4 * Copyright (C) 1993-2003 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
9 static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
10 static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.50 2007/09/20 12:51:50 darrenr Exp $";
13 #if defined(KERNEL) || defined(_KERNEL)
19 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
20 !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
21 # include "opt_inet6.h"
23 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 440000) && \
24 !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
25 # include "opt_random_ip_id.h"
27 #include <sys/param.h>
28 #if defined(__FreeBSD__) && !defined(__FreeBSD_version)
29 # if defined(IPFILTER_LKM)
30 # ifndef __FreeBSD_cc_version
31 # include <osreldate.h>
33 # if __FreeBSD_cc_version < 430000
34 # include <osreldate.h>
39 #include <sys/errno.h>
40 #include <sys/types.h>
42 #if __FreeBSD_version >= 220000
43 # include <sys/fcntl.h>
44 # include <sys/filio.h>
46 # include <sys/ioctl.h>
49 #include <sys/systm.h>
50 #if (__FreeBSD_version >= 300000)
51 # include <sys/dirent.h>
56 # include <sys/mbuf.h>
58 #include <sys/protosw.h>
59 #include <sys/socket.h>
60 #if __FreeBSD_version >= 500043
61 # include <sys/selinfo.h>
63 # include <sys/select.h>
67 #if __FreeBSD_version >= 300000
68 # include <net/if_var.h>
69 # if __FreeBSD_version >= 500043
70 # include <net/netisr.h>
72 # if !defined(IPFILTER_LKM)
73 # include "opt_ipfilter.h"
76 #include <net/route.h>
77 #include <netinet/in.h>
78 #include <netinet/in_var.h>
79 #include <netinet/in_systm.h>
80 #include <netinet/ip.h>
81 #include <netinet/ip_var.h>
82 #include <netinet/tcp.h>
84 # include <netinet/tcp_timer.h>
86 #include <netinet/udp.h>
87 #include <netinet/tcpip.h>
88 #include <netinet/ip_icmp.h>
90 # include "netinet/ipf.h"
92 #include "netinet/ip_compat.h"
94 # include <netinet/icmp6.h>
96 #include "netinet/ip_fil.h"
97 #include "netinet/ip_nat.h"
98 #include "netinet/ip_frag.h"
99 #include "netinet/ip_state.h"
100 #include "netinet/ip_proxy.h"
101 #include "netinet/ip_auth.h"
103 #include "netinet/ip_sync.h"
106 #include "netinet/ip_scan.h"
108 #include "netinet/ip_pool.h"
109 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
110 # include <sys/malloc.h>
112 #include <sys/kernel.h>
113 #ifdef CSUM_DATA_VALID
114 #include <machine/in_cksum.h>
/* File-scope declarations shared by the routines in this file. */
/* ip_optcopy() is defined elsewhere; it is called when fragment headers are built. */
116 extern int ip_optcopy __P((struct ip *, struct ip *));
118 #if (__FreeBSD_version > 460000)
/* Read by fr_send_ip() to decide whether IP_DF is set on generated packets. */
119 extern int path_mtu_discovery;
122 # ifdef IPFILTER_M_IPFILTER
123 MALLOC_DEFINE(M_IPFILTER, "ipfilter", "IP Filter packet filter data structures");
127 #if !defined(__osf__)
/* Protocol switch table; indexed via ip_protox[] when (un)hooking pfil on older kernels. */
128 extern struct protosw inetsw[];
/* Holds the previous fr_checkp value while this filter is installed. */
131 static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **));
132 static int fr_send_ip __P((fr_info_t *, mb_t *, mb_t **));
/*
 * Mutexes and read/write locks used by the filter.  Of these, this file
 * itself initialises and destroys ipf_rw, ipf_timeoutlock, ipf_ipidfrag and
 * ipf_tokens.
 */
134 ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert;
135 ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
136 ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ipf_frcache, ipf_tokens;
137 ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
/* Tested against 1 before the locks are destroyed on detach. */
139 int ipf_locks_done = 0;
141 #if (__FreeBSD_version >= 300000)
/* Handle returned by timeout() for the slow timer; needed by untimeout(). */
142 struct callout_handle fr_slowtimer_ch;
/* One selinfo per log device; zeroed when the filter attaches. */
144 struct selinfo ipfselwait[IPL_LOGSIZE];
146 #if (__FreeBSD_version >= 500011)
147 # include <sys/conf.h>
148 # if defined(NETBSD_PF)
149 # include <net/pfil.h>
150 # include <netinet/ipprotosw.h>
152 * We provide the fr_checkp name just to minimize changes later.
/*
 * Packet-check entry point pointer.  The attach code saves its old value in
 * fr_savep and points it at fr_check; the detach code restores fr_savep.
 */
154 int (*fr_checkp) __P((ip_t *ip, int hlen, void *ifp, int out, mb_t **mp));
155 # endif /* NETBSD_PF */
156 #endif /* __FreeBSD_version >= 500011 */
159 #if (__FreeBSD_version >= 502103)
/*
 * Tags returned by EVENTHANDLER_REGISTER() for the interface arrival,
 * departure and clone events; kept so the handlers can be deregistered.
 */
160 static eventhandler_tag ipf_arrivetag, ipf_departtag, ipf_clonetag;
/* Single callback registered for all three interface events (body not shown in this listing). */
162 static void ipf_ifevent(void *arg);
164 static void ipf_ifevent(arg)
172 #if (__FreeBSD_version >= 501108) && defined(_KERNEL)
/*
 * pfil hook adapter for IPv4: takes the IP header from the first mbuf and
 * calls fr_check() with ip_hl << 2 as the header length and
 * (dir == PFIL_OUT) as the outbound flag.  arg is unused.
 */
175 fr_check_wrapper(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
177 struct ip *ip = mtod(*mp, struct ip *);
178 return fr_check(ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT), mp);
182 # include <netinet/ip6.h>
/*
 * pfil hook adapter for IPv6: same as above, but the header length passed to
 * fr_check() is the fixed sizeof(struct ip6_hdr).
