search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Reduce ifnet.if_serializer contention on output path:
[dragonfly.git] / sys / contrib / ipfilter / netinet / ip_fil.c
blob2be449de65a150e9bc4208a46dce6f43f8101f1f
1 /*
2 * Copyright (C) 1993-2001 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * @(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed
7 * @(#)$Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp $
8 * $FreeBSD: src/sys/contrib/ipfilter/netinet/ip_fil.c,v 1.25.2.7 2004/07/04 09:24:38 darrenr Exp $
9 * $DragonFly: src/sys/contrib/ipfilter/netinet/ip_fil.c,v 1.27 2008/05/14 11:59:18 sephe Exp $
10 */
11 #ifndef SOLARIS
12 #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
13 #endif
14
15 #if defined(KERNEL) && !defined(_KERNEL)
16 # define _KERNEL
17 #endif
18 #if defined(_KERNEL) && (defined(__DragonFly__) || (defined(__FreeBSD_version) && \
19 (__FreeBSD_version >= 400000))) && !defined(KLD_MODULE)
20 #include "opt_inet6.h"
21 #endif
22 #include <sys/param.h>
23 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
24 defined(_KERNEL) && !defined(_LKM)
25 # include "opt_ipfilter_log.h"
26 #endif
27 #if defined(__FreeBSD__) && !defined(__FreeBSD_version)
28 # if !defined(_KERNEL) || defined(IPFILTER_LKM)
29 # include <osreldate.h>
30 # endif
31 #endif
32 #if defined(__sgi) && (IRIX > 602)
33 # define _KMEMUSER
34 # include <sys/ptimers.h>
35 #endif
36 #ifndef _KERNEL
37 # include <stdio.h>
38 # include <string.h>
39 # include <stdlib.h>
40 # include <ctype.h>
41 # include <fcntl.h>
42 #define ksprintf sprintf
43 #endif
44 #include <sys/errno.h>
45 #include <sys/types.h>
46 #include <sys/file.h>
47 #if (defined(__DragonFly__) || __FreeBSD_version >= 220000) && defined(_KERNEL)
48 # include <sys/fcntl.h>
49 # include <sys/filio.h>
50 #else
51 # include <sys/ioctl.h>
52 #endif
53 #include <sys/time.h>
54 #ifdef _KERNEL
55 # include <sys/systm.h>
56 #endif
57 #if !SOLARIS
58 # if defined(__DragonFly__) || (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
59 # include <sys/dirent.h>
60 # else
61 # include <sys/dir.h>
62 # endif
63 # include <sys/mbuf.h>
64 #else
65 # include <sys/filio.h>
66 #endif
67 #include <sys/protosw.h>
68 #include <sys/socket.h>
69 #if defined(__DragonFly__) && defined(_KERNEL)
70 # include <sys/thread2.h>
71 #endif
72
73 #include <net/if.h>
74 #ifdef sun
75 # include <net/af.h>
76 #endif
77 #if defined(__DragonFly__) || __FreeBSD_version >= 300000
78 # include <net/if_var.h>
79 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
80 # include "opt_ipfilter.h"
81 # endif
82 #endif
83 #ifdef __sgi
84 #include <sys/debug.h>
85 # ifdef IFF_DRVRLOCK /* IRIX6 */
86 #include <sys/hashing.h>
87 # endif
88 #endif
89 #include <net/route.h>
90 #include <netinet/in.h>
91 #if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */
92 # include <netinet/in_var.h>
93 #endif
94 #include <netinet/in_systm.h>
95 #include <netinet/ip.h>
96 #include <netinet/ip_var.h>
97 #include <netinet/tcp.h>
98 #include <netinet/udp.h>
99 #include <netinet/tcpip.h>
100 #include <netinet/ip_icmp.h>
101 #ifndef _KERNEL
102 # include <unistd.h>
103 # include <syslog.h>
104 #endif
105 #include "ip_compat.h"
106 #ifdef USE_INET6
107 # include <netinet/icmp6.h>
108 # if !SOLARIS
109 # include <netinet6/ip6protosw.h>
110 # include <netinet6/nd6.h>
111 # endif
112 #endif
113 #include "ip_fil.h"
114 #include "ip_nat.h"
115 #include "ip_frag.h"
116 #include "ip_state.h"
117 #include "ip_proxy.h"
118 #include "ip_auth.h"
119 #if defined(__DragonFly__) || (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000))
120 # include <sys/malloc.h>
121 #endif
122 #ifndef MIN
123 # define MIN(a,b) (((a)<(b))?(a):(b))
124 #endif
125 #if !SOLARIS && defined(_KERNEL) && !defined(__sgi)
126 # include <sys/kernel.h>
127 extern int ip_optcopy (struct ip *, struct ip *);
128 #endif
129 #if defined(OpenBSD) && (OpenBSD >= 200211) && defined(_KERNEL)
130 extern int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
131 struct ifnet *, struct in6_addr *, u_long *);
132 #endif
133
134 #include <sys/in_cksum.h>
135
136 static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
137
138 #ifndef _KERNEL
139 # include "ipt.h"
140 static struct ifnet **ifneta = NULL;
141 static int nifs = 0;
142 #else
143 # if (BSD < 199306) || defined(__sgi)
144 extern int tcp_ttl;
145 # endif
146 #endif
147
148 #ifdef ICMP_UNREACH_FILTER_PROHIB
149 int ipl_unreach = ICMP_UNREACH_FILTER_PROHIB;
150 #else
151 int ipl_unreach = ICMP_UNREACH_FILTER;
152 #endif
153 u_long ipl_frouteok[2] = {0, 0};
154
155 static int frzerostats (caddr_t);
156 #if defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
157 static int frrequest (int, u_long, caddr_t, int);
158 #else
159 static int frrequest (int, int, caddr_t, int);
160 #endif
161 #ifdef _KERNEL
162 static int (*fr_savep) (ip_t *, int, void *, int, struct mbuf **);
163 static int send_ip (ip_t *, fr_info_t *, struct mbuf **);
164 # ifdef USE_INET6
165 static int ipfr_fastroute6 (struct mbuf *, struct mbuf **,
166 fr_info_t *, frdest_t *);
167 # endif
168 # ifdef __sgi
169 extern int tcp_mtudisc;
170 extern kmutex_t ipf_rw;
171 extern KRWLOCK_T ipf_mutex;
172 # endif
173 #else
174 void init_ifp (void);
175 # if defined(__sgi) && (IRIX < 605)
176 static int no_output (struct ifnet *, struct mbuf *,
177 struct sockaddr *);
178 static int write_output (struct ifnet *, struct mbuf *,
179 struct sockaddr *);
180 # else
181 static int no_output (struct ifnet *, struct mbuf *,
182 struct sockaddr *, struct rtentry *);
183 static int write_output (struct ifnet *, struct mbuf *,
184 struct sockaddr *, struct rtentry *);
185 # endif
186 #endif
187 int fr_running = 0;
188
189 #if (defined(__DragonFly__) || __FreeBSD_version >= 300000) && defined(_KERNEL)
190 struct callout ipfr_slowtimer_ch;
191 #endif
192 #if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
193 # include <sys/callout.h>
194 struct callout ipfr_slowtimer_ch;
195 #endif
196 #if defined(__OpenBSD__)
197 # include <sys/timeout.h>
198 struct timeout ipfr_slowtimer_ch;
199 #endif
200 #if defined(__sgi) && defined(_KERNEL)
201 toid_t ipfr_slowtimer_ch;
202 #endif
203
204 #if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) && \
205 defined(_KERNEL)
206 # include <sys/conf.h>
207 const struct cdevsw ipl_cdevsw = {
208 iplopen, iplclose, iplread, nowrite, iplioctl,
209 nostop, notty, nopoll, nommap,
210 };
211 #endif
212
213 #if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
214 # include <sys/device.h>
215 # include <sys/conf.h>
216
217 struct cfdriver iplcd = {
218 NULL, "ipl", NULL, NULL, DV_DULL, 0
219 };
220
221 struct devsw iplsw = {
222 &iplcd,
223 iplopen, iplclose, iplread, nowrite, iplioctl, noselect, nommap,
224 nostrat, nodump, nopsize, 0,
225 nostop
226 };
227 #endif /* _BSDI_VERSION >= 199510 && _KERNEL */
228
229 #if defined(__NetBSD__) || defined(__OpenBSD__) || \
230 (_BSDI_VERSION >= 199701) || (defined(__DragonFly_version) && \
231 (__DragonFly_version >= 100000))
232 # include <sys/conf.h>
233 # if defined(NETBSD_PF)
234 # include <net/pfil.h>
235 /*
236 * We provide the fr_checkp name just to minimize changes later.
237 */
238 int (*fr_checkp) (ip_t *ip, int hlen, void *ifp, int out, mb_t **mp);
239 # endif /* NETBSD_PF */
240 #endif /* __NetBSD__ */
241
242
243 #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000) && \
244 defined(_KERNEL)
245 # include <net/pfil.h>
246
247 static int fr_check_wrapper(void *, struct mbuf **, struct ifnet *, int );
248
249 static int fr_check_wrapper(arg, mp, ifp, dir)
250 void *arg;
251 struct mbuf **mp;
252 struct ifnet *ifp;
253 int dir;
254 {
255 struct ip *ip = mtod(*mp, struct ip *);
256 int rv, hlen = ip->ip_hl << 2;
257
258 #if defined(M_CSUM_TCPv4)
259 /*
260 * If the packet is out-bound, we can't delay checksums
261 * here. For in-bound, the checksum has already been
262 * validated.
263 */
264 if (dir == PFIL_OUT) {
265 if ((*mp)->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
266 in_delayed_cksum(*mp);
267 (*mp)->m_pkthdr.csum_flags &=
268 ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
269 }
270 }
271 #endif /* M_CSUM_TCPv4 */
272
273 /*
274 * We get the packet with all fields in network byte
275 * order. We expect ip_len and ip_off to be in host
276 * order. We frob them, call the filter, then frob
277 * them back.
