4 * Copyright (C) 1995-1998 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
8 #if defined(KERNEL) || defined(_KERNEL)
14 #include <sys/errno.h>
15 #include <sys/types.h>
16 #include <sys/param.h>
18 #if !defined(_KERNEL) && !defined(__KERNEL__)
31 # include <sys/systm.h>
32 # if !defined(__SVR4) && !defined(__svr4__)
33 # include <sys/mbuf.h>
36 #if defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
37 # include <sys/proc.h>
39 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
40 # include <sys/filio.h>
41 # include <sys/fcntl.h>
42 # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
43 # include "opt_ipfilter.h"
46 # include <sys/ioctl.h>
50 # include <sys/protosw.h>
52 #include <sys/socket.h>
53 #if defined(__SVR4) || defined(__svr4__)
54 # include <sys/filio.h>
55 # include <sys/byteorder.h>
57 # include <sys/dditypes.h>
59 # include <sys/stream.h>
60 # include <sys/kmem.h>
67 #include <net/route.h>
68 #include <netinet/in.h>
69 #include <netinet/in_systm.h>
70 #include <netinet/ip.h>
71 #include <netinet/tcp.h>
73 # include <netinet/ip_var.h>
75 #if !defined(__hpux) && !defined(linux)
76 # include <netinet/tcp_fsm.h>
78 #include <netinet/udp.h>
79 #include <netinet/ip_icmp.h>
80 #include "netinet/ip_compat.h"
81 #include <netinet/tcpip.h>
82 #include "netinet/ip_fil.h"
83 #include "netinet/ip_nat.h"
84 #include "netinet/ip_frag.h"
85 #include "netinet/ip_state.h"
86 #include "netinet/ip_proxy.h"
87 #include "netinet/ip_sync.h"
89 #include <netinet/icmp6.h>
91 #if (__FreeBSD_version >= 300000)
92 # include <sys/malloc.h>
93 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
94 # include <sys/libkern.h>
95 # include <sys/systm.h>
101 static const char rcsid[] = "@(#)Id: ip_sync.c,v 2.40.2.3 2005/02/18 13:06:29 darrenr Exp";
104 #define SYNC_STATETABSZ 256
105 #define SYNC_NATTABSZ 256
108 ipfmutex_t ipf_syncadd, ipsl_mutex;
109 ipfrwlock_t ipf_syncstate, ipf_syncnat;
110 #if SOLARIS && defined(_KERNEL)
113 synclist_t *syncstatetab[SYNC_STATETABSZ];
114 synclist_t *syncnattab[SYNC_NATTABSZ];
115 synclogent_t synclog[SYNCLOG_SZ];
116 syncupdent_t syncupd[SYNCLOG_SZ];
117 u_int ipf_syncnum = 1;
118 u_int ipf_syncwrap = 0;
119 u_int sl_idx = 0, /* next available sync log entry */
120 su_idx = 0, /* next available sync update entry */
121 sl_tail = 0, /* next sync log entry to read */
122 su_tail = 0; /* next sync update entry to read */
123 int ipf_sync_debug = 0;
126 # if !defined(sparc) && !defined(__hppa)
127 void ipfsync_tcporder __P((int, struct tcpdata *));
128 void ipfsync_natorder __P((int, struct nat *));
129 void ipfsync_storder __P((int, struct ipstate *));
133 /* ------------------------------------------------------------------------ */
134 /* Function: ipfsync_init */
135 /* Returns: int - 0 == success, -1 == failure */
136 /* Parameters: Nil */
138 /* Initialise all of the locks required for the sync code and initialise */
139 /* any data structures, as required. */
140 /* ------------------------------------------------------------------------ */
143 RWLOCK_INIT(&ipf_syncstate, "add things to state sync table");
144 RWLOCK_INIT(&ipf_syncnat, "add things to nat sync table");
145 MUTEX_INIT(&ipf_syncadd, "add things to sync table");
146 MUTEX_INIT(&ipsl_mutex, "add things to sync table");
147 # if SOLARIS && defined(_KERNEL)
148 cv_init(&ipslwait, "ipsl condvar", CV_DRIVER, NULL);
151 bzero((char *)syncnattab, sizeof(syncnattab));
