4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
9 static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
10 static const char rcsid[] = "@(#)$Id$";
13 #if defined(KERNEL) || defined(_KERNEL)
19 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
20 !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
21 # include "opt_inet6.h"
23 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 440000) && \
24 !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
25 # include "opt_random_ip_id.h"
27 #include <sys/param.h>
28 #include <sys/errno.h>
29 #include <sys/types.h>
31 # include <sys/fcntl.h>
32 # include <sys/filio.h>
34 #include <sys/systm.h>
35 # include <sys/dirent.h>
36 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 800000)
39 # include <sys/mbuf.h>
40 # include <sys/sockopt.h>
42 # include <sys/mbuf.h>
44 #include <sys/socket.h>
45 # include <sys/selinfo.h>
46 # include <netinet/tcp_var.h>
49 # include <net/if_var.h>
50 # include <net/netisr.h>
51 #include <net/route.h>
52 #include <netinet/in.h>
53 #include <netinet/in_var.h>
54 #include <netinet/in_systm.h>
55 #include <netinet/ip.h>
56 #include <netinet/ip_var.h>
57 #include <netinet/tcp.h>
58 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 800000)
61 #define CURVNET_SET(arg)
62 #define CURVNET_RESTORE()
64 #include <netinet/udp.h>
65 #include <netinet/tcpip.h>
66 #include <netinet/ip_icmp.h>
67 #include "netinet/ip_compat.h"
69 # include <netinet/icmp6.h>
71 #include "netinet/ip_fil.h"
72 #include "netinet/ip_nat.h"
73 #include "netinet/ip_frag.h"
74 #include "netinet/ip_state.h"
75 #include "netinet/ip_proxy.h"
76 #include "netinet/ip_auth.h"
77 #include "netinet/ip_sync.h"
78 #include "netinet/ip_lookup.h"
79 #include "netinet/ip_dstlist.h"
81 #include "netinet/ip_scan.h"
83 #include "netinet/ip_pool.h"
84 # include <sys/malloc.h>
85 #include <sys/kernel.h>
86 #ifdef CSUM_DATA_VALID
87 #include <machine/in_cksum.h>
89 extern int ip_optcopy __P((struct ip *, struct ip *));
91 # ifdef IPFILTER_M_IPFILTER
92 MALLOC_DEFINE(M_IPFILTER, "ipfilter", "IP Filter packet filter data structures");
96 static u_short ipid = 0;
97 static int (*ipf_savep) __P((void *, ip_t *, int, void *, int, struct mbuf **));
98 static int ipf_send_ip __P((fr_info_t *, mb_t *));
99 static void ipf_timer_func __P((void *arg));
100 int ipf_locks_done = 0;
102 ipf_main_softc_t ipfmain;
104 # include <sys/conf.h>
105 # if defined(NETBSD_PF)
106 # include <net/pfil.h>
107 # endif /* NETBSD_PF */
109 * We provide the ipf_checkp name just to minimize changes later.