 */
185 fr_check_wrapper6(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
187 return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
188 ifp, (dir == PFIL_OUT), mp));
191 #endif /* __FreeBSD_version >= 501108 */
192 #if defined(IPFILTER_LKM)
/*
 * NOTE(review): the enclosing function header is not visible in this
 * listing.  The visible fragment only compares the name s against "ipl".
 */
196 if (strcmp(s, "ipl") == 0)
200 #endif /* IPFILTER_LKM */
/*
 * Attach sequence.  NOTE(review): the function header is not visible in this
 * listing; presumably this is the body of the attach routine.
 */
/* A positive fr_running gets special handling (branch body not shown). */
210 if (fr_running > 0) {
/* Create the locks this file owns; the detach code destroys the same four. */
215 MUTEX_INIT(&ipf_rw, "ipf rw mutex");
216 MUTEX_INIT(&ipf_timeoutlock, "ipf timeout queue mutex");
217 RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
218 RWLOCK_INIT(&ipf_tokens, "ipf token rwlock");
/* A negative return from fr_initialise() is treated as failure. */
221 if (fr_initialise() < 0) {
/* Remember whatever hook was installed before and install fr_check in its place. */
227 if (fr_checkp != fr_check) {
228 fr_savep = fr_checkp;
229 fr_checkp = fr_check;
/* Start from clean select-wait state and an empty rule cache. */
232 bzero((char *)ipfselwait, sizeof(ipfselwait));
233 bzero((char *)frcache, sizeof(frcache));
/* Bit 0 of fr_control_forwarding triggers an action on attach (body not shown). */
236 if (fr_control_forwarding & 1)
/*
 * Schedule fr_slowtimer after (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT ticks.  On
 * newer kernels the returned handle is kept for untimeout().
 */
240 #if (__FreeBSD_version >= 300000)
241 fr_slowtimer_ch = timeout(fr_slowtimer, NULL,
242 (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
244 timeout(fr_slowtimer, NULL, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
251 * Disable the filter by removing the hooks from the IP input/output
/*
 * Detach sequence.  NOTE(review): the function header is not visible in this
 * listing; presumably this is the body of the detach routine.
 */
/* Bit 1 of fr_control_forwarding triggers an action on detach (body not shown). */
259 if (fr_control_forwarding & 2)
/* Cancel the pending slow timer, then clear the handle so it is not reused. */
264 #if (__FreeBSD_version >= 300000)
265 if (fr_slowtimer_ch.callout != NULL)
266 untimeout(fr_slowtimer, NULL, fr_slowtimer_ch);
267 bzero(&fr_slowtimer_ch, sizeof(fr_slowtimer_ch));
269 untimeout(fr_slowtimer, NULL);
/* Put back the hook value that was saved when the filter attached. */
273 if (fr_checkp != NULL)
274 fr_checkp = fr_savep;
/* Flush the in and out rule queues twice: once with FR_INACTIVE and once without. */
282 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
283 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
/* Only tear the locks down if ipf_locks_done says they were set up. */
285 if (ipf_locks_done == 1) {
286 MUTEX_DESTROY(&ipf_timeoutlock);
287 MUTEX_DESTROY(&ipf_rw);
288 RW_DESTROY(&ipf_ipidfrag);
289 RW_DESTROY(&ipf_tokens);
300 * Filter ioctl interface.
/*
 * ioctl entry point for the ipl devices.  It validates the caller and the
 * device minor, restricts what may be done while the filter is not running,
 * and hands the request to fr_ioctlswitch() under a read lock on ipf_global.
 */
302 int iplioctl(dev, cmd, data, mode
303 # if defined(_KERNEL) && ((BSD >= 199506) || (__FreeBSD_version >= 220000))
305 # if (__FreeBSD_version >= 500024)
307 # if (__FreeBSD_version >= 500043)
/* p_uid is mapped onto whichever credential field the kernel version provides. */
308 # define p_uid td_ucred->cr_ruid
310 # define p_uid t_proc->p_cred->p_ruid
314 # define p_uid p_cred->p_ruid
315 # endif /* __FreeBSD_version >= 500024 */
319 #if defined(_KERNEL) && (__FreeBSD_version >= 502116)
328 int error = 0, unit = 0;
331 #if (BSD >= 199306) && defined(_KERNEL)
/* Write-mode access at securelevel 3 or above is singled out (action not shown). */
332 if ((securelevel >= 3) && (mode & FWRITE))
/* The device minor selects the logical unit; it must lie in 0..IPL_LOGMAX. */
336 unit = GET_MINOR(dev);
337 if ((IPL_LOGMAX < unit) || (unit < 0))
/*
 * While the filter is not running, only the IPL_LOGIPF unit and the commands
 * named below get past these checks.
 */
340 if (fr_running <= 0) {
341 if (unit != IPL_LOGIPF)
343 if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET &&
344 cmd != SIOCIPFSET && cmd != SIOCFRENB &&
345 cmd != SIOCGETFS && cmd != SIOCGETFF)
350 READ_ENTER(&ipf_global);
352 error = fr_ioctlswitch(unit, data, cmd, mode, p->p_uid, p);
/* Two unlock sites are visible; presumably they sit on different exit paths. */
354 RWLOCK_EXIT(&ipf_global);
359 RWLOCK_EXIT(&ipf_global);
/*
 * Invalidate every reference to interface ifp held by active rules.
 *
 * Under a write lock on ipf_mutex, walks the active accounting and filter
 * rule lists (both list indices, and the IPv6 lists too) and replaces any
 * fr_ifa equal to ifp with the sentinel (void *)-1.
 */
367 void fr_forgetifp(ifp)
370 register frentry_t *f;
372 WRITE_ENTER(&ipf_mutex);
/* IPv4 accounting rules. */
373 for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
374 if (f->fr_ifa == ifp)
375 f->fr_ifa = (void *)-1;
376 for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
377 if (f->fr_ifa == ifp)
378 f->fr_ifa = (void *)-1;
/* IPv4 filter rules. */
379 for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
380 if (f->fr_ifa == ifp)
381 f->fr_ifa = (void *)-1;
382 for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
383 if (f->fr_ifa == ifp)
384 f->fr_ifa = (void *)-1;
/* IPv6 accounting rules. */
386 for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
387 if (f->fr_ifa == ifp)
388 f->fr_ifa = (void *)-1;
389 for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
390 if (f->fr_ifa == ifp)
391 f->fr_ifa = (void *)-1;
/* IPv6 filter rules. */
392 for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
393 if (f->fr_ifa == ifp)
394 f->fr_ifa = (void *)-1;
395 for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
396 if (f->fr_ifa == ifp)
397 f->fr_ifa = (void *)-1;
399 RWLOCK_EXIT(&ipf_mutex);
406 * routines below for saving IP headers to buffer
/*
 * Device open entry point.  The parameter list varies with the kernel
 * version; the visible logic only validates the device minor.
