aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDarren Reed <darrenr@FreeBSD.org>2005-04-25 18:15:41 +0000
committerDarren Reed <darrenr@FreeBSD.org>2005-04-25 18:15:41 +0000
commit8158c4468d2bf40eabe8e413f647e1dd581bb6e7 (patch)
treec168dd685faadbd403b7bd21475e18410a1896b6
parent866bef8856d9607d136d404359afae7b519a5bb6 (diff)
downloadsrc-8158c4468d2bf40eabe8e413f647e1dd581bb6e7.tar.gz
src-8158c4468d2bf40eabe8e413f647e1dd581bb6e7.zip
import ipfilter 4.1.8 into the kernel source tree
Notes
Notes: svn path=/vendor-sys/ipfilter/dist/; revision=145516
-rw-r--r--sys/contrib/ipfilter/netinet/fil.c6667
-rw-r--r--sys/contrib/ipfilter/netinet/ip_auth.c540
-rw-r--r--sys/contrib/ipfilter/netinet/ip_auth.h29
-rw-r--r--sys/contrib/ipfilter/netinet/ip_compat.h2458
-rw-r--r--sys/contrib/ipfilter/netinet/ip_fil.h1297
-rw-r--r--sys/contrib/ipfilter/netinet/ip_fil_freebsd.c1692
-rw-r--r--sys/contrib/ipfilter/netinet/ip_frag.c789
-rw-r--r--sys/contrib/ipfilter/netinet/ip_frag.h64
-rw-r--r--sys/contrib/ipfilter/netinet/ip_ftp_pxy.c1093
-rw-r--r--sys/contrib/ipfilter/netinet/ip_h323_pxy.c177
-rw-r--r--sys/contrib/ipfilter/netinet/ip_htable.c455
-rw-r--r--sys/contrib/ipfilter/netinet/ip_htable.h71
-rw-r--r--sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c233
-rw-r--r--sys/contrib/ipfilter/netinet/ip_irc_pxy.c435
-rw-r--r--sys/contrib/ipfilter/netinet/ip_log.c586
-rw-r--r--sys/contrib/ipfilter/netinet/ip_lookup.c530
-rw-r--r--sys/contrib/ipfilter/netinet/ip_lookup.h65
-rw-r--r--sys/contrib/ipfilter/netinet/ip_nat.c4779
-rw-r--r--sys/contrib/ipfilter/netinet/ip_nat.h405
-rw-r--r--sys/contrib/ipfilter/netinet/ip_netbios_pxy.c53
-rw-r--r--sys/contrib/ipfilter/netinet/ip_pool.c786
-rw-r--r--sys/contrib/ipfilter/netinet/ip_pool.h87
-rw-r--r--sys/contrib/ipfilter/netinet/ip_pptp_pxy.c527
-rw-r--r--sys/contrib/ipfilter/netinet/ip_proxy.c561
-rw-r--r--sys/contrib/ipfilter/netinet/ip_proxy.h309
-rw-r--r--sys/contrib/ipfilter/netinet/ip_raudio_pxy.c153
-rw-r--r--sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c165
-rw-r--r--sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c1460
-rw-r--r--sys/contrib/ipfilter/netinet/ip_rules.c229
-rw-r--r--sys/contrib/ipfilter/netinet/ip_rules.h16
-rw-r--r--sys/contrib/ipfilter/netinet/ip_scan.c594
-rw-r--r--sys/contrib/ipfilter/netinet/ip_scan.h108
-rw-r--r--sys/contrib/ipfilter/netinet/ip_state.c3851
-rw-r--r--sys/contrib/ipfilter/netinet/ip_state.h199
-rw-r--r--sys/contrib/ipfilter/netinet/ip_sync.c1001
-rw-r--r--sys/contrib/ipfilter/netinet/ip_sync.h117
-rw-r--r--sys/contrib/ipfilter/netinet/ipl.h10
-rw-r--r--sys/contrib/ipfilter/netinet/mlfk_ipl.c308
38 files changed, 25763 insertions, 7136 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index 1a1da36a740e..e62b0edf7bba 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -1,24 +1,29 @@
+/* $FreeBSD$ */
+
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 1993-2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
+#if defined(KERNEL) || defined(_KERNEL)
+# undef KERNEL
+# undef _KERNEL
+# define KERNEL 1
+# define _KERNEL 1
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
-#include <sys/file.h>
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
- defined(_KERNEL)
-# include "opt_ipfilter_log.h"
+#if defined(__NetBSD__)
+# if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
+# include "opt_ipfilter_log.h"
+# endif
#endif
-#if (defined(KERNEL) || defined(_KERNEL)) && defined(__FreeBSD_version) && \
+#if defined(_KERNEL) && defined(__FreeBSD_version) && \
(__FreeBSD_version >= 220000)
# if (__FreeBSD_version >= 400000)
-# ifndef KLD_MODULE
+# if !defined(IPFILTER_LKM)
# include "opt_inet6.h"
# endif
# if (__FreeBSD_version == 400019)
@@ -26,42 +31,56 @@
# endif
# endif
# include <sys/filio.h>
-# include <sys/fcntl.h>
#else
# include <sys/ioctl.h>
#endif
-#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
+#include <sys/fcntl.h>
+#if defined(_KERNEL)
# include <sys/systm.h>
+# include <sys/file.h>
#else
# include <stdio.h>
# include <string.h>
# include <stdlib.h>
-#endif
-#if !defined(__SVR4) && !defined(__svr4__)
-# ifndef linux
-# include <sys/mbuf.h>
+# include <stddef.h>
+# include <sys/file.h>
+# define _KERNEL
+# ifdef __OpenBSD__
+struct file;
# endif
+# include <sys/uio.h>
+# undef _KERNEL
+#endif
+#if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux) && \
+ !defined(linux)
+# include <sys/mbuf.h>
#else
-# include <sys/cmn_err.h>
-# include <sys/byteorder.h>
-# if SOLARIS2 < 5
+# if !defined(linux)
+# include <sys/byteorder.h>
+# endif
+# if (SOLARIS2 < 5) && defined(sun)
# include <sys/dditypes.h>
# endif
-# include <sys/stream.h>
#endif
-#ifndef linux
+#ifdef __hpux
+# define _NET_ROUTE_INCLUDED
+#endif
+#if !defined(linux)
# include <sys/protosw.h>
-# include <sys/socket.h>
#endif
+#include <sys/socket.h>
#include <net/if.h>
#ifdef sun
# include <net/af.h>
#endif
+#if !defined(_KERNEL) && defined(__FreeBSD__)
+# include "radix_ipf.h"
+#endif
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
-#ifndef linux
+#if !defined(linux)
# include <netinet/ip_var.h>
#endif
#if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
@@ -69,12 +88,17 @@
# include <netinet/in_var.h>
#endif
#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
+#if !defined(__sgi) || defined(_KERNEL)
+# include <netinet/udp.h>
+# include <netinet/ip_icmp.h>
+#endif
+#ifdef __hpux
+# undef _NET_ROUTE_INCLUDED
+#endif
#include "netinet/ip_compat.h"
#ifdef USE_INET6
# include <netinet/icmp6.h>
-# if !SOLARIS && defined(_KERNEL)
+# if !SOLARIS && defined(_KERNEL) && !defined(__osf__) && !defined(__hpux)
# include <netinet6/in6_var.h>
# endif
#endif
@@ -85,76 +109,142 @@
#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_auth.h"
-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# include "opt_ipfilter.h"
-# endif
+#ifdef IPFILTER_SCAN
+# include "netinet/ip_scan.h"
+#endif
+#ifdef IPFILTER_SYNC
+# include "netinet/ip_sync.h"
+#endif
+#include "netinet/ip_pool.h"
+#include "netinet/ip_htable.h"
+#ifdef IPFILTER_COMPILED
+# include "netinet/ip_rules.h"
+#endif
+#if defined(IPFILTER_BPF) && defined(_KERNEL)
+# include <net/bpf.h>
+#endif
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+# include "opt_ipfilter.h"
# endif
-#ifndef MIN
-# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
#include "netinet/ipl.h"
+/* END OF INCLUDES */
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.82 2004/06/20 10:27:47 darrenr Exp $";
+static const char rcsid[] = "@(#)Id: fil.c,v 2.243.2.57 2005/03/28 10:47:50 darrenr Exp";
#endif
#ifndef _KERNEL
# include "ipf.h"
# include "ipt.h"
+# include "bpf-ipf.h"
extern int opts;
# define FR_VERBOSE(verb_pr) verbose verb_pr
# define FR_DEBUG(verb_pr) debug verb_pr
-# define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
#else /* #ifndef _KERNEL */
# define FR_VERBOSE(verb_pr)
# define FR_DEBUG(verb_pr)
-# define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
-# if SOLARIS || defined(__sgi)
-extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat;
-extern kmutex_t ipf_rw;
-# endif /* SOLARIS || __sgi */
#endif /* _KERNEL */
-struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
+fr_info_t frcache[2][8];
+struct filterstats frstats[2] = { { 0, 0, 0, 0, 0 }, { 0, 0, 0, 0, 0 } };
struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
-#ifdef USE_INET6
*ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } },
*ipacct6[2][2] = { { NULL, NULL }, { NULL, NULL } },
-#endif
- *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
-struct frgroup *ipfgroups[3][2];
+ *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } },
+ *ipnatrules[2][2] = { { NULL, NULL }, { NULL, NULL } };
+struct frgroup *ipfgroups[IPL_LOGSIZE][2];
+char ipfilter_version[] = IPL_VERSION;
+int fr_refcnt = 0;
+/*
+ * For fr_running:
+ * 0 == loading, 1 = running, -1 = disabled, -2 = unloading
+ */
+int fr_running = 0;
int fr_flags = IPF_LOGGING;
int fr_active = 0;
-int fr_chksrc = 0;
-int fr_minttl = 3;
-int fr_minttllog = 1;
+int fr_control_forwarding = 0;
+int fr_update_ipid = 0;
+u_short fr_ip_id = 0;
+int fr_chksrc = 0; /* causes a system crash if enabled */
+int fr_minttl = 4;
+u_long fr_frouteok[2] = {0, 0};
+u_long fr_userifqs = 0;
+u_long fr_badcoalesces[2] = {0, 0};
+u_char ipf_iss_secret[32];
#if defined(IPFILTER_DEFAULT_BLOCK)
-int fr_pass = FR_NOMATCH|FR_BLOCK;
+int fr_pass = FR_BLOCK|FR_NOMATCH;
#else
-int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
+int fr_pass = (IPF_DEFAULT_PASS)|FR_NOMATCH;
#endif
-char ipfilter_version[] = IPL_VERSION;
-
-fr_info_t frcache[2];
+int fr_features = 0
+#ifdef IPFILTER_LKM
+ | IPF_FEAT_LKM
+#endif
+#ifdef IPFILTER_LOG
+ | IPF_FEAT_LOG
+#endif
+#ifdef IPFILTER_LOOKUP
+ | IPF_FEAT_LOOKUP
+#endif
+#ifdef IPFILTER_BPF
+ | IPF_FEAT_BPF
+#endif
+#ifdef IPFILTER_COMPILED
+ | IPF_FEAT_COMPILED
+#endif
+#ifdef IPFILTER_CKSUM
+ | IPF_FEAT_CKSUM
+#endif
+#ifdef IPFILTER_SYNC
+ | IPF_FEAT_SYNC
+#endif
+#ifdef IPFILTER_SCAN
+ | IPF_FEAT_SCAN
+#endif
+#ifdef USE_INET6
+ | IPF_FEAT_IPV6
+#endif
+ ;
-static int frflushlist __P((int, minor_t, int *, frentry_t **));
-#ifdef _KERNEL
-static void frsynclist __P((frentry_t *));
-# ifndef __sgi
-static void *ipf_pullup __P((mb_t *, fr_info_t *, int, void *));
-# endif
+static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
+static int fr_portcheck __P((frpcmp_t *, u_short *));
+static int frflushlist __P((int, minor_t, int *, frentry_t **));
+static ipfunc_t fr_findfunc __P((ipfunc_t));
+static frentry_t *fr_firewall __P((fr_info_t *, u_32_t *));
+static int fr_funcinit __P((frentry_t *fr));
+static INLINE void frpr_esp __P((fr_info_t *));
+static INLINE void frpr_gre __P((fr_info_t *));
+static INLINE void frpr_udp __P((fr_info_t *));
+static INLINE void frpr_tcp __P((fr_info_t *));
+static INLINE void frpr_icmp __P((fr_info_t *));
+static INLINE void frpr_ipv4hdr __P((fr_info_t *));
+static INLINE int frpr_pullup __P((fr_info_t *, int));
+static INLINE void frpr_short __P((fr_info_t *, int));
+static INLINE void frpr_tcpcommon __P((fr_info_t *));
+static INLINE void frpr_udpcommon __P((fr_info_t *));
+static INLINE int fr_updateipid __P((fr_info_t *));
+#ifdef IPFILTER_LOOKUP
+static int fr_grpmapinit __P((frentry_t *fr));
+static INLINE void *fr_resolvelookup __P((u_int, u_int, lookupfunc_t *));
#endif
+static void frsynclist __P((frentry_t *, void *));
+static ipftuneable_t *fr_findtunebyname __P((char *));
+static ipftuneable_t *fr_findtunebycookie __P((void *, void **));
/*
* bit values for identifying presence of individual IP options
+ * All of these tables should be ordered by increasing key value on the left
+ * hand side to allow for binary searching of the array and include a trailer
+ * with a 0 for the bitmask for linear searches to easily find the end with.
*/
-struct optlist ipopts[20] = {
+const struct optlist ipopts[20] = {
{ IPOPT_NOP, 0x000001 },
{ IPOPT_RR, 0x000002 },
{ IPOPT_ZSU, 0x000004 },
@@ -177,10 +267,34 @@ struct optlist ipopts[20] = {
{ 0, 0x000000 }
};
+#ifdef USE_INET6
+struct optlist ip6exthdr[] = {
+ { IPPROTO_HOPOPTS, 0x000001 },
+ { IPPROTO_IPV6, 0x000002 },
+ { IPPROTO_ROUTING, 0x000004 },
+ { IPPROTO_FRAGMENT, 0x000008 },
+ { IPPROTO_ESP, 0x000010 },
+ { IPPROTO_AH, 0x000020 },
+ { IPPROTO_NONE, 0x000040 },
+ { IPPROTO_DSTOPTS, 0x000080 },
+ { 0, 0 }
+};
+#endif
+
+struct optlist tcpopts[] = {
+ { TCPOPT_NOP, 0x000001 },
+ { TCPOPT_MAXSEG, 0x000002 },
+ { TCPOPT_WINDOW, 0x000004 },
+ { TCPOPT_SACK_PERMITTED, 0x000008 },
+ { TCPOPT_SACK, 0x000010 },
+ { TCPOPT_TIMESTAMP, 0x000020 },
+ { 0, 0x000000 }
+};
+
/*
* bit values for identifying presence of individual IP security options
*/
-struct optlist secopt[8] = {
+const struct optlist secopt[8] = {
{ IPSO_CLASS_RES4, 0x01 },
{ IPSO_CLASS_TOPS, 0x02 },
{ IPSO_CLASS_SECR, 0x04 },
@@ -193,292 +307,1021 @@ struct optlist secopt[8] = {
/*
- * compact the IP header into a structure which contains just the info.
- * which is useful for comparing IP headers with.
+ * Table of functions available for use with call rules.
*/
-int fr_makefrip(hlen, ip, fin)
-int hlen;
-ip_t *ip;
+static ipfunc_resolve_t fr_availfuncs[] = {
+#ifdef IPFILTER_LOOKUP
+ { "fr_srcgrpmap", fr_srcgrpmap, fr_grpmapinit },
+ { "fr_dstgrpmap", fr_dstgrpmap, fr_grpmapinit },
+#endif
+ { "", NULL }
+};
+
+
+/*
+ * The next section of code is a a collection of small routines that set
+ * fields in the fr_info_t structure passed based on properties of the
+ * current packet. There are different routines for the same protocol
+ * for each of IPv4 and IPv6. Adding a new protocol, for which there
+ * will "special" inspection for setup, is now more easily done by adding
+ * a new routine and expanding the frpr_ipinit*() function rather than by
+ * adding more code to a growing switch statement.
+ */
+#ifdef USE_INET6
+static INLINE void frpr_udp6 __P((fr_info_t *));
+static INLINE void frpr_tcp6 __P((fr_info_t *));
+static INLINE void frpr_icmp6 __P((fr_info_t *));
+static INLINE void frpr_ipv6hdr __P((fr_info_t *));
+static INLINE void frpr_short6 __P((fr_info_t *, int));
+static INLINE int frpr_hopopts6 __P((fr_info_t *));
+static INLINE int frpr_routing6 __P((fr_info_t *));
+static INLINE int frpr_dstopts6 __P((fr_info_t *));
+static INLINE int frpr_fragment6 __P((fr_info_t *));
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_short6 */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv6 Only */
+/* This is function enforces the 'is a packet too short to be legit' rule */
+/* for IPv6 and marks the packet with FI_SHORT if so. See function comment */
+/* for frpr_short() for more details. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_short6(fin, min)
fr_info_t *fin;
+int min;
{
- u_short optmsk = 0, secmsk = 0, auth = 0;
- int i, mv, ol, off, p, plen, v;
-#if defined(_KERNEL)
-# if SOLARIS
- mb_t *m = fin->fin_qfm;
-# else
- mb_t *m = fin->fin_mp ? *fin->fin_mp : NULL;
-# endif
-#endif
fr_ip_t *fi = &fin->fin_fi;
- struct optlist *op;
- u_char *s, opt;
- tcphdr_t *tcp;
+ int off;
- fin->fin_rev = 0;
- fin->fin_dp = NULL;
- fin->fin_fr = NULL;
- fin->fin_tcpf = 0;
- fin->fin_data[0] = 0;
- fin->fin_data[1] = 0;
- fin->fin_rule = -1;
- fin->fin_group = -1;
- fin->fin_icode = ipl_unreach;
- v = fin->fin_v;
- fi->fi_v = v;
- fin->fin_hlen = hlen;
- if (v == 4) {
- fin->fin_id = ip->ip_id;
- fi->fi_tos = ip->ip_tos;
-#if (OpenBSD >= 200311) && defined(_KERNEL)
- ip->ip_off = ntohs(ip->ip_off);
-#endif
- off = (ip->ip_off & IP_OFFMASK);
- (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
- fi->fi_src.i6[1] = 0;
- fi->fi_src.i6[2] = 0;
- fi->fi_src.i6[3] = 0;
- fi->fi_dst.i6[1] = 0;
- fi->fi_dst.i6[2] = 0;
- fi->fi_dst.i6[3] = 0;
- fi->fi_saddr = ip->ip_src.s_addr;
- fi->fi_daddr = ip->ip_dst.s_addr;
- p = ip->ip_p;
- fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
- if (ip->ip_off & (IP_MF|IP_OFFMASK))
- fi->fi_fl |= FI_FRAG;
-#if (OpenBSD >= 200311) && defined(_KERNEL)
- ip->ip_len = ntohs(ip->ip_len);
-#endif
- plen = ip->ip_len;
- fin->fin_dlen = plen - hlen;
+ off = fin->fin_off;
+ if (off == 0) {
+ if (fin->fin_plen < fin->fin_hlen + min)
+ fi->fi_flx |= FI_SHORT;
+ } else if (off < min) {
+ fi->fi_flx |= FI_SHORT;
}
-#ifdef USE_INET6
- else if (v == 6) {
- ip6_t *ip6 = (ip6_t *)ip;
+}
- off = 0;
- p = ip6->ip6_nxt;
- fi->fi_p = p;
- fi->fi_ttl = ip6->ip6_hlim;
- fi->fi_src.in6 = ip6->ip6_src;
- fi->fi_dst.in6 = ip6->ip6_dst;
- fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
- fi->fi_tos = 0;
- fi->fi_fl = 0;
- plen = ntohs(ip6->ip6_plen);
- fin->fin_dlen = plen;
- plen += sizeof(*ip6);
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_ipv6hdr */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv6 Only */
+/* Copy values from the IPv6 header into the fr_info_t struct and call the */
+/* per-protocol analyzer if it exists. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_ipv6hdr(fin)
+fr_info_t *fin;
+{
+ int p, go = 1, i, hdrcount, coalesced;
+ ip6_t *ip6 = (ip6_t *)fin->fin_ip;
+ fr_ip_t *fi = &fin->fin_fi;
+
+ fin->fin_off = 0;
+
+ fi->fi_tos = 0;
+ fi->fi_optmsk = 0;
+ fi->fi_secmsk = 0;
+ fi->fi_auth = 0;
+
+ coalesced = (fin->fin_flx & FI_COALESCE) ? 1 : 0;
+ p = ip6->ip6_nxt;
+ fi->fi_ttl = ip6->ip6_hlim;
+ fi->fi_src.in6 = ip6->ip6_src;
+ fi->fi_dst.in6 = ip6->ip6_dst;
+ fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
+
+ hdrcount = 0;
+ while (go && !(fin->fin_flx & (FI_BAD|FI_SHORT))) {
+ switch (p)
+ {
+ case IPPROTO_UDP :
+ frpr_udp6(fin);
+ go = 0;
+ break;
+
+ case IPPROTO_TCP :
+ frpr_tcp6(fin);
+ go = 0;
+ break;
+
+ case IPPROTO_ICMPV6 :
+ frpr_icmp6(fin);
+ go = 0;
+ break;
+
+ case IPPROTO_GRE :
+ frpr_gre(fin);
+ go = 0;
+ break;
+
+ case IPPROTO_HOPOPTS :
+ /*
+ * Actually, hop by hop header is only allowed right
+ * after IPv6 header!
+ */
+ if (hdrcount != 0)
+ fin->fin_flx |= FI_BAD;
+
+ if (coalesced == 0) {
+ coalesced = fr_coalesce(fin);
+ if (coalesced != 1)
+ return;
+ }
+ p = frpr_hopopts6(fin);
+ break;
+
+ case IPPROTO_DSTOPTS :
+ if (coalesced == 0) {
+ coalesced = fr_coalesce(fin);
+ if (coalesced != 1)
+ return;
+ }
+ p = frpr_dstopts6(fin);
+ break;
+
+ case IPPROTO_ROUTING :
+ if (coalesced == 0) {
+ coalesced = fr_coalesce(fin);
+ if (coalesced != 1)
+ return;
+ }
+ p = frpr_routing6(fin);
+ break;
+
+ case IPPROTO_ESP :
+ frpr_esp(fin);
+ /*FALLTHROUGH*/
+ case IPPROTO_AH :
+ case IPPROTO_IPV6 :
+ for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
+ if (ip6exthdr[i].ol_val == p) {
+ fin->fin_flx |= ip6exthdr[i].ol_bit;
+ break;
+ }
+ go = 0;
+ break;
+
+ case IPPROTO_NONE :
+ go = 0;
+ break;
+
+ case IPPROTO_FRAGMENT :
+ if (coalesced == 0) {
+ coalesced = fr_coalesce(fin);
+ if (coalesced != 1)
+ return;
+ }
+ p = frpr_fragment6(fin);
+ break;
+
+ default :
+ go = 0;
+ break;
+ }
+ hdrcount++;
+
+ /*
+ * It is important to note that at this point, for the
+ * extension headers (go != 0), the entire header may not have
+ * been pulled up when the code gets to this point. This is
+ * only done for "go != 0" because the other header handlers
+ * will all pullup their complete header and the other
+ * indicator of an incomplete header is that this eas just an
+ * extension header.
+ */
+ if ((go != 0) && (p != IPPROTO_NONE) &&
+ (frpr_pullup(fin, 0) == -1)) {
+ p = IPPROTO_NONE;
+ go = 0;
+ }
}
-#endif
- else
- return -1;
+ fi->fi_p = p;
+}
- fin->fin_off = off;
- fin->fin_plen = plen;
- tcp = (tcphdr_t *)((char *)ip + hlen);
- fin->fin_misc = 0;
- off <<= 3;
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_hopopts6 */
+/* Returns: int - value of the next header or IPPROTO_NONE if error */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv6 Only */
+/* This is function checks pending hop by hop options extension header */
+/* ------------------------------------------------------------------------ */
+static INLINE int frpr_hopopts6(fin)
+fr_info_t *fin;
+{
+ struct ip6_ext *hdr;
+ u_short shift;
+ int i;
+
+ fin->fin_flx |= FI_V6EXTHDR;
+
+ /* 8 is default length of extension hdr */
+ if ((fin->fin_dlen - 8) < 0) {
+ fin->fin_flx |= FI_SHORT;
+ return IPPROTO_NONE;
+ }
+
+ if (frpr_pullup(fin, 8) == -1)
+ return IPPROTO_NONE;
+
+ hdr = fin->fin_dp;
+ shift = 8 + (hdr->ip6e_len << 3);
+ if (shift > fin->fin_dlen) { /* Nasty extension header length? */
+ fin->fin_flx |= FI_BAD;
+ return IPPROTO_NONE;
+ }
+
+ for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
+ if (ip6exthdr[i].ol_val == IPPROTO_HOPOPTS) {
+ fin->fin_optmsk |= ip6exthdr[i].ol_bit;
+ break;
+ }
+
+ fin->fin_dp = (char *)fin->fin_dp + shift;
+ fin->fin_dlen -= shift;
+
+ return hdr->ip6e_nxt;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_routing6 */
+/* Returns: int - value of the next header or IPPROTO_NONE if error */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv6 Only */
+/* This is function checks pending routing extension header */
+/* ------------------------------------------------------------------------ */
+static INLINE int frpr_routing6(fin)
+fr_info_t *fin;
+{
+ struct ip6_ext *hdr;
+ u_short shift;
+ int i;
+
+ fin->fin_flx |= FI_V6EXTHDR;
+
+ /* 8 is default length of extension hdr */
+ if ((fin->fin_dlen - 8) < 0) {
+ fin->fin_flx |= FI_SHORT;
+ return IPPROTO_NONE;
+ }
+
+ if (frpr_pullup(fin, 8) == -1)
+ return IPPROTO_NONE;
+ hdr = fin->fin_dp;
+
+ shift = 8 + (hdr->ip6e_len << 3);
/*
- * For both ICMPV6 & ICMP, we attempt to pullup the entire packet into
- * a single buffer for recognised error return packets. Why? Because
- * the entire data section of the ICMP payload is considered to be of
- * significance and maybe required in NAT/state processing, so rather
- * than be careful later, attempt to get it all in one buffeer first.
- * For TCP we just make sure the _entire_ TCP header is in the first
- * buffer for convienience.
+ * Nasty extension header length?
*/
- switch (p)
- {
-#ifdef USE_INET6
- case IPPROTO_ICMPV6 :
- {
- int minicmpsz = sizeof(struct icmp6_hdr);
- struct icmp6_hdr *icmp6;
+ if ((shift > fin->fin_dlen) || (shift < sizeof(struct ip6_hdr)) ||
+ ((shift - sizeof(struct ip6_hdr)) & 15)) {
+ fin->fin_flx |= FI_BAD;
+ return IPPROTO_NONE;
+ }
- if (!(fin->fin_fl & FI_SHORT) && (fin->fin_dlen > 1)) {
- fin->fin_data[0] = *(u_short *)tcp;
+ for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
+ if (ip6exthdr[i].ol_val == IPPROTO_ROUTING) {
+ fin->fin_optmsk |= ip6exthdr[i].ol_bit;
+ break;
+ }
- icmp6 = (struct icmp6_hdr *)tcp;
+ fin->fin_dp = (char *)fin->fin_dp + shift;
+ fin->fin_dlen -= shift;
- switch (icmp6->icmp6_type)
- {
- case ICMP6_ECHO_REPLY :
- case ICMP6_ECHO_REQUEST :
- minicmpsz = ICMP6_MINLEN;
- break;
- case ICMP6_DST_UNREACH :
- case ICMP6_PACKET_TOO_BIG :
- case ICMP6_TIME_EXCEEDED :
- case ICMP6_PARAM_PROB :
-# if defined(KERNEL) && !defined(__sgi)
- if ((m != NULL) && (M_BLEN(m) < plen)) {
- ip = ipf_pullup(m, fin, plen, ip);
- if (ip == NULL)
- return -1;
- tcp = (tcphdr_t *)((char *)ip + hlen);
- }
-# endif /* KERNEL && !__sgi */
- minicmpsz = ICMP6ERR_IPICMPHLEN;
- break;
- default :
- break;
+ return hdr->ip6e_nxt;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_fragment6 */
+/* Returns: int - value of the next header or IPPROTO_NONE if error */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv6 Only */
+/* Examine the IPv6 fragment header and extract fragment offset information.*/
+/* ------------------------------------------------------------------------ */
+static INLINE int frpr_fragment6(fin)
+fr_info_t *fin;
+{
+ struct ip6_frag *frag;
+ struct ip6_ext *hdr;
+ int i;
+
+ fin->fin_flx |= (FI_FRAG|FI_V6EXTHDR);
+
+ /* 8 is default length of extension hdr */
+ if ((fin->fin_dlen - 8) < 0) {
+ fin->fin_flx |= FI_SHORT;
+ return IPPROTO_NONE;
+ }
+
+ /*
+ * Only one frgament header is allowed per IPv6 packet but it need
+ * not be the first nor last (not possible in some cases.)
+ */
+ for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
+ if (ip6exthdr[i].ol_val == IPPROTO_FRAGMENT)
+ break;
+
+ if (fin->fin_optmsk & ip6exthdr[i].ol_bit) {
+ fin->fin_flx |= FI_BAD;
+ return IPPROTO_NONE;
+ }
+
+ fin->fin_optmsk |= ip6exthdr[i].ol_bit;
+
+ if (frpr_pullup(fin, sizeof(*frag)) == -1)
+ return IPPROTO_NONE;
+ hdr = fin->fin_dp;
+
+ /*
+ * Length must be zero, i.e. it has no length.
+ */
+ if (hdr->ip6e_len != 0) {
+ fin->fin_flx |= FI_BAD;
+ return IPPROTO_NONE;
+ }
+
+ if ((int)(fin->fin_dlen - sizeof(*frag)) < 0) {
+ fin->fin_flx |= FI_SHORT;
+ return IPPROTO_NONE;
+ }
+
+ frag = fin->fin_dp;
+ fin->fin_off = frag->ip6f_offlg & IP6F_OFF_MASK;
+ fin->fin_off <<= 3;
+ if (fin->fin_off != 0)
+ fin->fin_flx |= FI_FRAGBODY;
+
+ fin->fin_dp = (char *)fin->fin_dp + sizeof(*frag);
+ fin->fin_dlen -= sizeof(*frag);
+
+ return frag->ip6f_nxt;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_dstopts6 */
+/* Returns: int - value of the next header or IPPROTO_NONE if error */
+/* Parameters: fin(I) - pointer to packet information */
+/* nextheader(I) - stores next header value */
+/* */
+/* IPv6 Only */
+/* This is function checks pending destination options extension header */
+/* ------------------------------------------------------------------------ */
+static INLINE int frpr_dstopts6(fin)
+fr_info_t *fin;
+{
+ struct ip6_ext *hdr;
+ u_short shift;
+ int i;
+
+ /* 8 is default length of extension hdr */
+ if ((fin->fin_dlen - 8) < 0) {
+ fin->fin_flx |= FI_SHORT;
+ return IPPROTO_NONE;
+ }
+
+ if (frpr_pullup(fin, 8) == -1)
+ return IPPROTO_NONE;
+ hdr = fin->fin_dp;
+
+ shift = 8 + (hdr->ip6e_len << 3);
+ if (shift > fin->fin_dlen) { /* Nasty extension header length? */
+ fin->fin_flx |= FI_BAD;
+ return IPPROTO_NONE;
+ }
+
+ for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
+ if (ip6exthdr[i].ol_val == IPPROTO_DSTOPTS)
+ break;
+ fin->fin_optmsk |= ip6exthdr[i].ol_bit;
+ fin->fin_dp = (char *)fin->fin_dp + shift;
+ fin->fin_dlen -= shift;
+
+ return hdr->ip6e_nxt;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_icmp6 */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv6 Only */
+/* This routine is mainly concerned with determining the minimum valid size */
+/* for an ICMPv6 packet. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_icmp6(fin)
+fr_info_t *fin;
+{
+ int minicmpsz = sizeof(struct icmp6_hdr);
+ struct icmp6_hdr *icmp6;
+
+ if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t)) == -1)
+ return;
+
+ if (fin->fin_dlen > 1) {
+ icmp6 = fin->fin_dp;
+
+ fin->fin_data[0] = *(u_short *)icmp6;
+
+ switch (icmp6->icmp6_type)
+ {
+ case ICMP6_ECHO_REPLY :
+ case ICMP6_ECHO_REQUEST :
+ minicmpsz = ICMP6ERR_MINPKTLEN - sizeof(ip6_t);
+ break;
+ case ICMP6_DST_UNREACH :
+ case ICMP6_PACKET_TOO_BIG :
+ case ICMP6_TIME_EXCEEDED :
+ case ICMP6_PARAM_PROB :
+ if ((fin->fin_m != NULL) &&
+ (M_LEN(fin->fin_m) < fin->fin_plen)) {
+ if (fr_coalesce(fin) != 1)
+ return;
}
+ fin->fin_flx |= FI_ICMPERR;
+ minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
+ break;
+ default :
+ break;
}
+ }
- if (!(fin->fin_dlen >= minicmpsz))
- fi->fi_fl |= FI_SHORT;
+ frpr_short(fin, minicmpsz);
+}
- break;
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_udp6 */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv6 Only */
+/* Analyse the packet for IPv6/UDP properties. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_udp6(fin)
+fr_info_t *fin;
+{
+
+ fr_checkv6sum(fin);
+
+ frpr_short(fin, sizeof(struct udphdr));
+
+ frpr_udpcommon(fin);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_tcp6 */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv6 Only */
+/* Analyse the packet for IPv6/TCP properties. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_tcp6(fin)
+fr_info_t *fin;
+{
+
+ fr_checkv6sum(fin);
+
+ frpr_short(fin, sizeof(struct tcphdr));
+
+ frpr_tcpcommon(fin);
+}
+#endif /* USE_INET6 */
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_pullup */
+/* Returns: int - 0 == pullup succeeded, -1 == failure */
+/* Parameters: fin(I) - pointer to packet information */
+/* plen(I) - length (excluding L3 header) to pullup */
+/* */
+/* Short inline function to cut down on code duplication to perform a call */
+/* to fr_pullup to ensure there is the required amount of data, */
+/* consecutively in the packet buffer. */
+/* ------------------------------------------------------------------------ */
+static INLINE int frpr_pullup(fin, plen)
+fr_info_t *fin;
+int plen;
+{
+#if defined(_KERNEL)
+ if (fin->fin_m != NULL) {
+ if (fin->fin_dp != NULL)
+ plen += (char *)fin->fin_dp -
+ ((char *)fin->fin_ip + fin->fin_hlen);
+ plen += fin->fin_hlen;
+ if (M_LEN(fin->fin_m) < plen) {
+ if (fr_pullup(fin->fin_m, fin, plen) == NULL)
+ return -1;
+ }
}
-#endif /* USE_INET6 */
+#endif
+ return 0;
+}
- case IPPROTO_ICMP :
- {
- int minicmpsz = sizeof(struct icmp);
- icmphdr_t *icmp;
- if (!off && (fin->fin_dlen > 1) && !(fin->fin_fl & FI_SHORT)) {
- fin->fin_data[0] = *(u_short *)tcp;
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_short */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* min(I) - minimum header size */
+/* */
+/* Check if a packet is "short" as defined by min. The rule we are */
+/* applying here is that the packet must not be fragmented within the layer */
+/* 4 header. That is, it must not be a fragment that has its offset set to */
+/* start within the layer 4 header (hdrmin) or if it is at offset 0, the */
+/* entire layer 4 header must be present (min). */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_short(fin, min)
+fr_info_t *fin;
+int min;
+{
+ fr_ip_t *fi = &fin->fin_fi;
+ int off;
- icmp = (icmphdr_t *)tcp;
+ off = fin->fin_off;
+ if (off == 0) {
+ if (fin->fin_plen < fin->fin_hlen + min)
+ fi->fi_flx |= FI_SHORT;
+ } else if (off < min) {
+ fi->fi_flx |= FI_SHORT;
+ }
+}
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_icmp */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv4 Only */
+/* Do a sanity check on the packet for ICMP (v4). In nearly all cases, */
+/* except extrememly bad packets, both type and code will be present. */
+/* The expected minimum size of an ICMP packet is very much dependant on */
+/* the type of it. */
+/* */
+/* XXX - other ICMP sanity checks? */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_icmp(fin)
+fr_info_t *fin;
+{
+ int minicmpsz = sizeof(struct icmp);
+ icmphdr_t *icmp;
+
+ if (frpr_pullup(fin, ICMPERR_ICMPHLEN) == -1)
+ return;
+
+ fr_checkv4sum(fin);
+
+ if (!fin->fin_off && (fin->fin_dlen > 1)) {
+ icmp = fin->fin_dp;
+
+ fin->fin_data[0] = *(u_short *)icmp;
+
+ switch (icmp->icmp_type)
+ {
+ case ICMP_ECHOREPLY :
+ case ICMP_ECHO :
+ /* Router discovery messaes - RFC 1256 */
+ case ICMP_ROUTERADVERT :
+ case ICMP_ROUTERSOLICIT :
+ minicmpsz = ICMP_MINLEN;
+ break;
+ /*
+ * type(1) + code(1) + cksum(2) + id(2) seq(2) +
+ * 3 * timestamp(3 * 4)
+ */
+ case ICMP_TSTAMP :
+ case ICMP_TSTAMPREPLY :
+ minicmpsz = 20;
+ break;
+ /*
+ * type(1) + code(1) + cksum(2) + id(2) seq(2) +
+ * mask(4)
+ */
+ case ICMP_MASKREQ :
+ case ICMP_MASKREPLY :
+ minicmpsz = 12;
+ break;
+ /*
+ * type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+)
+ */
+ case ICMP_UNREACH :
+ case ICMP_SOURCEQUENCH :
+ case ICMP_REDIRECT :
+ case ICMP_TIMXCEED :
+ case ICMP_PARAMPROB :
+ if (fr_coalesce(fin) != 1)
+ return;
+ fin->fin_flx |= FI_ICMPERR;
+ break;
+ default :
+ break;
+ }
+
+ if (fin->fin_dlen >= 6) /* ID field */
+ fin->fin_data[1] = icmp->icmp_id;
+ }
+
+ frpr_short(fin, minicmpsz);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_tcpcommon */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* TCP header sanity checking. Look for bad combinations of TCP flags, */
+/* and make some checks with how they interact with other fields. */
+/* If compiled with IPFILTER_CKSUM, check to see if the TCP checksum is */
+/* valid and mark the packet as bad if not. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_tcpcommon(fin)
+fr_info_t *fin;
+{
+ int flags, tlen;
+ tcphdr_t *tcp;
+ fr_ip_t *fi;
+
+ fi = &fin->fin_fi;
+ fi->fi_flx |= FI_TCPUDP;
+ if (fin->fin_off != 0)
+ return;
+
+ if (frpr_pullup(fin, sizeof(*tcp)) == -1)
+ return;
+ tcp = fin->fin_dp;
+
+ if (fin->fin_dlen > 3) {
+ fin->fin_sport = ntohs(tcp->th_sport);
+ fin->fin_dport = ntohs(tcp->th_dport);
+ }
+
+ if ((fi->fi_flx & FI_SHORT) != 0)
+ return;
+
+ /*
+ * Use of the TCP data offset *must* result in a value that is at
+ * least the same size as the TCP header.
+ */
+ tlen = TCP_OFF(tcp) << 2;
+ if (tlen < sizeof(tcphdr_t)) {
+ fin->fin_flx |= FI_BAD;
+ return;
+ }
+
+ flags = tcp->th_flags;
+ fin->fin_tcpf = tcp->th_flags;
+
+ /*
+ * If the urgent flag is set, then the urgent pointer must
+ * also be set and vice versa. Good TCP packets do not have
+ * just one of these set.
+ */
+ if ((flags & TH_URG) != 0 && (tcp->th_urp == 0)) {
+ fin->fin_flx |= FI_BAD;
+ } else if ((flags & TH_URG) == 0 && (tcp->th_urp != 0)) {
+ /* Ignore this case, it shows up in "real" traffic with */
+ /* bogus values in the urgent pointer field. */
+ ;
+ } else if (((flags & (TH_SYN|TH_FIN)) != 0) &&
+ ((flags & (TH_RST|TH_ACK)) == TH_RST)) {
+ /* TH_FIN|TH_RST|TH_ACK seems to appear "naturally" */
+ fin->fin_flx |= FI_BAD;
+ } else if (!(flags & TH_ACK)) {
+ /*
+ * If the ack bit isn't set, then either the SYN or
+ * RST bit must be set. If the SYN bit is set, then
+ * we expect the ACK field to be 0. If the ACK is
+ * not set and if URG, PSH or FIN are set, consdier
+ * that to indicate a bad TCP packet.
+ */
+ if ((flags == TH_SYN) && (tcp->th_ack != 0)) {
/*
- * Minimum ICMP packet is type(1) code(1) cksum(2)
- * plus 4 bytes following, totalling 8 bytes.
- */
- switch (icmp->icmp_type)
- {
- case ICMP_ECHOREPLY :
- case ICMP_ECHO :
- /* Router discovery messages - RFC 1256 */
- case ICMP_ROUTERADVERT :
- case ICMP_ROUTERSOLICIT :
- minicmpsz = ICMP_MINLEN;
- break;
- /*
- * type(1) + code(1) + cksum(2) + id(2) seq(2) +
- * 3*timestamp(3*4)
- */
- case ICMP_TSTAMP :
- case ICMP_TSTAMPREPLY :
- minicmpsz = ICMP_MINLEN + 12;
- break;
- /*
- * type(1) + code(1) + cksum(2) + id(2) seq(2) +
- * mask(4)
+ * Cisco PIX sets the ACK field to a random value.
+ * In light of this, do not set FI_BAD until a patch
+ * is available from Cisco to ensure that
+ * interoperability between existing systems is
+ * achieved.
*/
- case ICMP_MASKREQ :
- case ICMP_MASKREPLY :
- minicmpsz = ICMP_MINLEN + 4;
+ /*fin->fin_flx |= FI_BAD*/;
+ } else if (!(flags & (TH_RST|TH_SYN))) {
+ fin->fin_flx |= FI_BAD;
+ } else if ((flags & (TH_URG|TH_PUSH|TH_FIN)) != 0) {
+ fin->fin_flx |= FI_BAD;
+ }
+ }
+
+ /*
+ * At this point, it's not exactly clear what is to be gained by
+ * marking up which TCP options are and are not present. The one we
+ * are most interested in is the TCP window scale. This is only in
+ * a SYN packet [RFC1323] so we don't need this here...?
+ * Now if we were to analyse the header for passive fingerprinting,
+ * then that might add some weight to adding this...
+ */
+ if (tlen == sizeof(tcphdr_t))
+ return;
+
+ if (frpr_pullup(fin, tlen) == -1)
+ return;
+
+#if 0
+ ip = fin->fin_ip;
+ s = (u_char *)(tcp + 1);
+ off = IP_HL(ip) << 2;
+# ifdef _KERNEL
+ if (fin->fin_mp != NULL) {
+ mb_t *m = *fin->fin_mp;
+
+ if (off + tlen > M_LEN(m))
+ return;
+ }
+# endif
+ for (tlen -= (int)sizeof(*tcp); tlen > 0; ) {
+ opt = *s;
+ if (opt == '\0')
+ break;
+ else if (opt == TCPOPT_NOP)
+ ol = 1;
+ else {
+ if (tlen < 2)
break;
- /*
- * type(1) + code(1) + cksum(2) + arg(4) ip(20+)
- */
- case ICMP_UNREACH :
- case ICMP_SOURCEQUENCH :
- case ICMP_REDIRECT :
- case ICMP_TIMXCEED :
- case ICMP_PARAMPROB :
-#if defined(KERNEL) && !defined(__sgi)
- if ((m != NULL) && (M_BLEN(m) < plen)) {
- ip = ipf_pullup(m, fin, plen, ip);
- if (ip == NULL)
- return -1;
- tcp = (tcphdr_t *)((char *)ip + hlen);
- }
-#endif /* KERNEL && !__sgi */
- minicmpsz = ICMPERR_MINPKTLEN - sizeof(ip_t);
+ ol = (int)*(s + 1);
+ if (ol < 2 || ol > tlen)
break;
- default :
- minicmpsz = ICMP_MINLEN;
+ }
+
+ for (i = 9, mv = 4; mv >= 0; ) {
+ op = ipopts + i;
+ if (opt == (u_char)op->ol_val) {
+ optmsk |= op->ol_bit;
break;
}
}
+ tlen -= ol;
+ s += ol;
+ }
+#endif /* 0 */
+}
- if ((!(plen >= hlen + minicmpsz) && !off) ||
- (off && off < sizeof(struct icmp)))
- fi->fi_fl |= FI_SHORT;
- break;
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_udpcommon */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* Extract the UDP source and destination ports, if present. If compiled */
+/* with IPFILTER_CKSUM, check to see if the UDP checksum is valid. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_udpcommon(fin)
+fr_info_t *fin;
+{
+ udphdr_t *udp;
+ fr_ip_t *fi;
+
+ fi = &fin->fin_fi;
+ fi->fi_flx |= FI_TCPUDP;
+
+ if (!fin->fin_off && (fin->fin_dlen > 3)) {
+ if (frpr_pullup(fin, sizeof(*udp)) == -1) {
+ fi->fi_flx |= FI_SHORT;
+ return;
+ }
+
+ udp = fin->fin_dp;
+
+ fin->fin_sport = ntohs(udp->uh_sport);
+ fin->fin_dport = ntohs(udp->uh_dport);
}
+}
- case IPPROTO_TCP :
- fi->fi_fl |= FI_TCPUDP;
-#ifdef USE_INET6
- if (v == 6) {
- if (plen < sizeof(struct tcphdr))
- fi->fi_fl |= FI_SHORT;
- } else
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_tcp */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv4 Only */
+/* Analyse the packet for IPv4/TCP properties. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_tcp(fin)
+fr_info_t *fin;
+{
+
+ fr_checkv4sum(fin);
+
+ frpr_short(fin, sizeof(tcphdr_t));
+
+ frpr_tcpcommon(fin);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_udp */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv4 Only */
+/* Analyse the packet for IPv4/UDP properties. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_udp(fin)
+fr_info_t *fin;
+{
+
+ fr_checkv4sum(fin);
+
+ frpr_short(fin, sizeof(udphdr_t));
+
+ frpr_udpcommon(fin);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_esp */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* Analyse the packet for ESP properties. */
+/* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
+/* even though the newer ESP packets must also have a sequence number that */
+/* is 32bits as well, it is not possible(?) to determine the version from a */
+/* simple packet header. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_esp(fin)
+fr_info_t *fin;
+{
+ if (frpr_pullup(fin, 8) == -1)
+ return;
+
+ if (fin->fin_v == 4)
+ frpr_short(fin, 8);
+#ifdef USE_INET6
+ else if (fin->fin_v == 6)
+ frpr_short6(fin, sizeof(grehdr_t));
#endif
- if (v == 4) {
- if ((!IPMINLEN(ip, tcphdr) && !off) ||
- (off && off < sizeof(struct tcphdr)))
- fi->fi_fl |= FI_SHORT;
- }
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_gre */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* Analyse the packet for GRE properties. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_gre(fin)
+fr_info_t *fin;
+{
+ grehdr_t *gre;
+
+ if (frpr_pullup(fin, sizeof(grehdr_t)) == -1)
+ return;
+
+ if (fin->fin_v == 4)
+ frpr_short(fin, sizeof(grehdr_t));
+#ifdef USE_INET6
+ else if (fin->fin_v == 6)
+ frpr_short6(fin, sizeof(grehdr_t));
+#endif
+ gre = fin->fin_dp;
+ if (GRE_REV(gre->gr_flags) == 1)
+ fin->fin_data[0] = gre->gr_call;
+}
-#if defined(KERNEL) && !defined(__sgi)
- if (!off && !(fi->fi_fl & FI_SHORT)) {
- int tlen = hlen + (tcp->th_off << 2);
- if ((m != NULL) && (M_BLEN(m) < tlen)) {
- ip = ipf_pullup(m, fin, tlen, ip);
- if (ip == NULL)
- return -1;
- tcp = (tcphdr_t *)((char *)ip + hlen);
+/* ------------------------------------------------------------------------ */
+/* Function: frpr_ipv4hdr */
+/* Returns: void */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* IPv4 Only */
+/* Analyze the IPv4 header and set fields in the fr_info_t structure. */
+/* Check all options present and flag their presence if any exist. */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_ipv4hdr(fin)
+fr_info_t *fin;
+{
+ u_short optmsk = 0, secmsk = 0, auth = 0;
+ int hlen, ol, mv, p, i;
+ const struct optlist *op;
+ u_char *s, opt;
+ u_short off;
+ fr_ip_t *fi;
+ ip_t *ip;
+
+ fi = &fin->fin_fi;
+ hlen = fin->fin_hlen;
+
+ ip = fin->fin_ip;
+ p = ip->ip_p;
+ fi->fi_p = p;
+ fi->fi_tos = ip->ip_tos;
+ fin->fin_id = ip->ip_id;
+ off = ip->ip_off;
+
+ /* Get both TTL and protocol */
+ fi->fi_p = ip->ip_p;
+ fi->fi_ttl = ip->ip_ttl;
+#if 0
+ (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
+#endif
+
+ /* Zero out bits not used in IPv6 address */
+ fi->fi_src.i6[1] = 0;
+ fi->fi_src.i6[2] = 0;
+ fi->fi_src.i6[3] = 0;
+ fi->fi_dst.i6[1] = 0;
+ fi->fi_dst.i6[2] = 0;
+ fi->fi_dst.i6[3] = 0;
+
+ fi->fi_saddr = ip->ip_src.s_addr;
+ fi->fi_daddr = ip->ip_dst.s_addr;
+
+ /*
+ * set packet attribute flags based on the offset and
+ * calculate the byte offset that it represents.
+ */
+ if ((off & IP_MF) != 0) {
+ fi->fi_flx |= FI_FRAG;
+ if (fin->fin_dlen == 0)
+ fi->fi_flx |= FI_BAD;
+ }
+
+ off &= IP_MF|IP_OFFMASK;
+ if (off != 0) {
+ fi->fi_flx |= FI_FRAG;
+ off &= IP_OFFMASK;
+ if (off != 0) {
+ fin->fin_flx |= FI_FRAGBODY;
+ off <<= 3;
+ if (off + fin->fin_dlen > 0xffff) {
+ fi->fi_flx |= FI_BAD;
}
}
-#endif /* _KERNEL && !_sgi */
+ }
+ fin->fin_off = off;
- if (!(fi->fi_fl & FI_SHORT) && !off)
- fin->fin_tcpf = tcp->th_flags;
- goto getports;
+ /*
+ * Call per-protocol setup and checking
+ */
+ switch (p)
+ {
case IPPROTO_UDP :
- fi->fi_fl |= FI_TCPUDP;
-#ifdef USE_INET6
- if (v == 6) {
- if (plen < sizeof(struct udphdr))
- fi->fi_fl |= FI_SHORT;
- } else
-#endif
- if (v == 4) {
- if ((!IPMINLEN(ip, udphdr) && !off) ||
- (off && off < sizeof(struct udphdr)))
- fi->fi_fl |= FI_SHORT;
- }
-getports:
- if (!off && (fin->fin_dlen > 3)) {
- fin->fin_data[0] = ntohs(tcp->th_sport);
- fin->fin_data[1] = ntohs(tcp->th_dport);
- }
+ frpr_udp(fin);
+ break;
+ case IPPROTO_TCP :
+ frpr_tcp(fin);
+ break;
+ case IPPROTO_ICMP :
+ frpr_icmp(fin);
break;
case IPPROTO_ESP :
-#ifdef USE_INET6
- if (v == 6) {
- if (plen < 8)
- fi->fi_fl |= FI_SHORT;
- } else
-#endif
- if (v == 4) {
- if (((ip->ip_len < hlen + 8) && !off) ||
- (off && off < 8))
- fi->fi_fl |= FI_SHORT;
- }
+ frpr_esp(fin);
break;
- default :
+ case IPPROTO_GRE :
+ frpr_gre(fin);
break;
}
- fin->fin_dp = (char *)tcp;
+ ip = fin->fin_ip;
+ if (ip == NULL)
+ return;
-#ifdef USE_INET6
- if (v == 6) {
+ /*
+ * If it is a standard IP header (no options), set the flag fields
+ * which relate to options to 0.
+ */
+ if (hlen == sizeof(*ip)) {
fi->fi_optmsk = 0;
fi->fi_secmsk = 0;
fi->fi_auth = 0;
- return 0;
+ return;
}
-#endif
+
+ /*
+ * So the IP header has some IP options attached. Walk the entire
+ * list of options present with this packet and set flags to indicate
+ * which ones are here and which ones are not. For the somewhat out
+ * of date and obscure security classification options, set a flag to
+ * represent which classification is present.
+ */
+ fi->fi_flx |= FI_OPTIONS;
for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
opt = *s;
@@ -495,10 +1338,10 @@ getports:
}
for (i = 9, mv = 4; mv >= 0; ) {
op = ipopts + i;
- if (opt == (u_char)op->ol_val) {
+ if ((opt == (u_char)op->ol_val) && (ol > 4)) {
optmsk |= op->ol_bit;
if (opt == IPOPT_SECURITY) {
- struct optlist *sp;
+ const struct optlist *sp;
u_char sec;
int j, m;
@@ -513,98 +1356,174 @@ getports:
break;
}
if (sec < sp->ol_val)
- j -= m--;
+ j -= m;
else
- j += m--;
+ j += m;
+ m--;
}
}
break;
}
if (opt < op->ol_val)
- i -= mv--;
+ i -= mv;
else
- i += mv--;
+ i += mv;
+ mv--;
}
hlen -= ol;
s += ol;
}
+
+ /*
+ *
+ */
if (auth && !(auth & 0x0100))
auth &= 0xff00;
fi->fi_optmsk = optmsk;
fi->fi_secmsk = secmsk;
fi->fi_auth = auth;
- return 0;
}
-/*
- * check an IP packet for TCP/UDP characteristics such as ports and flags.
- */
-int fr_tcpudpchk(ft, fin)
-frtuc_t *ft;
+/* ------------------------------------------------------------------------ */
+/* Function: fr_makefrip */
+/* Returns: void */
+/* Parameters: hlen(I) - length of IP packet header */
+/* ip(I) - pointer to the IP header */
+/* fin(IO) - pointer to packet information */
+/* */
+/* Compact the IP header into a structure which contains just the info. */
+/* which is useful for comparing IP headers with and store this information */
+/* in the fr_info_t structure pointer to by fin. At present, it is assumed */
+/* this function will be called with either an IPv4 or IPv6 packet. */
+/* ------------------------------------------------------------------------ */
+int fr_makefrip(hlen, ip, fin)
+int hlen;
+ip_t *ip;
fr_info_t *fin;
{
- register u_short po, tup;
- register char i;
- register int err = 1;
+ int v;
+
+ fin->fin_nat = NULL;
+ fin->fin_state = NULL;
+ fin->fin_depth = 0;
+ fin->fin_hlen = (u_short)hlen;
+ fin->fin_ip = ip;
+ fin->fin_rule = 0xffffffff;
+ fin->fin_group[0] = -1;
+ fin->fin_group[1] = '\0';
+ fin->fin_dlen = fin->fin_plen - hlen;
+ fin->fin_dp = (char *)ip + hlen;
+
+ v = fin->fin_v;
+ if (v == 4)
+ frpr_ipv4hdr(fin);
+#ifdef USE_INET6
+ else if (v == 6)
+ frpr_ipv6hdr(fin);
+#endif
+ if (fin->fin_ip == NULL)
+ return -1;
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_portcheck */
+/* Returns: int - 1 == port matched, 0 == port match failed */
+/* Parameters: frp(I) - pointer to port check `expression' */
+/* pop(I) - pointer to port number to evaluate */
+/* */
+/* Perform a comparison of a port number against some other(s), using a */
+/* structure with compare information stored in it. */
+/* ------------------------------------------------------------------------ */
+static INLINE int fr_portcheck(frp, pop)
+frpcmp_t *frp;
+u_short *pop;
+{
+ u_short tup, po;
+ int err = 1;
+
+ tup = *pop;
+ po = frp->frp_port;
/*
- * Both ports should *always* be in the first fragment.
- * So far, I cannot find any cases where they can not be.
- *
- * compare destination ports
+ * Do opposite test to that required and continue if that succeeds.
*/
- if ((i = (int)ft->ftu_dcmp)) {
- po = ft->ftu_dport;
- tup = fin->fin_data[1];
- /*
- * Do opposite test to that required and
- * continue if that succeeds.
- */
- if (!--i && tup != po) /* EQUAL */
+ switch (frp->frp_cmp)
+ {
+ case FR_EQUAL :
+ if (tup != po) /* EQUAL */
err = 0;
- else if (!--i && tup == po) /* NOTEQUAL */
+ break;
+ case FR_NEQUAL :
+ if (tup == po) /* NOTEQUAL */
err = 0;
- else if (!--i && tup >= po) /* LESSTHAN */
+ break;
+ case FR_LESST :
+ if (tup >= po) /* LESSTHAN */
+ err = 0;
+ break;
+ case FR_GREATERT :
+ if (tup <= po) /* GREATERTHAN */
err = 0;
- else if (!--i && tup <= po) /* GREATERTHAN */
+ break;
+ case FR_LESSTE :
+ if (tup > po) /* LT or EQ */
err = 0;
- else if (!--i && tup > po) /* LT or EQ */
+ break;
+ case FR_GREATERTE :
+ if (tup < po) /* GT or EQ */
err = 0;
- else if (!--i && tup < po) /* GT or EQ */
+ break;
+ case FR_OUTRANGE :
+ if (tup >= po && tup <= frp->frp_top) /* Out of range */
err = 0;
- else if (!--i && /* Out of range */
- (tup >= po && tup <= ft->ftu_dtop))
+ break;
+ case FR_INRANGE :
+ if (tup <= po || tup >= frp->frp_top) /* In range */
err = 0;
- else if (!--i && /* In range */
- (tup <= po || tup >= ft->ftu_dtop))
+ break;
+ case FR_INCRANGE :
+ if (tup < po || tup > frp->frp_top) /* Inclusive range */
err = 0;
+ break;
+ default :
+ break;
}
+ return err;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_tcpudpchk */
+/* Returns: int - 1 == protocol matched, 0 == check failed */
+/* Parameters: fin(I) - pointer to packet information */
+/* ft(I) - pointer to structure with comparison data */
+/* */
+/* Compares the current pcket (assuming it is TCP/UDP) information with a */
+/* structure containing information that we want to match against. */
+/* ------------------------------------------------------------------------ */
+int fr_tcpudpchk(fin, ft)
+fr_info_t *fin;
+frtuc_t *ft;
+{
+ int err = 1;
+
+ /*
+ * Both ports should *always* be in the first fragment.
+ * So far, I cannot find any cases where they can not be.
+ *
+ * compare destination ports
+ */
+ if (ft->ftu_dcmp)
+ err = fr_portcheck(&ft->ftu_dst, &fin->fin_dport);
+
/*
* compare source ports
*/
- if (err && (i = (int)ft->ftu_scmp)) {
- po = ft->ftu_sport;
- tup = fin->fin_data[0];
- if (!--i && tup != po)
- err = 0;
- else if (!--i && tup == po)
- err = 0;
- else if (!--i && tup >= po)
- err = 0;
- else if (!--i && tup <= po)
- err = 0;
- else if (!--i && tup > po)
- err = 0;
- else if (!--i && tup < po)
- err = 0;
- else if (!--i && /* Out of range */
- (tup >= po && tup <= ft->ftu_stop))
- err = 0;
- else if (!--i && /* In range */
- (tup <= po || tup >= ft->ftu_stop))
- err = 0;
- }
+ if (err && ft->ftu_scmp)
+ err = fr_portcheck(&ft->ftu_src, &fin->fin_sport);
/*
* If we don't have all the TCP/UDP header, then how can we
@@ -612,8 +1531,8 @@ fr_info_t *fin;
* TCP flags, then NO match. If not, then match (which should
* satisfy the "short" class too).
*/
- if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
- if (fin->fin_fl & FI_SHORT)
+ if (err && (fin->fin_p == IPPROTO_TCP)) {
+ if (fin->fin_flx & FI_SHORT)
return !(ft->ftu_tcpf | ft->ftu_tcpfm);
/*
* Match the flags ? If not, abort this match.
@@ -628,38 +1547,246 @@ fr_info_t *fin;
return err;
}
-/*
- * Check the input/output list of rules for a match and result.
- * Could be per interface, but this gets real nasty when you don't have
- * kernel sauce.
- */
-int fr_scanlist(passin, ip, fin, m)
-u_32_t passin;
-ip_t *ip;
-register fr_info_t *fin;
-void *m;
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_ipfcheck */
+/* Returns: int - 0 == match, 1 == no match */
+/* Parameters: fin(I) - pointer to packet information */
+/* fr(I) - pointer to filter rule */
+/* portcmp(I) - flag indicating whether to attempt matching on */
+/* TCP/UDP port data. */
+/* */
+/* Check to see if a packet matches an IPFilter rule. Checks of addresses, */
+/* port numbers, etc, for "standard" IPFilter rules are all orchestrated in */
+/* this function. */
+/* ------------------------------------------------------------------------ */
+static INLINE int fr_ipfcheck(fin, fr, portcmp)
+fr_info_t *fin;
+frentry_t *fr;
+int portcmp;
+{
+ u_32_t *ld, *lm, *lip;
+ fripf_t *fri;
+ fr_ip_t *fi;
+ int i;
+
+ fi = &fin->fin_fi;
+ fri = fr->fr_ipf;
+ lip = (u_32_t *)fi;
+ lm = (u_32_t *)&fri->fri_mip;
+ ld = (u_32_t *)&fri->fri_ip;
+
+ /*
+ * first 32 bits to check coversion:
+ * IP version, TOS, TTL, protocol
+ */
+ i = ((*lip & *lm) != *ld);
+ FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+ if (i)
+ return 1;
+
+ /*
+ * Next 32 bits is a constructed bitmask indicating which IP options
+ * are present (if any) in this packet.
+ */
+ lip++, lm++, ld++;
+ i |= ((*lip & *lm) != *ld);
+ FR_DEBUG(("1. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+ if (i)
+ return 1;
+
+ lip++, lm++, ld++;
+ /*
+ * Unrolled loops (4 each, for 32 bits) for address checks.
+ */
+ /*
+ * Check the source address.
+ */
+#ifdef IPFILTER_LOOKUP
+ if (fr->fr_satype == FRI_LOOKUP) {
+ i = (*fr->fr_srcfunc)(fr->fr_srcptr, fi->fi_v, lip);
+ if (i == -1)
+ return 1;
+ lip += 3;
+ lm += 3;
+ ld += 3;
+ } else {
+#endif
+ i = ((*lip & *lm) != *ld);
+ FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+ if (fi->fi_v == 6) {
+ lip++, lm++, ld++;
+ i |= ((*lip & *lm) != *ld);
+ FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+ lip++, lm++, ld++;
+ i |= ((*lip & *lm) != *ld);
+ FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+ lip++, lm++, ld++;
+ i |= ((*lip & *lm) != *ld);
+ FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+ } else {
+ lip += 3;
+ lm += 3;
+ ld += 3;
+ }
+#ifdef IPFILTER_LOOKUP
+ }
+#endif
+ i ^= (fr->fr_flags & FR_NOTSRCIP) >> 6;
+ if (i)
+ return 1;
+
+ /*
+ * Check the destination address.
+ */
+ lip++, lm++, ld++;
+#ifdef IPFILTER_LOOKUP
+ if (fr->fr_datype == FRI_LOOKUP) {
+ i = (*fr->fr_dstfunc)(fr->fr_dstptr, fi->fi_v, lip);
+ if (i == -1)
+ return 1;
+ lip += 3;
+ lm += 3;
+ ld += 3;
+ } else {
+#endif
+ i = ((*lip & *lm) != *ld);
+ FR_DEBUG(("3a. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+ if (fi->fi_v == 6) {
+ lip++, lm++, ld++;
+ i |= ((*lip & *lm) != *ld);
+ FR_DEBUG(("3b. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+ lip++, lm++, ld++;
+ i |= ((*lip & *lm) != *ld);
+ FR_DEBUG(("3c. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+ lip++, lm++, ld++;
+ i |= ((*lip & *lm) != *ld);
+ FR_DEBUG(("3d. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+ } else {
+ lip += 3;
+ lm += 3;
+ ld += 3;
+ }
+#ifdef IPFILTER_LOOKUP
+ }
+#endif
+ i ^= (fr->fr_flags & FR_NOTDSTIP) >> 7;
+ if (i)
+ return 1;
+ /*
+ * IP addresses matched. The next 32bits contains:
+ * mast of old IP header security & authentication bits.
+ */
+ lip++, lm++, ld++;
+ i |= ((*lip & *lm) != *ld);
+ FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+
+ /*
+ * Next we have 32 bits of packet flags.
+ */
+ lip++, lm++, ld++;
+ i |= ((*lip & *lm) != *ld);
+ FR_DEBUG(("5. %#08x & %#08x != %#08x\n",
+ *lip, *lm, *ld));
+
+ if (i == 0) {
+ /*
+ * If a fragment, then only the first has what we're
+ * looking for here...
+ */
+ if (portcmp) {
+ if (!fr_tcpudpchk(fin, &fr->fr_tuc))
+ i = 1;
+ } else {
+ if (fr->fr_dcmp || fr->fr_scmp ||
+ fr->fr_tcpf || fr->fr_tcpfm)
+ i = 1;
+ if (fr->fr_icmpm || fr->fr_icmp) {
+ if (((fi->fi_p != IPPROTO_ICMP) &&
+ (fi->fi_p != IPPROTO_ICMPV6)) ||
+ fin->fin_off || (fin->fin_dlen < 2))
+ i = 1;
+ else if ((fin->fin_data[0] & fr->fr_icmpm) !=
+ fr->fr_icmp) {
+ FR_DEBUG(("i. %#x & %#x != %#x\n",
+ fin->fin_data[0],
+ fr->fr_icmpm, fr->fr_icmp));
+ i = 1;
+ }
+ }
+ }
+ }
+ return i;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_scanlist */
+/* Returns: int - result flags of scanning filter list */
+/* Parameters: fin(I) - pointer to packet information */
+/* pass(I) - default result to return for filtering */
+/* */
+/* Check the input/output list of rules for a match to the current packet. */
+/* If a match is found, the value of fr_flags from the rule becomes the */
+/* return value and fin->fin_fr points to the matched rule. */
+/* */
+/* This function may be called recusively upto 16 times (limit inbuilt.) */
+/* When unwinding, it should finish up with fin_depth as 0. */
+/* */
+/* Could be per interface, but this gets real nasty when you don't have, */
+/* or can't easily change, the kernel source code to . */
+/* ------------------------------------------------------------------------ */
+int fr_scanlist(fin, pass)
+fr_info_t *fin;
+u_32_t pass;
{
- register struct frentry *fr;
- register fr_ip_t *fi = &fin->fin_fi;
- int rulen, portcmp = 0, off, skip = 0, logged = 0;
- u_32_t pass, passt, passl;
- frentry_t *frl;
+ int rulen, portcmp, off, logged, skip;
+ struct frentry *fr, *fnext;
+ u_32_t passt;
+
+ /*
+ * Do not allow nesting deeper than 16 levels.
+ */
+ if (fin->fin_depth >= 16)
+ return pass;
- frl = NULL;
- pass = passin;
fr = fin->fin_fr;
+
+ /*
+ * If there are no rules in this list, return now.
+ */
+ if (fr == NULL)
+ return pass;
+
+ skip = 0;
+ logged = 0;
+ portcmp = 0;
+ fin->fin_depth++;
fin->fin_fr = NULL;
off = fin->fin_off;
- if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
+ if ((fin->fin_flx & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
portcmp = 1;
- for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
- if (skip) {
+ for (rulen = 0; fr; fr = fnext, rulen++) {
+ fnext = fr->fr_next;
+ if (skip != 0) {
FR_VERBOSE(("%d (%#x)\n", skip, fr->fr_flags));
skip--;
continue;
}
+
/*
* In all checks below, a null (zero) value in the
* filter struture is taken to mean a wildcard.
@@ -667,198 +1794,376 @@ void *m;
* check that we are working for the right interface
*/
#ifdef _KERNEL
-# if (BSD >= 199306)
- if (fin->fin_out != 0) {
- if ((fr->fr_oifa &&
- (fr->fr_oifa != ((mb_t *)m)->m_pkthdr.rcvif)))
- continue;
- }
-# endif
+ if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
+ continue;
#else
if (opts & (OPT_VERBOSE|OPT_DEBUG))
printf("\n");
-#endif
-
- FR_VERBOSE(("%c", fr->fr_skip ? 's' :
- (pass & FR_PASS) ? 'p' :
- (pass & FR_AUTH) ? 'a' :
- (pass & FR_ACCOUNT) ? 'A' :
- (pass & FR_NOMATCH) ? 'n' : 'b'));
-
+ FR_VERBOSE(("%c", FR_ISSKIP(pass) ? 's' :
+ FR_ISPASS(pass) ? 'p' :
+ FR_ISACCOUNT(pass) ? 'A' :
+ FR_ISAUTH(pass) ? 'a' :
+ (pass & FR_NOMATCH) ? 'n' :'b'));
if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
continue;
-
FR_VERBOSE((":i"));
+#endif
+
+ switch (fr->fr_type)
{
- register u_32_t *ld, *lm, *lip;
- register int i;
-
- lip = (u_32_t *)fi;
- lm = (u_32_t *)&fr->fr_mip;
- ld = (u_32_t *)&fr->fr_ip;
- i = ((*lip & *lm) != *ld);
- FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- if (i)
+ case FR_T_IPF :
+ case FR_T_IPF|FR_T_BUILTIN :
+ if (fr_ipfcheck(fin, fr, portcmp))
continue;
- /*
- * We now know whether the packet version and the
- * rule version match, along with protocol, ttl and
- * tos.
- */
- lip++, lm++, ld++;
- /*
- * Unrolled loops (4 each, for 32 bits).
- */
- FR_DEBUG(("1a. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- i |= ((*lip++ & *lm++) != *ld++) << 5;
- if (fi->fi_v == 6) {
- FR_DEBUG(("1b. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- i |= ((*lip++ & *lm++) != *ld++) << 5;
- FR_DEBUG(("1c. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- i |= ((*lip++ & *lm++) != *ld++) << 5;
- FR_DEBUG(("1d. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- i |= ((*lip++ & *lm++) != *ld++) << 5;
- } else {
- lip += 3;
- lm += 3;
- ld += 3;
- }
- i ^= (fr->fr_flags & FR_NOTSRCIP);
- if (i)
+ break;
+#if defined(IPFILTER_BPF)
+ case FR_T_BPFOPC :
+ case FR_T_BPFOPC|FR_T_BUILTIN :
+ {
+ u_char *mc;
+ int wlen;
+
+ if (*fin->fin_mp == NULL)
continue;
- FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- i |= ((*lip++ & *lm++) != *ld++) << 6;
- if (fi->fi_v == 6) {
- FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- i |= ((*lip++ & *lm++) != *ld++) << 6;
- FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- i |= ((*lip++ & *lm++) != *ld++) << 6;
- FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- i |= ((*lip++ & *lm++) != *ld++) << 6;
- } else {
- lip += 3;
- lm += 3;
- ld += 3;
- }
- i ^= (fr->fr_flags & FR_NOTDSTIP);
- if (i)
+ if (fin->fin_v != fr->fr_v)
continue;
- FR_DEBUG(("3. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- i |= ((*lip++ & *lm++) != *ld++);
- FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- i |= ((*lip & *lm) != *ld);
- if (i)
+ mc = (u_char *)fin->fin_m;
+ wlen = fin->fin_dlen + fin->fin_hlen;
+ if (!bpf_filter(fr->fr_data, mc, wlen, 0))
continue;
- }
+ break;
+ }
+#endif
+ case FR_T_CALLFUNC|FR_T_BUILTIN :
+ {
+ frentry_t *f;
- /*
- * If a fragment, then only the first has what we're looking
- * for here...
- */
- if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
- fr->fr_tcpfm))
- continue;
- if (fi->fi_fl & FI_TCPUDP) {
- if (!fr_tcpudpchk(&fr->fr_tuc, fin))
+ f = (*fr->fr_func)(fin, &pass);
+ if (f != NULL)
+ fr = f;
+ else
continue;
- } else if (fr->fr_icmpm || fr->fr_icmp) {
- if (((fi->fi_p != IPPROTO_ICMP) &&
- (fi->fi_p != IPPROTO_ICMPV6)) || off ||
- (fin->fin_dlen < 2))
+ break;
+ }
+ default :
+ break;
+ }
+
+ if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
+ if (fin->fin_nattag == NULL)
continue;
- if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
- FR_DEBUG(("i. %#x & %#x != %#x\n",
- fin->fin_data[0], fr->fr_icmpm,
- fr->fr_icmp));
+ if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) == 0)
continue;
- }
}
- FR_VERBOSE(("*"));
+ FR_VERBOSE(("=%s.%d *", fr->fr_group, rulen));
- if (fr->fr_flags & FR_NOMATCH) {
- passt = passl;
- passl = passin;
- fin->fin_fr = frl;
- frl = NULL;
- if (fr->fr_flags & FR_QUICK)
- break;
+ passt = fr->fr_flags;
+
+ /*
+ * Allowing a rule with the "keep state" flag set to match
+ * packets that have been tagged "out of window" by the TCP
+ * state tracking is foolish as the attempt to add a new
+ * state entry to the table will fail.
+ */
+ if ((passt & FR_KEEPSTATE) && (fin->fin_flx & FI_OOW))
continue;
+
+ /*
+ * If the rule is a "call now" rule, then call the function
+ * in the rule, if it exists and use the results from that.
+ * If the function pointer is bad, just make like we ignore
+ * it, except for increasing the hit counter.
+ */
+ if ((passt & FR_CALLNOW) != 0) {
+ ATOMIC_INC64(fr->fr_hits);
+ if ((fr->fr_func != NULL) &&
+ (fr->fr_func != (ipfunc_t)-1)) {
+ frentry_t *frs;
+
+ frs = fin->fin_fr;
+ fin->fin_fr = fr;
+ fr = (*fr->fr_func)(fin, &passt);
+ if (fr == NULL) {
+ fin->fin_fr = frs;
+ continue;
+ }
+ passt = fr->fr_flags;
+ fin->fin_fr = fr;
+ }
+ } else {
+ fin->fin_fr = fr;
}
- passl = passt;
- passt = fr->fr_flags;
- frl = fin->fin_fr;
- fin->fin_fr = fr;
-#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
- if (securelevel <= 0)
-#endif
- if ((passt & FR_CALLNOW) && fr->fr_func)
- passt = (*fr->fr_func)(passt, ip, fin);
#ifdef IPFILTER_LOG
/*
* Just log this packet...
*/
if ((passt & FR_LOGMASK) == FR_LOG) {
- if (!IPLLOG(passt, ip, fin, m)) {
- if (passt & FR_LOGORBLOCK)
+ if (ipflog(fin, passt) == -1) {
+ if (passt & FR_LOGORBLOCK) {
+ passt &= ~FR_CMDMASK;
passt |= FR_BLOCK|FR_QUICK;
+ }
ATOMIC_INCL(frstats[fin->fin_out].fr_skip);
}
ATOMIC_INCL(frstats[fin->fin_out].fr_pkl);
logged = 1;
}
#endif /* IPFILTER_LOG */
- ATOMIC_INCL(fr->fr_hits);
- if (passt & FR_ACCOUNT)
- fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
- else
+ fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
+ if (FR_ISSKIP(passt))
+ skip = fr->fr_arg;
+ else if ((passt & FR_LOGMASK) != FR_LOG)
+ pass = passt;
+ if (passt & (FR_RETICMP|FR_FAKEICMP))
fin->fin_icode = fr->fr_icode;
+ FR_DEBUG(("pass %#x\n", pass));
+ ATOMIC_INC64(fr->fr_hits);
fin->fin_rule = rulen;
- fin->fin_group = fr->fr_group;
+ (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
if (fr->fr_grp != NULL) {
- fin->fin_fr = fr->fr_grp;
- passt = fr_scanlist(passt, ip, fin, m);
+ fin->fin_fr = *fr->fr_grp;
+ pass = fr_scanlist(fin, pass);
if (fin->fin_fr == NULL) {
fin->fin_rule = rulen;
- fin->fin_group = fr->fr_group;
+ (void) strncpy(fin->fin_group, fr->fr_group,
+ FR_GROUPLEN);
fin->fin_fr = fr;
}
- if (passt & FR_DONTCACHE)
+ if (fin->fin_flx & FI_DONTCACHE)
logged = 1;
}
- if (!(skip = fr->fr_skip) && (passt & FR_LOGMASK) != FR_LOG)
- pass = passt;
- FR_DEBUG(("pass %#x\n", pass));
- if (passt & FR_QUICK)
+ if (pass & FR_QUICK)
break;
}
if (logged)
- pass |= FR_DONTCACHE;
- pass |= (fi->fi_fl << 24);
+ fin->fin_flx |= FI_DONTCACHE;
+ fin->fin_depth--;
return pass;
}
-/*
- * frcheck - filter check
- * check using source and destination addresses/ports in a packet whether
- * or not to pass it on or not.
- */
+/* ------------------------------------------------------------------------ */
+/* Function: fr_acctpkt */
+/* Returns: frentry_t* - always returns NULL */
+/* Parameters: fin(I) - pointer to packet information */
+/* passp(IO) - pointer to current/new filter decision (unused) */
+/* */
+/* Checks a packet against accounting rules, if there are any for the given */
+/* IP protocol version. */
+/* */
+/* N.B.: this function returns NULL to match the prototype used by other */
+/* functions called from the IPFilter "mainline" in fr_check(). */
+/* ------------------------------------------------------------------------ */
+frentry_t *fr_acctpkt(fin, passp)
+fr_info_t *fin;
+u_32_t *passp;
+{
+ char group[FR_GROUPLEN];
+ frentry_t *fr, *frsave;
+ u_32_t pass, rulen;
+
+ passp = passp;
+#ifdef USE_INET6
+ if (fin->fin_v == 6)
+ fr = ipacct6[fin->fin_out][fr_active];
+ else
+#endif
+ fr = ipacct[fin->fin_out][fr_active];
+
+ if (fr != NULL) {
+ frsave = fin->fin_fr;
+ bcopy(fin->fin_group, group, FR_GROUPLEN);
+ rulen = fin->fin_rule;
+ fin->fin_fr = fr;
+ pass = fr_scanlist(fin, FR_NOMATCH);
+ if (FR_ISACCOUNT(pass)) {
+ ATOMIC_INCL(frstats[0].fr_acct);
+ }
+ fin->fin_fr = frsave;
+ bcopy(group, fin->fin_group, FR_GROUPLEN);
+ fin->fin_rule = rulen;
+ }
+ return NULL;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_firewall */
+/* Returns: frentry_t* - returns pointer to matched rule, if no matches */
+/* were found, returns NULL. */
+/* Parameters: fin(I) - pointer to packet information */
+/* passp(IO) - pointer to current/new filter decision (unused) */
+/* */
+/* Applies an appropriate set of firewall rules to the packet, to see if */
+/* there are any matches. The first check is to see if a match can be seen */
+/* in the cache. If not, then search an appropriate list of rules. Once a */
+/* matching rule is found, take any appropriate actions as defined by the */
+/* rule - except logging. */
+/* ------------------------------------------------------------------------ */
+static frentry_t *fr_firewall(fin, passp)
+fr_info_t *fin;
+u_32_t *passp;
+{
+ frentry_t *fr;
+ fr_info_t *fc;
+ u_32_t pass;
+ int out;
+
+ out = fin->fin_out;
+ pass = *passp;
+
+ /*
+ * If a packet is found in the auth table, then skip checking
+ * the access lists for permission but we do need to consider
+ * the result as if it were from the ACL's.
+ */
+ fc = &frcache[out][CACHE_HASH(fin)];
+ if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
+ /*
+ * copy cached data so we can unlock the mutex
+ * earlier.
+ */
+ bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
+ ATOMIC_INCL(frstats[out].fr_chit);
+ if ((fr = fin->fin_fr) != NULL) {
+ ATOMIC_INC64(fr->fr_hits);
+ pass = fr->fr_flags;
+ }
+ } else {
+#ifdef USE_INET6
+ if (fin->fin_v == 6)
+ fin->fin_fr = ipfilter6[out][fr_active];
+ else
+#endif
+ fin->fin_fr = ipfilter[out][fr_active];
+ if (fin->fin_fr != NULL)
+ pass = fr_scanlist(fin, fr_pass);
+ if (((pass & FR_KEEPSTATE) == 0) &&
+ ((fin->fin_flx & FI_DONTCACHE) == 0))
+ bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
+ if ((pass & FR_NOMATCH)) {
+ ATOMIC_INCL(frstats[out].fr_nom);
+ }
+ fr = fin->fin_fr;
+ }
+
+ /*
+ * Apply packets per second rate-limiting to a rule as required.
