12393Syz155240 /*
22393Syz155240 * Copyright (C) 1993-2003 by Darren Reed.
32393Syz155240 *
42393Syz155240 * See the IPFILTER.LICENCE file for details on licencing.
52393Syz155240 *
612255SJohn.Ojemann@Oracle.COM * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
72393Syz155240 */
82393Syz155240
92393Syz155240 #if defined(KERNEL) || defined(_KERNEL)
102393Syz155240 # undef KERNEL
112393Syz155240 # undef _KERNEL
122393Syz155240 # define KERNEL 1
132393Syz155240 # define _KERNEL 1
142393Syz155240 #endif
152393Syz155240 #include <sys/errno.h>
162393Syz155240 #include <sys/types.h>
172393Syz155240 #include <sys/param.h>
182393Syz155240 #include <sys/time.h>
192393Syz155240 #if defined(__NetBSD__)
202393Syz155240 # if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
212393Syz155240 # include "opt_ipfilter_log.h"
222393Syz155240 # endif
232393Syz155240 #endif
242393Syz155240 #if defined(_KERNEL) && defined(__FreeBSD_version) && \
252393Syz155240 (__FreeBSD_version >= 220000)
262393Syz155240 # if (__FreeBSD_version >= 400000)
272393Syz155240 # if !defined(IPFILTER_LKM)
282393Syz155240 # include "opt_inet6.h"
292393Syz155240 # endif
302393Syz155240 # if (__FreeBSD_version == 400019)
312393Syz155240 # define CSUM_DELAY_DATA
322393Syz155240 # endif
332393Syz155240 # endif
342393Syz155240 # include <sys/filio.h>
352393Syz155240 #else
362393Syz155240 # include <sys/ioctl.h>
372393Syz155240 #endif
382393Syz155240 #if !defined(_AIX51)
392393Syz155240 # include <sys/fcntl.h>
402393Syz155240 #endif
412393Syz155240 #if defined(_KERNEL)
422393Syz155240 # include <sys/systm.h>
432393Syz155240 # include <sys/file.h>
442393Syz155240 #else
452393Syz155240 # include <stdio.h>
462393Syz155240 # include <string.h>
472393Syz155240 # include <stdlib.h>
482393Syz155240 # include <stddef.h>
492393Syz155240 # include <sys/file.h>
502393Syz155240 # define _KERNEL
512393Syz155240 # ifdef __OpenBSD__
522393Syz155240 struct file;
532393Syz155240 # endif
542393Syz155240 # include <sys/uio.h>
552393Syz155240 # undef _KERNEL
562393Syz155240 #endif
572393Syz155240 #if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux) && \
582393Syz155240 !defined(linux)
592393Syz155240 # include <sys/mbuf.h>
602393Syz155240 #else
612393Syz155240 # if !defined(linux)
622393Syz155240 # include <sys/byteorder.h>
632393Syz155240 # endif
642393Syz155240 # if (SOLARIS2 < 5) && defined(sun)
652393Syz155240 # include <sys/dditypes.h>
662393Syz155240 # endif
672393Syz155240 #endif
682393Syz155240 #ifdef __hpux
692393Syz155240 # define _NET_ROUTE_INCLUDED
702393Syz155240 #endif
712393Syz155240 #if !defined(linux)
722393Syz155240 # include <sys/protosw.h>
732393Syz155240 #endif
742393Syz155240 #include <sys/socket.h>
752393Syz155240 #include <net/if.h>
762393Syz155240 #ifdef sun
772393Syz155240 # include <net/af.h>
782393Syz155240 #endif
792393Syz155240 #if !defined(_KERNEL) && defined(__FreeBSD__)
802393Syz155240 # include "radix_ipf.h"
812393Syz155240 #endif
822393Syz155240 #include <net/route.h>
832393Syz155240 #include <netinet/in.h>
842393Syz155240 #include <netinet/in_systm.h>
852393Syz155240 #include <netinet/ip.h>
862393Syz155240 #if !defined(linux)
872393Syz155240 # include <netinet/ip_var.h>
882393Syz155240 #endif
892393Syz155240 #if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
902393Syz155240 # include <sys/hashing.h>
912393Syz155240 # include <netinet/in_var.h>
922393Syz155240 #endif
932393Syz155240 #include <netinet/tcp.h>
942393Syz155240 #if (!defined(__sgi) && !defined(AIX)) || defined(_KERNEL)
952393Syz155240 # include <netinet/udp.h>
962393Syz155240 # include <netinet/ip_icmp.h>
972393Syz155240 #endif
982393Syz155240 #ifdef __hpux
992393Syz155240 # undef _NET_ROUTE_INCLUDED
1002393Syz155240 #endif
1012393Syz155240 #include "netinet/ip_compat.h"
1022393Syz155240 #ifdef USE_INET6
1032393Syz155240 # include <netinet/icmp6.h>
1042393Syz155240 # if !SOLARIS && defined(_KERNEL) && !defined(__osf__) && !defined(__hpux)
1052393Syz155240 # include <netinet6/in6_var.h>
1062393Syz155240 # endif
1072393Syz155240 #endif
1082393Syz155240 #include <netinet/tcpip.h>
1092393Syz155240 #include "netinet/ip_fil.h"
1102393Syz155240 #include "netinet/ip_nat.h"
1112393Syz155240 #include "netinet/ip_frag.h"
1122393Syz155240 #include "netinet/ip_state.h"
1132393Syz155240 #include "netinet/ip_proxy.h"
1142393Syz155240 #include "netinet/ip_auth.h"
1153448Sdh155122 #include "netinet/ipf_stack.h"
1162393Syz155240 #ifdef IPFILTER_SCAN
1172393Syz155240 # include "netinet/ip_scan.h"
1182393Syz155240 #endif
1192393Syz155240 #ifdef IPFILTER_SYNC
1202393Syz155240 # include "netinet/ip_sync.h"
1212393Syz155240 #endif
1222393Syz155240 #include "netinet/ip_pool.h"
1232393Syz155240 #include "netinet/ip_htable.h"
1242393Syz155240 #ifdef IPFILTER_COMPILED
1252393Syz155240 # include "netinet/ip_rules.h"
1262393Syz155240 #endif
1272393Syz155240 #if defined(IPFILTER_BPF) && defined(_KERNEL)
1282393Syz155240 # include <net/bpf.h>
1292393Syz155240 #endif
1302393Syz155240 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
1312393Syz155240 # include <sys/malloc.h>
1322393Syz155240 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
1332393Syz155240 # include "opt_ipfilter.h"
1342393Syz155240 # endif
1352393Syz155240 #endif
1362393Syz155240 #include "netinet/ipl.h"
1372393Syz155240 /* END OF INCLUDES */
1382393Syz155240
1392393Syz155240 #if !defined(lint)
1402393Syz155240 static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
1412393Syz155240 static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.64 2005/08/13 05:19:59 darrenr Exp $";
1422393Syz155240 #endif
1432393Syz155240
1442393Syz155240 #ifndef _KERNEL
1452393Syz155240 # include "ipf.h"
1462393Syz155240 # include "ipt.h"
1472393Syz155240 # include "bpf-ipf.h"
1482393Syz155240 extern int opts;
1492393Syz155240
1502393Syz155240 # define FR_VERBOSE(verb_pr) verbose verb_pr
1512393Syz155240 # define FR_DEBUG(verb_pr) debug verb_pr
1522393Syz155240 #else /* #ifndef _KERNEL */
1532393Syz155240 # define FR_VERBOSE(verb_pr)
1542393Syz155240 # define FR_DEBUG(verb_pr)
1552393Syz155240 #endif /* _KERNEL */
1562393Syz155240
1572393Syz155240
1582393Syz155240 char ipfilter_version[] = IPL_VERSION;
1592393Syz155240 int fr_features = 0
1602393Syz155240 #ifdef IPFILTER_LKM
1612393Syz155240 | IPF_FEAT_LKM
1622393Syz155240 #endif
1632393Syz155240 #ifdef IPFILTER_LOG
1642393Syz155240 | IPF_FEAT_LOG
1652393Syz155240 #endif
1662393Syz155240 #ifdef IPFILTER_LOOKUP
1672393Syz155240 | IPF_FEAT_LOOKUP
1682393Syz155240 #endif
1692393Syz155240 #ifdef IPFILTER_BPF
1702393Syz155240 | IPF_FEAT_BPF
1712393Syz155240 #endif
1722393Syz155240 #ifdef IPFILTER_COMPILED
1732393Syz155240 | IPF_FEAT_COMPILED
1742393Syz155240 #endif
1752393Syz155240 #ifdef IPFILTER_CKSUM
1762393Syz155240 | IPF_FEAT_CKSUM
1772393Syz155240 #endif
1782393Syz155240 #ifdef IPFILTER_SYNC
1792393Syz155240 | IPF_FEAT_SYNC
1802393Syz155240 #endif
1812393Syz155240 #ifdef IPFILTER_SCAN
1822393Syz155240 | IPF_FEAT_SCAN
1832393Syz155240 #endif
1842393Syz155240 #ifdef USE_INET6
1852393Syz155240 | IPF_FEAT_IPV6
1862393Syz155240 #endif
1872393Syz155240 ;
1882393Syz155240
1897131Sdr146992 #define IPF_BUMP(x) (x)++
1907131Sdr146992
1917131Sdr146992 static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
1922393Syz155240 static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
1932393Syz155240 static int fr_portcheck __P((frpcmp_t *, u_short *));
1943448Sdh155122 static int frflushlist __P((int, minor_t, int *, frentry_t **,
1953448Sdh155122 ipf_stack_t *));
1962393Syz155240 static ipfunc_t fr_findfunc __P((ipfunc_t));
1972393Syz155240 static frentry_t *fr_firewall __P((fr_info_t *, u_32_t *));
1983448Sdh155122 static int fr_funcinit __P((frentry_t *fr, ipf_stack_t *));
1992393Syz155240 static INLINE void frpr_ah __P((fr_info_t *));
2002393Syz155240 static INLINE void frpr_esp __P((fr_info_t *));
2012393Syz155240 static INLINE void frpr_gre __P((fr_info_t *));
2022393Syz155240 static INLINE void frpr_udp __P((fr_info_t *));
2032393Syz155240 static INLINE void frpr_tcp __P((fr_info_t *));
2042393Syz155240 static INLINE void frpr_icmp __P((fr_info_t *));
2052393Syz155240 static INLINE void frpr_ipv4hdr __P((fr_info_t *));
2062393Syz155240 static INLINE int frpr_pullup __P((fr_info_t *, int));
2072393Syz155240 static INLINE void frpr_short __P((fr_info_t *, int));
2082393Syz155240 static INLINE void frpr_tcpcommon __P((fr_info_t *));
2092393Syz155240 static INLINE void frpr_udpcommon __P((fr_info_t *));
2102393Syz155240 static INLINE int fr_updateipid __P((fr_info_t *));
2112393Syz155240 #ifdef IPFILTER_LOOKUP
2123448Sdh155122 static int fr_grpmapinit __P((frentry_t *fr, ipf_stack_t *));
2133448Sdh155122 static INLINE void *fr_resolvelookup __P((u_int, u_int, lookupfunc_t *,
2143448Sdh155122 ipf_stack_t *));
2152393Syz155240 #endif
2163448Sdh155122 static void frsynclist __P((int, int, void *, char *, frentry_t *,
2173448Sdh155122 ipf_stack_t *));
2182958Sdr146992 static void *fr_ifsync __P((int, int, char *, char *,
2193448Sdh155122 void *, void *, ipf_stack_t *));
2203448Sdh155122 static ipftuneable_t *fr_findtunebyname __P((const char *, ipf_stack_t *));
2213448Sdh155122 static ipftuneable_t *fr_findtunebycookie __P((void *, void **, ipf_stack_t *));
2222393Syz155240
2232393Syz155240 /*
2242393Syz155240 * bit values for identifying presence of individual IP options
2252393Syz155240 * All of these tables should be ordered by increasing key value on the left
2262393Syz155240 * hand side to allow for binary searching of the array and include a trailer
2272393Syz155240 * with a 0 for the bitmask for linear searches to easily find the end with.
2282393Syz155240 */
2292393Syz155240 const struct optlist ipopts[20] = {
2302393Syz155240 { IPOPT_NOP, 0x000001 },
2312393Syz155240 { IPOPT_RR, 0x000002 },
2322393Syz155240 { IPOPT_ZSU, 0x000004 },
2332393Syz155240 { IPOPT_MTUP, 0x000008 },
2342393Syz155240 { IPOPT_MTUR, 0x000010 },
2352393Syz155240 { IPOPT_ENCODE, 0x000020 },
2362393Syz155240 { IPOPT_TS, 0x000040 },
2372393Syz155240 { IPOPT_TR, 0x000080 },
2382393Syz155240 { IPOPT_SECURITY, 0x000100 },
2392393Syz155240 { IPOPT_LSRR, 0x000200 },
2402393Syz155240 { IPOPT_E_SEC, 0x000400 },
2412393Syz155240 { IPOPT_CIPSO, 0x000800 },
2422393Syz155240 { IPOPT_SATID, 0x001000 },
2432393Syz155240 { IPOPT_SSRR, 0x002000 },
2442393Syz155240 { IPOPT_ADDEXT, 0x004000 },
2452393Syz155240 { IPOPT_VISA, 0x008000 },
2462393Syz155240 { IPOPT_IMITD, 0x010000 },
2472393Syz155240 { IPOPT_EIP, 0x020000 },
2482393Syz155240 { IPOPT_FINN, 0x040000 },
2492393Syz155240 { 0, 0x000000 }
2502393Syz155240 };
2512393Syz155240
2522393Syz155240 #ifdef USE_INET6
2532393Syz155240 struct optlist ip6exthdr[] = {
2542393Syz155240 { IPPROTO_HOPOPTS, 0x000001 },
2552393Syz155240 { IPPROTO_IPV6, 0x000002 },
2562393Syz155240 { IPPROTO_ROUTING, 0x000004 },
2572393Syz155240 { IPPROTO_FRAGMENT, 0x000008 },
2582393Syz155240 { IPPROTO_ESP, 0x000010 },
2592393Syz155240 { IPPROTO_AH, 0x000020 },
2602393Syz155240 { IPPROTO_NONE, 0x000040 },
2612393Syz155240 { IPPROTO_DSTOPTS, 0x000080 },
2622393Syz155240 { 0, 0 }
2632393Syz155240 };
2642393Syz155240 #endif
2652393Syz155240
2662393Syz155240 struct optlist tcpopts[] = {
2672393Syz155240 { TCPOPT_NOP, 0x000001 },
2682393Syz155240 { TCPOPT_MAXSEG, 0x000002 },
2692393Syz155240 { TCPOPT_WINDOW, 0x000004 },
2702393Syz155240 { TCPOPT_SACK_PERMITTED, 0x000008 },
2712393Syz155240 { TCPOPT_SACK, 0x000010 },
2722393Syz155240 { TCPOPT_TIMESTAMP, 0x000020 },
2732393Syz155240 { 0, 0x000000 }
2742393Syz155240 };
2752393Syz155240
2762393Syz155240 /*
2772393Syz155240 * bit values for identifying presence of individual IP security options
2782393Syz155240 */
2792393Syz155240 const struct optlist secopt[8] = {
2802393Syz155240 { IPSO_CLASS_RES4, 0x01 },
2812393Syz155240 { IPSO_CLASS_TOPS, 0x02 },
2822393Syz155240 { IPSO_CLASS_SECR, 0x04 },
2832393Syz155240 { IPSO_CLASS_RES3, 0x08 },
2842393Syz155240 { IPSO_CLASS_CONF, 0x10 },
2852393Syz155240 { IPSO_CLASS_UNCL, 0x20 },
2862393Syz155240 { IPSO_CLASS_RES2, 0x40 },
2872393Syz155240 { IPSO_CLASS_RES1, 0x80 }
2882393Syz155240 };
2892393Syz155240
2902393Syz155240
2912393Syz155240 /*
2922393Syz155240 * Table of functions available for use with call rules.
2932393Syz155240 */
2942393Syz155240 static ipfunc_resolve_t fr_availfuncs[] = {
2952393Syz155240 #ifdef IPFILTER_LOOKUP
2962393Syz155240 { "fr_srcgrpmap", fr_srcgrpmap, fr_grpmapinit },
2972393Syz155240 { "fr_dstgrpmap", fr_dstgrpmap, fr_grpmapinit },
2982393Syz155240 #endif
2992393Syz155240 { "", NULL }
3002393Syz155240 };
3012393Syz155240
3022393Syz155240
3032393Syz155240 /*
3048170SJohn.Ojemann@Sun.COM * Below we declare a list of constants used only by the ipf_extraflush()
3058170SJohn.Ojemann@Sun.COM * routine. We are placing it here, instead of in ipf_extraflush() itself,
3068170SJohn.Ojemann@Sun.COM * because we want to make it visible to tools such as mdb, nm etc., so the
3078170SJohn.Ojemann@Sun.COM * values can easily be altered during debugging.
3088170SJohn.Ojemann@Sun.COM */
3098170SJohn.Ojemann@Sun.COM static const int idletime_tab[] = {
3108170SJohn.Ojemann@Sun.COM IPF_TTLVAL(30), /* 30 seconds */
3118170SJohn.Ojemann@Sun.COM IPF_TTLVAL(1800), /* 30 minutes */
3128170SJohn.Ojemann@Sun.COM IPF_TTLVAL(43200), /* 12 hours */
3138170SJohn.Ojemann@Sun.COM IPF_TTLVAL(345600), /* 4 days */
3148170SJohn.Ojemann@Sun.COM };
3158170SJohn.Ojemann@Sun.COM
3168170SJohn.Ojemann@Sun.COM
3178170SJohn.Ojemann@Sun.COM /*
3182393Syz155240 * The next section of code is a a collection of small routines that set
3192393Syz155240 * fields in the fr_info_t structure passed based on properties of the
3202393Syz155240 * current packet. There are different routines for the same protocol
3212393Syz155240 * for each of IPv4 and IPv6. Adding a new protocol, for which there
3222393Syz155240 * will "special" inspection for setup, is now more easily done by adding
3232393Syz155240 * a new routine and expanding the frpr_ipinit*() function rather than by
3242393Syz155240 * adding more code to a growing switch statement.
3252393Syz155240 */
3262393Syz155240 #ifdef USE_INET6
3272393Syz155240 static INLINE int frpr_ah6 __P((fr_info_t *));
3282393Syz155240 static INLINE void frpr_esp6 __P((fr_info_t *));
3292393Syz155240 static INLINE void frpr_gre6 __P((fr_info_t *));
3302393Syz155240 static INLINE void frpr_udp6 __P((fr_info_t *));
3312393Syz155240 static INLINE void frpr_tcp6 __P((fr_info_t *));
3322393Syz155240 static INLINE void frpr_icmp6 __P((fr_info_t *));
3338624SDarren.Reed@Sun.COM static INLINE void frpr_ipv6hdr __P((fr_info_t *));
3342393Syz155240 static INLINE void frpr_short6 __P((fr_info_t *, int));
3352393Syz155240 static INLINE int frpr_hopopts6 __P((fr_info_t *));
3362393Syz155240 static INLINE int frpr_routing6 __P((fr_info_t *));
3372393Syz155240 static INLINE int frpr_dstopts6 __P((fr_info_t *));
3382393Syz155240 static INLINE int frpr_fragment6 __P((fr_info_t *));
3392393Syz155240 static INLINE int frpr_ipv6exthdr __P((fr_info_t *, int, int));
3402393Syz155240
3412393Syz155240
3422393Syz155240 /* ------------------------------------------------------------------------ */
3432393Syz155240 /* Function: frpr_short6 */
3442393Syz155240 /* Returns: void */
3452393Syz155240 /* Parameters: fin(I) - pointer to packet information */
3462393Syz155240 /* */
3472393Syz155240 /* IPv6 Only */
3482393Syz155240 /* This is function enforces the 'is a packet too short to be legit' rule */
3492393Syz155240 /* for IPv6 and marks the packet with FI_SHORT if so. See function comment */
3502393Syz155240 /* for frpr_short() for more details. */
3512393Syz155240 /* ------------------------------------------------------------------------ */
frpr_short6(fin,xmin)3522393Syz155240 static INLINE void frpr_short6(fin, xmin)
3532393Syz155240 fr_info_t *fin;
3542393Syz155240 int xmin;
3552393Syz155240 {
3562393Syz155240
3572393Syz155240 if (fin->fin_dlen < xmin)
3582393Syz155240 fin->fin_flx |= FI_SHORT;
3592393Syz155240 }
3602393Syz155240
3612393Syz155240
3622393Syz155240 /* ------------------------------------------------------------------------ */
3632393Syz155240 /* Function: frpr_ipv6hdr */
3648624SDarren.Reed@Sun.COM /* Returns: Nil */
3652393Syz155240 /* Parameters: fin(I) - pointer to packet information */
3662393Syz155240 /* */
3672393Syz155240 /* IPv6 Only */
3682393Syz155240 /* Copy values from the IPv6 header into the fr_info_t struct and call the */
3692393Syz155240 /* per-protocol analyzer if it exists. */
3702393Syz155240 /* ------------------------------------------------------------------------ */
frpr_ipv6hdr(fin)3718624SDarren.Reed@Sun.COM static INLINE void frpr_ipv6hdr(fin)
3722393Syz155240 fr_info_t *fin;
3732393Syz155240 {
3742393Syz155240 ip6_t *ip6 = (ip6_t *)fin->fin_ip;
3752393Syz155240 int p, go = 1, i, hdrcount;
3762393Syz155240 fr_ip_t *fi = &fin->fin_fi;
3772393Syz155240
3782393Syz155240 fin->fin_off = 0;
3792393Syz155240
3802393Syz155240 fi->fi_tos = 0;
3812393Syz155240 fi->fi_optmsk = 0;
3822393Syz155240 fi->fi_secmsk = 0;
3832393Syz155240 fi->fi_auth = 0;
3842393Syz155240
3852393Syz155240 p = ip6->ip6_nxt;
3862393Syz155240 fi->fi_ttl = ip6->ip6_hlim;
3872393Syz155240 fi->fi_src.in6 = ip6->ip6_src;
3882393Syz155240 fi->fi_dst.in6 = ip6->ip6_dst;
3892393Syz155240 fin->fin_id = 0;
3902393Syz155240
3912393Syz155240 hdrcount = 0;
3922393Syz155240 while (go && !(fin->fin_flx & (FI_BAD|FI_SHORT))) {
3932393Syz155240 switch (p)
3942393Syz155240 {
3952393Syz155240 case IPPROTO_UDP :
3962393Syz155240 frpr_udp6(fin);
3972393Syz155240 go = 0;
3982393Syz155240 break;
3992393Syz155240
4002393Syz155240 case IPPROTO_TCP :
4012393Syz155240 frpr_tcp6(fin);
4022393Syz155240 go = 0;
4032393Syz155240 break;
4042393Syz155240
4052393Syz155240 case IPPROTO_ICMPV6 :
4062393Syz155240 frpr_icmp6(fin);
4072393Syz155240 go = 0;
4082393Syz155240 break;
4092393Syz155240
4102393Syz155240 case IPPROTO_GRE :
4112393Syz155240 frpr_gre6(fin);
4122393Syz155240 go = 0;
4132393Syz155240 break;
4142393Syz155240
4152393Syz155240 case IPPROTO_HOPOPTS :
4162393Syz155240 /*
4172393Syz155240 * hop by hop ext header is only allowed
4182393Syz155240 * right after IPv6 header.
4192393Syz155240 */
4202393Syz155240 if (hdrcount != 0) {
4212393Syz155240 fin->fin_flx |= FI_BAD;
4222393Syz155240 p = IPPROTO_NONE;
4232393Syz155240 } else {
4242393Syz155240 p = frpr_hopopts6(fin);
4252393Syz155240 }
4262393Syz155240 break;
4272393Syz155240
4282393Syz155240 case IPPROTO_DSTOPTS :
4292393Syz155240 p = frpr_dstopts6(fin);
4302393Syz155240 break;
4312393Syz155240
4322393Syz155240 case IPPROTO_ROUTING :
4332393Syz155240 p = frpr_routing6(fin);
4342393Syz155240 break;
4352393Syz155240
4362393Syz155240 case IPPROTO_AH :
4372393Syz155240 p = frpr_ah6(fin);
4382393Syz155240 break;
4392393Syz155240
4402393Syz155240 case IPPROTO_ESP :
4412393Syz155240 frpr_esp6(fin);
4422393Syz155240 go = 0;
4432393Syz155240 break;
4442393Syz155240
4452393Syz155240 case IPPROTO_IPV6 :
4462393Syz155240 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
4472393Syz155240 if (ip6exthdr[i].ol_val == p) {
4482393Syz155240 fin->fin_flx |= ip6exthdr[i].ol_bit;
4492393Syz155240 break;
4502393Syz155240 }
4512393Syz155240 go = 0;
4522393Syz155240 break;
4532393Syz155240
4542393Syz155240 case IPPROTO_NONE :
4552393Syz155240 go = 0;
4562393Syz155240 break;
4572393Syz155240
4582393Syz155240 case IPPROTO_FRAGMENT :
4592393Syz155240 p = frpr_fragment6(fin);
4602393Syz155240 if (fin->fin_off != 0) /* Not the first frag */
4612393Syz155240 go = 0;
4622393Syz155240 break;
4632393Syz155240
4642393Syz155240 default :
4652393Syz155240 go = 0;
4662393Syz155240 break;
4672393Syz155240 }
4682393Syz155240 hdrcount++;
4692393Syz155240
4702393Syz155240 /*
4712393Syz155240 * It is important to note that at this point, for the
4722393Syz155240 * extension headers (go != 0), the entire header may not have
4732393Syz155240 * been pulled up when the code gets to this point. This is
4742393Syz155240 * only done for "go != 0" because the other header handlers
4752393Syz155240 * will all pullup their complete header. The other indicator
4762393Syz155240 * of an incomplete packet is that this was just an extension
4772393Syz155240 * header.
4782393Syz155240 */
4792393Syz155240 if ((go != 0) && (p != IPPROTO_NONE) &&
4802393Syz155240 (frpr_pullup(fin, 0) == -1)) {
4812393Syz155240 p = IPPROTO_NONE;
4822393Syz155240 go = 0;
4832393Syz155240 }
4842393Syz155240 }
4852393Syz155240 fi->fi_p = p;
4862393Syz155240 }
4872393Syz155240
4882393Syz155240
4892393Syz155240 /* ------------------------------------------------------------------------ */
4902393Syz155240 /* Function: frpr_ipv6exthdr */
4912393Syz155240 /* Returns: int - value of the next header or IPPROTO_NONE if error */
4922393Syz155240 /* Parameters: fin(I) - pointer to packet information */
4932393Syz155240 /* multiple(I) - flag indicating yes/no if multiple occurances */
4942393Syz155240 /* of this extension header are allowed. */
4952393Syz155240 /* proto(I) - protocol number for this extension header */
4962393Syz155240 /* */
4972393Syz155240 /* IPv6 Only */
4989876SDarren.Reed@Sun.COM /* This function expects to find an IPv6 extension header at fin_dp. */
4999876SDarren.Reed@Sun.COM /* There must be at least 8 bytes of data at fin_dp for there to be a valid */
5009876SDarren.Reed@Sun.COM /* extension header present. If a good one is found, fin_dp is advanced to */
5019876SDarren.Reed@Sun.COM /* point at the first piece of data after the extension header, fin_exthdr */
5029876SDarren.Reed@Sun.COM /* points to the start of the extension header and the "protocol" of the */
5039876SDarren.Reed@Sun.COM /* *NEXT* header is returned. */
5042393Syz155240 /* ------------------------------------------------------------------------ */
frpr_ipv6exthdr(fin,multiple,proto)5052393Syz155240 static INLINE int frpr_ipv6exthdr(fin, multiple, proto)
5062393Syz155240 fr_info_t *fin;
5072393Syz155240 int multiple, proto;
5082393Syz155240 {
5092393Syz155240 struct ip6_ext *hdr;
5102393Syz155240 u_short shift;
5112393Syz155240 int i;
5122393Syz155240
5132393Syz155240 fin->fin_flx |= FI_V6EXTHDR;
5142393Syz155240
5152393Syz155240 /* 8 is default length of extension hdr */
5162393Syz155240 if ((fin->fin_dlen - 8) < 0) {
5172393Syz155240 fin->fin_flx |= FI_SHORT;
5182393Syz155240 return IPPROTO_NONE;
5192393Syz155240 }
5202393Syz155240
5212393Syz155240 if (frpr_pullup(fin, 8) == -1)
5222393Syz155240 return IPPROTO_NONE;
5232393Syz155240
5242393Syz155240 hdr = fin->fin_dp;
5252393Syz155240 shift = 8 + (hdr->ip6e_len << 3);
5262393Syz155240 if (shift > fin->fin_dlen) { /* Nasty extension header length? */
5272393Syz155240 fin->fin_flx |= FI_BAD;
5282393Syz155240 return IPPROTO_NONE;
5292393Syz155240 }
5302393Syz155240
5312393Syz155240 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
5322393Syz155240 if (ip6exthdr[i].ol_val == proto) {
5332393Syz155240 /*
5342393Syz155240 * Most IPv6 extension headers are only allowed once.
