4 * Copyright (C) 1993-2003 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
8 #if defined(KERNEL) || defined(_KERNEL)
14 #include <sys/errno.h>
15 #include <sys/types.h>
16 #include <sys/param.h>
18 #if defined(__NetBSD__)
19 # if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
20 # if (__NetBSD_Version__ < 301000000)
21 # include "opt_ipfilter_log.h"
23 # include "opt_ipfilter.h"
27 #if defined(_KERNEL) && defined(__FreeBSD_version) && \
28 (__FreeBSD_version >= 220000)
29 # if (__FreeBSD_version >= 400000)
30 # if !defined(IPFILTER_LKM)
31 # include "opt_inet6.h"
33 # if (__FreeBSD_version == 400019)
34 # define CSUM_DELAY_DATA
37 # include <sys/filio.h>
39 # include <sys/ioctl.h>
41 #if (defined(__SVR4) || defined(__svr4__)) && defined(sun)
42 # include <sys/filio.h>
45 # include <sys/fcntl.h>
48 # include <sys/systm.h>
49 # include <sys/file.h>
55 # include <sys/file.h>
63 #if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux) && \
65 # include <sys/mbuf.h>
68 # include <sys/byteorder.h>
70 # if (SOLARIS2 < 5) && defined(sun)
71 # include <sys/dditypes.h>
75 # define _NET_ROUTE_INCLUDED
78 # include <sys/protosw.h>
80 #include <sys/socket.h>
85 #if !defined(_KERNEL) && (defined(__FreeBSD__) || defined(SOLARIS2))
86 # if (__FreeBSD_version >= 504000)
89 # include "radix_ipf.h"
92 # include "radix_ipf.h"
94 # include <net/route.h>
96 #include <netinet/in.h>
97 #include <netinet/in_systm.h>
98 #include <netinet/ip.h>
100 # include <netinet/ip_var.h>
102 #if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
103 # include <sys/hashing.h>
104 # include <netinet/in_var.h>
106 #include <netinet/tcp.h>
107 #if (!defined(__sgi) && !defined(AIX)) || defined(_KERNEL)
108 # include <netinet/udp.h>
109 # include <netinet/ip_icmp.h>
112 # undef _NET_ROUTE_INCLUDED
117 #include "netinet/ip_compat.h"
119 # include <netinet/icmp6.h>
120 # if !SOLARIS && defined(_KERNEL) && !defined(__osf__) && !defined(__hpux)
121 # include <netinet6/in6_var.h>
124 #include <netinet/tcpip.h>
125 #include "netinet/ip_fil.h"
126 #include "netinet/ip_nat.h"
127 #include "netinet/ip_frag.h"
128 #include "netinet/ip_state.h"
129 #include "netinet/ip_proxy.h"
130 #include "netinet/ip_auth.h"
132 # include "netinet/ip_scan.h"
135 # include "netinet/ip_sync.h"
137 #include "netinet/ip_pool.h"
138 #include "netinet/ip_htable.h"
139 #ifdef IPFILTER_COMPILED
140 # include "netinet/ip_rules.h"
142 #if defined(IPFILTER_BPF) && defined(_KERNEL)
143 # include <net/bpf.h>
145 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
146 # include <sys/malloc.h>
147 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
148 # include "opt_ipfilter.h"
151 #include "netinet/ipl.h"
152 /* END OF INCLUDES */
154 #include <machine/in_cksum.h>
157 static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
158 static const char rcsid[] = "@(#)$FreeBSD$";
159 /* static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.125 2007/10/10 09:27:20 darrenr Exp $"; */
165 # include "bpf-ipf.h"
170 fr_info_t frcache[2][8];
171 struct filterstats frstats[2];
172 struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
173 *ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } },
174 *ipacct6[2][2] = { { NULL, NULL }, { NULL, NULL } },
175 *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } },
176 *ipnatrules[2][2] = { { NULL, NULL }, { NULL, NULL } };
177 struct frgroup *ipfgroups[IPL_LOGSIZE][2];
178 char ipfilter_version[] = IPL_VERSION;
182 * 0 == loading, 1 = running, -1 = disabled, -2 = unloading
185 int fr_flags = IPF_LOGGING;
187 int fr_control_forwarding = 0;
188 int fr_update_ipid = 0;
189 u_short fr_ip_id = 0;
190 int fr_chksrc = 0; /* causes a system crash if enabled */
192 int fr_icmpminfragmtu = 68;
193 u_long fr_frouteok[2] = {0, 0};
194 u_long fr_userifqs = 0;
195 u_long fr_badcoalesces[2] = {0, 0};
196 u_char ipf_iss_secret[32];
197 #if defined(IPFILTER_DEFAULT_BLOCK)
198 int fr_pass = FR_BLOCK|FR_NOMATCH;
200 int fr_pass = (IPF_DEFAULT_PASS)|FR_NOMATCH;
209 #ifdef IPFILTER_LOOKUP
215 #ifdef IPFILTER_COMPILED
218 #ifdef IPFILTER_CKSUM
232 static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
233 static int fr_portcheck __P((frpcmp_t *, u_short *));
234 static int frflushlist __P((int, minor_t, int *, frentry_t **));
235 static ipfunc_t fr_findfunc __P((ipfunc_t));
236 static frentry_t *fr_firewall __P((fr_info_t *, u_32_t *));
237 static int fr_funcinit __P((frentry_t *fr));
238 static INLINE void frpr_ah __P((fr_info_t *));
239 static INLINE void frpr_esp __P((fr_info_t *));
240 static INLINE void frpr_gre __P((fr_info_t *));
241 static INLINE void frpr_udp __P((fr_info_t *));
242 static INLINE void frpr_tcp __P((fr_info_t *));
243 static INLINE void frpr_icmp __P((fr_info_t *));
244 static INLINE void frpr_ipv4hdr __P((fr_info_t *));
245 static INLINE int frpr_pullup __P((fr_info_t *, int));
246 static INLINE void frpr_short __P((fr_info_t *, int));
247 static INLINE int frpr_tcpcommon __P((fr_info_t *));
248 static INLINE int frpr_udpcommon __P((fr_info_t *));
249 static int fr_updateipid __P((fr_info_t *));
250 #ifdef IPFILTER_LOOKUP
251 static int fr_grpmapinit __P((frentry_t *fr));
252 static INLINE void *fr_resolvelookup __P((u_int, u_int, i6addr_t *, lookupfunc_t *));
254 static void frsynclist __P((frentry_t *, void *));
255 static ipftuneable_t *fr_findtunebyname __P((const char *));
256 static ipftuneable_t *fr_findtunebycookie __P((void *, void **));
257 static int ipf_geniter __P((ipftoken_t *, ipfgeniter_t *));
258 static int ipf_frruleiter __P((void *, int, void *));
259 static void ipf_unlinktoken __P((ipftoken_t *));
263 * bit values for identifying presence of individual IP options
264 * All of these tables should be ordered by increasing key value on the left
265 * hand side to allow for binary searching of the array and include a trailer
266 * with a 0 for the bitmask for linear searches to easily find the end with.
268 const struct optlist ipopts[20] = {
269 { IPOPT_NOP, 0x000001 },
270 { IPOPT_RR, 0x000002 },
271 { IPOPT_ZSU, 0x000004 },
272 { IPOPT_MTUP, 0x000008 },
273 { IPOPT_MTUR, 0x000010 },
274 { IPOPT_ENCODE, 0x000020 },
275 { IPOPT_TS, 0x000040 },
276 { IPOPT_TR, 0x000080 },
277 { IPOPT_SECURITY, 0x000100 },
278 { IPOPT_LSRR, 0x000200 },
279 { IPOPT_E_SEC, 0x000400 },
280 { IPOPT_CIPSO, 0x000800 },
281 { IPOPT_SATID, 0x001000 },
282 { IPOPT_SSRR, 0x002000 },
283 { IPOPT_ADDEXT, 0x004000 },
284 { IPOPT_VISA, 0x008000 },
285 { IPOPT_IMITD, 0x010000 },
286 { IPOPT_EIP, 0x020000 },
287 { IPOPT_FINN, 0x040000 },
292 struct optlist ip6exthdr[] = {
293 { IPPROTO_HOPOPTS, 0x000001 },
294 { IPPROTO_IPV6, 0x000002 },
295 { IPPROTO_ROUTING, 0x000004 },
296 { IPPROTO_FRAGMENT, 0x000008 },
297 { IPPROTO_ESP, 0x000010 },
298 { IPPROTO_AH, 0x000020 },
299 { IPPROTO_NONE, 0x000040 },
300 { IPPROTO_DSTOPTS, 0x000080 },
301 { IPPROTO_MOBILITY, 0x000100 },
306 struct optlist tcpopts[] = {
307 { TCPOPT_NOP, 0x000001 },
308 { TCPOPT_MAXSEG, 0x000002 },
309 { TCPOPT_WINDOW, 0x000004 },
310 { TCPOPT_SACK_PERMITTED, 0x000008 },
311 { TCPOPT_SACK, 0x000010 },
312 { TCPOPT_TIMESTAMP, 0x000020 },
317 * bit values for identifying presence of individual IP security options
319 const struct optlist secopt[8] = {
320 { IPSO_CLASS_RES4, 0x01 },
321 { IPSO_CLASS_TOPS, 0x02 },
322 { IPSO_CLASS_SECR, 0x04 },
323 { IPSO_CLASS_RES3, 0x08 },
324 { IPSO_CLASS_CONF, 0x10 },
325 { IPSO_CLASS_UNCL, 0x20 },
326 { IPSO_CLASS_RES2, 0x40 },
327 { IPSO_CLASS_RES1, 0x80 }
332 * Table of functions available for use with call rules.
334 static ipfunc_resolve_t fr_availfuncs[] = {
335 #ifdef IPFILTER_LOOKUP
336 { "fr_srcgrpmap", fr_srcgrpmap, fr_grpmapinit },
337 { "fr_dstgrpmap", fr_dstgrpmap, fr_grpmapinit },
344 * The next section of code is a a collection of small routines that set
345 * fields in the fr_info_t structure passed based on properties of the
346 * current packet. There are different routines for the same protocol
347 * for each of IPv4 and IPv6. Adding a new protocol, for which there
348 * will "special" inspection for setup, is now more easily done by adding
349 * a new routine and expanding the frpr_ipinit*() function rather than by
350 * adding more code to a growing switch statement.
353 static INLINE int frpr_ah6 __P((fr_info_t *));
354 static INLINE void frpr_esp6 __P((fr_info_t *));
355 static INLINE void frpr_gre6 __P((fr_info_t *));
356 static INLINE void frpr_udp6 __P((fr_info_t *));
357 static INLINE void frpr_tcp6 __P((fr_info_t *));
358 static INLINE void frpr_icmp6 __P((fr_info_t *));
359 static INLINE int frpr_ipv6hdr __P((fr_info_t *));
360 static INLINE void frpr_short6 __P((fr_info_t *, int));
361 static INLINE int frpr_hopopts6 __P((fr_info_t *));
362 static INLINE int frpr_mobility6 __P((fr_info_t *));
363 static INLINE int frpr_routing6 __P((fr_info_t *));
364 static INLINE int frpr_dstopts6 __P((fr_info_t *));
365 static INLINE int frpr_fragment6 __P((fr_info_t *));
366 static INLINE int frpr_ipv6exthdr __P((fr_info_t *, int, int));
369 /* ------------------------------------------------------------------------ */
370 /* Function: frpr_short6 */
372 /* Parameters: fin(I) - pointer to packet information */
375 /* This is function enforces the 'is a packet too short to be legit' rule */
376 /* for IPv6 and marks the packet with FI_SHORT if so. See function comment */
377 /* for frpr_short() for more details. */
378 /* ------------------------------------------------------------------------ */
379 static INLINE void frpr_short6(fin, xmin)
384 if (fin->fin_dlen < xmin)
385 fin->fin_flx |= FI_SHORT;
389 /* ------------------------------------------------------------------------ */
390 /* Function: frpr_ipv6hdr */
391 /* Returns: int - 0 = IPv6 packet intact, -1 = packet lost */
392 /* Parameters: fin(I) - pointer to packet information */
395 /* Copy values from the IPv6 header into the fr_info_t struct and call the */
396 /* per-protocol analyzer if it exists. In validating the packet, a protocol*/
397 /* analyzer may pullup or free the packet itself so we need to be vigiliant */
398 /* of that possibility arising. */
399 /* ------------------------------------------------------------------------ */
400 static INLINE int frpr_ipv6hdr(fin)
403 ip6_t *ip6 = (ip6_t *)fin->fin_ip;
404 int p, go = 1, i, hdrcount;
405 fr_ip_t *fi = &fin->fin_fi;
415 fi->fi_ttl = ip6->ip6_hlim;
416 fi->fi_src.in6 = ip6->ip6_src;
417 fi->fi_dst.in6 = ip6->ip6_dst;
418 fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
421 while (go && !(fin->fin_flx & (FI_BAD|FI_SHORT))) {
434 case IPPROTO_ICMPV6 :
444 case IPPROTO_HOPOPTS :
445 p = frpr_hopopts6(fin);
448 case IPPROTO_MOBILITY :
449 p = frpr_mobility6(fin);
452 case IPPROTO_DSTOPTS :
453 p = frpr_dstopts6(fin);
456 case IPPROTO_ROUTING :
457 p = frpr_routing6(fin);
470 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
471 if (ip6exthdr[i].ol_val == p) {
472 fin->fin_flx |= ip6exthdr[i].ol_bit;
482 case IPPROTO_FRAGMENT :
483 p = frpr_fragment6(fin);
484 if (fin->fin_off != 0)
495 * It is important to note that at this point, for the
496 * extension headers (go != 0), the entire header may not have
497 * been pulled up when the code gets to this point. This is
498 * only done for "go != 0" because the other header handlers
499 * will all pullup their complete header. The other indicator
500 * of an incomplete packet is that this was just an extension
503 if ((go != 0) && (p != IPPROTO_NONE) &&
504 (frpr_pullup(fin, 0) == -1)) {
512 * Some of the above functions, like frpr_esp6(), can call fr_pullup
513 * and destroy whatever packet was here. The caller of this function
514 * expects us to return -1 if there is a problem with fr_pullup.
516 if (fin->fin_m == NULL)
523 /* ------------------------------------------------------------------------ */
524 /* Function: frpr_ipv6exthdr */
525 /* Returns: int - value of the next header or IPPROTO_NONE if error */
526 /* Parameters: fin(I) - pointer to packet information */
527 /* multiple(I) - flag indicating yes/no if multiple occurances */
528 /* of this extension header are allowed. */
529 /* proto(I) - protocol number for this extension header */
532 /* ------------------------------------------------------------------------ */
533 static INLINE int frpr_ipv6exthdr(fin, multiple, proto)
541 fin->fin_flx |= FI_V6EXTHDR;
543 /* 8 is default length of extension hdr */
544 if ((fin->fin_dlen - 8) < 0) {
545 fin->fin_flx |= FI_SHORT;
549 if (frpr_pullup(fin, 8) == -1)
555 case IPPROTO_FRAGMENT :
559 shift = 8 + (hdr->ip6e_len << 3);
563 if (shift > fin->fin_dlen) { /* Nasty extension header length? */
564 fin->fin_flx |= FI_BAD;
568 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
569 if (ip6exthdr[i].ol_val == proto) {
571 * Most IPv6 extension headers are only allowed once.
573 if ((multiple == 0) &&
574 ((fin->fin_optmsk & ip6exthdr[i].ol_bit) != 0))
575 fin->fin_flx |= FI_BAD;
577 fin->fin_optmsk |= ip6exthdr[i].ol_bit;
581 fin->fin_exthdr = fin->fin_dp;
582 fin->fin_dp = (char *)fin->fin_dp + shift;
583 fin->fin_dlen -= shift;
585 return hdr->ip6e_nxt;
589 /* ------------------------------------------------------------------------ */
590 /* Function: frpr_hopopts6 */
591 /* Returns: int - value of the next header or IPPROTO_NONE if error */
592 /* Parameters: fin(I) - pointer to packet information */
595 /* This is function checks pending hop by hop options extension header */
596 /* ------------------------------------------------------------------------ */
597 static INLINE int frpr_hopopts6(fin)
600 return frpr_ipv6exthdr(fin, 0, IPPROTO_HOPOPTS);
604 /* ------------------------------------------------------------------------ */
605 /* Function: frpr_mobility6 */
606 /* Returns: int - value of the next header or IPPROTO_NONE if error */
607 /* Parameters: fin(I) - pointer to packet information */
610 /* This is function checks the IPv6 mobility extension header */
611 /* ------------------------------------------------------------------------ */
612 static INLINE int frpr_mobility6(fin)
615 return frpr_ipv6exthdr(fin, 0, IPPROTO_MOBILITY);
619 /* ------------------------------------------------------------------------ */
620 /* Function: frpr_routing6 */
621 /* Returns: int - value of the next header or IPPROTO_NONE if error */
622 /* Parameters: fin(I) - pointer to packet information */
625 /* This is function checks pending routing extension header */
626 /* ------------------------------------------------------------------------ */
627 static INLINE int frpr_routing6(fin)
632 if (frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING) == IPPROTO_NONE)
634 hdr = fin->fin_exthdr;
636 if ((hdr->ip6e_len & 1) != 0) {
638 * The routing header data is made up of 128 bit IPv6 addresses
639 * which means it must be a multiple of 2 lots of 8 in length.
641 fin->fin_flx |= FI_BAD;
643 * Compensate for the changes made in frpr_ipv6exthdr()
645 fin->fin_dlen += 8 + (hdr->ip6e_len << 3);
650 return hdr->ip6e_nxt;
654 /* ------------------------------------------------------------------------ */
655 /* Function: frpr_fragment6 */
656 /* Returns: int - value of the next header or IPPROTO_NONE if error */
657 /* Parameters: fin(I) - pointer to packet information */
660 /* Examine the IPv6 fragment header and extract fragment offset information.*/
662 /* We don't know where the transport layer header (or whatever is next is), */
663 /* as it could be behind destination options (amongst others). Because */
664 /* there is no fragment cache, there is no knowledge about whether or not an*/
665 /* upper layer header has been seen (or where it ends) and thus we are not */
666 /* able to continue processing beyond this header with any confidence. */
667 /* ------------------------------------------------------------------------ */
668 static INLINE int frpr_fragment6(fin)
671 struct ip6_frag *frag;
674 fin->fin_flx |= FI_FRAG;
676 if (frpr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT) == IPPROTO_NONE)
679 extoff = (char *)fin->fin_exthdr - (char *)fin->fin_dp;
681 if (frpr_pullup(fin, sizeof(*frag)) == -1)
684 fin->fin_exthdr = (char *)fin->fin_dp + extoff;
685 frag = fin->fin_exthdr;
687 * Fragment but no fragmentation info set? Bad packet...
689 if (frag->ip6f_offlg == 0) {
690 fin->fin_flx |= FI_BAD;
694 fin->fin_off = ntohs(frag->ip6f_offlg & IP6F_OFF_MASK);
696 if (fin->fin_off != 0)
697 fin->fin_flx |= FI_FRAGBODY;
699 fin->fin_dp = (char *)fin->fin_dp + sizeof(*frag);
700 fin->fin_dlen -= sizeof(*frag);
702 return frag->ip6f_nxt;
706 /* ------------------------------------------------------------------------ */
707 /* Function: frpr_dstopts6 */
708 /* Returns: int - value of the next header or IPPROTO_NONE if error */
709 /* Parameters: fin(I) - pointer to packet information */
710 /* nextheader(I) - stores next header value */
713 /* This is function checks pending destination options extension header */
714 /* ------------------------------------------------------------------------ */
715 static INLINE int frpr_dstopts6(fin)
718 return frpr_ipv6exthdr(fin, 1, IPPROTO_DSTOPTS);
722 /* ------------------------------------------------------------------------ */
723 /* Function: frpr_icmp6 */
725 /* Parameters: fin(I) - pointer to packet information */
728 /* This routine is mainly concerned with determining the minimum valid size */
729 /* for an ICMPv6 packet. */
730 /* ------------------------------------------------------------------------ */
731 static INLINE void frpr_icmp6(fin)
734 int minicmpsz = sizeof(struct icmp6_hdr);
735 struct icmp6_hdr *icmp6;
737 if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN - sizeof(ip6_t)) == -1)
740 if (fin->fin_dlen > 1) {
745 fin->fin_data[0] = *(u_short *)icmp6;
747 switch (icmp6->icmp6_type)
749 case ICMP6_ECHO_REPLY :
750 case ICMP6_ECHO_REQUEST :
751 minicmpsz = ICMP6ERR_MINPKTLEN - sizeof(ip6_t);
753 case ICMP6_DST_UNREACH :
754 case ICMP6_PACKET_TOO_BIG :
755 case ICMP6_TIME_EXCEEDED :
756 case ICMP6_PARAM_PROB :
757 fin->fin_flx |= FI_ICMPERR;
758 minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
759 if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
762 if (M_LEN(fin->fin_m) < fin->fin_plen) {
763 if (fr_coalesce(fin) != 1)
768 * If the destination of this packet doesn't match the
769 * source of the original packet then this packet is
773 ip6 = (ip6_t *)((char *)icmp6 + ICMPERR_ICMPHLEN);
774 if (IP6_NEQ(&fin->fin_fi.fi_dst,
775 (i6addr_t *)&ip6->ip6_src))
776 fin->fin_flx |= FI_BAD;
784 frpr_short6(fin, minicmpsz);
788 /* ------------------------------------------------------------------------ */
789 /* Function: frpr_udp6 */
791 /* Parameters: fin(I) - pointer to packet information */
794 /* Analyse the packet for IPv6/UDP properties. */
795 /* Is not expected to be called for fragmented packets. */
796 /* ------------------------------------------------------------------------ */
797 static INLINE void frpr_udp6(fin)
801 frpr_short6(fin, sizeof(struct udphdr));
803 if (frpr_udpcommon(fin) == 0) {
804 u_char p = fin->fin_p;
806 fin->fin_p = IPPROTO_UDP;
813 /* ------------------------------------------------------------------------ */
814 /* Function: frpr_tcp6 */
816 /* Parameters: fin(I) - pointer to packet information */
819 /* Analyse the packet for IPv6/TCP properties. */
820 /* Is not expected to be called for fragmented packets. */
821 /* ------------------------------------------------------------------------ */
822 static INLINE void frpr_tcp6(fin)
826 frpr_short6(fin, sizeof(struct tcphdr));
828 if (frpr_tcpcommon(fin) == 0) {
829 u_char p = fin->fin_p;
831 fin->fin_p = IPPROTO_TCP;
838 /* ------------------------------------------------------------------------ */
839 /* Function: frpr_esp6 */
841 /* Parameters: fin(I) - pointer to packet information */
844 /* Analyse the packet for ESP properties. */
845 /* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
846 /* even though the newer ESP packets must also have a sequence number that */
847 /* is 32bits as well, it is not possible(?) to determine the version from a */
848 /* simple packet header. */
849 /* ------------------------------------------------------------------------ */
850 static INLINE void frpr_esp6(fin)
854 frpr_short6(fin, sizeof(grehdr_t));
856 (void) frpr_pullup(fin, 8);
860 /* ------------------------------------------------------------------------ */
861 /* Function: frpr_ah6 */
863 /* Parameters: fin(I) - pointer to packet information */
866 /* Analyse the packet for AH properties. */
867 /* The minimum length is taken to be the combination of all fields in the */
868 /* header being present and no authentication data (null algorithm used.) */
869 /* ------------------------------------------------------------------------ */
870 static INLINE int frpr_ah6(fin)
875 frpr_short6(fin, 12);
877 if (frpr_pullup(fin, sizeof(*ah)) == -1)
880 ah = (authhdr_t *)fin->fin_dp;
885 /* ------------------------------------------------------------------------ */
886 /* Function: frpr_gre6 */
888 /* Parameters: fin(I) - pointer to packet information */
890 /* Analyse the packet for GRE properties. */
891 /* ------------------------------------------------------------------------ */
892 static INLINE void frpr_gre6(fin)
897 frpr_short6(fin, sizeof(grehdr_t));
899 if (frpr_pullup(fin, sizeof(grehdr_t)) == -1)
903 if (GRE_REV(gre->gr_flags) == 1)
904 fin->fin_data[0] = gre->gr_call;
906 #endif /* USE_INET6 */
909 /* ------------------------------------------------------------------------ */
910 /* Function: frpr_pullup */
911 /* Returns: int - 0 == pullup succeeded, -1 == failure */
912 /* Parameters: fin(I) - pointer to packet information */
913 /* plen(I) - length (excluding L3 header) to pullup */
915 /* Short inline function to cut down on code duplication to perform a call */
916 /* to fr_pullup to ensure there is the required amount of data, */
917 /* consecutively in the packet buffer. */
919 /* This function pulls up 'extra' data at the location of fin_dp. fin_dp */
920 /* points to the first byte after the complete layer 3 header, which will */
921 /* include all of the known extension headers for IPv6 or options for IPv4. */
923 /* Since fr_pullup() expects the total length of bytes to be pulled up, it */
924 /* is necessary to add those we can already assume to be pulled up (fin_dp */
925 /* - fin_ip) to what is passed through. */
926 /* ------------------------------------------------------------------------ */
927 static INLINE int frpr_pullup(fin, plen)
931 if (fin->fin_m != NULL) {
932 if (fin->fin_dp != NULL)
933 plen += (char *)fin->fin_dp -
934 ((char *)fin->fin_ip + fin->fin_hlen);
935 plen += fin->fin_hlen;
936 if (M_LEN(fin->fin_m) < plen) {
938 if (fr_pullup(fin->fin_m, fin, plen) == NULL)
942 * Fake fr_pullup failing
955 /* ------------------------------------------------------------------------ */
956 /* Function: frpr_short */
958 /* Parameters: fin(I) - pointer to packet information */
959 /* xmin(I) - minimum header size */
961 /* Check if a packet is "short" as defined by xmin. The rule we are */
962 /* applying here is that the packet must not be fragmented within the layer */
963 /* 4 header. That is, it must not be a fragment that has its offset set to */
964 /* start within the layer 4 header (hdrmin) or if it is at offset 0, the */
965 /* entire layer 4 header must be present (min). */
966 /* ------------------------------------------------------------------------ */
967 static INLINE void frpr_short(fin, xmin)
972 if (fin->fin_off == 0) {
973 if (fin->fin_dlen < xmin)
974 fin->fin_flx |= FI_SHORT;
975 } else if (fin->fin_off < xmin) {
976 fin->fin_flx |= FI_SHORT;
981 /* ------------------------------------------------------------------------ */
982 /* Function: frpr_icmp */
984 /* Parameters: fin(I) - pointer to packet information */
987 /* Do a sanity check on the packet for ICMP (v4). In nearly all cases, */
988 /* except extrememly bad packets, both type and code will be present. */
989 /* The expected minimum size of an ICMP packet is very much dependent on */
990 /* the type of it. */
992 /* XXX - other ICMP sanity checks? */
993 /* ------------------------------------------------------------------------ */
994 static INLINE void frpr_icmp(fin)
997 int minicmpsz = sizeof(struct icmp);
1001 if (fin->fin_off != 0) {
1002 frpr_short(fin, ICMPERR_ICMPHLEN);
1006 if (frpr_pullup(fin, ICMPERR_ICMPHLEN) == -1)
1009 if (fin->fin_dlen > 1) {
1012 fin->fin_data[0] = *(u_short *)icmp;
1014 if (fin->fin_dlen >= 6) /* ID field */
1015 fin->fin_data[1] = icmp->icmp_id;
1017 switch (icmp->icmp_type)
1019 case ICMP_ECHOREPLY :
1021 /* Router discovery messaes - RFC 1256 */
1022 case ICMP_ROUTERADVERT :
1023 case ICMP_ROUTERSOLICIT :
1024 minicmpsz = ICMP_MINLEN;
1027 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
1028 * 3 * timestamp(3 * 4)
1031 case ICMP_TSTAMPREPLY :
1035 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
1039 case ICMP_MASKREPLY :
1043 * type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+)
1047 if (icmp->icmp_code == ICMP_UNREACH_NEEDFRAG) {
1048 if (icmp->icmp_nextmtu < fr_icmpminfragmtu)
1049 fin->fin_flx |= FI_BAD;
1052 case ICMP_SOURCEQUENCH :
1053 case ICMP_REDIRECT :
1054 case ICMP_TIMXCEED :
1055 case ICMP_PARAMPROB :
1056 fin->fin_flx |= FI_ICMPERR;
1057 if (fr_coalesce(fin) != 1)
1060 * ICMP error packets should not be generated for IP
1061 * packets that are a fragment that isn't the first
1064 oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN);
1065 if ((ntohs(oip->ip_off) & IP_OFFMASK) != 0)
1066 fin->fin_flx |= FI_BAD;
1069 * If the destination of this packet doesn't match the
1070 * source of the original packet then this packet is
1073 if (oip->ip_src.s_addr != fin->fin_daddr)
1074 fin->fin_flx |= FI_BAD;
1077 * If the destination of this packet doesn't match the
1078 * source of the original packet then this packet is
1081 if (oip->ip_src.s_addr != fin->fin_daddr)
1082 fin->fin_flx |= FI_BAD;
1089 frpr_short(fin, minicmpsz);
1091 if ((fin->fin_flx & FI_FRAG) == 0)
1096 /* ------------------------------------------------------------------------ */
1097 /* Function: frpr_tcpcommon */
1098 /* Returns: int - 0 = header ok, 1 = bad packet, -1 = buffer error */
1099 /* Parameters: fin(I) - pointer to packet information */
1101 /* TCP header sanity checking. Look for bad combinations of TCP flags, */
1102 /* and make some checks with how they interact with other fields. */
1103 /* If compiled with IPFILTER_CKSUM, check to see if the TCP checksum is */
1104 /* valid and mark the packet as bad if not. */
1105 /* ------------------------------------------------------------------------ */
1106 static INLINE int frpr_tcpcommon(fin)
1112 fin->fin_flx |= FI_TCPUDP;
1113 if (fin->fin_off != 0)
1116 if (frpr_pullup(fin, sizeof(*tcp)) == -1)
1120 if (fin->fin_dlen > 3) {
1121 fin->fin_sport = ntohs(tcp->th_sport);
1122 fin->fin_dport = ntohs(tcp->th_dport);
1125 if ((fin->fin_flx & FI_SHORT) != 0)
1129 * Use of the TCP data offset *must* result in a value that is at
1130 * least the same size as the TCP header.
