d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Import IPFilter 3.4.25 (last version 3.4.20)

Browse Source
This commit is contained in:
Darren Reed 2002-03-19 11:30:21 +00:00
parent fb1ae013ab
commit 28613e5584
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/vendor-sys/ipfilter/dist/; revision=92680
3 changed files with 676 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

275
sys/contrib/ipfilter/netinet/ip_h323_pxy.c Normal file
View File

@ -0,0 +1,275 @@
/*
* Copyright 2001, QNX Software Systems Ltd. All Rights Reserved
*
* This source code has been published by QNX Software Systems Ltd. (QSSL).
* However, any use, reproduction, modification, distribution or transfer of
* this software, or any software which includes or is based upon any of this
* code, is only permitted under the terms of the QNX Open Community License
* version 1.0 (see licensing.qnx.com for details) or as otherwise expressly
* authorized by a written license agreement from QSSL. For more information,
* please email licensing@qnx.com.
*
*/
/*
* Simple H.323 proxy
*
* by xtang@canada.com
* ported to ipfilter 3.4.20 by Michael Grant mg-ipf@grant.org
*/
#if __FreeBSD_version >= 220000 && defined(_KERNEL)
# include <sys/fcntl.h>
# include <sys/filio.h>
#else
# include <sys/ioctl.h>
#endif
#define IPF_H323_PROXY
int ippr_h323_init __P((void));
int ippr_h323_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
void ippr_h323_del __P((ap_session_t *));
int ippr_h323_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_h323_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_h245_init __P((void));
int ippr_h245_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_h245_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_h245_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
static frentry_t h323_fr;
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
extern KRWLOCK_T ipf_nat;
#endif
static int find_port __P((int, u_char *, int datlen, int *, u_short *));
static int find_port(ipaddr, data, datlen, off, port)
int ipaddr;
unsigned char *data;
int datlen, *off;
unsigned short *port;
{
if (datlen < 6)
return -1;
*port = 0;
for (*off = 0; *off <= datlen - 6; *off = *off + 1) {
if (ipaddr == *(int *)(data + *off))
{
*port = (*(data + *off + 4) << 8) + *(data + *off +5);
break;
}
}
return (*off > datlen - 6) ? -1 : 0;
}
/*
* Initialize local structures.
*/
int ippr_h323_init()
{
bzero((char *)&h323_fr, sizeof(h323_fr));
h323_fr.fr_ref = 1;
h323_fr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
return 0;
}
int ippr_h323_new(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
aps->aps_data = NULL;
aps->aps_psiz = 0;
return 0;
}
void ippr_h323_del(aps)
ap_session_t *aps;
{
int i;
ipnat_t *ipn;
if (aps->aps_data) {
for (i = 0, ipn = aps->aps_data;
i < (aps->aps_psiz / sizeof(ipnat_t));
i++, ipn = (ipnat_t *)((char *)ipn + sizeof(*ipn)))
{
/*
* Check the comment in ippr_h323_in() function,
* just above nat_ioctl() call.
* We are lucky here because this function is not
* called with ipf_nat locked.
*/
if (nat_ioctl((caddr_t)ipn, SIOCRMNAT, FWRITE) == -1) {
/* log the error */
}
}
KFREES(aps->aps_data, aps->aps_psiz);
}
return;
}
int ippr_h323_out(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
return 0;
}
int ippr_h323_in(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
int ipaddr, off, datlen;
unsigned short port;
unsigned char *data;
tcphdr_t *tcp;
tcp = (tcphdr_t *)fin->fin_dp;
ipaddr = ip->ip_src.s_addr;
data = (unsigned char *)tcp + (tcp->th_off << 2);
datlen = ip->ip_len - (ip->ip_hl << 2) - (tcp->th_off << 2);
if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
ipnat_t *ipn;
char *newarray;
/* setup a nat rule to set a h245 proxy on tcp-port "port"
* it's like:
* map <if> <inter_ip>/<mask> -> <gate_ip>/<mask> proxy port <port> <port>/tcp
*/
KMALLOCS(newarray, char *, aps->aps_psiz + sizeof(*ipn));
if (newarray == NULL) {
return -1;
}
ipn = (ipnat_t *)&newarray[aps->aps_psiz];
bcopy(nat->nat_ptr, ipn, sizeof(ipnat_t));
strncpy(ipn->in_plabel, "h245", APR_LABELLEN);
ipn->in_inip = nat->nat_inip.s_addr;
ipn->in_inmsk = 0xffffffff;
ipn->in_dport = htons(port);
/*
* we got a problem here. we need to call nat_ioctl() to add
* the h245 proxy rule, but since we already hold (READ locked)
* the nat table rwlock (ipf_nat), if we go into nat_ioctl(),
* it will try to WRITE lock it. This will causing dead lock
* on RTP.
*
* The quick & dirty solution here is release the read lock,
* call nat_ioctl() and re-lock it.
* A (maybe better) solution is do a UPGRADE(), and instead
* of calling nat_ioctl(), we add the nat rule ourself.
*/
RWLOCK_EXIT(&ipf_nat);
if (nat_ioctl((caddr_t)ipn, SIOCADNAT, FWRITE) == -1) {
READ_ENTER(&ipf_nat);
return -1;
}
READ_ENTER(&ipf_nat);
bcopy(aps->aps_data, newarray, aps->aps_psiz);
KFREES(aps->aps_data, aps->aps_psiz);
aps->aps_data = newarray;
aps->aps_psiz += sizeof(*ipn);
}
return 0;
}
int ippr_h245_init()
{
return 0;
}
int ippr_h245_new(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
aps->aps_data = NULL;
aps->aps_psiz = 0;
return 0;
}
int ippr_h245_out(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
int ipaddr, off, datlen;
u_short port;
unsigned char *data;
tcphdr_t *tcp;
tcp = (tcphdr_t *)fin->fin_dp;
ipaddr = nat->nat_inip.s_addr;
data = (unsigned char *)tcp + (tcp->th_off << 2);
datlen = ip->ip_len - fin->fin_hlen - (tcp->th_off << 2);
if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
fr_info_t fi;
nat_t *ipn;
/* port = htons(port); */
ipn = nat_outlookup(fin->fin_ifp, IPN_UDP, IPPROTO_UDP,
ip->ip_src, ip->ip_dst, 1);
if (ipn == NULL) {
struct ip newip;
struct udphdr udp;
bcopy(ip, &newip, sizeof(newip));
newip.ip_len = fin->fin_hlen + sizeof(udp);
newip.ip_p = IPPROTO_UDP;
newip.ip_src = nat->nat_inip;
bzero(&udp, sizeof(udp));
udp.uh_sport = port;
bcopy(fin, &fi, sizeof(fi));
fi.fin_fi.fi_p = IPPROTO_UDP;
fi.fin_data[0] = port;
fi.fin_data[1] = 0;
fi.fin_dp = (char *)&udp;
ipn = nat_new(&fi, &newip, nat->nat_ptr, NULL,
IPN_UDP|FI_W_DPORT, NAT_OUTBOUND);
if (ipn != NULL) {
ipn->nat_ptr->in_hits++;
#ifdef IPFILTER_LOG
nat_log(ipn, (u_int)(nat->nat_ptr->in_redir));
#endif
*(int *)(data + off) = ip->ip_src.s_addr;
*(short *)(data + off + 4) = ipn->nat_outport;
}
}
}
return 0;
}
int ippr_h245_in(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
return 0;
}