152 bzero((char *)syncstatetab, sizeof(syncstatetab));
158 # if !defined(sparc) && !defined(__hppa)
159 /* ------------------------------------------------------------------------ */
160 /* Function: ipfsync_tcporder */
162 /* Parameters: way(I) - direction of byte order conversion. */
163 /* td(IO) - pointer to data to be converted. */
165 /* Do byte swapping on values in the TCP state information structure that */
166 /* need to be used at both ends by the host in their native byte order. */
167 /* ------------------------------------------------------------------------ */
168 void ipfsync_tcporder(way, td)
173 td->td_maxwin = htons(td->td_maxwin);
174 td->td_end = htonl(td->td_end);
175 td->td_maxend = htonl(td->td_maxend);
177 td->td_maxwin = ntohs(td->td_maxwin);
178 td->td_end = ntohl(td->td_end);
179 td->td_maxend = ntohl(td->td_maxend);
184 /* ------------------------------------------------------------------------ */
185 /* Function: ipfsync_natorder */
187 /* Parameters: way(I) - direction of byte order conversion. */
188 /* nat(IO) - pointer to data to be converted. */
190 /* Do byte swapping on values in the NAT data structure that need to be */
191 /* used at both ends by the host in their native byte order. */
192 /* ------------------------------------------------------------------------ */
193 void ipfsync_natorder(way, n)
198 n->nat_age = htonl(n->nat_age);
199 n->nat_flags = htonl(n->nat_flags);
200 n->nat_ipsumd = htonl(n->nat_ipsumd);
201 n->nat_use = htonl(n->nat_use);
202 n->nat_dir = htonl(n->nat_dir);
204 n->nat_age = ntohl(n->nat_age);
205 n->nat_flags = ntohl(n->nat_flags);
206 n->nat_ipsumd = ntohl(n->nat_ipsumd);
207 n->nat_use = ntohl(n->nat_use);
208 n->nat_dir = ntohl(n->nat_dir);
213 /* ------------------------------------------------------------------------ */
214 /* Function: ipfsync_storder */
216 /* Parameters: way(I) - direction of byte order conversion. */
217 /* ips(IO) - pointer to data to be converted. */
219 /* Do byte swapping on values in the IP state data structure that need to */
220 /* be used at both ends by the host in their native byte order. */
221 /* ------------------------------------------------------------------------ */
222 void ipfsync_storder(way, ips)
226 ipfsync_tcporder(way, &ips->is_tcp.ts_data[0]);
227 ipfsync_tcporder(way, &ips->is_tcp.ts_data[1]);
230 ips->is_hv = htonl(ips->is_hv);
231 ips->is_die = htonl(ips->is_die);
232 ips->is_pass = htonl(ips->is_pass);
233 ips->is_flags = htonl(ips->is_flags);
234 ips->is_opt = htonl(ips->is_opt);
235 ips->is_optmsk = htonl(ips->is_optmsk);
236 ips->is_sec = htons(ips->is_sec);
237 ips->is_secmsk = htons(ips->is_secmsk);
238 ips->is_auth = htons(ips->is_auth);
239 ips->is_authmsk = htons(ips->is_authmsk);
240 ips->is_s0[0] = htonl(ips->is_s0[0]);
241 ips->is_s0[1] = htonl(ips->is_s0[1]);
242 ips->is_smsk[0] = htons(ips->is_smsk[0]);
243 ips->is_smsk[1] = htons(ips->is_smsk[1]);
245 ips->is_hv = ntohl(ips->is_hv);
246 ips->is_die = ntohl(ips->is_die);
247 ips->is_pass = ntohl(ips->is_pass);
248 ips->is_flags = ntohl(ips->is_flags);
249 ips->is_opt = ntohl(ips->is_opt);
250 ips->is_optmsk = ntohl(ips->is_optmsk);
251 ips->is_sec = ntohs(ips->is_sec);
252 ips->is_secmsk = ntohs(ips->is_secmsk);
253 ips->is_auth = ntohs(ips->is_auth);
254 ips->is_authmsk = ntohs(ips->is_authmsk);
255 ips->is_s0[0] = ntohl(ips->is_s0[0]);
256 ips->is_s0[1] = ntohl(ips->is_s0[1]);
