d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Import ipfilter 3.1.8 kernel components

Browse Source
This commit is contained in:
peter 1997-03-02 15:50:35 +00:00
parent f0c7769b1f
commit 240550ea53
5 changed files with 68 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
sys/netinet/fil.c
View File

@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
static char rcsid[] = "$Id: fil.c,v 2.0.1.4 1997/02/04 13:59:41 darrenr Exp $";
static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $";
#endif
#include <sys/errno.h>
@ -97,10 +97,19 @@ extern int ipl_unreach, ipllog();
# endif
#endif
#ifndef IPF_LOGGING
#define IPF_LOGGING 0
#endif
#ifdef IPF_DEFAULT_PASS
#define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH)
#else
#define IPF_NOMATCH (FR_NOMATCH)
#endif
struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
*ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
int fr_flags = 0, fr_active = 0;
int fr_flags = IPF_LOGGING, fr_active = 0;
fr_info_t frcache[2];
@ -573,16 +582,12 @@ int out;
frstats[out].fr_chit++;
pass = fin->fin_fr->fr_flags;
} else {
pass = FR_NOMATCH;
pass = IPF_NOMATCH;
if ((fin->fin_fr = ipfilter[out][fr_active]))
pass = FR_SCANLIST(FR_NOMATCH, ip, fin, m);
pass = FR_SCANLIST(IPF_NOMATCH, ip, fin, m);
bcopy((char *)fin, (char *)fc, FI_CSIZE);
if (pass & FR_NOMATCH) {
if (pass & FR_NOMATCH)
frstats[out].fr_nom++;
#ifdef NOMATCH
pass |= NOMATCH;
#endif
}
}
fr = fin->fin_fr;
@ -651,34 +656,40 @@ int out;
/*
* Should we return an ICMP packet to indicate error
* status passing through the packet filter ?
* WARNING: ICMP error packets AND TCP RST packets should
* ONLY be sent in repsonse to incoming packets. Sending them
* in response to outbound packets can result in a panic on
* some operating systems.
*/
if (!out) {
#ifdef _KERNEL
if (pass & FR_RETICMP) {
if (pass & FR_RETICMP) {
# if SOLARIS
ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
qif, ip->ip_src);
ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
qif, ip->ip_src);
# else
ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
ifp, ip->ip_src);
m = NULL; /* freed by icmp_error() */
ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
ifp, ip->ip_src);
m = *mp = NULL; /* freed by icmp_error() */
# endif
frstats[0].fr_ret++;
} else if ((pass & FR_RETRST) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
if (SEND_RESET(ip, qif, q) == 0)
frstats[1].fr_ret++;
}
frstats[0].fr_ret++;
} else if ((pass & FR_RETRST) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
if (SEND_RESET(ip, qif, q) == 0)
frstats[1].fr_ret++;
}
#else
if (pass & FR_RETICMP) {
verbose("- ICMP unreachable sent\n");
frstats[0].fr_ret++;
} else if ((pass & FR_RETRST) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
verbose("- TCP RST sent\n");
frstats[1].fr_ret++;
}
if (pass & FR_RETICMP) {
verbose("- ICMP unreachable sent\n");
frstats[0].fr_ret++;
} else if ((pass & FR_RETRST) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
verbose("- TCP RST sent\n");
frstats[1].fr_ret++;
}
#endif
}
}
#ifdef _KERNEL
# if !SOLARIS
@ -691,7 +702,6 @@ int out;
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
ipfr_fastroute(m, fin, fdp);
m = *mp = NULL;
pass = 0;
}
if (mc)
ipfr_fastroute(mc, fin, &fr->fr_dif);