292
sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c Normal file
View File

@ -0,0 +1,292 @@
/*
* Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* $Id: ip_ipsec_pxy.c,v 1.1.2.10 2002/01/13 04:58:29 darrenr Exp $
*
*/
#define IPF_IPSEC_PROXY
int ippr_ipsec_init __P((void));
int ippr_ipsec_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
void ippr_ipsec_del __P((ap_session_t *));
int ippr_ipsec_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_ipsec_match __P((fr_info_t *, ap_session_t *, nat_t *));
static frentry_t ipsecfr;
static char ipsec_buffer[1500];
/*
* RCMD application proxy initialization.
*/
int ippr_ipsec_init()
{
bzero((char *)&ipsecfr, sizeof(ipsecfr));
ipsecfr.fr_ref = 1;
ipsecfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
return 0;
}
/*
* Setup for a new IPSEC proxy.
*/
int ippr_ipsec_new(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
ipsec_pxy_t *ipsec;
fr_info_t fi;
ipnat_t *ipn;
char *ptr;
int p, off, dlen;
mb_t *m;
bzero(ipsec_buffer, sizeof(ipsec_buffer));
off = fin->fin_hlen + sizeof(udphdr_t);
#ifdef _KERNEL
# if SOLARIS
m = fin->fin_qfm;
dlen = msgdsize(m) - off;
if (dlen < 16)
return -1;
copyout_mblk(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
# else
m = *(mb_t **)fin->fin_mp;
dlen = mbufchainlen(m) - off;
if (dlen < 16)
return -1;
m_copydata(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
# endif
#else
m = *(mb_t **)fin->fin_mp;
dlen = ip->ip_len - off;
ptr = (char *)m;
ptr += off;
bcopy(ptr, ipsec_buffer, MIN(sizeof(ipsec_buffer), dlen));
#endif
/*
* Because _new() gets called from nat_new(), ipf_nat is held with a
* write lock so pass rw=1 to nat_outlookup().
*/
if (nat_outlookup(fin, 0, IPPROTO_ESP, nat->nat_inip,
ip->ip_dst, 1) != NULL)
return -1;
aps->aps_psiz = sizeof(*ipsec);
KMALLOCS(aps->aps_data, ipsec_pxy_t *, sizeof(*ipsec));
if (aps->aps_data == NULL)
return -1;
ipsec = aps->aps_data;
bzero((char *)ipsec, sizeof(*ipsec));
/*
* Create NAT rule against which the tunnel/transport mapping is
* created. This is required because the current NAT rule does not
* describe ESP but UDP instead.
*/
ipn = &ipsec->ipsc_rule;
ipn->in_ifp = fin->fin_ifp;
ipn->in_apr = NULL;
ipn->in_use = 1;
ipn->in_hits = 1;
ipn->in_nip = ntohl(nat->nat_outip.s_addr);
ipn->in_ippip = 1;
ipn->in_inip = nat->nat_inip.s_addr;
ipn->in_inmsk = 0xffffffff;
ipn->in_outip = nat->nat_outip.s_addr;
ipn->in_outmsk = 0xffffffff;
ipn->in_srcip = fin->fin_saddr;
ipn->in_srcmsk = 0xffffffff;
ipn->in_redir = NAT_MAP;
bcopy(nat->nat_ptr->in_ifname, ipn->in_ifname, sizeof(ipn->in_ifname));
ipn->in_p = IPPROTO_ESP;
bcopy((char *)fin, (char *)&fi, sizeof(fi));
fi.fin_fi.fi_p = IPPROTO_ESP;
fi.fin_fr = &ipsecfr;
fi.fin_data[0] = 0;
fi.fin_data[1] = 0;
p = ip->ip_p;
ip->ip_p = IPPROTO_ESP;
fi.fin_fl &= ~FI_TCPUDP;
ptr = ipsec_buffer;
bcopy(ptr, ipsec->ipsc_icookie, sizeof(ipsec_cookie_t));
ptr += sizeof(ipsec_cookie_t);
bcopy(ptr, ipsec->ipsc_rcookie, sizeof(ipsec_cookie_t));
/*
* The responder cookie should only be non-zero if the initiator
* cookie is non-zero. Therefore, it is safe to assume(!) that the
* cookies are both set after copying if the responder is non-zero.
*/
if ((ipsec->ipsc_rcookie[0]|ipsec->ipsc_rcookie[1]) != 0)
