2 * Copyright (C) 1993-2001 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
6 #if defined(__sgi) && (IRIX > 602)
7 # include <sys/ptimers.h>
10 #include <sys/types.h>
11 #include <sys/param.h>
14 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
16 # include "opt_ipfilter_log.h"
18 #if (defined(KERNEL) || defined(_KERNEL)) && defined(__FreeBSD_version) && \
19 (__FreeBSD_version >= 220000)
20 # if (__FreeBSD_version >= 400000)
22 # include "opt_inet6.h"
24 # if (__FreeBSD_version == 400019)
25 # define CSUM_DELAY_DATA
28 # include <sys/filio.h>
29 # include <sys/fcntl.h>
31 # include <sys/ioctl.h>
33 #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
34 # include <sys/systm.h>
40 #if !defined(__SVR4) && !defined(__svr4__)
42 # include <sys/mbuf.h>
45 # include <sys/byteorder.h>
47 # include <sys/dditypes.h>
49 # include <sys/stream.h>
52 # include <sys/protosw.h>
53 # include <sys/socket.h>
59 #include <net/route.h>
60 #include <netinet/in.h>
61 #include <netinet/in_systm.h>
62 #include <netinet/ip.h>
64 # include <netinet/ip_var.h>
66 #if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
67 # include <sys/hashing.h>
68 # include <netinet/in_var.h>
70 #include <netinet/tcp.h>
71 #include <netinet/udp.h>
72 #include <netinet/ip_icmp.h>
73 #include "netinet/ip_compat.h"
75 # include <netinet/icmp6.h>
76 # if !SOLARIS && defined(_KERNEL)
77 # include <netinet6/in6_var.h>
80 #include <netinet/tcpip.h>
81 #include "netinet/ip_fil.h"
82 #include "netinet/ip_nat.h"
83 #include "netinet/ip_frag.h"
84 #include "netinet/ip_state.h"
85 #include "netinet/ip_proxy.h"
86 #include "netinet/ip_auth.h"
87 # if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
88 # include <sys/malloc.h>
89 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
90 # include "opt_ipfilter.h"
94 # define MIN(a,b) (((a)<(b))?(a):(b))
96 #include "netinet/ipl.h"
99 static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
100 static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $";
108 # define FR_VERBOSE(verb_pr) verbose verb_pr
109 # define FR_DEBUG(verb_pr) debug verb_pr
110 # define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
111 #else /* #ifndef _KERNEL */
112 # define FR_VERBOSE(verb_pr)
113 # define FR_DEBUG(verb_pr)
114 # define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
115 # if SOLARIS || defined(__sgi)
116 extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat;
117 extern kmutex_t ipf_rw;
118 # endif /* SOLARIS || __sgi */
122 struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
123 struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
125 *ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } },
126 *ipacct6[2][2] = { { NULL, NULL }, { NULL, NULL } },
128 *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
129 struct frgroup *ipfgroups[3][2];
130 int fr_flags = IPF_LOGGING;
134 int fr_minttllog = 1;
135 #if defined(IPFILTER_DEFAULT_BLOCK)
136 int fr_pass = FR_NOMATCH|FR_BLOCK;
138 int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
140 char ipfilter_version[] = IPL_VERSION;
142 fr_info_t frcache[2];
144 static int frflushlist __P((int, minor_t, int *, frentry_t **));
146 static void frsynclist __P((frentry_t *));
151 * bit values for identifying presence of individual IP options
153 struct optlist ipopts[20] = {
154 { IPOPT_NOP, 0x000001 },
155 { IPOPT_RR, 0x000002 },
156 { IPOPT_ZSU, 0x000004 },
157 { IPOPT_MTUP, 0x000008 },
158 { IPOPT_MTUR, 0x000010 },
159 { IPOPT_ENCODE, 0x000020 },
160 { IPOPT_TS, 0x000040 },
161 { IPOPT_TR, 0x000080 },
162 { IPOPT_SECURITY, 0x000100 },
163 { IPOPT_LSRR, 0x000200 },
164 { IPOPT_E_SEC, 0x000400 },
165 { IPOPT_CIPSO, 0x000800 },
166 { IPOPT_SATID, 0x001000 },
167 { IPOPT_SSRR, 0x002000 },
168 { IPOPT_ADDEXT, 0x004000 },
169 { IPOPT_VISA, 0x008000 },
170 { IPOPT_IMITD, 0x010000 },
171 { IPOPT_EIP, 0x020000 },
172 { IPOPT_FINN, 0x040000 },
177 * bit values for identifying presence of individual IP security options
179 struct optlist secopt[8] = {
180 { IPSO_CLASS_RES4, 0x01 },
181 { IPSO_CLASS_TOPS, 0x02 },
182 { IPSO_CLASS_SECR, 0x04 },
183 { IPSO_CLASS_RES3, 0x08 },
184 { IPSO_CLASS_CONF, 0x10 },
185 { IPSO_CLASS_UNCL, 0x20 },
186 { IPSO_CLASS_RES2, 0x40 },
187 { IPSO_CLASS_RES1, 0x80 }
192 * compact the IP header into a structure which contains just the info.
193 * which is useful for comparing IP headers with.
