summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKjell Wooding <kjell@cvs.openbsd.org>2001-01-30 04:23:57 +0000
committerKjell Wooding <kjell@cvs.openbsd.org>2001-01-30 04:23:57 +0000
commit2f35ed6fbb48972a399c5b56df252d3edcf73809 (patch)
tree49eedc7734fae4d6f8043d6e330b2206e3ddbe06
parent35a4a2f01b30f9510e1be64c14580cca8ed556d5 (diff)
re-add local ipf changes that were whacked in the 3.4.16 merge. userland to follow
-rw-r--r--sys/netinet/fil.c18
-rw-r--r--sys/netinet/ip_auth.c8
-rw-r--r--sys/netinet/ip_fil.c87
-rw-r--r--sys/netinet/ip_fil.h8
-rw-r--r--sys/netinet/ip_frag.c19
-rw-r--r--sys/netinet/ip_log.c16
-rw-r--r--sys/netinet/ip_nat.c36
-rw-r--r--sys/netinet/ip_proxy.c18
-rw-r--r--sys/netinet/ip_state.c14
-rw-r--r--sys/netinet/ip_state.h11
10 files changed, 147 insertions, 88 deletions
diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c
index f3f70f32c21..6509da46d9e 100644
--- a/sys/netinet/fil.c
+++ b/sys/netinet/fil.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fil.c,v 1.27 2001/01/17 04:47:11 fgsch Exp $ */
+/* $OpenBSD: fil.c,v 1.28 2001/01/30 04:23:55 kjell Exp $ */
/*
* Copyright (C) 1993-2000 by Darren Reed.
@@ -77,7 +77,7 @@ static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.35.2.30 2000/12/17 05:49:2
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
+#include <netinet/ip_fil_compat.h>
#ifdef USE_INET6
# include <netinet/icmp6.h>
# if !SOLARIS && defined(_KERNEL)
@@ -85,12 +85,12 @@ static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.35.2.30 2000/12/17 05:49:2
# endif
#endif
#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_auth.h"
+#include <netinet/ip_fil.h>
+#include <netinet/ip_proxy.h>
+#include <netinet/ip_nat.h>
+#include <netinet/ip_frag.h>
+#include <netinet/ip_state.h>
+#include <netinet/ip_auth.h>
# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
@@ -100,7 +100,7 @@ static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.35.2.30 2000/12/17 05:49:2
#ifndef MIN
# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
-#include "netinet/ipl.h"
+#include <netinet/ipl.h>
#ifndef _KERNEL
# include "ipf.h"
diff --git a/sys/netinet/ip_auth.c b/sys/netinet/ip_auth.c
index 67904a1cb82..17046ab8283 100644
--- a/sys/netinet/ip_auth.c
+++ b/sys/netinet/ip_auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_auth.c,v 1.16 2001/01/17 07:25:18 fgsch Exp $ */
+/* $OpenBSD: ip_auth.c,v 1.17 2001/01/30 04:23:55 kjell Exp $ */
/*
* Copyright (C) 1998-2000 by Darren Reed & Guido van Rooij.
@@ -91,10 +91,10 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#endif
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
+#include <netinet/ip_fil_compat.h>
#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_auth.h"
+#include <netinet/ip_fil.h>
+#include <netinet/ip_auth.h>
#if !SOLARIS && !defined(linux)
# include <net/netisr.h>
# ifdef __FreeBSD__
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
index 11a41d22bf1..97d595ce821 100644
--- a/sys/netinet/ip_fil.c
+++ b/sys/netinet/ip_fil.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_fil.c,v 1.39 2001/01/17 05:16:37 fgsch Exp $ */
+/* $OpenBSD: ip_fil.c,v 1.40 2001/01/30 04:23:55 kjell Exp $ */
/*
* Copyright (C) 1993-2000 by Darren Reed.
