4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
9 static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
10 static const char rcsid[] = "@(#)$Id$";
13 #if defined(KERNEL) || defined(_KERNEL)
19 #if defined(__FreeBSD__) && \
20 !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
21 # include "opt_inet6.h"
23 #include <sys/param.h>
24 #include <sys/errno.h>
25 #include <sys/types.h>
27 #include <sys/fcntl.h>
28 #include <sys/filio.h>
30 #include <sys/systm.h>
31 #include <sys/dirent.h>
32 #if defined(__FreeBSD__)
33 # include <sys/jail.h>
35 #include <sys/malloc.h>
37 #include <sys/sockopt.h>
38 #include <sys/socket.h>
39 #include <sys/selinfo.h>
40 #include <netinet/tcp_var.h>
42 #include <net/if_var.h>
43 #include <net/netisr.h>
44 #include <net/route.h>
45 #include <netinet/in.h>
46 #include <netinet/in_fib.h>
47 #include <netinet/in_var.h>
48 #include <netinet/in_systm.h>
49 #include <netinet/ip.h>
50 #include <netinet/ip_var.h>
51 #include <netinet/tcp.h>
53 #include <netinet/udp.h>
54 #include <netinet/tcpip.h>
55 #include <netinet/ip_icmp.h>
56 #include "netinet/ip_compat.h"
58 # include <netinet/icmp6.h>
60 #include "netinet/ip_fil.h"
61 #include "netinet/ip_nat.h"
62 #include "netinet/ip_frag.h"
63 #include "netinet/ip_state.h"
64 #include "netinet/ip_proxy.h"
65 #include "netinet/ip_auth.h"
66 #include "netinet/ip_sync.h"
67 #include "netinet/ip_lookup.h"
68 #include "netinet/ip_dstlist.h"
70 # include "netinet/ip_scan.h"
72 #include "netinet/ip_pool.h"
73 #include <sys/malloc.h>
74 #include <sys/kernel.h>
75 #ifdef CSUM_DATA_VALID
76 # include <machine/in_cksum.h>
78 extern int ip_optcopy(struct ip *, struct ip *);
/* Optional private malloc type so ipfilter allocations are accounted separately. */
80 #ifdef IPFILTER_M_IPFILTER
81 MALLOC_DEFINE(M_IPFILTER, "ipfilter", "IP Filter packet filter data structures");
/* Forward declarations for the static helpers defined later in this file. */
85 static int ipf_send_ip(fr_info_t *, mb_t *);
86 static void ipf_timer_func(void *arg);
/* Per-VNET main softc; V_ipfmain is the curvnet-relative accessor. */
88 VNET_DEFINE(ipf_main_softc_t, ipfmain) = {
91 #define V_ipfmain VNET(ipfmain)
/* Per-VNET event handler tags for interface arrival/departure events. */
96 VNET_DEFINE_STATIC(eventhandler_tag, ipf_arrivetag);
97 VNET_DEFINE_STATIC(eventhandler_tag, ipf_departtag);
98 #define V_ipf_arrivetag VNET(ipf_arrivetag)
99 #define V_ipf_departtag VNET(ipf_departtag)
102 * Disable the "cloner" event handler; we are getting interface
103 * events before the firewall is fully initialized and also no vnet
104 * information thus leading to uninitialised memory accesses.
105 * In addition it is unclear why we need it in the first place.
106 * If it turns out to be needed, we'll need a dedicated event handler
107 * for it to deal with the ifc and the correct vnet.
109 VNET_DEFINE_STATIC(eventhandler_tag, ipf_clonetag);
110 #define V_ipf_clonetag VNET(ipf_clonetag)
/*
 * Interface arrival/departure callback: resynchronise ipfilter's view of
 * interfaces (via ipf_sync) when the filter is running.
 */
113 static void ipf_ifevent(void *arg, struct ifnet *ifp);
/* K&R-style definition; parameter types presumably declared below — not shown here. */
115 static void ipf_ifevent(arg, ifp)
/* Enter the vnet of the interface that generated the event. */
120 CURVNET_SET(ifp->if_vnet);
121 if (V_ipfmain.ipf_running > 0)
122 ipf_sync(&V_ipfmain, NULL);
/*
 * pfil(9) hook for IPv4: adapts the pfil calling convention to ipf_check().
 */
129 ipf_check_wrapper(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
131 struct ip *ip = mtod(*mp, struct ip *);
 * IPFilter expects everything in network byte order
/* Older FreeBSD passed ip_len/ip_off in host order; convert before filtering. */
137 #if (__FreeBSD_version < 1000019)
138 ip->ip_len = htons(ip->ip_len);
139 ip->ip_off = htons(ip->ip_off);
141 CURVNET_SET(ifp->if_vnet);
142 rv = ipf_check(&V_ipfmain, ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT),
/* If the packet survived (rv == 0) restore host byte order for the stack. */
145 #if (__FreeBSD_version < 1000019)
146 if ((rv == 0) && (*mp != NULL)) {
147 ip = mtod(*mp, struct ip *);
148 ip->ip_len = ntohs(ip->ip_len);
149 ip->ip_off = ntohs(ip->ip_off);
156 # include <netinet/ip6.h>
/*
 * pfil(9) hook for IPv6; same adaptation as ipf_check_wrapper() but with a
 * fixed ip6_hdr header length (no byte-order fixups needed for v6).
