From d18ce92d580ccae82a3d998f6127986ad1690a09 Mon Sep 17 00:00:00 2001
From: darrenr <darrenr@FreeBSD.org>
Date: Mon, 31 Jul 2000 13:11:42 +0000
Subject: activate pfil_hooks and covert ipfilter to use it

---
 sys/netinet/ip_fil.c    | 13 ++++++++-----
 sys/netinet/ip_fil.h    |  3 ++-
 sys/netinet/ip_input.c  | 38 ++++++++++++++++++++++++++++----------
 sys/netinet/ip_output.c | 33 +++++++++++++++++++++++++--------
 sys/netinet/ipprotosw.h |  6 ++++++
 5 files changed, 69 insertions(+), 24 deletions(-)

(limited to 'sys/netinet')

diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
index 746df30..e6cdb81 100644
--- a/sys/netinet/ip_fil.c
+++ b/sys/netinet/ip_fil.c
@@ -190,7 +190,8 @@ struct devsw iplsw = {
 };
 #endif /* _BSDI_VERSION >= 199510  && _KERNEL */
 
-#if defined(__NetBSD__) || defined(__OpenBSD__)  || (_BSDI_VERSION >= 199701)
+#if defined(__NetBSD__) || defined(__OpenBSD__)  || \
+    (_BSDI_VERSION >= 199701) || (__FreeBSD_Version >= 50011)
 # include <sys/conf.h>
 # if defined(NETBSD_PF)
 #  include <net/pfil.h>
@@ -231,7 +232,8 @@ int iplattach()
 {
 	char *defpass;
 	int s;
-# if defined(__sgi) || (defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000))
+# if defined(__sgi) || (defined(NETBSD_PF) && \
+  ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011)))
 	int error = 0;
 # endif
 
@@ -253,7 +255,7 @@ int iplattach()
 		return -1;
 
 # ifdef NETBSD_PF
-#  if __NetBSD_Version__ >= 104200000
+#  if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011)
 	error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
 			      &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
 	if (error) {
@@ -338,7 +340,8 @@ pfil_error:
 int ipldetach()
 {
 	int s, i = FR_INQUE|FR_OUTQUE;
-#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
+#if defined(NETBSD_PF) && \
+    ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011))
 	int error = 0;
 #endif
 
@@ -372,7 +375,7 @@ int ipldetach()
 	fr_running = 0;
 
 # ifdef NETBSD_PF
-#  if __NetBSD_Version__ >= 104200000
+#  if ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011))
 	error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
 				 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
 	if (error)
diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h
index 0d7ff05..4c24f9c 100644
--- a/sys/netinet/ip_fil.h
+++ b/sys/netinet/ip_fil.h
@@ -468,7 +468,8 @@ typedef	struct	ipflog	{
  * with this!
  */
 #if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
-    (defined(NetBSD1_2) && NetBSD1_2 > 1)
+    (defined(NetBSD1_2) && NetBSD1_2 > 1) || (defined(__FreeBSD_version) && \
+     (__FreeBSD_version >= 500011))
 # if (NetBSD >= 199905)
 #  define PFIL_HOOKS
 # endif
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 6647622..387abd1 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -43,12 +43,14 @@
 #include "opt_ipfilter.h"
 #include "opt_ipstealth.h"
 #include "opt_ipsec.h"
+#include "opt_pfil_hooks.h"
 
 #include <stddef.h>
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
+#include <sys/pfil.h>
 #include <sys/malloc.h>
 #include <sys/domain.h>
 #include <sys/protosw.h>
@@ -175,8 +177,6 @@ int fw_enable = 1 ;
 ip_dn_ctl_t *ip_dn_ctl_ptr;
 #endif
 
-int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
-
 
 /*
  * We need to save the IP options in case a protocol wants to respond
@@ -261,6 +261,11 @@ ip_input(struct mbuf *m)
 	u_int32_t divert_info = 0;		/* packet divert/tee info */
 #endif
 	struct ip_fw_chain *rule = NULL;
+#ifdef PFIL_HOOKS
+	struct packet_filter_hook *pfh;
+	struct mbuf *m0;
+	int rv;
+#endif /* PFIL_HOOKS */
 
