summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
Diffstat (limited to 'sys')
-rw-r--r--sys/arch/i386/i386/conf.c14
-rw-r--r--sys/conf/files2
-rw-r--r--sys/conf/files.oldconf2
-rw-r--r--sys/netinet/fil.c534
-rw-r--r--sys/netinet/ip_fil.c585
-rw-r--r--sys/netinet/ip_fil.h463
-rw-r--r--sys/netinet/ip_input.c19
-rw-r--r--sys/netinet/ip_output.c13
8 files changed, 1632 insertions, 0 deletions
diff --git a/sys/arch/i386/i386/conf.c b/sys/arch/i386/i386/conf.c
index 1f97e5960b6..15aa1270a25 100644
--- a/sys/arch/i386/i386/conf.c
+++ b/sys/arch/i386/i386/conf.c
@@ -171,6 +171,19 @@ cdev_decl(audio);
cdev_decl(svr4_net);
cdev_decl(ccd);
+/* open, close, read, ioctl */
+cdev_decl(ipl);
+#define cdev_gen_ipf(c,n) { \
+ dev_init(c,n,open), dev_init(c,n,close), dev_init(c,n,read), \
+ (dev_type_write((*))) enodev, dev_init(c,n,ioctl), \
+ (dev_type_stop((*))) nullop, 0, (dev_type_select((*))) enodev, \
+ (dev_type_mmap((*))) enodev, 0 }
+#ifdef IPFILTER
+#define NIPF 1
+#else
+#define NIPF 0
+#endif
+
struct cdevsw cdevsw[] =
{
cdev_cn_init(1,cn), /* 0: virtual console */
@@ -223,6 +236,7 @@ struct cdevsw cdevsw[] =
#else
cdev_notdef(), /* 43 */
#endif
+ cdev_gen_ipf(NIPF,ipl), /* 44 */
};
int nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]);
diff --git a/sys/conf/files b/sys/conf/files
index 6273730565b..543090df1d8 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -228,6 +228,8 @@ file netinet/tcp_subr.c inet
file netinet/tcp_timer.c inet
file netinet/tcp_usrreq.c inet
file netinet/udp_usrreq.c inet
+file netinet/ip_fil.c ipfilter
+file netinet/fil.c ipfilter
file netiso/clnp_debug.c iso
file netiso/clnp_er.c iso
file netiso/clnp_frag.c iso
diff --git a/sys/conf/files.oldconf b/sys/conf/files.oldconf
index d6eaa8a0318..d1e0f0fe919 100644
--- a/sys/conf/files.oldconf
+++ b/sys/conf/files.oldconf
@@ -181,6 +181,8 @@ netinet/tcp_subr.c optional inet
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
+netinet/ip_fil.c optional ipfilter requires inet
+netinet/fil.c optional ipfilter requires inet
netiso/clnp_debug.c optional iso
netiso/clnp_er.c optional iso
netiso/clnp_frag.c optional iso
diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c
new file mode 100644
index 00000000000..b485678d5a7
--- /dev/null
+++ b/sys/netinet/fil.c
@@ -0,0 +1,534 @@
+/*
+ * (C)opyright 1993,1994,1995 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ */
+#ifndef lint
+static char sccsid[] = "@(#)fil.c 1.18 10/24/95 (C) 1993-1995 Darren Reed";
+#endif
+
+#ifndef linux
+# include <sys/errno.h>
+# include <sys/types.h>
+# include <sys/param.h>
+# include <sys/file.h>
+# include <sys/ioctl.h>
+# if defined(_KERNEL) || defined(KERNEL)
+# include <sys/systm.h>
+# endif
+# include <sys/uio.h>
+# if !defined(__SVR4) && !defined(__svr4__)
+# include <sys/dir.h>
+# include <sys/mbuf.h>
+# else
+# include <sys/byteorder.h>
+# include <sys/dditypes.h>
+# include <sys/stream.h>
+# endif
+# include <sys/protosw.h>
+# include <sys/socket.h>
+# include <net/if.h>
+# ifdef sun
+# include <net/af.h>
+# endif
+# include <net/route.h>
+# include <netinet/in.h>
+# include <netinet/in_systm.h>
+# include <netinet/ip.h>
+# include <netinet/ip_var.h>
+# include <netinet/tcp.h>
+# include <netinet/udp.h>
+# include <netinet/tcpip.h>
+# include <netinet/ip_icmp.h>
+#endif
+#include <netinet/ip_fil.h>
+#ifndef MIN
+#define MIN(a,b) (((a)<(b))?(a):(b))
+#endif
+
+#ifndef _KERNEL
+#include "ipf.h"
+extern int opts;
+extern void debug(), verbose();
+
+#define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; second; }
+#define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; second; }
+#define FR_VERBOSE(verb_pr) verbose verb_pr
+#define FR_DEBUG(verb_pr) debug verb_pr
+#else
+#define FR_IFVERBOSE(ex,second,verb_pr) ;
+#define FR_IFDEBUG(ex,second,verb_pr) ;
+#define FR_VERBOSE(verb_pr)
+#define FR_DEBUG(verb_pr)
+
+extern int ipl_unreach, ipllog();
+#endif
+
+struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
+struct frentry *filterin[2] = { NULL, NULL },
+ *filterout[2] = { NULL, NULL };
+int fr_flags = 0, fr_active = 0;
+int fr_check();
+
+
+/*
+ * bit values for identifying presence of individual IP options
+ */
+struct optlist ipopts[20] = {
+ { IPOPT_NOP, 0x000001 },
+ { IPOPT_RR, 0x000002 },
+ { IPOPT_ZSU, 0x000004 },
+ { IPOPT_MTUP, 0x000008 },
+ { IPOPT_MTUR, 0x000010 },
+ { IPOPT_ENCODE, 0x000020 },
+ { IPOPT_TS, 0x000040 },
+ { IPOPT_TR, 0x000080 },
+ { IPOPT_SECURITY, 0x000100 },
+ { IPOPT_LSRR, 0x000200 },
+ { IPOPT_E_SEC, 0x000400 },
+ { IPOPT_CIPSO, 0x000800 },
+ { IPOPT_SATID, 0x001000 },
+ { IPOPT_SSRR, 0x002000 },
+ { IPOPT_ADDEXT, 0x004000 },
+ { IPOPT_VISA, 0x008000 },
+ { IPOPT_IMITD, 0x010000 },
+ { IPOPT_EIP, 0x020000 },
+ { IPOPT_FINN, 0x040000 },
+ { 0, 0x000000 }
+};
+
+/*
+ * bit values for identifying presence of individual IP security options
+ */
+struct optlist secopt[8] = {
+ { IPSO_CLASS_RES4, 0x01 },
+ { IPSO_CLASS_TOPS, 0x02 },
+ { IPSO_CLASS_SECR, 0x04 },
+ { IPSO_CLASS_RES3, 0x08 },
+ { IPSO_CLASS_CONF, 0x10 },
+ { IPSO_CLASS_UNCL, 0x20 },
+ { IPSO_CLASS_RES2, 0x40 },
+ { IPSO_CLASS_RES1, 0x80 }
+};
+
+
+/*
+ * compact the IP header into a structure which contains just the info.
+ * which is useful for comparing IP headers with.
