Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Upgraded IPFilter to v4.1.23

This commit is contained in:
martin 2007-06-16 10:52:24 +00:00
parent 03f2531d69
commit c77a3f5aad
19 changed files with 514 additions and 291 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
dist/ipf/HISTORY vendored
View File

@ -10,6 +10,28 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
4.1.23 - Released 31 May 2007
NAT was not always correctly fixing ICMP headers for errors
some TCP state steps when closing do not update timeouts, leading to
them being removed prematurely.
fix compilation problems for netbsd 4.99
protect enumeration of lists in the kernel from callout interrupts on
BSD without locking
fix various problems with IPv6 header checks: TCP/UDP checksum validation
was not being done, fragmentation header parsed dangerously and routing
header prevented others from being seen
fix gcc 4.2 compiler warnings
fix TCP/UDP checksum calculation for IPv6
fix reference after free'ing ipftoken memory
4.1.22 - Released 13 May 2007
fix endless loop when flushing state/NAT by idle time

8
dist/ipf/ip_fil.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_fil.c,v 1.13 2007/06/04 12:38:58 martti Exp $ */
/* $NetBSD: ip_fil.c,v 1.14 2007/06/16 10:52:24 martin Exp $ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.133.2.15 2007/05/01 22:14:59 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.133.2.16 2007/05/28 11:56:22 darrenr Exp";
#endif
#ifndef SOLARIS
@ -461,7 +461,7 @@ int v;
ifp->if_unit = -1;
}
#endif
ifp->if_output = no_output;
ifp->if_output = (void *)no_output;
if (addr != NULL) {
fr_setifpaddr(ifp, addr);
@ -497,7 +497,7 @@ void init_ifp()
(defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
ifp->if_output = write_output;
ifp->if_output = (void *)write_output;
sprintf(fname, "/tmp/%s", ifp->if_xname);
fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
if (fd == -1)

11
dist/ipf/ip_lookup.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_lookup.c,v 1.4 2007/04/16 02:36:24 dogcow Exp $ */
/* $NetBSD: ip_lookup.c,v 1.5 2007/06/16 10:52:25 martin Exp $ */
/*
* Copyright (C) 2002-2003 by Darren Reed.
@ -60,7 +60,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.14 2007/02/17 12:41:42 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.15 2007/05/26 13:05:13 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
@ -289,8 +289,7 @@ caddr_t data;
ip_pool_t *p;
int err;
err = 0;
BCOPYIN(data, &op, sizeof(op));
err = BCOPYIN(data, &op, sizeof(op));
if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX)
return EINVAL;
@ -574,6 +573,7 @@ void *ctx;
ipflookupiter_t iter;
ipftoken_t *token;
int err;
SPL_INT(s);
err = fr_inobj(data, &iter, IPFOBJ_LOOKUPITER);
if (err != 0)
@ -585,9 +585,11 @@ void *ctx;
if (iter.ili_ival != IPFGENITER_LOOKUP)
return EINVAL;
SPL_SCHED(s);
token = ipf_findtoken(iter.ili_key, uid, ctx);
if (token == NULL) {
RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
return ESRCH;
}
@ -604,6 +606,7 @@ void *ctx;
break;
}
RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
return err;
}

6
dist/ipf/ip_scan.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_scan.c,v 1.1.1.6 2007/05/01 19:00:58 martti Exp $ */
/* $NetBSD: ip_scan.c,v 1.2 2007/06/16 10:52:25 martin Exp $ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
@ -576,7 +576,7 @@ int mode, uid;
void *ctx;
{
ipscanstat_t ipscs;
int err = 0;
int err;
switch (cmd)
{
@ -589,7 +589,7 @@ void *ctx;
case SIOCGSCST :
bcopy((char *)&ipsc_stat, (char *)&ipscs, sizeof(ipscs));
ipscs.iscs_list = ipsc_list;
BCOPYOUT(&ipscs, data, sizeof(ipscs));
err = BCOPYOUT(&ipscs, data, sizeof(ipscs));
break;
default :
err = EINVAL;

6
dist/ipf/tools/ipfstat.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ipfstat.c,v 1.14 2007/05/15 22:52:23 martin Exp $ */
/* $NetBSD: ipfstat.c,v 1.15 2007/06/16 10:52:25 martin Exp $ */
/*
* Copyright (C) 2002-2006 by Darren Reed.
@ -71,7 +71,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipfstat.c,v 1.44.2.21 2007/05/11 10:44:16 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipfstat.c,v 1.44.2.23 2007/05/31 13:13:02 darrenr Exp";
#endif
#ifdef __hpux
@ -1117,6 +1117,8 @@ ips_stat_t *ipsp;
PRINTF("\nState table bucket statistics:\n");
PRINTF("\t%lu in use\t\n", ipsp->iss_inuse);
PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ?
(u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0);
minlen = ipsp->iss_max;
totallen = 0;

5
dist/ipf/tools/ipmon.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ipmon.c,v 1.9 2007/04/14 20:34:34 martin Exp $ */
/* $NetBSD: ipmon.c,v 1.10 2007/06/16 10:52:26 martin Exp $ */
/*
* Copyright (C) 2001-2006 by Darren Reed.
@ -78,7 +78,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipmon.c,v 1.33.2.17 2006/12/18 15:27:58 darrenr Exp";
static const char rcsid[] = "@(#)Id: ipmon.c,v 1.33.2.18 2007/05/27 11:12:12 darrenr Exp";
#endif
@ -1653,6 +1653,7 @@ char *argv[];
if (!tr)
continue;
nr += tr;
n = 0;
tr = read_log(fd[i], &n, buf, sizeof(buf));
if (donehup) {

8
regress/sys/kern/ipf/Makefile
View File

@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.16 2007/05/07 07:06:30 martti Exp $
# $NetBSD: Makefile,v 1.17 2007/06/16 10:52:31 martin Exp $
#
# (C)opyright 1993-1996 by Darren Reed.
#
@ -38,7 +38,7 @@ logtests: l1
pools: p1 p2 p3 p5 ip1 ip2
ipv6: ipv6.1 ipv6.2 ipv6.3
ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6.5
bpf: bpf1 bpf-f1
@ -74,7 +74,7 @@ l1:
@${HOST_SH} ${.CURDIR}/logtest ${.CURDIR} \
`${AWK} "/^$@ / { print; } " ${.CURDIR}/test.format`
ipv6.1 ipv6.2 ipv6.3:
ipv6.1 ipv6.2 ipv6.3 ipv6.5:
@${HOST_SH} ${.CURDIR}/dotest6 ${.CURDIR} \
`${AWK} "/^$@ / { print; } " ${.CURDIR}/test.format`
@ -119,7 +119,7 @@ clean:
/bin/rm -f in1 in2 in3 in4 in5 in6
/bin/rm -f p1 p2 p3 p5 ip1 ip2
/bin/rm -f l1
/bin/rm -f ipv6.1 ipv6.2 ipv6.3
/bin/rm -f ipv6.1 ipv6.2 ipv6.3 ipv6.5
/bin/rm -f bpf1 bpf-f1
/bin/rm -f results/* logout
/bin/rm -rf results

