| 1/* $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_proxy.c 145522 2005-04-25 18:43:14Z darrenr $ */ 2
|
1/*
| 3/*
|
2 * Copyright (C) 1997-2002 by Darren Reed.
| 4 * Copyright (C) 1997-2003 by Darren Reed.
|
3 * 4 * See the IPFILTER.LICENCE file for details on licencing. 5 */
| 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 */
|
6 7#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) 8# define _KERNEL
| 8#if defined(KERNEL) || defined(_KERNEL) 9# undef KERNEL 10# undef _KERNEL 11# define KERNEL 1 12# define _KERNEL 1
|
9#endif
| 13#endif
|
10 11#if defined(__sgi) && (IRIX > 602) 12# include <sys/ptimers.h> 13#endif
| |
14#include <sys/errno.h> 15#include <sys/types.h> 16#include <sys/param.h> 17#include <sys/time.h> 18#include <sys/file.h>
| 14#include <sys/errno.h> 15#include <sys/types.h> 16#include <sys/param.h> 17#include <sys/time.h> 18#include <sys/file.h>
|
19#if !defined(__FreeBSD_version) 20# include <sys/ioctl.h> 21#endif
| |
22#include <sys/fcntl.h>
| 19#include <sys/fcntl.h>
|
23#if !defined(_KERNEL) && !defined(KERNEL)
| 20#if !defined(_KERNEL) && !defined(__KERNEL__)
|
24# include <stdio.h> 25# include <string.h> 26# include <stdlib.h>
| 21# include <stdio.h> 22# include <string.h> 23# include <stdlib.h>
|
| 24# include <ctype.h> 25# define _KERNEL 26# ifdef __OpenBSD__ 27struct file; 28# endif 29# include <sys/uio.h> 30# undef _KERNEL
|
27#endif
| 31#endif
|
28#ifndef linux
| 32#if !defined(linux)
|
29# include <sys/protosw.h> 30#endif 31#include <sys/socket.h> 32#if defined(_KERNEL)
| 33# include <sys/protosw.h> 34#endif 35#include <sys/socket.h> 36#if defined(_KERNEL)
|
33# if !defined(linux) 34# include <sys/systm.h> 35# else 36# include <linux/string.h>
| 37# if !defined(__NetBSD__) && !defined(sun) && !defined(__osf__) && \ 38 !defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi) 39# include <sys/ctype.h>
|
37# endif
| 40# endif
|
38#endif 39#if !defined(__SVR4) && !defined(__svr4__) 40# ifndef linux
| 41# include <sys/systm.h> 42# if !defined(__SVR4) && !defined(__svr4__)
|
41# include <sys/mbuf.h> 42# endif
| 43# include <sys/mbuf.h> 44# endif
|
| 45#endif 46#if defined(_KERNEL) && (__FreeBSD_version >= 220000) 47# include <sys/filio.h> 48# include <sys/fcntl.h> 49# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM) 50# include "opt_ipfilter.h" 51# endif
|
43#else
| 52#else
|
| 53# include <sys/ioctl.h> 54#endif 55#if defined(__SVR4) || defined(__svr4__)
|
44# include <sys/byteorder.h> 45# ifdef _KERNEL 46# include <sys/dditypes.h> 47# endif 48# include <sys/stream.h> 49# include <sys/kmem.h> 50#endif 51#if __FreeBSD__ > 2 52# include <sys/queue.h> 53#endif 54#include <net/if.h> 55#ifdef sun 56# include <net/af.h> 57#endif 58#include <net/route.h> 59#include <netinet/in.h> 60#include <netinet/in_systm.h> 61#include <netinet/ip.h> 62#ifndef linux 63# include <netinet/ip_var.h> 64#endif 65#include <netinet/tcp.h> 66#include <netinet/udp.h> 67#include <netinet/ip_icmp.h> 68#include "netinet/ip_compat.h" 69#include <netinet/tcpip.h> 70#include "netinet/ip_fil.h" 71#include "netinet/ip_nat.h" 72#include "netinet/ip_state.h" 73#include "netinet/ip_proxy.h" 74#if (__FreeBSD_version >= 300000) 75# include <sys/malloc.h> 76#endif 77
| 56# include <sys/byteorder.h> 57# ifdef _KERNEL 58# include <sys/dditypes.h> 59# endif 60# include <sys/stream.h> 61# include <sys/kmem.h> 62#endif 63#if __FreeBSD__ > 2 64# include <sys/queue.h> 65#endif 66#include <net/if.h> 67#ifdef sun 68# include <net/af.h> 69#endif 70#include <net/route.h> 71#include <netinet/in.h> 72#include <netinet/in_systm.h> 73#include <netinet/ip.h> 74#ifndef linux 75# include <netinet/ip_var.h> 76#endif 77#include <netinet/tcp.h> 78#include <netinet/udp.h> 79#include <netinet/ip_icmp.h> 80#include "netinet/ip_compat.h" 81#include <netinet/tcpip.h> 82#include "netinet/ip_fil.h" 83#include "netinet/ip_nat.h" 84#include "netinet/ip_state.h" 85#include "netinet/ip_proxy.h" 86#if (__FreeBSD_version >= 300000) 87# include <sys/malloc.h> 88#endif 89
|
78#if !defined(lint) 79/* static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.6 2001/07/15 22:06:15 darrenr Exp $"; */ 80static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/ip_proxy.c 139255 2004-12-24 09:14:26Z darrenr $";
| 90#include "netinet/ip_ftp_pxy.c" 91#include "netinet/ip_rcmd_pxy.c" 92# include "netinet/ip_pptp_pxy.c" 93#if defined(_KERNEL) 94# include "netinet/ip_irc_pxy.c" 95# include "netinet/ip_raudio_pxy.c" 96# include "netinet/ip_h323_pxy.c" 97# ifdef IPFILTER_PRO 98# include "netinet/ip_msnrpc_pxy.c" 99# endif 100# include "netinet/ip_netbios_pxy.c"
|
81#endif
| 101#endif
|
| 102#include "netinet/ip_ipsec_pxy.c" 103#include "netinet/ip_rpcb_pxy.c"
|
82
| 104
|
83#ifdef USE_MUTEX 84extern KRWLOCK_T ipf_nat, ipf_state;