195 void fr_makefrip(hlen, ip, fin)
200 u_short optmsk = 0, secmsk = 0, auth = 0;
201 int i, mv, ol, off, p, plen, v;
202 fr_ip_t *fi = &fin->fin_fi;
210 fin->fin_data[0] = 0;
211 fin->fin_data[1] = 0;
214 fin->fin_icode = ipl_unreach;
217 fin->fin_hlen = hlen;
219 fin->fin_id = ip->ip_id;
220 fi->fi_tos = ip->ip_tos;
221 off = (ip->ip_off & IP_OFFMASK);
222 tcp = (tcphdr_t *)((char *)ip + hlen);
223 (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
224 fi->fi_src.i6[1] = 0;
225 fi->fi_src.i6[2] = 0;
226 fi->fi_src.i6[3] = 0;
227 fi->fi_dst.i6[1] = 0;
228 fi->fi_dst.i6[2] = 0;
229 fi->fi_dst.i6[3] = 0;
230 fi->fi_saddr = ip->ip_src.s_addr;
231 fi->fi_daddr = ip->ip_dst.s_addr;
233 fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
234 if (ip->ip_off & (IP_MF|IP_OFFMASK))
235 fi->fi_fl |= FI_FRAG;
237 fin->fin_dlen = plen - hlen;
241 ip6_t *ip6 = (ip6_t *)ip;
246 fi->fi_ttl = ip6->ip6_hlim;
247 tcp = (tcphdr_t *)(ip6 + 1);
248 fi->fi_src.in6 = ip6->ip6_src;
249 fi->fi_dst.in6 = ip6->ip6_dst;
250 fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
253 plen = ntohs(ip6->ip6_plen);
254 fin->fin_dlen = plen;
255 plen += sizeof(*ip6);
262 fin->fin_plen = plen;
263 fin->fin_dp = (char *)tcp;
270 case IPPROTO_ICMPV6 :
272 int minicmpsz = sizeof(struct icmp6_hdr);
273 struct icmp6_hdr *icmp6;
275 if (fin->fin_dlen > 1) {
276 fin->fin_data[0] = *(u_short *)tcp;
278 icmp6 = (struct icmp6_hdr *)tcp;
280 switch (icmp6->icmp6_type)
282 case ICMP6_ECHO_REPLY :
283 case ICMP6_ECHO_REQUEST :
284 minicmpsz = ICMP6_MINLEN;
286 case ICMP6_DST_UNREACH :
287 case ICMP6_PACKET_TOO_BIG :
288 case ICMP6_TIME_EXCEEDED :
289 case ICMP6_PARAM_PROB :
290 minicmpsz = ICMP6ERR_IPICMPHLEN;
297 if (!(plen >= minicmpsz))
298 fi->fi_fl |= FI_SHORT;
305 int minicmpsz = sizeof(struct icmp);
308 if (!off && (fin->fin_dlen > 1)) {
309 fin->fin_data[0] = *(u_short *)tcp;
311 icmp = (icmphdr_t *)tcp;
313 switch (icmp->icmp_type)
315 case ICMP_ECHOREPLY :
317 /* Router discovery messages - RFC 1256 */
318 case ICMP_ROUTERADVERT :
319 case ICMP_ROUTERSOLICIT :
320 minicmpsz = ICMP_MINLEN;
323 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
327 case ICMP_TSTAMPREPLY :
331 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
335 case ICMP_MASKREPLY :
343 if ((!(plen >= hlen + minicmpsz) && !off) ||
344 (off && off < sizeof(struct icmp)))
345 fi->fi_fl |= FI_SHORT;
350 fi->fi_fl |= FI_TCPUDP;
353 if (plen < sizeof(struct tcphdr))
354 fi->fi_fl |= FI_SHORT;
358 if ((!IPMINLEN(ip, tcphdr) && !off) ||
359 (off && off < sizeof(struct tcphdr)))
360 fi->fi_fl |= FI_SHORT;
362 if (!(fi->fi_fl & FI_SHORT) && !off)
363 fin->fin_tcpf = tcp->th_flags;
366 fi->fi_fl |= FI_TCPUDP;
369 if (plen < sizeof(struct udphdr))
370 fi->fi_fl |= FI_SHORT;
374 if ((!IPMINLEN(ip, udphdr) && !off) ||
375 (off && off < sizeof(struct udphdr)))
376 fi->fi_fl |= FI_SHORT;
379 if (!off && (fin->fin_dlen > 3)) {
380 fin->fin_data[0] = ntohs(tcp->th_sport);
381 fin->fin_data[1] = ntohs(tcp->th_dport);
388 fi->fi_fl |= FI_SHORT;
392 if (((ip->ip_len < hlen + 8) && !off) ||
394 fi->fi_fl |= FI_SHORT;
410 for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
414 else if (opt == IPOPT_NOP)
420 if (ol < 2 || ol > hlen)
423 for (i = 9, mv = 4; mv >= 0; ) {
425 if (opt == (u_char)op->ol_val) {
426 optmsk |= op->ol_bit;
427 if (opt == IPOPT_SECURITY) {
432 sec = *(s + 2); /* classification */
433 for (j = 3, m = 2; m >= 0; ) {
435 if (sec == sp->ol_val) {
436 secmsk |= sp->ol_bit;
442 if (sec < sp->ol_val)
450 if (opt < op->ol_val)
458 if (auth && !(auth & 0x0100))
460 fi->fi_optmsk = optmsk;
461 fi->fi_secmsk = secmsk;
467 * check an IP packet for TCP/UDP characteristics such as ports and flags.
469 int fr_tcpudpchk(ft, fin)
473 register u_short po, tup;
475 register int err = 1;
478 * Both ports should *always* be in the first fragment.
479 * So far, I cannot find any cases where they can not be.
481 * compare destination ports
483 if ((i = (int)ft->ftu_dcmp)) {
485 tup = fin->fin_data[1];
487 * Do opposite test to that required and
488 * continue if that succeeds.
490 if (!--i && tup != po) /* EQUAL */
492 else if (!--i && tup == po) /* NOTEQUAL */
494 else if (!--i && tup >= po) /* LESSTHAN */
496 else if (!--i && tup <= po) /* GREATERTHAN */
498 else if (!--i && tup > po) /* LT or EQ */
500 else if (!--i && tup < po) /* GT or EQ */
502 else if (!--i && /* Out of range */
503 (tup >= po && tup <= ft->ftu_dtop))
505 else if (!--i && /* In range */
506 (tup <= po || tup >= ft->ftu_dtop))
510 * compare source ports
512 if (err && (i = (int)ft->ftu_scmp)) {
514 tup = fin->fin_data[0];
515 if (!--i && tup != po)
517 else if (!--i && tup == po)
519 else if (!--i && tup >= po)
521 else if (!--i && tup <= po)
523 else if (!--i && tup > po)
525 else if (!--i && tup < po)
527 else if (!--i && /* Out of range */
528 (tup >= po && tup <= ft->ftu_stop))
530 else if (!--i && /* In range */
531 (tup <= po || tup >= ft->ftu_stop))
536 * If we don't have all the TCP/UDP header, then how can we
537 * expect to do any sort of match on it ? If we were looking for
538 * TCP flags, then NO match. If not, then match (which should
539 * satisfy the "short" class too).
541 if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
542 if (fin->fin_fl & FI_SHORT)
543 return !(ft->ftu_tcpf | ft->ftu_tcpfm);
545 * Match the flags ? If not, abort this match.
548 ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
549 FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
550 ft->ftu_tcpfm, ft->ftu_tcpf));
558 * Check the input/output list of rules for a match and result.