1132 tlen = TCP_OFF(tcp) << 2;
1133 if (tlen < sizeof(tcphdr_t)) {
1134 fin->fin_flx |= FI_BAD;
1138 flags = tcp->th_flags;
1139 fin->fin_tcpf = tcp->th_flags;
1142 * If the urgent flag is set, then the urgent pointer must
1143 * also be set and vice versa. Good TCP packets do not have
1144 * just one of these set.
1146 if ((flags & TH_URG) != 0 && (tcp->th_urp == 0)) {
1147 fin->fin_flx |= FI_BAD;
1149 } else if ((flags & TH_URG) == 0 && (tcp->th_urp != 0)) {
1151 * Ignore this case (#if 0) as it shows up in "real"
1152 * traffic with bogus values in the urgent pointer field.
1154 fin->fin_flx |= FI_BAD;
1156 } else if (((flags & (TH_SYN|TH_FIN)) != 0) &&
1157 ((flags & (TH_RST|TH_ACK)) == TH_RST)) {
1158 /* TH_FIN|TH_RST|TH_ACK seems to appear "naturally" */
1159 fin->fin_flx |= FI_BAD;
1161 } else if (((flags & TH_SYN) != 0) &&
1162 ((flags & (TH_URG|TH_PUSH)) != 0)) {
1164 * SYN with URG and PUSH set is not for normal TCP but it is
1165 * possible(?) with T/TCP...but who uses T/TCP?
1167 fin->fin_flx |= FI_BAD;
1169 } else if (!(flags & TH_ACK)) {
1171 * If the ack bit isn't set, then either the SYN or
1172 * RST bit must be set. If the SYN bit is set, then
1173 * we expect the ACK field to be 0. If the ACK is
1174 * not set and if URG, PSH or FIN are set, consdier
1175 * that to indicate a bad TCP packet.
1177 if ((flags == TH_SYN) && (tcp->th_ack != 0)) {
1179 * Cisco PIX sets the ACK field to a random value.
1180 * In light of this, do not set FI_BAD until a patch
1181 * is available from Cisco to ensure that
1182 * interoperability between existing systems is
1185 /*fin->fin_flx |= FI_BAD*/;
1186 } else if (!(flags & (TH_RST|TH_SYN))) {
1187 fin->fin_flx |= FI_BAD;
1188 } else if ((flags & (TH_URG|TH_PUSH|TH_FIN)) != 0) {
1189 fin->fin_flx |= FI_BAD;
1194 * At this point, it's not exactly clear what is to be gained by
1195 * marking up which TCP options are and are not present. The one we
1196 * are most interested in is the TCP window scale. This is only in
1197 * a SYN packet [RFC1323] so we don't need this here...?
1198 * Now if we were to analyse the header for passive fingerprinting,
1199 * then that might add some weight to adding this...
1201 if (tlen == sizeof(tcphdr_t))
1204 if (frpr_pullup(fin, tlen) == -1)
1210 s = (u_char *)(tcp + 1);
1211 off = IP_HL(ip) << 2;
1213 if (fin->fin_mp != NULL) {
1214 mb_t *m = *fin->fin_mp;
1216 if (off + tlen > M_LEN(m))
1220 for (tlen -= (int)sizeof(*tcp); tlen > 0; ) {
1224 else if (opt == TCPOPT_NOP)
1230 if (ol < 2 || ol > tlen)
1234 for (i = 9, mv = 4; mv >= 0; ) {
1236 if (opt == (u_char)op->ol_val) {
1237 optmsk |= op->ol_bit;
1251 /* ------------------------------------------------------------------------ */
1252 /* Function: frpr_udpcommon */
1253 /* Returns: int - 0 = header ok, 1 = bad packet */
1254 /* Parameters: fin(I) - pointer to packet information */
1256 /* Extract the UDP source and destination ports, if present. If compiled */
1257 /* with IPFILTER_CKSUM, check to see if the UDP checksum is valid. */
1258 /* ------------------------------------------------------------------------ */
1259 static INLINE int frpr_udpcommon(fin)
1264 fin->fin_flx |= FI_TCPUDP;
1266 if (!fin->fin_off && (fin->fin_dlen > 3)) {
1267 if (frpr_pullup(fin, sizeof(*udp)) == -1) {
1268 fin->fin_flx |= FI_SHORT;
1274 fin->fin_sport = ntohs(udp->uh_sport);
1275 fin->fin_dport = ntohs(udp->uh_dport);
1282 /* ------------------------------------------------------------------------ */
1283 /* Function: frpr_tcp */
1285 /* Parameters: fin(I) - pointer to packet information */
1288 /* Analyse the packet for IPv4/TCP properties. */
1289 /* ------------------------------------------------------------------------ */
1290 static INLINE void frpr_tcp(fin)
1294 frpr_short(fin, sizeof(tcphdr_t));
1296 if (frpr_tcpcommon(fin) == 0) {
1297 if ((fin->fin_flx & FI_FRAG) == 0)
1303 /* ------------------------------------------------------------------------ */
1304 /* Function: frpr_udp */
1306 /* Parameters: fin(I) - pointer to packet information */
1309 /* Analyse the packet for IPv4/UDP properties. */
1310 /* ------------------------------------------------------------------------ */
1311 static INLINE void frpr_udp(fin)
1315 frpr_short(fin, sizeof(udphdr_t));
1317 if (frpr_udpcommon(fin) == 0) {
1318 if ((fin->fin_flx & FI_FRAG) == 0)
1324 /* ------------------------------------------------------------------------ */
1325 /* Function: frpr_esp */
1327 /* Parameters: fin(I) - pointer to packet information */
1329 /* Analyse the packet for ESP properties. */
1330 /* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
1331 /* even though the newer ESP packets must also have a sequence number that */
1332 /* is 32bits as well, it is not possible(?) to determine the version from a */
1333 /* simple packet header. */
1334 /* ------------------------------------------------------------------------ */
1335 static INLINE void frpr_esp(fin)
1339 if (fin->fin_off == 0) {
1341 (void) frpr_pullup(fin, 8);
1347 /* ------------------------------------------------------------------------ */
1348 /* Function: frpr_ah */
1350 /* Parameters: fin(I) - pointer to packet information */
1352 /* Analyse the packet for AH properties. */
1353 /* The minimum length is taken to be the combination of all fields in the */
1354 /* header being present and no authentication data (null algorithm used.) */
1355 /* ------------------------------------------------------------------------ */
1356 static INLINE void frpr_ah(fin)
1362 frpr_short(fin, sizeof(*ah));
1364 if (((fin->fin_flx & FI_SHORT) != 0) || (fin->fin_off != 0))
1367 if (frpr_pullup(fin, sizeof(*ah)) == -1)
1370 ah = (authhdr_t *)fin->fin_dp;
1372 len = (ah->ah_plen + 2) << 2;
1373 frpr_short(fin, len);
1377 /* ------------------------------------------------------------------------ */
1378 /* Function: frpr_gre */
1380 /* Parameters: fin(I) - pointer to packet information */
1382 /* Analyse the packet for GRE properties. */
1383 /* ------------------------------------------------------------------------ */
1384 static INLINE void frpr_gre(fin)
1389 frpr_short(fin, sizeof(*gre));
1391 if (fin->fin_off != 0)
1394 if (frpr_pullup(fin, sizeof(*gre)) == -1)
1397 if (fin->fin_off == 0) {
1399 if (GRE_REV(gre->gr_flags) == 1)
1400 fin->fin_data[0] = gre->gr_call;
1405 /* ------------------------------------------------------------------------ */
1406 /* Function: frpr_ipv4hdr */
1408 /* Parameters: fin(I) - pointer to packet information */
1411 /* Analyze the IPv4 header and set fields in the fr_info_t structure. */
1412 /* Check all options present and flag their presence if any exist. */
1413 /* ------------------------------------------------------------------------ */
1414 static INLINE void frpr_ipv4hdr(fin)
1417 u_short optmsk = 0, secmsk = 0, auth = 0;
1418 int hlen, ol, mv, p, i;
1419 const struct optlist *op;
1426 hlen = fin->fin_hlen;
1431 fi->fi_tos = ip->ip_tos;
1432 fin->fin_id = ip->ip_id;
1435 /* Get both TTL and protocol */
1436 fi->fi_p = ip->ip_p;
1437 fi->fi_ttl = ip->ip_ttl;
1439 (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
1442 /* Zero out bits not used in IPv6 address */
1443 fi->fi_src.i6[1] = 0;
1444 fi->fi_src.i6[2] = 0;
1445 fi->fi_src.i6[3] = 0;
1446 fi->fi_dst.i6[1] = 0;
1447 fi->fi_dst.i6[2] = 0;
1448 fi->fi_dst.i6[3] = 0;
1450 fi->fi_saddr = ip->ip_src.s_addr;
1451 fi->fi_daddr = ip->ip_dst.s_addr;
1454 * set packet attribute flags based on the offset and
1455 * calculate the byte offset that it represents.
1457 off &= IP_MF|IP_OFFMASK;
1459 int morefrag = off & IP_MF;
1461 fi->fi_flx |= FI_FRAG;
1464 fin->fin_flx |= FI_FRAGBODY;
1466 if ((off + fin->fin_dlen > 65535) ||
1467 (fin->fin_dlen == 0) ||
1468 ((morefrag != 0) && ((fin->fin_dlen & 7) != 0))) {
1470 * The length of the packet, starting at its
1471 * offset cannot exceed 65535 (0xffff) as the
1472 * length of an IP packet is only 16 bits.
1474 * Any fragment that isn't the last fragment
1475 * must have a length greater than 0 and it
1476 * must be an even multiple of 8.
1478 fi->fi_flx |= FI_BAD;
1485 * Call per-protocol setup and checking
1514 * If it is a standard IP header (no options), set the flag fields
1515 * which relate to options to 0.
1517 if (hlen == sizeof(*ip)) {
1525 * So the IP header has some IP options attached. Walk the entire
1526 * list of options present with this packet and set flags to indicate
1527 * which ones are here and which ones are not. For the somewhat out
1528 * of date and obscure security classification options, set a flag to
1529 * represent which classification is present.
1531 fi->fi_flx |= FI_OPTIONS;
1533 for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
1537 else if (opt == IPOPT_NOP)
1543 if (ol < 2 || ol > hlen)
1546 for (i = 9, mv = 4; mv >= 0; ) {
1548 if ((opt == (u_char)op->ol_val) && (ol > 4)) {
1549 optmsk |= op->ol_bit;
1550 if (opt == IPOPT_SECURITY) {
1551 const struct optlist *sp;
1555 sec = *(s + 2); /* classification */
1556 for (j = 3, m = 2; m >= 0; ) {
1558 if (sec == sp->ol_val) {
1559 secmsk |= sp->ol_bit;
1565 if (sec < sp->ol_val)
1574 if (opt < op->ol_val)
1587 if (auth && !(auth & 0x0100))
1589 fi->fi_optmsk = optmsk;
1590 fi->fi_secmsk = secmsk;
1595 /* ------------------------------------------------------------------------ */
1596 /* Function: fr_makefrip */
1598 /* Parameters: hlen(I) - length of IP packet header */
1599 /* ip(I) - pointer to the IP header */
1600 /* fin(IO) - pointer to packet information */
1602 /* Compact the IP header into a structure which contains just the info. */
1603 /* which is useful for comparing IP headers with and store this information */
1604 /* in the fr_info_t structure pointer to by fin. At present, it is assumed */
1605 /* this function will be called with either an IPv4 or IPv6 packet. */
1606 /* ------------------------------------------------------------------------ */
1607 int fr_makefrip(hlen, ip, fin)
1614 fin->fin_nat = NULL;
1615 fin->fin_state = NULL;
1617 fin->fin_hlen = (u_short)hlen;
1619 fin->fin_rule = 0xffffffff;
1620 fin->fin_group[0] = -1;
1621 fin->fin_group[1] = '\0';
1622 fin->fin_dp = (char *)ip + hlen;
1626 fin->fin_plen = ip->ip_len;
1627 fin->fin_dlen = fin->fin_plen - hlen;
1631 } else if (v == 6) {
1632 fin->fin_plen = ntohs(((ip6_t *)ip)->ip6_plen);
1633 fin->fin_dlen = fin->fin_plen;
1634 fin->fin_plen += hlen;
1636 if (frpr_ipv6hdr(fin) == -1)
1640 if (fin->fin_ip == NULL)
1646 /* ------------------------------------------------------------------------ */
1647 /* Function: fr_portcheck */
1648 /* Returns: int - 1 == port matched, 0 == port match failed */
1649 /* Parameters: frp(I) - pointer to port check `expression' */
1650 /* pop(I) - pointer to port number to evaluate */
1652 /* Perform a comparison of a port number against some other(s), using a */
1653 /* structure with compare information stored in it. */
1654 /* ------------------------------------------------------------------------ */
1655 static INLINE int fr_portcheck(frp, pop)
1666 * Do opposite test to that required and continue if that succeeds.
1668 switch (frp->frp_cmp)
1671 if (tup != po) /* EQUAL */
1675 if (tup == po) /* NOTEQUAL */
1679 if (tup >= po) /* LESSTHAN */
1683 if (tup <= po) /* GREATERTHAN */
1687 if (tup > po) /* LT or EQ */
1691 if (tup < po) /* GT or EQ */
1695 if (tup >= po && tup <= frp->frp_top) /* Out of range */
1699 if (tup <= po || tup >= frp->frp_top) /* In range */
1703 if (tup < po || tup > frp->frp_top) /* Inclusive range */
1713 /* ------------------------------------------------------------------------ */
1714 /* Function: fr_tcpudpchk */
1715 /* Returns: int - 1 == protocol matched, 0 == check failed */
1716 /* Parameters: fin(I) - pointer to packet information */
1717 /* ft(I) - pointer to structure with comparison data */
1719 /* Compares the current pcket (assuming it is TCP/UDP) information with a */
1720 /* structure containing information that we want to match against. */
1721 /* ------------------------------------------------------------------------ */
1722 int fr_tcpudpchk(fin, ft)
1729 * Both ports should *always* be in the first fragment.
1730 * So far, I cannot find any cases where they can not be.
1732 * compare destination ports
1735 err = fr_portcheck(&ft->ftu_dst, &fin->fin_dport);
1738 * compare source ports
1740 if (err && ft->ftu_scmp)
1741 err = fr_portcheck(&ft->ftu_src, &fin->fin_sport);
1744 * If we don't have all the TCP/UDP header, then how can we
1745 * expect to do any sort of match on it ? If we were looking for
1746 * TCP flags, then NO match. If not, then match (which should
1747 * satisfy the "short" class too).
1749 if (err && (fin->fin_p == IPPROTO_TCP)) {
1750 if (fin->fin_flx & FI_SHORT)
1751 return !(ft->ftu_tcpf | ft->ftu_tcpfm);
1753 * Match the flags ? If not, abort this match.
1755 if (ft->ftu_tcpfm &&
1756 ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
1757 FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
1758 ft->ftu_tcpfm, ft->ftu_tcpf));
1767 /* ------------------------------------------------------------------------ */
1768 /* Function: fr_ipfcheck */
1769 /* Returns: int - 0 == match, 1 == no match */
1770 /* Parameters: fin(I) - pointer to packet information */
1771 /* fr(I) - pointer to filter rule */
1772 /* portcmp(I) - flag indicating whether to attempt matching on */
1773 /* TCP/UDP port data. */
1775 /* Check to see if a packet matches an IPFilter rule. Checks of addresses, */
1776 /* port numbers, etc, for "standard" IPFilter rules are all orchestrated in */
1777 /* this function. */
1778 /* ------------------------------------------------------------------------ */
1779 static INLINE int fr_ipfcheck(fin, fr, portcmp)
1784 u_32_t *ld, *lm, *lip;
1792 lm = (u_32_t *)&fri->fri_mip;
1793 ld = (u_32_t *)&fri->fri_ip;
1796 * first 32 bits to check coversion:
1797 * IP version, TOS, TTL, protocol
1799 i = ((*lip & *lm) != *ld);
1800 FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
1801 ntohl(*lip), ntohl(*lm), ntohl(*ld)));
1806 * Next 32 bits is a constructed bitmask indicating which IP options
1807 * are present (if any) in this packet.
1810 i |= ((*lip & *lm) != *ld);
1811 FR_DEBUG(("1. %#08x & %#08x != %#08x\n",
1812 ntohl(*lip), ntohl(*lm), ntohl(*ld)));
1818 * Unrolled loops (4 each, for 32 bits) for address checks.
1821 * Check the source address.
1823 #ifdef IPFILTER_LOOKUP
1824 if (fr->fr_satype == FRI_LOOKUP) {
1825 i = (*fr->fr_srcfunc)(fr->fr_srcptr, fi->fi_v, lip);
1833 i = ((*lip & *lm) != *ld);
1834 FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
1835 ntohl(*lip), ntohl(*lm), ntohl(*ld)));
1836 if (fi->fi_v == 6) {
1838 i |= ((*lip & *lm) != *ld);
1839 FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
1840 ntohl(*lip), ntohl(*lm), ntohl(*ld)));
1842 i |= ((*lip & *lm) != *ld);
1843 FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
1844 ntohl(*lip), ntohl(*lm), ntohl(*ld)));
1846 i |= ((*lip & *lm) != *ld);
1847 FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
1848 ntohl(*lip), ntohl(*lm), ntohl(*ld)));
1854 #ifdef IPFILTER_LOOKUP
1857 i ^= (fr->fr_flags & FR_NOTSRCIP) >> 6;
1862 * Check the destination address.
1865 #ifdef IPFILTER_LOOKUP
1866 if (fr->fr_datype == FRI_LOOKUP) {
1867 i = (*fr->fr_dstfunc)(fr->fr_dstptr, fi->fi_v, lip);
1875 i = ((*lip & *lm) != *ld);
1876 FR_DEBUG(("3a. %#08x & %#08x != %#08x\n",
1877 ntohl(*lip), ntohl(*lm), ntohl(*ld)));
1878 if (fi->fi_v == 6) {
1880 i |= ((*lip & *lm) != *ld);
1881 FR_DEBUG(("3b. %#08x & %#08x != %#08x\n",
1882 ntohl(*lip), ntohl(*lm), ntohl(*ld)));
1884 i |= ((*lip & *lm) != *ld);
1885 FR_DEBUG(("3c. %#08x & %#08x != %#08x\n",
1886 ntohl(*lip), ntohl(*lm), ntohl(*ld)));
1888 i |= ((*lip & *lm) != *ld);
1889 FR_DEBUG(("3d. %#08x & %#08x != %#08x\n",
1890 ntohl(*lip), ntohl(*lm), ntohl(*ld)));
1896 #ifdef IPFILTER_LOOKUP
1899 i ^= (fr->fr_flags & FR_NOTDSTIP) >> 7;
1903 * IP addresses matched. The next 32bits contains:
1904 * mast of old IP header security & authentication bits.
1907 i |= ((*lip & *lm) != *ld);
1908 FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
1912 * Next we have 32 bits of packet flags.
1915 i |= ((*lip & *lm) != *ld);
1916 FR_DEBUG(("5. %#08x & %#08x != %#08x\n",
1921 * If a fragment, then only the first has what we're
1922 * looking for here...
