1/*
2 * PPP IP Protocol Interface
3 *
4 * Written by Toshiharu OHNO (tony-o@iij.ad.jp)
5 *
6 * Copyright (C) 1993, Internet Initiative Japan, Inc. All rights reserverd.
7 *
8 * Redistribution and use in source and binary forms are permitted
9 * provided that the above copyright notice and this paragraph are
10 * duplicated in all such forms and that any documentation,
11 * advertising materials, and other materials related to such
12 * distribution and use acknowledge that the software was developed
13 * by the Internet Initiative Japan. The name of the
14 * IIJ may not be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
18 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
19 *
| 1/*
2 * PPP IP Protocol Interface
3 *
4 * Written by Toshiharu OHNO (tony-o@iij.ad.jp)
5 *
6 * Copyright (C) 1993, Internet Initiative Japan, Inc. All rights reserverd.
7 *
8 * Redistribution and use in source and binary forms are permitted
9 * provided that the above copyright notice and this paragraph are
10 * duplicated in all such forms and that any documentation,
11 * advertising materials, and other materials related to such
12 * distribution and use acknowledge that the software was developed
13 * by the Internet Initiative Japan. The name of the
14 * IIJ may not be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
18 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
19 *
|
20 * $FreeBSD: head/usr.sbin/ppp/ip.c 50479 1999-08-28 01:35:59Z peter $
| 20 * $FreeBSD: head/usr.sbin/ppp/ip.c 50867 1999-09-04 00:00:21Z brian $
|
21 *
22 * TODO:
23 * o Return ICMP message for filterd packet
24 * and optionaly record it into log.
25 */
26#include <sys/param.h>
27#if defined(__OpenBSD__) || defined(__NetBSD__)
28#include <sys/socket.h>
29#endif
30#include <netinet/in.h>
31#include <netinet/in_systm.h>
32#include <netinet/ip.h>
33#include <netinet/ip_icmp.h>
34#include <netinet/udp.h>
35#include <netinet/tcp.h>
36#include <arpa/inet.h>
37#include <sys/un.h>
38
39#include <errno.h>
40#include <stdio.h>
41#include <string.h>
42#include <termios.h>
43#include <unistd.h>
44
45#include "layer.h"
46#include "proto.h"
47#include "mbuf.h"
48#include "log.h"
49#include "defs.h"
50#include "timer.h"
51#include "fsm.h"
52#include "lqr.h"
53#include "hdlc.h"
54#include "throughput.h"
55#include "iplist.h"
56#include "slcompress.h"
57#include "ipcp.h"
58#include "filter.h"
59#include "descriptor.h"
60#include "lcp.h"
61#include "ccp.h"
62#include "link.h"
63#include "mp.h"
64#ifndef NORADIUS
65#include "radius.h"
66#endif
67#include "bundle.h"
68#include "tun.h"
69#include "ip.h"
70
| 21 *
22 * TODO:
23 * o Return ICMP message for filterd packet
24 * and optionaly record it into log.
25 */
26#include <sys/param.h>
27#if defined(__OpenBSD__) || defined(__NetBSD__)
28#include <sys/socket.h>
29#endif
30#include <netinet/in.h>
31#include <netinet/in_systm.h>
32#include <netinet/ip.h>
33#include <netinet/ip_icmp.h>
34#include <netinet/udp.h>
35#include <netinet/tcp.h>
36#include <arpa/inet.h>
37#include <sys/un.h>
38
39#include <errno.h>
40#include <stdio.h>
41#include <string.h>
42#include <termios.h>
43#include <unistd.h>
44
45#include "layer.h"
46#include "proto.h"
47#include "mbuf.h"
48#include "log.h"
49#include "defs.h"
50#include "timer.h"
51#include "fsm.h"
52#include "lqr.h"
53#include "hdlc.h"
54#include "throughput.h"
55#include "iplist.h"
56#include "slcompress.h"
57#include "ipcp.h"
58#include "filter.h"
59#include "descriptor.h"
60#include "lcp.h"
61#include "ccp.h"
62#include "link.h"
63#include "mp.h"
64#ifndef NORADIUS
65#include "radius.h"
66#endif
67#include "bundle.h"
68#include "tun.h"
69#include "ip.h"
70
|
71static const u_short interactive_ports[32] = {
72 544, 513, 514, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
73 80, 81, 0, 0, 0, 21, 22, 23, 0, 0, 0, 0, 0, 0, 0, 543,
74};
75
76#define INTERACTIVE(p) (interactive_ports[(p) & 0x1F] == (p))
77
| |
78static const char *TcpFlags[] = { "FIN", "SYN", "RST", "PSH", "ACK", "URG" };
79
80static __inline int
81PortMatch(int op, u_short pport, u_short rport)
82{
83 switch (op) {
84 case OP_EQ:
85 return (pport == rport);
86 case OP_GT:
87 return (pport > rport);
88 case OP_LT:
89 return (pport < rport);
90 default:
91 return (0);
92 }
93}
94
95/*
96 * Check a packet against a defined filter
97 * Returns 0 to accept the packet, non-zero to drop the packet
98 *
99 * If filtering is enabled, the initial fragment of a datagram must
100 * contain the complete protocol header, and subsequent fragments
101 * must not attempt to over-write it.
