[src/netbsd-1-5]: src/sys/netinet Pull up revisions 1.19-1.24 (requested by m...
details: https://anonhg.NetBSD.org/src/rev/11ef7aac545e
branches: netbsd-1-5
changeset: 492717:11ef7aac545e
user: he <he%NetBSD.org@localhost>
date: Sat Feb 09 17:00:41 2002 +0000
description:
Pull up revisions 1.19-1.24 (requested by martti):
Updated IPFilter to 3.4.23.
diffstat:
sys/netinet/ip_auth.c | 250 ++++++++++++++++++++++++++++++++-----------------
1 files changed, 163 insertions(+), 87 deletions(-)
diffs (truncated from 505 to 300 lines):
diff -r d8e368ec7a6a -r 11ef7aac545e sys/netinet/ip_auth.c
--- a/sys/netinet/ip_auth.c Sat Feb 09 17:00:22 2002 +0000
+++ b/sys/netinet/ip_auth.c Sat Feb 09 17:00:41 2002 +0000
@@ -1,20 +1,10 @@
-/* $NetBSD: ip_auth.c,v 1.17.4.1 2000/08/31 14:49:49 veego Exp $ */
+/* $NetBSD: ip_auth.c,v 1.17.4.2 2002/02/09 17:00:41 he Exp $ */
/*
- * Copyright (C) 1998-2000 by Darren Reed & Guido van Rooij.
+ * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-#if defined(__NetBSD__)
-static const char rcsid[] = "$NetBSD: ip_auth.c,v 1.17.4.1 2000/08/31 14:49:49 veego Exp $";
-#else
-static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.11.2.4 2000/08/05 14:48:50 darrenr Exp";
-#endif
-#endif
-
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -83,7 +73,7 @@
#endif
#include <netinet/tcp.h>
#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
-extern struct ifqueue ipintrq; /* ip packet input queue */
+extern struct ifqueue ipintrq; /* ip packet input queue */
#else
# ifndef linux
# if __FreeBSD_version >= 300000
@@ -113,10 +103,18 @@
# endif
#endif
+#if !defined(lint)
+#if defined(__NetBSD__)
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.17.4.2 2002/02/09 17:00:41 he Exp $");
+#else
+static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.11.2.15 2002/01/01 15:08:01 darrenr Exp";
+#endif
+#endif
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T ipf_auth;
+extern KRWLOCK_T ipf_auth, ipf_mutex;
extern kmutex_t ipf_authmx;
# if SOLARIS
extern kcondvar_t ipfauthwait;
@@ -135,7 +133,8 @@
mb_t *fr_authpkts[FR_NUMAUTH];
static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
static frauthent_t *fae_list = NULL;
-frentry_t *ipauth = NULL;
+frentry_t *ipauth = NULL,
+ *fr_authlist = NULL;
/*
@@ -148,10 +147,12 @@
fr_info_t *fin;
{
u_short id = ip->ip_id;
+ frentry_t *fr;
+ frauth_t *fra;
u_32_t pass;
int i;
- if (fr_auth_lock)
+ if (fr_auth_lock || !fr_authused)
return 0;
READ_ENTER(&ipf_auth);
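Review bot: The new fast-path test `!fr_authused` on the `if` ahead of `return 0` reads the shared counter before `READ_ENTER(&ipf_auth)` is taken, so it can observe a value that fr_newauth or the locked bookkeeping further down is in the middle of changing. A stale non-zero value only costs the locked scan that follows, but a stale zero would pass a packet over once even though an answered entry exists for it; whether the retransmit path makes that harmless is outside this hunk. If the unlocked read is intended, a comment at that line such as `/* unlocked fast path: a stale value only costs or skips one scan */` would stop the next reader from treating it as a bug. fr_authcheck's header and the remainder of its body lie outside this hunk.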
@@ -161,24 +162,54 @@
* case the same packet gets sent again and it hasn't yet been
* auth'd.
*/
- if ((fr_auth[i].fra_index == -2) &&
- (id == fr_auth[i].fra_info.fin_id) &&
- !bcmp((char *)fin,(char *)&fr_auth[i].fra_info,FI_CSIZE)) {
+ fra = fr_auth + i;
+ if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
+ !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
/*
* Avoid feedback loop.
*/
- if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH))
+ if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
pass = FR_BLOCK;
+ /*
+ * Create a dummy rule for the stateful checking to
+ * use and return. Zero out any values we don't
+ * trust from userland!
+ */
+ if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
+ (fin->fin_fi.fi_fl & FI_FRAG))) {
+ KMALLOC(fr, frentry_t *);
+ if (fr) {
+ bcopy((char *)fra->fra_info.fin_fr,
+ fr, sizeof(*fr));
+ fr->fr_grp = NULL;
+ fr->fr_ifa = fin->fin_ifp;
+ fr->fr_func = NULL;
+ fr->fr_ref = 1;
+ fr->fr_flags = pass;
+#if BSD >= 199306
+ fr->fr_oifa = NULL;
+#endif
+ }
+ } else
+ fr = fra->fra_info.fin_fr;
+ fin->fin_fr = fr;
RWLOCK_EXIT(&ipf_auth);
WRITE_ENTER(&ipf_auth);
+ if (fr && fr != fra->fra_info.fin_fr) {
+ fr->fr_next = fr_authlist;
+ fr_authlist = fr;
+ }
fr_authstats.fas_hits++;
- fr_auth[i].fra_index = -1;
+ fra->fra_index = -1;
fr_authused--;
if (i == fr_authstart) {
- while (fr_auth[i].fra_index == -1) {
+ while (fra->fra_index == -1) {
i++;
- if (i == FR_NUMAUTH)
+ fra++;
+ if (i == FR_NUMAUTH) {
i = 0;
+ fra = fr_auth;
+ }
fr_authstart = i;
if (i == fr_authend)
break;
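Review bot: After the read lock is dropped and re-taken for writing (`RWLOCK_EXIT(&ipf_auth); WRITE_ENTER(&ipf_auth);`), the new test `fr != fra->fra_info.fin_fr` re-reads the slot, so if another writer touched `fr_auth[i]` in that window the freshly allocated rule is compared against a different pointer and is either never linked onto fr_authlist (leaking it) or linked when it should not be; the lock gap itself is old, but the new code is what now depends on the slot being unchanged across it. Saving the pointer while still under the read lock, `frentry_t *ofr = fra->fra_info.fin_fr;` before the exit and testing `if (fr && fr != ofr)` after it, removes that dependency, and re-checking `fra->fra_index == -2` after WRITE_ENTER would close the gap fully if other writers (an expiry routine or the ioctl path, not visible here) can reach this slot. Separately, when `KMALLOC(fr, frentry_t *)` fails `fr` stays NULL and `fin->fin_fr = fr` publishes a NULL rule together with a pass that still carries FR_KEEPSTATE; whether the caller tolerates that is outside the hunk and deserves a comment at the `if (fr)` test. fr_authcheck continues past the end of this hunk.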
@@ -214,6 +245,7 @@
#if defined(_KERNEL) && SOLARIS
qif_t *qif = fin->fin_qif;
#endif
+ frauth_t *fra;
int i;
if (fr_auth_lock)
@@ -225,7 +257,7 @@
RWLOCK_EXIT(&ipf_auth);
return 0;
} else {
- if ((fr_authstart == 0) && (fr_authend == FR_NUMAUTH - 1)) {
+ if (fr_authused == FR_NUMAUTH) {
fr_authstats.fas_nospace++;
RWLOCK_EXIT(&ipf_auth);
return 0;
@@ -238,52 +270,49 @@
if (fr_authend == FR_NUMAUTH)
fr_authend = 0;
RWLOCK_EXIT(&ipf_auth);
- fr_auth[i].fra_index = i;
- fr_auth[i].fra_pass = 0;
- fr_auth[i].fra_age = fr_defaultauthage;
- bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin));
-
+ fra = fr_auth + i;
+ fra->fra_index = i;
+ fra->fra_pass = 0;
+ fra->fra_age = fr_defaultauthage;
+ bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
+#if SOLARIS && defined(_KERNEL)
+# if !defined(sparc)
/*
* No need to copyback here as we want to undo the changes, not keep
* them.
*/
-# if SOLARIS && defined(_KERNEL)
if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
-# endif
{
- u_short bo;
+ register u_short bo;
bo = ip->ip_len;
ip->ip_len = htons(bo);
-# if !SOLARIS && !defined(__NetBSD__)
- /* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
- bo = ip->ip_id;
- ip->ip_id = htons(bo);
-# endif
bo = ip->ip_off;
ip->ip_off = htons(bo);
}
-
-#if SOLARIS && defined(_KERNEL)
+# endif
m->b_rptr -= qif->qf_off;
fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
- fr_auth[i].fra_q = qif->qf_q;
+ fra->fra_q = qif->qf_q;
cv_signal(&ipfauthwait);
#else
+# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
+ if (!fin->fin_out) {
+ HTONS(ip->ip_len);
+ HTONS(ip->ip_off);
+ }
+# endif
fr_authpkts[i] = m;
-# if defined(linux) && defined(_KERNEL)
- wake_up_interruptible(&ipfauthwait);
-# else
WAKEUP(&fr_authnext);
-# endif
#endif
return 1;
}
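Review bot: The new `!defined(sparc)` guards on both byte-order blocks (the Solaris one around `register u_short bo;` and the BSD one around `HTONS(ip->ip_len)`) key on a CPU macro with no explanation; on a big-endian target HTONS is the identity, so if that is the reasoning the guard changes nothing there and only puzzles a reader on other platforms. A one-line comment at each `# if`, for instance `/* sparc is big-endian: ip_len/ip_off need no swap here */` if that is indeed the intent, would make the conditional self-explanatory, and keying on a byte-order macro rather than a CPU name would be clearer still. `register` on `bo` is a style point: the previous declaration did without it and it buys nothing. fr_newauth's header starts before this hunk.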
-int fr_auth_ioctl(data, cmd, fr, frptr)
+int fr_auth_ioctl(data, mode, cmd, fr, frptr)
caddr_t data;
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (FreeBSD_version >= 300003)
+int mode;
+#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
u_long cmd;
#else
int cmd;
@@ -293,8 +322,9 @@
mb_t *m;
#if defined(_KERNEL) && !SOLARIS
struct ifqueue *ifq;
+ int s;
#endif
- frauth_t auth, *au = &auth;
+ frauth_t auth, *au = &auth, *fra;
frauthent_t *fae, **faep;
int i, error = 0;
@@ -319,21 +349,26 @@
else
faep = &fae->fae_next;
if (cmd == SIOCRMAFR) {
- if (!fae)
+ if (!fr || !frptr)
+ error = EINVAL;
+ else if (!fae)
error = ESRCH;
else {
WRITE_ENTER(&ipf_auth);
+ SPL_NET(s);
*faep = fae->fae_next;
*frptr = fr->fr_next;
+ SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
KFREE(fae);
}
- } else {
+ } else if (fr && frptr) {
KMALLOC(fae, frauthent_t *);
if (fae != NULL) {
bcopy((char *)fr, (char *)&fae->fae_fr,
sizeof(*fr));
WRITE_ENTER(&ipf_auth);
+ SPL_NET(s);
fae->fae_age = fr_defaultauthage;
fae->fae_fr.fr_hits = 0;
fae->fae_fr.fr_next = *frptr;
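Review bot: The SIOCRMAFR and add-rule branches here modify `fae_list` and the rule chain behind `frptr`, yet unlike `SIOCAUTHW` later in the same switch they carry no `mode & FWRITE` test; if iplioctl already rejects read-only descriptors before dispatching these commands (not visible in this hunk), a comment saying so next to the new `if (!fr || !frptr)` check would document why, otherwise the same `if (!(mode & FWRITE)) { error = EPERM; break; }` belongs at the top of this case. The new `SPL_NET(s)`/`SPL_X(s)` pairs sit inside the write lock on both paths, which is consistent. fr_auth_ioctl's switch statement begins before this hunk and the add path ends after it.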
@@ -341,31 +376,37 @@
fae->fae_next = *faep;
*faep = fae;
ipauth = &fae_list->fae_fr;
+ SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
} else
error = ENOMEM;
- }
+ } else
+ error = EINVAL;
break;
case SIOCATHST:
- READ_ENTER(&ipf_auth);
fr_authstats.fas_faelist = fae_list;
- RWLOCK_EXIT(&ipf_auth);
error = IWCOPYPTR((char *)&fr_authstats, data,
sizeof(fr_authstats));
break;
case SIOCAUTHW:
+ if (!(mode & FWRITE)) {
+ error = EPERM;
+ break;
+ }
fr_authioctlloop:
READ_ENTER(&ipf_auth);
if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
- sizeof(fr_info_t));