Diffstat (limited to 'sys/netinet/ipfw/ip_fw2.c')
-rw-r--r-- | sys/netinet/ipfw/ip_fw2.c | 66 |
1 files changed, 52 insertions, 14 deletions
diff --git a/sys/netinet/ipfw/ip_fw2.c b/sys/netinet/ipfw/ip_fw2.c index 724536c..e7ad107 100644 --- a/sys/netinet/ipfw/ip_fw2.c +++ b/sys/netinet/ipfw/ip_fw2.c @@ -142,6 +142,11 @@ ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; #ifdef SYSCTL_NODE +uint32_t dummy_def = IPFW_DEFAULT_RULE; +uint32_t dummy_tables_max = IPFW_TABLES_MAX; + +SYSBEGIN(f3) + SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, one_pass, CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_one_pass), 0, @@ -156,10 +161,10 @@ SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &VNET_NAME(verbose_limit), 0, "Set upper limit of matches of ipfw rules logged"); SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, default_rule, CTLFLAG_RD, - NULL, IPFW_DEFAULT_RULE, + &dummy_def, 0, "The default/max possible rule number."); SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, tables_max, CTLFLAG_RD, - NULL, IPFW_TABLES_MAX, + &dummy_tables_max, 0, "The maximum number of tables."); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, default_to_accept, CTLFLAG_RDTUN, &default_to_accept, 0, @@ -177,6 +182,8 @@ SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs, "Deny packets with unknown IPv6 Extension Headers"); #endif /* INET6 */ +SYSEND + #endif /* SYSCTL_NODE */ @@ -344,6 +351,7 @@ iface_match(struct ifnet *ifp, ipfw_insn_if *cmd) return(1); } } else { +#ifdef __FreeBSD__ /* and OSX too ? */ struct ifaddr *ia; if_addr_rlock(ifp); @@ -357,6 +365,7 @@ iface_match(struct ifnet *ifp, ipfw_insn_if *cmd) } } if_addr_runlock(ifp); +#endif /* __FreeBSD__ */ } return(0); /* no match, fail ... */ } @@ -385,6 +394,9 @@ iface_match(struct ifnet *ifp, ipfw_insn_if *cmd) static int verify_path(struct in_addr src, struct ifnet *ifp, u_int fib) { +#ifndef __FreeBSD__ + return 0; +#else struct route ro; struct sockaddr_in *dst; 
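Review bot: `dummy_def` and `dummy_tables_max` in the first SYSCTL_NODE hunk are file-scope variables with external linkage, although the only references visible in this diff are the two read-only sysctl declarations in the following hunk; `static uint32_t dummy_def = IPFW_DEFAULT_RULE;` and `static uint32_t dummy_tables_max = IPFW_TABLES_MAX;` keep them out of the kernel symbol namespace and make it clear nothing else is expected to write them. A one-line comment explaining why the immediate values were moved into variables (presumably the target platform's SYSCTL_UINT cannot take a NULL pointer with a constant) would stop the next reader from reverting this to the original `NULL, IPFW_DEFAULT_RULE` form.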
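Review bot: Wrapping the address-based branch of iface_match in `#ifdef __FreeBSD__` (hunks at 344 and 357) and making verify_path `return 0` under `#ifndef __FreeBSD__` (hunks at 385 and 427) silently change rule semantics on the other platforms: an interface match given as an address can never match, and every option that relies on verify_path (verrevpath/versrcreach/antispoof in stock ipfw) always reports "no route", which inverts the outcome of any rule that negates them. Neither stub says so; a comment at each site would at least make the limitation visible, e.g. `/* XXX address-based interface matching not implemented here; never matches */` in iface_match and `/* XXX reverse-path verification not implemented here; callers always see no route */` above the early return in verify_path. The `/* and OSX too ? */` question left in the `#ifdef` should be resolved or turned into a TODO with an owner, and the `return 0;` placed before the local declarations leaves the rest of verify_path's body unreachable on that configuration rather than compiled out. Both functions continue past the hunks.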
@@ -427,6 +439,7 @@ verify_path(struct in_addr src, struct ifnet *ifp, u_int fib) /* found valid route */ RTFREE(ro.ro_rt); return 1; +#endif /* __FreeBSD__ */ } #ifdef INET6 @@ -634,9 +647,14 @@ send_reject(struct ip_fw_args *args, int code, int iplen, struct ip *ip) static int check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif, struct in_addr dst_ip, u_int16_t dst_port, struct in_addr src_ip, - u_int16_t src_port, struct ucred **uc, int *ugid_lookupp, - struct inpcb *inp) + u_int16_t src_port, int *ugid_lookupp, + struct ucred **uc, struct inpcb *inp) { +#ifndef __FreeBSD__ + return cred_check(insn, proto, oif, + dst_ip, dst_port, src_ip, src_port, + (struct bsd_ucred *)uc, ugid_lookupp, ((struct mbuf *)inp)->m_skb); +#else /* FreeBSD */ struct inpcbinfo *pi; int wildcard; struct inpcb *pcb; @@ -703,6 +721,7 @@ check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif, else if (insn->o.opcode == O_JAIL) match = ((*uc)->cr_prison->pr_id == (int)insn->d[0]); return match; +#endif /* __FreeBSD__ */ } /* @@ -794,7 +813,11 @@ ipfw_chk(struct ip_fw_args *args) * these types of constraints, as well as decrease contention * on pcb related locks. */ +#ifndef __FreeBSD__ + struct bsd_ucred ucred_cache; +#else struct ucred *ucred_cache = NULL; +#endif int ucred_lookup = 0; /* @@ -1233,8 +1256,13 @@ do { \ (ipfw_insn_u32 *)cmd, proto, oif, dst_ip, dst_port, - src_ip, src_port, &ucred_cache, - &ucred_lookup, args->inp); + src_ip, src_port, &ucred_lookup, +#ifdef __FreeBSD__ + &ucred_cache, args->inp); +#else + (void *)&ucred_cache, + (struct inpcb *)args->m); +#endif break; case O_RECV: 
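Review bot: The non-FreeBSD branch added to check_uidgid (hunk at 634) reinterprets its parameters through casts: `uc` is declared `struct ucred **` but is passed on as `(struct bsd_ucred *)uc`, and `inp` is declared `struct inpcb *` but is read as `((struct mbuf *)inp)->m_skb`, so the prototype no longer describes what the two ipfw_chk call sites (hunks at 1233 and 1348) actually pass after their `(void *)&ucred_cache` and `(struct inpcb *)args->m` casts. This disables the pointer-type checking that would otherwise catch a caller handing in the wrong object, and it compounds the swap of the `uc` and `ugid_lookupp` parameter order, which turns any caller not updated in this commit into a warning-level type mismatch instead of a build failure. A platform-specific prototype under `#ifndef __FreeBSD__` that takes `struct bsd_ucred *` and `struct mbuf *` directly would keep the types honest; failing that, a comment on the signature stating that the two parameters are overloaded per platform is needed. check_uidgid's body continues outside the hunk and closes in the hunk at 703.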
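Review bot: In the hunk at 794 the non-FreeBSD `struct bsd_ucred ucred_cache;` is left uninitialized while the FreeBSD counterpart keeps `= NULL`; whether the later reads of `ucred_cache.uid` and `ucred_cache.xid` in the O_LOOKUP case (hunk at 1348) can observe indeterminate stack contents depends on cred_check writing every field on every path, which this diff does not show. If cred_check can return without filling the structure, the table key in that case would be built from garbage, so the reads should be gated on the lookup status the call reports through `ucred_lookup` rather than relying on zero-initialization (a zeroed struct would present uid 0, which is not a safe default either). ipfw_chk starts before the hunk and continues past it.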
@@ -1348,12 +1376,21 @@ do { \ (ipfw_insn_u32 *)cmd, proto, oif, dst_ip, dst_port, - src_ip, src_port, &ucred_cache, - &ucred_lookup, args->inp); + src_ip, src_port, &ucred_lookup, +#ifdef __FreeBSD__ + &ucred_cache, args->inp); if (v == 4 /* O_UID */) key = ucred_cache->cr_uid; else if (v == 5 /* O_JAIL */) key = ucred_cache->cr_prison->pr_id; +#else /* !__FreeBSD__ */ + (void *)&ucred_cache, + (struct inpcb *)args->m); + if (v ==4 /* O_UID */) + key = ucred_cache.uid; + else if (v == 5 /* O_JAIL */) + key = ucred_cache.xid; +#endif /* !__FreeBSD__ */ key = htonl(key); } else break; @@ -1392,11 +1429,10 @@ do { \ match = (tif != NULL); break; } - /* FALLTHROUGH */ #ifdef INET6 + /* FALLTHROUGH */ case O_IP6_SRC_ME: - match = is_ipv6 && - search_ip6_addr_net(&args->f_id.src_ip6); + match= is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6); #endif break; @@ -1432,14 +1468,14 @@ do { \ match = (tif != NULL); break; } - /* FALLTHROUGH */ #ifdef INET6 + /* FALLTHROUGH */ case O_IP6_DST_ME: - match = is_ipv6 && - search_ip6_addr_net(&args->f_id.dst_ip6); + match= is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6); #endif break; + case O_IP_SRCPORT: case O_IP_DSTPORT: /* @@ -2164,8 +2200,10 @@ do { \ printf("ipfw: ouch!, skip past end of rules, denying packet\n"); } IPFW_RUNLOCK(chain); +#ifdef __FreeBSD__ if (ucred_cache != NULL) crfree(ucred_cache); +#endif return (retval); pullup_failed: |
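Review bot: The new `#else` branch in the O_LOOKUP case reads `ucred_cache.uid` and `ucred_cache.xid` without consulting the lookup status that check_uidgid reports through `ucred_lookup`, so a failed credential lookup still produces a key that is searched in the table; the FreeBSD branch has the same shape with a possibly NULL `ucred_cache`, which this commit does not make worse but also does not fix. Assuming a negative `ucred_lookup` means "not found" as in the FreeBSD implementation, a guard such as `if (ucred_lookup < 0) break;` before the `if (v == 4 ...)` chain would close that gap on both sides. Minor style: `v ==4` should be `v == 4` to match the surrounding code. The enclosing ipfw_chk function starts and ends outside the hunk.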
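Review bot: Moving `/* FALLTHROUGH */` inside `#ifdef INET6` in the O_IP6_SRC_ME case (hunk at 1392) is the right place for it, since without INET6 the preceding `break` no longer falls into anything, but the rewritten assignment drops the space before `=` (`match= is_ipv6 && ...`), which does not match the spacing used elsewhere in the same hunk; it should read `match = is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6);`. The same applies to the O_IP6_DST_ME line in the hunk at 1432.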