5352393Syz155240 */
5362393Syz155240 if ((multiple == 0) &&
5372393Syz155240 ((fin->fin_optmsk & ip6exthdr[i].ol_bit) != 0))
5382393Syz155240 fin->fin_flx |= FI_BAD;
5392393Syz155240 else
5402393Syz155240 fin->fin_optmsk |= ip6exthdr[i].ol_bit;
5412393Syz155240 break;
5422393Syz155240 }
5432393Syz155240
5442393Syz155240 fin->fin_dp = (char *)fin->fin_dp + shift;
5452393Syz155240 fin->fin_dlen -= shift;
5462393Syz155240
5472393Syz155240 return hdr->ip6e_nxt;
5482393Syz155240 }
5492393Syz155240
5502393Syz155240
5512393Syz155240 /* ------------------------------------------------------------------------ */
5522393Syz155240 /* Function: frpr_hopopts6 */
5532393Syz155240 /* Returns: int - value of the next header or IPPROTO_NONE if error */
5542393Syz155240 /* Parameters: fin(I) - pointer to packet information */
5552393Syz155240 /* */
5562393Syz155240 /* IPv6 Only */
5572393Syz155240 /* This is function checks pending hop by hop options extension header */
5582393Syz155240 /* ------------------------------------------------------------------------ */
frpr_hopopts6(fin)5592393Syz155240 static INLINE int frpr_hopopts6(fin)
5602393Syz155240 fr_info_t *fin;
5612393Syz155240 {
5622393Syz155240 return frpr_ipv6exthdr(fin, 0, IPPROTO_HOPOPTS);
5632393Syz155240 }
5642393Syz155240
5652393Syz155240
5662393Syz155240 /* ------------------------------------------------------------------------ */
5672393Syz155240 /* Function: frpr_routing6 */
5682393Syz155240 /* Returns: int - value of the next header or IPPROTO_NONE if error */
5692393Syz155240 /* Parameters: fin(I) - pointer to packet information */
5702393Syz155240 /* */
5712393Syz155240 /* IPv6 Only */
5722393Syz155240 /* This is function checks pending routing extension header */
5732393Syz155240 /* ------------------------------------------------------------------------ */
frpr_routing6(fin)5742393Syz155240 static INLINE int frpr_routing6(fin)
5752393Syz155240 fr_info_t *fin;
5762393Syz155240 {
5772393Syz155240 struct ip6_ext *hdr;
5782393Syz155240 int shift;
5792393Syz155240
5802393Syz155240 hdr = fin->fin_dp;
5812393Syz155240 if (frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING) == IPPROTO_NONE)
5822393Syz155240 return IPPROTO_NONE;
5832393Syz155240
5842393Syz155240 shift = 8 + (hdr->ip6e_len << 3);
5852393Syz155240 /*
5862393Syz155240 * Nasty extension header length?
5872393Syz155240 */
5882393Syz155240 if ((hdr->ip6e_len << 3) & 15) {
5892393Syz155240 fin->fin_flx |= FI_BAD;
5902393Syz155240 /*
5912393Syz155240 * Compensate for the changes made in frpr_ipv6exthdr()
5922393Syz155240 */
5932393Syz155240 fin->fin_dlen += shift;
5942393Syz155240 fin->fin_dp = (char *)fin->fin_dp - shift;
5952393Syz155240 return IPPROTO_NONE;
5962393Syz155240 }
5972393Syz155240
5982393Syz155240 return hdr->ip6e_nxt;
5992393Syz155240 }
6002393Syz155240
6012393Syz155240
6022393Syz155240 /* ------------------------------------------------------------------------ */
6032393Syz155240 /* Function: frpr_fragment6 */
6042393Syz155240 /* Returns: int - value of the next header or IPPROTO_NONE if error */
6052393Syz155240 /* Parameters: fin(I) - pointer to packet information */
6062393Syz155240 /* */
6072393Syz155240 /* IPv6 Only */
6082393Syz155240 /* Examine the IPv6 fragment header and extract fragment offset information.*/
6092393Syz155240 /* */
6102393Syz155240 /* We don't know where the transport layer header (or whatever is next is), */
6112393Syz155240 /* as it could be behind destination options (amongst others). Because */
6122393Syz155240 /* there is no fragment cache, there is no knowledge about whether or not an*/
6132393Syz155240 /* upper layer header has been seen (or where it ends) and thus we are not */
6142393Syz155240 /* able to continue processing beyond this header with any confidence. */
6152393Syz155240 /* ------------------------------------------------------------------------ */
frpr_fragment6(fin)6162393Syz155240 static INLINE int frpr_fragment6(fin)
6172393Syz155240 fr_info_t *fin;
6182393Syz155240 {
6192393Syz155240 struct ip6_frag *frag;
6202393Syz155240
6212393Syz155240 fin->fin_flx |= FI_FRAG;
6222393Syz155240
6239876SDarren.Reed@Sun.COM /*
6249876SDarren.Reed@Sun.COM * A fragmented IPv6 packet implies that there must be something
6259876SDarren.Reed@Sun.COM * else after the fragment.
6269876SDarren.Reed@Sun.COM */
6272393Syz155240 if (frpr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT) == IPPROTO_NONE)
62811043SDarren.Reed@Sun.COM return IPPROTO_NONE;
6292393Syz155240
6302393Syz155240 frag = (struct ip6_frag *)((char *)fin->fin_dp - sizeof(*frag));
63111043SDarren.Reed@Sun.COM
6322393Syz155240 /*
63311043SDarren.Reed@Sun.COM * If this fragment isn't the last then the packet length must
63411043SDarren.Reed@Sun.COM * be a multiple of 8.
6352393Syz155240 */
63611043SDarren.Reed@Sun.COM if ((frag->ip6f_offlg & IP6F_MORE_FRAG) != 0) {
63711043SDarren.Reed@Sun.COM fin->fin_flx |= FI_MOREFRAG;
63811043SDarren.Reed@Sun.COM
63911043SDarren.Reed@Sun.COM if ((fin->fin_plen & 0x7) != 0)
64011043SDarren.Reed@Sun.COM fin->fin_flx |= FI_BAD;
64111043SDarren.Reed@Sun.COM }
6422393Syz155240
6432393Syz155240 fin->fin_id = frag->ip6f_ident;
6449876SDarren.Reed@Sun.COM fin->fin_off = ntohs(frag->ip6f_offlg & IP6F_OFF_MASK);
6459876SDarren.Reed@Sun.COM if (fin->fin_off != 0)
6469876SDarren.Reed@Sun.COM fin->fin_flx |= FI_FRAGBODY;
6479876SDarren.Reed@Sun.COM
6482393Syz155240 return frag->ip6f_nxt;
6492393Syz155240 }
6502393Syz155240
6512393Syz155240
6522393Syz155240 /* ------------------------------------------------------------------------ */
6532393Syz155240 /* Function: frpr_dstopts6 */
6542393Syz155240 /* Returns: int - value of the next header or IPPROTO_NONE if error */
6552393Syz155240 /* Parameters: fin(I) - pointer to packet information */
6562393Syz155240 /* nextheader(I) - stores next header value */
6572393Syz155240 /* */
6582393Syz155240 /* IPv6 Only */
6592393Syz155240 /* This is function checks pending destination options extension header */
6602393Syz155240 /* ------------------------------------------------------------------------ */
frpr_dstopts6(fin)6612393Syz155240 static INLINE int frpr_dstopts6(fin)
6622393Syz155240 fr_info_t *fin;
6632393Syz155240 {
6642393Syz155240 return frpr_ipv6exthdr(fin, 1, IPPROTO_DSTOPTS);
6652393Syz155240 }
6662393Syz155240
6672393Syz155240
6682393Syz155240 /* ------------------------------------------------------------------------ */
6692393Syz155240 /* Function: frpr_icmp6 */
6702393Syz155240 /* Returns: void */
6712393Syz155240 /* Parameters: fin(I) - pointer to packet information */
6722393Syz155240 /* */
6732393Syz155240 /* IPv6 Only */
6742393Syz155240 /* This routine is mainly concerned with determining the minimum valid size */
6752393Syz155240 /* for an ICMPv6 packet. */
6762393Syz155240 /* ------------------------------------------------------------------------ */
frpr_icmp6(fin)6772393Syz155240 static INLINE void frpr_icmp6(fin)
6782393Syz155240 fr_info_t *fin;
6792393Syz155240 {
6802393Syz155240 int minicmpsz = sizeof(struct icmp6_hdr);
6812393Syz155240 struct icmp6_hdr *icmp6;
6822393Syz155240
6832393Syz155240 if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN - sizeof(ip6_t)) == -1)
6842393Syz155240 return;
6852393Syz155240
6862393Syz155240 if (fin->fin_dlen > 1) {
6872393Syz155240 icmp6 = fin->fin_dp;
6882393Syz155240
6892393Syz155240 fin->fin_data[0] = *(u_short *)icmp6;
6902393Syz155240
6917176Syx160601 if ((icmp6->icmp6_type & ICMP6_INFOMSG_MASK) != 0)
6927176Syx160601 fin->fin_flx |= FI_ICMPQUERY;
6937176Syx160601
6942393Syz155240 switch (icmp6->icmp6_type)
6952393Syz155240 {
6962393Syz155240 case ICMP6_ECHO_REPLY :
6972393Syz155240 case ICMP6_ECHO_REQUEST :
6987176Syx160601 if (fin->fin_dlen >= 6)
6997176Syx160601 fin->fin_data[1] = icmp6->icmp6_id;
7002393Syz155240 minicmpsz = ICMP6ERR_MINPKTLEN - sizeof(ip6_t);
7012393Syz155240 break;
7022393Syz155240 case ICMP6_DST_UNREACH :
7032393Syz155240 case ICMP6_PACKET_TOO_BIG :
7042393Syz155240 case ICMP6_TIME_EXCEEDED :
7052393Syz155240 case ICMP6_PARAM_PROB :
7062393Syz155240 if ((fin->fin_m != NULL) &&
7072393Syz155240 (M_LEN(fin->fin_m) < fin->fin_plen)) {
7082393Syz155240 if (fr_coalesce(fin) != 1)
7092393Syz155240 return;
7102393Syz155240 }
7112393Syz155240 fin->fin_flx |= FI_ICMPERR;
7122393Syz155240 minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
7132393Syz155240 break;
7142393Syz155240 default :
7152393Syz155240 break;
7162393Syz155240 }
7172393Syz155240 }
7182393Syz155240
7192393Syz155240 frpr_short6(fin, minicmpsz);
7202393Syz155240 }
7212393Syz155240
7222393Syz155240
7232393Syz155240 /* ------------------------------------------------------------------------ */
7242393Syz155240 /* Function: frpr_udp6 */
7252393Syz155240 /* Returns: void */
7262393Syz155240 /* Parameters: fin(I) - pointer to packet information */
7272393Syz155240 /* */
7282393Syz155240 /* IPv6 Only */
7292393Syz155240 /* Analyse the packet for IPv6/UDP properties. */
7302393Syz155240 /* Is not expected to be called for fragmented packets. */
7312393Syz155240 /* ------------------------------------------------------------------------ */
frpr_udp6(fin)7322393Syz155240 static INLINE void frpr_udp6(fin)
7332393Syz155240 fr_info_t *fin;
7342393Syz155240 {
7352393Syz155240
7362393Syz155240 fr_checkv6sum(fin);
7372393Syz155240
7382393Syz155240 frpr_short6(fin, sizeof(struct udphdr));
7392393Syz155240 if (frpr_pullup(fin, sizeof(struct udphdr)) == -1)
7402393Syz155240 return;
7412393Syz155240
7422393Syz155240 frpr_udpcommon(fin);
7432393Syz155240 }
7442393Syz155240
7452393Syz155240
7462393Syz155240 /* ------------------------------------------------------------------------ */
7472393Syz155240 /* Function: frpr_tcp6 */
7482393Syz155240 /* Returns: void */
7492393Syz155240 /* Parameters: fin(I) - pointer to packet information */
7502393Syz155240 /* */
7512393Syz155240 /* IPv6 Only */
7522393Syz155240 /* Analyse the packet for IPv6/TCP properties. */
7532393Syz155240 /* Is not expected to be called for fragmented packets. */
7542393Syz155240 /* ------------------------------------------------------------------------ */
frpr_tcp6(fin)7552393Syz155240 static INLINE void frpr_tcp6(fin)
7562393Syz155240 fr_info_t *fin;
7572393Syz155240 {
7582393Syz155240
7592393Syz155240 fr_checkv6sum(fin);
7602393Syz155240
7612393Syz155240 frpr_short6(fin, sizeof(struct tcphdr));
7622393Syz155240 if (frpr_pullup(fin, sizeof(struct tcphdr)) == -1)
7632393Syz155240 return;
7642393Syz155240
7652393Syz155240 frpr_tcpcommon(fin);
7662393Syz155240 }
7672393Syz155240
7682393Syz155240
7692393Syz155240 /* ------------------------------------------------------------------------ */
7702393Syz155240 /* Function: frpr_esp6 */
7712393Syz155240 /* Returns: void */
7722393Syz155240 /* Parameters: fin(I) - pointer to packet information */
7732393Syz155240 /* */
7742393Syz155240 /* IPv6 Only */
7752393Syz155240 /* Analyse the packet for ESP properties. */
7762393Syz155240 /* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
7772393Syz155240 /* even though the newer ESP packets must also have a sequence number that */
7782393Syz155240 /* is 32bits as well, it is not possible(?) to determine the version from a */
7792393Syz155240 /* simple packet header. */
7802393Syz155240 /* ------------------------------------------------------------------------ */
frpr_esp6(fin)7812393Syz155240 static INLINE void frpr_esp6(fin)
7822393Syz155240 fr_info_t *fin;
7832393Syz155240 {
7842393Syz155240 int i;
7852393Syz155240 frpr_short6(fin, sizeof(grehdr_t));
7862393Syz155240
7872393Syz155240 (void) frpr_pullup(fin, 8);
7882393Syz155240
7892393Syz155240 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
7902393Syz155240 if (ip6exthdr[i].ol_val == IPPROTO_ESP) {
7912393Syz155240 fin->fin_optmsk |= ip6exthdr[i].ol_bit;
7922393Syz155240 break;
7932393Syz155240 }
7942393Syz155240 }
7952393Syz155240
7962393Syz155240
7972393Syz155240 /* ------------------------------------------------------------------------ */
7982393Syz155240 /* Function: frpr_ah6 */
7992393Syz155240 /* Returns: void */
8002393Syz155240 /* Parameters: fin(I) - pointer to packet information */
8012393Syz155240 /* */
8022393Syz155240 /* IPv6 Only */
8032393Syz155240 /* Analyse the packet for AH properties. */
8042393Syz155240 /* The minimum length is taken to be the combination of all fields in the */
8052393Syz155240 /* header being present and no authentication data (null algorithm used.) */
8062393Syz155240 /* ------------------------------------------------------------------------ */
frpr_ah6(fin)8072393Syz155240 static INLINE int frpr_ah6(fin)
8082393Syz155240 fr_info_t *fin;
8092393Syz155240 {
8102393Syz155240 authhdr_t *ah;
8112393Syz155240 int i, shift;
8122393Syz155240
8132393Syz155240 frpr_short6(fin, 12);
8142393Syz155240
8152393Syz155240 if (frpr_pullup(fin, sizeof(*ah)) == -1)
8162393Syz155240 return IPPROTO_NONE;
8172393Syz155240
8182393Syz155240 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
8192393Syz155240 if (ip6exthdr[i].ol_val == IPPROTO_AH) {
8202393Syz155240 fin->fin_optmsk |= ip6exthdr[i].ol_bit;
8212393Syz155240 break;
8222393Syz155240 }
8232393Syz155240
8242393Syz155240 ah = (authhdr_t *)fin->fin_dp;
8252393Syz155240
8262393Syz155240 shift = (ah->ah_plen + 2) * 4;
8272393Syz155240 fin->fin_dlen -= shift;
8282393Syz155240 fin->fin_dp = (char*)fin->fin_dp + shift;
8292393Syz155240
8302393Syz155240 return ah->ah_next;
8312393Syz155240 }
8322393Syz155240
8332393Syz155240
8342393Syz155240 /* ------------------------------------------------------------------------ */
8352393Syz155240 /* Function: frpr_gre6 */
8362393Syz155240 /* Returns: void */
8372393Syz155240 /* Parameters: fin(I) - pointer to packet information */
8382393Syz155240 /* */
8392393Syz155240 /* Analyse the packet for GRE properties. */
8402393Syz155240 /* ------------------------------------------------------------------------ */
frpr_gre6(fin)8412393Syz155240 static INLINE void frpr_gre6(fin)
8422393Syz155240 fr_info_t *fin;
8432393Syz155240 {
8442393Syz155240 grehdr_t *gre;
8452393Syz155240
8462393Syz155240 frpr_short6(fin, sizeof(grehdr_t));
8472393Syz155240
8482393Syz155240 if (frpr_pullup(fin, sizeof(grehdr_t)) == -1)
8492393Syz155240 return;
8502393Syz155240
8512393Syz155240 gre = fin->fin_dp;
8522393Syz155240 if (GRE_REV(gre->gr_flags) == 1)
8532393Syz155240 fin->fin_data[0] = gre->gr_call;
8542393Syz155240 }
8552393Syz155240 #endif /* USE_INET6 */
8562393Syz155240
8572393Syz155240
8582393Syz155240 /* ------------------------------------------------------------------------ */
8592393Syz155240 /* Function: frpr_pullup */
8602393Syz155240 /* Returns: int - 0 == pullup succeeded, -1 == failure */
8612393Syz155240 /* Parameters: fin(I) - pointer to packet information */
8622393Syz155240 /* plen(I) - length (excluding L3 header) to pullup */
8632393Syz155240 /* */
8642393Syz155240 /* Short inline function to cut down on code duplication to perform a call */
8652393Syz155240 /* to fr_pullup to ensure there is the required amount of data, */
8662393Syz155240 /* consecutively in the packet buffer. */
8672393Syz155240 /* ------------------------------------------------------------------------ */
frpr_pullup(fin,plen)8682393Syz155240 static INLINE int frpr_pullup(fin, plen)
8692393Syz155240 fr_info_t *fin;
8702393Syz155240 int plen;
8712393Syz155240 {
8722393Syz155240 #if defined(_KERNEL)
8732393Syz155240 if (fin->fin_m != NULL) {
8747704SAlexandr.Nedvedicky@Sun.COM int ipoff;
8757704SAlexandr.Nedvedicky@Sun.COM
8767704SAlexandr.Nedvedicky@Sun.COM ipoff = (char *)fin->fin_ip - MTOD(fin->fin_m, char *);
8777704SAlexandr.Nedvedicky@Sun.COM
8782393Syz155240 if (fin->fin_dp != NULL)
8792393Syz155240 plen += (char *)fin->fin_dp -
8802393Syz155240 ((char *)fin->fin_ip + fin->fin_hlen);
8817704SAlexandr.Nedvedicky@Sun.COM plen += fin->fin_hlen;
8827704SAlexandr.Nedvedicky@Sun.COM /*
8837704SAlexandr.Nedvedicky@Sun.COM * We don't do 'plen += ipoff;' here. The fr_pullup() will
8847704SAlexandr.Nedvedicky@Sun.COM * do it for us.
8857704SAlexandr.Nedvedicky@Sun.COM */
8867704SAlexandr.Nedvedicky@Sun.COM if (M_LEN(fin->fin_m) < plen + ipoff) {
8872393Syz155240 if (fr_pullup(fin->fin_m, fin, plen) == NULL)
8882393Syz155240 return -1;
8892393Syz155240 }
8902393Syz155240 }
8912393Syz155240 #endif
8922393Syz155240 return 0;
8932393Syz155240 }
8942393Syz155240
8952393Syz155240
8962393Syz155240 /* ------------------------------------------------------------------------ */
8972393Syz155240 /* Function: frpr_short */
8982393Syz155240 /* Returns: void */
8992393Syz155240 /* Parameters: fin(I) - pointer to packet information */
9002393Syz155240 /* xmin(I) - minimum header size */
9012393Syz155240 /* */
9022393Syz155240 /* Check if a packet is "short" as defined by xmin. The rule we are */
9032393Syz155240 /* applying here is that the packet must not be fragmented within the layer */
9042393Syz155240 /* 4 header. That is, it must not be a fragment that has its offset set to */
9052393Syz155240 /* start within the layer 4 header (hdrmin) or if it is at offset 0, the */
9062393Syz155240 /* entire layer 4 header must be present (min). */
9072393Syz155240 /* ------------------------------------------------------------------------ */
frpr_short(fin,xmin)9082393Syz155240 static INLINE void frpr_short(fin, xmin)
9092393Syz155240 fr_info_t *fin;
9102393Syz155240 int xmin;
9112393Syz155240 {
9122393Syz155240
9132393Syz155240 if (fin->fin_off == 0) {
9142393Syz155240 if (fin->fin_dlen < xmin)
9152393Syz155240 fin->fin_flx |= FI_SHORT;
9162393Syz155240 } else if (fin->fin_off < xmin) {
9172393Syz155240 fin->fin_flx |= FI_SHORT;
9182393Syz155240 }
9192393Syz155240 }
9202393Syz155240
9212393Syz155240
9222393Syz155240 /* ------------------------------------------------------------------------ */
9232393Syz155240 /* Function: frpr_icmp */
9242393Syz155240 /* Returns: void */
9252393Syz155240 /* Parameters: fin(I) - pointer to packet information */
9262393Syz155240 /* */
9272393Syz155240 /* IPv4 Only */
9282393Syz155240 /* Do a sanity check on the packet for ICMP (v4). In nearly all cases, */
9292393Syz155240 /* except extrememly bad packets, both type and code will be present. */
9302393Syz155240 /* The expected minimum size of an ICMP packet is very much dependent on */
9312393Syz155240 /* the type of it. */
9322393Syz155240 /* */
9332393Syz155240 /* XXX - other ICMP sanity checks? */
9342393Syz155240 /* ------------------------------------------------------------------------ */
frpr_icmp(fin)9352393Syz155240 static INLINE void frpr_icmp(fin)
9362393Syz155240 fr_info_t *fin;
9372393Syz155240 {
9382393Syz155240 int minicmpsz = sizeof(struct icmp);
9392393Syz155240 icmphdr_t *icmp;
9402393Syz155240 ip_t *oip;
9413448Sdh155122 ipf_stack_t *ifs = fin->fin_ifs;
9422393Syz155240
9432393Syz155240 if (fin->fin_off != 0) {
9442393Syz155240 frpr_short(fin, ICMPERR_ICMPHLEN);
9452393Syz155240 return;
9462393Syz155240 }
9472393Syz155240
9482393Syz155240 if (frpr_pullup(fin, ICMPERR_ICMPHLEN) == -1)
9492393Syz155240 return;
9502393Syz155240
9512393Syz155240 fr_checkv4sum(fin);
9522393Syz155240
9539029SAlexandr.Nedvedicky@Sun.COM /*
9549029SAlexandr.Nedvedicky@Sun.COM * This is a right place to set icmp pointer, since the memory
9559029SAlexandr.Nedvedicky@Sun.COM * referenced by fin_dp could get reallocated. The code down below can
9569029SAlexandr.Nedvedicky@Sun.COM * rely on fact icmp variable always points to ICMP header.
9579029SAlexandr.Nedvedicky@Sun.COM */
9589029SAlexandr.Nedvedicky@Sun.COM icmp = fin->fin_dp;
9599029SAlexandr.Nedvedicky@Sun.COM fin->fin_data[0] = *(u_short *)icmp;
9609029SAlexandr.Nedvedicky@Sun.COM fin->fin_data[1] = icmp->icmp_id;
9619029SAlexandr.Nedvedicky@Sun.COM
9629029SAlexandr.Nedvedicky@Sun.COM switch (icmp->icmp_type)
9639029SAlexandr.Nedvedicky@Sun.COM {
9649029SAlexandr.Nedvedicky@Sun.COM case ICMP_ECHOREPLY :
9659029SAlexandr.Nedvedicky@Sun.COM case ICMP_ECHO :
9669029SAlexandr.Nedvedicky@Sun.COM /* Router discovery messaes - RFC 1256 */
9679029SAlexandr.Nedvedicky@Sun.COM case ICMP_ROUTERADVERT :
9689029SAlexandr.Nedvedicky@Sun.COM case ICMP_ROUTERSOLICIT :
9699029SAlexandr.Nedvedicky@Sun.COM minicmpsz = ICMP_MINLEN;
9709029SAlexandr.Nedvedicky@Sun.COM break;
9719029SAlexandr.Nedvedicky@Sun.COM /*
9729029SAlexandr.Nedvedicky@Sun.COM * type(1) + code(1) + cksum(2) + id(2) seq(2) +
9739029SAlexandr.Nedvedicky@Sun.COM * 3 * timestamp(3 * 4)
9749029SAlexandr.Nedvedicky@Sun.COM */
9759029SAlexandr.Nedvedicky@Sun.COM case ICMP_TSTAMP :
9769029SAlexandr.Nedvedicky@Sun.COM case ICMP_TSTAMPREPLY :
9779029SAlexandr.Nedvedicky@Sun.COM minicmpsz = 20;
9789029SAlexandr.Nedvedicky@Sun.COM break;
9799029SAlexandr.Nedvedicky@Sun.COM /*
9809029SAlexandr.Nedvedicky@Sun.COM * type(1) + code(1) + cksum(2) + id(2) seq(2) +
9819029SAlexandr.Nedvedicky@Sun.COM * mask(4)
9829029SAlexandr.Nedvedicky@Sun.COM */
9839029SAlexandr.Nedvedicky@Sun.COM case ICMP_MASKREQ :
9849029SAlexandr.Nedvedicky@Sun.COM case ICMP_MASKREPLY :
9852393Syz155240 minicmpsz = 12;
9862393Syz155240 break;
9879029SAlexandr.Nedvedicky@Sun.COM /*
9889029SAlexandr.Nedvedicky@Sun.COM * type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+)
9899029SAlexandr.Nedvedicky@Sun.COM */
9909029SAlexandr.Nedvedicky@Sun.COM case ICMP_UNREACH :
9919029SAlexandr.Nedvedicky@Sun.COM if (icmp->icmp_code == ICMP_UNREACH_NEEDFRAG) {
9929029SAlexandr.Nedvedicky@Sun.COM if (icmp->icmp_nextmtu < ifs->ifs_fr_icmpminfragmtu)
9939029SAlexandr.Nedvedicky@Sun.COM fin->fin_flx |= FI_BAD;
9949029SAlexandr.Nedvedicky@Sun.COM }
9959029SAlexandr.Nedvedicky@Sun.COM /* FALLTHRU */
9969029SAlexandr.Nedvedicky@Sun.COM case ICMP_SOURCEQUENCH :
9979029SAlexandr.Nedvedicky@Sun.COM case ICMP_REDIRECT :
9989029SAlexandr.Nedvedicky@Sun.COM case ICMP_TIMXCEED :
9999029SAlexandr.Nedvedicky@Sun.COM case ICMP_PARAMPROB :
10009029SAlexandr.Nedvedicky@Sun.COM fin->fin_flx |= FI_ICMPERR;
10019029SAlexandr.Nedvedicky@Sun.COM if (fr_coalesce(fin) != 1)
10029029SAlexandr.Nedvedicky@Sun.COM return;
10032393Syz155240 /*
10049029SAlexandr.Nedvedicky@Sun.COM * ICMP error packets should not be generated for IP
10059029SAlexandr.Nedvedicky@Sun.COM * packets that are a fragment that isn't the first
10069029SAlexandr.Nedvedicky@Sun.COM * fragment.
