From nobody Thu Oct 10 12:37:31 2024
Date: Thu, 10 Oct 2024 12:37:31 GMT
Message-Id: <202410101237.49ACbVeZ006831@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 9a405864e0cf - main - pf: move the mbuf into struct pf_pdesc too
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 9a405864e0cf7d794ba067fa762b5d3743cd7db5
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=9a405864e0cf7d794ba067fa762b5d3743cd7db5

commit 9a405864e0cf7d794ba067fa762b5d3743cd7db5
Author:     Kristof Provost
AuthorDate: 2024-10-03 17:53:09 +0000
Commit:     Kristof Provost
CommitDate: 2024-10-10 12:10:42 +0000

    pf: move the mbuf into struct pf_pdesc too

    As requested by henning, move the mbuf pointer into struct pf_pdesc.
    Also sort pd to the beginning of the functions' parameter lists for
    consistency.
    ok henning

    Obtained from:  OpenBSD, bluhm , 776f210a75
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D46941
---
 sys/net/if_pflog.h             |   4 +-
 sys/net/pfvar.h                |  42 ++--
 sys/netpfil/pf/if_pflog.c      |  14 +-
 sys/netpfil/pf/pf.c            | 470 ++++++++++++++++++++---------------------
 sys/netpfil/pf/pf_lb.c         |  30 +--
 sys/netpfil/pf/pf_norm.c       | 110 +++++-----
 sys/netpfil/pf/pf_osfp.c       |   9 +-
 sys/netpfil/pf/pf_syncookies.c |  13 +-
 8 files changed, 338 insertions(+), 354 deletions(-)

diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h index 0f8caef5fe8b..b2052d5bd5f3 100644 --- a/sys/net/if_pflog.h +++ b/sys/net/if_pflog.h
@@ -69,9 +69,9 @@ struct pf_ruleset; struct pfi_kif; struct pf_pdesc; -#define PFLOG_PACKET(a,b,t,c,d,e,f,g) do { \ +#define PFLOG_PACKET(b,t,c,d,e,f,g) do { \ if (pflog_packet_ptr != NULL) \ - pflog_packet_ptr(a,b,t,c,d,e,f,g); \ + pflog_packet_ptr(b,t,c,d,e,f,g); \ } while (0) #endif /* _KERNEL */ #endif /* _NET_IF_PFLOG_H_ */ diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index f88a619dd184..30be1128d4d3 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1249,7 +1249,7 @@ void pf_state_export(struct pf_state_export *, /* pflog */ struct pf_kruleset; struct pf_pdesc; -typedef int pflog_packet_t(struct mbuf *, uint8_t, u_int8_t, +typedef int pflog_packet_t(uint8_t, u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *, struct pf_pdesc *, int); extern pflog_packet_t *pflog_packet_ptr; @@ -1598,6 +1598,7 @@ struct pf_pdesc { } hdr; struct pfi_kkif *kif; /* incomming interface */ + struct mbuf *m; struct pf_addr *src; /* src address */ struct pf_addr *dst; /* dst address */ @@ -1650,7 +1651,6 @@ struct pf_sctp_multihome_job { struct pf_pdesc pd; struct pf_addr src; struct pf_addr dst; - struct mbuf *m; int op; }; @@ -2355,7 +2355,7 @@ extern void pf_addrcpy(struct pf_addr *, struct pf_addr *, void pf_free_rule(struct pf_krule *); int pf_test_eth(int, int, struct ifnet *, struct mbuf **, struct inpcb *); -int pf_scan_sctp(struct mbuf *, struct pf_pdesc *); +int pf_scan_sctp(struct pf_pdesc *); #if defined(INET) || defined(INET6) int pf_test(sa_family_t, int, int, struct ifnet *, struct mbuf **, struct inpcb *, struct pf_rule_actions *); 
@@ -2375,8 +2375,8 @@ int pf_max_frag_size(struct mbuf *); int pf_refragment6(struct ifnet *, struct mbuf **, struct m_tag *, bool); #endif /* INET6 */ -int pf_multihome_scan_init(struct mbuf *, int, int, struct pf_pdesc *); -int pf_multihome_scan_asconf(struct mbuf *, int, int, struct pf_pdesc *); +int pf_multihome_scan_init(int, int, struct pf_pdesc *); +int pf_multihome_scan_asconf(int, int, struct pf_pdesc *); u_int32_t pf_new_isn(struct pf_kstate *); void *pf_pull_hdr(const struct mbuf *, int, void *, int, u_short *, u_short *, @@ -2398,23 +2398,23 @@ int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); void pf_normalize_init(void); void pf_normalize_cleanup(void); -int pf_normalize_tcp(struct mbuf *, struct pf_pdesc *); +int pf_normalize_tcp(struct pf_pdesc *); void pf_normalize_tcp_cleanup(struct pf_kstate *); -int pf_normalize_tcp_init(struct mbuf *, struct pf_pdesc *, +int pf_normalize_tcp_init(struct pf_pdesc *, struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *); -int pf_normalize_tcp_stateful(struct mbuf *, struct pf_pdesc *, +int pf_normalize_tcp_stateful(struct pf_pdesc *, u_short *, struct tcphdr *, struct pf_kstate *, struct pf_state_peer *, struct pf_state_peer *, int *); -int pf_normalize_sctp_init(struct mbuf *, struct pf_pdesc *, +int pf_normalize_sctp_init(struct pf_pdesc *, struct pf_state_peer *, struct pf_state_peer *); -int pf_normalize_sctp(struct mbuf *, struct pf_pdesc *); +int pf_normalize_sctp(struct pf_pdesc *); u_int32_t pf_state_expires(const struct pf_kstate *); void pf_purge_expired_fragments(void); void pf_purge_fragments(uint32_t); int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *, int); -int pf_socket_lookup(struct pf_pdesc *, struct mbuf *); +int pf_socket_lookup(struct pf_pdesc *); struct pf_state_key *pf_alloc_state_key(int); void pfr_initialize(void); void pfr_cleanup(void); 
@@ -2482,12 +2482,12 @@ int pfi_set_flags(const char *, int); int pfi_clear_flags(const char *, int); int pf_match_tag(struct mbuf *, struct pf_krule *, int *, int); -int pf_tag_packet(struct mbuf *, struct pf_pdesc *, int); +int pf_tag_packet(struct pf_pdesc *, int); int pf_addr_cmp(struct pf_addr *, struct pf_addr *, sa_family_t); -u_int16_t pf_get_mss(struct mbuf *, struct pf_pdesc *); -u_int8_t pf_get_wscale(struct mbuf *, struct pf_pdesc *); +u_int16_t pf_get_mss(struct pf_pdesc *); +u_int8_t pf_get_wscale(struct pf_pdesc *); struct mbuf *pf_build_tcp(const struct pf_krule *, sa_family_t, const struct pf_addr *, const struct pf_addr *, u_int16_t, u_int16_t, u_int32_t, u_int32_t, @@ -2504,8 +2504,7 @@ void pf_syncookies_cleanup(void); int pf_get_syncookies(struct pfioc_nv *); int pf_set_syncookies(struct pfioc_nv *); int pf_synflood_check(struct pf_pdesc *); -void pf_syncookie_send(struct mbuf *m, - struct pf_pdesc *); +void pf_syncookie_send(struct pf_pdesc *); bool pf_syncookie_check(struct pf_pdesc *); u_int8_t pf_syncookie_validate(struct pf_pdesc *); struct mbuf * pf_syncookie_recreate_syn(struct pf_pdesc *); @@ -2590,8 +2589,7 @@ void pf_addr_copyout(struct pf_addr_wrap *); int pf_osfp_add(struct pf_osfp_ioctl *); #ifdef _KERNEL struct pf_osfp_enlist * - pf_osfp_fingerprint(struct pf_pdesc *, struct mbuf *, - const struct tcphdr *); + pf_osfp_fingerprint(struct pf_pdesc *, const struct tcphdr *); #endif /* _KERNEL */ void pf_osfp_flush(void); int pf_osfp_get(struct pf_osfp_ioctl *); @@ -2622,7 +2620,7 @@ u_short pf_map_addr_sn(u_int8_t, struct pf_krule *, struct pf_addr *, struct pf_addr *, struct pfi_kkif **nkif, struct pf_addr *, struct pf_ksrc_node **); -u_short pf_get_translation(struct pf_pdesc *, struct mbuf *, +u_short pf_get_translation(struct pf_pdesc *, int, struct pf_ksrc_node **, struct pf_state_key **, struct pf_state_key **, struct pf_addr *, struct pf_addr *, 
@@ -2630,14 +2628,14 @@ u_short pf_get_translation(struct pf_pdesc *, struct mbuf *, struct pf_krule **, struct pf_udp_mapping **udp_mapping); -struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct mbuf *, +struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct pf_addr *, struct pf_addr *, u_int16_t, u_int16_t); struct pf_state_key *pf_state_key_clone(const struct pf_state_key *); void pf_rule_to_actions(struct pf_krule *, struct pf_rule_actions *); -int pf_normalize_mss(struct mbuf *m, struct pf_pdesc *pd); +int pf_normalize_mss(struct pf_pdesc *pd); #if defined(INET) || defined(INET6) -void pf_scrub(struct mbuf *, struct pf_pdesc *); +void pf_scrub(struct pf_pdesc *); #endif struct pfi_kkif *pf_kkif_create(int); diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c index 4db178b8f279..3cd7cd1f2ddc 100644 --- a/sys/netpfil/pf/if_pflog.c +++ b/sys/netpfil/pf/if_pflog.c @@ -213,14 +213,14 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } static int -pflog_packet(struct mbuf *m, uint8_t action, u_int8_t reason, +pflog_packet(uint8_t action, u_int8_t reason, struct pf_krule *rm, struct pf_krule *am, struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe) { struct ifnet *ifn; struct pfloghdr hdr; - if (m == NULL || rm == NULL || pd == NULL) + if (rm == NULL || pd == NULL) return (1); ifn = V_pflogifs[rm->logif]; @@ -251,7 +251,7 @@ pflog_packet(struct mbuf *m, uint8_t action, u_int8_t reason, * These conditions are very very rare, however. */ if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe) - pd->lookup.done = pf_socket_lookup(pd, m); + pd->lookup.done = pf_socket_lookup(pd); if (pd->lookup.done > 0) hdr.uid = pd->lookup.uid; else 
@@ -265,15 +265,15 @@ pflog_packet(struct mbuf *m, uint8_t action, u_int8_t reason, if (pd->af == AF_INET && pd->dir == PF_OUT) { struct ip *ip; - ip = mtod(m, struct ip *); + ip = mtod(pd->m, struct ip *); ip->ip_sum = 0; - ip->ip_sum = in_cksum(m, ip->ip_hl << 2); + ip->ip_sum = in_cksum(pd->m, ip->ip_hl << 2); } #endif /* INET */ if_inc_counter(ifn, IFCOUNTER_OPACKETS, 1); - if_inc_counter(ifn, IFCOUNTER_OBYTES, m->m_pkthdr.len); - bpf_mtap2(ifn->if_bpf, &hdr, PFLOG_HDRLEN, m); + if_inc_counter(ifn, IFCOUNTER_OBYTES, pd->m->m_pkthdr.len); + bpf_mtap2(ifn->if_bpf, &hdr, PFLOG_HDRLEN, pd->m); return (0); } diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 993feff92233..216d5805b11e 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -294,7 +294,7 @@ static int pf_check_threshold(struct pf_threshold *); static void pf_change_ap(struct mbuf *, struct pf_addr *, u_int16_t *, u_int16_t *, u_int16_t *, struct pf_addr *, u_int16_t, u_int8_t, sa_family_t); -static int pf_modulate_sack(struct mbuf *, struct pf_pdesc *, +static int pf_modulate_sack(struct pf_pdesc *, struct tcphdr *, struct pf_state_peer *); int pf_icmp_mapping(struct pf_pdesc *, u_int8_t, int *, int *, u_int16_t *, u_int16_t *); 
@@ -320,39 +320,39 @@ static int pf_dummynet_route(struct pf_pdesc *, static int pf_test_eth_rule(int, struct pfi_kkif *, struct mbuf **); static int pf_test_rule(struct pf_krule **, struct pf_kstate **, - struct mbuf *, struct pf_pdesc *, struct pf_krule **, + struct pf_pdesc *, struct pf_krule **, struct pf_kruleset **, struct inpcb *); static int pf_create_state(struct pf_krule *, struct pf_krule *, struct pf_krule *, struct pf_pdesc *, struct pf_ksrc_node *, struct pf_state_key *, - struct pf_state_key *, struct mbuf *, + struct pf_state_key *, u_int16_t, u_int16_t, int *, struct pf_kstate **, int, u_int16_t, u_int16_t, struct pf_krule_slist *, struct pf_udp_mapping *); -static int pf_state_key_addr_setup(struct pf_pdesc *, struct mbuf *, +static int pf_state_key_addr_setup(struct pf_pdesc *, struct pf_state_key_cmp *, int, struct pf_addr *, int, struct pf_addr *, int); static int pf_tcp_track_full(struct pf_kstate **, - struct mbuf *, struct pf_pdesc *, u_short *, int *); + struct pf_pdesc *, u_short *, int *); static int pf_tcp_track_sloppy(struct pf_kstate **, struct pf_pdesc *, u_short *); static int pf_test_state_tcp(struct pf_kstate **, - struct mbuf *, struct pf_pdesc *, u_short *); + struct pf_pdesc *, u_short *); static int pf_test_state_udp(struct pf_kstate **, - struct mbuf *, struct pf_pdesc *); + struct pf_pdesc *); int pf_icmp_state_lookup(struct pf_state_key_cmp *, - struct pf_pdesc *, struct pf_kstate **, struct mbuf *, + struct pf_pdesc *, struct pf_kstate **, int, u_int16_t, u_int16_t, int, int *, int, int); -static int pf_test_state_icmp(struct pf_kstate **, struct mbuf *, +static int pf_test_state_icmp(struct pf_kstate **, struct pf_pdesc *, u_short *); static void pf_sctp_multihome_detach_addr(const struct pf_kstate *); static void pf_sctp_multihome_delayed(struct pf_pdesc *, struct pfi_kkif *, struct pf_kstate *, int); -static int pf_test_state_sctp(struct pf_kstate **, struct mbuf *, +static int pf_test_state_sctp(struct pf_kstate **, 
struct pf_pdesc *, u_short *); static int pf_test_state_other(struct pf_kstate **, - struct mbuf *, struct pf_pdesc *); + struct pf_pdesc *); static u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t, int, u_int16_t); static int pf_check_proto_cksum(struct mbuf *, int, int, @@ -1561,7 +1561,7 @@ pf_state_key_ctor(void *mem, int size, void *arg, int flags) } static int -pf_state_key_addr_setup(struct pf_pdesc *pd, struct mbuf *m, +pf_state_key_addr_setup(struct pf_pdesc *pd, struct pf_state_key_cmp *key, int sidx, struct pf_addr *saddr, int didx, struct pf_addr *daddr, int multi) { @@ -1577,7 +1577,7 @@ pf_state_key_addr_setup(struct pf_pdesc *pd, struct mbuf *m, case ND_NEIGHBOR_SOLICIT: if (multi) return (-1); - if (!pf_pull_hdr(m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) + if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) return (-1); target = (struct pf_addr *)&nd.nd_ns_target; daddr = target; @@ -1585,7 +1585,7 @@ pf_state_key_addr_setup(struct pf_pdesc *pd, struct mbuf *m, case ND_NEIGHBOR_ADVERT: if (multi) return (-1); - if (!pf_pull_hdr(m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) + if (!pf_pull_hdr(pd->m, pd->off, &nd, sizeof(nd), &action, &reason, pd->af)) return (-1); target = (struct pf_addr *)&nd.nd_ns_target; saddr = target; @@ -1617,7 +1617,7 @@ copy: } struct pf_state_key * -pf_state_key_setup(struct pf_pdesc *pd, struct mbuf *m, +pf_state_key_setup(struct pf_pdesc *pd, struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t sport, u_int16_t dport) { @@ -1627,7 +1627,7 @@ pf_state_key_setup(struct pf_pdesc *pd, struct mbuf *m, if (sk == NULL) return (NULL); - if (pf_state_key_addr_setup(pd, m, (struct pf_state_key_cmp *)sk, + if (pf_state_key_addr_setup(pd, (struct pf_state_key_cmp *)sk, pd->sidx, pd->src, pd->didx, pd->dst, 0)) { uma_zfree(V_pf_state_key_z, sk); return (NULL); 
@@ -3272,8 +3272,8 @@ pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, * (credits to Krzysztof Pfaff for report and patch) */ static int -pf_modulate_sack(struct mbuf *m, struct pf_pdesc *pd, - struct tcphdr *th, struct pf_state_peer *dst) +pf_modulate_sack(struct pf_pdesc *pd, struct tcphdr *th, + struct pf_state_peer *dst) { int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen; u_int8_t opts[TCP_MAXOLEN], *opt = opts; @@ -3282,7 +3282,7 @@ pf_modulate_sack(struct mbuf *m, struct pf_pdesc *pd, #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2) if (hlen < TCPOLEN_SACKLEN || - !pf_pull_hdr(m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) + !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) return 0; while (hlen >= TCPOLEN_SACKLEN) { @@ -3301,12 +3301,12 @@ pf_modulate_sack(struct mbuf *m, struct pf_pdesc *pd, for (i = 2; i + TCPOLEN_SACK <= olen; i += TCPOLEN_SACK) { memcpy(&sack, &opt[i], sizeof(sack)); - pf_patch_32_unaligned(m, + pf_patch_32_unaligned(pd->m, &th->th_sum, &sack.start, htonl(ntohl(sack.start) - dst->seqdiff), PF_ALGNMNT(startoff), 0); - pf_patch_32_unaligned(m, &th->th_sum, + pf_patch_32_unaligned(pd->m, &th->th_sum, &sack.end, htonl(ntohl(sack.end) - dst->seqdiff), PF_ALGNMNT(startoff), @@ -3325,7 +3325,7 @@ pf_modulate_sack(struct mbuf *m, struct pf_pdesc *pd, } if (copyback) - m_copyback(m, pd->off + sizeof(*th), thoptlen, (caddr_t)opts); + m_copyback(pd->m, pd->off + sizeof(*th), thoptlen, (caddr_t)opts); return (copyback); } @@ -3634,7 +3634,7 @@ pf_send_tcp(const struct pf_krule *r, sa_family_t af, static void pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd, - struct pf_state_key *sk, struct mbuf *m, struct tcphdr *th, + struct pf_state_key *sk, struct tcphdr *th, u_int16_t bproto_sum, u_int16_t bip_sum, u_short *reason, int rtableid) { 
@@ -3653,7 +3653,7 @@ pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd, *pd->proto_sum = bproto_sum; if (pd->ip_sum) *pd->ip_sum = bip_sum; - m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any); + m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); } if (pd->proto == IPPROTO_TCP && ((r->rule_flag & PFRULE_RETURNRST) || @@ -3661,7 +3661,7 @@ pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd, !(th->th_flags & TH_RST)) { u_int32_t ack = ntohl(th->th_seq) + pd->p_len; - if (pf_check_proto_cksum(m, pd->off, pd->tot_len - pd->off, + if (pf_check_proto_cksum(pd->m, pd->off, pd->tot_len - pd->off, IPPROTO_TCP, pd->af)) REASON_SET(reason, PFRES_PROTCKSUM); else { @@ -3679,11 +3679,11 @@ pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd, pf_send_sctp_abort(pd->af, pd, r->return_ttl, rtableid); } else if (pd->proto != IPPROTO_ICMP && pd->af == AF_INET && r->return_icmp) - pf_send_icmp(m, r->return_icmp >> 8, + pf_send_icmp(pd->m, r->return_icmp >> 8, r->return_icmp & 255, pd->af, r, rtableid); else if (pd->proto != IPPROTO_ICMPV6 && pd->af == AF_INET6 && r->return_icmp6) - pf_send_icmp(m, r->return_icmp6 >> 8, + pf_send_icmp(pd->m, r->return_icmp6 >> 8, r->return_icmp6 & 255, pd->af, r, rtableid); } @@ -3950,12 +3950,12 @@ pf_match_rcvif(struct mbuf *m, struct pf_krule *r) } int -pf_tag_packet(struct mbuf *m, struct pf_pdesc *pd, int tag) +pf_tag_packet(struct pf_pdesc *pd, int tag) { KASSERT(tag > 0, ("%s: tag %d", __func__, tag)); - if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(m)) == NULL)) + if (pd->pf_mtag == NULL && ((pd->pf_mtag = pf_get_mtag(pd->m)) == NULL)) return (ENOMEM); pd->pf_mtag->tag = tag; @@ -4278,7 +4278,7 @@ pf_rule_to_actions(struct pf_krule *r, struct pf_rule_actions *a) } int -pf_socket_lookup(struct pf_pdesc *pd, struct mbuf *m) +pf_socket_lookup(struct pf_pdesc *pd) { struct pf_addr *saddr, *daddr; u_int16_t sport, dport; 
@@ -4318,11 +4318,11 @@ pf_socket_lookup(struct pf_pdesc *pd, struct mbuf *m) #ifdef INET case AF_INET: inp = in_pcblookup_mbuf(pi, saddr->v4, sport, daddr->v4, - dport, INPLOOKUP_RLOCKPCB, NULL, m); + dport, INPLOOKUP_RLOCKPCB, NULL, pd->m); if (inp == NULL) { inp = in_pcblookup_mbuf(pi, saddr->v4, sport, daddr->v4, dport, INPLOOKUP_WILDCARD | - INPLOOKUP_RLOCKPCB, NULL, m); + INPLOOKUP_RLOCKPCB, NULL, pd->m); if (inp == NULL) return (-1); } @@ -4331,11 +4331,11 @@ pf_socket_lookup(struct pf_pdesc *pd, struct mbuf *m) #ifdef INET6 case AF_INET6: inp = in6_pcblookup_mbuf(pi, &saddr->v6, sport, &daddr->v6, - dport, INPLOOKUP_RLOCKPCB, NULL, m); + dport, INPLOOKUP_RLOCKPCB, NULL, pd->m); if (inp == NULL) { inp = in6_pcblookup_mbuf(pi, &saddr->v6, sport, &daddr->v6, dport, INPLOOKUP_WILDCARD | - INPLOOKUP_RLOCKPCB, NULL, m); + INPLOOKUP_RLOCKPCB, NULL, pd->m); if (inp == NULL) return (-1); } @@ -4351,7 +4351,7 @@ pf_socket_lookup(struct pf_pdesc *pd, struct mbuf *m) } u_int8_t -pf_get_wscale(struct mbuf *m, struct pf_pdesc *pd) +pf_get_wscale(struct pf_pdesc *pd) { struct tcphdr *th = &pd->hdr.tcp; int hlen; @@ -4362,7 +4362,7 @@ pf_get_wscale(struct mbuf *m, struct pf_pdesc *pd) hlen = th->th_off << 2; /* hlen <= sizeof(hdr) */ if (hlen <= sizeof(struct tcphdr)) return (0); - if (!pf_pull_hdr(m, pd->off, hdr, hlen, NULL, NULL, pd->af)) + if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af)) return (0); opt = hdr + sizeof(struct tcphdr); hlen -= sizeof(struct tcphdr); @@ -4392,7 +4392,7 @@ pf_get_wscale(struct mbuf *m, struct pf_pdesc *pd) } u_int16_t -pf_get_mss(struct mbuf *m, struct pf_pdesc *pd) +pf_get_mss(struct pf_pdesc *pd) { struct tcphdr *th = &pd->hdr.tcp; int hlen; 
@@ -4403,7 +4403,7 @@ pf_get_mss(struct mbuf *m, struct pf_pdesc *pd) hlen = th->th_off << 2; /* hlen <= sizeof(hdr) */ if (hlen <= sizeof(struct tcphdr)) return (0); - if (!pf_pull_hdr(m, pd->off, hdr, hlen, NULL, NULL, pd->af)) + if (!pf_pull_hdr(pd->m, pd->off, hdr, hlen, NULL, NULL, pd->af)) return (0); opt = hdr + sizeof(struct tcphdr); hlen -= sizeof(struct tcphdr); @@ -4848,7 +4848,7 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0) static int pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, - struct mbuf *m, struct pf_pdesc *pd, struct pf_krule **am, + struct pf_pdesc *pd, struct pf_krule **am, struct pf_kruleset **rsm, struct inpcb *inp) { struct pf_krule *nr = NULL; @@ -4938,7 +4938,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); /* check packet for BINAT/NAT/RDR */ - transerror = pf_get_translation(pd, m, pd->off, &nsn, &sk, + transerror = pf_get_translation(pd, pd->off, &nsn, &sk, &nk, saddr, daddr, sport, dport, anchor_stack, &nr, &udp_mapping); switch (transerror) { default: @@ -4953,7 +4953,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, KASSERT(nk != NULL, ("%s: null nk", __func__)); if (nr->log) { - PFLOG_PACKET(m, PF_PASS, PFRES_MATCH, nr, a, + PFLOG_PACKET(PF_PASS, PFRES_MATCH, nr, a, ruleset, pd, 1); } @@ -4967,7 +4967,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, if (PF_ANEQ(saddr, &nk->addr[pd->sidx], pd->af) || nk->port[pd->sidx] != sport) { - pf_change_ap(m, saddr, &th->th_sport, pd->ip_sum, + pf_change_ap(pd->m, saddr, &th->th_sport, pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx], nk->port[pd->sidx], 0, pd->af); pd->sport = &th->th_sport; 
@@ -4976,7 +4976,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, if (PF_ANEQ(daddr, &nk->addr[pd->didx], pd->af) || nk->port[pd->didx] != dport) { - pf_change_ap(m, daddr, &th->th_dport, pd->ip_sum, + pf_change_ap(pd->m, daddr, &th->th_dport, pd->ip_sum, &th->th_sum, &nk->addr[pd->didx], nk->port[pd->didx], 0, pd->af); dport = th->th_dport; @@ -4990,7 +4990,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, if (PF_ANEQ(saddr, &nk->addr[pd->sidx], pd->af) || nk->port[pd->sidx] != sport) { - pf_change_ap(m, saddr, &pd->hdr.udp.uh_sport, + pf_change_ap(pd->m, saddr, &pd->hdr.udp.uh_sport, pd->ip_sum, &pd->hdr.udp.uh_sum, &nk->addr[pd->sidx], nk->port[pd->sidx], 1, pd->af); @@ -5000,7 +5000,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, if (PF_ANEQ(daddr, &nk->addr[pd->didx], pd->af) || nk->port[pd->didx] != dport) { - pf_change_ap(m, daddr, &pd->hdr.udp.uh_dport, + pf_change_ap(pd->m, daddr, &pd->hdr.udp.uh_dport, pd->ip_sum, &pd->hdr.udp.uh_sum, &nk->addr[pd->didx], nk->port[pd->didx], 1, pd->af); @@ -5014,14 +5014,14 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, if (PF_ANEQ(saddr, &nk->addr[pd->sidx], pd->af) || nk->port[pd->sidx] != sport) { - pf_change_ap(m, saddr, &pd->hdr.sctp.src_port, + pf_change_ap(pd->m, saddr, &pd->hdr.sctp.src_port, pd->ip_sum, &checksum, &nk->addr[pd->sidx], nk->port[pd->sidx], 1, pd->af); } if (PF_ANEQ(daddr, &nk->addr[pd->didx], pd->af) || nk->port[pd->didx] != dport) { - pf_change_ap(m, daddr, &pd->hdr.sctp.dest_port, + pf_change_ap(pd->m, daddr, &pd->hdr.sctp.dest_port, pd->ip_sum, &checksum, &nk->addr[pd->didx], nk->port[pd->didx], 1, pd->af); @@ -5046,7 +5046,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, pd->hdr.icmp.icmp_id = nk->port[pd->sidx]; pd->sport = &pd->hdr.icmp.icmp_id; } - m_copyback(m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); + m_copyback(pd->m, pd->off, ICMP_MINLEN, (caddr_t)&pd->hdr.icmp); break; #endif /* INET */ #ifdef INET6 
@@ -5107,10 +5107,10 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, PF_TEST_ATTRIB(r->proto && r->proto != pd->proto, r->skip[PF_SKIP_PROTO]); PF_TEST_ATTRIB(PF_MISMATCHAW(&r->src.addr, saddr, pd->af, - r->src.neg, pd->kif, M_GETFIB(m)), + r->src.neg, pd->kif, M_GETFIB(pd->m)), r->skip[PF_SKIP_SRC_ADDR]); PF_TEST_ATTRIB(PF_MISMATCHAW(&r->dst.addr, daddr, pd->af, - r->dst.neg, NULL, M_GETFIB(m)), + r->dst.neg, NULL, M_GETFIB(pd->m)), r->skip[PF_SKIP_DST_ADDR]); switch (pd->virtual_proto) { case PF_VPROTO_FRAGMENT: @@ -5143,13 +5143,13 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, r->skip[PF_SKIP_DST_PORT]); /* tcp/udp only. uid.op always 0 in other cases */ PF_TEST_ATTRIB(r->uid.op && (pd->lookup.done || (pd->lookup.done = - pf_socket_lookup(pd, m), 1)) && + pf_socket_lookup(pd), 1)) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], pd->lookup.uid), TAILQ_NEXT(r, entries)); /* tcp/udp only. gid.op always 0 in other cases */ PF_TEST_ATTRIB(r->gid.op && (pd->lookup.done || (pd->lookup.done = - pf_socket_lookup(pd, m), 1)) && + pf_socket_lookup(pd), 1)) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], pd->lookup.gid), TAILQ_NEXT(r, entries)); 
@@ -5171,22 +5171,22 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, PF_TEST_ATTRIB(r->tos && !(r->tos == pd->tos), TAILQ_NEXT(r, entries)); PF_TEST_ATTRIB(r->prio && - !pf_match_ieee8021q_pcp(r->prio, m), + !pf_match_ieee8021q_pcp(r->prio, pd->m), TAILQ_NEXT(r, entries)); PF_TEST_ATTRIB(r->prob && r->prob <= arc4random(), TAILQ_NEXT(r, entries)); - PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(m, r, &tag, + PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, &tag, pd->pf_mtag ? pd->pf_mtag->tag : 0), TAILQ_NEXT(r, entries)); - PF_TEST_ATTRIB(r->rcv_kif && !pf_match_rcvif(m, r), + PF_TEST_ATTRIB(r->rcv_kif && !pf_match_rcvif(pd->m, r), TAILQ_NEXT(r, entries)); PF_TEST_ATTRIB((r->rule_flag & PFRULE_FRAGMENT && pd->virtual_proto != PF_VPROTO_FRAGMENT), TAILQ_NEXT(r, entries)); PF_TEST_ATTRIB(r->os_fingerprint != PF_OSFP_ANY && (pd->virtual_proto != IPPROTO_TCP || !pf_osfp_match( - pf_osfp_fingerprint(pd, m, th), + pf_osfp_fingerprint(pd, th), r->os_fingerprint)), TAILQ_NEXT(r, entries)); /* FALLTHROUGH */ @@ -5207,8 +5207,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, pf_counter_u64_critical_exit(); pf_rule_to_actions(r, &pd->act); if (r->log || pd->act.log & PF_LOG_MATCHES) - PFLOG_PACKET(m, - r->action, PFRES_MATCH, r, + PFLOG_PACKET(r->action, PFRES_MATCH, r, a, ruleset, pd, 1); } else { match = 1; @@ -5216,8 +5215,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, *am = a; *rsm = ruleset; if (pd->act.log & PF_LOG_MATCHES) - PFLOG_PACKET(m, - r->action, PFRES_MATCH, r, + PFLOG_PACKET(r->action, PFRES_MATCH, r, a, ruleset, pd, 1); } if ((*rm)->quick) @@ -5243,8 +5241,8 @@ nextrule: if (r->log || pd->act.log & PF_LOG_MATCHES) { if (rewrite) - m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any); - PFLOG_PACKET(m, r->action, reason, r, a, ruleset, pd, 1); + m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); + PFLOG_PACKET(r->action, reason, r, a, ruleset, pd, 1); } if (pd->virtual_proto != PF_VPROTO_FRAGMENT && 
@@ -5252,32 +5250,32 @@ nextrule: ((r->rule_flag & PFRULE_RETURNRST) || (r->rule_flag & PFRULE_RETURNICMP) || (r->rule_flag & PFRULE_RETURN))) { - pf_return(r, nr, pd, sk, m, th, bproto_sum, + pf_return(r, nr, pd, sk, th, bproto_sum, bip_sum, &reason, r->rtableid); } if (r->action == PF_DROP) goto cleanup; - if (tag > 0 && pf_tag_packet(m, pd, tag)) { + if (tag > 0 && pf_tag_packet(pd, tag)) { REASON_SET(&reason, PFRES_MEMORY); goto cleanup; } if (pd->act.rtableid >= 0) - M_SETFIB(m, pd->act.rtableid); + M_SETFIB(pd->m, pd->act.rtableid); if (pd->virtual_proto != PF_VPROTO_FRAGMENT && (!state_icmp && (r->keep_state || nr != NULL || (pd->flags & PFDESC_TCP_NORM)))) { int action; - action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m, + action = pf_create_state(r, nr, a, pd, nsn, nk, sk, sport, dport, &rewrite, sm, tag, bproto_sum, bip_sum, &match_rules, udp_mapping); if (action != PF_PASS) { pf_udp_mapping_release(udp_mapping); if (action == PF_DROP && (r->rule_flag & PFRULE_RETURN)) - pf_return(r, nr, pd, sk, m, th, + pf_return(r, nr, pd, sk, th, bproto_sum, bip_sum, &reason, pd->act.rtableid); return (action); @@ -5295,11 +5293,11 @@ nextrule: /* copy back packet headers if we performed NAT operations */ if (rewrite) - m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any); + m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); if (*sm != NULL && !((*sm)->state_flags & PFSTATE_NOSYNC) && pd->dir == PF_OUT && - V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, m)) + V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, pd->m)) /* * We want the state created, but we dont * want to send this in case a partner 
@@ -5326,7 +5324,7 @@ cleanup: static int pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, struct pf_pdesc *pd, struct pf_ksrc_node *nsn, struct pf_state_key *nk, - struct pf_state_key *sk, struct mbuf *m, u_int16_t sport, + struct pf_state_key *sk, u_int16_t sport, u_int16_t dport, int *rewrite, struct pf_kstate **sm, int tag, u_int16_t bproto_sum, u_int16_t bip_sum, struct pf_krule_slist *match_rules, struct pf_udp_mapping *udp_mapping) @@ -5397,14 +5395,14 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) == 0) s->src.seqdiff = 1; - pf_change_proto_a(m, &th->th_seq, &th->th_sum, + pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(s->src.seqlo + s->src.seqdiff), 0); *rewrite = 1; } else s->src.seqdiff = 0; if (th->th_flags & TH_SYN) { s->src.seqhi++; - s->src.wscale = pf_get_wscale(m, pd); + s->src.wscale = pf_get_wscale(pd); } s->src.max_win = MAX(ntohs(th->th_win), 1); if (s->src.wscale & PF_WSCALE_MASK) { @@ -5464,12 +5462,12 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, } if (pd->proto == IPPROTO_TCP) { if (s->state_flags & PFSTATE_SCRUB_TCP && - pf_normalize_tcp_init(m, pd, th, &s->src, &s->dst)) { + pf_normalize_tcp_init(pd, th, &s->src, &s->dst)) { REASON_SET(&reason, PFRES_MEMORY); goto csfailed; } if (s->state_flags & PFSTATE_SCRUB_TCP && s->src.scrub && - pf_normalize_tcp_stateful(m, pd, &reason, th, s, + pf_normalize_tcp_stateful(pd, &reason, th, s, &s->src, &s->dst, rewrite)) { /* This really shouldn't happen!!! */ DPFPRINTF(PF_DEBUG_URGENT, @@ -5478,7 +5476,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, goto csfailed; } } else if (pd->proto == IPPROTO_SCTP) { - if (pf_normalize_sctp_init(m, pd, &s->src, &s->dst)) + if (pf_normalize_sctp_init(pd, &s->src, &s->dst)) goto csfailed; if (! (pd->sctp_flags & (PFDESC_SCTP_INIT | PFDESC_SCTP_ADD_IP))) goto csfailed; 
@@ -5491,7 +5489,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, if (nr == NULL) { KASSERT((sk == NULL && nk == NULL), ("%s: nr %p sk %p, nk %p", __func__, nr, sk, nk)); - sk = pf_state_key_setup(pd, m, pd->src, pd->dst, sport, dport); + sk = pf_state_key_setup(pd, pd->src, pd->dst, sport, dport); if (sk == NULL) goto csfailed; nk = sk; @@ -5528,12 +5526,12 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, *pd->proto_sum = bproto_sum; if (pd->ip_sum) *pd->ip_sum = bip_sum; - m_copyback(m, pd->off, pd->hdrlen, pd->hdr.any); + m_copyback(pd->m, pd->off, pd->hdrlen, pd->hdr.any); } s->src.seqhi = htonl(arc4random()); /* Find mss option */ - int rtid = M_GETFIB(m); - mss = pf_get_mss(m, pd); + int rtid = M_GETFIB(pd->m); + mss = pf_get_mss(pd); mss = pf_calc_mss(pd->src, pd->af, rtid, mss); mss = pf_calc_mss(pd->dst, pd->af, rtid, mss); s->src.mss = mss; @@ -5592,8 +5590,8 @@ drop: } static int -pf_tcp_track_full(struct pf_kstate **state, struct mbuf *m, - struct pf_pdesc *pd, u_short *reason, int *copyback) +pf_tcp_track_full(struct pf_kstate **state, struct pf_pdesc *pd, + u_short *reason, int *copyback) { struct tcphdr *th = &pd->hdr.tcp; struct pf_state_peer *src, *dst; @@ -5632,7 +5630,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct mbuf *m, if (((*state)->state_flags & PFSTATE_SCRUB_TCP || dst->scrub) && src->scrub == NULL) { - if (pf_normalize_tcp_init(m, pd, th, src, dst)) { + if (pf_normalize_tcp_init(pd, th, src, dst)) { REASON_SET(reason, PFRES_MEMORY); return (PF_DROP); } 
@@ -5644,9 +5642,9 @@ pf_tcp_track_full(struct pf_kstate **state, struct mbuf *m, while ((src->seqdiff = arc4random() - seq) == 0) ; ack = ntohl(th->th_ack) - dst->seqdiff; - pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq + + pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq + src->seqdiff), 0); - pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0); + pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0); *copyback = 1; } else { ack = ntohl(th->th_ack); @@ -5656,7 +5654,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct mbuf *m, if (th->th_flags & TH_SYN) { end++; if (dst->wscale & PF_WSCALE_FLAG) { - src->wscale = pf_get_wscale(m, pd); + src->wscale = pf_get_wscale(pd); if (src->wscale & PF_WSCALE_FLAG) { /* Remove scale factor from initial * window */ @@ -5697,9 +5695,9 @@ pf_tcp_track_full(struct pf_kstate **state, struct mbuf *m, ack = ntohl(th->th_ack) - dst->seqdiff; if (src->seqdiff) { /* Modulate sequence numbers */ - pf_change_proto_a(m, &th->th_seq, &th->th_sum, htonl(seq + + pf_change_proto_a(pd->m, &th->th_seq, &th->th_sum, htonl(seq + src->seqdiff), 0); - pf_change_proto_a(m, &th->th_ack, &th->th_sum, htonl(ack), 0); + pf_change_proto_a(pd->m, &th->th_ack, &th->th_sum, htonl(ack), 0); *copyback = 1; } end = seq + pd->p_len; @@ -5745,7 +5743,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct mbuf *m, * options anyway. */ if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) { - if (pf_modulate_sack(m, pd, th, dst)) + if (pf_modulate_sack(pd, th, dst)) *copyback = 1; } @@ -5763,7 +5761,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct mbuf *m, /* Require an exact/+1 sequence match on resets when possible */ if (dst->scrub || src->scrub) { - if (pf_normalize_tcp_stateful(m, pd, reason, th, + if (pf_normalize_tcp_stateful(pd, reason, th, *state, src, dst, copyback)) return (PF_DROP); } 
@@ -5863,7 +5861,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct mbuf *m, } if (dst->scrub || src->scrub) { - if (pf_normalize_tcp_stateful(m, pd, reason, th, + if (pf_normalize_tcp_stateful(pd, reason, th, *state, src, dst, copyback)) return (PF_DROP); } @@ -6112,8 +6110,8 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason) } static int -pf_test_state_tcp(struct pf_kstate **state, struct mbuf *m, - struct pf_pdesc *pd, u_short *reason) +pf_test_state_tcp(struct pf_kstate **state, struct pf_pdesc *pd, + u_short *reason) { struct pf_state_key_cmp key; struct tcphdr *th = &pd->hdr.tcp; @@ -6171,7 +6169,7 @@ pf_test_state_tcp(struct pf_kstate **state, struct mbuf *m, if (pf_tcp_track_sloppy(state, pd, reason) == PF_DROP) return (PF_DROP); } else { - if (pf_tcp_track_full(state, m, pd, reason, + if (pf_tcp_track_full(state, pd, reason, ©back) == PF_DROP) return (PF_DROP); } @@ -6182,13 +6180,13 @@ pf_test_state_tcp(struct pf_kstate **state, struct mbuf *m, if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) || nk->port[pd->sidx] != th->th_sport) - pf_change_ap(m, pd->src, &th->th_sport, + pf_change_ap(pd->m, pd->src, &th->th_sport, pd->ip_sum, &th->th_sum, &nk->addr[pd->sidx], nk->port[pd->sidx], 0, pd->af); if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) || nk->port[pd->didx] != th->th_dport) - pf_change_ap(m, pd->dst, &th->th_dport, + pf_change_ap(pd->m, pd->dst, &th->th_dport, pd->ip_sum, &th->th_sum, &nk->addr[pd->didx], nk->port[pd->didx], 0, pd->af); copyback = 1; 
@@ -6196,14 +6194,13 @@ pf_test_state_tcp(struct pf_kstate **state, struct mbuf *m, /* Copyback sequence modulation or stateful scrub changes if needed */ if (copyback) - m_copyback(m, pd->off, sizeof(*th), (caddr_t)th); + m_copyback(pd->m, pd->off, sizeof(*th), (caddr_t)th); return (PF_PASS); } static int -pf_test_state_udp(struct pf_kstate **state, struct mbuf *m, - struct pf_pdesc *pd) +pf_test_state_udp(struct pf_kstate **state, struct pf_pdesc *pd) { struct pf_state_peer *src, *dst; struct pf_state_key_cmp key; @@ -6258,24 +6255,24 @@ pf_test_state_udp(struct pf_kstate **state, struct mbuf *m, if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) || nk->port[pd->sidx] != uh->uh_sport) - pf_change_ap(m, pd->src, &uh->uh_sport, pd->ip_sum, + pf_change_ap(pd->m, pd->src, &uh->uh_sport, pd->ip_sum, &uh->uh_sum, &nk->addr[pd->sidx], nk->port[pd->sidx], 1, pd->af); if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) || nk->port[pd->didx] != uh->uh_dport) - pf_change_ap(m, pd->dst, &uh->uh_dport, pd->ip_sum, + pf_change_ap(pd->m, pd->dst, &uh->uh_dport, pd->ip_sum, &uh->uh_sum, &nk->addr[pd->didx], nk->port[pd->didx], 1, pd->af); - m_copyback(m, pd->off, sizeof(*uh), (caddr_t)uh); + m_copyback(pd->m, pd->off, sizeof(*uh), (caddr_t)uh); } return (PF_PASS); } static int -pf_test_state_sctp(struct pf_kstate **state, struct mbuf *m, - struct pf_pdesc *pd, u_short *reason) +pf_test_state_sctp(struct pf_kstate **state, struct pf_pdesc *pd, + u_short *reason) { struct pf_state_key_cmp key; struct pf_state_peer *src, *dst; *** 1556 LINES SKIPPED ***
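Review bot: in the pf_test_rule hunk at -5295 (after nextrule:), the call V_pfsync_defer_ptr(*sm, pd->m) passes the packet to the defer hook while pd->m still points at it. If the hook keeps the mbuf, as the comment under the call suggests, nothing visible here stops a later reader of pd from touching pd->m once the defer has succeeded. When m was a separate local, that hand-off was easier to see. Consider a short comment at this call stating that pd->m must not be used after a successful defer, or clear the field on that path.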
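Review bot: in the pf_create_state hunk at -5528, the touched line "int rtid = M_GETFIB(pd->m);" is still a declaration placed after statements (it follows the s->src.seqhi assignment and the "Find mss option" comment). Since the line is being rewritten anyway, move the declaration of rtid to the top of the enclosing block and keep only the assignment here, in line with style(9).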
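Review bot: the prototype hunks at -5592, -6112 and -6196 (pf_tcp_track_full, pf_test_state_tcp, pf_test_state_udp, pf_test_state_sctp) drop the struct mbuf *m parameter without documenting the invariant that replaces it. Every write in these functions, such as pf_change_ap(pd->m, ...) and m_copyback(pd->m, pd->off, ...), now lands in whatever chain pd->m names, so a caller that swaps its mbuf without updating pd would have header rewrites applied to the wrong buffer with no compile-time hint. Please state next to the m field in struct pf_pdesc that it must always refer to the packet that pd->off and pd->hdr describe, and consider a KASSERT(pd->m != NULL, ...) at the entry of the pf_test_state_* functions.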