+ */
+struct fr_ip *fr_makefrip(hlen, ip)
+int hlen;
+ip_t *ip;
+{
+ static struct fr_ip fi;
+ struct optlist *op;
+ u_short optmsk = 0, secmsk = 0, auth = 0;
+ int i, mv, ol, off;
+ u_char *s, opt;
+
+ fi.fi_fl = 0;
+ fi.fi_v = ip->ip_v;
+ fi.fi_tos = ip->ip_tos;
+ (*(((u_short *)&fi) + 1)) = (*(((u_short *)ip) + 4));
+ (*(((u_long *)&fi) + 1)) = (*(((u_long *)ip) + 3));
+ (*(((u_long *)&fi) + 2)) = (*(((u_long *)ip) + 4));
+
+ if (hlen > sizeof(struct ip))
+ fi.fi_fl |= FI_OPTIONS;
+ off = (ip->ip_off & 0x1fff) << 3;
+ if (ip->ip_off & 0x3fff)
+ fi.fi_fl |= FI_FRAG;
+ switch (ip->ip_p)
+ {
+ case IPPROTO_ICMP :
+ if ((!IPMINLEN(ip, icmp) && !off) ||
+ (off && off < sizeof(struct icmp)))
+ fi.fi_fl |= FI_SHORT;
+ break;
+ case IPPROTO_TCP :
+ fi.fi_fl |= FI_TCPUDP;
+ if ((!IPMINLEN(ip, tcphdr) && !off) ||
+ (off && off < sizeof(struct tcphdr)))
+ fi.fi_fl |= FI_SHORT;
+ break;
+ case IPPROTO_UDP :
+ fi.fi_fl |= FI_TCPUDP;
+ if ((!IPMINLEN(ip, udphdr) && !off) ||
+ (off && off < sizeof(struct udphdr)))
+ fi.fi_fl |= FI_SHORT;
+ break;
+ default :
+ break;
+ }
+
+ for (s = (u_char *)(ip + 1), hlen -= sizeof(*ip); hlen; ) {
+ if (!(opt = *s))
+ break;
+ ol = (opt == IPOPT_NOP) ? 1 : (int)*(s+1);
+ if (opt > 1 && (ol < 0 || ol > hlen))
+ break;
+ for (i = 9, mv = 4; mv >= 0; ) {
+ op = ipopts + i;
+ if (opt == (u_char)op->ol_val) {
+ optmsk |= op->ol_bit;
+ if (opt == IPOPT_SECURITY) {
+ struct optlist *sp;
+ u_char sec;
+ int j, m;
+
+ sec = *(s + 3); /* classification */
+ for (j = 3, m = 2; m >= 0; ) {
+ sp = secopt + j;
+ if (sec == sp->ol_val) {
+ secmsk |= sp->ol_bit;
+ auth = *(s + 3);
+ auth *= 256;
+ auth += *(s + 4);
+ break;
+ }
+ if (sec < sp->ol_val)
+ j -= m--;
+ else
+ j += m--;
+ }
+ }
+ break;
+ }
+ if (opt < op->ol_val)
+ i -= mv--;
+ else
+ i += mv--;
+ }
+ hlen -= ol;
+ s += ol;
+ }
+ if (auth && !(auth & 0x0100))
+ auth &= 0xff00;
+ fi.fi_optmsk = optmsk;
+ fi.fi_secmsk = secmsk;
+ fi.fi_auth = auth;
+ return &fi;
+}
+
+
+/*
+ * check an IP packet for TCP/UDP characteristics such as ports and flags.
+ */
+int fr_tcpudpchk(ip, tcp, fr)
+ip_t *ip;
+tcphdr_t *tcp;
+struct frentry *fr;
+{
+ register u_short po, tup;
+ register char i;
+ int err = 1;
+
+ /*
+ * Both ports should *always* be in the first fragment.
+ * So far, I cannot find any cases where they can not be.
+ *
+ * compare destination ports
+ */
+ if ((i = (int)fr->fr_dcmp)) {
+ po = ntohs(fr->fr_dport);
+ tup = ntohs(tcp->th_dport);
+ /*
+ * Do opposite test to that required and
+ * continue if that succeeds.
+ */
+ if (!--i && tup != po) /* EQUAL */
+ err = 0;
+ else if (!--i && tup == po) /* NOTEQUAL */
+ err = 0;
+ else if (!--i && tup >= po) /* LESSTHAN */
+ err = 0;
+ else if (!--i && tup <= po) /* GREATERTHAN */
+ err = 0;
+ else if (!--i && tup > po) /* LT or EQ */
+ err = 0;
+ else if (!--i && tup < po) /* GT or EQ */
+ err = 0;
+ else if (!--i && /* Out of range */
+ (tup >= po && tup <= ntohs(fr->fr_dtop)))
+ err = 0;
+ else if (!--i && /* In range */
+ (tup <= po || tup >= ntohs(fr->fr_dtop)))
+ err = 0;
+ }
+ /*
+ * compare source ports
+ */
+ if (err && (i = (int)fr->fr_scmp)) {
+ po = ntohs(fr->fr_sport);
+ tup = ntohs(tcp->th_sport);
+ if (!--i && tup != po)
+ err = 0;
+ else if (!--i && tup == po)
+ err = 0;
+ else if (!--i && tup >= po)
+ err = 0;
+ else if (!--i && tup <= po)
+ err = 0;
+ else if (!--i && tup > po)
+ err = 0;
+ else if (!--i && tup < po)
+ err = 0;
+ else if (!--i && /* Out of range */
+ (tup >= po && tup <= ntohs(fr->fr_stop)))
+ err = 0;
+ else if (!--i && /* In range */
+ (tup <= po || tup >= ntohs(fr->fr_stop)))
+ err = 0;
+ }
+
+ /*
+ * If we don't have all the TCP/UDP header, then how can we
+ * expect to do any sort of match on it ? If we were looking for
+ * TCP flags, then NO match. If not, then match (which should
+ * satisfy the "short" class too).
+ */
+ if (err)
+ if (ip->ip_p == IPPROTO_TCP) {
+ if (!IPMINLEN(ip, tcphdr))
+ return !(fr->fr_tcpf);
+ /*
+ * Match the flags ? If not, abort this match.
+ */
+ if (fr->fr_tcpf &&
+ fr->fr_tcpf != (tcp->th_flags & fr->fr_tcpfm)) {
+ FR_DEBUG(("f. %#x & %#x != %#x\n",
+ tcp->th_flags, fr->fr_tcpfm,
+ fr->fr_tcpf));
+ err = 0;
+ }
+ }
+ else if (!IPMINLEN(ip, udphdr)) /* must be UDP */
+ return 1;
+ return err;
+}
+
+/*
+ * Check the input/output list of rules for a match and result.
+ * Could be per interface, but this gets real nasty when you don't have
+ * kernel sauce.
+ */
+int fr_scanlist(pass, ip, hlen, ifp, out, rule)
+int pass;
+ip_t *ip;
+int hlen, out;
+struct ifnet *ifp;
+u_short *rule;
+{
+ register struct frentry *fr;
+ register struct fr_ip *fi;
+ tcphdr_t *tcp;
+ int rulen;
+
+ *rule = 1;
+ tcp = (tcphdr_t *)((char *)ip + hlen);
+ fr = (out) ? filterout[fr_active] : filterin[fr_active];
+ fi = fr_makefrip(hlen, ip);
+
+ for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
+ /*
+ * In all checks below, a null (zero) value in the
+ * filter struture is taken to mean a wildcard.