1925 if (!fr_tcpudpchk(fin, &fr->fr_tuc))
1928 if (fr->fr_dcmp || fr->fr_scmp ||
1929 fr->fr_tcpf || fr->fr_tcpfm)
1931 if (fr->fr_icmpm || fr->fr_icmp) {
1932 if (((fi->fi_p != IPPROTO_ICMP) &&
1933 (fi->fi_p != IPPROTO_ICMPV6)) ||
1934 fin->fin_off || (fin->fin_dlen < 2))
1936 else if ((fin->fin_data[0] & fr->fr_icmpm) !=
1938 FR_DEBUG(("i. %#x & %#x != %#x\n",
1940 fr->fr_icmpm, fr->fr_icmp));
1950 /* ------------------------------------------------------------------------ */
1951 /* Function: fr_scanlist */
1952 /* Returns: int - result flags of scanning filter list */
1953 /* Parameters: fin(I) - pointer to packet information */
1954 /* pass(I) - default result to return for filtering */
1956 /* Check the input/output list of rules for a match to the current packet. */
1957 /* If a match is found, the value of fr_flags from the rule becomes the */
1958 /* return value and fin->fin_fr points to the matched rule. */
1960 /* This function may be called recusively upto 16 times (limit inbuilt.) */
1961 /* When unwinding, it should finish up with fin_depth as 0. */
1963 /* Could be per interface, but this gets real nasty when you don't have, */
1964 /* or can't easily change, the kernel source code to . */
1965 /* ------------------------------------------------------------------------ */
1966 int fr_scanlist(fin, pass)
1970 int rulen, portcmp, off, skip;
1971 struct frentry *fr, *fnext;
1972 u_32_t passt, passo;
1975 * Do not allow nesting deeper than 16 levels.
1977 if (fin->fin_depth >= 16)
1983 * If there are no rules in this list, return now.
1994 if ((fin->fin_flx & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
1997 for (rulen = 0; fr; fr = fnext, rulen++) {
1998 fnext = fr->fr_next;
2000 FR_VERBOSE(("%d (%#x)\n", skip, fr->fr_flags));
2006 * In all checks below, a null (zero) value in the
2007 * filter struture is taken to mean a wildcard.
2009 * check that we are working for the right interface
2012 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
2015 if (opts & (OPT_VERBOSE|OPT_DEBUG))
2017 FR_VERBOSE(("%c", FR_ISSKIP(pass) ? 's' :
2018 FR_ISPASS(pass) ? 'p' :
2019 FR_ISACCOUNT(pass) ? 'A' :
2020 FR_ISAUTH(pass) ? 'a' :
2021 (pass & FR_NOMATCH) ? 'n' :'b'));
2022 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
2027 switch (fr->fr_type)
2030 case FR_T_IPF|FR_T_BUILTIN :
2031 if (fr_ipfcheck(fin, fr, portcmp))
2034 #if defined(IPFILTER_BPF)
2036 case FR_T_BPFOPC|FR_T_BUILTIN :
2040 if (*fin->fin_mp == NULL)
2042 if (fin->fin_v != fr->fr_v)
2044 mc = (u_char *)fin->fin_m;
2045 if (!bpf_filter(fr->fr_data, mc, fin->fin_plen, 0))
2050 case FR_T_CALLFUNC|FR_T_BUILTIN :
2054 f = (*fr->fr_func)(fin, &pass);
2065 if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
2066 if (fin->fin_nattag == NULL)
2068 if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) == 0)
2071 FR_VERBOSE(("=%s.%d *", fr->fr_group, rulen));
2073 passt = fr->fr_flags;
2076 * Allowing a rule with the "keep state" flag set to match
2077 * packets that have been tagged "out of window" by the TCP
2078 * state tracking is foolish as the attempt to add a new
2079 * state entry to the table will fail.
2081 if ((passt & FR_KEEPSTATE) && (fin->fin_flx & FI_OOW))
2085 * If the rule is a "call now" rule, then call the function
2086 * in the rule, if it exists and use the results from that.
2087 * If the function pointer is bad, just make like we ignore
2088 * it, except for increasing the hit counter.
2090 if ((passt & FR_CALLNOW) != 0) {
2093 ATOMIC_INC64(fr->fr_hits);
2094 if ((fr->fr_func != NULL) &&
2095 (fr->fr_func == (ipfunc_t)-1))
2100 fr = (*fr->fr_func)(fin, &passt);
2105 passt = fr->fr_flags;
2111 * Just log this packet...
2113 if ((passt & FR_LOGMASK) == FR_LOG) {
2114 if (ipflog(fin, passt) == -1) {
2115 if (passt & FR_LOGORBLOCK) {
2116 passt &= ~FR_CMDMASK;
2117 passt |= FR_BLOCK|FR_QUICK;
2119 ATOMIC_INCL(frstats[fin->fin_out].fr_skip);
2121 ATOMIC_INCL(frstats[fin->fin_out].fr_pkl);
2122 fin->fin_flx |= FI_DONTCACHE;
2124 #endif /* IPFILTER_LOG */
2125 fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
2127 if (FR_ISSKIP(passt))
2129 else if ((passt & FR_LOGMASK) != FR_LOG)
2131 if (passt & (FR_RETICMP|FR_FAKEICMP))
2132 fin->fin_icode = fr->fr_icode;
2133 FR_DEBUG(("pass %#x\n", pass));
2134 ATOMIC_INC64(fr->fr_hits);
2135 fin->fin_rule = rulen;
2136 (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
2137 if (fr->fr_grp != NULL) {
2138 fin->fin_fr = *fr->fr_grp;
2139 passt = fr_scanlist(fin, pass);
2140 if (fin->fin_fr == NULL) {
2141 fin->fin_rule = rulen;
2142 (void) strncpy(fin->fin_group, fr->fr_group,
2150 if (passt & FR_QUICK) {
2152 * Finally, if we've asked to track state for this
2153 * packet, set it up. Add state for "quick" rules
2154 * here so that if the action fails we can consider
2155 * the rule to "not match" and keep on processing
2158 if ((pass & FR_KEEPSTATE) &&
2159 !(fin->fin_flx & FI_STATE)) {
2160 int out = fin->fin_out;
2163 if (fr_addstate(fin, NULL, 0) != NULL) {
2164 ATOMIC_INCL(frstats[out].fr_ads);
2166 ATOMIC_INCL(frstats[out].fr_bads);
2179 /* ------------------------------------------------------------------------ */
2180 /* Function: fr_acctpkt */
2181 /* Returns: frentry_t* - always returns NULL */
2182 /* Parameters: fin(I) - pointer to packet information */
2183 /* passp(IO) - pointer to current/new filter decision (unused) */
2185 /* Checks a packet against accounting rules, if there are any for the given */
2186 /* IP protocol version. */
2188 /* N.B.: this function returns NULL to match the prototype used by other */
2189 /* functions called from the IPFilter "mainline" in fr_check(). */
2190 /* ------------------------------------------------------------------------ */
2191 frentry_t *fr_acctpkt(fin, passp)
2195 char group[FR_GROUPLEN];
2196 frentry_t *fr, *frsave;
2201 if (fin->fin_v == 6)
2202 fr = ipacct6[fin->fin_out][fr_active];
2205 fr = ipacct[fin->fin_out][fr_active];
2208 frsave = fin->fin_fr;
2209 bcopy(fin->fin_group, group, FR_GROUPLEN);
2210 rulen = fin->fin_rule;
2212 pass = fr_scanlist(fin, FR_NOMATCH);
2213 if (FR_ISACCOUNT(pass)) {
2214 ATOMIC_INCL(frstats[0].fr_acct);
2216 fin->fin_fr = frsave;
2217 bcopy(group, fin->fin_group, FR_GROUPLEN);
2218 fin->fin_rule = rulen;
2224 /* ------------------------------------------------------------------------ */
2225 /* Function: fr_firewall */
2226 /* Returns: frentry_t* - returns pointer to matched rule, if no matches */
2227 /* were found, returns NULL. */
2228 /* Parameters: fin(I) - pointer to packet information */
2229 /* passp(IO) - pointer to current/new filter decision (unused) */
2231 /* Applies an appropriate set of firewall rules to the packet, to see if */
2232 /* there are any matches. The first check is to see if a match can be seen */
2233 /* in the cache. If not, then search an appropriate list of rules. Once a */
2234 /* matching rule is found, take any appropriate actions as defined by the */
2235 /* rule - except logging. */
2236 /* ------------------------------------------------------------------------ */
2237 static frentry_t *fr_firewall(fin, passp)
2250 * If a packet is found in the auth table, then skip checking
2251 * the access lists for permission but we do need to consider
2252 * the result as if it were from the ACL's.
2254 fc = &frcache[out][CACHE_HASH(fin)];
2255 READ_ENTER(&ipf_frcache);
2256 if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
2258 * copy cached data so we can unlock the mutexes earlier.
2260 bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
2261 RWLOCK_EXIT(&ipf_frcache);
2262 ATOMIC_INCL(frstats[out].fr_chit);
2264 if ((fr = fin->fin_fr) != NULL) {
2265 ATOMIC_INC64(fr->fr_hits);
2266 pass = fr->fr_flags;
2269 RWLOCK_EXIT(&ipf_frcache);
2272 if (fin->fin_v == 6)
2273 fin->fin_fr = ipfilter6[out][fr_active];
2276 fin->fin_fr = ipfilter[out][fr_active];
2277 if (fin->fin_fr != NULL)
2278 pass = fr_scanlist(fin, fr_pass);
2280 if (((pass & FR_KEEPSTATE) == 0) &&
2281 ((fin->fin_flx & FI_DONTCACHE) == 0)) {
2282 WRITE_ENTER(&ipf_frcache);
2283 bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
2284 RWLOCK_EXIT(&ipf_frcache);
2286 if ((pass & FR_NOMATCH)) {
2287 ATOMIC_INCL(frstats[out].fr_nom);
2293 * Apply packets per second rate-limiting to a rule as required.
2295 if ((fr != NULL) && (fr->fr_pps != 0) &&
2296 !ppsratecheck(&fr->fr_lastpkt, &fr->fr_curpps, fr->fr_pps)) {
2297 pass &= ~(FR_CMDMASK|FR_DUP|FR_RETICMP|FR_RETRST);
2299 ATOMIC_INCL(frstats[out].fr_ppshit);
2303 * If we fail to add a packet to the authorization queue, then we
2304 * drop the packet later. However, if it was added then pretend
2305 * we've dropped it already.
2307 if (FR_ISAUTH(pass)) {
2308 if (fr_newauth(fin->fin_m, fin) != 0) {
2310 fin->fin_m = *fin->fin_mp = NULL;
2316 fin->fin_error = ENOSPC;
2319 if ((fr != NULL) && (fr->fr_func != NULL) &&
2320 (fr->fr_func != (ipfunc_t)-1) && !(pass & FR_CALLNOW))
2321 (void) (*fr->fr_func)(fin, &pass);
2324 * If a rule is a pre-auth rule, check again in the list of rules
2325 * loaded for authenticated use. It does not particulary matter
2326 * if this search fails because a "preauth" result, from a rule,
2327 * is treated as "not a pass", hence the packet is blocked.
2329 if (FR_ISPREAUTH(pass)) {
2330 if ((fin->fin_fr = ipauth) != NULL)
2331 pass = fr_scanlist(fin, fr_pass);
2335 * If the rule has "keep frag" and the packet is actually a fragment,
2336 * then create a fragment state entry.
2338 if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
2339 if (fin->fin_flx & FI_FRAG) {
2340 if (fr_newfrag(fin, pass) == -1) {
2341 ATOMIC_INCL(frstats[out].fr_bnfr);
2343 ATOMIC_INCL(frstats[out].fr_nfr);
2346 ATOMIC_INCL(frstats[out].fr_cfr);
2359 /* ------------------------------------------------------------------------ */
2360 /* Function: fr_check */
2361 /* Returns: int - 0 == packet allowed through, */
2363 /* -1 == packet blocked */
2364 /* 1 == packet not matched */
2365 /* -2 == requires authentication */
2367 /* > 0 == filter error # for packet */
2368 /* Parameters: ip(I) - pointer to start of IPv4/6 packet */
2369 /* hlen(I) - length of header */
2370 /* ifp(I) - pointer to interface this packet is on */
2371 /* out(I) - 0 == packet going in, 1 == packet going out */
2372 /* mp(IO) - pointer to caller's buffer pointer that holds this */
2374 /* Solaris & HP-UX ONLY : */
2375 /* qpi(I) - pointer to STREAMS queue information for this */
2376 /* interface & direction. */
2378 /* fr_check() is the master function for all IPFilter packet processing. */
2379 /* It orchestrates: Network Address Translation (NAT), checking for packet */
2380 /* authorisation (or pre-authorisation), presence of related state info., */
2381 /* generating log entries, IP packet accounting, routing of packets as */
2382 /* directed by firewall rules and of course whether or not to allow the */
2383 /* packet to be further processed by the kernel. */
2385 /* For packets blocked, the contents of "mp" will be NULL'd and the buffer */
2386 /* freed. Packets passed may be returned with the pointer pointed to by */
2387 /* by "mp" changed to a new buffer. */
2388 /* ------------------------------------------------------------------------ */
2389 int fr_check(ip, hlen, ifp, out
2390 #if defined(_KERNEL) && defined(MENTAT)
2403 * The above really sucks, but short of writing a diff
2406 fr_info_t *fin = &frinfo;
2407 u_32_t pass = fr_pass;
2408 frentry_t *fr = NULL;
2413 * The first part of fr_check() deals with making sure that what goes
2414 * into the filtering engine makes some sense. Information about the
2415 * the packet is distilled, collected into a fr_info_t structure and
2416 * the an attempt to ensure the buffer the packet is in is big enough
2417 * to hold all the required packet headers.
2421 qpktinfo_t *qpi = qif;
2423 # if !defined(_INET_IP_STACK_H)
2424 if ((u_int)ip & 0x3)
2431 READ_ENTER(&ipf_global);
2433 if (fr_running <= 0) {
2434 RWLOCK_EXIT(&ipf_global);
2438 bzero((char *)fin, sizeof(*fin));
2441 if (qpi->qpi_flags & QF_GROUP)
2442 fin->fin_flx |= FI_MBCAST;
2450 # if defined(M_MCAST)
2451 if ((m->m_flags & M_MCAST) != 0)
2452 fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
2454 # if defined(M_MLOOP)
2455 if ((m->m_flags & M_MLOOP) != 0)
2456 fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
2458 # if defined(M_BCAST)
2459 if ((m->m_flags & M_BCAST) != 0)
2460 fin->fin_flx |= FI_MBCAST|FI_BROADCAST;
2462 # ifdef M_CANFASTFWD
2464 * XXX For now, IP Filter and fast-forwarding of cached flows
2465 * XXX are mutually exclusive. Eventually, IP Filter should
2466 * XXX get a "can-fast-forward" filter rule.
2468 m->m_flags &= ~M_CANFASTFWD;
2469 # endif /* M_CANFASTFWD */
2470 # ifdef CSUM_DELAY_DATA
2472 * disable delayed checksums.
2474 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
2475 in_delayed_cksum(m);
2476 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
2478 # endif /* CSUM_DELAY_DATA */
2479 # endif /* MENTAT */
2481 READ_ENTER(&ipf_global);
2483 bzero((char *)fin, sizeof(*fin));
2485 #endif /* _KERNEL */
2493 fin->fin_error = ENETUNREACH;
2494 fin->fin_hlen = (u_short)hlen;
2495 fin->fin_dp = (char *)ip + hlen;
2497 fin->fin_ipoff = (char *)ip - MTOD(m, char *);
2503 ATOMIC_INCL(frstats[out].fr_ipv6);
2505 * Jumbo grams are quite likely too big for internal buffer
2506 * structures to handle comfortably, for now, so just drop
2509 if (((ip6_t *)ip)->ip6_plen == 0) {
2510 pass = FR_BLOCK|FR_NOMATCH;
2516 #if (defined(OpenBSD) && (OpenBSD >= 200311)) && defined(_KERNEL)
2517 ip->ip_len = ntohs(ip->ip_len);
2518 ip->ip_off = ntohs(ip->ip_off);
2522 if (fr_makefrip(hlen, ip, fin) == -1) {
2523 pass = FR_BLOCK|FR_NOMATCH;
2528 * For at least IPv6 packets, if a m_pullup() fails then this pointer
2529 * becomes NULL and so we have no packet to free.
2531 if (*fin->fin_mp == NULL)
2537 if (fr_chksrc && !fr_verifysrc(fin)) {
2538 ATOMIC_INCL(frstats[0].fr_badsrc);
2539 fin->fin_flx |= FI_BADSRC;
2542 if (fin->fin_ip->ip_ttl < fr_minttl) {
2543 ATOMIC_INCL(frstats[0].fr_badttl);
2544 fin->fin_flx |= FI_LOWTTL;
2549 if (((ip6_t *)ip)->ip6_hlim < fr_minttl) {
2550 ATOMIC_INCL(frstats[0].fr_badttl);
2551 fin->fin_flx |= FI_LOWTTL;
2557 if (fin->fin_flx & FI_SHORT) {
2558 ATOMIC_INCL(frstats[out].fr_short);
2561 READ_ENTER(&ipf_mutex);
2564 * Check auth now. This, combined with the check below to see if apass
2565 * is 0 is to ensure that we don't count the packet twice, which can
2566 * otherwise occur when we reprocess it. As it is, we only count it
2567 * after it has no auth. table matchup. This also stops NAT from
2568 * occuring until after the packet has been auth'd.
2570 fr = fr_checkauth(fin, &pass);
2572 if (fr_checknatin(fin, &pass) == -1) {
2577 (void) fr_acctpkt(fin, NULL);
2580 if ((fin->fin_flx & (FI_FRAG|FI_BAD)) == FI_FRAG) {
2581 fr = fr_knownfrag(fin, &pass);
2583 * Reset the keep state flag here so that we don't
2584 * try and add a new state entry because of it, leading
2585 * to a blocked packet because the add will fail.
2588 pass &= ~FR_KEEPSTATE;
2591 fr = fr_checkstate(fin, &pass);
2594 if ((pass & FR_NOMATCH) || (fr == NULL))
2595 fr = fr_firewall(fin, &pass);
2598 * If we've asked to track state for this packet, set it up.
2599 * Here rather than fr_firewall because fr_checkauth may decide
2600 * to return a packet for "keep state"
2602 if ((pass & FR_KEEPSTATE) && (fin->fin_m != NULL) &&
2603 !(fin->fin_flx & FI_STATE)) {
2604 if (fr_addstate(fin, NULL, 0) != NULL) {
2605 ATOMIC_INCL(frstats[out].fr_ads);
2607 ATOMIC_INCL(frstats[out].fr_bads);
2608 if (FR_ISPASS(pass)) {
2609 pass &= ~FR_CMDMASK;
2618 * Only count/translate packets which will be passed on, out the
2621 if (out && FR_ISPASS(pass)) {
2622 (void) fr_acctpkt(fin, NULL);
2624 if (fr_checknatout(fin, &pass) == -1) {
2626 } else if ((fr_update_ipid != 0) && (v == 4)) {
2627 if (fr_updateipid(fin) == -1) {
2628 ATOMIC_INCL(frstats[1].fr_ipud);
2629 pass &= ~FR_CMDMASK;
2632 ATOMIC_INCL(frstats[0].fr_ipud);
2639 if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
2640 (void) fr_dolog(fin, &pass);
2645 * The FI_STATE flag is cleared here so that calling fr_checkstate
2646 * will work when called from inside of fr_fastroute. Although
2647 * there is a similar flag, FI_NATED, for NAT, it does have the same
2648 * impact on code execution.
2650 if (fin->fin_state != NULL) {
2651 fr_statederef((ipstate_t **)&fin->fin_state);
2652 fin->fin_flx ^= FI_STATE;
2655 if (fin->fin_nat != NULL) {
2656 if (FR_ISBLOCK(pass) && (fin->fin_flx & FI_NEWNAT)) {
2657 WRITE_ENTER(&ipf_nat);
2658 nat_delete((nat_t *)fin->fin_nat, NL_DESTROY);
2659 RWLOCK_EXIT(&ipf_nat);
2660 fin->fin_nat = NULL;
2662 fr_natderef((nat_t **)&fin->fin_nat);
2667 * Up the reference on fr_lock and exit ipf_mutex. fr_fastroute
2668 * only frees up the lock on ipf_global and the generation of a
2669 * packet below could cause a recursive call into IPFilter.
2670 * Hang onto the filter rule just in case someone decides to remove
2671 * or flush it in the meantime.
2674 MUTEX_ENTER(&fr->fr_lock);
2676 MUTEX_EXIT(&fr->fr_lock);
2679 RWLOCK_EXIT(&ipf_mutex);
2681 if ((pass & FR_RETMASK) != 0) {
2683 * Should we return an ICMP packet to indicate error
2684 * status passing through the packet filter ?
2685 * WARNING: ICMP error packets AND TCP RST packets should
2686 * ONLY be sent in repsonse to incoming packets. Sending them
2687 * in response to outbound packets can result in a panic on
2688 * some operating systems.
2691 if (pass & FR_RETICMP) {
2694 if ((pass & FR_RETMASK) == FR_FAKEICMP)
2698 (void) fr_send_icmp_err(ICMP_UNREACH, fin, dst);
2699 ATOMIC_INCL(frstats[0].fr_ret);
2700 } else if (((pass & FR_RETMASK) == FR_RETRST) &&
2701 !(fin->fin_flx & FI_SHORT)) {
2702 if (((fin->fin_flx & FI_OOW) != 0) ||
2703 (fr_send_reset(fin) == 0)) {
2704 ATOMIC_INCL(frstats[1].fr_ret);
2709 * When using return-* with auth rules, the auth code
2710 * takes over disposing of this packet.
2712 if (FR_ISAUTH(pass) && (fin->fin_m != NULL)) {
2713 fin->fin_m = *fin->fin_mp = NULL;
2716 if (pass & FR_RETRST)
2717 fin->fin_error = ECONNRESET;
2722 * If we didn't drop off the bottom of the list of rules (and thus
2723 * the 'current' rule fr is not NULL), then we may have some extra
2724 * instructions about what to do with a packet.
2725 * Once we're finished return to our caller, freeing the packet if
2726 * we are dropping it (* BSD ONLY *).
2731 fdp = &fr->fr_tifs[fin->fin_rev];
2733 if (!out && (pass & FR_FASTROUTE)) {
2735 * For fastroute rule, no destioation interface defined
2736 * so pass NULL as the frdest_t parameter
2738 (void) fr_fastroute(fin->fin_m, mp, fin, NULL);
2740 } else if ((fdp->fd_ifp != NULL) &&
2741 (fdp->fd_ifp != (struct ifnet *)-1)) {
2742 /* this is for to rules: */
2743 (void) fr_fastroute(fin->fin_m, mp, fin, fdp);
2748 * Generate a duplicated packet.
2750 if ((pass & FR_DUP) != 0) {
2751 mc = M_DUPLICATE(fin->fin_m);
2753 (void) fr_fastroute(mc, &mc, fin, &fr->fr_dif);
2756 (void) fr_derefrule(&fr);
2760 if (!FR_ISPASS(pass)) {
2761 ATOMIC_INCL(frstats[out].fr_block);
2767 ATOMIC_INCL(frstats[out].fr_pass);
2768 #if defined(_KERNEL) && defined(__sgi)
2769 if ((fin->fin_hbuf != NULL) &&
2770 (mtod(fin->fin_m, struct ip *) != fin->fin_ip)) {
2771 COPYBACK(fin->fin_m, 0, fin->fin_plen, fin->fin_hbuf);
2777 RWLOCK_EXIT(&ipf_global);
2780 # if (defined(OpenBSD) && (OpenBSD >= 200311))
2781 if (FR_ISPASS(pass) && (v == 4)) {
2783 ip->ip_len = ntohs(ip->ip_len);
2784 ip->ip_off = ntohs(ip->ip_off);
2787 return (FR_ISPASS(pass)) ? 0 : fin->fin_error;
2789 FR_VERBOSE(("fin_flx %#x pass %#x ", fin->fin_flx, pass));
2790 if ((pass & FR_NOMATCH) != 0)
2793 if ((pass & FR_RETMASK) != 0)
2794 switch (pass & FR_RETMASK)
2804 switch (pass & FR_CMDMASK)
2818 #endif /* _KERNEL */
2823 /* ------------------------------------------------------------------------ */
2824 /* Function: fr_dolog */
2825 /* Returns: frentry_t* - returns contents of fin_fr (no change made) */
2826 /* Parameters: fin(I) - pointer to packet information */
2827 /* passp(IO) - pointer to current/new filter decision (unused) */
2829 /* Checks flags set to see how a packet should be logged, if it is to be */
2830 /* logged. Adjust statistics based on its success or not. */
2831 /* ------------------------------------------------------------------------ */
2832 frentry_t *fr_dolog(fin, passp)
2842 if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
2843 pass |= FF_LOGNOMATCH;
2844 ATOMIC_INCL(frstats[out].fr_npkl);
2846 } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
2847 (FR_ISPASS(pass) && (fr_flags & FF_LOGPASS))) {
2848 if ((pass & FR_LOGMASK) != FR_LOGP)
2850 ATOMIC_INCL(frstats[out].fr_ppkl);
2852 } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
2853 (FR_ISBLOCK(pass) && (fr_flags & FF_LOGBLOCK))) {
2854 if ((pass & FR_LOGMASK) != FR_LOGB)
2855 pass |= FF_LOGBLOCK;
2856 ATOMIC_INCL(frstats[out].fr_bpkl);
2858 if (ipflog(fin, pass) == -1) {
2859 ATOMIC_INCL(frstats[out].fr_skip);
2862 * If the "or-block" option has been used then
2863 * block the packet if we failed to log it.
