Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-1-5]: src/sys/netinet Pull up revisions 1.59-1.75 (via patch, req...
details: https://anonhg.NetBSD.org/src/rev/0be96272a991
branches: netbsd-1-5
changeset: 492710:0be96272a991
user: he <he%NetBSD.org@localhost>
date: Sat Feb 09 16:58:05 2002 +0000
description:
Pull up revisions 1.59-1.75 (via patch, requested by martti):
Updated IPFilter to 3.4.23.
diffstat:
sys/netinet/ip_fil.c | 730 +++++++++++++++++++++++++++++++++++++-------------
1 files changed, 540 insertions(+), 190 deletions(-)
diffs (truncated from 1250 to 300 lines):
diff -r 64e58db511f3 -r 0be96272a991 sys/netinet/ip_fil.c
--- a/sys/netinet/ip_fil.c Sat Feb 09 16:56:53 2002 +0000
+++ b/sys/netinet/ip_fil.c Sat Feb 09 16:58:05 2002 +0000
@@ -1,26 +1,15 @@
-/* $NetBSD: ip_fil.c,v 1.55.2.4 2000/08/31 14:49:49 veego Exp $ */
+/* $NetBSD: ip_fil.c,v 1.55.2.5 2002/02/09 16:58:05 he Exp $ */
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-#if defined(__NetBSD__)
-static const char rcsid[] = "$NetBSD: ip_fil.c,v 1.55.2.4 2000/08/31 14:49:49 veego Exp $";
-#else
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.42.2.15 2000/08/05 14:49:08 darrenr Exp";
-#endif
-#endif
-
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
-#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
+#if defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
#endif
#if defined(_KERNEL) && defined(__FreeBSD_version) && \
@@ -29,7 +18,7 @@
#endif
#include <sys/param.h>
#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
- defined(_KERNEL) && !defined(_LKM)
+ defined(_KERNEL) && !defined(_LKM)
# include "opt_ipfilter_log.h"
#endif
#if defined(__FreeBSD__) && !defined(__FreeBSD_version)
@@ -106,12 +95,16 @@
#include "netinet/ip_compat.h"
#ifdef USE_INET6
# include <netinet/icmp6.h>
+# if !SOLARIS
+# include <netinet6/ip6protosw.h>
+# include <netinet6/nd6.h>
+# endif
#endif
#include "netinet/ip_fil.h"
-#include "netinet/ip_proxy.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
+#include "netinet/ip_proxy.h"
#include "netinet/ip_auth.h"
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
@@ -124,6 +117,16 @@
extern int ip_optcopy __P((struct ip *, struct ip *));
#endif
+#if !defined(lint)
+#if defined(__NetBSD__)
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: ip_fil.c,v 1.55.2.5 2002/02/09 16:58:05 he Exp $");
+#else
+static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
+static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.42.2.48 2002/01/01 13:34:05 darrenr Exp";
+#endif
+#endif
+
extern struct protosw inetsw[];
@@ -137,7 +140,11 @@
# endif
#endif
+#ifdef ICMP_UNREACH_FILTER_PROHIB
+int ipl_unreach = ICMP_UNREACH_FILTER_PROHIB;
+#else
int ipl_unreach = ICMP_UNREACH_FILTER;
+#endif
u_long ipl_frouteok[2] = {0, 0};
static int frzerostats __P((caddr_t));
@@ -148,7 +155,11 @@
#endif
#ifdef _KERNEL
static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **));
-static int send_ip __P((ip_t *, fr_info_t *, struct mbuf *));
+static int send_ip __P((ip_t *, fr_info_t *, struct mbuf **));
+# ifdef USE_INET6
+static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **,
+ fr_info_t *, frdest_t *));
+# endif
# ifdef __sgi
extern kmutex_t ipf_rw;
extern KRWLOCK_T ipf_mutex;
@@ -177,6 +188,13 @@
# include <sys/callout.h>
struct callout ipfr_slowtimer_ch;
#endif
+#if defined(__OpenBSD__)
+# include <sys/timeout.h>
+struct timeout ipfr_slowtimer_ch;
+#endif
+#if defined(__sgi) && defined(_KERNEL)
+toid_t ipfr_slowtimer_ch;
+#endif
#if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
# include <sys/device.h>
@@ -205,6 +223,77 @@
# endif /* NETBSD_PF */
#endif /* __NetBSD__ */
+
+#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000) && \
+ defined(_KERNEL)
+# include <net/pfil.h>
+
+static int fr_check_wrapper(void *, struct mbuf **, struct ifnet *, int );
+
+static int fr_check_wrapper(arg, mp, ifp, dir)
+void *arg;
+struct mbuf **mp;
+struct ifnet *ifp;
+int dir;
+{
+ struct ip *ip = mtod(*mp, struct ip *);
+ int rv, hlen = ip->ip_hl << 2;
+
+#if defined(M_CSUM_TCPv4)
+ /*
+ * If the packet is out-bound, we can't delay checksums
+ * here. For in-bound, the checksum has already been
+ * validated.
