Lines Matching refs:pd
1584 pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd,
1598 !pf_pull_hdr(m, off + sizeof(*th), opts, hlen, NULL, NULL, pd->af))
2522 pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
2551 else if (r->af && r->af != pd->af)
2553 else if (r->proto && r->proto != pd->proto)
2555 pd->af,
2564 PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL))
2566 else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af,
2575 else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto !=
2576 IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m,
2577 off, pd->hdr.tcp), r->os_fingerprint)))
2603 pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
2612 r = pf_match_translation(pd, m, off, direction, kif, saddr,
2615 r = pf_match_translation(pd, m, off, direction, kif,
2618 r = pf_match_translation(pd, m, off, direction, kif, saddr,
2621 r = pf_match_translation(pd, m, off, direction, kif,
2632 if (pf_get_sport(pd->af, pd->proto, r, saddr,
2647 switch (pd->af) {
2679 saddr, pd->af);
2683 switch (pd->af) {
2715 pd->af);
2720 if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn))
2726 pd->af);
/*
 * pf_socket_lookup(): fills pd->lookup with the owner of the local socket
 * for this packet. This is a cross-reference listing: only lines that
 * mention `pd` are shown and the rest of the body is elided.
 */
2754 pf_socket_lookup(int direction, struct pf_pdesc *pd)
/* NULL guard; its body (line 2765) is not among the listed lines. */
2764 if (pd == NULL)
/*
 * Preset the result fields to sentinel values before any lookup is done.
 * The so->... assignments at 2853-2860 further down this listing overwrite
 * them. NOTE(review): on any path that returns before those assignments,
 * the sentinels presumably remain in pd->lookup, and uid/gid rule
 * comparisons would then run against UID_MAX/GID_MAX. Confirm that this is
 * the intended "no socket found" behaviour.
 */
2766 pd->lookup.uid = UID_MAX;
2767 pd->lookup.gid = GID_MAX;
2768 pd->lookup.pid = NO_PID;
2769 switch (pd->proto) {
2771 if (pd->hdr.tcp == NULL)
2773 sport = pd->hdr.tcp->th_sport;
2774 dport = pd->hdr.tcp->th_dport;
2778 if (pd->hdr.udp == NULL)
2780 sport = pd->hdr.udp->uh_sport;
2781 dport = pd->hdr.udp->uh_dport;
2788 saddr = pd->src;
2789 daddr = pd->dst;
2796 saddr = pd->dst;
2797 daddr = pd->src;
2799 switch (pd->af) {
2839 switch (pd->af) {
2853 pd->lookup.uid = kauth_cred_geteuid(so->so_cred);
2854 pd->lookup.gid = kauth_cred_getegid(so->so_cred);
2857 pd->lookup.uid = so->so_euid;
2858 pd->lookup.gid = so->so_egid;
2860 pd->lookup.pid = so->so_cpid;
3072 struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm,
3076 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
3078 sa_family_t af = pd->af;
3082 struct tcphdr *th = pd->hdr.tcp;
3100 switch (pd->proto) {
3107 sport = pd->hdr.udp->uh_sport;
3108 dport = pd->hdr.udp->uh_dport;
3109 hdrlen = sizeof(*pd->hdr.udp);