+ *
+ * check that we are working for the right interface
+ */
+#ifdef _KERNEL
+ if (fr->fr_ifa && fr->fr_ifa != ifp)
+ continue;
+#else
+ if (opts & (OPT_VERBOSE|OPT_DEBUG))
+ printf("\n");
+ FR_VERBOSE(("%c", (pass & FR_PASS) ? 'p' : 'b'));
+ if (ifp && *fr->fr_ifname && strcasecmp(ifp->if_name,
+ fr->fr_ifname))
+ continue;
+ FR_VERBOSE((":i"));
+#endif
+ {
+ register u_long *ld, *lm, *lip;
+ register int i;
+
+ lip = (u_long *)fi;
+ lm = (u_long *)&fr->fr_mip;
+ ld = (u_long *)&fr->fr_ip;
+ i = ((lip[0] & lm[0]) != ld[0]);
+ FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
+ lip[0], lm[0], ld[0]));
+ i |= ((lip[1] & lm[1]) != ld[1]);
+ FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
+ lip[1], lm[1], ld[1]));
+ i |= ((lip[2] & lm[2]) != ld[2]);
+ FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
+ lip[2], lm[2], ld[2]));
+ i |= ((lip[3] & lm[3]) != ld[3]);
+ FR_IFDEBUG(i,continue,("3. %#08x & %#08x != %#08x\n",
+ lip[3], lm[3], ld[3]));
+ i |= ((lip[4] & lm[4]) != ld[4]);
+ FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
+ lip[4], lm[4], ld[4]));
+ if (i)
+ continue;
+ }
+
+ /*
+ * If a fragment, then only the first has what we're looking
+ * for here...
+ */
+ if (!(ip->ip_off & 0x1fff)) {
+ if ((fi->fi_fl & FI_TCPUDP) &&
+ !fr_tcpudpchk(ip, tcp, fr))
+ continue;
+ else if (ip->ip_p == IPPROTO_ICMP &&
+ (*(u_short *)((char *)ip + hlen) &
+ fr->fr_icmpm) != fr->fr_icmp) {
+ FR_DEBUG(("i. %#x & %#x != %#x\n",
+ *(u_short *)((char *)ip + hlen),
+ fr->fr_icmpm, fr->fr_icmp));
+ continue;
+ }
+ } else if (fr->fr_dcmp || fr->fr_scmp || fr->fr_icmpm ||
+ fr->fr_tcpfm)
+ continue;
+ FR_VERBOSE(("*"));
+ /*
+ * Just log this packet...
+ */
+ if (fr->fr_flags & FR_LOG) {
+#ifdef IPFILTER_LOG
+ if (!ipllog(hlen, fr->fr_flags, ip, ifp, *rule))
+ frstats[out].fr_skip++;
+ frstats[out].fr_pkl++;
+#endif /* IPFILTER_LOG */
+ } else
+ pass = fr->fr_flags;
+ FR_DEBUG(("pass %#x\n", pass));
+ fr->fr_hits++;
+ *rule = rulen;
+ if (pass & FR_QUICK)
+ break;
+ }
+ return pass;
+}
+
+
+/*
+ * frcheck - filter check
+ * check using source and destination addresses/pors in a packet whether
+ * or not to pass it on or not.
+ */
+int fr_check(ip, hlen, ifp, out
+#if SOLARIS && defined(_KERNEL)
+, qif, q)
+qif_t *qif;
+queue_t *q;
+#else
+)
+#endif
+ip_t *ip;
+int hlen;
+struct ifnet *ifp;
+int out;
+{
+ int pass = FR_NOMATCH;
+ int sl;
+ u_short rule;
+
+ SPLNET(sl);
+
+ pass = fr_scanlist(pass, ip, hlen, ifp, out, &rule);
+ if (pass == FR_NOMATCH) {
+ frstats[out].fr_nom++;
+#ifdef NOMATCH
+ pass |= NOMATCH;
+#endif
+ }
+
+#ifdef IPFILTER_LOG
+ if ((pass & FR_LOGP) ||
+ ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
+ if (!(pass & FR_LOGP))
+ pass |= FF_LOGPASS << 8;
+ if (!ipllog(hlen, pass, ip, ifp, rule))
+ frstats[out].fr_skip++;
+ frstats[out].fr_ppkl++;
+ } else if ((pass & FR_LOGB) ||
+ ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
+ if (!(pass & FR_LOGB))
+ pass |= FF_LOGBLOCK << 8;
+ if (!ipllog(hlen, pass, ip, ifp, rule))
+ frstats[out].fr_skip++;
+ frstats[out].fr_bpkl++;
+ }
+#endif /* IPFILTER_LOG */
+ SPLX(sl);
+ if (pass & FR_PASS)
+ frstats[out].fr_pass++;
+ else if (pass & FR_BLOCK) {
+ frstats[out].fr_block++;
+ /*
+ * Should we return an ICMP packet to indicate error
+ * status passing through the packet filter ?
+ * XXX - copy mbuf as icmp_error() calls mfree() - fix this
+ * later, but preserve backward compatibility for now.
