UnivNautes

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y

index 591db6b..01bc089 100644

--- a/sbin/pfctl/parse.y

+++ b/sbin/pfctl/parse.y

@@ -162,6 +162,7 @@ struct node_icmp {

 enum	{ PF_STATE_OPT_MAX, PF_STATE_OPT_NOSYNC, PF_STATE_OPT_SRCTRACK,

 	    PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN,

 	    PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES,

+	    PF_STATE_OPT_MAX_PACKETS, 

 	    PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK,

 	    PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY, };

@@ -173,6 +174,7 @@ struct node_state_opt {

 		u_int32_t	 max_states;

 		u_int32_t	 max_src_states;

 		u_int32_t	 max_src_conn;

+		u_int32_t	 max_packets;

 		struct {

 			u_int32_t	limit;

 			u_int32_t	seconds;

@@ -472,7 +474,7 @@ int	parseport(char *, struct range *r, int);

 %token	LOAD RULESET_OPTIMIZATION

 %token	STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE

 %token	MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY

-%token	TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS

+%token	TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS MAXPCKT

 %token	IEEE8021QPCP IEEE8021QSETPCP

 %token	DIVERTTO DIVERTREPLY

 %token	<v.string>		STRING

@@ -2132,6 +2134,14 @@ pfrule		: action dir logquick interface route af proto fromto

 					}

 					r.rule_flag |= PFRULE_NOSYNC;

 					break;

+				case PF_STATE_OPT_MAX_PACKETS:

+					if (o->data.max_packets == 0) {

+						yyerror("max_packets must be"

+							"greater than 0");

+						YYERROR;

+					}

+					r.spare2 = o->data.max_packets;

+					break;

 				case PF_STATE_OPT_SRCTRACK:

 					if (srctrack) {

 						yyerror("state option "

@@ -5667,6 +5677,7 @@ lookup(char *s)

 		{ "match",		MATCH},

 		{ "max",		MAXIMUM},

 		{ "max-mss",		MAXMSS},

+		{ "max-packets",	MAXPCKT},

 		{ "max-src-conn",	MAXSRCCONN},

 		{ "max-src-conn-rate",	MAXSRCCONNRATE},

 		{ "max-src-nodes",	MAXSRCNODES},

diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c

index 2612b11..735db95 100644

--- a/sbin/pfctl/pfctl_parser.c

+++ b/sbin/pfctl/pfctl_parser.c

@@ -969,6 +969,12 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)

 			printf("max-src-conn %u", r->max_src_conn);

 			opts = 0;

 		}

+		if (r->spare2) {

+                        if (!opts)

+                                printf(", ");

+                        printf("max-packets %u", r->spare2);

+                        opts = 0;

+		}

 		if (r->max_src_conn_rate.limit) {

 			if (!opts)

 				printf(", ");

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h

index 8ecb0d5..d8f6bbe 100644

--- a/sys/net/pfvar.h

+++ b/sys/net/pfvar.h

@@ -761,7 +761,13 @@ struct pf_state {

 	u_int64_t		 id;

 	u_int32_t		 creatorid;

 	u_int8_t		 direction;

-	u_int8_t		 pad[3];

+	u_int8_t		 pad[2];

+	u_int8_t		 local_flags;

+#define PFSTATE_DIVERT_ALTQ	0x10

+#define PFSTATE_DIVERT_DNCOOKIE 0x20

+#define PFSTATE_DIVERT_ACTION   0x40

+#define PFSTATE_DIVERT_TAG      0x80

+#define PFSTATE_DIVERT_MASK	0xFF00

 	u_int			 refs;

 	TAILQ_ENTRY(pf_state)	 sync_list;

@@ -788,6 +794,7 @@ struct pf_state {

 	u_int32_t		 pdnpipe;

 	u_int32_t		 dnpipe;

 	u_int16_t		 tag;

+	u_int16_t		 divert_cookie;

 	u_int8_t		 log;

 	u_int8_t		 state_flags;

 #define	PFSTATE_ALLOWOPTS	0x01

@@ -800,7 +807,7 @@ struct pf_state {

 	/* XXX */

 	u_int8_t		 sync_updates;

-	u_int8_t		_tail[3];

+	u_int8_t		_tail;

 };

 /*

diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c

index e698035..b74d60d 100644

--- a/sys/netinet/ip_divert.c

+++ b/sys/netinet/ip_divert.c

@@ -267,8 +267,7 @@ divert_packet(struct mbuf *m, int incoming)

 		 * this iface name will come along for the ride.

