1/*
2 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.

--- 8 unchanged lines hidden (view full) ---

17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 *
25 * $FreeBSD: head/sys/netinet/ip_fw2.c 135168 2004-09-13 19:27:23Z andre $
26 */
27
28#define DEB(x)
29#define DDB(x) x
30
31/*
32 * Implement IP packet firewall (new version)
33 */

--- 1493 unchanged lines hidden (view full) ---

1527 rnh = ipfw_tables[tbl->tbl].rnh;
1528 tbl->cnt = 0;
1529 RADIX_NODE_HEAD_LOCK(rnh);
1530 rnh->rnh_walktree(rnh, dump_table_entry, tbl);
1531 RADIX_NODE_HEAD_UNLOCK(rnh);
1532 return (0);
1533}
1534
1535static int
1536check_uidgid(ipfw_insn_u32 *insn,
1537 int proto, struct ifnet *oif,
1538 struct in_addr dst_ip, u_int16_t dst_port,
1539 struct in_addr src_ip, u_int16_t src_port,
1540 struct ip_fw_ugid *ugp, int *lookup)
1541{
1542 struct inpcbinfo *pi;
1543 int wildcard;
1544 struct inpcb *pcb;
1545 int match;
1546 struct ucred *cr;
1547 gid_t *gp;
1548
1549 /*
1550 * If we have already been here and the packet has no
1551 * PCB entry associated with it, then we can safely
1552 * assume that this is a no match.
1553 */
1554 if (*lookup == -1)
1555 return (0);
1556 if (proto == IPPROTO_TCP) {
1557 wildcard = 0;
1558 pi = &tcbinfo;
1559 } else if (proto == IPPROTO_UDP) {
1560 wildcard = 1;
1561 pi = &udbinfo;
1562 } else
1563 return 0;
1564 match = 0;
1565 if (*lookup == 0) {
1566 INP_INFO_RLOCK(pi); /* XXX LOR with IPFW */
1567 pcb = (oif) ?
1568 in_pcblookup_hash(pi,
1569 dst_ip, htons(dst_port),
1570 src_ip, htons(src_port),
1571 wildcard, oif) :
1572 in_pcblookup_hash(pi,
1573 src_ip, htons(src_port),
1574 dst_ip, htons(dst_port),
1575 wildcard, NULL);
1576 if (pcb != NULL) {
1577 INP_LOCK(pcb);
1578 if (pcb->inp_socket != NULL) {
1579 cr = pcb->inp_socket->so_cred;
1580 ugp->fw_prid = jailed(cr) ?
1581 cr->cr_prison->pr_id : -1;
1582 ugp->fw_uid = cr->cr_uid;
1583 ugp->fw_ngroups = cr->cr_ngroups;
1584 bcopy(cr->cr_groups, ugp->fw_groups,
1585 sizeof(ugp->fw_groups));
1586 *lookup = 1;
1587 }
1588 INP_UNLOCK(pcb);
1589 }
1590 INP_INFO_RUNLOCK(pi);
1591 if (*lookup == 0) {
1592 /*
1593 * If the lookup did not yield any results, there

--- 339 unchanged lines hidden (view full) ---

1933 break;
1934 if (proto == IPPROTO_TCP ||
1935 proto == IPPROTO_UDP)
1936 match = check_uidgid(
1937 (ipfw_insn_u32 *)cmd,
1938 proto, oif,
1939 dst_ip, dst_port,
1940 src_ip, src_port, &fw_ugid_cache,
1941 &ugid_lookup);
1942 break;
1943
1944 case O_RECV:
1945 match = iface_match(m->m_pkthdr.rcvif,
1946 (ipfw_insn_if *)cmd);
1947 break;
1948
1949 case O_XMIT:

--- 1498 unchanged lines hidden ---