102 */
103static int
104FilterCheck(const struct ip *pip, const struct filter *filter)
105{
106 int gotinfo; /* true if IP payload decoded */
107 int cproto; /* P_* protocol type if (gotinfo) */
108 int estab, syn, finrst; /* TCP state flags if (gotinfo) */
109 u_short sport, dport; /* src, dest port from packet if (gotinfo) */
110 int n; /* filter rule to process */
111 int len; /* bytes used in dbuff */
112 int didname; /* true if filter header printed */
113 int match; /* true if condition matched */
114 const struct filterent *fp = filter->rule;
115 char dbuff[100];
116
117 if (fp->f_action == A_NONE)
118 return (0); /* No rule is given. Permit this packet */
119
120 /* Deny any packet fragment that tries to over-write the header.
121 * Since we no longer have the real header available, punt on the
122 * largest normal header - 20 bytes for TCP without options, rounded
123 * up to the next possible fragment boundary. Since the smallest
124 * `legal' MTU is 576, and the smallest recommended MTU is 296, any
125 * fragmentation within this range is dubious at best */
126 len = ntohs(pip->ip_off) & IP_OFFMASK; /* fragment offset */
127 if (len > 0) { /* Not first fragment within datagram */
128 if (len < (24 >> 3)) /* don't allow fragment to over-write header */
129 return (1);
130 /* permit fragments on in and out filter */
131 return (filter->fragok);
132 }
133
134 cproto = gotinfo = estab = syn = finrst = didname = 0;
135 sport = dport = 0;
136 for (n = 0; n < MAXFILTERS; ) {
137 if (fp->f_action == A_NONE) {
138 n++;
139 fp++;
140 continue;
141 }
142
143 if (!didname) {
144 log_Printf(LogDEBUG, "%s filter:\n", filter->name);
145 didname = 1;
146 }
147
148 match = 0;
149 if (!((pip->ip_src.s_addr ^ fp->f_src.ipaddr.s_addr) &
150 fp->f_src.mask.s_addr) &&
151 !((pip->ip_dst.s_addr ^ fp->f_dst.ipaddr.s_addr) &
152 fp->f_dst.mask.s_addr)) {
153 if (fp->f_proto != P_NONE) {
154 if (!gotinfo) {
155 const char *ptop = (const char *) pip + (pip->ip_hl << 2);
156 const struct tcphdr *th;
157 const struct udphdr *uh;
158 const struct icmp *ih;
159 int datalen; /* IP datagram length */
160
161 datalen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
162 switch (pip->ip_p) {
163 case IPPROTO_ICMP:
164 cproto = P_ICMP;
165 if (datalen < 8) /* ICMP must be at least 8 octets */
166 return (1);
167 ih = (const struct icmp *) ptop;
168 sport = ih->icmp_type;
169 estab = syn = finrst = -1;
170 if (log_IsKept(LogDEBUG))
171 snprintf(dbuff, sizeof dbuff, "sport = %d", sport);
172 break;
173 case IPPROTO_IGMP:
174 cproto = P_IGMP;
175 if (datalen < 8) /* IGMP uses 8-octet messages */
176 return (1);
177 estab = syn = finrst = -1;
178 sport = ntohs(0);
179 break;
180#ifdef IPPROTO_OSPFIGP
181 case IPPROTO_OSPFIGP:
182 cproto = P_OSPF;
183 if (datalen < 8) /* IGMP uses 8-octet messages */
184 return (1);
185 estab = syn = finrst = -1;
186 sport = ntohs(0);
187 break;
188#endif
189 case IPPROTO_UDP:
190 case IPPROTO_IPIP:
191 cproto = P_UDP;
192 if (datalen < 8) /* UDP header is 8 octets */
193 return (1);
194 uh = (const struct udphdr *) ptop;
195 sport = ntohs(uh->uh_sport);
196 dport = ntohs(uh->uh_dport);
197 estab = syn = finrst = -1;
198 if (log_IsKept(LogDEBUG))
199 snprintf(dbuff, sizeof dbuff, "sport = %d, dport = %d",
200 sport, dport);
201 break;
202 case IPPROTO_TCP:
203 cproto = P_TCP;
204 th = (const struct tcphdr *) ptop;
205 /* TCP headers are variable length. The following code
206 * ensures that the TCP header length isn't de-referenced if
207 * the datagram is too short
208 */
209 if (datalen < 20 || datalen < (th->th_off << 2))
210 return (1);
211 sport = ntohs(th->th_sport);
212 dport = ntohs(th->th_dport);
213 estab = (th->th_flags & TH_ACK);
214 syn = (th->th_flags & TH_SYN);
215 finrst = (th->th_flags & (TH_FIN|TH_RST));
216 if (log_IsKept(LogDEBUG)) {
217 if (!estab)
218 snprintf(dbuff, sizeof dbuff,
219 "flags = %02x, sport = %d, dport = %d",