257 ips->is_smsk[0] = ntohl(ips->is_smsk[0]);
258 ips->is_smsk[1] = ntohl(ips->is_smsk[1]);
261 # else /* !defined(sparc) && !defined(__hppa) */
262 # define ipfsync_tcporder(x,y)
263 # define ipfsync_natorder(x,y)
264 # define ipfsync_storder(x,y)
265 # endif /* !defined(sparc) && !defined(__hppa) */
267 /* enable this for debugging */
270 /* ------------------------------------------------------------------------ */
271 /* Function: ipfsync_write */
272 /* Returns: int - 0 == success, else error value. */
273 /* Parameters: uio(I) - pointer to information about data to write */
275 /* Moves data from user space into the kernel and uses it for updating data */
276 /* structures in the state/NAT tables. */
277 /* ------------------------------------------------------------------------ */
278 int ipfsync_write(uio)
284 * THIS MUST BE SUFFICIENT LARGE TO STORE
285 * ANY POSSIBLE DATA TYPE
291 # if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
292 uio->uio_rw = UIO_WRITE;
295 /* Try to get bytes */
296 while (uio->uio_resid > 0) {
298 if (uio->uio_resid >= sizeof(sh)) {
300 err = UIOMOVE((caddr_t)&sh, sizeof(sh), UIO_WRITE, uio);
303 if (ipf_sync_debug > 2)
304 printf("uiomove(header) failed: %d\n",
309 /* convert to host order */
310 sh.sm_magic = ntohl(sh.sm_magic);
311 sh.sm_len = ntohl(sh.sm_len);
312 sh.sm_num = ntohl(sh.sm_num);
314 if (ipf_sync_debug > 8)
315 printf("[%d] Read v:%d p:%d cmd:%d table:%d rev:%d len:%d magic:%x\n",
316 sh.sm_num, sh.sm_v, sh.sm_p, sh.sm_cmd,
317 sh.sm_table, sh.sm_rev, sh.sm_len,
320 if (sh.sm_magic != SYNHDRMAGIC) {
321 if (ipf_sync_debug > 2)
322 printf("uiomove(header) invalud %s\n",
327 if (sh.sm_v != 4 && sh.sm_v != 6) {
328 if (ipf_sync_debug > 2)
329 printf("uiomove(header) invalid %s\n",
334 if (sh.sm_cmd > SMC_MAXCMD) {
335 if (ipf_sync_debug > 2)
336 printf("uiomove(header) invalid %s\n",
342 if (sh.sm_table > SMC_MAXTBL) {
343 if (ipf_sync_debug > 2)
344 printf("uiomove(header) invalid %s\n",
350 /* unsufficient data, wait until next call */
351 if (ipf_sync_debug > 2)
352 printf("uiomove(header) insufficient data");
358 * We have a header, so try to read the amount of data
359 * needed for the request
363 if (sh.sm_len == 0) {
364 if (ipf_sync_debug > 2)
365 printf("uiomove(data zero length %s\n",
370 if (uio->uio_resid >= sh.sm_len) {
372 err = UIOMOVE((caddr_t)data, sh.sm_len, UIO_WRITE, uio);
375 if (ipf_sync_debug > 2)
376 printf("uiomove(data) failed: %d\n",
381 if (ipf_sync_debug > 7)
382 printf("uiomove(data) %d bytes read\n",
385 if (sh.sm_table == SMC_STATE)
386 err = ipfsync_state(&sh, data);
387 else if (sh.sm_table == SMC_NAT)
388 err = ipfsync_nat(&sh, data);
389 if (ipf_sync_debug > 7)
390 printf("[%d] Finished with error %d\n",
394 /* insufficient data, wait until next call */
395 if (ipf_sync_debug > 2)
396 printf("uiomove(data) %s %d bytes, got %d\n",
397 "insufficient data, need",
398 sh.sm_len, uio->uio_resid);
408 /* ------------------------------------------------------------------------ */
409 /* Function: ipfsync_read */
410 /* Returns: int - 0 == success, else error value. */
411 /* Parameters: uio(O) - pointer to information about where to store data */
413 /* This function is called when a user program wants to read some data */
414 /* for pending state/NAT updates. If no data is available, the caller is */
415 /* put to sleep, pending a wakeup from the "lower half" of this code. */