+ */
+#ifdef _KERNEL
+ if (pass & FR_RETICMP) {
+# if SOLARIS
+ icmp_error(q, ip, ICMP_UNREACH, ipl_unreach, qif,
+ ip->ip_src);
+# else
+ struct mbuf *copy;
+
+ copy = m_copy(dtom(ip), 0, imin((int)ip->ip_len, 64));
+# if BSD < 199103
+ icmp_error(mtod(copy, struct ip *),
+ ICMP_UNREACH, ipl_unreach, ifp, ip->ip_src);
+# else
+ icmp_error(copy, ICMP_UNREACH, ipl_unreach,
+ ip->ip_src.s_addr, ifp);
+# endif
+# endif
+ frstats[0].fr_ret++;
+ } else if (pass & FR_RETRST && IPMINLEN(ip, tcphdr)) {
+# if SOLARIS
+ if (send_reset(ip, qif, q) == 0)
+# else
+ if (send_reset(ip) == 0)
+# endif
+ frstats[1].fr_ret++;
+ }
+#else
+ if (pass & FR_RETICMP) {
+ verbose("- ICMP unreachable sent\n");
+ frstats[0].fr_ret++;
+ } else if (pass & FR_RETRST && IPMINLEN(ip, tcphdr)) {
+ verbose("- TCP RST sent\n");
+ frstats[1].fr_ret++;
+ }
+#endif
+ }
+#ifdef _KERNEL
+ return (pass & FR_PASS) ? 0 : -1;
+#else
+ if (pass & FR_NOMATCH)
+ return 1;
+ if (pass & FR_PASS)
+ return 0;
+ return -1;
+#endif
+}
+
+
+#ifndef _KERNEL
+int ipllog()
+{
+ verbose("l");
+ return 1;
+}
+#endif
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
new file mode 100644
index 00000000000..f234291a923
--- /dev/null
+++ b/sys/netinet/ip_fil.c
@@ -0,0 +1,585 @@
+/*
+ * (C)opyright 1993,1994,1995 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ */
+#ifndef lint
+static char sccsid[] = "@(#)ip_fil.c 2.26 11/8/95 (C) 1993-1995 Darren Reed";
+#endif
+
+#ifndef linux
+#include <sys/errno.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/dir.h>
+#include <sys/ioctl.h>
+#include <sys/systm.h>
+#include <sys/uio.h>
+#include <sys/mbuf.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+
+#include <net/if.h>
+#ifdef sun
+#include <net/af.h>
+#endif
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip_var.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/tcpip.h>
+#include <netinet/ip_icmp.h>
+#include <syslog.h>
+#endif
+#include "ip_fil.h"
+#ifndef MIN
+#define MIN(a,b) (((a)<(b))?(a):(b))
+#endif
+
+extern fr_flags, fr_active;
+extern int fr_check(), (*fr_checkp)();
+#if BSD < 199306
+extern int tcp_ttl;
+#else
+extern int ip_defttl;
+#endif
+
+int ipl_inited = 0;
+int ipl_unreach = ICMP_UNREACH_FILTER;
+int send_reset();
+
+#ifdef IPFILTER_LOG
+#define LOGSIZE 8192
+int ipllog();
+static char iplbuf[LOGSIZE];
+static caddr_t iplh = iplbuf, iplt = iplbuf;
+static int iplused = 0;
+#endif /* IPFILTER_LOG */
+static void frflush();
+static int frrequest();
+static int iplbusy = 0;
+static int (*fr_savep)();
+
+
+#ifdef IPFILTER_LKM
+int iplidentify(s)
+char *s;
+{
+ if (strcmp(s, "ipl") == 0)
+ return 1;
+ return 0;
+}
+
+
+int iplattach()
+{
+ int s;
+
+ SPLNET(s);
+ if (ipl_inited || (fr_checkp == fr_check)) {
+ printf("ipl: already initialized (%d)\n", iplbusy);
+ SPLX(s);
+ return EBUSY;
+ }
+ ipl_inited = 1;
+ fr_savep = fr_checkp;
+ fr_checkp = fr_check;
+
+ SPLX(s);
+ return 0;
+}
+
+
+int ipldetach()
+{
+ int s, i = FR_INQUE|FR_OUTQUE;
+
+ if (iplbusy) {
+ printf("iplbusy: %d\n", iplbusy);
+ return EBUSY;
+ }
+ SPLNET(s);
+ if (!ipl_inited)
+ {
+ printf("ipl: not initialized\n");
+ SPLX(s);
+ return EBUSY;
+ }
+
+ fr_checkp = fr_savep;
+ frflush((caddr_t)&i);
+ ipl_inited = 0;
+
+ SPLX(s);
+ return 0;
+}
+#endif /* IPFILTER_LKM */
+
+
+static void frzerostats(data)
+caddr_t data;
+{
+ struct friostat fio;
+
+ bcopy((char *)frstats, (char *)fio.f_st,
+ sizeof(struct filterstats) * 2);
+ fio.f_fin[0] = filterin[0];
+ fio.f_fin[1] = filterin[1];
+ fio.f_fout[0] = filterout[0];
+ fio.f_fout[1] = filterout[1];
+ fio.f_active = fr_active;
+ IWCOPY((caddr_t)&fio, data, sizeof(fio));
+ bzero((char *)frstats, sizeof(*frstats));
+}
+
+
+static void frflush(data)
+caddr_t data;
+{
+ struct frentry *f, **fp;
+ int flags = *(int *)data, flushed = 0, set = fr_active;
+
+ if (flags & FR_INACTIVE)
+ set = 1 - set;
+ if (flags & FR_OUTQUE)
+ for (fp = &filterout[set]; (f = *fp); ) {
+ *fp = f->fr_next;
+ KFREE(f);
+ flushed++;
+ }
+ if (flags & FR_INQUE)
+ for (fp = &filterin[set]; (f = *fp); ) {
+ *fp = f->fr_next;
+ KFREE(f);
+ flushed++;
+ }
+
+ *(int *)data = flushed;
+}
+
+
+/*
+ * Filter ioctl interface.
+ */
+int iplioctl(dev, cmd, data, mode)
+dev_t dev;
+int cmd;
+caddr_t data;
+int mode;
+{
+ int error = 0, s, unit;
+
+ unit = minor(dev);
+ if (unit != 0)
+ return ENXIO;
+
+ SPLNET(s);
+ switch (cmd) {
+#ifndef IPFILTER_LKM
+ case SIOCFRENB :
+ {
+ u_int enable;
+
+ IRCOPY(data, (caddr_t)&enable, sizeof(enable));
+ if (enable) {
+ if (fr_checkp != fr_check) {
+ fr_savep = fr_checkp;
+ fr_checkp = fr_check;
+ }
+ } else
+ fr_checkp = fr_savep;
+ break;
+ }
+#endif
+ case SIOCSETFF :
+ IRCOPY(data, (caddr_t)&fr_flags, sizeof(fr_flags));
+ break;
+ case SIOCGETFF :
+ IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags));
+ break;
+ case SIOCINAFR :
+ case SIOCRMAFR :
+ case SIOCADAFR :
+ error = frrequest(cmd, (struct frentry *)data, fr_active);
+ break;
+ case SIOCINIFR :
+ case SIOCRMIFR :
+ case SIOCADIFR :
+ error = frrequest(cmd, (struct frentry *)data, 1-fr_active);
+ break;
+ case SIOCSWAPA :
+ *(u_int *)data = fr_active;
+ fr_active = 1 - fr_active;
+ break;
+ case SIOCGETFS :
+ {
+ struct friostat fio;
+
+ bcopy((char *)frstats, (char *)fio.f_st,
+ sizeof(struct filterstats) * 2);
+ fio.f_fin[0] = filterin[0];
+ fio.f_fin[1] = filterin[1];
+ fio.f_fout[0] = filterout[0];
+ fio.f_fout[1] = filterout[1];
+ fio.f_active = fr_active;
+ IWCOPY((caddr_t)&fio, data, sizeof(fio));
+ break;
+ }
+ case SIOCFRZST :
+ frzerostats(data);
+ break;
+ case SIOCIPFFL :
+ frflush(data);
+ break;
+#ifdef IPFILTER_LOG
+ case SIOCIPFFB :
+ *(int *)data = iplused;
+ iplh = iplt = iplbuf;
+ iplused = 0;
+ break;
+#endif /* IPFILTER_LOG */
+ default :
+ error = -EINVAL;
+ break;
+ }
+ SPLX(s);
+ return error;
+}
+
+
+static int frrequest(req, fp, set)
+int req, set;
+register struct frentry *fp;
+{
+ register struct frentry *f, **fprev;
+ register struct frentry **ftail;
+ struct frentry frd;
+ int error = 0;
+
+ if (fp->fr_flags & FR_OUTQUE)
+ ftail = fprev = &filterout[set];
+ else if (fp->fr_flags & FR_INQUE)
+ ftail = fprev = &filterin[set];
+ else
+ return ESRCH;
+
+ IRCOPY((char *)fp, (char *)&frd, sizeof(frd));
+ fp = &frd;
+ if (*fp->fr_ifname) {
+ fp->fr_ifa = GETUNIT(fp->fr_ifname);
+ if (!fp->fr_ifa)
+ fp->fr_ifa = (struct ifnet *)-1;
+ }
+ /*
+ * Look for a matching filter rule, but don't include the next or
+ * interface pointer in the comparison (fr_next, fr_ifa).
