377 	int direction, int *action)
380 		*action = PF_DROP;
381 		return (action);
390 		*action = PF_PASS;
391 		return (action);
399 		int action;						 \
405 		if (pf_state_lookup_aux(state, kif, direction, &action)) \
406 			return (action);				 \
1352 		(*sn)->ruletype = rule->action;
3354 		if (r->action == PF_BINAT && direction == PF_IN) {
3358 		} else if (r->action == PF_RDR && direction == PF_OUT) {
3426 	if (rm != NULL && (rm->action == PF_NONAT ||
3427 	    rm->action == PF_NORDR || rm->action == PF_NOBINAT))
3459 		switch (r->action) {
4417 	if ((r->action == PF_DROP) &&
4623 	if (r->action == PF_DROP)
4778 		    nr->action != PF_RDR &&
5264 	if (r->action == PF_NODUMMYNET) {
5433 	if (r->action != PF_PASS)
6322 	int dx, action, extfilter;
6390 	if (pf_state_lookup_aux(state, kif, direction, &action))
6391 		return (action);
6835 			int dx, action;
6906 			if (pf_state_lookup_aux(state, kif, direction, &action))
6907 				return (action);
7234 	int action;
7318 	if (pf_state_lookup_aux(state, kif, direction, &action))
7319 		return (action);
8053 	u_short			 action = PF_PASS, reason = 0, log = 0;
8111 		action = PF_DROP;
8123 	action = pf_normalize_ip(m0, dir, kif, &reason, &pd);
8125 	if (action != PF_PASS || pd.lmw < 0) {
8126 		action = PF_DROP;
8138 		action = PF_DROP;
8169 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8170 		if (action == PF_DROP || m == NULL) {
8172 			return (action);
8175 		action = pf_test_fragment(&r, dir, kif, m, h,
8186 		    &action, &reason, AF_INET)) {
8187 			log = action != PF_PASS;
8195 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8196 		if (action == PF_DROP || m == NULL) {
8198 			return (action);
8201 		action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
8205 		if (action == PF_DROP)
8207 		action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
8212 		if (action == PF_PASS) {
8220 			action = pf_test_rule(&r, &s, dir, kif,
8230 		    &action, &reason, AF_INET)) {
8231 			log = action != PF_PASS;
8237 			action = PF_DROP;
8243 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8244 		if (action == PF_DROP || m == NULL) {
8246 			return (action);
8249 		action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd,
8254 		if (action == PF_PASS) {
8262 			action = pf_test_rule(&r, &s, dir, kif,
8272 		    &action, &reason, AF_INET)) {
8273 			log = action != PF_PASS;
8278 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8279 		if (action == PF_DROP || m == NULL) {
8281 			return (action);
8284 		action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
8289 		if (action == PF_PASS) {
8297 			action = pf_test_rule(&r, &s, dir, kif,
8306 		if (!pf_pull_hdr(m, off, &esp, sizeof (esp), &action, &reason,
8308 			log = action != PF_PASS;
8313 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8314 		if (action == PF_DROP || m == NULL) {
8316 			return (action);
8319 		action = pf_test_state_esp(&s, dir, kif, off, &pd);
8323 		if (action == PF_PASS) {
8331 			action = pf_test_rule(&r, &s, dir, kif,
8339 		if (!pf_pull_hdr(m, off, &grev1, sizeof (grev1), &action,
8341 			log = (action != PF_PASS);
8346 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8347 		if (action == PF_DROP || m == NULL) {
8349 			return (action);
8356 				action = PF_DROP;
8361 			action = pf_test_state_grev1(&s, dir, kif, off, &pd);
8364 			if (action == PF_PASS) {
8373 				action = pf_test_rule(&r, &s, dir, kif, m, off,
8375 				if (action == PF_PASS)
8386 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8387 		if (action == PF_DROP || m == NULL) {
8389 			return (action);
8392 		action = pf_test_state_other(&s, dir, kif, &pd);
8396 		if (action == PF_PASS) {
8404 			action = pf_test_rule(&r, &s, dir, kif, m, off, h,
8413 	if (action == PF_PASS && h->ip_hl > 5 &&
8415 		action = PF_DROP;
8428 	if (action == PF_PASS) {
8454 	if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
8456 	    (s->nat_rule.ptr->action == PF_RDR ||
8457 	    s->nat_rule.ptr->action == PF_BINAT) &&
8473 	kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