416 /* ------------------------------------------------------------------------ */
417 int ipfsync_read(uio)
424 if ((uio->uio_resid & 3) || (uio->uio_resid < 8))
427 # if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
428 uio->uio_rw = UIO_READ;
431 MUTEX_ENTER(&ipsl_mutex);
432 while ((sl_tail == sl_idx) && (su_tail == su_idx)) {
433 # if SOLARIS && defined(_KERNEL)
434 if (!cv_wait_sig(&ipslwait, &ipsl_mutex)) {
435 MUTEX_EXIT(&ipsl_mutex);
443 l = get_sleep_lock(&sl_tail);
444 err = sleep(&sl_tail, PZERO+1);
449 err = mpsleep(&sl_tail, PSUSP|PCATCH, "ipl sleep", 0,
450 &ipsl_mutex, MS_LOCK_SIMPLE);
452 MUTEX_EXIT(&ipsl_mutex);
453 err = SLEEP(&sl_tail, "ipl sleep");
454 # endif /* __osf__ */
457 MUTEX_EXIT(&ipsl_mutex);
460 # endif /* SOLARIS */
462 MUTEX_EXIT(&ipsl_mutex);
464 READ_ENTER(&ipf_syncstate);
465 while ((sl_tail < sl_idx) && (uio->uio_resid > sizeof(*sl))) {
466 sl = synclog + sl_tail++;
467 err = UIOMOVE((caddr_t)sl, sizeof(*sl), UIO_READ, uio);
472 while ((su_tail < su_idx) && (uio->uio_resid > sizeof(*su))) {
473 su = syncupd + su_tail;
475 err = UIOMOVE((caddr_t)su, sizeof(*su), UIO_READ, uio);
478 if (su->sup_hdr.sm_sl != NULL)
479 su->sup_hdr.sm_sl->sl_idx = -1;
482 MUTEX_ENTER(&ipf_syncadd);
483 if (su_tail == su_idx)
484 su_tail = su_idx = 0;
485 if (sl_tail == sl_idx)
486 sl_tail = sl_idx = 0;
487 MUTEX_EXIT(&ipf_syncadd);
488 RWLOCK_EXIT(&ipf_syncstate);
493 /* ------------------------------------------------------------------------ */
494 /* Function: ipfsync_state */
495 /* Returns: int - 0 == success, else error value. */
496 /* Parameters: sp(I) - pointer to sync packet data header */
497 /* uio(I) - pointer to user data for further information */
499 /* Updates the state table according to information passed in the sync */
500 /* header. As required, more data is fetched from the uio structure but */
501 /* varies depending on the contents of the sync header. This function can */
502 /* create a new state entry or update one. Deletion is left to the state */
503 /* structures being timed out correctly. */
504 /* ------------------------------------------------------------------------ */
505 int ipfsync_state(sp, data)
516 hv = sp->sm_num & (SYNC_STATETABSZ - 1);
522 bcopy(data, &sn, sizeof(sn));
523 KMALLOC(is, ipstate_t *);
529 KMALLOC(sl, synclist_t *);
536 bzero((char *)is, offsetof(ipstate_t, is_die));
537 bcopy((char *)&sn.is_die, (char *)&is->is_die,
538 sizeof(*is) - offsetof(ipstate_t, is_die));
539 ipfsync_storder(0, is);
542 * We need to find the same rule on the slave as was used on
543 * the master to create this state entry.
545 READ_ENTER(&ipf_mutex);
546 fr = fr_getrulen(IPL_LOGIPF, sn.is_group, sn.is_rulen);
548 MUTEX_ENTER(&fr->fr_lock);
551 MUTEX_EXIT(&fr->fr_lock);
553 RWLOCK_EXIT(&ipf_mutex);
555 if (ipf_sync_debug > 4)
556 printf("[%d] Filter rules = %p\n", sp->sm_num, fr);
563 bcopy(sp, &sl->sl_hdr, sizeof(struct synchdr));
565 WRITE_ENTER(&ipf_syncstate);
566 WRITE_ENTER(&ipf_state);
568 sl->sl_pnext = syncstatetab + hv;
569 sl->sl_next = syncstatetab[hv];
570 if (syncstatetab[hv] != NULL)
571 syncstatetab[hv]->sl_pnext = &sl->sl_next;
572 syncstatetab[hv] = sl;
573 MUTEX_DOWNGRADE(&ipf_syncstate);
574 fr_stinsert(is, sp->sm_rev);
576 * Do not initialise the interface pointers for the state
577 * entry as the full complement of interface names may not
580 * Put this state entry on its timeout queue.