3113 if (pd->af != AF_INET)
3115 sport = dport = pd->hdr.icmp->icmp_id;
3116 icmptype = pd->hdr.icmp->icmp_type;
3117 icmpcode = pd->hdr.icmp->icmp_code;
3130 if (pd->af != AF_INET6)
3132 sport = dport = pd->hdr.icmp6->icmp6_id;
3133 hdrlen = sizeof(*pd->hdr.icmp6);
3134 icmptype = pd->hdr.icmp6->icmp6_type;
3135 icmpcode = pd->hdr.icmp6->icmp6_code;
3151 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
3152 saddr, sport, daddr, dport, &pd->naddr, &nport)) != NULL) {
3153 PF_ACPY(&pd->baddr, saddr, af);
3154 switch (pd->proto) {
3156 pf_change_ap(saddr, &th->th_sport, pd->ip_sum,
3157 &th->th_sum, &pd->naddr, nport, 0, af);
3162 pf_change_ap(saddr, &pd->hdr.udp->uh_sport,
3163 pd->ip_sum, &pd->hdr.udp->uh_sum,
3164 &pd->naddr, nport, 1, af);
3165 sport = pd->hdr.udp->uh_sport;
3170 pf_change_a(&saddr->v4.s_addr, pd->ip_sum,
3171 pd->naddr.v4.s_addr, 0);
3172 pd->hdr.icmp->icmp_cksum = pf_cksum_fixup(
3173 pd->hdr.icmp->icmp_cksum, sport, nport, 0);
3174 pd->hdr.icmp->icmp_id = nport;
3175 m_copyback(m, off, ICMP_MINLEN, pd->hdr.icmp);
3180 pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum,
3181 &pd->naddr, 0);
3190 pd->ip_sum, pd->naddr.v4.s_addr, 0);
3195 PF_ACPY(saddr, &pd->naddr, af);
3204 pd->nat_rule = nr;
3209 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
3210 saddr, sport, daddr, dport, &pd->naddr, &nport)) != NULL) {
3211 PF_ACPY(&pd->baddr, daddr, af);
3212 switch (pd->proto) {
3214 pf_change_ap(daddr, &th->th_dport, pd->ip_sum,
3215 &th->th_sum, &pd->naddr, nport, 0, af);
3220 pf_change_ap(daddr, &pd->hdr.udp->uh_dport,
3221 pd->ip_sum, &pd->hdr.udp->uh_sum,
3222 &pd->naddr, nport, 1, af);
3223 dport = pd->hdr.udp->uh_dport;
3228 pf_change_a(&daddr->v4.s_addr, pd->ip_sum,
3229 pd->naddr.v4.s_addr, 0);
3234 pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum,
3235 &pd->naddr, 0);
3244 pd->ip_sum, pd->naddr.v4.s_addr, 0);
3249 PF_ACPY(daddr, &pd->naddr, af);
3258 pd->nat_rule = nr;
3270 else if (r->proto && r->proto != pd->proto)
3292 else if (r->tos && !(r->tos == pd->tos))
3296 else if (pd->proto == IPPROTO_TCP &&
/*
 * uid/gid rule matching with a lazy socket lookup.
 * `pd->lookup.done ||` short-circuits, so pf_socket_lookup() is only called
 * while done is still zero; its return value is stored in done. The
 * trailing `, 1` (comma operator) makes the parenthesised term true
 * whatever the lookup returned, so the comparison on the elided lines
 * (3302 / 3308) is still evaluated after a failed lookup.
 * NOTE(review): in that case pd->lookup.uid/gid hold whatever
 * pf_socket_lookup() left there (it presets UID_MAX/GID_MAX at 2766-2767).
 * Confirm that rules using uid/gid operators, negated or range operators in
 * particular, cannot match packets with no local socket by accident.
 * NOTE(review): if the lookup returns 0, done stays 0 and the gid branch
 * repeats the lookup. The return convention is not visible here.
