2 * Copyright (C) 1993-2001 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
6 * @(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed
7 * @(#)$Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp $
8 * $FreeBSD: src/sys/contrib/ipfilter/netinet/ip_fil.c,v 1.25.2.7 2004/07/04 09:24:38 darrenr Exp $
9 * $DragonFly: src/sys/contrib/ipfilter/netinet/ip_fil.c,v 1.23 2006/09/10 01:26:33 dillon Exp $
12 #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
15 #if defined(KERNEL) && !defined(_KERNEL)
18 #if defined(_KERNEL) && (defined(__DragonFly__) || (defined(__FreeBSD_version) && \
19 (__FreeBSD_version >= 400000))) && !defined(KLD_MODULE)
20 #include "opt_inet6.h"
22 #include <sys/param.h>
23 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
24 defined(_KERNEL) && !defined(_LKM)
25 # include "opt_ipfilter_log.h"
27 #if defined(__FreeBSD__) && !defined(__FreeBSD_version)
28 # if !defined(_KERNEL) || defined(IPFILTER_LKM)
29 # include <osreldate.h>
32 #if defined(__sgi) && (IRIX > 602)
34 # include <sys/ptimers.h>
43 #include <sys/errno.h>
44 #include <sys/types.h>
46 #if (defined(__DragonFly__) || __FreeBSD_version >= 220000) && defined(_KERNEL)
47 # include <sys/fcntl.h>
48 # include <sys/filio.h>
50 # include <sys/ioctl.h>
54 # include <sys/systm.h>
57 # if defined(__DragonFly__) || (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
58 # include <sys/dirent.h>
62 # include <sys/mbuf.h>
64 # include <sys/filio.h>
66 #include <sys/protosw.h>
67 #include <sys/socket.h>
68 #if defined(__DragonFly__) && defined(_KERNEL)
69 # include <sys/thread2.h>
76 #if defined(__DragonFly__) || __FreeBSD_version >= 300000
77 # include <net/if_var.h>
78 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
79 # include "opt_ipfilter.h"
83 #include <sys/debug.h>
84 # ifdef IFF_DRVRLOCK /* IRIX6 */
85 #include <sys/hashing.h>
88 #include <net/route.h>
89 #include <netinet/in.h>
90 #if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */
91 # include <netinet/in_var.h>
93 #include <netinet/in_systm.h>
94 #include <netinet/ip.h>
95 #include <netinet/ip_var.h>
96 #include <netinet/tcp.h>
97 #include <netinet/udp.h>
98 #include <netinet/tcpip.h>
99 #include <netinet/ip_icmp.h>
104 #include "ip_compat.h"
106 # include <netinet/icmp6.h>
108 # include <netinet6/ip6protosw.h>
109 # include <netinet6/nd6.h>
115 #include "ip_state.h"
116 #include "ip_proxy.h"
118 #if defined(__DragonFly__) || (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000))
119 # include <sys/malloc.h>
122 # define MIN(a,b) (((a)<(b))?(a):(b))
124 #if !SOLARIS && defined(_KERNEL) && !defined(__sgi)
125 # include <sys/kernel.h>
126 extern int ip_optcopy (struct ip *, struct ip *);
128 #if defined(OpenBSD) && (OpenBSD >= 200211) && defined(_KERNEL)
129 extern int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
130 struct ifnet *, struct in6_addr *, u_long *);
133 #include <sys/in_cksum.h>
135 static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
137 extern struct protosw inetsw[];
141 static struct ifnet **ifneta = NULL;
144 # if (BSD < 199306) || defined(__sgi)
149 #ifdef ICMP_UNREACH_FILTER_PROHIB
150 int ipl_unreach = ICMP_UNREACH_FILTER_PROHIB;
152 int ipl_unreach = ICMP_UNREACH_FILTER;
154 u_long ipl_frouteok[2] = {0, 0};
156 static int frzerostats (caddr_t);
157 #if defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
158 static int frrequest (int, u_long, caddr_t, int);
160 static int frrequest (int, int, caddr_t, int);
163 static int (*fr_savep) (ip_t *, int, void *, int, struct mbuf **);
164 static int send_ip (ip_t *, fr_info_t *, struct mbuf **);
166 static int ipfr_fastroute6 (struct mbuf *, struct mbuf **,
167 fr_info_t *, frdest_t *);
170 extern int tcp_mtudisc;
171 extern kmutex_t ipf_rw;
172 extern KRWLOCK_T ipf_mutex;
175 void init_ifp (void);
176 # if defined(__sgi) && (IRIX < 605)
177 static int no_output (struct ifnet *, struct mbuf *,
179 static int write_output (struct ifnet *, struct mbuf *,
182 static int no_output (struct ifnet *, struct mbuf *,
183 struct sockaddr *, struct rtentry *);
184 static int write_output (struct ifnet *, struct mbuf *,
185 struct sockaddr *, struct rtentry *);
190 #if (defined(__DragonFly__) || __FreeBSD_version >= 300000) && defined(_KERNEL)
191 struct callout ipfr_slowtimer_ch;
193 #if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
194 # include <sys/callout.h>
195 struct callout ipfr_slowtimer_ch;
197 #if defined(__OpenBSD__)
198 # include <sys/timeout.h>
199 struct timeout ipfr_slowtimer_ch;
201 #if defined(__sgi) && defined(_KERNEL)
202 toid_t ipfr_slowtimer_ch;
205 #if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) && \
207 # include <sys/conf.h>
208 const struct cdevsw ipl_cdevsw = {
209 iplopen, iplclose, iplread, nowrite, iplioctl,
210 nostop, notty, nopoll, nommap,
214 #if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
215 # include <sys/device.h>
216 # include <sys/conf.h>
218 struct cfdriver iplcd = {
219 NULL, "ipl", NULL, NULL, DV_DULL, 0
222 struct devsw iplsw = {
224 iplopen, iplclose, iplread, nowrite, iplioctl, noselect, nommap,
225 nostrat, nodump, nopsize, 0,
228 #endif /* _BSDI_VERSION >= 199510 && _KERNEL */
230 #if defined(__NetBSD__) || defined(__OpenBSD__) || \
231 (_BSDI_VERSION >= 199701) || (defined(__DragonFly_version) && \
232 (__DragonFly_version >= 100000))
233 # include <sys/conf.h>
234 # if defined(NETBSD_PF)
235 # include <net/pfil.h>
237 * We provide the fr_checkp name just to minimize changes later.
