Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-1-4]: src/sys/netinet Pull up revision 1.18 (requested by darrenr):



details:   https://anonhg.NetBSD.org/src/rev/24ee4a964ea3
branches:  netbsd-1-4
changeset: 469945:24ee4a964ea3
user:      he <he%NetBSD.org@localhost>
date:      Mon Dec 20 21:07:26 1999 +0000

description:
Pull up revision 1.18 (requested by darrenr):
  Update IPF to version 3.3.5.

diffstat:

 sys/netinet/ip_state.c |  762 +++++++++++++++++++++++++++++++++++-------------
 1 files changed, 556 insertions(+), 206 deletions(-)

diffs (truncated from 1119 to 300 lines):

diff -r e88cebab0982 -r 24ee4a964ea3 sys/netinet/ip_state.c
--- a/sys/netinet/ip_state.c    Mon Dec 20 21:07:21 1999 +0000
+++ b/sys/netinet/ip_state.c    Mon Dec 20 21:07:26 1999 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_state.c,v 1.17 1999/02/02 19:57:32 cjs Exp $        */
+/*     $NetBSD: ip_state.c,v 1.17.2.1 1999/12/20 21:07:26 he Exp $     */
 
 /*
  * Copyright (C) 1995-1998 by Darren Reed.
@@ -9,10 +9,10 @@
  */
 #if !defined(lint)
 #if defined(__NetBSD__)
-static const char rcsid[] = "$NetBSD: ip_state.c,v 1.17 1999/02/02 19:57:32 cjs Exp $";
+static const char rcsid[] = "$NetBSD: ip_state.c,v 1.17.2.1 1999/12/20 21:07:26 he Exp $";
 #else
 static const char sccsid[] = "@(#)ip_state.c   1.8 6/5/96 (C) 1993-1995 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_state.c,v 2.0.2.24.2.25 1998/11/22 01:50:31 darrenr Exp ";
+static const char rcsid[] = "@(#)Id: ip_state.c,v 2.3.2.14 1999/11/30 13:46:05 darrenr Exp";
 #endif
 #endif
 
@@ -33,13 +33,16 @@
 #if defined(KERNEL) && (__FreeBSD_version >= 220000)
 # include <sys/filio.h>
 # include <sys/fcntl.h>
+# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
+#  include "opt_ipfilter.h"
+# endif
 #else
 # include <sys/ioctl.h>
 #endif
 #include <sys/time.h>
 #include <sys/uio.h>
 #ifndef linux
-#include <sys/protosw.h>
+# include <sys/protosw.h>
 #endif
 #include <sys/socket.h>
 #if defined(_KERNEL) && !defined(linux)
@@ -52,14 +55,16 @@
 #else
 # include <sys/filio.h>
 # include <sys/byteorder.h>
-# include <sys/dditypes.h>
+# ifdef _KERNEL
+#  include <sys/dditypes.h>
+# endif
 # include <sys/stream.h>
 # include <sys/kmem.h>
 #endif
 
 #include <net/if.h>
 #ifdef sun
-#include <net/af.h>
+# include <net/af.h>
 #endif
 #include <net/route.h>
 #include <netinet/in.h>
@@ -79,35 +84,60 @@
 #include "netinet/ip_frag.h"
 #include "netinet/ip_proxy.h"
 #include "netinet/ip_state.h"
+#if (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
+#  include <sys/libkern.h>
+#  include <sys/systm.h>
+# endif
+#endif
+
 #ifndef        MIN
-#define        MIN(a,b)        (((a)<(b))?(a):(b))
+# define       MIN(a,b)        (((a)<(b))?(a):(b))
 #endif
 
 #define        TCP_CLOSE       (TH_FIN|TH_RST)
 