| 105/* END OF INCLUDES */ 106 107#if !defined(lint) 108static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.12 2005/03/03 14:28:24 darrenr Exp";
|
85#endif 86 87static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); 88
| 109#endif 110 111static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); 112
|
89 90#define PROXY_DEBUG 0 91
| |
92#define AP_SESS_SIZE 53 93
| 113#define AP_SESS_SIZE 53 114
|
94#include "netinet/ip_ftp_pxy.c"
| |
95#if defined(_KERNEL)
| 115#if defined(_KERNEL)
|
96#include "netinet/ip_rcmd_pxy.c" 97#include "netinet/ip_raudio_pxy.c" 98#include "netinet/ip_netbios_pxy.c" 99#include "netinet/ip_ipsec_pxy.c"
| 116int ipf_proxy_debug = 0; 117#else 118int ipf_proxy_debug = 2;
|
100#endif
| 119#endif
|
101
| |
102ap_session_t *ap_sess_tab[AP_SESS_SIZE]; 103ap_session_t *ap_sess_list = NULL; 104aproxy_t *ap_proxylist = NULL; 105aproxy_t ap_proxies[] = { 106#ifdef IPF_FTP_PROXY
| 120ap_session_t *ap_sess_tab[AP_SESS_SIZE]; 121ap_session_t *ap_sess_list = NULL; 122aproxy_t *ap_proxylist = NULL; 123aproxy_t ap_proxies[] = { 124#ifdef IPF_FTP_PROXY
|
107 { NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL,
| 125 { NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, ippr_ftp_fini,
|
108 ippr_ftp_new, NULL, ippr_ftp_in, ippr_ftp_out, NULL }, 109#endif
| 126 ippr_ftp_new, NULL, ippr_ftp_in, ippr_ftp_out, NULL }, 127#endif
|
| 128#ifdef IPF_IRC_PROXY 129 { NULL, "irc", (char)IPPROTO_TCP, 0, 0, ippr_irc_init, ippr_irc_fini, 130 ippr_irc_new, NULL, NULL, ippr_irc_out, NULL, NULL }, 131#endif
|
110#ifdef IPF_RCMD_PROXY
| 132#ifdef IPF_RCMD_PROXY
|
111 { NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, NULL, 112 ippr_rcmd_new, NULL, NULL, ippr_rcmd_out, NULL },
| 133 { NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, ippr_rcmd_fini, 134 ippr_rcmd_new, NULL, ippr_rcmd_in, ippr_rcmd_out, NULL, NULL },
|
113#endif 114#ifdef IPF_RAUDIO_PROXY
| 135#endif 136#ifdef IPF_RAUDIO_PROXY
|
115 { NULL, "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, NULL, 116 ippr_raudio_new, NULL, ippr_raudio_in, ippr_raudio_out, NULL },
| 137 { NULL, "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, ippr_raudio_fini, 138 ippr_raudio_new, NULL, ippr_raudio_in, ippr_raudio_out, NULL, NULL },
|
117#endif
| 139#endif
|
118#ifdef IPF_IPSEC_PROXY 119 { NULL, "ipsec", (char)IPPROTO_UDP, 0, 0, ippr_ipsec_init, NULL, 120 ippr_ipsec_new, ippr_ipsec_del, NULL, ippr_ipsec_out, 121 ippr_ipsec_match },
| 140#ifdef IPF_MSNRPC_PROXY 141 { NULL, "msnrpc", (char)IPPROTO_TCP, 0, 0, ippr_msnrpc_init, ippr_msnrpc_fini, 142 ippr_msnrpc_new, NULL, ippr_msnrpc_in, ippr_msnrpc_out, NULL, NULL },
|
122#endif 123#ifdef IPF_NETBIOS_PROXY
| 143#endif 144#ifdef IPF_NETBIOS_PROXY
|
124 { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL, 125 NULL, NULL, NULL, ippr_netbios_out, NULL },
| 145 { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, ippr_netbios_fini, 146 NULL, NULL, NULL, ippr_netbios_out, NULL, NULL },
|
126#endif
| 147#endif
|
| 148#ifdef IPF_IPSEC_PROXY 149 { NULL, "ipsec", (char)IPPROTO_UDP, 0, 0, 150 ippr_ipsec_init, ippr_ipsec_fini, ippr_ipsec_new, ippr_ipsec_del, 151 ippr_ipsec_inout, ippr_ipsec_inout, ippr_ipsec_match, NULL }, 152#endif 153#ifdef IPF_PPTP_PROXY 154 { NULL, "pptp", (char)IPPROTO_TCP, 0, 0, 155 ippr_pptp_init, ippr_pptp_fini, ippr_pptp_new, ippr_pptp_del, 156 ippr_pptp_inout, ippr_pptp_inout, NULL, NULL }, 157#endif
|
127#ifdef IPF_H323_PROXY
| 158#ifdef IPF_H323_PROXY
|
128 { NULL, "h323", (char)IPPROTO_TCP, 0, 0, ippr_h323_init, NULL, 129 ippr_h323_new, ippr_h323_del, ippr_h323_in, ippr_h323_out, NULL }, 130 { NULL, "h245", (char)IPPROTO_TCP, 0, 0, ippr_h245_init, NULL, 131 ippr_h245_new, NULL, NULL, ippr_h245_out, NULL }, 132#endif 133 { NULL, "", '\0', 0, 0, NULL, NULL, NULL }
| 159 { NULL, "h323", (char)IPPROTO_TCP, 0, 0, ippr_h323_init, ippr_h323_fini, 160 ippr_h323_new, ippr_h323_del, ippr_h323_in, NULL, NULL }, 161 { NULL, "h245", (char)IPPROTO_TCP, 0, 0, NULL, NULL, 162 ippr_h245_new, NULL, NULL, ippr_h245_out, NULL }, 163#endif 164#ifdef IPF_RPCB_PROXY 165# if 0 166 { NULL, "rpcbt", (char)IPPROTO_TCP, 0, 0, 167 ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del, 168 ippr_rpcb_in, ippr_rpcb_out, NULL, NULL }, 169# endif 170 { NULL, "rpcbu", (char)IPPROTO_UDP, 0, 0, 171 ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del, 172 ippr_rpcb_in, ippr_rpcb_out, NULL, NULL }, 173#endif 174 { NULL, "", '\0', 0, 0, NULL, NULL, NULL, NULL }
|
134}; 135
| 175}; 176
|
136
| |
137/* 138 * Dynamically add a new kernel proxy. Ensure that it is unique in the 139 * collection compiled in and dynamically added. 140 */ 141int appr_add(ap) 142aproxy_t *ap; 143{ 144 aproxy_t *a; 145 146 for (a = ap_proxies; a->apr_p; a++) 147 if ((a->apr_p == ap->apr_p) && 148 !strncmp(a->apr_label, ap->apr_label,
