The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f2064dd1f170fc538ea078caba57cd6cd563eea3

commit f2064dd1f170fc538ea078caba57cd6cd563eea3
Author:     Kajetan Staszkiewicz <[email protected]>
AuthorDate: 2023-07-12 16:04:56 +0000
Commit:     Kristof Provost <[email protected]>
CommitDate: 2023-07-12 16:05:47 +0000

    pf: Fix duplicate storage of direction
    
    The variable storing the direction of a processed packet is passed
    around to many functions. Most of those functions already have a pointer
    to struct pf_pdesc which also contains the direction. By using the one
    in struct pf_pdesc we can reduce the number of arguments passed around.
    
    Reviewed by:    kp
    Sponsored by:   InnGames GmbH
    Differential Revision:  https://reviews.freebsd.org/D41008
---
 sys/net/if_pflog.h        |   4 +-
 sys/net/pfvar.h           |  14 +--
 sys/netpfil/pf/if_pflog.c |   8 +-
 sys/netpfil/pf/pf.c       | 287 ++++++++++++++++++++++------------------------
 sys/netpfil/pf/pf_lb.c    |  22 ++--
 sys/netpfil/pf/pf_norm.c  |  38 +++---
 6 files changed, 181 insertions(+), 192 deletions(-)

diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
index 443c1cc36cf6..508e9c77286d 100644
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
@@ -71,9 +71,9 @@ struct pf_ruleset;
 struct pfi_kif;
 struct pf_pdesc;
 
-#define        PFLOG_PACKET(i,a,b,c,d,e,f,g,h,di) do {         \
+#define        PFLOG_PACKET(i,a,b,c,d,e,f,g,di) do {           \
        if (pflog_packet_ptr != NULL)                   \
-               pflog_packet_ptr(i,a,b,c,d,e,f,g,h,di); \
+               pflog_packet_ptr(i,a,b,c,d,e,f,g,di);   \
 } while (0)
 #endif /* _KERNEL */
 #endif /* _NET_IF_PFLOG_H_ */
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 57b2383b1549..ed371f61a999 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1214,8 +1214,8 @@ void                      pf_state_export(struct 
pf_state_export *,
 struct pf_kruleset;
 struct pf_pdesc;
 typedef int pflog_packet_t(struct pfi_kkif *, struct mbuf *, sa_family_t,
-    u_int8_t, u_int8_t, struct pf_krule *, struct pf_krule *,
-    struct pf_kruleset *, struct pf_pdesc *, int);
+    u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *,
+    struct pf_pdesc *, int);
 extern pflog_packet_t          *pflog_packet_ptr;
 
 #endif /* _KERNEL */
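Review bot: `pflog_packet_t` loses its `u_int8_t` direction parameter here, yet the function is still reached through the `pflog_packet_ptr` pointer, so a mismatch between caller and callee is not caught at link time. If the code that installs the pointer can be built or loaded separately from pf (not visible in this diff), a stale build would be called with every argument after `sa_family_t` shifted by one. It would help to say in the commit message that pf and pflog must be rebuilt together, and to bump `__FreeBSD_version` if out-of-tree consumers of the hook exist.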
@@ -2236,14 +2236,14 @@ int     pf_test_eth(int, int, struct ifnet *, struct 
mbuf **, struct inpcb *);
 #ifdef INET
 int    pf_test(int, int, struct ifnet *, struct mbuf **, struct inpcb *,
            struct pf_rule_actions *);
-int    pf_normalize_ip(struct mbuf **, int, struct pfi_kkif *, u_short *,
+int    pf_normalize_ip(struct mbuf **, struct pfi_kkif *, u_short *,
            struct pf_pdesc *);
 #endif /* INET */
 
 #ifdef INET6
 int    pf_test6(int, int, struct ifnet *, struct mbuf **, struct inpcb *,
            struct pf_rule_actions *);
-int    pf_normalize_ip6(struct mbuf **, int, struct pfi_kkif *, u_short *,
+int    pf_normalize_ip6(struct mbuf **, struct pfi_kkif *, u_short *,
            struct pf_pdesc *);
 void   pf_poolmask(struct pf_addr *, struct pf_addr*,
            struct pf_addr *, struct pf_addr *, sa_family_t);
@@ -2271,7 +2271,7 @@ int       pf_match_port(u_int8_t, u_int16_t, u_int16_t, 
u_int16_t);
 
 void   pf_normalize_init(void);
 void   pf_normalize_cleanup(void);
-int    pf_normalize_tcp(int, struct pfi_kkif *, struct mbuf *, int, int, void 
*,
+int    pf_normalize_tcp(struct pfi_kkif *, struct mbuf *, int, int, void *,
            struct pf_pdesc *);
 void   pf_normalize_tcp_cleanup(struct pf_kstate *);
 int    pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *,
@@ -2285,7 +2285,7 @@ void      pf_purge_expired_fragments(void);
 void   pf_purge_fragments(uint32_t);
 int    pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *,
            int);
-int    pf_socket_lookup(int, struct pf_pdesc *, struct mbuf *);
+int    pf_socket_lookup(struct pf_pdesc *, struct mbuf *);
 struct pf_state_key *pf_alloc_state_key(int);
 void   pfr_initialize(void);
 void   pfr_cleanup(void);
@@ -2472,7 +2472,7 @@ u_short                    pf_map_addr(u_int8_t, struct 
pf_krule *,
                            struct pf_addr *, struct pf_addr *,
                            struct pf_addr *, struct pf_ksrc_node **);
 struct pf_krule                *pf_get_translation(struct pf_pdesc *, struct 
mbuf *,
-                           int, int, struct pfi_kkif *, struct pf_ksrc_node **,
+                           int, struct pfi_kkif *, struct pf_ksrc_node **,
                            struct pf_state_key **, struct pf_state_key **,
                            struct pf_addr *, struct pf_addr *,
                            uint16_t, uint16_t, struct pf_kanchor_stackframe *);
diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c
index 2f687e901a71..68f18b13bafe 100644
--- a/sys/netpfil/pf/if_pflog.c
+++ b/sys/netpfil/pf/if_pflog.c
@@ -217,7 +217,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 }
 
 static int
-pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t 
dir,
+pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af,
     u_int8_t reason, struct pf_krule *rm, struct pf_krule *am,
     struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
 {
@@ -254,7 +254,7 @@ pflog_packet(struct pfi_kkif *kif, struct mbuf *m, 
sa_family_t af, u_int8_t dir,
         * These conditions are very very rare, however.
         */
        if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe)
-               pd->lookup.done = pf_socket_lookup(dir, pd, m);
+               pd->lookup.done = pf_socket_lookup(pd, m);
        if (pd->lookup.done > 0)
                hdr.uid = pd->lookup.uid;
        else
@@ -262,10 +262,10 @@ pflog_packet(struct pfi_kkif *kif, struct mbuf *m, 
sa_family_t af, u_int8_t dir,
        hdr.pid = NO_PID;
        hdr.rule_uid = rm->cuid;
        hdr.rule_pid = rm->cpid;
-       hdr.dir = dir;
+       hdr.dir = pd->dir;
 
 #ifdef INET
-       if (af == AF_INET && dir == PF_OUT) {
+       if (af == AF_INET && pd->dir == PF_OUT) {
                struct ip *ip;
 
                ip = mtod(m, struct ip *);
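Review bot: `hdr.dir = pd->dir;` makes the direction written into the pflog header depend on the descriptor being filled in before any logging call, whereas the old code took it from an explicit argument. The callers that populate `pd->dir` are outside this hunk, so this cannot be confirmed from here; a descriptor logged early (for example on a normalisation drop) would record whatever the field holds. The same value also guards the `af == AF_INET && pd->dir == PF_OUT` branch just below. I would add a comment above the function such as `/* pd->dir must be set by the caller; it is the source of hdr.dir */`. The body of pflog_packet continues past the end of the hunk.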
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index df015fd3347b..7c41be4b25fe 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -277,15 +277,15 @@ static int                 pf_state_key_ctor(void *, int, 
void *, int);
 static u_int32_t        pf_tcp_iss(struct pf_pdesc *);
 void                    pf_rule_to_actions(struct pf_krule *,
                            struct pf_rule_actions *);
-static int              pf_dummynet(struct pf_pdesc *, int, struct pf_kstate *,
+static int              pf_dummynet(struct pf_pdesc *, struct pf_kstate *,
                            struct pf_krule *, struct mbuf **);
-static int              pf_dummynet_route(struct pf_pdesc *, int,
+static int              pf_dummynet_route(struct pf_pdesc *,
                            struct pf_kstate *, struct pf_krule *,
                            struct ifnet *, struct sockaddr *, struct mbuf **);
 static int              pf_test_eth_rule(int, struct pfi_kkif *,
                            struct mbuf **);
 static int              pf_test_rule(struct pf_krule **, struct pf_kstate **,
-                           int, struct pfi_kkif *, struct mbuf *, int,
+                           struct pfi_kkif *, struct mbuf *, int,
                            struct pf_pdesc *, struct pf_krule **,
                            struct pf_kruleset **, struct inpcb *);
 static int              pf_create_state(struct pf_krule *, struct pf_krule *,
@@ -295,25 +295,24 @@ static int                 pf_create_state(struct 
pf_krule *, struct pf_krule *,
                            u_int16_t, u_int16_t, int *, struct pfi_kkif *,
                            struct pf_kstate **, int, u_int16_t, u_int16_t,
                            int, struct pf_krule_slist *);
-static int              pf_test_fragment(struct pf_krule **, int,
-                           struct pfi_kkif *, struct mbuf *, void *,
-                           struct pf_pdesc *, struct pf_krule **,
-                           struct pf_kruleset **);
+static int              pf_test_fragment(struct pf_krule **, struct pfi_kkif *,
+                           struct mbuf *, void *, struct pf_pdesc *,
+                           struct pf_krule **, struct pf_kruleset **);
 static int              pf_tcp_track_full(struct pf_kstate **,
                            struct pfi_kkif *, struct mbuf *, int,
                            struct pf_pdesc *, u_short *, int *);
 static int              pf_tcp_track_sloppy(struct pf_kstate **,
                            struct pf_pdesc *, u_short *);
-static int              pf_test_state_tcp(struct pf_kstate **, int,
+static int              pf_test_state_tcp(struct pf_kstate **,
                            struct pfi_kkif *, struct mbuf *, int,
                            void *, struct pf_pdesc *, u_short *);
-static int              pf_test_state_udp(struct pf_kstate **, int,
+static int              pf_test_state_udp(struct pf_kstate **,
                            struct pfi_kkif *, struct mbuf *, int,
                            void *, struct pf_pdesc *);
-static int              pf_test_state_icmp(struct pf_kstate **, int,
+static int              pf_test_state_icmp(struct pf_kstate **,
                            struct pfi_kkif *, struct mbuf *, int,
                            void *, struct pf_pdesc *, u_short *);
-static int              pf_test_state_other(struct pf_kstate **, int,
+static int              pf_test_state_other(struct pf_kstate **,
                            struct pfi_kkif *, struct mbuf *, struct pf_pdesc 
*);
 static u_int16_t        pf_calc_mss(struct pf_addr *, sa_family_t,
                                int, u_int16_t);
@@ -336,14 +335,14 @@ static void                pf_mtag_free(struct m_tag *);
 static void             pf_packet_rework_nat(struct mbuf *, struct pf_pdesc *,
                            int, struct pf_state_key *);
 #ifdef INET
-static void             pf_route(struct mbuf **, struct pf_krule *, int,
+static void             pf_route(struct mbuf **, struct pf_krule *,
                            struct ifnet *, struct pf_kstate *,
                            struct pf_pdesc *, struct inpcb *);
 #endif /* INET */
 #ifdef INET6
 static void             pf_change_a6(struct pf_addr *, u_int16_t *,
                            struct pf_addr *, u_int8_t);
-static void             pf_route6(struct mbuf **, struct pf_krule *, int,
+static void             pf_route6(struct mbuf **, struct pf_krule *,
                            struct ifnet *, struct pf_kstate *,
                            struct pf_pdesc *, struct inpcb *);
 #endif /* INET6 */
@@ -356,10 +355,10 @@ extern struct proc *pf_purge_proc;
 
 VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
 
-#define        PACKET_UNDO_NAT(_m, _pd, _off, _s, _dir)                \
+#define        PACKET_UNDO_NAT(_m, _pd, _off, _s)              \
        do {                                                            \
                struct pf_state_key *nk;                                \
-               if ((_dir) == PF_OUT)                                   \
+               if ((pd->dir) == PF_OUT)                                        
\
                        nk = (_s)->key[PF_SK_STACK];                    \
                else                                                    \
                        nk = (_s)->key[PF_SK_WIRE];                     \
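Review bot: The new test in `PACKET_UNDO_NAT` reads `pd->dir`, but the macro's parameter is named `_pd`, so the expansion picks up whatever variable called `pd` happens to be in scope at the call site and ignores the argument. It works today only because the visible caller in pf_route passes a variable that is literally named `pd`. A caller passing a different descriptor would silently get the direction of an unrelated one, which in turn selects the wrong state key for the NAT undo. The line should be `if ((_pd)->dir == PF_OUT)				\`. The rest of the macro body lies outside the hunk.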
@@ -369,10 +368,10 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
 #define        PACKET_LOOPED(pd)       ((pd)->pf_mtag &&                       
\
                                 (pd)->pf_mtag->flags & 
PF_MTAG_FLAG_PACKET_LOOPED)
 
-#define        STATE_LOOKUP(i, k, d, s, pd)                                    
\
+#define        STATE_LOOKUP(i, k, s, pd)                                       
\
        do {                                                            \
-               (s) = pf_find_state((i), (k), (d));                     \
-               SDT_PROBE5(pf, ip, state, lookup, i, k, d, pd, (s));    \
+               (s) = pf_find_state((i), (k), (pd->dir));                       
\
+               SDT_PROBE5(pf, ip, state, lookup, i, k, (pd->dir), pd, (s));    
\
                if ((s) == NULL)                                        \
                        return (PF_DROP);                               \
                if (PACKET_LOOPED(pd))                                  \
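Review bot: In `STATE_LOOKUP` the macro argument is used as `(pd->dir)`, with the parentheses around the whole member access instead of around the parameter. Every call in this diff passes a plain `pd`, so the expansion is correct today, but any other pointer expression as the last argument would not expand as intended. Writing `(s) = pf_find_state((i), (k), (pd)->dir);` and `SDT_PROBE5(pf, ip, state, lookup, i, k, (pd)->dir, pd, (s));` keeps it consistent with `PACKET_LOOPED(pd)`, which already uses `(pd)->pf_mtag`.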
@@ -3623,7 +3622,7 @@ pf_rule_to_actions(struct pf_krule *r, struct 
pf_rule_actions *a)
 }
 
 int
-pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)
+pf_socket_lookup(struct pf_pdesc *pd, struct mbuf *m)
 {
        struct pf_addr          *saddr, *daddr;
        u_int16_t                sport, dport;
@@ -3647,7 +3646,7 @@ pf_socket_lookup(int direction, struct pf_pdesc *pd, 
struct mbuf *m)
        default:
                return (-1);
        }
-       if (direction == PF_IN) {
+       if (pd->dir == PF_IN) {
                saddr = pd->src;
                daddr = pd->dst;
        } else {
@@ -4175,9 +4174,9 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct 
mbuf **m0)
 }
 
 static int
-pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
-    struct pfi_kkif *kif, struct mbuf *m, int off, struct pf_pdesc *pd,
-    struct pf_krule **am, struct pf_kruleset **rsm, struct inpcb *inp)
+pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
+    struct mbuf *m, int off, struct pf_pdesc *pd, struct pf_krule **am,
+    struct pf_kruleset **rsm, struct inpcb *inp)
 {
        struct pf_krule         *nr = NULL;
        struct pf_addr          * const saddr = pd->src;
@@ -4262,13 +4261,13 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate 
**sm, int direction,
        r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
 
        /* check packet for BINAT/NAT/RDR */
-       if ((nr = pf_get_translation(pd, m, off, direction, kif, &nsn, &sk,
+       if ((nr = pf_get_translation(pd, m, off, kif, &nsn, &sk,
            &nk, saddr, daddr, sport, dport, anchor_stack)) != NULL) {
                KASSERT(sk != NULL, ("%s: null sk", __func__));
                KASSERT(nk != NULL, ("%s: null nk", __func__));
 
                if (nr->log) {
-                       PFLOG_PACKET(kif, m, af, direction, PFRES_MATCH, nr, a,
+                       PFLOG_PACKET(kif, m, af, PFRES_MATCH, nr, a,
                            ruleset, pd, 1);
                }
 
@@ -4399,7 +4398,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, 
int direction,
                pf_counter_u64_add(&r->evaluations, 1);
                if (pfi_kkif_match(r->kif, kif) == r->ifnot)
                        r = r->skip[PF_SKIP_IFP].ptr;
-               else if (r->direction && r->direction != direction)
+               else if (r->direction && r->direction != pd->dir)
                        r = r->skip[PF_SKIP_DIR].ptr;
                else if (r->af && r->af != af)
                        r = r->skip[PF_SKIP_AF].ptr;
@@ -4434,13 +4433,13 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate 
**sm, int direction,
                        r = TAILQ_NEXT(r, entries);
                /* tcp/udp only. uid.op always 0 in other cases */
                else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
-                   pf_socket_lookup(direction, pd, m), 1)) &&
+                   pf_socket_lookup(pd, m), 1)) &&
                    !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
                    pd->lookup.uid))
                        r = TAILQ_NEXT(r, entries);
                /* tcp/udp only. gid.op always 0 in other cases */
                else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
-                   pf_socket_lookup(direction, pd, m), 1)) &&
+                   pf_socket_lookup(pd, m), 1)) &&
                    !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
                    pd->lookup.gid))
                        r = TAILQ_NEXT(r, entries);
@@ -4471,13 +4470,13 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate 
**sm, int direction,
                                        ri->r = r;
                                        SLIST_INSERT_HEAD(&match_rules, ri, 
entry);
                                        pf_counter_u64_critical_enter();
-                                       
pf_counter_u64_add_protected(&r->packets[direction == PF_OUT], 1);
-                                       
pf_counter_u64_add_protected(&r->bytes[direction == PF_OUT], pd->tot_len);
+                                       
pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);
+                                       
pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
                                        pf_counter_u64_critical_exit();
                                        pf_rule_to_actions(r, &pd->act);
                                        if (r->log)
                                                PFLOG_PACKET(kif, m, af,
-                                                   direction, PFRES_MATCH, r,
+                                                   PFRES_MATCH, r,
                                                    a, ruleset, pd, 1);
                                } else {
                                        match = 1;
@@ -4509,8 +4508,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, 
int direction,
        if (r->log) {
                if (rewrite)
                        m_copyback(m, off, hdrlen, pd->hdr.any);
-               PFLOG_PACKET(kif, m, af, direction, reason, r, a,
-                   ruleset, pd, 1);
+               PFLOG_PACKET(kif, m, af, reason, r, a, ruleset, pd, 1);
        }
 
        if ((r->action == PF_DROP) &&
@@ -4555,7 +4553,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, 
int direction,
                m_copyback(m, off, hdrlen, pd->hdr.any);
 
        if (*sm != NULL && !((*sm)->state_flags & PFSTATE_NOSYNC) &&
-           direction == PF_OUT &&
+           pd->dir == PF_OUT &&
            V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, m))
                /*
                 * We want the state created, but we dont
@@ -4846,7 +4844,7 @@ csfailed:
 }
 
 static int
-pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
+pf_test_fragment(struct pf_krule **rm, struct pfi_kkif *kif,
     struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_krule **am,
     struct pf_kruleset **rsm)
 {
@@ -4869,7 +4867,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, 
struct pfi_kkif *kif,
                pf_counter_u64_add(&r->evaluations, 1);
                if (pfi_kkif_match(r->kif, kif) == r->ifnot)
                        r = r->skip[PF_SKIP_IFP].ptr;
-               else if (r->direction && r->direction != direction)
+               else if (r->direction && r->direction != pd->dir)
                        r = r->skip[PF_SKIP_DIR].ptr;
                else if (r->af && r->af != af)
                        r = r->skip[PF_SKIP_AF].ptr;
@@ -4915,13 +4913,13 @@ pf_test_fragment(struct pf_krule **rm, int direction, 
struct pfi_kkif *kif,
                                        ri->r = r;
                                        SLIST_INSERT_HEAD(&match_rules, ri, 
entry);
                                        pf_counter_u64_critical_enter();
-                                       
pf_counter_u64_add_protected(&r->packets[direction == PF_OUT], 1);
-                                       
pf_counter_u64_add_protected(&r->bytes[direction == PF_OUT], pd->tot_len);
+                                       
pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);
+                                       
pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
                                        pf_counter_u64_critical_exit();
                                        pf_rule_to_actions(r, &pd->act);
                                        if (r->log)
                                                PFLOG_PACKET(kif, m, af,
-                                                   direction, PFRES_MATCH, r,
+                                                   PFRES_MATCH, r,
                                                    a, ruleset, pd, 1);
                                } else {
                                        match = 1;
@@ -4951,8 +4949,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, 
struct pfi_kkif *kif,
        pf_rule_to_actions(r, &pd->act);
 
        if (r->log)
-               PFLOG_PACKET(kif, m, af, direction, reason, r, a,
-                   ruleset, pd, 1);
+               PFLOG_PACKET(kif, m, af, reason, r, a, ruleset, pd, 1);
 
        if (r->action != PF_PASS)
                return (PF_DROP);
@@ -5494,7 +5491,7 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_kstate 
**state, u_short *reason)
 }
 
 static int
-pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif 
*kif,
+pf_test_state_tcp(struct pf_kstate **state, struct pfi_kkif *kif,
     struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
     u_short *reason)
 {
@@ -5507,7 +5504,7 @@ pf_test_state_tcp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif,
        bzero(&key, sizeof(key));
        key.af = pd->af;
        key.proto = IPPROTO_TCP;
-       if (direction == PF_IN) {       /* wire side, straight */
+       if (pd->dir == PF_IN)   {       /* wire side, straight */
                PF_ACPY(&key.addr[0], pd->src, key.af);
                PF_ACPY(&key.addr[1], pd->dst, key.af);
                key.port[0] = th->th_sport;
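Review bot: The rewritten condition `if (pd->dir == PF_IN)   {` leaves a run of whitespace between the closing parenthesis and the brace, apparently left over from re-aligning the trailing comment. It should read `if (pd->dir == PF_IN) {	/* wire side, straight */`, with a single space before the brace. The same spacing appears in the matching hunks of pf_test_state_udp, pf_test_state_icmp and pf_test_state_other.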
@@ -5519,9 +5516,9 @@ pf_test_state_tcp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif,
                key.port[0] = th->th_dport;
        }
 
-       STATE_LOOKUP(kif, &key, direction, *state, pd);
+       STATE_LOOKUP(kif, &key, *state, pd);
 
-       if (direction == (*state)->direction) {
+       if (pd->dir == (*state)->direction) {
                src = &(*state)->src;
                dst = &(*state)->dst;
        } else {
@@ -5585,7 +5582,7 @@ pf_test_state_tcp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif,
 }
 
 static int
-pf_test_state_udp(struct pf_kstate **state, int direction, struct pfi_kkif 
*kif,
+pf_test_state_udp(struct pf_kstate **state, struct pfi_kkif *kif,
     struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
 {
        struct pf_state_peer    *src, *dst;
@@ -5596,7 +5593,7 @@ pf_test_state_udp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif,
        bzero(&key, sizeof(key));
        key.af = pd->af;
        key.proto = IPPROTO_UDP;
-       if (direction == PF_IN) {       /* wire side, straight */
+       if (pd->dir == PF_IN)   {       /* wire side, straight */
                PF_ACPY(&key.addr[0], pd->src, key.af);
                PF_ACPY(&key.addr[1], pd->dst, key.af);
                key.port[0] = uh->uh_sport;
@@ -5608,9 +5605,9 @@ pf_test_state_udp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif,
                key.port[0] = uh->uh_dport;
        }
 
-       STATE_LOOKUP(kif, &key, direction, *state, pd);
+       STATE_LOOKUP(kif, &key, *state, pd);
 
-       if (direction == (*state)->direction) {
+       if (pd->dir == (*state)->direction) {
                src = &(*state)->src;
                dst = &(*state)->dst;
                psrc = PF_PEER_SRC;
@@ -5657,7 +5654,7 @@ pf_test_state_udp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif,
 }
 
 static int
-pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif 
*kif,
+pf_test_state_icmp(struct pf_kstate **state, struct pfi_kkif *kif,
     struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
 {
        struct pf_addr  *saddr = pd->src, *daddr = pd->dst;
@@ -5707,7 +5704,7 @@ pf_test_state_icmp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif
                key.af = pd->af;
                key.proto = pd->proto;
                key.port[0] = key.port[1] = icmpid;
-               if (direction == PF_IN) {       /* wire side, straight */
+               if (pd->dir == PF_IN)   {       /* wire side, straight */
                        PF_ACPY(&key.addr[0], pd->src, key.af);
                        PF_ACPY(&key.addr[1], pd->dst, key.af);
                } else {                        /* stack side, reverse */
@@ -5715,7 +5712,7 @@ pf_test_state_icmp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif
                        PF_ACPY(&key.addr[0], pd->dst, key.af);
                }
 
-               STATE_LOOKUP(kif, &key, direction, *state, pd);
+               STATE_LOOKUP(kif, &key, *state, pd);
 
                (*state)->expire = time_uptime;
                (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
@@ -5795,8 +5792,8 @@ pf_test_state_icmp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif
 
                pd2.af = pd->af;
                /* Payload packet is from the opposite direction. */
-               pd2.sidx = (direction == PF_IN) ? 1 : 0;
-               pd2.didx = (direction == PF_IN) ? 0 : 1;
+               pd2.sidx = (pd->dir == PF_IN) ? 1 : 0;
+               pd2.didx = (pd->dir == PF_IN) ? 0 : 1;
                switch (pd->af) {
 #ifdef INET
                case AF_INET:
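Review bot: `pd2` is filled in field by field here (`af`, `sidx`, `didx`), and nothing in this hunk assigns `pd2.dir`. Since this commit makes helpers read the direction from the descriptor rather than from an argument, any routine handed `&pd2` that consults `->dir` would see whatever that field contains. Whether `pd2` is zeroed earlier, or ever passed to such a routine, is outside the hunk. I would set the field explicitly next to `pd2.af = pd->af;`. Given the existing comment that the payload packet travels in the opposite direction, a one-line comment should state which direction `pd2.dir` is meant to carry.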
@@ -5929,9 +5926,9 @@ pf_test_state_icmp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif
                        key.port[pd2.sidx] = th.th_sport;
                        key.port[pd2.didx] = th.th_dport;
 
-                       STATE_LOOKUP(kif, &key, direction, *state, pd);
+                       STATE_LOOKUP(kif, &key, *state, pd);
 
-                       if (direction == (*state)->direction) {
+                       if (pd->dir == (*state)->direction) {
                                src = &(*state)->dst;
                                dst = &(*state)->src;
                        } else {
@@ -6050,7 +6047,7 @@ pf_test_state_icmp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif
                        key.port[pd2.sidx] = uh.uh_sport;
                        key.port[pd2.didx] = uh.uh_dport;
 
-                       STATE_LOOKUP(kif, &key, direction, *state, pd);
+                       STATE_LOOKUP(kif, &key, *state, pd);
 
                        /* translate source/destination address, if necessary */
                        if ((*state)->key[PF_SK_WIRE] !=
@@ -6117,7 +6114,7 @@ pf_test_state_icmp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif
                        PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
                        key.port[0] = key.port[1] = iih.icmp_id;
 
-                       STATE_LOOKUP(kif, &key, direction, *state, pd);
+                       STATE_LOOKUP(kif, &key, *state, pd);
 
                        /* translate source/destination address, if necessary */
                        if ((*state)->key[PF_SK_WIRE] !=
@@ -6169,7 +6166,7 @@ pf_test_state_icmp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif
                        PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
                        key.port[0] = key.port[1] = iih.icmp6_id;
 
-                       STATE_LOOKUP(kif, &key, direction, *state, pd);
+                       STATE_LOOKUP(kif, &key, *state, pd);
 
                        /* translate source/destination address, if necessary */
                        if ((*state)->key[PF_SK_WIRE] !=
@@ -6212,7 +6209,7 @@ pf_test_state_icmp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif
                        PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
                        key.port[0] = key.port[1] = 0;
 
-                       STATE_LOOKUP(kif, &key, direction, *state, pd);
+                       STATE_LOOKUP(kif, &key, *state, pd);
 
                        /* translate source/destination address, if necessary */
                        if ((*state)->key[PF_SK_WIRE] !=
@@ -6261,7 +6258,7 @@ pf_test_state_icmp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif
 }
 
 static int
-pf_test_state_other(struct pf_kstate **state, int direction, struct pfi_kkif 
*kif,
+pf_test_state_other(struct pf_kstate **state, struct pfi_kkif *kif,
     struct mbuf *m, struct pf_pdesc *pd)
 {
        struct pf_state_peer    *src, *dst;
@@ -6271,7 +6268,7 @@ pf_test_state_other(struct pf_kstate **state, int 
direction, struct pfi_kkif *ki
        bzero(&key, sizeof(key));
        key.af = pd->af;
        key.proto = pd->proto;
-       if (direction == PF_IN) {
+       if (pd->dir == PF_IN)   {
                PF_ACPY(&key.addr[0], pd->src, key.af);
                PF_ACPY(&key.addr[1], pd->dst, key.af);
                key.port[0] = key.port[1] = 0;
@@ -6281,9 +6278,9 @@ pf_test_state_other(struct pf_kstate **state, int 
direction, struct pfi_kkif *ki
                key.port[1] = key.port[0] = 0;
        }
 
-       STATE_LOOKUP(kif, &key, direction, *state, pd);
+       STATE_LOOKUP(kif, &key, *state, pd);
 
-       if (direction == (*state)->direction) {
+       if (pd->dir == (*state)->direction) {
                src = &(*state)->src;
                dst = &(*state)->dst;
                psrc = PF_PEER_SRC;
@@ -6437,7 +6434,7 @@ pf_routable(struct pf_addr *addr, sa_family_t af, struct 
pfi_kkif *kif,
 
 #ifdef INET
 static void
-pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
+pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp,
     struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp)
 {
        struct mbuf             *m0, *m1, *md;
@@ -6460,7 +6457,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                r_dir = r->direction;
        }
 
-       KASSERT(dir == PF_IN || dir == PF_OUT ||
+       KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT ||
            r_dir == PF_IN || r_dir == PF_OUT, ("%s: invalid direction",
            __func__));
 
@@ -6502,8 +6499,8 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                        }
                }
        } else {
-               if ((r_rt == PF_REPLYTO) == (r_dir == dir)) {
-                       pf_dummynet(pd, dir, s, r, m);
+               if ((r_rt == PF_REPLYTO) == (r_dir == pd->dir)) {
+                       pf_dummynet(pd, s, r, m);
                        if (s)
                                PF_STATE_UNLOCK(s);
                        return;
@@ -6545,7 +6542,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
        if (ifp == NULL)
                goto bad;
 
-       if (dir == PF_IN) {
+       if (pd->dir == PF_IN) {
                if (pf_test(PF_OUT, 0, ifp, &m0, inp, &pd->act) != PF_PASS)
                        goto bad;
                else if (m0 == NULL)
@@ -6591,7 +6588,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                m_clrprotoflags(m0);    /* Avoid confusing lower layers. */
 
                md = m0;
-               error = pf_dummynet_route(pd, dir, s, r, ifp, sintosa(&dst), 
&md);
+               error = pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md);
                if (md != NULL)
                        error = (*ifp->if_output)(ifp, md, sintosa(&dst), NULL);
                goto done;
@@ -6605,7 +6602,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                        if (s && pd->nat_rule != NULL)
                                PACKET_UNDO_NAT(m0, pd,
                                    (ip->ip_hl << 2) + (ip_off & IP_OFFMASK),
-                                   s, dir);
+                                   s);
 
                        icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
                            ifp->if_mtu);
@@ -6624,7 +6621,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                if (error == 0) {
                        m_clrprotoflags(m0);
                        md = m0;
-                       error = pf_dummynet_route(pd, dir, s, r, ifp,
+                       error = pf_dummynet_route(pd, s, r, ifp,
                            sintosa(&dst), &md);
                        if (md != NULL)
                                error = (*ifp->if_output)(ifp, md,
@@ -6652,7 +6649,7 @@ bad:
 
 #ifdef INET6
 static void
-pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
+pf_route6(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp,
     struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp)
 {
        struct mbuf             *m0, *md;
@@ -6673,7 +6670,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                r_dir = r->direction;
        }
 
-       KASSERT(dir == PF_IN || dir == PF_OUT ||
+       KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT ||
            r_dir == PF_IN || r_dir == PF_OUT, ("%s: invalid direction",
            __func__));
 
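Review bot: The KASSERT in pf_route6 joins all four comparisons with `||`, so it passes whenever either `pd->dir` or `r_dir` is PF_IN or PF_OUT and cannot catch an invalid `pd->dir` on its own. Now that the direction is read from `pd` instead of being passed as an argument, this assertion is the only local check that the caller filled it in, so I would assert it separately: `KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT, ("%s: invalid direction", __func__));`. Whether `r_dir` needs its own assertion depends on whether a rule direction of PF_INOUT can reach this point, which the hunk does not show. The same expression appears in the pf_route hunk just above, and the function body continues outside this hunk.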
@@ -6715,8 +6712,8 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                        }
                }
        } else {
-               if ((r_rt == PF_REPLYTO) == (r_dir == dir)) {
-                       pf_dummynet(pd, dir, s, r, m);
+               if ((r_rt == PF_REPLYTO) == (r_dir == pd->dir)) {
+                       pf_dummynet(pd, s, r, m);
                        if (s)
                                PF_STATE_UNLOCK(s);
                        return;
@@ -6761,7 +6758,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
        if (ifp == NULL)
                goto bad;
 
-       if (dir == PF_IN) {
+       if (pd->dir == PF_IN) {
                if (pf_test6(PF_OUT, 0, ifp, &m0, inp, &pd->act) != PF_PASS)
                        goto bad;
                else if (m0 == NULL)
@@ -6793,7 +6790,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                dst.sin6_addr.s6_addr16[1] = htons(ifp->if_index);
        if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
                md = m0;
-               pf_dummynet_route(pd, dir, s, r, ifp, sintosa(&dst), &md);
+               pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md);
                if (md != NULL)
                        nd6_output_ifp(ifp, ifp, md, &dst, NULL);
        }
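Review bot: The return value of `pf_dummynet_route()` is discarded in pf_route6, while the matching calls in pf_route store it in `error`. If the call fails and leaves `md` non-NULL, the packet is still handed to `nd6_output_ifp()` with no record of the failure; what the helper does with `md` on error is not visible in this hunk. If ignoring the result is intended, say so with `(void)pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md);` and a short comment; otherwise handle a non-zero return in line with the helper's mbuf ownership rules. pf_route6's body starts and ends outside this hunk.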
@@ -6803,7 +6800,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                        if (s && pd->nat_rule != NULL)
                                PACKET_UNDO_NAT(m0, pd,
                                    ((caddr_t)ip6 - m0->m_data) +
-                                   sizeof(struct ip6_hdr), s, dir);
+                                   sizeof(struct ip6_hdr), s);
 
                        icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
                } else
@@ -6958,9 +6955,8 @@ pf_check_proto_cksum(struct mbuf *m, int off, int len, 
u_int8_t p, sa_family_t a
 }
 
 static bool
-pf_pdesc_to_dnflow(int dir, const struct pf_pdesc *pd,
-    const struct pf_krule *r, const struct pf_kstate *s,
-    struct ip_fw_args *dnflow)
+pf_pdesc_to_dnflow(const struct pf_pdesc *pd, const struct pf_krule *r,
+    const struct pf_kstate *s, struct ip_fw_args *dnflow)
 {
        int dndir = r->direction;
 
@@ -6969,7 +6965,7 @@ pf_pdesc_to_dnflow(int dir, const struct pf_pdesc *pd,
        } else if (dndir == PF_INOUT) {
                /* Assume primary direction. Happens when we've set dnpipe in
                 * the ethernet level code. */
-               dndir = dir;
+               dndir = pd->dir;
        }
 
        memset(dnflow, 0, sizeof(*dnflow));
@@ -6979,15 +6975,15 @@ pf_pdesc_to_dnflow(int dir, const struct pf_pdesc *pd,
        if (pd->sport != NULL)
                dnflow->f_id.src_port = ntohs(*pd->sport);
 
-       if (dir == PF_IN)
+       if (pd->dir == PF_IN)
                dnflow->flags |= IPFW_ARGS_IN;
        else
                dnflow->flags |= IPFW_ARGS_OUT;
 
-       if (dir != dndir && pd->act.dnrpipe) {
+       if (pd->dir != dndir && pd->act.dnrpipe) {
                dnflow->rule.info = pd->act.dnrpipe;
        }
-       else if (dir == dndir && pd->act.dnpipe) {
+       else if (pd->dir == dndir && pd->act.dnpipe) {
                dnflow->rule.info = pd->act.dnpipe;
        }
        else {
@@ -7052,14 +7048,14 @@ pf_test_eth(int dir, int pflags, struct ifnet *ifp, 
struct mbuf **m0,
 }
 
 static int
-pf_dummynet(struct pf_pdesc *pd, int dir, struct pf_kstate *s,
+pf_dummynet(struct pf_pdesc *pd, struct pf_kstate *s,
     struct pf_krule *r, struct mbuf **m0)
 {
-       return (pf_dummynet_route(pd, dir, s, r, NULL, NULL, m0));
+       return (pf_dummynet_route(pd, s, r, NULL, NULL, m0));
 }
 
 static int
-pf_dummynet_route(struct pf_pdesc *pd, int dir, struct pf_kstate *s,
+pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s,
     struct pf_krule *r, struct ifnet *ifp, struct sockaddr *sa,
     struct mbuf **m0)
 {
@@ -7105,7 +7101,7 @@ pf_dummynet_route(struct pf_pdesc *pd, int dir, struct 
pf_kstate *s,
                                    sizeof(struct sockaddr_in6));
                }
 
-               if (pf_pdesc_to_dnflow(dir, pd, r, s, &dnflow)) {
+               if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) {
                        pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET;
                        ip_dn_io_ptr(m0, &dnflow);
                        if (*m0 != NULL) {
@@ -7213,6 +7209,14 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
                return (PF_PASS);
        }
 
+       pd.sport = pd.dport = NULL;
+       pd.proto_sum = NULL;
+       pd.dir = dir;
+       pd.sidx = (dir == PF_IN) ? 0 : 1;
+       pd.didx = (dir == PF_IN) ? 1 : 0;
+       pd.af = AF_INET;
+       pd.act.rtableid = -1;
+
        if (__predict_false(ip_divert_ptr != NULL) &&
            ((ipfwtag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL)) != NULL)) {
                struct ipfw_rule_ref *rr = (struct ipfw_rule_ref *)(ipfwtag+1);
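Review bot: The block that fills `pd.dir`, `pd.sidx`, `pd.didx`, `pd.af` and `pd.act.rtableid` has become a precondition for everything below it, and nothing in the code says so. pf_normalize_ip() in the next hunk and PFLOG_PACKET() under `done:` no longer receive `dir` and presumably read it from `pd`, so a later `goto done` or helper call placed above this block would see an unset direction. A comment such as `/* Fill in pd before any helper or goto done: direction is taken from pd->dir from here on. */` above `pd.sport = pd.dport = NULL;` would keep a later edit from breaking that ordering. The pf_test6 hunk further down moves the same assignments and deserves the same comment. pf_test's body starts and ends outside this hunk, so whether `pd` is zeroed beforehand is not visible here.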
@@ -7229,7 +7233,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
                        m->m_flags |= M_FASTFWD_OURS;
                        pd.pf_mtag->flags &= ~PF_MTAG_FLAG_FASTFWD_OURS_PRESENT;
                }
-       } else if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
+       } else if (pf_normalize_ip(m0, kif, &reason, &pd) != PF_PASS) {
                /* We do IP header normalization and packet reassembly here */
                action = PF_DROP;
                goto done;
@@ -7247,22 +7251,14 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
 
        pd.src = (struct pf_addr *)&h->ip_src;
        pd.dst = (struct pf_addr *)&h->ip_dst;
-       pd.sport = pd.dport = NULL;
        pd.ip_sum = &h->ip_sum;
-       pd.proto_sum = NULL;
        pd.proto = h->ip_p;
-       pd.dir = dir;
-       pd.sidx = (dir == PF_IN) ? 0 : 1;
-       pd.didx = (dir == PF_IN) ? 1 : 0;
-       pd.af = AF_INET;
        pd.tos = h->ip_tos & ~IPTOS_ECN_MASK;
        pd.tot_len = ntohs(h->ip_len);
-       pd.act.rtableid = -1;
 
        /* handle fragments that didn't get reassembled by normalization */
        if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
-               action = pf_test_fragment(&r, dir, kif, m, h,
-                   &pd, &a, &ruleset);
+               action = pf_test_fragment(&r, kif, m, h, &pd, &a, &ruleset);
                goto done;
        }
 
@@ -7289,11 +7285,10 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
 
                if ((pd.hdr.tcp.th_flags & TH_ACK) && pd.p_len == 0)
                        pqid = 1;
-               action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
+               action = pf_normalize_tcp(kif, m, 0, off, h, &pd);
                if (action == PF_DROP)
                        goto done;
-               action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
-                   &reason);
+               action = pf_test_state_tcp(&s, kif, m, off, h, &pd, &reason);
                if (action == PF_PASS) {
                        if (V_pfsync_update_state_ptr != NULL)
                                V_pfsync_update_state_ptr(s);
@@ -7319,8 +7314,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
                                m_freem(msyn);
 
                                if (action == PF_PASS) {
-                                       action = pf_test_state_tcp(&s, dir,
-                                           kif, m, off, h, &pd, &reason);
+                                       action = pf_test_state_tcp(&s, kif, m,
+                                           off, h, &pd, &reason);
                                        if (action != PF_PASS || s == NULL) {
                                                action = PF_DROP;
                                                break;
@@ -7340,7 +7335,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
                                break;
                        }
                        else {
-                               action = pf_test_rule(&r, &s, dir, kif, m, off,
+                               action = pf_test_rule(&r, &s, kif, m, off,
                                    &pd, &a, &ruleset, inp);
                        }
                }
@@ -7368,7 +7363,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
                        REASON_SET(&reason, PFRES_SHORT);
                        goto done;
                }
-               action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
+               action = pf_test_state_udp(&s, kif, m, off, h, &pd);
                if (action == PF_PASS) {
                        if (V_pfsync_update_state_ptr != NULL)
                                V_pfsync_update_state_ptr(s);
@@ -7376,7 +7371,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
                        a = s->anchor.ptr;
                        log = s->log;
                } else if (s == NULL)
-                       action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
+                       action = pf_test_rule(&r, &s, kif, m, off, &pd,
                            &a, &ruleset, inp);
                break;
        }
@@ -7388,8 +7383,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
                                log = PF_LOG_FORCE;
                        goto done;
                }
-               action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
-                   &reason);
+               action = pf_test_state_icmp(&s, kif, m, off, h, &pd, &reason);
                if (action == PF_PASS) {
                        if (V_pfsync_update_state_ptr != NULL)
                                V_pfsync_update_state_ptr(s);
@@ -7397,7 +7391,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
                        a = s->anchor.ptr;
                        log = s->log;
                } else if (s == NULL)
-                       action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
+                       action = pf_test_rule(&r, &s, kif, m, off, &pd,
                            &a, &ruleset, inp);
                break;
        }
@@ -7412,7 +7406,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
 #endif
 
        default:
-               action = pf_test_state_other(&s, dir, kif, m, &pd);
+               action = pf_test_state_other(&s, kif, m, &pd);
                if (action == PF_PASS) {
                        if (V_pfsync_update_state_ptr != NULL)
                                V_pfsync_update_state_ptr(s);
@@ -7420,7 +7414,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
                        a = s->anchor.ptr;
                        log = s->log;
                } else if (s == NULL)
-                       action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
+                       action = pf_test_rule(&r, &s, kif, m, off, &pd,
                            &a, &ruleset, inp);
                break;
        }
@@ -7574,13 +7568,13 @@ done:
                        lr = r;
 
                if (log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
-                       PFLOG_PACKET(kif, m, AF_INET, dir, reason, lr, a,
-                           ruleset, &pd, (s == NULL));
+                       PFLOG_PACKET(kif, m, AF_INET, reason, lr, a, ruleset,
+                           &pd, (s == NULL));
                if (s) {
                        SLIST_FOREACH(ri, &s->match_rules, entry)
                                if (ri->r->log & PF_LOG_ALL)
-                                       PFLOG_PACKET(kif, m, AF_INET, dir,
-                                           reason, ri->r, a, ruleset, &pd, 0);
+                                       PFLOG_PACKET(kif, m, AF_INET, reason,
+                                           ri->r, a, ruleset, &pd, 0);
                }
        }
 
@@ -7664,10 +7658,10 @@ done:
        default:
                /* pf_route() returns unlocked. */
                if (rt) {
-                       pf_route(m0, r, dir, kif->pfik_ifp, s, &pd, inp);
+                       pf_route(m0, r, kif->pfik_ifp, s, &pd, inp);
                        return (action);
                }
-               if (pf_dummynet(&pd, dir, s, r, m0) != 0) {
+               if (pf_dummynet(&pd, s, r, m0) != 0) {
                        action = PF_DROP;
                        REASON_SET(&reason, PFRES_MEMORY);
                }
@@ -7774,8 +7768,17 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0, struct inpcb
                return (PF_PASS);
        }
 
+       pd.sport = pd.dport = NULL;
+       pd.ip_sum = NULL;
+       pd.proto_sum = NULL;
+       pd.dir = dir;
+       pd.sidx = (dir == PF_IN) ? 0 : 1;
+       pd.didx = (dir == PF_IN) ? 1 : 0;
+       pd.af = AF_INET6;
+       pd.act.rtableid = -1;
+
        /* We do IP header normalization and packet reassembly here */
-       if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
+       if (pf_normalize_ip6(m0, kif, &reason, &pd) != PF_PASS) {
                action = PF_DROP;
                goto done;
        }
@@ -7794,24 +7797,16 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0, struct inpcb
 
        pd.src = (struct pf_addr *)&h->ip6_src;
        pd.dst = (struct pf_addr *)&h->ip6_dst;
-       pd.sport = pd.dport = NULL;
-       pd.ip_sum = NULL;
-       pd.proto_sum = NULL;
-       pd.dir = dir;
-       pd.sidx = (dir == PF_IN) ? 0 : 1;
-       pd.didx = (dir == PF_IN) ? 1 : 0;
-       pd.af = AF_INET6;
        pd.tos = IPV6_DSCP(h);
        pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
-       pd.act.rtableid = -1;
 
        off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
        pd.proto = h->ip6_nxt;
        do {
                switch (pd.proto) {
                case IPPROTO_FRAGMENT:
-                       action = pf_test_fragment(&r, dir, kif, m, h,
-                           &pd, &a, &ruleset);
+                       action = pf_test_fragment(&r, kif, m, h, &pd, &a,
+                           &ruleset);
                        if (action == PF_DROP)
                                REASON_SET(&reason, PFRES_FRAG);
                        goto done;
@@ -7888,11 +7883,10 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0, struct inpcb
                pd.p_len = pd.tot_len - off - (pd.hdr.tcp.th_off << 2);
                pd.sport = &pd.hdr.tcp.th_sport;
                pd.dport = &pd.hdr.tcp.th_dport;
-               action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
+               action = pf_normalize_tcp(kif, m, 0, off, h, &pd);
                if (action == PF_DROP)
                        goto done;
-               action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
-                   &reason);
+               action = pf_test_state_tcp(&s, kif, m, off, h, &pd, &reason);
                if (action == PF_PASS) {
                        if (V_pfsync_update_state_ptr != NULL)
                                V_pfsync_update_state_ptr(s);
@@ -7900,7 +7894,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0, struct inpcb
                        a = s->anchor.ptr;
                        log = s->log;
*** 308 LINES SKIPPED ***