+ */
+ for (; f = *ftail; ftail = &f->fr_next)
+ if (bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip,
+ FR_CMPSIZ) == 0)
+ break;
+ if (!f) {
+ ftail = fprev;
+ if (req != SIOCINAFR && req != SIOCINIFR)
+ while ((f = *ftail))
+ ftail = &f->fr_next;
+ else if (fp->fr_hits)
+ while (--fp->fr_hits && (f = *ftail))
+ ftail = &f->fr_next;
+ f = NULL;
+ }
+
+ if (req == SIOCDELFR || req == SIOCRMIFR) {
+ if (!f)
+ error = ESRCH;
+ else {
+ *ftail = f->fr_next;
+ (void) KFREE(f);
+ }
+ } else {
+ if (f)
+ error = EEXIST;
+ else {
+ if ((f = (struct frentry *)KMALLOC(sizeof(*f)))) {
+ bcopy((char *)fp, (char *)f, sizeof(*f));
+ f->fr_hits = 0;
+ f->fr_next = *ftail;
+ *ftail = f;
+ } else
+ error = ENOMEM;
+ }
+ }
+ return (error);
+}
+
+
+#if !defined(linux)
+/*
+ * routines below for saving IP headers to buffer
+ */
+int iplopen(dev, flags)
+dev_t dev;
+int flags;
+{
+ u_int min = minor(dev);
+
+ if ((flags & FWRITE) || min)
+ min = ENXIO;
+ else
+ iplbusy++;
+ return min;
+}
+
+
+int iplclose(dev, flags)
+dev_t dev;
+int flags;
+{
+ u_int min = minor(dev);
+
+ if (min)
+ min = ENXIO;
+ else if (iplbusy > 0)
+ iplbusy--;
+ return min;
+}
+
+# ifdef IPFILTER_LOG
+/*
+ * iplread/ipllog
+ * both of these must operate with at least splnet() lest they be
+ * called during packet processing and cause an inconsistancy to appear in
+ * the filter lists.
+ */
+# if BSD >= 199306
+int iplread(dev, uio, ioflag)
+int ioflag;
+# else
+int iplread(dev, uio)
+# endif
+dev_t dev;
+register struct uio *uio;
+{
+ register int ret, s;
+ register size_t sz, sx;
+ int error;
+
+ if (!uio->uio_resid)
+ return 0;
+ while (!iplused) {
+ error = SLEEP(iplbuf, "ipl sleep");
+ if (error)
+ return error;
+ }
+
+ SPLNET(s);
+
+ sx = sz = MIN(uio->uio_resid, iplused);
+ if (iplh < iplt)
+ sz = MIN(sz, LOGSIZE - (iplt - iplbuf));
+ sx -= sz;
+
+# if BSD >= 199306 || defined(__FreeBSD__)
+ uio->uio_rw = UIO_READ;
+# endif
+ if (!(ret = UIOMOVE(iplt, sz, UIO_READ, uio))) {
+ iplt += sz;
+ iplused -= sz;
+ if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
+ iplt = iplbuf;
+
+ if (sx && !(ret = UIOMOVE(iplt, sx, UIO_READ, uio))) {
+ iplt += sx;
+ iplused -= sx;
+ if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
+ iplt = iplbuf;
+ }
+ if (!iplused) /* minimise wrapping around the end */
+ iplh = iplt = iplbuf;
+ }
+ SPLX(s);
+ return ret;
+}
+# endif /* IPFILTER_LOG */
+#endif /* linux */
+
+
+#ifdef IPFILTER_LOG
+int ipllog(hlen, flags, ip, ifp, rule)
+register int hlen;
+u_int flags;
+ip_t *ip;
+struct ifnet *ifp;
+u_short rule;
+{
+ struct ipl_ci iplci;
+ register size_t tail = 0;
+ register int len, mlen;
+ register struct mbuf *m = dtom(ip);
+
+ if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
+ hlen += sizeof(tcphdr_t);
+ else if (ip->ip_p == IPPROTO_ICMP) {
+ struct icmp *icmp = (struct icmp *)((char *)ip + hlen);
+
+ switch (icmp->icmp_type) {
+ case ICMP_UNREACH :
+ case ICMP_SOURCEQUENCH :
+ case ICMP_REDIRECT :
+ case ICMP_TIMXCEED :
+ case ICMP_PARAMPROB :
+ hlen += 8;
+ default :
+ hlen += sizeof(struct icmp);
+ }
+ }
+
+ mlen = (flags & FR_LOGBODY) ? (MIN(m->m_len, 128) & 0xfa) : 0;
+ len = hlen + sizeof(iplci) + mlen;
+ if (iplused + len > LOGSIZE)
+ return 0;
+ iplused += len;
+
+# ifdef sun
+ uniqtime(&iplci);
+# endif
+# if BSD >= 199306 || defined(__FreeBSD__)
+ microtime((struct timeval *)&iplci);
+# endif
+ iplci.flags = flags;
+ iplci.hlen = (u_char)hlen;
+ iplci.plen = (flags & FR_LOGBODY) ? (u_char)mlen : 0 ;
+ iplci.rule = rule;
+ iplci.unit = (u_char)ifp->if_unit;
+ iplci.ifname[0] = ifp->if_name[0];
+ iplci.ifname[1] = ifp->if_name[1];
+ iplci.ifname[2] = ifp->if_name[2];
+ iplci.ifname[3] = ifp->if_name[3];
+
+ if (iplh == iplbuf + LOGSIZE)
+ iplh = iplbuf;
+ tail = (iplh >= iplt) ? (iplbuf + LOGSIZE - iplh) : (iplt - iplh);
+
+ len = MIN(tail, sizeof(iplci));
+
+ /*
+ * check in both cases where we add stuff to the buffer to see if we
+ * are going to wrap around at the end.
+ */
+ bcopy((char *)&iplci, iplh, len);
+ iplh += len;
+ if (len < sizeof(iplci)) {
+ bcopy((char *)&iplci + len, iplbuf, sizeof(iplci) - len);
+ iplh = iplbuf + sizeof(iplci) - len;
+ tail = iplt - iplh;
+ } else
+ tail -= len;
+
+ len = MIN(tail, hlen);
+ bcopy((char *)ip, iplh, len);
+ iplh += len;
+ if (len < hlen) {
+ iplh = iplbuf;
+ bcopy((char *)ip + len, iplh, hlen - len);
+ iplh += hlen - len;
+ tail = iplt - iplh;
+ } else
+ tail -= len;
+
+ if (mlen) {
+ len = MIN(tail, mlen);
+#if BSD < 199103
+ bcopy((char *)m->m_un.mun_dat, iplh, len);
+#else
+ bcopy((char *)m->M_dat.M_databuf, iplh, len);
+#endif
+ iplh += len;
+ if (len < mlen) {
+ iplh = iplbuf;
+#if BSD < 199103
+ bcopy((char *)m->m_un.mun_dat + len, iplh,
+ mlen - len);
+#else
+ bcopy((char *)m->M_dat.M_databuf + len, iplh,
+ mlen - len);
+#endif
+ iplh += mlen - len;
+ }
+ }
+ wakeup(iplbuf);
+ return 1;
+}
+#endif /* IPFILTER_LOG */
+
+/*
+ * send_reset - this could conceivably be a call to tcp_respond(), but that
+ * requires a large amount of setting up and isn't any more efficient.