239 int (*fr_checkp) (ip_t *ip, int hlen, void *ifp, int out, mb_t **mp);
240 # endif /* NETBSD_PF */
241 #endif /* __NetBSD__ */
244 #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000) && \
246 # include <net/pfil.h>
248 static int fr_check_wrapper(void *, struct mbuf **, struct ifnet *, int );
250 static int fr_check_wrapper(arg, mp, ifp, dir)
256 struct ip *ip = mtod(*mp, struct ip *);
257 int rv, hlen = ip->ip_hl << 2;
259 #if defined(M_CSUM_TCPv4)
261 * If the packet is out-bound, we can't delay checksums
262 * here. For in-bound, the checksum has already been
265 if (dir == PFIL_OUT) {
266 if ((*mp)->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
267 in_delayed_cksum(*mp);
268 (*mp)->m_pkthdr.csum_flags &=
269 ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
272 #endif /* M_CSUM_TCPv4 */
275 * We get the packet with all fields in network byte
276 * order. We expect ip_len and ip_off to be in host
277 * order. We frob them, call the filter, then frob
280 * Note, we don't need to update the checksum, because
281 * it has already been verified.
283 ip->ip_len = ntohs(ip->ip_len);
284 ip->ip_off = ntohs(ip->ip_off);
286 rv = fr_check(ip, hlen, ifp, (dir == PFIL_OUT), mp);
288 if (rv == 0 && *mp != NULL) {
289 ip = mtod(*mp, struct ip *);
290 ip->ip_len = htons(ip->ip_len);
291 ip->ip_off = htnos(ip->ip_off);
298 # include <netinet/ip6.h>
300 static int fr_check_wrapper6(void *, struct mbuf **, struct ifnet *, int );
302 static int fr_check_wrapper6(arg, mp, ifp, dir)
309 return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
310 ifp, (dir == PFIL_OUT), mp));
313 #endif /* __NetBSD_Version >= 105110000 && _KERNEL */
314 #if defined(__DragonFly_version) && (__DragonFly_version >= 100000) && \
318 fr_check_wrapper(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
320 struct ip *ip = mtod(*mp, struct ip *);
321 return fr_check(ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT), mp);
325 # include <netinet/ip6.h>
328 fr_check_wrapper6(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
330 return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
331 ifp, (dir == PFIL_OUT), mp));
333 # endif /* USE_INET6 */
334 #endif /* __DragonFly_version >= 100000 && _KERNEL */
336 # if defined(IPFILTER_LKM) && !defined(__sgi)
340 if (strcmp(s, "ipl") == 0)
344 # endif /* IPFILTER_LKM */
348 * Try to detect the case when compiling for NetBSD with pseudo-device
350 # if defined(__NetBSD__) && defined(PFIL_HOOKS)
352 ipfilterattach(count)
357 * Do nothing here, really. The filter will be enabled
358 * by the SIOCFRENB ioctl.
364 # if defined(__NetBSD__) || defined(__OpenBSD__)
371 # if !defined(__DragonFly__)
374 # if defined(__sgi) || (defined(NETBSD_PF) && \
375 (__NetBSD_Version__ >= 104200000)) || \
376 (defined(__DragonFly_version) && (__DragonFly_version >= 100000))
379 #if (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000)) || \
380 (defined(__DragonFly_version) && (__DragonFly_version >= 100000))
381 struct pfil_head *ph_inet;
383 struct pfil_head *ph_inet6;
388 if (fr_running || (fr_checkp == fr_check)) {
389 printf("IP Filter: already initialized\n");
397 if (nat_init() == -1) {
401 if (fr_stateinit() == -1) {
405 if (appr_init() == -1) {
411 # if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011) || \
412 (defined(__DragonFly_version) && (__DragonFly_version >= 100000))
413 # if (__NetBSD_Version__ >= 105110000) || (__DragonFly_version >= 100000)
414 ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
416 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
426 error = pfil_add_hook((void *)fr_check_wrapper, NULL,
427 PFIL_IN|PFIL_OUT, ph_inet);
431 error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
432 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
446 pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
449 # if (__NetBSD_Version__ >= 105110000) || (__DragonFly_version >= 100000)
450 if (ph_inet6 != NULL)
451 error = pfil_add_hook((void *)fr_check_wrapper6, NULL,
452 PFIL_IN|PFIL_OUT, ph_inet6);
456 pfil_remove_hook((void *)fr_check_wrapper6, NULL,
457 PFIL_IN|PFIL_OUT, ph_inet6);
459 error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
460 &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
462 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
463 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
476 error = ipfilter_sgi_attach();
486 bzero((char *)frcache, sizeof(frcache));
487 fr_savep = fr_checkp;
488 fr_checkp = fr_check;
492 if (fr_pass & FR_PASS)
494 else if (fr_pass & FR_BLOCK)
497 defpass = "no-match -> block";
499 printf("%s initialized. Default = %s all, Logging = %s\n",
500 ipfilter_version, defpass,
507 # if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
508 callout_init(&ipfr_slowtimer_ch);
509 callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
511 # if defined(__OpenBSD__)
512 timeout_set(&ipfr_slowtimer_ch, ipfr_slowtimer, NULL);
513 timeout_add(&ipfr_slowtimer_ch, hz/2);
515 # if (defined(__DragonFly__) || __FreeBSD_version >= 300000) || defined(__sgi)
516 callout_init(&ipfr_slowtimer_ch);
517 callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
519 timeout(ipfr_slowtimer, NULL, hz/2);
529 * Disable the filter by removing the hooks from the IP input/output
532 # if defined(__NetBSD__)
538 # if !defined(__DragonFly__)
542 #if defined(NETBSD_PF) && \
543 ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011) || \
544 (defined(__DragonFly_version) && (__DragonFly_version >= 100000)))
546 # if (__NetBSD_Version__ >= 105150000) || (__DragonFly_version >= 100000)
547 struct pfil_head *ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
549 struct pfil_head *ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
555 # if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
556 callout_stop(&ipfr_slowtimer_ch);
558 # if (defined(__DragonFly__) || __FreeBSD_version >= 300000)
559 callout_stop(&ipfr_slowtimer_ch);
562 untimeout(ipfr_slowtimer_ch);
564 # if defined(__OpenBSD__)
565 timeout_del(&ipfr_slowtimer_ch);
567 untimeout(ipfr_slowtimer, NULL);
568 # endif /* OpenBSD */
570 # endif /* FreeBSD */
576 printf("IP Filter: not initialized\n");
581 printf("%s unloaded\n", ipfilter_version);
583 fr_checkp = fr_savep;
584 i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
585 i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
589 # if ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011) || \
590 (__DragonFly_version >= 100000))
591 # if (__NetBSD_Version__ >= 105110000) || (__DragonFly_version >= 100000)
593 error = pfil_remove_hook((void *)fr_check_wrapper, NULL,
594 PFIL_IN|PFIL_OUT, ph_inet);
598 error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
599 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
606 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
609 # if (__NetBSD_Version__ >= 105110000) || (__DragonFly_version >= 100000)
610 if (ph_inet6 != NULL)
611 error = pfil_remove_hook((void *)fr_check_wrapper6, NULL,
612 PFIL_IN|PFIL_OUT, ph_inet6);
616 error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
617 &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
627 ipfilter_sgi_detach();
642 static int frzerostats(data)
649 error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
653 bzero((char *)frstats, sizeof(*frstats) * 2);
660 * Filter ioctl interface.
