authorphk <phk@FreeBSD.org>1996-04-03 13:52:20 +0000
committerphk <phk@FreeBSD.org>1996-04-03 13:52:20 +0000
commit8a4381b139489559851a24f7e7088354b0acf624 (patch)
tree483ce3e46ff56905fdb02eea47e8607647309f56 /sys
parent1ed2b37fd0916198236f3d291a834deea1779c2f (diff)
downloadFreeBSD-src-8a4381b139489559851a24f7e7088354b0acf624.zip
FreeBSD-src-8a4381b139489559851a24f7e7088354b0acf624.tar.gz
Add feature for tcp "established".
Change interface between netinet and ip_fw to be more general, and thus hopefully also support other ip filtering implementations.
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/in.h12
-rw-r--r--sys/netinet/ip_fw.c27
-rw-r--r--sys/netinet/ip_fw.h9
-rw-r--r--sys/netinet/ip_input.c35
-rw-r--r--sys/netinet/ip_output.c14
5 files changed, 43 insertions, 54 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 810dec8..f19aaeb 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)in.h 8.3 (Berkeley) 1/3/94
- * $Id: in.h,v 1.15 1996/02/22 21:32:17 peter Exp $
+ * $Id: in.h,v 1.16 1996/03/14 16:59:18 fenner Exp $
*/
#ifndef _NETINET_IN_H_
@@ -310,7 +310,13 @@ int in_canforward __P((struct in_addr));
int in_cksum __P((struct mbuf *, int));
int in_localaddr __P((struct in_addr));
char *inet_ntoa __P((struct in_addr)); /* in libkern */
-#endif
-#endif
+/* Firewall hooks */
+struct ip;
+typedef int ip_fw_chk_t __P((struct ip**, int, struct ifnet*, int, struct mbuf**));
+typedef int ip_fw_ctl_t __P((int, struct mbuf**));
+extern ip_fw_chk_t *ip_fw_chk_ptr;
+extern ip_fw_ctl_t *ip_fw_ctl_ptr;
+#endif /* KERNEL */
+#endif
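Review bot: The new `ip_fw_chk_t`/`ip_fw_ctl_t` typedefs carry no statement of their contract, yet the callers changed in this commit (ip_input.c, ip_output.c) now rely on two unwritten conventions: a NULL `ip_fw_chk_ptr` means no filter is installed (the dummy that returned 1 is deleted), and a 0 return means the packet was refused and the hook has already disposed of the mbuf (`m_freem(*m)` in ip_fw_chk). Passing `struct ip **` and `struct mbuf **` presumably also allows the hook to replace the packet, so callers would have to reload `ip` and `m` afterwards — confirm that intent. I would add a block comment above the `ip_fw_chk_t` typedef listing the arguments (address of the ip pointer, IP header length in bytes, interface, direction with 0 = input and 1 = output as the callers pass it, address of the mbuf pointer), stating that a NULL pointer means no filter, that non-zero means pass, and that on 0 the hook owns and has freed the mbuf.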
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 857d18a..129d72c 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -11,7 +11,7 @@
*
* This software is provided ``AS IS'' without any warranties of any kind.
*
- * $Id: ip_fw.c,v 1.32 1996/02/24 13:38:26 phk Exp $
+ * $Id: ip_fw.c,v 1.33 1996/02/26 15:28:15 phk Exp $
*/
/*
@@ -70,8 +70,8 @@ static int port_match __P((u_short *portptr, int nports, u_short port,
static int tcpflg_match __P((struct tcphdr *tcp, struct ip_fw *f));
static void ipfw_report __P((char *txt, int rule, struct ip *ip));
-static int (*old_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *, int dir);
-static int (*old_ctl_ptr)(int,struct mbuf **);
+static ip_fw_chk_t *old_chk_ptr;
+static ip_fw_ctl_t *old_ctl_ptr;
/*
* Returns 1 if the port is matched by the vector, 0 otherwise
@@ -107,6 +107,10 @@ tcpflg_match(tcp, f)
{
u_char flg_set, flg_clr;
+ if ((f->fw_tcpf & IP_FW_TCPF_ESTAB) &&
+ (tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK)))
+ return 1;
+
flg_set = tcp->th_flags & f->fw_tcpf;
flg_clr = tcp->th_flags & f->fw_tcpnf;
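Review bot: When the added early return does not fire, `IP_FW_TCPF_ESTAB` (0x40 in the ip_fw.h hunk) stays in `f->fw_tcpf`, so the `flg_set = tcp->th_flags & f->fw_tcpf` comparison that follows can only succeed if the segment carries bit 0x40, which is not one of the six standard TCP flag bits (0x01–0x20); an established-only rule rejects non-ACK/RST segments by that accident, and a rule combining established with other flag bits presumably can never match — the comparison itself is below the hunk, so confirm. Making the pseudo-flag self-contained avoids depending on that bit: `if (f->fw_tcpf & IP_FW_TCPF_ESTAB)` / `return (tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK)) != 0;`. The test also deserves a comment that this is a stateless approximation, e.g. `/* "established": any segment with ACK or RST set; no connection state is kept */`. tcpflg_match continues outside the hunk.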
@@ -225,14 +229,15 @@ ipfw_report(char *txt, int rule, struct ip *ip)
*/
int
-ip_fw_chk(m, ip, rif, dir)
- struct mbuf *m;
- struct ip *ip;
+ip_fw_chk(pip, hlen, rif, dir, m)
+ struct ip **pip;
struct ifnet *rif;
- int dir;
+ int hlen, dir;
+ struct mbuf **m;
{
struct ip_fw_chain *chain;
register struct ip_fw *f = NULL;
+ struct ip *ip = *pip;
struct tcphdr *tcp = (struct tcphdr *) ((u_long *) ip + ip->ip_hl);
struct udphdr *udp = (struct udphdr *) ((u_long *) ip + ip->ip_hl);
struct icmp *icmp = (struct icmp *) ((u_long *) ip + ip->ip_hl);
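Review bot: The new `hlen` parameter is not used in the visible lines; the three transport-header pointers after `struct ip *ip = *pip;` are still computed as `(u_long *) ip + ip->ip_hl`, which equals `hlen` bytes only when `sizeof(u_long)` is 4 and is wrong on an LP64 machine. Using the byte count the caller already supplies removes that assumption: `struct tcphdr *tcp = (struct tcphdr *) ((caddr_t) ip + hlen);` and likewise for `udp` and `icmp`. The rest of ip_fw_chk lies outside this hunk.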
@@ -247,7 +252,7 @@ ip_fw_chk(m, ip, rif, dir)
*/
if ((ip->ip_off & IP_OFFMASK) == 1) {
ipfw_report("Refuse", -1, ip);
- m_freem(m);
+ m_freem(*m);
return 0;
}
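Review bot: `m_freem(*m)` releases the packet but leaves `*m` pointing at the freed chain, and the ip_input.c hunk in this commit changes the caller from `return` to `goto bad` on a 0 result; if `bad:` frees `m`, as that label normally does in ip_input (it is outside the hunk), every refused packet is freed twice. The same pattern ends the deny path in the later ip_fw.c hunk (`m_freem(*m); return 0;`, and `icmp_error(*m, ...)` also consumes the mbuf). Either clear the pointer after consuming it, `m_freem(*m); *m = NULL;`, and have the ip_input.c `bad:` path tolerate a NULL `m`, or keep `return` there as before. ip_output.c's `error = EACCES; goto done;` is unchanged in shape, so only the ip_input.c path is new.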
@@ -422,15 +427,15 @@ got_match:
*/
if ((f_prt != IP_FW_F_ICMP) && (f->fw_flg & IP_FW_F_ICMPRPL)) {
if (f_prt == IP_FW_F_ALL)
- icmp_error(m, ICMP_UNREACH,
+ icmp_error(*m, ICMP_UNREACH,
ICMP_UNREACH_HOST, 0L, 0);
else
- icmp_error(m, ICMP_UNREACH,
+ icmp_error(*m, ICMP_UNREACH,
ICMP_UNREACH_PORT, 0L, 0);
return 0;
}
}
- m_freem(m);
+ m_freem(*m);
return 0;
}
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index 9f6ac09..b2d8e2b 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -11,7 +11,7 @@
*
* This software is provided ``AS IS'' without any warranties of any kind.
*
- * $Id: ip_fw.h,v 1.16 1996/02/24 00:17:33 phk Exp $
+ * $Id: ip_fw.h,v 1.17 1996/02/24 13:38:27 phk Exp $
*/
/*
@@ -105,6 +105,7 @@ struct ip_fw_chain {
#define IP_FW_TCPF_PSH TH_PUSH
#define IP_FW_TCPF_ACK TH_ACK
#define IP_FW_TCPF_URG TH_URG
+#define IP_FW_TCPF_ESTAB 0x40
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
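Review bot: `IP_FW_TCPF_ESTAB` sits next to the `TH_` aliases above it as if it were a TCP header bit, but 0x40 is not one of the standard flag values (0x01–0x20) and ip_fw.c handles it specially in tcpflg_match instead of comparing it against `th_flags`; a reader of the header cannot tell that. Add `/* pseudo-flag, not a TCP header bit: matches segments with ACK or RST set */` on the define, and note that the value collides with any future use of bit 0x40 in the TCP header.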
@@ -123,12 +124,6 @@ struct ip_fw_chain {
#ifdef KERNEL
/*
- * Function pointers.
- */
-extern int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *, int dir);
-extern int (*ip_fw_ctl_ptr)(int,struct mbuf **);
-
-/*
* Function definitions.
*/
void ip_fw_init(void);
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 38ee8c9..f139e13 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)ip_input.c 8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.38 1996/02/24 13:38:28 phk Exp $
+ * $Id: ip_input.c,v 1.39 1996/03/25 17:41:23 phk Exp $
*/
#include <sys/param.h>
@@ -60,8 +60,6 @@
#include <netinet/ip_var.h>
#include <netinet/ip_icmp.h>
-#include <netinet/ip_fw.h>
-
#include <sys/socketvar.h>
int rsvp_on = 0;
static int ip_rsvp_on;
@@ -105,23 +103,9 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
&ip_mtu, 0, "");
#endif
-/*
- * The dummy IP-firewall function, and the pointer we access it through
- */
-static int
-dummy_ip_fw_chk(m, ip, rif, dir)
- struct mbuf *m;
- struct ip *ip;
- struct ifnet *rif;
- int dir;
-{
- return 1;
-}
-
-int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *, struct ifnet *, int dir) =
- dummy_ip_fw_chk;
-
-int (*ip_fw_ctl_ptr)(int, struct mbuf **);
+/* Firewall hooks */
+ip_fw_chk_t *ip_fw_chk_ptr;
+ip_fw_ctl_t *ip_fw_ctl_ptr;
/*
* We need to save the IP options in case a protocol wants to respond
@@ -187,9 +171,9 @@ static struct route ipforward_rt;
void
ip_input(struct mbuf *m)
{
- register struct ip *ip;
- register struct ipq *fp;
- register struct in_ifaddr *ia;
+ struct ip *ip;
+ struct ipq *fp;
+ struct in_ifaddr *ia;
int hlen;
#ifdef DIAGNOSTIC
@@ -269,8 +253,9 @@ ip_input(struct mbuf *m)
* - Encapsulate: put it in another IP and send out. <unimp.>
*/
- if (!(*ip_fw_chk_ptr)(m,ip,m->m_pkthdr.rcvif,0))
- return;
+ if (ip_fw_chk_ptr &&
+ !(*ip_fw_chk_ptr)(&ip, hlen, m->m_pkthdr.rcvif, 0, &m))
+ goto bad;
/*
* Process options and, if not destined for us,
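Review bot: After the hook returns, `ip` and `m` may have been replaced through the addresses passed (presumably the reason they are now passed by address), but `hlen` is not refreshed, so the option processing below the hunk would use the old header length if a filter ever substitutes a packet with different options — confirm whether hooks are allowed to do that; if so, add `hlen = ip->ip_hl << 2;` after the call. The double free risk of `goto bad` on a packet the hook already freed is raised at the ip_fw.c hunk. ip_input continues outside the hunk.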
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 617fd5e..628921a 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)ip_output.c 8.3 (Berkeley) 1/21/94
- * $Id: ip_output.c,v 1.32 1996/03/13 08:02:43 pst Exp $
+ * $Id: ip_output.c,v 1.33 1996/03/26 18:56:51 fenner Exp $
*/
#include <sys/param.h>
@@ -54,8 +54,6 @@
#include <netinet/in_var.h>
#include <netinet/ip_var.h>
-#include <netinet/ip_fw.h>
-
#ifdef vax
#include <machine/mtpr.h>
#endif
@@ -86,10 +84,10 @@ ip_output(m0, opt, ro, flags, imo)
int flags;
struct ip_moptions *imo;
{
- register struct ip *ip, *mhip;
- register struct ifnet *ifp;
- register struct mbuf *m = m0;
- register int hlen = sizeof (struct ip);
+ struct ip *ip, *mhip;
+ struct ifnet *ifp;
+ struct mbuf *m = m0;
+ int hlen = sizeof (struct ip);
int len, off, error = 0;
/*
* It might seem obvious at first glance that one could easily
@@ -339,7 +337,7 @@ sendit:
/*
* Check with the firewall...
*/
- if (!(*ip_fw_chk_ptr)(m,ip,ifp,1)) {
+ if (ip_fw_chk_ptr && !(*ip_fw_chk_ptr)(&ip, hlen, ifp, 1, &m)) {
error = EACCES;
goto done;
}