@@ -99,16 +99,16 @@ static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.42.2.17 2000/10/19 15:3
# include <unistd.h>
# include <syslog.h>
#endif
-#include "netinet/ip_compat.h"
+#include <netinet/ip_fil_compat.h>
#ifdef USE_INET6
# include <netinet/icmp6.h>
#endif
-#include "netinet/ip_fil.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_auth.h"
+#include <netinet/ip_fil.h>
+#include <netinet/ip_proxy.h>
+#include <netinet/ip_nat.h>
+#include <netinet/ip_frag.h>
+#include <netinet/ip_state.h>
+#include <netinet/ip_auth.h>
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
#endif
@@ -133,7 +133,12 @@ extern int tcp_ttl;
# endif
#endif
+# if defined (__OpenBSD__)
+int ipl_unreach = ICMP_UNREACH_FILTER_PROHIB;
+# else
int ipl_unreach = ICMP_UNREACH_FILTER;
+# endif
+
u_long ipl_frouteok[2] = {0, 0};
static int frzerostats __P((caddr_t));
@@ -174,7 +179,7 @@ struct callout_handle ipfr_slowtimer_ch;
struct callout ipfr_slowtimer_ch;
#endif
#if defined(__OpenBSD__)
-#include <sys/timeout.h>
+# include <sys/timeout.h>
struct timeout ipfr_slowtimer_ch;
#endif
#if defined(__sgi) && defined(_KERNEL)
@@ -335,7 +340,7 @@ pfil_error:
timeout_add(&ipfr_slowtimer_ch, hz / 2);
# else
# if (__FreeBSD_version >= 300000) || defined(__sgi)
- ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
+ ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
# else
timeout(ipfr_slowtimer, NULL, hz/2);
# endif
@@ -367,7 +372,7 @@ int ipldetach()
# if (__FreeBSD_version >= 300000)
untimeout(ipfr_slowtimer, NULL, ipfr_slowtimer_ch);
# else
-# ifdef __sgi
+# ifdef __sgi
untimeout(ipfr_slowtimer_ch);
# else
untimeout(ipfr_slowtimer, NULL);
@@ -384,9 +389,7 @@ int ipldetach()
return 0;
}
-#if !defined(__OpenBSD__)
printf("%s unloaded\n", ipfilter_version);
-#endif
fr_checkp = fr_savep;
i = frflush(IPL_LOGIPF, i);
@@ -485,7 +488,34 @@ int mode;
unit = GET_MINOR(dev);
if ((IPL_LOGMAX < unit) || (unit < 0))
return ENXIO;
-#else
+
+# if defined(__OpenBSD__)
+ /* Prevent IPF changes when securelevel > 1 */
+ if (securelevel > 1) {
+ switch (cmd) {
+# ifndef IPFILTER_LKM
+ case SIOCFRENB:
+# endif
+ case SIOCSETFF:
+ case SIOCADAFR:
+ case SIOCADIFR:
+ case SIOCINAFR:
+ case SIOCINIFR:
+ case SIOCRMAFR:
+ case SIOCRMIFR:
+ case SIOCZRLST:
+ case SIOCSWAPA:
+ case SIOCFRZST:
+ case SIOCIPFFL:
+# ifdef IPFILTER_LOG
+ case SIOCIPFFB:
+# endif
+ case SIOCSTLCK:
+ return EPERM;
+ }
+ }
+# endif /* OpenBSD */
+#else /* _KERNEL */
unit = dev;
#endif
@@ -1404,11 +1434,9 @@ frdest_t *fdp;
# endif
i = 1;
# endif
-# ifndef sparc
ip->ip_id = htons(ip->ip_id);
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
-# endif
if (!ip->ip_sum)
ip->ip_sum = in_cksum(m, hlen);
# if BSD >= 199306
@@ -1487,9 +1515,7 @@ frdest_t *fdp;
m->m_pkthdr.len = mhlen + len;
m->m_pkthdr.rcvif = NULL;
# endif
-# ifndef sparc
mhip->ip_off = htons((u_short)mhip->ip_off);
-# endif
mhip->ip_sum = 0;
mhip->ip_sum = in_cksum(m, mhlen);
*mnext = m;
@@ -1584,6 +1610,7 @@ static int no_output __P((struct ifnet *ifp, struct mbuf *m,
return 0;
}
+
# ifdef __STDC__
# ifdef __sgi
static int write_output __P((struct ifnet *ifp, struct mbuf *m,
@@ -1601,21 +1628,27 @@ ip_t *ip;
{
# endif
char fname[32];
- int fd;
+ FILE *fp;
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
+# if defined __OpenBSD__
+ sprintf(fname, "/var/run/%s", ifp->if_xname);
+# else
sprintf(fname, "/tmp/%s", ifp->if_xname);
+# endif
# else
sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
# endif
- fd = open(fname, O_WRONLY|O_APPEND);
- if (fd == -1) {
- perror("open");
- return -1;
+ /*
+ * XXX
+ * This is still raceable, if the attacker gains the ability to
+ * erase the existing file in /tmp
+ */
+ if ((fp = fopen(fname, "a"))) {
+ fwrite((char *)ip, ntohs(ip->ip_len), 1, fp);
+ fclose(fp);
}
- write(fd, (char *)ip, ntohs(ip->ip_len));
- close(fd);
return 0;
}
@@ -1701,7 +1734,11 @@ void init_ifp()
(defined(OpenBSD) && (OpenBSD >= 199603))
for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
ifp->if_output = write_output;
+# if defined(__OpenBSD__)
+ sprintf(fname, "/var/run/%s", ifp->if_xname);
+# else
sprintf(fname, "/tmp/%s", ifp->if_xname);
+# endif
fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
if (fd == -1)
perror("open");
diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h
index 72b5025c19e..4e2a4c78ae8 100644
--- a/sys/netinet/ip_fil.h
+++ b/sys/netinet/ip_fil.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_fil.h,v 1.21 2001/01/17 04:47:13 fgsch Exp $ */
+/* $OpenBSD: ip_fil.h,v 1.22 2001/01/30 04:23:56 kjell Exp $ */
/*
* Copyright (C) 1993-2000 by Darren Reed.