 */
408 int iplopen(dev, flags
409 #if ((BSD >= 199506) || (__FreeBSD_version >= 220000)) && defined(_KERNEL)
412 # if (__FreeBSD_version >= 500024)
416 # endif /* __FreeBSD_version >= 500024 */
420 #if defined(_KERNEL) && (__FreeBSD_version >= 502116)
/* min is unsigned, so only the upper bound needs checking. */
427 u_int min = GET_MINOR(dev);
429 if (IPL_LOGMAX < min)
/*
 * Device close entry point.  Like the open routine, the visible logic only
 * validates the device minor against IPL_LOGMAX.
 */
437 int iplclose(dev, flags
438 #if ((BSD >= 199506) || (__FreeBSD_version >= 220000)) && defined(_KERNEL)
441 # if (__FreeBSD_version >= 500024)
445 # endif /* __FreeBSD_version >= 500024 */
449 #if defined(_KERNEL) && (__FreeBSD_version >= 502116)
/* min is unsigned, so only the upper bound needs checking. */
456 u_int min = GET_MINOR(dev);
458 if (IPL_LOGMAX < min)
467 * both of these must operate with at least splnet() lest they be
468 * called during packet processing and cause an inconsistency to appear in
/*
 * Device read entry point.  Two signatures are provided (with and without
 * ioflag), selected by preprocessor conditions not shown in this listing.
 */
472 int iplread(dev, uio, ioflag)
475 int iplread(dev, uio)
477 #if defined(_KERNEL) && (__FreeBSD_version >= 502116)
482 register struct uio *uio;
484 u_int xmin = GET_MINOR(dev);
/* With IPFILTER_SYNC, reads on the sync device go to ipfsync_read(). */
492 # ifdef IPFILTER_SYNC
493 if (xmin == IPL_LOGSYNC)
494 return ipfsync_read(uio);
/* The visible fall-through reads from the log buffer of the selected unit. */
498 return ipflog_read(xmin, uio);
507 * both of these must operate with at least splnet() lest they be
508 * called during packet processing and cause an inconsistency to appear in
/*
 * Device write entry point.  Two signatures are provided (with and without
 * ioflag), selected by preprocessor conditions not shown in this listing.
 */
512 int iplwrite(dev, uio, ioflag)
515 int iplwrite(dev, uio)
517 #if defined(_KERNEL) && (__FreeBSD_version >= 502116)
522 register struct uio *uio;
/* Writes on the sync device are handed to ipfsync_write(). */
529 if (GET_MINOR(dev) == IPL_LOGSYNC)
530 return ipfsync_write(uio);
537 * fr_send_reset - this could conceivably be a call to tcp_respond(), but that
538 * requires a large amount of setting up and isn't any more efficient.
/*
 * Build a TCP RST in reply to the packet described by fin and hand it to
 * fr_send_ip().  Returns -1 when the offending segment is itself a RST;
 * the other early-exit values are not shown in this listing.
 */
540 int fr_send_reset(fin)
543 struct tcphdr *tcp, *tcp2;
/* Never answer a RST with a RST. */
552 if (tcp->th_flags & TH_RST)
553 return -1; /* feedback loop */
/* A failed layer-4 checksum is singled out here (action not shown). */
555 if (fr_checkl4sum(fin) == -1)
/*
 * tlen is the data length after the TCP header, plus one each if SYN or FIN
 * is set; it is added to the sequence number to form the ACK below.
 */
558 tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
559 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
560 ((tcp->th_flags & TH_FIN) ? 1 : 0);
563 hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
568 MGETHDR(m, M_DONTWAIT, MT_HEADER);
570 MGET(m, M_DONTWAIT, MT_HEADER);
/* Attach a cluster when IP + TCP headers do not fit in a plain mbuf. */
574 if (sizeof(*tcp2) + hlen > MLEN) {
575 MCLGET(m, M_DONTWAIT);
576 if ((m->m_flags & M_EXT) == 0) {
582 m->m_len = sizeof(*tcp2) + hlen;
/* Leave room in front of the packet for a link-layer header. */
584 m->m_data += max_linkhdr;
585 m->m_pkthdr.len = m->m_len;
586 m->m_pkthdr.rcvif = (struct ifnet *)0;
588 ip = mtod(m, struct ip *);
589 bzero((char *)ip, hlen);
/* The reply travels in the opposite direction, so swap the ports. */
593 tcp2 = (struct tcphdr *)((char *)ip + hlen);
594 tcp2->th_sport = tcp->th_dport;
595 tcp2->th_dport = tcp->th_sport;
/*
 * If the offending segment carried an ACK, its ack number becomes the RST's
 * sequence number.  Otherwise the RST acknowledges seq + tlen and is sent as
 * RST|ACK.
 */
597 if (tcp->th_flags & TH_ACK) {
598 tcp2->th_seq = tcp->th_ack;
599 tcp2->th_flags = TH_RST;
603 tcp2->th_ack = ntohl(tcp->th_seq);
604 tcp2->th_ack += tlen;
605 tcp2->th_ack = htonl(tcp2->th_ack);
606 tcp2->th_flags = TH_RST|TH_ACK;
/* Data offset is the bare TCP header size, expressed in 32-bit words. */
609 TCP_OFF_A(tcp2, sizeof(*tcp2) >> 2);
610 tcp2->th_win = tcp->th_win;
/* IPv6: fill in the header, checksum with in6_cksum() and send. */
615 if (fin->fin_v == 6) {
616 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
617 ip6->ip6_plen = htons(sizeof(struct tcphdr));
618 ip6->ip6_nxt = IPPROTO_TCP;
620 ip6->ip6_src = fin->fin_dst6;
621 ip6->ip6_dst = fin->fin_src6;
622 tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
623 sizeof(*ip6), sizeof(*tcp2));
624 return fr_send_ip(fin, m, &m);
/*
 * IPv4: ip_len temporarily holds the TCP length in network order while the
 * checksum is computed over the zeroed IP header plus TCP header.  It is
 * then overwritten with the full packet length, without htons(), before
 * sending.
