 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_state_tcp.c,v 1.1 2011/11/29 20:05:30 rmind Exp $	*/
+/*	$NetBSD: npf_state_tcp.c,v 1.2 2011/12/05 00:34:25 rmind Exp $	*/
 /*-
  * Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -24,27 +24,27 @@
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF TCP state engine for connection tracking.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.1 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.2 2011/12/05 00:34:25 rmind Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
 #ifndef _KERNEL
 #include <stdio.h>
 #include <stdbool.h>
 #include <inttypes.h>
 #endif
 #include <netinet/in.h>
 #include <netinet/tcp.h>
 #include <netinet/tcp_seq.h>
 @@ -69,197 +69,210 @@ void	npf_state_sample(npf_state_t *);
 #define	NPF_TCPS_ESTABLISHED	4
 #define	NPF_TCPS_FIN_SEEN	5
 #define	NPF_TCPS_CLOSE_WAIT	6
 #define	NPF_TCPS_FIN_WAIT	7
 #define	NPF_TCPS_CLOSING	8
 #define	NPF_TCPS_LAST_ACK	9
 #define	NPF_TCPS_TIME_WAIT	10
 #define	NPF_TCP_NSTATES		11
 /*
  * TCP connection timeout table (in seconds).
  */
-static const u_int npf_tcp_timeouts[] __read_mostly = {
+static u_int npf_tcp_timeouts[] __read_mostly = {
 	/* Closed, timeout nearly immediately. */
 	[NPF_TCPS_CLOSED]	= 10,
 	/* Unsynchronised states. */
 	[NPF_TCPS_SYN_SENT]	= 30,
 	[NPF_TCPS_SIMSYN_SENT]	= 30,
 	[NPF_TCPS_SYN_RECEIVED]	= 60,
 	/* Established, timeout: 24 hours. */
 	[NPF_TCPS_ESTABLISHED]	= 60 * 60 * 24,
 	/* Closure cases, timeout: 4 minutes (2 * MSL). */
 	[NPF_TCPS_FIN_SEEN]	= 60 * 2 * 2,
 	[NPF_TCPS_CLOSE_WAIT]	= 60 * 2 * 2,
 	[NPF_TCPS_FIN_WAIT]	= 60 * 2 * 2,
 	[NPF_TCPS_CLOSING]	= 30,
 	[NPF_TCPS_LAST_ACK]	= 30,
 	[NPF_TCPS_TIME_WAIT]	= 60 * 2 * 2,
 };
 #define	NPF_TCP_MAXACKWIN	66000
-#define	TH_STATE_MASK		(TH_SYN | TH_ACK | TH_FIN)
+/*
-#define	TH_SYNACK		(TH_SYN | TH_ACK)
+ * List of TCP flag cases and conversion of flags to a case (index).
-#define	TH_FINACK		(TH_FIN | TH_ACK)
+ */
 #define	TCPFC_INVALID		0
 #define	TCPFC_SYN		1
 #define	TCPFC_SYNACK		2
 #define	TCPFC_ACK		3
 #define	TCPFC_FIN		4
 #define	TCPFC_COUNT		5
 static inline u_int
 npf_tcpfl2case(const int tcpfl)
+{
 	u_int i, c;
 	/*
 	 * Magic value maps flag combinations to TCPFC case numbers.
 	 * Other cases are zero.  Note: FIN-ACK is mapped to FIN.
 	 */
 	i = (tcpfl & (TH_SYN | TH_FIN)) | ((tcpfl & TH_ACK) >> 2);
 	c = (0x2430140 >> (i << 2)) & 7;
 	KASSERT(c < TCPFC_COUNT);
 	return c;
+}
 /*
  * NPF transition table of a tracked TCP connection.
+ *
  * There is a single state, which is changed in the following way:
+ *
- * new_state = npf_tcp_fsm[old_state][direction][tcp_flags & TH_STATE_MASK];
+ * new_state = npf_tcp_fsm[old_state][direction][npf_tcpfl2case(tcp_flags)];
+ *
  * Note that this state is different from the state in each end (host).
