diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c
index de776f9fc5c8..9f953614e42d 100644
--- a/sys/netinet/fil.c
+++ b/sys/netinet/fil.c
@@ -7,7 +7,7 @@
 */
 #if !defined(lint) && defined(LIBC_SCCS)
 static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: fil.c,v 2.0.1.4 1997/02/04 13:59:41 darrenr Exp $";
+static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $";
 #endif
 #include
@@ -97,10 +97,19 @@ extern int ipl_unreach, ipllog();
 # endif
 #endif
+#ifndef IPF_LOGGING
+#define IPF_LOGGING 0
+#endif
+#ifdef IPF_DEFAULT_PASS
+#define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH)
+#else
+#define IPF_NOMATCH (FR_NOMATCH)
+#endif
+
 struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
 struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
 *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
-int fr_flags = 0, fr_active = 0;
+int fr_flags = IPF_LOGGING, fr_active = 0;
 fr_info_t frcache[2];
@@ -573,16 +582,12 @@ int out;
 frstats[out].fr_chit++;
 pass = fin->fin_fr->fr_flags;
 } else {
- pass = FR_NOMATCH;
+ pass = IPF_NOMATCH;
 if ((fin->fin_fr = ipfilter[out][fr_active]))
- pass = FR_SCANLIST(FR_NOMATCH, ip, fin, m);
+ pass = FR_SCANLIST(IPF_NOMATCH, ip, fin, m);
 bcopy((char *)fin, (char *)fc, FI_CSIZE);
- if (pass & FR_NOMATCH) {
+ if (pass & FR_NOMATCH)
 frstats[out].fr_nom++;
-#ifdef NOMATCH
- pass |= NOMATCH;
-#endif
- }
 }
 fr = fin->fin_fr;
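Review bot: `IPF_NOMATCH` in the @@ -97 hunk is what a packet matching no rule ends up with, and nothing says what `IPF_DEFAULT_PASS` is expected to carry, so a build that defines it to something like `FR_PASS` makes the filter fail-open with no trace in the source. The macro deserves a comment at its definition, e.g. `/* verdict for packets matching no rule; a build-time IPF_DEFAULT_PASS ORs in the pass/block bits, i.e. this is the fail-open/fail-closed default */`. `IPF_LOGGING` has the same gap: it becomes the initial value of `fr_flags` without stating which flag bits it may hold. The later `pass = IPF_NOMATCH` in the @@ -573 hunk inherits whatever this header decides, which is why the decision should be documented where it is made.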
@@ -651,34 +656,40 @@ int out;
 /*
 * Should we return an ICMP packet to indicate error
 * status passing through the packet filter ?
+ * WARNING: ICMP error packets AND TCP RST packets should
+ * ONLY be sent in repsonse to incoming packets. Sending them
+ * in response to outbound packets can result in a panic on
+ * some operating systems.
 */
+ if (!out) {
 #ifdef _KERNEL
- if (pass & FR_RETICMP) {
+ if (pass & FR_RETICMP) {
 # if SOLARIS
- ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
- qif, ip->ip_src);
+ ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
+ qif, ip->ip_src);
 # else
- ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
- ifp, ip->ip_src);
- m = NULL; /* freed by icmp_error() */
+ ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
+ ifp, ip->ip_src);
+ m = *mp = NULL; /* freed by icmp_error() */
 # endif
- frstats[0].fr_ret++;
- } else if ((pass & FR_RETRST) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
- if (SEND_RESET(ip, qif, q) == 0)
- frstats[1].fr_ret++;
- }
+ frstats[0].fr_ret++;
+ } else if ((pass & FR_RETRST) &&
+ !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ if (SEND_RESET(ip, qif, q) == 0)
+ frstats[1].fr_ret++;
+ }
 #else
- if (pass & FR_RETICMP) {
- verbose("- ICMP unreachable sent\n");
- frstats[0].fr_ret++;
- } else if ((pass & FR_RETRST) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
- verbose("- TCP RST sent\n");
- frstats[1].fr_ret++;
- }
+ if (pass & FR_RETICMP) {
+ verbose("- ICMP unreachable sent\n");
+ frstats[0].fr_ret++;
+ } else if ((pass & FR_RETRST) &&
+ !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ verbose("- TCP RST sent\n");
+ frstats[1].fr_ret++;
+ }
 #endif
+ }
 }
 #ifdef _KERNEL
 # if !SOLARIS
@@ -691,7 +702,6 @@ int out;
 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
 ipfr_fastroute(m, fin, fdp);
 m = *mp = NULL;
- pass = 0;
 }
 if (mc)
 ipfr_fastroute(mc, fin, &fr->fr_dif);
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
index 7a244345640e..fec484670f4b 100644
--- a/sys/netinet/ip_fil.c
+++ b/sys/netinet/ip_fil.c
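Review bot: The `if (!out)` guard in the @@ -651 hunk turns `FR_RETICMP` and `FR_RETRST` into silent no-ops for outbound rules, and neither a counter nor the comment tells an operator why no ICMP or RST was generated; the comment only explains the panic risk. Suggest extending it with `* On the outbound path rules carrying FR_RETICMP/FR_RETRST are honoured as plain blocks; nothing is sent, counted or logged for them.` The added text also misspells `repsonse` (`response`). Note that `frstats[0]`/`frstats[1]` here index ICMP versus RST, while `frstats[out]` in the @@ -573 hunk indexes direction; a one-line comment next to the increments would prevent a reader from conflating the two. fr_check continues on both sides of this hunk.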
@@ -7,7 +7,7 @@
 */
 #if !defined(lint) && defined(LIBC_SCCS)
 static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.5 1997/01/29 13:41:45 darrenr Exp $";
+static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $";
 #endif
 #include
@@ -70,7 +70,7 @@ static int iplused = 0;
 #endif /* IPFILTER_LOG */
 static void frflush();
 static int frrequest();
-static int (*fr_savep)();
+static int (*fr_savep)() = NULL;
 #if _BSDI_VERSION >= 199501
 # include
@@ -732,6 +732,9 @@ frdest_t *fdp;
 dst = (struct sockaddr_in *)&ro->ro_dst;
 dst->sin_family = AF_INET;
 dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;
+#ifdef __bsdi__
+ dst->sin_len = sizeof(*dst);
+#endif
 #if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__)
 # ifdef RTF_CLONING
 rtalloc_ign(ro, RTF_CLONING);
@@ -780,7 +783,6 @@ frdest_t *fdp;
 #if BSD >= 199306
 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
 ro->ro_rt);
-
 #else
 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst);
 #endif
diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c
index 6665404b9830..7ed97ceb56fd 100644
--- a/sys/netinet/ip_frag.c
+++ b/sys/netinet/ip_frag.c
@@ -7,7 +7,7 @@
 */
 #if !defined(lint) && defined(LIBC_SCCS)
 static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $";
+static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp $";
 #endif
 #if !defined(_KERNEL) && !defined(KERNEL)
@@ -127,7 +127,6 @@ int pass;
 fr->ipfr_ttl = fr_ipfrttl;
 fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG);
 fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3);
- *fp = fr;
 ipfr_stats.ifs_new++;
 ipfr_inuse++;
 MUTEX_EXIT(&ipf_frag);
diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c
index afe9761bc093..ee59a6cda1dd 100644
--- a/sys/netinet/ip_nat.c
+++ b/sys/netinet/ip_nat.c
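Review bot: The `#ifdef __bsdi__` guard on the new `dst->sin_len = sizeof(*dst);` in the ip_fil.c @@ -732 hunk looks too narrow: every 4.4BSD-derived `struct sockaddr_in` has `sin_len`, and the radix route lookup reached through the `rtalloc_ign`/`rtalloc` calls that follow typically keys on that length, so on the other `BSD >= 199306` targets `ro_dst` is left with `sin_len == 0` unless something outside this hunk fills it in. Unless there is a platform-specific reason, `#if BSD >= 199306` is the safer guard; if there is one, a comment stating it would stop the next reader from widening it. The enclosing function starts and ends outside the hunk.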
@@ -9,7 +9,7 @@
 */
 #if !defined(lint) && defined(LIBC_SCCS)
 static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.10 1997/02/08 06:38:49 darrenr Exp $";
+static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp $";
 #endif
 #if !defined(_KERNEL) && !defined(KERNEL)
@@ -155,12 +155,13 @@ int cmd, mode;
 {
 register ipnat_t *nat, *n = NULL, **np = NULL;
 ipnat_t natd;
- int error = 0, ret;
+ int error = 0, ret, s;
 /*
 * For add/delete, look to see if the NAT entry is already present
 */
 MUTEX_ENTER(&ipf_nat);
+ SPLNET(s);
 if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
 IRCOPY(data, (char *)&natd, sizeof(natd));
 nat = &natd;
@@ -260,6 +261,7 @@ int cmd, mode;
 IWCOPY((caddr_t)&ret, data, sizeof(ret));
 break;
 }
+ SPLX(s);
 MUTEX_EXIT(&ipf_nat);
 return error;
 }
@@ -857,11 +859,13 @@ fr_info_t *fin;
 */
 void ip_natunload()
 {
- MUTEX_ENTER(&ipf_nat);
+ int s;
+ MUTEX_ENTER(&ipf_nat);
+ SPLNET(s);
 (void) clear_natlist();
 (void) flush_nattable();
-
+ SPLX(s)
 MUTEX_EXIT(&ipf_nat);
 }
@@ -873,14 +877,19 @@ void ip_natunload()
 void ip_natexpire()
 {
 register struct nat *nat, **natp;
+ int s;
 MUTEX_ENTER(&ipf_nat);
- for (natp = &nat_instances; (nat = *natp); natp = &nat->nat_next) {
- if (--nat->nat_age)
+ SPLNET(s);
+ for (natp = &nat_instances; (nat = *natp); ) {
+ if (--nat->nat_age) {
+ natp = &nat->nat_next;
 continue;
+ }
 *natp = nat->nat_next;
 nat_delete(nat);
 nat_stats.ns_expire++;
 }
+ SPLX(s);
 MUTEX_EXIT(&ipf_nat);
 }
diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c
index 62a49aa250ed..2643ce95a633 100644
--- a/sys/netinet/ip_state.c
+++ b/sys/netinet/ip_state.c
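Review bot: `SPLNET(s)` in the @@ -155 hunk now spans the whole body of nat_ioctl, including the `IRCOPY(data, …)` copy from user space and the entire switch, while the only matching `SPLX(s)` sits at the common exit in the @@ -261 hunk; any `return` inside the switch, which is outside both hunks, would leave the interrupt level raised. Worth confirming every arm reaches the common exit via `break`, and stating that contract in a comment next to `SPLNET(s);`, e.g. `/* every path below must fall through to SPLX(s) at the end */`. The function's switch body is not visible here.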
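Review bot: `+ SPLX(s)` in the ip_natunload hunk (@@ -857) is missing its terminating semicolon, unlike `SPLX(s);` in the nat_ioctl and ip_natexpire hunks of the same file. Whether it compiles depends on whether the SPLX macro supplies its own `;`; on a kernel build where it expands to a bare `splx(s)` call the line fuses with `MUTEX_EXIT(&ipf_nat);` and fails to compile, and on a build where it expands to nothing the omission goes unnoticed. It should read `SPLX(s);`.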
@@ -7,7 +7,7 @@
 */
 #if !defined(lint) && defined(LIBC_SCCS)
 static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_state.c,v 2.0.1.2 1997/01/09 15:22:45 darrenr Exp $";
+static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp $";
 #endif
 #if !defined(_KERNEL) && !defined(KERNEL)
@@ -411,13 +411,16 @@ void fr_stateunload()
 {
 register int i;
 register ipstate_t *is, **isp;
+ int s;
 MUTEX_ENTER(&ipf_state);
+ SPLNET(s);
 for (i = 0; i < IPSTATE_SIZE; i++)
 for (isp = &ips_table[i]; (is = *isp); ) {
 *isp = is->is_next;
 KFREE(is);
 }
+ SPLX(s);
 MUTEX_EXIT(&ipf_state);
 }
@@ -430,8 +433,10 @@ void fr_timeoutstate()
 {
 register int i;
 register ipstate_t *is, **isp;
+ int s;
 MUTEX_ENTER(&ipf_state);
+ SPLNET(s);
 for (i = 0; i < IPSTATE_SIZE; i++)
 for (isp = &ips_table[i]; (is = *isp); )
 if (is->is_age && !--is->is_age) {
@@ -444,6 +449,7 @@ void fr_timeoutstate()
 ips_num--;
 } else
 isp = &is->is_next;
+ SPLX(s);
 MUTEX_EXIT(&ipf_state);
 }
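Review bot: `SPLX(s);` in the @@ -444 hunk of fr_timeoutstate is placed after a brace-less `for`/`for`/`if … else` nest whose head is in the @@ -430 hunk, so the fact that it runs once after both loops rather than per bucket rests entirely on indentation, and nothing ties it visibly to the `SPLNET(s);` it balances. Bracing the outer loop (`for (i = 0; i < IPSTATE_SIZE; i++) {` … `}` immediately before `SPLX(s);`) makes the pairing explicit and protects it from a later edit to the `else` branch. fr_timeoutstate starts before this hunk; the same remark applies to the bucket loop in fr_stateunload in the @@ -411 hunk.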