| 177/* 178 * Dynamically add a new kernel proxy. Ensure that it is unique in the 179 * collection compiled in and dynamically added. 180 */ 181int appr_add(ap) 182aproxy_t *ap; 183{ 184 aproxy_t *a; 185 186 for (a = ap_proxies; a->apr_p; a++) 187 if ((a->apr_p == ap->apr_p) && 188 !strncmp(a->apr_label, ap->apr_label,
|
149 sizeof(ap->apr_label)))
| 189 sizeof(ap->apr_label))) { 190 if (ipf_proxy_debug > 1) 191 printf("appr_add: %s/%d already present (B)\n", 192 a->apr_label, a->apr_p);
|
150 return -1;
| 193 return -1;
|
| 194 }
|
151
| 195
|
152 for (a = ap_proxylist; a && a->apr_p; a = a->apr_next)
| 196 for (a = ap_proxylist; a->apr_p; a = a->apr_next)
|
153 if ((a->apr_p == ap->apr_p) && 154 !strncmp(a->apr_label, ap->apr_label,
| 197 if ((a->apr_p == ap->apr_p) && 198 !strncmp(a->apr_label, ap->apr_label,
|
155 sizeof(ap->apr_label)))
| 199 sizeof(ap->apr_label))) { 200 if (ipf_proxy_debug > 1) 201 printf("appr_add: %s/%d already present (D)\n", 202 a->apr_label, a->apr_p);
|
156 return -1;
| 203 return -1;
|
| 204 }
|
157 ap->apr_next = ap_proxylist; 158 ap_proxylist = ap;
| 205 ap->apr_next = ap_proxylist; 206 ap_proxylist = ap;
|
159 return (*ap->apr_init)();
| 207 if (ap->apr_init != NULL) 208 return (*ap->apr_init)(); 209 return 0;
|
160} 161 162 163/*
| 210} 211 212 213/*
|
| 214 * Check to see if the proxy this control request has come through for 215 * exists, and if it does and it has a control function then invoke that 216 * control function. 217 */ 218int appr_ctl(ctl) 219ap_ctl_t *ctl; 220{ 221 aproxy_t *a; 222 int error; 223 224 a = appr_lookup(ctl->apc_p, ctl->apc_label); 225 if (a == NULL) { 226 if (ipf_proxy_debug > 1) 227 printf("appr_ctl: can't find %s/%d\n", 228 ctl->apc_label, ctl->apc_p); 229 error = ESRCH; 230 } else if (a->apr_ctl == NULL) { 231 if (ipf_proxy_debug > 1) 232 printf("appr_ctl: no ctl function for %s/%d\n", 233 ctl->apc_label, ctl->apc_p); 234 error = ENXIO; 235 } else { 236 error = (*a->apr_ctl)(a, ctl); 237 if ((error != 0) && (ipf_proxy_debug > 1)) 238 printf("appr_ctl: %s/%d ctl error %d\n", 239 a->apr_label, a->apr_p, error); 240 } 241 return error; 242} 243 244 245/*
|
164 * Delete a proxy that has been added dynamically from those available. 165 * If it is in use, return 1 (do not destroy NOW), not in use 0 or -1 166 * if it cannot be matched. 167 */ 168int appr_del(ap) 169aproxy_t *ap; 170{ 171 aproxy_t *a, **app; 172
| 246 * Delete a proxy that has been added dynamically from those available. 247 * If it is in use, return 1 (do not destroy NOW), not in use 0 or -1 248 * if it cannot be matched. 249 */ 250int appr_del(ap) 251aproxy_t *ap; 252{ 253 aproxy_t *a, **app; 254
|
173 for (app = &ap_proxylist; (a = *app); app = &a->apr_next)
| 255 for (app = &ap_proxylist; ((a = *app) != NULL); app = &a->apr_next)
|
174 if (a == ap) { 175 a->apr_flags |= APR_DELETE; 176 *app = a->apr_next;
| 256 if (a == ap) { 257 a->apr_flags |= APR_DELETE; 258 *app = a->apr_next;
|
177 if (ap->apr_ref != 0)
| 259 if (ap->apr_ref != 0) { 260 if (ipf_proxy_debug > 2) 261 printf("appr_del: orphaning %s/%d\n", 262 ap->apr_label, ap->apr_p);
|
178 return 1;
| 263 return 1;
|
| 264 }
|
179 return 0; 180 }
| 265 return 0; 266 }
|
| 267 if (ipf_proxy_debug > 1) 268 printf("appr_del: proxy %lx not found\n", (u_long)ap);
|
181 return -1; 182} 183 184 185/* 186 * Return 1 if the packet is a good match against a proxy, else 0. 187 */
| 269 return -1; 270} 271 272 273/* 274 * Return 1 if the packet is a good match against a proxy, else 0. 275 */
|
188int appr_ok(ip, tcp, nat) 189ip_t *ip;
| 276int appr_ok(fin, tcp, nat) 277fr_info_t *fin;
|
190tcphdr_t *tcp; 191ipnat_t *nat; 192{ 193 aproxy_t *apr = nat->in_apr; 194 u_short dport = nat->in_dport; 195 196 if ((apr == NULL) || (apr->apr_flags & APR_DELETE) ||
| 278tcphdr_t *tcp; 279ipnat_t *nat; 280{ 281 aproxy_t *apr = nat->in_apr; 282 u_short dport = nat->in_dport; 283 284 if ((apr == NULL) || (apr->apr_flags & APR_DELETE) ||
|
197 (ip->ip_p != apr->apr_p))
| 285 (fin->fin_p != apr->apr_p))
|
198 return 0;
| 286 return 0;
|
199 if (((tcp != NULL) && (tcp->th_dport != dport)) || (!tcp && dport))
| 287 if ((tcp == NULL) && dport)
|
200 return 0; 201 return 1; 202} 203 204
| 288 return 0; 289 return 1; 290} 291 292
|
| 293int appr_ioctl(data, cmd, mode) 294caddr_t data; 295ioctlcmd_t cmd; 296int mode; 297{ 298 ap_ctl_t ctl; 299 caddr_t ptr; 300 int error; 301 302 mode = mode; /* LINT */ 303 304 switch (cmd) 305 { 306 case SIOCPROXY : 307 BCOPYIN(data, &ctl, sizeof(ctl)); 308 ptr = NULL; 309 310 if (ctl.apc_dsize > 0) { 311 KMALLOCS(ptr, caddr_t, ctl.apc_dsize); 312 if (ptr == NULL) 313 error = ENOMEM; 314 else { 315 error = copyinptr(ctl.apc_data, ptr, 316 ctl.apc_dsize); 317 if (error == 0) 318 ctl.apc_data = ptr; 319 } 320 } else { 321 ctl.apc_data = NULL; 322 error = 0; 323 } 324 325 if (error == 0) 326 error = appr_ctl(&ctl); 327 328 if ((ctl.apc_dsize > 0) && (ptr != NULL) && 329 (ctl.apc_data == ptr)) { 330 KFREES(ptr, ctl.apc_dsize); 331 } 332 break; 333 334 default : 335 error = EINVAL; 336 } 337 return error; 338} 339 340
