git: f2064dd1f170 - main - pf: Fix duplicate storage of direction
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 12 Jul 2023 18:06:25 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=f2064dd1f170fc538ea078caba57cd6cd563eea3
commit f2064dd1f170fc538ea078caba57cd6cd563eea3
Author: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
AuthorDate: 2023-07-12 16:04:56 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-07-12 16:05:47 +0000
pf: Fix duplicate storage of direction
The variable storing the direction of a processed packet is passed
around to many functions. Most of those functions already have a pointer
to struct pf_pdesc which also contains the direction. By using the one
in struct pf_pdesc we can reduce the amount of arguments passed around.
Reviewed by: kp
Sponsored by: InnGames GmbH
Differential Revision: https://reviews.freebsd.org/D41008
---
sys/net/if_pflog.h | 4 +-
sys/net/pfvar.h | 14 +--
sys/netpfil/pf/if_pflog.c | 8 +-
sys/netpfil/pf/pf.c | 287 ++++++++++++++++++++++------------------------
sys/netpfil/pf/pf_lb.c | 22 ++--
sys/netpfil/pf/pf_norm.c | 38 +++---
6 files changed, 181 insertions(+), 192 deletions(-)
diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
index 443c1cc36cf6..508e9c77286d 100644
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
@@ -71,9 +71,9 @@ struct pf_ruleset;
struct pfi_kif;
struct pf_pdesc;
-#define PFLOG_PACKET(i,a,b,c,d,e,f,g,h,di) do { \
+#define PFLOG_PACKET(i,a,b,c,d,e,f,g,di) do { \
if (pflog_packet_ptr != NULL) \
- pflog_packet_ptr(i,a,b,c,d,e,f,g,h,di); \
+ pflog_packet_ptr(i,a,b,c,d,e,f,g,di); \
} while (0)
#endif /* _KERNEL */
#endif /* _NET_IF_PFLOG_H_ */
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 57b2383b1549..ed371f61a999 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1214,8 +1214,8 @@ void pf_state_export(struct pf_state_export *,
struct pf_kruleset;
struct pf_pdesc;
typedef int pflog_packet_t(struct pfi_kkif *, struct mbuf *, sa_family_t,
- u_int8_t, u_int8_t, struct pf_krule *, struct pf_krule *,
- struct pf_kruleset *, struct pf_pdesc *, int);
+ u_int8_t, struct pf_krule *, struct pf_krule *, struct pf_kruleset *,
+ struct pf_pdesc *, int);
extern pflog_packet_t *pflog_packet_ptr;
#endif /* _KERNEL */
@@ -2236,14 +2236,14 @@ int pf_test_eth(int, int, struct ifnet *, struct mbuf **, struct inpcb *);
#ifdef INET
int pf_test(int, int, struct ifnet *, struct mbuf **, struct inpcb *,
struct pf_rule_actions *);
-int pf_normalize_ip(struct mbuf **, int, struct pfi_kkif *, u_short *,
+int pf_normalize_ip(struct mbuf **, struct pfi_kkif *, u_short *,
struct pf_pdesc *);
#endif /* INET */
#ifdef INET6
int pf_test6(int, int, struct ifnet *, struct mbuf **, struct inpcb *,
struct pf_rule_actions *);
-int pf_normalize_ip6(struct mbuf **, int, struct pfi_kkif *, u_short *,
+int pf_normalize_ip6(struct mbuf **, struct pfi_kkif *, u_short *,
struct pf_pdesc *);
void pf_poolmask(struct pf_addr *, struct pf_addr*,
struct pf_addr *, struct pf_addr *, sa_family_t);
@@ -2271,7 +2271,7 @@ int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t);
void pf_normalize_init(void);
void pf_normalize_cleanup(void);
-int pf_normalize_tcp(int, struct pfi_kkif *, struct mbuf *, int, int, void *,
+int pf_normalize_tcp(struct pfi_kkif *, struct mbuf *, int, int, void *,
struct pf_pdesc *);
void pf_normalize_tcp_cleanup(struct pf_kstate *);
int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *,
@@ -2285,7 +2285,7 @@ void pf_purge_expired_fragments(void);
void pf_purge_fragments(uint32_t);
int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *,
int);
-int pf_socket_lookup(int, struct pf_pdesc *, struct mbuf *);
+int pf_socket_lookup(struct pf_pdesc *, struct mbuf *);
struct pf_state_key *pf_alloc_state_key(int);
void pfr_initialize(void);
void pfr_cleanup(void);
@@ -2472,7 +2472,7 @@ u_short pf_map_addr(u_int8_t, struct pf_krule *,
struct pf_addr *, struct pf_addr *,
struct pf_addr *, struct pf_ksrc_node **);
struct pf_krule *pf_get_translation(struct pf_pdesc *, struct mbuf *,
- int, int, struct pfi_kkif *, struct pf_ksrc_node **,
+ int, struct pfi_kkif *, struct pf_ksrc_node **,
struct pf_state_key **, struct pf_state_key **,
struct pf_addr *, struct pf_addr *,
uint16_t, uint16_t, struct pf_kanchor_stackframe *);
diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c
index 2f687e901a71..68f18b13bafe 100644
--- a/sys/netpfil/pf/if_pflog.c
+++ b/sys/netpfil/pf/if_pflog.c
@@ -217,7 +217,7 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
}
static int
-pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
+pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af,
u_int8_t reason, struct pf_krule *rm, struct pf_krule *am,
struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
{
@@ -254,7 +254,7 @@ pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
* These conditions are very very rare, however.
