sys/netpfil/pf/pf.c
Show First 20 Lines • Show All 4,446 Lines • ▼ Show 20 Lines | else if (src->state >= TCPS_CLOSING || | ||||
(*state)->timeout = PFTM_TCP_CLOSING; | (*state)->timeout = PFTM_TCP_CLOSING; | ||||
else | else | ||||
(*state)->timeout = PFTM_TCP_ESTABLISHED; | (*state)->timeout = PFTM_TCP_ESTABLISHED; | ||||
return (PF_PASS); | return (PF_PASS); | ||||
} | } | ||||
static int | static int | ||||
pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif, | pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason) | ||||
struct mbuf *m, int off, void *h, struct pf_pdesc *pd, | |||||
u_short *reason) | |||||
{ | { | ||||
struct pf_state_key_cmp key; | struct pf_state_key *sk = (*state)->key[pd->didx]; | ||||
struct tcphdr *th = &pd->hdr.tcp; | struct tcphdr *th = &pd->hdr.tcp; | ||||
int copyback = 0; | |||||
struct pf_state_peer *src, *dst; | |||||
struct pf_state_key *sk; | |||||
bzero(&key, sizeof(key)); | |||||
key.af = pd->af; | |||||
key.proto = IPPROTO_TCP; | |||||
if (direction == PF_IN) { /* wire side, straight */ | |||||
PF_ACPY(&key.addr[0], pd->src, key.af); | |||||
PF_ACPY(&key.addr[1], pd->dst, key.af); | |||||
key.port[0] = th->th_sport; | |||||
key.port[1] = th->th_dport; | |||||
} else { /* stack side, reverse */ | |||||
PF_ACPY(&key.addr[1], pd->src, key.af); | |||||
PF_ACPY(&key.addr[0], pd->dst, key.af); | |||||
key.port[1] = th->th_sport; | |||||
key.port[0] = th->th_dport; | |||||
} | |||||
STATE_LOOKUP(kif, &key, direction, *state, pd); | |||||
if (direction == (*state)->direction) { | |||||
src = &(*state)->src; | |||||
dst = &(*state)->dst; | |||||
} else { | |||||
src = &(*state)->dst; | |||||
dst = &(*state)->src; | |||||
} | |||||
sk = (*state)->key[pd->didx]; | |||||
if ((*state)->src.state == PF_TCPS_PROXY_SRC) { | if ((*state)->src.state == PF_TCPS_PROXY_SRC) { | ||||
if (direction != (*state)->direction) { | if (pd->dir != (*state)->direction) { | ||||
REASON_SET(reason, PFRES_SYNPROXY); | REASON_SET(reason, PFRES_SYNPROXY); | ||||
return (PF_SYNPROXY_DROP); | return (PF_SYNPROXY_DROP); | ||||
} | } | ||||
if (th->th_flags & TH_SYN) { | if (th->th_flags & TH_SYN) { | ||||
if (ntohl(th->th_seq) != (*state)->src.seqlo) { | if (ntohl(th->th_seq) != (*state)->src.seqlo) { | ||||
REASON_SET(reason, PFRES_SYNPROXY); | REASON_SET(reason, PFRES_SYNPROXY); | ||||
return (PF_DROP); | return (PF_DROP); | ||||
} | } | ||||
Show All 11 Lines | if ((*state)->src.state == PF_TCPS_PROXY_SRC) { | ||||
} else if ((*state)->src_node != NULL && | } else if ((*state)->src_node != NULL && | ||||
pf_src_connlimit(state)) { | pf_src_connlimit(state)) { | ||||
REASON_SET(reason, PFRES_SRCLIMIT); | REASON_SET(reason, PFRES_SRCLIMIT); | ||||
return (PF_DROP); | return (PF_DROP); | ||||
} else | } else | ||||
(*state)->src.state = PF_TCPS_PROXY_DST; | (*state)->src.state = PF_TCPS_PROXY_DST; | ||||
} | } | ||||
if ((*state)->src.state == PF_TCPS_PROXY_DST) { | if ((*state)->src.state == PF_TCPS_PROXY_DST) { | ||||
if (direction == (*state)->direction) { | if (pd->dir == (*state)->direction) { | ||||
if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) || | if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) || | ||||
(ntohl(th->th_ack) != (*state)->src.seqhi + 1) || | (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || | ||||
(ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { | (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { | ||||
REASON_SET(reason, PFRES_SYNPROXY); | REASON_SET(reason, PFRES_SYNPROXY); | ||||
return (PF_DROP); | return (PF_DROP); | ||||
} | } | ||||
(*state)->src.max_win = MAX(ntohs(th->th_win), 1); | (*state)->src.max_win = MAX(ntohs(th->th_win), 1); | ||||
if ((*state)->dst.seqhi == 1) | if ((*state)->dst.seqhi == 1) | ||||
Show All 33 Lines | if (pd->dir == (*state)->direction) { | ||||
(*state)->src.max_win; | (*state)->src.max_win; | ||||
(*state)->src.wscale = (*state)->dst.wscale = 0; | (*state)->src.wscale = (*state)->dst.wscale = 0; | ||||
(*state)->src.state = (*state)->dst.state = | (*state)->src.state = (*state)->dst.state = | ||||
TCPS_ESTABLISHED; | TCPS_ESTABLISHED; | ||||
REASON_SET(reason, PFRES_SYNPROXY); | REASON_SET(reason, PFRES_SYNPROXY); | ||||
return (PF_SYNPROXY_DROP); | return (PF_SYNPROXY_DROP); | ||||
} | } | ||||
} | } | ||||
return (PF_PASS); | |||||
} | |||||
static int | |||||
pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif, | |||||
struct mbuf *m, int off, void *h, struct pf_pdesc *pd, | |||||
u_short *reason) | |||||
{ | |||||
struct pf_state_key_cmp key; | |||||
struct tcphdr *th = &pd->hdr.tcp; | |||||
int copyback = 0; | |||||
int action; | |||||
struct pf_state_peer *src, *dst; | |||||
struct pf_state_key *sk; | |||||
bzero(&key, sizeof(key)); | |||||
key.af = pd->af; | |||||
key.proto = IPPROTO_TCP; | |||||
if (direction == PF_IN) { /* wire side, straight */ | |||||
PF_ACPY(&key.addr[0], pd->src, key.af); | |||||
PF_ACPY(&key.addr[1], pd->dst, key.af); | |||||
key.port[0] = th->th_sport; | |||||
key.port[1] = th->th_dport; | |||||
} else { /* stack side, reverse */ | |||||
PF_ACPY(&key.addr[1], pd->src, key.af); | |||||
PF_ACPY(&key.addr[0], pd->dst, key.af); | |||||
key.port[1] = th->th_sport; | |||||
key.port[0] = th->th_dport; | |||||
} | |||||
STATE_LOOKUP(kif, &key, direction, *state, pd); | |||||
if (direction == (*state)->direction) { | |||||
src = &(*state)->src; | |||||
dst = &(*state)->dst; | |||||
} else { | |||||
src = &(*state)->dst; | |||||
dst = &(*state)->src; | |||||
} | |||||
sk = (*state)->key[pd->didx]; | |||||
if ((action = pf_synproxy(pd, state, reason)) != PF_PASS) | |||||
return (action); | |||||
if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) && | if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) && | ||||
dst->state >= TCPS_FIN_WAIT_2 && | dst->state >= TCPS_FIN_WAIT_2 && | ||||
src->state >= TCPS_FIN_WAIT_2) { | src->state >= TCPS_FIN_WAIT_2) { | ||||
if (V_pf_status.debug >= PF_DEBUG_MISC) { | if (V_pf_status.debug >= PF_DEBUG_MISC) { | ||||
printf("pf: state reuse "); | printf("pf: state reuse "); | ||||
pf_print_state(*state); | pf_print_state(*state); | ||||
pf_print_flags(th->th_flags); | pf_print_flags(th->th_flags); | ||||
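Review bot: The extracted pf_synproxy takes its direction from `pd->dir` (the old inline code compared the `direction` argument), while pf_test_state_tcp still selects src/dst from `direction` a few lines before calling it; this is only behaviour-preserving if every caller fills `pd->dir` from the same value the `direction` parameter carries, which these lines do not show. A one-line guard before the call would make that assumption checkable rather than silent: `KASSERT(pd->dir == direction, ("%s: pd->dir %d != direction %d", __func__, pd->dir, direction));`. The helper also needs a header comment, because PF_PASS from it means "continue normal state tracking", not "pass the packet": `/* Returns PF_PASS if the caller should carry on with normal TCP state tracking; any other value is the final verdict for this packet and *reason has already been set. */`. The body of pf_synproxy has two collapsed regions, so whether its local `sk` is still used cannot be confirmed from what is visible, and pf_test_state_tcp's body continues past the end of the hunk.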