diff options
| author | Federico G. Schwindt <fgsch@cvs.openbsd.org> | 2001-01-17 04:47:19 +0000 |
|---|---|---|
| committer | Federico G. Schwindt <fgsch@cvs.openbsd.org> | 2001-01-17 04:47:19 +0000 |
| commit | 4c2f6e4f5fcdd3dd6e4318cbe93f5e67c3673e8c (patch) | |
| tree | 01a426346aace2e6b14e001d1276f0f17e3703e2 /sys/netinet/ip_fil.c | |
| parent | 5e7b102be725a3da894e929575e0b29d80c846e2 (diff) | |
IPF 3.4.15. (IPv6 not working yet).
Note: before building the userland part you need to do make includes.
Diffstat (limited to 'sys/netinet/ip_fil.c')
| -rw-r--r-- | sys/netinet/ip_fil.c | 763 |
1 files changed, 495 insertions, 268 deletions
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c index ce308dacb5c..da31e69f30d 100644 --- a/sys/netinet/ip_fil.c +++ b/sys/netinet/ip_fil.c @@ -1,15 +1,15 @@ -/* $OpenBSD: ip_fil.c,v 1.37 2000/09/07 19:45:04 art Exp $ */ +/* $OpenBSD: ip_fil.c,v 1.38 2001/01/17 04:47:12 fgsch Exp $ */ /* - * Copyright (C) 1993-1998 by Darren Reed. + * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ #if !defined(lint) -static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.22 2000/07/08 02:43:47 darrenr Exp $"; +static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; +static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.42.2.17 2000/10/19 15:39:42 darrenr Exp $"; #endif #ifndef SOLARIS @@ -19,15 +19,17 @@ static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.22 2000/07/08 02:43 #if defined(KERNEL) && !defined(_KERNEL) # define _KERNEL #endif +#if defined(_KERNEL) && defined(__FreeBSD_version) && \ + (__FreeBSD_version >= 400000) && !defined(KLD_MODULE) +#include "opt_inet6.h" +#endif #include <sys/param.h> #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ defined(_KERNEL) # include "opt_ipfilter_log.h" #endif -#ifdef __FreeBSD__ -# if defined(_KERNEL) && !defined(IPFILTER_LKM) -# include <sys/osreldate.h> -# else +#if defined(__FreeBSD__) && !defined(__FreeBSD_version) +# if !defined(_KERNEL) || defined(IPFILTER_LKM) # include <osreldate.h> # endif #endif @@ -97,13 +99,16 @@ static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.22 2000/07/08 02:43 # include <unistd.h> # include <syslog.h> #endif -#include <netinet/ip_fil_compat.h> -#include <netinet/ip_fil.h> -#include <netinet/ip_proxy.h> -#include <netinet/ip_nat.h> -#include <netinet/ip_frag.h> -#include <netinet/ip_state.h> -#include <netinet/ip_auth.h> +#include "netinet/ip_compat.h" +#ifdef USE_INET6 +# include <netinet/icmp6.h> +#endif +#include "netinet/ip_fil.h" +#include "netinet/ip_proxy.h" +#include "netinet/ip_nat.h" +#include "netinet/ip_frag.h" +#include "netinet/ip_state.h" +#include "netinet/ip_auth.h" #if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) # include <sys/malloc.h> #endif @@ -128,16 +133,11 @@ extern int tcp_ttl; # endif #endif -# if defined (__OpenBSD__) -int ipl_unreach = ICMP_UNREACH_FILTER_PROHIB; -# else int ipl_unreach = ICMP_UNREACH_FILTER; -# endif - u_long ipl_frouteok[2] = {0, 0}; -static void frzerostats __P((caddr_t)); -#if defined(__NetBSD__) || defined(__OpenBSD__) +static int frzerostats __P((caddr_t)); +#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003) static int frrequest __P((int, u_long, caddr_t, int)); #else static int frrequest __P((int, int, caddr_t, int)); @@ -169,10 +169,15 @@ int fr_running = 0; #if (__FreeBSD_version >= 300000) && defined(_KERNEL) struct callout_handle ipfr_slowtimer_ch; #endif - -#ifdef __OpenBSD__ -#include <sys/timeout.h> -struct timeout ipfr_slowtimer_to; +#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000) +# include <sys/callout.h> +struct callout ipfr_slowtimer_ch; +#endif +#if defined(__OpenBSD__) +struct timeout ipfr_slowtimer_ch; +#endif +#if