1/* $FreeBSD: head/sys/contrib/ipfilter/netinet/mlfk_ipl.c 145522 2005-04-25 18:43:14Z darrenr $ */
2
3/*
4 * Copyright (C) 2000 by Darren Reed.
5 *
6 * $FreeBSD: head/sys/contrib/ipfilter/netinet/mlfk_ipl.c 145522 2005-04-25 18:43:14Z darrenr $
7 * See the IPFILTER.LICENCE file for details on licencing.
8 */
9
10
11#include <sys/param.h>
12#include <sys/systm.h>
13#include <sys/kernel.h>
14#include <sys/module.h>
15#include <sys/conf.h>
16#include <sys/socket.h>
17#include <sys/sysctl.h>
18#include <net/if.h>
19#include <netinet/in_systm.h>
20#include <netinet/in.h>
21
22
23#include <netinet/ipl.h>
24#include <netinet/ip_compat.h>
25#include <netinet/ip_fil.h>
26#include <netinet/ip_state.h>
27#include <netinet/ip_nat.h>
28#include <netinet/ip_auth.h>
29#include <netinet/ip_frag.h>
30
#if __FreeBSD_version >= 502116
/*
 * Device nodes created by ipf_modload() and torn down by ipf_modunload();
 * entry i corresponds to ipf_devfiles[i].
 */
static struct cdev *ipf_devs[IPL_LOGSIZE];
#else
static dev_t ipf_devs[IPL_LOGSIZE];
#endif

/*
 * Sysctl handler shared by every SYSCTL_IPF() entry below.  This prototype
 * gives it internal linkage; the definition at the end of the file inherits it.
 */
static int sysctl_ipf_int ( SYSCTL_HANDLER_ARGS );
static int ipf_modload(void);
static int ipf_modunload(void);
40
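SYSCTL_DECL(_net_inet);
/*
 * Every IPFilter tunable is exported as an int through the shared handler
 * sysctl_ipf_int(), which copies exactly sizeof(int) in and out of `ptr'.
 * The expansion deliberately carries no trailing ';' so that each
 * "SYSCTL_IPF(...);" use below is a single file-scope declaration rather
 * than a declaration followed by an empty one.
 */
#define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \
	SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|access, \
		   ptr, val, sysctl_ipf_int, "I", descr)
/*
 * CTLFLAG_OFF marks tunables that may only be written while IPFilter is
 * not running: sysctl_ipf_int() answers EBUSY for them once fr_running > 0.
 * NOTE(review): the bit value is chosen locally; confirm it does not
 * overlap any CTLFLAG_* bit in <sys/sysctl.h> for the kernel in use.
 */
#define CTLFLAG_OFF	0x00800000	/* IPFilter must be disabled */
#define CTLFLAG_RWO	(CTLFLAG_RW|CTLFLAG_OFF)
SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, "");
/* Timeouts and table sizes: writable only while the filter is disabled. */
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO,
	   &fr_tcpidletimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO,
	   &fr_tcphalfclosed, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO,
	   &fr_tcpclosewait, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO,
	   &fr_tcplastack, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO,
	   &fr_tcptimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
	   &fr_tcpclosed, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
	   &fr_udptimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RWO,
	   &fr_udpacktimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
	   &fr_icmptimeout, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO,
	   &fr_defnatage, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
	   &fr_ipfrttl, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
	   &fr_running, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO,
	   &fr_statesize, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statemax, CTLFLAG_RWO,
	   &fr_statemax, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_nattable_sz, CTLFLAG_RWO,
	   &ipf_nattable_sz, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_natrules_sz, CTLFLAG_RWO,
	   &ipf_natrules_sz, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_rdrrules_sz, CTLFLAG_RWO,
	   &ipf_rdrrules_sz, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_hostmap_sz, CTLFLAG_RWO,
	   &ipf_hostmap_sz, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RWO,
	   &fr_authsize, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
	   &fr_authused, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
	   &fr_defaultauthage, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, "");
SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, "");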
95
#define CDEV_MAJOR 79
/*
 * Character device switch for the /dev/ipl* nodes.  The designated-initializer
 * form is used on kernels that support it, the positional table otherwise.
 * NOTE(review): the newer table below does not set .d_write, whereas the
 * pre-501000 table wires iplwrite; confirm the omission is intentional.
 */
#if __FreeBSD_version >= 501000
static struct cdevsw ipl_cdevsw = {
# if __FreeBSD_version >= 502103
	.d_version = D_VERSION,
	.d_flags = 0,		/* D_NEEDGIANT - Should be SMP safe */
# endif
	.d_open = iplopen,
	.d_close = iplclose,
	.d_read = iplread,
	.d_ioctl = iplioctl,
	.d_name = "ipl",
# if __FreeBSD_version < 600000
	.d_maj = CDEV_MAJOR,
# endif
};
#else
static struct cdevsw ipl_cdevsw = {
	/* open */	iplopen,
	/* close */	iplclose,
	/* read */	iplread,
	/* write */	iplwrite,
	/* ioctl */	iplioctl,
	/* poll */	nopoll,
	/* mmap */	nommap,
	/* strategy */	nostrategy,
	/* name */	"ipl",
	/* maj */	CDEV_MAJOR,
	/* dump */	nodump,
	/* psize */	nopsize,
	/* flags */	0,
# if (__FreeBSD_version < 500043)
	/* bmaj */	-1,
# endif
	/* kqfilter */	NULL
};
#endif
133
/*
 * Names of the device nodes created at load time.  The array index is what
 * ipf_modload() passes to make_dev() as the minor number, so the order here
 * is part of the device interface.  The list (excluding the NULL terminator)
 * must not exceed IPL_LOGSIZE entries, the size of ipf_devs[].
 */
static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME, IPAUTH_NAME,
				IPSYNC_NAME, IPSCAN_NAME, IPLOOKUP_NAME, NULL };
136
137
/*
 * Module event dispatcher.  Only load and unload are handled; every other
 * event type is rejected with EINVAL.  Returns the status of the handler
 * that was run (0 on success).
 */
static int
ipfilter_modevent(module_t mod, int type, void *unused)
{
	if (type == MOD_LOAD)
		return ipf_modload();
	if (type == MOD_UNLOAD)
		return ipf_modunload();
	return EINVAL;
}
158
159
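/*
 * Attach the packet filter and create its device nodes.
 *
 * Returns 0 on success, or the error from iplattach().  On success one
 * device node per entry of ipf_devfiles[] exists and a banner describing the
 * default policy and logging mode has been printed.
 */
static int
ipf_modload(void)
{
	char *defpass, *c, *str;
	int i, j, error;

	error = iplattach();
	if (error)
		return error;

	for (i = 0; i < IPL_LOGSIZE; i++)
		ipf_devs[i] = NULL;

	/*
	 * Create one node per name; the array index doubles as the minor
	 * number.  Only the last path component is handed to make_dev().
	 * The node table holds IPL_LOGSIZE entries, so stop there even if
	 * ipf_devfiles[] were ever longer.
	 */
	for (i = 0; i < IPL_LOGSIZE && (str = ipf_devfiles[i]) != NULL; i++) {
		/*
		 * Point c just past the last '/' in str, or at the start of
		 * str when there is none.  Scanning forward from index 0 also
		 * catches a name that starts with '/'.
		 */
		c = str;
		for (j = 0; str[j] != '\0'; j++)
			if (str[j] == '/')
				c = str + j + 1;
		ipf_devs[i] = make_dev(&ipl_cdevsw, i, 0, 0, 0600, c);
	}

	/* Describe the default verdict for packets no rule matches. */
	if (FR_ISPASS(fr_pass))
		defpass = "pass";
	else if (FR_ISBLOCK(fr_pass))
		defpass = "block";
	else
		defpass = "no-match -> block";

	printf("%s initialized.  Default = %s all, Logging = %s%s\n",
		ipfilter_version, defpass,
#ifdef IPFILTER_LOG
		"enabled",
#else
		"disabled",
#endif
#ifdef IPFILTER_COMPILED
		" (COMPILED)"
#else
		""
#endif
		);
	return 0;
}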
207
208
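/*
 * Detach the packet filter and remove its device nodes.
 *
 * Returns EBUSY while fr_refcnt is non-zero, the error from ipldetach() if
 * detaching fails (nothing is torn down in that case), and 0 otherwise.
 * On success fr_running is left at -2 to record the unloaded state.
 */
static int
ipf_modunload(void)
{
	int error, i;

	/* Refuse to unload while something still holds a reference. */
	if (fr_refcnt)
		return EBUSY;

	/* Only detach if the filter was ever attached (fr_running >= 0). */
	if (fr_running >= 0) {
		error = ipldetach();
		if (error != 0)
			return error;
	} else
		error = 0;

	fr_running = -2;

	/* Same bound as ipf_modload(): never index past ipf_devs[]. */
	for (i = 0; i < IPL_LOGSIZE && ipf_devfiles[i] != NULL; i++) {
		if (ipf_devs[i] != NULL) {
			destroy_dev(ipf_devs[i]);
			/* Drop the handle so it can never be destroyed twice. */
			ipf_devs[i] = NULL;
		}
	}

	printf("%s unloaded\n", ipfilter_version);

	return error;
}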
235
236
/* Module descriptor: name, event handler, no private data. */
static moduledata_t ipfiltermod = {
	"ipfilter",
	ipfilter_modevent,
	0
};


/* Register after the protocol domains so the IP stack exists at load time. */
DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
#ifdef MODULE_VERSION
MODULE_VERSION(ipfilter, 1);
#endif
248
249
250#ifdef SYSCTL_IPF
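/*
 * Sysctl handler for every IPFilter integer tunable registered via
 * SYSCTL_IPF().
 *
 * arg1 points at the backing variable; when it is NULL the OID exposes the
 * constant in arg2 instead (no entry in this file currently does that).
 * Reads copy exactly sizeof(int) bytes out, writes copy exactly sizeof(int)
 * bytes in.  NOTE(review): every variable registered through SYSCTL_IPF()
 * must therefore be int-sized; verify against the declarations of the
 * fr_ and ipf_ variables in the ipfilter headers.
 *
 * Returns 0 on success, the copy error from SYSCTL_OUT/SYSCTL_IN, EPERM for
 * a write to a constant, or EBUSY for a write to a CTLFLAG_OFF tunable while
 * the filter is running.
 */
static int
sysctl_ipf_int ( SYSCTL_HANDLER_ARGS )
{
	int error;

	if (arg1)
		error = SYSCTL_OUT(req, arg1, sizeof(int));
	else
		error = SYSCTL_OUT(req, &arg2, sizeof(int));
	/* No new value supplied means this was a read-only request. */
	if (error || !req->newptr)
		return (error);

	/* Constants are never writable. */
	if (!arg1)
		return (EPERM);

	/*
	 * CTLFLAG_OFF tunables may only change while the filter is not
	 * running; refusing with EBUSY keeps them stable under a live
	 * configuration.
	 */
	if ((oidp->oid_kind & CTLFLAG_OFF) && (fr_running > 0))
		return (EBUSY);

	return (SYSCTL_IN(req, arg1, sizeof(int)));
}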
274#endif