+ */
+ if ((fr != NULL) && (fr->fr_pps != 0) &&
+ !ppsratecheck(&fr->fr_lastpkt, &fr->fr_curpps, fr->fr_pps)) {
+ pass &= ~(FR_CMDMASK|FR_DUP|FR_RETICMP|FR_RETRST);
+ pass |= FR_BLOCK;
+ ATOMIC_INCL(frstats[out].fr_ppshit);
+ }
+
+ /*
+ * If we fail to add a packet to the authorization queue, then we
+ * drop the packet later. However, if it was added then pretend
+ * we've dropped it already.
+ */
+ if (FR_ISAUTH(pass)) {
+ if (fr_newauth(fin->fin_m, fin) != 0) {
+#ifdef _KERNEL
+ fin->fin_m = *fin->fin_mp = NULL;
+#else
+ ;
+#endif
+ fin->fin_error = 0;
+ } else
+ fin->fin_error = ENOSPC;
+ }
+
+ if ((fr != NULL) && (fr->fr_func != NULL) &&
+ (fr->fr_func != (ipfunc_t)-1) && !(pass & FR_CALLNOW))
+ (void) (*fr->fr_func)(fin, &pass);
+
+ /*
+ * If a rule is a pre-auth rule, check again in the list of rules
+ * loaded for authenticated use. It does not particulary matter
+ * if this search fails because a "preauth" result, from a rule,
+ * is treated as "not a pass", hence the packet is blocked.
+ */
+ if (FR_ISPREAUTH(pass)) {
+ if ((fin->fin_fr = ipauth) != NULL)
+ pass = fr_scanlist(fin, fr_pass);
+ }
+
+ /*
+ * If the rule has "keep frag" and the packet is actually a fragment,
+ * then create a fragment state entry.
+ */
+ if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
+ if (fin->fin_flx & FI_FRAG) {
+ if (fr_newfrag(fin, pass) == -1) {
+ ATOMIC_INCL(frstats[out].fr_bnfr);
+ } else {
+ ATOMIC_INCL(frstats[out].fr_nfr);
+ }
+ } else {
+ ATOMIC_INCL(frstats[out].fr_cfr);
+ }
+ }
+
+ /*
+ * Finally, if we've asked to track state for this packet, set it up.
+ */
+ if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
+ if (fr_addstate(fin, NULL, 0) != NULL) {
+ ATOMIC_INCL(frstats[out].fr_ads);
+ } else {
+ ATOMIC_INCL(frstats[out].fr_bads);
+ if (FR_ISPASS(pass)) {
+ pass &= ~FR_CMDMASK;
+ pass |= FR_BLOCK;
+ }
+ }
+ }
+
+ fr = fin->fin_fr;
+
+ if (passp != NULL)
+ *passp = pass;
+
+ return fr;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_check */
+/* Returns: int - 0 == packet allowed through, */
+/* User space: */
+/* -1 == packet blocked */
+/* 1 == packet not matched */
+/* -2 == requires authantication */
+/* Kernel: */
+/* > 0 == filter error # for packet */
+/* Parameters: ip(I) - pointer to start of IPv4/6 packet */
+/* hlen(I) - length of header */
+/* ifp(I) - pointer to interface this packet is on */
+/* out(I) - 0 == packet going in, 1 == packet going out */
+/* mp(IO) - pointer to caller's buffer pointer that holds this */
+/* IP packet. */
+/* Solaris & HP-UX ONLY : */
+/* qpi(I) - pointer to STREAMS queue information for this */
+/* interface & direction. */
+/* */
+/* fr_check() is the master function for all IPFilter packet processing. */
+/* It orchestrates: Network Address Translation (NAT), checking for packet */
+/* authorisation (or pre-authorisation), presence of related state info., */
+/* generating log entries, IP packet accounting, routing of packets as */
+/* directed by firewall rules and of course whether or not to allow the */
+/* packet to be further processed by the kernel. */
+/* */
+/* For packets blocked, the contents of "mp" will be NULL'd and the buffer */
+/* freed. Packets passed may be returned with the pointer pointed to by */
+/* by "mp" changed to a new buffer. */
+/* ------------------------------------------------------------------------ */
int fr_check(ip, hlen, ifp, out
-#if defined(_KERNEL) && SOLARIS
+#if defined(_KERNEL) && defined(MENTAT)
, qif, mp)
-qif_t *qif;
+void *qif;
#else
, mp)
#endif
@@ -871,49 +2176,59 @@ int out;
/*
* The above really sucks, but short of writing a diff
*/
- fr_info_t frinfo, *fc;
- register fr_info_t *fin = &frinfo;
- int changed, error = EHOSTUNREACH, v = ip->ip_v;
- frentry_t *fr = NULL, *list;
- u_32_t pass, apass;
-#if !SOLARIS || !defined(_KERNEL)
- register mb_t *m = *mp;
+ fr_info_t frinfo;
+ fr_info_t *fin = &frinfo;
+ u_32_t pass = fr_pass;
+ frentry_t *fr = NULL;
+ int v = IP_V(ip);
+ mb_t *mc = NULL;
+ mb_t *m;
+#ifdef USE_INET6
+ ip6_t *ip6;
#endif
-#ifdef _KERNEL
- int p, len, drop = 0, logit = 0;
- mb_t *mc = NULL;
-# if !defined(__SVR4) && !defined(__svr4__)
/*
- * We don't do this section for Solaris because fr_precheck() does a
- * pullupmsg() instead, effectively achieving the same result as here
- * so no need to duplicate it.
+ * The first part of fr_check() deals with making sure that what goes
+ * into the filtering engine makes some sense. Information about the
+ * the packet is distilled, collected into a fr_info_t structure and
+ * the an attempt to ensure the buffer the packet is in is big enough
+ * to hold all the required packet headers.
*/
-# ifdef __sgi
- char hbuf[128];
-# endif
- int up;
-
-# if !defined(NETBSD_PF) && \
- ((defined(__FreeBSD__) && (__FreeBSD_version < 500011)) || \
- defined(__OpenBSD__) || defined(_BSDI_VERSION))
- if (fr_checkp != fr_check && fr_running > 0) {
- static int counter = 0;
-
- if (counter == 0) {
- printf("WARNING: fr_checkp corrupt: value %lx\n",
- (u_long)fr_checkp);
- printf("WARNING: fr_checkp should be %lx\n",
- (u_long)fr_check);
- printf("WARNING: fixing fr_checkp\n");
- }
- fr_checkp = fr_check;
- counter++;
- if (counter == 10000)
- counter = 0;
+#ifdef _KERNEL
+# ifdef MENTAT
+ qpktinfo_t *qpi = qif;
+
+ if ((u_int)ip & 0x3)
+ return 2;
+# endif
+
+ READ_ENTER(&ipf_global);
+
+ if (fr_running <= 0) {
+ RWLOCK_EXIT(&ipf_global);
+ return 0;
}
-# endif
+ bzero((char *)fin, sizeof(*fin));
+
+# ifdef MENTAT
+ if (qpi->qpi_flags & QF_GROUP)
+ fin->fin_flx |= FI_MBCAST;
+ m = qpi->qpi_m;
+ fin->fin_qfm = m;
+ fin->fin_qpi = qpi;
+# else /* MENTAT */
+
+ m = *mp;
+
+# if defined(M_MCAST)
+ if ((m->m_flags & M_MCAST) != 0)
+ fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
+# endif
+# if defined(M_BCAST)
+ if ((m->m_flags & M_BCAST) != 0)
+ fin->fin_flx |= FI_MBCAST|FI_BROADCAST;
+# endif
# ifdef M_CANFASTFWD
/*
* XXX For now, IP Filter and fast-forwarding of cached flows
@@ -926,179 +2241,91 @@ int out;
/*
* disable delayed checksums.
*/
- if ((out != 0) && (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA)) {
+ if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
in_delayed_cksum(m);
m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
}
# endif /* CSUM_DELAY_DATA */
+# endif /* MENTAT */
+#else
+ READ_ENTER(&ipf_global);
-# ifdef USE_INET6
- if (v == 6) {
- len = ntohs(((ip6_t*)ip)->ip6_plen);
- if (!len)
- return -1; /* potential jumbo gram */
- len += sizeof(ip6_t);
- p = ((ip6_t *)ip)->ip6_nxt;
- } else
-# endif
- {
- p = ip->ip_p;
- len = ip->ip_len;
- }
+ bzero((char *)fin, sizeof(*fin));
+ m = *mp;
+#endif /* _KERNEL */
+ fin->fin_v = v;
+ fin->fin_m = m;
+ fin->fin_ip = ip;
fin->fin_mp = mp;
fin->fin_out = out;
+ fin->fin_ifp = ifp;
+ fin->fin_error = ENETUNREACH;
+ fin->fin_hlen = (u_short )hlen;
+ fin->fin_dp = (char *)ip + hlen;
- if ((p == IPPROTO_TCP || p == IPPROTO_UDP ||
- (v == 4 && p == IPPROTO_ICMP)
-# ifdef USE_INET6
- || (v == 6 && p == IPPROTO_ICMPV6)
-# endif
- )) {
- int plen = 0;
-
- if ((v == 6) || (ip->ip_off & IP_OFFMASK) == 0)
- switch(p)
- {
- case IPPROTO_TCP:
- plen = sizeof(tcphdr_t);
- break;
- case IPPROTO_UDP:
- plen = sizeof(udphdr_t);
- break;
- /* 96 - enough for complete ICMP error IP header */
- case IPPROTO_ICMP:
- plen = ICMPERR_MAXPKTLEN - sizeof(ip_t);
- break;
- case IPPROTO_ESP:
- plen = 8;
- break;
-# ifdef USE_INET6
- case IPPROTO_ICMPV6 :
- /*
- * XXX does not take intermediate header
- * into account
- */
- plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t);
- break;
-# endif
- }
- if ((plen > 0) && (len < hlen + plen))
- fin->fin_fl |= FI_SHORT;
- up = MIN(hlen + plen, len);
-
- if (up > m->m_len) {
-# ifdef __sgi
- /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */
- if ((up > sizeof(hbuf)) || (m_length(m) < up)) {
- ATOMIC_INCL(frstats[out].fr_pull[1]);
- return -1;
- }
- m_copydata(m, 0, up, hbuf);
- ATOMIC_INCL(frstats[out].fr_pull[0]);
- ip = (ip_t *)hbuf;
-# else /* __ sgi */
-# ifndef linux
- /*
- * Having determined that we need to pullup some data,
- * try to bring as much of the packet up into a single
- * buffer with the first pullup. This hopefully means
- * less need for doing futher pullups. Not needed for
- * Solaris because fr_precheck() does it anyway.
- *
- * The main potential for trouble here is if MLEN/MHLEN
- * become quite small, lets say < 64 bytes...but if
- * that did happen, BSD networking as a whole would be
- * slow/inefficient.
- */
-# ifdef MHLEN
- /*
- * Assume that M_PKTHDR is set and just work with what
- * is left rather than check.. Should not make any
- * real difference, anyway.
- */
- if ((MHLEN > up) && (len > up))
- up = MIN(len, MHLEN);
-# else
- if ((MLEN > up) && (len > up))
- up = MIN(len, MLEN);
-# endif
- ip = ipf_pullup(m, fin, up, ip);
- if (ip == NULL)
- return -1;
- m = *mp;
-# endif /* !linux */
-# endif /* __sgi */
- } else
- up = 0;
+ fin->fin_ipoff = (char *)ip - MTOD(m, char *);
+
+#ifdef USE_INET6
+ if (v == 6) {
+ ATOMIC_INCL(frstats[out].fr_ipv6);
+ /*
+ * Jumbo grams are quite likely too big for internal buffer
+ * structures to handle comfortably, for now, so just drop
+ * them.
+ */
+ ip6 = (ip6_t *)ip;
+ fin->fin_plen = ntohs(ip6->ip6_plen);
+ if (fin->fin_plen == 0) {
+ pass = FR_BLOCK|FR_NOMATCH;
+ goto filtered;
+ }
+ fin->fin_plen += sizeof(ip6_t);
} else
- up = 0;
-# endif /* !defined(__SVR4) && !defined(__svr4__) */
-# if SOLARIS
- mb_t *m = qif->qf_m;
+#endif
+ {
+#if (OpenBSD >= 200311) && defined(_KERNEL)
+ ip->ip_len = ntohs(ip->ip_len);
+ ip->ip_off = ntohs(ip->ip_off);
+#endif
+ fin->fin_plen = ip->ip_len;
+ }
- if ((u_int)ip & 0x3)
- return 2;
- fin->fin_mp = mp;
- fin->fin_out = out;
- fin->fin_qfm = m;
- fin->fin_qif = qif;
-# endif
-#else
- fin->fin_mp = mp;
- fin->fin_out = out;
-#endif /* _KERNEL */
-
- changed = 0;
- fin->fin_v = v;
- fin->fin_ifp = ifp;
if (fr_makefrip(hlen, ip, fin) == -1)
- return -1;
+ goto finished;
+ /*
+ * For at least IPv6 packets, if a m_pullup() fails then this pointer
+ * becomes NULL and so we have no packet to free.
+ */
+ if (*fin->fin_mp == NULL)
+ goto finished;
+
+ if (!out) {
+ if (v == 4) {
#ifdef _KERNEL
-# ifdef USE_INET6
- if (v == 6) {
- ATOMIC_INCL(frstats[0].fr_ipv6[out]);
- if (((ip6_t *)ip)->ip6_hlim < fr_minttl) {
- ATOMIC_INCL(frstats[0].fr_badttl);
- if (fr_minttllog & 1)
- logit = -3;
- if (fr_minttllog & 2)
- drop = 1;
+ if (fr_chksrc && !fr_verifysrc(fin)) {
+ ATOMIC_INCL(frstats[0].fr_badsrc);
+ fin->fin_flx |= FI_BADSRC;
+ }
+#endif
+ if (fin->fin_ip->ip_ttl < fr_minttl) {
+ ATOMIC_INCL(frstats[0].fr_badttl);
+ fin->fin_flx |= FI_LOWTTL;
+ }
}
- } else
-# endif
- if (!out) {
- if (fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) {
- ATOMIC_INCL(frstats[0].fr_badsrc);
- if (fr_chksrc & 1)
- drop = 1;
- if (fr_chksrc & 2)
- logit = -2;
- } else if (ip->ip_ttl < fr_minttl) {
- ATOMIC_INCL(frstats[0].fr_badttl);
- if (fr_minttllog & 1)
- logit = -3;
- if (fr_minttllog & 2)
- drop = 1;
- }
- }
- if (drop) {
-# ifdef IPFILTER_LOG
- if (logit) {
- fin->fin_group = logit;
- pass = FR_INQUE|FR_NOMATCH|FR_LOGB;
- (void) IPLLOG(pass, ip, fin, m);
+#ifdef USE_INET6
+ else if (v == 6) {
+ ip6 = (ip6_t *)ip;
+ if (ip6->ip6_hlim < fr_minttl) {
+ ATOMIC_INCL(frstats[0].fr_badttl);
+ fin->fin_flx |= FI_LOWTTL;
+ }
}
-# endif
-# if !SOLARIS
- m_freem(m);
-# endif
- return error;
- }
#endif
- pass = fr_pass;
- if (fin->fin_fl & FI_SHORT) {
+ }
+
+ if (fin->fin_flx & FI_SHORT) {
ATOMIC_INCL(frstats[out].fr_short);
}
@@ -1111,210 +2338,71 @@ int out;
* after it has no auth. table matchup. This also stops NAT from
* occuring until after the packet has been auth'd.
*/
- apass = fr_checkauth(ip, fin);
-
+ fr = fr_checkauth(fin, &pass);
if (!out) {
-#ifdef USE_INET6
- if (v == 6)
- list = ipacct6[0][fr_active];
- else
-#endif
- list = ipacct[0][fr_active];
- changed = ip_natin(ip, fin);
- if (!apass && (fin->fin_fr = list) &&
- (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
- ATOMIC_INCL(frstats[0].fr_acct);
+ if (fr_checknatin(fin, &pass) == -1) {
+ RWLOCK_EXIT(&ipf_mutex);
+ goto finished;
}
}
+ if (!out)
+ (void) fr_acctpkt(fin, NULL);
- if (!apass) {
- if ((fin->fin_fl & FI_FRAG) == FI_FRAG)
- fr = ipfr_knownfrag(ip, fin);
- if (!fr && !(fin->fin_fl & FI_SHORT))
- fr = fr_checkstate(ip, fin);
- if (fr != NULL)
- pass = fr->fr_flags;
- if (fr && (pass & FR_LOGFIRST))
- pass &= ~(FR_LOGFIRST|FR_LOG);
- }
-
- if (apass || !fr) {
- /*
- * If a packet is found in the auth table, then skip checking
- * the access lists for permission but we do need to consider
- * the result as if it were from the ACL's.
- */
- if (!apass) {
- fc = frcache + out;
- if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
- /*
- * copy cached data so we can unlock the mutex
- * earlier.
- */
- bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
- ATOMIC_INCL(frstats[out].fr_chit);
- if ((fr = fin->fin_fr)) {
- ATOMIC_INCL(fr->fr_hits);
- pass = fr->fr_flags;
- }
- } else {
-#ifdef USE_INET6
- if (v == 6)
- list = ipfilter6[out][fr_active];
- else
-#endif
- list = ipfilter[out][fr_active];
- if ((fin->fin_fr = list))
- pass = fr_scanlist(fr_pass, ip, fin, m);
- if (!(pass & (FR_KEEPSTATE|FR_DONTCACHE)))
- bcopy((char *)fin, (char *)fc,
- FI_COPYSIZE);
- if (pass & FR_NOMATCH) {
- ATOMIC_INCL(frstats[out].fr_nom);
- fin->fin_fr = NULL;
- }
- }
- } else
- pass = apass;
- fr = fin->fin_fr;
-
- /*
- * If we fail to add a packet to the authorization queue,
- * then we drop the packet later. However, if it was added
- * then pretend we've dropped it already.
- */
- if ((pass & FR_AUTH)) {
- if (fr_newauth((mb_t *)m, fin, ip) != 0) {
- m = *mp = NULL;
- error = 0;
- } else
- error = ENOSPC;
- }
-
- if (pass & FR_PREAUTH) {
- READ_ENTER(&ipf_auth);
- if ((fin->fin_fr = ipauth) &&
- (pass = fr_scanlist(0, ip, fin, m))) {
- ATOMIC_INCL(fr_authstats.fas_hits);
- } else {
- ATOMIC_INCL(fr_authstats.fas_miss);
- }
- RWLOCK_EXIT(&ipf_auth);
- }
+ if (fr == NULL)
+ if ((fin->fin_flx & (FI_FRAG|FI_BAD)) == FI_FRAG)
+ fr = fr_knownfrag(fin, &pass);
+ if (fr == NULL)
+ fr = fr_checkstate(fin, &pass);
- fin->fin_fr = fr;
- if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
- if (fin->fin_fl & FI_FRAG) {
- if (ipfr_newfrag(ip, fin) == -1) {
- ATOMIC_INCL(frstats[out].fr_bnfr);
- } else {
- ATOMIC_INCL(frstats[out].fr_nfr);
- }
- } else {
- ATOMIC_INCL(frstats[out].fr_cfr);
- }
- }
- if (pass & FR_KEEPSTATE) {
- if (fr_addstate(ip, fin, NULL, 0) == NULL) {
- ATOMIC_INCL(frstats[out].fr_bads);
- if (pass & FR_PASS) {
- pass &= ~FR_PASS;
- pass |= FR_BLOCK;
- }
- } else {
- ATOMIC_INCL(frstats[out].fr_ads);
- }
- }
- } else if (fr != NULL) {
- pass = fr->fr_flags;
- if (pass & FR_LOGFIRST)
- pass &= ~(FR_LOGFIRST|FR_LOG);
- }
+ if ((pass & FR_NOMATCH) || (fr == NULL))
+ fr = fr_firewall(fin, &pass);
-#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
- if (securelevel <= 0)
-#endif
- if (fr && fr->fr_func && !(pass & FR_CALLNOW))
- pass = (*fr->fr_func)(pass, ip, fin);
+ fin->fin_fr = fr;
/*
* Only count/translate packets which will be passed on, out the
* interface.
*/
- if (out && (pass & FR_PASS)) {
-#ifdef USE_INET6
- if (v == 6)
- list = ipacct6[1][fr_active];
- else
-#endif
- list = ipacct[1][fr_active];
- if (list != NULL) {
- u_32_t sg, sr;
-
- fin->fin_fr = list;
- sg = fin->fin_group;
- sr = fin->fin_rule;
- if (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT) {
- ATOMIC_INCL(frstats[1].fr_acct);
+ if (out && FR_ISPASS(pass)) {
+ (void) fr_acctpkt(fin, NULL);
+
+ if (fr_checknatout(fin, &pass) == -1) {
+ RWLOCK_EXIT(&ipf_mutex);
+ goto finished;
+ } else if ((fr_update_ipid != 0) && (v == 4)) {
+ if (fr_updateipid(fin) == -1) {
+ ATOMIC_INCL(frstats[1].fr_ipud);
+ pass &= ~FR_CMDMASK;
+ pass |= FR_BLOCK;
+ } else {
+ ATOMIC_INCL(frstats[0].fr_ipud);
}
- fin->fin_group = sg;
- fin->fin_rule = sr;
- fin->fin_fr = fr;
}
- changed = ip_natout(ip, fin);
- } else
- fin->fin_fr = fr;
- RWLOCK_EXIT(&ipf_mutex);
+ }
#ifdef IPFILTER_LOG
if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
- if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
- pass |= FF_LOGNOMATCH;
- ATOMIC_INCL(frstats[out].fr_npkl);
- goto logit;
- } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
- ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
- if ((pass & FR_LOGMASK) != FR_LOGP)
- pass |= FF_LOGPASS;
- ATOMIC_INCL(frstats[out].fr_ppkl);
- goto logit;
- } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
- ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
- if ((pass & FR_LOGMASK) != FR_LOGB)
- pass |= FF_LOGBLOCK;
- ATOMIC_INCL(frstats[out].fr_bpkl);
-logit:
- if (!IPLLOG(pass, ip, fin, m)) {
- ATOMIC_INCL(frstats[out].fr_skip);
- if ((pass & (FR_PASS|FR_LOGORBLOCK)) ==
- (FR_PASS|FR_LOGORBLOCK))
- pass ^= FR_PASS|FR_BLOCK;
- }
- }
+ (void) fr_dolog(fin, &pass);
}
-#endif /* IPFILTER_LOG */
+#endif
+
+ if (fin->fin_state != NULL)
+ fr_statederef(fin, (ipstate_t **)&fin->fin_state);
+
+ if (fin->fin_nat != NULL)
+ fr_natderef((nat_t **)&fin->fin_nat);
-#ifdef _KERNEL
/*
* Only allow FR_DUP to work if a rule matched - it makes no sense to
* set FR_DUP as a "default" as there are no instructions about where
- * to send the packet.
+ * to send the packet. Use fin_m here because it may have changed
+ * (without an update of 'm') in prior processing.
*/
- if (fr && (pass & FR_DUP))
-# if SOLARIS
- mc = dupmsg(m);
-# else
-# if defined(__OpenBSD__) && (OpenBSD >= 199905)
- mc = m_copym2(m, 0, M_COPYALL, M_DONTWAIT);
-# else
- mc = m_copy(m, 0, M_COPYALL);
-# endif
-# endif
-#endif
- if (pass & FR_PASS) {
- ATOMIC_INCL(frstats[out].fr_pass);
- } else if (pass & FR_BLOCK) {
- ATOMIC_INCL(frstats[out].fr_block);
+ if ((fr != NULL) && (pass & FR_DUP)) {
+ mc = M_DUPLICATE(fin->fin_m);
+ }
+
+ if (pass & (FR_RETRST|FR_RETICMP)) {
/*
* Should we return an ICMP packet to indicate error
* status passing through the packet filter ?
@@ -1324,33 +2412,24 @@ logit:
* some operating systems.
*/
if (!out) {
- if (changed == -1)
- /*
- * If a packet results in a NAT error, do not
- * send a reset or ICMP error as it may disrupt
- * an existing flow. This is the proxy saying
- * the content is bad so just drop the packet
- * silently.
- */
- ;
- else if (pass & FR_RETICMP) {
+ if (pass & FR_RETICMP) {
int dst;
if ((pass & FR_RETMASK) == FR_FAKEICMP)
dst = 1;
else
dst = 0;
- send_icmp_err(ip, ICMP_UNREACH, fin, dst);
+ (void) fr_send_icmp_err(ICMP_UNREACH, fin, dst);
ATOMIC_INCL(frstats[0].fr_ret);
} else if (((pass & FR_RETMASK) == FR_RETRST) &&
- !(fin->fin_fl & FI_SHORT)) {
- if (send_reset(ip, fin) == 0) {
+ !(fin->fin_flx & FI_SHORT)) {
+ if (fr_send_reset(fin) == 0) {
ATOMIC_INCL(frstats[1].fr_ret);
}
}
} else {
if (pass & FR_RETRST)
- error = ECONNRESET;
+ fin->fin_error = ECONNRESET;
}
}
@@ -1360,83 +2439,177 @@ logit:
* instructions about what to do with a packet.
* Once we're finished return to our caller, freeing the packet if
* we are dropping it (* BSD ONLY *).
+ * Reassign m from fin_m as we may have a new buffer, now.
*/
- if ((changed == -1) && (pass & FR_PASS)) {
- pass &= ~FR_PASS;
- pass |= FR_BLOCK;
- }
-#if defined(_KERNEL)
-# if !SOLARIS
-# if !defined(linux)
- if (fr) {
- frdest_t *fdp = &fr->fr_tif;
+#if defined(USE_INET6) || (defined(__sgi) && defined(_KERNEL))
+filtered:
+#endif
+ m = fin->fin_m;
+
+ if (fr != NULL) {
+ frdest_t *fdp;
+
+ fdp = &fr->fr_tifs[fin->fin_rev];
- if (((pass & FR_FASTROUTE) && !out) ||
- (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
- (void) ipfr_fastroute(m, mp, fin, fdp);
- m = *mp;
+ if (!out && (pass & FR_FASTROUTE)) {
+ /*
+ * For fastroute rule, no destioation interface defined
+ * so pass NULL as the frdest_t parameter
+ */
+ (void) fr_fastroute(m, mp, fin, NULL);
+ m = *mp = NULL;
+ } else if ((fdp->fd_ifp != NULL) &&
+ (fdp->fd_ifp != (struct ifnet *)-1)) {
+ /* this is for to rules: */
+ (void) fr_fastroute(m, mp, fin, fdp);
+ m = *mp = NULL;
}
+ /*
+ * Generate a duplicated packet.
+ */
if (mc != NULL)
- (void) ipfr_fastroute(mc, &mc, fin, &fr->fr_dif);
- }
-
- if (!(pass & FR_PASS) && m) {
- m_freem(m);
- m = *mp = NULL;
+ (void) fr_fastroute(mc, &mc, fin, &fr->fr_dif);
}
-# ifdef __sgi
- else if (changed && up && m)
- m_copyback(m, 0, up, hbuf);
-# endif
-# endif /* !linux */
-# else /* !SOLARIS */
- if (fr) {
- frdest_t *fdp = &fr->fr_tif;
- if (((pass & FR_FASTROUTE) && !out) ||
- (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1))
- (void) ipfr_fastroute(ip, m, mp, fin, fdp);
+ /*
+ * This late because the likes of fr_fastroute() use fin_fr.
+ */
+ RWLOCK_EXIT(&ipf_mutex);
- if (mc != NULL)
- (void) ipfr_fastroute(ip, mc, &mc, fin, &fr->fr_dif);
+finished:
+ if (!FR_ISPASS(pass)) {
+ ATOMIC_INCL(frstats[out].fr_block);
+ if (*mp != NULL) {
+ FREE_MB_T(*mp);
+ m = *mp = NULL;
+ }
+ } else {
+ ATOMIC_INCL(frstats[out].fr_pass);
+#if defined(_KERNEL) && defined(__sgi)
+ if ((fin->fin_hbuf != NULL) &&
+ (mtod(fin->fin_m, struct ip *) != fin->fin_ip)) {
+ COPYBACK(m, 0, fin->fin_plen, fin->fin_hbuf);
+ }
+#endif
}
-# endif /* !SOLARIS */
-#if (OpenBSD >= 200311) && defined(_KERNEL)
- if (pass & FR_PASS) {
- ip->ip_len = htons(ip->ip_len);
- ip->ip_off = htons(ip->ip_off);
+
+ RWLOCK_EXIT(&ipf_global);
+#ifdef _KERNEL
+# if OpenBSD >= 200311
+ if (FR_ISPASS(pass) && (v == 4)) {
+ ip = fin->fin_ip;
+ ip->ip_len = ntohs(ip->ip_len);
+ ip->ip_off = ntohs(ip->ip_off);
}
-#endif
- return (pass & FR_PASS) ? 0 : error;
+# endif
+ return (FR_ISPASS(pass)) ? 0 : fin->fin_error;
#else /* _KERNEL */
- if (pass & FR_NOMATCH)
+ FR_VERBOSE(("fin_flx %#x pass %#x ", fin->fin_flx, pass));
+ if ((pass & FR_NOMATCH) != 0)
return 1;
- if (pass & FR_PASS)
+
+ if ((pass & FR_RETMASK) != 0)
+ switch (pass & FR_RETMASK)
+ {
+ case FR_RETRST :
+ return 3;
+ case FR_RETICMP :
+ return 4;
+ case FR_FAKEICMP :
+ return 5;
+ }
+
+ switch (pass & FR_CMDMASK)
+ {
+ case FR_PASS :
return 0;
- if (pass & FR_AUTH)
+ case FR_BLOCK :
+ return -1;
+ case FR_AUTH :
return -2;
- if ((pass & FR_RETMASK) == FR_RETRST)
+ case FR_ACCOUNT :
return -3;
- if ((pass & FR_RETMASK) == FR_RETICMP)
+ case FR_PREAUTH :
return -4;
- if ((pass & FR_RETMASK) == FR_FAKEICMP)
- return -5;
- return -1;
+ }
+ return 2;
#endif /* _KERNEL */
}
-/*
- * ipf_cksum
- * addr should be 16bit aligned and len is in bytes.
- * length is in bytes
- */
+#ifdef IPFILTER_LOG
+/* ------------------------------------------------------------------------ */
+/* Function: fr_dolog */
+/* Returns: frentry_t* - returns contents of fin_fr (no change made) */
+/* Parameters: fin(I) - pointer to packet information */
+/* passp(IO) - pointer to current/new filter decision (unused) */
+/* */
+/* Checks flags set to see how a packet should be logged, if it is to be */
+/* logged. Adjust statistics based on its success or not. */
+/* ------------------------------------------------------------------------ */
+frentry_t *fr_dolog(fin, passp)
+fr_info_t *fin;
+u_32_t *passp;
+{
+ u_32_t pass;
+ int out;
+
+ out = fin->fin_out;
+ pass = *passp;
+
+ if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
+ pass |= FF_LOGNOMATCH;
+ ATOMIC_INCL(frstats[out].fr_npkl);
+ goto logit;
+ } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
+ (FR_ISPASS(pass) && (fr_flags & FF_LOGPASS))) {
+ if ((pass & FR_LOGMASK) != FR_LOGP)
+ pass |= FF_LOGPASS;
+ ATOMIC_INCL(frstats[out].fr_ppkl);
+ goto logit;
+ } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
+ (FR_ISBLOCK(pass) && (fr_flags & FF_LOGBLOCK))) {
+ if ((pass & FR_LOGMASK) != FR_LOGB)
+ pass |= FF_LOGBLOCK;
+ ATOMIC_INCL(frstats[out].fr_bpkl);
+logit:
+ if (ipflog(fin, pass) == -1) {
+ ATOMIC_INCL(frstats[out].fr_skip);
+
+ /*
+ * If the "or-block" option has been used then
+ * block the packet if we failed to log it.
+ */
+ if ((pass & FR_LOGORBLOCK) &&
+ FR_ISPASS(pass)) {
+ pass &= ~FR_CMDMASK;
+ pass |= FR_BLOCK;
+ }
+ }
+ *passp = pass;
+ }
+
+ return fin->fin_fr;
+}
+#endif /* IPFILTER_LOG */
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: ipf_cksum */
+/* Returns: u_short - IP header checksum */
+/* Parameters: addr(I) - pointer to start of buffer to checksum */
+/* len(I) - length of buffer in bytes */
+/* */
+/* Calculate the two's complement 16 bit checksum of the buffer passed. */
+/* */
+/* N.B.: addr should be 16bit aligned. */
+/* ------------------------------------------------------------------------ */
u_short ipf_cksum(addr, len)
-register u_short *addr;
-register int len;
+u_short *addr;
+int len;
{
- register u_32_t sum = 0;
+ u_32_t sum = 0;
for (sum = 0; len > 1; len -= 2)
sum += *addr++;
@@ -1454,42 +2627,127 @@ register int len;
}
-/*
- * NB: This function assumes we've pullup'd enough for all of the IP header
- * and the TCP header. We also assume that data blocks aren't allocated in
- * odd sizes.
- */
-u_short fr_tcpsum(m, ip, tcp)
+/* ------------------------------------------------------------------------ */
+/* Function: fr_cksum */
+/* Returns: u_short - layer 4 checksum */
+/* Parameters: m(I ) - pointer to buffer holding packet */
+/* ip(I) - pointer to IP header */
+/* l4proto(I) - protocol to caclulate checksum for */
+/* l4hdr(I) - pointer to layer 4 header */
+/* */
+/* Calculates the TCP checksum for the packet held in "m", using the data */
+/* in the IP header "ip" to seed it. */
+/* */
+/* NB: This function assumes we've pullup'd enough for all of the IP header */
+/* and the TCP header. We also assume that data blocks aren't allocated in */
+/* odd sizes. */
+/* */
+/* Expects ip_len to be in host byte order when called. */
+/* ------------------------------------------------------------------------ */
+u_short fr_cksum(m, ip, l4proto, l4hdr)
mb_t *m;
ip_t *ip;
-tcphdr_t *tcp;
+int l4proto;
+void *l4hdr;
{
- u_short *sp, slen, ts;
+ u_short *sp, slen, sumsave, l4hlen, *csump;
u_int sum, sum2;
int hlen;
+#ifdef USE_INET6
+ ip6_t *ip6;
+#endif
+
+ csump = NULL;
+ sumsave = 0;
+ l4hlen = 0;
+ sp = NULL;
+ slen = 0;
+ hlen = 0;
+ sum = 0;
/*
* Add up IP Header portion
*/
- hlen = ip->ip_hl << 2;
- slen = ip->ip_len - hlen;
- sum = htons((u_short)ip->ip_p);
- sum += htons(slen);
- sp = (u_short *)&ip->ip_src;
- sum += *sp++; /* ip_src */
- sum += *sp++;
- sum += *sp++; /* ip_dst */
- sum += *sp++;
- ts = tcp->th_sum;
- tcp->th_sum = 0;
-#ifdef KERNEL
-# if SOLARIS
+#ifdef USE_INET6
+ if (IP_V(ip) == 4) {
+#endif
+ hlen = IP_HL(ip) << 2;
+ slen = ip->ip_len - hlen;
+ sum = htons((u_short)l4proto);
+ sum += htons(slen);
+ sp = (u_short *)&ip->ip_src;
+ sum += *sp++; /* ip_src */
+ sum += *sp++;
+ sum += *sp++; /* ip_dst */
+ sum += *sp++;
+#ifdef USE_INET6
+ } else if (IP_V(ip) == 6) {
+ ip6 = (ip6_t *)ip;
+ hlen = sizeof(*ip6);
+ slen = ntohs(ip6->ip6_plen);
+ sum = htons((u_short)l4proto);
+ sum += htons(slen);
+ sp = (u_short *)&ip6->ip6_src;
+ sum += *sp++; /* ip6_src */
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++; /* ip6_dst */
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ sum += *sp++;
+ }
+#endif
+
+ switch (l4proto)
+ {
+ case IPPROTO_UDP :
+ csump = &((udphdr_t *)l4hdr)->uh_sum;
+ l4hlen = sizeof(udphdr_t);
+ break;
+
+ case IPPROTO_TCP :
+ csump = &((tcphdr_t *)l4hdr)->th_sum;
+ l4hlen = sizeof(tcphdr_t);
+ break;
+ case IPPROTO_ICMP :
+ csump = &((icmphdr_t *)l4hdr)->icmp_cksum;
+ l4hlen = 4;
+ sum = 0;
+ break;
+ default :
+ break;
+ }
+
+ if (csump != NULL) {
+ sumsave = *csump;
+ *csump = 0;
+ }
+
+ l4hlen = l4hlen; /* LINT */
+
+#ifdef _KERNEL
+# ifdef MENTAT
+ {
+ void *rp = m->b_rptr;
+
+ if ((unsigned char *)ip > m->b_rptr && (unsigned char *)ip < m->b_wptr)
+ m->b_rptr = (u_char *)ip;
sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
- sum2 = ~sum2 & 0xffff;
-# else /* SOLARIS */
+ m->b_rptr = rp;
+ sum2 = (u_short)(~sum2 & 0xffff);
+ }
+# else /* MENTAT */
# if defined(BSD) || defined(sun)
-# if BSD >= 199306
+# if BSD >= 199103
m->m_data += hlen;
# else
m->m_off += hlen;
@@ -1497,7 +2755,7 @@ tcphdr_t *tcp;
m->m_len -= hlen;
sum2 = in_cksum(m, slen);
m->m_len += hlen;
-# if BSD >= 199306
+# if BSD >= 199103
m->m_data -= hlen;
# else
m->m_off -= hlen;
@@ -1516,35 +2774,44 @@ tcphdr_t *tcp;
u_short s;
} bytes;
u_short len = ip->ip_len;
-# if defined(__sgi)
+# if defined(__sgi)
int add;
-# endif
+# endif
/*
* Add up IP Header portion
*/
- sp = (u_short *)&ip->ip_src;
- len -= (ip->ip_hl << 2);
- sum = ntohs(IPPROTO_TCP);
- sum += htons(len);
- sum += *sp++; /* ip_src */
- sum += *sp++;
- sum += *sp++; /* ip_dst */
- sum += *sp++;
- if (sp != (u_short *)tcp)
- sp = (u_short *)tcp;
- sum += *sp++; /* sport */
- sum += *sp++; /* dport */
- sum += *sp++; /* seq */
- sum += *sp++;
- sum += *sp++; /* ack */
- sum += *sp++;
- sum += *sp++; /* off */
- sum += *sp++; /* win */
- sum += *sp++; /* Skip over checksum */
- sum += *sp++; /* urp */
-
-# ifdef __sgi
+ if (sp != (u_short *)l4hdr)
+ sp = (u_short *)l4hdr;
+
+ switch (l4proto)
+ {
+ case IPPROTO_UDP :
+ sum += *sp++; /* sport */
+ sum += *sp++; /* dport */
+ sum += *sp++; /* udp length */
+ sum += *sp++; /* checksum */
+ break;
+
+ case IPPROTO_TCP :
+ sum += *sp++; /* sport */
+ sum += *sp++; /* dport */
+ sum += *sp++; /* seq */
+ sum += *sp++;
+ sum += *sp++; /* ack */
+ sum += *sp++;
+ sum += *sp++; /* off */
+ sum += *sp++; /* win */
+ sum += *sp++; /* checksum */
+ sum += *sp++; /* urp */
+ break;
+ case IPPROTO_ICMP :
+ sum = *sp++; /* type/code */
+ sum += *sp++; /* checksum */
+ break;
+ }
+
+# ifdef __sgi
/*
* In case we had to copy the IP & TCP header out of mbufs,
* skip over the mbuf bits which are the header
@@ -1562,24 +2829,26 @@ tcphdr_t *tcp;
break;
sp = mtod(m, u_short *);
}
- PANIC((!m),("fr_tcpsum(1): not enough data"));
+ PANIC((!m),("fr_cksum(1): not enough data"));
}
}
}
-# endif
+# endif
- if (!(len -= sizeof(*tcp)))
+ len -= (l4hlen + hlen);
+ if (len <= 0)
goto nodata;
+
while (len > 1) {
if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
m = m->m_next;
- PANIC((!m),("fr_tcpsum(2): not enough data"));
+ PANIC((!m),("fr_cksum(2): not enough data"));
sp = mtod(m, u_short *);
}
if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) {
bytes.c[0] = *(u_char *)sp;
m = m->m_next;
- PANIC((!m),("fr_tcpsum(3): not enough data"));
+ PANIC((!m),("fr_cksum(3): not enough data"));
sp = mtod(m, u_short *);
bytes.c[1] = *(u_char *)sp;
sum += bytes.s;
@@ -1592,7 +2861,8 @@ tcphdr_t *tcp;
sum += *sp++;
len -= 2;
}
- if (len)
+
+ if (len != 0)
sum += ntohs(*(u_char *)sp << 8);
nodata:
while (sum > 0xffff)
@@ -1600,22 +2870,24 @@ nodata:
sum2 = (u_short)(~sum & 0xffff);
}
# endif /* defined(BSD) || defined(sun) */
-# endif /* SOLARIS */
-#else /* KERNEL */
+# endif /* MENTAT */
+#else /* _KERNEL */
for (; slen > 1; slen -= 2)
- sum += *sp++;
+ sum += *sp++;
if (slen)
sum += ntohs(*(u_char *)sp << 8);
while (sum > 0xffff)
sum = (sum & 0xffff) + (sum >> 16);
sum2 = (u_short)(~sum & 0xffff);
-#endif /* KERNEL */
- tcp->th_sum = ts;
+#endif /* _KERNEL */
+ if (csump != NULL)
+ *csump = sumsave;
return sum2;
}
-#if defined(_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || defined(__sgi) )
+#if defined(_KERNEL) && ( ((BSD < 199103) && !defined(MENTAT)) || \
+ defined(__sgi) ) && !defined(linux)
/*
* Copyright (c) 1982, 1986, 1988, 1991, 1993
* The Regents of the University of California. All rights reserved.
@@ -1628,11 +2900,7 @@ nodata:
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
+ * 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
@@ -1649,7 +2917,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.82 2004/06/20 10:27:47 darrenr Exp $
+ * Id: fil.c,v 2.243.2.57 2005/03/28 10:47:50 darrenr Exp
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1657,12 +2925,12 @@ nodata:
*/
void
m_copydata(m, off, len, cp)
- register mb_t *m;
- register int off;
- register int len;
+ mb_t *m;
+ int off;
+ int len;
caddr_t cp;
{
- register unsigned count;
+ unsigned count;
if (off < 0 || len < 0)
panic("m_copydata");
@@ -1687,7 +2955,6 @@ m_copydata(m, off, len, cp)
}
-# ifndef linux
/*
* Copy data from a buffer back into the indicated mbuf chain,
* starting "off" bytes from the beginning, extending the mbuf
@@ -1696,12 +2963,12 @@ m_copydata(m, off, len, cp)
void
m_copyback(m0, off, len, cp)
struct mbuf *m0;
- register int off;
- register int len;
+ int off;
+ int len;
caddr_t cp;
{
- register int mlen;
- register struct mbuf *m = m0, *n;
+ int mlen;
+ struct mbuf *m = m0, *n;
int totlen = 0;
if (m0 == 0)
@@ -1744,169 +3011,322 @@ out:
#endif
return;
}
-# endif /* linux */
-#endif /* (_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || __sgi) */
-
-
-frgroup_t *fr_findgroup(num, flags, which, set, fgpp)
-u_32_t num, flags;
-minor_t which;
+#endif /* (_KERNEL) && ( ((BSD < 199103) && !MENTAT) || __sgi) */
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_findgroup */
+/* Returns: frgroup_t * - NULL = group not found, else pointer to group */
+/* Parameters: group(I) - group name to search for */
+/* unit(I) - device to which this group belongs */
+/* set(I) - which set of rules (inactive/inactive) this is */
+/* fgpp(O) - pointer to place to store pointer to the pointer */
+/* to where to add the next (last) group or where */
+/* to delete group from. */
+/* */
+/* Search amongst the defined groups for a particular group number. */
+/* ------------------------------------------------------------------------ */
+frgroup_t *fr_findgroup(group, unit, set, fgpp)
+char *group;
+minor_t unit;
int set;
frgroup_t ***fgpp;
{
frgroup_t *fg, **fgp;
- if (which == IPL_LOGAUTH)
- fgp = &ipfgroups[2][set];
- else if (flags & FR_ACCOUNT)
- fgp = &ipfgroups[1][set];
- else if (flags & (FR_OUTQUE|FR_INQUE))
- fgp = &ipfgroups[0][set];
- else
- return NULL;
+ /*
+ * Which list of groups to search in is dependant on which list of
+ * rules are being operated on.
+ */
+ fgp = &ipfgroups[unit][set];
- while ((fg = *fgp))
- if (fg->fg_num == num)
+ while ((fg = *fgp) != NULL) {
+ if (strncmp(group, fg->fg_name, FR_GROUPLEN) == 0)
break;
else
fgp = &fg->fg_next;
- if (fgpp)
+ }
+ if (fgpp != NULL)
*fgpp = fgp;
return fg;
}
-frgroup_t *fr_addgroup(num, fp, which, set)
-u_32_t num;
-frentry_t *fp;
-minor_t which;
+/* ------------------------------------------------------------------------ */
+/* Function: fr_addgroup */
+/* Returns: frgroup_t * - NULL == did not create group, */
+/* != NULL == pointer to the group */
+/* Parameters: num(I) - group number to add */
+/* head(I) - rule pointer that is using this as the head */
+/* flags(I) - rule flags which describe the type of rule it is */
+/* unit(I) - device to which this group will belong to */
+/* set(I) - which set of rules (inactive/inactive) this is */
+/* Write Locks: ipf_mutex */
+/* */
+/* Add a new group head, or if it already exists, increase the reference */
+/* count to it. */
+/* ------------------------------------------------------------------------ */
+frgroup_t *fr_addgroup(group, head, flags, unit, set)
+char *group;
+void *head;
+u_32_t flags;
+minor_t unit;
int set;
{
frgroup_t *fg, **fgp;
+ u_32_t gflags;
- if ((fg = fr_findgroup(num, fp->fr_flags, which, set, &fgp)))
- return fg;
+ if (group == NULL)
+ return NULL;
+ if (unit == IPL_LOGIPF && *group == '\0')
+ return NULL;
+
+ fgp = NULL;
+ gflags = flags & FR_INOUT;
+
+ fg = fr_findgroup(group, unit, set, &fgp);
+ if (fg != NULL) {
+ if (fg->fg_flags == 0)
+ fg->fg_flags = gflags;
+ else if (gflags != fg->fg_flags)
+ return NULL;
+ fg->fg_ref++;
+ return fg;
+ }
KMALLOC(fg, frgroup_t *);
- if (fg) {
- fg->fg_num = num;
+ if (fg != NULL) {
+ fg->fg_head = head;
+ fg->fg_start = NULL;
fg->fg_next = *fgp;
- fg->fg_head = fp;
- fg->fg_start = &fp->fr_grp;
+ bcopy(group, fg->fg_name, FR_GROUPLEN);
+ fg->fg_flags = gflags;
+ fg->fg_ref = 1;
*fgp = fg;
}
return fg;
}
-void fr_delgroup(num, flags, which, set)
-u_32_t num, flags;
-minor_t which;
+/* ------------------------------------------------------------------------ */
+/* Function: fr_delgroup */
+/* Returns: Nil */
+/* Parameters: group(I) - group name to delete */
+/* unit(I) - device to which this group belongs */
+/* set(I) - which set of rules (inactive/inactive) this is */
+/* Write Locks: ipf_mutex */
+/* */
+/* Attempt to delete a group head. */
+/* Only do this when its reference count reaches 0. */
+/* ------------------------------------------------------------------------ */
+void fr_delgroup(group, unit, set)
+char *group;
+minor_t unit;
int set;
{
frgroup_t *fg, **fgp;
-
- if (!(fg = fr_findgroup(num, flags, which, set, &fgp)))
+
+ fg = fr_findgroup(group, unit, set, &fgp);
+ if (fg == NULL)
return;
-
- *fgp = fg->fg_next;
- KFREE(fg);
+
+ fg->fg_ref--;
+ if (fg->fg_ref == 0) {
+ *fgp = fg->fg_next;
+ KFREE(fg);
+ }
}
+/* ------------------------------------------------------------------------ */
+/* Function: fr_getrulen */
+/* Returns: frentry_t * - NULL == not found, else pointer to rule n */
+/* Parameters: unit(I) - device for which to count the rule's number */
+/* flags(I) - which set of rules to find the rule in */
+/* group(I) - group name */
+/* n(I) - rule number to find */
+/* */
+/* Find rule # n in group # g and return a pointer to it. Return NULl if */
+/* group # g doesn't exist or there are less than n rules in the group. */
+/* ------------------------------------------------------------------------ */
+frentry_t *fr_getrulen(unit, group, n)
+int unit;
+char *group;
+u_32_t n;
+{
+ frentry_t *fr;
+ frgroup_t *fg;
-/*
- * recursively flush rules from the list, descending groups as they are
- * encountered. if a rule is the head of a group and it has lost all its
- * group members, then also delete the group reference.
- */
+ fg = fr_findgroup(group, unit, fr_active, NULL);
+ if (fg == NULL)
+ return NULL;
+ for (fr = fg->fg_head; fr && n; fr = fr->fr_next, n--)
+ ;
+ if (n != 0)
+ return NULL;
+ return fr;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_rulen */
+/* Returns: int - >= 0 - rule number, -1 == search failed */
+/* Parameters: unit(I) - device for which to count the rule's number */
+/* fr(I) - pointer to rule to match */
+/* */
+/* Return the number for a rule on a specific filtering device. */
+/* ------------------------------------------------------------------------ */
+int fr_rulen(unit, fr)
+int unit;
+frentry_t *fr;
+{
+ frentry_t *fh;
+ frgroup_t *fg;
+ u_32_t n = 0;
+
+ if (fr == NULL)
+ return -1;
+ fg = fr_findgroup(fr->fr_group, unit, fr_active, NULL);
+ if (fg == NULL)
+ return -1;
+ for (fh = fg->fg_head; fh; n++, fh = fh->fr_next)
+ if (fh == fr)
+ break;
+ if (fh == NULL)
+ return -1;
+ return n;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: frflushlist */
+/* Returns: int - >= 0 - number of flushed rules */
+/* Parameters: set(I) - which set of rules (inactive/inactive) this is */
+/* unit(I) - device for which to flush rules */
+/* flags(I) - which set of rules to flush */
+/* nfreedp(O) - pointer to int where flush count is stored */
+/* listp(I) - pointer to list to flush pointer */
+/* Write Locks: ipf_mutex */
+/* */
+/* Recursively flush rules from the list, descending groups as they are */
+/* encountered. if a rule is the head of a group and it has lost all its */
+/* group members, then also delete the group reference. nfreedp is needed */
+/* to store the accumulating count of rules removed, whereas the returned */
+/* value is just the number removed from the current list. The latter is */
+/* needed to correctly adjust reference counts on rules that define groups. */
+/* */
+/* NOTE: Rules not loaded from user space cannot be flushed. */
+/* ------------------------------------------------------------------------ */
static int frflushlist(set, unit, nfreedp, listp)
int set;
minor_t unit;
int *nfreedp;
frentry_t **listp;
{
- register int freed = 0, i;
- register frentry_t *fp;
+ int freed = 0, i;
+ frentry_t *fp;
- while ((fp = *listp)) {
+ while ((fp = *listp) != NULL) {
+ if ((fp->fr_type & FR_T_BUILTIN) ||
+ !(fp->fr_flags & FR_COPIED)) {
+ listp = &fp->fr_next;
+ continue;
+ }
*listp = fp->fr_next;
- if (fp->fr_grp) {
- i = frflushlist(set, unit, nfreedp, &fp->fr_grp);
- MUTEX_ENTER(&ipf_rw);
+ if (fp->fr_grp != NULL) {
+ i = frflushlist(set, unit, nfreedp, fp->fr_grp);
fp->fr_ref -= i;
- MUTEX_EXIT(&ipf_rw);
}
- ATOMIC_DEC32(fp->fr_ref);
- if (fp->fr_grhead) {
- fr_delgroup(fp->fr_grhead, fp->fr_flags,
- unit, set);
- fp->fr_grhead = 0;
+ if (fp->fr_grhead != NULL) {
+ fr_delgroup(fp->fr_grhead, unit, set);
+ *fp->fr_grhead = '\0';
}
- if (fp->fr_ref == 0) {
- KFREE(fp);
+
+ ASSERT(fp->fr_ref > 0);
+ fp->fr_next = NULL;
+ if (fr_derefrule(&fp) == 0)
freed++;
- } else
- fp->fr_next = NULL;
}
*nfreedp += freed;
return freed;
}
+/* ------------------------------------------------------------------------ */
+/* Function: frflush */
+/* Returns: int - >= 0 - number of flushed rules */
+/* Parameters: unit(I) - device for which to flush rules */
+/* flags(I) - which set of rules to flush */
+/* */
+/* Calls flushlist() for all filter rules (accounting, firewall - both IPv4 */
+/* and IPv6) as defined by the value of flags. */
+/* ------------------------------------------------------------------------ */
int frflush(unit, proto, flags)
minor_t unit;
int proto, flags;
{
int flushed = 0, set;
- if (unit != IPL_LOGIPF)
- return 0;
WRITE_ENTER(&ipf_mutex);
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
+ bzero((char *)frcache, sizeof(frcache));
set = fr_active;
- if (flags & FR_INACTIVE)
+ if ((flags & FR_INACTIVE) == FR_INACTIVE)
set = 1 - set;
if (flags & FR_OUTQUE) {
-#ifdef USE_INET6
if (proto == 0 || proto == 6) {
(void) frflushlist(set, unit,
- &flushed, &ipfilter6[1][set]);
+ &flushed, &ipfilter6[1][set]);
(void) frflushlist(set, unit,
- &flushed, &ipacct6[1][set]);
+ &flushed, &ipacct6[1][set]);
}
-#endif
if (proto == 0 || proto == 4) {
(void) frflushlist(set, unit,
- &flushed, &ipfilter[1][set]);
+ &flushed, &ipfilter[1][set]);
(void) frflushlist(set, unit,
- &flushed, &ipacct[1][set]);
+ &flushed, &ipacct[1][set]);
}
}
if (flags & FR_INQUE) {
-#ifdef USE_INET6
if (proto == 0 || proto == 6) {
(void) frflushlist(set, unit,
- &flushed, &ipfilter6[0][set]);
+ &flushed, &ipfilter6[0][set]);
(void) frflushlist(set, unit,
- &flushed, &ipacct6[0][set]);
+ &flushed, &ipacct6[0][set]);
}
-#endif
if (proto == 0 || proto == 4) {
(void) frflushlist(set, unit,
- &flushed, &ipfilter[0][set]);
+ &flushed, &ipfilter[0][set]);
(void) frflushlist(set, unit,
- &flushed, &ipacct[0][set]);
+ &flushed, &ipacct[0][set]);
}
}
RWLOCK_EXIT(&ipf_mutex);
+
+ if (unit == IPL_LOGIPF) {
+ int tmp;
+
+ tmp = frflush(IPL_LOGCOUNT, proto, flags);
+ if (tmp >= 0)
+ flushed += tmp;
+ }
return flushed;
}
+/* ------------------------------------------------------------------------ */
+/* Function: memstr */
+/* Returns: char * - NULL if failed, != NULL pointer to matching bytes */
+/* Parameters: src(I) - pointer to byte sequence to match */
+/* dst(I) - pointer to byte sequence to search */
+/* slen(I) - match length */
+/* dlen(I) - length available to search in */
+/* */
+/* Search dst for a sequence of bytes matching those at src and extend for */
+/* slen bytes. */
+/* ------------------------------------------------------------------------ */
char *memstr(src, dst, slen, dlen)
char *src, *dst;
int slen, dlen;
@@ -1923,34 +3343,50 @@ int slen, dlen;
}
return s;
}
-
-
-void fixskip(listp, rp, addremove)
+/* ------------------------------------------------------------------------ */
+/* Function: fr_fixskip */
+/* Returns: Nil */
+/* Parameters: listp(IO) - pointer to start of list with skip rule */
+/* rp(I) - rule added/removed with skip in it. */
+/* addremove(I) - adjustment (-1/+1) to make to skip count, */
+/* depending on whether a rule was just added */
+/* or removed. */
+/* */
+/* Adjust all the rules in a list which would have skip'd past the position */
+/* where we are inserting to skip to the right place given the change. */
+/* ------------------------------------------------------------------------ */
+void fr_fixskip(listp, rp, addremove)
frentry_t **listp, *rp;
int addremove;
{
+ int rules, rn;
frentry_t *fp;
- int rules = 0, rn = 0;
- for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++)
- ;
+ rules = 0;
+ for (fp = *listp; (fp != NULL) && (fp != rp); fp = fp->fr_next)
+ rules++;
if (!fp)
return;
- for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
- if (fp->fr_skip && (rn + fp->fr_skip >= rules))
- fp->fr_skip += addremove;
+ for (rn = 0, fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
+ if (FR_ISSKIP(fp->fr_flags) && (rn + fp->fr_arg >= rules))
+ fp->fr_arg += addremove;
}
#ifdef _KERNEL
-/*
- * count consecutive 1's in bit mask. If the mask generated by counting
- * consecutive 1's is different to that passed, return -1, else return #
- * of bits.
- */
-int countbits(ip)
+/* ------------------------------------------------------------------------ */
+/* Function: count4bits */
+/* Returns: int - >= 0 - number of consecutive bits in input */
+/* Parameters: ip(I) - 32bit IP address */
+/* */
+/* IPv4 ONLY */
+/* count consecutive 1's in bit mask. If the mask generated by counting */
+/* consecutive 1's is different to that passed, return -1, else return # */
+/* of bits. */
+/* ------------------------------------------------------------------------ */
+int count4bits(ip)
u_32_t ip;
{
u_32_t ipn;
@@ -1974,192 +3410,156 @@ u_32_t ip;
}
-/*
- * return the first IP Address associated with an interface
- */
-int fr_ifpaddr(v, ifptr, inp)
-int v;
-void *ifptr;
-struct in_addr *inp;
+# if 0
+/* ------------------------------------------------------------------------ */
+/* Function: count6bits */
+/* Returns: int - >= 0 - number of consecutive bits in input */
+/* Parameters: msk(I) - pointer to start of IPv6 bitmask */
+/* */
+/* IPv6 ONLY */
+/* count consecutive 1's in bit mask. */
+/* ------------------------------------------------------------------------ */
+int count6bits(msk)
+u_32_t *msk;
{
-# ifdef USE_INET6
- struct in6_addr *inp6 = NULL;
-# endif
-# if SOLARIS
- ill_t *ill = ifptr;
-# else
- struct ifnet *ifp = ifptr;
-# endif
- struct in_addr in;
-
-# if SOLARIS
-# ifdef USE_INET6
- if (v == 6) {
- struct in6_addr in6;
+ int i = 0, k;
+ u_32_t j;
- /*
- * First is always link local.
- */
- if (ill->ill_ipif->ipif_next)
- in6 = ill->ill_ipif->ipif_next->ipif_v6lcl_addr;
- else
- bzero((char *)&in6, sizeof(in6));
- bcopy((char *)&in6, (char *)inp, sizeof(in6));
- } else
-# endif
- {
- in.s_addr = ill->ill_ipif->ipif_local_addr;
- *inp = in;
- }
-# else /* SOLARIS */
-# if linux
- ;
-# else /* linux */
- struct sockaddr_in *sin;
- struct ifaddr *ifa;
-
-# if (__FreeBSD_version >= 300000)
- ifa = TAILQ_FIRST(&ifp->if_addrhead);
-# else
-# if defined(__NetBSD__) || defined(__OpenBSD__)
- ifa = ifp->if_addrlist.tqh_first;
-# else
-# if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
- ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa;
-# else
- ifa = ifp->if_addrlist;
-# endif
-# endif /* __NetBSD__ || __OpenBSD__ */
-# endif /* __FreeBSD_version >= 300000 */
-# if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK))
- sin = (struct sockaddr_in *)&ifa->ifa_addr;
-# else
- sin = (struct sockaddr_in *)ifa->ifa_addr;
- while (sin && ifa) {
- if ((v == 4) && (sin->sin_family == AF_INET))
- break;
-# ifdef USE_INET6
- if ((v == 6) && (sin->sin_family == AF_INET6)) {
- inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
- if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
- !IN6_IS_ADDR_LOOPBACK(inp6))
- break;
+ for (k = 3; k >= 0; k--)
+ if (msk[k] == 0xffffffff)
+ i += 32;
+ else {
+ for (j = msk[k]; j; j <<= 1)
+ if (j & 0x80000000)
+ i++;
}
-# endif
-# if (__FreeBSD_version >= 300000)
- ifa = TAILQ_NEXT(ifa, ifa_link);
-# else
-# if defined(__NetBSD__) || defined(__OpenBSD__)
- ifa = ifa->ifa_list.tqe_next;
-# else
- ifa = ifa->ifa_next;
-# endif
-# endif /* __FreeBSD_version >= 300000 */
- if (ifa)
- sin = (struct sockaddr_in *)ifa->ifa_addr;
- }
- if (ifa == NULL)
- sin = NULL;
- if (sin == NULL)
- return -1;
-# endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */
-# ifdef USE_INET6
- if (v == 6)
- bcopy((char *)inp6, (char *)inp, sizeof(*inp6));
- else
-# endif
- {
- in = sin->sin_addr;
- *inp = in;
- }
-# endif /* linux */
-# endif /* SOLARIS */
- return 0;
+ return i;
}
+# endif
+#endif /* _KERNEL */
-static void frsynclist(fr)
-register frentry_t *fr;
+/* ------------------------------------------------------------------------ */
+/* Function: frsynclist */
+/* Returns: void */
+/* Parameters: fr(I) - start of filter list to sync interface names for */
+/* ifp(I) - interface pointer for limiting sync lookups */
+/* Write Locks: ipf_mutex */
+/* */
+/* Walk through a list of filter rules and resolve any interface names into */
+/* pointers. Where dynamic addresses are used, also update the IP address */
+/* used in the rule. The interface pointer is used to limit the lookups to */
+/* a specific set of matching names if it is non-NULL. */
+/* ------------------------------------------------------------------------ */
+static void frsynclist(fr, ifp)
+frentry_t *fr;
+void *ifp;
{
frdest_t *fdp;
- int i;
+ int v, i;
for (; fr; fr = fr->fr_next) {
+ v = fr->fr_v;
+
+ /*
+ * Lookup all the interface names that are part of the rule.
+ */
for (i = 0; i < 4; i++) {
- if ((fr->fr_ifnames[i][1] == '\0') &&
- ((fr->fr_ifnames[i][0] == '-') ||
- (fr->fr_ifnames[i][0] == '*'))) {
- fr->fr_ifas[i] = NULL;
- } else if (*fr->fr_ifnames[i]) {
- fr->fr_ifas[i] = GETUNIT(fr->fr_ifnames[i],
- fr->fr_v);
- if (!fr->fr_ifas[i])
- fr->fr_ifas[i] = (void *)-1;
+ if ((ifp != NULL) && (fr->fr_ifas[i] != ifp))
+ continue;
+ fr->fr_ifas[i] = fr_resolvenic(fr->fr_ifnames[i], v);
+ }
+
+ if (fr->fr_type == FR_T_IPF) {
+ if (fr->fr_satype != FRI_NORMAL &&
+ fr->fr_satype != FRI_LOOKUP) {
+ (void)fr_ifpaddr(v, fr->fr_satype,
+ fr->fr_ifas[fr->fr_sifpidx],
+ &fr->fr_src, &fr->fr_smsk);
+ }
+ if (fr->fr_datype != FRI_NORMAL &&
+ fr->fr_datype != FRI_LOOKUP) {
+ (void)fr_ifpaddr(v, fr->fr_datype,
+ fr->fr_ifas[fr->fr_difpidx],
+ &fr->fr_dst, &fr->fr_dmsk);
}
}
+ fdp = &fr->fr_tifs[0];
+ if ((ifp == NULL) || (fdp->fd_ifp == ifp))
+ fr_resolvedest(fdp, v);
+
+ fdp = &fr->fr_tifs[1];
+ if ((ifp == NULL) || (fdp->fd_ifp == ifp))
+ fr_resolvedest(fdp, v);
+
fdp = &fr->fr_dif;
- fr->fr_flags &= ~FR_DUP;
- if (*fdp->fd_ifname) {
- fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fr->fr_v);
- if (!fdp->fd_ifp)
- fdp->fd_ifp = (struct ifnet *)-1;
- else
+ if ((ifp == NULL) || (fdp->fd_ifp == ifp)) {
+ fr_resolvedest(fdp, v);
+
+ fr->fr_flags &= ~FR_DUP;
+ if ((fdp->fd_ifp != (void *)-1) &&
+ (fdp->fd_ifp != NULL))
fr->fr_flags |= FR_DUP;
}
- fdp = &fr->fr_tif;
- if (*fdp->fd_ifname) {
- fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fr->fr_v);
- if (!fdp->fd_ifp)
- fdp->fd_ifp = (struct ifnet *)-1;
+#ifdef IPFILTER_LOOKUP
+ if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP &&
+ fr->fr_srcptr == NULL) {
+ fr->fr_srcptr = fr_resolvelookup(fr->fr_srctype,
+ fr->fr_srcnum,
+ &fr->fr_srcfunc);
}
-
- if (fr->fr_grp)
- frsynclist(fr->fr_grp);
+ if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP &&
+ fr->fr_dstptr == NULL) {
+ fr->fr_dstptr = fr_resolvelookup(fr->fr_dsttype,
+ fr->fr_dstnum,
+ &fr->fr_dstfunc);
+ }
+#endif
}
}
-void frsync()
+#ifdef _KERNEL
+/* ------------------------------------------------------------------------ */
+/* Function: frsync */
+/* Returns: void */
+/* Parameters: Nil */
+/* */
+/* frsync() is called when we suspect that the interface list or */
+/* information about interfaces (like IP#) has changed. Go through all */
+/* filter rules, NAT entries and the state table and check if anything */
+/* needs to be changed/updated. */
+/* ------------------------------------------------------------------------ */
+void frsync(ifp)
+void *ifp;
{
+ int i;
+
# if !SOLARIS
- register struct ifnet *ifp;
-
-# if defined(__OpenBSD__) || ((NetBSD >= 199511) && (NetBSD < 1991011)) || \
- (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000))
-# if (NetBSD >= 199905) || defined(__OpenBSD__)
- for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next)
-# elif defined(__FreeBSD_version) && (__FreeBSD_version >= 500043)
- IFNET_RLOCK();
- TAILQ_FOREACH(ifp, &ifnet, if_link);
-# else
- for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_link.tqe_next)
-# endif
-# else
- for (ifp = ifnet; ifp; ifp = ifp->if_next)
-# endif
- {
- ip_natsync(ifp);
- ip_statesync(ifp);
- }
- ip_natsync((struct ifnet *)-1);
-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 500043)
- IFNET_RUNLOCK();
-# endif
-# endif /* !SOLARIS */
+ fr_natsync(ifp);
+ fr_statesync(ifp);
+# endif
WRITE_ENTER(&ipf_mutex);
- frsynclist(ipacct[0][fr_active]);
- frsynclist(ipacct[1][fr_active]);
- frsynclist(ipfilter[0][fr_active]);
- frsynclist(ipfilter[1][fr_active]);
-#ifdef USE_INET6
- frsynclist(ipacct6[0][fr_active]);
- frsynclist(ipacct6[1][fr_active]);
- frsynclist(ipfilter6[0][fr_active]);
- frsynclist(ipfilter6[1][fr_active]);
-#endif
+ frsynclist(ipacct[0][fr_active], ifp);
+ frsynclist(ipacct[1][fr_active], ifp);
+ frsynclist(ipfilter[0][fr_active], ifp);
+ frsynclist(ipfilter[1][fr_active], ifp);
+ frsynclist(ipacct6[0][fr_active], ifp);
+ frsynclist(ipacct6[1][fr_active], ifp);
+ frsynclist(ipfilter6[0][fr_active], ifp);
+ frsynclist(ipfilter6[1][fr_active], ifp);
+
+ for (i = 0; i < IPL_LOGSIZE; i++) {
+ frgroup_t *g;
+
+ for (g = ipfgroups[i][0]; g != NULL; g = g->fg_next)
+ frsynclist(g->fg_start, ifp);
+ for (g = ipfgroups[i][1]; g != NULL; g = g->fg_next)
+ frsynclist(g->fg_start, ifp);
+ }
RWLOCK_EXIT(&ipf_mutex);
}
@@ -2169,156 +3569,134 @@ void frsync()
* copied _from_ in this instance is a pointer to a char buf (which could
* end up being unaligned) and on the kernel's local stack.
*/
-int ircopyptr(a, b, c)
-void *a, *b;
-size_t c;
+/* ------------------------------------------------------------------------ */
+/* Function: copyinptr */
+/* Returns: int - 0 = success, else failure */
+/* Parameters: src(I) - pointer to the source address */
+/* dst(I) - destination address */
+/* size(I) - number of bytes to copy */
+/* */
+/* Copy a block of data in from user space, given a pointer to the pointer */
+/* to start copying from (src) and a pointer to where to store it (dst). */
+/* NB: src - pointer to user space pointer, dst - kernel space pointer */
+/* ------------------------------------------------------------------------ */
+int copyinptr(src, dst, size)
+void *src, *dst;
+size_t size;
{
caddr_t ca;
int err;
-#if SOLARIS
- if (copyin(a, (char *)&ca, sizeof(ca)))
- return EFAULT;
-#else
- bcopy(a, &ca, sizeof(ca));
-#endif
- err = copyin(ca, b, c);
- if (err)
- err = EFAULT;
+# if SOLARIS
+ err = COPYIN(src, (caddr_t)&ca, sizeof(ca));
+ if (err != 0)
+ return err;
+# else
+ bcopy(src, (caddr_t)&ca, sizeof(ca));
+# endif
+ err = COPYIN(ca, dst, size);
return err;
}
-int iwcopyptr(a, b, c)
-void *a, *b;
-size_t c;
+/* ------------------------------------------------------------------------ */
+/* Function: copyoutptr */
+/* Returns: int - 0 = success, else failure */
+/* Parameters: src(I) - pointer to the source address */
+/* dst(I) - destination address */
+/* size(I) - number of bytes to copy */
+/* */
+/* Copy a block of data out to user space, given a pointer to the pointer */
+/* to start copying from (src) and a pointer to where to store it (dst). */
+/* NB: src - kernel space pointer, dst - pointer to user space pointer. */
+/* ------------------------------------------------------------------------ */
+int copyoutptr(src, dst, size)
+void *src, *dst;
+size_t size;
{
caddr_t ca;
int err;
-#if SOLARIS
- if (copyin(b, (char *)&ca, sizeof(ca)))
- return EFAULT;
-#else
- bcopy(b, &ca, sizeof(ca));
-#endif
- err = copyout(a, ca, c);
- if (err)
- err = EFAULT;
+# if SOLARIS
+ err = COPYIN(dst, (caddr_t)&ca, sizeof(ca));
+ if (err != 0)
+ return err;
+# else
+ bcopy(dst, (caddr_t)&ca, sizeof(ca));
+# endif
+ err = COPYOUT(src, ca, size);
return err;
}
-
-#else /* _KERNEL */
-
-
-/*
- * return the first IP Address associated with an interface
- */
-int fr_ifpaddr(v, ifptr, inp)
-int v;
-void *ifptr;
-struct in_addr *inp;
-{
- return 0;
-}
-
-
-int ircopyptr(a, b, c)
-void *a, *b;
-size_t c;
-{
- caddr_t ca;
-
- bcopy(a, &ca, sizeof(ca));
- bcopy(ca, b, c);
- return 0;
-}
-
-
-int iwcopyptr(a, b, c)
-void *a, *b;
-size_t c;
-{
- caddr_t ca;
-
- bcopy(b, &ca, sizeof(ca));
- bcopy(a, ca, c);
- return 0;
-}
-
-
#endif
-int fr_lock(data, lockp)
+/* ------------------------------------------------------------------------ */
+/* Function: fr_lock */
+/* Returns: (void) */
+/* Parameters: data(I) - pointer to lock value to set */
+/* lockp(O) - pointer to location to store old lock value */
+/* */
+/* Get the new value for the lock integer, set it and return the old value */
+/* in *lockp. */
+/* ------------------------------------------------------------------------ */
+void fr_lock(data, lockp)
caddr_t data;
int *lockp;
{
- int arg, error;
+ int arg;
- error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
- if (!error) {
- error = IWCOPY((caddr_t)lockp, data, sizeof(*lockp));
- if (!error)
- *lockp = arg;
- }
- return error;
+ BCOPYIN(data, (caddr_t)&arg, sizeof(arg));
+ BCOPYOUT((caddr_t)lockp, data, sizeof(*lockp));
+ *lockp = arg;
}
+/* ------------------------------------------------------------------------ */
+/* Function: fr_getstat */
+/* Returns: Nil */
+/* Parameters: fiop(I) - pointer to ipfilter stats structure */
+/* */
+/* Stores a copy of current pointers, counters, etc, in the friostat */
+/* structure. */
+/* ------------------------------------------------------------------------ */
void fr_getstat(fiop)
friostat_t *fiop;
{
+ int i, j;
+
bcopy((char *)frstats, (char *)fiop->f_st, sizeof(filterstats_t) * 2);
- fiop->f_locks[0] = fr_state_lock;
- fiop->f_locks[1] = fr_nat_lock;
- fiop->f_locks[2] = fr_frag_lock;
- fiop->f_locks[3] = fr_auth_lock;
- fiop->f_fin[0] = ipfilter[0][0];
- fiop->f_fin[1] = ipfilter[0][1];
- fiop->f_fout[0] = ipfilter[1][0];
- fiop->f_fout[1] = ipfilter[1][1];
- fiop->f_acctin[0] = ipacct[0][0];
- fiop->f_acctin[1] = ipacct[0][1];
- fiop->f_acctout[0] = ipacct[1][0];
- fiop->f_acctout[1] = ipacct[1][1];
-#ifdef USE_INET6
- fiop->f_fin6[0] = ipfilter6[0][0];
- fiop->f_fin6[1] = ipfilter6[0][1];
- fiop->f_fout6[0] = ipfilter6[1][0];
- fiop->f_fout6[1] = ipfilter6[1][1];
- fiop->f_acctin6[0] = ipacct6[0][0];
- fiop->f_acctin6[1] = ipacct6[0][1];
- fiop->f_acctout6[0] = ipacct6[1][0];
- fiop->f_acctout6[1] = ipacct6[1][1];
-#else
- fiop->f_fin6[0] = NULL;
- fiop->f_fin6[1] = NULL;
- fiop->f_fout6[0] = NULL;
- fiop->f_fout6[1] = NULL;
- fiop->f_acctin6[0] = NULL;
- fiop->f_acctin6[1] = NULL;
- fiop->f_acctout6[0] = NULL;
- fiop->f_acctout6[1] = NULL;
-#endif
+ fiop->f_locks[IPL_LOGSTATE] = fr_state_lock;
+ fiop->f_locks[IPL_LOGNAT] = fr_nat_lock;
+ fiop->f_locks[IPL_LOGIPF] = fr_frag_lock;
+ fiop->f_locks[IPL_LOGAUTH] = fr_auth_lock;
+
+ for (i = 0; i < 2; i++)
+ for (j = 0; j < 2; j++) {
+ fiop->f_ipf[i][j] = ipfilter[i][j];
+ fiop->f_acct[i][j] = ipacct[i][j];
+ fiop->f_ipf6[i][j] = ipfilter6[i][j];
+ fiop->f_acct6[i][j] = ipacct6[i][j];
+ }
+
+ fiop->f_ticks = fr_ticks;
fiop->f_active = fr_active;
- fiop->f_froute[0] = ipl_frouteok[0];
- fiop->f_froute[1] = ipl_frouteok[1];
+ fiop->f_froute[0] = fr_frouteok[0];
+ fiop->f_froute[1] = fr_frouteok[1];
fiop->f_running = fr_running;
- fiop->f_groups[0][0] = ipfgroups[0][0];
- fiop->f_groups[0][1] = ipfgroups[0][1];
- fiop->f_groups[1][0] = ipfgroups[1][0];
- fiop->f_groups[1][1] = ipfgroups[1][1];
- fiop->f_groups[2][0] = ipfgroups[2][0];
- fiop->f_groups[2][1] = ipfgroups[2][1];
+ for (i = 0; i < IPL_LOGSIZE; i++) {
+ fiop->f_groups[i][0] = ipfgroups[i][0];
+ fiop->f_groups[i][1] = ipfgroups[i][1];
+ }
#ifdef IPFILTER_LOG
fiop->f_logging = 1;
#else
fiop->f_logging = 0;
#endif
fiop->f_defpass = fr_pass;
- strncpy(fiop->f_version, ipfilter_version, sizeof(fiop->f_version));
+ fiop->f_features = fr_features;
+ (void) strncpy(fiop->f_version, ipfilter_version,
+ sizeof(fiop->f_version));
}
@@ -2362,77 +3740,2470 @@ int icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
-1, /* 12: ICMP_UNREACH_TOSHOST */
ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
};
+int icmpreplytype6[ICMP6_MAXTYPE + 1];
#endif
+int icmpreplytype4[ICMP_MAXTYPE + 1];
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_matchicmpqueryreply */
+/* Returns: int - 1 if "icmp" is a valid reply to "ic" else 0. */
+/* Parameters: v(I) - IP protocol version (4 or 6) */
+/* ic(I) - ICMP information */
+/* icmp(I) - ICMP packet header */
+/* rev(I) - direction (0 = forward/1 = reverse) of packet */
+/* */
+/* Check if the ICMP packet defined by the header pointed to by icmp is a */
+/* reply to one as described by what's in ic. If it is a match, return 1, */
+/* else return 0 for no match. */
+/* ------------------------------------------------------------------------ */
+int fr_matchicmpqueryreply(v, ic, icmp, rev)
+int v;
+icmpinfo_t *ic;
+icmphdr_t *icmp;
+int rev;
+{
+ int ictype;
-#ifndef _KERNEL
-int mbuflen(buf)
-mb_t *buf;
+ ictype = ic->ici_type;
+
+ if (v == 4) {
+ /*
+ * If we matched its type on the way in, then when going out
+ * it will still be the same type.
+ */
+ if ((!rev && (icmp->icmp_type == ictype)) ||
+ (rev && (icmpreplytype4[ictype] == icmp->icmp_type))) {
+ if (icmp->icmp_type != ICMP_ECHOREPLY)
+ return 1;
+ if (icmp->icmp_id == ic->ici_id)
+ return 1;
+ }
+ }
+#ifdef USE_INET6
+ else if (v == 6) {
+ if ((!rev && (icmp->icmp_type == ictype)) ||
+ (rev && (icmpreplytype6[ictype] == icmp->icmp_type))) {
+ if (icmp->icmp_type != ICMP6_ECHO_REPLY)
+ return 1;
+ if (icmp->icmp_id == ic->ici_id)
+ return 1;
+ }
+ }
+#endif
+ return 0;
+}
+
+
+#ifdef IPFILTER_LOOKUP
+/* ------------------------------------------------------------------------ */
+/* Function: fr_resolvelookup */
+/* Returns: void * - NULL = failure, else success. */
+/* Parameters: type(I) - type of lookup these parameters are for. */
+/* number(I) - table number to use when searching */
+/* funcptr(IO) - pointer to pointer for storing IP address */
+/* searching function. */
+/* */
+/* Search for the "table" number passed in amongst those configured for */
+/* that particular type. If the type is recognised then the function to */
+/* call to do the IP address search will be change, regardless of whether */
+/* or not the "table" number exists. */
+/* ------------------------------------------------------------------------ */
+static void *fr_resolvelookup(type, number, funcptr)
+u_int type, number;
+lookupfunc_t *funcptr;
{
- ip_t *ip;
+ char name[FR_GROUPLEN];
+ iphtable_t *iph;
+ ip_pool_t *ipo;
+ void *ptr;
+
+#if defined(SNPRINTF) && defined(_KERNEL)
+ SNPRINTF(name, sizeof(name), "%u", number);
+#else
+ (void) sprintf(name, "%u", number);
+#endif
+
+ READ_ENTER(&ip_poolrw);
- ip = (ip_t *)buf;
- return ip->ip_len;
+ switch (type)
+ {
+ case IPLT_POOL :
+# if (defined(__osf__) && defined(_KERNEL))
+ ptr = NULL;
+ *funcptr = NULL;
+# else
+ ipo = ip_pool_find(IPL_LOGIPF, name);
+ ptr = ipo;
+ if (ipo != NULL) {
+ ATOMIC_INC32(ipo->ipo_ref);
+ }
+ *funcptr = ip_pool_search;
+# endif
+ break;
+ case IPLT_HASH :
+ iph = fr_findhtable(IPL_LOGIPF, name);
+ ptr = iph;
+ if (iph != NULL) {
+ ATOMIC_INC32(iph->iph_ref);
+ }
+ *funcptr = fr_iphmfindip;
+ break;
+ default:
+ ptr = NULL;
+ *funcptr = NULL;
+ break;
+ }
+ RWLOCK_EXIT(&ip_poolrw);
+
+ return ptr;
}
#endif
-#if defined(_KERNEL) && !defined(__sgi)
-void *ipf_pullup(m, fin, len, ipin)
-mb_t *m;
+/* ------------------------------------------------------------------------ */
+/* Function: frrequest */
+/* Returns: int - 0 == success, > 0 == errno value */
+/* Parameters: unit(I) - device for which this is for */
+/* req(I) - ioctl command (SIOC*) */
+/* data(I) - pointr to ioctl data */
+/* set(I) - 1 or 0 (filter set) */
+/* makecopy(I) - flag indicating whether data points to a rule */
+/* in kernel space & hence doesn't need copying. */
+/* */
+/* This function handles all the requests which operate on the list of */
+/* filter rules. This includes adding, deleting, insertion. It is also */
+/* responsible for creating groups when a "head" rule is loaded. Interface */
+/* names are resolved here and other sanity checks are made on the content */
+/* of the rule structure being loaded. If a rule has user defined timeouts */
+/* then make sure they are created and initialised before exiting. */
+/* ------------------------------------------------------------------------ */
+int frrequest(unit, req, data, set, makecopy)
+int unit;
+ioctlcmd_t req;
+int set, makecopy;
+caddr_t data;
+{
+ frentry_t frd, *fp, *f, **fprev, **ftail;
+ int error = 0, in, v;
+ void *ptr, *uptr;
+ u_int *p, *pp;
+ frgroup_t *fg;
+ char *group;
+
+ fg = NULL;
+ fp = &frd;
+ if (makecopy != 0) {
+ error = fr_inobj(data, fp, IPFOBJ_FRENTRY);
+ if (error)
+ return EFAULT;
+ if ((fp->fr_flags & FR_T_BUILTIN) != 0)
+ return EINVAL;
+ fp->fr_ref = 0;
+ fp->fr_flags |= FR_COPIED;
+ } else {
+ fp = (frentry_t *)data;
+ if ((fp->fr_type & FR_T_BUILTIN) == 0)
+ return EINVAL;
+ fp->fr_flags &= ~FR_COPIED;
+ }
+
+ if (((fp->fr_dsize == 0) && (fp->fr_data != NULL)) ||
+ ((fp->fr_dsize != 0) && (fp->fr_data == NULL)))
+ return EINVAL;
+
+ v = fp->fr_v;
+ uptr = fp->fr_data;
+
+ /*
+ * Only filter rules for IPv4 or IPv6 are accepted.