111 int (*ipf_checkp) __P((void *, ip_t *ip, int hlen, void *ifp, int out, mb_t **mp));
114 static eventhandler_tag ipf_arrivetag, ipf_departtag, ipf_clonetag;
116 static void ipf_ifevent(void *arg);
118 static void ipf_ifevent(arg)
127 ipf_check_wrapper(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
129 struct ip *ip = mtod(*mp, struct ip *);
133 * IPFilter expects evreything in network byte order
135 #if (__FreeBSD_version < 1000019)
136 ip->ip_len = htons(ip->ip_len);
137 ip->ip_off = htons(ip->ip_off);
139 rv = ipf_check(&ipfmain, ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT),
141 #if (__FreeBSD_version < 1000019)
142 if ((rv == 0) && (*mp != NULL)) {
143 ip = mtod(*mp, struct ip *);
144 ip->ip_len = ntohs(ip->ip_len);
145 ip->ip_off = ntohs(ip->ip_off);
152 # include <netinet/ip6.h>
155 ipf_check_wrapper6(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
157 return (ipf_check(&ipfmain, mtod(*mp, struct ip *),
158 sizeof(struct ip6_hdr), ifp, (dir == PFIL_OUT), mp));
161 #if defined(IPFILTER_LKM)
165 if (strcmp(s, "ipl") == 0)
169 #endif /* IPFILTER_LKM */
176 ipf_main_softc_t *softc = arg;
180 READ_ENTER(&softc->ipf_global);
182 if (softc->ipf_running > 0)
183 ipf_slowtimer(softc);
185 if (softc->ipf_running == -1 || softc->ipf_running == 1) {
187 softc->ipf_slow_ch = timeout(ipf_timer_func, softc, hz/2);
189 callout_init(&softc->ipf_slow_ch, 1);
190 callout_reset(&softc->ipf_slow_ch,
191 (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT,
192 ipf_timer_func, softc);
194 RWLOCK_EXIT(&softc->ipf_global);
201 ipf_main_softc_t *softc;
208 if (softc->ipf_running > 0) {
213 if (ipf_init_all(softc) < 0) {
219 if (ipf_checkp != ipf_check) {
220 ipf_savep = ipf_checkp;
221 ipf_checkp = ipf_check;
224 bzero((char *)ipfmain.ipf_selwait, sizeof(ipfmain.ipf_selwait));
225 softc->ipf_running = 1;
227 if (softc->ipf_control_forwarding & 1)
234 softc->ipf_slow_ch = timeout(ipf_timer_func, softc,
235 (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
237 callout_init(&softc->ipf_slow_ch, 1);
238 callout_reset(&softc->ipf_slow_ch, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT,
239 ipf_timer_func, softc);
245 * Disable the filter by removing the hooks from the IP input/output
250 ipf_main_softc_t *softc;
256 if (softc->ipf_control_forwarding & 2)
262 if (softc->ipf_slow_ch.callout != NULL)
263 untimeout(ipf_timer_func, softc, softc->ipf_slow_ch);
264 bzero(&softc->ipf_slow, sizeof(softc->ipf_slow));
266 callout_drain(&softc->ipf_slow_ch);
269 if (ipf_checkp != NULL)
270 ipf_checkp = ipf_savep;
276 softc->ipf_running = -2;
285 * Filter ioctl interface.
288 ipfioctl(dev, cmd, data, mode, p)
290 # define p_cred td_ucred
291 # define p_uid td_ucred->cr_ruid
297 int error = 0, unit = 0;
301 if (securelevel_ge(p->p_cred, 3) && (mode & FWRITE))
303 ipfmain.ipf_interror = 130001;
308 unit = GET_MINOR(dev);
309 if ((IPL_LOGMAX < unit) || (unit < 0)) {
310 ipfmain.ipf_interror = 130002;
314 if (ipfmain.ipf_running <= 0) {
315 if (unit != IPL_LOGIPF && cmd != SIOCIPFINTERROR) {
316 ipfmain.ipf_interror = 130003;
319 if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET &&
320 cmd != SIOCIPFSET && cmd != SIOCFRENB &&
321 cmd != SIOCGETFS && cmd != SIOCGETFF &&
322 cmd != SIOCIPFINTERROR) {
323 ipfmain.ipf_interror = 130004;
330 CURVNET_SET(TD_TO_VNET(p));
331 error = ipf_ioctlswitch(&ipfmain, unit, data, cmd, mode, p->p_uid, p);
345 * ipf_send_reset - this could conceivably be a call to tcp_respond(), but that
346 * requires a large amount of setting up and isn't any more efficient.
