2 * Copyright (C) 1993-1997 by Darren Reed.
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
9 static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
10 static const char rcsid[] = "@(#)$Id: fil.c,v 1.3 1998/06/20 18:37:49 peter Exp $";
13 #include "opt_ipfilter.h"
15 #include <sys/errno.h>
16 #include <sys/types.h>
17 #include <sys/param.h>
20 #if !defined(__FreeBSD__)
21 # include <sys/ioctl.h>
23 #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
24 # include <sys/systm.h>
31 #if !defined(__SVR4) && !defined(__svr4__)
33 # include <sys/mbuf.h>
36 # include <sys/byteorder.h>
37 # include <sys/dditypes.h>
38 # include <sys/stream.h>
40 #if defined(__FreeBSD__)
41 # include <sys/malloc.h>
44 # include <sys/protosw.h>
45 # include <sys/socket.h>
51 #include <net/route.h>
52 #include <netinet/in.h>
53 #include <netinet/in_systm.h>
54 #include <netinet/ip.h>
56 # include <netinet/ip_var.h>
58 #include <netinet/tcp.h>
59 #include <netinet/udp.h>
60 #include <netinet/ip_icmp.h>
61 #include "netinet/ip_compat.h"
62 #include <netinet/tcpip.h>
63 #include "netinet/ip_fil.h"
64 #include "netinet/ip_proxy.h"
65 #include "netinet/ip_nat.h"
66 #include "netinet/ip_frag.h"
67 #include "netinet/ip_state.h"
68 #include "netinet/ip_auth.h"
70 #define MIN(a,b) (((a)<(b))?(a):(b))
78 # define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; \
80 # define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; \
82 # define FR_VERBOSE(verb_pr) verbose verb_pr
83 # define FR_DEBUG(verb_pr) debug verb_pr
84 # define SEND_RESET(ip, qif, if, m) send_reset(ip, if)
85 # define IPLLOG(a, c, d, e) ipllog()
86 # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
88 # define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip)
90 # define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if)
92 #else /* #ifndef _KERNEL */
93 # define FR_IFVERBOSE(ex,second,verb_pr) ;
94 # define FR_IFDEBUG(ex,second,verb_pr) ;
95 # define FR_VERBOSE(verb_pr)
96 # define FR_DEBUG(verb_pr)
97 # define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
98 # if SOLARIS || defined(__sgi)
99 extern kmutex_t ipf_mutex, ipf_auth;
102 # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \
104 # define SEND_RESET(ip, qif, if) send_reset(ip, qif)
105 # define ICMP_ERROR(b, ip, t, c, if, src) \
106 icmp_error(ip, t, c, if, src)
108 # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
110 # define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip,\
113 # define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip)
116 # define ICMP_ERROR(b, ip, t, c, if, src) \
117 icmp_error(b, t, c, if, src, if)
121 # define ICMP_ERROR(b, ip, t, c, if, src) icmp_send(b,t,c,0,if)
123 # define ICMP_ERROR(b, ip, t, c, if, src) \
124 icmp_error(mtod(b, ip_t *), t, c, if, src)
127 # define ICMP_ERROR(b, ip, t, c, if, src) \
128 icmp_error(b, t, c, (src).s_addr, if)
129 # endif /* BSD < 199103 */
131 # endif /* SOLARIS || __sgi */
135 struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
136 struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
137 *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
138 struct frgroup *ipfgroups[3][2];
139 int fr_flags = IPF_LOGGING, fr_active = 0;
140 #if defined(IPFILTER_DEFAULT_BLOCK)
141 int fr_pass = FR_NOMATCH|FR_BLOCK;
143 int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
146 fr_info_t frcache[2];
148 static void fr_makefrip __P((int, ip_t *, fr_info_t *));
149 static int fr_tcpudpchk __P((frentry_t *, fr_info_t *));
150 static int frflushlist __P((int, int, int *, frentry_t *, frentry_t **));
154 * bit values for identifying presence of individual IP options
156 static struct optlist ipopts[20] = {
157 { IPOPT_NOP, 0x000001 },
158 { IPOPT_RR, 0x000002 },
159 { IPOPT_ZSU, 0x000004 },
160 { IPOPT_MTUP, 0x000008 },
161 { IPOPT_MTUR, 0x000010 },
162 { IPOPT_ENCODE, 0x000020 },
163 { IPOPT_TS, 0x000040 },
164 { IPOPT_TR, 0x000080 },
165 { IPOPT_SECURITY, 0x000100 },
166 { IPOPT_LSRR, 0x000200 },
167 { IPOPT_E_SEC, 0x000400 },
168 { IPOPT_CIPSO, 0x000800 },
169 { IPOPT_SATID, 0x001000 },
170 { IPOPT_SSRR, 0x002000 },
171 { IPOPT_ADDEXT, 0x004000 },
172 { IPOPT_VISA, 0x008000 },
173 { IPOPT_IMITD, 0x010000 },
174 { IPOPT_EIP, 0x020000 },
175 { IPOPT_FINN, 0x040000 },
180 * bit values for identifying presence of individual IP security options
182 static struct optlist secopt[8] = {
183 { IPSO_CLASS_RES4, 0x01 },
184 { IPSO_CLASS_TOPS, 0x02 },
185 { IPSO_CLASS_SECR, 0x04 },
186 { IPSO_CLASS_RES3, 0x08 },
187 { IPSO_CLASS_CONF, 0x10 },
188 { IPSO_CLASS_UNCL, 0x20 },
189 { IPSO_CLASS_RES2, 0x40 },
190 { IPSO_CLASS_RES1, 0x80 }
195 * compact the IP header into a structure which contains just the info.
