41edb306f0
Through fixes and improvements our ipfilter sources have diverged enough to warrant move from contrib into sbin/ipf. Now that I'm planning on implementing MSS clamping as in iptables it makes more sense to move ipfilter to sbin. This is the second of three commits of the ipfilter move. Suggested by glebius on two occaions. Suggested by and discussed with: glebius Reviewed by: glebius, kp (for #network) MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D33510
195 lines
3.9 KiB
C
195 lines
3.9 KiB
C
/* $FreeBSD$ */
|
|
|
|
/*
|
|
* Copyright (C) 2012 by Darren Reed.
|
|
*
|
|
* See the IPFILTER.LICENCE file for details on licencing.
|
|
*
|
|
*/
|
|
#if !defined(lint)
|
|
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
|
|
static const char rcsid[] = "@(#)$Id$";
|
|
#endif
|
|
#include <sys/param.h>
|
|
#include <sys/types.h>
|
|
#include <sys/time.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
#include <netinet/in_systm.h>
|
|
#include <netinet/ip.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
#include <netinet/ip_var.h>
|
|
#include <netinet/tcp.h>
|
|
#include <arpa/inet.h>
|
|
#include "ipsend.h"
|
|
|
|
|
|
#ifndef __P
|
|
# define __P(x) x
|
|
#endif
|
|
|
|
|
|
struct ipopt_names ionames[] = {
|
|
{ IPOPT_EOL, 0x01, 1, "eol" },
|
|
{ IPOPT_NOP, 0x02, 1, "nop" },
|
|
{ IPOPT_RR, 0x04, 3, "rr" }, /* 1 route */
|
|
{ IPOPT_TS, 0x08, 8, "ts" }, /* 1 TS */
|
|
{ IPOPT_SECURITY, 0x08, 11, "sec-level" },
|
|
{ IPOPT_LSRR, 0x10, 7, "lsrr" }, /* 1 route */
|
|
{ IPOPT_SATID, 0x20, 4, "satid" },
|
|
{ IPOPT_SSRR, 0x40, 7, "ssrr" }, /* 1 route */
|
|
{ 0, 0, 0, NULL } /* must be last */
|
|
};
|
|
|
|
struct ipopt_names secnames[] = {
|
|
{ IPOPT_SECUR_UNCLASS, 0x0100, 0, "unclass" },
|
|
{ IPOPT_SECUR_CONFID, 0x0200, 0, "confid" },
|
|
{ IPOPT_SECUR_EFTO, 0x0400, 0, "efto" },
|
|
{ IPOPT_SECUR_MMMM, 0x0800, 0, "mmmm" },
|
|
{ IPOPT_SECUR_RESTR, 0x1000, 0, "restr" },
|
|
{ IPOPT_SECUR_SECRET, 0x2000, 0, "secret" },
|
|
{ IPOPT_SECUR_TOPSECRET, 0x4000,0, "topsecret" },
|
|
{ 0, 0, 0, NULL } /* must be last */
|
|
};
|
|
|
|
|
|
u_short ipseclevel(slevel)
|
|
char *slevel;
|
|
{
|
|
struct ipopt_names *so;
|
|
|
|
for (so = secnames; so->on_name; so++)
|
|
if (!strcasecmp(slevel, so->on_name))
|
|
break;
|
|
|
|
if (!so->on_name) {
|
|
fprintf(stderr, "no such security level: %s\n", slevel);
|
|
return 0;
|
|
}
|
|
return so->on_value;
|
|
}
|
|
|
|
|
|
int addipopt(op, io, len, class)
|
|
char *op;
|
|
struct ipopt_names *io;
|
|
int len;
|
|
char *class;
|
|
{
|
|
struct in_addr ipadr;
|
|
int olen = len, srr = 0;
|
|
u_short val;
|
|
u_char lvl;
|
|
char *s = op, *t;
|
|
|
|
if ((len + io->on_siz) > 48) {
|
|
fprintf(stderr, "options too long\n");
|
|
return 0;
|
|
}
|
|
len += io->on_siz;
|
|
*op++ = io->on_value;
|
|
if (io->on_siz > 1) {
|
|
/*
|
|
* Allow option to specify RR buffer length in bytes.
|
|
*/
|
|
if (io->on_value == IPOPT_RR) {
|
|
val = (class && *class) ? atoi(class) : 4;
|
|
*op++ = val + io->on_siz;
|
|
len += val;
|
|
} else
|
|
*op++ = io->on_siz;
|
|
if (io->on_value == IPOPT_TS)
|
|
*op++ = IPOPT_MINOFF + 1;
|
|
else
|
|
*op++ = IPOPT_MINOFF;
|
|
|
|
while (class && *class) {
|
|
t = NULL;
|
|
switch (io->on_value)
|
|
{
|
|
case IPOPT_SECURITY :
|
|
lvl = ipseclevel(class);
|
|
*(op - 1) = lvl;
|
|
break;
|
|
case IPOPT_LSRR :
|
|
case IPOPT_SSRR :
|
|
if ((t = strchr(class, ',')))
|
|
*t = '\0';
|
|
ipadr.s_addr = inet_addr(class);
|
|
srr++;
|
|
bcopy((char *)&ipadr, op, sizeof(ipadr));
|
|
op += sizeof(ipadr);
|
|
break;
|
|
case IPOPT_SATID :
|
|
val = atoi(class);
|
|
bcopy((char *)&val, op, 2);
|
|
break;
|
|
}
|
|
|
|
if (t)
|
|
*t++ = ',';
|
|
class = t;
|
|
}
|
|
if (srr)
|
|
s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4 * srr;
|
|
if (io->on_value == IPOPT_RR)
|
|
op += val;
|
|
else
|
|
op += io->on_siz - 3;
|
|
}
|
|
return len - olen;
|
|
}
|
|
|
|
|
|
u_32_t buildopts(cp, op, len)
|
|
char *cp, *op;
|
|
int len;
|
|
{
|
|
struct ipopt_names *io;
|
|
u_32_t msk = 0;
|
|
char *s, *t;
|
|
int inc, lastop = -1;
|
|
|
|
for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
|
|
if ((t = strchr(s, '=')))
|
|
*t++ = '\0';
|
|
for (io = ionames; io->on_name; io++) {
|
|
if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
|
|
continue;
|
|
lastop = io->on_value;
|
|
if ((inc = addipopt(op, io, len, t))) {
|
|
op += inc;
|
|
len += inc;
|
|
}
|
|
msk |= io->on_bit;
|
|
break;
|
|
}
|
|
if (!io->on_name) {
|
|
fprintf(stderr, "unknown IP option name %s\n", s);
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
if (len & 3) {
|
|
while (len & 3) {
|
|
*op++ = ((len & 3) == 3) ? IPOPT_EOL : IPOPT_NOP;
|
|
len++;
|
|
}
|
|
} else {
|
|
if (lastop != IPOPT_EOL) {
|
|
if (lastop == IPOPT_NOP)
|
|
*(op - 1) = IPOPT_EOL;
|
|
else {
|
|
*op++ = IPOPT_NOP;
|
|
*op++ = IPOPT_NOP;
|
|
*op++ = IPOPT_NOP;
|
|
*op = IPOPT_EOL;
|
|
len += 4;
|
|
}
|
|
}
|
|
}
|
|
return len;
|
|
}
|