[src/netbsd-1-5]: src/sys/netinet Pull up revisions 1.28-1.29, 1.31-1.24 (via ...
details: https://anonhg.NetBSD.org/src/rev/6503d77f686c
branches: netbsd-1-5
changeset: 492715:6503d77f686c
user: he <he%NetBSD.org@localhost>
date: Sat Feb 09 17:00:03 2002 +0000
description:
Pull up revisions 1.28-1.29,1.31-1.24 (via patch, requested by martti):
Updated IPFilter to 3.4.23.
diffstat:
sys/netinet/ip_state.c | 845 +++++++++++++++++++++++++++++++-----------------
1 files changed, 542 insertions(+), 303 deletions(-)
diffs (truncated from 1481 to 300 lines):
diff -r 9e35b2372702 -r 6503d77f686c sys/netinet/ip_state.c
--- a/sys/netinet/ip_state.c Sat Feb 09 16:59:42 2002 +0000
+++ b/sys/netinet/ip_state.c Sat Feb 09 17:00:03 2002 +0000
@@ -1,27 +1,16 @@
-/* $NetBSD: ip_state.c,v 1.26.4.2 2001/04/14 20:57:34 he Exp $ */
+/* $NetBSD: ip_state.c,v 1.26.4.3 2002/02/09 17:00:03 he Exp $ */
/*
- * Copyright (C) 1995-2000 by Darren Reed.
+ * Copyright (C) 1995-2002 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-#if defined(__NetBSD__)
-static const char rcsid[] = "$NetBSD: ip_state.c,v 1.26.4.2 2001/04/14 20:57:34 he Exp $";
-#else
-static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_state.c,v 2.30.2.17 2000/08/08 16:01:03 darrenr Exp";
-#endif
-#endif
-
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/file.h>
#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
- defined(_KERNEL) && !defined(_LKM)
+ defined(_KERNEL)
# include "opt_ipfilter_log.h"
#endif
#if defined(_KERNEL) && defined(__FreeBSD_version) && \
@@ -90,7 +79,6 @@
#include "netinet/ip_fil.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
-#include "netinet/ip_proxy.h"
#include "netinet/ip_state.h"
#ifdef USE_INET6
#include <netinet/icmp6.h>
@@ -103,6 +91,15 @@
# endif
#endif
+#if !defined(lint)
+#if defined(__NetBSD__)
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.26.4.3 2002/02/09 17:00:03 he Exp $");
+static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
+static const char rcsid[] = "@(#)Id: ip_state.c,v 2.30.2.58 2002/01/15 14:36:49 darrenr Exp";
+#endif
+#endif
+
#ifndef MIN
# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
@@ -110,8 +107,8 @@
#define TCP_CLOSE (TH_FIN|TH_RST)
static ipstate_t **ips_table = NULL;
-static ipstate_t *ips_list = NULL;
static int ips_num = 0;
+static int ips_wild = 0;
static ips_stat_t ips_stats;
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
extern KRWLOCK_T ipf_state, ipf_mutex;
@@ -129,6 +126,7 @@
static ips_stat_t *fr_statetstats __P((void));
static void fr_delstate __P((ipstate_t *));
static int fr_state_remove __P((caddr_t));
+static void fr_ipsmove __P((ipstate_t **, ipstate_t *, u_int));
int fr_stputent __P((caddr_t));
int fr_stgetent __P((caddr_t));
void fr_stinsert __P((ipstate_t *));
@@ -141,15 +139,22 @@
fr_tcpclosewait = 2 * TCP_MSL,
fr_tcplastack = 2 * TCP_MSL,
fr_tcptimeout = 2 * TCP_MSL,
- fr_tcpclosed = 1,
+ fr_tcpclosed = 120,
+ fr_tcphalfclosed = 2 * 2 * 3600, /* 2 hours */
fr_udptimeout = 240,
- fr_icmptimeout = 120;
+ fr_udpacktimeout = 24,
+ fr_icmptimeout = 120,
+ fr_icmpacktimeout = 12;
int fr_statemax = IPSTATE_MAX,
fr_statesize = IPSTATE_SIZE;
int fr_state_doflush = 0,
fr_state_lock = 0;
+ipstate_t *ips_list = NULL;
static int icmpreplytype4[ICMP_MAXTYPE + 1];
+#ifdef USE_INET6
+static int icmpreplytype6[ICMP6_MAXTYPE + 1];
+#endif
int fr_stateinit()
{
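Review bot: The new timeout initializers fr_tcpclosed, fr_tcphalfclosed, fr_udpacktimeout and fr_icmpacktimeout carry no unit; the only hint is `/* 2 hours */` on `2 * 2 * 3600`, which implies half-second ticks, and the later comment in fr_state_flush confirms the counter runs every half second. A one-line comment at the head of the list, `/* state timeouts are in half-second ticks */`, would make the 1 -> 120 jump in fr_tcpclosed (one tick to a minute) readable as the intended change rather than a typo. The declaration this hunk edits begins before the hunk, so the comment belongs on its first line outside this view.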
@@ -168,6 +173,16 @@
icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY;
icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY;
icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY;
+#ifdef USE_INET6
+ /* fill icmp reply type table */
+ for (i = 0; i <= ICMP6_MAXTYPE; i++)
+ icmpreplytype6[i] = -1;
+ icmpreplytype6[ICMP6_ECHO_REQUEST] = ICMP6_ECHO_REPLY;
+ icmpreplytype6[ICMP6_MEMBERSHIP_QUERY] = ICMP6_MEMBERSHIP_REPORT;
+ icmpreplytype6[ICMP6_NI_QUERY] = ICMP6_NI_REPLY;
+ icmpreplytype6[ND_ROUTER_SOLICIT] = ND_ROUTER_ADVERT;
+ icmpreplytype6[ND_NEIGHBOR_SOLICIT] = ND_NEIGHBOR_ADVERT;
+#endif
return 0;
}
@@ -187,15 +202,18 @@
* which == 0 : flush all state table entries
* which == 1 : flush TCP connections which have started to close but are
* stuck for some reason.
+ * which == 2 : flush TCP connections which have been idle for a long time,
+ * starting at > 4 days idle and working back in successive half-
+ * days to at most 12 hours old.
*/
static int fr_state_flush(which)
int which;
{
- register ipstate_t *is, **isp;
+ ipstate_t *is, **isp;
#if defined(_KERNEL) && !SOLARIS
int s;
#endif
- int delete, removed = 0;
+ int delete, removed = 0, try;
SPL_NET(s);
for (isp = &ips_list; (is = *isp); ) {
@@ -207,6 +225,7 @@
delete = 1;
break;
case 1 :
+ case 2 :
if (is->is_p != IPPROTO_TCP)
break;
if ((is->is_state[0] != TCPS_ESTABLISHED) ||
@@ -228,6 +247,40 @@
} else
isp = &is->is_next;
}
+
+ /*
+ * Asked to remove inactive entries, try again if first attempt
+ * failed. In this case, 86400 is half a day because the counter is
+ * activated every half second.
+ */
+ if ((which == 2) && (removed == 0)) {
+ try = 86400; /* half a day */
+ for (; (try < FIVE_DAYS) && (removed == 0); try += 86400) {
+ for (isp = &ips_list; (is = *isp); ) {
+ delete = 0;
+ if ((is->is_p == IPPROTO_TCP) &&
+ ((is->is_state[0] == TCPS_ESTABLISHED) ||
+ (is->is_state[1] == TCPS_ESTABLISHED)) &&
+ (is->is_age < try)) {
+ ips_stats.iss_fin++;
+ delete = 1;
+ } else if ((is->is_p != IPPROTO_TCP) &&
+ (is->is_pkts > 1)) {
+ ips_stats.iss_expire++;
+ delete = 1;
+ }
+ if (delete) {
+#ifdef IPFILTER_LOG
+ ipstate_log(is, ISL_FLUSH);
+#endif
+ fr_delstate(is);
+ removed++;
+ } else
+ isp = &is->is_next;
+ }
+ }
+ }
+
SPL_X(s);
return removed;
}
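Review bot: In the retry loop the non-TCP branch, `(is->is_p != IPPROTO_TCP) && (is->is_pkts > 1)`, never consults is_age, so on the very first pass with try = 86400 every UDP/ICMP entry that has seen more than one packet is flushed no matter how recently it was used; that does not match the "remove inactive entries" comment above it, and the `which == 2` description earlier in the function speaks only of TCP connections. If that is intended the comment should say so; otherwise the branch wants an age test parallel to the TCP one, e.g. `(is->is_pkts > 1) && (is->is_age < try)`. Whether `is_age < try` selects the oldest entries first depends on is_age counting remaining lifetime rather than elapsed idle time, which is not visible here. fr_state_flush starts outside this hunk.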
@@ -244,12 +297,15 @@
if (error)
return EFAULT;
+ WRITE_ENTER(&ipf_state);
for (sp = ips_list; sp; sp = sp->is_next)
if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
- !bcmp(&sp->is_src, &st.is_src, sizeof(st.is_src)) &&
- !bcmp(&sp->is_dst, &st.is_src, sizeof(st.is_dst)) &&
- !bcmp(&sp->is_ps, &st.is_ps, sizeof(st.is_ps))) {
- WRITE_ENTER(&ipf_state);
+ !bcmp((char *)&sp->is_src, (char *)&st.is_src,
+ sizeof(st.is_src)) &&
+ !bcmp((char *)&sp->is_dst, (char *)&st.is_src,
+ sizeof(st.is_dst)) &&
+ !bcmp((char *)&sp->is_ps, (char *)&st.is_ps,
+ sizeof(st.is_ps))) {
#ifdef IPFILTER_LOG
ipstate_log(sp, ISL_REMOVE);
#endif
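Review bot: The rewritten comparison `!bcmp((char *)&sp->is_dst, (char *)&st.is_src, sizeof(st.is_dst))` still tests the entry's destination against the request's source, so a remove request matches only entries whose destination equals the supplied source and an ordinary entry will usually fall through to ESRCH; the old lines had the same mismatch and this reformat was the place to fix it. It should read `!bcmp((char *)&sp->is_dst, (char *)&st.is_dst, sizeof(st.is_dst)) &&`. Moving WRITE_ENTER ahead of the list walk is right, since the walk previously read ips_list without the lock; the matching release on the ESRCH path is added in the following hunk. fr_state_remove begins outside this hunk.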
@@ -257,6 +313,7 @@
RWLOCK_EXIT(&ipf_state);
return 0;
}
+ RWLOCK_EXIT(&ipf_state);
return ESRCH;
}
@@ -307,8 +364,8 @@
break;
case FIONREAD :
#ifdef IPFILTER_LOG
- error = IWCOPY((caddr_t)&iplused[IPL_LOGSTATE], (caddr_t)data,
- sizeof(iplused[IPL_LOGSTATE]));
+ arg = (int)iplused[IPL_LOGSTATE];
+ error = IWCOPY((caddr_t)&arg, (caddr_t)data, sizeof(arg));
#endif
break;
case SIOCSTLCK :
@@ -336,19 +393,19 @@
}
+/*
+ * Copy out state information from the kernel to a user space process.
+ */
int fr_stgetent(data)
caddr_t data;
{
register ipstate_t *is, *isn;
- ipstate_save_t ips, *ipsp;
+ ipstate_save_t ips;
int error;
- error = IRCOPY(data, (caddr_t)&ipsp, sizeof(ipsp));
+ error = IRCOPYPTR(data, (caddr_t)&ips, sizeof(ips));
if (error)
- return EFAULT;
- error = IRCOPY((caddr_t)ipsp, (caddr_t)&ips, sizeof(ips));
- if (error)
- return EFAULT;
+ return error;
isn = ips.ips_next;
if (!isn) {
@@ -375,7 +432,7 @@
if (isn->is_rule)
bcopy((char *)isn->is_rule, (char *)&ips.ips_fr,
sizeof(ips.ips_fr));
- error = IWCOPY((caddr_t)&ips, ipsp, sizeof(ips));
+ error = IWCOPYPTR((caddr_t)&ips, data, sizeof(ips));
if (error)
error = EFAULT;
return error;
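Review bot: The write-back path keeps `if (error) error = EFAULT;` after IWCOPYPTR, while the read path at the top of the same function now returns IRCOPYPTR's result unchanged (`return error;`), and fr_stputent's hunk makes the same change, so the two copy directions in fr_stgetent report failures differently. If the EFAULT mapping exists because the copy helpers do not return an errno value on every platform, the new bare `return error` in both functions leaks that through; if they do return errno values, the mapping here is redundant and can become `return IWCOPYPTR((caddr_t)&ips, data, sizeof(ips));`. Either way the two paths should agree. fr_stgetent's body is split across this and the preceding hunk.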
@@ -386,16 +443,14 @@
caddr_t data;
{
register ipstate_t *is, *isn;
- ipstate_save_t ips, *ipsp;
- int error, out;
+ ipstate_save_t ips;
+ int error, out, i;
frentry_t *fr;
+ char *name;
- error = IRCOPY(data, (caddr_t)&ipsp, sizeof(ipsp));
+ error = IRCOPYPTR(data, (caddr_t)&ips, sizeof(ips));
if (error)
- return EFAULT;
- error = IRCOPY((caddr_t)ipsp, (caddr_t)&ips, sizeof(ips));
- if (error)
- return EFAULT;
+ return error;
KMALLOC(isn, ipstate_t *);
if (isn == NULL)
@@ -414,24 +469,34 @@
out = fr->fr_flags & FR_OUTQUE ? 1 : 0;
isn->is_rule = fr;
ips.ips_is.is_rule = fr;
- if (*fr->fr_ifname) {
- fr->fr_ifa = GETUNIT(fr->fr_ifname, fr->fr_v);
- if (fr->fr_ifa == NULL)
- fr->fr_ifa = (void *)-1;
-#ifdef _KERNEL
- else {
- strncpy(isn->is_ifname[out],
- IFNAME(fr->fr_ifa), IFNAMSIZ);
- isn->is_ifp[out] = fr->fr_ifa;
+
+ /*