|
205/* 206 * If a proxy has a match function, call that to do extended packet 207 * matching. 208 */ 209int appr_match(fin, nat) 210fr_info_t *fin; 211nat_t *nat; 212{ 213 aproxy_t *apr; 214 ipnat_t *ipn;
| 341/* 342 * If a proxy has a match function, call that to do extended packet 343 * matching. 344 */ 345int appr_match(fin, nat) 346fr_info_t *fin; 347nat_t *nat; 348{ 349 aproxy_t *apr; 350 ipnat_t *ipn;
|
| 351 int result;
|
215 216 ipn = nat->nat_ptr;
| 352 353 ipn = nat->nat_ptr;
|
217 if (ipn == NULL)
| 354 if (ipf_proxy_debug > 8) 355 printf("appr_match(%lx,%lx) aps %lx ptr %lx\n", 356 (u_long)fin, (u_long)nat, (u_long)nat->nat_aps, 357 (u_long)ipn); 358 359 if ((fin->fin_flx & (FI_SHORT|FI_BAD)) != 0) { 360 if (ipf_proxy_debug > 0) 361 printf("appr_match: flx 0x%x (BAD|SHORT)\n", 362 fin->fin_flx);
|
218 return -1;
| 363 return -1;
|
| 364 } 365
|
219 apr = ipn->in_apr;
| 366 apr = ipn->in_apr;
|
220 if ((apr == NULL) || (apr->apr_flags & APR_DELETE) || 221 (nat->nat_aps == NULL))
| 367 if ((apr == NULL) || (apr->apr_flags & APR_DELETE)) { 368 if (ipf_proxy_debug > 0) 369 printf("appr_match:apr %lx apr_flags 0x%x\n", 370 (u_long)apr, apr ? apr->apr_flags : 0);
|
222 return -1;
| 371 return -1;
|
223 if (apr->apr_match != NULL) 224 if ((*apr->apr_match)(fin, nat->nat_aps, nat) != 0)
| 372 } 373 374 if (apr->apr_match != NULL) { 375 result = (*apr->apr_match)(fin, nat->nat_aps, nat); 376 if (result != 0) { 377 if (ipf_proxy_debug > 4) 378 printf("appr_match: result %d\n", result);
|
225 return -1;
| 379 return -1;
|
| 380 } 381 }
|
226 return 0; 227} 228 229 230/* 231 * Allocate a new application proxy structure and fill it in with the 232 * relevant details. call the init function once complete, prior to 233 * returning. 234 */
| 382 return 0; 383} 384 385 386/* 387 * Allocate a new application proxy structure and fill it in with the 388 * relevant details. call the init function once complete, prior to 389 * returning. 390 */
|
235int appr_new(fin, ip, nat)
| 391int appr_new(fin, nat)
|
236fr_info_t *fin;
| 392fr_info_t *fin;
|
237ip_t *ip;
| |
238nat_t *nat; 239{ 240 register ap_session_t *aps; 241 aproxy_t *apr; 242
| 393nat_t *nat; 394{ 395 register ap_session_t *aps; 396 aproxy_t *apr; 397
|
243 if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL))
| 398 if (ipf_proxy_debug > 8) 399 printf("appr_new(%lx,%lx) \n", (u_long)fin, (u_long)nat); 400 401 if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL)) { 402 if (ipf_proxy_debug > 0) 403 printf("appr_new: nat_ptr %lx nat_aps %lx\n", 404 (u_long)nat->nat_ptr, (u_long)nat->nat_aps);
|
244 return -1;
| 405 return -1;
|
| 406 }
|
245 246 apr = nat->nat_ptr->in_apr; 247
| 407 408 apr = nat->nat_ptr->in_apr; 409
|
248 if (!apr || (apr->apr_flags & APR_DELETE) || (ip->ip_p != apr->apr_p))
| 410 if ((apr->apr_flags & APR_DELETE) || 411 (fin->fin_p != apr->apr_p)) { 412 if (ipf_proxy_debug > 2) 413 printf("appr_new: apr_flags 0x%x p %d/%d\n", 414 apr->apr_flags, fin->fin_p, apr->apr_p);
|
249 return -1;
| 415 return -1;
|
| 416 }
|
250 251 KMALLOC(aps, ap_session_t *);
| 417 418 KMALLOC(aps, ap_session_t *);
|
252 if (!aps)
| 419 if (!aps) { 420 if (ipf_proxy_debug > 0) 421 printf("appr_new: malloc failed (%lu)\n", 422 (u_long)sizeof(ap_session_t));
|
253 return -1;
| 423 return -1;
|
| 424 } 425
|
254 bzero((char *)aps, sizeof(*aps));
| 426 bzero((char *)aps, sizeof(*aps));
|
255 aps->aps_p = ip->ip_p;
| 427 aps->aps_p = fin->fin_p;
|
256 aps->aps_data = NULL; 257 aps->aps_apr = apr; 258 aps->aps_psiz = 0; 259 if (apr->apr_new != NULL)
| 428 aps->aps_data = NULL; 429 aps->aps_apr = apr; 430 aps->aps_psiz = 0; 431 if (apr->apr_new != NULL)
|
260 if ((*apr->apr_new)(fin, ip, aps, nat) == -1) {
| 432 if ((*apr->apr_new)(fin, aps, nat) == -1) {
|
261 if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) { 262 KFREES(aps->aps_data, aps->aps_psiz); 263 } 264 KFREE(aps);
| 433 if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) { 434 KFREES(aps->aps_data, aps->aps_psiz); 435 } 436 KFREE(aps);
|
| 437 if (ipf_proxy_debug > 2) 438 printf("appr_new: new(%lx) failed\n", 439 (u_long)apr->apr_new);
|
265 return -1; 266 } 267 aps->aps_nat = nat; 268 aps->aps_next = ap_sess_list; 269 ap_sess_list = aps; 270 nat->nat_aps = aps; 271 272 return 0; 273} 274 275 276/*
| 440 return -1; 441 } 442 aps->aps_nat = nat; 443 aps->aps_next = ap_sess_list; 444 ap_sess_list = aps; 445 nat->nat_aps = aps; 446 447 return 0; 448} 449 450 451/*
|
277 * check to see if a packet should be passed through an active proxy routine 278 * if one has been setup for it.