220 th->th_flags, sport, dport);
221 else
222 *dbuff = '\0';
223 }
224 break;
225 default:
226 return (1); /* We'll block unknown type of packet */
227 }
228
229 if (log_IsKept(LogDEBUG)) {
230 if (estab != -1) {
231 len = strlen(dbuff);
232 snprintf(dbuff + len, sizeof dbuff - len,
233 ", estab = %d, syn = %d, finrst = %d",
234 estab, syn, finrst);
235 }
236 log_Printf(LogDEBUG, " Filter: proto = %s, %s\n",
237 filter_Proto2Nam(cproto), dbuff);
238 }
239 gotinfo = 1;
240 }
241 if (log_IsKept(LogDEBUG)) {
242 if (fp->f_srcop != OP_NONE) {
243 snprintf(dbuff, sizeof dbuff, ", src %s %d",
244 filter_Op2Nam(fp->f_srcop), fp->f_srcport);
245 len = strlen(dbuff);
246 } else
247 len = 0;
248 if (fp->f_dstop != OP_NONE) {
249 snprintf(dbuff + len, sizeof dbuff - len,
250 ", dst %s %d", filter_Op2Nam(fp->f_dstop),
251 fp->f_dstport);
252 } else if (!len)
253 *dbuff = '\0';
254
255 log_Printf(LogDEBUG, " rule = %d: Address match, "
256 "check against proto %s%s, action = %s\n",
257 n, filter_Proto2Nam(fp->f_proto),
258 dbuff, filter_Action2Nam(fp->f_action));
259 }
260
261 if (cproto == fp->f_proto) {
262 if ((fp->f_srcop == OP_NONE ||
263 PortMatch(fp->f_srcop, sport, fp->f_srcport)) &&
264 (fp->f_dstop == OP_NONE ||
265 PortMatch(fp->f_dstop, dport, fp->f_dstport)) &&
266 (fp->f_estab == 0 || estab) &&
267 (fp->f_syn == 0 || syn) &&
268 (fp->f_finrst == 0 || finrst)) {
269 match = 1;
270 }
271 }
272 } else {
273 /* Address is matched and no protocol specified. Make a decision. */
274 log_Printf(LogDEBUG, " rule = %d: Address match, action = %s\n", n,
275 filter_Action2Nam(fp->f_action));
276 match = 1;
277 }
278 } else
279 log_Printf(LogDEBUG, " rule = %d: Address mismatch\n", n);
280
281 if (match != fp->f_invert) {
282 /* Take specified action */
283 if (fp->f_action < A_NONE)
284 fp = &filter->rule[n = fp->f_action];
285 else
286 return (fp->f_action != A_PERMIT);
287 } else {
288 n++;
289 fp++;
290 }
291 }
292 return (1); /* No rule is mached. Deny this packet */
293}
294
295#ifdef notdef
296static void
297IcmpError(struct ip *pip, int code)
298{
299 struct mbuf *bp;
300
301 if (pip->ip_p != IPPROTO_ICMP) {
302 bp = mbuf_Alloc(cnt, MB_IPIN);
303 memcpy(MBUF_CTOP(bp), ptr, cnt);
304 vj_SendFrame(bp);
305 ipcp_AddOutOctets(cnt);
306 }
307}
308#endif
309
310/*
311 * For debugging aid.
312 */
313int
314PacketCheck(struct bundle *bundle, char *cp, int nb, struct filter *filter)
315{
316 struct ip *pip;
317 struct tcphdr *th;
318 struct udphdr *uh;
319 struct icmp *icmph;
320 char *ptop;
321 int mask, len, n;
| 71static const char *TcpFlags[] = { "FIN", "SYN", "RST", "PSH", "ACK", "URG" };
72
73static __inline int
74PortMatch(int op, u_short pport, u_short rport)
75{
76 switch (op) {
77 case OP_EQ:
78 return (pport == rport);
79 case OP_GT:
80 return (pport > rport);
81 case OP_LT:
82 return (pport < rport);
83 default:
84 return (0);
85 }
86}
87
88/*
89 * Check a packet against a defined filter
90 * Returns 0 to accept the packet, non-zero to drop the packet
91 *
92 * If filtering is enabled, the initial fragment of a datagram must
93 * contain the complete protocol header, and subsequent fragments
94 * must not attempt to over-write it.
95 */
96static int
97FilterCheck(const struct ip *pip, const struct filter *filter)
98{
99 int gotinfo; /* true if IP payload decoded */
100 int cproto; /* P_* protocol type if (gotinfo) */
101 int estab, syn, finrst; /* TCP state flags if (gotinfo) */
102 u_short sport, dport; /* src, dest port from packet if (gotinfo) */
103 int n; /* filter rule to process */
104 int len; /* bytes used in dbuff */
105 int didname; /* true if filter header printed */
106 int match; /* true if condition matched */
107 const struct filterent *fp = filter->rule;
108 char dbuff[100];
109
110 if (fp->f_action == A_NONE)
111 return (0); /* No rule is given. Permit this packet */
112
113 /* Deny any packet fragment that tries to over-write the header.