559 * Could be per interface, but this gets real nasty when you don't have
562 int fr_scanlist(passin, ip, fin, m)
565 register fr_info_t *fin;
568 register struct frentry *fr;
569 register fr_ip_t *fi = &fin->fin_fi;
570 int rulen, portcmp = 0, off, skip = 0, logged = 0;
571 u_32_t pass, passt, passl;
580 if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
583 for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
585 FR_VERBOSE(("%d (%#x)\n", skip, fr->fr_flags));
590 * In all checks below, a null (zero) value in the
591 * filter struture is taken to mean a wildcard.
593 * check that we are working for the right interface
597 if (fin->fin_out != 0) {
599 (fr->fr_oifa != ((mb_t *)m)->m_pkthdr.rcvif)))
604 if (opts & (OPT_VERBOSE|OPT_DEBUG))
608 FR_VERBOSE(("%c", fr->fr_skip ? 's' :
609 (pass & FR_PASS) ? 'p' :
610 (pass & FR_AUTH) ? 'a' :
611 (pass & FR_ACCOUNT) ? 'A' :
612 (pass & FR_NOMATCH) ? 'n' : 'b'));
614 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
619 register u_32_t *ld, *lm, *lip;
623 lm = (u_32_t *)&fr->fr_mip;
624 ld = (u_32_t *)&fr->fr_ip;
625 i = ((*lip & *lm) != *ld);
626 FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
631 * We now know whether the packet version and the
632 * rule version match, along with protocol, ttl and
637 * Unrolled loops (4 each, for 32 bits).
639 FR_DEBUG(("1a. %#08x & %#08x != %#08x\n",
641 i |= ((*lip++ & *lm++) != *ld++) << 5;
643 FR_DEBUG(("1b. %#08x & %#08x != %#08x\n",
645 i |= ((*lip++ & *lm++) != *ld++) << 5;
646 FR_DEBUG(("1c. %#08x & %#08x != %#08x\n",
648 i |= ((*lip++ & *lm++) != *ld++) << 5;
649 FR_DEBUG(("1d. %#08x & %#08x != %#08x\n",
651 i |= ((*lip++ & *lm++) != *ld++) << 5;
657 i ^= (fr->fr_flags & FR_NOTSRCIP);
660 FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
662 i |= ((*lip++ & *lm++) != *ld++) << 6;
664 FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
666 i |= ((*lip++ & *lm++) != *ld++) << 6;
667 FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
669 i |= ((*lip++ & *lm++) != *ld++) << 6;
670 FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
672 i |= ((*lip++ & *lm++) != *ld++) << 6;
678 i ^= (fr->fr_flags & FR_NOTDSTIP);
681 FR_DEBUG(("3. %#08x & %#08x != %#08x\n",
683 i |= ((*lip++ & *lm++) != *ld++);
684 FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
686 i |= ((*lip & *lm) != *ld);
692 * If a fragment, then only the first has what we're looking
695 if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
698 if (fi->fi_fl & FI_TCPUDP) {
699 if (!fr_tcpudpchk(&fr->fr_tuc, fin))
701 } else if (fr->fr_icmpm || fr->fr_icmp) {
702 if (((fi->fi_p != IPPROTO_ICMP) &&
703 (fi->fi_p != IPPROTO_ICMPV6)) || off ||
706 if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
707 FR_DEBUG(("i. %#x & %#x != %#x\n",
708 fin->fin_data[0], fr->fr_icmpm,
715 if (fr->fr_flags & FR_NOMATCH) {
720 if (fr->fr_flags & FR_QUICK)
726 passt = fr->fr_flags;
729 #if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
730 if (securelevel <= 0)
732 if ((passt & FR_CALLNOW) && fr->fr_func)
733 passt = (*fr->fr_func)(passt, ip, fin);
736 * Just log this packet...
738 if ((passt & FR_LOGMASK) == FR_LOG) {
739 if (!IPLLOG(passt, ip, fin, m)) {
740 if (passt & FR_LOGORBLOCK)
741 passt |= FR_BLOCK|FR_QUICK;
742 ATOMIC_INCL(frstats[fin->fin_out].fr_skip);
744 ATOMIC_INCL(frstats[fin->fin_out].fr_pkl);
747 #endif /* IPFILTER_LOG */
748 ATOMIC_INCL(fr->fr_hits);
749 if (passt & FR_ACCOUNT)
750 fr->fr_bytes += (U_QUAD_T)ip->ip_len;
752 fin->fin_icode = fr->fr_icode;
753 fin->fin_rule = rulen;
754 fin->fin_group = fr->fr_group;
755 if (fr->fr_grp != NULL) {
756 fin->fin_fr = fr->fr_grp;
757 passt = fr_scanlist(passt, ip, fin, m);
758 if (fin->fin_fr == NULL) {
759 fin->fin_rule = rulen;
760 fin->fin_group = fr->fr_group;
763 if (passt & FR_DONTCACHE)
766 if (!(skip = fr->fr_skip) && (passt & FR_LOGMASK) != FR_LOG)
768 FR_DEBUG(("pass %#x\n", pass));
769 if (passt & FR_QUICK)
773 pass |= FR_DONTCACHE;
774 pass |= (fi->fi_fl << 24);
780 * frcheck - filter check
781 * check using source and destination addresses/ports in a packet whether
782 * or not to pass it on or not.
784 int fr_check(ip, hlen, ifp, out
785 #if defined(_KERNEL) && SOLARIS
798 * The above really sucks, but short of writing a diff
800 fr_info_t frinfo, *fc;
801 register fr_info_t *fin = &frinfo;
802 int changed, error = EHOSTUNREACH, v = ip->ip_v;
803 frentry_t *fr = NULL, *list;
805 #if !SOLARIS || !defined(_KERNEL)
806 register mb_t *m = *mp;
810 int p, len, drop = 0, logit = 0;
812 # if !defined(__SVR4) && !defined(__svr4__)
818 # if !SOLARIS && !defined(NETBSD_PF) && \
819 ((defined(__FreeBSD__) && (__FreeBSD_version < 500011)) || \
820 defined(__OpenBSD__) || defined(_BSDI_VERSION))
821 if (fr_checkp != fr_check && fr_running > 0) {
822 static int counter = 0;
825 printf("WARNING: fr_checkp corrupt: value %lx\n",
827 printf("WARNING: fr_checkp should be %lx\n",
829 printf("WARNING: fixing fr_checkp\n");
831 fr_checkp = fr_check;
833 if (counter == 10000)
840 * XXX For now, IP Filter and fast-forwarding of cached flows
841 * XXX are mutually exclusive. Eventually, IP Filter should
842 * XXX get a "can-fast-forward" filter rule.