278 *
279 * Note, we don't need to update the checksum, because
280 * it has already been verified.
281 */
282 ip->ip_len = ntohs(ip->ip_len);
283 ip->ip_off = ntohs(ip->ip_off);
284
285 rv = fr_check(ip, hlen, ifp, (dir == PFIL_OUT), mp);
286
287 if (rv == 0 && *mp != NULL) {
288 ip = mtod(*mp, struct ip *);
289 ip->ip_len = htons(ip->ip_len);
290 ip->ip_off = htnos(ip->ip_off);
291 }
292
293 return (rv);
294 }
295
296 # ifdef USE_INET6
297 # include <netinet/ip6.h>
298
299 static int fr_check_wrapper6(void *, struct mbuf **, struct ifnet *, int );
300
301 static int fr_check_wrapper6(arg, mp, ifp, dir)
302 void *arg;
303 struct mbuf **mp;
304 struct ifnet *ifp;
305 int dir;
306 {
307
308 return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
309 ifp, (dir == PFIL_OUT), mp));
310 }
311 # endif
312 #endif /* __NetBSD_Version >= 105110000 && _KERNEL */
313 #if defined(__DragonFly_version) && (__DragonFly_version >= 100000) && \
314 defined(_KERNEL)
315
316 static int
317 fr_check_wrapper(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
318 {
319 struct ip *ip = mtod(*mp, struct ip *);
320 return fr_check(ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT), mp);
321 }
322
323 # ifdef USE_INET6
324 # include <netinet/ip6.h>
325
326 static int
327 fr_check_wrapper6(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
328 {
329 return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
330 ifp, (dir == PFIL_OUT), mp));
331 }
332 # endif /* USE_INET6 */
333 #endif /* __DragonFly_version >= 100000 && _KERNEL */
334 #ifdef _KERNEL
335 # if defined(IPFILTER_LKM) && !defined(__sgi)
336 int iplidentify(s)
337 char *s;
338 {
339 if (strcmp(s, "ipl") == 0)
340 return 1;
341 return 0;
342 }
343 # endif /* IPFILTER_LKM */
344
345
346 /*
347 * Try to detect the case when compiling for NetBSD with pseudo-device
348 */
349 # if defined(__NetBSD__) && defined(PFIL_HOOKS)
350 void
351 ipfilterattach(count)
352 int count;
353 {
354
355 /*
356 * Do nothing here, really. The filter will be enabled
357 * by the SIOCFRENB ioctl.
358 */
359 }
360 # endif
361
362
363 # if defined(__NetBSD__) || defined(__OpenBSD__)
364 int ipl_enable()
365 # else
366 int iplattach()
367 # endif
368 {
369 char *defpass;
370 # if !defined(__DragonFly__)
371 int s;
372 # endif
373 # if defined(__sgi) || (defined(NETBSD_PF) && \
374 (__NetBSD_Version__ >= 104200000)) || \
375 (defined(__DragonFly_version) && (__DragonFly_version >= 100000))
376 int error = 0;
377 # endif
378 #if (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000)) || \
379 (defined(__DragonFly_version) && (__DragonFly_version >= 100000))
380 struct pfil_head *ph_inet;
381 # ifdef USE_INET6
382 struct pfil_head *ph_inet6;
383 # endif
384 #endif
385
386 SPL_NET(s);
387 if (fr_running || (fr_checkp == fr_check)) {
388 kprintf("IP Filter: already initialized\n");
389 SPL_X(s);
390 return EBUSY;
391 }
392
393 # ifdef IPFILTER_LOG
394 ipflog_init();
395 # endif
396 if (nat_init() == -1) {
397 SPL_X(s);
398 return EIO;
399 }
400 if (fr_stateinit() == -1) {
401 SPL_X(s);
402 return EIO;
403 }
404 if (appr_init() == -1) {
405 SPL_X(s);
406 return EIO;
407 }
408
409 # ifdef NETBSD_PF
410 # if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011) || \
411 (defined(__DragonFly_version) && (__DragonFly_version >= 100000))
412 # if (__NetBSD_Version__ >= 105110000) || (__DragonFly_version >= 100000)
413 ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
414 # ifdef USE_INET6
415 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
416 # endif
417 if (ph_inet == NULL
418 # ifdef USE_INET6
419 && ph_inet6 == NULL
420 # endif
421 )
422 return ENODEV;
423
424 if (ph_inet != NULL)
425 error = pfil_add_hook((void *)fr_check_wrapper, NULL,
426 PFIL_IN|PFIL_OUT, ph_inet);
427 else
428 error = 0;
429 # else
430 error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
431 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
432 # endif
433 if (error) {
434 # ifdef USE_INET6
435 goto pfil_error;
436 # else
437 SPL_X(s);
438 appr_unload();
439 ip_natunload();
440 fr_stateunload();
441 return error;
442 # endif
443 }
444 # else
445 pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
446 # endif
447 # ifdef USE_INET6
448 # if (__NetBSD_Version__ >= 105110000) || (__DragonFly_version >= 100000)
449 if (ph_inet6 != NULL)
450 error = pfil_add_hook((void *)fr_check_wrapper6, NULL,
451 PFIL_IN|PFIL_OUT, ph_inet6);
452 else
453 error = 0;
454 if (error) {
455 pfil_remove_hook((void *)fr_check_wrapper6, NULL,
456 PFIL_IN|PFIL_OUT, ph_inet6);
457 # else
458 error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
459 &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
460 if (error) {
461 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
462 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
463 # endif
464 pfil_error:
465 SPL_X(s);
466 appr_unload();
467 ip_natunload();
468 fr_stateunload();
469 return error;
470 }
471 # endif
472 # endif
473
474 # ifdef __sgi
475 error = ipfilter_sgi_attach();
476 if (error) {
477 SPL_X(s);
478 appr_unload();
479 ip_natunload();
480 fr_stateunload();
481 return error;
482 }
483 # endif
484
485 bzero((char *)frcache, sizeof(frcache));
486 fr_savep = fr_checkp;
487 fr_checkp = fr_check;
488 fr_running = 1;
489
490 SPL_X(s);
491 if (fr_pass & FR_PASS)
492 defpass = "pass";
493 else if (fr_pass & FR_BLOCK)
494 defpass = "block";
495 else
496 defpass = "no-match -> block";
497
498 kprintf("%s initialized. Default = %s all, Logging = %s\n",
499 ipfilter_version, defpass,
500 # ifdef IPFILTER_LOG
501 "enabled");
502 # else
503 "disabled");
504 # endif
505 #ifdef _KERNEL
506 # if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
507 callout_init(&ipfr_slowtimer_ch);
508 callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
509 # else
510 # if defined(__OpenBSD__)
511 timeout_set(&ipfr_slowtimer_ch, ipfr_slowtimer, NULL);
512 timeout_add(&ipfr_slowtimer_ch, hz/2);
513 # else
514 # if (defined(__DragonFly__) || __FreeBSD_version >= 300000) || defined(__sgi)
515 callout_init(&ipfr_slowtimer_ch);
516 callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
517 # else
518 timeout(ipfr_slowtimer, NULL, hz/2);
519 # endif
520 # endif
521 # endif
522 #endif
523 return 0;
524 }
525
526
527 /*
528 * Disable the filter by removing the hooks from the IP input/output
529 * stream.
530 */
531 # if defined(__NetBSD__)
532 int ipl_disable()
533 # else
534 int ipldetach()
535 # endif
536 {
537 # if !defined(__DragonFly__)
538 int s;
539 # endif
540 int i;
541 #if defined(NETBSD_PF) && \
542 ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011) || \
543 (defined(__DragonFly_version) && (__DragonFly_version >= 100000)))
544 int error = 0;
545 # if (__NetBSD_Version__ >= 105150000) || (__DragonFly_version >= 100000)
546 struct pfil_head *ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
547 # ifdef USE_INET6
548 struct pfil_head *ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
549 # endif
550 # endif
551 #endif
552
553 #ifdef _KERNEL
554 # if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
555 callout_stop(&ipfr_slowtimer_ch);
556 # else
557 # if (defined(__DragonFly__) || __FreeBSD_version >= 300000)
558 callout_stop(&ipfr_slowtimer_ch);
559 # else
560 # ifdef __sgi
561 untimeout(ipfr_slowtimer_ch);
562 # else
563 # if defined(__OpenBSD__)
564 timeout_del(&ipfr_slowtimer_ch);
565 # else
566 untimeout(ipfr_slowtimer, NULL);
567 # endif /* OpenBSD */
568 # endif /* __sgi */
569 # endif /* FreeBSD */
570 # endif /* NetBSD */
571 #endif
572 SPL_NET(s);
573 if (!fr_running)
574 {
575 kprintf("IP Filter: not initialized\n");
576 SPL_X(s);
577 return 0;
578 }
579
580 kprintf("%s unloaded\n", ipfilter_version);
581
582 fr_checkp = fr_savep;
583 i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
584 i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
585 fr_running = 0;
586
587 # ifdef NETBSD_PF
588 # if ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011) || \
589 (__DragonFly_version >= 100000))
590 # if (__NetBSD_Version__ >= 105110000) || (__DragonFly_version >= 100000)
591 if (ph_inet != NULL)
592 error = pfil_remove_hook((void *)fr_check_wrapper, NULL,
593 PFIL_IN|PFIL_OUT, ph_inet);
594 else
595 error = 0;
596 # else
597 error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
598 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
599 # endif
600 if (error) {
601 SPL_X(s);
602 return error;
603 }
604 # else
605 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
606 # endif
607 # ifdef USE_INET6
608 # if (__NetBSD_Version__ >= 105110000) || (__DragonFly_version >= 100000)
609 if (ph_inet6 != NULL)
610 error = pfil_remove_hook((void *)fr_check_wrapper6, NULL,
611 PFIL_IN|PFIL_OUT, ph_inet6);
612 else
613 error = 0;
614 # else
615 error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
616 &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
617 # endif
618 if (error) {
619 SPL_X(s);
620 return error;
621 }
622 # endif
623 # endif
624
625 # ifdef __sgi
626 ipfilter_sgi_detach();
627 # endif
628
629 appr_unload();
630 ipfr_unload();
631 ip_natunload();
632 fr_stateunload();
633 fr_authunload();
634
635 SPL_X(s);
636 return 0;
637 }
638 #endif /* _KERNEL */
639
640
641 static int frzerostats(data)
642 caddr_t data;
643 {
644 friostat_t fio;
645 int error;
646
647 fr_getstat(&fio);
648 error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
649 if (error)
650 return EFAULT;
651
652 bzero((char *)frstats, sizeof(*frstats) * 2);
653
654 return 0;
655 }
656
657
658 /*
659 * Filter ioctl interface.
