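--- a/sys/netinet/ipfw/ip_fw_pfil.c
+++ b/sys/netinet/ipfw/ip_fw_pfil.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 2004 Andre Oppermann, Internet Business Solutions AG
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
@@ -20,17 +20,17 @@
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw_pfil.c 223358 2011-06-21 06:06:47Z ae $");
+__FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw_pfil.c 223593 2011-06-27 12:21:11Z glebius $");
 
 #if !defined(KLD_MODULE)
 #include "opt_ipfw.h"
 #include "opt_ipdn.h"
 #include "opt_inet.h"
 #ifndef INET
 #error IPFIREWALL requires INET.
 #endif /* INET */
@@ -53,16 +53,20 @@
 #include <net/pfil.h>
 #include <net/vnet.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #include <netinet/ip_var.h>
 #include <netinet/ip_fw.h>
+#ifdef INET6
+#include <netinet/ip6.h>
+#include <netinet6/ip6_var.h>
+#endif
 #include <netinet/ipfw/ip_fw_private.h>
 #include <netgraph/ng_ipfw.h>
 
 #include <machine/in_cksum.h>
 
 static VNET_DEFINE(int, fw_enable) = 1;
 #define V_fw_enable VNET(fw_enable)
 
@@ -260,17 +264,17 @@
  int tee)
 {
  /*
  * ipfw_chk() has already tagged the packet with the divert tag.
  * If tee is set, copy packet and return original.
  * If not tee, consume packet and send it to divert socket.
  */
  struct mbuf *clone;
- struct ip *ip;
+ struct ip *ip = mtod(*m0, struct ip *);
  struct m_tag *tag;
 
  /* Cloning needed for tee? */
  if (tee == 0) {
  clone = *m0; /* use the original mbuf */
  *m0 = NULL;
  } else {
  clone = m_dup(*m0, M_DONTWAIT);
@@ -284,18 +288,19 @@
  /*
  * Divert listeners can normally handle non-fragmented packets,
  * but we can only reass in the non-tee case.
  * This means that listeners on a tee rule may get fragments,
  * and have to live with that.
  * Note that we now have the 'reass' ipfw option so if we care
  * we can do it before a 'tee'.
  */
- ip = mtod(clone, struct ip *);
- if (!tee && ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) {
+ if (!tee) switch (ip->ip_v) {
+ case IPVERSION:
+ if (ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) {
  int hlen;
  struct mbuf *reass;
 
  SET_HOST_IPLEN(ip); /* ip_reass wants host order */
  reass = ip_reass(clone); /* Reassemble packet. */
  if (reass == NULL)
  return 0; /* not an error */
  /* if reass = NULL then it was consumed by ip_reass */
@@ -307,17 +312,36 @@
  hlen = ip->ip_hl << 2;
  SET_NET_IPLEN(ip);
  ip->ip_sum = 0;
  if (hlen == sizeof(struct ip))
  ip->ip_sum = in_cksum_hdr(ip);
  else
  ip->ip_sum = in_cksum(reass, hlen);
  clone = reass;
+ }
+ break;
+#ifdef INET6
+ case IPV6_VERSION >> 4:
+ {
+ struct ip6_hdr *const ip6 = mtod(clone, struct ip6_hdr *);
+
+ if (ip6->ip6_nxt == IPPROTO_FRAGMENT) {
+ int nxt, off;
+
+ off = sizeof(struct ip6_hdr);
+ nxt = frag6_input(&clone, &off, 0);
+ if (nxt == IPPROTO_DONE)
+ return (0);
+ }
+ break;
+ }
+#endif
  }
+
  /* attach a tag to the packet with the reinject info */
  tag = m_tag_alloc(MTAG_IPFW_RULE, 0,
  sizeof(struct ipfw_rule_ref), M_NOWAIT);
  if (tag == NULL) {
  FREE_PKT(clone);
  return 1;
  }
  *((struct ipfw_rule_ref *)(tag+1)) = *rule;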
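Review bot: The new INET6 arm (new lines 323-334) casts `clone` to `struct ip6_hdr *` and reads `ip6_nxt`, and the switch itself keys on `ip->ip_v` read from `*m0` at new line 272, with no check visible here that the header bytes are contiguous in the first mbuf; this is presumably guaranteed because ipfw_chk() has already parsed the packet, but that dependency is not written down, so a comment above the switch such as `/* ipfw_chk() has already pulled up the IP header, so mtod() is safe here */` would make the contract explicit. It is also worth a one-line comment that `ip->ip_v` is valid for both families only because the version nibble sits at the same offset in the IPv4 and IPv6 headers, e.g. `/* ip_v is at the same offset in both the IPv4 and IPv6 headers */`. The switch has no `default:` arm, so a packet whose version field is neither value falls straight through to the tagging below; if that is intended, `default: break; /* not reassembled */` would say so. The enclosing function ipfw_divert() starts and ends outside the hunk.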