 */
627 ip->ip_p = IPPROTO_TCP;
628 ip->ip_len = htons(sizeof(struct tcphdr));
629 ip->ip_src.s_addr = fin->fin_daddr;
630 ip->ip_dst.s_addr = fin->fin_saddr;
631 tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
632 ip->ip_len = hlen + sizeof(*tcp2);
633 return fr_send_ip(fin, m, &m);
/*
 * Finish the IP header of a locally generated packet in m, build a fresh
 * fr_info_t describing it and transmit it through fr_fastroute().
 * Returns whatever fr_fastroute() returns.
 */
637 static int fr_send_ip(fin, m, mpp)
645 ip = mtod(m, ip_t *);
646 bzero((char *)&fnew, sizeof(fnew));
/* The reply uses the same IP version as the packet that triggered it. */
648 IP_V_A(ip, fin->fin_v);
/* IPv4 header fields: copy TOS and ID from the original, set DF per path_mtu_discovery. */
654 IP_HL_A(ip, sizeof(*oip) >> 2);
655 ip->ip_tos = oip->ip_tos;
656 ip->ip_id = fin->fin_ip->ip_id;
657 #if (__FreeBSD_version > 460000)
658 ip->ip_off = path_mtu_discovery ? IP_DF : 0;
662 ip->ip_ttl = ip_defttl;
/* IPv6 header fields. */
669 ip6_t *ip6 = (ip6_t *)ip;
672 ip6->ip6_hlim = IPDEFTTL;
683 m->m_pkthdr.rcvif = NULL;
/* Describe the new packet: same interface as the original, and flagged FI_NOCKSUM. */
686 fnew.fin_ifp = fin->fin_ifp;
687 fnew.fin_flx = FI_NOCKSUM;
691 fnew.fin_hlen = hlen;
692 fnew.fin_dp = (char *)ip + hlen;
693 (void) fr_makefrip(hlen, ip, &fnew);
695 return fr_fastroute(m, mpp, &fnew, NULL);
/*
 * Build and send an ICMP (or ICMPv6) error of the given type in response to
 * the packet described by fin.  The ICMP code is taken from fin->fin_icode.
 * dst influences which source address is used (the selecting condition is
 * not shown in this listing).  The result of fr_send_ip() is stored in err.
 */
699 int fr_send_icmp_err(type, fin, dst)
704 int err, hlen, xtra, iclen, ohlen, avail, code;
711 struct in6_addr dst6;
715 if ((type < 0) || (type >= ICMP_MAXTYPE))
718 code = fin->fin_icode;
/*
 * code is later used as an index into icmptoicmp6unreach[], so it must be
 * strictly less than the element count.  The previous test used '>', which
 * let code == count through and read one element past the end of the table.
 */
720 if ((code < 0) || (code >= sizeof(icmptoicmp6unreach)/sizeof(int)))
/* A failed layer-4 checksum is singled out here (action not shown). */
724 if (fr_checkl4sum(fin) == -1)
727 MGETHDR(m, M_DONTWAIT, MT_HEADER);
729 MGET(m, M_DONTWAIT, MT_HEADER);
739 if (fin->fin_v == 4) {
/*
 * When the offending packet is itself a complete ICMP message, dispatch on
 * the high byte of its first data word (cases not shown in this listing).
 */
740 if ((fin->fin_p == IPPROTO_ICMP) &&
741 !(fin->fin_flx & FI_SHORT))
742 switch (ntohs(fin->fin_data[0]) >> 8)
/* Source address: an address of the interface, or the original destination. */
755 if (fr_ifpaddr(4, FRI_NORMAL, ifp,
756 &dst4, NULL) == -1) {
761 dst4.s_addr = fin->fin_daddr;
/* Quote the original IP header plus at most 8 bytes of its payload. */
764 ohlen = fin->fin_hlen;
765 if (fin->fin_hlen < fin->fin_plen)
766 xtra = MIN(fin->fin_dlen, 8);
772 else if (fin->fin_v == 6) {
773 hlen = sizeof(ip6_t);
774 ohlen = sizeof(ip6_t);
/* Translate the ICMPv4 type, and for unreachables the code, to ICMPv6 values. */
775 type = icmptoicmp6types[type];
776 if (type == ICMP6_DST_UNREACH)
777 code = icmptoicmp6unreach[code];
/* Switch to a cluster when headers plus the quoted packet exceed avail. */
779 if (hlen + sizeof(*icmp) + max_linkhdr +
780 fin->fin_plen > avail) {
781 MCLGET(m, M_DONTWAIT);
782 if ((m->m_flags & M_EXT) == 0) {
/* Quote as much of the original packet as the remaining space allows. */
788 xtra = MIN(fin->fin_plen,
789 avail - hlen - sizeof(*icmp) - max_linkhdr);
791 if (fr_ifpaddr(6, FRI_NORMAL, ifp,
792 (struct in_addr *)&dst6, NULL) == -1) {
797 dst6 = fin->fin_dst6;
805 iclen = hlen + sizeof(*icmp);
806 avail -= (max_linkhdr + iclen);
/* Leave room in front of the packet for a link-layer header. */
814 m->m_data += max_linkhdr;
815 m->m_pkthdr.rcvif = (struct ifnet *)0;
816 m->m_pkthdr.len = iclen;
818 ip = mtod(m, ip_t *);
819 icmp = (struct icmp *)((char *)ip + hlen);
820 ip2 = (ip_t *)&icmp->icmp_ip;
822 icmp->icmp_type = type;
/*
 * NOTE(review): icmp_code is set from fin->fin_icode, not from the local
 * 'code' that was translated for ICMPv6 above.  Confirm this is intended.