172
sys/dist/ipf/netinet/fil.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: fil.c,v 1.36 2007/06/04 12:38:58 martti Exp $ */
/* $NetBSD: fil.c,v 1.37 2007/06/16 10:52:26 martin Exp $ */
/*
* Copyright (C) 1993-2003 by Darren Reed.
@ -154,10 +154,10 @@ struct file;
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.36 2007/06/04 12:38:58 martti Exp $");
__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.37 2007/06/16 10:52:26 martin Exp $");
#else
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: fil.c,v 2.243.2.104 2007/05/11 13:41:51 darrenr Exp";
static const char rcsid[] = "@(#)Id: fil.c,v 2.243.2.109 2007/05/31 12:27:33 darrenr Exp";
#endif
#endif
@ -551,7 +551,16 @@ int multiple, proto;
return IPPROTO_NONE;
hdr = fin->fin_dp;
shift = 8 + (hdr->ip6e_len << 3);
switch (proto)
{
case IPPROTO_FRAGMENT :
shift = 8;
break;
default :
shift = 8 + (hdr->ip6e_len << 3);
break;
}
if (shift > fin->fin_dlen) { /* Nasty extension header length? */
fin->fin_flx |= FI_BAD;
return IPPROTO_NONE;
@ -570,6 +579,7 @@ int multiple, proto;
break;
}
fin->fin_exthdr = fin->fin_dp;
fin->fin_dp = (char *)fin->fin_dp + shift;
fin->fin_dlen -= shift;
@ -619,24 +629,22 @@ static INLINE int frpr_routing6(fin)
fr_info_t *fin;
{
struct ip6_ext *hdr;
int shift;
if (frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING) == IPPROTO_NONE)
return IPPROTO_NONE;
hdr = fin->fin_exthdr;
hdr = fin->fin_dp;
shift = 8 + (hdr->ip6e_len << 3);
/*
* Nasty extension header length?
*/
if ((shift < sizeof(struct ip6_hdr)) ||
((shift - sizeof(struct ip6_hdr)) & 15)) {
if ((hdr->ip6e_len & 1) != 0) {
/*
* The routing header data is made up of 128 bit IPv6 addresses
* which means it must be a multiple of 2 lots of 8 in length.
*/
fin->fin_flx |= FI_BAD;
/*
* Compensate for the changes made in frpr_ipv6exthdr()
*/
fin->fin_dlen += shift;
fin->fin_dp = (char *)fin->fin_dp - shift;
fin->fin_dlen += 8 + (hdr->ip6e_len << 3);
fin->fin_dp = hdr;
return IPPROTO_NONE;
}
@ -662,16 +670,20 @@ static INLINE void frpr_fragment6(fin)
fr_info_t *fin;
{
struct ip6_frag *frag;
int extoff;
fin->fin_flx |= FI_FRAG;
if (frpr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT) == IPPROTO_NONE)
return;
extoff = (char *)fin->fin_exthdr - (char *)fin->fin_dp;
if (frpr_pullup(fin, sizeof(*frag)) == -1)
return;
frag = fin->fin_dp;
fin->fin_exthdr = (char *)fin->fin_dp + extoff;
frag = fin->fin_exthdr;
/*
* Fragment but no fragmentation info set? Bad packet...
*/
@ -787,8 +799,13 @@ fr_info_t *fin;
frpr_short6(fin, sizeof(struct udphdr));
if (frpr_udpcommon(fin) == 0)
if (frpr_udpcommon(fin) == 0) {
u_char p = fin->fin_p;
fin->fin_p = IPPROTO_UDP;
fr_checkv6sum(fin);
fin->fin_p = p;
}
}
@ -807,8 +824,13 @@ fr_info_t *fin;
frpr_short6(fin, sizeof(struct tcphdr));
if (frpr_tcpcommon(fin) == 0)
if (frpr_tcpcommon(fin) == 0) {
u_char p = fin->fin_p;
fin->fin_p = IPPROTO_TCP;
fr_checkv6sum(fin);
fin->fin_p = p;
}
}
@ -2865,6 +2887,7 @@ int len;
/* ip(I) - pointer to IP header */
/* l4proto(I) - protocol to caclulate checksum for */
/* l4hdr(I) - pointer to layer 4 header */
/* l3len(I) - length of layer 4 data plus layer 3 header */
/* */
/* Calculates the TCP checksum for the packet held in "m", using the data */
/* in the IP header "ip" to seed it. */
@ -2873,6 +2896,8 @@ int len;
/* and the TCP header. We also assume that data blocks aren't allocated in */
/* odd sizes. */
/* */
/* For IPv6, l3len excludes extension header size. */
/* */
/* Expects ip_len to be in host byte order when called. */
/* ------------------------------------------------------------------------ */
#ifdef INET
@ -2916,9 +2941,9 @@ void *l4hdr;
} else if (IP_V(ip) == 6) {
ip6 = (ip6_t *)ip;
hlen = sizeof(*ip6);
slen = ntohs(l3len);
slen = l3len - hlen;
sum = htons((u_short)l4proto);
sum += slen;
sum += htons(slen);
sp = (u_short *)&ip6->ip6_src;
sum += *sp++; /* ip6_src */
sum += *sp++;
@ -3104,6 +3129,12 @@ nodata:
# endif /* defined(BSD) || defined(sun) */
# endif /* MENTAT */
#else /* _KERNEL */
/*
* Add up IP Header portion
*/
if (sp != (u_short *)l4hdr)
sp = (u_short *)l4hdr;
for (; slen > 1; slen -= 2)
sum += *sp++;
if (slen)
@ -3150,7 +3181,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
* Id: fil.c,v 2.243.2.104 2007/05/11 13:41:51 darrenr Exp
* Id: fil.c,v 2.243.2.109 2007/05/31 12:27:33 darrenr Exp
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@ -5690,13 +5721,15 @@ fr_info_t *fin;
if (csump != NULL)
hdrsum = *csump;
if (dosum)
if (dosum) {
#ifdef INET
sum = fr_cksum(fin->fin_m, fin->fin_ip,
fin->fin_p, fin->fin_dp, fin->fin_plen);
fin->fin_p, fin->fin_dp,
fin->fin_dlen + fin->fin_hlen);
#else
return 1;
#endif
}
#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
}
#endif
@ -5994,7 +6027,7 @@ ipftuneable_t ipf_tuneables[] = {
sizeof(ipl_logsize), 0, NULL },
#endif
{ { NULL }, NULL, 0, 0,
0, 0, NULL }
0, 0, NULL }
};
static ipftuneable_t *ipf_tunelist = NULL;
@ -6305,6 +6338,8 @@ int fr_initialise()
{
int i;
bzero(&frstats, sizeof(frstats));
#ifdef IPFILTER_LOG
i = fr_loginit();
if (i < 0)
@ -6413,7 +6448,7 @@ void *data;
return EFAULT;
WRITE_ENTER(&ipf_mutex);
bzero((char *)frstats, sizeof(*frstats) * 2);
bzero(&frstats, sizeof(frstats));
RWLOCK_EXIT(&ipf_mutex);
return 0;
@ -6564,6 +6599,9 @@ void *ptr;
/* matches the tuple (type, uid, ptr). If one cannot be found then one is */
/* allocated. If one is found then it is moved to the top of the list of */
/* currently active tokens. */
/* */
/* NOTE: It is by design that this function returns holding a read lock on */
/* ipf_tokens. Callers must make sure they release it! */
/* ------------------------------------------------------------------------ */
ipftoken_t *ipf_findtoken(type, uid, ptr)
int type, uid;
@ -6928,7 +6966,8 @@ int mode, uid;
void *ctx;
{
friostat_t fio;
int error = 0, tmp;
int error, tmp;
SPL_INT(s);
switch (cmd)
{
@ -6936,7 +6975,12 @@ void *ctx;
if (!(mode & FWRITE))
error = EPERM;
else {
BCOPYIN(data, &tmp, sizeof(tmp));
error = BCOPYIN((caddr_t)data, (caddr_t)&tmp,
sizeof(tmp));
if (error != 0) {
error = EFAULT;
break;
}
RWLOCK_EXIT(&ipf_global);
WRITE_ENTER(&ipf_global);
@ -6972,12 +7016,18 @@ void *ctx;
if (!(mode & FWRITE))
error = EPERM;
else {
BCOPYIN(data, &fr_flags, sizeof(fr_flags));
error = BCOPYIN((caddr_t)data, (caddr_t)&fr_flags,
sizeof(fr_flags));
if (error != 0)
error = EFAULT;
}
break;
case SIOCGETFF :
BCOPYOUT(&fr_flags, data, sizeof(fr_flags));
error = BCOPYOUT((caddr_t)&fr_flags, (caddr_t)data,
sizeof(fr_flags));
if (error != 0)
error = EFAULT;
break;
case SIOCFUNCL :
@ -7011,8 +7061,12 @@ void *ctx;
else {
WRITE_ENTER(&ipf_mutex);
bzero((char *)frcache, sizeof(frcache[0]) * 2);
BCOPYOUT(&fr_active, data, sizeof(fr_active));
fr_active = 1 - fr_active;
error = BCOPYOUT((caddr_t)&fr_active, (caddr_t)data,
sizeof(fr_active));
if (error != 0)
error = EFAULT;
else
fr_active = 1 - fr_active;
RWLOCK_EXIT(&ipf_mutex);
}
break;
@ -7033,9 +7087,16 @@ void *ctx;
if (!(mode & FWRITE))
error = EPERM;
else {
BCOPYIN(data, &tmp, sizeof(tmp));
tmp = frflush(IPL_LOGIPF, 4, tmp);
BCOPYOUT(&tmp, data, sizeof(tmp));
error = BCOPYIN((caddr_t)data, (caddr_t)&tmp,
sizeof(tmp));
if (!error) {
tmp = frflush(IPL_LOGIPF, 4, tmp);
error = BCOPYOUT((caddr_t)&tmp, (caddr_t)data,
sizeof(tmp));
if (error != 0)
error = EFAULT;
} else
error = EFAULT;
}
break;
@ -7044,19 +7105,29 @@ void *ctx;
if (!(mode & FWRITE))
error = EPERM;
else {
BCOPYIN(data, &tmp, sizeof(tmp));
tmp = frflush(IPL_LOGIPF, 6, tmp);
BCOPYOUT(&tmp, data, sizeof(tmp));
error = BCOPYIN((caddr_t)data, (caddr_t)&tmp,
sizeof(tmp));
if (!error) {
tmp = frflush(IPL_LOGIPF, 6, tmp);
error = BCOPYOUT((caddr_t)&tmp, (caddr_t)data,
sizeof(tmp));
if (error != 0)
error = EFAULT;
} else
error = EFAULT;
}
break;
#endif
case SIOCSTLCK :
BCOPYIN(data, &tmp, sizeof(tmp));
fr_state_lock = tmp;
fr_nat_lock = tmp;
fr_frag_lock = tmp;
fr_auth_lock = tmp;
error = BCOPYIN((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
if (error == 0) {
fr_state_lock = tmp;
fr_nat_lock = tmp;
fr_frag_lock = tmp;
fr_auth_lock = tmp;
} else
error = EFAULT;
break;
#ifdef IPFILTER_LOG
@ -7065,7 +7136,10 @@ void *ctx;
error = EPERM;
else {
tmp = ipflog_clear(IPL_LOGIPF);
BCOPYOUT(&tmp, data, sizeof(tmp));
error = BCOPYOUT((caddr_t)&tmp, (caddr_t)data,
sizeof(tmp));
if (error)
error = EFAULT;
}
break;
#endif /* IPFILTER_LOG */
@ -7095,21 +7169,29 @@ void *ctx;
case FIONREAD :
tmp = (int)iplused[IPL_LOGIPF];
BCOPYOUT(&tmp, data, sizeof(tmp));
error = BCOPYOUT((caddr_t)&tmp, (caddr_t)data, sizeof(tmp));
break;
#endif
case SIOCIPFITER :
SPL_SCHED(s);
error = ipf_frruleiter(data, uid, ctx);
SPL_X(s);
break;
case SIOCGENITER :
SPL_SCHED(s);
error = ipf_genericiter(data, uid, ctx);
SPL_X(s);
break;
break;
case SIOCIPFDELTOK :
BCOPYIN(data, &tmp, sizeof(tmp));
error = ipf_deltoken(tmp, uid, ctx);
SPL_SCHED(s);
error = BCOPYIN((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
if (error == 0)
error = ipf_deltoken(tmp, uid, ctx);
SPL_X(s);
break;
default :