196 * which is useful for comparing IP headers with.
198 static void fr_makefrip(hlen, ip, fin)
206 fr_ip_t *fi = &fin->fin_fi;
207 u_short optmsk = 0, secmsk = 0, auth = 0;
213 fin->fin_data[0] = 0;
214 fin->fin_data[1] = 0;
217 fin->fin_id = ip->ip_id;
219 fin->fin_icode = ipl_unreach;
222 fi->fi_tos = ip->ip_tos;
223 fin->fin_hlen = hlen;
224 fin->fin_dlen = ip->ip_len - hlen;
225 tcp = (tcphdr_t *)((char *)ip + hlen);
226 icmp = (icmphdr_t *)tcp;
227 fin->fin_dp = (void *)tcp;
228 (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
229 (*(((u_32_t *)fi) + 1)) = (*(((u_32_t *)ip) + 3));
230 (*(((u_32_t *)fi) + 2)) = (*(((u_32_t *)ip) + 4));
232 fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
233 off = (ip->ip_off & 0x1fff) << 3;
234 if (ip->ip_off & 0x3fff)
235 fi->fi_fl |= FI_FRAG;
240 int minicmpsz = sizeof(struct icmp);
242 if (!off && ip->ip_len > ICMP_MINLEN + hlen &&
243 (icmp->icmp_type == ICMP_ECHOREPLY ||
244 icmp->icmp_type == ICMP_UNREACH))
245 minicmpsz = ICMP_MINLEN;
246 if ((!(ip->ip_len >= hlen + minicmpsz) && !off) ||
247 (off && off < sizeof(struct icmp)))
248 fi->fi_fl |= FI_SHORT;
249 if (fin->fin_dlen > 1)
250 fin->fin_data[0] = *(u_short *)tcp;
254 fi->fi_fl |= FI_TCPUDP;
255 if ((!IPMINLEN(ip, tcphdr) && !off) ||
256 (off && off < sizeof(struct tcphdr)))
257 fi->fi_fl |= FI_SHORT;
258 if (!(fi->fi_fl & FI_SHORT) && !off)
259 fin->fin_tcpf = tcp->th_flags;
262 fi->fi_fl |= FI_TCPUDP;
263 if ((!IPMINLEN(ip, udphdr) && !off) ||
264 (off && off < sizeof(struct udphdr)))
265 fi->fi_fl |= FI_SHORT;
267 if (!off && (fin->fin_dlen > 3)) {
268 fin->fin_data[0] = ntohs(tcp->th_sport);
269 fin->fin_data[1] = ntohs(tcp->th_dport);
277 for (s = (u_char *)(ip + 1), hlen -= sizeof(*ip); hlen; ) {
280 ol = (opt == IPOPT_NOP) ? 1 : (int)*(s+1);
281 if (opt > 1 && (ol < 2 || ol > hlen))
283 for (i = 9, mv = 4; mv >= 0; ) {
285 if (opt == (u_char)op->ol_val) {
286 optmsk |= op->ol_bit;
287 if (opt == IPOPT_SECURITY) {
292 sec = *(s + 2); /* classification */
293 for (j = 3, m = 2; m >= 0; ) {
295 if (sec == sp->ol_val) {
296 secmsk |= sp->ol_bit;
302 if (sec < sp->ol_val)
310 if (opt < op->ol_val)
318 if (auth && !(auth & 0x0100))
320 fi->fi_optmsk = optmsk;
321 fi->fi_secmsk = secmsk;
327 * check an IP packet for TCP/UDP characteristics such as ports and flags.