 */
159 ipf_check_wrapper6(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
163 CURVNET_SET(ifp->if_vnet);
164 error = ipf_check(&V_ipfmain, mtod(*mp, struct ip *),
165 sizeof(struct ip6_hdr), ifp, (dir == PFIL_OUT), mp);
170 #if defined(IPFILTER_LKM)
/* LKM-only: recognise the "ipl" device name (presumably ipf_identify — confirm). */
174 if (strcmp(s, "ipl") == 0)
178 #endif /* IPFILTER_LKM */
/*
 * Periodic timer: drives ipf_slowtimer() (state/frag expiry) while the
 * filter is active, then re-arms itself.  Runs under the global read lock.
 */
185 ipf_main_softc_t *softc = arg;
189 READ_ENTER(&softc->ipf_global);
191 if (softc->ipf_running > 0)
192 ipf_slowtimer(softc);
/* Re-arm only while attaching (-1) or running (1); legacy timeout(9) vs callout(9). */
194 if (softc->ipf_running == -1 || softc->ipf_running == 1) {
196 softc->ipf_slow_ch = timeout(ipf_timer_func, softc, hz/2);
198 callout_init(&softc->ipf_slow_ch, 1);
199 callout_reset(&softc->ipf_slow_ch,
200 (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT,
201 ipf_timer_func, softc);
203 RWLOCK_EXIT(&softc->ipf_global);
/*
 * Attach the filter: initialise all subsystems, mark it running and start
 * the slow timer.  Fails if already running or if ipf_init_all() fails.
 */
210 ipf_main_softc_t *softc;
217 if (softc->ipf_running > 0) {
222 if (ipf_init_all(softc) < 0) {
228 bzero((char *)V_ipfmain.ipf_selwait, sizeof(V_ipfmain.ipf_selwait));
229 softc->ipf_running = 1;
/* Bit 0 of ipf_control_forwarding: also enable IP forwarding — confirm semantics. */
231 if (softc->ipf_control_forwarding & 1)
/* Start the half-second slow timer; timeout(9) on old kernels, callout(9) otherwise. */
236 softc->ipf_slow_ch = timeout(ipf_timer_func, softc,
237 (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
239 callout_init(&softc->ipf_slow_ch, 1);
240 callout_reset(&softc->ipf_slow_ch, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT,
241 ipf_timer_func, softc);
247 * Disable the filter by removing the hooks from the IP input/output
/*
 * Detach: stop the slow timer, optionally turn forwarding back off
 * (control_forwarding bit 1), and mark the softc as fully detached (-2).
 */
252 ipf_main_softc_t *softc;
258 if (softc->ipf_control_forwarding & 2)
/* Cancel whichever timer flavour was armed in ipfattach(). */
264 if (softc->ipf_slow_ch.callout != NULL)
265 untimeout(ipf_timer_func, softc, softc->ipf_slow_ch);
266 bzero(&softc->ipf_slow, sizeof(softc->ipf_slow));
/* callout_drain() waits for a running callout to finish before returning. */
268 callout_drain(&softc->ipf_slow_ch);
272 softc->ipf_running = -2;
281 * Filter ioctl interface.
/*
 * Character-device ioctl entry point.  Validates securelevel, minor unit
 * and running state, records a distinct ipf_interror code for each failure
 * path, then dispatches to ipf_ioctlswitch().
 */
284 ipfioctl(dev, cmd, data, mode, p)
/* Map proc-era field names onto struct thread. */
286 #define p_cred td_ucred
287 #define p_uid td_ucred->cr_ruid
293 int error = 0, unit = 0;
296 CURVNET_SET(TD_TO_VNET(p));
/* At securelevel >= 3 refuse any ioctl opened for writing. */
297 if (securelevel_ge(p->p_cred, 3) && (mode & FWRITE))
299 V_ipfmain.ipf_interror = 130001;
304 unit = GET_MINOR(dev);
305 if ((IPL_LOGMAX < unit) || (unit < 0)) {
306 V_ipfmain.ipf_interror = 130002;
/* While not running, only a small whitelist of ioctls is allowed. */
311 if (V_ipfmain.ipf_running <= 0) {
312 if (unit != IPL_LOGIPF && cmd != SIOCIPFINTERROR) {
313 V_ipfmain.ipf_interror = 130003;
317 if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET &&
318 cmd != SIOCIPFSET && cmd != SIOCFRENB &&
319 cmd != SIOCGETFS && cmd != SIOCGETFF &&
320 cmd != SIOCIPFINTERROR) {
321 V_ipfmain.ipf_interror = 130004;
329 error = ipf_ioctlswitch(&V_ipfmain, unit, data, cmd, mode, p->p_uid, p);
343 * ipf_send_reset - this could conceivably be a call to tcp_respond(), but that
344 * requires a large amount of setting up and isn't any more efficient.
/*
 * Build and transmit a TCP RST in response to the packet described by fin.
 * Handles both IPv4 and IPv6; returns -1 on RST-to-RST (loop prevention).
