Importing pfSense patch divert.RELENG_10.diff

2 files changed, 105 insertions, 52 deletions

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 76cfebc..0fcb0d7 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -90,6 +90,7 @@ __FBSDID("$FreeBSD$");
 #include <netpfil/ipfw/ip_fw_private.h> /* XXX: only for DIR_IN/DIR_OUT */
 #include <netinet/ip_fw.h>
 #include <netinet/ip_dummynet.h>
+#include <netinet/ip_divert.h>
 
 #ifdef INET6
 #include <netinet/ip6.h>
@@ -313,6 +314,14 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
 
 #define        PACKET_LOOPED(mtag)     ((mtag)->flags & PF_PACKET_LOOPED)
 
+#define	PF_DIVERT_MAXPACKETS_REACHED()			\
+do {							\
+	if (r->spare2 &&				\
+		s->packets[dir == PF_OUT] > r->spare2)	\
+		/* fake that divert already happened */	\
+		pd.pf_mtag->flags |= PF_PACKET_LOOPED;	\
+} while(0)
+
 #define	STATE_LOOKUP(i, k, d, s, pd)					\
 	do {								\
 		(s) = pf_find_state((i), (k), (d));			\
@@ -6128,6 +6137,8 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 	struct pf_pdesc		 pd;
 	int			 off = 0, dirndx, pqid = 0;
 	int                      loopedfrom = 0;
+	u_int16_t		 divertcookie = 0;
+	u_int8_t		 divflags = 0;
 	struct ip_fw_args        dnflow;
 
 	M_ASSERTPKTHDR(m);
@@ -6160,12 +6171,10 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 		pd.pf_mtag->flags |= PF_PACKET_LOOPED;
 		if (rr->info & IPFW_IS_DUMMYNET)
 			loopedfrom = 1;
-		if (rr->info & IPFW_IS_DIVERT && rr->rulenum == 0) {
-			if (pd.pf_mtag == NULL &&
-			    ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
-				action = PF_DROP;
-				goto done;
-			}
+		if (rr->info & IPFW_IS_DIVERT) {
+			divertcookie = rr->rulenum;
+			divflags = (u_int8_t)(divertcookie >> 8);
+			divertcookie &= ~PFSTATE_DIVERT_MASK;
 		}
 		if (pd.pf_mtag && pd.pf_mtag->flags & PF_FASTFWD_OURS_PRESENT) {
 			m->m_flags |= M_FASTFWD_OURS;
@@ -6332,6 +6341,17 @@ done:
 		    ("pf: dropping packet with ip options\n"));
 	}
 
+	if (s) {
+		PF_DIVERT_MAXPACKETS_REACHED();
+
+		if (divflags) {
+			s->divert_cookie = divertcookie;
+			s->local_flags |= divflags;
+		} else {
+			divertcookie = s->divert_cookie;
+			divflags = s->local_flags;
+		}
+	}
 	if (s && s->tag > 0 && pf_tag_packet(m, &pd, s->tag)) {
 		action = PF_DROP;
 		REASON_SET(&reason, PFRES_MEMORY);
@@ -6359,7 +6379,33 @@ done:
 	}
 #endif /* ALTQ */
 
-	if (s && (s->dnpipe || s->pdnpipe)) {
+	if (divflags & PFSTATE_DIVERT_TAG)
+		pd.pf_mtag->tag = divertcookie;
+	else if (divflags & PFSTATE_DIVERT_ALTQ)
+		pd.pf_mtag->qid = divertcookie;
+	else if (divflags & PFSTATE_DIVERT_ACTION) {
+		struct pf_rule *dlr;
+		action = PF_DROP;
+		if (s)
+			pf_unlink_state(s, PF_ENTER_LOCKED);
+		REASON_SET(&reason, PFRES_DIVERT);
+		log = 1;
+		DPFPRINTF(PF_DEBUG_MISC,
+			("pf: changing action to with overload from divert.\n"));
+		dlr = r;
+		PFLOG_PACKET(kif, m, AF_INET, dir, reason, dlr, a,
+			ruleset, &pd, (s == NULL));
+		m_freem(*m0);
+		*m0 = NULL;
+		/* NOTE: Fake this to avoid divert giving errors to the application. */
+		return (PF_PASS);
+	}
+
+	if (divflags & PFSTATE_DIVERT_DNCOOKIE) {
+		pd.act.dnpipe = divertcookie;
+		pd.act.pdnpipe = divertcookie;
+		pd.act.flags |= PFRULE_DN_IS_PIPE;
+	} else if (s && (s->dnpipe || s->pdnpipe)) {
 		pd.act.dnpipe = s->dnpipe;
 		pd.act.pdnpipe = s->pdnpipe;
 		pd.act.flags = s->state_flags;
@@ -6414,10 +6460,51 @@ done:
 				PF_STATE_UNLOCK(s);
 			return (action);
 		}
-	} else
-		pd.pf_mtag->flags &= ~PF_PACKET_LOOPED;
+	}
 continueprocessing:
 
