Big sweep over the IPFIREWALL and IPACCT code.

Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "rerorder" code entirely.
Count packet & bytecount matches for rules.

Code in -current & -stable is now the same.

sys/conf/NOTES

@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 #	as much of the source tree as it can.
 #
-#	$Id: LINT,v 1.238 1996/02/06 20:57:46 wollman Exp $
+#	$Id: LINT,v 1.239 1996/02/13 18:16:18 wollman Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file.  Instead, you should start from GENERIC, and add options from
@@ -191,9 +191,6 @@ pseudo-device	tun	1		#Tunnel driver(user process ppp)
 # IPFIREWALL enables support for IP firewall construction, in
 # conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE does
 # the obvious thing.
-# IPFIREWALL_ORDER_RULES makes the ipfw code sort the rules.  You
-# don't want that, it's only there to be backward compatible.
-# IPACCT enables IP accounting.
 #
 # TCPDEBUG is undocumented.
 #
@@ -202,8 +199,6 @@ options		MROUTING		# Multicast routing
 options         IPFIREWALL              #firewall
 options         IPFIREWALL_VERBOSE      #print information about
 					# dropped packets
-options		IPFIREWALL_ORDER_RULES	# bogusly sort rules.
-options		IPACCT			#ipaccounting
 options		TCPDEBUG
 
 

sys/conf/files

@@ -199,9 +199,7 @@ netinet/ip_input.c	optional inet
 netinet/ip_mroute.c	optional inet
 netinet/ip_output.c	optional inet
 netinet/raw_ip.c	optional inet
-netinet/ip_fwdef.c	optional inet
 netinet/ip_fw.c         optional ipfirewall
-netinet/ip_fw.c         optional ipacct
 netinet/tcp_debug.c	optional tcpdebug
 netinet/tcp_input.c	optional inet
 netinet/tcp_output.c	optional inet

sys/i386/conf/LINT

@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 #	as much of the source tree as it can.
 #
-#	$Id: LINT,v 1.238 1996/02/06 20:57:46 wollman Exp $
+#	$Id: LINT,v 1.239 1996/02/13 18:16:18 wollman Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file.  Instead, you should start from GENERIC, and add options from
@@ -191,9 +191,6 @@ pseudo-device	tun	1		#Tunnel driver(user process ppp)
 # IPFIREWALL enables support for IP firewall construction, in
 # conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE does
 # the obvious thing.
-# IPFIREWALL_ORDER_RULES makes the ipfw code sort the rules.  You
-# don't want that, it's only there to be backward compatible.
-# IPACCT enables IP accounting.
 #
 # TCPDEBUG is undocumented.
 #
@@ -202,8 +199,6 @@ options		MROUTING		# Multicast routing
 options         IPFIREWALL              #firewall
 options         IPFIREWALL_VERBOSE      #print information about
 					# dropped packets
-options		IPFIREWALL_ORDER_RULES	# bogusly sort rules.
-options		IPACCT			#ipaccounting
 options		TCPDEBUG
 
 

sys/i386/conf/NOTES

@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 #	as much of the source tree as it can.
 #
-#	$Id: LINT,v 1.238 1996/02/06 20:57:46 wollman Exp $
+#	$Id: LINT,v 1.239 1996/02/13 18:16:18 wollman Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file.  Instead, you should start from GENERIC, and add options from
@@ -191,9 +191,6 @@ pseudo-device	tun	1		#Tunnel driver(user process ppp)
 # IPFIREWALL enables support for IP firewall construction, in
 # conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE does
 # the obvious thing.
-# IPFIREWALL_ORDER_RULES makes the ipfw code sort the rules.  You
-# don't want that, it's only there to be backward compatible.
-# IPACCT enables IP accounting.
 #
 # TCPDEBUG is undocumented.
 #
@@ -202,8 +199,6 @@ options		MROUTING		# Multicast routing
 options         IPFIREWALL              #firewall
 options         IPFIREWALL_VERBOSE      #print information about
 					# dropped packets
-options		IPFIREWALL_ORDER_RULES	# bogusly sort rules.
-options		IPACCT			#ipaccounting
 options		TCPDEBUG
 