  */
-static const int npf_tcp_fsm[NPF_TCP_NSTATES][2][TH_STATE_MASK + 1]
+static const int npf_tcp_fsm[NPF_TCP_NSTATES][2][TCPFC_COUNT] = {
     __read_mostly = {
 	[NPF_TCPS_CLOSED] = {
 		[NPF_FLOW_FORW] = {
 			/* Handshake (1): initial SYN. */
-			[TH_SYN]	= NPF_TCPS_SYN_SENT,
+			[TCPFC_SYN]	= NPF_TCPS_SYN_SENT,
 		},
 	},
 	[NPF_TCPS_SYN_SENT] = {
 		[NPF_FLOW_FORW] = {
 			/* SYN may be retransmitted. */
-			[TH_SYN]	= NPF_TCPS_OK,
+			[TCPFC_SYN]	= NPF_TCPS_OK,
 		},
 		[NPF_FLOW_BACK] = {
 			/* Handshake (2): SYN-ACK is expected. */
-			[TH_SYNACK]	= NPF_TCPS_SYN_RECEIVED,
+			[TCPFC_SYNACK]	= NPF_TCPS_SYN_RECEIVED,
 			/* Simultaneous initiation - SYN. */
-			[TH_SYN]	= NPF_TCPS_SIMSYN_SENT,
+			[TCPFC_SYN]	= NPF_TCPS_SIMSYN_SENT,
 		},
 	},
 	[NPF_TCPS_SIMSYN_SENT] = {
 		[NPF_FLOW_FORW] = {
 			/* Original SYN re-transmission. */
-			[TH_SYN]	= NPF_TCPS_OK,
+			[TCPFC_SYN]	= NPF_TCPS_OK,
 			/* SYN-ACK response to simultaneous SYN. */
-			[TH_SYNACK]	= NPF_TCPS_SYN_RECEIVED,
+			[TCPFC_SYNACK]	= NPF_TCPS_SYN_RECEIVED,
 		},
 		[NPF_FLOW_BACK] = {
 			/* Simultaneous SYN re-transmission.*/
-			[TH_SYN]	= NPF_TCPS_OK,
+			[TCPFC_SYN]	= NPF_TCPS_OK,
 			/* SYN-ACK response to original SYN. */
-			[TH_SYNACK]	= NPF_TCPS_SYN_RECEIVED,
+			[TCPFC_SYNACK]	= NPF_TCPS_SYN_RECEIVED,
-			/* FIN may be sent at this point. */
+			/* FIN may be sent early. */
-			[TH_FIN]	= NPF_TCPS_FIN_SEEN,
+			[TCPFC_FIN]	= NPF_TCPS_FIN_SEEN,
 			[TH_FINACK]	= NPF_TCPS_FIN_SEEN,
 		},
 	},
 	[NPF_TCPS_SYN_RECEIVED] = {
 		[NPF_FLOW_FORW] = {
 			/* Handshake (3): ACK is expected. */
-			[TH_ACK]	= NPF_TCPS_ESTABLISHED,
+			[TCPFC_ACK]	= NPF_TCPS_ESTABLISHED,
-			[TH_FIN]	= NPF_TCPS_CLOSING,
+			/* FIN may be sent early. */
-			[TH_FINACK]	= NPF_TCPS_CLOSING,
+			[TCPFC_FIN]	= NPF_TCPS_FIN_SEEN,
 		},
 		[NPF_FLOW_BACK] = {
 			/* SYN-ACK may be retransmitted. */
-			[TH_SYNACK]	= NPF_TCPS_OK,
+			[TCPFC_SYNACK]	= NPF_TCPS_OK,
 			/* XXX: ACK of late SYN in simultaneous case? */
-			[TH_ACK]	= NPF_TCPS_OK,
+			[TCPFC_ACK]	= NPF_TCPS_OK,
-			/* XXX: Can this happen?
+			/* FIN may be sent early. */
-			[TH_FIN]	= NPF_TCPS_CLOSING, */
+			[TCPFC_FIN]	= NPF_TCPS_FIN_SEEN,
 		},
 	},
 	[NPF_TCPS_ESTABLISHED] = {
 		/*
 		 * Regular ACKs (data exchange) or FIN.
 		 * FIN packets may have ACK set.