10072393Syz155240 */
10089029SAlexandr.Nedvedicky@Sun.COM oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN);
10099029SAlexandr.Nedvedicky@Sun.COM if ((ntohs(oip->ip_off) & IP_OFFMASK) != 0)
10109029SAlexandr.Nedvedicky@Sun.COM fin->fin_flx |= FI_BAD;
10119029SAlexandr.Nedvedicky@Sun.COM break;
10129029SAlexandr.Nedvedicky@Sun.COM default :
10139029SAlexandr.Nedvedicky@Sun.COM break;
10142393Syz155240 }
10152393Syz155240
10162393Syz155240 frpr_short(fin, minicmpsz);
10172393Syz155240 }
10182393Syz155240
10192393Syz155240
10202393Syz155240 /* ------------------------------------------------------------------------ */
10212393Syz155240 /* Function: frpr_tcpcommon */
10222393Syz155240 /* Returns: void */
10232393Syz155240 /* Parameters: fin(I) - pointer to packet information */
10242393Syz155240 /* */
10252393Syz155240 /* TCP header sanity checking. Look for bad combinations of TCP flags, */
10262393Syz155240 /* and make some checks with how they interact with other fields. */
10272393Syz155240 /* If compiled with IPFILTER_CKSUM, check to see if the TCP checksum is */
10282393Syz155240 /* valid and mark the packet as bad if not. */
10292393Syz155240 /* ------------------------------------------------------------------------ */
frpr_tcpcommon(fin)10302393Syz155240 static INLINE void frpr_tcpcommon(fin)
10312393Syz155240 fr_info_t *fin;
10322393Syz155240 {
10332393Syz155240 int flags, tlen;
10342393Syz155240 tcphdr_t *tcp;
10352393Syz155240
10362393Syz155240 fin->fin_flx |= FI_TCPUDP;
10372393Syz155240 if (fin->fin_off != 0)
10382393Syz155240 return;
10392393Syz155240
10402393Syz155240 if (frpr_pullup(fin, sizeof(*tcp)) == -1)
10412393Syz155240 return;
10422393Syz155240 tcp = fin->fin_dp;
10432393Syz155240
10442393Syz155240 if (fin->fin_dlen > 3) {
10452393Syz155240 fin->fin_sport = ntohs(tcp->th_sport);
10462393Syz155240 fin->fin_dport = ntohs(tcp->th_dport);
10472393Syz155240 }
10482393Syz155240
10492393Syz155240 if ((fin->fin_flx & FI_SHORT) != 0)
10502393Syz155240 return;
10512393Syz155240
10522393Syz155240 /*
10532393Syz155240 * Use of the TCP data offset *must* result in a value that is at
10542393Syz155240 * least the same size as the TCP header.
10552393Syz155240 */
10562393Syz155240 tlen = TCP_OFF(tcp) << 2;
10572393Syz155240 if (tlen < sizeof(tcphdr_t)) {
10582393Syz155240 fin->fin_flx |= FI_BAD;
10592393Syz155240 return;
10602393Syz155240 }
10612393Syz155240
10622393Syz155240 flags = tcp->th_flags;
10632393Syz155240 fin->fin_tcpf = tcp->th_flags;
10642393Syz155240
10652393Syz155240 /*
10662393Syz155240 * If the urgent flag is set, then the urgent pointer must
10672393Syz155240 * also be set and vice versa. Good TCP packets do not have
10682393Syz155240 * just one of these set.
10692393Syz155240 */
10702393Syz155240 if ((flags & TH_URG) != 0 && (tcp->th_urp == 0)) {
10712393Syz155240 fin->fin_flx |= FI_BAD;
10722393Syz155240 } else if ((flags & TH_URG) == 0 && (tcp->th_urp != 0)) {
10732393Syz155240 /* Ignore this case, it shows up in "real" traffic with */
10742393Syz155240 /* bogus values in the urgent pointer field. */
10752393Syz155240 flags = flags; /* LINT */
10762393Syz155240 } else if (((flags & (TH_SYN|TH_FIN)) != 0) &&
10772393Syz155240 ((flags & (TH_RST|TH_ACK)) == TH_RST)) {
10782393Syz155240 /* TH_FIN|TH_RST|TH_ACK seems to appear "naturally" */
10792393Syz155240 fin->fin_flx |= FI_BAD;
10802393Syz155240 } else if (!(flags & TH_ACK)) {
10812393Syz155240 /*
10822393Syz155240 * If the ack bit isn't set, then either the SYN or
10832393Syz155240 * RST bit must be set. If the SYN bit is set, then
10842393Syz155240 * we expect the ACK field to be 0. If the ACK is
10852393Syz155240 * not set and if URG, PSH or FIN are set, consdier
10862393Syz155240 * that to indicate a bad TCP packet.
10872393Syz155240 */
10882393Syz155240 if ((flags == TH_SYN) && (tcp->th_ack != 0)) {
10892393Syz155240 /*
10902393Syz155240 * Cisco PIX sets the ACK field to a random value.
10912393Syz155240 * In light of this, do not set FI_BAD until a patch
10922393Syz155240 * is available from Cisco to ensure that
10932393Syz155240 * interoperability between existing systems is
10942393Syz155240 * achieved.
10952393Syz155240 */
10962393Syz155240 /*fin->fin_flx |= FI_BAD*/;
10972393Syz155240 flags = flags; /* LINT */
10982393Syz155240 } else if (!(flags & (TH_RST|TH_SYN))) {
10992393Syz155240 fin->fin_flx |= FI_BAD;
11002393Syz155240 } else if ((flags & (TH_URG|TH_PUSH|TH_FIN)) != 0) {
11012393Syz155240 fin->fin_flx |= FI_BAD;
11022393Syz155240 }
11032393Syz155240 }
11042393Syz155240
11052393Syz155240 /*
11062393Syz155240 * At this point, it's not exactly clear what is to be gained by
11072393Syz155240 * marking up which TCP options are and are not present. The one we
11082393Syz155240 * are most interested in is the TCP window scale. This is only in
11092393Syz155240 * a SYN packet [RFC1323] so we don't need this here...?
11102393Syz155240 * Now if we were to analyse the header for passive fingerprinting,
11112393Syz155240 * then that might add some weight to adding this...
11122393Syz155240 */
11132393Syz155240 if (tlen == sizeof(tcphdr_t))
11142393Syz155240 return;
11152393Syz155240
11162393Syz155240 if (frpr_pullup(fin, tlen) == -1)
11172393Syz155240 return;
11182393Syz155240
11192393Syz155240 #if 0
11202393Syz155240 ip = fin->fin_ip;
11212393Syz155240 s = (u_char *)(tcp + 1);
11222393Syz155240 off = IP_HL(ip) << 2;
11232393Syz155240 # ifdef _KERNEL
11242393Syz155240 if (fin->fin_mp != NULL) {
11252393Syz155240 mb_t *m = *fin->fin_mp;
11262393Syz155240
11272393Syz155240 if (off + tlen > M_LEN(m))
11282393Syz155240 return;
11292393Syz155240 }
11302393Syz155240 # endif
11312393Syz155240 for (tlen -= (int)sizeof(*tcp); tlen > 0; ) {
11322393Syz155240 opt = *s;
11332393Syz155240 if (opt == '\0')
11342393Syz155240 break;
11352393Syz155240 else if (opt == TCPOPT_NOP)
11362393Syz155240 ol = 1;
11372393Syz155240 else {
11382393Syz155240 if (tlen < 2)
11392393Syz155240 break;
11402393Syz155240 ol = (int)*(s + 1);
11412393Syz155240 if (ol < 2 || ol > tlen)
11422393Syz155240 break;
11432393Syz155240 }
11442393Syz155240
11452393Syz155240 for (i = 9, mv = 4; mv >= 0; ) {
11462393Syz155240 op = ipopts + i;
11472393Syz155240 if (opt == (u_char)op->ol_val) {
11482393Syz155240 optmsk |= op->ol_bit;
11492393Syz155240 break;
11502393Syz155240 }
11512393Syz155240 }
11522393Syz155240 tlen -= ol;
11532393Syz155240 s += ol;
11542393Syz155240 }
11552393Syz155240 #endif /* 0 */
11562393Syz155240 }
11572393Syz155240
11582393Syz155240
11592393Syz155240
11602393Syz155240 /* ------------------------------------------------------------------------ */
11612393Syz155240 /* Function: frpr_udpcommon */
11622393Syz155240 /* Returns: void */
11632393Syz155240 /* Parameters: fin(I) - pointer to packet information */
11642393Syz155240 /* */
11652393Syz155240 /* Extract the UDP source and destination ports, if present. If compiled */
11662393Syz155240 /* with IPFILTER_CKSUM, check to see if the UDP checksum is valid. */
11672393Syz155240 /* ------------------------------------------------------------------------ */
frpr_udpcommon(fin)11682393Syz155240 static INLINE void frpr_udpcommon(fin)
11692393Syz155240 fr_info_t *fin;
11702393Syz155240 {
11712393Syz155240 udphdr_t *udp;
11722393Syz155240
11732393Syz155240 fin->fin_flx |= FI_TCPUDP;
11742393Syz155240
11752393Syz155240 if (!fin->fin_off && (fin->fin_dlen > 3)) {
11762393Syz155240 if (frpr_pullup(fin, sizeof(*udp)) == -1) {
11772393Syz155240 fin->fin_flx |= FI_SHORT;
11782393Syz155240 return;
11792393Syz155240 }
11802393Syz155240
11812393Syz155240 udp = fin->fin_dp;
11822393Syz155240
11832393Syz155240 fin->fin_sport = ntohs(udp->uh_sport);
11842393Syz155240 fin->fin_dport = ntohs(udp->uh_dport);
11852393Syz155240 }
11862393Syz155240 }
11872393Syz155240
11882393Syz155240
11892393Syz155240 /* ------------------------------------------------------------------------ */
11902393Syz155240 /* Function: frpr_tcp */
11912393Syz155240 /* Returns: void */
11922393Syz155240 /* Parameters: fin(I) - pointer to packet information */
11932393Syz155240 /* */
11942393Syz155240 /* IPv4 Only */
11952393Syz155240 /* Analyse the packet for IPv4/TCP properties. */
11962393Syz155240 /* ------------------------------------------------------------------------ */
frpr_tcp(fin)11972393Syz155240 static INLINE void frpr_tcp(fin)
11982393Syz155240 fr_info_t *fin;
11992393Syz155240 {
12002393Syz155240
12012393Syz155240 fr_checkv4sum(fin);
12022393Syz155240
12032393Syz155240 frpr_short(fin, sizeof(tcphdr_t));
12042393Syz155240
12052393Syz155240 frpr_tcpcommon(fin);
12062393Syz155240 }
12072393Syz155240
12082393Syz155240
12092393Syz155240 /* ------------------------------------------------------------------------ */
12102393Syz155240 /* Function: frpr_udp */
12112393Syz155240 /* Returns: void */
12122393Syz155240 /* Parameters: fin(I) - pointer to packet information */
12132393Syz155240 /* */
12142393Syz155240 /* IPv4 Only */
12152393Syz155240 /* Analyse the packet for IPv4/UDP properties. */
12162393Syz155240 /* ------------------------------------------------------------------------ */
frpr_udp(fin)12172393Syz155240 static INLINE void frpr_udp(fin)
12182393Syz155240 fr_info_t *fin;
12192393Syz155240 {
12202393Syz155240
12212393Syz155240 fr_checkv4sum(fin);
12222393Syz155240
12232393Syz155240 frpr_short(fin, sizeof(udphdr_t));
12242393Syz155240
12252393Syz155240 frpr_udpcommon(fin);
12262393Syz155240 }
12272393Syz155240
12282393Syz155240
12292393Syz155240 /* ------------------------------------------------------------------------ */
12302393Syz155240 /* Function: frpr_esp */
12312393Syz155240 /* Returns: void */
12322393Syz155240 /* Parameters: fin(I) - pointer to packet information */
12332393Syz155240 /* */
12342393Syz155240 /* Analyse the packet for ESP properties. */
12352393Syz155240 /* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
12362393Syz155240 /* even though the newer ESP packets must also have a sequence number that */
12372393Syz155240 /* is 32bits as well, it is not possible(?) to determine the version from a */
12382393Syz155240 /* simple packet header. */
12392393Syz155240 /* ------------------------------------------------------------------------ */
frpr_esp(fin)12402393Syz155240 static INLINE void frpr_esp(fin)
12412393Syz155240 fr_info_t *fin;
12422393Syz155240 {
12432393Syz155240 if ((fin->fin_off == 0) && (frpr_pullup(fin, 8) == -1))
12442393Syz155240 return;
12452393Syz155240
12462393Syz155240 frpr_short(fin, 8);
12472393Syz155240 }
12482393Syz155240
12492393Syz155240
12502393Syz155240 /* ------------------------------------------------------------------------ */
12512393Syz155240 /* Function: frpr_ah */
12522393Syz155240 /* Returns: void */
12532393Syz155240 /* Parameters: fin(I) - pointer to packet information */
12542393Syz155240 /* */
12552393Syz155240 /* Analyse the packet for AH properties. */
12562393Syz155240 /* The minimum length is taken to be the combination of all fields in the */
12572393Syz155240 /* header being present and no authentication data (null algorithm used.) */
12582393Syz155240 /* ------------------------------------------------------------------------ */
frpr_ah(fin)12592393Syz155240 static INLINE void frpr_ah(fin)
12602393Syz155240 fr_info_t *fin;
12612393Syz155240 {
12622393Syz155240 authhdr_t *ah;
12632393Syz155240 int len;
12642393Syz155240
12652393Syz155240 if ((fin->fin_off == 0) && (frpr_pullup(fin, sizeof(*ah)) == -1))
12662393Syz155240 return;
12672393Syz155240
12682393Syz155240 ah = (authhdr_t *)fin->fin_dp;
12692393Syz155240
12702393Syz155240 len = (ah->ah_plen + 2) << 2;
12712393Syz155240 frpr_short(fin, len);
12722393Syz155240 }
12732393Syz155240
12742393Syz155240
12752393Syz155240 /* ------------------------------------------------------------------------ */
12762393Syz155240 /* Function: frpr_gre */
12772393Syz155240 /* Returns: void */
12782393Syz155240 /* Parameters: fin(I) - pointer to packet information */
12792393Syz155240 /* */
12802393Syz155240 /* Analyse the packet for GRE properties. */
12812393Syz155240 /* ------------------------------------------------------------------------ */
frpr_gre(fin)12822393Syz155240 static INLINE void frpr_gre(fin)
12832393Syz155240 fr_info_t *fin;
12842393Syz155240 {
12852393Syz155240 grehdr_t *gre;
12862393Syz155240
12872393Syz155240 if ((fin->fin_off == 0) && (frpr_pullup(fin, sizeof(grehdr_t)) == -1))
12882393Syz155240 return;
12892393Syz155240
12902393Syz155240 frpr_short(fin, sizeof(grehdr_t));
12912393Syz155240
12922393Syz155240 if (fin->fin_off == 0) {
12932393Syz155240 gre = fin->fin_dp;
12942393Syz155240 if (GRE_REV(gre->gr_flags) == 1)
12952393Syz155240 fin->fin_data[0] = gre->gr_call;
12962393Syz155240 }
12972393Syz155240 }
12982393Syz155240
12992393Syz155240
13002393Syz155240 /* ------------------------------------------------------------------------ */
13012393Syz155240 /* Function: frpr_ipv4hdr */
13022393Syz155240 /* Returns: void */
13032393Syz155240 /* Parameters: fin(I) - pointer to packet information */
13042393Syz155240 /* */
13052393Syz155240 /* IPv4 Only */
13062393Syz155240 /* Analyze the IPv4 header and set fields in the fr_info_t structure. */
13072393Syz155240 /* Check all options present and flag their presence if any exist. */
13082393Syz155240 /* ------------------------------------------------------------------------ */
frpr_ipv4hdr(fin)13092393Syz155240 static INLINE void frpr_ipv4hdr(fin)
13102393Syz155240 fr_info_t *fin;
13112393Syz155240 {
13122393Syz155240 u_short optmsk = 0, secmsk = 0, auth = 0;
13132393Syz155240 int hlen, ol, mv, p, i;
13142393Syz155240 const struct optlist *op;
13152393Syz155240 u_char *s, opt;
13162393Syz155240 u_short off;
13172393Syz155240 fr_ip_t *fi;
13182393Syz155240 ip_t *ip;
13192393Syz155240
13202393Syz155240 fi = &fin->fin_fi;
13212393Syz155240 hlen = fin->fin_hlen;
13222393Syz155240
13232393Syz155240 ip = fin->fin_ip;
13242393Syz155240 p = ip->ip_p;
13252393Syz155240 fi->fi_p = p;
13262393Syz155240 fi->fi_tos = ip->ip_tos;
13272393Syz155240 fin->fin_id = ip->ip_id;
13282393Syz155240 off = ip->ip_off;
13292393Syz155240
13302393Syz155240 /* Get both TTL and protocol */
13312393Syz155240 fi->fi_p = ip->ip_p;
13322393Syz155240 fi->fi_ttl = ip->ip_ttl;
13332393Syz155240 #if 0
13342393Syz155240 (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
13352393Syz155240 #endif
13362393Syz155240
13372393Syz155240 /* Zero out bits not used in IPv6 address */
13382393Syz155240 fi->fi_src.i6[1] = 0;
13392393Syz155240 fi->fi_src.i6[2] = 0;
13402393Syz155240 fi->fi_src.i6[3] = 0;
13412393Syz155240 fi->fi_dst.i6[1] = 0;
13422393Syz155240 fi->fi_dst.i6[2] = 0;
13432393Syz155240 fi->fi_dst.i6[3] = 0;
13442393Syz155240
13452393Syz155240 fi->fi_saddr = ip->ip_src.s_addr;
13462393Syz155240 fi->fi_daddr = ip->ip_dst.s_addr;
13472393Syz155240
13482393Syz155240 /*
13492393Syz155240 * set packet attribute flags based on the offset and
13502393Syz155240 * calculate the byte offset that it represents.
13512393Syz155240 */
13522393Syz155240 off &= IP_MF|IP_OFFMASK;
13532393Syz155240 if (off != 0) {
13549876SDarren.Reed@Sun.COM int morefrag = off & IP_MF;
13559876SDarren.Reed@Sun.COM
13562393Syz155240 fi->fi_flx |= FI_FRAG;
13579876SDarren.Reed@Sun.COM if (morefrag)
13589876SDarren.Reed@Sun.COM fi->fi_flx |= FI_MOREFRAG;
13592393Syz155240 off &= IP_OFFMASK;
13602393Syz155240 if (off != 0) {
13612393Syz155240 fin->fin_flx |= FI_FRAGBODY;
13622393Syz155240 off <<= 3;
13632393Syz155240 if ((off + fin->fin_dlen > 65535) ||
13642393Syz155240 (fin->fin_dlen == 0) ||
13659876SDarren.Reed@Sun.COM ((morefrag != 0) && ((fin->fin_dlen & 7) != 0))) {
13662393Syz155240 /*
13672393Syz155240 * The length of the packet, starting at its
13682393Syz155240 * offset cannot exceed 65535 (0xffff) as the
13692393Syz155240 * length of an IP packet is only 16 bits.
13702393Syz155240 *
13712393Syz155240 * Any fragment that isn't the last fragment
13722393Syz155240 * must have a length greater than 0 and it
13732393Syz155240 * must be an even multiple of 8.
13742393Syz155240 */
13752393Syz155240 fi->fi_flx |= FI_BAD;
13762393Syz155240 }
13772393Syz155240 }
13782393Syz155240 }
13792393Syz155240 fin->fin_off = off;
13802393Syz155240
13812393Syz155240 /*
13822393Syz155240 * Call per-protocol setup and checking
13832393Syz155240 */
13842393Syz155240 switch (p)
13852393Syz155240 {
13862393Syz155240 case IPPROTO_UDP :
13872393Syz155240 frpr_udp(fin);
13882393Syz155240 break;
13892393Syz155240 case IPPROTO_TCP :
13902393Syz155240 frpr_tcp(fin);
13912393Syz155240 break;
13922393Syz155240 case IPPROTO_ICMP :
13932393Syz155240 frpr_icmp(fin);
13942393Syz155240 break;
13952393Syz155240 case IPPROTO_AH :
13962393Syz155240 frpr_ah(fin);
13972393Syz155240 break;
13982393Syz155240 case IPPROTO_ESP :
13992393Syz155240 frpr_esp(fin);
14002393Syz155240 break;
14012393Syz155240 case IPPROTO_GRE :
14022393Syz155240 frpr_gre(fin);
14032393Syz155240 break;
14042393Syz155240 }
14052393Syz155240
14062393Syz155240 ip = fin->fin_ip;
14072393Syz155240 if (ip == NULL)
14082393Syz155240 return;
14092393Syz155240
14102393Syz155240 /*
14112393Syz155240 * If it is a standard IP header (no options), set the flag fields
14122393Syz155240 * which relate to options to 0.
14132393Syz155240 */
14142393Syz155240 if (hlen == sizeof(*ip)) {
14152393Syz155240 fi->fi_optmsk = 0;
14162393Syz155240 fi->fi_secmsk = 0;
14172393Syz155240 fi->fi_auth = 0;
14182393Syz155240 return;
14192393Syz155240 }
14202393Syz155240
14212393Syz155240 /*
14222393Syz155240 * So the IP header has some IP options attached. Walk the entire
14232393Syz155240 * list of options present with this packet and set flags to indicate
14242393Syz155240 * which ones are here and which ones are not. For the somewhat out
14252393Syz155240 * of date and obscure security classification options, set a flag to
14262393Syz155240 * represent which classification is present.
14272393Syz155240 */
14282393Syz155240 fi->fi_flx |= FI_OPTIONS;
14292393Syz155240
14302393Syz155240 for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
14312393Syz155240 opt = *s;
14322393Syz155240 if (opt == '\0')
14332393Syz155240 break;
14342393Syz155240 else if (opt == IPOPT_NOP)
14352393Syz155240 ol = 1;
14362393Syz155240 else {
14372393Syz155240 if (hlen < 2)
14382393Syz155240 break;
14392393Syz155240 ol = (int)*(s + 1);
14402393Syz155240 if (ol < 2 || ol > hlen)
14412393Syz155240 break;
14422393Syz155240 }
14432393Syz155240 for (i = 9, mv = 4; mv >= 0; ) {
14442393Syz155240 op = ipopts + i;
14452393Syz155240 if ((opt == (u_char)op->ol_val) && (ol > 4)) {
14462393Syz155240 optmsk |= op->ol_bit;
14472393Syz155240 if (opt == IPOPT_SECURITY) {
14482393Syz155240 const struct optlist *sp;
14492393Syz155240 u_char sec;
14502393Syz155240 int j, m;
14512393Syz155240
14522393Syz155240 sec = *(s + 2); /* classification */
14532393Syz155240 for (j = 3, m = 2; m >= 0; ) {
14542393Syz155240 sp = secopt + j;
14552393Syz155240 if (sec == sp->ol_val) {
14562393Syz155240 secmsk |= sp->ol_bit;
14572393Syz155240 auth = *(s + 3);
14582393Syz155240 auth *= 256;
14592393Syz155240 auth += *(s + 4);
14602393Syz155240 break;
14612393Syz155240 }
14622393Syz155240 if (sec < sp->ol_val)
14632393Syz155240 j -= m;
14642393Syz155240 else
14652393Syz155240 j += m;
14662393Syz155240 m--;
14672393Syz155240 }
14682393Syz155240 }
14692393Syz155240 break;
14702393Syz155240 }
14712393Syz155240 if (opt < op->ol_val)
14722393Syz155240 i -= mv;
14732393Syz155240 else
14742393Syz155240 i += mv;
14752393Syz155240 mv--;
14762393Syz155240 }
14772393Syz155240 hlen -= ol;
14782393Syz155240 s += ol;
14792393Syz155240 }
14802393Syz155240
14812393Syz155240 /*
14822393Syz155240 *
14832393Syz155240 */
14842393Syz155240 if (auth && !(auth & 0x0100))
14852393Syz155240 auth &= 0xff00;
14862393Syz155240 fi->fi_optmsk = optmsk;
14872393Syz155240 fi->fi_secmsk = secmsk;
14882393Syz155240 fi->fi_auth = auth;
14892393Syz155240 }
14902393Syz155240
14912393Syz155240
14922393Syz155240 /* ------------------------------------------------------------------------ */
14932393Syz155240 /* Function: fr_makefrip */
14942393Syz155240 /* Returns: int - 1 == hdr checking error, 0 == OK */
14952393Syz155240 /* Parameters: hlen(I) - length of IP packet header */
14962393Syz155240 /* ip(I) - pointer to the IP header */
14972393Syz155240 /* fin(IO) - pointer to packet information */
14982393Syz155240 /* */
14992393Syz155240 /* Compact the IP header into a structure which contains just the info. */
15002393Syz155240 /* which is useful for comparing IP headers with and store this information */
15012393Syz155240 /* in the fr_info_t structure pointer to by fin. At present, it is assumed */
15022393Syz155240 /* this function will be called with either an IPv4 or IPv6 packet. */
15032393Syz155240 /* ------------------------------------------------------------------------ */
fr_makefrip(hlen,ip,fin)15042393Syz155240 int fr_makefrip(hlen, ip, fin)
15052393Syz155240 int hlen;
15062393Syz155240 ip_t *ip;
15072393Syz155240 fr_info_t *fin;
15082393Syz155240 {
15092393Syz155240 int v;
15102393Syz155240
15112393Syz155240 fin->fin_depth = 0;
15122393Syz155240 fin->fin_hlen = (u_short)hlen;
15132393Syz155240 fin->fin_ip = ip;
15142393Syz155240 fin->fin_rule = 0xffffffff;
15152393Syz155240 fin->fin_group[0] = -1;
15162393Syz155240 fin->fin_group[1] = '\0';
15172393Syz155240 fin->fin_dlen = fin->fin_plen - hlen;
15182393Syz155240 fin->fin_dp = (char *)ip + hlen;
15192393Syz155240
15202393Syz155240 v = fin->fin_v;
15212393Syz155240 if (v == 4)
15222393Syz155240 frpr_ipv4hdr(fin);
15232393Syz155240 #ifdef USE_INET6
15248624SDarren.Reed@Sun.COM else if (v == 6)
15258624SDarren.Reed@Sun.COM frpr_ipv6hdr(fin);
15262393Syz155240 #endif
15272393Syz155240 if (fin->fin_ip == NULL)
15282393Syz155240 return -1;
15292393Syz155240 return 0;
15302393Syz155240 }
15312393Syz155240
15322393Syz155240
15332393Syz155240 /* ------------------------------------------------------------------------ */
15342393Syz155240 /* Function: fr_portcheck */
15352393Syz155240 /* Returns: int - 1 == port matched, 0 == port match failed */
15362393Syz155240 /* Parameters: frp(I) - pointer to port check `expression' */
15372393Syz155240 /* pop(I) - pointer to port number to evaluate */
15382393Syz155240 /* */
15392393Syz155240 /* Perform a comparison of a port number against some other(s), using a */
15402393Syz155240 /* structure with compare information stored in it. */
15412393Syz155240 /* ------------------------------------------------------------------------ */
fr_portcheck(frp,pop)15422393Syz155240 static INLINE int fr_portcheck(frp, pop)
15432393Syz155240 frpcmp_t *frp;
15442393Syz155240 u_short *pop;
15452393Syz155240 {
15462393Syz155240 u_short tup, po;
15472393Syz155240 int err = 1;
15482393Syz155240
15492393Syz155240 tup = *pop;
15502393Syz155240 po = frp->frp_port;
15512393Syz155240
15522393Syz155240 /*
15532393Syz155240 * Do opposite test to that required and continue if that succeeds.