 

sys/netinet/ip_fw.h

@@ -11,7 +11,7 @@
  *
  * This software is provided ``AS IS'' without any warranties of any kind.
  *
- *	$Id: ip_fw.h,v 1.13 1995/07/23 05:36:30 davidg Exp $
+ *	$Id: ip_fw.h,v 1.11.4.2 1996/02/23 15:26:05 phk Exp $
  */
 
 /*
@@ -25,14 +25,9 @@
 #define _IP_FW_H
 
 struct ip_fw {
-    struct ip_fw *fw_next;		/* Next firewall on chain */
+    u_long fw_pcnt,fw_bcnt;		/* Packet and byte counters */
     struct in_addr fw_src, fw_dst;	/* Source and destination IP addr */
     struct in_addr fw_smsk, fw_dmsk;	/* Mask for src and dest IP addr */
-	/*
-	 * This union keeps all "via" information.
-	 * If ever fu_via_ip is 0,or IP_FW_F_IFNAME set and
-	 * fu_via_name[0] is 0 - match any packet.
-	 */
     union {
 	struct in_addr fu_via_ip;
 	struct {
@@ -41,6 +36,10 @@ struct ip_fw {
 		short fu_via_unit;
 	} fu_via_if;
     } fu_via_un;
+#define fw_via_ip	fu_via_un.fu_via_ip
+#define fw_via_name	fu_via_un.fu_via_if.fu_via_name
+#define fw_via_unit	fu_via_un.fu_via_if.fu_via_unit
+    u_short fw_number;
     u_short fw_flg;			/* Flags word */
     u_short fw_nsp, fw_ndp;             /* N'of src ports and # of dst ports */
     					/* in ports array (dst ports follow */
@@ -48,46 +47,40 @@ struct ip_fw {
     					/* count of 0 means match all ports) */
 #define IP_FW_MAX_PORTS	10      	/* A reasonable maximum */
     u_short fw_pts[IP_FW_MAX_PORTS];    /* Array of port numbers to match */
-    u_long fw_pcnt,fw_bcnt;		/* Packet and byte counters */
     u_char fw_ipopt,fw_ipnopt;		/* IP options set/unset */
     u_char fw_tcpf,fw_tcpnf;		/* TCP flags sen/unset */
 };
 
-
-/*
- * Definitions to make expressions
- * for "via" stuff shorter.
- */
-#define fw_via_ip	fu_via_un.fu_via_ip
-#define fw_via_name	fu_via_un.fu_via_if.fu_via_name
-#define fw_via_unit	fu_via_un.fu_via_if.fu_via_unit
+struct ip_fw_chain {
+        LIST_ENTRY(ip_fw_chain) chain;
+        struct ip_fw    *rule;
+};
 
 /*
  * Values for "flags" field .
  */
 
-#define IP_FW_F_ALL	0x000	/* This is a universal packet firewall*/
-#define IP_FW_F_TCP	0x001	/* This is a TCP packet firewall      */
-#define IP_FW_F_UDP	0x002	/* This is a UDP packet firewall      */
-#define IP_FW_F_ICMP	0x003	/* This is a ICMP packet firewall     */
-#define IP_FW_F_KIND	0x003	/* Mask to isolate firewall kind      */
-#define IP_FW_F_ACCEPT	0x004	/* This is an accept firewall (as     *
-				 *         opposed to a deny firewall)*
-				 *                                    */
-#define IP_FW_F_SRNG	0x008	/* The first two src ports are a min  *
+#define IP_FW_F_ALL	0x000	/* This is a universal packet rule    */
+#define IP_FW_F_TCP	0x001	/* This is a TCP packet rule          */
+#define IP_FW_F_UDP	0x002	/* This is a UDP packet rule          */
+#define IP_FW_F_ICMP	0x003	/* This is a ICMP packet rule         */
+#define IP_FW_F_KIND	0x003	/* Mask to isolate rule kind          */
+
+#define IP_FW_F_ACCEPT	0x004	/* This is an accept rule	      */
+#define IP_FW_F_PRN	0x008	/* Print if this rule matches	      */
+#define IP_FW_F_ICMPRPL	0x010	/* Send back icmp unreachable packet  */
+				 
+#define IP_FW_F_SRNG	0x020	/* The first two src ports are a min  *
 				 * and max range (stored in host byte *
-				 * order).                            *
-				 *                                    */
-#define IP_FW_F_DRNG	0x010	/* The first two dst ports are a min  *
+				 * order).                            */
+
+#define IP_FW_F_DRNG	0x040	/* The first two dst ports are a min  *
 				 * and max range (stored in host byte *
-				 * order).                            *
-				 * (ports[0] <= port <= ports[1])     *
-				 *                                    */
-#define IP_FW_F_PRN	0x020	/* In verbose mode print this firewall*/
-#define IP_FW_F_BIDIR	0x040	/* For accounting-count two way       */
-#define IP_FW_F_ICMPRPL	0x100	/* Send back icmp unreachable packet  */
-#define IP_FW_F_IFNAME	0x200	/* Use interface name/unit (not IP)   */
-#define IP_FW_F_MASK	0x3FF	/* All possible flag bits mask        */
+				 * order).                            */
+
+#define IP_FW_F_IFNAME	0x080	/* Use interface name/unit (not IP)   */
+
+#define IP_FW_F_MASK	0x0FF	/* All possible flag bits mask        */
 