329 static int fr_tcpudpchk(fr, fin)
333 register u_short po, tup;
335 register int err = 1;
338 * Both ports should *always* be in the first fragment.
339 * So far, I cannot find any cases where they can not be.
341 * compare destination ports
343 if ((i = (int)fr->fr_dcmp)) {
345 tup = fin->fin_data[1];
347 * Do opposite test to that required and
348 * continue if that succeeds.
350 if (!--i && tup != po) /* EQUAL */
352 else if (!--i && tup == po) /* NOTEQUAL */
354 else if (!--i && tup >= po) /* LESSTHAN */
356 else if (!--i && tup <= po) /* GREATERTHAN */
358 else if (!--i && tup > po) /* LT or EQ */
360 else if (!--i && tup < po) /* GT or EQ */
362 else if (!--i && /* Out of range */
363 (tup >= po && tup <= fr->fr_dtop))
365 else if (!--i && /* In range */
366 (tup <= po || tup >= fr->fr_dtop))
370 * compare source ports
372 if (err && (i = (int)fr->fr_scmp)) {
374 tup = fin->fin_data[0];
375 if (!--i && tup != po)
377 else if (!--i && tup == po)
379 else if (!--i && tup >= po)
381 else if (!--i && tup <= po)
383 else if (!--i && tup > po)
385 else if (!--i && tup < po)
387 else if (!--i && /* Out of range */
388 (tup >= po && tup <= fr->fr_stop))
390 else if (!--i && /* In range */
391 (tup <= po || tup >= fr->fr_stop))
396 * If we don't have all the TCP/UDP header, then how can we
397 * expect to do any sort of match on it ? If we were looking for
398 * TCP flags, then NO match. If not, then match (which should
399 * satisfy the "short" class too).
401 if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
402 if (fin->fin_fi.fi_fl & FI_SHORT)
403 return !(fr->fr_tcpf | fr->fr_tcpfm);
405 * Match the flags ? If not, abort this match.
408 fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) {
409 FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
410 fr->fr_tcpfm, fr->fr_tcpf));
418 * Check the input/output list of rules for a match and result.
419 * Could be per interface, but this gets real nasty when you don't have
422 int fr_scanlist(pass, ip, fin, m)
425 register fr_info_t *fin;
428 register struct frentry *fr;
429 register fr_ip_t *fi = &fin->fin_fi;
430 int rulen, portcmp = 0, off, skip = 0;
436 off = ip->ip_off & 0x1fff;
437 pass |= (fi->fi_fl << 24);
439 if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
442 for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
448 * In all checks below, a null (zero) value in the
449 * filter struture is taken to mean a wildcard.
451 * check that we are working for the right interface
454 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
457 if (opts & (OPT_VERBOSE|OPT_DEBUG))
459 FR_VERBOSE(("%c", (pass & FR_PASS) ? 'p' :
460 (pass & FR_AUTH) ? 'a' : 'b'));
461 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
466 register u_32_t *ld, *lm, *lip;
470 lm = (u_32_t *)&fr->fr_mip;
471 ld = (u_32_t *)&fr->fr_ip;
472 i = ((lip[0] & lm[0]) != ld[0]);
473 FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
474 lip[0], lm[0], ld[0]));
475 i |= ((lip[1] & lm[1]) != ld[1]) << 21;
476 FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
477 lip[1], lm[1], ld[1]));
478 i |= ((lip[2] & lm[2]) != ld[2]) << 22;
479 FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
480 lip[2], lm[2], ld[2]));
481 i |= ((lip[3] & lm[3]) != ld[3]);
482 FR_IFDEBUG(i,continue,("3. %#08x & %#08x != %#08x\n",
483 lip[3], lm[3], ld[3]));
484 i |= ((lip[4] & lm[4]) != ld[4]);
485 FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
486 lip[4], lm[4], ld[4]));
487 i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP));
493 * If a fragment, then only the first has what we're looking
496 if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
499 if (fi->fi_fl & FI_TCPUDP) {
500 if (!fr_tcpudpchk(fr, fin))
502 } else if (fr->fr_icmpm || fr->fr_icmp) {
503 if ((fi->fi_p != IPPROTO_ICMP) || off ||
506 if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
507 FR_DEBUG(("i. %#x & %#x != %#x\n",
508 fin->fin_data[0], fr->fr_icmpm,
515 * Just log this packet...