*/
if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe)
- pd->lookup.done = pf_socket_lookup(dir, pd, m);
+ pd->lookup.done = pf_socket_lookup(pd, m);
if (pd->lookup.done > 0)
hdr.uid = pd->lookup.uid;
else
@@ -262,10 +262,10 @@ pflog_packet(struct pfi_kkif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
hdr.pid = NO_PID;
hdr.rule_uid = rm->cuid;
hdr.rule_pid = rm->cpid;
- hdr.dir = dir;
+ hdr.dir = pd->dir;
#ifdef INET
- if (af == AF_INET && dir == PF_OUT) {
+ if (af == AF_INET && pd->dir == PF_OUT) {
struct ip *ip;
ip = mtod(m, struct ip *);
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index df015fd3347b..7c41be4b25fe 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -277,15 +277,15 @@ static int pf_state_key_ctor(void *, int, void *, int);
static u_int32_t pf_tcp_iss(struct pf_pdesc *);
void pf_rule_to_actions(struct pf_krule *,
struct pf_rule_actions *);
-static int pf_dummynet(struct pf_pdesc *, int, struct pf_kstate *,
+static int pf_dummynet(struct pf_pdesc *, struct pf_kstate *,
struct pf_krule *, struct mbuf **);
-static int pf_dummynet_route(struct pf_pdesc *, int,
+static int pf_dummynet_route(struct pf_pdesc *,
struct pf_kstate *, struct pf_krule *,
struct ifnet *, struct sockaddr *, struct mbuf **);
static int pf_test_eth_rule(int, struct pfi_kkif *,
struct mbuf **);
static int pf_test_rule(struct pf_krule **, struct pf_kstate **,
- int, struct pfi_kkif *, struct mbuf *, int,
+ struct pfi_kkif *, struct mbuf *, int,
struct pf_pdesc *, struct pf_krule **,
struct pf_kruleset **, struct inpcb *);
static int pf_create_state(struct pf_krule *, struct pf_krule *,
@@ -295,25 +295,24 @@ static int pf_create_state(struct pf_krule *, struct pf_krule *,
u_int16_t, u_int16_t, int *, struct pfi_kkif *,
struct pf_kstate **, int, u_int16_t, u_int16_t,
int, struct pf_krule_slist *);
-static int pf_test_fragment(struct pf_krule **, int,
- struct pfi_kkif *, struct mbuf *, void *,
- struct pf_pdesc *, struct pf_krule **,
- struct pf_kruleset **);
+static int pf_test_fragment(struct pf_krule **, struct pfi_kkif *,
+ struct mbuf *, void *, struct pf_pdesc *,
+ struct pf_krule **, struct pf_kruleset **);
static int pf_tcp_track_full(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
struct pf_pdesc *, u_short *, int *);
static int pf_tcp_track_sloppy(struct pf_kstate **,
struct pf_pdesc *, u_short *);
-static int pf_test_state_tcp(struct pf_kstate **, int,
+static int pf_test_state_tcp(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
-static int pf_test_state_udp(struct pf_kstate **, int,
+static int pf_test_state_udp(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *);
-static int pf_test_state_icmp(struct pf_kstate **, int,
+static int pf_test_state_icmp(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
-static int pf_test_state_other(struct pf_kstate **, int,
+static int pf_test_state_other(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, struct pf_pdesc *);
static u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t,
int, u_int16_t);
@@ -336,14 +335,14 @@ static void pf_mtag_free(struct m_tag *);
static void pf_packet_rework_nat(struct mbuf *, struct pf_pdesc *,
int, struct pf_state_key *);
#ifdef INET
-static void pf_route(struct mbuf **, struct pf_krule *, int,
+static void pf_route(struct mbuf **, struct pf_krule *,
struct ifnet *, struct pf_kstate *,
struct pf_pdesc *, struct inpcb *);
#endif /* INET */
#ifdef INET6
static void pf_change_a6(struct pf_addr *, u_int16_t *,
struct pf_addr *, u_int8_t);
-static void pf_route6(struct mbuf **, struct pf_krule *, int,
+static void pf_route6(struct mbuf **, struct pf_krule *,
struct ifnet *, struct pf_kstate *,
struct pf_pdesc *, struct inpcb *);
#endif /* INET6 */
@@ -356,10 +355,10 @@ extern struct proc *pf_purge_proc;
VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
-#define PACKET_UNDO_NAT(_m, _pd, _off, _s, _dir) \
+#define PACKET_UNDO_NAT(_m, _pd, _off, _s) \
do { \
struct pf_state_key *nk; \
- if ((_dir) == PF_OUT) \
+ if ((pd->dir) == PF_OUT) \
nk = (_s)->key[PF_SK_STACK]; \