844 m->m_flags &= ~M_CANFASTFWD;
845 # endif /* M_CANFASTFWD */
846 # ifdef CSUM_DELAY_DATA
848 * disable delayed checksums.
850 if ((out != 0) && (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA)) {
852 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
854 # endif /* CSUM_DELAY_DATA */
858 len = ntohs(((ip6_t*)ip)->ip6_plen);
860 return -1; /* potential jumbo gram */
861 len += sizeof(ip6_t);
862 p = ((ip6_t *)ip)->ip6_nxt;
870 if ((p == IPPROTO_TCP || p == IPPROTO_UDP ||
871 (v == 4 && p == IPPROTO_ICMP)
873 || (v == 6 && p == IPPROTO_ICMPV6)
878 if ((v == 6) || (ip->ip_off & IP_OFFMASK) == 0)
882 plen = sizeof(tcphdr_t);
885 plen = sizeof(udphdr_t);
887 /* 96 - enough for complete ICMP error IP header */
889 plen = ICMPERR_MAXPKTLEN - sizeof(ip_t);
895 case IPPROTO_ICMPV6 :
897 * XXX does not take intermediate header
900 plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t);
904 up = MIN(hlen + plen, len);
908 /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */
909 if ((up > sizeof(hbuf)) || (m_length(m) < up)) {
910 ATOMIC_INCL(frstats[out].fr_pull[1]);
913 m_copydata(m, 0, up, hbuf);
914 ATOMIC_INCL(frstats[out].fr_pull[0]);
918 if ((*mp = m_pullup(m, up)) == 0) {
919 ATOMIC_INCL(frstats[out].fr_pull[1]);
922 ATOMIC_INCL(frstats[out].fr_pull[0]);
924 ip = mtod(m, ip_t *);
932 # endif /* !defined(__SVR4) && !defined(__svr4__) */
948 fr_makefrip(hlen, ip, fin);
953 ATOMIC_INCL(frstats[0].fr_ipv6[out]);
954 if (((ip6_t *)ip)->ip6_hlim < fr_minttl) {
955 ATOMIC_INCL(frstats[0].fr_badttl);
956 if (fr_minttllog & 1)
958 if (fr_minttllog & 2)
964 if (fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) {
965 ATOMIC_INCL(frstats[0].fr_badsrc);
970 } else if (ip->ip_ttl < fr_minttl) {
971 ATOMIC_INCL(frstats[0].fr_badttl);
972 if (fr_minttllog & 1)
974 if (fr_minttllog & 2)
981 fin->fin_group = logit;
982 pass = FR_INQUE|FR_NOMATCH|FR_LOGB;
983 (void) IPLLOG(pass, ip, fin, m);
993 if (fin->fin_fl & FI_SHORT) {
994 ATOMIC_INCL(frstats[out].fr_short);
997 READ_ENTER(&ipf_mutex);
1000 * Check auth now. This, combined with the check below to see if apass
1001 * is 0 is to ensure that we don't count the packet twice, which can
1002 * otherwise occur when we reprocess it. As it is, we only count it
1003 * after it has no auth. table matchup. This also stops NAT from
1004 * occuring until after the packet has been auth'd.
1006 apass = fr_checkauth(ip, fin);
1011 list = ipacct6[0][fr_active];
1014 list = ipacct[0][fr_active];
1015 changed = ip_natin(ip, fin);
1016 if (!apass && (fin->fin_fr = list) &&
1017 (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
1018 ATOMIC_INCL(frstats[0].fr_acct);
1023 if ((fin->fin_fl & FI_FRAG) == FI_FRAG)
1024 fr = ipfr_knownfrag(ip, fin);
1025 if (!fr && !(fin->fin_fl & FI_SHORT))
1026 fr = fr_checkstate(ip, fin);
1028 pass = fr->fr_flags;
1029 if (fr && (pass & FR_LOGFIRST))
1030 pass &= ~(FR_LOGFIRST|FR_LOG);
1035 * If a packet is found in the auth table, then skip checking
1036 * the access lists for permission but we do need to consider
1037 * the result as if it were from the ACL's.
1041 if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
1043 * copy cached data so we can unlock the mutex
1046 bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
1047 ATOMIC_INCL(frstats[out].fr_chit);
1048 if ((fr = fin->fin_fr)) {
1049 ATOMIC_INCL(fr->fr_hits);
1050 pass = fr->fr_flags;
1055 list = ipfilter6[out][fr_active];
1058 list = ipfilter[out][fr_active];
1059 if ((fin->fin_fr = list))
1060 pass = fr_scanlist(fr_pass, ip, fin, m);
1061 if (!(pass & (FR_KEEPSTATE|FR_DONTCACHE)))
1062 bcopy((char *)fin, (char *)fc,
1064 if (pass & FR_NOMATCH) {
1065 ATOMIC_INCL(frstats[out].fr_nom);
1074 * If we fail to add a packet to the authorization queue,
1075 * then we drop the packet later. However, if it was added
1076 * then pretend we've dropped it already.