660 */
661 #ifdef __sgi
662 int IPL_EXTERN(ioctl)(dev_t dev, int cmd, caddr_t data, int mode
663 # ifdef _KERNEL
664 , cred_t *cp, int *rp
665 # endif
666 )
667 #else
668 #if defined(__DragonFly__)
669 # if defined(_KERNEL)
670 int IPL_EXTERN(ioctl)(struct dev_ioctl_args *ap)
671 # else
672 int IPL_EXTERN(ioctl)(struct cdev *dev, u_long cmd, caddr_t data, int mode)
673 #endif
674 #else
675 int IPL_EXTERN(ioctl)(dev, cmd, data, mode
676 #if (defined(_KERNEL) && defined(__FreeBSD__))
677 , td)
678 struct thread *td;
679 # elif (defined(_KERNEL) && ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || \
680 (NetBSD >= 199511) || (__FreeBSD_version >= 220000) || \
681 defined(__OpenBSD__)))
682 , p)
683 struct proc *p;
684 # else
685 )
686 # endif
687 dev_t dev;
688 # if defined(__NetBSD__) || defined(__OpenBSD__) || \
689 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
690 u_long cmd;
691 # else
692 int cmd;
693 # endif
694 caddr_t data;
695 int mode;
696 #endif /* DragonFly */
697 #endif /* __sgi */
698 {
699 #if (defined(_KERNEL) && defined(__DragonFly__))
700 struct cdev *dev = ap->a_head.a_dev;
701 u_long cmd = ap->a_cmd;
702 caddr_t data = ap->a_data;
703 int mode = ap->a_fflag;
704 #endif
705 #if defined(_KERNEL) && !SOLARIS && !defined(__DragonFly__)
706 int s;
707 #endif
708 int error = 0, unit = 0, tmp;
709
710 #if (BSD >= 199306) && defined(_KERNEL)
711 if ((securelevel >= 3) && (mode & FWRITE))
712 return EPERM;
713 #endif
714 #ifdef _KERNEL
715 unit = GET_MINOR(dev);
716 if ((IPL_LOGMAX < unit) || (unit < 0))
717 return ENXIO;
718 #else
719 unit = dev;
720 #endif
721
722 if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
723 return ENODEV;
724
725 SPL_NET(s);
726
727 if (unit == IPL_LOGNAT) {
728 if (fr_running)
729 error = nat_ioctl(data, cmd, mode);
730 else
731 error = EIO;
732 SPL_X(s);
733 return error;
734 }
735 if (unit == IPL_LOGSTATE) {
736 if (fr_running)
737 error = fr_state_ioctl(data, cmd, mode);
738 else
739 error = EIO;
740 SPL_X(s);
741 return error;
742 }
743 if (unit == IPL_LOGAUTH) {
744 if (!fr_running)
745 error = EIO;
746 else
747 if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {
748 if (!(mode & FWRITE)) {
749 error = EPERM;
750 } else {
751 error = frrequest(unit, cmd, data,
752 fr_active);
753 }
754 } else {
755 error = fr_auth_ioctl(data, mode, cmd);
756 }
757 SPL_X(s);
758 return error;
759 }
760
761 switch (cmd) {
762 case FIONREAD :
763 #ifdef IPFILTER_LOG
764 error = IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data,
765 sizeof(iplused[IPL_LOGIPF]));
766 #endif
767 break;
768 #if (!defined(IPFILTER_LKM) || defined(__NetBSD__)) && defined(_KERNEL)
769 case SIOCFRENB :
770 {
771 u_int enable;
772
773 if (!(mode & FWRITE))
774 error = EPERM;
775 else {
776 error = IRCOPY(data, (caddr_t)&enable, sizeof(enable));
777 if (error)
778 break;
779 if (enable)
780 # if defined(__NetBSD__) || defined(__OpenBSD__)
781 error = ipl_enable();
782 # else
783 error = iplattach();
784 # endif
785 else
786 # if defined(__NetBSD__)
787 error = ipl_disable();
788 # else
789 error = ipldetach();
790 # endif
791 }
792 break;
793 }
794 #endif
795 case SIOCSETFF :
796 if (!(mode & FWRITE))
797 error = EPERM;
798 else
799 error = IRCOPY(data, (caddr_t)&fr_flags,
800 sizeof(fr_flags));
801 break;
802 case SIOCGETFF :
803 error = IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags));
804 break;
805 case SIOCINAFR :
806 case SIOCRMAFR :
807 case SIOCADAFR :
808 case SIOCZRLST :
809 if (!(mode & FWRITE))
810 error = EPERM;
811 else
812 error = frrequest(unit, cmd, data, fr_active);
813 break;
814 case SIOCINIFR :
815 case SIOCRMIFR :
816 case SIOCADIFR :
817 if (!(mode & FWRITE))
818 error = EPERM;
819 else
820 error = frrequest(unit, cmd, data, 1 - fr_active);
821 break;
822 case SIOCSWAPA :
823 if (!(mode & FWRITE))
824 error = EPERM;
825 else {
826 bzero((char *)frcache, sizeof(frcache[0]) * 2);
827 *(u_int *)data = fr_active;
828 fr_active = 1 - fr_active;
829 }
830 break;
831 case SIOCGETFS :
832 {
833 friostat_t fio;
834
835 fr_getstat(&fio);
836 error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
837 if (error)
838 error = EFAULT;
839 break;
840 }
841 case SIOCFRZST :
842 if (!(mode & FWRITE))
843 error = EPERM;
844 else
845 error = frzerostats(data);
846 break;
847 case SIOCIPFFL :
848 if (!(mode & FWRITE))
849 error = EPERM;
850 else {
851 error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
852 if (!error) {
853 tmp = frflush(unit, 4, tmp);
854 error = IWCOPY((caddr_t)&tmp, data,
855 sizeof(tmp));
856 }
857 }
858 break;
859 #ifdef USE_INET6
860 case SIOCIPFL6 :
861 if (!(mode & FWRITE))
862 error = EPERM;
863 else {
864 error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
865 if (!error) {
866 tmp = frflush(unit, 6, tmp);
867 error = IWCOPY((caddr_t)&tmp, data,
868 sizeof(tmp));
869 }
870 }
871 break;
872 #endif
873 case SIOCSTLCK :
874 error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
875 if (!error) {
876 fr_state_lock = tmp;
877 fr_nat_lock = tmp;
878 fr_frag_lock = tmp;
879 fr_auth_lock = tmp;
880 } else
881 error = EFAULT;
882 break;
883 #ifdef IPFILTER_LOG
884 case SIOCIPFFB :
885 if (!(mode & FWRITE))
886 error = EPERM;
887 else
888 *(int *)data = ipflog_clear(unit);
889 break;
890 #endif /* IPFILTER_LOG */
891 case SIOCGFRST :
892 error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data,
893 sizeof(ipfrstat_t));
894 if (error)
895 error = EFAULT;
896 break;
897 case SIOCFRSYN :
898 if (!(mode & FWRITE))
899 error = EPERM;
900 else {
901 #if defined(_KERNEL) && defined(__sgi)
902 ipfsync();
903 #endif
904 frsync();
905 }
906 break;
907 default :
908 error = EINVAL;
909 break;
910 }
911 SPL_X(s);
912 return error;
913 }
914
915
916 void fr_forgetifp(ifp)
917 void *ifp;
918 {
919 frentry_t *f;
920
921 WRITE_ENTER(&ipf_mutex);
922 for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
923 if (f->fr_ifa == ifp)
924 f->fr_ifa = (void *)-1;
925 for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
926 if (f->fr_ifa == ifp)
927 f->fr_ifa = (void *)-1;
928 for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
929 if (f->fr_ifa == ifp)
930 f->fr_ifa = (void *)-1;
931 for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
932 if (f->fr_ifa == ifp)
933 f->fr_ifa = (void *)-1;
934 #ifdef USE_INET6
935 for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
936 if (f->fr_ifa == ifp)
937 f->fr_ifa = (void *)-1;
938 for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
939 if (f->fr_ifa == ifp)
940 f->fr_ifa = (void *)-1;
941 for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
942 if (f->fr_ifa == ifp)
943 f->fr_ifa = (void *)-1;
944 for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
945 if (f->fr_ifa == ifp)
946 f->fr_ifa = (void *)-1;
947 #endif
948 RWLOCK_EXIT(&ipf_mutex);
949 ip_natsync(ifp);
950 }
951
952
953 static int frrequest(unit, req, data, set)
954 int unit;
955 #if defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
956 u_long req;
957 #else
958 int req;
959 #endif
960 int set;
961 caddr_t data;
962 {
963 frentry_t *fp, *f, **fprev;
964 frentry_t **ftail;
965 frgroup_t *fg = NULL;
966 int error = 0, in, i;
967 u_int *p, *pp;
968 frentry_t frd;
969 frdest_t *fdp;
970 u_int group;
971
972 fp = &frd;
973 error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp));
974 if (error)
975 return EFAULT;
976 fp->fr_ref = 0;
977 #if (BSD >= 199306) && defined(_KERNEL)
978 if ((securelevel > 0) && (fp->fr_func != NULL))
979 return EPERM;
980 #endif
981
982 /*
983 * Check that the group number does exist and that if a head group
984 * has been specified, doesn't exist.