+ */
+ if (v == 4)
+ /*EMPTY*/;
+#ifdef USE_INET6
+ else if (v == 6)
+ /*EMPTY*/;
+#endif
+ else {
+ return EINVAL;
+ }
+
+ /*
+ * If the rule is being loaded from user space, i.e. we had to copy it
+ * into kernel space, then do not trust the function pointer in the
+ * rule.
+ */
+ if ((makecopy == 1) && (fp->fr_func != NULL)) {
+ if (fr_findfunc(fp->fr_func) == NULL)
+ return ESRCH;
+ error = fr_funcinit(fp);
+ if (error != 0)
+ return error;
+ }
+
+ ptr = NULL;
+ /*
+ * Check that the group number does exist and that its use (in/out)
+ * matches what the rule is.
+ */
+ if (!strncmp(fp->fr_grhead, "0", FR_GROUPLEN))
+ *fp->fr_grhead = '\0';
+ group = fp->fr_group;
+ if (!strncmp(group, "0", FR_GROUPLEN))
+ *group = '\0';
+
+ if (FR_ISACCOUNT(fp->fr_flags))
+ unit = IPL_LOGCOUNT;
+
+ if ((req != (int)SIOCZRLST) && (*group != '\0')) {
+ fg = fr_findgroup(group, unit, set, NULL);
+ if (fg == NULL)
+ return ESRCH;
+ if (fg->fg_flags == 0)
+ fg->fg_flags = fp->fr_flags & FR_INOUT;
+ else if (fg->fg_flags != (fp->fr_flags & FR_INOUT))
+ return ESRCH;
+ }
+
+ in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
+
+ /*
+ * Work out which rule list this change is being applied to.
+ */
+ ftail = NULL;
+ fprev = NULL;
+ if (unit == IPL_LOGAUTH)
+ fprev = &ipauth;
+ else if (v == 4) {
+ if (FR_ISACCOUNT(fp->fr_flags))
+ fprev = &ipacct[in][set];
+ else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
+ fprev = &ipfilter[in][set];
+ } else if (v == 6) {
+ if (FR_ISACCOUNT(fp->fr_flags))
+ fprev = &ipacct6[in][set];
+ else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
+ fprev = &ipfilter6[in][set];
+ }
+ if (fprev == NULL)
+ return ESRCH;
+
+ if (*group != '\0') {
+ if (!fg && !(fg = fr_findgroup(group, unit, set, NULL)))
+ return ESRCH;
+ fprev = &fg->fg_start;
+ }
+
+ for (f = *fprev; (f = *fprev) != NULL; fprev = &f->fr_next)
+ if (fp->fr_collect <= f->fr_collect)
+ break;
+ ftail = fprev;
+
+ /*
+ * Copy in extra data for the rule.
+ */
+ if (fp->fr_dsize != 0) {
+ if (makecopy != 0) {
+ KMALLOCS(ptr, void *, fp->fr_dsize);
+ if (!ptr)
+ return ENOMEM;
+ error = COPYIN(uptr, ptr, fp->fr_dsize);
+ } else {
+ ptr = uptr;
+ error = 0;
+ }
+ if (error != 0) {
+ KFREES(ptr, fp->fr_dsize);
+ return ENOMEM;
+ }
+ fp->fr_data = ptr;
+ } else
+ fp->fr_data = NULL;
+
+ /*
+ * Perform per-rule type sanity checks of their members.
+ */
+ switch (fp->fr_type & ~FR_T_BUILTIN)
+ {
+#if defined(IPFILTER_BPF)
+ case FR_T_BPFOPC :
+ if (fp->fr_dsize == 0)
+ return EINVAL;
+ if (!bpf_validate(ptr, fp->fr_dsize/sizeof(struct bpf_insn))) {
+ if (makecopy && fp->fr_data != NULL) {
+ KFREES(fp->fr_data, fp->fr_dsize);
+ }
+ return EINVAL;
+ }
+ break;
+#endif
+ case FR_T_IPF :
+ if (fp->fr_dsize != sizeof(fripf_t))
+ return EINVAL;
+
+ /*
+ * Allowing a rule with both "keep state" and "with oow" is
+ * pointless because adding a state entry to the table will
+ * fail with the out of window (oow) flag set.
+ */
+ if ((fp->fr_flags & FR_KEEPSTATE) && (fp->fr_flx & FI_OOW))
+ return EINVAL;
+
+ switch (fp->fr_satype)
+ {
+ case FRI_BROADCAST :
+ case FRI_DYNAMIC :
+ case FRI_NETWORK :
+ case FRI_NETMASKED :
+ case FRI_PEERADDR :
+ if (fp->fr_sifpidx < 0 || fp->fr_sifpidx > 3) {
+ if (makecopy && fp->fr_data != NULL) {
+ KFREES(fp->fr_data, fp->fr_dsize);
+ }
+ return EINVAL;
+ }
+ break;
+#ifdef IPFILTER_LOOKUP
+ case FRI_LOOKUP :
+ fp->fr_srcptr = fr_resolvelookup(fp->fr_srctype,
+ fp->fr_srcnum,
+ &fp->fr_srcfunc);
+ break;
+#endif
+ default :
+ break;
+ }
+
+ switch (fp->fr_datype)
+ {
+ case FRI_BROADCAST :
+ case FRI_DYNAMIC :
+ case FRI_NETWORK :
+ case FRI_NETMASKED :
+ case FRI_PEERADDR :
+ if (fp->fr_difpidx < 0 || fp->fr_difpidx > 3) {
+ if (makecopy && fp->fr_data != NULL) {
+ KFREES(fp->fr_data, fp->fr_dsize);
+ }
+ return EINVAL;
+ }
+ break;
+#ifdef IPFILTER_LOOKUP
+ case FRI_LOOKUP :
+ fp->fr_dstptr = fr_resolvelookup(fp->fr_dsttype,
+ fp->fr_dstnum,
+ &fp->fr_dstfunc);
+ break;
+#endif
+ default :
+
+ break;
+ }
+ break;
+ case FR_T_NONE :
+ break;
+ case FR_T_CALLFUNC :
+ break;
+ case FR_T_COMPIPF :
+ break;
+ default :
+ if (makecopy && fp->fr_data != NULL) {
+ KFREES(fp->fr_data, fp->fr_dsize);
+ }
+ return EINVAL;
+ }
+
+ /*
+ * Lookup all the interface names that are part of the rule.
+ */
+ frsynclist(fp, NULL);
+ fp->fr_statecnt = 0;
+
+ /*
+ * Look for an existing matching filter rule, but don't include the
+ * next or interface pointer in the comparison (fr_next, fr_ifa).
+ * This elminates rules which are indentical being loaded. Checksum
+ * the constant part of the filter rule to make comparisons quicker
+ * (this meaning no pointers are included).
+ */
+ for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_func, pp = &fp->fr_cksum;
+ p < pp; p++)
+ fp->fr_cksum += *p;
+ pp = (u_int *)(fp->fr_caddr + fp->fr_dsize);
+ for (p = (u_int *)fp->fr_data; p < pp; p++)
+ fp->fr_cksum += *p;
+
+ WRITE_ENTER(&ipf_mutex);
+ bzero((char *)frcache, sizeof(frcache));
+
+ for (; (f = *ftail) != NULL; ftail = &f->fr_next)
+ if ((fp->fr_cksum == f->fr_cksum) &&
+ (f->fr_dsize == fp->fr_dsize) &&
+ !bcmp((char *)&f->fr_func,
+ (char *)&fp->fr_func, FR_CMPSIZ) &&
+ (!ptr || !f->fr_data ||
+ !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize)))
+ break;
+
+ /*
+ * If zero'ing statistics, copy current to caller and zero.
+ */
+ if (req == (ioctlcmd_t)SIOCZRLST) {
+ if (f == NULL)
+ error = ESRCH;
+ else {
+ /*
+ * Copy and reduce lock because of impending copyout.
+ * Well we should, but if we do then the atomicity of
+ * this call and the correctness of fr_hits and
+ * fr_bytes cannot be guaranteed. As it is, this code
+ * only resets them to 0 if they are successfully
+ * copied out into user space.
+ */
+ bcopy((char *)f, (char *)fp, sizeof(*f));
+ /* MUTEX_DOWNGRADE(&ipf_mutex); */
+
+ /*
+ * When we copy this rule back out, set the data
+ * pointer to be what it was in user space.
+ */
+ fp->fr_data = uptr;
+ error = fr_outobj(data, fp, IPFOBJ_FRENTRY);
+
+ if (error == 0) {
+ if ((f->fr_dsize != 0) && (uptr != NULL))
+ error = COPYOUT(f->fr_data, uptr,
+ f->fr_dsize);
+ if (error == 0) {
+ f->fr_hits = 0;
+ f->fr_bytes = 0;
+ }
+ }
+ }
+
+ if ((ptr != NULL) && (makecopy != 0)) {
+ KFREES(ptr, fp->fr_dsize);
+ }
+ RWLOCK_EXIT(&ipf_mutex);
+ return error;
+ }
+
+ if (!f) {
+ if (req == (ioctlcmd_t)SIOCINAFR ||
+ req == (ioctlcmd_t)SIOCINIFR) {
+ ftail = fprev;
+ if (fp->fr_hits != 0) {
+ while (--fp->fr_hits && (f = *ftail))
+ ftail = &f->fr_next;
+ }
+ f = NULL;
+ ptr = NULL;
+ error = 0;
+ }
+ }
+
+ /*
+ * Request to remove a rule.
+ */
+ if (req == (ioctlcmd_t)SIOCRMAFR || req == (ioctlcmd_t)SIOCRMIFR) {
+ if (!f)
+ error = ESRCH;
+ else {
+ /*
+ * Do not allow activity from user space to interfere
+ * with rules not loaded that way.
+ */
+ if ((makecopy == 1) && !(f->fr_flags & FR_COPIED)) {
+ error = EPERM;
+ goto done;
+ }
+
+ /*
+ * Return EBUSY if the rule is being reference by
+ * something else (eg state information.
+ */
+ if (f->fr_ref > 1) {
+ error = EBUSY;
+ goto done;
+ }
+#ifdef IPFILTER_SCAN
+ if (f->fr_isctag[0] != '\0' &&
+ (f->fr_isc != (struct ipscan *)-1))
+ ipsc_detachfr(f);
+#endif
+ if ((fg != NULL) && (fg->fg_head != NULL))
+ fg->fg_head->fr_ref--;
+ if (unit == IPL_LOGAUTH) {
+ error = fr_preauthcmd(req, f, ftail);
+ goto done;
+ }
+ if (*f->fr_grhead != '\0')
+ fr_delgroup(f->fr_grhead, unit, set);
+ fr_fixskip(fprev, f, -1);
+ *ftail = f->fr_next;
+ f->fr_next = NULL;
+ (void)fr_derefrule(&f);
+ }
+ } else {
+ /*
+ * Not removing, so we must be adding/inserting a rule.
+ */
+ if (f)
+ error = EEXIST;
+ else {
+ if (unit == IPL_LOGAUTH) {
+ error = fr_preauthcmd(req, fp, ftail);
+ goto done;
+ }
+ if (makecopy) {
+ KMALLOC(f, frentry_t *);
+ } else
+ f = fp;
+ if (f != NULL) {
+ if (fg != NULL && fg->fg_head!= NULL )
+ fg->fg_head->fr_ref++;
+ if (fp != f)
+ bcopy((char *)fp, (char *)f,
+ sizeof(*f));
+ MUTEX_NUKE(&f->fr_lock);
+ MUTEX_INIT(&f->fr_lock, "filter rule lock");
+#ifdef IPFILTER_SCAN
+ if (f->fr_isctag[0] != '\0' &&
+ ipsc_attachfr(f))
+ f->fr_isc = (struct ipscan *)-1;
+#endif
+ f->fr_hits = 0;
+ if (makecopy != 0)
+ f->fr_ref = 1;
+ f->fr_next = *ftail;
+ *ftail = f;
+ if (req == (ioctlcmd_t)SIOCINIFR ||
+ req == (ioctlcmd_t)SIOCINAFR)
+ fr_fixskip(fprev, f, 1);
+ f->fr_grp = NULL;
+ group = f->fr_grhead;
+ if (*group != '\0') {
+ fg = fr_addgroup(group, f, f->fr_flags,
+ unit, set);
+ if (fg != NULL)
+ f->fr_grp = &fg->fg_start;
+ }
+ } else
+ error = ENOMEM;
+ }
+ }
+done:
+ RWLOCK_EXIT(&ipf_mutex);
+ if ((ptr != NULL) && (error != 0) && (makecopy != 0)) {
+ KFREES(ptr, fp->fr_dsize);
+ }
+ return (error);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_funcinit */
+/* Returns: int - 0 == success, else ESRCH: cannot resolve rule details */
+/* Parameters: fr(I) - pointer to filter rule */
+/* */
+/* If a rule is a call rule, then check if the function it points to needs */
+/* an init function to be called now the rule has been loaded. */
+/* ------------------------------------------------------------------------ */
+static int fr_funcinit(fr)
+frentry_t *fr;
+{
+ ipfunc_resolve_t *ft;
+ int err;
+
+ err = ESRCH;
+
+ for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
+ if (ft->ipfu_addr == fr->fr_func) {
+ err = 0;
+ if (ft->ipfu_init != NULL)
+ err = (*ft->ipfu_init)(fr);
+ break;
+ }
+ return err;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_findfunc */
+/* Returns: ipfunc_t - pointer to function if found, else NULL */
+/* Parameters: funcptr(I) - function pointer to lookup */
+/* */
+/* Look for a function in the table of known functions. */
+/* ------------------------------------------------------------------------ */
+static ipfunc_t fr_findfunc(funcptr)
+ipfunc_t funcptr;
+{
+ ipfunc_resolve_t *ft;
+
+ for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
+ if (ft->ipfu_addr == funcptr)
+ return funcptr;
+ return NULL;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_resolvefunc */
+/* Returns: int - 0 == success, else error */
+/* Parameters: data(IO) - ioctl data pointer to ipfunc_resolve_t struct */
+/* */
+/* Copy in a ipfunc_resolve_t structure and then fill in the missing field. */
+/* This will either be the function name (if the pointer is set) or the */
+/* function pointer if the name is set. When found, fill in the other one */
+/* so that the entire, complete, structure can be copied back to user space.*/
+/* ------------------------------------------------------------------------ */
+int fr_resolvefunc(data)
+void *data;
+{
+ ipfunc_resolve_t res, *ft;
+
+ BCOPYIN(data, &res, sizeof(res));
+
+ if (res.ipfu_addr == NULL && res.ipfu_name[0] != '\0') {
+ for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
+ if (strncmp(res.ipfu_name, ft->ipfu_name,
+ sizeof(res.ipfu_name)) == 0) {
+ res.ipfu_addr = ft->ipfu_addr;
+ res.ipfu_init = ft->ipfu_init;
+ if (COPYOUT(&res, data, sizeof(res)) != 0)
+ return EFAULT;
+ return 0;
+ }
+ }
+ if (res.ipfu_addr != NULL && res.ipfu_name[0] == '\0') {
+ for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
+ if (ft->ipfu_addr == res.ipfu_addr) {
+ (void) strncpy(res.ipfu_name, ft->ipfu_name,
+ sizeof(res.ipfu_name));
+ res.ipfu_init = ft->ipfu_init;
+ if (COPYOUT(&res, data, sizeof(res)) != 0)
+ return EFAULT;
+ return 0;
+ }
+ }
+ return ESRCH;
+}
+
+
+#if !defined(_KERNEL) || (!defined(__NetBSD__) && !defined(__OpenBSD__) && !defined(__FreeBSD__)) || \
+ (defined(__FreeBSD__) && (__FreeBSD_version < 490000)) || \
+ (defined(__NetBSD__) && (__NetBSD_Version__ < 105000000)) || \
+ (defined(__OpenBSD__) && (OpenBSD < 200006))
+/*
+ * From: NetBSD
+ * ppsratecheck(): packets (or events) per second limitation.
+ */
+int
+ppsratecheck(lasttime, curpps, maxpps)
+ struct timeval *lasttime;
+ int *curpps;
+ int maxpps; /* maximum pps allowed */
+{
+ struct timeval tv, delta;
+ int rv;
+
+ GETKTIME(&tv);
+
+ delta.tv_sec = tv.tv_sec - lasttime->tv_sec;
+ delta.tv_usec = tv.tv_usec - lasttime->tv_usec;
+ if (delta.tv_usec < 0) {
+ delta.tv_sec--;
+ delta.tv_usec += 1000000;
+ }
+
+ /*
+ * check for 0,0 is so that the message will be seen at least once.
+ * if more than one second have passed since the last update of
+ * lasttime, reset the counter.
+ *
+ * we do increment *curpps even in *curpps < maxpps case, as some may
+ * try to use *curpps for stat purposes as well.
+ */
+ if ((lasttime->tv_sec == 0 && lasttime->tv_usec == 0) ||
+ delta.tv_sec >= 1) {
+ *lasttime = tv;
+ *curpps = 0;
+ rv = 1;
+ } else if (maxpps < 0)
+ rv = 1;
+ else if (*curpps < maxpps)
+ rv = 1;
+ else
+ rv = 0;
+ *curpps = *curpps + 1;
+
+ return (rv);
+}
+#endif
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_derefrule */
+/* Returns: int - 0 == rule freed up, else rule not freed */
+/* Parameters: fr(I) - pointer to filter rule */
+/* */
+/* Decrement the reference counter to a rule by one. If it reaches zero, */
+/* free it and any associated storage space being used by it. */
+/* ------------------------------------------------------------------------ */
+int fr_derefrule(frp)
+frentry_t **frp;
+{
+ frentry_t *fr;
+
+ fr = *frp;
+
+ MUTEX_ENTER(&fr->fr_lock);
+ fr->fr_ref--;
+ if (fr->fr_ref == 0) {
+ MUTEX_EXIT(&fr->fr_lock);
+ MUTEX_DESTROY(&fr->fr_lock);
+
+#ifdef IPFILTER_LOOKUP
+ if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP)
+ ip_lookup_deref(fr->fr_srctype, fr->fr_srcptr);
+ if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP)
+ ip_lookup_deref(fr->fr_dsttype, fr->fr_dstptr);
+#endif
+
+ if (fr->fr_dsize) {
+ KFREES(fr->fr_data, fr->fr_dsize);
+ }
+ if ((fr->fr_flags & FR_COPIED) != 0) {
+ KFREE(fr);
+ return 0;
+ }
+ return 1;
+ } else {
+ MUTEX_EXIT(&fr->fr_lock);
+ }
+ *frp = NULL;
+ return -1;
+}
+
+
+#ifdef IPFILTER_LOOKUP
+/* ------------------------------------------------------------------------ */
+/* Function: fr_grpmapinit */
+/* Returns: int - 0 == success, else ESRCH because table entry not found*/
+/* Parameters: fr(I) - pointer to rule to find hash table for */
+/* */
+/* Looks for group hash table fr_arg and stores a pointer to it in fr_ptr. */
+/* fr_ptr is later used by fr_srcgrpmap and fr_dstgrpmap. */
+/* ------------------------------------------------------------------------ */
+static int fr_grpmapinit(fr)
+frentry_t *fr;
+{
+ char name[FR_GROUPLEN];
+ iphtable_t *iph;
+
+#if defined(SNPRINTF) && defined(_KERNEL)
+ SNPRINTF(name, sizeof(name), "%d", fr->fr_arg);
+#else
+ (void) sprintf(name, "%d", fr->fr_arg);
+#endif
+ iph = fr_findhtable(IPL_LOGIPF, name);
+ if (iph == NULL)
+ return ESRCH;
+ if ((iph->iph_flags & FR_INOUT) != (fr->fr_flags & FR_INOUT))
+ return ESRCH;
+ fr->fr_ptr = iph;
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_srcgrpmap */
+/* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
+/* Parameters: fin(I) - pointer to packet information */
+/* passp(IO) - pointer to current/new filter decision (unused) */
+/* */
+/* Look for a rule group head in a hash table, using the source address as */
+/* the key, and descend into that group and continue matching rules against */
+/* the packet. */
+/* ------------------------------------------------------------------------ */
+frentry_t *fr_srcgrpmap(fin, passp)
fr_info_t *fin;
-int len;
-void *ipin;
+u_32_t *passp;
{
-# if SOLARIS
- qif_t *qf = fin->fin_qif;
-# endif
- int out = fin->fin_out, dpoff, ipoff;
- char *ip;
+ frgroup_t *fg;
+ void *rval;
- if (m == NULL)
+ rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, &fin->fin_src);
+ if (rval == NULL)
return NULL;
- ipoff = (char *)ipin - MTOD(m, char *);
- if (fin->fin_dp != NULL)
- dpoff = (char *)fin->fin_dp - (char *)ipin;
+ fg = rval;
+ fin->fin_fr = fg->fg_start;
+ (void) fr_scanlist(fin, *passp);
+ return fin->fin_fr;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_dstgrpmap */
+/* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
+/* Parameters: fin(I) - pointer to packet information */
+/* passp(IO) - pointer to current/new filter decision (unused) */
+/* */
+/* Look for a rule group head in a hash table, using the destination */
+/* address as the key, and descend into that group and continue matching */
+/* rules against the packet. */
+/* ------------------------------------------------------------------------ */
+frentry_t *fr_dstgrpmap(fin, passp)
+fr_info_t *fin;
+u_32_t *passp;
+{
+ frgroup_t *fg;
+ void *rval;
+
+ rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, &fin->fin_dst);
+ if (rval == NULL)
+ return NULL;
+
+ fg = rval;
+ fin->fin_fr = fg->fg_start;
+ (void) fr_scanlist(fin, *passp);
+ return fin->fin_fr;
+}
+#endif /* IPFILTER_LOOKUP */
+
+/*
+ * Queue functions
+ * ===============
+ * These functions manage objects on queues for efficient timeouts. There are
+ * a number of system defined queues as well as user defined timeouts. It is
+ * expected that a lock is held in the domain in which the queue belongs
+ * (i.e. either state or NAT) when calling any of these functions that prevents
+ * fr_freetimeoutqueue() from being called at the same time as any other.
+ */
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_addtimeoutqueue */
+/* Returns: struct ifqtq * - NULL if malloc fails, else pointer to */
+/* timeout queue with given interval. */
+/* Parameters: parent(I) - pointer to pointer to parent node of this list */
+/* of interface queues. */
+/* seconds(I) - timeout value in seconds for this queue. */
+/* */
+/* This routine first looks for a timeout queue that matches the interval */
+/* being requested. If it finds one, increments the reference counter and */
+/* returns a pointer to it. If none are found, it allocates a new one and */
+/* inserts it at the top of the list. */
+/* */
+/* Locking. */
+/* It is assumed that the caller of this function has an appropriate lock */
+/* held (exclusively) in the domain that encompases 'parent'. */
+/* ------------------------------------------------------------------------ */
+ipftq_t *fr_addtimeoutqueue(parent, seconds)
+ipftq_t **parent;
+u_int seconds;
+{
+ ipftq_t *ifq;
+ u_int period;
+
+ period = seconds * IPF_HZ_DIVIDE;
+
+ MUTEX_ENTER(&ipf_timeoutlock);
+ for (ifq = *parent; ifq != NULL; ifq = ifq->ifq_next) {
+ if (ifq->ifq_ttl == period) {
+ /*
+ * Reset the delete flag, if set, so the structure
+ * gets reused rather than freed and reallocated.
+ */
+ MUTEX_ENTER(&ifq->ifq_lock);
+ ifq->ifq_flags &= ~IFQF_DELETE;
+ ifq->ifq_ref++;
+ MUTEX_EXIT(&ifq->ifq_lock);
+ MUTEX_EXIT(&ipf_timeoutlock);
+
+ return ifq;
+ }
+ }
+
+ KMALLOC(ifq, ipftq_t *);
+ if (ifq != NULL) {
+ ifq->ifq_ttl = period;
+ ifq->ifq_head = NULL;
+ ifq->ifq_tail = &ifq->ifq_head;
+ ifq->ifq_next = *parent;
+ ifq->ifq_pnext = parent;
+ ifq->ifq_ref = 1;
+ ifq->ifq_flags = IFQF_USER;
+ *parent = ifq;
+ fr_userifqs++;
+ MUTEX_NUKE(&ifq->ifq_lock);
+ MUTEX_INIT(&ifq->ifq_lock, "ipftq mutex");
+ }
+ MUTEX_EXIT(&ipf_timeoutlock);
+ return ifq;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_deletetimeoutqueue */
+/* Returns: int - new reference count value of the timeout queue */
+/* Parameters: ifq(I) - timeout queue which is losing a reference. */
+/* Locks: ifq->ifq_lock */
+/* */
+/* This routine must be called when we're discarding a pointer to a timeout */
+/* queue object, taking care of the reference counter. */
+/* */
+/* Now that this just sets a DELETE flag, it requires the expire code to */
+/* check the list of user defined timeout queues and call the free function */
+/* below (currently commented out) to stop memory leaking. It is done this */
+/* way because the locking may not be sufficient to safely do a free when */
+/* this function is called. */
+/* ------------------------------------------------------------------------ */
+int fr_deletetimeoutqueue(ifq)
+ipftq_t *ifq;
+{
+
+ ifq->ifq_ref--;
+ if ((ifq->ifq_ref == 0) && ((ifq->ifq_flags & IFQF_USER) != 0)) {
+ ifq->ifq_flags |= IFQF_DELETE;
+ }
+
+ return ifq->ifq_ref;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_freetimeoutqueue */
+/* Parameters: ifq(I) - timeout queue which is losing a reference. */
+/* Returns: Nil */
+/* */
+/* Locking: */
+/* It is assumed that the caller of this function has an appropriate lock */
+/* held (exclusively) in the domain that encompases the callers "domain". */
+/* The ifq_lock for this structure should not be held. */
+/* */
+/* Remove a user definde timeout queue from the list of queues it is in and */
+/* tidy up after this is done. */
+/* ------------------------------------------------------------------------ */
+void fr_freetimeoutqueue(ifq)
+ipftq_t *ifq;
+{
+
+
+ if (((ifq->ifq_flags & IFQF_DELETE) == 0) || (ifq->ifq_ref != 0) ||
+ ((ifq->ifq_flags & IFQF_USER) == 0)) {
+ printf("fr_freetimeoutqueue(%lx) flags 0x%x ttl %d ref %d\n",
+ (u_long)ifq, ifq->ifq_flags, ifq->ifq_ttl,
+ ifq->ifq_ref);
+ return;
+ }
+
+ /*
+ * Remove from its position in the list.
+ */
+ *ifq->ifq_pnext = ifq->ifq_next;
+ if (ifq->ifq_next != NULL)
+ ifq->ifq_next->ifq_pnext = ifq->ifq_pnext;
+
+ MUTEX_DESTROY(&ifq->ifq_lock);
+ fr_userifqs--;
+ KFREE(ifq);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_deletequeueentry */
+/* Returns: Nil */
+/* Parameters: tqe(I) - timeout queue entry to delete */
+/* ifq(I) - timeout queue to remove entry from */
+/* */
+/* Remove a tail queue entry from its queue and make it an orphan. */
+/* fr_deletetimeoutqueue is called to make sure the reference count on the */
+/* queue is correct. We can't, however, call fr_freetimeoutqueue because */
+/* the correct lock(s) may not be held that would make it safe to do so. */
+/* ------------------------------------------------------------------------ */
+void fr_deletequeueentry(tqe)
+ipftqent_t *tqe;
+{
+ ipftq_t *ifq;
+
+ ifq = tqe->tqe_ifq;
+ if (ifq == NULL)
+ return;
+
+ MUTEX_ENTER(&ifq->ifq_lock);
+
+ if (tqe->tqe_pnext != NULL) {
+ *tqe->tqe_pnext = tqe->tqe_next;
+ if (tqe->tqe_next != NULL)
+ tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
+ else /* we must be the tail anyway */
+ ifq->ifq_tail = tqe->tqe_pnext;
+
+ tqe->tqe_pnext = NULL;
+ tqe->tqe_ifq = NULL;
+ }
+
+ (void) fr_deletetimeoutqueue(ifq);
+
+ MUTEX_EXIT(&ifq->ifq_lock);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_queuefront */
+/* Returns: Nil */
+/* Parameters: tqe(I) - pointer to timeout queue entry */
+/* */
+/* Move a queue entry to the front of the queue, if it isn't already there. */
+/* ------------------------------------------------------------------------ */
+void fr_queuefront(tqe)
+ipftqent_t *tqe;
+{
+ ipftq_t *ifq;
+
+ ifq = tqe->tqe_ifq;
+ if (ifq == NULL)
+ return;
+
+ MUTEX_ENTER(&ifq->ifq_lock);
+ if (ifq->ifq_head != tqe) {
+ *tqe->tqe_pnext = tqe->tqe_next;
+ if (tqe->tqe_next)
+ tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
+ else
+ ifq->ifq_tail = tqe->tqe_pnext;
+
+ tqe->tqe_next = ifq->ifq_head;
+ ifq->ifq_head->tqe_pnext = &tqe->tqe_next;
+ ifq->ifq_head = tqe;
+ tqe->tqe_pnext = &ifq->ifq_head;
+ }
+ MUTEX_EXIT(&ifq->ifq_lock);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_queueback */
+/* Returns: Nil */
+/* Parameters: tqe(I) - pointer to timeout queue entry */
+/* */
+/* Move a queue entry to the back of the queue, if it isn't already there. */
+/* ------------------------------------------------------------------------ */
+void fr_queueback(tqe)
+ipftqent_t *tqe;
+{
+ ipftq_t *ifq;
+
+ ifq = tqe->tqe_ifq;
+ if (ifq == NULL)
+ return;
+ tqe->tqe_die = fr_ticks + ifq->ifq_ttl;
+
+ MUTEX_ENTER(&ifq->ifq_lock);
+ if (tqe->tqe_next == NULL) { /* at the end already ? */
+ MUTEX_EXIT(&ifq->ifq_lock);
+ return;
+ }
+
+ /*
+ * Remove from list
+ */
+ *tqe->tqe_pnext = tqe->tqe_next;
+ tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
+
+ /*
+ * Make it the last entry.
+ */
+ tqe->tqe_next = NULL;
+ tqe->tqe_pnext = ifq->ifq_tail;
+ *ifq->ifq_tail = tqe;
+ ifq->ifq_tail = &tqe->tqe_next;
+ MUTEX_EXIT(&ifq->ifq_lock);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_queueappend */
+/* Returns: Nil */
+/* Parameters: tqe(I) - pointer to timeout queue entry */
+/* ifq(I) - pointer to timeout queue */
+/* parent(I) - owing object pointer */
+/* */
+/* Add a new item to this queue and put it on the very end. */
+/* ------------------------------------------------------------------------ */
+void fr_queueappend(tqe, ifq, parent)
+ipftqent_t *tqe;
+ipftq_t *ifq;
+void *parent;
+{
+
+ MUTEX_ENTER(&ifq->ifq_lock);
+ tqe->tqe_parent = parent;
+ tqe->tqe_pnext = ifq->ifq_tail;
+ *ifq->ifq_tail = tqe;
+ ifq->ifq_tail = &tqe->tqe_next;
+ tqe->tqe_next = NULL;
+ tqe->tqe_ifq = ifq;
+ tqe->tqe_die = fr_ticks + ifq->ifq_ttl;
+ ifq->ifq_ref++;
+ MUTEX_EXIT(&ifq->ifq_lock);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_movequeue */
+/* Returns: Nil */
+/* Parameters: tq(I) - pointer to timeout queue information */
+/* oifp(I) - old timeout queue entry was on */
+/* nifp(I) - new timeout queue to put entry on */
+/* */
+/* Move a queue entry from one timeout queue to another timeout queue. */
+/* If it notices that the current entry is already last and does not need */
+/* to move queue, the return. */
+/* ------------------------------------------------------------------------ */
+void fr_movequeue(tqe, oifq, nifq)
+ipftqent_t *tqe;
+ipftq_t *oifq, *nifq;
+{
+ /*
+ * Is the operation here going to be a no-op ?
+ */
+ MUTEX_ENTER(&oifq->ifq_lock);
+ if (oifq == nifq && *oifq->ifq_tail == tqe) {
+ MUTEX_EXIT(&oifq->ifq_lock);
+ return;
+ }
+
+ /*
+ * Remove from the old queue
+ */
+ *tqe->tqe_pnext = tqe->tqe_next;
+ if (tqe->tqe_next)
+ tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
else
- dpoff = 0;
+ oifq->ifq_tail = tqe->tqe_pnext;
+ tqe->tqe_next = NULL;
- if (M_BLEN(m) < len) {
-# if SOLARIS
- qif_t *qf = fin->fin_qif;
- int inc = 0;
-
- if (ipoff > 0) {
- if ((ipoff & 3) != 0) {
- inc = 4 - (ipoff & 3);
- if (m->b_rptr - inc >= m->b_datap->db_base)
- m->b_rptr -= inc;
+ /*
+ * If we're moving from one queue to another, release the lock on the
+ * old queue and get a lock on the new queue. For user defined queues,
+ * if we're moving off it, call delete in case it can now be freed.
+ */
+ if (oifq != nifq) {
+ tqe->tqe_ifq = NULL;
+
+ (void) fr_deletetimeoutqueue(oifq);
+
+ MUTEX_EXIT(&oifq->ifq_lock);
+
+ MUTEX_ENTER(&nifq->ifq_lock);
+
+ tqe->tqe_ifq = nifq;
+ nifq->ifq_ref++;
+ }
+
+ /*
+ * Add to the bottom of the new queue
+ */
+ tqe->tqe_die = fr_ticks + nifq->ifq_ttl;
+ tqe->tqe_pnext = nifq->ifq_tail;
+ *nifq->ifq_tail = tqe;
+ nifq->ifq_tail = &tqe->tqe_next;
+ MUTEX_EXIT(&nifq->ifq_lock);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_updateipid */
+/* Returns: int - 0 == success, -1 == error (packet should be droppped) */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* When we are doing NAT, change the IP of every packet to represent a */
+/* single sequence of packets coming from the host, hiding any host */
+/* specific sequencing that might otherwise be revealed. If the packet is */
+/* a fragment, then store the 'new' IPid in the fragment cache and look up */
+/* the fragment cache for non-leading fragments. If a non-leading fragment */
+/* has no match in the cache, return an error. */
+/* ------------------------------------------------------------------------ */
+static INLINE int fr_updateipid(fin)
+fr_info_t *fin;
+{
+ u_short id, ido, sums;
+ u_32_t sumd, sum;
+ ip_t *ip;
+
+ if (fin->fin_off != 0) {
+ sum = fr_ipid_knownfrag(fin);
+ if (sum == 0xffffffff)
+ return -1;
+ sum &= 0xffff;
+ id = (u_short)sum;
+ } else {
+ id = fr_nextipid(fin);
+ if (fin->fin_off == 0 && (fin->fin_flx & FI_FRAG) != 0)
+ (void) fr_ipid_newfrag(fin, (u_32_t)id);
+ }
+
+ ip = fin->fin_ip;
+ ido = ntohs(ip->ip_id);
+ if (id == ido)
+ return 0;
+ ip->ip_id = htons(id);
+ CALC_SUMD(ido, id, sumd); /* DESTRUCTIVE MACRO! id,ido change */
+ sum = (~ntohs(ip->ip_sum)) & 0xffff;
+ sum += sumd;
+ sum = (sum >> 16) + (sum & 0xffff);
+ sum = (sum >> 16) + (sum & 0xffff);
+ sums = ~(u_short)sum;
+ ip->ip_sum = htons(sums);
+ return 0;
+}
+
+
+#ifdef NEED_FRGETIFNAME
+/* ------------------------------------------------------------------------ */
+/* Function: fr_getifname */
+/* Returns: char * - pointer to interface name */
+/* Parameters: ifp(I) - pointer to network interface */
+/* buffer(O) - pointer to where to store interface name */
+/* */
+/* Constructs an interface name in the buffer passed. The buffer passed is */
+/* expected to be at least LIFNAMSIZ in bytes big. If buffer is passed in */
+/* as a NULL pointer then return a pointer to a static array. */
+/* ------------------------------------------------------------------------ */
+char *fr_getifname(ifp, buffer)
+struct ifnet *ifp;
+char *buffer;
+{
+ static char namebuf[LIFNAMSIZ];
+# if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
+ defined(__sgi) || defined(linux) || \
+ (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
+ int unit, space;
+ char temp[20];
+ char *s;
+# endif
+
+ if (buffer == NULL)
+ buffer = namebuf;
+ (void) strncpy(buffer, ifp->if_name, LIFNAMSIZ);
+ buffer[LIFNAMSIZ - 1] = '\0';
+# if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
+ defined(__sgi) || \
+ (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
+ for (s = buffer; *s; s++)
+ ;
+ unit = ifp->if_unit;
+ space = LIFNAMSIZ - (s - buffer);
+ if (space > 0) {
+# if defined(SNPRINTF) && defined(_KERNEL)
+ SNPRINTF(temp, sizeof(temp), "%d", unit);
+# else
+ (void) sprintf(temp, "%d", unit);
+# endif
+ (void) strncpy(s, temp, space);
+ }
+# endif
+ return buffer;
+}
+#endif
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_ioctlswitch */
+/* Returns: int - -1 continue processing, else ioctl return value */
+/* Parameters: unit(I) - device unit opened */
+/* data(I) - pointer to ioctl data */
+/* cmd(I) - ioctl command */
+/* mode(I) - mode value */
+/* */
+/* Based on the value of unit, call the appropriate ioctl handler or return */
+/* EIO if ipfilter is not running. Also checks if write perms are req'd */
+/* for the device in order to execute the ioctl. */
+/* ------------------------------------------------------------------------ */
+int fr_ioctlswitch(unit, data, cmd, mode)
+int unit, mode;
+ioctlcmd_t cmd;
+void *data;
+{
+ int error = 0;
+
+ switch (unit)
+ {
+ case IPL_LOGIPF :
+ error = -1;
+ break;
+ case IPL_LOGNAT :
+ if (fr_running > 0)
+ error = fr_nat_ioctl(data, cmd, mode);
+ else
+ error = EIO;
+ break;
+ case IPL_LOGSTATE :
+ if (fr_running > 0)
+ error = fr_state_ioctl(data, cmd, mode);
+ else
+ error = EIO;
+ break;
+ case IPL_LOGAUTH :
+ if (fr_running > 0) {
+ if ((cmd == (ioctlcmd_t)SIOCADAFR) ||
+ (cmd == (ioctlcmd_t)SIOCRMAFR)) {
+ if (!(mode & FWRITE)) {
+ error = EPERM;
+ } else {
+ error = frrequest(unit, cmd, data,
+ fr_active, 1);
+ }
+ } else {
+ error = fr_auth_ioctl(data, cmd, mode);
+ }
+ } else
+ error = EIO;
+ break;
+ case IPL_LOGSYNC :
+#ifdef IPFILTER_SYNC
+ if (fr_running > 0)
+ error = fr_sync_ioctl(data, cmd, mode);
+ else
+#endif
+ error = EIO;
+ break;
+ case IPL_LOGSCAN :
+#ifdef IPFILTER_SCAN
+ if (fr_running > 0)
+ error = fr_scan_ioctl(data, cmd, mode);
+ else
+#endif
+ error = EIO;
+ break;
+ case IPL_LOGLOOKUP :
+#ifdef IPFILTER_LOOKUP
+ if (fr_running > 0)
+ error = ip_lookup_ioctl(data, cmd, mode);
+ else
+#endif
+ error = EIO;
+ break;
+ default :
+ error = EIO;
+ break;
+ }
+
+ return error;
+}
+
+
+/*
+ * This array defines the expected size of objects coming into the kernel
+ * for the various recognised object types.
+ */
+#define NUM_OBJ_TYPES 14
+
+static int fr_objbytes[NUM_OBJ_TYPES][2] = {
+ { 1, sizeof(struct frentry) }, /* frentry */
+ { 0, sizeof(struct friostat) },
+ { 0, sizeof(struct fr_info) },
+ { 0, sizeof(struct fr_authstat) },
+ { 0, sizeof(struct ipfrstat) },
+ { 0, sizeof(struct ipnat) },
+ { 0, sizeof(struct natstat) },
+ { 0, sizeof(struct ipstate_save) },
+ { 1, sizeof(struct nat_save) }, /* nat_save */
+ { 0, sizeof(struct natlookup) },
+ { 1, sizeof(struct ipstate) }, /* ipstate */
+ { 0, sizeof(struct ips_stat) },
+ { 0, sizeof(struct frauth) },
+ { 0, sizeof(struct ipftune) }
+};
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_inobj */
+/* Returns: int - 0 = success, else failure */
+/* Parameters: data(I) - pointer to ioctl data */
+/* ptr(I) - pointer to store real data in */
+/* type(I) - type of structure being moved */
+/* */
+/* Copy in the contents of what the ipfobj_t points to. In future, we */
+/* add things to check for version numbers, sizes, etc, to make it backward */
+/* compatible at the ABI for user land. */
+/* ------------------------------------------------------------------------ */
+int fr_inobj(data, ptr, type)
+void *data;
+void *ptr;
+int type;
+{
+ ipfobj_t obj;
+ int error = 0;
+
+ if ((type < 0) || (type > NUM_OBJ_TYPES-1))
+ return EINVAL;
+
+ BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
+
+ if (obj.ipfo_type != type)
+ return EINVAL;
+
+#ifndef IPFILTER_COMPAT
+ if ((fr_objbytes[type][0] & 1) != 0) {
+ if (obj.ipfo_size < fr_objbytes[type][1])
+ return EINVAL;
+ } else if (obj.ipfo_size != fr_objbytes[type][1])
+ return EINVAL;
+#else
+ if (obj.ipfo_rev != IPFILTER_VERSION)
+ /* XXX compatibility hook here */
+ ;
+ if ((fr_objbytes[type][0] & 1) != 0) {
+ if (obj.ipfo_size < fr_objbytes[type][1])
+ /* XXX compatibility hook here */
+ return EINVAL;
+ } else if (obj.ipfo_size != fr_objbytes[type][1])
+ /* XXX compatibility hook here */
+ return EINVAL;
+#endif
+
+ if ((fr_objbytes[type][0] & 1) != 0) {
+ error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr,
+ fr_objbytes[type][1]);
+ } else {
+ error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr,
+ obj.ipfo_size);
+ }
+ return error;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_inobjsz */
+/* Returns: int - 0 = success, else failure */
+/* Parameters: data(I) - pointer to ioctl data */
+/* ptr(I) - pointer to store real data in */
+/* type(I) - type of structure being moved */
+/* sz(I) - size of data to copy */
+/* */
+/* As per fr_inobj, except the size of the object to copy in is passed in */
+/* but it must not be smaller than the size defined for the type and the */
+/* type must allow for varied sized objects. The extra requirement here is */
+/* that sz must match the size of the object being passed in - this is not */
+/* not possible nor required in fr_inobj(). */
+/* ------------------------------------------------------------------------ */
+int fr_inobjsz(data, ptr, type, sz)
+void *data;
+void *ptr;
+int type, sz;
+{
+ ipfobj_t obj;
+ int error;
+
+ if ((type < 0) || (type > NUM_OBJ_TYPES-1))
+ return EINVAL;
+ if (((fr_objbytes[type][0] & 1) == 0) || (sz < fr_objbytes[type][1]))
+ return EINVAL;
+
+ BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
+
+ if (obj.ipfo_type != type)
+ return EINVAL;
+
+#ifndef IPFILTER_COMPAT
+ if (obj.ipfo_size != sz)
+ return EINVAL;
+#else
+ if (obj.ipfo_rev != IPFILTER_VERSION)
+ /* XXX compatibility hook here */
+ ;
+ if (obj.ipfo_size != sz)
+ /* XXX compatibility hook here */
+ return EINVAL;
+#endif
+
+ error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr, sz);
+ return error;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_outobjsz */
+/* Returns: int - 0 = success, else failure */
+/* Parameters: data(I) - pointer to ioctl data */
+/* ptr(I) - pointer to store real data in */
+/* type(I) - type of structure being moved */
+/* sz(I) - size of data to copy */
+/* */
+/* As per fr_outobj, except the size of the object to copy out is passed in */
+/* but it must not be smaller than the size defined for the type and the */
+/* type must allow for varied sized objects. The extra requirement here is */
+/* that sz must match the size of the object being passed in - this is not */
+/* not possible nor required in fr_outobj(). */
+/* ------------------------------------------------------------------------ */
+int fr_outobjsz(data, ptr, type, sz)
+void *data;
+void *ptr;
+int type, sz;
+{
+ ipfobj_t obj;
+ int error;
+
+ if ((type < 0) || (type > NUM_OBJ_TYPES-1) ||
+ ((fr_objbytes[type][0] & 1) == 0) ||
+ (sz < fr_objbytes[type][1]))
+ return EINVAL;
+
+ BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
+
+ if (obj.ipfo_type != type)
+ return EINVAL;
+
+#ifndef IPFILTER_COMPAT
+ if (obj.ipfo_size != sz)
+ return EINVAL;
+#else
+ if (obj.ipfo_rev != IPFILTER_VERSION)
+ /* XXX compatibility hook here */
+ ;
+ if (obj.ipfo_size != sz)
+ /* XXX compatibility hook here */
+ return EINVAL;
+#endif
+
+ error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, sz);
+ return error;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_outobj */
+/* Returns: int - 0 = success, else failure */
+/* Parameters: data(I) - pointer to ioctl data */
+/* ptr(I) - pointer to store real data in */
+/* type(I) - type of structure being moved */
+/* */
+/* Copy out the contents of what ptr is to where ipfobj points to. In */
+/* future, we add things to check for version numbers, sizes, etc, to make */
+/* it backward compatible at the ABI for user land. */
+/* ------------------------------------------------------------------------ */
+int fr_outobj(data, ptr, type)
+void *data;
+void *ptr;
+int type;
+{
+ ipfobj_t obj;
+ int error;
+
+ if ((type < 0) || (type > NUM_OBJ_TYPES-1))
+ return EINVAL;
+
+ BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
+
+ if (obj.ipfo_type != type)
+ return EINVAL;
+
+#ifndef IPFILTER_COMPAT
+ if ((fr_objbytes[type][0] & 1) != 0) {
+ if (obj.ipfo_size < fr_objbytes[type][1])
+ return EINVAL;
+ } else if (obj.ipfo_size != fr_objbytes[type][1])
+ return EINVAL;
+#else
+ if (obj.ipfo_rev != IPFILTER_VERSION)
+ /* XXX compatibility hook here */
+ ;
+ if ((fr_objbytes[type][0] & 1) != 0) {
+ if (obj.ipfo_size < fr_objbytes[type][1])
+ /* XXX compatibility hook here */
+ return EINVAL;
+ } else if (obj.ipfo_size != fr_objbytes[type][1])
+ /* XXX compatibility hook here */
+ return EINVAL;
+#endif
+
+ error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, obj.ipfo_size);
+ return error;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_checkl4sum */
+/* Returns: int - 0 = good, -1 = bad, 1 = cannot check */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* If possible, calculate the layer 4 checksum for the packet. If this is */
+/* not possible, return without indicating a failure or success but in a */
+/* way that is ditinguishable. */
+/* ------------------------------------------------------------------------ */
+int fr_checkl4sum(fin)
+fr_info_t *fin;
+{
+ u_short sum, hdrsum, *csump;
+ udphdr_t *udp;
+ int dosum;
+
+ if ((fin->fin_flx & FI_NOCKSUM) != 0)
+ return 0;
+
+ /*
+ * If the TCP packet isn't a fragment, isn't too short and otherwise
+ * isn't already considered "bad", then validate the checksum. If
+ * this check fails then considered the packet to be "bad".
+ */
+ if ((fin->fin_flx & (FI_FRAG|FI_SHORT|FI_BAD)) != 0)
+ return 1;
+
+ csump = NULL;
+ hdrsum = 0;
+ dosum = 0;
+ sum = 0;
+
+#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
+ if (dohwcksum && ((*fin->fin_mp)->b_ick_flag == ICK_VALID)) {
+ hdrsum = 0;
+ sum = 0;
+ } else {
+#endif
+ switch (fin->fin_p)
+ {
+ case IPPROTO_TCP :
+ csump = &((tcphdr_t *)fin->fin_dp)->th_sum;
+ dosum = 1;
+ break;
+
+ case IPPROTO_UDP :
+ udp = fin->fin_dp;
+ if (udp->uh_sum != 0) {
+ csump = &udp->uh_sum;
+ dosum = 1;
+ }
+ break;
+
+ case IPPROTO_ICMP :
+ csump = &((struct icmp *)fin->fin_dp)->icmp_cksum;
+ dosum = 1;
+ break;
+
+ default :
+ return 1;
+ /*NOTREACHED*/
+ }
+
+ if (csump != NULL)
+ hdrsum = *csump;
+
+ if (dosum)
+ sum = fr_cksum(fin->fin_m, fin->fin_ip,
+ fin->fin_p, fin->fin_dp);
+#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
+ }
+#endif
+#if !defined(_KERNEL)
+ if (sum == hdrsum) {
+ FR_DEBUG(("checkl4sum: %hx == %hx\n", sum, hdrsum));
+ } else {
+ FR_DEBUG(("checkl4sum: %hx != %hx\n", sum, hdrsum));
+ }
+#endif
+ if (hdrsum == sum)
+ return 0;
+ return -1;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_ifpfillv4addr */
+/* Returns: int - 0 = address update, -1 = address not updated */
+/* Parameters: atype(I) - type of network address update to perform */
+/* sin(I) - pointer to source of address information */
+/* mask(I) - pointer to source of netmask information */
+/* inp(I) - pointer to destination address store */
+/* inpmask(I) - pointer to destination netmask store */
+/* */
+/* Given a type of network address update (atype) to perform, copy */
+/* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
+/* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
+/* which case the operation fails. For all values of atype other than */
+/* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
+/* value. */
+/* ------------------------------------------------------------------------ */
+int fr_ifpfillv4addr(atype, sin, mask, inp, inpmask)
+int atype;
+struct sockaddr_in *sin, *mask;
+struct in_addr *inp, *inpmask;
+{
+ if (inpmask != NULL && atype != FRI_NETMASKED)
+ inpmask->s_addr = 0xffffffff;
+
+ if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
+ if (atype == FRI_NETMASKED) {
+ if (inpmask == NULL)
+ return -1;
+ inpmask->s_addr = mask->sin_addr.s_addr;
+ }
+ inp->s_addr = sin->sin_addr.s_addr & mask->sin_addr.s_addr;
+ } else {
+ inp->s_addr = sin->sin_addr.s_addr;
+ }
+ return 0;
+}
+
+
+#ifdef USE_INET6
+/* ------------------------------------------------------------------------ */
+/* Function: fr_ifpfillv6addr */
+/* Returns: int - 0 = address update, -1 = address not updated */
+/* Parameters: atype(I) - type of network address update to perform */
+/* sin(I) - pointer to source of address information */
+/* mask(I) - pointer to source of netmask information */
+/* inp(I) - pointer to destination address store */
+/* inpmask(I) - pointer to destination netmask store */
+/* */
+/* Given a type of network address update (atype) to perform, copy */
+/* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
+/* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
+/* which case the operation fails. For all values of atype other than */
+/* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
+/* value. */
+/* ------------------------------------------------------------------------ */
+int fr_ifpfillv6addr(atype, sin, mask, inp, inpmask)
+int atype;
+struct sockaddr_in6 *sin, *mask;
+struct in_addr *inp, *inpmask;
+{
+ i6addr_t *src, *dst, *and, *dmask;
+
+ src = (i6addr_t *)&sin->sin6_addr;
+ and = (i6addr_t *)&mask->sin6_addr;
+ dst = (i6addr_t *)inp;
+ dmask = (i6addr_t *)inpmask;
+
+ if (inpmask != NULL && atype != FRI_NETMASKED) {
+ dmask->i6[0] = 0xffffffff;
+ dmask->i6[1] = 0xffffffff;
+ dmask->i6[2] = 0xffffffff;
+ dmask->i6[3] = 0xffffffff;
+ }
+
+ if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
+ if (atype == FRI_NETMASKED) {
+ if (inpmask == NULL)
+ return -1;
+ dmask->i6[0] = and->i6[0];
+ dmask->i6[1] = and->i6[1];
+ dmask->i6[2] = and->i6[2];
+ dmask->i6[3] = and->i6[3];
+ }
+
+ dst->i6[0] = src->i6[0] & and->i6[0];
+ dst->i6[1] = src->i6[1] & and->i6[1];
+ dst->i6[2] = src->i6[2] & and->i6[2];
+ dst->i6[3] = src->i6[3] & and->i6[3];
+ } else {
+ dst->i6[0] = src->i6[0];
+ dst->i6[1] = src->i6[1];
+ dst->i6[2] = src->i6[2];
+ dst->i6[3] = src->i6[3];
+ }
+ return 0;
+}
+#endif
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_matchtag */
+/* Returns: 0 == mismatch, 1 == match. */
+/* Parameters: tag1(I) - pointer to first tag to compare */
+/* tag2(I) - pointer to second tag to compare */
+/* */
+/* Returns true (non-zero) or false(0) if the two tag structures can be */
+/* considered to be a match or not match, respectively. The tag is 16 */
+/* bytes long (16 characters) but that is overlayed with 4 32bit ints so */
+/* compare the ints instead, for speed. tag1 is the master of the */
+/* comparison. This function should only be called with both tag1 and tag2 */
+/* as non-NULL pointers. */
+/* ------------------------------------------------------------------------ */
+int fr_matchtag(tag1, tag2)
+ipftag_t *tag1, *tag2;
+{
+ if (tag1 == tag2)
+ return 1;
+
+ if ((tag1->ipt_num[0] == 0) && (tag2->ipt_num[0] == 0))
+ return 1;
+
+ if ((tag1->ipt_num[0] == tag2->ipt_num[0]) &&
+ (tag1->ipt_num[1] == tag2->ipt_num[1]) &&
+ (tag1->ipt_num[2] == tag2->ipt_num[2]) &&
+ (tag1->ipt_num[3] == tag2->ipt_num[3]))
+ return 1;
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_coalesce */
+/* Returns: 1 == success, -1 == failure, 0 == no change */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* Attempt to get all of the packet data into a single, contiguous buffer. */
+/* If this call returns a failure then the buffers have also been freed. */
+/* ------------------------------------------------------------------------ */
+int fr_coalesce(fin)
+fr_info_t *fin;
+{
+ if ((fin->fin_flx & FI_COALESCE) != 0)
+ return 1;
+
+ /*
+ * If the mbuf pointers indicate that there is no mbuf to work with,
+ * return but do not indicate success or failure.
+ */
+ if (fin->fin_m == NULL || fin->fin_mp == NULL)
+ return 0;
+
+#if defined(_KERNEL)
+ if (fr_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) {
+ ATOMIC_INCL(fr_badcoalesces[fin->fin_out]);
+# ifdef MENTAT
+ FREE_MB_T(*fin->fin_mp);
+# endif
+ *fin->fin_mp = NULL;
+ fin->fin_m = NULL;
+ return -1;
+ }
+#else
+ fin = fin; /* LINT */
+#endif
+ return 1;
+}
+
+
+/*
+ * The following table lists all of the tunable variables that can be
+ * accessed via SIOCIPFGET/SIOCIPFSET/SIOCIPFGETNEXt. The format of each row
+ * in the table below is as follows:
+ *
+ * pointer to value, name of value, minimum, maximum, size of the value's
+ * container, value attribute flags
+ *
+ * For convienience, IPFT_RDONLY means the value is read-only, IPFT_WRDISABLED
+ * means the value can only be written to when IPFilter is loaded but disabled.
+ * The obvious implication is if neither of these are set then the value can be
+ * changed at any time without harm.
+ */
+ipftuneable_t ipf_tuneables[] = {
+ /* filtering */
+ { { &fr_flags }, "fr_flags", 0, 0xffffffff,
+ sizeof(fr_flags), 0 },
+ { { &fr_active }, "fr_active", 0, 0,
+ sizeof(fr_active), IPFT_RDONLY },
+ { { &fr_control_forwarding }, "fr_control_forwarding", 0, 1,
+ sizeof(fr_control_forwarding), 0 },
+ { { &fr_update_ipid }, "fr_update_ipid", 0, 1,
+ sizeof(fr_update_ipid), 0 },
+ { { &fr_chksrc }, "fr_chksrc", 0, 1,
+ sizeof(fr_chksrc), 0 },
+ { { &fr_pass }, "fr_pass", 0, 0xffffffff,
+ sizeof(fr_pass), 0 },
+ /* state */
+ { { &fr_tcpidletimeout }, "fr_tcpidletimeout", 1, 0x7fffffff,
+ sizeof(fr_tcpidletimeout), IPFT_WRDISABLED },
+ { { &fr_tcpclosewait }, "fr_tcpclosewait", 1, 0x7fffffff,
+ sizeof(fr_tcpclosewait), IPFT_WRDISABLED },
+ { { &fr_tcplastack }, "fr_tcplastack", 1, 0x7fffffff,
+ sizeof(fr_tcplastack), IPFT_WRDISABLED },
+ { { &fr_tcptimeout }, "fr_tcptimeout", 1, 0x7fffffff,
+ sizeof(fr_tcptimeout), IPFT_WRDISABLED },
+ { { &fr_tcpclosed }, "fr_tcpclosed", 1, 0x7fffffff,
+ sizeof(fr_tcpclosed), IPFT_WRDISABLED },
+ { { &fr_tcphalfclosed }, "fr_tcphalfclosed", 1, 0x7fffffff,
+ sizeof(fr_tcphalfclosed), IPFT_WRDISABLED },
+ { { &fr_udptimeout }, "fr_udptimeout", 1, 0x7fffffff,
+ sizeof(fr_udptimeout), IPFT_WRDISABLED },
+ { { &fr_udpacktimeout }, "fr_udpacktimeout", 1, 0x7fffffff,
+ sizeof(fr_udpacktimeout), IPFT_WRDISABLED },
+ { { &fr_icmptimeout }, "fr_icmptimeout", 1, 0x7fffffff,
+ sizeof(fr_icmptimeout), IPFT_WRDISABLED },
+ { { &fr_icmpacktimeout }, "fr_icmpacktimeout", 1, 0x7fffffff,
+ sizeof(fr_icmpacktimeout), IPFT_WRDISABLED },
+ { { &fr_iptimeout }, "fr_iptimeout", 1, 0x7fffffff,
+ sizeof(fr_iptimeout), IPFT_WRDISABLED },
+ { { &fr_statemax }, "fr_statemax", 1, 0x7fffffff,
+ sizeof(fr_statemax), 0 },
+ { { &fr_statesize }, "fr_statesize", 1, 0x7fffffff,
+ sizeof(fr_statesize), IPFT_WRDISABLED },
+ { { &fr_state_lock }, "fr_state_lock", 0, 1,
+ sizeof(fr_state_lock), IPFT_RDONLY },
+ { { &fr_state_maxbucket }, "fr_state_maxbucket", 1, 0x7fffffff,
+ sizeof(fr_state_maxbucket), IPFT_WRDISABLED },
+ { { &fr_state_maxbucket_reset }, "fr_state_maxbucket_reset", 0, 1,
+ sizeof(fr_state_maxbucket_reset), IPFT_WRDISABLED },
+ { { &ipstate_logging }, "ipstate_logging", 0, 1,
+ sizeof(ipstate_logging), 0 },
+ /* nat */
+ { { &fr_nat_lock }, "fr_nat_lock", 0, 1,
+ sizeof(fr_nat_lock), IPFT_RDONLY },
+ { { &ipf_nattable_sz }, "ipf_nattable_sz", 1, 0x7fffffff,
+ sizeof(ipf_nattable_sz), IPFT_WRDISABLED },
+ { { &ipf_nattable_max }, "ipf_nattable_max", 1, 0x7fffffff,
+ sizeof(ipf_nattable_max), 0 },
+ { { &ipf_natrules_sz }, "ipf_natrules_sz", 1, 0x7fffffff,
+ sizeof(ipf_natrules_sz), IPFT_WRDISABLED },
+ { { &ipf_rdrrules_sz }, "ipf_rdrrules_sz", 1, 0x7fffffff,
+ sizeof(ipf_rdrrules_sz), IPFT_WRDISABLED },
+ { { &ipf_hostmap_sz }, "ipf_hostmap_sz", 1, 0x7fffffff,
+ sizeof(ipf_hostmap_sz), IPFT_WRDISABLED },
+ { { &fr_nat_maxbucket }, "fr_nat_maxbucket", 1, 0x7fffffff,
+ sizeof(fr_nat_maxbucket), IPFT_WRDISABLED },
+ { { &fr_nat_maxbucket_reset }, "fr_nat_maxbucket_reset", 0, 1,
+ sizeof(fr_nat_maxbucket_reset), IPFT_WRDISABLED },
+ { { &nat_logging }, "nat_logging", 0, 1,
+ sizeof(nat_logging), 0 },
+ { { &fr_defnatage }, "fr_defnatage", 1, 0x7fffffff,
+ sizeof(fr_defnatage), IPFT_WRDISABLED },
+ { { &fr_defnatipage }, "fr_defnatipage", 1, 0x7fffffff,
+ sizeof(fr_defnatipage), IPFT_WRDISABLED },
+ { { &fr_defnaticmpage }, "fr_defnaticmpage", 1, 0x7fffffff,
+ sizeof(fr_defnaticmpage), IPFT_WRDISABLED },
+ /* frag */
+ { { &ipfr_size }, "ipfr_size", 1, 0x7fffffff,
+ sizeof(ipfr_size), IPFT_WRDISABLED },
+ { { &fr_ipfrttl }, "fr_ipfrttl", 1, 0x7fffffff,
+ sizeof(fr_ipfrttl), IPFT_WRDISABLED },
+#ifdef IPFILTER_LOG
+ /* log */
+ { { &ipl_suppress }, "ipl_suppress", 0, 1,
+ sizeof(ipl_suppress), 0 },
+ { { &ipl_buffer_sz }, "ipl_buffer_sz", 0, 0,
+ sizeof(ipl_buffer_sz), IPFT_RDONLY },
+ { { &ipl_logmax }, "ipl_logmax", 0, 0x7fffffff,
+ sizeof(ipl_logmax), IPFT_WRDISABLED },
+ { { &ipl_logall }, "ipl_logall", 0, 1,
+ sizeof(ipl_logall), 0 },
+ { { &ipl_logsize }, "ipl_logsize", 0, 0x80000,
+ sizeof(ipl_logsize), 0 },
+#endif
+ { { NULL }, NULL, 0, 0 }
+};
+
+static ipftuneable_t *ipf_tunelist = NULL;
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_findtunebycookie */
+/* Returns: NULL = search failed, else pointer to tune struct */
+/* Parameters: cookie(I) - cookie value to search for amongst tuneables */
+/* next(O) - pointer to place to store the cookie for the */
+/* "next" tuneable, if it is desired. */
+/* */
+/* This function is used to walk through all of the existing tunables with */
+/* successive calls. It searches the known tunables for the one which has */
+/* a matching value for "cookie" - ie its address. When returning a match, */
+/* the next one to be found may be returned inside next. */
+/* ------------------------------------------------------------------------ */
+static ipftuneable_t *fr_findtunebycookie(cookie, next)
+void *cookie, **next;
+{
+ ipftuneable_t *ta, **tap;
+
+ for (ta = ipf_tuneables; ta->ipft_name != NULL; ta++)
+ if (ta == cookie) {
+ if (next != NULL) {
+ /*
+ * If the next entry in the array has a name
+ * present, then return a pointer to it for
+ * where to go next, else return a pointer to
+ * the dynaminc list as a key to search there
+ * next. This facilitates a weak linking of
+ * the two "lists" together.
+ */
+ if ((ta + 1)->ipft_name != NULL)
+ *next = ta + 1;
else
- inc = 0;
+ *next = &ipf_tunelist;
}
+ return ta;
}
- if (!pullupmsg(m, len + ipoff + inc)) {
- ATOMIC_INCL(frstats[out].fr_pull[1]);
- return NULL;
+
+ for (tap = &ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
+ if (tap == cookie) {
+ if (next != NULL)
+ *next = &ta->ipft_next;
+ return ta;
}
- m->b_rptr += inc;
- ATOMIC_INCL(frstats[out].fr_pull[0]);
- qf->qf_data = MTOD(m, char *) + ipoff;
-# else
- m = m_pullup(m, len);
- *fin->fin_mp = m;
- if (m == NULL) {
- ATOMIC_INCL(frstats[out].fr_pull[1]);
- return NULL;
+
+ if (next != NULL)
+ *next = NULL;
+ return NULL;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_findtunebyname */
+/* Returns: NULL = search failed, else pointer to tune struct */
+/* Parameters: name(I) - name of the tuneable entry to find. */
+/* */
+/* Search the static array of tuneables and the list of dynamic tuneables */
+/* for an entry with a matching name. If we can find one, return a pointer */
+/* to the matching structure. */
+/* ------------------------------------------------------------------------ */
+static ipftuneable_t *fr_findtunebyname(name)
+char *name;
+{
+ ipftuneable_t *ta;
+
+ for (ta = ipf_tuneables; ta->ipft_name != NULL; ta++)
+ if (!strcmp(ta->ipft_name, name)) {
+ return ta;
+ }
+
+ for (ta = ipf_tunelist; ta != NULL; ta = ta->ipft_next)
+ if (!strcmp(ta->ipft_name, name)) {
+ return ta;
}
- ATOMIC_INCL(frstats[out].fr_pull[0]);
-# endif /* SOLARIS */
+
+ return NULL;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_addipftune */
+/* Returns: int - 0 == success, else failure */
+/* Parameters: newtune - pointer to new tune struct to add to tuneables */
+/* */
+/* Appends the tune structure pointer to by "newtune" to the end of the */
+/* current list of "dynamic" tuneable parameters. Once added, the owner */
+/* of the object is not expected to ever change "ipft_next". */
+/* ------------------------------------------------------------------------ */
+int fr_addipftune(newtune)
+ipftuneable_t *newtune;
+{
+ ipftuneable_t *ta, **tap;
+
+ ta = fr_findtunebyname(newtune->ipft_name);
+ if (ta != NULL)
+ return EEXIST;
+
+ for (tap = &ipf_tunelist; *tap != NULL; tap = &(*tap)->ipft_next)
+ ;
+
+ newtune->ipft_next = NULL;
+ *tap = newtune;
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_delipftune */
+/* Returns: int - 0 == success, else failure */
+/* Parameters: oldtune - pointer to tune struct to remove from the list of */
+/* current dynamic tuneables */
+/* */
+/* Search for the tune structure, by pointer, in the list of those that are */
+/* dynamically added at run time. If found, adjust the list so that this */
+/* structure is no longer part of it. */
+/* ------------------------------------------------------------------------ */
+int fr_delipftune(oldtune)
+ipftuneable_t *oldtune;
+{
+ ipftuneable_t *ta, **tap;
+
+ for (tap = &ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
+ if (ta == oldtune) {
+ *tap = oldtune->ipft_next;
+ oldtune->ipft_next = NULL;
+ return 0;
+ }
+
+ return ESRCH;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_ipftune */
+/* Returns: int - 0 == success, else failure */
+/* Parameters: cmd(I) - ioctl command number */
+/* data(I) - pointer to ioctl data structure */
+/* */
+/* Implement handling of SIOCIPFGETNEXT, SIOCIPFGET and SIOCIPFSET. These */
+/* three ioctls provide the means to access and control global variables */
+/* within IPFilter, allowing (for example) timeouts and table sizes to be */
+/* changed without rebooting, reloading or recompiling. The initialisation */
+/* and 'destruction' routines of the various components of ipfilter are all */
+/* each responsible for handling their own values being too big. */
+/* ------------------------------------------------------------------------ */
+int fr_ipftune(cmd, data)
+ioctlcmd_t cmd;
+void *data;
+{
+ ipftuneable_t *ta;
+ ipftune_t tu;
+ void *cookie;
+ int error;
+
+ error = fr_inobj(data, &tu, IPFOBJ_TUNEABLE);
+ if (error != 0)
+ return error;
+
+ tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';
+ cookie = tu.ipft_cookie;
+ ta = NULL;
+
+ switch (cmd)
+ {
+ case SIOCIPFGETNEXT :
+ /*
+ * If cookie is non-NULL, assume it to be a pointer to the last
+ * entry we looked at, so find it (if possible) and return a
+ * pointer to the next one after it. The last entry in the
+ * the table is a NULL entry, so when we get to it, set cookie
+ * to NULL and return that, indicating end of list, erstwhile
+ * if we come in with cookie set to NULL, we are starting anew
+ * at the front of the list.
+ */
+ if (cookie != NULL) {
+ ta = fr_findtunebycookie(cookie, &tu.ipft_cookie);
+ } else {
+ ta = ipf_tuneables;
+ tu.ipft_cookie = ta + 1;
+ }
+ if (ta != NULL) {
+ /*
+ * Entry found, but does the data pointed to by that
+ * row fit in what we can return?
+ */
+ if (ta->ipft_sz > sizeof(tu.ipft_un))
+ return EINVAL;
+
+ tu.ipft_vlong = 0;
+ if (ta->ipft_sz == sizeof(u_long))
+ tu.ipft_vlong = *ta->ipft_plong;
+ else if (ta->ipft_sz == sizeof(u_int))
+ tu.ipft_vint = *ta->ipft_pint;
+ else if (ta->ipft_sz == sizeof(u_short))
+ tu.ipft_vshort = *ta->ipft_pshort;
+ else if (ta->ipft_sz == sizeof(u_char))
+ tu.ipft_vchar = *ta->ipft_pchar;
+
+ tu.ipft_sz = ta->ipft_sz;
+ tu.ipft_min = ta->ipft_min;
+ tu.ipft_max = ta->ipft_max;
+ tu.ipft_flags = ta->ipft_flags;
+ bcopy(ta->ipft_name, tu.ipft_name,
+ MIN(sizeof(tu.ipft_name),
+ strlen(ta->ipft_name) + 1));
+ }
+ error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
+ break;
+
+ case SIOCIPFGET :
+ case SIOCIPFSET :
+ /*
+ * Search by name or by cookie value for a particular entry
+ * in the tuning paramter table.
+ */
+ error = ESRCH;
+ if (cookie != NULL) {
+ ta = fr_findtunebycookie(cookie, NULL);
+ if (ta != NULL)
+ error = 0;
+ } else if (tu.ipft_name[0] != '\0') {
+ ta = fr_findtunebyname(tu.ipft_name);
+ if (ta != NULL)
+ error = 0;
+ }
+ if (error != 0)
+ break;
+
+ if (cmd == (ioctlcmd_t)SIOCIPFGET) {
+ /*
+ * Fetch the tuning parameters for a particular value
+ */
+ tu.ipft_vlong = 0;
+ if (ta->ipft_sz == sizeof(u_long))
+ tu.ipft_vlong = *ta->ipft_plong;
+ else if (ta->ipft_sz == sizeof(u_int))
+ tu.ipft_vint = *ta->ipft_pint;
+ else if (ta->ipft_sz == sizeof(u_short))
+ tu.ipft_vshort = *ta->ipft_pshort;
+ else if (ta->ipft_sz == sizeof(u_char))
+ tu.ipft_vchar = *ta->ipft_pchar;
+ tu.ipft_sz = ta->ipft_sz;
+ tu.ipft_min = ta->ipft_min;
+ tu.ipft_max = ta->ipft_max;
+ tu.ipft_flags = ta->ipft_flags;
+ error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
+
+ } else if (cmd == (ioctlcmd_t)SIOCIPFSET) {
+ /*
+ * Set an internal parameter. The hard part here is
+ * getting the new value safely and correctly out of
+ * the kernel (given we only know its size, not type.)
+ */
+ u_long in;
+
+ if (((ta->ipft_flags & IPFT_WRDISABLED) != 0) &&
+ (fr_running > 0)) {
+ error = EBUSY;
+ break;
+ }
+
+ in = tu.ipft_vlong;
+ if (in < ta->ipft_min || in > ta->ipft_max) {
+ error = EINVAL;
+ break;
+ }
+
+ if (ta->ipft_sz == sizeof(u_long)) {
+ tu.ipft_vlong = *ta->ipft_plong;
+ *ta->ipft_plong = in;
+ } else if (ta->ipft_sz == sizeof(u_int)) {
+ tu.ipft_vint = *ta->ipft_pint;
+ *ta->ipft_pint = (u_int)(in & 0xffffffff);
+ } else if (ta->ipft_sz == sizeof(u_short)) {
+ tu.ipft_vshort = *ta->ipft_pshort;
+ *ta->ipft_pshort = (u_short)(in & 0xffff);
+ } else if (ta->ipft_sz == sizeof(u_char)) {
+ tu.ipft_vchar = *ta->ipft_pchar;
+ *ta->ipft_pchar = (u_char)(in & 0xff);
+ }
+ error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
+ }
+ break;
+
+ default :
+ error = EINVAL;
+ break;
}
- ip = MTOD(m, char *) + ipoff;
- if (fin->fin_dp != NULL)
- fin->fin_dp = (char *)ip + dpoff;
- return ip;
+
+ return error;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_initialise */
+/* Returns: int - 0 == success, < 0 == failure */
+/* Parameters: None. */
+/* */
+/* Call of the initialise functions for all the various subsystems inside */
+/* of IPFilter. If any of them should fail, return immeadiately a failure */
+/* BUT do not try to recover from the error here. */
+/* ------------------------------------------------------------------------ */
+int fr_initialise()
+{
+ int i;
+
+#ifdef IPFILTER_LOG
+ i = fr_loginit();
+ if (i < 0)
+ return -10 + i;
+#endif
+ i = fr_natinit();
+ if (i < 0)
+ return -20 + i;
+
+ i = fr_stateinit();
+ if (i < 0)
+ return -30 + i;
+
+ i = fr_authinit();
+ if (i < 0)
+ return -40 + i;
+
+ i = fr_fraginit();
+ if (i < 0)
+ return -50 + i;
+
+ i = appr_init();
+ if (i < 0)
+ return -60 + i;
+
+#ifdef IPFILTER_SYNC
+ i = ipfsync_init();
+ if (i < 0)
+ return -70 + i;
+#endif
+#ifdef IPFILTER_SCAN
+ i = ipsc_init();
+ if (i < 0)
+ return -80 + i;
+#endif
+#ifdef IPFILTER_LOOKUP
+ i = ip_lookup_init();
+ if (i < 0)
+ return -90 + i;
+#endif
+#ifdef IPFILTER_COMPILED
+ ipfrule_add();
+#endif
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_deinitialise */
+/* Returns: None. */
+/* Parameters: None. */
+/* */
+/* Call all the various subsystem cleanup routines to deallocate memory or */
+/* destroy locks or whatever they've done that they need to now undo. */
+/* The order here IS important as there are some cross references of */
+/* internal data structures. */
+/* ------------------------------------------------------------------------ */
+void fr_deinitialise()
+{
+ fr_fragunload();
+ fr_authunload();
+ fr_natunload();
+ fr_stateunload();
+#ifdef IPFILTER_SCAN
+ fr_scanunload();
+#endif
+ appr_unload();
+
+#ifdef IPFILTER_COMPILED
+ ipfrule_remove();
+#endif
+
+ (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
+ (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
+ (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
+ (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE);
+
+#ifdef IPFILTER_LOOKUP
+ ip_lookup_unload();
+#endif
+
+#ifdef IPFILTER_LOG
+ fr_logunload();
+#endif
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_zerostats */
+/* Returns: int - 0 = success, else failure */
+/* Parameters: data(O) - pointer to pointer for copying data back to */
+/* */
+/* Copies the current statistics out to userspace and then zero's the */
+/* current ones in the kernel. The lock is only held across the bzero() as */
+/* the copyout may result in paging (ie network activity.) */
+/* ------------------------------------------------------------------------ */
+int fr_zerostats(data)
+caddr_t data;
+{
+ friostat_t fio;
+ int error;
+
+ fr_getstat(&fio);
+ error = copyoutptr(&fio, data, sizeof(fio));
+ if (error)
+ return EFAULT;
+
+ WRITE_ENTER(&ipf_mutex);
+ bzero((char *)frstats, sizeof(*frstats) * 2);
+ RWLOCK_EXIT(&ipf_mutex);
+
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_resolvedest */
+/* Returns: Nil */
+/* Parameters: fdp(IO) - pointer to destination information to resolve */
+/* v(I) - IP protocol version to match */
+/* */
+/* Looks up an interface name in the frdest structure pointed to by fdp and */
+/* if a matching name can be found for the particular IP protocol version */
+/* then store the interface pointer in the frdest struct. If no match is */
+/* found, then set the interface pointer to be -1 as NULL is considered to */
+/* indicate there is no information at all in the structure. */
+/* ------------------------------------------------------------------------ */
+void fr_resolvedest(fdp, v)
+frdest_t *fdp;
+int v;
+{
+ void *ifp;
+
+ ifp = NULL;
+ v = v; /* LINT */
+
+ if (*fdp->fd_ifname != '\0') {
+ ifp = GETIFP(fdp->fd_ifname, v);
+ if (ifp == NULL)
+ ifp = (void *)-1;
+ }
+ fdp->fd_ifp = ifp;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_icmp4errortype */
+/* Returns: int - 1 == success, 0 == failure */
+/* Parameters: icmptype(I) - ICMP type number */
+/* */
+/* Tests to see if the ICMP type number passed is an error type or not. */
+/* ------------------------------------------------------------------------ */
+int fr_icmp4errortype(icmptype)
+int icmptype;
+{
+
+ switch (icmptype)
+ {
+ case ICMP_SOURCEQUENCH :
+ case ICMP_PARAMPROB :
+ case ICMP_REDIRECT :
+ case ICMP_TIMXCEED :
+ case ICMP_UNREACH :
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_resolvenic */
+/* Returns: void* - NULL = wildcard name, -1 = failed to find NIC, else */
+/* pointer to interface structure for NIC */
+/* Parameters: name(I) - complete interface name */
+/* v(I) - IP protocol version */
+/* */
+/* Look for a network interface structure that firstly has a matching name */
+/* to that passed in and that is also being used for that IP protocol */
+/* version (necessary on some platforms where there are separate listings */
+/* for both IPv4 and IPv6 on the same physical NIC. */
+/* */
+/* One might wonder why name gets terminated with a \0 byte in here. The */
+/* reason is an interface name could get into the kernel structures of ipf */
+/* in any number of ways and so long as they all use the same sized array */
+/* to put the name in, it makes sense to ensure it gets null terminated */
+/* before it is used for its intended purpose - finding its match in the */
+/* kernel's list of configured interfaces. */
+/* */
+/* NOTE: This SHOULD ONLY be used with IPFilter structures that have an */
+/* array for the name that is LIFNAMSIZ bytes (at least) in length. */
+/* ------------------------------------------------------------------------ */
+void *fr_resolvenic(name, v)
+char *name;
+int v;
+{
+ void *nic;
+
+ if (name[0] == '\0')
+ return NULL;
+
+ if ((name[1] == '\0') && ((name[0] == '-') || (name[0] == '*'))) {
+ return NULL;
+ }
+
+ name[LIFNAMSIZ - 1] = '\0';
+
+ nic = GETIFP(name, v);
+ if (nic == NULL)
+ nic = (void *)-1;
+ return nic;
}
-#endif /* _KERNEL */
diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c
index 566f2039df97..a1e029af7e55 100644
--- a/sys/contrib/ipfilter/netinet/ip_auth.c
+++ b/sys/contrib/ipfilter/netinet/ip_auth.c
@@ -1,39 +1,49 @@
+/* $FreeBSD$ */
+
/*
- * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
+ * Copyright (C) 1998-2003 by Darren Reed & Guido van Rooij.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
+#if defined(KERNEL) || defined(_KERNEL)
+# undef KERNEL
+# undef _KERNEL
+# define KERNEL 1
+# define _KERNEL 1
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
-#if !defined(_KERNEL) && !defined(KERNEL)
+#if !defined(_KERNEL)
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
+# define _KERNEL
+# ifdef __OpenBSD__
+struct file;
+# endif
+# include <sys/uio.h>
+# undef _KERNEL
#endif
-#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
+#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
# include <sys/fcntl.h>
#else
# include <sys/ioctl.h>
#endif
-#ifndef linux
+#if !defined(linux)
# include <sys/protosw.h>
#endif
#include <sys/socket.h>
-#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
+#if defined(_KERNEL)
# include <sys/systm.h>
-#endif
-#if !defined(__SVR4) && !defined(__svr4__)
-# ifndef linux
+# if !defined(__SVR4) && !defined(__svr4__) && !defined(linux)
# include <sys/mbuf.h>
# endif
-#else
+#endif
+#if defined(__SVR4) || defined(__svr4__)
# include <sys/filio.h>
# include <sys/byteorder.h>
# ifdef _KERNEL
@@ -48,6 +58,9 @@
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
# include <machine/cpu.h>
#endif
+#if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
+# include <sys/proc.h>
+#endif
#include <net/if.h>
#ifdef sun
# include <net/af.h>
@@ -56,28 +69,29 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
-#ifndef KERNEL
+#if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi)
# define KERNEL
+# define _KERNEL
# define NOT_KERNEL
#endif
-#ifndef linux
+#if !defined(linux)
# include <netinet/ip_var.h>
#endif
#ifdef NOT_KERNEL
+# undef _KERNEL
# undef KERNEL
#endif
-#ifdef __sgi
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-# include <sys/hashing.h>
-# endif
-#endif
#include <netinet/tcp.h>
-#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
+#if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */
extern struct ifqueue ipintrq; /* ip packet input queue */
#else
-# ifndef linux
+# if !defined(__hpux) && !defined(linux)
# if __FreeBSD_version >= 300000
# include <net/if_var.h>
+# if __FreeBSD_version >= 500042
+# define IF_QFULL _IF_QFULL
+# define IF_DROP _IF_DROP
+# endif /* __FreeBSD_version >= 500042 */
# endif
# include <netinet/in_var.h>
# include <netinet/tcp_fsm.h>
@@ -89,7 +103,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#include <netinet/tcpip.h>
#include "netinet/ip_fil.h"
#include "netinet/ip_auth.h"
-#if !SOLARIS && !defined(linux)
+#if !defined(MENTAT) && !defined(linux)
# include <net/netisr.h>
# ifdef __FreeBSD__
# include <machine/cpufunc.h>
@@ -97,58 +111,89 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#endif
#if (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
-# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
+# if defined(_KERNEL) && !defined(IPFILTER_LKM)
# include <sys/libkern.h>
# include <sys/systm.h>
# endif
#endif
+/* END OF INCLUDES */
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.26 2003/09/22 12:37:04 darrenr Exp $";
+static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.73.2.3 2004/08/26 11:25:21 darrenr Exp";
#endif
-#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T ipf_auth, ipf_mutex;
-extern kmutex_t ipf_authmx;
-# if SOLARIS
+#if SOLARIS
extern kcondvar_t ipfauthwait;
-# endif
-#endif
-#ifdef linux
-static struct wait_queue *ipfauthwait = NULL;
+#endif /* SOLARIS */
+#if defined(linux) && defined(_KERNEL)
+wait_queue_head_t fr_authnext_linux;
#endif
int fr_authsize = FR_NUMAUTH;
int fr_authused = 0;
int fr_defaultauthage = 600;
int fr_auth_lock = 0;
+int fr_auth_init = 0;
fr_authstat_t fr_authstats;
-static frauth_t fr_auth[FR_NUMAUTH];
-mb_t *fr_authpkts[FR_NUMAUTH];
-static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
-static frauthent_t *fae_list = NULL;
+static frauth_t *fr_auth = NULL;
+mb_t **fr_authpkts = NULL;
+int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
+frauthent_t *fae_list = NULL;
frentry_t *ipauth = NULL,
*fr_authlist = NULL;
+int fr_authinit()
+{
+ KMALLOCS(fr_auth, frauth_t *, fr_authsize * sizeof(*fr_auth));
+ if (fr_auth != NULL)
+ bzero((char *)fr_auth, fr_authsize * sizeof(*fr_auth));
+ else
+ return -1;
+
+ KMALLOCS(fr_authpkts, mb_t **, fr_authsize * sizeof(*fr_authpkts));
+ if (fr_authpkts != NULL)
+ bzero((char *)fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
+ else
+ return -2;
+
+ MUTEX_INIT(&ipf_authmx, "ipf auth log mutex");
+ RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock");
+#if SOLARIS && defined(_KERNEL)
+ cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL);
+#endif
+#if defined(linux) && defined(_KERNEL)
+ init_waitqueue_head(&fr_authnext_linux);
+#endif
+
+ fr_auth_init = 1;
+
+ return 0;
+}
+
+
/*
* Check if a packet has authorization. If the packet is found to match an
* authorization result and that would result in a feedback loop (i.e. it
* will end up returning FR_AUTH) then return FR_BLOCK instead.