| 452 * Check to see if a packet should be passed through an active proxy routine 453 * if one has been setup for it. We don't need to check the checksum here if 454 * IPFILTER_CKSUM is defined because if it is, a failed check causes FI_BAD 455 * to be set.
|
279 */
| 456 */
|
280int appr_check(ip, fin, nat) 281ip_t *ip;
| 457int appr_check(fin, nat)
|
282fr_info_t *fin; 283nat_t *nat; 284{ 285#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
| 458fr_info_t *fin; 459nat_t *nat; 460{ 461#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
|
286 mb_t *m = fin->fin_qfm;
| 462# if defined(ICK_VALID) 463 mb_t *m; 464# endif
|
287 int dosum = 1; 288#endif 289 tcphdr_t *tcp = NULL;
| 465 int dosum = 1; 466#endif 467 tcphdr_t *tcp = NULL;
|
| 468 udphdr_t *udp = NULL;
|
290 ap_session_t *aps; 291 aproxy_t *apr;
| 469 ap_session_t *aps; 470 aproxy_t *apr;
|
292 u_32_t sum;
| 471 ip_t *ip;
|
293 short rv; 294 int err;
| 472 short rv; 473 int err;
|
| 474#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) 475 u_32_t s1, s2, sd; 476#endif
|
295
| 477
|
296 aps = nat->nat_aps; 297 if ((aps != NULL) && (aps->aps_p == ip->ip_p)) { 298 if (ip->ip_p == IPPROTO_TCP) { 299 tcp = (tcphdr_t *)fin->fin_dp; 300 /* 301 * verify that the checksum is correct. If not, then 302 * don't do anything with this packet. 303 */ 304#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) 305 if (dohwcksum && (m->b_ick_flag == ICK_VALID)) { 306 sum = tcp->th_sum; 307 dosum = 0; 308 } 309 if (dosum) 310 sum = fr_tcpsum(fin->fin_qfm, ip, tcp); 311#else 312 sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
| 478 if (fin->fin_flx & FI_BAD) { 479 if (ipf_proxy_debug > 0) 480 printf("appr_check: flx 0x%x (BAD)\n", fin->fin_flx); 481 return -1; 482 } 483 484#ifndef IPFILTER_CKSUM 485 if ((fin->fin_out == 0) && (fr_checkl4sum(fin) == -1)) { 486 if (ipf_proxy_debug > 0) 487 printf("appr_check: l4 checksum failure %d\n", 488 fin->fin_p); 489 if (fin->fin_p == IPPROTO_TCP) 490 frstats[fin->fin_out].fr_tcpbad++; 491 return -1; 492 }
|
313#endif
| 493#endif
|
314 if (sum != tcp->th_sum) { 315#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) 316 printf("proxy tcp checksum failure\n"); 317#endif 318 frstats[fin->fin_out].fr_tcpbad++;
| 494 495 aps = nat->nat_aps; 496 if ((aps != NULL) && (aps->aps_p == fin->fin_p)) { 497 /* 498 * If there is data in this packet to be proxied then try and 499 * get it all into the one buffer, else drop it. 500 */ 501#if defined(MENTAT) || defined(HAVE_M_PULLDOWN) 502 if ((fin->fin_dlen > 0) && !(fin->fin_flx & FI_COALESCE)) 503 if (fr_coalesce(fin) == -1) { 504 if (ipf_proxy_debug > 0) 505 printf("appr_check: fr_coalesce failed %x\n", fin->fin_flx);
|
319 return -1; 320 }
| 506 return -1; 507 }
|
| 508#endif 509 ip = fin->fin_ip;
|
321
| 510
|
| 511 switch (fin->fin_p) 512 { 513 case IPPROTO_TCP : 514 tcp = (tcphdr_t *)fin->fin_dp; 515 516#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID) 517 m = fin->fin_qfm; 518 if (dohwcksum && (m->b_ick_flag == ICK_VALID)) 519 dosum = 0; 520#endif
|
322 /* 323 * Don't bother the proxy with these...or in fact, 324 * should we free up proxy stuff when seen? 325 */
| 521 /* 522 * Don't bother the proxy with these...or in fact, 523 * should we free up proxy stuff when seen? 524 */
|
326 if ((tcp->th_flags & TH_RST) != 0) 327 return 0;
| 525 if ((fin->fin_tcpf & TH_RST) != 0) 526 break; 527 /*FALLTHROUGH*/ 528 case IPPROTO_UDP : 529 udp = (udphdr_t *)fin->fin_dp; 530 break; 531 default : 532 break;
|
328 } 329 330 apr = aps->aps_apr; 331 err = 0; 332 if (fin->fin_out != 0) { 333 if (apr->apr_outpkt != NULL)
| 533 } 534 535 apr = aps->aps_apr; 536 err = 0; 537 if (fin->fin_out != 0) { 538 if (apr->apr_outpkt != NULL)
|
334 err = (*apr->apr_outpkt)(fin, ip, aps, nat);
| 539 err = (*apr->apr_outpkt)(fin, aps, nat);
|
335 } else { 336 if (apr->apr_inpkt != NULL)
| 540 } else { 541 if (apr->apr_inpkt != NULL)
|
337 err = (*apr->apr_inpkt)(fin, ip, aps, nat);
| 542 err = (*apr->apr_inpkt)(fin, aps, nat);
|
338 } 339 340 rv = APR_EXIT(err);
| 543 } 544 545 rv = APR_EXIT(err);
|
341 if (rv == 1) { 342#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) 343 printf("proxy says bad packet received\n"); 344#endif
| 546 if (((ipf_proxy_debug > 0) && (rv != 0)) || 547 (ipf_proxy_debug > 8)) 548 printf("appr_check: out %d err %x rv %d\n", 549 fin->fin_out, err, rv); 550 if (rv == 1)
|
345 return -1;
| 551 return -1;
|
346 }
| 552
|
347 if (rv == 2) {
| 553 if (rv == 2) {
|
348#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL)) 349 printf("proxy says free app proxy data\n"); 350#endif
