", | |||||
r->rpool.mape.offset, | |||||
r->rpool.mape.psidlen, | |||||
r->rpool.mape.psid)); | |||||
goto notrans; | |||||
} | |||||
} else if (pf_get_sport(pd->af, pd->proto, r, saddr, sport, | |||||
daddr, dport, naddr, nport, low, high, sn)) { | |||||
DPFPRINTF(PF_DEBUG_MISC, | DPFPRINTF(PF_DEBUG_MISC, | ||||
("pf: NAT proxy port allocation (%u-%u) failed\n", | ("pf: NAT proxy port allocation (%u-%u) failed\n", | ||||
r->rpool.proxy_port[0], r->rpool.proxy_port[1])); | r->rpool.proxy_port[0], r->rpool.proxy_port[1])); | ||||
goto notrans; | goto notrans; | ||||
} | } | ||||
break; | break; | ||||
case PF_BINAT: | case PF_BINAT: | ||||
switch (direction) { | switch (direction) { | ||||
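Review bot: The shift setup in pf_get_mape_sport relies on r->rpool.mape.offset + r->rpool.mape.psidlen <= 16 and offset < 16, but nothing in the function enforces it: otherwise psidshift goes negative and `1U << psidshift` is undefined, and with offset == 16 `ahigh` becomes 65535 so the `i <= ahigh` loop over a uint16_t never terminates. If the rule-load path does not already reject such values (not visible here), the function should fail closed before shifting, e.g. `if (r->rpool.mape.offset >= 16 || r->rpool.mape.psidlen > 16 - r->rpool.mape.offset) return (1);`, or assert the invariant with KASSERT as the rest of the file does. Separately, the failure message in the PF_NAT branch of pf_get_translation still prints r->rpool.proxy_port[0]/[1] although the range actually tried is now `low`/`high`, so for ICMP it reports the rule's configured range instead of 1-65535; pf_get_translation's body continues outside the hunk.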
i < ahigh should be i <= ahigh.
Line 320 subtracts 1, so ahigh should be inclusive.
I will fix the code.