2865 if ((pass & FR_LOGORBLOCK) &&
2867 pass &= ~FR_CMDMASK;
2876 #endif /* IPFILTER_LOG */
2879 /* ------------------------------------------------------------------------ */
2880 /* Function: ipf_cksum */
2881 /* Returns: u_short - IP header checksum */
2882 /* Parameters: addr(I) - pointer to start of buffer to checksum */
2883 /* len(I) - length of buffer in bytes */
2885 /* Calculate the two's complement 16 bit checksum of the buffer passed. */
2887 /* N.B.: addr should be 16bit aligned. */
2888 /* ------------------------------------------------------------------------ */
2889 u_short ipf_cksum(addr, len)
2895 for (sum = 0; len > 1; len -= 2)
2898 /* mop up an odd byte, if necessary */
2900 sum += *(u_char *)addr;
2903 * add back carry outs from top 16 bits to low 16 bits
2905 sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
2906 sum += (sum >> 16); /* add carry */
2907 return (u_short)(~sum);
2911 /* ------------------------------------------------------------------------ */
2912 /* Function: fr_cksum */
2913 /* Returns: u_short - layer 4 checksum */
2914 /* Parameters: m(I ) - pointer to buffer holding packet */
2915 /* ip(I) - pointer to IP header */
2916 /* l4proto(I) - protocol to caclulate checksum for */
2917 /* l4hdr(I) - pointer to layer 4 header */
2918 /* l3len(I) - length of layer 4 data plus layer 3 header */
2920 /* Calculates the TCP checksum for the packet held in "m", using the data */
2921 /* in the IP header "ip" to seed it. */
2923 /* NB: This function assumes we've pullup'd enough for all of the IP header */
2924 /* and the TCP header. We also assume that data blocks aren't allocated in */
2927 /* For IPv6, l3len excludes extension header size. */
2929 /* Expects ip_len to be in host byte order when called. */
2930 /* ------------------------------------------------------------------------ */
2931 u_short fr_cksum(m, ip, l4proto, l4hdr, l3len)
2937 u_short *sp, slen, sumsave, l4hlen, *csump;
2953 * Add up IP Header portion
2956 if (IP_V(ip) == 4) {
2958 hlen = IP_HL(ip) << 2;
2959 slen = l3len - hlen;
2960 sum = htons((u_short)l4proto);
2962 sp = (u_short *)&ip->ip_src;
2963 sum += *sp++; /* ip_src */
2965 sum += *sp++; /* ip_dst */
2968 } else if (IP_V(ip) == 6) {
2970 hlen = sizeof(*ip6);
2971 slen = l3len - hlen;
2972 sum = htons((u_short)l4proto);
2974 sp = (u_short *)&ip6->ip6_src;
2975 sum += *sp++; /* ip6_src */
2983 sum += *sp++; /* ip6_dst */
2997 csump = &((udphdr_t *)l4hdr)->uh_sum;
2998 l4hlen = sizeof(udphdr_t);
3002 csump = &((tcphdr_t *)l4hdr)->th_sum;
3003 l4hlen = sizeof(tcphdr_t);
3006 csump = &((icmphdr_t *)l4hdr)->icmp_cksum;
3014 if (csump != NULL) {
3019 l4hlen = l4hlen; /* LINT */
3024 void *rp = m->b_rptr;
3026 if ((unsigned char *)ip > m->b_rptr && (unsigned char *)ip < m->b_wptr)
3027 m->b_rptr = (u_char *)ip;
3028 sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */
3030 sum2 = (u_short)(~sum2 & 0xffff);
3033 # if defined(BSD) || defined(sun)
3040 sum2 = in_cksum(m, slen);
3048 * Both sum and sum2 are partial sums, so combine them together.
3050 sum += ~sum2 & 0xffff;
3051 while (sum > 0xffff)
3052 sum = (sum & 0xffff) + (sum >> 16);
3053 sum2 = ~sum & 0xffff;
3054 # else /* defined(BSD) || defined(sun) */
3060 u_short len = ip->ip_len;
3066 * Add up IP Header portion
3068 if (sp != (u_short *)l4hdr)
3069 sp = (u_short *)l4hdr;
3074 sum += *sp++; /* sport */
3075 sum += *sp++; /* dport */
3076 sum += *sp++; /* udp length */
3077 sum += *sp++; /* checksum */
3081 sum += *sp++; /* sport */
3082 sum += *sp++; /* dport */
3083 sum += *sp++; /* seq */
3085 sum += *sp++; /* ack */
3087 sum += *sp++; /* off */
3088 sum += *sp++; /* win */
3089 sum += *sp++; /* checksum */
3090 sum += *sp++; /* urp */
3093 sum = *sp++; /* type/code */
3094 sum += *sp++; /* checksum */
3100 * In case we had to copy the IP & TCP header out of mbufs,
3101 * skip over the mbuf bits which are the header
3103 if ((char *)ip != mtod(m, char *)) {
3104 hlen = (char *)sp - (char *)ip;
3106 add = MIN(hlen, m->m_len);
3107 sp = (u_short *)(mtod(m, caddr_t) + add);
3109 if (add == m->m_len) {
3114 sp = mtod(m, u_short *);
3116 PANIC((!m),("fr_cksum(1): not enough data"));
3122 len -= (l4hlen + hlen);
3127 if (((char *)sp - mtod(m, char *)) >= m->m_len) {
3129 PANIC((!m),("fr_cksum(2): not enough data"));
3130 sp = mtod(m, u_short *);
3132 if (((char *)(sp + 1) - mtod(m, char *)) > m->m_len) {
3133 bytes.c[0] = *(u_char *)sp;
3135 PANIC((!m),("fr_cksum(3): not enough data"));
3136 sp = mtod(m, u_short *);
3137 bytes.c[1] = *(u_char *)sp;
3139 sp = (u_short *)((u_char *)sp + 1);
3141 if ((u_long)sp & 1) {
3142 bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
3150 sum += ntohs(*(u_char *)sp << 8);
3152 while (sum > 0xffff)
3153 sum = (sum & 0xffff) + (sum >> 16);
3154 sum2 = (u_short)(~sum & 0xffff);
3156 # endif /* defined(BSD) || defined(sun) */
3157 # endif /* MENTAT */
3160 * Add up IP Header portion
3162 if (sp != (u_short *)l4hdr)
3163 sp = (u_short *)l4hdr;
3165 for (; slen > 1; slen -= 2)
3168 sum += ntohs(*(u_char *)sp << 8);
3169 while (sum > 0xffff)
3170 sum = (sum & 0xffff) + (sum >> 16);
3171 sum2 = (u_short)(~sum & 0xffff);
3172 #endif /* _KERNEL */
3179 #if defined(_KERNEL) && ( ((BSD < 199103) && !defined(MENTAT)) || \
3180 defined(__sgi) ) && !defined(linux) && !defined(_AIX51)
3182 * Copyright (c) 1982, 1986, 1988, 1991, 1993
3183 * The Regents of the University of California. All rights reserved.
3185 * Redistribution and use in source and binary forms, with or without
3186 * modification, are permitted provided that the following conditions
3188 * 1. Redistributions of source code must retain the above copyright
3189 * notice, this list of conditions and the following disclaimer.
3190 * 2. Redistributions in binary form must reproduce the above copyright
3191 * notice, this list of conditions and the following disclaimer in the
3192 * documentation and/or other materials provided with the distribution.
3193 * 3. Neither the name of the University nor the names of its contributors
3194 * may be used to endorse or promote products derived from this software
3195 * without specific prior written permission.
3197 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
3198 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
3199 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
3200 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
3201 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
3202 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
3203 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3204 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
3205 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
3206 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3209 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
3210 * $Id: fil.c,v 2.243.2.125 2007/10/10 09:27:20 darrenr Exp $
3213 * Copy data from an mbuf chain starting "off" bytes from the beginning,
3214 * continuing for "len" bytes, into the indicated buffer.
3217 m_copydata(m, off, len, cp)
3225 if (off < 0 || len < 0)
3226 panic("m_copydata");
3229 panic("m_copydata");
3237 panic("m_copydata");
3238 count = MIN(m->m_len - off, len);
3239 bcopy(mtod(m, caddr_t) + off, cp, count);
3249 * Copy data from a buffer back into the indicated mbuf chain,
3250 * starting "off" bytes from the beginning, extending the mbuf
3251 * chain if necessary.
3254 m_copyback(m0, off, len, cp)
3261 struct mbuf *m = m0, *n;
3266 while (off > (mlen = m->m_len)) {
3269 if (m->m_next == 0) {
3270 n = m_getclr(M_DONTWAIT, m->m_type);
3273 n->m_len = min(MLEN, len + off);
3279 mlen = min(m->m_len - off, len);
3280 bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
3288 if (m->m_next == 0) {
3289 n = m_get(M_DONTWAIT, m->m_type);
3292 n->m_len = min(MLEN, len);
3299 if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
3300 m->m_pkthdr.len = totlen;
3304 #endif /* (_KERNEL) && ( ((BSD < 199103) && !MENTAT) || __sgi) */
3307 /* ------------------------------------------------------------------------ */
3308 /* Function: fr_findgroup */
3309 /* Returns: frgroup_t * - NULL = group not found, else pointer to group */
3310 /* Parameters: group(I) - group name to search for */
3311 /* unit(I) - device to which this group belongs */
3312 /* set(I) - which set of rules (inactive/inactive) this is */
3313 /* fgpp(O) - pointer to place to store pointer to the pointer */
3314 /* to where to add the next (last) group or where */
3315 /* to delete group from. */
3317 /* Search amongst the defined groups for a particular group number. */
3318 /* ------------------------------------------------------------------------ */
3319 frgroup_t *fr_findgroup(group, unit, set, fgpp)
3325 frgroup_t *fg, **fgp;
3328 * Which list of groups to search in is dependent on which list of
3329 * rules are being operated on.
3331 fgp = &ipfgroups[unit][set];
3333 while ((fg = *fgp) != NULL) {
3334 if (strncmp(group, fg->fg_name, FR_GROUPLEN) == 0)
3345 /* ------------------------------------------------------------------------ */
3346 /* Function: fr_addgroup */
3347 /* Returns: frgroup_t * - NULL == did not create group, */
3348 /* != NULL == pointer to the group */
3349 /* Parameters: num(I) - group number to add */
3350 /* head(I) - rule pointer that is using this as the head */
3351 /* flags(I) - rule flags which describe the type of rule it is */
3352 /* unit(I) - device to which this group will belong to */
3353 /* set(I) - which set of rules (inactive/inactive) this is */
3354 /* Write Locks: ipf_mutex */
3356 /* Add a new group head, or if it already exists, increase the reference */
3358 /* ------------------------------------------------------------------------ */
3359 frgroup_t *fr_addgroup(group, head, flags, unit, set)
3366 frgroup_t *fg, **fgp;
3372 if (unit == IPL_LOGIPF && *group == '\0')
3376 gflags = flags & FR_INOUT;
3378 fg = fr_findgroup(group, unit, set, &fgp);
3380 if (fg->fg_flags == 0)
3381 fg->fg_flags = gflags;
3382 else if (gflags != fg->fg_flags)
3387 KMALLOC(fg, frgroup_t *);
3390 fg->fg_start = NULL;
3392 bcopy(group, fg->fg_name, FR_GROUPLEN);
3393 fg->fg_flags = gflags;
3401 /* ------------------------------------------------------------------------ */
3402 /* Function: fr_delgroup */
3404 /* Parameters: group(I) - group name to delete */
3405 /* unit(I) - device to which this group belongs */
3406 /* set(I) - which set of rules (inactive/inactive) this is */
3407 /* Write Locks: ipf_mutex */
3409 /* Attempt to delete a group head. */
3410 /* Only do this when its reference count reaches 0. */
3411 /* ------------------------------------------------------------------------ */
3412 void fr_delgroup(group, unit, set)
3417 frgroup_t *fg, **fgp;
3419 fg = fr_findgroup(group, unit, set, &fgp);
3424 if (fg->fg_ref == 0) {
3431 /* ------------------------------------------------------------------------ */
3432 /* Function: fr_getrulen */
3433 /* Returns: frentry_t * - NULL == not found, else pointer to rule n */
3434 /* Parameters: unit(I) - device for which to count the rule's number */
3435 /* flags(I) - which set of rules to find the rule in */
3436 /* group(I) - group name */
3437 /* n(I) - rule number to find */
3439 /* Find rule # n in group # g and return a pointer to it. Return NULl if */
3440 /* group # g doesn't exist or there are less than n rules in the group. */
3441 /* ------------------------------------------------------------------------ */
3442 frentry_t *fr_getrulen(unit, group, n)
3450 fg = fr_findgroup(group, unit, fr_active, NULL);
3453 for (fr = fg->fg_head; fr && n; fr = fr->fr_next, n--)
3461 /* ------------------------------------------------------------------------ */
3462 /* Function: fr_rulen */
3463 /* Returns: int - >= 0 - rule number, -1 == search failed */
3464 /* Parameters: unit(I) - device for which to count the rule's number */
3465 /* fr(I) - pointer to rule to match */
3467 /* Return the number for a rule on a specific filtering device. */
3468 /* ------------------------------------------------------------------------ */
3469 int fr_rulen(unit, fr)
3479 fg = fr_findgroup(fr->fr_group, unit, fr_active, NULL);
3482 for (fh = fg->fg_head; fh; n++, fh = fh->fr_next)
3491 /* ------------------------------------------------------------------------ */
3492 /* Function: frflushlist */
3493 /* Returns: int - >= 0 - number of flushed rules */
3494 /* Parameters: set(I) - which set of rules (inactive/inactive) this is */
3495 /* unit(I) - device for which to flush rules */
3496 /* flags(I) - which set of rules to flush */
3497 /* nfreedp(O) - pointer to int where flush count is stored */
3498 /* listp(I) - pointer to list to flush pointer */
3499 /* Write Locks: ipf_mutex */
3501 /* Recursively flush rules from the list, descending groups as they are */
3502 /* encountered. if a rule is the head of a group and it has lost all its */
3503 /* group members, then also delete the group reference. nfreedp is needed */
3504 /* to store the accumulating count of rules removed, whereas the returned */
3505 /* value is just the number removed from the current list. The latter is */
3506 /* needed to correctly adjust reference counts on rules that define groups. */
3508 /* NOTE: Rules not loaded from user space cannot be flushed. */
3509 /* ------------------------------------------------------------------------ */
3510 static int frflushlist(set, unit, nfreedp, listp)
3519 while ((fp = *listp) != NULL) {
3520 if ((fp->fr_type & FR_T_BUILTIN) ||
3521 !(fp->fr_flags & FR_COPIED)) {
3522 listp = &fp->fr_next;
3525 *listp = fp->fr_next;
3526 if (fp->fr_grp != NULL) {
3527 (void) frflushlist(set, unit, nfreedp, fp->fr_grp);
3530 if (fp->fr_grhead != NULL) {
3531 fr_delgroup(fp->fr_grhead, unit, set);
3532 *fp->fr_grhead = '\0';
3535 ASSERT(fp->fr_ref > 0);
3537 if (fr_derefrule(&fp) == 0)
3545 /* ------------------------------------------------------------------------ */
3546 /* Function: frflush */
3547 /* Returns: int - >= 0 - number of flushed rules */
3548 /* Parameters: unit(I) - device for which to flush rules */
3549 /* flags(I) - which set of rules to flush */
3551 /* Calls flushlist() for all filter rules (accounting, firewall - both IPv4 */
3552 /* and IPv6) as defined by the value of flags. */
3553 /* ------------------------------------------------------------------------ */
3554 int frflush(unit, proto, flags)
3558 int flushed = 0, set;
3560 WRITE_ENTER(&ipf_mutex);
3561 bzero((char *)frcache, sizeof(frcache));
3564 if ((flags & FR_INACTIVE) == FR_INACTIVE)
3567 if (flags & FR_OUTQUE) {
3568 if (proto == 0 || proto == 6) {
3569 (void) frflushlist(set, unit,
3570 &flushed, &ipfilter6[1][set]);
3571 (void) frflushlist(set, unit,
3572 &flushed, &ipacct6[1][set]);
3574 if (proto == 0 || proto == 4) {
3575 (void) frflushlist(set, unit,
3576 &flushed, &ipfilter[1][set]);
3577 (void) frflushlist(set, unit,
3578 &flushed, &ipacct[1][set]);
3581 if (flags & FR_INQUE) {
3582 if (proto == 0 || proto == 6) {
3583 (void) frflushlist(set, unit,
3584 &flushed, &ipfilter6[0][set]);
3585 (void) frflushlist(set, unit,
3586 &flushed, &ipacct6[0][set]);
3588 if (proto == 0 || proto == 4) {
3589 (void) frflushlist(set, unit,
3590 &flushed, &ipfilter[0][set]);
3591 (void) frflushlist(set, unit,
3592 &flushed, &ipacct[0][set]);
3595 RWLOCK_EXIT(&ipf_mutex);
3597 if (unit == IPL_LOGIPF) {
3600 tmp = frflush(IPL_LOGCOUNT, proto, flags);
3608 /* ------------------------------------------------------------------------ */
3609 /* Function: memstr */
3610 /* Returns: char * - NULL if failed, != NULL pointer to matching bytes */
3611 /* Parameters: src(I) - pointer to byte sequence to match */
3612 /* dst(I) - pointer to byte sequence to search */
3613 /* slen(I) - match length */
3614 /* dlen(I) - length available to search in */
3616 /* Search dst for a sequence of bytes matching those at src and extend for */
3618 /* ------------------------------------------------------------------------ */
3619 char *memstr(src, dst, slen, dlen)
3626 while (dlen >= slen) {
3627 if (bcmp(src, dst, slen) == 0) {
3636 /* ------------------------------------------------------------------------ */
3637 /* Function: fr_fixskip */
3639 /* Parameters: listp(IO) - pointer to start of list with skip rule */
3640 /* rp(I) - rule added/removed with skip in it. */
3641 /* addremove(I) - adjustment (-1/+1) to make to skip count, */
3642 /* depending on whether a rule was just added */
3645 /* Adjust all the rules in a list which would have skip'd past the position */
3646 /* where we are inserting to skip to the right place given the change. */
3647 /* ------------------------------------------------------------------------ */
3648 void fr_fixskip(listp, rp, addremove)
3649 frentry_t **listp, *rp;
3656 for (fp = *listp; (fp != NULL) && (fp != rp); fp = fp->fr_next)
3662 for (rn = 0, fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
3663 if (FR_ISSKIP(fp->fr_flags) && (rn + fp->fr_arg >= rules))
3664 fp->fr_arg += addremove;
3669 /* ------------------------------------------------------------------------ */
3670 /* Function: count4bits */
3671 /* Returns: int - >= 0 - number of consecutive bits in input */
3672 /* Parameters: ip(I) - 32bit IP address */
3675 /* count consecutive 1's in bit mask. If the mask generated by counting */
3676 /* consecutive 1's is different to that passed, return -1, else return # */
3678 /* ------------------------------------------------------------------------ */
3685 ip = ipn = ntohl(ip);
3686 for (i = 32; i; i--, ipn *= 2)
3687 if (ipn & 0x80000000)
3692 for (i = 32, j = cnt; i; i--, j--) {
3704 /* ------------------------------------------------------------------------ */
3705 /* Function: count6bits */
3706 /* Returns: int - >= 0 - number of consecutive bits in input */
3707 /* Parameters: msk(I) - pointer to start of IPv6 bitmask */
3710 /* count consecutive 1's in bit mask. */
3711 /* ------------------------------------------------------------------------ */
3718 for (k = 3; k >= 0; k--)
3719 if (msk[k] == 0xffffffff)
3722 for (j = msk[k]; j; j <<= 1)
3729 #endif /* _KERNEL */
3732 /* ------------------------------------------------------------------------ */
3733 /* Function: frsynclist */
3735 /* Parameters: fr(I) - start of filter list to sync interface names for */
3736 /* ifp(I) - interface pointer for limiting sync lookups */
3737 /* Write Locks: ipf_mutex */
3739 /* Walk through a list of filter rules and resolve any interface names into */
3740 /* pointers. Where dynamic addresses are used, also update the IP address */
3741 /* used in the rule. The interface pointer is used to limit the lookups to */
3742 /* a specific set of matching names if it is non-NULL. */
3743 /* ------------------------------------------------------------------------ */
3744 static void frsynclist(fr, ifp)
3751 for (; fr; fr = fr->fr_next) {
3755 * Lookup all the interface names that are part of the rule.
3757 for (i = 0; i < 4; i++) {
3758 if ((ifp != NULL) && (fr->fr_ifas[i] != ifp))
3760 fr->fr_ifas[i] = fr_resolvenic(fr->fr_ifnames[i], v);
3763 if (fr->fr_type == FR_T_IPF) {
3764 if (fr->fr_satype != FRI_NORMAL &&
3765 fr->fr_satype != FRI_LOOKUP) {
3766 (void)fr_ifpaddr(v, fr->fr_satype,
3767 fr->fr_ifas[fr->fr_sifpidx],
3768 &fr->fr_src, &fr->fr_smsk);
3770 if (fr->fr_datype != FRI_NORMAL &&
3771 fr->fr_datype != FRI_LOOKUP) {
3772 (void)fr_ifpaddr(v, fr->fr_datype,
3773 fr->fr_ifas[fr->fr_difpidx],
3774 &fr->fr_dst, &fr->fr_dmsk);
3778 fdp = &fr->fr_tifs[0];
3779 if ((ifp == NULL) || (fdp->fd_ifp == ifp))
3780 fr_resolvedest(fdp, v);
3782 fdp = &fr->fr_tifs[1];
3783 if ((ifp == NULL) || (fdp->fd_ifp == ifp))
3784 fr_resolvedest(fdp, v);
3787 if ((ifp == NULL) || (fdp->fd_ifp == ifp)) {
3788 fr_resolvedest(fdp, v);
3790 fr->fr_flags &= ~FR_DUP;
3791 if ((fdp->fd_ifp != (void *)-1) &&
3792 (fdp->fd_ifp != NULL))
3793 fr->fr_flags |= FR_DUP;
3796 #ifdef IPFILTER_LOOKUP
3797 if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP &&
3798 fr->fr_srcptr == NULL) {
3799 fr->fr_srcptr = fr_resolvelookup(fr->fr_srctype,
3804 if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP &&
3805 fr->fr_dstptr == NULL) {
3806 fr->fr_dstptr = fr_resolvelookup(fr->fr_dsttype,
3817 /* ------------------------------------------------------------------------ */
3818 /* Function: frsync */
3820 /* Parameters: Nil */
3822 /* frsync() is called when we suspect that the interface list or */
3823 /* information about interfaces (like IP#) has changed. Go through all */
3824 /* filter rules, NAT entries and the state table and check if anything */
3825 /* needs to be changed/updated. */
3826 /* ------------------------------------------------------------------------ */
3837 WRITE_ENTER(&ipf_mutex);
3838 frsynclist(ipacct[0][fr_active], ifp);
3839 frsynclist(ipacct[1][fr_active], ifp);
3840 frsynclist(ipfilter[0][fr_active], ifp);
3841 frsynclist(ipfilter[1][fr_active], ifp);
3842 frsynclist(ipacct6[0][fr_active], ifp);
3843 frsynclist(ipacct6[1][fr_active], ifp);
3844 frsynclist(ipfilter6[0][fr_active], ifp);
3845 frsynclist(ipfilter6[1][fr_active], ifp);
3847 for (i = 0; i < IPL_LOGSIZE; i++) {
3850 for (g = ipfgroups[i][0]; g != NULL; g = g->fg_next)
3851 frsynclist(g->fg_start, ifp);
3852 for (g = ipfgroups[i][1]; g != NULL; g = g->fg_next)
3853 frsynclist(g->fg_start, ifp);
3855 RWLOCK_EXIT(&ipf_mutex);
3860 * In the functions below, bcopy() is called because the pointer being
3861 * copied _from_ in this instance is a pointer to a char buf (which could
3862 * end up being unaligned) and on the kernel's local stack.
