From 8a4381b139489559851a24f7e7088354b0acf624 Mon Sep 17 00:00:00 2001 From: phk Date: Wed, 3 Apr 1996 13:52:20 +0000 Subject: Add feature for tcp "established". Change interface between netinet and ip_fw to be more general, and thus hopefully also support other ip filtering implementations. --- sys/netinet/in.h | 12 +++++++++--- sys/netinet/ip_fw.c | 27 ++++++++++++++++----------- sys/netinet/ip_fw.h | 9 ++------- sys/netinet/ip_input.c | 35 ++++++++++------------------------- sys/netinet/ip_output.c | 14 ++++++-------- 5 files changed, 43 insertions(+), 54 deletions(-) diff --git a/sys/netinet/in.h b/sys/netinet/in.h index 810dec8..f19aaeb 100644 --- a/sys/netinet/in.h +++ b/sys/netinet/in.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)in.h 8.3 (Berkeley) 1/3/94 - * $Id: in.h,v 1.15 1996/02/22 21:32:17 peter Exp $ + * $Id: in.h,v 1.16 1996/03/14 16:59:18 fenner Exp $ */ #ifndef _NETINET_IN_H_ @@ -310,7 +310,13 @@ int in_canforward __P((struct in_addr)); int in_cksum __P((struct mbuf *, int)); int in_localaddr __P((struct in_addr)); char *inet_ntoa __P((struct in_addr)); /* in libkern */ -#endif -#endif +/* Firewall hooks */ +struct ip; +typedef int ip_fw_chk_t __P((struct ip**, int, struct ifnet*, int, struct mbuf**)); +typedef int ip_fw_ctl_t __P((int, struct mbuf**)); +extern ip_fw_chk_t *ip_fw_chk_ptr; +extern ip_fw_ctl_t *ip_fw_ctl_ptr; +#endif /* KERNEL */ +#endif diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c index 857d18a..129d72c 100644 --- a/sys/netinet/ip_fw.c +++ b/sys/netinet/ip_fw.c @@ -11,7 +11,7 @@ * * This software is provided ``AS IS'' without any warranties of any kind. * - * $Id: ip_fw.c,v 1.32 1996/02/24 13:38:26 phk Exp $ + * $Id: ip_fw.c,v 1.33 1996/02/26 15:28:15 phk Exp $ */ /* 
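Review bot: The new `ip_fw_chk_t` typedef in the in.h hunk drops the parameter names, so the header no longer says what the `struct mbuf **` is for, what a 0 return means for ownership of the packet, or that `ip_fw_chk_ptr` may now be NULL (the dummy that returned 1 is removed from ip_input.c in this commit, so an unset pointer means "no filter, everything passes"). A three-line comment above the typedefs should state that the check returns non-zero to pass, that on 0 the packet has been consumed by the filter (freed or handed to icmp_error) and `*m` must not be used afterwards, and that a NULL `ip_fw_chk_ptr` disables filtering; the first line could read `/* Firewall hooks: NULL ip_fw_chk_ptr means no filter installed (all packets pass). */`. Naming the parameters in the typedef, `__P((struct ip **pip, int hlen, struct ifnet *rif, int dir, struct mbuf **m))`, would also make the direction argument (0 input, 1 output, as used by the ip_input.c and ip_output.c hunks) discoverable from the header.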
@@ -70,8 +70,8 @@ static int port_match __P((u_short *portptr, int nports, u_short port, static int tcpflg_match __P((struct tcphdr *tcp, struct ip_fw *f)); static void ipfw_report __P((char *txt, int rule, struct ip *ip)); -static int (*old_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *, int dir); -static int (*old_ctl_ptr)(int,struct mbuf **); +static ip_fw_chk_t *old_chk_ptr; +static ip_fw_ctl_t *old_ctl_ptr; /* * Returns 1 if the port is matched by the vector, 0 otherwise @@ -107,6 +107,10 @@ tcpflg_match(tcp, f) { u_char flg_set, flg_clr; + if ((f->fw_tcpf & IP_FW_TCPF_ESTAB) && + (tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK))) + return 1; + flg_set = tcp->th_flags & f->fw_tcpf; flg_clr = tcp->th_flags & f->fw_tcpnf; @@ -225,14 +229,15 @@ ipfw_report(char *txt, int rule, struct ip *ip) */ int -ip_fw_chk(m, ip, rif, dir) - struct mbuf *m; - struct ip *ip; +ip_fw_chk(pip, hlen, rif, dir, m) + struct ip **pip; struct ifnet *rif; - int dir; + int hlen, dir; + struct mbuf **m; { struct ip_fw_chain *chain; register struct ip_fw *f = NULL; + struct ip *ip = *pip; struct tcphdr *tcp = (struct tcphdr *) ((u_long *) ip + ip->ip_hl); struct udphdr *udp = (struct udphdr *) ((u_long *) ip + ip->ip_hl); struct icmp *icmp = (struct icmp *) ((u_long *) ip + ip->ip_hl); @@ -247,7 +252,7 @@ ip_fw_chk(m, ip, rif, dir) */ if ((ip->ip_off & IP_OFFMASK) == 1) { ipfw_report("Refuse", -1, ip); - m_freem(m); + m_freem(*m); return 0; } @@ -422,15 +427,15 @@ got_match: */ if ((f_prt != IP_FW_F_ICMP) && (f->fw_flg & IP_FW_F_ICMPRPL)) { if (f_prt == IP_FW_F_ALL) - icmp_error(m, ICMP_UNREACH, + icmp_error(*m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0L, 0); else - icmp_error(m, ICMP_UNREACH, + icmp_error(*m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0L, 0); return 0; } } - m_freem(m); + m_freem(*m); return 0; } diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index 9f6ac09..b2d8e2b 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h 
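Review bot: The new `IP_FW_TCPF_ESTAB` short-circuit in `tcpflg_match` matches any segment that carries RST or ACK; no connection state is consulted, so "established" is a stateless flag test and a rule author reading this code or the header should be told that, e.g. `/* "established": stateless, true for any segment with RST or ACK set */` above the new `if`. When the rule asks for ESTAB but the segment has neither bit, control falls through to `flg_set = tcp->th_flags & f->fw_tcpf` with the 0x40 pseudo-bit still in the mask, where it is compared against the wire flag byte (0x40 is a reserved bit there); whether that can match spuriously depends on the comparison after the hunk, which is outside the visible lines. If ESTAB is meant as a standalone pseudo-flag, the clearer form is to decide it completely up front: `if (f->fw_tcpf & IP_FW_TCPF_ESTAB) return (tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK)) != 0;`. The body of `tcpflg_match` continues past the end of the hunk.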
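Review bot: `m_freem(*m)` in the `@@ -247` hunk frees the caller's mbuf but leaves `*m` pointing at it, and the `m_freem(*m)` and both `icmp_error(*m, ...)` paths in the `@@ -422` hunk do the same (icmp_error consumes the mbuf it is given). The ip_input.c caller changed in this commit now does `goto bad` instead of `return` when the check returns 0; `bad:` is outside the hunk, but if it still does `m_freem(m)` as in the BSD code, every packet a deny rule rejects is freed twice. Set the caller's pointer to NULL on every consuming path, `m_freem(*m); *m = NULL; return 0;`, and likewise after each `icmp_error(*m, ...)` (m_freem tolerates NULL), or keep the plain `return` in ip_input.c. The ip_output.c caller only does `goto done`, so it is unaffected as long as `done:` does not free `m`; as written the `struct mbuf **` parameter is never written through, which is the sign that the ownership hand-off was not completed.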
@@ -11,7 +11,7 @@ * * This software is provided ``AS IS'' without any warranties of any kind. * - * $Id: ip_fw.h,v 1.16 1996/02/24 00:17:33 phk Exp $ + * $Id: ip_fw.h,v 1.17 1996/02/24 13:38:27 phk Exp $ */ /* @@ -105,6 +105,7 @@ struct ip_fw_chain { #define IP_FW_TCPF_PSH TH_PUSH #define IP_FW_TCPF_ACK TH_ACK #define IP_FW_TCPF_URG TH_URG +#define IP_FW_TCPF_ESTAB 0x40 /* * New IP firewall options for [gs]etsockopt at the RAW IP level. @@ -123,12 +124,6 @@ struct ip_fw_chain { #ifdef KERNEL /* - * Function pointers. - */ -extern int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *, int dir); -extern int (*ip_fw_ctl_ptr)(int,struct mbuf **); - -/* * Function definitions. */ void ip_fw_init(void); diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 38ee8c9..f139e13 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 - * $Id: ip_input.c,v 1.38 1996/02/24 13:38:28 phk Exp $ + * $Id: ip_input.c,v 1.39 1996/03/25 17:41:23 phk Exp $ */ #include @@ -60,8 +60,6 @@ #include #include -#include - #include int rsvp_on = 0; static int ip_rsvp_on; @@ -105,23 +103,9 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW, &ip_mtu, 0, ""); #endif -/* - * The dummy IP-firewall function, and the pointer we access it through - */ -static int -dummy_ip_fw_chk(m, ip, rif, dir) - struct mbuf *m; - struct ip *ip; - struct ifnet *rif; - int dir; -{ - return 1; -} - -int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *, struct ifnet *, int dir) = - dummy_ip_fw_chk; - -int (*ip_fw_ctl_ptr)(int, struct mbuf **); +/* Firewall hooks */ +ip_fw_chk_t *ip_fw_chk_ptr; +ip_fw_ctl_t *ip_fw_ctl_ptr; /* * We need to save the IP options in case a protocol wants to respond 
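Review bot: `IP_FW_TCPF_ESTAB` in the ip_fw.h hunk is defined next to the `TH_*`-valued `IP_FW_TCPF_*` flags and is stored in the same `fw_tcpf` byte that ip_fw.c ANDs against the on-wire `th_flags`, so 0x40 is a pseudo-flag that happens to coincide with a reserved bit of the TCP flag byte and nothing says so. Since this value is exchanged with user space through the setsockopt interface described just below, it is effectively ABI and deserves a comment: `#define IP_FW_TCPF_ESTAB 0x40 /* pseudo-flag: match segments with RST or ACK set (stateless); not a wire bit */`. A reader of the header otherwise has no way to tell it apart from the real flags above it.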
@@ -187,9 +171,9 @@ static struct route ipforward_rt; void ip_input(struct mbuf *m) { - register struct ip *ip; - register struct ipq *fp; - register struct in_ifaddr *ia; + struct ip *ip; + struct ipq *fp; + struct in_ifaddr *ia; int hlen; #ifdef DIAGNOSTIC @@ -269,8 +253,9 @@ ip_input(struct mbuf *m) * - Encapsulate: put it in another IP and send out. */ - if (!(*ip_fw_chk_ptr)(m,ip,m->m_pkthdr.rcvif,0)) - return; + if (ip_fw_chk_ptr && + !(*ip_fw_chk_ptr)(&ip, hlen, m->m_pkthdr.rcvif, 0, &m)) + goto bad; /* * Process options and, if not destined for us, diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 617fd5e..628921a 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)ip_output.c 8.3 (Berkeley) 1/21/94 - * $Id: ip_output.c,v 1.32 1996/03/13 08:02:43 pst Exp $ + * $Id: ip_output.c,v 1.33 1996/03/26 18:56:51 fenner Exp $ */ #include @@ -54,8 +54,6 @@ #include #include -#include - #ifdef vax #include #endif @@ -86,10 +84,10 @@ ip_output(m0, opt, ro, flags, imo) int flags; struct ip_moptions *imo; { - register struct ip *ip, *mhip; - register struct ifnet *ifp; - register struct mbuf *m = m0; - register int hlen = sizeof (struct ip); + struct ip *ip, *mhip; + struct ifnet *ifp; + struct mbuf *m = m0; + int hlen = sizeof (struct ip); int len, off, error = 0; /* * It might seem obvious at first glance that one could easily @@ -339,7 +337,7 @@ sendit: /* * Check with the firewall... */ - if (!(*ip_fw_chk_ptr)(m,ip,ifp,1)) { + if (ip_fw_chk_ptr && !(*ip_fw_chk_ptr)(&ip, hlen, ifp, 1, &m)) { error = EACCES; goto done; } -- cgit v1.1