 */
350 struct tcphdr *tcp, *tcp2;
/* Never answer a RST with a RST. */
359 if (tcp->th_flags & TH_RST)
360 return -1; /* feedback loop */
362 if (ipf_checkl4sum(fin) == -1)
/* Sequence space consumed by the offending segment: data + SYN/FIN flags. */
365 tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
366 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
367 ((tcp->th_flags & TH_FIN) ? 1 : 0);
370 hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
375 MGETHDR(m, M_NOWAIT, MT_HEADER);
377 MGET(m, M_NOWAIT, MT_HEADER);
/* Need a cluster if IP + TCP headers won't fit in a plain mbuf. */
381 if (sizeof(*tcp2) + hlen > MLEN) {
382 if (!(MCLGET(m, M_NOWAIT))) {
388 m->m_len = sizeof(*tcp2) + hlen;
389 m->m_data += max_linkhdr;
390 m->m_pkthdr.len = m->m_len;
391 m->m_pkthdr.rcvif = (struct ifnet *)0;
392 ip = mtod(m, struct ip *);
393 bzero((char *)ip, hlen);
/* Reply swaps source/destination ports. */
397 tcp2 = (struct tcphdr *)((char *)ip + hlen);
398 tcp2->th_sport = tcp->th_dport;
399 tcp2->th_dport = tcp->th_sport;
/* If the packet had ACK set, RST with seq = their ack; else RST|ACK past their data. */
401 if (tcp->th_flags & TH_ACK) {
402 tcp2->th_seq = tcp->th_ack;
403 tcp2->th_flags = TH_RST;
407 tcp2->th_ack = ntohl(tcp->th_seq);
408 tcp2->th_ack += tlen;
409 tcp2->th_ack = htonl(tcp2->th_ack);
410 tcp2->th_flags = TH_RST|TH_ACK;
413 TCP_OFF_A(tcp2, sizeof(*tcp2) >> 2);
414 tcp2->th_win = tcp->th_win;
/* IPv6 reply: mirror flow label, swap addresses, checksum, send. */
419 if (fin->fin_v == 6) {
420 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
421 ip6->ip6_plen = htons(sizeof(struct tcphdr));
422 ip6->ip6_nxt = IPPROTO_TCP;
424 ip6->ip6_src = fin->fin_dst6.in6;
425 ip6->ip6_dst = fin->fin_src6.in6;
426 tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
427 sizeof(*ip6), sizeof(*tcp2));
428 return ipf_send_ip(fin, m);
/* IPv4 reply path. */
431 ip->ip_p = IPPROTO_TCP;
432 ip->ip_len = htons(sizeof(struct tcphdr));
433 ip->ip_src.s_addr = fin->fin_daddr;
434 ip->ip_dst.s_addr = fin->fin_saddr;
435 tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
436 ip->ip_len = htons(hlen + sizeof(*tcp2));
437 return ipf_send_ip(fin, m);
442 * ip_len must be in network byte order when called.
/*
 * Finish off a locally-generated reply packet (from ipf_send_reset /
 * ipf_send_icmp_err): fill in the remaining IP header fields, build a fresh
 * fr_info_t for it, and hand it to ipf_fastroute() for transmission.
 */
453 ip = mtod(m, ip_t *);
454 bzero((char *)&fnew, sizeof(fnew));
455 fnew.fin_main_soft = fin->fin_main_soft;
457 IP_V_A(ip, fin->fin_v);
/* IPv4: inherit tos/id from the original, honour path-MTU discovery via DF. */
464 fnew.fin_p = ip->ip_p;
465 fnew.fin_plen = ntohs(ip->ip_len);
466 IP_HL_A(ip, sizeof(*oip) >> 2);
467 ip->ip_tos = oip->ip_tos;
468 ip->ip_id = fin->fin_ip->ip_id;
469 ip->ip_off = htons(V_path_mtu_discovery ? IP_DF : 0);
470 ip->ip_ttl = V_ip_defttl;
/* IPv6 variant. */
476 ip6_t *ip6 = (ip6_t *)ip;
479 ip6->ip6_hlim = IPDEFTTL;
482 fnew.fin_p = ip6->ip6_nxt;
484 fnew.fin_plen = ntohs(ip6->ip6_plen) + hlen;
492 m->m_pkthdr.rcvif = NULL;
/* Checksums were computed by the caller; tell the filter not to redo them. */
495 fnew.fin_ifp = fin->fin_ifp;
496 fnew.fin_flx = FI_NOCKSUM;
500 fnew.fin_hlen = hlen;
501 fnew.fin_dp = (char *)ip + hlen;
502 (void) ipf_makefrip(hlen, ip, &fnew);
504 return ipf_fastroute(m, &m, &fnew, NULL);
/*
 * Build and send an ICMP (or ICMPv6) error in response to the packet in fin.
 * 'type' is given in ICMPv4 terms and translated to v6 when needed; the
 * original IP header plus up to 8 bytes (v4) / MMTU-bounded data (v6) is
 * quoted in the error.  'dst' selects whether to source from the interface
 * address or the original destination.
