Bring over ipfilter v3_3_8 kernel sources, including merging the
local modifications. Also fix initializing fr_running in KLD case. Rename ipl_inited to fr_running in mlfk_ipl. Approved by: jkh
parent
0af99ab61a
commit
2fb4ae435f
@ -7,8 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
|
||||
/*static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.14 1999/12/07 12:53:40 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/errno.h>
|
||||
@ -20,10 +19,8 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
defined(_KERNEL)
|
||||
# include "opt_ipfilter_log.h"
|
||||
#endif
|
||||
#if ((defined(KERNEL) && defined(__FreeBSD_version) && \
|
||||
(__FreeBSD_version >= 220000)) || \
|
||||
(defined(_KERNEL) && defined(__FreeBSD_version) && \
|
||||
(__FreeBSD_version >= 40013)))
|
||||
#if defined(_KERNEL) && defined(__FreeBSD_version) && \
|
||||
(__FreeBSD_version >= 220000)
|
||||
# include <sys/filio.h>
|
||||
# include <sys/fcntl.h>
|
||||
#else
|
||||
@ -248,6 +245,12 @@ fr_info_t *fin;
|
||||
if (!off && (icmp->icmp_type == ICMP_ECHOREPLY ||
|
||||
icmp->icmp_type == ICMP_ECHO))
|
||||
minicmpsz = ICMP_MINLEN;
|
||||
if (!off && (icmp->icmp_type == ICMP_TSTAMP ||
|
||||
icmp->icmp_type == ICMP_TSTAMPREPLY))
|
||||
minicmpsz = 20; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */
|
||||
if (!off && (icmp->icmp_type == ICMP_MASKREQ ||
|
||||
icmp->icmp_type == ICMP_MASKREPLY))
|
||||
minicmpsz = 12; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */
|
||||
if ((!(ip->ip_len >= hlen + minicmpsz) && !off) ||
|
||||
(off && off < sizeof(struct icmp)))
|
||||
fi->fi_fl |= FI_SHORT;
|
||||
@ -691,6 +694,9 @@ int out;
|
||||
|
||||
READ_ENTER(&ipf_mutex);
|
||||
|
||||
if (fin->fin_fi.fi_fl & FI_SHORT)
|
||||
ATOMIC_INC(frstats[out].fr_short);
|
||||
|
||||
/*
|
||||
* Check auth now. This, combined with the check below to see if apass
|
||||
* is 0 is to ensure that we don't count the packet twice, which can
|
||||
@ -1181,7 +1187,7 @@ tcphdr_t *tcp;
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
|
||||
* $Id: fil.c,v 2.3.2.14 1999/12/07 12:53:40 darrenr Exp $
|
||||
* $Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $
|
||||
*/
|
||||
/*
|
||||
* Copy data from an mbuf chain starting "off" bytes from the beginning,
|
||||
@ -1582,7 +1588,10 @@ void frsync()
|
||||
# else
|
||||
for (ifp = ifnet; ifp; ifp = ifp->if_next)
|
||||
# endif
|
||||
{
|
||||
ip_natsync(ifp);
|
||||
ip_statesync(ifp);
|
||||
}
|
||||
# endif
|
||||
|
||||
WRITE_ENTER(&ipf_mutex);
|
||||
|
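Review bot: The two new minimum-size cases in the fil.c hunk @ -248,6 +245,12 (context `fr_info_t *fin;`, presumably fr_makefrip) each repeat the `!off &&` test in a separate `if`, and the final length test is spelled `!(ip->ip_len >= hlen + minicmpsz)`; one `if (!off)` around a `switch` on `icmp->icmp_type`, with the test written as `<`, says the same thing with less to misread. The minima 20 and 12 are already explained by their trailing comments, so those should stay on the case labels. The enclosing function starts and ends outside the hunk.
```c
/* … unchanged: icmp header setup and minicmpsz default … */
if (!off) {
	switch (icmp->icmp_type) {
	case ICMP_ECHO :
	case ICMP_ECHOREPLY :
		minicmpsz = ICMP_MINLEN;
		break;
	case ICMP_TSTAMP :
	case ICMP_TSTAMPREPLY :
		minicmpsz = 20; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */
		break;
	case ICMP_MASKREQ :
	case ICMP_MASKREPLY :
		minicmpsz = 12; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */
		break;
	default :
		break;
	}
}
if ((!off && ip->ip_len < hlen + minicmpsz) ||
    (off && off < sizeof(struct icmp)))
	fi->fi_fl |= FI_SHORT;
```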
@ -6,8 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint)
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.1 1999/09/28 11:44:04 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.2 2000/01/16 10:12:14 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/errno.h>
|
||||
@ -20,8 +19,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <stdlib.h>
|
||||
# include <string.h>
|
||||
#endif
|
||||
#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \
|
||||
(defined(_KERNEL) && (__FreeBSD_version >= 40013)))
|
||||
#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
|
||||
# include <sys/filio.h>
|
||||
# include <sys/fcntl.h>
|
||||
#else
|
||||
@ -32,7 +30,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <sys/protosw.h>
|
||||
#endif
|
||||
#include <sys/socket.h>
|
||||
#if defined(_KERNEL) && !defined(linux)
|
||||
#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
|
||||
# include <sys/systm.h>
|
||||
#endif
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
@ -398,7 +396,7 @@ frentry_t *fr, **frptr;
|
||||
# if SOLARIS
|
||||
error = fr_qout(fr_auth[i].fra_q, m);
|
||||
# else /* SOLARIS */
|
||||
# if _BSDI_VERSION >= 199802
|
||||
# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__)
|
||||
error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
|
||||
NULL);
|
||||
# else
|
||||
|
@ -6,7 +6,6 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* $Id: ip_auth.h,v 2.1 1999/08/04 17:29:54 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
*
|
||||
*/
|
||||
#ifndef __IP_AUTH_H__
|
||||
|
@ -7,7 +7,6 @@
|
||||
*
|
||||
* @(#)ip_compat.h 1.8 1/14/96
|
||||
* $Id: ip_compat.h,v 2.1.2.3 1999/11/18 13:55:26 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#ifndef __IP_COMPAT_H__
|
||||
|
@ -7,8 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.14 1999/12/11 05:31:08 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.16 2000/01/16 10:12:42 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#ifndef SOLARIS
|
||||
@ -127,7 +126,6 @@ extern int tcp_ttl;
|
||||
# endif
|
||||
#endif
|
||||
|
||||
int ipl_inited = 0;
|
||||
int ipl_unreach = ICMP_UNREACH_FILTER;
|
||||
u_long ipl_frouteok[2] = {0, 0};
|
||||
|
||||
@ -159,11 +157,7 @@ static int write_output __P((struct ifnet *, struct mbuf *,
|
||||
struct sockaddr *, struct rtentry *));
|
||||
# endif
|
||||
#endif
|
||||
#if defined(IPFILTER_LKM)
|
||||
int fr_running = 1;
|
||||
#else
|
||||
int fr_running = 0;
|
||||
#endif
|
||||
|
||||
#if (__FreeBSD_version >= 300000) && defined(_KERNEL)
|
||||
struct callout_handle ipfr_slowtimer_ch;
|
||||
@ -231,7 +225,7 @@ int iplattach()
|
||||
# endif
|
||||
|
||||
SPL_NET(s);
|
||||
if (ipl_inited || (fr_checkp == fr_check)) {
|
||||
if (fr_running || (fr_checkp == fr_check)) {
|
||||
printf("IP Filter: already initialized\n");
|
||||
SPL_X(s);
|
||||
return EBUSY;
|
||||
@ -259,7 +253,6 @@ int iplattach()
|
||||
}
|
||||
# endif
|
||||
|
||||
ipl_inited = 1;
|
||||
bzero((char *)frcache, sizeof(frcache));
|
||||
fr_savep = fr_checkp;
|
||||
fr_checkp = fr_check;
|
||||
@ -287,6 +280,7 @@ int iplattach()
|
||||
timeout(ipfr_slowtimer, NULL, hz/2);
|
||||
# endif
|
||||
#endif
|
||||
fr_running = 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -311,18 +305,16 @@ int ipldetach()
|
||||
# endif
|
||||
#endif
|
||||
SPL_NET(s);
|
||||
if (!ipl_inited)
|
||||
if (!fr_running)
|
||||
{
|
||||
printf("IP Filter: not initialized\n");
|
||||
SPL_X(s);
|
||||
return 0;
|
||||
}
|
||||
|
||||
printf("IP Filter: unloaded\n");
|
||||
|
||||
fr_checkp = fr_savep;
|
||||
i = frflush(IPL_LOGIPF, i);
|
||||
ipl_inited = 0;
|
||||
fr_running = 0;
|
||||
|
||||
# ifdef NETBSD_PF
|
||||
pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
|
||||
@ -415,11 +407,15 @@ int mode;
|
||||
SPL_NET(s);
|
||||
|
||||
if (unit == IPL_LOGNAT) {
|
||||
if (!fr_running)
|
||||
return EIO;
|
||||
error = nat_ioctl(data, cmd, mode);
|
||||
SPL_X(s);
|
||||
return error;
|
||||
}
|
||||
if (unit == IPL_LOGSTATE) {
|
||||
if (!fr_running)
|
||||
return EIO;
|
||||
error = fr_state_ioctl(data, cmd, mode);
|
||||
SPL_X(s);
|
||||
return error;
|
||||
@ -440,15 +436,10 @@ int mode;
|
||||
error = EPERM;
|
||||
else {
|
||||
IRCOPY(data, (caddr_t)&enable, sizeof(enable));
|
||||
if (enable) {
|
||||
if (enable)
|
||||
error = iplattach();
|
||||
if (error == 0)
|
||||
fr_running = 1;
|
||||
} else {
|
||||
else
|
||||
error = ipldetach();
|
||||
if (error == 0)
|
||||
fr_running = 0;
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
||||
@ -705,13 +696,15 @@ caddr_t data;
|
||||
}
|
||||
|
||||
if (!f) {
|
||||
if (req != SIOCINAFR || req != SIOCINIFR)
|
||||
if (req != SIOCINAFR && req != SIOCINIFR)
|
||||
while ((f = *ftail))
|
||||
ftail = &f->fr_next;
|
||||
else {
|
||||
if (fp->fr_hits)
|
||||
if (fp->fr_hits) {
|
||||
ftail = fprev;
|
||||
while (--fp->fr_hits && (f = *ftail))
|
||||
ftail = &f->fr_next;
|
||||
}
|
||||
f = NULL;
|
||||
}
|
||||
}
|
||||
@ -947,7 +940,11 @@ ip_t *ip;
|
||||
# if _BSDI_VERSION >= 199802
|
||||
return ip_output(m, (struct mbuf *)0, &ro, 0, 0, NULL);
|
||||
# else
|
||||
# if defined(__OpenBSD__)
|
||||
return ip_output(m, (struct mbuf *)0, 0, 0, 0, NULL);
|
||||
# else
|
||||
return ip_output(m, (struct mbuf *)0, 0, 0, 0);
|
||||
# endif
|
||||
# endif
|
||||
# endif
|
||||
}
|
||||
|
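Review bot: The two new `if (!fr_running) return EIO;` guards in the ip_fil.c hunk @ -415,11 +407,15 return after `SPL_NET(s)` has been raised on the line above without the matching `SPL_X(s)`, whereas the existing returns in the same IPL_LOGNAT and IPL_LOGSTATE branches restore it first; on platforms where SPL_NET is not an empty macro this leaves the caller at a raised priority level. Change each guard to `if (!fr_running) { SPL_X(s); return EIO; }`. The enclosing ioctl handler starts and ends outside the hunk.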
@ -6,8 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_fil.h 1.35 6/5/96
|
||||
* $Id: ip_fil.h,v 2.3.2.6 1999/12/17 12:58:16 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
* $Id: ip_fil.h,v 2.3.2.7 2000/01/27 08:49:41 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IP_FIL_H__
|
||||
@ -83,8 +82,8 @@
|
||||
#define SIOCINSFR SIOCINAFR
|
||||
|
||||
typedef struct fr_ip {
|
||||
u_int fi_v:4; /* IP version */
|
||||
u_int fi_fl:4; /* packet flags */
|
||||
u_char fi_v:4; /* IP version */
|
||||
u_char fi_fl:4; /* packet flags */
|
||||
u_char fi_tos; /* IP packet TOS */
|
||||
u_char fi_ttl; /* IP packet TTL */
|
||||
u_char fi_p; /* IP packet protocol */
|
||||
@ -272,6 +271,7 @@ typedef struct filterstats {
|
||||
u_long fr_pass; /* packets allowed */
|
||||
u_long fr_block; /* packets denied */
|
||||
u_long fr_nom; /* packets which don't match any rule */
|
||||
u_long fr_short; /* packets which are short */
|
||||
u_long fr_ppkl; /* packets allowed and logged */
|
||||
u_long fr_bpkl; /* packets denied and logged */
|
||||
u_long fr_npkl; /* packets unmatched and logged */
|
||||
@ -427,7 +427,6 @@ typedef struct ipflog {
|
||||
|
||||
|
||||
#ifndef _KERNEL
|
||||
struct ifnet;
|
||||
extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
|
||||
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
|
||||
extern int send_reset __P((ip_t *, struct ifnet *));
|
||||
@ -554,7 +553,7 @@ extern void fr_makefrip __P((int, ip_t *, fr_info_t *));
|
||||
extern int fr_ifpaddr __P((void *, struct in_addr *));
|
||||
extern char *memstr __P((char *, char *, int, int));
|
||||
extern int ipl_unreach;
|
||||
extern int ipl_inited;
|
||||
extern int fr_running;
|
||||
extern u_long ipl_frouteok[2];
|
||||
extern int fr_pass;
|
||||
extern int fr_flags;
|
||||
|
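Review bot: `u_char fi_v:4;` and `u_char fi_fl:4;` in the ip_fil.h fr_ip hunk @ -83,8 +82,8 rely on a compiler extension — ISO C only requires bit-fields of `int`, `signed int`, `unsigned int` (and `_Bool`); GCC accepts `u_char` bit-fields, but that deserves a note on the lines. The change also alters the layout of `struct fr_ip` (on the usual ABIs the two 4-bit fields now share a one-byte unit instead of a four-byte one), and the same section inserts `fr_short` in the middle of `struct filterstats`, so userland tools that exchange these structures over the ioctl interface must be rebuilt against the new header. Suggested comment for the bit-field lines: `/* u_char bit-fields are a compiler extension; layout is shared with userland */`.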
@ -7,8 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if defined(KERNEL) && !defined(_KERNEL)
|
||||
@ -25,8 +24,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <string.h>
|
||||
# include <stdlib.h>
|
||||
#endif
|
||||
#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \
|
||||
(defined(_KERNEL) && (__FreeBSD_version >= 40013)))
|
||||
#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
|
||||
# include <sys/filio.h>
|
||||
# include <sys/fcntl.h>
|
||||
#else
|
||||
|
@ -7,7 +7,6 @@
|
||||
*
|
||||
* @(#)ip_frag.h 1.5 3/24/96
|
||||
* $Id: ip_frag.h,v 2.2 1999/08/06 06:26:38 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#ifndef __IP_FRAG_H__
|
||||
|
@ -1,7 +1,6 @@
|
||||
/*
|
||||
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
|
||||
* code.
|
||||
* $FreeBSD$
|
||||
*/
|
||||
#if SOLARIS && defined(_KERNEL)
|
||||
extern kmutex_t ipf_rw;
|
||||
|
@ -6,7 +6,6 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* $Id: ip_log.c,v 2.1.2.2 1999/09/21 11:55:44 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
*/
|
||||
#include <sys/param.h>
|
||||
#if defined(KERNEL) && !defined(_KERNEL)
|
||||
@ -16,7 +15,7 @@
|
||||
# include "opt_ipfilter_log.h"
|
||||
#endif
|
||||
#ifdef __FreeBSD__
|
||||
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
|
||||
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
|
||||
# if !defined(__FreeBSD_version)
|
||||
# include <sys/osreldate.h>
|
||||
# endif
|
||||
|
@ -9,8 +9,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.11 1999/12/17 13:05:40 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.12 2000/01/24 12:43:40 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
|
||||
@ -31,8 +30,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <string.h>
|
||||
# include <stdlib.h>
|
||||
#endif
|
||||
#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \
|
||||
(defined(_KERNEL) && (__FreeBSD_version >= 40013)))
|
||||
#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
|
||||
# include <sys/filio.h>
|
||||
# include <sys/fcntl.h>
|
||||
#else
|
||||
@ -728,12 +726,22 @@ int direction;
|
||||
port = 0;
|
||||
in.s_addr = np->in_nip;
|
||||
if (l == 0) {
|
||||
/*
|
||||
* Check to see if there is an existing NAT
|
||||
* setup for this IP address pair.
|
||||
*/
|
||||
natl = nat_maplookup(fin->fin_ifp, flags,
|
||||
ip->ip_src, ip->ip_dst);
|
||||
if (natl != NULL) {
|
||||
in = natl->nat_outip;
|
||||
if ((in.s_addr & np->in_outmsk) !=
|
||||
np->in_outip)
|
||||
in.s_addr = 0;
|
||||
else
|
||||
#ifndef sparc
|
||||
in.s_addr = ntohl(in.s_addr);
|
||||
in.s_addr = ntohl(in.s_addr);
|
||||
#else
|
||||
;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
@ -1768,6 +1776,7 @@ u_int type;
|
||||
natl.nl_origport = nat->nat_oport;
|
||||
natl.nl_inport = nat->nat_inport;
|
||||
natl.nl_outport = nat->nat_outport;
|
||||
natl.nl_p = nat->nat_p;
|
||||
natl.nl_type = type;
|
||||
natl.nl_rule = -1;
|
||||
#ifndef LARGE_NAT
|
||||
|
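Review bot: In the ip_nat.c hunk @ -728,12 +726,22 (context `int direction;`) the `else` of the out-mask test is completed by a preprocessor-selected statement, `#ifndef sparc in.s_addr = ntohl(in.s_addr); #else ; #endif`, which leaves a bare `else ;` on sparc builds and keys the decision on a CPU macro rather than on byte order. Since ntohl is the identity on big-endian hosts, the conditional looks redundant — unless sparc builds define ntohl unusually, a plain `else in.s_addr = ntohl(in.s_addr);` without the #ifndef/#else should behave the same and read cleanly; if there is a sparc-specific reason, it needs a comment. The enclosing function starts and ends outside the hunk.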
@ -6,8 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_nat.h 1.5 2/4/96
|
||||
* $Id: ip_nat.h,v 2.1.2.2 1999/11/28 11:01:51 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
* $Id: ip_nat.h,v 2.1.2.3 2000/01/24 12:44:24 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IP_NAT_H__
|
||||
@ -187,6 +186,7 @@ typedef struct natlog {
|
||||
int nl_rule;
|
||||
U_QUAD_T nl_pkts;
|
||||
U_QUAD_T nl_bytes;
|
||||
u_char nl_p;
|
||||
} natlog_t;
|
||||
|
||||
|
||||
|
@ -6,8 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint)
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
|
||||
|
@ -6,7 +6,6 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* $Id: ip_proxy.h,v 2.1.2.1 1999/09/19 12:18:20 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#ifndef __IP_PROXY_H__
|
||||
|
@ -1,6 +1,3 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
#if SOLARIS && defined(_KERNEL)
|
||||
extern kmutex_t ipf_rw;
|
||||
#endif
|
||||
|
@ -1,7 +1,6 @@
|
||||
/*
|
||||
* Simple RCMD transparent proxy for in-kernel use. For use with the NAT
|
||||
* code.
|
||||
* $FreeBSD$
|
||||
*/
|
||||
#if SOLARIS && defined(_KERNEL)
|
||||
extern kmutex_t ipf_rw;
|
||||
|
@ -7,8 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.16 1999/12/28 05:24:58 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.18 2000/01/27 08:51:30 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/errno.h>
|
||||
@ -29,8 +28,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <linux/module.h>
|
||||
# endif
|
||||
#endif
|
||||
#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \
|
||||
(defined(_KERNEL) && (__FreeBSD_version >= 400013)))
|
||||
#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
|
||||
# include <sys/filio.h>
|
||||
# include <sys/fcntl.h>
|
||||
# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
|
||||
@ -45,7 +43,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <sys/protosw.h>
|
||||
#endif
|
||||
#include <sys/socket.h>
|
||||
#if defined(_KERNEL) && !defined(linux)
|
||||
#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
|
||||
# include <sys/systm.h>
|
||||
#endif
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
@ -176,11 +174,10 @@ int which;
|
||||
delete = 1;
|
||||
break;
|
||||
case 1 :
|
||||
if ((is->is_p == IPPROTO_TCP) &&
|
||||
(((is->is_state[0] <= TCPS_ESTABLISHED) &&
|
||||
(is->is_state[1] > TCPS_ESTABLISHED)) ||
|
||||
((is->is_state[1] <= TCPS_ESTABLISHED) &&
|
||||
(is->is_state[0] > TCPS_ESTABLISHED))))
|
||||
if (is->is_p != IPPROTO_TCP)
|
||||
break;
|
||||
if ((is->is_state[0] != TCPS_ESTABLISHED) ||
|
||||
(is->is_state[1] != TCPS_ESTABLISHED))
|
||||
delete = 1;
|
||||
break;
|
||||
}
|
||||
@ -459,7 +456,7 @@ tcphdr_t *tcp;
|
||||
win = ntohs(tcp->th_win);
|
||||
end = seq + ip->ip_len - fin->fin_hlen - (tcp->th_off << 2) +
|
||||
((tcp->th_flags & TH_SYN) ? 1 : 0) +
|
||||
((tcp->th_flags & TH_FIN) ? 1 : 0);
|
||||
((tcp->th_flags & TH_FIN) ? 1 : 0);
|
||||
|
||||
if (fdata->td_end == 0) {
|
||||
/*
|
||||
@ -473,6 +470,8 @@ tcphdr_t *tcp;
|
||||
if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */
|
||||
ack = tdata->td_end;
|
||||
win = 1;
|
||||
if ((tcp->th_flags == TH_SYN) && (tdata->td_maxwin == 0))
|
||||
tdata->td_maxwin = 1;
|
||||
} else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) &&
|
||||
(ack == 0)) {
|
||||
/* gross hack to get around certain broken tcp stacks */
|
||||
@ -488,7 +487,7 @@ tcphdr_t *tcp;
|
||||
#define SEQ_GE(a,b) ((int)((a) - (b)) >= 0)
|
||||
#define SEQ_GT(a,b) ((int)((a) - (b)) > 0)
|
||||
if ((SEQ_GE(fdata->td_maxend, end)) &&
|
||||
(SEQ_GE(seq + maxwin, fdata->td_end - maxwin)) &&
|
||||
(SEQ_GE(seq, fdata->td_end - maxwin)) &&
|
||||
/* XXX what about big packets */
|
||||
#define MAXACKWINDOW 66000
|
||||
(ackskew >= -MAXACKWINDOW) &&
|
||||
@ -673,8 +672,8 @@ fr_info_t *fin;
|
||||
int type;
|
||||
u_int hv;
|
||||
|
||||
/*
|
||||
* Does it at least have the return (basic) IP header ?
|
||||
/*
|
||||
* Does it at least have the return (basic) IP header ?
|
||||
* Only a basic IP header (no options) should be with
|
||||
* an ICMP error header.
|
||||
*/
|
||||
@ -708,10 +707,10 @@ fr_info_t *fin;
|
||||
if ((icmp->icmp_type != ICMP_ECHO) &&
|
||||
(icmp->icmp_type != ICMP_TSTAMP) &&
|
||||
(icmp->icmp_type != ICMP_IREQ) &&
|
||||
(icmp->icmp_type != ICMP_MASKREQ))
|
||||
(icmp->icmp_type != ICMP_MASKREQ))
|
||||
return NULL;
|
||||
|
||||
/*
|
||||
/*
|
||||
* perform a lookup of the ICMP packet in the state table
|
||||
*/
|
||||
|
||||
@ -735,9 +734,9 @@ fr_info_t *fin;
|
||||
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
|
||||
if ((is->is_p == pr) &&
|
||||
fr_matchsrcdst(is, src, dst, &ofin, NULL)) {
|
||||
/*
|
||||
/*
|
||||
* in the state table ICMP query's are stored
|
||||
* with the type of the corresponding ICMP
|
||||
* with the type of the corresponding ICMP
|
||||
* response. Correct here
|
||||
*/
|
||||
if (((is->is_type == ICMP_ECHOREPLY) &&
|
||||
@ -747,7 +746,7 @@ fr_info_t *fin;
|
||||
(is->is_type - 1 == ic->icmp_type)) {
|
||||
ips_stats.iss_hits++;
|
||||
is->is_pkts++;
|
||||
is->is_bytes += ip->ip_len;
|
||||
is->is_bytes += ip->ip_len;
|
||||
fr = is->is_rule;
|
||||
RWLOCK_EXIT(&ipf_state);
|
||||
return fr;
|
||||
@ -805,7 +804,7 @@ fr_info_t *fin;
|
||||
* comes the other way around
|
||||
*/
|
||||
is->is_pkts++;
|
||||
is->is_bytes += ip->ip_len;
|
||||
is->is_bytes += ip->ip_len;
|
||||
/*
|
||||
* we deliberately do not touch the timeouts
|
||||
* for the accompanying state table entry.
|
||||
@ -1040,12 +1039,12 @@ void fr_timeoutstate()
|
||||
ips_num--;
|
||||
} else
|
||||
isp = &is->is_next;
|
||||
RWLOCK_EXIT(&ipf_state);
|
||||
SPL_X(s);
|
||||
if (fr_state_doflush) {
|
||||
(void) fr_state_flush(1);
|
||||
fr_state_doflush = 0;
|
||||
}
|
||||
RWLOCK_EXIT(&ipf_state);
|
||||
SPL_X(s);
|
||||
}
|
||||
|
||||
|
||||
@ -1182,3 +1181,21 @@ u_int type;
|
||||
(void) ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1);
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
void ip_statesync(ifp)
|
||||
void *ifp;
|
||||
{
|
||||
register ipstate_t *is;
|
||||
register int i;
|
||||
|
||||
WRITE_ENTER(&ipf_state);
|
||||
for (i = fr_statesize - 1; i >= 0; i--)
|
||||
for (is = ips_table[i]; is != NULL; is = is->is_next) {
|
||||
if (is->is_ifpin == ifp)
|
||||
is->is_ifpin = NULL;
|
||||
if (is->is_ifpout == ifp)
|
||||
is->is_ifpout = NULL;
|
||||
}
|
||||
RWLOCK_EXIT(&ipf_state);
|
||||
}
|
||||
|
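Review bot: In the ip_state.c fr_timeoutstate hunk @ -1040,12 +1039,12 the `fr_state_doflush` block has moved in front of `RWLOCK_EXIT(&ipf_state)` and `SPL_X(s)`, so `fr_state_flush(1)` now runs with the state write lock held; fr_state_flush walks the same table (see the `int which;` hunk earlier in this file) and, if it takes `WRITE_ENTER(&ipf_state)` itself, this becomes a recursive acquisition on any platform where the lock macros are not empty. Either document that fr_state_flush must be entered with ipf_state already held, or keep the flush after the lock is released as before. fr_timeoutstate starts outside the hunk. Separately, the new ip_statesync at the end of the file would read better with a header comment such as `/* Clear cached references to ifp from every state entry; called from frsync() */`.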
@ -6,8 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
|
||||
* $Id: ip_state.h,v 2.1 1999/08/04 17:30:00 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
* $Id: ip_state.h,v 2.1.2.2 2000/01/24 13:13:52 darrenr Exp $
|
||||
*/
|
||||
#ifndef __IP_STATE_H__
|
||||
#define __IP_STATE_H__
|
||||
@ -152,6 +151,7 @@ extern int fr_stateinit __P((void));
|
||||
extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
|
||||
extern ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, u_int));
|
||||
extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *));
|
||||
extern void ip_statesync __P((void *));
|
||||
extern void fr_timeoutstate __P((void));
|
||||
extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
|
||||
extern void fr_stateunload __P((void));
|
||||
|
@ -6,12 +6,11 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ipl.h 1.21 6/5/96
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#ifndef __IPL_H__
|
||||
#define __IPL_H__
|
||||
|
||||
#define IPL_VERSION "IP Filter: v3.3.6"
|
||||
#define IPL_VERSION "IP Filter: v3.3.8"
|
||||
|
||||
#endif
|
||||
|
@ -73,8 +73,8 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
|
||||
&fr_ipfrttl, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_unreach, CTLFLAG_RW,
|
||||
&ipl_unreach, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_inited, CTLFLAG_RD,
|
||||
&ipl_inited, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
|
||||
&fr_running, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RD,
|
||||
&fr_authsize, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
|
||||
|
@ -7,8 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
|
||||
/*static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.14 1999/12/07 12:53:40 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/errno.h>
|
||||
@ -20,10 +19,8 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
defined(_KERNEL)
|
||||
# include "opt_ipfilter_log.h"
|
||||
#endif
|
||||
#if ((defined(KERNEL) && defined(__FreeBSD_version) && \
|
||||
(__FreeBSD_version >= 220000)) || \
|
||||
(defined(_KERNEL) && defined(__FreeBSD_version) && \
|
||||
(__FreeBSD_version >= 40013)))
|
||||
#if defined(_KERNEL) && defined(__FreeBSD_version) && \
|
||||
(__FreeBSD_version >= 220000)
|
||||
# include <sys/filio.h>
|
||||
# include <sys/fcntl.h>
|
||||
#else
|
||||
@ -248,6 +245,12 @@ fr_info_t *fin;
|
||||
if (!off && (icmp->icmp_type == ICMP_ECHOREPLY ||
|
||||
icmp->icmp_type == ICMP_ECHO))
|
||||
minicmpsz = ICMP_MINLEN;
|
||||
if (!off && (icmp->icmp_type == ICMP_TSTAMP ||
|
||||
icmp->icmp_type == ICMP_TSTAMPREPLY))
|
||||
minicmpsz = 20; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */
|
||||
if (!off && (icmp->icmp_type == ICMP_MASKREQ ||
|
||||
icmp->icmp_type == ICMP_MASKREPLY))
|
||||
minicmpsz = 12; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */
|
||||
if ((!(ip->ip_len >= hlen + minicmpsz) && !off) ||
|
||||
(off && off < sizeof(struct icmp)))
|
||||
fi->fi_fl |= FI_SHORT;
|
||||
@ -691,6 +694,9 @@ int out;
|
||||
|
||||
READ_ENTER(&ipf_mutex);
|
||||
|
||||
if (fin->fin_fi.fi_fl & FI_SHORT)
|
||||
ATOMIC_INC(frstats[out].fr_short);
|
||||
|
||||
/*
|
||||
* Check auth now. This, combined with the check below to see if apass
|
||||
* is 0 is to ensure that we don't count the packet twice, which can
|
||||
@ -1181,7 +1187,7 @@ tcphdr_t *tcp;
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
|
||||
* $Id: fil.c,v 2.3.2.14 1999/12/07 12:53:40 darrenr Exp $
|
||||
* $Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $
|
||||
*/
|
||||
/*
|
||||
* Copy data from an mbuf chain starting "off" bytes from the beginning,
|
||||
@ -1582,7 +1588,10 @@ void frsync()
|
||||
# else
|
||||
for (ifp = ifnet; ifp; ifp = ifp->if_next)
|
||||
# endif
|
||||
{
|
||||
ip_natsync(ifp);
|
||||
ip_statesync(ifp);
|
||||
}
|
||||
# endif
|
||||
|
||||
WRITE_ENTER(&ipf_mutex);
|
||||
|
@ -6,8 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint)
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.1 1999/09/28 11:44:04 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.2 2000/01/16 10:12:14 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/errno.h>
|
||||
@ -20,8 +19,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <stdlib.h>
|
||||
# include <string.h>
|
||||
#endif
|
||||
#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \
|
||||
(defined(_KERNEL) && (__FreeBSD_version >= 40013)))
|
||||
#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
|
||||
# include <sys/filio.h>
|
||||
# include <sys/fcntl.h>
|
||||
#else
|
||||
@ -32,7 +30,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <sys/protosw.h>
|
||||
#endif
|
||||
#include <sys/socket.h>
|
||||
#if defined(_KERNEL) && !defined(linux)
|
||||
#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
|
||||
# include <sys/systm.h>
|
||||
#endif
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
@ -398,7 +396,7 @@ frentry_t *fr, **frptr;
|
||||
# if SOLARIS
|
||||
error = fr_qout(fr_auth[i].fra_q, m);
|
||||
# else /* SOLARIS */
|
||||
# if _BSDI_VERSION >= 199802
|
||||
# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__)
|
||||
error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
|
||||
NULL);
|
||||
# else
|
||||
|
@ -6,7 +6,6 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* $Id: ip_auth.h,v 2.1 1999/08/04 17:29:54 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
*
|
||||
*/
|
||||
#ifndef __IP_AUTH_H__
|
||||
|
@ -7,7 +7,6 @@
|
||||
*
|
||||
* @(#)ip_compat.h 1.8 1/14/96
|
||||
* $Id: ip_compat.h,v 2.1.2.3 1999/11/18 13:55:26 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#ifndef __IP_COMPAT_H__
|
||||
|
@ -7,8 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.14 1999/12/11 05:31:08 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.16 2000/01/16 10:12:42 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#ifndef SOLARIS
|
||||
@ -127,7 +126,6 @@ extern int tcp_ttl;
|
||||
# endif
|
||||
#endif
|
||||
|
||||
int ipl_inited = 0;
|
||||
int ipl_unreach = ICMP_UNREACH_FILTER;
|
||||
u_long ipl_frouteok[2] = {0, 0};
|
||||
|
||||
@ -159,11 +157,7 @@ static int write_output __P((struct ifnet *, struct mbuf *,
|
||||
struct sockaddr *, struct rtentry *));
|
||||
# endif
|
||||
#endif
|
||||
#if defined(IPFILTER_LKM)
|
||||
int fr_running = 1;
|
||||
#else
|
||||
int fr_running = 0;
|
||||
#endif
|
||||
|
||||
#if (__FreeBSD_version >= 300000) && defined(_KERNEL)
|
||||
struct callout_handle ipfr_slowtimer_ch;
|
||||
@ -231,7 +225,7 @@ int iplattach()
|
||||
# endif
|
||||
|
||||
SPL_NET(s);
|
||||
if (ipl_inited || (fr_checkp == fr_check)) {
|
||||
if (fr_running || (fr_checkp == fr_check)) {
|
||||
printf("IP Filter: already initialized\n");
|
||||
SPL_X(s);
|
||||
return EBUSY;
|
||||
@ -259,7 +253,6 @@ int iplattach()
|
||||
}
|
||||
# endif
|
||||
|
||||
ipl_inited = 1;
|
||||
bzero((char *)frcache, sizeof(frcache));
|
||||
fr_savep = fr_checkp;
|
||||
fr_checkp = fr_check;
|
||||
@ -287,6 +280,7 @@ int iplattach()
|
||||
timeout(ipfr_slowtimer, NULL, hz/2);
|
||||
# endif
|
||||
#endif
|
||||
fr_running = 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -311,18 +305,16 @@ int ipldetach()
|
||||
# endif
|
||||
#endif
|
||||
SPL_NET(s);
|
||||
if (!ipl_inited)
|
||||
if (!fr_running)
|
||||
{
|
||||
printf("IP Filter: not initialized\n");
|
||||
SPL_X(s);
|
||||
return 0;
|
||||
}
|
||||
|
||||
printf("IP Filter: unloaded\n");
|
||||
|
||||
fr_checkp = fr_savep;
|
||||
i = frflush(IPL_LOGIPF, i);
|
||||
ipl_inited = 0;
|
||||
fr_running = 0;
|
||||
|
||||
# ifdef NETBSD_PF
|
||||
pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
|
||||
@ -415,11 +407,15 @@ int mode;
|
||||
SPL_NET(s);
|
||||
|
||||
if (unit == IPL_LOGNAT) {
|
||||
if (!fr_running)
|
||||
return EIO;
|
||||
error = nat_ioctl(data, cmd, mode);
|
||||
SPL_X(s);
|
||||
return error;
|
||||
}
|
||||
if (unit == IPL_LOGSTATE) {
|
||||
if (!fr_running)
|
||||
return EIO;
|
||||
error = fr_state_ioctl(data, cmd, mode);
|
||||
SPL_X(s);
|
||||
return error;
|
||||
@ -440,15 +436,10 @@ int mode;
|
||||
error = EPERM;
|
||||
else {
|
||||
IRCOPY(data, (caddr_t)&enable, sizeof(enable));
|
||||
if (enable) {
|
||||
if (enable)
|
||||
error = iplattach();
|
||||
if (error == 0)
|
||||
fr_running = 1;
|
||||
} else {
|
||||
else
|
||||
error = ipldetach();
|
||||
if (error == 0)
|
||||
fr_running = 0;
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
||||
@ -705,13 +696,15 @@ caddr_t data;
|
||||
}
|
||||
|
||||
if (!f) {
|
||||
if (req != SIOCINAFR || req != SIOCINIFR)
|
||||
if (req != SIOCINAFR && req != SIOCINIFR)
|
||||
while ((f = *ftail))
|
||||
ftail = &f->fr_next;
|
||||
else {
|
||||
if (fp->fr_hits)
|
||||
if (fp->fr_hits) {
|
||||
ftail = fprev;
|
||||
while (--fp->fr_hits && (f = *ftail))
|
||||
ftail = &f->fr_next;
|
||||
}
|
||||
f = NULL;
|
||||
}
|
||||
}
|
||||
@ -947,7 +940,11 @@ ip_t *ip;
|
||||
# if _BSDI_VERSION >= 199802
|
||||
return ip_output(m, (struct mbuf *)0, &ro, 0, 0, NULL);
|
||||
# else
|
||||
# if defined(__OpenBSD__)
|
||||
return ip_output(m, (struct mbuf *)0, 0, 0, 0, NULL);
|
||||
# else
|
||||
return ip_output(m, (struct mbuf *)0, 0, 0, 0);
|
||||
# endif
|
||||
# endif
|
||||
# endif
|
||||
}
|
||||
|
@ -6,8 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_fil.h 1.35 6/5/96
|
||||
* $Id: ip_fil.h,v 2.3.2.6 1999/12/17 12:58:16 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
* $Id: ip_fil.h,v 2.3.2.7 2000/01/27 08:49:41 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IP_FIL_H__
|
||||
@ -83,8 +82,8 @@
|
||||
#define SIOCINSFR SIOCINAFR
|
||||
|
||||
typedef struct fr_ip {
|
||||
u_int fi_v:4; /* IP version */
|
||||
u_int fi_fl:4; /* packet flags */
|
||||
u_char fi_v:4; /* IP version */
|
||||
u_char fi_fl:4; /* packet flags */
|
||||
u_char fi_tos; /* IP packet TOS */
|
||||
u_char fi_ttl; /* IP packet TTL */
|
||||
u_char fi_p; /* IP packet protocol */
|
||||
@ -272,6 +271,7 @@ typedef struct filterstats {
|
||||
u_long fr_pass; /* packets allowed */
|
||||
u_long fr_block; /* packets denied */
|
||||
u_long fr_nom; /* packets which don't match any rule */
|
||||
u_long fr_short; /* packets which are short */
|
||||
u_long fr_ppkl; /* packets allowed and logged */
|
||||
u_long fr_bpkl; /* packets denied and logged */
|
||||
u_long fr_npkl; /* packets unmatched and logged */
|
||||
@ -427,7 +427,6 @@ typedef struct ipflog {
|
||||
|
||||
|
||||
#ifndef _KERNEL
|
||||
struct ifnet;
|
||||
extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
|
||||
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
|
||||
extern int send_reset __P((ip_t *, struct ifnet *));
|
||||
@ -554,7 +553,7 @@ extern void fr_makefrip __P((int, ip_t *, fr_info_t *));
|
||||
extern int fr_ifpaddr __P((void *, struct in_addr *));
|
||||
extern char *memstr __P((char *, char *, int, int));
|
||||
extern int ipl_unreach;
|
||||
extern int ipl_inited;
|
||||
extern int fr_running;
|
||||
extern u_long ipl_frouteok[2];
|
||||
extern int fr_pass;
|
||||
extern int fr_flags;
|
||||
|
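Review bot: The new `u_char fi_v:4;` and `u_char fi_fl:4;` bit-fields in `struct fr_ip` use a type that C89/C99 permit for bit-fields only as an implementation-defined extension (the standard guarantees `int`, `signed int` and `unsigned int`), so the packing and therefore `sizeof(struct fr_ip)` become compiler-dependent rather than fixed. Together with the `fr_short` counter inserted mid-struct in `filterstats`, this changes the layout of structures that appear to cross the kernel/userland boundary (`fr_ip` is embedded in `fr_info_t`, `filterstats` is what the statistics ioctl returns), and I can't see a version check on that interface from here, so userland tools built against the previous header presumably need rebuilding in lockstep. A one-line comment on the bit-fields, e.g. `/* u_char bit-fields: packing is compiler-defined; keep userland copies of this header in sync */`, would make that dependency visible to the next maintainer.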
@ -7,8 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if defined(KERNEL) && !defined(_KERNEL)
|
||||
@ -25,8 +24,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <string.h>
|
||||
# include <stdlib.h>
|
||||
#endif
|
||||
#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \
|
||||
(defined(_KERNEL) && (__FreeBSD_version >= 40013)))
|
||||
#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
|
||||
# include <sys/filio.h>
|
||||
# include <sys/fcntl.h>
|
||||
#else
|
||||
|
@ -7,7 +7,6 @@
|
||||
*
|
||||
* @(#)ip_frag.h 1.5 3/24/96
|
||||
* $Id: ip_frag.h,v 2.2 1999/08/06 06:26:38 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#ifndef __IP_FRAG_H__
|
||||
|
@ -1,7 +1,6 @@
|
||||
/*
|
||||
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
|
||||
* code.
|
||||
* $FreeBSD$
|
||||
*/
|
||||
#if SOLARIS && defined(_KERNEL)
|
||||
extern kmutex_t ipf_rw;
|
||||
|
@ -6,7 +6,6 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* $Id: ip_log.c,v 2.1.2.2 1999/09/21 11:55:44 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
*/
|
||||
#include <sys/param.h>
|
||||
#if defined(KERNEL) && !defined(_KERNEL)
|
||||
@ -16,7 +15,7 @@
|
||||
# include "opt_ipfilter_log.h"
|
||||
#endif
|
||||
#ifdef __FreeBSD__
|
||||
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
|
||||
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
|
||||
# if !defined(__FreeBSD_version)
|
||||
# include <sys/osreldate.h>
|
||||
# endif
|
||||
|
@ -9,8 +9,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.11 1999/12/17 13:05:40 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.12 2000/01/24 12:43:40 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
|
||||
@ -31,8 +30,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <string.h>
|
||||
# include <stdlib.h>
|
||||
#endif
|
||||
#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \
|
||||
(defined(_KERNEL) && (__FreeBSD_version >= 40013)))
|
||||
#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
|
||||
# include <sys/filio.h>
|
||||
# include <sys/fcntl.h>
|
||||
#else
|
||||
@ -728,12 +726,22 @@ int direction;
|
||||
port = 0;
|
||||
in.s_addr = np->in_nip;
|
||||
if (l == 0) {
|
||||
/*
|
||||
* Check to see if there is an existing NAT
|
||||
* setup for this IP address pair.
|
||||
*/
|
||||
natl = nat_maplookup(fin->fin_ifp, flags,
|
||||
ip->ip_src, ip->ip_dst);
|
||||
if (natl != NULL) {
|
||||
in = natl->nat_outip;
|
||||
if ((in.s_addr & np->in_outmsk) !=
|
||||
np->in_outip)
|
||||
in.s_addr = 0;
|
||||
else
|
||||
#ifndef sparc
|
||||
in.s_addr = ntohl(in.s_addr);
|
||||
in.s_addr = ntohl(in.s_addr);
|
||||
#else
|
||||
;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
@ -1768,6 +1776,7 @@ u_int type;
|
||||
natl.nl_origport = nat->nat_oport;
|
||||
natl.nl_inport = nat->nat_inport;
|
||||
natl.nl_outport = nat->nat_outport;
|
||||
natl.nl_p = nat->nat_p;
|
||||
natl.nl_type = type;
|
||||
natl.nl_rule = -1;
|
||||
#ifndef LARGE_NAT
|
||||
|
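Review bot: In the new `nat_maplookup` block the `else` governs a statement that the preprocessor selects: `#ifndef sparc` / `in.s_addr = ntohl(in.s_addr);` / `#else` / `;` / `#endif`. On sparc the `else` ends up controlling a bare `;`, which compiles but is easy to misread and will silently attach to any statement later inserted before the `#endif`. Wrapping the branch in braces so that `else {` encloses the whole `#ifndef sparc` block (and the `#else ;` is dropped) keeps the structure explicit on every target. The enclosing function starts and ends outside the hunk, so I can't confirm from here how the byte order of `in` is consumed after this point.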
@ -6,8 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_nat.h 1.5 2/4/96
|
||||
* $Id: ip_nat.h,v 2.1.2.2 1999/11/28 11:01:51 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
* $Id: ip_nat.h,v 2.1.2.3 2000/01/24 12:44:24 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IP_NAT_H__
|
||||
@ -187,6 +186,7 @@ typedef struct natlog {
|
||||
int nl_rule;
|
||||
U_QUAD_T nl_pkts;
|
||||
U_QUAD_T nl_bytes;
|
||||
u_char nl_p;
|
||||
} natlog_t;
|
||||
|
||||
|
||||
|
@ -6,8 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint)
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
|
||||
|
@ -6,7 +6,6 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* $Id: ip_proxy.h,v 2.1.2.1 1999/09/19 12:18:20 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#ifndef __IP_PROXY_H__
|
||||
|
@ -1,6 +1,3 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
#if SOLARIS && defined(_KERNEL)
|
||||
extern kmutex_t ipf_rw;
|
||||
#endif
|
||||
|
@ -1,7 +1,6 @@
|
||||
/*
|
||||
* Simple RCMD transparent proxy for in-kernel use. For use with the NAT
|
||||
* code.
|
||||
* $FreeBSD$
|
||||
*/
|
||||
#if SOLARIS && defined(_KERNEL)
|
||||
extern kmutex_t ipf_rw;
|
||||
|
@ -7,8 +7,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
|
||||
/*static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.16 1999/12/28 05:24:58 darrenr Exp $";*/
|
||||
static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.18 2000/01/27 08:51:30 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/errno.h>
|
||||
@ -29,8 +28,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <linux/module.h>
|
||||
# endif
|
||||
#endif
|
||||
#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \
|
||||
(defined(_KERNEL) && (__FreeBSD_version >= 400013)))
|
||||
#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
|
||||
# include <sys/filio.h>
|
||||
# include <sys/fcntl.h>
|
||||
# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
|
||||
@ -45,7 +43,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
|
||||
# include <sys/protosw.h>
|
||||
#endif
|
||||
#include <sys/socket.h>
|
||||
#if defined(_KERNEL) && !defined(linux)
|
||||
#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
|
||||
# include <sys/systm.h>
|
||||
#endif
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
@ -176,11 +174,10 @@ int which;
|
||||
delete = 1;
|
||||
break;
|
||||
case 1 :
|
||||
if ((is->is_p == IPPROTO_TCP) &&
|
||||
(((is->is_state[0] <= TCPS_ESTABLISHED) &&
|
||||
(is->is_state[1] > TCPS_ESTABLISHED)) ||
|
||||
((is->is_state[1] <= TCPS_ESTABLISHED) &&
|
||||
(is->is_state[0] > TCPS_ESTABLISHED))))
|
||||
if (is->is_p != IPPROTO_TCP)
|
||||
break;
|
||||
if ((is->is_state[0] != TCPS_ESTABLISHED) ||
|
||||
(is->is_state[1] != TCPS_ESTABLISHED))
|
||||
delete = 1;
|
||||
break;
|
||||
}
|
||||
@ -459,7 +456,7 @@ tcphdr_t *tcp;
|
||||
win = ntohs(tcp->th_win);
|
||||
end = seq + ip->ip_len - fin->fin_hlen - (tcp->th_off << 2) +
|
||||
((tcp->th_flags & TH_SYN) ? 1 : 0) +
|
||||
((tcp->th_flags & TH_FIN) ? 1 : 0);
|
||||
((tcp->th_flags & TH_FIN) ? 1 : 0);
|
||||
|
||||
if (fdata->td_end == 0) {
|
||||
/*
|
||||
@ -473,6 +470,8 @@ tcphdr_t *tcp;
|
||||
if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */
|
||||
ack = tdata->td_end;
|
||||
win = 1;
|
||||
if ((tcp->th_flags == TH_SYN) && (tdata->td_maxwin == 0))
|
||||
tdata->td_maxwin = 1;
|
||||
} else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) &&
|
||||
(ack == 0)) {
|
||||
/* gross hack to get around certain broken tcp stacks */
|
||||
@ -488,7 +487,7 @@ tcphdr_t *tcp;
|
||||
#define SEQ_GE(a,b) ((int)((a) - (b)) >= 0)
|
||||
#define SEQ_GT(a,b) ((int)((a) - (b)) > 0)
|
||||
if ((SEQ_GE(fdata->td_maxend, end)) &&
|
||||
(SEQ_GE(seq + maxwin, fdata->td_end - maxwin)) &&
|
||||
(SEQ_GE(seq, fdata->td_end - maxwin)) &&
|
||||
/* XXX what about big packets */
|
||||
#define MAXACKWINDOW 66000
|
||||
(ackskew >= -MAXACKWINDOW) &&
|
||||
@ -673,8 +672,8 @@ fr_info_t *fin;
|
||||
int type;
|
||||
u_int hv;
|
||||
|
||||
/*
|
||||
* Does it at least have the return (basic) IP header ?
|
||||
/*
|
||||
* Does it at least have the return (basic) IP header ?
|
||||
* Only a basic IP header (no options) should be with
|
||||
* an ICMP error header.
|
||||
*/
|
||||
@ -708,10 +707,10 @@ fr_info_t *fin;
|
||||
if ((icmp->icmp_type != ICMP_ECHO) &&
|
||||
(icmp->icmp_type != ICMP_TSTAMP) &&
|
||||
(icmp->icmp_type != ICMP_IREQ) &&
|
||||
(icmp->icmp_type != ICMP_MASKREQ))
|
||||
(icmp->icmp_type != ICMP_MASKREQ))
|
||||
return NULL;
|
||||
|
||||
/*
|
||||
/*
|
||||
* perform a lookup of the ICMP packet in the state table
|
||||
*/
|
||||
|
||||
@ -735,9 +734,9 @@ fr_info_t *fin;
|
||||
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
|
||||
if ((is->is_p == pr) &&
|
||||
fr_matchsrcdst(is, src, dst, &ofin, NULL)) {
|
||||
/*
|
||||
/*
|
||||
* in the state table ICMP query's are stored
|
||||
* with the type of the corresponding ICMP
|
||||
* with the type of the corresponding ICMP
|
||||
* response. Correct here
|
||||
*/
|
||||
if (((is->is_type == ICMP_ECHOREPLY) &&
|
||||
@ -747,7 +746,7 @@ fr_info_t *fin;
|
||||
(is->is_type - 1 == ic->icmp_type)) {
|
||||
ips_stats.iss_hits++;
|
||||
is->is_pkts++;
|
||||
is->is_bytes += ip->ip_len;
|
||||
is->is_bytes += ip->ip_len;
|
||||
fr = is->is_rule;
|
||||
RWLOCK_EXIT(&ipf_state);
|
||||
return fr;
|
||||
@ -805,7 +804,7 @@ fr_info_t *fin;
|
||||
* comes the other way around
|
||||
*/
|
||||
is->is_pkts++;
|
||||
is->is_bytes += ip->ip_len;
|
||||
is->is_bytes += ip->ip_len;
|
||||
/*
|
||||
* we deliberately do not touch the timeouts
|
||||
* for the accompanying state table entry.
|
||||
@ -1040,12 +1039,12 @@ void fr_timeoutstate()
|
||||
ips_num--;
|
||||
} else
|
||||
isp = &is->is_next;
|
||||
RWLOCK_EXIT(&ipf_state);
|
||||
SPL_X(s);
|
||||
if (fr_state_doflush) {
|
||||
(void) fr_state_flush(1);
|
||||
fr_state_doflush = 0;
|
||||
}
|
||||
RWLOCK_EXIT(&ipf_state);
|
||||
SPL_X(s);
|
||||
}
|
||||
|
||||
|
||||
@ -1182,3 +1181,21 @@ u_int type;
|
||||
(void) ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1);
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
void ip_statesync(ifp)
|
||||
void *ifp;
|
||||
{
|
||||
register ipstate_t *is;
|
||||
register int i;
|
||||
|
||||
WRITE_ENTER(&ipf_state);
|
||||
for (i = fr_statesize - 1; i >= 0; i--)
|
||||
for (is = ips_table[i]; is != NULL; is = is->is_next) {
|
||||
if (is->is_ifpin == ifp)
|
||||
is->is_ifpin = NULL;
|
||||
if (is->is_ifpout == ifp)
|
||||
is->is_ifpout = NULL;
|
||||
}
|
||||
RWLOCK_EXIT(&ipf_state);
|
||||
}
|
||||
|
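Review bot: In `fr_timeoutstate` the `fr_state_doflush` block now runs before `RWLOCK_EXIT(&ipf_state)` and `SPL_X(s)`, so `fr_state_flush(1)` is invoked with the state lock still held. The lock handling at the top of `fr_state_flush` is outside the hunk; if it acquires `ipf_state` itself, this re-enters a lock that is only a no-op on some of the supported platforms, so the contract should be stated at the call site, e.g. `/* ipf_state is held here: fr_state_flush() must not re-acquire it */`, or the flush moved back after the unlock. That same flush is now what evicts every TCP entry that is not ESTABLISHED on both sides (the rewritten `case 1`), so a table that fills under a burst of half-open connections is also cleared of legitimate in-progress handshakes; a comment on `case 1` such as `/* table full: drop every TCP state not yet fully established */` would make that intent explicit. `ip_statesync()` is undocumented as well; a header stating that it drops every `is_ifpin`/`is_ifpout` reference equal to `ifp` under the write lock, and when callers are expected to invoke it, would help.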
@ -6,8 +6,7 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
|
||||
* $Id: ip_state.h,v 2.1 1999/08/04 17:30:00 darrenr Exp $
|
||||
* $FreeBSD$
|
||||
* $Id: ip_state.h,v 2.1.2.2 2000/01/24 13:13:52 darrenr Exp $
|
||||
*/
|
||||
#ifndef __IP_STATE_H__
|
||||
#define __IP_STATE_H__
|
||||
@ -152,6 +151,7 @@ extern int fr_stateinit __P((void));
|
||||
extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
|
||||
extern ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, u_int));
|
||||
extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *));
|
||||
extern void ip_statesync __P((void *));
|
||||
extern void fr_timeoutstate __P((void));
|
||||
extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
|
||||
extern void fr_stateunload __P((void));
|
||||
|
@ -6,12 +6,11 @@
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ipl.h 1.21 6/5/96
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#ifndef __IPL_H__
|
||||
#define __IPL_H__
|
||||
|
||||
#define IPL_VERSION "IP Filter: v3.3.6"
|
||||
#define IPL_VERSION "IP Filter: v3.3.8"
|
||||
|
||||
#endif
|
||||
|
@ -73,8 +73,8 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
|
||||
&fr_ipfrttl, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_unreach, CTLFLAG_RW,
|
||||
&ipl_unreach, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_inited, CTLFLAG_RD,
|
||||
&ipl_inited, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
|
||||
&fr_running, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RD,
|
||||
&fr_authsize, 0, "");
|
||||
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
|
||||
|