517 if (!(skip = fr->fr_skip))
519 if ((pass & FR_CALLNOW) && fr->fr_func)
520 pass = (*fr->fr_func)(pass, ip, fin);
522 if ((pass & FR_LOGMASK) == FR_LOG) {
523 if (!IPLLOG(fr->fr_flags, ip, fin, m))
524 frstats[fin->fin_out].fr_skip++;
525 frstats[fin->fin_out].fr_pkl++;
527 #endif /* IPFILTER_LOG */
528 FR_DEBUG(("pass %#x\n", pass));
530 if (pass & FR_ACCOUNT)
531 fr->fr_bytes += (U_QUAD_T)ip->ip_len;
533 fin->fin_icode = fr->fr_icode;
534 fin->fin_rule = rulen;
535 fin->fin_group = fr->fr_group;
538 fin->fin_fr = fr->fr_grp;
539 pass = fr_scanlist(pass, ip, fin, m);
540 if (fin->fin_fr == NULL) {
541 fin->fin_rule = rulen;
542 fin->fin_group = fr->fr_group;
554 * frcheck - filter check
555 * check using source and destination addresses/pors in a packet whether
556 * or not to pass it on or not.
558 int fr_check(ip, hlen, ifp, out
559 #if defined(_KERNEL) && SOLARIS
572 * The above really sucks, but short of writing a diff
574 fr_info_t frinfo, *fc;
575 register fr_info_t *fin = &frinfo;
576 frentry_t *fr = NULL;
577 int pass, changed, apass, error = EHOSTUNREACH;
578 #if !SOLARIS || !defined(_KERNEL)
579 register mb_t *m = *mp;
584 # if !defined(__SVR4) && !defined(__svr4__)
586 char hbuf[(0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8];
592 * XXX For now, IP Filter and fast-forwarding of cached flows
593 * XXX are mutually exclusive. Eventually, IP Filter should
594 * XXX get a "can-fast-forward" filter rule.
596 m->m_flags &= ~M_CANFASTFWD;
597 #endif /* M_CANFASTFWD */
599 if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP ||
600 ip->ip_p == IPPROTO_ICMP)) {
606 plen = sizeof(tcphdr_t);
609 plen = sizeof(udphdr_t);
612 /* 96 - enough for complete ICMP error IP header */
613 plen = sizeof(struct icmp) + sizeof(ip_t) + 8;
616 up = MIN(hlen + plen, ip->ip_len);
619 #ifdef __sgi /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */
620 if ((up > sizeof(hbuf)) || (m_length(m) < up)) {
621 frstats[out].fr_pull[1]++;
624 m_copydata(m, 0, up, hbuf);
625 frstats[out].fr_pull[0]++;
629 if ((*mp = m_pullup(m, up)) == 0) {
630 frstats[out].fr_pull[1]++;
633 frstats[out].fr_pull[0]++;
635 ip = mtod(m, ip_t *);
648 fr_makefrip(hlen, ip, fin);
653 MUTEX_ENTER(&ipf_mutex);
656 * Check auth now. This, combined with the check below to see if apass
657 * is 0 is to ensure that we don't count the packet twice, which can
658 * otherwise occur when we reprocess it. As it is, we only count it
659 * after it has no auth. table matchup. This also stops NAT from
660 * occuring until after the packet has been auth'd.
662 apass = fr_checkauth(ip, fin);
665 changed = ip_natin(ip, hlen, fin);
666 if (!apass && (fin->fin_fr = ipacct[0][fr_active]) &&
667 (FR_SCANLIST(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT))
668 frstats[0].fr_acct++;
671 if (apass || (!(pass = ipfr_knownfrag(ip, fin)) &&
672 !(pass = fr_checkstate(ip, fin)))) {
674 * If a packet is found in the auth table, then skip checking
675 * the access lists for permission but we do need to consider
676 * the result as if it were from the ACL's.