| |
351 appr_free(apr); 352 nat->nat_aps = NULL; 353 return -1; 354 } 355
| 554 appr_free(apr); 555 nat->nat_aps = NULL; 556 return -1; 557 } 558
|
| 559 /* 560 * If err != 0 then the data size of the packet has changed 561 * so we need to recalculate the header checksums for the 562 * packet. 563 */ 564#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) 565 if (err != 0) { 566 short adjlen = err & 0xffff; 567 568 s1 = LONG_SUM(ip->ip_len - adjlen); 569 s2 = LONG_SUM(ip->ip_len); 570 CALC_SUMD(s1, s2, sd); 571 fix_outcksum(fin, &ip->ip_sum, sd); 572 } 573#endif 574 575 /* 576 * For TCP packets, we may need to adjust the sequence and 577 * acknowledgement numbers to reflect changes in size of the 578 * data stream. 579 * 580 * For both TCP and UDP, recalculate the layer 4 checksum, 581 * regardless, as we can't tell (here) if data has been 582 * changed or not. 583 */
|
356 if (tcp != NULL) { 357 err = appr_fixseqack(fin, ip, aps, APR_INC(err)); 358#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) 359 if (dosum)
| 584 if (tcp != NULL) { 585 err = appr_fixseqack(fin, ip, aps, APR_INC(err)); 586#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) 587 if (dosum)
|
360 tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
| 588 tcp->th_sum = fr_cksum(fin->fin_qfm, ip, 589 IPPROTO_TCP, tcp);
|
361#else
| 590#else
|
362 tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
| 591 tcp->th_sum = fr_cksum(fin->fin_m, ip, 592 IPPROTO_TCP, tcp);
|
363#endif
| 593#endif
|
| 594 } else if ((udp != NULL) && (udp->uh_sum != 0)) { 595#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) 596 if (dosum) 597 udp->uh_sum = fr_cksum(fin->fin_qfm, ip, 598 IPPROTO_UDP, udp); 599#else 600 udp->uh_sum = fr_cksum(fin->fin_m, ip, 601 IPPROTO_UDP, udp); 602#endif
|
364 }
| 603 }
|
365 aps->aps_bytes += ip->ip_len;
| 604 aps->aps_bytes += fin->fin_plen;
|
366 aps->aps_pkts++; 367 return 1; 368 } 369 return 0; 370} 371 372 373/* 374 * Search for an proxy by the protocol it is being used with and its name. 375 */ 376aproxy_t *appr_lookup(pr, name) 377u_int pr; 378char *name; 379{ 380 aproxy_t *ap; 381
| 605 aps->aps_pkts++; 606 return 1; 607 } 608 return 0; 609} 610 611 612/* 613 * Search for an proxy by the protocol it is being used with and its name. 614 */ 615aproxy_t *appr_lookup(pr, name) 616u_int pr; 617char *name; 618{ 619 aproxy_t *ap; 620
|
| 621 if (ipf_proxy_debug > 8) 622 printf("appr_lookup(%d,%s)\n", pr, name); 623
|
382 for (ap = ap_proxies; ap->apr_p; ap++) 383 if ((ap->apr_p == pr) && 384 !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) { 385 ap->apr_ref++; 386 return ap; 387 } 388 389 for (ap = ap_proxylist; ap; ap = ap->apr_next) 390 if ((ap->apr_p == pr) && 391 !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) { 392 ap->apr_ref++; 393 return ap; 394 }
| 624 for (ap = ap_proxies; ap->apr_p; ap++) 625 if ((ap->apr_p == pr) && 626 !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) { 627 ap->apr_ref++; 628 return ap; 629 } 630 631 for (ap = ap_proxylist; ap; ap = ap->apr_next) 632 if ((ap->apr_p == pr) && 633 !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) { 634 ap->apr_ref++; 635 return ap; 636 }
|
| 637 if (ipf_proxy_debug > 2) 638 printf("appr_lookup: failed for %d/%s\n", pr, name);
|
395 return NULL; 396} 397 398 399void appr_free(ap) 400aproxy_t *ap; 401{ 402 ap->apr_ref--; 403} 404 405 406void aps_free(aps) 407ap_session_t *aps; 408{ 409 ap_session_t *a, **ap; 410 aproxy_t *apr; 411 412 if (!aps) 413 return; 414
| 639 return NULL; 640} 641 642 643void appr_free(ap) 644aproxy_t *ap; 645{ 646 ap->apr_ref--; 647} 648 649 650void aps_free(aps) 651ap_session_t *aps; 652{ 653 ap_session_t *a, **ap; 654 aproxy_t *apr; 655 656 if (!aps) 657 return; 658
|
415 for (ap = &ap_sess_list; (a = *ap); ap = &a->aps_next)
| 659 for (ap = &ap_sess_list; ((a = *ap) != NULL); ap = &a->aps_next)
|
416 if (a == aps) { 417 *ap = a->aps_next; 418 break; 419 } 420 421 apr = aps->aps_apr; 422 if ((apr != NULL) && (apr->apr_del != NULL)) 423 (*apr->apr_del)(aps); 424 425 if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) 426 KFREES(aps->aps_data, aps->aps_psiz); 427 KFREE(aps); 428} 429 430 431/* 432 * returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise 433 */ 434static int appr_fixseqack(fin, ip, aps, inc) 435fr_info_t *fin; 436ip_t *ip; 437ap_session_t *aps; 438int inc; 439{ 440 int sel, ch = 0, out, nlen; 441 u_32_t seq1, seq2; 442 tcphdr_t *tcp; 443 short inc2; 444 445 tcp = (tcphdr_t *)fin->fin_dp; 446 out = fin->fin_out; 447 /* 448 * ip_len has already been adjusted by 'inc'. 449 */ 450 nlen = ip->ip_len;