15
sys/dist/ipf/netinet/ip_auth.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_auth.c,v 1.10 2007/04/14 20:34:35 martin Exp $ */
/* $NetBSD: ip_auth.c,v 1.11 2007/06/16 10:52:26 martin Exp $ */
/*
* Copyright (C) 1998-2003 by Darren Reed & Guido van Rooij.
@ -121,9 +121,9 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.10 2007/04/14 20:34:35 martin Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.11 2007/06/16 10:52:26 martin Exp $");
#else
static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.73.2.18 2006/12/16 17:12:56 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.73.2.20 2007/05/29 13:48:54 darrenr Exp";
#endif
#endif
@ -425,12 +425,14 @@ void *ctx;
if (error != 0)
break;
SPL_SCHED(s);
token = ipf_findtoken(IPFGENITER_AUTH, uid, ctx);
if (token != NULL)
error = fr_authgeniter(token, &iter);
else
error = ESRCH;
RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
break;
}
@ -761,8 +763,12 @@ ipfgeniter_t *itp;
* so that it can be used for is_next when we come back.
*/
ATOMIC_INC(next->fae_ref);
if (next->fae_next == NULL)
if (next->fae_next == NULL) {
ipf_freetoken(token);
token = NULL;
} else {
token->ipt_data = next;
}
} else {
bzero(&zero, sizeof(zero));
next = &zero;
@ -777,7 +783,6 @@ ipfgeniter_t *itp;
fr_authderef(&fae);
RWLOCK_EXIT(&ipf_auth);
}
token->ipt_data = next;
/*
* This should arguably be via fr_outobj() so that the auth