582 /*fr_setstatequeue(is, sp->sm_rev);*/
586 bcopy(data, &su, sizeof(su));
588 if (ipf_sync_debug > 4)
589 printf("[%d] Update age %lu state %d/%d \n",
590 sp->sm_num, su.stu_age, su.stu_state[0],
593 READ_ENTER(&ipf_syncstate);
594 for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next)
595 if (sl->sl_hdr.sm_num == sp->sm_num)
598 if (ipf_sync_debug > 1)
599 printf("[%d] State not found - can't update\n",
601 RWLOCK_EXIT(&ipf_syncstate);
606 READ_ENTER(&ipf_state);
608 if (ipf_sync_debug > 6)
609 printf("[%d] Data from state v:%d p:%d cmd:%d table:%d rev:%d\n",
610 sp->sm_num, sl->sl_hdr.sm_v, sl->sl_hdr.sm_p,
611 sl->sl_hdr.sm_cmd, sl->sl_hdr.sm_table,
616 MUTEX_ENTER(&is->is_lock);
620 /* XXX FV --- shouldn't we do ntohl/htonl???? XXX */
621 is->is_send = su.stu_data[0].td_end;
622 is->is_maxsend = su.stu_data[0].td_maxend;
623 is->is_maxswin = su.stu_data[0].td_maxwin;
624 is->is_state[0] = su.stu_state[0];
625 is->is_dend = su.stu_data[1].td_end;
626 is->is_maxdend = su.stu_data[1].td_maxend;
627 is->is_maxdwin = su.stu_data[1].td_maxwin;
628 is->is_state[1] = su.stu_state[1];
634 if (ipf_sync_debug > 6)
635 printf("[%d] Setting timers for state\n", sp->sm_num);
637 fr_setstatequeue(is, sp->sm_rev);
639 MUTEX_EXIT(&is->is_lock);
648 RWLOCK_EXIT(&ipf_state);
649 RWLOCK_EXIT(&ipf_syncstate);
652 if (ipf_sync_debug > 6)
653 printf("[%d] Update completed with error %d\n",
658 # endif /* _KERNEL */
661 /* ------------------------------------------------------------------------ */
662 /* Function: ipfsync_del */
664 /* Parameters: sl(I) - pointer to synclist object to delete */
666 /* Deletes an object from the synclist table and free's its memory. */
667 /* ------------------------------------------------------------------------ */
671 WRITE_ENTER(&ipf_syncstate);
672 *sl->sl_pnext = sl->sl_next;
673 if (sl->sl_next != NULL)
674 sl->sl_next->sl_pnext = sl->sl_pnext;
675 if (sl->sl_idx != -1)
676 syncupd[sl->sl_idx].sup_hdr.sm_sl = NULL;
677 RWLOCK_EXIT(&ipf_syncstate);
682 /* ------------------------------------------------------------------------ */
683 /* Function: ipfsync_nat */
684 /* Returns: int - 0 == success, else error value. */
685 /* Parameters: sp(I) - pointer to sync packet data header */
686 /* uio(I) - pointer to user data for further information */
688 /* Updates the NAT table according to information passed in the sync */
689 /* header. As required, more data is fetched from the uio structure but */
690 /* varies depending on the contents of the sync header. This function can */
691 /* create a new NAT entry or update one. Deletion is left to the NAT */
692 /* structures being timed out correctly. */
693 /* ------------------------------------------------------------------------ */
694 int ipfsync_nat(sp, data)
705 READ_ENTER(&ipf_syncstate);
710 bcopy(data, &sle, sizeof(sle));
718 KMALLOC(sl, synclist_t *);
725 WRITE_ENTER(&ipf_nat);