 */
509 ipf_send_icmp_err(type, fin, dst)
514 int err, hlen, xtra, iclen, ohlen, avail, code;
/* Reject out-of-range ICMP types up front. */
525 if ((type < 0) || (type >= ICMP_MAXTYPE))
528 code = fin->fin_icode;
530 /* See NetBSD ip_fil_netbsd.c r1.4: */
531 if ((code < 0) || (code >= sizeof(icmptoicmp6unreach)/sizeof(int)))
535 if (ipf_checkl4sum(fin) == -1)
538 MGETHDR(m, M_NOWAIT, MT_HEADER);
540 MGET(m, M_NOWAIT, MT_HEADER);
/* IPv4: never generate an error about certain inbound ICMP messages. */
551 if (fin->fin_v == 4) {
552 if ((fin->fin_p == IPPROTO_ICMP) && !(fin->fin_flx & FI_SHORT))
553 switch (ntohs(fin->fin_data[0]) >> 8)
/* Source the error from the interface's address when requested. */
566 if (ipf_ifpaddr(&V_ipfmain, 4, FRI_NORMAL, ifp,
567 &dst6, NULL) == -1) {
573 dst4.s_addr = fin->fin_daddr;
/* Error payload: original IP header + at most 8 bytes of its data (RFC 792). */
576 ohlen = fin->fin_hlen;
577 iclen = hlen + offsetof(struct icmp, icmp_ip) + ohlen;
578 if (fin->fin_hlen < fin->fin_plen)
579 xtra = MIN(fin->fin_dlen, 8);
/* IPv6: translate type/code tables and bound the quoted data by IPV6_MMTU. */
585 else if (fin->fin_v == 6) {
586 hlen = sizeof(ip6_t);
587 ohlen = sizeof(ip6_t);
588 iclen = hlen + offsetof(struct icmp, icmp_ip) + ohlen;
589 type = icmptoicmp6types[type];
590 if (type == ICMP6_DST_UNREACH)
591 code = icmptoicmp6unreach[code];
593 if (iclen + max_linkhdr + fin->fin_plen > avail) {
594 if (!(MCLGET(m, M_NOWAIT))) {
600 xtra = MIN(fin->fin_plen, avail - iclen - max_linkhdr);
601 xtra = MIN(xtra, IPV6_MMTU - iclen);
603 if (ipf_ifpaddr(&V_ipfmain, 6, FRI_NORMAL, ifp,
604 &dst6, NULL) == -1) {
609 dst6 = fin->fin_dst6;
617 avail -= (max_linkhdr + iclen);
625 m->m_data += max_linkhdr;
626 m->m_pkthdr.rcvif = (struct ifnet *)0;
627 m->m_pkthdr.len = iclen;
629 ip = mtod(m, ip_t *);
630 icmp = (struct icmp *)((char *)ip + hlen);
631 ip2 = (ip_t *)&icmp->icmp_ip;
633 icmp->icmp_type = type;
634 icmp->icmp_code = fin->fin_icode;
635 icmp->icmp_cksum = 0;
/* For "fragmentation needed" include a next-hop MTU hint (RFC 1191). */
637 if (type == ICMP_UNREACH && fin->fin_icode == ICMP_UNREACH_NEEDFRAG) {
638 if (fin->fin_mtu != 0) {
639 icmp->icmp_nextmtu = htons(fin->fin_mtu);
641 } else if (ifp != NULL) {
642 icmp->icmp_nextmtu = htons(GETIFMTU_4(ifp));
644 } else { /* make up a number... */
645 icmp->icmp_nextmtu = htons(fin->fin_plen - 20);
/* Quote the offending packet's header (+ data) into the error body. */
650 bcopy((char *)fin->fin_ip, (char *)ip2, ohlen);
654 if (fin->fin_v == 6) {
655 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
656 ip6->ip6_plen = htons(iclen - hlen);
657 ip6->ip6_nxt = IPPROTO_ICMPV6;
659 ip6->ip6_src = dst6.in6;
660 ip6->ip6_dst = fin->fin_src6.in6;
662 bcopy((char *)fin->fin_ip + ohlen,
663 (char *)&icmp->icmp_ip + ohlen, xtra);
664 icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
665 sizeof(*ip6), iclen - hlen);
669 ip->ip_p = IPPROTO_ICMP;
670 ip->ip_src.s_addr = dst4.s_addr;
671 ip->ip_dst.s_addr = fin->fin_saddr;
674 bcopy((char *)fin->fin_ip + ohlen,
675 (char *)&icmp->icmp_ip + ohlen, xtra);
676 icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
678 ip->ip_len = htons(iclen);
679 ip->ip_p = IPPROTO_ICMP;
681 err = ipf_send_ip(fin, m);
689 * m0 - pointer to mbuf where the IP packet starts
690 * mpp - pointer to the mbuf pointer that is the start of the mbuf chain
/*
 * Route and transmit a packet directly, bypassing the normal IP output
 * path.  Handles "to"/"dup-to"/"fastroute" rule destinations, performs its
 * own route lookup, NAT/state accounting for fastrouted input packets, and
 * its own IP fragmentation when the packet exceeds the interface MTU.