else \
nk = (_s)->key[PF_SK_WIRE]; \
@@ -369,10 +368,10 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
#define PACKET_LOOPED(pd) ((pd)->pf_mtag && \
(pd)->pf_mtag->flags & PF_MTAG_FLAG_PACKET_LOOPED)
-#define STATE_LOOKUP(i, k, d, s, pd) \
+#define STATE_LOOKUP(i, k, s, pd) \
do { \
- (s) = pf_find_state((i), (k), (d)); \
- SDT_PROBE5(pf, ip, state, lookup, i, k, d, pd, (s)); \
+ (s) = pf_find_state((i), (k), (pd->dir)); \
+ SDT_PROBE5(pf, ip, state, lookup, i, k, (pd->dir), pd, (s)); \
if ((s) == NULL) \
return (PF_DROP); \
if (PACKET_LOOPED(pd)) \
@@ -3623,7 +3622,7 @@ pf_rule_to_actions(struct pf_krule *r, struct pf_rule_actions *a)
}
int
-pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)
+pf_socket_lookup(struct pf_pdesc *pd, struct mbuf *m)
{
struct pf_addr *saddr, *daddr;
u_int16_t sport, dport;
@@ -3647,7 +3646,7 @@ pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)
default:
return (-1);
}
- if (direction == PF_IN) {
+ if (pd->dir == PF_IN) {
saddr = pd->src;
daddr = pd->dst;
} else {
@@ -4175,9 +4174,9 @@ pf_test_eth_rule(int dir, struct pfi_kkif *kif, struct mbuf **m0)
}
static int
-pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
- struct pfi_kkif *kif, struct mbuf *m, int off, struct pf_pdesc *pd,
- struct pf_krule **am, struct pf_kruleset **rsm, struct inpcb *inp)
+pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
+ struct mbuf *m, int off, struct pf_pdesc *pd, struct pf_krule **am,
+ struct pf_kruleset **rsm, struct inpcb *inp)
{
struct pf_krule *nr = NULL;
struct pf_addr * const saddr = pd->src;
@@ -4262,13 +4261,13 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
/* check packet for BINAT/NAT/RDR */
- if ((nr = pf_get_translation(pd, m, off, direction, kif, &nsn, &sk,
+ if ((nr = pf_get_translation(pd, m, off, kif, &nsn, &sk,
&nk, saddr, daddr, sport, dport, anchor_stack)) != NULL) {
KASSERT(sk != NULL, ("%s: null sk", __func__));
KASSERT(nk != NULL, ("%s: null nk", __func__));
if (nr->log) {
- PFLOG_PACKET(kif, m, af, direction, PFRES_MATCH, nr, a,
+ PFLOG_PACKET(kif, m, af, PFRES_MATCH, nr, a,
ruleset, pd, 1);
}
@@ -4399,7 +4398,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
- else if (r->direction && r->direction != direction)
+ else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != af)
r = r->skip[PF_SKIP_AF].ptr;
@@ -4434,13 +4433,13 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
r = TAILQ_NEXT(r, entries);
/* tcp/udp only. uid.op always 0 in other cases */
else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
- pf_socket_lookup(direction, pd, m), 1)) &&
+ pf_socket_lookup(pd, m), 1)) &&
!pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
pd->lookup.uid))
r = TAILQ_NEXT(r, entries);
/* tcp/udp only. gid.op always 0 in other cases */
else if (r->gid.op && (pd->lookup.done || (pd->lookup.done =
- pf_socket_lookup(direction, pd, m), 1)) &&
+ pf_socket_lookup(pd, m), 1)) &&
!pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
pd->lookup.gid))
r = TAILQ_NEXT(r, entries);
@@ -4471,13 +4470,13 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
ri->r = r;
SLIST_INSERT_HEAD(&match_rules, ri, entry);
pf_counter_u64_critical_enter();
- pf_counter_u64_add_protected(&r->packets[direction == PF_OUT], 1);
- pf_counter_u64_add_protected(&r->bytes[direction == PF_OUT], pd->tot_len);
+ pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);
+ pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
pf_counter_u64_critical_exit();
pf_rule_to_actions(r, &pd->act);
if (r->log)
PFLOG_PACKET(kif, m, af,
- direction, PFRES_MATCH, r,
+ PFRES_MATCH, r,
a, ruleset, pd, 1);
} else {
match = 1;
@@ -4509,8 +4508,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
if (r->log) {
if (rewrite)
m_copyback(m, off, hdrlen, pd->hdr.any);
- PFLOG_PACKET(kif, m, af, direction, reason, r, a,
- ruleset, pd, 1);
+ PFLOG_PACKET(kif, m, af, reason, r, a, ruleset, pd, 1);
}
if ((r->action == PF_DROP) &&
@@ -4555,7 +4553,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
m_copyback(m, off, hdrlen, pd->hdr.any);
