fil.c revision 139282
1/* 2 * Copyright (C) 1993-2001 by Darren Reed. 3 * 4 * See the IPFILTER.LICENCE file for details on licencing. 5 */ 6#if defined(__sgi) && (IRIX > 602) 7# include <sys/ptimers.h> 8#endif 9#include <sys/errno.h> 10#include <sys/types.h> 11#include <sys/param.h> 12#include <sys/time.h> 13#include <sys/file.h> 14#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ 15 defined(_KERNEL) 16# include "opt_ipfilter_log.h" 17#endif 18#if (defined(KERNEL) || defined(_KERNEL)) && defined(__FreeBSD_version) && \ 19 (__FreeBSD_version >= 220000) 20# if (__FreeBSD_version >= 400000) 21# ifndef KLD_MODULE 22# include "opt_inet6.h" 23# endif 24# if (__FreeBSD_version == 400019) 25# define CSUM_DELAY_DATA 26# endif 27# endif 28# include <sys/filio.h> 29# include <sys/fcntl.h> 30#else 31# include <sys/ioctl.h> 32#endif 33#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux) 34# include <sys/systm.h> 35#else 36# include <stdio.h> 37# include <string.h> 38# include <stdlib.h> 39#endif 40#if !defined(__SVR4) && !defined(__svr4__) 41# ifndef linux 42# include <sys/mbuf.h> 43# endif 44#else 45# include <sys/cmn_err.h> 46# include <sys/byteorder.h> 47# if SOLARIS2 < 5 48# include <sys/dditypes.h> 49# endif 50# include <sys/stream.h> 51#endif 52#ifndef linux 53# include <sys/protosw.h> 54# include <sys/socket.h> 55#endif 56#include <net/if.h> 57#ifdef sun 58# include <net/af.h> 59#endif 60#include <net/route.h> 61#include <netinet/in.h> 62#include <netinet/in_systm.h> 63#include <netinet/ip.h> 64#ifndef linux 65# include <netinet/ip_var.h> 66#endif 67#if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */ 68# include <sys/hashing.h> 69# include <netinet/in_var.h> 70#endif 71#include <netinet/tcp.h> 72#include <netinet/udp.h> 73#include <netinet/ip_icmp.h> 74#include "netinet/ip_compat.h" 75#ifdef USE_INET6 76# include <netinet/icmp6.h> 77# if !SOLARIS && defined(_KERNEL) 78# include <netinet6/in6_var.h> 79# endif 80#endif 81#include <netinet/tcpip.h> 82#include "netinet/ip_fil.h" 83#include "netinet/ip_nat.h" 84#include "netinet/ip_frag.h" 85#include "netinet/ip_state.h" 86#include "netinet/ip_proxy.h" 87#include "netinet/ip_auth.h" 88# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) 89# include <sys/malloc.h> 90# if defined(_KERNEL) && !defined(IPFILTER_LKM) 91# include "opt_ipfilter.h" 92# endif 93# endif 94#ifndef MIN 95# define MIN(a,b) (((a)<(b))?(a):(b)) 96#endif 97#include "netinet/ipl.h" 98 99#include <machine/in_cksum.h> 100 101#if !defined(lint) 102static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; 103static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/fil.c 139282 2004-12-25 00:22:25Z scottl $"; 104#endif 105 106#ifndef _KERNEL 107# include "ipf.h" 108# include "ipt.h" 109extern int opts; 110 111# define FR_VERBOSE(verb_pr) verbose verb_pr 112# define FR_DEBUG(verb_pr) debug verb_pr 113# define IPLLOG(a, c, d, e) ipflog(a, c, d, e) 114#else /* #ifndef _KERNEL */ 115# define FR_VERBOSE(verb_pr) 116# define FR_DEBUG(verb_pr) 117# define IPLLOG(a, c, d, e) ipflog(a, c, d, e) 118# if SOLARIS || defined(__sgi) || (__FreeBSD_version >= 500043) 119extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat; 120extern kmutex_t ipf_rw; 121# endif /* SOLARIS || __sgi || __FreeBSD_version */ 122#endif /* _KERNEL */ 123 124 125struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}}; 126struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } }, 127#ifdef USE_INET6 128 *ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } }, 129 *ipacct6[2][2] = { { NULL, NULL }, { NULL, NULL } }, 130#endif 131 *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } }; 132struct frgroup *ipfgroups[3][2]; 133int fr_flags = IPF_LOGGING; 134int fr_active = 0; 135int fr_chksrc = 0; 136int fr_minttl = 3; 137int fr_minttllog = 1; 138#if defined(IPFILTER_DEFAULT_BLOCK) 139int fr_pass = FR_NOMATCH|FR_BLOCK; 140#else 141int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH); 142#endif 143char ipfilter_version[] = IPL_VERSION; 144 145fr_info_t frcache[2]; 146 147static int frflushlist __P((int, minor_t, int *, frentry_t **)); 148#ifdef _KERNEL 149static void frsynclist __P((frentry_t *)); 150# ifndef __sgi 151static void *ipf_pullup __P((mb_t *, fr_info_t *, int, void *)); 152# endif 153#endif 154 155 156/* 157 * bit values for identifying presence of individual IP options 158 */ 159struct optlist ipopts[20] = { 160 { IPOPT_NOP, 0x000001 }, 161 { IPOPT_RR, 0x000002 }, 162 { IPOPT_ZSU, 0x000004 }, 163 { IPOPT_MTUP, 0x000008 }, 164 { IPOPT_MTUR, 0x000010 }, 165 { IPOPT_ENCODE, 0x000020 }, 166 { IPOPT_TS, 0x000040 }, 167 { IPOPT_TR, 0x000080 }, 168 { IPOPT_SECURITY, 0x000100 }, 169 { IPOPT_LSRR, 0x000200 }, 170 { IPOPT_E_SEC, 0x000400 }, 171 { IPOPT_CIPSO, 0x000800 }, 172 { IPOPT_SATID, 0x001000 }, 173 { IPOPT_SSRR, 0x002000 }, 174 { IPOPT_ADDEXT, 0x004000 }, 175 { IPOPT_VISA, 0x008000 }, 176 { IPOPT_IMITD, 0x010000 }, 177 { IPOPT_EIP, 0x020000 }, 178 { IPOPT_FINN, 0x040000 }, 179 { 0, 0x000000 } 180}; 181 182/* 183 * bit values for identifying presence of individual IP security options 184 */ 185struct optlist secopt[8] = { 186 { IPSO_CLASS_RES4, 0x01 }, 187 { IPSO_CLASS_TOPS, 0x02 }, 188 { IPSO_CLASS_SECR, 0x04 }, 189 { IPSO_CLASS_RES3, 0x08 }, 190 { IPSO_CLASS_CONF, 0x10 }, 191 { IPSO_CLASS_UNCL, 0x20 }, 192 { IPSO_CLASS_RES2, 0x40 }, 193 { IPSO_CLASS_RES1, 0x80 } 194}; 195 196 197/* 198 * compact the IP header into a structure which contains just the info. 199 * which is useful for comparing IP headers with. 200 */ 201int fr_makefrip(hlen, ip, fin) 202int hlen; 203ip_t *ip; 204fr_info_t *fin; 205{ 206 u_short optmsk = 0, secmsk = 0, auth = 0; 207 int i, mv, ol, off, p, plen, v; 208#if defined(_KERNEL) 209# if SOLARIS 210 mb_t *m = fin->fin_qfm; 211# else 212 mb_t *m = fin->fin_mp ? *fin->fin_mp : NULL; 213# endif 214#endif 215 fr_ip_t *fi = &fin->fin_fi; 216 struct optlist *op; 217 u_char *s, opt; 218 tcphdr_t *tcp; 219 220 fin->fin_rev = 0; 221 fin->fin_dp = NULL; 222 fin->fin_fr = NULL; 223 fin->fin_tcpf = 0; 224 fin->fin_data[0] = 0; 225 fin->fin_data[1] = 0; 226 fin->fin_rule = -1; 227 fin->fin_group = -1; 228 fin->fin_icode = ipl_unreach; 229 v = fin->fin_v; 230 fi->fi_v = v; 231 fin->fin_hlen = hlen; 232 if (v == 4) { 233 fin->fin_id = ip->ip_id; 234 fi->fi_tos = ip->ip_tos; 235#if (OpenBSD >= 200311) && defined(_KERNEL) 236 ip->ip_off = ntohs(ip->ip_off); 237#endif 238 off = (ip->ip_off & IP_OFFMASK); 239 (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4)); 240 fi->fi_src.i6[1] = 0; 241 fi->fi_src.i6[2] = 0; 242 fi->fi_src.i6[3] = 0; 243 fi->fi_dst.i6[1] = 0; 244 fi->fi_dst.i6[2] = 0; 245 fi->fi_dst.i6[3] = 0; 246 fi->fi_saddr = ip->ip_src.s_addr; 247 fi->fi_daddr = ip->ip_dst.s_addr; 248 p = ip->ip_p; 249 fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0; 250 if (ip->ip_off & (IP_MF|IP_OFFMASK)) 251 fi->fi_fl |= FI_FRAG; 252#if (OpenBSD >= 200311) && defined(_KERNEL) 253 ip->ip_len = ntohs(ip->ip_len); 254#endif 255 plen = ip->ip_len; 256 fin->fin_dlen = plen - hlen; 257 } 258#ifdef USE_INET6 259 else if (v == 6) { 260 ip6_t *ip6 = (ip6_t *)ip; 261 262 off = 0; 263 p = ip6->ip6_nxt; 264 fi->fi_p = p; 265 fi->fi_ttl = ip6->ip6_hlim; 266 fi->fi_src.in6 = ip6->ip6_src; 267 fi->fi_dst.in6 = ip6->ip6_dst; 268 fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff); 269 fi->fi_tos = 0; 270 fi->fi_fl = 0; 271 plen = ntohs(ip6->ip6_plen); 272 fin->fin_dlen = plen; 273 plen += sizeof(*ip6); 274 } 275#endif 276 else 277 return -1; 278 279 fin->fin_off = off; 280 fin->fin_plen = plen; 281 tcp = (tcphdr_t *)((char *)ip + hlen); 282 fin->fin_misc = 0; 283 off <<= 3; 284 285 /* 286 * For both ICMPV6 & ICMP, we attempt to pullup the entire packet into 287 * a single buffer for recognised error return packets. Why? Because 288 * the entire data section of the ICMP payload is considered to be of 289 * significance and maybe required in NAT/state processing, so rather 290 * than be careful later, attempt to get it all in one buffeer first. 