*/
-u_32_t fr_checkauth(ip, fin)
-ip_t *ip;
+frentry_t *fr_checkauth(fin, passp)
fr_info_t *fin;
+u_32_t *passp;
{
- u_short id = ip->ip_id;
frentry_t *fr;
frauth_t *fra;
u_32_t pass;
+ u_short id;
+ ip_t *ip;
int i;
if (fr_auth_lock || !fr_authused)
- return 0;
+ return NULL;
+
+ ip = fin->fin_ip;
+ id = ip->ip_id;
READ_ENTER(&ipf_auth);
for (i = fr_authstart; i != fr_authend; ) {
@@ -163,7 +208,7 @@ fr_info_t *fin;
/*
* Avoid feedback loop.
*/
- if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
+ if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass)))
pass = FR_BLOCK;
/*
* Create a dummy rule for the stateful checking to
@@ -171,26 +216,26 @@ fr_info_t *fin;
* trust from userland!
*/
if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
- (fin->fin_fi.fi_fl & FI_FRAG))) {
+ (fin->fin_flx & FI_FRAG))) {
KMALLOC(fr, frentry_t *);
if (fr) {
bcopy((char *)fra->fra_info.fin_fr,
- fr, sizeof(*fr));
+ (char *)fr, sizeof(*fr));
fr->fr_grp = NULL;
fr->fr_ifa = fin->fin_ifp;
fr->fr_func = NULL;
fr->fr_ref = 1;
fr->fr_flags = pass;
-#if BSD >= 199306
- fr->fr_oifa = NULL;
-#endif
+ fr->fr_ifas[1] = NULL;
+ fr->fr_ifas[2] = NULL;
+ fr->fr_ifas[3] = NULL;
}
} else
fr = fra->fra_info.fin_fr;
fin->fin_fr = fr;
RWLOCK_EXIT(&ipf_auth);
WRITE_ENTER(&ipf_auth);
- if (fr && fr != fra->fra_info.fin_fr) {
+ if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) {
fr->fr_next = fr_authlist;
fr_authlist = fr;
}
@@ -201,7 +246,7 @@ fr_info_t *fin;
while (fra->fra_index == -1) {
i++;
fra++;
- if (i == FR_NUMAUTH) {
+ if (i == fr_authsize) {
i = 0;
fra = fr_auth;
}
@@ -215,15 +260,19 @@ fr_info_t *fin;
}
}
RWLOCK_EXIT(&ipf_auth);
- return pass;
+ if (passp != NULL)
+ *passp = pass;
+ ATOMIC_INC64(fr_authstats.fas_hits);
+ return fr;
}
i++;
- if (i == FR_NUMAUTH)
+ if (i == fr_authsize)
i = 0;
}
fr_authstats.fas_miss++;
RWLOCK_EXIT(&ipf_auth);
- return 0;
+ ATOMIC_INC64(fr_authstats.fas_miss);
+ return NULL;
}
@@ -232,15 +281,17 @@ fr_info_t *fin;
* If we do, store it and wake up any user programs which are waiting to
* hear about these events.
*/
-int fr_newauth(m, fin, ip)
+int fr_newauth(m, fin)
mb_t *m;
fr_info_t *fin;
-ip_t *ip;
{
-#if defined(_KERNEL) && SOLARIS
- qif_t *qif = fin->fin_qif;
+#if defined(_KERNEL) && defined(MENTAT)
+ qpktinfo_t *qpi = fin->fin_qpi;
#endif
frauth_t *fra;
+#if !defined(sparc) && !defined(m68k)
+ ip_t *ip;
+#endif
int i;
if (fr_auth_lock)
@@ -252,7 +303,7 @@ ip_t *ip;
RWLOCK_EXIT(&ipf_auth);
return 0;
} else {
- if (fr_authused == FR_NUMAUTH) {
+ if (fr_authused == fr_authsize) {
fr_authstats.fas_nospace++;
RWLOCK_EXIT(&ipf_auth);
return 0;
@@ -262,21 +313,24 @@ ip_t *ip;
fr_authstats.fas_added++;
fr_authused++;
i = fr_authend++;
- if (fr_authend == FR_NUMAUTH)
+ if (fr_authend == fr_authsize)
fr_authend = 0;
RWLOCK_EXIT(&ipf_auth);
+
fra = fr_auth + i;
fra->fra_index = i;
fra->fra_pass = 0;
fra->fra_age = fr_defaultauthage;
bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
-#if SOLARIS && defined(_KERNEL)
-# if !defined(sparc)
+#if !defined(sparc) && !defined(m68k)
/*
* No need to copyback here as we want to undo the changes, not keep
* them.
*/
- if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
+ ip = fin->fin_ip;
+# if defined(MENTAT) && defined(_KERNEL)
+ if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4))
+# endif
{
register u_short bo;
@@ -285,42 +339,42 @@ ip_t *ip;
bo = ip->ip_off;
ip->ip_off = htons(bo);
}
-# endif
- m->b_rptr -= qif->qf_off;
+#endif
+#if SOLARIS && defined(_KERNEL)
+ m->b_rptr -= qpi->qpi_off;
fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
- fra->fra_q = qif->qf_q;
+ fra->fra_q = qpi->qpi_q; /* The queue can disappear! */
cv_signal(&ipfauthwait);
#else
# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
- if (fin->fin_out == 0) {
+ if (!fin->fin_out) {
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
}
# endif
fr_authpkts[i] = m;
- WAKEUP(&fr_authnext);
+ WAKEUP(&fr_authnext,0);
#endif
return 1;
}
-int fr_auth_ioctl(data, mode, cmd)
+int fr_auth_ioctl(data, cmd, mode)
caddr_t data;
+ioctlcmd_t cmd;
int mode;
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
-u_long cmd;
-#else
-int cmd;
-#endif
{
mb_t *m;
-#if defined(_KERNEL) && !SOLARIS && \
+#if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \
(!defined(__FreeBSD_version) || (__FreeBSD_version < 501000))
struct ifqueue *ifq;
+# ifdef USE_SPL
int s;
+# endif /* USE_SPL */
#endif
frauth_t auth, *au = &auth, *fra;
- int i, error = 0;
+ int i, error = 0, len;
+ char *t;
switch (cmd)
{
@@ -329,81 +383,119 @@ int cmd;
error = EPERM;
break;
}
- error = fr_lock(data, &fr_auth_lock);
- break;
- case SIOCINIFR :
- case SIOCRMIFR :
- case SIOCADIFR :
- error = EINVAL;
- break;
- case SIOCINAFR :
- error = EINVAL;
- break;
- case SIOCRMAFR :
- case SIOCADAFR :
- /* These commands go via request to fr_preauthcmd */
- error = EINVAL;
+ fr_lock(data, &fr_auth_lock);
break;
+
case SIOCATHST:
fr_authstats.fas_faelist = fae_list;
- error = IWCOPYPTR((char *)&fr_authstats, data,
- sizeof(fr_authstats));
+ error = fr_outobj(data, &fr_authstats, IPFOBJ_AUTHSTAT);
break;
+
+ case SIOCIPFFL:
+ SPL_NET(s);
+ WRITE_ENTER(&ipf_auth);
+ i = fr_authflush();
+ RWLOCK_EXIT(&ipf_auth);
+ SPL_X(s);
+ error = copyoutptr((char *)&i, data, sizeof(i));
+ break;
+
case SIOCAUTHW:
- if (!(mode & FWRITE)) {
- error = EPERM;
- break;
- }
fr_authioctlloop:
+ error = fr_inobj(data, au, IPFOBJ_FRAUTH);
READ_ENTER(&ipf_auth);
if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
- error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
- sizeof(frauth_t));
+ error = fr_outobj(data, &fr_auth[fr_authnext],
+ IPFOBJ_FRAUTH);
+ if (auth.fra_len != 0 && auth.fra_buf != NULL) {
+ /*
+ * Copy packet contents out to user space if
+ * requested. Bail on an error.
+ */
+ m = fr_authpkts[fr_authnext];
+ len = MSGDSIZE(m);
+ if (len > auth.fra_len)
+ len = auth.fra_len;
+ auth.fra_len = len;
+ for (t = auth.fra_buf; m && (len > 0); ) {
+ i = MIN(M_LEN(m), len);
+ error = copyoutptr(MTOD(m, char *),
+ t, i);
+ len -= i;
+ t += i;
+ if (error != 0)
+ break;
+ }
+ }
RWLOCK_EXIT(&ipf_auth);
- if (error)
+ if (error != 0)
break;
- WRITE_ENTER(&ipf_auth);
SPL_NET(s);
+ WRITE_ENTER(&ipf_auth);
fr_authnext++;
- if (fr_authnext == FR_NUMAUTH)
+ if (fr_authnext == fr_authsize)
fr_authnext = 0;
- SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
+ SPL_X(s);
return 0;
}
RWLOCK_EXIT(&ipf_auth);
+ /*
+ * We exit ipf_global here because a program that enters in
+ * here will have a lock on it and goto sleep having this lock.
+ * If someone were to do an 'ipf -D' the system would then
+ * deadlock. The catch with releasing it here is that the
+ * caller of this function expects it to be held when we
+ * return so we have to reacquire it in here.
+ */
+ RWLOCK_EXIT(&ipf_global);
+
+ MUTEX_ENTER(&ipf_authmx);
#ifdef _KERNEL
# if SOLARIS
- mutex_enter(&ipf_authmx);
- if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
- mutex_exit(&ipf_authmx);
- return EINTR;
+ error = 0;
+ if (!cv_wait_sig(&ipfauthwait, &ipf_authmx.ipf_lk))
+ error = EINTR;
+# else /* SOLARIS */
+# ifdef __hpux
+ {
+ lock_t *l;
+
+ l = get_sleep_lock(&fr_authnext);
+ error = sleep(&fr_authnext, PZERO+1);
+ spinunlock(l);
}
- mutex_exit(&ipf_authmx);
-# else
+# else
+# ifdef __osf__
+ error = mpsleep(&fr_authnext, PSUSP|PCATCH, "fr_authnext", 0,
+ &ipf_authmx, MS_LOCK_SIMPLE);
+# else
error = SLEEP(&fr_authnext, "fr_authnext");
-# endif
+# endif /* __osf__ */
+# endif /* __hpux */
+# endif /* SOLARIS */
#endif
- if (!error)
+ MUTEX_EXIT(&ipf_authmx);
+ READ_ENTER(&ipf_global);
+ if (error == 0) {
+ READ_ENTER(&ipf_auth);
goto fr_authioctlloop;
+ }
break;
+
case SIOCAUTHR:
- if (!(mode & FWRITE)) {
- error = EPERM;
- break;
- }
- error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
- if (error)
+ error = fr_inobj(data, &auth, IPFOBJ_FRAUTH);
+ if (error != 0)
return error;
- WRITE_ENTER(&ipf_auth);
SPL_NET(s);
+ WRITE_ENTER(&ipf_auth);
i = au->fra_index;
fra = fr_auth + i;
- if ((i < 0) || (i > FR_NUMAUTH) ||
+ if ((i < 0) || (i >= fr_authsize) ||
(fra->fra_info.fin_id != au->fra_info.fin_id)) {
- SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
- return EINVAL;
+ SPL_X(s);
+ return ESRCH;
}
m = fr_authpkts[i];
fra->fra_index = -2;
@@ -411,63 +503,67 @@ fr_authioctlloop:
fr_authpkts[i] = NULL;
RWLOCK_EXIT(&ipf_auth);
#ifdef _KERNEL
- if (m && au->fra_info.fin_out) {
-# if SOLARIS
- error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;
-# else /* SOLARIS */
- struct route ro;
-
- bzero((char *)&ro, sizeof(ro));
-# if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
- defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605)) || \
- (__FreeBSD_version >= 470102)
- error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
- NULL);
+ if ((m != NULL) && (au->fra_info.fin_out != 0)) {
+# ifdef MENTAT
+ error = !putq(fra->fra_q, m);
+# else /* MENTAT */
+# ifdef linux
# else
- error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
-# endif
- if (ro.ro_rt) {
- RTFREE(ro.ro_rt);
- }
-# endif /* SOLARIS */
- if (error)
+# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) || \
+ (defined(__sgi) && (IRIX >= 60500) || \
+ (defined(__FreeBSD__) && (__FreeBSD_version >= 470102)))
+ error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
+ NULL);
+# else
+ error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
+# endif
+# endif /* Linux */
+# endif /* MENTAT */
+ if (error != 0)
fr_authstats.fas_sendfail++;
else
fr_authstats.fas_sendok++;
} else if (m) {
-# if SOLARIS
- error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0;
-# else /* SOLARIS */
-# if __FreeBSD_version >= 501104
- netisr_dispatch(NETISR_IP, m);
+# ifdef MENTAT
+ error = !putq(fra->fra_q, m);
+# else /* MENTAT */
+# ifdef linux
# else
+# if __FreeBSD_version >= 501000
+ netisr_dispatch(NETISR_IP, m);
+# else
+# if IRIX >= 60516
+ ifq = &((struct ifnet *)fra->fra_info.fin_ifp)->if_snd;
+# else
ifq = &ipintrq;
+# endif
if (IF_QFULL(ifq)) {
IF_DROP(ifq);
- m_freem(m);
+ FREE_MB_T(m);
error = ENOBUFS;
} else {
IF_ENQUEUE(ifq, m);
-# if IRIX < 605
+# if IRIX < 60500
schednetisr(NETISR_IP);
-# endif
+# endif
}
-# endif
-# endif /* SOLARIS */
- if (error)
+# endif
+# endif /* Linux */
+# endif /* MENTAT */
+ if (error != 0)
fr_authstats.fas_quefail++;
else
fr_authstats.fas_queok++;
} else
error = EINVAL;
-# if SOLARIS
- if (error)
+# ifdef MENTAT
+ if (error != 0)
error = EINVAL;
-# else
+# else /* MENTAT */
/*
* If we experience an error which will result in the packet
* not being processed, make sure we advance to the next one.
- */
+ */
if (error == ENOBUFS) {
fr_authused--;
fra->fra_index = -1;
@@ -475,7 +571,7 @@ fr_authioctlloop:
if (i == fr_authstart) {
while (fra->fra_index == -1) {
i++;
- if (i == FR_NUMAUTH)
+ if (i == fr_authsize)
i = 0;
fr_authstart = i;
if (i == fr_authend)
@@ -487,10 +583,11 @@ fr_authioctlloop:
}
}
}
-# endif
+# endif /* MENTAT */
#endif /* _KERNEL */
SPL_X(s);
break;
+
default :
error = EINVAL;
break;
@@ -509,41 +606,48 @@ void fr_authunload()
frentry_t *fr, **frp;
mb_t *m;
- WRITE_ENTER(&ipf_auth);
- for (i = 0; i < FR_NUMAUTH; i++) {
- if ((m = fr_authpkts[i])) {
- FREE_MB_T(m);
- fr_authpkts[i] = NULL;
- fr_auth[i].fra_index = -1;
- }
+ if (fr_auth != NULL) {
+ KFREES(fr_auth, fr_authsize * sizeof(*fr_auth));
+ fr_auth = NULL;
}
+ if (fr_authpkts != NULL) {
+ for (i = 0; i < fr_authsize; i++) {
+ m = fr_authpkts[i];
+ if (m != NULL) {
+ FREE_MB_T(m);
+ fr_authpkts[i] = NULL;
+ }
+ }
+ KFREES(fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
+ fr_authpkts = NULL;
+ }
- for (faep = &fae_list; (fae = *faep); ) {
+ faep = &fae_list;
+ while ((fae = *faep) != NULL) {
*faep = fae->fae_next;
KFREE(fae);
}
ipauth = NULL;
- RWLOCK_EXIT(&ipf_auth);
- if (fr_authlist) {
- /*
- * We *MuST* reget ipf_auth because otherwise we won't get the
- * locks in the right order and risk deadlock.
- * We need ipf_mutex here to prevent a rule from using it
- * inside fr_check().
- */
- WRITE_ENTER(&ipf_mutex);
- WRITE_ENTER(&ipf_auth);
- for (frp = &fr_authlist; (fr = *frp); ) {
+ if (fr_authlist != NULL) {
+ for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
if (fr->fr_ref == 1) {
*frp = fr->fr_next;
KFREE(fr);
} else
frp = &fr->fr_next;
}
- RWLOCK_EXIT(&ipf_auth);
- RWLOCK_EXIT(&ipf_mutex);
+ }
+
+ if (fr_auth_init == 1) {
+# if SOLARIS && defined(_KERNEL)
+ cv_destroy(&ipfauthwait);
+# endif
+ MUTEX_DESTROY(&ipf_authmx);
+ RW_DESTROY(&ipf_auth);
+
+ fr_auth_init = 0;
}
}
@@ -559,17 +663,18 @@ void fr_authexpire()
register frauthent_t *fae, **faep;
register frentry_t *fr, **frp;
mb_t *m;
-#if !SOLARIS && defined(_KERNEL)
+# if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL)
int s;
-#endif
+# endif
if (fr_auth_lock)
return;
SPL_NET(s);
WRITE_ENTER(&ipf_auth);
- for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
- if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
+ for (i = 0, fra = fr_auth; i < fr_authsize; i++, fra++) {
+ fra->fra_age--;
+ if ((fra->fra_age == 0) && (m = fr_authpkts[i])) {
FREE_MB_T(m);
fr_authpkts[i] = NULL;
fr_auth[i].fra_index = -1;
@@ -578,8 +683,9 @@ void fr_authexpire()
}
}
- for (faep = &fae_list; (fae = *faep); ) {
- if (!--fae->fae_age) {
+ for (faep = &fae_list; ((fae = *faep) != NULL); ) {
+ fae->fae_age--;
+ if (fae->fae_age == 0) {
*faep = fae->fae_next;
KFREE(fae);
fr_authstats.fas_expire++;
@@ -591,7 +697,7 @@ void fr_authexpire()
else
ipauth = NULL;
- for (frp = &fr_authlist; (fr = *frp); ) {
+ for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
if (fr->fr_ref == 1) {
*frp = fr->fr_next;
KFREE(fr);
@@ -603,52 +709,48 @@ void fr_authexpire()
}
int fr_preauthcmd(cmd, fr, frptr)
-#if defined(__NetBSD__) || defined(__OpenBSD__) || \
- (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
-u_long cmd;
-#else
-int cmd;
-#endif
+ioctlcmd_t cmd;
frentry_t *fr, **frptr;
{
frauthent_t *fae, **faep;
int error = 0;
-#if defined(KERNEL) && !SOLARIS
+# if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL)
int s;
#endif
- if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
- /* Should not happen */
- printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
+ if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR))
return EIO;
- }
- for (faep = &fae_list; (fae = *faep); )
+ for (faep = &fae_list; ((fae = *faep) != NULL); ) {
if (&fae->fae_fr == fr)
break;
else
faep = &fae->fae_next;
- if (cmd == SIOCRMAFR) {
- if (!fr || !frptr)
+ }
+
+ if (cmd == (ioctlcmd_t)SIOCRMAFR) {
+ if (fr == NULL || frptr == NULL)
error = EINVAL;
- else if (!fae)
+ else if (fae == NULL)
error = ESRCH;
else {
- WRITE_ENTER(&ipf_auth);
SPL_NET(s);
+ WRITE_ENTER(&ipf_auth);
*faep = fae->fae_next;
- *frptr = fr->fr_next;
- SPL_X(s);
+ if (ipauth == &fae->fae_fr)
+ ipauth = fae_list ? &fae_list->fae_fr : NULL;
RWLOCK_EXIT(&ipf_auth);
+ SPL_X(s);
+
KFREE(fae);
}
- } else if (fr && frptr) {
+ } else if (fr != NULL && frptr != NULL) {
KMALLOC(fae, frauthent_t *);
if (fae != NULL) {
bcopy((char *)fr, (char *)&fae->fae_fr,
sizeof(*fr));
- WRITE_ENTER(&ipf_auth);
SPL_NET(s);
+ WRITE_ENTER(&ipf_auth);
fae->fae_age = fr_defaultauthage;
fae->fae_fr.fr_hits = 0;
fae->fae_fr.fr_next = *frptr;
@@ -656,11 +758,47 @@ frentry_t *fr, **frptr;
fae->fae_next = *faep;
*faep = fae;
ipauth = &fae_list->fae_fr;
- SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
+ SPL_X(s);
} else
error = ENOMEM;
} else
error = EINVAL;
return error;
}
+
+
+/*
+ * Flush held packets.
+ * Must already be properly SPL'ed and Locked on &ipf_auth.
+ *
+ */
+int fr_authflush()
+{
+ register int i, num_flushed;
+ mb_t *m;
+
+ if (fr_auth_lock)
+ return -1;
+
+ num_flushed = 0;
+
+ for (i = 0 ; i < fr_authsize; i++) {
+ m = fr_authpkts[i];
+ if (m != NULL) {
+ FREE_MB_T(m);
+ fr_authpkts[i] = NULL;
+ fr_auth[i].fra_index = -1;
+ /* perhaps add & use a flush counter inst.*/
+ fr_authstats.fas_expire++;
+ fr_authused--;
+ num_flushed++;
+ }
+ }
+
+ fr_authstart = 0;
+ fr_authend = 0;
+ fr_authnext = 0;
+
+ return num_flushed;
+}
diff --git a/sys/contrib/ipfilter/netinet/ip_auth.h b/sys/contrib/ipfilter/netinet/ip_auth.h
index e0cbf048f0a5..8e96f39bd5f1 100644
--- a/sys/contrib/ipfilter/netinet/ip_auth.h
+++ b/sys/contrib/ipfilter/netinet/ip_auth.h
@@ -1,9 +1,11 @@
+/* $FreeBSD$ */
+
/*
* Copyright (C) 1997-2001 by Darren Reed & Guido Van Rooij.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ip_auth.h,v 2.3.2.6 2002/10/26 07:03:00 darrenr Exp $
+ * Id: ip_auth.h,v 2.16 2003/07/25 12:29:56 darrenr Exp
*
*/
#ifndef __IP_AUTH_H__
@@ -13,10 +15,12 @@
typedef struct frauth {
int fra_age;
+ int fra_len;
int fra_index;
u_32_t fra_pass;
fr_info_t fra_info;
-#if SOLARIS
+ char *fra_buf;
+#ifdef MENTAT
queue_t *fra_q;
#endif
} frauth_t;
@@ -44,20 +48,19 @@ typedef struct fr_authstat {
extern frentry_t *ipauth;
extern struct fr_authstat fr_authstats;
extern int fr_defaultauthage;
+extern int fr_authstart;
+extern int fr_authend;
extern int fr_authsize;
extern int fr_authused;
extern int fr_auth_lock;
-extern u_32_t fr_checkauth __P((ip_t *, fr_info_t *));
+extern frentry_t *fr_checkauth __P((fr_info_t *, u_32_t *));
extern void fr_authexpire __P((void));
+extern int fr_authinit __P((void));
extern void fr_authunload __P((void));
-extern mb_t *fr_authpkts[];
-extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *));
-#if defined(__NetBSD__) || defined(__OpenBSD__) || \
- (__FreeBSD_version >= 300003)
-extern int fr_preauthcmd __P((u_long, frentry_t *, frentry_t **));
-extern int fr_auth_ioctl __P((caddr_t, int, u_long));
-#else
-extern int fr_preauthcmd __P((int, frentry_t *, frentry_t **));
-extern int fr_auth_ioctl __P((caddr_t, int, int));
-#endif
+extern int fr_authflush __P((void));
+extern mb_t **fr_authpkts;
+extern int fr_newauth __P((mb_t *, fr_info_t *));
+extern int fr_preauthcmd __P((ioctlcmd_t, frentry_t *, frentry_t **));
+extern int fr_auth_ioctl __P((caddr_t, ioctlcmd_t, int));
+
#endif /* __IP_AUTH_H__ */
diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h
index 76744247dda9..dbadfea58136 100644
--- a/sys/contrib/ipfilter/netinet/ip_compat.h
+++ b/sys/contrib/ipfilter/netinet/ip_compat.h
@@ -1,10 +1,12 @@
+/* $FreeBSD$ */
+
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_compat.h 1.8 1/14/96
- * $Id: ip_compat.h,v 2.26.2.52 2004/06/09 00:01:14 darrenr Exp $
+ * Id: ip_compat.h,v 2.142.2.25 2005/03/28 09:33:36 darrenr Exp
*/
#ifndef __IP_COMPAT_H__
@@ -22,25 +24,6 @@
# define const
#endif
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-#if SOLARIS
-# if !defined(SOLARIS2)
-# define SOLARIS2 3 /* Pick an old version */
-# endif
-# if SOLARIS2 >= 8
-# ifndef USE_INET6
-# define USE_INET6
-# endif
-# else
-# undef USE_INET6
-# endif
-#endif
-#if defined(sun) && !(defined(__svr4__) || defined(__SVR4))
-# undef USE_INET6
-#endif
-
#if defined(_KERNEL) || defined(KERNEL) || defined(__KERNEL__)
# undef KERNEL
# undef _KERNEL
@@ -50,27 +33,53 @@
# define __KERNEL__
#endif
-#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
-#define index strchr
-# if !defined(KERNEL)
-# define bzero(a,b) memset(a,0,b)
-# define bcmp memcmp
-# define bcopy(a,b,c) memmove(b,a,c)
+#ifndef SOLARIS
+#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#endif
+#if SOLARIS2 >= 8
+# ifndef USE_INET6
+# define USE_INET6
# endif
#endif
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
+ !defined(_KERNEL) && !defined(USE_INET6) && !defined(NOINET6)
+# define USE_INET6
+#endif
+#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000) && \
+ !defined(_KERNEL) && !defined(USE_INET6)
+# define USE_INET6
+# define IPFILTER_M_IPFILTER
+#endif
+#if defined(OpenBSD) && (OpenBSD >= 200206) && \
+ !defined(_KERNEL) && !defined(USE_INET6)
+# define USE_INET6
+#endif
+#if defined(__osf__)
+# define USE_INET6
+#endif
+#if defined(linux) && (!defined(_KERNEL) || defined(CONFIG_IPV6))
+# define USE_INET6
+#endif
+#if defined(HPUXREV) && (HPUXREV >= 1111)
+# define USE_INET6
+#endif
-#ifndef offsetof
-#define offsetof(t,m) (int)((&((t *)0L)->m))
+#if defined(BSD) && (BSD < 199103) && defined(__osf__)
+# undef BSD
+# define BSD 199103
#endif
-#if defined(__sgi) || defined(bsdi)
-struct ether_addr {
- u_char ether_addr_octet[6];
-};
+#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
+# define index strchr
+# if !defined(_KERNEL)
+# define bzero(a,b) memset(a,0,b)
+# define bcmp memcmp
+# define bcopy(a,b,c) memmove(b,a,c)
+# endif
#endif
-#ifndef LIFNAMSIZ
-# ifdef IF_NAMESIZE
+#ifndef LIFNAMSIZ
+# ifdef IF_NAMESIZE
# define LIFNAMSIZ IF_NAMESIZE
# else
# ifdef IFNAMSIZ
@@ -81,6 +90,12 @@ struct ether_addr {
# endif
#endif
+#if defined(__sgi) || defined(bsdi) || defined(__hpux) || defined(hpux)
+struct ether_addr {
+ u_char ether_addr_octet[6];
+};
+#endif
+
#if defined(__sgi) && !defined(IPFILTER_LKM)
# ifdef __STDC__
# define IPL_EXTERN(ep) ipfilter##ep
@@ -95,233 +110,1543 @@ struct ether_addr {
# endif
#endif
-#ifdef __sgi
-# include <sys/debug.h>
-#endif
-
-#ifdef linux
-# include <sys/sysmacros.h>
-#endif
-
/*
* This is a workaround for <sys/uio.h> troubles on FreeBSD and OpenBSD.
*/
-#ifndef _KERNEL
-# define ADD_KERNEL
-# define _KERNEL
-# define KERNEL
-#endif
-#ifdef __OpenBSD__
+#ifndef linux
+# ifndef _KERNEL
+# define ADD_KERNEL
+# define _KERNEL
+# define KERNEL
+# endif
+# ifdef __OpenBSD__
struct file;
-#endif
-#include <sys/uio.h>
-#ifdef ADD_KERNEL
-# undef _KERNEL
-# undef KERNEL
+# endif
+# include <sys/uio.h>
+# ifdef ADD_KERNEL
+# undef _KERNEL
+# undef KERNEL
+# endif
#endif
-#if SOLARIS
-# define MTYPE(m) ((m)->b_datap->db_type)
-# if SOLARIS2 >= 4
-# include <sys/isa_defs.h>
-# endif
+
+/* ----------------------------------------------------------------------- */
+/* S O L A R I S */
+/* ----------------------------------------------------------------------- */
+#if SOLARIS
+# define MENTAT 1
+# include <sys/cmn_err.h>
+# include <sys/isa_defs.h>
+# include <sys/stream.h>
# include <sys/ioccom.h>
# include <sys/sysmacros.h>
# include <sys/kmem.h>
+# if SOLARIS2 >= 10
+# include <sys/procset.h>
+# include <sys/proc.h>
+# include <sys/devops.h>
+# include <sys/ddi_impldefs.h>
+# endif
/*
* because Solaris 2 defines these in two places :-/
*/
+# ifndef KERNEL
+# define _KERNEL
+# undef RES_INIT
+# endif /* _KERNEL */
+
+# if SOLARIS2 >= 8
+# include <netinet/ip6.h>
+# include <netinet/icmp6.h>
+# endif
+
+# include <inet/common.h>
+/* These 5 are defined in <inet/ip.h> and <netinet/ip.h> */
# undef IPOPT_EOL
# undef IPOPT_NOP
# undef IPOPT_LSRR
# undef IPOPT_RR
# undef IPOPT_SSRR
+# ifdef i386
+# define _SYS_PROMIF_H
+# endif
+# include <inet/ip.h>
+# undef COPYOUT
+# include <inet/ip_ire.h>
# ifndef KERNEL
-# define _KERNEL
-# undef RES_INIT
-# if SOLARIS2 >= 8
-# include <netinet/ip6.h>
-# endif
-# include <inet/common.h>
-# include <inet/ip.h>
-# include <inet/ip_ire.h>
# undef _KERNEL
-# else /* _KERNEL */
-# if SOLARIS2 >= 8
-# include <netinet/ip6.h>
-# endif
-# include <inet/common.h>
-# include <inet/ip.h>
-# include <inet/ip_ire.h>
-# endif /* _KERNEL */
+# endif
# if SOLARIS2 >= 8
+# define SNPRINTF snprintf
+
# include <inet/ip_if.h>
-# include <netinet/ip6.h>
# define ipif_local_addr ipif_lcl_addr
/* Only defined in private include file */
# ifndef V4_PART_OF_V6
# define V4_PART_OF_V6(v6) v6.s6_addr32[3]
# endif
+struct ip6_ext {
+ u_char ip6e_nxt;
+ u_char ip6e_len;
+};
+# endif /* SOLARIS2 >= 8 */
+
+# if SOLARIS2 >= 6
+# include <sys/atomic.h>
+typedef uint32_t u_32_t;
+# else
+typedef unsigned int u_32_t;
# endif
-# define M_BLEN(m) ((m)->b_wptr - (m)->b_rptr)
-
-typedef struct qif {
- struct qif *qf_next;
- ill_t *qf_ill;
- kmutex_t qf_lock;
- void *qf_iptr;
- void *qf_optr;
- queue_t *qf_in;
- queue_t *qf_out;
- void *qf_data; /* layer 3 header pointer */
- struct qinit *qf_wqinfo;
- struct qinit *qf_rqinfo;
- struct qinit qf_wqinit;
- struct qinit qf_rqinit;
- mblk_t *qf_m; /* These three fields are for passing data up from */
- queue_t *qf_q; /* fr_qin and fr_qout to the packet processing. */
- size_t qf_off;
- size_t qf_len; /* this field is used for in ipfr_fastroute */
- char qf_name[LIFNAMSIZ];
- /*
- * in case the ILL has disappeared...
- */
- size_t qf_hl; /* header length */
- int qf_sap;
-# if SOLARIS2 >= 8
- int qf_tunoff; /* tunnel offset */
-#endif
- size_t qf_incnt;
- size_t qf_outcnt;
-} qif_t;
-#else /* SOLARIS */
-# if !defined(__sgi)
-typedef int minor_t;
+# define U_32_T 1
+
+# ifdef _KERNEL
+# define KRWLOCK_T krwlock_t
+# define KMUTEX_T kmutex_t
+# include "qif.h"
+# include "pfil.h"
+# if SOLARIS2 >= 6
+# if SOLARIS2 == 6
+# define ATOMIC_INCL(x) atomic_add_long((uint32_t*)&(x), 1)
+# define ATOMIC_DECL(x) atomic_add_long((uint32_t*)&(x), -1)
+# else
+# define ATOMIC_INCL(x) atomic_add_long(&(x), 1)
+# define ATOMIC_DECL(x) atomic_add_long(&(x), -1)
+# endif /* SOLARIS2 == 6 */
+# define ATOMIC_INC64(x) atomic_add_64((uint64_t*)&(x), 1)
+# define ATOMIC_INC32(x) atomic_add_32((uint32_t*)&(x), 1)
+# define ATOMIC_INC16(x) atomic_add_16((uint16_t*)&(x), 1)
+# define ATOMIC_DEC64(x) atomic_add_64((uint64_t*)&(x), -1)
+# define ATOMIC_DEC32(x) atomic_add_32((uint32_t*)&(x), -1)
+# define ATOMIC_DEC16(x) atomic_add_16((uint16_t*)&(x), -1)
+# else
+# define ATOMIC_INC(x) { mutex_enter(&ipf_rw); (x)++; \
+ mutex_exit(&ipf_rw); }
+# define ATOMIC_DEC(x) { mutex_enter(&ipf_rw); (x)--; \
+ mutex_exit(&ipf_rw); }
+# endif /* SOLARIS2 >= 6 */
+# define USE_MUTEXES
+# define MUTEX_ENTER(x) mutex_enter(&(x)->ipf_lk)
+# define READ_ENTER(x) rw_enter(&(x)->ipf_lk, RW_READER)
+# define WRITE_ENTER(x) rw_enter(&(x)->ipf_lk, RW_WRITER)
+# define MUTEX_DOWNGRADE(x) rw_downgrade(&(x)->ipf_lk)
+# define RWLOCK_INIT(x, y) rw_init(&(x)->ipf_lk, (y), \
+ RW_DRIVER, NULL)
+# define RWLOCK_EXIT(x) rw_exit(&(x)->ipf_lk)
+# define RW_DESTROY(x) rw_destroy(&(x)->ipf_lk)
+# define MUTEX_INIT(x, y) mutex_init(&(x)->ipf_lk, (y), \
+ MUTEX_DRIVER, NULL)
+# define MUTEX_DESTROY(x) mutex_destroy(&(x)->ipf_lk)
+# define MUTEX_NUKE(x) bzero((x), sizeof(*(x)))
+# define MUTEX_EXIT(x) mutex_exit(&(x)->ipf_lk)
+# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
+# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYIN(a,b,c) (void) copyin((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYOUT(a,b,c) (void) copyout((caddr_t)(a), (caddr_t)(b), (c))
+# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
+# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
+# define KFREES(x,s) kmem_free((char *)(x), (s))
+# define SPL_NET(x) ;
+# define SPL_IMP(x) ;
+# undef SPL_X
+# define SPL_X(x) ;
+# ifdef sparc
+# define ntohs(x) (x)
+# define ntohl(x) (x)
+# define htons(x) (x)
+# define htonl(x) (x)
+# endif /* sparc */
+# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
+# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
+# define GET_MINOR(x) getminor(x)
+extern void *get_unit __P((char *, int));
+# define GETIFP(n, v) get_unit(n, v)
+# define IFNAME(x) ((qif_t *)x)->qf_name
+# define COPYIFNAME(x, b) \
+ (void) strncpy(b, ((qif_t *)x)->qf_name, \
+ LIFNAMSIZ)
+# define GETKTIME(x) uniqtime((struct timeval *)x)
+# define MSGDSIZE(x) msgdsize(x)
+# define M_LEN(x) ((x)->b_wptr - (x)->b_rptr)
+# define M_DUPLICATE(x) dupmsg((x))
+# define MTOD(m,t) ((t)((m)->b_rptr))
+# define MTYPE(m) ((m)->b_datap->db_type)
+# define FREE_MB_T(m) freemsg(m)
+# define m_next b_cont
+# define CACHE_HASH(x) (((qpktinfo_t *)(x)->fin_qpi)->qpi_num & 7)
+# define IPF_PANIC(x,y) if (x) { printf y; cmn_err(CE_PANIC, "ipf_panic"); }
+typedef mblk_t mb_t;
+# endif /* _KERNEL */
+
+# if (SOLARIS2 >= 7)
+# ifdef lint
+# define ALIGN32(ptr) (ptr ? 0L : 0L)
+# define ALIGN16(ptr) (ptr ? 0L : 0L)
+# else
+# define ALIGN32(ptr) (ptr)
+# define ALIGN16(ptr) (ptr)
+# endif
+# endif
+
+# if SOLARIS2 < 6
+typedef struct uio uio_t;
# endif
+typedef int ioctlcmd_t;
+
+# define OS_RECOGNISED 1
+
#endif /* SOLARIS */
-#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
-#ifndef IP_OFFMASK
-#define IP_OFFMASK 0x1fff
-#endif
+/* ----------------------------------------------------------------------- */
+/* H P U X */
+/* ----------------------------------------------------------------------- */
+#ifdef __hpux
+# define MENTAT 1
+# include <sys/sysmacros.h>
+# include <sys/spinlock.h>
+# include <sys/lock.h>
+# include <sys/stream.h>
+# ifdef USE_INET6
+# include <netinet/if_ether.h>
+# include <netinet/ip6.h>
+# include <netinet/icmp6.h>
+typedef struct ip6_hdr ip6_t;
+# endif
-#if BSD > 199306
-# define USE_QUAD_T
-# define U_QUAD_T u_quad_t
-# define QUAD_T quad_t
-#else /* BSD > 199306 */
-# define U_QUAD_T u_long
-# define QUAD_T long
-#endif /* BSD > 199306 */
+# ifdef _KERNEL
+# define SNPRINTF sprintf
+# if (HPUXREV >= 1111)
+# define IPL_SELECT
+# ifdef IPL_SELECT
+# include <machine/sys/user.h>
+# include <sys/kthread_iface.h>
+# define READ_COLLISION 0x01
+
+typedef struct iplog_select_s {
+ kthread_t *read_waiter;
+ int state;
+} iplog_select_t;
+# endif
+# endif
+# define GETKTIME(x) uniqtime((struct timeval *)x)
-#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
-# include <sys/param.h>
-# ifndef __FreeBSD_version
-# ifdef IPFILTER_LKM
-# include <osreldate.h>
+# if HPUXREV == 1111
+# include "kern_svcs.h"
+# else
+# include <sys/kern_svcs.h>
+# endif
+# undef ti_flags
+# undef TCP_NODELAY
+# undef TCP_MAXSEG
+# include <sys/reg.h>
+# include "../netinet/ip_info.h"
+/*
+ * According to /usr/include/sys/spinlock.h on HP-UX 11.00, these functions
+ * are available. Attempting to use them actually results in unresolved
+ * symbols when it comes time to load the module.
+ * This has been fixed! Yipee!
+ */
+# if 1
+# ifdef __LP64__
+# define ATOMIC_INCL(x) lock_and_incr_int64(&ipf_rw.ipf_lk, &(x), 1)
+# define ATOMIC_DECL(x) lock_and_incr_int64(&ipf_rw.ipf_lk, &(x), -1)
+# else
+# define ATOMIC_INCL(x) lock_and_incr_int32(&ipf_rw.ipf_lk, &(x), 1)
+# define ATOMIC_DECL(x) lock_and_incr_int32(&ipf_rw.ipf_lk, &(x), -1)
+# endif
+# define ATOMIC_INC64(x) lock_and_incr_int64(&ipf_rw.ipf_lk, &(x), 1)
+# define ATOMIC_INC32(x) lock_and_incr_int32(&ipf_rw.ipf_lk, &(x), 1)
+# define ATOMIC_INC16(x) lock_and_incr_int16(&ipf_rw.ipf_lk, &(x), 1)
+# define ATOMIC_DEC64(x) lock_and_incr_int64(&ipf_rw.ipf_lk, &(x), -1)
+# define ATOMIC_DEC32(x) lock_and_incr_int32(&ipf_rw.ipf_lk, &(x), -1)
+# define ATOMIC_DEC16(x) lock_and_incr_int16(&ipf_rw.ipf_lk, &(x), -1)
+# else /* 0 */
+# define ATOMIC_INC64(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
+ MUTEX_EXIT(&ipf_rw); }
+# define ATOMIC_DEC64(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
+ MUTEX_EXIT(&ipf_rw); }
+# define ATOMIC_INC32(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
+ MUTEX_EXIT(&ipf_rw); }
+# define ATOMIC_DEC32(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
+ MUTEX_EXIT(&ipf_rw); }
+# define ATOMIC_INCL(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
+ MUTEX_EXIT(&ipf_rw); }
+# define ATOMIC_DECL(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
+ MUTEX_EXIT(&ipf_rw); }
+# define ATOMIC_INC(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
+ MUTEX_EXIT(&ipf_rw); }
+# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
+ MUTEX_EXIT(&ipf_rw); }
+# endif
+# define ip_cksum ip_csuma
+# define memcpy(a,b,c) bcopy((caddr_t)b, (caddr_t)a, c)
+# define USE_MUTEXES
+# define MUTEX_INIT(x, y) initlock(&(x)->ipf_lk, 0, 0, (y))
+# define MUTEX_ENTER(x) spinlock(&(x)->ipf_lk)
+# define MUTEX_EXIT(x) spinunlock(&(x)->ipf_lk);
+# define MUTEX_DESTROY(x)
+# define MUTEX_NUKE(x) bzero((char *)(x), sizeof(*(x)))
+# define KMUTEX_T lock_t
+# define kmutex_t lock_t /* for pfil.h */
+# define krwlock_t lock_t /* for pfil.h */
+/*
+ * The read-write lock implementation in HP-UX 11.0 is crippled - it can
+ * only be used by threads working in a user context!
+ * This has been fixed! Yipee! (Or at least it does in 11.00, not 11.11..)
+ */
+# if HPUXREV < 1111
+# define MUTEX_DOWNGRADE(x) lock_write_to_read(x)
+# define KRWLOCK_T struct rw_lock
+# define READ_ENTER(x) lock_read(&(x)->ipf_lk)
+# define WRITE_ENTER(x) lock_write(&(x)->ipf_lk)
+# if HPUXREV >= 1111
+# define RWLOCK_INIT(x, y) rwlock_init4(&(x)->ipf_lk, 0, RWLCK_CANSLEEP, 0, y)
+# else
+# define RWLOCK_INIT(x, y) lock_init3(&(x)->ipf_lk, 0, 1, 0, 0, y)
+# endif
+# define RWLOCK_EXIT(x) lock_done(&(x)->ipf_lk)
# else
-# include <sys/osreldate.h>
+# define KRWLOCK_T lock_t
+# define KMUTEX_T lock_t
+# define READ_ENTER(x) MUTEX_ENTER(x)
+# define WRITE_ENTER(x) MUTEX_ENTER(x)
+# define MUTEX_DOWNGRADE(x)
+# define RWLOCK_INIT(x, y) initlock(&(x)->ipf_lk, 0, 0, y)
+# define RWLOCK_EXIT(x) MUTEX_EXIT(x)
+# endif
+# define RW_DESTROY(x)
+# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
+# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
+# if HPUXREV >= 1111
+# define BCOPYIN(a,b,c) 0; bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYOUT(a,b,c) 0; bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# else
+# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# endif
+# define SPL_NET(x) ;
+# define SPL_IMP(x) ;
+# undef SPL_X
+# define SPL_X(x) ;
+extern void *get_unit __P((char *, int));
+# define GETIFP(n, v) get_unit(n, v)
+# define IFNAME(x, b) ((ill_t *)x)->ill_name
+# define COPYIFNAME(x, b) \
+ (void) strncpy(b, ((qif_t *)x)->qf_name, \
+ LIFNAMSIZ)
+# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
+# define SLEEP(id, n) { lock_t *_l = get_sleep_lock((caddr_t)id); \
+ sleep(id, PZERO+1); \
+ spinunlock(_l); \
+ }
+# define WAKEUP(id,x) { lock_t *_l = get_sleep_lock((caddr_t)id); \
+ wakeup(id + x); \
+ spinunlock(_l); \
+ }
+# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_IOSYS, M_NOWAIT)
+# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_IOSYS, M_NOWAIT)
+# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
+# define KFREES(x,s) kmem_free((char *)(x), (s))
+# define MSGDSIZE(x) msgdsize(x)
+# define M_LEN(x) ((x)->b_wptr - (x)->b_rptr)
+# define M_DUPLICATE(x) dupmsg((x))
+# define MTOD(m,t) ((t)((m)->b_rptr))
+# define MTYPE(m) ((m)->b_datap->db_type)
+# define FREE_MB_T(m) freemsg(m)
+# define m_next b_cont
+# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
+typedef mblk_t mb_t;
+
+# define CACHE_HASH(x) (((qpktinfo_t *)(x)->fin_qpi)->qpi_num & 7)
+
+# include "qif.h"
+# include "pfil.h"
+
+# else /* _KERNEL */
+
+typedef unsigned char uchar_t;
+
+# ifndef _SYS_STREAM_INCLUDED
+typedef char * mblk_t;
+typedef void * queue_t;
+typedef u_long ulong;
# endif
+# include <netinet/ip_info.h>
+
+# endif /* _KERNEL */
+
+# ifdef lint
+# define ALIGN32(ptr) (ptr ? 0L : 0L)
+# define ALIGN16(ptr) (ptr ? 0L : 0L)
+# else
+# define ALIGN32(ptr) (ptr)
+# define ALIGN16(ptr) (ptr)
# endif
-# ifdef IPFILTER_LKM
-# define ACTUALLY_LKM_NOT_KERNEL
+
+typedef struct uio uio_t;
+typedef int ioctlcmd_t;
+typedef int minor_t;
+typedef unsigned int u_32_t;
+# define U_32_T 1
+
+# define OS_RECOGNISED 1
+
+#endif /* __hpux */
+
+/* ----------------------------------------------------------------------- */
+/* I R I X */
+/* ----------------------------------------------------------------------- */
+#ifdef __sgi
+# undef MENTAT
+# if IRIX < 60500
+typedef struct uio uio_t;
# endif
-# if defined(__FreeBSD_version) && (__FreeBSD_version < 300000)
-# include <machine/spl.h>
+typedef int ioctlcmd_t;
+typedef u_int32_t u_32_t;
+# define U_32_T 1
+
+# ifdef INET6
+# define USE_INET6
+# endif
+
+# define hz HZ
+# include <sys/ksynch.h>
+# define IPF_LOCK_PL plhi
+# include <sys/sema.h>
+# undef kmutex_t
+typedef struct {
+ lock_t *l;
+ int pl;
+} kmutex_t;
+
+# ifdef MUTEX_INIT
+# define KMUTEX_T mutex_t
# else
-# if (__FreeBSD_version >= 300000) && (__FreeBSD_version < 400000)
-# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
-# define ACTUALLY_LKM_NOT_KERNEL
-# endif
+# define KMUTEX_T kmutex_t
+# define KRWLOCK_T kmutex_t
+# endif
+
+# ifdef _KERNEL
+# define ATOMIC_INC(x) { MUTEX_ENTER(&ipf_rw); \
+ (x)++; MUTEX_EXIT(&ipf_rw); }
+# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); \
+ (x)--; MUTEX_EXIT(&ipf_rw); }
+# define USE_MUTEXES
+# ifdef MUTEX_INIT
+# include <sys/atomic_ops.h>
+# define ATOMIC_INCL(x) atomicAddUlong(&(x), 1)
+# define ATOMIC_INC64(x) atomicAddUint64(&(x), 1)
+# define ATOMIC_INC32(x) atomicAddUint(&(x), 1)
+# define ATOMIC_INC16 ATOMIC_INC
+# define ATOMIC_DECL(x) atomicAddUlong(&(x), -1)
+# define ATOMIC_DEC64(x) atomicAddUint64(&(x), -1)
+# define ATOMIC_DEC32(x) atomicAddUint(&(x), -1)
+# define ATOMIC_DEC16 ATOMIC_DEC
+# undef MUTEX_INIT
+# define MUTEX_INIT(x, y) mutex_init(&(x)->ipf_lk, \
+ MUTEX_DEFAULT, y)
+# undef MUTEX_ENTER
+# define MUTEX_ENTER(x) mutex_lock(&(x)->ipf_lk, 0)
+# undef MUTEX_EXIT
+# define MUTEX_EXIT(x) mutex_unlock(&(x)->ipf_lk)
+# undef MUTEX_DESTROY
+# define MUTEX_DESTROY(x) mutex_destroy(&(x)->ipf_lk)
+# define MUTEX_DOWNGRADE(x) mrdemote(&(x)->ipf_lk)
+# define KRWLOCK_T mrlock_t
+# define RWLOCK_INIT(x, y) mrinit(&(x)->ipf_lk, y)
+# undef RW_DESTROY
+# define RW_DESTROY(x) mrfree(&(x)->ipf_lk)
+# define READ_ENTER(x) RW_RDLOCK(&(x)->ipf_lk)
+# define WRITE_ENTER(x) RW_WRLOCK(&(x)->ipf_lk)
+# define RWLOCK_EXIT(x) RW_UNLOCK(&(x)->ipf_lk)
+# else
+# define READ_ENTER(x) MUTEX_ENTER(&(x)->ipf_lk)
+# define WRITE_ENTER(x) MUTEX_ENTER(&(x)->ipf_lk)
+# define MUTEX_DOWNGRADE(x) ;
+# define RWLOCK_EXIT(x) MUTEX_EXIT(&(x)->ipf_lk)
+# define MUTEX_EXIT(x) UNLOCK((x)->ipf_lk.l, (x)->ipf_lk.pl);
+# define MUTEX_INIT(x,y) (x)->ipf_lk.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP)
+# define MUTEX_DESTROY(x) LOCK_DEALLOC((x)->ipf_lk.l)
+# define MUTEX_ENTER(x) (x)->ipf_lk.pl = LOCK((x)->ipf_lk.l, \
+ IPF_LOCK_PL);
# endif
+# define MUTEX_NUKE(x) bzero((x), sizeof(*(x)))
+# define FREE_MB_T(m) m_freem(m)
+# define MTOD(m,t) mtod(m,t)
+# define COPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
+# define COPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
+# define BCOPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
+# define BCOPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
+# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
+# define SLEEP(id, n) sleep((id), PZERO+1)
+# define WAKEUP(id,x) wakeup(id+x)
+# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
+# define KFREES(x,s) kmem_free((char *)(x), (s))
+# define GETIFP(n,v) ifunit(n)
+# include <sys/kmem.h>
+# include <sys/ddi.h>
+# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
+# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
+# define GET_MINOR(x) getminor(x)
+# define USE_SPL 1
+# define SPL_IMP(x) (x) = splimp()
+# define SPL_NET(x) (x) = splnet()
+# define SPL_X(x) (void) splx(x)
+extern void m_copydata __P((struct mbuf *, int, int, caddr_t));
+extern void m_copyback __P((struct mbuf *, int, int, caddr_t));
+# define MSGDSIZE(x) mbufchainlen(x)
+# define M_LEN(x) (x)->m_len
+# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
+# define GETKTIME(x) microtime((struct timeval *)x)
+# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
+ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
+# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
+typedef struct mbuf mb_t;
+# else
+# undef RW_DESTROY
+# undef MUTEX_INIT
+# undef MUTEX_DESTROY
+# endif /* _KERNEL */
+
+# define OS_RECOGNISED 1
+
+#endif /* __sgi */
+
+/* ----------------------------------------------------------------------- */
+/* T R U 6 4 */
+/* ----------------------------------------------------------------------- */
+#ifdef __osf__
+# undef MENTAT
+
+# include <kern/lock.h>
+# include <sys/sysmacros.h>
+
+# ifdef _KERNEL
+# define KMUTEX_T simple_lock_data_t
+# define KRWLOCK_T lock_data_t
+# include <net/net_globals.h>
+# define USE_MUTEXES
+# define READ_ENTER(x) lock_read(&(x)->ipf_lk)
+# define WRITE_ENTER(x) lock_write(&(x)->ipf_lk)
+# define MUTEX_DOWNGRADE(x) lock_write_to_read(&(x)->ipf_lk)
+# define RWLOCK_INIT(x, y) lock_init(&(x)->ipf_lk, TRUE)
+# define RWLOCK_EXIT(x) lock_done(&(x)->ipf_lk)
+# define RW_DESTROY(x) lock_terminate(&(x)->ipf_lk)
+# define MUTEX_ENTER(x) simple_lock(&(x)->ipf_lk)
+# define MUTEX_INIT(x, y) simple_lock_init(&(x)->ipf_lk)
+# define MUTEX_DESTROY(x) simple_lock_terminate(&(x)->ipf_lk)
+# define MUTEX_EXIT(x) simple_unlock(&(x)->ipf_lk)
+# define MUTEX_NUKE(x) bzero(x, sizeof(*(x)))
+# define ATOMIC_INC64(x) atomic_incq((uint64_t*)&(x))
+# define ATOMIC_DEC64(x) atomic_decq((uint64_t*)&(x))
+# define ATOMIC_INC32(x) atomic_incl((uint32_t*)&(x))
+# define ATOMIC_DEC32(x) atomic_decl((uint32_t*)&(x))
+# define ATOMIC_INC16(x) { simple_lock(&ipf_rw); (x)++; \
+ simple_unlock(&ipf_rw); }
+# define ATOMIC_DEC16(x) { simple_lock(&ipf_rw); (x)--; \
+ simple_unlock(&ipf_rw); }
+# define ATOMIC_INCL(x) atomic_incl((uint32_t*)&(x))
+# define ATOMIC_DECL(x) atomic_decl((uint32_t*)&(x))
+# define ATOMIC_INC(x) { simple_lock(&ipf_rw); (x)++; \
+ simple_unlock(&ipf_rw); }
+# define ATOMIC_DEC(x) { simple_lock(&ipf_rw); (x)--; \
+ simple_unlock(&ipf_rw); }
+# define SPL_NET(x) ;
+# define SPL_IMP(x) ;
+# undef SPL_X
+# define SPL_X(x) ;
+# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a, b, d)
+# define FREE_MB_T(m) m_freem(m)
+# define MTOD(m,t) mtod(m,t)
+# define GETIFP(n, v) ifunit(n)
+# define GET_MINOR getminor
+# define WAKEUP(id,x) wakeup(id + x)
+# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
+# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_PFILT, M_NOWAIT)
+# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_PFILT, \
+ ((c) > 4096) ? M_WAITOK : M_NOWAIT)
+# define KFREE(x) FREE((x), M_PFILT)
+# define KFREES(x,s) FREE((x), M_PFILT)
+# define MSGDSIZE(x) mbufchainlen(x)
+# define M_LEN(x) (x)->m_len
+# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
+# define GETKTIME(x) microtime((struct timeval *)x)
+# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
+ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
+# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
+typedef struct mbuf mb_t;
+# endif /* _KERNEL */
+
+# if (defined(_KERNEL) || defined(_NO_BITFIELDS) || (__STDC__ == 1))
+# define IP_V(x) ((x)->ip_vhl >> 4)
+# define IP_HL(x) ((x)->ip_vhl & 0xf)
+# define IP_V_A(x,y) (x)->ip_vhl |= (((y) << 4) & 0xf0)
+# define IP_HL_A(x,y) (x)->ip_vhl |= ((y) & 0xf)
+# define TCP_X2(x) ((x)->th_xoff & 0xf)
+# define TCP_X2_A(x,y) (x)->th_xoff |= ((y) & 0xf)
+# define TCP_OFF(x) ((x)->th_xoff >> 4)
+# define TCP_OFF_A(x,y) (x)->th_xoff |= (((y) << 4) & 0xf0)
# endif
-#endif /* __FreeBSD__ && KERNEL */
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 500000) && \
- defined(_KERNEL)
-# include <machine/in_cksum.h>
-#endif
+/*
+ * These are from's Solaris' #defines for little endian.
+ */
+#define IP6F_MORE_FRAG 0x0100
+#define IP6F_RESERVED_MASK 0x0600
+#define IP6F_OFF_MASK 0xf8ff
+
+struct ip6_ext {
+ u_char ip6e_nxt;
+ u_char ip6e_len;
+};
+typedef int ioctlcmd_t;
/*
- * These operating systems already take care of the problem for us.
+ * Really, any arch where sizeof(long) != sizeof(int).
*/
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
- defined(__sgi)
-typedef u_int32_t u_32_t;
+typedef unsigned int u_32_t;
+# define U_32_T 1
+
+# define OS_RECOGNISED 1
+#endif /* __osf__ */
+
+/* ----------------------------------------------------------------------- */
+/* N E T B S D */
+/* ----------------------------------------------------------------------- */
+#ifdef __NetBSD__
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+# include "bpfilter.h"
# if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 104110000)
# include "opt_inet.h"
# endif
-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
- !defined(KLD_MODULE)
-# include "opt_inet6.h"
-# endif
# ifdef INET6
-# define USE_INET6
-# endif
+# define USE_INET6
+# endif
+# if (__NetBSD_Version__ >= 105000000)
+# define HAVE_M_PULLDOWN 1
+# endif
+# endif
+
+# ifdef _KERNEL
+# define MSGDSIZE(x) mbufchainlen(x)
+# define M_LEN(x) (x)->m_len
+# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
+# define GETKTIME(x) microtime((struct timeval *)x)
+# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
+# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
+# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+typedef struct mbuf mb_t;
+# endif /* _KERNEL */
+# if (NetBSD <= 1991011) && (NetBSD >= 199606)
+# define IFNAME(x) ((struct ifnet *)x)->if_xname
+# define COPYIFNAME(x, b) \
+ (void) strncpy(b, \
+ ((struct ifnet *)x)->if_xname, \
+ LIFNAMSIZ)
+# define CACHE_HASH(x) ((((struct ifnet *)fin->fin_ifp)->if_index)&7)
+# else
+# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
+ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
# endif
-# if !defined(_KERNEL) && !defined(IPFILTER_LKM) && !defined(USE_INET6)
-# if (defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
- !defined(NOINET6)) || \
- (defined(OpenBSD) && (OpenBSD >= 200111)) || \
- (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000))
+
+typedef struct uio uio_t;
+typedef u_long ioctlcmd_t;
+typedef int minor_t;
+typedef u_int32_t u_32_t;
+# define U_32_T 1
+
+# define OS_RECOGNISED 1
+#endif /* __NetBSD__ */
+
+
+/* ----------------------------------------------------------------------- */
+/* F R E E B S D */
+/* ----------------------------------------------------------------------- */
+#ifdef __FreeBSD__
+# if defined(_KERNEL) && !defined(IPFILTER_LKM) && !defined(KLD_MODULE)
+# if (__FreeBSD_version >= 500000)
+# include "opt_bpf.h"
+# else
+# include "bpf.h"
+# endif
+# if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000)
+# include "opt_inet6.h"
+# endif
+# if defined(INET6) && !defined(USE_INET6)
# define USE_INET6
# endif
# endif
-#else
+
+# if defined(_KERNEL)
+# if (__FreeBSD_version >= 400000)
/*
- * Really, any arch where sizeof(long) != sizeof(int).
+ * When #define'd, the 5.2.1 kernel panics when used with the ftp proxy.
+ * There may be other, safe, kernels but this is not extensively tested yet.
*/
-# if defined(__alpha__) || defined(__alpha) || defined(_LP64)
-typedef unsigned int u_32_t;
-# else
-# if SOLARIS2 >= 6
-typedef uint32_t u_32_t;
+# define HAVE_M_PULLDOWN
+# endif
+# if !defined(IPFILTER_LKM) && (__FreeBSD_version >= 300000)
+# include "opt_ipfilter.h"
+# endif
+# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
+# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+
+# if (__FreeBSD_version >= 500043)
+# define NETBSD_PF
+# endif
+# endif /* _KERNEL */
+
+# if (__FreeBSD_version >= 500043)
+# include <sys/mutex.h>
+# include <sys/sx.h>
+/*
+ * Whilst the sx(9) locks on FreeBSD have the right semantics and interface
+ * for what we want to use them for, despite testing showing they work -
+ * with a WITNESS kernel, it generates LOR messages.
+ */
+# define KMUTEX_T struct mtx
+# if 1
+# define KRWLOCK_T struct mtx
# else
-typedef unsigned int u_32_t;
+# define KRWLOCK_T struct sx
# endif
# endif
-#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
-#ifdef USE_INET6
-# if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
-# include <netinet/ip6.h>
-# ifdef _KERNEL
-# include <netinet6/ip6_var.h>
+# if (__FreeBSD_version >= 501113)
+# include <net/if_var.h>
+# define IFNAME(x) ((struct ifnet *)x)->if_xname
+# define COPYIFNAME(x, b) \
+ (void) strncpy(b, \
+ ((struct ifnet *)x)->if_xname, \
+ LIFNAMSIZ)
+# endif
+# if (__FreeBSD_version >= 500043)
+# define CACHE_HASH(x) ((((struct ifnet *)fin->fin_ifp)->if_index) & 7)
+# else
+# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
+ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
+# endif
+
+# ifdef _KERNEL
+# define GETKTIME(x) microtime((struct timeval *)x)
+
+# if (__FreeBSD_version >= 500002)
+# include <netinet/in_systm.h>
+# include <netinet/ip.h>
+# include <machine/in_cksum.h>
+# endif
+
+# if (__FreeBSD_version >= 500043)
+# define USE_MUTEXES
+# define MUTEX_ENTER(x) mtx_lock(&(x)->ipf_lk)
+# define MUTEX_EXIT(x) mtx_unlock(&(x)->ipf_lk)
+# define MUTEX_INIT(x,y) mtx_init(&(x)->ipf_lk, (y), NULL,\
+ MTX_DEF)
+# define MUTEX_DESTROY(x) mtx_destroy(&(x)->ipf_lk)
+# define MUTEX_NUKE(x) bzero((x), sizeof(*(x)))
+/*
+ * Whilst the sx(9) locks on FreeBSD have the right semantics and interface
+ * for what we want to use them for, despite testing showing they work -
+ * with a WITNESS kernel, it generates LOR messages.
+ */
+# if 1
+# define READ_ENTER(x) mtx_lock(&(x)->ipf_lk)
+# define WRITE_ENTER(x) mtx_lock(&(x)->ipf_lk)
+# define RWLOCK_EXIT(x) mtx_unlock(&(x)->ipf_lk)
+# define MUTEX_DOWNGRADE(x) ;
+# define RWLOCK_INIT(x,y) mtx_init(&(x)->ipf_lk, (y), NULL,\
+ MTX_DEF)
+# define RW_DESTROY(x) mtx_destroy(&(x)->ipf_lk)
+# else
+# define READ_ENTER(x) sx_slock(&(x)->ipf_lk)
+# define WRITE_ENTER(x) sx_xlock(&(x)->ipf_lk)
+# define MUTEX_DOWNGRADE(x) sx_downgrade(&(x)->ipf_lk)
+# define RWLOCK_INIT(x, y) sx_init(&(x)->ipf_lk, (y))
+# define RW_DESTROY(x) sx_destroy(&(x)->ipf_lk)
+# ifdef sx_unlock
+# define RWLOCK_EXIT(x) sx_unlock(x)
+# else
+# define RWLOCK_EXIT(x) do { \
+ if ((x)->ipf_lk.sx_cnt < 0) \
+ sx_xunlock(&(x)->ipf_lk); \
+ else \
+ sx_sunlock(&(x)->ipf_lk); \
+ } while (0)
+# endif
+# endif
+# include <machine/atomic.h>
+# define ATOMIC_INC(x) { mtx_lock(&ipf_rw.ipf_lk); (x)++; \
+ mtx_unlock(&ipf_rw.ipf_lk); }
+# define ATOMIC_DEC(x) { mtx_lock(&ipf_rw.ipf_lk); (x)--; \
+ mtx_unlock(&ipf_rw.ipf_lk); }
+# define ATOMIC_INCL(x) atomic_add_long(&(x), 1)
+# define ATOMIC_INC64(x) ATOMIC_INC(x)
+# define ATOMIC_INC32(x) atomic_add_32(&(x), 1)
+# define ATOMIC_INC16(x) atomic_add_16(&(x), 1)
+# define ATOMIC_DECL(x) atomic_add_long(&(x), -1)
+# define ATOMIC_DEC64(x) ATOMIC_DEC(x)
+# define ATOMIC_DEC32(x) atomic_add_32(&(x), -1)
+# define ATOMIC_DEC16(x) atomic_add_16(&(x), -1)
+# define SPL_X(x) ;
+# define SPL_NET(x) ;
+# define SPL_IMP(x) ;
+extern int in_cksum __P((struct mbuf *, int));
+# endif /* __FreeBSD_version >= 500043 */
+# define MSGDSIZE(x) mbufchainlen(x)
+# define M_LEN(x) (x)->m_len
+# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
+# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
+typedef struct mbuf mb_t;
+# endif /* _KERNEL */
+
+# if __FreeBSD__ < 3
+# include <machine/spl.h>
+# else
+# if __FreeBSD__ == 3
+# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
+# define ACTUALLY_LKM_NOT_KERNEL
+# endif
# endif
-typedef struct ip6_hdr ip6_t;
# endif
-# include <netinet/icmp6.h>
-union i6addr {
- u_32_t i6[4];
- struct in_addr in4;
- struct in6_addr in6;
+
+# if (__FreeBSD_version >= 300000)
+typedef u_long ioctlcmd_t;
+# else
+typedef int ioctlcmd_t;
+# endif
+typedef struct uio uio_t;
+typedef int minor_t;
+typedef u_int32_t u_32_t;
+# define U_32_T 1
+
+# define OS_RECOGNISED 1
+#endif /* __FreeBSD__ */
+
+
+/* ----------------------------------------------------------------------- */
+/* O P E N B S D */
+/* ----------------------------------------------------------------------- */
+#ifdef __OpenBSD__
+# ifdef INET6
+# define USE_INET6
+# endif
+
+# ifdef _KERNEL
+# if !defined(IPFILTER_LKM)
+# include "bpfilter.h"
+# endif
+# if (OpenBSD >= 200311)
+# define SNPRINTF snprintf
+# if defined(USE_INET6)
+# include "netinet6/in6_var.h"
+# include "netinet6/nd6.h"
+# endif
+# endif
+# if (OpenBSD >= 200012)
+# define HAVE_M_PULLDOWN 1
+# endif
+# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
+# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# define GETKTIME(x) microtime((struct timeval *)x)
+# define MSGDSIZE(x) mbufchainlen(x)
+# define M_LEN(x) (x)->m_len
+# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
+# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
+typedef struct mbuf mb_t;
+# endif /* _KERNEL */
+# if (OpenBSD >= 199603)
+# define IFNAME(x, b) ((struct ifnet *)x)->if_xname
+# define COPYIFNAME(x, b) \
+ (void) strncpy(b, \
+ ((struct ifnet *)x)->if_xname, \
+ LIFNAMSIZ)
+# define CACHE_HASH(x) ((((struct ifnet *)fin->fin_ifp)->if_index)&7)
+# else
+# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
+ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
+# endif
+
+typedef struct uio uio_t;
+typedef u_long ioctlcmd_t;
+typedef int minor_t;
+typedef u_int32_t u_32_t;
+# define U_32_T 1
+
+# define OS_RECOGNISED 1
+#endif /* __OpenBSD__ */
+
+
+/* ----------------------------------------------------------------------- */
+/* B S D O S */
+/* ----------------------------------------------------------------------- */
+#ifdef _BSDI_VERSION
+# ifdef INET6
+# define USE_INET6
+# endif
+
+# ifdef _KERNEL
+# define GETKTIME(x) microtime((struct timeval *)x)
+# define MSGDSIZE(x) mbufchainlen(x)
+# define M_LEN(x) (x)->m_len
+# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
+# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
+ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
+typedef struct mbuf mb_t;
+# endif /* _KERNEL */
+
+# if (_BSDI_VERSION >= 199701)
+typedef u_long ioctlcmd_t;
+# else
+typedef int ioctlcmd_t;
+# endif
+typedef u_int32_t u_32_t;
+# define U_32_T 1
+
+#endif /* _BSDI_VERSION */
+
+
+/* ----------------------------------------------------------------------- */
+/* S U N O S 4 */
+/* ----------------------------------------------------------------------- */
+#if defined(sun) && !defined(OS_RECOGNISED) /* SunOS4 */
+# ifdef _KERNEL
+# include <sys/kmem_alloc.h>
+# define GETKTIME(x) uniqtime((struct timeval *)x)
+# define MSGDSIZE(x) mbufchainlen(x)
+# define M_LEN(x) (x)->m_len
+# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
+# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
+ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
+# define GETIFP(n, v) ifunit(n, IFNAMSIZ)
+# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
+# define KFREES(x,s) kmem_free((char *)(x), (s))
+# define SLEEP(id, n) sleep((id), PZERO+1)
+# define WAKEUP(id,x) wakeup(id + x)
+# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
+# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
+
+extern void m_copydata __P((struct mbuf *, int, int, caddr_t));
+extern void m_copyback __P((struct mbuf *, int, int, caddr_t));
+
+typedef struct mbuf mb_t;
+# endif
+
+typedef struct uio uio_t;
+typedef int ioctlcmd_t;
+typedef int minor_t;
+typedef unsigned int u_32_t;
+# define U_32_T 1
+
+# define OS_RECOGNISED 1
+
+#endif /* SunOS 4 */
+
+/* ----------------------------------------------------------------------- */
+/* L I N U X */
+/* ----------------------------------------------------------------------- */
+#if defined(linux) && !defined(OS_RECOGNISED)
+#include <linux/config.h>
+#include <linux/version.h>
+# if LINUX >= 20600
+# define HDR_T_PRIVATE 1
+# endif
+# undef USE_INET6
+# ifdef USE_INET6
+struct ip6_ext {
+ u_char ip6e_nxt;
+ u_char ip6e_len;
};
-#else
-union i6addr {
- u_32_t i6[4];
- struct in_addr in4;
+# endif
+
+# ifdef _KERNEL
+# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
+# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
+# define COPYIN(a,b,c) copy_from_user((caddr_t)(b), (caddr_t)(a), (c))
+# define COPYOUT(a,b,c) copy_to_user((caddr_t)(b), (caddr_t)(a), (c))
+# define FREE_MB_T(m) kfree_skb(m)
+# define GETKTIME(x) do_gettimeofday((struct timeval *)x)
+# define SLEEP(x,s) 0, interruptible_sleep_on(x##_linux)
+# define WAKEUP(x,y) wake_up(x##_linux + y)
+# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d)
+# define USE_MUTEXES
+# define KRWLOCK_T rwlock_t
+# define KMUTEX_T spinlock_t
+# define MUTEX_INIT(x,y) spin_lock_init(&(x)->ipf_lk)
+# define MUTEX_ENTER(x) spin_lock(&(x)->ipf_lk)
+# define MUTEX_EXIT(x) spin_unlock(&(x)->ipf_lk)
+# define MUTEX_DESTROY(x) do { } while (0)
+# define MUTEX_NUKE(x) bzero(&(x)->ipf_lk, sizeof((x)->ipf_lk))
+# define READ_ENTER(x) ipf_read_enter(x)
+# define WRITE_ENTER(x) ipf_write_enter(x)
+# define RWLOCK_INIT(x,y) rwlock_init(&(x)->ipf_lk)
+# define RW_DESTROY(x) do { } while (0)
+# define RWLOCK_EXIT(x) ipf_rw_exit(x)
+# define MUTEX_DOWNGRADE(x) ipf_rw_downgrade(x)
+# define ATOMIC_INCL(x) MUTEX_ENTER(&ipf_rw); (x)++; \
+ MUTEX_EXIT(&ipf_rw)
+# define ATOMIC_DECL(x) MUTEX_ENTER(&ipf_rw); (x)--; \
+ MUTEX_EXIT(&ipf_rw)
+# define ATOMIC_INC64(x) MUTEX_ENTER(&ipf_rw); (x)++; \
+ MUTEX_EXIT(&ipf_rw)
+# define ATOMIC_INC32(x) MUTEX_ENTER(&ipf_rw); (x)++; \
+ MUTEX_EXIT(&ipf_rw)
+# define ATOMIC_INC16(x) MUTEX_ENTER(&ipf_rw); (x)++; \
+ MUTEX_EXIT(&ipf_rw)
+# define ATOMIC_DEC64(x) MUTEX_ENTER(&ipf_rw); (x)--; \
+ MUTEX_EXIT(&ipf_rw)
+# define ATOMIC_DEC32(x) MUTEX_ENTER(&ipf_rw); (x)--; \
+ MUTEX_EXIT(&ipf_rw)
+# define ATOMIC_DEC16(x) MUTEX_ENTER(&ipf_rw); (x)--; \
+ MUTEX_EXIT(&ipf_rw)
+# define SPL_IMP(x) do { } while (0)
+# define SPL_NET(x) do { } while (0)
+# define SPL_X(x) do { } while (0)
+# define IFNAME(x) ((struct net_device*)x)->name
+# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
+ ((struct net_device *)fin->fin_ifp)->ifindex) & 7)
+typedef struct sk_buff mb_t;
+extern void m_copydata __P((mb_t *, int, int, caddr_t));
+extern void m_copyback __P((mb_t *, int, int, caddr_t));
+extern void m_adj __P((mb_t *, int));
+extern mb_t *m_pullup __P((mb_t *, int));
+# define mbuf sk_buff
+
+# define mtod(m, t) ((t)(m)->data)
+# define m_len len
+# define m_next next
+# define M_DUPLICATE(m) skb_clone((m), in_interrupt() ? GFP_ATOMIC : \
+ GFP_KERNEL)
+# define MSGDSIZE(m) (m)->len
+# define M_LEN(m) (m)->len
+
+# define splnet(x) ;
+# define printf printk
+# define bcopy(s,d,z) memmove(d, s, z)
+# define bzero(s,z) memset(s, 0, z)
+# define bcmp(a,b,z) memcmp(a, b, z)
+
+# define ifnet net_device
+# define if_xname name
+# define if_unit ifindex
+
+# define KMALLOC(x,t) (x) = (t)kmalloc(sizeof(*(x)), \
+ in_interrupt() ? GFP_ATOMIC : GFP_KERNEL)
+# define KFREE(x) kfree(x)
+# define KMALLOCS(x,t,s) (x) = (t)kmalloc((s), \
+ in_interrupt() ? GFP_ATOMIC : GFP_KERNEL)
+# define KFREES(x,s) kfree(x)
+
+# define GETIFP(n,v) dev_get_by_name(n)
+
+# else
+# include <net/ethernet.h>
+
+struct mbuf {
};
+
+# ifndef _NET_ROUTE_H
+struct rtentry {
+};
+# endif
+
+struct ifnet {
+ char if_xname[IFNAMSIZ];
+ int if_unit;
+ int (* if_output) __P((struct ifnet *, struct mbuf *, struct sockaddr *, struct rtentry *));
+ struct ifaddr *if_addrlist;
+};
+# define IFNAME(x) ((struct ifnet *)x)->if_xname
+
+# endif /* _KERNEL */
+
+# define COPYIFNAME(x, b) \
+ (void) strncpy(b, \
+ ((struct ifnet *)x)->if_xname, \
+ LIFNAMSIZ)
+
+# include <linux/fs.h>
+# define FWRITE FMODE_WRITE
+# define FREAD FMODE_READ
+
+# define __USE_MISC 1
+# define __FAVOR_BSD 1
+
+typedef struct uio {
+ struct iovec *uio_iov;
+ void *uio_file;
+ char *uio_buf;
+ int uio_iovcnt;
+ int uio_offset;
+ size_t uio_resid;
+ int uio_rw;
+} uio_t;
+
+extern int uiomove __P((caddr_t, size_t, int, struct uio *));
+
+# define UIO_READ 1
+# define UIO_WRITE 2
+
+typedef u_long ioctlcmd_t;
+typedef int minor_t;
+typedef u_int32_t u_32_t;
+# define U_32_T 1
+
+# define OS_RECOGNISED 1
+
+#endif
+
+
+#ifndef OS_RECOGNISED
+#error ip_compat.h does not recognise this platform/OS.
