[src/netbsd-1-4]: src/sys/netinet Pull up revision 1.18 (requested by darrenr):
details: https://anonhg.NetBSD.org/src/rev/24ee4a964ea3
branches: netbsd-1-4
changeset: 469945:24ee4a964ea3
user: he <he%NetBSD.org@localhost>
date: Mon Dec 20 21:07:26 1999 +0000
description:
Pull up revision 1.18 (requested by darrenr):
Update IPF to version 3.3.5.
diffstat:
sys/netinet/ip_state.c | 762 +++++++++++++++++++++++++++++++++++-------------
1 files changed, 556 insertions(+), 206 deletions(-)
diffs (truncated from 1119 to 300 lines):
diff -r e88cebab0982 -r 24ee4a964ea3 sys/netinet/ip_state.c
--- a/sys/netinet/ip_state.c Mon Dec 20 21:07:21 1999 +0000
+++ b/sys/netinet/ip_state.c Mon Dec 20 21:07:26 1999 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_state.c,v 1.17 1999/02/02 19:57:32 cjs Exp $ */
+/* $NetBSD: ip_state.c,v 1.17.2.1 1999/12/20 21:07:26 he Exp $ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
@@ -9,10 +9,10 @@
*/
#if !defined(lint)
#if defined(__NetBSD__)
-static const char rcsid[] = "$NetBSD: ip_state.c,v 1.17 1999/02/02 19:57:32 cjs Exp $";
+static const char rcsid[] = "$NetBSD: ip_state.c,v 1.17.2.1 1999/12/20 21:07:26 he Exp $";
#else
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_state.c,v 2.0.2.24.2.25 1998/11/22 01:50:31 darrenr Exp ";
+static const char rcsid[] = "@(#)Id: ip_state.c,v 2.3.2.14 1999/11/30 13:46:05 darrenr Exp";
#endif
#endif
@@ -33,13 +33,16 @@
#if defined(KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
# include <sys/fcntl.h>
+# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
+# include "opt_ipfilter.h"
+# endif
#else
# include <sys/ioctl.h>
#endif
#include <sys/time.h>
#include <sys/uio.h>
#ifndef linux
-#include <sys/protosw.h>
+# include <sys/protosw.h>
#endif
#include <sys/socket.h>
#if defined(_KERNEL) && !defined(linux)
@@ -52,14 +55,16 @@
#else
# include <sys/filio.h>
# include <sys/byteorder.h>
-# include <sys/dditypes.h>
+# ifdef _KERNEL
+# include <sys/dditypes.h>
+# endif
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
#include <net/if.h>
#ifdef sun
-#include <net/af.h>
+# include <net/af.h>
#endif
#include <net/route.h>
#include <netinet/in.h>
@@ -79,35 +84,60 @@
#include "netinet/ip_frag.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_state.h"
+#if (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
+# include <sys/libkern.h>
+# include <sys/systm.h>
+# endif
+#endif
+
#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
+# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
#define TCP_CLOSE (TH_FIN|TH_RST)
-ipstate_t *ips_table[IPSTATE_SIZE];
+ipstate_t **ips_table = NULL;
int ips_num = 0;
ips_stat_t ips_stats;
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T ipf_state;
+extern KRWLOCK_T ipf_state, ipf_mutex;
extern kmutex_t ipf_rw;
#endif
static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr,
- fr_info_t *, void *, u_short, u_short));
+ fr_info_t *, tcphdr_t *));
+static frentry_t *fr_checkicmpmatchingstate __P((ip_t *, fr_info_t *));
static int fr_state_flush __P((int));
static ips_stat_t *fr_statetstats __P((void));
+static void fr_delstate __P((ipstate_t *));
#define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */
+#define TCP_MSL 240 /* 2 minutes */
u_long fr_tcpidletimeout = FIVE_DAYS,
- fr_tcpclosewait = 60,
- fr_tcplastack = 20,
- fr_tcptimeout = 120,
+ fr_tcpclosewait = 2 * TCP_MSL,
+ fr_tcplastack = 2 * TCP_MSL,
+ fr_tcptimeout = 2 * TCP_MSL,
fr_tcpclosed = 1,
- fr_udptimeout = 120,
+ fr_udptimeout = 240,
fr_icmptimeout = 120;
+int fr_statemax = IPSTATE_MAX,
+ fr_statesize = IPSTATE_SIZE;
+int fr_state_doflush = 0;
+
+
+int fr_stateinit()
+{
+ KMALLOCS(ips_table, ipstate_t **, fr_statesize * sizeof(ipstate_t *));
+ if (ips_table != NULL)
+ bzero((char *)ips_table, fr_statesize * sizeof(ipstate_t *));
+ else
+ return -1;
+ return 0;
+}
static ips_stat_t *fr_statetstats()
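Review bot: fr_stateinit multiplies `fr_statesize * sizeof(ipstate_t *)` without checking that `fr_statesize` is positive, and the same plain `int` global is later used as the loop bound in fr_state_flush (`for (i = fr_statesize - 1; ...)`) and as the hash modulus in fr_addstate (`hv %= fr_statesize`), where a zero value would be a division by zero and a negative one converts to a huge unsigned modulus. If `fr_statesize` can be set from outside this file (it is a non-static global, so presumably it can), a guard at the top of the function, `if (fr_statesize <= 0) return -1;`, closes all three at the only place the table is sized. The function is also defined with an empty old-style parameter list while the rest of the file declares prototypes through `__P(())`; `int fr_stateinit(void)` would match. A one-line header comment such as `/* Allocate and zero the state hash table; returns -1 on allocation failure. */` would document the -1 convention that the error path establishes here.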
@@ -136,7 +166,7 @@
SPL_NET(s);
WRITE_ENTER(&ipf_state);
- for (i = 0; i < IPSTATE_SIZE; i++)
+ for (i = fr_statesize - 1; i >= 0; i--)
for (isp = &ips_table[i]; (is = *isp); ) {
delete = 0;
@@ -161,10 +191,12 @@
ips_stats.iss_fin++;
else
ips_stats.iss_expire++;
+ if (ips_table[i] == NULL)
+ ips_stats.iss_inuse--;
#ifdef IPFILTER_LOG
ipstate_log(is, ISL_FLUSH);
#endif
- KFREE(is);
+ fr_delstate(is);
ips_num--;
removed++;
} else
@@ -207,7 +239,8 @@
#endif
break;
default :
- return EINVAL;
+ error = EINVAL;
+ break;
}
return error;
}
@@ -216,21 +249,25 @@
/*
* Create a new ipstate structure and hang it off the hash table.
*/
-int fr_addstate(ip, fin, pass)
+ipstate_t *fr_addstate(ip, fin, flags)
ip_t *ip;
fr_info_t *fin;
-u_int pass;
+u_int flags;
{
+ register ipstate_t *is;
+ register u_int hv;
ipstate_t ips;
- register ipstate_t *is = &ips;
- register u_int hv;
+ u_int pass;
if ((ip->ip_off & IP_OFFMASK) || (fin->fin_fi.fi_fl & FI_SHORT))
- return -1;
- if (ips_num == IPSTATE_MAX) {
+ return NULL;
+ if (ips_num == fr_statemax) {
ips_stats.iss_max++;
- return -1;
+ fr_state_doflush = 1;
+ return NULL;
}
+ is = &ips;
+ bzero((char *)is, sizeof(*is));
ips.is_age = 1;
ips.is_state[0] = 0;
ips.is_state[1] = 0;
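Review bot: The capacity test `if (ips_num == fr_statemax)` only fires when the count is exactly at the limit; if `fr_statemax` is ever lowered below the current `ips_num` while states exist (it is a non-static `int` global, so this looks possible but is not visible here), the check never triggers again and the table grows past the limit. `if (ips_num >= fr_statemax)` is the robust form. Separately, the two assignments `ips.is_state[0] = 0; ips.is_state[1] = 0;` are now redundant after the `bzero((char *)is, sizeof(*is))` added just above them and can be dropped. fr_addstate's body continues outside this hunk.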
@@ -260,7 +297,7 @@
is->is_icmp.ics_type = ic->icmp_type + 1;
break;
default :
- return -1;
+ return NULL;
}
ATOMIC_INC(ips_stats.iss_icmp);
is->is_age = fr_icmptimeout;
@@ -274,19 +311,28 @@
* The endian of the ports doesn't matter, but the ack and
* sequence numbers do as we do mathematics on them later.
*/
- hv += (is->is_dport = tcp->th_dport);
- hv += (is->is_sport = tcp->th_sport);
- is->is_seq = ntohl(tcp->th_seq);
- is->is_ack = ntohl(tcp->th_ack);
- is->is_swin = ntohs(tcp->th_win);
- is->is_dwin = is->is_swin; /* start them the same */
+ is->is_dport = tcp->th_dport;
+ is->is_sport = tcp->th_sport;
+ if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) {
+ hv += tcp->th_dport;
+ hv += tcp->th_sport;
+ }
+ if (tcp->th_seq != 0) {
+ is->is_send = ntohl(tcp->th_seq) + ip->ip_len -
+ fin->fin_hlen - (tcp->th_off << 2) +
+ ((tcp->th_flags & TH_SYN) ? 1 : 0) +
+ ((tcp->th_flags & TH_FIN) ? 1 : 0);
+ is->is_maxsend = is->is_send + 1;
+ }
+ is->is_dend = 0;
+ is->is_maxswin = ntohs(tcp->th_win);
+ if (is->is_maxswin == 0)
+ is->is_maxswin = 1;
/*
* If we're creating state for a starting connection, start the
* timer on it as we'll never see an error if it fails to
* connect.
*/
- if ((tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN)
- is->is_ack = 0; /* Trumpet WinSock 'ism */
MUTEX_ENTER(&ipf_rw);
ips_stats.iss_tcp++;
fr_tcp_age(&is->is_age, is->is_state, ip, fin,
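Review bot: The guard `if (tcp->th_seq != 0)` treats a zero sequence number as "no sequence information", so a connection whose initial sequence number is genuinely 0 is left with `is_send` and `is_maxsend` both at the bzero'd zero rather than `is_maxsend = is_send + 1`; whether later sequence checking tolerates that is decided by code not in this diff, so it needs either a comment or an unconditional computation. If the special case is intended, a comment on the guard such as `/* th_seq == 0 is taken to mean "no sequence state"; a real zero ISN is not tracked */` makes the trade-off visible. The `is_send` arithmetic also subtracts `fin->fin_hlen` and `tcp->th_off << 2` from `ip->ip_len` and relies on the earlier `FI_SHORT` rejection to keep that from going negative in the u_32 domain; noting that dependency at the computation would help the next reader. fr_addstate's body continues outside this hunk.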
@@ -298,25 +344,38 @@
{
register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
- hv += (is->is_dport = tcp->th_dport);
- hv += (is->is_sport = tcp->th_sport);
+ is->is_dport = tcp->th_dport;
+ is->is_sport = tcp->th_sport;
+ if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) {
+ hv += tcp->th_dport;
+ hv += tcp->th_sport;
+ }
ATOMIC_INC(ips_stats.iss_udp);
is->is_age = fr_udptimeout;
break;
}
default :
- return -1;
+ return NULL;
}
- KMALLOC(is, ipstate_t *, sizeof(*is));
+ KMALLOC(is, ipstate_t *);
if (is == NULL) {
ATOMIC_INC(ips_stats.iss_nomem);
- return -1;
+ return NULL;
}
bcopy((char *)&ips, (char *)is, sizeof(*is));
- hv %= IPSTATE_SIZE;
+ hv %= fr_statesize;
+ RW_UPGRADE(&ipf_mutex);
+ is->is_rule = fin->fin_fr;
+ if (is->is_rule != NULL) {
+ is->is_rule->fr_ref++;
+ pass = is->is_rule->fr_flags;
+ } else
+ pass = fr_flags;
+ MUTEX_DOWNGRADE(&ipf_mutex);
WRITE_ENTER(&ipf_state);
+ is->is_rout = pass & FR_OUTQUE ? 1 : 0;
is->is_pass = pass;
is->is_pkts = 1;
is->is_bytes = ip->ip_len;
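Review bot: `is->is_rout = pass & FR_OUTQUE ? 1 : 0;` relies on `&` binding tighter than `?:`; it is correct, but the unparenthesized form reads like `pass & (FR_OUTQUE ? 1 : 0)`, so `is->is_rout = (pass & FR_OUTQUE) ? 1 : 0;` is the clearer line. The new `is->is_rule->fr_ref++` means the state entry now holds a reference on the rule it was created from; that ownership should be stated at the assignment, e.g. `/* the state holds a reference on its rule; dropped when the state is deleted */`, since the release is presumably in fr_delstate, whose body is not part of this diff. The lock sequence `RW_UPGRADE(&ipf_mutex)` / `MUTEX_DOWNGRADE(&ipf_mutex)` pairs macros from two different naming families on the same object; if they are the same primitive a comment saying so would avoid the question, and if not the pairing needs a second look.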
@@ -331,14 +390,16 @@
is->is_secmsk = 0xffff;
is->is_auth = fin->fin_fi.fi_auth;
is->is_authmsk = 0xffff;
- is->is_flags = fin->fin_fi.fi_fl;
- is->is_flags |= FI_OPTIONS|FI_TCPUDP|FI_SHORT;
- is->is_flags |= fin->fin_fi.fi_fl << 4;
+ is->is_flags = fin->fin_fi.fi_fl & FI_CMP;
+ is->is_flags |= FI_CMP << 4;
+ is->is_flags |= flags & (FI_W_DPORT|FI_W_SPORT);
/*
* add into table.
*/
is->is_next = ips_table[hv];
ips_table[hv] = is;