680 if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
682 * copy cached data so we can unlock the mutex
685 bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
686 frstats[out].fr_chit++;
687 if ((fr = fin->fin_fr)) {
694 if ((fin->fin_fr = ipfilter[out][fr_active]))
695 pass = FR_SCANLIST(fr_pass, ip, fin, m);
696 bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
697 if (pass & FR_NOMATCH)
698 frstats[out].fr_nom++;
705 * If we fail to add a packet to the authorization queue,
706 * then we drop the packet later. However, if it was added
707 * then pretend we've dropped it already.
709 if ((pass & FR_AUTH))
710 if (FR_NEWAUTH(m, fin, ip, qif) != 0)
717 if (pass & FR_PREAUTH) {
718 MUTEX_ENTER(&ipf_auth);
719 if ((fin->fin_fr = ipauth) &&
720 (pass = FR_SCANLIST(0, ip, fin, m)))
721 fr_authstats.fas_hits++;
723 fr_authstats.fas_miss++;
724 MUTEX_EXIT(&ipf_auth);
727 if (pass & FR_KEEPFRAG) {
728 if (fin->fin_fi.fi_fl & FI_FRAG) {
729 if (ipfr_newfrag(ip, fin, pass) == -1)
730 frstats[out].fr_bnfr++;
732 frstats[out].fr_nfr++;
734 frstats[out].fr_cfr++;
736 if (pass & FR_KEEPSTATE) {
737 if (fr_addstate(ip, fin, pass) == -1)
738 frstats[out].fr_bads++;
740 frstats[out].fr_ads++;
744 if (fr && fr->fr_func && !(pass & FR_CALLNOW))
745 pass = (*fr->fr_func)(pass, ip, fin);
748 * Only count/translate packets which will be passed on, out the
751 if (out && (pass & FR_PASS)) {
752 if ((fin->fin_fr = ipacct[1][fr_active]) &&
753 (FR_SCANLIST(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT))
754 frstats[1].fr_acct++;
756 changed = ip_natout(ip, hlen, fin);
759 MUTEX_EXIT(&ipf_mutex);
762 if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
763 if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
764 pass |= FF_LOGNOMATCH;
765 frstats[out].fr_npkl++;
767 } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
768 ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
769 if ((pass & FR_LOGMASK) != FR_LOGP)
771 frstats[out].fr_ppkl++;
773 } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
774 ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
775 if ((pass & FR_LOGMASK) != FR_LOGB)
777 frstats[out].fr_bpkl++;
779 if (!IPLLOG(pass, ip, fin, m)) {
780 frstats[out].fr_skip++;
781 if ((pass & (FR_PASS|FR_LOGORBLOCK)) ==
782 (FR_PASS|FR_LOGORBLOCK))
783 pass ^= FR_PASS|FR_BLOCK;
787 #endif /* IPFILTER_LOG */
790 * Only allow FR_DUP to work if a rule matched - it makes no sense to
791 * set FR_DUP as a "default" as there are no instructions about where
792 * to send the packet.
794 if (fr && (pass & FR_DUP))
799 mc = m_copy(m, 0, M_COPYALL);
806 frstats[out].fr_pass++;
807 else if (pass & FR_BLOCK) {
808 frstats[out].fr_block++;
810 * Should we return an ICMP packet to indicate error
811 * status passing through the packet filter ?
812 * WARNING: ICMP error packets AND TCP RST packets should
813 * ONLY be sent in repsonse to incoming packets. Sending them
814 * in response to outbound packets can result in a panic on
815 * some operating systems.
819 if (pass & FR_RETICMP) {
821 ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
824 ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
826 m = *mp = NULL; /* freed by icmp_error() */
830 } else if ((pass & FR_RETRST) &&
831 !(fin->fin_fi.fi_fl & FI_SHORT)) {
832 if (SEND_RESET(ip, qif, ifp) == 0)
836 if (pass & FR_RETICMP) {
837 verbose("- ICMP unreachable sent\n");
839 } else if ((pass & FR_RETRST) &&
840 !(fin->fin_fi.fi_fl & FI_SHORT)) {
841 verbose("- TCP RST sent\n");
846 if (pass & FR_RETRST)
852 * If we didn't drop off the bottom of the list of rules (and thus
853 * the 'current' rule fr is not NULL), then we may have some extra
854 * instructions about what to do with a packet.
855 * Once we're finished return to our caller, freeing the packet if
856 * we are dropping it (* BSD ONLY *).