 #ifdef IPDIVERT
 	/* Get and reset firewall cookie */
@@ -377,17 +382,30 @@ tooshort:
 #if defined(IPFIREWALL) && defined(DUMMYNET)
 iphack:
 #endif
+
+#ifdef PFIL_HOOKS
 	/*
-	 * Check if we want to allow this packet to be processed.
-	 * Consider it to be bad if not.
+	 * Run through list of hooks for input packets.  If there are any
+	 * filters which require that additional packets in the flow are
+	 * not fast-forwarded, they must clear the M_CANFASTFWD flag.
+	 * Note that filters must _never_ set this flag, as another filter
+	 * in the list may have previously cleared it.
 	 */
-	if (fr_checkp) {
-		struct	mbuf	*m1 = m;
+	m0 = m;
+	pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+	for (; pfh; pfh = pfh->pfil_link.tqe_next)
+		if (pfh->pfil_func) {
+			rv = pfh->pfil_func(ip, hlen,
+					    m->m_pkthdr.rcvif, 0, &m0);
+			if (rv)
+				return;
+			m = m0;
+			if (m == NULL)
+				return;
+			ip = mtod(m, struct ip *);
+		}
+#endif /* PFIL_HOOKS */
 
-		if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
-			return;
-		ip = mtod(m = m1, struct ip *);
-	}
 	if (fw_enable && ip_fw_chk_ptr) {
 #ifdef IPFIREWALL_FORWARD
 		/*
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 450b0d6..a5dd111 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -41,6 +41,7 @@
 #include "opt_ipdivert.h"
 #include "opt_ipfilter.h"
 #include "opt_ipsec.h"
+#include "opt_pfil_hooks.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -106,7 +107,6 @@ static int	ip_setmoptions
 	__P((struct sockopt *, struct ip_moptions **));
 
 int	ip_optcopy __P((struct ip *, struct ip *));
-extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
 
 
 extern	struct protosw inetsw[];
@@ -139,6 +139,11 @@ ip_output(m0, opt, ro, flags, imo)
 	struct secpolicy *sp = NULL;
 #endif
 	u_int16_t divert_cookie;		/* firewall cookie */
+#ifdef PFIL_HOOKS
+	struct packet_filter_hook *pfh;
+	struct mbuf *m1;
+	int rv;
+#endif /* PFIL_HOOKS */
 #ifdef IPFIREWALL_FORWARD
 	int fwd_rewrite_src = 0;
 #endif
@@ -431,13 +436,25 @@ sendit:
 	 * - Wrap: fake packet's addr/port <unimpl.>
 	 * - Encapsulate: put it in another IP and send out. <unimp.>
 	 */ 
-	if (fr_checkp) {
-		struct  mbuf    *m1 = m;
-
-		if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
-			goto done;
-		ip = mtod(m = m1, struct ip *);
-	}
+#ifdef PFIL_HOOKS
+	/*
+	 * Run through list of hooks for output packets.
+	 */
+	m1 = m;
+	pfh = pfil_hook_get(PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+	for (; pfh; pfh = pfh->pfil_link.tqe_next)
+		if (pfh->pfil_func) {
+			rv = pfh->pfil_func(ip, hlen, ifp, 1, &m1);
+			if (rv) {
+				error = EHOSTUNREACH;
+				goto done;
+			}
+			m = m1;
+			if (m == NULL)
+				goto done;
+			ip = mtod(m, struct ip *);
+		}
+#endif /* PFIL_HOOKS */
 
 	/*
 	 * Check with the firewall...
diff --git a/sys/netinet/ipprotosw.h b/sys/netinet/ipprotosw.h
index 0ecb64d..1d65f0c 100644
--- a/sys/netinet/ipprotosw.h
+++ b/sys/netinet/ipprotosw.h
@@ -66,6 +66,11 @@
 #ifndef _NETINET_IPPROTOSW_H_
 #define _NETINET_IPPROTOSW_H_
 
+/*
+ * For pfil_head structure.
+ */
+#include <net/pfil.h>
+
 /* Forward declare these structures referenced from prototypes below. */
 struct mbuf;
 struct proc;
@@ -98,6 +103,7 @@ struct ipprotosw {
 	void	(*pr_drain) __P((void));
 					/* flush any excess space possible */
 	struct	pr_usrreqs *pr_usrreqs;	/* supersedes pr_usrreq() */
+	struct	pfil_head	pr_pfh;
 };
 
 #endif /* !_NETINET_IPPROTOSW_H_ */
-- 
cgit v1.1