1/*- 2 * Copyright (c) 2004 Andre Oppermann, Internet Business Solutions AG 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27#include <sys/cdefs.h>
| 1/*- 2 * Copyright (c) 2004 Andre Oppermann, Internet Business Solutions AG 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27#include <sys/cdefs.h>
|
71#define V_fw6_enable VNET(fw6_enable) 72#endif 73 74int ipfw_chg_hook(SYSCTL_HANDLER_ARGS); 75 76/* Forward declarations. */ 77static int ipfw_divert(struct mbuf **, int, struct ipfw_rule_ref *, int); 78 79#ifdef SYSCTL_NODE 80 81SYSBEGIN(f1) 82 83SYSCTL_DECL(_net_inet_ip_fw); 84SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable, 85 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0, 86 ipfw_chg_hook, "I", "Enable ipfw"); 87#ifdef INET6 88SYSCTL_DECL(_net_inet6_ip6_fw); 89SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable, 90 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0, 91 ipfw_chg_hook, "I", "Enable ipfw+6"); 92#endif /* INET6 */ 93 94SYSEND 95 96#endif /* SYSCTL_NODE */ 97 98/* 99 * The pfilter hook to pass packets to ipfw_chk and then to 100 * dummynet, divert, netgraph or other modules. 101 * The packet may be consumed. 102 */ 103int 104ipfw_check_hook(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, 105 struct inpcb *inp) 106{ 107 struct ip_fw_args args; 108 struct m_tag *tag; 109 int ipfw; 110 int ret; 111 112 /* all the processing now uses ip_len in net format */ 113 if (mtod(*m0, struct ip *)->ip_v == 4) 114 SET_NET_IPLEN(mtod(*m0, struct ip *)); 115 116 /* convert dir to IPFW values */ 117 dir = (dir == PFIL_IN) ? DIR_IN : DIR_OUT; 118 bzero(&args, sizeof(args)); 119 120again: 121 /* 122 * extract and remove the tag if present. If we are left 123 * with onepass, optimize the outgoing path. 124 */ 125 tag = m_tag_locate(*m0, MTAG_IPFW_RULE, 0, NULL); 126 if (tag != NULL) { 127 args.rule = *((struct ipfw_rule_ref *)(tag+1)); 128 m_tag_delete(*m0, tag); 129 if (args.rule.info & IPFW_ONEPASS) { 130 SET_HOST_IPLEN(mtod(*m0, struct ip *)); 131 return 0; 132 } 133 } 134 135 args.m = *m0; 136 args.oif = dir == DIR_OUT ? ifp : NULL; 137 args.inp = inp; 138 139 ipfw = ipfw_chk(&args); 140 *m0 = args.m; 141 142 KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL", 143 __func__)); 144 145 /* breaking out of the switch means drop */ 146 ret = 0; /* default return value for pass */ 147 switch (ipfw) { 148 case IP_FW_PASS: 149 /* next_hop may be set by ipfw_chk */ 150 if (args.next_hop == NULL) 151 break; /* pass */ 152#ifndef IPFIREWALL_FORWARD 153 ret = EACCES; 154#else 155 { 156 struct m_tag *fwd_tag; 157 158 /* Incoming packets should not be tagged so we do not 159 * m_tag_find. Outgoing packets may be tagged, so we 160 * reuse the tag if present. 161 */ 162 fwd_tag = (dir == DIR_IN) ? NULL : 163 m_tag_find(*m0, PACKET_TAG_IPFORWARD, NULL); 164 if (fwd_tag != NULL) { 165 m_tag_unlink(*m0, fwd_tag); 166 } else { 167 fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD, 168 sizeof(struct sockaddr_in), M_NOWAIT); 169 if (fwd_tag == NULL) { 170 ret = EACCES; 171 break; /* i.e. drop */ 172 } 173 } 174 bcopy(args.next_hop, (fwd_tag+1), sizeof(struct sockaddr_in)); 175 m_tag_prepend(*m0, fwd_tag); 176 177 if (in_localip(args.next_hop->sin_addr)) 178 (*m0)->m_flags |= M_FASTFWD_OURS; 179 } 180#endif 181 break; 182 183 case IP_FW_DENY: 184 ret = EACCES; 185 break; /* i.e. drop */ 186 187 case IP_FW_DUMMYNET: 188 ret = EACCES; 189 if (ip_dn_io_ptr == NULL) 190 break; /* i.e. drop */ 191 if (mtod(*m0, struct ip *)->ip_v == 4) 192 ret = ip_dn_io_ptr(m0, dir, &args); 193 else if (mtod(*m0, struct ip *)->ip_v == 6) 194 ret = ip_dn_io_ptr(m0, dir | PROTO_IPV6, &args); 195 else 196 break; /* drop it */ 197 /* 198 * XXX should read the return value. 