663 int IPL_EXTERN(ioctl)(dev_t dev, int cmd, caddr_t data, int mode
665 , cred_t *cp, int *rp
669 #if defined(__DragonFly__)
670 # if defined(_KERNEL)
671 int IPL_EXTERN(ioctl)(struct dev_ioctl_args *ap)
673 int IPL_EXTERN(ioctl)(struct cdev *dev, u_long cmd, caddr_t data, int mode)
676 int IPL_EXTERN(ioctl)(dev, cmd, data, mode
677 #if (defined(_KERNEL) && defined(__FreeBSD__))
680 # elif (defined(_KERNEL) && ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || \
681 (NetBSD >= 199511) || (__FreeBSD_version >= 220000) || \
682 defined(__OpenBSD__)))
689 # if defined(__NetBSD__) || defined(__OpenBSD__) || \
690 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
697 #endif /* DragonFly */
700 #if (defined(_KERNEL) && defined(__DragonFly__))
701 struct cdev *dev = ap->a_head.a_dev;
702 u_long cmd = ap->a_cmd;
703 caddr_t data = ap->a_data;
704 int mode = ap->a_fflag;
706 #if defined(_KERNEL) && !SOLARIS && !defined(__DragonFly__)
709 int error = 0, unit = 0, tmp;
711 #if (BSD >= 199306) && defined(_KERNEL)
712 if ((securelevel >= 3) && (mode & FWRITE))
716 unit = GET_MINOR(dev);
717 if ((IPL_LOGMAX < unit) || (unit < 0))
723 if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
728 if (unit == IPL_LOGNAT) {
730 error = nat_ioctl(data, cmd, mode);
736 if (unit == IPL_LOGSTATE) {
738 error = fr_state_ioctl(data, cmd, mode);
744 if (unit == IPL_LOGAUTH) {
748 if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {
749 if (!(mode & FWRITE)) {
752 error = frrequest(unit, cmd, data,
756 error = fr_auth_ioctl(data, mode, cmd);
765 error = IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data,
766 sizeof(iplused[IPL_LOGIPF]));
769 #if (!defined(IPFILTER_LKM) || defined(__NetBSD__)) && defined(_KERNEL)
774 if (!(mode & FWRITE))
777 error = IRCOPY(data, (caddr_t)&enable, sizeof(enable));
781 # if defined(__NetBSD__) || defined(__OpenBSD__)
782 error = ipl_enable();
787 # if defined(__NetBSD__)
788 error = ipl_disable();
797 if (!(mode & FWRITE))
800 error = IRCOPY(data, (caddr_t)&fr_flags,
804 error = IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags));
810 if (!(mode & FWRITE))
813 error = frrequest(unit, cmd, data, fr_active);
818 if (!(mode & FWRITE))
821 error = frrequest(unit, cmd, data, 1 - fr_active);
824 if (!(mode & FWRITE))
827 bzero((char *)frcache, sizeof(frcache[0]) * 2);
828 *(u_int *)data = fr_active;
829 fr_active = 1 - fr_active;
837 error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
843 if (!(mode & FWRITE))
846 error = frzerostats(data);
849 if (!(mode & FWRITE))
852 error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
854 tmp = frflush(unit, 4, tmp);
855 error = IWCOPY((caddr_t)&tmp, data,
862 if (!(mode & FWRITE))
865 error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
867 tmp = frflush(unit, 6, tmp);
868 error = IWCOPY((caddr_t)&tmp, data,
875 error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
886 if (!(mode & FWRITE))
889 *(int *)data = ipflog_clear(unit);
891 #endif /* IPFILTER_LOG */
893 error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data,
899 if (!(mode & FWRITE))
902 #if defined(_KERNEL) && defined(__sgi)
917 void fr_forgetifp(ifp)
922 WRITE_ENTER(&ipf_mutex);
923 for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
924 if (f->fr_ifa == ifp)
925 f->fr_ifa = (void *)-1;
926 for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
927 if (f->fr_ifa == ifp)
928 f->fr_ifa = (void *)-1;
929 for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
930 if (f->fr_ifa == ifp)
931 f->fr_ifa = (void *)-1;
932 for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
933 if (f->fr_ifa == ifp)
934 f->fr_ifa = (void *)-1;
936 for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
937 if (f->fr_ifa == ifp)
938 f->fr_ifa = (void *)-1;
939 for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
940 if (f->fr_ifa == ifp)
941 f->fr_ifa = (void *)-1;
942 for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
943 if (f->fr_ifa == ifp)
944 f->fr_ifa = (void *)-1;
945 for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
946 if (f->fr_ifa == ifp)
947 f->fr_ifa = (void *)-1;
949 RWLOCK_EXIT(&ipf_mutex);
954 static int frrequest(unit, req, data, set)
956 #if defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
964 frentry_t *fp, *f, **fprev;
966 frgroup_t *fg = NULL;
967 int error = 0, in, i;
974 error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp));
978 #if (BSD >= 199306) && defined(_KERNEL)
979 if ((securelevel > 0) && (fp->fr_func != NULL))
984 * Check that the group number does exist and that if a head group
985 * has been specified, doesn't exist.
