authorDarren Reed <darrenr@FreeBSD.org>1997-04-03 10:39:35 +0000
committerDarren Reed <darrenr@FreeBSD.org>1997-04-03 10:39:35 +0000
commit1fddb84ad639d46f835aa6d5b12abdbbc6934d03 (patch)
tree06c26c4b986f2caa85cf9dbc2e4a480bba2eeff0
parent413e00145c3f486f87ed078f02b03545cc6aec9c (diff)
downloadsrc-1fddb84ad639d46f835aa6d5b12abdbbc6934d03.tar.gz
src-1fddb84ad639d46f835aa6d5b12abdbbc6934d03.zip
Really import sys/netinet changes for IP Filter 3.2alpha4 this time.vendor/ipfilter-sys/V3_2_A4
Notes
Notes: svn path=/vendor-sys/ipfilter/dist-old/; revision=24586 svn path=/vendor-sys/ipfilter/V3_2_A4/; revision=24588; tag=vendor/ipfilter-sys/V3_2_A4
-rw-r--r--sys/netinet/fil.c137
-rw-r--r--sys/netinet/ip_compat.h93
-rw-r--r--sys/netinet/ip_fil.c444
-rw-r--r--sys/netinet/ip_fil.h135
-rw-r--r--sys/netinet/ip_frag.c29
-rw-r--r--sys/netinet/ip_frag.h16
-rw-r--r--sys/netinet/ip_nat.c171
-rw-r--r--sys/netinet/ip_nat.h43
-rw-r--r--sys/netinet/ip_state.c108
-rw-r--r--sys/netinet/ip_state.h48
10 files changed, 905 insertions, 319 deletions
diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c
index 9f953614e42d..118edf225ed5 100644
--- a/sys/netinet/fil.c
+++ b/sys/netinet/fil.c
@@ -7,12 +7,13 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $";
+static char rcsid[] = "$Id: fil.c,v 1.1.1.3 1997/04/03 10:10:10 darrenr Exp $";
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#if defined(_KERNEL) || defined(KERNEL)
@@ -44,8 +45,8 @@ static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $";
#include <netinet/udp.h>
#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
-#include "ip_fil.h"
#include "ip_compat.h"
+#include "ip_fil.h"
#include "ip_nat.h"
#include "ip_frag.h"
#include "ip_state.h"
@@ -54,46 +55,48 @@ static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $";
#endif
#ifndef _KERNEL
-#include "ipf.h"
+# include "ipf.h"
+# include "ipt.h"
extern int opts;
-extern void debug(), verbose();
-#define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; second; }
-#define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; second; }
-#define FR_VERBOSE(verb_pr) verbose verb_pr
-#define FR_DEBUG(verb_pr) debug verb_pr
-#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi)
+# define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; \
+ second; }
+# define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; \
+ second; }
+# define FR_VERBOSE(verb_pr) verbose verb_pr
+# define FR_DEBUG(verb_pr) debug verb_pr
+# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
+# define SEND_RESET(ip, qif, q, if) send_reset(ip, if)
+# define IPLLOG(a, c, d, e) ipllog()
# if SOLARIS
+# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip)
# define bcmp memcmp
-# endif
-#else
-#define FR_IFVERBOSE(ex,second,verb_pr) ;
-#define FR_IFDEBUG(ex,second,verb_pr) ;
-#define FR_VERBOSE(verb_pr)
-#define FR_DEBUG(verb_pr)
-#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
-extern int send_reset();
-# if SOLARIS
-extern int icmp_error(), ipfr_fastroute();
-extern kmutex_t ipf_mutex, ipl_mutex;
# else
-extern void ipfr_fastroute();
+# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if)
# endif
-extern int ipl_unreach, ipllog();
-#endif
-#if SOLARIS
-# define SEND_RESET(ip, if, q) send_reset(ip, qif, q)
-# define ICMP_ERROR(b, ip, t, c, if, src) \
- icmp_error(b, ip, t, c, if, src)
-#else
-# define SEND_RESET(ip, if, q) send_reset(ip)
-# if BSD < 199103
+#else /* #ifndef _KERNEL */
+# define FR_IFVERBOSE(ex,second,verb_pr) ;
+# define FR_IFDEBUG(ex,second,verb_pr) ;
+# define FR_VERBOSE(verb_pr)
+# define FR_DEBUG(verb_pr)
+# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
+# define IPLLOG(a, c, d, e) ipllog(a, IPL_LOGIPF, c, d, e)
+# if SOLARIS
+extern kmutex_t ipf_mutex;
+# define SEND_RESET(ip, qif, q, if) send_reset(ip, qif, q)
# define ICMP_ERROR(b, ip, t, c, if, src) \
- icmp_error(mtod(b, ip_t *), t, c, if, src)
+ icmp_error(b, ip, t, c, if, src)
# else
-# define ICMP_ERROR(b, ip, t, c, if, src) \
+# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
+# define SEND_RESET(ip, qif, q, if) send_reset((struct tcpiphdr *)ip)
+# if BSD < 199103
+# define ICMP_ERROR(b, ip, t, c, if, src) \
+ icmp_error(mtod(b, ip_t *), t, c, if, src)
+# else
+# define ICMP_ERROR(b, ip, t, c, if, src) \
icmp_error(b, t, c, (src).s_addr, if)
+# endif
# endif
#endif
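Review bot: The two userland `ICMP_ERROR` mappings in the new `#ifndef _KERNEL` block do not match the userland `icmp_error` this same commit adds in ip_fil.c, which takes `(ip, ifp)` and is prototyped in ip_fil.h as `__P((struct ip *, struct ifnet *))`: the Solaris branch expands to `icmp_error(ip)` (one argument) and the non-Solaris branch to `icmp_error(b, ip, if)` (three), so under ANSI prototypes either call fails to compile and under K&R the non-Solaris one passes the mbuf pointer where an `ip_t *` is expected. Make both branches `# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip, if)`, which also lets the `# if SOLARIS` split collapse to just the `bcmp` define. The `fr_check` body that expands these macros lies outside this hunk, so I cannot see whether the expansion is compiled in every ipftest build.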
@@ -103,7 +106,7 @@ extern int ipl_unreach, ipllog();
#ifdef IPF_DEFAULT_PASS
#define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH)
#else
-#define IPF_NOMATCH (FR_NOMATCH)
+#define IPF_NOMATCH (FR_PASS|FR_NOMATCH)
#endif
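Review bot: The `#else` fallback for `IPF_NOMATCH` now carries `FR_PASS`, so a packet that matches no rule is passed whether or not `IPF_DEFAULT_PASS` is defined — the filter fails open and the `#ifdef` no longer selects a different policy. If that is the intended default, say so where the next reader will look: `/* No rule matched: the packet is passed (fail-open). Append an explicit "block all" rule for a default-deny policy. */` above the `#ifdef`. If a build-time default-deny was meant to stay possible, keep the `#else` branch as `(FR_BLOCK|FR_NOMATCH)` or introduce a separate configuration macro instead of hard-coding pass in both arms.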
struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
@@ -113,6 +116,10 @@ int fr_flags = IPF_LOGGING, fr_active = 0;
fr_info_t frcache[2];
+static void fr_makefrip __P((int, ip_t *, fr_info_t *));
+static int fr_tcpudpchk __P((frentry_t *, fr_info_t *));
+static int fr_scanlist __P((int, ip_t *, fr_info_t *, void *));
+
/*
* bit values for identifying presence of individual IP options
@@ -159,7 +166,7 @@ struct optlist secopt[8] = {
* compact the IP header into a structure which contains just the info.
* which is useful for comparing IP headers with.
*/
-void fr_makefrip(hlen, ip, fin)
+static void fr_makefrip(hlen, ip, fin)
int hlen;
ip_t *ip;
fr_info_t *fin;
@@ -278,7 +285,7 @@ getports:
/*
* check an IP packet for TCP/UDP characteristics such as ports and flags.
*/
-int fr_tcpudpchk(fr, fin)
+static int fr_tcpudpchk(fr, fin)
frentry_t *fr;
fr_info_t *fin;
{
@@ -371,7 +378,7 @@ fr_info_t *fin;
* Could be per interface, but this gets real nasty when you don't have
* kernel sauce.
*/
-int fr_scanlist(pass, ip, fin, m)
+static int fr_scanlist(pass, ip, fin, m)
int pass;
ip_t *ip;
register fr_info_t *fin;
@@ -404,8 +411,7 @@ void *m;
if (opts & (OPT_VERBOSE|OPT_DEBUG))
printf("\n");
FR_VERBOSE(("%c", (pass & FR_PASS) ? 'p' : 'b'));
- if (fin->fin_ifp && *fr->fr_ifname &&
- strcasecmp((char *)fin->fin_ifp, fr->fr_ifname))
+ if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
continue;
FR_VERBOSE((":i"));
#endif
@@ -467,7 +473,7 @@ void *m;
pass = (*fr->fr_func)(pass, ip, fin);
#ifdef IPFILTER_LOG
if ((pass & FR_LOGMASK) == FR_LOG) {
- if (!ipllog(fr->fr_flags, ip, fin, m))
+ if (!IPLLOG(fr->fr_flags, ip, fin, m))
frstats[fin->fin_out].fr_skip++;
frstats[fin->fin_out].fr_pkl++;
}
@@ -475,7 +481,7 @@ void *m;
FR_DEBUG(("pass %#x\n", pass));
fr->fr_hits++;
if (pass & FR_ACCOUNT)
- fr->fr_bytes += ip->ip_len;
+ fr->fr_bytes += (U_QUAD_T)ip->ip_len;
else
fin->fin_icode = fr->fr_icode;
fin->fin_rule = rulen;
@@ -504,7 +510,8 @@ mblk_t **mp;
struct mbuf **mp;
# endif
#else
-)
+, mp)
+char *mp;
#endif
ip_t *ip;
int hlen;
@@ -518,8 +525,12 @@ int out;
register fr_info_t *fin = &frinfo;
frentry_t *fr = NULL;
int pass, changed;
+#ifndef _KERNEL
+ char *mc = mp, *m = mp;
+#endif
-#if !defined(__SVR4) && !defined(__svr4__) && defined(_KERNEL)
+#ifdef _KERNEL
+# if !defined(__SVR4) && !defined(__svr4__)
register struct mbuf *m = *mp;
struct mbuf *mc = NULL;
@@ -538,9 +549,10 @@ int out;
}
}
}
-#endif
-#if SOLARIS && defined(_KERNEL)
+# endif
+# if SOLARIS
mblk_t *mc = NULL, *m = qif->qf_m;
+# endif
#endif
fr_makefrip(hlen, ip, fin);
fin->fin_ifp = ifp;
@@ -608,7 +620,7 @@ int out;
}
}
- if (fr && fr->fr_func)
+ if (fr && fr->fr_func && !(pass & FR_CALLNOW))
pass = (*fr->fr_func)(pass, ip, fin);
if (out) {
@@ -639,7 +651,7 @@ int out;
pass |= FF_LOGBLOCK;
frstats[out].fr_bpkl++;
logit:
- if (!ipllog(pass, ip, fin, m)) {
+ if (!IPLLOG(pass, ip, fin, m)) {
frstats[out].fr_skip++;
if ((pass & (FR_PASS|FR_LOGORBLOCK)) ==
(FR_PASS|FR_LOGORBLOCK))
@@ -676,7 +688,7 @@ logit:
frstats[0].fr_ret++;
} else if ((pass & FR_RETRST) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
- if (SEND_RESET(ip, qif, q) == 0)
+ if (SEND_RESET(ip, qif, q, ifp) == 0)
frstats[1].fr_ret++;
}
#else
@@ -736,37 +748,32 @@ logit:
#ifdef IPFILTER_LOG
-# if !(defined(_KERNEL))
-static void ipllog()
-{
- verbose("l");
-}
-# endif
-
-
-int fr_copytolog(buf, len)
+int fr_copytolog(dev, buf, len)
+int dev;
char *buf;
int len;
{
- int clen, tail;
+ register char *bufp = iplbuf[dev], *tp = iplt[dev], *hp = iplh[dev];
+ register int clen, tail;
- tail = (iplh >= iplt) ? (iplbuf + IPLLOGSIZE - iplh) : (iplt - iplh);
+ tail = (hp >= tp) ? (bufp + IPLLOGSIZE - hp) : (tp - hp);
clen = MIN(tail, len);
- bcopy(buf, iplh, clen);
+ bcopy(buf, hp, clen);
len -= clen;
tail -= clen;
- iplh += clen;
+ hp += clen;
buf += clen;
- if (iplh == iplbuf + IPLLOGSIZE) {
- iplh = iplbuf;
- tail = iplt - iplh;
+ if (hp == bufp + IPLLOGSIZE) {
+ hp = bufp;
+ tail = tp - hp;
}
if (len && tail) {
clen = MIN(tail, len);
- bcopy(buf, iplh, clen);
+ bcopy(buf, hp, clen);
len -= clen;
- iplh += clen;
+ hp += clen;
}
+ iplh[dev] = hp;
return len;
}
#endif
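Review bot: `fr_copytolog` now indexes `iplbuf`, `iplt` and `iplh` with `dev` but never checks it, so the caller is the only guard against an out-of-range log number, and the function's header comment should say so: `/* dev must be IPL_LOGIPF..IPL_LOGSTATE; ipllog passes a constant and has already verified the record fits (iplused[dev] + len <= IPLLOGSIZE). */`. A cheap defensive `if (dev < 0 || dev > IPL_LOGSTATE) return len;` at the top would also mirror the minor-number check iplioctl gained in this commit. The function writes `iplh[dev]` back but reads `iplt[dev]` only once up front; presumably it runs under the same splnet/ipl_mutex protection as iplread, which is not visible here — worth confirming and noting in the comment.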
diff --git a/sys/netinet/ip_compat.h b/sys/netinet/ip_compat.h
index 5a36cc318ad6..615e4d061139 100644
--- a/sys/netinet/ip_compat.h
+++ b/sys/netinet/ip_compat.h
@@ -6,17 +6,48 @@
* to the original author and the contributors.
*
* @(#)ip_compat.h 1.8 1/14/96
- * $Id: ip_compat.h,v 2.0.1.4 1997/02/04 14:24:25 darrenr Exp $
+ * $Id: ip_compat.h,v 1.1.1.2 1997/04/03 10:10:48 darrenr Exp $
*/
#ifndef __IP_COMPAT_H_
#define __IP_COMPAT_H__
+#ifndef __P
+# ifdef __STDC__
+# define __P(x) x
+# else
+# define __P(x) ()
+# endif
+#endif
+
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
+
#if SOLARIS
-#define MTYPE(m) ((m)->b_datap->db_type)
+# define MTYPE(m) ((m)->b_datap->db_type)
+# include <sys/ioccom.h>
+# include <sys/sysmacros.h>
+/*
+ * because Solaris 2 defines these in two places :-/
+ */
+# undef IPOPT_EOL
+# undef IPOPT_NOP
+# undef IPOPT_LSRR
+# undef IPOPT_RR
+# undef IPOPT_SSRR
+# ifndef _KERNEL
+# define _KERNEL
+# undef RES_INIT
+# include <inet/common.h>
+# include <inet/ip.h>
+# include <inet/ip_ire.h>
+# undef _KERNEL
+# else
+# include <inet/common.h>
+# include <inet/ip.h>
+# include <inet/ip_ire.h>
+# endif
#endif
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
@@ -24,6 +55,13 @@
#define IP_OFFMASK 0x1fff
#endif
+#if BSD > 199306
+# define USE_QUAD_T
+# define U_QUAD_T u_quad_t
+#else
+# define U_QUAD_T u_long
+#endif
+
#ifndef MAX
#define MAX(a,b) (((a) > (b)) ? (a) : (b))
#endif
@@ -85,11 +123,18 @@
#define IPOPT_FINN 205 /* FINN */
+#ifdef __FreeBSD__
+# include <machine/spl.h>
+# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
+# define ACTUALLY_LKM_NOT_KERNEL
+# endif
+#endif
+
/*
* Build some macros and #defines to enable the same code to compile anywhere
* Well, that's the idea, anyway :-)
*/
-#ifdef _KERNEL
+#if defined(_KERNEL) || defined(KERNEL)
# if SOLARIS
# define MUTEX_ENTER(x) mutex_enter(x)
# define MUTEX_EXIT(x) mutex_exit(x)
@@ -108,6 +153,7 @@
# ifdef sun
# if defined(__svr4__) || defined(__SVR4)
+extern ill_t *get_unit __P((char *));
# define GETUNIT(n) get_unit((n))
# else
# include <sys/kmem_alloc.h>
@@ -132,8 +178,8 @@ typedef struct qif {
queue_t *qf_out;
void *qf_wqinfo;
void *qf_rqinfo;
- int (*qf_inp)();
- int (*qf_outp)();
+ int (*qf_inp) __P((queue_t *, mblk_t *));
+ int (*qf_outp) __P((queue_t *, mblk_t *));
mblk_t *qf_m;
int qf_len;
char qf_name[8];
@@ -151,10 +197,10 @@ typedef struct qif {
# define htons(x) (x)
# define htonl(x) (x)
# endif
-# define KMALLOC(x) kmem_alloc((x), KM_NOSLEEP)
+# define KMALLOC(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
# define GET_MINOR(x) getminor(x)
# else
-# define KMALLOC(x) new_kmem_alloc((x), KMEM_NOSLEEP)
+# define KMALLOC(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP)
# endif /* __svr4__ */
# endif /* sun && !linux */
# ifndef GET_MINOR
@@ -162,7 +208,7 @@ typedef struct qif {
# endif
# if BSD >= 199306 || defined(__FreeBSD__)
# include <vm/vm.h>
-# if !defined(__FreeBSD__)
+# if !defined(__FreeBSD__) || (defined (__FreeBSD__) && __FreeBSD__>=3)
# include <vm/vm_extern.h>
# include <sys/proc.h>
extern vm_map_t kmem_map;
@@ -170,15 +216,15 @@ extern vm_map_t kmem_map;
# include <vm/vm_kern.h>
# endif /* __FreeBSD__ */
/*
-** # define KMALLOC(x) kmem_alloc(kmem_map, (x))
-** # define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \
+# define KMALLOC(a,b,c) (a) = (b)kmem_alloc(kmem_map, (c))
+# define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \
sizeof(*(x)))
*/
# ifdef M_PFIL
-# define KMALLOC(x) malloc((x), M_PFIL, M_NOWAIT)
+# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
# define KFREE(x) FREE((x), M_PFIL)
# else
-# define KMALLOC(x) malloc((x), M_TEMP, M_NOWAIT)
+# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT)
# define KFREE(x) FREE((x), M_TEMP)
# endif
# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
@@ -193,17 +239,16 @@ extern vm_map_t kmem_map;
# endif
# endif
#else
-# ifndef linux
-# define MUTEX_ENTER(x) ;
-# define MUTEX_EXIT(x) ;
-# define SPLNET(x) ;
-# define SPLX(x) ;
-# define KMALLOC(x) malloc(x)
-# define KFREE(x) free(x)
-# define GETUNIT(x) (x)
-# define IRCOPY(a,b,c) bcopy((a), (b), (c))
-# define IWCOPY(a,b,c) bcopy((a), (b), (c))
-# endif
+# define MUTEX_ENTER(x) ;
+# define MUTEX_EXIT(x) ;
+# define SPLNET(x) ;
+# undef SPLX
+# define SPLX(x) ;
+# define KMALLOC(a,b,c) (a) = (b)malloc(c)
+# define KFREE(x) free(x)
+# define GETUNIT(x) get_unit(x)
+# define IRCOPY(a,b,c) bcopy((a), (b), (c))
+# define IWCOPY(a,b,c) bcopy((a), (b), (c))
#endif /* KERNEL */
#ifdef linux
@@ -318,7 +363,7 @@ struct ipovly {
# define UNITNAME(n) dev_get((n))
# define ifnet device
-# define KMALLOC(x) kmalloc((x), GFP_ATOMIC)
+# define KMALLOC(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC)
# define KFREE(x) kfree_s((x), sizeof(*(x)))
# define IRCOPY(a,b,c) { \
error = verify_area(VERIFY_READ, \
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
index fec484670f4b..a9c298aedc5b 100644
--- a/sys/netinet/ip_fil.c
+++ b/sys/netinet/ip_fil.c
@@ -7,17 +7,39 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $";
+static char rcsid[] = "$Id: ip_fil.c,v 1.1.1.3 1997/04/03 10:10:52 darrenr Exp $";
#endif
+#ifndef SOLARIS
+#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#endif
+
+#ifdef __FreeBSD__
+#include <osreldate.h>
+#endif
+#ifndef _KERNEL
+#include <stdio.h>
+#include <string.h>
+#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/file.h>
#include <sys/ioctl.h>
+#include <sys/time.h>
+#ifdef _KERNEL
#include <sys/systm.h>
+#endif
#include <sys/uio.h>
+#if !SOLARIS
+#include <sys/dir.h>
#include <sys/mbuf.h>
+#else
+#define bcmp memcmp
+#define bzero(a,b) memset(a,0,b)
+#define bcopy(a,b,c) memcpy(b,a,c)
+#include <sys/filio.h>
+#endif
#include <sys/protosw.h>
#include <sys/socket.h>
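Review bot: The new Solaris mapping `#define bcopy(a,b,c) memcpy(b,a,c)` drops bcopy's guarantee for overlapping regions; `memcpy` is undefined when source and destination overlap, and the copies this file performs between packet headers and freshly allocated mbuf/mblk buffers are hard to audit for that at every call site. `memmove` is the drop-in equivalent: `#define bcopy(a,b,c) memmove(b,a,c)`. Note that `bcmp`/`bzero` are fine as written since `memcmp`/`memset` have no overlap concern.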
@@ -36,8 +58,8 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $
#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
#include <syslog.h>
-#include "ip_fil.h"
#include "ip_compat.h"
+#include "ip_fil.h"
#include "ip_frag.h"
#include "ip_nat.h"
#include "ip_state.h"
@@ -47,45 +69,49 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $
extern fr_flags, fr_active;
extern struct protosw inetsw[];
-extern int (*fr_checkp)();
#if BSD < 199306
-extern int ipfr_slowtimer();
-static int (*fr_saveslowtimo)();
+static int (*fr_saveslowtimo) __P((void));
extern int tcp_ttl;
#else
-extern void ipfr_slowtimer();
-static void (*fr_saveslowtimo)();
+static void (*fr_saveslowtimo) __P((void));
#endif
int ipl_inited = 0;
int ipl_unreach = ICMP_UNREACH_FILTER;
-int send_reset();
+
+#ifndef _KERNEL
+#include "ipt.h"
+static struct ifnet **ifneta = NULL;
+static int nifs = 0;
+struct ifnet *get_unit __P((char *));
+#endif
#ifdef IPFILTER_LOG
-# define LOGSIZE 8192
-int ipllog();
-char iplbuf[LOGSIZE];
-caddr_t iplh = iplbuf, iplt = iplbuf;
-static int iplused = 0;
+char iplbuf[3][IPLLOGSIZE];
+caddr_t iplh[3], iplt[3];
+int iplused[3] = {0,0,0};
#endif /* IPFILTER_LOG */
-static void frflush();
-static int frrequest();
-static int (*fr_savep)() = NULL;
+static void frflush __P((caddr_t));
+static int frrequest __P((int, caddr_t, int));
+static void frzerostats __P((caddr_t));
+#ifdef _KERNEL
+static int (*fr_savep) __P((struct ip *, int, struct ifnet *,
+ int, struct mbuf **));
+#else
+void init_ifp __P((void));
+static int (*fr_savep) __P((struct ip *, int, struct ifnet *,
+ int, char *));
+static int no_output __P((struct ifnet *, struct mbuf *,
+ struct sockaddr *, struct rtentry *));
+static int write_output __P((struct ifnet *, struct mbuf *,
+ struct sockaddr *, struct rtentry *));
+#endif
+
-#if _BSDI_VERSION >= 199501
+#if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
# include <sys/device.h>
# include <sys/conf.h>
-int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
-int iplopen __P((dev_t, int, int, struct proc *));
-int iplclose __P((dev_t, int, int, struct proc *));
-# ifdef IPFILTER_LOG
-int iplread __P((dev_t, struct uio *, int));
-# else
-# define iplread noread
-# endif
-int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
-
struct cfdriver iplcd = {
NULL, "ipl", NULL, NULL, DV_DULL, 0
};
@@ -96,9 +122,11 @@ struct devsw iplsw = {
nostrat, nodump, nopsize, 0,
nostop
};
-#endif /* _BSDI_VERSION >= 199501 */
+#endif /* _BSDI_VERSION >= 199510 && _KERNEL */
+
-#ifdef IPFILTER_LKM
+#ifdef _KERNEL
+# ifdef IPFILTER_LKM
int iplidentify(s)
char *s;
{
@@ -106,12 +134,12 @@ char *s;
return 1;
return 0;
}
-#endif /* IPFILTER_LKM */
+# endif /* IPFILTER_LKM */
int iplattach()
{
- int s;
+ int s, i;
SPLNET(s);
if (ipl_inited || (fr_checkp == fr_check)) {
@@ -125,6 +153,14 @@ int iplattach()
fr_checkp = fr_check;
fr_saveslowtimo = inetsw[0].pr_slowtimo;
inetsw[0].pr_slowtimo = ipfr_slowtimer;
+
+ /*
+ * Set log buffer pointers for each of the log buffers
+ */
+ for (i = 0; i <= 2; i++) {
+ iplh[i] = iplbuf[i];
+ iplt[i] = iplbuf[i];
+ }
SPLX(s);
return 0;
}
@@ -142,7 +178,9 @@ int ipldetach()
return EBUSY;
}
+#if defined(IPFILTER_LKM) || defined(IPFILTER)
fr_checkp = fr_savep;
+#endif
inetsw[0].pr_slowtimo = fr_saveslowtimo;
frflush((caddr_t)&i);
ipl_inited = 0;
@@ -154,6 +192,7 @@ int ipldetach()
SPLX(s);
return 0;
}
+#endif /* _KERNEL */
static void frzerostats(data)
@@ -219,7 +258,7 @@ caddr_t data;
* Filter ioctl interface.
*/
int iplioctl(dev, cmd, data, mode
-#if _BSDI_VERSION >= 199501
+#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL)
, p)
struct proc *p;
#else
@@ -232,18 +271,20 @@ int mode;
{
int error = 0, s, unit;
+#ifdef _KERNEL
unit = minor(dev);
- if (unit != 0)
+ if ((2 < unit) || (unit < 0))
return ENXIO;
+#endif
SPLNET(s);
switch (cmd) {
case FIONREAD :
#ifdef IPFILTER_LOG
- *(int *)data = iplused;
+ *(int *)data = iplused[unit];
#endif
break;
-#ifndef IPFILTER_LKM
+#if !defined(IPFILTER_LKM) && defined(_KERNEL)
case SIOCFRENB :
{
u_int enable;
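Review bot: `unit` is assigned only inside the new `#ifdef _KERNEL` block, yet `iplused[unit]` under `FIONREAD` (and in the log-reset case further down) is compiled in both builds, so the userland ipftest build reads an uninitialized index. Initialise it at the declaration, `int error = 0, s, unit = IPL_LOGIPF;`, or assign it in an `#else` arm of the new `#ifdef`. The range check also hard-codes `2`; `if ((unit < 0) || (unit > IPL_LOGSTATE))` ties it to the minor numbers ip_fil.h now names. iplioctl's body continues beyond this hunk.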
@@ -330,9 +371,9 @@ int mode;
if (!(mode & FWRITE))
error = EPERM;
else {
- *(int *)data = iplused;
- iplh = iplt = iplbuf;
- iplused = 0;
+ *(int *)data = iplused[unit];
+ iplh[unit] = iplt[unit] = iplbuf[unit];
+ iplused[unit] = 0;
}
break;
#endif /* IPFILTER_LOG */
@@ -365,16 +406,13 @@ caddr_t data;
{
register frentry_t *fp, *f, **fprev;
register frentry_t **ftail;
- frentry_t fr;
+ frentry_t frd;
frdest_t *fdp;
- struct frentry frd;
int error = 0, in;
- fp = &fr;
+ fp = &frd;
IRCOPY(data, (caddr_t)fp, sizeof(*fp));
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
-
in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
if (fp->fr_flags & FR_ACCOUNT) {
ftail = fprev = &ipacct[in][set];
@@ -383,8 +421,8 @@ caddr_t data;
else
return ESRCH;
- IRCOPY((char *)fp, (char *)&frd, sizeof(frd));
- fp = &frd;
+ bzero((char *)frcache, sizeof(frcache[0]) * 2);
+
if (*fp->fr_ifname) {
fp->fr_ifa = GETUNIT(fp->fr_ifname);
if (!fp->fr_ifa)
@@ -451,7 +489,8 @@ caddr_t data;
if (f)
error = EEXIST;
else {
- if ((f = (struct frentry *)KMALLOC(sizeof(*f)))) {
+ KMALLOC(f, frentry_t *, sizeof(*f));
+ if (f != NULL) {
bcopy((char *)fp, (char *)f, sizeof(*f));
f->fr_hits = 0;
f->fr_next = *ftail;
@@ -464,44 +503,48 @@ caddr_t data;
}
-#if !defined(linux)
+#ifdef _KERNEL
/*
* routines below for saving IP headers to buffer
*/
int iplopen(dev, flags
-#if _BSDI_VERSION >= 199501
+#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL)
, devtype, p)
int devtype;
struct proc *p;
-#else
+# else
)
-#endif
+# endif
dev_t dev;
int flags;
{
u_int min = minor(dev);
- if (min)
+ if (2 < min)
min = ENXIO;
+ else
+ min = 0;
return min;
}
int iplclose(dev, flags
-#if _BSDI_VERSION >= 199501
+#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL)
, devtype, p)
int devtype;
struct proc *p;
-#else
+# else
)
-#endif
+# endif
dev_t dev;
int flags;
{
u_int min = minor(dev);
- if (min)
+ if (2 < min)
min = ENXIO;
+ else
+ min = 0;
return min;
}
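Review bot: Both `iplopen` and `iplclose` compare the minor number against the literal `2`, duplicating the bound that ip_fil.h now names `IPL_LOGSTATE`; `if (min > IPL_LOGSTATE)` keeps the three device checks (open, close, ioctl, read) in step if a fourth log is ever added. Reusing the `u_int` variable `min` to carry `ENXIO` out of an `int` function works but reads oddly; `return (minor(dev) > IPL_LOGSTATE) ? ENXIO : 0;` says the same thing in one line. Since `min` is unsigned the missing `< 0` test is fine here, unlike in iplioctl where `unit` is `int`.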
@@ -521,52 +564,57 @@ int iplread(dev, uio)
dev_t dev;
register struct uio *uio;
{
- register int ret, s;
+ register int ret, s, unit;
register size_t sz, sx;
int error;
+ unit = minor(dev);
+ if ((2 < unit) || (unit < 0))
+ return ENXIO;
+
if (!uio->uio_resid)
return 0;
- while (!iplused) {
- error = SLEEP(iplbuf, "ipl sleep");
+
+ while (!iplused[unit]) {
+ error = SLEEP(iplbuf[unit], "ipl sleep");
if (error)
return error;
}
SPLNET(s);
- sx = sz = MIN(uio->uio_resid, iplused);
- if (iplh < iplt)
- sz = MIN(sz, LOGSIZE - (iplt - iplbuf));
+ sx = sz = MIN(uio->uio_resid, iplused[unit]);
+ if (iplh[unit] < iplt[unit])
+ sz = MIN(sz, IPLLOGSIZE - (iplt[unit] - iplbuf[unit]));
sx -= sz;
# if BSD >= 199306 || defined(__FreeBSD__)
uio->uio_rw = UIO_READ;
# endif
- if (!(ret = UIOMOVE(iplt, sz, UIO_READ, uio))) {
- iplt += sz;
- iplused -= sz;
- if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
- iplt = iplbuf;
-
- if (sx && !(ret = UIOMOVE(iplt, sx, UIO_READ, uio))) {
- iplt += sx;
- iplused -= sx;
- if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
- iplt = iplbuf;
+ if (!(ret = UIOMOVE(iplt[unit], sz, UIO_READ, uio))) {
+ iplt[unit] += sz;
+ iplused[unit] -= sz;
+ if ((iplh[unit] < iplt[unit]) && (iplt[unit] == iplbuf[unit] + IPLLOGSIZE))
+ iplt[unit] = iplbuf[unit];
+
+ if (sx && !(ret = UIOMOVE(iplt[unit], sx, UIO_READ, uio))) {
+ iplt[unit] += sx;
+ iplused[unit] -= sx;
+ if ((iplh[unit] < iplt[unit]) && (iplt[unit] == iplbuf[unit] + IPLLOGSIZE))
+ iplt[unit] = iplbuf[unit];
}
- if (!iplused) /* minimise wrapping around the end */
- iplh = iplt = iplbuf;
+ if (!iplused[unit]) /* minimise wrapping around the end */
+ iplh[unit] = iplt[unit] = iplbuf[unit];
}
SPLX(s);
return ret;
}
# endif /* IPFILTER_LOG */
-#endif /* linux */
-#ifdef IPFILTER_LOG
-int ipllog(flags, ip, fin, m)
+# ifdef IPFILTER_LOG
+int ipllog(flags, dev, ip, fin, m)
u_int flags;
+int dev;
ip_t *ip;
register fr_info_t *fin;
struct mbuf *m;
@@ -597,16 +645,16 @@ struct mbuf *m;
mlen = (flags & FR_LOGBODY) ? MIN(ip->ip_len - hlen, 128) : 0;
len = hlen + sizeof(iplci) + mlen;
- if (iplused + len > LOGSIZE)
+ if (iplused[dev] + len > IPLLOGSIZE)
return 0;
- iplused += len;
+ iplused[dev] += len;
-# ifdef sun
+# ifdef sun
uniqtime(&iplci);
-# endif
-# if BSD >= 199306 || defined(__FreeBSD__)
+# endif
+# if BSD >= 199306 || defined(__FreeBSD__)
microtime((struct timeval *)&iplci);
-# endif
+# endif
iplci.flags = flags;
iplci.hlen = (u_char)hlen;
iplci.plen = (u_char)mlen;
@@ -619,22 +667,25 @@ struct mbuf *m;
if ((iplci.ifname[1] = ifp->if_name[1]))
if ((iplci.ifname[2] = ifp->if_name[2]))
iplci.ifname[3] = ifp->if_name[3];
-# endif
+# endif
+ if (iplh[dev] == iplbuf[dev] + IPLLOGSIZE)
+ iplh[dev] = iplbuf[dev];
+
/*
* Gauranteed to succeed from above
*/
- (void) fr_copytolog(&iplci, sizeof(iplci));
+ (void) fr_copytolog(dev, (char *)&iplci, sizeof(iplci));
for (len -= sizeof(iplci); m && len > 0; m = m->m_next, len -= hlen) {
hlen = MIN(len, m->m_len);
- if (fr_copytolog(mtod(m, char *), hlen))
+ if (fr_copytolog(dev, mtod(m, char *), hlen))
break;
}
- wakeup(iplbuf);
+ wakeup(iplbuf[dev]);
return 1;
}
-#endif /* IPFILTER_LOG */
+# endif /* IPFILTER_LOG */
/*
* send_reset - this could conceivably be a call to tcp_respond(), but that
@@ -651,22 +702,22 @@ struct tcpiphdr *ti;
if (ti->ti_flags & TH_RST)
return -1; /* feedback loop */
-#if BSD < 199306
+# if BSD < 199306
m = m_get(M_DONTWAIT, MT_HEADER);
-#else
+# else
m = m_gethdr(M_DONTWAIT, MT_HEADER);
m->m_data += max_linkhdr;
-#endif
+# endif
if (m == NULL)
return -1;
if (ti->ti_flags & TH_SYN)
tlen = 1;
m->m_len = sizeof (struct tcpiphdr);
-#if BSD >= 199306
+# if BSD >= 199306
m->m_pkthdr.len = sizeof (struct tcpiphdr);
m->m_pkthdr.rcvif = (struct ifnet *)0;
-#endif
+# endif
bzero(mtod(m, char *), sizeof(struct tcpiphdr));
ip = mtod(m, struct ip *);
tp = mtod(m, struct tcpiphdr *);
@@ -686,11 +737,11 @@ struct tcpiphdr *ti;
ip->ip_tos = ((struct ip *)ti)->ip_tos;
ip->ip_p = ((struct ip *)ti)->ip_p;
ip->ip_len = sizeof (struct tcpiphdr);
-#if BSD < 199306
+# if BSD < 199306
ip->ip_ttl = tcp_ttl;
-#else
+# else
ip->ip_ttl = ip_defttl;
-#endif
+# endif
/*
* extra 0 in case of multicast
@@ -700,13 +751,18 @@ struct tcpiphdr *ti;
}
-#ifndef IPFILTER_LKM
-void iplinit()
+# ifndef IPFILTER_LKM
+# if BSD < 199306
+int
+# else
+void
+# endif
+iplinit()
{
(void) iplattach();
ip_init();
}
-#endif
+# endif
void ipfr_fastroute(m0, fin, fdp)
@@ -738,12 +794,12 @@ frdest_t *fdp;
#if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__)
# ifdef RTF_CLONING
rtalloc_ign(ro, RTF_CLONING);
-# else
+# else
rtalloc_ign(ro, RTF_PRCLONING);
-# endif
-#else
+# endif
+# else
rtalloc(ro);
-#endif
+# endif
if (!ifp) {
if (!(fin->fin_fr->fr_flags & FR_FASTROUTE)) {
error = -2;
@@ -773,19 +829,19 @@ frdest_t *fdp;
* If small enough for interface, can just send directly.
*/
if (ip->ip_len <= ifp->if_mtu) {
-#ifndef sparc
+# ifndef sparc
ip->ip_id = htons(ip->ip_id);
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
-#endif
+# endif
if (!ip->ip_sum)
ip->ip_sum = in_cksum(m, hlen);
-#if BSD >= 199306
+# if BSD >= 199306
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
ro->ro_rt);
-#else
+# else
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst);
-#endif
+# endif
goto done;
}
/*
@@ -818,11 +874,11 @@ frdest_t *fdp;
error = ENOBUFS;
goto bad;
}
-#if BSD >= 199306
+# if BSD >= 199306
m->m_data += max_linkhdr;
-#else
+# else
m->m_off = MMAXOFF - hlen;
-#endif
+# endif
mhip = mtod(m, struct ip *);
bcopy((char *)ip, (char *)mhip, sizeof(*ip));
if (hlen > sizeof (struct ip)) {
@@ -843,9 +899,9 @@ frdest_t *fdp;
error = ENOBUFS; /* ??? */
goto sendorfree;
}
-#ifndef sparc
+# ifndef sparc
mhip->ip_off = htons((u_short)mhip->ip_off);
-#endif
+# endif
mhip->ip_sum = 0;
mhip->ip_sum = in_cksum(m, mhlen);
*mnext = m;
@@ -865,13 +921,13 @@ sendorfree:
m0 = m->m_act;
m->m_act = 0;
if (error == 0)
-#if BSD >= 199306
+# if BSD >= 199306
error = (*ifp->if_output)(ifp, m,
(struct sockaddr *)dst, ro->ro_rt);
-#else
+# else
error = (*ifp->if_output)(ifp, m,
(struct sockaddr *)dst);
-#endif
+# endif
else
m_freem(m);
}
@@ -885,3 +941,159 @@ bad:
m_freem(m);
goto done;
}
+#else /* #ifdef _KERNEL */
+
+
+static int no_output __P((struct ifnet *ifp, struct mbuf *m,
+ struct sockaddr *s, struct rtentry *rt))
+{
+ return 0;
+}
+
+
+# ifdef __STDC__
+static int write_output __P((struct ifnet *ifp, struct mbuf *m,
+ struct sockaddr *s, struct rtentry *rt))
+{
+ ip_t *ip = (ip_t *)m;
+# else
+static int write_output(ifp, ip)
+struct ifnet *ifp;
+ip_t *ip;
+{
+# endif
+ FILE *fp;
+ char fname[32];
+
+#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606))
+ sprintf(fname, "/tmp/%s", ifp->if_xname);
+ if ((fp = fopen(fname, "a"))) {
+ fclose(fp);
+ }
+#else
+ sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
+ if ((fp = fopen(fname, "a"))) {
+ fwrite((char *)ip, ntohs(ip->ip_len), 1, fp);
+ fclose(fp);
+ }
+#endif
+}
+
+
+struct ifnet *get_unit(name)
+char *name;
+{
+ struct ifnet *ifp, **ifa;
+#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606))
+ for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
+ if (!strcmp(name, ifp->if_xname))
+ return ifp;
+ }
+#else
+ char ifname[32], *s;
+
+ for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
+ (void) sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit);
+ if (!strcmp(name, ifname))
+ return ifp;
+ }
+#endif
+
+ if (!ifneta) {
+ ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
+ ifneta[1] = NULL;
+ ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
+ nifs = 1;
+ } else {
+ nifs++;
+ ifneta = (struct ifnet **)realloc(ifneta,
+ (nifs + 1) * sizeof(*ifa));
+ ifneta[nifs] = NULL;
+ ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
+ }
+ ifp = ifneta[nifs - 1];
+
+#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606))
+ strncpy(ifp->if_xname, name, sizeof(ifp->if_xname));
+#else
+ for (s = name; *s && !isdigit(*s); s++)
+ ;
+ if (*s && isdigit(*s)) {
+ ifp->if_unit = atoi(s);
+ ifp->if_name = (char *)malloc(s - name + 1);
+ strncpy(ifp->if_name, name, s - name);
+ ifp->if_name[s - name] = '\0';
+ } else {
+ ifp->if_name = strdup(name);
+ ifp->if_unit = -1;
+ }
+#endif
+ ifp->if_output = no_output;
+ return ifp;
+}
+
+
+void init_ifp()
+{
+ FILE *fp;
+ struct ifnet *ifp, **ifa;
+ char fname[32];
+#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606))
+ for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
+ ifp->if_output = write_output;
+ sprintf(fname, "/tmp/%s", ifp->if_xname);
+ if ((fp = fopen(fname, "w")))
+ fclose(fp);
+ }
+#else
+
+ for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
+ ifp->if_output = write_output;
+ sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
+ if ((fp = fopen(fname, "w")))
+ fclose(fp);
+ }
+#endif
+}
+
+
+void ipfr_fastroute(ip, fin, fdp)
+ip_t *ip;
+fr_info_t *fin;
+frdest_t *fdp;
+{
+ struct ifnet *ifp = fdp->fd_ifp;
+
+ if (!ifp)
+ return; /* no routing table out here */
+
+ ip->ip_len = htons((u_short)ip->ip_len);
+ ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
+ ip->ip_sum = 0;
+ (*ifp->if_output)(ifp, (void *)ip, NULL, 0);
+}
+
+
+void ipllog()
+{
+ verbose("l");
+}
+
+
+int send_reset(ip, ifp)
+ip_t *ip;
+struct ifnet *ifp;
+{
+ verbose("- TCP RST sent\n");
+ return 0;
+}
+
+
+int icmp_error(ip, ifp)
+ip_t *ip;
+struct ifnet *ifp;
+{
+ verbose("- TCP RST sent\n");
+ return 0;
+}
+#endif /* _KERNEL */
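Review bot: `write_output` is declared `int` but falls off the end without returning a value, and both it and `init_ifp` build `fname[32]` with an unbounded `sprintf` from an interface name that `get_unit` copies out of a rule's `fr_ifname` — it only fits if that field is NUL-terminated, which nothing here checks — so use `snprintf(fname, sizeof(fname), "/tmp/%s%d", ifp->if_name, ifp->if_unit);` and `return 0;`. Those fixed `/tmp/<ifname>` paths are predictable and opened with `fopen(..., "w")`/`"a"`, which follows a symlink planted by another local user; acceptable for a test tool only if documented, e.g. `/* ipftest only: dumps packets to a predictable /tmp path; do not run as root */` above `write_output`. In `get_unit` the first `ifnet` is `calloc`'d but later ones come from `malloc`, leaving every field other than `if_name`/`if_unit`/`if_output` indeterminate, none of the allocations is checked, and the NetBSD `strncpy` into `if_xname` does not guarantee termination — `calloc(1, sizeof(*ifp))` in both branches fixes the first. The `icmp_error` stub prints `- TCP RST sent`, presumably a copy of `send_reset`; `- ICMP error sent\n` would make ipftest output meaningful.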
diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h
index 389a161bc2df..4f0bfa98d09d 100644
--- a/sys/netinet/ip_fil.h
+++ b/sys/netinet/ip_fil.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ip_fil.h,v 2.0.1.2 1997/01/10 00:28:15 darrenr Exp $
+ * $Id: ip_fil.h,v 1.1.1.2 1997/04/03 10:10:58 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@@ -19,20 +19,12 @@
#if defined(KERNEL) && !defined(_KERNEL)
#define _KERNEL
#endif
-#if SOLARIS
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-# ifdef _KERNEL
-# include <inet/common.h>
-/*
- * because Solaris 2 defines these in two places :-/
- */
-#undef IPOPT_EOL
-#undef IPOPT_NOP
-#undef IPOPT_LSRR
-#undef IPOPT_RR
-#undef IPOPT_SSRR
-# include <inet/ip.h>
+
+#ifndef __P
+# ifdef __STDC__
+# define __P(x) x
+# else
+# define __P(x) ()
# endif
#endif
@@ -118,9 +110,12 @@ typedef struct frdest {
typedef struct frentry {
struct frentry *fr_next;
struct ifnet *fr_ifa;
- u_long fr_hits;
- u_long fr_bytes; /* this is only incremented when a packet */
- /* matches this rule and it is the last match*/
+ /*
+ * There are only incremented when a packet matches this rule and
+ * it is the last match
+ */
+ U_QUAD_T fr_hits;
+ U_QUAD_T fr_bytes;
/*
* Fields after this may not change whilst in the kernel.
*/
@@ -140,7 +135,7 @@ typedef struct frentry {
u_short fr_stop; /* top port for <> and >< */
u_short fr_dtop; /* top port for <> and >< */
u_long fr_flags; /* per-rule flags && options (see below) */
- int (*fr_func)(); /* call this function */
+ int (*fr_func) __P((int, struct ip *, fr_info_t *)); /* call this function */
char fr_icode; /* return ICMP code */
char fr_ifname[IFNAMSIZ];
struct frdest fr_tif; /* "to" interface */
@@ -162,7 +157,7 @@ typedef struct frentry {
/*
* fr_flags
-*/
+ */
#define FR_BLOCK 0x00001
#define FR_PASS 0x00002
#define FR_OUTQUE 0x00004
@@ -276,18 +271,100 @@ typedef struct ipl_ci {
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
#define IPLLOGSIZE 8192
-extern int fr_check();
-extern int fr_copytolog();
-extern fr_info_t frcache[];
-extern char *iplh, *iplt;
-extern char iplbuf[IPLLOGSIZE];
+/*
+ * Device filenames. Use ipf on Solaris2 because ipl is already a name used
+ * by something else.
+ */
+#ifndef IPL_NAME
+# if SOLARIS
+# define IPL_NAME "/dev/ipf"
+# else
+# define IPL_NAME "/dev/ipl"
+# endif
+#endif
+#define IPL_NAT "/dev/ipnat"
+#define IPL_STATE "/dev/ipstate"
+#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
+#define IPL_LOGNAT 1
+#define IPL_LOGSTATE 2
-#ifdef _KERNEL
+#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
+ (__FreeBSD_version >= 220000)
+# define CDEV_MAJOR 79
+#endif
-extern struct frentry *ipfilter[2][2], *ipacct[2][2];
-extern struct filterstats frstats[];
+#ifndef _KERNEL
+extern int fr_check __P((struct ip *, int, struct ifnet *, int, char *));
+extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *,
+ int, char *));
+extern int send_reset __P((struct ip *, struct ifnet *));
+extern int icmp_error __P((struct ip *, struct ifnet *));
+extern void ipllog __P((void));
+extern void ipfr_fastroute __P((struct ip *, fr_info_t *, frdest_t *));
+#else
# if SOLARIS
-extern int ipfsync();
+extern int fr_check __P((struct ip *, int, struct ifnet *, int, qif_t *,
+ queue_t *, mblk_t **));
+extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *,
+ int, qif_t *, queue_t *, mblk_t *));
+extern int icmp_error __P((queue_t *, ip_t *, int, int, qif_t *,
+ struct in_addr));
+# else
+extern int fr_check __P((struct ip *, int, struct ifnet *, int,
+ struct mbuf **));
+extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
+ struct mbuf **));
+extern int send_reset __P((struct tcpiphdr *));
+extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *));
+extern void ipfr_fastroute __P((struct mbuf *, fr_info_t *, frdest_t *));
# endif
+#endif
+extern int fr_copytolog __P((int, char *, int));
+extern int ipl_unreach;
+extern fr_info_t frcache[];
+extern char *iplh[3], *iplt[3];
+extern char iplbuf[3][IPLLOGSIZE];
+extern int iplused[3];
+extern struct frentry *ipfilter[2][2], *ipacct[2][2];
+extern struct filterstats frstats[];
+
+#ifndef _KERNEL
+extern int iplioctl __P((dev_t, int, caddr_t, int));
+extern int iplopen __P((dev_t, int));
+extern int iplclose __P((dev_t, int));
+#else
+extern int iplattach __P((void));
+extern int ipldetach __P((void));
+# if SOLARIS
+extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *));
+extern int iplopen __P((dev_t *, int, int, cred_t *));
+extern int iplclose __P((dev_t, int, int, cred_t *));
+extern int ipfsync __P((void));
+# ifdef IPFILTER_LOG
+extern int iplread __P((dev_t, struct uio *, cred_t *));
+# endif
+# else
+# ifdef IPFILTER_LKM
+extern int iplidentify __P((char *));
+# endif
+# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 199612)
+extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
+extern int iplopen __P((dev_t, int, int, struct proc *));
+extern int iplclose __P((dev_t, int, int, struct proc *));
+# else
+extern int iplioctl __P((dev_t, int, caddr_t, int));
+extern int iplopen __P((dev_t, int));
+extern int iplclose __P((dev_t, int));
+# endif /* (_BSDI_VERSION >= 199510) */
+# ifdef IPFILTER_LOG
+# if BSD >= 199306
+extern int iplread __P((dev_t, struct uio *, int));
+# else
+extern int iplread __P((dev_t, struct uio *));
+# endif /* BSD >= 199306 */
+# else
+# define iplread noread
+# endif /* IPFILTER_LOG */
+# endif /* SOLARIS */
#endif /* _KERNEL */
#endif /* __IP_FIL_H__ */
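Review bot: The per-log arrays are declared with a bare bound repeated four times, `extern char *iplh[3], *iplt[3];`, `extern char iplbuf[3][IPLLOGSIZE];` and `extern int iplused[3];`, while the indices they are used with are the IPL_LOGIPF/IPL_LOGNAT/IPL_LOGSTATE minors defined a few lines above. A named count next to those minors, e.g. `#define IPL_NLOGS (IPL_LOGSTATE + 1)` used in all four declarations and in the matching definitions, ties the bound to the minor numbers so adding a log device cannot leave one array short; nat_log and ipstate_log in this commit index these arrays by minor without any range check, so the bound is the only thing keeping those writes inside the arrays. The hard-coded `# define CDEV_MAJOR 79` would also benefit from a one-line comment saying where the number is registered, since nothing here explains it.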
diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c
index 7ed97ceb56fd..dbe852e9cd82 100644
--- a/sys/netinet/ip_frag.c
+++ b/sys/netinet/ip_frag.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp $";
+static char rcsid[] = "$Id: ip_frag.c,v 1.1.1.3 1997/04/03 10:11:03 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@@ -17,12 +17,19 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <sys/file.h>
+#if defined(__FreeBSD__) && (__FreeBSD__ >= 3)
+#include <sys/ioccom.h>
+#include <sys/filio.h>
+#include <sys/fcntl.h>
+#else
#include <sys/ioctl.h>
+#endif
#include <sys/uio.h>
#include <sys/protosw.h>
#include <sys/socket.h>
-#ifdef _KERNEL
+#ifdef _KERNEL
# include <sys/systm.h>
#endif
#if !defined(__SVR4) && !defined(__svr4__)
@@ -47,8 +54,8 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp
#include <netinet/udp.h>
#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
-#include "ip_fil.h"
#include "ip_compat.h"
+#include "ip_fil.h"
#include "ip_frag.h"
#include "ip_nat.h"
#include "ip_state.h"
@@ -69,6 +76,13 @@ extern kmutex_t ipf_frag;
# endif
#endif
+#ifdef __FreeBSD__
+# if BSD < 199306
+int ipfr_slowtimer __P((void));
+# else
+void ipfr_slowtimer __P((void));
+# endif
+#endif /* __FreeBSD__ */
ipfrstat_t *ipfr_fragstats()
{
@@ -114,7 +128,8 @@ int pass;
return -1;
}
- if (!(fr = (ipfr_t *)KMALLOC(sizeof(*fr)))) {
+ KMALLOC(fr, ipfr_t *, sizeof(*fr));
+ if (fr == NULL) {
ipfr_stats.ifs_nomem++;
MUTEX_EXIT(&ipf_frag);
return -1;
@@ -230,10 +245,10 @@ void ipfr_unload()
* Slowly expire held state for fragments. Timeouts are set * in expectation
* of this being called twice per second.
*/
-# if BSD < 199306
-int ipfr_slowtimer()
-# else
+# if (BSD >= 199306) || SOLARIS
void ipfr_slowtimer()
+# else
+int ipfr_slowtimer()
# endif
{
ipfr_t **fp, *fr;
diff --git a/sys/netinet/ip_frag.h b/sys/netinet/ip_frag.h
index a356785e528c..0e8fe90ccc54 100644
--- a/sys/netinet/ip_frag.h
+++ b/sys/netinet/ip_frag.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_frag.h 1.5 3/24/96
- * $Id: ip_frag.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $
+ * $Id: ip_frag.h,v 1.1.1.2 1997/04/03 10:11:06 darrenr Exp $
*/
#ifndef __IP_FRAG_H_
@@ -39,9 +39,13 @@ typedef struct ipfrstat {
#define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1)
-extern ipfrstat_t *ipfr_fragstats();
-extern int ipfr_newfrag(), ipfr_knownfrag();
-# ifdef _KERNEL
-extern void ipfr_unload();
-# endif
+extern ipfrstat_t *ipfr_fragstats __P((void));
+extern int ipfr_newfrag __P((ip_t *, fr_info_t *, int));
+extern int ipfr_knownfrag __P((ip_t *, fr_info_t *));
+extern void ipfr_unload __P((void));
+#if (BSD >= 199306) || SOLARIS
+extern void ipfr_slowtimer __P((void));
+#else
+extern int ipfr_slowtimer __P((void));
+#endif
#endif /* __IP_FIL_H__ */
diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c
index ee59a6cda1dd..146b4906c60d 100644
--- a/sys/netinet/ip_nat.c
+++ b/sys/netinet/ip_nat.c
@@ -9,7 +9,11 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp $";
+static char rcsid[] = "$Id: ip_nat.c,v 1.1.1.3 1997/04/03 10:11:11 darrenr Exp $";
+#endif
+
+#if defined(__FreeBSD__) && defined(KERNEL)
+#define _KERNEL
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
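Review bot: The new `#if defined(__FreeBSD__) && defined(KERNEL)` block defines `_KERNEL` without the `!defined(_KERNEL)` guard that the equivalent block in ip_fil.h carries, so a build that already defines `_KERNEL` (typically as `1`) would see a redefinition with a different replacement list, which compilers diagnose. Adding the same guard, `#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)`, keeps the two files consistent and avoids the diagnostic.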
@@ -20,12 +24,13 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#include <sys/uio.h>
#include <sys/protosw.h>
#include <sys/socket.h>
-#ifdef _KERNEL
+#ifdef _KERNEL
# include <sys/systm.h>
#endif
#if !defined(__SVR4) && !defined(__svr4__)
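Review bot: This include block keeps `#include <sys/ioctl.h>` unconditional, whereas the corresponding hunks in ip_frag.c and ip_state.c in this same commit replace it on FreeBSD 3 with `<sys/ioccom.h>`, `<sys/filio.h>` and `<sys/fcntl.h>`. If that conditional was introduced because the FreeBSD 3 header is not intended for kernel code, ip_nat.c should receive the same `#if defined(__FreeBSD__) && (__FreeBSD__ >= 3)` treatment; if it was not needed here, a short comment saying why would stop the next reader from "fixing" it.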
@@ -57,8 +62,8 @@ extern struct ifnet vpnif;
#include <netinet/udp.h>
#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
-#include "ip_fil.h"
#include "ip_compat.h"
+#include "ip_fil.h"
#include "ip_nat.h"
#include "ip_state.h"
#ifndef MIN
@@ -80,10 +85,13 @@ extern kmutex_t ipf_nat;
# endif
#endif
-static int flush_nattable(), clear_natlist();
-static void nattable_sync();
+static int flush_nattable __P((void)), clear_natlist __P((void));
+static void nattable_sync __P((void)), nat_delete __P((struct nat *));
+static nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int));
+static void fix_outcksum __P((u_short *, u_long));
+static void fix_incksum __P((u_short *, u_long));
-void fix_outcksum(sp, n)
+static void fix_outcksum(sp, n)
u_short *sp;
u_long n;
{
@@ -104,7 +112,7 @@ u_long n;
}
-void fix_incksum(sp, n)
+static void fix_incksum(sp, n)
u_short *sp;
u_long n;
{
@@ -182,7 +190,8 @@ int cmd, mode;
error = EEXIST;
break;
}
- if (!(n = (ipnat_t *)KMALLOC(sizeof(*n)))) {
+ KMALLOC(n, ipnat_t *, sizeof(*n));
+ if (n == NULL) {
error = ENOMEM;
break;
}
@@ -365,7 +374,7 @@ static int clear_natlist()
/*
* Create a new NAT table entry.
*/
-nat_t *nat_new(np, ip, fin, flags, direction)
+static nat_t *nat_new(np, ip, fin, flags, direction)
ipnat_t *np;
ip_t *ip;
fr_info_t *fin;
@@ -387,15 +396,22 @@ int direction;
}
/* Give me a new nat */
- if (!(nat = (nat_t *)KMALLOC(sizeof(*nat))))
+ KMALLOC(nat, nat_t *, sizeof(*nat));
+ if (nat == NULL)
return NULL;
bzero((char *)nat, sizeof(*nat));
+ nat->nat_flags = flags;
/*
* Search the current table for a match.
*/
if (direction == NAT_OUTBOUND) {
+#if SOLARIS
+ ill_t *ill = fin->fin_ifp;
+#else
+ struct ifnet *ifp = fin->fin_ifp;
+#endif
/*
* If it's an outbound packet which doesn't match any existing
* record, then create a new port
@@ -403,6 +419,34 @@ int direction;
do {
port = 0;
in.s_addr = np->in_nip;
+ if (!in.s_addr && (np->in_outmsk == 0xffffffff)) {
+#if SOLARIS
+ in.s_addr = ill->ill_ipif->ipif_local_addr;
+#else
+ struct ifaddr *ifa;
+ struct sockaddr_in *sin;
+
+ ifa = ifp->if_addrlist;
+# if BSD < 199306
+ sin = (struct sockaddr_in *)&ifa->ifa_addr;
+# else
+ sin = (struct sockaddr_in *)ifa->ifa_addr;
+ while (sin && ifa &&
+ sin->sin_family != AF_INET) {
+ ifa = ifa->ifa_next;
+ sin = (struct sockaddr_in *)ifa->ifa_addr;
+ }
+ if (!ifa)
+ sin = NULL;
+ if (!sin) {
+ KFREE(nat);
+ return NULL;
+ }
+# endif
+ in = sin->sin_addr;
+ in.s_addr = ntohl(in.s_addr);
+#endif
+ }
if (nflags & IPN_TCPUDP) {
port = htons(np->in_pnext++);
if (np->in_pnext >= ntohs(np->in_pmax)) {
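Review bot: The interface-address walk added under `if (!in.s_addr && (np->in_outmsk == 0xffffffff))` dereferences a NULL pointer before reaching its own NULL checks: `sin = (struct sockaddr_in *)ifa->ifa_addr;` runs before `ifa` is tested, so an interface whose `if_addrlist` is empty faults, and inside the loop `ifa = ifa->ifa_next; sin = (struct sockaddr_in *)ifa->ifa_addr;` dereferences `ifa` exactly when the list ends without an AF_INET entry, the case the later `if (!ifa)` is meant to catch. The `BSD < 199306` branch has no NULL or family check at all and takes whatever the first address is. Since this runs on the outbound packet path, the failure mode is a kernel fault instead of the intended `KFREE(nat); return NULL;`; walking the list with the test ahead of the dereference, as below, restores that. nat_new's signature is in the preceding hunk and its body continues past this one.

```c
			struct ifaddr *ifa;
			struct sockaddr_in *sin = NULL;

			/* … unchanged: SOLARIS branch above … */
			for (ifa = ifp->if_addrlist; ifa; ifa = ifa->ifa_next) {
# if BSD < 199306
				sin = (struct sockaddr_in *)&ifa->ifa_addr;
# else
				sin = (struct sockaddr_in *)ifa->ifa_addr;
# endif
				if (sin && sin->sin_family == AF_INET)
					break;
			}
			if (!ifa) {
				KFREE(nat);
				return NULL;
			}
			in = sin->sin_addr;
			in.s_addr = ntohl(in.s_addr);
```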
@@ -555,8 +599,9 @@ u_short sport, mapdport;
for (; nat; nat = nat->nat_hnext[1])
if (nat->nat_oip.s_addr == src.s_addr &&
nat->nat_outip.s_addr == mapdst.s_addr &&
- (!flags || (nat->nat_oport == sport &&
- nat->nat_outport == mapdport)))
+ flags == nat->nat_flags && (!flags ||
+ (nat->nat_oport == sport &&
+ nat->nat_outport == mapdport)))
return nat;
return NULL;
}
@@ -581,8 +626,8 @@ u_short sport, dport;
for (; nat; nat = nat->nat_hnext[0])
if (nat->nat_inip.s_addr == src.s_addr &&
nat->nat_oip.s_addr == dst.s_addr &&
- (!flags || (nat->nat_inport == sport &&
- nat->nat_oport == dport)))
+ flags == nat->nat_flags && (!flags ||
+ (nat->nat_inport == sport && nat->nat_oport == dport)))
return nat;
return NULL;
}
@@ -606,8 +651,9 @@ u_short mapsport, dport;
for (; nat; nat = nat->nat_hnext[0])
if (nat->nat_outip.s_addr == mapsrc.s_addr &&
nat->nat_oip.s_addr == dst.s_addr &&
- (!flags || (nat->nat_outport == mapsport &&
- nat->nat_oport == dport)))
+ flags == nat->nat_flags && (!flags ||
+ (nat->nat_outport == mapsport &&
+ nat->nat_oport == dport)))
return nat;
return NULL;
}
@@ -684,17 +730,20 @@ fr_info_t *fin;
*/
if (!(nat = nat_outlookup(nflags, ip->ip_src, sport,
ip->ip_dst, dport))) {
- if (np->in_redir == NAT_REDIRECT)
- continue;
/*
- * if it's a redirection, then we don't want
+ * If it's a redirection, then we don't want
* to create new outgoing port stuff.
* Redirections are only for incoming
* connections.
*/
+ if (np->in_redir == NAT_REDIRECT)
+ continue;
if (!(nat = nat_new(np, ip, fin, nflags,
NAT_OUTBOUND)))
break;
+#ifdef IPFILTER_LOG
+ nat_log(nat, (u_short)np->in_redir);
+#endif
}
ip->ip_src = nat->nat_outip;
@@ -719,8 +768,8 @@ fr_info_t *fin;
if (ip->ip_p == IPPROTO_TCP) {
csump = &tcp->th_sum;
- set_tcp_age(&nat->nat_age,
- nat->nat_state, ip, fin,1);
+ fr_tcp_age(&nat->nat_age,
+ nat->nat_state, ip, fin,1);
} else if (ip->ip_p == IPPROTO_UDP) {
udphdr_t *udp = (udphdr_t *)tcp;
@@ -787,20 +836,20 @@ fr_info_t *fin;
(np->in_redir == NAT_MAP || np->in_pmin == dport)) {
if (!(nat = nat_inlookup(nflags, ip->ip_src, sport,
ip->ip_dst, dport))) {
+ /*
+ * If this rule (np) is a redirection, rather
+ * than a mapping, then do a nat_new.
+ * Otherwise, if it's just a mapping, do a
+ * continue;
+ */
if (np->in_redir == NAT_MAP)
continue;
- else {
- /*
- * If this rule (np) is a redirection,
- * rather than a mapping, then do a
- * nat_new. Otherwise, if it's just a
- * mapping, do a continue;
- */
- if (!(nat = nat_new(np, ip, fin,
- nflags,
- NAT_INBOUND)))
- break;
- }
+ if (!(nat = nat_new(np, ip, fin, nflags,
+ NAT_INBOUND)))
+ break;
+#ifdef IPFILTER_LOG
+ nat_log(nat, (u_short)np->in_redir);
+#endif
}
ip->ip_dst = nat->nat_inip;
@@ -824,8 +873,8 @@ fr_info_t *fin;
if (ip->ip_p == IPPROTO_TCP) {
csump = &tcp->th_sum;
- set_tcp_age(&nat->nat_age,
- nat->nat_state, ip, fin,0);
+ fr_tcp_age(&nat->nat_age,
+ nat->nat_state, ip, fin,0);
} else if (ip->ip_p == IPPROTO_UDP) {
udphdr_t *udp = (udphdr_t *)tcp;
@@ -887,9 +936,61 @@ void ip_natexpire()
continue;
}
*natp = nat->nat_next;
+#ifdef IPFILTER_LOG
+ nat_log(nat, NL_EXPIRE);
+#endif
nat_delete(nat);
nat_stats.ns_expire++;
}
SPLX(s);
MUTEX_EXIT(&ipf_nat);
}
+
+
+#ifdef IPFILTER_LOG
+void nat_log(nat, type)
+struct nat *nat;
+u_short type;
+{
+ struct ipnat *np;
+ struct natlog natl;
+ int rulen;
+
+ if (iplused[IPL_LOGNAT] + sizeof(natl) > IPLLOGSIZE) {
+ nat_stats.ns_logfail++;
+ return;
+ }
+
+ if (iplh[IPL_LOGNAT] == iplbuf[IPL_LOGNAT] + IPLLOGSIZE)
+ iplh[IPL_LOGNAT] = iplbuf[IPL_LOGNAT];
+
+# ifdef sun
+ uniqtime(&natl);
+# endif
+# if BSD >= 199306 || defined(__FreeBSD__)
+ microtime((struct timeval *)&natl);
+# endif
+ natl.nl_origport = nat->nat_oport;
+ natl.nl_outport = nat->nat_outport;
+ natl.nl_inport = nat->nat_inport;
+ natl.nl_origip = nat->nat_oip;
+ natl.nl_outip = nat->nat_outip;
+ natl.nl_inip = nat->nat_inip;
+ natl.nl_type = type;
+ natl.nl_rule = -1;
+ if (nat->nat_ptr) {
+ for (rulen = 0, np = nat_list; np; np = np->in_next, rulen++)
+ if (np == nat->nat_ptr) {
+ natl.nl_rule = rulen;
+ break;
+ }
+ }
+
+ if (!fr_copytolog(IPL_LOGNAT, (char *)&natl, sizeof(natl))) {
+ iplused[IPL_LOGNAT] += sizeof(natl);
+ nat_stats.ns_logged++;
+ } else
+ nat_stats.ns_logfail++;
+ wakeup(iplbuf[IPL_LOGNAT]);
+}
+#endif
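Review bot: `microtime((struct timeval *)&natl);` (and the `uniqtime(&natl)` above it) silently rely on `nl_tv` being the first member of `struct natlog`; `microtime(&natl.nl_tv)` states the intent and survives any reordering of the struct, and the same cast appears in ipstate_log in ip_state.c in this commit. The record is assembled on the stack and handed verbatim to `fr_copytolog` for the buffer userland reads, so every byte of `natl` should be assigned or zeroed first; the members shown are all set here, but a `bzero((char *)&natl, sizeof(natl));` after the declaration keeps that true if padding or new members appear later. `wakeup(iplbuf[IPL_LOGNAT])` is also issued when the copy failed and nothing new is readable, which looks unintended even if harmless.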
diff --git a/sys/netinet/ip_nat.h b/sys/netinet/ip_nat.h
index d64183ac3920..6dcd28be4185 100644
--- a/sys/netinet/ip_nat.h
+++ b/sys/netinet/ip_nat.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.0.1.7 1997/01/30 12:39:41 darrenr Exp $
+ * $Id: ip_nat.h,v 1.1.1.2 1997/04/03 10:11:19 darrenr Exp $
*/
#ifndef __IP_NAT_H_
@@ -40,7 +40,8 @@
#define NAT_SIZE 367
typedef struct nat {
- int nat_age;
+ u_long nat_age;
+ int nat_flags;
u_long nat_sumd;
u_long nat_ipsumd;
struct in_addr nat_inip;
@@ -101,6 +102,8 @@ typedef struct natstat {
u_long ns_added;
u_long ns_expire;
u_long ns_inuse;
+ u_long ns_logged;
+ u_long ns_logfail;
nat_t **ns_table[2];
ipnat_t *ns_list;
} natstat_t;
@@ -110,9 +113,37 @@ typedef struct natstat {
#define IPN_UDP 2
#define IPN_TCPUDP 3
+
+typedef struct natlog {
+ struct timeval nl_tv;
+ struct in_addr nl_origip;
+ struct in_addr nl_outip;
+ struct in_addr nl_inip;
+ u_short nl_origport;
+ u_short nl_outport;
+ u_short nl_inport;
+ u_short nl_type;
+ int nl_rule;
+} natlog_t;
+
+
+#define NL_NEWMAP NAT_MAP
+#define NL_NEWRDR NAT_REDIRECT
+#define NL_EXPIRE 0xffff
+
+
extern nat_t *nat_table[2][NAT_SIZE];
-extern int nat_ioctl();
-extern nat_t *nat_outlookup(), *nat_inlookup(), *nat_lookupredir();
-extern int ip_natout(), ip_natin();
-extern void ip_natunload(), ip_natexpire();
+extern int nat_ioctl __P((caddr_t, int, int));
+extern nat_t *nat_outlookup __P((int, struct in_addr, u_short,
+ struct in_addr, u_short));
+extern nat_t *nat_inlookup __P((int, struct in_addr, u_short,
+ struct in_addr, u_short));
+extern nat_t *nat_lookupredir __P((natlookup_t *));
+extern nat_t *nat_lookupmapip __P((int, struct in_addr, u_short,
+ struct in_addr, u_short));
+
+extern int ip_natout __P((ip_t *, int, fr_info_t *));
+extern int ip_natin __P((ip_t *, int, fr_info_t *));
+extern void ip_natunload __P((void)), ip_natexpire __P((void));
+extern void nat_log __P((struct nat *, u_short));
#endif /* __IP_NAT_H__ */
diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c
index 2643ce95a633..e26b4f3c400b 100644
--- a/sys/netinet/ip_state.c
+++ b/sys/netinet/ip_state.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp $";
+static char rcsid[] = "$Id: ip_state.c,v 1.1.1.3 1997/04/03 10:11:29 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@@ -17,12 +17,19 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/time.h>
#include <sys/file.h>
+#if defined(__FreeBSD__) && (__FreeBSD__ >= 3)
+#include <sys/ioccom.h>
+#include <sys/filio.h>
+#include <sys/fcntl.h>
+#else
#include <sys/ioctl.h>
+#endif
#include <sys/uio.h>
#include <sys/protosw.h>
#include <sys/socket.h>
-#ifdef _KERNEL
+#ifdef _KERNEL
# include <sys/systm.h>
#endif
#if !defined(__SVR4) && !defined(__svr4__)
@@ -48,15 +55,13 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp
#include <netinet/udp.h>
#include <netinet/tcpip.h>
#include <netinet/ip_icmp.h>
-#include "ip_fil.h"
#include "ip_compat.h"
+#include "ip_fil.h"
#include "ip_state.h"
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
#endif
-void set_tcp_age();
-
#define TCP_CLOSE (TH_FIN|TH_RST)
ipstate_t *ips_table[IPSTATE_SIZE];
@@ -169,8 +174,8 @@ u_int pass;
*/
if ((tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN)
is->is_ack = 0; /* Trumpet WinSock 'ism */
- set_tcp_age(&is->is_age, is->is_state, ip, fin,
- tcp->th_sport == is->is_sport);
+ fr_tcp_age(&is->is_age, is->is_state, ip, fin,
+ tcp->th_sport == is->is_sport);
break;
}
case IPPROTO_UDP :
@@ -187,7 +192,8 @@ u_int pass;
return -1;
}
- if (!(is = (ipstate_t *)KMALLOC(sizeof(*is)))) {
+ KMALLOC(is, ipstate_t *, sizeof(*is));
+ if (is == NULL) {
ips_stats.iss_nomem++;
return -1;
}
@@ -197,9 +203,14 @@ u_int pass;
is->is_next = ips_table[hv];
ips_table[hv] = is;
is->is_pass = pass;
+ is->is_pkts = 1;
+ is->is_bytes = ip->ip_len;
if (pass & FR_LOGFIRST)
is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
ips_num++;
+#ifdef IPFILTER_LOG
+ ipstate_log(is, ISL_NEW);
+#endif
MUTEX_EXIT(&ipf_state);
return 0;
}
@@ -210,13 +221,7 @@ u_int pass;
* change timeout depending on whether new packet is a SYN-ACK returning for a
* SYN or a RST or FIN which indicate time to close up shop.
*/
-int fr_tcpstate(is, fin, ip, tcp, sport
-#ifndef _KERNEL
-,isp)
-ipstate_t **isp;
-#else
-)
-#endif
+int fr_tcpstate(is, fin, ip, tcp, sport)
register ipstate_t *is;
fr_info_t *fin;
ip_t *ip;
@@ -278,11 +283,13 @@ u_short sport;
is->is_dwin = ntohs(tcp->th_win);
}
ips_stats.iss_hits++;
+ is->is_pkts++;
+ is->is_bytes += ip->ip_len;
/*
* Nearing end of connection, start timeout.
*/
- set_tcp_age(&is->is_age, is->is_state, ip, fin,
- tcp->th_sport == is->is_sport);
+ fr_tcp_age(&is->is_age, is->is_state, ip, fin,
+ tcp->th_sport == is->is_sport);
return 1;
}
return 0;
@@ -301,7 +308,7 @@ fr_info_t *fin;
register u_char pr;
struct icmp *ic;
tcphdr_t *tcp;
- u_int hv, hlen;
+ u_int hv, hlen, pass;
if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT))
return 0;
@@ -336,6 +343,8 @@ fr_info_t *fin;
is->is_icmp.ics_type != ic->icmp_type)
continue;
is->is_age = fr_icmptimeout;
+ is->is_pkts++;
+ is->is_bytes += ip->ip_len;
ips_stats.iss_hits++;
MUTEX_EXIT(&ipf_state);
return is->is_pass;
@@ -357,7 +366,6 @@ fr_info_t *fin;
if (fr_tcpstate(is, fin, ip, tcp, sport)) {
#ifdef _KERNEL
MUTEX_EXIT(&ipf_state);
- return is->is_pass;
#else
int pass = is->is_pass;
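Review bot: In the `_KERNEL` build the `return pass;` that the following hunk moves below the `#endif` returns the outer `u_int pass` declared in the `u_int hv, hlen, pass;` hunk, and no assignment to it is visible on the TCP path before `MUTEX_EXIT(&ipf_state)`; the `int pass = is->is_pass;` here is a shadowing local that exists only in the userland build. Unless the lines between the two hunks assign it, a kernel build returns an indeterminate filter verdict for a matched TCP state. Reading the value while the lock is still held and before the `#ifdef`, i.e. `pass = is->is_pass;` as the first statement inside `if (fr_tcpstate(is, fin, ip, tcp, sport)) {` and deleting the `int pass = is->is_pass;` line, makes both builds agree and mirrors what the UDP hunk in this commit already does. fr_checkstate's body begins and ends outside these hunks.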
@@ -366,8 +374,8 @@ fr_info_t *fin;
isp = &ips_table[hv];
KFREE(is);
}
- return pass;
#endif
+ return pass;
}
}
MUTEX_EXIT(&ipf_state);
@@ -389,9 +397,12 @@ fr_info_t *fin;
PAIRS(sport, dport, is->is_sport, is->is_dport) &&
IPPAIR(src, dst, is->is_src, is->is_dst)) {
ips_stats.iss_hits++;
+ is->is_pkts++;
+ is->is_bytes += ip->ip_len;
is->is_age = fr_udptimeout;
+ pass = is->is_pass;
MUTEX_EXIT(&ipf_state);
- return is->is_pass;
+ return pass;
}
MUTEX_EXIT(&ipf_state);
break;
@@ -445,6 +456,9 @@ void fr_timeoutstate()
ips_stats.iss_fin++;
else
ips_stats.iss_expire++;
+#ifdef IPFILTER_LOG
+ ipstate_log(is, ISL_EXPIRE);
+#endif
KFREE(is);
ips_num--;
} else
@@ -458,8 +472,8 @@ void fr_timeoutstate()
* Original idea freom Pradeep Krishnan for use primarily with NAT code.
* (pkrishna@netcom.com)
*/
-void set_tcp_age(age, state, ip, fin, dir)
-int *age;
+void fr_tcp_age(age, state, ip, fin, dir)
+u_long *age;
u_char *state;
ip_t *ip;
fr_info_t *fin;
@@ -540,3 +554,51 @@ int dir;
break;
}
}
+
+
+#ifdef IPFILTER_LOG
+void ipstate_log(is, type)
+struct ipstate *is;
+u_short type;
+{
+ struct ipslog ipsl;
+
+ if (iplused[IPL_LOGSTATE] + sizeof(ipsl) > IPLLOGSIZE) {
+ ips_stats.iss_logfail++;
+ return;
+ }
+
+ if (iplh[IPL_LOGSTATE] == iplbuf[IPL_LOGSTATE] + IPLLOGSIZE)
+ iplh[IPL_LOGSTATE] = iplbuf[IPL_LOGSTATE];
+
+# ifdef sun
+ uniqtime(&ipsl);
+# endif
+# if BSD >= 199306 || defined(__FreeBSD__)
+ microtime((struct timeval *)&ipsl);
+# endif
+ ipsl.isl_pkts = is->is_pkts;
+ ipsl.isl_bytes = is->is_bytes;
+ ipsl.isl_src = is->is_src;
+ ipsl.isl_dst = is->is_dst;
+ ipsl.isl_p = is->is_p;
+ ipsl.isl_flags = is->is_flags;
+ ipsl.isl_type = type;
+ if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
+ ipsl.isl_sport = is->is_sport;
+ ipsl.isl_dport = is->is_dport;
+ } else if (ipsl.isl_p == IPPROTO_ICMP)
+ ipsl.isl_itype = is->is_icmp.ics_type;
+ else {
+ ipsl.isl_ps.isl_filler[0] = 0;
+ ipsl.isl_ps.isl_filler[1] = 0;
+ }
+
+ if (!fr_copytolog(IPL_LOGSTATE, (char *)&ipsl, sizeof(ipsl))) {
+ iplused[IPL_LOGSTATE] += sizeof(ipsl);
+ ips_stats.iss_logged++;
+ } else
+ ips_stats.iss_logfail++;
+ wakeup(iplbuf[IPL_LOGSTATE]);
+}
+#endif
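Review bot: For an ICMP state the branch `else if (ipsl.isl_p == IPPROTO_ICMP) ipsl.isl_itype = is->is_icmp.ics_type;` writes only the first u_short of the `isl_ps` union and leaves `isl_filler[1]` untouched, whereas the TCP/UDP branch fills both halves and the final `else` zeroes both; that stale pair of stack bytes is then copied by `fr_copytolog` into the buffer userland reads. Zeroing the record once up front, `bzero((char *)&ipsl, sizeof(ipsl));` right after the declaration, closes the gap for every branch (and for any padding the compiler places around the `U_QUAD_T` members) and lets the trailing `else` be dropped. The `microtime((struct timeval *)&ipsl)` cast carries the same struct-layout dependence as the one in nat_log; `microtime(&ipsl.isl_tv)` is the explicit form.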
diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h
index ee30b986d844..b92f8c23e434 100644
--- a/sys/netinet/ip_state.h
+++ b/sys/netinet/ip_state.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $Id: ip_state.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $
+ * $Id: ip_state.h,v 1.1.1.2 1997/04/03 10:11:33 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@@ -37,8 +37,10 @@ typedef struct tcpstate {
typedef struct ipstate {
struct ipstate *is_next;
- int is_age;
+ u_long is_age;
u_int is_pass;
+ U_QUAD_T is_pkts;
+ U_QUAD_T is_bytes;
struct in_addr is_src;
struct in_addr is_dst;
u_char is_p;
@@ -63,6 +65,31 @@ typedef struct ipstate {
#define TH_OPENING (TH_SYN|TH_ACK)
+
+typedef struct ipslog {
+ struct timeval isl_tv;
+ U_QUAD_T isl_pkts;
+ U_QUAD_T isl_bytes;
+ struct in_addr isl_src;
+ struct in_addr isl_dst;
+ u_char isl_p;
+ u_char isl_flags;
+ u_short isl_type;
+ union {
+ u_short isl_filler[2];
+ u_short isl_ports[2];
+ u_short isl_icmp;
+ } isl_ps;
+} ipslog_t;
+
+#define isl_sport isl_ps.isl_ports[0]
+#define isl_dport isl_ps.isl_ports[1]
+#define isl_itype isl_ps.isl_icmp
+
+#define ISL_NEW 0
+#define ISL_EXPIRE 0xffff
+
+
typedef struct ips_stat {
u_long iss_hits;
u_long iss_miss;
@@ -74,13 +101,18 @@ typedef struct ips_stat {
u_long iss_expire;
u_long iss_fin;
u_long iss_active;
+ u_long iss_logged;
+ u_long iss_logfail;
ipstate_t **iss_table;
} ips_stat_t;
-extern ips_stat_t *fr_statetstats();
-extern int fr_addstate(), fr_checkstate();
-extern void fr_timeoutstate(), set_tcp_age();
-# ifdef _KERNEL
-extern void fr_stateunload();
-# endif
+extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *,
+ tcphdr_t *, u_short));
+extern ips_stat_t *fr_statetstats __P((void));
+extern int fr_addstate __P((ip_t *, fr_info_t *, u_int));
+extern int fr_checkstate __P((ip_t *, fr_info_t *));
+extern void fr_timeoutstate __P((void));
+extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
+extern void fr_stateunload __P((void));
+extern void ipstate_log __P((struct ipstate *, u_short));
#endif /* __IP_STATE_H__ */