291 * For TCP we just make sure the _entire_ TCP header is in the first 292 * buffer for convienience. 293 */ 294 switch (p) 295 { 296#ifdef USE_INET6 297 case IPPROTO_ICMPV6 : 298 { 299 int minicmpsz = sizeof(struct icmp6_hdr); 300 struct icmp6_hdr *icmp6; 301 302 if (!(fin->fin_fl & FI_SHORT) && (fin->fin_dlen > 1)) { 303 fin->fin_data[0] = *(u_short *)tcp; 304 305 icmp6 = (struct icmp6_hdr *)tcp; 306 307 switch (icmp6->icmp6_type) 308 { 309 case ICMP6_ECHO_REPLY : 310 case ICMP6_ECHO_REQUEST : 311 minicmpsz = ICMP6_MINLEN; 312 break; 313 case ICMP6_DST_UNREACH : 314 case ICMP6_PACKET_TOO_BIG : 315 case ICMP6_TIME_EXCEEDED : 316 case ICMP6_PARAM_PROB : 317# if defined(KERNEL) && !defined(__sgi) 318 if ((m != NULL) && (M_BLEN(m) < plen)) { 319 ip = ipf_pullup(m, fin, plen, ip); 320 if (ip == NULL) 321 return -1; 322 tcp = (tcphdr_t *)((char *)ip + hlen); 323 } 324# endif /* KERNEL && !__sgi */ 325 minicmpsz = ICMP6ERR_IPICMPHLEN; 326 break; 327 default : 328 break; 329 } 330 } 331 332 if (!(fin->fin_dlen >= minicmpsz)) 333 fi->fi_fl |= FI_SHORT; 334 335 break; 336 } 337#endif /* USE_INET6 */ 338 339 case IPPROTO_ICMP : 340 { 341 int minicmpsz = sizeof(struct icmp); 342 icmphdr_t *icmp; 343 344 if (!off && (fin->fin_dlen > 1) && !(fin->fin_fl & FI_SHORT)) { 345 fin->fin_data[0] = *(u_short *)tcp; 346 347 icmp = (icmphdr_t *)tcp; 348 349 /* 350 * Minimum ICMP packet is type(1) code(1) cksum(2) 351 * plus 4 bytes following, totalling 8 bytes. 352 */ 353 switch (icmp->icmp_type) 354 { 355 case ICMP_ECHOREPLY : 356 case ICMP_ECHO : 357 /* Router discovery messages - RFC 1256 */ 358 case ICMP_ROUTERADVERT : 359 case ICMP_ROUTERSOLICIT : 360 minicmpsz = ICMP_MINLEN; 361 break; 362 /* 363 * type(1) + code(1) + cksum(2) + id(2) seq(2) + 364 * 3*timestamp(3*4) 365 */ 366 case ICMP_TSTAMP : 367 case ICMP_TSTAMPREPLY : 368 minicmpsz = ICMP_MINLEN + 12; 369 break; 370 /* 371 * type(1) + code(1) + cksum(2) + id(2) seq(2) + 372 * mask(4) 373 */ 374 case ICMP_MASKREQ : 375 case ICMP_MASKREPLY : 376 minicmpsz = ICMP_MINLEN + 4; 377 break; 378 /* 379 * type(1) + code(1) + cksum(2) + arg(4) ip(20+) 380 */ 381 case ICMP_UNREACH : 382 case ICMP_SOURCEQUENCH : 383 case ICMP_REDIRECT : 384 case ICMP_TIMXCEED : 385 case ICMP_PARAMPROB : 386#if defined(KERNEL) && !defined(__sgi) 387 if ((m != NULL) && (M_BLEN(m) < plen)) { 388 ip = ipf_pullup(m, fin, plen, ip); 389 if (ip == NULL) 390 return -1; 391 tcp = (tcphdr_t *)((char *)ip + hlen); 392 } 393#endif /* KERNEL && !__sgi */ 394 minicmpsz = ICMPERR_MINPKTLEN - sizeof(ip_t); 395 break; 396 default : 397 minicmpsz = ICMP_MINLEN; 398 break; 399 } 400 } 401 402 if ((!(plen >= hlen + minicmpsz) && !off) || 403 (off && off < sizeof(struct icmp))) 404 fi->fi_fl |= FI_SHORT; 405 break; 406 } 407 408 case IPPROTO_TCP : 409 fi->fi_fl |= FI_TCPUDP; 410#ifdef USE_INET6 411 if (v == 6) { 412 if (plen < sizeof(struct tcphdr)) 413 fi->fi_fl |= FI_SHORT; 414 } else 415#endif 416 if (v == 4) { 417 if ((!IPMINLEN(ip, tcphdr) && !off) || 418 (off && off < sizeof(struct tcphdr))) 419 fi->fi_fl |= FI_SHORT; 420 } 421 422#if defined(KERNEL) && !defined(__sgi) 423 if (!off && !(fi->fi_fl & FI_SHORT)) { 424 int tlen = hlen + (tcp->th_off << 2); 425 426 if ((m != NULL) && (M_BLEN(m) < tlen)) { 427 ip = ipf_pullup(m, fin, tlen, ip); 428 if (ip == NULL) 429 return -1; 430 tcp = (tcphdr_t *)((char *)ip + hlen); 431 } 432 } 433#endif /* _KERNEL && !_sgi */ 434 435 if (!(fi->fi_fl & FI_SHORT) && !off) 436 fin->fin_tcpf = tcp->th_flags; 437 goto getports; 438 case IPPROTO_UDP : 439 fi->fi_fl |= FI_TCPUDP; 440#ifdef USE_INET6 441 if (v == 6) { 442 if (plen < sizeof(struct udphdr)) 443 fi->fi_fl |= FI_SHORT; 444 } else 445#endif 446 if (v == 4) { 447 if ((!IPMINLEN(ip, udphdr) && !off) || 448 (off && off < sizeof(struct udphdr))) 449 fi->fi_fl |= FI_SHORT; 450 } 451getports: 452 if (!off && (fin->fin_dlen > 3)) { 453 fin->fin_data[0] = ntohs(tcp->th_sport); 454 fin->fin_data[1] = ntohs(tcp->th_dport); 455 } 456 break; 457 case IPPROTO_ESP : 458#ifdef USE_INET6 459 if (v == 6) { 460 if (plen < 8) 461 fi->fi_fl |= FI_SHORT; 462 } else 463#endif 464 if (v == 4) { 465 if (((ip->ip_len < hlen + 8) && !off) || 466 (off && off < 8)) 467 fi->fi_fl |= FI_SHORT; 468 } 469 break; 470 default : 471 break; 472 } 473 474 fin->fin_dp = (char *)tcp; 475 476#ifdef USE_INET6 477 if (v == 6) { 478 fi->fi_optmsk = 0; 479 fi->fi_secmsk = 0; 480 fi->fi_auth = 0; 481 return 0; 482 } 483#endif 484 485 for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) { 486 opt = *s; 487 if (opt == '\0') 488 break; 489 else if (opt == IPOPT_NOP) 490 ol = 1; 491 else { 492 if (hlen < 2) 493 break; 494 ol = (int)*(s + 1); 495 if (ol < 2 || ol > hlen) 496 break; 497 } 498 for (i = 9, mv = 4; mv >= 0; ) { 499 op = ipopts + i; 500 if (opt == (u_char)op->ol_val) { 501 optmsk |= op->ol_bit; 502 if (opt == IPOPT_SECURITY) { 503 struct optlist *sp; 504 u_char sec; 505 int j, m; 506 507 sec = *(s + 2); /* classification */ 508 for (j = 3, m = 2; m >= 0; ) { 509 sp = secopt + j; 510 if (sec == sp->ol_val) { 511 secmsk |= sp->ol_bit; 512 auth = *(s + 3); 513 auth *= 256; 514 auth += *(s + 4); 515 break; 516 } 517 if (sec < sp->ol_val) 518 j -= m--; 519 else 520 j += m--; 521 } 522 } 523 break; 524 } 525 if (opt < op->ol_val) 526 i -= mv--; 527 else 528 i += mv--; 529 } 530 hlen -= ol; 531 s += ol; 532 } 533 if (auth && !(auth & 0x0100)) 534 auth &= 0xff00; 535 fi->fi_optmsk = optmsk; 536 fi->fi_secmsk = secmsk; 537 fi->fi_auth = auth; 538 return 0; 539} 540 541 542/* 543 * check an IP packet for TCP/UDP characteristics such as ports and flags. 544 */ 545int fr_tcpudpchk(ft, fin) 546frtuc_t *ft; 547fr_info_t *fin; 548{ 549 register u_short po, tup; 550 register char i; 551 register int err = 1; 552 553 /* 554 * Both ports should *always* be in the first fragment. 555 * So far, I cannot find any cases where they can not be. 556 * 557 * compare destination ports 558 */ 559 if ((i = (int)ft->ftu_dcmp)) { 560 po = ft->ftu_dport; 561 tup = fin->fin_data[1]; 562 /* 563 * Do opposite test to that required and 564 * continue if that succeeds. 565 */ 566 if (!--i && tup != po) /* EQUAL */ 567 err = 0; 568 else if (!--i && tup == po) /* NOTEQUAL */ 569 err = 0; 570 else if (!--i && tup >= po) /* LESSTHAN */ 571 err = 0; 572 else if (!--i && tup <= po) /* GREATERTHAN */ 573 err = 0; 574 else if (!--i && tup > po) /* LT or EQ */ 575 err = 0; 576 else if (!--i && tup < po) /* GT or EQ */ 577 err = 0; 578 else if (!--i && /* Out of range */ 579 (tup >= po && tup <= ft->ftu_dtop)) 580 err = 0; 581 else if (!--i && /* In range */ 582 (tup <= po || tup >= ft->ftu_dtop)) 583 err = 0; 584 } 585 /* 586 * compare source ports 587 */ 588 if (err && (i = (int)ft->ftu_scmp)) { 589 po = ft->ftu_sport; 590 tup = fin->fin_data[0]; 591 if (!--i && tup != po) 592 err = 0; 593 else if (!--i && tup == po) 594 err = 0; 595 else if (!--i && tup >= po) 596 err = 0; 597 else if (!--i && tup <= po) 598 err = 0; 599 else if (!--i && tup > po) 600 err = 0; 601 else if (!--i && tup < po) 602 err = 0; 603 else if (!--i && /* Out of range */ 604 (tup >= po && tup <= ft->ftu_stop)) 605 err = 0; 606 else if (!--i && /* In range */ 607 (tup <= po || tup >= ft->ftu_stop)) 608 err = 0; 609 } 610 611 /* 612 * If we don't have all the TCP/UDP header, then how can we 613 * expect to do any sort of match on it ? If we were looking for 614 * TCP flags, then NO match. If not, then match (which should 615 * satisfy the "short" class too). 616 */ 617 if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) { 618 if (fin->fin_fl & FI_SHORT) 619 return !