if (*sm != NULL && !((*sm)->state_flags & PFSTATE_NOSYNC) &&
- direction == PF_OUT &&
+ pd->dir == PF_OUT &&
V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, m))
/*
* We want the state created, but we dont
@@ -4846,7 +4844,7 @@ csfailed:
}
static int
-pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
+pf_test_fragment(struct pf_krule **rm, struct pfi_kkif *kif,
struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_krule **am,
struct pf_kruleset **rsm)
{
@@ -4869,7 +4867,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
- else if (r->direction && r->direction != direction)
+ else if (r->direction && r->direction != pd->dir)
r = r->skip[PF_SKIP_DIR].ptr;
else if (r->af && r->af != af)
r = r->skip[PF_SKIP_AF].ptr;
@@ -4915,13 +4913,13 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
ri->r = r;
SLIST_INSERT_HEAD(&match_rules, ri, entry);
pf_counter_u64_critical_enter();
- pf_counter_u64_add_protected(&r->packets[direction == PF_OUT], 1);
- pf_counter_u64_add_protected(&r->bytes[direction == PF_OUT], pd->tot_len);
+ pf_counter_u64_add_protected(&r->packets[pd->dir == PF_OUT], 1);
+ pf_counter_u64_add_protected(&r->bytes[pd->dir == PF_OUT], pd->tot_len);
pf_counter_u64_critical_exit();
pf_rule_to_actions(r, &pd->act);
if (r->log)
PFLOG_PACKET(kif, m, af,
- direction, PFRES_MATCH, r,
+ PFRES_MATCH, r,
a, ruleset, pd, 1);
} else {
match = 1;
@@ -4951,8 +4949,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
pf_rule_to_actions(r, &pd->act);
if (r->log)
- PFLOG_PACKET(kif, m, af, direction, reason, r, a,
- ruleset, pd, 1);
+ PFLOG_PACKET(kif, m, af, reason, r, a, ruleset, pd, 1);
if (r->action != PF_PASS)
return (PF_DROP);
@@ -5494,7 +5491,7 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason)
}
static int
-pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
+pf_test_state_tcp(struct pf_kstate **state, struct pfi_kkif *kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
u_short *reason)
{
@@ -5507,7 +5504,7 @@ pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
bzero(&key, sizeof(key));
key.af = pd->af;
key.proto = IPPROTO_TCP;
- if (direction == PF_IN) { /* wire side, straight */
+ if (pd->dir == PF_IN) { /* wire side, straight */
PF_ACPY(&key.addr[0], pd->src, key.af);
PF_ACPY(&key.addr[1], pd->dst, key.af);
key.port[0] = th->th_sport;
@@ -5519,9 +5516,9 @@ pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
key.port[0] = th->th_dport;
}
- STATE_LOOKUP(kif, &key, direction, *state, pd);
+ STATE_LOOKUP(kif, &key, *state, pd);
- if (direction == (*state)->direction) {
+ if (pd->dir == (*state)->direction) {
src = &(*state)->src;
dst = &(*state)->dst;
} else {
@@ -5585,7 +5582,7 @@ pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
}
static int
-pf_test_state_udp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
+pf_test_state_udp(struct pf_kstate **state, struct pfi_kkif *kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
@@ -5596,7 +5593,7 @@ pf_test_state_udp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
bzero(&key, sizeof(key));
key.af = pd->af;
key.proto = IPPROTO_UDP;
- if (direction == PF_IN) { /* wire side, straight */
+ if (pd->dir == PF_IN) { /* wire side, straight */
PF_ACPY(&key.addr[0], pd->src, key.af);
PF_ACPY(&key.addr[1], pd->dst, key.af);
key.port[0] = uh->uh_sport;
@@ -5608,9 +5605,9 @@ pf_test_state_udp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
key.port[0] = uh->uh_dport;
}
- STATE_LOOKUP(kif, &key, direction, *state, pd);
+ STATE_LOOKUP(kif, &key, *state, pd);
- if (direction == (*state)->direction) {
+ if (pd->dir == (*state)->direction) {
src = &(*state)->src;
dst = &(*state)->dst;
psrc = PF_PEER_SRC;
@@ -5657,7 +5654,7 @@ pf_test_state_udp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
}
static int
-pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
+pf_test_state_icmp(struct pf_kstate **state, struct pfi_kkif *kif,
struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
{
struct pf_addr *saddr = pd->src, *daddr = pd->dst;
