4 * Copyright (C) 1993-2003 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
9 static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
10 static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.50 2007/09/20 12:51:50 darrenr Exp $";
13 #if defined(KERNEL) || defined(_KERNEL)
19 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
20 !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
21 # include "opt_inet6.h"
23 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 440000) && \
24 !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
25 # include "opt_random_ip_id.h"
27 #include <sys/param.h>
28 #if defined(__FreeBSD__) && !defined(__FreeBSD_version)
29 # if defined(IPFILTER_LKM)
30 # ifndef __FreeBSD_cc_version
31 # include <osreldate.h>
33 # if __FreeBSD_cc_version < 430000
34 # include <osreldate.h>
39 #include <sys/errno.h>
40 #include <sys/types.h>
42 #if __FreeBSD_version >= 220000
43 # include <sys/fcntl.h>
44 # include <sys/filio.h>
46 # include <sys/ioctl.h>
49 #include <sys/systm.h>
50 #if (__FreeBSD_version >= 300000)
51 # include <sys/dirent.h>
56 # include <sys/mbuf.h>
58 #include <sys/protosw.h>
59 #include <sys/socket.h>
60 #if __FreeBSD_version >= 500043
61 # include <sys/selinfo.h>
63 # include <sys/select.h>
65 #if __FreeBSD_version >= 800044
66 # include <sys/vimage.h>
68 #define V_path_mtu_discovery path_mtu_discovery
69 #define V_ipforwarding ipforwarding
73 #if __FreeBSD_version >= 300000
74 # include <net/if_var.h>
75 # if __FreeBSD_version >= 500043
76 # include <net/netisr.h>
78 # if !defined(IPFILTER_LKM)
79 # include "opt_ipfilter.h"
82 #include <net/route.h>
83 #include <netinet/in.h>
84 #include <netinet/in_var.h>
85 #include <netinet/in_systm.h>
86 #include <netinet/ip.h>
87 #include <netinet/ip_var.h>
88 #include <netinet/tcp.h>
90 # include <netinet/tcp_timer.h>
92 #include <netinet/udp.h>
93 #include <netinet/tcpip.h>
94 #include <netinet/ip_icmp.h>
96 # include "netinet/ipf.h"
98 #include "netinet/ip_compat.h"
100 # include <netinet/icmp6.h>
102 #include "netinet/ip_fil.h"
103 #include "netinet/ip_nat.h"
104 #include "netinet/ip_frag.h"
105 #include "netinet/ip_state.h"
106 #include "netinet/ip_proxy.h"
107 #include "netinet/ip_auth.h"
109 #include "netinet/ip_sync.h"
112 #include "netinet/ip_scan.h"
114 #include "netinet/ip_pool.h"
115 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
116 # include <sys/malloc.h>
118 #include <sys/kernel.h>
119 #ifdef CSUM_DATA_VALID
120 #include <machine/in_cksum.h>
122 extern int ip_optcopy __P((struct ip *, struct ip *));
124 #if (__FreeBSD_version > 460000)
125 extern int path_mtu_discovery;
128 # ifdef IPFILTER_M_IPFILTER
129 MALLOC_DEFINE(M_IPFILTER, "ipfilter", "IP Filter packet filter data structures");
133 #if !defined(__osf__)
134 extern struct protosw inetsw[];
137 static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **));
138 static int fr_send_ip __P((fr_info_t *, mb_t *, mb_t **));
140 ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert;
141 ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
142 ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ipf_frcache, ipf_tokens;
143 ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
145 int ipf_locks_done = 0;
147 #if (__FreeBSD_version >= 300000)
148 struct callout_handle fr_slowtimer_ch;
150 struct selinfo ipfselwait[IPL_LOGSIZE];
152 #if (__FreeBSD_version >= 500011)
153 # include <sys/conf.h>
154 # if defined(NETBSD_PF)
155 # include <net/pfil.h>
156 # include <netinet/ipprotosw.h>
158 * We provide the fr_checkp name just to minimize changes later.