15542393Syz155240 */
15552393Syz155240 switch (frp->frp_cmp)
15562393Syz155240 {
15572393Syz155240 case FR_EQUAL :
15582393Syz155240 if (tup != po) /* EQUAL */
15592393Syz155240 err = 0;
15602393Syz155240 break;
15612393Syz155240 case FR_NEQUAL :
15622393Syz155240 if (tup == po) /* NOTEQUAL */
15632393Syz155240 err = 0;
15642393Syz155240 break;
15652393Syz155240 case FR_LESST :
15662393Syz155240 if (tup >= po) /* LESSTHAN */
15672393Syz155240 err = 0;
15682393Syz155240 break;
15692393Syz155240 case FR_GREATERT :
15702393Syz155240 if (tup <= po) /* GREATERTHAN */
15712393Syz155240 err = 0;
15722393Syz155240 break;
15732393Syz155240 case FR_LESSTE :
15742393Syz155240 if (tup > po) /* LT or EQ */
15752393Syz155240 err = 0;
15762393Syz155240 break;
15772393Syz155240 case FR_GREATERTE :
15782393Syz155240 if (tup < po) /* GT or EQ */
15792393Syz155240 err = 0;
15802393Syz155240 break;
15812393Syz155240 case FR_OUTRANGE :
15822393Syz155240 if (tup >= po && tup <= frp->frp_top) /* Out of range */
15832393Syz155240 err = 0;
15842393Syz155240 break;
15852393Syz155240 case FR_INRANGE :
15862393Syz155240 if (tup <= po || tup >= frp->frp_top) /* In range */
15872393Syz155240 err = 0;
15882393Syz155240 break;
15892393Syz155240 case FR_INCRANGE :
15902393Syz155240 if (tup < po || tup > frp->frp_top) /* Inclusive range */
15912393Syz155240 err = 0;
15922393Syz155240 break;
15932393Syz155240 default :
15942393Syz155240 break;
15952393Syz155240 }
15962393Syz155240 return err;
15972393Syz155240 }
15982393Syz155240
15992393Syz155240
16002393Syz155240 /* ------------------------------------------------------------------------ */
16012393Syz155240 /* Function: fr_tcpudpchk */
16022393Syz155240 /* Returns: int - 1 == protocol matched, 0 == check failed */
16032393Syz155240 /* Parameters: fin(I) - pointer to packet information */
16042393Syz155240 /* ft(I) - pointer to structure with comparison data */
16052393Syz155240 /* */
16062393Syz155240 /* Compares the current pcket (assuming it is TCP/UDP) information with a */
16072393Syz155240 /* structure containing information that we want to match against. */
16082393Syz155240 /* ------------------------------------------------------------------------ */
fr_tcpudpchk(fin,ft)16092393Syz155240 int fr_tcpudpchk(fin, ft)
16102393Syz155240 fr_info_t *fin;
16112393Syz155240 frtuc_t *ft;
16122393Syz155240 {
16132393Syz155240 int err = 1;
16142393Syz155240
16152393Syz155240 /*
16162393Syz155240 * Both ports should *always* be in the first fragment.
16172393Syz155240 * So far, I cannot find any cases where they can not be.
16182393Syz155240 *
16192393Syz155240 * compare destination ports
16202393Syz155240 */
16212393Syz155240 if (ft->ftu_dcmp)
16222393Syz155240 err = fr_portcheck(&ft->ftu_dst, &fin->fin_dport);
16232393Syz155240
16242393Syz155240 /*
16252393Syz155240 * compare source ports
16262393Syz155240 */
16272393Syz155240 if (err && ft->ftu_scmp)
16282393Syz155240 err = fr_portcheck(&ft->ftu_src, &fin->fin_sport);
16292393Syz155240
16302393Syz155240 /*
16312393Syz155240 * If we don't have all the TCP/UDP header, then how can we
16322393Syz155240 * expect to do any sort of match on it ? If we were looking for
16332393Syz155240 * TCP flags, then NO match. If not, then match (which should
16342393Syz155240 * satisfy the "short" class too).
16352393Syz155240 */
16362393Syz155240 if (err && (fin->fin_p == IPPROTO_TCP)) {
16372393Syz155240 if (fin->fin_flx & FI_SHORT)
16382393Syz155240 return !(ft->ftu_tcpf | ft->ftu_tcpfm);
16392393Syz155240 /*
16402393Syz155240 * Match the flags ? If not, abort this match.
16412393Syz155240 */
16422393Syz155240 if (ft->ftu_tcpfm &&
16432393Syz155240 ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
16442393Syz155240 FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
16452393Syz155240 ft->ftu_tcpfm, ft->ftu_tcpf));
16462393Syz155240 err = 0;
16472393Syz155240 }
16482393Syz155240 }
16492393Syz155240 return err;
16502393Syz155240 }
16512393Syz155240
16522393Syz155240
16532393Syz155240 /* ------------------------------------------------------------------------ */
16542393Syz155240 /* Function: fr_ipfcheck */
16552393Syz155240 /* Returns: int - 0 == match, 1 == no match */
16562393Syz155240 /* Parameters: fin(I) - pointer to packet information */
16572393Syz155240 /* fr(I) - pointer to filter rule */
16582393Syz155240 /* portcmp(I) - flag indicating whether to attempt matching on */
16592393Syz155240 /* TCP/UDP port data. */
16602393Syz155240 /* */
16612393Syz155240 /* Check to see if a packet matches an IPFilter rule. Checks of addresses, */
16622393Syz155240 /* port numbers, etc, for "standard" IPFilter rules are all orchestrated in */
16632393Syz155240 /* this function. */
16642393Syz155240 /* ------------------------------------------------------------------------ */
fr_ipfcheck(fin,fr,portcmp)16652393Syz155240 static INLINE int fr_ipfcheck(fin, fr, portcmp)
16662393Syz155240 fr_info_t *fin;
16672393Syz155240 frentry_t *fr;
16682393Syz155240 int portcmp;
16692393Syz155240 {
16702393Syz155240 u_32_t *ld, *lm, *lip;
16712393Syz155240 fripf_t *fri;
16722393Syz155240 fr_ip_t *fi;
16732393Syz155240 int i;
16743448Sdh155122 ipf_stack_t *ifs = fin->fin_ifs;
16752393Syz155240
16762393Syz155240 fi = &fin->fin_fi;
16772393Syz155240 fri = fr->fr_ipf;
16782393Syz155240 lip = (u_32_t *)fi;
16792393Syz155240 lm = (u_32_t *)&fri->fri_mip;
16802393Syz155240 ld = (u_32_t *)&fri->fri_ip;
16812393Syz155240
16822393Syz155240 /*
16832393Syz155240 * first 32 bits to check coversion:
16842393Syz155240 * IP version, TOS, TTL, protocol
16852393Syz155240 */
16862393Syz155240 i = ((*lip & *lm) != *ld);
16872393Syz155240 FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
16882393Syz155240 *lip, *lm, *ld));
16892393Syz155240 if (i)
16902393Syz155240 return 1;
16912393Syz155240
16922393Syz155240 /*
16932393Syz155240 * Next 32 bits is a constructed bitmask indicating which IP options
16942393Syz155240 * are present (if any) in this packet.
16952393Syz155240 */
16962393Syz155240 lip++, lm++, ld++;
16972393Syz155240 i |= ((*lip & *lm) != *ld);
16982393Syz155240 FR_DEBUG(("1. %#08x & %#08x != %#08x\n",
16992393Syz155240 *lip, *lm, *ld));
17002393Syz155240 if (i)
17012393Syz155240 return 1;
17022393Syz155240
17032393Syz155240 lip++, lm++, ld++;
17042393Syz155240 /*
17052393Syz155240 * Unrolled loops (4 each, for 32 bits) for address checks.
17062393Syz155240 */
17072393Syz155240 /*
17082393Syz155240 * Check the source address.
17092393Syz155240 */
17102393Syz155240 #ifdef IPFILTER_LOOKUP
17112393Syz155240 if (fr->fr_satype == FRI_LOOKUP) {
171212255SJohn.Ojemann@Oracle.COM fin->fin_flx |= FI_DONTCACHE;
171312255SJohn.Ojemann@Oracle.COM i = (*fr->fr_srcfunc)(fr->fr_srcptr, fi->fi_v, lip, fin, ifs);
17142393Syz155240 if (i == -1)
17152393Syz155240 return 1;
17162393Syz155240 lip += 3;
17172393Syz155240 lm += 3;
17182393Syz155240 ld += 3;
17192393Syz155240 } else {
17202393Syz155240 #endif
17212393Syz155240 i = ((*lip & *lm) != *ld);
17222393Syz155240 FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
17232393Syz155240 *lip, *lm, *ld));
17242393Syz155240 if (fi->fi_v == 6) {
17252393Syz155240 lip++, lm++, ld++;
17262393Syz155240 i |= ((*lip & *lm) != *ld);
17272393Syz155240 FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
17282393Syz155240 *lip, *lm, *ld));
17292393Syz155240 lip++, lm++, ld++;
17302393Syz155240 i |= ((*lip & *lm) != *ld);
17312393Syz155240 FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
17322393Syz155240 *lip, *lm, *ld));
17332393Syz155240 lip++, lm++, ld++;
17342393Syz155240 i |= ((*lip & *lm) != *ld);
17352393Syz155240 FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
17362393Syz155240 *lip, *lm, *ld));
17372393Syz155240 } else {
17382393Syz155240 lip += 3;
17392393Syz155240 lm += 3;
17402393Syz155240 ld += 3;
17412393Syz155240 }
17422393Syz155240 #ifdef IPFILTER_LOOKUP
17432393Syz155240 }
17442393Syz155240 #endif
17452393Syz155240 i ^= (fr->fr_flags & FR_NOTSRCIP) >> 6;
17462393Syz155240 if (i)
17472393Syz155240 return 1;
17482393Syz155240
17492393Syz155240 /*
17502393Syz155240 * Check the destination address.
17512393Syz155240 */
17522393Syz155240 lip++, lm++, ld++;
17532393Syz155240 #ifdef IPFILTER_LOOKUP
17542393Syz155240 if (fr->fr_datype == FRI_LOOKUP) {
175512255SJohn.Ojemann@Oracle.COM fin->fin_flx |= FI_DONTCACHE;
175612255SJohn.Ojemann@Oracle.COM i = (*fr->fr_dstfunc)(fr->fr_dstptr, fi->fi_v, lip, fin, ifs);
17572393Syz155240 if (i == -1)
17582393Syz155240 return 1;
17592393Syz155240 lip += 3;
17602393Syz155240 lm += 3;
17612393Syz155240 ld += 3;
17622393Syz155240 } else {
17632393Syz155240 #endif
17642393Syz155240 i = ((*lip & *lm) != *ld);
17652393Syz155240 FR_DEBUG(("3a. %#08x & %#08x != %#08x\n",
17662393Syz155240 *lip, *lm, *ld));
17672393Syz155240 if (fi->fi_v == 6) {
17682393Syz155240 lip++, lm++, ld++;
17692393Syz155240 i |= ((*lip & *lm) != *ld);
17702393Syz155240 FR_DEBUG(("3b. %#08x & %#08x != %#08x\n",
17712393Syz155240 *lip, *lm, *ld));
17722393Syz155240 lip++, lm++, ld++;
17732393Syz155240 i |= ((*lip & *lm) != *ld);
17742393Syz155240 FR_DEBUG(("3c. %#08x & %#08x != %#08x\n",
17752393Syz155240 *lip, *lm, *ld));
17762393Syz155240 lip++, lm++, ld++;
17772393Syz155240 i |= ((*lip & *lm) != *ld);
17782393Syz155240 FR_DEBUG(("3d. %#08x & %#08x != %#08x\n",
17792393Syz155240 *lip, *lm, *ld));
17802393Syz155240 } else {
17812393Syz155240 lip += 3;
17822393Syz155240 lm += 3;
17832393Syz155240 ld += 3;
17842393Syz155240 }
17852393Syz155240 #ifdef IPFILTER_LOOKUP
17862393Syz155240 }
17872393Syz155240 #endif
17882393Syz155240 i ^= (fr->fr_flags & FR_NOTDSTIP) >> 7;
17892393Syz155240 if (i)
17902393Syz155240 return 1;
17912393Syz155240 /*
17922393Syz155240 * IP addresses matched. The next 32bits contains:
17932393Syz155240 * mast of old IP header security & authentication bits.
17942393Syz155240 */
17952393Syz155240 lip++, lm++, ld++;
17962393Syz155240 i |= ((*lip & *lm) != *ld);
17972393Syz155240 FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
17982393Syz155240 *lip, *lm, *ld));
17992393Syz155240
18002393Syz155240 /*
18012393Syz155240 * Next we have 32 bits of packet flags.
18022393Syz155240 */
18032393Syz155240 lip++, lm++, ld++;
18042393Syz155240 i |= ((*lip & *lm) != *ld);
18052393Syz155240 FR_DEBUG(("5. %#08x & %#08x != %#08x\n",
18062393Syz155240 *lip, *lm, *ld));
18072393Syz155240
18082393Syz155240 if (i == 0) {
18092393Syz155240 /*
18102393Syz155240 * If a fragment, then only the first has what we're
18112393Syz155240 * looking for here...
18122393Syz155240 */
18132393Syz155240 if (portcmp) {
18142393Syz155240 if (!fr_tcpudpchk(fin, &fr->fr_tuc))
18152393Syz155240 i = 1;
18162393Syz155240 } else {
18172393Syz155240 if (fr->fr_dcmp || fr->fr_scmp ||
18182393Syz155240 fr->fr_tcpf || fr->fr_tcpfm)
18192393Syz155240 i = 1;
18202393Syz155240 if (fr->fr_icmpm || fr->fr_icmp) {
18212393Syz155240 if (((fi->fi_p != IPPROTO_ICMP) &&
18222393Syz155240 (fi->fi_p != IPPROTO_ICMPV6)) ||
18232393Syz155240 fin->fin_off || (fin->fin_dlen < 2))
18242393Syz155240 i = 1;
18252393Syz155240 else if ((fin->fin_data[0] & fr->fr_icmpm) !=
18262393Syz155240 fr->fr_icmp) {
18272393Syz155240 FR_DEBUG(("i. %#x & %#x != %#x\n",
18282393Syz155240 fin->fin_data[0],
18292393Syz155240 fr->fr_icmpm, fr->fr_icmp));
18302393Syz155240 i = 1;
18312393Syz155240 }
18322393Syz155240 }
18332393Syz155240 }
18342393Syz155240 }
18352393Syz155240 return i;
18362393Syz155240 }
18372393Syz155240
18382393Syz155240
18392393Syz155240 /* ------------------------------------------------------------------------ */
18402393Syz155240 /* Function: fr_scanlist */
18412393Syz155240 /* Returns: int - result flags of scanning filter list */
18422393Syz155240 /* Parameters: fin(I) - pointer to packet information */
18432393Syz155240 /* pass(I) - default result to return for filtering */
18442393Syz155240 /* */
18452393Syz155240 /* Check the input/output list of rules for a match to the current packet. */
18462393Syz155240 /* If a match is found, the value of fr_flags from the rule becomes the */
18472393Syz155240 /* return value and fin->fin_fr points to the matched rule. */
18482393Syz155240 /* */
18492393Syz155240 /* This function may be called recusively upto 16 times (limit inbuilt.) */
18502393Syz155240 /* When unwinding, it should finish up with fin_depth as 0. */
18512393Syz155240 /* */
18522393Syz155240 /* Could be per interface, but this gets real nasty when you don't have, */
18532393Syz155240 /* or can't easily change, the kernel source code to . */
18542393Syz155240 /* ------------------------------------------------------------------------ */
fr_scanlist(fin,pass)18552393Syz155240 int fr_scanlist(fin, pass)
18562393Syz155240 fr_info_t *fin;
18572393Syz155240 u_32_t pass;
18582393Syz155240 {
18592393Syz155240 int rulen, portcmp, off, logged, skip;
18602393Syz155240 struct frentry *fr, *fnext;
18612393Syz155240 u_32_t passt, passo;
18623448Sdh155122 ipf_stack_t *ifs = fin->fin_ifs;
18632393Syz155240
18642393Syz155240 /*
18652393Syz155240 * Do not allow nesting deeper than 16 levels.
18662393Syz155240 */
18672393Syz155240 if (fin->fin_depth >= 16)
18682393Syz155240 return pass;
18692393Syz155240
18702393Syz155240 fr = fin->fin_fr;
18712393Syz155240
18722393Syz155240 /*
18732393Syz155240 * If there are no rules in this list, return now.
18742393Syz155240 */
18752393Syz155240 if (fr == NULL)
18762393Syz155240 return pass;
18772393Syz155240
18782393Syz155240 skip = 0;
18792393Syz155240 logged = 0;
18802393Syz155240 portcmp = 0;
18812393Syz155240 fin->fin_depth++;
18822393Syz155240 fin->fin_fr = NULL;
18832393Syz155240 off = fin->fin_off;
18842393Syz155240
18852393Syz155240 if ((fin->fin_flx & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
18862393Syz155240 portcmp = 1;
18872393Syz155240
18882393Syz155240 for (rulen = 0; fr; fr = fnext, rulen++) {
18892393Syz155240 fnext = fr->fr_next;
18902393Syz155240 if (skip != 0) {
18912393Syz155240 FR_VERBOSE(("%d (%#x)\n", skip, fr->fr_flags));
18922393Syz155240 skip--;
18932393Syz155240 continue;
18942393Syz155240 }
18952393Syz155240
18962393Syz155240 /*
18972393Syz155240 * In all checks below, a null (zero) value in the
18982393Syz155240 * filter struture is taken to mean a wildcard.
18992393Syz155240 *
19002393Syz155240 * check that we are working for the right interface
19012393Syz155240 */
19022393Syz155240 #ifdef _KERNEL
19032393Syz155240 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
19042393Syz155240 continue;
19052393Syz155240 #else
19062393Syz155240 if (opts & (OPT_VERBOSE|OPT_DEBUG))
19072393Syz155240 printf("\n");
19082393Syz155240 FR_VERBOSE(("%c", FR_ISSKIP(pass) ? 's' :
19092393Syz155240 FR_ISPASS(pass) ? 'p' :
19102393Syz155240 FR_ISACCOUNT(pass) ? 'A' :
19112393Syz155240 FR_ISAUTH(pass) ? 'a' :
19122393Syz155240 (pass & FR_NOMATCH) ? 'n' :'b'));
19132393Syz155240 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
19142393Syz155240 continue;
19152393Syz155240 FR_VERBOSE((":i"));
19162393Syz155240 #endif
19172393Syz155240
19182393Syz155240 switch (fr->fr_type)
19192393Syz155240 {
19202393Syz155240 case FR_T_IPF :
19212393Syz155240 case FR_T_IPF|FR_T_BUILTIN :
19222393Syz155240 if (fr_ipfcheck(fin, fr, portcmp))
19232393Syz155240 continue;
19242393Syz155240 break;
19252393Syz155240 #if defined(IPFILTER_BPF)
19262393Syz155240 case FR_T_BPFOPC :
19272393Syz155240 case FR_T_BPFOPC|FR_T_BUILTIN :
19282393Syz155240 {
19292393Syz155240 u_char *mc;
19302393Syz155240
19312393Syz155240 if (*fin->fin_mp == NULL)
19322393Syz155240 continue;
19332393Syz155240 if (fin->fin_v != fr->fr_v)
19342393Syz155240 continue;
19352393Syz155240 mc = (u_char *)fin->fin_m;
19362393Syz155240 if (!bpf_filter(fr->fr_data, mc, fin->fin_plen, 0))
19372393Syz155240 continue;
19382393Syz155240 break;
19392393Syz155240 }
19402393Syz155240 #endif
19412393Syz155240 case FR_T_CALLFUNC|FR_T_BUILTIN :
19422393Syz155240 {
19432393Syz155240 frentry_t *f;
19442393Syz155240
19452393Syz155240 f = (*fr->fr_func)(fin, &pass);
19462393Syz155240 if (f != NULL)
19472393Syz155240 fr = f;
19482393Syz155240 else
19492393Syz155240 continue;
19502393Syz155240 break;
19512393Syz155240 }
19522393Syz155240 default :
19532393Syz155240 break;
19542393Syz155240 }
19552393Syz155240
19562393Syz155240 if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
19572393Syz155240 if (fin->fin_nattag == NULL)
19582393Syz155240 continue;
19592393Syz155240 if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) == 0)
19602393Syz155240 continue;
19612393Syz155240 }
19622393Syz155240 FR_VERBOSE(("=%s.%d *", fr->fr_group, rulen));
19632393Syz155240
19642393Syz155240 passt = fr->fr_flags;
19652393Syz155240
19662393Syz155240 /*
19672393Syz155240 * Allowing a rule with the "keep state" flag set to match
19682393Syz155240 * packets that have been tagged "out of window" by the TCP
19692393Syz155240 * state tracking is foolish as the attempt to add a new
19702393Syz155240 * state entry to the table will fail.
19712393Syz155240 */
19722393Syz155240 if ((passt & FR_KEEPSTATE) && (fin->fin_flx & FI_OOW))
19732393Syz155240 continue;
19742393Syz155240
19752393Syz155240 /*
19762393Syz155240 * If the rule is a "call now" rule, then call the function
19772393Syz155240 * in the rule, if it exists and use the results from that.
19782393Syz155240 * If the function pointer is bad, just make like we ignore
19792393Syz155240 * it, except for increasing the hit counter.
19802393Syz155240 */
198112255SJohn.Ojemann@Oracle.COM IPF_BUMP(fr->fr_hits);
198212255SJohn.Ojemann@Oracle.COM fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
19832393Syz155240 if ((passt & FR_CALLNOW) != 0) {
19842393Syz155240 if ((fr->fr_func != NULL) &&
19852393Syz155240 (fr->fr_func != (ipfunc_t)-1)) {
19862393Syz155240 frentry_t *frs;
19872393Syz155240
19882393Syz155240 frs = fin->fin_fr;
19892393Syz155240 fin->fin_fr = fr;
19902393Syz155240 fr = (*fr->fr_func)(fin, &passt);
19912393Syz155240 if (fr == NULL) {
19922393Syz155240 fin->fin_fr = frs;
19932393Syz155240 continue;
19942393Syz155240 }
19952393Syz155240 passt = fr->fr_flags;
19962393Syz155240 fin->fin_fr = fr;
19972393Syz155240 }
19982393Syz155240 } else {
19992393Syz155240 fin->fin_fr = fr;
20002393Syz155240 }
20012393Syz155240
20022393Syz155240 #ifdef IPFILTER_LOG
20032393Syz155240 /*
20042393Syz155240 * Just log this packet...
20052393Syz155240 */
20062393Syz155240 if ((passt & FR_LOGMASK) == FR_LOG) {
20072393Syz155240 if (ipflog(fin, passt) == -1) {
20082393Syz155240 if (passt & FR_LOGORBLOCK) {
20092393Syz155240 passt &= ~FR_CMDMASK;
20102393Syz155240 passt |= FR_BLOCK|FR_QUICK;
20112393Syz155240 }
20127131Sdr146992 IPF_BUMP(ifs->ifs_frstats[fin->fin_out].fr_skip);
20132393Syz155240 }
20147131Sdr146992 IPF_BUMP(ifs->ifs_frstats[fin->fin_out].fr_pkl);
20152393Syz155240 logged = 1;
20162393Syz155240 }
20172393Syz155240 #endif /* IPFILTER_LOG */
20182393Syz155240 passo = pass;
20192393Syz155240 if (FR_ISSKIP(passt))
20202393Syz155240 skip = fr->fr_arg;
20212393Syz155240 else if ((passt & FR_LOGMASK) != FR_LOG)
20222393Syz155240 pass = passt;
20232393Syz155240 if (passt & (FR_RETICMP|FR_FAKEICMP))
20242393Syz155240 fin->fin_icode = fr->fr_icode;
20252393Syz155240 FR_DEBUG(("pass %#x\n", pass));
20262393Syz155240 fin->fin_rule = rulen;
20272393Syz155240 (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
20282393Syz155240 if (fr->fr_grp != NULL) {
20292393Syz155240 fin->fin_fr = *fr->fr_grp;
20302393Syz155240 pass = fr_scanlist(fin, pass);
20312393Syz155240 if (fin->fin_fr == NULL) {
20322393Syz155240 fin->fin_rule = rulen;
20332393Syz155240 (void) strncpy(fin->fin_group, fr->fr_group,
20342393Syz155240 FR_GROUPLEN);
20352393Syz155240 fin->fin_fr = fr;
20362393Syz155240 }
20372393Syz155240 if (fin->fin_flx & FI_DONTCACHE)
20382393Syz155240 logged = 1;
20392393Syz155240 }
20402393Syz155240
20412393Syz155240 if (pass & FR_QUICK) {
20422393Syz155240 /*
20432393Syz155240 * Finally, if we've asked to track state for this
20442393Syz155240 * packet, set it up. Add state for "quick" rules
20452393Syz155240 * here so that if the action fails we can consider
20462393Syz155240 * the rule to "not match" and keep on processing
20472393Syz155240 * filter rules.