 */
693 ipf_fastroute(m0, mpp, fin, fdp)
698 register struct ip *ip, *mhip;
699 register struct mbuf *m = *mpp;
700 int len, off, error = 0, hlen, code;
701 struct ifnet *ifp, *sifp;
702 struct sockaddr_in dst;
703 struct nhop4_extended nh4;
713 * If the mbuf we're about to send is not writable (because of
714 * a cluster reference, for example) we'll need to make a copy
715 * of it since this routine modifies the contents.
717 * If you have non-crappy network hardware that can transmit data
718 * from the mbuf, rather than making a copy, this is gonna be a
721 if (M_WRITABLE(m) == 0) {
722 m0 = m_dup(m, M_NOWAIT);
/* IPv6: no policy routing support; just hand off to ip6_output(). */
736 if (fin->fin_v == 6) {
738 * currently "to <if>" and "to <if>:ip#" are not supported
741 return ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
745 hlen = fin->fin_hlen;
746 ip = mtod(m0, struct ip *);
752 bzero(&dst, sizeof (dst));
753 dst.sin_family = AF_INET;
754 dst.sin_addr = ip->ip_dst;
755 dst.sin_len = sizeof(dst);
/* Destination-list rules pick a node unless the rule keeps state. */
758 if ((fr != NULL) && !(fr->fr_flags & FR_KEEPSTATE) && (fdp != NULL) &&
759 (fdp->fd_type == FRD_DSTLIST)) {
760 if (ipf_dstlist_select_node(fin, fdp->fd_ptr, NULL, &node) == 0)
769 if ((ifp == NULL) && ((fr == NULL) || !(fr->fr_flags & FR_FASTROUTE))) {
/* An explicit next-hop IP in the rule overrides the packet's destination. */
774 if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
775 dst.sin_addr = fdp->fd_ip;
/* Route lookup in the mbuf's FIB. */
777 fibnum = M_GETFIB(m0);
778 if (fib4_lookup_nh_ext(fibnum, dst.sin_addr, NHR_REF, 0, &nh4) != 0) {
779 if (in_localaddr(ip->ip_dst))
780 error = EHOSTUNREACH;
788 if (nh4.nh_flags & NHF_GATEWAY)
789 dst.sin_addr = nh4.nh_addr;
792 * For input packets which are being "fastrouted", they won't
793 * go back through output filtering and miss their chance to get
794 * NAT'd and counted. Duplicated packets aren't considered to be
795 * part of the normal packet stream, so do not NAT them or pass
796 * them through stateful checking, etc.
798 if ((fdp != &fr->fr_dif) && (fin->fin_out == 0)) {
802 (void) ipf_acctpkt(fin, NULL);
804 if (!fr || !(fr->fr_flags & FR_RETMASK)) {
807 (void) ipf_state_check(fin, &pass);
810 switch (ipf_nat_checkout(fin, NULL))
828 * If small enough for interface, can just send directly.
830 if (ntohs(ip->ip_len) <= ifp->if_mtu) {
832 ip->ip_sum = in_cksum(m, hlen);
833 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)&dst,
839 * Too large for interface; fragment if possible.
840 * Must be able to put at least 8 bytes per fragment.
842 ip_off = ntohs(ip->ip_off);
843 if (ip_off & IP_DF) {
/* Fragment payload size: largest multiple of 8 that fits the MTU. */
847 len = (ifp->if_mtu - hlen) &~ 7;
854 int mhlen, firstlen = len;
855 struct mbuf **mnext = &m->m_act;
858 * Loop through length of segment after first fragment,
859 * make new header and copy data of each part and link onto chain.
862 mhlen = sizeof (struct ip);
863 for (off = hlen + len; off < ntohs(ip->ip_len); off += len) {
865 MGETHDR(m, M_NOWAIT, MT_HEADER);
867 MGET(m, M_NOWAIT, MT_HEADER);
874 m->m_data += max_linkhdr;
875 mhip = mtod(m, struct ip *);
876 bcopy((char *)ip, (char *)mhip, sizeof(*ip));
/* Copy IP options only into fragments that need them. */
877 if (hlen > sizeof (struct ip)) {
878 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
879 IP_HL_A(mhip, mhlen >> 2);
882 mhip->ip_off = ((off - hlen) >> 3) + ip_off;
883 if (off + len >= ntohs(ip->ip_len))
884 len = ntohs(ip->ip_len) - off;
886 mhip->ip_off |= IP_MF;
887 mhip->ip_len = htons((u_short)(len + mhlen));
889 m->m_next = m_copym(m0, off, len, M_NOWAIT);
890 if (m->m_next == 0) {
891 error = ENOBUFS; /* ??? */
894 m->m_pkthdr.len = mhlen + len;
895 m->m_pkthdr.rcvif = NULL;
896 mhip->ip_off = htons((u_short)mhip->ip_off);
898 mhip->ip_sum = in_cksum(m, mhlen);
902 * Update first fragment by trimming what's been copied out
903 * and updating header, then send each fragment (in order).