@@ -5707,7 +5704,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
key.af = pd->af;
key.proto = pd->proto;
key.port[0] = key.port[1] = icmpid;
- if (direction == PF_IN) { /* wire side, straight */
+ if (pd->dir == PF_IN) { /* wire side, straight */
PF_ACPY(&key.addr[0], pd->src, key.af);
PF_ACPY(&key.addr[1], pd->dst, key.af);
} else { /* stack side, reverse */
@@ -5715,7 +5712,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
PF_ACPY(&key.addr[0], pd->dst, key.af);
}
- STATE_LOOKUP(kif, &key, direction, *state, pd);
+ STATE_LOOKUP(kif, &key, *state, pd);
(*state)->expire = time_uptime;
(*state)->timeout = PFTM_ICMP_ERROR_REPLY;
@@ -5795,8 +5792,8 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
pd2.af = pd->af;
/* Payload packet is from the opposite direction. */
- pd2.sidx = (direction == PF_IN) ? 1 : 0;
- pd2.didx = (direction == PF_IN) ? 0 : 1;
+ pd2.sidx = (pd->dir == PF_IN) ? 1 : 0;
+ pd2.didx = (pd->dir == PF_IN) ? 0 : 1;
switch (pd->af) {
#ifdef INET
case AF_INET:
@@ -5929,9 +5926,9 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
key.port[pd2.sidx] = th.th_sport;
key.port[pd2.didx] = th.th_dport;
- STATE_LOOKUP(kif, &key, direction, *state, pd);
+ STATE_LOOKUP(kif, &key, *state, pd);
- if (direction == (*state)->direction) {
+ if (pd->dir == (*state)->direction) {
src = &(*state)->dst;
dst = &(*state)->src;
} else {
@@ -6050,7 +6047,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
key.port[pd2.sidx] = uh.uh_sport;
key.port[pd2.didx] = uh.uh_dport;
- STATE_LOOKUP(kif, &key, direction, *state, pd);
+ STATE_LOOKUP(kif, &key, *state, pd);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@@ -6117,7 +6114,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
key.port[0] = key.port[1] = iih.icmp_id;
- STATE_LOOKUP(kif, &key, direction, *state, pd);
+ STATE_LOOKUP(kif, &key, *state, pd);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@@ -6169,7 +6166,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
key.port[0] = key.port[1] = iih.icmp6_id;
- STATE_LOOKUP(kif, &key, direction, *state, pd);
+ STATE_LOOKUP(kif, &key, *state, pd);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@@ -6212,7 +6209,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af);
key.port[0] = key.port[1] = 0;
- STATE_LOOKUP(kif, &key, direction, *state, pd);
+ STATE_LOOKUP(kif, &key, *state, pd);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
@@ -6261,7 +6258,7 @@ pf_test_state_icmp(struct pf_kstate **state, int direction, struct pfi_kkif *kif
}
static int
-pf_test_state_other(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
+pf_test_state_other(struct pf_kstate **state, struct pfi_kkif *kif,
struct mbuf *m, struct pf_pdesc *pd)
{
struct pf_state_peer *src, *dst;
@@ -6271,7 +6268,7 @@ pf_test_state_other(struct pf_kstate **state, int direction, struct pfi_kkif *ki
bzero(&key, sizeof(key));
key.af = pd->af;
key.proto = pd->proto;
- if (direction == PF_IN) {
+ if (pd->dir == PF_IN) {
PF_ACPY(&key.addr[0], pd->src, key.af);
PF_ACPY(&key.addr[1], pd->dst, key.af);
key.port[0] = key.port[1] = 0;
@@ -6281,9 +6278,9 @@ pf_test_state_other(struct pf_kstate **state, int direction, struct pfi_kkif *ki
key.port[1] = key.port[0] = 0;
}
- STATE_LOOKUP(kif, &key, direction, *state, pd);
+ STATE_LOOKUP(kif, &key, *state, pd);
- if (direction == (*state)->direction) {
+ if (pd->dir == (*state)->direction) {
src = &(*state)->src;
dst = &(*state)->dst;
psrc = PF_PEER_SRC;
@@ -6437,7 +6434,7 @@ pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *kif,
#ifdef INET
static void
-pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
+pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp,
struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp)
{
struct mbuf *m0, *m1, *md;
@@ -6460,7 +6457,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
r_dir = r->direction;
}
- KASSERT(dir == PF_IN || dir == PF_OUT ||
+ KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT ||
r_dir == PF_IN || r_dir == PF_OUT, ("%s: invalid direction",
__func__));
@@ -6502,8 +6499,8 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
