2 * Copyright (C) 2000 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
10 #include <sys/kernel.h>
11 #include <sys/module.h>
13 #include <sys/socket.h>
14 #include <sys/sysctl.h>
15 #include <sys/select.h>
16 #if __FreeBSD_version >= 500000
17 # include <sys/selinfo.h>
20 #include <netinet/in_systm.h>
21 #include <netinet/in.h>
24 #include <netinet/ipl.h>
25 #include <netinet/ip_compat.h>
26 #include <netinet/ip_fil.h>
27 #include <netinet/ip_state.h>
28 #include <netinet/ip_nat.h>
29 #include <netinet/ip_auth.h>
30 #include <netinet/ip_frag.h>
31 #include <netinet/ip_sync.h>
/*
 * Device nodes for the ipf control devices, one slot per IPL_LOGSIZE minor.
 * Filled in by ipf_modload() (its make_dev() call passes the table index as
 * the minor and creates the node with mode 0600) and torn down entry by
 * entry in ipf_modunload().  The element type tracks the cdev API: struct
 * cdev * on FreeBSD >= 5.2.116, dev_t on older kernels.
 */
33 #if __FreeBSD_version >= 502116
34 static struct cdev *ipf_devs[IPL_LOGSIZE];
36 static dev_t ipf_devs[IPL_LOGSIZE];
/*
 * Forward declarations.  sysctl_ipf_int is the single handler every
 * SYSCTL_IPF() entry below routes through; ipf_modload/ipf_modunload are
 * the load/unload paths invoked from ipfilter_modevent().
 */
39 static int sysctl_ipf_int ( SYSCTL_HANDLER_ARGS );
40 static int ipf_modload(void);
41 static int ipf_modunload(void);
43 SYSCTL_DECL(_net_inet);
/*
 * Every IPF tunable is exported as an int and funnelled through
 * sysctl_ipf_int, so the "may this be written right now" decision lives in
 * exactly one place rather than in each OID.
 */
44 #define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \
45 SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|access, \
46 ptr, val, sysctl_ipf_int, "I", descr);
/*
 * CTLFLAG_OFF is an IPFilter-private bit stored in oid_kind.  An OID
 * carrying it (the CTLFLAG_RWO entries) may be read at any time but is only
 * writable while the filter is not running: sysctl_ipf_int rejects the write
 * when (oid_kind & CTLFLAG_OFF) && fr_running > 0.  This keeps table-sizing
 * parameters from being changed underneath live state/NAT tables.
 * NOTE(review): the value is chosen locally; confirm it does not overlap a
 * kernel-defined CTLFLAG_* bit on the FreeBSD versions this file targets.
 */
47 #define CTLFLAG_OFF 0x00800000 /* IPFilter must be disabled */
48 #define CTLFLAG_RWO (CTLFLAG_RW|CTLFLAG_OFF)
/*
 * net.inet.ipf.* tree.  Convention visible below: status values such as
 * fr_active, fr_running and fr_authused are read-only (CTLFLAG_RD);
 * timeouts and table sizes that shape state/NAT/auth storage are RWO and so
 * can only be tuned before the filter is enabled; the remaining knobs are
 * plain RW.  Description strings are intentionally empty in this version.
 */
49 SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
50 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, "");
51 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, "");
52 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, "");
53 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO,
54 &fr_tcpidletimeout, 0, "");
55 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO,
56 &fr_tcphalfclosed, 0, "");
57 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO,
58 &fr_tcpclosewait, 0, "");
59 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO,
60 &fr_tcplastack, 0, "");
61 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO,
62 &fr_tcptimeout, 0, "");
63 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
64 &fr_tcpclosed, 0, "");
65 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
66 &fr_udptimeout, 0, "");
67 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RWO,
68 &fr_udpacktimeout, 0, "");
69 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
70 &fr_icmptimeout, 0, "");
71 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO,
72 &fr_defnatage, 0, "");
73 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
75 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
77 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO,
78 &fr_statesize, 0, "");
79 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statemax, CTLFLAG_RWO,
81 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_nattable_sz, CTLFLAG_RWO,
82 &ipf_nattable_sz, 0, "");
83 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_natrules_sz, CTLFLAG_RWO,
84 &ipf_natrules_sz, 0, "");
85 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_rdrrules_sz, CTLFLAG_RWO,
86 &ipf_rdrrules_sz, 0, "");
87 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_hostmap_sz, CTLFLAG_RWO,
88 &ipf_hostmap_sz, 0, "");
89 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RWO,
91 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
93 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
94 &fr_defaultauthage, 0, "");
95 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, "");
96 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, "");
100 #if __FreeBSD_version >= 500043
101 # include <sys/select.h>
102 static int iplpoll(struct cdev *dev, int events, struct thread *td);
104 static struct cdevsw ipl_cdevsw = {
105 # if __FreeBSD_version >= 502103
106 .d_version = D_VERSION,
107 .d_flags = 0, /* D_NEEDGIANT - Should be SMP safe */
115 # if __FreeBSD_version >= 500043
118 # if __FreeBSD_version < 600000
123 static int iplpoll(dev_t dev, int events, struct proc *p);
125 static struct cdevsw ipl_cdevsw = {
127 /* close */ iplclose,
129 /* write */ iplwrite,
130 /* ioctl */ iplioctl,
133 /* strategy */ nostrategy,
135 /* maj */ CDEV_MAJOR,
139 # if (__FreeBSD_version < 500043)
142 # if (__FreeBSD_version > 430000)
/*
 * Names of the ipf control device nodes, NULL-terminated.  The position in
 * this table is the device minor: ipf_modload() passes the index to
 * make_dev() while creating each node, and ipf_modunload() walks the same
 * table to destroy them.
