ng_ipfw.c (201122) ng_ipfw.c (201527)
1/*-
2 * Copyright 2005, Gleb Smirnoff <glebius@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright

--- 9 unchanged lines hidden (view full) ---

18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
1/*-
2 * Copyright 2005, Gleb Smirnoff <glebius@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright

--- 9 unchanged lines hidden (view full) ---

18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: head/sys/netgraph/ng_ipfw.c 201122 2009-12-28 10:47:04Z luigi $
26 * $FreeBSD: head/sys/netgraph/ng_ipfw.c 201527 2010-01-04 19:01:22Z luigi $
27 */
28
29#include <sys/param.h>
30#include <sys/systm.h>
31#include <sys/kernel.h>
32#include <sys/lock.h>
33#include <sys/mbuf.h>
34#include <sys/malloc.h>

--- 181 unchanged lines hidden (view full) ---

216
217 return (NULL);
218}
219
220
221static int
222ng_ipfw_rcvdata(hook_p hook, item_p item)
223{
27 */
28
29#include <sys/param.h>
30#include <sys/systm.h>
31#include <sys/kernel.h>
32#include <sys/lock.h>
33#include <sys/mbuf.h>
34#include <sys/malloc.h>

--- 181 unchanged lines hidden (view full) ---

216
217 return (NULL);
218}
219
220
221static int
222ng_ipfw_rcvdata(hook_p hook, item_p item)
223{
224 struct ng_ipfw_tag *ngit;
224 struct ipfw_rule_ref *tag;
225 struct mbuf *m;
226
227 NGI_GET_M(item, m);
228 NG_FREE_ITEM(item);
229
225 struct mbuf *m;
226
227 NGI_GET_M(item, m);
228 NG_FREE_ITEM(item);
229
230 if ((ngit = (struct ng_ipfw_tag *)m_tag_locate(m, NGM_IPFW_COOKIE, 0,
231 NULL)) == NULL) {
230 tag = (struct ipfw_rule_ref *)
231 m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL);
232 if (tag == NULL) {
232 NG_FREE_M(m);
233 return (EINVAL); /* XXX: find smth better */
234 };
235
233 NG_FREE_M(m);
234 return (EINVAL); /* XXX: find smth better */
235 };
236
236 switch (ngit->dir) {
237 case DIR_OUT:
238 {
237 if (tag->info & IPFW_INFO_IN) {
238 ip_input(m);
239 return (0);
240 } else {
239 struct ip *ip;
240
241 if (m->m_len < sizeof(struct ip) &&
242 (m = m_pullup(m, sizeof(struct ip))) == NULL)
243 return (EINVAL);
244
245 ip = mtod(m, struct ip *);
246
241 struct ip *ip;
242
243 if (m->m_len < sizeof(struct ip) &&
244 (m = m_pullup(m, sizeof(struct ip))) == NULL)
245 return (EINVAL);
246
247 ip = mtod(m, struct ip *);
248
247 ip->ip_len = ntohs(ip->ip_len);
248 ip->ip_off = ntohs(ip->ip_off);
249 SET_HOST_IPLEN(ip);
249
250 return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
250
251 return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
251 }
252 case DIR_IN:
253 ip_input(m);
254 return (0);
255 default:
256 panic("ng_ipfw_rcvdata: bad dir %u", ngit->dir);
257 }
252 }
258
259 /* not reached */
260 return (0);
261}
262
263static int
264ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee)
265{
266 struct mbuf *m;
253}
254
255static int
256ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee)
257{
258 struct mbuf *m;
267 struct ng_ipfw_tag *ngit;
268 struct ip *ip;
269 hook_p hook;
270 int error = 0;
271
272 /*
273 * Node must be loaded and corresponding hook must be present.
274 */
275 if (fw_node == NULL ||
259 struct ip *ip;
260 hook_p hook;
261 int error = 0;
262
263 /*
264 * Node must be loaded and corresponding hook must be present.
265 */
266 if (fw_node == NULL ||
276 (hook = ng_ipfw_findhook1(fw_node, fwa->cookie)) == NULL) {
267 (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL) {
277 if (tee == 0)
278 m_freem(*m0);
279 return (ESRCH); /* no hook associated with this rule */
280 }
281
282 /*
283 * We have two modes: in normal mode we add a tag to packet, which is
284 * important to return packet back to IP stack. In tee mode we make
285 * a copy of a packet and forward it into netgraph without a tag.
286 */
287 if (tee == 0) {
268 if (tee == 0)
269 m_freem(*m0);
270 return (ESRCH); /* no hook associated with this rule */
271 }
272
273 /*
274 * We have two modes: in normal mode we add a tag to packet, which is
275 * important to return packet back to IP stack. In tee mode we make
276 * a copy of a packet and forward it into netgraph without a tag.
277 */
278 if (tee == 0) {
279 struct m_tag *tag;
280 struct ipfw_rule_ref *r;
288 m = *m0;
289 *m0 = NULL; /* it belongs now to netgraph */
290
281 m = *m0;
282 *m0 = NULL; /* it belongs now to netgraph */
283
291 if ((ngit = (struct ng_ipfw_tag *)m_tag_alloc(NGM_IPFW_COOKIE,
292 0, TAGSIZ, M_NOWAIT|M_ZERO)) == NULL) {
284 tag = m_tag_alloc(MTAG_IPFW_RULE, 0, sizeof(*r),
285 M_NOWAIT|M_ZERO);
286 if (tag == NULL) {
293 m_freem(m);
294 return (ENOMEM);
295 }
287 m_freem(m);
288 return (ENOMEM);
289 }
296 ngit->slot = fwa->slot;
297 ngit->rulenum = fwa->rulenum;
298 ngit->rule_id = fwa->rule_id;
299 ngit->chain_id = fwa->chain_id;
300 ngit->dir = dir;
301// ngit->ifp = fwa->oif; /* XXX do we use it ? */
302 m_tag_prepend(m, &ngit->mt);
290 r = (struct ipfw_rule_ref *)(tag + 1);
291 *r = fwa->rule;
292 r->info = dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
293 m_tag_prepend(m, tag);
303
304 } else
305 if ((m = m_dup(*m0, M_DONTWAIT)) == NULL)
306 return (ENOMEM); /* which is ignored */
307
308 if (m->m_len < sizeof(struct ip) &&
309 (m = m_pullup(m, sizeof(struct ip))) == NULL)
310 return (EINVAL);
311
312 ip = mtod(m, struct ip *);
294
295 } else
296 if ((m = m_dup(*m0, M_DONTWAIT)) == NULL)
297 return (ENOMEM); /* which is ignored */
298
299 if (m->m_len < sizeof(struct ip) &&
300 (m = m_pullup(m, sizeof(struct ip))) == NULL)
301 return (EINVAL);
302
303 ip = mtod(m, struct ip *);
313 ip->ip_len = htons(ip->ip_len);
314 ip->ip_off = htons(ip->ip_off);
315
316 NG_SEND_DATA_ONLY(error, hook, m);
317
318 return (error);
319}
320
321static int
322ng_ipfw_shutdown(node_p node)

--- 22 unchanged lines hidden ---
304
305 NG_SEND_DATA_ONLY(error, hook, m);
306
307 return (error);
308}
309
310static int
311ng_ipfw_shutdown(node_p node)

--- 22 unchanged lines hidden ---
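Review bot: In the new ng_ipfw_rcvdata (new lines 230-237) the result of m_tag_locate() is cast straight to `struct ipfw_rule_ref *`, while ng_ipfw_input in the same change stores the rule reference behind the tag header with `r = (struct ipfw_rule_ref *)(tag + 1);`. If m_tag_locate() returns the `struct m_tag` header, as the m_tag_alloc() call here does, then `tag->info & IPFW_INFO_IN` tests bytes of the header rather than the saved direction. A packet returning from netgraph could then be handed to ip_input() or ip_output() on the wrong path. Keep the located pointer as `struct m_tag *tag`, add `r = (struct ipfw_rule_ref *)(tag + 1);` after the NULL check, and test `if (r->info & IPFW_INFO_IN)`. A one-line comment in both functions stating that the rule reference is the payload following the m_tag header would keep the two sides in agreement.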