(ft->ftu_tcpf | ft->ftu_tcpfm); 620 /* 621 * Match the flags ? If not, abort this match. 622 */ 623 if (ft->ftu_tcpfm && 624 ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) { 625 FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf, 626 ft->ftu_tcpfm, ft->ftu_tcpf)); 627 err = 0; 628 } 629 } 630 return err; 631} 632 633/* 634 * Check the input/output list of rules for a match and result. 635 * Could be per interface, but this gets real nasty when you don't have 636 * kernel sauce. 637 */ 638int fr_scanlist(passin, ip, fin, m) 639u_32_t passin; 640ip_t *ip; 641register fr_info_t *fin; 642void *m; 643{ 644 register struct frentry *fr; 645 register fr_ip_t *fi = &fin->fin_fi; 646 int rulen, portcmp = 0, off, skip = 0, logged = 0; 647 u_32_t pass, passt, passl; 648 frentry_t *frl; 649 650 frl = NULL; 651 pass = passin; 652 fr = fin->fin_fr; 653 fin->fin_fr = NULL; 654 off = fin->fin_off; 655 656 if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off) 657 portcmp = 1; 658 659 for (rulen = 0; fr; fr = fr->fr_next, rulen++) { 660 if (skip) { 661 FR_VERBOSE(("%d (%#x)\n", skip, fr->fr_flags)); 662 skip--; 663 continue; 664 } 665 /* 666 * In all checks below, a null (zero) value in the 667 * filter struture is taken to mean a wildcard. 668 * 669 * check that we are working for the right interface 670 */ 671#ifdef _KERNEL 672# if (BSD >= 199306) 673 if (fin->fin_out != 0) { 674 if ((fr->fr_oifa && 675 (fr->fr_oifa != ((mb_t *)m)->m_pkthdr.rcvif))) 676 continue; 677 } 678# endif 679#else 680 if (opts & (OPT_VERBOSE|OPT_DEBUG)) 681 printf("\n"); 682#endif 683 684 FR_VERBOSE(("%c", fr->fr_skip ? 's' : 685 (pass & FR_PASS) ? 'p' : 686 (pass & FR_AUTH) ? 'a' : 687 (pass & FR_ACCOUNT) ? 'A' : 688 (pass & FR_NOMATCH) ? 'n' : 'b')); 689 690 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp) 691 continue; 692 693 FR_VERBOSE((":i")); 694 { 695 register u_32_t *ld, *lm, *lip; 696 register int i; 697 698 lip = (u_32_t *)fi; 699 lm = (u_32_t *)&fr->fr_mip; 700 ld = (u_32_t *)&fr->fr_ip; 701 i = ((*lip & *lm) != *ld); 702 FR_DEBUG(("0. %#08x & %#08x != %#08x\n", 703 *lip, *lm, *ld)); 704 if (i) 705 continue; 706 /* 707 * We now know whether the packet version and the 708 * rule version match, along with protocol, ttl and 709 * tos. 710 */ 711 lip++, lm++, ld++; 712 /* 713 * Unrolled loops (4 each, for 32 bits). 714 */ 715 FR_DEBUG(("1a. %#08x & %#08x != %#08x\n", 716 *lip, *lm, *ld)); 717 i |= ((*lip++ & *lm++) != *ld++) << 5; 718 if (fi->fi_v == 6) { 719 FR_DEBUG(("1b. %#08x & %#08x != %#08x\n", 720 *lip, *lm, *ld)); 721 i |= ((*lip++ & *lm++) != *ld++) << 5; 722 FR_DEBUG(("1c. %#08x & %#08x != %#08x\n", 723 *lip, *lm, *ld)); 724 i |= ((*lip++ & *lm++) != *ld++) << 5; 725 FR_DEBUG(("1d. %#08x & %#08x != %#08x\n", 726 *lip, *lm, *ld)); 727 i |= ((*lip++ & *lm++) != *ld++) << 5; 728 } else { 729 lip += 3; 730 lm += 3; 731 ld += 3; 732 } 733 i ^= (fr->fr_flags & FR_NOTSRCIP); 734 if (i) 735 continue; 736 FR_DEBUG(("2a. %#08x & %#08x != %#08x\n", 737 *lip, *lm, *ld)); 738 i |= ((*lip++ & *lm++) != *ld++) << 6; 739 if (fi->fi_v == 6) { 740 FR_DEBUG(("2b. %#08x & %#08x != %#08x\n", 741 *lip, *lm, *ld)); 742 i |= ((*lip++ & *lm++) != *ld++) << 6; 743 FR_DEBUG(("2c. %#08x & %#08x != %#08x\n", 744 *lip, *lm, *ld)); 745 i |= ((*lip++ & *lm++) != *ld++) << 6; 746 FR_DEBUG(("2d. %#08x & %#08x != %#08x\n", 747 *lip, *lm, *ld)); 748 i |= ((*lip++ & *lm++) != *ld++) << 6; 749 } else { 750 lip += 3; 751 lm += 3; 752 ld += 3; 753 } 754 i ^= (fr->fr_flags & FR_NOTDSTIP); 755 if (i) 756 continue; 757 FR_DEBUG(("3. %#08x & %#08x != %#08x\n", 758 *lip, *lm, *ld)); 759 i |= ((*lip++ & *lm++) != *ld++); 760 FR_DEBUG(("4. %#08x & %#08x != %#08x\n", 761 *lip, *lm, *ld)); 762 i |= ((*lip & *lm) != *ld); 763 if (i) 764 continue; 765 } 766 767 /* 768 * If a fragment, then only the first has what we're looking 769 * for here... 770 */ 771 if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf || 772 fr->fr_tcpfm)) 773 continue; 774 if (fi->fi_fl & FI_TCPUDP) { 775 if (!fr_tcpudpchk(&fr->fr_tuc, fin)) 776 continue; 777 } else if (fr->fr_icmpm || fr->fr_icmp) { 778 if (((fi->fi_p != IPPROTO_ICMP) && 779 (fi->fi_p != IPPROTO_ICMPV6)) || off || 780 (fin->fin_dlen < 2)) 781 continue; 782 if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) { 783 FR_DEBUG(("i. %#x & %#x != %#x\n", 784 fin->fin_data[0], fr->fr_icmpm, 785 fr->fr_icmp)); 786 continue; 787 } 788 } 789 FR_VERBOSE(("*")); 790 791 if (fr->fr_flags & FR_NOMATCH) { 792 passt = passl; 793 passl = passin; 794 fin->fin_fr = frl; 795 frl = NULL; 796 if (fr->fr_flags & FR_QUICK) 797 break; 798 continue; 799 } 800 801 passl = passt; 802 passt = fr->fr_flags; 803 frl = fin->fin_fr; 804 fin->fin_fr = fr; 805#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL)) 806 if (securelevel <= 0) 807#endif 808 if ((passt & FR_CALLNOW) && fr->fr_func) 809 passt = (*fr->fr_func)(passt, ip, fin); 810#ifdef IPFILTER_LOG 811 /* 812 * Just log this packet... 813 */ 814 if ((passt & FR_LOGMASK) == FR_LOG) { 815 if (!IPLLOG(passt, ip, fin, m)) { 816 if (passt & FR_LOGORBLOCK) 817 passt |= FR_BLOCK|FR_QUICK; 818 ATOMIC_INCL(frstats[fin->fin_out].fr_skip); 819 } 820 ATOMIC_INCL(frstats[fin->fin_out].fr_pkl); 821 logged = 1; 822 } 823#endif /* IPFILTER_LOG */ 824 ATOMIC_INCL(fr->fr_hits); 825 if (passt & FR_ACCOUNT) 826 fr->fr_bytes += (U_QUAD_T)fin->fin_plen; 827 else 828 fin->fin_icode = fr->fr_icode; 829 fin->fin_rule = rulen; 830 fin->fin_group = fr->fr_group; 831 if (fr->fr_grp != NULL) { 832 fin->fin_fr = fr->fr_grp; 833 passt = fr_scanlist(passt, ip, fin, m); 834 if (fin->fin_fr == NULL) { 835 fin->fin_rule = rulen; 836 fin->fin_group = fr->fr_group; 837 fin->fin_fr = fr; 838 } 839 if (passt & FR_DONTCACHE) 840 logged = 1; 841 } 842 if (!(skip = fr->fr_skip) && (passt & FR_LOGMASK) != FR_LOG) 843 pass = passt; 844 FR_DEBUG(("pass %#x\n", pass)); 845 if (passt & FR_QUICK) 846 break; 847 } 848 if (logged) 849 pass |= FR_DONTCACHE; 850 pass |= (fi->fi_fl << 24); 851 return pass; 852} 853 854 855/* 856 * frcheck - filter check 857 * check using source and destination addresses/ports in a packet whether 858 * or not to pass it on or not. 859 */ 860int fr_check(ip, hlen, ifp, out 861#if defined(_KERNEL) && SOLARIS 862, qif, mp) 863qif_t *qif; 864#else 865, mp) 866#endif 867mb_t **mp; 868ip_t *ip; 869int hlen; 870void *ifp; 871int out; 872{ 873 /* 874 * The above really sucks, but short of writing a diff 875 */ 876 fr_info_t frinfo, *fc; 877 register fr_info_t *fin = &frinfo; 878 int changed, error = EHOSTUNREACH, v = ip->ip_v; 879 frentry_t *fr = NULL, *list; 880 u_32_t pass, apass; 881#if !SOLARIS || !defined(_KERNEL) 882 register mb_t *m = *mp; 883#endif 884 885#ifdef _KERNEL 886 int p, len, drop = 0, logit = 0; 887 mb_t *mc = NULL; 888# if !defined(__SVR4) && !defined(__svr4__) 889 /* 890 * We don't do this section for Solaris because fr_precheck() does a 891 * pullupmsg() instead, effectively achieving the same result as here 892 * so no need to duplicate it. 893 */ 894# ifdef __sgi 895 char hbuf[128]; 896# endif 897 int up; 898 899# if !defined(NETBSD_PF) && \ 900 ((defined(__FreeBSD__) && (__FreeBSD_version < 500011)) || \ 901 defined(__OpenBSD__) || defined(_BSDI_VERSION)) 902 if (fr_checkp != fr_check && fr_running > 0) { 903 static int counter = 0; 904 905 if (counter == 0) { 906 printf("WARNING: fr_checkp corrupt: value %lx\n", 907 (u_long)fr_checkp); 908 printf("WARNING: fr_checkp should be %lx\n", 909 (u_long)fr_check); 910 printf("WARNING: fixing fr_checkp\n"); 911 } 912 fr_checkp = fr_check; 913 counter++; 914 if (counter == 10000) 915 counter = 0; 916 } 917# endif 918 919# ifdef M_CANFASTFWD 920 /* 921 * XXX For now, IP Filter and fast-forwarding of cached flows 922 * XXX are mutually exclusive. Eventually, IP Filter should 923 * XXX get a "can-fast-forward" filter rule. 924 */ 925 m->m_flags &= ~M_CANFASTFWD; 926# endif /* M_CANFASTFWD */ 927# ifdef CSUM_DELAY_DATA 928 /* 929 * disable delayed checksums. 