352 struct tcphdr *tcp, *tcp2;
361 if (tcp->th_flags & TH_RST)
362 return -1; /* feedback loop */
364 if (ipf_checkl4sum(fin) == -1)
367 tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
368 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
369 ((tcp->th_flags & TH_FIN) ? 1 : 0);
372 hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
377 MGETHDR(m, M_DONTWAIT, MT_HEADER);
379 MGET(m, M_DONTWAIT, MT_HEADER);
383 if (sizeof(*tcp2) + hlen > MLEN) {
384 MCLGET(m, M_DONTWAIT);
385 if ((m->m_flags & M_EXT) == 0) {
391 m->m_len = sizeof(*tcp2) + hlen;
393 m->m_data += max_linkhdr;
394 m->m_pkthdr.len = m->m_len;
395 m->m_pkthdr.rcvif = (struct ifnet *)0;
397 ip = mtod(m, struct ip *);
398 bzero((char *)ip, hlen);
402 tcp2 = (struct tcphdr *)((char *)ip + hlen);
403 tcp2->th_sport = tcp->th_dport;
404 tcp2->th_dport = tcp->th_sport;
406 if (tcp->th_flags & TH_ACK) {
407 tcp2->th_seq = tcp->th_ack;
408 tcp2->th_flags = TH_RST;
412 tcp2->th_ack = ntohl(tcp->th_seq);
413 tcp2->th_ack += tlen;
414 tcp2->th_ack = htonl(tcp2->th_ack);
415 tcp2->th_flags = TH_RST|TH_ACK;
418 TCP_OFF_A(tcp2, sizeof(*tcp2) >> 2);
419 tcp2->th_win = tcp->th_win;
424 if (fin->fin_v == 6) {
425 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
426 ip6->ip6_plen = htons(sizeof(struct tcphdr));
427 ip6->ip6_nxt = IPPROTO_TCP;
429 ip6->ip6_src = fin->fin_dst6.in6;
430 ip6->ip6_dst = fin->fin_src6.in6;
431 tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
432 sizeof(*ip6), sizeof(*tcp2));
433 return ipf_send_ip(fin, m);
436 ip->ip_p = IPPROTO_TCP;
437 ip->ip_len = htons(sizeof(struct tcphdr));
438 ip->ip_src.s_addr = fin->fin_daddr;
439 ip->ip_dst.s_addr = fin->fin_saddr;
440 tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
441 ip->ip_len = htons(hlen + sizeof(*tcp2));
442 return ipf_send_ip(fin, m);
447 * ip_len must be in network byte order when called.
458 ip = mtod(m, ip_t *);
459 bzero((char *)&fnew, sizeof(fnew));
460 fnew.fin_main_soft = fin->fin_main_soft;
462 IP_V_A(ip, fin->fin_v);
469 fnew.fin_p = ip->ip_p;
470 fnew.fin_plen = ntohs(ip->ip_len);
471 IP_HL_A(ip, sizeof(*oip) >> 2);
472 ip->ip_tos = oip->ip_tos;
473 ip->ip_id = fin->fin_ip->ip_id;
474 ip->ip_off = htons(V_path_mtu_discovery ? IP_DF : 0);
475 ip->ip_ttl = V_ip_defttl;
481 ip6_t *ip6 = (ip6_t *)ip;
484 ip6->ip6_hlim = IPDEFTTL;
487 fnew.fin_p = ip6->ip6_nxt;
489 fnew.fin_plen = ntohs(ip6->ip6_plen) + hlen;
497 m->m_pkthdr.rcvif = NULL;
500 fnew.fin_ifp = fin->fin_ifp;
501 fnew.fin_flx = FI_NOCKSUM;
505 fnew.fin_hlen = hlen;
506 fnew.fin_dp = (char *)ip + hlen;
507 (void) ipf_makefrip(hlen, ip, &fnew);
509 return ipf_fastroute(m, &m, &fnew, NULL);
514 ipf_send_icmp_err(type, fin, dst)
519 int err, hlen, xtra, iclen, ohlen, avail, code;
530 if ((type < 0) || (type >= ICMP_MAXTYPE))
533 code = fin->fin_icode;
535 /* See NetBSD ip_fil_netbsd.c r1.4: */
536 if ((code < 0) || (code >= sizeof(icmptoicmp6unreach)/sizeof(int)))
540 if (ipf_checkl4sum(fin) == -1)
543 MGETHDR(m, M_DONTWAIT, MT_HEADER);
545 MGET(m, M_DONTWAIT, MT_HEADER);