160 int (*fr_checkp) __P((ip_t *ip, int hlen, void *ifp, int out, mb_t **mp));
161 # endif /* NETBSD_PF */
162 #endif /* __FreeBSD_version >= 500011 */
165 #if (__FreeBSD_version >= 502103)
166 static eventhandler_tag ipf_arrivetag, ipf_departtag, ipf_clonetag;
168 static void ipf_ifevent(void *arg);
170 static void ipf_ifevent(arg)
178 #if (__FreeBSD_version >= 501108) && defined(_KERNEL)
181 fr_check_wrapper(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
183 struct ip *ip = mtod(*mp, struct ip *);
184 return fr_check(ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT), mp);
188 # include <netinet/ip6.h>
191 fr_check_wrapper6(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
193 return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
194 ifp, (dir == PFIL_OUT), mp));
197 #endif /* __FreeBSD_version >= 501108 */
198 #if defined(IPFILTER_LKM)
202 if (strcmp(s, "ipl") == 0)
206 #endif /* IPFILTER_LKM */
216 if (fr_running > 0) {
221 MUTEX_INIT(&ipf_rw, "ipf rw mutex");
222 MUTEX_INIT(&ipf_timeoutlock, "ipf timeout queue mutex");
223 RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
224 RWLOCK_INIT(&ipf_tokens, "ipf token rwlock");
227 if (fr_initialise() < 0) {
233 if (fr_checkp != fr_check) {
234 fr_savep = fr_checkp;
235 fr_checkp = fr_check;
238 bzero((char *)ipfselwait, sizeof(ipfselwait));
239 bzero((char *)frcache, sizeof(frcache));
242 if (fr_control_forwarding & 1)
246 #if (__FreeBSD_version >= 300000)
247 fr_slowtimer_ch = timeout(fr_slowtimer, NULL,
248 (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
250 timeout(fr_slowtimer, NULL, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
257 * Disable the filter by removing the hooks from the IP input/output
265 if (fr_control_forwarding & 2)
270 #if (__FreeBSD_version >= 300000)
271 if (fr_slowtimer_ch.callout != NULL)
272 untimeout(fr_slowtimer, NULL, fr_slowtimer_ch);
273 bzero(&fr_slowtimer_ch, sizeof(fr_slowtimer_ch));
275 untimeout(fr_slowtimer, NULL);
279 if (fr_checkp != NULL)
280 fr_checkp = fr_savep;
288 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
289 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
291 if (ipf_locks_done == 1) {
292 MUTEX_DESTROY(&ipf_timeoutlock);
293 MUTEX_DESTROY(&ipf_rw);
294 RW_DESTROY(&ipf_ipidfrag);
295 RW_DESTROY(&ipf_tokens);
306 * Filter ioctl interface.
308 int iplioctl(dev, cmd, data, mode
309 # if defined(_KERNEL) && ((BSD >= 199506) || (__FreeBSD_version >= 220000))
311 # if (__FreeBSD_version >= 500024)
313 # if (__FreeBSD_version >= 500043)
314 # define p_uid td_ucred->cr_ruid
316 # define p_uid t_proc->p_cred->p_ruid
320 # define p_uid p_cred->p_ruid
321 # endif /* __FreeBSD_version >= 500024 */
325 #if defined(_KERNEL) && (__FreeBSD_version >= 502116)
334 int error = 0, unit = 0;
337 #if (BSD >= 199306) && defined(_KERNEL)
338 if ((securelevel >= 3) && (mode & FWRITE))
342 unit = GET_MINOR(dev);
343 if ((IPL_LOGMAX < unit) || (unit < 0))
346 if (fr_running <= 0) {
347 if (unit != IPL_LOGIPF)
349 if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET &&
350 cmd != SIOCIPFSET && cmd != SIOCFRENB &&
351 cmd != SIOCGETFS && cmd != SIOCGETFF)
357 error = fr_ioctlswitch(unit, data, cmd, mode, p->p_uid, p);
370 void fr_forgetifp(ifp)
373 register frentry_t *f;
375 WRITE_ENTER(&ipf_mutex);
376 for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
377 if (f->fr_ifa == ifp)
378 f->fr_ifa = (void *)-1;
379 for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
380 if (f->fr_ifa == ifp)
381 f->fr_ifa = (void *)-1;
382 for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