862 frdest_t *fdp = &fr->fr_tif;
864 if ((pass & FR_FASTROUTE) ||
865 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
866 ipfr_fastroute(m, fin, fdp);
870 ipfr_fastroute(mc, fin, &fr->fr_dif);
872 if (!(pass & FR_PASS) && m)
875 else if (changed && up && m)
876 m_copyback(m, 0, up, hbuf);
879 return (pass & FR_PASS) ? 0 : error;
880 # else /* !SOLARIS */
882 frdest_t *fdp = &fr->fr_tif;
884 if ((pass & FR_FASTROUTE) ||
885 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
886 ipfr_fastroute(qif, ip, m, mp, fin, fdp);
890 ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif);
892 return (pass & FR_PASS) ? changed : error;
893 # endif /* !SOLARIS */
895 if (pass & FR_NOMATCH)
908 * addr should be 16bit aligned and len is in bytes.
911 u_short ipf_cksum(addr, len)
912 register u_short *addr;
915 register u_32_t sum = 0;
917 for (sum = 0; len > 1; len -= 2)
920 /* mop up an odd byte, if necessary */
922 sum += *(u_char *)addr;
925 * add back carry outs from top 16 bits to low 16 bits
927 sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
928 sum += (sum >> 16); /* add carry */
929 return (u_short)(~sum);
934 * NB: This function assumes we've pullup'd enough for all of the IP header
935 * and the TCP header. We also assume that data blocks aren't allocated in
938 u_short fr_tcpsum(m, ip, tcp, len)
950 # if SOLARIS || defined(__sgi)
955 /* skip any leading M_PROTOs */
956 while(m && (MTYPE(m) != M_DATA))
958 PANIC((!m),("fr_tcpsum: no M_DATA"));
962 * Add up IP Header portion
965 bytes.c[1] = IPPROTO_TCP;
966 len -= (ip->ip_hl << 2);
968 sum += htons((u_short)len);
969 sp = (u_short *)&ip->ip_src;
974 if (sp != (u_short *)tcp)
984 sp += 2; /* Skip over checksum */
989 * In case we had to copy the IP & TCP header out of mblks,
990 * skip over the mblk bits which are the header
992 if ((caddr_t)ip != (caddr_t)m->b_rptr) {
993 hlen = (caddr_t)sp - (caddr_t)ip;
995 add = MIN(hlen, m->b_wptr - m->b_rptr);
996 sp = (u_short *)((caddr_t)m->b_rptr + add);
998 if ((caddr_t)sp >= (caddr_t)m->b_wptr) {
1000 PANIC((!m),("fr_tcpsum: not enough data"));
1002 sp = (u_short *)m->b_rptr;
1009 * In case we had to copy the IP & TCP header out of mbufs,
1010 * skip over the mbuf bits which are the header
1012 if ((caddr_t)ip != mtod(m, caddr_t)) {
1013 hlen = (caddr_t)sp - (caddr_t)ip;
1015 add = MIN(hlen, m->m_len);
1016 sp = (u_short *)(mtod(m, caddr_t) + add);
1018 if (add >= m->m_len) {
1020 PANIC((!m),("fr_tcpsum: not enough data"));
1022 sp = mtod(m, u_short *);
1028 if (!(len -= sizeof(*tcp)))
1032 while ((caddr_t)sp >= (caddr_t)m->b_wptr) {
1034 PANIC((!m),("fr_tcpsum: not enough data"));
1035 sp = (u_short *)m->b_rptr;
1038 while (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len)
1041 PANIC((!m),("fr_tcpsum: not enough data"));
1042 sp = mtod(m, u_short *);
1044 #endif /* SOLARIS */
1047 if((u_32_t)sp & 1) {
1048 bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
1056 bytes.c[0] = *(u_char *)sp;
1060 sum = (sum >> 16) + (sum & 0xffff);
1062 sum = (u_short)((~sum) & 0xffff);
1067 #if defined(_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || defined(__sgi) )
1069 * Copyright (c) 1982, 1986, 1988, 1991, 1993
1070 * The Regents of the University of California. All rights reserved.
1072 * Redistribution and use in source and binary forms, with or without
1073 * modification, are permitted provided that the following conditions
1075 * 1. Redistributions of source code must retain the above copyright
1076 * notice, this list of conditions and the following disclaimer.
1077 * 2. Redistributions in binary form must reproduce the above copyright
1078 * notice, this list of conditions and the following disclaimer in the
1079 * documentation and/or other materials provided with the distribution.