35
sys/dist/ipf/netinet/ip_compat.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_compat.h,v 1.17 2007/05/15 22:52:48 martin Exp $ */
/* $NetBSD: ip_compat.h,v 1.18 2007/06/16 10:52:27 martin Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_compat.h 1.8 1/14/96
* Id: ip_compat.h,v 2.142.2.44 2007/05/12 09:48:16 darrenr Exp
* Id: ip_compat.h,v 2.142.2.48 2007/05/31 12:27:34 darrenr Exp
*/
#ifndef _NETINET_IP_COMPAT_H_
@ -245,6 +245,7 @@ typedef unsigned int u_32_t;
# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
# define KFREES(x,s) kmem_free((char *)(x), (s))
# define SPL_SCHED(x) ;
# define SPL_NET(x) ;
# define SPL_IMP(x) ;
# undef SPL_X
@ -417,6 +418,7 @@ typedef struct iplog_select_s {
# define RW_DESTROY(x)
# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
# define SPL_SCHED(x) ;
# define SPL_NET(x) ;
# define SPL_IMP(x) ;
# undef SPL_X
@ -584,6 +586,7 @@ typedef struct {
# define USE_SPL 1
# define SPL_IMP(x) (x) = splimp()
# define SPL_NET(x) (x) = splnet()
# define SPL_SCHED(x) (x) = splsched()
# define SPL_X(x) (void) splx(x)
extern void m_copydata __P((struct mbuf *, int, int, void *));
extern void m_copyback __P((struct mbuf *, int, int, void *));
@ -644,6 +647,7 @@ typedef struct mbuf mb_t;
simple_unlock(&ipf_rw); }
# define ATOMIC_DEC(x) { simple_lock(&ipf_rw); (x)--; \
simple_unlock(&ipf_rw); }
# define SPL_SCHED(x) ;
# define SPL_NET(x) ;
# define SPL_IMP(x) ;
# undef SPL_X
@ -709,6 +713,9 @@ typedef unsigned int u_32_t;
/* N E T B S D */
/* ----------------------------------------------------------------------- */
#ifdef __NetBSD__
# if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
# include "opt_ipfilter.h"
# endif
# if defined(_KERNEL)
# include <sys/systm.h>
# else
@ -728,6 +735,9 @@ typedef unsigned int u_32_t;
# endif
# ifdef _KERNEL
# if (__NetBSD_Version__ >= 499000000)
typedef char * caddr_t;
# endif
# if (__NetBSD_Version__ >= 399001400)
# define KMALLOCS(a, b, c) (a) = (b)malloc((c), _M_IPF, M_NOWAIT)
# endif
@ -736,18 +746,10 @@ typedef unsigned int u_32_t;
# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
# define GETKTIME(x) microtime((struct timeval *)x)
# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
#if __NetBSD_Version__ >= 499001000
typedef unsigned char * caddr_t;
# define COPYIN(a,b,c) copyin((a), (b), (c))
# define COPYOUT(a,b,c) copyout((a), (b), (c))
# define BCOPYIN(a,b,c) bcopy((a), (b), (c))
# define BCOPYOUT(a,b,c) bcopy((a), (b), (c))
#else
# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
#endif
# define BCOPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
# define BCOPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
typedef struct mbuf mb_t;
# endif /* _KERNEL */
# if (NetBSD <= 1991011) && (NetBSD >= 199606)
@ -893,15 +895,16 @@ typedef u_int32_t u_32_t;
mtx_unlock(&ipf_rw.ipf_lk); }
# define ATOMIC_INCL(x) atomic_add_long(&(x), 1)
# define ATOMIC_INC64(x) ATOMIC_INC(x)
# define ATOMIC_INC32(x) atomic_add_32(&(x), 1)
# define ATOMIC_INC32(x) atomic_add_32((u_int *)&(x), 1)
# define ATOMIC_INC16(x) atomic_add_16(&(x), 1)
# define ATOMIC_DECL(x) atomic_add_long(&(x), -1)
# define ATOMIC_DEC64(x) ATOMIC_DEC(x)
# define ATOMIC_DEC32(x) atomic_add_32(&(x), -1)
# define ATOMIC_DEC32(x) atomic_add_32((u_int *)&(x), -1)
# define ATOMIC_DEC16(x) atomic_add_16(&(x), -1)
# define SPL_X(x) ;
# define SPL_NET(x) ;
# define SPL_IMP(x) ;
# define SPL_SCHED(x) ;
extern int in_cksum __P((struct mbuf *, int));
# endif /* __FreeBSD_version >= 500043 */
# define MSGDSIZE(x) mbufchainlen(x)
@ -1115,6 +1118,7 @@ struct ip6_ext {
MUTEX_EXIT(&ipf_rw)
# define ATOMIC_DEC16(x) MUTEX_ENTER(&ipf_rw); (x)--; \
MUTEX_EXIT(&ipf_rw)
# define SPL_SCHED(x) do { } while (0)
# define SPL_IMP(x) do { } while (0)
# define SPL_NET(x) do { } while (0)
# define SPL_X(x) do { } while (0)
@ -1264,6 +1268,7 @@ typedef u_int32_t u_32_t;
MUTEX_EXIT(&ipf_rw); }
# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
MUTEX_EXIT(&ipf_rw); }
# define SPL_SCHED(x) x = splsched()
# define SPL_NET(x) x = splnet()
# define SPL_IMP(x) x = splimp()
# undef SPL_X
@ -1441,6 +1446,7 @@ typedef struct mb_s {
# define POLLWAKEUP(y) ;
# define IPF_PANIC(x,y) ;
# define PANIC(x,y) ;
# define SPL_SCHED(x) ;
# define SPL_NET(x) ;
# define SPL_IMP(x) ;
# define SPL_X(x) ;
@ -1603,6 +1609,7 @@ MALLOC_DECLARE(M_IPFILTER);
# define SPL_IMP(x) x = splimp()
# define SPL_NET(x) x = splnet()
# endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */
# define SPL_SCHED(x) x = splsched()
# define SPL_X(x) (void) splx(x)
# endif /* !USE_MUTEXES */

13
sys/dist/ipf/netinet/ip_fil.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_fil.h,v 1.12 2007/06/04 12:38:58 martti Exp $ */
/* $NetBSD: ip_fil.h,v 1.13 2007/06/16 10:52:27 martin Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* Id: ip_fil.h,v 2.170.2.43 2007/05/11 13:41:53 darrenr Exp
* Id: ip_fil.h,v 2.170.2.45 2007/05/28 11:56:22 darrenr Exp
*/
#ifndef _NETINET_IP_FIL_H_
@ -331,6 +331,7 @@ typedef struct fr_info {
void *fin_nat;
void *fin_state;
void *fin_nattag;
void *fin_exthdr;
ip_t *fin_ip;
mb_t **fin_mp; /* pointer to pointer to mbuf */
mb_t *fin_m; /* pointer to mbuf */
@ -1345,11 +1346,13 @@ extern int iplioctl __P((dev_t, u_long, void *, int, struct thread *));
# endif /* __FreeBSD_version >= 502116 */
# else
# if (__NetBSD_Version__ >= 499001000)
extern int iplioctl __P((dev_t, u_long, void*, int, struct lwp *));
# elif (__NetBSD_Version__ >= 399001400)
extern int iplioctl __P((dev_t, u_long, void *, int, struct lwp *));
# else
# if (__NetBSD_Version__ >= 399001400)
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct lwp *));
# else
# else
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
# endif
# endif
# endif /* __FreeBSD_version >= 500024 */
# else