383 if (f->fr_ifa == ifp)
384 f->fr_ifa = (void *)-1;
385 for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
386 if (f->fr_ifa == ifp)
387 f->fr_ifa = (void *)-1;
389 for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
390 if (f->fr_ifa == ifp)
391 f->fr_ifa = (void *)-1;
392 for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
393 if (f->fr_ifa == ifp)
394 f->fr_ifa = (void *)-1;
395 for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
396 if (f->fr_ifa == ifp)
397 f->fr_ifa = (void *)-1;
398 for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
399 if (f->fr_ifa == ifp)
400 f->fr_ifa = (void *)-1;
402 RWLOCK_EXIT(&ipf_mutex);
409 * routines below for saving IP headers to buffer
411 int iplopen(dev, flags
412 #if ((BSD >= 199506) || (__FreeBSD_version >= 220000)) && defined(_KERNEL)
415 # if (__FreeBSD_version >= 500024)
419 # endif /* __FreeBSD_version >= 500024 */
423 #if defined(_KERNEL) && (__FreeBSD_version >= 502116)
430 u_int min = GET_MINOR(dev);
432 if (IPL_LOGMAX < min)
440 int iplclose(dev, flags
441 #if ((BSD >= 199506) || (__FreeBSD_version >= 220000)) && defined(_KERNEL)
444 # if (__FreeBSD_version >= 500024)
448 # endif /* __FreeBSD_version >= 500024 */
452 #if defined(_KERNEL) && (__FreeBSD_version >= 502116)
459 u_int min = GET_MINOR(dev);
461 if (IPL_LOGMAX < min)
470 * both of these must operate with at least splnet() lest they be
471 * called during packet processing and cause an inconsistancy to appear in
475 int iplread(dev, uio, ioflag)
478 int iplread(dev, uio)
480 #if defined(_KERNEL) && (__FreeBSD_version >= 502116)
485 register struct uio *uio;
487 u_int xmin = GET_MINOR(dev);
495 # ifdef IPFILTER_SYNC
496 if (xmin == IPL_LOGSYNC)
497 return ipfsync_read(uio);
501 return ipflog_read(xmin, uio);
510 * both of these must operate with at least splnet() lest they be
511 * called during packet processing and cause an inconsistancy to appear in
515 int iplwrite(dev, uio, ioflag)
518 int iplwrite(dev, uio)
520 #if defined(_KERNEL) && (__FreeBSD_version >= 502116)
525 register struct uio *uio;
532 if (GET_MINOR(dev) == IPL_LOGSYNC)
533 return ipfsync_write(uio);
540 * fr_send_reset - this could conceivably be a call to tcp_respond(), but that
541 * requires a large amount of setting up and isn't any more efficient.
543 int fr_send_reset(fin)
546 struct tcphdr *tcp, *tcp2;
555 if (tcp->th_flags & TH_RST)
556 return -1; /* feedback loop */
558 if (fr_checkl4sum(fin) == -1)
561 tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
562 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
563 ((tcp->th_flags & TH_FIN) ? 1 : 0);
566 hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
571 MGETHDR(m, M_DONTWAIT, MT_HEADER);
573 MGET(m, M_DONTWAIT, MT_HEADER);
577 if (sizeof(*tcp2) + hlen > MLEN) {
578 MCLGET(m, M_DONTWAIT);
579 if ((m->m_flags & M_EXT) == 0) {
585 m->m_len = sizeof(*tcp2) + hlen;
587 m->m_data += max_linkhdr;
588 m->m_pkthdr.len = m->m_len;
589 m->m_pkthdr.rcvif = (struct ifnet *)0;
591 ip = mtod(m, struct ip *);
592 bzero((char *)ip, hlen);
596 tcp2 = (struct tcphdr *)((char *)ip + hlen);
597 tcp2->th_sport = tcp->th_dport;
598 tcp2->th_dport = tcp->th_sport;
600 if (tcp->th_flags & TH_ACK) {
601 tcp2->th_seq = tcp->th_ack;
602 tcp2->th_flags = TH_RST;
606 tcp2->th_ack = ntohl(tcp->th_seq);
607 tcp2->th_ack += tlen;
608 tcp2->th_ack = htonl(tcp2->th_ack);
609 tcp2->th_flags = TH_RST|TH_ACK;
612 TCP_OFF_A(tcp2, sizeof(*tcp2) >> 2);
613 tcp2->th_win = tcp->th_win;
618 if (fin->fin_v == 6) {
619 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