@@ -424,8 +424,10 @@ typedef struct ipflog {
} ipflog_t;
-#ifndef ICMP_UNREACH_FILTER
-# define ICMP_UNREACH_FILTER 13
+#if !defined(__OpenBSD__)
+# ifndef ICMP_UNREACH_FILTER
+# define ICMP_UNREACH_FILTER 13
+# endif
#endif
#ifndef IPF_LOGGING
diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c
index 4f5bd7822ad..37af2b1de4c 100644
--- a/sys/netinet/ip_frag.c
+++ b/sys/netinet/ip_frag.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_frag.c,v 1.20 2001/01/17 04:47:13 fgsch Exp $ */
+/* $OpenBSD: ip_frag.c,v 1.21 2001/01/30 04:23:56 kjell Exp $ */
/*
* Copyright (C) 1993-2000 by Darren Reed.
@@ -69,21 +69,21 @@ static const char rcsid[] = "@(#)$IPFilter: ip_frag.c,v 2.10.2.7 2000/11/27 10:2
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
+#include <netinet/ip_fil_compat.h>
#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_auth.h"
+#include <netinet/ip_fil.h>
+#include <netinet/ip_proxy.h>
+#include <netinet/ip_nat.h>
+#include <netinet/ip_frag.h>
+#include <netinet/ip_state.h>
+#include <netinet/ip_auth.h>
#if (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
# if (defined(KERNEL) || defined(_KERNEL))
# ifndef IPFILTER_LKM
# include <sys/libkern.h>
# include <sys/systm.h>
-# endif
+# endif
extern struct callout_handle ipfr_slowtimer_ch;
# endif
#endif
@@ -91,6 +91,7 @@ extern struct callout_handle ipfr_slowtimer_ch;
# include <sys/callout.h>
extern struct callout ipfr_slowtimer_ch;
#elif defined(__OpenBSD__)
+# include <sys/timeout.h>
extern struct timeout ipfr_slowtimer_ch;
#endif
diff --git a/sys/netinet/ip_log.c b/sys/netinet/ip_log.c
index 1c798708e11..a5d696631cb 100644
--- a/sys/netinet/ip_log.c
+++ b/sys/netinet/ip_log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_log.c,v 1.9 2001/01/17 04:47:14 fgsch Exp $ */
+/* $OpenBSD: ip_log.c,v 1.10 2001/01/30 04:23:56 kjell Exp $ */
/*
* Copyright (C) 1997-2000 by Darren Reed.
@@ -105,14 +105,14 @@
# ifndef _KERNEL
# include <syslog.h>
# endif
-# include "netinet/ip_compat.h"
+# include <netinet/ip_fil_compat.h>
# include <netinet/tcpip.h>
-# include "netinet/ip_fil.h"
-# include "netinet/ip_proxy.h"
-# include "netinet/ip_nat.h"
-# include "netinet/ip_frag.h"
-# include "netinet/ip_state.h"
-# include "netinet/ip_auth.h"
+# include <netinet/ip_fil.h>
+# include <netinet/ip_proxy.h>
+# include <netinet/ip_nat.h>
+# include <netinet/ip_frag.h>
+# include <netinet/ip_state.h>
+# include <netinet/ip_auth.h>
# if (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
# endif
diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c
index c6d49f9d84f..a92c042cbcd 100644
--- a/sys/netinet/ip_nat.c
+++ b/sys/netinet/ip_nat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_nat.c,v 1.37 2001/01/17 07:25:19 fgsch Exp $ */
+/* $OpenBSD: ip_nat.c,v 1.38 2001/01/30 04:23:56 kjell Exp $ */
/*
* Copyright (C) 1995-2000 by Darren Reed.