 /*
  * Definitions for IP option names.
@@ -110,18 +103,12 @@ struct ip_fw {
 /*
  * New IP firewall options for [gs]etsockopt at the RAW IP level.
  */
-#define IP_FW_BASE_CTL	53
+#define IP_FW_BASE_CTL	50
 
-#define IP_FW_ADD     (IP_FW_BASE_CTL)
-#define IP_FW_DEL     (IP_FW_BASE_CTL+4)
-#define IP_FW_FLUSH   (IP_FW_BASE_CTL+6)
-#define IP_FW_POLICY  (IP_FW_BASE_CTL+7)
-
-#define IP_ACCT_ADD   (IP_FW_BASE_CTL+10)
-#define IP_ACCT_DEL   (IP_FW_BASE_CTL+11)
-#define IP_ACCT_FLUSH (IP_FW_BASE_CTL+12)
-#define IP_ACCT_ZERO  (IP_FW_BASE_CTL+13)
-#define IP_ACCT_CLR   (IP_FW_BASE_CTL+14)
+#define IP_FW_ADD     (IP_FW_BASE_CTL+0)
+#define IP_FW_DEL     (IP_FW_BASE_CTL+1)
+#define IP_FW_FLUSH   (IP_FW_BASE_CTL+2)
+#define IP_FW_ZERO    (IP_FW_BASE_CTL+3)
 
 /*
  * Policy flags...
@@ -137,31 +124,16 @@ struct ip_fw {
  */
 #ifdef KERNEL
 
-/*
- * Variables/chain.
- */
-extern struct  ip_fw *ip_fw_chain;
-extern u_short ip_fw_policy;
-
-extern struct  ip_fw *ip_acct_chain;
-
 /*
  * Function pointers.
  */
-extern int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *,struct ip_fw *);
+extern int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *, int dir);
 extern int (*ip_fw_ctl_ptr)(int,struct mbuf *);
 
-extern void (*ip_acct_cnt_ptr)(struct ip *,struct ifnet *,struct ip_fw *,int);
-extern int  (*ip_acct_ctl_ptr)(int,struct mbuf *);
-
 /*
  * Function definitions.
  */
-int ip_fw_chk(struct mbuf *, struct ip *,struct ifnet *,struct ip_fw *);
-int ip_fw_ctl(int,struct mbuf *);
-
-void ip_acct_cnt(struct ip *,struct ifnet *,struct ip_fw *,int);
-int  ip_acct_ctl(int,struct mbuf *);
+void ip_fw_init(void);
 
 #endif /* KERNEL */
 

sys/netinet/ip_input.c

@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.34 1996/01/05 20:46:53 wollman Exp $
+ * $Id: ip_input.c,v 1.35 1996/02/05 20:36:02 wollman Exp $
  */
 
 #include <sys/param.h>
@@ -105,6 +105,24 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
 	&ip_mtu, 0, "");
 #endif
 
+/*
+ * The dummy IP-firewall function, and the pointer we access it through
+ */
+static int 
+dummy_ip_fw_chk(m, ip, rif, dir)
+	struct mbuf *m;
+	struct ip *ip;
+	struct ifnet *rif;
+	int dir;
+{
+	return 1;
+}
+
+int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *, struct ifnet *, int dir) = 
+	dummy_ip_fw_chk;
+
+int (*ip_fw_ctl_ptr)(int, struct mbuf *);
+
 /*
  * We need to save the IP options in case a protocol wants to respond
  * to an incoming packet over the same route if the packet got here
@@ -248,10 +266,8 @@ ip_input(struct mbuf *m)
 	 * - Encapsulate: put it in another IP and send out. <unimp.>
  	 */
 