985 */
986 if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
987 (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
988 fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
989 return EEXIST;
990 if ((req != SIOCZRLST) && fp->fr_group &&
991 !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL))
992 return ESRCH;
993
994 in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
995
996 if (unit == IPL_LOGAUTH)
997 ftail = fprev = &ipauth;
998 else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 4))
999 ftail = fprev = &ipacct[in][set];
1000 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 4))
1001 ftail = fprev = &ipfilter[in][set];
1002 #ifdef USE_INET6
1003 else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 6))
1004 ftail = fprev = &ipacct6[in][set];
1005 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 6))
1006 ftail = fprev = &ipfilter6[in][set];
1007 #endif
1008 else
1009 return ESRCH;
1010
1011 if ((group = fp->fr_group)) {
1012 if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL)))
1013 return ESRCH;
1014 ftail = fprev = fg->fg_start;
1015 }
1016
1017 bzero((char *)frcache, sizeof(frcache[0]) * 2);
1018
1019 for (i = 0; i < 4; i++) {
1020 if ((fp->fr_ifnames[i][1] == '\0') &&
1021 ((fp->fr_ifnames[i][0] == '-') ||
1022 (fp->fr_ifnames[i][0] == '*'))) {
1023 fp->fr_ifas[i] = NULL;
1024 } else if (*fp->fr_ifnames[i]) {
1025 fp->fr_ifas[i] = GETUNIT(fp->fr_ifnames[i], fp->fr_v);
1026 if (!fp->fr_ifas[i])
1027 fp->fr_ifas[i] = (void *)-1;
1028 }
1029 }
1030
1031 fdp = &fp->fr_dif;
1032 fp->fr_flags &= ~FR_DUP;
1033 if (*fdp->fd_ifname) {
1034 fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v);
1035 if (!fdp->fd_ifp)
1036 fdp->fd_ifp = (struct ifnet *)-1;
1037 else
1038 fp->fr_flags |= FR_DUP;
1039 }
1040
1041 fdp = &fp->fr_tif;
1042 if (*fdp->fd_ifname) {
1043 fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v);
1044 if (!fdp->fd_ifp)
1045 fdp->fd_ifp = (struct ifnet *)-1;
1046 }
1047
1048 /*
1049 * Look for a matching filter rule, but don't include the next or
1050 * interface pointer in the comparison (fr_next, fr_ifa).
1051 */
1052 for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum;
1053 p < pp; p++)
1054 fp->fr_cksum += *p;
1055
1056 for (; (f = *ftail); ftail = &f->fr_next)
1057 if ((fp->fr_cksum == f->fr_cksum) &&
1058 !bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, FR_CMPSIZ))
1059 break;
1060
1061 /*
1062 * If zero'ing statistics, copy current to caller and zero.
1063 */
1064 if (req == SIOCZRLST) {
1065 if (!f)
1066 return ESRCH;
1067 error = IWCOPYPTR((caddr_t)f, data, sizeof(*f));
1068 if (error)
1069 return EFAULT;
1070 f->fr_hits = 0;
1071 f->fr_bytes = 0;
1072 return 0;
1073 }
1074
1075 if (!f) {
1076 if (req != SIOCINAFR && req != SIOCINIFR)
1077 while ((f = *ftail))
1078 ftail = &f->fr_next;
1079 else {
1080 ftail = fprev;
1081 if (fp->fr_hits) {
1082 while (--fp->fr_hits && (f = *ftail))
1083 ftail = &f->fr_next;
1084 }
1085 f = NULL;
1086 }
1087 }
1088
1089 if (req == SIOCRMAFR || req == SIOCRMIFR) {
1090 if (!f)
1091 error = ESRCH;
1092 else {
1093 /*
1094 * Only return EBUSY if there is a group list, else
1095 * it's probably just state information referencing
1096 * the rule.
1097 */
1098 if ((f->fr_ref > 1) && f->fr_grp)
1099 return EBUSY;
1100 if (fg && fg->fg_head)
1101 fg->fg_head->fr_ref--;
1102 if (unit == IPL_LOGAUTH) {
1103 return fr_preauthcmd(req, f, ftail);
1104 }
1105 if (f->fr_grhead)
1106 fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
1107 unit, set);
1108 fixskip(fprev, f, -1);
1109 *ftail = f->fr_next;
1110 f->fr_next = NULL;
1111 f->fr_ref--;
1112 if (f->fr_ref == 0)
1113 KFREE(f);
1114 }
1115 } else {
1116 if (f)
1117 error = EEXIST;
1118 else {
1119 if (unit == IPL_LOGAUTH) {
1120 return fr_preauthcmd(req, fp, ftail);
1121 }
1122 KMALLOC(f, frentry_t *);
1123 if (f != NULL) {
1124 if (fg && fg->fg_head)
1125 fg->fg_head->fr_ref++;
1126 bcopy((char *)fp, (char *)f, sizeof(*f));
1127 f->fr_ref = 1;
1128 f->fr_hits = 0;
1129 f->fr_next = *ftail;
1130 *ftail = f;
1131 if (req == SIOCINIFR || req == SIOCINAFR)
1132 fixskip(fprev, f, 1);
1133 f->fr_grp = NULL;
1134 if ((group = f->fr_grhead))
1135 fg = fr_addgroup(group, f, unit, set);
1136 } else
1137 error = ENOMEM;
1138 }
1139 }
1140 return (error);
1141 }
1142
1143
1144 #ifdef _KERNEL
1145 /*
1146 * routines below for saving IP headers to buffer
1147 */
1148 #ifdef __DragonFly__
1149 int IPL_EXTERN(open)(struct dev_open_args *ap)
1150 #else
1151 # ifdef __sgi
1152 int IPL_EXTERN(open)(dev_t *pdev, int flags, int devtype, cred_t *cp)
1153 # else
1154 int IPL_EXTERN(open)(dev, flags
1155 #if defined(__FreeBSD__)
1156 , devtype, td)
1157 int devtype;
1158 struct thread *td;
1159 #elif ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
1160 (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
1161 , devtype, p)
1162 int devtype;
1163 struct proc *p;
1164 # else
1165 )
1166 # endif
1167 dev_t dev;
1168 int flags;
1169 # endif /* __sgi */
1170 #endif /* DragonFly */
1171 {
1172 #ifdef __DragonFly__
1173 struct cdev *dev = ap->a_head.a_dev;
1174 #endif
1175 # if defined(__sgi) && defined(_KERNEL)
1176 u_int min = geteminor(*pdev);
1177 # else
1178 u_int min = GET_MINOR(dev);
1179 # endif
1180
1181 if (IPL_LOGMAX < min)
1182 min = ENXIO;
1183 else
1184 min = 0;
1185 return min;
1186 }
1187
1188
1189 #ifdef __DragonFly__
1190 int IPL_EXTERN(close)(struct dev_close_args *ap)
1191 #else
1192 # ifdef __sgi
1193 int IPL_EXTERN(close)(dev_t dev, int flags, int devtype, cred_t *cp)
1194 #else
1195 int IPL_EXTERN(close)(dev, flags
1196 #if defined(__FreeBSD__)
1197 , devtype, td)
1198 int devtype;
1199 struct thread *td;
1200 #elif ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
1201 (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
1202 , devtype, p)
1203 int devtype;
1204 struct proc *p;
1205 # else
1206 )
1207 # endif
1208 dev_t dev;
1209 int flags;
1210 # endif /* __sgi */
1211 #endif /* DragonFly */
1212 {
1213 #ifdef __DragonFly__
1214 struct cdev *dev = ap->a_head.a_dev;
1215 #endif
1216 u_int min = GET_MINOR(dev);
1217
1218 if (IPL_LOGMAX < min)
1219 min = ENXIO;
1220 else
1221 min = 0;
1222 return min;
1223 }
1224
1225 /*
1226 * iplread/ipllog
1227 * both of these must operate with at least splnet() lest they be
1228 * called during packet processing and cause an inconsistancy to appear in
1229 * the filter lists.
1230 */
1231 #ifdef __DragonFly__
1232 int IPL_EXTERN(read)(struct dev_read_args *ap)
1233 #else
1234 # ifdef __sgi
1235 int IPL_EXTERN(read)(dev_t dev, uio_t *uio, cred_t *crp)
1236 # else
1237 # if BSD >= 199306
1238 int IPL_EXTERN(read)(dev, uio, ioflag)
1239 int ioflag;
1240 # else
1241 int IPL_EXTERN(read)(dev, uio)
1242 # endif
1243 dev_t dev;
1244 struct uio *uio;
1245 # endif /* __sgi */
1246 #endif /* DragonFly */
1247 {
1248 #ifdef __DragonFly__
1249 struct cdev *dev = ap->a_head.a_dev;
1250 struct uio *uio = ap->a_uio;
1251 #endif
1252 # ifdef IPFILTER_LOG
1253 return ipflog_read(GET_MINOR(dev), uio);
1254 # else
1255 return ENXIO;
1256 # endif
1257 }
1258
1259
1260 /*
1261 * send_reset - this could conceivably be a call to tcp_respond(), but that
1262 * requires a large amount of setting up and isn't any more efficient.