 */
static char *ipf_devfiles[] = {
	IPL_NAME,	/* minor 0 */
	IPNAT_NAME,
	IPSTATE_NAME,
	IPAUTH_NAME,
	IPSYNC_NAME,
	IPSCAN_NAME,
	IPLOOKUP_NAME,
	NULL		/* terminator */
};
153 ipfilter_modevent(module_t mod, int type, void *unused)
160 error = ipf_modload();
164 error = ipf_modunload();
177 char *defpass, *c, *str;
180 RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex");
181 RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
182 RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock");
186 RW_DESTROY(&ipf_global);
187 RW_DESTROY(&ipf_mutex);
188 RW_DESTROY(&ipf_frcache);
192 for (i = 0; i < IPL_LOGSIZE; i++)
195 for (i = 0; (str = ipf_devfiles[i]); i++) {
197 for(j = strlen(str); j > 0; j--)
204 ipf_devs[i] = make_dev(&ipl_cdevsw, i, 0, 0, 0600, c);
207 if (FR_ISPASS(fr_pass))
209 else if (FR_ISBLOCK(fr_pass))
212 defpass = "no-match -> block";
214 printf("%s initialized. Default = %s all, Logging = %s%s\n",
215 ipfilter_version, defpass,
221 #ifdef IPFILTER_COMPILED
239 if (fr_running >= 0) {
246 RW_DESTROY(&ipf_global);
247 RW_DESTROY(&ipf_mutex);
248 RW_DESTROY(&ipf_frcache);
252 for (i = 0; ipf_devfiles[i]; i++) {
253 if (ipf_devs[i] != NULL)
254 destroy_dev(ipf_devs[i]);
257 printf("%s unloaded\n", ipfilter_version);
263 static moduledata_t ipfiltermod = {
/*
 * Register the module with the kernel; load/unload requests presumably
 * arrive at ipfilter_modevent() through ipfiltermod's event handler (the
 * moduledata initialiser is not fully visible here - confirm).
 */
270 DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
271 #ifdef MODULE_VERSION
272 MODULE_VERSION(ipfilter, 1);
278 sysctl_ipf_int ( SYSCTL_HANDLER_ARGS )
283 error = SYSCTL_OUT(req, arg1, sizeof(int));
285 error = SYSCTL_OUT(req, &arg2, sizeof(int));
287 if (error || !req->newptr)
293 if ((oidp->oid_kind & CTLFLAG_OFF) && (fr_running > 0))
296 error = SYSCTL_IN(req, arg1, sizeof(int));
304 #if __FreeBSD_version >= 500043
305 iplpoll(struct cdev *dev, int events, struct thread *td)
307 iplpoll(dev_t dev, int events, struct proc *td)
310 u_int xmin = GET_MINOR(dev);
313 if (xmin < 0 || xmin > IPL_LOGMAX)
324 if ((events & (POLLIN | POLLRDNORM)) && ipflog_canread(xmin))
325 revents |= events & (POLLIN | POLLRDNORM);
329 if ((events & (POLLIN | POLLRDNORM)) && fr_auth_waiting())
330 revents |= events & (POLLIN | POLLRDNORM);
334 if ((events & (POLLIN | POLLRDNORM)) && ipfsync_canread())
335 revents |= events & (POLLIN | POLLRDNORM);
336 if ((events & (POLLOUT | POLLWRNORM)) && ipfsync_canwrite())
337 revents |= events & (POLLOUT | POLLWRNORM);
346 if ((revents == 0) && ((events & (POLLIN|POLLRDNORM)) != 0))
347 selrecord(td, &ipfselwait[xmin]);