905 m_adj(m0, hlen + firstlen - ip->ip_len);
906 ip->ip_len = htons((u_short)(hlen + firstlen));
907 ip->ip_off = htons((u_short)IP_MF);
909 ip->ip_sum = in_cksum(m0, hlen);
911 for (m = m0; m; m = m0) {
915 error = (*ifp->if_output)(ifp, m,
916 (struct sockaddr *)&dst,
/* Success/failure counters for fastrouted packets. */
925 V_ipfmain.ipf_frouteok[0]++;
927 V_ipfmain.ipf_frouteok[1]++;
/* On EMSGSIZE, report "fragmentation needed" back to the sender. */
931 if (error == EMSGSIZE) {
933 code = fin->fin_icode;
934 fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
936 (void) ipf_send_icmp_err(ICMP_UNREACH, fin, 1);
938 fin->fin_icode = code;
/*
 * Reverse-path check: true if the route back to the packet's source goes
 * out the interface the packet arrived on.
 */
949 struct nhop4_basic nh4;
951 if (fib4_lookup_nh_basic(0, fin->fin_src, 0, 0, &nh4) != 0)
953 return (fin->fin_ifp == nh4.nh_ifp);
958 * return the first IP Address associated with an interface
/*
 * Walk the interface's address list and return the first usable address of
 * the requested family (v4 or v6) in *inp / *inpmask.  For v6, link-local
 * and loopback addresses are skipped.  atype selects normal, broadcast or
 * peer address.
 */
961 ipf_ifpaddr(softc, v, atype, ifptr, inp, inpmask)
962 ipf_main_softc_t *softc;
965 i6addr_t *inp, *inpmask;
968 struct in6_addr *ia6 = NULL;
970 struct sockaddr *sock, *mask;
971 struct sockaddr_in *sin;
/* Guard against the sentinel "no interface" values. */
975 if ((ifptr == NULL) || (ifptr == (void *)-1))
985 bzero((char *)inp, sizeof(*inp));
987 ifa = CK_STAILQ_FIRST(&ifp->if_addrhead);
989 sock = ifa->ifa_addr;
990 while (sock != NULL && ifa != NULL) {
991 sin = (struct sockaddr_in *)sock;
992 if ((v == 4) && (sin->sin_family == AF_INET))
/* v6: accept only global-scope, non-loopback addresses. */
995 if ((v == 6) && (sin->sin_family == AF_INET6)) {
996 ia6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
997 if (!IN6_IS_ADDR_LINKLOCAL(ia6) &&
998 !IN6_IS_ADDR_LOOPBACK(ia6))
1002 ifa = CK_STAILQ_NEXT(ifa, ifa_link);
1004 sock = ifa->ifa_addr;
1007 if (ifa == NULL || sin == NULL)
1010 mask = ifa->ifa_netmask;
1011 if (atype == FRI_BROADCAST)
1012 sock = ifa->ifa_broadaddr;
1013 else if (atype == FRI_PEERADDR)
1014 sock = ifa->ifa_dstaddr;
/* Fill the caller's i6addr_t via the family-specific helper. */
1021 return ipf_ifpfillv6addr(atype, (struct sockaddr_in6 *)sock,
1022 (struct sockaddr_in6 *)mask,
1026 return ipf_ifpfillv4addr(atype, (struct sockaddr_in *)sock,
1027 (struct sockaddr_in *)mask,
1028 &inp->in4, &inpmask->in4);
/* New TCP initial sequence number drawn from the kernel CSPRNG (presumably ipf_newisn — confirm). */
1037 newiss = arc4random();
/*
 * Validate the IPv4 L3/L4 checksums of the packet in fin, using hardware
 * csum offload flags on the mbuf where available and falling back to a
 * software check (ipf_checkl4sum) otherwise.  Sets fin_cksum and FI_BAD.
 */
1046 #ifdef CSUM_DATA_VALID
/* Skip packets the filter generated itself or that are too short to check. */
1052 if ((fin->fin_flx & FI_NOCKSUM) != 0)
1055 if ((fin->fin_flx & FI_SHORT) != 0)
1058 if (fin->fin_cksum != FI_CK_NEEDED)
1059 return (fin->fin_cksum > FI_CK_NEEDED) ? 0 : -1;
/* Hardware says the IP header checksum was checked but is invalid. */
1068 if ((m->m_pkthdr.csum_flags & (CSUM_IP_CHECKED|CSUM_IP_VALID)) ==
1070 fin->fin_cksum = FI_CK_BAD;
1071 fin->fin_flx |= FI_BAD;
1072 DT2(ipf_fi_bad_checkv4sum_csum_ip_checked, fr_info_t *, fin, u_int, m->m_pkthdr.csum_flags & (CSUM_IP_CHECKED|CSUM_IP_VALID));
1075 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
1076 /* Depending on the driver, UDP may have zero checksum */
1077 if (fin->fin_p == IPPROTO_UDP && (fin->fin_flx &
1078 (FI_FRAG|FI_SHORT|FI_BAD)) == 0) {
1079 udphdr_t *udp = fin->fin_dp;
1080 if (udp->uh_sum == 0) {
1082 * we're good no matter what the hardware
1083 * checksum flags and csum_data say (handling
1084 * of csum_data for zero UDP checksum is not
1085 * consistent across all drivers)
/* Combine the hardware partial sum with the pseudo-header if needed. */
1092 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
1093 sum = m->m_pkthdr.csum_data;