620 ip6->ip6_plen = htons(sizeof(struct tcphdr));
621 ip6->ip6_nxt = IPPROTO_TCP;
623 ip6->ip6_src = fin->fin_dst6;
624 ip6->ip6_dst = fin->fin_src6;
625 tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
626 sizeof(*ip6), sizeof(*tcp2));
627 return fr_send_ip(fin, m, &m);
630 ip->ip_p = IPPROTO_TCP;
631 ip->ip_len = htons(sizeof(struct tcphdr));
632 ip->ip_src.s_addr = fin->fin_daddr;
633 ip->ip_dst.s_addr = fin->fin_saddr;
634 tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
635 ip->ip_len = hlen + sizeof(*tcp2);
636 return fr_send_ip(fin, m, &m);
640 static int fr_send_ip(fin, m, mpp)
648 ip = mtod(m, ip_t *);
649 bzero((char *)&fnew, sizeof(fnew));
651 IP_V_A(ip, fin->fin_v);
657 IP_HL_A(ip, sizeof(*oip) >> 2);
658 ip->ip_tos = oip->ip_tos;
659 ip->ip_id = fin->fin_ip->ip_id;
660 #if (__FreeBSD_version > 460000)
661 ip->ip_off = V_path_mtu_discovery ? IP_DF : 0;
665 ip->ip_ttl = V_ip_defttl;
672 ip6_t *ip6 = (ip6_t *)ip;
675 ip6->ip6_hlim = IPDEFTTL;
686 m->m_pkthdr.rcvif = NULL;
689 fnew.fin_ifp = fin->fin_ifp;
690 fnew.fin_flx = FI_NOCKSUM;
694 fnew.fin_hlen = hlen;
695 fnew.fin_dp = (char *)ip + hlen;
696 (void) fr_makefrip(hlen, ip, &fnew);
698 return fr_fastroute(m, mpp, &fnew, NULL);
702 int fr_send_icmp_err(type, fin, dst)
707 int err, hlen, xtra, iclen, ohlen, avail, code;
714 struct in6_addr dst6;
718 if ((type < 0) || (type >= ICMP_MAXTYPE))
721 code = fin->fin_icode;
723 if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int)))
727 if (fr_checkl4sum(fin) == -1)
730 MGETHDR(m, M_DONTWAIT, MT_HEADER);
732 MGET(m, M_DONTWAIT, MT_HEADER);
742 if (fin->fin_v == 4) {
743 if ((fin->fin_p == IPPROTO_ICMP) &&
744 !(fin->fin_flx & FI_SHORT))
745 switch (ntohs(fin->fin_data[0]) >> 8)
758 if (fr_ifpaddr(4, FRI_NORMAL, ifp,
759 &dst4, NULL) == -1) {
764 dst4.s_addr = fin->fin_daddr;
767 ohlen = fin->fin_hlen;
768 if (fin->fin_hlen < fin->fin_plen)
769 xtra = MIN(fin->fin_dlen, 8);
775 else if (fin->fin_v == 6) {
776 hlen = sizeof(ip6_t);
777 ohlen = sizeof(ip6_t);
778 type = icmptoicmp6types[type];
779 if (type == ICMP6_DST_UNREACH)
780 code = icmptoicmp6unreach[code];
782 if (hlen + sizeof(*icmp) + max_linkhdr +
783 fin->fin_plen > avail) {
784 MCLGET(m, M_DONTWAIT);
785 if ((m->m_flags & M_EXT) == 0) {
791 xtra = MIN(fin->fin_plen,
792 avail - hlen - sizeof(*icmp) - max_linkhdr);
794 if (fr_ifpaddr(6, FRI_NORMAL, ifp,
795 (struct in_addr *)&dst6, NULL) == -1) {
800 dst6 = fin->fin_dst6;
808 iclen = hlen + sizeof(*icmp);
809 avail -= (max_linkhdr + iclen);
817 m->m_data += max_linkhdr;
818 m->m_pkthdr.rcvif = (struct ifnet *)0;
819 m->m_pkthdr.len = iclen;
821 ip = mtod(m, ip_t *);
822 icmp = (struct icmp *)((char *)ip + hlen);
823 ip2 = (ip_t *)&icmp->icmp_ip;
825 icmp->icmp_type = type;
826 icmp->icmp_code = fin->fin_icode;
827 icmp->icmp_cksum = 0;
829 if (type == ICMP_UNREACH &&
830 fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp)
831 icmp->icmp_nextmtu = htons(((struct ifnet *)ifp)->if_mtu);
834 bcopy((char *)fin->fin_ip, (char *)ip2, ohlen);
838 if (fin->fin_v == 6) {
839 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
840 ip6->ip6_plen = htons(iclen - hlen);
841 ip6->ip6_nxt = IPPROTO_ICMPV6;
844 ip6->ip6_dst = fin->fin_src6;
846 bcopy((char *)fin->fin_ip + ohlen,
847 (char *)&icmp->icmp_ip + ohlen, xtra);
848 icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
849 sizeof(*ip6), iclen - hlen);
853 ip2->ip_len = htons(ip2->ip_len);
854 ip2->ip_off = htons(ip2->ip_off);
855 ip->ip_p = IPPROTO_ICMP;
856 ip->ip_src.s_addr = dst4.s_addr;