234
sys/dist/ipf/netinet/ip_fil_netbsd.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_fil_netbsd.c,v 1.37 2007/06/04 12:38:58 martti Exp $ */
/* $NetBSD: ip_fil_netbsd.c,v 1.38 2007/06/16 10:52:27 martin Exp $ */
/*
* Copyright (C) 1993-2003 by Darren Reed.
@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.49 2007/05/10 06:00:56 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.51 2007/05/31 12:27:35 darrenr Exp";
#endif
#if defined(KERNEL) || defined(_KERNEL)
@ -41,6 +41,9 @@ static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.49 2007/05/10 06:0
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/poll.h>
#if (__NetBSD_Version__ >= 399002000)
# include <sys/kauth.h>
#endif
#if (__NetBSD_Version__ >= 399002000)
#include <sys/kauth.h>
@ -133,12 +136,17 @@ struct selinfo ipfselwait[IPL_LOGSIZE];
const struct cdevsw ipl_cdevsw = {
iplopen, iplclose, iplread, nowrite, iplioctl,
nostop, notty, iplpoll, nommap, nokqfilter, D_OTHER,
nostop, notty, iplpoll, nommap,
# if (__NetBSD_Version__ >= 200000000)
nokqfilter,
# endif
# ifdef D_OTHER
D_OTHER,
# endif
};
#endif
#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000)
# include <net/pfil.h>
@ -518,7 +526,7 @@ struct proc *p;
#endif
dev_t dev;
u_long cmd;
#if __NetBSD_Version__ >= 499001000
#if (__NetBSD_Version__ >= 499001000)
void *data;
#else
caddr_t data;
@ -529,13 +537,17 @@ int mode;
SPL_INT(s);
#if (__NetBSD_Version__ >= 399002000)
if ((mode & FWRITE) && kauth_authorize_network(p->l_cred,
KAUTH_NETWORK_FIREWALL, KAUTH_REQ_NETWORK_FIREWALL_FW,
NULL, NULL, NULL))
#else
if ((securelevel >= 2) && (mode & FWRITE))
#endif
if ((mode & FWRITE) &&
kauth_authorize_network(p->l_cred, KAUTH_NETWORK_FIREWALL,
KAUTH_REQ_NETWORK_FIREWALL_FW, NULL,
NULL, NULL)) {
return EPERM;
}
#else
if ((securelevel >= 2) && (mode & FWRITE)) {
return EPERM;
}
#endif
unit = GET_MINOR(dev);
if ((IPL_LOGMAX < unit) || (unit < 0))
@ -1067,15 +1079,15 @@ frdest_t *fdp;
struct route *ro;
int off, len, hlen, code;
struct ifnet *ifp, *sifp;
#if __NetBSD_Version__ < 499001100
struct sockaddr_in *dst;
#else /* __NetBSD_Version__ < 499001100 */
#if __NetBSD_Version__ >= 499001100
const struct sockaddr *dst;
union {
struct sockaddr dst;
struct sockaddr_in dst4;
struct sockaddr dst;
struct sockaddr_in dst4;
} u;
#endif /* __NetBSD_Version__ < 499001100 */
#else
struct sockaddr_in *dst;
#endif
struct route iproute;
u_short ip_off;
frentry_t *fr;
@ -1107,23 +1119,32 @@ frdest_t *fdp;
m0->m_pkthdr.csuminfo = 0;
# endif /* __NetBSD__ && M_CSUM_IPv4 */
fr = fin->fin_fr;
/*
* Route packet.
*/
ro = &iproute;
memset(ro, 0, sizeof(*ro));
if (fdp != NULL)
ifp = fdp->fd_ifp;
else
ifp = fin->fin_ifp;
fr = fin->fin_fr;
if ((ifp == NULL) && (!fr || !(fr->fr_flags & FR_FASTROUTE))) {
error = -2;
goto bad;
}
/*
* Route packet.
*/
ro = &iproute;
memset(ro, 0, sizeof(*ro));
#if __NetBSD_Version__ < 499001100
# if __NetBSD_Version__ >= 499001100
if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
sockaddr_in_init(&u.dst4, &fdp->fd_ip, 0);
else
sockaddr_in_init(&u.dst4, &ip->ip_dst, 0);
dst = &u.dst;
rtcache_setdst(ro, dst);
rtcache_init(ro);
# else
dst = (struct sockaddr_in *)&ro->ro_dst;
dst->sin_family = AF_INET;
dst->sin_addr = ip->ip_dst;
@ -1132,15 +1153,7 @@ frdest_t *fdp;
dst->sin_addr = fdp->fd_ip;
dst->sin_len = sizeof(*dst);
rtalloc(ro);
#else /* __NetBSD_Version__ < 499001100 */
if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
sockaddr_in_init(&u.dst4, &fdp->fd_ip, 0);
else
sockaddr_in_init(&u.dst4, &ip->ip_dst, 0);
dst = &u.dst;
rtcache_setdst(ro, dst);
rtcache_init(ro);
#endif /* __NetBSD_Version__ < 499001100 */
# endif
if ((ifp == NULL) && (ro->ro_rt != NULL))
ifp = ro->ro_rt->rt_ifp;
@ -1154,13 +1167,15 @@ frdest_t *fdp;
error = ENETUNREACH;
goto bad;
}
#if __NetBSD_Version__ < 499001100
# if __NetBSD_Version__ >= 499001100
if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
#else /* __NetBSD_Version__ < 499001100 */
dst = ro->ro_rt->rt_gateway;
# else
if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst = ro->ro_rt->rt_gateway;
#endif /* __NetBSD_Version__ < 499001100 */
if (ro->ro_rt)
ro->ro_rt->rt_use++;
@ -1227,12 +1242,12 @@ frdest_t *fdp;
if (!ip->ip_sum)
ip->ip_sum = in_cksum(m, hlen);
# endif /* M_CSUM_IPv4 */
#if __NetBSD_Version__ < 499001100
# if __NetBSD_Version__ >= 499001100
error = (*ifp->if_output)(ifp, m, dst, ro->ro_rt);
# else
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
ro->ro_rt);
#else /* __NetBSD_Version__ < 499001100 */
error = (*ifp->if_output)(ifp, m, dst, ro->ro_rt);
#endif /* __NetBSD_Version__ < 499001100 */
# endif
if (i) {
ip->ip_len = ntohs(ip->ip_len);
ip->ip_off = ntohs(ip->ip_off);
@ -1322,18 +1337,18 @@ sendorfree:
for (m = m0; m; m = m0) {
m0 = m->m_act;
m->m_act = 0;
#if __NetBSD_Version__ < 499001100
# if __NetBSD_Version__ >= 499001100
if (error == 0)
error = (*ifp->if_output)(ifp, m, dst, ro->ro_rt);
else
FREE_MB_T(m);
# else
if (error == 0)
error = (*ifp->if_output)(ifp, m,
(struct sockaddr *)dst, ro->ro_rt);
else
FREE_MB_T(m);
#else /* __NetBSD_Version__ < 499001100 */
if (error == 0)
error = (*ifp->if_output)(ifp, m, dst, ro->ro_rt);
else
FREE_MB_T(m);
#endif /* __NetBSD_Version__ < 499001100 */
# endif
}
}
done:
@ -1342,13 +1357,13 @@ done:
else
fr_frouteok[1]++;
#if __NetBSD_Version__ >= 499001100
# if __NetBSD_Version__ >= 499001100
rtcache_free(ro);
#else
# else
if (ro->ro_rt) {
RTFREE(ro->ro_rt);
RTFREE(((struct route *)ro)->ro_rt);
}
#endif
# endif
*mpp = NULL;
return error;
bad:
@ -1378,19 +1393,19 @@ struct mbuf *m0, **mpp;
fr_info_t *fin;
frdest_t *fdp;
{
#if __NetBSD_Version__ < 499001100
struct route_in6 ip6route;
struct sockaddr_in6 *dst6;
struct route_in6 *ro;
#else /* __NetBSD_Version__ < 499001100 */
# if __NetBSD_Version__ >= 499001100
struct route ip6route;
const struct sockaddr *dst;
union {
struct sockaddr dst;
struct sockaddr_in6 dst6;
struct sockaddr dst;
struct sockaddr_in6 dst6;
} u;
struct route *ro;
#endif /* __NetBSD_Version__ < 499001100 */
# else
struct route_in6 ip6route;
struct sockaddr_in6 *dst6;
struct route_in6 *ro;
# endif
struct rtentry *rt;
struct ifnet *ifp;
frentry_t *fr;
@ -1405,19 +1420,8 @@ frdest_t *fdp;
ifp = fdp->fd_ifp;
else
ifp = fin->fin_ifp;
bzero((void *)ro, sizeof(*ro));
#if __NetBSD_Version__ < 499001100
dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
dst6->sin6_family = AF_INET6;
dst6->sin6_len = sizeof(struct sockaddr_in6);
dst6->sin6_addr = fin->fin_fi.fi_dst.in6;
if (fdp != NULL) {
if (IP6_NOTZERO(&fdp->fd_ip6))
dst6->sin6_addr = fdp->fd_ip6.in6;
}
rtalloc((struct route *)ro);
#else /* __NetBSD_Version__ < 499001100 */
memset(ro, 0, sizeof(*ro));
# if __NetBSD_Version__ >= 499001100
if (fdp != NULL && IP6_NOTZERO(&fdp->fd_ip6))
sockaddr_in6_init(&u.dst6, &fdp->fd_ip6.in6, 0, 0, 0);
else
@ -1426,7 +1430,18 @@ frdest_t *fdp;
rtcache_setdst(ro, dst);
rtcache_init(ro);
#endif /* __NetBSD_Version__ < 499001100 */
# else
dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
dst6->sin6_family = AF_INET6;
dst6->sin6_len = sizeof(struct sockaddr_in6);
dst6->sin6_addr = fin->fin_fi.fi_dst.in6;
if (fdp != NULL) {
if (IP6_NOTZERO(&fdp->fd_ip6))
dst6->sin6_addr = fdp->fd_ip6.in6;
}
rtalloc((struct route *)ro);
# endif
if ((ifp == NULL) && (ro->ro_rt != NULL))
ifp = ro->ro_rt->rt_ifp;
@ -1439,80 +1454,81 @@ frdest_t *fdp;
rt = fdp ? NULL : ro->ro_rt;
/* KAME */
#if __NetBSD_Version__ < 499001100
if (IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr))
dst6->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
#else /* __NetBSD_Version__ < 499001100 */
# if __NetBSD_Version__ >= 499001100
if (IN6_IS_ADDR_LINKLOCAL(&u.dst6.sin6_addr))
u.dst6.sin6_addr.s6_addr16[1] = htons(ifp->if_index);
#endif /* __NetBSD_Version__ < 499001100 */
# else
if (IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr))
dst6->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
# endif
{
#if (__NetBSD_Version__ >= 106010000)
# if (__NetBSD_Version__ >= 399001400)
# if (__NetBSD_Version__ >= 106010000)
# if (__NetBSD_Version__ >= 399001400)
struct in6_ifextra *ife;
# else
# else
struct in6_addr finaldst = fin->fin_dst6;
int frag;
# endif
# endif
#endif
#if __NetBSD_Version__ < 499001100
if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway;
#else /* __NetBSD_Version__ < 499001100 */
# if __NetBSD_Version__ >= 499001100
if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst = ro->ro_rt->rt_gateway;
#endif /* __NetBSD_Version__ < 499001100 */
# else
if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway;
# endif
ro->ro_rt->rt_use++;
/* Determine path MTU. */
#if (__NetBSD_Version__ <= 106009999)
# if (__NetBSD_Version__ <= 106009999)
mtu = nd_ifinfo[ifp->if_index].linkmtu;
#else
# if (__NetBSD_Version__ >= 399001400)
# else
# if (__NetBSD_Version__ >= 399001400)
ife = (struct in6_ifextra *)(ifp)->if_afdata[AF_INET6];
mtu = ife->nd_ifinfo[ifp->if_index].linkmtu;
# else
# else
error = ip6_getpmtu(ro, ro, ifp, &finaldst, &mtu, &frag);
# endif
# endif
#endif
if ((error == 0) && (m0->m_pkthdr.len <= mtu)) {
*mpp = NULL;
#if __NetBSD_Version__ < 499001100
error = nd6_output(ifp, ifp, m0, dst6, rt);
#else /* __NetBSD_Version__ < 499001100 */
# if __NetBSD_Version__ >= 499001100
error = nd6_output(ifp, ifp, m0, satocsin6(dst), rt);
#endif /* __NetBSD_Version__ < 499001100 */
# else
error = nd6_output(ifp, ifp, m0, dst6, rt);
# endif
} else {
error = EMSGSIZE;
}
}
bad:
#if __NetBSD_Version__ >= 499001100
# if __NetBSD_Version__ >= 499001100
rtcache_free(ro);
#else
RTFREE(((struct route *)ro)->ro_rt);
#endif
# else
if (ro->ro_rt != NULL) {
RTFREE(((struct route *)ro)->ro_rt);
}
# endif
return error;
}
#endif
#endif /* INET6 */
int fr_verifysrc(fin)
fr_info_t *fin;
{
int rc;
#if __NetBSD_Version__ < 499001100
struct sockaddr_in *dst;
#else /* __NetBSD_Version__ < 499001100 */
#if __NetBSD_Version__ >= 499001100
union {
struct sockaddr dst;
struct sockaddr_in dst4;
struct sockaddr dst;
struct sockaddr_in dst4;
} u;
#endif /* __NetBSD_Version__ < 499001100 */
#else
struct sockaddr_in *dst;
#endif
struct route iproute;
int rc;
memset(&iproute, 0, sizeof(iproute));
#if __NetBSD_Version__ >= 499001100
sockaddr_in_init(&u.dst4, &fin->fin_src, 0);
rtcache_setdst(&iproute, &u.dst);