930 */ 931 if ((out != 0) && (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA)) { 932 in_delayed_cksum(m); 933 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 934 } 935# endif /* CSUM_DELAY_DATA */ 936 937# ifdef USE_INET6 938 if (v == 6) { 939 len = ntohs(((ip6_t*)ip)->ip6_plen); 940 if (!len) 941 return -1; /* potential jumbo gram */ 942 len += sizeof(ip6_t); 943 p = ((ip6_t *)ip)->ip6_nxt; 944 } else 945# endif 946 { 947 p = ip->ip_p; 948 len = ip->ip_len; 949 } 950 951 fin->fin_mp = mp; 952 fin->fin_out = out; 953 954 if ((p == IPPROTO_TCP || p == IPPROTO_UDP || 955 (v == 4 && p == IPPROTO_ICMP) 956# ifdef USE_INET6 957 || (v == 6 && p == IPPROTO_ICMPV6) 958# endif 959 )) { 960 int plen = 0; 961 962 if ((v == 6) || (ip->ip_off & IP_OFFMASK) == 0) 963 switch(p) 964 { 965 case IPPROTO_TCP: 966 plen = sizeof(tcphdr_t); 967 break; 968 case IPPROTO_UDP: 969 plen = sizeof(udphdr_t); 970 break; 971 /* 96 - enough for complete ICMP error IP header */ 972 case IPPROTO_ICMP: 973 plen = ICMPERR_MAXPKTLEN - sizeof(ip_t); 974 break; 975 case IPPROTO_ESP: 976 plen = 8; 977 break; 978# ifdef USE_INET6 979 case IPPROTO_ICMPV6 : 980 /* 981 * XXX does not take intermediate header 982 * into account 983 */ 984 plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t); 985 break; 986# endif 987 } 988 if ((plen > 0) && (len < hlen + plen)) 989 fin->fin_fl |= FI_SHORT; 990 up = MIN(hlen + plen, len); 991 992 if (up > m->m_len) { 993# ifdef __sgi 994 /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */ 995 if ((up > sizeof(hbuf)) || (m_length(m) < up)) { 996 ATOMIC_INCL(frstats[out].fr_pull[1]); 997 return -1; 998 } 999 m_copydata(m, 0, up, hbuf); 1000 ATOMIC_INCL(frstats[out].fr_pull[0]); 1001 ip = (ip_t *)hbuf; 1002# else /* __ sgi */ 1003# ifndef linux 1004 /* 1005 * Having determined that we need to pullup some data, 1006 * try to bring as much of the packet up into a single 1007 * buffer with the first pullup. This hopefully means 1008 * less need for doing futher pullups. Not needed for 1009 * Solaris because fr_precheck() does it anyway. 1010 * 1011 * The main potential for trouble here is if MLEN/MHLEN 1012 * become quite small, lets say < 64 bytes...but if 1013 * that did happen, BSD networking as a whole would be 1014 * slow/inefficient. 1015 */ 1016# ifdef MHLEN 1017 /* 1018 * Assume that M_PKTHDR is set and just work with what 1019 * is left rather than check.. Should not make any 1020 * real difference, anyway. 1021 */ 1022 if ((MHLEN > up) && (len > up)) 1023 up = MIN(len, MHLEN); 1024# else 1025 if ((MLEN > up) && (len > up)) 1026 up = MIN(len, MLEN); 1027# endif 1028 ip = ipf_pullup(m, fin, up, ip); 1029 if (ip == NULL) 1030 return -1; 1031 m = *mp; 1032# endif /* !linux */ 1033# endif /* __sgi */ 1034 } else 1035 up = 0; 1036 } else 1037 up = 0; 1038# endif /* !defined(__SVR4) && !defined(__svr4__) */ 1039# if SOLARIS 1040 mb_t *m = qif->qf_m; 1041 1042 if ((u_int)ip & 0x3) 1043 return 2; 1044 fin->fin_mp = mp; 1045 fin->fin_out = out; 1046 fin->fin_qfm = m; 1047 fin->fin_qif = qif; 1048# endif 1049#else 1050 fin->fin_mp = mp; 1051 fin->fin_out = out; 1052#endif /* _KERNEL */ 1053 1054#ifndef __FreeBSD__ 1055 /* 1056 * Be careful here: ip_id is in network byte order when called 1057 * from ip_output() 1058 */ 1059 if ((out) && (v == 4)) 1060 ip->ip_id = ntohs(ip->ip_id); 1061#endif 1062 1063 changed = 0; 1064 fin->fin_v = v; 1065 fin->fin_ifp = ifp; 1066 if (fr_makefrip(hlen, ip, fin) == -1) 1067 return -1; 1068 1069#ifdef _KERNEL 1070# ifdef USE_INET6 1071 if (v == 6) { 1072 ATOMIC_INCL(frstats[0].fr_ipv6[out]); 1073 if (((ip6_t *)ip)->ip6_hlim < fr_minttl) { 1074 ATOMIC_INCL(frstats[0].fr_badttl); 1075 if (fr_minttllog & 1) 1076 logit = -3; 1077 if (fr_minttllog & 2) 1078 drop = 1; 1079 } 1080 } else 1081# endif 1082 if (!out) { 1083 if (fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) { 1084 ATOMIC_INCL(frstats[0].fr_badsrc); 1085 if (fr_chksrc & 1) 1086 drop = 1; 1087 if (fr_chksrc & 2) 1088 logit = -2; 1089 } else if (ip->ip_ttl < fr_minttl) { 1090 ATOMIC_INCL(frstats[0].fr_badttl); 1091 if (fr_minttllog & 1) 1092 logit = -3; 1093 if (fr_minttllog & 2) 1094 drop = 1; 1095 } 1096 } 1097 if (drop) { 1098# ifdef IPFILTER_LOG 1099 if (logit) { 1100 fin->fin_group = logit; 1101 pass = FR_INQUE|FR_NOMATCH|FR_LOGB; 1102 (void) IPLLOG(pass, ip, fin, m); 1103 } 1104# endif 1105# if !SOLARIS 1106 m_freem(m); 1107# endif 1108 return error; 1109 } 1110#endif 1111 pass = fr_pass; 1112 if (fin->fin_fl & FI_SHORT) { 1113 ATOMIC_INCL(frstats[out].fr_short); 1114 } 1115 1116 READ_ENTER(&ipf_mutex); 1117 1118 /* 1119 * Check auth now. This, combined with the check below to see if apass 1120 * is 0 is to ensure that we don't count the packet twice, which can 1121 * otherwise occur when we reprocess it. As it is, we only count it 1122 * after it has no auth. table matchup. This also stops NAT from 1123 * occuring until after the packet has been auth'd. 1124 */ 1125 apass = fr_checkauth(ip, fin); 1126 1127 if (!out) { 1128#ifdef USE_INET6 1129 if (v == 6) 1130 list = ipacct6[0][fr_active]; 1131 else 1132#endif 1133 list = ipacct[0][fr_active]; 1134 changed = ip_natin(ip, fin); 1135 if (!apass && (fin->fin_fr = list) && 1136 (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) { 1137 ATOMIC_INCL(frstats[0].fr_acct); 1138 } 1139 } 1140 1141 if (!apass) { 1142 if ((fin->fin_fl & FI_FRAG) == FI_FRAG) 1143 fr = ipfr_knownfrag(ip, fin); 1144 if (!fr && !(fin->fin_fl & FI_SHORT)) 1145 fr = fr_checkstate(ip, fin); 1146 if (fr != NULL) 1147 pass = fr->fr_flags; 1148 if (fr && (pass & FR_LOGFIRST)) 1149 pass &= ~(FR_LOGFIRST|FR_LOG); 1150 } 1151 1152 if (apass || !fr) { 1153 /* 1154 * If a packet is found in the auth table, then skip checking 1155 * the access lists for permission but we do need to consider 1156 * the result as if it were from the ACL's. 1157 */ 1158 if (!apass) { 1159 fc = frcache + out; 1160 if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) { 1161 /* 1162 * copy cached data so we can unlock the mutex 1163 * earlier. 1164 */ 1165 bcopy((char *)fc, (char *)fin, FI_COPYSIZE); 1166 ATOMIC_INCL(frstats[out].fr_chit); 1167 if ((fr = fin->fin_fr)) { 1168 ATOMIC_INCL(fr->fr_hits); 1169 pass = fr->fr_flags; 1170 } 1171 } else { 1172#ifdef USE_INET6 1173 if (v == 6) 1174 list = ipfilter6[out][fr_active]; 1175 else 1176#endif 1177 list = ipfilter[out][fr_active]; 1178 if ((fin->fin_fr = list)) 1179 pass = fr_scanlist(fr_pass, ip, fin, m); 1180 if (!(pass & (FR_KEEPSTATE|FR_DONTCACHE))) 1181 bcopy((char *)fin, (char *)fc, 1182 FI_COPYSIZE); 1183 if (pass & FR_NOMATCH) { 1184 ATOMIC_INCL(frstats[out].fr_nom); 1185 fin->fin_fr = NULL; 1186 } 1187 } 1188 } else 1189 pass = apass; 1190 fr = fin->fin_fr; 1191 1192 /* 1193 * If we fail to add a packet to the authorization queue, 1194 * then we drop the packet later. However, if it was added 1195 * then pretend we've dropped it already. 1196 */ 1197 if ((pass & FR_AUTH)) { 1198 if (fr_newauth((mb_t *)m, fin, ip) != 0) { 1199 m = *mp = NULL; 1200 error = 0; 1201 } else 1202 error = ENOSPC; 1203 } 1204 1205 if (pass & FR_PREAUTH) { 1206 READ_ENTER(&ipf_auth); 1207 if ((fin->fin_fr = ipauth) && 1208 (pass = fr_scanlist(0, ip, fin, m))) { 1209 ATOMIC_INCL(fr_authstats.fas_hits); 1210 } else { 1211 ATOMIC_INCL(fr_authstats.fas_miss); 1212 } 1213 RWLOCK_EXIT(&ipf_auth); 1214 } 1215 1216 fin->fin_fr = fr; 1217 if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) { 1218 if (fin->fin_fl & FI_FRAG) { 1219 if (ipfr_newfrag(ip, fin) == -1) { 1220 ATOMIC_INCL(frstats[out].fr_bnfr); 1221 } else { 1222 ATOMIC_INCL(frstats[out].fr_nfr); 1223 } 1224 } else { 1225 ATOMIC_INCL(frstats[out].fr_cfr); 1226 } 1227 } 1228 if (pass & FR_KEEPSTATE) { 1229 if (fr_addstate(ip, fin, NULL, 0) == NULL) { 1230 ATOMIC_INCL(frstats[out].fr_bads); 1231 if (pass & FR_PASS) { 1232 pass &= ~FR_PASS; 1233 pass |= FR_BLOCK; 1234 } 1235 } else { 1236 ATOMIC_INCL(frstats[out].fr_ads); 1237 } 1238 } 1239 } else if (fr != NULL) { 1240 pass = fr->fr_flags; 1241 if (pass & FR_LOGFIRST) 1242 pass &= ~(FR_LOGFIRST|FR_LOG); 1243 } 1244 1245#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL)) 1246 if (securelevel <= 0) 1247#endif 1248 if (fr && fr->fr_func && !