 */
3300 else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
3301 pf_socket_lookup(direction, pd), 1)) &&
3303 pd->lookup.uid))
3306 else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
3307 pf_socket_lookup(direction, pd), 1)) &&
3309 pd->lookup.gid))
3316 (pd->proto != IPPROTO_TCP || !pf_osfp_match(
3317 pf_osfp_fingerprint(pd, m, off, th),
3349 m_copyback(m, off, hdrlen, pd->hdr.any);
3351 a, ruleset, pd);
3366 switch (pd->proto) {
3369 pd->ip_sum, &th->th_sum,
3370 &pd->baddr, bport, 0, af);
3376 &pd->hdr.udp->uh_sport, pd->ip_sum,
3377 &pd->hdr.udp->uh_sum, &pd->baddr,
3379 sport = pd->hdr.udp->uh_sport;
3392 pd->ip_sum,
3393 pd->baddr.v4.s_addr, 0);
3396 PF_ACPY(saddr, &pd->baddr, af);
3401 switch (pd->proto) {
3404 pd->ip_sum, &th->th_sum,
3405 &pd->baddr, bport, 0, af);
3411 &pd->hdr.udp->uh_dport, pd->ip_sum,
3412 &pd->hdr.udp->uh_sum, &pd->baddr,
3414 dport = pd->hdr.udp->uh_dport;
3427 pd->ip_sum,
3428 pd->baddr.v4.s_addr, 0);
3431 PF_ACPY(daddr, &pd->baddr, af);
3437 if (pd->proto == IPPROTO_TCP &&
3441 u_int32_t ack = ntohl(th->th_seq) + pd->p_len;
3457 pf_send_tcp(r, af, pd->dst,
3458 pd->src, th->th_dport, th->th_sport,
3460 r->return_ttl, 1, 0, pd->eh, kif->pfik_ifp);
3479 (pd->flags & PFDESC_TCP_NORM))) {
3502 pf_insert_src_node(&nsn, nr, &pd->baddr, af) != 0) ||
3538 switch (pd->proto) {
3540 len = pd->tot_len - off - (th->th_off << 2);
3600 PF_ACPY(&nsn->raddr, &pd->naddr, af);
3604 if (pd->proto == IPPROTO_TCP) {
3605 if ((pd->flags & PFDESC_TCP_NORM) &&
3606 pf_normalize_tcp_init(m, off, pd, th, &s->src,
3614 if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub &&
3615 pf_normalize_tcp_stateful(m, off, pd, &reason,
3634 sk->proto = pd->proto;
3640 switch (pd->proto) {
3653 PF_ACPY(&sk->lan.addr, &pd->baddr, af);
3662 switch (pd->proto) {
3675 PF_ACPY(&sk->gwy.addr, &pd->baddr, af);
3686 if (pd->proto == IPPROTO_TCP)
3699 if (pd->proto == IPPROTO_TCP &&
3706 pd->ip_sum, &th->th_sum, &pd->baddr,
3711 pd->ip_sum, &th->th_sum, &pd->baddr,
3732 m_copyback(m, off, hdrlen, pd->hdr.any);
3739 struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,
3744 sa_family_t af = pd->af;
3759 else if (r->proto && r->proto != pd->proto)
3761 else if (PF_MISMATCHAW(&r->src.addr, pd->src, af,
3764 else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af,
3767 else if (r->tos && !(r->tos == pd->tos))
3802 pd);
3817 struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
3821 struct tcphdr *th = pd->hdr.tcp;
3829 key.af = pd->af;
3832 PF_ACPY(&key.ext.addr, pd->src, key.af);
3833 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
3837 PF_ACPY(&key.lan.addr, pd->src, key.af);
3838 PF_ACPY(&key.ext.addr, pd->dst, key.af);
3863 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
3864 pd->src, th->th_dport, th->th_sport,
3902 pf_send_tcp((*state)->rule.ptr, pd->af, &psrc->addr,
3916 pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst,
3917 pd->src, th->th_dport, th->th_sport,
3921 pf_send_tcp((*state)->rule.ptr, pd->af, &psrc->addr,
3958 if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) &&
3960 if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) {
3979 end = seq + pd->p_len;
3984 pd->af);
4028 end = seq + pd->p_len;
4071 if (pf_modulate_sack(m, off, pd, th, dst))
4086 (orig_seq == src->seqlo + 1) || (pd->flags & PFDESC_IP_REAS) == 0)) {
4090 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
4181 "pkts=%llu:%llu\n", seq, orig_seq, ack, pd->p_len,