727 nat = &sle.sle_un.sleu_ipn;
728 bzero((char *)n, offsetof(nat_t, nat_age));
729 bcopy((char *)&nat->nat_age, (char *)&n->nat_age,
730 sizeof(*n) - offsetof(nat_t, nat_age));
731 ipfsync_natorder(0, n);
736 sl->sl_num = ntohl(sp->sm_num);
737 sl->sl_pnext = syncstatetab + hv;
738 sl->sl_next = syncstatetab[hv];
739 if (syncstatetab[hv] != NULL)
740 syncstatetab[hv]->sl_pnext = &sl->sl_next;
741 syncstatetab[hv] = sl;
742 nat_insert(n, sl->sl_rev);
743 RWLOCK_EXIT(&ipf_nat);
747 bcopy(data, &su, sizeof(su));
749 READ_ENTER(&ipf_syncstate);
750 for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next)
751 if (sl->sl_hdr.sm_num == sp->sm_num)
758 READ_ENTER(&ipf_nat);
762 MUTEX_ENTER(&nat->nat_lock);
763 fr_setnatqueue(nat, sl->sl_rev);
764 MUTEX_EXIT(&nat->nat_lock);
766 RWLOCK_EXIT(&ipf_nat);
775 RWLOCK_EXIT(&ipf_syncstate);
780 /* ------------------------------------------------------------------------ */
781 /* Function: ipfsync_new */
782 /* Returns: synclist_t* - NULL == failure, else pointer to new synclist */
783 /* data structure. */
784 /* Parameters: tab(I) - type of synclist_t to create */
785 /* fin(I) - pointer to packet information */
786 /* ptr(I) - pointer to owning object */
788 /* Creates a new sync table entry and notifies any sleepers that it's there */
789 /* waiting to be processed. */
790 /* ------------------------------------------------------------------------ */
791 synclist_t *ipfsync_new(tab, fin, ptr)
800 if (sl_idx == SYNCLOG_SZ)
802 KMALLOC(sl, synclist_t *);
806 MUTEX_ENTER(&ipf_syncadd);
808 * Get a unique number for this synclist_t. The number is only meant
809 * to be unique for the lifetime of the structure and may be reused
813 if (ipf_syncnum == 0) {
818 hv = ipf_syncnum & (SYNC_STATETABSZ - 1);
819 while (ipf_syncwrap != 0) {
820 for (ss = syncstatetab[hv]; ss; ss = ss->sl_next)
821 if (ss->sl_hdr.sm_num == ipf_syncnum)
826 hv = ipf_syncnum & (SYNC_STATETABSZ - 1);
829 * Use the synch number of the object as the hash key. Should end up
830 * with relatively even distribution over time.
831 * XXX - an attacker could lunch an DoS attack, of sorts, if they are
832 * the only one causing new table entries by only keeping open every
833 * nth connection they make, where n is a value in the interval
834 * [0, SYNC_STATETABSZ-1].
836 sl->sl_pnext = syncstatetab + hv;
837 sl->sl_next = syncstatetab[hv];
838 syncstatetab[hv] = sl;
839 sl->sl_num = ipf_syncnum;
840 MUTEX_EXIT(&ipf_syncadd);
842 sl->sl_magic = htonl(SYNHDRMAGIC);
843 sl->sl_v = fin->fin_v;
844 sl->sl_p = fin->fin_p;
845 sl->sl_cmd = SMC_CREATE;
848 sl->sl_rev = fin->fin_rev;
849 if (tab == SMC_STATE) {
851 sz = sizeof(*sl->sl_ips);
852 } else if (tab == SMC_NAT) {
854 sz = sizeof(*sl->sl_ipn);
862 * Create the log entry to be read by a user daemon. When it has been
863 * finished and put on the queue, send a signal to wakeup any waiters.