3864 /* ------------------------------------------------------------------------ */
3865 /* Function: copyinptr */
3866 /* Returns: int - 0 = success, else failure */
3867 /* Parameters: src(I) - pointer to the source address */
3868 /* dst(I) - destination address */
3869 /* size(I) - number of bytes to copy */
3871 /* Copy a block of data in from user space, given a pointer to the pointer */
3872 /* to start copying from (src) and a pointer to where to store it (dst). */
3873 /* NB: src - pointer to user space pointer, dst - kernel space pointer */
3874 /* ------------------------------------------------------------------------ */
3875 int copyinptr(src, dst, size)
3883 error = COPYIN(src, &ca, sizeof(ca));
3887 bcopy(src, (caddr_t)&ca, sizeof(ca));
3889 error = COPYIN(ca, dst, size);
3896 /* ------------------------------------------------------------------------ */
3897 /* Function: copyoutptr */
3898 /* Returns: int - 0 = success, else failure */
3899 /* Parameters: src(I) - pointer to the source address */
3900 /* dst(I) - destination address */
3901 /* size(I) - number of bytes to copy */
3903 /* Copy a block of data out to user space, given a pointer to the pointer */
3904 /* to start copying from (src) and a pointer to where to store it (dst). */
3905 /* NB: src - kernel space pointer, dst - pointer to user space pointer. */
3906 /* ------------------------------------------------------------------------ */
3907 int copyoutptr(src, dst, size)
3914 bcopy(dst, (caddr_t)&ca, sizeof(ca));
3915 error = COPYOUT(src, ca, size);
3923 /* ------------------------------------------------------------------------ */
3924 /* Function: fr_lock */
3925 /* Returns: int - 0 = success, else error */
3926 /* Parameters: data(I) - pointer to lock value to set */
3927 /* lockp(O) - pointer to location to store old lock value */
3929 /* Get the new value for the lock integer, set it and return the old value */
3931 /* ------------------------------------------------------------------------ */
3932 int fr_lock(data, lockp)
3938 err = BCOPYIN(data, &arg, sizeof(arg));
3941 err = BCOPYOUT(lockp, data, sizeof(*lockp));
3949 /* ------------------------------------------------------------------------ */
3950 /* Function: fr_getstat */
3952 /* Parameters: fiop(I) - pointer to ipfilter stats structure */
3954 /* Stores a copy of current pointers, counters, etc, in the friostat */
3956 /* ------------------------------------------------------------------------ */
3957 void fr_getstat(fiop)
3962 bcopy((char *)frstats, (char *)fiop->f_st, sizeof(filterstats_t) * 2);
3963 fiop->f_locks[IPL_LOGSTATE] = fr_state_lock;
3964 fiop->f_locks[IPL_LOGNAT] = fr_nat_lock;
3965 fiop->f_locks[IPL_LOGIPF] = fr_frag_lock;
3966 fiop->f_locks[IPL_LOGAUTH] = fr_auth_lock;
3968 for (i = 0; i < 2; i++)
3969 for (j = 0; j < 2; j++) {
3970 fiop->f_ipf[i][j] = ipfilter[i][j];
3971 fiop->f_acct[i][j] = ipacct[i][j];
3972 fiop->f_ipf6[i][j] = ipfilter6[i][j];
3973 fiop->f_acct6[i][j] = ipacct6[i][j];
3976 fiop->f_ticks = fr_ticks;
3977 fiop->f_active = fr_active;
3978 fiop->f_froute[0] = fr_frouteok[0];
3979 fiop->f_froute[1] = fr_frouteok[1];
3981 fiop->f_running = fr_running;
3982 for (i = 0; i < IPL_LOGSIZE; i++) {
3983 fiop->f_groups[i][0] = ipfgroups[i][0];
3984 fiop->f_groups[i][1] = ipfgroups[i][1];
3987 fiop->f_logging = 1;
3989 fiop->f_logging = 0;
3991 fiop->f_defpass = fr_pass;
3992 fiop->f_features = fr_features;
3993 (void) strncpy(fiop->f_version, ipfilter_version,
3994 sizeof(fiop->f_version));
3999 int icmptoicmp6types[ICMP_MAXTYPE+1] = {
4000 ICMP6_ECHO_REPLY, /* 0: ICMP_ECHOREPLY */
4003 ICMP6_DST_UNREACH, /* 3: ICMP_UNREACH */
4004 -1, /* 4: ICMP_SOURCEQUENCH */
4005 ND_REDIRECT, /* 5: ICMP_REDIRECT */
4008 ICMP6_ECHO_REQUEST, /* 8: ICMP_ECHO */
4010 -1, /* 10: UNUSED */
4011 ICMP6_TIME_EXCEEDED, /* 11: ICMP_TIMXCEED */
4012 ICMP6_PARAM_PROB, /* 12: ICMP_PARAMPROB */
4013 -1, /* 13: ICMP_TSTAMP */
4014 -1, /* 14: ICMP_TSTAMPREPLY */
4015 -1, /* 15: ICMP_IREQ */
4016 -1, /* 16: ICMP_IREQREPLY */
4017 -1, /* 17: ICMP_MASKREQ */
4018 -1, /* 18: ICMP_MASKREPLY */
4022 int icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
4023 ICMP6_DST_UNREACH_ADDR, /* 0: ICMP_UNREACH_NET */
4024 ICMP6_DST_UNREACH_ADDR, /* 1: ICMP_UNREACH_HOST */
4025 -1, /* 2: ICMP_UNREACH_PROTOCOL */
4026 ICMP6_DST_UNREACH_NOPORT, /* 3: ICMP_UNREACH_PORT */
4027 -1, /* 4: ICMP_UNREACH_NEEDFRAG */
4028 ICMP6_DST_UNREACH_NOTNEIGHBOR, /* 5: ICMP_UNREACH_SRCFAIL */
4029 ICMP6_DST_UNREACH_ADDR, /* 6: ICMP_UNREACH_NET_UNKNOWN */
4030 ICMP6_DST_UNREACH_ADDR, /* 7: ICMP_UNREACH_HOST_UNKNOWN */
4031 -1, /* 8: ICMP_UNREACH_ISOLATED */
4032 ICMP6_DST_UNREACH_ADMIN, /* 9: ICMP_UNREACH_NET_PROHIB */
4033 ICMP6_DST_UNREACH_ADMIN, /* 10: ICMP_UNREACH_HOST_PROHIB */
4034 -1, /* 11: ICMP_UNREACH_TOSNET */
4035 -1, /* 12: ICMP_UNREACH_TOSHOST */
4036 ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
4038 int icmpreplytype6[ICMP6_MAXTYPE + 1];
4041 int icmpreplytype4[ICMP_MAXTYPE + 1];
4044 /* ------------------------------------------------------------------------ */
4045 /* Function: fr_matchicmpqueryreply */
4046 /* Returns: int - 1 if "icmp" is a valid reply to "ic" else 0. */
4047 /* Parameters: v(I) - IP protocol version (4 or 6) */
4048 /* ic(I) - ICMP information */
4049 /* icmp(I) - ICMP packet header */
4050 /* rev(I) - direction (0 = forward/1 = reverse) of packet */
4052 /* Check if the ICMP packet defined by the header pointed to by icmp is a */
4053 /* reply to one as described by what's in ic. If it is a match, return 1, */
4054 /* else return 0 for no match. */
4055 /* ------------------------------------------------------------------------ */
4056 int fr_matchicmpqueryreply(v, ic, icmp, rev)
4064 ictype = ic->ici_type;
4068 * If we matched its type on the way in, then when going out
4069 * it will still be the same type.
4071 if ((!rev && (icmp->icmp_type == ictype)) ||
4072 (rev && (icmpreplytype4[ictype] == icmp->icmp_type))) {
4073 if (icmp->icmp_type != ICMP_ECHOREPLY)
4075 if (icmp->icmp_id == ic->ici_id)
4081 if ((!rev && (icmp->icmp_type == ictype)) ||
4082 (rev && (icmpreplytype6[ictype] == icmp->icmp_type))) {
4083 if (icmp->icmp_type != ICMP6_ECHO_REPLY)
4085 if (icmp->icmp_id == ic->ici_id)
4094 #ifdef IPFILTER_LOOKUP
4095 /* ------------------------------------------------------------------------ */
4096 /* Function: fr_resolvelookup */
4097 /* Returns: void * - NULL = failure, else success. */
4098 /* Parameters: type(I) - type of lookup these parameters are for. */
4099 /* subtype(I) - whether the info below contains number/name */
4100 /* info(I) - pointer to name/number of the lookup data */
4101 /* funcptr(IO) - pointer to pointer for storing IP address */
4102 /* searching function. */
4104 /* Search for the "table" number passed in amongst those configured for */
4105 /* that particular type. If the type is recognised then the function to */
4106 /* call to do the IP address search will be change, regardless of whether */
4107 /* or not the "table" number exists. */
4108 /* ------------------------------------------------------------------------ */
4109 static void *fr_resolvelookup(type, subtype, info, funcptr)
4110 u_int type, subtype;
4112 lookupfunc_t *funcptr;
4114 char label[FR_GROUPLEN], *name;
4120 #if defined(SNPRINTF) && defined(_KERNEL)
4121 SNPRINTF(label, sizeof(label), "%u", info->iplookupnum);
4123 (void) sprintf(label, "%u", info->iplookupnum);
4126 } else if (subtype == 1) {
4128 * Because iplookupname is currently only a 12 character
4129 * string and FR_GROUPLEN is 16, copy all of it into the
4130 * label buffer and add on a NULL at the end.
4132 strncpy(label, info->iplookupname, sizeof(info->iplookupname));
4133 label[sizeof(info->iplookupname)] = '\0';
4139 READ_ENTER(&ip_poolrw);
4144 # if (defined(__osf__) && defined(_KERNEL))
4148 ipo = ip_pool_find(IPL_LOGIPF, name);
4151 ATOMIC_INC32(ipo->ipo_ref);
4153 *funcptr = ip_pool_search;
4157 iph = fr_findhtable(IPL_LOGIPF, name);
4160 ATOMIC_INC32(iph->iph_ref);
4162 *funcptr = fr_iphmfindip;
4169 RWLOCK_EXIT(&ip_poolrw);
4176 /* ------------------------------------------------------------------------ */
4177 /* Function: frrequest */
4178 /* Returns: int - 0 == success, > 0 == errno value */
4179 /* Parameters: unit(I) - device for which this is for */
4180 /* req(I) - ioctl command (SIOC*) */
4181 /* data(I) - pointr to ioctl data */
4182 /* set(I) - 1 or 0 (filter set) */
4183 /* makecopy(I) - flag indicating whether data points to a rule */
4184 /* in kernel space & hence doesn't need copying. */
4186 /* This function handles all the requests which operate on the list of */
4187 /* filter rules. This includes adding, deleting, insertion. It is also */
4188 /* responsible for creating groups when a "head" rule is loaded. Interface */
4189 /* names are resolved here and other sanity checks are made on the content */
4190 /* of the rule structure being loaded. If a rule has user defined timeouts */
4191 /* then make sure they are created and initialised before exiting. */
4192 /* ------------------------------------------------------------------------ */
4193 int frrequest(unit, req, data, set, makecopy)
4199 frentry_t frd, *fp, *f, **fprev, **ftail;
4200 int error = 0, in, v;
4208 if (makecopy != 0) {
4209 error = fr_inobj(data, fp, IPFOBJ_FRENTRY);
4212 if ((fp->fr_flags & FR_T_BUILTIN) != 0)
4215 fp->fr_flags |= FR_COPIED;
4217 fp = (frentry_t *)data;
4218 if ((fp->fr_type & FR_T_BUILTIN) == 0)
4220 fp->fr_flags &= ~FR_COPIED;
4223 if (((fp->fr_dsize == 0) && (fp->fr_data != NULL)) ||
4224 ((fp->fr_dsize != 0) && (fp->fr_data == NULL)))
4231 * Only filter rules for IPv4 or IPv6 are accepted.
4244 * If the rule is being loaded from user space, i.e. we had to copy it
4245 * into kernel space, then do not trust the function pointer in the
4248 if ((makecopy == 1) && (fp->fr_func != NULL)) {
4249 if (fr_findfunc(fp->fr_func) == NULL)
4251 error = fr_funcinit(fp);
4258 * Check that the group number does exist and that its use (in/out)
4259 * matches what the rule is.
4261 if (!strncmp(fp->fr_grhead, "0", FR_GROUPLEN))
4262 *fp->fr_grhead = '\0';
4263 group = fp->fr_group;
4264 if (!strncmp(group, "0", FR_GROUPLEN))
4267 if (FR_ISACCOUNT(fp->fr_flags))
4268 unit = IPL_LOGCOUNT;
4270 if ((req != (int)SIOCZRLST) && (*group != '\0')) {
4271 fg = fr_findgroup(group, unit, set, NULL);
4274 if (fg->fg_flags == 0)
4275 fg->fg_flags = fp->fr_flags & FR_INOUT;
4276 else if (fg->fg_flags != (fp->fr_flags & FR_INOUT))
4280 in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
4283 * Work out which rule list this change is being applied to.
4287 if (unit == IPL_LOGAUTH)
4290 if (FR_ISACCOUNT(fp->fr_flags))
4291 fprev = &ipacct[in][set];
4292 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
4293 fprev = &ipfilter[in][set];
4294 } else if (v == 6) {
4295 if (FR_ISACCOUNT(fp->fr_flags))
4296 fprev = &ipacct6[in][set];
4297 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
4298 fprev = &ipfilter6[in][set];
4303 if (*group != '\0') {
4304 if (!fg && !(fg = fr_findgroup(group, unit, set, NULL)))
4306 fprev = &fg->fg_start;
4310 * Copy in extra data for the rule.
4312 if (fp->fr_dsize != 0) {
4313 if (makecopy != 0) {
4314 KMALLOCS(ptr, void *, fp->fr_dsize);
4317 error = COPYIN(uptr, ptr, fp->fr_dsize);
4325 KFREES(ptr, fp->fr_dsize);
4333 * Perform per-rule type sanity checks of their members.
4335 switch (fp->fr_type & ~FR_T_BUILTIN)
4337 #if defined(IPFILTER_BPF)
4339 if (fp->fr_dsize == 0)
4341 if (!bpf_validate(ptr, fp->fr_dsize/sizeof(struct bpf_insn))) {
4342 if (makecopy && fp->fr_data != NULL) {
4343 KFREES(fp->fr_data, fp->fr_dsize);
4350 if (fp->fr_dsize != sizeof(fripf_t))
4354 * Allowing a rule with both "keep state" and "with oow" is
4355 * pointless because adding a state entry to the table will
4356 * fail with the out of window (oow) flag set.
4358 if ((fp->fr_flags & FR_KEEPSTATE) && (fp->fr_flx & FI_OOW))
4361 switch (fp->fr_satype)
4363 case FRI_BROADCAST :
4366 case FRI_NETMASKED :
4368 if (fp->fr_sifpidx < 0 || fp->fr_sifpidx > 3) {
4369 if (makecopy && fp->fr_data != NULL) {
4370 KFREES(fp->fr_data, fp->fr_dsize);
4375 #ifdef IPFILTER_LOOKUP
4377 fp->fr_srcptr = fr_resolvelookup(fp->fr_srctype,
4381 if (fp->fr_srcptr == NULL)
4389 switch (fp->fr_datype)
4391 case FRI_BROADCAST :
4394 case FRI_NETMASKED :
4396 if (fp->fr_difpidx < 0 || fp->fr_difpidx > 3) {
4397 if (makecopy && fp->fr_data != NULL) {
4398 KFREES(fp->fr_data, fp->fr_dsize);
4403 #ifdef IPFILTER_LOOKUP
4405 fp->fr_dstptr = fr_resolvelookup(fp->fr_dsttype,
4409 if (fp->fr_dstptr == NULL)
4419 case FR_T_CALLFUNC :
4424 if (makecopy && fp->fr_data != NULL) {
4425 KFREES(fp->fr_data, fp->fr_dsize);
4431 * Lookup all the interface names that are part of the rule.
4433 frsynclist(fp, NULL);
4434 fp->fr_statecnt = 0;
4437 * Look for an existing matching filter rule, but don't include the
4438 * next or interface pointer in the comparison (fr_next, fr_ifa).
4439 * This elminates rules which are indentical being loaded. Checksum
4440 * the constant part of the filter rule to make comparisons quicker
4441 * (this meaning no pointers are included).
4443 for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_func, pp = &fp->fr_cksum;
4446 pp = (u_int *)(fp->fr_caddr + fp->fr_dsize);
4447 for (p = (u_int *)fp->fr_data; p < pp; p++)
4450 WRITE_ENTER(&ipf_mutex);
4453 * Now that the filter rule lists are locked, we can walk the
4454 * chain of them without fear.
4457 for (f = *ftail; (f = *ftail) != NULL; ftail = &f->fr_next) {
4458 if (fp->fr_collect <= f->fr_collect) {
4465 bzero((char *)frcache, sizeof(frcache));
4467 for (; (f = *ftail) != NULL; ftail = &f->fr_next) {
4468 if ((fp->fr_cksum != f->fr_cksum) ||
4469 (f->fr_dsize != fp->fr_dsize))
4471 if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func, FR_CMPSIZ))
4473 if ((!ptr && !f->fr_data) ||
4474 (ptr && f->fr_data &&
4475 !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize)))
4480 * If zero'ing statistics, copy current to caller and zero.
4482 if (req == (ioctlcmd_t)SIOCZRLST) {
4487 * Copy and reduce lock because of impending copyout.
4488 * Well we should, but if we do then the atomicity of
4489 * this call and the correctness of fr_hits and
4490 * fr_bytes cannot be guaranteed. As it is, this code
4491 * only resets them to 0 if they are successfully
4492 * copied out into user space.
4494 bcopy((char *)f, (char *)fp, sizeof(*f));
4495 /* MUTEX_DOWNGRADE(&ipf_mutex); */
4498 * When we copy this rule back out, set the data
4499 * pointer to be what it was in user space.
4502 error = fr_outobj(data, fp, IPFOBJ_FRENTRY);
4505 if ((f->fr_dsize != 0) && (uptr != NULL))
4506 error = COPYOUT(f->fr_data, uptr,
4517 if ((ptr != NULL) && (makecopy != 0)) {
4518 KFREES(ptr, fp->fr_dsize);
4520 RWLOCK_EXIT(&ipf_mutex);
4526 * At the end of this, ftail must point to the place where the
4527 * new rule is to be saved/inserted/added.
4528 * For SIOCAD*FR, this should be the last rule in the group of
4529 * rules that have equal fr_collect fields.
4530 * For SIOCIN*FR, ...
4532 if (req == (ioctlcmd_t)SIOCADAFR ||
4533 req == (ioctlcmd_t)SIOCADIFR) {
4535 for (ftail = fprev; (f = *ftail) != NULL; ) {
4536 if (f->fr_collect > fp->fr_collect)
4538 ftail = &f->fr_next;
4543 } else if (req == (ioctlcmd_t)SIOCINAFR ||
4544 req == (ioctlcmd_t)SIOCINIFR) {
4545 while ((f = *fprev) != NULL) {
4546 if (f->fr_collect >= fp->fr_collect)
4548 fprev = &f->fr_next;
4551 if (fp->fr_hits != 0) {
4552 while (fp->fr_hits && (f = *ftail)) {
4553 if (f->fr_collect != fp->fr_collect)
4556 ftail = &f->fr_next;
4567 * Request to remove a rule.
4569 if (req == (ioctlcmd_t)SIOCRMAFR || req == (ioctlcmd_t)SIOCRMIFR) {
4574 * Do not allow activity from user space to interfere
4575 * with rules not loaded that way.
4577 if ((makecopy == 1) && !(f->fr_flags & FR_COPIED)) {
4583 * Return EBUSY if the rule is being reference by
4584 * something else (eg state information.)
4586 if (f->fr_ref > 1) {
4590 #ifdef IPFILTER_SCAN
4591 if (f->fr_isctag[0] != '\0' &&
4592 (f->fr_isc != (struct ipscan *)-1))
4595 if (unit == IPL_LOGAUTH) {
4596 error = fr_preauthcmd(req, f, ftail);
4599 if (*f->fr_grhead != '\0')
4600 fr_delgroup(f->fr_grhead, unit, set);
4601 fr_fixskip(ftail, f, -1);
4602 *ftail = f->fr_next;
4604 (void) fr_derefrule(&f);
4608 * Not removing, so we must be adding/inserting a rule.
4613 if (unit == IPL_LOGAUTH) {
4614 error = fr_preauthcmd(req, fp, ftail);
4618 KMALLOC(f, frentry_t *);
4623 bcopy((char *)fp, (char *)f,
4625 MUTEX_NUKE(&f->fr_lock);
4626 MUTEX_INIT(&f->fr_lock, "filter rule lock");
4627 #ifdef IPFILTER_SCAN
4628 if (f->fr_isctag[0] != '\0' &&
4630 f->fr_isc = (struct ipscan *)-1;
4635 f->fr_next = *ftail;
4637 if (req == (ioctlcmd_t)SIOCINIFR ||
4638 req == (ioctlcmd_t)SIOCINAFR)
4639 fr_fixskip(ftail, f, 1);
4641 group = f->fr_grhead;
4642 if (*group != '\0') {
4643 fg = fr_addgroup(group, f, f->fr_flags,
4646 f->fr_grp = &fg->fg_start;
4653 RWLOCK_EXIT(&ipf_mutex);
4654 if ((ptr != NULL) && (error != 0) && (makecopy != 0)) {
4655 KFREES(ptr, fp->fr_dsize);
4661 /* ------------------------------------------------------------------------ */
4662 /* Function: fr_funcinit */
4663 /* Returns: int - 0 == success, else ESRCH: cannot resolve rule details */
4664 /* Parameters: fr(I) - pointer to filter rule */
4666 /* If a rule is a call rule, then check if the function it points to needs */
4667 /* an init function to be called now the rule has been loaded. */
4668 /* ------------------------------------------------------------------------ */
4669 static int fr_funcinit(fr)
4672 ipfunc_resolve_t *ft;
4677 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4678 if (ft->ipfu_addr == fr->fr_func) {
4680 if (ft->ipfu_init != NULL)
4681 err = (*ft->ipfu_init)(fr);
4688 /* ------------------------------------------------------------------------ */
4689 /* Function: fr_findfunc */
4690 /* Returns: ipfunc_t - pointer to function if found, else NULL */
4691 /* Parameters: funcptr(I) - function pointer to lookup */
4693 /* Look for a function in the table of known functions. */
4694 /* ------------------------------------------------------------------------ */
4695 static ipfunc_t fr_findfunc(funcptr)
4698 ipfunc_resolve_t *ft;
4700 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4701 if (ft->ipfu_addr == funcptr)
4707 /* ------------------------------------------------------------------------ */
4708 /* Function: fr_resolvefunc */
4709 /* Returns: int - 0 == success, else error */
4710 /* Parameters: data(IO) - ioctl data pointer to ipfunc_resolve_t struct */
4712 /* Copy in a ipfunc_resolve_t structure and then fill in the missing field. */
4713 /* This will either be the function name (if the pointer is set) or the */
4714 /* function pointer if the name is set. When found, fill in the other one */
4715 /* so that the entire, complete, structure can be copied back to user space.*/
4716 /* ------------------------------------------------------------------------ */
4717 int fr_resolvefunc(data)
4720 ipfunc_resolve_t res, *ft;
4723 err = BCOPYIN(data, &res, sizeof(res));
4727 if (res.ipfu_addr == NULL && res.ipfu_name[0] != '\0') {
4728 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4729 if (strncmp(res.ipfu_name, ft->ipfu_name,
4730 sizeof(res.ipfu_name)) == 0) {
4731 res.ipfu_addr = ft->ipfu_addr;
4732 res.ipfu_init = ft->ipfu_init;
4733 if (COPYOUT(&res, data, sizeof(res)) != 0)
4738 if (res.ipfu_addr != NULL && res.ipfu_name[0] == '\0') {
4739 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4740 if (ft->ipfu_addr == res.ipfu_addr) {
4741 (void) strncpy(res.ipfu_name, ft->ipfu_name,
4742 sizeof(res.ipfu_name));
4743 res.ipfu_init = ft->ipfu_init;
4744 if (COPYOUT(&res, data, sizeof(res)) != 0)
4753 #if !defined(_KERNEL) || (!defined(__NetBSD__) && !defined(__OpenBSD__) && !defined(__FreeBSD__)) || \
4754 (defined(__FreeBSD__) && (__FreeBSD_version < 501000)) || \
4755 (defined(__NetBSD__) && (__NetBSD_Version__ < 105000000)) || \
4756 (defined(__OpenBSD__) && (OpenBSD < 200006))
4759 * ppsratecheck(): packets (or events) per second limitation.
4762 ppsratecheck(lasttime, curpps, maxpps)
4763 struct timeval *lasttime;
4765 int maxpps; /* maximum pps allowed */
4767 struct timeval tv, delta;
4772 delta.tv_sec = tv.tv_sec - lasttime->tv_sec;
4773 delta.tv_usec = tv.tv_usec - lasttime->tv_usec;
4774 if (delta.tv_usec < 0) {
4776 delta.tv_usec += 1000000;
4780 * check for 0,0 is so that the message will be seen at least once.