556 if (fin->fin_v == 4) {
557 if ((fin->fin_p == IPPROTO_ICMP) && !(fin->fin_flx & FI_SHORT))
558 switch (ntohs(fin->fin_data[0]) >> 8)
571 if (ipf_ifpaddr(&ipfmain, 4, FRI_NORMAL, ifp,
572 &dst6, NULL) == -1) {
578 dst4.s_addr = fin->fin_daddr;
581 ohlen = fin->fin_hlen;
582 iclen = hlen + offsetof(struct icmp, icmp_ip) + ohlen;
583 if (fin->fin_hlen < fin->fin_plen)
584 xtra = MIN(fin->fin_dlen, 8);
590 else if (fin->fin_v == 6) {
591 hlen = sizeof(ip6_t);
592 ohlen = sizeof(ip6_t);
593 iclen = hlen + offsetof(struct icmp, icmp_ip) + ohlen;
594 type = icmptoicmp6types[type];
595 if (type == ICMP6_DST_UNREACH)
596 code = icmptoicmp6unreach[code];
598 if (iclen + max_linkhdr + fin->fin_plen > avail) {
599 MCLGET(m, M_DONTWAIT);
600 if ((m->m_flags & M_EXT) == 0) {
606 xtra = MIN(fin->fin_plen, avail - iclen - max_linkhdr);
607 xtra = MIN(xtra, IPV6_MMTU - iclen);
609 if (ipf_ifpaddr(&ipfmain, 6, FRI_NORMAL, ifp,
610 &dst6, NULL) == -1) {
615 dst6 = fin->fin_dst6;
623 avail -= (max_linkhdr + iclen);
631 m->m_data += max_linkhdr;
632 m->m_pkthdr.rcvif = (struct ifnet *)0;
633 m->m_pkthdr.len = iclen;
635 ip = mtod(m, ip_t *);
636 icmp = (struct icmp *)((char *)ip + hlen);
637 ip2 = (ip_t *)&icmp->icmp_ip;
639 icmp->icmp_type = type;
640 icmp->icmp_code = fin->fin_icode;
641 icmp->icmp_cksum = 0;
643 if (type == ICMP_UNREACH && fin->fin_icode == ICMP_UNREACH_NEEDFRAG) {
644 if (fin->fin_mtu != 0) {
645 icmp->icmp_nextmtu = htons(fin->fin_mtu);
647 } else if (ifp != NULL) {
648 icmp->icmp_nextmtu = htons(GETIFMTU_4(ifp));
650 } else { /* make up a number... */
651 icmp->icmp_nextmtu = htons(fin->fin_plen - 20);
656 bcopy((char *)fin->fin_ip, (char *)ip2, ohlen);
660 if (fin->fin_v == 6) {
661 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
662 ip6->ip6_plen = htons(iclen - hlen);
663 ip6->ip6_nxt = IPPROTO_ICMPV6;
665 ip6->ip6_src = dst6.in6;
666 ip6->ip6_dst = fin->fin_src6.in6;
668 bcopy((char *)fin->fin_ip + ohlen,
669 (char *)&icmp->icmp_ip + ohlen, xtra);
670 icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
671 sizeof(*ip6), iclen - hlen);
675 ip->ip_p = IPPROTO_ICMP;
676 ip->ip_src.s_addr = dst4.s_addr;
677 ip->ip_dst.s_addr = fin->fin_saddr;
680 bcopy((char *)fin->fin_ip + ohlen,
681 (char *)&icmp->icmp_ip + ohlen, xtra);
682 icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
684 ip->ip_len = htons(iclen);
685 ip->ip_p = IPPROTO_ICMP;
687 err = ipf_send_ip(fin, m);
695 * m0 - pointer to mbuf where the IP packet starts
696 * mpp - pointer to the mbuf pointer that is the start of the mbuf chain
699 ipf_fastroute(m0, mpp, fin, fdp)
704 register struct ip *ip, *mhip;
705 register struct mbuf *m = *mpp;
706 register struct route *ro;
707 int len, off, error = 0, hlen, code;
708 struct ifnet *ifp, *sifp;
709 struct sockaddr_in *dst;
710 struct route iproute;
721 * If the mbuf we're about to send is not writable (because of
722 * a cluster reference, for example) we'll need to make a copy
723 * of it since this routine modifies the contents.