1263 */
1264 int send_reset(oip, fin)
1265 struct ip *oip;
1266 fr_info_t *fin;
1267 {
1268 struct tcphdr *tcp, *tcp2;
1269 int tlen = 0, hlen;
1270 struct mbuf *m;
1271 #ifdef USE_INET6
1272 ip6_t *ip6, *oip6 = (ip6_t *)oip;
1273 #endif
1274 ip_t *ip;
1275
1276 tcp = (struct tcphdr *)fin->fin_dp;
1277 if (tcp->th_flags & TH_RST)
1278 return -1; /* feedback loop */
1279 # if (BSD < 199306) || defined(__sgi)
1280 m = m_get(M_DONTWAIT, MT_HEADER);
1281 # elif defined(__DragonFly__)
1282 m = m_gethdr(MB_DONTWAIT, MT_HEADER);
1283 # else
1284 m = m_gethdr(M_DONTWAIT, MT_HEADER);
1285 # endif
1286 if (m == NULL)
1287 return ENOBUFS;
1288 if (m == NULL)
1289 return -1;
1290
1291 tlen = fin->fin_dlen - (tcp->th_off << 2) +
1292 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
1293 ((tcp->th_flags & TH_FIN) ? 1 : 0);
1294
1295 #ifdef USE_INET6
1296 hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
1297 #else
1298 hlen = sizeof(ip_t);
1299 #endif
1300 m->m_len = sizeof(*tcp2) + hlen;
1301 # if BSD >= 199306
1302 m->m_data += max_linkhdr;
1303 m->m_pkthdr.len = m->m_len;
1304 m->m_pkthdr.rcvif = (struct ifnet *)0;
1305 # endif
1306 ip = mtod(m, struct ip *);
1307 # ifdef USE_INET6
1308 ip6 = (ip6_t *)ip;
1309 # endif
1310 bzero((char *)ip, sizeof(*tcp2) + hlen);
1311 tcp2 = (struct tcphdr *)((char *)ip + hlen);
1312
1313 tcp2->th_sport = tcp->th_dport;
1314 tcp2->th_dport = tcp->th_sport;
1315 if (tcp->th_flags & TH_ACK) {
1316 tcp2->th_seq = tcp->th_ack;
1317 tcp2->th_flags = TH_RST;
1318 } else {
1319 tcp2->th_ack = ntohl(tcp->th_seq);
1320 tcp2->th_ack += tlen;
1321 tcp2->th_ack = htonl(tcp2->th_ack);
1322 tcp2->th_flags = TH_RST|TH_ACK;
1323 }
1324 tcp2->th_off = sizeof(*tcp2) >> 2;
1325 # ifdef USE_INET6
1326 if (fin->fin_v == 6) {
1327 ip6->ip6_plen = htons(sizeof(struct tcphdr));
1328 ip6->ip6_nxt = IPPROTO_TCP;
1329 ip6->ip6_src = oip6->ip6_dst;
1330 ip6->ip6_dst = oip6->ip6_src;
1331 tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
1332 sizeof(*ip6), sizeof(*tcp2));
1333 return send_ip(oip, fin, &m);
1334 }
1335 # endif
1336 ip->ip_p = IPPROTO_TCP;
1337 ip->ip_len = htons(sizeof(struct tcphdr));
1338 ip->ip_src.s_addr = oip->ip_dst.s_addr;
1339 ip->ip_dst.s_addr = oip->ip_src.s_addr;
1340 tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
1341 ip->ip_len = hlen + sizeof(*tcp2);
1342 return send_ip(oip, fin, &m);
1343 }
1344
1345
1346 /*
1347 * Send an IP(v4/v6) datagram out into the network
1348 */
1349 static int send_ip(oip, fin, mp)
1350 ip_t *oip;
1351 fr_info_t *fin;
1352 struct mbuf **mp;
1353 {
1354 struct mbuf *m = *mp;
1355 int error, hlen;
1356 fr_info_t frn;
1357 ip_t *ip;
1358
1359 bzero((char *)&frn, sizeof(frn));
1360 frn.fin_ifp = fin->fin_ifp;
1361 frn.fin_v = fin->fin_v;
1362 frn.fin_out = fin->fin_out;
1363 frn.fin_mp = mp;
1364
1365 ip = mtod(m, ip_t *);
1366 hlen = sizeof(*ip);
1367
1368 ip->ip_v = fin->fin_v;
1369 if (ip->ip_v == 4) {
1370 ip->ip_hl = (sizeof(*oip) >> 2);
1371 ip->ip_v = IPVERSION;
1372 ip->ip_tos = oip->ip_tos;
1373 ip->ip_id = oip->ip_id;
1374
1375 # if defined(__NetBSD__) || \
1376 (defined(__OpenBSD__) && (OpenBSD >= 200012))
1377 if (ip_mtudisc != 0)
1378 ip->ip_off = IP_DF;
1379 # else
1380 # if defined(__sgi)
1381 if (ip->ip_p == IPPROTO_TCP && tcp_mtudisc != 0)
1382 ip->ip_off = IP_DF;
1383 # endif
1384 # endif
1385
1386 # if (BSD < 199306) || defined(__sgi)
1387 ip->ip_ttl = tcp_ttl;
1388 # else
1389 ip->ip_ttl = ip_defttl;
1390 # endif
1391 ip->ip_sum = 0;
1392 frn.fin_dp = (char *)(ip + 1);
1393 }
1394 # ifdef USE_INET6
1395 else if (ip->ip_v == 6) {
1396 ip6_t *ip6 = (ip6_t *)ip;
1397
1398 hlen = sizeof(*ip6);
1399 ip6->ip6_hlim = 127;
1400 frn.fin_dp = (char *)(ip6 + 1);
1401 }
1402 # endif
1403 # ifdef IPSEC
1404 m->m_pkthdr.rcvif = NULL;
1405 # endif
1406
1407 if (fr_makefrip(hlen, ip, &frn) == 0)
1408 error = ipfr_fastroute(m, mp, &frn, NULL);
1409 else
1410 error = EINVAL;
1411 return error;
1412 }
1413
1414
1415 int send_icmp_err(oip, type, fin, dst)
1416 ip_t *oip;
1417 int type;
1418 fr_info_t *fin;
1419 int dst;
1420 {
1421 int err, hlen = 0, xtra = 0, iclen, ohlen = 0, avail, code;
1422 u_short shlen, slen = 0, soff = 0;
1423 struct in_addr dst4;
1424 struct icmp *icmp;
1425 struct mbuf *m;
1426 void *ifp;
1427 #ifdef USE_INET6
1428 ip6_t *ip6, *oip6 = (ip6_t *)oip;
1429 struct in6_addr dst6;
1430 #endif
1431 ip_t *ip;
1432
1433 if ((type < 0) || (type > ICMP_MAXTYPE))
1434 return -1;
1435
1436 code = fin->fin_icode;
1437 #ifdef USE_INET6
1438 if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int)))
1439 return -1;
1440 #endif
1441
1442 avail = 0;
1443 m = NULL;
1444 ifp = fin->fin_ifp;
1445 if (fin->fin_v == 4) {
1446 if ((oip->ip_p == IPPROTO_ICMP) &&
1447 !(fin->fin_fi.fi_fl & FI_SHORT))
1448 switch (ntohs(fin->fin_data[0]) >> 8)
1449 {
1450 case ICMP_ECHO :
1451 case ICMP_TSTAMP :
1452 case ICMP_IREQ :
1453 case ICMP_MASKREQ :
1454 break;
1455 default :
1456 return 0;
1457 }
1458
1459 # if (BSD < 199306) || defined(__sgi)
1460 avail = MLEN;
1461 m = m_get(M_DONTWAIT, MT_HEADER);
1462 # elif defined(__DragonFly__)
1463 avail = MHLEN;
1464 m = m_gethdr(MB_DONTWAIT, MT_HEADER);
1465 # else
1466 avail = MHLEN;
1467 m = m_gethdr(M_DONTWAIT, MT_HEADER);
1468 # endif
1469 if (m == NULL)
1470 return ENOBUFS;
1471
1472 if (dst == 0) {
1473 if (fr_ifpaddr(4, ifp, &dst4) == -1)
1474 return -1;
1475 } else
1476 dst4.s_addr = oip->ip_dst.s_addr;
1477
1478 hlen = sizeof(ip_t);
1479 ohlen = oip->ip_hl << 2;
1480 xtra = 8;
1481 }
1482
1483 #ifdef USE_INET6
1484 else if (fin->fin_v == 6) {
1485 hlen = sizeof(ip6_t);
1486 ohlen = sizeof(ip6_t);
1487 type = icmptoicmp6types[type];
1488 if (type == ICMP6_DST_UNREACH)
1489 code = icmptoicmp6unreach[code];
1490
1491 #ifdef __DragonFly__
1492 MGETHDR(m, MB_DONTWAIT, MT_HEADER);
1493 #else
1494 MGETHDR(m, M_DONTWAIT, MT_HEADER);
1495 #endif
1496 if (!m)
1497 return ENOBUFS;
1498
1499 #ifdef __DragonFly__
1500 MCLGET(m, MB_DONTWAIT);
1501 #else
1502 MCLGET(m, M_DONTWAIT);
1503 #endif
1504 if ((m->m_flags & M_EXT) == 0) {
1505 m_freem(m);
1506 return ENOBUFS;
1507 }
1508 # ifdef M_TRAILINGSPACE
1509 m->m_len = 0;
1510 avail = M_TRAILINGSPACE(m);
1511 # else
1512 avail = (m->m_flags & M_EXT) ? MCLBYTES : MHLEN;
1513 # endif
1514 xtra = MIN(ntohs(oip6->ip6_plen) + sizeof(ip6_t),
1515 avail - hlen - sizeof(*icmp) - max_linkhdr);
1516 if (dst == 0) {
1517 if (fr_ifpaddr(6, ifp, (struct in_addr *)&dst6) == -1)
1518 return -1;
1519 } else
1520 dst6 = oip6->ip6_dst;
1521 }
1522 #endif
1523
1524 iclen = hlen + sizeof(*icmp);
1525 # if BSD >= 199306
1526 avail -= (max_linkhdr + iclen);
1527 m->m_data += max_linkhdr;
1528 m->m_pkthdr.rcvif = (struct ifnet *)0;
1529 if (xtra > avail)
1530 xtra = avail;
1531 iclen += xtra;
1532 m->m_pkthdr.len = iclen;