}
}
} else {
- if ((r_rt == PF_REPLYTO) == (r_dir == dir)) {
- pf_dummynet(pd, dir, s, r, m);
+ if ((r_rt == PF_REPLYTO) == (r_dir == pd->dir)) {
+ pf_dummynet(pd, s, r, m);
if (s)
PF_STATE_UNLOCK(s);
return;
@@ -6545,7 +6542,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
if (ifp == NULL)
goto bad;
- if (dir == PF_IN) {
+ if (pd->dir == PF_IN) {
if (pf_test(PF_OUT, 0, ifp, &m0, inp, &pd->act) != PF_PASS)
goto bad;
else if (m0 == NULL)
@@ -6591,7 +6588,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
m_clrprotoflags(m0); /* Avoid confusing lower layers. */
md = m0;
- error = pf_dummynet_route(pd, dir, s, r, ifp, sintosa(&dst), &md);
+ error = pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md);
if (md != NULL)
error = (*ifp->if_output)(ifp, md, sintosa(&dst), NULL);
goto done;
@@ -6605,7 +6602,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
if (s && pd->nat_rule != NULL)
PACKET_UNDO_NAT(m0, pd,
(ip->ip_hl << 2) + (ip_off & IP_OFFMASK),
- s, dir);
+ s);
icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0,
ifp->if_mtu);
@@ -6624,7 +6621,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
if (error == 0) {
m_clrprotoflags(m0);
md = m0;
- error = pf_dummynet_route(pd, dir, s, r, ifp,
+ error = pf_dummynet_route(pd, s, r, ifp,
sintosa(&dst), &md);
if (md != NULL)
error = (*ifp->if_output)(ifp, md,
@@ -6652,7 +6649,7 @@ bad:
#ifdef INET6
static void
-pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
+pf_route6(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp,
struct pf_kstate *s, struct pf_pdesc *pd, struct inpcb *inp)
{
struct mbuf *m0, *md;
@@ -6673,7 +6670,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
r_dir = r->direction;
}
- KASSERT(dir == PF_IN || dir == PF_OUT ||
+ KASSERT(pd->dir == PF_IN || pd->dir == PF_OUT ||
r_dir == PF_IN || r_dir == PF_OUT, ("%s: invalid direction",
__func__));
@@ -6715,8 +6712,8 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
}
}
} else {
- if ((r_rt == PF_REPLYTO) == (r_dir == dir)) {
- pf_dummynet(pd, dir, s, r, m);
+ if ((r_rt == PF_REPLYTO) == (r_dir == pd->dir)) {
+ pf_dummynet(pd, s, r, m);
if (s)
PF_STATE_UNLOCK(s);
return;
@@ -6761,7 +6758,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
if (ifp == NULL)
goto bad;
- if (dir == PF_IN) {
+ if (pd->dir == PF_IN) {
if (pf_test6(PF_OUT, 0, ifp, &m0, inp, &pd->act) != PF_PASS)
goto bad;
else if (m0 == NULL)
@@ -6793,7 +6790,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
dst.sin6_addr.s6_addr16[1] = htons(ifp->if_index);
if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) {
md = m0;
- pf_dummynet_route(pd, dir, s, r, ifp, sintosa(&dst), &md);
+ pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md);
if (md != NULL)
nd6_output_ifp(ifp, ifp, md, &dst, NULL);
}
@@ -6803,7 +6800,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
if (s && pd->nat_rule != NULL)
PACKET_UNDO_NAT(m0, pd,
((caddr_t)ip6 - m0->m_data) +
- sizeof(struct ip6_hdr), s, dir);
+ sizeof(struct ip6_hdr), s);
icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu);
} else
@@ -6958,9 +6955,8 @@ pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t a
}
static bool
-pf_pdesc_to_dnflow(int dir, const struct pf_pdesc *pd,
- const struct pf_krule *r, const struct pf_kstate *s,
- struct ip_fw_args *dnflow)
+pf_pdesc_to_dnflow(const struct pf_pdesc *pd, const struct pf_krule *r,
+ const struct pf_kstate *s, struct ip_fw_args *dnflow)
{
int dndir = r->direction;
@@ -6969,7 +6965,7 @@ pf_pdesc_to_dnflow(int dir, const struct pf_pdesc *pd,
} else if (dndir == PF_INOUT) {
/* Assume primary direction. Happens when we've set dnpipe in
* the ethernet level code. */
- dndir = dir;
+ dndir = pd->dir;
}
memset(dnflow, 0, sizeof(*dnflow));
@@ -6979,15 +6975,15 @@ pf_pdesc_to_dnflow(int dir, const struct pf_pdesc *pd,
if (pd->sport != NULL)
dnflow->f_id.src_port = ntohs(*pd->sport);
- if (dir == PF_IN)
+ if (pd->dir == PF_IN)
dnflow->flags |= IPFW_ARGS_IN;
else
dnflow->flags |= IPFW_ARGS_OUT;
- if (dir != dndir && pd->act.dnrpipe) {
