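--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -1,8 +1,8 @@
 /*
  * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ -17,17 +17,17 @@
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: head/sys/netinet/ip_fw2.c 135168 2004-09-13 19:27:23Z andre $
+ * $FreeBSD: head/sys/netinet/ip_fw2.c 135920 2004-09-29 04:54:33Z mlaier $
  */
 
 #define DEB(x)
 #define DDB(x) x
 
 /*
  * Implement IP packet firewall (new version)
  */
@@ -1527,67 +1527,88 @@
  rnh = ipfw_tables[tbl->tbl].rnh;
  tbl->cnt = 0;
  RADIX_NODE_HEAD_LOCK(rnh);
  rnh->rnh_walktree(rnh, dump_table_entry, tbl);
  RADIX_NODE_HEAD_UNLOCK(rnh);
  return (0);
 }
 
+static void
+fill_ugid_cache(struct inpcb *inp, struct ip_fw_ugid *ugp)
+{
+ struct ucred *cr;
+
+ if (inp->inp_socket != NULL) {
+ cr = inp->inp_socket->so_cred;
+ ugp->fw_prid = jailed(cr) ?
+ cr->cr_prison->pr_id : -1;
+ ugp->fw_uid = cr->cr_uid;
+ ugp->fw_ngroups = cr->cr_ngroups;
+ bcopy(cr->cr_groups, ugp->fw_groups,
+ sizeof(ugp->fw_groups));
+ }
+}
+
 static int
 check_uidgid(ipfw_insn_u32 *insn,
  int proto, struct ifnet *oif,
  struct in_addr dst_ip, u_int16_t dst_port,
  struct in_addr src_ip, u_int16_t src_port,
- struct ip_fw_ugid *ugp, int *lookup)
+ struct ip_fw_ugid *ugp, int *lookup, struct inpcb *inp)
 {
  struct inpcbinfo *pi;
  int wildcard;
  struct inpcb *pcb;
  int match;
- struct ucred *cr;
  gid_t *gp;
 
  /*
+ * Check to see if the UDP or TCP stack supplied us with
+ * the PCB. If so, rather then holding a lock and looking
+ * up the PCB, we can use the one that was supplied.
+ */
+ if (inp && *lookup == 0) {
+ INP_LOCK_ASSERT(inp);
+ if (inp->inp_socket != NULL) {
+ fill_ugid_cache(inp, ugp);
+ *lookup = 1;
+ }
+ }
+ /*
  * If we have already been here and the packet has no
  * PCB entry associated with it, then we can safely
  * assume that this is a no match.
  */
  if (*lookup == -1)
  return (0);
  if (proto == IPPROTO_TCP) {
  wildcard = 0;
  pi = &tcbinfo;
  } else if (proto == IPPROTO_UDP) {
  wildcard = 1;
  pi = &udbinfo;
  } else
  return 0;
  match = 0;
  if (*lookup == 0) {
- INP_INFO_RLOCK(pi); /* XXX LOR with IPFW */
+ INP_INFO_RLOCK(pi);
  pcb = (oif) ?
  in_pcblookup_hash(pi,
  dst_ip, htons(dst_port),
  src_ip, htons(src_port),
  wildcard, oif) :
  in_pcblookup_hash(pi,
  src_ip, htons(src_port),
  dst_ip, htons(dst_port),
  wildcard, NULL);
  if (pcb != NULL) {
  INP_LOCK(pcb);
  if (pcb->inp_socket != NULL) {
- cr = pcb->inp_socket->so_cred;
- ugp->fw_prid = jailed(cr) ?
- cr->cr_prison->pr_id : -1;
- ugp->fw_uid = cr->cr_uid;
- ugp->fw_ngroups = cr->cr_ngroups;
- bcopy(cr->cr_groups, ugp->fw_groups,
- sizeof(ugp->fw_groups));
+ fill_ugid_cache(pcb, ugp);
  *lookup = 1;
  }
  INP_UNLOCK(pcb);
  }
  INP_INFO_RUNLOCK(pi);
  if (*lookup == 0) {
  /*
  * If the lookup did not yield any results, there
@@ -1933,17 +1954,17 @@
  break;
  if (proto == IPPROTO_TCP ||
  proto == IPPROTO_UDP)
  match = check_uidgid(
  (ipfw_insn_u32 *)cmd,
  proto, oif,
  dst_ip, dst_port,
  src_ip, src_port, &fw_ugid_cache,
- &ugid_lookup);
+ &ugid_lookup, args->inp);
  break;
 
  case O_RECV:
  match = iface_match(m->m_pkthdr.rcvif,
  (ipfw_insn_if *)cmd);
  break;
 
  case O_XMIT: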
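Review bot: The new fast path in check_uidgid reads `inp->inp_socket->so_cred` on the strength of `INP_LOCK_ASSERT(inp)` alone; if that macro follows the usual FreeBSD convention of compiling out without INVARIANTS, a caller that hands over an unlocked or mismatched pcb through args->inp is not caught on a production kernel, and a uid/gid rule then silently matches against the wrong credentials. Nothing in the hunk states that contract, so fill_ugid_cache should carry it, e.g. `/* Caller must hold the inpcb lock. Copies the socket's uid, groups and prison id into the per-packet ugid cache; leaves it untouched when the pcb has no socket. */`, and the added parameter deserves a line at check_uidgid such as `/* inp: pcb the TCP/UDP stack supplied for this packet, or NULL to look it up */` (that it is the packet's own pcb is what the new comment implies, not something the hunk verifies). The `inp->inp_socket != NULL` test is now made twice, once at each call site and again inside fill_ugid_cache; having the helper return whether it populated the cache and setting `*lookup = 1` from that result in both places would keep the cache contents and the lookup flag from drifting apart. check_uidgid and the switch case in the last hunk both continue outside the shown lines.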