1533 #else
1534 avail -= (m->m_off + iclen);
1535 if (xtra > avail)
1536 xtra = avail;
1537 iclen += xtra;
1538 #endif
1539 m->m_len = iclen;
1540 ip = mtod(m, ip_t *);
1541 icmp = (struct icmp *)((char *)ip + hlen);
1542 bzero((char *)ip, iclen);
1543
1544 icmp->icmp_type = type;
1545 icmp->icmp_code = fin->fin_icode;
1546 icmp->icmp_cksum = 0;
1547 #ifdef icmp_nextmtu
1548 if (type == ICMP_UNREACH &&
1549 fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp)
1550 icmp->icmp_nextmtu = htons(((struct ifnet *) ifp)->if_mtu);
1551 #endif
1552
1553 if (avail) {
1554 slen = oip->ip_len;
1555 oip->ip_len = htons(oip->ip_len);
1556 soff = oip->ip_off;
1557 oip->ip_off = htons(oip->ip_off);
1558 bcopy((char *)oip, (char *)&icmp->icmp_ip, MIN(ohlen, avail));
1559 oip->ip_len = slen;
1560 oip->ip_off = soff;
1561 avail -= MIN(ohlen, avail);
1562 }
1563
1564 #ifdef USE_INET6
1565 ip6 = (ip6_t *)ip;
1566 if (fin->fin_v == 6) {
1567 ip6->ip6_flow = 0;
1568 ip6->ip6_plen = htons(iclen - hlen);
1569 ip6->ip6_nxt = IPPROTO_ICMPV6;
1570 ip6->ip6_hlim = 0;
1571 ip6->ip6_src = dst6;
1572 ip6->ip6_dst = oip6->ip6_src;
1573 if (avail)
1574 bcopy((char *)oip + ohlen,
1575 (char *)&icmp->icmp_ip + ohlen, avail);
1576 icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
1577 sizeof(*ip6), iclen - hlen);
1578 } else
1579 #endif
1580 {
1581
1582 ip->ip_src.s_addr = dst4.s_addr;
1583 ip->ip_dst.s_addr = oip->ip_src.s_addr;
1584
1585 if (avail > 8)
1586 avail = 8;
1587 if (avail)
1588 bcopy((char *)oip + ohlen,
1589 (char *)&icmp->icmp_ip + ohlen, avail);
1590 icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
1591 sizeof(*icmp) + 8);
1592 ip->ip_len = iclen;
1593 ip->ip_p = IPPROTO_ICMP;
1594 }
1595
1596 shlen = fin->fin_hlen;
1597 fin->fin_hlen = hlen;
1598 err = send_ip(oip, fin, &m);
1599 fin->fin_hlen = shlen;
1600
1601 return err;
1602 }
1603
1604
1605 # if !defined(IPFILTER_LKM) && !defined(__sgi) && \
1606 (!defined(__DragonFly__) || !defined(__FreeBSD_version) || (__FreeBSD_version < 300000))
1607 # if (BSD < 199306)
1608 int iplinit (void);
1609
1610 int
1611 # else
1612 void iplinit (void);
1613
1614 void
1615 # endif
1616 iplinit()
1617 {
1618
1619 # if defined(__NetBSD__) || defined(__OpenBSD__)
1620 if (ipl_enable() != 0)
1621 # else
1622 if (iplattach() != 0)
1623 # endif
1624 {
1625 kprintf("IP Filter failed to attach\n");
1626 }
1627 ip_init();
1628 }
1629 # endif /* ! __NetBSD__ */
1630
1631
1632 /*
1633 * Return the length of the entire mbuf.
1634 */
1635 size_t mbufchainlen(m0)
1636 struct mbuf *m0;
1637 {
1638 #if BSD >= 199306
1639 return m0->m_pkthdr.len;
1640 #else
1641 size_t len = 0;
1642
1643 for (; m0; m0 = m0->m_next)
1644 len += m0->m_len;
1645 return len;
1646 #endif
1647 }
1648
1649
1650 int ipfr_fastroute(m0, mpp, fin, fdp)
1651 struct mbuf *m0, **mpp;
1652 fr_info_t *fin;
1653 frdest_t *fdp;
1654 {
1655 struct ip *ip, *mhip;
1656 struct mbuf *m = m0;
1657 struct route *ro;
1658 int len, off, error = 0, hlen, code, sout;
1659 struct ifnet *ifp, *sifp;
1660 struct sockaddr_in *dst;
1661 struct route iproute;
1662 frentry_t *fr;
1663
1664 ip = NULL;
1665 ro = NULL;
1666 ifp = NULL;
1667 ro = &iproute;
1668 ro->ro_rt = NULL;
1669
1670 #ifdef USE_INET6
1671 if (fin->fin_v == 6) {
1672 error = ipfr_fastroute6(m0, mpp, fin, fdp);
1673 if (error != 0)
1674 goto bad;
1675 goto done;
1676 }
1677 #else
1678 if (fin->fin_v == 6)
1679 goto bad;
1680 #endif
1681
1682 #ifdef M_WRITABLE
1683 /*
1684 * HOT FIX/KLUDGE:
1685 *
1686 * If the mbuf we're about to send is not writable (because of
1687 * a cluster reference, for example) we'll need to make a copy
1688 * of it since this routine modifies the contents.
1689 *
1690 * If you have non-crappy network hardware that can transmit data
1691 * from the mbuf, rather than making a copy, this is gonna be a
1692 * problem.
1693 */
1694 if (M_WRITABLE(m) == 0) {
1695 #ifdef __DragonFly__
1696 if ((m0 = m_dup(m, MB_DONTWAIT)) != NULL) {
1697 #else
1698 if ((m0 = m_dup(m, M_DONTWAIT)) != NULL) {
1699 #endif
1700 m_freem(*mpp);
1701 *mpp = m0;
1702 m = m0;
1703 } else {
1704 error = ENOBUFS;
1705 m_freem(*mpp);
1706 goto done;
1707 }
1708 }
1709 #endif
1710
1711 hlen = fin->fin_hlen;
1712 ip = mtod(m0, struct ip *);
1713
1714 #if defined(__NetBSD__) && defined(M_CSUM_IPv4)
1715 /*
1716 * Clear any in-bound checksum flags for this packet.
1717 */
1718 # if (__NetBSD_Version__ > 105009999)
1719 m0->m_pkthdr.csum_flags = 0;
1720 # else
1721 m0->m_pkthdr.csuminfo = 0;
1722 # endif
1723 #endif /* __NetBSD__ && M_CSUM_IPv4 */
1724
1725 /*
1726 * Route packet.
1727 */
1728 #if (defined(IRIX) && (IRIX >= 605))
1729 ROUTE_RDLOCK();
1730 #endif
1731 bzero((caddr_t)ro, sizeof (*ro));
1732 dst = (struct sockaddr_in *)&ro->ro_dst;
1733 dst->sin_family = AF_INET;
1734 dst->sin_addr = ip->ip_dst;
1735
1736 fr = fin->fin_fr;
1737 if (fdp != NULL)
1738 ifp = fdp->fd_ifp;
1739 else
1740 ifp = fin->fin_ifp;
1741
1742 /*
1743 * In case we're here due to "to <if>" being used with "keep state",
1744 * check that we're going in the correct direction.
1745 */
1746 if ((fr != NULL) && (fin->fin_rev != 0)) {
1747 if ((ifp != NULL) && (fdp == &fr->fr_tif)) {
1748 # if (defined(IRIX) && (IRIX >= 605))
1749 ROUTE_UNLOCK();
1750 # endif
1751 return 0;
1752 }
1753 } else if (fdp != NULL) {
1754 if (fdp->fd_ip.s_addr != 0)
1755 dst->sin_addr = fdp->fd_ip;
1756 }
1757
1758 # if BSD >= 199306
1759 dst->sin_len = sizeof(*dst);
1760 # endif
1761 # if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \
1762 !defined(__OpenBSD__)
1763 # ifdef RTF_CLONING
1764 rtalloc_ign(ro, RTF_CLONING);
1765 # else
1766 rtalloc_ign(ro, RTF_PRCLONING);
1767 # endif
1768 # else
1769 rtalloc(ro);
1770 # endif
1771
1772 if (!ifp) {
1773 if (!fr || !(fr->fr_flags & FR_FASTROUTE)) {
1774 error = -2;
1775 # if (defined(IRIX) && (IRIX >= 605))
1776 ROUTE_UNLOCK();
1777 # endif
1778 goto bad;
1779 }
1780 }
1781
1782 if ((ifp == NULL) && (ro->ro_rt != NULL))
1783 ifp = ro->ro_rt->rt_ifp;
1784
1785 if ((ro->ro_rt == NULL) || (ifp == NULL)) {
1786 if (in_localaddr(ip->ip_dst))
1787 error = EHOSTUNREACH;
1788 else
1789 error = ENETUNREACH;
1790 # if (defined(IRIX) && (IRIX >= 605))
1791 ROUTE_UNLOCK();
1792 # endif
1793 goto bad;
1794 }
1795
1796 if (ro->ro_rt->rt_flags & RTF_GATEWAY) {
1797 #if (BSD >= 199306) || (defined(IRIX) && (IRIX >= 605))
1798 dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
1799 #else
1800 dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway;
1801 #endif
1802 }
1803 ro->ro_rt->rt_use++;
1804
1805 #if (defined(IRIX) && (IRIX > 602))
1806 ROUTE_UNLOCK();
1807 #endif
1808
1809 /*
1810 * For input packets which are being "fastrouted", they won't
1811 * go back through output filtering and miss their chance to get
1812 * NAT'd and counted.