#endif
-#define IP6CMP(a,b) bcmp((char *)&(a), (char *)&(b), sizeof(a))
-#define IP6EQ(a,b) (bcmp((char *)&(a), (char *)&(b), sizeof(a)) == 0)
-#define IP6NEQ(a,b) (bcmp((char *)&(a), (char *)&(b), sizeof(a)) != 0)
-#define IP6_ISZERO(a) ((((union i6addr *)(a))->i6[0] | \
- ((union i6addr *)(a))->i6[1] | \
- ((union i6addr *)(a))->i6[2] | \
- ((union i6addr *)(a))->i6[3]) == 0)
-#define IP6_NOTZERO(a) ((((union i6addr *)(a))->i6[0] | \
- ((union i6addr *)(a))->i6[1] | \
- ((union i6addr *)(a))->i6[2] | \
- ((union i6addr *)(a))->i6[3]) != 0)
+
+/* ----------------------------------------------------------------------- */
+/* G E N E R I C */
+/* ----------------------------------------------------------------------- */
+#ifndef OS_RECOGNISED
+#endif
+
+/*
+ * For BSD kernels, if bpf is in the kernel, enable ipfilter to use bpf in
+ * filter rules.
+ */
+#if !defined(IPFILTER_BPF) && ((NBPF > 0) || (NBPFILTER > 0))
+# define IPFILTER_BPF
+#endif
+
+/*
+ * Userland locking primitives
+ */
+typedef struct {
+ char *eMm_owner;
+ char *eMm_heldin;
+ u_int eMm_magic;
+ int eMm_held;
+ int eMm_heldat;
+#ifdef __hpux
+ char eMm_fill[8];
+#endif
+} eMmutex_t;
+
+typedef struct {
+ char *eMrw_owner;
+ char *eMrw_heldin;
+ u_int eMrw_magic;
+ short eMrw_read;
+ short eMrw_write;
+ int eMrw_heldat;
+#ifdef __hpux
+ char eMm_fill[24];
+#endif
+} eMrwlock_t;
+
+typedef union {
+#ifdef KMUTEX_T
+ struct {
+ KMUTEX_T ipf_slk;
+ char *ipf_lname;
+ } ipf_lkun_s;
+#endif
+ eMmutex_t ipf_emu;
+} ipfmutex_t;
+
+typedef union {
+#ifdef KRWLOCK_T
+ struct {
+ KRWLOCK_T ipf_slk;
+ char *ipf_lname;
+ int ipf_sr;
+ int ipf_sw;
+ u_int ipf_magic;
+ } ipf_lkun_s;
+#endif
+ eMrwlock_t ipf_emu;
+} ipfrwlock_t;
+
+#define ipf_lk ipf_lkun_s.ipf_slk
+#define ipf_lname ipf_lkun_s.ipf_lname
+#define ipf_isr ipf_lkun_s.ipf_sr
+#define ipf_isw ipf_lkun_s.ipf_sw
+#define ipf_magic ipf_lkun_s.ipf_magic
+
+#if !defined(__GNUC__) || \
+ (defined(__FreeBSD_version) && (__FreeBSD_version >= 503000))
+# ifndef INLINE
+# define INLINE
+# endif
+#else
+# define INLINE __inline__
+#endif
+
+#if defined(linux) && defined(_KERNEL)
+extern INLINE void ipf_read_enter __P((ipfrwlock_t *));
+extern INLINE void ipf_write_enter __P((ipfrwlock_t *));
+extern INLINE void ipf_rw_exit __P((ipfrwlock_t *));
+extern INLINE void ipf_rw_downgrade __P((ipfrwlock_t *));
+#endif
+
+/*
+ * In a non-kernel environment, there are a lot of macros that need to be
+ * filled in to be null-ops or to point to some compatibility function,
+ * somewhere in userland.
+ */
+#ifndef _KERNEL
+typedef struct mb_s {
+ struct mb_s *mb_next;
+ int mb_len;
+ u_long mb_buf[2048];
+} mb_t;
+# undef m_next
+# define m_next mb_next
+# define MSGDSIZE(x) (x)->mb_len /* XXX - from ipt.c */
+# define M_LEN(x) (x)->mb_len
+# define M_DUPLICATE(x) (x)
+# define GETKTIME(x) gettimeofday((struct timeval *)(x), NULL)
+# define MTOD(m, t) ((t)(m)->mb_buf)
+# define FREE_MB_T(x)
+# define SLEEP(x,y) 1;
+# define WAKEUP(x,y) ;
+# define IPF_PANIC(x,y) ;
+# define PANIC(x,y) ;
+# define SPL_NET(x) ;
+# define SPL_IMP(x) ;
+# define SPL_X(x) ;
+# define KMALLOC(a,b) (a) = (b)malloc(sizeof(*a))
+# define KMALLOCS(a,b,c) (a) = (b)malloc(c)
+# define KFREE(x) free(x)
+# define KFREES(x,s) free(x)
+# define GETIFP(x, v) get_unit(x,v)
+# define COPYIN(a,b,c) (bcopy((a), (b), (c)), 0)
+# define COPYOUT(a,b,c) (bcopy((a), (b), (c)), 0)
+# define BCOPYIN(a,b,c) (bcopy((a), (b), (c)), 0)
+# define BCOPYOUT(a,b,c) (bcopy((a), (b), (c)), 0)
+# define COPYDATA(m, o, l, b) bcopy(MTOD((mb_t *)m, char *) + (o), \
+ (b), (l))
+# define COPYBACK(m, o, l, b) bcopy((b), \
+ MTOD((mb_t *)m, char *) + (o), \
+ (l))
+# define UIOMOVE(a,b,c,d) ipfuiomove(a,b,c,d)
+extern void m_copydata __P((mb_t *, int, int, caddr_t));
+extern int ipfuiomove __P((caddr_t, int, int, struct uio *));
+# ifndef CACHE_HASH
+# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
+ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
+# endif
+
+# define MUTEX_DESTROY(x) eMmutex_destroy(&(x)->ipf_emu)
+# define MUTEX_ENTER(x) eMmutex_enter(&(x)->ipf_emu, \
+ __FILE__, __LINE__)
+# define MUTEX_EXIT(x) eMmutex_exit(&(x)->ipf_emu)
+# define MUTEX_INIT(x,y) eMmutex_init(&(x)->ipf_emu, y)
+# define MUTEX_NUKE(x) bzero((x), sizeof(*(x)))
+
+# define MUTEX_DOWNGRADE(x) eMrwlock_downgrade(&(x)->ipf_emu, \
+ __FILE__, __LINE__)
+# define READ_ENTER(x) eMrwlock_read_enter(&(x)->ipf_emu, \
+ __FILE__, __LINE__)
+# define RWLOCK_INIT(x, y) eMrwlock_init(&(x)->ipf_emu, y)
+# define RWLOCK_EXIT(x) eMrwlock_exit(&(x)->ipf_emu)
+# define RW_DESTROY(x) eMrwlock_destroy(&(x)->ipf_emu)
+# define WRITE_ENTER(x) eMrwlock_write_enter(&(x)->ipf_emu, \
+ __FILE__, \
+ __LINE__)
+
+# define USE_MUTEXES 1
+
+extern void eMmutex_destroy __P((eMmutex_t *));
+extern void eMmutex_enter __P((eMmutex_t *, char *, int));
+extern void eMmutex_exit __P((eMmutex_t *));
+extern void eMmutex_init __P((eMmutex_t *, char *));
+extern void eMrwlock_destroy __P((eMrwlock_t *));
+extern void eMrwlock_exit __P((eMrwlock_t *));
+extern void eMrwlock_init __P((eMrwlock_t *, char *));
+extern void eMrwlock_read_enter __P((eMrwlock_t *, char *, int));
+extern void eMrwlock_write_enter __P((eMrwlock_t *, char *, int));
+extern void eMrwlock_downgrade __P((eMrwlock_t *, char *, int));
+
+#endif
+
+#define MAX_IPV4HDR ((0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8)
+
+#ifndef IP_OFFMASK
+# define IP_OFFMASK 0x1fff
+#endif
+
+
+/*
+ * On BSD's use quad_t as a guarantee for getting at least a 64bit sized
+ * object.
+ */
+#if BSD > 199306
+# define USE_QUAD_T
+# define U_QUAD_T u_quad_t
+# define QUAD_T quad_t
+#else /* BSD > 199306 */
+# define U_QUAD_T u_long
+# define QUAD_T long
+#endif /* BSD > 199306 */
+
+
+#ifdef USE_INET6
+# if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
+ defined(__osf__) || defined(linux)
+# include <netinet/ip6.h>
+# include <netinet/icmp6.h>
+# if !defined(linux)
+# if defined(_KERNEL) && !defined(__osf__)
+# include <netinet6/ip6_var.h>
+# endif
+# endif
+typedef struct ip6_hdr ip6_t;
+# endif
+#endif
#ifndef MAX
-#define MAX(a,b) (((a) > (b)) ? (a) : (b))
+# define MAX(a,b) (((a) > (b)) ? (a) : (b))
+#endif
+
+#if defined(_KERNEL)
+# ifdef MENTAT
+# define COPYDATA mb_copydata
+# define COPYBACK mb_copyback
+# else
+# define COPYDATA m_copydata
+# define COPYBACK m_copyback
+# endif
+# if (BSD >= 199306) || defined(__FreeBSD__)
+# if (defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105180000)) || \
+ defined(__FreeBSD__) || (defined(OpenBSD) && (OpenBSD < 200206)) || \
+ defined(_BSDI_VERSION)
+# include <vm/vm.h>
+# endif
+# if !defined(__FreeBSD__) || (defined (__FreeBSD_version) && \
+ (__FreeBSD_version >= 300000))
+# if (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105180000)) || \
+ (defined(OpenBSD) && (OpenBSD >= 200111))
+# include <uvm/uvm_extern.h>
+# else
+# include <vm/vm_extern.h>
+extern vm_map_t kmem_map;
+# endif
+# include <sys/proc.h>
+# else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */
+# include <vm/vm_kern.h>
+# endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */
+
+# ifdef IPFILTER_M_IPFILTER
+# include <sys/malloc.h>
+MALLOC_DECLARE(M_IPFILTER);
+# define _M_IPF M_IPFILTER
+# else /* IPFILTER_M_IPFILTER */
+# ifdef M_PFIL
+# define _M_IPF M_PFIL
+# else
+# ifdef M_IPFILTER
+# define _M_IPF M_IPFILTER
+# else
+# define _M_IPF M_TEMP
+# endif /* M_IPFILTER */
+# endif /* M_PFIL */
+# endif /* IPFILTER_M_IPFILTER */
+# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), _M_IPF, M_NOWAIT)
+# define KMALLOCS(a, b, c) MALLOC((a), b, (c), _M_IPF, M_NOWAIT)
+# define KFREE(x) FREE((x), _M_IPF)
+# define KFREES(x,s) FREE((x), _M_IPF)
+# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
+# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
+# define WAKEUP(id,x) wakeup(id+x)
+# define GETIFP(n, v) ifunit(n)
+# endif /* (Free)BSD */
+
+# if !defined(USE_MUTEXES) && !defined(SPL_NET)
+# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199407)) || \
+ (defined(OpenBSD) && (OpenBSD >= 200006))
+# define SPL_NET(x) x = splsoftnet()
+# else
+# define SPL_IMP(x) x = splimp()
+# define SPL_NET(x) x = splnet()
+# endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */
+# define SPL_X(x) (void) splx(x)
+# endif /* !USE_MUTEXES */
+
+# ifndef FREE_MB_T
+# define FREE_MB_T(m) m_freem(m)
+# endif
+
+# ifndef MTOD
+# define MTOD(m,t) mtod(m,t)
+# endif
+
+# ifndef COPYIN
+# define COPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
+# define COPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
+# define BCOPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
+# define BCOPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
+# endif
+
+# ifndef KMALLOC
+# define KMALLOC(a,b) (a) = (b)new_kmem_alloc(sizeof(*(a)), \
+ KMEM_NOSLEEP)
+# define KMALLOCS(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP)
+# endif
+
+# ifndef GET_MINOR
+# define GET_MINOR(x) minor(x)
+# endif
+# define PANIC(x,y) if (x) panic y
+#endif /* _KERNEL */
+
+#ifndef IFNAME
+# define IFNAME(x) ((struct ifnet *)x)->if_name
+#endif
+#ifndef COPYIFNAME
+# define NEED_FRGETIFNAME
+extern char *fr_getifname __P((struct ifnet *, char *));
+# define COPYIFNAME(x, b) \
+ fr_getifname((struct ifnet *)x, b)
+#endif
+
+#ifndef ASSERT
+# define ASSERT(x)
#endif
/*
+ * Because the ctype(3) posix definition, if used "safely" in code everywhere,
+ * would mean all normal code that walks through strings needed casts. Yuck.
+ */
+#define ISALNUM(x) isalnum((u_char)(x))
+#define ISALPHA(x) isalpha((u_char)(x))
+#define ISASCII(x) isascii((u_char)(x))
+#define ISDIGIT(x) isdigit((u_char)(x))
+#define ISPRINT(x) isprint((u_char)(x))
+#define ISSPACE(x) isspace((u_char)(x))
+#define ISUPPER(x) isupper((u_char)(x))
+#define ISXDIGIT(x) isxdigit((u_char)(x))
+#define ISLOWER(x) islower((u_char)(x))
+#define TOUPPER(x) toupper((u_char)(x))
+#define TOLOWER(x) tolower((u_char)(x))
+
+/*
+ * If mutexes aren't being used, turn all the mutex functions into null-ops.
+ */
+#if !defined(USE_MUTEXES)
+# define USE_SPL 1
+# undef RW_DESTROY
+# undef MUTEX_INIT
+# undef MUTEX_NUKE
+# undef MUTEX_DESTROY
+# define MUTEX_ENTER(x) ;
+# define READ_ENTER(x) ;
+# define WRITE_ENTER(x) ;
+# define MUTEX_DOWNGRADE(x) ;
+# define RWLOCK_INIT(x, y) ;
+# define RWLOCK_EXIT(x) ;
+# define RW_DESTROY(x) ;
+# define MUTEX_EXIT(x) ;
+# define MUTEX_INIT(x,y) ;
+# define MUTEX_DESTROY(x) ;
+# define MUTEX_NUKE(x) ;
+#endif /* !USE_MUTEXES */
+#ifndef ATOMIC_INC
+# define ATOMIC_INC(x) (x)++
+# define ATOMIC_DEC(x) (x)--
+#endif
+
+/*
+ * If there are no atomic operations for bit sizes defined, define them to all
+ * use a generic one that works for all sizes.
+ */
+#ifndef ATOMIC_INCL
+# define ATOMIC_INCL ATOMIC_INC
+# define ATOMIC_INC64 ATOMIC_INC
+# define ATOMIC_INC32 ATOMIC_INC
+# define ATOMIC_INC16 ATOMIC_INC
+# define ATOMIC_DECL ATOMIC_DEC
+# define ATOMIC_DEC64 ATOMIC_DEC
+# define ATOMIC_DEC32 ATOMIC_DEC
+# define ATOMIC_DEC16 ATOMIC_DEC
+#endif
+
+#ifndef HDR_T_PRIVATE
+typedef struct tcphdr tcphdr_t;
+typedef struct udphdr udphdr_t;
+#endif
+typedef struct icmp icmphdr_t;
+typedef struct ip ip_t;
+typedef struct ether_header ether_header_t;
+typedef struct tcpiphdr tcpiphdr_t;
+
+#ifndef FR_GROUPLEN
+# define FR_GROUPLEN 16
+#endif
+
+#ifdef offsetof
+# undef offsetof
+#endif
+#ifndef offsetof
+# define offsetof(t,m) (int)((&((t *)0L)->m))
+#endif
+
+/*
+ * This set of macros has been brought about because on Tru64 it is not
+ * possible to easily assign or examine values in a structure that are
+ * bit fields.
+ */
+#ifndef IP_V
+# define IP_V(x) (x)->ip_v
+#endif
+#ifndef IP_V_A
+# define IP_V_A(x,y) (x)->ip_v = (y)
+#endif
+#ifndef IP_HL
+# define IP_HL(x) (x)->ip_hl
+#endif
+#ifndef IP_HL_A
+# define IP_HL_A(x,y) (x)->ip_hl = (y)
+#endif
+#ifndef TCP_X2
+# define TCP_X2(x) (x)->th_x2
+#endif
+#ifndef TCP_X2_A
+# define TCP_X2_A(x,y) (x)->th_x2 = (y)
+#endif
+#ifndef TCP_OFF
+# define TCP_OFF(x) (x)->th_off
+#endif
+#ifndef TCP_OFF_A
+# define TCP_OFF_A(x,y) (x)->th_off = (y)
+#endif
+#define IPMINLEN(i, h) ((i)->ip_len >= (IP_HL(i) * 4 + sizeof(struct h)))
+
+
+/*
+ * XXX - This is one of those *awful* hacks which nobody likes
+ */
+#ifdef ultrix
+#define A_A
+#else
+#define A_A &
+#endif
+
+#define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|\
+ TH_ECN|TH_CWR)
+
+#if (BSD >= 199306) && !defined(m_act)
+# define m_act m_nextpkt
+#endif
+
+/*
* Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
*
* Basic Option
@@ -355,320 +1680,87 @@ union i6addr {
/*
* IP option #defines
*/
-/*#define IPOPT_RR 7 */
+#undef IPOPT_RR
+#define IPOPT_RR 7
+#undef IPOPT_ZSU
#define IPOPT_ZSU 10 /* ZSU */
+#undef IPOPT_MTUP
#define IPOPT_MTUP 11 /* MTUP */
+#undef IPOPT_MTUR
#define IPOPT_MTUR 12 /* MTUR */
+#undef IPOPT_ENCODE
#define IPOPT_ENCODE 15 /* ENCODE */
-/*#define IPOPT_TS 68 */
+#undef IPOPT_TS
+#define IPOPT_TS 68
+#undef IPOPT_TR
#define IPOPT_TR 82 /* TR */
-/*#define IPOPT_SECURITY 130 */
-/*#define IPOPT_LSRR 131 */
+#undef IPOPT_SECURITY
+#define IPOPT_SECURITY 130
+#undef IPOPT_LSRR
+#define IPOPT_LSRR 131
+#undef IPOPT_E_SEC
#define IPOPT_E_SEC 133 /* E-SEC */
+#undef IPOPT_CIPSO
#define IPOPT_CIPSO 134 /* CIPSO */
-/*#define IPOPT_SATID 136 */
+#undef IPOPT_SATID
+#define IPOPT_SATID 136
#ifndef IPOPT_SID
# define IPOPT_SID IPOPT_SATID
#endif
-/*#define IPOPT_SSRR 137 */
+#undef IPOPT_SSRR
+#define IPOPT_SSRR 137
+#undef IPOPT_ADDEXT
#define IPOPT_ADDEXT 147 /* ADDEXT */
+#undef IPOPT_VISA
#define IPOPT_VISA 142 /* VISA */
+#undef IPOPT_IMITD
#define IPOPT_IMITD 144 /* IMITD */
+#undef IPOPT_EIP
#define IPOPT_EIP 145 /* EIP */
+#undef IPOPT_RTRALRT
+#define IPOPT_RTRALRT 148 /* RTRALRT */
+#undef IPOPT_SDB
+#define IPOPT_SDB 149
+#undef IPOPT_NSAPA
+#define IPOPT_NSAPA 150
+#undef IPOPT_DPS
+#define IPOPT_DPS 151
+#undef IPOPT_UMP
+#define IPOPT_UMP 152
+#undef IPOPT_FINN
#define IPOPT_FINN 205 /* FINN */
-#ifndef TCPOPT_WSCALE
-# define TCPOPT_WSCALE 3
+#ifndef TCPOPT_EOL
+# define TCPOPT_EOL 0
#endif
-
-/*
- * Build some macros and #defines to enable the same code to compile anywhere
- * Well, that's the idea, anyway :-)
- */
-#if SOLARIS
-typedef mblk_t mb_t;
-# if SOLARIS2 >= 7
-# ifdef lint
-# define ALIGN32(ptr) (ptr ? 0L : 0L)
-# define ALIGN16(ptr) (ptr ? 0L : 0L)
-# else
-# define ALIGN32(ptr) (ptr)
-# define ALIGN16(ptr) (ptr)
-# endif
-# endif
-#else
-typedef struct mbuf mb_t;
-#endif /* SOLARIS */
-
-#if !SOLARIS || (SOLARIS2 < 6) || !defined(KERNEL)
-# define ATOMIC_INCL ATOMIC_INC
-# define ATOMIC_INC64 ATOMIC_INC
-# define ATOMIC_INC32 ATOMIC_INC
-# define ATOMIC_INC16 ATOMIC_INC
-# define ATOMIC_DECL ATOMIC_DEC
-# define ATOMIC_DEC64 ATOMIC_DEC
-# define ATOMIC_DEC32 ATOMIC_DEC
-# define ATOMIC_DEC16 ATOMIC_DEC
+#ifndef TCPOPT_NOP
+# define TCPOPT_NOP 1
#endif
-#ifdef __sgi
-# define hz HZ
-# include <sys/ksynch.h>
-# define IPF_LOCK_PL plhi
-# include <sys/sema.h>
-#undef kmutex_t
-typedef struct {
- lock_t *l;
- int pl;
-} kmutex_t;
-# undef MUTEX_INIT
-# undef MUTEX_DESTROY
+#ifndef TCPOPT_MAXSEG
+# define TCPOPT_MAXSEG 2
+#endif
+#ifndef TCPOLEN_MAXSEG
+# define TCPOLEN_MAXSEG 4
+#endif
+#ifndef TCPOPT_WINDOW
+# define TCPOPT_WINDOW 3
+#endif
+#ifndef TCPOLEN_WINDOW
+# define TCPOLEN_WINDOW 3
+#endif
+#ifndef TCPOPT_SACK_PERMITTED
+# define TCPOPT_SACK_PERMITTED 4
+#endif
+#ifndef TCPOLEN_SACK_PERMITTED
+# define TCPOLEN_SACK_PERMITTED 2
+#endif
+#ifndef TCPOPT_SACK
+# define TCPOPT_SACK 5
+#endif
+#ifndef TCPOPT_TIMESTAMP
+# define TCPOPT_TIMESTAMP 8
#endif
-#ifdef KERNEL
-# if SOLARIS
-# if SOLARIS2 >= 6
-# include <sys/atomic.h>
-# if SOLARIS2 == 6
-# define ATOMIC_INCL(x) atomic_add_long((uint32_t*)&(x), 1)
-# define ATOMIC_DECL(x) atomic_add_long((uint32_t*)&(x), -1)
-# else
-# define ATOMIC_INCL(x) atomic_add_long(&(x), 1)
-# define ATOMIC_DECL(x) atomic_add_long(&(x), -1)
-# endif
-# define ATOMIC_INC64(x) atomic_add_64((uint64_t*)&(x), 1)
-# define ATOMIC_INC32(x) atomic_add_32((uint32_t*)&(x), 1)
-# define ATOMIC_INC16(x) atomic_add_16((uint16_t*)&(x), 1)
-# define ATOMIC_DEC64(x) atomic_add_64((uint64_t*)&(x), -1)
-# define ATOMIC_DEC32(x) atomic_add_32((uint32_t*)&(x), -1)
-# define ATOMIC_DEC16(x) atomic_add_16((uint16_t*)&(x), -1)
-# else
-# define IRE_CACHE IRE_ROUTE
-# define ATOMIC_INC(x) { mutex_enter(&ipf_rw); (x)++; \
- mutex_exit(&ipf_rw); }
-# define ATOMIC_DEC(x) { mutex_enter(&ipf_rw); (x)--; \
- mutex_exit(&ipf_rw); }
-# endif
-# define MUTEX_ENTER(x) mutex_enter(x)
-# if 1
-# define KRWLOCK_T krwlock_t
-# define READ_ENTER(x) rw_enter(x, RW_READER)
-# define WRITE_ENTER(x) rw_enter(x, RW_WRITER)
-# define RW_UPGRADE(x) { if (rw_tryupgrade(x) == 0) { \
- rw_exit(x); \
- rw_enter(x, RW_WRITER); } \
- }
-# define MUTEX_DOWNGRADE(x) rw_downgrade(x)
-# define RWLOCK_INIT(x, y, z) rw_init((x), (y), RW_DRIVER, (z))
-# define RWLOCK_EXIT(x) rw_exit(x)
-# define RW_DESTROY(x) rw_destroy(x)
-# else
-# define KRWLOCK_T kmutex_t
-# define READ_ENTER(x) mutex_enter(x)
-# define WRITE_ENTER(x) mutex_enter(x)
-# define MUTEX_DOWNGRADE(x) ;
-# define RWLOCK_INIT(x, y, z) mutex_init((x), (y), MUTEX_DRIVER, (z))
-# define RWLOCK_EXIT(x) mutex_exit(x)
-# define RW_DESTROY(x) mutex_destroy(x)
-# endif
-# define MUTEX_INIT(x, y, z) mutex_init((x), (y), MUTEX_DRIVER, (z))
-# define MUTEX_DESTROY(x) mutex_destroy(x)
-# define MUTEX_EXIT(x) mutex_exit(x)
-# define MTOD(m,t) (t)((m)->b_rptr)
-# define IRCOPY(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
-# define IWCOPY(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
-# define IRCOPYPTR ircopyptr
-# define IWCOPYPTR iwcopyptr
-# define FREE_MB_T(m) freemsg(m)
-# define SPL_NET(x) ;
-# define SPL_IMP(x) ;
-# undef SPL_X
-# define SPL_X(x) ;
-# ifdef sparc
-# define ntohs(x) (x)
-# define ntohl(x) (x)
-# define htons(x) (x)
-# define htonl(x) (x)
-# endif /* sparc */
-# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
-# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
-# define GET_MINOR(x) getminor(x)
-extern ill_t *get_unit __P((char *, int));
-# define GETUNIT(n, v) get_unit(n, v)
-# define IFNAME(x) ((ill_t *)x)->ill_name
-# else /* SOLARIS */
-# if defined(__sgi)
-# define ATOMIC_INC(x) { MUTEX_ENTER(&ipf_rw); \
- (x)++; MUTEX_EXIT(&ipf_rw); }
-# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); \
- (x)--; MUTEX_EXIT(&ipf_rw); }
-# define MUTEX_ENTER(x) (x)->pl = LOCK((x)->l, IPF_LOCK_PL);
-# define KRWLOCK_T kmutex_t
-# define READ_ENTER(x) MUTEX_ENTER(x)
-# define WRITE_ENTER(x) MUTEX_ENTER(x)
-# define RW_UPGRADE(x) ;
-# define MUTEX_DOWNGRADE(x) ;
-# define RWLOCK_EXIT(x) MUTEX_EXIT(x)
-# define MUTEX_EXIT(x) UNLOCK((x)->l, (x)->pl);
-# define MUTEX_INIT(x,y,z) (x)->l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP)
-# define MUTEX_DESTROY(x) LOCK_DEALLOC((x)->l)
-# else /* __sgi */
-# define ATOMIC_INC(x) (x)++
-# define ATOMIC_DEC(x) (x)--
-# define MUTEX_ENTER(x) ;
-# define READ_ENTER(x) ;
-# define WRITE_ENTER(x) ;
-# define RW_UPGRADE(x) ;
-# define MUTEX_DOWNGRADE(x) ;
-# define RWLOCK_EXIT(x) ;
-# define MUTEX_EXIT(x) ;
-# define MUTEX_INIT(x,y,z) ;
-# define MUTEX_DESTROY(x) ;
-# endif /* __sgi */
-# ifndef linux
-# define FREE_MB_T(m) m_freem(m)
-# define MTOD(m,t) mtod(m,t)
-# define M_BLEN(m) (m)->m_len
-# define IRCOPY(a,b,c) (bcopy((a), (b), (c)), 0)
-# define IWCOPY(a,b,c) (bcopy((a), (b), (c)), 0)
-# define IRCOPYPTR ircopyptr
-# define IWCOPYPTR iwcopyptr
-# endif /* !linux */
-# endif /* SOLARIS */
-
-# ifdef sun
-# if !SOLARIS
-# include <sys/time.h>
-# include <sys/kmem_alloc.h>
-# define GETUNIT(n, v) ifunit(n, IFNAMSIZ)
-# define IFNAME(x) ((struct ifnet *)x)->if_name
-# endif
-# else
-# ifndef linux
-# define GETUNIT(n, v) ifunit(n)
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))
-# define IFNAME(x) ((struct ifnet *)x)->if_xname
-# else
-# define USE_GETIFNAME 1
-# define IFNAME(x) get_ifname((struct ifnet *)x)
-extern char *get_ifname __P((struct ifnet *));
-# endif
-# endif
-# endif /* sun */
-
-# if defined(sun) && !defined(linux) || defined(__sgi)
-# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
-# define SLEEP(id, n) sleep((id), PZERO+1)
-# define WAKEUP(id) wakeup(id)
-# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
-# define KFREES(x,s) kmem_free((char *)(x), (s))
-# if !SOLARIS
-extern void m_copydata __P((struct mbuf *, int, int, caddr_t));
-extern void m_copyback __P((struct mbuf *, int, int, caddr_t));
-# endif
-# ifdef __sgi
-# include <sys/kmem.h>
-# include <sys/ddi.h>
-# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
-# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
-# define GET_MINOR(x) getminor(x)
-# else
-# if !SOLARIS
-# define KMALLOC(a,b) (a) = (b)new_kmem_alloc(sizeof(*(a)), \
- KMEM_NOSLEEP)
-# define KMALLOCS(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP)
-# endif /* SOLARIS */
-# endif /* __sgi */
-# endif /* sun && !linux */
-# ifndef GET_MINOR
-# define GET_MINOR(x) minor(x)
-# endif
-# if (BSD >= 199306) || defined(__FreeBSD__)
-# if (defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105180000)) || \
- defined(__FreeBSD__) || (defined(OpenBSD) && (OpenBSD < 200206)) || \
- defined(_BSDI_VERSION)
-# include <vm/vm.h>
-# endif
-# if !defined(__FreeBSD__) || (defined (__FreeBSD_version) && \
- (__FreeBSD_version >= 300000))
-# if (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105180000)) || \
- (defined(OpenBSD) && (OpenBSD >= 200111))
-# include <uvm/uvm_extern.h>
-# else
-# include <vm/vm_extern.h>
-extern vm_map_t kmem_map;
-# endif
-# include <sys/proc.h>
-# else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */
-# include <vm/vm_kern.h>
-# endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */
-# ifdef M_PFIL
-# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_PFIL, M_NOWAIT)
-# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
-# define KFREE(x) FREE((x), M_PFIL)
-# define KFREES(x,s) FREE((x), M_PFIL)
-# else
-# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_TEMP, M_NOWAIT)
-# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT)
-# define KFREE(x) FREE((x), M_TEMP)
-# define KFREES(x,s) FREE((x), M_TEMP)
-# endif /* M_PFIL */
-# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
-# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
-# define WAKEUP(id) wakeup(id)
-# endif /* BSD */
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199407)) || \
- (defined(OpenBSD) && (OpenBSD >= 200006))
-# define SPL_NET(x) x = splsoftnet()
-# define SPL_X(x) (void) splx(x)
-# else
-# if !SOLARIS && !defined(linux)
-# define SPL_IMP(x) x = splimp()
-# define SPL_NET(x) x = splnet()
-# define SPL_X(x) (void) splx(x)
-# endif
-# endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */
-# define PANIC(x,y) if (x) panic y
-#else /* KERNEL */
-# define SLEEP(x,y) 1
-# define WAKEUP(x) ;
-# define PANIC(x,y) ;
-# define ATOMIC_INC(x) (x)++
-# define ATOMIC_DEC(x) (x)--
-# define MUTEX_ENTER(x) ;
-# define READ_ENTER(x) ;
-# define MUTEX_INIT(x,y,z) ;
-# define MUTEX_DESTROY(x) ;
-# define WRITE_ENTER(x) ;
-# define RW_UPGRADE(x) ;
-# define MUTEX_DOWNGRADE(x) ;
-# define RWLOCK_EXIT(x) ;
-# define MUTEX_EXIT(x) ;
-# define SPL_NET(x) ;
-# define SPL_IMP(x) ;
-# undef SPL_X
-# define SPL_X(x) ;
-# define KMALLOC(a,b) (a) = (b)malloc(sizeof(*a))
-# define KMALLOCS(a,b,c) (a) = (b)malloc(c)
-# define KFREE(x) free(x)
-# define KFREES(x,s) free(x)
-# define FREE_MB_T(x) ;
-# define GETUNIT(x, v) get_unit(x,v)
-# define IRCOPY(a,b,c) (bcopy((a), (b), (c)), 0)
-# define IWCOPY(a,b,c) (bcopy((a), (b), (c)), 0)
-# define IRCOPYPTR ircopyptr
-# define IWCOPYPTR iwcopyptr
-# define IFNAME(x) get_ifname((struct ifnet *)x)
-# define UIOMOVE(a,b,c,d) ipfuiomove(a,b,c,d)
-# include <sys/time.h>
-extern void m_copydata __P((mb_t *, int, int, caddr_t));
-extern int ipfuiomove __P((caddr_t, int, int, struct uio *));
-#endif /* KERNEL */
-/*
- * These #ifdef's are here mainly for linux, but who knows, they may
- * not be in other places or maybe one day linux will grow up and some
- * of these will turn up there too.
- */
#ifndef ICMP_MINLEN
# define ICMP_MINLEN 8
#endif
@@ -720,6 +1812,9 @@ extern int ipfuiomove __P((caddr_t, int, int, struct uio *));
#ifndef ICMP_UNREACH_ADMIN_PROHIBIT
# define ICMP_UNREACH_ADMIN_PROHIBIT 13
#endif
+#ifndef ICMP_UNREACH_FILTER
+# define ICMP_UNREACH_FILTER 13
+#endif
#ifndef ICMP_UNREACH_HOST_PRECEDENCE
# define ICMP_UNREACH_HOST_PRECEDENCE 14
#endif
@@ -858,6 +1953,9 @@ extern int ipfuiomove __P((caddr_t, int, int, struct uio *));
#ifndef TH_URG
# define TH_URG 0x20
#endif
+#undef TH_ACKMASK
+#define TH_ACKMASK (TH_FIN|TH_SYN|TH_RST|TH_ACK)
+
#ifndef IPOPT_EOL
# define IPOPT_EOL 0
#endif
@@ -906,313 +2004,48 @@ extern int ipfuiomove __P((caddr_t, int, int, struct uio *));
#ifndef IPOPT_OLEN
# define IPOPT_OLEN 1
#endif
+#ifndef IPPROTO_HOPOPTS
+# define IPPROTO_HOPOPTS 0
+#endif
+#ifndef IPPROTO_ENCAP
+# define IPPROTO_ENCAP 4
+#endif
+#ifndef IPPROTO_IPV6
+# define IPPROTO_IPV6 41
+#endif
+#ifndef IPPROTO_ROUTING
+# define IPPROTO_ROUTING 43
+#endif
+#ifndef IPPROTO_FRAGMENT
+# define IPPROTO_FRAGMENT 44
+#endif
#ifndef IPPROTO_GRE
# define IPPROTO_GRE 47 /* GRE encaps RFC 1701 */
#endif
#ifndef IPPROTO_ESP
# define IPPROTO_ESP 50
#endif
+#ifndef IPPROTO_AH
+# define IPPROTO_AH 51
+#endif
#ifndef IPPROTO_ICMPV6
# define IPPROTO_ICMPV6 58
#endif
-
-#ifdef linux
-#include <linux/in_systm.h>
-/*
- * TCP States
- */
-#define TCPS_CLOSED 0 /* closed */
-#define TCPS_LISTEN 1 /* listening for connection */
-#define TCPS_SYN_SENT 2 /* active, have sent syn */
-#define TCPS_SYN_RECEIVED 3 /* have send and received syn */
-/* states < TCPS_ESTABLISHED are those where connections not established */
-#define TCPS_ESTABLISHED 4 /* established */
-#define TCPS_CLOSE_WAIT 5 /* rcvd fin, waiting for close */
-/* states > TCPS_CLOSE_WAIT are those where user has closed */
-#define TCPS_FIN_WAIT_1 6 /* have closed, sent fin */
-#define TCPS_CLOSING 7 /* closed xchd FIN; await FIN ACK */
-#define TCPS_LAST_ACK 8 /* had fin and close; await FIN ACK */
-/* states > TCPS_CLOSE_WAIT && < TCPS_FIN_WAIT_2 await ACK of FIN */
-#define TCPS_FIN_WAIT_2 9 /* have closed, fin is acked */
-#define TCPS_TIME_WAIT 10 /* in 2*msl quiet wait after close */
-
-/*
- * file flags.
- */
-#ifdef WRITE
-#define FWRITE WRITE
-#define FREAD READ
-#else
-#define FWRITE _IOC_WRITE
-#define FREAD _IOC_READ
+#ifndef IPPROTO_NONE
+# define IPPROTO_NONE 59
#endif
-/*
- * mbuf related problems.
- */
-#define mtod(m,t) (t)((m)->data)
-#define m_len len
-#define m_next next
-
-#ifdef IP_DF
-#undef IP_DF
-#endif
-#define IP_DF 0x4000
-
-typedef struct {
- __u16 th_sport;
- __u16 th_dport;
- __u32 th_seq;
- __u32 th_ack;
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(__vax__)
- __u8 th_res:4;
- __u8 th_off:4;
-#else
- __u8 th_off:4;
- __u8 th_res:4;
-#endif
- __u8 th_flags;
- __u16 th_win;
- __u16 th_sum;
- __u16 th_urp;
-} tcphdr_t;
-
-typedef struct {
- __u16 uh_sport;
- __u16 uh_dport;
- __u16 uh_ulen;
- __u16 uh_sum;
-} udphdr_t;
-
-typedef struct {
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(__vax__)
- __u8 ip_hl:4;
- __u8 ip_v:4;
-# else
- __u8 ip_v:4;
- __u8 ip_hl:4;
-# endif
- __u8 ip_tos;
- __u16 ip_len;
- __u16 ip_id;
- __u16 ip_off;
- __u8 ip_ttl;
- __u8 ip_p;
- __u16 ip_sum;
- struct in_addr ip_src;
- struct in_addr ip_dst;
-} ip_t;
-
-/*
- * Structure of an icmp header.
- */
-typedef struct icmp {
- __u8 icmp_type; /* type of message, see below */
- __u8 icmp_code; /* type sub code */
- __u16 icmp_cksum; /* ones complement cksum of struct */
- union {
- __u8 ih_pptr; /* ICMP_PARAMPROB */
- struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
- struct ih_idseq {
- __u16 icd_id;
- __u16 icd_seq;
- } ih_idseq;
- int ih_void;
- } icmp_hun;
-# define icmp_pptr icmp_hun.ih_pptr
-# define icmp_gwaddr icmp_hun.ih_gwaddr
-# define icmp_id icmp_hun.ih_idseq.icd_id
-# define icmp_seq icmp_hun.ih_idseq.icd_seq
-# define icmp_void icmp_hun.ih_void
- union {
- struct id_ts {
- n_time its_otime;
- n_time its_rtime;
- n_time its_ttime;
- } id_ts;
- struct id_ip {
- ip_t idi_ip;
- /* options and then 64 bits of data */
- } id_ip;
- u_long id_mask;
- char id_data[1];
- } icmp_dun;
-# define icmp_otime icmp_dun.id_ts.its_otime
-# define icmp_rtime icmp_dun.id_ts.its_rtime
-# define icmp_ttime icmp_dun.id_ts.its_ttime
-# define icmp_ip icmp_dun.id_ip.idi_ip
-# define icmp_mask icmp_dun.id_mask
-# define icmp_data icmp_dun.id_data
-} icmphdr_t;
-
-# ifndef LINUX_IPOVLY
-# define LINUX_IPOVLY
-struct ipovly {
- caddr_t ih_next, ih_prev; /* for protocol sequence q's */
- u_char ih_x1; /* (unused) */
- u_char ih_pr; /* protocol */
- short ih_len; /* protocol length */
- struct in_addr ih_src; /* source internet address */
- struct in_addr ih_dst; /* destination internet address */
-};
-# endif
-
-typedef struct {
- __u8 ether_dhost[6];
- __u8 ether_shost[6];
- __u16 ether_type;
-} ether_header_t;
-
-typedef struct uio {
- int uio_resid;
- int uio_rw;
- caddr_t uio_buf;
-} uio_t;
-
-# define UIO_READ 0
-# define UIO_WRITE 1
-# define UIOMOVE(a, b, c, d) uiomove(a,b,c,d)
-
-/*
- * For masking struct ifnet onto struct device
- */
-# define if_name name
-
-# ifdef KERNEL
-# define GETUNIT(x, v) dev_get(x)
-# define FREE_MB_T(m) kfree_skb(m, FREE_WRITE)
-# define uniqtime do_gettimeofday
-# undef INT_MAX
-# undef UINT_MAX
-# undef LONG_MAX
-# undef ULONG_MAX
-# include <linux/netdevice.h>
-# define SPL_X(x)
-# define SPL_NET(x)
-# define SPL_IMP(x)
-
-# define bcmp(a,b,c) memcmp(a,b,c)
-# define bcopy(a,b,c) memcpy(b,a,c)
-# define bzero(a,c) memset(a,0,c)
-
-# define UNITNAME(n) dev_get((n))
-
-# define KMALLOC(a,b) (a) = (b)kmalloc(sizeof(*(a)), GFP_ATOMIC)
-# define KMALLOCS(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC)
-# define KFREE(x) kfree_s((x), sizeof(*(x)))
-# define KFREES(x,s) kfree_s((x), (s))
-#define IRCOPY(const void *a, void *b, size_t c) { \
- int error; \
-
- error = verify_area(VERIFY_READ, a ,c); \
- if (!error) \
- memcpy_fromfs(b, a, c); \
- return error; \
-}
-static inline int IWCOPY(const void *a, void *b, size_t c)
-{
- int error;
-
- error = verify_area(VERIFY_WRITE, b, c);
- if (!error)
- memcpy_tofs(b, a, c);
- return error;
-}
-static inline int IRCOPYPTR(const void *a, void *b, size_t c) {
- caddr_t ca;
- int error;
-
- error = verify_area(VERIFY_READ, a ,sizeof(ca));
- if (!error) {
- memcpy_fromfs(ca, a, sizeof(ca));
- error = verify_area(VERIFY_READ, ca , c);
- if (!error)
- memcpy_fromfs(b, ca, c);
- }
- return error;
-}
-static inline int IWCOPYPTR(const void *a, void *b, size_t c) {
- caddr_t ca;
- int error;
-
-
- error = verify_area(VERIFY_READ, b ,sizeof(ca));
- if (!error) {
- memcpy_fromfs(ca, b, sizeof(ca));
- error = verify_area(VERIFY_WRITE, ca, c);
- if (!error)
- memcpy_tofs(ca, a, c);
- }
- return error;
-}
-# else
-# define __KERNEL__
-# undef INT_MAX
-# undef UINT_MAX
-# undef LONG_MAX
-# undef ULONG_MAX
-# define s8 __s8
-# define u8 __u8
-# define s16 __s16
-# define u16 __u16
-# define s32 __s32
-# define u32 __u32
-# include <linux/netdevice.h>
-# undef __KERNEL__
-# endif
-# define ifnet device
-#else
-typedef struct tcphdr tcphdr_t;
-typedef struct udphdr udphdr_t;
-typedef struct icmp icmphdr_t;
-typedef struct ip ip_t;
-typedef struct ether_header ether_header_t;
-#endif /* linux */
-typedef struct tcpiphdr tcpiphdr_t;
-
-#if defined(hpux) || defined(linux)
-struct ether_addr {
- char ether_addr_octet[6];
-};
+#ifndef IPPROTO_DSTOPTS
+# define IPPROTO_DSTOPTS 60
#endif
-
-/*
- * XXX - This is one of those *awful* hacks which nobody likes
- */
-#ifdef ultrix
-#define A_A
-#else
-#define A_A &
+#ifndef IPPROTO_FRAGMENT
+# define IPPROTO_FRAGMENT 44
#endif
-
-#if (BSD >= 199306) && !defined(m_act)
-# define m_act m_nextpkt
-#endif
-
#ifndef ICMP_ROUTERADVERT
# define ICMP_ROUTERADVERT 9
#endif
#ifndef ICMP_ROUTERSOLICIT
# define ICMP_ROUTERSOLICIT 10
#endif
-#undef ICMP_MAX_UNREACH
-#define ICMP_MAX_UNREACH 14
-#undef ICMP_MAXTYPE
-#define ICMP_MAXTYPE 18
-/*
- * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
- * another IP header and then 64 bits of data, totalling 56. Of course,
- * the last 64 bits is dependant on that being available.
- */
-#define ICMPERR_ICMPHLEN 8
-#define ICMPERR_IPICMPHLEN (20 + 8)
-#define ICMPERR_MINPKTLEN (20 + 8 + 20)
-#define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8)
-#define ICMP6_MINLEN 8
-#define ICMP6ERR_IPICMPHLEN (40 + 8)
-#define ICMP6ERR_MINPKTLEN (40 + 8 + 40)
-
#ifndef ICMP6_DST_UNREACH
# define ICMP6_DST_UNREACH 1
#endif
@@ -1384,6 +2217,79 @@ struct ether_addr {
#endif
#define TH_ECNALL (TH_ECN|TH_CWR)
-#define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|TH_ECN|TH_CWR)
+/*
+ * TCP States
+ */
+#define IPF_TCPS_CLOSED 0 /* closed */
+#define IPF_TCPS_LISTEN 1 /* listening for connection */
+#define IPF_TCPS_SYN_SENT 2 /* active, have sent syn */
+#define IPF_TCPS_SYN_RECEIVED 3 /* have send and received syn */
+#define IPF_TCPS_HALF_ESTAB 4 /* for connections not fully "up" */
+/* states < IPF_TCPS_ESTABLISHED are those where connections not established */
+#define IPF_TCPS_ESTABLISHED 5 /* established */
+#define IPF_TCPS_CLOSE_WAIT 6 /* rcvd fin, waiting for close */
+/* states > IPF_TCPS_CLOSE_WAIT are those where user has closed */
+#define IPF_TCPS_FIN_WAIT_1 7 /* have closed, sent fin */
+#define IPF_TCPS_CLOSING 8 /* closed xchd FIN; await FIN ACK */
+#define IPF_TCPS_LAST_ACK 9 /* had fin and close; await FIN ACK */
+/* states > IPF_TCPS_CLOSE_WAIT && < IPF_TCPS_FIN_WAIT_2 await ACK of FIN */
+#define IPF_TCPS_FIN_WAIT_2 10 /* have closed, fin is acked */
+#define IPF_TCPS_TIME_WAIT 11 /* in 2*msl quiet wait after close */
+#define IPF_TCP_NSTATES 12
+
+#define TCP_MSL 120
+
+#undef ICMP_MAX_UNREACH
+#define ICMP_MAX_UNREACH 14
+#undef ICMP_MAXTYPE
+#define ICMP_MAXTYPE 18
+
+#ifndef IFNAMSIZ
+#define IFNAMSIZ 16
+#endif
+
+#ifndef LOG_FTP
+# define LOG_FTP (11<<3)
+#endif
+#ifndef LOG_AUTHPRIV
+# define LOG_AUTHPRIV (10<<3)
+#endif
+#ifndef LOG_AUDIT
+# define LOG_AUDIT (13<<3)
+#endif
+#ifndef LOG_NTP
+# define LOG_NTP (12<<3)
+#endif
+#ifndef LOG_SECURITY
+# define LOG_SECURITY (13<<3)
+#endif
+#ifndef LOG_LFMT
+# define LOG_LFMT (14<<3)
+#endif
+#ifndef LOG_CONSOLE
+# define LOG_CONSOLE (14<<3)
+#endif
+
+/*
+ * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
+ * another IP header and then 64 bits of data, totalling 56. Of course,
+ * the last 64 bits is dependant on that being available.
+ */
+#define ICMPERR_ICMPHLEN 8
+#define ICMPERR_IPICMPHLEN (20 + 8)
+#define ICMPERR_MINPKTLEN (20 + 8 + 20)
+#define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8)
+#define ICMP6ERR_MINPKTLEN (40 + 8)
+#define ICMP6ERR_IPICMPHLEN (40 + 8 + 40)
+
+#ifndef MIN
+# define MIN(a,b) (((a)<(b))?(a):(b))
+#endif
+
+#ifdef IPF_DEBUG
+# define DPRINT(x) printf x
+#else
+# define DPRINT(x)
+#endif
#endif /* __IP_COMPAT_H__ */
diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h
index 73099ec5f786..626dddeb2f37 100644
--- a/sys/contrib/ipfilter/netinet/ip_fil.h
+++ b/sys/contrib/ipfilter/netinet/ip_fil.h
@@ -1,31 +1,21 @@
+/* $FreeBSD$ */
+
/*
- * Copyright (C) 1993-2002 by Darren Reed.
+ * Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ip_fil.h,v 2.29.2.35 2003/06/07 11:56:02 darrenr Exp $
+ * Id: ip_fil.h,v 2.170.2.18 2005/03/28 10:47:52 darrenr Exp
*/
#ifndef __IP_FIL_H__
#define __IP_FIL_H__
-/*
- * Pathnames for various IP Filter control devices. Used by LKM
- * and userland, so defined here.
- */
-#define IPNAT_NAME "/dev/ipnat"
-#define IPSTATE_NAME "/dev/ipstate"
-#define IPAUTH_NAME "/dev/ipauth"
-
#ifndef SOLARIS
# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
-#if defined(KERNEL) && !defined(_KERNEL)
-# define _KERNEL
-#endif
-
#ifndef __P
# ifdef __STDC__
# define __P(x) x
@@ -34,137 +24,321 @@
# endif
#endif
-#ifndef offsetof
-# define offsetof(t,m) (int)((&((t *)0L)->m))
-#endif
-
#if defined(__STDC__) || defined(__GNUC__)
-# define SIOCADAFR _IOW('r', 60, struct frentry *)
-# define SIOCRMAFR _IOW('r', 61, struct frentry *)
+# define SIOCADAFR _IOW('r', 60, struct ipfobj)
+# define SIOCRMAFR _IOW('r', 61, struct ipfobj)
# define SIOCSETFF _IOW('r', 62, u_int)
# define SIOCGETFF _IOR('r', 63, u_int)
-# define SIOCGETFS _IOWR('r', 64, struct friostat *)
+# define SIOCGETFS _IOWR('r', 64, struct ipfobj)
# define SIOCIPFFL _IOWR('r', 65, int)
# define SIOCIPFFB _IOR('r', 66, int)
-# define SIOCADIFR _IOW('r', 67, struct frentry *)
-# define SIOCRMIFR _IOW('r', 68, struct frentry *)
+# define SIOCADIFR _IOW('r', 67, struct ipfobj)
+# define SIOCRMIFR _IOW('r', 68, struct ipfobj)
# define SIOCSWAPA _IOR('r', 69, u_int)
-# define SIOCINAFR _IOW('r', 70, struct frentry *)
-# define SIOCINIFR _IOW('r', 71, struct frentry *)
+# define SIOCINAFR _IOW('r', 70, struct ipfobj)
+# define SIOCINIFR _IOW('r', 71, struct ipfobj)
# define SIOCFRENB _IOW('r', 72, u_int)
# define SIOCFRSYN _IOW('r', 73, u_int)
-# define SIOCFRZST _IOWR('r', 74, struct friostat *)
-# define SIOCZRLST _IOWR('r', 75, struct frentry *)
-# define SIOCAUTHW _IOWR('r', 76, struct frauth *)
-# define SIOCAUTHR _IOWR('r', 77, struct frauth *)
-# define SIOCATHST _IOWR('r', 78, struct fr_authstat *)
+# define SIOCFRZST _IOWR('r', 74, struct ipfobj)
+# define SIOCZRLST _IOWR('r', 75, struct ipfobj)
+# define SIOCAUTHW _IOWR('r', 76, struct ipfobj)
+# define SIOCAUTHR _IOWR('r', 77, struct ipfobj)
+# define SIOCATHST _IOWR('r', 78, struct ipfobj)
# define SIOCSTLCK _IOWR('r', 79, u_int)
-# define SIOCSTPUT _IOWR('r', 80, struct ipstate_save *)
-# define SIOCSTGET _IOWR('r', 81, struct ipstate_save *)
-# define SIOCSTGSZ _IOWR('r', 82, struct natget)
-# define SIOCGFRST _IOWR('r', 83, struct ipfrstat *)
-# define SIOCIPFL6 _IOWR('r', 84, int)
+# define SIOCSTPUT _IOWR('r', 80, struct ipfobj)
+# define SIOCSTGET _IOWR('r', 81, struct ipfobj)
+# define SIOCSTGSZ _IOWR('r', 82, struct ipfobj)
+# define SIOCGFRST _IOWR('r', 83, struct ipfobj)
+# define SIOCSETLG _IOWR('r', 84, int)
+# define SIOCGETLG _IOWR('r', 85, int)
+# define SIOCFUNCL _IOWR('r', 86, struct ipfunc_resolve)
+# define SIOCIPFGETNEXT _IOWR('r', 87, struct ipfobj)
+# define SIOCIPFGET _IOWR('r', 88, struct ipfobj)
+# define SIOCIPFSET _IOWR('r', 89, struct ipfobj)
+# define SIOCIPFL6 _IOWR('r', 90, int)
#else
-# define SIOCADAFR _IOW(r, 60, struct frentry *)
-# define SIOCRMAFR _IOW(r, 61, struct frentry *)
+# define SIOCADAFR _IOW(r, 60, struct ipfobj)
+# define SIOCRMAFR _IOW(r, 61, struct ipfobj)
# define SIOCSETFF _IOW(r, 62, u_int)
# define SIOCGETFF _IOR(r, 63, u_int)
-# define SIOCGETFS _IOWR(r, 64, struct friostat *)
+# define SIOCGETFS _IOWR(r, 64, struct ipfobj)
# define SIOCIPFFL _IOWR(r, 65, int)
# define SIOCIPFFB _IOR(r, 66, int)
-# define SIOCADIFR _IOW(r, 67, struct frentry *)
-# define SIOCRMIFR _IOW(r, 68, struct frentry *)
+# define SIOCADIFR _IOW(r, 67, struct ipfobj)
+# define SIOCRMIFR _IOW(r, 68, struct ipfobj)
# define SIOCSWAPA _IOR(r, 69, u_int)
-# define SIOCINAFR _IOW(r, 70, struct frentry *)
-# define SIOCINIFR _IOW(r, 71, struct frentry *)
+# define SIOCINAFR _IOW(r, 70, struct ipfobj)
+# define SIOCINIFR _IOW(r, 71, struct ipfobj)
# define SIOCFRENB _IOW(r, 72, u_int)
# define SIOCFRSYN _IOW(r, 73, u_int)
-# define SIOCFRZST _IOWR(r, 74, struct friostat *)
-# define SIOCZRLST _IOWR(r, 75, struct frentry *)
-# define SIOCAUTHW _IOWR(r, 76, struct frauth *)
-# define SIOCAUTHR _IOWR(r, 77, struct frauth *)
-# define SIOCATHST _IOWR(r, 78, struct fr_authstat *)
+# define SIOCFRZST _IOWR(r, 74, struct ipfobj)
+# define SIOCZRLST _IOWR(r, 75, struct ipfobj)
+# define SIOCAUTHW _IOWR(r, 76, struct ipfobj)
+# define SIOCAUTHR _IOWR(r, 77, struct ipfobj)
+# define SIOCATHST _IOWR(r, 78, struct ipfobj)
# define SIOCSTLCK _IOWR(r, 79, u_int)
-# define SIOCSTPUT _IOWR(r, 80, struct ipstate_save *)
-# define SIOCSTGET _IOWR(r, 81, struct ipstate_save *)
-# define SIOCSTGSZ _IOWR(r, 82, struct natget)
-# define SIOCGFRST _IOWR(r, 83, struct ipfrstat *)
-# define SIOCIPFL6 _IOWR(r, 84, int)
+# define SIOCSTPUT _IOWR(r, 80, struct ipfobj)
+# define SIOCSTGET _IOWR(r, 81, struct ipfobj)
+# define SIOCSTGSZ _IOWR(r, 82, struct ipfobj)
+# define SIOCGFRST _IOWR(r, 83, struct ipfobj)
+# define SIOCSETLG _IOWR(r, 84, int)
+# define SIOCGETLG _IOWR(r, 85, int)
+# define SIOCFUNCL _IOWR(r, 86, struct ipfunc_resolve)
+# define SIOCIPFGETNEXT _IOWR(r, 87, struct ipfobj)
+# define SIOCIPFGET _IOWR(r, 88, struct ipfobj)
+# define SIOCIPFSET _IOWR(r, 89, struct ipfobj)
+# define SIOCIPFL6 _IOWR(r, 90, int)
#endif
#define SIOCADDFR SIOCADAFR
#define SIOCDELFR SIOCRMAFR
#define SIOCINSFR SIOCINAFR
+struct ipscan;
+struct ifnet;
+
+
+typedef int (* lookupfunc_t) __P((void *, int, void *));
+
+/*
+ * i6addr is used as a container for both IPv4 and IPv6 addresses, as well
+ * as other types of objects, depending on its qualifier.
+ */
+#ifdef USE_INET6
+typedef union i6addr {
+ u_32_t i6[4];
+ struct in_addr in4;
+ struct in6_addr in6;
+ void *vptr[2];
+ lookupfunc_t lptr[2];
+} i6addr_t;
+#else
+typedef union i6addr {
+ u_32_t i6[4];
+ struct in_addr in4;
+ void *vptr[2];
+ lookupfunc_t lptr[2];
+} i6addr_t;
+#endif
+
+#define in4_addr in4.s_addr
+#define iplookupnum i6[0]
+#define iplookuptype i6[1]
+/*
+ * NOTE: These DO overlap the above on 64bit systems and this IS recognised.
+ */
+#define iplookupptr vptr[0]
+#define iplookupfunc lptr[1]
+
+#define I60(x) (((i6addr_t *)(x))->i6[0])
+#define I61(x) (((i6addr_t *)(x))->i6[1])
+#define I62(x) (((i6addr_t *)(x))->i6[2])
+#define I63(x) (((i6addr_t *)(x))->i6[3])
+#define HI60(x) ntohl(((i6addr_t *)(x))->i6[0])
+#define HI61(x) ntohl(((i6addr_t *)(x))->i6[1])
+#define HI62(x) ntohl(((i6addr_t *)(x))->i6[2])
+#define HI63(x) ntohl(((i6addr_t *)(x))->i6[3])
+
+#define IP6_EQ(a,b) ((I63(a) == I63(b)) && (I62(a) == I62(b)) && \
+ (I61(a) == I61(b)) && (I60(a) == I60(b)))
+#define IP6_NEQ(a,b) ((I63(a) != I63(b)) || (I62(a) != I62(b)) || \
+ (I61(a) != I61(b)) || (I60(a) != I60(b)))
+#define IP6_ISZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) == 0)
+#define IP6_NOTZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) != 0)
+#define IP6_GT(a,b) (HI60(a) > HI60(b) || (HI60(a) == HI60(b) && \
+ (HI61(a) > HI61(b) || (HI61(a) == HI61(b) && \
+ (HI62(a) > HI62(b) || (HI62(a) == HI62(b) && \
+ HI63(a) > HI63(b)))))))
+#define IP6_LT(a,b) (HI60(a) < HI60(b) || (HI60(a) == HI60(b) && \
+ (HI61(a) < HI61(b) || (HI61(a) == HI61(b) && \
+ (HI62(a) < HI62(b) || (HI62(a) == HI62(b) && \
+ HI63(a) < HI63(b)))))))
+#define NLADD(n,x) htonl(ntohl(n) + (x))
+#define IP6_INC(a) \
+ { i6addr_t *_i6 = (i6addr_t *)(a); \
+ _i6->i6[0] = NLADD(_i6->i6[0], 1); \
+ if (_i6->i6[0] == 0) { \
+ _i6->i6[0] = NLADD(_i6->i6[1], 1); \
+ if (_i6->i6[1] == 0) { \
+ _i6->i6[0] = NLADD(_i6->i6[2], 1); \
+ if (_i6->i6[2] == 0) { \
+ _i6->i6[0] = NLADD(_i6->i6[3], 1); \
+ } \
+ } \
+ } \
+ }
+#define IP6_ADD(a,x,d) \
+ { i6addr_t *_s = (i6addr_t *)(a); \
+ i6addr_t *_d = (i6addr_t *)(d); \
+ _d->i6[0] = NLADD(_s->i6[0], x); \
+ if (ntohl(_d->i6[0]) < ntohl(_s->i6[0])) { \
+ _d->i6[1] = NLADD(_d->i6[1], 1); \
+ if (ntohl(_d->i6[1]) < ntohl(_s->i6[1])) { \
+ _d->i6[2] = NLADD(_d->i6[2], 1); \
+ if (ntohl(_d->i6[2]) < ntohl(_s->i6[2])) { \
+ _d->i6[3] = NLADD(_d->i6[3], 1); \
+ } \
+ } \
+ } \
+ }
+#define IP6_AND(a,b,d) { i6addr_t *_s1 = (i6addr_t *)(a); \
+ i6addr_t *_s2 = (i6addr_t *)(d); \
+ i6addr_t *_d = (i6addr_t *)(d); \
+ _d->i6[0] = _s1->i6[0] & _s2->i6[0]; \
+ _d->i6[1] = _s1->i6[1] & _s2->i6[1]; \
+ _d->i6[2] = _s1->i6[2] & _s2->i6[2]; \
+ _d->i6[3] = _s1->i6[3] & _s2->i6[3]; \
+ }
+#define IP6_MERGE(a,b,c) \
+ { i6addr_t *_d, *_s1, *_s2; \
+ _d = (i6addr_t *)(a); \
+ _s1 = (i6addr_t *)(b); \
+ _s2 = (i6addr_t *)(c); \
+ _d->i6[0] |= _s1->i6[0] & ~_s2->i6[0]; \
+ _d->i6[1] |= _s1->i6[1] & ~_s2->i6[1]; \
+ _d->i6[2] |= _s1->i6[2] & ~_s2->i6[2]; \
+ _d->i6[2] |= _s1->i6[3] & ~_s2->i6[3]; \
+ }
+
+
typedef struct fr_ip {
u_32_t fi_v:4; /* IP version */
- u_32_t fi_fl:4; /* packet flags */
+ u_32_t fi_xx:4; /* spare */
u_32_t fi_tos:8; /* IP packet TOS */
u_32_t fi_ttl:8; /* IP packet TTL */
u_32_t fi_p:8; /* IP packet protocol */
- union i6addr fi_src; /* source address from packet */
- union i6addr fi_dst; /* destination address from packet */
u_32_t fi_optmsk; /* bitmask composed from IP options */
+ i6addr_t fi_src; /* source address from packet */
+ i6addr_t fi_dst; /* destination address from packet */
u_short fi_secmsk; /* bitmask composed from IP security options */
u_short fi_auth; /* authentication code from IP sec. options */
+ u_32_t fi_flx; /* packet flags */
+ u_32_t fi_tcpmsk; /* TCP options set/reset */
+ u_32_t fi_res1; /* RESERVED */
} fr_ip_t;
-#define FI_OPTIONS (FF_OPTIONS >> 24)
-#define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/
-#define FI_FRAG (FF_FRAG >> 24)
-#define FI_SHORT (FF_SHORT >> 24)
-#define FI_CMP (FI_OPTIONS|FI_TCPUDP|FI_SHORT)
+/*
+ * For use in fi_flx
+ */
+#define FI_TCPUDP 0x0001 /* TCP/UCP implied comparison*/
+#define FI_OPTIONS 0x0002
+#define FI_FRAG 0x0004
+#define FI_SHORT 0x0008
+#define FI_NATED 0x0010
+#define FI_MULTICAST 0x0020
+#define FI_BROADCAST 0x0040
+#define FI_MBCAST 0x0080
+#define FI_STATE 0x0100
+#define FI_BADNAT 0x0200
+#define FI_BAD 0x0400
+#define FI_OOW 0x0800 /* Out of state window, else match */
+#define FI_ICMPERR 0x1000
+#define FI_FRAGBODY 0x2000
+#define FI_BADSRC 0x4000
+#define FI_LOWTTL 0x8000
+#define FI_CMP 0xcfe3 /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL */
+#define FI_ICMPCMP 0x0003 /* Flags we can check for ICMP error packets */
+#define FI_WITH 0xeffe /* Not FI_TCPUDP */
+#define FI_V6EXTHDR 0x10000
+#define FI_COALESCE 0x20000
+#define FI_NOCKSUM 0x20000000 /* don't do a L4 checksum validation */
+#define FI_DONTCACHE 0x40000000 /* don't cache the result */
+#define FI_IGNORE 0x80000000
#define fi_saddr fi_src.in4.s_addr
#define fi_daddr fi_dst.in4.s_addr
+#define fi_srcnum fi_src.iplookupnum
+#define fi_dstnum fi_dst.iplookupnum
+#define fi_srctype fi_src.iplookuptype
+#define fi_dsttype fi_dst.iplookuptype
+#define fi_srcptr fi_src.iplookupptr
+#define fi_dstptr fi_dst.iplookupptr
+#define fi_srcfunc fi_src.iplookupfunc
+#define fi_dstfunc fi_dst.iplookupfunc
/*
* These are both used by the state and NAT code to indicate that one port or
* the other should be treated as a wildcard.
+ * NOTE: When updating, check bit masks in ip_state.h and update there too.
*/
-#define FI_W_SPORT 0x00000100
-#define FI_W_DPORT 0x00000200
-#define FI_WILDP (FI_W_SPORT|FI_W_DPORT)
-#define FI_W_SADDR 0x00000400
-#define FI_W_DADDR 0x00000800
-#define FI_WILDA (FI_W_SADDR|FI_W_DADDR)
-#define FI_NEWFR 0x00001000 /* Create a filter rule */
-#define FI_IGNOREPKT 0x00002000 /* Do not treat as a real packet */
-#define FI_NORULE 0x00004000 /* Not direct a result of a rule */
+#define SI_W_SPORT 0x00000100
+#define SI_W_DPORT 0x00000200
+#define SI_WILDP (SI_W_SPORT|SI_W_DPORT)
+#define SI_W_SADDR 0x00000400
+#define SI_W_DADDR 0x00000800
+#define SI_WILDA (SI_W_SADDR|SI_W_DADDR)
+#define SI_NEWFR 0x00001000
+#define SI_CLONE 0x00002000
+#define SI_CLONED 0x00004000
+
typedef struct fr_info {
void *fin_ifp; /* interface packet is `on' */
- struct fr_ip fin_fi; /* IP Packet summary */
- u_short fin_data[2]; /* TCP/UDP ports, ICMP code/type */
- u_int fin_out; /* in or out ? 1 == out, 0 == in */
+ fr_ip_t fin_fi; /* IP Packet summary */
+ union {
+ u_short fid_16[2]; /* TCP/UDP ports, ICMP code/type */
+ u_32_t fid_32;
+ } fin_dat;
+ int fin_out; /* in or out ? 1 == out, 0 == in */
+ int fin_rev; /* state only: 1 = reverse */
u_short fin_hlen; /* length of IP header in bytes */
- u_char fin_rev; /* state only: 1 = reverse */
u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */
- u_int fin_icode; /* ICMP error to return */
+ u_char fin_icode; /* ICMP error to return */
u_32_t fin_rule; /* rule # last matched */
- u_32_t fin_group; /* group number, -1 for none */
+ char fin_group[FR_GROUPLEN]; /* group number, -1 for none */
struct frentry *fin_fr; /* last matching rule */
- char *fin_dp; /* start of data past IP header */
- u_short fin_plen;
- u_short fin_off;
- u_short fin_dlen; /* length of data portion of packet */
+ void *fin_dp; /* start of data past IP header */
+ int fin_dlen; /* length of data portion of packet */
+ int fin_plen;
+ int fin_ipoff; /* # bytes from buffer start to hdr */
u_short fin_id; /* IP packet id field */
- u_int fin_misc;
+ u_short fin_off;
+ int fin_depth; /* Group nesting depth */
+ int fin_error; /* Error code to return */
+ void *fin_nat;
+ void *fin_state;
+ void *fin_nattag;
+ ip_t *fin_ip;
mb_t **fin_mp; /* pointer to pointer to mbuf */
-#if SOLARIS
- void *fin_qfm; /* pointer to mblk where pkt starts */
- void *fin_qif;
+ mb_t *fin_m; /* pointer to mbuf */
+#ifdef MENTAT
+ mb_t *fin_qfm; /* pointer to mblk where pkt starts */
+ void *fin_qpi;
+#endif
+#ifdef __sgi
+ void *fin_hbuf;
#endif
} fr_info_t;
#define fin_v fin_fi.fi_v
#define fin_p fin_fi.fi_p
-#define fin_saddr fin_fi.fi_saddr
+#define fin_flx fin_fi.fi_flx
+#define fin_optmsk fin_fi.fi_optmsk
+#define fin_secmsk fin_fi.fi_secmsk
+#define fin_auth fin_fi.fi_auth
#define fin_src fin_fi.fi_src.in4
-#define fin_daddr fin_fi.fi_daddr
+#define fin_src6 fin_fi.fi_src.in6
+#define fin_saddr fin_fi.fi_saddr
#define fin_dst fin_fi.fi_dst.in4
-#define fin_fl fin_fi.fi_fl
+#define fin_dst6 fin_fi.fi_dst.in6
+#define fin_daddr fin_fi.fi_daddr
+#define fin_data fin_dat.fid_16
+#define fin_sport fin_dat.fid_16[0]
+#define fin_dport fin_dat.fid_16[1]
+#define fin_ports fin_dat.fid_32
+
+#define IPF_IN 0
+#define IPF_OUT 1
+
+typedef struct frentry *(*ipfunc_t) __P((fr_info_t *, u_32_t *));
+typedef int (*ipfuncinit_t) __P((struct frentry *));
+
+typedef struct ipfunc_resolve {
+ char ipfu_name[32];
+ ipfunc_t ipfu_addr;
+ ipfuncinit_t ipfu_init;
+} ipfunc_resolve_t;
/*
* Size for compares on fr_info structures
@@ -173,36 +347,66 @@ typedef struct fr_info {
#define FI_LCSIZE offsetof(fr_info_t, fin_dp)
/*
- * For fin_misc
+ * Size for copying cache fr_info structure
*/
-#define FM_BADSTATE 0x00000001
+#define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
/*
- * Size for copying cache fr_info structure
+ * Structure for holding IPFilter's tag information
*/
-#define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
+#define IPFTAG_LEN 16
+typedef struct {
+ union {
+ u_32_t iptu_num[4];
+ char iptu_tag[IPFTAG_LEN];
+ } ipt_un;
+ int ipt_not;
+} ipftag_t;
+
+#define ipt_tag ipt_un.iptu_tag
+#define ipt_num ipt_un.iptu_num
+
+/*
+ * This structure is used to hold information about the next hop for where
+ * to forward a packet.
+ */
typedef struct frdest {
void *fd_ifp;
- union i6addr fd_ip6;
+ i6addr_t fd_ip6;
char fd_ifname[LIFNAMSIZ];
-#if SOLARIS
- mb_t *fd_mp; /* cache resolver for to/dup-to */
-#endif
} frdest_t;
#define fd_ip fd_ip6.in4
+/*
+ * This structure holds information about a port comparison.
+ */
typedef struct frpcmp {
int frp_cmp; /* data for port comparisons */
u_short frp_port; /* top port for <> and >< */
u_short frp_top; /* top port for <> and >< */
} frpcmp_t;
+#define FR_NONE 0
+#define FR_EQUAL 1
+#define FR_NEQUAL 2
+#define FR_LESST 3
+#define FR_GREATERT 4
+#define FR_LESSTE 5
+#define FR_GREATERTE 6
+#define FR_OUTRANGE 7
+#define FR_INRANGE 8
+#define FR_INCRANGE 9
+
+/*
+ * Structure containing all the relevant TCP things that can be checked in
+ * a filter rule.
+ */
typedef struct frtuc {
- u_char ftu_tcpfm; /* tcp flags mask */
- u_char ftu_tcpf; /* tcp flags */
+ u_char ftu_tcpfm; /* tcp flags mask */
+ u_char ftu_tcpf; /* tcp flags */
frpcmp_t ftu_src;
frpcmp_t ftu_dst;
} frtuc_t;
@@ -214,47 +418,123 @@ typedef struct frtuc {
#define ftu_stop ftu_src.frp_top
#define ftu_dtop ftu_dst.frp_top
+#define FR_TCPFMAX 0x3f
+
+/*
+ * This structure makes up what is considered to be the IPFilter specific
+ * matching components of a filter rule, as opposed to the data structures
+ * used to define the result which are in frentry_t and not here.
+ */
+typedef struct fripf {
+ fr_ip_t fri_ip;
+ fr_ip_t fri_mip; /* mask structure */
+
+ u_short fri_icmpm; /* data for ICMP packets (mask) */
+ u_short fri_icmp;
+
+ frtuc_t fri_tuc;
+ int fri_satype; /* addres type */
+ int fri_datype; /* addres type */
+ int fri_sifpidx; /* doing dynamic addressing */
+ int fri_difpidx; /* index into fr_ifps[] to use when */
+} fripf_t;
+
+#define fri_dstnum fri_ip.fi_dstnum
+#define fri_srcnum fri_mip.fi_srcnum
+#define fri_dstptr fri_ip.fi_dstptr
+#define fri_srcptr fri_mip.fi_srcptr
+
+#define FRI_NORMAL 0 /* Normal address */
+#define FRI_DYNAMIC 1 /* dynamic address */
+#define FRI_LOOKUP 2 /* address is a pool # */
+#define FRI_RANGE 3 /* address/mask is a range */
+#define FRI_NETWORK 4 /* network address from if */
+#define FRI_BROADCAST 5 /* broadcast address from if */
+#define FRI_PEERADDR 6 /* Peer address for P-to-P */
+#define FRI_NETMASKED 7 /* network address with netmask from if */
+
+
+typedef struct frentry * (* frentfunc_t) __P((fr_info_t *));
+
typedef struct frentry {
+ ipfmutex_t fr_lock;
struct frentry *fr_next;
- struct frentry *fr_grp;
- int fr_ref; /* reference count - for grouping */
+ struct frentry **fr_grp;
+ struct ipscan *fr_isc;
void *fr_ifas[4];
+ void *fr_ptr; /* for use with fr_arg */
+ char *fr_comment; /* text comment for rule */
+ int fr_ref; /* reference count - for grouping */
+ int fr_statecnt; /* state count - for limit rules */
/*
* These are only incremented when a packet matches this rule and
* it is the last match
*/
U_QUAD_T fr_hits;
U_QUAD_T fr_bytes;
+
/*
- * Fields after this may not change whilst in the kernel.
+ * For PPS rate limiting
*/
- struct fr_ip fr_ip;
- struct fr_ip fr_mip; /* mask structure */
-
+ struct timeval fr_lastpkt;
+ int fr_curpps;
- u_short fr_icmpm; /* data for ICMP packets (mask) */
- u_short fr_icmp;
+ union {
+ void *fru_data;
+ caddr_t fru_caddr;
+ fripf_t *fru_ipf;
+ frentfunc_t fru_func;
+ } fr_dun;
- u_int fr_age[2]; /* aging for state */
- frtuc_t fr_tuc;
- u_32_t fr_group; /* group to which this rule belongs */
- u_32_t fr_grhead; /* group # which this rule starts */
+ /*
+ * Fields after this may not change whilst in the kernel.
+ */
+ ipfunc_t fr_func; /* call this function */
+ int fr_dsize;
+ int fr_pps;
+ int fr_statemax; /* max reference count */
+ int fr_flineno; /* line number from conf file */
+ u_32_t fr_type;
u_32_t fr_flags; /* per-rule flags && options (see below) */
- u_int fr_skip; /* # of rules to skip */
+ u_32_t fr_logtag; /* user defined log tag # */
+ u_32_t fr_collect; /* collection number */
+ u_int fr_arg; /* misc. numeric arg for rule */
u_int fr_loglevel; /* syslog log facility + priority */
- int (*fr_func) __P((int, ip_t *, fr_info_t *)); /* call this function */
- int fr_sap; /* For solaris only */
+ u_int fr_age[2]; /* non-TCP timeouts */
+ u_char fr_v;
u_char fr_icode; /* return ICMP code */
+ char fr_group[FR_GROUPLEN]; /* group to which this rule belongs */
+ char fr_grhead[FR_GROUPLEN]; /* group # which this rule starts */
+ ipftag_t fr_nattag;
char fr_ifnames[4][LIFNAMSIZ];
- struct frdest fr_tif; /* "to" interface */
- struct frdest fr_dif; /* duplicate packet interfaces */
+ char fr_isctag[16];
+ frdest_t fr_tifs[2]; /* "to"/"reply-to" interface */
+ frdest_t fr_dif; /* duplicate packet interface */
+ /*
+ * This must be last and will change after loaded into the kernel.