857 ip->ip_dst.s_addr = fin->fin_saddr;
860 bcopy((char *)fin->fin_ip + ohlen,
861 (char *)&icmp->icmp_ip + ohlen, xtra);
862 icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
865 ip->ip_p = IPPROTO_ICMP;
867 err = fr_send_ip(fin, m, &m);
872 #if !defined(IPFILTER_LKM) && (__FreeBSD_version < 300000)
874 int iplinit __P((void));
878 void iplinit __P((void));
884 if (ipfattach() != 0)
885 printf("IP Filter failed to attach\n");
888 #endif /* __FreeBSD_version < 300000 */
892 * m0 - pointer to mbuf where the IP packet starts
893 * mpp - pointer to the mbuf pointer that is the start of the mbuf chain
895 int fr_fastroute(m0, mpp, fin, fdp)
900 register struct ip *ip, *mhip;
901 register struct mbuf *m = *mpp;
902 register struct route *ro;
903 int len, off, error = 0, hlen, code;
904 struct ifnet *ifp, *sifp;
905 struct sockaddr_in *dst;
906 struct route iproute;
916 * If the mbuf we're about to send is not writable (because of
917 * a cluster reference, for example) we'll need to make a copy
918 * of it since this routine modifies the contents.
920 * If you have non-crappy network hardware that can transmit data
921 * from the mbuf, rather than making a copy, this is gonna be a
924 if (M_WRITABLE(m) == 0) {
925 m0 = m_dup(m, M_DONTWAIT);
939 if (fin->fin_v == 6) {
941 * currently "to <if>" and "to <if>:ip#" are not supported
944 #if (__FreeBSD_version >= 490000)
945 return ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
947 return ip6_output(m0, NULL, NULL, 0, NULL, NULL);
952 hlen = fin->fin_hlen;
953 ip = mtod(m0, struct ip *);
959 bzero((caddr_t)ro, sizeof (*ro));
960 dst = (struct sockaddr_in *)&ro->ro_dst;
961 dst->sin_family = AF_INET;
962 dst->sin_addr = ip->ip_dst;
970 if ((ifp == NULL) && (!fr || !(fr->fr_flags & FR_FASTROUTE))) {
975 if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
976 dst->sin_addr = fdp->fd_ip;
978 dst->sin_len = sizeof(*dst);
981 if ((ifp == NULL) && (ro->ro_rt != NULL))
982 ifp = ro->ro_rt->rt_ifp;
984 if ((ro->ro_rt == NULL) || (ifp == NULL)) {
985 if (in_localaddr(ip->ip_dst))
986 error = EHOSTUNREACH;
991 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
992 dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
997 * For input packets which are being "fastrouted", they won't
998 * go back through output filtering and miss their chance to get
999 * NAT'd and counted. Duplicated packets aren't considered to be
1000 * part of the normal packet stream, so do not NAT them or pass
1001 * them through stateful checking, etc.
1003 if ((fdp != &fr->fr_dif) && (fin->fin_out == 0)) {
1004 sifp = fin->fin_ifp;
1007 (void) fr_acctpkt(fin, NULL);
1009 if (!fr || !(fr->fr_flags & FR_RETMASK)) {
1012 if (fr_checkstate(fin, &pass) != NULL)
1013 fr_statederef((ipstate_t **)&fin->fin_state);
1016 switch (fr_checknatout(fin, NULL))
1021 fr_natderef((nat_t **)&fin->fin_nat);
1030 fin->fin_ifp = sifp;
1035 * If small enough for interface, can just send directly.
1037 if (ip->ip_len <= ifp->if_mtu) {
1038 ip->ip_len = htons(ip->ip_len);
1039 ip->ip_off = htons(ip->ip_off);
1042 ip->ip_sum = in_cksum(m, hlen);
1043 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
1048 * Too large for interface; fragment if possible.
1049 * Must be able to put at least 8 bytes per fragment.
1051 ip_off = ntohs(ip->ip_off);
1052 if (ip_off & IP_DF) {
1056 len = (ifp->if_mtu - hlen) &~ 7;
1063 int mhlen, firstlen = len;
1064 struct mbuf **mnext = &m->m_act;
1067 * Loop through length of segment after first fragment,
1068 * make new header and copy data of each part and link onto chain.