defined(__sgi) && defined(_KERNEL) +toid_t ipfr_slowtimer_ch; #endif #if (_BSDI_VERSION >= 199510) && defined(_KERNEL) @@ -258,14 +263,31 @@ int iplattach() error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); if (error) { +# ifdef USE_INET6 + goto pfil_error; +# else appr_unload(); ip_natunload(); fr_stateunload(); return error; +# endif } # else pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT); # endif +# ifdef USE_INET6 + error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT, + &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh); + if (error) { + pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, + &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); +pfil_error: + appr_unload(); + ip_natunload(); + fr_stateunload(); + return error; + } +# endif # endif # ifdef __sgi @@ -293,24 +315,30 @@ int iplattach() defpass = "no-match -> block"; #if !defined(__OpenBSD__) - printf("IP Filter: initialized. Default = %s all, Logging = %s\n", - defpass, + printf("%s initialized. Default = %s all, Logging = %s\n", + ipfilter_version, defpass, # ifdef IPFILTER_LOG "enabled"); # else "disabled"); # endif - printf("%s\n", ipfilter_version); #endif -#ifdef _KERNEL -# if (__FreeBSD_version >= 300000) && defined(_KERNEL) - ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2); -# elif defined(__OpenBSD__) - timeout_set(&ipfr_slowtimer_to, ipfr_slowtimer, NULL); - timeout_add(&ipfr_slowtimer_to, hz/2); -#else +#ifdef _KERNEL +# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000) + callout_init(&ipfr_slowtimer_ch); + callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL); +# else +# if defined(__OpenBSD__) + timeout_set(&ipfr_slowtimer_ch, ipfr_slowtimer, NULL); + timeout_add(&ipfr_slowtimer_ch, hz / 2); +# else +# if (__FreeBSD_version >= 300000) || defined(__sgi) + ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2); +# else timeout(ipfr_slowtimer, NULL, hz/2); +# endif +# endif # endif #endif return 0; @@ -328,18 +356,24 @@ int ipldetach() int error = 0; #endif -#ifdef _KERNEL -# if (__FreeBSD_version >= 300000) - untimeout(ipfr_slowtimer, NULL, ipfr_slowtimer_ch); -# elif defined(__OpenBSD__) - timeout_del(&ipfr_slowtimer_to); +#ifdef _KERNEL +# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000) + callout_stop(&ipfr_slowtimer_ch); # else -# ifdef __sgi - untimeout(ipfr_slowtimer); +# if defined(__OpenBSD__) + timeout_del(&ipfr_slowtimer_ch); # else +# if (__FreeBSD_version >= 300000) + untimeout(ipfr_slowtimer, NULL, ipfr_slowtimer_ch); +# else +# ifdef __sgi + untimeout(ipfr_slowtimer_ch); +# else untimeout(ipfr_slowtimer, NULL); -# endif -# endif +# endif +# endif /* FreeBSD */ +# endif /* OpenBSD */ +# endif /* NetBSD */ #endif SPL_NET(s); if (!fr_running) @@ -349,6 +383,10 @@ int ipldetach() return 0; } +#if !defined(__OpenBSD__) + printf("%s unloaded\n", ipfilter_version); +#endif + fr_checkp = fr_savep; i = frflush(IPL_LOGIPF, i); fr_running = 0; @@ -356,12 +394,18 @@ int ipldetach() # ifdef NETBSD_PF # if __NetBSD_Version__ >= 104200000 error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, - &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); + &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); if (error) return error; # else pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT); # endif +# ifdef USE_INET6 + error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, + &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh); + if (error) + return error; +# endif # endif # ifdef __sgi @@ -380,26 +424,20 @@ int ipldetach() #endif /* _KERNEL */ -static void frzerostats(data) +static int frzerostats(data) caddr_t data; { friostat_t fio; + int error; + + fr_getstat(&fio); + error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio)); + if (error) + return EFAULT; - bcopy((char *)frstats, (char *)fio.f_st, - sizeof(struct filterstats) * 2); - fio.f_fin[0] = ipfilter[0][0]; - fio.f_fin[1] = ipfilter[0][1]; - fio.f_fout[0] = ipfilter[1][0]; - fio.f_fout[1] = ipfilter[1][1]; - fio.f_acctin[0] = ipacct[0][0]; - fio.f_acctin[1] = ipacct[0][1]; - fio.f_acctout[0] = ipacct[1][0]; - fio.f_acctout[1] = ipacct[1][1]; - fio.f_active = fr_active; - fio.f_froute[0] = ipl_frouteok[0]; - fio.f_froute[1] = ipl_frouteok[1]; - IWCOPY((caddr_t)&fio, data, sizeof(fio)); bzero((char *)frstats, sizeof(*frstats) * 2); + + return 0; } @@ -414,20 +452,21 @@ int IPL_EXTERN(ioctl)(dev_t dev, int cmd, caddr_t data, int mode ) #else int IPL_EXTERN(ioctl)(dev, cmd, data, mode -#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \ - (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL) +# if (defined(_KERNEL) && ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || \ + (NetBSD >= 199511) || (__FreeBSD_version >= 220000) || \ + defined(__OpenBSD__))) , p) struct proc *p; -#else +# else ) -#endif +# endif dev_t dev; -#if defined(__NetBSD__) || defined(__OpenBSD__) || \ - (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) +# if defined(__NetBSD__) || defined(__OpenBSD__) || \ + (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) u_long cmd; -#else +# else int cmd; -#endif +# endif caddr_t data; int mode; #endif /* __sgi */ @@ -445,37 +484,7 @@ int mode; unit = GET_MINOR(dev); if ((IPL_LOGMAX < unit) || (unit < 0)) return ENXIO; - -# if defined(__OpenBSD__) - /* Prevent IPF and NAT changes when securelevel > 1 */ - if (securelevel > 1) { - switch (cmd) { -# ifndef IPFILTER_LKM - case SIOCFRENB: -# endif - case SIOCSETFF: - case SIOCADAFR: - case SIOCADIFR: - case SIOCINAFR: - case SIOCINIFR: - case SIOCRMAFR: - case SIOCRMIFR: - case SIOCZRLST: - case SIOCSWAPA: - case SIOCFRZST: - case SIOCIPFFL: -# ifdef IPFILTER_LOG - case SIOCIPFFB: -# endif - case SIOCADNAT: - case SIOCRMNAT: - case SIOCFLNAT: - case SIOCCNATL: - return EPERM; - } - } -# endif /* OpenBSD */ -#else /* _KERNEL */ +#else unit = dev; #endif @@ -489,7 +498,6 @@ int mode; SPL_X(s); return error; } - if (unit == IPL_LOGSTATE) { if (fr_running) error = fr_state_ioctl(data, cmd, mode); @@ -498,12 +506,19 @@ int mode; SPL_X(s); return error; } + if (unit == IPL_LOGAUTH) { + if (!fr_running) + return EIO; + error = fr_auth_ioctl(data, cmd, NULL, NULL); + SPL_X(s); + return error; + } switch (cmd) { case FIONREAD : #ifdef IPFILTER_LOG - IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data, - sizeof(iplused[IPL_LOGIPF])); + error = IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data, + sizeof(iplused[IPL_LOGIPF])); #endif break; #if !defined(IPFILTER_LKM) && defined(_KERNEL) @@ -514,7 +529,9 @@ int mode; if (!(mode & FWRITE)) error = EPERM; else { - IRCOPY(data, (caddr_t)&enable, sizeof(enable)); + error = IRCOPY(data, (caddr_t)&enable, sizeof(enable)); + if (error) + break; if (enable) error = iplattach(); else @@ -527,10 +544,11 @@ int mode; if (!(mode & FWRITE)) error = EPERM; else - IRCOPY(data, (caddr_t)&fr_flags, sizeof(fr_flags)); + error = IRCOPY(data, (caddr_t)&fr_flags, + sizeof(fr_flags)); break; case SIOCGETFF : - IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags)); + error = IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags)); break; case SIOCINAFR : case SIOCRMAFR : @@ -560,55 +578,42 @@ int mode; break; case SIOCGETFS : { - struct friostat fio; - - bcopy((char *)frstats, (char *)fio.f_st, - sizeof(struct filterstats) * 2); - fio.f_fin[0] = ipfilter[0][0]; - fio.f_fin[1] = ipfilter[0][1]; - fio.f_fout[0] = ipfilter[1][0]; - fio.f_fout[1] = ipfilter[1][1]; - fio.f_acctin[0] = ipacct[0][0]; - fio.f_acctin[1] = ipacct[0][1]; - fio.f_acctout[0] = ipacct[1][0]; - fio.f_acctout[1] = ipacct[1][1]; - fio.f_auth = ipauth; - fio.f_active = fr_active; - fio.f_froute[0] = ipl_frouteok[0]; - fio.f_froute[1] = ipl_frouteok[1]; - fio.f_running = fr_running; - fio.f_groups[0][0] = ipfgroups[0][0]; - fio.f_groups[0][1] = ipfgroups[0][1]; - fio.f_groups[1][0] = ipfgroups[1][0]; - fio.f_groups[1][1] = ipfgroups[1][1]; - fio.f_groups[2][0] = ipfgroups[2][0]; - fio.f_groups[2][1] = ipfgroups[2][1]; -#ifdef IPFILTER_LOG - fio.f_logging = 1; -#else - fio.f_logging = 0; -#endif - fio.f_defpass = fr_pass; - strncpy(fio.f_version, ipfilter_version, - sizeof(fio.f_version)); - IWCOPY((caddr_t)&fio, data, sizeof(fio)); + friostat_t fio; + + fr_getstat(&fio); + error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio)); + if (error) + return EFAULT; break; } case SIOCFRZST : if (!(mode & FWRITE)) error = EPERM; else - frzerostats(data); + error = frzerostats(data); break; case SIOCIPFFL : if (!(mode & FWRITE)) error = EPERM; else { - IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); - tmp = frflush(unit, tmp); - IWCOPY((caddr_t)&tmp, data, sizeof(tmp)); + error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); + if (!error) { + tmp = frflush(unit, tmp); + error = IWCOPY((caddr_t)&tmp, data, + sizeof(tmp)); + } } break; + case SIOCSTLCK : + error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); + if (!error) { + fr_state_lock = tmp; + fr_nat_lock = tmp; + fr_frag_lock = tmp; + fr_auth_lock = tmp; + } else + error = EFAULT; + break; #ifdef IPFILTER_LOG case SIOCIPFFB : if (!(mode & FWRITE)) @@ -618,7 +623,10 @@ int mode; break; #endif /* IPFILTER_LOG */ case SIOCGFRST : - IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t)); + error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data, + sizeof(ipfrstat_t)); + if (error) + return EFAULT; break; case SIOCAUTHW : case SIOCAUTHR : @@ -626,9 +634,6 @@ int mode; error = EPERM; break; } - case SIOCATHST : - error = fr_auth_ioctl(data, cmd, NULL, NULL); - break; case SIOCFRSYN : if (!(mode & FWRITE)) error = EPERM; @@ -666,6 +671,20 @@ void *ifp; for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next) if (f->fr_ifa == ifp) f->fr_ifa = (void *)-1; +#ifdef USE_INET6 + for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; + for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next) + if (f->fr_ifa == ifp) + f->fr_ifa = (void *)-1; +#endif RWLOCK_EXIT(&ipf_mutex); ip_natsync(ifp); } @@ -673,7 +692,7 @@ void *ifp; static int frrequest(unit, req, data, set) int unit; -#if defined(__NetBSD__) || defined(__OpenBSD__) +#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003) u_long req; #else int req; @@ -686,12 +705,19 @@ caddr_t data; frentry_t frd; frdest_t *fdp; frgroup_t *fg = NULL; + u_int *p, *pp; int error = 0, in; u_int group; fp = &frd; - IRCOPY(data, (caddr_t)fp, sizeof(*fp)); + error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp)); + if (error) + return EFAULT; fp->fr_ref = 0; +#if (BSD >= 199306) && defined(_KERNEL) + if ((securelevel > 0) && (fp->fr_func != NULL)) + return EPERM; +#endif /* * Check that the group number does exist and that if a head group @@ -708,10 +734,16 @@ caddr_t data; if (unit == IPL_LOGAUTH) ftail = fprev = &ipauth; - else if (fp->fr_flags & FR_ACCOUNT) + else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 4)) ftail = fprev = &ipacct[in][set]; - else if (fp->fr_flags & (FR_OUTQUE|FR_INQUE)) + else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 4)) ftail = fprev = &ipfilter[in][set]; +#ifdef USE_INET6 + else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 6)) + ftail = fprev = &ipacct6[in][set]; + else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 6)) + ftail = fprev = &ipfilter6[in][set]; +#endif else return ESRCH; @@ -724,13 +756,13 @@ caddr_t data; bzero((char *)frcache, sizeof(frcache[0]) * 2); if (*fp->fr_ifname) { - fp->fr_ifa = GETUNIT(fp->fr_ifname); + fp->fr_ifa = GETUNIT(fp->fr_ifname, fp->fr_v); if (!fp->fr_ifa) fp->fr_ifa = (void *)-1; } #if BSD >= 199306 if (*fp->fr_oifname) { - fp->fr_oifa = GETUNIT(fp->fr_oifname); + fp->fr_oifa = GETUNIT(fp->fr_oifname, fp->fr_v); if (!fp->fr_oifa) fp->fr_oifa = (void *)-1; } @@ -739,7 +771,7 @@ caddr_t data; fdp = &fp->fr_dif; fp->fr_flags &= ~FR_DUP; if (*fdp->fd_ifname) { - fdp->fd_ifp = GETUNIT(fdp->fd_ifname); + fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v); if (!fdp->fd_ifp) fdp->fd_ifp = (struct ifnet *)-1; else @@ -748,7 +780,7 @@ caddr_t data; fdp = &fp->fr_tif; if (*fdp->fd_ifname) { - fdp->fd_ifp = GETUNIT(fdp->fd_ifname); + fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v); if (!fdp->fd_ifp) fdp->fd_ifp = (struct ifnet *)-1; } @@ -757,9 +789,13 @@ caddr_t data; * Look for a matching filter rule, but don't include the next or * interface pointer in the comparison (fr_next, fr_ifa). */ + for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum; + p < pp; p++) + fp->fr_cksum += *p; + for (; (f = *ftail); ftail = &f->fr_next) - if (bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, - FR_CMPSIZ) == 0) + if ((fp->fr_cksum == f->fr_cksum) && + !bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, FR_CMPSIZ)) break; /* @@ -768,16 +804,21 @@ caddr_t data; if (req == SIOCZRLST) { if (!f) return ESRCH; - IWCOPY((caddr_t)f, data, sizeof(*f)); + error = IWCOPYPTR((caddr_t)f, data, sizeof(*f)); + if (error) + return EFAULT; f->fr_hits = 0; f->fr_bytes = 0; return 0; } if (!f) { - if (req == SIOCINAFR || req == SIOCINIFR) { - ftail = fprev; + if (req != SIOCINAFR && req != SIOCINIFR) + while ((f = *ftail)) + ftail = &f->fr_next; + else { if (fp->fr_hits) { + ftail = fprev; while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; } @@ -785,11 +826,16 @@ caddr_t data; } } - if (req == SIOCDELFR || req == SIOCRMIFR) { + if (req == SIOCRMAFR || req == SIOCRMIFR) { if (!f) error = ESRCH; else { - if (f->fr_ref > 1) + /* + * Only return EBUSY if there is a group list, else + * it's probably just state information referencing + * the rule. + */ + if ((f->fr_ref > 1) && f->fr_grp) return EBUSY; if (fg && fg->fg_head) fg->fg_head->fr_ref--; @@ -800,7 +846,9 @@ caddr_t data; unit, set); fixskip(fprev, f, -1); *ftail = f->fr_next; - KFREE(f); + f->fr_next = NULL; + if (f->fr_ref == 0) + KFREE(f); } } else { if (f) @@ -929,8 +977,11 @@ struct ip *oip; fr_info_t *fin; { struct tcphdr *tcp, *tcp2; + int tlen = 0, hlen; struct mbuf *m; - int tlen = 0; +#ifdef USE_INET6 + ip6_t *ip6, *oip6 = (ip6_t *)oip; +#endif ip_t *ip; tcp = (struct tcphdr *)fin->fin_dp; @@ -946,52 +997,93 @@ fr_info_t *fin; if (m == NULL) return -1; - if (tcp->th_flags & TH_SYN) - tlen = 1; - m->m_len = sizeof(*tcp2) + sizeof(*ip); + tlen = oip->ip_len - fin->fin_hlen - (tcp->th_off << 2) + + ((tcp->th_flags & TH_SYN) ? 1 : 0) + + ((tcp->th_flags & TH_FIN) ? 1 : 0); + +#ifdef USE_INET6 + hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t); +#else + hlen = sizeof(ip_t); +#endif + m->m_len = sizeof(*tcp2) + hlen; # if BSD >= 199306 m->m_data += max_linkhdr; - m->m_pkthdr.len = sizeof(*tcp2) + sizeof(*ip); + m->m_pkthdr.len = m->m_len; m->m_pkthdr.rcvif = (struct ifnet *)0; # endif ip = mtod(m, struct ip *); - bzero((char *)ip, sizeof(*tcp2) + sizeof(*ip)); - tcp2 = (struct tcphdr *)(ip + 1); +# ifdef USE_INET6 + ip6 = (ip6_t *)ip; +# endif + bzero((char *)ip, sizeof(*tcp2) + hlen); + tcp2 = (struct tcphdr *)((char *)ip + hlen); - ip->ip_src.s_addr = oip->ip_dst.s_addr; - ip->ip_dst.s_addr = oip->ip_src.s_addr; - tcp2->th_dport = tcp->th_sport; tcp2->th_sport = tcp->th_dport; - tcp2->th_ack = ntohl(tcp->th_seq); - tcp2->th_ack += tlen; - tcp2->th_ack = htonl(tcp2->th_ack); + tcp2->th_dport = tcp->th_sport; + if (tcp->th_flags & TH_ACK) { + tcp2->th_seq = tcp->th_ack; + tcp2->th_flags = TH_RST; + } else { + tcp2->th_ack = ntohl(tcp->th_seq); + tcp2->th_ack += tlen; + tcp2->th_ack = htonl(tcp2->th_ack); + tcp2->th_flags = TH_RST|TH_ACK; + } tcp2->th_off = sizeof(*tcp2) >> 2; - tcp2->th_flags = TH_RST|TH_ACK; +# ifdef USE_INET6 + if (fin->fin_v == 6) { + ip6->ip6_plen = htons(sizeof(struct tcphdr)); + ip6->ip6_nxt = IPPROTO_TCP; + ip6->ip6_src = oip6->ip6_dst; + ip6->ip6_dst = oip6->ip6_src; + tcp2->th_sum = in6_cksum(m, IPPROTO_TCP, + sizeof(*ip6), sizeof(*tcp2)); + return send_ip(oip, fin, m); + } +# endif ip->ip_p = IPPROTO_TCP; ip->ip_len = htons(sizeof(struct tcphdr)); - tcp2->th_sum = in_cksum(m, sizeof(*ip) + sizeof(*tcp2)); - - ip->ip_id = oip->ip_id; - ip->ip_tos = oip->ip_tos; - ip->ip_len = sizeof(*ip) + sizeof(*tcp2); - - return send_ip(ip, fin, m); + ip->ip_src.s_addr = oip->ip_dst.s_addr; + ip->ip_dst.s_addr = oip->ip_src.s_addr; + tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2)); + ip->ip_len = hlen + sizeof(*tcp2); + return send_ip(oip, fin, m); } -static int send_ip(ip, fin, m) +static int send_ip(oip, fin, m) +ip_t *oip; fr_info_t *fin; struct mbuf *m; -ip_t *ip; { - ip->ip_v = IPVERSION; - ip->ip_hl = (sizeof(*ip) >> 2); + ip_t *ip; + + ip = mtod(m, ip_t *); + + ip->ip_v = fin->fin_v; + if (ip->ip_v == 4) { + ip->ip_hl = (sizeof(*oip) >> 2); + ip->ip_v = IPVERSION; + ip->ip_tos = oip->ip_tos; + ip->ip_id = oip->ip_id; + ip->ip_off = 0; # if (BSD < 199306) || defined(__sgi) - ip->ip_ttl = tcp_ttl; + ip->ip_ttl = tcp_ttl; # else - ip->ip_ttl = ip_defttl; + ip->ip_ttl = ip_defttl; # endif + ip->ip_sum = 0; + } +# ifdef USE_INET6 + else if (ip->ip_v == 6) { + ip6_t *ip6 = (ip6_t *)ip; + + ip6->ip6_hlim = 127; + return ip6_output(m, NULL, NULL, 0, NULL, NULL); + } +# endif # ifdef IPSEC m->m_pkthdr.rcvif = NULL; # endif @@ -1003,76 +1095,165 @@ int send_icmp_err(oip, type, fin, dst) ip_t *oip; int type; fr_info_t *fin; -struct in_addr dst; +int dst; { + int err, hlen = 0, xtra = 0, iclen, ohlen = 0, avail, code; + struct in_addr dst4; struct icmp *icmp; struct mbuf *m; - ip_t *nip; - int code; - - if ((oip->ip_p == IPPROTO_ICMP) && !(fin->fin_fi.fi_fl & FI_SHORT)) - switch (ntohs(fin->fin_data[0]) >> 8) - { - case ICMP_ECHO : - case ICMP_TSTAMP : - case ICMP_IREQ : - case ICMP_MASKREQ : - break; - default : - return 0; - } + void *ifp; +#ifdef USE_INET6 + ip6_t *ip6, *oip6 = (ip6_t *)oip; + struct in6_addr dst6; +#endif + ip_t *ip; + + if ((type < 0) || (type > ICMP_MAXTYPE)) + return -1; code = fin->fin_icode; +#ifdef USE_INET6 + if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int))) + return -1; +#endif + + avail = 0; + m = NULL; + ifp = fin->fin_ifp; + if (fin->fin_v == 4) { + if ((oip->ip_p == IPPROTO_ICMP) && + !(fin->fin_fi.fi_fl & FI_SHORT)) + switch (ntohs(fin->fin_data[0]) >> 8) + { + case ICMP_ECHO : + case ICMP_TSTAMP : + case ICMP_IREQ : + case ICMP_MASKREQ : + break; + default : + return 0; + } + # if (BSD < 199306) || defined(__sgi) - m = m_get(M_DONTWAIT, MT_HEADER); + avail = MLEN; + m = m_get(M_DONTWAIT, MT_HEADER); # else - m = m_gethdr(M_DONTWAIT, MT_HEADER); + avail = MHLEN; + m = m_gethdr(M_DONTWAIT, MT_HEADER); # endif - if (m == NULL) - return ENOBUFS; - m->m_len = sizeof(*nip) + sizeof(*icmp) + 8; + if (m == NULL) + return ENOBUFS; + + if (dst == 0) { + if (fr_ifpaddr(4, ifp, &dst4) == -1) + return -1; + } else + dst4.s_addr = oip->ip_dst.s_addr; + + hlen = sizeof(ip_t); + ohlen = oip->ip_hl << 2; + xtra = 