14
sys/dist/ipf/netinet/ip_frag.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_frag.c,v 1.6 2007/04/14 20:34:36 martin Exp $ */
/* $NetBSD: ip_frag.c,v 1.7 2007/06/16 10:52:28 martin Exp $ */
/*
* Copyright (C) 1993-2003 by Darren Reed.
@ -103,10 +103,10 @@ extern struct timeout fr_slowtimer_ch;
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.6 2007/04/14 20:34:36 martin Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.7 2007/06/16 10:52:28 martin Exp $");
#else
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.77.2.8 2006/09/01 14:09:33 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.77.2.9 2007/05/27 11:13:44 darrenr Exp";
#endif
#endif
@ -715,6 +715,14 @@ ipfr_t *fra, ***tail;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_fragfree */
/* Returns: Nil */
/* Parameters: fra - pointer to frag structure to free */
/* */
/* Take care of the details associated with deleting an entry from the frag */
/* cache. Currently this just means bumping stats correctly after freeing */
/* ------------------------------------------------------------------------ */
static void fr_fragfree(fra)
ipfr_t *fra;
{

46
sys/dist/ipf/netinet/ip_lookup.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_lookup.c,v 1.11 2007/04/27 10:17:19 jnemeth Exp $ */
/* $NetBSD: ip_lookup.c,v 1.12 2007/06/16 10:52:28 martin Exp $ */
/*
* Copyright (C) 2002-2003 by Darren Reed.
@ -65,7 +65,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.14 2007/02/17 12:41:42 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.15 2007/05/26 13:05:13 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
@ -219,8 +219,9 @@ void *data;
ip_pool_t *p;
int err;
err = 0;
BCOPYIN(data, &op, sizeof(op));
err = BCOPYIN(data, &op, sizeof(op));
if (err != 0)
return EFAULT;
if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX)
return EINVAL;
@ -293,8 +294,9 @@ void *data;
ip_pool_t *p;
int err;
err = 0;
BCOPYIN(data, &op, sizeof(op));
err = BCOPYIN(data, &op, sizeof(op));
if (err != 0)
return EFAULT;
if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX)
return EINVAL;
@ -357,8 +359,7 @@ void *data;
iplookupop_t op;
int err;
err = 0;
BCOPYIN(data, &op, sizeof(op));
err = BCOPYIN(data, &op, sizeof(op));
if (err != 0)
return EFAULT;
@ -393,7 +394,9 @@ void *data;
* case of success it will contain the new table's name.
*/
if ((err == 0) && ((op.iplo_arg & LOOKUP_ANON) != 0)) {
BCOPYOUT(&op, data, sizeof(op));
err = BCOPYOUT(&op, data, sizeof(op));
if (err != 0)
err = EFAULT;
}
return err;
@ -414,8 +417,9 @@ void *data;
iplookupop_t op;
int err;
err = 0;
BCOPYIN(data, &op, sizeof(op));
err = BCOPYIN(data, &op, sizeof(op));
if (err != 0)
return EFAULT;
if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX)
return EINVAL;
@ -457,8 +461,9 @@ void *data;
iplookupop_t op;
int err;
err = 0;
BCOPYIN(data, &op, sizeof(op));
err = BCOPYIN(data, &op, sizeof(op));
if (err != 0)
return EFAULT;
if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX)
return EINVAL;
@ -495,9 +500,10 @@ void *data;
int err, unit, num, type;
iplookupflush_t flush;
err = 0;
BCOPYIN(data, &flush, sizeof(flush));
err = BCOPYIN(data, &flush, sizeof(flush));
if (err != 0)
return EFAULT;
unit = flush.iplf_unit;
if ((unit < 0 || unit > IPL_LOGMAX) && (unit != IPLT_ALL))
return EINVAL;
@ -520,7 +526,9 @@ void *data;
if (err == 0) {
flush.iplf_count = num;
BCOPYOUT(&flush, data, sizeof(flush));
err = BCOPYOUT(&flush, data, sizeof(flush));
if (err != 0)
err = EFAULT;
}
return err;
}
@ -572,6 +580,7 @@ void *ctx;
ipflookupiter_t iter;
ipftoken_t *token;
int err;
SPL_INT(s);
err = fr_inobj(data, &iter, IPFOBJ_LOOKUPITER);
if (err != 0)
@ -583,9 +592,11 @@ void *ctx;
if (iter.ili_ival != IPFGENITER_LOOKUP)
return EINVAL;
SPL_SCHED(s);
token = ipf_findtoken(iter.ili_key, uid, ctx);
if (token == NULL) {
RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
return ESRCH;
}
@ -602,6 +613,7 @@ void *ctx;
break;
}
RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
return err;
}

