Add feature for tcp "established".
Change interface between netinet and ip_fw to be more general, and thus hopefully also support other ip filtering implementations.
This commit is contained in:
Poul-Henning Kamp
parent
6cece43912
commit
23bf99538c
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=15026
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)in.h 8.3 (Berkeley) 1/3/94
|
||||
* $Id: in.h,v 1.15 1996/02/22 21:32:17 peter Exp $
|
||||
* $Id: in.h,v 1.16 1996/03/14 16:59:18 fenner Exp $
|
||||
*/
|
||||
|
||||
#ifndef _NETINET_IN_H_
|
||||
@ -310,7 +310,13 @@ int in_canforward __P((struct in_addr));
|
||||
int in_cksum __P((struct mbuf *, int));
|
||||
int in_localaddr __P((struct in_addr));
|
||||
char *inet_ntoa __P((struct in_addr)); /* in libkern */
|
||||
#endif
|
||||
|
||||
/* Firewall hooks */
|
||||
struct ip;
|
||||
typedef int ip_fw_chk_t __P((struct ip**, int, struct ifnet*, int, struct mbuf**));
|
||||
typedef int ip_fw_ctl_t __P((int, struct mbuf**));
|
||||
extern ip_fw_chk_t *ip_fw_chk_ptr;
|
||||
extern ip_fw_ctl_t *ip_fw_ctl_ptr;
|
||||
#endif /* KERNEL */
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
*
|
||||
* This software is provided ``AS IS'' without any warranties of any kind.
|
||||
*
|
||||
* $Id: ip_fw.c,v 1.32 1996/02/24 13:38:26 phk Exp $
|
||||
* $Id: ip_fw.c,v 1.33 1996/02/26 15:28:15 phk Exp $
|
||||
*/
|
||||
|
||||
/*
|
||||
@ -70,8 +70,8 @@ static int port_match __P((u_short *portptr, int nports, u_short port,
|
||||
static int tcpflg_match __P((struct tcphdr *tcp, struct ip_fw *f));
|
||||
static void ipfw_report __P((char *txt, int rule, struct ip *ip));
|
||||
|
||||
static int (*old_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *, int dir);
|
||||
static int (*old_ctl_ptr)(int,struct mbuf **);
|
||||
static ip_fw_chk_t *old_chk_ptr;
|
||||
static ip_fw_ctl_t *old_ctl_ptr;
|
||||
|
||||
/*
|
||||
* Returns 1 if the port is matched by the vector, 0 otherwise
|
||||
@ -107,6 +107,10 @@ tcpflg_match(tcp, f)
|
||||
{
|
||||
u_char flg_set, flg_clr;
|
||||
|
||||
if ((f->fw_tcpf & IP_FW_TCPF_ESTAB) &&
|
||||
(tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK)))
|
||||
return 1;
|
||||
|
||||
flg_set = tcp->th_flags & f->fw_tcpf;
|
||||
flg_clr = tcp->th_flags & f->fw_tcpnf;
|
||||
|
||||
@ -225,14 +229,15 @@ ipfw_report(char *txt, int rule, struct ip *ip)
|
||||
*/
|
||||
|
||||
int
|
||||
ip_fw_chk(m, ip, rif, dir)
|
||||
struct mbuf *m;
|
||||
struct ip *ip;
|
||||
ip_fw_chk(pip, hlen, rif, dir, m)
|
||||
struct ip **pip;
|
||||
struct ifnet *rif;
|
||||
int dir;
|
||||
int hlen, dir;
|
||||
struct mbuf **m;
|
||||
{
|
||||
struct ip_fw_chain *chain;
|
||||
register struct ip_fw *f = NULL;
|
||||
struct ip *ip = *pip;
|
||||
struct tcphdr *tcp = (struct tcphdr *) ((u_long *) ip + ip->ip_hl);
|
||||
struct udphdr *udp = (struct udphdr *) ((u_long *) ip + ip->ip_hl);
|
||||
struct icmp *icmp = (struct icmp *) ((u_long *) ip + ip->ip_hl);
|
||||
@ -247,7 +252,7 @@ ip_fw_chk(m, ip, rif, dir)
|
||||
*/
|
||||
if ((ip->ip_off & IP_OFFMASK) == 1) {
|
||||
ipfw_report("Refuse", -1, ip);
|
||||
m_freem(m);
|
||||
m_freem(*m);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -422,15 +427,15 @@ ip_fw_chk(m, ip, rif, dir)
|
||||
*/
|
||||
if ((f_prt != IP_FW_F_ICMP) && (f->fw_flg & IP_FW_F_ICMPRPL)) {
|
||||
if (f_prt == IP_FW_F_ALL)
|
||||
icmp_error(m, ICMP_UNREACH,
|
||||
icmp_error(*m, ICMP_UNREACH,
|
||||
ICMP_UNREACH_HOST, 0L, 0);
|
||||
else
|
||||
icmp_error(m, ICMP_UNREACH,
|
||||
icmp_error(*m, ICMP_UNREACH,
|
||||
ICMP_UNREACH_PORT, 0L, 0);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
m_freem(m);
|
||||
m_freem(*m);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
*
|
||||
* This software is provided ``AS IS'' without any warranties of any kind.