+ */
u_int fr_cksum; /* checksum on filter rules for performance */
} frentry_t;
-#define fr_v fr_ip.fi_v
+#define fr_caddr fr_dun.fru_caddr
+#define fr_data fr_dun.fru_data
+#define fr_dfunc fr_dun.fru_func
+#define fr_ipf fr_dun.fru_ipf
+#define fr_ip fr_ipf->fri_ip
+#define fr_mip fr_ipf->fri_mip
+#define fr_icmpm fr_ipf->fri_icmpm
+#define fr_icmp fr_ipf->fri_icmp
+#define fr_tuc fr_ipf->fri_tuc
+#define fr_satype fr_ipf->fri_satype
+#define fr_datype fr_ipf->fri_datype
+#define fr_sifpidx fr_ipf->fri_sifpidx
+#define fr_difpidx fr_ipf->fri_difpidx
#define fr_proto fr_ip.fi_p
+#define fr_mproto fr_mip.fi_p
#define fr_ttl fr_ip.fi_ttl
+#define fr_mttl fr_mip.fi_ttl
#define fr_tos fr_ip.fi_tos
+#define fr_mtos fr_mip.fi_tos
#define fr_tcpfm fr_tuc.ftu_tcpfm
#define fr_tcpf fr_tuc.ftu_tcpf
#define fr_scmp fr_tuc.ftu_scmp
@@ -264,58 +544,110 @@ typedef struct frentry {
#define fr_stop fr_tuc.ftu_stop
#define fr_dtop fr_tuc.ftu_dtop
#define fr_dst fr_ip.fi_dst.in4
+#define fr_daddr fr_ip.fi_dst.in4.s_addr
#define fr_src fr_ip.fi_src.in4
+#define fr_saddr fr_ip.fi_src.in4.s_addr
#define fr_dmsk fr_mip.fi_dst.in4
+#define fr_dmask fr_mip.fi_dst.in4.s_addr
#define fr_smsk fr_mip.fi_src.in4
+#define fr_smask fr_mip.fi_src.in4.s_addr
+#define fr_dstnum fr_ip.fi_dstnum
+#define fr_srcnum fr_ip.fi_srcnum
+#define fr_dsttype fr_ip.fi_dsttype
+#define fr_srctype fr_ip.fi_srctype
+#define fr_dstptr fr_mip.fi_dstptr
+#define fr_srcptr fr_mip.fi_srcptr
+#define fr_dstfunc fr_mip.fi_dstfunc
+#define fr_srcfunc fr_mip.fi_srcfunc
+#define fr_optbits fr_ip.fi_optmsk
+#define fr_optmask fr_mip.fi_optmsk
+#define fr_secbits fr_ip.fi_secmsk
+#define fr_secmask fr_mip.fi_secmsk
+#define fr_authbits fr_ip.fi_auth
+#define fr_authmask fr_mip.fi_auth
+#define fr_flx fr_ip.fi_flx
+#define fr_mflx fr_mip.fi_flx
#define fr_ifname fr_ifnames[0]
#define fr_oifname fr_ifnames[2]
#define fr_ifa fr_ifas[0]
#define fr_oifa fr_ifas[2]
+#define fr_tif fr_tifs[0]
+#define fr_rif fr_tifs[1]
+
+#define FR_NOLOGTAG 0
-#define FR_CMPSIZ (sizeof(struct frentry) - offsetof(frentry_t, fr_ip))
+#ifndef offsetof
+#define offsetof(t,m) (int)((&((t *)0L)->m))
+#endif
+#define FR_CMPSIZ (sizeof(struct frentry) - \
+ offsetof(struct frentry, fr_func))
+
+/*
+ * fr_type
+ */
+#define FR_T_NONE 0
+#define FR_T_IPF 1 /* IPF structures */
+#define FR_T_BPFOPC 2 /* BPF opcode */
+#define FR_T_CALLFUNC 3 /* callout to function in fr_func only */
+#define FR_T_COMPIPF 4 /* compiled C code */
+#define FR_T_BUILTIN 0x80000000 /* rule is in kernel space */
/*
* fr_flags
*/
+#define FR_CALL 0x00000 /* call rule */
#define FR_BLOCK 0x00001 /* do not allow packet to pass */
#define FR_PASS 0x00002 /* allow packet to pass */
-#define FR_OUTQUE 0x00004 /* outgoing packets */
-#define FR_INQUE 0x00008 /* ingoing packets */
+#define FR_AUTH 0x00003 /* use authentication */
+#define FR_PREAUTH 0x00004 /* require preauthentication */
+#define FR_ACCOUNT 0x00005 /* Accounting rule */
+#define FR_SKIP 0x00006 /* skip rule */
+#define FR_DIVERT 0x00007 /* divert rule */
+#define FR_CMDMASK 0x0000f
#define FR_LOG 0x00010 /* Log */
#define FR_LOGB 0x00011 /* Log-fail */
#define FR_LOGP 0x00012 /* Log-pass */
-#define FR_NOTSRCIP 0x00020 /* not the src IP# */
-#define FR_NOTDSTIP 0x00040 /* not the dst IP# */
-#define FR_RETRST 0x00080 /* Return TCP RST packet - reset connection */
-#define FR_RETICMP 0x00100 /* Return ICMP unreachable packet */
-#define FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
-#define FR_NOMATCH 0x00200 /* no match occured */
-#define FR_ACCOUNT 0x00400 /* count packet bytes */
-#define FR_KEEPFRAG 0x00800 /* keep fragment information */
-#define FR_KEEPSTATE 0x01000 /* keep `connection' state information */
-#define FR_INACTIVE 0x02000
-#define FR_QUICK 0x04000 /* match & stop processing list */
-#define FR_FASTROUTE 0x08000 /* bypass normal routing */
-#define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */
-#define FR_DUP 0x20000 /* duplicate packet */
+#define FR_LOGMASK (FR_LOG|FR_CMDMASK)
+#define FR_CALLNOW 0x00020 /* call another function (fr_func) if matches */
+#define FR_NOTSRCIP 0x00040
+#define FR_NOTDSTIP 0x00080
+#define FR_QUICK 0x00100 /* match & stop processing list */
+#define FR_KEEPFRAG 0x00200 /* keep fragment information */
+#define FR_KEEPSTATE 0x00400 /* keep `connection' state information */
+#define FR_FASTROUTE 0x00800 /* bypass normal routing */
+#define FR_RETRST 0x01000 /* Return TCP RST packet - reset connection */
+#define FR_RETICMP 0x02000 /* Return ICMP unreachable packet */
+#define FR_FAKEICMP 0x03000 /* Return ICMP unreachable with fake source */
+#define FR_OUTQUE 0x04000 /* outgoing packets */
+#define FR_INQUE 0x08000 /* ingoing packets */
+#define FR_LOGBODY 0x10000 /* Log the body */
+#define FR_LOGFIRST 0x20000 /* Log the first byte if state held */
#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
-#define FR_LOGBODY 0x80000 /* Log the body */
-#define FR_LOGFIRST 0x100000 /* Log the first byte if state held */
-#define FR_AUTH 0x200000 /* use authentication */
-#define FR_PREAUTH 0x400000 /* require preauthentication */
-#define FR_DONTCACHE 0x800000 /* don't cache the result */
+#define FR_DUP 0x80000 /* duplicate packet */
+#define FR_FRSTRICT 0x100000 /* strict frag. cache */
+#define FR_STSTRICT 0x200000 /* strict keep state */
+#define FR_NEWISN 0x400000 /* new ISN for outgoing TCP */
+#define FR_NOICMPERR 0x800000 /* do not match ICMP errors in state */
+#define FR_STATESYNC 0x1000000 /* synchronize state to slave */
+#define FR_NOMATCH 0x8000000 /* no match occured */
+ /* 0x10000000 FF_LOGPASS */
+ /* 0x20000000 FF_LOGBLOCK */
+ /* 0x40000000 FF_LOGNOMATCH */
+ /* 0x80000000 FF_BLOCKNONIP */
+#define FR_COPIED 0x40000000 /* copied from user space */
+#define FR_INACTIVE 0x80000000 /* only used when flush'ing rules */
-#define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB)
#define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
+#define FR_ISBLOCK(x) (((x) & FR_CMDMASK) == FR_BLOCK)
+#define FR_ISPASS(x) (((x) & FR_CMDMASK) == FR_PASS)
+#define FR_ISAUTH(x) (((x) & FR_CMDMASK) == FR_AUTH)
+#define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
+#define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
+#define FR_ISSKIP(x) (((x) & FR_CMDMASK) == FR_SKIP)
+#define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
+#define FR_INOUT (FR_INQUE|FR_OUTQUE)
/*
- * These correspond to #define's for FI_* and are stored in fr_flags
- */
-#define FF_OPTIONS 0x01000000
-#define FF_TCPUDP 0x02000000
-#define FF_FRAG 0x04000000
-#define FF_SHORT 0x08000000
-/*
* recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
*/
#define FF_LOGPASS 0x10000000
@@ -324,16 +656,40 @@ typedef struct frentry {
#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
#define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
-#define FR_NONE 0
-#define FR_EQUAL 1
-#define FR_NEQUAL 2
-#define FR_LESST 3
-#define FR_GREATERT 4
-#define FR_LESSTE 5
-#define FR_GREATERTE 6
-#define FR_OUTRANGE 7
-#define FR_INRANGE 8
+/*
+ * Structure that passes information on what/how to flush to the kernel.
+ */
+typedef struct ipfflush {
+ int ipflu_how;
+ int ipflu_arg;
+} ipfflush_t;
+
+
+/*
+ *
+ */
+typedef struct ipfgetctl {
+ u_int ipfg_min; /* min value */
+ u_int ipfg_current; /* current value */
+ u_int ipfg_max; /* max value */
+ u_int ipfg_default; /* default value */
+ u_int ipfg_steps; /* value increments */
+ char ipfg_name[40]; /* tag name for this control */
+} ipfgetctl_t;
+
+typedef struct ipfsetctl {
+ int ipfs_which; /* 0 = min 1 = current 2 = max 3 = default */
+ u_int ipfs_value; /* min value */
+ char ipfs_name[40]; /* tag name for this control */
+} ipfsetctl_t;
+
+
+/*
+ * Some of the statistics below are in their own counters, but most are kept
+ * in this single structure so that they can all easily be collected and
+ * copied back as required.
+ */
typedef struct filterstats {
u_long fr_pass; /* packets allowed */
u_long fr_block; /* packets denied */
@@ -356,59 +712,13 @@ typedef struct filterstats {
u_long fr_pull[2]; /* good and bad pullup attempts */
u_long fr_badsrc; /* source received doesn't match route */
u_long fr_badttl; /* TTL in packet doesn't reach minimum */
-#if SOLARIS
- u_long fr_notdata; /* PROTO/PCPROTO that have no data */
- u_long fr_nodata; /* mblks that have no data */
u_long fr_bad; /* bad IP packets to the filter */
- u_long fr_notip; /* packets passed through no on ip queue */
- u_long fr_drop; /* packets dropped - no info for them! */
- u_long fr_copy; /* messages copied due to db_ref > 1 */
-#endif
- u_long fr_ipv6[2]; /* IPv6 packets in/out */
+ u_long fr_ipv6; /* IPv6 packets in/out */
+ u_long fr_ppshit; /* dropped because of pps ceiling */
+ u_long fr_ipud; /* IP id update failures */
} filterstats_t;
/*
- * For SIOCGETFS
- */
-typedef struct friostat {
- struct filterstats f_st[2];
- struct frentry *f_fin[2];
- struct frentry *f_fout[2];
- struct frentry *f_acctin[2];
- struct frentry *f_acctout[2];
- struct frentry *f_fin6[2];
- struct frentry *f_fout6[2];
- struct frentry *f_acctin6[2];
- struct frentry *f_acctout6[2];
- struct frentry *f_auth;
- struct frgroup *f_groups[3][2];
- u_long f_froute[2];
- int f_defpass; /* default pass - from fr_pass */
- char f_active; /* 1 or 0 - active rule set */
- char f_running; /* 1 if running, else 0 */
- char f_logging; /* 1 if enabled, else 0 */
- char f_version[32]; /* version string */
- int f_locks[4];
-} friostat_t;
-
-typedef struct optlist {
- u_short ol_val;
- int ol_bit;
-} optlist_t;
-
-
-/*
- * Group list structure.
- */
-typedef struct frgroup {
- u_32_t fg_num;
- struct frgroup *fg_next;
- struct frentry *fg_head;
- struct frentry **fg_start;
-} frgroup_t;
-
-
-/*
* Log structure. Each packet header logged is prepended by one of these.
* Following this in the log records read from the device will be an ipflog
* structure which is then followed by any packet data.
@@ -416,40 +726,39 @@ typedef struct frgroup {
typedef struct iplog {
u_32_t ipl_magic;
u_int ipl_count;
- struct timeval ipl_tv;
+ struct timeval ipl_time;
size_t ipl_dsize;
struct iplog *ipl_next;
} iplog_t;
-#define ipl_sec ipl_tv.tv_sec
-#define ipl_usec ipl_tv.tv_usec
+#define ipl_sec ipl_time.tv_sec
+#define ipl_usec ipl_time.tv_usec
-#define IPL_MAGIC 0x49504c4d /* 'IPLM' */
+#define IPL_MAGIC 0x49504c4d /* 'IPLM' */
+#define IPL_MAGIC_NAT 0x49504c4e /* 'IPLN' */
+#define IPL_MAGIC_STATE 0x49504c53 /* 'IPLS' */
#define IPLOG_SIZE sizeof(iplog_t)
typedef struct ipflog {
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
- char fl_ifname[LIFNAMSIZ];
#else
u_int fl_unit;
- char fl_ifname[LIFNAMSIZ];
#endif
- u_char fl_plen; /* extra data after hlen */
- u_char fl_hlen; /* length of IP headers saved */
- u_short fl_loglevel; /* syslog log level */
u_32_t fl_rule;
- u_32_t fl_group;
u_32_t fl_flags;
+ u_32_t fl_lflags;
+ u_32_t fl_logtag;
+ ipftag_t fl_nattag;
+ u_short fl_plen; /* extra data after hlen */
+ u_short fl_loglevel; /* syslog log level */
+ char fl_group[FR_GROUPLEN];
+ u_char fl_hlen; /* length of IP headers saved */
u_char fl_dir;
- u_char fl_pad[3];
+ u_char fl_xxx[2]; /* pad */
+ char fl_ifname[LIFNAMSIZ];
} ipflog_t;
-
-#ifndef ICMP_UNREACH_FILTER
-# define ICMP_UNREACH_FILTER 13
-#endif
-
#ifndef IPF_LOGGING
# define IPF_LOGGING 0
#endif
@@ -457,8 +766,14 @@ typedef struct ipflog {
# define IPF_DEFAULT_PASS FR_PASS
#endif
-#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
-#define IPLLOGSIZE 8192
+#define DEFAULT_IPFLOGSIZE 8192
+#ifndef IPFILTER_LOGSIZE
+# define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
+#else
+# if IPFILTER_LOGSIZE < DEFAULT_IPFLOGSIZE
+# error IPFILTER_LOGSIZE too small. Must be >= DEFAULT_IPFLOGSIZE
+# endif
+#endif
#define IPF_OPTCOPY 0x07ff00 /* bit mask of copied options */
@@ -473,15 +788,309 @@ typedef struct ipflog {
# define IPL_NAME "/dev/ipl"
# endif
#endif
-#define IPL_NAT IPNAT_NAME
-#define IPL_STATE IPSTATE_NAME
-#define IPL_AUTH IPAUTH_NAME
+/*
+ * Pathnames for various IP Filter control devices. Used by LKM
+ * and userland, so defined here.
+ */
+#define IPNAT_NAME "/dev/ipnat"
+#define IPSTATE_NAME "/dev/ipstate"
+#define IPAUTH_NAME "/dev/ipauth"
+#define IPSYNC_NAME "/dev/ipsync"
+#define IPSCAN_NAME "/dev/ipscan"
+#define IPLOOKUP_NAME "/dev/iplookup"
#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
#define IPL_LOGNAT 1
#define IPL_LOGSTATE 2
#define IPL_LOGAUTH 3
-#define IPL_LOGMAX 3
+#define IPL_LOGSYNC 4
+#define IPL_LOGSCAN 5
+#define IPL_LOGLOOKUP 6
+#define IPL_LOGCOUNT 7
+#define IPL_LOGMAX 7
+#define IPL_LOGSIZE IPL_LOGMAX + 1
+#define IPL_LOGALL -1
+#define IPL_LOGNONE -2
+
+/*
+ * For SIOCGETFS
+ */
+typedef struct friostat {
+ struct filterstats f_st[2];
+ struct frentry *f_ipf[2][2];
+ struct frentry *f_acct[2][2];
+ struct frentry *f_ipf6[2][2];
+ struct frentry *f_acct6[2][2];
+ struct frentry *f_auth;
+ struct frgroup *f_groups[IPL_LOGSIZE][2];
+ u_long f_froute[2];
+ u_long f_ticks;
+ int f_locks[IPL_LOGMAX];
+ size_t f_kmutex_sz;
+ size_t f_krwlock_sz;
+ int f_defpass; /* default pass - from fr_pass */
+ int f_active; /* 1 or 0 - active rule set */
+ int f_running; /* 1 if running, else 0 */
+ int f_logging; /* 1 if enabled, else 0 */
+ int f_features;
+ char f_version[32]; /* version string */
+} friostat_t;
+
+#define f_fin f_ipf[0]
+#define f_fin6 f_ipf6[0]
+#define f_fout f_ipf[1]
+#define f_fout6 f_ipf6[1]
+#define f_acctin f_acct[0]
+#define f_acctin6 f_acct6[0]
+#define f_acctout f_acct[1]
+#define f_acctout6 f_acct6[1]
+
+#define IPF_FEAT_LKM 0x001
+#define IPF_FEAT_LOG 0x002
+#define IPF_FEAT_LOOKUP 0x004
+#define IPF_FEAT_BPF 0x008
+#define IPF_FEAT_COMPILED 0x010
+#define IPF_FEAT_CKSUM 0x020
+#define IPF_FEAT_SYNC 0x040
+#define IPF_FEAT_SCAN 0x080
+#define IPF_FEAT_IPV6 0x100
+
+typedef struct optlist {
+ u_short ol_val;
+ int ol_bit;
+} optlist_t;
+
+
+/*
+ * Group list structure.
+ */
+typedef struct frgroup {
+ struct frgroup *fg_next;
+ struct frentry *fg_head;
+ struct frentry *fg_start;
+ u_32_t fg_flags;
+ int fg_ref;
+ char fg_name[FR_GROUPLEN];
+} frgroup_t;
+
+#define FG_NAME(g) (*(g)->fg_name == '\0' ? "" : (g)->fg_name)
+
+
+/*
+ * Used by state and NAT tables
+ */
+typedef struct icmpinfo {
+ u_short ici_id;
+ u_short ici_seq;
+ u_char ici_type;
+} icmpinfo_t;
+
+typedef struct udpinfo {
+ u_short us_sport;
+ u_short us_dport;
+} udpinfo_t;
+
+
+typedef struct tcpdata {
+ u_32_t td_end;
+ u_32_t td_maxend;
+ u_32_t td_maxwin;
+ u_32_t td_winscale;
+ u_32_t td_maxseg;
+ int td_winflags;
+} tcpdata_t;
+
+#define TCP_WSCALE_MAX 14
+
+#define TCP_WSCALE_SEEN 0x00000001
+#define TCP_WSCALE_FIRST 0x00000002
+
+
+typedef struct tcpinfo {
+ u_short ts_sport;
+ u_short ts_dport;
+ tcpdata_t ts_data[2];
+} tcpinfo_t;
+
+
+struct grebits {
+ u_32_t grb_C:1;
+ u_32_t grb_R:1;
+ u_32_t grb_K:1;
+ u_32_t grb_S:1;
+ u_32_t grb_s:1;
+ u_32_t grb_recur:1;
+ u_32_t grb_A:1;
+ u_32_t grb_flags:3;
+ u_32_t grb_ver:3;
+ u_short grb_ptype;
+};
+
+typedef struct grehdr {
+ union {
+ struct grebits gru_bits;
+ u_short gru_flags;
+ } gr_un;
+ u_short gr_len;
+ u_short gr_call;
+} grehdr_t;
+
+#define gr_flags gr_un.gru_flags
+#define gr_bits gr_un.gru_bits
+#define gr_ptype gr_bits.grb_ptype
+#define gr_C gr_bits.grb_C
+#define gr_R gr_bits.grb_R
+#define gr_K gr_bits.grb_K
+#define gr_S gr_bits.grb_S
+#define gr_s gr_bits.grb_s
+#define gr_recur gr_bits.grb_recur
+#define gr_A gr_bits.grb_A
+#define gr_ver gr_bits.grb_ver
+
+
+typedef struct greinfo {
+ u_short gs_call[2];
+ u_short gs_flags;
+ u_short gs_ptype;
+} greinfo_t;
+
+#define GRE_REV(x) ((ntohs(x) >> 13) & 7)
+
+
+/*
+ * Timeout tail queue list member
+ */
+typedef struct ipftqent {
+ struct ipftqent **tqe_pnext;
+ struct ipftqent *tqe_next;
+ struct ipftq *tqe_ifq;
+ void *tqe_parent; /* pointer back to NAT/state struct */
+ u_long tqe_die; /* when this entriy is to die */
+ u_long tqe_touched;
+ int tqe_flags;
+ int tqe_state[2]; /* current state of this entry */
+} ipftqent_t;
+
+#define TQE_RULEBASED 0x00000001
+
+
+/*
+ * Timeout tail queue head for IPFilter
+ */
+typedef struct ipftq {
+ ipfmutex_t ifq_lock;
+ u_int ifq_ttl;
+ ipftqent_t *ifq_head;
+ ipftqent_t **ifq_tail;
+ struct ipftq *ifq_next;
+ struct ipftq **ifq_pnext;
+ int ifq_ref;
+ u_int ifq_flags;
+} ipftq_t;
+
+#define IFQF_USER 0x01 /* User defined aging */
+#define IFQF_DELETE 0x02 /* Marked for deletion */
+#define IFQF_PROXY 0x04 /* Timeout queue in use by a proxy */
+
+#define IPF_HZ_MULT 1
+#define IPF_HZ_DIVIDE 2 /* How many times a second ipfilter */
+ /* checks its timeout queues. */
+#define IPF_TTLVAL(x) (((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)
+
+/*
+ * Structure to define address for pool lookups.
+ */
+typedef struct {
+ u_char adf_len;
+ i6addr_t adf_addr;
+} addrfamily_t;
+
+
+/*
+ * Object structure description. For passing through in ioctls.
+ */
+typedef struct ipfobj {
+ u_32_t ipfo_rev; /* IPFilter version number */
+ u_32_t ipfo_size; /* size of object at ipfo_ptr */
+ void *ipfo_ptr; /* pointer to object */
+ int ipfo_type; /* type of object being pointed to */
+ int ipfo_offset; /* bytes from ipfo_ptr where to start */
+ u_char ipfo_xxxpad[32]; /* reserved for future use */
+} ipfobj_t;
+
+#define IPFOBJ_FRENTRY 0 /* struct frentry */
+#define IPFOBJ_IPFSTAT 1 /* struct friostat */
+#define IPFOBJ_IPFINFO 2 /* struct fr_info */
+#define IPFOBJ_AUTHSTAT 3 /* struct fr_authstat */
+#define IPFOBJ_FRAGSTAT 4 /* struct ipfrstat */
+#define IPFOBJ_IPNAT 5 /* struct ipnat */
+#define IPFOBJ_NATSTAT 6 /* struct natstat */
+#define IPFOBJ_STATESAVE 7 /* struct ipstate_save */
+#define IPFOBJ_NATSAVE 8 /* struct nat_save */
+#define IPFOBJ_NATLOOKUP 9 /* struct natlookup */
+#define IPFOBJ_IPSTATE 10 /* struct ipstate */
+#define IPFOBJ_STATESTAT 11 /* struct ips_stat */
+#define IPFOBJ_FRAUTH 12 /* struct frauth */
+#define IPFOBJ_TUNEABLE 13 /* struct ipftune */
+
+
+typedef union ipftunevalptr {
+ void *ipftp_void;
+ u_long *ipftp_long;
+ u_int *ipftp_int;
+ u_short *ipftp_short;
+ u_char *ipftp_char;
+} ipftunevalptr_t;
+
+typedef struct ipftuneable {
+ ipftunevalptr_t ipft_una;
+ char *ipft_name;
+ u_long ipft_min;
+ u_long ipft_max;
+ int ipft_sz;
+ int ipft_flags;
+ struct ipftuneable *ipft_next;
+} ipftuneable_t;
+
+#define ipft_addr ipft_una.ipftp_void
+#define ipft_plong ipft_una.ipftp_long
+#define ipft_pint ipft_una.ipftp_int
+#define ipft_pshort ipft_una.ipftp_short
+#define ipft_pchar ipft_una.ipftp_char
+
+#define IPFT_RDONLY 1 /* read-only */
+#define IPFT_WRDISABLED 2 /* write when disabled only */
+
+typedef union ipftuneval {
+ u_long ipftu_long;
+ u_int ipftu_int;
+ u_short ipftu_short;
+ u_char ipftu_char;
+} ipftuneval_t;
+
+typedef struct ipftune {
+ void *ipft_cookie;
+ ipftuneval_t ipft_un;
+ u_long ipft_min;
+ u_long ipft_max;
+ int ipft_sz;
+ int ipft_flags;
+ char ipft_name[80];
+} ipftune_t;
+
+#define ipft_vlong ipft_un.ipftu_long
+#define ipft_vint ipft_un.ipftu_int
+#define ipft_vshort ipft_un.ipftu_short
+#define ipft_vchar ipft_un.ipftu_char
+
+
+/*
+** HPUX Port
+*/
+#ifdef __hpux
+/* HP-UX locking sequence deadlock detection module lock MAJOR ID */
+# define IPF_SMAJ 0 /* temp assignment XXX, not critical */
+#endif
#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
(__FreeBSD_version >= 220000)
@@ -494,7 +1103,8 @@ typedef struct ipflog {
* with this!
*/
#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
- (defined(NetBSD1_2) && NetBSD1_2 > 1)
+ (defined(NetBSD1_2) && NetBSD1_2 > 1) || \
+ (defined(__FreeBSD__) && (__FreeBSD_version >= 500043))
# if (NetBSD >= 199905)
# define PFIL_HOOKS
# endif
@@ -503,63 +1113,62 @@ typedef struct ipflog {
# endif
#endif
-
#ifndef _KERNEL
-extern char *get_ifname __P((struct ifnet *));
-extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
+extern int fr_check __P((struct ip *, int, void *, int, mb_t **));
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
-extern int send_reset __P((ip_t *, fr_info_t *));
-extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int));
extern int ipf_log __P((void));
extern struct ifnet *get_unit __P((char *, int));
-extern int mbuflen __P((mb_t *));
+extern char *get_ifname __P((struct ifnet *));
# if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
-extern int iplioctl __P((dev_t, u_long, caddr_t, int));
+extern int iplioctl __P((int, ioctlcmd_t, caddr_t, int));
# else
-extern int iplioctl __P((dev_t, int, caddr_t, int));
+extern int iplioctl __P((int, ioctlcmd_t, caddr_t, int));
# endif
extern int iplopen __P((dev_t, int));
extern int iplclose __P((dev_t, int));
+extern void m_freem __P((mb_t *));
#else /* #ifndef _KERNEL */
# if defined(__NetBSD__) && defined(PFIL_HOOKS)
extern void ipfilterattach __P((int));
# endif
-extern int iplattach __P((void));
extern int ipl_enable __P((void));
extern int ipl_disable __P((void));
-extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int));
-extern int send_reset __P((ip_t *, fr_info_t *));
-# if SOLARIS
-extern int fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **));
-extern int (*fr_checkp) __P((ip_t *, int, void *,
- int, qif_t *, mb_t **));
-# if SOLARIS2 >= 7
+# ifdef MENTAT
+extern int fr_check __P((struct ip *, int, void *, int, void *,
+ mblk_t **));
+# if SOLARIS
+# if SOLARIS2 >= 7
extern int iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
-# else
+# else
extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
-# endif
+# endif
extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *));
+extern int iplread __P((dev_t, uio_t *, cred_t *));
+extern int iplwrite __P((dev_t, uio_t *, cred_t *));
+# endif
+# ifdef __hpux
+extern int iplopen __P((dev_t, int, intptr_t, int));
+extern int iplclose __P((dev_t, int, int));
+extern int iplioctl __P((dev_t, int, caddr_t, int));
+extern int iplread __P((dev_t, uio_t *));
+extern int iplwrite __P((dev_t, uio_t *));
+extern int iplselect __P((dev_t, int));
+# endif
extern int ipfsync __P((void));
-extern int ipfr_fastroute __P((ip_t *, mblk_t *, mblk_t **,
- fr_info_t *, frdest_t *));
-extern void copyin_mblk __P((mblk_t *, size_t, size_t, char *));
-extern void copyout_mblk __P((mblk_t *, size_t, size_t, char *));
-extern int fr_qin __P((queue_t *, mblk_t *));
extern int fr_qout __P((queue_t *, mblk_t *));
-extern int iplread __P((dev_t, struct uio *, cred_t *));
-# else /* SOLARIS */
-extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
+# else /* MENTAT */
+extern int fr_check __P((struct ip *, int, void *, int, mb_t **));
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
-extern int ipfr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
extern size_t mbufchainlen __P((mb_t *));
# ifdef __sgi
# include <sys/cred.h>
extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *));
-extern int iplread __P((dev_t, struct uio *, cred_t *));
+extern int iplread __P((dev_t, uio_t *, cred_t *));
+extern int iplwrite __P((dev_t, uio_t *, cred_t *));
extern int ipfsync __P((void));
extern int ipfilter_sgi_attach __P((void));
extern void ipfilter_sgi_detach __P((void));
@@ -572,88 +1181,188 @@ extern int iplidentify __P((char *));
(NetBSD >= 199511) || defined(__OpenBSD__)
# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
+# if (__FreeBSD_version >= 500024)
+# if (__FreeBSD_version >= 502116)
+extern int iplioctl __P((struct cdev*, u_long, caddr_t, int, struct thread *));
+# else
+extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *));
+# endif /* __FreeBSD_version >= 502116 */
+# else
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
+# endif /* __FreeBSD_version >= 500024 */
# else
extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
# endif
+# if (__FreeBSD_version >= 500024)
+# if (__FreeBSD_version >= 502116)
+extern int iplopen __P((struct cdev*, int, int, struct thread *));
+extern int iplclose __P((struct cdev*, int, int, struct thread *));
+# else
+extern int iplopen __P((dev_t, int, int, struct thread *));
+extern int iplclose __P((dev_t, int, int, struct thread *));
+# endif /* __FreeBSD_version >= 502116 */
+# else
extern int iplopen __P((dev_t, int, int, struct proc *));
extern int iplclose __P((dev_t, int, int, struct proc *));
+# endif /* __FreeBSD_version >= 500024 */
# else
-# ifndef linux
+# ifdef linux
+extern int iplioctl __P((struct inode *, struct file *, u_int, u_long));
+# else
extern int iplopen __P((dev_t, int));
extern int iplclose __P((dev_t, int));
extern int iplioctl __P((dev_t, int, caddr_t, int));
-# else
-extern int iplioctl(struct inode *, struct file *, u_int, u_long);
-extern int iplopen __P((struct inode *, struct file *));
-extern void iplclose __P((struct inode *, struct file *));
-# endif /* !linux */
+# endif
# endif /* (_BSDI_VERSION >= 199510) */
# if BSD >= 199306
+# if (__FreeBSD_version >= 502116)
+extern int iplread __P((struct cdev*, struct uio *, int));
+extern int iplwrite __P((struct cdev*, struct uio *, int));
+# else
extern int iplread __P((dev_t, struct uio *, int));
+extern int iplwrite __P((dev_t, struct uio *, int));
+# endif /* __FreeBSD_version >= 502116 */
# else
# ifndef linux
extern int iplread __P((dev_t, struct uio *));
-# else
-extern int iplread(struct inode *, struct file *, char *, int);
-# endif /* !linux */
+extern int iplwrite __P((dev_t, struct uio *));
+# endif
# endif /* BSD >= 199306 */
# endif /* __ sgi */
-# endif /* SOLARIS */
+# endif /* MENTAT */
+
#endif /* #ifndef _KERNEL */
+extern ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap;
+extern ipfmutex_t ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new;
+extern ipfrwlock_t ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag;
+extern ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
+
extern char *memstr __P((char *, char *, int, int));
-extern void fixskip __P((frentry_t **, frentry_t *, int));
-extern int countbits __P((u_32_t));
+extern int count4bits __P((u_32_t));
+extern int frrequest __P((int, ioctlcmd_t, caddr_t, int, int));
+extern char *getifname __P((struct ifnet *));
+extern int iplattach __P((void));
extern int ipldetach __P((void));
extern u_short ipf_cksum __P((u_short *, int));
-extern int ircopyptr __P((void *, void *, size_t));
-extern int iwcopyptr __P((void *, void *, size_t));
+extern int copyinptr __P((void *, void *, size_t));
+extern int copyoutptr __P((void *, void *, size_t));
+extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
+extern int fr_inobj __P((void *, void *, int));
+extern int fr_inobjsz __P((void *, void *, int, int));
+extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int));
+extern int fr_ipftune __P((ioctlcmd_t, void *));
+extern int fr_outobj __P((void *, void *, int));
+extern int fr_outobjsz __P((void *, void *, int, int));
+extern void *fr_pullup __P((mb_t *, fr_info_t *, int));
+extern void fr_resolvedest __P((struct frdest *, int));
+extern int fr_resolvefunc __P((void *));
+extern void *fr_resolvenic __P((char *, int));
+extern int fr_send_icmp_err __P((int, fr_info_t *, int));
+extern int fr_send_reset __P((fr_info_t *));
+#if (__FreeBSD_version < 490000) || !defined(_KERNEL)
+extern int ppsratecheck __P((struct timeval *, int *, int));
+#endif
+extern ipftq_t *fr_addtimeoutqueue __P((ipftq_t **, u_int));
+extern void fr_deletequeueentry __P((ipftqent_t *));
+extern int fr_deletetimeoutqueue __P((ipftq_t *));
+extern void fr_freetimeoutqueue __P((ipftq_t *));
+extern void fr_movequeue __P((ipftqent_t *, ipftq_t *, ipftq_t *));
+extern void fr_queueappend __P((ipftqent_t *, ipftq_t *, void *));
+extern void fr_queueback __P((ipftqent_t *));
+extern void fr_queuefront __P((ipftqent_t *));
+extern void fr_checkv4sum __P((fr_info_t *));
+extern int fr_checkl4sum __P((fr_info_t *));
+extern int fr_ifpfillv4addr __P((int, struct sockaddr_in *,
+ struct sockaddr_in *, struct in_addr *,
+ struct in_addr *));
+extern int fr_coalesce __P((fr_info_t *));
+#ifdef USE_INET6
+extern void fr_checkv6sum __P((fr_info_t *));
+extern int fr_ifpfillv6addr __P((int, struct sockaddr_in6 *,
+ struct sockaddr_in6 *, struct in_addr *,
+ struct in_addr *));
+#endif
+
+extern int fr_addipftune __P((ipftuneable_t *));
+extern int fr_delipftune __P((ipftuneable_t *));
-extern void ipflog_init __P((void));
+extern int frflush __P((minor_t, int, int));
+extern void frsync __P((void *));
+extern frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int));
+extern int fr_derefrule __P((frentry_t **));
+extern void fr_delgroup __P((char *, minor_t, int));
+extern frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***));
+
+extern int fr_loginit __P((void));
extern int ipflog_clear __P((minor_t));
-extern int ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
+extern int ipflog_read __P((minor_t, uio_t *));
+extern int ipflog __P((fr_info_t *, u_int));
extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
-extern int ipflog_read __P((minor_t, struct uio *));
+extern void fr_logunload __P((void));
+
+extern frentry_t *fr_acctpkt __P((fr_info_t *, u_32_t *));
+extern int fr_copytolog __P((int, char *, int));
+extern u_short fr_cksum __P((mb_t *, ip_t *, int, void *));
+extern void fr_deinitialise __P((void));
+extern frentry_t *fr_dolog __P((fr_info_t *, u_32_t *));
+extern frentry_t *fr_dstgrpmap __P((fr_info_t *, u_32_t *));
+extern void fr_fixskip __P((frentry_t **, frentry_t *, int));
+extern void fr_forgetifp __P((void *));
+extern frentry_t *fr_getrulen __P((int, char *, u_32_t));
+extern void fr_getstat __P((struct friostat *));
+extern int fr_icmp4errortype __P((int));
+extern int fr_ifpaddr __P((int, int, void *,
+ struct in_addr *, struct in_addr *));
+extern int fr_initialise __P((void));
+extern void fr_lock __P((caddr_t, int *));
+extern int fr_makefrip __P((int, ip_t *, fr_info_t *));
+extern int fr_matchtag __P((ipftag_t *, ipftag_t *));
+extern int fr_matchicmpqueryreply __P((int, icmpinfo_t *,
+ struct icmp *, int));
+extern u_32_t fr_newisn __P((fr_info_t *));
+extern u_short fr_nextipid __P((fr_info_t *));
+extern int fr_rulen __P((int, frentry_t *));
+extern int fr_scanlist __P((fr_info_t *, u_32_t));
+extern frentry_t *fr_srcgrpmap __P((fr_info_t *, u_32_t *));
+extern int fr_tcpudpchk __P((fr_info_t *, frtuc_t *));
+extern int fr_verifysrc __P((fr_info_t *fin));
+extern int fr_zerostats __P((char *));
-extern int frflush __P((minor_t, int, int));
-extern void frsync __P((void));
-extern frgroup_t *fr_addgroup __P((u_32_t, frentry_t *, minor_t, int));
-extern void fr_delgroup __P((u_32_t, u_32_t, minor_t, int));
-extern frgroup_t *fr_findgroup __P((u_32_t, u_32_t, minor_t, int,
- frgroup_t ***));
-
-extern int fr_copytolog __P((int, char *, int));
-extern void fr_forgetifp __P((void *));
-extern void fr_getstat __P((struct friostat *));
-extern int fr_ifpaddr __P((int, void *, struct in_addr *));
-extern int fr_lock __P((caddr_t, int *));
-extern int fr_makefrip __P((int, ip_t *, fr_info_t *));
-extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
-extern int fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *));
-extern int fr_tcpudpchk __P((frtuc_t *, fr_info_t *));
-extern int fr_verifysrc __P((struct in_addr, void *));
-
-extern int ipl_unreach;
extern int fr_running;
-extern u_long ipl_frouteok[2];
+extern u_long fr_frouteok[2];
extern int fr_pass;
extern int fr_flags;
extern int fr_active;
extern int fr_chksrc;
extern int fr_minttl;
-extern int fr_minttllog;
-extern fr_info_t frcache[2];
+extern int fr_refcnt;
+extern int fr_control_forwarding;
+extern int fr_update_ipid;
+extern int nat_logging;
+extern int ipstate_logging;
+extern int ipl_suppress;
+extern int ipl_buffer_sz;
+extern int ipl_logmax;
+extern int ipl_logall;
+extern int ipl_logsize;
+extern u_long fr_ticks;
+extern fr_info_t frcache[2][8];
extern char ipfilter_version[];
extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
-extern size_t iplused[IPL_LOGMAX + 1];
+extern int iplused[IPL_LOGMAX + 1];
extern struct frentry *ipfilter[2][2], *ipacct[2][2];
#ifdef USE_INET6
extern struct frentry *ipfilter6[2][2], *ipacct6[2][2];
extern int icmptoicmp6types[ICMP_MAXTYPE+1];
extern int icmptoicmp6unreach[ICMP_MAX_UNREACH];
+extern int icmpreplytype6[ICMP6_MAXTYPE + 1];
#endif
-extern struct frgroup *ipfgroups[3][2];
+extern int icmpreplytype4[ICMP_MAXTYPE + 1];
+extern struct frgroup *ipfgroups[IPL_LOGSIZE][2];
extern struct filterstats frstats[];
+extern frentry_t *ipfrule_match __P((fr_info_t *));
+extern u_char ipf_iss_secret[32];
+extern ipftuneable_t ipf_tuneables[];
#endif /* __IP_FIL_H__ */
diff --git a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
new file mode 100644
index 000000000000..4ee0d3b23052
--- /dev/null
+++ b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
@@ -0,0 +1,1692 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 1993-2003 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+#if !defined(lint)
+static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
+static const char rcsid[] = "@(#)Id: ip_fil_freebsd.c,v 2.53.2.25 2005/02/01 03:15:56 darrenr Exp";
+#endif
+
+#if defined(KERNEL) || defined(_KERNEL)
+# undef KERNEL
+# undef _KERNEL
+# define KERNEL 1
+# define _KERNEL 1
+#endif
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
+ !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
+# include "opt_inet6.h"
+#endif
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 440000) && \
+ !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
+# include "opt_random_ip_id.h"
+#endif
+#include <sys/param.h>
+#if defined(__FreeBSD__) && !defined(__FreeBSD_version)
+# if defined(IPFILTER_LKM)
+# ifndef __FreeBSD_cc_version
+# include <osreldate.h>
+# else
+# if __FreeBSD_cc_version < 430000
+# include <osreldate.h>
+# endif
+# endif
+# endif
+#endif
+#include <sys/errno.h>
+#include <sys/types.h>
+#include <sys/file.h>
+#if __FreeBSD_version >= 220000
+# include <sys/fcntl.h>
+# include <sys/filio.h>
+#else
+# include <sys/ioctl.h>
+#endif
+#include <sys/time.h>
+#include <sys/systm.h>
+#if (__FreeBSD_version >= 300000)
+# include <sys/dirent.h>
+#else
+# include <sys/dir.h>
+#endif
+#if !defined(__hpux)
+# include <sys/mbuf.h>
+#endif
+#include <sys/protosw.h>
+#include <sys/socket.h>
+
+#include <net/if.h>
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+# if !defined(IPFILTER_LKM)
+# include "opt_ipfilter.h"
+# endif
+#endif
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_var.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp.h>
+#if defined(__osf__)
+# include <netinet/tcp_timer.h>
+#endif
+#include <netinet/udp.h>
+#include <netinet/tcpip.h>
+#include <netinet/ip_icmp.h>
+#ifndef _KERNEL
+# include "netinet/ipf.h"
+#endif
+#include "netinet/ip_compat.h"
+#ifdef USE_INET6
+# include <netinet/icmp6.h>
+#endif
+#include "netinet/ip_fil.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_frag.h"
+#include "netinet/ip_state.h"
+#include "netinet/ip_proxy.h"
+#include "netinet/ip_auth.h"
+#ifdef IPFILTER_SYNC
+#include "netinet/ip_sync.h"
+#endif
+#ifdef IPFILTER_SCAN
+#include "netinet/ip_scan.h"
+#endif
+#include "netinet/ip_pool.h"
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+#endif
+#include <sys/kernel.h>
+#ifdef CSUM_DATA_VALID
+#include <machine/in_cksum.h>
+#endif
+extern int ip_optcopy __P((struct ip *, struct ip *));
+
+#if (__FreeBSD_version > 460000)
+extern int path_mtu_discovery;
+#endif
+
+# ifdef IPFILTER_M_IPFILTER
+MALLOC_DEFINE(M_IPFILTER, "IP Filter", "IP Filter packet filter data structures");
+# endif
+
+
+#if !defined(__osf__)
+extern struct protosw inetsw[];
+#endif
+
+static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **));
+static int fr_send_ip __P((fr_info_t *, mb_t *, mb_t **));
+# ifdef USE_MUTEXES
+ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert;
+ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
+ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag;
+ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
+# endif
+int ipf_locks_done = 0;
+
+#if (__FreeBSD_version >= 300000)
+struct callout_handle fr_slowtimer_ch;
+#endif
+
+#if (__FreeBSD_version >= 500011)
+# include <sys/conf.h>
+# if defined(NETBSD_PF)
+# include <net/pfil.h>
+# include <netinet/ipprotosw.h>
+/*
+ * We provide the fr_checkp name just to minimize changes later.
+ */
+int (*fr_checkp) __P((ip_t *ip, int hlen, void *ifp, int out, mb_t **mp));
+# endif /* NETBSD_PF */
+#endif /* __FreeBSD_version >= 500011 */
+
+
+#if (__FreeBSD_version >= 501108) && defined(_KERNEL)
+
+static int
+fr_check_wrapper(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
+{
+ struct ip *ip = mtod(*mp, struct ip *);
+ return fr_check(ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT), mp);
+}
+
+# ifdef USE_INET6
+# include <netinet/ip6.h>
+
+static int
+fr_check_wrapper6(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
+{
+ return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
+ ifp, (dir == PFIL_OUT), mp));
+}
+# endif
+#endif /* __FreeBSD_version >= 501108 */
+#if defined(IPFILTER_LKM)
+int iplidentify(s)
+char *s;
+{
+ if (strcmp(s, "ipl") == 0)
+ return 1;
+ return 0;
+}
+#endif /* IPFILTER_LKM */
+
+
+int iplattach()
+{
+#ifdef USE_SPL
+ int s;
+#endif
+#if defined(NETBSD_PF) && (__FreeBSD_version >= 500011)
+ int error = 0;
+# if __FreeBSD_version >= 501108
+ struct pfil_head *ph_inet;
+# ifdef USE_INET6
+ struct pfil_head *ph_inet6;
+# endif
+# endif
+#endif
+
+ SPL_NET(s);
+ if (fr_running > 0) {
+ SPL_X(s);
+ return EBUSY;
+ }
+
+ MUTEX_INIT(&ipf_rw, "ipf rw mutex");
+ RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex");
+ MUTEX_INIT(&ipf_timeoutlock, "ipf timeout queue mutex");
+ RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
+ RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
+ ipf_locks_done = 1;
+
+ if (fr_initialise() < 0) {
+ SPL_X(s);
+ return EIO;
+ }
+
+
+# ifdef NETBSD_PF
+# if __FreeBSD_version >= 500011
+# if __FreeBSD_version >= 501108
+ ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
+# ifdef USE_INET6
+ ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
+# endif
+ if (ph_inet == NULL
+# ifdef USE_INET6
+ && ph_inet6 == NULL
+# endif
+ )
+ return ENODEV;
+
+ if (ph_inet != NULL)
+ error = pfil_add_hook((void *)fr_check_wrapper, NULL,
+ PFIL_IN|PFIL_OUT, ph_inet);
+ else
+ error = 0;
+# else
+ error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
+ &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+# endif
+ if (error) {
+# ifdef USE_INET6
+ goto pfil_error;
+# else
+ fr_deinitialise();
+ SPL_X(s);
+ return error;
+# endif
+ }
+# else
+ pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
+# endif
+# ifdef USE_INET6
+# if __FreeBSD_version >= 501108
+ if (ph_inet6 != NULL)
+ error = pfil_add_hook((void *)fr_check_wrapper6, NULL,
+ PFIL_IN|PFIL_OUT, ph_inet6);
+ else
+ error = 0;
+ if (error) {
+ pfil_remove_hook((void *)fr_check_wrapper6, NULL,
+ PFIL_IN|PFIL_OUT, ph_inet6);
+# else
+ error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
+ &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
+ if (error) {
+ pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
+ &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+# endif
+pfil_error:
+ fr_deinitialise();
+ SPL_X(s);
+ return error;
+ }
+# endif
+# endif
+ if (fr_checkp != fr_check) {
+ fr_savep = fr_checkp;
+ fr_checkp = fr_check;
+ }
+
+ bzero((char *)frcache, sizeof(frcache));
+ fr_running = 1;
+
+ if (fr_control_forwarding & 1)
+ ipforwarding = 1;
+
+ SPL_X(s);
+#if (__FreeBSD_version >= 300000)
+ fr_slowtimer_ch = timeout(fr_slowtimer, NULL,
+ (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
+#else
+ timeout(fr_slowtimer, NULL, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
+#endif
+ return 0;
+}
+
+
+/*
+ * Disable the filter by removing the hooks from the IP input/output
+ * stream.
+ */
+int ipldetach()
+{
+#ifdef USE_SPL
+ int s;
+#endif
+#if defined(NETBSD_PF) && (__FreeBSD_version >= 500011)
+ int error = 0;
+# if __FreeBSD_version >= 501108
+ struct pfil_head *ph_inet;
+# ifdef USE_INET6
+ struct pfil_head *ph_inet6;
+# endif
+# endif
+#endif
+
+ if (fr_control_forwarding & 2)
+ ipforwarding = 0;
+
+ SPL_NET(s);
+
+#if (__FreeBSD_version >= 300000)
+ if (fr_slowtimer_ch.callout != NULL)
+ untimeout(fr_slowtimer, NULL, fr_slowtimer_ch);
+ bzero(&fr_slowtimer_ch, sizeof(fr_slowtimer_ch));
+#else
+ untimeout(fr_slowtimer, NULL);
+#endif /* FreeBSD */
+
+#ifndef NETBSD_PF
+ if (fr_checkp != NULL)
+ fr_checkp = fr_savep;
+ fr_savep = NULL;
+#endif
+
+#ifdef NETBSD_PF
+# if (__FreeBSD_version >= 500011)
+# if (__FreeBSD_version >= 501108)
+ ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
+ if (ph_inet != NULL)
+ error = pfil_remove_hook((void *)fr_check_wrapper, NULL,
+ PFIL_IN|PFIL_OUT, ph_inet);
+ else
+ error = 0;
+# else
+ error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
+ &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+# endif
+ if (error) {
+ SPL_X(s);
+ return error;
+ }
+# else
+ pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
+# endif
+# ifdef USE_INET6
+# if (__FreeBSD_version >= 501108)
+ ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
+ if (ph_inet6 != NULL)
+ error = pfil_remove_hook((void *)fr_check_wrapper6, NULL,
+ PFIL_IN|PFIL_OUT, ph_inet6);
+ else
+ error = 0;
+# else
+ error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
+ &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
+# endif
+ if (error) {
+ SPL_X(s);
+ return error;
+ }
+# endif
+#endif
+ fr_deinitialise();
+
+ fr_running = -2;
+
+ (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
+ (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
+
+ if (ipf_locks_done == 1) {
+ MUTEX_DESTROY(&ipf_timeoutlock);
+ MUTEX_DESTROY(&ipf_rw);
+ RW_DESTROY(&ipf_mutex);
+ RW_DESTROY(&ipf_ipidfrag);
+ RW_DESTROY(&ipf_global);
+ ipf_locks_done = 0;
+ }
+
+ SPL_X(s);
+
+ return 0;
+}
+
+
+/*
+ * Filter ioctl interface.
+ */
+int iplioctl(dev, cmd, data, mode
+# if defined(_KERNEL) && ((BSD >= 199506) || (__FreeBSD_version >= 220000))
+, p)
+# if (__FreeBSD_version >= 500024)
+struct thread *p;
+# else
+struct proc *p;
+# endif /* __FreeBSD_version >= 500024 */
+# else
+)
+# endif
+#if defined(_KERNEL) && (__FreeBSD_version >= 502116)
+struct cdev *dev;
+#else
+dev_t dev;
+#endif
+ioctlcmd_t cmd;
+caddr_t data;
+int mode;
+{
+#ifdef USE_SPL
+ int s;
+#endif
+ int error = 0, unit = 0, tmp;
+ friostat_t fio;
+
+#if (BSD >= 199306) && defined(_KERNEL)
+ if ((securelevel >= 2) && (mode & FWRITE))
+ return EPERM;
+#endif
+
+ unit = GET_MINOR(dev);
+ if ((IPL_LOGMAX < unit) || (unit < 0))
+ return ENXIO;
+
+ if (fr_running <= 0) {
+ if (unit != IPL_LOGIPF)
+ return EIO;
+ if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET &&
+ cmd != SIOCIPFSET && cmd != SIOCFRENB &&
+ cmd != SIOCGETFS && cmd != SIOCGETFF)
+ return EIO;
+ }
+
+ SPL_NET(s);
+
+ error = fr_ioctlswitch(unit, data, cmd, mode);
+ if (error != -1) {
+ SPL_X(s);
+ return error;
+ }
+ error = 0;
+
+ switch (cmd)
+ {
+ case FIONREAD :
+#ifdef IPFILTER_LOG
+ BCOPYOUT(&iplused[IPL_LOGIPF], (caddr_t)data,
+ sizeof(iplused[IPL_LOGIPF]));
+#endif
+ break;
+ case SIOCFRENB :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else {
+ BCOPYIN(data, &tmp, sizeof(tmp));
+ if (tmp) {
+ if (fr_running > 0)
+ error = 0;
+ else
+ error = iplattach();
+ if (error == 0)
+ fr_running = 1;
+ else
+ (void) ipldetach();
+ } else {
+ error = ipldetach();
+ if (error == 0)
+ fr_running = -1;
+ }
+ }
+ break;
+ case SIOCIPFSET :
+ if (!(mode & FWRITE)) {
+ error = EPERM;
+ break;
+ }
+ case SIOCIPFGETNEXT :
+ case SIOCIPFGET :
+ error = fr_ipftune(cmd, data);
+ break;
+ case SIOCSETFF :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else
+ BCOPYIN(data, &fr_flags, sizeof(fr_flags));
+ break;
+ case SIOCGETFF :
+ BCOPYOUT(&fr_flags, data, sizeof(fr_flags));
+ break;
+ case SIOCFUNCL :
+ error = fr_resolvefunc(data);
+ break;
+ case SIOCINAFR :
+ case SIOCRMAFR :
+ case SIOCADAFR :
+ case SIOCZRLST :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else
+ error = frrequest(unit, cmd, data, fr_active, 1);
+ break;
+ case SIOCINIFR :
+ case SIOCRMIFR :
+ case SIOCADIFR :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else
+ error = frrequest(unit, cmd, data, 1 - fr_active, 1);
+ break;
+ case SIOCSWAPA :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else {
+ bzero((char *)frcache, sizeof(frcache[0]) * 2);
+ *(u_int *)data = fr_active;
+ fr_active = 1 - fr_active;
+ }
+ break;
+ case SIOCGETFS :
+ fr_getstat(&fio);
+ error = fr_outobj(data, &fio, IPFOBJ_IPFSTAT);
+ break;
+ case SIOCFRZST :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else
+ error = fr_zerostats(data);
+ break;
+ case SIOCIPFFL :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else {
+ BCOPYIN(data, &tmp, sizeof(tmp));
+ tmp = frflush(unit, 4, tmp);
+ BCOPYOUT(&tmp, data, sizeof(tmp));
+ }
+ break;
+#ifdef USE_INET6
+ case SIOCIPFL6 :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else {
+ BCOPYIN(data, &tmp, sizeof(tmp));
+ tmp = frflush(unit, 6, tmp);
+ BCOPYOUT(&tmp, data, sizeof(tmp));
+ }
+ break;
+#endif
+ case SIOCSTLCK :
+ BCOPYIN(data, &tmp, sizeof(tmp));
+ fr_state_lock = tmp;
+ fr_nat_lock = tmp;
+ fr_frag_lock = tmp;
+ fr_auth_lock = tmp;
+ break;
+#ifdef IPFILTER_LOG
+ case SIOCIPFFB :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else
+ *(int *)data = ipflog_clear(unit);
+ break;
+#endif /* IPFILTER_LOG */
+ case SIOCGFRST :
+ error = fr_outobj(data, fr_fragstats(), IPFOBJ_FRAGSTAT);
+ break;
+ case SIOCFRSYN :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else {
+ frsync(NULL);
+ }
+ break;
+ default :
+ error = EINVAL;
+ break;
+ }
+ SPL_X(s);
+ return error;
+}
+
+
+#if 0
+void fr_forgetifp(ifp)
+void *ifp;
+{
+ register frentry_t *f;
+
+ WRITE_ENTER(&ipf_mutex);
+ for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+ for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+ for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+ for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+#ifdef USE_INET6
+ for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+ for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+ for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+ for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
+ if (f->fr_ifa == ifp)
+ f->fr_ifa = (void *)-1;
+#endif
+ RWLOCK_EXIT(&ipf_mutex);
+ fr_natsync(ifp);
+}
+#endif
+
+
+/*
+ * routines below for saving IP headers to buffer
+ */
+int iplopen(dev, flags
+#if ((BSD >= 199506) || (__FreeBSD_version >= 220000)) && defined(_KERNEL)
+, devtype, p)
+int devtype;
+# if (__FreeBSD_version >= 500024)
+struct thread *p;
+# else
+struct proc *p;
+# endif /* __FreeBSD_version >= 500024 */
+#else
+)
+#endif
+#if defined(_KERNEL) && (__FreeBSD_version >= 502116)
+struct cdev *dev;
+#else
+dev_t dev;
+#endif
+int flags;
+{
+ u_int min = GET_MINOR(dev);
+
+ if (IPL_LOGMAX < min)
+ min = ENXIO;
+ else
+ min = 0;
+ return min;
+}
+
+
+int iplclose(dev, flags
+#if ((BSD >= 199506) || (__FreeBSD_version >= 220000)) && defined(_KERNEL)
+, devtype, p)
+int devtype;
+# if (__FreeBSD_version >= 500024)
+struct thread *p;
+# else
+struct proc *p;
+# endif /* __FreeBSD_version >= 500024 */
+#else
+)
+#endif
+#if defined(_KERNEL) && (__FreeBSD_version >= 502116)
+struct cdev *dev;
+#else
+dev_t dev;
+#endif
+int flags;
+{
+ u_int min = GET_MINOR(dev);
+
+ if (IPL_LOGMAX < min)
+ min = ENXIO;
+ else
+ min = 0;
+ return min;
+}
+
+/*
+ * iplread/ipllog
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+#if (BSD >= 199306)
+int iplread(dev, uio, ioflag)
+int ioflag;
+#else
+int iplread(dev, uio)
+#endif
+#if defined(_KERNEL) && (__FreeBSD_version >= 502116)
+struct cdev *dev;
+#else
+dev_t dev;
+#endif
+register struct uio *uio;
+{
+
+# ifdef IPFILTER_SYNC
+ if (GET_MINOR(dev) == IPL_LOGSYNC)
+ return ipfsync_read(uio);
+# endif
+
+#ifdef IPFILTER_LOG
+ return ipflog_read(GET_MINOR(dev), uio);
+#else
+ return ENXIO;
+#endif
+}
+
+
+/*
+ * iplwrite
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+#if (BSD >= 199306)
+int iplwrite(dev, uio, ioflag)
+int ioflag;
+#else
+int iplwrite(dev, uio)
+#endif
+#if defined(_KERNEL) && (__FreeBSD_version >= 502116)
+struct cdev *dev;
+#else
+dev_t dev;
+#endif
+register struct uio *uio;
+{
+
+#ifdef IPFILTER_SYNC
+ if (GET_MINOR(dev) == IPL_LOGSYNC)
+ return ipfsync_write(uio);
+#endif
+ return ENXIO;
+}
+
+
+/*
+ * fr_send_reset - this could conceivably be a call to tcp_respond(), but that
+ * requires a large amount of setting up and isn't any more efficient.
+ */
+int fr_send_reset(fin)
+fr_info_t *fin;
+{
+ struct tcphdr *tcp, *tcp2;
+ int tlen = 0, hlen;
+ struct mbuf *m;
+#ifdef USE_INET6
+ ip6_t *ip6;
+#endif
+ ip_t *ip;
+
+ tcp = fin->fin_dp;
+ if (tcp->th_flags & TH_RST)
+ return -1; /* feedback loop */
+
+#ifndef IPFILTER_CKSUM
+ if (fr_checkl4sum(fin) == -1)
+ return -1;
+#endif
+
+ tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
+ ((tcp->th_flags & TH_SYN) ? 1 : 0) +
+ ((tcp->th_flags & TH_FIN) ? 1 : 0);
+
+#ifdef USE_INET6
+ hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
+#else
+ hlen = sizeof(ip_t);
+#endif
+#ifdef MGETHDR
+ MGETHDR(m, M_DONTWAIT, MT_HEADER);
+#else
+ MGET(m, M_DONTWAIT, MT_HEADER);
+#endif
+ if (m == NULL)
+ return -1;
+ if (sizeof(*tcp2) + hlen > MLEN) {
+ MCLGET(m, M_DONTWAIT);
+ if ((m->m_flags & M_EXT) == 0) {
+ FREE_MB_T(m);
+ return -1;
+ }
+ }
+
+ m->m_len = sizeof(*tcp2) + hlen;
+#if (BSD >= 199103)
+ m->m_data += max_linkhdr;
+ m->m_pkthdr.len = m->m_len;
+ m->m_pkthdr.rcvif = (struct ifnet *)0;
+#endif
+ ip = mtod(m, struct ip *);
+ bzero((char *)ip, hlen);
+#ifdef USE_INET6
+ ip6 = (ip6_t *)ip;
+#endif
+ tcp2 = (struct tcphdr *)((char *)ip + hlen);
+ tcp2->th_sport = tcp->th_dport;
+ tcp2->th_dport = tcp->th_sport;
+
+ if (tcp->th_flags & TH_ACK) {
+ tcp2->th_seq = tcp->th_ack;
+ tcp2->th_flags = TH_RST;
+ tcp2->th_ack = 0;
+ } else {
+ tcp2->th_seq = 0;
+ tcp2->th_ack = ntohl(tcp->th_seq);
+ tcp2->th_ack += tlen;
+ tcp2->th_ack = htonl(tcp2->th_ack);
+ tcp2->th_flags = TH_RST|TH_ACK;
+ }
+ TCP_X2_A(tcp2, 0);
+ TCP_OFF_A(tcp2, sizeof(*tcp2) >> 2);
+ tcp2->th_win = tcp->th_win;
+ tcp2->th_sum = 0;
+ tcp2->th_urp = 0;
+
+#ifdef USE_INET6
+ if (fin->fin_v == 6) {
+ ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
+ ip6->ip6_plen = htons(sizeof(struct tcphdr));
+ ip6->ip6_nxt = IPPROTO_TCP;
+ ip6->ip6_hlim = 0;
+ ip6->ip6_src = fin->fin_dst6;
+ ip6->ip6_dst = fin->fin_src6;
+ tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
+ sizeof(*ip6), sizeof(*tcp2));
+ return fr_send_ip(fin, m, &m);
+ }
+#endif
+ ip->ip_p = IPPROTO_TCP;
+ ip->ip_len = htons(sizeof(struct tcphdr));
+ ip->ip_src.s_addr = fin->fin_daddr;
+ ip->ip_dst.s_addr = fin->fin_saddr;
+ tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
+ ip->ip_len = hlen + sizeof(*tcp2);
+ return fr_send_ip(fin, m, &m);
+}
+
+
+static int fr_send_ip(fin, m, mpp)
+fr_info_t *fin;
+mb_t *m, **mpp;
+{
+ fr_info_t fnew;
+ ip_t *ip, *oip;
+ int hlen;
+
+ ip = mtod(m, ip_t *);
+ bzero((char *)&fnew, sizeof(fnew));
+
+ IP_V_A(ip, fin->fin_v);
+ switch (fin->fin_v)
+ {
+ case 4 :
+ fnew.fin_v = 4;
+ oip = fin->fin_ip;
+ IP_HL_A(ip, sizeof(*oip) >> 2);
+ ip->ip_tos = oip->ip_tos;
+ ip->ip_id = fin->fin_ip->ip_id;
+#if (__FreeBSD_version > 460000)
+ ip->ip_off = path_mtu_discovery ? IP_DF : 0;
+#else
+ ip->ip_off = 0;
+#endif
+ ip->ip_ttl = ip_defttl;
+ ip->ip_sum = 0;
+ hlen = sizeof(*oip);
+ break;
+#ifdef USE_INET6
+ case 6 :
+ {
+ ip6_t *ip6 = (ip6_t *)ip;
+
+ ip6->ip6_vfc = 0x60;
+ ip6->ip6_hlim = IPDEFTTL;
+
+ fnew.fin_v = 6;
+ hlen = sizeof(*ip6);
+ break;
+ }
+#endif
+ default :
+ return EINVAL;
+ }
+#ifdef IPSEC
+ m->m_pkthdr.rcvif = NULL;
+#endif
+
+ fnew.fin_ifp = fin->fin_ifp;
+ fnew.fin_flx = FI_NOCKSUM;
+ fnew.fin_m = m;
+ fnew.fin_ip = ip;
+ fnew.fin_mp = mpp;
+ fnew.fin_hlen = hlen;
+ fnew.fin_dp = (char *)ip + hlen;
+ (void) fr_makefrip(hlen, ip, &fnew);
+
+ return fr_fastroute(m, mpp, &fnew, NULL);
+}
+
+
+int fr_send_icmp_err(type, fin, dst)
+int type;
+fr_info_t *fin;
+int dst;
+{
+ int err, hlen, xtra, iclen, ohlen, avail, code;
+ struct in_addr dst4;
+ struct icmp *icmp;
+ struct mbuf *m;
+ void *ifp;
+#ifdef USE_INET6
+ ip6_t *ip6;
+ struct in6_addr dst6;
+#endif
+ ip_t *ip, *ip2;
+
+ if ((type < 0) || (type > ICMP_MAXTYPE))
+ return -1;
+
+ code = fin->fin_icode;
+#ifdef USE_INET6
+ if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int)))
+ return -1;
+#endif
+
+#ifndef IPFILTER_CKSUM
+ if (fr_checkl4sum(fin) == -1)
+ return -1;
+#endif
+#ifdef MGETHDR
+ MGETHDR(m, M_DONTWAIT, MT_HEADER);
+#else
+ MGET(m, M_DONTWAIT, MT_HEADER);
+#endif
+ if (m == NULL)
+ return -1;
+ avail = MHLEN;
+
+ xtra = 0;
+ hlen = 0;
+ ohlen = 0;
+ ifp = fin->fin_ifp;
+ if (fin->fin_v == 4) {
+ if ((fin->fin_p == IPPROTO_ICMP) &&
+ !(fin->fin_flx & FI_SHORT))
+ switch (ntohs(fin->fin_data[0]) >> 8)
+ {
+ case ICMP_ECHO :
+ case ICMP_TSTAMP :
+ case ICMP_IREQ :
+ case ICMP_MASKREQ :
+ break;
+ default :
+ FREE_MB_T(m);
+ return 0;
+ }
+
+ if (dst == 0) {
+ if (fr_ifpaddr(4, FRI_NORMAL, ifp,
+ &dst4, NULL) == -1) {
+ FREE_MB_T(m);
+ return -1;
+ }
+ } else
+ dst4.s_addr = fin->fin_daddr;
+
+ hlen = sizeof(ip_t);
+ ohlen = fin->fin_hlen;
+ if (fin->fin_hlen < fin->fin_plen)
+ xtra = MIN(fin->fin_dlen, 8);
+ else
+ xtra = 0;
+ }
+
+#ifdef USE_INET6
+ else if (fin->fin_v == 6) {
+ hlen = sizeof(ip6_t);
+ ohlen = sizeof(ip6_t);
+ type = icmptoicmp6types[type];
+ if (type == ICMP6_DST_UNREACH)
+ code = icmptoicmp6unreach[code];
+
+ if (hlen + sizeof(*icmp) + max_linkhdr +
+ fin->fin_plen > avail) {
+ MCLGET(m, M_DONTWAIT);
+ if ((m->m_flags & M_EXT) == 0) {
+ FREE_MB_T(m);
+ return -1;
+ }
+ avail = MCLBYTES;
+ }
+ xtra = MIN(fin->fin_plen,
+ avail - hlen - sizeof(*icmp) - max_linkhdr);
+ if (dst == 0) {
+ if (fr_ifpaddr(6, FRI_NORMAL, ifp,
+ (struct in_addr *)&dst6, NULL) == -1) {
+ FREE_MB_T(m);
+ return -1;
+ }
+ } else
+ dst6 = fin->fin_dst6;
+ }
+#endif
+ else {
+ FREE_MB_T(m);
+ return -1;
+ }
+
+ iclen = hlen + sizeof(*icmp);
+ avail -= (max_linkhdr + iclen);
+ if (avail < 0) {
+ FREE_MB_T(m);
+ return -1;
+ }
+ if (xtra > avail)
+ xtra = avail;
+ iclen += xtra;
+ m->m_data += max_linkhdr;
+ m->m_pkthdr.rcvif = (struct ifnet *)0;
+ m->m_pkthdr.len = iclen;
+ m->m_len = iclen;
+ ip = mtod(m, ip_t *);
+ icmp = (struct icmp *)((char *)ip + hlen);
+ ip2 = (ip_t *)&icmp->icmp_ip;
+
+ icmp->icmp_type = type;
+ icmp->icmp_code = fin->fin_icode;
+ icmp->icmp_cksum = 0;
+#ifdef icmp_nextmtu
+ if (type == ICMP_UNREACH &&
+ fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp)
+ icmp->icmp_nextmtu = htons(((struct ifnet *)ifp)->if_mtu);
+#endif
+
+ bcopy((char *)fin->fin_ip, (char *)ip2, ohlen);
+
+#ifdef USE_INET6
+ ip6 = (ip6_t *)ip;
+ if (fin->fin_v == 6) {
+ ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
+ ip6->ip6_plen = htons(iclen - hlen);
+ ip6->ip6_nxt = IPPROTO_ICMPV6;
+ ip6->ip6_hlim = 0;
+ ip6->ip6_src = dst6;
+ ip6->ip6_dst = fin->fin_src6;
+ if (xtra > 0)
+ bcopy((char *)fin->fin_ip + ohlen,
+ (char *)&icmp->icmp_ip + ohlen, xtra);
+ icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
+ sizeof(*ip6), iclen - hlen);
+ } else
+#endif
+ {
+ ip2->ip_len = htons(ip2->ip_len);
+ ip2->ip_off = htons(ip2->ip_off);
+ ip->ip_p = IPPROTO_ICMP;
+ ip->ip_src.s_addr = dst4.s_addr;
+ ip->ip_dst.s_addr = fin->fin_saddr;
+
+ if (xtra > 0)
+ bcopy((char *)fin->fin_ip + ohlen,
+ (char *)&icmp->icmp_ip + ohlen, xtra);
+ icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
+ sizeof(*icmp) + 8);
+ ip->ip_len = iclen;
+ ip->ip_p = IPPROTO_ICMP;
+ }
+ err = fr_send_ip(fin, m, &m);
+ return err;
+}
+
+
+#if !defined(IPFILTER_LKM) && (__FreeBSD_version < 300000)
+# if (BSD < 199306)
+int iplinit __P((void));
+
+int
+# else
+void iplinit __P((void));
+
+void
+# endif
+iplinit()
+{
+ if (iplattach() != 0)
+ printf("IP Filter failed to attach\n");
+ ip_init();
+}
+#endif /* __FreeBSD_version < 300000 */
+
+
+int fr_fastroute(m0, mpp, fin, fdp)
+mb_t *m0, **mpp;
+fr_info_t *fin;
+frdest_t *fdp;
+{
+ register struct ip *ip, *mhip;
+ register struct mbuf *m = m0;
+ register struct route *ro;
+ int len, off, error = 0, hlen, code;
+ struct ifnet *ifp, *sifp;
+ struct sockaddr_in *dst;
+ struct route iproute;
+ u_short ip_off;
+ frentry_t *fr;
+
+#ifdef M_WRITABLE
+ /*
+ * HOT FIX/KLUDGE:
+ *
+ * If the mbuf we're about to send is not writable (because of
+ * a cluster reference, for example) we'll need to make a copy
+ * of it since this routine modifies the contents.
+ *
+ * If you have non-crappy network hardware that can transmit data
+ * from the mbuf, rather than making a copy, this is gonna be a
+ * problem.
+ */
+ if (M_WRITABLE(m) == 0) {
+ if ((m0 = m_dup(m, M_DONTWAIT)) != 0) {
+ FREE_MB_T(m);
+ m = m0;
+ *mpp = m;
+ } else {
+ error = ENOBUFS;
+ FREE_MB_T(m);
+ *mpp = NULL;
+ fr_frouteok[1]++;
+ }
+ }
+#endif
+
+#ifdef USE_INET6
+ if (fin->fin_v == 6) {
+ /*
+ * currently "to <if>" and "to <if>:ip#" are not supported
+ * for IPv6
+ */
+#if (__FreeBSD_version >= 490000)
+ return ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
+#else
+ return ip6_output(m0, NULL, NULL, 0, NULL, NULL);
+#endif
+ }
+#endif
+
+ hlen = fin->fin_hlen;
+ ip = mtod(m0, struct ip *);
+
+ /*
+ * Route packet.
+ */
+ ro = &iproute;
+ bzero((caddr_t)ro, sizeof (*ro));
+ dst = (struct sockaddr_in *)&ro->ro_dst;
+ dst->sin_family = AF_INET;
+ dst->sin_addr = ip->ip_dst;
+
+ fr = fin->fin_fr;
+ if (fdp != NULL)
+ ifp = fdp->fd_ifp;
+ else
+ ifp = fin->fin_ifp;
+
+ if ((ifp == NULL) && (!fr || !(fr->fr_flags & FR_FASTROUTE))) {
+ error = -2;
+ goto bad;
+ }
+
+ /*
+ * In case we're here due to "to <if>" being used with "keep state",
+ * check that we're going in the correct direction.
+ */
+ if ((fr != NULL) && (fin->fin_rev != 0)) {
+ if ((ifp != NULL) && (fdp == &fr->fr_tif))
+ return -1;
+ }
+ if (fdp != NULL) {
+ if (fdp->fd_ip.s_addr != 0)
+ dst->sin_addr = fdp->fd_ip;
+ }
+
+ dst->sin_len = sizeof(*dst);
+ rtalloc(ro);
+
+ if ((ifp == NULL) && (ro->ro_rt != NULL))
+ ifp = ro->ro_rt->rt_ifp;
+
+ if ((ro->ro_rt == NULL) || (ifp == NULL)) {
+ if (in_localaddr(ip->ip_dst))
+ error = EHOSTUNREACH;
+ else
+ error = ENETUNREACH;
+ goto bad;
+ }
+ if (ro->ro_rt->rt_flags & RTF_GATEWAY)
+ dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
+ if (ro->ro_rt)
+ ro->ro_rt->rt_use++;
+
+ /*
+ * For input packets which are being "fastrouted", they won't
+ * go back through output filtering and miss their chance to get
+ * NAT'd and counted.
+ */
+ if (fin->fin_out == 0) {
+ sifp = fin->fin_ifp;
+ fin->fin_ifp = ifp;
+ fin->fin_out = 1;
+ (void) fr_acctpkt(fin, NULL);
+ fin->fin_fr = NULL;
+ if (!fr || !(fr->fr_flags & FR_RETMASK)) {
+ u_32_t pass;
+
+ (void) fr_checkstate(fin, &pass);
+ }
+
+ switch (fr_checknatout(fin, NULL))
+ {
+ case 0 :
+ break;
+ case 1 :
+ ip->ip_sum = 0;
+ break;
+ case -1 :
+ error = -1;
+ goto done;
+ break;
+ }
+
+ fin->fin_ifp = sifp;
+ fin->fin_out = 0;
+ } else
+ ip->ip_sum = 0;
+ /*
+ * If small enough for interface, can just send directly.
+ */
+ if (ip->ip_len <= ifp->if_mtu) {
+ ip->ip_len = htons(ip->ip_len);
+ ip->ip_off = htons(ip->ip_off);
+
+ if (!ip->ip_sum)
+ ip->ip_sum = in_cksum(m, hlen);
+ error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
+ ro->ro_rt);
+ goto done;
+ }
+ /*
+ * Too large for interface; fragment if possible.
+ * Must be able to put at least 8 bytes per fragment.
+ */
+ ip_off = ntohs(ip->ip_off);
+ if (ip_off & IP_DF) {
+ error = EMSGSIZE;
+ goto bad;
+ }
+ len = (ifp->if_mtu - hlen) &~ 7;
+ if (len < 8) {
+ error = EMSGSIZE;
+ goto bad;
+ }
+
+ {
+ int mhlen, firstlen = len;
+ struct mbuf **mnext = &m->m_act;
+
+ /*
+ * Loop through length of segment after first fragment,
+ * make new header and copy data of each part and link onto chain.
+ */
+ m0 = m;
+ mhlen = sizeof (struct ip);
+ for (off = hlen + len; off < ip->ip_len; off += len) {
+#ifdef MGETHDR
+ MGETHDR(m, M_DONTWAIT, MT_HEADER);
+#else
+ MGET(m, M_DONTWAIT, MT_HEADER);
+#endif
+ if (m == 0) {
+ m = m0;
+ error = ENOBUFS;
+ goto bad;
+ }
+ m->m_data += max_linkhdr;
+ mhip = mtod(m, struct ip *);
+ bcopy((char *)ip, (char *)mhip, sizeof(*ip));
+ if (hlen > sizeof (struct ip)) {
+ mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
+ IP_HL_A(mhip, mhlen >> 2);
+ }
+ m->m_len = mhlen;
+ mhip->ip_off = ((off - hlen) >> 3) + ip_off;
+ if (off + len >= ip->ip_len)
+ len = ip->ip_len - off;
+ else
+ mhip->ip_off |= IP_MF;
+ mhip->ip_len = htons((u_short)(len + mhlen));
+ m->m_next = m_copy(m0, off, len);
+ if (m->m_next == 0) {
+ error = ENOBUFS; /* ??? */
+ goto sendorfree;
+ }
+ m->m_pkthdr.len = mhlen + len;
+ m->m_pkthdr.rcvif = NULL;
+ mhip->ip_off = htons((u_short)mhip->ip_off);
+ mhip->ip_sum = 0;
+ mhip->ip_sum = in_cksum(m, mhlen);
+ *mnext = m;
+ mnext = &m->m_act;
+ }
+ /*
+ * Update first fragment by trimming what's been copied out
+ * and updating header, then send each fragment (in order).
+ */
+ m_adj(m0, hlen + firstlen - ip->ip_len);
+ ip->ip_len = htons((u_short)(hlen + firstlen));
+ ip->ip_off = htons((u_short)IP_MF);
+ ip->ip_sum = 0;
+ ip->ip_sum = in_cksum(m0, hlen);
+sendorfree:
+ for (m = m0; m; m = m0) {
+ m0 = m->m_act;
+ m->m_act = 0;
+ if (error == 0)
+ error = (*ifp->if_output)(ifp, m,
+ (struct sockaddr *)dst, ro->ro_rt);
+ else
+ FREE_MB_T(m);
+ }
+ }
+done:
+ if (!error)
+ fr_frouteok[0]++;
+ else
+ fr_frouteok[1]++;
+
+ if (ro->ro_rt) {
+ RTFREE(ro->ro_rt);
+ }
+ *mpp = NULL;
+ return 0;
+bad:
+ if (error == EMSGSIZE) {
+ sifp = fin->fin_ifp;
+ code = fin->fin_icode;
+ fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
+ fin->fin_ifp = ifp;
+ (void) fr_send_icmp_err(ICMP_UNREACH, fin, 1);
+ fin->fin_ifp = sifp;
+ fin->fin_icode = code;
+ }
+ FREE_MB_T(m);
+ goto done;
+}
+
+
+int fr_verifysrc(fin)
+fr_info_t *fin;
+{
+ struct sockaddr_in *dst;
+ struct route iproute;
+
+ bzero((char *)&iproute, sizeof(iproute));
+ dst = (struct sockaddr_in *)&iproute.ro_dst;
+ dst->sin_len = sizeof(*dst);
+ dst->sin_family = AF_INET;
+ dst->sin_addr = fin->fin_src;
+ rtalloc(&iproute);
+ if (iproute.ro_rt == NULL)
+ return 0;
+ return (fin->fin_ifp == iproute.ro_rt->rt_ifp);
+}
+
+
+/*
+ * return the first IP Address associated with an interface
+ */
+int fr_ifpaddr(v, atype, ifptr, inp, inpmask)
+int v, atype;
+void *ifptr;
+struct in_addr *inp, *inpmask;
+{
+#ifdef USE_INET6
+ struct in6_addr *inp6 = NULL;
+#endif
+ struct sockaddr *sock, *mask;
+ struct sockaddr_in *sin;
+ struct ifaddr *ifa;
+ struct ifnet *ifp;
+
+ if ((ifptr == NULL) || (ifptr == (void *)-1))
+ return -1;
+
+ sin = NULL;
+ ifp = ifptr;
+
+ if (v == 4)
+ inp->s_addr = 0;
+#ifdef USE_INET6
+ else if (v == 6)
+ bzero((char *)inp, sizeof(struct in6_addr));
+#endif
+#if (__FreeBSD_version >= 300000)
+ ifa = TAILQ_FIRST(&ifp->if_addrhead);
+#else
+ ifa = ifp->if_addrlist;
+#endif /* __FreeBSD_version >= 300000 */
+
+ sock = ifa->ifa_addr;
+ while (sock != NULL && ifa != NULL) {
+ sin = (struct sockaddr_in *)sock;
+ if ((v == 4) && (sin->sin_family == AF_INET))
+ break;
+#ifdef USE_INET6
+ if ((v == 6) && (sin->sin_family == AF_INET6)) {
+ inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
+ if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
+ !IN6_IS_ADDR_LOOPBACK(inp6))
+ break;
+ }
+#endif
+#if (__FreeBSD_version >= 300000)
+ ifa = TAILQ_NEXT(ifa, ifa_link);
+#else
+ ifa = ifa->ifa_next;
+#endif /* __FreeBSD_version >= 300000 */
+ if (ifa != NULL)
+ sock = ifa->ifa_addr;
+ }
+
+ if (ifa == NULL || sin == NULL)
+ return -1;
+
+ mask = ifa->ifa_netmask;
+ if (atype == FRI_BROADCAST)
+ sock = ifa->ifa_broadaddr;
+ else if (atype == FRI_PEERADDR)
+ sock = ifa->ifa_dstaddr;
+
+#ifdef USE_INET6
+ if (v == 6) {
+ return fr_ifpfillv6addr(atype, (struct sockaddr_in6 *)sock,
+ (struct sockaddr_in6 *)mask,
+ inp, inpmask);
+ }
+#endif
+ return fr_ifpfillv4addr(atype, (struct sockaddr_in *)sock,
+ (struct sockaddr_in *)mask, inp, inpmask);
+}
+
+
+u_32_t fr_newisn(fin)
+fr_info_t *fin;
+{
+ u_32_t newiss;
+#if (__FreeBSD_version >= 400000)
+ newiss = arc4random();
+#else
+ static iss_seq_off = 0;
+ u_char hash[16];
+ MD5_CTX ctx;
+
+ /*
+ * Compute the base value of the ISS. It is a hash
+ * of (saddr, sport, daddr, dport, secret).
+ */
+ MD5Init(&ctx);
+
+ MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_src,
+ sizeof(fin->fin_fi.fi_src));
+ MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_dst,
+ sizeof(fin->fin_fi.fi_dst));
+ MD5Update(&ctx, (u_char *) &fin->fin_dat, sizeof(fin->fin_dat));
+
+ MD5Update(&ctx, ipf_iss_secret, sizeof(ipf_iss_secret));
+
+ MD5Final(hash, &ctx);
+
+ memcpy(&newiss, hash, sizeof(newiss));
+
+ /*
+ * Now increment our "timer", and add it in to
+ * the computed value.
+ *
+ * XXX Use `addin'?
+ * XXX TCP_ISSINCR too large to use?