1078 if ((pass & FR_AUTH)) {
1079 if (fr_newauth((mb_t *)m, fin, ip) != 0) {
1086 if (pass & FR_PREAUTH) {
1087 READ_ENTER(&ipf_auth);
1088 if ((fin->fin_fr = ipauth) &&
1089 (pass = fr_scanlist(0, ip, fin, m))) {
1090 ATOMIC_INCL(fr_authstats.fas_hits);
1092 ATOMIC_INCL(fr_authstats.fas_miss);
1094 RWLOCK_EXIT(&ipf_auth);
1098 if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
1099 if (fin->fin_fl & FI_FRAG) {
1100 if (ipfr_newfrag(ip, fin) == -1) {
1101 ATOMIC_INCL(frstats[out].fr_bnfr);
1103 ATOMIC_INCL(frstats[out].fr_nfr);
1106 ATOMIC_INCL(frstats[out].fr_cfr);
1109 if (pass & FR_KEEPSTATE) {
1110 if (fr_addstate(ip, fin, NULL, 0) == NULL) {
1111 ATOMIC_INCL(frstats[out].fr_bads);
1113 ATOMIC_INCL(frstats[out].fr_ads);
1116 } else if (fr != NULL) {
1117 pass = fr->fr_flags;
1118 if (pass & FR_LOGFIRST)
1119 pass &= ~(FR_LOGFIRST|FR_LOG);
1122 #if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
1123 if (securelevel <= 0)
1125 if (fr && fr->fr_func && !(pass & FR_CALLNOW))
1126 pass = (*fr->fr_func)(pass, ip, fin);
1129 * Only count/translate packets which will be passed on, out the
1132 if (out && (pass & FR_PASS)) {
1135 list = ipacct6[1][fr_active];
1138 list = ipacct[1][fr_active];
1143 sg = fin->fin_group;
1145 if (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT) {
1146 ATOMIC_INCL(frstats[1].fr_acct);
1148 fin->fin_group = sg;
1152 changed = ip_natout(ip, fin);
1155 RWLOCK_EXIT(&ipf_mutex);
1158 if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
1159 if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
1160 pass |= FF_LOGNOMATCH;
1161 ATOMIC_INCL(frstats[out].fr_npkl);
1163 } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
1164 ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
1165 if ((pass & FR_LOGMASK) != FR_LOGP)
1167 ATOMIC_INCL(frstats[out].fr_ppkl);
1169 } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
1170 ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
1171 if ((pass & FR_LOGMASK) != FR_LOGB)
1172 pass |= FF_LOGBLOCK;
1173 ATOMIC_INCL(frstats[out].fr_bpkl);
1175 if (!IPLLOG(pass, ip, fin, m)) {
1176 ATOMIC_INCL(frstats[out].fr_skip);
1177 if ((pass & (FR_PASS|FR_LOGORBLOCK)) ==
1178 (FR_PASS|FR_LOGORBLOCK))
1179 pass ^= FR_PASS|FR_BLOCK;
1183 #endif /* IPFILTER_LOG */
1187 * Only allow FR_DUP to work if a rule matched - it makes no sense to
1188 * set FR_DUP as a "default" as there are no instructions about where
1189 * to send the packet.
1191 if (fr && (pass & FR_DUP))
1195 # if defined(__OpenBSD__) && (OpenBSD >= 199905)
1196 mc = m_copym2(m, 0, M_COPYALL, M_DONTWAIT);
1198 mc = m_copy(m, 0, M_COPYALL);
1202 if (pass & FR_PASS) {
1203 ATOMIC_INCL(frstats[out].fr_pass);
1204 } else if (pass & FR_BLOCK) {
1205 ATOMIC_INCL(frstats[out].fr_block);
1207 * Should we return an ICMP packet to indicate error
1208 * status passing through the packet filter ?
1209 * WARNING: ICMP error packets AND TCP RST packets should
1210 * ONLY be sent in repsonse to incoming packets. Sending them
1211 * in response to outbound packets can result in a panic on
1212 * some operating systems.
1217 * If a packet results in a NAT error, do not
1218 * send a reset or ICMP error as it may disrupt
1219 * an existing flow. This is the proxy saying
1220 * the content is bad so just drop the packet
1224 else if (pass & FR_RETICMP) {
1227 if ((pass & FR_RETMASK) == FR_FAKEICMP)
1231 send_icmp_err(ip, ICMP_UNREACH, fin, dst);
1232 ATOMIC_INCL(frstats[0].fr_ret);
1233 } else if (((pass & FR_RETMASK) == FR_RETRST) &&
1234 !(fin->fin_fl & FI_SHORT)) {
1235 if (send_reset(ip, fin) == 0) {
1236 ATOMIC_INCL(frstats[1].fr_ret);
1240 if (pass & FR_RETRST)
1246 * If we didn't drop off the bottom of the list of rules (and thus
1247 * the 'current' rule fr is not NULL), then we may have some extra
1248 * instructions about what to do with a packet.
1249 * Once we're finished return to our caller, freeing the packet if
1250 * we are dropping it (* BSD ONLY *).
1252 if ((changed == -1) && (pass & FR_PASS)) {
1256 #if defined(_KERNEL)
1258 # if !defined(linux)
1260 frdest_t *fdp = &fr->fr_tif;
1262 if (((pass & FR_FASTROUTE) && !out) ||
1263 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
1264 (void) ipfr_fastroute(m, mp, fin, fdp);
1269 (void) ipfr_fastroute(mc, &mc, fin, &fr->fr_dif);
1272 if (!(pass & FR_PASS) && m) {
1277 else if (changed && up && m)
1278 m_copyback(m, 0, up, hbuf);
1280 # endif /* !linux */
1281 # else /* !SOLARIS */
1283 frdest_t *fdp = &fr->fr_tif;
1285 if (((pass & FR_FASTROUTE) && !out) ||
1286 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1))
1287 (void) ipfr_fastroute(ip, m, mp, fin, fdp);
1290 (void) ipfr_fastroute(ip, mc, &mc, fin, &fr->fr_dif);
1292 # endif /* !SOLARIS */
1293 return (pass & FR_PASS) ? 0 : error;
1295 if (pass & FR_NOMATCH)
1301 if ((pass & FR_RETMASK) == FR_RETRST)
1303 if ((pass & FR_RETMASK) == FR_RETICMP)
1305 if ((pass & FR_RETMASK) == FR_FAKEICMP)
1308 #endif /* _KERNEL */
1314 * addr should be 16bit aligned and len is in bytes.
1315 * length is in bytes
1317 u_short ipf_cksum(addr, len)
1318 register u_short *addr;
1321 register u_32_t sum = 0;
1323 for (sum = 0; len > 1; len -= 2)
1326 /* mop up an odd byte, if necessary */
1328 sum += *(u_char *)addr;
1331 * add back carry outs from top 16 bits to low 16 bits
1333 sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
1334 sum += (sum >> 16); /* add carry */
1335 return (u_short)(~sum);
1340 * NB: This function assumes we've pullup'd enough for all of the IP header
1341 * and the TCP header. We also assume that data blocks aren't allocated in
1344 u_short fr_tcpsum(m, ip, tcp)
1349 u_short *sp, slen, ts;
1354 * Add up IP Header portion
1356 hlen = ip->ip_hl << 2;
1357 slen = ip->ip_len - hlen;
1358 sum = htons((u_short)ip->ip_p);
1360 sp = (u_short *)&ip->ip_src;
1361 sum += *sp++; /* ip_src */
1363 sum += *sp++; /* ip_dst */
1369 sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */
1370 sum2 = (sum2 & 0xffff) + (sum2 >> 16);
1371 sum2 = ~sum2 & 0xffff;
1372 # else /* SOLARIS */
1373 # if defined(BSD) || defined(sun)
1380 sum2 = in_cksum(m, slen);
1388 * Both sum and sum2 are partial sums, so combine them together.
