44a45
> # include <sys/cmn_err.h>
102c103
< static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/fil.c 128019 2004-04-07 20:46:16Z imp $";
---
> static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/fil.c 130886 2004-06-21 22:46:36Z darrenr $";
148a150,152
> # ifndef __sgi
> static void *ipf_pullup __P((mb_t *, fr_info_t *, int, void *));
> # endif
197c201
< void fr_makefrip(hlen, ip, fin)
---
> int fr_makefrip(hlen, ip, fin)
203a208,214
> #if defined(_KERNEL)
> # if SOLARIS
> mb_t *m = fin->fin_qfm;
> # else
> mb_t *m = fin->fin_mp ? *fin->fin_mp : NULL;
> # endif
> #endif
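Review bot: `m` is declared here under `defined(_KERNEL)`, but the hunks that use it (291a317, 339a378 and 363a421) are guarded by `defined(KERNEL) && !defined(__sgi)`, while ipf_pullup() itself is defined under `defined(_KERNEL) && !defined(__sgi)`. Unless the file guarantees that both macros are always defined together, which this diff does not show, a build that sets only `_KERNEL` silently compiles out every new pullup call, and the packet is then parsed without the contiguity the new comment promises. Use one spelling throughout, e.g. `# if defined(_KERNEL) && !defined(__sgi)`, which is what the closing comment `/* _KERNEL && !_sgi */` in 363a421 already suggests was intended. With that guard the declaration here should also exclude `__sgi`, otherwise `m` is declared but unused there.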
209a221
> fin->fin_dp = NULL;
222a235,237
> #if (OpenBSD >= 200311) && defined(_KERNEL)
> ip->ip_off = ntohs(ip->ip_off);
> #endif
224d238
< tcp = (tcphdr_t *)((char *)ip + hlen);
237a252,254
> #if (OpenBSD >= 200311) && defined(_KERNEL)
> ip->ip_len = ntohs(ip->ip_len);
> #endif
249d265
< tcp = (tcphdr_t *)(ip6 + 1);
261c277
< return;
---
> return -1;
265c281
< fin->fin_dp = (char *)tcp;
---
> tcp = (tcphdr_t *)((char *)ip + hlen);
268a285,293
> /*
> * For both ICMPV6 & ICMP, we attempt to pullup the entire packet into
> * a single buffer for recognised error return packets. Why? Because
> * the entire data section of the ICMP payload is considered to be of
> * significance and maybe required in NAT/state processing, so rather
> * than be careful later, attempt to get it all in one buffeer first.
> * For TCP we just make sure the _entire_ TCP header is in the first
> * buffer for convienience.
> */
277c302
< if (fin->fin_dlen > 1) {
---
> if (!(fin->fin_fl & FI_SHORT) && (fin->fin_dlen > 1)) {
291a317,324
> # if defined(KERNEL) && !defined(__sgi)
> if ((m != NULL) && (M_BLEN(m) < plen)) {
> ip = ipf_pullup(m, fin, plen, ip);
> if (ip == NULL)
> return -1;
> tcp = (tcphdr_t *)((char *)ip + hlen);
> }
> # endif /* KERNEL && !__sgi */
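Review bot: ipf_pullup() is asked for `plen` bytes with no upper bound, here and again for the ICMP error types in hunk 339a378. If `plen` is the full packet length, as the comment added in 268a285 implies, the BSD branch ends in `m_pullup(m, len)`, which as far as I know fails and frees the chain once the request exceeds what a single mbuf can hold (MHLEN). A sender who pads an ICMP/ICMPv6 error beyond that size would then have it dropped through `return -1` instead of filtered, which also affects legitimate errors such as path-MTU messages. The fr_check() hunk at 920,921c1004 already caps its request with `MIN(len, MHLEN)` / `MIN(len, MLEN)`; apply the same cap to `plen` before these calls and let later code cope with a partial pullup.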
299c332
< if (!(plen >= minicmpsz))
---
> if (!(fin->fin_dlen >= minicmpsz))
304c337,338
< #endif
---
> #endif /* USE_INET6 */
>
310c344
< if (!off && (fin->fin_dlen > 1)) {
---
> if (!off && (fin->fin_dlen > 1) && !(fin->fin_fl & FI_SHORT)) {
314a349,352
> /*
> * Minimum ICMP packet is type(1) code(1) cksum(2)
> * plus 4 bytes following, totalling 8 bytes.
> */
330c368
< minicmpsz = 20;
---
> minicmpsz = ICMP_MINLEN + 12;
338c376
< minicmpsz = 12;
---
> minicmpsz = ICMP_MINLEN + 4;
339a378,395
> /*
> * type(1) + code(1) + cksum(2) + arg(4) ip(20+)
> */
> case ICMP_UNREACH :
> case ICMP_SOURCEQUENCH :
> case ICMP_REDIRECT :
> case ICMP_TIMXCEED :
> case ICMP_PARAMPROB :
> #if defined(KERNEL) && !defined(__sgi)
> if ((m != NULL) && (M_BLEN(m) < plen)) {
> ip = ipf_pullup(m, fin, plen, ip);
> if (ip == NULL)
> return -1;
> tcp = (tcphdr_t *)((char *)ip + hlen);
> }
> #endif /* KERNEL && !__sgi */
> minicmpsz = ICMPERR_MINPKTLEN - sizeof(ip_t);
> break;
340a397
> minicmpsz = ICMP_MINLEN;
348d404
<
350a407
>
363a421,434
>
> #if defined(KERNEL) && !defined(__sgi)
> if (!off && !(fi->fi_fl & FI_SHORT)) {
> int tlen = hlen + (tcp->th_off << 2);
>
> if ((m != NULL) && (M_BLEN(m) < tlen)) {
> ip = ipf_pullup(m, fin, tlen, ip);
> if (ip == NULL)
> return -1;
> tcp = (tcphdr_t *)((char *)ip + hlen);
> }
> }
> #endif /* _KERNEL && !_sgi */
>
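Review bot: `tcp->th_off` comes straight from the packet and is used unchecked to size the pullup, so a data offset below 5 makes `tlen` smaller than `hlen + sizeof(tcphdr_t)` and the `M_BLEN(m) < tlen` test can skip the pullup even when the fixed 20-byte header is split across buffers. Clamp it first, e.g. `if (tlen < hlen + (int)sizeof(tcphdr_t)) tlen = hlen + sizeof(tcphdr_t);`, so the "entire TCP header in the first buffer" guarantee holds for malformed offsets too. The hunk does not show whether this sits inside the TCP case, so confirm `tcp` really points at a TCP header here. The condition also tests `fi->fi_fl` where the other new checks use `fin->fin_fl`, and the opening guard says `KERNEL` while the closing comment says `_KERNEL && !_sgi`; both should be made consistent.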
402a474,475
> fin->fin_dp = (char *)tcp;
>
408c481
< return;
---
> return 0;
464a538
> return 0;
752c826
< fr->fr_bytes += (U_QUAD_T)ip->ip_len;
---
> fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
814a889,893
> /*
> * We don't do this section for Solaris because fr_precheck() does a
> * pullupmsg() instead, effectively achieving the same result as here
> * so no need to duplicate it.
> */
820c899
< # if !SOLARIS && !defined(NETBSD_PF) && \
---
> # if !defined(NETBSD_PF) && \
858c937
< # ifdef USE_INET6
---
> # ifdef USE_INET6
866c945
< # endif
---
> # endif
871a951,953
> fin->fin_mp = mp;
> fin->fin_out = out;
>
874c956
< # ifdef USE_INET6
---
> # ifdef USE_INET6
876c958
< # endif
---
> # endif
896c978
< # ifdef USE_INET6
---
> # ifdef USE_INET6
904c986
< # endif
---
> # endif
905a988,989
> if ((plen > 0) && (len < hlen + plen))
> fin->fin_fl |= FI_SHORT;
920,921c1004,1029
< if ((*mp = m_pullup(m, up)) == 0) {
< ATOMIC_INCL(frstats[out].fr_pull[1]);
---
> /*
> * Having determined that we need to pullup some data,
> * try to bring as much of the packet up into a single
> * buffer with the first pullup. This hopefully means
> * less need for doing futher pullups. Not needed for
> * Solaris because fr_precheck() does it anyway.
> *
> * The main potential for trouble here is if MLEN/MHLEN
> * become quite small, lets say < 64 bytes...but if
> * that did happen, BSD networking as a whole would be
> * slow/inefficient.
> */
> # ifdef MHLEN
> /*
> * Assume that M_PKTHDR is set and just work with what
> * is left rather than check.. Should not make any
> * real difference, anyway.
> */
> if ((MHLEN > up) && (len > up))
> up = MIN(len, MHLEN);
> # else
> if ((MLEN > up) && (len > up))
> up = MIN(len, MLEN);
> # endif
> ip = ipf_pullup(m, fin, up, ip);
> if (ip == NULL)
923,927c1031
< } else {
< ATOMIC_INCL(frstats[out].fr_pull[0]);
< m = *mp;
< ip = mtod(m, ip_t *);
< }
---
> m = *mp;
939a1044,1045
> fin->fin_mp = mp;
> fin->fin_out = out;
942a1049,1051
> #else
> fin->fin_mp = mp;
> fin->fin_out = out;
955d1063
< fin->fin_ifp = ifp;
957,959c1065,1067
< fin->fin_out = out;
< fin->fin_mp = mp;
< fr_makefrip(hlen, ip, fin);
---
> fin->fin_ifp = ifp;
> if (fr_makefrip(hlen, ip, fin) == -1)
> return -1;
1122a1231,1234
> if (pass & FR_PASS) {
> pass &= ~FR_PASS;
> pass |= FR_BLOCK;
> }
1308a1421,1426
> #if (OpenBSD >= 200311) && defined(_KERNEL)
> if (pass & FR_PASS) {
> ip->ip_len = htons(ip->ip_len);
> ip->ip_off = htons(ip->ip_off);
> }
> #endif
1406,1409c1524,1527
< sum = (sum & 0xffff) + (sum >> 16);
< sum = ~sum & 0xffff;
< sum2 += sum;
< sum2 = (sum2 & 0xffff) + (sum2 >> 16);
---
> sum += ~sum2 & 0xffff;
> while (sum > 0xffff)
> sum = (sum & 0xffff) + (sum >> 16);
> sum2 = ~sum & 0xffff;
1546c1664
< * $Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $
---
> * $Id: fil.c,v 2.35.2.82 2004/06/20 10:27:47 darrenr Exp $
1977a2096,2098
> frdest_t *fdp;
> int i;
>
1979,1982c2100,2110
< if (fr->fr_ifa != NULL) {
< fr->fr_ifa = GETUNIT(fr->fr_ifname, fr->fr_ip.fi_v);
< if (fr->fr_ifa == NULL)
< fr->fr_ifa = (void *)-1;
---
> for (i = 0; i < 4; i++) {
> if ((fr->fr_ifnames[i][1] == '\0') &&
> ((fr->fr_ifnames[i][0] == '-') ||
> (fr->fr_ifnames[i][0] == '*'))) {
> fr->fr_ifas[i] = NULL;
> } else if (*fr->fr_ifnames[i]) {
> fr->fr_ifas[i] = GETUNIT(fr->fr_ifnames[i],
> fr->fr_v);
> if (!fr->fr_ifas[i])
> fr->fr_ifas[i] = (void *)-1;
> }
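Review bot: An entry whose name is empty matches neither branch, so `fr_ifas[i]` keeps whatever pointer it held before; the same is true of `fd_ifp` for `fr_dif` and `fr_tif` in hunk 1983a2112 when `fd_ifname` is empty. If this code runs when interfaces are resynchronised, which the diff does not show, a pointer to a departed interface could survive, so add a final `else fr->fr_ifas[i] = NULL;` (and the equivalent for `fd_ifp`) or confirm the fields are always cleared beforehand. The loop bound `4` is a bare literal; `sizeof(fr->fr_ifas) / sizeof(fr->fr_ifas[0])` or a named constant would keep it in step with the structure. The closing brace of the `for` lies outside this hunk.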
1983a2112,2129
>
> fdp = &fr->fr_dif;
> fr->fr_flags &= ~FR_DUP;
> if (*fdp->fd_ifname) {
> fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fr->fr_v);
> if (!fdp->fd_ifp)
> fdp->fd_ifp = (struct ifnet *)-1;
> else
> fr->fr_flags |= FR_DUP;
> }
>
> fdp = &fr->fr_tif;
> if (*fdp->fd_ifname) {
> fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fr->fr_v);
> if (!fdp->fd_ifp)
> fdp->fd_ifp = (struct ifnet *)-1;
> }
>
2015a2162,2164
> # if defined(__FreeBSD_version) && (__FreeBSD_version >= 500043)
> IFNET_RUNLOCK();
> # endif
2243a2393,2453
>
>
> #if defined(_KERNEL) && !defined(__sgi)
> void *ipf_pullup(m, fin, len, ipin)
> mb_t *m;
> fr_info_t *fin;
> int len;
> void *ipin;
> {
> # if SOLARIS
> qif_t *qf = fin->fin_qif;
> # endif
> int out = fin->fin_out, dpoff, ipoff;
> char *ip;
>
> if (m == NULL)
> return NULL;
>
> ipoff = (char *)ipin - MTOD(m, char *);
> if (fin->fin_dp != NULL)
> dpoff = (char *)fin->fin_dp - (char *)ipin;
> else
> dpoff = 0;
>
> if (M_BLEN(m) < len) {
> # if SOLARIS
> qif_t *qf = fin->fin_qif;
> int inc = 0;
>
> if (ipoff > 0) {
> if ((ipoff & 3) != 0) {
> inc = 4 - (ipoff & 3);
> if (m->b_rptr - inc >= m->b_datap->db_base)
> m->b_rptr -= inc;
> else
> inc = 0;
> }
> }
> if (!pullupmsg(m, len + ipoff + inc)) {
> ATOMIC_INCL(frstats[out].fr_pull[1]);
> return NULL;
> }
> m->b_rptr += inc;
> ATOMIC_INCL(frstats[out].fr_pull[0]);
> qf->qf_data = MTOD(m, char *) + ipoff;
> # else
> m = m_pullup(m, len);
> *fin->fin_mp = m;
> if (m == NULL) {
> ATOMIC_INCL(frstats[out].fr_pull[1]);
> return NULL;
> }
> ATOMIC_INCL(frstats[out].fr_pull[0]);
> # endif /* SOLARIS */
> }
> ip = MTOD(m, char *) + ipoff;
> if (fin->fin_dp != NULL)
> fin->fin_dp = (char *)ip + dpoff;
> return ip;
> }
> #endif /* _KERNEL */
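Review bot: The non-Solaris branch ignores `ipoff`: both the test `M_BLEN(m) < len` and the call `m_pullup(m, len)` count from the start of the buffer, yet the returned pointer is `MTOD(m, char *) + ipoff`, so when `ipoff` is non-zero the caller is not guaranteed `len` contiguous bytes from `ip`. The Solaris branch already asks for `len + ipoff + inc`; the BSD side should match with `if (M_BLEN(m) < len + ipoff)` and `m = m_pullup(m, len + ipoff);`. `*fin->fin_mp = m` also dereferences `fin_mp` unconditionally, although fr_makefrip() in hunk 203a208 treats `fin_mp` as possibly NULL, so either check it here or document that callers must set it. On Solaris `qf` is declared twice, at function scope and again inside the `if`, and the outer declaration can go. A header comment stating that the mbuf chain is freed and `*fin->fin_mp` set to NULL on failure would tell callers not to touch `m` after a NULL return.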