[src/netbsd-1-5]: src/sys/netinet Pull up revisions 1.23-1.27 (requested by m...
details: https://anonhg.NetBSD.org/src/rev/4acef0d6bc08
branches: netbsd-1-5
changeset: 492723:4acef0d6bc08
user: he <he%NetBSD.org@localhost>
date: Sat Feb 09 17:14:12 2002 +0000
description:
Pull up revisions 1.23-1.27 (requested by martti):
Updated IPFilter to 3.4.23.
diffstat:
sys/netinet/ip_proxy.c | 174 ++++++++++++++++++++++++++++++++++++------------
1 files changed, 130 insertions(+), 44 deletions(-)
diffs (truncated from 362 to 300 lines):
diff -r 93e8bbeb9ba7 -r 4acef0d6bc08 sys/netinet/ip_proxy.c
--- a/sys/netinet/ip_proxy.c Sat Feb 09 17:03:02 2002 +0000
+++ b/sys/netinet/ip_proxy.c Sat Feb 09 17:14:12 2002 +0000
@@ -1,20 +1,10 @@
-/* $NetBSD: ip_proxy.c,v 1.22 2000/05/11 19:46:06 veego Exp $ */
+/* $NetBSD: ip_proxy.c,v 1.22.4.1 2002/02/09 17:14:12 he Exp $ */
/*
- * Copyright (C) 1997-2000 by Darren Reed.
+ * Copyright (C) 1997-2002 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-#if defined(__NetBSD__)
-static const char rcsid[] = "$NetBSD: ip_proxy.c,v 1.22 2000/05/11 19:46:06 veego Exp $";
-#else
-static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.9.2.1 2000/05/06 12:30:50 darrenr Exp";
-#endif
-#endif
-
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
#endif
@@ -77,30 +67,42 @@
#include "netinet/ip_compat.h"
#include <netinet/tcpip.h>
#include "netinet/ip_fil.h"
-#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_state.h"
+#include "netinet/ip_proxy.h"
#if (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
#endif
+#if !defined(lint)
+#if defined(__NetBSD__)
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: ip_proxy.c,v 1.22.4.1 2002/02/09 17:14:12 he Exp $");
+#else
+static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.9.2.17 2002/01/15 14:36:49 darrenr Exp";
+#endif
+#endif
+
+#if defined(_KERNEL) && (SOLARIS || defined(__sgi))
+extern KRWLOCK_T ipf_nat, ipf_state;
+#endif
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
#endif
-static ap_session_t *appr_new_session __P((aproxy_t *, ip_t *,
- fr_info_t *, nat_t *));
static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
#define AP_SESS_SIZE 53
-#if defined(_KERNEL) && !defined(linux)
+#if defined(_KERNEL)
#include "netinet/ip_ftp_pxy.c"
#include "netinet/ip_rcmd_pxy.c"
#include "netinet/ip_raudio_pxy.c"
+#include "netinet/ip_netbios_pxy.c"
#endif
+#include "netinet/ip_ipsec_pxy.c"
ap_session_t *ap_sess_tab[AP_SESS_SIZE];
ap_session_t *ap_sess_list = NULL;
@@ -108,20 +110,33 @@
aproxy_t ap_proxies[] = {
#ifdef IPF_FTP_PROXY
{ NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL,
- ippr_ftp_new, ippr_ftp_in, ippr_ftp_out },
+ ippr_ftp_new, NULL, ippr_ftp_in, ippr_ftp_out, NULL },
#endif
#ifdef IPF_RCMD_PROXY
{ NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, NULL,
- ippr_rcmd_new, NULL, ippr_rcmd_out },
+ ippr_rcmd_new, NULL, NULL, ippr_rcmd_out, NULL },
#endif
#ifdef IPF_RAUDIO_PROXY
{ NULL, "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, NULL,
- ippr_raudio_new, ippr_raudio_in, ippr_raudio_out },
+ ippr_raudio_new, NULL, ippr_raudio_in, ippr_raudio_out, NULL },
#endif
- { NULL, "", '\0', 0, 0, NULL, NULL }
+#ifdef IPF_IPSEC_PROXY
+ { NULL, "ipsec", (char)IPPROTO_UDP, 0, 0, ippr_ipsec_init, NULL,
+ ippr_ipsec_new, ippr_ipsec_del, NULL, ippr_ipsec_out,
+ ippr_ipsec_match },
+#endif
+#ifdef IPF_NETBIOS_PROXY
+ { NULL, "netbios", (char)IPPROTO_TCP, 0, 0, ippr_netbios_init, NULL,
+ NULL, NULL, NULL, ippr_netbios_out, NULL },
+#endif
+ { NULL, "", '\0', 0, 0, NULL, NULL, NULL }
};
+/*
+ * Dynamically add a new kernel proxy. Ensure that it is unique in the
+ * collection compiled in and dynamically added.
+ */
int appr_add(ap)
aproxy_t *ap;
{
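Review bot: The `ap_proxies[]` entries are positional initializers and this change widens every row by two function-pointer slots (one after `apr_new`, one at the end, filled by `ippr_ipsec_del` and `ippr_ipsec_match` in the ipsec row), with the terminator row growing from seven to eight initializers; a slot shifted by one would silently bind, say, an "in" handler as "del" with no compiler diagnostic in this C89-style code. A comment above the table naming the slot order as `aproxy_t` declares it (the fields referenced in this diff are apr_next, apr_label, apr_p, apr_ref, apr_flags, apr_new, apr_match; the init/fini/del/in/out names should be taken from the struct) would make the rows checkable by eye. The `netbios` row has a NULL `apr_new`, which the NULL check in `appr_new` tolerates, so that is fine. `appr_add` begins on the last line of the hunk and its body is outside this hunk.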
@@ -133,7 +148,7 @@
sizeof(ap->apr_label)))
return -1;
- for (a = ap_proxylist; a->apr_p; a = a->apr_next)
+ for (a = ap_proxylist; a && a->apr_p; a = a->apr_next)
if ((a->apr_p == ap->apr_p) &&
!strncmp(a->apr_label, ap->apr_label,
sizeof(ap->apr_label)))
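Review bot: The added `a &&` guard makes the duplicate scan safe on an empty `ap_proxylist`, but the loop still also stops at the first entry whose `apr_p` is 0, which for a linked list (as opposed to the `ap_proxies[]` array, whose terminator row has `'\0'`) looks like a holdover: a dynamically added proxy registered with `apr_p == 0` would hide every entry after it from the uniqueness check. If a zero protocol is not a legal value for a dynamically added proxy, rejecting it up front (`if (ap->apr_p == 0) return -1;`) would make that explicit; otherwise the condition should probably be just `a != NULL`. `appr_add` starts and ends outside this hunk.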
@@ -144,6 +159,11 @@
}
+/*
+ * Delete a proxy that has been added dynamically from those available.
+ * If it is in use, return 1 (do not destroy NOW), not in use 0 or -1
+ * if it cannot be matched.
+ */
int appr_del(ap)
aproxy_t *ap;
{
@@ -151,15 +171,19 @@
for (app = &ap_proxylist; (a = *app); app = &a->apr_next)
if (a == ap) {
+ a->apr_flags |= APR_DELETE;
+ *app = a->apr_next;
if (ap->apr_ref != 0)
return 1;
- *app = a->apr_next;
return 0;
}
return -1;
}
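Review bot: `appr_del` now unlinks the entry from `ap_proxylist` and sets `APR_DELETE` before looking at `apr_ref`, so on the `return 1` path the proxy is no longer reachable through the list yet is still referenced by live NAT sessions through their `in_apr`, and a second `appr_del` on the same pointer will report `-1` rather than retrying. Nothing in this hunk shows who frees the structure once the last reference drops, so the contract should be stated in the header comment, e.g. `* On 1 the caller still owns the memory and must keep it valid until apr_ref reaches 0; the APR_DELETE flag stops appr_ok/appr_new/appr_match from handing out new references meanwhile.` The `apr_ref` read and the unlink are not visibly serialised against the code that increments the refcount, which is worth confirming in the callers.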
+/*
+ * Return 1 if the packet is a good match against a proxy, else 0.
+ */
int appr_ok(ip, tcp, nat)
ip_t *ip;
tcphdr_t *tcp;
@@ -168,34 +192,64 @@
aproxy_t *apr = nat->in_apr;
u_short dport = nat->in_dport;
- if (!apr || (apr->apr_flags & APR_DELETE) ||
+ if ((apr == NULL) || (apr->apr_flags & APR_DELETE) ||
(ip->ip_p != apr->apr_p))
return 0;
- if ((tcp && (tcp->th_dport != dport)) || (!tcp && dport))
+ if (((tcp != NULL) && (tcp->th_dport != dport)) || (!tcp && dport))
return 0;
return 1;
}
/*
+ * If a proxy has a match function, call that to do extended packet
+ * matching.
+ */
+int appr_match(fin, nat)
+fr_info_t *fin;
+nat_t *nat;
+{
+ aproxy_t *apr;
+ ipnat_t *ipn;
+
+ ipn = nat->nat_ptr;
+ if (ipn == NULL)
+ return -1;
+ apr = ipn->in_apr;
+ if ((apr == NULL) || (apr->apr_flags & APR_DELETE) ||
+ (nat->nat_aps == NULL))
+ return -1;
+ if (apr->apr_match != NULL)
+ if ((*apr->apr_match)(fin, nat->nat_aps, nat) != 0)
+ return -1;
+ return 0;
+}
+
+
+/*
* Allocate a new application proxy structure and fill it in with the
* relevant details. call the init function once complete, prior to
* returning.
*/
-static ap_session_t *appr_new_session(apr, ip, fin, nat)
-aproxy_t *apr;
+int appr_new(fin, ip, nat)
+fr_info_t *fin;
ip_t *ip;
-fr_info_t *fin;
nat_t *nat;
{
- ap_session_t *aps;
+ register ap_session_t *aps;
+ aproxy_t *apr;
+
+ if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL))
+ return -1;
+
+ apr = nat->nat_ptr->in_apr;
if (!apr || (apr->apr_flags & APR_DELETE) || (ip->ip_p != apr->apr_p))
- return NULL;
+ return -1;
KMALLOC(aps, ap_session_t *);
if (!aps)
- return NULL;
+ return -1;
bzero((char *)aps, sizeof(*aps));
aps->aps_p = ip->ip_p;
aps->aps_data = NULL;
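Review bot: `appr_match` returns `-1` for three distinct situations (no `nat_ptr`, no proxy or session, and the proxy's `apr_match` callback rejecting the packet) and its header comment does not say what the return values mean, so a caller cannot tell "no proxy applies" from "proxy explicitly refused". The comment should spell it out, e.g. `* Returns 0 if the proxy accepts the packet (or has no match function), -1 if there is no proxy/session for this NAT entry or the proxy's match function rejects it.` Stylistically, `appr_new` keeps `if (!apr || ...)` while the surrounding code in this same diff was rewritten to `(apr == NULL)`, and the added `register` on `aps` is a no-op for any compiler this code will meet; `aps->aps_data = NULL;` is also redundant after the `bzero` two lines earlier. `appr_new` continues past the end of this hunk.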
@@ -203,13 +257,17 @@
aps->aps_psiz = 0;
if (apr->apr_new != NULL)
if ((*apr->apr_new)(fin, ip, aps, nat) == -1) {
+ if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
+ KFREES(aps->aps_data, aps->aps_psiz);
KFREE(aps);
- return NULL;
+ return -1;
}
aps->aps_nat = nat;
aps->aps_next = ap_sess_list;
ap_sess_list = aps;
- return aps;
+ nat->nat_aps = aps;
+
+ return 0;
}
@@ -222,16 +280,17 @@
fr_info_t *fin;
nat_t *nat;
{
+#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
+ mb_t *m = fin->fin_qfm;
+ int dosum = 1;
+#endif
+ tcphdr_t *tcp = NULL;
ap_session_t *aps;
aproxy_t *apr;
- tcphdr_t *tcp = NULL;
u_32_t sum;
short rv;
int err;
- if (nat->nat_aps == NULL)
- nat->nat_aps = appr_new_session(nat->nat_ptr->in_apr, ip,
- fin, nat);
aps = nat->nat_aps;
if ((aps != NULL) && (aps->aps_p == ip->ip_p)) {
if (ip->ip_p == IPPROTO_TCP) {
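Review bot: With the lazy `appr_new_session` call removed, `appr_check` now does nothing for a NAT entry whose `nat_aps` is still NULL; the responsibility for calling `appr_new` has moved to a caller not shown in this diff, and a packet arriving before that call will pass through un-proxied. A comment above the `aps = nat->nat_aps;` line would make the new precondition visible, e.g. `/* the proxy session must already have been created by appr_new(); no session means no proxy processing here */`. `dosum` and `m` are declared only under the Solaris `#if`, which matches their only use, so the non-Solaris build is unaffected. `appr_check`'s signature and remainder are outside this hunk.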
@@ -240,8 +299,13 @@
* verify that the checksum is correct. If not, then
* don't do anything with this packet.
*/
-#if SOLARIS && defined(_KERNEL)
- sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
+#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
+ if (dohwcksum && (m->b_ick_flag == ICK_VALID)) {
+ sum = tcp->th_sum;
+ dosum = 0;
+ }
+ if (dosum)
+ sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
#else
sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
#endif
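Review bot: On the new Solaris path `sum = tcp->th_sum;` makes the "verify that the checksum is correct" step from the comment above the hunk depend entirely on the driver's `ICK_VALID` flag and the global `dohwcksum`, because whatever later compares `sum` against the header (outside this hunk) will trivially agree; that is a reasonable trade but it should be said where the trust is placed, e.g. `/* ICK_VALID: the NIC has already verified the TCP checksum; accept it without recomputing */`. Also, `m->b_ick_flag` dereferences `m` directly, whereas before `fin->fin_qfm` was only passed to `fr_tcpsum`, so whether `fin_qfm` can be NULL at this point should be confirmed. The function continues beyond this hunk.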
@@ -262,13 +326,19 @@
}
rv = APR_EXIT(err);
- if (rv == -1)
- return rv;
+ if (rv == 1)
+ return -1;
+ if (rv == 2) {
+ appr_free(apr);
+ nat->nat_aps = NULL;
+ return -1;
+ }
if (tcp != NULL) {