1390 sum = (sum & 0xffff) + (sum >> 16);
1391 sum = ~sum & 0xffff;
1393 sum2 = (sum2 & 0xffff) + (sum2 >> 16);
1394 # else /* defined(BSD) || defined(sun) */
1400 u_short len = ip->ip_len;
1406 * Add up IP Header portion
1408 sp = (u_short *)&ip->ip_src;
1409 len -= (ip->ip_hl << 2);
1410 sum = ntohs(IPPROTO_TCP);
1412 sum += *sp++; /* ip_src */
1414 sum += *sp++; /* ip_dst */
1416 if (sp != (u_short *)tcp)
1417 sp = (u_short *)tcp;
1418 sum += *sp++; /* sport */
1419 sum += *sp++; /* dport */
1420 sum += *sp++; /* seq */
1422 sum += *sp++; /* ack */
1424 sum += *sp++; /* off */
1425 sum += *sp++; /* win */
1426 sum += *sp++; /* Skip over checksum */
1427 sum += *sp++; /* urp */
1431 * In case we had to copy the IP & TCP header out of mbufs,
1432 * skip over the mbuf bits which are the header
1434 if ((caddr_t)ip != mtod(m, caddr_t)) {
1435 hlen = (caddr_t)sp - (caddr_t)ip;
1437 add = MIN(hlen, m->m_len);
1438 sp = (u_short *)(mtod(m, caddr_t) + add);
1440 if (add == m->m_len) {
1445 sp = mtod(m, u_short *);
1447 PANIC((!m),("fr_tcpsum(1): not enough data"));
1453 if (!(len -= sizeof(*tcp)))
1456 if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
1458 PANIC((!m),("fr_tcpsum(2): not enough data"));
1459 sp = mtod(m, u_short *);
1461 if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) {
1462 bytes.c[0] = *(u_char *)sp;
1464 PANIC((!m),("fr_tcpsum(3): not enough data"));
1465 sp = mtod(m, u_short *);
1466 bytes.c[1] = *(u_char *)sp;
1468 sp = (u_short *)((u_char *)sp + 1);
1470 if ((u_long)sp & 1) {
1471 bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
1478 sum += ntohs(*(u_char *)sp << 8);
1480 while (sum > 0xffff)
1481 sum = (sum & 0xffff) + (sum >> 16);
1482 sum2 = (u_short)(~sum & 0xffff);
1484 # endif /* defined(BSD) || defined(sun) */
1485 # endif /* SOLARIS */
1487 for (; slen > 1; slen -= 2)
1490 sum += ntohs(*(u_char *)sp << 8);
1491 while (sum > 0xffff)
1492 sum = (sum & 0xffff) + (sum >> 16);
1493 sum2 = (u_short)(~sum & 0xffff);
1500 #if defined(_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || defined(__sgi) )
1502 * Copyright (c) 1982, 1986, 1988, 1991, 1993
1503 * The Regents of the University of California. All rights reserved.
1505 * Redistribution and use in source and binary forms, with or without
1506 * modification, are permitted provided that the following conditions
1508 * 1. Redistributions of source code must retain the above copyright
1509 * notice, this list of conditions and the following disclaimer.
1510 * 2. Redistributions in binary form must reproduce the above copyright
1511 * notice, this list of conditions and the following disclaimer in the
1512 * documentation and/or other materials provided with the distribution.
1513 * 3. All advertising materials mentioning features or use of this software
1514 * must display the following acknowledgement:
1515 * This product includes software developed by the University of
1516 * California, Berkeley and its contributors.
1517 * 4. Neither the name of the University nor the names of its contributors
1518 * may be used to endorse or promote products derived from this software
1519 * without specific prior written permission.
1521 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1522 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1523 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1524 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1525 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1526 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1527 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1528 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1529 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1530 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1533 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
1534 * $Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $
1537 * Copy data from an mbuf chain starting "off" bytes from the beginning,
1538 * continuing for "len" bytes, into the indicated buffer.
1541 m_copydata(m, off, len, cp)
1547 register unsigned count;
1549 if (off < 0 || len < 0)
1550 panic("m_copydata");
1553 panic("m_copydata");
1561 panic("m_copydata");
1562 count = MIN(m->m_len - off, len);
1563 bcopy(mtod(m, caddr_t) + off, cp, count);
1574 * Copy data from a buffer back into the indicated mbuf chain,
1575 * starting "off" bytes from the beginning, extending the mbuf
1576 * chain if necessary.
1579 m_copyback(m0, off, len, cp)
1586 register struct mbuf *m = m0, *n;
1591 while (off > (mlen = m->m_len)) {
1594 if (m->m_next == 0) {
1595 n = m_getclr(M_DONTWAIT, m->m_type);
1598 n->m_len = min(MLEN, len + off);
1604 mlen = min (m->m_len - off, len);
1605 bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
1613 if (m->m_next == 0) {
1614 n = m_get(M_DONTWAIT, m->m_type);
1617 n->m_len = min(MLEN, len);
1624 if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
1625 m->m_pkthdr.len = totlen;
1630 #endif /* (_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || __sgi) */
1633 frgroup_t *fr_findgroup(num, flags, which, set, fgpp)
1639 frgroup_t *fg, **fgp;
1641 if (which == IPL_LOGAUTH)
1642 fgp = &ipfgroups[2][set];
1643 else if (flags & FR_ACCOUNT)
1644 fgp = &ipfgroups[1][set];
1645 else if (flags & (FR_OUTQUE|FR_INQUE))
1646 fgp = &ipfgroups[0][set];
1651 if (fg->fg_num == num)
1661 frgroup_t *fr_addgroup(num, fp, which, set)
1667 frgroup_t *fg, **fgp;
1669 if ((fg = fr_findgroup(num, fp->fr_flags, which, set, &fgp)))
1672 KMALLOC(fg, frgroup_t *);
1677 fg->fg_start = &fp->fr_grp;
1684 void fr_delgroup(num, flags, which, set)
1689 frgroup_t *fg, **fgp;
1691 if (!(fg = fr_findgroup(num, flags, which, set, &fgp)))
1701 * recursively flush rules from the list, descending groups as they are
1702 * encountered. if a rule is the head of a group and it has lost all its
1703 * group members, then also delete the group reference.