|
||||
*
|
||||
* $Id: ip_fw.h,v 1.16 1996/02/24 00:17:33 phk Exp $
|
||||
* $Id: ip_fw.h,v 1.17 1996/02/24 13:38:27 phk Exp $
|
||||
*/
|
||||
|
||||
/*
|
||||
@ -105,6 +105,7 @@ struct ip_fw_chain {
|
||||
#define IP_FW_TCPF_PSH TH_PUSH
|
||||
#define IP_FW_TCPF_ACK TH_ACK
|
||||
#define IP_FW_TCPF_URG TH_URG
|
||||
#define IP_FW_TCPF_ESTAB 0x40
|
||||
|
||||
/*
|
||||
* New IP firewall options for [gs]etsockopt at the RAW IP level.
|
||||
@ -122,12 +123,6 @@ struct ip_fw_chain {
|
||||
*/
|
||||
#ifdef KERNEL
|
||||
|
||||
/*
|
||||
* Function pointers.
|
||||
*/
|
||||
extern int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *, int dir);
|
||||
extern int (*ip_fw_ctl_ptr)(int,struct mbuf **);
|
||||
|
||||
/*
|
||||
* Function definitions.
|
||||
*/
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)ip_input.c 8.2 (Berkeley) 1/4/94
|
||||
* $Id: ip_input.c,v 1.38 1996/02/24 13:38:28 phk Exp $
|
||||
* $Id: ip_input.c,v 1.39 1996/03/25 17:41:23 phk Exp $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -60,8 +60,6 @@
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
|
||||
#include <netinet/ip_fw.h>
|
||||
|
||||
#include <sys/socketvar.h>
|
||||
int rsvp_on = 0;
|
||||
static int ip_rsvp_on;
|
||||
@ -105,23 +103,9 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
|
||||
&ip_mtu, 0, "");
|
||||
#endif
|
||||
|
||||
/*
|
||||
* The dummy IP-firewall function, and the pointer we access it through
|
||||
*/
|
||||
static int
|
||||
dummy_ip_fw_chk(m, ip, rif, dir)
|
||||
struct mbuf *m;
|
||||
struct ip *ip;
|
||||
struct ifnet *rif;
|
||||
int dir;
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
|
||||
int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *, struct ifnet *, int dir) =
|
||||
dummy_ip_fw_chk;
|
||||
|
||||
int (*ip_fw_ctl_ptr)(int, struct mbuf **);
|
||||
/* Firewall hooks */
|
||||
ip_fw_chk_t *ip_fw_chk_ptr;
|
||||
ip_fw_ctl_t *ip_fw_ctl_ptr;
|
||||
|
||||
/*
|
||||
* We need to save the IP options in case a protocol wants to respond
|
||||
@ -187,9 +171,9 @@ static struct route ipforward_rt;
|
||||
void
|
||||
ip_input(struct mbuf *m)
|
||||
{
|
||||
register struct ip *ip;
|
||||
register struct ipq *fp;
|
||||
register struct in_ifaddr *ia;
|
||||
struct ip *ip;
|
||||
struct ipq *fp;
|
||||
struct in_ifaddr *ia;
|
||||
int hlen;
|
||||
|
||||
#ifdef DIAGNOSTIC
|
||||
@ -269,8 +253,9 @@ ip_input(struct mbuf *m)
|
||||
* - Encapsulate: put it in another IP and send out. <unimp.>
|
||||
*/
|
||||
|
||||
if (!(*ip_fw_chk_ptr)(m,ip,m->m_pkthdr.rcvif,0))
|
||||
return;
|
||||
if (ip_fw_chk_ptr &&
|
||||
!(*ip_fw_chk_ptr)(&ip, hlen, m->m_pkthdr.rcvif, 0, &m))
|
||||
goto bad;
|
||||
|
||||
/*
|
||||
* Process options and, if not destined for us,
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)ip_output.c 8.3 (Berkeley) 1/21/94
|
||||
* $Id: ip_output.c,v 1.32 1996/03/13 08:02:43 pst Exp $
|
||||
* $Id: ip_output.c,v 1.33 1996/03/26 18:56:51 fenner Exp $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -54,8 +54,6 @@
|
||||
#include <netinet/in_var.h>
|
||||
#include <netinet/ip_var.h>
|
||||
|
||||
#include <netinet/ip_fw.h>
|
||||
|
||||
#ifdef vax
|
||||
#include <machine/mtpr.h>
|
||||
#endif
|
||||
@ -86,10 +84,10 @@ ip_output(m0, opt, ro, flags, imo)
|
||||
int flags;
|
||||
struct ip_moptions *imo;
|
||||
{
|
||||
register struct ip *ip, *mhip;
|
||||
register struct ifnet *ifp;
|
||||
register struct mbuf *m = m0;
|
||||
register int hlen = sizeof (struct ip);
|
||||
struct ip *ip, *mhip;
|
||||
struct ifnet *ifp;
|
||||
struct mbuf *m = m0;
|
||||
int hlen = sizeof (struct ip);
|
||||
int len, off, error = 0;
|
||||
/*
|
||||
* It might seem obvious at first glance that one could easily
|
||||
@ -339,7 +337,7 @@ ip_output(m0, opt, ro, flags, imo)
|
||||
/*
|
||||
* Check with the firewall...
|
||||
*/
|
||||
if (!(*ip_fw_chk_ptr)(m,ip,ifp,1)) {
|
||||
if (ip_fw_chk_ptr && !(*ip_fw_chk_ptr)(&ip, hlen, ifp, 1, &m)) {
|
||||
error = EACCES;
|
||||
goto done;
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user