+	if (action == PF_PASS && r->divert.port && ip_divert_ptr != NULL &&
+	    !PACKET_LOOPED(&pd)) {
+		if (!r->spare2 ||
+		    (s && s->packets[dir == PF_OUT] <= r->spare2)) {
+			ipfwtag = m_tag_alloc(MTAG_IPFW_RULE, 0,
+				sizeof(struct ipfw_rule_ref), M_NOWAIT | M_ZERO);
+			if (ipfwtag != NULL) {
+				((struct ipfw_rule_ref *)(ipfwtag+1))->info =
+					ntohs(r->divert.port);
+				((struct ipfw_rule_ref *)(ipfwtag+1))->rulenum = dir;
+
+				if (s)
+					PF_STATE_UNLOCK(s);
+
+				m_tag_prepend(m, ipfwtag);
+				if (m->m_flags & M_FASTFWD_OURS) {
+					if (pd.pf_mtag == NULL &&
+					    ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
+						action = PF_DROP;
+						REASON_SET(&reason, PFRES_MEMORY);
+						log = 1;
+						DPFPRINTF(PF_DEBUG_MISC,
+						   ("pf: failed to allocate tag\n"));
+					}
+					pd.pf_mtag->flags |= PF_FASTFWD_OURS_PRESENT;
+					m->m_flags &= ~M_FASTFWD_OURS;
+				}
+				ip_divert_ptr(*m0, dir ==  PF_IN ? DIR_IN : DIR_OUT);
+				*m0 = NULL;
+
+				return (action);
+			} else {
+				/* XXX: ipfw has the same behaviour! */
+				action = PF_DROP;
+				REASON_SET(&reason, PFRES_MEMORY);
+				log = 1;
+				DPFPRINTF(PF_DEBUG_MISC,
+				    ("pf: failed to allocate divert tag\n"));
+			}
+		}
+	}
+
 	/*
 	 * connections redirected to loopback should not match sockets
 	 * bound specifically to loopback due to security implications,
@@ -6427,51 +6514,15 @@ continueprocessing:
 	    pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
 	    (s->nat_rule.ptr->action == PF_RDR ||
 	    s->nat_rule.ptr->action == PF_BINAT) &&
-	    (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+	    (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
 		m->m_flags |= M_SKIP_FIREWALL;
 
-	if (action == PF_PASS && r->divert.port && ip_divert_ptr != NULL &&
-	    !PACKET_LOOPED(&pd)) {
-
-		ipfwtag = m_tag_alloc(MTAG_IPFW_RULE, 0,
-		    sizeof(struct ipfw_rule_ref), M_NOWAIT | M_ZERO);
-		if (ipfwtag != NULL) {
-			((struct ipfw_rule_ref *)(ipfwtag+1))->info =
-			    ntohs(r->divert.port);
-			((struct ipfw_rule_ref *)(ipfwtag+1))->rulenum = dir;
-
-			if (s)
-				PF_STATE_UNLOCK(s);
-
-			m_tag_prepend(m, ipfwtag);
-			if (m->m_flags & M_FASTFWD_OURS) {
-				if (pd.pf_mtag == NULL &&
-				    ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {
-					action = PF_DROP;
-					REASON_SET(&reason, PFRES_MEMORY);
-					log = 1;
-					DPFPRINTF(PF_DEBUG_MISC,
-					    ("pf: failed to allocate tag\n"));
-				} else {
-					pd.pf_mtag->flags |=
-					    PF_FASTFWD_OURS_PRESENT;
-					m->m_flags &= ~M_FASTFWD_OURS;
-				}
-			}
-			ip_divert_ptr(*m0, dir ==  PF_IN ? DIR_IN : DIR_OUT);
-			*m0 = NULL;
-
-			return (action);
-		} else {
-			/* XXX: ipfw has the same behaviour! */
-			action = PF_DROP;
-			REASON_SET(&reason, PFRES_MEMORY);
-			log = 1;
-			DPFPRINTF(PF_DEBUG_MISC,
-			    ("pf: failed to allocate divert tag\n"));
-		}
+		if (PACKET_LOOPED(pd.pf_mtag) && !loopedfrom)
+			m->m_flags |= M_FASTFWD_OURS;
 	}
 
+	pd.pf_mtag->flags &= ~PF_PACKET_LOOPED;
+
 	if (log) {
 		struct pf_rule *lr;
 
@@ -6605,7 +6656,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 
 	PF_RULES_RLOCK();
 
-	if (ip_dn_io_ptr != NULL &&
+	if (((ip_dn_io_ptr != NULL) || (ip_divert_ptr != NULL)) &&
 	    ((dn_tag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL)) != NULL)) {
 		struct ipfw_rule_ref *rr = (struct ipfw_rule_ref *)(dn_tag+1);
 		pd.pf_mtag->flags |= PF_PACKET_LOOPED;
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index e588eb1..5351786 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -126,7 +126,8 @@ enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 #define PFRES_MAXSTATES	12		/* State limit */
 #define PFRES_SRCLIMIT	13		/* Source node/conn limit */
 #define PFRES_SYNPROXY	14		/* SYN proxy */
-#define PFRES_MAX	15		/* total+1 */
+#define	PFRES_DIVERT    15              /* Divert override */
+#define PFRES_MAX	16		/* total+1 */
 
 #define PFRES_NAMES { \
 	"match", \
@@ -144,6 +145,7 @@ enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
 	"state-limit", \
 	"src-limit", \
 	"synproxy", \
+	"divert", \
 	NULL \
 }