4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
8 #if defined(KERNEL) || defined(_KERNEL)
14 #include <sys/errno.h>
15 #include <sys/types.h>
16 #include <sys/param.h>
20 # include <sys/timeout.h>
33 #if defined(_KERNEL) && \
34 defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
35 # include <sys/filio.h>
36 # include <sys/fcntl.h>
38 # include <sys/ioctl.h>
41 # include <sys/protosw.h>
43 #include <sys/socket.h>
45 # include <sys/systm.h>
46 # if !defined(__SVR4) && !defined(__svr4__)
47 # include <sys/mbuf.h>
50 #if !defined(__SVR4) && !defined(__svr4__)
51 # if defined(_KERNEL) && !defined(__sgi) && !defined(AIX)
52 # include <sys/kernel.h>
55 # include <sys/byteorder.h>
57 # include <sys/dditypes.h>
59 # include <sys/stream.h>
60 # include <sys/kmem.h>
66 #include <netinet/in.h>
67 #include <netinet/in_systm.h>
68 #include <netinet/ip.h>
70 # include <netinet/ip_var.h>
72 #include <netinet/tcp.h>
73 #include <netinet/udp.h>
74 #include <netinet/ip_icmp.h>
75 #include "netinet/ip_compat.h"
76 #include <netinet/tcpip.h>
77 #include "netinet/ip_fil.h"
78 #include "netinet/ip_nat.h"
79 #include "netinet/ip_frag.h"
80 #include "netinet/ip_state.h"
81 #include "netinet/ip_auth.h"
82 #include "netinet/ip_lookup.h"
83 #include "netinet/ip_proxy.h"
84 #include "netinet/ip_sync.h"
88 static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
89 static const char rcsid[] = "@(#)$FreeBSD$";
90 /* static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.77.2.12 2007/09/20 12:51:51 darrenr Exp $"; */
94 typedef struct ipf_frag_softc_s {
95 ipfrwlock_t ipfr_ipidfrag;
96 ipfrwlock_t ipfr_frag;
97 ipfrwlock_t ipfr_natfrag;
104 ipfr_t *ipfr_natlist;
105 ipfr_t **ipfr_nattail;
106 ipfr_t *ipfr_ipidlist;
107 ipfr_t **ipfr_ipidtail;
109 ipfr_t **ipfr_nattab;
110 ipfr_t **ipfr_ipidtab;
111 ipfrstat_t ipfr_stats;
116 static ipfr_t *ipfr_frag_new __P((ipf_main_softc_t *, ipf_frag_softc_t *,
117 fr_info_t *, u_32_t, ipfr_t **,
119 static ipfr_t *ipf_frag_lookup __P((ipf_main_softc_t *, ipf_frag_softc_t *, fr_info_t *, ipfr_t **, ipfrwlock_t *));
120 static void ipf_frag_deref __P((void *, ipfr_t **, ipfrwlock_t *));
121 static int ipf_frag_next __P((ipf_main_softc_t *, ipftoken_t *, ipfgeniter_t *,
122 ipfr_t **, ipfrwlock_t *));
124 static ipfr_t *ipfr_frag_new __P((ipf_main_softc_t *, ipf_frag_softc_t *,
125 fr_info_t *, u_32_t, ipfr_t **));
126 static ipfr_t *ipf_frag_lookup __P((ipf_main_softc_t *, ipf_frag_softc_t *, fr_info_t *, ipfr_t **));
127 static void ipf_frag_deref __P((void *, ipfr_t **));
128 static int ipf_frag_next __P((ipf_main_softc_t *, ipftoken_t *, ipfgeniter_t *,
131 static void ipf_frag_delete __P((ipf_main_softc_t *, ipfr_t *, ipfr_t ***));
132 static void ipf_frag_free __P((ipf_frag_softc_t *, ipfr_t *));
134 static frentry_t ipfr_block;
136 ipftuneable_t ipf_tuneables[] = {
137 { { (void *)offsetof(ipf_frag_softc_t, ipfr_size) },
138 "frag_size", 1, 0x7fffffff,
139 stsizeof(ipf_frag_softc_t, ipfr_size),
140 IPFT_WRDISABLED, NULL, NULL },
141 { { (void *)offsetof(ipf_frag_softc_t, ipfr_ttl) },
142 "frag_ttl", 1, 0x7fffffff,
143 stsizeof(ipf_frag_softc_t, ipfr_ttl),
151 #define FBUMP(x) softf->ipfr_stats.x++
152 #define FBUMPD(x) do { softf->ipfr_stats.x++; DT(x); } while (0)
155 /* ------------------------------------------------------------------------ */
156 /* Function: ipf_frag_main_load */
157 /* Returns: int - 0 == success, -1 == error */
158 /* Parameters: Nil */
160 /* Initialise the filter rule associted with blocked packets - everyone can */
162 /* ------------------------------------------------------------------------ */
166 bzero((char *)&ipfr_block, sizeof(ipfr_block));
167 ipfr_block.fr_flags = FR_BLOCK|FR_QUICK;
168 ipfr_block.fr_ref = 1;
174 /* ------------------------------------------------------------------------ */
175 /* Function: ipf_frag_main_unload */
176 /* Returns: int - 0 == success, -1 == error */
177 /* Parameters: Nil */
179 /* A null-op function that exists as a placeholder so that the flow in */
180 /* other functions is obvious. */
181 /* ------------------------------------------------------------------------ */
183 ipf_frag_main_unload()
189 /* ------------------------------------------------------------------------ */
190 /* Function: ipf_frag_soft_create */
191 /* Returns: void * - NULL = failure, else pointer to local context */
192 /* Parameters: softc(I) - pointer to soft context main structure */
194 /* Allocate a new soft context structure to track fragment related info. */
195 /* ------------------------------------------------------------------------ */
198 ipf_frag_soft_create(softc)
199 ipf_main_softc_t *softc;
201 ipf_frag_softc_t *softf;
203 KMALLOC(softf, ipf_frag_softc_t *);
207 bzero((char *)softf, sizeof(*softf));
209 RWLOCK_INIT(&softf->ipfr_ipidfrag, "frag ipid lock");
210 RWLOCK_INIT(&softf->ipfr_frag, "ipf fragment rwlock");
211 RWLOCK_INIT(&softf->ipfr_natfrag, "ipf NAT fragment rwlock");
213 softf->ipfr_size = IPFT_SIZE;
214 softf->ipfr_ttl = IPF_TTLVAL(60);
215 softf->ipfr_lock = 1;
216 softf->ipfr_tail = &softf->ipfr_list;
217 softf->ipfr_nattail = &softf->ipfr_natlist;
218 softf->ipfr_ipidtail = &softf->ipfr_ipidlist;
224 /* ------------------------------------------------------------------------ */
225 /* Function: ipf_frag_soft_destroy */
227 /* Parameters: softc(I) - pointer to soft context main structure */
228 /* arg(I) - pointer to local context to use */
230 /* Initialise the hash tables for the fragment cache lookups. */
231 /* ------------------------------------------------------------------------ */
233 ipf_frag_soft_destroy(softc, arg)
234 ipf_main_softc_t *softc;
237 ipf_frag_softc_t *softf = arg;
239 RW_DESTROY(&softf->ipfr_ipidfrag);
240 RW_DESTROY(&softf->ipfr_frag);
241 RW_DESTROY(&softf->ipfr_natfrag);
247 /* ------------------------------------------------------------------------ */
248 /* Function: ipf_frag_soft_init */
249 /* Returns: int - 0 == success, -1 == error */
250 /* Parameters: softc(I) - pointer to soft context main structure */
251 /* arg(I) - pointer to local context to use */
253 /* Initialise the hash tables for the fragment cache lookups. */
254 /* ------------------------------------------------------------------------ */
257 ipf_frag_soft_init(softc, arg)
258 ipf_main_softc_t *softc;
261 ipf_frag_softc_t *softf = arg;
263 KMALLOCS(softf->ipfr_heads, ipfr_t **,
264 softf->ipfr_size * sizeof(ipfr_t *));
265 if (softf->ipfr_heads == NULL)
268 bzero((char *)softf->ipfr_heads, softf->ipfr_size * sizeof(ipfr_t *));
270 KMALLOCS(softf->ipfr_nattab, ipfr_t **,
271 softf->ipfr_size * sizeof(ipfr_t *));
272 if (softf->ipfr_nattab == NULL)
275 bzero((char *)softf->ipfr_nattab, softf->ipfr_size * sizeof(ipfr_t *));
277 KMALLOCS(softf->ipfr_ipidtab, ipfr_t **,
278 softf->ipfr_size * sizeof(ipfr_t *));
279 if (softf->ipfr_ipidtab == NULL)
282 bzero((char *)softf->ipfr_ipidtab,
283 softf->ipfr_size * sizeof(ipfr_t *));
285 softf->ipfr_lock = 0;
286 softf->ipfr_inited = 1;
292 /* ------------------------------------------------------------------------ */
293 /* Function: ipf_frag_soft_fini */
294 /* Returns: int - 0 == success, -1 == error */
295 /* Parameters: softc(I) - pointer to soft context main structure */
296 /* arg(I) - pointer to local context to use */
298 /* Free all memory allocated whilst running and from initialisation. */
299 /* ------------------------------------------------------------------------ */
301 ipf_frag_soft_fini(softc, arg)
302 ipf_main_softc_t *softc;
305 ipf_frag_softc_t *softf = arg;
307 softf->ipfr_lock = 1;
309 if (softf->ipfr_inited == 1) {
310 ipf_frag_clear(softc);
312 softf->ipfr_inited = 0;
315 if (softf->ipfr_heads != NULL)
316 KFREES(softf->ipfr_heads,
317 softf->ipfr_size * sizeof(ipfr_t *));
318 softf->ipfr_heads = NULL;
320 if (softf->ipfr_nattab != NULL)
321 KFREES(softf->ipfr_nattab,
322 softf->ipfr_size * sizeof(ipfr_t *));
323 softf->ipfr_nattab = NULL;
325 if (softf->ipfr_ipidtab != NULL)
326 KFREES(softf->ipfr_ipidtab,
327 softf->ipfr_size * sizeof(ipfr_t *));
328 softf->ipfr_ipidtab = NULL;
334 /* ------------------------------------------------------------------------ */
335 /* Function: ipf_frag_set_lock */
337 /* Parameters: arg(I) - pointer to local context to use */
338 /* tmp(I) - new value for lock */
340 /* Stub function that allows for external manipulation of ipfr_lock */
341 /* ------------------------------------------------------------------------ */
343 ipf_frag_setlock(arg, tmp)
347 ipf_frag_softc_t *softf = arg;
349 softf->ipfr_lock = tmp;
353 /* ------------------------------------------------------------------------ */
354 /* Function: ipf_frag_stats */
355 /* Returns: ipfrstat_t* - pointer to struct with current frag stats */
356 /* Parameters: arg(I) - pointer to local context to use */
358 /* Updates ipfr_stats with current information and returns a pointer to it */
359 /* ------------------------------------------------------------------------ */
364 ipf_frag_softc_t *softf = arg;
366 softf->ipfr_stats.ifs_table = softf->ipfr_heads;
367 softf->ipfr_stats.ifs_nattab = softf->ipfr_nattab;
368 return &softf->ipfr_stats;
372 /* ------------------------------------------------------------------------ */
373 /* Function: ipfr_frag_new */
374 /* Returns: ipfr_t * - pointer to fragment cache state info or NULL */
375 /* Parameters: fin(I) - pointer to packet information */
376 /* table(I) - pointer to frag table to add to */
377 /* lock(I) - pointer to lock to get a write hold of */
379 /* Add a new entry to the fragment cache, registering it as having come */
380 /* through this box, with the result of the filter operation. */
382 /* If this function succeeds, it returns with a write lock held on "lock". */
383 /* If it fails, no lock is held on return. */
384 /* ------------------------------------------------------------------------ */
386 ipfr_frag_new(softc, softf, fin, pass, table
391 ipf_main_softc_t *softc;
392 ipf_frag_softc_t *softf;
400 ipfr_t *fra, frag, *fran;
404 if (softf->ipfr_stats.ifs_inuse >= softf->ipfr_size) {
409 if ((fin->fin_flx & (FI_FRAG|FI_BAD)) != FI_FRAG) {
414 if (pass & FR_FRSTRICT) {
415 if (fin->fin_off != 0) {
416 FBUMPD(ifs_newrestrictnot0);
421 frag.ipfr_v = fin->fin_v;
423 frag.ipfr_p = fin->fin_p;
425 frag.ipfr_id = fin->fin_id;
427 frag.ipfr_source = fin->fin_fi.fi_src;
428 idx += frag.ipfr_src.s_addr;
429 frag.ipfr_dest = fin->fin_fi.fi_dst;
430 idx += frag.ipfr_dst.s_addr;
431 frag.ipfr_ifp = fin->fin_ifp;
433 idx %= softf->ipfr_size;
435 frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
436 frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
437 frag.ipfr_auth = fin->fin_fi.fi_auth;
439 off = fin->fin_off >> 3;
445 if (fin->fin_v == 6) {
447 ptr = (char *)fin->fin_fraghdr +
448 sizeof(struct ip6_frag);
454 end = fin->fin_plen - (ptr - (char *)fin->fin_ip);
455 frag.ipfr_firstend = end >> 3;
457 frag.ipfr_firstend = 0;
461 * allocate some memory, if possible, if not, just record that we
464 KMALLOC(fran, ipfr_t *);
473 * first, make sure it isn't already there...
475 for (fra = table[idx]; (fra != NULL); fra = fra->ipfr_hnext)
476 if (!bcmp((char *)&frag.ipfr_ifp, (char *)&fra->ipfr_ifp,
489 MUTEX_ENTER(&fr->fr_lock);
491 MUTEX_EXIT(&fr->fr_lock);
495 * Insert the fragment into the fragment table, copy the struct used
496 * in the search using bcopy rather than reassign each field.
497 * Set the ttl to the default.
499 if ((fra->ipfr_hnext = table[idx]) != NULL)
500 table[idx]->ipfr_hprev = &fra->ipfr_hnext;
501 fra->ipfr_hprev = table + idx;
502 fra->ipfr_data = NULL;
504 bcopy((char *)&frag.ipfr_ifp, (char *)&fra->ipfr_ifp, IPFR_CMPSZ);
505 fra->ipfr_v = fin->fin_v;
506 fra->ipfr_ttl = softc->ipf_ticks + softf->ipfr_ttl;
507 fra->ipfr_firstend = frag.ipfr_firstend;
510 * Compute the offset of the expected start of the next packet.
514 fra->ipfr_off = off + (fin->fin_dlen >> 3);
515 fra->ipfr_pass = pass;
518 fra->ipfr_bytes = fin->fin_plen;
525 /* ------------------------------------------------------------------------ */
526 /* Function: ipf_frag_new */
527 /* Returns: int - 0 == success, -1 == error */
528 /* Parameters: fin(I) - pointer to packet information */
530 /* Add a new entry to the fragment cache table based on the current packet */
531 /* ------------------------------------------------------------------------ */
533 ipf_frag_new(softc, fin, pass)
534 ipf_main_softc_t *softc;
538 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
541 if (softf->ipfr_lock != 0)
545 fra = ipfr_frag_new(softc, softf, fin, pass, softf->ipfr_heads, &softc->ipf_frag);
547 fra = ipfr_frag_new(softc, softf, fin, pass, softf->ipfr_heads);
550 *softf->ipfr_tail = fra;
551 fra->ipfr_prev = softf->ipfr_tail;
552 softf->ipfr_tail = &fra->ipfr_next;
553 fra->ipfr_next = NULL;
554 RWLOCK_EXIT(&softc->ipf_frag);
560 /* ------------------------------------------------------------------------ */
561 /* Function: ipf_frag_natnew */
562 /* Returns: int - 0 == success, -1 == error */
563 /* Parameters: fin(I) - pointer to packet information */
564 /* nat(I) - pointer to NAT structure */
566 /* Create a new NAT fragment cache entry based on the current packet and */
567 /* the NAT structure for this "session". */
568 /* ------------------------------------------------------------------------ */
570 ipf_frag_natnew(softc, fin, pass, nat)
571 ipf_main_softc_t *softc;
576 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
579 if (softf->ipfr_lock != 0)
583 fra = ipfr_frag_new(softc, softf, fin, pass, softf->ipfr_nattab,
584 &softf->ipfr_natfrag);
586 fra = ipfr_frag_new(softc, softf, fin, pass, softf->ipfr_nattab);
589 fra->ipfr_data = nat;
591 *softf->ipfr_nattail = fra;
592 fra->ipfr_prev = softf->ipfr_nattail;
593 softf->ipfr_nattail = &fra->ipfr_next;
594 fra->ipfr_next = NULL;
595 RWLOCK_EXIT(&softf->ipfr_natfrag);
602 /* ------------------------------------------------------------------------ */
603 /* Function: ipf_frag_ipidnew */
604 /* Returns: int - 0 == success, -1 == error */
605 /* Parameters: fin(I) - pointer to packet information */
606 /* ipid(I) - new IP ID for this fragmented packet */
608 /* Create a new fragment cache entry for this packet and store, as a data */
609 /* pointer, the new IP ID value. */
610 /* ------------------------------------------------------------------------ */
612 ipf_frag_ipidnew(fin, ipid)
616 ipf_main_softc_t *softc = fin->fin_main_soft;
617 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
620 if (softf->ipfr_lock)
624 fra = ipfr_frag_new(softc, softf, fin, 0, softf->ipfr_ipidtab, &softf->ipfr_ipidfrag);
626 fra = ipfr_frag_new(softc, softf, fin, 0, softf->ipfr_ipidtab);
629 fra->ipfr_data = (void *)(intptr_t)ipid;
630 *softf->ipfr_ipidtail = fra;
631 fra->ipfr_prev = softf->ipfr_ipidtail;
632 softf->ipfr_ipidtail = &fra->ipfr_next;
633 fra->ipfr_next = NULL;
634 RWLOCK_EXIT(&softf->ipfr_ipidfrag);
640 /* ------------------------------------------------------------------------ */
641 /* Function: ipf_frag_lookup */
642 /* Returns: ipfr_t * - pointer to ipfr_t structure if there's a */
643 /* matching entry in the frag table, else NULL */
644 /* Parameters: fin(I) - pointer to packet information */
645 /* table(I) - pointer to fragment cache table to search */
647 /* Check the fragment cache to see if there is already a record of this */
648 /* packet with its filter result known. */
650 /* If this function succeeds, it returns with a write lock held on "lock". */
651 /* If it fails, no lock is held on return. */
652 /* ------------------------------------------------------------------------ */
654 ipf_frag_lookup(softc, softf, fin, table
659 ipf_main_softc_t *softc;
660 ipf_frag_softc_t *softf;
671 * We don't want to let short packets match because they could be
672 * compromising the security of other rules that want to match on
673 * layer 4 fields (and can't because they have been fragmented off.)
674 * Why do this check here? The counter acts as an indicator of this
675 * kind of attack, whereas if it was elsewhere, it wouldn't know if
676 * other matching packets had been seen.
678 if (fin->fin_flx & FI_SHORT) {
683 if ((fin->fin_flx & FI_BAD) != 0) {
689 * For fragments, we record protocol, packet id, TOS and both IP#'s
690 * (these should all be the same for all fragments of a packet).
692 * build up a hash value to index the table with.
694 frag.ipfr_v = fin->fin_v;
696 frag.ipfr_p = fin->fin_p;
698 frag.ipfr_id = fin->fin_id;
700 frag.ipfr_source = fin->fin_fi.fi_src;
701 idx += frag.ipfr_src.s_addr;
702 frag.ipfr_dest = fin->fin_fi.fi_dst;
703 idx += frag.ipfr_dst.s_addr;
704 frag.ipfr_ifp = fin->fin_ifp;
706 idx %= softf->ipfr_size;
708 frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
709 frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
710 frag.ipfr_auth = fin->fin_fi.fi_auth;
715 * check the table, careful to only compare the right amount of data
717 for (f = table[idx]; f; f = f->ipfr_hnext) {
718 if (!bcmp((char *)&frag.ipfr_ifp, (char *)&f->ipfr_ifp,
723 * XXX - We really need to be guarding against the
724 * retransmission of (src,dst,id,offset-range) here
725 * because a fragmented packet is never resent with
726 * the same IP ID# (or shouldn't).
728 off = fin->fin_off >> 3;
731 FBUMPD(ifs_retrans0);
736 * Case 3. See comment for frpr_fragment6.
738 if ((f->ipfr_firstend != 0) &&
739 (off < f->ipfr_firstend)) {
741 DT2(ifs_overlap, u_short, off,
743 fin->fin_flx |= FI_BAD;
749 if (f != table[idx]) {
753 * Move fragment info. to the top of the list
754 * to speed up searches. First, delink...
757 (*fp) = f->ipfr_hnext;
758 if (f->ipfr_hnext != NULL)
759 f->ipfr_hnext->ipfr_hprev = fp;
761 * Then put back at the top of the chain.
763 f->ipfr_hnext = table[idx];
764 table[idx]->ipfr_hprev = &f->ipfr_hnext;
765 f->ipfr_hprev = table + idx;
770 * If we've follwed the fragments, and this is the
771 * last (in order), shrink expiration time.
773 if (off == f->ipfr_off) {
774 f->ipfr_off = (fin->fin_dlen >> 3) + off;
777 * Well, we could shrink the expiration time
778 * but only if every fragment has been seen
779 * in order upto this, the last. ipfr_badorder
780 * is used here to count those out of order
781 * and if it equals 0 when we get to the last
782 * fragment then we can assume all of the
783 * fragments have been seen and in order.
787 * Doing this properly requires moving it to
788 * the head of the list which is infesible.
790 if ((more == 0) && (f->ipfr_badorder == 0))
791 f->ipfr_ttl = softc->ipf_ticks + 1;
795 FBUMPD(ifs_unordered);
796 if (f->ipfr_pass & FR_FRSTRICT) {
802 f->ipfr_bytes += fin->fin_plen;
814 /* ------------------------------------------------------------------------ */
815 /* Function: ipf_frag_natknown */
816 /* Returns: nat_t* - pointer to 'parent' NAT structure if frag table */
817 /* match found, else NULL */
818 /* Parameters: fin(I) - pointer to packet information */
820 /* Functional interface for NAT lookups of the NAT fragment cache */
821 /* ------------------------------------------------------------------------ */
823 ipf_frag_natknown(fin)
826 ipf_main_softc_t *softc = fin->fin_main_soft;
827 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
831 if ((softf->ipfr_lock) || !softf->ipfr_natlist)
834 ipf = ipf_frag_lookup(softc, softf, fin, softf->ipfr_nattab,
835 &softf->ipfr_natfrag);
837 ipf = ipf_frag_lookup(softc, softf, fin, softf->ipfr_nattab);
840 nat = ipf->ipfr_data;
842 * This is the last fragment for this packet.
844 if ((ipf->ipfr_ttl == softc->ipf_ticks + 1) && (nat != NULL)) {
845 nat->nat_data = NULL;
846 ipf->ipfr_data = NULL;
848 RWLOCK_EXIT(&softf->ipfr_natfrag);
855 /* ------------------------------------------------------------------------ */
856 /* Function: ipf_frag_ipidknown */
857 /* Returns: u_32_t - IPv4 ID for this packet if match found, else */
858 /* return 0xfffffff to indicate no match. */
859 /* Parameters: fin(I) - pointer to packet information */
861 /* Functional interface for IP ID lookups of the IP ID fragment cache */
862 /* ------------------------------------------------------------------------ */
864 ipf_frag_ipidknown(fin)
867 ipf_main_softc_t *softc = fin->fin_main_soft;
868 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
872 if (softf->ipfr_lock || !softf->ipfr_ipidlist)
876 ipf = ipf_frag_lookup(softc, softf, fin, softf->ipfr_ipidtab,
877 &softf->ipfr_ipidfrag);
879 ipf = ipf_frag_lookup(softc, softf, fin, softf->ipfr_ipidtab);
882 id = (u_32_t)(intptr_t)ipf->ipfr_data;
883 RWLOCK_EXIT(&softf->ipfr_ipidfrag);
890 /* ------------------------------------------------------------------------ */
891 /* Function: ipf_frag_known */
892 /* Returns: frentry_t* - pointer to filter rule if a match is found in */
893 /* the frag cache table, else NULL. */
894 /* Parameters: fin(I) - pointer to packet information */
895 /* passp(O) - pointer to where to store rule flags resturned */
897 /* Functional interface for normal lookups of the fragment cache. If a */
898 /* match is found, return the rule pointer and flags from the rule, except */
899 /* that if FR_LOGFIRST is set, reset FR_LOG. */
900 /* ------------------------------------------------------------------------ */
902 ipf_frag_known(fin, passp)
906 ipf_main_softc_t *softc = fin->fin_main_soft;
907 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
908 frentry_t *fr = NULL;
912 if ((softf->ipfr_lock) || (softf->ipfr_list == NULL))
916 fra = ipf_frag_lookup(softc, softf, fin, softf->ipfr_heads,
919 fra = ipf_frag_lookup(softc, softf, fin, softf->ipfr_heads);
922 if (fin->fin_flx & FI_BAD) {
924 fin->fin_reason = FRB_BADFRAG;
931 if ((pass & FR_KEEPSTATE) != 0) {
932 fin->fin_flx |= FI_STATE;
934 * Reset the keep state flag here so that we
935 * don't try and add a new state entry because
936 * of a match here. That leads to blocking of
937 * the packet later because the add fails.
939 pass &= ~FR_KEEPSTATE;
941 if ((pass & FR_LOGFIRST) != 0)
942 pass &= ~(FR_LOGFIRST|FR_LOG);
945 RWLOCK_EXIT(&softc->ipf_frag);
951 /* ------------------------------------------------------------------------ */
952 /* Function: ipf_frag_natforget */
954 /* Parameters: ptr(I) - pointer to data structure */
956 /* Search through all of the fragment cache entries for NAT and wherever a */
957 /* pointer is found to match ptr, reset it to NULL. */
958 /* ------------------------------------------------------------------------ */
960 ipf_frag_natforget(softc, ptr)
961 ipf_main_softc_t *softc;
964 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
967 WRITE_ENTER(&softf->ipfr_natfrag);
968 for (fr = softf->ipfr_natlist; fr; fr = fr->ipfr_next)
969 if (fr->ipfr_data == ptr)
970 fr->ipfr_data = NULL;
971 RWLOCK_EXIT(&softf->ipfr_natfrag);
975 /* ------------------------------------------------------------------------ */
976 /* Function: ipf_frag_delete */
978 /* Parameters: fra(I) - pointer to fragment structure to delete */
979 /* tail(IO) - pointer to the pointer to the tail of the frag */
982 /* Remove a fragment cache table entry from the table & list. Also free */
983 /* the filter rule it is associated with it if it is no longer used as a */
984 /* result of decreasing the reference count. */
985 /* ------------------------------------------------------------------------ */
987 ipf_frag_delete(softc, fra, tail)
988 ipf_main_softc_t *softc;
989 ipfr_t *fra, ***tail;
991 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
994 fra->ipfr_next->ipfr_prev = fra->ipfr_prev;
995 *fra->ipfr_prev = fra->ipfr_next;
996 if (*tail == &fra->ipfr_next)
997 *tail = fra->ipfr_prev;
1000 fra->ipfr_hnext->ipfr_hprev = fra->ipfr_hprev;
1001 *fra->ipfr_hprev = fra->ipfr_hnext;
1003 if (fra->ipfr_rule != NULL) {
1004 (void) ipf_derefrule(softc, &fra->ipfr_rule);
1007 if (fra->ipfr_ref <= 0)
1008 ipf_frag_free(softf, fra);
1012 /* ------------------------------------------------------------------------ */
1013 /* Function: ipf_frag_free */
1016 /* ------------------------------------------------------------------------ */
1018 ipf_frag_free(softf, fra)
1019 ipf_frag_softc_t *softf;
1024 softf->ipfr_stats.ifs_inuse--;
1028 /* ------------------------------------------------------------------------ */
1029 /* Function: ipf_frag_clear */
1031 /* Parameters: Nil */
1033 /* Free memory in use by fragment state information kept. Do the normal */
1034 /* fragment state stuff first and then the NAT-fragment table. */
1035 /* ------------------------------------------------------------------------ */
1037 ipf_frag_clear(softc)
1038 ipf_main_softc_t *softc;
1040 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
1044 WRITE_ENTER(&softc->ipf_frag);
1045 while ((fra = softf->ipfr_list) != NULL) {
1047 ipf_frag_delete(softc, fra, &softf->ipfr_tail);
1049 softf->ipfr_tail = &softf->ipfr_list;
1050 RWLOCK_EXIT(&softc->ipf_frag);
1052 WRITE_ENTER(&softc->ipf_nat);
1053 WRITE_ENTER(&softf->ipfr_natfrag);
1054 while ((fra = softf->ipfr_natlist) != NULL) {
1055 nat = fra->ipfr_data;
1057 if (nat->nat_data == fra)
1058 nat->nat_data = NULL;
1061 ipf_frag_delete(softc, fra, &softf->ipfr_nattail);
1063 softf->ipfr_nattail = &softf->ipfr_natlist;
1064 RWLOCK_EXIT(&softf->ipfr_natfrag);
1065 RWLOCK_EXIT(&softc->ipf_nat);
1069 /* ------------------------------------------------------------------------ */
1070 /* Function: ipf_frag_expire */
1072 /* Parameters: Nil */
1074 /* Expire entries in the fragment cache table that have been there too long */
1075 /* ------------------------------------------------------------------------ */
1077 ipf_frag_expire(softc)
1078 ipf_main_softc_t *softc;
1080 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
1085 if (softf->ipfr_lock)
1089 WRITE_ENTER(&softc->ipf_frag);
1091 * Go through the entire table, looking for entries to expire,
1092 * which is indicated by the ttl being less than or equal to ipf_ticks.
1094 for (fp = &softf->ipfr_list; ((fra = *fp) != NULL); ) {
1095 if (fra->ipfr_ttl > softc->ipf_ticks)
1098 ipf_frag_delete(softc, fra, &softf->ipfr_tail);
1100 RWLOCK_EXIT(&softc->ipf_frag);
1102 WRITE_ENTER(&softf->ipfr_ipidfrag);
1103 for (fp = &softf->ipfr_ipidlist; ((fra = *fp) != NULL); ) {
1104 if (fra->ipfr_ttl > softc->ipf_ticks)
1107 ipf_frag_delete(softc, fra, &softf->ipfr_ipidtail);
1109 RWLOCK_EXIT(&softf->ipfr_ipidfrag);
1112 * Same again for the NAT table, except that if the structure also
1113 * still points to a NAT structure, and the NAT structure points back
1114 * at the one to be free'd, NULL the reference from the NAT struct.
1115 * NOTE: We need to grab both mutex's early, and in this order so as
1116 * to prevent a deadlock if both try to expire at the same time.
1117 * The extra if() statement here is because it locks out all NAT
1118 * operations - no need to do that if there are no entries in this
1121 if (softf->ipfr_natlist != NULL) {
1122 WRITE_ENTER(&softc->ipf_nat);
1123 WRITE_ENTER(&softf->ipfr_natfrag);
1124 for (fp = &softf->ipfr_natlist; ((fra = *fp) != NULL); ) {
1125 if (fra->ipfr_ttl > softc->ipf_ticks)
1127 nat = fra->ipfr_data;
1129 if (nat->nat_data == fra)
1130 nat->nat_data = NULL;
1133 ipf_frag_delete(softc, fra, &softf->ipfr_nattail);
1135 RWLOCK_EXIT(&softf->ipfr_natfrag);
1136 RWLOCK_EXIT(&softc->ipf_nat);
1142 /* ------------------------------------------------------------------------ */
1143 /* Function: ipf_frag_pkt_next */
1144 /* ------------------------------------------------------------------------ */
1146 ipf_frag_pkt_next(softc, token, itp)
1147 ipf_main_softc_t *softc;
1151 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
1154 return ipf_frag_next(softc, token, itp, &softf->ipfr_list,
1157 return ipf_frag_next(softc, token, itp, &softf->ipfr_list);
1162 /* ------------------------------------------------------------------------ */
1163 /* Function: ipf_frag_nat_next */
1164 /* ------------------------------------------------------------------------ */
1166 ipf_frag_nat_next(softc, token, itp)
1167 ipf_main_softc_t *softc;
1171 ipf_frag_softc_t *softf = softc->ipf_frag_soft;;
1174 return ipf_frag_next(softc, token, itp, &softf->ipfr_natlist,
1175 &softf->ipfr_natfrag);
1177 return ipf_frag_next(softc, token, itp, &softf->ipfr_natlist);
1181 /* ------------------------------------------------------------------------ */
1182 /* Function: ipf_frag_next */
1183 /* Returns: int - 0 == success, else error */
1184 /* Parameters: token(I) - pointer to token information for this caller */
1185 /* itp(I) - pointer to generic iterator from caller */
1186 /* top(I) - top of the fragment list */
1187 /* lock(I) - fragment cache lock */
1189 /* This function is used to interate through the list of entries in the */
1190 /* fragment cache. It increases the reference count on the one currently */
1191 /* being returned so that the caller can come back and resume from it later.*/
1193 /* This function is used for both the NAT fragment cache as well as the ipf */
1194 /* fragment cache - hence the reason for passing in top and lock. */
1195 /* ------------------------------------------------------------------------ */
1197 ipf_frag_next(softc, token, itp, top
1202 ipf_main_softc_t *softc;
1210 ipfr_t *frag, *next, zero;
1213 if (itp->igi_data == NULL) {
1218 if (itp->igi_nitems != 1) {
1223 frag = token->ipt_data;
1230 next = frag->ipfr_next;
1233 ATOMIC_INC(next->ipfr_ref);
1234 token->ipt_data = next;
1236 bzero(&zero, sizeof(zero));
1238 token->ipt_data = NULL;
1240 if (next->ipfr_next == NULL)
1241 ipf_token_mark_complete(token);
1245 error = COPYOUT(next, itp->igi_data, sizeof(*next));
1251 ipf_frag_deref(softc, &frag, lock);
1253 ipf_frag_deref(softc, &frag);
1260 /* ------------------------------------------------------------------------ */
1261 /* Function: ipf_frag_pkt_deref */
1264 /* ------------------------------------------------------------------------ */
1266 ipf_frag_pkt_deref(softc, data)
1267 ipf_main_softc_t *softc;
1270 ipfr_t **frp = data;
1273 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
1275 ipf_frag_deref(softc->ipf_frag_soft, frp, &softf->ipfr_frag);
1277 ipf_frag_deref(softc->ipf_frag_soft, frp);
1282 /* ------------------------------------------------------------------------ */
1283 /* Function: ipf_frag_nat_deref */
1286 /* ------------------------------------------------------------------------ */
1288 ipf_frag_nat_deref(softc, data)
1289 ipf_main_softc_t *softc;
1292 ipfr_t **frp = data;
1295 ipf_frag_softc_t *softf = softc->ipf_frag_soft;
1297 ipf_frag_deref(softc->ipf_frag_soft, frp, &softf->ipfr_natfrag);
1299 ipf_frag_deref(softc->ipf_frag_soft, frp);
1304 /* ------------------------------------------------------------------------ */
1305 /* Function: ipf_frag_deref */
1307 /* Parameters: frp(IO) - pointer to fragment structure to deference */
1308 /* lock(I) - lock associated with the fragment */
1310 /* This function dereferences a fragment structure (ipfr_t). The pointer */
1311 /* passed in will always be reset back to NULL, even if the structure is */
1312 /* not freed, to enforce the notion that the caller is no longer entitled */
1313 /* to use the pointer it is dropping the reference to. */
1314 /* ------------------------------------------------------------------------ */
1316 ipf_frag_deref(arg, frp
1327 ipf_frag_softc_t *softf = arg;
1335 if (fra->ipfr_ref <= 0)
1336 ipf_frag_free(softf, fra);