20482393Syz155240 */
20492393Syz155240 if ((pass & FR_KEEPSTATE) &&
20502393Syz155240 !(fin->fin_flx & FI_STATE)) {
20512393Syz155240 int out = fin->fin_out;
20522393Syz155240
20532393Syz155240 if (fr_addstate(fin, NULL, 0) != NULL) {
20547131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_ads);
20552393Syz155240 } else {
20567131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_bads);
20572393Syz155240 pass = passo;
20582393Syz155240 continue;
20592393Syz155240 }
20602393Syz155240 }
20612393Syz155240 break;
20622393Syz155240 }
20632393Syz155240 }
20642393Syz155240 if (logged)
20652393Syz155240 fin->fin_flx |= FI_DONTCACHE;
20662393Syz155240 fin->fin_depth--;
20672393Syz155240 return pass;
20682393Syz155240 }
20692393Syz155240
20702393Syz155240
20712393Syz155240 /* ------------------------------------------------------------------------ */
20722393Syz155240 /* Function: fr_acctpkt */
20732393Syz155240 /* Returns: frentry_t* - always returns NULL */
20742393Syz155240 /* Parameters: fin(I) - pointer to packet information */
20752393Syz155240 /* passp(IO) - pointer to current/new filter decision (unused) */
20762393Syz155240 /* */
20772393Syz155240 /* Checks a packet against accounting rules, if there are any for the given */
20782393Syz155240 /* IP protocol version. */
20792393Syz155240 /* */
20802393Syz155240 /* N.B.: this function returns NULL to match the prototype used by other */
20812393Syz155240 /* functions called from the IPFilter "mainline" in fr_check(). */
20822393Syz155240 /* ------------------------------------------------------------------------ */
fr_acctpkt(fin,passp)20832393Syz155240 frentry_t *fr_acctpkt(fin, passp)
20842393Syz155240 fr_info_t *fin;
20852393Syz155240 u_32_t *passp;
20862393Syz155240 {
20872393Syz155240 char group[FR_GROUPLEN];
20882393Syz155240 frentry_t *fr, *frsave;
20892393Syz155240 u_32_t pass, rulen;
20903448Sdh155122 ipf_stack_t *ifs = fin->fin_ifs;
20912393Syz155240
20922393Syz155240 passp = passp;
20932393Syz155240 #ifdef USE_INET6
20942393Syz155240 if (fin->fin_v == 6)
20953448Sdh155122 fr = ifs->ifs_ipacct6[fin->fin_out][ifs->ifs_fr_active];
20962393Syz155240 else
20972393Syz155240 #endif
20983448Sdh155122 fr = ifs->ifs_ipacct[fin->fin_out][ifs->ifs_fr_active];
20992393Syz155240
21002393Syz155240 if (fr != NULL) {
21012393Syz155240 frsave = fin->fin_fr;
21022393Syz155240 bcopy(fin->fin_group, group, FR_GROUPLEN);
21032393Syz155240 rulen = fin->fin_rule;
21042393Syz155240 fin->fin_fr = fr;
21052393Syz155240 pass = fr_scanlist(fin, FR_NOMATCH);
21062393Syz155240 if (FR_ISACCOUNT(pass)) {
21077131Sdr146992 IPF_BUMP(ifs->ifs_frstats[0].fr_acct);
21082393Syz155240 }
21092393Syz155240 fin->fin_fr = frsave;
21102393Syz155240 bcopy(group, fin->fin_group, FR_GROUPLEN);
21112393Syz155240 fin->fin_rule = rulen;
21122393Syz155240 }
21132393Syz155240 return NULL;
21142393Syz155240 }
21152393Syz155240
21162393Syz155240
21172393Syz155240 /* ------------------------------------------------------------------------ */
21182393Syz155240 /* Function: fr_firewall */
21192393Syz155240 /* Returns: frentry_t* - returns pointer to matched rule, if no matches */
21202393Syz155240 /* were found, returns NULL. */
21212393Syz155240 /* Parameters: fin(I) - pointer to packet information */
21222393Syz155240 /* passp(IO) - pointer to current/new filter decision (unused) */
21232393Syz155240 /* */
21242393Syz155240 /* Applies an appropriate set of firewall rules to the packet, to see if */
21252393Syz155240 /* there are any matches. The first check is to see if a match can be seen */
21262393Syz155240 /* in the cache. If not, then search an appropriate list of rules. Once a */
21272393Syz155240 /* matching rule is found, take any appropriate actions as defined by the */
21282393Syz155240 /* rule - except logging. */
21292393Syz155240 /* ------------------------------------------------------------------------ */
fr_firewall(fin,passp)21302393Syz155240 static frentry_t *fr_firewall(fin, passp)
21312393Syz155240 fr_info_t *fin;
21322393Syz155240 u_32_t *passp;
21332393Syz155240 {
21342393Syz155240 frentry_t *fr;
213510587SAlexandr.Nedvedicky@Sun.COM fr_info_t *fc;
21362393Syz155240 u_32_t pass;
21372393Syz155240 int out;
21383448Sdh155122 ipf_stack_t *ifs = fin->fin_ifs;
21392393Syz155240
21402393Syz155240 out = fin->fin_out;
21412393Syz155240 pass = *passp;
21422393Syz155240
21432393Syz155240 #ifdef USE_INET6
21447131Sdr146992 if (fin->fin_v == 6)
21457131Sdr146992 fin->fin_fr = ifs->ifs_ipfilter6[out][ifs->ifs_fr_active];
21467131Sdr146992 else
21472393Syz155240 #endif
21487131Sdr146992 fin->fin_fr = ifs->ifs_ipfilter[out][ifs->ifs_fr_active];
214910587SAlexandr.Nedvedicky@Sun.COM
215010587SAlexandr.Nedvedicky@Sun.COM /*
215110587SAlexandr.Nedvedicky@Sun.COM * If there are no rules loaded skip all checks and return.
215210587SAlexandr.Nedvedicky@Sun.COM */
215310587SAlexandr.Nedvedicky@Sun.COM if (fin->fin_fr == NULL) {
215410587SAlexandr.Nedvedicky@Sun.COM
215510587SAlexandr.Nedvedicky@Sun.COM if ((pass & FR_NOMATCH)) {
215610587SAlexandr.Nedvedicky@Sun.COM IPF_BUMP(ifs->ifs_frstats[out].fr_nom);
215710587SAlexandr.Nedvedicky@Sun.COM }
215810587SAlexandr.Nedvedicky@Sun.COM
215910587SAlexandr.Nedvedicky@Sun.COM return (NULL);
216010587SAlexandr.Nedvedicky@Sun.COM }
216110587SAlexandr.Nedvedicky@Sun.COM
216210587SAlexandr.Nedvedicky@Sun.COM fc = &ifs->ifs_frcache[out][CACHE_HASH(fin)];
216310587SAlexandr.Nedvedicky@Sun.COM READ_ENTER(&ifs->ifs_ipf_frcache);
216410587SAlexandr.Nedvedicky@Sun.COM if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
216510587SAlexandr.Nedvedicky@Sun.COM /*
216610587SAlexandr.Nedvedicky@Sun.COM * copy cached data so we can unlock the mutexes earlier.
216710587SAlexandr.Nedvedicky@Sun.COM */
216810587SAlexandr.Nedvedicky@Sun.COM bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
216910587SAlexandr.Nedvedicky@Sun.COM RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
217010587SAlexandr.Nedvedicky@Sun.COM IPF_BUMP(ifs->ifs_frstats[out].fr_chit);
217110587SAlexandr.Nedvedicky@Sun.COM
217210587SAlexandr.Nedvedicky@Sun.COM if ((fr = fin->fin_fr) != NULL) {
217310587SAlexandr.Nedvedicky@Sun.COM IPF_BUMP(fr->fr_hits);
217412255SJohn.Ojemann@Oracle.COM fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
217510587SAlexandr.Nedvedicky@Sun.COM pass = fr->fr_flags;
217610587SAlexandr.Nedvedicky@Sun.COM }
217710587SAlexandr.Nedvedicky@Sun.COM } else {
217810587SAlexandr.Nedvedicky@Sun.COM RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
217910587SAlexandr.Nedvedicky@Sun.COM
21807131Sdr146992 pass = fr_scanlist(fin, ifs->ifs_fr_pass);
21817131Sdr146992
218210587SAlexandr.Nedvedicky@Sun.COM if (((pass & FR_KEEPSTATE) == 0) &&
218310587SAlexandr.Nedvedicky@Sun.COM ((fin->fin_flx & FI_DONTCACHE) == 0)) {
218410587SAlexandr.Nedvedicky@Sun.COM WRITE_ENTER(&ifs->ifs_ipf_frcache);
218510587SAlexandr.Nedvedicky@Sun.COM bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
218610587SAlexandr.Nedvedicky@Sun.COM RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
218710587SAlexandr.Nedvedicky@Sun.COM }
218810587SAlexandr.Nedvedicky@Sun.COM
218910587SAlexandr.Nedvedicky@Sun.COM fr = fin->fin_fr;
219010587SAlexandr.Nedvedicky@Sun.COM }
219110587SAlexandr.Nedvedicky@Sun.COM
21927131Sdr146992 if ((pass & FR_NOMATCH)) {
21937131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_nom);
21942393Syz155240 }
21952393Syz155240
21962393Syz155240 /*
21972393Syz155240 * Apply packets per second rate-limiting to a rule as required.
21982393Syz155240 */
21992393Syz155240 if ((fr != NULL) && (fr->fr_pps != 0) &&
22002393Syz155240 !ppsratecheck(&fr->fr_lastpkt, &fr->fr_curpps, fr->fr_pps)) {
22012393Syz155240 pass &= ~(FR_CMDMASK|FR_DUP|FR_RETICMP|FR_RETRST);
22022393Syz155240 pass |= FR_BLOCK;
22037131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_ppshit);
22042393Syz155240 }
22052393Syz155240
22062393Syz155240 /*
22072393Syz155240 * If we fail to add a packet to the authorization queue, then we
22082393Syz155240 * drop the packet later. However, if it was added then pretend
22092393Syz155240 * we've dropped it already.
22102393Syz155240 */
22112393Syz155240 if (FR_ISAUTH(pass)) {
22122393Syz155240 if (fr_newauth(fin->fin_m, fin) != 0) {
22132393Syz155240 #ifdef _KERNEL
22142393Syz155240 fin->fin_m = *fin->fin_mp = NULL;
22152393Syz155240 #else
22162393Syz155240 ;
22172393Syz155240 #endif
22182393Syz155240 fin->fin_error = 0;
22192393Syz155240 } else
22202393Syz155240 fin->fin_error = ENOSPC;
22212393Syz155240 }
22222393Syz155240
22232393Syz155240 if ((fr != NULL) && (fr->fr_func != NULL) &&
22242393Syz155240 (fr->fr_func != (ipfunc_t)-1) && !(pass & FR_CALLNOW))
22252393Syz155240 (void) (*fr->fr_func)(fin, &pass);
22262393Syz155240
22272393Syz155240 /*
22282393Syz155240 * If a rule is a pre-auth rule, check again in the list of rules
22292393Syz155240 * loaded for authenticated use. It does not particulary matter
22302393Syz155240 * if this search fails because a "preauth" result, from a rule,
22312393Syz155240 * is treated as "not a pass", hence the packet is blocked.
22322393Syz155240 */
22332393Syz155240 if (FR_ISPREAUTH(pass)) {
22343448Sdh155122 if ((fin->fin_fr = ifs->ifs_ipauth) != NULL)
22353448Sdh155122 pass = fr_scanlist(fin, ifs->ifs_fr_pass);
22362393Syz155240 }
22372393Syz155240
22382393Syz155240 /*
22392393Syz155240 * If the rule has "keep frag" and the packet is actually a fragment,
22402393Syz155240 * then create a fragment state entry.
22412393Syz155240 */
22422393Syz155240 if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
22432393Syz155240 if (fin->fin_flx & FI_FRAG) {
22442393Syz155240 if (fr_newfrag(fin, pass) == -1) {
22457131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_bnfr);
22462393Syz155240 } else {
22477131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_nfr);
22482393Syz155240 }
22492393Syz155240 } else {
22507131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_cfr);
22512393Syz155240 }
22522393Syz155240 }
22532393Syz155240
22542393Syz155240 /*
22552393Syz155240 * Finally, if we've asked to track state for this packet, set it up.
22562393Syz155240 */
22572393Syz155240 if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
22582393Syz155240 if (fr_addstate(fin, NULL, 0) != NULL) {
22597131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_ads);
22602393Syz155240 } else {
22617131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_bads);
22622393Syz155240 if (FR_ISPASS(pass)) {
22632393Syz155240 pass &= ~FR_CMDMASK;
22642393Syz155240 pass |= FR_BLOCK;
22652393Syz155240 }
22662393Syz155240 }
22672393Syz155240 }
22682393Syz155240
22692393Syz155240 fr = fin->fin_fr;
22702393Syz155240
22712393Syz155240 if (passp != NULL)
22722393Syz155240 *passp = pass;
22732393Syz155240
22742393Syz155240 return fr;
22752393Syz155240 }
22762393Syz155240
22772393Syz155240 /* ------------------------------------------------------------------------ */
22782393Syz155240 /* Function: fr_check */
22792393Syz155240 /* Returns: int - 0 == packet allowed through, */
22802393Syz155240 /* User space: */
22812393Syz155240 /* -1 == packet blocked */
22822393Syz155240 /* 1 == packet not matched */
22832393Syz155240 /* -2 == requires authentication */
22842393Syz155240 /* Kernel: */
22852393Syz155240 /* > 0 == filter error # for packet */
22862393Syz155240 /* Parameters: ip(I) - pointer to start of IPv4/6 packet */
22872393Syz155240 /* hlen(I) - length of header */
22882393Syz155240 /* ifp(I) - pointer to interface this packet is on */
22892393Syz155240 /* out(I) - 0 == packet going in, 1 == packet going out */
22902393Syz155240 /* mp(IO) - pointer to caller's buffer pointer that holds this */
22912393Syz155240 /* IP packet. */
22922393Syz155240 /* Solaris & HP-UX ONLY : */
22932393Syz155240 /* qpi(I) - pointer to STREAMS queue information for this */
22942393Syz155240 /* interface & direction. */
22952393Syz155240 /* */
22962393Syz155240 /* fr_check() is the master function for all IPFilter packet processing. */
22972393Syz155240 /* It orchestrates: Network Address Translation (NAT), checking for packet */
22982393Syz155240 /* authorisation (or pre-authorisation), presence of related state info., */
22992393Syz155240 /* generating log entries, IP packet accounting, routing of packets as */
23002393Syz155240 /* directed by firewall rules and of course whether or not to allow the */
23012393Syz155240 /* packet to be further processed by the kernel. */
23022393Syz155240 /* */
23032393Syz155240 /* For packets blocked, the contents of "mp" will be NULL'd and the buffer */
23042393Syz155240 /* freed. Packets passed may be returned with the pointer pointed to by */
23052393Syz155240 /* by "mp" changed to a new buffer. */
23062393Syz155240 /* ------------------------------------------------------------------------ */
fr_check(ip,hlen,ifp,out,qif,mp,ifs)23072393Syz155240 int fr_check(ip, hlen, ifp, out
23082393Syz155240 #if defined(_KERNEL) && defined(MENTAT)
23093448Sdh155122 , qif, mp, ifs)
23102393Syz155240 void *qif;
23112393Syz155240 #else
23123448Sdh155122 , mp, ifs)
23132393Syz155240 #endif
23142393Syz155240 mb_t **mp;
23152393Syz155240 ip_t *ip;
23162393Syz155240 int hlen;
23172393Syz155240 void *ifp;
23182393Syz155240 int out;
23193448Sdh155122 ipf_stack_t *ifs;
23202393Syz155240 {
23212393Syz155240 /*
23222393Syz155240 * The above really sucks, but short of writing a diff
23232393Syz155240 */
23242393Syz155240 fr_info_t frinfo;
23252393Syz155240 fr_info_t *fin = &frinfo;
23263448Sdh155122 u_32_t pass;
23272393Syz155240 frentry_t *fr = NULL;
23282393Syz155240 int v = IP_V(ip);
23292393Syz155240 mb_t *mc = NULL;
23302393Syz155240 mb_t *m;
23312393Syz155240 #ifdef USE_INET6
23322393Syz155240 ip6_t *ip6;
23332393Syz155240 #endif
23342393Syz155240 #ifdef _KERNEL
23352393Syz155240 # ifdef MENTAT
23362393Syz155240 qpktinfo_t *qpi = qif;
23372393Syz155240 #endif
23382393Syz155240 #endif
23393448Sdh155122
23402393Syz155240 SPL_INT(s);
23413448Sdh155122 pass = ifs->ifs_fr_pass;
23422393Syz155240
23432393Syz155240 /*
23442393Syz155240 * The first part of fr_check() deals with making sure that what goes
23452393Syz155240 * into the filtering engine makes some sense. Information about the
23462393Syz155240 * the packet is distilled, collected into a fr_info_t structure and
23472393Syz155240 * the an attempt to ensure the buffer the packet is in is big enough
23482393Syz155240 * to hold all the required packet headers.
23492393Syz155240 */
23502393Syz155240 #ifdef _KERNEL
23512393Syz155240 # ifdef MENTAT
23522393Syz155240 if (!OK_32PTR(ip))
23532393Syz155240 return 2;
23542393Syz155240 # endif
23552393Syz155240
23563448Sdh155122
23573448Sdh155122 if (ifs->ifs_fr_running <= 0) {
23582393Syz155240 return 0;
23592393Syz155240 }
23602393Syz155240
23612393Syz155240 bzero((char *)fin, sizeof(*fin));
23622393Syz155240
23632393Syz155240 # ifdef MENTAT
23645868Sdr146992 fin->fin_flx = qpi->qpi_flags & (FI_NOCKSUM|FI_MBCAST|FI_MULTICAST|
23655868Sdr146992 FI_BROADCAST);
23662393Syz155240 m = qpi->qpi_m;
23672393Syz155240 fin->fin_qfm = m;
23682393Syz155240 fin->fin_qpi = qpi;
23692393Syz155240 # else /* MENTAT */
23702393Syz155240
23712393Syz155240 m = *mp;
23722393Syz155240
23732393Syz155240 # if defined(M_MCAST)
23742393Syz155240 if ((m->m_flags & M_MCAST) != 0)
23752393Syz155240 fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
23762393Syz155240 # endif
23772393Syz155240 # if defined(M_MLOOP)
23782393Syz155240 if ((m->m_flags & M_MLOOP) != 0)
23792393Syz155240 fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
23802393Syz155240 # endif
23812393Syz155240 # if defined(M_BCAST)
23822393Syz155240 if ((m->m_flags & M_BCAST) != 0)
23832393Syz155240 fin->fin_flx |= FI_MBCAST|FI_BROADCAST;
23842393Syz155240 # endif
23852393Syz155240 # ifdef M_CANFASTFWD
23862393Syz155240 /*
23872393Syz155240 * XXX For now, IP Filter and fast-forwarding of cached flows
23882393Syz155240 * XXX are mutually exclusive. Eventually, IP Filter should
23892393Syz155240 * XXX get a "can-fast-forward" filter rule.
23902393Syz155240 */
23912393Syz155240 m->m_flags &= ~M_CANFASTFWD;
23922393Syz155240 # endif /* M_CANFASTFWD */
23932393Syz155240 # ifdef CSUM_DELAY_DATA
23942393Syz155240 /*
23952393Syz155240 * disable delayed checksums.
23962393Syz155240 */
23972393Syz155240 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
23982393Syz155240 in_delayed_cksum(m);
23992393Syz155240 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
24002393Syz155240 }
24012393Syz155240 # endif /* CSUM_DELAY_DATA */
24022393Syz155240 # endif /* MENTAT */
24032393Syz155240 #else
24042393Syz155240
24052393Syz155240 bzero((char *)fin, sizeof(*fin));
24062393Syz155240 m = *mp;
24072393Syz155240 #endif /* _KERNEL */
24082393Syz155240
24092393Syz155240 fin->fin_v = v;
24102393Syz155240 fin->fin_m = m;
24112393Syz155240 fin->fin_ip = ip;
24122393Syz155240 fin->fin_mp = mp;
24132393Syz155240 fin->fin_out = out;
24142393Syz155240 fin->fin_ifp = ifp;
24152393Syz155240 fin->fin_error = ENETUNREACH;
24162393Syz155240 fin->fin_hlen = (u_short)hlen;
24172393Syz155240 fin->fin_dp = (char *)ip + hlen;
24182393Syz155240 fin->fin_ipoff = (char *)ip - MTOD(m, char *);
24193448Sdh155122 fin->fin_ifs = ifs;
24202393Syz155240
24212393Syz155240 SPL_NET(s);
24222393Syz155240
24232393Syz155240 #ifdef USE_INET6
24242393Syz155240 if (v == 6) {
24257131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_ipv6);
24262393Syz155240 /*
24272393Syz155240 * Jumbo grams are quite likely too big for internal buffer
24282393Syz155240 * structures to handle comfortably, for now, so just drop
24292393Syz155240 * them.
24302393Syz155240 */
24312393Syz155240 ip6 = (ip6_t *)ip;
24322393Syz155240 fin->fin_plen = ntohs(ip6->ip6_plen);
24332393Syz155240 if (fin->fin_plen == 0) {
24343448Sdh155122 READ_ENTER(&ifs->ifs_ipf_mutex);
24352393Syz155240 pass = FR_BLOCK|FR_NOMATCH;
24362393Syz155240 goto filtered;
24372393Syz155240 }
24382393Syz155240 fin->fin_plen += sizeof(ip6_t);
24392393Syz155240 } else
24402393Syz155240 #endif
24412393Syz155240 {
24422393Syz155240 #if (OpenBSD >= 200311) && defined(_KERNEL)
24432393Syz155240 ip->ip_len = ntohs(ip->ip_len);
24442393Syz155240 ip->ip_off = ntohs(ip->ip_off);
24452393Syz155240 #endif
24462393Syz155240 fin->fin_plen = ip->ip_len;
24472393Syz155240 }
24482393Syz155240
24492393Syz155240 if (fr_makefrip(hlen, ip, fin) == -1) {
24503448Sdh155122 READ_ENTER(&ifs->ifs_ipf_mutex);
24512393Syz155240 pass = FR_BLOCK;
24522393Syz155240 goto filtered;
24532393Syz155240 }
24542393Syz155240
24552393Syz155240 /*
24562393Syz155240 * For at least IPv6 packets, if a m_pullup() fails then this pointer
24572393Syz155240 * becomes NULL and so we have no packet to free.
24582393Syz155240 */
24592393Syz155240 if (*fin->fin_mp == NULL)
24602393Syz155240 goto finished;
24612393Syz155240
24622393Syz155240 if (!out) {
24632393Syz155240 if (v == 4) {
24642393Syz155240 #ifdef _KERNEL
24653448Sdh155122 if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) {
24667131Sdr146992 IPF_BUMP(ifs->ifs_frstats[0].fr_badsrc);
24672393Syz155240 fin->fin_flx |= FI_BADSRC;
24682393Syz155240 }
24692393Syz155240 #endif
24703448Sdh155122 if (fin->fin_ip->ip_ttl < ifs->ifs_fr_minttl) {
24717131Sdr146992 IPF_BUMP(ifs->ifs_frstats[0].fr_badttl);
24722393Syz155240 fin->fin_flx |= FI_LOWTTL;
24732393Syz155240 }
24742393Syz155240 }
24752393Syz155240 #ifdef USE_INET6
24762393Syz155240 else if (v == 6) {
24772393Syz155240 ip6 = (ip6_t *)ip;
24782393Syz155240 #ifdef _KERNEL
24793448Sdh155122 if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) {
24807131Sdr146992 IPF_BUMP(ifs->ifs_frstats[0].fr_badsrc);
24812393Syz155240 fin->fin_flx |= FI_BADSRC;
24822393Syz155240 }
24832393Syz155240 #endif
24843448Sdh155122 if (ip6->ip6_hlim < ifs->ifs_fr_minttl) {
24857131Sdr146992 IPF_BUMP(ifs->ifs_frstats[0].fr_badttl);
24862393Syz155240 fin->fin_flx |= FI_LOWTTL;
24872393Syz155240 }
24882393Syz155240 }
24892393Syz155240 #endif
24902393Syz155240 }
24912393Syz155240
24922393Syz155240 if (fin->fin_flx & FI_SHORT) {
24937131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_short);
24942393Syz155240 }
24952393Syz155240
24963448Sdh155122 READ_ENTER(&ifs->ifs_ipf_mutex);
24972393Syz155240
24982393Syz155240 /*
24992393Syz155240 * Check auth now. This, combined with the check below to see if apass
25002393Syz155240 * is 0 is to ensure that we don't count the packet twice, which can
25012393Syz155240 * otherwise occur when we reprocess it. As it is, we only count it
25022393Syz155240 * after it has no auth. table matchup. This also stops NAT from
25032393Syz155240 * occuring until after the packet has been auth'd.
25042393Syz155240 */
25052393Syz155240 fr = fr_checkauth(fin, &pass);
25062393Syz155240 if (!out) {
25077176Syx160601 switch (fin->fin_v)
25087176Syx160601 {
25097176Syx160601 case 4 :
25107176Syx160601 if (fr_checknatin(fin, &pass) == -1) {
25117176Syx160601 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
25127176Syx160601 goto finished;
25137176Syx160601 }
25147176Syx160601 break;
25157176Syx160601 #ifdef USE_INET6
25167176Syx160601 case 6 :
25177176Syx160601 if (fr_checknat6in(fin, &pass) == -1) {
25187176Syx160601 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
25197176Syx160601 goto finished;
25207176Syx160601 }
25217176Syx160601 break;
25227176Syx160601 #endif
25237176Syx160601 default :
25247176Syx160601 break;
25252393Syz155240 }
25262393Syz155240 }
25272393Syz155240 if (!out)
25282393Syz155240 (void) fr_acctpkt(fin, NULL);
25292393Syz155240
25302393Syz155240 if (fr == NULL)
25312393Syz155240 if ((fin->fin_flx & (FI_FRAG|FI_BAD)) == FI_FRAG)
25322393Syz155240 fr = fr_knownfrag(fin, &pass);
25332393Syz155240 if (fr == NULL)
25342393Syz155240 fr = fr_checkstate(fin, &pass);
25352393Syz155240
25362393Syz155240 if ((pass & FR_NOMATCH) || (fr == NULL))
25372393Syz155240 fr = fr_firewall(fin, &pass);
25382393Syz155240
25392393Syz155240 fin->fin_fr = fr;
25402393Syz155240
25412393Syz155240 /*
25422393Syz155240 * Only count/translate packets which will be passed on, out the
25432393Syz155240 * interface.
25442393Syz155240 */
25452393Syz155240 if (out && FR_ISPASS(pass)) {
25462393Syz155240 (void) fr_acctpkt(fin, NULL);
25472393Syz155240
25487176Syx160601 switch (fin->fin_v)
25497176Syx160601 {
25507176Syx160601 case 4 :
25517176Syx160601 if (fr_checknatout(fin, &pass) == -1) {
25527176Syx160601 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
25537176Syx160601 goto finished;
25547176Syx160601 }
25557176Syx160601 break;
25567176Syx160601 #ifdef USE_INET6
25577176Syx160601 case 6 :
25587176Syx160601 if (fr_checknat6out(fin, &pass) == -1) {
25597176Syx160601 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
25607176Syx160601 goto finished;
25617176Syx160601 }
25627176Syx160601 break;
25637176Syx160601 #endif
25647176Syx160601 default :
25657176Syx160601 break;
25667176Syx160601 }
25677176Syx160601
25687176Syx160601 if ((ifs->ifs_fr_update_ipid != 0) && (v == 4)) {
25692393Syz155240 if (fr_updateipid(fin) == -1) {
25707131Sdr146992 IPF_BUMP(ifs->ifs_frstats[1].fr_ipud);
25712393Syz155240 pass &= ~FR_CMDMASK;
25722393Syz155240 pass |= FR_BLOCK;
25732393Syz155240 } else {
25747131Sdr146992 IPF_BUMP(ifs->ifs_frstats[0].fr_ipud);
25752393Syz155240 }
25762393Syz155240 }
25772393Syz155240 }
25782393Syz155240
25792393Syz155240 #ifdef IPFILTER_LOG
25803448Sdh155122 if ((ifs->ifs_fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
25812393Syz155240 (void) fr_dolog(fin, &pass);
25822393Syz155240 }
25832393Syz155240 #endif
25842393Syz155240
25858624SDarren.Reed@Sun.COM /*
25868624SDarren.Reed@Sun.COM * The FI_STATE flag is cleared here so that calling fr_checkstate
25878624SDarren.Reed@Sun.COM * will work when called from inside of fr_fastroute. Although
25888624SDarren.Reed@Sun.COM * there is a similar flag, FI_NATED, for NAT, it does have the same
25898624SDarren.Reed@Sun.COM * impact on code execution.