(pass & FR_CALLNOW)) 1249 pass = (*fr->fr_func)(pass, ip, fin); 1250 1251 /* 1252 * Only count/translate packets which will be passed on, out the 1253 * interface. 1254 */ 1255 if (out && (pass & FR_PASS)) { 1256#ifdef USE_INET6 1257 if (v == 6) 1258 list = ipacct6[1][fr_active]; 1259 else 1260#endif 1261 list = ipacct[1][fr_active]; 1262 if (list != NULL) { 1263 u_32_t sg, sr; 1264 1265 fin->fin_fr = list; 1266 sg = fin->fin_group; 1267 sr = fin->fin_rule; 1268 if (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT) { 1269 ATOMIC_INCL(frstats[1].fr_acct); 1270 } 1271 fin->fin_group = sg; 1272 fin->fin_rule = sr; 1273 fin->fin_fr = fr; 1274 } 1275 changed = ip_natout(ip, fin); 1276 } else 1277 fin->fin_fr = fr; 1278 RWLOCK_EXIT(&ipf_mutex); 1279 1280#ifdef IPFILTER_LOG 1281 if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) { 1282 if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) { 1283 pass |= FF_LOGNOMATCH; 1284 ATOMIC_INCL(frstats[out].fr_npkl); 1285 goto logit; 1286 } else if (((pass & FR_LOGMASK) == FR_LOGP) || 1287 ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) { 1288 if ((pass & FR_LOGMASK) != FR_LOGP) 1289 pass |= FF_LOGPASS; 1290 ATOMIC_INCL(frstats[out].fr_ppkl); 1291 goto logit; 1292 } else if (((pass & FR_LOGMASK) == FR_LOGB) || 1293 ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) { 1294 if ((pass & FR_LOGMASK) != FR_LOGB) 1295 pass |= FF_LOGBLOCK; 1296 ATOMIC_INCL(frstats[out].fr_bpkl); 1297logit: 1298 if (!IPLLOG(pass, ip, fin, m)) { 1299 ATOMIC_INCL(frstats[out].fr_skip); 1300 if ((pass & (FR_PASS|FR_LOGORBLOCK)) == 1301 (FR_PASS|FR_LOGORBLOCK)) 1302 pass ^= FR_PASS|FR_BLOCK; 1303 } 1304 } 1305 } 1306#endif /* IPFILTER_LOG */ 1307 1308#ifndef __FreeBSD__ 1309 if ((out) && (v == 4)) 1310 ip->ip_id = htons(ip->ip_id); 1311#endif 1312 1313#ifdef _KERNEL 1314 /* 1315 * Only allow FR_DUP to work if a rule matched - it makes no sense to 1316 * set FR_DUP as a "default" as there are no instructions about where 1317 * to send the packet. 1318 */ 1319 if (fr && (pass & FR_DUP)) 1320# if SOLARIS 1321 mc = dupmsg(m); 1322# else 1323# if defined(__OpenBSD__) && (OpenBSD >= 199905) 1324 mc = m_copym2(m, 0, M_COPYALL, M_DONTWAIT); 1325# else 1326 mc = m_copy(m, 0, M_COPYALL); 1327# endif 1328# endif 1329#endif 1330 if (pass & FR_PASS) { 1331 ATOMIC_INCL(frstats[out].fr_pass); 1332 } else if (pass & FR_BLOCK) { 1333 ATOMIC_INCL(frstats[out].fr_block); 1334 /* 1335 * Should we return an ICMP packet to indicate error 1336 * status passing through the packet filter ? 1337 * WARNING: ICMP error packets AND TCP RST packets should 1338 * ONLY be sent in repsonse to incoming packets. Sending them 1339 * in response to outbound packets can result in a panic on 1340 * some operating systems. 1341 */ 1342 if (!out) { 1343 if (changed == -1) 1344 /* 1345 * If a packet results in a NAT error, do not 1346 * send a reset or ICMP error as it may disrupt 1347 * an existing flow. This is the proxy saying 1348 * the content is bad so just drop the packet 1349 * silently. 1350 */ 1351 ; 1352 else if (pass & FR_RETICMP) { 1353 int dst; 1354 1355 if ((pass & FR_RETMASK) == FR_FAKEICMP) 1356 dst = 1; 1357 else 1358 dst = 0; 1359 send_icmp_err(ip, ICMP_UNREACH, fin, dst); 1360 ATOMIC_INCL(frstats[0].fr_ret); 1361 } else if (((pass & FR_RETMASK) == FR_RETRST) && 1362 !(fin->fin_fl & FI_SHORT)) { 1363 if (send_reset(ip, fin) == 0) { 1364 ATOMIC_INCL(frstats[1].fr_ret); 1365 } 1366 } 1367 } else { 1368 if (pass & FR_RETRST) 1369 error = ECONNRESET; 1370 } 1371 } 1372 1373 /* 1374 * If we didn't drop off the bottom of the list of rules (and thus 1375 * the 'current' rule fr is not NULL), then we may have some extra 1376 * instructions about what to do with a packet. 1377 * Once we're finished return to our caller, freeing the packet if 1378 * we are dropping it (* BSD ONLY *). 1379 */ 1380 if ((changed == -1) && (pass & FR_PASS)) { 1381 pass &= ~FR_PASS; 1382 pass |= FR_BLOCK; 1383 } 1384#if defined(_KERNEL) 1385# if !SOLARIS 1386# if !defined(linux) 1387 if (fr) { 1388 frdest_t *fdp = &fr->fr_tif; 1389 1390 if (((pass & FR_FASTROUTE) && !out) || 1391 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) { 1392 (void) ipfr_fastroute(m, mp, fin, fdp); 1393 m = *mp; 1394 } 1395 1396 if (mc != NULL) 1397 (void) ipfr_fastroute(mc, &mc, fin, &fr->fr_dif); 1398 } 1399 1400 if (!(pass & FR_PASS) && m) { 1401 m_freem(m); 1402 m = *mp = NULL; 1403 } 1404# ifdef __sgi 1405 else if (changed && up && m) 1406 m_copyback(m, 0, up, hbuf); 1407# endif 1408# endif /* !linux */ 1409# else /* !SOLARIS */ 1410 if (fr) { 1411 frdest_t *fdp = &fr->fr_tif; 1412 1413 if (((pass & FR_FASTROUTE) && !out) || 1414 (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) 1415 (void) ipfr_fastroute(ip, m, mp, fin, fdp); 1416 1417 if (mc != NULL) 1418 (void) ipfr_fastroute(ip, mc, &mc, fin, &fr->fr_dif); 1419 } 1420# endif /* !SOLARIS */ 1421#if (OpenBSD >= 200311) && defined(_KERNEL) 1422 if (pass & FR_PASS) { 1423 ip->ip_len = htons(ip->ip_len); 1424 ip->ip_off = htons(ip->ip_off); 1425 } 1426#endif 1427 return (pass & FR_PASS) ? 0 : error; 1428#else /* _KERNEL */ 1429 if (pass & FR_NOMATCH) 1430 return 1; 1431 if (pass & FR_PASS) 1432 return 0; 1433 if (pass & FR_AUTH) 1434 return -2; 1435 if ((pass & FR_RETMASK) == FR_RETRST) 1436 return -3; 1437 if ((pass & FR_RETMASK) == FR_RETICMP) 1438 return -4; 1439 if ((pass & FR_RETMASK) == FR_FAKEICMP) 1440 return -5; 1441 return -1; 1442#endif /* _KERNEL */ 1443} 1444 1445 1446/* 1447 * ipf_cksum 1448 * addr should be 16bit aligned and len is in bytes. 1449 * length is in bytes 1450 */ 1451u_short ipf_cksum(addr, len) 1452register u_short *addr; 1453register int len; 1454{ 1455 register u_32_t sum = 0; 1456 1457 for (sum = 0; len > 1; len -= 2) 1458 sum += *addr++; 1459 1460 /* mop up an odd byte, if necessary */ 1461 if (len == 1) 1462 sum += *(u_char *)addr; 1463 1464 /* 1465 * add back carry outs from top 16 bits to low 16 bits 1466 */ 1467 sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ 1468 sum += (sum >> 16); /* add carry */ 1469 return (u_short)(~sum); 1470} 1471 1472 1473/* 1474 * NB: This function assumes we've pullup'd enough for all of the IP header 1475 * and the TCP header. We also assume that data blocks aren't allocated in 1476 * odd sizes. 1477 */ 1478u_short fr_tcpsum(m, ip, tcp) 1479mb_t *m; 1480ip_t *ip; 1481tcphdr_t *tcp; 1482{ 1483 u_short *sp, slen, ts; 1484 u_int sum, sum2; 1485 int hlen; 1486 1487 /* 1488 * Add up IP Header portion 1489 */ 1490 hlen = ip->ip_hl << 2; 1491 slen = ip->ip_len - hlen; 1492 sum = htons((u_short)ip->ip_p); 1493 sum += htons(slen); 1494 sp = (u_short *)&ip->ip_src; 1495 sum += *sp++; /* ip_src */ 1496 sum += *sp++; 1497 sum += *sp++; /* ip_dst */ 1498 sum += *sp++; 1499 ts = tcp->th_sum; 1500 tcp->th_sum = 0; 1501#ifdef KERNEL 1502# if SOLARIS 1503 sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */ 1504 sum2 = (sum2 & 0xffff) + (sum2 >> 16); 1505 sum2 = ~sum2 & 0xffff; 1506# else /* SOLARIS */ 1507# if defined(BSD) || defined(sun) 1508# if BSD >= 199306 1509 m->m_data += hlen; 1510# else 1511 m->m_off += hlen; 1512# endif 1513 m->m_len -= hlen; 1514 sum2 = in_cksum(m, slen); 1515 m->m_len += hlen; 1516# if BSD >= 199306 1517 m->m_data -= hlen; 1518# else 1519 m->m_off -= hlen; 1520# endif 1521 /* 1522 * Both sum and sum2 are partial sums, so combine them together. 