1071 mhlen = sizeof (struct ip);
1072 for (off = hlen + len; off < ip->ip_len; off += len) {
1074 MGETHDR(m, M_DONTWAIT, MT_HEADER);
1076 MGET(m, M_DONTWAIT, MT_HEADER);
1083 m->m_data += max_linkhdr;
1084 mhip = mtod(m, struct ip *);
1085 bcopy((char *)ip, (char *)mhip, sizeof(*ip));
1086 if (hlen > sizeof (struct ip)) {
1087 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
1088 IP_HL_A(mhip, mhlen >> 2);
1091 mhip->ip_off = ((off - hlen) >> 3) + ip_off;
1092 if (off + len >= ip->ip_len)
1093 len = ip->ip_len - off;
1095 mhip->ip_off |= IP_MF;
1096 mhip->ip_len = htons((u_short)(len + mhlen));
1098 m->m_next = m_copy(m0, off, len);
1099 if (m->m_next == 0) {
1100 error = ENOBUFS; /* ??? */
1103 m->m_pkthdr.len = mhlen + len;
1104 m->m_pkthdr.rcvif = NULL;
1105 mhip->ip_off = htons((u_short)mhip->ip_off);
1107 mhip->ip_sum = in_cksum(m, mhlen);
1111 * Update first fragment by trimming what's been copied out
1112 * and updating header, then send each fragment (in order).
1114 m_adj(m0, hlen + firstlen - ip->ip_len);
1115 ip->ip_len = htons((u_short)(hlen + firstlen));
1116 ip->ip_off = htons((u_short)IP_MF);
1118 ip->ip_sum = in_cksum(m0, hlen);
1120 for (m = m0; m; m = m0) {
1124 error = (*ifp->if_output)(ifp, m,
1125 (struct sockaddr *)dst, ro->ro_rt);
1136 if ((ro != NULL) && (ro->ro_rt != NULL)) {
1142 if (error == EMSGSIZE) {
1143 sifp = fin->fin_ifp;
1144 code = fin->fin_icode;
1145 fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
1147 (void) fr_send_icmp_err(ICMP_UNREACH, fin, 1);
1148 fin->fin_ifp = sifp;
1149 fin->fin_icode = code;
1156 int fr_verifysrc(fin)
1159 struct sockaddr_in *dst;
1160 struct route iproute;
1162 bzero((char *)&iproute, sizeof(iproute));
1163 dst = (struct sockaddr_in *)&iproute.ro_dst;
1164 dst->sin_len = sizeof(*dst);
1165 dst->sin_family = AF_INET;
1166 dst->sin_addr = fin->fin_src;
1167 in_rtalloc(&iproute, 0);
1168 if (iproute.ro_rt == NULL)
1170 return (fin->fin_ifp == iproute.ro_rt->rt_ifp);
1175 * return the first IP Address associated with an interface
1177 int fr_ifpaddr(v, atype, ifptr, inp, inpmask)
1180 struct in_addr *inp, *inpmask;
1183 struct in6_addr *inp6 = NULL;
1185 struct sockaddr *sock, *mask;
1186 struct sockaddr_in *sin;
1190 if ((ifptr == NULL) || (ifptr == (void *)-1))
1200 bzero((char *)inp, sizeof(struct in6_addr));
1202 #if (__FreeBSD_version >= 300000)
1203 ifa = TAILQ_FIRST(&ifp->if_addrhead);
1205 ifa = ifp->if_addrlist;
1206 #endif /* __FreeBSD_version >= 300000 */
1208 sock = ifa->ifa_addr;
1209 while (sock != NULL && ifa != NULL) {
1210 sin = (struct sockaddr_in *)sock;
1211 if ((v == 4) && (sin->sin_family == AF_INET))
1214 if ((v == 6) && (sin->sin_family == AF_INET6)) {
1215 inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
1216 if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
1217 !IN6_IS_ADDR_LOOPBACK(inp6))
1221 #if (__FreeBSD_version >= 300000)
1222 ifa = TAILQ_NEXT(ifa, ifa_link);
1224 ifa = ifa->ifa_next;
1225 #endif /* __FreeBSD_version >= 300000 */
1227 sock = ifa->ifa_addr;
1230 if (ifa == NULL || sin == NULL)
1233 mask = ifa->ifa_netmask;
1234 if (atype == FRI_BROADCAST)
1235 sock = ifa->ifa_broadaddr;
1236 else if (atype == FRI_PEERADDR)
1237 sock = ifa->ifa_dstaddr;
1244 return fr_ifpfillv6addr(atype, (struct sockaddr_in6 *)sock,
1245 (struct sockaddr_in6 *)mask,
1249 return fr_ifpfillv4addr(atype, (struct sockaddr_in *)sock,
1250 (struct sockaddr_in *)mask, inp, inpmask);
1254 u_32_t fr_newisn(fin)
1258 #if (__FreeBSD_version >= 400000)
1259 newiss = arc4random();
1261 static iss_seq_off = 0;
1266 * Compute the base value of the ISS. It is a hash
1267 * of (saddr, sport, daddr, dport, secret).