 		 */
 		[NPF_FLOW_FORW] = {
-			[TH_ACK]	= NPF_TCPS_OK,
+			[TCPFC_ACK]	= NPF_TCPS_OK,
 			/* FIN by the sender. */
-			[TH_FIN]	= NPF_TCPS_FIN_SEEN,
+			[TCPFC_FIN]	= NPF_TCPS_FIN_SEEN,
 			[TH_FINACK]	= NPF_TCPS_FIN_SEEN,
 		},
 		[NPF_FLOW_BACK] = {
-			[TH_ACK]	= NPF_TCPS_OK,
+			[TCPFC_ACK]	= NPF_TCPS_OK,
 			/* FIN by the receiver. */
-			[TH_FIN]	= NPF_TCPS_FIN_SEEN,
+			[TCPFC_FIN]	= NPF_TCPS_FIN_SEEN,
 			[TH_FINACK]	= NPF_TCPS_FIN_SEEN,
 		},
 	},
 	[NPF_TCPS_FIN_SEEN] = {
 		/*
 		 * FIN was seen.  If ACK only, connection is half-closed now,
 		 * need to determine which end is closed (sender or receiver).
 		 * However, both FIN and FIN-ACK may race here - in which
 		 * case we are closing immediately.
 		 */
 		[NPF_FLOW_FORW] = {
-			[TH_ACK]	= NPF_TCPS_CLOSE_WAIT,
+			[TCPFC_ACK]	= NPF_TCPS_CLOSE_WAIT,
-			[TH_FIN]	= NPF_TCPS_CLOSING,
+			[TCPFC_FIN]	= NPF_TCPS_CLOSING,
 			[TH_FINACK]	= NPF_TCPS_CLOSING,
 		},
 		[NPF_FLOW_BACK] = {
-			[TH_ACK]	= NPF_TCPS_FIN_WAIT,
+			[TCPFC_ACK]	= NPF_TCPS_FIN_WAIT,
-			[TH_FIN]	= NPF_TCPS_CLOSING,
+			[TCPFC_FIN]	= NPF_TCPS_CLOSING,
 			[TH_FINACK]	= NPF_TCPS_CLOSING,
 		},
 	},
 	[NPF_TCPS_CLOSE_WAIT] = {
 		/* Sender has sent the FIN and closed its end. */
 		[NPF_FLOW_FORW] = {
-			[TH_ACK]	= NPF_TCPS_OK,
+			[TCPFC_ACK]	= NPF_TCPS_OK,
-			[TH_FIN]	= NPF_TCPS_LAST_ACK,
+			[TCPFC_FIN]	= NPF_TCPS_LAST_ACK,
 			[TH_FINACK]	= NPF_TCPS_LAST_ACK,
 		},
 		[NPF_FLOW_BACK] = {
-			[TH_ACK]	= NPF_TCPS_OK,
+			[TCPFC_ACK]	= NPF_TCPS_OK,
-			[TH_FIN]	= NPF_TCPS_LAST_ACK,
+			[TCPFC_FIN]	= NPF_TCPS_LAST_ACK,
 			[TH_FINACK]	= NPF_TCPS_LAST_ACK,
 		},
 	},
 	[NPF_TCPS_FIN_WAIT] = {
 		/* Receiver has closed its end. */
 		[NPF_FLOW_FORW] = {
-			[TH_ACK]	= NPF_TCPS_OK,
+			[TCPFC_ACK]	= NPF_TCPS_OK,
-			[TH_FIN]	= NPF_TCPS_LAST_ACK,
+			[TCPFC_FIN]	= NPF_TCPS_LAST_ACK,
 			[TH_FINACK]	= NPF_TCPS_LAST_ACK,
 		},
 		[NPF_FLOW_BACK] = {
-			[TH_ACK]	= NPF_TCPS_OK,
+			[TCPFC_ACK]	= NPF_TCPS_OK,
-			[TH_FIN]	= NPF_TCPS_LAST_ACK,
+			[TCPFC_FIN]	= NPF_TCPS_LAST_ACK,
 			[TH_FINACK]	= NPF_TCPS_LAST_ACK,
 		},
 	},
 	[NPF_TCPS_CLOSING] = {
 		/* Race of FINs - expecting ACK. */
 		[NPF_FLOW_FORW] = {
-			[TH_ACK]	= NPF_TCPS_LAST_ACK,
+			[TCPFC_ACK]	= NPF_TCPS_LAST_ACK,
 		},
 		[NPF_FLOW_BACK] = {
-			[TH_ACK]	= NPF_TCPS_LAST_ACK,
+			[TCPFC_ACK]	= NPF_TCPS_LAST_ACK,
 		},
 	},
 	[NPF_TCPS_LAST_ACK] = {
 		/* FINs exchanged - expecting last ACK. */
 		[NPF_FLOW_FORW] = {
-			[TH_ACK]	= NPF_TCPS_TIME_WAIT,
+			[TCPFC_ACK]	= NPF_TCPS_TIME_WAIT,
 		},
 		[NPF_FLOW_BACK] = {
-			[TH_ACK]	= NPF_TCPS_TIME_WAIT,
+			[TCPFC_ACK]	= NPF_TCPS_TIME_WAIT,
 		},
 	},
 	[NPF_TCPS_TIME_WAIT] = {
 		/* May re-open the connection as per RFC 1122. */
 		[NPF_FLOW_FORW] = {
-			[TH_SYN]	= NPF_TCPS_SYN_SENT,
+			[TCPFC_SYN]	= NPF_TCPS_SYN_SENT,
 		},
 	},
 };
 /*
  * npf_tcp_inwindow: determine whether the packet is in the TCP window
  * and thus part of the connection we are tracking.