199 * dummynet normally eats the packet and sets *m0=NULL 200 * unless the packet can be sent immediately. In this 201 * case args is updated and we should re-run the 202 * check without clearing args. 203 */ 204 if (*m0 != NULL) 205 goto again; 206 break; 207 208 case IP_FW_TEE: 209 case IP_FW_DIVERT: 210 if (ip_divert_ptr == NULL) { 211 ret = EACCES; 212 break; /* i.e. drop */ 213 } 214 ret = ipfw_divert(m0, dir, &args.rule, 215 (ipfw == IP_FW_TEE) ? 1 : 0); 216 /* continue processing for the original packet (tee). */ 217 if (*m0) 218 goto again; 219 break; 220 221 case IP_FW_NGTEE: 222 case IP_FW_NETGRAPH: 223 if (ng_ipfw_input_p == NULL) { 224 ret = EACCES; 225 break; /* i.e. drop */ 226 } 227 ret = ng_ipfw_input_p(m0, dir, &args, 228 (ipfw == IP_FW_NGTEE) ? 1 : 0); 229 if (ipfw == IP_FW_NGTEE) /* ignore errors for NGTEE */ 230 goto again; /* continue with packet */ 231 break; 232 233 case IP_FW_NAT: 234 /* honor one-pass in case of successful nat */ 235 if (V_fw_one_pass) 236 break; /* ret is already 0 */ 237 goto again; 238 239 case IP_FW_REASS: 240 goto again; /* continue with packet */ 241 242 default: 243 KASSERT(0, ("%s: unknown retval", __func__)); 244 } 245 246 if (ret != 0) { 247 if (*m0) 248 FREE_PKT(*m0); 249 *m0 = NULL; 250 } 251 if (*m0 && mtod(*m0, struct ip *)->ip_v == 4) 252 SET_HOST_IPLEN(mtod(*m0, struct ip *)); 253 return ret; 254} 255 256/* do the divert, return 1 on error 0 on success */ 257static int 258ipfw_divert(struct mbuf **m0, int incoming, struct ipfw_rule_ref *rule, 259 int tee) 260{ 261 /* 262 * ipfw_chk() has already tagged the packet with the divert tag. 263 * If tee is set, copy packet and return original. 264 * If not tee, consume packet and send it to divert socket. 265 */ 266 struct mbuf *clone; 267 struct ip *ip; 268 struct m_tag *tag; 269 270 /* Cloning needed for tee? */ 271 if (tee == 0) { 272 clone = *m0; /* use the original mbuf */ 273 *m0 = NULL; 274 } else { 275 clone = m_dup(*m0, M_DONTWAIT); 276 /* If we cannot duplicate the mbuf, we sacrifice the divert 277 * chain and continue with the tee-ed packet. 278 */ 279 if (clone == NULL) 280 return 1; 281 } 282 283 /* 284 * Divert listeners can normally handle non-fragmented packets, 285 * but we can only reass in the non-tee case. 286 * This means that listeners on a tee rule may get fragments, 287 * and have to live with that. 288 * Note that we now have the 'reass' ipfw option so if we care 289 * we can do it before a 'tee'. 290 */ 291 ip = mtod(clone, struct ip *); 292 if (!tee && ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) { 293 int hlen; 294 struct mbuf *reass; 295 296 SET_HOST_IPLEN(ip); /* ip_reass wants host order */ 297 reass = ip_reass(clone); /* Reassemble packet. */ 298 if (reass == NULL) 299 return 0; /* not an error */ 300 /* if reass = NULL then it was consumed by ip_reass */ 301 /* 302 * IP header checksum fixup after reassembly and leave header 303 * in network byte order. 