1271 MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_src,
1272 sizeof(fin->fin_fi.fi_src));
1273 MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_dst,
1274 sizeof(fin->fin_fi.fi_dst));
1275 MD5Update(&ctx, (u_char *) &fin->fin_dat, sizeof(fin->fin_dat));
1277 MD5Update(&ctx, ipf_iss_secret, sizeof(ipf_iss_secret));
1279 MD5Final(hash, &ctx);
1281 memcpy(&newiss, hash, sizeof(newiss));
1284 * Now increment our "timer", and add it in to
1285 * the computed value.
1288 * XXX TCP_ISSINCR too large to use?
1290 iss_seq_off += 0x00010000;
1291 newiss += iss_seq_off;
1297 /* ------------------------------------------------------------------------ */
1298 /* Function: fr_nextipid */
1299 /* Returns: int - 0 == success, -1 == error (packet should be droppped) */
1300 /* Parameters: fin(I) - pointer to packet information */
1302 /* Returns the next IPv4 ID to use for this packet. */
1303 /* ------------------------------------------------------------------------ */
1304 u_short fr_nextipid(fin)
1307 #ifndef RANDOM_IP_ID
1308 static u_short ipid = 0;
1311 MUTEX_ENTER(&ipf_rw);
1313 MUTEX_EXIT(&ipf_rw);
1324 INLINE void fr_checkv4sum(fin)
1327 #ifdef CSUM_DATA_VALID
1333 if ((fin->fin_flx & FI_NOCKSUM) != 0)
1336 if (fin->fin_cksum != 0)
1346 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
1347 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
1348 sum = m->m_pkthdr.csum_data;
1350 sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
1351 htonl(m->m_pkthdr.csum_data +
1352 fin->fin_ip->ip_len + fin->fin_p));
1355 fin->fin_flx |= FI_BAD;
1356 fin->fin_cksum = -1;
1363 # ifdef IPFILTER_CKSUM
1365 if (fr_checkl4sum(fin) == -1)
1366 fin->fin_flx |= FI_BAD;
1371 # ifdef IPFILTER_CKSUM
1372 if (fr_checkl4sum(fin) == -1)
1373 fin->fin_flx |= FI_BAD;
1380 INLINE void fr_checkv6sum(fin)
1383 # ifdef IPFILTER_CKSUM
1384 if (fr_checkl4sum(fin) == -1)
1385 fin->fin_flx |= FI_BAD;
1388 #endif /* USE_INET6 */
1391 size_t mbufchainlen(m0)
1396 if ((m0->m_flags & M_PKTHDR) != 0) {
1397 len = m0->m_pkthdr.len;
1401 for (m = m0, len = 0; m != NULL; m = m->m_next)
1408 /* ------------------------------------------------------------------------ */
1409 /* Function: fr_pullup */
1410 /* Returns: NULL == pullup failed, else pointer to protocol header */
1411 /* Parameters: m(I) - pointer to buffer where data packet starts */
1412 /* fin(I) - pointer to packet information */
1413 /* len(I) - number of bytes to pullup */
1415 /* Attempt to move at least len bytes (from the start of the buffer) into a */
1416 /* single buffer for ease of access. Operating system native functions are */
1417 /* used to manage buffers - if necessary. If the entire packet ends up in */
1418 /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */
1419 /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */
1420 /* and ONLY if the pullup succeeds. */
1422 /* We assume that 'min' is a pointer to a buffer that is part of the chain */
1423 /* of buffers that starts at *fin->fin_mp. */
1424 /* ------------------------------------------------------------------------ */
1425 void *fr_pullup(min, fin, len)
1430 int out = fin->fin_out, dpoff, ipoff;
1437 ip = (char *)fin->fin_ip;
1438 if ((fin->fin_flx & FI_COALESCE) != 0)
1441 ipoff = fin->fin_ipoff;
1442 if (fin->fin_dp != NULL)
1443 dpoff = (char *)fin->fin_dp - (char *)ip;
1447 if (M_LEN(m) < len) {
1450 * Assume that M_PKTHDR is set and just work with what is left
1451 * rather than check..