  */
 static bool
 npf_tcp_inwindow(const npf_cache_t *npc, nbuf_t *nbuf, npf_state_t *nst,
     const int di)
+{
 	const struct tcphdr * const th = &npc->npc_l4.tcp;
 @@ -270,27 +283,27 @@ npf_tcp_inwindow(const npf_cache_t *npc,
 	uint32_t win;
 	KASSERT(npf_iscached(npc, NPC_TCP));
 	KASSERT(di == NPF_FLOW_FORW || di == NPF_FLOW_BACK);
 	/*
 	 * Perform SEQ/ACK numbers check against boundaries.  Reference:
+	 *
 	 *	Rooij G., "Real stateful TCP packet filtering in IP Filter",
 	 *	10th USENIX Security Symposium invited talk, Aug. 2001.
+	 *
 	 * There four boundaries are defined as following:
 	 *	I)   SEQ + LEN	<= MAX { SND.ACK + MAX(SND.WIN, 1) }
-	 *	II)  SEQ	>= MAX { SND.SEQ + SND.LEN }
+	 *	II)  SEQ	>= MAX { SND.SEQ + SND.LEN - MAX(RCV.WIN, 1) }
 	 *	III) ACK	<= MAX { RCV.SEQ + RCV.LEN }
 	 *	IV)  ACK	>= MAX { RCV.SEQ + RCV.LEN } - MAXACKWIN
+	 *
 	 * Let these members of npf_tcpstate_t be the maximum seen values of:
 	 *	nst_end		- SEQ + LEN
 	 *	nst_maxend	- ACK + MAX(WIN, 1)
 	 *	nst_maxwin	- MAX(WIN, 1)
 	 */
 	tcpdlen = npf_tcpsaw(__UNCONST(npc), &seq, &ack, &win);
 	end = seq + tcpdlen;
 	if (tcpfl & TH_SYN) {
 		end++;
 @@ -417,27 +430,28 @@ npf_tcp_inwindow(const npf_cache_t *npc,
+	}
 	return true;
+}
 bool
 npf_state_tcp(const npf_cache_t *npc, nbuf_t *nbuf, npf_state_t *nst, int di)
+{
 	const struct tcphdr * const th = &npc->npc_l4.tcp;
 	const int tcpfl = th->th_flags, state = nst->nst_state;
 	int nstate;
 	/* Look for a transition to a new state. */
 	if (__predict_true((tcpfl & TH_RST) == 0)) {
-		nstate = npf_tcp_fsm[state][di][tcpfl & TH_STATE_MASK];
+		const int flagcase = npf_tcpfl2case(tcpfl);
 		nstate = npf_tcp_fsm[state][di][flagcase];
 	} else if (state == NPF_TCPS_TIME_WAIT) {
 		/* Prevent TIME-WAIT assassination (RFC 1337). */
 		nstate = NPF_TCPS_OK;
 	} else {
 		nstate = NPF_TCPS_CLOSED;
+	}
 	/* Determine whether TCP packet really belongs to this connection. */
 	if (!npf_tcp_inwindow(npc, nbuf, nst, di)) {
 		return false;
+	}
 	if (__predict_true(nstate == NPF_TCPS_OK)) {
 		return true;
+	}