1523 */ 1524 sum += ~sum2 & 0xffff; 1525 while (sum > 0xffff) 1526 sum = (sum & 0xffff) + (sum >> 16); 1527 sum2 = ~sum & 0xffff; 1528# else /* defined(BSD) || defined(sun) */ 1529{ 1530 union { 1531 u_char c[2]; 1532 u_short s; 1533 } bytes; 1534 u_short len = ip->ip_len; 1535# if defined(__sgi) 1536 int add; 1537# endif 1538 1539 /* 1540 * Add up IP Header portion 1541 */ 1542 sp = (u_short *)&ip->ip_src; 1543 len -= (ip->ip_hl << 2); 1544 sum = ntohs(IPPROTO_TCP); 1545 sum += htons(len); 1546 sum += *sp++; /* ip_src */ 1547 sum += *sp++; 1548 sum += *sp++; /* ip_dst */ 1549 sum += *sp++; 1550 if (sp != (u_short *)tcp) 1551 sp = (u_short *)tcp; 1552 sum += *sp++; /* sport */ 1553 sum += *sp++; /* dport */ 1554 sum += *sp++; /* seq */ 1555 sum += *sp++; 1556 sum += *sp++; /* ack */ 1557 sum += *sp++; 1558 sum += *sp++; /* off */ 1559 sum += *sp++; /* win */ 1560 sum += *sp++; /* Skip over checksum */ 1561 sum += *sp++; /* urp */ 1562 1563# ifdef __sgi 1564 /* 1565 * In case we had to copy the IP & TCP header out of mbufs, 1566 * skip over the mbuf bits which are the header 1567 */ 1568 if ((caddr_t)ip != mtod(m, caddr_t)) { 1569 hlen = (caddr_t)sp - (caddr_t)ip; 1570 while (hlen) { 1571 add = MIN(hlen, m->m_len); 1572 sp = (u_short *)(mtod(m, caddr_t) + add); 1573 hlen -= add; 1574 if (add == m->m_len) { 1575 m = m->m_next; 1576 if (!hlen) { 1577 if (!m) 1578 break; 1579 sp = mtod(m, u_short *); 1580 } 1581 PANIC((!m),("fr_tcpsum(1): not enough data")); 1582 } 1583 } 1584 } 1585# endif 1586 1587 if (!(len -= sizeof(*tcp))) 1588 goto nodata; 1589 while (len > 1) { 1590 if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) { 1591 m = m->m_next; 1592 PANIC((!m),("fr_tcpsum(2): not enough data")); 1593 sp = mtod(m, u_short *); 1594 } 1595 if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) { 1596 bytes.c[0] = *(u_char *)sp; 1597 m = m->m_next; 1598 PANIC((!m),("fr_tcpsum(3): not enough data")); 1599 sp = mtod(m, u_short *); 1600 bytes.c[1] = *(u_char *)sp; 1601 sum += bytes.s; 1602 sp = (u_short *)((u_char *)sp + 1); 1603 } 1604 if ((u_long)sp & 1) { 1605 bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s)); 1606 sum += bytes.s; 1607 } else 1608 sum += *sp++; 1609 len -= 2; 1610 } 1611 if (len) 1612 sum += ntohs(*(u_char *)sp << 8); 1613nodata: 1614 while (sum > 0xffff) 1615 sum = (sum & 0xffff) + (sum >> 16); 1616 sum2 = (u_short)(~sum & 0xffff); 1617} 1618# endif /* defined(BSD) || defined(sun) */ 1619# endif /* SOLARIS */ 1620#else /* KERNEL */ 1621 for (; slen > 1; slen -= 2) 1622 sum += *sp++; 1623 if (slen) 1624 sum += ntohs(*(u_char *)sp << 8); 1625 while (sum > 0xffff) 1626 sum = (sum & 0xffff) + (sum >> 16); 1627 sum2 = (u_short)(~sum & 0xffff); 1628#endif /* KERNEL */ 1629 tcp->th_sum = ts; 1630 return sum2; 1631} 1632 1633 1634#if defined(_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || defined(__sgi) ) 1635/* 1636 * Copyright (c) 1982, 1986, 1988, 1991, 1993 1637 * The Regents of the University of California. All rights reserved. 1638 * 1639 * Redistribution and use in source and binary forms, with or without 1640 * modification, are permitted provided that the following conditions 1641 * are met: 1642 * 1. Redistributions of source code must retain the above copyright 1643 * notice, this list of conditions and the following disclaimer. 1644 * 2. Redistributions in binary form must reproduce the above copyright 1645 * notice, this list of conditions and the following disclaimer in the 1646 * documentation and/or other materials provided with the distribution. 1647 * 4. Neither the name of the University nor the names of its contributors 1648 * may be used to endorse or promote products derived from this software 1649 * without specific prior written permission. 1650 * 1651 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 1652 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 1653 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 1654 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 1655 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 1656 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 1657 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 1658 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 1659 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 1660 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 1661 * SUCH DAMAGE. 1662 * 1663 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 1664 * $Id: fil.c,v 2.35.2.82 2004/06/20 10:27:47 darrenr Exp $ 1665 */ 1666/* 1667 * Copy data from an mbuf chain starting "off" bytes from the beginning, 1668 * continuing for "len" bytes, into the indicated buffer. 1669 */ 1670void 1671m_copydata(m, off, len, cp) 1672 register mb_t *m; 1673 register int off; 1674 register int len; 1675 caddr_t cp; 1676{ 1677 register unsigned count; 1678 1679 if (off < 0 || len < 0) 1680 panic("m_copydata"); 1681 while (off > 0) { 1682 if (m == 0) 1683 panic("m_copydata"); 1684 if (off < m->m_len) 1685 break; 1686 off -= m->m_len; 1687 m = m->m_next; 1688 } 1689 while (len > 0) { 1690 if (m == 0) 1691 panic("m_copydata"); 1692 count = MIN(m->m_len - off, len); 1693 bcopy(mtod(m, caddr_t) + off, cp, count); 1694 len -= count; 1695 cp += count; 1696 off = 0; 1697 m = m->m_next; 1698 } 1699} 1700 1701 1702# ifndef linux 1703/* 1704 * Copy data from a buffer back into the indicated mbuf chain, 1705 * starting "off" bytes from the beginning, extending the mbuf 1706 * chain if necessary. 1707 */ 1708void 1709m_copyback(m0, off, len, cp) 1710 struct mbuf *m0; 1711 register int off; 1712 register int len; 1713 caddr_t cp; 1714{ 1715 register int mlen; 1716 register struct mbuf *m = m0, *n; 1717 int totlen = 0; 1718 1719 if (m0 == 0) 1720 return; 1721 while (off > (mlen = m->m_len)) { 1722 off -= mlen; 1723 totlen += mlen; 1724 if (m->m_next == 0) { 1725 n = m_getclr(M_DONTWAIT, m->m_type); 1726 if (n == 0) 1727 goto out; 1728 n->m_len = min(MLEN, len + off); 1729 m->m_next = n; 1730 } 1731 m = m->m_next; 1732 } 1733 while (len > 0) { 1734 mlen = min (m->m_len - off, len); 1735 bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen); 1736 cp += mlen; 1737 len -= mlen; 1738 mlen += off; 1739 off = 0; 1740 totlen += mlen; 1741 if (len == 0) 1742 break; 1743 if (m->m_next == 0) { 1744 n = m_get(M_DONTWAIT, m->m_type); 1745 if (n == 0) 1746 break; 1747 n->m_len = min(MLEN, len); 1748 m->m_next = n; 1749 } 1750 m = m->m_next; 1751 } 1752out: 1753#if 0 1754 if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen)) 1755 m->m_pkthdr.len = totlen; 1756#endif 1757 return; 1758} 1759# endif /* linux */ 1760#endif /* (_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || __sgi) */ 1761 1762 1763frgroup_t *fr_findgroup(num, flags, which, set, fgpp) 1764u_32_t num, flags; 1765minor_t which; 1766int set; 1767frgroup_t ***fgpp; 1768{ 1769 frgroup_t *fg, **fgp; 1770 1771 if (which == IPL_LOGAUTH) 1772 fgp = &ipfgroups[2][set]; 1773 else if (flags & FR_ACCOUNT) 1774 fgp = &ipfgroups[1][set]; 1775 else if (flags & (FR_OUTQUE|FR_INQUE)) 1776 fgp = &ipfgroups[0][set]; 1777 else 1778 return NULL; 1779 1780 while ((fg = *fgp)) 1781 if (fg->fg_num == num) 1782 break; 1783 else 1784 fgp = &fg->fg_next; 1785 if (fgpp) 1786 *fgpp = fgp; 1787 return fg; 1788} 1789 1790 1791frgroup_t *fr_addgroup(num, fp, which, set) 1792u_32_t num; 1793frentry_t *fp; 1794minor_t which; 1795int set; 1796{ 1797 frgroup_t *fg, **fgp; 1798 1799 if ((fg = fr_findgroup(num, fp->fr_flags, which, set, &fgp))) 1800 return fg; 1801 1802 KMALLOC(fg, frgroup_t *); 1803 if (fg) { 1804 fg->fg_num = num; 1805 fg->fg_next = *fgp; 1806 fg->fg_head = fp; 1807 fg->fg_start = &fp->fr_grp; 1808 *fgp = fg; 1809 } 1810 return fg; 1811} 1812 1813 1814void fr_delgroup(num, flags, which, set) 1815u_32_t num, flags; 1816minor_t which; 1817int set; 1818{ 1819 frgroup_t *fg, **fgp; 1820 1821 if (!