4188 if (pf_normalize_tcp_stateful(m, off, pd, reason, th,
4221 pf_send_tcp((*state)->rule.ptr, pd->af,
4222 pd->dst, pd->src, th->th_dport,
4226 pd->eh, kif->pfik_ifp);
4236 seq, orig_seq, ack, pd->p_len, ackskew,
4260 pf_change_ap(pd->src, &th->th_sport, pd->ip_sum,
4262 (*state)->state_key->gwy.port, 0, pd->af);
4264 pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum,
4266 (*state)->state_key->lan.port, 0, pd->af);
4278 struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
4282 struct udphdr *uh = pd->hdr.udp;
4284 key.af = pd->af;
4287 PF_ACPY(&key.ext.addr, pd->src, key.af);
4288 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4292 PF_ACPY(&key.lan.addr, pd->src, key.af);
4293 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4324 pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum,
4326 (*state)->state_key->gwy.port, 1, pd->af);
4328 pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum,
4330 pd->af);
4339 struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
4342 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
4351 switch (pd->proto) {
4354 icmptype = pd->hdr.icmp->icmp_type;
4355 icmpid = pd->hdr.icmp->icmp_id;
4356 icmpsum = &pd->hdr.icmp->icmp_cksum;
4368 icmptype = pd->hdr.icmp6->icmp6_type;
4369 icmpid = pd->hdr.icmp6->icmp6_id;
4370 icmpsum = &pd->hdr.icmp6->icmp6_cksum;
4387 key.af = pd->af;
4388 key.proto = pd->proto;
4390 PF_ACPY(&key.ext.addr, pd->src, key.af);
4391 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4395 PF_ACPY(&key.lan.addr, pd->src, key.af);
4396 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4409 switch (pd->af) {
4413 pd->ip_sum,
4415 pd->hdr.icmp->icmp_cksum =
4417 pd->hdr.icmp->icmp_cksum, icmpid,
4419 pd->hdr.icmp->icmp_id =
4422 pd->hdr.icmp);
4428 &pd->hdr.icmp6->icmp6_cksum,
4432 pd->hdr.icmp6);
4437 switch (pd->af) {
4441 pd->ip_sum,
4443 pd->hdr.icmp->icmp_cksum =
4445 pd->hdr.icmp->icmp_cksum, icmpid,
4447 pd->hdr.icmp->icmp_id =
4450 pd->hdr.icmp);
4456 &pd->hdr.icmp6->icmp6_cksum,
4460 pd->hdr.icmp6);
4488 pd2.af = pd->af;
4489 switch (pd->af) {
4638 icmptype, pd->hdr.icmp->icmp_code);
4639 pf_print_host(pd->src, 0, pd->af);
4641 pf_print_host(pd->dst, 0, pd->af);
4656 pd->ip_sum, 0, pd2.af);
4662 pd->ip_sum, 0, pd2.af);
4672 pd->hdr.icmp);
4681 pd->hdr.icmp6);
4728 pd->ip_sum, 1, pd2.af);
4735 pd->ip_sum, 1, pd2.af);
4741 pd->hdr.icmp);
4749 pd->hdr.icmp6);
4796 pd->ip_sum, 0, AF_INET);
4803 pd->ip_sum, 0, AF_INET);
4805 m_copyback(m, off, ICMP_MINLEN, pd->hdr.icmp);
4849 pd->ip_sum, 0, AF_INET6);
4855 pd->ip_sum, 0, AF_INET6);
4858 pd->hdr.icmp6);
4892 pd->ip_sum, 0, pd2.af);
4899 pd->ip_sum, 0, pd2.af);
4905 pd->hdr.icmp);
4913 pd->hdr.icmp6);
4930 struct pf_pdesc *pd)
4935 key.af = pd->af;
4936 key.proto = pd->proto;
4938 PF_ACPY(&key.ext.addr, pd->src, key.af);
4939 PF_ACPY(&key.gwy.addr, pd->dst, key.af);
4943 PF_ACPY(&key.lan.addr, pd->src, key.af);
4944 PF_ACPY(&key.ext.addr, pd->dst, key.af);
4975 switch (pd->af) {
4978 pf_change_a(&pd->src->v4.s_addr,
4979 pd->ip_sum,
4986 PF_ACPY(pd->src,
4987 &(*state)->state_key->gwy.addr, pd->af);
4992 switch (pd->af) {
4995 pf_change_a(&pd->dst->v4.s_addr,
4996 pd->ip_sum,
5003 PF_ACPY(pd->dst,
5004 &(*state)->state_key->lan.addr, pd->af);
5231 struct pf_state *s, struct pf_pdesc *pd)
5452 struct pf_state *s, struct pf_pdesc *pd)
5720 struct pf_pdesc pd;
5732 memset(&pd, 0, sizeof(pd));
5772 if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
/*
 * Fill the packet descriptor from the IPv4 header `h`.