@@ -97,13 +97,13 @@ extern struct ifnet vpnif;
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
+#include <netinet/ip_fil_compat.h>
#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
+#include <netinet/ip_fil.h>
+#include <netinet/ip_proxy.h>
+#include <netinet/ip_nat.h>
+#include <netinet/ip_frag.h>
+#include <netinet/ip_state.h>
#if (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
#endif
@@ -342,11 +342,7 @@ u_32_t n;
return;
}
#endif
-#ifdef sparc
- sum1 = (~(*sp)) & 0xffff;
-#else
sum1 = (~ntohs(*sp)) & 0xffff;
-#endif
sum1 += ~(n) & 0xffff;
sum1 = (sum1 >> 16) + (sum1 & 0xffff);
/* Again */
@@ -430,6 +426,24 @@ int mode;
if ((securelevel >= 2) && (mode & FWRITE))
return EPERM;
#endif
+#if defined(_KERNEL)
+# if defined(__OpenBSD__)
+ /* Prevent IPNAT changes when securelevel > 1 */
+ if (securelevel > 1) {
+ switch (cmd) {
+ case SIOCIPFFL:
+# ifdef IPFILTER_LOG
+ case SIOCIPFFB:
+# endif
+ case SIOCADNAT:
+ case SIOCRMNAT:
+ case SIOCSTPUT:
+ case SIOCSTLCK:
+ return EPERM;
+ }
+ }
+# endif /* OpenBSD */
+#endif /* _KERNEL */
nat = NULL; /* XXX gcc -Wuninitialized */
KMALLOC(nt, ipnat_t *);
diff --git a/sys/netinet/ip_proxy.c b/sys/netinet/ip_proxy.c
index 24de449b3d6..467b4f86eee 100644
--- a/sys/netinet/ip_proxy.c
+++ b/sys/netinet/ip_proxy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_proxy.c,v 1.12 2001/01/17 04:47:15 fgsch Exp $ */
+/* $OpenBSD: ip_proxy.c,v 1.13 2001/01/30 04:23:56 kjell Exp $ */
/*
* Copyright (C) 1997-2000 by Darren Reed.
@@ -70,12 +70,12 @@ static const char rcsid[] = "@(#)$IPFilter: ip_proxy.c,v 2.9.2.1 2000/05/06 12:3
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
+#include <netinet/ip_fil_compat.h>
#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
+#include <netinet/ip_fil.h>
+#include <netinet/ip_proxy.h>
+#include <netinet/ip_nat.h>
+#include <netinet/ip_state.h>
#if (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
#endif
@@ -93,9 +93,9 @@ static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
#define AP_SESS_SIZE 53
#if defined(_KERNEL) && !defined(linux)
-#include "netinet/ip_ftp_pxy.c"
-#include "netinet/ip_rcmd_pxy.c"
-#include "netinet/ip_raudio_pxy.c"
+#include <netinet/ip_ftp_pxy.c>
+#include <netinet/ip_rcmd_pxy.c>
+#include <netinet/ip_raudio_pxy.c>
#endif
ap_session_t *ap_sess_tab[AP_SESS_SIZE];
diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c
index d1dc3d96731..a17feb9c3f5 100644
--- a/sys/netinet/ip_state.c
+++ b/sys/netinet/ip_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_state.c,v 1.25 2001/01/17 07:25:19 fgsch Exp $ */
+/* $OpenBSD: ip_state.c,v 1.26 2001/01/30 04:23:56 kjell Exp $ */
/*
* Copyright (C) 1995-2000 by Darren Reed.
@@ -81,13 +81,13 @@ static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.30.2.28 2001/01/08 14
#endif
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
+#include <netinet/ip_fil_compat.h>
#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_state.h"
+#include <netinet/ip_fil.h>
+#include <netinet/ip_nat.h>
+#include <netinet/ip_frag.h>
+#include <netinet/ip_proxy.h>
+#include <netinet/ip_state.h>
#ifdef USE_INET6
#include <netinet/icmp6.h>
#endif
diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h
index a7cbaaac28d..0f28639ffc2 100644
--- a/sys/netinet/ip_state.h
+++ b/sys/netinet/ip_state.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_state.h,v 1.16 2001/01/17 04:47:16 fgsch Exp $ */
+/* $OpenBSD: ip_state.h,v 1.17 2001/01/30 04:23:56 kjell Exp $ */
/*
* Copyright (C) 1995-2000 by Darren Reed.
@@ -19,8 +19,13 @@
# define SIOCDELST _IOW(r, 61, struct ipstate *)
#endif
-#define IPSTATE_SIZE 5737
-#define IPSTATE_MAX 4013 /* Maximum number of states held */
+#ifndef IPSTATE_SIZE
+# define IPSTATE_SIZE 5737
+#endif
+
+#ifndef IPSTATE_MAX
+# define IPSTATE_MAX 4013 /* Maximum number of states held */
+#endif
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
(((s1) == (d2)) && ((d1) == (s2))))