1/* 2 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. --- 8 unchanged lines hidden (view full) --- 17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23 * SUCH DAMAGE. 24 * |
25 * $FreeBSD: head/sys/netinet/ip_fw2.c 135920 2004-09-29 04:54:33Z mlaier $ |
26 */ 27 28#define DEB(x) 29#define DDB(x) x 30 31/* 32 * Implement IP packet firewall (new version) 33 */ --- 1493 unchanged lines hidden (view full) --- 1527 rnh = ipfw_tables[tbl->tbl].rnh; 1528 tbl->cnt = 0; 1529 RADIX_NODE_HEAD_LOCK(rnh); 1530 rnh->rnh_walktree(rnh, dump_table_entry, tbl); 1531 RADIX_NODE_HEAD_UNLOCK(rnh); 1532 return (0); 1533} 1534 |
1535static void 1536fill_ugid_cache(struct inpcb *inp, struct ip_fw_ugid *ugp) 1537{ 1538 struct ucred *cr; 1539 1540 if (inp->inp_socket != NULL) { 1541 cr = inp->inp_socket->so_cred; 1542 ugp->fw_prid = jailed(cr) ? 1543 cr->cr_prison->pr_id : -1; 1544 ugp->fw_uid = cr->cr_uid; 1545 ugp->fw_ngroups = cr->cr_ngroups; 1546 bcopy(cr->cr_groups, ugp->fw_groups, 1547 sizeof(ugp->fw_groups)); 1548 } 1549} 1550 |
1551static int 1552check_uidgid(ipfw_insn_u32 *insn, 1553 int proto, struct ifnet *oif, 1554 struct in_addr dst_ip, u_int16_t dst_port, 1555 struct in_addr src_ip, u_int16_t src_port, |
1556 struct ip_fw_ugid *ugp, int *lookup, struct inpcb *inp) |
1557{ 1558 struct inpcbinfo *pi; 1559 int wildcard; 1560 struct inpcb *pcb; 1561 int match; |
1562 gid_t *gp; 1563 1564 /* |
1565 * Check to see if the UDP or TCP stack supplied us with 1566 * the PCB. If so, rather then holding a lock and looking 1567 * up the PCB, we can use the one that was supplied. 1568 */ 1569 if (inp && *lookup == 0) { 1570 INP_LOCK_ASSERT(inp); 1571 if (inp->inp_socket != NULL) { 1572 fill_ugid_cache(inp, ugp); 1573 *lookup = 1; 1574 } 1575 } 1576 /* |
1577 * If we have already been here and the packet has no 1578 * PCB entry associated with it, then we can safely 1579 * assume that this is a no match. 1580 */ 1581 if (*lookup == -1) 1582 return (0); 1583 if (proto == IPPROTO_TCP) { 1584 wildcard = 0; 1585 pi = &tcbinfo; 1586 } else if (proto == IPPROTO_UDP) { 1587 wildcard = 1; 1588 pi = &udbinfo; 1589 } else 1590 return 0; 1591 match = 0; 1592 if (*lookup == 0) { |
1593 INP_INFO_RLOCK(pi); |
1594 pcb = (oif) ? 1595 in_pcblookup_hash(pi, 1596 dst_ip, htons(dst_port), 1597 src_ip, htons(src_port), 1598 wildcard, oif) : 1599 in_pcblookup_hash(pi, 1600 src_ip, htons(src_port), 1601 dst_ip, htons(dst_port), 1602 wildcard, NULL); 1603 if (pcb != NULL) { 1604 INP_LOCK(pcb); 1605 if (pcb->inp_socket != NULL) { |
1606 fill_ugid_cache(pcb, ugp); |
1607 *lookup = 1; 1608 } 1609 INP_UNLOCK(pcb); 1610 } 1611 INP_INFO_RUNLOCK(pi); 1612 if (*lookup == 0) { 1613 /* 1614 * If the lookup did not yield any results, there --- 339 unchanged lines hidden (view full) --- 1954 break; 1955 if (proto == IPPROTO_TCP || 1956 proto == IPPROTO_UDP) 1957 match = check_uidgid( 1958 (ipfw_insn_u32 *)cmd, 1959 proto, oif, 1960 dst_ip, dst_port, 1961 src_ip, src_port, &fw_ugid_cache, |
1962 &ugid_lookup, args->inp); |
1963 break; 1964 1965 case O_RECV: 1966 match = iface_match(m->m_pkthdr.rcvif, 1967 (ipfw_insn_if *)cmd); 1968 break; 1969 1970 case O_XMIT: --- 1498 unchanged lines hidden --- |
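Review bot: In check_uidgid, a caller-supplied inp whose inp_socket is NULL leaves *lookup at 0, so the new fast path is skipped and the function still falls into INP_INFO_RLOCK(pi) plus INP_LOCK(pcb) on a second pcb while, as INP_LOCK_ASSERT(inp) implies, the transport layer already holds inp locked; if the pcbinfo-before-pcb lock order applies here, that is the same reversal this change appears meant to avoid, and the detached pcb cannot yield a uid to match anyway. If a socketless pcb from the stack should be treated as no match, closing that branch with `} else { *lookup = -1; }` makes the early `if (*lookup == -1) return (0);` take it before the hash lookup. The `inp->inp_socket != NULL` test is also duplicated inside fill_ugid_cache, so one of the two can go. Separately, fill_ugid_cache's `bcopy(cr->cr_groups, ugp->fw_groups, sizeof(ugp->fw_groups))` copies the whole destination regardless of cr_ngroups and so silently depends on cr_groups being at least as large as fw_groups; a comment stating that assumption, or bounding the copy by the smaller of the two sizes, would keep a later change to ucred from turning it into an over-read. check_uidgid's body continues past the collapsed region below this hunk.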