725 * If you have non-crappy network hardware that can transmit data
726 * from the mbuf, rather than making a copy, this is gonna be a
729 if (M_WRITABLE(m) == 0) {
730 m0 = m_dup(m, M_DONTWAIT);
744 if (fin->fin_v == 6) {
746 * currently "to <if>" and "to <if>:ip#" are not supported
749 return ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
753 hlen = fin->fin_hlen;
754 ip = mtod(m0, struct ip *);
761 bzero(ro, sizeof (*ro));
762 dst = (struct sockaddr_in *)&ro->ro_dst;
763 dst->sin_family = AF_INET;
764 dst->sin_addr = ip->ip_dst;
767 if ((fr != NULL) && !(fr->fr_flags & FR_KEEPSTATE) && (fdp != NULL) &&
768 (fdp->fd_type == FRD_DSTLIST)) {
769 if (ipf_dstlist_select_node(fin, fdp->fd_ptr, NULL, &node) == 0)
778 if ((ifp == NULL) && ((fr == NULL) || !(fr->fr_flags & FR_FASTROUTE))) {
783 if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
784 dst->sin_addr = fdp->fd_ip;
786 dst->sin_len = sizeof(*dst);
787 in_rtalloc(ro, M_GETFIB(m0));
789 if ((ifp == NULL) && (ro->ro_rt != NULL))
790 ifp = ro->ro_rt->rt_ifp;
792 if ((ro->ro_rt == NULL) || (ifp == NULL)) {
793 if (in_localaddr(ip->ip_dst))
794 error = EHOSTUNREACH;
799 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
800 dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
802 counter_u64_add(ro->ro_rt->rt_pksent, 1);
805 * For input packets which are being "fastrouted", they won't
806 * go back through output filtering and miss their chance to get
807 * NAT'd and counted. Duplicated packets aren't considered to be
808 * part of the normal packet stream, so do not NAT them or pass
809 * them through stateful checking, etc.
811 if ((fdp != &fr->fr_dif) && (fin->fin_out == 0)) {
815 (void) ipf_acctpkt(fin, NULL);
817 if (!fr || !(fr->fr_flags & FR_RETMASK)) {
820 (void) ipf_state_check(fin, &pass);
823 switch (ipf_nat_checkout(fin, NULL))
841 * If small enough for interface, can just send directly.
843 if (ntohs(ip->ip_len) <= ifp->if_mtu) {
845 ip->ip_sum = in_cksum(m, hlen);
846 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
852 * Too large for interface; fragment if possible.
853 * Must be able to put at least 8 bytes per fragment.
855 ip_off = ntohs(ip->ip_off);
856 if (ip_off & IP_DF) {
860 len = (ifp->if_mtu - hlen) &~ 7;
867 int mhlen, firstlen = len;
868 struct mbuf **mnext = &m->m_act;
871 * Loop through length of segment after first fragment,
872 * make new header and copy data of each part and link onto chain.
875 mhlen = sizeof (struct ip);
876 for (off = hlen + len; off < ntohs(ip->ip_len); off += len) {
878 MGETHDR(m, M_DONTWAIT, MT_HEADER);
880 MGET(m, M_DONTWAIT, MT_HEADER);
887 m->m_data += max_linkhdr;
888 mhip = mtod(m, struct ip *);
889 bcopy((char *)ip, (char *)mhip, sizeof(*ip));
890 if (hlen > sizeof (struct ip)) {
891 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
892 IP_HL_A(mhip, mhlen >> 2);
895 mhip->ip_off = ((off - hlen) >> 3) + ip_off;
896 if (off + len >= ntohs(ip->ip_len))
897 len = ntohs(ip->ip_len) - off;
899 mhip->ip_off |= IP_MF;
900 mhip->ip_len = htons((u_short)(len + mhlen));
902 m->m_next = m_copy(m0, off, len);
903 if (m->m_next == 0) {
904 error = ENOBUFS; /* ??? */
907 m->m_pkthdr.len = mhlen + len;
908 m->m_pkthdr.rcvif = NULL;
909 mhip->ip_off = htons((u_short)mhip->ip_off);
911 mhip->ip_sum = in_cksum(m, mhlen);
915 * Update first fragment by trimming what's been copied out
916 * and updating header, then send each fragment (in order).