1813 */
1814 if (fin->fin_out == 0) {
1815 sifp = fin->fin_ifp;
1816 sout = fin->fin_out;
1817 fin->fin_ifp = ifp;
1818 fin->fin_out = 1;
1819 if ((fin->fin_fr = ipacct[1][fr_active]) &&
1820 (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
1821 ATOMIC_INCL(frstats[1].fr_acct);
1822 }
1823 fin->fin_fr = NULL;
1824 if (!fr || !(fr->fr_flags & FR_RETMASK))
1825 (void) fr_checkstate(ip, fin);
1826
1827 switch (ip_natout(ip, fin))
1828 {
1829 case 0 :
1830 break;
1831 case 1 :
1832 ip->ip_sum = 0;
1833 break;
1834 case -1 :
1835 error = EINVAL;
1836 goto done;
1837 break;
1838 }
1839
1840 fin->fin_ifp = sifp;
1841 fin->fin_out = sout;
1842 } else
1843 ip->ip_sum = 0;
1844
1845 /*
1846 * If small enough for interface, can just send directly.
1847 */
1848 if (ip->ip_len <= ifp->if_mtu) {
1849 # ifndef sparc
1850 # if (!defined(__DragonFly__) && !defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) && \
1851 !(__NetBSD_Version__ >= 105110000)
1852 ip->ip_id = htons(ip->ip_id);
1853 # endif
1854 ip->ip_len = htons(ip->ip_len);
1855 ip->ip_off = htons(ip->ip_off);
1856 # endif
1857 # if defined(__NetBSD__) && defined(M_CSUM_IPv4)
1858 # if (__NetBSD_Version__ > 105009999)
1859 if (ifp->if_csum_flags_tx & IFCAP_CSUM_IPv4)
1860 m->m_pkthdr.csum_flags |= M_CSUM_IPv4;
1861 else if (ip->ip_sum == 0)
1862 ip->ip_sum = in_cksum(m, hlen);
1863 # else
1864 if (ifp->if_capabilities & IFCAP_CSUM_IPv4)
1865 m->m_pkthdr.csuminfo |= M_CSUM_IPv4;
1866 else if (ip->ip_sum == 0)
1867 ip->ip_sum = in_cksum(m, hlen);
1868 # endif
1869 # else
1870 if (!ip->ip_sum)
1871 ip->ip_sum = in_cksum(m, hlen);
1872 # endif /* __NetBSD__ && M_CSUM_IPv4 */
1873 # if (BSD >= 199306) || (defined(IRIX) && (IRIX >= 605))
1874 # ifdef IRIX
1875 IFNET_UPPERLOCK(ifp);
1876 # endif
1877 error = ifp->if_output(ifp, m, (struct sockaddr *)dst,
1878 ro->ro_rt);
1879 # ifdef IRIX
1880 IFNET_UPPERUNLOCK(ifp);
1881 # endif
1882 # else
1883 error = ifp->if_output(ifp, m, (struct sockaddr *)dst);
1884 # endif
1885 goto done;
1886 }
1887
1888 /*
1889 * Too large for interface; fragment if possible.
1890 * Must be able to put at least 8 bytes per fragment.
1891 */
1892 if (ip->ip_off & IP_DF) {
1893 error = EMSGSIZE;
1894 goto bad;
1895 }
1896 len = (ifp->if_mtu - hlen) &~ 7;
1897 if (len < 8) {
1898 error = EMSGSIZE;
1899 goto bad;
1900 }
1901
1902 {
1903 int mhlen, firstlen = len;
1904 struct mbuf **mnext = &m->m_act;
1905
1906 /*
1907 * Loop through length of segment after first fragment,
1908 * make new header and copy data of each part and link onto chain.
1909 */
1910 m0 = m;
1911 mhlen = sizeof (struct ip);
1912 for (off = hlen + len; off < ip->ip_len; off += len) {
1913 # ifdef __DragonFly__
1914 MGETHDR(m, MB_DONTWAIT, MT_HEADER);
1915 # elif defined(MGETHDR)
1916 MGETHDR(m, M_DONTWAIT, MT_HEADER);
1917 # else
1918 MGET(m, M_DONTWAIT, MT_HEADER);
1919 # endif
1920 if (m == 0) {
1921 error = ENOBUFS;
1922 goto bad;
1923 }
1924 # if BSD >= 199306
1925 m->m_data += max_linkhdr;
1926 # else
1927 m->m_off = MMAXOFF - hlen;
1928 # endif
1929 mhip = mtod(m, struct ip *);
1930 bcopy((char *)ip, (char *)mhip, sizeof(*ip));
1931 if (hlen > sizeof (struct ip)) {
1932 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
1933 mhip->ip_hl = mhlen >> 2;
1934 }
1935 m->m_len = mhlen;
1936 mhip->ip_off = ((off - hlen) >> 3) + (ip->ip_off & ~IP_MF);
1937 if (ip->ip_off & IP_MF)
1938 mhip->ip_off |= IP_MF;
1939 if (off + len >= ip->ip_len)
1940 len = ip->ip_len - off;
1941 else
1942 mhip->ip_off |= IP_MF;
1943 mhip->ip_len = htons((u_short)(len + mhlen));
1944 m->m_next = m_copy(m0, off, len);
1945 if (m->m_next == 0) {
1946 error = ENOBUFS; /* ??? */
1947 goto sendorfree;
1948 }
1949 # if BSD >= 199306
1950 m->m_pkthdr.len = mhlen + len;
1951 m->m_pkthdr.rcvif = NULL;
1952 # endif
1953 mhip->ip_off = htons((u_short)mhip->ip_off);
1954 mhip->ip_sum = 0;
1955 mhip->ip_sum = in_cksum(m, mhlen);
1956 *mnext = m;
1957 mnext = &m->m_act;
1958 }
1959 /*
1960 * Update first fragment by trimming what's been copied out
1961 * and updating header, then send each fragment (in order).
1962 */
1963 m_adj(m0, hlen + firstlen - ip->ip_len);
1964 ip->ip_len = htons((u_short)(hlen + firstlen));
1965 ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
1966 ip->ip_sum = 0;
1967 ip->ip_sum = in_cksum(m0, hlen);
1968 sendorfree:
1969 for (m = m0; m; m = m0) {
1970 m0 = m->m_act;
1971 m->m_act = 0;
1972 if (error == 0) {
1973 # if (BSD >= 199306) || (defined(IRIX) && (IRIX >= 605))
1974 error = ifp->if_output(ifp, m,
1975 (struct sockaddr *)dst, ro->ro_rt);
1976 # else
1977 error = ifp->if_output(ifp, m,
1978 (struct sockaddr *)dst);
1979 # endif
1980 } else {
1981 m_freem(m);
1982 }
1983 }
1984 }
1985 done:
1986 if (!error)
1987 ipl_frouteok[0]++;
1988 else
1989 ipl_frouteok[1]++;
1990
1991 if (ro->ro_rt != NULL) {
1992 RTFREE(ro->ro_rt);
1993 }
1994 *mpp = NULL;
1995 return error;
1996 bad:
1997 if ((error == EMSGSIZE) && (fin->fin_v == 4)) {
1998 sifp = fin->fin_ifp;
1999 code = fin->fin_icode;
2000 fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
2001 fin->fin_ifp = ifp;
2002 (void) send_icmp_err(ip, ICMP_UNREACH, fin, 1);
2003 fin->fin_ifp = sifp;
2004 fin->fin_icode = code;
2005 }
2006 m_freem(m);
2007 goto done;
2008 }
2009
2010
2011 /*
2012 * Return true or false depending on whether the route to the
2013 * given IP address uses the same interface as the one passed.
2014 */
2015 int fr_verifysrc(ipa, ifp)
2016 struct in_addr ipa;
2017 void *ifp;
2018 {
2019 struct sockaddr_in *dst;
2020 struct route iproute;
2021
2022 bzero((char *)&iproute, sizeof(iproute));
2023 dst = (struct sockaddr_in *)&iproute.ro_dst;
2024 # if (BSD >= 199306)
2025 dst->sin_len = sizeof(*dst);
2026 # endif
2027 dst->sin_family = AF_INET;
2028 dst->sin_addr = ipa;
2029 # if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \
2030 !defined(__OpenBSD__)
2031 # ifdef RTF_CLONING
2032 rtalloc_ign(&iproute, RTF_CLONING);
2033 # else
2034 rtalloc_ign(&iproute, RTF_PRCLONING);
2035 # endif
2036 # else
2037 rtalloc(&iproute);
2038 # endif
2039 if (iproute.ro_rt == NULL)
2040 return 0;
2041 return (ifp == iproute.ro_rt->rt_ifp);
2042 }
2043
2044
2045 # ifdef USE_GETIFNAME
2046 char *
2047 get_ifname(ifp)
2048 struct ifnet *ifp;
2049 {
2050 static char workbuf[64];
2051
2052 ksprintf(workbuf, "%s%d", ifp->if_name, ifp->if_unit);
2053 return workbuf;
2054 }
2055 # endif
2056
2057
2058 # if defined(USE_INET6)
2059 /*
2060 * This is the IPv6 specific fastroute code. It doesn't clean up the mbuf's
2061 * or ensure that it is an IPv6 packet that is being forwarded, those are
2062 * expected to be done by the called (ipfr_fastroute).