114 * Since we no longer have the real header available, punt on the
115 * largest normal header - 20 bytes for TCP without options, rounded
116 * up to the next possible fragment boundary. Since the smallest
117 * `legal' MTU is 576, and the smallest recommended MTU is 296, any
118 * fragmentation within this range is dubious at best */
119 len = ntohs(pip->ip_off) & IP_OFFMASK; /* fragment offset */
120 if (len > 0) { /* Not first fragment within datagram */
121 if (len < (24 >> 3)) /* don't allow fragment to over-write header */
122 return (1);
123 /* permit fragments on in and out filter */
124 return (filter->fragok);
125 }
126
127 cproto = gotinfo = estab = syn = finrst = didname = 0;
128 sport = dport = 0;
129 for (n = 0; n < MAXFILTERS; ) {
130 if (fp->f_action == A_NONE) {
131 n++;
132 fp++;
133 continue;
134 }
135
136 if (!didname) {
137 log_Printf(LogDEBUG, "%s filter:\n", filter->name);
138 didname = 1;
139 }
140
141 match = 0;
142 if (!((pip->ip_src.s_addr ^ fp->f_src.ipaddr.s_addr) &
143 fp->f_src.mask.s_addr) &&
144 !((pip->ip_dst.s_addr ^ fp->f_dst.ipaddr.s_addr) &
145 fp->f_dst.mask.s_addr)) {
146 if (fp->f_proto != P_NONE) {
147 if (!gotinfo) {
148 const char *ptop = (const char *) pip + (pip->ip_hl << 2);
149 const struct tcphdr *th;
150 const struct udphdr *uh;
151 const struct icmp *ih;
152 int datalen; /* IP datagram length */
153
154 datalen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
155 switch (pip->ip_p) {
156 case IPPROTO_ICMP:
157 cproto = P_ICMP;
158 if (datalen < 8) /* ICMP must be at least 8 octets */
159 return (1);
160 ih = (const struct icmp *) ptop;
161 sport = ih->icmp_type;
162 estab = syn = finrst = -1;
163 if (log_IsKept(LogDEBUG))
164 snprintf(dbuff, sizeof dbuff, "sport = %d", sport);
165 break;
166 case IPPROTO_IGMP:
167 cproto = P_IGMP;
168 if (datalen < 8) /* IGMP uses 8-octet messages */
169 return (1);
170 estab = syn = finrst = -1;
171 sport = ntohs(0);
172 break;
173#ifdef IPPROTO_OSPFIGP
174 case IPPROTO_OSPFIGP:
175 cproto = P_OSPF;
176 if (datalen < 8) /* IGMP uses 8-octet messages */
177 return (1);
178 estab = syn = finrst = -1;
179 sport = ntohs(0);
180 break;
181#endif
182 case IPPROTO_UDP:
183 case IPPROTO_IPIP:
184 cproto = P_UDP;
185 if (datalen < 8) /* UDP header is 8 octets */
186 return (1);
187 uh = (const struct udphdr *) ptop;
188 sport = ntohs(uh->uh_sport);
189 dport = ntohs(uh->uh_dport);
190 estab = syn = finrst = -1;
191 if (log_IsKept(LogDEBUG))
192 snprintf(dbuff, sizeof dbuff, "sport = %d, dport = %d",
193 sport, dport);
194 break;
195 case IPPROTO_TCP:
196 cproto = P_TCP;
197 th = (const struct tcphdr *) ptop;
198 /* TCP headers are variable length. The following code
199 * ensures that the TCP header length isn't de-referenced if
200 * the datagram is too short
201 */
202 if (datalen < 20 || datalen < (th->th_off << 2))
203 return (1);
204 sport = ntohs(th->th_sport);
205 dport = ntohs(th->th_dport);
206 estab = (th->th_flags & TH_ACK);
207 syn = (th->th_flags & TH_SYN);
208 finrst = (th->th_flags & (TH_FIN|TH_RST));
209 if (log_IsKept(LogDEBUG)) {
210 if (!estab)
211 snprintf(dbuff, sizeof dbuff,
212 "flags = %02x, sport = %d, dport = %d",
213 th->th_flags, sport, dport);
214 else
215 *dbuff = '\0';
216 }
217 break;
218 default:
219 return (1); /* We'll block unknown type of packet */
220 }
221
222 if (log_IsKept(LogDEBUG)) {
223 if (estab != -1) {
224 len = strlen(dbuff);
225 snprintf(dbuff + len, sizeof dbuff - len,
226 ", estab = %d, syn = %d, finrst = %d",
227 estab, syn, finrst);
228 }
229 log_Printf(LogDEBUG, " Filter: proto = %s, %s\n",
230 filter_Proto2Nam(cproto), dbuff);
231 }
232 gotinfo = 1;
233 }
234 if (log_IsKept(LogDEBUG)) {
235 if (fp->f_srcop != OP_NONE) {
236 snprintf(dbuff, sizeof dbuff, ", src %s %d",
237 filter_Op2Nam(fp->f_srcop), fp->f_srcport);
238 len = strlen(dbuff);
239 } else
240 len = 0;
241 if (fp->f_dstop != OP_NONE) {
242 snprintf(dbuff + len, sizeof dbuff - len,
243 ", dst %s %d", filter_Op2Nam(fp->f_dstop),
244 fp->f_dstport);
245 } else if (!len)
246 *dbuff = '\0';
247
248 log_Printf(LogDEBUG, " rule = %d: Address match, "
249 "check against proto %s%s, action = %s\n",
250 n, filter_Proto2Nam(fp->f_proto),
251 dbuff, filter_Action2Nam(fp->f_action));
252 }
253
254 if (cproto == fp->f_proto) {
255 if ((fp->f_srcop == OP_NONE ||
256 PortMatch(fp->f_srcop, sport, fp->f_srcport)) &&
257 (fp->f_dstop == OP_NONE ||
258 PortMatch(fp->f_dstop, dport, fp->f_dstport)) &&
259 (fp->f_estab == 0 || estab) &&
260 (fp->f_syn == 0 || syn) &&
261 (fp->f_finrst == 0 || finrst)) {
262 match = 1;
263 }
264 }
265 } else {
266 /* Address is matched and no protocol specified. Make a decision. */
267 log_Printf(LogDEBUG, " rule = %d: Address match, action = %s\n", n,
268 filter_Action2Nam(fp->f_action));
269 match = 1;
270 }
271 } else
272 log_Printf(LogDEBUG, " rule = %d: Address mismatch\n", n);
273
274 if (match != fp->f_invert) {
275 /* Take specified action */
276 if (fp->f_action < A_NONE)
277 fp = &filter->rule[n = fp->f_action];
278 else
279 return (fp->f_action != A_PERMIT);
280 } else {
281 n++;
282 fp++;
283 }
284 }
285 return (1); /* No rule is mached. Deny this packet */
286}
287
288#ifdef notdef
289static void
290IcmpError(struct ip *pip, int code)
291{
292 struct mbuf *bp;
293
294 if (pip->ip_p != IPPROTO_ICMP) {
295 bp = mbuf_Alloc(cnt, MB_IPIN);
296 memcpy(MBUF_CTOP(bp), ptr, cnt);
297 vj_SendFrame(bp);
298 ipcp_AddOutOctets(cnt);
299 }
300}
301#endif
302
303/*
304 * For debugging aid.