-ipstate_t *ips_table[IPSTATE_SIZE];
+ipstate_t **ips_table = NULL;
 int    ips_num = 0;
 ips_stat_t ips_stats;
 #if    (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T       ipf_state;
+extern KRWLOCK_T       ipf_state, ipf_mutex;
 extern kmutex_t        ipf_rw;
 #endif
 
 static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr,
-                              fr_info_t *, void *, u_short, u_short));
+                              fr_info_t *, tcphdr_t *));
+static frentry_t *fr_checkicmpmatchingstate __P((ip_t *, fr_info_t *));
 static int fr_state_flush __P((int));
 static ips_stat_t *fr_statetstats __P((void));
+static void fr_delstate __P((ipstate_t *));
 
 
 #define        FIVE_DAYS       (2 * 5 * 86400) /* 5 days: half closed session */
 
+#define        TCP_MSL 240                     /* 2 minutes */
 u_long fr_tcpidletimeout = FIVE_DAYS,
-       fr_tcpclosewait = 60,
-       fr_tcplastack = 20,
-       fr_tcptimeout = 120,
+       fr_tcpclosewait = 2 * TCP_MSL,
+       fr_tcplastack = 2 * TCP_MSL,
+       fr_tcptimeout = 2 * TCP_MSL,
        fr_tcpclosed = 1,
-       fr_udptimeout = 120,
+       fr_udptimeout = 240,
        fr_icmptimeout = 120;
+int    fr_statemax = IPSTATE_MAX,
+       fr_statesize = IPSTATE_SIZE;
+int    fr_state_doflush = 0;
+
+
+int fr_stateinit()
+{
+       KMALLOCS(ips_table, ipstate_t **, fr_statesize * sizeof(ipstate_t *));
+       if (ips_table != NULL)
+               bzero((char *)ips_table, fr_statesize * sizeof(ipstate_t *));
+       else
+               return -1;
+       return 0;
+}
 
 
 static ips_stat_t *fr_statetstats()
@@ -136,7 +166,7 @@
 
        SPL_NET(s);
        WRITE_ENTER(&ipf_state);
-       for (i = 0; i < IPSTATE_SIZE; i++)
+       for (i = fr_statesize - 1; i >= 0; i--)
                for (isp = &ips_table[i]; (is = *isp); ) {
                        delete = 0;
 
@@ -161,10 +191,12 @@
                                        ips_stats.iss_fin++;
                                else
                                        ips_stats.iss_expire++;
+                               if (ips_table[i] == NULL)
+                                       ips_stats.iss_inuse--;
 #ifdef IPFILTER_LOG
                                ipstate_log(is, ISL_FLUSH);
 #endif
-                               KFREE(is);
+                               fr_delstate(is);
                                ips_num--;
                                removed++;
                        } else
@@ -207,7 +239,8 @@
 #endif
                break;
        default :
-               return EINVAL;
+               error = EINVAL;
+               break;
        }
        return error;
 }
@@ -216,21 +249,25 @@
 /*
  * Create a new ipstate structure and hang it off the hash table.
  */
-int fr_addstate(ip, fin, pass)
+ipstate_t *fr_addstate(ip, fin, flags)
 ip_t *ip;
 fr_info_t *fin;
-u_int pass;
+u_int flags;
 {
+       register ipstate_t *is;
+       register u_int hv;
        ipstate_t ips;
-       register ipstate_t *is = &ips;
-       register u_int hv;
+       u_int pass;
 