987 if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
988 (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
989 fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
991 if ((req != SIOCZRLST) && fp->fr_group &&
992 !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL))
995 in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
997 if (unit == IPL_LOGAUTH)
998 ftail = fprev = &ipauth;
999 else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 4))
1000 ftail = fprev = &ipacct[in][set];
1001 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 4))
1002 ftail = fprev = &ipfilter[in][set];
1004 else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 6))
1005 ftail = fprev = &ipacct6[in][set];
1006 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 6))
1007 ftail = fprev = &ipfilter6[in][set];
1012 if ((group = fp->fr_group)) {
1013 if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL)))
1015 ftail = fprev = fg->fg_start;
1018 bzero((char *)frcache, sizeof(frcache[0]) * 2);
1020 for (i = 0; i < 4; i++) {
1021 if ((fp->fr_ifnames[i][1] == '\0') &&
1022 ((fp->fr_ifnames[i][0] == '-') ||
1023 (fp->fr_ifnames[i][0] == '*'))) {
1024 fp->fr_ifas[i] = NULL;
1025 } else if (*fp->fr_ifnames[i]) {
1026 fp->fr_ifas[i] = GETUNIT(fp->fr_ifnames[i], fp->fr_v);
1027 if (!fp->fr_ifas[i])
1028 fp->fr_ifas[i] = (void *)-1;
1033 fp->fr_flags &= ~FR_DUP;
1034 if (*fdp->fd_ifname) {
1035 fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v);
1037 fdp->fd_ifp = (struct ifnet *)-1;
1039 fp->fr_flags |= FR_DUP;
1043 if (*fdp->fd_ifname) {
1044 fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v);
1046 fdp->fd_ifp = (struct ifnet *)-1;
1050 * Look for a matching filter rule, but don't include the next or
1051 * interface pointer in the comparison (fr_next, fr_ifa).
1053 for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum;
1057 for (; (f = *ftail); ftail = &f->fr_next)
1058 if ((fp->fr_cksum == f->fr_cksum) &&
1059 !bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, FR_CMPSIZ))
1063 * If zero'ing statistics, copy current to caller and zero.
1065 if (req == SIOCZRLST) {
1068 error = IWCOPYPTR((caddr_t)f, data, sizeof(*f));
1077 if (req != SIOCINAFR && req != SIOCINIFR)
1078 while ((f = *ftail))
1079 ftail = &f->fr_next;
1083 while (--fp->fr_hits && (f = *ftail))
1084 ftail = &f->fr_next;
1090 if (req == SIOCRMAFR || req == SIOCRMIFR) {
1095 * Only return EBUSY if there is a group list, else
1096 * it's probably just state information referencing
1099 if ((f->fr_ref > 1) && f->fr_grp)
1101 if (fg && fg->fg_head)
1102 fg->fg_head->fr_ref--;
1103 if (unit == IPL_LOGAUTH) {
1104 return fr_preauthcmd(req, f, ftail);
1107 fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
1109 fixskip(fprev, f, -1);
1110 *ftail = f->fr_next;
1120 if (unit == IPL_LOGAUTH) {
1121 return fr_preauthcmd(req, fp, ftail);
1123 KMALLOC(f, frentry_t *);
1125 if (fg && fg->fg_head)
1126 fg->fg_head->fr_ref++;
1127 bcopy((char *)fp, (char *)f, sizeof(*f));
1130 f->fr_next = *ftail;
1132 if (req == SIOCINIFR || req == SIOCINAFR)
1133 fixskip(fprev, f, 1);
1135 if ((group = f->fr_grhead))
1136 fg = fr_addgroup(group, f, unit, set);
1147 * routines below for saving IP headers to buffer
1149 #ifdef __DragonFly__
1150 int IPL_EXTERN(open)(struct dev_open_args *ap)
1153 int IPL_EXTERN(open)(dev_t *pdev, int flags, int devtype, cred_t *cp)
1155 int IPL_EXTERN(open)(dev, flags
1156 #if defined(__FreeBSD__)
1160 #elif ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
1161 (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
1171 #endif /* DragonFly */
1173 #ifdef __DragonFly__
1174 struct cdev *dev = ap->a_head.a_dev;
1176 # if defined(__sgi) && defined(_KERNEL)
1177 u_int min = geteminor(*pdev);
1179 u_int min = GET_MINOR(dev);
1182 if (IPL_LOGMAX < min)
1190 #ifdef __DragonFly__
1191 int IPL_EXTERN(close)(struct dev_close_args *ap)
1194 int IPL_EXTERN(close)(dev_t dev, int flags, int devtype, cred_t *cp)
1196 int IPL_EXTERN(close)(dev, flags
1197 #if defined(__FreeBSD__)
1201 #elif ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
1202 (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
1212 #endif /* DragonFly */
1214 #ifdef __DragonFly__
1215 struct cdev *dev = ap->a_head.a_dev;
1217 u_int min = GET_MINOR(dev);
1219 if (IPL_LOGMAX < min)
1228 * both of these must operate with at least splnet() lest they be
1229 * called during packet processing and cause an inconsistancy to appear in
1232 #ifdef __DragonFly__
1233 int IPL_EXTERN(read)(struct dev_read_args *ap)
1236 int IPL_EXTERN(read)(dev_t dev, uio_t *uio, cred_t *crp)
1239 int IPL_EXTERN(read)(dev, uio, ioflag)
1242 int IPL_EXTERN(read)(dev, uio)
1247 #endif /* DragonFly */
1249 #ifdef __DragonFly__
1250 struct cdev *dev = ap->a_head.a_dev;
1251 struct uio *uio = ap->a_uio;
1253 # ifdef IPFILTER_LOG
1254 return ipflog_read(GET_MINOR(dev), uio);
1262 * send_reset - this could conceivably be a call to tcp_respond(), but that
1263 * requires a large amount of setting up and isn't any more efficient.