-        if (ip_fw_chk_ptr!=NULL)
-               if (!(*ip_fw_chk_ptr)(m,ip,m->m_pkthdr.rcvif,ip_fw_chain) ) {
-		       return;
-               }
+	if (!(*ip_fw_chk_ptr)(m,ip,m->m_pkthdr.rcvif,0)) 
+	       return;
 
 	/*
 	 * Process options and, if not destined for us,
@@ -364,16 +380,6 @@ ip_input(struct mbuf *m)
 
 ours:
 
-		/*
-		 * If packet came to us we count it...
-		 * This way we count all incoming packets which has 
-		 * not been forwarded...
-		 * Do not convert ip_len to host byte order when 
-		 * counting,ppl already made it for us before..
-		 */
-	if (ip_acct_cnt_ptr!=NULL)
-		(*ip_acct_cnt_ptr)(ip,m->m_pkthdr.rcvif,ip_acct_chain,0);
-
 	/*
 	 * If offset or IP_MF are set, must reassemble.
 	 * Otherwise, nothing need be done.

sys/netinet/ip_output.c

@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ip_output.c	8.3 (Berkeley) 1/21/94
- *	$Id: ip_output.c,v 1.27 1995/12/19 21:24:19 wollman Exp $
+ *	$Id: ip_output.c,v 1.28 1996/02/22 21:32:23 peter Exp $
  */
 
 #include <sys/param.h>
@@ -336,6 +336,14 @@ ip_output(m0, opt, ro, flags, imo)
 		m->m_flags &= ~M_BCAST;
 
 sendit:
+	/*
+	 * Check with the firewall...
+	 */
+	if (!(*ip_fw_chk_ptr)(m,ip,ifp,1)) {
+		error = 0;
+		goto done;
+	}
+
 	/*
 	 * If small enough for interface, can just send directly.
 	 */
@@ -454,16 +462,6 @@ ip_output(m0, opt, ro, flags, imo)
 done:
 	if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt)
 		RTFREE(ro->ro_rt);
-	/*
-	 * Count outgoing packet,here we count both our packets and
-	 * those we forward.
-	 * Here we want to convert ip_len to host byte order when counting
-	 * so we set 3rd arg to 1.
-	 * This is locally generated packet so it has not
-	 * incoming interface.
-	 */
-	if (ip_acct_cnt_ptr!=NULL)
-		(*ip_acct_cnt_ptr)(ip,NULL,ip_acct_chain,1);
 
 	return (error);
 bad:

sys/netinet/raw_ip.c

@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)raw_ip.c	8.7 (Berkeley) 5/15/95
- *	$Id: raw_ip.c,v 1.24 1995/11/14 20:34:23 phk Exp $
+ *	$Id: raw_ip.c,v 1.25 1995/12/09 20:43:53 phk Exp $
  */
 
 #include <sys/param.h>
@@ -221,7 +221,7 @@ rip_ctloutput(op, so, level, optname, m)
 	case IP_FW_ADD:
 	case IP_FW_DEL:
 	case IP_FW_FLUSH:
-	case IP_FW_POLICY:
+	case IP_FW_ZERO:
 		if (ip_fw_ctl_ptr==NULL) {
 			if (*m)
 				(void)m_free(*m);
@@ -237,26 +237,6 @@ rip_ctloutput(op, so, level, optname, m)
 			error=EINVAL;
 		return(error);
 
-	case IP_ACCT_DEL:
-	case IP_ACCT_ADD:
-	case IP_ACCT_CLR:
-	case IP_ACCT_FLUSH:
-	case IP_ACCT_ZERO: 
-		if (ip_acct_ctl_ptr==NULL) {
-			if (*m)
-				(void)m_free(*m);
-			return(EINVAL);
-		}
-	
-		if (op == PRCO_SETOPT) {
-			error=(*ip_acct_ctl_ptr)(optname, *m);
-			if (*m)
-				(void)m_free(*m);
-		}
-		else
-			error=EINVAL;
-		return(error);
-
 	case IP_RSVP_ON:
 		return ip_rsvp_init(so);
 		break;