+ */
+ iss_seq_off += 0x00010000;
+ newiss += iss_seq_off;
+#endif
+ return newiss;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_nextipid */
+/* Returns: int - 0 == success, -1 == error (packet should be droppped) */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* Returns the next IPv4 ID to use for this packet. */
+/* ------------------------------------------------------------------------ */
+u_short fr_nextipid(fin)
+fr_info_t *fin;
+{
+#ifndef RANDOM_IP_ID
+ static u_short ipid = 0;
+ u_short id;
+
+ MUTEX_ENTER(&ipf_rw);
+ id = ipid++;
+ MUTEX_EXIT(&ipf_rw);
+#else
+ u_short id;
+
+ id = ip_randomid();
+#endif
+
+ return id;
+}
+
+
+INLINE void fr_checkv4sum(fin)
+fr_info_t *fin;
+{
+#ifdef CSUM_DATA_VALID
+ int manual = 0;
+ u_short sum;
+ ip_t *ip;
+ mb_t *m;
+
+ if ((fin->fin_flx & FI_NOCKSUM) != 0)
+ return;
+
+ m = fin->fin_m;
+ if (m == NULL) {
+ manual = 1;
+ goto skipauto;
+ }
+ ip = fin->fin_ip;
+
+ if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
+ if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
+ sum = m->m_pkthdr.csum_data;
+ else
+ sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
+ htonl(m->m_pkthdr.csum_data +
+ fin->fin_ip->ip_len + fin->fin_p));
+ sum ^= 0xffff;
+ if (sum != 0)
+ fin->fin_flx |= FI_BAD;
+ } else
+ manual = 1;
+skipauto:
+# ifdef IPFILTER_CKSUM
+ if (manual != 0)
+ if (fr_checkl4sum(fin) == -1)
+ fin->fin_flx |= FI_BAD;
+# else
+ ;
+# endif
+#else
+# ifdef IPFILTER_CKSUM
+ if (fr_checkl4sum(fin) == -1)
+ fin->fin_flx |= FI_BAD;
+# endif
+#endif
+}
+
+
+#ifdef USE_INET6
+INLINE void fr_checkv6sum(fin)
+fr_info_t *fin;
+{
+# ifdef IPFILTER_CKSUM
+ if (fr_checkl4sum(fin) == -1)
+ fin->fin_flx |= FI_BAD;
+# endif
+}
+#endif /* USE_INET6 */
+
+
+size_t mbufchainlen(m0)
+struct mbuf *m0;
+{
+ size_t len;
+
+ if ((m0->m_flags & M_PKTHDR) != 0) {
+ len = m0->m_pkthdr.len;
+ } else {
+ struct mbuf *m;
+
+ for (m = m0, len = 0; m != NULL; m = m->m_next)
+ len += m->m_len;
+ }
+ return len;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_pullup */
+/* Returns: NULL == pullup failed, else pointer to protocol header */
+/* Parameters: m(I) - pointer to buffer where data packet starts */
+/* fin(I) - pointer to packet information */
+/* len(I) - number of bytes to pullup */
+/* */
+/* Attempt to move at least len bytes (from the start of the buffer) into a */
+/* single buffer for ease of access. Operating system native functions are */
+/* used to manage buffers - if necessary. If the entire packet ends up in */
+/* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */
+/* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */
+/* and ONLY if the pullup succeeds. */
+/* */
+/* We assume that 'min' is a pointer to a buffer that is part of the chain */
+/* of buffers that starts at *fin->fin_mp. */
+/* ------------------------------------------------------------------------ */
+void *fr_pullup(min, fin, len)
+mb_t *min;
+fr_info_t *fin;
+int len;
+{
+ int out = fin->fin_out, dpoff, ipoff;
+ mb_t *m = min;
+ char *ip;
+
+ if (m == NULL)
+ return NULL;
+
+ ip = (char *)fin->fin_ip;
+ if ((fin->fin_flx & FI_COALESCE) != 0)
+ return ip;
+
+ ipoff = fin->fin_ipoff;
+ if (fin->fin_dp != NULL)
+ dpoff = (char *)fin->fin_dp - (char *)ip;
+ else
+ dpoff = 0;
+
+ if (M_LEN(m) < len) {
+#ifdef MHLEN
+ /*
+ * Assume that M_PKTHDR is set and just work with what is left
+ * rather than check..
+ * Should not make any real difference, anyway.
+ */
+ if (len > MHLEN)
+#else
+ if (len > MLEN)
+#endif
+ {
+#ifdef HAVE_M_PULLDOWN
+ if (m_pulldown(m, 0, len, NULL) == NULL)
+ m = NULL;
+#else
+ FREE_MB_T(*fin->fin_mp);
+ m = NULL;
+#endif
+ } else
+ {
+ m = m_pullup(m, len);
+ }
+ *fin->fin_mp = m;
+ fin->fin_m = m;
+ if (m == NULL) {
+ ATOMIC_INCL(frstats[out].fr_pull[1]);
+ return NULL;
+ }
+ ip = MTOD(m, char *) + ipoff;
+ }
+
+ ATOMIC_INCL(frstats[out].fr_pull[0]);
+ fin->fin_ip = (ip_t *)ip;
+ if (fin->fin_dp != NULL)
+ fin->fin_dp = (char *)fin->fin_ip + dpoff;
+
+ if (len == fin->fin_plen)
+ fin->fin_flx |= FI_COALESCE;
+ return ip;
+}
diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c
index 73f98c46e3d0..6baa57013879 100644
--- a/sys/contrib/ipfilter/netinet/ip_frag.c
+++ b/sys/contrib/ipfilter/netinet/ip_frag.c
@@ -1,45 +1,55 @@
+/* $FreeBSD$ */
+
/*
- * Copyright (C) 1993-2001 by Darren Reed.
+ * Copyright (C) 1993-2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if defined(KERNEL) && !defined(_KERNEL)
-# define _KERNEL
-#endif
-
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
+#if defined(KERNEL) || defined(_KERNEL)
+# undef KERNEL
+# undef _KERNEL
+# define KERNEL 1
+# define _KERNEL 1
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
-#if !defined(_KERNEL) && !defined(KERNEL)
+#ifdef __hpux
+# include <sys/timeout.h>
+#endif
+#if !defined(_KERNEL)
# include <stdio.h>
# include <string.h>
# include <stdlib.h>
+# define _KERNEL
+# ifdef __OpenBSD__
+struct file;
+# endif
+# include <sys/uio.h>
+# undef _KERNEL
#endif
-#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
+#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
# include <sys/fcntl.h>
#else
# include <sys/ioctl.h>
#endif
-#ifndef linux
+#if !defined(linux)
# include <sys/protosw.h>
#endif
#include <sys/socket.h>
-#if defined(_KERNEL) && !defined(linux)
+#if defined(_KERNEL)
# include <sys/systm.h>
+# if !defined(__SVR4) && !defined(__svr4__)
+# include <sys/mbuf.h>
+# endif
#endif
#if !defined(__SVR4) && !defined(__svr4__)
# if defined(_KERNEL) && !defined(__sgi)
# include <sys/kernel.h>
# endif
-# ifndef linux
-# include <sys/mbuf.h>
-# endif
#else
# include <sys/byteorder.h>
# ifdef _KERNEL
@@ -56,7 +66,7 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
-#ifndef linux
+#if !defined(linux)
# include <netinet/ip_var.h>
#endif
#include <netinet/tcp.h>
@@ -69,63 +79,129 @@
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_auth.h"
+#include "netinet/ip_proxy.h"
#if (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
-# if (defined(KERNEL) || defined(_KERNEL))
+# if defined(_KERNEL)
# ifndef IPFILTER_LKM
# include <sys/libkern.h>
# include <sys/systm.h>
# endif
-extern struct callout_handle ipfr_slowtimer_ch;
+extern struct callout_handle fr_slowtimer_ch;
# endif
#endif
#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
# include <sys/callout.h>
-extern struct callout ipfr_slowtimer_ch;
+extern struct callout fr_slowtimer_ch;
#endif
#if defined(__OpenBSD__)
# include <sys/timeout.h>
-extern struct timeout ipfr_slowtimer_ch;
+extern struct timeout fr_slowtimer_ch;
#endif
+/* END OF INCLUDES */
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.28 2003/06/11 22:28:15 darrenr Exp $";
+static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.77 2004/01/27 00:24:54 darrenr Exp";
#endif
-static ipfr_t *ipfr_heads[IPFT_SIZE];
-static ipfr_t *ipfr_nattab[IPFT_SIZE];
+static ipfr_t *ipfr_list = NULL;
+static ipfr_t **ipfr_tail = &ipfr_list;
+static ipfr_t **ipfr_heads;
+
+static ipfr_t *ipfr_natlist = NULL;
+static ipfr_t **ipfr_nattail = &ipfr_natlist;
+static ipfr_t **ipfr_nattab;
+
+static ipfr_t *ipfr_ipidlist = NULL;
+static ipfr_t **ipfr_ipidtail = &ipfr_ipidlist;
+static ipfr_t **ipfr_ipidtab;
+
static ipfrstat_t ipfr_stats;
static int ipfr_inuse = 0;
+int ipfr_size = IPFT_SIZE;
int fr_ipfrttl = 120; /* 60 seconds */
int fr_frag_lock = 0;
+int fr_frag_init = 0;
+u_long fr_ticks = 0;
-#ifdef _KERNEL
-# if SOLARIS2 >= 7
-extern timeout_id_t ipfr_timer_id;
-# else
-extern int ipfr_timer_id;
-# endif
-#endif
-#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T ipf_frag, ipf_natfrag, ipf_nat, ipf_mutex;
-# if SOLARIS
-extern KRWLOCK_T ipf_solaris;
-# else
-KRWLOCK_T ipf_solaris;
-# endif
-extern kmutex_t ipf_rw;
-#endif
+static ipfr_t *ipfr_newfrag __P((fr_info_t *, u_32_t, ipfr_t **));
+static ipfr_t *fr_fraglookup __P((fr_info_t *, ipfr_t **));
+static void fr_fragdelete __P((ipfr_t *, ipfr_t ***));
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_fraginit */
+/* Returns: int - 0 == success, -1 == error */
+/* Parameters: Nil */
+/* */
+/* Initialise the hash tables for the fragment cache lookups. */
+/* ------------------------------------------------------------------------ */
+int fr_fraginit()
+{
+ KMALLOCS(ipfr_heads, ipfr_t **, ipfr_size * sizeof(ipfr_t *));
+ if (ipfr_heads == NULL)
+ return -1;
+ bzero((char *)ipfr_heads, ipfr_size * sizeof(ipfr_t *));
+
+ KMALLOCS(ipfr_nattab, ipfr_t **, ipfr_size * sizeof(ipfr_t *));
+ if (ipfr_nattab == NULL)
+ return -1;
+ bzero((char *)ipfr_nattab, ipfr_size * sizeof(ipfr_t *));
+
+ KMALLOCS(ipfr_ipidtab, ipfr_t **, ipfr_size * sizeof(ipfr_t *));
+ if (ipfr_ipidtab == NULL)
+ return -1;
+ bzero((char *)ipfr_ipidtab, ipfr_size * sizeof(ipfr_t *));
+
+ RWLOCK_INIT(&ipf_frag, "ipf fragment rwlock");
+ fr_frag_init = 1;
+
+ return 0;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_fragunload */
+/* Returns: Nil */
+/* Parameters: Nil */
+/* */
+/* Free all memory allocated whilst running and from initialisation. */
+/* ------------------------------------------------------------------------ */
+void fr_fragunload()
+{
+ if (fr_frag_init == 1) {
+ fr_fragclear();
+
+ RW_DESTROY(&ipf_frag);
+ fr_frag_init = 0;
+ }
+
+ if (ipfr_heads != NULL)
+ KFREES(ipfr_heads, ipfr_size * sizeof(ipfr_t *));
+ ipfr_heads = NULL;
+
+ if (ipfr_nattab != NULL)
+ KFREES(ipfr_nattab, ipfr_size * sizeof(ipfr_t *));
+ ipfr_nattab = NULL;
-static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, ipfr_t **));
-static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
-static void ipfr_delete __P((ipfr_t *));
+ if (ipfr_ipidtab != NULL)
+ KFREES(ipfr_ipidtab, ipfr_size * sizeof(ipfr_t *));
+ ipfr_ipidtab = NULL;
+}
-ipfrstat_t *ipfr_fragstats()
+/* ------------------------------------------------------------------------ */
+/* Function: fr_fragstats */
+/* Returns: ipfrstat_t* - pointer to struct with current frag stats */
+/* Parameters: Nil */
+/* */
+/* Updates ipfr_stats with current information and returns a pointer to it */
+/* ------------------------------------------------------------------------ */
+ipfrstat_t *fr_fragstats()
{
ipfr_stats.ifs_table = ipfr_heads;
ipfr_stats.ifs_nattab = ipfr_nattab;
@@ -134,24 +210,36 @@ ipfrstat_t *ipfr_fragstats()
}
-/*
- * add a new entry to the fragment cache, registering it as having come
- * through this box, with the result of the filter operation.
- */
-static ipfr_t *ipfr_new(ip, fin, table)
-ip_t *ip;
+/* ------------------------------------------------------------------------ */
+/* Function: ipfr_newfrag */
+/* Returns: ipfr_t * - pointer to fragment cache state info or NULL */
+/* Parameters: fin(I) - pointer to packet information */
+/* table(I) - pointer to frag table to add to */
+/* */
+/* Add a new entry to the fragment cache, registering it as having come */
+/* through this box, with the result of the filter operation. */
+/* ------------------------------------------------------------------------ */
+static ipfr_t *ipfr_newfrag(fin, pass, table)
fr_info_t *fin;
+u_32_t pass;
ipfr_t *table[];
{
- ipfr_t **fp, *fra, frag;
+ ipfr_t *fra, frag;
u_int idx, off;
+ ip_t *ip;
if (ipfr_inuse >= IPFT_SIZE)
return NULL;
- if (!(fin->fin_fl & FI_FRAG))
+ if ((fin->fin_flx & (FI_FRAG|FI_BAD)) != FI_FRAG)
return NULL;
+ ip = fin->fin_ip;
+
+ if (pass & FR_FRSTRICT)
+ if ((ip->ip_off & IP_OFFMASK) != 0)
+ return NULL;
+
frag.ipfr_p = ip->ip_p;
idx = ip->ip_p;
frag.ipfr_id = ip->ip_id;
@@ -172,10 +260,10 @@ ipfr_t *table[];
/*
* first, make sure it isn't already there...
*/
- for (fp = &table[idx]; (fra = *fp); fp = &fra->ipfr_next)
- if (!bcmp((char *)&frag.ipfr_src, (char *)&fra->ipfr_src,
+ for (fra = table[idx]; (fra != NULL); fra = fra->ipfr_hnext)
+ if (!bcmp((char *)&frag.ipfr_ifp, (char *)&fra->ipfr_ifp,
IPFR_CMPSZ)) {
- ATOMIC_INCL(ipfr_stats.ifs_exists);
+ ipfr_stats.ifs_exists++;
return NULL;
}
@@ -185,105 +273,165 @@ ipfr_t *table[];
*/
KMALLOC(fra, ipfr_t *);
if (fra == NULL) {
- ATOMIC_INCL(ipfr_stats.ifs_nomem);
+ ipfr_stats.ifs_nomem++;
return NULL;
}
- if ((fra->ipfr_rule = fin->fin_fr) != NULL) {
- ATOMIC_INC32(fin->fin_fr->fr_ref);
- }
-
+ if ((fra->ipfr_rule = fin->fin_fr) != NULL)
+ fin->fin_fr->fr_ref++;
/*
* Insert the fragment into the fragment table, copy the struct used
* in the search using bcopy rather than reassign each field.
* Set the ttl to the default.
*/
- if ((fra->ipfr_next = table[idx]))
- table[idx]->ipfr_prev = fra;
- fra->ipfr_prev = NULL;
+ if ((fra->ipfr_hnext = table[idx]) != NULL)
+ table[idx]->ipfr_hprev = &fra->ipfr_hnext;
+ fra->ipfr_hprev = table + idx;
fra->ipfr_data = NULL;
table[idx] = fra;
- bcopy((char *)&frag.ipfr_src, (char *)&fra->ipfr_src, IPFR_CMPSZ);
- fra->ipfr_ttl = fr_ipfrttl;
+ bcopy((char *)&frag.ipfr_ifp, (char *)&fra->ipfr_ifp, IPFR_CMPSZ);
+ fra->ipfr_ttl = fr_ticks + fr_ipfrttl;
+
/*
* Compute the offset of the expected start of the next packet.
*/
off = ip->ip_off & IP_OFFMASK;
- if (!off)
+ if (off == 0)
fra->ipfr_seen0 = 1;
fra->ipfr_off = off + (fin->fin_dlen >> 3);
- ATOMIC_INCL(ipfr_stats.ifs_new);
- ATOMIC_INC32(ipfr_inuse);
+ fra->ipfr_pass = pass;
+ ipfr_stats.ifs_new++;
+ ipfr_inuse++;
return fra;
}
-int ipfr_newfrag(ip, fin)
-ip_t *ip;
+/* ------------------------------------------------------------------------ */
+/* Function: fr_newfrag */
+/* Returns: int - 0 == success, -1 == error */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* Add a new entry to the fragment cache table based on the current packet */
+/* ------------------------------------------------------------------------ */
+int fr_newfrag(fin, pass)
+u_32_t pass;
fr_info_t *fin;
{
- ipfr_t *ipf;
+ ipfr_t *fra;
- if ((ip->ip_v != 4) || (fr_frag_lock))
+ if ((fin->fin_v != 4) || (fr_frag_lock != 0))
return -1;
+
WRITE_ENTER(&ipf_frag);
- ipf = ipfr_new(ip, fin, ipfr_heads);
- RWLOCK_EXIT(&ipf_frag);
- if (ipf == NULL) {
- ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr);
- return -1;
+ fra = ipfr_newfrag(fin, pass, ipfr_heads);
+ if (fra != NULL) {
+ *ipfr_tail = fra;
+ fra->ipfr_prev = ipfr_tail;
+ ipfr_tail = &fra->ipfr_next;
+ if (ipfr_list == NULL)
+ ipfr_list = fra;
+ fra->ipfr_next = NULL;
}
- ATOMIC_INCL(frstats[fin->fin_out].fr_nfr);
- return 0;
+ RWLOCK_EXIT(&ipf_frag);
+ return fra ? 0 : -1;
}
-int ipfr_nat_newfrag(ip, fin, nat)
-ip_t *ip;
+/* ------------------------------------------------------------------------ */
+/* Function: fr_nat_newfrag */
+/* Returns: int - 0 == success, -1 == error */
+/* Parameters: fin(I) - pointer to packet information */
+/* nat(I) - pointer to NAT structure */
+/* */
+/* Create a new NAT fragment cache entry based on the current packet and */
+/* the NAT structure for this "session". */
+/* ------------------------------------------------------------------------ */
+int fr_nat_newfrag(fin, pass, nat)
fr_info_t *fin;
+u_32_t pass;
nat_t *nat;
{
- ipfr_t *ipf;
- int off;
+ ipfr_t *fra;
- if ((ip->ip_v != 4) || (fr_frag_lock))
- return -1;
-
- off = fin->fin_off;
- off <<= 3;
- if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
- return -1;
+ if ((fin->fin_v != 4) || (fr_frag_lock != 0))
+ return 0;
WRITE_ENTER(&ipf_natfrag);
- ipf = ipfr_new(ip, fin, ipfr_nattab);
- if (ipf != NULL) {
- ipf->ipfr_data = nat;
- nat->nat_data = ipf;
+ fra = ipfr_newfrag(fin, pass, ipfr_nattab);
+ if (fra != NULL) {
+ fra->ipfr_data = nat;
+ nat->nat_data = fra;
+ *ipfr_nattail = fra;
+ fra->ipfr_prev = ipfr_nattail;
+ ipfr_nattail = &fra->ipfr_next;
+ fra->ipfr_next = NULL;
}
RWLOCK_EXIT(&ipf_natfrag);
- return ipf ? 0 : -1;
+ return fra ? 0 : -1;
}
-/*
- * check the fragment cache to see if there is already a record of this packet
- * with its filter result known.
- */
-static ipfr_t *ipfr_lookup(ip, fin, table)
-ip_t *ip;
+/* ------------------------------------------------------------------------ */
+/* Function: fr_ipid_newfrag */
+/* Returns: int - 0 == success, -1 == error */
+/* Parameters: fin(I) - pointer to packet information */
+/* ipid(I) - new IP ID for this fragmented packet */
+/* */
+/* Create a new fragment cache entry for this packet and store, as a data */
+/* pointer, the new IP ID value. */
+/* ------------------------------------------------------------------------ */
+int fr_ipid_newfrag(fin, ipid)
+fr_info_t *fin;
+u_32_t ipid;
+{
+ ipfr_t *fra;
+
+ if ((fin->fin_v != 4) || (fr_frag_lock))
+ return 0;
+
+ WRITE_ENTER(&ipf_ipidfrag);
+ fra = ipfr_newfrag(fin, 0, ipfr_ipidtab);
+ if (fra != NULL) {
+ fra->ipfr_data = (void *)ipid;
+ *ipfr_ipidtail = fra;
+ fra->ipfr_prev = ipfr_ipidtail;
+ ipfr_ipidtail = &fra->ipfr_next;
+ fra->ipfr_next = NULL;
+ }
+ RWLOCK_EXIT(&ipf_ipidfrag);
+ return fra ? 0 : -1;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_fraglookup */
+/* Returns: ipfr_t * - pointer to ipfr_t structure if there's a */
+/* matching entry in the frag table, else NULL */
+/* Parameters: fin(I) - pointer to packet information */
+/* table(I) - pointer to fragment cache table to search */
+/* */
+/* Check the fragment cache to see if there is already a record of this */
+/* packet with its filter result known. */
+/* ------------------------------------------------------------------------ */
+static ipfr_t *fr_fraglookup(fin, table)
fr_info_t *fin;
ipfr_t *table[];
{
- ipfr_t *f, frag;
+ ipfr_t *f, frag;
u_int idx;
-
+ ip_t *ip;
+
+ if ((fin->fin_flx & (FI_FRAG|FI_BAD)) != FI_FRAG)
+ return NULL;
+
/*
* For fragments, we record protocol, packet id, TOS and both IP#'s
* (these should all be the same for all fragments of a packet).
*
* build up a hash value to index the table with.
*/
+ ip = fin->fin_ip;
frag.ipfr_p = ip->ip_p;
idx = ip->ip_p;
frag.ipfr_id = ip->ip_id;
@@ -304,48 +452,71 @@ ipfr_t *table[];
/*
* check the table, careful to only compare the right amount of data
*/
- for (f = table[idx]; f; f = f->ipfr_next)
- if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src,
+ for (f = table[idx]; f; f = f->ipfr_hnext)
+ if (!bcmp((char *)&frag.ipfr_ifp, (char *)&f->ipfr_ifp,
IPFR_CMPSZ)) {
- u_short atoff, off;
+ u_short off;
- off = fin->fin_off;
+ /*
+ * We don't want to let short packets match because
+ * they could be compromising the security of other
+ * rules that want to match on layer 4 fields (and
+ * can't because they have been fragmented off.)
+ * Why do this check here? The counter acts as an
+ * indicator of this kind of attack, whereas if it was
+ * elsewhere, it wouldn't know if other matching
+ * packets had been seen.
+ */
+ if (fin->fin_flx & FI_SHORT) {
+ ATOMIC_INCL(ipfr_stats.ifs_short);
+ continue;
+ }
/*
* XXX - We really need to be guarding against the
* retransmission of (src,dst,id,offset-range) here
* because a fragmented packet is never resent with
- * the same IP ID#.
+ * the same IP ID# (or shouldn't).
*/
+ off = ip->ip_off & IP_OFFMASK;
if (f->ipfr_seen0) {
- if (!off || (fin->fin_fl & FI_SHORT))
+ if (off == 0) {
+ ATOMIC_INCL(ipfr_stats.ifs_retrans0);
continue;
- } else if (!off)
+ }
+ } else if (off == 0)
f->ipfr_seen0 = 1;
if (f != table[idx]) {
+ ipfr_t **fp;
+
+ /*
+ * Move fragment info. to the top of the list
+ * to speed up searches. First, delink...
+ */
+ fp = f->ipfr_hprev;
+ (*fp) = f->ipfr_hnext;
+ if (f->ipfr_hnext != NULL)
+ f->ipfr_hnext->ipfr_hprev = fp;
/*
- * move fragment info. to the top of the list
- * to speed up searches.
+ * Then put back at the top of the chain.
*/
- if ((f->ipfr_prev->ipfr_next = f->ipfr_next))
- f->ipfr_next->ipfr_prev = f->ipfr_prev;
- f->ipfr_next = table[idx];
- table[idx]->ipfr_prev = f;
- f->ipfr_prev = NULL;
+ f->ipfr_hnext = table[idx];
+ table[idx]->ipfr_hprev = &f->ipfr_hnext;
+ f->ipfr_hprev = table + idx;
table[idx] = f;
}
- atoff = off + (fin->fin_dlen >> 3);
+
/*
* If we've follwed the fragments, and this is the
* last (in order), shrink expiration time.
*/
if (off == f->ipfr_off) {
if (!(ip->ip_off & IP_MF))
- f->ipfr_ttl = 1;
- else
- f->ipfr_off = atoff;
- }
+ f->ipfr_ttl = fr_ticks + 1;
+ f->ipfr_off = (fin->fin_dlen >> 3) + off;
+ } else if (f->ipfr_pass & FR_FRSTRICT)
+ continue;
ATOMIC_INCL(ipfr_stats.ifs_hits);
return f;
}
@@ -353,33 +524,30 @@ ipfr_t *table[];
}
-/*
- * functional interface for NAT lookups of the NAT fragment cache
- */
-nat_t *ipfr_nat_knownfrag(ip, fin)
-ip_t *ip;
+/* ------------------------------------------------------------------------ */
+/* Function: fr_nat_knownfrag */
+/* Returns: nat_t* - pointer to 'parent' NAT structure if frag table */
+/* match found, else NULL */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* Functional interface for NAT lookups of the NAT fragment cache */
+/* ------------------------------------------------------------------------ */
+nat_t *fr_nat_knownfrag(fin)
fr_info_t *fin;
{
- ipfr_t *ipf;
- nat_t *nat;
- int off;
-
- if ((fin->fin_v != 4) || (fr_frag_lock))
- return NULL;
+ nat_t *nat;
+ ipfr_t *ipf;
- off = fin->fin_off;
- off <<= 3;
- if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
+ if ((fin->fin_v != 4) || (fr_frag_lock) || !ipfr_natlist)
return NULL;
-
READ_ENTER(&ipf_natfrag);
- ipf = ipfr_lookup(ip, fin, ipfr_nattab);
+ ipf = fr_fraglookup(fin, ipfr_nattab);
if (ipf != NULL) {
nat = ipf->ipfr_data;
/*
* This is the last fragment for this packet.
*/
- if ((ipf->ipfr_ttl == 1) && (nat != NULL)) {
+ if ((ipf->ipfr_ttl == fr_ticks + 1) && (nat != NULL)) {
nat->nat_data = NULL;
ipf->ipfr_data = NULL;
}
@@ -390,136 +558,196 @@ fr_info_t *fin;
}
-/*
- * functional interface for normal lookups of the fragment cache
- */
-frentry_t *ipfr_knownfrag(ip, fin)
-ip_t *ip;
+/* ------------------------------------------------------------------------ */
+/* Function: fr_ipid_knownfrag */
+/* Returns: u_32_t - IPv4 ID for this packet if match found, else */
+/* return 0xfffffff to indicate no match. */
+/* Parameters: fin(I) - pointer to packet information */
+/* */
+/* Functional interface for IP ID lookups of the IP ID fragment cache */
+/* ------------------------------------------------------------------------ */
+u_32_t fr_ipid_knownfrag(fin)
fr_info_t *fin;
{
- frentry_t *fr;
- ipfr_t *fra;
- int off;
+ ipfr_t *ipf;
+ u_32_t id;
- if ((fin->fin_v != 4) || (fr_frag_lock))
- return NULL;
+ if ((fin->fin_v != 4) || (fr_frag_lock) || !ipfr_ipidlist)
+ return 0xffffffff;
+
+ READ_ENTER(&ipf_ipidfrag);
+ ipf = fr_fraglookup(fin, ipfr_ipidtab);
+ if (ipf != NULL)
+ id = (u_32_t)ipf->ipfr_data;
+ else
+ id = 0xffffffff;
+ RWLOCK_EXIT(&ipf_ipidfrag);
+ return id;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_knownfrag */
+/* Returns: frentry_t* - pointer to filter rule if a match is found in */
+/* the frag cache table, else NULL. */
+/* Parameters: fin(I) - pointer to packet information */
+/* passp(O) - pointer to where to store rule flags resturned */
+/* */
+/* Functional interface for normal lookups of the fragment cache. If a */
+/* match is found, return the rule pointer and flags from the rule, except */
+/* that if FR_LOGFIRST is set, reset FR_LOG. */
+/* ------------------------------------------------------------------------ */
+frentry_t *fr_knownfrag(fin, passp)
+fr_info_t *fin;
+u_32_t *passp;
+{
+ frentry_t *fr = NULL;
+ ipfr_t *fra;
+ u_32_t pass;
- off = fin->fin_off;
- off <<= 3;
- if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
+ if ((fin->fin_v != 4) || (fr_frag_lock) || (ipfr_list == NULL))
return NULL;
READ_ENTER(&ipf_frag);
- fra = ipfr_lookup(ip, fin, ipfr_heads);
- if (fra != NULL)
+ fra = fr_fraglookup(fin, ipfr_heads);
+ if (fra != NULL) {
fr = fra->ipfr_rule;
- else
- fr = NULL;
+ fin->fin_fr = fr;
+ if (fr != NULL) {
+ pass = fr->fr_flags;
+ if ((pass & FR_LOGFIRST) != 0)
+ pass &= ~(FR_LOGFIRST|FR_LOG);
+ *passp = pass;
+ }
+ }
RWLOCK_EXIT(&ipf_frag);
return fr;
}
-/*
- * forget any references to this external object.
- */
-void ipfr_forget(ptr)
+/* ------------------------------------------------------------------------ */
+/* Function: fr_forget */
+/* Returns: Nil */
+/* Parameters: ptr(I) - pointer to data structure */
+/* */
+/* Search through all of the fragment cache entries and wherever a pointer */
+/* is found to match ptr, reset it to NULL. */
+/* ------------------------------------------------------------------------ */
+void fr_forget(ptr)
void *ptr;
{
ipfr_t *fr;
- int idx;
WRITE_ENTER(&ipf_frag);
- for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fr = ipfr_heads[idx]; fr; fr = fr->ipfr_next)
- if (fr->ipfr_data == ptr)
- fr->ipfr_data = NULL;
-
+ for (fr = ipfr_list; fr; fr = fr->ipfr_next)
+ if (fr->ipfr_data == ptr)
+ fr->ipfr_data = NULL;
RWLOCK_EXIT(&ipf_frag);
}
-/*
- * forget any references to this external object.
- */
-void ipfr_forgetnat(nat)
-void *nat;
+/* ------------------------------------------------------------------------ */
+/* Function: fr_forgetnat */
+/* Returns: Nil */
+/* Parameters: ptr(I) - pointer to data structure */
+/* */
+/* Search through all of the fragment cache entries for NAT and wherever a */
+/* pointer is found to match ptr, reset it to NULL. */
+/* ------------------------------------------------------------------------ */
+void fr_forgetnat(ptr)
+void *ptr;
{
ipfr_t *fr;
- int idx;
WRITE_ENTER(&ipf_natfrag);
- for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fr = ipfr_nattab[idx]; fr; fr = fr->ipfr_next)
- if (fr->ipfr_data == nat)
- fr->ipfr_data = NULL;
-
+ for (fr = ipfr_natlist; fr; fr = fr->ipfr_next)
+ if (fr->ipfr_data == ptr)
+ fr->ipfr_data = NULL;
RWLOCK_EXIT(&ipf_natfrag);
}
-static void ipfr_delete(fra)
-ipfr_t *fra;
+/* ------------------------------------------------------------------------ */
+/* Function: fr_fragdelete */
+/* Returns: Nil */
+/* Parameters: fra(I) - pointer to fragment structure to delete */
+/* tail(IO) - pointer to the pointer to the tail of the frag */
+/* list */
+/* */
+/* Remove a fragment cache table entry from the table & list. Also free */
+/* the filter rule it is associated with it if it is no longer used as a */
+/* result of decreasing the reference count. */
+/* ------------------------------------------------------------------------ */
+static void fr_fragdelete(fra, tail)
+ipfr_t *fra, ***tail;
{
frentry_t *fr;
fr = fra->ipfr_rule;
- if (fr != NULL) {
- ATOMIC_DEC32(fr->fr_ref);
- if (fr->fr_ref == 0)
- KFREE(fr);
- }
- if (fra->ipfr_prev)
- fra->ipfr_prev->ipfr_next = fra->ipfr_next;
+ if (fr != NULL)
+ (void)fr_derefrule(&fr);
+
if (fra->ipfr_next)
fra->ipfr_next->ipfr_prev = fra->ipfr_prev;
+ *fra->ipfr_prev = fra->ipfr_next;
+ if (*tail == &fra->ipfr_next)
+ *tail = fra->ipfr_prev;
+
+ if (fra->ipfr_hnext)
+ fra->ipfr_hnext->ipfr_hprev = fra->ipfr_hprev;
+ *fra->ipfr_hprev = fra->ipfr_hnext;
KFREE(fra);
}
-/*
- * Free memory in use by fragment state info. kept.
- */
-void ipfr_unload()
+/* ------------------------------------------------------------------------ */
+/* Function: fr_fragclear */
+/* Returns: Nil */
+/* Parameters: Nil */
+/* */
+/* Free memory in use by fragment state information kept. Do the normal */
+/* fragment state stuff first and then the NAT-fragment table. */
+/* ------------------------------------------------------------------------ */
+void fr_fragclear()
{
- ipfr_t **fp, *fra;
+ ipfr_t *fra;
nat_t *nat;
- int idx;
WRITE_ENTER(&ipf_frag);
- for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_heads[idx]; (fra = *fp); ) {
- *fp = fra->ipfr_next;
- ipfr_delete(fra);
- }
+ while ((fra = ipfr_list) != NULL)
+ fr_fragdelete(fra, &ipfr_tail);
+ ipfr_tail = &ipfr_list;
RWLOCK_EXIT(&ipf_frag);
WRITE_ENTER(&ipf_nat);
WRITE_ENTER(&ipf_natfrag);
- for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_nattab[idx]; (fra = *fp); ) {
- *fp = fra->ipfr_next;
- nat = fra->ipfr_data;
- if (nat != NULL) {
- if (nat->nat_data == fra)
- nat->nat_data = NULL;
- }
- ipfr_delete(fra);
+ while ((fra = ipfr_natlist) != NULL) {
+ nat = fra->ipfr_data;
+ if (nat != NULL) {
+ if (nat->nat_data == fra)
+ nat->nat_data = NULL;
}
+ fr_fragdelete(fra, &ipfr_nattail);
+ }
+ ipfr_nattail = &ipfr_natlist;
RWLOCK_EXIT(&ipf_natfrag);
RWLOCK_EXIT(&ipf_nat);
}
-void ipfr_fragexpire()
+/* ------------------------------------------------------------------------ */
+/* Function: fr_fragexpire */
+/* Returns: Nil */
+/* Parameters: Nil */
+/* */
+/* Expire entries in the fragment cache table that have been there too long */
+/* ------------------------------------------------------------------------ */
+void fr_fragexpire()
{
ipfr_t **fp, *fra;
nat_t *nat;
- int idx;
-#if defined(_KERNEL)
-# if !SOLARIS
+#if defined(USE_SPL) && defined(_KERNEL)
int s;
-# endif
#endif
if (fr_frag_lock)
@@ -527,25 +755,29 @@ void ipfr_fragexpire()
SPL_NET(s);
WRITE_ENTER(&ipf_frag);
-
/*
* Go through the entire table, looking for entries to expire,
- * decreasing the ttl by one for each entry. If it reaches 0,
- * remove it from the chain and free it.
+ * which is indicated by the ttl being less than or equal to fr_ticks.
*/
- for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_heads[idx]; (fra = *fp); ) {
- --fra->ipfr_ttl;
- if (fra->ipfr_ttl == 0) {
- *fp = fra->ipfr_next;
- ipfr_delete(fra);
- ATOMIC_INCL(ipfr_stats.ifs_expire);
- ATOMIC_DEC32(ipfr_inuse);
- } else
- fp = &fra->ipfr_next;
- }
+ for (fp = &ipfr_list; ((fra = *fp) != NULL); ) {
+ if (fra->ipfr_ttl > fr_ticks)
+ break;
+ fr_fragdelete(fra, &ipfr_tail);
+ ipfr_stats.ifs_expire++;
+ ipfr_inuse--;
+ }
RWLOCK_EXIT(&ipf_frag);
+ WRITE_ENTER(&ipf_ipidfrag);
+ for (fp = &ipfr_ipidlist; ((fra = *fp) != NULL); ) {
+ if (fra->ipfr_ttl > fr_ticks)
+ break;
+ fr_fragdelete(fra, &ipfr_ipidtail);
+ ipfr_stats.ifs_expire++;
+ ipfr_inuse--;
+ }
+ RWLOCK_EXIT(&ipf_ipidfrag);
+
/*
* Same again for the NAT table, except that if the structure also
* still points to a NAT structure, and the NAT structure points back
@@ -555,83 +787,72 @@ void ipfr_fragexpire()
*/
WRITE_ENTER(&ipf_nat);
WRITE_ENTER(&ipf_natfrag);
- for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_nattab[idx]; (fra = *fp); ) {
- --fra->ipfr_ttl;
- if (fra->ipfr_ttl == 0) {
- ATOMIC_INCL(ipfr_stats.ifs_expire);
- ATOMIC_DEC32(ipfr_inuse);
- nat = fra->ipfr_data;
- if (nat != NULL) {
- if (nat->nat_data == fra)
- nat->nat_data = NULL;
- }
- *fp = fra->ipfr_next;
- ipfr_delete(fra);
- } else
- fp = &fra->ipfr_next;
+ for (fp = &ipfr_natlist; ((fra = *fp) != NULL); ) {
+ if (fra->ipfr_ttl > fr_ticks)
+ break;
+ nat = fra->ipfr_data;
+ if (nat != NULL) {
+ if (nat->nat_data == fra)
+ nat->nat_data = NULL;
}
+ fr_fragdelete(fra, &ipfr_nattail);
+ ipfr_stats.ifs_expire++;
+ ipfr_inuse--;
+ }
RWLOCK_EXIT(&ipf_natfrag);
RWLOCK_EXIT(&ipf_nat);
SPL_X(s);
}
-/*
- * Slowly expire held state for fragments. Timeouts are set * in expectation
- * of this being called twice per second.
- */
-#ifdef _KERNEL
-# if (BSD >= 199306) || SOLARIS || defined(__sgi)
-# if defined(SOLARIS2) && (SOLARIS2 < 7)
-void ipfr_slowtimer()
-# else
-void ipfr_slowtimer __P((void *ptr))
-# endif
+/* ------------------------------------------------------------------------ */
+/* Function: fr_slowtimer */
+/* Returns: Nil */
+/* Parameters: Nil */
+/* */
+/* Slowly expire held state for fragments. Timeouts are set * in */
+/* expectation of this being called twice per second. */
+/* ------------------------------------------------------------------------ */
+#if !defined(_KERNEL) || (!SOLARIS && !defined(__hpux) && !defined(__sgi) && \
+ !defined(__osf__))
+# if defined(_KERNEL) && ((BSD >= 199103) || defined(__sgi))
+void fr_slowtimer __P((void *ptr))
# else
-int ipfr_slowtimer()
+int fr_slowtimer()
# endif
-#else
-void ipfr_slowtimer()
-#endif
{
-#if defined(_KERNEL) && SOLARIS
- extern int fr_running;
-
- if (fr_running <= 0)
- return;
- READ_ENTER(&ipf_solaris);
-#endif
+ READ_ENTER(&ipf_global);
-#if defined(__sgi) && defined(_KERNEL)
- ipfilter_sgi_intfsync();
-#endif
-
- ipfr_fragexpire();
+ fr_fragexpire();
fr_timeoutstate();
- ip_natexpire();
+ fr_natexpire();
fr_authexpire();
-#if defined(_KERNEL)
-# if SOLARIS
- ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
- RWLOCK_EXIT(&ipf_solaris);
-# else
+ fr_ticks++;
+ if (fr_running <= 0)
+ goto done;
+# ifdef _KERNEL
# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104240000)
- callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
+ callout_reset(&fr_slowtimer_ch, hz / 2, fr_slowtimer, NULL);
# else
-# if (__FreeBSD_version >= 300000)
- ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
+# if defined(__OpenBSD__)
+ timeout_add(&fr_slowtimer_ch, hz/2);
# else
-# if defined(__OpenBSD__)
- timeout_add(&ipfr_slowtimer_ch, hz/2);
+# if (__FreeBSD_version >= 300000)
+ fr_slowtimer_ch = timeout(fr_slowtimer, NULL, hz/2);
# else
- timeout(ipfr_slowtimer, NULL, hz/2);
-# endif
-# endif
-# if (BSD < 199306) && !defined(__sgi)
- return 0;
-# endif /* FreeBSD */
+# ifdef linux
+ ;
+# else
+ timeout(fr_slowtimer, NULL, hz/2);
+# endif
+# endif /* FreeBSD */
+# endif /* OpenBSD */
# endif /* NetBSD */
-# endif /* SOLARIS */
-#endif /* defined(_KERNEL) */
+# endif
+done:
+ RWLOCK_EXIT(&ipf_global);
+# if (BSD < 199103) || !defined(_KERNEL)
+ return 0;
+# endif
}
+#endif /* !SOLARIS && !defined(__hpux) && !defined(__sgi) */
diff --git a/sys/contrib/ipfilter/netinet/ip_frag.h b/sys/contrib/ipfilter/netinet/ip_frag.h
index 925f285c4a07..7861507d36a3 100644
--- a/sys/contrib/ipfilter/netinet/ip_frag.h
+++ b/sys/contrib/ipfilter/netinet/ip_frag.h
@@ -1,10 +1,12 @@
+/* $FreeBSD$ */
+
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_frag.h 1.5 3/24/96
- * $Id: ip_frag.h,v 2.4.2.8 2003/06/11 22:28:16 darrenr Exp $
+ * Id: ip_frag.h,v 2.23.2.1 2004/03/29 16:21:56 darrenr Exp
*/
#ifndef __IP_FRAG_H__
@@ -13,17 +15,19 @@
#define IPFT_SIZE 257
typedef struct ipfr {
- struct ipfr *ipfr_next, *ipfr_prev;
+ struct ipfr *ipfr_hnext, **ipfr_hprev;
+ struct ipfr *ipfr_next, **ipfr_prev;
void *ipfr_data;
+ void *ipfr_ifp;
struct in_addr ipfr_src;
struct in_addr ipfr_dst;
- void *ipfr_ifp;
u_32_t ipfr_optmsk;
u_short ipfr_secmsk;
u_short ipfr_auth;
u_short ipfr_id;
u_char ipfr_p;
u_char ipfr_tos;
+ u_32_t ipfr_pass;
u_short ipfr_off;
u_char ipfr_ttl;
u_char ipfr_seen0;
@@ -38,37 +42,45 @@ typedef struct ipfrstat {
u_long ifs_hits;
u_long ifs_expire;
u_long ifs_inuse;
+ u_long ifs_retrans0;
+ u_long ifs_short;
struct ipfr **ifs_table;
struct ipfr **ifs_nattab;
} ipfrstat_t;
-#define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_off) - \
- offsetof(ipfr_t, ipfr_src))
+#define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_pass) - \
+ offsetof(ipfr_t, ipfr_ifp))
+extern int ipfr_size;
extern int fr_ipfrttl;
extern int fr_frag_lock;
-extern ipfrstat_t *ipfr_fragstats __P((void));
-extern int ipfr_newfrag __P((ip_t *, fr_info_t *));
-extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, struct nat *));
-extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
-extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *));
-extern void ipfr_forget __P((void *));
-extern void ipfr_forgetnat __P((void *));
-extern void ipfr_unload __P((void));
-extern void ipfr_fragexpire __P((void));
+extern int fr_fraginit __P((void));
+extern void fr_fragunload __P((void));
+extern ipfrstat_t *fr_fragstats __P((void));
+
+extern int fr_newfrag __P((fr_info_t *, u_32_t));
+extern frentry_t *fr_knownfrag __P((fr_info_t *, u_32_t *));
+
+extern int fr_nat_newfrag __P((fr_info_t *, u_32_t, struct nat *));
+extern nat_t *fr_nat_knownfrag __P((fr_info_t *));
+
+extern int fr_ipid_newfrag __P((fr_info_t *, u_32_t));
+extern u_32_t fr_ipid_knownfrag __P((fr_info_t *));
+
+extern void fr_forget __P((void *));
+extern void fr_forgetnat __P((void *));
+extern void fr_fragclear __P((void));
+extern void fr_fragexpire __P((void));
-#ifdef _KERNEL
-# if (BSD >= 199306) || SOLARIS || defined(__sgi)
-# if defined(SOLARIS2) && (SOLARIS2 < 7)
-extern void ipfr_slowtimer __P((void));
-# else
-extern void ipfr_slowtimer __P((void *));
-# endif
+#if defined(_KERNEL) && ((BSD >= 199306) || SOLARIS || defined(__sgi) \
+ || defined(__osf__) || (defined(__sgi) && (IRIX >= 60500)))
+# if defined(SOLARIS2) && (SOLARIS2 < 7)
+extern void fr_slowtimer __P((void));
# else
-extern int ipfr_slowtimer __P((void));
-# endif /* (BSD >= 199306) || SOLARIS */
+extern void fr_slowtimer __P((void *));
+# endif
#else
-extern void ipfr_slowtimer __P((void));
-#endif /* _KERNEL */
+extern int fr_slowtimer __P((void));
+#endif
-#endif /* __IP_FIL_H__ */
+#endif /* __IP_FRAG_H__ */
diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
index ae158de93879..ab866ac2d539 100644
--- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
@@ -1,18 +1,15 @@
+/* $FreeBSD$ */
+
/*
+ * Copyright (C) 1997-2003 by Darren Reed
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
- * $Id: ip_ftp_pxy.c,v 2.7.2.47 2004/06/21 11:48:07 darrenr Exp $
+ * Id: ip_ftp_pxy.c,v 2.88.2.15 2005/03/19 19:38:10 darrenr Exp
*/
-#if SOLARIS && defined(_KERNEL)
-extern kmutex_t ipf_rw;
-#endif
-
-#define isdigit(x) ((x) >= '0' && (x) <= '9')
-#define isupper(x) (((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z'))
-#define islower(x) (((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z'))
-#define isalpha(x) (isupper(x) || islower(x))
-#define toupper(x) (isupper(x) ? (x) : (x) - 'a' + 'A')
#define IPF_FTP_PROXY
@@ -20,7 +17,8 @@ extern kmutex_t ipf_rw;
#define IPF_MAXPORTLEN 30
#define IPF_MIN227LEN 39
#define IPF_MAX227LEN 51
-#define IPF_FTPBUFSZ 96 /* This *MUST* be >= 53! */
+#define IPF_MIN229LEN 47
+#define IPF_MAX229LEN 51
#define FTPXY_GO 0
#define FTPXY_INIT 1
@@ -46,23 +44,53 @@ extern kmutex_t ipf_rw;
int ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_complete __P((char *, size_t));
-int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_ftp_in __P((fr_info_t *, ap_session_t *, nat_t *));
int ippr_ftp_init __P((void));
-int ippr_ftp_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+void ippr_ftp_fini __P((void));
+int ippr_ftp_new __P((fr_info_t *, ap_session_t *, nat_t *));
+int ippr_ftp_out __P((fr_info_t *, ap_session_t *, nat_t *));
int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
+int ippr_ftp_epsv __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
int ippr_ftp_port __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
-int ippr_ftp_process __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
+int ippr_ftp_process __P((fr_info_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_server __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_valid __P((ftpinfo_t *, int, char *, size_t));
int ippr_ftp_server_valid __P((ftpside_t *, char *, size_t));
int ippr_ftp_client_valid __P((ftpside_t *, char *, size_t));
u_short ippr_ftp_atoi __P((char **));
+int ippr_ftp_pasvreply __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *,
+ u_int, char *, char *, u_int));
-static frentry_t ftppxyfr;
+
+int ftp_proxy_init = 0;
int ippr_ftp_pasvonly = 0;
-int ippr_ftp_insecure = 0;
-int ippr_ftp_forcepasv = 0;
+int ippr_ftp_insecure = 0; /* Do not require logins before transfers */
+int ippr_ftp_pasvrdr = 0;
+int ippr_ftp_forcepasv = 0; /* PASV must be last command prior to 227 */
+#if defined(_KERNEL)
+int ippr_ftp_debug = 0;
+#else
+int ippr_ftp_debug = 2;
+#endif
+/*
+ * 1 - security
+ * 2 - errors
+ * 3 - error debugging
+ * 4 - parsing errors
+ * 5 - parsing info
+ * 6 - parsing debug
+ */
+
+static frentry_t ftppxyfr;
+static ipftuneable_t ftptune = {
+ { &ippr_ftp_debug },
+ "ippr_ftp_debug",
+ 0,
+ 10,
+ sizeof(ippr_ftp_debug),
+ 0,
+ NULL
+};
/*
@@ -73,13 +101,27 @@ int ippr_ftp_init()
bzero((char *)&ftppxyfr, sizeof(ftppxyfr));
ftppxyfr.fr_ref = 1;
ftppxyfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+ MUTEX_INIT(&ftppxyfr.fr_lock, "FTP Proxy Mutex");
+ ftp_proxy_init = 1;
+ (void) fr_addipftune(&ftptune);
+
return 0;
}
-int ippr_ftp_new(fin, ip, aps, nat)
+void ippr_ftp_fini()
+{
+ (void) fr_delipftune(&ftptune);
+
+ if (ftp_proxy_init == 1) {
+ MUTEX_DESTROY(&ftppxyfr.fr_lock);
+ ftp_proxy_init = 0;
+ }
+}
+
+
+int ippr_ftp_new(fin, aps, nat)
fr_info_t *fin;
-ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
@@ -89,6 +131,10 @@ nat_t *nat;
KMALLOC(ftp, ftpinfo_t *);
if (ftp == NULL)
return -1;
+
+ fin = fin; /* LINT */
+ nat = nat; /* LINT */
+
aps->aps_data = ftp;
aps->aps_psiz = sizeof(ftpinfo_t);
@@ -100,6 +146,7 @@ nat_t *nat;
f->ftps_rptr = f->ftps_buf;
f->ftps_wptr = f->ftps_buf;
ftp->ftp_passok = FTPXY_INIT;
+ ftp->ftp_incok = 0;
return 0;
}
@@ -113,30 +160,28 @@ int dlen;
{
tcphdr_t *tcp, tcph, *tcp2 = &tcph;
char newbuf[IPF_FTPBUFSZ], *s;
+ struct in_addr swip, swip2;
u_int a1, a2, a3, a4;
- struct in_addr swip;
+ int inc, off, flags;
u_short a5, a6, sp;
size_t nlen, olen;
fr_info_t fi;
- int inc, off;
- nat_t *ipn;
+ nat_t *nat2;
mb_t *m;
-#if SOLARIS && defined(_KERNEL)
- mb_t *m1;
-#endif
+ m = fin->fin_m;
tcp = (tcphdr_t *)fin->fin_dp;
+ off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
+
/*
* Check for client sending out PORT message.
*/
if (dlen < IPF_MINPORTLEN) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout,
- "ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n", dlen);
-#endif
+ if (ippr_ftp_debug > 1)
+ printf("ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n",
+ dlen);
return 0;
}
- off = fin->fin_hlen + (tcp->th_off << 2);
/*
* Skip the PORT command + space
*/
@@ -146,36 +191,36 @@ int dlen;
*/
a1 = ippr_ftp_atoi(&s);
if (s == NULL) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(1) failed\n");
-#endif
+ if (ippr_ftp_debug > 1)
+ printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 1);
return 0;
}
a2 = ippr_ftp_atoi(&s);
if (s == NULL) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(2) failed\n");
-#endif
+ if (ippr_ftp_debug > 1)
+ printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 2);
return 0;
}
+
/*
- * check that IP address in the PORT/PASV reply is the same as the
+ * Check that IP address in the PORT/PASV reply is the same as the
* sender of the command - prevents using PORT for port scanning.
*/
a1 <<= 16;
a1 |= a2;
- if (a1 != ntohl(nat->nat_inip.s_addr)) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_port:a1 != nat->nat_inip\n");
-#endif
- return 0;
+ if (((nat->nat_dir == NAT_OUTBOUND) &&
+ (a1 != ntohl(nat->nat_inip.s_addr))) ||
+ ((nat->nat_dir == NAT_INBOUND) &&
+ (a1 != ntohl(nat->nat_oip.s_addr)))) {
+ if (ippr_ftp_debug > 0)
+ printf("ippr_ftp_port:%s != nat->nat_inip\n", "a1");
+ return APR_ERR(1);
}
a5 = ippr_ftp_atoi(&s);
if (s == NULL) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(3) failed\n");
-#endif
+ if (ippr_ftp_debug > 1)
+ printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 3);
return 0;
}
if (*s == ')')
@@ -190,26 +235,39 @@ int dlen;
s += 2;
a6 = a5 & 0xff;
} else {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_port:missing cr-lf\n");
-#endif
+ if (ippr_ftp_debug > 1)
+ printf("ippr_ftp_port:missing %s\n", "cr-lf");
return 0;
}
+
a5 >>= 8;
a5 &= 0xff;
+ sp = a5 << 8 | a6;
+ /*
+ * Don't allow the PORT command to specify a port < 1024 due to
+ * security crap.
+ */
+ if (sp < 1024) {
+ if (ippr_ftp_debug > 0)
+ printf("ippr_ftp_port:sp(%d) < 1024\n", sp);
+ return 0;
+ }
/*
* Calculate new address parts for PORT command
*/
- a1 = ntohl(ip->ip_src.s_addr);
+ if (nat->nat_dir == NAT_INBOUND)
+ a1 = ntohl(nat->nat_oip.s_addr);
+ else
+ a1 = ntohl(ip->ip_src.s_addr);
a2 = (a1 >> 16) & 0xff;
a3 = (a1 >> 8) & 0xff;
a4 = a1 & 0xff;
a1 >>= 24;
olen = s - f->ftps_rptr;
/* DO NOT change this to snprintf! */
-#if defined(OpenBSD) && (200311 >= 200311)
- (void) snprintf(newbuf, sizeof(newbuf), "%s %u,%u,%u,%u,%u,%u\r\n",
- "PORT", a1, a2, a3, a4, a5, a6);
+#if defined(SNPRINTF) && defined(_KERNEL)
+ SNPRINTF(newbuf, sizeof(newbuf), "%s %u,%u,%u,%u,%u,%u\r\n",
+ "PORT", a1, a2, a3, a4, a5, a6);
#else
(void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n",
"PORT", a1, a2, a3, a4, a5, a6);
@@ -218,87 +276,34 @@ int dlen;
nlen = strlen(newbuf);
inc = nlen - olen;
if ((inc + ip->ip_len) > 65535) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout,
- "ippr_ftp_port:inc(%d) + ip->ip_len > 65535\n", inc);
-#endif
+ if (ippr_ftp_debug > 0)
+ printf("ippr_ftp_port:inc(%d) + ip->ip_len > 65535\n",
+ inc);
return 0;
}
#if !defined(_KERNEL)
- m = *fin->fin_mp;
- bcopy(newbuf, (char *)m + off, nlen);
+ bcopy(newbuf, MTOD(m, char *) + off, nlen);
#else
-# if SOLARIS
- m = fin->fin_qfm;
- for (m1 = m; m1->b_cont; m1 = m1->b_cont)
- ;
- if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
- mblk_t *nm;
-
- /* alloc enough to keep same trailer space for lower driver */
- nm = allocb(nlen, BPRI_MED);
- PANIC((!nm),("ippr_ftp_out: allocb failed"));
-
- nm->b_band = m1->b_band;
- nm->b_wptr += nlen;
-
- m1->b_wptr -= olen;
- PANIC((m1->b_wptr < m1->b_rptr),
- ("ippr_ftp_out: cannot handle fragmented data block"));
-
- linkb(m1, nm);
- } else {
- if (m1->b_datap->db_struiolim == m1->b_wptr)
- m1->b_datap->db_struiolim += inc;
- m1->b_datap->db_struioflag &= ~STRUIO_IP;
- m1->b_wptr += inc;
- }
- copyin_mblk(m, off, nlen, newbuf);
-# else
- m = *fin->fin_mp;
+# if defined(MENTAT)
+ if (inc < 0)
+ (void)adjmsg(m, inc);
+# else /* defined(MENTAT) */
+ /*
+ * m_adj takes care of pkthdr.len, if required and treats inc<0 to
+ * mean remove -len bytes from the end of the packet.
+ * The mbuf chain will be extended if necessary by m_copyback().
+ */
if (inc < 0)
m_adj(m, inc);
- /* the mbuf chain will be extended if necessary by m_copyback() */
- m_copyback(m, off, nlen, newbuf);
-# ifdef M_PKTHDR
- if (!(m->m_flags & M_PKTHDR))
- m->m_pkthdr.len += inc;
-# endif
-# endif
-#endif
- if (inc != 0) {
-#if ((SOLARIS || defined(__sgi)) && defined(_KERNEL)) || !defined(_KERNEL)
- register u_32_t sum1, sum2;
-
- sum1 = ip->ip_len;
- sum2 = ip->ip_len + inc;
+# endif /* defined(MENTAT) */
+#endif /* !defined(_KERNEL) */
+ COPYBACK(m, off, nlen, newbuf);
- /* Because ~1 == -2, We really need ~1 == -1 */
- if (sum1 > sum2)
- sum2--;
- sum2 -= sum1;
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
-
- fix_outcksum(fin, &ip->ip_sum, sum2);
-#endif
+ if (inc != 0) {
ip->ip_len += inc;
- }
-
- /*
- * Add skeleton NAT entry for connection which will come back the
- * other way.
- */
- sp = (a5 << 8 | a6);
- /*
- * Don't allow the PORT command to specify a port < 1024 due to
- * security crap.
- */
- if (sp < 1024) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_port:sp(%d) < 1024\n", sp);
-#endif
- return 0;
+ fin->fin_dlen += inc;
+ fin->fin_plen += inc;
}
/*
@@ -307,11 +312,22 @@ int dlen;
* mapping.
*/
bcopy((char *)fin, (char *)&fi, sizeof(fi));
+ fi.fin_state = NULL;
+ fi.fin_nat = NULL;
+ fi.fin_flx |= FI_IGNORE;
fi.fin_data[0] = sp;
fi.fin_data[1] = fin->fin_data[1] - 1;
- ipn = nat_outlookup(&fi, IPN_TCP, nat->nat_p, nat->nat_inip,
- ip->ip_dst, 0);
- if (ipn == NULL) {
+ /*
+ * Add skeleton NAT entry for connection which will come back the
+ * other way.
+ */
+ if (nat->nat_dir == NAT_OUTBOUND)
+ nat2 = nat_outlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p,
+ nat->nat_inip, nat->nat_oip);
+ else
+ nat2 = nat_inlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p,
+ nat->nat_inip, nat->nat_oip);
+ if (nat2 == NULL) {
int slen;
slen = ip->ip_len;
@@ -319,28 +335,61 @@ int dlen;
bzero((char *)tcp2, sizeof(*tcp2));
tcp2->th_win = htons(8192);
tcp2->th_sport = htons(sp);
- tcp2->th_off = 5;
+ TCP_OFF_A(tcp2, 5);
tcp2->th_flags = TH_SYN;
tcp2->th_dport = 0; /* XXX - don't specify remote port */
fi.fin_data[1] = 0;
fi.fin_dlen = sizeof(*tcp2);
+ fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
fi.fin_dp = (char *)tcp2;
fi.fin_fr = &ftppxyfr;
- fi.fin_out = 1;
+ fi.fin_out = nat->nat_dir;
+ fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE;
swip = ip->ip_src;
- fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
- ip->ip_src = nat->nat_inip;
- ipn = nat_new(&fi, ip, nat->nat_ptr, NULL, IPN_TCP|FI_W_DPORT,
- NAT_OUTBOUND);
- if (ipn != NULL) {
- ipn->nat_age = fr_defnatage;
- (void) fr_addstate(ip, &fi, NULL,
- FI_W_DPORT|FI_IGNOREPKT);
+ swip2 = ip->ip_dst;
+ if (nat->nat_dir == NAT_OUTBOUND) {
+ fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
+ ip->ip_src = nat->nat_inip;
+ } else if (nat->nat_dir == NAT_INBOUND) {
+ fi.fin_fi.fi_saddr = nat->nat_oip.s_addr;
+ ip->ip_src = nat->nat_oip;
+ }
+
+ flags = NAT_SLAVE|IPN_TCP|SI_W_DPORT;
+ if (nat->nat_dir == NAT_INBOUND)
+ flags |= NAT_NOTRULEPORT;
+ nat2 = nat_new(&fi, nat->nat_ptr, NULL, flags, nat->nat_dir);
+
+ if (nat2 != NULL) {
+ (void) nat_proto(&fi, nat2, IPN_TCP);
+ nat_update(&fi, nat2, nat->nat_ptr);
+ fi.fin_ifp = NULL;
+ if (nat->nat_dir == NAT_INBOUND) {
+ fi.fin_fi.fi_daddr = nat->nat_inip.s_addr;
+ ip->ip_dst = nat->nat_inip;
+ }
+ (void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT);
+ if (fi.fin_state != NULL)
+ fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
}
ip->ip_len = slen;
ip->ip_src = swip;
+ ip->ip_dst = swip2;
+ } else {
+ ipstate_t *is;
+
+ nat_update(&fi, nat2, nat->nat_ptr);
+ READ_ENTER(&ipf_state);
+ is = nat2->nat_state;
+ if (is != NULL) {
+ MUTEX_ENTER(&is->is_lock);
+ (void)fr_tcp_age(&is->is_sti, &fi, ips_tqtqb,
+ is->is_flags);
+ MUTEX_EXIT(&is->is_lock);
+ }
+ RWLOCK_EXIT(&ipf_state);
}
- return inc;
+ return APR_INC(inc);
}
@@ -362,8 +411,8 @@ int dlen;
for (i = 0; (i < 5) && (i < dlen); i++) {
c = rptr[i];
- if (isalpha(c)) {
- cmd[i] = toupper(c);
+ if (ISALPHA(c)) {
+ cmd[i] = TOUPPER(c);
} else {
cmd[i] = c;
}
@@ -422,23 +471,17 @@ nat_t *nat;
ftpinfo_t *ftp;
int dlen;
{
- tcphdr_t *tcp, tcph, *tcp2 = &tcph;
- struct in_addr swip, swip2;
- u_int a1, a2, a3, a4;
- u_short a5, a6, dp;
- fr_info_t fi;
+ u_int a1, a2, a3, a4, data_ip;
+ char newbuf[IPF_FTPBUFSZ];
+ char *s, *brackets[2];
+ u_short a5, a6;
ftpside_t *f;
- nat_t *ipn;
- int inc;
- char *s;
if (ippr_ftp_forcepasv != 0 &&
ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout,
- "ippr_ftp_pasv:ftps_cmds(%d) != FTPXY_C_PASV\n",
- ftp->ftp_side[0].ftps_cmds);
-#endif
+ if (ippr_ftp_debug > 0)
+ printf("ippr_ftp_pasv:ftps_cmds(%d) != FTPXY_C_PASV\n",
+ ftp->ftp_side[0].ftps_cmds);
return 0;
}
@@ -449,63 +492,67 @@ int dlen;
* Check for PASV reply message.
*/
if (dlen < IPF_MIN227LEN) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout,
- "ippr_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n", dlen);
-#endif
+ if (ippr_ftp_debug > 1)
+ printf("ippr_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n",
+ dlen);
return 0;
} else if (strncmp(f->ftps_rptr,
"227 Entering Passive Mod", PASV_REPLEN)) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_pasv:227 reply wrong\n");
-#endif
+ if (ippr_ftp_debug > 0)
+ printf("ippr_ftp_pasv:%d reply wrong\n", 227);
return 0;
}
- tcp = (tcphdr_t *)fin->fin_dp;
-
+ brackets[0] = "";
+ brackets[1] = "";
/*
* Skip the PASV reply + space
*/
s = f->ftps_rptr + PASV_REPLEN;
- while (*s && !isdigit(*s))
+ while (*s && !ISDIGIT(*s)) {
+ if (*s == '(') {
+ brackets[0] = "(";
+ brackets[1] = ")";
+ }
s++;
+ }
+
/*
* Pick out the address components, two at a time.
*/
a1 = ippr_ftp_atoi(&s);
if (s == NULL) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(1) failed\n");
-#endif
+ if (ippr_ftp_debug > 1)
+ printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 1);
return 0;
}
a2 = ippr_ftp_atoi(&s);
if (s == NULL) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(2) failed\n");
-#endif
+ if (ippr_ftp_debug > 1)
+ printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 2);
return 0;
}
/*
- * check that IP address in the PORT/PASV reply is the same as the
- * sender of the command - prevents using PORT for port scanning.
+ * check that IP address in the PASV reply is the same as the
+ * sender of the command - prevents using PASV for port scanning.
*/
a1 <<= 16;
a1 |= a2;
- if (a1 != ntohl(nat->nat_oip.s_addr)) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_pasv:a1 != nat->nat_oip\n");
-#endif
+
+ if (((nat->nat_dir == NAT_INBOUND) &&
+ (a1 != ntohl(nat->nat_inip.s_addr))) ||
+ ((nat->nat_dir == NAT_OUTBOUND) &&
+ (a1 != ntohl(nat->nat_oip.s_addr)))) {
+ if (ippr_ftp_debug > 0)
+ printf("ippr_ftp_pasv:%s != nat->nat_oip\n", "a1");
return 0;
}
a5 = ippr_ftp_atoi(&s);
if (s == NULL) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(3) failed\n");
-#endif
+ if (ippr_ftp_debug > 1)
+ printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 3);
return 0;
}
@@ -520,97 +567,123 @@ int dlen;
*/
if ((*s == '\r') && (*(s + 1) == '\n')) {
s += 2;
- a6 = a5 & 0xff;
} else {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_pasv:missing cr-lf\n");
-#endif
+ if (ippr_ftp_debug > 1)
+ printf("ippr_ftp_pasv:missing %s", "cr-lf\n");
return 0;
}
+
+ a6 = a5 & 0xff;
a5 >>= 8;
/*
* Calculate new address parts for 227 reply
*/
- a1 = ntohl(ip->ip_src.s_addr);
+ if (nat->nat_dir == NAT_INBOUND) {
+ data_ip = nat->nat_outip.s_addr;
+ a1 = ntohl(data_ip);
+ } else
+ data_ip = htonl(a1);
+
a2 = (a1 >> 16) & 0xff;
a3 = (a1 >> 8) & 0xff;
a4 = a1 & 0xff;
a1 >>= 24;
- inc = 0;
-#if 0
- olen = s - f->ftps_rptr;
- (void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n",
- "227 Entering Passive Mode", a1, a2, a3, a4, a5, a6);
- nlen = strlen(newbuf);
- inc = nlen - olen;
- if ((inc + ip->ip_len) > 65535)
- return 0;
-#if !defined(_KERNEL)
- m = *fin->fin_mp;
- m_copyback(m, off, nlen, newbuf);
+#if defined(SNPRINTF) && defined(_KERNEL)
+ SNPRINTF(newbuf, sizeof(newbuf), "%s %s%u,%u,%u,%u,%u,%u%s\r\n",
+ "227 Entering Passive Mode", brackets[0], a1, a2, a3, a4,
+ a5, a6, brackets[1]);
#else
-# if SOLARIS
- m = fin->fin_qfm;
- for (m1 = m; m1->b_cont; m1 = m1->b_cont)
- ;
- if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
- mblk_t *nm;
+ (void) sprintf(newbuf, "%s %s%u,%u,%u,%u,%u,%u%s\r\n",
+ "227 Entering Passive Mode", brackets[0], a1, a2, a3, a4,
+ a5, a6, brackets[1]);
+#endif
+ return ippr_ftp_pasvreply(fin, ip, nat, f, (a5 << 8 | a6),
+ newbuf, s, data_ip);
+}
- /* alloc enough to keep same trailer space for lower driver */
- nm = allocb(nlen, BPRI_MED);
- PANIC((!nm),("ippr_ftp_out: allocb failed"));
+int ippr_ftp_pasvreply(fin, ip, nat, f, port, newmsg, s, data_ip)
+fr_info_t *fin;
+ip_t *ip;
+nat_t *nat;
+ftpside_t *f;
+u_int port;
+char *newmsg;
+char *s;
+u_int data_ip;
+{
+ int inc, off, nflags, sflags;
+ tcphdr_t *tcp, tcph, *tcp2;
+ struct in_addr swip, swip2;
+ struct in_addr data_addr;
+ size_t nlen, olen;
+ fr_info_t fi;
+ nat_t *nat2;
+ mb_t *m;
- nm->b_band = m1->b_band;
- nm->b_wptr += nlen;
+ m = fin->fin_m;
+ tcp = (tcphdr_t *)fin->fin_dp;
+ off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
- m1->b_wptr -= olen;
- PANIC((m1->b_wptr < m1->b_rptr),
- ("ippr_ftp_out: cannot handle fragmented data block"));
+ data_addr.s_addr = data_ip;
+ tcp2 = &tcph;
+ inc = 0;
- linkb(m1, nm);
- } else {
- m1->b_wptr += inc;
+
+ olen = s - f->ftps_rptr;
+ nlen = strlen(newmsg);
+ inc = nlen - olen;
+ if ((inc + ip->ip_len) > 65535) {
+ if (ippr_ftp_debug > 0)
+ printf("ippr_ftp_pasv:inc(%d) + ip->ip_len > 65535\n",
+ inc);
+ return 0;
}
- /*copyin_mblk(m, off, nlen, newbuf);*/
-# else /* SOLARIS */
- m = *fin->fin_mp;
+
+#if !defined(_KERNEL)
+ bcopy(newmsg, MTOD(m, char *) + off, nlen);
+#else
+# if defined(MENTAT)
+ if (inc < 0)
+ (void)adjmsg(m, inc);
+# else /* defined(MENTAT) */
+ /*
+ * m_adj takes care of pkthdr.len, if required and treats inc<0 to
+ * mean remove -len bytes from the end of the packet.
+ * The mbuf chain will be extended if necessary by m_copyback().
+ */
if (inc < 0)
m_adj(m, inc);
- /* the mbuf chain will be extended if necessary by m_copyback() */
- /*m_copyback(m, off, nlen, newbuf);*/
-# endif /* SOLARIS */
-#endif /* _KERNEL */
- if (inc != 0) {
-#if ((SOLARIS || defined(__sgi)) && defined(_KERNEL)) || !defined(_KERNEL)
- register u_32_t sum1, sum2;
+# endif /* defined(MENTAT) */
+#endif /* !defined(_KERNEL) */
+ COPYBACK(m, off, nlen, newmsg);
- sum1 = ip->ip_len;
- sum2 = ip->ip_len + inc;
-
- /* Because ~1 == -2, We really need ~1 == -1 */
- if (sum1 > sum2)
- sum2--;
- sum2 -= sum1;
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
-
- fix_outcksum(fin, &ip->ip_sum, sum2);
-#endif /* SOLARIS || defined(__sgi) */
+ if (inc != 0) {
ip->ip_len += inc;
+ fin->fin_dlen += inc;
+ fin->fin_plen += inc;
}
-#endif /* 0 */
/*
* Add skeleton NAT entry for connection which will come back the
* other way.
*/
bcopy((char *)fin, (char *)&fi, sizeof(fi));
+ fi.fin_state = NULL;
+ fi.fin_nat = NULL;
+ fi.fin_flx |= FI_IGNORE;
fi.fin_data[0] = 0;
- dp = htons(fin->fin_data[1] - 1);
- fi.fin_data[1] = ntohs(dp);
- ipn = nat_outlookup(&fi, IPN_TCP, nat->nat_p, nat->nat_inip,
- ip->ip_dst, 0);
- if (ipn == NULL) {
+ fi.fin_data[1] = port;
+ nflags = IPN_TCP|SI_W_SPORT;
+ if (ippr_ftp_pasvrdr && f->ftps_ifp)
+ nflags |= SI_W_DPORT;
+ if (nat->nat_dir == NAT_OUTBOUND)
+ nat2 = nat_outlookup(&fi, nflags|NAT_SEARCH,
+ nat->nat_p, nat->nat_inip, nat->nat_oip);
+ else
+ nat2 = nat_inlookup(&fi, nflags|NAT_SEARCH,
+ nat->nat_p, nat->nat_inip, nat->nat_oip);
+ if (nat2 == NULL) {
int slen;
slen = ip->ip_len;
@@ -618,31 +691,65 @@ int dlen;
bzero((char *)tcp2, sizeof(*tcp2));
tcp2->th_win = htons(8192);
tcp2->th_sport = 0; /* XXX - fake it for nat_new */
- tcp2->th_off = 5;
+ TCP_OFF_A(tcp2, 5);
tcp2->th_flags = TH_SYN;
- fi.fin_data[1] = a5 << 8 | a6;
+ fi.fin_data[1] = port;
fi.fin_dlen = sizeof(*tcp2);
- tcp2->th_dport = htons(fi.fin_data[1]);
+ tcp2->th_dport = htons(port);
fi.fin_data[0] = 0;
fi.fin_dp = (char *)tcp2;
+ fi.fin_plen = fi.fin_hlen + sizeof(*tcp);
fi.fin_fr = &ftppxyfr;
- fi.fin_out = 1;
+ fi.fin_out = nat->nat_dir;
+ fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE;
swip = ip->ip_src;
swip2 = ip->ip_dst;
- fi.fin_fi.fi_daddr = ip->ip_src.s_addr;
- fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
- ip->ip_dst = ip->ip_src;
- ip->ip_src = nat->nat_inip;
- ipn = nat_new(&fi, ip, nat->nat_ptr, NULL, IPN_TCP|FI_W_SPORT,
- NAT_OUTBOUND);
- if (ipn != NULL) {
- ipn->nat_age = fr_defnatage;
- (void) fr_addstate(ip, &fi, NULL,
- FI_W_SPORT|FI_IGNOREPKT);
+ if (nat->nat_dir == NAT_OUTBOUND) {
+ fi.fin_fi.fi_daddr = data_addr.s_addr;
+ fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
+ ip->ip_dst = data_addr;
+ ip->ip_src = nat->nat_inip;
+ } else if (nat->nat_dir == NAT_INBOUND) {
+ fi.fin_fi.fi_saddr = nat->nat_oip.s_addr;
+ fi.fin_fi.fi_daddr = nat->nat_outip.s_addr;
+ ip->ip_src = nat->nat_oip;
+ ip->ip_dst = nat->nat_outip;
}
+
+ sflags = nflags;
+ nflags |= NAT_SLAVE;
+ if (nat->nat_dir == NAT_INBOUND)
+ nflags |= NAT_NOTRULEPORT;
+ nat2 = nat_new(&fi, nat->nat_ptr, NULL, nflags, nat->nat_dir);
+ if (nat2 != NULL) {
+ (void) nat_proto(&fi, nat2, IPN_TCP);
+ nat_update(&fi, nat2, nat->nat_ptr);
+ fi.fin_ifp = NULL;
+ if (nat->nat_dir == NAT_INBOUND) {
+ fi.fin_fi.fi_daddr = nat->nat_inip.s_addr;
+ ip->ip_dst = nat->nat_inip;
+ }
+ (void) fr_addstate(&fi, &nat2->nat_state, sflags);
+ if (fi.fin_state != NULL)
+ fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
+ }
+
ip->ip_len = slen;
ip->ip_src = swip;
ip->ip_dst = swip2;
+ } else {
+ ipstate_t *is;
+
+ nat_update(&fi, nat2, nat->nat_ptr);
+ READ_ENTER(&ipf_state);
+ is = nat2->nat_state;
+ if (is != NULL) {
+ MUTEX_ENTER(&is->is_lock);
+ (void)fr_tcp_age(&is->is_sti, &fi, ips_tqtqb,
+ is->is_flags);
+ MUTEX_EXIT(&is->is_lock);
+ }
+ RWLOCK_EXIT(&ipf_state);
}
return inc;
}
@@ -664,13 +771,19 @@ int dlen;
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
- if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2)))
+ if (*rptr == ' ')
+ goto server_cmd_ok;
+ if (!ISDIGIT(*rptr) || !ISDIGIT(*(rptr + 1)) || !ISDIGIT(*(rptr + 2)))
return 0;
if (ftp->ftp_passok == FTPXY_GO) {
if (!strncmp(rptr, "227 ", 4))
inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen);
+ else if (!strncmp(rptr, "229 ", 4))
+ inc = ippr_ftp_epsv(fin, ip, nat, f, dlen);
} else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) {
inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen);
+ } else if (ippr_ftp_insecure && !strncmp(rptr, "229 ", 4)) {
+ inc = ippr_ftp_epsv(fin, ip, nat, f, dlen);
} else if (*rptr == '5' || *rptr == '4')
ftp->ftp_passok = FTPXY_INIT;
else if (ftp->ftp_incok) {
@@ -695,6 +808,7 @@ int dlen;
}
}
}
+server_cmd_ok:
ftp->ftp_incok = 0;
while ((*rptr++ != '\n') && (rptr < wptr))
@@ -713,35 +827,38 @@ ftpside_t *ftps;
char *buf;
size_t len;
{
- register char *s, c;
+ register char *s, c, pc;
register size_t i = len;
char cmd[5];
+ s = buf;
+
+ if (ftps->ftps_junk == 1)
+ return 1;
+
if (i < 5) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_client_valid:i(%lu) < 5\n",
- (u_long)i);
-#endif
+ if (ippr_ftp_debug > 3)
+ printf("ippr_ftp_client_valid:i(%d) < 5\n", (int)i);
return 2;
}
- s = buf;
- c = *s++;
+
i--;
+ c = *s++;
- if (isalpha(c)) {
- cmd[0] = toupper(c);
+ if (ISALPHA(c)) {
+ cmd[0] = TOUPPER(c);
c = *s++;
i--;
- if (isalpha(c)) {
- cmd[1] = toupper(c);
+ if (ISALPHA(c)) {
+ cmd[1] = TOUPPER(c);
c = *s++;
i--;
- if (isalpha(c)) {
- cmd[2] = toupper(c);
+ if (ISALPHA(c)) {
+ cmd[2] = TOUPPER(c);
c = *s++;
i--;
- if (isalpha(c)) {
- cmd[3] = toupper(c);
+ if (ISALPHA(c)) {
+ cmd[3] = TOUPPER(c);
c = *s++;
i--;
if ((c != ' ') && (c != '\r'))
@@ -754,17 +871,18 @@ size_t len;
goto bad_client_command;
} else {
bad_client_command:
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout,
- "ippr_ftp_client_valid:bad cmd:len %lu i %lu c 0x%x\n",
- (u_long)i, (u_long)len, c);
-#endif
+ if (ippr_ftp_debug > 3)
+ printf("%s:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n",
+ "ippr_ftp_client_valid",
+ ftps->ftps_junk, (int)len, (int)i, c,
+ (int)len, (int)len, buf);
return 1;
}
for (; i; i--) {
+ pc = c;
c = *s++;
- if (c == '\n') {
+ if ((pc == '\r') && (c == '\n')) {
cmd[4] = '\0';
if (!strcmp(cmd, "PASV"))
ftps->ftps_cmds = FTPXY_C_PASV;
@@ -773,8 +891,9 @@ bad_client_command:
return 0;
}
}
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_client_valid:junk after cmd[%s]\n", buf);
+#if !defined(_KERNEL)
+ printf("ippr_ftp_client_valid:junk after cmd[%*.*s]\n",
+ (int)len, (int)len, buf);
#endif
return 2;
}
@@ -785,26 +904,36 @@ ftpside_t *ftps;
char *buf;
size_t len;
{
- register char *s, c;
+ register char *s, c, pc;
register size_t i = len;
int cmd;
- if (i < 5)
- return 2;
s = buf;
- c = *s++;
cmd = 0;
+
+ if (ftps->ftps_junk == 1)
+ return 1;
+
+ if (i < 5) {
+ if (ippr_ftp_debug > 3)
+ printf("ippr_ftp_servert_valid:i(%d) < 5\n", (int)i);
+ return 2;
+ }
+
+ c = *s++;
i--;
+ if (c == ' ')
+ goto search_eol;
- if (isdigit(c)) {
+ if (ISDIGIT(c)) {
cmd = (c - '0') * 100;
c = *s++;
i--;
- if (isdigit(c)) {
+ if (ISDIGIT(c)) {
cmd += (c - '0') * 10;
c = *s++;
i--;
- if (isdigit(c)) {
+ if (ISDIGIT(c)) {
cmd += (c - '0');
c = *s++;
i--;
@@ -816,24 +945,25 @@ size_t len;
goto bad_server_command;
} else {
bad_server_command:
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout,
- "ippr_ftp_server_valid:bad cmd:len %lu i %lu c 0x%x\n",
- (u_long)i, (u_long)len, c);
-#endif
+ if (ippr_ftp_debug > 3)
+ printf("%s:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n",
+ "ippr_ftp_server_valid",
+ ftps->ftps_junk, (int)len, (int)i,
+ c, (int)len, (int)len, buf);
return 1;
}
-
+search_eol:
for (; i; i--) {
+ pc = c;
c = *s++;
- if (c == '\n') {
+ if ((pc == '\r') && (c == '\n')) {
ftps->ftps_cmds = cmd;
return 0;
}
}
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout, "ippr_ftp_server_valid:junk after cmd[%s]\n", buf);
-#endif
+ if (ippr_ftp_debug > 3)
+ printf("ippr_ftp_server_valid:junk after cmd[%*.*s]\n",
+ (int)len, (int)len, buf);
return 2;
}
@@ -858,48 +988,54 @@ size_t len;
/*
+ * For map rules, the following applies:
* rv == 0 for outbound processing,
* rv == 1 for inbound processing.
+ * For rdr rules, the following applies:
+ * rv == 0 for inbound processing,
+ * rv == 1 for outbound processing.