 */
823 icmp->icmp_code = fin->fin_icode;
824 icmp->icmp_cksum = 0;
/* "Fragmentation needed" errors carry the MTU of the interface. */
826 if (type == ICMP_UNREACH &&
827 fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp)
828 icmp->icmp_nextmtu = htons(((struct ifnet *)ifp)->if_mtu);
/* Copy the offending packet's IP header into the ICMP payload. */
831 bcopy((char *)fin->fin_ip, (char *)ip2, ohlen);
835 if (fin->fin_v == 6) {
836 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
837 ip6->ip6_plen = htons(iclen - hlen);
838 ip6->ip6_nxt = IPPROTO_ICMPV6;
841 ip6->ip6_dst = fin->fin_src6;
843 bcopy((char *)fin->fin_ip + ohlen,
844 (char *)&icmp->icmp_ip + ohlen, xtra);
845 icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
846 sizeof(*ip6), iclen - hlen);
/* IPv4: the quoted header's length and offset fields are passed through htons(). */
850 ip2->ip_len = htons(ip2->ip_len);
851 ip2->ip_off = htons(ip2->ip_off);
852 ip->ip_p = IPPROTO_ICMP;
853 ip->ip_src.s_addr = dst4.s_addr;
854 ip->ip_dst.s_addr = fin->fin_saddr;
857 bcopy((char *)fin->fin_ip + ohlen,
858 (char *)&icmp->icmp_ip + ohlen, xtra);
859 icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
862 ip->ip_p = IPPROTO_ICMP;
864 err = fr_send_ip(fin, m, &m);
869 #if !defined(IPFILTER_LKM) && (__FreeBSD_version < 300000)
/*
 * Static (non-LKM) initialisation for pre-3.0 kernels.  Two prototypes are
 * visible (int and void); the condition selecting between them is not shown.
 */
871 int iplinit __P((void));
875 void iplinit __P((void));
/* Attach the filter and report a failure on the console. */
881 if (ipfattach() != 0)
882 printf("IP Filter failed to attach\n");
885 #endif /* __FreeBSD_version < 300000 */
/*
 * Transmit packet m0 directly out of an interface, bypassing the normal IP
 * output path.  IPv6 packets are passed to ip6_output().  IPv4 packets are
 * routed here, optionally accounted / state-checked / NATed, and then sent
 * whole or fragmented to fit the interface MTU.  fdp, when given with a
 * non-zero fd_ip, supplies an explicit next-hop address.
 */
888 int fr_fastroute(m0, mpp, fin, fdp)
893 register struct ip *ip, *mhip;
894 register struct mbuf *m = m0;
895 register struct route *ro;
896 int len, off, error = 0, hlen, code;
897 struct ifnet *ifp, *sifp;
898 struct sockaddr_in *dst;
899 struct route iproute;
909 * If the mbuf we're about to send is not writable (because of
910 * a cluster reference, for example) we'll need to make a copy
911 * of it since this routine modifies the contents.
913 * If you have non-crappy network hardware that can transmit data
914 * from the mbuf, rather than making a copy, this is gonna be a
917 if (M_WRITABLE(m) == 0) {
918 m0 = m_dup(m, M_DONTWAIT);
932 if (fin->fin_v == 6) {
934 * currently "to <if>" and "to <if>:ip#" are not supported
937 #if (__FreeBSD_version >= 490000)
938 return ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
940 return ip6_output(m0, NULL, NULL, 0, NULL, NULL);
945 hlen = fin->fin_hlen;
946 ip = mtod(m0, struct ip *);
/* Start with a route keyed on the packet's own destination address. */
952 bzero((caddr_t)ro, sizeof (*ro));
953 dst = (struct sockaddr_in *)&ro->ro_dst;
954 dst->sin_family = AF_INET;
955 dst->sin_addr = ip->ip_dst;
963 if ((ifp == NULL) && (!fr || !(fr->fr_flags & FR_FASTROUTE))) {
/* An explicit next hop from fdp replaces the destination used for routing. */
968 if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
969 dst->sin_addr = fdp->fd_ip;
971 dst->sin_len = sizeof(*dst);
/* With no interface chosen yet, use the one the route points at. */
974 if ((ifp == NULL) && (ro->ro_rt != NULL))
975 ifp = ro->ro_rt->rt_ifp;
/* No route or no interface: EHOSTUNREACH is set when the destination is a local address. */
977 if ((ro->ro_rt == NULL) || (ifp == NULL)) {
978 if (in_localaddr(ip->ip_dst))
979 error = EHOSTUNREACH;
/* For gatewayed routes, the link-layer destination is the gateway. */
984 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
985 dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
990 * For input packets which are being "fastrouted", they won't
991 * go back through output filtering and miss their chance to get
992 * NAT'd and counted. Duplicated packets aren't considered to be
993 * part of the normal packet stream, so do not NAT them or pass
994 * them through stateful checking, etc.
996 if ((fdp != &fr->fr_dif) && (fin->fin_out == 0)) {
1000 (void) fr_acctpkt(fin, NULL);
1002 if (!fr || !(fr->fr_flags & FR_RETMASK)) {
/* Only the reference taken by the state lookup is wanted here; drop it straight away. */
1005 if (fr_checkstate(fin, &pass) != NULL)
1006 fr_statederef((ipstate_t **)&fin->fin_state);
1009 switch (fr_checknatout(fin, NULL))
1014 fr_natderef((nat_t **)&fin->fin_nat);
/* Restore fin_ifp from the copy held in sifp. */
1023 fin->fin_ifp = sifp;
1028 * If small enough for interface, can just send directly.
1030 if (ip->ip_len <= ifp->if_mtu) {
1031 ip->ip_len = htons(ip->ip_len);
1032 ip->ip_off = htons(ip->ip_off);
1035 ip->ip_sum = in_cksum(m, hlen);
1036 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
1041 * Too large for interface; fragment if possible.
1042 * Must be able to put at least 8 bytes per fragment.
