Diffstat (limited to 'sys/contrib/ipfilter')
-rw-r--r-- | sys/contrib/ipfilter/netinet/fil.c | 71 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_auth.c | 16 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_fil.c | 23 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_fil.h | 14 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_frag.c | 11 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_ftp_pxy.c | 25 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_log.c | 17 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_nat.c | 24 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_proxy.c | 47 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_state.c | 155 |
10 files changed, 161 insertions, 242 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index f2b19a5..57190a9 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -7,21 +7,24 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 1.1.1.6 1998/03/21 10:11:28 peter Exp $"; #endif +#include "opt_ipfilter.h" + #include <sys/errno.h> #include <sys/types.h> #include <sys/param.h> #include <sys/time.h> #include <sys/file.h> -#include <sys/ioctl.h> +#if !defined(__FreeBSD__) +# include <sys/ioctl.h> +#endif #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux) # include <sys/systm.h> #else # include <stdio.h> # include <string.h> -# include <stdlib.h> #endif #include <sys/uio.h> #if !defined(__SVR4) && !defined(__svr4__) @@ -33,6 +36,9 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 # include <sys/dditypes.h> # include <sys/stream.h> #endif +#if defined(__FreeBSD__) +# include <sys/malloc.h> +#endif #ifndef linux # include <sys/protosw.h> # include <sys/socket.h> @@ -195,7 +201,6 @@ fr_info_t *fin; { struct optlist *op; tcphdr_t *tcp; - icmphdr_t *icmp; fr_ip_t *fi = &fin->fin_fi; u_short optmsk = 0, secmsk = 0, auth = 0; int i, mv, ol, off; @@ -216,7 +221,6 @@ fr_info_t *fin; fin->fin_hlen = hlen; fin->fin_dlen = ip->ip_len - hlen; tcp = (tcphdr_t *)((char *)ip + hlen); - icmp = (icmphdr_t *)tcp; fin->fin_dp = (void *)tcp; (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4)); (*(((u_32_t *)fi) + 1)) = (*(((u_32_t *)ip) + 3)); 
@@ -229,20 +233,12 @@ fr_info_t *fin; switch (ip->ip_p) { case IPPROTO_ICMP : - { - int minicmpsz = sizeof(struct icmp); - - if (!off && ip->ip_len > ICMP_MINLEN + hlen && - (icmp->icmp_type == ICMP_ECHOREPLY || - icmp->icmp_type == ICMP_UNREACH)) - minicmpsz = ICMP_MINLEN; - if ((!(ip->ip_len >= hlen + minicmpsz) && !off) || + if ((!IPMINLEN(ip, icmp) && !off) || (off && off < sizeof(struct icmp))) fi->fi_fl |= FI_SHORT; if (fin->fin_dlen > 1) fin->fin_data[0] = *(u_short *)tcp; break; - } case IPPROTO_TCP : fi->fi_fl |= FI_TCPUDP; if ((!IPMINLEN(ip, tcphdr) && !off) || @@ -429,7 +425,7 @@ void *m; off = ip->ip_off & 0x1fff; pass |= (fi->fi_fl << 24); - if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off) + if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off) portcmp = 1; for (rulen = 0; fr; fr = fr->fr_next, rulen++) { @@ -486,22 +482,24 @@ void *m; * If a fragment, then only the first has what we're looking * for here... */ - if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf || - fr->fr_tcpfm)) - continue; if (fi->fi_fl & FI_TCPUDP) { - if (!fr_tcpudpchk(fr, fin)) + if (portcmp) { + if (!fr_tcpudpchk(fr, fin)) + continue; + } else if (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf || + fr->fr_tcpfm) continue; - } else if (fr->fr_icmpm || fr->fr_icmp) { - if ((fi->fi_p != IPPROTO_ICMP) || off || - (fin->fin_dlen < 2)) - continue; - if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) { - FR_DEBUG(("i. %#x & %#x != %#x\n", - fin->fin_data[0], fr->fr_icmpm, - fr->fr_icmp)); + } else if (fi->fi_p == IPPROTO_ICMP) { + if (!off && (fin->fin_dlen > 1)) { + if ((fin->fin_data[0] & fr->fr_icmpm) != + fr->fr_icmp) { + FR_DEBUG(("i. %#x & %#x != %#x\n", + fin->fin_data[0], + fr->fr_icmpm, fr->fr_icmp)); + continue; + } + } else if (fr->fr_icmpm || fr->fr_icmp) continue; - } } FR_VERBOSE(("*")); /* 
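Review bot: The new ICMP length test marks every ICMP message shorter than `sizeof(struct icmp)` as FI_SHORT, which would include a bare 8-byte echo reply, if IPMINLEN measures against that struct as the fragment branch's `off < sizeof(struct icmp)` suggests; the removed lines accepted ICMP_MINLEN for ECHOREPLY and UNREACH precisely to avoid that. A policy that blocks `short` packets would then drop ordinary replies. If the single threshold is intended (it does simplify the check, and fin_data[0] only needs two bytes), say so where the flag is set: `/* any ICMP shorter than struct icmp is treated as short, payload-less echo replies included */`; otherwise keep an ICMP_MINLEN exception for the reply types. The enclosing function starts before and continues after this hunk.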
@@ -580,15 +578,6 @@ int out; # endif int up; -#ifdef M_CANFASTFWD - /* - * XXX For now, IP Filter and fast-forwarding of cached flows - * XXX are mutually exclusive. Eventually, IP Filter should - * XXX get a "can-fast-forward" filter rule. - */ - m->m_flags &= ~M_CANFASTFWD; -#endif /* M_CANFASTFWD */ - if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_ICMP)) { int plen = 0; @@ -905,7 +894,7 @@ u_short ipf_cksum(addr, len) register u_short *addr; register int len; { - register u_32_t sum = 0; + register u_long sum = 0; for (sum = 0; len > 1; len -= 2) sum += *addr++; @@ -938,7 +927,7 @@ int len; u_char c[2]; u_short s; } bytes; - u_32_t sum; + u_long sum; u_short *sp; # if SOLARIS || defined(__sgi) int add, hlen; @@ -1037,7 +1026,7 @@ int len; #endif /* SOLARIS */ if (len < 2) break; - if((u_32_t)sp & 1) { + if((u_long)sp & 1) { bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s)); sum += bytes.s; } else @@ -1091,7 +1080,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $ + * $Id: fil.c,v 1.1.1.6 1998/03/21 10:11:28 peter Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c index bdb3114..40ffc88 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.c +++ b/sys/contrib/ipfilter/netinet/ip_auth.c @@ -6,9 +6,14 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43:29 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 1.2 1998/03/21 11:33:59 peter Exp $"; #endif +#if defined(KERNEL) && !defined(_KERNEL) +#define _KERNEL +#endif +#define __FreeBSD_version 300000 /* just a hack - no <sys/osreldate.h> */ + #if !defined(_KERNEL) && !defined(KERNEL) # include <stdlib.h> # include <string.h> 
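Review bot: `#define __FreeBSD_version 300000` is placed before any system header, so if a header included later in ip_auth.c (outside this hunk) also defines `__FreeBSD_version`, as in-kernel `<sys/param.h>` does on the kernels that carry it, this is a macro redefinition that at best warns and at worst wins over the real value. Guard it so the hack only fills a gap: `#ifndef __FreeBSD_version` / `#define __FreeBSD_version 300000 /* no <sys/osreldate.h> in-kernel */` / `#endif`. The same unguarded define is repeated in ip_frag.c, ip_nat.c and ip_state.c in this commit and the guard belongs in each.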
@@ -43,6 +48,9 @@ static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43: # include <sys/stream.h> # include <sys/kmem.h> #endif +#if defined(KERNEL) && (__FreeBSD_version >= 300000) +# include <sys/malloc.h> +#endif #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) # include <machine/cpu.h> #endif @@ -50,6 +58,9 @@ static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43: #ifdef sun #include <net/af.h> #endif +#if !defined(KERNEL) && (__FreeBSD_version >= 300000) +# include <net/if_var.h> +#endif #include <net/route.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -86,9 +97,6 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ #include "netinet/ip_auth.h" #if !SOLARIS && !defined(linux) # include <net/netisr.h> -# ifdef __FreeBSD__ -# include <machine/cpufunc.h> -# endif #endif diff --git a/sys/contrib/ipfilter/netinet/ip_fil.c b/sys/contrib/ipfilter/netinet/ip_fil.c index 09c4b6e..d657b7f 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.c +++ b/sys/contrib/ipfilter/netinet/ip_fil.c @@ -7,9 +7,11 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:49 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 1.3 1998/03/27 18:03:13 peter Exp $"; #endif +#include "opt_ipfilter.h" + #ifndef SOLARIS #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif @@ -19,7 +21,7 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4 #endif #ifdef __FreeBSD__ # if defined(_KERNEL) && !defined(IPFILTER_LKM) -# include <sys/osreldate.h> +# define __FreeBSD_version 300000 /* this will do as a hack */ # else # include <osreldate.h> # endif 
@@ -46,7 +48,7 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4 #endif #include <sys/uio.h> #if !SOLARIS -# if (NetBSD > 199609) || (OpenBSD > 199603) +# if (NetBSD > 199609) || (OpenBSD > 199603) || __FreeBSD_version >= 220000 # include <sys/dirent.h> # else # include <sys/dir.h> @@ -64,6 +66,7 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:4 #endif #if __FreeBSD_version >= 300000 # include <net/if_var.h> +# include <sys/malloc.h> #endif #ifdef __sgi #include <sys/debug.h> @@ -164,7 +167,7 @@ struct devsw iplsw = { }; #endif /* _BSDI_VERSION >= 199510 && _KERNEL */ -#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) +#if defined(__NetBSD__) || defined(__OpenBSD__) # include <sys/conf.h> # if defined(NETBSD_PF) # include <net/pfil.h> @@ -339,7 +342,8 @@ struct proc *p; ) #endif dev_t dev; -#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) +#if defined(__NetBSD__) || defined(__OpenBSD__) || \ + (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300003) u_long cmd; #else int cmd; @@ -510,7 +514,9 @@ static void frsync() #ifdef _KERNEL struct ifnet *ifp; -# if defined(__OpenBSD__) || (NetBSD >= 199511) +# if (__FreeBSD_version >= 300000) + for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_link.tqe_next) +# elif defined(__OpenBSD__) || (NetBSD >= 199511) for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next) # else for (ifp = ifnet; ifp; ifp = ifp->if_next) @@ -719,7 +725,7 @@ int flags; u_int min = GET_MINOR(dev); #endif - if (2 < min) + if (IPL_LOGMAX < min) min = ENXIO; else min = 0; @@ -933,8 +939,7 @@ frdest_t *fdp; if (ro->ro_rt->rt_flags & RTF_GATEWAY) dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway; } - if (ro->ro_rt) - ro->ro_rt->rt_use++; + ro->ro_rt->rt_use++; /* * For input packets which are being "fastrouted", they won't 
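Review bot: Dropping the `if (ro->ro_rt)` guard before `ro->ro_rt->rt_use++` is only safe if the route was verified non-NULL earlier in the enclosing function (presumably ipfr_fastroute, given the frdest_t parameter); the line two above, `if (ro->ro_rt->rt_flags & RTF_GATEWAY)`, already dereferences it, so the guard was redundant given such a check, but that check lies outside the hunk and I cannot confirm it here. ro_rt is filled in by the route lookup and stays NULL when the lookup fails, so a missing check would be a kernel NULL dereference on the forwarding path, reachable by whoever can send a packet that a fastroute rule matches. A one-line comment at the increment, `/* ro_rt is non-NULL here: checked right after the route lookup above */`, would record the invariant the removal depends on.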
diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h index edbd685..ebaab4c 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.h +++ b/sys/contrib/ipfilter/netinet/ip_fil.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.0.2.39.2.11 1998/05/23 14:29:37 darrenr Exp $ + * $Id: ip_fil.h,v 1.4 1998/06/08 06:04:11 bde Exp $ */ #ifndef __IP_FIL_H__ @@ -82,8 +82,8 @@ #define SIOCINSFR SIOCINAFR typedef struct fr_ip { - u_char fi_v:4; /* IP version */ - u_char fi_fl:4; /* packet flags */ + u_int fi_v:4; /* IP version */ + u_int fi_fl:4; /* packet flags */ u_char fi_tos; u_char fi_ttl; u_char fi_p; @@ -373,6 +373,7 @@ typedef struct ipflog { #endif #ifndef _KERNEL +struct ifnet; extern int fr_check __P((ip_t *, int, void *, int, mb_t **)); extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); extern int send_reset __P((ip_t *, struct ifnet *)); @@ -381,7 +382,8 @@ extern int ipf_log __P((void)); extern void ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *)); extern struct ifnet *get_unit __P((char *)); # define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) -# if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) +# if defined(__NetBSD__) || defined(__OpenBSD__) || \ + (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300003) extern int iplioctl __P((dev_t, u_long, caddr_t, int)); # else extern int iplioctl __P((dev_t, int, caddr_t, int)); @@ -446,7 +448,8 @@ extern int iplidentify __P((char *)); # endif # if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \ (NetBSD >= 199511) -# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) +# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \ + (__FreeBSD_version >= 300003) extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *)); # else extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); 
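Review bot: The new `__FreeBSD_version >= 300003` tests choose the `u_long cmd` iplioctl prototype, but this same commit pins `__FreeBSD_version` to 300000 in ip_fil.c for the in-kernel non-LKM build, so that build takes the `int cmd` branch while an LKM build reading `<osreldate.h>` on a 3.0 system may take `u_long`. The two builds of the same function then disagree, and on an LP64 target one of them disagrees with the kernel's own prototype in the width of the ioctl command argument. Either pin the hack to a value consistent with the kernel being built against, or derive it from the kernel's own headers; at minimum add a comment next to the 300003 thresholds: `/* 300003: ioctl cmd became u_long; note ip_fil.c hard-codes 300000 in-kernel */`.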
@@ -518,5 +521,4 @@ extern int iplused[IPL_LOGMAX + 1]; extern struct frentry *ipfilter[2][2], *ipacct[2][2]; extern struct frgroup *ipfgroups[3][2]; extern struct filterstats frstats[]; - #endif /* __IP_FIL_H__ */ diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c index 923f685..a379c67 100644 --- a/sys/contrib/ipfilter/netinet/ip_frag.c +++ b/sys/contrib/ipfilter/netinet/ip_frag.c @@ -7,9 +7,14 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.0.2.19.2.1 1997/11/12 10:50:21 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 1.1.1.5 1997/11/16 05:55:34 peter Exp $"; #endif +#if !defined(_KERNEL) && defined(KERNEL) +#define _KERNEL +#endif +#define __FreeBSD_version 300000 /* it's a hack, but close enough */ + #if !defined(_KERNEL) && !defined(KERNEL) # include <string.h> # include <stdlib.h> @@ -22,6 +27,7 @@ static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.0.2.19.2.1 1997/11/12 10:50: #if defined(KERNEL) && (__FreeBSD_version >= 220000) #include <sys/filio.h> #include <sys/fcntl.h> +#include <sys/malloc.h> #else #include <sys/ioctl.h> #endif @@ -43,6 +49,9 @@ static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.0.2.19.2.1 1997/11/12 10:50: # include <sys/stream.h> # include <sys/kmem.h> #endif +#if defined(KERNEL) && (__FreeBSD_version >= 300000) +#include <sys/malloc.h> +#endif #include <net/if.h> #ifdef sun diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index 7ff8adb..2d218e9 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c 
@@ -20,17 +20,6 @@ int ippr_ftp_out __P((fr_info_t *, ip_t *, tcphdr_t *, u_short ipf_ftp_atoi __P((char **)); -int ippr_ftp_init __P((fr_info_t *, ip_t *, tcphdr_t *, ap_session_t *, - nat_t *)); -int ippr_ftp_in __P((fr_info_t *, ip_t *, tcphdr_t *, ap_session_t *, - nat_t *)); -int ippr_ftp_out __P((fr_info_t *, ip_t *, tcphdr_t *, ap_session_t *, - nat_t *)); - -u_short ipf_ftp_atoi __P((char **)); - - - /* * FTP application proxy initialization. */ @@ -54,18 +43,18 @@ tcphdr_t *tcp; ap_session_t *aps; nat_t *nat; { - u_32_t sum1, sum2; + u_long sum1, sum2; short sel; if (tcp->th_sport == aps->aps_dport) { - sum2 = (u_32_t)ntohl(tcp->th_ack); + sum2 = (u_long)ntohl(tcp->th_ack); sel = aps->aps_sel; if ((aps->aps_after[!sel] > aps->aps_after[sel]) && (sum2 > aps->aps_after[!sel])) { sel = aps->aps_sel = !sel; /* switch to other set */ } if (aps->aps_seqoff[sel] && (sum2 > aps->aps_after[sel])) { - sum1 = (u_32_t)aps->aps_seqoff[sel]; + sum1 = (u_long)aps->aps_seqoff[sel]; tcp->th_ack = htonl(sum2 - sum1); return 2; } @@ -110,7 +99,7 @@ tcphdr_t *tcp; ap_session_t *aps; nat_t *nat; { - register u_32_t sum1, sum2; + register u_long sum1, sum2; char newbuf[IPF_MAXPORTLEN+1]; char portbuf[IPF_MAXPORTLEN+1], *s; int ch = 0, off = (ip->ip_hl << 2) + (tcp->th_off << 2); @@ -243,17 +232,17 @@ nat_t *nat; adjust_seqack: if (tcp->th_dport == aps->aps_dport) { - sum2 = (u_32_t)ntohl(tcp->th_seq); + sum2 = (u_long)ntohl(tcp->th_seq); off = aps->aps_sel; if ((aps->aps_after[!off] > aps->aps_after[off]) && (sum2 > aps->aps_after[!off])) { off = aps->aps_sel = !off; /* switch to other set */ } if (aps->aps_seqoff[off]) { - sum1 = (u_32_t)aps->aps_after[off] - + sum1 = (u_long)aps->aps_after[off] - aps->aps_seqoff[off]; if (sum2 > sum1) { - sum1 = (u_32_t)aps->aps_seqoff[off]; + sum1 = (u_long)aps->aps_seqoff[off]; sum2 += sum1; tcp->th_seq = htonl(sum2); ch = 1; 
diff --git a/sys/contrib/ipfilter/netinet/ip_log.c b/sys/contrib/ipfilter/netinet/ip_log.c index 81e89e5..2d78915 100644 --- a/sys/contrib/ipfilter/netinet/ip_log.c +++ b/sys/contrib/ipfilter/netinet/ip_log.c @@ -5,8 +5,10 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: ip_log.c,v 2.0.2.13.2.3 1997/11/20 12:41:40 darrenr Exp $ + * $Id: ip_log.c,v 1.3 1998/03/21 14:42:45 peter Exp $ */ +#include "opt_ipfilter.h" + #ifdef IPFILTER_LOG # ifndef SOLARIS # define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) @@ -17,7 +19,7 @@ # endif # ifdef __FreeBSD__ # if defined(_KERNEL) && !defined(IPFILTER_LKM) -# include <sys/osreldate.h> +# define __FreeBSD_version 300000 /* this will do as a hack */ # else # include <osreldate.h> # endif @@ -44,7 +46,7 @@ # endif # include <sys/uio.h> # if !SOLARIS -# if (NetBSD > 199609) || (OpenBSD > 199603) +# if (NetBSD > 199609) || (OpenBSD > 199603) || defined(__FreeBSD__) # include <sys/dirent.h> # else # include <sys/dir.h> @@ -73,7 +75,8 @@ # include <net/af.h> # endif # if __FreeBSD_version >= 300000 -# include <net/if_var.h> +# include <sys/malloc.h> +# include <machine/random.h> # endif # include <net/route.h> # include <netinet/in.h> @@ -140,12 +143,16 @@ void ipflog_init() iplh[i] = &iplt[i]; iplused[i] = 0; } -# if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi) +# if defined(__FreeBSD__) && __FreeBSD_version >= 300000 + read_random(&iplcrcinit, sizeof iplcrcinit); +# else +#if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi) microtime(&tv); # else uniqtime(&tv); # endif iplcrcinit = tv.tv_sec ^ (tv.tv_usec << 8) ^ tv.tv_usec; +# endif } diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index 102d57f..447fb7a 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c 
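Review bot: `read_random(&iplcrcinit, sizeof iplcrcinit)` discards its return value; if it reports fewer bytes than asked for (plausible at attach time, before the entropy pool has been fed, and the FreeBSD interface does return the count), iplcrcinit keeps whatever was there — zero for a global — and the seed ends up weaker than the timestamp it replaces. Check the count and fall back to the old seed when short: `if (read_random(&iplcrcinit, sizeof iplcrcinit) != sizeof iplcrcinit) { microtime(&tv); iplcrcinit = tv.tv_sec ^ (tv.tv_usec << 8) ^ tv.tv_usec; }`. That also keeps `tv` in use on the FreeBSD path, where the new `#if` otherwise leaves it declared but unused. The inner `#if BSD >= 199306 ...` sits at column 0 while its `# else` and `# endif` use the file's one-space style; align it.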
@@ -9,9 +9,12 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:29 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 1.1.1.6 1998/03/21 10:11:15 peter Exp $"; #endif +#include "opt_ipfilter.h" +#define __FreeBSD_version 300000 /* it's a hack, but close enough */ + #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) #define _KERNEL #endif @@ -54,6 +57,7 @@ static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05: #endif #if __FreeBSD_version >= 300000 # include <sys/queue.h> +# include <sys/malloc.h> #endif #include <net/if.h> #if __FreeBSD_version >= 300000 @@ -130,10 +134,10 @@ static int nat_ifpaddr __P((nat_t *, void *, struct in_addr *)); void fix_outcksum(sp, n) u_short *sp; -u_32_t n; +u_long n; { register u_short sumshort; - register u_32_t sum1; + register u_long sum1; if (!n) return; @@ -149,10 +153,10 @@ u_32_t n; void fix_incksum(sp, n) u_short *sp; -u_32_t n; +u_long n; { register u_short sumshort; - register u_32_t sum1; + register u_long sum1; if (!n) return; @@ -456,7 +460,7 @@ struct in_addr *inp; struct in_addr in; #if SOLARIS - in.s_addr = ntohl(ill->ill_ipif->ipif_local_addr); + in.s_addr = ill->ill_ipif->ipif_local_addr; #else /* SOLARIS */ # if linux ; @@ -521,7 +525,7 @@ fr_info_t *fin; u_short flags; int direction; { - register u_32_t sum1, sum2, sumd, l; + register u_long sum1, sum2, sumd, l; u_short port = 0, sport = 0, dport = 0, nport = 0; struct in_addr in; tcphdr_t *tcp = NULL; @@ -779,7 +783,7 @@ int *nflags; */ if (flags & IPN_TCPUDP) { tcphdr_t *tcp = (tcphdr_t *)(oip + 1); - u_32_t sum1, sum2, sumd; + u_long sum1, sum2, sumd; struct in_addr in; if (nat->nat_dir == NAT_OUTBOUND) { 
@@ -964,7 +968,7 @@ int hlen; fr_info_t *fin; { register ipnat_t *np; - register u_32_t ipa; + register u_long ipa; tcphdr_t *tcp = NULL; u_short nflags = 0, sport = 0, dport = 0, *csump = NULL; struct ifnet *ifp; @@ -1281,7 +1285,7 @@ void *ifp; #endif { register nat_t *nat; - register u_32_t sum1, sum2, sumd; + register u_long sum1, sum2, sumd; struct in_addr in; ipnat_t *np; #if defined(_KERNEL) && !SOLARIS diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index 0fb7e95..8bb86c0 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c +++ b/sys/contrib/ipfilter/netinet/ip_proxy.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15:22 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 1.1.1.3 1998/03/21 10:11:30 peter Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -23,7 +23,9 @@ static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15 #include <sys/param.h> #include <sys/time.h> #include <sys/file.h> -#include <sys/ioctl.h> +#if !defined(__FreeBSD__) +# include <sys/ioctl.h> +#endif #include <sys/fcntl.h> #include <sys/uio.h> #ifndef linux @@ -49,6 +51,7 @@ static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15 #endif #if __FreeBSD__ > 2 # include <sys/queue.h> +# include <sys/malloc.h> #endif #include <net/if.h> #ifdef sun 
@@ -111,37 +114,15 @@ ipnat_t *nat; } -static int -ap_matchsrcdst(aps, src, dst, tcp, sport, dport) -ap_session_t *aps; -struct in_addr src, dst; -void *tcp; -u_short sport, dport; -{ - if (aps->aps_dst.s_addr == dst.s_addr) { - if ((aps->aps_src.s_addr == src.s_addr) && - (!tcp || (sport == aps->aps_sport) && - (dport == aps->aps_dport))) - return 1; - } else if (aps->aps_dst.s_addr == src.s_addr) { - if ((aps->aps_src.s_addr == dst.s_addr) && - (!tcp || (sport == aps->aps_dport) && - (dport == aps->aps_sport))) - return 1; - } - return 0; -} - - static ap_session_t *ap_find(ip, tcp) ip_t *ip; tcphdr_t *tcp; { - register u_char p = ip->ip_p; - register ap_session_t *aps; - register u_short sp, dp; - register u_long hv; struct in_addr src, dst; + register u_long hv; + register u_short sp, dp; + register ap_session_t *aps; + register u_char p = ip->ip_p; src = ip->ip_src, dst = ip->ip_dst; sp = dp = 0; /* XXX gcc -Wunitialized */ @@ -158,8 +139,14 @@ tcphdr_t *tcp; for (aps = ap_sess_tab[hv]; aps; aps = aps->aps_next) if ((aps->aps_p == p) && - ap_matchsrcdst(aps, src, dst, tcp, sp, dp)) - break; + IPPAIR(aps->aps_src, aps->aps_dst, src, dst)) { + if (tcp) { + if (PAIRS(aps->aps_sport, aps->aps_dport, + sp, dp)) + break; + } else + break; + } return aps; } diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index 89a2c3b..2a7de77 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c 
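Review bot: In ap_find the address pair and the port pair are now tested independently — `IPPAIR(aps->aps_src, aps->aps_dst, src, dst)` and then `PAIRS(aps->aps_sport, aps->aps_dport, sp, dp)` — so if each macro accepts either orientation (their definitions are not in this diff), a packet whose addresses run forward but whose ports run reversed matches a session it does not belong to, where the removed ap_matchsrcdst tied the two orientations together. Match them as one expression: `(aps->aps_src.s_addr == src.s_addr && aps->aps_dst.s_addr == dst.s_addr && (!tcp || (aps->aps_sport == sp && aps->aps_dport == dp))) || (aps->aps_src.s_addr == dst.s_addr && aps->aps_dst.s_addr == src.s_addr && (!tcp || (aps->aps_sport == dp && aps->aps_dport == sp)))`. If the macros already enforce a consistent orientation, a comment at the call saying so would spare the next reader the same question.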
@@ -7,9 +7,15 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:53:04 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 1.1.1.6 1998/03/21 10:11:25 peter Exp $"; #endif +#include "opt_ipfilter.h" +#if defined(KERNEL) && !defined(_KERNEL) +#define _KERNEL +#endif +#define __FreeBSD_version 300000 /* it's a hack, but close enough */ + #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) # include <stdlib.h> # include <string.h> @@ -26,6 +32,7 @@ static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:5 #if defined(KERNEL) && (__FreeBSD_version >= 220000) # include <sys/filio.h> # include <sys/fcntl.h> +# include <sys/malloc.h> #else # include <sys/ioctl.h> #endif @@ -85,11 +92,6 @@ ips_stat_t ips_stats; extern kmutex_t ipf_state; #endif -static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr, - fr_info_t *, void *, u_short, u_short)); -static int fr_state_flush __P((int)); -static ips_stat_t *fr_statetstats __P((void)); - #define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */ @@ -102,7 +104,7 @@ u_long fr_tcpidletimeout = FIVE_DAYS, fr_icmptimeout = 120; -static ips_stat_t *fr_statetstats() +ips_stat_t *fr_statetstats() { ips_stats.iss_active = ips_num; ips_stats.iss_table = ips_table; @@ -116,7 +118,7 @@ static ips_stat_t *fr_statetstats() * which == 1 : flush TCP connections which have started to close but are * stuck for some reason. */ -static int fr_state_flush(which) +int fr_state_flush(which) int which; { register int i; 
@@ -139,10 +141,10 @@ int which; break; case 1 : if ((is->is_p == IPPROTO_TCP) && - (((is->is_state[0] <= TCPS_ESTABLISHED) && - (is->is_state[1] > TCPS_ESTABLISHED)) || - ((is->is_state[1] <= TCPS_ESTABLISHED) && - (is->is_state[0] > TCPS_ESTABLISHED)))) + ((is->is_state[0] <= TCPS_ESTABLISHED) && + (is->is_state[1] > TCPS_ESTABLISHED)) || + ((is->is_state[1] <= TCPS_ESTABLISHED) && + (is->is_state[0] > TCPS_ESTABLISHED))) delete = 1; break; } @@ -242,7 +244,7 @@ u_int pass; switch (ic->icmp_type) { case ICMP_ECHO : - is->is_icmp.ics_type = ICMP_ECHOREPLY; /* XXX */ + is->is_icmp.ics_type = 0; hv += (is->is_icmp.ics_id = ic->icmp_id); hv += (is->is_icmp.ics_seq = ic->icmp_seq); break; @@ -306,33 +308,11 @@ u_int pass; bcopy((char *)&ips, (char *)is, sizeof(*is)); hv %= IPSTATE_SIZE; MUTEX_ENTER(&ipf_state); - + is->is_next = ips_table[hv]; + ips_table[hv] = is; is->is_pass = pass; is->is_pkts = 1; is->is_bytes = ip->ip_len; - /* - * Copy these from the rule itself. - */ - is->is_opt = fin->fin_fr->fr_ip.fi_optmsk; - is->is_optmsk = fin->fin_fr->fr_mip.fi_optmsk; - is->is_sec = fin->fin_fr->fr_ip.fi_secmsk; - is->is_secmsk = fin->fin_fr->fr_mip.fi_secmsk; - is->is_auth = fin->fin_fr->fr_ip.fi_auth; - is->is_authmsk = fin->fin_fr->fr_mip.fi_auth; - is->is_flags = fin->fin_fr->fr_ip.fi_fl; - is->is_flags |= fin->fin_fr->fr_mip.fi_fl << 4; - /* - * add into table. - */ - is->is_next = ips_table[hv]; - ips_table[hv] = is; - if (fin->fin_out) { - is->is_ifpin = NULL; - is->is_ifpout = fin->fin_ifp; - } else { - is->is_ifpin = fin->fin_ifp; - is->is_ifpout = NULL; - } if (pass & FR_LOGFIRST) is->is_pass &= ~(FR_LOGFIRST|FR_LOG); ips_num++; 
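Review bot: The reparenthesised condition in fr_state_flush changes its meaning: without the outer parentheses it parses as `(is->is_p == IPPROTO_TCP && A) || B`, so the second half-closed test is applied to non-TCP entries as well and a `which == 1` flush can delete UDP or ICMP state whose is_state[] happens to satisfy it. Restore the grouping: `if ((is->is_p == IPPROTO_TCP) && (((is->is_state[0] <= TCPS_ESTABLISHED) && (is->is_state[1] > TCPS_ESTABLISHED)) || ((is->is_state[1] <= TCPS_ESTABLISHED) && (is->is_state[0] > TCPS_ESTABLISHED))))`. Whether non-TCP entries can in practice carry is_state values above TCPS_ESTABLISHED depends on how fr_addstate fills in the copied `ips`, which is not visible here, so the precedence should be fixed rather than relied on.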
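Review bot: Storing `is->is_icmp.ics_type = 0` for ICMP_ECHO and treating a stored 0 as "any reply" in fr_checkstate (`if (is->is_icmp.ics_type && ...)`) loosens the entry to every ICMP type from the peer, and because 0 is also the value of ICMP_ECHOREPLY the wildcard and the one legitimate reply type can no longer be told apart. With id and seq as the only other discriminators, a message of another type whose header bytes at those offsets happen to match rides the entry. If the aim is only to let echo replies through, store ICMP_ECHOREPLY and keep the exact comparison; if a wildcard is really wanted, use a value no real type carries and say so, e.g. `is->is_icmp.ics_type = 0xff; /* wildcard: any ICMP reply from the peer */`, and adjust the fr_checkstate test to match.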
@@ -351,11 +331,12 @@ u_int pass; * change timeout depending on whether new packet is a SYN-ACK returning for a * SYN or a RST or FIN which indicate time to close up shop. */ -int fr_tcpstate(is, fin, ip, tcp) +int fr_tcpstate(is, fin, ip, tcp, sport) register ipstate_t *is; fr_info_t *fin; ip_t *ip; tcphdr_t *tcp; +u_short sport; { register int seqskew, ackskew; register u_short swin, dwin; @@ -367,7 +348,7 @@ tcphdr_t *tcp; */ seq = ntohl(tcp->th_seq); ack = ntohl(tcp->th_ack); - source = (ip->ip_src.s_addr == is->is_src.s_addr); + source = (sport == is->is_sport); if (!(tcp->th_flags & TH_ACK)) /* Pretend an ack was sent */ ack = source ? is->is_ack : is->is_seq; @@ -411,7 +392,7 @@ tcphdr_t *tcp; swin = is->is_dwin; } - if ((seqskew <= dwin) && (ackskew <= swin)) { + if ((seqskew <= swin) && (ackskew <= dwin)) { if (source) { is->is_seq = seq; is->is_ack = ack; 
@@ -427,81 +408,14 @@ tcphdr_t *tcp; /* * Nearing end of connection, start timeout. */ - fr_tcp_age(&is->is_age, is->is_state, ip, fin, source); + fr_tcp_age(&is->is_age, is->is_state, ip, fin, + tcp->th_sport == is->is_sport); return 1; } return 0; } -static int fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp) -ipstate_t *is; -struct in_addr src, dst; -fr_info_t *fin; -void *tcp; -u_short sp, dp; -{ - int ret = 0, rev, out; - void *ifp; - - rev = (is->is_dst.s_addr != dst.s_addr); - ifp = fin->fin_ifp; - out = fin->fin_out; - - if (!rev) { - if (out) { - if (!is->is_ifpout) - is->is_ifpout = ifp; - } else { - if (!is->is_ifpin) - is->is_ifpin = ifp; - } - } else { - if (out) { - if (!is->is_ifpin) - is->is_ifpin = ifp; - } else { - if (!is->is_ifpout) - is->is_ifpout = ifp; - } - } - - if (!rev) { - if (((out && is->is_ifpout == ifp) || - (!out && is->is_ifpin == ifp)) && - (is->is_dst.s_addr == dst.s_addr) && - (is->is_src.s_addr == src.s_addr) && - (!tcp || (sp == is->is_sport) && - (dp == is->is_dport))) { - ret = 1; - } - } else { - if (((out && is->is_ifpin == ifp) || - (!out && is->is_ifpout == ifp)) && - (is->is_dst.s_addr == src.s_addr) && - (is->is_src.s_addr == dst.s_addr) && - (!tcp || (sp == is->is_dport) && - (dp == is->is_sport))) { - ret = 1; - } - } - - /* - * Whether or not this should be here, is questionable, but the aim - * is to get this out of the main line. - */ - if (ret) { - if (((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) || - ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) || - ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth) || - ((fin->fin_fi.fi_fl & (is->is_flags >> 4)) != - (is->is_flags & 0xf))) - ret = 0; - } - return ret; -} - - /* * Check if a packet has a registered state. */ 
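Review bot: `fr_tcp_age(&is->is_age, is->is_state, ip, fin, tcp->th_sport == is->is_sport)` recomputes the direction that fr_tcpstate already derived near the top of the function (outside this hunk) as `source = (sport == is->is_sport)` from the new `sport` parameter; two spellings of one decision will drift if either is ever changed. Pass the existing flag: `fr_tcp_age(&is->is_age, is->is_state, ip, fin, source);`. The new parameter also deserves a comment, since direction now rests on the port alone: a connection whose two ports are equal is ambiguous, where the address comparison it replaced was ambiguous only for a host talking to itself. fr_tcpstate begins before this hunk.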
@@ -540,8 +454,13 @@ fr_info_t *fin; if ((is->is_p == pr) && (ic->icmp_id == is->is_icmp.ics_id) && (ic->icmp_seq == is->is_icmp.ics_seq) && - fr_matchsrcdst(is, src, dst, fin, NULL, 0, 0)) { - if (is->is_icmp.ics_type != ic->icmp_type) + IPPAIR(src, dst, is->is_src, is->is_dst)) { + /* + * If we have type 0 stored, allow any icmp + * replies through. + */ + if (is->is_icmp.ics_type && + is->is_icmp.ics_type != ic->icmp_type) continue; is->is_age = fr_icmptimeout; is->is_pkts++; @@ -561,11 +480,11 @@ fr_info_t *fin; hv += sport; hv %= IPSTATE_SIZE; MUTEX_ENTER(&ipf_state); - for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) + for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) { if ((is->is_p == pr) && - fr_matchsrcdst(is, src, dst, fin, tcp, - sport, dport)) { - if (fr_tcpstate(is, fin, ip, tcp)) { + PAIRS(sport, dport, is->is_sport, is->is_dport) && + IPPAIR(src, dst, is->is_src, is->is_dst)) + if (fr_tcpstate(is, fin, ip, tcp, sport)) { pass = is->is_pass; #ifdef _KERNEL MUTEX_EXIT(&ipf_state); @@ -579,7 +498,7 @@ fr_info_t *fin; #endif return pass; } - } + } MUTEX_EXIT(&ipf_state); break; } @@ -596,8 +515,8 @@ fr_info_t *fin; MUTEX_ENTER(&ipf_state); for (is = ips_table[hv]; is; is = is->is_next) if ((is->is_p == pr) && - fr_matchsrcdst(is, src, dst, fin, - tcp, sport, dport)) { + PAIRS(sport, dport, is->is_sport, is->is_dport) && + IPPAIR(src, dst, is->is_src, is->is_dst)) { ips_stats.iss_hits++; is->is_pkts++; is->is_bytes += ip->ip_len; |
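Review bot: The TCP lookup now matches `PAIRS(sport, dport, is->is_sport, is->is_dport)` and `IPPAIR(src, dst, is->is_src, is->is_dst)` as two independent either-way tests (if that is what the macros do — they are not in the diff), so a packet with the addresses in one orientation and the ports in the other hits an entry for a different flow, and fr_tcpstate then picks the direction from the port alone. Tie the orientations together: `((src.s_addr == is->is_src.s_addr && dst.s_addr == is->is_dst.s_addr && sport == is->is_sport && dport == is->is_dport) || (src.s_addr == is->is_dst.s_addr && dst.s_addr == is->is_src.s_addr && sport == is->is_dport && dport == is->is_sport))`. Separately, with fr_matchsrcdst gone the lookup no longer involves `fin->fin_ifp`, so an entry created by traffic on one interface is matched by a packet with the same 5-tuple arriving on any other; if that is intended, a comment at the loop saying so would help, because that binding was part of what kept spoofed packets from riding an existing entry. fr_checkstate begins and ends outside this hunk.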