+ */
+int send_reset(ti)
+struct tcpiphdr *ti;
+{
+ struct tcpiphdr *tp;
+ struct ip *ip;
+ struct tcphdr *tcp;
+ struct mbuf *m;
+ int tlen = 0;
+
+ if (ti->ti_flags & TH_RST)
+ return -1; /* feedback loop */
+#if BSD < 199306
+ m = m_get(M_DONTWAIT, MT_HEADER);
+#else
+ m = m_gethdr(M_DONTWAIT, MT_HEADER);
+ m->m_data += max_linkhdr;
+#endif
+ if (m == NULL)
+ return -1;
+
+ if (ti->ti_flags & TH_SYN)
+ tlen = 1;
+ m->m_len = sizeof (struct tcpiphdr);
+#if BSD >= 199306
+ m->m_pkthdr.len = sizeof (struct tcpiphdr);
+ m->m_pkthdr.rcvif = (struct ifnet *)0;
+#endif
+ bzero(mtod(m, char *), sizeof(struct tcpiphdr));
+ ip = mtod(m, struct ip *);
+ tp = mtod(m, struct tcpiphdr *);
+ tcp = (struct tcphdr *)((char *)ip + sizeof(struct ip));
+
+ ip->ip_src.s_addr = ti->ti_dst.s_addr;
+ ip->ip_dst.s_addr = ti->ti_src.s_addr;
+ tcp->th_dport = ti->ti_sport;
+ tcp->th_sport = ti->ti_dport;
+ tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen);
+ tcp->th_off = sizeof(struct tcphdr) >> 2;
+ tcp->th_flags = TH_RST|TH_ACK;
+ tp->ti_pr = ((struct ip *)ti)->ip_p;
+ tp->ti_len = htons(sizeof(struct tcphdr));
+ tcp->th_sum = in_cksum(m, sizeof(struct tcpiphdr));
+
+ ip->ip_hl = sizeof(struct ip) >> 2;
+ ip->ip_v = IPVERSION;
+ ip->ip_tos = ((struct ip *)ti)->ip_tos;
+ ip->ip_id = ((struct ip *)ti)->ip_id;
+ ip->ip_off = ((struct ip *)ti)->ip_off;
+ ip->ip_p = ((struct ip *)ti)->ip_p;
+ ip->ip_len = sizeof (struct tcpiphdr);
+#if BSD < 199306
+ ip->ip_ttl = tcp_ttl;
+#else
+ ip->ip_ttl = ip_defttl;
+#endif
+
+ /*
+ * extra 0 in case of multicast
+ */
+ (void) ip_output(m, (struct mbuf *)0, 0, IP_FORWARDING, 0);
+ return 0;
+}
diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h
new file mode 100644
index 00000000000..8d4380dd4cc
--- /dev/null
+++ b/sys/netinet/ip_fil.h
@@ -0,0 +1,463 @@
+/*
+ * (C)opyright 1993, 1994, 1995 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ *
+ * @(#)ip_fil.h 1.23 11/11/95
+ */
+
+#ifndef __IP_FIL_H_
+#define __IP_FIL_H__
+
+#ifndef IPFILTER_LOG
+#define IPFILTER_LOG 1
+#endif
+
+#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#if defined(KERNEL) && !defined(_KERNEL)
+#define _KERNEL
+#endif
+#if SOLARIS
+# include <sys/ioccom.h>
+# include <sys/sysmacros.h>
+# ifdef _KERNEL
+# include <inet/common.h>
+/*
+ * because Solaris 2 defines these in two places :-/
+ */
+#undef IPOPT_EOL
+#undef IPOPT_NOP
+#undef IPOPT_LSRR
+#undef IPOPT_RR
+#undef IPOPT_SSRR
+# include <inet/ip.h>
+# endif
+#endif
+
+#if defined(__STDC__) || defined(__GNUC__)
+#define SIOCADAFR _IOW('r', 60, struct frentry)
+#define SIOCRMAFR _IOW('r', 61, struct frentry)
+#define SIOCSETFF _IOW('r', 62, u_int)
+#define SIOCGETFF _IOR('r', 63, u_int)
+#define SIOCGETFS _IOR('r', 64, struct friostat)
+#define SIOCIPFFL _IOWR('r', 65, int)
+#define SIOCIPFFB _IOR('r', 66, int)
+#define SIOCADIFR _IOW('r', 67, struct frentry)
+#define SIOCRMIFR _IOW('r', 68, struct frentry)
+#define SIOCSWAPA _IOR('r', 69, u_int)
+#define SIOCINAFR _IOW('r', 70, struct frentry)
+#define SIOCINIFR _IOW('r', 71, struct frentry)
+#define SIOCFRENB _IOW('r', 72, u_int)
+#define SIOCFRSYN _IOW('r', 73, u_int)
+#define SIOCFRZST _IOWR('r', 74, struct friostat)
+#else
+#define SIOCADAFR _IOW(r, 60, struct frentry)
+#define SIOCRMAFR _IOW(r, 61, struct frentry)
+#define SIOCSETFF _IOW(r, 62, u_int)
+#define SIOCGETFF _IOR(r, 63, u_int)
+#define SIOCGETFS _IOR(r, 64, struct friostat)
+#define SIOCIPFFL _IOWR(r, 65, int)
+#define SIOCIPFFB _IOR(r, 66, int)
+#define SIOCADIFR _IOW(r, 67, struct frentry)
+#define SIOCRMIFR _IOW(r, 68, struct frentry)
+#define SIOCSWAPA _IOR(r, 69, u_int)
+#define SIOCINAFR _IOW(r, 70, struct frentry)
+#define SIOCINIFR _IOW(r, 71, struct frentry)
+#define SIOCFRENB _IOW(r, 72, u_int)
+#define SIOCFRSYN _IOW(r, 73, u_int)
+#define SIOCFRZST _IOWR(r, 74, struct friostat)
+#endif
+#define SIOCADDFR SIOCADAFR
+#define SIOCDELFR SIOCRMAFR
+#define SIOCINSFR SIOCINAFR
+
+typedef struct fr_ip {
+ u_char fi_v:4;
+ u_char fi_fl:4;
+ u_char fi_tos;
+ u_char fi_ttl;
+ u_char fi_p;
+ struct in_addr fi_src;
+ struct in_addr fi_dst;
+ u_long fi_optmsk;
+ u_short fi_secmsk;
+ u_short fi_auth;
+} fr_ip_t;
+
+#define FI_SHORT 0x01
+#define FI_OPTIONS 0x02
+#define FI_FRAG 0x04
+#define FI_TCPUDP 0x08 /* TCP/UCP implied comparison involved */
+
+typedef struct frentry {
+ struct frentry *fr_next;
+ struct ifnet *fr_ifa;
+ u_int fr_hits;
+
+ /*
+ * Fields after this may not change whilst in the kernel.