305 */
306int
307PacketCheck(struct bundle *bundle, char *cp, int nb, struct filter *filter)
308{
309 struct ip *pip;
310 struct tcphdr *th;
311 struct udphdr *uh;
312 struct icmp *icmph;
313 char *ptop;
314 int mask, len, n;
|
322 int pri = PRI_NORMAL;
| 315 int pri = 0;
|
323 int logit, loglen;
324 char logbuf[200];
325
326 logit = log_IsKept(LogTCPIP) && filter->logok;
327 loglen = 0;
328
329 pip = (struct ip *) cp;
330
331 if (logit && loglen < sizeof logbuf) {
332 snprintf(logbuf + loglen, sizeof logbuf - loglen, "%s ", filter->name);
333 loglen += strlen(logbuf + loglen);
334 }
335 ptop = (cp + (pip->ip_hl << 2));
336
337 switch (pip->ip_p) {
338 case IPPROTO_ICMP:
339 if (logit && loglen < sizeof logbuf) {
340 icmph = (struct icmp *) ptop;
341 snprintf(logbuf + loglen, sizeof logbuf - loglen,
342 "ICMP: %s:%d ---> ", inet_ntoa(pip->ip_src), icmph->icmp_type);
343 loglen += strlen(logbuf + loglen);
344 snprintf(logbuf + loglen, sizeof logbuf - loglen,
345 "%s:%d", inet_ntoa(pip->ip_dst), icmph->icmp_type);
346 loglen += strlen(logbuf + loglen);
347 }
348 break;
349 case IPPROTO_UDP:
350 if (logit && loglen < sizeof logbuf) {
351 uh = (struct udphdr *) ptop;
352 snprintf(logbuf + loglen, sizeof logbuf - loglen,
353 "UDP: %s:%d ---> ", inet_ntoa(pip->ip_src), ntohs(uh->uh_sport));
354 loglen += strlen(logbuf + loglen);
355 snprintf(logbuf + loglen, sizeof logbuf - loglen,
356 "%s:%d", inet_ntoa(pip->ip_dst), ntohs(uh->uh_dport));
357 loglen += strlen(logbuf + loglen);
358 }
359 break;
360#ifdef IPPROTO_OSPFIGP
361 case IPPROTO_OSPFIGP:
362 if (logit && loglen < sizeof logbuf) {
363 snprintf(logbuf + loglen, sizeof logbuf - loglen,
364 "OSPF: %s ---> ", inet_ntoa(pip->ip_src));
365 loglen += strlen(logbuf + loglen);
366 snprintf(logbuf + loglen, sizeof logbuf - loglen,
367 "%s", inet_ntoa(pip->ip_dst));
368 loglen += strlen(logbuf + loglen);
369 }
370 break;
371#endif
372 case IPPROTO_IPIP:
373 if (logit && loglen < sizeof logbuf) {
374 uh = (struct udphdr *) ptop;
375 snprintf(logbuf + loglen, sizeof logbuf - loglen,
376 "IPIP: %s:%d ---> ", inet_ntoa(pip->ip_src), ntohs(uh->uh_sport));
377 loglen += strlen(logbuf + loglen);
378 snprintf(logbuf + loglen, sizeof logbuf - loglen,
379 "%s:%d", inet_ntoa(pip->ip_dst), ntohs(uh->uh_dport));
380 loglen += strlen(logbuf + loglen);
381 }
382 break;
383 case IPPROTO_IGMP:
384 if (logit && loglen < sizeof logbuf) {
385 uh = (struct udphdr *) ptop;
386 snprintf(logbuf + loglen, sizeof logbuf - loglen,
387 "IGMP: %s:%d ---> ", inet_ntoa(pip->ip_src), ntohs(uh->uh_sport));
388 loglen += strlen(logbuf + loglen);
389 snprintf(logbuf + loglen, sizeof logbuf - loglen,
390 "%s:%d", inet_ntoa(pip->ip_dst), ntohs(uh->uh_dport));
391 loglen += strlen(logbuf + loglen);
392 }
393 break;
394 case IPPROTO_TCP:
395 th = (struct tcphdr *) ptop;
396 if (pip->ip_tos == IPTOS_LOWDELAY)
| 316 int logit, loglen;
317 char logbuf[200];
318
319 logit = log_IsKept(LogTCPIP) && filter->logok;
320 loglen = 0;
321
322 pip = (struct ip *) cp;
323
324 if (logit && loglen < sizeof logbuf) {
325 snprintf(logbuf + loglen, sizeof logbuf - loglen, "%s ", filter->name);
326 loglen += strlen(logbuf + loglen);
327 }
328 ptop = (cp + (pip->ip_hl << 2));
329
330 switch (pip->ip_p) {
331 case IPPROTO_ICMP:
332 if (logit && loglen < sizeof logbuf) {
333 icmph = (struct icmp *) ptop;
334 snprintf(logbuf + loglen, sizeof logbuf - loglen,
335 "ICMP: %s:%d ---> ", inet_ntoa(pip->ip_src), icmph->icmp_type);
336 loglen += strlen(logbuf + loglen);
337 snprintf(logbuf + loglen, sizeof logbuf - loglen,
338 "%s:%d", inet_ntoa(pip->ip_dst), icmph->icmp_type);
339 loglen += strlen(logbuf + loglen);
340 }
341 break;
342 case IPPROTO_UDP:
343 if (logit && loglen < sizeof logbuf) {
344 uh = (struct udphdr *) ptop;
345 snprintf(logbuf + loglen, sizeof logbuf - loglen,
346 "UDP: %s:%d ---> ", inet_ntoa(pip->ip_src), ntohs(uh->uh_sport));
347 loglen += strlen(logbuf + loglen);
348 snprintf(logbuf + loglen, sizeof logbuf - loglen,