 * src, dst and ip_sum are pointers into the header, not copies, so later
 * writes through pd->src / pd->dst / pd->ip_sum (the pf_change_a and
 * PF_ACPY calls elsewhere in this listing) edit the header in place.
 * baddr keeps a copy of the address on the side that may be translated:
 * source when dir == PF_OUT, destination otherwise.
 * proto, tos and tot_len are taken straight from packet fields; tot_len is
 * ip_len converted to host byte order.
 * NOTE(review): the checks that ip_len agrees with the actual mbuf length
 * and the IP header length are not among the listed lines. Confirm that
 * they run before this point (pf_normalize_ip() is called earlier, at 5772),
 * because tot_len later feeds length arithmetic and the byte counters.
 */
5787 pd.src = (struct pf_addr *)&h->ip_src;
5788 pd.dst = (struct pf_addr *)&h->ip_dst;
5789 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET);
5790 pd.ip_sum = &h->ip_sum;
5791 pd.proto = h->ip_p;
5792 pd.af = AF_INET;
5793 pd.tos = h->ip_tos;
5794 pd.tot_len = ntohs(h->ip_len);
5795 pd.eh = eh;
5800 &pd, &a, &ruleset);
/*
 * TCP case of the IPv4 path (intermediate lines are elided in this listing).
 * pd.hdr.tcp points at the struct object `th` (note the `.` accesses below),
 * not directly at the packet buffer. Header edits made through pd->hdr are
 * pushed back with m_copyback() at other points in this listing.
 */
5809 pd.hdr.tcp = &th;
/*
 * TCP payload length = total IP length - offset of the TCP header - TCP
 * header length (th_off counts 32-bit words, so << 2 gives bytes).
 * NOTE(review): th_off and tot_len both come from the packet. If
 * (th_off << 2) is larger than tot_len - off, the result goes negative or
 * wraps, depending on the type of p_len, which is not shown here. p_len is
 * later used in sequence-window arithmetic (`end = seq + pd->p_len` at
 * 3979/4028). Confirm that a data-offset bounds check runs before this
 * value is trusted; pf_normalize_tcp() is only called after it is computed.
 * The IPv6 path computes p_len the same way at 6240.
 */
5815 pd.p_len = pd.tot_len - off - (th.th_off << 2);
5817 if ((th.th_flags & TH_ACK) && pd.p_len == 0)
5820 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
5823 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
5834 m, off, h, &pd, &a, &ruleset, NULL);
5841 pd.hdr.udp = &uh;
5854 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
5864 m, off, h, &pd, &a, &ruleset, NULL);
5871 pd.hdr.icmp = &ih;
5877 action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
5888 m, off, h, &pd, &a, &ruleset, NULL);
5902 action = pf_test_state_other(&s, dir, kif, &pd);
5912 &pd, &a, &ruleset, NULL);
5938 if (pqid || (pd.tos & IPTOS_LOWDELAY))
5948 if (pqid || (pd.tos & IPTOS_LOWDELAY))
5963 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
5964 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
5967 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
5984 &pd);
5988 kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
5994 r->bytes[dirndx] += pd.tot_len;
5997 a->bytes[dirndx] += pd.tot_len;
6003 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
6007 s->src_node->bytes[dirndx] += pd.tot_len;
6011 s->nat_src_node->bytes[dirndx] += pd.tot_len;
6015 s->bytes[dirndx] += pd.tot_len;
6018 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
6029 &pd.baddr : &pd.naddr;
6032 &pd.naddr : &pd.baddr;
6033 if (x == &pd.baddr || s == NULL) {
6036 pd.src = x;
6038 pd.dst = x;
6044 pd.src : pd.dst, pd.af,
6045 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6049 sk->direction == dir) ? pd.dst : pd.src, pd.af,
6050 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6061 pf_route(m0, r, dir, kif->pfik_ifp, s, &pd);
6080 struct pf_pdesc pd;
6089 memset(&pd, 0, sizeof(pd));
6129 if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
/*
 * Fill the packet descriptor from the IPv6 header `h`.