918 m_adj(m0, hlen + firstlen - ip->ip_len);
919 ip->ip_len = htons((u_short)(hlen + firstlen));
920 ip->ip_off = htons((u_short)IP_MF);
922 ip->ip_sum = in_cksum(m0, hlen);
924 for (m = m0; m; m = m0) {
928 error = (*ifp->if_output)(ifp, m,
929 (struct sockaddr *)dst,
938 ipfmain.ipf_frouteok[0]++;
940 ipfmain.ipf_frouteok[1]++;
942 if ((ro != NULL) && (ro->ro_rt != NULL)) {
947 if (error == EMSGSIZE) {
949 code = fin->fin_icode;
950 fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
952 (void) ipf_send_icmp_err(ICMP_UNREACH, fin, 1);
954 fin->fin_icode = code;
965 struct sockaddr_in *dst;
966 struct route iproute;
968 bzero((char *)&iproute, sizeof(iproute));
969 dst = (struct sockaddr_in *)&iproute.ro_dst;
970 dst->sin_len = sizeof(*dst);
971 dst->sin_family = AF_INET;
972 dst->sin_addr = fin->fin_src;
973 in_rtalloc(&iproute, 0);
974 if (iproute.ro_rt == NULL)
976 return (fin->fin_ifp == iproute.ro_rt->rt_ifp);
981 * return the first IP Address associated with an interface
984 ipf_ifpaddr(softc, v, atype, ifptr, inp, inpmask)
985 ipf_main_softc_t *softc;
988 i6addr_t *inp, *inpmask;
991 struct in6_addr *inp6 = NULL;
993 struct sockaddr *sock, *mask;
994 struct sockaddr_in *sin;
998 if ((ifptr == NULL) || (ifptr == (void *)-1))
1005 inp->in4.s_addr = 0;
1008 bzero((char *)inp, sizeof(*inp));
1010 ifa = TAILQ_FIRST(&ifp->if_addrhead);
1012 sock = ifa->ifa_addr;
1013 while (sock != NULL && ifa != NULL) {
1014 sin = (struct sockaddr_in *)sock;
1015 if ((v == 4) && (sin->sin_family == AF_INET))
1018 if ((v == 6) && (sin->sin_family == AF_INET6)) {
1019 inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
1020 if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
1021 !IN6_IS_ADDR_LOOPBACK(inp6))
1025 ifa = TAILQ_NEXT(ifa, ifa_link);
1027 sock = ifa->ifa_addr;
1030 if (ifa == NULL || sin == NULL)
1033 mask = ifa->ifa_netmask;
1034 if (atype == FRI_BROADCAST)
1035 sock = ifa->ifa_broadaddr;
1036 else if (atype == FRI_PEERADDR)
1037 sock = ifa->ifa_dstaddr;
1044 return ipf_ifpfillv6addr(atype, (struct sockaddr_in6 *)sock,
1045 (struct sockaddr_in6 *)mask,
1049 return ipf_ifpfillv4addr(atype, (struct sockaddr_in *)sock,
1050 (struct sockaddr_in *)mask,
1051 &inp->in4, &inpmask->in4);
1060 newiss = arc4random();
1065 /* ------------------------------------------------------------------------ */
1066 /* Function: ipf_nextipid */
1067 /* Returns: int - 0 == success, -1 == error (packet should be droppped) */
1068 /* Parameters: fin(I) - pointer to packet information */
1070 /* Returns the next IPv4 ID to use for this packet. */
1071 /* ------------------------------------------------------------------------ */
1078 #ifndef RANDOM_IP_ID
1079 MUTEX_ENTER(&ipfmain.ipf_rw);
1081 MUTEX_EXIT(&ipfmain.ipf_rw);
1094 #ifdef CSUM_DATA_VALID
1100 if ((fin->fin_flx & FI_NOCKSUM) != 0)
1103 if ((fin->fin_flx & FI_SHORT) != 0)
1106 if (fin->fin_cksum != FI_CK_NEEDED)
1107 return (fin->fin_cksum > FI_CK_NEEDED) ? 0 : -1;
1116 if ((m->m_pkthdr.csum_flags & (CSUM_IP_CHECKED|CSUM_IP_VALID)) ==
1118 fin->fin_cksum = FI_CK_BAD;