1705 static int frflushlist(set, unit, nfreedp, listp)
1711 register int freed = 0, i;
1712 register frentry_t *fp;
1714 while ((fp = *listp)) {
1715 *listp = fp->fr_next;
1717 i = frflushlist(set, unit, nfreedp, &fp->fr_grp);
1718 MUTEX_ENTER(&ipf_rw);
1720 MUTEX_EXIT(&ipf_rw);
1723 ATOMIC_DEC32(fp->fr_ref);
1724 if (fp->fr_grhead) {
1725 fr_delgroup(fp->fr_grhead, fp->fr_flags,
1729 if (fp->fr_ref == 0) {
1740 int frflush(unit, proto, flags)
1744 int flushed = 0, set;
1746 if (unit != IPL_LOGIPF)
1748 WRITE_ENTER(&ipf_mutex);
1749 bzero((char *)frcache, sizeof(frcache[0]) * 2);
1752 if (flags & FR_INACTIVE)
1755 if (flags & FR_OUTQUE) {
1757 if (proto == 0 || proto == 6) {
1758 (void) frflushlist(set, unit,
1759 &flushed, &ipfilter6[1][set]);
1760 (void) frflushlist(set, unit,
1761 &flushed, &ipacct6[1][set]);
1764 if (proto == 0 || proto == 4) {
1765 (void) frflushlist(set, unit,
1766 &flushed, &ipfilter[1][set]);
1767 (void) frflushlist(set, unit,
1768 &flushed, &ipacct[1][set]);
1771 if (flags & FR_INQUE) {
1773 if (proto == 0 || proto == 6) {
1774 (void) frflushlist(set, unit,
1775 &flushed, &ipfilter6[0][set]);
1776 (void) frflushlist(set, unit,
1777 &flushed, &ipacct6[0][set]);
1780 if (proto == 0 || proto == 4) {
1781 (void) frflushlist(set, unit,
1782 &flushed, &ipfilter[0][set]);
1783 (void) frflushlist(set, unit,
1784 &flushed, &ipacct[0][set]);
1787 RWLOCK_EXIT(&ipf_mutex);
1792 char *memstr(src, dst, slen, dlen)
1798 while (dlen >= slen) {
1799 if (bcmp(src, dst, slen) == 0) {
1810 void fixskip(listp, rp, addremove)
1811 frentry_t **listp, *rp;
1815 int rules = 0, rn = 0;
1817 for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++)
1823 for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
1824 if (fp->fr_skip && (rn + fp->fr_skip >= rules))
1825 fp->fr_skip += addremove;
1831 * count consecutive 1's in bit mask. If the mask generated by counting
1832 * consecutive 1's is different to that passed, return -1, else return #
1841 ip = ipn = ntohl(ip);
1842 for (i = 32; i; i--, ipn *= 2)
1843 if (ipn & 0x80000000)
1848 for (i = 32, j = cnt; i; i--, j--) {
1860 * return the first IP Address associated with an interface
1862 int fr_ifpaddr(v, ifptr, inp)
1865 struct in_addr *inp;
1868 struct in6_addr *inp6 = NULL;
1873 struct ifnet *ifp = ifptr;
1880 struct in6_addr in6;
1883 * First is always link local.
1885 if (ill->ill_ipif->ipif_next)
1886 in6 = ill->ill_ipif->ipif_next->ipif_v6lcl_addr;
1888 bzero((char *)&in6, sizeof(in6));
1889 bcopy((char *)&in6, (char *)inp, sizeof(in6));
1893 in.s_addr = ill->ill_ipif->ipif_local_addr;
1896 # else /* SOLARIS */
1900 struct sockaddr_in *sin;
1903 # if (__FreeBSD_version >= 300000)
1904 ifa = TAILQ_FIRST(&ifp->if_addrhead);
1906 # if defined(__NetBSD__) || defined(__OpenBSD__)
1907 ifa = ifp->if_addrlist.tqh_first;
1909 # if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
1910 ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa;
1912 ifa = ifp->if_addrlist;
1914 # endif /* __NetBSD__ || __OpenBSD__ */
1915 # endif /* __FreeBSD_version >= 300000 */
1916 # if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK))
1917 sin = (struct sockaddr_in *)&ifa->ifa_addr;
1919 sin = (struct sockaddr_in *)ifa->ifa_addr;
1920 while (sin && ifa) {
1921 if ((v == 4) && (sin->sin_family == AF_INET))
1924 if ((v == 6) && (sin->sin_family == AF_INET6)) {
1925 inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
1926 if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
1927 !IN6_IS_ADDR_LOOPBACK(inp6))
1931 # if (__FreeBSD_version >= 300000)
1932 ifa = TAILQ_NEXT(ifa, ifa_link);
1934 # if defined(__NetBSD__) || defined(__OpenBSD__)
1935 ifa = ifa->ifa_list.tqe_next;
1937 ifa = ifa->ifa_next;
1939 # endif /* __FreeBSD_version >= 300000 */
1941 sin = (struct sockaddr_in *)ifa->ifa_addr;
1947 # endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */
1950 bcopy((char *)inp6, (char *)inp, sizeof(*inp6));
1958 # endif /* SOLARIS */
1963 static void frsynclist(fr)
1964 register frentry_t *fr;
1966 for (; fr; fr = fr->fr_next) {
1967 if (fr->fr_ifa != NULL) {
1968 fr->fr_ifa = GETUNIT(fr->fr_ifname, fr->fr_ip.fi_v);
1969 if (fr->fr_ifa == NULL)
1970 fr->fr_ifa = (void *)-1;
1973 frsynclist(fr->fr_grp);
1981 register struct ifnet *ifp;
1983 # if defined(__OpenBSD__) || ((NetBSD >= 199511) && (NetBSD < 1991011)) || \
1984 (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000))
1985 # if (NetBSD >= 199905) || defined(__OpenBSD__)
1986 for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next)
1988 for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_link.tqe_next)
1991 for (ifp = ifnet; ifp; ifp = ifp->if_next)
1997 ip_natsync((struct ifnet *)-1);
1998 # endif /* !SOLARIS */
2000 WRITE_ENTER(&ipf_mutex);
2001 frsynclist(ipacct[0][fr_active]);
2002 frsynclist(ipacct[1][fr_active]);
2003 frsynclist(ipfilter[0][fr_active]);
2004 frsynclist(ipfilter[1][fr_active]);
2006 frsynclist(ipacct6[0][fr_active]);
2007 frsynclist(ipacct6[1][fr_active]);
2008 frsynclist(ipfilter6[0][fr_active]);
2009 frsynclist(ipfilter6[1][fr_active]);
2011 RWLOCK_EXIT(&ipf_mutex);
2016 * In the functions below, bcopy() is called because the pointer being
2017 * copied _from_ in this instance is a pointer to a char buf (which could
2018 * end up being unaligned) and on the kernel's local stack.