(fg = fr_findgroup(num, flags, which, set, &fgp))) 1822 return; 1823 1824 *fgp = fg->fg_next; 1825 KFREE(fg); 1826} 1827 1828 1829 1830/* 1831 * recursively flush rules from the list, descending groups as they are 1832 * encountered. if a rule is the head of a group and it has lost all its 1833 * group members, then also delete the group reference. 1834 */ 1835static int frflushlist(set, unit, nfreedp, listp) 1836int set; 1837minor_t unit; 1838int *nfreedp; 1839frentry_t **listp; 1840{ 1841 register int freed = 0, i; 1842 register frentry_t *fp; 1843 1844 while ((fp = *listp)) { 1845 *listp = fp->fr_next; 1846 if (fp->fr_grp) { 1847 i = frflushlist(set, unit, nfreedp, &fp->fr_grp); 1848 MUTEX_ENTER(&ipf_rw); 1849 fp->fr_ref -= i; 1850 MUTEX_EXIT(&ipf_rw); 1851 } 1852 1853 ATOMIC_DEC32(fp->fr_ref); 1854 if (fp->fr_grhead) { 1855 fr_delgroup(fp->fr_grhead, fp->fr_flags, 1856 unit, set); 1857 fp->fr_grhead = 0; 1858 } 1859 if (fp->fr_ref == 0) { 1860 KFREE(fp); 1861 freed++; 1862 } else 1863 fp->fr_next = NULL; 1864 } 1865 *nfreedp += freed; 1866 return freed; 1867} 1868 1869 1870int frflush(unit, proto, flags) 1871minor_t unit; 1872int proto, flags; 1873{ 1874 int flushed = 0, set; 1875 1876 if (unit != IPL_LOGIPF) 1877 return 0; 1878 WRITE_ENTER(&ipf_mutex); 1879 bzero((char *)frcache, sizeof(frcache[0]) * 2); 1880 1881 set = fr_active; 1882 if (flags & FR_INACTIVE) 1883 set = 1 - set; 1884 1885 if (flags & FR_OUTQUE) { 1886#ifdef USE_INET6 1887 if (proto == 0 || proto == 6) { 1888 (void) frflushlist(set, unit, 1889 &flushed, &ipfilter6[1][set]); 1890 (void) frflushlist(set, unit, 1891 &flushed, &ipacct6[1][set]); 1892 } 1893#endif 1894 if (proto == 0 || proto == 4) { 1895 (void) frflushlist(set, unit, 1896 &flushed, &ipfilter[1][set]); 1897 (void) frflushlist(set, unit, 1898 &flushed, &ipacct[1][set]); 1899 } 1900 } 1901 if (flags & FR_INQUE) { 1902#ifdef USE_INET6 1903 if (proto == 0 || proto == 6) { 1904 (void) frflushlist(set, unit, 1905 &flushed, &ipfilter6[0][set]); 1906 (void) frflushlist(set, unit, 1907 &flushed, &ipacct6[0][set]); 1908 } 1909#endif 1910 if (proto == 0 || proto == 4) { 1911 (void) frflushlist(set, unit, 1912 &flushed, &ipfilter[0][set]); 1913 (void) frflushlist(set, unit, 1914 &flushed, &ipacct[0][set]); 1915 } 1916 } 1917 RWLOCK_EXIT(&ipf_mutex); 1918 return flushed; 1919} 1920 1921 1922char *memstr(src, dst, slen, dlen) 1923char *src, *dst; 1924int slen, dlen; 1925{ 1926 char *s = NULL; 1927 1928 while (dlen >= slen) { 1929 if (bcmp(src, dst, slen) == 0) { 1930 s = dst; 1931 break; 1932 } 1933 dst++; 1934 dlen--; 1935 } 1936 return s; 1937} 1938 1939 1940void fixskip(listp, rp, addremove) 1941frentry_t **listp, *rp; 1942int addremove; 1943{ 1944 frentry_t *fp; 1945 int rules = 0, rn = 0; 1946 1947 for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++) 1948 ; 1949 1950 if (!fp) 1951 return; 1952 1953 for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++) 1954 if (fp->fr_skip && (rn + fp->fr_skip >= rules)) 1955 fp->fr_skip += addremove; 1956} 1957 1958 1959#ifdef _KERNEL 1960/* 1961 * count consecutive 1's in bit mask. If the mask generated by counting 1962 * consecutive 1's is different to that passed, return -1, else return # 1963 * of bits. 1964 */ 1965int countbits(ip) 1966u_32_t ip; 1967{ 1968 u_32_t ipn; 1969 int cnt = 0, i, j; 1970 1971 ip = ipn = ntohl(ip); 1972 for (i = 32; i; i--, ipn *= 2) 1973 if (ipn & 0x80000000) 1974 cnt++; 1975 else 1976 break; 1977 ipn = 0; 1978 for (i = 32, j = cnt; i; i--, j--) { 1979 ipn *= 2; 1980 if (j > 0) 1981 ipn++; 1982 } 1983 if (ipn == ip) 1984 return cnt; 1985 return -1; 1986} 1987 1988 1989/* 1990 * return the first IP Address associated with an interface 1991 */ 1992int fr_ifpaddr(v, ifptr, inp) 1993int v; 1994void *ifptr; 1995struct in_addr *inp; 1996{ 1997# ifdef USE_INET6 1998 struct in6_addr *inp6 = NULL; 1999# endif 2000# if SOLARIS 2001 ill_t *ill = ifptr; 2002# else 2003 struct ifnet *ifp = ifptr; 2004# endif 2005 struct in_addr in; 2006 2007# if SOLARIS 2008# ifdef USE_INET6 2009 if (v == 6) { 2010 struct in6_addr in6; 2011 2012 /* 2013 * First is always link local. 2014 */ 2015 if (ill->ill_ipif->ipif_next) 2016 in6 = ill->ill_ipif->ipif_next->ipif_v6lcl_addr; 2017 else 2018 bzero((char *)&in6, sizeof(in6)); 2019 bcopy((char *)&in6, (char *)inp, sizeof(in6)); 2020 } else 2021# endif 2022 { 2023 in.s_addr = ill->ill_ipif->ipif_local_addr; 2024 *inp = in; 2025 } 2026# else /* SOLARIS */ 2027# if linux 2028 ; 2029# else /* linux */ 2030 struct sockaddr_in *sin; 2031 struct ifaddr *ifa; 2032 2033# if (__FreeBSD_version >= 300000) 2034 ifa = TAILQ_FIRST(&ifp->if_addrhead); 2035# else 2036# if defined(__NetBSD__) || defined(__OpenBSD__) 2037 ifa = ifp->if_addrlist.tqh_first; 2038# else 2039# if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */ 2040 ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa; 2041# else 2042 ifa = ifp->if_addrlist; 2043# endif 2044# endif /* __NetBSD__ || __OpenBSD__ */ 2045# endif /* __FreeBSD_version >= 300000 */ 2046# if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK)) 2047 sin = (struct sockaddr_in *)&ifa->ifa_addr; 2048# else 2049 sin = (struct sockaddr_in *)ifa->ifa_addr; 2050 while (sin && ifa) { 2051 if ((v == 4) && (sin->sin_family == AF_INET)) 2052 break; 2053# ifdef USE_INET6 2054 if ((v == 6) && (sin->sin_family == AF_INET6)) { 2055 inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr; 2056 if (!IN6_IS_ADDR_LINKLOCAL(inp6) && 2057 !IN6_IS_ADDR_LOOPBACK(inp6)) 2058 break; 2059 } 2060# endif 2061# if (__FreeBSD_version >= 300000) 2062 ifa = TAILQ_NEXT(ifa, ifa_link); 2063# else 2064# if defined(__NetBSD__) || defined(__OpenBSD__) 2065 ifa = ifa->ifa_list.tqe_next; 2066# else 2067 ifa = ifa->ifa_next; 2068# endif 2069# endif /* __FreeBSD_version >= 300000 */ 2070 if (ifa) 2071 sin = (struct sockaddr_in *)ifa->ifa_addr; 2072 } 2073 if (ifa == NULL) 2074 sin = NULL; 2075 if (sin == NULL) 2076 return -1; 2077# endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */ 2078# ifdef USE_INET6 2079 if (v == 6) 2080 bcopy((char *)inp6, (char *)inp, sizeof(*inp6)); 2081 else 2082# endif 2083 { 2084 in = sin->sin_addr; 2085 *inp = in; 2086 } 2087# endif /* linux */ 2088# endif /* SOLARIS */ 2089 return 0; 2090} 2091 2092 2093static void frsynclist(fr) 2094register frentry_t *fr; 2095{ 2096 frdest_t *fdp; 2097 int i; 2098 2099 for (; fr; fr = fr->fr_next) { 2100 for (i = 0; i < 4; i++) { 2101 if ((fr->fr_ifnames[i][1] == '\0') && 2102 ((fr->fr_ifnames[i][0] == '-') || 2103 (fr->fr_ifnames[i][0] == '*'))) { 2104 fr->fr_ifas[i] = NULL; 2105 } else if (*fr->fr_ifnames[i]) { 2106 fr->fr_ifas[i] = GETUNIT(fr->fr_ifnames[i], 2107 fr->fr_v); 2108 if (!fr->fr_ifas[i]) 2109 fr->fr_ifas[i] = (void *)-1; 2110 } 2111 } 2112 2113 fdp = &fr->fr_dif; 2114 fr->fr_flags &= ~FR_DUP; 2115 if (*fdp->fd_ifname) { 2116 fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fr->fr_v); 2117 if (!fdp->fd_ifp) 2118 fdp->fd_ifp = (struct ifnet *)-1; 2119 else 2120 fr->fr_flags |= FR_DUP; 2121 } 2122 2123 fdp = &fr->fr_tif; 2124 if (*fdp->fd_ifname) { 2125 fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fr->fr_v); 2126 if (!fdp->fd_ifp) 2127 fdp->fd_ifp = (struct ifnet *)-1; 2128 } 2129 2130 if (fr->fr_grp) 2131 frsynclist(fr->fr_grp); 2132 } 2133} 2134 2135 2136void frsync() 2137{ 2138# if !SOLARIS 2139 register struct ifnet *ifp; 2140 2141# if defined(__OpenBSD__) || ((NetBSD >= 199511) && (NetBSD < 1991011)) || \ 2142 (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)) 2143# if (NetBSD >= 199905) || defined(__OpenBSD__) 2144 for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next) 2145# elif defined(__FreeBSD_version) && (__FreeBSD_version >= 500043) 2146 IFNET_RLOCK(); 2147 TAILQ_FOREACH(ifp, &ifnet, if_link) 2148# else 2149 for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_link.tqe_next) 2150# endif 2151# else 2152 for (ifp = ifnet; ifp; ifp = ifp->if_next) 2153# endif 2154 { 2155 ip_natsync(ifp); 2156 ip_statesync(ifp); 2157 } 2158 ip_natsync((struct ifnet *)-1); 2159# if defined(__FreeBSD_version) && (__FreeBSD_version >= 500043) 2160 IFNET_RUNLOCK(); 2161# endif 2162# endif /* !SOLARIS */ 2163 2164 WRITE_ENTER(&ipf_mutex); 2165 frsynclist(ipacct[0][fr_active]); 2166 frsynclist(ipacct[1][fr_active]); 2167 frsynclist(ipfilter[0][fr_active]); 2168 frsynclist(ipfilter[1][fr_active]); 2169#ifdef USE_INET6 2170 frsynclist(ipacct6[0][fr_active]); 2171 frsynclist(ipacct6[1][fr_active]); 2172 frsynclist(ipfilter6[0][fr_active]); 2173 frsynclist(ipfilter6[1][fr_active]); 2174#endif 2175 RWLOCK_EXIT(&ipf_mutex); 2176} 2177 2178 2179/* 2180 * In the functions below, bcopy() is called because the pointer being 2181 * copied _from_ in this instance is a pointer to a char buf (which could 2182 * end up being unaligned) and on the kernel's local stack. 