+ if (pd->dir != dndir && pd->act.dnrpipe) {
dnflow->rule.info = pd->act.dnrpipe;
}
- else if (dir == dndir && pd->act.dnpipe) {
+ else if (pd->dir == dndir && pd->act.dnpipe) {
dnflow->rule.info = pd->act.dnpipe;
}
else {
@@ -7052,14 +7048,14 @@ pf_test_eth(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
}
static int
-pf_dummynet(struct pf_pdesc *pd, int dir, struct pf_kstate *s,
+pf_dummynet(struct pf_pdesc *pd, struct pf_kstate *s,
struct pf_krule *r, struct mbuf **m0)
{
- return (pf_dummynet_route(pd, dir, s, r, NULL, NULL, m0));
+ return (pf_dummynet_route(pd, s, r, NULL, NULL, m0));
}
static int
-pf_dummynet_route(struct pf_pdesc *pd, int dir, struct pf_kstate *s,
+pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s,
struct pf_krule *r, struct ifnet *ifp, struct sockaddr *sa,
struct mbuf **m0)
{
@@ -7105,7 +7101,7 @@ pf_dummynet_route(struct pf_pdesc *pd, int dir, struct pf_kstate *s,
sizeof(struct sockaddr_in6));
}
- if (pf_pdesc_to_dnflow(dir, pd, r, s, &dnflow)) {
+ if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) {
pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET;
ip_dn_io_ptr(m0, &dnflow);
if (*m0 != NULL) {
@@ -7213,6 +7209,14 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
return (PF_PASS);
}
+ pd.sport = pd.dport = NULL;
+ pd.proto_sum = NULL;
+ pd.dir = dir;
+ pd.sidx = (dir == PF_IN) ? 0 : 1;
+ pd.didx = (dir == PF_IN) ? 1 : 0;
+ pd.af = AF_INET;
+ pd.act.rtableid = -1;
+
if (__predict_false(ip_divert_ptr != NULL) &&
((ipfwtag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL)) != NULL)) {
struct ipfw_rule_ref *rr = (struct ipfw_rule_ref *)(ipfwtag+1);
@@ -7229,7 +7233,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
m->m_flags |= M_FASTFWD_OURS;
pd.pf_mtag->flags &= ~PF_MTAG_FLAG_FASTFWD_OURS_PRESENT;
}
- } else if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
+ } else if (pf_normalize_ip(m0, kif, &reason, &pd) != PF_PASS) {
/* We do IP header normalization and packet reassembly here */
action = PF_DROP;
goto done;
@@ -7247,22 +7251,14 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
pd.src = (struct pf_addr *)&h->ip_src;
pd.dst = (struct pf_addr *)&h->ip_dst;
- pd.sport = pd.dport = NULL;
pd.ip_sum = &h->ip_sum;
- pd.proto_sum = NULL;
pd.proto = h->ip_p;
- pd.dir = dir;
- pd.sidx = (dir == PF_IN) ? 0 : 1;
- pd.didx = (dir == PF_IN) ? 1 : 0;
- pd.af = AF_INET;
pd.tos = h->ip_tos & ~IPTOS_ECN_MASK;
pd.tot_len = ntohs(h->ip_len);
- pd.act.rtableid = -1;
/* handle fragments that didn't get reassembled by normalization */
if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
- action = pf_test_fragment(&r, dir, kif, m, h,
- &pd, &a, &ruleset);
+ action = pf_test_fragment(&r, kif, m, h, &pd, &a, &ruleset);
goto done;
}
@@ -7289,11 +7285,10 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
if ((pd.hdr.tcp.th_flags & TH_ACK) && pd.p_len == 0)
pqid = 1;
- action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
+ action = pf_normalize_tcp(kif, m, 0, off, h, &pd);
if (action == PF_DROP)
goto done;
- action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
- &reason);
+ action = pf_test_state_tcp(&s, kif, m, off, h, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@@ -7319,8 +7314,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
m_freem(msyn);
if (action == PF_PASS) {
- action = pf_test_state_tcp(&s, dir,
- kif, m, off, h, &pd, &reason);
+ action = pf_test_state_tcp(&s, kif, m,
+ off, h, &pd, &reason);
if (action != PF_PASS || s == NULL) {
action = PF_DROP;
break;
@@ -7340,7 +7335,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
break;
}
else {
- action = pf_test_rule(&r, &s, dir, kif, m, off,
+ action = pf_test_rule(&r, &s, kif, m, off,
&pd, &a, &ruleset, inp);
}
}
@@ -7368,7 +7363,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
REASON_SET(&reason, PFRES_SHORT);
goto done;
}
- action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
+ action = pf_test_state_udp(&s, kif, m, off, h, &pd);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@@ -7376,7 +7371,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