25908624SDarren.Reed@Sun.COM */
25918624SDarren.Reed@Sun.COM fin->fin_flx &= ~FI_STATE;
25922393Syz155240
25932393Syz155240 /*
25942393Syz155240 * Only allow FR_DUP to work if a rule matched - it makes no sense to
25952393Syz155240 * set FR_DUP as a "default" as there are no instructions about where
25962393Syz155240 * to send the packet. Use fin_m here because it may have changed
25972393Syz155240 * (without an update of 'm') in prior processing.
25982393Syz155240 */
25992393Syz155240 if ((fr != NULL) && (pass & FR_DUP)) {
26002393Syz155240 mc = M_DUPLICATE(fin->fin_m);
260110838SAlexandr.Nedvedicky@Sun.COM #ifdef _KERNEL
260210838SAlexandr.Nedvedicky@Sun.COM mc->b_rptr += fin->fin_ipoff;
260310838SAlexandr.Nedvedicky@Sun.COM #endif
26042393Syz155240 }
26052393Syz155240
2606*12358SAlexandr.Nedvedicky@Sun.COM /*
2607*12358SAlexandr.Nedvedicky@Sun.COM * We don't want to send RST for packets, which are going to be
2608*12358SAlexandr.Nedvedicky@Sun.COM * dropped, just because they don't fit into TCP window. Those packets
2609*12358SAlexandr.Nedvedicky@Sun.COM * will be dropped silently. In other words, we want to drop packet,
2610*12358SAlexandr.Nedvedicky@Sun.COM * while keeping session alive.
2611*12358SAlexandr.Nedvedicky@Sun.COM */
2612*12358SAlexandr.Nedvedicky@Sun.COM if ((pass & (FR_RETRST|FR_RETICMP)) && ((fin->fin_flx & FI_OOW) == 0)) {
26132393Syz155240 /*
26142393Syz155240 * Should we return an ICMP packet to indicate error
26152393Syz155240 * status passing through the packet filter ?
26162393Syz155240 * WARNING: ICMP error packets AND TCP RST packets should
26172393Syz155240 * ONLY be sent in repsonse to incoming packets. Sending them
26182393Syz155240 * in response to outbound packets can result in a panic on
26192393Syz155240 * some operating systems.
26202393Syz155240 */
26212393Syz155240 if (!out) {
26222393Syz155240 if (pass & FR_RETICMP) {
26232393Syz155240 int dst;
26242393Syz155240
26252393Syz155240 if ((pass & FR_RETMASK) == FR_FAKEICMP)
26262393Syz155240 dst = 1;
26272393Syz155240 else
26282393Syz155240 dst = 0;
26299695SAlexandr.Nedvedicky@Sun.COM #if defined(_KERNEL) && (SOLARIS2 >= 10)
26309695SAlexandr.Nedvedicky@Sun.COM /*
26319695SAlexandr.Nedvedicky@Sun.COM * Assume it's possible to enter insane rule:
26329695SAlexandr.Nedvedicky@Sun.COM * pass return-icmp in proto udp ...
26339695SAlexandr.Nedvedicky@Sun.COM * then we have no other option than to forward
26349695SAlexandr.Nedvedicky@Sun.COM * packet on loopback and give up any attempt
26359695SAlexandr.Nedvedicky@Sun.COM * to create a fake response.
26369695SAlexandr.Nedvedicky@Sun.COM */
26379695SAlexandr.Nedvedicky@Sun.COM if (IPF_IS_LOOPBACK(qpi->qpi_flags) &&
26389695SAlexandr.Nedvedicky@Sun.COM FR_ISBLOCK(pass)) {
26399695SAlexandr.Nedvedicky@Sun.COM
26409695SAlexandr.Nedvedicky@Sun.COM if (fr_make_icmp(fin) == 0) {
26419695SAlexandr.Nedvedicky@Sun.COM IPF_BUMP(
26429695SAlexandr.Nedvedicky@Sun.COM ifs->ifs_frstats[out].fr_ret);
26439695SAlexandr.Nedvedicky@Sun.COM }
26449695SAlexandr.Nedvedicky@Sun.COM /*
26459695SAlexandr.Nedvedicky@Sun.COM * we drop packet silently in case we
26469695SAlexandr.Nedvedicky@Sun.COM * failed assemble fake response for it
26479695SAlexandr.Nedvedicky@Sun.COM */
26489695SAlexandr.Nedvedicky@Sun.COM else if (*mp != NULL) {
26499695SAlexandr.Nedvedicky@Sun.COM FREE_MB_T(*mp);
26509695SAlexandr.Nedvedicky@Sun.COM m = *mp = NULL;
26519695SAlexandr.Nedvedicky@Sun.COM }
26529695SAlexandr.Nedvedicky@Sun.COM
26539695SAlexandr.Nedvedicky@Sun.COM IPF_BUMP(
26549695SAlexandr.Nedvedicky@Sun.COM ifs->ifs_frstats[out].fr_block);
26559695SAlexandr.Nedvedicky@Sun.COM RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
26569695SAlexandr.Nedvedicky@Sun.COM
26579695SAlexandr.Nedvedicky@Sun.COM return (0);
26589695SAlexandr.Nedvedicky@Sun.COM }
26599695SAlexandr.Nedvedicky@Sun.COM #endif /* _KERNEL && SOLARIS2 >= 10 */
26609695SAlexandr.Nedvedicky@Sun.COM
26612393Syz155240 (void) fr_send_icmp_err(ICMP_UNREACH, fin, dst);
26629695SAlexandr.Nedvedicky@Sun.COM IPF_BUMP(ifs->ifs_frstats[out].fr_ret);
26639695SAlexandr.Nedvedicky@Sun.COM
26642393Syz155240 } else if (((pass & FR_RETMASK) == FR_RETRST) &&
26652393Syz155240 !(fin->fin_flx & FI_SHORT)) {
26669695SAlexandr.Nedvedicky@Sun.COM
26679695SAlexandr.Nedvedicky@Sun.COM #if defined(_KERNEL) && (SOLARIS2 >= 10)
26689695SAlexandr.Nedvedicky@Sun.COM /*
26699695SAlexandr.Nedvedicky@Sun.COM * Assume it's possible to enter insane rule:
26709695SAlexandr.Nedvedicky@Sun.COM * pass return-rst in proto tcp ...
26719695SAlexandr.Nedvedicky@Sun.COM * then we have no other option than to forward
26729695SAlexandr.Nedvedicky@Sun.COM * packet on loopback and give up any attempt
26739695SAlexandr.Nedvedicky@Sun.COM * to create a fake response.
26749695SAlexandr.Nedvedicky@Sun.COM */
26759695SAlexandr.Nedvedicky@Sun.COM if (IPF_IS_LOOPBACK(qpi->qpi_flags) &&
26769695SAlexandr.Nedvedicky@Sun.COM FR_ISBLOCK(pass)) {
26779695SAlexandr.Nedvedicky@Sun.COM if (fr_make_rst(fin) == 0) {
26789695SAlexandr.Nedvedicky@Sun.COM IPF_BUMP(
26799695SAlexandr.Nedvedicky@Sun.COM ifs->ifs_frstats[out].fr_ret);
26809695SAlexandr.Nedvedicky@Sun.COM }
26819695SAlexandr.Nedvedicky@Sun.COM else if (mp != NULL) {
26829695SAlexandr.Nedvedicky@Sun.COM /*
26839695SAlexandr.Nedvedicky@Sun.COM * we drop packet silently in case we
26849695SAlexandr.Nedvedicky@Sun.COM * failed assemble fake response for it
26859695SAlexandr.Nedvedicky@Sun.COM */
26869695SAlexandr.Nedvedicky@Sun.COM FREE_MB_T(*mp);
26879695SAlexandr.Nedvedicky@Sun.COM m = *mp = NULL;
26889695SAlexandr.Nedvedicky@Sun.COM }
26899695SAlexandr.Nedvedicky@Sun.COM
26909695SAlexandr.Nedvedicky@Sun.COM IPF_BUMP(
26919695SAlexandr.Nedvedicky@Sun.COM ifs->ifs_frstats[out].fr_block);
26929695SAlexandr.Nedvedicky@Sun.COM RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
26939695SAlexandr.Nedvedicky@Sun.COM
26949695SAlexandr.Nedvedicky@Sun.COM return (0);
26959695SAlexandr.Nedvedicky@Sun.COM }
26969695SAlexandr.Nedvedicky@Sun.COM #endif /* _KERNEL && _SOLARIS2 >= 10 */
26972393Syz155240 if (fr_send_reset(fin) == 0) {
26987131Sdr146992 IPF_BUMP(ifs->ifs_frstats[1].fr_ret);
26992393Syz155240 }
27002393Syz155240 }
27012393Syz155240 } else {
27022393Syz155240 if (pass & FR_RETRST)
27032393Syz155240 fin->fin_error = ECONNRESET;
27042393Syz155240 }
27052393Syz155240 }
27062393Syz155240
27072393Syz155240 /*
27082393Syz155240 * If we didn't drop off the bottom of the list of rules (and thus
27092393Syz155240 * the 'current' rule fr is not NULL), then we may have some extra
27102393Syz155240 * instructions about what to do with a packet.
27112393Syz155240 * Once we're finished return to our caller, freeing the packet if
27122393Syz155240 * we are dropping it (* BSD ONLY *).
27132393Syz155240 * Reassign m from fin_m as we may have a new buffer, now.
27142393Syz155240 */
27152393Syz155240 filtered:
27162393Syz155240 m = fin->fin_m;
27172393Syz155240
27182393Syz155240 if (fr != NULL) {
27192393Syz155240 frdest_t *fdp;
27202393Syz155240
27212393Syz155240 fdp = &fr->fr_tifs[fin->fin_rev];
27222393Syz155240
27232393Syz155240 if (!out && (pass & FR_FASTROUTE)) {
27242393Syz155240 /*
27252393Syz155240 * For fastroute rule, no destioation interface defined
27262393Syz155240 * so pass NULL as the frdest_t parameter
27272393Syz155240 */
27282393Syz155240 (void) fr_fastroute(m, mp, fin, NULL);
27292393Syz155240 m = *mp = NULL;
27302393Syz155240 } else if ((fdp->fd_ifp != NULL) &&
27312393Syz155240 (fdp->fd_ifp != (struct ifnet *)-1)) {
27322393Syz155240 /* this is for to rules: */
27332393Syz155240 (void) fr_fastroute(m, mp, fin, fdp);
27342393Syz155240 m = *mp = NULL;
27352393Syz155240 }
27362393Syz155240
27372393Syz155240 /*
2738*12358SAlexandr.Nedvedicky@Sun.COM * Send a duplicated packet.
27392393Syz155240 */
2740*12358SAlexandr.Nedvedicky@Sun.COM if (mc != NULL) {
2741*12358SAlexandr.Nedvedicky@Sun.COM #if defined(_KERNEL) && (SOLARIS2 >= 10)
2742*12358SAlexandr.Nedvedicky@Sun.COM /*
2743*12358SAlexandr.Nedvedicky@Sun.COM * We are going to compute chksum for copies of loopback packets
2744*12358SAlexandr.Nedvedicky@Sun.COM * only. IP stack does not compute chksums at all for loopback
2745*12358SAlexandr.Nedvedicky@Sun.COM * packets. We want to get it fixed in their copies, since those
2746*12358SAlexandr.Nedvedicky@Sun.COM * are going to be sent to network.
2747*12358SAlexandr.Nedvedicky@Sun.COM */
2748*12358SAlexandr.Nedvedicky@Sun.COM if (IPF_IS_LOOPBACK(qpi->qpi_flags))
2749*12358SAlexandr.Nedvedicky@Sun.COM fr_calc_chksum(fin, mc);
2750*12358SAlexandr.Nedvedicky@Sun.COM #endif
27512393Syz155240 (void) fr_fastroute(mc, &mc, fin, &fr->fr_dif);
2752*12358SAlexandr.Nedvedicky@Sun.COM }
27532393Syz155240 }
27542393Syz155240
27558624SDarren.Reed@Sun.COM if (FR_ISBLOCK(pass) && (fin->fin_flx & FI_NEWNAT))
27568624SDarren.Reed@Sun.COM nat_uncreate(fin);
27578624SDarren.Reed@Sun.COM
27582393Syz155240 /*
27592393Syz155240 * This late because the likes of fr_fastroute() use fin_fr.
27602393Syz155240 */
27613448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
27622393Syz155240
27632393Syz155240 finished:
27642393Syz155240 if (!FR_ISPASS(pass)) {
27657131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_block);
27662393Syz155240 if (*mp != NULL) {
27672393Syz155240 FREE_MB_T(*mp);
27682393Syz155240 m = *mp = NULL;
27692393Syz155240 }
27702393Syz155240 } else {
27717131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_pass);
27722393Syz155240 #if defined(_KERNEL) && defined(__sgi)
27732393Syz155240 if ((fin->fin_hbuf != NULL) &&
27742393Syz155240 (mtod(fin->fin_m, struct ip *) != fin->fin_ip)) {
27752393Syz155240 COPYBACK(m, 0, fin->fin_plen, fin->fin_hbuf);
27762393Syz155240 }
27772393Syz155240 #endif
27782393Syz155240 }
27792393Syz155240
27802393Syz155240 SPL_X(s);
27812393Syz155240
27822393Syz155240 #ifdef _KERNEL
27832393Syz155240 # if OpenBSD >= 200311
27842393Syz155240 if (FR_ISPASS(pass) && (v == 4)) {
27852393Syz155240 ip = fin->fin_ip;
27862393Syz155240 ip->ip_len = ntohs(ip->ip_len);
27872393Syz155240 ip->ip_off = ntohs(ip->ip_off);
27882393Syz155240 }
27892393Syz155240 # endif
27902393Syz155240 return (FR_ISPASS(pass)) ? 0 : fin->fin_error;
27912393Syz155240 #else /* _KERNEL */
27922393Syz155240 FR_VERBOSE(("fin_flx %#x pass %#x ", fin->fin_flx, pass));
27932393Syz155240 if ((pass & FR_NOMATCH) != 0)
27942393Syz155240 return 1;
27952393Syz155240
27962393Syz155240 if ((pass & FR_RETMASK) != 0)
27972393Syz155240 switch (pass & FR_RETMASK)
27982393Syz155240 {
27992393Syz155240 case FR_RETRST :
28002393Syz155240 return 3;
28012393Syz155240 case FR_RETICMP :
28022393Syz155240 return 4;
28032393Syz155240 case FR_FAKEICMP :
28042393Syz155240 return 5;
28052393Syz155240 }
28062393Syz155240
28072393Syz155240 switch (pass & FR_CMDMASK)
28082393Syz155240 {
28092393Syz155240 case FR_PASS :
28102393Syz155240 return 0;
28112393Syz155240 case FR_BLOCK :
28122393Syz155240 return -1;
28132393Syz155240 case FR_AUTH :
28142393Syz155240 return -2;
28152393Syz155240 case FR_ACCOUNT :
28162393Syz155240 return -3;
28172393Syz155240 case FR_PREAUTH :
28182393Syz155240 return -4;
28192393Syz155240 }
28202393Syz155240 return 2;
28212393Syz155240 #endif /* _KERNEL */
28222393Syz155240 }
28232393Syz155240
28242393Syz155240
28252393Syz155240 #ifdef IPFILTER_LOG
28262393Syz155240 /* ------------------------------------------------------------------------ */
28272393Syz155240 /* Function: fr_dolog */
28282393Syz155240 /* Returns: frentry_t* - returns contents of fin_fr (no change made) */
28292393Syz155240 /* Parameters: fin(I) - pointer to packet information */
28302393Syz155240 /* passp(IO) - pointer to current/new filter decision (unused) */
28312393Syz155240 /* */
28322393Syz155240 /* Checks flags set to see how a packet should be logged, if it is to be */
28332393Syz155240 /* logged. Adjust statistics based on its success or not. */
28342393Syz155240 /* ------------------------------------------------------------------------ */
fr_dolog(fin,passp)28352393Syz155240 frentry_t *fr_dolog(fin, passp)
28362393Syz155240 fr_info_t *fin;
28372393Syz155240 u_32_t *passp;
28382393Syz155240 {
28392393Syz155240 u_32_t pass;
28402393Syz155240 int out;
28413448Sdh155122 ipf_stack_t *ifs = fin->fin_ifs;
28422393Syz155240
28432393Syz155240 out = fin->fin_out;
28442393Syz155240 pass = *passp;
28452393Syz155240
28463448Sdh155122 if ((ifs->ifs_fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
28472393Syz155240 pass |= FF_LOGNOMATCH;
28487131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_npkl);
28492393Syz155240 goto logit;
28502393Syz155240 } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
28513448Sdh155122 (FR_ISPASS(pass) && (ifs->ifs_fr_flags & FF_LOGPASS))) {
28522393Syz155240 if ((pass & FR_LOGMASK) != FR_LOGP)
28532393Syz155240 pass |= FF_LOGPASS;
28547131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_ppkl);
28552393Syz155240 goto logit;
28562393Syz155240 } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
28573448Sdh155122 (FR_ISBLOCK(pass) && (ifs->ifs_fr_flags & FF_LOGBLOCK))) {
28582393Syz155240 if ((pass & FR_LOGMASK) != FR_LOGB)
28592393Syz155240 pass |= FF_LOGBLOCK;
28607131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_bpkl);
28612393Syz155240 logit:
28622393Syz155240 if (ipflog(fin, pass) == -1) {
28637131Sdr146992 IPF_BUMP(ifs->ifs_frstats[out].fr_skip);
28642393Syz155240
28652393Syz155240 /*
28662393Syz155240 * If the "or-block" option has been used then
28672393Syz155240 * block the packet if we failed to log it.
28682393Syz155240 */
28692393Syz155240 if ((pass & FR_LOGORBLOCK) &&
28702393Syz155240 FR_ISPASS(pass)) {
28712393Syz155240 pass &= ~FR_CMDMASK;
28722393Syz155240 pass |= FR_BLOCK;
28732393Syz155240 }
28742393Syz155240 }
28752393Syz155240 *passp = pass;
28762393Syz155240 }
28772393Syz155240
28782393Syz155240 return fin->fin_fr;
28792393Syz155240 }
28802393Syz155240 #endif /* IPFILTER_LOG */
28812393Syz155240
28822393Syz155240
28832393Syz155240 /* ------------------------------------------------------------------------ */
28842393Syz155240 /* Function: ipf_cksum */
28852393Syz155240 /* Returns: u_short - IP header checksum */
28862393Syz155240 /* Parameters: addr(I) - pointer to start of buffer to checksum */
28872393Syz155240 /* len(I) - length of buffer in bytes */
28882393Syz155240 /* */
28892393Syz155240 /* Calculate the two's complement 16 bit checksum of the buffer passed. */
28902393Syz155240 /* */
28912393Syz155240 /* N.B.: addr should be 16bit aligned. */
28922393Syz155240 /* ------------------------------------------------------------------------ */
ipf_cksum(addr,len)28932393Syz155240 u_short ipf_cksum(addr, len)
28942393Syz155240 u_short *addr;
28952393Syz155240 int len;
28962393Syz155240 {
28972393Syz155240 u_32_t sum = 0;
28982393Syz155240
28992393Syz155240 for (sum = 0; len > 1; len -= 2)
29002393Syz155240 sum += *addr++;
29012393Syz155240
29022393Syz155240 /* mop up an odd byte, if necessary */
29032393Syz155240 if (len == 1)
29042393Syz155240 sum += *(u_char *)addr;
29052393Syz155240
29062393Syz155240 /*
29072393Syz155240 * add back carry outs from top 16 bits to low 16 bits
29082393Syz155240 */
29092393Syz155240 sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
29102393Syz155240 sum += (sum >> 16); /* add carry */
29112393Syz155240 return (u_short)(~sum);
29122393Syz155240 }
29132393Syz155240
29142393Syz155240
29152393Syz155240 /* ------------------------------------------------------------------------ */
29162393Syz155240 /* Function: fr_cksum */
29172393Syz155240 /* Returns: u_short - layer 4 checksum */
29182393Syz155240 /* Parameters: m(I ) - pointer to buffer holding packet */
29192393Syz155240 /* ip(I) - pointer to IP header */
29202393Syz155240 /* l4proto(I) - protocol to caclulate checksum for */
29212393Syz155240 /* l4hdr(I) - pointer to layer 4 header */
29222393Syz155240 /* */
29232393Syz155240 /* Calculates the TCP checksum for the packet held in "m", using the data */
29242393Syz155240 /* in the IP header "ip" to seed it. */
29252393Syz155240 /* */
29262393Syz155240 /* NB: This function assumes we've pullup'd enough for all of the IP header */
29272393Syz155240 /* and the TCP header. We also assume that data blocks aren't allocated in */
29282393Syz155240 /* odd sizes. */
29292393Syz155240 /* */
29302393Syz155240 /* Expects ip_len to be in host byte order when called. */
29312393Syz155240 /* ------------------------------------------------------------------------ */
fr_cksum(m,ip,l4proto,l4hdr)29322393Syz155240 u_short fr_cksum(m, ip, l4proto, l4hdr)
29332393Syz155240 mb_t *m;
29342393Syz155240 ip_t *ip;
29352393Syz155240 int l4proto;
29362393Syz155240 void *l4hdr;
29372393Syz155240 {
29382393Syz155240 u_short *sp, slen, sumsave, l4hlen, *csump;
29392393Syz155240 u_int sum, sum2;
29402393Syz155240 int hlen;
29412393Syz155240 #ifdef USE_INET6
29422393Syz155240 ip6_t *ip6;
29432393Syz155240 #endif
29442393Syz155240
29452393Syz155240 csump = NULL;
29462393Syz155240 sumsave = 0;
29472393Syz155240 l4hlen = 0;
29482393Syz155240 sp = NULL;
29492393Syz155240 slen = 0;
29502393Syz155240 hlen = 0;
29512393Syz155240 sum = 0;
29522393Syz155240
29532393Syz155240 /*
29542393Syz155240 * Add up IP Header portion
29552393Syz155240 */
29562393Syz155240 #ifdef USE_INET6
29572393Syz155240 if (IP_V(ip) == 4) {
29582393Syz155240 #endif
29592393Syz155240 hlen = IP_HL(ip) << 2;
29602393Syz155240 slen = ip->ip_len - hlen;
29612393Syz155240 sum = htons((u_short)l4proto);
29622393Syz155240 sum += htons(slen);
29632393Syz155240 sp = (u_short *)&ip->ip_src;
29642393Syz155240 sum += *sp++; /* ip_src */
29652393Syz155240 sum += *sp++;
29662393Syz155240 sum += *sp++; /* ip_dst */
29672393Syz155240 sum += *sp++;
29682393Syz155240 #ifdef USE_INET6
29692393Syz155240 } else if (IP_V(ip) == 6) {
29702393Syz155240 ip6 = (ip6_t *)ip;
29712393Syz155240 hlen = sizeof(*ip6);
29722393Syz155240 slen = ntohs(ip6->ip6_plen);
29732393Syz155240 sum = htons((u_short)l4proto);
29742393Syz155240 sum += htons(slen);
29752393Syz155240 sp = (u_short *)&ip6->ip6_src;
29762393Syz155240 sum += *sp++; /* ip6_src */
29772393Syz155240 sum += *sp++;
29782393Syz155240 sum += *sp++;
29792393Syz155240 sum += *sp++;
29802393Syz155240 sum += *sp++;
29812393Syz155240 sum += *sp++;
29822393Syz155240 sum += *sp++;
29832393Syz155240 sum += *sp++;
29842393Syz155240 sum += *sp++; /* ip6_dst */
29852393Syz155240 sum += *sp++;
29862393Syz155240 sum += *sp++;
29872393Syz155240 sum += *sp++;
29882393Syz155240 sum += *sp++;
29892393Syz155240 sum += *sp++;
29902393Syz155240 sum += *sp++;
29912393Syz155240 sum += *sp++;
29922393Syz155240 }
29932393Syz155240 #endif
29942393Syz155240
29952393Syz155240 switch (l4proto)
29962393Syz155240 {
29972393Syz155240 case IPPROTO_UDP :
29982393Syz155240 csump = &((udphdr_t *)l4hdr)->uh_sum;
29992393Syz155240 l4hlen = sizeof(udphdr_t);
30002393Syz155240 break;
30012393Syz155240
30022393Syz155240 case IPPROTO_TCP :
30032393Syz155240 csump = &((tcphdr_t *)l4hdr)->th_sum;
30042393Syz155240 l4hlen = sizeof(tcphdr_t);
30052393Syz155240 break;
30062393Syz155240 case IPPROTO_ICMP :
30072393Syz155240 csump = &((icmphdr_t *)l4hdr)->icmp_cksum;
30082393Syz155240 l4hlen = 4;
30092393Syz155240 sum = 0;
30102393Syz155240 break;
30112393Syz155240 default :
30122393Syz155240 break;
30132393Syz155240 }
30142393Syz155240
30152393Syz155240 if (csump != NULL) {
30162393Syz155240 sumsave = *csump;
30172393Syz155240 *csump = 0;
30182393Syz155240 }
30192393Syz155240
30202393Syz155240 l4hlen = l4hlen; /* LINT */
30212393Syz155240
30222393Syz155240 #ifdef _KERNEL
30232393Syz155240 # ifdef MENTAT
30242393Syz155240 {
30252393Syz155240 void *rp = m->b_rptr;
30262393Syz155240
30272393Syz155240 if ((unsigned char *)ip > m->b_rptr && (unsigned char *)ip < m->b_wptr)
30282393Syz155240 m->b_rptr = (u_char *)ip;
30292393Syz155240 sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */
30302393Syz155240 m->b_rptr = rp;
30312393Syz155240 sum2 = (sum2 & 0xffff) + (sum2 >> 16);
30322393Syz155240 sum2 = ~sum2 & 0xffff;
30332393Syz155240 }
30342393Syz155240 # else /* MENTAT */
30352393Syz155240 # if defined(BSD) || defined(sun)
30362393Syz155240 # if BSD >= 199103
30372393Syz155240 m->m_data += hlen;
30382393Syz155240 # else
30392393Syz155240 m->m_off += hlen;
30402393Syz155240 # endif
30412393Syz155240 m->m_len -= hlen;
30422393Syz155240 sum2 = in_cksum(m, slen);
30432393Syz155240 m->m_len += hlen;
30442393Syz155240 # if BSD >= 199103
30452393Syz155240 m->m_data -= hlen;
30462393Syz155240 # else
30472393Syz155240 m->m_off -= hlen;
30482393Syz155240 # endif
30492393Syz155240 /*
30502393Syz155240 * Both sum and sum2 are partial sums, so combine them together.