8; + } + +#ifdef USE_INET6 + else if (fin->fin_v == 6) { + hlen = sizeof(ip6_t); + ohlen = sizeof(ip6_t); + type = icmptoicmp6types[type]; + if (type == ICMP6_DST_UNREACH) + code = icmptoicmp6unreach[code]; + + MGETHDR(m, M_DONTWAIT, MT_HEADER); + if (!m) + return ENOBUFS; + + MCLGET(m, M_DONTWAIT); + if ((m->m_flags & M_EXT) == 0) { + m_freem(m); + return ENOBUFS; + } +# ifdef M_TRAILINGSPACE + m->m_len = 0; + avail = M_TRAILINGSPACE(m); +# else + avail = (m->m_flags & M_EXT) ? MCLBYTES : MHLEN; +# endif + xtra = MIN(ntohs(oip6->ip6_plen) + sizeof(ip6_t), + avail - hlen - sizeof(*icmp) - max_linkhdr); + if (dst == 0) { + if (fr_ifpaddr(6, ifp, (struct in_addr *)&dst6) == -1) + return -1; + } else + dst6 = oip6->ip6_dst; + } +#endif + + iclen = hlen + sizeof(*icmp); # if BSD >= 199306 + avail -= (max_linkhdr + iclen); m->m_data += max_linkhdr; - m->m_pkthdr.len = sizeof(*nip) + sizeof(*icmp) + 8; m->m_pkthdr.rcvif = (struct ifnet *)0; -# endif - - bzero(mtod(m, char *), (size_t)sizeof(*nip) + sizeof(*icmp) + 8); - nip = mtod(m, ip_t *); - icmp = (struct icmp *)(nip + 1); - - nip->ip_p = IPPROTO_ICMP; - nip->ip_id = oip->ip_id; - nip->ip_sum = 0; - nip->ip_ttl = 60; - nip->ip_tos = oip->ip_tos; - nip->ip_len = sizeof(*nip) + sizeof(*icmp) + 8; - if (dst.s_addr == 0) { - if (fr_ifpaddr(fin->fin_ifp, &dst) == -1) - return -1; - } - nip->ip_src = dst; - nip->ip_dst = oip->ip_src; + if (xtra > avail) + xtra = avail; + iclen += xtra; + m->m_pkthdr.len = iclen; +#else + avail -= (m->m_off + iclen); + if (xtra > avail) + xtra = avail; + iclen += xtra; +#endif + m->m_len = iclen; + ip = mtod(m, ip_t *); + icmp = (struct icmp *)((char *)ip + hlen); + bzero((char *)ip, iclen); icmp->icmp_type = type; - icmp->icmp_code = code; + icmp->icmp_code = fin->fin_icode; icmp->icmp_cksum = 0; - bcopy((char *)oip, (char *)&icmp->icmp_ip, sizeof(*oip)); - bcopy((char *)oip + (oip->ip_hl << 2), - (char *)&icmp->icmp_ip + sizeof(*oip), 8); /* 64 bits */ -# ifndef sparc - { - register u_short __iplen, __ipoff; - ip_t *ip = &icmp->icmp_ip; +#ifdef icmp_nextmtu + if (type == ICMP_UNREACH && + fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp) + icmp->icmp_nextmtu = htons(((struct ifnet *) ifp)->if_mtu); +#endif - __iplen = ip->ip_len; - __ipoff = ip->ip_off; - ip->ip_len = htons(__iplen); - ip->ip_off = htons(__ipoff); + if (avail) { + bcopy((char *)oip, (char *)&icmp->icmp_ip, MIN(ohlen, avail)); + avail -= MIN(ohlen, avail); } -# endif - icmp->icmp_cksum = ipf_cksum((u_short *)icmp, sizeof(*icmp) + 8); - return send_ip(nip, fin, m); + +#ifdef USE_INET6 + ip6 = (ip6_t *)ip; + if (fin->fin_v == 6) { + ip6->ip6_flow = 0; + ip6->ip6_plen = htons(iclen - hlen); + ip6->ip6_nxt = IPPROTO_ICMPV6; + ip6->ip6_hlim = 0; + ip6->ip6_src = dst6; + ip6->ip6_dst = oip6->ip6_src; + if (avail) + bcopy((char *)oip + ohlen, + (char *)&icmp->icmp_ip + ohlen, avail); + icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6, + sizeof(*ip6), iclen - hlen); + } else +#endif + { + ip->ip_src.s_addr = dst4.s_addr; + ip->ip_dst.s_addr = oip->ip_src.s_addr; + + if (avail > 8) + avail = 8; + if (avail) + bcopy((char *)oip + ohlen, + (char *)&icmp->icmp_ip + ohlen, avail); + icmp->icmp_cksum = ipf_cksum((u_short *)icmp, + sizeof(*icmp) + 8); + ip->ip_len = iclen; + ip->ip_p = IPPROTO_ICMP; + } + err = send_ip(oip, fin, m); + return err; } @@ -1122,6 +1303,16 @@ frdest_t *fdp; hlen = fin->fin_hlen; ip = mtod(m0, struct ip *); + +#ifdef USE_INET6 + if (ip->ip_v == 6) { + /* + * currently "to <if>" and "to <if>:ip#" are not supported + * for IPv6 + */ + return ip6_output(m0, NULL, NULL, 0, NULL, NULL); + } +#endif /* * Route packet. */ @@ -1190,27 +1381,43 @@ frdest_t *fdp; fin->fin_out = 1; if ((fin->fin_fr = ipacct[1][fr_active]) && (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) { - ATOMIC_INC(frstats[1].fr_acct); + ATOMIC_INCL(frstats[1].fr_acct); } fin->fin_fr = NULL; - if (!fr || !