 		 * (see div_output for the other half of this.)

 		 */ 

-		strlcpy(divsrc.sin_zero, m->m_pkthdr.rcvif->if_xname,

-		    sizeof(divsrc.sin_zero));

+		*((u_short *)divsrc.sin_zero) = m->m_pkthdr.rcvif->if_index;

 	}

 	/* Put packet on socket queue, if any */

@@ -342,7 +341,7 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin,

 	/* Loopback avoidance and state recovery */

 	if (sin) {

-		int i;

+		u_short idx;

 		/* set the starting point. We provide a non-zero slot,

 		 * but a non_matching chain_id to skip that info and use

@@ -350,7 +349,7 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin,

 		 */

 		dt->slot = 1; /* dummy, chain_id is invalid */

 		dt->chain_id = 0;

-		dt->rulenum = sin->sin_port+1; /* host format ? */

+		dt->rulenum = sin->sin_port; /* host format ? */

 		dt->rule_id = 0;

 		/*

 		 * Find receive interface with the given name, stuffed

@@ -358,10 +357,9 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin,

 		 * The name is user supplied data so don't trust its size

 		 * or that it is zero terminated.

 		 */

-		for (i = 0; i < sizeof(sin->sin_zero) && sin->sin_zero[i]; i++)

-			;

-		if ( i > 0 && i < sizeof(sin->sin_zero))

-			m->m_pkthdr.rcvif = ifunit(sin->sin_zero);

+		idx = *((u_short *)sin->sin_zero);

+		if ( idx > 0 )

+			m->m_pkthdr.rcvif = ifnet_byindex(idx);

 	}

 	/* Reinject packet into the system as incoming or outgoing */

@@ -832,5 +830,4 @@ static moduledata_t ipdivertmod = {

 };

 DECLARE_MODULE(ipdivert, ipdivertmod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);

-MODULE_DEPEND(ipdivert, ipfw, 2, 2, 2);

 MODULE_VERSION(ipdivert, 1);

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c

index cb38fcb..4303676 100644

--- a/sys/netpfil/pf/pf.c

+++ b/sys/netpfil/pf/pf.c

@@ -90,6 +90,7 @@ __FBSDID("$FreeBSD$");

 #include <netpfil/ipfw/ip_fw_private.h> /* XXX: only for DIR_IN/DIR_OUT */

 #include <netinet/ip_fw.h>

 #include <netinet/ip_dummynet.h>

+#include <netinet/ip_divert.h>

 #ifdef INET6

 #include <netinet/ip6.h>

@@ -316,6 +317,14 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);

 #define        PACKET_LOOPED(mtag)     ((mtag)->flags & PF_PACKET_LOOPED)

+#define	PF_DIVERT_MAXPACKETS_REACHED()			\

+do {							\

+	if (r->spare2 &&				\

+		s->packets[dir == PF_OUT] > r->spare2)	\

+		/* fake that divert already happened */	\

+		pd.pf_mtag->flags |= PF_PACKET_LOOPED;	\

+} while(0)

+

 #define	STATE_LOOKUP(i, k, d, s, pd)					\

 	do {								\

 		(s) = pf_find_state((i), (k), (d));			\

@@ -6069,6 +6078,8 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)

 	struct pf_pdesc		 pd;

 	int			 off = 0, dirndx, pqid = 0;

 	int                      loopedfrom = 0;

+	u_int16_t		 divertcookie = 0;

+	u_int8_t		 divflags = 0;

 	struct ip_fw_args        dnflow;

 	M_ASSERTPKTHDR(m);

@@ -6101,12 +6112,10 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)

 		pd.pf_mtag->flags |= PF_PACKET_LOOPED;

 		if (rr->info & IPFW_IS_DUMMYNET)

 			loopedfrom = 1;

-		if (rr->info & IPFW_IS_DIVERT && rr->rulenum == 0) {

-			if (pd.pf_mtag == NULL &&

-			    ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {

-				action = PF_DROP;

-				goto done;

-			}

+		if (rr->info & IPFW_IS_DIVERT) {

+			divertcookie = rr->rulenum;

