ip_fw2.c (125952) ip_fw2.c (126239)
1/*
2 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.

--- 8 unchanged lines hidden (view full) ---

17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 *
1/*
2 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.

--- 8 unchanged lines hidden (view full) ---

17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 *
25 * $FreeBSD: head/sys/netinet/ip_fw2.c 125952 2004-02-18 00:04:52Z mlaier $
25 * $FreeBSD: head/sys/netinet/ip_fw2.c 126239 2004-02-25 19:55:29Z mlaier $
26 */
27
28#define DEB(x)
29#define DDB(x) x
30
31/*
32 * Implement IP packet firewall (new version)
33 */

--- 27 unchanged lines hidden (view full) ---

61#include <netinet/in.h>
62#include <netinet/in_systm.h>
63#include <netinet/in_var.h>
64#include <netinet/in_pcb.h>
65#include <netinet/ip.h>
66#include <netinet/ip_var.h>
67#include <netinet/ip_icmp.h>
68#include <netinet/ip_fw.h>
26 */
27
28#define DEB(x)
29#define DDB(x) x
30
31/*
32 * Implement IP packet firewall (new version)
33 */

--- 27 unchanged lines hidden (view full) ---

61#include <netinet/in.h>
62#include <netinet/in_systm.h>
63#include <netinet/in_var.h>
64#include <netinet/in_pcb.h>
65#include <netinet/ip.h>
66#include <netinet/ip_var.h>
67#include <netinet/ip_icmp.h>
68#include <netinet/ip_fw.h>
69#include <netinet/ip_divert.h>
69#include <netinet/ip_dummynet.h>
70#include <netinet/tcp.h>
71#include <netinet/tcp_timer.h>
72#include <netinet/tcp_var.h>
73#include <netinet/tcpip.h>
74#include <netinet/udp.h>
75#include <netinet/udp_var.h>
76

--- 1375 unchanged lines hidden (view full) ---

1452 u_int8_t proto;
1453 u_int16_t src_port = 0, dst_port = 0; /* NOTE: host format */
1454 struct in_addr src_ip, dst_ip; /* NOTE: network format */
1455 u_int16_t ip_len=0;
1456 int pktlen;
1457 int dyn_dir = MATCH_UNKNOWN;
1458 ipfw_dyn_rule *q = NULL;
1459 struct ip_fw_chain *chain = &layer3_chain;
70#include <netinet/ip_dummynet.h>
71#include <netinet/tcp.h>
72#include <netinet/tcp_timer.h>
73#include <netinet/tcp_var.h>
74#include <netinet/tcpip.h>
75#include <netinet/udp.h>
76#include <netinet/udp_var.h>
77

--- 1375 unchanged lines hidden (view full) ---

1453 u_int8_t proto;
1454 u_int16_t src_port = 0, dst_port = 0; /* NOTE: host format */
1455 struct in_addr src_ip, dst_ip; /* NOTE: network format */
1456 u_int16_t ip_len=0;
1457 int pktlen;
1458 int dyn_dir = MATCH_UNKNOWN;
1459 ipfw_dyn_rule *q = NULL;
1460 struct ip_fw_chain *chain = &layer3_chain;
1461 struct m_tag *mtag;
1460
1461 if (m->m_flags & M_SKIP_FIREWALL)
1462 return 0; /* accept */
1463 /*
1464 * dyn_dir = MATCH_UNKNOWN when rules unchecked,
1465 * MATCH_NONE when checked and not matched (q = NULL),
1466 * MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL)
1467 */

--- 72 unchanged lines hidden (view full) ---

1540
1541 args->f_id.src_ip = ntohl(src_ip.s_addr);
1542 args->f_id.dst_ip = ntohl(dst_ip.s_addr);
1543 args->f_id.src_port = src_port = ntohs(src_port);
1544 args->f_id.dst_port = dst_port = ntohs(dst_port);
1545
1546after_ip_checks:
1547 IPFW_LOCK(chain); /* XXX expensive? can we run lock free? */
1462
1463 if (m->m_flags & M_SKIP_FIREWALL)
1464 return 0; /* accept */
1465 /*
1466 * dyn_dir = MATCH_UNKNOWN when rules unchecked,
1467 * MATCH_NONE when checked and not matched (q = NULL),
1468 * MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL)
1469 */

--- 72 unchanged lines hidden (view full) ---

1542
1543 args->f_id.src_ip = ntohl(src_ip.s_addr);
1544 args->f_id.dst_ip = ntohl(dst_ip.s_addr);
1545 args->f_id.src_port = src_port = ntohs(src_port);
1546 args->f_id.dst_port = dst_port = ntohs(dst_port);
1547
1548after_ip_checks:
1549 IPFW_LOCK(chain); /* XXX expensive? can we run lock free? */
1550 mtag = m_tag_find(m, PACKET_TAG_DIVERT, NULL);
1548 if (args->rule) {
1549 /*
1550 * Packet has already been tagged. Look for the next rule
1551 * to restart processing.
1552 *
1553 * If fw_one_pass != 0 then just accept it.
1554 * XXX should not happen here, but optimized out in
1555 * the caller.

--- 6 unchanged lines hidden (view full) ---

1562 f = args->rule->next_rule;
1563 if (f == NULL)
1564 f = lookup_next_rule(args->rule);
1565 } else {
1566 /*
1567 * Find the starting rule. It can be either the first
1568 * one, or the one after divert_rule if asked so.
1569 */
1551 if (args->rule) {
1552 /*
1553 * Packet has already been tagged. Look for the next rule
1554 * to restart processing.
1555 *
1556 * If fw_one_pass != 0 then just accept it.
1557 * XXX should not happen here, but optimized out in
1558 * the caller.

--- 6 unchanged lines hidden (view full) ---

1565 f = args->rule->next_rule;
1566 if (f == NULL)
1567 f = lookup_next_rule(args->rule);
1568 } else {
1569 /*
1570 * Find the starting rule. It can be either the first
1571 * one, or the one after divert_rule if asked so.
1572 */
1570 int skipto = args->divert_rule;
1573 int skipto = mtag ? divert_cookie(mtag) : 0;
1571
1572 f = chain->rules;
1573 if (args->eh == NULL && skipto != 0) {
1574 if (skipto >= IPFW_DEFAULT_RULE) {
1575 IPFW_UNLOCK(chain);
1576 return(IP_FW_PORT_DENY_FLAG); /* invalid */
1577 }
1578 while (f && f->rulenum <= skipto)
1579 f = f->next;
1580 if (f == NULL) { /* drop packet */
1581 IPFW_UNLOCK(chain);
1582 return(IP_FW_PORT_DENY_FLAG);
1583 }
1584 }
1585 }
1574
1575 f = chain->rules;
1576 if (args->eh == NULL && skipto != 0) {
1577 if (skipto >= IPFW_DEFAULT_RULE) {
1578 IPFW_UNLOCK(chain);
1579 return(IP_FW_PORT_DENY_FLAG); /* invalid */
1580 }
1581 while (f && f->rulenum <= skipto)
1582 f = f->next;
1583 if (f == NULL) { /* drop packet */
1584 IPFW_UNLOCK(chain);
1585 return(IP_FW_PORT_DENY_FLAG);
1586 }
1587 }
1588 }
1586 args->divert_rule = 0; /* reset to avoid confusion later */
1589 /* reset divert rule to avoid confusion later */
1590 if (mtag)
1591 m_tag_delete(m, mtag);
1587
1588 /*
1589 * Now scan the rules, and parse microinstructions for each rule.
1590 */
1591 for (; f; f = f->next) {
1592 int l, cmdlen;
1593 ipfw_insn *cmd;
1594 int skip_or; /* skip rest of OR block */

--- 418 unchanged lines hidden (view full) ---

2013
2014 case O_PIPE:
2015 case O_QUEUE:
2016 args->rule = f; /* report matching rule */
2017 retval = cmd->arg1 | IP_FW_PORT_DYNT_FLAG;
2018 goto done;
2019
2020 case O_DIVERT:
1592
1593 /*
1594 * Now scan the rules, and parse microinstructions for each rule.
1595 */
1596 for (; f; f = f->next) {
1597 int l, cmdlen;
1598 ipfw_insn *cmd;
1599 int skip_or; /* skip rest of OR block */

--- 418 unchanged lines hidden (view full) ---

2018
2019 case O_PIPE:
2020 case O_QUEUE:
2021 args->rule = f; /* report matching rule */
2022 retval = cmd->arg1 | IP_FW_PORT_DYNT_FLAG;
2023 goto done;
2024
2025 case O_DIVERT:
2021 case O_TEE:
2026 case O_TEE: {
2027 struct divert_tag *dt;
2028
2022 if (args->eh) /* not on layer 2 */
2023 break;
2029 if (args->eh) /* not on layer 2 */
2030 break;
2024 args->divert_rule = f->rulenum;
2025 retval = (cmd->opcode == O_DIVERT) ?
2031 mtag = m_tag_get(PACKET_TAG_DIVERT,
2032 sizeof(struct divert_tag),
2033 M_NOWAIT);
2034 if (mtag == NULL) {
2035 /* XXX statistic */
2036 /* drop packet */
2037 IPFW_UNLOCK(chain);
2038 return IP_FW_PORT_DENY_FLAG;
2039 }
2040 dt = (struct divert_tag *)(mtag+1);
2041 dt->cookie = f->rulenum;
2042 dt->info = (cmd->opcode == O_DIVERT) ?
2026 cmd->arg1 :
2027 cmd->arg1 | IP_FW_PORT_TEE_FLAG;
2043 cmd->arg1 :
2044 cmd->arg1 | IP_FW_PORT_TEE_FLAG;
2045 m_tag_prepend(m, mtag);
2046 retval = dt->info;
2028 goto done;
2047 goto done;
2048 }
2029
2030 case O_COUNT:
2031 case O_SKIPTO:
2032 f->pcnt++; /* update stats */
2033 f->bcnt += pktlen;
2034 f->timestamp = time_second;
2035 if (cmd->opcode == O_COUNT)
2036 goto next_rule;

--- 999 unchanged lines hidden ---
2049
2050 case O_COUNT:
2051 case O_SKIPTO:
2052 f->pcnt++; /* update stats */
2053 f->bcnt += pktlen;
2054 f->timestamp = time_second;
2055 if (cmd->opcode == O_COUNT)
2056 goto next_rule;

--- 999 unchanged lines hidden ---
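Review bot: After `m_tag_delete(m, mtag);` at new line 1591 the function-scope `mtag` is left dangling until it is reassigned in the O_DIVERT/O_TEE case at line 2031, and the ~418 hidden lines in between are not visible here, so any use of `mtag` in that stretch would be a use-after-free; I would clear it at the point of deletion, `if (mtag) { m_tag_delete(m, mtag); mtag = NULL; }`, so the only live value is the one created by the divert/tee action. The `skipto >= IPFW_DEFAULT_RULE` bound at line 1577 still applies to the cookie recovered via `divert_cookie(mtag)`, which is the right place for it since that value originates from whoever re-injected the packet; a one-line comment there, `/* cookie comes from the re-injecting divert writer; bound it before walking the chain */`, would make that trust boundary explicit. The M_NOWAIT failure path at lines 2034-2039 correctly fails closed, but as the `XXX statistic` marker admits, the drop is invisible; at minimum the `/* drop packet */` comment should say that a tag allocation failure turns this divert into a silent deny so an operator debugging lost traffic knows to look here. ipfw_chk starts before this hunk and its body continues after it.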