4781 * if more than one second have passed since the last update of
4782 * lasttime, reset the counter.
4784 * we do increment *curpps even in *curpps < maxpps case, as some may
4785 * try to use *curpps for stat purposes as well.
4787 if ((lasttime->tv_sec == 0 && lasttime->tv_usec == 0) ||
4788 delta.tv_sec >= 1) {
4792 } else if (maxpps < 0)
4794 else if (*curpps < maxpps)
4798 *curpps = *curpps + 1;
4805 /* ------------------------------------------------------------------------ */
4806 /* Function: fr_derefrule */
4807 /* Returns: int - 0 == rule freed up, else rule not freed */
4808 /* Parameters: fr(I) - pointer to filter rule */
4810 /* Decrement the reference counter to a rule by one. If it reaches zero, */
4811 /* free it and any associated storage space being used by it. */
4812 /* ------------------------------------------------------------------------ */
4813 int fr_derefrule(frp)
4821 MUTEX_ENTER(&fr->fr_lock);
4823 if (fr->fr_ref == 0) {
4824 MUTEX_EXIT(&fr->fr_lock);
4825 MUTEX_DESTROY(&fr->fr_lock);
4827 #ifdef IPFILTER_LOOKUP
4828 if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP)
4829 ip_lookup_deref(fr->fr_srctype, fr->fr_srcptr);
4830 if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP)
4831 ip_lookup_deref(fr->fr_dsttype, fr->fr_dstptr);
4835 KFREES(fr->fr_data, fr->fr_dsize);
4837 if ((fr->fr_flags & FR_COPIED) != 0) {
4843 MUTEX_EXIT(&fr->fr_lock);
4849 #ifdef IPFILTER_LOOKUP
4850 /* ------------------------------------------------------------------------ */
4851 /* Function: fr_grpmapinit */
4852 /* Returns: int - 0 == success, else ESRCH because table entry not found*/
4853 /* Parameters: fr(I) - pointer to rule to find hash table for */
4855 /* Looks for group hash table fr_arg and stores a pointer to it in fr_ptr. */
4856 /* fr_ptr is later used by fr_srcgrpmap and fr_dstgrpmap. */
4857 /* ------------------------------------------------------------------------ */
4858 static int fr_grpmapinit(fr)
4861 char name[FR_GROUPLEN];
4864 #if defined(SNPRINTF) && defined(_KERNEL)
4865 SNPRINTF(name, sizeof(name), "%d", fr->fr_arg);
4867 (void) sprintf(name, "%d", fr->fr_arg);
4869 iph = fr_findhtable(IPL_LOGIPF, name);
4872 if ((iph->iph_flags & FR_INOUT) != (fr->fr_flags & FR_INOUT))
4879 /* ------------------------------------------------------------------------ */
4880 /* Function: fr_srcgrpmap */
4881 /* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
4882 /* Parameters: fin(I) - pointer to packet information */
4883 /* passp(IO) - pointer to current/new filter decision (unused) */
4885 /* Look for a rule group head in a hash table, using the source address as */
4886 /* the key, and descend into that group and continue matching rules against */
4888 /* ------------------------------------------------------------------------ */
4889 frentry_t *fr_srcgrpmap(fin, passp)
4896 rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, &fin->fin_src);
4901 fin->fin_fr = fg->fg_start;
4902 (void) fr_scanlist(fin, *passp);
4907 /* ------------------------------------------------------------------------ */
4908 /* Function: fr_dstgrpmap */
4909 /* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
4910 /* Parameters: fin(I) - pointer to packet information */
4911 /* passp(IO) - pointer to current/new filter decision (unused) */
4913 /* Look for a rule group head in a hash table, using the destination */
4914 /* address as the key, and descend into that group and continue matching */
4915 /* rules against the packet. */
4916 /* ------------------------------------------------------------------------ */
4917 frentry_t *fr_dstgrpmap(fin, passp)
4924 rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, &fin->fin_dst);
4929 fin->fin_fr = fg->fg_start;
4930 (void) fr_scanlist(fin, *passp);
4933 #endif /* IPFILTER_LOOKUP */
4938 * These functions manage objects on queues for efficient timeouts. There are
4939 * a number of system defined queues as well as user defined timeouts. It is
4940 * expected that a lock is held in the domain in which the queue belongs
4941 * (i.e. either state or NAT) when calling any of these functions that prevents
4942 * fr_freetimeoutqueue() from being called at the same time as any other.
4946 /* ------------------------------------------------------------------------ */
4947 /* Function: fr_addtimeoutqueue */
4948 /* Returns: struct ifqtq * - NULL if malloc fails, else pointer to */
4949 /* timeout queue with given interval. */
4950 /* Parameters: parent(I) - pointer to pointer to parent node of this list */
4951 /* of interface queues. */
4952 /* seconds(I) - timeout value in seconds for this queue. */
4954 /* This routine first looks for a timeout queue that matches the interval */
4955 /* being requested. If it finds one, increments the reference counter and */
4956 /* returns a pointer to it. If none are found, it allocates a new one and */
4957 /* inserts it at the top of the list. */
4960 /* It is assumed that the caller of this function has an appropriate lock */
4961 /* held (exclusively) in the domain that encompases 'parent'. */
4962 /* ------------------------------------------------------------------------ */
4963 ipftq_t *fr_addtimeoutqueue(parent, seconds)
4970 period = seconds * IPF_HZ_DIVIDE;
4972 MUTEX_ENTER(&ipf_timeoutlock);
4973 for (ifq = *parent; ifq != NULL; ifq = ifq->ifq_next) {
4974 if (ifq->ifq_ttl == period) {
4976 * Reset the delete flag, if set, so the structure
4977 * gets reused rather than freed and reallocated.
4979 MUTEX_ENTER(&ifq->ifq_lock);
4980 ifq->ifq_flags &= ~IFQF_DELETE;
4982 MUTEX_EXIT(&ifq->ifq_lock);
4983 MUTEX_EXIT(&ipf_timeoutlock);
4989 KMALLOC(ifq, ipftq_t *);
4991 ifq->ifq_ttl = period;
4992 ifq->ifq_head = NULL;
4993 ifq->ifq_tail = &ifq->ifq_head;
4994 ifq->ifq_next = *parent;
4995 ifq->ifq_pnext = parent;
4997 ifq->ifq_flags = IFQF_USER;
5000 MUTEX_NUKE(&ifq->ifq_lock);
5001 MUTEX_INIT(&ifq->ifq_lock, "ipftq mutex");
5003 MUTEX_EXIT(&ipf_timeoutlock);
5008 /* ------------------------------------------------------------------------ */
5009 /* Function: fr_deletetimeoutqueue */
5010 /* Returns: int - new reference count value of the timeout queue */
5011 /* Parameters: ifq(I) - timeout queue which is losing a reference. */
5012 /* Locks: ifq->ifq_lock */
5014 /* This routine must be called when we're discarding a pointer to a timeout */
5015 /* queue object, taking care of the reference counter. */
5017 /* Now that this just sets a DELETE flag, it requires the expire code to */
5018 /* check the list of user defined timeout queues and call the free function */
5019 /* below (currently commented out) to stop memory leaking. It is done this */
5020 /* way because the locking may not be sufficient to safely do a free when */
5021 /* this function is called. */
5022 /* ------------------------------------------------------------------------ */
5023 int fr_deletetimeoutqueue(ifq)
5028 if ((ifq->ifq_ref == 0) && ((ifq->ifq_flags & IFQF_USER) != 0)) {
5029 ifq->ifq_flags |= IFQF_DELETE;
5032 return ifq->ifq_ref;
5036 /* ------------------------------------------------------------------------ */
5037 /* Function: fr_freetimeoutqueue */
5038 /* Parameters: ifq(I) - timeout queue which is losing a reference. */
5042 /* It is assumed that the caller of this function has an appropriate lock */
5043 /* held (exclusively) in the domain that encompases the callers "domain". */
5044 /* The ifq_lock for this structure should not be held. */
5046 /* Remove a user definde timeout queue from the list of queues it is in and */
5047 /* tidy up after this is done. */
5048 /* ------------------------------------------------------------------------ */
5049 void fr_freetimeoutqueue(ifq)
5054 if (((ifq->ifq_flags & IFQF_DELETE) == 0) || (ifq->ifq_ref != 0) ||
5055 ((ifq->ifq_flags & IFQF_USER) == 0)) {
5056 printf("fr_freetimeoutqueue(%lx) flags 0x%x ttl %d ref %d\n",
5057 (u_long)ifq, ifq->ifq_flags, ifq->ifq_ttl,
5063 * Remove from its position in the list.
5065 *ifq->ifq_pnext = ifq->ifq_next;
5066 if (ifq->ifq_next != NULL)
5067 ifq->ifq_next->ifq_pnext = ifq->ifq_pnext;
5069 MUTEX_DESTROY(&ifq->ifq_lock);
5070 ATOMIC_DEC(fr_userifqs);
5075 /* ------------------------------------------------------------------------ */
5076 /* Function: fr_deletequeueentry */
5078 /* Parameters: tqe(I) - timeout queue entry to delete */
5079 /* ifq(I) - timeout queue to remove entry from */
5081 /* Remove a tail queue entry from its queue and make it an orphan. */
5082 /* fr_deletetimeoutqueue is called to make sure the reference count on the */
5083 /* queue is correct. We can't, however, call fr_freetimeoutqueue because */
5084 /* the correct lock(s) may not be held that would make it safe to do so. */
5085 /* ------------------------------------------------------------------------ */
5086 void fr_deletequeueentry(tqe)
5093 MUTEX_ENTER(&ifq->ifq_lock);
5095 if (tqe->tqe_pnext != NULL) {
5096 *tqe->tqe_pnext = tqe->tqe_next;
5097 if (tqe->tqe_next != NULL)
5098 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5099 else /* we must be the tail anyway */
5100 ifq->ifq_tail = tqe->tqe_pnext;
5102 tqe->tqe_pnext = NULL;
5103 tqe->tqe_ifq = NULL;
5106 (void) fr_deletetimeoutqueue(ifq);
5108 MUTEX_EXIT(&ifq->ifq_lock);
5112 /* ------------------------------------------------------------------------ */
5113 /* Function: fr_queuefront */
5115 /* Parameters: tqe(I) - pointer to timeout queue entry */
5117 /* Move a queue entry to the front of the queue, if it isn't already there. */
5118 /* ------------------------------------------------------------------------ */
5119 void fr_queuefront(tqe)
5128 MUTEX_ENTER(&ifq->ifq_lock);
5129 if (ifq->ifq_head != tqe) {
5130 *tqe->tqe_pnext = tqe->tqe_next;
5132 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5134 ifq->ifq_tail = tqe->tqe_pnext;
5136 tqe->tqe_next = ifq->ifq_head;
5137 ifq->ifq_head->tqe_pnext = &tqe->tqe_next;
5138 ifq->ifq_head = tqe;
5139 tqe->tqe_pnext = &ifq->ifq_head;
5141 MUTEX_EXIT(&ifq->ifq_lock);
5145 /* ------------------------------------------------------------------------ */
5146 /* Function: fr_queueback */
5148 /* Parameters: tqe(I) - pointer to timeout queue entry */
5150 /* Move a queue entry to the back of the queue, if it isn't already there. */
5151 /* ------------------------------------------------------------------------ */
5152 void fr_queueback(tqe)
5160 tqe->tqe_die = fr_ticks + ifq->ifq_ttl;
5162 MUTEX_ENTER(&ifq->ifq_lock);
5163 if (tqe->tqe_next != NULL) { /* at the end already ? */
5167 *tqe->tqe_pnext = tqe->tqe_next;
5168 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5171 * Make it the last entry.
5173 tqe->tqe_next = NULL;
5174 tqe->tqe_pnext = ifq->ifq_tail;
5175 *ifq->ifq_tail = tqe;
5176 ifq->ifq_tail = &tqe->tqe_next;
5178 MUTEX_EXIT(&ifq->ifq_lock);
5182 /* ------------------------------------------------------------------------ */
5183 /* Function: fr_queueappend */
5185 /* Parameters: tqe(I) - pointer to timeout queue entry */
5186 /* ifq(I) - pointer to timeout queue */
5187 /* parent(I) - owing object pointer */
5189 /* Add a new item to this queue and put it on the very end. */
5190 /* ------------------------------------------------------------------------ */
5191 void fr_queueappend(tqe, ifq, parent)
5197 MUTEX_ENTER(&ifq->ifq_lock);
5198 tqe->tqe_parent = parent;
5199 tqe->tqe_pnext = ifq->ifq_tail;
5200 *ifq->ifq_tail = tqe;
5201 ifq->ifq_tail = &tqe->tqe_next;
5202 tqe->tqe_next = NULL;
5204 tqe->tqe_die = fr_ticks + ifq->ifq_ttl;
5206 MUTEX_EXIT(&ifq->ifq_lock);
5210 /* ------------------------------------------------------------------------ */
5211 /* Function: fr_movequeue */
5213 /* Parameters: tq(I) - pointer to timeout queue information */
5214 /* oifp(I) - old timeout queue entry was on */
5215 /* nifp(I) - new timeout queue to put entry on */
5217 /* Move a queue entry from one timeout queue to another timeout queue. */
5218 /* If it notices that the current entry is already last and does not need */
5219 /* to move queue, the return. */
5220 /* ------------------------------------------------------------------------ */
5221 void fr_movequeue(tqe, oifq, nifq)
5223 ipftq_t *oifq, *nifq;
5226 * Is the operation here going to be a no-op ?
5228 MUTEX_ENTER(&oifq->ifq_lock);
5229 if ((oifq != nifq) || (*oifq->ifq_tail != tqe)) {
5231 * Remove from the old queue
5233 *tqe->tqe_pnext = tqe->tqe_next;
5235 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5237 oifq->ifq_tail = tqe->tqe_pnext;
5238 tqe->tqe_next = NULL;
5241 * If we're moving from one queue to another, release the
5242 * lock on the old queue and get a lock on the new queue.
5243 * For user defined queues, if we're moving off it, call
5244 * delete in case it can now be freed.
5247 tqe->tqe_ifq = NULL;
5249 (void) fr_deletetimeoutqueue(oifq);
5251 MUTEX_EXIT(&oifq->ifq_lock);
5253 MUTEX_ENTER(&nifq->ifq_lock);
5255 tqe->tqe_ifq = nifq;
5260 * Add to the bottom of the new queue
5262 tqe->tqe_die = fr_ticks + nifq->ifq_ttl;
5263 tqe->tqe_pnext = nifq->ifq_tail;
5264 *nifq->ifq_tail = tqe;
5265 nifq->ifq_tail = &tqe->tqe_next;
5267 MUTEX_EXIT(&nifq->ifq_lock);
5271 /* ------------------------------------------------------------------------ */
5272 /* Function: fr_updateipid */
5273 /* Returns: int - 0 == success, -1 == error (packet should be droppped) */
5274 /* Parameters: fin(I) - pointer to packet information */
5276 /* When we are doing NAT, change the IP of every packet to represent a */
5277 /* single sequence of packets coming from the host, hiding any host */
5278 /* specific sequencing that might otherwise be revealed. If the packet is */
5279 /* a fragment, then store the 'new' IPid in the fragment cache and look up */
5280 /* the fragment cache for non-leading fragments. If a non-leading fragment */
5281 /* has no match in the cache, return an error. */
5282 /* ------------------------------------------------------------------------ */
5283 static int fr_updateipid(fin)
5286 u_short id, ido, sums;
5290 if (fin->fin_off != 0) {
5291 sum = fr_ipid_knownfrag(fin);
5292 if (sum == 0xffffffff)
5297 id = fr_nextipid(fin);
5298 if (fin->fin_off == 0 && (fin->fin_flx & FI_FRAG) != 0)
5299 (void) fr_ipid_newfrag(fin, (u_32_t)id);
5303 ido = ntohs(ip->ip_id);
5306 ip->ip_id = htons(id);
5307 CALC_SUMD(ido, id, sumd); /* DESTRUCTIVE MACRO! id,ido change */
5308 sum = (~ntohs(ip->ip_sum)) & 0xffff;
5310 sum = (sum >> 16) + (sum & 0xffff);
5311 sum = (sum >> 16) + (sum & 0xffff);
5312 sums = ~(u_short)sum;
5313 ip->ip_sum = htons(sums);
5318 #ifdef NEED_FRGETIFNAME
5319 /* ------------------------------------------------------------------------ */
5320 /* Function: fr_getifname */
5321 /* Returns: char * - pointer to interface name */
5322 /* Parameters: ifp(I) - pointer to network interface */
5323 /* buffer(O) - pointer to where to store interface name */
5325 /* Constructs an interface name in the buffer passed. The buffer passed is */
5326 /* expected to be at least LIFNAMSIZ in bytes big. If buffer is passed in */
5327 /* as a NULL pointer then return a pointer to a static array. */
5328 /* ------------------------------------------------------------------------ */
5329 char *fr_getifname(ifp, buffer)
5333 static char namebuf[LIFNAMSIZ];
5334 # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
5335 defined(__sgi) || defined(linux) || defined(_AIX51) || \
5336 (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
5344 (void) strncpy(buffer, ifp->if_name, LIFNAMSIZ);
5345 buffer[LIFNAMSIZ - 1] = '\0';
5346 # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
5347 defined(__sgi) || defined(_AIX51) || \
5348 (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
5349 for (s = buffer; *s; s++)
5351 unit = ifp->if_unit;
5352 space = LIFNAMSIZ - (s - buffer);
5354 # if defined(SNPRINTF) && defined(_KERNEL)
5355 SNPRINTF(temp, sizeof(temp), "%d", unit);
5357 (void) sprintf(temp, "%d", unit);
5359 (void) strncpy(s, temp, space);
5367 /* ------------------------------------------------------------------------ */
5368 /* Function: fr_ioctlswitch */
5369 /* Returns: int - -1 continue processing, else ioctl return value */
5370 /* Parameters: unit(I) - device unit opened */
5371 /* data(I) - pointer to ioctl data */
5372 /* cmd(I) - ioctl command */
5373 /* mode(I) - mode value */
5374 /* uid(I) - uid making the ioctl call */
5375 /* ctx(I) - pointer to context data */
5377 /* Based on the value of unit, call the appropriate ioctl handler or return */
5378 /* EIO if ipfilter is not running. Also checks if write perms are req'd */
5379 /* for the device in order to execute the ioctl. */
5380 /* ------------------------------------------------------------------------ */
5381 int fr_ioctlswitch(unit, data, cmd, mode, uid, ctx)
5382 int unit, mode, uid;
5391 error = fr_ipf_ioctl(data, cmd, mode, uid, ctx);
5395 error = fr_nat_ioctl(data, cmd, mode, uid, ctx);
5401 error = fr_state_ioctl(data, cmd, mode, uid, ctx);
5407 error = fr_auth_ioctl(data, cmd, mode, uid, ctx);
5412 #ifdef IPFILTER_SYNC
5414 error = fr_sync_ioctl(data, cmd, mode, uid, ctx);
5420 #ifdef IPFILTER_SCAN
5422 error = fr_scan_ioctl(data, cmd, mode, uid, ctx);
5427 case IPL_LOGLOOKUP :
5428 #ifdef IPFILTER_LOOKUP
5430 error = ip_lookup_ioctl(data, cmd, mode, uid, ctx);
5445 * This array defines the expected size of objects coming into the kernel
5446 * for the various recognised object types.
5448 static int fr_objbytes[IPFOBJ_COUNT][2] = {
5449 { 1, sizeof(struct frentry) }, /* frentry */
5450 { 0, sizeof(struct friostat) },
5451 { 0, sizeof(struct fr_info) },
5452 { 0, sizeof(struct fr_authstat) },
5453 { 0, sizeof(struct ipfrstat) },
5454 { 0, sizeof(struct ipnat) },
5455 { 0, sizeof(struct natstat) },
5456 { 0, sizeof(struct ipstate_save) },
5457 { 1, sizeof(struct nat_save) }, /* nat_save */
5458 { 0, sizeof(struct natlookup) },
5459 { 1, sizeof(struct ipstate) }, /* ipstate */
5460 { 0, sizeof(struct ips_stat) },
5461 { 0, sizeof(struct frauth) },
5462 { 0, sizeof(struct ipftune) },
5463 { 0, sizeof(struct nat) }, /* nat_t */
5464 { 0, sizeof(struct ipfruleiter) },
5465 { 0, sizeof(struct ipfgeniter) },
5466 { 0, sizeof(struct ipftable) },
5467 { 0, sizeof(struct ipflookupiter) },
5468 { 0, sizeof(struct ipftq) * IPF_TCP_NSTATES },
5472 /* ------------------------------------------------------------------------ */
5473 /* Function: fr_inobj */
5474 /* Returns: int - 0 = success, else failure */
5475 /* Parameters: data(I) - pointer to ioctl data */
5476 /* ptr(I) - pointer to store real data in */
5477 /* type(I) - type of structure being moved */
5479 /* Copy in the contents of what the ipfobj_t points to. In future, we */
5480 /* add things to check for version numbers, sizes, etc, to make it backward */
5481 /* compatible at the ABI for user land. */
5482 /* ------------------------------------------------------------------------ */
5483 int fr_inobj(data, ptr, type)
5491 if ((type < 0) || (type >= IPFOBJ_COUNT))
5494 error = BCOPYIN(data, &obj, sizeof(obj));
5498 if (obj.ipfo_type != type)
5501 #ifndef IPFILTER_COMPAT
5502 if ((fr_objbytes[type][0] & 1) != 0) {
5503 if (obj.ipfo_size < fr_objbytes[type][1])
5505 } else if (obj.ipfo_size != fr_objbytes[type][1]) {
5509 if (obj.ipfo_rev != IPFILTER_VERSION)
5510 /* XXX compatibility hook here */
5512 if ((fr_objbytes[type][0] & 1) != 0) {
5513 if (obj.ipfo_size < fr_objbytes[type][1])
5514 /* XXX compatibility hook here */
5516 } else if (obj.ipfo_size != fr_objbytes[type][1])
5517 /* XXX compatibility hook here */
5521 if ((fr_objbytes[type][0] & 1) != 0) {
5522 error = COPYIN(obj.ipfo_ptr, ptr, fr_objbytes[type][1]);
5524 error = COPYIN(obj.ipfo_ptr, ptr, obj.ipfo_size);
5532 /* ------------------------------------------------------------------------ */
5533 /* Function: fr_inobjsz */
5534 /* Returns: int - 0 = success, else failure */
5535 /* Parameters: data(I) - pointer to ioctl data */
5536 /* ptr(I) - pointer to store real data in */
5537 /* type(I) - type of structure being moved */
5538 /* sz(I) - size of data to copy */
5540 /* As per fr_inobj, except the size of the object to copy in is passed in */
5541 /* but it must not be smaller than the size defined for the type and the */
5542 /* type must allow for varied sized objects. The extra requirement here is */
5543 /* that sz must match the size of the object being passed in - this is not */
5544 /* not possible nor required in fr_inobj(). */
5545 /* ------------------------------------------------------------------------ */
5546 int fr_inobjsz(data, ptr, type, sz)
5554 if ((type < 0) || (type >= IPFOBJ_COUNT))
5556 if (((fr_objbytes[type][0] & 1) == 0) || (sz < fr_objbytes[type][1]))
5559 error = BCOPYIN(data, &obj, sizeof(obj));
5563 if (obj.ipfo_type != type)
5566 #ifndef IPFILTER_COMPAT
5567 if (obj.ipfo_size != sz)
5570 if (obj.ipfo_rev != IPFILTER_VERSION)
5571 /* XXX compatibility hook here */
5573 if (obj.ipfo_size != sz)
5574 /* XXX compatibility hook here */
5578 error = COPYIN(obj.ipfo_ptr, ptr, sz);
5585 /* ------------------------------------------------------------------------ */
5586 /* Function: fr_outobjsz */
5587 /* Returns: int - 0 = success, else failure */
5588 /* Parameters: data(I) - pointer to ioctl data */
5589 /* ptr(I) - pointer to store real data in */
5590 /* type(I) - type of structure being moved */
5591 /* sz(I) - size of data to copy */
5593 /* As per fr_outobj, except the size of the object to copy out is passed in */
5594 /* but it must not be smaller than the size defined for the type and the */
5595 /* type must allow for varied sized objects. The extra requirement here is */
5596 /* that sz must match the size of the object being passed in - this is not */
5597 /* not possible nor required in fr_outobj(). */
5598 /* ------------------------------------------------------------------------ */
5599 int fr_outobjsz(data, ptr, type, sz)
5607 if ((type < 0) || (type >= IPFOBJ_COUNT) ||
5608 ((fr_objbytes[type][0] & 1) == 0) ||
5609 (sz < fr_objbytes[type][1]))
5612 error = BCOPYIN(data, &obj, sizeof(obj));
5616 if (obj.ipfo_type != type)
5619 #ifndef IPFILTER_COMPAT
5620 if (obj.ipfo_size != sz)
5623 if (obj.ipfo_rev != IPFILTER_VERSION)
5624 /* XXX compatibility hook here */
5626 if (obj.ipfo_size != sz)
5627 /* XXX compatibility hook here */
5631 error = COPYOUT(ptr, obj.ipfo_ptr, sz);
5638 /* ------------------------------------------------------------------------ */
5639 /* Function: fr_outobj */
5640 /* Returns: int - 0 = success, else failure */
5641 /* Parameters: data(I) - pointer to ioctl data */
5642 /* ptr(I) - pointer to store real data in */
5643 /* type(I) - type of structure being moved */
5645 /* Copy out the contents of what ptr is to where ipfobj points to. In */
5646 /* future, we add things to check for version numbers, sizes, etc, to make */
5647 /* it backward compatible at the ABI for user land. */
5648 /* ------------------------------------------------------------------------ */
5649 int fr_outobj(data, ptr, type)
5657 if ((type < 0) || (type >= IPFOBJ_COUNT))
5660 error = BCOPYIN(data, &obj, sizeof(obj));
5664 if (obj.ipfo_type != type)
5667 #ifndef IPFILTER_COMPAT
5668 if ((fr_objbytes[type][0] & 1) != 0) {
5669 if (obj.ipfo_size < fr_objbytes[type][1])
5671 } else if (obj.ipfo_size != fr_objbytes[type][1])
5674 if (obj.ipfo_rev != IPFILTER_VERSION)
5675 /* XXX compatibility hook here */
5677 if ((fr_objbytes[type][0] & 1) != 0) {
5678 if (obj.ipfo_size < fr_objbytes[type][1])
5679 /* XXX compatibility hook here */
5681 } else if (obj.ipfo_size != fr_objbytes[type][1])
5682 /* XXX compatibility hook here */
5686 error = COPYOUT(ptr, obj.ipfo_ptr, obj.ipfo_size);
5693 /* ------------------------------------------------------------------------ */
5694 /* Function: fr_checkl4sum */
5695 /* Returns: int - 0 = good, -1 = bad, 1 = cannot check */
5696 /* Parameters: fin(I) - pointer to packet information */
5698 /* If possible, calculate the layer 4 checksum for the packet. If this is */
5699 /* not possible, return without indicating a failure or success but in a */
5700 /* way that is ditinguishable. */
5701 /* ------------------------------------------------------------------------ */
5702 int fr_checkl4sum(fin)
5705 u_short sum, hdrsum, *csump;
5709 if ((fin->fin_flx & FI_NOCKSUM) != 0)
5712 if (fin->fin_cksum == 1)
5715 if (fin->fin_cksum == -1)
5719 * If the TCP packet isn't a fragment, isn't too short and otherwise
5720 * isn't already considered "bad", then validate the checksum. If
5721 * this check fails then considered the packet to be "bad".