2063 */
2064 static int ipfr_fastroute6(m0, mpp, fin, fdp)
2065 struct mbuf *m0, **mpp;
2066 fr_info_t *fin;
2067 frdest_t *fdp;
2068 {
2069 struct route_in6 ip6route;
2070 struct sockaddr_in6 *dst6;
2071 struct route_in6 *ro;
2072 struct ifnet *ifp;
2073 frentry_t *fr;
2074 #if defined(OpenBSD) && (OpenBSD >= 200211)
2075 struct route_in6 *ro_pmtu = NULL;
2076 struct in6_addr finaldst;
2077 ip6_t *ip6;
2078 #endif
2079 u_long mtu;
2080 int error;
2081
2082 ro = &ip6route;
2083 fr = fin->fin_fr;
2084 bzero((caddr_t)ro, sizeof(*ro));
2085 dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
2086 dst6->sin6_family = AF_INET6;
2087 dst6->sin6_len = sizeof(struct sockaddr_in6);
2088 dst6->sin6_addr = fin->fin_fi.fi_dst.in6;
2089
2090 if (fdp != NULL)
2091 ifp = fdp->fd_ifp;
2092 else
2093 ifp = fin->fin_ifp;
2094
2095 if ((fr != NULL) && (fin->fin_rev != 0)) {
2096 if ((ifp != NULL) && (fdp == &fr->fr_tif))
2097 return 0;
2098 } else if (fdp != NULL) {
2099 if (IP6_NOTZERO(&fdp->fd_ip6))
2100 dst6->sin6_addr = fdp->fd_ip6.in6;
2101 }
2102 if (ifp == NULL)
2103 return -2;
2104
2105 #if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__)
2106 /* KAME */
2107 if (IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr))
2108 dst6->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
2109 #endif
2110 rtalloc((struct route *)ro);
2111
2112 if ((ifp == NULL) && (ro->ro_rt != NULL))
2113 ifp = ro->ro_rt->rt_ifp;
2114
2115 if ((ro->ro_rt == NULL) || (ifp == NULL) ||
2116 (ifp != ro->ro_rt->rt_ifp)) {
2117 error = EHOSTUNREACH;
2118 } else {
2119 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
2120 dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway;
2121 ro->ro_rt->rt_use++;
2122
2123 #if defined(OpenBSD) && (OpenBSD >= 200211)
2124 ip6 = mtod(m0, ip6_t *);
2125 ro_pmtu = ro;
2126 finaldst = ip6->ip6_dst;
2127 error = ip6_getpmtu(ro_pmtu, ro, ifp, &finaldst, &mtu);
2128 if (error == 0) {
2129 #else
2130 #ifdef ND_IFINFO
2131 mtu = ND_IFINFO(ifp)->linkmtu;
2132 #else
2133 mtu = nd_ifinfo[ifp->if_index].linkmtu;
2134 #endif
2135 #endif
2136 if (m0->m_pkthdr.len <= mtu)
2137 error = nd6_output(ifp, fin->fin_ifp, m0,
2138 dst6, ro->ro_rt);
2139 else
2140 error = EMSGSIZE;
2141 #if defined(OpenBSD) && (OpenBSD >= 200211)
2142 }
2143 #endif
2144 }
2145
2146 if (ro->ro_rt != NULL) {
2147 RTFREE(ro->ro_rt);
2148 }
2149 return error;
2150 }
2151 # endif
2152 #else /* #ifdef _KERNEL */
2153
2154
2155 # if defined(__sgi) && (IRIX < 605)
2156 static int no_output (struct ifnet *ifp, struct mbuf *m,
2157 struct sockaddr *s)
2158 # else
2159 static int no_output (struct ifnet *ifp, struct mbuf *m,
2160 struct sockaddr *s, struct rtentry *rt)
2161 # endif
2162 {
2163 return 0;
2164 }
2165
2166
2167 # ifdef __STDC__
2168 # if defined(__sgi) && (IRIX < 605)
2169 static int write_output (struct ifnet *ifp, struct mbuf *m,
2170 struct sockaddr *s)
2171 # else
2172 static int write_output (struct ifnet *ifp, struct mbuf *m,
2173 struct sockaddr *s, struct rtentry *rt)
2174 # endif
2175 {
2176 ip_t *ip = (ip_t *)m;
2177 # else
2178 static int write_output(ifp, ip)
2179 struct ifnet *ifp;
2180 ip_t *ip;
2181 {
2182 # endif
2183 char fname[32];
2184 int fd;
2185
2186 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
2187 (defined(OpenBSD) && (OpenBSD >= 199603)) || \
2188 (defined(__DragonFly__))
2189 ksprintf(fname, "%s", ifp->if_xname);
2190 # else
2191 ksprintf(fname, "%s%d", ifp->if_name, ifp->if_unit);
2192 # endif
2193 fd = open(fname, O_WRONLY|O_APPEND);
2194 if (fd == -1) {
2195 perror("open");
2196 return -1;
2197 }
2198 write(fd, (char *)ip, ntohs(ip->ip_len));
2199 close(fd);
2200 return 0;
2201 }
2202
2203
2204 char *get_ifname(ifp)
2205 struct ifnet *ifp;
2206 {
2207 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
2208 (defined(OpenBSD) && (OpenBSD >= 199603)) || \
2209 (defined(__DragonFly__))
2210 return ifp->if_xname;
2211 # else
2212 static char fullifname[LIFNAMSIZ];
2213
2214 ksprintf(fullifname, "%s%d", ifp->if_name, ifp->if_unit);
2215 return fullifname;
2216 # endif
2217 }
2218
2219
2220 struct ifnet *get_unit(ifname, v)
2221 char *ifname;
2222 int v;
2223 {
2224 struct ifnet *ifp, **ifa, **old_ifneta;
2225
2226 for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
2227 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
2228 (defined(OpenBSD) && (OpenBSD >= 199603)) || \
2229 (defined(__DragonFly__))
2230 if (!strncmp(ifname, ifp->if_xname, sizeof(ifp->if_xname)))
2231 # else
2232 char fullname[LIFNAMSIZ];
2233
2234 ksprintf(fullname, "%s%d", ifp->if_name, ifp->if_unit);
2235 if (!strcmp(ifname, fullname))
2236 # endif
2237 return ifp;
2238 }
2239
2240 if (!ifneta) {
2241 ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
2242 if (!ifneta)
2243 return NULL;
2244 ifneta[1] = NULL;
2245 ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
2246 if (!ifneta[0]) {
2247 free(ifneta);
2248 return NULL;
2249 }
2250 nifs = 1;
2251 } else {
2252 old_ifneta = ifneta;
2253 nifs++;
2254 ifneta = (struct ifnet **)realloc(ifneta,
2255 (nifs + 1) * sizeof(*ifa));
2256 if (!ifneta) {
2257 free(old_ifneta);
2258 nifs = 0;
2259 return NULL;
2260 }
2261 ifneta[nifs] = NULL;
2262 ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
2263 if (!ifneta[nifs - 1]) {
2264 nifs--;
2265 return NULL;
2266 }
2267 }
2268 ifp = ifneta[nifs - 1];
2269
2270 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
2271 (defined(OpenBSD) && (OpenBSD >= 199603)) || \
2272 (defined(__DragonFly__))
2273 strncpy(ifp->if_xname, ifname, sizeof(ifp->if_xname));
2274 # else
2275 ifp->if_name = strdup(ifname);
2276
2277 ifname = ifp->if_name;
2278 while (*ifname && !isdigit(*ifname))
2279 ifname++;
2280 if (*ifname && isdigit(*ifname)) {
2281 ifp->if_unit = atoi(ifname);
2282 *ifname = '\0';
2283 } else
2284 ifp->if_unit = -1;
2285 # endif
2286 ifp->if_output = no_output;
2287 return ifp;
2288 }
2289
2290
2291
2292 void init_ifp()
2293 {
2294 struct ifnet *ifp, **ifa;
2295 char fname[32];
2296 int fd;
2297
2298 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
2299 (defined(OpenBSD) && (OpenBSD >= 199603)) || \
2300 (defined(__DragonFly__))
2301 for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
2302 ifp->if_output = write_output;
2303 ksprintf(fname, "/tmp/%s", ifp->if_xname);
2304 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
2305 if (fd == -1)
2306 perror("open");
2307 else
2308 close(fd);
2309 }
2310 # else
2311
2312 for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
2313 ifp->if_output = write_output;
2314 ksprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
2315 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
2316 if (fd == -1)
2317 perror("open");
2318 else
2319 close(fd);
2320 }
2321 # endif
2322 }
2323
2324
2325 int send_reset(ip, fin)
2326 ip_t *ip;
2327 fr_info_t *fin;
2328 {
2329 verbose("- TCP RST sent\n");
2330 return 0;
2331 }
2332
2333
2334 int send_icmp_err(ip, code, fin, dst)
2335 ip_t *ip;
2336 int code;
2337 fr_info_t *fin;
2338 int dst;
2339 {
2340 verbose("- ICMP UNREACHABLE sent\n");
2341 return 0;
2342 }
2343
2344
2345 void frsync()
2346 {
2347 return;
2348 }
2349
2350 void m_copydata(m, off, len, cp)
2351 mb_t *m;
2352 int off, len;
2353 caddr_t cp;
2354 {
2355 bcopy((char *)m + off, cp, len);
2356 }
2357
2358
2359 int ipfuiomove(buf, len, rwflag, uio)
2360 caddr_t buf;
2361 int len, rwflag;
2362 struct uio *uio;
2363 {
2364 int left, ioc, num, offset;
2365 struct iovec *io;
2366 char *start;
2367
2368 if (rwflag == UIO_READ) {
2369 left = len;
2370 ioc = 0;
2371
2372 offset = uio->uio_offset;
2373
2374 while ((left > 0) && (ioc < uio->uio_iovcnt)) {
2375 io = uio->uio_iov + ioc;
2376 num = io->iov_len;
2377 if (num > left)
2378 num = left;
2379 start = (char *)io->iov_base + offset;
2380 if (start > (char *)io->iov_base + io->iov_len) {
2381 offset -= io->iov_len;
2382 ioc++;
2383 continue;
2384 }
2385 bcopy(buf, start, num);
2386 uio->uio_resid -= num;
2387 uio->uio_offset += num;
2388 left -= num;
2389 if (left > 0)
2390 ioc++;
2391 }
2392 if (left > 0)
2393 return EFAULT;
2394 }
2395 return 0;
2396 }
2397 #endif /* _KERNEL */
DragonFly BSD