+ */
+ if (dir == PFIL_OUT) {
+ if ((*mp)->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
+ in_delayed_cksum(*mp);
+ (*mp)->m_pkthdr.csum_flags &=
+ ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
+ }
+ }
+#endif /* M_CSUM_TCPv4 */
+
+ /*
+ * We get the packet with all fields in network byte
+ * order. We expect ip_len and ip_off to be in host
+ * order. We frob them, call the filter, then frob
+ * them back.
+ *
+ * Note, we don't need to update the checksum, because
+ * it has already been verified.
+ */
+ NTOHS(ip->ip_len);
+ NTOHS(ip->ip_off);
+
+ rv = fr_check(ip, hlen, ifp, (dir == PFIL_OUT), mp);
+
+ if (rv == 0 && *mp != NULL) {
+ ip = mtod(*mp, struct ip *);
+ HTONS(ip->ip_len);
+ HTONS(ip->ip_off);
+ }
+
+ return (rv);
+}
+
+# ifdef USE_INET6
+# include <netinet/ip6.h>
+
+static int fr_check_wrapper6(void *, struct mbuf **, struct ifnet *, int );
+
+static int fr_check_wrapper6(arg, mp, ifp, dir)
+void *arg;
+struct mbuf **mp;
+struct ifnet *ifp;
+int dir;
+{
+
+ return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
+ ifp, (dir == PFIL_OUT), mp));
+}
+# endif
+#endif /* __NetBSD_Version >= 105110000 && _KERNEL */
#ifdef _KERNEL
# if defined(IPFILTER_LKM) && !defined(__sgi)
int iplidentify(s)
@@ -218,9 +307,9 @@
/*
- * BSD pseudo-device attach routine; this is a no-op.
+ * Try to detect the case when compiling for NetBSD with pseudo-device
*/
-# if defined(__NetBSD__)
+# if defined(__NetBSD__) && defined(PFIL_HOOKS)
void
ipfilterattach(count)
int count;
@@ -245,6 +334,12 @@
# if defined(__sgi) || (defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000))
int error = 0;
# endif
+#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000)
+ struct pfil_head *ph_inet;
+# ifdef USE_INET6
+ struct pfil_head *ph_inet6;
+# endif
+#endif
SPL_NET(s);
if (fr_running || (fr_checkp == fr_check)) {
@@ -256,21 +351,47 @@
# ifdef IPFILTER_LOG
ipflog_init();
# endif
- if (nat_init() == -1)
+ if (nat_init() == -1) {
+ SPL_X(s);
return EIO;
- if (fr_stateinit() == -1)
+ }
+ if (fr_stateinit() == -1) {
+ SPL_X(s);
return EIO;
- if (appr_init() == -1)
+ }
+ if (appr_init() == -1) {
+ SPL_X(s);
return EIO;
+ }
# ifdef NETBSD_PF
# if __NetBSD_Version__ >= 104200000
+# if __NetBSD_Version__ >= 105110000
+ ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
+# ifdef USE_INET6
+ ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
+# endif
+ if (ph_inet == NULL
+# ifdef USE_INET6
+ && ph_inet6 == NULL
+# endif
+ )
+ return ENODEV;
+
+ if (ph_inet != NULL)
+ error = pfil_add_hook((void *)fr_check_wrapper, NULL,
+ PFIL_IN|PFIL_OUT, ph_inet);
+ else
+ error = 0;
+# else
error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
&inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+# endif
if (error) {
# ifdef USE_INET6
goto pfil_error;
# else
+ SPL_X(s);
appr_unload();
ip_natunload();
fr_stateunload();
@@ -281,12 +402,24 @@
pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
# endif
# ifdef USE_INET6
+# if __NetBSD_Version__ >= 105110000
+ if (ph_inet6 != NULL)
+ error = pfil_add_hook((void *)fr_check_wrapper6, NULL,
+ PFIL_IN|PFIL_OUT, ph_inet6);
+ else
+ error = 0;
+ if (error) {
+ pfil_remove_hook((void *)fr_check_wrapper6, NULL,
+ PFIL_IN|PFIL_OUT, ph_inet6);
+# else
error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
- &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
+ &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
if (error) {
pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
&inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+# endif
pfil_error:
+ SPL_X(s);
appr_unload();
ip_natunload();
fr_stateunload();
@@ -331,10 +464,15 @@
callout_init(&ipfr_slowtimer_ch);
callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
Home |
Main Index |
Thread Index |
Old Index