1080 * 3. All advertising materials mentioning features or use of this software
1081 * must display the following acknowledgement:
1082 * This product includes software developed by the University of
1083 * California, Berkeley and its contributors.
1084 * 4. Neither the name of the University nor the names of its contributors
1085 * may be used to endorse or promote products derived from this software
1086 * without specific prior written permission.
1088 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1089 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1090 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1091 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1092 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1093 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1094 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1095 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1096 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1097 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1100 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
1101 * $Id: fil.c,v 1.3 1998/06/20 18:37:49 peter Exp $
1104 * Copy data from an mbuf chain starting "off" bytes from the beginning,
1105 * continuing for "len" bytes, into the indicated buffer.
1108 m_copydata(m, off, len, cp)
1114 register unsigned count;
1116 if (off < 0 || len < 0)
1117 panic("m_copydata");
1120 panic("m_copydata");
1128 panic("m_copydata");
1129 count = MIN(m->m_len - off, len);
1130 bcopy(mtod(m, caddr_t) + off, cp, count);
1141 * Copy data from a buffer back into the indicated mbuf chain,
1142 * starting "off" bytes from the beginning, extending the mbuf
1143 * chain if necessary.
1146 m_copyback(m0, off, len, cp)
1153 register struct mbuf *m = m0, *n;
1158 while (off > (mlen = m->m_len)) {
1161 if (m->m_next == 0) {
1162 n = m_getclr(M_DONTWAIT, m->m_type);
1165 n->m_len = min(MLEN, len + off);
1171 mlen = min (m->m_len - off, len);
1172 bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
1180 if (m->m_next == 0) {
1181 n = m_get(M_DONTWAIT, m->m_type);
1184 n->m_len = min(MLEN, len);
1191 if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
1192 m->m_pkthdr.len = totlen;
1197 #endif /* (_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || __sgi) */
1200 frgroup_t *fr_findgroup(num, flags, which, set, fgpp)
1206 frgroup_t *fg, **fgp;
1208 if (which == IPL_LOGAUTH)
1209 fgp = &ipfgroups[2][set];
1210 else if (flags & FR_ACCOUNT)
1211 fgp = &ipfgroups[1][set];
1212 else if (flags & (FR_OUTQUE|FR_INQUE))
1213 fgp = &ipfgroups[0][set];
1218 if (fg->fg_num == num)
1228 frgroup_t *fr_addgroup(num, fp, which, set)
1233 frgroup_t *fg, **fgp;
1235 if ((fg = fr_findgroup(num, fp->fr_flags, which, set, &fgp)))
1238 KMALLOC(fg, frgroup_t *, sizeof(*fg));
1243 fg->fg_start = &fp->fr_grp;
1250 void fr_delgroup(num, flags, which, set)
1255 frgroup_t *fg, **fgp;
1257 if (!(fg = fr_findgroup(num, flags, which, set, &fgp)))
1267 * recursively flush rules from the list, descending groups as they are
1268 * encountered. if a rule is the head of a group and it has lost all its
1269 * group members, then also delete the group reference.
1271 static int frflushlist(set, unit, nfreedp, list, listp)
1272 int set, unit, *nfreedp;
1273 frentry_t *list, **listp;
1275 register frentry_t *fp = list, *fpn;
1276 register int freed = 0;
1281 fp->fr_ref -= frflushlist(set, unit, nfreedp,
1282 fp->fr_grp, &fp->fr_grp);
1285 if (fp->fr_ref == 1) {
1287 fr_delgroup(fp->fr_grhead, fp->fr_flags, unit,
1300 void frflush(unit, result)
1304 int flags = *result, flushed = 0, set = fr_active;
1306 bzero((char *)frcache, sizeof(frcache[0]) * 2);
1308 if (flags & FR_INACTIVE)
1311 if (unit == IPL_LOGIPF) {
1312 if (flags & FR_OUTQUE) {
1313 (void) frflushlist(set, unit, &flushed,
1316 (void) frflushlist(set, unit, &flushed,
1317 ipacct[1][set], &ipacct[1][set]);
1319 if (flags & FR_INQUE) {
1320 (void) frflushlist(set, unit, &flushed,
1323 (void) frflushlist(set, unit, &flushed,
1324 ipacct[0][set], &ipacct[0][set]);
projects / FreeBSD / FreeBSD.git / blob