8
sys/netinet/ip_fil.c
View File

@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.5 1997/01/29 13:41:45 darrenr Exp $";
static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $";
#endif
#include <sys/errno.h>
@ -70,7 +70,7 @@ static int iplused = 0;
#endif /* IPFILTER_LOG */
static void frflush();
static int frrequest();
static int (*fr_savep)();
static int (*fr_savep)() = NULL;
#if _BSDI_VERSION >= 199501
# include <sys/device.h>
@ -732,6 +732,9 @@ frdest_t *fdp;
dst = (struct sockaddr_in *)&ro->ro_dst;
dst->sin_family = AF_INET;
dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;
#ifdef __bsdi__
dst->sin_len = sizeof(*dst);
#endif
#if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__)
# ifdef RTF_CLONING
rtalloc_ign(ro, RTF_CLONING);
@ -780,7 +783,6 @@ frdest_t *fdp;
#if BSD >= 199306
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
ro->ro_rt);
#else
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst);
#endif

3
sys/netinet/ip_frag.c
View File

@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $";
static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@ -127,7 +127,6 @@ int pass;
fr->ipfr_ttl = fr_ipfrttl;
fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG);
fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3);
*fp = fr;
ipfr_stats.ifs_new++;
ipfr_inuse++;
MUTEX_EXIT(&ipf_frag);

21
sys/netinet/ip_nat.c
View File

@ -9,7 +9,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.10 1997/02/08 06:38:49 darrenr Exp $";
static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@ -155,12 +155,13 @@ int cmd, mode;
{
register ipnat_t *nat, *n = NULL, **np = NULL;
ipnat_t natd;
int error = 0, ret;
int error = 0, ret, s;
/*
* For add/delete, look to see if the NAT entry is already present
*/
MUTEX_ENTER(&ipf_nat);
SPLNET(s);
if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
IRCOPY(data, (char *)&natd, sizeof(natd));
nat = &natd;
@ -260,6 +261,7 @@ int cmd, mode;
IWCOPY((caddr_t)&ret, data, sizeof(ret));
break;
}
SPLX(s);
MUTEX_EXIT(&ipf_nat);
return error;
}
@ -857,11 +859,13 @@ fr_info_t *fin;
*/
void ip_natunload()
{
MUTEX_ENTER(&ipf_nat);
int s;
MUTEX_ENTER(&ipf_nat);
SPLNET(s);
(void) clear_natlist();
(void) flush_nattable();
SPLX(s)
MUTEX_EXIT(&ipf_nat);
}
@ -873,14 +877,19 @@ void ip_natunload()
void ip_natexpire()
{
register struct nat *nat, **natp;
int s;
MUTEX_ENTER(&ipf_nat);
for (natp = &nat_instances; (nat = *natp); natp = &nat->nat_next) {
if (--nat->nat_age)
SPLNET(s);
for (natp = &nat_instances; (nat = *natp); ) {
if (--nat->nat_age) {
natp = &nat->nat_next;
continue;
}
*natp = nat->nat_next;
nat_delete(nat);
nat_stats.ns_expire++;
}
SPLX(s);
MUTEX_EXIT(&ipf_nat);
}

8
sys/netinet/ip_state.c
View File

@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
static char rcsid[] = "$Id: ip_state.c,v 2.0.1.2 1997/01/09 15:22:45 darrenr Exp $";
static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@ -411,13 +411,16 @@ void fr_stateunload()
{
register int i;
register ipstate_t *is, **isp;
int s;
MUTEX_ENTER(&ipf_state);
SPLNET(s);
for (i = 0; i < IPSTATE_SIZE; i++)
for (isp = &ips_table[i]; (is = *isp); ) {
*isp = is->is_next;
KFREE(is);
}
SPLX(s);
MUTEX_EXIT(&ipf_state);
}
@ -430,8 +433,10 @@ void fr_timeoutstate()
{
register int i;
register ipstate_t *is, **isp;
int s;
MUTEX_ENTER(&ipf_state);
SPLNET(s);
for (i = 0; i < IPSTATE_SIZE; i++)
for (isp = &ips_table[i]; (is = *isp); )
if (is->is_age && !--is->is_age) {
@ -444,6 +449,7 @@ void fr_timeoutstate()
ips_num--;
} else
isp = &is->is_next;
SPLX(s);
MUTEX_EXIT(&ipf_state);
}