123
sys/dist/ipf/netinet/ip_nat.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_nat.c,v 1.29 2007/05/31 10:33:54 darrenr Exp $ */
/* $NetBSD: ip_nat.c,v 1.30 2007/06/16 10:52:28 martin Exp $ */
/*
* Copyright (C) 1995-2003 by Darren Reed.
@ -16,8 +16,8 @@
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
#if (__NetBSD_Version__ >= 399002000)
#include <sys/kauth.h>
#if (__NetBSD_Version__ >= 399002000) && defined(_KERNEL)
# include <sys/kauth.h>
#endif
#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
defined(_KERNEL)
@ -116,7 +116,7 @@ extern struct ifnet vpnif;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.195.2.82 2007/05/13 00:08:53 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.195.2.87 2007/05/31 10:17:17 darrenr Exp";
#endif
@ -649,16 +649,21 @@ void *ctx;
ipnat_t *nat, *nt, *n = NULL, **np = NULL;
int error = 0, ret, arg, getlock;
ipnat_t natd;
SPL_INT(s);
#if (BSD >= 199306) && defined(_KERNEL)
#if (__NetBSD_Version__ >= 399002000)
if ((mode & FWRITE) && kauth_authorize_network(curlwp->l_cred,
KAUTH_NETWORK_FIREWALL, KAUTH_REQ_NETWORK_FIREWALL_NAT,
NULL, NULL, NULL))
#else
if ((securelevel >= 2) && (mode & FWRITE))
#endif
# if (__NetBSD_Version__ >= 399002000)
if ((mode & FWRITE) &&
kauth_authorize_network(curlwp->l_cred, KAUTH_NETWORK_FIREWALL,
KAUTH_REQ_NETWORK_FIREWALL_FW,
NULL, NULL, NULL)) {
return EPERM;
}
# else
if ((securelevel >= 2) && (mode & FWRITE)) {
return EPERM;
}
# endif
#endif
#if defined(__osf__) && defined(_KERNEL)
@ -713,22 +718,6 @@ void *ctx;
switch (cmd)
{
case SIOCGENITER :
{
ipfgeniter_t iter;
ipftoken_t *token;
error = fr_inobj(data, &iter, IPFOBJ_GENITER);
if (error != 0)
break;
token = ipf_findtoken(iter.igi_type, uid, ctx);
if (token != NULL) {
error = nat_iterator(token, &iter);
}
RWLOCK_EXIT(&ipf_tokens);
break;
}
#ifdef IPFILTER_LOG
case SIOCIPFFB :
{
@ -738,7 +727,10 @@ void *ctx;
error = EPERM;
else {
tmp = ipflog_clear(IPL_LOGNAT);
BCOPYOUT((char *)&tmp, (char *)data, sizeof(tmp));
error = BCOPYOUT((char *)&tmp, (char *)data,
sizeof(tmp));
if (error != 0)
error = EFAULT;
}
break;
}
@ -747,19 +739,25 @@ void *ctx;
if (!(mode & FWRITE))
error = EPERM;
else {
BCOPYIN((char *)data, (char *)&nat_logging,
error = BCOPYIN((char *)data, (char *)&nat_logging,
sizeof(nat_logging));
if (error != 0)
error = EFAULT;
}
break;
case SIOCGETLG :
BCOPYOUT((char *)&nat_logging, (char *)data,
error = BCOPYOUT((char *)&nat_logging, (char *)data,
sizeof(nat_logging));
if (error != 0)
error = EFAULT;
break;
case FIONREAD :
arg = iplused[IPL_LOGNAT];
BCOPYOUT(&arg, data, sizeof(arg));
error = BCOPYOUT(&arg, data, sizeof(arg));
if (error != 0)
error = EFAULT;
break;
#endif
case SIOCADNAT :
@ -846,19 +844,23 @@ void *ctx;
WRITE_ENTER(&ipf_nat);
}
BCOPYIN(data, &arg, sizeof(arg));
if (arg == 0)
ret = nat_flushtable();
else if (arg == 1)
ret = nat_clearlist();
else
ret = nat_extraflush(arg);
error = BCOPYIN(data, &arg, sizeof(arg));
if (error != 0)
error = EFAULT;
else {
if (arg == 0)
ret = nat_flushtable();
else if (arg == 1)
ret = nat_clearlist();
else
ret = nat_extraflush(arg);
}
if (getlock) {
RWLOCK_EXIT(&ipf_nat);
}
if (error == 0) {
BCOPYOUT(&ret, data, sizeof(ret));
error = BCOPYOUT(&ret, data, sizeof(ret));
}
break;
@ -908,9 +910,33 @@ void *ctx;
error = EACCES;
break;
case SIOCGENITER :
{
ipfgeniter_t iter;
ipftoken_t *token;
SPL_SCHED(s);
error = fr_inobj(data, &iter, IPFOBJ_GENITER);
if (error == 0) {
token = ipf_findtoken(iter.igi_type, uid, ctx);
if (token != NULL) {
error = nat_iterator(token, &iter);
}
RWLOCK_EXIT(&ipf_tokens);
}
SPL_X(s);
break;
}
case SIOCIPFDELTOK :
BCOPYIN(data, &arg, sizeof(arg));
error = ipf_deltoken(arg, uid, ctx);
error = BCOPYIN((caddr_t)data, (caddr_t)&arg, sizeof(arg));
if (error == 0) {
SPL_SCHED(s);
error = ipf_deltoken(arg, uid, ctx);
SPL_X(s);
} else {
error = EFAULT;
}
break;
case SIOCGTQTAB :
@ -1176,7 +1202,8 @@ caddr_t data;
nat_t *nat, *n;
natget_t ng;
BCOPYIN(data, &ng, sizeof(ng));
if (BCOPYIN(data, &ng, sizeof(ng)) != 0)
return EFAULT;
nat = ng.ng_ptr;
if (!nat) {
@ -1186,7 +1213,8 @@ caddr_t data;
* Empty list so the size returned is 0. Simple.
*/
if (nat == NULL) {
BCOPYOUT(&ng, data, sizeof(ng));
if (BCOPYOUT(&ng, data, sizeof(ng)) != 0)
return EFAULT;
return 0;
}
} else {
@ -1213,7 +1241,8 @@ caddr_t data;
ng.ng_sz += aps->aps_psiz;
}
BCOPYOUT(&ng, data, sizeof(ng));
if (BCOPYOUT(&ng, data, sizeof(ng)) != 0)
return EFAULT;
return 0;
}
@ -2319,6 +2348,8 @@ int direction;
ni.nai_np = np;
ni.nai_nflags = nflags;
ni.nai_flags = flags;
ni.nai_dport = 0;
ni.nai_sport = 0;
/* Give me a new nat */
KMALLOC(nat, nat_t *);
@ -5309,7 +5340,7 @@ int which;
/* ------------------------------------------------------------------------ */
/* Function: nat_flush_entry */
/* Returns: 1 - always succeeds */
/* Returns: 0 - always succeeds */
/* Parameters: entry(I) - pointer to NAT entry */
/* Write Locks: ipf_nat */
/* */
@ -5322,5 +5353,5 @@ static int nat_flush_entry(entry)
void *entry;
{
nat_delete(entry, NL_FLUSH);
return 1;
return 0;
}