a = s->anchor.ptr;
log = s->log;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
+ action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp);
break;
}
@@ -7388,8 +7383,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
log = PF_LOG_FORCE;
goto done;
}
- action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
- &reason);
+ action = pf_test_state_icmp(&s, kif, m, off, h, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@@ -7397,7 +7391,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
a = s->anchor.ptr;
log = s->log;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
+ action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp);
break;
}
@@ -7412,7 +7406,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
#endif
default:
- action = pf_test_state_other(&s, dir, kif, m, &pd);
+ action = pf_test_state_other(&s, kif, m, &pd);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@@ -7420,7 +7414,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
a = s->anchor.ptr;
log = s->log;
} else if (s == NULL)
- action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
+ action = pf_test_rule(&r, &s, kif, m, off, &pd,
&a, &ruleset, inp);
break;
}
@@ -7574,13 +7568,13 @@ done:
lr = r;
if (log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
- PFLOG_PACKET(kif, m, AF_INET, dir, reason, lr, a,
- ruleset, &pd, (s == NULL));
+ PFLOG_PACKET(kif, m, AF_INET, reason, lr, a, ruleset,
+ &pd, (s == NULL));
if (s) {
SLIST_FOREACH(ri, &s->match_rules, entry)
if (ri->r->log & PF_LOG_ALL)
- PFLOG_PACKET(kif, m, AF_INET, dir,
- reason, ri->r, a, ruleset, &pd, 0);
+ PFLOG_PACKET(kif, m, AF_INET, reason,
+ ri->r, a, ruleset, &pd, 0);
}
}
@@ -7664,10 +7658,10 @@ done:
default:
/* pf_route() returns unlocked. */
if (rt) {
- pf_route(m0, r, dir, kif->pfik_ifp, s, &pd, inp);
+ pf_route(m0, r, kif->pfik_ifp, s, &pd, inp);
return (action);
}
- if (pf_dummynet(&pd, dir, s, r, m0) != 0) {
+ if (pf_dummynet(&pd, s, r, m0) != 0) {
action = PF_DROP;
REASON_SET(&reason, PFRES_MEMORY);
}
@@ -7774,8 +7768,17 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
return (PF_PASS);
}
+ pd.sport = pd.dport = NULL;
+ pd.ip_sum = NULL;
+ pd.proto_sum = NULL;
+ pd.dir = dir;
+ pd.sidx = (dir == PF_IN) ? 0 : 1;
+ pd.didx = (dir == PF_IN) ? 1 : 0;
+ pd.af = AF_INET6;
+ pd.act.rtableid = -1;
+
/* We do IP header normalization and packet reassembly here */
- if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
+ if (pf_normalize_ip6(m0, kif, &reason, &pd) != PF_PASS) {
action = PF_DROP;
goto done;
}
@@ -7794,24 +7797,16 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
pd.src = (struct pf_addr *)&h->ip6_src;
pd.dst = (struct pf_addr *)&h->ip6_dst;
- pd.sport = pd.dport = NULL;
- pd.ip_sum = NULL;
- pd.proto_sum = NULL;
- pd.dir = dir;
- pd.sidx = (dir == PF_IN) ? 0 : 1;
- pd.didx = (dir == PF_IN) ? 1 : 0;
- pd.af = AF_INET6;
pd.tos = IPV6_DSCP(h);
pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
- pd.act.rtableid = -1;
off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
pd.proto = h->ip6_nxt;
do {
switch (pd.proto) {
case IPPROTO_FRAGMENT:
- action = pf_test_fragment(&r, dir, kif, m, h,
- &pd, &a, &ruleset);
+ action = pf_test_fragment(&r, kif, m, h, &pd, &a,
+ &ruleset);
if (action == PF_DROP)
REASON_SET(&reason, PFRES_FRAG);
goto done;
@@ -7888,11 +7883,10 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
pd.p_len = pd.tot_len - off - (pd.hdr.tcp.th_off << 2);
pd.sport = &pd.hdr.tcp.th_sport;
pd.dport = &pd.hdr.tcp.th_dport;
- action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd);
+ action = pf_normalize_tcp(kif, m, 0, off, h, &pd);
if (action == PF_DROP)
goto done;
- action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
- &reason);
+ action = pf_test_state_tcp(&s, kif, m, off, h, &pd, &reason);
if (action == PF_PASS) {
if (V_pfsync_update_state_ptr != NULL)
V_pfsync_update_state_ptr(s);
@@ -7900,7 +7894,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
a = s->anchor.ptr;
log = s->log;
*** 308 LINES SKIPPED ***