1044 ip_off = ntohs(ip->ip_off);
1045 if (ip_off & IP_DF) {
/* Per-fragment payload: what fits after the header, rounded down to a multiple of 8. */
1049 len = (ifp->if_mtu - hlen) &~ 7;
1056 int mhlen, firstlen = len;
1057 struct mbuf **mnext = &m->m_act;
1060 * Loop through length of segment after first fragment,
1061 * make new header and copy data of each part and link onto chain.
1064 mhlen = sizeof (struct ip);
1065 for (off = hlen + len; off < ip->ip_len; off += len) {
1067 MGETHDR(m, M_DONTWAIT, MT_HEADER);
1069 MGET(m, M_DONTWAIT, MT_HEADER);
1076 m->m_data += max_linkhdr;
1077 mhip = mtod(m, struct ip *);
1078 bcopy((char *)ip, (char *)mhip, sizeof(*ip));
/* When the original header has options, ip_optcopy() fills them in and the header length grows. */
1079 if (hlen > sizeof (struct ip)) {
1080 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
1081 IP_HL_A(mhip, mhlen >> 2);
/* Fragment offset is in 8-byte units, added to the original offset/flags word. */
1084 mhip->ip_off = ((off - hlen) >> 3) + ip_off;
1085 if (off + len >= ip->ip_len)
1086 len = ip->ip_len - off;
1088 mhip->ip_off |= IP_MF;
1089 mhip->ip_len = htons((u_short)(len + mhlen));
1091 m->m_next = m_copy(m0, off, len);
1092 if (m->m_next == 0) {
1093 error = ENOBUFS; /* ??? */
1096 m->m_pkthdr.len = mhlen + len;
1097 m->m_pkthdr.rcvif = NULL;
1098 mhip->ip_off = htons((u_short)mhip->ip_off);
1100 mhip->ip_sum = in_cksum(m, mhlen);
1104 * Update first fragment by trimming what's been copied out
1105 * and updating header, then send each fragment (in order).
/* The length passed to m_adj() is negative, so bytes are trimmed from the tail. */
1107 m_adj(m0, hlen + firstlen - ip->ip_len);
1108 ip->ip_len = htons((u_short)(hlen + firstlen));
1109 ip->ip_off = htons((u_short)IP_MF);
1111 ip->ip_sum = in_cksum(m0, hlen);
1113 for (m = m0; m; m = m0) {
1117 error = (*ifp->if_output)(ifp, m,
1118 (struct sockaddr *)dst, ro->ro_rt);
1129 if ((ro != NULL) && (ro->ro_rt != NULL)) {
/*
 * On EMSGSIZE, send an ICMP "fragmentation needed" error.  fin_ifp and
 * fin_icode are saved beforehand and restored afterwards.
 */
1135 if (error == EMSGSIZE) {
1136 sifp = fin->fin_ifp;
1137 code = fin->fin_icode;
1138 fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
1140 (void) fr_send_icmp_err(ICMP_UNREACH, fin, 1);
1141 fin->fin_ifp = sifp;
1142 fin->fin_icode = code;
/*
 * Reverse-path check: look up a route to the packet's source address and
 * return non-zero when that route's interface is the one the packet arrived
 * on (fin->fin_ifp).  The return value when no route exists is not shown.
 */
1149 int fr_verifysrc(fin)
1152 struct sockaddr_in *dst;
1153 struct route iproute;
/* Build a route lookup keyed on the packet's source address. */
1155 bzero((char *)&iproute, sizeof(iproute));
1156 dst = (struct sockaddr_in *)&iproute.ro_dst;
1157 dst->sin_len = sizeof(*dst);
1158 dst->sin_family = AF_INET;
1159 dst->sin_addr = fin->fin_src;
1160 in_rtalloc(&iproute, 0);
1161 if (iproute.ro_rt == NULL)
1163 return (fin->fin_ifp == iproute.ro_rt->rt_ifp);
1168 * return the first IP Address associated with an interface
/*
 * Look up an address of the interface ifptr for IP version v (4 or 6).
 * atype selects the broadcast address (FRI_BROADCAST) or the peer address
 * (FRI_PEERADDR) instead of the plain address.  The result is written to
 * inp and inpmask by fr_ifpfillv4addr() / fr_ifpfillv6addr(), whose return
 * value is passed on.  For IPv6, link-local and loopback addresses are
 * passed over during the search.
 */
1170 int fr_ifpaddr(v, atype, ifptr, inp, inpmask)
1173 struct in_addr *inp, *inpmask;
1176 struct in6_addr *inp6 = NULL;
1178 struct sockaddr *sock, *mask;
1179 struct sockaddr_in *sin;
/* Reject a missing interface and the (void *)-1 "forgotten interface" sentinel. */
1183 if ((ifptr == NULL) || (ifptr == (void *)-1))
1193 bzero((char *)inp, sizeof(struct in6_addr));
1195 #if (__FreeBSD_version >= 300000)
1196 ifa = TAILQ_FIRST(&ifp->if_addrhead);
1198 ifa = ifp->if_addrlist;
1199 #endif /* __FreeBSD_version >= 300000 */
/*
 * The address list may be empty, so do not dereference ifa unless it is
 * non-NULL.  Previously ifa->ifa_addr was read before the loop's own
 * ifa != NULL test.
 */
1201 sock = (ifa != NULL) ? ifa->ifa_addr : NULL;
/* Walk the address list until an address of the requested family is found. */
1202 while (sock != NULL && ifa != NULL) {
1203 sin = (struct sockaddr_in *)sock;
1204 if ((v == 4) && (sin->sin_family == AF_INET))
1207 if ((v == 6) && (sin->sin_family == AF_INET6)) {
1208 inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
1209 if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
1210 !IN6_IS_ADDR_LOOPBACK(inp6))
1214 #if (__FreeBSD_version >= 300000)
1215 ifa = TAILQ_NEXT(ifa, ifa_link);
1217 ifa = ifa->ifa_next;
1218 #endif /* __FreeBSD_version >= 300000 */
1220 sock = ifa->ifa_addr;
/* ifa is tested first, so sin is never read when the list was empty. */
1223 if (ifa == NULL || sin == NULL)
1226 mask = ifa->ifa_netmask;
1227 if (atype == FRI_BROADCAST)
1228 sock = ifa->ifa_broadaddr;
1229 else if (atype == FRI_PEERADDR)
1230 sock = ifa->ifa_dstaddr;
1237 return fr_ifpfillv6addr(atype, (struct sockaddr_in6 *)sock,
1238 (struct sockaddr_in6 *)mask,
1242 return fr_ifpfillv4addr(atype, (struct sockaddr_in *)sock,
1243 (struct sockaddr_in *)mask, inp, inpmask);
/*
 * Produce a new TCP initial sequence number for the connection described by
 * fin.  On FreeBSD >= 4.0 this is simply arc4random().  Otherwise it is the
 * leading bytes of an MD5 hash over the addresses, fin_dat and a secret,
 * plus an offset that is advanced on every call.