4
sys/dist/ipf/netinet/ip_pool.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_pool.c,v 1.9 2007/06/09 03:07:22 dyoung Exp $ */
/* $NetBSD: ip_pool.c,v 1.10 2007/06/16 10:52:29 martin Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -82,7 +82,7 @@ static int rn_freenode __P((struct radix_node *, void *));
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.19 2007/02/17 12:41:42 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.20 2007/05/31 12:27:35 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP

4
sys/dist/ipf/netinet/ip_proxy.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_proxy.c,v 1.15 2007/05/15 22:52:51 martin Exp $ */
/* $NetBSD: ip_proxy.c,v 1.16 2007/06/16 10:52:29 martin Exp $ */
/*
* Copyright (C) 1997-2003 by Darren Reed.
@ -105,7 +105,7 @@ struct file;
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.19 2007/04/30 09:07:51 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.20 2007/05/31 12:27:36 darrenr Exp";
#endif
#ifdef INET

71
sys/dist/ipf/netinet/ip_state.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_state.c,v 1.25 2007/05/25 06:44:20 martti Exp $ */
/* $NetBSD: ip_state.c,v 1.26 2007/06/16 10:52:30 martin Exp $ */
/*
* Copyright (C) 1995-2003 by Darren Reed.
@ -114,10 +114,10 @@ struct file;
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.25 2007/05/25 06:44:20 martti Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.26 2007/06/16 10:52:30 martin Exp $");
#else
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_state.c,v 2.186.2.66 2007/05/13 00:08:54 darrenr Exp";
static const char rcsid[] = "@(#)Id: ip_state.c,v 2.186.2.69 2007/05/26 13:05:14 darrenr Exp";
#endif
#endif
@ -445,6 +445,7 @@ int mode, uid;
void *ctx;
{
int arg, ret, error = 0;
SPL_INT(s);
switch (cmd)
{
@ -459,20 +460,32 @@ void *ctx;
* Flush the state table
*/
case SIOCIPFFL :
BCOPYIN(data, (char *)&arg, sizeof(arg));
WRITE_ENTER(&ipf_state);
ret = fr_state_flush(arg, 4);
RWLOCK_EXIT(&ipf_state);
BCOPYOUT((char *)&ret, data, sizeof(ret));
error = BCOPYIN(data, (char *)&arg, sizeof(arg));
if (error != 0) {
error = EFAULT;
} else {
WRITE_ENTER(&ipf_state);
ret = fr_state_flush(arg, 4);
RWLOCK_EXIT(&ipf_state);
error = BCOPYOUT((char *)&ret, data, sizeof(ret));
if (error != 0)
error = EFAULT;
}
break;
#ifdef USE_INET6
case SIOCIPFL6 :
BCOPYIN(data, (char *)&arg, sizeof(arg));
WRITE_ENTER(&ipf_state);
ret = fr_state_flush(arg, 6);
RWLOCK_EXIT(&ipf_state);
BCOPYOUT((char *)&ret, data, sizeof(ret));
error = BCOPYIN(data, (char *)&arg, sizeof(arg));
if (error != 0) {
error = EFAULT;
} else {
WRITE_ENTER(&ipf_state);
ret = fr_state_flush(arg, 6);
RWLOCK_EXIT(&ipf_state);
error = BCOPYOUT((char *)&ret, data, sizeof(ret));
if (error != 0)
error = EFAULT;
}
break;
#endif
#ifdef IPFILTER_LOG
@ -486,7 +499,9 @@ void *ctx;
int tmp;
tmp = ipflog_clear(IPL_LOGSTATE);
BCOPYOUT((char *)&tmp, data, sizeof(tmp));
error = BCOPYOUT((char *)&tmp, data, sizeof(tmp));
if (error != 0)
error = EFAULT;
}
break;
@ -497,8 +512,10 @@ void *ctx;
if (!(mode & FWRITE))
error = EPERM;
else {
BCOPYIN((char *)data, (char *)&ipstate_logging,
error = BCOPYIN((char *)data, (char *)&ipstate_logging,
sizeof(ipstate_logging));
if (error != 0)
error = EFAULT;
}
break;
@ -506,8 +523,10 @@ void *ctx;
* Return the current state of logging.
*/
case SIOCGETLG :
BCOPYOUT((char *)&ipstate_logging, (char *)data,
error = BCOPYOUT((char *)&ipstate_logging, (char *)data,
sizeof(ipstate_logging));
if (error != 0)
error = EFAULT;
break;
/*
@ -515,7 +534,9 @@ void *ctx;
*/
case FIONREAD :
arg = iplused[IPL_LOGSTATE]; /* returned in an int */
BCOPYOUT((char *)&arg, data, sizeof(arg));
error = BCOPYOUT((char *)&arg, data, sizeof(arg));
if (error != 0)
error = EFAULT;
break;
#endif
@ -564,8 +585,10 @@ void *ctx;
* Return a copy of the hash table bucket lengths
*/
case SIOCSTAT1 :
BCOPYOUT(ips_stats.iss_bucketlen, data,
error = BCOPYOUT(ips_stats.iss_bucketlen, data,
fr_statesize * sizeof(u_long));
if (error != 0)
error = EFAULT;
break;
case SIOCGENITER :
@ -577,12 +600,14 @@ void *ctx;
if (error != 0)
break;
SPL_SCHED(s);
token = ipf_findtoken(IPFGENITER_STATE, uid, ctx);
if (token != NULL)
error = fr_stateiter(token, &iter);
else
error = ESRCH;
RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
break;
}
@ -591,8 +616,14 @@ void *ctx;
break;
case SIOCIPFDELTOK :
BCOPYIN(data, (char *)&arg, sizeof(arg));
error = ipf_deltoken(arg, uid, ctx);
error = BCOPYIN(data, (char *)&arg, sizeof(arg));
if (error != 0) {
error = EFAULT;
} else {
SPL_SCHED(s);
error = ipf_deltoken(arg, uid, ctx);
SPL_X(s);
}
break;
case SIOCGTQTAB :

8
sys/dist/ipf/netinet/ipl.h vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ipl.h,v 1.9 2007/05/15 22:52:52 martin Exp $ */
/* $NetBSD: ipl.h,v 1.10 2007/06/16 10:52:30 martin Exp $ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -6,14 +6,14 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
* Id: ipl.h,v 2.52.2.24 2007/05/13 00:10:39 darrenr Exp
* Id: ipl.h,v 2.52.2.25 2007/05/31 11:40:43 darrenr Exp
*/
#ifndef __IPL_H__
#define __IPL_H__
#define IPL_VERSION "IP Filter: v4.1.22"
#define IPL_VERSION "IP Filter: v4.1.23"
#define IPFILTER_VERSION 4012200
#define IPFILTER_VERSION 4012300
#endif