1119 fin->fin_flx |= FI_BAD;
1122 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
1123 /* Depending on the driver, UDP may have zero checksum */
1124 if (fin->fin_p == IPPROTO_UDP && (fin->fin_flx &
1125 (FI_FRAG|FI_SHORT|FI_BAD)) == 0) {
1126 udphdr_t *udp = fin->fin_dp;
1127 if (udp->uh_sum == 0) {
1129 * we're good no matter what the hardware
1130 * checksum flags and csum_data say (handling
1131 * of csum_data for zero UDP checksum is not
1132 * consistent across all drivers)
1139 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
1140 sum = m->m_pkthdr.csum_data;
1142 sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
1143 htonl(m->m_pkthdr.csum_data +
1144 fin->fin_dlen + fin->fin_p));
1147 fin->fin_cksum = FI_CK_BAD;
1148 fin->fin_flx |= FI_BAD;
1150 fin->fin_cksum = FI_CK_SUMOK;
1154 if (m->m_pkthdr.csum_flags == CSUM_DELAY_DATA) {
1155 fin->fin_cksum = FI_CK_L4FULL;
1157 } else if (m->m_pkthdr.csum_flags == CSUM_TCP ||
1158 m->m_pkthdr.csum_flags == CSUM_UDP) {
1159 fin->fin_cksum = FI_CK_L4PART;
1161 } else if (m->m_pkthdr.csum_flags == CSUM_IP) {
1162 fin->fin_cksum = FI_CK_L4PART;
1170 if (ipf_checkl4sum(fin) == -1) {
1171 fin->fin_flx |= FI_BAD;
1176 if (ipf_checkl4sum(fin) == -1) {
1177 fin->fin_flx |= FI_BAD;
1190 if ((fin->fin_flx & FI_NOCKSUM) != 0)
1193 if ((fin->fin_flx & FI_SHORT) != 0)
1196 if (fin->fin_cksum != FI_CK_NEEDED)
1197 return (fin->fin_cksum > FI_CK_NEEDED) ? 0 : -1;
1199 if (ipf_checkl4sum(fin) == -1) {
1200 fin->fin_flx |= FI_BAD;
1205 #endif /* USE_INET6 */
1214 if ((m0->m_flags & M_PKTHDR) != 0) {
1215 len = m0->m_pkthdr.len;
1219 for (m = m0, len = 0; m != NULL; m = m->m_next)
1226 /* ------------------------------------------------------------------------ */
1227 /* Function: ipf_pullup */
1228 /* Returns: NULL == pullup failed, else pointer to protocol header */
1229 /* Parameters: xmin(I)- pointer to buffer where data packet starts */
1230 /* fin(I) - pointer to packet information */
1231 /* len(I) - number of bytes to pullup */
1233 /* Attempt to move at least len bytes (from the start of the buffer) into a */
1234 /* single buffer for ease of access. Operating system native functions are */
1235 /* used to manage buffers - if necessary. If the entire packet ends up in */
1236 /* a single buffer, set the FI_COALESCE flag even though ipf_coalesce() has */
1237 /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */
1238 /* and ONLY if the pullup succeeds. */
1240 /* We assume that 'xmin' is a pointer to a buffer that is part of the chain */
1241 /* of buffers that starts at *fin->fin_mp. */
1242 /* ------------------------------------------------------------------------ */
1244 ipf_pullup(xmin, fin, len)
1256 ip = (char *)fin->fin_ip;
1257 if ((fin->fin_flx & FI_COALESCE) != 0)
1260 ipoff = fin->fin_ipoff;
1261 if (fin->fin_dp != NULL)
1262 dpoff = (char *)fin->fin_dp - (char *)ip;
1266 if (M_LEN(m) < len) {
1267 mb_t *n = *fin->fin_mp;
1269 * Assume that M_PKTHDR is set and just work with what is left
1270 * rather than check..