865 MUTEX_ENTER(&ipf_syncadd);
866 sle = synclog + sl_idx++;
867 bcopy((char *)&sl->sl_hdr, (char *)&sle->sle_hdr,
868 sizeof(sle->sle_hdr));
869 sle->sle_hdr.sm_num = htonl(sle->sle_hdr.sm_num);
870 sle->sle_hdr.sm_len = htonl(sle->sle_hdr.sm_len);
872 bcopy((char *)ptr, (char *)&sle->sle_un, sz);
873 if (tab == SMC_STATE) {
874 ipfsync_storder(1, &sle->sle_un.sleu_ips);
875 } else if (tab == SMC_NAT) {
876 ipfsync_natorder(1, &sle->sle_un.sleu_ipn);
879 MUTEX_EXIT(&ipf_syncadd);
881 MUTEX_ENTER(&ipsl_mutex);
884 cv_signal(&ipslwait);
886 MUTEX_EXIT(&ipsl_mutex);
888 MUTEX_EXIT(&ipsl_mutex);
897 /* ------------------------------------------------------------------------ */
898 /* Function: ipfsync_update */
900 /* Parameters: tab(I) - type of synclist_t to create */
901 /* fin(I) - pointer to packet information */
902 /* sl(I) - pointer to synchronisation object */
904 /* For outbound packets, only, create an sync update record for the user */
905 /* process to read. */
906 /* ------------------------------------------------------------------------ */
907 void ipfsync_update(tab, fin, sl)
912 synctcp_update_t *st;
917 if (fin->fin_out == 0 || sl == NULL)
920 WRITE_ENTER(&ipf_syncstate);
921 MUTEX_ENTER(&ipf_syncadd);
922 if (sl->sl_idx == -1) {
923 slu = syncupd + su_idx;
924 sl->sl_idx = su_idx++;
925 bcopy((char *)&sl->sl_hdr, (char *)&slu->sup_hdr,
926 sizeof(slu->sup_hdr));
927 slu->sup_hdr.sm_magic = htonl(SYNHDRMAGIC);
928 slu->sup_hdr.sm_sl = sl;
929 slu->sup_hdr.sm_cmd = SMC_UPDATE;
930 slu->sup_hdr.sm_table = tab;
931 slu->sup_hdr.sm_num = htonl(sl->sl_num);
932 slu->sup_hdr.sm_len = htonl(sizeof(struct synctcp_update));
933 slu->sup_hdr.sm_rev = fin->fin_rev;
935 if (fin->fin_p == IPPROTO_TCP) {
941 slu = syncupd + sl->sl_idx;
942 MUTEX_EXIT(&ipf_syncadd);
943 MUTEX_DOWNGRADE(&ipf_syncstate);
946 * Only TCP has complex timeouts, others just use default timeouts.
947 * For TCP, we only need to track the connection state and window.
949 if (fin->fin_p == IPPROTO_TCP) {
951 if (tab == SMC_STATE) {
953 st->stu_age = htonl(ips->is_die);
954 st->stu_data[0].td_end = ips->is_send;
955 st->stu_data[0].td_maxend = ips->is_maxsend;
956 st->stu_data[0].td_maxwin = ips->is_maxswin;
957 st->stu_state[0] = ips->is_state[0];
958 st->stu_data[1].td_end = ips->is_dend;
959 st->stu_data[1].td_maxend = ips->is_maxdend;
960 st->stu_data[1].td_maxwin = ips->is_maxdwin;
961 st->stu_state[1] = ips->is_state[1];
962 } else if (tab == SMC_NAT) {
964 st->stu_age = htonl(nat->nat_age);
967 RWLOCK_EXIT(&ipf_syncstate);
969 MUTEX_ENTER(&ipsl_mutex);
972 cv_signal(&ipslwait);
974 MUTEX_EXIT(&ipsl_mutex);
976 MUTEX_EXIT(&ipsl_mutex);
984 /* ------------------------------------------------------------------------ */
985 /* Function: fr_sync_ioctl */
986 /* Returns: int - 0 == success, != 0 == failure */
987 /* Parameters: data(I) - pointer to ioctl data */
988 /* cmd(I) - ioctl command integer */
989 /* mode(I) - file mode bits used with open */
991 /* This function currently does not handle any ioctls and so just returns */
992 /* EINVAL on all occasions. */
993 /* ------------------------------------------------------------------------ */
994 int fr_sync_ioctl(data, cmd, mode)
1001 #endif /* IPFILTER_SYNC */
projects / FreeBSD / FreeBSD.git / blob