30512393Syz155240 */
30522393Syz155240 sum += ~sum2 & 0xffff;
30532393Syz155240 while (sum > 0xffff)
30542393Syz155240 sum = (sum & 0xffff) + (sum >> 16);
30552393Syz155240 sum2 = ~sum & 0xffff;
30562393Syz155240 # else /* defined(BSD) || defined(sun) */
30572393Syz155240 {
30582393Syz155240 union {
30592393Syz155240 u_char c[2];
30602393Syz155240 u_short s;
30612393Syz155240 } bytes;
30622393Syz155240 u_short len = ip->ip_len;
30632393Syz155240 # if defined(__sgi)
30642393Syz155240 int add;
30652393Syz155240 # endif
30662393Syz155240
30672393Syz155240 /*
30682393Syz155240 * Add up IP Header portion
30692393Syz155240 */
30702393Syz155240 if (sp != (u_short *)l4hdr)
30712393Syz155240 sp = (u_short *)l4hdr;
30722393Syz155240
30732393Syz155240 switch (l4proto)
30742393Syz155240 {
30752393Syz155240 case IPPROTO_UDP :
30762393Syz155240 sum += *sp++; /* sport */
30772393Syz155240 sum += *sp++; /* dport */
30782393Syz155240 sum += *sp++; /* udp length */
30792393Syz155240 sum += *sp++; /* checksum */
30802393Syz155240 break;
30812393Syz155240
30822393Syz155240 case IPPROTO_TCP :
30832393Syz155240 sum += *sp++; /* sport */
30842393Syz155240 sum += *sp++; /* dport */
30852393Syz155240 sum += *sp++; /* seq */
30862393Syz155240 sum += *sp++;
30872393Syz155240 sum += *sp++; /* ack */
30882393Syz155240 sum += *sp++;
30892393Syz155240 sum += *sp++; /* off */
30902393Syz155240 sum += *sp++; /* win */
30912393Syz155240 sum += *sp++; /* checksum */
30922393Syz155240 sum += *sp++; /* urp */
30932393Syz155240 break;
30942393Syz155240 case IPPROTO_ICMP :
30952393Syz155240 sum = *sp++; /* type/code */
30962393Syz155240 sum += *sp++; /* checksum */
30972393Syz155240 break;
30982393Syz155240 }
30992393Syz155240
31002393Syz155240 # ifdef __sgi
31012393Syz155240 /*
31022393Syz155240 * In case we had to copy the IP & TCP header out of mbufs,
31032393Syz155240 * skip over the mbuf bits which are the header
31042393Syz155240 */
31052393Syz155240 if ((caddr_t)ip != mtod(m, caddr_t)) {
31062393Syz155240 hlen = (caddr_t)sp - (caddr_t)ip;
31072393Syz155240 while (hlen) {
31082393Syz155240 add = MIN(hlen, m->m_len);
31092393Syz155240 sp = (u_short *)(mtod(m, caddr_t) + add);
31102393Syz155240 hlen -= add;
31112393Syz155240 if (add == m->m_len) {
31122393Syz155240 m = m->m_next;
31132393Syz155240 if (!hlen) {
31142393Syz155240 if (!m)
31152393Syz155240 break;
31162393Syz155240 sp = mtod(m, u_short *);
31172393Syz155240 }
31182393Syz155240 PANIC((!m),("fr_cksum(1): not enough data"));
31192393Syz155240 }
31202393Syz155240 }
31212393Syz155240 }
31222393Syz155240 # endif
31232393Syz155240
31242393Syz155240 len -= (l4hlen + hlen);
31252393Syz155240 if (len <= 0)
31262393Syz155240 goto nodata;
31272393Syz155240
31282393Syz155240 while (len > 1) {
31292393Syz155240 if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
31302393Syz155240 m = m->m_next;
31312393Syz155240 PANIC((!m),("fr_cksum(2): not enough data"));
31322393Syz155240 sp = mtod(m, u_short *);
31332393Syz155240 }
31342393Syz155240 if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) {
31352393Syz155240 bytes.c[0] = *(u_char *)sp;
31362393Syz155240 m = m->m_next;
31372393Syz155240 PANIC((!m),("fr_cksum(3): not enough data"));
31382393Syz155240 sp = mtod(m, u_short *);
31392393Syz155240 bytes.c[1] = *(u_char *)sp;
31402393Syz155240 sum += bytes.s;
31412393Syz155240 sp = (u_short *)((u_char *)sp + 1);
31422393Syz155240 }
31432393Syz155240 if ((u_long)sp & 1) {
31442393Syz155240 bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
31452393Syz155240 sum += bytes.s;
31462393Syz155240 } else
31472393Syz155240 sum += *sp++;
31482393Syz155240 len -= 2;
31492393Syz155240 }
31502393Syz155240
31512393Syz155240 if (len != 0)
31522393Syz155240 sum += ntohs(*(u_char *)sp << 8);
31532393Syz155240 nodata:
31542393Syz155240 while (sum > 0xffff)
31552393Syz155240 sum = (sum & 0xffff) + (sum >> 16);
31562393Syz155240 sum2 = (u_short)(~sum & 0xffff);
31572393Syz155240 }
31582393Syz155240 # endif /* defined(BSD) || defined(sun) */
31592393Syz155240 # endif /* MENTAT */
31602393Syz155240 #else /* _KERNEL */
31612393Syz155240 for (; slen > 1; slen -= 2)
31622393Syz155240 sum += *sp++;
31632393Syz155240 if (slen)
31642393Syz155240 sum += ntohs(*(u_char *)sp << 8);
31652393Syz155240 while (sum > 0xffff)
31662393Syz155240 sum = (sum & 0xffff) + (sum >> 16);
31672393Syz155240 sum2 = (u_short)(~sum & 0xffff);
31682393Syz155240 #endif /* _KERNEL */
31692393Syz155240 if (csump != NULL)
31702393Syz155240 *csump = sumsave;
31712393Syz155240 return sum2;
31722393Syz155240 }
31732393Syz155240
31742393Syz155240
31752393Syz155240 #if defined(_KERNEL) && ( ((BSD < 199103) && !defined(MENTAT)) || \
31762393Syz155240 defined(__sgi) ) && !defined(linux) && !defined(_AIX51)
31772393Syz155240 /*
31782393Syz155240 * Copyright (c) 1982, 1986, 1988, 1991, 1993
31792393Syz155240 * The Regents of the University of California. All rights reserved.
31802393Syz155240 *
31812393Syz155240 * Redistribution and use in source and binary forms, with or without
31822393Syz155240 * modification, are permitted provided that the following conditions
31832393Syz155240 * are met:
31842393Syz155240 * 1. Redistributions of source code must retain the above copyright
31852393Syz155240 * notice, this list of conditions and the following disclaimer.
31862393Syz155240 * 2. Redistributions in binary form must reproduce the above copyright
31872393Syz155240 * notice, this list of conditions and the following disclaimer in the
31882393Syz155240 * documentation and/or other materials provided with the distribution.
31892393Syz155240 * 3. Neither the name of the University nor the names of its contributors
31902393Syz155240 * may be used to endorse or promote products derived from this software
31912393Syz155240 * without specific prior written permission.
31922393Syz155240 *
31932393Syz155240 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
31942393Syz155240 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
31952393Syz155240 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31962393Syz155240 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
31972393Syz155240 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31982393Syz155240 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31992393Syz155240 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32002393Syz155240 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32012393Syz155240 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32022393Syz155240 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32032393Syz155240 * SUCH DAMAGE.
32042393Syz155240 *
32052393Syz155240 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
32062393Syz155240 * $Id: fil.c,v 2.243.2.64 2005/08/13 05:19:59 darrenr Exp $
32072393Syz155240 */
32082393Syz155240 /*
32092393Syz155240 * Copy data from an mbuf chain starting "off" bytes from the beginning,
32102393Syz155240 * continuing for "len" bytes, into the indicated buffer.
32112393Syz155240 */
32122393Syz155240 void
m_copydata(m,off,len,cp)32132393Syz155240 m_copydata(m, off, len, cp)
32142393Syz155240 mb_t *m;
32152393Syz155240 int off;
32162393Syz155240 int len;
32172393Syz155240 caddr_t cp;
32182393Syz155240 {
32192393Syz155240 unsigned count;
32202393Syz155240
32212393Syz155240 if (off < 0 || len < 0)
32222393Syz155240 panic("m_copydata");
32232393Syz155240 while (off > 0) {
32242393Syz155240 if (m == 0)
32252393Syz155240 panic("m_copydata");
32262393Syz155240 if (off < m->m_len)
32272393Syz155240 break;
32282393Syz155240 off -= m->m_len;
32292393Syz155240 m = m->m_next;
32302393Syz155240 }
32312393Syz155240 while (len > 0) {
32322393Syz155240 if (m == 0)
32332393Syz155240 panic("m_copydata");
32342393Syz155240 count = MIN(m->m_len - off, len);
32352393Syz155240 bcopy(mtod(m, caddr_t) + off, cp, count);
32362393Syz155240 len -= count;
32372393Syz155240 cp += count;
32382393Syz155240 off = 0;
32392393Syz155240 m = m->m_next;
32402393Syz155240 }
32412393Syz155240 }
32422393Syz155240
32432393Syz155240
32442393Syz155240 /*
32452393Syz155240 * Copy data from a buffer back into the indicated mbuf chain,
32462393Syz155240 * starting "off" bytes from the beginning, extending the mbuf
32472393Syz155240 * chain if necessary.
32482393Syz155240 */
32492393Syz155240 void
m_copyback(m0,off,len,cp)32502393Syz155240 m_copyback(m0, off, len, cp)
32512393Syz155240 struct mbuf *m0;
32522393Syz155240 int off;
32532393Syz155240 int len;
32542393Syz155240 caddr_t cp;
32552393Syz155240 {
32562393Syz155240 int mlen;
32572393Syz155240 struct mbuf *m = m0, *n;
32582393Syz155240 int totlen = 0;
32592393Syz155240
32602393Syz155240 if (m0 == 0)
32612393Syz155240 return;
32622393Syz155240 while (off > (mlen = m->m_len)) {
32632393Syz155240 off -= mlen;
32642393Syz155240 totlen += mlen;
32652393Syz155240 if (m->m_next == 0) {
32662393Syz155240 n = m_getclr(M_DONTWAIT, m->m_type);
32672393Syz155240 if (n == 0)
32682393Syz155240 goto out;
32692393Syz155240 n->m_len = min(MLEN, len + off);
32702393Syz155240 m->m_next = n;
32712393Syz155240 }
32722393Syz155240 m = m->m_next;
32732393Syz155240 }
32742393Syz155240 while (len > 0) {
32752393Syz155240 mlen = min(m->m_len - off, len);
32762393Syz155240 bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
32772393Syz155240 cp += mlen;
32782393Syz155240 len -= mlen;
32792393Syz155240 mlen += off;
32802393Syz155240 off = 0;
32812393Syz155240 totlen += mlen;
32822393Syz155240 if (len == 0)
32832393Syz155240 break;
32842393Syz155240 if (m->m_next == 0) {
32852393Syz155240 n = m_get(M_DONTWAIT, m->m_type);
32862393Syz155240 if (n == 0)
32872393Syz155240 break;
32882393Syz155240 n->m_len = min(MLEN, len);
32892393Syz155240 m->m_next = n;
32902393Syz155240 }
32912393Syz155240 m = m->m_next;
32922393Syz155240 }
32932393Syz155240 out:
32942393Syz155240 #if 0
32952393Syz155240 if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
32962393Syz155240 m->m_pkthdr.len = totlen;
32972393Syz155240 #endif
32982393Syz155240 return;
32992393Syz155240 }
33002393Syz155240 #endif /* (_KERNEL) && ( ((BSD < 199103) && !MENTAT) || __sgi) */
33012393Syz155240
33022393Syz155240
33032393Syz155240 /* ------------------------------------------------------------------------ */
33042393Syz155240 /* Function: fr_findgroup */
33052393Syz155240 /* Returns: frgroup_t * - NULL = group not found, else pointer to group */
33062393Syz155240 /* Parameters: group(I) - group name to search for */
33072393Syz155240 /* unit(I) - device to which this group belongs */
33082393Syz155240 /* set(I) - which set of rules (inactive/inactive) this is */
33092393Syz155240 /* fgpp(O) - pointer to place to store pointer to the pointer */
33102393Syz155240 /* to where to add the next (last) group or where */
33112393Syz155240 /* to delete group from. */
33122393Syz155240 /* */
33132393Syz155240 /* Search amongst the defined groups for a particular group number. */
33142393Syz155240 /* ------------------------------------------------------------------------ */
fr_findgroup(group,unit,set,fgpp,ifs)33153448Sdh155122 frgroup_t *fr_findgroup(group, unit, set, fgpp, ifs)
33162393Syz155240 char *group;
33172393Syz155240 minor_t unit;
33182393Syz155240 int set;
33192393Syz155240 frgroup_t ***fgpp;
33203448Sdh155122 ipf_stack_t *ifs;
33212393Syz155240 {
33222393Syz155240 frgroup_t *fg, **fgp;
33232393Syz155240
33242393Syz155240 /*
33252393Syz155240 * Which list of groups to search in is dependent on which list of
33262393Syz155240 * rules are being operated on.
33272393Syz155240 */
33283448Sdh155122 fgp = &ifs->ifs_ipfgroups[unit][set];
33292393Syz155240
33302393Syz155240 while ((fg = *fgp) != NULL) {
33312393Syz155240 if (strncmp(group, fg->fg_name, FR_GROUPLEN) == 0)
33322393Syz155240 break;
33332393Syz155240 else
33342393Syz155240 fgp = &fg->fg_next;
33352393Syz155240 }
33362393Syz155240 if (fgpp != NULL)
33372393Syz155240 *fgpp = fgp;
33382393Syz155240 return fg;
33392393Syz155240 }
33402393Syz155240
33412393Syz155240
33422393Syz155240 /* ------------------------------------------------------------------------ */
33432393Syz155240 /* Function: fr_addgroup */
33442393Syz155240 /* Returns: frgroup_t * - NULL == did not create group, */
33452393Syz155240 /* != NULL == pointer to the group */
33462393Syz155240 /* Parameters: num(I) - group number to add */
33472393Syz155240 /* head(I) - rule pointer that is using this as the head */
33482393Syz155240 /* flags(I) - rule flags which describe the type of rule it is */
33492393Syz155240 /* unit(I) - device to which this group will belong to */
33502393Syz155240 /* set(I) - which set of rules (inactive/inactive) this is */
33512393Syz155240 /* Write Locks: ipf_mutex */
33522393Syz155240 /* */
33532393Syz155240 /* Add a new group head, or if it already exists, increase the reference */
33542393Syz155240 /* count to it. */
33552393Syz155240 /* ------------------------------------------------------------------------ */
fr_addgroup(group,head,flags,unit,set,ifs)33563448Sdh155122 frgroup_t *fr_addgroup(group, head, flags, unit, set, ifs)
33572393Syz155240 char *group;
33582393Syz155240 void *head;
33592393Syz155240 u_32_t flags;
33602393Syz155240 minor_t unit;
33612393Syz155240 int set;
33623448Sdh155122 ipf_stack_t *ifs;
33632393Syz155240 {
33642393Syz155240 frgroup_t *fg, **fgp;
33652393Syz155240 u_32_t gflags;
33662393Syz155240
33672393Syz155240 if (group == NULL)
33682393Syz155240 return NULL;
33692393Syz155240
33702393Syz155240 if (unit == IPL_LOGIPF && *group == '\0')
33712393Syz155240 return NULL;
33722393Syz155240
33732393Syz155240 fgp = NULL;
33742393Syz155240 gflags = flags & FR_INOUT;
33752393Syz155240
33763448Sdh155122 fg = fr_findgroup(group, unit, set, &fgp, ifs);
33772393Syz155240 if (fg != NULL) {
33782393Syz155240 if (fg->fg_flags == 0)
33792393Syz155240 fg->fg_flags = gflags;
33802393Syz155240 else if (gflags != fg->fg_flags)
33812393Syz155240 return NULL;
33822393Syz155240 fg->fg_ref++;
33832393Syz155240 return fg;
33842393Syz155240 }
33852393Syz155240 KMALLOC(fg, frgroup_t *);
33862393Syz155240 if (fg != NULL) {
33872393Syz155240 fg->fg_head = head;
33882393Syz155240 fg->fg_start = NULL;
33892393Syz155240 fg->fg_next = *fgp;
33902393Syz155240 bcopy(group, fg->fg_name, FR_GROUPLEN);
33912393Syz155240 fg->fg_flags = gflags;
33922393Syz155240 fg->fg_ref = 1;
33932393Syz155240 *fgp = fg;
33942393Syz155240 }
33952393Syz155240 return fg;
33962393Syz155240 }
33972393Syz155240
33982393Syz155240
33992393Syz155240 /* ------------------------------------------------------------------------ */
34002393Syz155240 /* Function: fr_delgroup */
34012393Syz155240 /* Returns: Nil */
34022393Syz155240 /* Parameters: group(I) - group name to delete */
34032393Syz155240 /* unit(I) - device to which this group belongs */
34042393Syz155240 /* set(I) - which set of rules (inactive/inactive) this is */
34052393Syz155240 /* Write Locks: ipf_mutex */
34062393Syz155240 /* */
34072393Syz155240 /* Attempt to delete a group head. */
34082393Syz155240 /* Only do this when its reference count reaches 0. */
34092393Syz155240 /* ------------------------------------------------------------------------ */
fr_delgroup(group,unit,set,ifs)34103448Sdh155122 void fr_delgroup(group, unit, set, ifs)
34112393Syz155240 char *group;
34122393Syz155240 minor_t unit;
34132393Syz155240 int set;
34143448Sdh155122 ipf_stack_t *ifs;
34152393Syz155240 {
34162393Syz155240 frgroup_t *fg, **fgp;
34172393Syz155240
34183448Sdh155122 fg = fr_findgroup(group, unit, set, &fgp, ifs);
34192393Syz155240 if (fg == NULL)
34202393Syz155240 return;
34212393Syz155240
34222393Syz155240 fg->fg_ref--;
34232393Syz155240 if (fg->fg_ref == 0) {
34242393Syz155240 *fgp = fg->fg_next;
34252393Syz155240 KFREE(fg);
34262393Syz155240 }
34272393Syz155240 }
34282393Syz155240
34292393Syz155240
34302393Syz155240 /* ------------------------------------------------------------------------ */
34312393Syz155240 /* Function: fr_getrulen */
34322393Syz155240 /* Returns: frentry_t * - NULL == not found, else pointer to rule n */
34332393Syz155240 /* Parameters: unit(I) - device for which to count the rule's number */
34342393Syz155240 /* flags(I) - which set of rules to find the rule in */
34352393Syz155240 /* group(I) - group name */
34362393Syz155240 /* n(I) - rule number to find */
34372393Syz155240 /* */
34382393Syz155240 /* Find rule # n in group # g and return a pointer to it. Return NULl if */
34392393Syz155240 /* group # g doesn't exist or there are less than n rules in the group. */
34402393Syz155240 /* ------------------------------------------------------------------------ */
fr_getrulen(unit,group,n,ifs)34413448Sdh155122 frentry_t *fr_getrulen(unit, group, n, ifs)
34422393Syz155240 int unit;
34432393Syz155240 char *group;
34442393Syz155240 u_32_t n;
34453448Sdh155122 ipf_stack_t *ifs;
34462393Syz155240 {
34472393Syz155240 frentry_t *fr;
34482393Syz155240 frgroup_t *fg;
34492393Syz155240
34503448Sdh155122 fg = fr_findgroup(group, unit, ifs->ifs_fr_active, NULL, ifs);
34512393Syz155240 if (fg == NULL)
34522393Syz155240 return NULL;
34532393Syz155240 for (fr = fg->fg_head; fr && n; fr = fr->fr_next, n--)
34542393Syz155240 ;
34552393Syz155240 if (n != 0)
34562393Syz155240 return NULL;
34572393Syz155240 return fr;
34582393Syz155240 }
34592393Syz155240
34602393Syz155240
34612393Syz155240 /* ------------------------------------------------------------------------ */
34622393Syz155240 /* Function: fr_rulen */
34632393Syz155240 /* Returns: int - >= 0 - rule number, -1 == search failed */
34642393Syz155240 /* Parameters: unit(I) - device for which to count the rule's number */
34652393Syz155240 /* fr(I) - pointer to rule to match */
34662393Syz155240 /* */
34672393Syz155240 /* Return the number for a rule on a specific filtering device. */
34682393Syz155240 /* ------------------------------------------------------------------------ */
fr_rulen(unit,fr,ifs)34693448Sdh155122 int fr_rulen(unit, fr, ifs)
34702393Syz155240 int unit;
34712393Syz155240 frentry_t *fr;
34723448Sdh155122 ipf_stack_t *ifs;
34732393Syz155240 {
34742393Syz155240 frentry_t *fh;
34752393Syz155240 frgroup_t *fg;
34762393Syz155240 u_32_t n = 0;
34772393Syz155240
34782393Syz155240 if (fr == NULL)
34792393Syz155240 return -1;
34803448Sdh155122 fg = fr_findgroup(fr->fr_group, unit, ifs->ifs_fr_active, NULL, ifs);
34812393Syz155240 if (fg == NULL)
34822393Syz155240 return -1;
34832393Syz155240 for (fh = fg->fg_head; fh; n++, fh = fh->fr_next)
34842393Syz155240 if (fh == fr)
34852393Syz155240 break;
34862393Syz155240 if (fh == NULL)
34872393Syz155240 return -1;
34882393Syz155240 return n;
34892393Syz155240 }
34902393Syz155240
34912393Syz155240
34922393Syz155240 /* ------------------------------------------------------------------------ */
34932393Syz155240 /* Function: frflushlist */
34942393Syz155240 /* Returns: int - >= 0 - number of flushed rules */
34952393Syz155240 /* Parameters: set(I) - which set of rules (inactive/inactive) this is */
34962393Syz155240 /* unit(I) - device for which to flush rules */
34972393Syz155240 /* flags(I) - which set of rules to flush */
34982393Syz155240 /* nfreedp(O) - pointer to int where flush count is stored */
34992393Syz155240 /* listp(I) - pointer to list to flush pointer */
35002393Syz155240 /* Write Locks: ipf_mutex */
35012393Syz155240 /* */
35022393Syz155240 /* Recursively flush rules from the list, descending groups as they are */
35032393Syz155240 /* encountered. if a rule is the head of a group and it has lost all its */
35042393Syz155240 /* group members, then also delete the group reference. nfreedp is needed */
35052393Syz155240 /* to store the accumulating count of rules removed, whereas the returned */
35062393Syz155240 /* value is just the number removed from the current list. The latter is */
35072393Syz155240 /* needed to correctly adjust reference counts on rules that define groups. */
35082393Syz155240 /* */
35092393Syz155240 /* NOTE: Rules not loaded from user space cannot be flushed. */
35102393Syz155240 /* ------------------------------------------------------------------------ */
frflushlist(set,unit,nfreedp,listp,ifs)35113448Sdh155122 static int frflushlist(set, unit, nfreedp, listp, ifs)
35122393Syz155240 int set;
35132393Syz155240 minor_t unit;
35142393Syz155240 int *nfreedp;
35152393Syz155240 frentry_t **listp;
35163448Sdh155122 ipf_stack_t *ifs;
35172393Syz155240 {
35185274Syx160601 int freed = 0;
35192393Syz155240 frentry_t *fp;
35202393Syz155240
35212393Syz155240 while ((fp = *listp) != NULL) {
35222393Syz155240 if ((fp->fr_type & FR_T_BUILTIN) ||
35232393Syz155240 !(fp->fr_flags & FR_COPIED)) {
35242393Syz155240 listp = &fp->fr_next;
35252393Syz155240 continue;
35262393Syz155240 }
35272393Syz155240 *listp = fp->fr_next;
35282393Syz155240 if (fp->fr_grp != NULL) {
35295274Syx160601 (void) frflushlist(set, unit, nfreedp, fp->fr_grp, ifs);
35302393Syz155240 }
35312393Syz155240
35322393Syz155240 if (fp->fr_grhead != NULL) {
35333448Sdh155122 fr_delgroup(fp->fr_grhead, unit, set, ifs);
35342393Syz155240 *fp->fr_grhead = '\0';
35352393Syz155240 }
35362393Syz155240
35372393Syz155240 ASSERT(fp->fr_ref > 0);
35382393Syz155240 fp->fr_next = NULL;
35393448Sdh155122 if (fr_derefrule(&fp, ifs) == 0)
35402393Syz155240 freed++;
35412393Syz155240 }
35422393Syz155240 *nfreedp += freed;
35432393Syz155240 return freed;
35442393Syz155240 }
35452393Syz155240
35462393Syz155240
35472393Syz155240 /* ------------------------------------------------------------------------ */
35482393Syz155240 /* Function: frflush */
35492393Syz155240 /* Returns: int - >= 0 - number of flushed rules */
35502393Syz155240 /* Parameters: unit(I) - device for which to flush rules */
35512393Syz155240 /* flags(I) - which set of rules to flush */
35522393Syz155240 /* */
35532393Syz155240 /* Calls flushlist() for all filter rules (accounting, firewall - both IPv4 */
35542393Syz155240 /* and IPv6) as defined by the value of flags. */
35552393Syz155240 /* ------------------------------------------------------------------------ */
frflush(unit,proto,flags,ifs)35563448Sdh155122 int frflush(unit, proto, flags, ifs)
35572393Syz155240 minor_t unit;
35582393Syz155240 int proto, flags;
35593448Sdh155122 ipf_stack_t *ifs;
35602393Syz155240 {
35612393Syz155240 int flushed = 0, set;
35622393Syz155240
35633448Sdh155122 WRITE_ENTER(&ifs->ifs_ipf_mutex);
356410587SAlexandr.Nedvedicky@Sun.COM bzero((char *)ifs->ifs_frcache, sizeof (ifs->ifs_frcache));
35653448Sdh155122
35663448Sdh155122 set = ifs->ifs_fr_active;
35672393Syz155240 if ((flags & FR_INACTIVE) == FR_INACTIVE)
35682393Syz155240 set = 1 - set;
35692393Syz155240
35702393Syz155240 if (flags & FR_OUTQUE) {
35712393Syz155240 if (proto == 0 || proto == 6) {
35722393Syz155240 (void) frflushlist(set, unit,
35733448Sdh155122 &flushed, &ifs->ifs_ipfilter6[1][set], ifs);
35742393Syz155240 (void) frflushlist(set, unit,
35753448Sdh155122 &flushed, &ifs->ifs_ipacct6[1][set], ifs);
35762393Syz155240 }
35772393Syz155240 if (proto == 0 || proto == 4) {
35782393Syz155240 (void) frflushlist(set, unit,
35793448Sdh155122 &flushed, &ifs->ifs_ipfilter[1][set], ifs);
35802393Syz155240 (void) frflushlist(set, unit,
35813448Sdh155122 &flushed, &ifs->ifs_ipacct[1][set], ifs);
35822393Syz155240 }
35832393Syz155240 }
35842393Syz155240 if (flags & FR_INQUE) {
35852393Syz155240 if (proto == 0 || proto == 6) {
35862393Syz155240 (void) frflushlist(set, unit,
35873448Sdh155122 &flushed, &ifs->ifs_ipfilter6[0][set], ifs);