1265 int send_reset(oip, fin)
1269 struct tcphdr *tcp, *tcp2;
1273 ip6_t *ip6, *oip6 = (ip6_t *)oip;
1277 tcp = (struct tcphdr *)fin->fin_dp;
1278 if (tcp->th_flags & TH_RST)
1279 return -1; /* feedback loop */
1280 # if (BSD < 199306) || defined(__sgi)
1281 m = m_get(M_DONTWAIT, MT_HEADER);
1282 # elif defined(__DragonFly__)
1283 m = m_gethdr(MB_DONTWAIT, MT_HEADER);
1285 m = m_gethdr(M_DONTWAIT, MT_HEADER);
1292 tlen = fin->fin_dlen - (tcp->th_off << 2) +
1293 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
1294 ((tcp->th_flags & TH_FIN) ? 1 : 0);
1297 hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
1299 hlen = sizeof(ip_t);
1301 m->m_len = sizeof(*tcp2) + hlen;
1303 m->m_data += max_linkhdr;
1304 m->m_pkthdr.len = m->m_len;
1305 m->m_pkthdr.rcvif = (struct ifnet *)0;
1307 ip = mtod(m, struct ip *);
1311 bzero((char *)ip, sizeof(*tcp2) + hlen);
1312 tcp2 = (struct tcphdr *)((char *)ip + hlen);
1314 tcp2->th_sport = tcp->th_dport;
1315 tcp2->th_dport = tcp->th_sport;
1316 if (tcp->th_flags & TH_ACK) {
1317 tcp2->th_seq = tcp->th_ack;
1318 tcp2->th_flags = TH_RST;
1320 tcp2->th_ack = ntohl(tcp->th_seq);
1321 tcp2->th_ack += tlen;
1322 tcp2->th_ack = htonl(tcp2->th_ack);
1323 tcp2->th_flags = TH_RST|TH_ACK;
1325 tcp2->th_off = sizeof(*tcp2) >> 2;
1327 if (fin->fin_v == 6) {
1328 ip6->ip6_plen = htons(sizeof(struct tcphdr));
1329 ip6->ip6_nxt = IPPROTO_TCP;
1330 ip6->ip6_src = oip6->ip6_dst;
1331 ip6->ip6_dst = oip6->ip6_src;
1332 tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
1333 sizeof(*ip6), sizeof(*tcp2));
1334 return send_ip(oip, fin, &m);
1337 ip->ip_p = IPPROTO_TCP;
1338 ip->ip_len = htons(sizeof(struct tcphdr));
1339 ip->ip_src.s_addr = oip->ip_dst.s_addr;
1340 ip->ip_dst.s_addr = oip->ip_src.s_addr;
1341 tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
1342 ip->ip_len = hlen + sizeof(*tcp2);
1343 return send_ip(oip, fin, &m);
1348 * Send an IP(v4/v6) datagram out into the network
1350 static int send_ip(oip, fin, mp)
1355 struct mbuf *m = *mp;
1360 bzero((char *)&frn, sizeof(frn));
1361 frn.fin_ifp = fin->fin_ifp;
1362 frn.fin_v = fin->fin_v;
1363 frn.fin_out = fin->fin_out;
1366 ip = mtod(m, ip_t *);
1369 ip->ip_v = fin->fin_v;
1370 if (ip->ip_v == 4) {
1371 ip->ip_hl = (sizeof(*oip) >> 2);
1372 ip->ip_v = IPVERSION;
1373 ip->ip_tos = oip->ip_tos;
1374 ip->ip_id = oip->ip_id;
1376 # if defined(__NetBSD__) || \
1377 (defined(__OpenBSD__) && (OpenBSD >= 200012))
1378 if (ip_mtudisc != 0)
1382 if (ip->ip_p == IPPROTO_TCP && tcp_mtudisc != 0)
1387 # if (BSD < 199306) || defined(__sgi)
1388 ip->ip_ttl = tcp_ttl;
1390 ip->ip_ttl = ip_defttl;
1393 frn.fin_dp = (char *)(ip + 1);
1396 else if (ip->ip_v == 6) {
1397 ip6_t *ip6 = (ip6_t *)ip;
1399 hlen = sizeof(*ip6);
1400 ip6->ip6_hlim = 127;
1401 frn.fin_dp = (char *)(ip6 + 1);
1405 m->m_pkthdr.rcvif = NULL;
1408 if (fr_makefrip(hlen, ip, &frn) == 0)
1409 error = ipfr_fastroute(m, mp, &frn, NULL);
1416 int send_icmp_err(oip, type, fin, dst)
1422 int err, hlen = 0, xtra = 0, iclen, ohlen = 0, avail, code;
1423 u_short shlen, slen = 0, soff = 0;
1424 struct in_addr dst4;
1429 ip6_t *ip6, *oip6 = (ip6_t *)oip;
1430 struct in6_addr dst6;
1434 if ((type < 0) || (type > ICMP_MAXTYPE))
1437 code = fin->fin_icode;
1439 if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int)))
1446 if (fin->fin_v == 4) {
1447 if ((oip->ip_p == IPPROTO_ICMP) &&
1448 !(fin->fin_fi.fi_fl & FI_SHORT))
1449 switch (ntohs(fin->fin_data[0]) >> 8)
1460 # if (BSD < 199306) || defined(__sgi)
1462 m = m_get(M_DONTWAIT, MT_HEADER);
1463 # elif defined(__DragonFly__)
1465 m = m_gethdr(MB_DONTWAIT, MT_HEADER);
1468 m = m_gethdr(M_DONTWAIT, MT_HEADER);
1474 if (fr_ifpaddr(4, ifp, &dst4) == -1)
1477 dst4.s_addr = oip->ip_dst.s_addr;
1479 hlen = sizeof(ip_t);
1480 ohlen = oip->ip_hl << 2;
1485 else if (fin->fin_v == 6) {
1486 hlen = sizeof(ip6_t);
1487 ohlen = sizeof(ip6_t);
1488 type = icmptoicmp6types[type];
1489 if (type == ICMP6_DST_UNREACH)
1490 code = icmptoicmp6unreach[code];
1492 #ifdef __DragonFly__
1493 MGETHDR(m, MB_DONTWAIT, MT_HEADER);
1495 MGETHDR(m, M_DONTWAIT, MT_HEADER);
1500 #ifdef __DragonFly__
1501 MCLGET(m, MB_DONTWAIT);
1503 MCLGET(m, M_DONTWAIT);
1505 if ((m->m_flags & M_EXT) == 0) {
1509 # ifdef M_TRAILINGSPACE
1511 avail = M_TRAILINGSPACE(m);
1513 avail = (m->m_flags & M_EXT) ? MCLBYTES : MHLEN;
1515 xtra = MIN(ntohs(oip6->ip6_plen) + sizeof(ip6_t),
1516 avail - hlen - sizeof(*icmp) - max_linkhdr);
1518 if (fr_ifpaddr(6, ifp, (struct in_addr *)&dst6) == -1)
1521 dst6 = oip6->ip6_dst;
1525 iclen = hlen + sizeof(*icmp);
1527 avail -= (max_linkhdr + iclen);
1528 m->m_data += max_linkhdr;
1529 m->m_pkthdr.rcvif = (struct ifnet *)0;
1533 m->m_pkthdr.len = iclen;
1535 avail -= (m->m_off + iclen);
1541 ip = mtod(m, ip_t *);
1542 icmp = (struct icmp *)((char *)ip + hlen);
1543 bzero((char *)ip, iclen);