2020 int ircopyptr(a, b, c)
2028 if (copyin(a, (char *)&ca, sizeof(ca)))
2031 bcopy(a, &ca, sizeof(ca));
2033 err = copyin(ca, b, c);
2040 int iwcopyptr(a, b, c)
2048 if (copyin(b, (char *)&ca, sizeof(ca)))
2051 bcopy(b, &ca, sizeof(ca));
2053 err = copyout(a, ca, c);
2063 * return the first IP Address associated with an interface
2065 int fr_ifpaddr(v, ifptr, inp)
2068 struct in_addr *inp;
2074 int ircopyptr(a, b, c)
2080 bcopy(a, &ca, sizeof(ca));
2086 int iwcopyptr(a, b, c)
2092 bcopy(b, &ca, sizeof(ca));
2101 int fr_lock(data, lockp)
2107 error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
2109 error = IWCOPY((caddr_t)lockp, data, sizeof(*lockp));
2117 void fr_getstat(fiop)
2120 bcopy((char *)frstats, (char *)fiop->f_st, sizeof(filterstats_t) * 2);
2121 fiop->f_locks[0] = fr_state_lock;
2122 fiop->f_locks[1] = fr_nat_lock;
2123 fiop->f_locks[2] = fr_frag_lock;
2124 fiop->f_locks[3] = fr_auth_lock;
2125 fiop->f_fin[0] = ipfilter[0][0];
2126 fiop->f_fin[1] = ipfilter[0][1];
2127 fiop->f_fout[0] = ipfilter[1][0];
2128 fiop->f_fout[1] = ipfilter[1][1];
2129 fiop->f_acctin[0] = ipacct[0][0];
2130 fiop->f_acctin[1] = ipacct[0][1];
2131 fiop->f_acctout[0] = ipacct[1][0];
2132 fiop->f_acctout[1] = ipacct[1][1];
2134 fiop->f_fin6[0] = ipfilter6[0][0];
2135 fiop->f_fin6[1] = ipfilter6[0][1];
2136 fiop->f_fout6[0] = ipfilter6[1][0];
2137 fiop->f_fout6[1] = ipfilter6[1][1];
2138 fiop->f_acctin6[0] = ipacct6[0][0];
2139 fiop->f_acctin6[1] = ipacct6[0][1];
2140 fiop->f_acctout6[0] = ipacct6[1][0];
2141 fiop->f_acctout6[1] = ipacct6[1][1];
2143 fiop->f_fin6[0] = NULL;
2144 fiop->f_fin6[1] = NULL;
2145 fiop->f_fout6[0] = NULL;
2146 fiop->f_fout6[1] = NULL;
2147 fiop->f_acctin6[0] = NULL;
2148 fiop->f_acctin6[1] = NULL;
2149 fiop->f_acctout6[0] = NULL;
2150 fiop->f_acctout6[1] = NULL;
2152 fiop->f_active = fr_active;
2153 fiop->f_froute[0] = ipl_frouteok[0];
2154 fiop->f_froute[1] = ipl_frouteok[1];
2156 fiop->f_running = fr_running;
2157 fiop->f_groups[0][0] = ipfgroups[0][0];
2158 fiop->f_groups[0][1] = ipfgroups[0][1];
2159 fiop->f_groups[1][0] = ipfgroups[1][0];
2160 fiop->f_groups[1][1] = ipfgroups[1][1];
2161 fiop->f_groups[2][0] = ipfgroups[2][0];
2162 fiop->f_groups[2][1] = ipfgroups[2][1];
2164 fiop->f_logging = 1;
2166 fiop->f_logging = 0;
2168 fiop->f_defpass = fr_pass;
2169 strncpy(fiop->f_version, ipfilter_version, sizeof(fiop->f_version));
2174 int icmptoicmp6types[ICMP_MAXTYPE+1] = {
2175 ICMP6_ECHO_REPLY, /* 0: ICMP_ECHOREPLY */
2178 ICMP6_DST_UNREACH, /* 3: ICMP_UNREACH */
2179 -1, /* 4: ICMP_SOURCEQUENCH */
2180 ND_REDIRECT, /* 5: ICMP_REDIRECT */
2183 ICMP6_ECHO_REQUEST, /* 8: ICMP_ECHO */
2185 -1, /* 10: UNUSED */
2186 ICMP6_TIME_EXCEEDED, /* 11: ICMP_TIMXCEED */
2187 ICMP6_PARAM_PROB, /* 12: ICMP_PARAMPROB */
2188 -1, /* 13: ICMP_TSTAMP */
2189 -1, /* 14: ICMP_TSTAMPREPLY */
2190 -1, /* 15: ICMP_IREQ */
2191 -1, /* 16: ICMP_IREQREPLY */
2192 -1, /* 17: ICMP_MASKREQ */
2193 -1, /* 18: ICMP_MASKREPLY */
2197 int icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
2198 ICMP6_DST_UNREACH_ADDR, /* 0: ICMP_UNREACH_NET */
2199 ICMP6_DST_UNREACH_ADDR, /* 1: ICMP_UNREACH_HOST */
2200 -1, /* 2: ICMP_UNREACH_PROTOCOL */
2201 ICMP6_DST_UNREACH_NOPORT, /* 3: ICMP_UNREACH_PORT */
2202 -1, /* 4: ICMP_UNREACH_NEEDFRAG */
2203 ICMP6_DST_UNREACH_NOTNEIGHBOR, /* 5: ICMP_UNREACH_SRCFAIL */
2204 ICMP6_DST_UNREACH_ADDR, /* 6: ICMP_UNREACH_NET_UNKNOWN */
2205 ICMP6_DST_UNREACH_ADDR, /* 7: ICMP_UNREACH_HOST_UNKNOWN */
2206 -1, /* 8: ICMP_UNREACH_ISOLATED */
2207 ICMP6_DST_UNREACH_ADMIN, /* 9: ICMP_UNREACH_NET_PROHIB */
2208 ICMP6_DST_UNREACH_ADMIN, /* 10: ICMP_UNREACH_HOST_PROHIB */
2209 -1, /* 11: ICMP_UNREACH_TOSNET */
2210 -1, /* 12: ICMP_UNREACH_TOSHOST */
2211 ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
projects / dragonfly.git / blob