author | ugen <ugen@FreeBSD.org> | 1995-01-12 13:06:32 +0000 |
---|---|---|
committer | ugen <ugen@FreeBSD.org> | 1995-01-12 13:06:32 +0000 |
commit | dd3cca2bda9d3ca703f747b3b0b0e7ba3826e268 (patch) | |
tree | e08a527d927cd2352bf9634b2b9f5675613a97fe | |
parent | fb7c07cbe772b3ba04eb95bdebe04e365f18d72f (diff) | |
download | FreeBSD-src-dd3cca2bda9d3ca703f747b3b0b0e7ba3826e268.zip FreeBSD-src-dd3cca2bda9d3ca703f747b3b0b0e7ba3826e268.tar.gz |
Actual firewall change.
1) Firewall is not subdivided on forwarding / blocking chains
anymore. Actually only one chain is left - it was the blocking one.
2) LKM support. ip_fwdef.c is the function pointers definition and
goes into kernel along with all INET stuff.
-rw-r--r-- | sys/netinet/ip_fw.c | 60 | ||||
-rw-r--r-- | sys/netinet/ip_fw.h | 39 | ||||
-rw-r--r-- | sys/netinet/ip_fwdef.c | 47 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 42 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 13 | ||||
-rw-r--r-- | sys/netinet/raw_ip.c | 32 |
6 files changed, 125 insertions, 108 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 10a1eb1..38e5695 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -42,16 +42,6 @@
 #include <netinet/ip_fw.h>
-#ifdef IPFIREWALL
-struct ip_fw *ip_fw_fwd_chain;
-struct ip_fw *ip_fw_blk_chain;
-u_short ip_fw_policy=0;
-#endif
-#ifdef IPACCT
-struct ip_fw *ip_acct_chain;
-#endif
-
-
 #ifdef IPFIREWALL_DEBUG
 #define dprintf1(a) printf(a)
 #define dprintf2(a1,a2) printf(a1,a2)
@@ -76,20 +66,6 @@ struct ip_fw *ip_acct_chain;
 #define dprint_ip(a)
 #endif
-/*
-inline
-void
-print_ip(xaddr)
-struct in_addr xaddr;
-{
- u_long addr = ntohl(xaddr.s_addr);
- printf("%d.%d.%d.%d",(addr>>24) & 0xff,
- (addr>>16)&0xff,
- (addr>>8)&0xff,
- addr&0xFF);
-}
-*/
-
 /*
  * Returns 1 if the port is matched by the vector, 0 otherwise
@@ -931,8 +907,7 @@ struct mbuf *m;
 {
 if ( stage == IP_FW_FLUSH ) {
- free_fw_chain(&ip_fw_blk_chain);
- free_fw_chain(&ip_fw_fwd_chain);
+ free_fw_chain(&ip_fw_chain);
 return(0);
 }
@@ -954,40 +929,29 @@ if ( stage == IP_FW_POLICY )
 /*
  * Here we really working hard-adding new elements
- * to blocking/forwarding chains or deleting'em
+ * to firewall chain or deleting'em
  */
-if ( stage == IP_FW_ADD_BLK
- || stage == IP_FW_ADD_FWD
- || stage == IP_FW_DEL_BLK
- || stage == IP_FW_DEL_FWD
- ) {
+if ( stage == IP_FW_ADD ||
+ stage == IP_FW_DEL ) {
 struct ip_fw *frwl;
- frwl=check_ipfw_struct(m);
- if (frwl==NULL)
- return (EINVAL);
-#ifdef nenado
 if (!(frwl=check_ipfw_struct(m)))
 return (EINVAL);
-#endif
 switch (stage) {
- case IP_FW_ADD_BLK:
- return(add_entry(&ip_fw_blk_chain,frwl));
- case IP_FW_ADD_FWD:
- return(add_entry(&ip_fw_fwd_chain,frwl));
- case IP_FW_DEL_BLK:
- return(del_entry(&ip_fw_blk_chain,frwl));
- case IP_FW_DEL_FWD:
- return(del_entry(&ip_fw_fwd_chain,frwl));
+ case IP_FW_ADD:
+ return(add_entry(&ip_fw_chain,frwl));
+ case IP_FW_DEL:
+ return(del_entry(&ip_fw_chain,frwl));
 default:
- /*
- * Should be panic but...
- */
+#ifdef DIAGNOSTICS
+ panic("Can't happen");
+#else
 dprintf2("ip_fw_ctl: unknown request %d\n",stage);
 return(EINVAL);
+#endif
 }
 }
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index 7362c11..132dc84 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -69,10 +69,8 @@ struct ip_fw {
  */
 #define IP_FW_BASE_CTL 53
-#define IP_FW_ADD_BLK (IP_FW_BASE_CTL)
-#define IP_FW_ADD_FWD (IP_FW_BASE_CTL+1)
-#define IP_FW_DEL_BLK (IP_FW_BASE_CTL+4)
-#define IP_FW_DEL_FWD (IP_FW_BASE_CTL+5)
+#define IP_FW_ADD (IP_FW_BASE_CTL)
+#define IP_FW_DEL (IP_FW_BASE_CTL+4)
 #define IP_FW_FLUSH (IP_FW_BASE_CTL+6)
 #define IP_FW_POLICY (IP_FW_BASE_CTL+7)
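Review bot: The `#ifdef DIAGNOSTICS` guarding the new `panic("Can't happen");` in the default: arm of ip_fw_ctl is most likely never defined: the kernel option that BSD-derived kernels spell is `DIAGNOSTIC` (no trailing s), so the panic arm is dead and the `dprintf2`/`return(EINVAL)` arm is what compiles regardless of kernel config; if that option is what is meant, the line should read `#ifdef DIAGNOSTIC`. The default: label is also unreachable by construction, because the enclosing `if ( stage == IP_FW_ADD || stage == IP_FW_DEL )` admits only the two handled cases; a one-line comment such as `/* unreachable: the enclosing if admits only IP_FW_ADD and IP_FW_DEL */` would spare the next reader the question. ip_fw_ctl begins and ends outside this hunk.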
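Review bot: `IP_FW_DEL` keeps the old IP_FW_DEL_BLK value `(IP_FW_BASE_CTL+4)` while +1, +2, +3 and +5 become unassigned, and nothing records why the numbering is left with holes. A userland binary built against the previous header still sends the IP_FW_ADD_FWD/IP_FW_DEL_FWD codes (+1 and +5), which after this commit match no case in rip_ctloutput and so fall to that switch's default, which is outside the hunks shown. A comment on the gap, `/* +1..+3 and +5: former per-chain ADD/DEL codes, left unassigned so stale binaries are not aliased onto a new request */`, records the intent and keeps a later addition from reusing them.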
@@ -94,14 +92,33 @@ struct ip_fw {
  * Main firewall chains definitions and global var's definitions.
  */
 #ifdef KERNEL
-#ifdef IPFIREWALL
-extern struct ip_fw *ip_fw_blk_chain;
-extern struct ip_fw *ip_fw_fwd_chain;
+
+/*
+ * Variables/chain.
+ */
+extern struct ip_fw *ip_fw_chain;
 extern u_short ip_fw_policy;
-#endif
-#ifdef IPACCT
-extern struct ip_fw *ip_acct_chain;
-#endif
+
+extern struct ip_fw *ip_acct_chain;
+
+/*
+ * Function pointers.
+ */
+extern int (*ip_fw_chk_ptr)(struct ip *,struct ifnet *,struct ip_fw *);
+extern int (*ip_fw_ctl_ptr)(int,struct mbuf *);
+
+extern void (*ip_acct_cnt_ptr)(struct ip *,struct ifnet *,struct ip_fw *,int);
+extern int (*ip_acct_ctl_ptr)(int,struct mbuf *);
+
+/*
+ * Function definitions.
+ */
+int ip_fw_chk(struct ip *,struct ifnet *,struct ip_fw *);
+int ip_fw_ctl(int,struct mbuf *);
+
+void ip_acct_cnt(struct ip *,struct ifnet *,struct ip_fw *,int);
+int ip_acct_ctl(int,struct mbuf *);
+
 #endif /* KERNEL */
 #endif /* _IP_FW_H */
diff --git a/sys/netinet/ip_fwdef.c b/sys/netinet/ip_fwdef.c
new file mode 100644
index 0000000..4b6e6f0
--- /dev/null
+++ b/sys/netinet/ip_fwdef.c
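Review bot: The four new `*_ptr` declarations carry no statement of their contract, yet ip_input.c, ip_output.c and raw_ip.c in this same commit all compare them with NULL and skip the firewall or accounting step entirely when they are NULL. That fail-open default belongs next to the declaration, e.g. `/* NULL until the firewall/accounting LKM installs its entry points; callers skip the step when NULL (packets pass unfiltered, ctl requests fail). */`. The same comment should say who owns `ip_fw_chain` and `ip_acct_chain`, since the pointer and the chain it walks are set independently and nothing visible in these hunks keeps the two consistent.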
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1993 Daniel Boulet
+ * Copyright (c) 1994 Ugen J.S.Antsilevich
+ *
+ * Redistribution and use in source forms, with and without modification,
+ * are permitted provided that this entire comment appears intact.
+ *
+ * Redistribution in binary form may occur without any restrictions.
+ * Obviously, it would be nice if you gave credit where credit is due
+ * but requiring it would be too onerous.
+ *
+ * This software is provided ``AS IS'' without any warranties of any kind.
+ */
+
+/*
+ * Dumb definitions which needed when
+ * firewall/accounting module is not loaded.
+ */
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/domain.h>
+#include <sys/socket.h>
+#include <sys/errno.h>
+#include <sys/time.h>
+#include <sys/kernel.h>
+
+#include <net/if.h>
+#include <net/route.h>
+
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+
+#include <netinet/ip_fw.h>
+
+struct ip_fw *ip_fw_chain=NULL;
+u_short ip_fw_policy=0;
+
+struct ip_fw *ip_acct_chain=NULL;
+
+int (*ip_fw_chk_ptr)(struct ip *,struct ifnet *,struct ip_fw *)=NULL;
+int (*ip_fw_ctl_ptr)(int,struct mbuf *)=NULL;
+
+void (*ip_acct_cnt_ptr)(struct ip *,struct ifnet *,struct ip_fw *,int)=NULL;
+int (*ip_acct_ctl_ptr)(int,struct mbuf *)=NULL;
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index cb5ae5f..f7a9818 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.13 1994/12/13 23:08:11 wollman Exp $
+ * $Id: ip_input.c,v 1.14 1994/12/14 19:06:37 wollman Exp $
  */
 #include <sys/param.h>
@@ -56,12 +56,7 @@
 #include <netinet/ip_var.h>
 #include <netinet/ip_icmp.h>
-#ifdef IPFIREWALL
 #include <netinet/ip_fw.h>
-#endif
-#ifdef IPACCT
-#include <netinet/ip_fw.h>
-#endif
 #include <sys/socketvar.h>
 struct socket *ip_rsvpd;
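Review bot: The file comment `Dumb definitions which needed when firewall/accounting module is not loaded` undersells what this file now holds: the first ip_fw.c hunk removes the definitions of ip_fw_chain, ip_fw_policy and ip_acct_chain, so the globals defined here are the kernel's only copies and are the live rule chains and policy whether or not the module is loaded. Suggested wording: `Storage for the firewall/accounting state and for the LKM entry points: the function pointers stay NULL until the module is loaded; the chains and the policy are the live state once it is.` A one-line comment on what `ip_fw_policy=0` selects would also help, since the meaning of that value is not visible in this file.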
@@ -237,13 +232,21 @@ next:
 } else
 m_adj(m, ip->ip_len - m->m_pkthdr.len);
 }
-
-#ifdef IPFIREWALL
- if ( ((char *)&(ip->ip_dst.s_addr))[0] != 127
- && !ip_fw_chk(ip,m->m_pkthdr.rcvif,ip_fw_blk_chain) ) {
- goto bad;
- }
-#endif
+ /*
+ * IpHack's section.
+ * Right now when no processing on packet has done
+ * and it is still fresh out of network we do our black
+ * deals with it.
+ * - Firewall: deny/allow
+ * - Wrap: fake packet's addr/port <unimpl.>
+ * - Encapsulate: put it in another IP and send out. <unimp.>
+ */
+
+ if (ip_fw_chk_ptr!=NULL)
+ if (((char *)&(ip->ip_dst.s_addr))[0] != 127
+ && !(*ip_fw_chk_ptr)(ip,m->m_pkthdr.rcvif,ip_fw_chain) ) {
+ goto bad;
+ }
 /*
  * Process options and, if not destined for us,
@@ -356,7 +359,6 @@ next:
 ours:
-#ifdef IPACCT
 /*
  * If packet came to us we count it...
  * This way we count all incoming packets which has
@@ -364,8 +366,8 @@ ours:
  * Do not convert ip_len to host byte order when
  * counting,ppl already made it for us before..
  */
- ip_acct_cnt(ip,m->m_pkthdr.rcvif,ip_acct_chain,0);
-#endif
+ if (ip_acct_cnt_ptr!=NULL)
+ (*ip_acct_cnt_ptr)(ip,m->m_pkthdr.rcvif,ip_acct_chain,0);
 /*
  * If offset or IP_MF are set, must reassemble.
@@ -1049,14 +1051,6 @@ ip_forward(m, srcrt)
 ip->ip_src.s_addr, ip->ip_dst.s_addr, ip->ip_ttl);
 #endif
-#ifdef IPFIREWALL
- if ( ((char *)&(ip->ip_dst.s_addr))[0] != 127
- && !ip_fw_chk(ip, m->m_pkthdr.rcvif, ip_fw_fwd_chain) ) {
- ipstat.ips_cantforward++;
- m_freem(m);
- return;
- }
-#endif
 if (m->m_flags & M_BCAST || in_canforward(ip->ip_dst) == 0) {
 ipstat.ips_cantforward++;
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index da1a29a..5d7537d 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  * @(#)ip_output.c 8.3 (Berkeley) 1/21/94
- * $Id: ip_output.c,v 1.10 1994/12/12 17:20:54 ugen Exp $
+ * $Id: ip_output.c,v 1.11 1994/12/13 23:08:12 wollman Exp $
  */
 #include <sys/param.h>
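Review bot: The new input-path hook `if (ip_fw_chk_ptr!=NULL) if (...)` accepts every packet whenever the pointer is NULL, which is the state whenever the module is not loaded, and the nine-line comment block above it does not say so; add ` * When ip_fw_chk_ptr is NULL (module not loaded) nothing is filtered and the packet is accepted.` to that block. The two nested unbraced ifs are also the shape that invites a misplaced else later; folding the pointer test into one condition reads cleaner: `if (ip_fw_chk_ptr != NULL && ((char *)&(ip->ip_dst.s_addr))[0] != 127 && !(*ip_fw_chk_ptr)(ip, m->m_pkthdr.rcvif, ip_fw_chain)) {`. The last hunk in this file drops the ip_forward hook without a replacement, so forwarded packets are now screened only by this input-path call; the same comment block is the place to say that, so nobody looks for a forwarding hook later.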
@@ -53,12 +53,7 @@
 #include <netinet/in_var.h>
 #include <netinet/ip_var.h>
-#ifdef IPFIREWALL
 #include <netinet/ip_fw.h>
-#endif
-#ifdef IPACCT
-#include <netinet/ip_fw.h>
-#endif
 #ifdef vax
 #include <machine/mtpr.h>
@@ -417,7 +412,6 @@ sendorfree:
 done:
 if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt)
 RTFREE(ro->ro_rt);
-#ifdef IPACCT
 /*
  * Count outgoing packet,here we count both our packets and
  * those we forward.
@@ -426,8 +420,9 @@ done:
  * This is locally generated packet so it has not
  * incoming interface.
  */
- ip_acct_cnt(ip,NULL,ip_acct_chain,1);
-#endif
+ if (ip_acct_cnt_ptr!=NULL)
+ (*ip_acct_cnt_ptr)(ip,NULL,ip_acct_chain,1);
+
 return (error);
 bad:
 m_freem(m0);
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index c02cf40a..8dcdb97 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  * @(#)raw_ip.c 8.2 (Berkeley) 1/4/94
- * $Id: raw_ip.c,v 1.10 1994/12/13 15:57:34 ugen Exp $
+ * $Id: raw_ip.c,v 1.11 1995/01/12 10:53:25 davidg Exp $
  */
 #include <sys/param.h>
@@ -53,12 +53,7 @@
 #include <netinet/ip_mroute.h>
 #include <netinet/in_pcb.h>
-#ifdef IPFIREWALL
 #include <netinet/ip_fw.h>
-#endif
-#ifdef IPACCT
-#include <netinet/ip_fw.h>
-#endif
 struct inpcb rawinpcb;
@@ -214,39 +209,44 @@ rip_ctloutput(op, so, level, optname, m)
 }
 break;
-#ifdef IPFIREWALL
- case IP_FW_ADD_BLK:
- case IP_FW_ADD_FWD:
- case IP_FW_DEL_BLK:
- case IP_FW_DEL_FWD:
+ case IP_FW_ADD:
+ case IP_FW_DEL:
 case IP_FW_FLUSH:
 case IP_FW_POLICY:
+ if (ip_fw_ctl_ptr==NULL) {
+ if (*m)
+ (void)m_free(*m);
+ return(EINVAL);
+ }
 if (op == PRCO_SETOPT) {
- error=ip_fw_ctl(optname, *m);
+ error=(*ip_fw_ctl_ptr)(optname, *m);
 if (*m)
 (void)m_free(*m);
 } else
 error=EINVAL;
 return(error);
-#endif
-#ifdef IPACCT
+
 case IP_ACCT_DEL:
 case IP_ACCT_ADD:
 case IP_ACCT_CLR:
 case IP_ACCT_FLUSH:
 case IP_ACCT_ZERO:
+ if (ip_acct_ctl_ptr==NULL) {
+ if (*m)
+ (void)m_free(*m);
+ return(EINVAL);
+ }
 if (op = PRCO_SETOPT) {
- error=ip_acct_ctl(optname, *m);
+ error=(*ip_acct_ctl_ptr)(optname, *m);
 if (*m)
 (void)m_free(*m);
 } else
 error=EINVAL;
 return(error);
-#endif
 case IP_RSVP_ON:
 error = ip_rsvp_init(so);
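Review bot: The new `if (ip_fw_ctl_ptr==NULL)` block frees `*m` and returns EINVAL for every op, whereas the existing code directly below it frees `*m` only on PRCO_SETOPT and leaves it untouched on the PRCO_GETOPT path, so with the module unloaded a get request now has its mbuf freed where the loaded case would not touch it; whether that is harmless depends on how the caller treats `*m` for PRCO_GETOPT, which is outside the hunk. Folding the test into the existing branch keeps the two paths identical apart from the error code: `error = ip_fw_ctl_ptr ? (*ip_fw_ctl_ptr)(optname, *m) : EINVAL;` inside the `if (op == PRCO_SETOPT) {` arm, and likewise with ip_acct_ctl_ptr for the IP_ACCT_* cases. Returning EINVAL also makes "module not loaded" indistinguishable from "rejected rule" to userland; a distinct errno for the unloaded case would let the caller report the right thing. Separately, the context line `if (op = PRCO_SETOPT) {` in the accounting case is an assignment rather than a comparison, so a PRCO_GETOPT request there is handled as a set; it predates this commit, but the new NULL check now sits directly above it and `if (op == PRCO_SETOPT) {` is the one-token fix. rip_ctloutput begins before this hunk.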