 */
1247 u_32_t fr_newisn(fin)
1251 #if (__FreeBSD_version >= 400000)
1252 newiss = arc4random();
/* Declared without a type, so it is an implicit int that persists across calls. */
1254 static iss_seq_off = 0;
1259 * Compute the base value of the ISS. It is a hash
1260 * of (saddr, sport, daddr, dport, secret).
1264 MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_src,
1265 sizeof(fin->fin_fi.fi_src));
1266 MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_dst,
1267 sizeof(fin->fin_fi.fi_dst));
1268 MD5Update(&ctx, (u_char *) &fin->fin_dat, sizeof(fin->fin_dat));
1270 MD5Update(&ctx, ipf_iss_secret, sizeof(ipf_iss_secret));
1272 MD5Final(hash, &ctx);
/* Only the first sizeof(newiss) bytes of the digest are used. */
1274 memcpy(&newiss, hash, sizeof(newiss));
1277 * Now increment our "timer", and add it in to
1278 * the computed value.
1281 * XXX TCP_ISSINCR too large to use?
1283 iss_seq_off += 0x00010000;
1284 newiss += iss_seq_off;
1290 /* ------------------------------------------------------------------------ */
1291 /* Function: fr_nextipid */
1292 /* Returns: u_short - the next IPv4 ID to use for this packet */
1293 /* Parameters: fin(I) - pointer to packet information */
1295 /* Returns the next IPv4 ID to use for this packet. */
1296 /* ------------------------------------------------------------------------ */
1297 u_short fr_nextipid(fin)
1300 #ifndef RANDOM_IP_ID
/* Without RANDOM_IP_ID a static counter is kept, and ipf_rw is held around the (elided) lines between the lock calls. */
1301 static u_short ipid = 0;
1304 MUTEX_ENTER(&ipf_rw);
1306 MUTEX_EXIT(&ipf_rw);
/*
 * Validate the layer-4 checksum of an IPv4 packet and set FI_BAD in
 * fin->fin_flx when it is wrong.  When the mbuf carries a hardware checksum
 * result (CSUM_DATA_VALID), that result is used instead of recomputing.
 */
1317 INLINE void fr_checkv4sum(fin)
1320 #ifdef CSUM_DATA_VALID
/* Packets flagged FI_NOCKSUM get special handling (action not shown). */
1326 if ((fin->fin_flx & FI_NOCKSUM) != 0)
/* A non-zero fin_cksum also gets special handling (action not shown). */
1329 if (fin->fin_cksum != 0)
/*
 * Hardware has checked the data.  With CSUM_PSEUDO_HDR, csum_data is used
 * as is; otherwise in_pseudo() folds it together with the addresses, length
 * and protocol.
 */
1339 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
1340 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
1341 sum = m->m_pkthdr.csum_data;
1343 sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
1344 htonl(m->m_pkthdr.csum_data +
1345 fin->fin_ip->ip_len + fin->fin_p));
/* Mark the packet bad and record the failure (the guarding test is not shown). */
1348 fin->fin_flx |= FI_BAD;
1349 fin->fin_cksum = -1;
/* Software fallback, only compiled in with IPFILTER_CKSUM. */
1356 # ifdef IPFILTER_CKSUM
1358 if (fr_checkl4sum(fin) == -1)
1359 fin->fin_flx |= FI_BAD;
1364 # ifdef IPFILTER_CKSUM
1365 if (fr_checkl4sum(fin) == -1)
1366 fin->fin_flx |= FI_BAD;
/*
 * IPv6 counterpart of the IPv4 checksum check: with IPFILTER_CKSUM, run
 * fr_checkl4sum() and set FI_BAD in fin->fin_flx when it returns -1.
 */
1373 INLINE void fr_checkv6sum(fin)
1376 # ifdef IPFILTER_CKSUM
1377 if (fr_checkl4sum(fin) == -1)
1378 fin->fin_flx |= FI_BAD;
1381 #endif /* USE_INET6 */
/*
 * Length of the mbuf chain starting at m0.  When m0 carries a packet header
 * the recorded m_pkthdr.len is used; a loop over the m_next chain is also
 * present (its body is not shown in this listing).
 */
1384 size_t mbufchainlen(m0)
1389 if ((m0->m_flags & M_PKTHDR) != 0) {
1390 len = m0->m_pkthdr.len;
1394 for (m = m0, len = 0; m != NULL; m = m->m_next)
1401 /* ------------------------------------------------------------------------ */
1402 /* Function: fr_pullup */
1403 /* Returns: NULL == pullup failed, else pointer to protocol header */
1404 /* Parameters: m(I) - pointer to buffer where data packet starts */
1405 /* fin(I) - pointer to packet information */
1406 /* len(I) - number of bytes to pullup */
1408 /* Attempt to move at least len bytes (from the start of the buffer) into a */
1409 /* single buffer for ease of access. Operating system native functions are */
1410 /* used to manage buffers - if necessary. If the entire packet ends up in */
1411 /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */
1412 /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */
1413 /* and ONLY if the pullup succeeds. */
1415 /* We assume that 'min' is a pointer to a buffer that is part of the chain */
1416 /* of buffers that starts at *fin->fin_mp. */
1417 /* ------------------------------------------------------------------------ */
1418 void *fr_pullup(min, fin, len)
1423 int out = fin->fin_out, dpoff, ipoff;
1430 ip = (char *)fin->fin_ip;
/* A packet already flagged FI_COALESCE is handled up front (action not shown). */
1431 if ((fin->fin_flx & FI_COALESCE) != 0)
/* Record where the IP header and data pointer sit so they can be re-derived after the buffer moves. */
1434 ipoff = fin->fin_ipoff;
1435 if (fin->fin_dp != NULL)
1436 dpoff = (char *)fin->fin_dp - (char *)ip;
/* Only touch the chain when the first buffer holds fewer than len bytes. */
1440 if (M_LEN(m) < len) {
1443 * Assume that M_PKTHDR is set and just work with what is left
1444 * rather than check..