1095 sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
1096 htonl(m->m_pkthdr.csum_data +
1097 fin->fin_dlen + fin->fin_p));
1100 fin->fin_cksum = FI_CK_BAD;
1101 fin->fin_flx |= FI_BAD;
1102 DT2(ipf_fi_bad_checkv4sum_sum, fr_info_t *, fin, u_int, sum);
1104 fin->fin_cksum = FI_CK_SUMOK;
/* Outbound: classify how much checksumming the hardware will do later. */
1108 if (m->m_pkthdr.csum_flags == CSUM_DELAY_DATA) {
1109 fin->fin_cksum = FI_CK_L4FULL;
1111 } else if (m->m_pkthdr.csum_flags == CSUM_TCP ||
1112 m->m_pkthdr.csum_flags == CSUM_UDP) {
1113 fin->fin_cksum = FI_CK_L4PART;
1115 } else if (m->m_pkthdr.csum_flags == CSUM_IP) {
1116 fin->fin_cksum = FI_CK_L4PART;
/* No usable hardware info: verify the L4 checksum in software. */
1124 if (ipf_checkl4sum(fin) == -1) {
1125 fin->fin_flx |= FI_BAD;
1126 DT2(ipf_fi_bad_checkv4sum_manual, fr_info_t *, fin, u_int, manual);
1131 if (ipf_checkl4sum(fin) == -1) {
1132 fin->fin_flx |= FI_BAD;
1133 DT2(ipf_fi_bad_checkv4sum_checkl4sum, fr_info_t *, fin, u_int, -1);
/*
 * IPv6 counterpart of ipf_checkv4sum(): skip exempt/short packets, then
 * verify the L4 checksum in software, flagging the packet FI_BAD on failure.
 */
1146 if ((fin->fin_flx & FI_NOCKSUM) != 0) {
1147 DT(ipf_checkv6sum_fi_nocksum);
1151 if ((fin->fin_flx & FI_SHORT) != 0) {
1152 DT(ipf_checkv6sum_fi_short);
1156 if (fin->fin_cksum != FI_CK_NEEDED) {
1157 DT(ipf_checkv6sum_fi_ck_needed);
1158 return (fin->fin_cksum > FI_CK_NEEDED) ? 0 : -1;
1161 if (ipf_checkl4sum(fin) == -1) {
1162 fin->fin_flx |= FI_BAD;
1163 DT2(ipf_fi_bad_checkv6sum_checkl4sum, fr_info_t *, fin, u_int, -1);
1168 #endif /* USE_INET6 */
/*
 * Total byte length of an mbuf chain: use the cached pkthdr length when
 * present, otherwise sum m_len over the chain.
 */
1177 if ((m0->m_flags & M_PKTHDR) != 0) {
1178 len = m0->m_pkthdr.len;
1182 for (m = m0, len = 0; m != NULL; m = m->m_next)
1189 /* ------------------------------------------------------------------------ */
1190 /* Function:    ipf_pullup                                                  */
1191 /* Returns:     NULL == pullup failed, else pointer to protocol header      */
1192 /* Parameters:  xmin(I)- pointer to buffer where data packet starts         */
1193 /*              fin(I) - pointer to packet information                      */
1194 /*              len(I) - number of bytes to pullup                          */
1196 /* Attempt to move at least len bytes (from the start of the buffer) into a */
1197 /* single buffer for ease of access.  Operating system native functions are */
1198 /* used to manage buffers - if necessary.  If the entire packet ends up in  */
1199 /* a single buffer, set the FI_COALESCE flag even though ipf_coalesce() has */
1200 /* not been called.  Both fin_ip and fin_dp are updated before exiting _IF_ */
1201 /* and ONLY if the pullup succeeds.                                         */
1203 /* We assume that 'xmin' is a pointer to a buffer that is part of the chain */
1204 /* of buffers that starts at *fin->fin_mp.                                  */
1205 /* ------------------------------------------------------------------------ */
1207 ipf_pullup(xmin, fin, len)
/* Record offsets relative to fin_ip so pointers can be rebuilt after pullup. */
1219 ip = (char *)fin->fin_ip;
1220 if ((fin->fin_flx & FI_COALESCE) != 0)
1223 ipoff = fin->fin_ipoff;
1224 if (fin->fin_dp != NULL)
1225 dpoff = (char *)fin->fin_dp - (char *)ip;
1229 if (M_LEN(m) < len) {
1230 mb_t *n = *fin->fin_mp;
1232 * Assume that M_PKTHDR is set and just work with what is left
1233 * rather than check..
1234 * Should not make any real difference, anyway.
1238 * Record the mbuf that points to the mbuf that we're
1239 * about to go to work on so that we can update the
1240 * m_next appropriately later.
1242 for (; n->m_next != m; n = n->m_next)
/* Use m_pulldown where available; otherwise fall back to m_pullup. */
1254 #ifdef HAVE_M_PULLDOWN
1255 if (m_pulldown(m, 0, len, NULL) == NULL)
1258 FREE_MB_T(*fin->fin_mp);
1264 m = m_pullup(m, len);
1270 * When n is non-NULL, it indicates that m pointed to
1271 * a sub-chain (tail) of the mbuf and that the head
1272 * of this chain has not yet been free'd.