+			divflags = (u_int8_t)(divertcookie >> 8);

+			divertcookie &= ~PFSTATE_DIVERT_MASK;

 		}

 		if (pd.pf_mtag && pd.pf_mtag->flags & PF_FASTFWD_OURS_PRESENT) {

 			m->m_flags |= M_FASTFWD_OURS;

@@ -6273,6 +6282,17 @@ done:

 		    ("pf: dropping packet with ip options\n"));

 	}

+	if (s) {

+		PF_DIVERT_MAXPACKETS_REACHED();

+

+		if (divflags) {

+			s->divert_cookie = divertcookie;

+			s->local_flags |= divflags;

+		} else {

+			divertcookie = s->divert_cookie;

+			divflags = s->local_flags;

+		}

+	}

 	if (s && s->tag > 0 && pf_tag_packet(m, &pd, s->tag)) {

 		action = PF_DROP;

 		REASON_SET(&reason, PFRES_MEMORY);

@@ -6300,7 +6320,33 @@ done:

 	}

 #endif /* ALTQ */

-	if (s && (s->dnpipe || s->pdnpipe)) {

+	if (divflags & PFSTATE_DIVERT_TAG)

+		pd.pf_mtag->tag = divertcookie;

+	else if (divflags & PFSTATE_DIVERT_ALTQ)

+		pd.pf_mtag->qid = divertcookie;

+	else if (divflags & PFSTATE_DIVERT_ACTION) {

+		struct pf_rule *dlr;

+		action = PF_DROP;

+		if (s)

+			pf_unlink_state(s, PF_ENTER_LOCKED);

+		REASON_SET(&reason, PFRES_DIVERT);

+		log = 1;

+		DPFPRINTF(PF_DEBUG_MISC,

+			("pf: changing action to with overload from divert.\n"));

+		dlr = r;

+		PFLOG_PACKET(kif, m, AF_INET, dir, reason, dlr, a,

+			ruleset, &pd, (s == NULL));

+		m_freem(*m0);

+		*m0 = NULL;

+		/* NOTE: Fake this to avoid divert giving errors to the application. */

+		return (PF_PASS);

+	}

+

+	if (divflags & PFSTATE_DIVERT_DNCOOKIE) {

+		pd.act.dnpipe = divertcookie;

+		pd.act.pdnpipe = divertcookie;

+		pd.act.flags |= PFRULE_DN_IS_PIPE;

+	} else if (s && (s->dnpipe || s->pdnpipe)) {

 		pd.act.dnpipe = s->dnpipe;

 		pd.act.pdnpipe = s->pdnpipe;

 		pd.act.flags = s->state_flags;

@@ -6355,10 +6401,51 @@ done:

 				PF_STATE_UNLOCK(s);

 			return (action);

 		}

-	} else

-		pd.pf_mtag->flags &= ~PF_PACKET_LOOPED;

+	}

 continueprocessing:

+	if (action == PF_PASS && r->divert.port && ip_divert_ptr != NULL &&

+	    !PACKET_LOOPED(&pd)) {

+		if (!r->spare2 ||

+		    (s && s->packets[dir == PF_OUT] <= r->spare2)) {

+			ipfwtag = m_tag_alloc(MTAG_IPFW_RULE, 0,

+				sizeof(struct ipfw_rule_ref), M_NOWAIT | M_ZERO);

+			if (ipfwtag != NULL) {

+				((struct ipfw_rule_ref *)(ipfwtag+1))->info =

+					ntohs(r->divert.port);

+				((struct ipfw_rule_ref *)(ipfwtag+1))->rulenum = dir;

+

+				if (s)

+					PF_STATE_UNLOCK(s);

+

+				m_tag_prepend(m, ipfwtag);

+				if (m->m_flags & M_FASTFWD_OURS) {

+					if (pd.pf_mtag == NULL &&

+					    ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {

+						action = PF_DROP;

+						REASON_SET(&reason, PFRES_MEMORY);

+						log = 1;

+						DPFPRINTF(PF_DEBUG_MISC,

+						   ("pf: failed to allocate tag\n"));

+					}

+					pd.pf_mtag->flags |= PF_FASTFWD_OURS_PRESENT;

+					m->m_flags &= ~M_FASTFWD_OURS;