1445 * Should not make any real difference, anyway.
1452 #ifdef HAVE_M_PULLDOWN
1453 if (m_pulldown(m, 0, len, NULL) == NULL)
1456 FREE_MB_T(*fin->fin_mp);
1461 m = m_pullup(m, len);
/* NOTE(review): fr_pull[1] is presumably the failure counter and fr_pull[0] the success counter - confirm. */
1466 ATOMIC_INCL(frstats[out].fr_pull[1]);
/* Empty leading buffers are handled in this loop (body not shown). */
1470 while (M_LEN(m) == 0) {
1474 ip = MTOD(m, char *) + ipoff;
1477 ATOMIC_INCL(frstats[out].fr_pull[0]);
/* Re-point fin_ip, and fin_dp if it was set, into the possibly relocated buffer. */
1478 fin->fin_ip = (ip_t *)ip;
1479 if (fin->fin_dp != NULL)
1480 fin->fin_dp = (char *)fin->fin_ip + dpoff;
/* When the requested length is the whole packet, flag it as coalesced. */
1482 if (len == fin->fin_plen)
1483 fin->fin_flx |= FI_COALESCE;
/*
 * Re-insert packet m into the network stack.  Inbound packets
 * (fin->fin_out == 0) are handed to the IP input path.  Outbound packets
 * are passed to ip_output() with IP_FORWARDING, and its result is stored in
 * error.
 */
1488 int ipf_inject(fin, m)
1494 if (fin->fin_out == 0) {
1495 #if (__FreeBSD_version >= 501000)
1496 netisr_dispatch(NETISR_IP, m);
/* Older kernels queue the packet by hand (code not shown). */
1498 struct ifqueue *ifq;
/* ip_len and ip_off are converted with ntohs() before ip_output() is called. */
1520 fin->fin_ip->ip_len = ntohs(fin->fin_ip->ip_len);
1521 fin->fin_ip->ip_off = ntohs(fin->fin_ip->ip_off);
1522 #if (__FreeBSD_version >= 470102)
1523 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
1525 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
/*
 * Remove the filter's pfil hooks for IPv4 and IPv6.  The call form depends
 * on the kernel version: pfil heads (>= 501108), per-protocol pr_pfh
 * (>= 500011), or the global form.
 */
1532 int ipf_pfil_unhook(void) {
1533 #if defined(NETBSD_PF) && (__FreeBSD_version >= 500011)
1534 # if __FreeBSD_version >= 501108
1535 struct pfil_head *ph_inet;
1537 struct pfil_head *ph_inet6;
1543 # if (__FreeBSD_version >= 500011)
1544 # if (__FreeBSD_version >= 501108)
/* IPv4: the hook is only removed when a pfil head exists for AF_INET. */
1545 ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
1546 if (ph_inet != NULL)
1547 pfil_remove_hook((void *)fr_check_wrapper, NULL,
1548 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet);
1550 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK,
1551 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
1554 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK);
1557 # if (__FreeBSD_version >= 501108)
/* IPv6: same pattern, using the AF_INET6 head and the v6 wrapper. */
1558 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
1559 if (ph_inet6 != NULL)
1560 pfil_remove_hook((void *)fr_check_wrapper6, NULL,
1561 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet6);
1563 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK,
1564 &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
/*
 * Install the filter's pfil hooks for IPv4 and IPv6, for both directions
 * (PFIL_IN|PFIL_OUT).  It uses the same version-dependent call forms as the
 * unhook routine.
 */
1572 int ipf_pfil_hook(void) {
1573 #if defined(NETBSD_PF) && (__FreeBSD_version >= 500011)
1574 # if __FreeBSD_version >= 501108
1575 struct pfil_head *ph_inet;
1577 struct pfil_head *ph_inet6;
1583 # if __FreeBSD_version >= 500011
1584 # if __FreeBSD_version >= 501108
/* Both heads are looked up before any hook is added. */
1585 ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
1587 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
/* IPv4 hook. */
1596 if (ph_inet != NULL)
1597 pfil_add_hook((void *)fr_check_wrapper, NULL,
1598 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet);
1600 pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK,
1601 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
1604 pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK);
1607 # if __FreeBSD_version >= 501108
/* IPv6 hook. */
1608 if (ph_inet6 != NULL)
1609 pfil_add_hook((void *)fr_check_wrapper6, NULL,
1610 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet6);
1612 pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT|PFIL_WAITOK,
1613 &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
/*
 * NOTE(review): the enclosing function header is not visible in this
 * listing.  The fragment registers ipf_ifevent for the interface arrival,
 * departure and clone events and keeps the returned tags for later
 * deregistration.
 */
1623 #if (__FreeBSD_version >= 502103)
1624 ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
1625 ipf_ifevent, NULL, \
1626 EVENTHANDLER_PRI_ANY);
1627 ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
1628 ipf_ifevent, NULL, \
1629 EVENTHANDLER_PRI_ANY);
1630 ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
1631 NULL, EVENTHANDLER_PRI_ANY);
/*
 * Deregister the interface event handlers.  Each tag is checked for NULL
 * first, so a handler that was never registered is skipped.
 */
1636 ipf_event_dereg(void)
1638 #if (__FreeBSD_version >= 502103)
1639 if (ipf_arrivetag != NULL) {
1640 EVENTHANDLER_DEREGISTER(ifnet_arrival_event, ipf_arrivetag);
1642 if (ipf_departtag != NULL) {
1643 EVENTHANDLER_DEREGISTER(ifnet_departure_event, ipf_departtag);
1645 if (ipf_clonetag != NULL) {
1646 EVENTHANDLER_DEREGISTER(if_clone_event, ipf_clonetag);