1275 FREE_MB_T(*fin->fin_mp);
/* On failure the whole chain is gone; clear the caller's mbuf pointer. */
1278 *fin->fin_mp = NULL;
1286 while (M_LEN(m) == 0) {
/* Pullup succeeded: rebuild fin_ip/fin_dp/fin_fraghdr from saved offsets. */
1290 ip = MTOD(m, char *) + ipoff;
1292 fin->fin_ip = (ip_t *)ip;
1293 if (fin->fin_dp != NULL)
1294 fin->fin_dp = (char *)fin->fin_ip + dpoff;
1295 if (fin->fin_fraghdr != NULL)
1296 fin->fin_fraghdr = (char *)ip +
1297 ((char *)fin->fin_fraghdr -
1298 (char *)fin->fin_ip);
1301 if (len == fin->fin_plen)
1302 fin->fin_flx |= FI_COALESCE;
/*
 * Re-inject a packet into the stack: inbound via netisr dispatch, outbound
 * via ip_output() (which expects ip_len/ip_off in host byte order).
 */
1314 if (fin->fin_out == 0) {
1315 netisr_dispatch(NETISR_IP, m);
1317 fin->fin_ip->ip_len = ntohs(fin->fin_ip->ip_len);
1318 fin->fin_ip->ip_off = ntohs(fin->fin_ip->ip_off);
1319 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
/*
 * Remove the ipfilter pfil(9) hooks for both AF_INET and AF_INET6.
 */
1325 int ipf_pfil_unhook(void) {
1326 struct pfil_head *ph_inet;
1328 struct pfil_head *ph_inet6;
1331 ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
1332 if (ph_inet != NULL)
1333 pfil_remove_hook((void *)ipf_check_wrapper, NULL,
1334 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet);
1336 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
1337 if (ph_inet6 != NULL)
1338 pfil_remove_hook((void *)ipf_check_wrapper6, NULL,
1339 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet6);
/*
 * Install the ipfilter pfil(9) hooks (IN and OUT) for AF_INET and AF_INET6.
 */
1345 int ipf_pfil_hook(void) {
1346 struct pfil_head *ph_inet;
1348 struct pfil_head *ph_inet6;
1351 ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
1353 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
1363 if (ph_inet != NULL)
1364 pfil_add_hook((void *)ipf_check_wrapper, NULL,
1365 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet);
1367 if (ph_inet6 != NULL)
1368 pfil_add_hook((void *)ipf_check_wrapper6, NULL,
1369 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet6);
/*
 * Register interface arrival/departure (and, when enabled, clone) event
 * handlers so ipf_ifevent() keeps the filter in sync with interface changes.
 */
1377 V_ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
1378 ipf_ifevent, NULL, \
1379 EVENTHANDLER_PRI_ANY);
1380 V_ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
1381 ipf_ifevent, NULL, \
1382 EVENTHANDLER_PRI_ANY);
/* Clone handler is compiled out by default — see the comment near its tag. */
1384 V_ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
1385 NULL, EVENTHANDLER_PRI_ANY);
/*
 * Deregister whichever of the event handlers ipf_event_reg() installed.
 */
1390 ipf_event_dereg(void)
1392 if (V_ipf_arrivetag != NULL) {
1393 EVENTHANDLER_DEREGISTER(ifnet_arrival_event, V_ipf_arrivetag);
1395 if (V_ipf_departtag != NULL) {
1396 EVENTHANDLER_DEREGISTER(ifnet_departure_event, V_ipf_departtag);
1399 if (V_ipf_clonetag != NULL) {
1400 EVENTHANDLER_DEREGISTER(if_clone_event, V_ipf_clonetag);
/* Random 32-bit value from the kernel CSPRNG (presumably ipf_random — confirm). */
1409 return arc4random();
/*
 * Finish an IPv4 L4 checksum: checksum the payload from the protocol header
 * onward, fold it into the caller-supplied partial (pseudo-header) sum and
 * return the one's-complement result.
 */
1414 ipf_pcksum(fin, hlen, sum)
1424 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
1427 sum2 = in_cksum(fin->fin_m, fin->fin_plen - off);
1432 * Both sum and sum2 are partial sums, so combine them together.
1434 sum += ~sum2 & 0xffff;
/* Fold carries until the sum fits in 16 bits, then complement. */
1435 while (sum > 0xffff)
1436 sum = (sum & 0xffff) + (sum >> 16);
1437 sum2 = ~sum & 0xffff;
/*
 * IPv6 L4 checksum helper: use in6_cksum() when the IPv6 header is
 * contiguous in the first mbuf; otherwise sum the pseudo-header by hand
 * and defer to ipf_pcksum() for the payload.
 */
1443 ipf_pcksum6(m, ip6, off, len)
1452 if (m->m_len < sizeof(struct ip6_hdr)) {
1456 sum = in6_cksum(m, ip6->ip6_nxt, off, len);
/* Manual pseudo-header sum over the 16-bit words of src/dst addresses. */
1462 sp = (u_short *)&ip6->ip6_src;
1463 sum = *sp++; /* ip6_src */
1471 sum += *sp++; /* ip6_dst */
1479 return(ipf_pcksum(fin, off, sum));