1271 * Should not make any real difference, anyway.
1275 * Record the mbuf that points to the mbuf that we're
1276 * about to go to work on so that we can update the
1277 * m_next appropriately later.
1279 for (; n->m_next != m; n = n->m_next)
1291 #ifdef HAVE_M_PULLDOWN
1292 if (m_pulldown(m, 0, len, NULL) == NULL)
1295 FREE_MB_T(*fin->fin_mp);
1301 m = m_pullup(m, len);
1307 * When n is non-NULL, it indicates that m pointed to
1308 * a sub-chain (tail) of the mbuf and that the head
1309 * of this chain has not yet been free'd.
1312 FREE_MB_T(*fin->fin_mp);
1315 *fin->fin_mp = NULL;
1323 while (M_LEN(m) == 0) {
1327 ip = MTOD(m, char *) + ipoff;
1329 fin->fin_ip = (ip_t *)ip;
1330 if (fin->fin_dp != NULL)
1331 fin->fin_dp = (char *)fin->fin_ip + dpoff;
1332 if (fin->fin_fraghdr != NULL)
1333 fin->fin_fraghdr = (char *)ip +
1334 ((char *)fin->fin_fraghdr -
1335 (char *)fin->fin_ip);
1338 if (len == fin->fin_plen)
1339 fin->fin_flx |= FI_COALESCE;
1351 if (fin->fin_out == 0) {
1352 netisr_dispatch(NETISR_IP, m);
1354 fin->fin_ip->ip_len = ntohs(fin->fin_ip->ip_len);
1355 fin->fin_ip->ip_off = ntohs(fin->fin_ip->ip_off);
1356 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
1362 int ipf_pfil_unhook(void) {
1363 #if defined(NETBSD_PF) && (__FreeBSD_version >= 500011)
1364 struct pfil_head *ph_inet;
1366 struct pfil_head *ph_inet6;
1371 ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
1372 if (ph_inet != NULL)
1373 pfil_remove_hook((void *)ipf_check_wrapper, NULL,
1374 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet);
1376 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
1377 if (ph_inet6 != NULL)
1378 pfil_remove_hook((void *)ipf_check_wrapper6, NULL,
1379 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet6);
1386 int ipf_pfil_hook(void) {
1387 #if defined(NETBSD_PF) && (__FreeBSD_version >= 500011)
1388 struct pfil_head *ph_inet;
1390 struct pfil_head *ph_inet6;
1395 ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
1397 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
1407 if (ph_inet != NULL)
1408 pfil_add_hook((void *)ipf_check_wrapper, NULL,
1409 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet);
1411 if (ph_inet6 != NULL)
1412 pfil_add_hook((void *)ipf_check_wrapper6, NULL,
1413 PFIL_IN|PFIL_OUT|PFIL_WAITOK, ph_inet6);
1422 ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
1423 ipf_ifevent, &ipfmain, \
1424 EVENTHANDLER_PRI_ANY);
1425 ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
1426 ipf_ifevent, &ipfmain, \
1427 EVENTHANDLER_PRI_ANY);
1428 ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
1429 &ipfmain, EVENTHANDLER_PRI_ANY);
1433 ipf_event_dereg(void)
1435 if (ipf_arrivetag != NULL) {
1436 EVENTHANDLER_DEREGISTER(ifnet_arrival_event, ipf_arrivetag);
1438 if (ipf_departtag != NULL) {
1439 EVENTHANDLER_DEREGISTER(ifnet_departure_event, ipf_departtag);
1441 if (ipf_clonetag != NULL) {
1442 EVENTHANDLER_DEREGISTER(if_clone_event, ipf_clonetag);
1450 return arc4random();
1455 ipf_pcksum(fin, hlen, sum)
1465 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
1468 sum2 = in_cksum(fin->fin_m, fin->fin_plen - off);
1473 * Both sum and sum2 are partial sums, so combine them together.
1475 sum += ~sum2 & 0xffff;
1476 while (sum > 0xffff)
1477 sum = (sum & 0xffff) + (sum >> 16);
1478 sum2 = ~sum & 0xffff;