ipsec->ipsc_rckset = 1;
else
nat->nat_age = 60; /* 30 seconds */
ipsec->ipsc_nat = nat_new(&fi, ip, ipn, &ipsec->ipsc_nat, FI_IGNOREPKT,
NAT_OUTBOUND);
if (ipsec->ipsc_nat != NULL) {
fi.fin_data[0] = 0;
fi.fin_data[1] = 0;
ipsec->ipsc_state = fr_addstate(ip, &fi, &ipsec->ipsc_state,
FI_IGNOREPKT|FI_NORULE);
}
ip->ip_p = p;
return 0;
}
/*
* For outgoing IKE packets. refresh timeouts for NAT & stat entries, if
* we can. If they have disappeared, recreate them.
*/
int ippr_ipsec_out(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
ipsec_pxy_t *ipsec;
fr_info_t fi;
int p;
bcopy((char *)fin, (char *)&fi, sizeof(fi));
fi.fin_fi.fi_p = IPPROTO_ESP;
fi.fin_fr = &ipsecfr;
fi.fin_data[0] = 0;
fi.fin_data[1] = 0;
p = ip->ip_p;
ip->ip_p = IPPROTO_ESP;
fi.fin_fl &= ~FI_TCPUDP;
ipsec = aps->aps_data;
if (ipsec != NULL) {
/*
* Update NAT timeout/create NAT if missing.
*/
if (ipsec->ipsc_rckset == 0)
nat->nat_age = 60; /* 30 seconds */
if (ipsec->ipsc_nat != NULL)
ipsec->ipsc_nat->nat_age = nat->nat_age;
else
ipsec->ipsc_nat = nat_new(&fi, ip, &ipsec->ipsc_rule,
&ipsec->ipsc_nat,
FI_IGNOREPKT, NAT_OUTBOUND);
/*
* Update state timeout/create state if missing.
*/
READ_ENTER(&ipf_state);
if (ipsec->ipsc_state != NULL) {
ipsec->ipsc_state->is_age = nat->nat_age;
RWLOCK_EXIT(&ipf_state);
} else {
RWLOCK_EXIT(&ipf_state);
fi.fin_data[0] = 0;
fi.fin_data[1] = 0;
ipsec->ipsc_state = fr_addstate(ip, &fi,
&ipsec->ipsc_state,
FI_IGNOREPKT|FI_NORULE);
}
}
ip->ip_p = p;
return 0;
}
/*
* This extends the NAT matching to be based on the cookies associated with
* a session and found at the front of IKE packets. The cookies are always
* in the same order (not reversed depending on packet flow direction as with
* UDP/TCP port numbers).
*/
int ippr_ipsec_match(fin, aps, nat)
fr_info_t *fin;
ap_session_t *aps;
nat_t *nat;
{
ipsec_pxy_t *ipsec;
u_32_t cookies[4];
mb_t *m;
int off;
if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_fl & FI_FRAG))
return -1;
ipsec = aps->aps_data;
off = fin->fin_hlen + sizeof(udphdr_t);
#ifdef _KERNEL
# if SOLARIS
m = fin->fin_qfm;
copyout_mblk(m, off, sizeof(cookies), (char *)cookies);
# else
m = *(mb_t **)fin->fin_mp;
m_copydata(m, off, sizeof(cookies), (char *)cookies);
# endif
#else
m = *(mb_t **)fin->fin_mp;
bcopy((char *)m + off, cookies, sizeof(cookies));
#endif
if ((cookies[0] != ipsec->ipsc_icookie[0]) ||
(cookies[1] != ipsec->ipsc_icookie[1]))
return -1;
if (ipsec->ipsc_rckset == 0) {
if ((cookies[2]|cookies[3]) == 0) {
nat->nat_age = 60; /* 30 seconds */
return 0;
}
ipsec->ipsc_rckset = 1;
ipsec->ipsc_rcookie[0] = cookies[2];
ipsec->ipsc_rcookie[1] = cookies[3];
return 0;
}
if ((cookies[2] != ipsec->ipsc_rcookie[0]) ||
(cookies[3] != ipsec->ipsc_rcookie[1]))
return -1;
return 0;
}
/*
* clean up after ourselves.
*/
void ippr_ipsec_del(aps)
ap_session_t *aps;
{
ipsec_pxy_t *ipsec;
ipsec = aps->aps_data;
if (ipsec != NULL) {
/*
* Don't delete it from here, just schedule it to be
* deleted ASAP.
*/
if (ipsec->ipsc_nat != NULL) {
ipsec->ipsc_nat->nat_age = 1;
ipsec->ipsc_nat->nat_ptr = NULL;
}
READ_ENTER(&ipf_state);
if (ipsec->ipsc_state != NULL)
ipsec->ipsc_state->is_age = 1;
RWLOCK_EXIT(&ipf_state);
ipsec->ipsc_state = NULL;
ipsec->ipsc_nat = NULL;
}
}