1545 icmp->icmp_type = type;
1546 icmp->icmp_code = fin->fin_icode;
1547 icmp->icmp_cksum = 0;
1549 if (type == ICMP_UNREACH &&
1550 fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp)
1551 icmp->icmp_nextmtu = htons(((struct ifnet *) ifp)->if_mtu);
1556 oip->ip_len = htons(oip->ip_len);
1558 oip->ip_off = htons(oip->ip_off);
1559 bcopy((char *)oip, (char *)&icmp->icmp_ip, MIN(ohlen, avail));
1562 avail -= MIN(ohlen, avail);
1567 if (fin->fin_v == 6) {
1569 ip6->ip6_plen = htons(iclen - hlen);
1570 ip6->ip6_nxt = IPPROTO_ICMPV6;
1572 ip6->ip6_src = dst6;
1573 ip6->ip6_dst = oip6->ip6_src;
1575 bcopy((char *)oip + ohlen,
1576 (char *)&icmp->icmp_ip + ohlen, avail);
1577 icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
1578 sizeof(*ip6), iclen - hlen);
1583 ip->ip_src.s_addr = dst4.s_addr;
1584 ip->ip_dst.s_addr = oip->ip_src.s_addr;
1589 bcopy((char *)oip + ohlen,
1590 (char *)&icmp->icmp_ip + ohlen, avail);
1591 icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
1594 ip->ip_p = IPPROTO_ICMP;
1597 shlen = fin->fin_hlen;
1598 fin->fin_hlen = hlen;
1599 err = send_ip(oip, fin, &m);
1600 fin->fin_hlen = shlen;
1606 # if !defined(IPFILTER_LKM) && !defined(__sgi) && \
1607 (!defined(__DragonFly__) || !defined(__FreeBSD_version) || (__FreeBSD_version < 300000))
1613 void iplinit (void);
1620 # if defined(__NetBSD__) || defined(__OpenBSD__)
1621 if (ipl_enable() != 0)
1623 if (iplattach() != 0)
1626 printf("IP Filter failed to attach\n");
1630 # endif /* ! __NetBSD__ */
1634 * Return the length of the entire mbuf.
1636 size_t mbufchainlen(m0)
1640 return m0->m_pkthdr.len;
1644 for (; m0; m0 = m0->m_next)
1651 int ipfr_fastroute(m0, mpp, fin, fdp)
1652 struct mbuf *m0, **mpp;
1656 struct ip *ip, *mhip;
1657 struct mbuf *m = m0;
1659 int len, off, error = 0, hlen, code, sout;
1660 struct ifnet *ifp, *sifp;
1661 struct sockaddr_in *dst;
1662 struct route iproute;
1672 if (fin->fin_v == 6) {
1673 error = ipfr_fastroute6(m0, mpp, fin, fdp);
1679 if (fin->fin_v == 6)
1687 * If the mbuf we're about to send is not writable (because of
1688 * a cluster reference, for example) we'll need to make a copy
1689 * of it since this routine modifies the contents.
1691 * If you have non-crappy network hardware that can transmit data
1692 * from the mbuf, rather than making a copy, this is gonna be a
1695 if (M_WRITABLE(m) == 0) {
1696 #ifdef __DragonFly__
1697 if ((m0 = m_dup(m, MB_DONTWAIT)) != NULL) {
1699 if ((m0 = m_dup(m, M_DONTWAIT)) != NULL) {
1712 hlen = fin->fin_hlen;
1713 ip = mtod(m0, struct ip *);
1715 #if defined(__NetBSD__) && defined(M_CSUM_IPv4)
1717 * Clear any in-bound checksum flags for this packet.
1719 # if (__NetBSD_Version__ > 105009999)
1720 m0->m_pkthdr.csum_flags = 0;
1722 m0->m_pkthdr.csuminfo = 0;
1724 #endif /* __NetBSD__ && M_CSUM_IPv4 */
1729 #if (defined(IRIX) && (IRIX >= 605))
1732 bzero((caddr_t)ro, sizeof (*ro));
1733 dst = (struct sockaddr_in *)&ro->ro_dst;
1734 dst->sin_family = AF_INET;
1735 dst->sin_addr = ip->ip_dst;
1744 * In case we're here due to "to <if>" being used with "keep state",
1745 * check that we're going in the correct direction.
1747 if ((fr != NULL) && (fin->fin_rev != 0)) {
1748 if ((ifp != NULL) && (fdp == &fr->fr_tif)) {
1749 # if (defined(IRIX) && (IRIX >= 605))
1754 } else if (fdp != NULL) {
1755 if (fdp->fd_ip.s_addr != 0)
1756 dst->sin_addr = fdp->fd_ip;
1760 dst->sin_len = sizeof(*dst);
1762 # if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \
1763 !defined(__OpenBSD__)
1765 rtalloc_ign(ro, RTF_CLONING);
1767 rtalloc_ign(ro, RTF_PRCLONING);
1774 if (!fr || !(fr->fr_flags & FR_FASTROUTE)) {
1776 # if (defined(IRIX) && (IRIX >= 605))
1783 if ((ifp == NULL) && (ro->ro_rt != NULL))
1784 ifp = ro->ro_rt->rt_ifp;
1786 if ((ro->ro_rt == NULL) || (ifp == NULL)) {
1787 if (in_localaddr(ip->ip_dst))
1788 error = EHOSTUNREACH;
1790 error = ENETUNREACH;
1791 # if (defined(IRIX) && (IRIX >= 605))
1797 if (ro->ro_rt->rt_flags & RTF_GATEWAY) {
1798 #if (BSD >= 199306) || (defined(IRIX) && (IRIX >= 605))
1799 dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
1801 dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway;
1804 ro->ro_rt->rt_use++;
1806 #if (defined(IRIX) && (IRIX > 602))
1811 * For input packets which are being "fastrouted", they won't
1812 * go back through output filtering and miss their chance to get
1813 * NAT'd and counted.
1815 if (fin->fin_out == 0) {
1816 sifp = fin->fin_ifp;
1817 sout = fin->fin_out;
1820 if ((fin->fin_fr = ipacct[1][fr_active]) &&
1821 (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
1822 ATOMIC_INCL(frstats[1].fr_acct);
1825 if (!fr || !(fr->fr_flags & FR_RETMASK))
1826 (void) fr_checkstate(ip, fin);
1828 switch (ip_natout(ip, fin))
1841 fin->fin_ifp = sifp;
1842 fin->fin_out = sout;
1847 * If small enough for interface, can just send directly.
