Upgraded IPFilter to v4.1.23

This commit is contained in:
martin 2007-06-16 10:52:24 +00:00
parent 03f2531d69
commit c77a3f5aad
19 changed files with 514 additions and 291 deletions

dist/ipf/HISTORY vendored

@ -10,6 +10,28 @@
# and especially those who have found the time to port IP Filter to new # and especially those who have found the time to port IP Filter to new
# platforms. # platforms.
# #
4.1.23 - Released 31 May 2007
NAT was not always correctly fixing ICMP headers for errors
some TCP state steps when closing do not update timeouts, leading to
them being removed prematurely.
fix compilation problems for netbsd 4.99
protect enumeration of lists in the kernel from callout interrupts on
BSD without locking
fix various problems with IPv6 header checks: TCP/UDP checksum validation
was not being done, fragmentation header parsed dangerously and routing
header prevented others from being seen
fix gcc 4.2 compiler warnings
fix TCP/UDP checksum calculation for IPv6
fix reference after free'ing ipftoken memory
4.1.22 - Released 13 May 2007 4.1.22 - Released 13 May 2007
fix endless loop when flushing state/NAT by idle time fix endless loop when flushing state/NAT by idle time

dist/ipf/ip_fil.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ip_fil.c,v 1.13 2007/06/04 12:38:58 martti Exp $ */ /* $NetBSD: ip_fil.c,v 1.14 2007/06/16 10:52:24 martin Exp $ */
/* /*
* Copyright (C) 1993-2001 by Darren Reed. * Copyright (C) 1993-2001 by Darren Reed.
@ -7,7 +7,7 @@
*/ */
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.133.2.15 2007/05/01 22:14:59 darrenr Exp"; static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.133.2.16 2007/05/28 11:56:22 darrenr Exp";
#endif #endif
#ifndef SOLARIS #ifndef SOLARIS
@ -461,7 +461,7 @@ int v;
ifp->if_unit = -1; ifp->if_unit = -1;
} }
#endif #endif
ifp->if_output = no_output; ifp->if_output = (void *)no_output;
if (addr != NULL) { if (addr != NULL) {
fr_setifpaddr(ifp, addr); fr_setifpaddr(ifp, addr);
@ -497,7 +497,7 @@ void init_ifp()
(defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) { for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
ifp->if_output = write_output; ifp->if_output = (void *)write_output;
sprintf(fname, "/tmp/%s", ifp->if_xname); sprintf(fname, "/tmp/%s", ifp->if_xname);
fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
if (fd == -1) if (fd == -1)
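Review bot: The `(void *)` casts in `ifp->if_output = (void *)no_output;` and `ifp->if_output = (void *)write_output;` hide a prototype mismatch rather than resolve it, and converting a function pointer through `void *` is not guaranteed by ISO C (it is a common extension). Casting to the `if_output` member's own function-pointer type keeps the compiler able to check the argument list next time it changes, so I'd prefer a typedef of that type and a cast to it, with a comment naming which parameter (presumably a newly const-qualified one on current NetBSD, which I cannot confirm from here) made the cast necessary. Both hunks sit inside functions that start and end outside the view.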

dist/ipf/ip_lookup.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ip_lookup.c,v 1.4 2007/04/16 02:36:24 dogcow Exp $ */ /* $NetBSD: ip_lookup.c,v 1.5 2007/06/16 10:52:25 martin Exp $ */
/* /*
* Copyright (C) 2002-2003 by Darren Reed. * Copyright (C) 2002-2003 by Darren Reed.
@ -60,7 +60,7 @@ struct file;
/* END OF INCLUDES */ /* END OF INCLUDES */
#if !defined(lint) #if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.14 2007/02/17 12:41:42 darrenr Exp"; static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.15 2007/05/26 13:05:13 darrenr Exp";
#endif #endif
#ifdef IPFILTER_LOOKUP #ifdef IPFILTER_LOOKUP
@ -289,8 +289,7 @@ caddr_t data;
ip_pool_t *p; ip_pool_t *p;
int err; int err;
err = 0; err = BCOPYIN(data, &op, sizeof(op));
BCOPYIN(data, &op, sizeof(op));
if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX) if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX)
return EINVAL; return EINVAL;
@ -574,6 +573,7 @@ void *ctx;
ipflookupiter_t iter; ipflookupiter_t iter;
ipftoken_t *token; ipftoken_t *token;
int err; int err;
SPL_INT(s);
err = fr_inobj(data, &iter, IPFOBJ_LOOKUPITER); err = fr_inobj(data, &iter, IPFOBJ_LOOKUPITER);
if (err != 0) if (err != 0)
@ -585,9 +585,11 @@ void *ctx;
if (iter.ili_ival != IPFGENITER_LOOKUP) if (iter.ili_ival != IPFGENITER_LOOKUP)
return EINVAL; return EINVAL;
SPL_SCHED(s);
token = ipf_findtoken(iter.ili_key, uid, ctx); token = ipf_findtoken(iter.ili_key, uid, ctx);
if (token == NULL) { if (token == NULL) {
RWLOCK_EXIT(&ipf_tokens); RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
return ESRCH; return ESRCH;
} }
@ -604,6 +606,7 @@ void *ctx;
break; break;
} }
RWLOCK_EXIT(&ipf_tokens); RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
return err; return err;
} }
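Review bot: `err = BCOPYIN(data, &op, sizeof(op));` now captures the copy result, but the very next statement reads `op.iplo_unit` without looking at `err`, so on a platform whose BCOPYIN can fail the range check runs on an uninitialized `op`. Add `if (err != 0) return EFAULT;` directly after the copy, matching what the ioctl handler in fil.c does for the same macro in this commit. On NetBSD the macro expands to a bcopy that yields a constant 0, so the check is inert there but keeps the code honest on copyin-backed platforms. The SPL_SCHED/SPL_X pairing in the later hunk is balanced on both the ESRCH and the normal return path, which is good; the function starts outside the hunk.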

dist/ipf/ip_scan.c vendored

@ -1,4 +1,4 @@
/* $NetBSD: ip_scan.c,v 1.1.1.6 2007/05/01 19:00:58 martti Exp $ */ /* $NetBSD: ip_scan.c,v 1.2 2007/06/16 10:52:25 martin Exp $ */
/* /*
* Copyright (C) 1995-2001 by Darren Reed. * Copyright (C) 1995-2001 by Darren Reed.
@ -576,7 +576,7 @@ int mode, uid;
void *ctx; void *ctx;
{ {
ipscanstat_t ipscs; ipscanstat_t ipscs;
int err = 0; int err;
switch (cmd) switch (cmd)
{ {
@ -589,7 +589,7 @@ void *ctx;
case SIOCGSCST : case SIOCGSCST :
bcopy((char *)&ipsc_stat, (char *)&ipscs, sizeof(ipscs)); bcopy((char *)&ipsc_stat, (char *)&ipscs, sizeof(ipscs));
ipscs.iscs_list = ipsc_list; ipscs.iscs_list = ipsc_list;
BCOPYOUT(&ipscs, data, sizeof(ipscs)); err = BCOPYOUT(&ipscs, data, sizeof(ipscs));
break; break;
default : default :
err = EINVAL; err = EINVAL;
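Review bot: Dropping the initializer in `int err;` means every arm of `switch (cmd)` must now assign `err` before `break`, and the arms between the two hunks are not visible here, so I cannot confirm they all do; an arm that only tests `mode` or leaves through a nested `if` would now hand an indeterminate value back to the caller. If the motivation was the gcc 4.2 dead-store warning mentioned in HISTORY, `int err = EINVAL;` with the `default :` arm kept is the safer form. The SIOCGSCST arm itself is fine: it copies a kernel-side struct out and propagates the copy status. The enclosing ioctl function starts outside the hunk.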


@ -1,4 +1,4 @@
/* $NetBSD: ipfstat.c,v 1.14 2007/05/15 22:52:23 martin Exp $ */ /* $NetBSD: ipfstat.c,v 1.15 2007/06/16 10:52:25 martin Exp $ */
/* /*
* Copyright (C) 2002-2006 by Darren Reed. * Copyright (C) 2002-2006 by Darren Reed.
@ -71,7 +71,7 @@
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipfstat.c,v 1.44.2.21 2007/05/11 10:44:16 darrenr Exp"; static const char rcsid[] = "@(#)Id: ipfstat.c,v 1.44.2.23 2007/05/31 13:13:02 darrenr Exp";
#endif #endif
#ifdef __hpux #ifdef __hpux
@ -1117,6 +1117,8 @@ ips_stat_t *ipsp;
PRINTF("\nState table bucket statistics:\n"); PRINTF("\nState table bucket statistics:\n");
PRINTF("\t%lu in use\t\n", ipsp->iss_inuse); PRINTF("\t%lu in use\t\n", ipsp->iss_inuse);
PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ?
(u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0);
minlen = ipsp->iss_max; minlen = ipsp->iss_max;
totallen = 0; totallen = 0;


@ -1,4 +1,4 @@
/* $NetBSD: ipmon.c,v 1.9 2007/04/14 20:34:34 martin Exp $ */ /* $NetBSD: ipmon.c,v 1.10 2007/06/16 10:52:26 martin Exp $ */
/* /*
* Copyright (C) 2001-2006 by Darren Reed. * Copyright (C) 2001-2006 by Darren Reed.
@ -78,7 +78,7 @@
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ipmon.c,v 1.33.2.17 2006/12/18 15:27:58 darrenr Exp"; static const char rcsid[] = "@(#)Id: ipmon.c,v 1.33.2.18 2007/05/27 11:12:12 darrenr Exp";
#endif #endif
@ -1653,6 +1653,7 @@ char *argv[];
if (!tr) if (!tr)
continue; continue;
nr += tr; nr += tr;
n = 0;
tr = read_log(fd[i], &n, buf, sizeof(buf)); tr = read_log(fd[i], &n, buf, sizeof(buf));
if (donehup) { if (donehup) {
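Review bot: The added `n = 0;` before `tr = read_log(fd[i], &n, buf, sizeof(buf));` is only meaningful if read_log treats `n` as an in/out count for `buf`, which the hunk does not show; without a note a future reader may delete it as redundant. I'd attach the reason at the line: `n = 0;  /* read_log() presumably accumulates into *n; start each descriptor from an empty buffer */` and confirm against read_log that a count carried over from the previous descriptor was the actual failure mode. The enclosing main() loop starts and ends outside the hunk.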


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.16 2007/05/07 07:06:30 martti Exp $ # $NetBSD: Makefile,v 1.17 2007/06/16 10:52:31 martin Exp $
# #
# (C)opyright 1993-1996 by Darren Reed. # (C)opyright 1993-1996 by Darren Reed.
# #
@ -38,7 +38,7 @@ logtests: l1
pools: p1 p2 p3 p5 ip1 ip2 pools: p1 p2 p3 p5 ip1 ip2
ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6.5
bpf: bpf1 bpf-f1 bpf: bpf1 bpf-f1
@ -74,7 +74,7 @@ l1:
@${HOST_SH} ${.CURDIR}/logtest ${.CURDIR} \ @${HOST_SH} ${.CURDIR}/logtest ${.CURDIR} \
`${AWK} "/^$@ / { print; } " ${.CURDIR}/test.format` `${AWK} "/^$@ / { print; } " ${.CURDIR}/test.format`
ipv6.1 ipv6.2 ipv6.3: ipv6.1 ipv6.2 ipv6.3 ipv6.5:
@${HOST_SH} ${.CURDIR}/dotest6 ${.CURDIR} \ @${HOST_SH} ${.CURDIR}/dotest6 ${.CURDIR} \
`${AWK} "/^$@ / { print; } " ${.CURDIR}/test.format` `${AWK} "/^$@ / { print; } " ${.CURDIR}/test.format`
@ -119,7 +119,7 @@ clean:
/bin/rm -f in1 in2 in3 in4 in5 in6 /bin/rm -f in1 in2 in3 in4 in5 in6
/bin/rm -f p1 p2 p3 p5 ip1 ip2 /bin/rm -f p1 p2 p3 p5 ip1 ip2
/bin/rm -f l1 /bin/rm -f l1
/bin/rm -f ipv6.1 ipv6.2 ipv6.3 /bin/rm -f ipv6.1 ipv6.2 ipv6.3 ipv6.5
/bin/rm -f bpf1 bpf-f1 /bin/rm -f bpf1 bpf-f1
/bin/rm -f results/* logout /bin/rm -f results/* logout
/bin/rm -rf results /bin/rm -rf results


@ -1,4 +1,4 @@
/* $NetBSD: fil.c,v 1.36 2007/06/04 12:38:58 martti Exp $ */ /* $NetBSD: fil.c,v 1.37 2007/06/16 10:52:26 martin Exp $ */
/* /*
* Copyright (C) 1993-2003 by Darren Reed. * Copyright (C) 1993-2003 by Darren Reed.
@ -154,10 +154,10 @@ struct file;
#if !defined(lint) #if !defined(lint)
#if defined(__NetBSD__) #if defined(__NetBSD__)
#include <sys/cdefs.h> #include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.36 2007/06/04 12:38:58 martti Exp $"); __KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.37 2007/06/16 10:52:26 martin Exp $");
#else #else
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: fil.c,v 2.243.2.104 2007/05/11 13:41:51 darrenr Exp"; static const char rcsid[] = "@(#)Id: fil.c,v 2.243.2.109 2007/05/31 12:27:33 darrenr Exp";
#endif #endif
#endif #endif
@ -551,7 +551,16 @@ int multiple, proto;
return IPPROTO_NONE; return IPPROTO_NONE;
hdr = fin->fin_dp; hdr = fin->fin_dp;
shift = 8 + (hdr->ip6e_len << 3); switch (proto)
{
case IPPROTO_FRAGMENT :
shift = 8;
break;
default :
shift = 8 + (hdr->ip6e_len << 3);
break;
}
if (shift > fin->fin_dlen) { /* Nasty extension header length? */ if (shift > fin->fin_dlen) { /* Nasty extension header length? */
fin->fin_flx |= FI_BAD; fin->fin_flx |= FI_BAD;
return IPPROTO_NONE; return IPPROTO_NONE;
@ -570,6 +579,7 @@ int multiple, proto;
break; break;
} }
fin->fin_exthdr = fin->fin_dp;
fin->fin_dp = (char *)fin->fin_dp + shift; fin->fin_dp = (char *)fin->fin_dp + shift;
fin->fin_dlen -= shift; fin->fin_dlen -= shift;
@ -619,24 +629,22 @@ static INLINE int frpr_routing6(fin)
fr_info_t *fin; fr_info_t *fin;
{ {
struct ip6_ext *hdr; struct ip6_ext *hdr;
int shift;
if (frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING) == IPPROTO_NONE) if (frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING) == IPPROTO_NONE)
return IPPROTO_NONE; return IPPROTO_NONE;
hdr = fin->fin_exthdr;
hdr = fin->fin_dp; if ((hdr->ip6e_len & 1) != 0) {
shift = 8 + (hdr->ip6e_len << 3); /*
/* * The routing header data is made up of 128 bit IPv6 addresses
* Nasty extension header length? * which means it must be a multiple of 2 lots of 8 in length.
*/ */
if ((shift < sizeof(struct ip6_hdr)) ||
((shift - sizeof(struct ip6_hdr)) & 15)) {
fin->fin_flx |= FI_BAD; fin->fin_flx |= FI_BAD;
/* /*
* Compensate for the changes made in frpr_ipv6exthdr() * Compensate for the changes made in frpr_ipv6exthdr()
*/ */
fin->fin_dlen += shift; fin->fin_dlen += 8 + (hdr->ip6e_len << 3);
fin->fin_dp = (char *)fin->fin_dp - shift; fin->fin_dp = hdr;
return IPPROTO_NONE; return IPPROTO_NONE;
} }
@ -662,16 +670,20 @@ static INLINE void frpr_fragment6(fin)
fr_info_t *fin; fr_info_t *fin;
{ {
struct ip6_frag *frag; struct ip6_frag *frag;
int extoff;
fin->fin_flx |= FI_FRAG; fin->fin_flx |= FI_FRAG;
if (frpr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT) == IPPROTO_NONE) if (frpr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT) == IPPROTO_NONE)
return; return;
extoff = (char *)fin->fin_exthdr - (char *)fin->fin_dp;
if (frpr_pullup(fin, sizeof(*frag)) == -1) if (frpr_pullup(fin, sizeof(*frag)) == -1)
return; return;
frag = fin->fin_dp; fin->fin_exthdr = (char *)fin->fin_dp + extoff;
frag = fin->fin_exthdr;
/* /*
* Fragment but no fragmentation info set? Bad packet... * Fragment but no fragmentation info set? Bad packet...
*/ */
@ -787,8 +799,13 @@ fr_info_t *fin;
frpr_short6(fin, sizeof(struct udphdr)); frpr_short6(fin, sizeof(struct udphdr));
if (frpr_udpcommon(fin) == 0) if (frpr_udpcommon(fin) == 0) {
u_char p = fin->fin_p;
fin->fin_p = IPPROTO_UDP;
fr_checkv6sum(fin); fr_checkv6sum(fin);
fin->fin_p = p;
}
} }
@ -807,8 +824,13 @@ fr_info_t *fin;
frpr_short6(fin, sizeof(struct tcphdr)); frpr_short6(fin, sizeof(struct tcphdr));
if (frpr_tcpcommon(fin) == 0) if (frpr_tcpcommon(fin) == 0) {
u_char p = fin->fin_p;
fin->fin_p = IPPROTO_TCP;
fr_checkv6sum(fin); fr_checkv6sum(fin);
fin->fin_p = p;
}
} }
@ -2865,6 +2887,7 @@ int len;
/* ip(I) - pointer to IP header */ /* ip(I) - pointer to IP header */
/* l4proto(I) - protocol to caclulate checksum for */ /* l4proto(I) - protocol to caclulate checksum for */
/* l4hdr(I) - pointer to layer 4 header */ /* l4hdr(I) - pointer to layer 4 header */
/* l3len(I) - length of layer 4 data plus layer 3 header */
/* */ /* */
/* Calculates the TCP checksum for the packet held in "m", using the data */ /* Calculates the TCP checksum for the packet held in "m", using the data */
/* in the IP header "ip" to seed it. */ /* in the IP header "ip" to seed it. */
@ -2873,6 +2896,8 @@ int len;
/* and the TCP header. We also assume that data blocks aren't allocated in */ /* and the TCP header. We also assume that data blocks aren't allocated in */
/* odd sizes. */ /* odd sizes. */
/* */ /* */
/* For IPv6, l3len excludes extension header size. */
/* */
/* Expects ip_len to be in host byte order when called. */ /* Expects ip_len to be in host byte order when called. */
/* ------------------------------------------------------------------------ */ /* ------------------------------------------------------------------------ */
#ifdef INET #ifdef INET
@ -2916,9 +2941,9 @@ void *l4hdr;
} else if (IP_V(ip) == 6) { } else if (IP_V(ip) == 6) {
ip6 = (ip6_t *)ip; ip6 = (ip6_t *)ip;
hlen = sizeof(*ip6); hlen = sizeof(*ip6);
slen = ntohs(l3len); slen = l3len - hlen;
sum = htons((u_short)l4proto); sum = htons((u_short)l4proto);
sum += slen; sum += htons(slen);
sp = (u_short *)&ip6->ip6_src; sp = (u_short *)&ip6->ip6_src;
sum += *sp++; /* ip6_src */ sum += *sp++; /* ip6_src */
sum += *sp++; sum += *sp++;
@ -3104,6 +3129,12 @@ nodata:
# endif /* defined(BSD) || defined(sun) */ # endif /* defined(BSD) || defined(sun) */
# endif /* MENTAT */ # endif /* MENTAT */
#else /* _KERNEL */ #else /* _KERNEL */
/*
* Add up IP Header portion
*/
if (sp != (u_short *)l4hdr)
sp = (u_short *)l4hdr;
for (; slen > 1; slen -= 2) for (; slen > 1; slen -= 2)
sum += *sp++; sum += *sp++;
if (slen) if (slen)
@ -3150,7 +3181,7 @@ nodata:
* SUCH DAMAGE. * SUCH DAMAGE.
* *
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
* Id: fil.c,v 2.243.2.104 2007/05/11 13:41:51 darrenr Exp * Id: fil.c,v 2.243.2.109 2007/05/31 12:27:33 darrenr Exp
*/ */
/* /*
* Copy data from an mbuf chain starting "off" bytes from the beginning, * Copy data from an mbuf chain starting "off" bytes from the beginning,
@ -5690,13 +5721,15 @@ fr_info_t *fin;
if (csump != NULL) if (csump != NULL)
hdrsum = *csump; hdrsum = *csump;
if (dosum) if (dosum) {
#ifdef INET #ifdef INET
sum = fr_cksum(fin->fin_m, fin->fin_ip, sum = fr_cksum(fin->fin_m, fin->fin_ip,
fin->fin_p, fin->fin_dp, fin->fin_plen); fin->fin_p, fin->fin_dp,
fin->fin_dlen + fin->fin_hlen);
#else #else
return 1; return 1;
#endif #endif
}
#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID) #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
} }
#endif #endif
@ -5994,7 +6027,7 @@ ipftuneable_t ipf_tuneables[] = {
sizeof(ipl_logsize), 0, NULL }, sizeof(ipl_logsize), 0, NULL },
#endif #endif
{ { NULL }, NULL, 0, 0, { { NULL }, NULL, 0, 0,
0, 0, NULL } 0, 0, NULL }
}; };
static ipftuneable_t *ipf_tunelist = NULL; static ipftuneable_t *ipf_tunelist = NULL;
@ -6305,6 +6338,8 @@ int fr_initialise()
{ {
int i; int i;
bzero(&frstats, sizeof(frstats));
#ifdef IPFILTER_LOG #ifdef IPFILTER_LOG
i = fr_loginit(); i = fr_loginit();
if (i < 0) if (i < 0)
@ -6413,7 +6448,7 @@ void *data;
return EFAULT; return EFAULT;
WRITE_ENTER(&ipf_mutex); WRITE_ENTER(&ipf_mutex);
bzero((char *)frstats, sizeof(*frstats) * 2); bzero(&frstats, sizeof(frstats));
RWLOCK_EXIT(&ipf_mutex); RWLOCK_EXIT(&ipf_mutex);
return 0; return 0;
@ -6564,6 +6599,9 @@ void *ptr;
/* matches the tuple (type, uid, ptr). If one cannot be found then one is */ /* matches the tuple (type, uid, ptr). If one cannot be found then one is */
/* allocated. If one is found then it is moved to the top of the list of */ /* allocated. If one is found then it is moved to the top of the list of */
/* currently active tokens. */ /* currently active tokens. */
/* */
/* NOTE: It is by design that this function returns holding a read lock on */
/* ipf_tokens. Callers must make sure they release it! */
/* ------------------------------------------------------------------------ */ /* ------------------------------------------------------------------------ */
ipftoken_t *ipf_findtoken(type, uid, ptr) ipftoken_t *ipf_findtoken(type, uid, ptr)
int type, uid; int type, uid;
@ -6928,7 +6966,8 @@ int mode, uid;
void *ctx; void *ctx;
{ {
friostat_t fio; friostat_t fio;
int error = 0, tmp; int error, tmp;
SPL_INT(s);
switch (cmd) switch (cmd)
{ {
@ -6936,7 +6975,12 @@ void *ctx;
if (!(mode & FWRITE)) if (!(mode & FWRITE))
error = EPERM; error = EPERM;
else { else {
BCOPYIN(data, &tmp, sizeof(tmp)); error = BCOPYIN((caddr_t)data, (caddr_t)&tmp,
sizeof(tmp));
if (error != 0) {
error = EFAULT;
break;
}
RWLOCK_EXIT(&ipf_global); RWLOCK_EXIT(&ipf_global);
WRITE_ENTER(&ipf_global); WRITE_ENTER(&ipf_global);
@ -6972,12 +7016,18 @@ void *ctx;
if (!(mode & FWRITE)) if (!(mode & FWRITE))
error = EPERM; error = EPERM;
else { else {
BCOPYIN(data, &fr_flags, sizeof(fr_flags)); error = BCOPYIN((caddr_t)data, (caddr_t)&fr_flags,
sizeof(fr_flags));
if (error != 0)
error = EFAULT;
} }
break; break;
case SIOCGETFF : case SIOCGETFF :
BCOPYOUT(&fr_flags, data, sizeof(fr_flags)); error = BCOPYOUT((caddr_t)&fr_flags, (caddr_t)data,
sizeof(fr_flags));
if (error != 0)
error = EFAULT;
break; break;
case SIOCFUNCL : case SIOCFUNCL :
@ -7011,8 +7061,12 @@ void *ctx;
else { else {
WRITE_ENTER(&ipf_mutex); WRITE_ENTER(&ipf_mutex);
bzero((char *)frcache, sizeof(frcache[0]) * 2); bzero((char *)frcache, sizeof(frcache[0]) * 2);
BCOPYOUT(&fr_active, data, sizeof(fr_active)); error = BCOPYOUT((caddr_t)&fr_active, (caddr_t)data,
fr_active = 1 - fr_active; sizeof(fr_active));
if (error != 0)
error = EFAULT;
else
fr_active = 1 - fr_active;
RWLOCK_EXIT(&ipf_mutex); RWLOCK_EXIT(&ipf_mutex);
} }
break; break;
@ -7033,9 +7087,16 @@ void *ctx;
if (!(mode & FWRITE)) if (!(mode & FWRITE))
error = EPERM; error = EPERM;
else { else {
BCOPYIN(data, &tmp, sizeof(tmp)); error = BCOPYIN((caddr_t)data, (caddr_t)&tmp,
tmp = frflush(IPL_LOGIPF, 4, tmp); sizeof(tmp));
BCOPYOUT(&tmp, data, sizeof(tmp)); if (!error) {
tmp = frflush(IPL_LOGIPF, 4, tmp);
error = BCOPYOUT((caddr_t)&tmp, (caddr_t)data,
sizeof(tmp));
if (error != 0)
error = EFAULT;
} else
error = EFAULT;
} }
break; break;
@ -7044,19 +7105,29 @@ void *ctx;
if (!(mode & FWRITE)) if (!(mode & FWRITE))
error = EPERM; error = EPERM;
else { else {
BCOPYIN(data, &tmp, sizeof(tmp)); error = BCOPYIN((caddr_t)data, (caddr_t)&tmp,
tmp = frflush(IPL_LOGIPF, 6, tmp); sizeof(tmp));
BCOPYOUT(&tmp, data, sizeof(tmp)); if (!error) {
tmp = frflush(IPL_LOGIPF, 6, tmp);
error = BCOPYOUT((caddr_t)&tmp, (caddr_t)data,
sizeof(tmp));
if (error != 0)
error = EFAULT;
} else
error = EFAULT;
} }
break; break;
#endif #endif
case SIOCSTLCK : case SIOCSTLCK :
BCOPYIN(data, &tmp, sizeof(tmp)); error = BCOPYIN((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
fr_state_lock = tmp; if (error == 0) {
fr_nat_lock = tmp; fr_state_lock = tmp;
fr_frag_lock = tmp; fr_nat_lock = tmp;
fr_auth_lock = tmp; fr_frag_lock = tmp;
fr_auth_lock = tmp;
} else
error = EFAULT;
break; break;
#ifdef IPFILTER_LOG #ifdef IPFILTER_LOG
@ -7065,7 +7136,10 @@ void *ctx;
error = EPERM; error = EPERM;
else { else {
tmp = ipflog_clear(IPL_LOGIPF); tmp = ipflog_clear(IPL_LOGIPF);
BCOPYOUT(&tmp, data, sizeof(tmp)); error = BCOPYOUT((caddr_t)&tmp, (caddr_t)data,
sizeof(tmp));
if (error)
error = EFAULT;
} }
break; break;
#endif /* IPFILTER_LOG */ #endif /* IPFILTER_LOG */
@ -7095,21 +7169,29 @@ void *ctx;
case FIONREAD : case FIONREAD :
tmp = (int)iplused[IPL_LOGIPF]; tmp = (int)iplused[IPL_LOGIPF];
BCOPYOUT(&tmp, data, sizeof(tmp)); error = BCOPYOUT((caddr_t)&tmp, (caddr_t)data, sizeof(tmp));
break; break;
#endif #endif
case SIOCIPFITER : case SIOCIPFITER :
SPL_SCHED(s);
error = ipf_frruleiter(data, uid, ctx); error = ipf_frruleiter(data, uid, ctx);
SPL_X(s);
break; break;
case SIOCGENITER : case SIOCGENITER :
SPL_SCHED(s);
error = ipf_genericiter(data, uid, ctx); error = ipf_genericiter(data, uid, ctx);
SPL_X(s);
break;
break; break;
case SIOCIPFDELTOK : case SIOCIPFDELTOK :
BCOPYIN(data, &tmp, sizeof(tmp)); SPL_SCHED(s);
error = ipf_deltoken(tmp, uid, ctx); error = BCOPYIN((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
if (error == 0)
error = ipf_deltoken(tmp, uid, ctx);
SPL_X(s);
break; break;
default : default :
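Review bot: In the SIOCGENITER arm the new `SPL_X(s);` is followed by `break;` and then the pre-existing `break;`, leaving a dead statement that the next compiler bump will flag; delete one of the two. In the same hunk FIONREAD now does `error = BCOPYOUT((caddr_t)&tmp, (caddr_t)data, sizeof(tmp));` but, unlike SIOCGETFF and the flush arms, does not normalize a non-zero result to EFAULT, so the ioctl's failure value depends on what the platform's BCOPYOUT returns; either map it like the others or drop the mapping everywhere, since on NetBSD the macro is `(bcopy(...), 0)` and the branch is inert anyway. The handler this switch belongs to starts outside the hunk and its `default :` arm is cut off at the bottom.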


@ -1,4 +1,4 @@
/* $NetBSD: ip_auth.c,v 1.10 2007/04/14 20:34:35 martin Exp $ */ /* $NetBSD: ip_auth.c,v 1.11 2007/06/16 10:52:26 martin Exp $ */
/* /*
* Copyright (C) 1998-2003 by Darren Reed & Guido van Rooij. * Copyright (C) 1998-2003 by Darren Reed & Guido van Rooij.
@ -121,9 +121,9 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#if !defined(lint) #if !defined(lint)
#if defined(__NetBSD__) #if defined(__NetBSD__)
#include <sys/cdefs.h> #include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.10 2007/04/14 20:34:35 martin Exp $"); __KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.11 2007/06/16 10:52:26 martin Exp $");
#else #else
static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.73.2.18 2006/12/16 17:12:56 darrenr Exp"; static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.73.2.20 2007/05/29 13:48:54 darrenr Exp";
#endif #endif
#endif #endif
@ -425,12 +425,14 @@ void *ctx;
if (error != 0) if (error != 0)
break; break;
SPL_SCHED(s);
token = ipf_findtoken(IPFGENITER_AUTH, uid, ctx); token = ipf_findtoken(IPFGENITER_AUTH, uid, ctx);
if (token != NULL) if (token != NULL)
error = fr_authgeniter(token, &iter); error = fr_authgeniter(token, &iter);
else else
error = ESRCH; error = ESRCH;
RWLOCK_EXIT(&ipf_tokens); RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
break; break;
} }
@ -761,8 +763,12 @@ ipfgeniter_t *itp;
* so that it can be used for is_next when we come back. * so that it can be used for is_next when we come back.
*/ */
ATOMIC_INC(next->fae_ref); ATOMIC_INC(next->fae_ref);
if (next->fae_next == NULL) if (next->fae_next == NULL) {
ipf_freetoken(token); ipf_freetoken(token);
token = NULL;
} else {
token->ipt_data = next;
}
} else { } else {
bzero(&zero, sizeof(zero)); bzero(&zero, sizeof(zero));
next = &zero; next = &zero;
@ -777,7 +783,6 @@ ipfgeniter_t *itp;
fr_authderef(&fae); fr_authderef(&fae);
RWLOCK_EXIT(&ipf_auth); RWLOCK_EXIT(&ipf_auth);
} }
token->ipt_data = next;
/* /*
* This should arguably be via fr_outobj() so that the auth * This should arguably be via fr_outobj() so that the auth
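Review bot: Once the `next->fae_next == NULL` branch does `ipf_freetoken(token); token = NULL;`, every later use of `token` in fr_authgeniter must be null-guarded, and the function continues past the hunk (the copy-out after the "This should arguably be via fr_outobj()" comment), so I cannot see from here that it is; a stray `token->ipt_data` after this point would be the very reference-after-free that HISTORY says this release fixes. Moving `token->ipt_data = next;` into the `else` also stops the `next = &zero` path from storing the address of a stack local into a token that outlives the call, which deserves a comment on that branch: `/* leave ipt_data alone here: &zero is a stack temporary */`. The fr_authderef/RWLOCK_EXIT ordering at the end is unchanged.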


@ -1,4 +1,4 @@
/* $NetBSD: ip_compat.h,v 1.17 2007/05/15 22:52:48 martin Exp $ */ /* $NetBSD: ip_compat.h,v 1.18 2007/06/16 10:52:27 martin Exp $ */
/* /*
* Copyright (C) 1993-2001, 2003 by Darren Reed. * Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing. * See the IPFILTER.LICENCE file for details on licencing.
* *
* @(#)ip_compat.h 1.8 1/14/96 * @(#)ip_compat.h 1.8 1/14/96
* Id: ip_compat.h,v 2.142.2.44 2007/05/12 09:48:16 darrenr Exp * Id: ip_compat.h,v 2.142.2.48 2007/05/31 12:27:34 darrenr Exp
*/ */
#ifndef _NETINET_IP_COMPAT_H_ #ifndef _NETINET_IP_COMPAT_H_
@ -245,6 +245,7 @@ typedef unsigned int u_32_t;
# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d) # define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
# define KFREE(x) kmem_free((char *)(x), sizeof(*(x))) # define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
# define KFREES(x,s) kmem_free((char *)(x), (s)) # define KFREES(x,s) kmem_free((char *)(x), (s))
# define SPL_SCHED(x) ;
# define SPL_NET(x) ; # define SPL_NET(x) ;
# define SPL_IMP(x) ; # define SPL_IMP(x) ;
# undef SPL_X # undef SPL_X
@ -417,6 +418,7 @@ typedef struct iplog_select_s {
# define RW_DESTROY(x) # define RW_DESTROY(x)
# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
# define SPL_SCHED(x) ;
# define SPL_NET(x) ; # define SPL_NET(x) ;
# define SPL_IMP(x) ; # define SPL_IMP(x) ;
# undef SPL_X # undef SPL_X
@ -584,6 +586,7 @@ typedef struct {
# define USE_SPL 1 # define USE_SPL 1
# define SPL_IMP(x) (x) = splimp() # define SPL_IMP(x) (x) = splimp()
# define SPL_NET(x) (x) = splnet() # define SPL_NET(x) (x) = splnet()
# define SPL_SCHED(x) (x) = splsched()
# define SPL_X(x) (void) splx(x) # define SPL_X(x) (void) splx(x)
extern void m_copydata __P((struct mbuf *, int, int, void *)); extern void m_copydata __P((struct mbuf *, int, int, void *));
extern void m_copyback __P((struct mbuf *, int, int, void *)); extern void m_copyback __P((struct mbuf *, int, int, void *));
@ -644,6 +647,7 @@ typedef struct mbuf mb_t;
simple_unlock(&ipf_rw); } simple_unlock(&ipf_rw); }
# define ATOMIC_DEC(x) { simple_lock(&ipf_rw); (x)--; \ # define ATOMIC_DEC(x) { simple_lock(&ipf_rw); (x)--; \
simple_unlock(&ipf_rw); } simple_unlock(&ipf_rw); }
# define SPL_SCHED(x) ;
# define SPL_NET(x) ; # define SPL_NET(x) ;
# define SPL_IMP(x) ; # define SPL_IMP(x) ;
# undef SPL_X # undef SPL_X
@ -709,6 +713,9 @@ typedef unsigned int u_32_t;
/* N E T B S D */ /* N E T B S D */
/* ----------------------------------------------------------------------- */ /* ----------------------------------------------------------------------- */
#ifdef __NetBSD__ #ifdef __NetBSD__
# if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
# include "opt_ipfilter.h"
# endif
# if defined(_KERNEL) # if defined(_KERNEL)
# include <sys/systm.h> # include <sys/systm.h>
# else # else
@ -728,6 +735,9 @@ typedef unsigned int u_32_t;
# endif # endif
# ifdef _KERNEL # ifdef _KERNEL
# if (__NetBSD_Version__ >= 499000000)
typedef char * caddr_t;
# endif
# if (__NetBSD_Version__ >= 399001400) # if (__NetBSD_Version__ >= 399001400)
# define KMALLOCS(a, b, c) (a) = (b)malloc((c), _M_IPF, M_NOWAIT) # define KMALLOCS(a, b, c) (a) = (b)malloc((c), _M_IPF, M_NOWAIT)
# endif # endif
@ -736,18 +746,10 @@ typedef unsigned int u_32_t;
# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL) # define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
# define GETKTIME(x) microtime((struct timeval *)x) # define GETKTIME(x) microtime((struct timeval *)x)
# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); } # define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
#if __NetBSD_Version__ >= 499001000
typedef unsigned char * caddr_t;
# define COPYIN(a,b,c) copyin((a), (b), (c))
# define COPYOUT(a,b,c) copyout((a), (b), (c))
# define BCOPYIN(a,b,c) bcopy((a), (b), (c))
# define BCOPYOUT(a,b,c) bcopy((a), (b), (c))
#else
# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c)) # define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c)) # define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) # define BCOPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c)) # define BCOPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
#endif
typedef struct mbuf mb_t; typedef struct mbuf mb_t;
# endif /* _KERNEL */ # endif /* _KERNEL */
# if (NetBSD <= 1991011) && (NetBSD >= 199606) # if (NetBSD <= 1991011) && (NetBSD >= 199606)
@ -893,15 +895,16 @@ typedef u_int32_t u_32_t;
mtx_unlock(&ipf_rw.ipf_lk); } mtx_unlock(&ipf_rw.ipf_lk); }
# define ATOMIC_INCL(x) atomic_add_long(&(x), 1) # define ATOMIC_INCL(x) atomic_add_long(&(x), 1)
# define ATOMIC_INC64(x) ATOMIC_INC(x) # define ATOMIC_INC64(x) ATOMIC_INC(x)
# define ATOMIC_INC32(x) atomic_add_32(&(x), 1) # define ATOMIC_INC32(x) atomic_add_32((u_int *)&(x), 1)
# define ATOMIC_INC16(x) atomic_add_16(&(x), 1) # define ATOMIC_INC16(x) atomic_add_16(&(x), 1)
# define ATOMIC_DECL(x) atomic_add_long(&(x), -1) # define ATOMIC_DECL(x) atomic_add_long(&(x), -1)
# define ATOMIC_DEC64(x) ATOMIC_DEC(x) # define ATOMIC_DEC64(x) ATOMIC_DEC(x)
# define ATOMIC_DEC32(x) atomic_add_32(&(x), -1) # define ATOMIC_DEC32(x) atomic_add_32((u_int *)&(x), -1)
# define ATOMIC_DEC16(x) atomic_add_16(&(x), -1) # define ATOMIC_DEC16(x) atomic_add_16(&(x), -1)
# define SPL_X(x) ; # define SPL_X(x) ;
# define SPL_NET(x) ; # define SPL_NET(x) ;
# define SPL_IMP(x) ; # define SPL_IMP(x) ;
# define SPL_SCHED(x) ;
extern int in_cksum __P((struct mbuf *, int)); extern int in_cksum __P((struct mbuf *, int));
# endif /* __FreeBSD_version >= 500043 */ # endif /* __FreeBSD_version >= 500043 */
# define MSGDSIZE(x) mbufchainlen(x) # define MSGDSIZE(x) mbufchainlen(x)
@ -1115,6 +1118,7 @@ struct ip6_ext {
MUTEX_EXIT(&ipf_rw) MUTEX_EXIT(&ipf_rw)
# define ATOMIC_DEC16(x) MUTEX_ENTER(&ipf_rw); (x)--; \ # define ATOMIC_DEC16(x) MUTEX_ENTER(&ipf_rw); (x)--; \
MUTEX_EXIT(&ipf_rw) MUTEX_EXIT(&ipf_rw)
# define SPL_SCHED(x) do { } while (0)
# define SPL_IMP(x) do { } while (0) # define SPL_IMP(x) do { } while (0)
# define SPL_NET(x) do { } while (0) # define SPL_NET(x) do { } while (0)
# define SPL_X(x) do { } while (0) # define SPL_X(x) do { } while (0)
@ -1264,6 +1268,7 @@ typedef u_int32_t u_32_t;
MUTEX_EXIT(&ipf_rw); } MUTEX_EXIT(&ipf_rw); }
# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); (x)--; \ # define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
MUTEX_EXIT(&ipf_rw); } MUTEX_EXIT(&ipf_rw); }
# define SPL_SCHED(x) x = splsched()
# define SPL_NET(x) x = splnet() # define SPL_NET(x) x = splnet()
# define SPL_IMP(x) x = splimp() # define SPL_IMP(x) x = splimp()
# undef SPL_X # undef SPL_X
@ -1441,6 +1446,7 @@ typedef struct mb_s {
# define POLLWAKEUP(y) ; # define POLLWAKEUP(y) ;
# define IPF_PANIC(x,y) ; # define IPF_PANIC(x,y) ;
# define PANIC(x,y) ; # define PANIC(x,y) ;
# define SPL_SCHED(x) ;
# define SPL_NET(x) ; # define SPL_NET(x) ;
# define SPL_IMP(x) ; # define SPL_IMP(x) ;
# define SPL_X(x) ; # define SPL_X(x) ;
@ -1603,6 +1609,7 @@ MALLOC_DECLARE(M_IPFILTER);
# define SPL_IMP(x) x = splimp() # define SPL_IMP(x) x = splimp()
# define SPL_NET(x) x = splnet() # define SPL_NET(x) x = splnet()
# endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */ # endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */
# define SPL_SCHED(x) x = splsched()
# define SPL_X(x) (void) splx(x) # define SPL_X(x) (void) splx(x)
# endif /* !USE_MUTEXES */ # endif /* !USE_MUTEXES */
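Review bot: The NetBSD `BCOPYIN`/`BCOPYOUT` now expand to `(bcopy(...), 0)`, so every `error = BCOPYIN(...)` check this commit adds in fil.c and ip_lookup.c is unreachable on NetBSD; that is correct only because the ioctl layer has already copied the argument into kernel memory, and that reason should live next to the macro: `/* ioctl(9) already copied data into the kernel; bcopy cannot fault, so yield 0 to match the copyin-backed variants */`. The older `>= 499001000` branch that typedef'd caddr_t as `unsigned char *` is removed here, and the replacement `char *` typedef in the earlier hunk is keyed on `>= 499000000`; if any 4.99 kernel header still supplies caddr_t, a second typedef is an error before C11, so a comment naming the header change the version floor tracks would help the next bump.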


@ -1,4 +1,4 @@
/* $NetBSD: ip_fil.h,v 1.12 2007/06/04 12:38:58 martti Exp $ */ /* $NetBSD: ip_fil.h,v 1.13 2007/06/16 10:52:27 martin Exp $ */
/* /*
* Copyright (C) 1993-2001, 2003 by Darren Reed. * Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -6,7 +6,7 @@
* See the IPFILTER.LICENCE file for details on licencing. * See the IPFILTER.LICENCE file for details on licencing.
* *
* @(#)ip_fil.h 1.35 6/5/96 * @(#)ip_fil.h 1.35 6/5/96
* Id: ip_fil.h,v 2.170.2.43 2007/05/11 13:41:53 darrenr Exp * Id: ip_fil.h,v 2.170.2.45 2007/05/28 11:56:22 darrenr Exp
*/ */
#ifndef _NETINET_IP_FIL_H_ #ifndef _NETINET_IP_FIL_H_
@ -331,6 +331,7 @@ typedef struct fr_info {
void *fin_nat; void *fin_nat;
void *fin_state; void *fin_state;
void *fin_nattag; void *fin_nattag;
void *fin_exthdr;
ip_t *fin_ip; ip_t *fin_ip;
mb_t **fin_mp; /* pointer to pointer to mbuf */ mb_t **fin_mp; /* pointer to pointer to mbuf */
mb_t *fin_m; /* pointer to mbuf */ mb_t *fin_m; /* pointer to mbuf */
@ -1345,11 +1346,13 @@ extern int iplioctl __P((dev_t, u_long, void *, int, struct thread *));
# endif /* __FreeBSD_version >= 502116 */ # endif /* __FreeBSD_version >= 502116 */
# else # else
# if (__NetBSD_Version__ >= 499001000) # if (__NetBSD_Version__ >= 499001000)
extern int iplioctl __P((dev_t, u_long, void*, int, struct lwp *)); extern int iplioctl __P((dev_t, u_long, void *, int, struct lwp *));
# elif (__NetBSD_Version__ >= 399001400) # else
# if (__NetBSD_Version__ >= 399001400)
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct lwp *)); extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct lwp *));
# else # else
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *)); extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
# endif
# endif # endif
# endif /* __FreeBSD_version >= 500024 */ # endif /* __FreeBSD_version >= 500024 */
# else # else
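Review bot: The new `void *fin_exthdr;` member of fr_info_t is the only change to the struct and carries no comment, while its neighbours `fin_mp` and `fin_m` say what they point to; please add one, e.g. `void *fin_exthdr; /* IPv6 extension header located by the header checks — TODO confirm */`, with the exact meaning confirmed against the code that sets it. Inserting the field ahead of `fin_ip` shifts the offset of every later member, so any out-of-kernel consumer of fr_info_t built against the previous layout has to be rebuilt; the IPFILTER_VERSION bump in ipl.h only signals this to consumers that check it. The struct definition starts before and ends after the hunk.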


@ -1,4 +1,4 @@
/* $NetBSD: ip_fil_netbsd.c,v 1.37 2007/06/04 12:38:58 martti Exp $ */ /* $NetBSD: ip_fil_netbsd.c,v 1.38 2007/06/16 10:52:27 martin Exp $ */
/* /*
* Copyright (C) 1993-2003 by Darren Reed. * Copyright (C) 1993-2003 by Darren Reed.
@ -7,7 +7,7 @@
*/ */
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.49 2007/05/10 06:00:56 darrenr Exp"; static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.51 2007/05/31 12:27:35 darrenr Exp";
#endif #endif
#if defined(KERNEL) || defined(_KERNEL) #if defined(KERNEL) || defined(_KERNEL)
@ -41,6 +41,9 @@ static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.49 2007/05/10 06:0
#include <sys/protosw.h> #include <sys/protosw.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <sys/poll.h> #include <sys/poll.h>
#if (__NetBSD_Version__ >= 399002000)
# include <sys/kauth.h>
#endif
#if (__NetBSD_Version__ >= 399002000) #if (__NetBSD_Version__ >= 399002000)
#include <sys/kauth.h> #include <sys/kauth.h>
@ -133,12 +136,17 @@ struct selinfo ipfselwait[IPL_LOGSIZE];
const struct cdevsw ipl_cdevsw = { const struct cdevsw ipl_cdevsw = {
iplopen, iplclose, iplread, nowrite, iplioctl, iplopen, iplclose, iplread, nowrite, iplioctl,
nostop, notty, iplpoll, nommap, nokqfilter, D_OTHER, nostop, notty, iplpoll, nommap,
# if (__NetBSD_Version__ >= 200000000)
nokqfilter,
# endif
# ifdef D_OTHER
D_OTHER,
# endif
}; };
#endif #endif
#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000) #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000)
# include <net/pfil.h> # include <net/pfil.h>
@ -518,7 +526,7 @@ struct proc *p;
#endif #endif
dev_t dev; dev_t dev;
u_long cmd; u_long cmd;
#if __NetBSD_Version__ >= 499001000 #if (__NetBSD_Version__ >= 499001000)
void *data; void *data;
#else #else
caddr_t data; caddr_t data;
@ -529,13 +537,17 @@ int mode;
SPL_INT(s); SPL_INT(s);
#if (__NetBSD_Version__ >= 399002000) #if (__NetBSD_Version__ >= 399002000)
if ((mode & FWRITE) && kauth_authorize_network(p->l_cred, if ((mode & FWRITE) &&
KAUTH_NETWORK_FIREWALL, KAUTH_REQ_NETWORK_FIREWALL_FW, kauth_authorize_network(p->l_cred, KAUTH_NETWORK_FIREWALL,
NULL, NULL, NULL)) KAUTH_REQ_NETWORK_FIREWALL_FW, NULL,
#else NULL, NULL)) {
if ((securelevel >= 2) && (mode & FWRITE))
#endif
return EPERM; return EPERM;
}
#else
if ((securelevel >= 2) && (mode & FWRITE)) {
return EPERM;
}
#endif
unit = GET_MINOR(dev); unit = GET_MINOR(dev);
if ((IPL_LOGMAX < unit) || (unit < 0)) if ((IPL_LOGMAX < unit) || (unit < 0))
@ -1067,15 +1079,15 @@ frdest_t *fdp;
struct route *ro; struct route *ro;
int off, len, hlen, code; int off, len, hlen, code;
struct ifnet *ifp, *sifp; struct ifnet *ifp, *sifp;
#if __NetBSD_Version__ < 499001100 #if __NetBSD_Version__ >= 499001100
struct sockaddr_in *dst;
#else /* __NetBSD_Version__ < 499001100 */
const struct sockaddr *dst; const struct sockaddr *dst;
union { union {
struct sockaddr dst; struct sockaddr dst;
struct sockaddr_in dst4; struct sockaddr_in dst4;
} u; } u;
#endif /* __NetBSD_Version__ < 499001100 */ #else
struct sockaddr_in *dst;
#endif
struct route iproute; struct route iproute;
u_short ip_off; u_short ip_off;
frentry_t *fr; frentry_t *fr;
@ -1107,23 +1119,32 @@ frdest_t *fdp;
m0->m_pkthdr.csuminfo = 0; m0->m_pkthdr.csuminfo = 0;
# endif /* __NetBSD__ && M_CSUM_IPv4 */ # endif /* __NetBSD__ && M_CSUM_IPv4 */
fr = fin->fin_fr; /*
* Route packet.
*/
ro = &iproute;
memset(ro, 0, sizeof(*ro));
if (fdp != NULL) if (fdp != NULL)
ifp = fdp->fd_ifp; ifp = fdp->fd_ifp;
else else
ifp = fin->fin_ifp; ifp = fin->fin_ifp;
fr = fin->fin_fr;
if ((ifp == NULL) && (!fr || !(fr->fr_flags & FR_FASTROUTE))) { if ((ifp == NULL) && (!fr || !(fr->fr_flags & FR_FASTROUTE))) {
error = -2; error = -2;
goto bad; goto bad;
} }
/* # if __NetBSD_Version__ >= 499001100
* Route packet. if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
*/ sockaddr_in_init(&u.dst4, &fdp->fd_ip, 0);
ro = &iproute; else
memset(ro, 0, sizeof(*ro)); sockaddr_in_init(&u.dst4, &ip->ip_dst, 0);
#if __NetBSD_Version__ < 499001100 dst = &u.dst;
rtcache_setdst(ro, dst);
rtcache_init(ro);
# else
dst = (struct sockaddr_in *)&ro->ro_dst; dst = (struct sockaddr_in *)&ro->ro_dst;
dst->sin_family = AF_INET; dst->sin_family = AF_INET;
dst->sin_addr = ip->ip_dst; dst->sin_addr = ip->ip_dst;
@ -1132,15 +1153,7 @@ frdest_t *fdp;
dst->sin_addr = fdp->fd_ip; dst->sin_addr = fdp->fd_ip;
dst->sin_len = sizeof(*dst); dst->sin_len = sizeof(*dst);
rtalloc(ro); rtalloc(ro);
#else /* __NetBSD_Version__ < 499001100 */ # endif
if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
sockaddr_in_init(&u.dst4, &fdp->fd_ip, 0);
else
sockaddr_in_init(&u.dst4, &ip->ip_dst, 0);
dst = &u.dst;
rtcache_setdst(ro, dst);
rtcache_init(ro);
#endif /* __NetBSD_Version__ < 499001100 */
if ((ifp == NULL) && (ro->ro_rt != NULL)) if ((ifp == NULL) && (ro->ro_rt != NULL))
ifp = ro->ro_rt->rt_ifp; ifp = ro->ro_rt->rt_ifp;
@ -1154,13 +1167,15 @@ frdest_t *fdp;
error = ENETUNREACH; error = ENETUNREACH;
goto bad; goto bad;
} }
#if __NetBSD_Version__ < 499001100
# if __NetBSD_Version__ >= 499001100
if (ro->ro_rt->rt_flags & RTF_GATEWAY) if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway; dst = ro->ro_rt->rt_gateway;
#else /* __NetBSD_Version__ < 499001100 */ # else
if (ro->ro_rt->rt_flags & RTF_GATEWAY) if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst = ro->ro_rt->rt_gateway; dst = ro->ro_rt->rt_gateway;
#endif /* __NetBSD_Version__ < 499001100 */ #endif /* __NetBSD_Version__ < 499001100 */
if (ro->ro_rt) if (ro->ro_rt)
ro->ro_rt->rt_use++; ro->ro_rt->rt_use++;
@ -1227,12 +1242,12 @@ frdest_t *fdp;
if (!ip->ip_sum) if (!ip->ip_sum)
ip->ip_sum = in_cksum(m, hlen); ip->ip_sum = in_cksum(m, hlen);
# endif /* M_CSUM_IPv4 */ # endif /* M_CSUM_IPv4 */
#if __NetBSD_Version__ < 499001100 # if __NetBSD_Version__ >= 499001100
error = (*ifp->if_output)(ifp, m, dst, ro->ro_rt);
# else
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
ro->ro_rt); ro->ro_rt);
#else /* __NetBSD_Version__ < 499001100 */ # endif
error = (*ifp->if_output)(ifp, m, dst, ro->ro_rt);
#endif /* __NetBSD_Version__ < 499001100 */
if (i) { if (i) {
ip->ip_len = ntohs(ip->ip_len); ip->ip_len = ntohs(ip->ip_len);
ip->ip_off = ntohs(ip->ip_off); ip->ip_off = ntohs(ip->ip_off);
@ -1322,18 +1337,18 @@ sendorfree:
for (m = m0; m; m = m0) { for (m = m0; m; m = m0) {
m0 = m->m_act; m0 = m->m_act;
m->m_act = 0; m->m_act = 0;
#if __NetBSD_Version__ < 499001100 # if __NetBSD_Version__ >= 499001100
if (error == 0)
error = (*ifp->if_output)(ifp, m, dst, ro->ro_rt);
else
FREE_MB_T(m);
# else
if (error == 0) if (error == 0)
error = (*ifp->if_output)(ifp, m, error = (*ifp->if_output)(ifp, m,
(struct sockaddr *)dst, ro->ro_rt); (struct sockaddr *)dst, ro->ro_rt);
else else
FREE_MB_T(m); FREE_MB_T(m);
#else /* __NetBSD_Version__ < 499001100 */ # endif
if (error == 0)
error = (*ifp->if_output)(ifp, m, dst, ro->ro_rt);
else
FREE_MB_T(m);
#endif /* __NetBSD_Version__ < 499001100 */
} }
} }
done: done:
@ -1342,13 +1357,13 @@ done:
else else
fr_frouteok[1]++; fr_frouteok[1]++;
#if __NetBSD_Version__ >= 499001100 # if __NetBSD_Version__ >= 499001100
rtcache_free(ro); rtcache_free(ro);
#else # else
if (ro->ro_rt) { if (ro->ro_rt) {
RTFREE(ro->ro_rt); RTFREE(((struct route *)ro)->ro_rt);
} }
#endif # endif
*mpp = NULL; *mpp = NULL;
return error; return error;
bad: bad:
@ -1378,19 +1393,19 @@ struct mbuf *m0, **mpp;
fr_info_t *fin; fr_info_t *fin;
frdest_t *fdp; frdest_t *fdp;
{ {
#if __NetBSD_Version__ < 499001100 # if __NetBSD_Version__ >= 499001100
struct route_in6 ip6route;
struct sockaddr_in6 *dst6;
struct route_in6 *ro;
#else /* __NetBSD_Version__ < 499001100 */
struct route ip6route; struct route ip6route;
const struct sockaddr *dst; const struct sockaddr *dst;
union { union {
struct sockaddr dst; struct sockaddr dst;
struct sockaddr_in6 dst6; struct sockaddr_in6 dst6;
} u; } u;
struct route *ro; struct route *ro;
#endif /* __NetBSD_Version__ < 499001100 */ # else
struct route_in6 ip6route;
struct sockaddr_in6 *dst6;
struct route_in6 *ro;
# endif
struct rtentry *rt; struct rtentry *rt;
struct ifnet *ifp; struct ifnet *ifp;
frentry_t *fr; frentry_t *fr;
@ -1405,19 +1420,8 @@ frdest_t *fdp;
ifp = fdp->fd_ifp; ifp = fdp->fd_ifp;
else else
ifp = fin->fin_ifp; ifp = fin->fin_ifp;
memset(ro, 0, sizeof(*ro));
bzero((void *)ro, sizeof(*ro)); # if __NetBSD_Version__ >= 499001100
#if __NetBSD_Version__ < 499001100
dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
dst6->sin6_family = AF_INET6;
dst6->sin6_len = sizeof(struct sockaddr_in6);
dst6->sin6_addr = fin->fin_fi.fi_dst.in6;
if (fdp != NULL) {
if (IP6_NOTZERO(&fdp->fd_ip6))
dst6->sin6_addr = fdp->fd_ip6.in6;
}
rtalloc((struct route *)ro);
#else /* __NetBSD_Version__ < 499001100 */
if (fdp != NULL && IP6_NOTZERO(&fdp->fd_ip6)) if (fdp != NULL && IP6_NOTZERO(&fdp->fd_ip6))
sockaddr_in6_init(&u.dst6, &fdp->fd_ip6.in6, 0, 0, 0); sockaddr_in6_init(&u.dst6, &fdp->fd_ip6.in6, 0, 0, 0);
else else
@ -1426,7 +1430,18 @@ frdest_t *fdp;
rtcache_setdst(ro, dst); rtcache_setdst(ro, dst);
rtcache_init(ro); rtcache_init(ro);
#endif /* __NetBSD_Version__ < 499001100 */ # else
dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
dst6->sin6_family = AF_INET6;
dst6->sin6_len = sizeof(struct sockaddr_in6);
dst6->sin6_addr = fin->fin_fi.fi_dst.in6;
if (fdp != NULL) {
if (IP6_NOTZERO(&fdp->fd_ip6))
dst6->sin6_addr = fdp->fd_ip6.in6;
}
rtalloc((struct route *)ro);
# endif
if ((ifp == NULL) && (ro->ro_rt != NULL)) if ((ifp == NULL) && (ro->ro_rt != NULL))
ifp = ro->ro_rt->rt_ifp; ifp = ro->ro_rt->rt_ifp;
@ -1439,80 +1454,81 @@ frdest_t *fdp;
rt = fdp ? NULL : ro->ro_rt; rt = fdp ? NULL : ro->ro_rt;
/* KAME */ /* KAME */
#if __NetBSD_Version__ < 499001100 # if __NetBSD_Version__ >= 499001100
if (IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr))
dst6->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
#else /* __NetBSD_Version__ < 499001100 */
if (IN6_IS_ADDR_LINKLOCAL(&u.dst6.sin6_addr)) if (IN6_IS_ADDR_LINKLOCAL(&u.dst6.sin6_addr))
u.dst6.sin6_addr.s6_addr16[1] = htons(ifp->if_index); u.dst6.sin6_addr.s6_addr16[1] = htons(ifp->if_index);
#endif /* __NetBSD_Version__ < 499001100 */ # else
if (IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr))
dst6->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
# endif
{ {
#if (__NetBSD_Version__ >= 106010000) # if (__NetBSD_Version__ >= 106010000)
# if (__NetBSD_Version__ >= 399001400) # if (__NetBSD_Version__ >= 399001400)
struct in6_ifextra *ife; struct in6_ifextra *ife;
# else # else
struct in6_addr finaldst = fin->fin_dst6; struct in6_addr finaldst = fin->fin_dst6;
int frag; int frag;
# endif
# endif # endif
#endif # if __NetBSD_Version__ >= 499001100
#if __NetBSD_Version__ < 499001100
if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway;
#else /* __NetBSD_Version__ < 499001100 */
if (ro->ro_rt->rt_flags & RTF_GATEWAY) if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst = ro->ro_rt->rt_gateway; dst = ro->ro_rt->rt_gateway;
#endif /* __NetBSD_Version__ < 499001100 */ # else
if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway;
# endif
ro->ro_rt->rt_use++; ro->ro_rt->rt_use++;
/* Determine path MTU. */ /* Determine path MTU. */
#if (__NetBSD_Version__ <= 106009999) # if (__NetBSD_Version__ <= 106009999)
mtu = nd_ifinfo[ifp->if_index].linkmtu; mtu = nd_ifinfo[ifp->if_index].linkmtu;
#else # else
# if (__NetBSD_Version__ >= 399001400) # if (__NetBSD_Version__ >= 399001400)
ife = (struct in6_ifextra *)(ifp)->if_afdata[AF_INET6]; ife = (struct in6_ifextra *)(ifp)->if_afdata[AF_INET6];
mtu = ife->nd_ifinfo[ifp->if_index].linkmtu; mtu = ife->nd_ifinfo[ifp->if_index].linkmtu;
# else # else
error = ip6_getpmtu(ro, ro, ifp, &finaldst, &mtu, &frag); error = ip6_getpmtu(ro, ro, ifp, &finaldst, &mtu, &frag);
# endif
# endif # endif
#endif
if ((error == 0) && (m0->m_pkthdr.len <= mtu)) { if ((error == 0) && (m0->m_pkthdr.len <= mtu)) {
*mpp = NULL; *mpp = NULL;
#if __NetBSD_Version__ < 499001100 # if __NetBSD_Version__ >= 499001100
error = nd6_output(ifp, ifp, m0, dst6, rt);
#else /* __NetBSD_Version__ < 499001100 */
error = nd6_output(ifp, ifp, m0, satocsin6(dst), rt); error = nd6_output(ifp, ifp, m0, satocsin6(dst), rt);
#endif /* __NetBSD_Version__ < 499001100 */ # else
error = nd6_output(ifp, ifp, m0, dst6, rt);
# endif
} else { } else {
error = EMSGSIZE; error = EMSGSIZE;
} }
} }
bad: bad:
#if __NetBSD_Version__ >= 499001100 # if __NetBSD_Version__ >= 499001100
rtcache_free(ro); rtcache_free(ro);
#else # else
RTFREE(((struct route *)ro)->ro_rt); if (ro->ro_rt != NULL) {
#endif RTFREE(((struct route *)ro)->ro_rt);
}
# endif
return error; return error;
} }
#endif #endif /* INET6 */
int fr_verifysrc(fin) int fr_verifysrc(fin)
fr_info_t *fin; fr_info_t *fin;
{ {
int rc; #if __NetBSD_Version__ >= 499001100
#if __NetBSD_Version__ < 499001100
struct sockaddr_in *dst;
#else /* __NetBSD_Version__ < 499001100 */
union { union {
struct sockaddr dst; struct sockaddr dst;
struct sockaddr_in dst4; struct sockaddr_in dst4;
} u; } u;
#endif /* __NetBSD_Version__ < 499001100 */ #else
struct sockaddr_in *dst;
#endif
struct route iproute; struct route iproute;
int rc;
memset(&iproute, 0, sizeof(iproute));
#if __NetBSD_Version__ >= 499001100 #if __NetBSD_Version__ >= 499001100
sockaddr_in_init(&u.dst4, &fin->fin_src, 0); sockaddr_in_init(&u.dst4, &fin->fin_src, 0);
rtcache_setdst(&iproute, &u.dst); rtcache_setdst(&iproute, &u.dst);
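Review bot: `RTFREE(((struct route *)ro)->ro_rt);` in fr_fastroute's `done:` cleanup casts `ro`, which this function already declares as `struct route *`, to its own type; `RTFREE(ro->ro_rt);` reads better and leaves the cast where it is actually needed, in fr_fastroute6 where `ro` is `struct route_in6 *` on the pre-499001100 branch. The NULL check added around that same RTFREE at fr_fastroute6's `bad:` label makes the IPv6 failure path safe when no route was found, and moving the `memset(ro, 0, ...)` ahead of the FASTROUTE test in fr_fastroute presumably does the same for the IPv4 `goto bad`, since `ro->ro_rt` is then known to be NULL. Both functions begin outside the hunks shown.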


@ -1,4 +1,4 @@
/* $NetBSD: ip_frag.c,v 1.6 2007/04/14 20:34:36 martin Exp $ */ /* $NetBSD: ip_frag.c,v 1.7 2007/06/16 10:52:28 martin Exp $ */
/* /*
* Copyright (C) 1993-2003 by Darren Reed. * Copyright (C) 1993-2003 by Darren Reed.
@ -103,10 +103,10 @@ extern struct timeout fr_slowtimer_ch;
#if !defined(lint) #if !defined(lint)
#if defined(__NetBSD__) #if defined(__NetBSD__)
#include <sys/cdefs.h> #include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.6 2007/04/14 20:34:36 martin Exp $"); __KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.7 2007/06/16 10:52:28 martin Exp $");
#else #else
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.77.2.8 2006/09/01 14:09:33 darrenr Exp"; static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.77.2.9 2007/05/27 11:13:44 darrenr Exp";
#endif #endif
#endif #endif
@ -715,6 +715,14 @@ ipfr_t *fra, ***tail;
} }
/* ------------------------------------------------------------------------ */
/* Function: fr_fragfree */
/* Returns: Nil */
/* Parameters: fra - pointer to frag structure to free */
/* */
/* Take care of the details associated with deleting an entry from the frag */
/* cache. Currently this just means bumping stats correctly after freeing */
/* ------------------------------------------------------------------------ */
static void fr_fragfree(fra) static void fr_fragfree(fra)
ipfr_t *fra; ipfr_t *fra;
{ {
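Review bot: The new fr_fragfree header comment omits the `Write Locks:` line that the project's function-header template carries elsewhere in this commit (nat_flush_entry lists `ipf_nat`); if fr_fragfree must be entered with the fragment-table lock held, add a `/* Write Locks: <frag table lock> */` line, and if it need not, stating that is equally useful. The body of fr_fragfree lies outside the hunk, so the lock requirement cannot be read from here. "Take care of the details associated with deleting an entry" would be more precise if it said whether the caller is expected to have unlinked the entry first.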


@ -1,4 +1,4 @@
/* $NetBSD: ip_lookup.c,v 1.11 2007/04/27 10:17:19 jnemeth Exp $ */ /* $NetBSD: ip_lookup.c,v 1.12 2007/06/16 10:52:28 martin Exp $ */
/* /*
* Copyright (C) 2002-2003 by Darren Reed. * Copyright (C) 2002-2003 by Darren Reed.
@ -65,7 +65,7 @@ struct file;
/* END OF INCLUDES */ /* END OF INCLUDES */
#if !defined(lint) #if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.14 2007/02/17 12:41:42 darrenr Exp"; static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.15 2007/05/26 13:05:13 darrenr Exp";
#endif #endif
#ifdef IPFILTER_LOOKUP #ifdef IPFILTER_LOOKUP
@ -219,8 +219,9 @@ void *data;
ip_pool_t *p; ip_pool_t *p;
int err; int err;
err = 0; err = BCOPYIN(data, &op, sizeof(op));
BCOPYIN(data, &op, sizeof(op)); if (err != 0)
return EFAULT;
if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX) if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX)
return EINVAL; return EINVAL;
@ -293,8 +294,9 @@ void *data;
ip_pool_t *p; ip_pool_t *p;
int err; int err;
err = 0; err = BCOPYIN(data, &op, sizeof(op));
BCOPYIN(data, &op, sizeof(op)); if (err != 0)
return EFAULT;
if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX) if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX)
return EINVAL; return EINVAL;
@ -357,8 +359,7 @@ void *data;
iplookupop_t op; iplookupop_t op;
int err; int err;
err = 0; err = BCOPYIN(data, &op, sizeof(op));
BCOPYIN(data, &op, sizeof(op));
if (err != 0) if (err != 0)
return EFAULT; return EFAULT;
@ -393,7 +394,9 @@ void *data;
* case of success it will contain the new table's name. * case of success it will contain the new table's name.
*/ */
if ((err == 0) && ((op.iplo_arg & LOOKUP_ANON) != 0)) { if ((err == 0) && ((op.iplo_arg & LOOKUP_ANON) != 0)) {
BCOPYOUT(&op, data, sizeof(op)); err = BCOPYOUT(&op, data, sizeof(op));
if (err != 0)
err = EFAULT;
} }
return err; return err;
@ -414,8 +417,9 @@ void *data;
iplookupop_t op; iplookupop_t op;
int err; int err;
err = 0; err = BCOPYIN(data, &op, sizeof(op));
BCOPYIN(data, &op, sizeof(op)); if (err != 0)
return EFAULT;
if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX) if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX)
return EINVAL; return EINVAL;
@ -457,8 +461,9 @@ void *data;
iplookupop_t op; iplookupop_t op;
int err; int err;
err = 0; err = BCOPYIN(data, &op, sizeof(op));
BCOPYIN(data, &op, sizeof(op)); if (err != 0)
return EFAULT;
if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX) if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX)
return EINVAL; return EINVAL;
@ -495,9 +500,10 @@ void *data;
int err, unit, num, type; int err, unit, num, type;
iplookupflush_t flush; iplookupflush_t flush;
err = 0; err = BCOPYIN(data, &flush, sizeof(flush));
BCOPYIN(data, &flush, sizeof(flush)); if (err != 0)
return EFAULT;
unit = flush.iplf_unit; unit = flush.iplf_unit;
if ((unit < 0 || unit > IPL_LOGMAX) && (unit != IPLT_ALL)) if ((unit < 0 || unit > IPL_LOGMAX) && (unit != IPLT_ALL))
return EINVAL; return EINVAL;
@ -520,7 +526,9 @@ void *data;
if (err == 0) { if (err == 0) {
flush.iplf_count = num; flush.iplf_count = num;
BCOPYOUT(&flush, data, sizeof(flush)); err = BCOPYOUT(&flush, data, sizeof(flush));
if (err != 0)
err = EFAULT;
} }
return err; return err;
} }
@ -572,6 +580,7 @@ void *ctx;
ipflookupiter_t iter; ipflookupiter_t iter;
ipftoken_t *token; ipftoken_t *token;
int err; int err;
SPL_INT(s);
err = fr_inobj(data, &iter, IPFOBJ_LOOKUPITER); err = fr_inobj(data, &iter, IPFOBJ_LOOKUPITER);
if (err != 0) if (err != 0)
@ -583,9 +592,11 @@ void *ctx;
if (iter.ili_ival != IPFGENITER_LOOKUP) if (iter.ili_ival != IPFGENITER_LOOKUP)
return EINVAL; return EINVAL;
SPL_SCHED(s);
token = ipf_findtoken(iter.ili_key, uid, ctx); token = ipf_findtoken(iter.ili_key, uid, ctx);
if (token == NULL) { if (token == NULL) {
RWLOCK_EXIT(&ipf_tokens); RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
return ESRCH; return ESRCH;
} }
@ -602,6 +613,7 @@ void *ctx;
break; break;
} }
RWLOCK_EXIT(&ipf_tokens); RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
return err; return err;
} }
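Review bot: `SPL_SCHED(s)` is raised before `ipf_findtoken()` and only lowered by the `SPL_X(s)` that follows the final `RWLOCK_EXIT(&ipf_tokens)`, but the loop between the two hunks is not visible here; every early `return` or `goto` in that stretch must now also execute `SPL_X(s)`, otherwise the ioctl returns with the IPL still raised. A `break` out of the loop is safe since it reaches the common exit. The `ESRCH` path releases the lock before lowering the IPL, which is the right order and matches ip_state.c.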


@ -1,4 +1,4 @@
/* $NetBSD: ip_nat.c,v 1.29 2007/05/31 10:33:54 darrenr Exp $ */ /* $NetBSD: ip_nat.c,v 1.30 2007/06/16 10:52:28 martin Exp $ */
/* /*
* Copyright (C) 1995-2003 by Darren Reed. * Copyright (C) 1995-2003 by Darren Reed.
@ -16,8 +16,8 @@
#include <sys/param.h> #include <sys/param.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/file.h> #include <sys/file.h>
#if (__NetBSD_Version__ >= 399002000) #if (__NetBSD_Version__ >= 399002000) && defined(_KERNEL)
#include <sys/kauth.h> # include <sys/kauth.h>
#endif #endif
#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \ #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
defined(_KERNEL) defined(_KERNEL)
@ -116,7 +116,7 @@ extern struct ifnet vpnif;
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.195.2.82 2007/05/13 00:08:53 darrenr Exp"; static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.195.2.87 2007/05/31 10:17:17 darrenr Exp";
#endif #endif
@ -649,16 +649,21 @@ void *ctx;
ipnat_t *nat, *nt, *n = NULL, **np = NULL; ipnat_t *nat, *nt, *n = NULL, **np = NULL;
int error = 0, ret, arg, getlock; int error = 0, ret, arg, getlock;
ipnat_t natd; ipnat_t natd;
SPL_INT(s);
#if (BSD >= 199306) && defined(_KERNEL) #if (BSD >= 199306) && defined(_KERNEL)
#if (__NetBSD_Version__ >= 399002000) # if (__NetBSD_Version__ >= 399002000)
if ((mode & FWRITE) && kauth_authorize_network(curlwp->l_cred, if ((mode & FWRITE) &&
KAUTH_NETWORK_FIREWALL, KAUTH_REQ_NETWORK_FIREWALL_NAT, kauth_authorize_network(curlwp->l_cred, KAUTH_NETWORK_FIREWALL,
NULL, NULL, NULL)) KAUTH_REQ_NETWORK_FIREWALL_FW,
#else NULL, NULL, NULL)) {
if ((securelevel >= 2) && (mode & FWRITE))
#endif
return EPERM; return EPERM;
}
# else
if ((securelevel >= 2) && (mode & FWRITE)) {
return EPERM;
}
# endif
#endif #endif
#if defined(__osf__) && defined(_KERNEL) #if defined(__osf__) && defined(_KERNEL)
@ -713,22 +718,6 @@ void *ctx;
switch (cmd) switch (cmd)
{ {
case SIOCGENITER :
{
ipfgeniter_t iter;
ipftoken_t *token;
error = fr_inobj(data, &iter, IPFOBJ_GENITER);
if (error != 0)
break;
token = ipf_findtoken(iter.igi_type, uid, ctx);
if (token != NULL) {
error = nat_iterator(token, &iter);
}
RWLOCK_EXIT(&ipf_tokens);
break;
}
#ifdef IPFILTER_LOG #ifdef IPFILTER_LOG
case SIOCIPFFB : case SIOCIPFFB :
{ {
@ -738,7 +727,10 @@ void *ctx;
error = EPERM; error = EPERM;
else { else {
tmp = ipflog_clear(IPL_LOGNAT); tmp = ipflog_clear(IPL_LOGNAT);
BCOPYOUT((char *)&tmp, (char *)data, sizeof(tmp)); error = BCOPYOUT((char *)&tmp, (char *)data,
sizeof(tmp));
if (error != 0)
error = EFAULT;
} }
break; break;
} }
@ -747,19 +739,25 @@ void *ctx;
if (!(mode & FWRITE)) if (!(mode & FWRITE))
error = EPERM; error = EPERM;
else { else {
BCOPYIN((char *)data, (char *)&nat_logging, error = BCOPYIN((char *)data, (char *)&nat_logging,
sizeof(nat_logging)); sizeof(nat_logging));
if (error != 0)
error = EFAULT;
} }
break; break;
case SIOCGETLG : case SIOCGETLG :
BCOPYOUT((char *)&nat_logging, (char *)data, error = BCOPYOUT((char *)&nat_logging, (char *)data,
sizeof(nat_logging)); sizeof(nat_logging));
if (error != 0)
error = EFAULT;
break; break;
case FIONREAD : case FIONREAD :
arg = iplused[IPL_LOGNAT]; arg = iplused[IPL_LOGNAT];
BCOPYOUT(&arg, data, sizeof(arg)); error = BCOPYOUT(&arg, data, sizeof(arg));
if (error != 0)
error = EFAULT;
break; break;
#endif #endif
case SIOCADNAT : case SIOCADNAT :
@ -846,19 +844,23 @@ void *ctx;
WRITE_ENTER(&ipf_nat); WRITE_ENTER(&ipf_nat);
} }
BCOPYIN(data, &arg, sizeof(arg)); error = BCOPYIN(data, &arg, sizeof(arg));
if (arg == 0) if (error != 0)
ret = nat_flushtable(); error = EFAULT;
else if (arg == 1) else {
ret = nat_clearlist(); if (arg == 0)
else ret = nat_flushtable();
ret = nat_extraflush(arg); else if (arg == 1)
ret = nat_clearlist();
else
ret = nat_extraflush(arg);
}
if (getlock) { if (getlock) {
RWLOCK_EXIT(&ipf_nat); RWLOCK_EXIT(&ipf_nat);
} }
if (error == 0) { if (error == 0) {
BCOPYOUT(&ret, data, sizeof(ret)); error = BCOPYOUT(&ret, data, sizeof(ret));
} }
break; break;
@ -908,9 +910,33 @@ void *ctx;
error = EACCES; error = EACCES;
break; break;
case SIOCGENITER :
{
ipfgeniter_t iter;
ipftoken_t *token;
SPL_SCHED(s);
error = fr_inobj(data, &iter, IPFOBJ_GENITER);
if (error == 0) {
token = ipf_findtoken(iter.igi_type, uid, ctx);
if (token != NULL) {
error = nat_iterator(token, &iter);
}
RWLOCK_EXIT(&ipf_tokens);
}
SPL_X(s);
break;
}
case SIOCIPFDELTOK : case SIOCIPFDELTOK :
BCOPYIN(data, &arg, sizeof(arg)); error = BCOPYIN((caddr_t)data, (caddr_t)&arg, sizeof(arg));
error = ipf_deltoken(arg, uid, ctx); if (error == 0) {
SPL_SCHED(s);
error = ipf_deltoken(arg, uid, ctx);
SPL_X(s);
} else {
error = EFAULT;
}
break; break;
case SIOCGTQTAB : case SIOCGTQTAB :
@ -1176,7 +1202,8 @@ caddr_t data;
nat_t *nat, *n; nat_t *nat, *n;
natget_t ng; natget_t ng;
BCOPYIN(data, &ng, sizeof(ng)); if (BCOPYIN(data, &ng, sizeof(ng)) != 0)
return EFAULT;
nat = ng.ng_ptr; nat = ng.ng_ptr;
if (!nat) { if (!nat) {
@ -1186,7 +1213,8 @@ caddr_t data;
* Empty list so the size returned is 0. Simple. * Empty list so the size returned is 0. Simple.
*/ */
if (nat == NULL) { if (nat == NULL) {
BCOPYOUT(&ng, data, sizeof(ng)); if (BCOPYOUT(&ng, data, sizeof(ng)) != 0)
return EFAULT;
return 0; return 0;
} }
} else { } else {
@ -1213,7 +1241,8 @@ caddr_t data;
ng.ng_sz += aps->aps_psiz; ng.ng_sz += aps->aps_psiz;
} }
BCOPYOUT(&ng, data, sizeof(ng)); if (BCOPYOUT(&ng, data, sizeof(ng)) != 0)
return EFAULT;
return 0; return 0;
} }
@ -2319,6 +2348,8 @@ int direction;
ni.nai_np = np; ni.nai_np = np;
ni.nai_nflags = nflags; ni.nai_nflags = nflags;
ni.nai_flags = flags; ni.nai_flags = flags;
ni.nai_dport = 0;
ni.nai_sport = 0;
/* Give me a new nat */ /* Give me a new nat */
KMALLOC(nat, nat_t *); KMALLOC(nat, nat_t *);
@ -5309,7 +5340,7 @@ int which;
/* ------------------------------------------------------------------------ */ /* ------------------------------------------------------------------------ */
/* Function: nat_flush_entry */ /* Function: nat_flush_entry */
/* Returns: 1 - always succeeds */ /* Returns: 0 - always succeeds */
/* Parameters: entry(I) - pointer to NAT entry */ /* Parameters: entry(I) - pointer to NAT entry */
/* Write Locks: ipf_nat */ /* Write Locks: ipf_nat */
/* */ /* */
@ -5322,5 +5353,5 @@ static int nat_flush_entry(entry)
void *entry; void *entry;
{ {
nat_delete(entry, NL_FLUSH); nat_delete(entry, NL_FLUSH);
return 1; return 0;
} }
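Review bot: The kauth request for the NAT ioctl changed from `KAUTH_REQ_NETWORK_FIREWALL_NAT` to `KAUTH_REQ_NETWORK_FIREWALL_FW` in the first hunk, so a secmodel that grants NAT administration separately from filter administration is now asked about the wrong privilege; unless this was deliberate it looks like the vendor import overwrote the NetBSD-local request and the line should read `KAUTH_REQ_NETWORK_FIREWALL_NAT,`. Separately, in the new SIOCGENITER case `SPL_SCHED(s)` is raised before `fr_inobj()` copies the iterator in from userland, whereas ip_state.c's SIOCGENITER raises it only after the copy-in succeeds; a copy-in can fault and sleep, so moving `SPL_SCHED(s)` after the `error == 0` test would match ip_state.c. In SIOCIPFFL the `BCOPYOUT(&ret, ...)` result is returned as-is rather than mapped to `EFAULT` like every other copy in this file.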


@ -1,4 +1,4 @@
/* $NetBSD: ip_pool.c,v 1.9 2007/06/09 03:07:22 dyoung Exp $ */ /* $NetBSD: ip_pool.c,v 1.10 2007/06/16 10:52:29 martin Exp $ */
/* /*
* Copyright (C) 1993-2001, 2003 by Darren Reed. * Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -82,7 +82,7 @@ static int rn_freenode __P((struct radix_node *, void *));
#if !defined(lint) #if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.19 2007/02/17 12:41:42 darrenr Exp"; static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.20 2007/05/31 12:27:35 darrenr Exp";
#endif #endif
#ifdef IPFILTER_LOOKUP #ifdef IPFILTER_LOOKUP


@ -1,4 +1,4 @@
/* $NetBSD: ip_proxy.c,v 1.15 2007/05/15 22:52:51 martin Exp $ */ /* $NetBSD: ip_proxy.c,v 1.16 2007/06/16 10:52:29 martin Exp $ */
/* /*
* Copyright (C) 1997-2003 by Darren Reed. * Copyright (C) 1997-2003 by Darren Reed.
@ -105,7 +105,7 @@ struct file;
/* END OF INCLUDES */ /* END OF INCLUDES */
#if !defined(lint) #if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.19 2007/04/30 09:07:51 darrenr Exp"; static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.20 2007/05/31 12:27:36 darrenr Exp";
#endif #endif
#ifdef INET #ifdef INET


@ -1,4 +1,4 @@
/* $NetBSD: ip_state.c,v 1.25 2007/05/25 06:44:20 martti Exp $ */ /* $NetBSD: ip_state.c,v 1.26 2007/06/16 10:52:30 martin Exp $ */
/* /*
* Copyright (C) 1995-2003 by Darren Reed. * Copyright (C) 1995-2003 by Darren Reed.
@ -114,10 +114,10 @@ struct file;
#if !defined(lint) #if !defined(lint)
#if defined(__NetBSD__) #if defined(__NetBSD__)
#include <sys/cdefs.h> #include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.25 2007/05/25 06:44:20 martti Exp $"); __KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.26 2007/06/16 10:52:30 martin Exp $");
#else #else
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_state.c,v 2.186.2.66 2007/05/13 00:08:54 darrenr Exp"; static const char rcsid[] = "@(#)Id: ip_state.c,v 2.186.2.69 2007/05/26 13:05:14 darrenr Exp";
#endif #endif
#endif #endif
@ -445,6 +445,7 @@ int mode, uid;
void *ctx; void *ctx;
{ {
int arg, ret, error = 0; int arg, ret, error = 0;
SPL_INT(s);
switch (cmd) switch (cmd)
{ {
@ -459,20 +460,32 @@ void *ctx;
* Flush the state table * Flush the state table
*/ */
case SIOCIPFFL : case SIOCIPFFL :
BCOPYIN(data, (char *)&arg, sizeof(arg)); error = BCOPYIN(data, (char *)&arg, sizeof(arg));
WRITE_ENTER(&ipf_state); if (error != 0) {
ret = fr_state_flush(arg, 4); error = EFAULT;
RWLOCK_EXIT(&ipf_state); } else {
BCOPYOUT((char *)&ret, data, sizeof(ret)); WRITE_ENTER(&ipf_state);
ret = fr_state_flush(arg, 4);
RWLOCK_EXIT(&ipf_state);
error = BCOPYOUT((char *)&ret, data, sizeof(ret));
if (error != 0)
error = EFAULT;
}
break; break;
#ifdef USE_INET6 #ifdef USE_INET6
case SIOCIPFL6 : case SIOCIPFL6 :
BCOPYIN(data, (char *)&arg, sizeof(arg)); error = BCOPYIN(data, (char *)&arg, sizeof(arg));
WRITE_ENTER(&ipf_state); if (error != 0) {
ret = fr_state_flush(arg, 6); error = EFAULT;
RWLOCK_EXIT(&ipf_state); } else {
BCOPYOUT((char *)&ret, data, sizeof(ret)); WRITE_ENTER(&ipf_state);
ret = fr_state_flush(arg, 6);
RWLOCK_EXIT(&ipf_state);
error = BCOPYOUT((char *)&ret, data, sizeof(ret));
if (error != 0)
error = EFAULT;
}
break; break;
#endif #endif
#ifdef IPFILTER_LOG #ifdef IPFILTER_LOG
@ -486,7 +499,9 @@ void *ctx;
int tmp; int tmp;
tmp = ipflog_clear(IPL_LOGSTATE); tmp = ipflog_clear(IPL_LOGSTATE);
BCOPYOUT((char *)&tmp, data, sizeof(tmp)); error = BCOPYOUT((char *)&tmp, data, sizeof(tmp));
if (error != 0)
error = EFAULT;
} }
break; break;
@ -497,8 +512,10 @@ void *ctx;
if (!(mode & FWRITE)) if (!(mode & FWRITE))
error = EPERM; error = EPERM;
else { else {
BCOPYIN((char *)data, (char *)&ipstate_logging, error = BCOPYIN((char *)data, (char *)&ipstate_logging,
sizeof(ipstate_logging)); sizeof(ipstate_logging));
if (error != 0)
error = EFAULT;
} }
break; break;
@ -506,8 +523,10 @@ void *ctx;
* Return the current state of logging. * Return the current state of logging.
*/ */
case SIOCGETLG : case SIOCGETLG :
BCOPYOUT((char *)&ipstate_logging, (char *)data, error = BCOPYOUT((char *)&ipstate_logging, (char *)data,
sizeof(ipstate_logging)); sizeof(ipstate_logging));
if (error != 0)
error = EFAULT;
break; break;
/* /*
@ -515,7 +534,9 @@ void *ctx;
*/ */
case FIONREAD : case FIONREAD :
arg = iplused[IPL_LOGSTATE]; /* returned in an int */ arg = iplused[IPL_LOGSTATE]; /* returned in an int */
BCOPYOUT((char *)&arg, data, sizeof(arg)); error = BCOPYOUT((char *)&arg, data, sizeof(arg));
if (error != 0)
error = EFAULT;
break; break;
#endif #endif
@ -564,8 +585,10 @@ void *ctx;
* Return a copy of the hash table bucket lengths * Return a copy of the hash table bucket lengths
*/ */
case SIOCSTAT1 : case SIOCSTAT1 :
BCOPYOUT(ips_stats.iss_bucketlen, data, error = BCOPYOUT(ips_stats.iss_bucketlen, data,
fr_statesize * sizeof(u_long)); fr_statesize * sizeof(u_long));
if (error != 0)
error = EFAULT;
break; break;
case SIOCGENITER : case SIOCGENITER :
@ -577,12 +600,14 @@ void *ctx;
if (error != 0) if (error != 0)
break; break;
SPL_SCHED(s);
token = ipf_findtoken(IPFGENITER_STATE, uid, ctx); token = ipf_findtoken(IPFGENITER_STATE, uid, ctx);
if (token != NULL) if (token != NULL)
error = fr_stateiter(token, &iter); error = fr_stateiter(token, &iter);
else else
error = ESRCH; error = ESRCH;
RWLOCK_EXIT(&ipf_tokens); RWLOCK_EXIT(&ipf_tokens);
SPL_X(s);
break; break;
} }
@ -591,8 +616,14 @@ void *ctx;
break; break;
case SIOCIPFDELTOK : case SIOCIPFDELTOK :
BCOPYIN(data, (char *)&arg, sizeof(arg)); error = BCOPYIN(data, (char *)&arg, sizeof(arg));
error = ipf_deltoken(arg, uid, ctx); if (error != 0) {
error = EFAULT;
} else {
SPL_SCHED(s);
error = ipf_deltoken(arg, uid, ctx);
SPL_X(s);
}
break; break;
case SIOCGTQTAB : case SIOCGTQTAB :
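Review bot: The SIOCIPFFL and SIOCIPFL6 arms are now textually identical except for the `4`/`6` argument to `fr_state_flush()`, and the copy-in, lock, copy-out and `EFAULT` mapping were duplicated along with them; a small static helper taking the address-family argument would keep the two in step the next time the handling changes. The `SPL_SCHED`/`SPL_X` pairing in SIOCGENITER and SIOCIPFDELTOK is consistent, and `RWLOCK_EXIT(&ipf_tokens)` precedes `SPL_X(s)`, which is the right order. The switch continues beyond the last hunk.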


@ -1,4 +1,4 @@
/* $NetBSD: ipl.h,v 1.9 2007/05/15 22:52:52 martin Exp $ */ /* $NetBSD: ipl.h,v 1.10 2007/06/16 10:52:30 martin Exp $ */
/* /*
* Copyright (C) 1993-2001, 2003 by Darren Reed. * Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -6,14 +6,14 @@
* See the IPFILTER.LICENCE file for details on licencing. * See the IPFILTER.LICENCE file for details on licencing.
* *
* @(#)ipl.h 1.21 6/5/96 * @(#)ipl.h 1.21 6/5/96
* Id: ipl.h,v 2.52.2.24 2007/05/13 00:10:39 darrenr Exp * Id: ipl.h,v 2.52.2.25 2007/05/31 11:40:43 darrenr Exp
*/ */
#ifndef __IPL_H__ #ifndef __IPL_H__
#define __IPL_H__ #define __IPL_H__
#define IPL_VERSION "IP Filter: v4.1.22" #define IPL_VERSION "IP Filter: v4.1.23"
#define IPFILTER_VERSION 4012200 #define IPFILTER_VERSION 4012300
#endif #endif