From 609b8035e83638a43ab09d02e66dde20d26d56af Mon Sep 17 00:00:00 2001 From: darrenr Date: Sat, 15 Feb 2003 06:23:45 +0000 Subject: Commit import changed from vendor branch of ipfilter to -current head --- sys/contrib/ipfilter/netinet/fil.c | 63 ++++++++++++---- sys/contrib/ipfilter/netinet/ip_auth.c | 120 ++++++++++++++++++++----------- sys/contrib/ipfilter/netinet/ip_auth.h | 6 +- sys/contrib/ipfilter/netinet/ip_compat.h | 2 + sys/contrib/ipfilter/netinet/ip_fil.c | 114 ++++++++++++++++++++++------- 5 files changed, 222 insertions(+), 83 deletions(-) (limited to 'sys/contrib') diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index 96432a1..7072753 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -701,7 +701,8 @@ void *m; if (!fr_tcpudpchk(&fr->fr_tuc, fin)) continue; } else if (fr->fr_icmpm || fr->fr_icmp) { - if ((fi->fi_p != IPPROTO_ICMP) || off || + if (((fi->fi_p != IPPROTO_ICMP) && + (fi->fi_p != IPPROTO_ICMPV6)) || off || (fin->fin_dlen < 2)) continue; if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) { @@ -816,6 +817,26 @@ int out; # endif int up; +# if !SOLARIS && !defined(NETBSD_PF) && \ + ((defined(__FreeBSD__) && (__FreeBSD_version < 500011)) || \ + defined(__OpenBSD__) || defined(_BSDI_VERSION)) + if (fr_checkp != fr_check && fr_running > 0) { + static int counter = 0; + + if (counter == 0) { + printf("WARNING: fr_checkp corrupt: value %lx\n", + (u_long)fr_checkp); + printf("WARNING: fr_checkp should be %lx\n", + (u_long)fr_check); + printf("WARNING: fixing fr_checkp\n"); + } + fr_checkp = fr_check; + counter++; + if (counter == 10000) + counter = 0; + } +# endif + # ifdef M_CANFASTFWD /* * XXX For now, IP Filter and fast-forwarding of cached flows 
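Review bot: The fr_checkp self-repair block added at the top of fr_check only executes once fr_check has been entered, so it can only notice an overwritten hook that still chains into this function; a replacement that bypasses the filter entirely is never seen here, and the `WARNING: fixing fr_checkp` message promises more than the check can deliver. Because of the static `counter`, the warning is printed only on the first of every 10000 detections, so a hook that is repeatedly re-clobbered reads as a one-off event in the log. I would add a comment above the block such as `/* Only reached when the clobbered hook still calls fr_check(); a hook that bypasses the filter is not detected here */` and consider logging the repair count when `counter` wraps. fr_check begins before this hunk and continues past it.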
@@ -1526,7 +1547,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $ + * $Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1732,9 +1753,9 @@ frentry_t **listp; } -int frflush(unit, flags) +int frflush(unit, proto, flags) minor_t unit; -int flags; +int proto, flags; { int flushed = 0, set; @@ -1749,19 +1770,35 @@ int flags; if (flags & FR_OUTQUE) { #ifdef USE_INET6 - (void) frflushlist(set, unit, &flushed, &ipfilter6[1][set]); - (void) frflushlist(set, unit, &flushed, &ipacct6[1][set]); + if (proto == 0 || proto == 6) { + (void) frflushlist(set, unit, + &flushed, &ipfilter6[1][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct6[1][set]); + } #endif - (void) frflushlist(set, unit, &flushed, &ipfilter[1][set]); - (void) frflushlist(set, unit, &flushed, &ipacct[1][set]); + if (proto == 0 || proto == 4) { + (void) frflushlist(set, unit, + &flushed, &ipfilter[1][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct[1][set]); + } } if (flags & FR_INQUE) { #ifdef USE_INET6 - (void) frflushlist(set, unit, &flushed, &ipfilter6[0][set]); - (void) frflushlist(set, unit, &flushed, &ipacct6[0][set]); + if (proto == 0 || proto == 6) { + (void) frflushlist(set, unit, + &flushed, &ipfilter6[0][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct6[0][set]); + } #endif - (void) frflushlist(set, unit, &flushed, &ipfilter[0][set]); - (void) frflushlist(set, unit, &flushed, &ipacct[0][set]); + if (proto == 0 || proto == 4) { + (void) frflushlist(set, unit, + &flushed, &ipfilter[0][set]); + (void) frflushlist(set, unit, + &flushed, &ipacct[0][set]); + } } RWLOCK_EXIT(&ipf_mutex); return flushed; diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c index fb9910d..a439a68 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.c +++ b/sys/contrib/ipfilter/netinet/ip_auth.c 
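Review bot: The new `proto` argument is matched only against the literals 0, 4 and 6 in the four `if (proto == 0 || proto == …)` guards, so any other value silently flushes nothing and returns 0, which a caller reading the count cannot tell apart from an empty rule set. The meaning of the three values is not written down anywhere in the hunk; the callers elsewhere in this commit pass 0 from ipldetach, 4 from SIOCIPFL and 6 from SIOCIPFL6. I would document the contract above the definition, e.g. `/* proto: 0 = both address families, 4 = IPv4 lists only, 6 = IPv6 lists only */`, and consider rejecting other values explicitly rather than returning a misleading 0. The frflush definition begins in the preceding hunk; only its body is visible here.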
@@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # include #endif #include @@ -298,9 +298,15 @@ ip_t *ip; cv_signal(&ipfauthwait); #else # if defined(BSD) && !defined(sparc) && (BSD >= 199306) +<<<<<<< ip_auth.c if (!fin->fin_out) { ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); +======= + if (fin->fin_out == 0) { + ip->ip_len = htons(ip->ip_len); + ip->ip_off = htons(ip->ip_off); +>>>>>>> 1.1.1.11 } # endif fr_authpkts[i] = m; @@ -310,7 +316,7 @@ ip_t *ip; } -int fr_auth_ioctl(data, mode, cmd, fr, frptr) +int fr_auth_ioctl(data, mode, cmd) caddr_t data; int mode; #if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003) @@ -318,19 +324,21 @@ u_long cmd; #else int cmd; #endif -frentry_t *fr, **frptr; { mb_t *m; #if defined(_KERNEL) && !SOLARIS int s; #endif frauth_t auth, *au = &auth, *fra; - frauthent_t *fae, **faep; int i, error = 0; switch (cmd) { case SIOCSTLCK : + if (!(mode & FWRITE)) { + error = EPERM; + break; + } error = fr_lock(data, &fr_auth_lock); break; case SIOCINIFR : 
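Review bot: The added lines `<<<<<<< ip_auth.c`, `=======` and `>>>>>>> 1.1.1.11` in what appears to be fr_newauth are unresolved CVS merge-conflict markers committed into the source; `<<<<<<<` is not valid C, so ip_auth.c will not compile as committed. The two sides are equivalent (`if (!fin->fin_out)` versus `if (fin->fin_out == 0)`), so the resolution is to keep one `if` block that byte-swaps `ip_len` and `ip_off` and delete the three marker lines plus the duplicate block. The FWRITE check added to `SIOCSTLCK` further down is sound: a read-only open of the device can no longer toggle the auth lock, matching the other privileged ioctls. fr_newauth begins before this hunk.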
@@ -343,45 +351,8 @@ frentry_t *fr, **frptr; break; case SIOCRMAFR : case SIOCADAFR : - for (faep = &fae_list; (fae = *faep); ) - if (&fae->fae_fr == fr) - break; - else - faep = &fae->fae_next; - if (cmd == SIOCRMAFR) { - if (!fr || !frptr) - error = EINVAL; - else if (!fae) - error = ESRCH; - else { - WRITE_ENTER(&ipf_auth); - SPL_NET(s); - *faep = fae->fae_next; - *frptr = fr->fr_next; - SPL_X(s); - RWLOCK_EXIT(&ipf_auth); - KFREE(fae); - } - } else if (fr && frptr) { - KMALLOC(fae, frauthent_t *); - if (fae != NULL) { - bcopy((char *)fr, (char *)&fae->fae_fr, - sizeof(*fr)); - WRITE_ENTER(&ipf_auth); - SPL_NET(s); - fae->fae_age = fr_defaultauthage; - fae->fae_fr.fr_hits = 0; - fae->fae_fr.fr_next = *frptr; - *frptr = &fae->fae_fr; - fae->fae_next = *faep; - *faep = fae; - ipauth = &fae_list->fae_fr; - SPL_X(s); - RWLOCK_EXIT(&ipf_auth); - } else - error = ENOMEM; - } else - error = EINVAL; + /* These commands go via request to fr_preauthcmd */ + error = EINVAL; break; case SIOCATHST: fr_authstats.fas_faelist = fae_list; 
@@ -629,3 +600,66 @@ void fr_authexpire() RWLOCK_EXIT(&ipf_auth); SPL_X(s); } + +int fr_preauthcmd(cmd, fr, frptr) +#if defined(__NetBSD__) || defined(__OpenBSD__) || \ + (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) +u_long cmd; +#else +int cmd; +#endif +frentry_t *fr, **frptr; +{ + frauthent_t *fae, **faep; + int error = 0; +#if defined(KERNEL) && !SOLARIS + int s; +#endif + + if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) { + /* Should not happen */ + printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd); + return EIO; + } + + for (faep = &fae_list; (fae = *faep); ) + if (&fae->fae_fr == fr) + break; + else + faep = &fae->fae_next; + if (cmd == SIOCRMAFR) { + if (!fr || !frptr) + error = EINVAL; + else if (!fae) + error = ESRCH; + else { + WRITE_ENTER(&ipf_auth); + SPL_NET(s); + *faep = fae->fae_next; + *frptr = fr->fr_next; + SPL_X(s); + RWLOCK_EXIT(&ipf_auth); + KFREE(fae); + } + } else if (fr && frptr) { + KMALLOC(fae, frauthent_t *); + if (fae != NULL) { + bcopy((char *)fr, (char *)&fae->fae_fr, + sizeof(*fr)); + WRITE_ENTER(&ipf_auth); + SPL_NET(s); + fae->fae_age = fr_defaultauthage; + fae->fae_fr.fr_hits = 0; + fae->fae_fr.fr_next = *frptr; + *frptr = &fae->fae_fr; + fae->fae_next = *faep; + *faep = fae; + ipauth = &fae_list->fae_fr; + SPL_X(s); + RWLOCK_EXIT(&ipf_auth); + } else + error = ENOMEM; + } else + error = EINVAL; + return error; +} diff --git a/sys/contrib/ipfilter/netinet/ip_auth.h b/sys/contrib/ipfilter/netinet/ip_auth.h index cc2b661..64fc2d7 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.h +++ b/sys/contrib/ipfilter/netinet/ip_auth.h 
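Review bot: In fr_preauthcmd the `for (faep = &fae_list; (fae = *faep); )` walk runs before `WRITE_ENTER(&ipf_auth)`, so the list is searched unlocked and then modified under the lock; the preceding function fr_authexpire unlinks and frees entries under that same lock, so a concurrent expiry can free the `fae` this walk is dereferencing or leave `faep` pointing into freed memory before the unlink (a use-after-free window, present in the code this was moved from but now the place to fix it). I would take the lock before the walk and do the allocation for SIOCADAFR up front, as the original ordering already keeps KMALLOC outside the raised SPL. Two smaller points: the `int s;` guard uses `KERNEL` while fr_auth_ioctl above uses `_KERNEL` (harmless only if ip_compat.h defines one from the other, which I cannot see here), and the `printf("fr_preauthcmd called with bad cmd 0x%lx", …)` lacks a trailing `\n`. The function is fully visible in this hunk.
```c
	frauthent_t *fae, **faep, *nfae = NULL;
	/* … unchanged: cmd sanity check … */
	if ((cmd == SIOCADAFR) && fr && frptr) {
		KMALLOC(nfae, frauthent_t *);	/* allocate before raising SPL */
		if (nfae == NULL)
			return ENOMEM;
		bcopy((char *)fr, (char *)&nfae->fae_fr, sizeof(*fr));
	}
	WRITE_ENTER(&ipf_auth);
	SPL_NET(s);
	for (faep = &fae_list; (fae = *faep); )
		if (&fae->fae_fr == fr)
			break;
		else
			faep = &fae->fae_next;
	if (cmd == SIOCRMAFR) {
		if (!fr || !frptr)
			error = EINVAL;
		else if (!fae)
			error = ESRCH;
		else {
			*faep = fae->fae_next;
			*frptr = fr->fr_next;
		}
	} else if (nfae != NULL) {
		/* … unchanged: set fae_age/fr_hits, link nfae at *frptr and *faep, set ipauth … */
	} else
		error = EINVAL;
	SPL_X(s);
	RWLOCK_EXIT(&ipf_auth);
	if ((cmd == SIOCRMAFR) && (error == 0))
		KFREE(fae);
	return error;
```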
@@ -54,8 +54,10 @@ extern mb_t *fr_authpkts[]; extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *)); #if defined(__NetBSD__) || defined(__OpenBSD__) || \ (__FreeBSD_version >= 300003) -extern int fr_auth_ioctl __P((caddr_t, int, u_long, frentry_t *, frentry_t **)); +extern int fr_preauthcmd __P((u_long, frentry_t *, frentry_t **)); +extern int fr_auth_ioctl __P((caddr_t, int, u_long)); #else -extern int fr_auth_ioctl __P((caddr_t, int, int, frentry_t *, frentry_t **)); +extern int fr_preauthcmd __P((int, frentry_t *, frentry_t **)); +extern int fr_auth_ioctl __P((caddr_t, int, int)); #endif #endif /* __IP_AUTH_H__ */ diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h index 1a43238..90fc988 100644 --- a/sys/contrib/ipfilter/netinet/ip_compat.h +++ b/sys/contrib/ipfilter/netinet/ip_compat.h @@ -533,6 +533,7 @@ extern ill_t *get_unit __P((char *, int)); # ifdef sun # if !SOLARIS +# include # include # define GETUNIT(n, v) ifunit(n, IFNAMSIZ) # define IFNAME(x) ((struct ifnet *)x)->if_name @@ -655,6 +656,7 @@ extern vm_map_t kmem_map; # define IWCOPYPTR iwcopyptr # define IFNAME(x) get_ifname((struct ifnet *)x) # define UIOMOVE(a,b,c,d) ipfuiomove(a,b,c,d) +# include extern void m_copydata __P((mb_t *, int, int, caddr_t)); extern int ipfuiomove __P((caddr_t, int, int, struct uio *)); #endif /* KERNEL */ diff --git a/sys/contrib/ipfilter/netinet/ip_fil.c b/sys/contrib/ipfilter/netinet/ip_fil.c index da64a49..c2961cc 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.c +++ b/sys/contrib/ipfilter/netinet/ip_fil.c @@ -25,7 +25,7 @@ # include # endif #endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) # define _KMEMUSER # include #endif @@ -118,6 +118,10 @@ # include extern int ip_optcopy __P((struct ip *, struct ip *)); #endif +#if defined(OpenBSD) && (OpenBSD >= 200211) && defined(_KERNEL) +extern int ip6_getpmtu(struct route_in6 *, struct route_in6 *, + struct ifnet *, struct in6_addr *, u_long *); +#endif #include 
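Review bot: The hand-written `extern int ip6_getpmtu(struct route_in6 *, struct route_in6 *, struct ifnet *, struct in6_addr *, u_long *);` in ip_fil.c duplicates a kernel-internal prototype instead of taking it from a header, so if the kernel's definition has a different parameter list (later KAME-derived stacks add an `int *alwaysfrag` argument; I cannot confirm the OpenBSD 200211 signature from here) the call in fr_fastroute6 still compiles and passes a wrong argument list. I would include the kernel header that declares ip6_getpmtu if one is exported, or at least record where the prototype came from so the next bump re-checks it, e.g. `/* prototype copied from OpenBSD netinet6/ip6_output.c (OpenBSD >= 200211); re-verify on every OpenBSD bump */`. The guard also keys on the `OpenBSD` version macro rather than the `__OpenBSD__` feature macro used elsewhere in the file; that macro comes from the system headers, so the guard is silently false if it is not yet defined at this point.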
@@ -195,6 +199,15 @@ struct timeout ipfr_slowtimer_ch; toid_t ipfr_slowtimer_ch; #endif +#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) && \ + defined(_KERNEL) +# include +const struct cdevsw ipl_cdevsw = { + iplopen, iplclose, iplread, nowrite, iplioctl, + nostop, notty, nopoll, nommap, +}; +#endif + #if (_BSDI_VERSION >= 199510) && defined(_KERNEL) # include # include @@ -323,7 +336,7 @@ int count; # endif -# if defined(__NetBSD__) +# if defined(__NetBSD__) || defined(__OpenBSD__) int ipl_enable() # else int iplattach() @@ -368,10 +381,13 @@ int iplattach() # ifdef NETBSD_PF # if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011) # if __NetBSD_Version__ >= 105110000 - if ( - !(ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET)) + ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); +# ifdef USE_INET6 + ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); +# endif + if (ph_inet == NULL # ifdef USE_INET6 - && !(ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6)) + && ph_inet6 == NULL # endif ) return ENODEV; @@ -488,9 +504,15 @@ int ipl_disable() int ipldetach() # endif { +<<<<<<< ip_fil.c int s, i = FR_INQUE|FR_OUTQUE; #if defined(NETBSD_PF) && \ ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011)) +======= + int s, i; +#if defined(NETBSD_PF) && \ + ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011)) +>>>>>>> 1.1.1.17 int error = 0; # if __NetBSD_Version__ >= 105150000 struct pfil_head *ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); @@ -530,8 +552,8 @@ int ipldetach() printf("%s unloaded\n", ipfilter_version); fr_checkp = fr_savep; - i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE); - i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); + i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE); + i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE); fr_running = 0; # ifdef NETBSD_PF 
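Review bot: The ipldetach hunk commits unresolved merge markers `<<<<<<< ip_fil.c`, `=======` and `>>>>>>> 1.1.1.17`, which will stop ip_fil.c compiling. The two sides differ only in whether `i` is initialised to `FR_INQUE|FR_OUTQUE`; the later hunk in this file assigns `i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE)` before the visible uses, so the vendor side `int s, i;` looks sufficient, but the lines between the two hunks are not visible and should be checked for an earlier read of `i` before dropping the initialiser. Resolve by keeping one declaration and deleting the three marker lines. ipldetach continues past this hunk.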
@@ -676,7 +698,16 @@ int mode; if (!fr_running) error = EIO; else - error = fr_auth_ioctl(data, mode, cmd, NULL, NULL); + if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) { + if (!(mode & FWRITE)) { + error = EPERM; + } else { + error = frrequest(unit, cmd, data, + fr_active); + } + } else { + error = fr_auth_ioctl(data, mode, cmd); + } SPL_X(s); return error; } @@ -700,7 +731,7 @@ int mode; if (error) break; if (enable) -# if defined(__NetBSD__) +# if defined(__NetBSD__) || defined(__OpenBSD__) error = ipl_enable(); # else error = iplattach(); @@ -773,12 +804,26 @@ int mode; else { error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); if (!error) { - tmp = frflush(unit, tmp); + tmp = frflush(unit, 4, tmp); error = IWCOPY((caddr_t)&tmp, data, sizeof(tmp)); } } break; +#ifdef USE_INET6 + case SIOCIPFL6 : + if (!(mode & FWRITE)) + error = EPERM; + else { + error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); + if (!error) { + tmp = frflush(unit, 6, tmp); + error = IWCOPY((caddr_t)&tmp, data, + sizeof(tmp)); + } + } + break; +#endif case SIOCSTLCK : error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); if (!error) { @@ -803,12 +848,6 @@ int mode; if (error) error = EFAULT; break; - case SIOCAUTHW : - case SIOCAUTHR : - if (!(mode & FWRITE)) { - error = EPERM; - break; - } case SIOCFRSYN : if (!(mode & FWRITE)) error = EPERM; @@ -1014,6 +1053,9 @@ caddr_t data; return EBUSY; if (fg && fg->fg_head) fg->fg_head->fr_ref--; + if (unit == IPL_LOGAUTH) { + return fr_preauthcmd(req, f, ftail); + } if (f->fr_grhead) fr_delgroup((u_int)f->fr_grhead, fp->fr_flags, unit, set); @@ -1028,6 +1070,9 @@ caddr_t data; if (f) error = EEXIST; else { + if (unit == IPL_LOGAUTH) { + return fr_preauthcmd(req, fp, ftail); + } KMALLOC(f, frentry_t *); if (f != NULL) { if (fg && fg->fg_head) 
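Review bot: In frrequest the new `if (unit == IPL_LOGAUTH) return fr_preauthcmd(req, f, ftail);` on the delete path sits after `fg->fg_head->fr_ref--`, while on the add path the corresponding delegation returns before the `if (fg && fg->fg_head)` bookkeeping that follows `KMALLOC` (presumably the matching increment, not visible here). For an auth rule in a group the head's reference count is therefore decremented on removal without ever having been incremented on insertion, and it is decremented even when fr_preauthcmd fails with ESRCH or EINVAL. Move the delegation above the decrement: `if (unit == IPL_LOGAUTH) return fr_preauthcmd(req, f, ftail);` followed by `if (fg && fg->fg_head) fg->fg_head->fr_ref--;`. Both early returns also skip whatever frrequest does after the switch, so if a lock is held at this point (not visible in the hunk) it would be leaked. frrequest begins before this hunk and continues past it.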
@@ -1253,7 +1298,8 @@ struct mbuf **mp; ip->ip_tos = oip->ip_tos; ip->ip_id = oip->ip_id; -# if defined(__NetBSD__) || defined(__OpenBSD__) +# if defined(__NetBSD__) || \ + (defined(__OpenBSD__) && (OpenBSD >= 200012)) if (ip_mtudisc != 0) ip->ip_off = IP_DF; # else @@ -1488,7 +1534,7 @@ void iplinit() { -# if defined(__NetBSD__) +# if defined(__NetBSD__) || defined(__OpenBSD__) if (ipl_enable() != 0) # else if (iplattach() != 0) @@ -1593,7 +1639,7 @@ frdest_t *fdp; /* * Route packet. */ -#ifdef __sgi +#if defined(__sgi) && (IRIX >= 605) ROUTE_RDLOCK(); #endif bzero((caddr_t)ro, sizeof (*ro)); @@ -1633,7 +1679,7 @@ frdest_t *fdp; rtalloc(ro); # endif -#ifdef __sgi +#if defined(__sgi) && (IRIX > 602) ROUTE_UNLOCK(); #endif @@ -1904,6 +1950,12 @@ frdest_t *fdp; struct route_in6 *ro; struct ifnet *ifp; frentry_t *fr; +#if defined(OpenBSD) && (OpenBSD >= 200211) + struct route_in6 *ro_pmtu = NULL; + struct in6_addr finaldst; + ip6_t *ip6; +#endif + u_long mtu; int error; ifp = NULL; @@ -1941,11 +1993,23 @@ frdest_t *fdp; dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway; ro->ro_rt->rt_use++; - if (m0->m_pkthdr.len <= nd_ifinfo[ifp->if_index].linkmtu) - error = nd6_output(ifp, fin->fin_ifp, m0, dst6, - ro->ro_rt); - else - error = EMSGSIZE; +#if defined(OpenBSD) && (OpenBSD >= 200211) + ip6 = mtod(m0, ip6_t *); + ro_pmtu = ro; + finaldst = ip6->ip6_dst; + error = ip6_getpmtu(ro_pmtu, ro, ifp, &finaldst, &mtu); + if (error == 0) { +#else + mtu = nd_ifinfo[ifp->if_index].linkmtu; +#endif + if (m0->m_pkthdr.len <= mtu) + error = nd6_output(ifp, fin->fin_ifp, m0, + dst6, ro->ro_rt); + else + error = EMSGSIZE; +#if defined(OpenBSD) && (OpenBSD >= 200211) + } +#endif } if (ro->ro_rt != NULL) { -- cgit v1.1
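Review bot: In the OpenBSD branch of fr_fastroute6, when `ip6_getpmtu()` returns non-zero control falls out of the `if (error == 0)` block with `m0` neither handed to nd6_output nor freed on any visible line; the pre-existing `EMSGSIZE` branch has the same shape, so unless the code after the hunk frees the mbuf on error, every failed path-MTU lookup leaks an mbuf, which a remote peer could drive. I would either free `m0` on the error paths inside this function or confirm and document the ownership rule, e.g. `/* on error the caller still owns m0 and must free it */`. fr_fastroute6 begins before this hunk and continues past it.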