2183 */ 2184int ircopyptr(a, b, c) 2185void *a, *b; 2186size_t c; 2187{ 2188 caddr_t ca; 2189 int err; 2190 2191#if SOLARIS 2192 if (copyin(a, (char *)&ca, sizeof(ca))) 2193 return EFAULT; 2194#else 2195 bcopy(a, &ca, sizeof(ca)); 2196#endif 2197 err = copyin(ca, b, c); 2198 if (err) 2199 err = EFAULT; 2200 return err; 2201} 2202 2203 2204int iwcopyptr(a, b, c) 2205void *a, *b; 2206size_t c; 2207{ 2208 caddr_t ca; 2209 int err; 2210 2211#if SOLARIS 2212 if (copyin(b, (char *)&ca, sizeof(ca))) 2213 return EFAULT; 2214#else 2215 bcopy(b, &ca, sizeof(ca)); 2216#endif 2217 err = copyout(a, ca, c); 2218 if (err) 2219 err = EFAULT; 2220 return err; 2221} 2222 2223#else /* _KERNEL */ 2224 2225 2226/* 2227 * return the first IP Address associated with an interface 2228 */ 2229int fr_ifpaddr(v, ifptr, inp) 2230int v; 2231void *ifptr; 2232struct in_addr *inp; 2233{ 2234 return 0; 2235} 2236 2237 2238int ircopyptr(a, b, c) 2239void *a, *b; 2240size_t c; 2241{ 2242 caddr_t ca; 2243 2244 bcopy(a, &ca, sizeof(ca)); 2245 bcopy(ca, b, c); 2246 return 0; 2247} 2248 2249 2250int iwcopyptr(a, b, c) 2251void *a, *b; 2252size_t c; 2253{ 2254 caddr_t ca; 2255 2256 bcopy(b, &ca, sizeof(ca)); 2257 bcopy(a, ca, c); 2258 return 0; 2259} 2260 2261 2262#endif 2263 2264 2265int fr_lock(data, lockp) 2266caddr_t data; 2267int *lockp; 2268{ 2269 int arg, error; 2270 2271 error = IRCOPY(data, (caddr_t)&arg, sizeof(arg)); 2272 if (!error) { 2273 error = IWCOPY((caddr_t)lockp, data, sizeof(*lockp)); 2274 if (!error) 2275 *lockp = arg; 2276 } 2277 return error; 2278} 2279 2280 2281void fr_getstat(fiop) 2282friostat_t *fiop; 2283{ 2284 bcopy((char *)frstats, (char *)fiop->f_st, sizeof(filterstats_t) * 2); 2285 fiop->f_locks[0] = fr_state_lock; 2286 fiop->f_locks[1] = fr_nat_lock; 2287 fiop->f_locks[2] = fr_frag_lock; 2288 fiop->f_locks[3] = fr_auth_lock; 2289 fiop->f_fin[0] = ipfilter[0][0]; 2290 fiop->f_fin[1] = ipfilter[0][1]; 2291 fiop->f_fout[0] = ipfilter[1][0]; 2292 fiop->f_fout[1] = ipfilter[1][1]; 2293 fiop->f_acctin[0] = ipacct[0][0]; 2294 fiop->f_acctin[1] = ipacct[0][1]; 2295 fiop->f_acctout[0] = ipacct[1][0]; 2296 fiop->f_acctout[1] = ipacct[1][1]; 2297#ifdef USE_INET6 2298 fiop->f_fin6[0] = ipfilter6[0][0]; 2299 fiop->f_fin6[1] = ipfilter6[0][1]; 2300 fiop->f_fout6[0] = ipfilter6[1][0]; 2301 fiop->f_fout6[1] = ipfilter6[1][1]; 2302 fiop->f_acctin6[0] = ipacct6[0][0]; 2303 fiop->f_acctin6[1] = ipacct6[0][1]; 2304 fiop->f_acctout6[0] = ipacct6[1][0]; 2305 fiop->f_acctout6[1] = ipacct6[1][1]; 2306#else 2307 fiop->f_fin6[0] = NULL; 2308 fiop->f_fin6[1] = NULL; 2309 fiop->f_fout6[0] = NULL; 2310 fiop->f_fout6[1] = NULL; 2311 fiop->f_acctin6[0] = NULL; 2312 fiop->f_acctin6[1] = NULL; 2313 fiop->f_acctout6[0] = NULL; 2314 fiop->f_acctout6[1] = NULL; 2315#endif 2316 fiop->f_active = fr_active; 2317 fiop->f_froute[0] = ipl_frouteok[0]; 2318 fiop->f_froute[1] = ipl_frouteok[1]; 2319 2320 fiop->f_running = fr_running; 2321 fiop->f_groups[0][0] = ipfgroups[0][0]; 2322 fiop->f_groups[0][1] = ipfgroups[0][1]; 2323 fiop->f_groups[1][0] = ipfgroups[1][0]; 2324 fiop->f_groups[1][1] = ipfgroups[1][1]; 2325 fiop->f_groups[2][0] = ipfgroups[2][0]; 2326 fiop->f_groups[2][1] = ipfgroups[2][1]; 2327#ifdef IPFILTER_LOG 2328 fiop->f_logging = 1; 2329#else 2330 fiop->f_logging = 0; 2331#endif 2332 fiop->f_defpass = fr_pass; 2333 strncpy(fiop->f_version, ipfilter_version, sizeof(fiop->f_version)); 2334} 2335 2336 2337#ifdef USE_INET6 2338int icmptoicmp6types[ICMP_MAXTYPE+1] = { 2339 ICMP6_ECHO_REPLY, /* 0: ICMP_ECHOREPLY */ 2340 -1, /* 1: UNUSED */ 2341 -1, /* 2: UNUSED */ 2342 ICMP6_DST_UNREACH, /* 3: ICMP_UNREACH */ 2343 -1, /* 4: ICMP_SOURCEQUENCH */ 2344 ND_REDIRECT, /* 5: ICMP_REDIRECT */ 2345 -1, /* 6: UNUSED */ 2346 -1, /* 7: UNUSED */ 2347 ICMP6_ECHO_REQUEST, /* 8: ICMP_ECHO */ 2348 -1, /* 9: UNUSED */ 2349 -1, /* 10: UNUSED */ 2350 ICMP6_TIME_EXCEEDED, /* 11: ICMP_TIMXCEED */ 2351 ICMP6_PARAM_PROB, /* 12: ICMP_PARAMPROB */ 2352 -1, /* 13: ICMP_TSTAMP */ 2353 -1, /* 14: ICMP_TSTAMPREPLY */ 2354 -1, /* 15: ICMP_IREQ */ 2355 -1, /* 16: ICMP_IREQREPLY */ 2356 -1, /* 17: ICMP_MASKREQ */ 2357 -1, /* 18: ICMP_MASKREPLY */ 2358}; 2359 2360 2361int icmptoicmp6unreach[ICMP_MAX_UNREACH] = { 2362 ICMP6_DST_UNREACH_ADDR, /* 0: ICMP_UNREACH_NET */ 2363 ICMP6_DST_UNREACH_ADDR, /* 1: ICMP_UNREACH_HOST */ 2364 -1, /* 2: ICMP_UNREACH_PROTOCOL */ 2365 ICMP6_DST_UNREACH_NOPORT, /* 3: ICMP_UNREACH_PORT */ 2366 -1, /* 4: ICMP_UNREACH_NEEDFRAG */ 2367 ICMP6_DST_UNREACH_NOTNEIGHBOR, /* 5: ICMP_UNREACH_SRCFAIL */ 2368 ICMP6_DST_UNREACH_ADDR, /* 6: ICMP_UNREACH_NET_UNKNOWN */ 2369 ICMP6_DST_UNREACH_ADDR, /* 7: ICMP_UNREACH_HOST_UNKNOWN */ 2370 -1, /* 8: ICMP_UNREACH_ISOLATED */ 2371 ICMP6_DST_UNREACH_ADMIN, /* 9: ICMP_UNREACH_NET_PROHIB */ 2372 ICMP6_DST_UNREACH_ADMIN, /* 10: ICMP_UNREACH_HOST_PROHIB */ 2373 -1, /* 11: ICMP_UNREACH_TOSNET */ 2374 -1, /* 12: ICMP_UNREACH_TOSHOST */ 2375 ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */ 2376}; 2377#endif 2378 2379 2380#ifndef _KERNEL 2381int mbuflen(buf) 2382mb_t *buf; 2383{ 2384 ip_t *ip; 2385 2386 ip = (ip_t *)buf; 2387 return ip->ip_len; 2388} 2389#endif 2390 2391 2392#if defined(_KERNEL) && !defined(__sgi) 2393void *ipf_pullup(m, fin, len, ipin) 2394mb_t *m; 2395fr_info_t *fin; 2396int len; 2397void *ipin; 2398{ 2399# if SOLARIS 2400 qif_t *qf = fin->fin_qif; 2401# endif 2402 int out = fin->fin_out, dpoff, ipoff; 2403 char *ip; 2404 2405 if (m == NULL) 2406 return NULL; 2407 2408 ipoff = (char *)ipin - MTOD(m, char *); 2409 if (fin->fin_dp != NULL) 2410 dpoff = (char *)fin->fin_dp - (char *)ipin; 2411 else 2412 dpoff = 0; 2413 2414 if (M_BLEN(m) < len) { 2415# if SOLARIS 2416 qif_t *qf = fin->fin_qif; 2417 int inc = 0; 2418 2419 if (ipoff > 0) { 2420 if ((ipoff & 3) != 0) { 2421 inc = 4 - (ipoff & 3); 2422 if (m->b_rptr - inc >= m->b_datap->db_base) 2423 m->b_rptr -= inc; 2424 else 2425 inc = 0; 2426 } 2427 } 2428 if (!pullupmsg(m, len + ipoff + inc)) { 2429 ATOMIC_INCL(frstats[out].fr_pull[1]); 2430 return NULL; 2431 } 2432 m->b_rptr += inc; 2433 ATOMIC_INCL(frstats[out].fr_pull[0]); 2434 qf->qf_data = MTOD(m, char *) + ipoff; 2435# else 2436# if (__FreeBSD_version >= 490000) 2437 if ((len > MHLEN) && ((m->m_flags & M_PKTHDR) != 0)) 2438 m = m_defrag(m, M_DONTWAIT); 2439 else 2440# endif 2441 m = m_pullup(m, len); 2442 *fin->fin_mp = m; 2443 if (m == NULL) { 2444 ATOMIC_INCL(frstats[out].fr_pull[1]); 2445 return NULL; 2446 } 2447 ATOMIC_INCL(frstats[out].fr_pull[0]); 2448# endif /* SOLARIS */ 2449 } 2450 ip = MTOD(m, char *) + ipoff; 2451 if (fin->fin_dp != NULL) 2452 fin->fin_dp = (char *)ip + dpoff; 2453 return ip; 2454} 2455#endif /* _KERNEL */ 2456