5723 if ((fin->fin_flx & (FI_FRAG|FI_SHORT|FI_BAD)) != 0)
5731 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
5732 if (dohwcksum && ((*fin->fin_mp)->b_ick_flag == ICK_VALID)) {
5740 csump = &((tcphdr_t *)fin->fin_dp)->th_sum;
5746 if (udp->uh_sum != 0) {
5747 csump = &udp->uh_sum;
5753 csump = &((struct icmp *)fin->fin_dp)->icmp_cksum;
5766 sum = fr_cksum(fin->fin_m, fin->fin_ip,
5767 fin->fin_p, fin->fin_dp,
5768 fin->fin_dlen + fin->fin_hlen);
5770 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
5773 #if !defined(_KERNEL)
5774 if (sum == hdrsum) {
5775 FR_DEBUG(("checkl4sum: %hx == %hx\n", sum, hdrsum));
5777 FR_DEBUG(("checkl4sum: %hx != %hx\n", sum, hdrsum));
5780 if (hdrsum == sum) {
5784 fin->fin_cksum = -1;
5789 /* ------------------------------------------------------------------------ */
5790 /* Function: fr_ifpfillv4addr */
5791 /* Returns: int - 0 = address update, -1 = address not updated */
5792 /* Parameters: atype(I) - type of network address update to perform */
5793 /* sin(I) - pointer to source of address information */
5794 /* mask(I) - pointer to source of netmask information */
5795 /* inp(I) - pointer to destination address store */
5796 /* inpmask(I) - pointer to destination netmask store */
5798 /* Given a type of network address update (atype) to perform, copy */
5799 /* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
5800 /* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
5801 /* which case the operation fails. For all values of atype other than */
5802 /* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
5804 /* ------------------------------------------------------------------------ */
5805 int fr_ifpfillv4addr(atype, sin, mask, inp, inpmask)
5807 struct sockaddr_in *sin, *mask;
5808 struct in_addr *inp, *inpmask;
5810 if (inpmask != NULL && atype != FRI_NETMASKED)
5811 inpmask->s_addr = 0xffffffff;
5813 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
5814 if (atype == FRI_NETMASKED) {
5815 if (inpmask == NULL)
5817 inpmask->s_addr = mask->sin_addr.s_addr;
5819 inp->s_addr = sin->sin_addr.s_addr & mask->sin_addr.s_addr;
5821 inp->s_addr = sin->sin_addr.s_addr;
5828 /* ------------------------------------------------------------------------ */
5829 /* Function: fr_ifpfillv6addr */
5830 /* Returns: int - 0 = address update, -1 = address not updated */
5831 /* Parameters: atype(I) - type of network address update to perform */
5832 /* sin(I) - pointer to source of address information */
5833 /* mask(I) - pointer to source of netmask information */
5834 /* inp(I) - pointer to destination address store */
5835 /* inpmask(I) - pointer to destination netmask store */
5837 /* Given a type of network address update (atype) to perform, copy */
5838 /* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
5839 /* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
5840 /* which case the operation fails. For all values of atype other than */
5841 /* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
5843 /* ------------------------------------------------------------------------ */
5844 int fr_ifpfillv6addr(atype, sin, mask, inp, inpmask)
5846 struct sockaddr_in6 *sin, *mask;
5847 struct in_addr *inp, *inpmask;
5849 i6addr_t *src, *dst, *and, *dmask;
5851 src = (i6addr_t *)&sin->sin6_addr;
5852 and = (i6addr_t *)&mask->sin6_addr;
5853 dst = (i6addr_t *)inp;
5854 dmask = (i6addr_t *)inpmask;
5856 if (inpmask != NULL && atype != FRI_NETMASKED) {
5857 dmask->i6[0] = 0xffffffff;
5858 dmask->i6[1] = 0xffffffff;
5859 dmask->i6[2] = 0xffffffff;
5860 dmask->i6[3] = 0xffffffff;
5863 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
5864 if (atype == FRI_NETMASKED) {
5865 if (inpmask == NULL)
5867 dmask->i6[0] = and->i6[0];
5868 dmask->i6[1] = and->i6[1];
5869 dmask->i6[2] = and->i6[2];
5870 dmask->i6[3] = and->i6[3];
5873 dst->i6[0] = src->i6[0] & and->i6[0];
5874 dst->i6[1] = src->i6[1] & and->i6[1];
5875 dst->i6[2] = src->i6[2] & and->i6[2];
5876 dst->i6[3] = src->i6[3] & and->i6[3];
5878 dst->i6[0] = src->i6[0];
5879 dst->i6[1] = src->i6[1];
5880 dst->i6[2] = src->i6[2];
5881 dst->i6[3] = src->i6[3];
5888 /* ------------------------------------------------------------------------ */
5889 /* Function: fr_matchtag */
5890 /* Returns: 0 == mismatch, 1 == match. */
5891 /* Parameters: tag1(I) - pointer to first tag to compare */
5892 /* tag2(I) - pointer to second tag to compare */
5894 /* Returns true (non-zero) or false(0) if the two tag structures can be */
5895 /* considered to be a match or not match, respectively. The tag is 16 */
5896 /* bytes long (16 characters) but that is overlayed with 4 32bit ints so */
5897 /* compare the ints instead, for speed. tag1 is the master of the */
5898 /* comparison. This function should only be called with both tag1 and tag2 */
5899 /* as non-NULL pointers. */
5900 /* ------------------------------------------------------------------------ */
5901 int fr_matchtag(tag1, tag2)
5902 ipftag_t *tag1, *tag2;
5907 if ((tag1->ipt_num[0] == 0) && (tag2->ipt_num[0] == 0))
5910 if ((tag1->ipt_num[0] == tag2->ipt_num[0]) &&
5911 (tag1->ipt_num[1] == tag2->ipt_num[1]) &&
5912 (tag1->ipt_num[2] == tag2->ipt_num[2]) &&
5913 (tag1->ipt_num[3] == tag2->ipt_num[3]))
5919 /* ------------------------------------------------------------------------ */
5920 /* Function: fr_coalesce */
5921 /* Returns: 1 == success, -1 == failure, 0 == no change */
5922 /* Parameters: fin(I) - pointer to packet information */
5924 /* Attempt to get all of the packet data into a single, contiguous buffer. */
5925 /* If this call returns a failure then the buffers have also been freed. */
5926 /* ------------------------------------------------------------------------ */
5927 int fr_coalesce(fin)
5930 if ((fin->fin_flx & FI_COALESCE) != 0)
5934 * If the mbuf pointers indicate that there is no mbuf to work with,
5935 * return but do not indicate success or failure.
5937 if (fin->fin_m == NULL || fin->fin_mp == NULL)
5940 #if defined(_KERNEL)
5941 if (fr_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) {
5942 ATOMIC_INCL(fr_badcoalesces[fin->fin_out]);
5944 FREE_MB_T(*fin->fin_mp);
5946 *fin->fin_mp = NULL;
5951 fin = fin; /* LINT */
5958 * The following table lists all of the tunable variables that can be
5959 * accessed via SIOCIPFGET/SIOCIPFSET/SIOCIPFGETNEXt. The format of each row
5960 * in the table below is as follows:
5962 * pointer to value, name of value, minimum, maximum, size of the value's
5963 * container, value attribute flags
5965 * For convienience, IPFT_RDONLY means the value is read-only, IPFT_WRDISABLED
5966 * means the value can only be written to when IPFilter is loaded but disabled.
5967 * The obvious implication is if neither of these are set then the value can be
5968 * changed at any time without harm.
5970 ipftuneable_t ipf_tuneables[] = {
5972 { { &fr_flags }, "fr_flags", 0, 0xffffffff,
5973 sizeof(fr_flags), 0, NULL },
5974 { { &fr_active }, "fr_active", 0, 0,
5975 sizeof(fr_active), IPFT_RDONLY, NULL },
5976 { { &fr_control_forwarding }, "fr_control_forwarding", 0, 1,
5977 sizeof(fr_control_forwarding), 0, NULL },
5978 { { &fr_update_ipid }, "fr_update_ipid", 0, 1,
5979 sizeof(fr_update_ipid), 0, NULL },
5980 { { &fr_chksrc }, "fr_chksrc", 0, 1,
5981 sizeof(fr_chksrc), 0, NULL },
5982 { { &fr_minttl }, "fr_minttl", 0, 1,
5983 sizeof(fr_minttl), 0, NULL },
5984 { { &fr_icmpminfragmtu }, "fr_icmpminfragmtu", 0, 1,
5985 sizeof(fr_icmpminfragmtu), 0, NULL },
5986 { { &fr_pass }, "fr_pass", 0, 0xffffffff,
5987 sizeof(fr_pass), 0, NULL },
5989 { { &fr_tcpidletimeout }, "fr_tcpidletimeout", 1, 0x7fffffff,
5990 sizeof(fr_tcpidletimeout), IPFT_WRDISABLED, NULL },
5991 { { &fr_tcpclosewait }, "fr_tcpclosewait", 1, 0x7fffffff,
5992 sizeof(fr_tcpclosewait), IPFT_WRDISABLED, NULL },
5993 { { &fr_tcplastack }, "fr_tcplastack", 1, 0x7fffffff,
5994 sizeof(fr_tcplastack), IPFT_WRDISABLED, NULL },
5995 { { &fr_tcptimeout }, "fr_tcptimeout", 1, 0x7fffffff,
5996 sizeof(fr_tcptimeout), IPFT_WRDISABLED, NULL },
5997 { { &fr_tcpclosed }, "fr_tcpclosed", 1, 0x7fffffff,
5998 sizeof(fr_tcpclosed), IPFT_WRDISABLED, NULL },
5999 { { &fr_tcphalfclosed }, "fr_tcphalfclosed", 1, 0x7fffffff,
6000 sizeof(fr_tcphalfclosed), IPFT_WRDISABLED, NULL },
6001 { { &fr_udptimeout }, "fr_udptimeout", 1, 0x7fffffff,
6002 sizeof(fr_udptimeout), IPFT_WRDISABLED, NULL },
6003 { { &fr_udpacktimeout }, "fr_udpacktimeout", 1, 0x7fffffff,
6004 sizeof(fr_udpacktimeout), IPFT_WRDISABLED, NULL },
6005 { { &fr_icmptimeout }, "fr_icmptimeout", 1, 0x7fffffff,
6006 sizeof(fr_icmptimeout), IPFT_WRDISABLED, NULL },
6007 { { &fr_icmpacktimeout }, "fr_icmpacktimeout", 1, 0x7fffffff,
6008 sizeof(fr_icmpacktimeout), IPFT_WRDISABLED, NULL },
6009 { { &fr_iptimeout }, "fr_iptimeout", 1, 0x7fffffff,
6010 sizeof(fr_iptimeout), IPFT_WRDISABLED, NULL },
6011 { { &fr_statemax }, "fr_statemax", 1, 0x7fffffff,
6012 sizeof(fr_statemax), 0, NULL },
6013 { { &fr_statesize }, "fr_statesize", 1, 0x7fffffff,
6014 sizeof(fr_statesize), IPFT_WRDISABLED, NULL },
6015 { { &fr_state_lock }, "fr_state_lock", 0, 1,
6016 sizeof(fr_state_lock), IPFT_RDONLY, NULL },
6017 { { &fr_state_maxbucket }, "fr_state_maxbucket", 1, 0x7fffffff,
6018 sizeof(fr_state_maxbucket), IPFT_WRDISABLED, NULL },
6019 { { &fr_state_maxbucket_reset }, "fr_state_maxbucket_reset", 0, 1,
6020 sizeof(fr_state_maxbucket_reset), IPFT_WRDISABLED, NULL },
6021 { { &ipstate_logging }, "ipstate_logging", 0, 1,
6022 sizeof(ipstate_logging), 0, NULL },
6024 { { &fr_nat_lock }, "fr_nat_lock", 0, 1,
6025 sizeof(fr_nat_lock), IPFT_RDONLY, NULL },
6026 { { &ipf_nattable_sz }, "ipf_nattable_sz", 1, 0x7fffffff,
6027 sizeof(ipf_nattable_sz), IPFT_WRDISABLED, NULL },
6028 { { &ipf_nattable_max }, "ipf_nattable_max", 1, 0x7fffffff,
6029 sizeof(ipf_nattable_max), 0, NULL },
6030 { { &ipf_natrules_sz }, "ipf_natrules_sz", 1, 0x7fffffff,
6031 sizeof(ipf_natrules_sz), IPFT_WRDISABLED, NULL },
6032 { { &ipf_rdrrules_sz }, "ipf_rdrrules_sz", 1, 0x7fffffff,
6033 sizeof(ipf_rdrrules_sz), IPFT_WRDISABLED, NULL },
6034 { { &ipf_hostmap_sz }, "ipf_hostmap_sz", 1, 0x7fffffff,
6035 sizeof(ipf_hostmap_sz), IPFT_WRDISABLED, NULL },
6036 { { &fr_nat_maxbucket }, "fr_nat_maxbucket", 1, 0x7fffffff,
6037 sizeof(fr_nat_maxbucket), 0, NULL },
6038 { { &fr_nat_maxbucket_reset }, "fr_nat_maxbucket_reset", 0, 1,
6039 sizeof(fr_nat_maxbucket_reset), IPFT_WRDISABLED, NULL },
6040 { { &nat_logging }, "nat_logging", 0, 1,
6041 sizeof(nat_logging), 0, NULL },
6042 { { &fr_defnatage }, "fr_defnatage", 1, 0x7fffffff,
6043 sizeof(fr_defnatage), IPFT_WRDISABLED, NULL },
6044 { { &fr_defnatipage }, "fr_defnatipage", 1, 0x7fffffff,
6045 sizeof(fr_defnatipage), IPFT_WRDISABLED, NULL },
6046 { { &fr_defnaticmpage }, "fr_defnaticmpage", 1, 0x7fffffff,
6047 sizeof(fr_defnaticmpage), IPFT_WRDISABLED, NULL },
6048 { { &fr_nat_doflush }, "fr_nat_doflush", 0, 1,
6049 sizeof(fr_nat_doflush), 0, NULL },
6051 { { &ipf_proxy_debug }, "ipf_proxy_debug", 0, 10,
6052 sizeof(ipf_proxy_debug), 0, 0 },
6054 { { &ipfr_size }, "ipfr_size", 1, 0x7fffffff,
6055 sizeof(ipfr_size), IPFT_WRDISABLED, NULL },
6056 { { &fr_ipfrttl }, "fr_ipfrttl", 1, 0x7fffffff,
6057 sizeof(fr_ipfrttl), IPFT_WRDISABLED, NULL },
6060 { { &ipl_suppress }, "ipl_suppress", 0, 1,
6061 sizeof(ipl_suppress), 0, NULL },
6062 { { &ipl_logmax }, "ipl_logmax", 0, 0x7fffffff,
6063 sizeof(ipl_logmax), IPFT_WRDISABLED, NULL },
6064 { { &ipl_logall }, "ipl_logall", 0, 1,
6065 sizeof(ipl_logall), 0, NULL },
6066 { { &ipl_logsize }, "ipl_logsize", 0, 0x80000,
6067 sizeof(ipl_logsize), 0, NULL },
6069 { { NULL }, NULL, 0, 0,
6073 static ipftuneable_t *ipf_tunelist = NULL;
6076 /* ------------------------------------------------------------------------ */
6077 /* Function: fr_findtunebycookie */
6078 /* Returns: NULL = search failed, else pointer to tune struct */
6079 /* Parameters: cookie(I) - cookie value to search for amongst tuneables */
6080 /* next(O) - pointer to place to store the cookie for the */
6081 /* "next" tuneable, if it is desired. */
6083 /* This function is used to walk through all of the existing tunables with */
6084 /* successive calls. It searches the known tunables for the one which has */
6085 /* a matching value for "cookie" - ie its address. When returning a match, */
6086 /* the next one to be found may be returned inside next. */
6087 /* ------------------------------------------------------------------------ */
6088 static ipftuneable_t *fr_findtunebycookie(cookie, next)
6089 void *cookie, **next;
6091 ipftuneable_t *ta, **tap;
6093 for (ta = ipf_tuneables; ta->ipft_name != NULL; ta++)
6097 * If the next entry in the array has a name
6098 * present, then return a pointer to it for
6099 * where to go next, else return a pointer to
6100 * the dynaminc list as a key to search there
6101 * next. This facilitates a weak linking of
6102 * the two "lists" together.
6104 if ((ta + 1)->ipft_name != NULL)
6107 *next = &ipf_tunelist;
6112 for (tap = &ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
6113 if (tap == cookie) {
6115 *next = &ta->ipft_next;
6125 /* ------------------------------------------------------------------------ */
6126 /* Function: fr_findtunebyname */
6127 /* Returns: NULL = search failed, else pointer to tune struct */
6128 /* Parameters: name(I) - name of the tuneable entry to find. */
6130 /* Search the static array of tuneables and the list of dynamic tuneables */
6131 /* for an entry with a matching name. If we can find one, return a pointer */
6132 /* to the matching structure. */
6133 /* ------------------------------------------------------------------------ */
6134 static ipftuneable_t *fr_findtunebyname(name)
6139 for (ta = ipf_tuneables; ta->ipft_name != NULL; ta++)
6140 if (!strcmp(ta->ipft_name, name)) {
6144 for (ta = ipf_tunelist; ta != NULL; ta = ta->ipft_next)
6145 if (!strcmp(ta->ipft_name, name)) {
6153 /* ------------------------------------------------------------------------ */
6154 /* Function: fr_addipftune */
6155 /* Returns: int - 0 == success, else failure */
6156 /* Parameters: newtune - pointer to new tune struct to add to tuneables */
6158 /* Appends the tune structure pointer to by "newtune" to the end of the */
6159 /* current list of "dynamic" tuneable parameters. Once added, the owner */
6160 /* of the object is not expected to ever change "ipft_next". */
6161 /* ------------------------------------------------------------------------ */
6162 int fr_addipftune(newtune)
6163 ipftuneable_t *newtune;
6165 ipftuneable_t *ta, **tap;
6167 ta = fr_findtunebyname(newtune->ipft_name);
6171 for (tap = &ipf_tunelist; *tap != NULL; tap = &(*tap)->ipft_next)
6174 newtune->ipft_next = NULL;
6180 /* ------------------------------------------------------------------------ */
6181 /* Function: fr_delipftune */
6182 /* Returns: int - 0 == success, else failure */
6183 /* Parameters: oldtune - pointer to tune struct to remove from the list of */
6184 /* current dynamic tuneables */
6186 /* Search for the tune structure, by pointer, in the list of those that are */
6187 /* dynamically added at run time. If found, adjust the list so that this */
6188 /* structure is no longer part of it. */
6189 /* ------------------------------------------------------------------------ */
6190 int fr_delipftune(oldtune)
6191 ipftuneable_t *oldtune;
6193 ipftuneable_t *ta, **tap;
6195 for (tap = &ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
6196 if (ta == oldtune) {
6197 *tap = oldtune->ipft_next;
6198 oldtune->ipft_next = NULL;
6206 /* ------------------------------------------------------------------------ */
6207 /* Function: fr_ipftune */
6208 /* Returns: int - 0 == success, else failure */
6209 /* Parameters: cmd(I) - ioctl command number */
6210 /* data(I) - pointer to ioctl data structure */
6212 /* Implement handling of SIOCIPFGETNEXT, SIOCIPFGET and SIOCIPFSET. These */
6213 /* three ioctls provide the means to access and control global variables */
6214 /* within IPFilter, allowing (for example) timeouts and table sizes to be */
6215 /* changed without rebooting, reloading or recompiling. The initialisation */
6216 /* and 'destruction' routines of the various components of ipfilter are all */
6217 /* each responsible for handling their own values being too big. */
6218 /* ------------------------------------------------------------------------ */
6219 int fr_ipftune(cmd, data)
6228 error = fr_inobj(data, &tu, IPFOBJ_TUNEABLE);
6232 tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';
6233 cookie = tu.ipft_cookie;
6238 case SIOCIPFGETNEXT :
6240 * If cookie is non-NULL, assume it to be a pointer to the last
6241 * entry we looked at, so find it (if possible) and return a
6242 * pointer to the next one after it. The last entry in the
6243 * the table is a NULL entry, so when we get to it, set cookie
6244 * to NULL and return that, indicating end of list, erstwhile
6245 * if we come in with cookie set to NULL, we are starting anew
6246 * at the front of the list.
6248 if (cookie != NULL) {
6249 ta = fr_findtunebycookie(cookie, &tu.ipft_cookie);
6252 tu.ipft_cookie = ta + 1;
6256 * Entry found, but does the data pointed to by that
6257 * row fit in what we can return?
6259 if (ta->ipft_sz > sizeof(tu.ipft_un))
6263 if (ta->ipft_sz == sizeof(u_long))
6264 tu.ipft_vlong = *ta->ipft_plong;
6265 else if (ta->ipft_sz == sizeof(u_int))
6266 tu.ipft_vint = *ta->ipft_pint;
6267 else if (ta->ipft_sz == sizeof(u_short))
6268 tu.ipft_vshort = *ta->ipft_pshort;
6269 else if (ta->ipft_sz == sizeof(u_char))
6270 tu.ipft_vchar = *ta->ipft_pchar;
6272 tu.ipft_sz = ta->ipft_sz;
6273 tu.ipft_min = ta->ipft_min;
6274 tu.ipft_max = ta->ipft_max;
6275 tu.ipft_flags = ta->ipft_flags;
6276 bcopy(ta->ipft_name, tu.ipft_name,
6277 MIN(sizeof(tu.ipft_name),
6278 strlen(ta->ipft_name) + 1));
6280 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
6286 * Search by name or by cookie value for a particular entry
6287 * in the tuning paramter table.