+ */
+ struct fr_ip fr_ip;
+ struct fr_ip fr_mip;
+
+ u_char fr_tcpfm; /* tcp flags mask */
+ u_char fr_tcpf; /* tcp flags */
+
+ u_short fr_icmpm; /* data for ICMP packets (mask) */
+ u_short fr_icmp;
+
+ u_char fr_scmp; /* data for port comparisons */
+ u_char fr_dcmp;
+ u_short fr_dport;
+ u_short fr_sport;
+ u_short fr_stop; /* top port for <> and >< */
+ u_short fr_dtop; /* top port for <> and >< */
+ u_short fr_flags; /* per-rule flags && options (see below) */
+ char fr_ifname[IFNAMSIZ];
+} frentry_t;
+
+#define fr_proto fr_ip.fi_p
+#define fr_ttl fr_ip.fi_ttl
+#define fr_tos fr_ip.fi_tos
+#define fr_dst fr_ip.fi_dst
+#define fr_src fr_ip.fi_src
+#define fr_dmsk fr_mip.fi_dst
+#define fr_smsk fr_mip.fi_src
+
+#ifndef offsetof
+#define offsetof(t,m) (int)((&((t *)0L)->m))
+#endif
+#define FR_CMPSIZ (sizeof(struct frentry) - offsetof(frentry_t, fr_ip))
+
+/*
+ * fr_flags
+ */
+#define FR_BLOCK 0x0001
+#define FR_PASS 0x0002
+#define FR_OUTQUE 0x0004
+#define FR_INQUE 0x0008
+#define FR_LOGP 0x0010 /* Log-pass */
+#define FR_LOGB 0x0020 /* Log-fail */
+#define FR_LOG 0x0040 /* Log */
+#define FR_LOGBODY 0x0080 /* Log the body */
+#define FR_QUICK 0x0100
+#define FR_RETRST 0x0200
+#define FR_RETICMP 0x0400
+#define FR_INACTIVE 0x0800
+#define FR_NOMATCH 0x1000
+
+#define FR_NONE 0
+#define FR_EQUAL 1
+#define FR_NEQUAL 2
+#define FR_LESST 3
+#define FR_GREATERT 4
+#define FR_LESSTE 5
+#define FR_GREATERTE 6
+#define FR_OUTRANGE 7
+#define FR_INRANGE 8
+
+typedef struct filterstats {
+ u_long fr_pass; /* packets allowed */
+ u_long fr_block; /* packets denied */
+ u_long fr_nom; /* packets which don't match any rule */
+ u_long fr_ppkl; /* packets allowed and logged */
+ u_long fr_bpkl; /* packets denied and logged */
+ u_long fr_pkl; /* packets logged */
+ u_long fr_skip; /* packets to be logged but buffer full */
+ u_long fr_ret; /* packets for which a return is sent */
+#if SOLARIS
+ u_long fr_bad; /* bad IP packets to the filter */
+ u_long fr_notip; /* packets passed through no on ip queue */
+ u_long fr_drop; /* packets dropped - no info for them! */
+#endif
+} filterstats_t;
+
+/*
+ * recognized flags for SIOCGETFF and SIOCSETFF
+ */
+#define FF_LOGPASS 1
+#define FF_LOGBLOCK 2
+
+/*
+ * For SIOCGETFS
+ */
+typedef struct friostat {
+ struct filterstats f_st[2];
+ struct frentry *f_fin[2];
+ struct frentry *f_fout[2];
+ int f_active;
+} friostat_t;
+
+typedef struct optlist {
+ u_short ol_val;
+ int ol_bit;
+} optlist_t;
+
+#ifdef _KERNEL
+extern struct frentry *filterin[], *filterout[];
+extern struct filterstats frstats[];
+#endif
+
+typedef struct ipl_ci {
+ u_long sec;
+ u_long usec;
+ u_char hlen;
+ u_char plen;
+ u_short rule;
+ u_long flags:24;
+ u_long unit:8;
+ u_char ifname[4];
+} ipl_ci_t;
+
+#ifdef _KERNEL
+
+typedef struct ipfr {
+ struct ipfr *ipfr_next, *ipfr_prev;
+ struct in_addr ipfr_src;
+ struct in_addr ipfr_dst;
+ u_short ipfr_id;
+ u_short ipfr_age;
+ u_char ipfr_p;
+ u_char ipfr_tos;
+ u_char ipfr_pass;
+} ipfr_t;
+
+#define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1)
+
+# if defined(sun) && !defined(linux)
+# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d)
+# define SLEEP(id, n) sleep((id), PZERO+1)
+# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
+# if SOLARIS
+# ifdef sparc
+# define ntohs(x) (x)
+# define ntohl(x) (x)
+# define htons(x) (x)
+# define htonl(x) (x)
+# endif
+# define KMALLOC(x) kmem_alloc((x), KM_SLEEP)
+# define GET_MINOR(x) getminor(x)
+# else
+# define KMALLOC(x) new_kmem_alloc((x), KMEM_SLEEP)
+# endif /* __svr4__ */
+# endif /* sun && !linux */
+# ifndef GET_MINOR
+# define GET_MINOR(x) minor(x)
+# endif
+# if BSD >= 199306 || defined(__FreeBSD__)
+# include <vm/vm.h>
+# if !defined(__FreeBSD__)
+# include <vm/vm_extern.h>
+# include <sys/proc.h>
+extern vm_map_t kmem_map;
+# else
+# include <vm/vm_kern.h>
+# endif /* __FreeBSD__ */
+# define KMALLOC(x) kmem_alloc(kmem_map, (x))
+# define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \
+ sizeof(*(x)))
+# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
+# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
+# else
+# endif /* BSD */
+#endif /* _KERNEL */
+
+#ifdef linux
+# define ICMP_UNREACH ICMP_DEST_UNREACH
+# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
+# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
+# define ICMP_PARAMPROB ICMP_PARAMETERPROB
+# define icmp icmphdr
+# define icmp_type type
+# define icmp_code code
+
+# define TH_FIN 0x01
+# define TH_SYN 0x02
+# define TH_RST 0x04
+# define TH_PUSH 0x08
+# define TH_ACK 0x10
+# define TH_URG 0x20
+
+typedef struct {
+ __u16 th_sport;
+ __u16 th_dport;
+ __u32 th_seq;
+ __u32 th_ack;
+ __u8 th_x;
+ __u8 th_flags;
+ __u16 th_win;
+ __u16 th_sum;
+ __u16 th_urp;
+} tcphdr_t;
+
+typedef struct {
+# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
+ defined(vax)
+ __u8 ip_hl:4;
+ __u8 ip_v:4;
+# else
+ __u8 ip_hl:4;
+ __u8 ip_v:4;
+# endif
+ __u8 ip_tos;
+ __u16 ip_len;
+ __u16 ip_id;
+ __u16 ip_off;
+ __u8 ip_ttl;
+ __u8 ip_p;
+ __u16 ip_sum;
+ __u32 ip_src;
+ __u32 ip_dst;
+} ip_t;
+
+# define SPLX(x) ;
+# define SPLNET(x) ;
+
+# define bcopy(a,b,c) memmove(b,a,c)
+# define bcmp(a,b,c) memcmp(a,b,c)
+
+# define UNITNAME(n) dev_get((n))
+# define ifnet device
+
+# define KMALLOC(x) kmalloc((x), GFP_ATOMIC)
+# define KFREE(x) kfree_s((x), sizeof(*(x)))
+# define IRCOPY(a,b,c) { \
+ error = verify_area(VERIFY_READ, \
+ (b) ,sizeof((b))); \
+ if (!error) \
+ memcpy_fromfs((b), (a), (c)); \
+ }
+# define IWCOPY(a,b,c) { \
+ error = verify_area(VERIFY_WRITE, \
+ (b) ,sizeof((b))); \
+ if (!error) \
+ memcpy_tofs((b), (a), (c)); \
+ }
+#else
+
+typedef struct tcphdr tcphdr_t;
+typedef struct ip ip_t;
+
+# if SOLARIS
+# define MTOD(m,t) (t)((m)->b_rptr)
+# define IRCOPY(a,b,c) copyin((a), (b), (c))
+# define IWCOPY(a,b,c) copyout((a), (b), (c))
+# ifdef _KERNEL
+typedef struct qif {
+ struct qif *qf_next;
+ ill_t *qf_ill;
+ kmutex_t qf_lock;
+ void *qf_iptr;
+ void *qf_optr;
+ queue_t *qf_in;
+ queue_t *qf_out;
+ void *qf_wqinfo;
+ void *qf_rqinfo;
+ char qf_name[8];
+ int (*qf_inp)();
+ int (*qf_outp)();
+ /*
+ * in case the ILL has disappeared...
