Source-Changes-HG archive


[src/netbsd-1-4]: src/sys/netinet Pull up revision 1.28 (requested by darrenr):



details:   https://anonhg.NetBSD.org/src/rev/40528166b3c5
branches:  netbsd-1-4
changeset: 469949:40528166b3c5
user:      he <he%NetBSD.org@localhost>
date:      Mon Dec 20 21:07:46 1999 +0000

description:
Pull up revision 1.28 (requested by darrenr):
  Update IPF to version 3.3.5.

diffstat:

 sys/netinet/fil.c |  660 +++++++++++++++++++++++++++++++++++------------------
 1 files changed, 434 insertions(+), 226 deletions(-)

diffs (truncated from 1124 to 300 lines):

diff -r d576a9adcad8 -r 40528166b3c5 sys/netinet/fil.c
--- a/sys/netinet/fil.c Mon Dec 20 21:07:41 1999 +0000
+++ b/sys/netinet/fil.c Mon Dec 20 21:07:46 1999 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: fil.c,v 1.27 1999/02/02 19:57:30 cjs Exp $     */
+/*     $NetBSD: fil.c,v 1.27.2.1 1999/12/20 21:07:46 he Exp $  */
 
 /*
  * Copyright (C) 1993-1998 by Darren Reed.
@@ -9,10 +9,10 @@
  */
 #if !defined(lint)
 #if defined(__NetBSD__)
-static const char rcsid[] = "$NetBSD: fil.c,v 1.27 1999/02/02 19:57:30 cjs Exp $";
+static const char rcsid[] = "$NetBSD: fil.c,v 1.27.2.1 1999/12/20 21:07:46 he Exp $";
 #else
 static const char sccsid[] = "@(#)fil.c        1.36 6/5/96 (C) 1993-1996 Darren Reed";
-static const char rcsid[] = "@(#)Id: fil.c,v 2.0.2.41.2.27 1998/11/22 01:50:15 darrenr Exp ";
+static const char rcsid[] = "@(#)Id: fil.c,v 2.3.2.14 1999/12/07 12:53:40 darrenr Exp";
 #endif
 #endif
 
@@ -21,7 +21,13 @@
 #include <sys/param.h>
 #include <sys/time.h>
 #include <sys/file.h>
-#include <sys/ioctl.h>
+#if defined(KERNEL) && defined(__FreeBSD_version) && \
+    (__FreeBSD_version >= 220000)
+# include <sys/filio.h>
+# include <sys/fcntl.h>
+#else
+# include <sys/ioctl.h>
+#endif
 #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
 # include <sys/systm.h>
 #else
@@ -37,9 +43,9 @@
 #else
 # include <sys/byteorder.h>
 # if SOLARIS2 < 5
-# include <sys/dditypes.h>
+#  include <sys/dditypes.h>
 # endif
-# include <sys/stream.h>
+#  include <sys/stream.h>
 #endif
 #ifndef linux
 # include <sys/protosw.h>
@@ -56,6 +62,10 @@
 #ifndef linux
 # include <netinet/ip_var.h>
 #endif
+#if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
+# include <sys/hashing.h>
+# include <netinet/in_var.h>
+#endif
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
@@ -67,9 +77,16 @@
 #include "netinet/ip_frag.h"
 #include "netinet/ip_state.h"
 #include "netinet/ip_auth.h"
+# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+#  include <sys/malloc.h>
+#  if defined(_KERNEL) && !defined(IPFILTER_LKM)
+#   include "opt_ipfilter.h"
+#  endif
+# endif
 #ifndef        MIN
-#define        MIN(a,b)        (((a)<(b))?(a):(b))
+# define       MIN(a,b)        (((a)<(b))?(a):(b))
 #endif
+#include "netinet/ipl.h"
 
 #ifndef        _KERNEL
 # include "ipf.h"
@@ -82,14 +99,9 @@
                                                          second; }
 # define       FR_VERBOSE(verb_pr)                     verbose verb_pr
 # define       FR_DEBUG(verb_pr)                       debug verb_pr
-# define       SEND_RESET(ip, qif, if, m)              send_reset(ip, if)
+# define       SEND_RESET(ip, qif, if, m, fin)         send_reset(ip, if)
 # define       IPLLOG(a, c, d, e)              ipllog()
 # define       FR_NEWAUTH(m, fi, ip, qif)      fr_newauth((mb_t *)m, fi, ip)
-# if SOLARIS
-#  define      ICMP_ERROR(b, ip, t, c, if, src)        icmp_error(ip)
-# else
-#  define      ICMP_ERROR(b, ip, t, c, if, src)        icmp_error(b, ip, if)
-# endif
 #else /* #ifndef _KERNEL */
 # define       FR_IFVERBOSE(ex,second,verb_pr) ;
 # define       FR_IFDEBUG(ex,second,verb_pr)   ;
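Review bot: The userland `SEND_RESET` defined in this hunk takes five parameters (`ip, qif, if, m, fin`), while every kernel definition in the next hunk takes four (`ip, qif, if, fin`), so a call site shared by both builds cannot satisfy both. If all callers sit under `#ifdef _KERNEL` (not visible in this truncated diff), the userland macro is dead and could go; otherwise it should read `# define SEND_RESET(ip, qif, if, fin) send_reset(ip, if)`. In the next hunk the linux variant expands to `send_reset(ip, ifp)`, where `ifp` is not a macro parameter and is silently taken from the caller's scope. The closing `# endif /* SOLARIS || __sgi */` there ends a plain `# if SOLARIS`, so the comment should be corrected as well.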
@@ -97,39 +109,25 @@
 # define       FR_DEBUG(verb_pr)
 # define       IPLLOG(a, c, d, e)              ipflog(a, c, d, e)
 # if SOLARIS || defined(__sgi)
-extern KRWLOCK_T       ipf_mutex, ipf_auth;
+extern KRWLOCK_T       ipf_mutex, ipf_auth, ipf_nat;
 extern kmutex_t        ipf_rw;
 # endif
 # if SOLARIS
 #  define      FR_NEWAUTH(m, fi, ip, qif)      fr_newauth((mb_t *)m, fi, \
                                                           ip, qif)
-#  define      SEND_RESET(ip, qif, if)         send_reset(ip, qif)
-#  define      ICMP_ERROR(b, ip, t, c, if, src) \
-                       icmp_error(ip, t, c, if, src)
+#  define      SEND_RESET(ip, qif, if, fin)    send_reset(fin, ip, qif)
+#  define      ICMP_ERROR(b, ip, t, c, if, dst) \
+                       icmp_error(ip, t, c, if, dst)
 # else /* SOLARIS */
 #  define      FR_NEWAUTH(m, fi, ip, qif)      fr_newauth((mb_t *)m, fi, ip)
 #  ifdef linux
-#   define     SEND_RESET(ip, qif, if)         send_reset((tcpiphdr_t *)ip,\
-                                                          ifp)
-#  else
-#   define     SEND_RESET(ip, qif, if)         send_reset((tcpiphdr_t *)ip)
-#  endif
-#  ifdef __sgi
-#   define     ICMP_ERROR(b, ip, t, c, if, src) \
-                       icmp_error(b, t, c, if, src, if)
+#   define     SEND_RESET(ip, qif, if, fin)    send_reset(ip, ifp)
+#   define     ICMP_ERROR(b, ip, t, c, if, dst)        icmp_send(b,t,c,0,if)
 #  else
-#   if BSD < 199103
-#    ifdef linux
-#     define   ICMP_ERROR(b, ip, t, c, if, src)        icmp_send(b,t,c,0,if)
-#    else
-#     define   ICMP_ERROR(b, ip, t, c, if, src) \
-                       icmp_error(mtod(b, ip_t *), t, c, if, src)
-#    endif /* linux */
-#   else
-#    define    ICMP_ERROR(b, ip, t, c, if, src) \
-                       icmp_error(b, t, c, (src).s_addr, if)
-#   endif /* BSD < 199103 */
-#  endif /* __sgi */
+#   define     SEND_RESET(ip, qif, if, fin)    send_reset(fin, ip)
+#   define     ICMP_ERROR(b, ip, t, c, if, dst) \
+               send_icmp_err(ip, t, c, if, dst)
+#  endif /* linux */
 # endif /* SOLARIS || __sgi */
 #endif /* _KERNEL */
 
@@ -144,12 +142,15 @@
 #else
 int    fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
 #endif
+char   ipfilter_version[] = IPL_VERSION;
 
 fr_info_t      frcache[2];
 
-static void    fr_makefrip __P((int, ip_t *, fr_info_t *));
 static int     fr_tcpudpchk __P((frentry_t *, fr_info_t *));
-static int     frflushlist __P((int, int, int *, frentry_t *, frentry_t **));
+static int     frflushlist __P((int, minor_t, int *, frentry_t **));
+#ifdef _KERNEL
+static void    frsynclist __P((frentry_t *));
+#endif
 
 
 /*
@@ -197,7 +198,7 @@
  * compact the IP header into a structure which contains just the info.
  * which is useful for comparing IP headers with.
  */
-static void    fr_makefrip(hlen, ip, fin)
+void   fr_makefrip(hlen, ip, fin)
 int hlen;
 ip_t *ip;
 fr_info_t *fin;
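Review bot: Dropping `static` from the definition here, together with the removal of the file-local prototype in the previous hunk, leaves `fr_makefrip` as an external function whose only visible declaration is this old-style definition. Unless a shared header declares it (none is shown in this diff), callers in other files get no argument checking on a routine that parses packet headers. I would add `extern void fr_makefrip __P((int, ip_t *, fr_info_t *));` to the header those callers include. The function body continues outside the hunk.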
@@ -209,6 +210,7 @@
        int i, mv, ol, off;
        u_char *s, opt;
 
+       fin->fin_rev = 0;
        fin->fin_fr = NULL;
        fin->fin_tcpf = 0;
        fin->fin_data[0] = 0;
@@ -226,8 +228,8 @@
        tcp = (tcphdr_t *)((char *)ip + hlen);
        fin->fin_dp = (void *)tcp;
        (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
-       (*(((u_32_t *)fi) + 1)) = (*(((u_32_t *)ip) + 3));
-       (*(((u_32_t *)fi) + 2)) = (*(((u_32_t *)ip) + 4));
+       fi->fi_src.s_addr = ip->ip_src.s_addr;
+       fi->fi_dst.s_addr = ip->ip_dst.s_addr;
 
        fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
        off = (ip->ip_off & IP_OFFMASK) << 3;
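Review bot: The line kept just above the two new assignments, `(*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));`, still copies by raw offset, which is the pattern the named-field assignments replace. It takes the 16 bits at byte offset 8 of the IP header (TTL and protocol) and stores them at byte offset 2 of `fr_ip_t`, so it depends on that struct's layout, which is not visible here. Either assign those two fields by name too, or add a comment such as `/* copies ip_ttl and ip_p as one 16-bit store; relies on fr_ip_t layout */`. The function starts and ends outside the hunk.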
@@ -276,8 +278,9 @@
        }
 
 
-       for (s = (u_char *)(ip + 1), hlen -= sizeof(*ip); hlen; ) {
-               if (!(opt = *s))
+       for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen; ) {
+               opt = *s;
+               if (opt == '\0')
                        break;
                ol = (opt == IPOPT_NOP) ? 1 : (int)*(s+1);
                if (opt > 1 && (ol < 2 || ol > hlen))
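Review bot: The option length byte `*(s+1)` is read before anything confirms that two bytes of header remain, and the loop condition `hlen;` stops only on exactly zero. With one byte left and an option type other than NOP, the read lands on the first byte past the IP header, and the `ol > hlen` test on the following line runs only afterwards. The header length comes from the packet, so I would make the condition `hlen > 0` and add `if (opt != IPOPT_NOP && hlen < 2) break;` before the `ol` assignment. Whether callers already reject `hlen < sizeof(ip_t)` is not visible here, and the loop body continues outside the hunk.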
@@ -406,7 +409,7 @@
                /*
                 * Match the flags ?  If not, abort this match.
                 */
-               if (fr->fr_tcpf &&
+               if (fr->fr_tcpfm &&
                    fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) {
                        FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
                                 fr->fr_tcpfm, fr->fr_tcpf));
@@ -422,14 +425,15 @@
  * kernel sauce.
  */
 int fr_scanlist(pass, ip, fin, m)
-int pass;
+u_32_t pass;
 ip_t *ip;
 register fr_info_t *fin;
 void *m;
 {
        register struct frentry *fr;
        register fr_ip_t *fi = &fin->fin_fi;
-       int rulen, portcmp = 0, off, skip = 0;
+       int rulen, portcmp = 0, off, skip = 0, logged = 0;
+       u_32_t passt;
 
        fr = fin->fin_fr;
        fin->fin_fr = NULL;
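Review bot: `pass` becomes `u_32_t` and gains a `u_32_t` companion `passt`, but `fr_scanlist` is still defined as returning `int`. The context of the following hunk ORs `fi->fi_fl << 24` into `pass`, so the top bit can be set; converting that value back to `int` is implementation-defined, and a caller using a signed comparison would misread it. If the flag word is what the function returns (the return statement is outside this hunk), the definition should read `u_32_t fr_scanlist(pass, ip, fin, m)`, with the prototype changed to match.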
@@ -438,7 +442,7 @@
        off = ip->ip_off & IP_OFFMASK;
        pass |= (fi->fi_fl << 24);
 
-        if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
+       if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
                portcmp = 1;
 
        for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
@@ -453,8 +457,16 @@
                 * check that we are working for the right interface
                 */
 #ifdef _KERNEL
-               if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
-                       continue;
+# if BSD >= 199306
+               if (fin->fin_out != 0) {
+                       if ((fr->fr_oifa &&
+                            fr->fr_oifa != ((mb_t *)m)->m_pkthdr.rcvif) ||
+                           (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp))
+                               continue;
+               } else
+# endif
+                       if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
+                               continue;
 #else
                if (opts & (OPT_VERBOSE|OPT_DEBUG))
                        printf("\n");
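Review bot: The outbound branch dereferences `((mb_t *)m)->m_pkthdr.rcvif` although `m` arrives as a bare `void *`, and nothing in the hunk checks that it is non-NULL or that the mbuf carries a packet header. A guard such as `m != NULL && (((mb_t *)m)->m_flags & M_PKTHDR)` ahead of the `fr_oifa` comparison would make that assumption explicit. `fr_oifa` is consulted only when `BSD >= 199306` and `fin_out` is non-zero, so on other builds or for inbound packets a rule's second interface is ignored; this deserves a comment here so that rule authors are not surprised. The brace-less `else` that spans the `# endif` is easy to break in a later edit and would be safer with braces in each preprocessor arm.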
@@ -474,10 +486,12 @@
                        i = ((lip[0] & lm[0]) != ld[0]);
                        FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
                                   lip[0], lm[0], ld[0]));
-                       i |= ((lip[1] & lm[1]) != ld[1]) << 21;
+                       i |= ((lip[1] & lm[1]) != ld[1]) << 19;
+                       i ^= (fr->fr_flags & FR_NOTSRCIP);
                        FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
                                   lip[1], lm[1], ld[1]));
-                       i |= ((lip[2] & lm[2]) != ld[2]) << 22;
+                       i |= ((lip[2] & lm[2]) != ld[2]) << 20;
+                       i ^= (fr->fr_flags & FR_NOTDSTIP);
                        FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
                                   lip[2], lm[2], ld[2]));
                        i |= ((lip[3] & lm[3]) != ld[3]);
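Review bot: The shift counts `19` and `20` are bare literals that work only if they equal the bit positions of `FR_NOTSRCIP` and `FR_NOTDSTIP`, because each following `i ^=` relies on the mismatch bit and the negation flag landing on the same bit. If either flag is renumbered, negated source or destination rules would match the wrong packets with no compile-time signal. Writing the test as `i |= ((lip[1] & lm[1]) != ld[1]) ? FR_NOTSRCIP : 0;`, and the same with `FR_NOTDSTIP` for `lip[2]`, removes the coupling. The enclosing block starts and ends outside the hunk.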
@@ -486,7 +500,6 @@
                        i |= ((lip[4] & lm[4]) != ld[4]);
                        FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
                                   lip[4], lm[4], ld[4]));
-                       i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP));
                        if (i)
                                continue;
                }
@@ -516,18 +529,21 @@
                /*
                 * Just log this packet...
                 */
-               if (!(skip = fr->fr_skip))
-                       pass = fr->fr_flags;
-               if ((pass & FR_CALLNOW) && fr->fr_func)
-                       pass = (*fr->fr_func)(pass, ip, fin);
+               passt = fr->fr_flags;
+               if ((passt & FR_CALLNOW) && fr->fr_func)
+                       passt = (*fr->fr_func)(passt, ip, fin);
+               fin->fin_fr = fr;
 #ifdef  IPFILTER_LOG
-               if ((pass & FR_LOGMASK) == FR_LOG) {
-                       if (!IPLLOG(fr->fr_flags, ip, fin, m)) {
+               if ((passt & FR_LOGMASK) == FR_LOG) {
+                       if (!IPLLOG(passt, ip, fin, m)) {
                                ATOMIC_INC(frstats[fin->fin_out].fr_skip);
                        }
                        ATOMIC_INC(frstats[fin->fin_out].fr_pkl);