        if ((ip->ip_off & IP_OFFMASK) || (fin->fin_fi.fi_fl & FI_SHORT))
-               return -1;
-       if (ips_num == IPSTATE_MAX) {
+               return NULL;
+       if (ips_num == fr_statemax) {
                ips_stats.iss_max++;
-               return -1;
+               fr_state_doflush = 1;
+               return NULL;
        }
+       is = &ips;
+       bzero((char *)is, sizeof(*is));
        ips.is_age = 1;
        ips.is_state[0] = 0;
        ips.is_state[1] = 0;
@@ -260,7 +297,7 @@
                        is->is_icmp.ics_type = ic->icmp_type + 1;
                        break;
                default :
-                       return -1;
+                       return NULL;
                }
                ATOMIC_INC(ips_stats.iss_icmp);
                is->is_age = fr_icmptimeout;
@@ -274,19 +311,28 @@
                 * The endian of the ports doesn't matter, but the ack and
                 * sequence numbers do as we do mathematics on them later.
                 */
-               hv += (is->is_dport = tcp->th_dport);
-               hv += (is->is_sport = tcp->th_sport);
-               is->is_seq = ntohl(tcp->th_seq);
-               is->is_ack = ntohl(tcp->th_ack);
-               is->is_swin = ntohs(tcp->th_win);
-               is->is_dwin = is->is_swin;      /* start them the same */
+               is->is_dport = tcp->th_dport;
+               is->is_sport = tcp->th_sport;
+               if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) {
+                       hv += tcp->th_dport;
+                       hv += tcp->th_sport;
+               }
+               if (tcp->th_seq != 0) {
+                       is->is_send = ntohl(tcp->th_seq) + ip->ip_len -
+                                     fin->fin_hlen - (tcp->th_off << 2) +
+                                     ((tcp->th_flags & TH_SYN) ? 1 : 0) +
+                                     ((tcp->th_flags & TH_FIN) ? 1 : 0);
+                       is->is_maxsend = is->is_send + 1;
+               }
+               is->is_dend = 0;
+               is->is_maxswin = ntohs(tcp->th_win);
+               if (is->is_maxswin == 0)
+                       is->is_maxswin = 1;
                /*
                 * If we're creating state for a starting connection, start the
                 * timer on it as we'll never see an error if it fails to
                 * connect.
                 */
-               if ((tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN)
-                       is->is_ack = 0; /* Trumpet WinSock 'ism */
                MUTEX_ENTER(&ipf_rw);
                ips_stats.iss_tcp++;
                fr_tcp_age(&is->is_age, is->is_state, ip, fin,
@@ -298,25 +344,38 @@
            {
                register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
 
-               hv += (is->is_dport = tcp->th_dport);
-               hv += (is->is_sport = tcp->th_sport);
+               is->is_dport = tcp->th_dport;
+               is->is_sport = tcp->th_sport;
+               if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) {
+                       hv += tcp->th_dport;
+                       hv += tcp->th_sport;
+               }
                ATOMIC_INC(ips_stats.iss_udp);
                is->is_age = fr_udptimeout;
                break;
            }
        default :
-               return -1;
+               return NULL;
        }
 
-       KMALLOC(is, ipstate_t *, sizeof(*is));
+       KMALLOC(is, ipstate_t *);
        if (is == NULL) {
                ATOMIC_INC(ips_stats.iss_nomem);
-               return -1;
+               return NULL;
        }
        bcopy((char *)&ips, (char *)is, sizeof(*is));
-       hv %= IPSTATE_SIZE;
+       hv %= fr_statesize;
+       RW_UPGRADE(&ipf_mutex);
+       is->is_rule = fin->fin_fr;
+       if (is->is_rule != NULL) {
+               is->is_rule->fr_ref++;
+               pass = is->is_rule->fr_flags;
+       } else
+               pass = fr_flags;
+       MUTEX_DOWNGRADE(&ipf_mutex);
        WRITE_ENTER(&ipf_state);
 
+       is->is_rout = pass & FR_OUTQUE ? 1 : 0;
        is->is_pass = pass;
        is->is_pkts = 1;
        is->is_bytes = ip->ip_len;
@@ -331,14 +390,16 @@
        is->is_secmsk = 0xffff;
        is->is_auth = fin->fin_fi.fi_auth;
        is->is_authmsk = 0xffff;
-       is->is_flags = fin->fin_fi.fi_fl;
-       is->is_flags |= FI_OPTIONS|FI_TCPUDP|FI_SHORT;
-       is->is_flags |= fin->fin_fi.fi_fl << 4;
+       is->is_flags = fin->fin_fi.fi_fl & FI_CMP;
+       is->is_flags |= FI_CMP << 4;
+       is->is_flags |= flags & (FI_W_DPORT|FI_W_SPORT);
        /*
         * add into table.
         */
        is->is_next = ips_table[hv];
        ips_table[hv] = is;



Home | Main Index | Thread Index | Old Index