+ */
+ int qf_hl; /* header length */
+} qif_t;
+# endif /* _KERNEL */
+# else
+# define MTOD(m,t) mtod(m,t)
+# define IRCOPY(a,b,c) bcopy((a), (b), (c))
+# define IWCOPY(a,b,c) bcopy((a), (b), (c))
+# endif /* SOLARIS */
+# ifdef _KERNEL
+# if defined(NetBSD1_0) && (NetBSD1_0 > 1)
+# define SPLNET(x) x = splsoftnet()
+# else
+# if SOLARIS
+# define SPLNET(x) ;
+# else
+# define SPLNET(x) x = splnet()
+# endif
+# endif
+# ifdef SPLX
+# undef SPLX
+# endif
+# if SOLARIS
+# define SPLX(x) ;
+# else
+# define SPLX(x) (void) splx(x)
+# endif
+# else
+# define SPLNET(x) ;
+# define SPLX(x) ;
+# endif /* KERNEL */
+
+# ifdef sun
+# if !defined(__sysv__) && !defined(__SVR4)
+# define GETUNIT(n) ifunit((n), IFNAMSIZ)
+# endif
+# else
+# define GETUNIT(n) ifunit((n))
+# endif /* sun */
+extern struct ifnet *ifunit();
+#endif /* linux */
+
+#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
+
+/*#define IPOPT_RR 7 */
+#define IPOPT_ZSU 10 /* ZSU */
+#define IPOPT_MTUP 11 /* MTUP */
+#define IPOPT_MTUR 12 /* MTUR */
+#define IPOPT_ENCODE 15 /* ENCODE */
+/*#define IPOPT_TS 68 */
+#define IPOPT_TR 82 /* TR */
+/*#define IPOPT_SECURITY 130 */
+/*#define IPOPT_LSRR 131 */
+#define IPOPT_E_SEC 133 /* E-SEC */
+#define IPOPT_CIPSO 134 /* CIPSO */
+/*#define IPOPT_SATID 136 */
+#ifndef IPOPT_SID
+# define IPOPT_SID IPOPT_SATID
+#endif
+/*#define IPOPT_SSRR 137 */
+#define IPOPT_ADDEXT 147 /* ADDEXT */
+#define IPOPT_VISA 142 /* VISA */
+#define IPOPT_IMITD 144 /* IMITD */
+#define IPOPT_EIP 145 /* EIP */
+#define IPOPT_FINN 205 /* FINN */
+
+#ifndef ICMP_UNREACH_FILTER
+#define ICMP_UNREACH_FILTER 13
+#endif
+/*
+ * Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
+ *
+ * Basic Option
+ *
+ * 00000001 - (Reserved 4)
+ * 00111101 - Top Secret
+ * 01011010 - Secret
+ * 10010110 - Confidential
+ * 01100110 - (Reserved 3)
+ * 11001100 - (Reserved 2)
+ * 10101011 - Unclassified
+ * 11110001 - (Reserved 1)
+ */
+#define IPSO_CLASS_RES4 0x01
+#define IPSO_CLASS_TOPS 0x3d
+#define IPSO_CLASS_SECR 0x5a
+#define IPSO_CLASS_CONF 0x96
+#define IPSO_CLASS_RES3 0x66
+#define IPSO_CLASS_RES2 0xcc
+#define IPSO_CLASS_UNCL 0xab
+#define IPSO_CLASS_RES1 0xf1
+
+#define IPSO_AUTH_GENSER 0x80
+#define IPSO_AUTH_ESI 0x40
+#define IPSO_AUTH_SCI 0x20
+#define IPSO_AUTH_NSA 0x10
+#define IPSO_AUTH_DOE 0x08
+#define IPSO_AUTH_UN 0x06
+#define IPSO_AUTH_FTE 0x01
+
+#endif /* __IP_FIL_H__ */
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index f7797d04a28..897583fcfb4 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -82,6 +82,10 @@ u_char ip_protox[IPPROTO_MAX];
int ipqmaxlen = IFQ_MAXLEN;
struct in_ifaddrhead in_ifaddr;
struct ifqueue ipintrq;
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+int fr_nullcheck();
+int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int)) = fr_nullcheck;
+#endif
char *
inet_ntoa(ina)
@@ -231,6 +235,14 @@ next:
m_adj(m, ip->ip_len - m->m_pkthdr.len);
}
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * Check if we want to allow this packet to be processed.
+ * Consider it to be bad if not.
+ */
+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0))
+ goto bad;
+#endif
/*
* Process options and, if not destined for us,
* ship it on. ip_dooptions returns 1 when an
@@ -1173,3 +1185,10 @@ ip_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
}
/* NOTREACHED */
}
+
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+int fr_nullcheck()
+{
+ return 0;
+}
+#endif
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 2362ebe3f07..7e7d7097b37 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -60,6 +60,9 @@
static struct mbuf *ip_insertoptions __P((struct mbuf *, struct mbuf *, int *));
static void ip_mloopback
__P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int));
+#endif
/*
* IP output. The packet in mbuf chain m contains a skeletal IP
@@ -276,6 +279,16 @@ ip_output(m0, opt, ro, flags, imo)
} else
m->m_flags &= ~M_BCAST;
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * looks like most checking has been done now...do a filter check
+ */
+ if ((*fr_checkp)(ip, hlen, ifp, 1))
+ {
+ error = EHOSTUNREACH;
+ goto bad;
+ }
+#endif
sendit:
/*
* If small enough for interface, can just send directly.
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-17 02:59:10 +0000