author | guido <guido@FreeBSD.org> | 2000-02-09 20:56:36 +0000 |
---|---|---|
committer | guido <guido@FreeBSD.org> | 2000-02-09 20:56:36 +0000 |
commit | 2fb4ae435fb81cf80118686a2955f9c3f4ef8e23 (patch) | |
tree | 3d20f7e5c636b91e4f4bbaccef1029fdcf11fb85 | |
parent | 0af99ab61af5d653b7d579370f26db7241b9aeae (diff) | |
Bring over ipfilter v3_3_8 kernel sources, including merging the
local modifications.
Also fix initializing fr_running in KLD case.
Rename ipl_inited to fr_running in mlfk_ipl
Approved by: jkh
40 files changed, 216 insertions, 186 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index cb069f8..00187cd 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -7,8 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -/*static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.14 1999/12/07 12:53:40 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $"; #endif #include <sys/errno.h> @@ -20,10 +19,8 @@ static const char rcsid[] = "@(#)$FreeBSD$"; defined(_KERNEL) # include "opt_ipfilter_log.h" #endif -#if ((defined(KERNEL) && defined(__FreeBSD_version) && \ - (__FreeBSD_version >= 220000)) || \ - (defined(_KERNEL) && defined(__FreeBSD_version) && \ - (__FreeBSD_version >= 40013))) +#if defined(_KERNEL) && defined(__FreeBSD_version) && \ + (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> #else @@ -248,6 +245,12 @@ fr_info_t *fin; if (!off && (icmp->icmp_type == ICMP_ECHOREPLY || icmp->icmp_type == ICMP_ECHO)) minicmpsz = ICMP_MINLEN; + if (!off && (icmp->icmp_type == ICMP_TSTAMP || + icmp->icmp_type == ICMP_TSTAMPREPLY)) + minicmpsz = 20; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */ + if (!off && (icmp->icmp_type == ICMP_MASKREQ || + icmp->icmp_type == ICMP_MASKREPLY)) + minicmpsz = 12; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */ if ((!(ip->ip_len >= hlen + minicmpsz) && !off) || (off && off < sizeof(struct icmp))) fi->fi_fl |= FI_SHORT; @@ -691,6 +694,9 @@ int out; READ_ENTER(&ipf_mutex); + if (fin->fin_fi.fi_fl & FI_SHORT) + ATOMIC_INC(frstats[out].fr_short); + /* * Check auth now. This, combined with the check below to see if apass * is 0 is to ensure that we don't count the packet twice, which can 
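Review bot: The new minimum sizes in the ICMP_TSTAMP and ICMP_MASKREQ branches of the @@ -248 hunk are bare literals, 20 and 12, while the ECHO branch two lines above expresses the same idea through ICMP_MINLEN; writing them as `minicmpsz = ICMP_MINLEN + 12;` and `minicmpsz = ICMP_MINLEN + 4;` keeps the shared 8-byte type/code/cksum/id/seq prefix in one place and lets the trailing comments name only the three timestamps and the mask. The same hunk is repeated in the sys/netinet/fil.c copy of this file further down. The enclosing function starts and ends outside the hunk.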
@@ -1181,7 +1187,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.3.2.14 1999/12/07 12:53:40 darrenr Exp $ + * $Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1582,7 +1588,10 @@ void frsync() # else for (ifp = ifnet; ifp; ifp = ifp->if_next) # endif + { ip_natsync(ifp); + ip_statesync(ifp); + } # endif WRITE_ENTER(&ipf_mutex); diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c index 0490510..6b980be 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.c +++ b/sys/contrib/ipfilter/netinet/ip_auth.c @@ -6,8 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -/*static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.1 1999/09/28 11:44:04 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.2 2000/01/16 10:12:14 darrenr Exp $"; #endif #include <sys/errno.h> @@ -20,8 +19,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <stdlib.h> # include <string.h> #endif -#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \ - (defined(_KERNEL) && (__FreeBSD_version >= 40013))) +#if defined(_KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> #else @@ -32,7 +30,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <sys/protosw.h> #endif #include <sys/socket.h> -#if defined(_KERNEL) && !defined(linux) +#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux) # include <sys/systm.h> #endif #if !defined(__SVR4) && !defined(__svr4__) @@ -398,7 +396,7 @@ fr_authioctlloop: # if SOLARIS error = fr_qout(fr_auth[i].fra_q, m); # else /* SOLARIS */ -# if _BSDI_VERSION >= 199802 +# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); # else 
diff --git a/sys/contrib/ipfilter/netinet/ip_auth.h b/sys/contrib/ipfilter/netinet/ip_auth.h index e6b5a59..46b8d92 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.h +++ b/sys/contrib/ipfilter/netinet/ip_auth.h @@ -6,7 +6,6 @@ * to the original author and the contributors. * * $Id: ip_auth.h,v 2.1 1999/08/04 17:29:54 darrenr Exp $ - * $FreeBSD$ * */ #ifndef __IP_AUTH_H__ diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h index 0c8242d..318ef2f 100644 --- a/sys/contrib/ipfilter/netinet/ip_compat.h +++ b/sys/contrib/ipfilter/netinet/ip_compat.h @@ -7,7 +7,6 @@ * * @(#)ip_compat.h 1.8 1/14/96 * $Id: ip_compat.h,v 2.1.2.3 1999/11/18 13:55:26 darrenr Exp $ - * $FreeBSD$ */ #ifndef __IP_COMPAT_H__ diff --git a/sys/contrib/ipfilter/netinet/ip_fil.c b/sys/contrib/ipfilter/netinet/ip_fil.c index 902e3f7..2efeabd 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.c +++ b/sys/contrib/ipfilter/netinet/ip_fil.c @@ -7,8 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -/*static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.14 1999/12/11 05:31:08 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.16 2000/01/16 10:12:42 darrenr Exp $"; #endif #ifndef SOLARIS @@ -127,7 +126,6 @@ extern int tcp_ttl; # endif #endif -int ipl_inited = 0; int ipl_unreach = ICMP_UNREACH_FILTER; u_long ipl_frouteok[2] = {0, 0}; @@ -159,11 +157,7 @@ static int write_output __P((struct ifnet *, struct mbuf *, struct sockaddr *, struct rtentry *)); # endif #endif -#if defined(IPFILTER_LKM) -int fr_running = 1; -#else int fr_running = 0; -#endif #if (__FreeBSD_version >= 300000) && defined(_KERNEL) struct callout_handle ipfr_slowtimer_ch; 
@@ -231,7 +225,7 @@ int iplattach() # endif SPL_NET(s); - if (ipl_inited || (fr_checkp == fr_check)) { + if (fr_running || (fr_checkp == fr_check)) { printf("IP Filter: already initialized\n"); SPL_X(s); return EBUSY; @@ -259,7 +253,6 @@ int iplattach() } # endif - ipl_inited = 1; bzero((char *)frcache, sizeof(frcache)); fr_savep = fr_checkp; fr_checkp = fr_check; @@ -287,6 +280,7 @@ int iplattach() timeout(ipfr_slowtimer, NULL, hz/2); # endif #endif + fr_running = 1; return 0; } @@ -311,18 +305,16 @@ int ipldetach() # endif #endif SPL_NET(s); - if (!ipl_inited) + if (!fr_running) { printf("IP Filter: not initialized\n"); SPL_X(s); return 0; } - printf("IP Filter: unloaded\n"); - fr_checkp = fr_savep; i = frflush(IPL_LOGIPF, i); - ipl_inited = 0; + fr_running = 0; # ifdef NETBSD_PF pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT); @@ -415,11 +407,15 @@ int mode; SPL_NET(s); if (unit == IPL_LOGNAT) { + if (!fr_running) + return EIO; error = nat_ioctl(data, cmd, mode); SPL_X(s); return error; } if (unit == IPL_LOGSTATE) { + if (!fr_running) + return EIO; error = fr_state_ioctl(data, cmd, mode); SPL_X(s); return error; @@ -440,15 +436,10 @@ int mode; error = EPERM; else { IRCOPY(data, (caddr_t)&enable, sizeof(enable)); - if (enable) { + if (enable) error = iplattach(); - if (error == 0) - fr_running = 1; - } else { + else error = ipldetach(); - if (error == 0) - fr_running = 0; - } } break; } @@ -705,13 +696,15 @@ caddr_t data; } if (!f) { - if (req != SIOCINAFR || req != SIOCINIFR) + if (req != SIOCINAFR && req != SIOCINIFR) while ((f = *ftail)) ftail = &f->fr_next; else { - if (fp->fr_hits) + if (fp->fr_hits) { + ftail = fprev; while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; + } f = NULL; } } 
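Review bot: The ipldetach hunk at @@ -311 drops `fr_checkp = fr_savep;` together with the "unloaded" printf and nothing in the hunk reinstates it, so after a detach the fr_check hook would stay installed unless the restore now happens further down in ipldetach outside this hunk; please confirm that, and if it does not, put the line back after `fr_running = 0;`. The hook is also still active while frflush() runs and fr_running is cleared, so fr_check must behave when fr_running is 0 and the hook is installed — presumably it already returns early in that case, but that is not visible here. ipldetach ends outside the hunk, and the sys/netinet/ip_fil.c copy carries the same hunk.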
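Review bot: The two new `if (!fr_running) return EIO;` guards in the iplioctl hunk at @@ -415 sit after `SPL_NET(s);` but return without the `SPL_X(s);` that every other exit from the IPL_LOGNAT and IPL_LOGSTATE branches performs, so a NAT or state ioctl issued while the filter is detached leaves the network spl raised on kernels where SPL_NET is a real splnet(). Change both to `if (!fr_running) { SPL_X(s); return EIO; }`, or fold them into `error = fr_running ? nat_ioctl(data, cmd, mode) : EIO;` (and the fr_state_ioctl equivalent) so the existing `SPL_X(s); return error;` is reached. The same two guards appear again in the sys/netinet/ip_fil.c copy. iplioctl starts and ends outside the hunk.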
@@ -947,7 +940,11 @@ ip_t *ip; # if _BSDI_VERSION >= 199802 return ip_output(m, (struct mbuf *)0, &ro, 0, 0, NULL); # else +# if defined(__OpenBSD__) + return ip_output(m, (struct mbuf *)0, 0, 0, 0, NULL); +# else return ip_output(m, (struct mbuf *)0, 0, 0, 0); +# endif # endif # endif } diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h index 3458922..aa42f2f 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.h +++ b/sys/contrib/ipfilter/netinet/ip_fil.h @@ -6,8 +6,7 @@ * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.3.2.6 1999/12/17 12:58:16 darrenr Exp $ - * $FreeBSD$ + * $Id: ip_fil.h,v 2.3.2.7 2000/01/27 08:49:41 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -83,8 +82,8 @@ #define SIOCINSFR SIOCINAFR typedef struct fr_ip { - u_int fi_v:4; /* IP version */ - u_int fi_fl:4; /* packet flags */ + u_char fi_v:4; /* IP version */ + u_char fi_fl:4; /* packet flags */ u_char fi_tos; /* IP packet TOS */ u_char fi_ttl; /* IP packet TTL */ u_char fi_p; /* IP packet protocol */ @@ -272,6 +271,7 @@ typedef struct filterstats { u_long fr_pass; /* packets allowed */ u_long fr_block; /* packets denied */ u_long fr_nom; /* packets which don't match any rule */ + u_long fr_short; /* packets which are short */ u_long fr_ppkl; /* packets allowed and logged */ u_long fr_bpkl; /* packets denied and logged */ u_long fr_npkl; /* packets unmatched and logged */ @@ -427,7 +427,6 @@ typedef struct ipflog { #ifndef _KERNEL -struct ifnet; extern int fr_check __P((ip_t *, int, void *, int, mb_t **)); extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); extern int send_reset __P((ip_t *, struct ifnet *)); 
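Review bot: fr_ip and filterstats in ip_fil.h presumably cross the kernel/userland boundary through the ipf ioctls, and both the @@ -83 hunk (fi_v/fi_fl from `u_int` to `u_char` bit-fields) and the @@ -272 hunk (fr_short inserted mid-struct) change their layout, so userland tools built against the previous header will read shifted fields; the IPL_VERSION bump to v3.3.8 is the only marker of that, so a comment on the new line such as `u_long fr_short; /* packets which are short (3.3.8: shifts the fields below) */` would warn the next maintainer. Bit-fields of a type other than int/unsigned/_Bool are implementation-defined in C89/C99; gcc accepts `u_char` here, but their packing is compiler-specific, so nothing should depend on the byte offset of fi_tos. The sys/netinet/ip_fil.h copy repeats both hunks.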
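Review bot: Removing the `struct ifnet;` forward declaration under `#ifndef _KERNEL` in the @@ -427 hunk leaves `extern int send_reset __P((ip_t *, struct ifnet *));` on the next line as the first mention of the tag in a userland build; a struct tag first introduced inside a prototype has prototype scope, so compilers warn and the parameter type is incompatible with any struct ifnet defined later in the translation unit. Unless every userland includer (not visible here) declares struct ifnet before this header, keep the forward declaration or move it above the `#ifndef _KERNEL` block. The same hunk is in the sys/netinet/ip_fil.h copy.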
@@ -554,7 +553,7 @@ extern void fr_makefrip __P((int, ip_t *, fr_info_t *)); extern int fr_ifpaddr __P((void *, struct in_addr *)); extern char *memstr __P((char *, char *, int, int)); extern int ipl_unreach; -extern int ipl_inited; +extern int fr_running; extern u_long ipl_frouteok[2]; extern int fr_pass; extern int fr_flags; diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c index 54f5a84..168368a 100644 --- a/sys/contrib/ipfilter/netinet/ip_frag.c +++ b/sys/contrib/ipfilter/netinet/ip_frag.c @@ -7,8 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; -/*static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) @@ -25,8 +24,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <string.h> # include <stdlib.h> #endif -#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \ - (defined(_KERNEL) && (__FreeBSD_version >= 40013))) +#if defined(_KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> #else diff --git a/sys/contrib/ipfilter/netinet/ip_frag.h b/sys/contrib/ipfilter/netinet/ip_frag.h index 0494e9c..1097dec 100644 --- a/sys/contrib/ipfilter/netinet/ip_frag.h +++ b/sys/contrib/ipfilter/netinet/ip_frag.h @@ -7,7 +7,6 @@ * * @(#)ip_frag.h 1.5 3/24/96 * $Id: ip_frag.h,v 2.2 1999/08/06 06:26:38 darrenr Exp $ - * $FreeBSD$ */ #ifndef __IP_FRAG_H__ diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index 3ed1853..73c27ce 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c 
@@ -1,7 +1,6 @@ /* * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. - * $FreeBSD$ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; diff --git a/sys/contrib/ipfilter/netinet/ip_log.c b/sys/contrib/ipfilter/netinet/ip_log.c index 57a5bff..b71aa7f 100644 --- a/sys/contrib/ipfilter/netinet/ip_log.c +++ b/sys/contrib/ipfilter/netinet/ip_log.c @@ -6,7 +6,6 @@ * to the original author and the contributors. * * $Id: ip_log.c,v 2.1.2.2 1999/09/21 11:55:44 darrenr Exp $ - * $FreeBSD$ */ #include <sys/param.h> #if defined(KERNEL) && !defined(_KERNEL) @@ -16,7 +15,7 @@ # include "opt_ipfilter_log.h" #endif #ifdef __FreeBSD__ -# if defined(_KERNEL) && !defined(IPFILTER_LKM) +# if defined(_KERNEL) && !defined(IPFILTER_LKM) # if !defined(__FreeBSD_version) # include <sys/osreldate.h> # endif diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index d24849a..5b8a686 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c @@ -9,8 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -/*static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.11 1999/12/17 13:05:40 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.12 2000/01/24 12:43:40 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -31,8 +30,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <string.h> # include <stdlib.h> #endif -#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \ - (defined(_KERNEL) && (__FreeBSD_version >= 40013))) +#if defined(_KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> #else 
@@ -728,12 +726,22 @@ int direction; port = 0; in.s_addr = np->in_nip; if (l == 0) { + /* + * Check to see if there is an existing NAT + * setup for this IP address pair. + */ natl = nat_maplookup(fin->fin_ifp, flags, ip->ip_src, ip->ip_dst); if (natl != NULL) { in = natl->nat_outip; + if ((in.s_addr & np->in_outmsk) != + np->in_outip) + in.s_addr = 0; + else #ifndef sparc - in.s_addr = ntohl(in.s_addr); + in.s_addr = ntohl(in.s_addr); +#else + ; #endif } } @@ -1768,6 +1776,7 @@ u_int type; natl.nl_origport = nat->nat_oport; natl.nl_inport = nat->nat_inport; natl.nl_outport = nat->nat_outport; + natl.nl_p = nat->nat_p; natl.nl_type = type; natl.nl_rule = -1; #ifndef LARGE_NAT diff --git a/sys/contrib/ipfilter/netinet/ip_nat.h b/sys/contrib/ipfilter/netinet/ip_nat.h index b931469..c57b4e7 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.h +++ b/sys/contrib/ipfilter/netinet/ip_nat.h @@ -6,8 +6,7 @@ * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.1.2.2 1999/11/28 11:01:51 darrenr Exp $ - * $FreeBSD$ + * $Id: ip_nat.h,v 2.1.2.3 2000/01/24 12:44:24 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -187,6 +186,7 @@ typedef struct natlog { int nl_rule; U_QUAD_T nl_pkts; U_QUAD_T nl_bytes; + u_char nl_p; } natlog_t; diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index 3a03863..ccf9c12 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c +++ b/sys/contrib/ipfilter/netinet/ip_proxy.c @@ -6,8 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -/*static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) 
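Review bot: In the @@ -728 hunk the new `else` takes its body from inside `#ifndef sparc` and relies on a bare `;` in the `#else` arm to stay well-formed, which is easy to break the next time someone edits the sparc branch; bracing the else and keeping the conditional inside gives the same code on both platforms: `else {` / `#ifndef sparc` / `in.s_addr = ntohl(in.s_addr);` / `#endif` / `}`. The asymmetric byte-order handling on sparc is pre-existing and not changed by this commit. The enclosing function starts and ends outside the hunk; the sys/netinet/ip_nat.c copy repeats the hunk.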
diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.h b/sys/contrib/ipfilter/netinet/ip_proxy.h index 9ccd46a..08409b0 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.h +++ b/sys/contrib/ipfilter/netinet/ip_proxy.h @@ -6,7 +6,6 @@ * to the original author and the contributors. * * $Id: ip_proxy.h,v 2.1.2.1 1999/09/19 12:18:20 darrenr Exp $ - * $FreeBSD$ */ #ifndef __IP_PROXY_H__ diff --git a/sys/contrib/ipfilter/netinet/ip_raudio_pxy.c b/sys/contrib/ipfilter/netinet/ip_raudio_pxy.c index 611dc26..6ccf4e4 100644 --- a/sys/contrib/ipfilter/netinet/ip_raudio_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_raudio_pxy.c @@ -1,6 +1,3 @@ -/* - * $FreeBSD$ - */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; #endif diff --git a/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c b/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c index c8b15d1..2b67ee5 100644 --- a/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c @@ -1,7 +1,6 @@ /* * Simple RCMD transparent proxy for in-kernel use. For use with the NAT * code. - * $FreeBSD$ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index 599ec27..17944ca 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c @@ -7,8 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -/*static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.16 1999/12/28 05:24:58 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.18 2000/01/27 08:51:30 darrenr Exp $"; #endif #include <sys/errno.h> 
@@ -29,8 +28,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <linux/module.h> # endif #endif -#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \ - (defined(_KERNEL) && (__FreeBSD_version >= 400013))) +#if defined(_KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM) @@ -45,7 +43,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <sys/protosw.h> #endif #include <sys/socket.h> -#if defined(_KERNEL) && !defined(linux) +#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux) # include <sys/systm.h> #endif #if !defined(__SVR4) && !defined(__svr4__) @@ -176,11 +174,10 @@ int which; delete = 1; break; case 1 : - if ((is->is_p == IPPROTO_TCP) && - (((is->is_state[0] <= TCPS_ESTABLISHED) && - (is->is_state[1] > TCPS_ESTABLISHED)) || - ((is->is_state[1] <= TCPS_ESTABLISHED) && - (is->is_state[0] > TCPS_ESTABLISHED)))) + if (is->is_p != IPPROTO_TCP) + break; + if ((is->is_state[0] != TCPS_ESTABLISHED) || + (is->is_state[1] != TCPS_ESTABLISHED)) delete = 1; break; } @@ -459,7 +456,7 @@ tcphdr_t *tcp; win = ntohs(tcp->th_win); end = seq + ip->ip_len - fin->fin_hlen - (tcp->th_off << 2) + ((tcp->th_flags & TH_SYN) ? 1 : 0) + - ((tcp->th_flags & TH_FIN) ? 1 : 0); + ((tcp->th_flags & TH_FIN) ? 1 : 0); if (fdata->td_end == 0) { /* @@ -473,6 +470,8 @@ tcphdr_t *tcp; if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */ ack = tdata->td_end; win = 1; + if ((tcp->th_flags == TH_SYN) && (tdata->td_maxwin == 0)) + tdata->td_maxwin = 1; } else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) && (ack == 0)) { /* gross hack to get around certain broken tcp stacks */ 
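Review bot: The rewritten `case 1` in the @@ -176 hunk now deletes every TCP entry where either side is not TCPS_ESTABLISHED, which takes in connections still completing the handshake as well as the half-closed ones the old two-way test targeted; if that widening is intended, say so above the test, e.g. `/* 1: drop any TCP entry not fully established on both sides */`, and check that the userland flush option selecting this mode describes it the same way. The enclosing switch and function start and end outside the hunk. The commit also updates a sys/netinet copy of these files; if it repeats this hunk the remark applies there too.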
@@ -488,7 +487,7 @@ tcphdr_t *tcp; #define SEQ_GE(a,b) ((int)((a) - (b)) >= 0) #define SEQ_GT(a,b) ((int)((a) - (b)) > 0) if ((SEQ_GE(fdata->td_maxend, end)) && - (SEQ_GE(seq + maxwin, fdata->td_end - maxwin)) && + (SEQ_GE(seq, fdata->td_end - maxwin)) && /* XXX what about big packets */ #define MAXACKWINDOW 66000 (ackskew >= -MAXACKWINDOW) && @@ -673,8 +672,8 @@ fr_info_t *fin; int type; u_int hv; - /* - * Does it at least have the return (basic) IP header ? + /* + * Does it at least have the return (basic) IP header ? * Only a basic IP header (no options) should be with * an ICMP error header. */ @@ -708,10 +707,10 @@ fr_info_t *fin; if ((icmp->icmp_type != ICMP_ECHO) && (icmp->icmp_type != ICMP_TSTAMP) && (icmp->icmp_type != ICMP_IREQ) && - (icmp->icmp_type != ICMP_MASKREQ)) + (icmp->icmp_type != ICMP_MASKREQ)) return NULL; - /* + /* * perform a lookup of the ICMP packet in the state table */ @@ -735,9 +734,9 @@ fr_info_t *fin; for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && fr_matchsrcdst(is, src, dst, &ofin, NULL)) { - /* + /* * in the state table ICMP query's are stored - * with the type of the corresponding ICMP + * with the type of the corresponding ICMP * response. Correct here */ if (((is->is_type == ICMP_ECHOREPLY) && @@ -747,7 +746,7 @@ fr_info_t *fin; (is->is_type - 1 == ic->icmp_type)) { ips_stats.iss_hits++; is->is_pkts++; - is->is_bytes += ip->ip_len; + is->is_bytes += ip->ip_len; fr = is->is_rule; RWLOCK_EXIT(&ipf_state); return fr; @@ -805,7 +804,7 @@ fr_info_t *fin; * comes the other way around */ is->is_pkts++; - is->is_bytes += ip->ip_len; + is->is_bytes += ip->ip_len; /* * we deliberately do not touch the timeouts * for the accompanying state table entry. @@ -1040,12 +1039,12 @@ void fr_timeoutstate() ips_num--; } else isp = &is->is_next; + RWLOCK_EXIT(&ipf_state); + SPL_X(s); if (fr_state_doflush) { (void) fr_state_flush(1); fr_state_doflush = 0; } - RWLOCK_EXIT(&ipf_state); - SPL_X(s); } 
@@ -1182,3 +1181,21 @@ u_int type; (void) ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1); } #endif + + +void ip_statesync(ifp) +void *ifp; +{ + register ipstate_t *is; + register int i; + + WRITE_ENTER(&ipf_state); + for (i = fr_statesize - 1; i >= 0; i--) + for (is = ips_table[i]; is != NULL; is = is->is_next) { + if (is->is_ifpin == ifp) + is->is_ifpin = NULL; + if (is->is_ifpout == ifp) + is->is_ifpout = NULL; + } + RWLOCK_EXIT(&ipf_state); +} diff --git a/sys/contrib/ipfilter/netinet/ip_state.h b/sys/contrib/ipfilter/netinet/ip_state.h index 1b7c392..b20f286 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.h +++ b/sys/contrib/ipfilter/netinet/ip_state.h @@ -6,8 +6,7 @@ * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $Id: ip_state.h,v 2.1 1999/08/04 17:30:00 darrenr Exp $ - * $FreeBSD$ + * $Id: ip_state.h,v 2.1.2.2 2000/01/24 13:13:52 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ @@ -152,6 +151,7 @@ extern int fr_stateinit __P((void)); extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *)); extern ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, u_int)); extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *)); +extern void ip_statesync __P((void *)); extern void fr_timeoutstate __P((void)); extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int)); extern void fr_stateunload __P((void)); diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h index 39ee74dc..6eb9b1a 100644 --- a/sys/contrib/ipfilter/netinet/ipl.h +++ b/sys/contrib/ipfilter/netinet/ipl.h @@ -6,12 +6,11 @@ * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 - * $FreeBSD$ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.3.6" +#define IPL_VERSION "IP Filter: v3.3.8" #endif diff --git a/sys/contrib/ipfilter/netinet/mlfk_ipl.c b/sys/contrib/ipfilter/netinet/mlfk_ipl.c index 40c8783..732808d 100644 
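Review bot: The new ip_statesync in the @@ -1182 hunk has no comment saying what it is for; from the frsync hunk in fil.c it is called once per interface alongside ip_natsync, and all it does is clear is_ifpin/is_ifpout pointers equal to ifp under the ipf_state write lock. A header comment such as `/* Drop state-table references to ifp (called from frsync when interfaces change); entries presumably re-resolve their interface on the next match — confirm */` would make the intent and the locking visible, and the prototype added to ip_state.h could carry the same one-liner. `register` on the two locals is obsolescent and can be dropped.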
--- a/sys/contrib/ipfilter/netinet/mlfk_ipl.c +++ b/sys/contrib/ipfilter/netinet/mlfk_ipl.c @@ -73,8 +73,8 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW, &fr_ipfrttl, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_unreach, CTLFLAG_RW, &ipl_unreach, 0, ""); -SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_inited, CTLFLAG_RD, - &ipl_inited, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD, + &fr_running, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RD, &fr_authsize, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD, diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c index cb069f8..00187cd 100644 --- a/sys/netinet/fil.c +++ b/sys/netinet/fil.c @@ -7,8 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -/*static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.14 1999/12/07 12:53:40 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $"; #endif #include <sys/errno.h> @@ -20,10 +19,8 @@ static const char rcsid[] = "@(#)$FreeBSD$"; defined(_KERNEL) # include "opt_ipfilter_log.h" #endif -#if ((defined(KERNEL) && defined(__FreeBSD_version) && \ - (__FreeBSD_version >= 220000)) || \ - (defined(_KERNEL) && defined(__FreeBSD_version) && \ - (__FreeBSD_version >= 40013))) +#if defined(_KERNEL) && defined(__FreeBSD_version) && \ + (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> #else 
@@ -248,6 +245,12 @@ fr_info_t *fin; if (!off && (icmp->icmp_type == ICMP_ECHOREPLY || icmp->icmp_type == ICMP_ECHO)) minicmpsz = ICMP_MINLEN; + if (!off && (icmp->icmp_type == ICMP_TSTAMP || + icmp->icmp_type == ICMP_TSTAMPREPLY)) + minicmpsz = 20; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */ + if (!off && (icmp->icmp_type == ICMP_MASKREQ || + icmp->icmp_type == ICMP_MASKREPLY)) + minicmpsz = 12; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */ if ((!(ip->ip_len >= hlen + minicmpsz) && !off) || (off && off < sizeof(struct icmp))) fi->fi_fl |= FI_SHORT; @@ -691,6 +694,9 @@ int out; READ_ENTER(&ipf_mutex); + if (fin->fin_fi.fi_fl & FI_SHORT) + ATOMIC_INC(frstats[out].fr_short); + /* * Check auth now. This, combined with the check below to see if apass * is 0 is to ensure that we don't count the packet twice, which can @@ -1181,7 +1187,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.3.2.14 1999/12/07 12:53:40 darrenr Exp $ + * $Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1582,7 +1588,10 @@ void frsync() # else for (ifp = ifnet; ifp; ifp = ifp->if_next) # endif + { ip_natsync(ifp); + ip_statesync(ifp); + } # endif WRITE_ENTER(&ipf_mutex); diff --git a/sys/netinet/ip_auth.c b/sys/netinet/ip_auth.c index 0490510..6b980be 100644 --- a/sys/netinet/ip_auth.c +++ b/sys/netinet/ip_auth.c @@ -6,8 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -/*static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.1 1999/09/28 11:44:04 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.2 2000/01/16 10:12:14 darrenr Exp $"; #endif #include <sys/errno.h> 
@@ -20,8 +19,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <stdlib.h> # include <string.h> #endif -#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \ - (defined(_KERNEL) && (__FreeBSD_version >= 40013))) +#if defined(_KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> #else @@ -32,7 +30,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <sys/protosw.h> #endif #include <sys/socket.h> -#if defined(_KERNEL) && !defined(linux) +#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux) # include <sys/systm.h> #endif #if !defined(__SVR4) && !defined(__svr4__) @@ -398,7 +396,7 @@ fr_authioctlloop: # if SOLARIS error = fr_qout(fr_auth[i].fra_q, m); # else /* SOLARIS */ -# if _BSDI_VERSION >= 199802 +# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); # else diff --git a/sys/netinet/ip_auth.h b/sys/netinet/ip_auth.h index e6b5a59..46b8d92 100644 --- a/sys/netinet/ip_auth.h +++ b/sys/netinet/ip_auth.h @@ -6,7 +6,6 @@ * to the original author and the contributors. * * $Id: ip_auth.h,v 2.1 1999/08/04 17:29:54 darrenr Exp $ - * $FreeBSD$ * */ #ifndef __IP_AUTH_H__ diff --git a/sys/netinet/ip_compat.h b/sys/netinet/ip_compat.h index 0c8242d..318ef2f 100644 --- a/sys/netinet/ip_compat.h +++ b/sys/netinet/ip_compat.h @@ -7,7 +7,6 @@ * * @(#)ip_compat.h 1.8 1/14/96 * $Id: ip_compat.h,v 2.1.2.3 1999/11/18 13:55:26 darrenr Exp $ - * $FreeBSD$ */ #ifndef __IP_COMPAT_H__ diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c index 902e3f7..2efeabd 100644 --- a/sys/netinet/ip_fil.c +++ b/sys/netinet/ip_fil.c 
@@ -7,8 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -/*static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.14 1999/12/11 05:31:08 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.16 2000/01/16 10:12:42 darrenr Exp $"; #endif #ifndef SOLARIS @@ -127,7 +126,6 @@ extern int tcp_ttl; # endif #endif -int ipl_inited = 0; int ipl_unreach = ICMP_UNREACH_FILTER; u_long ipl_frouteok[2] = {0, 0}; @@ -159,11 +157,7 @@ static int write_output __P((struct ifnet *, struct mbuf *, struct sockaddr *, struct rtentry *)); # endif #endif -#if defined(IPFILTER_LKM) -int fr_running = 1; -#else int fr_running = 0; -#endif #if (__FreeBSD_version >= 300000) && defined(_KERNEL) struct callout_handle ipfr_slowtimer_ch; @@ -231,7 +225,7 @@ int iplattach() # endif SPL_NET(s); - if (ipl_inited || (fr_checkp == fr_check)) { + if (fr_running || (fr_checkp == fr_check)) { printf("IP Filter: already initialized\n"); SPL_X(s); return EBUSY; @@ -259,7 +253,6 @@ int iplattach() } # endif - ipl_inited = 1; bzero((char *)frcache, sizeof(frcache)); fr_savep = fr_checkp; fr_checkp = fr_check; @@ -287,6 +280,7 @@ int iplattach() timeout(ipfr_slowtimer, NULL, hz/2); # endif #endif + fr_running = 1; return 0; } @@ -311,18 +305,16 @@ int ipldetach() # endif #endif SPL_NET(s); - if (!ipl_inited) + if (!fr_running) { printf("IP Filter: not initialized\n"); SPL_X(s); return 0; } - printf("IP Filter: unloaded\n"); - fr_checkp = fr_savep; i = frflush(IPL_LOGIPF, i); - ipl_inited = 0; + fr_running = 0; # ifdef NETBSD_PF pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT); @@ -415,11 +407,15 @@ int mode; SPL_NET(s); if (unit == IPL_LOGNAT) { + if (!fr_running) + return EIO; error = nat_ioctl(data, cmd, mode); SPL_X(s); return error; } if (unit == IPL_LOGSTATE) { + if (!fr_running) + return EIO; error = fr_state_ioctl(data, cmd, mode); SPL_X(s); return error; 
@@ -440,15 +436,10 @@ int mode; error = EPERM; else { IRCOPY(data, (caddr_t)&enable, sizeof(enable)); - if (enable) { + if (enable) error = iplattach(); - if (error == 0) - fr_running = 1; - } else { + else error = ipldetach(); - if (error == 0) - fr_running = 0; - } } break; } @@ -705,13 +696,15 @@ caddr_t data; } if (!f) { - if (req != SIOCINAFR || req != SIOCINIFR) + if (req != SIOCINAFR && req != SIOCINIFR) while ((f = *ftail)) ftail = &f->fr_next; else { - if (fp->fr_hits) + if (fp->fr_hits) { + ftail = fprev; while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; + } f = NULL; } } @@ -947,7 +940,11 @@ ip_t *ip; # if _BSDI_VERSION >= 199802 return ip_output(m, (struct mbuf *)0, &ro, 0, 0, NULL); # else +# if defined(__OpenBSD__) + return ip_output(m, (struct mbuf *)0, 0, 0, 0, NULL); +# else return ip_output(m, (struct mbuf *)0, 0, 0, 0); +# endif # endif # endif } diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h index 3458922..aa42f2f 100644 --- a/sys/netinet/ip_fil.h +++ b/sys/netinet/ip_fil.h @@ -6,8 +6,7 @@ * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.3.2.6 1999/12/17 12:58:16 darrenr Exp $ - * $FreeBSD$ + * $Id: ip_fil.h,v 2.3.2.7 2000/01/27 08:49:41 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -83,8 +82,8 @@ #define SIOCINSFR SIOCINAFR typedef struct fr_ip { - u_int fi_v:4; /* IP version */ - u_int fi_fl:4; /* packet flags */ + u_char fi_v:4; /* IP version */ + u_char fi_fl:4; /* packet flags */ u_char fi_tos; /* IP packet TOS */ u_char fi_ttl; /* IP packet TTL */ u_char fi_p; /* IP packet protocol */ @@ -272,6 +271,7 @@ typedef struct filterstats { u_long fr_pass; /* packets allowed */ u_long fr_block; /* packets denied */ u_long fr_nom; /* packets which don't match any rule */ + u_long fr_short; /* packets which are short */ u_long fr_ppkl; /* packets allowed and logged */ u_long fr_bpkl; /* packets denied and logged */ u_long fr_npkl; /* packets unmatched and logged */ 
@@ -427,7 +427,6 @@ typedef struct ipflog { #ifndef _KERNEL -struct ifnet; extern int fr_check __P((ip_t *, int, void *, int, mb_t **)); extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); extern int send_reset __P((ip_t *, struct ifnet *)); @@ -554,7 +553,7 @@ extern void fr_makefrip __P((int, ip_t *, fr_info_t *)); extern int fr_ifpaddr __P((void *, struct in_addr *)); extern char *memstr __P((char *, char *, int, int)); extern int ipl_unreach; -extern int ipl_inited; +extern int fr_running; extern u_long ipl_frouteok[2]; extern int fr_pass; extern int fr_flags; diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c index 54f5a84..168368a 100644 --- a/sys/netinet/ip_frag.c +++ b/sys/netinet/ip_frag.c @@ -7,8 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; -/*static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) @@ -25,8 +24,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <string.h> # include <stdlib.h> #endif -#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \ - (defined(_KERNEL) && (__FreeBSD_version >= 40013))) +#if defined(_KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> #else diff --git a/sys/netinet/ip_frag.h b/sys/netinet/ip_frag.h index 0494e9c..1097dec 100644 --- a/sys/netinet/ip_frag.h +++ b/sys/netinet/ip_frag.h @@ -7,7 +7,6 @@ * * @(#)ip_frag.h 1.5 3/24/96 * $Id: ip_frag.h,v 2.2 1999/08/06 06:26:38 darrenr Exp $ - * $FreeBSD$ */ #ifndef __IP_FRAG_H__ diff --git a/sys/netinet/ip_ftp_pxy.c b/sys/netinet/ip_ftp_pxy.c index 3ed1853..73c27ce 100644 --- a/sys/netinet/ip_ftp_pxy.c +++ b/sys/netinet/ip_ftp_pxy.c 
@@ -1,7 +1,6 @@ /* * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. - * $FreeBSD$ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; diff --git a/sys/netinet/ip_log.c b/sys/netinet/ip_log.c index 57a5bff..b71aa7f 100644 --- a/sys/netinet/ip_log.c +++ b/sys/netinet/ip_log.c @@ -6,7 +6,6 @@ * to the original author and the contributors. * * $Id: ip_log.c,v 2.1.2.2 1999/09/21 11:55:44 darrenr Exp $ - * $FreeBSD$ */ #include <sys/param.h> #if defined(KERNEL) && !defined(_KERNEL) @@ -16,7 +15,7 @@ # include "opt_ipfilter_log.h" #endif #ifdef __FreeBSD__ -# if defined(_KERNEL) && !defined(IPFILTER_LKM) +# if defined(_KERNEL) && !defined(IPFILTER_LKM) # if !defined(__FreeBSD_version) # include <sys/osreldate.h> # endif diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c index d24849a..5b8a686 100644 --- a/sys/netinet/ip_nat.c +++ b/sys/netinet/ip_nat.c @@ -9,8 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -/*static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.11 1999/12/17 13:05:40 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.12 2000/01/24 12:43:40 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -31,8 +30,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <string.h> # include <stdlib.h> #endif -#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \ - (defined(_KERNEL) && (__FreeBSD_version >= 40013))) +#if defined(_KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> #else 
@@ -728,12 +726,22 @@ int direction; port = 0; in.s_addr = np->in_nip; if (l == 0) { + /* + * Check to see if there is an existing NAT + * setup for this IP address pair. + */ natl = nat_maplookup(fin->fin_ifp, flags, ip->ip_src, ip->ip_dst); if (natl != NULL) { in = natl->nat_outip; + if ((in.s_addr & np->in_outmsk) != + np->in_outip) + in.s_addr = 0; + else #ifndef sparc - in.s_addr = ntohl(in.s_addr); + in.s_addr = ntohl(in.s_addr); +#else + ; #endif } } @@ -1768,6 +1776,7 @@ u_int type; natl.nl_origport = nat->nat_oport; natl.nl_inport = nat->nat_inport; natl.nl_outport = nat->nat_outport; + natl.nl_p = nat->nat_p; natl.nl_type = type; natl.nl_rule = -1; #ifndef LARGE_NAT diff --git a/sys/netinet/ip_nat.h b/sys/netinet/ip_nat.h index b931469..c57b4e7 100644 --- a/sys/netinet/ip_nat.h +++ b/sys/netinet/ip_nat.h @@ -6,8 +6,7 @@ * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.1.2.2 1999/11/28 11:01:51 darrenr Exp $ - * $FreeBSD$ + * $Id: ip_nat.h,v 2.1.2.3 2000/01/24 12:44:24 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -187,6 +186,7 @@ typedef struct natlog { int nl_rule; U_QUAD_T nl_pkts; U_QUAD_T nl_bytes; + u_char nl_p; } natlog_t; diff --git a/sys/netinet/ip_proxy.c b/sys/netinet/ip_proxy.c index 3a03863..ccf9c12 100644 --- a/sys/netinet/ip_proxy.c +++ b/sys/netinet/ip_proxy.c @@ -6,8 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -/*static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) diff --git a/sys/netinet/ip_proxy.h b/sys/netinet/ip_proxy.h index 9ccd46a..08409b0 100644 --- a/sys/netinet/ip_proxy.h +++ b/sys/netinet/ip_proxy.h 
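Review bot: The new `else` in the NAT address-selection path has its only statement under `#ifndef sparc`, with a bare `;` supplied in the `#else` arm just to keep the `else` legal; that is fragile, since any later line added after the `else` on either side silently changes what the `else` governs. Wrap the `#ifndef sparc ... #endif` stanza in `else { ... }` and drop the `#else ;` arm. The comparison `(in.s_addr & np->in_outmsk) != np->in_outip` is made before the `ntohl`, so it presumably relies on `in_outmsk`/`in_outip` being stored in network byte order like `nat_outip`; a comment stating that, e.g. `/* in_outip/in_outmsk are network order, compare before ntohl */`, would stop someone "fixing" the order later. The enclosing function starts and ends outside the hunk.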
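Review bot: `nl_p` is appended to natlog_t as a lone `u_char` after two U_QUAD_T fields, so on most ABIs the record grows by a full alignment unit for one byte of payload, and its size changes for whatever reads these records; if natlog_t is what nat_log() hands to ipllog for the userland log reader, that reader must be rebuilt with this header. Every other member of the struct shown carries a trailing comment; give this one the same, `u_char nl_p; /* protocol */`, and consider placing it beside the other small fields if the record layout is not otherwise size-sensitive.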
@@ -6,7 +6,6 @@ * to the original author and the contributors. * * $Id: ip_proxy.h,v 2.1.2.1 1999/09/19 12:18:20 darrenr Exp $ - * $FreeBSD$ */ #ifndef __IP_PROXY_H__ diff --git a/sys/netinet/ip_raudio_pxy.c b/sys/netinet/ip_raudio_pxy.c index 611dc26..6ccf4e4 100644 --- a/sys/netinet/ip_raudio_pxy.c +++ b/sys/netinet/ip_raudio_pxy.c @@ -1,6 +1,3 @@ -/* - * $FreeBSD$ - */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; #endif diff --git a/sys/netinet/ip_rcmd_pxy.c b/sys/netinet/ip_rcmd_pxy.c index c8b15d1..2b67ee5 100644 --- a/sys/netinet/ip_rcmd_pxy.c +++ b/sys/netinet/ip_rcmd_pxy.c @@ -1,7 +1,6 @@ /* * Simple RCMD transparent proxy for in-kernel use. For use with the NAT * code. - * $FreeBSD$ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c index 599ec27..17944ca 100644 --- a/sys/netinet/ip_state.c +++ b/sys/netinet/ip_state.c @@ -7,8 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -/*static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.16 1999/12/28 05:24:58 darrenr Exp $";*/ -static const char rcsid[] = "@(#)$FreeBSD$"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.18 2000/01/27 08:51:30 darrenr Exp $"; #endif #include <sys/errno.h> @@ -29,8 +28,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <linux/module.h> # endif #endif -#if ((defined(KERNEL) && (__FreeBSD_version >= 220000)) || \ - (defined(_KERNEL) && (__FreeBSD_version >= 400013))) +#if defined(_KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM) @@ -45,7 +43,7 @@ static const char rcsid[] = "@(#)$FreeBSD$"; # include <sys/protosw.h> #endif #include <sys/socket.h> -#if defined(_KERNEL) && !defined(linux) +#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux) # include <sys/systm.h> #endif #if !defined(__SVR4) && !defined(__svr4__) 
@@ -176,11 +174,10 @@ int which; delete = 1; break; case 1 : - if ((is->is_p == IPPROTO_TCP) && - (((is->is_state[0] <= TCPS_ESTABLISHED) && - (is->is_state[1] > TCPS_ESTABLISHED)) || - ((is->is_state[1] <= TCPS_ESTABLISHED) && - (is->is_state[0] > TCPS_ESTABLISHED)))) + if (is->is_p != IPPROTO_TCP) + break; + if ((is->is_state[0] != TCPS_ESTABLISHED) || + (is->is_state[1] != TCPS_ESTABLISHED)) delete = 1; break; } @@ -459,7 +456,7 @@ tcphdr_t *tcp; win = ntohs(tcp->th_win); end = seq + ip->ip_len - fin->fin_hlen - (tcp->th_off << 2) + ((tcp->th_flags & TH_SYN) ? 1 : 0) + - ((tcp->th_flags & TH_FIN) ? 1 : 0); + ((tcp->th_flags & TH_FIN) ? 1 : 0); if (fdata->td_end == 0) { /* @@ -473,6 +470,8 @@ tcphdr_t *tcp; if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */ ack = tdata->td_end; win = 1; + if ((tcp->th_flags == TH_SYN) && (tdata->td_maxwin == 0)) + tdata->td_maxwin = 1; } else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) && (ack == 0)) { /* gross hack to get around certain broken tcp stacks */ @@ -488,7 +487,7 @@ tcphdr_t *tcp; #define SEQ_GE(a,b) ((int)((a) - (b)) >= 0) #define SEQ_GT(a,b) ((int)((a) - (b)) > 0) if ((SEQ_GE(fdata->td_maxend, end)) && - (SEQ_GE(seq + maxwin, fdata->td_end - maxwin)) && + (SEQ_GE(seq, fdata->td_end - maxwin)) && /* XXX what about big packets */ #define MAXACKWINDOW 66000 (ackskew >= -MAXACKWINDOW) && @@ -673,8 +672,8 @@ fr_info_t *fin; int type; u_int hv; - /* - * Does it at least have the return (basic) IP header ? + /* + * Does it at least have the return (basic) IP header ? * Only a basic IP header (no options) should be with * an ICMP error header. */ @@ -708,10 +707,10 @@ fr_info_t *fin; if ((icmp->icmp_type != ICMP_ECHO) && (icmp->icmp_type != ICMP_TSTAMP) && (icmp->icmp_type != ICMP_IREQ) && - (icmp->icmp_type != ICMP_MASKREQ)) + (icmp->icmp_type != ICMP_MASKREQ)) return NULL; - /* + /* * perform a lookup of the ICMP packet in the state table */ 
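Review bot: The rewritten `case 1` of the flush now deletes every TCP entry in which either direction is not in TCPS_ESTABLISHED, which is broader than the replaced test (one side at or below ESTABLISHED while the other is past it, i.e. half-closed): embryonic entries in SYN_SENT/SYN_RECEIVED are now evicted as well. If evicting half-open entries when the table fills is the intent — plausible, since the `@@ -1040` hunk shows fr_timeoutstate calling `fr_state_flush(1)` when `fr_state_doflush` is set — it deserves a comment such as `/* which == 1: drop every TCP entry not fully established (embryonic or closing) */`, because the old comparison reads as a deliberate half-close test and a reader may "restore" it. The enclosing function starts and ends outside the hunk.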
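Review bot: `SEQ_GE(seq, fdata->td_end - maxwin)` tightens the lower bound of the accepted sequence range from two windows to one window below td_end, which is the right direction for a stateful filter (less room for out-of-window segments to be accepted) but is a behaviour change that can reject late retransmissions more often; the `/* XXX what about big packets */` remark beside it remains unaddressed. A comment stating the invariant, e.g. `/* seq no more than one window behind what we have seen; end not past the peer's maxend */`, would help, and the `#define MAXACKWINDOW 66000` in the middle of the condition belongs at file scope. The enclosing function (fr_tcpstate, judging by the parameter context) starts and ends outside the hunk.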
@@ -735,9 +734,9 @@ fr_info_t *fin; for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && fr_matchsrcdst(is, src, dst, &ofin, NULL)) { - /* + /* * in the state table ICMP query's are stored - * with the type of the corresponding ICMP + * with the type of the corresponding ICMP * response. Correct here */ if (((is->is_type == ICMP_ECHOREPLY) && @@ -747,7 +746,7 @@ fr_info_t *fin; (is->is_type - 1 == ic->icmp_type)) { ips_stats.iss_hits++; is->is_pkts++; - is->is_bytes += ip->ip_len; + is->is_bytes += ip->ip_len; fr = is->is_rule; RWLOCK_EXIT(&ipf_state); return fr; @@ -805,7 +804,7 @@ fr_info_t *fin; * comes the other way around */ is->is_pkts++; - is->is_bytes += ip->ip_len; + is->is_bytes += ip->ip_len; /* * we deliberately do not touch the timeouts * for the accompanying state table entry. @@ -1040,12 +1039,12 @@ void fr_timeoutstate() ips_num--; } else isp = &is->is_next; + RWLOCK_EXIT(&ipf_state); + SPL_X(s); if (fr_state_doflush) { (void) fr_state_flush(1); fr_state_doflush = 0; } - RWLOCK_EXIT(&ipf_state); - SPL_X(s); } @@ -1182,3 +1181,21 @@ u_int type; (void) ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1); } #endif + + +void ip_statesync(ifp) +void *ifp; +{ + register ipstate_t *is; + register int i; + + WRITE_ENTER(&ipf_state); + for (i = fr_statesize - 1; i >= 0; i--) + for (is = ips_table[i]; is != NULL; is = is->is_next) { + if (is->is_ifpin == ifp) + is->is_ifpin = NULL; + if (is->is_ifpout == ifp) + is->is_ifpout = NULL; + } + RWLOCK_EXIT(&ipf_state); +} diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h index 1b7c392..b20f286 100644 --- a/sys/netinet/ip_state.h +++ b/sys/netinet/ip_state.h @@ -6,8 +6,7 @@ * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $Id: ip_state.h,v 2.1 1999/08/04 17:30:00 darrenr Exp $ - * $FreeBSD$ + * $Id: ip_state.h,v 2.1.2.2 2000/01/24 13:13:52 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ 
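Review bot: Moving `RWLOCK_EXIT(&ipf_state)` and `SPL_X(s)` ahead of the `fr_state_doflush` check means `fr_state_flush(1)` now runs without ipf_state held and the flag is read and cleared unlocked. Presumably fr_state_flush() acquires the lock itself (the new ip_statesync() in this file does WRITE_ENTER on entry), in which case the reorder avoids re-taking a held lock; a comment at the exit would record why the order matters: `/* release ipf_state first: fr_state_flush() takes it itself */`. Clearing `fr_state_doflush` outside the lock can lose a set that races with the flush, which is benign only if a missed flush is merely deferred to the next timeout; worth confirming. fr_timeoutstate starts outside the hunk.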
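Review bot: ip_statesync() lands without a header comment, and its contract — walk the whole state table under the write lock and clear every `is_ifpin`/`is_ifpout` equal to `ifp` — is only recoverable by reading the loop. Suggest above the definition: `/* ifp is going away: drop all state references to it so no entry keeps a stale pointer */`, with the trigger (presumably interface detach) confirmed against the caller, which is not in the diff; clearing rather than deleting the entries also means they will no longer match on interface afterwards, which is worth stating. `register` on `is` and `i` is a no-op for modern compilers and is fine only as consistency with the rest of the file.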
@@ -152,6 +151,7 @@ extern int fr_stateinit __P((void)); extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *)); extern ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, u_int)); extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *)); +extern void ip_statesync __P((void *)); extern void fr_timeoutstate __P((void)); extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int)); extern void fr_stateunload __P((void)); diff --git a/sys/netinet/ipl.h b/sys/netinet/ipl.h index 39ee74dc..6eb9b1a 100644 --- a/sys/netinet/ipl.h +++ b/sys/netinet/ipl.h @@ -6,12 +6,11 @@ * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 - * $FreeBSD$ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.3.6" +#define IPL_VERSION "IP Filter: v3.3.8" #endif diff --git a/sys/netinet/mlfk_ipl.c b/sys/netinet/mlfk_ipl.c index 40c8783..732808d 100644 --- a/sys/netinet/mlfk_ipl.c +++ b/sys/netinet/mlfk_ipl.c @@ -73,8 +73,8 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW, &fr_ipfrttl, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_unreach, CTLFLAG_RW, &ipl_unreach, 0, ""); -SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_inited, CTLFLAG_RD, - &ipl_inited, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD, + &fr_running, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RD, &fr_authsize, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD, |