109
sys/contrib/ipfilter/netinet/ip_netbios_pxy.c Normal file
View File

@ -0,0 +1,109 @@
/*
* Simple netbios-dgm transparent proxy for in-kernel use.
* For use with the NAT code.
* $Id: ip_netbios_pxy.c,v 1.1.2.3 2002/01/09 09:28:37 darrenr Exp $
*/
/*-
* Copyright (c) 2002 Paul J. Ledbetter III
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: ip_netbios_pxy.c,v 1.1.2.3 2002/01/09 09:28:37 darrenr Exp $
*/
#define IPF_NETBIOS_PROXY
int ippr_netbios_init __P((void));
int ippr_netbios_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
static frentry_t netbiosfr;
/*
* Initialize local structures.
*/
int ippr_netbios_init()
{
bzero((char *)&netbiosfr, sizeof(netbiosfr));
netbiosfr.fr_ref = 1;
netbiosfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
return 0;
}
int ippr_netbios_out(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
char dgmbuf[6];
int off, dlen;
udphdr_t *udp;
mb_t *m;
m = *(mb_t **)fin->fin_mp;
off = fin->fin_hlen + sizeof(udphdr_t);
#if SOLARIS
dlen = msgdsize(m);
#else
dlen = mbufchainlen(m);
#endif
dlen -= off;
/*
* no net bios datagram could possibly be shorter than this
*/
if (dlen < 11)
return 0;
udp = (udphdr_t *)fin->fin_dp;
/*
* move past the
* ip header;
* udp header;
* 4 bytes into the net bios dgm header.
* According to rfc1002, this should be the exact location of
* the source address/port
*/
off += 4;
/* Copy NATed source Address/port*/
dgmbuf[0] = (char)((ip->ip_src.s_addr ) &0xFF);
dgmbuf[1] = (char)((ip->ip_src.s_addr >> 8) &0xFF);
dgmbuf[2] = (char)((ip->ip_src.s_addr >> 16)&0xFF);
dgmbuf[3] = (char)((ip->ip_src.s_addr >> 24)&0xFF);
dgmbuf[4] = (char)((udp->uh_sport )&0xFF);
dgmbuf[5] = (char)((udp->uh_sport >> 8)&0xFF);
/* replace data in packet */
#if SOLARIS
copyin_mblk(m, off, sizeof(dgmbuf), dgmbuf);
#else
m_copyback(m, off, sizeof(dgmbuf), dgmbuf);
#endif
return 0;
}