1849 if (ip->ip_len <= ifp->if_mtu) {
1851 # if (!defined(__DragonFly__) && !defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) && \
1852 !(__NetBSD_Version__ >= 105110000)
1853 ip->ip_id = htons(ip->ip_id);
1855 ip->ip_len = htons(ip->ip_len);
1856 ip->ip_off = htons(ip->ip_off);
1858 # if defined(__NetBSD__) && defined(M_CSUM_IPv4)
1859 # if (__NetBSD_Version__ > 105009999)
1860 if (ifp->if_csum_flags_tx & IFCAP_CSUM_IPv4)
1861 m->m_pkthdr.csum_flags |= M_CSUM_IPv4;
1862 else if (ip->ip_sum == 0)
1863 ip->ip_sum = in_cksum(m, hlen);
1865 if (ifp->if_capabilities & IFCAP_CSUM_IPv4)
1866 m->m_pkthdr.csuminfo |= M_CSUM_IPv4;
1867 else if (ip->ip_sum == 0)
1868 ip->ip_sum = in_cksum(m, hlen);
1872 ip->ip_sum = in_cksum(m, hlen);
1873 # endif /* __NetBSD__ && M_CSUM_IPv4 */
1874 # if (BSD >= 199306) || (defined(IRIX) && (IRIX >= 605))
1876 IFNET_UPPERLOCK(ifp);
1878 lwkt_serialize_enter(ifp->if_serializer);
1879 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
1881 lwkt_serialize_exit(ifp->if_serializer);
1883 IFNET_UPPERUNLOCK(ifp);
1886 lwkt_serialize_enter(ifp->if_serializer);
1887 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst);
1888 lwkt_serialize_exit(ifp->if_serializer);
1894 * Too large for interface; fragment if possible.
1895 * Must be able to put at least 8 bytes per fragment.
1897 if (ip->ip_off & IP_DF) {
1901 len = (ifp->if_mtu - hlen) &~ 7;
1908 int mhlen, firstlen = len;
1909 struct mbuf **mnext = &m->m_act;
1912 * Loop through length of segment after first fragment,
1913 * make new header and copy data of each part and link onto chain.
1916 mhlen = sizeof (struct ip);
1917 for (off = hlen + len; off < ip->ip_len; off += len) {
1918 # ifdef __DragonFly__
1919 MGETHDR(m, MB_DONTWAIT, MT_HEADER);
1920 # elif defined(MGETHDR)
1921 MGETHDR(m, M_DONTWAIT, MT_HEADER);
1923 MGET(m, M_DONTWAIT, MT_HEADER);
1930 m->m_data += max_linkhdr;
1932 m->m_off = MMAXOFF - hlen;
1934 mhip = mtod(m, struct ip *);
1935 bcopy((char *)ip, (char *)mhip, sizeof(*ip));
1936 if (hlen > sizeof (struct ip)) {
1937 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
1938 mhip->ip_hl = mhlen >> 2;
1941 mhip->ip_off = ((off - hlen) >> 3) + (ip->ip_off & ~IP_MF);
1942 if (ip->ip_off & IP_MF)
1943 mhip->ip_off |= IP_MF;
1944 if (off + len >= ip->ip_len)
1945 len = ip->ip_len - off;
1947 mhip->ip_off |= IP_MF;
1948 mhip->ip_len = htons((u_short)(len + mhlen));
1949 m->m_next = m_copy(m0, off, len);
1950 if (m->m_next == 0) {
1951 error = ENOBUFS; /* ??? */
1955 m->m_pkthdr.len = mhlen + len;
1956 m->m_pkthdr.rcvif = NULL;
1958 mhip->ip_off = htons((u_short)mhip->ip_off);
1960 mhip->ip_sum = in_cksum(m, mhlen);
1965 * Update first fragment by trimming what's been copied out
1966 * and updating header, then send each fragment (in order).
1968 m_adj(m0, hlen + firstlen - ip->ip_len);
1969 ip->ip_len = htons((u_short)(hlen + firstlen));
1970 ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
1972 ip->ip_sum = in_cksum(m0, hlen);
1974 for (m = m0; m; m = m0) {
1978 lwkt_serialize_enter(ifp->if_serializer);
1979 # if (BSD >= 199306) || (defined(IRIX) && (IRIX >= 605))
1980 error = (*ifp->if_output)(ifp, m,
1981 (struct sockaddr *)dst, ro->ro_rt);
1983 error = (*ifp->if_output)(ifp, m,
1984 (struct sockaddr *)dst);
1986 lwkt_serialize_exit(ifp->if_serializer);
1998 if (ro->ro_rt != NULL) {
2004 if ((error == EMSGSIZE) && (fin->fin_v == 4)) {
2005 sifp = fin->fin_ifp;
2006 code = fin->fin_icode;
2007 fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
2009 (void) send_icmp_err(ip, ICMP_UNREACH, fin, 1);
2010 fin->fin_ifp = sifp;
2011 fin->fin_icode = code;
2019 * Return true or false depending on whether the route to the
2020 * given IP address uses the same interface as the one passed.
2022 int fr_verifysrc(ipa, ifp)
2026 struct sockaddr_in *dst;
2027 struct route iproute;
2029 bzero((char *)&iproute, sizeof(iproute));
2030 dst = (struct sockaddr_in *)&iproute.ro_dst;
2031 # if (BSD >= 199306)
2032 dst->sin_len = sizeof(*dst);
2034 dst->sin_family = AF_INET;
2035 dst->sin_addr = ipa;
2036 # if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \
2037 !defined(__OpenBSD__)
2039 rtalloc_ign(&iproute, RTF_CLONING);
2041 rtalloc_ign(&iproute, RTF_PRCLONING);
2046 if (iproute.ro_rt == NULL)
2048 return (ifp == iproute.ro_rt->rt_ifp);
2052 # ifdef USE_GETIFNAME
2057 static char workbuf[64];
2059 sprintf(workbuf, "%s%d", ifp->if_name, ifp->if_unit);
2065 # if defined(USE_INET6)
2067 * This is the IPv6 specific fastroute code. It doesn't clean up the mbuf's
2068 * or ensure that it is an IPv6 packet that is being forwarded, those are
2069 * expected to be done by the called (ipfr_fastroute).