349 "%s:%d", inet_ntoa(pip->ip_dst), ntohs(uh->uh_dport));
350 loglen += strlen(logbuf + loglen);
351 }
352 break;
353#ifdef IPPROTO_OSPFIGP
354 case IPPROTO_OSPFIGP:
355 if (logit && loglen < sizeof logbuf) {
356 snprintf(logbuf + loglen, sizeof logbuf - loglen,
357 "OSPF: %s ---> ", inet_ntoa(pip->ip_src));
358 loglen += strlen(logbuf + loglen);
359 snprintf(logbuf + loglen, sizeof logbuf - loglen,
360 "%s", inet_ntoa(pip->ip_dst));
361 loglen += strlen(logbuf + loglen);
362 }
363 break;
364#endif
365 case IPPROTO_IPIP:
366 if (logit && loglen < sizeof logbuf) {
367 uh = (struct udphdr *) ptop;
368 snprintf(logbuf + loglen, sizeof logbuf - loglen,
369 "IPIP: %s:%d ---> ", inet_ntoa(pip->ip_src), ntohs(uh->uh_sport));
370 loglen += strlen(logbuf + loglen);
371 snprintf(logbuf + loglen, sizeof logbuf - loglen,
372 "%s:%d", inet_ntoa(pip->ip_dst), ntohs(uh->uh_dport));
373 loglen += strlen(logbuf + loglen);
374 }
375 break;
376 case IPPROTO_IGMP:
377 if (logit && loglen < sizeof logbuf) {
378 uh = (struct udphdr *) ptop;
379 snprintf(logbuf + loglen, sizeof logbuf - loglen,
380 "IGMP: %s:%d ---> ", inet_ntoa(pip->ip_src), ntohs(uh->uh_sport));
381 loglen += strlen(logbuf + loglen);
382 snprintf(logbuf + loglen, sizeof logbuf - loglen,
383 "%s:%d", inet_ntoa(pip->ip_dst), ntohs(uh->uh_dport));
384 loglen += strlen(logbuf + loglen);
385 }
386 break;
387 case IPPROTO_TCP:
388 th = (struct tcphdr *) ptop;
389 if (pip->ip_tos == IPTOS_LOWDELAY)
|
397 pri = PRI_FAST;
398 else if ((ntohs(pip->ip_off) & IP_OFFMASK) == 0) {
399 if (INTERACTIVE(ntohs(th->th_sport)) || INTERACTIVE(ntohs(th->th_dport)))
400 pri = PRI_FAST;
401 }
| 390 pri++;
391 else if ((ntohs(pip->ip_off) & IP_OFFMASK) == 0 &&
392 ipcp_IsUrgentPort(&bundle->ncp.ipcp, ntohs(th->th_sport),
393 ntohs(th->th_dport)))
394 pri++;
395
|
402 if (logit && loglen < sizeof logbuf) {
403 len = ntohs(pip->ip_len) - (pip->ip_hl << 2) - (th->th_off << 2);
404 snprintf(logbuf + loglen, sizeof logbuf - loglen,
405 "TCP: %s:%d ---> ", inet_ntoa(pip->ip_src), ntohs(th->th_sport));
406 loglen += strlen(logbuf + loglen);
407 snprintf(logbuf + loglen, sizeof logbuf - loglen,
408 "%s:%d", inet_ntoa(pip->ip_dst), ntohs(th->th_dport));
409 loglen += strlen(logbuf + loglen);
410 n = 0;
411 for (mask = TH_FIN; mask != 0x40; mask <<= 1) {
412 if (th->th_flags & mask) {
413 snprintf(logbuf + loglen, sizeof logbuf - loglen, " %s", TcpFlags[n]);
414 loglen += strlen(logbuf + loglen);
415 }
416 n++;
417 }
418 snprintf(logbuf + loglen, sizeof logbuf - loglen,
419 " seq:%lx ack:%lx (%d/%d)",
420 (u_long)ntohl(th->th_seq), (u_long)ntohl(th->th_ack), len, nb);
421 loglen += strlen(logbuf + loglen);
422 if ((th->th_flags & TH_SYN) && nb > 40) {
423 u_short *sp;
424
425 ptop += 20;
426 sp = (u_short *) ptop;
427 if (ntohs(sp[0]) == 0x0204) {
428 snprintf(logbuf + loglen, sizeof logbuf - loglen,
429 " MSS = %d", ntohs(sp[1]));
430 loglen += strlen(logbuf + loglen);
431 }
432 }
433 }
434 break;
435 }
436
437 if (FilterCheck(pip, filter)) {
438 if (logit)
439 log_Printf(LogTCPIP, "%s - BLOCKED\n", logbuf);
440#ifdef notdef
441 if (direction == 0)
442 IcmpError(pip, pri);
443#endif
444 return (-1);
445 } else {
446 /* Check Keep Alive filter */
447 if (logit) {
448 if (FilterCheck(pip, &bundle->filter.alive))
449 log_Printf(LogTCPIP, "%s - NO KEEPALIVE\n", logbuf);
450 else
451 log_Printf(LogTCPIP, "%s\n", logbuf);
452 }
453 return (pri);
454 }
455}
456
457struct mbuf *
458ip_Input(struct bundle *bundle, struct link *l, struct mbuf *bp)
459{
460 int nb, nw;
461 struct tun_data tun;
462 struct ip *pip;
463
464 if (bundle->ncp.ipcp.fsm.state != ST_OPENED) {
465 log_Printf(LogWARN, "ip_Input: IPCP not open - packet dropped\n");
466 mbuf_Free(bp);
467 return NULL;
468 }
469
470 mbuf_SetType(bp, MB_IPIN);
471 tun_fill_header(tun, AF_INET);
472 nb = mbuf_Length(bp);
473 if (nb > sizeof tun.data) {
474 log_Printf(LogWARN, "ip_Input: %s: Packet too large (got %d, max %d)\n",
475 l->name, nb, (int)(sizeof tun.data));
476 mbuf_Free(bp);