+				}

+				ip_divert_ptr(*m0, dir ==  PF_IN ? DIR_IN : DIR_OUT);

+				*m0 = NULL;

+

+				return (action);

+			} else {

+				/* XXX: ipfw has the same behaviour! */

+				action = PF_DROP;

+				REASON_SET(&reason, PFRES_MEMORY);

+				log = 1;

+				DPFPRINTF(PF_DEBUG_MISC,

+				    ("pf: failed to allocate divert tag\n"));

+			}

+		}

+	}

+

 	/*

 	 * connections redirected to loopback should not match sockets

 	 * bound specifically to loopback due to security implications,

@@ -6368,49 +6455,14 @@ continueprocessing:

 	    pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&

 	    (s->nat_rule.ptr->action == PF_RDR ||

 	    s->nat_rule.ptr->action == PF_BINAT) &&

-	    (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)

+	    (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {

 		m->m_flags |= M_SKIP_FIREWALL;

-

-	if (action == PF_PASS && r->divert.port && ip_divert_ptr != NULL &&

-	    !PACKET_LOOPED(&pd)) {

-

-		ipfwtag = m_tag_alloc(MTAG_IPFW_RULE, 0,

-		    sizeof(struct ipfw_rule_ref), M_NOWAIT | M_ZERO);

-		if (ipfwtag != NULL) {

-			((struct ipfw_rule_ref *)(ipfwtag+1))->info =

-			    ntohs(r->divert.port);

-			((struct ipfw_rule_ref *)(ipfwtag+1))->rulenum = dir;

-

-			if (s)

-				PF_STATE_UNLOCK(s);

-

-			m_tag_prepend(m, ipfwtag);

-			if (m->m_flags & M_FASTFWD_OURS) {

-				if (pd.pf_mtag == NULL &&

-				    ((pd.pf_mtag = pf_get_mtag(m)) == NULL)) {

-					action = PF_DROP;

-					REASON_SET(&reason, PFRES_MEMORY);

-					log = 1;

-					DPFPRINTF(PF_DEBUG_MISC,

-					    ("pf: failed to allocate tag\n"));

-				}

-				pd.pf_mtag->flags |= PF_FASTFWD_OURS_PRESENT;

-				m->m_flags &= ~M_FASTFWD_OURS;

-			}

-			ip_divert_ptr(*m0, dir ==  PF_IN ? DIR_IN : DIR_OUT);

-			*m0 = NULL;

-

-			return (action);

-		} else {

-			/* XXX: ipfw has the same behaviour! */

-			action = PF_DROP;

-			REASON_SET(&reason, PFRES_MEMORY);

-			log = 1;

-			DPFPRINTF(PF_DEBUG_MISC,

-			    ("pf: failed to allocate divert tag\n"));

-		}

+		if (PACKET_LOOPED(pd.pf_mtag) && !loopedfrom)

+			m->m_flags |= M_FASTFWD_OURS;

 	}

+	pd.pf_mtag->flags &= ~PF_PACKET_LOOPED;

+

 	if (log) {

 		struct pf_rule *lr;

@@ -6532,7 +6584,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)

 	PF_RULES_RLOCK();

-	if (ip_dn_io_ptr != NULL &&

+	if (((ip_dn_io_ptr != NULL) || (ip_divert_ptr != NULL)) &&

 	    ((dn_tag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL)) != NULL)) {

 		struct ipfw_rule_ref *rr = (struct ipfw_rule_ref *)(dn_tag+1);

 		pd.pf_mtag->flags |= PF_PACKET_LOOPED;

diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h

index f25adde..0a768ba 100644

--- a/sys/netpfil/pf/pf.h

+++ b/sys/netpfil/pf/pf.h

@@ -126,7 +126,8 @@ enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,

 #define PFRES_MAXSTATES	12		/* State limit */

 #define PFRES_SRCLIMIT	13		/* Source node/conn limit */

 #define PFRES_SYNPROXY	14		/* SYN proxy */

-#define PFRES_MAX	15		/* total+1 */

+#define	PFRES_DIVERT    15              /* Divert override */

+#define PFRES_MAX	16		/* total+1 */

 #define PFRES_NAMES { \

 	"match", \

@@ -144,6 +145,7 @@ enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,

 	"state-limit", \

 	"src-limit", \

 	"synproxy", \

+	"divert", \

 	NULL \

 }