| 660 if (a == aps) { 661 *ap = a->aps_next; 662 break; 663 } 664 665 apr = aps->aps_apr; 666 if ((apr != NULL) && (apr->apr_del != NULL)) 667 (*apr->apr_del)(aps); 668 669 if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) 670 KFREES(aps->aps_data, aps->aps_psiz); 671 KFREE(aps); 672} 673 674 675/* 676 * returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise 677 */ 678static int appr_fixseqack(fin, ip, aps, inc) 679fr_info_t *fin; 680ip_t *ip; 681ap_session_t *aps; 682int inc; 683{ 684 int sel, ch = 0, out, nlen; 685 u_32_t seq1, seq2; 686 tcphdr_t *tcp; 687 short inc2; 688 689 tcp = (tcphdr_t *)fin->fin_dp; 690 out = fin->fin_out; 691 /* 692 * ip_len has already been adjusted by 'inc'. 693 */ 694 nlen = ip->ip_len;
|
451 nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
| 695 nlen -= (IP_HL(ip) << 2) + (TCP_OFF(tcp) << 2);
|
452 453 inc2 = inc; 454 inc = (int)inc2; 455 456 if (out != 0) { 457 seq1 = (u_32_t)ntohl(tcp->th_seq); 458 sel = aps->aps_sel[out]; 459 460 /* switch to other set ? */ 461 if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && 462 (seq1 > aps->aps_seqmin[!sel])) {
| 696 697 inc2 = inc; 698 inc = (int)inc2; 699 700 if (out != 0) { 701 seq1 = (u_32_t)ntohl(tcp->th_seq); 702 sel = aps->aps_sel[out]; 703 704 /* switch to other set ? */ 705 if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && 706 (seq1 > aps->aps_seqmin[!sel])) {
|
463#if PROXY_DEBUG 464 printf("proxy out switch set seq %d -> %d %x > %x\n", 465 sel, !sel, seq1, aps->aps_seqmin[!sel]); 466#endif
| 707 if (ipf_proxy_debug > 7) 708 printf("proxy out switch set seq %d -> %d %x > %x\n", 709 sel, !sel, seq1, 710 aps->aps_seqmin[!sel]);
|
467 sel = aps->aps_sel[out] = !sel; 468 } 469 470 if (aps->aps_seqoff[sel]) { 471 seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel]; 472 if (seq1 > seq2) { 473 seq2 = aps->aps_seqoff[sel]; 474 seq1 += seq2; 475 tcp->th_seq = htonl(seq1); 476 ch = 1; 477 } 478 } 479 480 if (inc && (seq1 > aps->aps_seqmin[!sel])) { 481 aps->aps_seqmin[sel] = seq1 + nlen - 1; 482 aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
| 711 sel = aps->aps_sel[out] = !sel; 712 } 713 714 if (aps->aps_seqoff[sel]) { 715 seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel]; 716 if (seq1 > seq2) { 717 seq2 = aps->aps_seqoff[sel]; 718 seq1 += seq2; 719 tcp->th_seq = htonl(seq1); 720 ch = 1; 721 } 722 } 723 724 if (inc && (seq1 > aps->aps_seqmin[!sel])) { 725 aps->aps_seqmin[sel] = seq1 + nlen - 1; 726 aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
|
483#if PROXY_DEBUG 484 printf("proxy seq set %d at %x to %d + %d\n", sel, 485 aps->aps_seqmin[sel], aps->aps_seqoff[sel], 486 inc); 487#endif
| 727 if (ipf_proxy_debug > 7) 728 printf("proxy seq set %d at %x to %d + %d\n", 729 sel, aps->aps_seqmin[sel], 730 aps->aps_seqoff[sel], inc);
|
488 } 489 490 /***/ 491 492 seq1 = ntohl(tcp->th_ack); 493 sel = aps->aps_sel[1 - out]; 494 495 /* switch to other set ? */ 496 if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && 497 (seq1 > aps->aps_ackmin[!sel])) {
| 731 } 732 733 /***/ 734 735 seq1 = ntohl(tcp->th_ack); 736 sel = aps->aps_sel[1 - out]; 737 738 /* switch to other set ? */ 739 if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && 740 (seq1 > aps->aps_ackmin[!sel])) {
|
498#if PROXY_DEBUG 499 printf("proxy out switch set ack %d -> %d %x > %x\n", 500 sel, !sel, seq1, aps->aps_ackmin[!sel]); 501#endif
| 741 if (ipf_proxy_debug > 7) 742 printf("proxy out switch set ack %d -> %d %x > %x\n", 743 sel, !sel, seq1, 744 aps->aps_ackmin[!sel]);
|
502 sel = aps->aps_sel[1 - out] = !sel; 503 } 504 505 if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) { 506 seq2 = aps->aps_ackoff[sel]; 507 tcp->th_ack = htonl(seq1 - seq2); 508 ch = 1; 509 } 510 } else { 511 seq1 = ntohl(tcp->th_seq); 512 sel = aps->aps_sel[out]; 513 514 /* switch to other set ? */ 515 if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && 516 (seq1 > aps->aps_ackmin[!sel])) {
| 745 sel = aps->aps_sel[1 - out] = !sel; 746 } 747 748 if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) { 749 seq2 = aps->aps_ackoff[sel]; 750 tcp->th_ack = htonl(seq1 - seq2); 751 ch = 1; 752 } 753 } else { 754 seq1 = ntohl(tcp->th_seq); 755 sel = aps->aps_sel[out]; 756 757 /* switch to other set ? */ 758 if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && 759 (seq1 > aps->aps_ackmin[!sel])) {
|
517#if PROXY_DEBUG 518 printf("proxy in switch set ack %d -> %d %x > %x\n", 519 sel, !sel, seq1, aps->aps_ackmin[!sel]); 520#endif