477 return NULL;
478 }
479 mbuf_Read(bp, tun.data, nb);
480
481 if (PacketCheck(bundle, tun.data, nb, &bundle->filter.in) < 0)
482 return NULL;
483
484 pip = (struct ip *)tun.data;
485 if (!FilterCheck(pip, &bundle->filter.alive))
486 bundle_StartIdleTimer(bundle);
487
488 ipcp_AddInOctets(&bundle->ncp.ipcp, nb);
489
490 nb += sizeof tun - sizeof tun.data;
491 nw = write(bundle->dev.fd, &tun, nb);
492 if (nw != nb) {
493 if (nw == -1)
494 log_Printf(LogERROR, "ip_Input: %s: wrote %d, got %s\n",
495 l->name, nb, strerror(errno));
496 else
497 log_Printf(LogERROR, "ip_Input: %s: wrote %d, got %d\n", l->name, nb, nw);
498 }
499
500 return NULL;
501}
502
503void
504ip_Enqueue(struct ipcp *ipcp, int pri, char *ptr, int count)
505{
506 struct mbuf *bp;
507
| 396 if (logit && loglen < sizeof logbuf) {
397 len = ntohs(pip->ip_len) - (pip->ip_hl << 2) - (th->th_off << 2);
398 snprintf(logbuf + loglen, sizeof logbuf - loglen,
399 "TCP: %s:%d ---> ", inet_ntoa(pip->ip_src), ntohs(th->th_sport));
400 loglen += strlen(logbuf + loglen);
401 snprintf(logbuf + loglen, sizeof logbuf - loglen,
402 "%s:%d", inet_ntoa(pip->ip_dst), ntohs(th->th_dport));
403 loglen += strlen(logbuf + loglen);
404 n = 0;
405 for (mask = TH_FIN; mask != 0x40; mask <<= 1) {
406 if (th->th_flags & mask) {
407 snprintf(logbuf + loglen, sizeof logbuf - loglen, " %s", TcpFlags[n]);
408 loglen += strlen(logbuf + loglen);
409 }
410 n++;
411 }
412 snprintf(logbuf + loglen, sizeof logbuf - loglen,
413 " seq:%lx ack:%lx (%d/%d)",
414 (u_long)ntohl(th->th_seq), (u_long)ntohl(th->th_ack), len, nb);
415 loglen += strlen(logbuf + loglen);
416 if ((th->th_flags & TH_SYN) && nb > 40) {
417 u_short *sp;
418
419 ptop += 20;
420 sp = (u_short *) ptop;
421 if (ntohs(sp[0]) == 0x0204) {
422 snprintf(logbuf + loglen, sizeof logbuf - loglen,
423 " MSS = %d", ntohs(sp[1]));
424 loglen += strlen(logbuf + loglen);
425 }
426 }
427 }
428 break;
429 }
430
431 if (FilterCheck(pip, filter)) {
432 if (logit)
433 log_Printf(LogTCPIP, "%s - BLOCKED\n", logbuf);
434#ifdef notdef
435 if (direction == 0)
436 IcmpError(pip, pri);
437#endif
438 return (-1);
439 } else {
440 /* Check Keep Alive filter */
441 if (logit) {
442 if (FilterCheck(pip, &bundle->filter.alive))
443 log_Printf(LogTCPIP, "%s - NO KEEPALIVE\n", logbuf);
444 else
445 log_Printf(LogTCPIP, "%s\n", logbuf);
446 }
447 return (pri);
448 }
449}
450
451struct mbuf *
452ip_Input(struct bundle *bundle, struct link *l, struct mbuf *bp)
453{
454 int nb, nw;
455 struct tun_data tun;
456 struct ip *pip;
457
458 if (bundle->ncp.ipcp.fsm.state != ST_OPENED) {
459 log_Printf(LogWARN, "ip_Input: IPCP not open - packet dropped\n");
460 mbuf_Free(bp);
461 return NULL;
462 }
463
464 mbuf_SetType(bp, MB_IPIN);
465 tun_fill_header(tun, AF_INET);
466 nb = mbuf_Length(bp);
467 if (nb > sizeof tun.data) {
468 log_Printf(LogWARN, "ip_Input: %s: Packet too large (got %d, max %d)\n",
469 l->name, nb, (int)(sizeof tun.data));
470 mbuf_Free(bp);
471 return NULL;
472 }
473 mbuf_Read(bp, tun.data, nb);
474
475 if (PacketCheck(bundle, tun.data, nb, &bundle->filter.in) < 0)
476 return NULL;
477
478 pip = (struct ip *)tun.data;
479 if (!FilterCheck(pip, &bundle->filter.alive))
480 bundle_StartIdleTimer(bundle);
481
482 ipcp_AddInOctets(&bundle->ncp.ipcp, nb);
483
484 nb += sizeof tun - sizeof tun.data;
485 nw = write(bundle->dev.fd, &tun, nb);
486 if (nw != nb) {
487 if (nw == -1)
488 log_Printf(LogERROR, "ip_Input: %s: wrote %d, got %s\n",
489 l->name, nb, strerror(errno));
490 else
491 log_Printf(LogERROR, "ip_Input: %s: wrote %d, got %d\n", l->name, nb, nw);
492 }
493
494 return NULL;
495}
496
497void
498ip_Enqueue(struct ipcp *ipcp, int pri, char *ptr, int count)
499{
500 struct mbuf *bp;
501
|
508 if (pri < 0 || pri > sizeof ipcp->Queue / sizeof ipcp->Queue[0])
| 502 if (pri < 0 || pri >= IPCP_QUEUES(ipcp))
|
509 log_Printf(LogERROR, "Can't store in ip queue %d\n", pri);
510 else {
511 /*
512 * We allocate an extra 6 bytes, four at the front and two at the end.
513 * This is an optimisation so that we need to do less work in
514 * mbuf_Prepend() in acf_LayerPush() and proto_LayerPush() and
515 * appending in hdlc_LayerPush().
516 */
517 bp = mbuf_Alloc(count + 6, MB_IPOUT);
518 bp->offset += 4;
519 bp->cnt -= 6;
520 memcpy(MBUF_CTOP(bp), ptr, count);
| 503 log_Printf(LogERROR, "Can't store in ip queue %d\n", pri);
504 else {
505 /*
506 * We allocate an extra 6 bytes, four at the front and two at the end.
507 * This is an optimisation so that we need to do less work in
508 * mbuf_Prepend() in acf_LayerPush() and proto_LayerPush() and
509 * appending in hdlc_LayerPush().
510 */
511 bp = mbuf_Alloc(count + 6, MB_IPOUT);
512 bp->offset += 4;
513 bp->cnt -= 6;
514 memcpy(MBUF_CTOP(bp), ptr, count);
|
521 mbuf_Enqueue(&ipcp->Queue[pri], bp);
| 515 mbuf_Enqueue(ipcp->Queue + pri, bp);
|
522 }
523}
524
525void
526ip_DeleteQueue(struct ipcp *ipcp)
527{
528 struct mqueue *queue;
529
| 516 }
517}
518
519void
520ip_DeleteQueue(struct ipcp *ipcp)
521{
522 struct mqueue *queue;
523
|
530 for (queue = ipcp->Queue; queue < ipcp->Queue + PRI_MAX; queue++)
| 524 for (queue = ipcp->Queue; queue < ipcp->Queue + IPCP_QUEUES(ipcp); queue++)
|
531 while (queue->top)
532 mbuf_Free(mbuf_Dequeue(queue));
533}
534
535int
536ip_QueueLen(struct ipcp *ipcp)
537{
538 struct mqueue *queue;
539 int result = 0;
540
| 525 while (queue->top)
526 mbuf_Free(mbuf_Dequeue(queue));
527}
528
529int
530ip_QueueLen(struct ipcp *ipcp)
531{
532 struct mqueue *queue;
533 int result = 0;
534
|
541 for (queue = ipcp->Queue; queue < ipcp->Queue + PRI_MAX; queue++)
| 535 for (queue = ipcp->Queue; queue < ipcp->Queue + IPCP_QUEUES(ipcp); queue++)
|
542 result += queue->qlen;
543
544 return result;
545}
546
547int
548ip_PushPacket(struct link *l, struct bundle *bundle)
549{
550 struct ipcp *ipcp = &bundle->ncp.ipcp;
551 struct mqueue *queue;
552 struct mbuf *bp;
553 struct ip *pip;
554 int cnt;
555
556 if (ipcp->fsm.state != ST_OPENED)
557 return 0;
558
| 536 result += queue->qlen;
537
538 return result;
539}
540
541int
542ip_PushPacket(struct link *l, struct bundle *bundle)
543{
544 struct ipcp *ipcp = &bundle->ncp.ipcp;
545 struct mqueue *queue;
546 struct mbuf *bp;
547 struct ip *pip;
548 int cnt;
549
550 if (ipcp->fsm.state != ST_OPENED)
551 return 0;
552
|
559 for (queue = &ipcp->Queue[PRI_FAST]; queue >= ipcp->Queue; queue--)
| 553 queue = ipcp->Queue + IPCP_QUEUES(ipcp) - 1;
554 do {
|
560 if (queue->top) {
561 bp = mbuf_Contiguous(mbuf_Dequeue(queue));
562 cnt = mbuf_Length(bp);
563 pip = (struct ip *)MBUF_CTOP(bp);
564 if (!FilterCheck(pip, &bundle->filter.alive))
565 bundle_StartIdleTimer(bundle);
| 555 if (queue->top) {
556 bp = mbuf_Contiguous(mbuf_Dequeue(queue));
557 cnt = mbuf_Length(bp);
558 pip = (struct ip *)MBUF_CTOP(bp);
559 if (!FilterCheck(pip, &bundle->filter.alive))
560 bundle_StartIdleTimer(bundle);
|
566 link_PushPacket(l, bp, bundle, PRI_NORMAL, PROTO_IP);
| 561 link_PushPacket(l, bp, bundle, 0, PROTO_IP);
|
567 ipcp_AddOutOctets(ipcp, cnt);
568 return 1;
569 }
| 562 ipcp_AddOutOctets(ipcp, cnt);
563 return 1;
564 }
|
| 565 } while (queue-- != ipcp->Queue);
|
570
571 return 0;
572}
| 566
567 return 0;
568}
|