*/
-int ippr_ftp_process(fin, ip, nat, ftp, rv)
+int ippr_ftp_process(fin, nat, ftp, rv)
fr_info_t *fin;
-ip_t *ip;
nat_t *nat;
ftpinfo_t *ftp;
int rv;
{
int mlen, len, off, inc, i, sel, sel2, ok, ackoff, seqoff;
+ char *rptr, *wptr, *s;
u_32_t thseq, thack;
- char *rptr, *wptr;
ap_session_t *aps;
ftpside_t *f, *t;
tcphdr_t *tcp;
+ ip_t *ip;
mb_t *m;
+ m = fin->fin_m;
+ ip = fin->fin_ip;
tcp = (tcphdr_t *)fin->fin_dp;
- off = fin->fin_hlen + (tcp->th_off << 2);
-#if SOLARIS && defined(_KERNEL)
- m = fin->fin_qfm;
-#else
- m = *fin->fin_mp;
-#endif
+ off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
+
+ f = &ftp->ftp_side[rv];
+ t = &ftp->ftp_side[1 - rv];
+ thseq = ntohl(tcp->th_seq);
+ thack = ntohl(tcp->th_ack);
-#ifndef _KERNEL
- mlen = mbuflen(m);
+#ifdef __sgi
+ mlen = fin->fin_plen - off;
#else
-# if SOLARIS
- mlen = msgdsize(m);
-# else
- mlen = mbufchainlen(m);
-# endif
+ mlen = MSGDSIZE(m) - off;
#endif
- mlen -= off;
+ if (ippr_ftp_debug > 4)
+ printf("ippr_ftp_process: mlen %d\n", mlen);
+ if (mlen <= 0) {
+ if ((tcp->th_flags & TH_OPENING) == TH_OPENING) {
+ f->ftps_seq[0] = thseq + 1;
+ t->ftps_seq[0] = thack;
+ }
+ return 0;
+ }
aps = nat->nat_aps;
- t = &ftp->ftp_side[1 - rv];
- f = &ftp->ftp_side[rv];
- thseq = ntohl(tcp->th_seq);
- thack = ntohl(tcp->th_ack);
sel = aps->aps_sel[1 - rv];
sel2 = aps->aps_sel[rv];
@@ -911,19 +1047,17 @@ int rv;
if (aps->aps_ackmin[sel2] > ackoff + thack)
ackoff = aps->aps_ackoff[!sel2];
} else {
-#if PROXY_DEBUG
- printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq,
- aps->aps_ackmin[sel]);
-#endif
seqoff = aps->aps_ackoff[sel];
+ if (ippr_ftp_debug > 2)
+ printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq,
+ aps->aps_ackmin[sel]);
if (aps->aps_ackmin[sel] > seqoff + thseq)
seqoff = aps->aps_ackoff[!sel];
-#if PROXY_DEBUG
- printf("ackoff %d thack %x seqmin %x\n", ackoff, thack,
- aps->aps_seqmin[sel2]);
-#endif
ackoff = aps->aps_seqoff[sel2];
+ if (ippr_ftp_debug > 2)
+ printf("ackoff %d thack %x seqmin %x\n", ackoff, thack,
+ aps->aps_seqmin[sel2]);
if (ackoff > 0) {
if (aps->aps_seqmin[sel2] > ackoff + thack)
ackoff = aps->aps_seqoff[!sel2];
@@ -932,26 +1066,27 @@ int rv;
ackoff = aps->aps_seqoff[!sel2];
}
}
-#if PROXY_DEBUG
- printf("%s: %x seq %x/%d ack %x/%d len %d\n", rv ? "IN" : "OUT",
- tcp->th_flags, thseq, seqoff, thack, ackoff, mlen);
- printf("sel %d seqmin %x/%x offset %d/%d\n", sel,
- aps->aps_seqmin[sel], aps->aps_seqmin[sel2],
- aps->aps_seqoff[sel], aps->aps_seqoff[sel2]);
- printf("sel %d ackmin %x/%x offset %d/%d\n", sel2,
- aps->aps_ackmin[sel], aps->aps_ackmin[sel2],
- aps->aps_ackoff[sel], aps->aps_ackoff[sel2]);
-#endif
+ if (ippr_ftp_debug > 2) {
+ printf("%s: %x seq %x/%d ack %x/%d len %d/%d off %d\n",
+ rv ? "IN" : "OUT", tcp->th_flags, thseq, seqoff,
+ thack, ackoff, mlen, fin->fin_plen, off);
+ printf("sel %d seqmin %x/%x offset %d/%d\n", sel,
+ aps->aps_seqmin[sel], aps->aps_seqmin[sel2],
+ aps->aps_seqoff[sel], aps->aps_seqoff[sel2]);
+ printf("sel %d ackmin %x/%x offset %d/%d\n", sel2,
+ aps->aps_ackmin[sel], aps->aps_ackmin[sel2],
+ aps->aps_ackoff[sel], aps->aps_ackoff[sel2]);
+ }
/*
* XXX - Ideally, this packet should get dropped because we now know
* that it is out of order (and there is no real danger in doing so
* apart from causing packets to go through here ordered).
*/
-#if PROXY_DEBUG
- printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n",
- rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff);
-#endif
+ if (ippr_ftp_debug > 2) {
+ printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n",
+ rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff);
+ }
ok = 0;
if (t->ftps_seq[0] == 0) {
@@ -980,33 +1115,35 @@ int rv;
}
}
-#if PROXY_DEBUG
- if (!ok)
- printf("not ok\n");
-#endif
+ if (ippr_ftp_debug > 2) {
+ if (!ok)
+ printf("%s ok\n", "not");
+ }
if (!mlen) {
if (t->ftps_seq[0] + ackoff != thack) {
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout,
- "ippr_ftp_process:seq[0](%x) + ackoff(%x) != thack(%x)\n",
- t->ftps_seq[0], ackoff, thack);
-#endif
+ if (ippr_ftp_debug > 1) {
+ printf("%s:seq[0](%x) + (%x) != (%x)\n",
+ "ippr_ftp_process", t->ftps_seq[0],
+ ackoff, thack);
+ }
return APR_ERR(1);
}
-#if PROXY_DEBUG
- printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]);
-#endif
+ if (ippr_ftp_debug > 2) {
+ printf("ippr_ftp_process:f:seq[0] %x seq[1] %x\n",
+ f->ftps_seq[0], f->ftps_seq[1]);
+ }
+
if (tcp->th_flags & TH_FIN) {
if (thseq == f->ftps_seq[1]) {
f->ftps_seq[0] = f->ftps_seq[1] - seqoff;
f->ftps_seq[1] = thseq + 1 - seqoff;
} else {
-#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
- printf("FIN: thseq %x seqoff %d ftps_seq %x\n",
- thseq, seqoff, f->ftps_seq[0]);
-#endif
+ if (ippr_ftp_debug > 1) {
+ printf("FIN: thseq %x seqoff %d ftps_seq %x\n",
+ thseq, seqoff, f->ftps_seq[0]);
+ }
return APR_ERR(1);
}
}
@@ -1027,15 +1164,15 @@ int rv;
if (ok == 0) {
inc = thseq - f->ftps_seq[0];
-#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
- printf("inc %d sel %d rv %d\n", inc, sel, rv);
- printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0],
- f->ftps_seq[1]);
- printf("ackmin %x ackoff %d\n", (u_int)aps->aps_ackmin[sel],
- aps->aps_ackoff[sel]);
- printf("seqmin %x seqoff %d\n", (u_int)aps->aps_seqmin[sel],
- aps->aps_seqoff[sel]);
-#endif
+ if (ippr_ftp_debug > 1) {
+ printf("inc %d sel %d rv %d\n", inc, sel, rv);
+ printf("th_seq %x ftps_seq %x/%x\n",
+ thseq, f->ftps_seq[0], f->ftps_seq[1]);
+ printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel],
+ aps->aps_ackoff[sel]);
+ printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel],
+ aps->aps_seqoff[sel]);
+ }
return APR_ERR(1);
}
@@ -1048,31 +1185,62 @@ int rv;
f->ftps_len = mlen;
while (mlen > 0) {
- len = MIN(mlen, FTP_BUFSZ / 2);
-
-#if !defined(_KERNEL)
- bcopy((char *)m + off, wptr, len);
-#else
-# if SOLARIS
- copyout_mblk(m, off, len, wptr);
-# else
- m_copydata(m, off, len, wptr);
-# endif
-#endif
+ len = MIN(mlen, sizeof(f->ftps_buf) - (wptr - rptr));
+ COPYDATA(m, off, len, wptr);
mlen -= len;
off += len;
wptr += len;
+
+ if (ippr_ftp_debug > 3)
+ printf("%s:len %d/%d off %d wptr %lx junk %d [%*.*s]\n",
+ "ippr_ftp_process",
+ len, mlen, off, (u_long)wptr, f->ftps_junk,
+ len, len, rptr);
+
f->ftps_wptr = wptr;
- if (f->ftps_junk == 2)
+ if (f->ftps_junk != 0) {
+ i = f->ftps_junk;
f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr,
wptr - rptr);
+ if (ippr_ftp_debug > 5)
+ printf("%s:junk %d -> %d\n",
+ "ippr_ftp_process", i, f->ftps_junk);
+
+ if (f->ftps_junk != 0) {
+ if (wptr - rptr == sizeof(f->ftps_buf)) {
+ if (ippr_ftp_debug > 4)
+ printf("%s:full buffer\n",
+ "ippr_ftp_process");
+ f->ftps_rptr = f->ftps_buf;
+ f->ftps_wptr = f->ftps_buf;
+ rptr = f->ftps_rptr;
+ wptr = f->ftps_wptr;
+ /*
+ * Because we throw away data here that
+ * we would otherwise parse, set the
+ * junk flag to indicate just ignore
+ * any data upto the next CRLF.
+ */
+ f->ftps_junk = 1;
+ continue;
+ }
+ }
+ }
+
while ((f->ftps_junk == 0) && (wptr > rptr)) {
- f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr,
- wptr - rptr);
+ len = wptr - rptr;
+ f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr, len);
+
+ if (ippr_ftp_debug > 3) {
+ printf("%s=%d len %d rv %d ptr %lx/%lx ",
+ "ippr_ftp_valid",
+ f->ftps_junk, len, rv, (u_long)rptr,
+ (u_long)wptr);
+ printf("buf [%*.*s]\n", len, len, rptr);
+ }
+
if (f->ftps_junk == 0) {
- f->ftps_cmds++;
- len = wptr - rptr;
f->ftps_rptr = rptr;
if (rv)
inc += ippr_ftp_server(fin, ip, nat,
@@ -1091,66 +1259,56 @@ int rv;
*/
if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) {
/* f->ftps_seq[1] += inc; */
-#if !defined(_KERNEL) && !defined(KERNEL)
- fprintf(stdout,
- "ippr_ftp_process:cmds == 0 junk == 1\n");
-#endif
+
+ if (ippr_ftp_debug > 1)
+ printf("%s:cmds == 0 junk == 1\n",
+ "ippr_ftp_process");
return APR_ERR(2);
}
- while ((f->ftps_junk == 1) && (rptr < wptr)) {
- while ((rptr < wptr) && (*rptr != '\r'))
- rptr++;
-
- if (*rptr == '\r') {
- if (rptr + 1 < wptr) {
- if (*(rptr + 1) == '\n') {
- rptr += 2;
- f->ftps_junk = 0;
- } else
- rptr++;
- } else
+ if ((f->ftps_junk != 0) && (rptr < wptr)) {
+ for (s = rptr; s < wptr; s++) {
+ if ((*s == '\r') && (s + 1 < wptr) &&
+ (*(s + 1) == '\n')) {
+ rptr = s + 2;
+ f->ftps_junk = 0;
break;
+ }
}
}
- f->ftps_rptr = rptr;
if (rptr == wptr) {
rptr = wptr = f->ftps_buf;
} else {
- if ((wptr > f->ftps_buf + FTP_BUFSZ / 2)) {
- i = wptr - rptr;
- if ((rptr == f->ftps_buf) ||
- (wptr - rptr > FTP_BUFSZ / 2)) {
- f->ftps_junk = 1;
- rptr = wptr = f->ftps_buf;
- } else {
- bcopy(rptr, f->ftps_buf, i);
- wptr = f->ftps_buf + i;
- rptr = f->ftps_buf;
- }
+ /*
+ * Compact the buffer back to the start. The junk
+ * flag should already be set and because we're not
+ * throwing away any data, it is preserved from its
+ * current state.
+ */
+ if (rptr > f->ftps_buf) {
+ bcopy(rptr, f->ftps_buf, len);
+ wptr -= rptr - f->ftps_buf;
+ rptr = f->ftps_buf;
}
- f->ftps_rptr = rptr;
- f->ftps_wptr = wptr;
}
+ f->ftps_rptr = rptr;
+ f->ftps_wptr = wptr;
}
/* f->ftps_seq[1] += inc; */
if (tcp->th_flags & TH_FIN)
f->ftps_seq[1]++;
-#if PROXY_DEBUG
-# ifndef _KERNEL
- mlen = mbuflen(m);
-# else
-# if SOLARIS
- mlen = msgdsize(m);
-# else
- mlen = mbufchainlen(m);
-# endif
-# endif
- mlen -= off;
- printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen);
+ if (ippr_ftp_debug > 3) {
+#ifdef __sgi
+ mlen = fin->fin_plen;
+#else
+ mlen = MSGDSIZE(m);
#endif
+ mlen -= off;
+ printf("ftps_seq[1] = %x inc %d len %d\n",
+ f->ftps_seq[1], inc, mlen);
+ }
f->ftps_rptr = rptr;
f->ftps_wptr = wptr;
@@ -1158,33 +1316,43 @@ int rv;
}
-int ippr_ftp_out(fin, ip, aps, nat)
+int ippr_ftp_out(fin, aps, nat)
fr_info_t *fin;
-ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
ftpinfo_t *ftp;
+ int rev;
ftp = aps->aps_data;
if (ftp == NULL)
return 0;
- return ippr_ftp_process(fin, ip, nat, ftp, 0);
+
+ rev = (nat->nat_dir == NAT_OUTBOUND) ? 0 : 1;
+ if (ftp->ftp_side[1 - rev].ftps_ifp == NULL)
+ ftp->ftp_side[1 - rev].ftps_ifp = fin->fin_ifp;
+
+ return ippr_ftp_process(fin, nat, ftp, rev);
}
-int ippr_ftp_in(fin, ip, aps, nat)
+int ippr_ftp_in(fin, aps, nat)
fr_info_t *fin;
-ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
ftpinfo_t *ftp;
+ int rev;
ftp = aps->aps_data;
if (ftp == NULL)
return 0;
- return ippr_ftp_process(fin, ip, nat, ftp, 1);
+
+ rev = (nat->nat_dir == NAT_OUTBOUND) ? 0 : 1;
+ if (ftp->ftp_side[rev].ftps_ifp == NULL)
+ ftp->ftp_side[rev].ftps_ifp = fin->fin_ifp;
+
+ return ippr_ftp_process(fin, nat, ftp, 1 - rev);
}
@@ -1200,7 +1368,7 @@ char **ptr;
register char *s = *ptr, c;
register u_char i = 0, j = 0;
- while ((c = *s++) && isdigit(c)) {
+ while (((c = *s++) != '\0') && ISDIGIT(c)) {
i *= 10;
i += c - '0';
}
@@ -1208,7 +1376,7 @@ char **ptr;
*ptr = NULL;
return 0;
}
- while ((c = *s++) && isdigit(c)) {
+ while (((c = *s++) != '\0') && ISDIGIT(c)) {
j *= 10;
j += c - '0';
}
@@ -1217,3 +1385,70 @@ char **ptr;
j &= 0xff;
return (i << 8) | j;
}
+
+
+int ippr_ftp_epsv(fin, ip, nat, f, dlen)
+fr_info_t *fin;
+ip_t *ip;
+nat_t *nat;
+ftpside_t *f;
+int dlen;
+{
+ char newbuf[IPF_FTPBUFSZ];
+ char *s;
+ u_short ap = 0;
+
+#define EPSV_REPLEN 33
+ /*
+ * Check for EPSV reply message.
+ */
+ if (dlen < IPF_MIN229LEN)
+ return (0);
+ else if (strncmp(f->ftps_rptr,
+ "229 Entering Extended Passive Mode", EPSV_REPLEN))
+ return (0);
+
+ /*
+ * Skip the EPSV command + space
+ */
+ s = f->ftps_rptr + 33;
+ while (*s && !ISDIGIT(*s))
+ s++;
+
+ /*
+ * As per RFC 2428, there are no addres components in the EPSV
+ * response. So we'll go straight to getting the port.
+ */
+ while (*s && ISDIGIT(*s)) {
+ ap *= 10;
+ ap += *s++ - '0';
+ }
+
+ if (!s)
+ return 0;
+
+ if (*s == '|')
+ s++;
+ if (*s == ')')
+ s++;
+ if (*s == '\n')
+ s--;
+ /*
+ * check for CR-LF at the end.
+ */
+ if ((*s == '\r') && (*(s + 1) == '\n')) {
+ s += 2;
+ } else
+ return 0;
+
+#if defined(SNPRINTF) && defined(_KERNEL)
+ SNPRINTF(newbuf, sizeof(newbuf), "%s (|||%u|)\r\n",
+ "229 Entering Extended Passive Mode", ap);
+#else
+ (void) sprintf(newbuf, "%s (|||%u|)\r\n",
+ "229 Entering Extended Passive Mode", ap);
+#endif
+
+ return ippr_ftp_pasvreply(fin, ip, nat, f, (u_int)ap, newbuf, s,
+ ip->ip_src.s_addr);
+}
diff --git a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c
index 8d8ef923f7ac..1933203e05cd 100644
--- a/sys/contrib/ipfilter/netinet/ip_h323_pxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_h323_pxy.c
@@ -1,6 +1,8 @@
+/* $FreeBSD$ */
+
/*
* Copyright 2001, QNX Software Systems Ltd. All Rights Reserved
- *
+ *
* This source code has been published by QNX Software Systems Ltd. (QSSL).
* However, any use, reproduction, modification, distribution or transfer of
* this software, or any software which includes or is based upon any of this
@@ -14,7 +16,7 @@
/*
* Simple H.323 proxy
- *
+ *
* by xtang@canada.com
* ported to ipfilter 3.4.20 by Michael Grant mg-ipf@grant.org
*/
@@ -23,33 +25,34 @@
# include <sys/fcntl.h>
# include <sys/filio.h>
#else
-# include <sys/ioctl.h>
+# ifndef linux
+# include <sys/ioctl.h>
+# endif
#endif
#define IPF_H323_PROXY
int ippr_h323_init __P((void));
-int ippr_h323_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+void ippr_h323_fini __P((void));
+int ippr_h323_new __P((fr_info_t *, ap_session_t *, nat_t *));
void ippr_h323_del __P((ap_session_t *));
-int ippr_h323_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_h323_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_h323_out __P((fr_info_t *, ap_session_t *, nat_t *));
+int ippr_h323_in __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_h245_init __P((void));
-int ippr_h245_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_h245_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_h245_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_h245_new __P((fr_info_t *, ap_session_t *, nat_t *));
+int ippr_h245_out __P((fr_info_t *, ap_session_t *, nat_t *));
+int ippr_h245_in __P((fr_info_t *, ap_session_t *, nat_t *));
static frentry_t h323_fr;
-#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T ipf_nat;
-#endif
-static int find_port __P((int, u_char *, int datlen, int *, u_short *));
+int h323_proxy_init = 0;
+
+static int find_port __P((int, caddr_t, int datlen, int *, u_short *));
static int find_port(ipaddr, data, datlen, off, port)
int ipaddr;
-unsigned char *data;
+caddr_t data;
int datlen, *off;
unsigned short *port;
{
@@ -85,17 +88,30 @@ int ippr_h323_init()
bzero((char *)&h323_fr, sizeof(h323_fr));
h323_fr.fr_ref = 1;
h323_fr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+ MUTEX_INIT(&h323_fr.fr_lock, "H323 proxy rule lock");
+ h323_proxy_init = 1;
return 0;
}
-int ippr_h323_new(fin, ip, aps, nat)
+void ippr_h323_fini()
+{
+ if (h323_proxy_init == 1) {
+ MUTEX_DESTROY(&h323_fr.fr_lock);
+ h323_proxy_init = 0;
+ }
+}
+
+
+int ippr_h323_new(fin, aps, nat)
fr_info_t *fin;
-ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
+ fin = fin; /* LINT */
+ nat = nat; /* LINT */
+
aps->aps_data = NULL;
aps->aps_psiz = 0;
@@ -111,17 +127,18 @@ ap_session_t *aps;
if (aps->aps_data) {
for (i = 0, ipn = aps->aps_data;
- i < (aps->aps_psiz / sizeof(ipnat_t));
+ i < (aps->aps_psiz / sizeof(ipnat_t));
i++, ipn = (ipnat_t *)((char *)ipn + sizeof(*ipn)))
{
- /*
+ /*
* Check the comment in ippr_h323_in() function,
- * just above nat_ioctl() call.
+ * just above fr_nat_ioctl() call.
* We are lucky here because this function is not
* called with ipf_nat locked.
*/
- if (nat_ioctl((caddr_t)ipn, SIOCRMNAT, NAT_SYSSPACE|
- NAT_LOCKHELD|FWRITE) == -1) {
+ if (fr_nat_ioctl((caddr_t)ipn, SIOCRMNAT, NAT_SYSSPACE|
+ NAT_LOCKHELD|FWRITE) == -1) {
+ /*EMPTY*/;
/* log the error */
}
}
@@ -134,32 +151,23 @@ ap_session_t *aps;
}
-int ippr_h323_out(fin, ip, aps, nat)
+int ippr_h323_in(fin, aps, nat)
fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- return 0;
-}
-
-
-int ippr_h323_in(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
int ipaddr, off, datlen;
unsigned short port;
- unsigned char *data;
+ caddr_t data;
tcphdr_t *tcp;
-
+ ip_t *ip;
+
+ ip = fin->fin_ip;
tcp = (tcphdr_t *)fin->fin_dp;
ipaddr = ip->ip_src.s_addr;
- data = (unsigned char *)tcp + (tcp->th_off << 2);
- datlen = fin->fin_dlen - (tcp->th_off << 2);
+ data = (caddr_t)tcp + (TCP_OFF(tcp) << 2);
+ datlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
ipnat_t *ipn;
char *newarray;
@@ -173,27 +181,27 @@ nat_t *nat;
return -1;
}
ipn = (ipnat_t *)&newarray[aps->aps_psiz];
- bcopy(nat->nat_ptr, ipn, sizeof(ipnat_t));
- strncpy(ipn->in_plabel, "h245", APR_LABELLEN);
+ bcopy((caddr_t)nat->nat_ptr, (caddr_t)ipn, sizeof(ipnat_t));
+ (void) strncpy(ipn->in_plabel, "h245", APR_LABELLEN);
ipn->in_inip = nat->nat_inip.s_addr;
ipn->in_inmsk = 0xffffffff;
ipn->in_dport = htons(port);
- /*
- * we got a problem here. we need to call nat_ioctl() to add
+ /*
+ * we got a problem here. we need to call fr_nat_ioctl() to add
* the h245 proxy rule, but since we already hold (READ locked)
- * the nat table rwlock (ipf_nat), if we go into nat_ioctl(),
+ * the nat table rwlock (ipf_nat), if we go into fr_nat_ioctl(),
* it will try to WRITE lock it. This will causing dead lock
* on RTP.
- *
+ *
* The quick & dirty solution here is release the read lock,
- * call nat_ioctl() and re-lock it.
+ * call fr_nat_ioctl() and re-lock it.
* A (maybe better) solution is do a UPGRADE(), and instead
- * of calling nat_ioctl(), we add the nat rule ourself.
+ * of calling fr_nat_ioctl(), we add the nat rule ourself.
*/
RWLOCK_EXIT(&ipf_nat);
- if (nat_ioctl((caddr_t)ipn, SIOCADNAT,
- NAT_SYSSPACE|FWRITE) == -1) {
+ if (fr_nat_ioctl((caddr_t)ipn, SIOCADNAT,
+ NAT_SYSSPACE|FWRITE) == -1) {
READ_ENTER(&ipf_nat);
return -1;
}
@@ -209,87 +217,80 @@ nat_t *nat;
}
-int ippr_h245_init()
-{
- return 0;
-}
-
-
-int ippr_h245_new(fin, ip, aps, nat)
+int ippr_h245_new(fin, aps, nat)
fr_info_t *fin;
-ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
+ fin = fin; /* LINT */
+ nat = nat; /* LINT */
+
aps->aps_data = NULL;
aps->aps_psiz = 0;
return 0;
}
-int ippr_h245_out(fin, ip, aps, nat)
+int ippr_h245_out(fin, aps, nat)
fr_info_t *fin;
-ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
int ipaddr, off, datlen;
- u_short port;
- unsigned char *data;
tcphdr_t *tcp;
-
+ caddr_t data;
+ u_short port;
+ ip_t *ip;
+
+ aps = aps; /* LINT */
+
+ ip = fin->fin_ip;
tcp = (tcphdr_t *)fin->fin_dp;
ipaddr = nat->nat_inip.s_addr;
- data = (unsigned char *)tcp + (tcp->th_off << 2);
- datlen = ip->ip_len - fin->fin_hlen - (tcp->th_off << 2);
+ data = (caddr_t)tcp + (TCP_OFF(tcp) << 2);
+ datlen = ip->ip_len - fin->fin_hlen - (TCP_OFF(tcp) << 2);
if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
fr_info_t fi;
- nat_t *ipn;
+ nat_t *nat2;
/* port = htons(port); */
- ipn = nat_outlookup(fin->fin_ifp, IPN_UDP, IPPROTO_UDP,
- ip->ip_src, ip->ip_dst, 1);
- if (ipn == NULL) {
+ nat2 = nat_outlookup(fin->fin_ifp, IPN_UDP, IPPROTO_UDP,
+ ip->ip_src, ip->ip_dst);
+ if (nat2 == NULL) {
struct ip newip;
struct udphdr udp;
- bcopy(ip, &newip, sizeof(newip));
+ bcopy((caddr_t)ip, (caddr_t)&newip, sizeof(newip));
newip.ip_len = fin->fin_hlen + sizeof(udp);
newip.ip_p = IPPROTO_UDP;
newip.ip_src = nat->nat_inip;
- bzero(&udp, sizeof(udp));
+ bzero((char *)&udp, sizeof(udp));
udp.uh_sport = port;
- bcopy(fin, &fi, sizeof(fi));
+ bcopy((caddr_t)fin, (caddr_t)&fi, sizeof(fi));
fi.fin_fi.fi_p = IPPROTO_UDP;
fi.fin_data[0] = port;
fi.fin_data[1] = 0;
fi.fin_dp = (char *)&udp;
-
- ipn = nat_new(&fi, &newip, nat->nat_ptr, NULL,
- IPN_UDP|FI_W_DPORT, NAT_OUTBOUND);
- if (ipn != NULL) {
- ipn->nat_ptr->in_hits++;
+
+ nat2 = nat_new(&fi, nat->nat_ptr, NULL,
+ NAT_SLAVE|IPN_UDP|SI_W_DPORT,
+ NAT_OUTBOUND);
+ if (nat2 != NULL) {
+ (void) nat_proto(&fi, nat2, IPN_UDP);
+ nat_update(&fi, nat2, nat2->nat_ptr);
+
+ nat2->nat_ptr->in_hits++;
#ifdef IPFILTER_LOG
- nat_log(ipn, (u_int)(nat->nat_ptr->in_redir));
+ nat_log(nat2, (u_int)(nat->nat_ptr->in_redir));
#endif
- bcopy((u_char*)&ip->ip_src.s_addr,
+ bcopy((caddr_t)&ip->ip_src.s_addr,
data + off, 4);
- bcopy((u_char*)&ipn->nat_outport,
+ bcopy((caddr_t)&nat2->nat_outport,
data + off + 4, 2);
}
}
}
return 0;
}
-
-
-int ippr_h245_in(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- return 0;
-}
diff --git a/sys/contrib/ipfilter/netinet/ip_htable.c b/sys/contrib/ipfilter/netinet/ip_htable.c
new file mode 100644
index 000000000000..22acbec764ca
--- /dev/null
+++ b/sys/contrib/ipfilter/netinet/ip_htable.c
@@ -0,0 +1,455 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 1993-2001, 2003 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+#if defined(KERNEL) || defined(_KERNEL)
+# undef KERNEL
+# undef _KERNEL
+# define KERNEL 1
+# define _KERNEL 1
+#endif
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/errno.h>
+#include <sys/time.h>
+#include <sys/file.h>
+#if !defined(_KERNEL)
+# include <stdlib.h>
+# include <string.h>
+# define _KERNEL
+# ifdef __OpenBSD__
+struct file;
+# endif
+# include <sys/uio.h>
+# undef _KERNEL
+#endif
+#include <sys/socket.h>
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+#endif
+#if defined(__FreeBSD__)
+# include <sys/cdefs.h>
+# include <sys/proc.h>
+#endif
+#if !defined(__svr4__) && !defined(__SVR4) && !defined(__hpux) && \
+ !defined(linux)
+# include <sys/mbuf.h>
+#endif
+#if defined(_KERNEL)
+# include <sys/systm.h>
+#else
+# include <stdio.h>
+#endif
+#include <netinet/in.h>
+#include <net/if.h>
+
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_lookup.h"
+#include "netinet/ip_htable.h"
+/* END OF INCLUDES */
+
+#if !defined(lint)
+static const char rcsid[] = "@(#)Id: ip_htable.c,v 2.34.2.2 2004/10/17 15:49:15 darrenr Exp";
+#endif
+
+#ifdef IPFILTER_LOOKUP
+static iphtent_t *fr_iphmfind __P((iphtable_t *, struct in_addr *));
+static u_long ipht_nomem[IPL_LOGSIZE] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+static u_long ipf_nhtables[IPL_LOGSIZE] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+static u_long ipf_nhtnodes[IPL_LOGSIZE] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+
+iphtable_t *ipf_htables[IPL_LOGSIZE] = { NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL };
+
+
+void fr_htable_unload()
+{
+ iplookupflush_t fop;
+
+ fop.iplf_unit = IPL_LOGALL;
+ (void)fr_flushhtable(&fop);
+}
+
+
+int fr_gethtablestat(op)
+iplookupop_t *op;
+{
+ iphtstat_t stats;
+
+ if (op->iplo_size != sizeof(stats))
+ return EINVAL;
+
+ stats.iphs_tables = ipf_htables[op->iplo_unit];
+ stats.iphs_numtables = ipf_nhtables[op->iplo_unit];
+ stats.iphs_numnodes = ipf_nhtnodes[op->iplo_unit];
+ stats.iphs_nomem = ipht_nomem[op->iplo_unit];
+
+ return COPYOUT(&stats, op->iplo_struct, sizeof(stats));
+
+}
+
+
+/*
+ * Create a new hash table using the template passed.
+ */
+int fr_newhtable(op)
+iplookupop_t *op;
+{
+ iphtable_t *iph, *oiph;
+ char name[FR_GROUPLEN];
+ int err, i, unit;
+
+ KMALLOC(iph, iphtable_t *);
+ if (iph == NULL)
+ return ENOMEM;
+
+ err = COPYIN(op->iplo_struct, iph, sizeof(*iph));
+ if (err != 0) {
+ KFREE(iph);
+ return EFAULT;
+ }
+
+ unit = op->iplo_unit;
+ if (iph->iph_unit != unit) {
+ KFREE(iph);
+ return EINVAL;
+ }
+
+ if ((op->iplo_arg & IPHASH_ANON) == 0) {
+ if (fr_findhtable(op->iplo_unit, op->iplo_name) != NULL) {
+ KFREE(iph);
+ return EEXIST;
+ }
+ } else {
+ i = IPHASH_ANON;
+ do {
+ i++;
+#if defined(SNPRINTF) && defined(_KERNEL)
+ SNPRINTF(name, sizeof(name), "%u", i);
+#else
+ (void)sprintf(name, "%u", i);
+#endif
+ for (oiph = ipf_htables[unit]; oiph != NULL;
+ oiph = oiph->iph_next)
+ if (strncmp(oiph->iph_name, name,
+ sizeof(oiph->iph_name)) == 0)
+ break;
+ } while (oiph != NULL);
+ (void)strncpy(iph->iph_name, name, sizeof(iph->iph_name));
+ err = COPYOUT(iph, op->iplo_struct, sizeof(*iph));
+ if (err != 0) {
+ KFREE(iph);
+ return EFAULT;
+ }
+ iph->iph_type |= IPHASH_ANON;
+ }
+
+ KMALLOCS(iph->iph_table, iphtent_t **,
+ iph->iph_size * sizeof(*iph->iph_table));
+ if (iph->iph_table == NULL) {
+ KFREE(iph);
+ ipht_nomem[unit]++;
+ return ENOMEM;
+ }
+
+ bzero((char *)iph->iph_table, iph->iph_size * sizeof(*iph->iph_table));
+ iph->iph_masks = 0;
+
+ iph->iph_next = ipf_htables[unit];
+ iph->iph_pnext = &ipf_htables[unit];
+ if (ipf_htables[unit] != NULL)
+ ipf_htables[unit]->iph_pnext = &iph->iph_next;
+ ipf_htables[unit] = iph;
+
+ ipf_nhtables[unit]++;
+
+ return 0;
+}
+
+
+/*
+ */
+int fr_removehtable(op)
+iplookupop_t *op;
+{
+ iphtable_t *iph;
+
+
+ iph = fr_findhtable(op->iplo_unit, op->iplo_name);
+ if (iph == NULL)
+ return ESRCH;
+
+ if (iph->iph_unit != op->iplo_unit) {
+ return EINVAL;
+ }
+
+ if (iph->iph_ref != 0) {
+ return EBUSY;
+ }
+
+ fr_delhtable(iph);
+
+ return 0;
+}
+
+
+void fr_delhtable(iph)
+iphtable_t *iph;
+{
+ iphtent_t *ipe;
+ int i;
+
+ for (i = 0; i < iph->iph_size; i++)
+ while ((ipe = iph->iph_table[i]) != NULL)
+ if (fr_delhtent(iph, ipe) != 0)
+ return;
+
+ *iph->iph_pnext = iph->iph_next;
+ if (iph->iph_next != NULL)
+ iph->iph_next->iph_pnext = iph->iph_pnext;
+
+ ipf_nhtables[iph->iph_unit]--;
+
+ if (iph->iph_ref == 0) {
+ KFREES(iph->iph_table, iph->iph_size * sizeof(*iph->iph_table));
+ KFREE(iph);
+ }
+}
+
+
+void fr_derefhtable(iph)
+iphtable_t *iph;
+{
+ iph->iph_ref--;
+ if (iph->iph_ref == 0)
+ fr_delhtable(iph);
+}
+
+
+iphtable_t *fr_findhtable(unit, name)
+int unit;
+char *name;
+{
+ iphtable_t *iph;
+
+ for (iph = ipf_htables[unit]; iph != NULL; iph = iph->iph_next)
+ if (strncmp(iph->iph_name, name, sizeof(iph->iph_name)) == 0)
+ break;
+ return iph;
+}
+
+
+size_t fr_flushhtable(op)
+iplookupflush_t *op;
+{
+ iphtable_t *iph;
+ size_t freed;
+ int i;
+
+ freed = 0;
+
+ for (i = 0; i <= IPL_LOGMAX; i++) {
+ if (op->iplf_unit == i || op->iplf_unit == IPL_LOGALL) {
+ while ((iph = ipf_htables[i]) != NULL) {
+ fr_delhtable(iph);
+ freed++;
+ }
+ }
+ }
+
+ return freed;
+}
+
+
+/*
+ * Add an entry to a hash table.
+ */
+int fr_addhtent(iph, ipeo)
+iphtable_t *iph;
+iphtent_t *ipeo;
+{
+ iphtent_t *ipe;
+ u_int hv;
+ int bits;
+
+ KMALLOC(ipe, iphtent_t *);
+ if (ipe == NULL)
+ return -1;
+
+ bcopy((char *)ipeo, (char *)ipe, sizeof(*ipe));
+ ipe->ipe_addr.in4_addr &= ipe->ipe_mask.in4_addr;
+ ipe->ipe_addr.in4_addr = ntohl(ipe->ipe_addr.in4_addr);
+ bits = count4bits(ipe->ipe_mask.in4_addr);
+ ipe->ipe_mask.in4_addr = ntohl(ipe->ipe_mask.in4_addr);
+
+ hv = IPE_HASH_FN(ipe->ipe_addr.in4_addr, ipe->ipe_mask.in4_addr,
+ iph->iph_size);
+ ipe->ipe_ref = 0;
+ ipe->ipe_next = iph->iph_table[hv];
+ ipe->ipe_pnext = iph->iph_table + hv;
+
+ if (iph->iph_table[hv] != NULL)
+ iph->iph_table[hv]->ipe_pnext = &ipe->ipe_next;
+ iph->iph_table[hv] = ipe;
+ if ((bits >= 0) && (bits != 32))
+ iph->iph_masks |= 1 << bits;
+
+ switch (iph->iph_type & ~IPHASH_ANON)
+ {
+ case IPHASH_GROUPMAP :
+ ipe->ipe_ptr = fr_addgroup(ipe->ipe_group, NULL,
+ iph->iph_flags, IPL_LOGIPF,
+ fr_active);
+ break;
+
+ default :
+ ipe->ipe_ptr = NULL;
+ ipe->ipe_value = 0;
+ break;
+ }
+
+ ipf_nhtnodes[iph->iph_unit]++;
+
+ return 0;
+}
+
+
+/*
+ * Delete an entry from a hash table.
+ */
+int fr_delhtent(iph, ipe)
+iphtable_t *iph;
+iphtent_t *ipe;
+{
+
+ if (ipe->ipe_ref != 0)
+ return EBUSY;
+
+
+ *ipe->ipe_pnext = ipe->ipe_next;
+ if (ipe->ipe_next != NULL)
+ ipe->ipe_next->ipe_pnext = ipe->ipe_pnext;
+
+ switch (iph->iph_type & ~IPHASH_ANON)
+ {
+ case IPHASH_GROUPMAP :
+ if (ipe->ipe_group != NULL)
+ fr_delgroup(ipe->ipe_group, IPL_LOGIPF, fr_active);
+ break;
+
+ default :
+ ipe->ipe_ptr = NULL;
+ ipe->ipe_value = 0;
+ break;
+ }
+
+ KFREE(ipe);
+
+ ipf_nhtnodes[iph->iph_unit]--;
+
+ return 0;
+}
+
+
+void *fr_iphmfindgroup(tptr, aptr)
+void *tptr, *aptr;
+{
+ struct in_addr *addr;
+ iphtable_t *iph;
+ iphtent_t *ipe;
+ void *rval;
+
+ READ_ENTER(&ip_poolrw);
+ iph = tptr;
+ addr = aptr;
+
+ ipe = fr_iphmfind(iph, addr);
+ if (ipe != NULL)
+ rval = ipe->ipe_ptr;
+ else
+ rval = NULL;
+ RWLOCK_EXIT(&ip_poolrw);
+ return rval;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function: fr_iphmfindip */
+/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */
+/* Parameters: tptr(I) - pointer to the pool to search */
+/* version(I) - IP protocol version (4 or 6) */
+/* aptr(I) - pointer to address information */
+/* */
+/* Search the hash table for a given address and return a search result. */
+/* ------------------------------------------------------------------------ */
+int fr_iphmfindip(tptr, version, aptr)
+void *tptr, *aptr;
+int version;
+{
+ struct in_addr *addr;
+ iphtable_t *iph;
+ iphtent_t *ipe;
+ int rval;
+
+ if (version != 4)
+ return -1;
+
+ if (tptr == NULL || aptr == NULL)
+ return -1;
+
+ iph = tptr;
+ addr = aptr;
+
+ READ_ENTER(&ip_poolrw);
+ ipe = fr_iphmfind(iph, addr);
+ if (ipe != NULL)
+ rval = 0;
+ else
+ rval = 1;
+ RWLOCK_EXIT(&ip_poolrw);
+ return rval;
+}
+
+
+/* Locks: ip_poolrw */
+static iphtent_t *fr_iphmfind(iph, addr)
+iphtable_t *iph;
+struct in_addr *addr;
+{
+ u_32_t hmsk, msk, ips;
+ iphtent_t *ipe;
+ u_int hv;
+
+ hmsk = iph->iph_masks;
+ msk = 0xffffffff;
+maskloop:
+ ips = ntohl(addr->s_addr) & msk;
+ hv = IPE_HASH_FN(ips, msk, iph->iph_size);
+ for (ipe = iph->iph_table[hv]; (ipe != NULL); ipe = ipe->ipe_next) {
+ if (ipe->ipe_mask.in4_addr != msk ||
+ ipe->ipe_addr.in4_addr != ips) {
+ continue;
+ }
+ break;
+ }
+
+ if ((ipe == NULL) && (hmsk != 0)) {
+ while (hmsk != 0) {
+ msk <<= 1;
+ if (hmsk & 0x80000000)
+ break;
+ hmsk <<= 1;
+ }
+ if (hmsk != 0) {
+ hmsk <<= 1;
+ goto maskloop;
+ }
+ }
+ return ipe;
+}
+
+#endif /* IPFILTER_LOOKUP */
diff --git a/sys/contrib/ipfilter/netinet/ip_htable.h b/sys/contrib/ipfilter/netinet/ip_htable.h
new file mode 100644
index 000000000000..1bc40876dcb5
--- /dev/null
+++ b/sys/contrib/ipfilter/netinet/ip_htable.h
@@ -0,0 +1,71 @@
+/* $FreeBSD$ */
+
+#ifndef __IP_HTABLE_H__
+#define __IP_HTABLE_H__
+
+#include "netinet/ip_lookup.h"
+
+typedef struct iphtent_s {
+ struct iphtent_s *ipe_next, **ipe_pnext;
+ void *ipe_ptr;
+ i6addr_t ipe_addr;
+ i6addr_t ipe_mask;
+ int ipe_ref;
+ union {
+ char ipeu_char[16];
+ u_long ipeu_long;
+ u_int ipeu_int;
+ }ipe_un;
+} iphtent_t;
+
+#define ipe_value ipe_un.ipeu_int
+#define ipe_group ipe_un.ipeu_char
+
+#define IPE_HASH_FN(a, m, s) (((a) * (m)) % (s))
+
+
+typedef struct iphtable_s {
+ ipfrwlock_t iph_rwlock;
+ struct iphtable_s *iph_next, **iph_pnext;
+ struct iphtent_s **iph_table;
+ size_t iph_size; /* size of hash table */
+ u_long iph_seed; /* hashing seed */
+ u_32_t iph_flags;
+ u_int iph_unit; /* IPL_LOG* */
+ u_int iph_ref;
+ u_int iph_type; /* lookup or group map - IPHASH_* */
+ u_int iph_masks; /* IPv4 netmasks in use */
+ char iph_name[FR_GROUPLEN]; /* hash table number */
+} iphtable_t;
+
+/* iph_type */
+#define IPHASH_LOOKUP 0
+#define IPHASH_GROUPMAP 1
+#define IPHASH_ANON 0x80000000
+
+
+typedef struct iphtstat_s {
+ iphtable_t *iphs_tables;
+ u_long iphs_numtables;
+ u_long iphs_numnodes;
+ u_long iphs_nomem;
+ u_long iphs_pad[16];
+} iphtstat_t;
+
+
+extern iphtable_t *ipf_htables[IPL_LOGSIZE];
+
+extern void fr_htable_unload __P((void));
+extern int fr_newhtable __P((iplookupop_t *));
+extern iphtable_t *fr_findhtable __P((int, char *));
+extern int fr_removehtable __P((iplookupop_t *));
+extern size_t fr_flushhtable __P((iplookupflush_t *));
+extern int fr_addhtent __P((iphtable_t *, iphtent_t *));
+extern int fr_delhtent __P((iphtable_t *, iphtent_t *));
+extern void fr_derefhtable __P((iphtable_t *));
+extern void fr_delhtable __P((iphtable_t *));
+extern void *fr_iphmfindgroup __P((void *, void *));
+extern int fr_iphmfindip __P((void *, int, void *));
+extern int fr_gethtablestat __P((iplookupop_t *));
+
+#endif /* __IP_HTABLE_H__ */
diff --git a/sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c b/sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c
index 40ce131961a3..b54961113012 100644
--- a/sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c
@@ -1,42 +1,90 @@
+/* $FreeBSD$ */
+
/*
+ * Copyright (C) 2001-2003 by Darren Reed
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
* Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT
* code.
*
- * $Id: ip_ipsec_pxy.c,v 1.1.2.10 2002/01/13 04:58:29 darrenr Exp $
+ * Id: ip_ipsec_pxy.c,v 2.20.2.6 2005/03/28 10:47:53 darrenr Exp
*
*/
#define IPF_IPSEC_PROXY
int ippr_ipsec_init __P((void));
-int ippr_ipsec_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+void ippr_ipsec_fini __P((void));
+int ippr_ipsec_new __P((fr_info_t *, ap_session_t *, nat_t *));
void ippr_ipsec_del __P((ap_session_t *));
-int ippr_ipsec_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_ipsec_inout __P((fr_info_t *, ap_session_t *, nat_t *));
int ippr_ipsec_match __P((fr_info_t *, ap_session_t *, nat_t *));
static frentry_t ipsecfr;
-
-
+static ipftq_t *ipsecnattqe;
+static ipftq_t *ipsecstatetqe;
static char ipsec_buffer[1500];
+int ipsec_proxy_init = 0;
+int ipsec_proxy_ttl = 60;
+
/*
- * RCMD application proxy initialization.
+ * IPSec application proxy initialization.
*/
int ippr_ipsec_init()
{
bzero((char *)&ipsecfr, sizeof(ipsecfr));
ipsecfr.fr_ref = 1;
ipsecfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+ MUTEX_INIT(&ipsecfr.fr_lock, "IPsec proxy rule lock");
+ ipsec_proxy_init = 1;
+
+ ipsecnattqe = fr_addtimeoutqueue(&nat_utqe, ipsec_proxy_ttl);
+ if (ipsecnattqe == NULL)
+ return -1;
+ ipsecstatetqe = fr_addtimeoutqueue(&ips_utqe, ipsec_proxy_ttl);
+ if (ipsecstatetqe == NULL) {
+ if (fr_deletetimeoutqueue(ipsecnattqe) == 0)
+ fr_freetimeoutqueue(ipsecnattqe);
+ ipsecnattqe = NULL;
+ return -1;
+ }
+
+ ipsecnattqe->ifq_flags |= IFQF_PROXY;
+ ipsecstatetqe->ifq_flags |= IFQF_PROXY;
+
+ ipsecfr.fr_age[0] = ipsec_proxy_ttl;
+ ipsecfr.fr_age[1] = ipsec_proxy_ttl;
return 0;
}
+void ippr_ipsec_fini()
+{
+ if (ipsecnattqe != NULL) {
+ if (fr_deletetimeoutqueue(ipsecnattqe) == 0)
+ fr_freetimeoutqueue(ipsecnattqe);
+ }
+ ipsecnattqe = NULL;
+ if (ipsecstatetqe != NULL) {
+ if (fr_deletetimeoutqueue(ipsecstatetqe) == 0)
+ fr_freetimeoutqueue(ipsecstatetqe);
+ }
+ ipsecstatetqe = NULL;
+
+ if (ipsec_proxy_init == 1) {
+ MUTEX_DESTROY(&ipsecfr.fr_lock);
+ ipsec_proxy_init = 0;
+ }
+}
+
+
/*
* Setup for a new IPSEC proxy.
*/
-int ippr_ipsec_new(fin, ip, aps, nat)
+int ippr_ipsec_new(fin, aps, nat)
fr_info_t *fin;
-ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
@@ -44,40 +92,22 @@ nat_t *nat;
fr_info_t fi;
ipnat_t *ipn;
char *ptr;
- int p, off, dlen;
+ int p, off, dlen, ttl;
mb_t *m;
+ ip_t *ip;
bzero(ipsec_buffer, sizeof(ipsec_buffer));
off = fin->fin_hlen + sizeof(udphdr_t);
-#ifdef _KERNEL
-# if SOLARIS
- m = fin->fin_qfm;
+ ip = fin->fin_ip;
+ m = fin->fin_m;
- dlen = msgdsize(m) - off;
+ dlen = M_LEN(m) - off;
if (dlen < 16)
return -1;
- copyout_mblk(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
-# else
- m = *(mb_t **)fin->fin_mp;
- dlen = mbufchainlen(m) - off;
- if (dlen < 16)
- return -1;
- m_copydata(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
-# endif
-#else
- m = *(mb_t **)fin->fin_mp;
- dlen = ip->ip_len - off;
- ptr = (char *)m;
- ptr += off;
- bcopy(ptr, ipsec_buffer, MIN(sizeof(ipsec_buffer), dlen));
-#endif
+ COPYDATA(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
- /*
- * Because _new() gets called from nat_new(), ipf_nat is held with a
- * write lock so pass rw=1 to nat_outlookup().
- */
if (nat_outlookup(fin, 0, IPPROTO_ESP, nat->nat_inip,
- ip->ip_dst, 1) != NULL)
+ ip->ip_dst) != NULL)
return -1;
aps->aps_psiz = sizeof(*ipsec);
@@ -94,7 +124,10 @@ nat_t *nat;
* describe ESP but UDP instead.
*/
ipn = &ipsec->ipsc_rule;
- ipn->in_ifp = fin->fin_ifp;
+ ttl = IPF_TTLVAL(ipsecnattqe->ifq_ttl);
+ ipn->in_tqehead[0] = fr_addtimeoutqueue(&nat_utqe, ttl);
+ ipn->in_tqehead[1] = fr_addtimeoutqueue(&nat_utqe, ttl);
+ ipn->in_ifps[0] = fin->fin_ifp;
ipn->in_apr = NULL;
ipn->in_use = 1;
ipn->in_hits = 1;
@@ -102,27 +135,31 @@ nat_t *nat;
ipn->in_ippip = 1;
ipn->in_inip = nat->nat_inip.s_addr;
ipn->in_inmsk = 0xffffffff;
- ipn->in_outip = nat->nat_outip.s_addr;
- ipn->in_outmsk = 0xffffffff;
+ ipn->in_outip = fin->fin_saddr;
+ ipn->in_outmsk = nat->nat_outip.s_addr;
ipn->in_srcip = fin->fin_saddr;
ipn->in_srcmsk = 0xffffffff;
ipn->in_redir = NAT_MAP;
- bcopy(nat->nat_ptr->in_ifname, ipn->in_ifname, sizeof(ipn->in_ifname));
+ bcopy(nat->nat_ptr->in_ifnames[0], ipn->in_ifnames[0],
+ sizeof(ipn->in_ifnames[0]));
ipn->in_p = IPPROTO_ESP;
bcopy((char *)fin, (char *)&fi, sizeof(fi));
+ fi.fin_state = NULL;
+ fi.fin_nat = NULL;
fi.fin_fi.fi_p = IPPROTO_ESP;
fi.fin_fr = &ipsecfr;
fi.fin_data[0] = 0;
fi.fin_data[1] = 0;
p = ip->ip_p;
ip->ip_p = IPPROTO_ESP;
- fi.fin_fl &= ~FI_TCPUDP;
+ fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG);
+ fi.fin_flx |= FI_IGNORE;
ptr = ipsec_buffer;
- bcopy(ptr, ipsec->ipsc_icookie, sizeof(ipsec_cookie_t));
+ bcopy(ptr, (char *)ipsec->ipsc_icookie, sizeof(ipsec_cookie_t));
ptr += sizeof(ipsec_cookie_t);
- bcopy(ptr, ipsec->ipsc_rcookie, sizeof(ipsec_cookie_t));
+ bcopy(ptr, (char *)ipsec->ipsc_rcookie, sizeof(ipsec_cookie_t));
/*
* The responder cookie should only be non-zero if the initiator
* cookie is non-zero. Therefore, it is safe to assume(!) that the
@@ -130,76 +167,101 @@ nat_t *nat;
*/
if ((ipsec->ipsc_rcookie[0]|ipsec->ipsc_rcookie[1]) != 0)
ipsec->ipsc_rckset = 1;
- else
- nat->nat_age = 60; /* 30 seconds */
- ipsec->ipsc_nat = nat_new(&fi, ip, ipn, &ipsec->ipsc_nat, FI_IGNOREPKT,
- NAT_OUTBOUND);
+ ipsec->ipsc_nat = nat_new(&fi, ipn, &ipsec->ipsc_nat,
+ NAT_SLAVE|SI_WILDP, NAT_OUTBOUND);
if (ipsec->ipsc_nat != NULL) {
+ (void) nat_proto(&fi, ipsec->ipsc_nat, 0);
+ nat_update(&fi, ipsec->ipsc_nat, ipn);
+
fi.fin_data[0] = 0;
fi.fin_data[1] = 0;
- ipsec->ipsc_state = fr_addstate(ip, &fi, &ipsec->ipsc_state,
- FI_IGNOREPKT|FI_NORULE);
+ ipsec->ipsc_state = fr_addstate(&fi, &ipsec->ipsc_state,
+ SI_WILDP);
+ if (fi.fin_state != NULL)
+ fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
}
- ip->ip_p = p;
+ ip->ip_p = p & 0xff;
return 0;
}
/*
- * For outgoing IKE packets. refresh timeouts for NAT & stat entries, if
+ * For outgoing IKE packets. refresh timeouts for NAT & state entries, if
* we can. If they have disappeared, recreate them.
*/
-int ippr_ipsec_out(fin, ip, aps, nat)
+int ippr_ipsec_inout(fin, aps, nat)
fr_info_t *fin;
-ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
ipsec_pxy_t *ipsec;
fr_info_t fi;
+ ip_t *ip;
int p;
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- fi.fin_fi.fi_p = IPPROTO_ESP;
- fi.fin_fr = &ipsecfr;
- fi.fin_data[0] = 0;
- fi.fin_data[1] = 0;
- p = ip->ip_p;
- ip->ip_p = IPPROTO_ESP;
- fi.fin_fl &= ~FI_TCPUDP;
+ if ((fin->fin_out == 1) && (nat->nat_dir == NAT_INBOUND))
+ return 0;
+
+ if ((fin->fin_out == 0) && (nat->nat_dir == NAT_OUTBOUND))
+ return 0;
ipsec = aps->aps_data;
+
if (ipsec != NULL) {
+ ip = fin->fin_ip;
+ p = ip->ip_p;
+
+ if ((ipsec->ipsc_nat == NULL) || (ipsec->ipsc_state == NULL)) {
+ bcopy((char *)fin, (char *)&fi, sizeof(fi));
+ fi.fin_state = NULL;
+ fi.fin_nat = NULL;
+ fi.fin_fi.fi_p = IPPROTO_ESP;
+ fi.fin_fr = &ipsecfr;
+ fi.fin_data[0] = 0;
+ fi.fin_data[1] = 0;
+ ip->ip_p = IPPROTO_ESP;
+ fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG);
+ fi.fin_flx |= FI_IGNORE;
+ }
+
/*
* Update NAT timeout/create NAT if missing.
*/
- if (ipsec->ipsc_rckset == 0)
- nat->nat_age = 60; /* 30 seconds */
if (ipsec->ipsc_nat != NULL)
- ipsec->ipsc_nat->nat_age = nat->nat_age;
- else
- ipsec->ipsc_nat = nat_new(&fi, ip, &ipsec->ipsc_rule,
+ fr_queueback(&ipsec->ipsc_nat->nat_tqe);
+ else {
+ ipsec->ipsc_nat = nat_new(&fi, &ipsec->ipsc_rule,
&ipsec->ipsc_nat,
- FI_IGNOREPKT, NAT_OUTBOUND);
+ NAT_SLAVE|SI_WILDP,
+ nat->nat_dir);
+ if (ipsec->ipsc_nat != NULL) {
+ (void) nat_proto(&fi, ipsec->ipsc_nat, 0);
+ nat_update(&fi, ipsec->ipsc_nat,
+ &ipsec->ipsc_rule);
+ }
+ }
/*
* Update state timeout/create state if missing.
*/
READ_ENTER(&ipf_state);
if (ipsec->ipsc_state != NULL) {
- ipsec->ipsc_state->is_age = nat->nat_age;
+ fr_queueback(&ipsec->ipsc_state->is_sti);
+ ipsec->ipsc_state->is_die = nat->nat_age;
RWLOCK_EXIT(&ipf_state);
} else {
RWLOCK_EXIT(&ipf_state);
fi.fin_data[0] = 0;
fi.fin_data[1] = 0;
- ipsec->ipsc_state = fr_addstate(ip, &fi,
+ ipsec->ipsc_state = fr_addstate(&fi,
&ipsec->ipsc_state,
- FI_IGNOREPKT|FI_NORULE);
+ SI_WILDP);
+ if (fi.fin_state != NULL)
+ fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
}
+ ip->ip_p = p;
}
- ip->ip_p = p;
return 0;
}
@@ -220,24 +282,15 @@ nat_t *nat;
mb_t *m;
int off;
- if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_fl & FI_FRAG))
+ nat = nat; /* LINT */
+
+ if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_flx & FI_FRAG))
return -1;
ipsec = aps->aps_data;
off = fin->fin_hlen + sizeof(udphdr_t);
-#ifdef _KERNEL
-# if SOLARIS
- m = fin->fin_qfm;
-
- copyout_mblk(m, off, sizeof(cookies), (char *)cookies);
-# else
- m = *(mb_t **)fin->fin_mp;
- m_copydata(m, off, sizeof(cookies), (char *)cookies);
-# endif
-#else
- m = *(mb_t **)fin->fin_mp;
- bcopy((char *)m + off, cookies, sizeof(cookies));
-#endif
+ m = fin->fin_m;
+ COPYDATA(m, off, sizeof(cookies), (char *)cookies);
if ((cookies[0] != ipsec->ipsc_icookie[0]) ||
(cookies[1] != ipsec->ipsc_icookie[1]))
@@ -245,7 +298,6 @@ nat_t *nat;
if (ipsec->ipsc_rckset == 0) {
if ((cookies[2]|cookies[3]) == 0) {
- nat->nat_age = 60; /* 30 seconds */
return 0;
}
ipsec->ipsc_rckset = 1;
@@ -273,17 +325,16 @@ ap_session_t *aps;
if (ipsec != NULL) {
/*
- * Don't delete it from here, just schedule it to be
- * deleted ASAP.
+ * Don't bother changing any of the NAT structure details,
+ * *_del() is on a callback from aps_free(), from nat_delete()
*/
- if (ipsec->ipsc_nat != NULL) {
- ipsec->ipsc_nat->nat_age = 1;
- ipsec->ipsc_nat->nat_ptr = NULL;
- }
READ_ENTER(&ipf_state);
- if (ipsec->ipsc_state != NULL)
- ipsec->ipsc_state->is_age = 1;
+ if (ipsec->ipsc_state != NULL) {
+ ipsec->ipsc_state->is_die = fr_ticks + 1;
+ ipsec->ipsc_state->is_me = NULL;
+ fr_queuefront(&ipsec->ipsc_state->is_sti);
+ }
RWLOCK_EXIT(&ipf_state);
ipsec->ipsc_state = NULL;
diff --git a/sys/contrib/ipfilter/netinet/ip_irc_pxy.c b/sys/contrib/ipfilter/netinet/ip_irc_pxy.c
new file mode 100644
index 000000000000..0f61d767ba71
--- /dev/null
+++ b/sys/contrib/ipfilter/netinet/ip_irc_pxy.c
@@ -0,0 +1,435 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 2000-2003 Darren Reed
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * Id: ip_irc_pxy.c,v 2.39.2.4 2005/02/04 10:22:55 darrenr Exp
+ */
+
+#define IPF_IRC_PROXY
+
+#define IPF_IRCBUFSZ 96 /* This *MUST* be >= 64! */
+
+
+int ippr_irc_init __P((void));
+void ippr_irc_fini __P((void));
+int ippr_irc_new __P((fr_info_t *, ap_session_t *, nat_t *));
+int ippr_irc_out __P((fr_info_t *, ap_session_t *, nat_t *));
+int ippr_irc_send __P((fr_info_t *, nat_t *));
+int ippr_irc_complete __P((ircinfo_t *, char *, size_t));
+u_short ipf_irc_atoi __P((char **));
+
+static frentry_t ircnatfr;
+
+int irc_proxy_init = 0;
+
+
+/*
+ * Initialize local structures.
+ */
+int ippr_irc_init()
+{
+ bzero((char *)&ircnatfr, sizeof(ircnatfr));
+ ircnatfr.fr_ref = 1;
+ ircnatfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+ MUTEX_INIT(&ircnatfr.fr_lock, "IRC proxy rule lock");
+ irc_proxy_init = 1;
+
+ return 0;
+}
+
+
+void ippr_irc_fini()
+{
+ if (irc_proxy_init == 1) {
+ MUTEX_DESTROY(&ircnatfr.fr_lock);
+ irc_proxy_init = 0;
+ }
+}
+
+
+char *ippr_irc_dcctypes[] = {
+ "CHAT ", /* CHAT chat ipnumber portnumber */
+ "SEND ", /* SEND filename ipnumber portnumber */
+ "MOVE ",
+ "TSEND ",
+ "SCHAT ",
+ NULL,
+};
+
+
+/*
+ * :A PRIVMSG B :^ADCC CHAT chat 0 0^A\r\n
+ * PRIVMSG B ^ADCC CHAT chat 0 0^A\r\n
+ */
+
+
+int ippr_irc_complete(ircp, buf, len)
+ircinfo_t *ircp;
+char *buf;
+size_t len;
+{
+ register char *s, c;
+ register size_t i;
+ u_32_t l;
+ int j, k;
+
+ ircp->irc_ipnum = 0;
+ ircp->irc_port = 0;
+
+ if (len < 31)
+ return 0;
+ s = buf;
+ c = *s++;
+ i = len - 1;
+
+ if ((c != ':') && (c != 'P'))
+ return 0;
+
+ if (c == ':') {
+ /*
+ * Loosely check that the source is a nickname of some sort
+ */
+ s++;
+ c = *s;
+ ircp->irc_snick = s;
+ if (!ISALPHA(c))
+ return 0;
+ i--;
+ for (c = *s; !ISSPACE(c) && (i > 0); i--)
+ c = *s++;
+ if (i < 31)
+ return 0;
+ if (c != 'P')
+ return 0;
+ } else
+ ircp->irc_snick = NULL;
+
+ /*
+ * Check command string
+ */
+ if (strncmp(s, "PRIVMSG ", 8))
+ return 0;
+ i -= 8;
+ s += 8;
+ c = *s;
+ ircp->irc_dnick = s;
+
+ /*
+ * Loosely check that the destination is a nickname of some sort
+ */
+ if (!ISALPHA(c))
+ return 0;
+ for (; !ISSPACE(c) && (i > 0); i--)
+ c = *s++;
+ if (i < 20)
+ return 0;
+ s++,
+ i--;
+
+ /*
+ * Look for a ^A to start the DCC
+ */
+ c = *s;
+ if (c == ':') {
+ s++;
+ c = *s;
+ }
+
+ if (strncmp(s, "\001DCC ", 4))
+ return 0;
+
+ i -= 4;
+ s += 4;
+
+ /*
+ * Check for a recognised DCC command
+ */
+ for (j = 0, k = 0; ippr_irc_dcctypes[j]; j++) {
+ k = MIN(strlen(ippr_irc_dcctypes[j]), i);
+ if (!strncmp(ippr_irc_dcctypes[j], s, k))
+ break;
+ }
+ if (!ippr_irc_dcctypes[j])
+ return 0;
+
+ ircp->irc_type = s;
+ i -= k;
+ s += k;
+
+ if (i < 11)
+ return 0;
+
+ /*
+ * Check for the arg
+ */
+ c = *s;
+ if (ISSPACE(c))
+ return 0;
+ ircp->irc_arg = s;
+ for (; (c != ' ') && (c != '\001') && (i > 0); i--)
+ c = *s++;
+
+ if (c == '\001') /* In reality a ^A can quote another ^A...*/
+ return 0;
+
+ if (i < 5)
+ return 0;
+
+ s++;
+ i--;
+ c = *s;
+ if (!ISDIGIT(c))
+ return 0;
+ ircp->irc_addr = s;
+ /*
+ * Get the IP#
+ */
+ for (l = 0; ISDIGIT(c) && (i > 0); i--) {
+ l *= 10;
+ l += c - '0';
+ c = *s++;
+ }
+
+ if (i < 4)
+ return 0;
+
+ if (c != ' ')
+ return 0;
+
+ ircp->irc_ipnum = l;
+ s++;
+ i--;
+ c = *s;
+ if (!ISDIGIT(c))
+ return 0;
+ /*
+ * Get the port#
+ */
+ for (l = 0; ISDIGIT(c) && (i > 0); i--) {
+ l *= 10;
+ l += c - '0';
+ c = *s++;
+ }
+ if (i < 3)
+ return 0;
+ if (strncmp(s, "\001\r\n", 3))
+ return 0;
+ s += 3;
+ ircp->irc_len = s - buf;
+ ircp->irc_port = l;
+ return 1;
+}
+
+
+int ippr_irc_new(fin, aps, nat)
+fr_info_t *fin;
+ap_session_t *aps;
+nat_t *nat;
+{
+ ircinfo_t *irc;
+
+ KMALLOC(irc, ircinfo_t *);
+ if (irc == NULL)
+ return -1;
+
+ fin = fin; /* LINT */
+ nat = nat; /* LINT */
+
+ aps->aps_data = irc;
+ aps->aps_psiz = sizeof(ircinfo_t);
+
+ bzero((char *)irc, sizeof(*irc));
+ return 0;
+}
+
+
+int ippr_irc_send(fin, nat)
+fr_info_t *fin;
+nat_t *nat;
+{
+ char ctcpbuf[IPF_IRCBUFSZ], newbuf[IPF_IRCBUFSZ];
+ tcphdr_t *tcp, tcph, *tcp2 = &tcph;
+ int off, inc = 0, i, dlen;
+ size_t nlen = 0, olen;
+ struct in_addr swip;
+ u_short a5, sp;
+ ircinfo_t *irc;
+ fr_info_t fi;
+ nat_t *nat2;
+ u_int a1;
+ ip_t *ip;
+ mb_t *m;
+#ifdef MENTAT
+ mb_t *m1;
+#endif
+
+ m = fin->fin_m;
+ ip = fin->fin_ip;
+ tcp = (tcphdr_t *)fin->fin_dp;
+ bzero(ctcpbuf, sizeof(ctcpbuf));
+ off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
+
+#ifdef __sgi
+ dlen = fin->fin_plen - off;
+#else
+ dlen = MSGDSIZE(m) - off;
+#endif
+ if (dlen <= 0)
+ return 0;
+ COPYDATA(m, off, MIN(sizeof(ctcpbuf), dlen), ctcpbuf);
+
+ if (dlen <= 0)
+ return 0;
+ ctcpbuf[sizeof(ctcpbuf) - 1] = '\0';
+ *newbuf = '\0';
+
+ irc = nat->nat_aps->aps_data;
+ if (ippr_irc_complete(irc, ctcpbuf, dlen) == 0)
+ return 0;
+
+ /*
+ * check that IP address in the PORT/PASV reply is the same as the
+ * sender of the command - prevents using PORT for port scanning.
+ */
+ if (irc->irc_ipnum != ntohl(nat->nat_inip.s_addr))
+ return 0;
+
+ a5 = irc->irc_port;
+
+ /*
+ * Calculate new address parts for the DCC command
+ */
+ a1 = ntohl(ip->ip_src.s_addr);
+ olen = irc->irc_len;
+ i = irc->irc_addr - ctcpbuf;
+ i++;
+ (void) strncpy(newbuf, ctcpbuf, i);
+ /* DO NOT change these! */
+#if defined(SNPRINTF) && defined(KERNEL)
+ SNPRINTF(newbuf, sizeof(newbuf) - i, "%u %u\001\r\n", a1, a5);
+#else
+ (void) sprintf(newbuf, "%u %u\001\r\n", a1, a5);
+#endif
+
+ nlen = strlen(newbuf);
+ inc = nlen - olen;
+
+ if ((inc + ip->ip_len) > 65535)
+ return 0;
+
+#ifdef MENTAT
+ for (m1 = m; m1->b_cont; m1 = m1->b_cont)
+ ;
+ if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
+ mblk_t *nm;
+
+ /* alloc enough to keep same trailer space for lower driver */
+ nm = allocb(nlen, BPRI_MED);
+ PANIC((!nm),("ippr_irc_out: allocb failed"));
+
+ nm->b_band = m1->b_band;
+ nm->b_wptr += nlen;
+
+ m1->b_wptr -= olen;
+ PANIC((m1->b_wptr < m1->b_rptr),
+ ("ippr_irc_out: cannot handle fragmented data block"));
+
+ linkb(m1, nm);
+ } else {
+# if SOLARIS && defined(ICK_VALID)
+ if (m1->b_datap->db_struiolim == m1->b_wptr)
+ m1->b_datap->db_struiolim += inc;
+ m1->b_datap->db_struioflag &= ~STRUIO_IP;
+# endif
+ m1->b_wptr += inc;
+ }
+#else
+ if (inc < 0)
+ m_adj(m, inc);
+ /* the mbuf chain will be extended if necessary by m_copyback() */
+#endif
+ COPYBACK(m, off, nlen, newbuf);
+
+ if (inc != 0) {
+#if defined(MENTAT) || defined(__sgi)
+ register u_32_t sum1, sum2;
+
+ sum1 = ip->ip_len;
+ sum2 = ip->ip_len + inc;
+
+ /* Because ~1 == -2, We really need ~1 == -1 */
+ if (sum1 > sum2)
+ sum2--;
+ sum2 -= sum1;
+ sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+
+ fix_outcksum(fin, &ip->ip_sum, sum2);
+#endif
+ ip->ip_len += inc;
+ }
+
+ /*
+ * Add skeleton NAT entry for connection which will come back the
+ * other way.
+ */
+ sp = htons(a5);
+ /*
+ * Don't allow the PORT command to specify a port < 1024 due to
+ * security crap.
+ */
+ if (ntohs(sp) < 1024)
+ return 0;
+
+ /*
+ * The server may not make the connection back from port 20, but
+ * it is the most likely so use it here to check for a conflicting
+ * mapping.
+ */
+ bcopy((caddr_t)fin, (caddr_t)&fi, sizeof(fi));
+ fi.fin_data[0] = sp;
+ fi.fin_data[1] = fin->fin_data[1];
+ nat2 = nat_outlookup(fin, IPN_TCP, nat->nat_p, nat->nat_inip,
+ ip->ip_dst);
+ if (nat2 == NULL) {
+ bcopy((caddr_t)fin, (caddr_t)&fi, sizeof(fi));
+ bzero((char *)tcp2, sizeof(*tcp2));
+ tcp2->th_win = htons(8192);
+ tcp2->th_sport = sp;
+ tcp2->th_dport = 0; /* XXX - don't specify remote port */
+ fi.fin_state = NULL;
+ fi.fin_nat = NULL;
+ fi.fin_data[0] = ntohs(sp);
+ fi.fin_data[1] = 0;
+ fi.fin_dp = (char *)tcp2;
+ fi.fin_fr = &ircnatfr;
+ fi.fin_dlen = sizeof(*tcp2);
+ fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
+ swip = ip->ip_src;
+ ip->ip_src = nat->nat_inip;
+ nat2 = nat_new(&fi, nat->nat_ptr, NULL,
+ NAT_SLAVE|IPN_TCP|SI_W_DPORT, NAT_OUTBOUND);
+ if (nat2 != NULL) {
+ (void) nat_proto(&fi, nat2, 0);
+ nat_update(&fi, nat2, nat2->nat_ptr);
+
+ (void) fr_addstate(&fi, NULL, SI_W_DPORT);
+ if (fi.fin_state != NULL)
+ fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
+ }
+ ip->ip_src = swip;
+ }
+ return inc;
+}
+
+
+int ippr_irc_out(fin, aps, nat)
+fr_info_t *fin;
+ap_session_t *aps;
+nat_t *nat;
+{
+ aps = aps; /* LINT */
+ return ippr_irc_send(fin, nat);
+}
diff --git a/sys/contrib/ipfilter/netinet/ip_log.c b/sys/contrib/ipfilter/netinet/ip_log.c
index 3628a58bf4a0..804f7c7c23fb 100644
--- a/sys/contrib/ipfilter/netinet/ip_log.c
+++ b/sys/contrib/ipfilter/netinet/ip_log.c
@@ -1,144 +1,177 @@
+/* $FreeBSD$ */
+
/*
- * Copyright (C) 1997-2001 by Darren Reed.
+ * Copyright (C) 1997-2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ip_log.c,v 2.5.2.26 2004/06/20 01:59:01 darrenr Exp $
+ * Id: ip_log.c,v 2.75.2.6 2004/10/16 07:59:27 darrenr Exp
*/
#include <sys/param.h>
-#if defined(KERNEL) && !defined(_KERNEL)
-# define _KERNEL
+#if defined(KERNEL) || defined(_KERNEL)
+# undef KERNEL
+# undef _KERNEL
+# define KERNEL 1
+# define _KERNEL 1
#endif
#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
defined(_KERNEL)
# include "opt_ipfilter_log.h"
#endif
-#ifdef __FreeBSD__
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+#if defined(__FreeBSD__) && !defined(IPFILTER_LKM)
+# if defined(_KERNEL)
# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
# include "opt_ipfilter.h"
# endif
# else
-# ifdef KLD_MODULE
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-# endif
+# include <osreldate.h>
# endif
#endif
-#ifdef IPFILTER_LOG
-# ifndef SOLARIS
-# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#ifndef SOLARIS
+# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#endif
+#include <sys/errno.h>
+#include <sys/types.h>
+#include <sys/file.h>
+#ifndef _KERNEL
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+# include <ctype.h>
+# define _KERNEL
+# define KERNEL
+# ifdef __OpenBSD__
+struct file;
# endif
-# ifndef _KERNEL
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# include <ctype.h>
+# include <sys/uio.h>
+# undef _KERNEL
+# undef KERNEL
+#endif
+#if __FreeBSD_version >= 220000 && defined(_KERNEL)
+# include <sys/fcntl.h>
+# include <sys/filio.h>
+#else
+# include <sys/ioctl.h>
+#endif
+#include <sys/time.h>
+#if defined(_KERNEL)
+# include <sys/systm.h>
+# if defined(NetBSD) && (__NetBSD_Version__ >= 104000000)
+# include <sys/proc.h>
# endif
-# include <sys/errno.h>
-# include <sys/types.h>
-# include <sys/file.h>
-# if __FreeBSD_version >= 220000 && defined(_KERNEL)
-# include <sys/fcntl.h>
-# include <sys/filio.h>
+#endif /* _KERNEL */
+#if !SOLARIS && !defined(__hpux) && !defined(linux)
+# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
+# include <sys/dirent.h>
# else
-# include <sys/ioctl.h>
-# endif
-# include <sys/time.h>
-# if defined(_KERNEL)
-# include <sys/systm.h>
+# include <sys/dir.h>
# endif
-# if !SOLARIS
-# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-# include <sys/mbuf.h>
-# else
+# include <sys/mbuf.h>
+#else
+# if !defined(__hpux) && defined(_KERNEL)
# include <sys/filio.h>
# include <sys/cred.h>
+# include <sys/ddi.h>
+# include <sys/sunddi.h>
+# include <sys/ksynch.h>
# include <sys/kmem.h>
-# ifdef _KERNEL
-# include <sys/ddi.h>
-# include <sys/sunddi.h>
-# include <sys/ksynch.h>
-# include <sys/dditypes.h>
-# include <sys/cmn_err.h>
-# endif
-# endif
+# include <sys/mkdev.h>
+# include <sys/dditypes.h>
+# include <sys/cmn_err.h>
+# endif /* !__hpux */
+#endif /* !SOLARIS && !__hpux */
+#if !defined(linux)
# include <sys/protosw.h>
-# include <sys/socket.h>
+#endif
+#include <sys/socket.h>
-# include <net/if.h>
-# ifdef sun
-# include <net/af.h>
-# endif
-# if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# endif
-# include <net/route.h>
-# include <netinet/in.h>
-# ifdef __sgi
-# define _KMEMUSER
-# include <sys/ddi.h>
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-# include <sys/hashing.h>
-# endif
-# endif
-# if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /*IRIX<6*/
-# include <netinet/in_var.h>
-# endif
-# include <netinet/in_systm.h>
-# include <netinet/ip.h>
-# include <netinet/tcp.h>
-# include <netinet/udp.h>
-# include <netinet/ip_icmp.h>
-# ifdef USE_INET6
-# include <netinet/icmp6.h>
+#include <net/if.h>
+#ifdef sun
+# include <net/af.h>
+#endif
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
+#include <net/route.h>
+#include <netinet/in.h>
+#ifdef __sgi
+# include <sys/ddi.h>
+# ifdef IFF_DRVRLOCK /* IRIX6 */
+# include <sys/hashing.h>
# endif
+#endif
+#if !defined(__hpux) && !defined(linux) && \
+ !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /*IRIX<6*/
+# include <netinet/in_var.h>
+#endif
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/ip_icmp.h>
+#ifdef USE_INET6
+# include <netinet/icmp6.h>
+#endif
+#if !defined(linux)
# include <netinet/ip_var.h>
-# ifndef _KERNEL
-# include <syslog.h>
-# endif
-# include "netinet/ip_compat.h"
-# include <netinet/tcpip.h>
-# include "netinet/ip_fil.h"
-# if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# endif
+#endif
+#ifndef _KERNEL
+# include <syslog.h>
+#endif
+#include "netinet/ip_compat.h"
+#include <netinet/tcpip.h>
+#include "netinet/ip_fil.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_frag.h"
+#include "netinet/ip_state.h"
+#include "netinet/ip_auth.h"
+#if (__FreeBSD_version >= 300000) || defined(__NetBSD__)
+# include <sys/malloc.h>
+#endif
+/* END OF INCLUDES */
-# ifndef MIN
-# define MIN(a,b) (((a)<(b))?(a):(b))
-# endif
-# ifdef IPFILTER_LOGSIZE
-# undef IPLLOGSIZE
-# define IPLLOGSIZE IPFILTER_LOGSIZE
-# endif
+#ifdef IPFILTER_LOG
+# if defined(IPL_SELECT)
+# include <machine/sys/user.h>
+# include <sys/kthread_iface.h>
+# define READ_COLLISION 0x001
-# if SOLARIS || defined(__sgi)
-extern kmutex_t ipl_mutex;
-# if SOLARIS
+iplog_select_t iplog_ss[IPL_LOGMAX+1];
+
+extern int selwait;
+# endif /* IPL_SELECT */
+
+# if defined(linux) && defined(_KERNEL)
+wait_queue_head_t iplh_linux[IPL_LOGSIZE];
+# endif
+# if SOLARIS
extern kcondvar_t iplwait;
-# endif
# endif
-iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1], *ipll[IPL_LOGMAX+1];
-size_t iplused[IPL_LOGMAX+1];
-static fr_info_t iplcrc[IPL_LOGMAX+1];
+iplog_t **iplh[IPL_LOGSIZE], *iplt[IPL_LOGSIZE], *ipll[IPL_LOGSIZE];
+int iplused[IPL_LOGSIZE];
+static fr_info_t iplcrc[IPL_LOGSIZE];
+int ipl_suppress = 1;
+int ipl_buffer_sz;
+int ipl_logmax = IPL_LOGMAX;
+int ipl_logall = 0;
+int ipl_log_init = 0;
+int ipl_logsize = IPFILTER_LOGSIZE;
+int ipl_magic[IPL_LOGSIZE] = { IPL_MAGIC, IPL_MAGIC_NAT, IPL_MAGIC_STATE,
+ IPL_MAGIC, IPL_MAGIC, IPL_MAGIC,
+ IPL_MAGIC, IPL_MAGIC };
-/*
- * Initialise log buffers & pointers. Also iniialised the CRC to a local
- * secret for use in calculating the "last log checksum".
- */
-void ipflog_init()
+/* ------------------------------------------------------------------------ */
+/* Function: fr_loginit */
+/* Returns: int - 0 == success (always returned) */
+/* Parameters: Nil */
+/* */
+/* Initialise log buffers & pointers. Also iniialised the CRC to a local */
+/* secret for use in calculating the "last log checksum". */
+/* ------------------------------------------------------------------------ */
+int fr_loginit()
{
int i;
@@ -148,40 +181,88 @@ void ipflog_init()
iplh[i] = &iplt[i];
iplused[i] = 0;
bzero((char *)&iplcrc[i], sizeof(iplcrc[i]));
+# ifdef IPL_SELECT
+ iplog_ss[i].read_waiter = 0;
+ iplog_ss[i].state = 0;
+# endif
+# if defined(linux) && defined(_KERNEL)
+ init_waitqueue_head(iplh_linux + i);
+# endif
}
+
+# if SOLARIS && defined(_KERNEL)
+ cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL);
+# endif
+ MUTEX_INIT(&ipl_mutex, "ipf log mutex");
+
+ ipl_log_init = 1;
+
+ return 0;
}
-/*
- * ipflog
- * Create a log record for a packet given that it has been triggered by a
- * rule (or the default setting). Calculate the transport protocol header
- * size using predetermined size of a couple of popular protocols and thus
- * how much data to copy into the log, including part of the data body if
- * requested.
- */
-int ipflog(flags, ip, fin, m)
-u_int flags;
-ip_t *ip;
+/* ------------------------------------------------------------------------ */
+/* Function: fr_logunload */
+/* Returns: Nil */
+/* Parameters: Nil