(fr->fr_flags & FR_RETMASK)) { + if (!fr || !(fr->fr_flags & FR_RETMASK)) (void) fr_checkstate(ip, fin); - (void) ip_natout(ip, fin); - } + (void) ip_natout(ip, fin); } else ip->ip_sum = 0; /* * If small enough for interface, can just send directly. */ if (ip->ip_len <= ifp->if_mtu) { +# if BSD >= 199306 + int i = 0; + +# ifdef MCLISREFERENCED + if ((m->m_flags & M_EXT) && MCLISREFERENCED(m)) +# else + if (m->m_flags & M_EXT) +# endif + i = 1; +# endif +# ifndef sparc ip->ip_id = htons(ip->ip_id); ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); +# endif if (!ip->ip_sum) ip->ip_sum = in_cksum(m, hlen); # if BSD >= 199306 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); + if (i) { + ip->ip_id = ntohs(ip->ip_id); + ip->ip_len = ntohs(ip->ip_len); + ip->ip_off = ntohs(ip->ip_off); + } # else error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst); # endif @@ -1279,7 +1486,9 @@ frdest_t *fdp; m->m_pkthdr.len = mhlen + len; m->m_pkthdr.rcvif = NULL; # endif +# ifndef sparc mhip->ip_off = htons((u_short)mhip->ip_off); +# endif mhip->ip_sum = 0; mhip->ip_sum = in_cksum(m, mhlen); *mnext = m; @@ -1322,16 +1531,44 @@ done: bad: if (error == EMSGSIZE) { sifp = fin->fin_ifp; - fin->fin_ifp = ifp; code = fin->fin_icode; fin->fin_icode = ICMP_UNREACH_NEEDFRAG; - (void) send_icmp_err(ip, ICMP_UNREACH, fin, ip->ip_dst); + fin->fin_ifp = ifp; + (void) send_icmp_err(ip, ICMP_UNREACH, fin, 1); fin->fin_ifp = sifp; fin->fin_icode = code; } m_freem(m); goto done; } + + +int fr_verifysrc(ipa, ifp) +struct in_addr ipa; +void *ifp; +{ + struct sockaddr_in *dst; + struct route iproute; + + bzero((char *)&iproute, sizeof(iproute)); + dst = (struct sockaddr_in *)&iproute.ro_dst; + dst->sin_family = AF_INET; + dst->sin_addr = ipa; +# if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \ + !defined(__OpenBSD__) +# ifdef RTF_CLONING + rtalloc_ign(&iproute, RTF_CLONING); +# else + rtalloc_ign(&iproute, RTF_PRCLONING); +# endif +# else + rtalloc(&iproute); +# endif + if (iproute.ro_rt == NULL) + return 0; + return (ifp == iproute.ro_rt->rt_ifp); +} + #else /* #ifdef _KERNEL */ @@ -1346,7 +1583,6 @@ static int no_output __P((struct ifnet *ifp, struct mbuf *m, return 0; } - # ifdef __STDC__ # ifdef __sgi static int write_output __P((struct ifnet *ifp, struct mbuf *m, @@ -1364,33 +1600,28 @@ ip_t *ip; { # endif char fname[32]; - FILE *fp; + int fd; # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) -# if defined __OpenBSD__ - sprintf(fname, "/var/run/%s", ifp->if_xname); -# else sprintf(fname, "/tmp/%s", ifp->if_xname); -# endif # else sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); # endif - /* - * XXX - * This is still raceable, if the attacker gains the ability to - * erase the existing file in /tmp - */ - if ((fp = fopen(fname, "a"))) { - fwrite((char *)ip, ntohs(ip->ip_len), 1, fp); - fclose(fp); + fd = open(fname, O_WRONLY|O_APPEND); + if (fd == -1) { + perror("open"); + return -1; } + write(fd, (char *)ip, ntohs(ip->ip_len)); + close(fd); return 0; } -struct ifnet *get_unit(name) +struct ifnet *get_unit(name, v) char *name; +int v; { struct ifnet *ifp, **ifa; # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ @@ -1469,11 +1700,7 @@ void init_ifp() (defined(OpenBSD) && (OpenBSD >= 199603)) for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { ifp->if_output = write_output; -# if defined(__OpenBSD__) - sprintf(fname, "/var/run/%s", ifp->if_xname); -# else sprintf(fname, "/tmp/%s", ifp->if_xname); -# endif fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); if (fd == -1) perror("open"); |