304 */ 305 ip = mtod(reass, struct ip *); 306 hlen = ip->ip_hl << 2; 307 SET_NET_IPLEN(ip); 308 ip->ip_sum = 0; 309 if (hlen == sizeof(struct ip)) 310 ip->ip_sum = in_cksum_hdr(ip); 311 else 312 ip->ip_sum = in_cksum(reass, hlen); 313 clone = reass; 314 } 315 /* attach a tag to the packet with the reinject info */ 316 tag = m_tag_alloc(MTAG_IPFW_RULE, 0, 317 sizeof(struct ipfw_rule_ref), M_NOWAIT); 318 if (tag == NULL) { 319 FREE_PKT(clone); 320 return 1; 321 } 322 *((struct ipfw_rule_ref *)(tag+1)) = *rule; 323 m_tag_prepend(clone, tag); 324 325 /* Do the dirty job... */ 326 ip_divert_ptr(clone, incoming); 327 return 0; 328} 329 330/* 331 * attach or detach hooks for a given protocol family 332 */ 333static int 334ipfw_hook(int onoff, int pf) 335{ 336 struct pfil_head *pfh; 337 338 pfh = pfil_head_get(PFIL_TYPE_AF, pf); 339 if (pfh == NULL) 340 return ENOENT; 341 342 (void) (onoff ? pfil_add_hook : pfil_remove_hook) 343 (ipfw_check_hook, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh); 344 345 return 0; 346} 347 348int 349ipfw_attach_hooks(int arg) 350{ 351 int error = 0; 352 353 if (arg == 0) /* detach */ 354 ipfw_hook(0, AF_INET); 355 else if (V_fw_enable && ipfw_hook(1, AF_INET) != 0) { 356 error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */ 357 printf("ipfw_hook() error\n"); 358 } 359#ifdef INET6 360 if (arg == 0) /* detach */ 361 ipfw_hook(0, AF_INET6); 362 else if (V_fw6_enable && ipfw_hook(1, AF_INET6) != 0) { 363 error = ENOENT; 364 printf("ipfw6_hook() error\n"); 365 } 366#endif 367 return error; 368} 369 370int 371ipfw_chg_hook(SYSCTL_HANDLER_ARGS) 372{ 373 int enable; 374 int oldenable; 375 int error; 376 int af; 377 378 if (arg1 == &VNET_NAME(fw_enable)) { 379 enable = V_fw_enable; 380 af = AF_INET; 381 } 382#ifdef INET6 383 else if (arg1 == &VNET_NAME(fw6_enable)) { 384 enable = V_fw6_enable; 385 af = AF_INET6; 386 } 387#endif 388 else 389 return (EINVAL); 390 391 oldenable = enable; 392 393 error = sysctl_handle_int(oidp, &enable, 0, req); 394 395 if (error) 396 return (error); 397 398 enable = (enable) ? 1 : 0; 399 400 if (enable == oldenable) 401 return (0); 402 403 error = ipfw_hook(enable, af); 404 if (error) 405 return (error); 406 if (af == AF_INET) 407 V_fw_enable = enable; 408#ifdef INET6 409 else if (af == AF_INET6) 410 V_fw6_enable = enable; 411#endif 412 413 return (0); 414} 415/* end of file */
| 71#define V_fw6_enable VNET(fw6_enable) 72#endif 73 74int ipfw_chg_hook(SYSCTL_HANDLER_ARGS); 75 76/* Forward declarations. */ 77static int ipfw_divert(struct mbuf **, int, struct ipfw_rule_ref *, int); 78 79#ifdef SYSCTL_NODE 80 81SYSBEGIN(f1) 82 83SYSCTL_DECL(_net_inet_ip_fw); 84SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable, 85 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0, 86 ipfw_chg_hook, "I", "Enable ipfw"); 87#ifdef INET6 88SYSCTL_DECL(_net_inet6_ip6_fw); 89SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable, 90 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0, 91 ipfw_chg_hook, "I", "Enable ipfw+6"); 92#endif /* INET6 */ 93 94SYSEND 95 96#endif /* SYSCTL_NODE */ 97 98/* 99 * The pfilter hook to pass packets to ipfw_chk and then to 100 * dummynet, divert, netgraph or other modules. 101 * The packet may be consumed. 102 */ 103int 104ipfw_check_hook(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, 105 struct inpcb *inp) 106{ 107 struct ip_fw_args args; 108 struct m_tag *tag; 109 int ipfw; 110 int ret; 111 112 /* all the processing now uses ip_len in net format */ 113 if (mtod(*m0, struct ip *)->ip_v == 4) 114 SET_NET_IPLEN(mtod(*m0, struct ip *)); 115 116 /* convert dir to IPFW values */ 117 dir = (dir == PFIL_IN) ? DIR_IN : DIR_OUT; 118 bzero(&args, sizeof(args)); 119 120again: 121 /* 122 * extract and remove the tag if present. If we are left 123 * with onepass, optimize the outgoing path. 124 */ 125 tag = m_tag_locate(*m0, MTAG_IPFW_RULE, 0, NULL); 126 if (tag != NULL) { 127 args.rule = *((struct ipfw_rule_ref *)(tag+1)); 128 m_tag_delete(*m0, tag); 129 