6290 if (cookie != NULL) {
6291 ta = fr_findtunebycookie(cookie, NULL);
6294 } else if (tu.ipft_name[0] != '\0') {
6295 ta = fr_findtunebyname(tu.ipft_name);
6302 if (cmd == (ioctlcmd_t)SIOCIPFGET) {
6304 * Fetch the tuning parameters for a particular value
6307 if (ta->ipft_sz == sizeof(u_long))
6308 tu.ipft_vlong = *ta->ipft_plong;
6309 else if (ta->ipft_sz == sizeof(u_int))
6310 tu.ipft_vint = *ta->ipft_pint;
6311 else if (ta->ipft_sz == sizeof(u_short))
6312 tu.ipft_vshort = *ta->ipft_pshort;
6313 else if (ta->ipft_sz == sizeof(u_char))
6314 tu.ipft_vchar = *ta->ipft_pchar;
6315 tu.ipft_cookie = ta;
6316 tu.ipft_sz = ta->ipft_sz;
6317 tu.ipft_min = ta->ipft_min;
6318 tu.ipft_max = ta->ipft_max;
6319 tu.ipft_flags = ta->ipft_flags;
6320 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
6322 } else if (cmd == (ioctlcmd_t)SIOCIPFSET) {
6324 * Set an internal parameter. The hard part here is
6325 * getting the new value safely and correctly out of
6326 * the kernel (given we only know its size, not type.)
6330 if (((ta->ipft_flags & IPFT_WRDISABLED) != 0) &&
6337 if (in < ta->ipft_min || in > ta->ipft_max) {
6342 if (ta->ipft_sz == sizeof(u_long)) {
6343 tu.ipft_vlong = *ta->ipft_plong;
6344 *ta->ipft_plong = in;
6345 } else if (ta->ipft_sz == sizeof(u_int)) {
6346 tu.ipft_vint = *ta->ipft_pint;
6347 *ta->ipft_pint = (u_int)(in & 0xffffffff);
6348 } else if (ta->ipft_sz == sizeof(u_short)) {
6349 tu.ipft_vshort = *ta->ipft_pshort;
6350 *ta->ipft_pshort = (u_short)(in & 0xffff);
6351 } else if (ta->ipft_sz == sizeof(u_char)) {
6352 tu.ipft_vchar = *ta->ipft_pchar;
6353 *ta->ipft_pchar = (u_char)(in & 0xff);
6355 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
6368 /* ------------------------------------------------------------------------ */
6369 /* Function: fr_initialise */
6370 /* Returns: int - 0 == success, < 0 == failure */
6371 /* Parameters: None. */
6373 /* Call of the initialise functions for all the various subsystems inside */
6374 /* of IPFilter. If any of them should fail, return immeadiately a failure */
6375 /* BUT do not try to recover from the error here. */
6376 /* ------------------------------------------------------------------------ */
6381 bzero(&frstats, sizeof(frstats));
6408 #ifdef IPFILTER_SYNC
6413 #ifdef IPFILTER_SCAN
6418 #ifdef IPFILTER_LOOKUP
6419 i = ip_lookup_init();
6423 #ifdef IPFILTER_COMPILED
6430 /* ------------------------------------------------------------------------ */
6431 /* Function: fr_deinitialise */
6432 /* Returns: None. */
6433 /* Parameters: None. */
6435 /* Call all the various subsystem cleanup routines to deallocate memory or */
6436 /* destroy locks or whatever they've done that they need to now undo. */
6437 /* The order here IS important as there are some cross references of */
6438 /* internal data structures. */
6439 /* ------------------------------------------------------------------------ */
6440 void fr_deinitialise()
6446 #ifdef IPFILTER_SCAN
6451 #ifdef IPFILTER_COMPILED
6455 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
6456 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
6457 (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
6458 (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE);
6460 #ifdef IPFILTER_LOOKUP
6470 /* ------------------------------------------------------------------------ */
6471 /* Function: fr_zerostats */
6472 /* Returns: int - 0 = success, else failure */
6473 /* Parameters: data(O) - pointer to pointer for copying data back to */
6475 /* Copies the current statistics out to userspace and then zero's the */
6476 /* current ones in the kernel. The lock is only held across the bzero() as */
6477 /* the copyout may result in paging (ie network activity.) */
6478 /* ------------------------------------------------------------------------ */
6479 int fr_zerostats(data)
6486 error = fr_outobj(data, &fio, IPFOBJ_IPFSTAT);
6490 WRITE_ENTER(&ipf_mutex);
6491 bzero(&frstats, sizeof(frstats));
6492 RWLOCK_EXIT(&ipf_mutex);
6498 /* ------------------------------------------------------------------------ */
6499 /* Function: fr_resolvedest */
6501 /* Parameters: fdp(IO) - pointer to destination information to resolve */
6502 /* v(I) - IP protocol version to match */
6504 /* Looks up an interface name in the frdest structure pointed to by fdp and */
6505 /* if a matching name can be found for the particular IP protocol version */
6506 /* then store the interface pointer in the frdest struct. If no match is */
6507 /* found, then set the interface pointer to be -1 as NULL is considered to */
6508 /* indicate there is no information at all in the structure. */
6509 /* ------------------------------------------------------------------------ */
6510 void fr_resolvedest(fdp, v)
6519 if (*fdp->fd_ifname != '\0') {
6520 ifp = GETIFP(fdp->fd_ifname, v);
6528 /* ------------------------------------------------------------------------ */
6529 /* Function: fr_resolvenic */
6530 /* Returns: void* - NULL = wildcard name, -1 = failed to find NIC, else */
6531 /* pointer to interface structure for NIC */
6532 /* Parameters: name(I) - complete interface name */
6533 /* v(I) - IP protocol version */
6535 /* Look for a network interface structure that firstly has a matching name */
6536 /* to that passed in and that is also being used for that IP protocol */
6537 /* version (necessary on some platforms where there are separate listings */
6538 /* for both IPv4 and IPv6 on the same physical NIC. */
6540 /* One might wonder why name gets terminated with a \0 byte in here. The */
6541 /* reason is an interface name could get into the kernel structures of ipf */
6542 /* in any number of ways and so long as they all use the same sized array */
6543 /* to put the name in, it makes sense to ensure it gets null terminated */
6544 /* before it is used for its intended purpose - finding its match in the */
6545 /* kernel's list of configured interfaces. */
6547 /* NOTE: This SHOULD ONLY be used with IPFilter structures that have an */
6548 /* array for the name that is LIFNAMSIZ bytes (at least) in length. */
6549 /* ------------------------------------------------------------------------ */
6550 void *fr_resolvenic(name, v)
6556 if (name[0] == '\0')
6559 if ((name[1] == '\0') && ((name[0] == '-') || (name[0] == '*'))) {
6563 name[LIFNAMSIZ - 1] = '\0';
6565 nic = GETIFP(name, v);
6572 ipftoken_t *ipftokenhead = NULL, **ipftokentail = &ipftokenhead;
6575 /* ------------------------------------------------------------------------ */
6576 /* Function: ipf_expiretokens */
6577 /* Returns: None. */
6578 /* Parameters: None. */
6580 /* This function is run every ipf tick to see if there are any tokens that */
6581 /* have been held for too long and need to be freed up. */
6582 /* ------------------------------------------------------------------------ */
6583 void ipf_expiretokens()
6587 WRITE_ENTER(&ipf_tokens);
6588 while ((it = ipftokenhead) != NULL) {
6589 if (it->ipt_die > fr_ticks)
6594 RWLOCK_EXIT(&ipf_tokens);
6598 /* ------------------------------------------------------------------------ */
6599 /* Function: ipf_deltoken */
6600 /* Returns: int - 0 = success, else error */
6601 /* Parameters: type(I) - the token type to match */
6602 /* uid(I) - uid owning the token */
6603 /* ptr(I) - context pointer for the token */
6605 /* This function looks for a a token in the current list that matches up */
6606 /* the fields (type, uid, ptr). If none is found, ESRCH is returned, else */
6607 /* call ipf_freetoken() to remove it from the list. */
6608 /* ------------------------------------------------------------------------ */
6609 int ipf_deltoken(type, uid, ptr)
6616 WRITE_ENTER(&ipf_tokens);
6617 for (it = ipftokenhead; it != NULL; it = it->ipt_next)
6618 if (ptr == it->ipt_ctx && type == it->ipt_type &&
6619 uid == it->ipt_uid) {
6624 RWLOCK_EXIT(&ipf_tokens);
6630 /* ------------------------------------------------------------------------ */
6631 /* Function: ipf_findtoken */
6632 /* Returns: ipftoken_t * - NULL if no memory, else pointer to token */
6633 /* Parameters: type(I) - the token type to match */
6634 /* uid(I) - uid owning the token */
6635 /* ptr(I) - context pointer for the token */
6637 /* This function looks for a live token in the list of current tokens that */
6638 /* matches the tuple (type, uid, ptr). If one cannot be found then one is */
6639 /* allocated. If one is found then it is moved to the top of the list of */
6640 /* currently active tokens. */
6642 /* NOTE: It is by design that this function returns holding a read lock on */
6643 /* ipf_tokens. Callers must make sure they release it! */
6644 /* ------------------------------------------------------------------------ */
6645 ipftoken_t *ipf_findtoken(type, uid, ptr)
6649 ipftoken_t *it, *new;
6651 KMALLOC(new, ipftoken_t *);
6653 WRITE_ENTER(&ipf_tokens);
6654 for (it = ipftokenhead; it != NULL; it = it->ipt_next) {
6655 if (it->ipt_alive == 0)
6657 if (ptr == it->ipt_ctx && type == it->ipt_type &&
6667 it->ipt_data = NULL;
6670 it->ipt_type = type;
6671 it->ipt_next = NULL;
6679 ipf_unlinktoken(it);
6681 it->ipt_pnext = ipftokentail;
6683 ipftokentail = &it->ipt_next;
6684 it->ipt_next = NULL;
6686 it->ipt_die = fr_ticks + 2;
6688 MUTEX_DOWNGRADE(&ipf_tokens);
6694 /* ------------------------------------------------------------------------ */
6695 /* Function: ipf_unlinktoken */
6696 /* Returns: None. */
6697 /* Parameters: token(I) - pointer to token structure */
6699 /* This function unlinks a token structure from the linked list of tokens */
6700 /* that "own" it. The head pointer never needs to be explicitly adjusted */
6701 /* but the tail does due to the linked list implementation. */
6702 /* ------------------------------------------------------------------------ */
6703 static void ipf_unlinktoken(token)
6707 if (ipftokentail == &token->ipt_next)
6708 ipftokentail = token->ipt_pnext;
6710 *token->ipt_pnext = token->ipt_next;
6711 if (token->ipt_next != NULL)
6712 token->ipt_next->ipt_pnext = token->ipt_pnext;
6716 /* ------------------------------------------------------------------------ */
6717 /* Function: ipf_freetoken */
6718 /* Returns: None. */
6719 /* Parameters: token(I) - pointer to token structure */
6721 /* This function unlinks a token from the linked list and on the path to */
6722 /* free'ing the data, it calls the dereference function that is associated */
6723 /* with the type of data pointed to by the token as it is considered to */
6724 /* hold a reference to it. */
6725 /* ------------------------------------------------------------------------ */
6726 void ipf_freetoken(token)
6729 void *data, **datap;
6731 ipf_unlinktoken(token);
6733 data = token->ipt_data;
6736 if ((data != NULL) && (data != (void *)-1)) {
6737 switch (token->ipt_type)
6739 case IPFGENITER_IPF :
6740 (void) fr_derefrule((frentry_t **)datap);
6742 case IPFGENITER_IPNAT :
6743 WRITE_ENTER(&ipf_nat);
6744 fr_ipnatderef((ipnat_t **)datap);
6745 RWLOCK_EXIT(&ipf_nat);
6747 case IPFGENITER_NAT :
6748 fr_natderef((nat_t **)datap);
6750 case IPFGENITER_STATE :
6751 fr_statederef((ipstate_t **)datap);
6753 case IPFGENITER_FRAG :
6755 fr_fragderef((ipfr_t **)datap, &ipf_frag);
6757 fr_fragderef((ipfr_t **)datap);
6760 case IPFGENITER_NATFRAG :
6762 fr_fragderef((ipfr_t **)datap, &ipf_natfrag);
6764 fr_fragderef((ipfr_t **)datap);
6767 case IPFGENITER_HOSTMAP :
6768 WRITE_ENTER(&ipf_nat);
6769 fr_hostmapdel((hostmap_t **)datap);
6770 RWLOCK_EXIT(&ipf_nat);
6773 #ifdef IPFILTER_LOOKUP
6774 ip_lookup_iterderef(token->ipt_type, data);
6784 /* ------------------------------------------------------------------------ */
6785 /* Function: ipf_getnextrule */
6786 /* Returns: int - 0 = success, else error */
6787 /* Parameters: t(I) - pointer to destination information to resolve */
6788 /* ptr(I) - pointer to ipfobj_t to copyin from user space */
6790 /* This function's first job is to bring in the ipfruleiter_t structure via */
6791 /* the ipfobj_t structure to determine what should be the next rule to */
6792 /* return. Once the ipfruleiter_t has been brought in, it then tries to */
6793 /* find the 'next rule'. This may include searching rule group lists or */
6794 /* just be as simple as looking at the 'next' field in the rule structure. */
6795 /* When we have found the rule to return, increase its reference count and */
6796 /* if we used an existing rule to get here, decrease its reference count. */
6797 /* ------------------------------------------------------------------------ */
6798 int ipf_getnextrule(ipftoken_t *t, void *ptr)
6800 frentry_t *fr, *next, zero;
6801 int error, count, out;
6806 if (t == NULL || ptr == NULL)
6808 error = fr_inobj(ptr, &it, IPFOBJ_IPFITER);
6811 if ((it.iri_inout < 0) || (it.iri_inout > 3))
6813 if ((it.iri_active != 0) && (it.iri_active != 1))
6815 if (it.iri_nrules == 0)
6817 if (it.iri_rule == NULL)
6820 out = it.iri_inout & F_OUT;
6822 READ_ENTER(&ipf_mutex);
6824 if (*it.iri_group == '\0') {
6825 if ((it.iri_inout & F_ACIN) != 0) {
6827 next = ipacct[out][it.iri_active];
6829 next = ipacct6[out][it.iri_active];
6832 next = ipfilter[out][it.iri_active];
6834 next = ipfilter6[out][it.iri_active];
6837 fg = fr_findgroup(it.iri_group, IPL_LOGIPF,
6838 it.iri_active, NULL);
6840 next = fg->fg_start;
6848 dst = (char *)it.iri_rule;
6849 count = it.iri_nrules;
6851 * The ipfruleiter may ask for more than 1 rule at a time to be
6852 * copied out, so long as that many exist in the list to start with!
6857 MUTEX_ENTER(&next->fr_lock);
6859 MUTEX_EXIT(&next->fr_lock);
6863 bzero(&zero, sizeof(zero));
6868 RWLOCK_EXIT(&ipf_mutex);
6870 error = COPYOUT(next, dst, sizeof(*next));
6874 if (next->fr_data != NULL) {
6875 dst += sizeof(*next);
6876 error = COPYOUT(next->fr_data, dst, next->fr_dsize);
6880 dst += next->fr_dsize;
6883 if ((count == 1) || (error != 0))
6888 READ_ENTER(&ipf_mutex);
6889 next = next->fr_next;
6893 (void) fr_derefrule(&fr);
6900 /* ------------------------------------------------------------------------ */
6901 /* Function: fr_frruleiter */
6902 /* Returns: int - 0 = success, else error */
6903 /* Parameters: data(I) - the token type to match */
6904 /* uid(I) - uid owning the token */
6905 /* ptr(I) - context pointer for the token */
6907 /* This function serves as a stepping stone between fr_ipf_ioctl and */
6908 /* ipf_getnextrule. It's role is to find the right token in the kernel for */
6909 /* the process doing the ioctl and use that to ask for the next rule. */
6910 /* ------------------------------------------------------------------------ */
6911 static int ipf_frruleiter(data, uid, ctx)
6918 token = ipf_findtoken(IPFGENITER_IPF, uid, ctx);
6920 error = ipf_getnextrule(token, data);
6923 RWLOCK_EXIT(&ipf_tokens);
6929 /* ------------------------------------------------------------------------ */
6930 /* Function: fr_geniter */
6931 /* Returns: int - 0 = success, else error */
6932 /* Parameters: token(I) - pointer to ipftoken_t structure */
6935 /* ------------------------------------------------------------------------ */
6936 static int ipf_geniter(token, itp)
6942 switch (itp->igi_type)
6944 case IPFGENITER_FRAG :
6946 error = fr_nextfrag(token, itp,
6947 &ipfr_list, &ipfr_tail, &ipf_frag);
6949 error = fr_nextfrag(token, itp, &ipfr_list, &ipfr_tail);
6961 /* ------------------------------------------------------------------------ */
6962 /* Function: fr_genericiter */
6963 /* Returns: int - 0 = success, else error */
6964 /* Parameters: data(I) - the token type to match */
6965 /* uid(I) - uid owning the token */
6966 /* ptr(I) - context pointer for the token */
6968 /* ------------------------------------------------------------------------ */
6969 int ipf_genericiter(data, uid, ctx)
6977 error = fr_inobj(data, &iter, IPFOBJ_GENITER);
6981 token = ipf_findtoken(iter.igi_type, uid, ctx);
6982 if (token != NULL) {
6983 token->ipt_subtype = iter.igi_type;
6984 error = ipf_geniter(token, &iter);
6987 RWLOCK_EXIT(&ipf_tokens);
6993 /* ------------------------------------------------------------------------ */
6994 /* Function: fr_ipf_ioctl */
6995 /* Returns: int - 0 = success, else error */
6996 /* Parameters: data(I) - the token type to match */
6997 /* cmd(I) - the ioctl command number */
6998 /* mode(I) - mode flags for the ioctl */
6999 /* uid(I) - uid owning the token */
7000 /* ptr(I) - context pointer for the token */
7002 /* This function handles all of the ioctl command that are actually isssued */
7003 /* to the /dev/ipl device. */
7004 /* ------------------------------------------------------------------------ */
7005 int fr_ipf_ioctl(data, cmd, mode, uid, ctx)
7018 if (!(mode & FWRITE))
7021 error = BCOPYIN(data, &tmp, sizeof(tmp));
7027 WRITE_ENTER(&ipf_global);
7032 error = ipfattach();
7038 error = ipfdetach();
7042 RWLOCK_EXIT(&ipf_global);
7047 if (!(mode & FWRITE)) {
7052 case SIOCIPFGETNEXT :
7054 error = fr_ipftune(cmd, (void *)data);
7058 if (!(mode & FWRITE))
7061 error = BCOPYIN(data, &fr_flags, sizeof(fr_flags));
7068 error = BCOPYOUT(&fr_flags, data, sizeof(fr_flags));
7074 error = fr_resolvefunc((void *)data);
7081 if (!(mode & FWRITE))
7084 error = frrequest(IPL_LOGIPF, cmd, data, fr_active, 1);
7090 if (!(mode & FWRITE))
7093 error = frrequest(IPL_LOGIPF, cmd, data,
7098 if (!(mode & FWRITE))
7101 WRITE_ENTER(&ipf_mutex);
7102 bzero((char *)frcache, sizeof(frcache[0]) * 2);
7103 error = BCOPYOUT(&fr_active, data, sizeof(fr_active));
7107 fr_active = 1 - fr_active;
7108 RWLOCK_EXIT(&ipf_mutex);
7114 error = fr_outobj((void *)data, &fio, IPFOBJ_IPFSTAT);
7118 if (!(mode & FWRITE))
7121 error = fr_zerostats(data);
7125 if (!(mode & FWRITE))
7128 error = BCOPYIN(data, &tmp, sizeof(tmp));
7130 tmp = frflush(IPL_LOGIPF, 4, tmp);
7131 error = BCOPYOUT(&tmp, data, sizeof(tmp));
7141 if (!(mode & FWRITE))
7144 error = BCOPYIN(data, &tmp, sizeof(tmp));
7146 tmp = frflush(IPL_LOGIPF, 6, tmp);
7147 error = BCOPYOUT(&tmp, data, sizeof(tmp));
7157 error = BCOPYIN(data, &tmp, sizeof(tmp));
7159 fr_state_lock = tmp;
7169 if (!(mode & FWRITE))
7172 tmp = ipflog_clear(IPL_LOGIPF);
7173 error = BCOPYOUT(&tmp, data, sizeof(tmp));
7178 #endif /* IPFILTER_LOG */
7181 if (!(mode & FWRITE))
7184 WRITE_ENTER(&ipf_global);
7191 RWLOCK_EXIT(&ipf_global);
7197 error = fr_outobj((void *)data, fr_fragstats(),
7203 tmp = (int)iplused[IPL_LOGIPF];
7205 error = BCOPYOUT(&tmp, data, sizeof(tmp));
7211 error = ipf_frruleiter(data, uid, ctx);
7217 error = ipf_genericiter(data, uid, ctx);
7221 case SIOCIPFDELTOK :
7223 error = BCOPYIN(data, &tmp, sizeof(tmp));
7225 error = ipf_deltoken(tmp, uid, ctx);
7238 /* ------------------------------------------------------------------------ */
7239 /* Function: ipf_queueflush */
7240 /* Returns: int - number of entries flushed (0 = none) */
7241 /* Parameters: deletefn(I) - function to call to delete entry */
7242 /* ipfqs(I) - top of the list of ipf internal queues */
7243 /* userqs(I) - top of the list of user defined timeouts */
7245 /* This fucntion gets called when the state/NAT hash tables fill up and we */
7246 /* need to try a bit harder to free up some space. The algorithm used is */
7247 /* to look for the oldest entries on each timeout queue and free them if */
7248 /* they are within the given window we are considering. Where the window */
7249 /* starts and the steps taken to increase its size depend upon how long ipf */
7250 /* has been running (fr_ticks.) Anything modified in the last 30 seconds */
7251 /* is not touched. */
7253 /* die fr_ticks 30*1.5 1800*1.5 | 43200*1.5 */
7255 /* future <--+----------+--------+-----------+-----+-----+-----------> past */
7256 /* now \_int=30s_/ \_int=1hr_/ \_int=12hr */
7258 /* Points to note: */
7259 /* - tqe_die is the time, in the future, when entries die. */
7260 /* - tqe_die - fr_ticks is how long left the connection has to live in ipf */
7262 /* - tqe_touched is when the entry was last used by NAT/state */
7263 /* - the closer tqe_touched is to fr_ticks, the further tqe_die will be for */
7264 /* any given timeout queue and vice versa. */
7265 /* - both tqe_die and tqe_touched increase over time */
7266 /* - timeout queues are sorted with the highest value of tqe_die at the */
7267 /* bottom and therefore the smallest values of each are at the top */
7269 /* We start by setting up a maximum range to scan for things to move of */
7270 /* iend (newest) to istart (oldest) in chunks of "interval". If nothing is */
7271 /* found in that range, "interval" is adjusted (so long as it isn't 30) and */
7272 /* we start again with a new value for "iend" and "istart". The downside */
7273 /* of the current implementation is that it may return removing just 1 entry*/
7274 /* every time (pathological case) where it could remove more. */
7275 /* ------------------------------------------------------------------------ */
7276 int ipf_queueflush(deletefn, ipfqs, userqs)
7277 ipftq_delete_fn_t deletefn;
7278 ipftq_t *ipfqs, *userqs;
7280 u_long interval, istart, iend;
7281 ipftq_t *ifq, *ifqnext;
7282 ipftqent_t *tqe, *tqn;
7286 * NOTE: Use of "* 15 / 10" is required here because if "* 1.5" is
7287 * used then the operations are upgraded to floating point
7288 * and kernels don't like floating point...
7290 if (fr_ticks > IPF_TTLVAL(43200 * 15 / 10)) {
7291 istart = IPF_TTLVAL(86400 * 4);
7292 interval = IPF_TTLVAL(43200);
7293 } else if (fr_ticks > IPF_TTLVAL(1800 * 15 / 10)) {
7294 istart = IPF_TTLVAL(43200);
7295 interval = IPF_TTLVAL(1800);
7296 } else if (fr_ticks > IPF_TTLVAL(30 * 15 / 10)) {
7297 istart = IPF_TTLVAL(1800);
7298 interval = IPF_TTLVAL(30);
7302 if (istart > fr_ticks) {
7303 if (fr_ticks - interval < interval)
7306 istart = (fr_ticks / interval) * interval;
7309 iend = fr_ticks - interval;
7315 try = fr_ticks - istart;
7317 for (ifq = ipfqs; ifq != NULL; ifq = ifq->ifq_next) {
7318 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
7319 if (try < tqe->tqe_touched)
7321 tqn = tqe->tqe_next;
7322 if ((*deletefn)(tqe->tqe_parent) == 0)
7327 for (ifq = userqs; ifq != NULL; ifq = ifqnext) {
7328 ifqnext = ifq->ifq_next;
7330 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
7331 if (try < tqe->tqe_touched)
7333 tqn = tqe->tqe_next;
7334 if ((*deletefn)(tqe->tqe_parent) == 0)
7342 if (interval == IPF_TTLVAL(43200)) {
7343 interval = IPF_TTLVAL(1800);
7344 } else if (interval == IPF_TTLVAL(1800)) {
7345 interval = IPF_TTLVAL(30);
7349 if (interval >= fr_ticks)
7352 iend = fr_ticks - interval;
projects / FreeBSD / releng / 9.2.git / blob