8474 	kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
8476 	if (action == PF_PASS || r->action == PF_DROP) {
8530 			    pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
8535 			    pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
8544 			action = PF_DROP;
8547 		if (action == PF_DROP) {
8556 	if (action == PF_SYNPROXY_DROP) {
8559 		action = PF_PASS;
8564 	return (action);
8587 	u_short			 action = PF_PASS, reason = 0, log = 0;
8655 		action = PF_DROP;
8667 	action = pf_normalize_ip6(m0, dir, kif, &reason, &pd);
8669 	if (action != PF_PASS || pd.lmw < 0) {
8670 		action = PF_DROP;
8685 		action = PF_DROP;
8717 				action = PF_DROP;
8725 			action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8726 			if (action == PF_DROP || m == NULL) {
8728 				return (action);
8731 			action = pf_test_fragment(&r, dir, kif, m, h, &pd, &a,
8733 			if (action == PF_DROP) {
8753 				action = PF_DROP;
8782 		    &action, &reason, AF_INET6)) {
8783 			log = action != PF_PASS;
8789 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8790 		if (action == PF_DROP || m == NULL) {
8792 			return (action);
8795 		action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
8799 		if (action == PF_DROP)
8801 		action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
8806 		if (action == PF_PASS) {
8814 			action = pf_test_rule(&r, &s, dir, kif,
8824 		    &action, &reason, AF_INET6)) {
8825 			log = action != PF_PASS;
8831 			action = PF_DROP;
8837 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8838 		if (action == PF_DROP || m == NULL) {
8840 			return (action);
8843 		action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd,
8848 		if (action == PF_PASS) {
8856 			action = pf_test_rule(&r, &s, dir, kif,
8866 		    &action, &reason, AF_INET6)) {
8867 			log = action != PF_PASS;
8872 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8873 		if (action == PF_DROP || m == NULL) {
8875 			return (action);
8878 		action = pf_test_state_icmp(&s, dir, kif,
8883 		if (action == PF_PASS) {
8891 			action = pf_test_rule(&r, &s, dir, kif,
8900 		if (!pf_pull_hdr(m, off, &esp, sizeof (esp), &action, &reason,
8902 			log = action != PF_PASS;
8907 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8908 		if (action == PF_DROP || m == NULL) {
8910 			return (action);
8913 		action = pf_test_state_esp(&s, dir, kif, off, &pd);
8917 		if (action == PF_PASS) {
8925 			action = pf_test_rule(&r, &s, dir, kif,
8934 		if (!pf_pull_hdr(m, off, &grev1, sizeof (grev1), &action,
8936 			log = (action != PF_PASS);
8941 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8942 		if (action == PF_DROP || m == NULL) {
8944 			return (action);
8951 				action = PF_DROP;
8955 			action = pf_test_state_grev1(&s, dir, kif, off, &pd);
8959 			if (action == PF_PASS) {
8968 				action = pf_test_rule(&r, &s, dir, kif, m, off,
8970 				if (action == PF_PASS)
8981 		action = pf_test_dummynet(&r, dir, kif, &m, &pd, fwa);
8982 		if (action == PF_DROP || m == NULL) {
8984 			return (action);
8987 		action = pf_test_state_other(&s, dir, kif, &pd);
8991 		if (action == PF_PASS) {
8999 			action = pf_test_rule(&r, &s, dir, kif, m, off, h,
9014 	if (action == PF_PASS && rh_cnt &&
9016 		action = PF_DROP;
9027 	if (action == PF_PASS) {
9048 	if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
9050 	    (s->nat_rule.ptr->action == PF_RDR ||
9051 	    s->nat_rule.ptr->action == PF_BINAT) &&
9067 	kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
9068 	kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
9070 	if (action == PF_PASS || r->action == PF_DROP) {
9123 			    pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
9128 			    pd.tot_len, dir == PF_OUT, r->action == PF_PASS,
9133 	if (action == PF_SYNPROXY_DROP) {
9136 		action = PF_PASS;
9146 			action = PF_DROP;
9149 		if (action == PF_DROP) {
9158 	if (action == PF_SYNPROXY_DROP) {
9161 		action = PF_PASS;
9163 		if (action == PF_PASS) {
9173 	return (action);

Indexes created Tue Jun 11 21:59:41 MDT 2024