2071 static int ipfr_fastroute6(m0, mpp, fin, fdp)
2072 struct mbuf *m0, **mpp;
2076 struct route_in6 ip6route;
2077 struct sockaddr_in6 *dst6;
2078 struct route_in6 *ro;
2081 #if defined(OpenBSD) && (OpenBSD >= 200211)
2082 struct route_in6 *ro_pmtu = NULL;
2083 struct in6_addr finaldst;
2091 bzero((caddr_t)ro, sizeof(*ro));
2092 dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
2093 dst6->sin6_family = AF_INET6;
2094 dst6->sin6_len = sizeof(struct sockaddr_in6);
2095 dst6->sin6_addr = fin->fin_fi.fi_dst.in6;
2102 if ((fr != NULL) && (fin->fin_rev != 0)) {
2103 if ((ifp != NULL) && (fdp == &fr->fr_tif))
2105 } else if (fdp != NULL) {
2106 if (IP6_NOTZERO(&fdp->fd_ip6))
2107 dst6->sin6_addr = fdp->fd_ip6.in6;
2112 #if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__)
2114 if (IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr))
2115 dst6->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
2117 rtalloc((struct route *)ro);
2119 if ((ifp == NULL) && (ro->ro_rt != NULL))
2120 ifp = ro->ro_rt->rt_ifp;
2122 if ((ro->ro_rt == NULL) || (ifp == NULL) ||
2123 (ifp != ro->ro_rt->rt_ifp)) {
2124 error = EHOSTUNREACH;
2126 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
2127 dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway;
2128 ro->ro_rt->rt_use++;
2130 #if defined(OpenBSD) && (OpenBSD >= 200211)
2131 ip6 = mtod(m0, ip6_t *);
2133 finaldst = ip6->ip6_dst;
2134 error = ip6_getpmtu(ro_pmtu, ro, ifp, &finaldst, &mtu);
2138 mtu = ND_IFINFO(ifp)->linkmtu;
2140 mtu = nd_ifinfo[ifp->if_index].linkmtu;
2143 if (m0->m_pkthdr.len <= mtu)
2144 error = nd6_output(ifp, fin->fin_ifp, m0,
2148 #if defined(OpenBSD) && (OpenBSD >= 200211)
2153 if (ro->ro_rt != NULL) {
2159 #else /* #ifdef _KERNEL */
2162 # if defined(__sgi) && (IRIX < 605)
2163 static int no_output (struct ifnet *ifp, struct mbuf *m,
2166 static int no_output (struct ifnet *ifp, struct mbuf *m,
2167 struct sockaddr *s, struct rtentry *rt)
2175 # if defined(__sgi) && (IRIX < 605)
2176 static int write_output (struct ifnet *ifp, struct mbuf *m,
2179 static int write_output (struct ifnet *ifp, struct mbuf *m,
2180 struct sockaddr *s, struct rtentry *rt)
2183 ip_t *ip = (ip_t *)m;
2185 static int write_output(ifp, ip)
2193 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
2194 (defined(OpenBSD) && (OpenBSD >= 199603)) || \
2195 (defined(__DragonFly__))
2196 sprintf(fname, "%s", ifp->if_xname);
2198 sprintf(fname, "%s%d", ifp->if_name, ifp->if_unit);
2200 fd = open(fname, O_WRONLY|O_APPEND);
2205 write(fd, (char *)ip, ntohs(ip->ip_len));
2211 char *get_ifname(ifp)
2214 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
2215 (defined(OpenBSD) && (OpenBSD >= 199603)) || \
2216 (defined(__DragonFly__))
2217 return ifp->if_xname;
2219 static char fullifname[LIFNAMSIZ];
2221 sprintf(fullifname, "%s%d", ifp->if_name, ifp->if_unit);
2227 struct ifnet *get_unit(ifname, v)
2231 struct ifnet *ifp, **ifa, **old_ifneta;
2233 for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
2234 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
2235 (defined(OpenBSD) && (OpenBSD >= 199603)) || \
2236 (defined(__DragonFly__))
2237 if (!strncmp(ifname, ifp->if_xname, sizeof(ifp->if_xname)))
2239 char fullname[LIFNAMSIZ];
2241 sprintf(fullname, "%s%d", ifp->if_name, ifp->if_unit);
2242 if (!strcmp(ifname, fullname))
2248 ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
2252 ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
2259 old_ifneta = ifneta;
2261 ifneta = (struct ifnet **)realloc(ifneta,
2262 (nifs + 1) * sizeof(*ifa));
2268 ifneta[nifs] = NULL;
2269 ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
2270 if (!ifneta[nifs - 1]) {
2275 ifp = ifneta[nifs - 1];
2277 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
2278 (defined(OpenBSD) && (OpenBSD >= 199603)) || \
2279 (defined(__DragonFly__))
2280 strncpy(ifp->if_xname, ifname, sizeof(ifp->if_xname));
2282 ifp->if_name = strdup(ifname);
2284 ifname = ifp->if_name;
2285 while (*ifname && !isdigit(*ifname))
2287 if (*ifname && isdigit(*ifname)) {
2288 ifp->if_unit = atoi(ifname);
2293 ifp->if_output = no_output;
2301 struct ifnet *ifp, **ifa;
2305 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
2306 (defined(OpenBSD) && (OpenBSD >= 199603)) || \
2307 (defined(__DragonFly__))
2308 for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
2309 ifp->if_output = write_output;
2310 sprintf(fname, "/tmp/%s", ifp->if_xname);
2311 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
2319 for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
2320 ifp->if_output = write_output;
2321 sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
2322 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
2332 int send_reset(ip, fin)
2336 verbose("- TCP RST sent\n");
2341 int send_icmp_err(ip, code, fin, dst)
2347 verbose("- ICMP UNREACHABLE sent\n");
2357 void m_copydata(m, off, len, cp)
2362 bcopy((char *)m + off, cp, len);
2366 int ipfuiomove(buf, len, rwflag, uio)
2371 int left, ioc, num, offset;
2375 if (rwflag == UIO_READ) {
2379 offset = uio->uio_offset;
2381 while ((left > 0) && (ioc < uio->uio_iovcnt)) {
2382 io = uio->uio_iov + ioc;
2386 start = (char *)io->iov_base + offset;
2387 if (start > (char *)io->iov_base + io->iov_len) {
2388 offset -= io->iov_len;
2392 bcopy(buf, start, num);
2393 uio->uio_resid -= num;
2394 uio->uio_offset += num;
2404 #endif /* _KERNEL */