fil.c (72006) fil.c (80482)
1/*
1/*
2 * Copyright (C) 1993-2000 by Darren Reed.
2 * Copyright (C) 1993-2001 by Darren Reed.
3 *
3 *
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
4 * See the IPFILTER.LICENCE file for details on licencing.
7 */
5 */
8#if !defined(lint)
9static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
10/* static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $"; */
11static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/fil.c 72006 2001-02-04 14:26:56Z darrenr $";
12#endif
13
14#include <sys/errno.h>
15#include <sys/types.h>
16#include <sys/param.h>
17#include <sys/time.h>
18#include <sys/file.h>
19#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
20 defined(_KERNEL)
21# include "opt_ipfilter_log.h"

--- 76 unchanged lines hidden (view full) ---

98# endif
99#ifndef MIN
100# define MIN(a,b) (((a)<(b))?(a):(b))
101#endif
102#include "netinet/ipl.h"
103
104#include <machine/in_cksum.h>
105
6#include <sys/errno.h>
7#include <sys/types.h>
8#include <sys/param.h>
9#include <sys/time.h>
10#include <sys/file.h>
11#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
12 defined(_KERNEL)
13# include "opt_ipfilter_log.h"

--- 76 unchanged lines hidden (view full) ---

90# endif
91#ifndef MIN
92# define MIN(a,b) (((a)<(b))?(a):(b))
93#endif
94#include "netinet/ipl.h"
95
96#include <machine/in_cksum.h>
97
98#if !defined(lint)
99static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
100/* static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.39 2001/07/18 13:30:32 darrenr Exp $"; */
101static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/fil.c 80482 2001-07-28 11:58:26Z darrenr $";
102#endif
103
106#ifndef _KERNEL
107# include "ipf.h"
108# include "ipt.h"
109extern int opts;
110
111# define FR_VERBOSE(verb_pr) verbose verb_pr
112# define FR_DEBUG(verb_pr) debug verb_pr
113# define IPLLOG(a, c, d, e) ipllog()
114#else /* #ifndef _KERNEL */
115# define FR_VERBOSE(verb_pr)
116# define FR_DEBUG(verb_pr)
117# define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
118# if SOLARIS || defined(__sgi)
119extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat;
120extern kmutex_t ipf_rw;
104#ifndef _KERNEL
105# include "ipf.h"
106# include "ipt.h"
107extern int opts;
108
109# define FR_VERBOSE(verb_pr) verbose verb_pr
110# define FR_DEBUG(verb_pr) debug verb_pr
111# define IPLLOG(a, c, d, e) ipllog()
112#else /* #ifndef _KERNEL */
113# define FR_VERBOSE(verb_pr)
114# define FR_DEBUG(verb_pr)
115# define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
116# if SOLARIS || defined(__sgi)
117extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat;
118extern kmutex_t ipf_rw;
121# endif
122# if SOLARIS
123# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \
124 ip, qif)
125# else /* SOLARIS */
126# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
127# endif /* SOLARIS || __sgi */
128#endif /* _KERNEL */
129
130
131struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
132struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
133#ifdef USE_INET6
134 *ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } },

--- 89 unchanged lines hidden (view full) ---

224 fin->fin_icode = ipl_unreach;
225#endif
226 v = fin->fin_v;
227 fi->fi_v = v;
228 fin->fin_hlen = hlen;
229 if (v == 4) {
230 fin->fin_id = ip->ip_id;
231 fi->fi_tos = ip->ip_tos;
119# endif /* SOLARIS || __sgi */
120#endif /* _KERNEL */
121
122
123struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
124struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
125#ifdef USE_INET6
126 *ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } },

--- 89 unchanged lines hidden (view full) ---

216 fin->fin_icode = ipl_unreach;
217#endif
218 v = fin->fin_v;
219 fi->fi_v = v;
220 fin->fin_hlen = hlen;
221 if (v == 4) {
222 fin->fin_id = ip->ip_id;
223 fi->fi_tos = ip->ip_tos;
232 off = (ip->ip_off & IP_OFFMASK) << 3;
224 off = (ip->ip_off & IP_OFFMASK);
233 tcp = (tcphdr_t *)((char *)ip + hlen);
234 (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
235 fi->fi_src.i6[1] = 0;
236 fi->fi_src.i6[2] = 0;
237 fi->fi_src.i6[3] = 0;
238 fi->fi_dst.i6[1] = 0;
239 fi->fi_dst.i6[2] = 0;
240 fi->fi_dst.i6[3] = 0;
241 fi->fi_saddr = ip->ip_src.s_addr;
242 fi->fi_daddr = ip->ip_dst.s_addr;
243 p = ip->ip_p;
244 fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
225 tcp = (tcphdr_t *)((char *)ip + hlen);
226 (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
227 fi->fi_src.i6[1] = 0;
228 fi->fi_src.i6[2] = 0;
229 fi->fi_src.i6[3] = 0;
230 fi->fi_dst.i6[1] = 0;
231 fi->fi_dst.i6[2] = 0;
232 fi->fi_dst.i6[3] = 0;
233 fi->fi_saddr = ip->ip_src.s_addr;
234 fi->fi_daddr = ip->ip_dst.s_addr;
235 p = ip->ip_p;
236 fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
245 if (ip->ip_off & 0x3fff)
237 if (ip->ip_off & (IP_MF|IP_OFFMASK))
246 fi->fi_fl |= FI_FRAG;
247 plen = ip->ip_len;
248 fin->fin_dlen = plen - hlen;
249 }
250#ifdef USE_INET6
251 else if (v == 6) {
252 ip6_t *ip6 = (ip6_t *)ip;
253

--- 4 unchanged lines hidden (view full) ---

258 tcp = (tcphdr_t *)(ip6 + 1);
259 fi->fi_src.in6 = ip6->ip6_src;
260 fi->fi_dst.in6 = ip6->ip6_dst;
261 fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
262 fi->fi_tos = 0;
263 fi->fi_fl = 0;
264 plen = ntohs(ip6->ip6_plen);
265 fin->fin_dlen = plen;
238 fi->fi_fl |= FI_FRAG;
239 plen = ip->ip_len;
240 fin->fin_dlen = plen - hlen;
241 }
242#ifdef USE_INET6
243 else if (v == 6) {
244 ip6_t *ip6 = (ip6_t *)ip;
245

--- 4 unchanged lines hidden (view full) ---

250 tcp = (tcphdr_t *)(ip6 + 1);
251 fi->fi_src.in6 = ip6->ip6_src;
252 fi->fi_dst.in6 = ip6->ip6_dst;
253 fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
254 fi->fi_tos = 0;
255 fi->fi_fl = 0;
256 plen = ntohs(ip6->ip6_plen);
257 fin->fin_dlen = plen;
258 plen += sizeof(*ip6);
266 }
267#endif
268 else
269 return;
270
271 fin->fin_off = off;
272 fin->fin_plen = plen;
273 fin->fin_dp = (void *)tcp;
259 }
260#endif
261 else
262 return;
263
264 fin->fin_off = off;
265 fin->fin_plen = plen;
266 fin->fin_dp = (void *)tcp;
267 off <<= 3;
274
275 switch (p)
276 {
277#ifdef USE_INET6
278 case IPPROTO_ICMPV6 :
279 {
280 int minicmpsz = sizeof(struct icmp6_hdr);
281 struct icmp6_hdr *icmp6;

--- 31 unchanged lines hidden (view full) ---

313 int minicmpsz = sizeof(struct icmp);
314 icmphdr_t *icmp;
315
316 if (!off && (fin->fin_dlen > 1)) {
317 fin->fin_data[0] = *(u_short *)tcp;
318
319 icmp = (icmphdr_t *)tcp;
320
268
269 switch (p)
270 {
271#ifdef USE_INET6
272 case IPPROTO_ICMPV6 :
273 {
274 int minicmpsz = sizeof(struct icmp6_hdr);
275 struct icmp6_hdr *icmp6;

--- 31 unchanged lines hidden (view full) ---

307 int minicmpsz = sizeof(struct icmp);
308 icmphdr_t *icmp;
309
310 if (!off && (fin->fin_dlen > 1)) {
311 fin->fin_data[0] = *(u_short *)tcp;
312
313 icmp = (icmphdr_t *)tcp;
314
321 if (icmp->icmp_type == ICMP_ECHOREPLY ||
322 icmp->icmp_type == ICMP_ECHO)
315 switch (icmp->icmp_type)
316 {
317 case ICMP_ECHOREPLY :
318 case ICMP_ECHO :
319 /* Router discovery messages - RFC 1256 */
320 case ICMP_ROUTERADVERT :
321 case ICMP_ROUTERSOLICIT :
323 minicmpsz = ICMP_MINLEN;
322 minicmpsz = ICMP_MINLEN;
324
323 break;
325 /*
326 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
327 * 3*timestamp(3*4)
328 */
324 /*
325 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
326 * 3*timestamp(3*4)
327 */
329 else if (icmp->icmp_type == ICMP_TSTAMP ||
330 icmp->icmp_type == ICMP_TSTAMPREPLY)
328 case ICMP_TSTAMP :
329 case ICMP_TSTAMPREPLY :
331 minicmpsz = 20;
330 minicmpsz = 20;
332
331 break;
333 /*
334 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
335 * mask(4)
336 */
332 /*
333 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
334 * mask(4)
335 */
337 else if (icmp->icmp_type == ICMP_MASKREQ ||
338 icmp->icmp_type == ICMP_MASKREPLY)
336 case ICMP_MASKREQ :
337 case ICMP_MASKREPLY :
339 minicmpsz = 12;
338 minicmpsz = 12;
339 break;
340 default :
341 break;
342 }
340 }
341
342 if ((!(plen >= hlen + minicmpsz) && !off) ||
343 (off && off < sizeof(struct icmp)))
344 fi->fi_fl |= FI_SHORT;
345
346 break;
347 }

--- 172 unchanged lines hidden (view full) ---

520
521 /*
522 * If we don't have all the TCP/UDP header, then how can we
523 * expect to do any sort of match on it ? If we were looking for
524 * TCP flags, then NO match. If not, then match (which should
525 * satisfy the "short" class too).
526 */
527 if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
343 }
344
345 if ((!(plen >= hlen + minicmpsz) && !off) ||
346 (off && off < sizeof(struct icmp)))
347 fi->fi_fl |= FI_SHORT;
348
349 break;
350 }

--- 172 unchanged lines hidden (view full) ---

523
524 /*
525 * If we don't have all the TCP/UDP header, then how can we
526 * expect to do any sort of match on it ? If we were looking for
527 * TCP flags, then NO match. If not, then match (which should
528 * satisfy the "short" class too).
529 */
530 if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
528 if (fin->fin_fi.fi_fl & FI_SHORT)
531 if (fin->fin_fl & FI_SHORT)
529 return !(ft->ftu_tcpf | ft->ftu_tcpfm);
530 /*
531 * Match the flags ? If not, abort this match.
532 */
533 if (ft->ftu_tcpfm &&
534 ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
535 FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
536 ft->ftu_tcpfm, ft->ftu_tcpf));

--- 18 unchanged lines hidden (view full) ---

555 register fr_ip_t *fi = &fin->fin_fi;
556 int rulen, portcmp = 0, off, skip = 0, logged = 0;
557 u_32_t passt;
558
559 fr = fin->fin_fr;
560 fin->fin_fr = NULL;
561 fin->fin_rule = 0;
562 fin->fin_group = 0;
532 return !(ft->ftu_tcpf | ft->ftu_tcpfm);
533 /*
534 * Match the flags ? If not, abort this match.
535 */
536 if (ft->ftu_tcpfm &&
537 ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
538 FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
539 ft->ftu_tcpfm, ft->ftu_tcpf));

--- 18 unchanged lines hidden (view full) ---

558 register fr_ip_t *fi = &fin->fin_fi;
559 int rulen, portcmp = 0, off, skip = 0, logged = 0;
560 u_32_t passt;
561
562 fr = fin->fin_fr;
563 fin->fin_fr = NULL;
564 fin->fin_rule = 0;
565 fin->fin_group = 0;
563 if (fin->fin_v == 4)
564 off = ip->ip_off & IP_OFFMASK;
565 else
566 off = 0;
566 off = fin->fin_off;
567 pass |= (fi->fi_fl << 24);
568
569 if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
570 portcmp = 1;
571
572 for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
573 if (skip) {
574 skip--;

--- 210 unchanged lines hidden (view full) ---

785 register mb_t *m = *mp;
786#endif
787
788#ifdef _KERNEL
789 int p, len, drop = 0, logit = 0;
790 mb_t *mc = NULL;
791# if !defined(__SVR4) && !defined(__svr4__)
792# ifdef __sgi
567 pass |= (fi->fi_fl << 24);
568
569 if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
570 portcmp = 1;
571
572 for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
573 if (skip) {
574 skip--;

--- 210 unchanged lines hidden (view full) ---

785 register mb_t *m = *mp;
786#endif
787
788#ifdef _KERNEL
789 int p, len, drop = 0, logit = 0;
790 mb_t *mc = NULL;
791# if !defined(__SVR4) && !defined(__svr4__)
792# ifdef __sgi
793 char hbuf[(0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8];
793 char hbuf[128];
794# endif
795 int up;
796
797# ifdef M_CANFASTFWD
798 /*
799 * XXX For now, IP Filter and fast-forwarding of cached flows
800 * XXX are mutually exclusive. Eventually, IP Filter should
801 * XXX get a "can-fast-forward" filter rule.

--- 8 unchanged lines hidden (view full) ---

810 in_delayed_cksum(m);
811 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
812 }
813# endif /* CSUM_DELAY_DATA */
814
815# ifdef USE_INET6
816 if (v == 6) {
817 len = ntohs(((ip6_t*)ip)->ip6_plen);
794# endif
795 int up;
796
797# ifdef M_CANFASTFWD
798 /*
799 * XXX For now, IP Filter and fast-forwarding of cached flows
800 * XXX are mutually exclusive. Eventually, IP Filter should
801 * XXX get a "can-fast-forward" filter rule.

--- 8 unchanged lines hidden (view full) ---

810 in_delayed_cksum(m);
811 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
812 }
813# endif /* CSUM_DELAY_DATA */
814
815# ifdef USE_INET6
816 if (v == 6) {
817 len = ntohs(((ip6_t*)ip)->ip6_plen);
818 if (!len)
819 return -1; /* potential jumbo gram */
820 len += sizeof(ip6_t);
818 p = ((ip6_t *)ip)->ip6_nxt;
819 } else
820# endif
821 {
822 p = ip->ip_p;
823 len = ip->ip_len;
824 }
825
821 p = ((ip6_t *)ip)->ip6_nxt;
822 } else
823# endif
824 {
825 p = ip->ip_p;
826 len = ip->ip_len;
827 }
828
826 if ((p == IPPROTO_TCP || p == IPPROTO_UDP || p == IPPROTO_ICMP
829 if ((p == IPPROTO_TCP || p == IPPROTO_UDP ||
830 (v == 4 && p == IPPROTO_ICMP)
827# ifdef USE_INET6
828 || (v == 6 && p == IPPROTO_ICMPV6)
829# endif
830 )) {
831 int plen = 0;
832
833 if ((v == 6) || (ip->ip_off & IP_OFFMASK) == 0)
834 switch(p)

--- 105 unchanged lines hidden (view full) ---

940# endif
941# if !SOLARIS
942 m_freem(m);
943# endif
944 return error;
945 }
946#endif
947 pass = fr_pass;
831# ifdef USE_INET6
832 || (v == 6 && p == IPPROTO_ICMPV6)
833# endif
834 )) {
835 int plen = 0;
836
837 if ((v == 6) || (ip->ip_off & IP_OFFMASK) == 0)
838 switch(p)

--- 105 unchanged lines hidden (view full) ---

944# endif
945# if !SOLARIS
946 m_freem(m);
947# endif
948 return error;
949 }
950#endif
951 pass = fr_pass;
948 if (fin->fin_fi.fi_fl & FI_SHORT) {
952 if (fin->fin_fl & FI_SHORT) {
949 ATOMIC_INCL(frstats[out].fr_short);
950 }
951
952 READ_ENTER(&ipf_mutex);
953
953 ATOMIC_INCL(frstats[out].fr_short);
954 }
955
956 READ_ENTER(&ipf_mutex);
957
954 if (fin->fin_fi.fi_fl & FI_SHORT)
955 ATOMIC_INCL(frstats[out].fr_short);
956
957 /*
958 * Check auth now. This, combined with the check below to see if apass
959 * is 0 is to ensure that we don't count the packet twice, which can
960 * otherwise occur when we reprocess it. As it is, we only count it
961 * after it has no auth. table matchup. This also stops NAT from
962 * occuring until after the packet has been auth'd.
963 */
964 apass = fr_checkauth(ip, fin);

--- 7 unchanged lines hidden (view full) ---

972 list = ipacct[0][fr_active];
973 changed = ip_natin(ip, fin);
974 if (!apass && (fin->fin_fr = list) &&
975 (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
976 ATOMIC_INCL(frstats[0].fr_acct);
977 }
978 }
979
958 /*
959 * Check auth now. This, combined with the check below to see if apass
960 * is 0 is to ensure that we don't count the packet twice, which can
961 * otherwise occur when we reprocess it. As it is, we only count it
962 * after it has no auth. table matchup. This also stops NAT from
963 * occuring until after the packet has been auth'd.
964 */
965 apass = fr_checkauth(ip, fin);

--- 7 unchanged lines hidden (view full) ---

973 list = ipacct[0][fr_active];
974 changed = ip_natin(ip, fin);
975 if (!apass && (fin->fin_fr = list) &&
976 (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
977 ATOMIC_INCL(frstats[0].fr_acct);
978 }
979 }
980
980 if (apass || (!(fr = ipfr_knownfrag(ip, fin)) &&
981 !(fr = fr_checkstate(ip, fin)))) {
981 if (!apass) {
982 if ((fin->fin_fl & FI_FRAG) == FI_FRAG)
983 fr = ipfr_knownfrag(ip, fin);
984 if (!fr && !(fin->fin_fl & FI_SHORT))
985 fr = fr_checkstate(ip, fin);
986 if (fr != NULL)
987 pass = fr->fr_flags;
988 if (fr && (pass & FR_LOGFIRST))
989 pass &= ~(FR_LOGFIRST|FR_LOG);
990 }
991
992 if (apass || !fr) {
982 /*
983 * If a packet is found in the auth table, then skip checking
984 * the access lists for permission but we do need to consider
985 * the result as if it were from the ACL's.
986 */
987 if (!apass) {
988 fc = frcache + out;
989 if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {

--- 18 unchanged lines hidden (view full) ---

1008 pass = fr_scanlist(fr_pass, ip, fin, m);
1009 if (!(pass & (FR_KEEPSTATE|FR_DONTCACHE)))
1010 bcopy((char *)fin, (char *)fc,
1011 FI_COPYSIZE);
1012 if (pass & FR_NOMATCH) {
1013 ATOMIC_INCL(frstats[out].fr_nom);
1014 }
1015 }
993 /*
994 * If a packet is found in the auth table, then skip checking
995 * the access lists for permission but we do need to consider
996 * the result as if it were from the ACL's.
997 */
998 if (!apass) {
999 fc = frcache + out;
1000 if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {

--- 18 unchanged lines hidden (view full) ---

1019 pass = fr_scanlist(fr_pass, ip, fin, m);
1020 if (!(pass & (FR_KEEPSTATE|FR_DONTCACHE)))
1021 bcopy((char *)fin, (char *)fc,
1022 FI_COPYSIZE);
1023 if (pass & FR_NOMATCH) {
1024 ATOMIC_INCL(frstats[out].fr_nom);
1025 }
1026 }
1016 fr = fin->fin_fr;
1017 } else
1018 pass = apass;
1027 } else
1028 pass = apass;
1029 fr = fin->fin_fr;
1019
1020 /*
1021 * If we fail to add a packet to the authorization queue,
1022 * then we drop the packet later. However, if it was added
1023 * then pretend we've dropped it already.
1024 */
1030
1031 /*
1032 * If we fail to add a packet to the authorization queue,
1033 * then we drop the packet later. However, if it was added
1034 * then pretend we've dropped it already.
1035 */
1025 if ((pass & FR_AUTH))
1026 if (fr_newauth((mb_t *)m, fin, ip) != 0)
1036 if ((pass & FR_AUTH)) {
1037 if (fr_newauth((mb_t *)m, fin, ip) != 0) {
1027#ifdef _KERNEL
1028 m = *mp = NULL;
1029#else
1030 ;
1031#endif
1038#ifdef _KERNEL
1039 m = *mp = NULL;
1040#else
1041 ;
1042#endif
1043 error = 0;
1044 } else
1045 error = ENOSPC;
1046 }
1032
1033 if (pass & FR_PREAUTH) {
1034 READ_ENTER(&ipf_auth);
1035 if ((fin->fin_fr = ipauth) &&
1036 (pass = fr_scanlist(0, ip, fin, m))) {
1037 ATOMIC_INCL(fr_authstats.fas_hits);
1038 } else {
1039 ATOMIC_INCL(fr_authstats.fas_miss);
1040 }
1041 RWLOCK_EXIT(&ipf_auth);
1042 }
1043
1044 fin->fin_fr = fr;
1045 if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
1047
1048 if (pass & FR_PREAUTH) {
1049 READ_ENTER(&ipf_auth);
1050 if ((fin->fin_fr = ipauth) &&
1051 (pass = fr_scanlist(0, ip, fin, m))) {
1052 ATOMIC_INCL(fr_authstats.fas_hits);
1053 } else {
1054 ATOMIC_INCL(fr_authstats.fas_miss);
1055 }
1056 RWLOCK_EXIT(&ipf_auth);
1057 }
1058
1059 fin->fin_fr = fr;
1060 if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
1046 if (fin->fin_fi.fi_fl & FI_FRAG) {
1061 if (fin->fin_fl & FI_FRAG) {
1047 if (ipfr_newfrag(ip, fin, pass) == -1) {
1048 ATOMIC_INCL(frstats[out].fr_bnfr);
1049 } else {
1050 ATOMIC_INCL(frstats[out].fr_nfr);
1051 }
1052 } else {
1053 ATOMIC_INCL(frstats[out].fr_cfr);
1054 }

--- 107 unchanged lines hidden (view full) ---

1162
1163 if ((pass & FR_RETMASK) == FR_FAKEICMP)
1164 dst = 1;
1165 else
1166 dst = 0;
1167 send_icmp_err(ip, ICMP_UNREACH, fin, dst);
1168 ATOMIC_INCL(frstats[0].fr_ret);
1169 } else if (((pass & FR_RETMASK) == FR_RETRST) &&
1062 if (ipfr_newfrag(ip, fin, pass) == -1) {
1063 ATOMIC_INCL(frstats[out].fr_bnfr);
1064 } else {
1065 ATOMIC_INCL(frstats[out].fr_nfr);
1066 }
1067 } else {
1068 ATOMIC_INCL(frstats[out].fr_cfr);
1069 }

--- 107 unchanged lines hidden (view full) ---

1177
1178 if ((pass & FR_RETMASK) == FR_FAKEICMP)
1179 dst = 1;
1180 else
1181 dst = 0;
1182 send_icmp_err(ip, ICMP_UNREACH, fin, dst);
1183 ATOMIC_INCL(frstats[0].fr_ret);
1184 } else if (((pass & FR_RETMASK) == FR_RETRST) &&
1170 !(fin->fin_fi.fi_fl & FI_SHORT)) {
1185 !(fin->fin_fl & FI_SHORT)) {
1171 if (send_reset(ip, fin) == 0) {
1172 ATOMIC_INCL(frstats[1].fr_ret);
1173 }
1174 }
1175#else
1176 if ((pass & FR_RETMASK) == FR_RETICMP) {
1177 verbose("- ICMP unreachable sent\n");
1178 ATOMIC_INCL(frstats[0].fr_ret);
1179 } else if ((pass & FR_RETMASK) == FR_FAKEICMP) {
1180 verbose("- forged ICMP unreachable sent\n");
1181 ATOMIC_INCL(frstats[0].fr_ret);
1182 } else if (((pass & FR_RETMASK) == FR_RETRST) &&
1186 if (send_reset(ip, fin) == 0) {
1187 ATOMIC_INCL(frstats[1].fr_ret);
1188 }
1189 }
1190#else
1191 if ((pass & FR_RETMASK) == FR_RETICMP) {
1192 verbose("- ICMP unreachable sent\n");
1193 ATOMIC_INCL(frstats[0].fr_ret);
1194 } else if ((pass & FR_RETMASK) == FR_FAKEICMP) {
1195 verbose("- forged ICMP unreachable sent\n");
1196 ATOMIC_INCL(frstats[0].fr_ret);
1197 } else if (((pass & FR_RETMASK) == FR_RETRST) &&
1183 !(fin->fin_fi.fi_fl & FI_SHORT)) {
1198 !(fin->fin_fl & FI_SHORT)) {
1184 verbose("- TCP RST sent\n");
1185 ATOMIC_INCL(frstats[1].fr_ret);
1186 }
1187#endif
1188 } else {
1189 if (pass & FR_RETRST)
1190 error = ECONNRESET;
1191 }

--- 12 unchanged lines hidden (view full) ---

1204 }
1205#if defined(_KERNEL)
1206# if !SOLARIS
1207# if !defined(linux)
1208 if (fr) {
1209 frdest_t *fdp = &fr->fr_tif;
1210
1211 if (((pass & FR_FASTROUTE) && !out) ||
1199 verbose("- TCP RST sent\n");
1200 ATOMIC_INCL(frstats[1].fr_ret);
1201 }
1202#endif
1203 } else {
1204 if (pass & FR_RETRST)
1205 error = ECONNRESET;
1206 }

--- 12 unchanged lines hidden (view full) ---

1219 }
1220#if defined(_KERNEL)
1221# if !SOLARIS
1222# if !defined(linux)
1223 if (fr) {
1224 frdest_t *fdp = &fr->fr_tif;
1225
1226 if (((pass & FR_FASTROUTE) && !out) ||
1212 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
1213 if (ipfr_fastroute(m, fin, fdp) == 0)
1214 m = *mp = NULL;
1215 }
1216 if (mc)
1217 ipfr_fastroute(mc, fin, &fr->fr_dif);
1227 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1))
1228 (void) ipfr_fastroute(m, mp, fin, fdp);
1229
1230 if (mc != NULL)
1231 (void) ipfr_fastroute(mc, &mc, fin, &fr->fr_dif);
1218 }
1232 }
1219 if (!(pass & FR_PASS) && m)
1233
1234 if (!(pass & FR_PASS) && m) {
1220 m_freem(m);
1235 m_freem(m);
1236 m = *mp = NULL;
1237 }
1221# ifdef __sgi
1222 else if (changed && up && m)
1223 m_copyback(m, 0, up, hbuf);
1224# endif
1225# endif /* !linux */
1226# else /* !SOLARIS */
1227 if (fr) {
1228 frdest_t *fdp = &fr->fr_tif;
1229
1230 if (((pass & FR_FASTROUTE) && !out) ||
1238# ifdef __sgi
1239 else if (changed && up && m)
1240 m_copyback(m, 0, up, hbuf);
1241# endif
1242# endif /* !linux */
1243# else /* !SOLARIS */
1244 if (fr) {
1245 frdest_t *fdp = &fr->fr_tif;
1246
1247 if (((pass & FR_FASTROUTE) && !out) ||
1231 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
1232 if (ipfr_fastroute(ip, m, mp, fin, fdp) == 0)
1233 m = *mp = NULL;
1234 }
1235 if (mc)
1236 ipfr_fastroute(ip, mc, mp, fin, &fr->fr_dif);
1248 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1))
1249 (void) ipfr_fastroute(ip, m, mp, fin, fdp);
1250
1251 if (mc != NULL)
1252 (void) ipfr_fastroute(ip, mc, &mc, fin, &fr->fr_dif);
1237 }
1238# endif /* !SOLARIS */
1239 return (pass & FR_PASS) ? 0 : error;
1240#else /* _KERNEL */
1241 if (pass & FR_NOMATCH)
1242 return 1;
1243 if (pass & FR_PASS)
1244 return 0;

--- 215 unchanged lines hidden (view full) ---

1460 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1461 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1462 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1463 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1464 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1465 * SUCH DAMAGE.
1466 *
1467 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
1253 }
1254# endif /* !SOLARIS */
1255 return (pass & FR_PASS) ? 0 : error;
1256#else /* _KERNEL */
1257 if (pass & FR_NOMATCH)
1258 return 1;
1259 if (pass & FR_PASS)
1260 return 0;

--- 215 unchanged lines hidden (view full) ---

1476 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1477 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1478 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1479 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1480 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1481 * SUCH DAMAGE.
1482 *
1483 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
1468 * $Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $
1484 * $Id: fil.c,v 2.35.2.39 2001/07/18 13:30:32 darrenr Exp $
1469 */
1470/*
1471 * Copy data from an mbuf chain starting "off" bytes from the beginning,
1472 * continuing for "len" bytes, into the indicated buffer.
1473 */
1474void
1475m_copydata(m, off, len, cp)
1476 register mb_t *m;

--- 432 unchanged lines hidden (view full) ---

1909# else
1910 for (ifp = ifnet; ifp; ifp = ifp->if_next)
1911# endif
1912 {
1913 ip_natsync(ifp);
1914 ip_statesync(ifp);
1915 }
1916 ip_natsync((struct ifnet *)-1);
1485 */
1486/*
1487 * Copy data from an mbuf chain starting "off" bytes from the beginning,
1488 * continuing for "len" bytes, into the indicated buffer.
1489 */
1490void
1491m_copydata(m, off, len, cp)
1492 register mb_t *m;

--- 432 unchanged lines hidden (view full) ---

1925# else
1926 for (ifp = ifnet; ifp; ifp = ifp->if_next)
1927# endif
1928 {
1929 ip_natsync(ifp);
1930 ip_statesync(ifp);
1931 }
1932 ip_natsync((struct ifnet *)-1);
1917# endif
1933# endif /* !SOLARIS */
1918
1919 WRITE_ENTER(&ipf_mutex);
1920 frsynclist(ipacct[0][fr_active]);
1921 frsynclist(ipacct[1][fr_active]);
1922 frsynclist(ipfilter[0][fr_active]);
1923 frsynclist(ipfilter[1][fr_active]);
1924#ifdef USE_INET6
1925 frsynclist(ipacct6[0][fr_active]);

--- 207 unchanged lines hidden ---
1934
1935 WRITE_ENTER(&ipf_mutex);
1936 frsynclist(ipacct[0][fr_active]);
1937 frsynclist(ipacct[1][fr_active]);
1938 frsynclist(ipfilter[0][fr_active]);
1939 frsynclist(ipfilter[1][fr_active]);
1940#ifdef USE_INET6
1941 frsynclist(ipacct6[0][fr_active]);

--- 207 unchanged lines hidden ---
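Review bot: In the non-Solaris `_KERNEL` branch, the local `m` is never refreshed after `(void) ipfr_fastroute(m, mp, fin, fdp);`, yet the next statement, `if (!(pass & FR_PASS) && m)`, still calls `m_freem(m)` on it. The old code set `m = *mp = NULL` when the call returned 0, so the free was skipped once the mbuf had been handed off. If the new `ipfr_fastroute` consumes the mbuf and signals that only through `*mp` (its body is not on this page, so this is inferred), a blocked packet with a route-to destination would be freed twice in kernel context. Adding `m = *mp;` directly after the call would keep the local in step with the caller's pointer; the SOLARIS branch drops the return value of `ipfr_fastroute(ip, m, mp, fin, fdp)` in the same way and deserves the same check. The enclosing function begins and ends in hidden lines, so the declaration and earlier uses of `m` could not be reviewed.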