if (args.rule.info & IPFW_ONEPASS) { 130 SET_HOST_IPLEN(mtod(*m0, struct ip *)); 131 return 0; 132 } 133 } 134 135 args.m = *m0; 136 args.oif = dir == DIR_OUT ? ifp : NULL; 137 args.inp = inp; 138 139 ipfw = ipfw_chk(&args); 140 *m0 = args.m; 141 142 KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL", 143 __func__)); 144 145 /* breaking out of the switch means drop */ 146 ret = 0; /* default return value for pass */ 147 switch (ipfw) { 148 case IP_FW_PASS: 149 /* next_hop may be set by ipfw_chk */ 150 if (args.next_hop == NULL) 151 break; /* pass */ 152#ifndef IPFIREWALL_FORWARD 153 ret = EACCES; 154#else 155 { 156 struct m_tag *fwd_tag; 157 158 /* Incoming packets should not be tagged so we do not 159 * m_tag_find. Outgoing packets may be tagged, so we 160 * reuse the tag if present. 161 */ 162 fwd_tag = (dir == DIR_IN) ? NULL : 163 m_tag_find(*m0, PACKET_TAG_IPFORWARD, NULL); 164 if (fwd_tag != NULL) { 165 m_tag_unlink(*m0, fwd_tag); 166 } else { 167 fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD, 168 sizeof(struct sockaddr_in), M_NOWAIT); 169 if (fwd_tag == NULL) { 170 ret = EACCES; 171 break; /* i.e. drop */ 172 } 173 } 174 bcopy(args.next_hop, (fwd_tag+1), sizeof(struct sockaddr_in)); 175 m_tag_prepend(*m0, fwd_tag); 176 177 if (in_localip(args.next_hop->sin_addr)) 178 (*m0)->m_flags |= M_FASTFWD_OURS; 179 } 180#endif 181 break; 182 183 case IP_FW_DENY: 184 ret = EACCES; 185 break; /* i.e. drop */ 186 187 case IP_FW_DUMMYNET: 188 ret = EACCES; 189 if (ip_dn_io_ptr == NULL) 190 break; /* i.e. drop */ 191 if (mtod(*m0, struct ip *)->ip_v == 4) 192 ret = ip_dn_io_ptr(m0, dir, &args); 193 else if (mtod(*m0, struct ip *)->ip_v == 6) 194 ret = ip_dn_io_ptr(m0, dir | PROTO_IPV6, &args); 195 else 196 break; /* drop it */ 197 /* 198 * XXX should read the return value. 199 * dummynet normally eats the packet and sets *m0=NULL 200 * unless the packet can be sent immediately. In this 201 * case args is updated and we should re-run the 202 * check without clearing args. 203 */ 204 if (*m0 != NULL) 205 goto again; 206 break; 207 208 case IP_FW_TEE: 209 case IP_FW_DIVERT: 210 if (ip_divert_ptr == NULL) { 211 ret = EACCES; 212 break; /* i.e. drop */ 213 } 214 ret = ipfw_divert(m0, dir, &args.rule, 215 (ipfw == IP_FW_TEE) ? 1 : 0); 216 /* continue processing for the original packet (tee). */ 217 if (*m0) 218 goto again; 219 break; 220 221 case IP_FW_NGTEE: 222 case IP_FW_NETGRAPH: 223 if (ng_ipfw_input_p == NULL) { 224 ret = EACCES; 225 break; /* i.e. drop */ 226 } 227 ret = ng_ipfw_input_p(m0, dir, &args, 228 (ipfw == IP_FW_NGTEE) ? 1 : 0); 229 if (ipfw == IP_FW_NGTEE) /* ignore errors for NGTEE */ 230 goto again; /* continue with packet */ 231 break; 232 233 case IP_FW_NAT: 234 /* honor one-pass in case of successful nat */ 235 if (V_fw_one_pass) 236 break; /* ret is already 0 */ 237 goto again; 238 239 case IP_FW_REASS: 240 goto again; /* continue with packet */ 241 242 default: 243 KASSERT(0, ("%s: unknown retval", __func__)); 244 } 245 246 if (ret != 0) { 247 if (*m0) 248 FREE_PKT(*m0); 249 *m0 = NULL; 250 } 251 if (*m0 && mtod(*m0, struct ip *)->ip_v == 4) 252 SET_HOST_IPLEN(mtod(*m0, struct ip *)); 253 return ret; 254} 255 256/* do the divert, return 1 on error 0 on success */ 257static int 258ipfw_divert(struct mbuf **m0, int incoming, struct ipfw_rule_ref *rule, 259 int tee) 260{ 261 /* 262 * ipfw_chk() has already tagged the packet with the divert tag. 263 * If tee is set, copy packet and return original. 264 * If not tee, consume packet and send it to divert socket. 