| 760 if (ipf_proxy_debug > 7) 761 printf("proxy in switch set ack %d -> %d %x > %x\n", 762 sel, !sel, seq1, aps->aps_ackmin[!sel]);
|
521 sel = aps->aps_sel[out] = !sel; 522 } 523 524 if (aps->aps_ackoff[sel]) { 525 seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel]; 526 if (seq1 > seq2) { 527 seq2 = aps->aps_ackoff[sel]; 528 seq1 += seq2; 529 tcp->th_seq = htonl(seq1); 530 ch = 1; 531 } 532 } 533 534 if (inc && (seq1 > aps->aps_ackmin[!sel])) { 535 aps->aps_ackmin[!sel] = seq1 + nlen - 1; 536 aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
| 763 sel = aps->aps_sel[out] = !sel; 764 } 765 766 if (aps->aps_ackoff[sel]) { 767 seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel]; 768 if (seq1 > seq2) { 769 seq2 = aps->aps_ackoff[sel]; 770 seq1 += seq2; 771 tcp->th_seq = htonl(seq1); 772 ch = 1; 773 } 774 } 775 776 if (inc && (seq1 > aps->aps_ackmin[!sel])) { 777 aps->aps_ackmin[!sel] = seq1 + nlen - 1; 778 aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
|
537#if PROXY_DEBUG 538 printf("proxy ack set %d at %x to %d + %d\n", !sel, 539 aps->aps_seqmin[!sel], aps->aps_seqoff[sel], 540 inc); 541#endif
| 779 780 if (ipf_proxy_debug > 7) 781 printf("proxy ack set %d at %x to %d + %d\n", 782 !sel, aps->aps_seqmin[!sel], 783 aps->aps_seqoff[sel], inc);
|
542 } 543 544 /***/ 545 546 seq1 = ntohl(tcp->th_ack); 547 sel = aps->aps_sel[1 - out]; 548 549 /* switch to other set ? */ 550 if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && 551 (seq1 > aps->aps_seqmin[!sel])) {
| 784 } 785 786 /***/ 787 788 seq1 = ntohl(tcp->th_ack); 789 sel = aps->aps_sel[1 - out]; 790 791 /* switch to other set ? */ 792 if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && 793 (seq1 > aps->aps_seqmin[!sel])) {
|
552#if PROXY_DEBUG 553 printf("proxy in switch set seq %d -> %d %x > %x\n", 554 sel, !sel, seq1, aps->aps_seqmin[!sel]); 555#endif
| 794 if (ipf_proxy_debug > 7) 795 printf("proxy in switch set seq %d -> %d %x > %x\n", 796 sel, !sel, seq1, aps->aps_seqmin[!sel]);
|
556 sel = aps->aps_sel[1 - out] = !sel; 557 } 558 559 if (aps->aps_seqoff[sel] != 0) {
| 797 sel = aps->aps_sel[1 - out] = !sel; 798 } 799 800 if (aps->aps_seqoff[sel] != 0) {
|
560#if PROXY_DEBUG 561 printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel, 562 aps->aps_seqoff[sel], seq1, 563 aps->aps_seqmin[sel]); 564#endif
| 801 if (ipf_proxy_debug > 7) 802 printf("sel %d seqoff %d seq1 %x seqmin %x\n", 803 sel, aps->aps_seqoff[sel], seq1, 804 aps->aps_seqmin[sel]);
|
565 if (seq1 > aps->aps_seqmin[sel]) { 566 seq2 = aps->aps_seqoff[sel]; 567 tcp->th_ack = htonl(seq1 - seq2); 568 ch = 1; 569 } 570 } 571 }
| 805 if (seq1 > aps->aps_seqmin[sel]) { 806 seq2 = aps->aps_seqoff[sel]; 807 tcp->th_ack = htonl(seq1 - seq2); 808 ch = 1; 809 } 810 } 811 }
|
572#if PROXY_DEBUG 573 printf("appr_fixseqack: seq %x ack %x\n", ntohl(tcp->th_seq), 574 ntohl(tcp->th_ack)); 575#endif
| 812 813 if (ipf_proxy_debug > 8) 814 printf("appr_fixseqack: seq %x ack %x\n", 815 ntohl(tcp->th_seq), ntohl(tcp->th_ack));
|
576 return ch ? 2 : 0; 577} 578 579 580/* 581 * Initialise hook for kernel application proxies. 582 * Call the initialise routine for all the compiled in kernel proxies. 583 */ 584int appr_init() 585{ 586 aproxy_t *ap; 587 int err = 0; 588 589 for (ap = ap_proxies; ap->apr_p; ap++) {
| 816 return ch ? 2 : 0; 817} 818 819 820/* 821 * Initialise hook for kernel application proxies. 822 * Call the initialise routine for all the compiled in kernel proxies. 823 */ 824int appr_init() 825{ 826 aproxy_t *ap; 827 int err = 0; 828 829 for (ap = ap_proxies; ap->apr_p; ap++) {
|
590 err = (*ap->apr_init)(); 591 if (err != 0) 592 break;
| 830 if (ap->apr_init != NULL) { 831 err = (*ap->apr_init)(); 832 if (err != 0) 833 break; 834 }
|
593 } 594 return err; 595} 596 597 598/* 599 * Unload hook for kernel application proxies. 600 * Call the finialise routine for all the compiled in kernel proxies. 601 */ 602void appr_unload() 603{ 604 aproxy_t *ap; 605 606 for (ap = ap_proxies; ap->apr_p; ap++)
| 835 } 836 return err; 837} 838 839 840/* 841 * Unload hook for kernel application proxies. 842 * Call the finialise routine for all the compiled in kernel proxies. 843 */ 844void appr_unload() 845{ 846 aproxy_t *ap; 847 848 for (ap = ap_proxies; ap->apr_p; ap++)
|
607 if (ap->apr_fini)
| 849 if (ap->apr_fini != NULL)
|
608 (*ap->apr_fini)(); 609 for (ap = ap_proxylist; ap; ap = ap->apr_next)
| 850 (*ap->apr_fini)(); 851 for (ap = ap_proxylist; ap; ap = ap->apr_next)
|
610 if (ap->apr_fini)
| 852 if (ap->apr_fini != NULL)
|
611 (*ap->apr_fini)(); 612}
| 853 (*ap->apr_fini)(); 854}
|