1452 * Should not make any real difference, anyway.
1459 #ifdef HAVE_M_PULLDOWN
1460 if (m_pulldown(m, 0, len, NULL) == NULL)
1463 FREE_MB_T(*fin->fin_mp);
1468 m = m_pullup(m, len);
1473 ATOMIC_INCL(frstats[out].fr_pull[1]);
1477 while (M_LEN(m) == 0) {
1481 ip = MTOD(m, char *) + ipoff;
1484 ATOMIC_INCL(frstats[out].fr_pull[0]);
1485 fin->fin_ip = (ip_t *)ip;
1486 if (fin->fin_dp != NULL)
1487 fin->fin_dp = (char *)fin->fin_ip + dpoff;
1489 if (len == fin->fin_plen)
1490 fin->fin_flx |= FI_COALESCE;
1495 int ipf_inject(fin, m)
1501 if (fin->fin_out == 0) {
1502 #if (__FreeBSD_version >= 501000)
1503 netisr_dispatch(NETISR_IP, m);
1505 struct ifqueue *ifq;
1527 fin->fin_ip->ip_len = ntohs(fin->fin_ip->ip_len);
1528 fin->fin_ip->ip_off = ntohs(fin->fin_ip->ip_off);
1529 #if (__FreeBSD_version >= 470102)
1530 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
1532 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
1539 int ipf_pfil_unhook(void) {
1540 #if defined(NETBSD_PF) && (__FreeBSD_version >= 500011)
1541 # if __FreeBSD_version >= 501108
1542 struct pfil_head *ph_inet;
1544 struct pfil_head *ph_inet6;
1550 # if (__FreeBSD_version >= 500011)
1551 # if (__FreeBSD_version >= 501108)
1552 ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
1553 if (ph_inet != NULL)
1554 pfil_remove_hook((void *)fr_check_wrapper, NULL,
1555 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet);
1557 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK,
1558 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
1561 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK);
1564 # if (__FreeBSD_version >= 501108)
1565 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
1566 if (ph_inet6 != NULL)
1567 pfil_remove_hook((void *)fr_check_wrapper6, NULL,
1568 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet6);
1570 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK,
1571 &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
1579 int ipf_pfil_hook(void) {
1580 #if defined(NETBSD_PF) && (__FreeBSD_version >= 500011)
1581 # if __FreeBSD_version >= 501108
1582 struct pfil_head *ph_inet;
1584 struct pfil_head *ph_inet6;
1590 # if __FreeBSD_version >= 500011
1591 # if __FreeBSD_version >= 501108
1592 ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
1594 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
1603 if (ph_inet != NULL)
1604 pfil_add_hook((void *)fr_check_wrapper, NULL,
1605 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet);
1607 pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK,
1608 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
1611 pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK);
1614 # if __FreeBSD_version >= 501108
1615 if (ph_inet6 != NULL)
1616 pfil_add_hook((void *)fr_check_wrapper6, NULL,
1617 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet6);
1619 pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK,
1620 &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
1630 #if (__FreeBSD_version >= 502103)
1631 ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
1632 ipf_ifevent, NULL, \
1633 EVENTHANDLER_PRI_ANY);
1634 ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
1635 ipf_ifevent, NULL, \
1636 EVENTHANDLER_PRI_ANY);
1637 ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
1638 NULL, EVENTHANDLER_PRI_ANY);
1643 ipf_event_dereg(void)
1645 #if (__FreeBSD_version >= 502103)
1646 if (ipf_arrivetag != NULL) {
1647 EVENTHANDLER_DEREGISTER(ifnet_arrival_event, ipf_arrivetag);
1649 if (ipf_departtag != NULL) {
1650 EVENTHANDLER_DEREGISTER(ifnet_departure_event, ipf_departtag);
1652 if (ipf_clonetag != NULL) {
1653 EVENTHANDLER_DEREGISTER(if_clone_event, ipf_clonetag);
projects / FreeBSD / FreeBSD.git / blob