265 */ 266 struct mbuf *clone; 267 struct ip *ip; 268 struct m_tag *tag; 269 270 /* Cloning needed for tee? */ 271 if (tee == 0) { 272 clone = *m0; /* use the original mbuf */ 273 *m0 = NULL; 274 } else { 275 clone = m_dup(*m0, M_DONTWAIT); 276 /* If we cannot duplicate the mbuf, we sacrifice the divert 277 * chain and continue with the tee-ed packet. 278 */ 279 if (clone == NULL) 280 return 1; 281 } 282 283 /* 284 * Divert listeners can normally handle non-fragmented packets, 285 * but we can only reass in the non-tee case. 286 * This means that listeners on a tee rule may get fragments, 287 * and have to live with that. 288 * Note that we now have the 'reass' ipfw option so if we care 289 * we can do it before a 'tee'. 290 */ 291 ip = mtod(clone, struct ip *); 292 if (!tee && ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) { 293 int hlen; 294 struct mbuf *reass; 295 296 SET_HOST_IPLEN(ip); /* ip_reass wants host order */ 297 reass = ip_reass(clone); /* Reassemble packet. */ 298 if (reass == NULL) 299 return 0; /* not an error */ 300 /* if reass = NULL then it was consumed by ip_reass */ 301 /* 302 * IP header checksum fixup after reassembly and leave header 303 * in network byte order. 304 */ 305 ip = mtod(reass, struct ip *); 306 hlen = ip->ip_hl << 2; 307 SET_NET_IPLEN(ip); 308 ip->ip_sum = 0; 309 if (hlen == sizeof(struct ip)) 310 ip->ip_sum = in_cksum_hdr(ip); 311 else 312 ip->ip_sum = in_cksum(reass, hlen); 313 clone = reass; 314 } 315 /* attach a tag to the packet with the reinject info */ 316 tag = m_tag_alloc(MTAG_IPFW_RULE, 0, 317 sizeof(struct ipfw_rule_ref), M_NOWAIT); 318 if (tag == NULL) { 319 FREE_PKT(clone); 320 return 1; 321 } 322 *((struct ipfw_rule_ref *)(tag+1)) = *rule; 323 m_tag_prepend(clone, tag); 324 325 /* Do the dirty job... */ 326 ip_divert_ptr(clone, incoming); 327 return 0; 328} 329 330/* 331 * attach or detach hooks for a given protocol family 332 */ 333static int 334ipfw_hook(int onoff, int pf) 335{ 336 struct pfil_head *pfh; 337 338 pfh = pfil_head_get(PFIL_TYPE_AF, pf); 339 if (pfh == NULL) 340 return ENOENT; 341 342 (void) (onoff ? pfil_add_hook : pfil_remove_hook) 343 (ipfw_check_hook, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh); 344 345 return 0; 346} 347 348int 349ipfw_attach_hooks(int arg) 350{ 351 int error = 0; 352 353 if (arg == 0) /* detach */ 354 ipfw_hook(0, AF_INET); 355 else if (V_fw_enable && ipfw_hook(1, AF_INET) != 0) { 356 error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */ 357 printf("ipfw_hook() error\n"); 358 } 359#ifdef INET6 360 if (arg == 0) /* detach */ 361 ipfw_hook(0, AF_INET6); 362 else if (V_fw6_enable && ipfw_hook(1, AF_INET6) != 0) { 363 error = ENOENT; 364 printf("ipfw6_hook() error\n"); 365 } 366#endif 367 return error; 368} 369 370int 371ipfw_chg_hook(SYSCTL_HANDLER_ARGS) 372{ 373 int enable; 374 int oldenable; 375 int error; 376 int af; 377 378 if (arg1 == &VNET_NAME(fw_enable)) { 379 enable = V_fw_enable; 380 af = AF_INET; 381 } 382#ifdef INET6 383 else if (arg1 == &VNET_NAME(fw6_enable)) { 384 enable = V_fw6_enable; 385 af = AF_INET6; 386 } 387#endif 388 else 389 return (EINVAL); 390 391 oldenable = enable; 392 393 error = sysctl_handle_int(oidp, &enable, 0, req); 394 395 if (error) 396 return (error); 397 398 enable = (enable) ? 1 : 0; 399 400 if (enable == oldenable) 401 return (0); 402 403 error = ipfw_hook(enable, af); 404 if (error) 405 return (error); 406 if (af == AF_INET) 407 V_fw_enable = enable; 408#ifdef INET6 409 else if (af == AF_INET6) 410 V_fw6_enable = enable; 411#endif 412 413 return (0); 414} 415/* end of file */
|