authordarrenr <darrenr@FreeBSD.org>2003-02-15 06:23:45 +0000
committerdarrenr <darrenr@FreeBSD.org>2003-02-15 06:23:45 +0000
commit609b8035e83638a43ab09d02e66dde20d26d56af (patch)
tree87972e8bdc8d88cbdc6cef5a1d1eb7a2809dbe34 /sys/contrib
parentb9193cd07be936e4ab6a2fcf098d98292d382a8a (diff)
Commit import changed from vendor branch of ipfilter to -current head
Diffstat (limited to 'sys/contrib')
-rw-r--r--sys/contrib/ipfilter/netinet/fil.c63
-rw-r--r--sys/contrib/ipfilter/netinet/ip_auth.c120
-rw-r--r--sys/contrib/ipfilter/netinet/ip_auth.h6
-rw-r--r--sys/contrib/ipfilter/netinet/ip_compat.h2
-rw-r--r--sys/contrib/ipfilter/netinet/ip_fil.c114
5 files changed, 222 insertions, 83 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index 96432a1..7072753 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@@ -701,7 +701,8 @@ void *m;
if (!fr_tcpudpchk(&fr->fr_tuc, fin))
continue;
} else if (fr->fr_icmpm || fr->fr_icmp) {
- if ((fi->fi_p != IPPROTO_ICMP) || off ||
+ if (((fi->fi_p != IPPROTO_ICMP) &&
+ (fi->fi_p != IPPROTO_ICMPV6)) || off ||
(fin->fin_dlen < 2))
continue;
if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
@@ -816,6 +817,26 @@ int out;
# endif
int up;
+# if !SOLARIS && !defined(NETBSD_PF) && \
+ ((defined(__FreeBSD__) && (__FreeBSD_version < 500011)) || \
+ defined(__OpenBSD__) || defined(_BSDI_VERSION))
+ if (fr_checkp != fr_check && fr_running > 0) {
+ static int counter = 0;
+
+ if (counter == 0) {
+ printf("WARNING: fr_checkp corrupt: value %lx\n",
+ (u_long)fr_checkp);
+ printf("WARNING: fr_checkp should be %lx\n",
+ (u_long)fr_check);
+ printf("WARNING: fixing fr_checkp\n");
+ }
+ fr_checkp = fr_check;
+ counter++;
+ if (counter == 10000)
+ counter = 0;
+ }
+# endif
+
# ifdef M_CANFASTFWD
/*
* XXX For now, IP Filter and fast-forwarding of cached flows
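Review bot: The added block resets `fr_checkp` to `fr_check` whenever the two differ, but it warns only once per 10,000 resets, so a hook pointer that is being overwritten repeatedly is silently repaired and heavily under-reported. `static int counter` is read and incremented on the packet path with no lock visible in the hunk, so the rate limit is approximate on SMP; a comment such as `/* counter is unsynchronised; it only rate-limits the warning */` would make that explicit. The two `%lx` prints also write kernel addresses to the system log, which should be a deliberate choice. The enclosing function starts and ends outside the hunk.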
@@ -1526,7 +1547,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1732,9 +1753,9 @@ frentry_t **listp;
}
-int frflush(unit, flags)
+int frflush(unit, proto, flags)
minor_t unit;
-int flags;
+int proto, flags;
{
int flushed = 0, set;
@@ -1749,19 +1770,35 @@ int flags;
if (flags & FR_OUTQUE) {
#ifdef USE_INET6
- (void) frflushlist(set, unit, &flushed, &ipfilter6[1][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct6[1][set]);
+ if (proto == 0 || proto == 6) {
+ (void) frflushlist(set, unit,
+ &flushed, &ipfilter6[1][set]);
+ (void) frflushlist(set, unit,
+ &flushed, &ipacct6[1][set]);
+ }
#endif
- (void) frflushlist(set, unit, &flushed, &ipfilter[1][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct[1][set]);
+ if (proto == 0 || proto == 4) {
+ (void) frflushlist(set, unit,
+ &flushed, &ipfilter[1][set]);
+ (void) frflushlist(set, unit,
+ &flushed, &ipacct[1][set]);
+ }
}
if (flags & FR_INQUE) {
#ifdef USE_INET6
- (void) frflushlist(set, unit, &flushed, &ipfilter6[0][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct6[0][set]);
+ if (proto == 0 || proto == 6) {
+ (void) frflushlist(set, unit,
+ &flushed, &ipfilter6[0][set]);
+ (void) frflushlist(set, unit,
+ &flushed, &ipacct6[0][set]);
+ }
#endif
- (void) frflushlist(set, unit, &flushed, &ipfilter[0][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct[0][set]);
+ if (proto == 0 || proto == 4) {
+ (void) frflushlist(set, unit,
+ &flushed, &ipfilter[0][set]);
+ (void) frflushlist(set, unit,
+ &flushed, &ipacct[0][set]);
+ }
}
RWLOCK_EXIT(&ipf_mutex);
return flushed;
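Review bot: `proto` is compared against the bare literals 0, 4 and 6, and any other value makes frflush skip every list and return 0, which a caller cannot tell apart from an empty rule set. A header comment above the new signature (in the preceding hunk) would state the contract, e.g. `/* proto: 0 = IPv4 and IPv6 lists, 4 = IPv4 only, 6 = IPv6 only; any other value flushes nothing */`. When USE_INET6 is not defined, `proto == 6` is likewise a silent no-op. The function body starts outside this hunk.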
diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c
index fb9910d..a439a68 100644
--- a/sys/contrib/ipfilter/netinet/ip_auth.c
+++ b/sys/contrib/ipfilter/netinet/ip_auth.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@@ -298,9 +298,15 @@ ip_t *ip;
cv_signal(&ipfauthwait);
#else
# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
+<<<<<<< ip_auth.c
if (!fin->fin_out) {
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
+=======
+ if (fin->fin_out == 0) {
+ ip->ip_len = htons(ip->ip_len);
+ ip->ip_off = htons(ip->ip_off);
+>>>>>>> 1.1.1.11
}
# endif
fr_authpkts[i] = m;
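Review bot: The added lines `<<<<<<< ip_auth.c`, `=======` and `>>>>>>> 1.1.1.11` are unresolved merge-conflict markers, and they sit inside the `defined(BSD) && !defined(sparc) && (BSD >= 199306)` branch, so the file cannot compile wherever that branch is active. The two sides differ only in how the test is spelled; keep one, e.g. `if (fin->fin_out == 0) {` followed by a single pair of `htons` assignments, and drop the markers and the duplicated lines. The same defect is in the ipldetach hunk of ip_fil.c (`<<<<<<< ip_fil.c` to `>>>>>>> 1.1.1.17`), where the sides differ in whether `i` is initialised to `FR_INQUE|FR_OUTQUE`. The enclosing function continues outside the hunk.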
@@ -310,7 +316,7 @@ ip_t *ip;
}
-int fr_auth_ioctl(data, mode, cmd, fr, frptr)
+int fr_auth_ioctl(data, mode, cmd)
caddr_t data;
int mode;
#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
@@ -318,19 +324,21 @@ u_long cmd;
#else
int cmd;
#endif
-frentry_t *fr, **frptr;
{
mb_t *m;
#if defined(_KERNEL) && !SOLARIS
int s;
#endif
frauth_t auth, *au = &auth, *fra;
- frauthent_t *fae, **faep;
int i, error = 0;
switch (cmd)
{
case SIOCSTLCK :
+ if (!(mode & FWRITE)) {
+ error = EPERM;
+ break;
+ }
error = fr_lock(data, &fr_auth_lock);
break;
case SIOCINIFR :
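Review bot: The new `FWRITE` test guards only `SIOCSTLCK`, while the same commit deletes the `SIOCAUTHW`/`SIOCAUTHR` write-mode check from the ioctl switch in ip_fil.c; the remaining cases of this switch are outside the hunk. If those two commands are handled further down in fr_auth_ioctl without their own `if (!(mode & FWRITE))` test, a descriptor opened read-only could presumably act on held packets. Checking `mode` once before the switch for every state-changing command, or repeating the `error = EPERM; break;` guard in each such case, would keep the permission check next to the code it protects.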
@@ -343,45 +351,8 @@ frentry_t *fr, **frptr;
break;
case SIOCRMAFR :
case SIOCADAFR :
- for (faep = &fae_list; (fae = *faep); )
- if (&fae->fae_fr == fr)
- break;
- else
- faep = &fae->fae_next;
- if (cmd == SIOCRMAFR) {
- if (!fr || !frptr)
- error = EINVAL;
- else if (!fae)
- error = ESRCH;
- else {
- WRITE_ENTER(&ipf_auth);
- SPL_NET(s);
- *faep = fae->fae_next;
- *frptr = fr->fr_next;
- SPL_X(s);
- RWLOCK_EXIT(&ipf_auth);
- KFREE(fae);
- }
- } else if (fr && frptr) {
- KMALLOC(fae, frauthent_t *);
- if (fae != NULL) {
- bcopy((char *)fr, (char *)&fae->fae_fr,
- sizeof(*fr));
- WRITE_ENTER(&ipf_auth);
- SPL_NET(s);
- fae->fae_age = fr_defaultauthage;
- fae->fae_fr.fr_hits = 0;
- fae->fae_fr.fr_next = *frptr;
- *frptr = &fae->fae_fr;
- fae->fae_next = *faep;
- *faep = fae;
- ipauth = &fae_list->fae_fr;
- SPL_X(s);
- RWLOCK_EXIT(&ipf_auth);
- } else
- error = ENOMEM;
- } else
- error = EINVAL;
+ /* These commands go via request to fr_preauthcmd */
+ error = EINVAL;
break;
case SIOCATHST:
fr_authstats.fas_faelist = fae_list;
@@ -629,3 +600,66 @@ void fr_authexpire()
RWLOCK_EXIT(&ipf_auth);
SPL_X(s);
}
+
+int fr_preauthcmd(cmd, fr, frptr)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || \
+ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
+u_long cmd;
+#else
+int cmd;
+#endif
+frentry_t *fr, **frptr;
+{
+ frauthent_t *fae, **faep;
+ int error = 0;
+#if defined(KERNEL) && !SOLARIS
+ int s;
+#endif
+
+ if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
+ /* Should not happen */
+ printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
+ return EIO;
+ }
+
+ for (faep = &fae_list; (fae = *faep); )
+ if (&fae->fae_fr == fr)
+ break;
+ else
+ faep = &fae->fae_next;
+ if (cmd == SIOCRMAFR) {
+ if (!fr || !frptr)
+ error = EINVAL;
+ else if (!fae)
+ error = ESRCH;
+ else {
+ WRITE_ENTER(&ipf_auth);
+ SPL_NET(s);
+ *faep = fae->fae_next;
+ *frptr = fr->fr_next;
+ SPL_X(s);
+ RWLOCK_EXIT(&ipf_auth);
+ KFREE(fae);
+ }
+ } else if (fr && frptr) {
+ KMALLOC(fae, frauthent_t *);
+ if (fae != NULL) {
+ bcopy((char *)fr, (char *)&fae->fae_fr,
+ sizeof(*fr));
+ WRITE_ENTER(&ipf_auth);
+ SPL_NET(s);
+ fae->fae_age = fr_defaultauthage;
+ fae->fae_fr.fr_hits = 0;
+ fae->fae_fr.fr_next = *frptr;
+ *frptr = &fae->fae_fr;
+ fae->fae_next = *faep;
+ *faep = fae;
+ ipauth = &fae_list->fae_fr;
+ SPL_X(s);
+ RWLOCK_EXIT(&ipf_auth);
+ } else
+ error = ENOMEM;
+ } else
+ error = EINVAL;
+ return error;
+}
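Review bot: fr_preauthcmd walks `fae_list` before `WRITE_ENTER(&ipf_auth)` and then uses the `faep`/`fae` it found once the lock is held, so if another path changes the list in between (fr_authexpire, whose tail is visible just above, presumably does so under the same lock) the unlink or insert works on stale pointers. Whether the callers already serialise this is not visible here. The lookup belongs inside the locked region, with the SIOCADAFR allocation done before the lock is taken, as sketched below. Separately, `int s` is declared under `defined(KERNEL)` while fr_auth_ioctl uses `defined(_KERNEL)`, and the "bad cmd" printf has no trailing newline.

```c
	/* … unchanged: declarations and cmd validation … */
	frauthent_t *nfae = NULL;

	if (!fr || !frptr)
		return EINVAL;
	if (cmd == SIOCADAFR) {
		/* Allocate and fill the entry before the lock is taken. */
		KMALLOC(nfae, frauthent_t *);
		if (nfae == NULL)
			return ENOMEM;
		bcopy((char *)fr, (char *)&nfae->fae_fr, sizeof(*fr));
		nfae->fae_age = fr_defaultauthage;
		nfae->fae_fr.fr_hits = 0;
	}

	WRITE_ENTER(&ipf_auth);
	SPL_NET(s);
	/* Walk fae_list under the lock that guards the unlink/insert below. */
	for (faep = &fae_list; (fae = *faep); faep = &fae->fae_next)
		if (&fae->fae_fr == fr)
			break;
	if (cmd == SIOCRMAFR) {
		if (fae != NULL) {
			*faep = fae->fae_next;
			*frptr = fr->fr_next;
		} else
			error = ESRCH;
	} else {
		nfae->fae_fr.fr_next = *frptr;
		*frptr = &nfae->fae_fr;
		nfae->fae_next = *faep;
		*faep = nfae;
		ipauth = &fae_list->fae_fr;
		fae = NULL;	/* nothing to free on the add path */
	}
	SPL_X(s);
	RWLOCK_EXIT(&ipf_auth);
	if (fae != NULL)
		KFREE(fae);
	return error;
```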
diff --git a/sys/contrib/ipfilter/netinet/ip_auth.h b/sys/contrib/ipfilter/netinet/ip_auth.h
index cc2b661..64fc2d7 100644
--- a/sys/contrib/ipfilter/netinet/ip_auth.h
+++ b/sys/contrib/ipfilter/netinet/ip_auth.h
@@ -54,8 +54,10 @@ extern mb_t *fr_authpkts[];
extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *));
#if defined(__NetBSD__) || defined(__OpenBSD__) || \
(__FreeBSD_version >= 300003)
-extern int fr_auth_ioctl __P((caddr_t, int, u_long, frentry_t *, frentry_t **));
+extern int fr_preauthcmd __P((u_long, frentry_t *, frentry_t **));
+extern int fr_auth_ioctl __P((caddr_t, int, u_long));
#else
-extern int fr_auth_ioctl __P((caddr_t, int, int, frentry_t *, frentry_t **));
+extern int fr_preauthcmd __P((int, frentry_t *, frentry_t **));
+extern int fr_auth_ioctl __P((caddr_t, int, int));
#endif
#endif /* __IP_AUTH_H__ */
diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h
index 1a43238..90fc988 100644
--- a/sys/contrib/ipfilter/netinet/ip_compat.h
+++ b/sys/contrib/ipfilter/netinet/ip_compat.h
@@ -533,6 +533,7 @@ extern ill_t *get_unit __P((char *, int));
# ifdef sun
# if !SOLARIS
+# include <sys/time.h>
# include <sys/kmem_alloc.h>
# define GETUNIT(n, v) ifunit(n, IFNAMSIZ)
# define IFNAME(x) ((struct ifnet *)x)->if_name
@@ -655,6 +656,7 @@ extern vm_map_t kmem_map;
# define IWCOPYPTR iwcopyptr
# define IFNAME(x) get_ifname((struct ifnet *)x)
# define UIOMOVE(a,b,c,d) ipfuiomove(a,b,c,d)
+# include <sys/time.h>
extern void m_copydata __P((mb_t *, int, int, caddr_t));
extern int ipfuiomove __P((caddr_t, int, int, struct uio *));
#endif /* KERNEL */
diff --git a/sys/contrib/ipfilter/netinet/ip_fil.c b/sys/contrib/ipfilter/netinet/ip_fil.c
index da64a49..c2961cc 100644
--- a/sys/contrib/ipfilter/netinet/ip_fil.c
+++ b/sys/contrib/ipfilter/netinet/ip_fil.c
@@ -25,7 +25,7 @@
# include <osreldate.h>
# endif
#endif
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
# define _KMEMUSER
# include <sys/ptimers.h>
#endif
@@ -118,6 +118,10 @@
# include <sys/kernel.h>
extern int ip_optcopy __P((struct ip *, struct ip *));
#endif
+#if defined(OpenBSD) && (OpenBSD >= 200211) && defined(_KERNEL)
+extern int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
+ struct ifnet *, struct in6_addr *, u_long *);
+#endif
#include <machine/in_cksum.h>
@@ -195,6 +199,15 @@ struct timeout ipfr_slowtimer_ch;
toid_t ipfr_slowtimer_ch;
#endif
+#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) && \
+ defined(_KERNEL)
+# include <sys/conf.h>
+const struct cdevsw ipl_cdevsw = {
+ iplopen, iplclose, iplread, nowrite, iplioctl,
+ nostop, notty, nopoll, nommap,
+};
+#endif
+
#if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
# include <sys/device.h>
# include <sys/conf.h>
@@ -323,7 +336,7 @@ int count;
# endif
-# if defined(__NetBSD__)
+# if defined(__NetBSD__) || defined(__OpenBSD__)
int ipl_enable()
# else
int iplattach()
@@ -368,10 +381,13 @@ int iplattach()
# ifdef NETBSD_PF
# if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011)
# if __NetBSD_Version__ >= 105110000
- if (
- !(ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET))
+ ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
+# ifdef USE_INET6
+ ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
+# endif
+ if (ph_inet == NULL
# ifdef USE_INET6
- && !(ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6))
+ && ph_inet6 == NULL
# endif
)
return ENODEV;
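Review bot: The rewritten test still joins the two heads with `&&`, so with USE_INET6 the attach continues when exactly one of `ph_inet` and `ph_inet6` is NULL. If the hook registration that follows (outside the hunk) uses both heads unconditionally, the NULL one is passed on. Either fail when any required head is missing, using `||` between the two NULL tests, or keep `&&` and add a comment such as `/* either family may be absent; each pfil call below checks its own head */` so the intent is on record.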
@@ -488,9 +504,15 @@ int ipl_disable()
int ipldetach()
# endif
{
+<<<<<<< ip_fil.c
int s, i = FR_INQUE|FR_OUTQUE;
#if defined(NETBSD_PF) && \
((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011))
+=======
+ int s, i;
+#if defined(NETBSD_PF) && \
+ ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011))
+>>>>>>> 1.1.1.17
int error = 0;
# if __NetBSD_Version__ >= 105150000
struct pfil_head *ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
@@ -530,8 +552,8 @@ int ipldetach()
printf("%s unloaded\n", ipfilter_version);
fr_checkp = fr_savep;
- i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
- i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
+ i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
+ i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
fr_running = 0;
# ifdef NETBSD_PF
@@ -676,7 +698,16 @@ int mode;
if (!fr_running)
error = EIO;
else
- error = fr_auth_ioctl(data, mode, cmd, NULL, NULL);
+ if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {
+ if (!(mode & FWRITE)) {
+ error = EPERM;
+ } else {
+ error = frrequest(unit, cmd, data,
+ fr_active);
+ }
+ } else {
+ error = fr_auth_ioctl(data, mode, cmd);
+ }
SPL_X(s);
return error;
}
@@ -700,7 +731,7 @@ int mode;
if (error)
break;
if (enable)
-# if defined(__NetBSD__)
+# if defined(__NetBSD__) || defined(__OpenBSD__)
error = ipl_enable();
# else
error = iplattach();
@@ -773,12 +804,26 @@ int mode;
else {
error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
if (!error) {
- tmp = frflush(unit, tmp);
+ tmp = frflush(unit, 4, tmp);
error = IWCOPY((caddr_t)&tmp, data,
sizeof(tmp));
}
}
break;
+#ifdef USE_INET6
+ case SIOCIPFL6 :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else {
+ error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
+ if (!error) {
+ tmp = frflush(unit, 6, tmp);
+ error = IWCOPY((caddr_t)&tmp, data,
+ sizeof(tmp));
+ }
+ }
+ break;
+#endif
case SIOCSTLCK :
error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
if (!error) {
@@ -803,12 +848,6 @@ int mode;
if (error)
error = EFAULT;
break;
- case SIOCAUTHW :
- case SIOCAUTHR :
- if (!(mode & FWRITE)) {
- error = EPERM;
- break;
- }
case SIOCFRSYN :
if (!(mode & FWRITE))
error = EPERM;
@@ -1014,6 +1053,9 @@ caddr_t data;
return EBUSY;
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
+ if (unit == IPL_LOGAUTH) {
+ return fr_preauthcmd(req, f, ftail);
+ }
if (f->fr_grhead)
fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
unit, set);
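Review bot: The new early return for `IPL_LOGAUTH` sits after `fg->fg_head->fr_ref--`, so the group head loses a reference even when fr_preauthcmd fails with ESRCH or EINVAL. The insert-side return in the next hunk is placed before the `if (fg && fg->fg_head)` line that presumably takes the matching reference, so auth rules in a group could drive `fr_ref` below its true count. Moving the check above the decrement, `if (unit == IPL_LOGAUTH) return fr_preauthcmd(req, f, ftail);`, would keep the two paths symmetric. Both returns also bypass whatever follows in frrequest, which starts and ends outside these hunks.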
@@ -1028,6 +1070,9 @@ caddr_t data;
if (f)
error = EEXIST;
else {
+ if (unit == IPL_LOGAUTH) {
+ return fr_preauthcmd(req, fp, ftail);
+ }
KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)
@@ -1253,7 +1298,8 @@ struct mbuf **mp;
ip->ip_tos = oip->ip_tos;
ip->ip_id = oip->ip_id;
-# if defined(__NetBSD__) || defined(__OpenBSD__)
+# if defined(__NetBSD__) || \
+ (defined(__OpenBSD__) && (OpenBSD >= 200012))
if (ip_mtudisc != 0)
ip->ip_off = IP_DF;
# else
@@ -1488,7 +1534,7 @@ void
iplinit()
{
-# if defined(__NetBSD__)
+# if defined(__NetBSD__) || defined(__OpenBSD__)
if (ipl_enable() != 0)
# else
if (iplattach() != 0)
@@ -1593,7 +1639,7 @@ frdest_t *fdp;
/*
* Route packet.
*/
-#ifdef __sgi
+#if defined(__sgi) && (IRIX >= 605)
ROUTE_RDLOCK();
#endif
bzero((caddr_t)ro, sizeof (*ro));
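Review bot: `ROUTE_RDLOCK()` is now compiled for `IRIX >= 605`, but the matching `ROUTE_UNLOCK()` in the next hunk is compiled for `IRIX > 602`, so a build with IRIX set to 603 or 604 would release a route lock it never took. The two guards should be identical; if 605 is the first release with the lock, the unlock line should read `#if defined(__sgi) && (IRIX >= 605)`. Which bound is right depends on the IRIX headers, which are not visible here. The enclosing function starts and ends outside both hunks.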
@@ -1633,7 +1679,7 @@ frdest_t *fdp;
rtalloc(ro);
# endif
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
ROUTE_UNLOCK();
#endif
@@ -1904,6 +1950,12 @@ frdest_t *fdp;
struct route_in6 *ro;
struct ifnet *ifp;
frentry_t *fr;
+#if defined(OpenBSD) && (OpenBSD >= 200211)
+ struct route_in6 *ro_pmtu = NULL;
+ struct in6_addr finaldst;
+ ip6_t *ip6;
+#endif
+ u_long mtu;
int error;
ifp = NULL;
@@ -1941,11 +1993,23 @@ frdest_t *fdp;
dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway;
ro->ro_rt->rt_use++;
- if (m0->m_pkthdr.len <= nd_ifinfo[ifp->if_index].linkmtu)
- error = nd6_output(ifp, fin->fin_ifp, m0, dst6,
- ro->ro_rt);
- else
- error = EMSGSIZE;
+#if defined(OpenBSD) && (OpenBSD >= 200211)
+ ip6 = mtod(m0, ip6_t *);
+ ro_pmtu = ro;
+ finaldst = ip6->ip6_dst;
+ error = ip6_getpmtu(ro_pmtu, ro, ifp, &finaldst, &mtu);
+ if (error == 0) {
+#else
+ mtu = nd_ifinfo[ifp->if_index].linkmtu;
+#endif
+ if (m0->m_pkthdr.len <= mtu)
+ error = nd6_output(ifp, fin->fin_ifp, m0,
+ dst6, ro->ro_rt);
+ else
+ error = EMSGSIZE;
+#if defined(OpenBSD) && (OpenBSD >= 200211)
+ }
+#endif
}
if (ro->ro_rt != NULL) {