 * As in the IPv4 path, src and dst point into the header and baddr keeps a
 * copy of the address on the side that may be translated.
 * ip_sum is NULL on this path. NOTE(review): the translation code passes
 * pd->ip_sum to pf_change_ap() together with `af` (e.g. at 3156-3157 and
 * 4260-4266). Confirm that those helpers never dereference it when af is
 * AF_INET6.
 * tot_len = payload length from the header + the fixed IPv6 header size.
 * NOTE(review): ip6_plen is a 16-bit field, so the sum can exceed 65535.
 * The width of tot_len is not visible here; confirm that the value is not
 * truncated and that a zero payload length (jumbo payload option) is
 * rejected or handled before tot_len is used for length arithmetic and
 * accounting.
 */
6148 pd.src = (struct pf_addr *)&h->ip6_src;
6149 pd.dst = (struct pf_addr *)&h->ip6_dst;
6150 PF_ACPY(&pd.baddr, dir == PF_OUT ? pd.src : pd.dst, AF_INET6);
6151 pd.ip_sum = NULL;
6152 pd.af = AF_INET6;
6153 pd.tos = 0;
6154 pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
6155 pd.eh = eh;
6158 pd.proto = h->ip6_nxt;
6160 switch (pd.proto) {
6163 &pd, &a, &ruleset);
6179 &reason, pd.af)) {
6204 NULL, &reason, pd.af)) {
6211 if (pd.proto == IPPROTO_AH)
6215 pd.proto = opt6.ip6e_nxt;
6229 switch (pd.proto) {
6234 pd.hdr.tcp = &th;
6240 pd.p_len = pd.tot_len - off - (th.th_off << 2);
6241 action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
6244 action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
6255 m, off, h, &pd, &a, &ruleset, NULL);
6262 pd.hdr.udp = &uh;
6275 action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
6285 m, off, h, &pd, &a, &ruleset, NULL);
6301 pd.hdr.icmp6 = &ih;
6308 m, off, h, &pd, &reason);
6318 m, off, h, &pd, &a, &ruleset, NULL);
6323 action = pf_test_state_other(&s, dir, kif, &pd);
6333 &pd, &a, &ruleset, NULL);
6365 if (pd.tos & IPTOS_LOWDELAY)
6375 if (pd.tos & IPTOS_LOWDELAY)
6385 if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
6386 pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
6389 IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
6406 &pd);
6410 kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
6416 r->bytes[dirndx] += pd.tot_len;
6419 a->bytes[dirndx] += pd.tot_len;
6425 s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
6429 s->src_node->bytes[dirndx] += pd.tot_len;
6433 s->nat_src_node->bytes[dirndx] += pd.tot_len;
6437 s->bytes[dirndx] += pd.tot_len;
6440 nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
6451 &pd.baddr : &pd.naddr;
6454 &pd.naddr : &pd.baddr;
6456 if (x == &pd.baddr || s == NULL) {
6458 pd.src = x;
6460 pd.dst = x;
6465 sk->direction == dir) ? pd.src : pd.dst, pd.af,
6466 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6470 sk->direction == dir) ? pd.dst : pd.src, pd.af,
6471 pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
6482 pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd);