2 * Copyright (C) 1993-2001 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
6 * @(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed
7 * $FreeBSD: src/sys/contrib/ipfilter/netinet/fil.c,v 1.23.2.7 2004/07/04 09:24:38 darrenr Exp $
8 * $DragonFly: src/sys/contrib/ipfilter/netinet/fil.c,v 1.11 2008/03/07 11:34:19 sephe Exp $
10 #if defined(__sgi) && (IRIX > 602)
11 # include <sys/ptimers.h>
13 #include <sys/errno.h>
14 #include <sys/types.h>
15 #include <sys/param.h>
18 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
20 # include "opt_ipfilter_log.h"
22 #if (defined(KERNEL) || defined(_KERNEL)) && (defined(__DragonFly__) || (defined(__FreeBSD_version) && \
23 (__FreeBSD_version >= 220000)))
24 # if defined(__DragonFly__) || (__FreeBSD_version >= 400000)
26 # include "opt_inet6.h"
28 # if defined(__FreeBSD__) && (__FreeBSD_version == 400019)
29 # define CSUM_DELAY_DATA
32 # include <sys/filio.h>
33 # include <sys/fcntl.h>
35 # include <sys/ioctl.h>
37 #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
38 # include <sys/systm.h>
44 #if !defined(__SVR4) && !defined(__svr4__)
46 # include <sys/mbuf.h>
49 # include <sys/cmn_err.h>
50 # include <sys/byteorder.h>
52 # include <sys/dditypes.h>
54 # include <sys/stream.h>
57 # include <sys/protosw.h>
58 # include <sys/socket.h>
64 #include <net/route.h>
65 #include <netinet/in.h>
66 #include <netinet/in_systm.h>
67 #include <netinet/ip.h>
69 # include <netinet/ip_var.h>
71 #if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
72 # include <sys/hashing.h>
73 # include <netinet/in_var.h>
75 #include <netinet/tcp.h>
76 #include <netinet/udp.h>
77 #include <netinet/ip_icmp.h>
78 #include "ip_compat.h"
80 # include <netinet/icmp6.h>
81 # if !SOLARIS && defined(_KERNEL)
82 # include <netinet6/in6_var.h>
85 #include <netinet/tcpip.h>
92 # if defined(__DragonFly__) || (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000))
93 # include <sys/malloc.h>
94 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
95 # include "opt_ipfilter.h"
99 # define MIN(a,b) (((a)<(b))?(a):(b))
103 #include <sys/in_cksum.h>
105 static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
112 # define FR_VERBOSE(verb_pr) verbose verb_pr
113 # define FR_DEBUG(verb_pr) debug verb_pr
114 # define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
115 #else /* #ifndef _KERNEL */
116 # define FR_VERBOSE(verb_pr)
117 # define FR_DEBUG(verb_pr)
118 # define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
119 # if SOLARIS || defined(__sgi)
120 extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat;
121 extern kmutex_t ipf_rw;
122 # endif /* SOLARIS || __sgi */
126 # define kprintf printf
/*
 * File-scope filter state.
 * frstats is indexed by direction elsewhere in this file (frstats[out],
 * frstats[fin->fin_out]).
 */
129 struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
/*
 * Rule list heads.  fr_check() reads them as ipfilter[out][fr_active] and
 * ipacct[0|1][fr_active], so the first index is the direction and the
 * second selects the active/inactive set; the "6" variants are the
 * lists fr_check() picks in its IPv6 branches.
 */
130 struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
132 *ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } },
133 *ipacct6[2][2] = { { NULL, NULL }, { NULL, NULL } },
135 *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
/*
 * Rule group list heads.  fr_findgroup() uses row 0 for in/out filter
 * rules, row 1 for accounting rules and row 2 for IPL_LOGAUTH; the
 * second index is the rule set.
 */
136 struct frgroup *ipfgroups[3][2];
137 int fr_flags = IPF_LOGGING;
/* fr_check() tests bit 1 and bit 2 of fr_minttllog separately. */
141 int fr_minttllog = 1;
/*
 * fr_pass is the starting verdict handed to fr_scanlist() by fr_check();
 * IPFILTER_DEFAULT_BLOCK selects a blocking default at compile time.
 */
142 #if defined(IPFILTER_DEFAULT_BLOCK)
143 int fr_pass = FR_NOMATCH|FR_BLOCK;
145 int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
147 char ipfilter_version[] = IPL_VERSION;
149 fr_info_t frcache[2];
151 static int frflushlist (int, minor_t, int *, frentry_t **);
153 static void frsynclist (frentry_t *);
157 static void *ipf_pullup (mb_t *, fr_info_t *, int, void *);
161 * bit values for identifying presence of individual IP options
/*
 * ipopts - table pairing each IP option code (IPOPT_*) with one distinct
 * presence bit.  fr_makefrip() ORs the ol_bit of each matching entry into
 * the packet option mask that ends up in fi_optmsk.
 * The array is declared with 20 slots; 19 entries are visible in this
 * excerpt.
 * NOTE(review): fr_makefrip() collects these bits in a u_short; where
 * u_short is 16 bits wide the bits above 0x008000 (IMITD, EIP, FINN)
 * cannot be represented there - confirm whether that is intended.
 */
163 struct optlist ipopts[20] = {
164 { IPOPT_NOP, 0x000001 },
165 { IPOPT_RR, 0x000002 },
166 { IPOPT_ZSU, 0x000004 },
167 { IPOPT_MTUP, 0x000008 },
168 { IPOPT_MTUR, 0x000010 },
169 { IPOPT_ENCODE, 0x000020 },
170 { IPOPT_TS, 0x000040 },
171 { IPOPT_TR, 0x000080 },
172 { IPOPT_SECURITY, 0x000100 },
173 { IPOPT_LSRR, 0x000200 },
174 { IPOPT_E_SEC, 0x000400 },
175 { IPOPT_CIPSO, 0x000800 },
176 { IPOPT_SATID, 0x001000 },
177 { IPOPT_SSRR, 0x002000 },
178 { IPOPT_ADDEXT, 0x004000 },
179 { IPOPT_VISA, 0x008000 },
180 { IPOPT_IMITD, 0x010000 },
181 { IPOPT_EIP, 0x020000 },
182 { IPOPT_FINN, 0x040000 },
187 * bit values for identifying presence of individual IP security options
/*
 * secopt - table pairing each IP security option classification value
 * (IPSO_CLASS_*) with one presence bit, 0x01 through 0x80.
 * Presumably the table fr_makefrip() searches when it meets
 * IPOPT_SECURITY, ORing the matching ol_bit into the security mask
 * (fi_secmsk); the pointer setup for that search is not visible in this
 * excerpt - confirm.
 */
189 struct optlist secopt[8] = {
190 { IPSO_CLASS_RES4, 0x01 },
191 { IPSO_CLASS_TOPS, 0x02 },
192 { IPSO_CLASS_SECR, 0x04 },
193 { IPSO_CLASS_RES3, 0x08 },
194 { IPSO_CLASS_CONF, 0x10 },
195 { IPSO_CLASS_UNCL, 0x20 },
196 { IPSO_CLASS_RES2, 0x40 },
197 { IPSO_CLASS_RES1, 0x80 }
202 * compact the IP header into a structure which contains just the info.
203 * which is useful for comparing IP headers with.
205 int fr_makefrip(hlen, ip, fin)
210 u_short optmsk = 0, secmsk = 0, auth = 0;
211 int i, mv, ol, off, p, plen, v;
214 mb_t *m = fin->fin_qfm;
216 mb_t *m = fin->fin_mp ? *fin->fin_mp : NULL;
219 fr_ip_t *fi = &fin->fin_fi;
228 fin->fin_data[0] = 0;
229 fin->fin_data[1] = 0;
232 fin->fin_icode = ipl_unreach;
235 fin->fin_hlen = hlen;
237 fin->fin_id = ip->ip_id;
238 fi->fi_tos = ip->ip_tos;
239 #if (OpenBSD >= 200311) && defined(_KERNEL)
240 ip->ip_off = ntohs(ip->ip_off);
242 off = (ip->ip_off & IP_OFFMASK);
243 (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
244 fi->fi_src.i6[1] = 0;
245 fi->fi_src.i6[2] = 0;
246 fi->fi_src.i6[3] = 0;
247 fi->fi_dst.i6[1] = 0;
248 fi->fi_dst.i6[2] = 0;
249 fi->fi_dst.i6[3] = 0;
250 fi->fi_saddr = ip->ip_src.s_addr;
251 fi->fi_daddr = ip->ip_dst.s_addr;
253 fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
254 if (ip->ip_off & (IP_MF|IP_OFFMASK))
255 fi->fi_fl |= FI_FRAG;
256 #if (OpenBSD >= 200311) && defined(_KERNEL)
257 ip->ip_len = ntohs(ip->ip_len);
260 fin->fin_dlen = plen - hlen;
264 ip6_t *ip6 = (ip6_t *)ip;
269 fi->fi_ttl = ip6->ip6_hlim;
270 fi->fi_src.in6 = ip6->ip6_src;
271 fi->fi_dst.in6 = ip6->ip6_dst;
272 fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
275 plen = ntohs(ip6->ip6_plen);
276 fin->fin_dlen = plen;
277 plen += sizeof(*ip6);
284 fin->fin_plen = plen;
285 tcp = (tcphdr_t *)((char *)ip + hlen);
290 * For both ICMPV6 & ICMP, we attempt to pullup the entire packet into
291 * a single buffer for recognised error return packets. Why? Because
292 * the entire data section of the ICMP payload is considered to be of
293 * significance and maybe required in NAT/state processing, so rather
294 * than be careful later, attempt to get it all in one buffer first.
295 * For TCP we just make sure the _entire_ TCP header is in the first
296 * buffer for convenience.
301 case IPPROTO_ICMPV6 :
303 int minicmpsz = sizeof(struct icmp6_hdr);
304 struct icmp6_hdr *icmp6;
306 if (!(fin->fin_fl & FI_SHORT) && (fin->fin_dlen > 1)) {
307 fin->fin_data[0] = *(u_short *)tcp;
309 icmp6 = (struct icmp6_hdr *)tcp;
311 switch (icmp6->icmp6_type)
313 case ICMP6_ECHO_REPLY :
314 case ICMP6_ECHO_REQUEST :
315 minicmpsz = ICMP6_MINLEN;
317 case ICMP6_DST_UNREACH :
318 case ICMP6_PACKET_TOO_BIG :
319 case ICMP6_TIME_EXCEEDED :
320 case ICMP6_PARAM_PROB :
321 # if defined(KERNEL) && !defined(__sgi)
322 if ((m != NULL) && (M_BLEN(m) < plen)) {
323 ip = ipf_pullup(m, fin, plen, ip);
326 tcp = (tcphdr_t *)((char *)ip + hlen);
328 # endif /* KERNEL && !__sgi */
329 minicmpsz = ICMP6ERR_IPICMPHLEN;
336 if (!(fin->fin_dlen >= minicmpsz))
337 fi->fi_fl |= FI_SHORT;
341 #endif /* USE_INET6 */
345 int minicmpsz = sizeof(struct icmp);
348 if (!off && (fin->fin_dlen > 1) && !(fin->fin_fl & FI_SHORT)) {
349 fin->fin_data[0] = *(u_short *)tcp;
351 icmp = (icmphdr_t *)tcp;
354 * Minimum ICMP packet is type(1) code(1) cksum(2)
355 * plus 4 bytes following, totalling 8 bytes.
357 switch (icmp->icmp_type)
359 case ICMP_ECHOREPLY :
361 /* Router discovery messages - RFC 1256 */
362 case ICMP_ROUTERADVERT :
363 case ICMP_ROUTERSOLICIT :
364 minicmpsz = ICMP_MINLEN;
367 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
371 case ICMP_TSTAMPREPLY :
372 minicmpsz = ICMP_MINLEN + 12;
375 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
379 case ICMP_MASKREPLY :
380 minicmpsz = ICMP_MINLEN + 4;
383 * type(1) + code(1) + cksum(2) + arg(4) ip(20+)
386 case ICMP_SOURCEQUENCH :
389 case ICMP_PARAMPROB :
390 #if defined(KERNEL) && !defined(__sgi)
391 if ((m != NULL) && (M_BLEN(m) < plen)) {
392 ip = ipf_pullup(m, fin, plen, ip);
395 tcp = (tcphdr_t *)((char *)ip + hlen);
397 #endif /* KERNEL && !__sgi */
398 minicmpsz = ICMPERR_MINPKTLEN - sizeof(ip_t);
401 minicmpsz = ICMP_MINLEN;
406 if ((!(plen >= hlen + minicmpsz) && !off) ||
407 (off && off < sizeof(struct icmp)))
408 fi->fi_fl |= FI_SHORT;
413 fi->fi_fl |= FI_TCPUDP;
416 if (plen < sizeof(struct tcphdr))
417 fi->fi_fl |= FI_SHORT;
421 if ((!IPMINLEN(ip, tcphdr) && !off) ||
422 (off && off < sizeof(struct tcphdr)))
423 fi->fi_fl |= FI_SHORT;
426 #if defined(KERNEL) && !defined(__sgi)
427 if (!off && !(fi->fi_fl & FI_SHORT)) {
428 int tlen = hlen + (tcp->th_off << 2);
430 if ((m != NULL) && (M_BLEN(m) < tlen)) {
431 ip = ipf_pullup(m, fin, tlen, ip);
434 tcp = (tcphdr_t *)((char *)ip + hlen);
437 #endif /* _KERNEL && !_sgi */
439 if (!(fi->fi_fl & FI_SHORT) && !off)
440 fin->fin_tcpf = tcp->th_flags;
443 fi->fi_fl |= FI_TCPUDP;
446 if (plen < sizeof(struct udphdr))
447 fi->fi_fl |= FI_SHORT;
451 if ((!IPMINLEN(ip, udphdr) && !off) ||
452 (off && off < sizeof(struct udphdr)))
453 fi->fi_fl |= FI_SHORT;
456 if (!off && (fin->fin_dlen > 3)) {
457 fin->fin_data[0] = ntohs(tcp->th_sport);
458 fin->fin_data[1] = ntohs(tcp->th_dport);
465 fi->fi_fl |= FI_SHORT;
469 if (((ip->ip_len < hlen + 8) && !off) ||
471 fi->fi_fl |= FI_SHORT;
478 fin->fin_dp = (char *)tcp;
489 for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
493 else if (opt == IPOPT_NOP)
499 if (ol < 2 || ol > hlen)
502 for (i = 9, mv = 4; mv >= 0; ) {
504 if (opt == (u_char)op->ol_val) {
505 optmsk |= op->ol_bit;
506 if (opt == IPOPT_SECURITY) {
511 sec = *(s + 2); /* classification */
512 for (j = 3, m = 2; m >= 0; ) {
514 if (sec == sp->ol_val) {
515 secmsk |= sp->ol_bit;
521 if (sec < sp->ol_val)
529 if (opt < op->ol_val)
537 if (auth && !(auth & 0x0100))
539 fi->fi_optmsk = optmsk;
540 fi->fi_secmsk = secmsk;
547 * check an IP packet for TCP/UDP characteristics such as ports and flags.
/*
 * fr_tcpudpchk - test a packet's TCP/UDP ports and, for TCP, its flags
 * against one rule's port/flag specification.
 *
 * ft:  the rule's comparison data.  ftu_dcmp / ftu_scmp select the
 *      comparison applied to the destination / source port, ftu_dtop /
 *      ftu_stop are the upper bounds used by the two range comparisons,
 *      and ftu_tcpf / ftu_tcpfm are the wanted TCP flags and their mask.
 * fin: packet information; fin_data[1] is compared as the destination
 *      port and fin_data[0] as the source port.
 *
 * For a TCP packet marked FI_SHORT the result is non-zero only when the
 * rule specifies neither flags nor a flag mask.
 * NOTE(review): the final return and the bodies of the comparison
 * branches are not visible in this excerpt; the caller in fr_scanlist()
 * treats a zero result as "rule does not match".
 */
549 int fr_tcpudpchk(ft, fin)
558 * Both ports should *always* be in the first fragment.
559 * So far, I cannot find any cases where they can not be.
561 * compare destination ports
/*
 * ftu_dcmp is a 1-based operator code.  Every "!--i" in the chain below
 * counts it down by one, so "!--i" can only be true in the branch whose
 * position equals the code; that branch is then taken when the packet
 * FAILS the comparison the rule asked for.  Once i has passed zero the
 * remaining branches can no longer be taken.
 */
563 if ((i = (int)ft->ftu_dcmp)) {
565 tup = fin->fin_data[1];
567 * Do opposite test to that required and
568 * continue if that succeeds.
570 if (!--i && tup != po) /* EQUAL */
572 else if (!--i && tup == po) /* NOTEQUAL */
574 else if (!--i && tup >= po) /* LESSTHAN */
576 else if (!--i && tup <= po) /* GREATERTHAN */
578 else if (!--i && tup > po) /* LT or EQ */
580 else if (!--i && tup < po) /* GT or EQ */
582 else if (!--i && /* Out of range */
583 (tup >= po && tup <= ft->ftu_dtop))
585 else if (!--i && /* In range */
586 (tup <= po || tup >= ft->ftu_dtop))
590 * compare source ports
/*
 * Same countdown dispatch for the source port, skipped entirely when the
 * destination test has already cleared err.
 */
592 if (err && (i = (int)ft->ftu_scmp)) {
594 tup = fin->fin_data[0];
595 if (!--i && tup != po)
597 else if (!--i && tup == po)
599 else if (!--i && tup >= po)
601 else if (!--i && tup <= po)
603 else if (!--i && tup > po)
605 else if (!--i && tup < po)
607 else if (!--i && /* Out of range */
608 (tup >= po && tup <= ft->ftu_stop))
610 else if (!--i && /* In range */
611 (tup <= po || tup >= ft->ftu_stop))
616 * If we don't have all the TCP/UDP header, then how can we
617 * expect to do any sort of match on it ? If we were looking for
618 * TCP flags, then NO match. If not, then match (which should
619 * satisfy the "short" class too).
621 if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
622 if (fin->fin_fl & FI_SHORT)
623 return !(ft->ftu_tcpf | ft->ftu_tcpfm);
625 * Match the flags ? If not, abort this match.
628 ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
629 FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
630 ft->ftu_tcpfm, ft->ftu_tcpf));
638 * Check the input/output list of rules for a match and result.
639 * Could be per interface, but this gets real nasty when you don't have
642 int fr_scanlist(passin, ip, fin, m)
649 fr_ip_t *fi = &fin->fin_fi;
650 int rulen, portcmp = 0, off, skip = 0, logged = 0;
651 u_32_t pass, passt, passl;
660 if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
663 for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
665 FR_VERBOSE(("%d (%#x)\n", skip, fr->fr_flags));
670 * In all checks below, a null (zero) value in the
671 * filter structure is taken to mean a wildcard.
673 * check that we are working for the right interface
677 if (fin->fin_out != 0) {
679 (fr->fr_oifa != ((mb_t *)m)->m_pkthdr.rcvif)))
684 if (opts & (OPT_VERBOSE|OPT_DEBUG))
688 FR_VERBOSE(("%c", fr->fr_skip ? 's' :
689 (pass & FR_PASS) ? 'p' :
690 (pass & FR_AUTH) ? 'a' :
691 (pass & FR_ACCOUNT) ? 'A' :
692 (pass & FR_NOMATCH) ? 'n' : 'b'));
694 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
699 u_32_t *ld, *lm, *lip;
703 lm = (u_32_t *)&fr->fr_mip;
704 ld = (u_32_t *)&fr->fr_ip;
705 i = ((*lip & *lm) != *ld);
706 FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
711 * We now know whether the packet version and the
712 * rule version match, along with protocol, ttl and
717 * Unrolled loops (4 each, for 32 bits).
719 FR_DEBUG(("1a. %#08x & %#08x != %#08x\n",
721 i |= ((*lip++ & *lm++) != *ld++) << 5;
723 FR_DEBUG(("1b. %#08x & %#08x != %#08x\n",
725 i |= ((*lip++ & *lm++) != *ld++) << 5;
726 FR_DEBUG(("1c. %#08x & %#08x != %#08x\n",
728 i |= ((*lip++ & *lm++) != *ld++) << 5;
729 FR_DEBUG(("1d. %#08x & %#08x != %#08x\n",
731 i |= ((*lip++ & *lm++) != *ld++) << 5;
737 i ^= (fr->fr_flags & FR_NOTSRCIP);
740 FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
742 i |= ((*lip++ & *lm++) != *ld++) << 6;
744 FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
746 i |= ((*lip++ & *lm++) != *ld++) << 6;
747 FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
749 i |= ((*lip++ & *lm++) != *ld++) << 6;
750 FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
752 i |= ((*lip++ & *lm++) != *ld++) << 6;
758 i ^= (fr->fr_flags & FR_NOTDSTIP);
761 FR_DEBUG(("3. %#08x & %#08x != %#08x\n",
763 i |= ((*lip++ & *lm++) != *ld++);
764 FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
766 i |= ((*lip & *lm) != *ld);
772 * If a fragment, then only the first has what we're looking
775 if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
778 if (fi->fi_fl & FI_TCPUDP) {
779 if (!fr_tcpudpchk(&fr->fr_tuc, fin))
781 } else if (fr->fr_icmpm || fr->fr_icmp) {
782 if (((fi->fi_p != IPPROTO_ICMP) &&
783 (fi->fi_p != IPPROTO_ICMPV6)) || off ||
786 if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
787 FR_DEBUG(("i. %#x & %#x != %#x\n",
788 fin->fin_data[0], fr->fr_icmpm,
795 if (fr->fr_flags & FR_NOMATCH) {
800 if (fr->fr_flags & FR_QUICK)
806 passt = fr->fr_flags;
809 #if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
810 if (securelevel <= 0)
812 if ((passt & FR_CALLNOW) && fr->fr_func)
813 passt = (*fr->fr_func)(passt, ip, fin);
816 * Just log this packet...
818 if ((passt & FR_LOGMASK) == FR_LOG) {
819 if (!IPLLOG(passt, ip, fin, m)) {
820 if (passt & FR_LOGORBLOCK)
821 passt |= FR_BLOCK|FR_QUICK;
822 ATOMIC_INCL(frstats[fin->fin_out].fr_skip);
824 ATOMIC_INCL(frstats[fin->fin_out].fr_pkl);
827 #endif /* IPFILTER_LOG */
828 ATOMIC_INCL(fr->fr_hits);
829 if (passt & FR_ACCOUNT)
830 fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
832 fin->fin_icode = fr->fr_icode;
833 fin->fin_rule = rulen;
834 fin->fin_group = fr->fr_group;
835 if (fr->fr_grp != NULL) {
836 fin->fin_fr = fr->fr_grp;
837 passt = fr_scanlist(passt, ip, fin, m);
838 if (fin->fin_fr == NULL) {
839 fin->fin_rule = rulen;
840 fin->fin_group = fr->fr_group;
843 if (passt & FR_DONTCACHE)
846 if (!(skip = fr->fr_skip) && (passt & FR_LOGMASK) != FR_LOG)
848 FR_DEBUG(("pass %#x\n", pass));
849 if (passt & FR_QUICK)
853 pass |= FR_DONTCACHE;
854 pass |= (fi->fi_fl << 24);
860 * frcheck - filter check
861 * check using source and destination addresses/ports in a packet whether
862 * or not to pass it on.
864 int fr_check(ip, hlen, ifp, out
865 #if defined(_KERNEL) && SOLARIS
878 * The above really sucks, but short of writing a diff
880 fr_info_t frinfo, *fc;
881 fr_info_t *fin = &frinfo;
882 int changed, error = EHOSTUNREACH, v = ip->ip_v;
883 frentry_t *fr = NULL, *list;
885 #if !SOLARIS || !defined(_KERNEL)
890 int p, len, drop = 0, logit = 0;
892 # if !defined(__SVR4) && !defined(__svr4__)
894 * We don't do this section for Solaris because fr_precheck() does a
895 * pullupmsg() instead, effectively achieving the same result as here
896 * so no need to duplicate it.
903 # if !defined(NETBSD_PF) && \
904 (defined(__DragonFly__) || (defined(__FreeBSD__) && (__FreeBSD_version < 500011)) || \
905 defined(__OpenBSD__) || defined(_BSDI_VERSION))
906 if (fr_checkp != fr_check && fr_running > 0) {
907 static int counter = 0;
910 kprintf("WARNING: fr_checkp corrupt: value %lx\n",
912 kprintf("WARNING: fr_checkp should be %lx\n",
914 kprintf("WARNING: fixing fr_checkp\n");
916 fr_checkp = fr_check;
918 if (counter == 10000)
925 * XXX For now, IP Filter and fast-forwarding of cached flows
926 * XXX are mutually exclusive. Eventually, IP Filter should
927 * XXX get a "can-fast-forward" filter rule.
929 m->m_flags &= ~M_CANFASTFWD;
930 # endif /* M_CANFASTFWD */
931 # ifdef CSUM_DELAY_DATA
933 * disable delayed checksums.
935 if ((out != 0) && (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA)) {
937 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
939 # endif /* CSUM_DELAY_DATA */
943 len = ntohs(((ip6_t*)ip)->ip6_plen);
945 return -1; /* potential jumbo gram */
946 len += sizeof(ip6_t);
947 p = ((ip6_t *)ip)->ip6_nxt;
958 if ((p == IPPROTO_TCP || p == IPPROTO_UDP ||
959 (v == 4 && p == IPPROTO_ICMP)
961 || (v == 6 && p == IPPROTO_ICMPV6)
966 if ((v == 6) || (ip->ip_off & IP_OFFMASK) == 0)
970 plen = sizeof(tcphdr_t);
973 plen = sizeof(udphdr_t);
975 /* 96 - enough for complete ICMP error IP header */
977 plen = ICMPERR_MAXPKTLEN - sizeof(ip_t);
983 case IPPROTO_ICMPV6 :
985 * XXX does not take intermediate header
988 plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t);
992 if ((plen > 0) && (len < hlen + plen))
993 fin->fin_fl |= FI_SHORT;
994 up = MIN(hlen + plen, len);
998 /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */
999 if ((up > sizeof(hbuf)) || (m_length(m) < up)) {
1000 ATOMIC_INCL(frstats[out].fr_pull[1]);
1003 m_copydata(m, 0, up, hbuf);
1004 ATOMIC_INCL(frstats[out].fr_pull[0]);
1009 * Having determined that we need to pullup some data,
1010 * try to bring as much of the packet up into a single
1011 * buffer with the first pullup. This hopefully means
1012 * less need for doing further pullups. Not needed for
1013 * Solaris because fr_precheck() does it anyway.
1015 * The main potential for trouble here is if MLEN/MHLEN
1016 * become quite small, lets say < 64 bytes...but if
1017 * that did happen, BSD networking as a whole would be
1022 * Assume that M_PKTHDR is set and just work with what
1023 * is left rather than check.. Should not make any
1024 * real difference, anyway.
1026 if ((MHLEN > up) && (len > up))
1027 up = MIN(len, MHLEN);
1029 if ((MLEN > up) && (len > up))
1030 up = MIN(len, MLEN);
1032 ip = ipf_pullup(m, fin, up, ip);
1036 # endif /* !linux */
1042 # endif /* !defined(__SVR4) && !defined(__svr4__) */
1044 mb_t *m = qif->qf_m;
1046 if ((u_int)ip & 0x3)
1056 #endif /* _KERNEL */
1061 if (fr_makefrip(hlen, ip, fin) == -1)
1067 ATOMIC_INCL(frstats[0].fr_ipv6[out]);
1068 if (((ip6_t *)ip)->ip6_hlim < fr_minttl) {
1069 ATOMIC_INCL(frstats[0].fr_badttl);
1070 if (fr_minttllog & 1)
1072 if (fr_minttllog & 2)
1078 if (fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) {
1079 ATOMIC_INCL(frstats[0].fr_badsrc);
1084 } else if (ip->ip_ttl < fr_minttl) {
1085 ATOMIC_INCL(frstats[0].fr_badttl);
1086 if (fr_minttllog & 1)
1088 if (fr_minttllog & 2)
1093 # ifdef IPFILTER_LOG
1095 fin->fin_group = logit;
1096 pass = FR_INQUE|FR_NOMATCH|FR_LOGB;
1097 (void) IPLLOG(pass, ip, fin, m);
1107 if (fin->fin_fl & FI_SHORT) {
1108 ATOMIC_INCL(frstats[out].fr_short);
1111 READ_ENTER(&ipf_mutex);
1114 * Check auth now. This, combined with the check below to see if apass
1115 * is 0 is to ensure that we don't count the packet twice, which can
1116 * otherwise occur when we reprocess it. As it is, we only count it
1117 * after it has no auth. table matchup. This also stops NAT from
1118 * occurring until after the packet has been auth'd.
1120 apass = fr_checkauth(ip, fin);
1125 list = ipacct6[0][fr_active];
1128 list = ipacct[0][fr_active];
1129 changed = ip_natin(ip, fin);
1130 if (!apass && (fin->fin_fr = list) &&
1131 (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
1132 ATOMIC_INCL(frstats[0].fr_acct);
1137 if ((fin->fin_fl & FI_FRAG) == FI_FRAG)
1138 fr = ipfr_knownfrag(ip, fin);
1139 if (!fr && !(fin->fin_fl & FI_SHORT))
1140 fr = fr_checkstate(ip, fin);
1142 pass = fr->fr_flags;
1143 if (fr && (pass & FR_LOGFIRST))
1144 pass &= ~(FR_LOGFIRST|FR_LOG);
1149 * If a packet is found in the auth table, then skip checking
1150 * the access lists for permission but we do need to consider
1151 * the result as if it were from the ACL's.
1155 if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
1157 * copy cached data so we can unlock the mutex
1160 bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
1161 ATOMIC_INCL(frstats[out].fr_chit);
1162 if ((fr = fin->fin_fr)) {
1163 ATOMIC_INCL(fr->fr_hits);
1164 pass = fr->fr_flags;
1169 list = ipfilter6[out][fr_active];
1172 list = ipfilter[out][fr_active];
1173 if ((fin->fin_fr = list))
1174 pass = fr_scanlist(fr_pass, ip, fin, m);
1175 if (!(pass & (FR_KEEPSTATE|FR_DONTCACHE)))
1176 bcopy((char *)fin, (char *)fc,
1178 if (pass & FR_NOMATCH) {
1179 ATOMIC_INCL(frstats[out].fr_nom);
1188 * If we fail to add a packet to the authorization queue,
1189 * then we drop the packet later. However, if it was added
1190 * then pretend we've dropped it already.
1192 if ((pass & FR_AUTH)) {
1193 if (fr_newauth((mb_t *)m, fin, ip) != 0) {
1200 if (pass & FR_PREAUTH) {
1201 READ_ENTER(&ipf_auth);
1202 if ((fin->fin_fr = ipauth) &&
1203 (pass = fr_scanlist(0, ip, fin, m))) {
1204 ATOMIC_INCL(fr_authstats.fas_hits);
1206 ATOMIC_INCL(fr_authstats.fas_miss);
1208 RWLOCK_EXIT(&ipf_auth);
1212 if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
1213 if (fin->fin_fl & FI_FRAG) {
1214 if (ipfr_newfrag(ip, fin) == -1) {
1215 ATOMIC_INCL(frstats[out].fr_bnfr);
1217 ATOMIC_INCL(frstats[out].fr_nfr);
1220 ATOMIC_INCL(frstats[out].fr_cfr);
1223 if (pass & FR_KEEPSTATE) {
1224 if (fr_addstate(ip, fin, NULL, 0) == NULL) {
1225 ATOMIC_INCL(frstats[out].fr_bads);
1226 if (pass & FR_PASS) {
1231 ATOMIC_INCL(frstats[out].fr_ads);
1234 } else if (fr != NULL) {
1235 pass = fr->fr_flags;
1236 if (pass & FR_LOGFIRST)
1237 pass &= ~(FR_LOGFIRST|FR_LOG);
1240 #if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
1241 if (securelevel <= 0)
1243 if (fr && fr->fr_func && !(pass & FR_CALLNOW))
1244 pass = (*fr->fr_func)(pass, ip, fin);
1247 * Only count/translate packets which will be passed on, out the
1250 if (out && (pass & FR_PASS)) {
1253 list = ipacct6[1][fr_active];
1256 list = ipacct[1][fr_active];
1261 sg = fin->fin_group;
1263 if (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT) {
1264 ATOMIC_INCL(frstats[1].fr_acct);
1266 fin->fin_group = sg;
1270 changed = ip_natout(ip, fin);
1273 RWLOCK_EXIT(&ipf_mutex);
1276 if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
1277 if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
1278 pass |= FF_LOGNOMATCH;
1279 ATOMIC_INCL(frstats[out].fr_npkl);
1281 } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
1282 ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
1283 if ((pass & FR_LOGMASK) != FR_LOGP)
1285 ATOMIC_INCL(frstats[out].fr_ppkl);
1287 } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
1288 ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
1289 if ((pass & FR_LOGMASK) != FR_LOGB)
1290 pass |= FF_LOGBLOCK;
1291 ATOMIC_INCL(frstats[out].fr_bpkl);
1293 if (!IPLLOG(pass, ip, fin, m)) {
1294 ATOMIC_INCL(frstats[out].fr_skip);
1295 if ((pass & (FR_PASS|FR_LOGORBLOCK)) ==
1296 (FR_PASS|FR_LOGORBLOCK))
1297 pass ^= FR_PASS|FR_BLOCK;
1301 #endif /* IPFILTER_LOG */
1305 * Only allow FR_DUP to work if a rule matched - it makes no sense to
1306 * set FR_DUP as a "default" as there are no instructions about where
1307 * to send the packet.
1309 if (fr && (pass & FR_DUP))
1313 # if defined(__OpenBSD__) && (OpenBSD >= 199905)
1314 mc = m_copym2(m, 0, M_COPYALL, M_DONTWAIT);
1316 mc = m_copy(m, 0, M_COPYALL);
1320 if (pass & FR_PASS) {
1321 ATOMIC_INCL(frstats[out].fr_pass);
1322 } else if (pass & FR_BLOCK) {
1323 ATOMIC_INCL(frstats[out].fr_block);
1325 * Should we return an ICMP packet to indicate error
1326 * status passing through the packet filter ?
1327 * WARNING: ICMP error packets AND TCP RST packets should
1328 * ONLY be sent in response to incoming packets. Sending them
1329 * in response to outbound packets can result in a panic on
1330 * some operating systems.
1335 * If a packet results in a NAT error, do not
1336 * send a reset or ICMP error as it may disrupt
1337 * an existing flow. This is the proxy saying
1338 * the content is bad so just drop the packet
1342 else if (pass & FR_RETICMP) {
1345 if ((pass & FR_RETMASK) == FR_FAKEICMP)
1349 send_icmp_err(ip, ICMP_UNREACH, fin, dst);
1350 ATOMIC_INCL(frstats[0].fr_ret);
1351 } else if (((pass & FR_RETMASK) == FR_RETRST) &&
1352 !(fin->fin_fl & FI_SHORT)) {
1353 if (send_reset(ip, fin) == 0) {
1354 ATOMIC_INCL(frstats[1].fr_ret);
1358 if (pass & FR_RETRST)
1364 * If we didn't drop off the bottom of the list of rules (and thus
1365 * the 'current' rule fr is not NULL), then we may have some extra
1366 * instructions about what to do with a packet.
1367 * Once we're finished return to our caller, freeing the packet if
1368 * we are dropping it (* BSD ONLY *).
1370 if ((changed == -1) && (pass & FR_PASS)) {
1374 #if defined(_KERNEL)
1376 # if !defined(linux)
1378 frdest_t *fdp = &fr->fr_tif;
1380 if (((pass & FR_FASTROUTE) && !out) ||
1381 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
1382 (void) ipfr_fastroute(m, mp, fin, fdp);
1387 (void) ipfr_fastroute(mc, &mc, fin, &fr->fr_dif);
1390 if (!(pass & FR_PASS) && m) {
1395 else if (changed && up && m)
1396 m_copyback(m, 0, up, hbuf);
1398 # endif /* !linux */
1399 # else /* !SOLARIS */
1401 frdest_t *fdp = &fr->fr_tif;
1403 if (((pass & FR_FASTROUTE) && !out) ||
1404 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1))
1405 (void) ipfr_fastroute(ip, m, mp, fin, fdp);
1408 (void) ipfr_fastroute(ip, mc, &mc, fin, &fr->fr_dif);
1410 # endif /* !SOLARIS */
1411 #if (OpenBSD >= 200311) && defined(_KERNEL)
1412 if (pass & FR_PASS) {
1413 ip->ip_len = htons(ip->ip_len);
1414 ip->ip_off = htons(ip->ip_off);
1417 return (pass & FR_PASS) ? 0 : error;
1419 if (pass & FR_NOMATCH)
1425 if ((pass & FR_RETMASK) == FR_RETRST)
1427 if ((pass & FR_RETMASK) == FR_RETICMP)
1429 if ((pass & FR_RETMASK) == FR_FAKEICMP)
1432 #endif /* _KERNEL */
1438 * addr should be 16bit aligned and len is in bytes.
1439 * length is in bytes
/*
 * ipf_cksum - checksum a buffer two bytes at a time.
 *
 * addr: start of the data (the existing comment asks for 16-bit
 *       alignment).
 * len:  number of bytes to cover; the loop consumes two bytes per step
 *       and a leftover odd byte is added on its own.
 *
 * Returns the bitwise complement of the accumulated sum after the upper
 * 16 bits have been folded back into the lower 16, truncated to u_short.
 */
1441 u_short ipf_cksum(addr, len)
1447 for (sum = 0; len > 1; len -= 2)
1450 /* mop up an odd byte, if necessary */
1452 sum += *(u_char *)addr;
1455 * add back carry outs from top 16 bits to low 16 bits
/* Two-step fold: the first add may itself carry, the second absorbs it. */
1457 sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
1458 sum += (sum >> 16); /* add carry */
1459 return (u_short)(~sum);
1464 * NB: This function assumes we've pullup'd enough for all of the IP header
1465 * and the TCP header. We also assume that data blocks aren't allocated in
/*
 * fr_tcpsum - compute the TCP checksum of the packet held in m.
 *
 * m:   buffer (mbuf chain) holding the packet.
 * ip:  the packet's IP header; ip_hl, ip_len, ip_p and the address
 *      fields starting at ip_src are read.
 * tcp: the packet's TCP header.
 *
 * The sum is seeded with the protocol number and the source/destination
 * address words, then completed by one of three platform-specific paths:
 * ip_cksum() in the SOLARIS branch, in_cksum() when BSD or sun is
 * defined, and otherwise a manual 16-bit walk over the header and the
 * mbuf chain.  Each path leaves the complemented 16-bit result in sum2.
 * NOTE(review): the return statement and several conditionals are not
 * visible in this excerpt.
 */
1468 u_short fr_tcpsum(m, ip, tcp)
1473 u_short *sp, slen, ts;
1478 * Add up IP Header portion
1480 hlen = ip->ip_hl << 2;
1481 slen = ip->ip_len - hlen;
1482 sum = htons((u_short)ip->ip_p);
1484 sp = (u_short *)&ip->ip_src;
1485 sum += *sp++; /* ip_src */
1487 sum += *sp++; /* ip_dst */
/* SOLARIS branch: ip_cksum() continues from the partial sum at offset hlen. */
1493 sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */
1494 sum2 = (sum2 & 0xffff) + (sum2 >> 16);
1495 sum2 = ~sum2 & 0xffff;
1496 # else /* SOLARIS */
1497 # if defined(BSD) || defined(sun)
1504 sum2 = in_cksum(m, slen);
1512 * Both sum and sum2 are partial sums, so combine them together.
1514 sum += ~sum2 & 0xffff;
1515 while (sum > 0xffff)
1516 sum = (sum & 0xffff) + (sum >> 16);
1517 sum2 = ~sum & 0xffff;
1518 # else /* defined(BSD) || defined(sun) */
1524 u_short len = ip->ip_len;
1530 * Add up IP Header portion
1532 sp = (u_short *)&ip->ip_src;
1533 len -= (ip->ip_hl << 2);
1534 sum = ntohs(IPPROTO_TCP);
1536 sum += *sp++; /* ip_src */
1538 sum += *sp++; /* ip_dst */
/* Jump to the TCP header if the address words did not end exactly there. */
1540 if (sp != (u_short *)tcp)
1541 sp = (u_short *)tcp;
1542 sum += *sp++; /* sport */
1543 sum += *sp++; /* dport */
1544 sum += *sp++; /* seq */
1546 sum += *sp++; /* ack */
1548 sum += *sp++; /* off */
1549 sum += *sp++; /* win */
1550 sum += *sp++; /* Skip over checksum */
1551 sum += *sp++; /* urp */
1555 * In case we had to copy the IP & TCP header out of mbufs,
1556 * skip over the mbuf bits which are the header
1558 if ((caddr_t)ip != mtod(m, caddr_t)) {
1559 hlen = (caddr_t)sp - (caddr_t)ip;
1561 add = MIN(hlen, m->m_len);
1562 sp = (u_short *)(mtod(m, caddr_t) + add);
1564 if (add == m->m_len) {
1569 sp = mtod(m, u_short *);
1571 PANIC((!m),("fr_tcpsum(1): not enough data"));
1577 if (!(len -= sizeof(*tcp)))
/* sp has run off the end of the current mbuf: restart at the next one. */
1580 if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
1582 PANIC((!m),("fr_tcpsum(2): not enough data"));
1583 sp = mtod(m, u_short *);
/* A 16-bit word straddles two mbufs: assemble it one byte from each. */
1585 if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) {
1586 bytes.c[0] = *(u_char *)sp;
1588 PANIC((!m),("fr_tcpsum(3): not enough data"));
1589 sp = mtod(m, u_short *);
1590 bytes.c[1] = *(u_char *)sp;
1592 sp = (u_short *)((u_char *)sp + 1);
/* sp is at an odd address: copy the word out instead of dereferencing it. */
1594 if ((u_long)sp & 1) {
1595 bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
1602 sum += ntohs(*(u_char *)sp << 8);
1604 while (sum > 0xffff)
1605 sum = (sum & 0xffff) + (sum >> 16);
1606 sum2 = (u_short)(~sum & 0xffff);
1608 # endif /* defined(BSD) || defined(sun) */
1609 # endif /* SOLARIS */
1611 for (; slen > 1; slen -= 2)
1614 sum += ntohs(*(u_char *)sp << 8);
1615 while (sum > 0xffff)
1616 sum = (sum & 0xffff) + (sum >> 16);
1617 sum2 = (u_short)(~sum & 0xffff);
1624 #if defined(_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || defined(__sgi) )
1626 * Copyright (c) 1982, 1986, 1988, 1991, 1993
1627 * The Regents of the University of California. All rights reserved.
1629 * Redistribution and use in source and binary forms, with or without
1630 * modification, are permitted provided that the following conditions
1632 * 1. Redistributions of source code must retain the above copyright
1633 * notice, this list of conditions and the following disclaimer.
1634 * 2. Redistributions in binary form must reproduce the above copyright
1635 * notice, this list of conditions and the following disclaimer in the
1636 * documentation and/or other materials provided with the distribution.
1637 * 3. All advertising materials mentioning features or use of this software
1638 * must display the following acknowledgement:
1639 * This product includes software developed by the University of
1640 * California, Berkeley and its contributors.
1641 * 4. Neither the name of the University nor the names of its contributors
1642 * may be used to endorse or promote products derived from this software
1643 * without specific prior written permission.
1645 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1646 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1647 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1648 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1649 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1650 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1651 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1652 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1653 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1654 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1657 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
1658 * $Id: fil.c,v 2.35.2.82 2004/06/20 10:27:47 darrenr Exp $
1661 * Copy data from an mbuf chain starting "off" bytes from the beginning,
1662 * continuing for "len" bytes, into the indicated buffer.
/*
 * m_copydata: copies from mbuf chain "m", beginning "off" bytes in and
 * running for "len" bytes, into the buffer "cp".
 * NOTE(review): only part of the body is visible in this excerpt.
 */
1665 m_copydata(m, off, len, cp)
/* A negative offset or length is treated as fatal. */
1673 if (off < 0 || len < 0)
1674 panic("m_copydata");
/* NOTE(review): the conditions guarding the next two panics are not visible here. */
1677 panic("m_copydata");
1685 panic("m_copydata");
/* Take what this mbuf holds past "off", but never more than "len". */
1686 count = MIN(m->m_len - off, len);
1687 bcopy(mtod(m, caddr_t) + off, cp, count);
1698 * Copy data from a buffer back into the indicated mbuf chain,
1699 * starting "off" bytes from the beginning, extending the mbuf
1700 * chain if necessary.
/*
 * m_copyback: writes "len" bytes from "cp" into mbuf chain "m0" starting
 * "off" bytes from its beginning, obtaining further mbufs when the chain
 * has no successor.
 * NOTE(review): loop exits and allocation-failure handling are not visible
 * in this excerpt.
 */
1703 m_copyback(m0, off, len, cp)
1710 struct mbuf *m = m0, *n;
/* Move along the chain while "off" lies beyond the current mbuf's length. */
1715 while (off > (mlen = m->m_len)) {
/* No successor: a new mbuf of the same type is obtained with m_getclr(). */
1718 if (m->m_next == 0) {
/* DragonFly spells the no-wait allocation flag MB_DONTWAIT. */
1719 #ifdef __DragonFly__
1720 n = m_getclr(MB_DONTWAIT, m->m_type);
1722 n = m_getclr(M_DONTWAIT, m->m_type);
/* The new mbuf's length is capped at MLEN. */
1726 n->m_len = min(MLEN, len + off);
/* Copy what fits in this mbuf past "off", at most "len" bytes. */
1732 mlen = min (m->m_len - off, len);
1733 bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
/* No successor: obtain another mbuf with m_get() and size it for the data. */
1741 if (m->m_next == 0) {
1742 #ifdef __DragonFly__
1743 n = m_get(MB_DONTWAIT, m->m_type);
1745 n = m_get(M_DONTWAIT, m->m_type);
1749 n->m_len = min(MLEN, len);
/* When the head mbuf has a packet header, raise its length to totlen if smaller. */
1756 if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
1757 m->m_pkthdr.len = totlen;
1762 #endif /* (_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || __sgi) */
/*
 * fr_findgroup: look up the rule group numbered "num".  "which" and "flags"
 * choose the group table and "set" chooses the slot within it.
 * NOTE(review): the use of "fgpp" and the return statements are not visible
 * in this excerpt.
 */
1765 frgroup_t *fr_findgroup(num, flags, which, set, fgpp)
1771 frgroup_t *fg, **fgp;
/*
 * Table selection: IPL_LOGAUTH uses ipfgroups[2], accounting rules use
 * ipfgroups[1], and in/out filter rules use ipfgroups[0].
 */
1773 if (which == IPL_LOGAUTH)
1774 fgp = &ipfgroups[2][set];
1775 else if (flags & FR_ACCOUNT)
1776 fgp = &ipfgroups[1][set];
1777 else if (flags & (FR_OUTQUE|FR_INQUE))
1778 fgp = &ipfgroups[0][set];
/* A group matches when its fg_num equals "num". */
1783 if (fg->fg_num == num)
/*
 * fr_addgroup: set up group "num" for the rule "fp".
 * NOTE(review): what is returned when the group already exists, and the
 * remaining initialisation, are not visible in this excerpt.
 */
1793 frgroup_t *fr_addgroup(num, fp, which, set)
1799 frgroup_t *fg, **fgp;
/* Check for an existing group first; fgp is filled in by the lookup. */
1801 if ((fg = fr_findgroup(num, fp->fr_flags, which, set, &fgp)))
/* Allocate a new group record. */
1804 KMALLOC(fg, frgroup_t *);
/* The group's start pointer refers to the rule's fr_grp member. */
1809 fg->fg_start = &fp->fr_grp;
/*
 * fr_delgroup: operates on the group numbered "num", located with the same
 * arguments fr_findgroup() takes.
 * NOTE(review): presumably removes the group (per its name); only the
 * initial lookup is visible in this excerpt.
 */
1816 void fr_delgroup(num, flags, which, set)
1821 frgroup_t *fg, **fgp;
/* The not-found case is handled by a statement not visible here. */
1823 if (!(fg = fr_findgroup(num, flags, which, set, &fgp)))
1833 * Recursively flush rules from the list, descending into groups as they are
1834 * encountered. If a rule is the head of a group and it has lost all its
1835 * group members, then also delete the group reference.
/*
 * frflushlist: empty the rule list at *listp, recursing into each rule's
 * fr_grp list.  "set", "unit" and "nfreedp" are passed unchanged to the
 * recursive call.
 * NOTE(review): the return value and the use of "nfreedp" are not visible
 * in this excerpt.
 */
1837 static int frflushlist(set, unit, nfreedp, listp)
/* Unlink rules from the head of the list one at a time. */
1846 while ((fp = *listp)) {
1847 *listp = fp->fr_next;
/* Flush the list hanging off this rule's fr_grp. */
1849 i = frflushlist(set, unit, nfreedp, &fp->fr_grp);
/* NOTE(review): the statement protected by ipf_rw is not visible here. */
1850 MUTEX_ENTER(&ipf_rw);
1852 MUTEX_EXIT(&ipf_rw);
/* Drop one reference on the rule. */
1855 ATOMIC_DEC32(fp->fr_ref);
/* A rule with a non-zero fr_grhead also has that group deleted. */
1856 if (fp->fr_grhead) {
1857 fr_delgroup(fp->fr_grhead, fp->fr_flags,
/* NOTE(review): the action taken at zero references is not visible here. */
1861 if (fp->fr_ref == 0) {
/*
 * frflush: flush the filter and accounting rule lists.
 *   unit  - compared against IPL_LOGIPF before anything is flushed.
 *   proto - 0 flushes both address families, 4 only the IPv4 lists,
 *           6 only the IPv6 lists.
 *   flags - FR_OUTQUE and/or FR_INQUE pick the direction; FR_INACTIVE is
 *           also tested.
 * NOTE(review): the effect of FR_INACTIVE on "set" and the return statement
 * are not visible in this excerpt.
 */
1872 int frflush(unit, proto, flags)
1876 int flushed = 0, set;
/* Units other than IPL_LOGIPF are handled by a statement not visible here. */
1878 if (unit != IPL_LOGIPF)
/* The lists are modified with ipf_mutex held for writing. */
1880 WRITE_ENTER(&ipf_mutex);
/* Clear two frcache entries. */
1881 bzero((char *)frcache, sizeof(frcache[0]) * 2);
1884 if (flags & FR_INACTIVE)
/* FR_OUTQUE: the lists at index 1 are flushed. */
1887 if (flags & FR_OUTQUE) {
/* IPv6 filter and accounting lists. */
1889 if (proto == 0 || proto == 6) {
1890 (void) frflushlist(set, unit,
1891 &flushed, &ipfilter6[1][set]);
1892 (void) frflushlist(set, unit,
1893 &flushed, &ipacct6[1][set]);
/* IPv4 filter and accounting lists. */
1896 if (proto == 0 || proto == 4) {
1897 (void) frflushlist(set, unit,
1898 &flushed, &ipfilter[1][set]);
1899 (void) frflushlist(set, unit,
1900 &flushed, &ipacct[1][set]);
/* FR_INQUE: the lists at index 0 are flushed. */
1903 if (flags & FR_INQUE) {
1905 if (proto == 0 || proto == 6) {
1906 (void) frflushlist(set, unit,
1907 &flushed, &ipfilter6[0][set]);
1908 (void) frflushlist(set, unit,
1909 &flushed, &ipacct6[0][set]);
1912 if (proto == 0 || proto == 4) {
1913 (void) frflushlist(set, unit,
1914 &flushed, &ipfilter[0][set]);
1915 (void) frflushlist(set, unit,
1916 &flushed, &ipacct[0][set]);
1919 RWLOCK_EXIT(&ipf_mutex);
/*
 * memstr: compares the "slen"-byte sequence at "src" against the buffer
 * "dst", which holds "dlen" bytes.
 * NOTE(review): how "dst" and "dlen" advance and what is returned are not
 * visible in this excerpt.
 */
1924 char *memstr(src, dst, slen, dlen)
/* Continue only while at least slen bytes remain in dst. */
1930 while (dlen >= slen) {
/* A match is slen bytes of dst equal to src. */
1931 if (bcmp(src, dst, slen) == 0) {
/*
 * fixskip: adjust the fr_skip values of the rules that come before "rp" in
 * the list at *listp by "addremove".
 * NOTE(review): statements between the two loops are not visible in this
 * excerpt.
 */
1942 void fixskip(listp, rp, addremove)
1943 frentry_t **listp, *rp;
1947 int rules = 0, rn = 0;
/* First pass: count the rules ahead of rp (or the whole list if rp is absent). */
1949 for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++)
/*
 * Second pass: rn is the position of fp.  Only a non-zero skip that reaches
 * position "rules" or beyond is adjusted.
 */
1955 for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
1956 if (fp->fr_skip && (rn + fp->fr_skip >= rules))
1957 fp->fr_skip += addremove;
1963 * count consecutive 1's in bit mask. If the mask generated by counting
1964 * consecutive 1's is different to that passed, return -1, else return #
/* Work on the mask in host byte order. */
1973 ip = ipn = ntohl(ip);
/* Test the top bit 32 times; doubling ipn moves the next bit into place. */
1974 for (i = 32; i; i--, ipn *= 2)
1975 if (ipn & 0x80000000)
/* NOTE(review): the body of this second loop is not visible in this excerpt. */
1980 for (i = 32, j = cnt; i; i--, j--) {
1992 * return the first IP Address associated with an interface
/*
 * fr_ifpaddr: obtain an address of the interface "ifptr" for IP version "v"
 * and store it through "inp".  There is a Solaris variant and a BSD-style
 * variant that walks the interface's address list.
 * NOTE(review): return values and several branch conditions are not visible
 * in this excerpt.
 */
1994 int fr_ifpaddr(v, ifptr, inp)
1997 struct in_addr *inp;
2000 struct in6_addr *inp6 = NULL;
2005 struct ifnet *ifp = ifptr;
2012 struct in6_addr in6;
2015 * First is always link local.
/*
 * Solaris, IPv6: the address is taken from the second ipif when there is
 * one.  NOTE(review): the bzero() below is presumably the fallback; the
 * else line is not visible.
 */
2017 if (ill->ill_ipif->ipif_next)
2018 in6 = ill->ill_ipif->ipif_next->ipif_v6lcl_addr;
2020 bzero((char *)&in6, sizeof(in6));
2021 bcopy((char *)&in6, (char *)inp, sizeof(in6));
/* Solaris, IPv4: local address of the first ipif. */
2025 in.s_addr = ill->ill_ipif->ipif_local_addr;
2028 # else /* SOLARIS */
2032 struct sockaddr_in *sin;
2034 #ifdef __DragonFly__
2035 struct ifaddr_container *ifac;
/* Fetch the head of the interface's address list; its layout is per-platform. */
2038 # if defined(__DragonFly__)
2039 ifac = TAILQ_FIRST(&ifp->if_addrheads[mycpuid]);
2044 # elif defined(__FreeBSD__) && (__FreeBSD_version >= 300000)
2045 ifa = TAILQ_FIRST(&ifp->if_addrhead);
2047 # if defined(__NetBSD__) || defined(__OpenBSD__)
2048 ifa = ifp->if_addrlist.tqh_first;
2050 # if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
2051 ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa;
2053 ifa = ifp->if_addrlist;
2055 # endif /* __NetBSD__ || __OpenBSD__ */
2056 # endif /* __FreeBSD_version >= 300000 */
/* ifa_addr is taken by address in the first variant and used as a pointer in the second. */
2057 # if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK))
2058 sin = (struct sockaddr_in *)&ifa->ifa_addr;
2060 sin = (struct sockaddr_in *)ifa->ifa_addr;
/* Walk the address list, testing each entry's family against "v". */
2061 while (sin && ifa) {
2062 if ((v == 4) && (sin->sin_family == AF_INET))
/* For IPv6 the test singles out addresses that are neither link-local nor loopback. */
2065 if ((v == 6) && (sin->sin_family == AF_INET6)) {
2066 inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
2067 if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
2068 !IN6_IS_ADDR_LOOPBACK(inp6))
/* Advance to the next address on the list. */
2072 # if defined(__DragonFly__)
2073 ifac = TAILQ_NEXT(ifac, ifa_link);
2078 # elif defined(__FreeBSD__) && (__FreeBSD_version >= 300000)
2079 ifa = TAILQ_NEXT(ifa, ifa_link);
2081 # if defined(__NetBSD__) || defined(__OpenBSD__)
2082 ifa = ifa->ifa_list.tqe_next;
2084 ifa = ifa->ifa_next;
2086 # endif /* __FreeBSD_version >= 300000 */
2088 sin = (struct sockaddr_in *)ifa->ifa_addr;
2094 # endif /* (BSD < 199306) && !(__sgi && IFF_DRVRLOCK) */
/* Copy the IPv6 address referenced by inp6 out through inp. */
2097 bcopy((char *)inp6, (char *)inp, sizeof(*inp6));
2105 # endif /* SOLARIS */
/*
 * frsynclist: for every rule on the list "fr", and recursively for every
 * rule on its fr_grp list, re-resolve the interface names stored in the
 * rule into interface pointers.
 */
2110 static void frsynclist(fr)
2116 for (; fr; fr = fr->fr_next) {
/*
 * Each rule has four interface name slots.  A name that is exactly "-" or
 * "*" maps to NULL; any other non-empty name is looked up with GETUNIT(),
 * and a failed lookup is recorded as (void *)-1.
 */
2117 for (i = 0; i < 4; i++) {
2118 if ((fr->fr_ifnames[i][1] == '\0') &&
2119 ((fr->fr_ifnames[i][0] == '-') ||
2120 (fr->fr_ifnames[i][0] == '*'))) {
2121 fr->fr_ifas[i] = NULL;
2122 } else if (*fr->fr_ifnames[i]) {
2123 fr->fr_ifas[i] = GETUNIT(fr->fr_ifnames[i],
2125 if (!fr->fr_ifas[i])
2126 fr->fr_ifas[i] = (void *)-1;
/*
 * FR_DUP is cleared here and set again below.
 * NOTE(review): which destination "fdp" refers to, and the exact conditions
 * for the -1 marker and for re-setting FR_DUP, are not visible here.
 */
2131 fr->fr_flags &= ~FR_DUP;
2132 if (*fdp->fd_ifname) {
2133 fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fr->fr_v);
2135 fdp->fd_ifp = (struct ifnet *)-1;
2137 fr->fr_flags |= FR_DUP;
/* Same name-to-pointer resolution for another fdp (assignment not visible). */
2141 if (*fdp->fd_ifname) {
2142 fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fr->fr_v);
2144 fdp->fd_ifp = (struct ifnet *)-1;
/* Descend into the rules grouped under this one. */
2148 frsynclist(fr->fr_grp);
/*
 * Iterate over the system interface list; the list head and link member
 * differ by platform.  NOTE(review): the loop body is not visible here.
 */
2158 # if defined(__DragonFly__) || defined(__OpenBSD__) || ((NetBSD >= 199511) && (NetBSD < 1991011)) || \
2159 (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000))
2160 # if (NetBSD >= 199905) || defined(__OpenBSD__)
2161 for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next)
2163 for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_link.tqe_next)
2166 for (ifp = ifnet; ifp; ifp = ifp->if_next)
/* ip_natsync() is called with the (struct ifnet *)-1 marker. */
2172 ip_natsync((struct ifnet *)-1);
2173 # endif /* !SOLARIS */
/* Re-resolve interfaces for the active rule set with ipf_mutex held for writing. */
2175 WRITE_ENTER(&ipf_mutex);
2176 frsynclist(ipacct[0][fr_active]);
2177 frsynclist(ipacct[1][fr_active]);
2178 frsynclist(ipfilter[0][fr_active]);
2179 frsynclist(ipfilter[1][fr_active]);
/* The IPv6 lists get the same treatment. */
2181 frsynclist(ipacct6[0][fr_active]);
2182 frsynclist(ipacct6[1][fr_active]);
2183 frsynclist(ipfilter6[0][fr_active]);
2184 frsynclist(ipfilter6[1][fr_active]);
2186 RWLOCK_EXIT(&ipf_mutex);
2191 * In the functions below, bcopy() is called because the pointer being
2192 * copied _from_ in this instance is a pointer to a char buf (which could
2193 * end up being unaligned) that lives on the kernel's local stack.
/*
 * ircopyptr: "a" holds a pointer value.  That pointer is fetched into "ca"
 * and "c" bytes are then copied in from it to "b".
 * NOTE(review): two ways of fetching the pointer appear (copyin and bcopy);
 * the conditional choosing between them and the return are not visible.
 */
2195 int ircopyptr(a, b, c)
2203 if (copyin(a, (char *)&ca, sizeof(ca)))
2206 bcopy(a, &ca, sizeof(ca));
/* Copy c bytes from the fetched address into b. */
2208 err = copyin(ca, b, c);
/*
 * iwcopyptr: "b" holds a pointer value.  That pointer is fetched into "ca"
 * and "c" bytes are then copied out from "a" to it.
 * NOTE(review): two ways of fetching the pointer appear (copyin and bcopy);
 * the conditional choosing between them and the return are not visible.
 */
2215 int iwcopyptr(a, b, c)
2223 if (copyin(b, (char *)&ca, sizeof(ca)))
2226 bcopy(b, &ca, sizeof(ca));
/* Copy c bytes from a out to the fetched address. */
2228 err = copyout(a, ca, c);
2238 * return the first IP Address associated with an interface
/*
 * Second definition of fr_ifpaddr in this file.
 * NOTE(review): presumably the alternative build variant; the selecting
 * conditional and the body are not visible in this excerpt.
 */
2240 int fr_ifpaddr(v, ifptr, inp)
2243 struct in_addr *inp;
/*
 * Second definition of ircopyptr in this file.
 * NOTE(review): presumably the alternative build variant; the selecting
 * conditional and the rest of the body are not visible in this excerpt.
 */
2249 int ircopyptr(a, b, c)
/* The pointer stored at "a" is fetched into "ca" with bcopy(). */
2255 bcopy(a, &ca, sizeof(ca));
/*
 * Second definition of iwcopyptr in this file.
 * NOTE(review): presumably the alternative build variant; the selecting
 * conditional and the rest of the body are not visible in this excerpt.
 */
2261 int iwcopyptr(a, b, c)
/* The pointer stored at "b" is fetched into "ca" with bcopy(). */
2267 bcopy(b, &ca, sizeof(ca));
/*
 * fr_lock: exchanges a lock value with the caller through "data".
 * NOTE(review): the statements between the two copies, including any update
 * of *lockp from "arg", are not visible in this excerpt.
 */
2276 int fr_lock(data, lockp)
/* Read the caller's argument into "arg". */
2282 error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
/* Write the value held in *lockp back through "data". */
2284 error = IWCOPY((caddr_t)lockp, data, sizeof(*lockp));
/*
 * fr_getstat: fill *fiop with a snapshot of the filter state: statistics,
 * lock values, rule list heads for both rule sets, group tables, the active
 * set, the fr_pass value and the version string.
 */
2292 void fr_getstat(fiop)
/* Two filterstats_t entries are copied from frstats. */
2295 bcopy((char *)frstats, (char *)fiop->f_st, sizeof(filterstats_t) * 2);
/* Lock values for the state, NAT, fragment and auth subsystems. */
2296 fiop->f_locks[0] = fr_state_lock;
2297 fiop->f_locks[1] = fr_nat_lock;
2298 fiop->f_locks[2] = fr_frag_lock;
2299 fiop->f_locks[3] = fr_auth_lock;
/* IPv4 filter and accounting list heads; index 0 is "in", index 1 is "out". */
2300 fiop->f_fin[0] = ipfilter[0][0];
2301 fiop->f_fin[1] = ipfilter[0][1];
2302 fiop->f_fout[0] = ipfilter[1][0];
2303 fiop->f_fout[1] = ipfilter[1][1];
2304 fiop->f_acctin[0] = ipacct[0][0];
2305 fiop->f_acctin[1] = ipacct[0][1];
2306 fiop->f_acctout[0] = ipacct[1][0];
2307 fiop->f_acctout[1] = ipacct[1][1];
/*
 * IPv6 list heads: the first run publishes the real heads, the second sets
 * them all to NULL.  NOTE(review): the conditional selecting between the
 * two runs is not visible in this excerpt.
 */
2309 fiop->f_fin6[0] = ipfilter6[0][0];
2310 fiop->f_fin6[1] = ipfilter6[0][1];
2311 fiop->f_fout6[0] = ipfilter6[1][0];
2312 fiop->f_fout6[1] = ipfilter6[1][1];
2313 fiop->f_acctin6[0] = ipacct6[0][0];
2314 fiop->f_acctin6[1] = ipacct6[0][1];
2315 fiop->f_acctout6[0] = ipacct6[1][0];
2316 fiop->f_acctout6[1] = ipacct6[1][1];
2318 fiop->f_fin6[0] = NULL;
2319 fiop->f_fin6[1] = NULL;
2320 fiop->f_fout6[0] = NULL;
2321 fiop->f_fout6[1] = NULL;
2322 fiop->f_acctin6[0] = NULL;
2323 fiop->f_acctin6[1] = NULL;
2324 fiop->f_acctout6[0] = NULL;
2325 fiop->f_acctout6[1] = NULL;
2327 fiop->f_active = fr_active;
2328 fiop->f_froute[0] = ipl_frouteok[0];
2329 fiop->f_froute[1] = ipl_frouteok[1];
2331 fiop->f_running = fr_running;
/* Group tables: three tables, two sets each. */
2332 fiop->f_groups[0][0] = ipfgroups[0][0];
2333 fiop->f_groups[0][1] = ipfgroups[0][1];
2334 fiop->f_groups[1][0] = ipfgroups[1][0];
2335 fiop->f_groups[1][1] = ipfgroups[1][1];
2336 fiop->f_groups[2][0] = ipfgroups[2][0];
2337 fiop->f_groups[2][1] = ipfgroups[2][1];
/* f_logging is set to 1 or to 0; the selecting conditional is not visible here. */
2339 fiop->f_logging = 1;
2341 fiop->f_logging = 0;
2343 fiop->f_defpass = fr_pass;
/*
 * NOTE(review): strncpy() leaves f_version without a terminating NUL when
 * ipfilter_version is at least sizeof(fiop->f_version) bytes long.
 */
2344 strncpy(fiop->f_version, ipfilter_version, sizeof(fiop->f_version));
/*
 * icmptoicmp6types: table indexed by ICMPv4 message type (0..ICMP_MAXTYPE)
 * giving the ICMPv6 type listed beside it.  The entries shown as -1 are the
 * ICMPv4 types for which no ICMPv6 type is listed.
 */
2349 int icmptoicmp6types[ICMP_MAXTYPE+1] = {
2350 ICMP6_ECHO_REPLY, /* 0: ICMP_ECHOREPLY */
2353 ICMP6_DST_UNREACH, /* 3: ICMP_UNREACH */
2354 -1, /* 4: ICMP_SOURCEQUENCH */
2355 ND_REDIRECT, /* 5: ICMP_REDIRECT */
2358 ICMP6_ECHO_REQUEST, /* 8: ICMP_ECHO */
2360 -1, /* 10: UNUSED */
2361 ICMP6_TIME_EXCEEDED, /* 11: ICMP_TIMXCEED */
2362 ICMP6_PARAM_PROB, /* 12: ICMP_PARAMPROB */
2363 -1, /* 13: ICMP_TSTAMP */
2364 -1, /* 14: ICMP_TSTAMPREPLY */
2365 -1, /* 15: ICMP_IREQ */
2366 -1, /* 16: ICMP_IREQREPLY */
2367 -1, /* 17: ICMP_MASKREQ */
2368 -1, /* 18: ICMP_MASKREPLY */
/*
 * icmptoicmp6unreach: table indexed by ICMPv4 "unreachable" code giving the
 * ICMPv6 destination-unreachable code listed beside it.  The entries shown
 * as -1 are the ICMPv4 codes for which no ICMPv6 code is listed.
 */
2372 int icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
2373 ICMP6_DST_UNREACH_ADDR, /* 0: ICMP_UNREACH_NET */
2374 ICMP6_DST_UNREACH_ADDR, /* 1: ICMP_UNREACH_HOST */
2375 -1, /* 2: ICMP_UNREACH_PROTOCOL */
2376 ICMP6_DST_UNREACH_NOPORT, /* 3: ICMP_UNREACH_PORT */
2377 -1, /* 4: ICMP_UNREACH_NEEDFRAG */
2378 ICMP6_DST_UNREACH_NOTNEIGHBOR, /* 5: ICMP_UNREACH_SRCFAIL */
2379 ICMP6_DST_UNREACH_ADDR, /* 6: ICMP_UNREACH_NET_UNKNOWN */
2380 ICMP6_DST_UNREACH_ADDR, /* 7: ICMP_UNREACH_HOST_UNKNOWN */
2381 -1, /* 8: ICMP_UNREACH_ISOLATED */
2382 ICMP6_DST_UNREACH_ADMIN, /* 9: ICMP_UNREACH_NET_PROHIB */
2383 ICMP6_DST_UNREACH_ADMIN, /* 10: ICMP_UNREACH_HOST_PROHIB */
2384 -1, /* 11: ICMP_UNREACH_TOSNET */
2385 -1, /* 12: ICMP_UNREACH_TOSHOST */
2386 ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
2403 #if defined(_KERNEL) && !defined(__sgi)
/*
 * ipf_pullup: when the first buffer of "m" holds fewer than "len" bytes,
 * call the platform pullup routine (pullupmsg() on Solaris, m_pullup()
 * otherwise), then recompute the IP header pointer and fin->fin_dp, since
 * the data may have moved.
 *   m    - message/mbuf holding the packet
 *   fin  - packet information; fin_out, fin_qif and fin_dp are used
 *   len  - number of bytes wanted in the first buffer
 *   ipin - current pointer to the IP header inside m
 * NOTE(review): the return statements are not visible in this excerpt.
 */
2404 void *ipf_pullup(m, fin, len, ipin)
2411 qif_t *qf = fin->fin_qif;
2413 int out = fin->fin_out, dpoff, ipoff;
/* Save header positions as offsets so they can be rebuilt afterwards. */
2419 ipoff = (char *)ipin - MTOD(m, char *);
2420 if (fin->fin_dp != NULL)
2421 dpoff = (char *)fin->fin_dp - (char *)ipin;
2425 if (M_BLEN(m) < len) {
2427 qif_t *qf = fin->fin_qif;
/* ipoff is not a multiple of 4: inc is the distance to the next multiple. */
2431 if ((ipoff & 3) != 0) {
2432 inc = 4 - (ipoff & 3);
2433 if (m->b_rptr - inc >= m->b_datap->db_base)
/* fr_pull[1] is bumped when the pullup fails, fr_pull[0] otherwise. */
2439 if (!pullupmsg(m, len + ipoff + inc)) {
2440 ATOMIC_INCL(frstats[out].fr_pull[1]);
2444 ATOMIC_INCL(frstats[out].fr_pull[0]);
2445 qf->qf_data = MTOD(m, char *) + ipoff;
/* Non-Solaris path. NOTE(review): the failure test after m_pullup() is not visible. */
2447 m = m_pullup(m, len);
2450 ATOMIC_INCL(frstats[out].fr_pull[1]);
2453 ATOMIC_INCL(frstats[out].fr_pull[0]);
2454 # endif /* SOLARIS */
/* Rebuild the IP header pointer, and fin_dp when it was set, from the saved offsets. */
2456 ip = MTOD(m, char *) + ipoff;
2457 if (fin->fin_dp != NULL)
2458 fin->fin_dp = (char *)ip + dpoff;
2461 #endif /* _KERNEL && !__sgi */