35882393Syz155240 (void) frflushlist(set, unit,
35893448Sdh155122 &flushed, &ifs->ifs_ipacct6[0][set], ifs);
35902393Syz155240 }
35912393Syz155240 if (proto == 0 || proto == 4) {
35922393Syz155240 (void) frflushlist(set, unit,
35933448Sdh155122 &flushed, &ifs->ifs_ipfilter[0][set], ifs);
35942393Syz155240 (void) frflushlist(set, unit,
35953448Sdh155122 &flushed, &ifs->ifs_ipacct[0][set], ifs);
35962393Syz155240 }
35972393Syz155240 }
35983448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
35992393Syz155240
36002393Syz155240 if (unit == IPL_LOGIPF) {
36012393Syz155240 int tmp;
36022393Syz155240
36033448Sdh155122 tmp = frflush(IPL_LOGCOUNT, proto, flags, ifs);
36042393Syz155240 if (tmp >= 0)
36052393Syz155240 flushed += tmp;
36062393Syz155240 }
36072393Syz155240 return flushed;
36082393Syz155240 }
36092393Syz155240
36102393Syz155240
36112393Syz155240 /* ------------------------------------------------------------------------ */
36122393Syz155240 /* Function: memstr */
36132393Syz155240 /* Returns: char * - NULL if failed, != NULL pointer to matching bytes */
36142393Syz155240 /* Parameters: src(I) - pointer to byte sequence to match */
36152393Syz155240 /* dst(I) - pointer to byte sequence to search */
36162393Syz155240 /* slen(I) - match length */
36172393Syz155240 /* dlen(I) - length available to search in */
36182393Syz155240 /* */
36192393Syz155240 /* Search dst for a sequence of bytes matching those at src and extend for */
36202393Syz155240 /* slen bytes. */
36212393Syz155240 /* ------------------------------------------------------------------------ */
memstr(src,dst,slen,dlen)36222393Syz155240 char *memstr(src, dst, slen, dlen)
36232393Syz155240 char *src, *dst;
36242393Syz155240 int slen, dlen;
36252393Syz155240 {
36262393Syz155240 char *s = NULL;
36272393Syz155240
36282393Syz155240 while (dlen >= slen) {
36292393Syz155240 if (bcmp(src, dst, slen) == 0) {
36302393Syz155240 s = dst;
36312393Syz155240 break;
36322393Syz155240 }
36332393Syz155240 dst++;
36342393Syz155240 dlen--;
36352393Syz155240 }
36362393Syz155240 return s;
36372393Syz155240 }
36382393Syz155240 /* ------------------------------------------------------------------------ */
36392393Syz155240 /* Function: fr_fixskip */
36402393Syz155240 /* Returns: Nil */
36412393Syz155240 /* Parameters: listp(IO) - pointer to start of list with skip rule */
36422393Syz155240 /* rp(I) - rule added/removed with skip in it. */
36432393Syz155240 /* addremove(I) - adjustment (-1/+1) to make to skip count, */
36442393Syz155240 /* depending on whether a rule was just added */
36452393Syz155240 /* or removed. */
36462393Syz155240 /* */
36472393Syz155240 /* Adjust all the rules in a list which would have skip'd past the position */
36482393Syz155240 /* where we are inserting to skip to the right place given the change. */
36492393Syz155240 /* ------------------------------------------------------------------------ */
fr_fixskip(listp,rp,addremove)36502393Syz155240 void fr_fixskip(listp, rp, addremove)
36512393Syz155240 frentry_t **listp, *rp;
36522393Syz155240 int addremove;
36532393Syz155240 {
36542393Syz155240 int rules, rn;
36552393Syz155240 frentry_t *fp;
36562393Syz155240
36572393Syz155240 rules = 0;
36582393Syz155240 for (fp = *listp; (fp != NULL) && (fp != rp); fp = fp->fr_next)
36592393Syz155240 rules++;
36602393Syz155240
36612393Syz155240 if (!fp)
36622393Syz155240 return;
36632393Syz155240
36642393Syz155240 for (rn = 0, fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
36652393Syz155240 if (FR_ISSKIP(fp->fr_flags) && (rn + fp->fr_arg >= rules))
36662393Syz155240 fp->fr_arg += addremove;
36672393Syz155240 }
36682393Syz155240
36692393Syz155240
36702393Syz155240 #ifdef _KERNEL
36712393Syz155240 /* ------------------------------------------------------------------------ */
36722393Syz155240 /* Function: count4bits */
36732393Syz155240 /* Returns: int - >= 0 - number of consecutive bits in input */
36742393Syz155240 /* Parameters: ip(I) - 32bit IP address */
36752393Syz155240 /* */
36762393Syz155240 /* IPv4 ONLY */
36772393Syz155240 /* count consecutive 1's in bit mask. If the mask generated by counting */
36782393Syz155240 /* consecutive 1's is different to that passed, return -1, else return # */
36792393Syz155240 /* of bits. */
36802393Syz155240 /* ------------------------------------------------------------------------ */
count4bits(ip)36812393Syz155240 int count4bits(ip)
36822393Syz155240 u_32_t ip;
36832393Syz155240 {
36842393Syz155240 u_32_t ipn;
36852393Syz155240 int cnt = 0, i, j;
36862393Syz155240
36872393Syz155240 ip = ipn = ntohl(ip);
36882393Syz155240 for (i = 32; i; i--, ipn *= 2)
36892393Syz155240 if (ipn & 0x80000000)
36902393Syz155240 cnt++;
36912393Syz155240 else
36922393Syz155240 break;
36932393Syz155240 ipn = 0;
36942393Syz155240 for (i = 32, j = cnt; i; i--, j--) {
36952393Syz155240 ipn *= 2;
36962393Syz155240 if (j > 0)
36972393Syz155240 ipn++;
36982393Syz155240 }
36992393Syz155240 if (ipn == ip)
37002393Syz155240 return cnt;
37012393Syz155240 return -1;
37022393Syz155240 }
37032393Syz155240
37042393Syz155240
37052393Syz155240 #ifdef USE_INET6
37062393Syz155240 /* ------------------------------------------------------------------------ */
37072393Syz155240 /* Function: count6bits */
37082393Syz155240 /* Returns: int - >= 0 - number of consecutive bits in input */
37092393Syz155240 /* Parameters: msk(I) - pointer to start of IPv6 bitmask */
37102393Syz155240 /* */
37112393Syz155240 /* IPv6 ONLY */
37122393Syz155240 /* count consecutive 1's in bit mask. */
37132393Syz155240 /* ------------------------------------------------------------------------ */
count6bits(msk)37142393Syz155240 int count6bits(msk)
37152393Syz155240 u_32_t *msk;
37162393Syz155240 {
37172393Syz155240 int i = 0, k;
37182393Syz155240 u_32_t j;
37192393Syz155240
37202393Syz155240 for (k = 3; k >= 0; k--)
37212393Syz155240 if (msk[k] == 0xffffffff)
37222393Syz155240 i += 32;
37232393Syz155240 else {
37242393Syz155240 for (j = msk[k]; j; j <<= 1)
37252393Syz155240 if (j & 0x80000000)
37262393Syz155240 i++;
37272393Syz155240 }
37282393Syz155240 return i;
37292393Syz155240 }
37302393Syz155240 # endif
37312393Syz155240 #endif /* _KERNEL */
37322393Syz155240
37332393Syz155240
37342393Syz155240 /* ------------------------------------------------------------------------ */
37352958Sdr146992 /* Function: fr_ifsync */
37362958Sdr146992 /* Returns: void * - new interface identifier */
37372958Sdr146992 /* Parameters: action(I) - type of synchronisation to do */
37382958Sdr146992 /* v(I) - IP version being sync'd (v4 or v6) */
37392958Sdr146992 /* newifp(I) - interface identifier being introduced/removed */
37402958Sdr146992 /* oldifp(I) - interface identifier in a filter rule */
37417704SAlexandr.Nedvedicky@Sun.COM /* newname(I) - name associated with newifp interface */
37427704SAlexandr.Nedvedicky@Sun.COM /* oldname(I) - name associated with oldifp interface */
37437704SAlexandr.Nedvedicky@Sun.COM /* ifs - pointer to IPF stack instance */
37442958Sdr146992 /* */
37452958Sdr146992 /* This function returns what the new value for "oldifp" should be for its */
37462958Sdr146992 /* caller. In some cases it will not change, in some it will. */
37472958Sdr146992 /* action == IPFSYNC_RESYNC */
37482958Sdr146992 /* a new value for oldifp will always be looked up, according to oldname, */
37492958Sdr146992 /* the values of newname and newifp are ignored. */
37502958Sdr146992 /* action == IPFSYNC_NEWIFP */
37512958Sdr146992 /* if oldname matches newname then we are doing a sync for the matching */
37522958Sdr146992 /* interface, so we return newifp to be used in place of oldifp. If the */
37532958Sdr146992 /* the names don't match, just return oldifp. */
37542958Sdr146992 /* action == IPFSYNC_OLDIFP */
37552958Sdr146992 /* if oldifp matches newifp then we are are doing a sync to remove any */
37562958Sdr146992 /* references to oldifp, so we return "-1". */
37577704SAlexandr.Nedvedicky@Sun.COM /* ----- */
37587704SAlexandr.Nedvedicky@Sun.COM /* NOTE: */
37597704SAlexandr.Nedvedicky@Sun.COM /* This function processes NIC event from PF_HOOKS. The action parameter */
37607704SAlexandr.Nedvedicky@Sun.COM /* is set in ipf_nic_event_v4()/ipf_nic_event_v6() function. There is */
37617704SAlexandr.Nedvedicky@Sun.COM /* one single switch statement() in ipf_nic_event_vx() function, which */
37627704SAlexandr.Nedvedicky@Sun.COM /* translates the HOOK event type to action parameter passed to fr_ifsync. */
37637704SAlexandr.Nedvedicky@Sun.COM /* The translation table looks as follows: */
37647704SAlexandr.Nedvedicky@Sun.COM /* event | action */
37657704SAlexandr.Nedvedicky@Sun.COM /* ----------------+------------- */
37667704SAlexandr.Nedvedicky@Sun.COM /* NE_PLUMB | IPFSYNC_NEWIFP */
37677704SAlexandr.Nedvedicky@Sun.COM /* NE_UNPLUMB | IPFSYNC_OLDIFP */
37687704SAlexandr.Nedvedicky@Sun.COM /* NE_ADDRESS_CHANGE | IPFSYNC_RESYNC */
37697704SAlexandr.Nedvedicky@Sun.COM /* */
37707704SAlexandr.Nedvedicky@Sun.COM /* The oldname and oldifp parameters are taken from IPF entry (rule, state */
37717704SAlexandr.Nedvedicky@Sun.COM /* table entry, NAT table entry, fragment ...). The newname and newifp */
37727704SAlexandr.Nedvedicky@Sun.COM /* parameters come from hook event data, parameters are taken from event */
37737704SAlexandr.Nedvedicky@Sun.COM /* in ipf_nic_event_vx() functions. Any time NIC changes, the IPF is */
37747704SAlexandr.Nedvedicky@Sun.COM /* notified by hook function. */
37757704SAlexandr.Nedvedicky@Sun.COM /* */
37767704SAlexandr.Nedvedicky@Sun.COM /* We get NE_UNPLUMB event from PF_HOOKS even if someone coincidently tries */
37777704SAlexandr.Nedvedicky@Sun.COM /* to plumb the interface, which is already plumbed. In such case we always */
37787704SAlexandr.Nedvedicky@Sun.COM /* get the event from PF_HOOKS as follows: */
37797704SAlexandr.Nedvedicky@Sun.COM /* event: NE_PLUMB */
37807704SAlexandr.Nedvedicky@Sun.COM /* NIC: 0x0 */
37812958Sdr146992 /* ------------------------------------------------------------------------ */
fr_ifsync(action,v,newname,oldname,newifp,oldifp,ifs)37823448Sdh155122 static void *fr_ifsync(action, v, newname, oldname, newifp, oldifp, ifs)
37832958Sdr146992 int action, v;
37842958Sdr146992 char *newname, *oldname;
37852958Sdr146992 void *newifp, *oldifp;
37863448Sdh155122 ipf_stack_t *ifs;
37872958Sdr146992 {
37882958Sdr146992 void *rval = oldifp;
37892958Sdr146992
37902958Sdr146992 switch (action)
37912958Sdr146992 {
37922958Sdr146992 case IPFSYNC_RESYNC :
37932958Sdr146992 if (oldname[0] != '\0') {
37943448Sdh155122 rval = fr_resolvenic(oldname, v, ifs);
37952958Sdr146992 }
37962958Sdr146992 break;
37972958Sdr146992 case IPFSYNC_NEWIFP :
37982958Sdr146992 if (!strncmp(newname, oldname, LIFNAMSIZ))
37992958Sdr146992 rval = newifp;
38002958Sdr146992 break;
38012958Sdr146992 case IPFSYNC_OLDIFP :
38027704SAlexandr.Nedvedicky@Sun.COM /*
38037704SAlexandr.Nedvedicky@Sun.COM * If interface gets unplumbed it must be invalidated, which
38047704SAlexandr.Nedvedicky@Sun.COM * means set all existing references to the interface to -1.
38057704SAlexandr.Nedvedicky@Sun.COM * We don't want to invalidate references for wildcard
38067704SAlexandr.Nedvedicky@Sun.COM * (unbound) rules (entries).
38077704SAlexandr.Nedvedicky@Sun.COM */
38082958Sdr146992 if (newifp == oldifp)
38096399San207044 rval = (oldifp) ? (void *)-1 : NULL;
38102958Sdr146992 break;
38112958Sdr146992 }
38122958Sdr146992
38132958Sdr146992 return rval;
38142958Sdr146992 }
38152958Sdr146992
38162958Sdr146992
38172958Sdr146992 /* ------------------------------------------------------------------------ */
38182393Syz155240 /* Function: frsynclist */
38192393Syz155240 /* Returns: void */
38202958Sdr146992 /* Parameters: action(I) - type of synchronisation to do */
38212958Sdr146992 /* v(I) - IP version being sync'd (v4 or v6) */
38222958Sdr146992 /* ifp(I) - interface identifier associated with action */
38237704SAlexandr.Nedvedicky@Sun.COM /* ifname(I) - name associated with ifp parameter */
38247704SAlexandr.Nedvedicky@Sun.COM /* fr(I) - pointer to filter rule */
38257704SAlexandr.Nedvedicky@Sun.COM /* ifs - pointer to IPF stack instance */
38262393Syz155240 /* Write Locks: ipf_mutex */
38272393Syz155240 /* */
38282393Syz155240 /* Walk through a list of filter rules and resolve any interface names into */
38292393Syz155240 /* pointers. Where dynamic addresses are used, also update the IP address */
38302393Syz155240 /* used in the rule. The interface pointer is used to limit the lookups to */
38312393Syz155240 /* a specific set of matching names if it is non-NULL. */
38322393Syz155240 /* ------------------------------------------------------------------------ */
frsynclist(action,v,ifp,ifname,fr,ifs)38333448Sdh155122 static void frsynclist(action, v, ifp, ifname, fr, ifs)
38342958Sdr146992 int action, v;
38352958Sdr146992 void *ifp;
38362958Sdr146992 char *ifname;
38372393Syz155240 frentry_t *fr;
38383448Sdh155122 ipf_stack_t *ifs;
38392393Syz155240 {
38402393Syz155240 frdest_t *fdp;
38412958Sdr146992 int rv, i;
38422393Syz155240
38432393Syz155240 for (; fr; fr = fr->fr_next) {
38442958Sdr146992 rv = fr->fr_v;
38452958Sdr146992 if (v != 0 && v != rv)
38462958Sdr146992 continue;
38472393Syz155240
38482393Syz155240 /*
38492393Syz155240 * Lookup all the interface names that are part of the rule.
38502393Syz155240 */
38512393Syz155240 for (i = 0; i < 4; i++) {
38522958Sdr146992 fr->fr_ifas[i] = fr_ifsync(action, rv, ifname,
38532958Sdr146992 fr->fr_ifnames[i],
38543448Sdh155122 ifp, fr->fr_ifas[i],
38553448Sdh155122 ifs);
38562393Syz155240 }
38572393Syz155240
38582958Sdr146992 fdp = &fr->fr_tifs[0];
38592958Sdr146992 fdp->fd_ifp = fr_ifsync(action, rv, ifname, fdp->fd_ifname,
38603448Sdh155122 ifp, fdp->fd_ifp, ifs);
38612958Sdr146992
38622958Sdr146992 fdp = &fr->fr_tifs[1];
38632958Sdr146992 fdp->fd_ifp = fr_ifsync(action, rv, ifname, fdp->fd_ifname,
38643448Sdh155122 ifp, fdp->fd_ifp, ifs);
38652958Sdr146992
38662958Sdr146992 fdp = &fr->fr_dif;
38672958Sdr146992 fdp->fd_ifp = fr_ifsync(action, rv, ifname, fdp->fd_ifname,
38683448Sdh155122 ifp, fdp->fd_ifp, ifs);
38692958Sdr146992
38702958Sdr146992 if (action != IPFSYNC_RESYNC)
38714118Sdr146992 continue;
38722958Sdr146992
38732393Syz155240 if (fr->fr_type == FR_T_IPF) {
38742393Syz155240 if (fr->fr_satype != FRI_NORMAL &&
38752393Syz155240 fr->fr_satype != FRI_LOOKUP) {
38762958Sdr146992 (void)fr_ifpaddr(rv, fr->fr_satype,
38772393Syz155240 fr->fr_ifas[fr->fr_sifpidx],
38783448Sdh155122 &fr->fr_src, &fr->fr_smsk,
38793448Sdh155122 ifs);
38802393Syz155240 }
38812393Syz155240 if (fr->fr_datype != FRI_NORMAL &&
38822393Syz155240 fr->fr_datype != FRI_LOOKUP) {
38832958Sdr146992 (void)fr_ifpaddr(rv, fr->fr_datype,
38842393Syz155240 fr->fr_ifas[fr->fr_difpidx],
38853448Sdh155122 &fr->fr_dst, &fr->fr_dmsk,
38863448Sdh155122 ifs);
38872393Syz155240 }
38882393Syz155240 }
38892393Syz155240
38902393Syz155240 #ifdef IPFILTER_LOOKUP
38912393Syz155240 if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP &&
38922393Syz155240 fr->fr_srcptr == NULL) {
38932393Syz155240 fr->fr_srcptr = fr_resolvelookup(fr->fr_srctype,
38942393Syz155240 fr->fr_srcnum,
38953448Sdh155122 &fr->fr_srcfunc, ifs);
38962393Syz155240 }
38972393Syz155240 if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP &&
38982393Syz155240 fr->fr_dstptr == NULL) {
38992393Syz155240 fr->fr_dstptr = fr_resolvelookup(fr->fr_dsttype,
39002393Syz155240 fr->fr_dstnum,
39013448Sdh155122 &fr->fr_dstfunc, ifs);
39022393Syz155240 }
39032393Syz155240 #endif
39042393Syz155240 }
39052393Syz155240 }
39062393Syz155240
39072393Syz155240
39082393Syz155240 #ifdef _KERNEL
39092393Syz155240 /* ------------------------------------------------------------------------ */
39102393Syz155240 /* Function: frsync */
39112393Syz155240 /* Returns: void */
39122958Sdr146992 /* Parameters: action(I) - type of synchronisation to do */
39132958Sdr146992 /* v(I) - IP version being sync'd (v4 or v6) */
39142958Sdr146992 /* ifp(I) - interface identifier associated with action */
39152958Sdr146992 /* name(I) - name associated with ifp parameter */
39162393Syz155240 /* */
39172393Syz155240 /* frsync() is called when we suspect that the interface list or */
39182393Syz155240 /* information about interfaces (like IP#) has changed. Go through all */
39192393Syz155240 /* filter rules, NAT entries and the state table and check if anything */
39202393Syz155240 /* needs to be changed/updated. */
39212958Sdr146992 /* With the filtering hooks added to Solaris, we needed to change the manner*/
39222958Sdr146992 /* in which this was done to support three different types of sync: */
39232958Sdr146992 /* - complete resync of all interface name/identifiers */
39242958Sdr146992 /* - new interface being announced with its name and identifier */
39252958Sdr146992 /* - interface removal being announced by only its identifier */
39262958Sdr146992 /* ------------------------------------------------------------------------ */
frsync(action,v,ifp,name,ifs)39273448Sdh155122 void frsync(action, v, ifp, name, ifs)
39282958Sdr146992 int action, v;
39292393Syz155240 void *ifp;
39302958Sdr146992 char *name;
39313448Sdh155122 ipf_stack_t *ifs;
39322393Syz155240 {
39332393Syz155240 int i;
39342393Syz155240
39353448Sdh155122 WRITE_ENTER(&ifs->ifs_ipf_mutex);
39363448Sdh155122 frsynclist(action, v, ifp, name, ifs->ifs_ipacct[0][ifs->ifs_fr_active], ifs);
39373448Sdh155122 frsynclist(action, v, ifp, name, ifs->ifs_ipacct[1][ifs->ifs_fr_active], ifs);
39383448Sdh155122 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter[0][ifs->ifs_fr_active], ifs);
39393448Sdh155122 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter[1][ifs->ifs_fr_active], ifs);
39403448Sdh155122 frsynclist(action, v, ifp, name, ifs->ifs_ipacct6[0][ifs->ifs_fr_active], ifs);
39413448Sdh155122 frsynclist(action, v, ifp, name, ifs->ifs_ipacct6[1][ifs->ifs_fr_active], ifs);
39423448Sdh155122 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter6[0][ifs->ifs_fr_active], ifs);
39433448Sdh155122 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter6[1][ifs->ifs_fr_active], ifs);
39442393Syz155240
39452393Syz155240 for (i = 0; i < IPL_LOGSIZE; i++) {
39462393Syz155240 frgroup_t *g;
39472393Syz155240
39483448Sdh155122 for (g = ifs->ifs_ipfgroups[i][0]; g != NULL; g = g->fg_next)
39493448Sdh155122 frsynclist(action, v, ifp, name, g->fg_start, ifs);
39503448Sdh155122 for (g = ifs->ifs_ipfgroups[i][1]; g != NULL; g = g->fg_next)
39513448Sdh155122 frsynclist(action, v, ifp, name, g->fg_start, ifs);
39522393Syz155240 }
39533448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
39542393Syz155240 }
39552393Syz155240
395611105SAlexandr.Nedvedicky@Sun.COM #if SOLARIS2 >= 10
395711105SAlexandr.Nedvedicky@Sun.COM /* ------------------------------------------------------------------------ */
395811105SAlexandr.Nedvedicky@Sun.COM /* Function: fr_syncindex */
395911105SAlexandr.Nedvedicky@Sun.COM /* Returns: void */
396011105SAlexandr.Nedvedicky@Sun.COM /* Parameters: rules - list of rules to be sync'd */
396111105SAlexandr.Nedvedicky@Sun.COM /* ifp - interface, which is being sync'd */
396211105SAlexandr.Nedvedicky@Sun.COM /* newifp - new ifindex value for interface */
396311105SAlexandr.Nedvedicky@Sun.COM /* */
396411105SAlexandr.Nedvedicky@Sun.COM /* Function updates all NIC indecis, which match ifp, in every rule. Every */
396511105SAlexandr.Nedvedicky@Sun.COM /* NIC index matching ifp, will be updated to newifp. */
396611105SAlexandr.Nedvedicky@Sun.COM /* ------------------------------------------------------------------------ */
fr_syncindex(rules,ifp,newifp)396711105SAlexandr.Nedvedicky@Sun.COM static void fr_syncindex(rules, ifp, newifp)
396811105SAlexandr.Nedvedicky@Sun.COM frentry_t *rules;
396911105SAlexandr.Nedvedicky@Sun.COM void *ifp;
397011105SAlexandr.Nedvedicky@Sun.COM void *newifp;
397111105SAlexandr.Nedvedicky@Sun.COM {
397211105SAlexandr.Nedvedicky@Sun.COM int i;
397311105SAlexandr.Nedvedicky@Sun.COM frentry_t *fr;
397411105SAlexandr.Nedvedicky@Sun.COM
397511105SAlexandr.Nedvedicky@Sun.COM for (fr = rules; fr != NULL; fr = fr->fr_next) {
397611105SAlexandr.Nedvedicky@Sun.COM /*
397711105SAlexandr.Nedvedicky@Sun.COM * Lookup all the interface names that are part of the rule.
397811105SAlexandr.Nedvedicky@Sun.COM */
397911105SAlexandr.Nedvedicky@Sun.COM for (i = 0; i < 4; i++)
398011105SAlexandr.Nedvedicky@Sun.COM if (fr->fr_ifas[i] == ifp)
398111105SAlexandr.Nedvedicky@Sun.COM fr->fr_ifas[i] = newifp;
398211105SAlexandr.Nedvedicky@Sun.COM
398311105SAlexandr.Nedvedicky@Sun.COM for (i = 0; i < 2; i++) {
398411105SAlexandr.Nedvedicky@Sun.COM if (fr->fr_tifs[i].fd_ifp == ifp)
398511105SAlexandr.Nedvedicky@Sun.COM fr->fr_tifs[i].fd_ifp = newifp;
398611105SAlexandr.Nedvedicky@Sun.COM }
398711105SAlexandr.Nedvedicky@Sun.COM
398811105SAlexandr.Nedvedicky@Sun.COM if (fr->fr_dif.fd_ifp == ifp)
398911105SAlexandr.Nedvedicky@Sun.COM fr->fr_dif.fd_ifp = newifp;
399011105SAlexandr.Nedvedicky@Sun.COM }
399111105SAlexandr.Nedvedicky@Sun.COM }
399211105SAlexandr.Nedvedicky@Sun.COM
399311105SAlexandr.Nedvedicky@Sun.COM /* ------------------------------------------------------------------------ */
399411105SAlexandr.Nedvedicky@Sun.COM /* Function: fr_ifindexsync */
399511105SAlexandr.Nedvedicky@Sun.COM /* Returns: void */
399611105SAlexandr.Nedvedicky@Sun.COM /* Parameters: ifp - interface, which is being sync'd */
399711105SAlexandr.Nedvedicky@Sun.COM /* newifp - new ifindex value for interface */
399811105SAlexandr.Nedvedicky@Sun.COM /* ifs - IPF's stack */
399911105SAlexandr.Nedvedicky@Sun.COM /* */
400011105SAlexandr.Nedvedicky@Sun.COM /* Function assumes ipf_mutex is locked exclusively. */
400111105SAlexandr.Nedvedicky@Sun.COM /* */
400211105SAlexandr.Nedvedicky@Sun.COM /* Function updates the NIC references in rules with new interfaces index */
400311105SAlexandr.Nedvedicky@Sun.COM /* (newifp). Function must process active lists: */
400411105SAlexandr.Nedvedicky@Sun.COM /* with accounting rules (IPv6 and IPv4) */
400511105SAlexandr.Nedvedicky@Sun.COM /* with inbound rules (IPv6 and IPv4) */
400611105SAlexandr.Nedvedicky@Sun.COM /* with outbound rules (IPv6 and IPv4) */
400711105SAlexandr.Nedvedicky@Sun.COM /* Function also has to take care of rule groups. */
400811105SAlexandr.Nedvedicky@Sun.COM /* */
400911105SAlexandr.Nedvedicky@Sun.COM /* NOTE: The ipf_mutex is grabbed exclusively by caller (which is always */
401011105SAlexandr.Nedvedicky@Sun.COM /* nic_event_hook). The hook function also updates state entries, NAT rules */
401111105SAlexandr.Nedvedicky@Sun.COM /* and NAT entries. We want to do all these update atomically to keep the */
401211105SAlexandr.Nedvedicky@Sun.COM /* NIC references consistent. The ipf_mutex will synchronize event with */
401311105SAlexandr.Nedvedicky@Sun.COM /* fr_check(), which processes packets, so no packet will enter fr_check(), */
401411105SAlexandr.Nedvedicky@Sun.COM /* while NIC references will be synchronized. */
401511105SAlexandr.Nedvedicky@Sun.COM /* ------------------------------------------------------------------------ */
fr_ifindexsync(ifp,newifp,ifs)401611105SAlexandr.Nedvedicky@Sun.COM void fr_ifindexsync(ifp, newifp, ifs)
401711105SAlexandr.Nedvedicky@Sun.COM void *ifp;
401811105SAlexandr.Nedvedicky@Sun.COM void *newifp;
401911105SAlexandr.Nedvedicky@Sun.COM ipf_stack_t *ifs;
402011105SAlexandr.Nedvedicky@Sun.COM {
402111105SAlexandr.Nedvedicky@Sun.COM unsigned int i;
402211105SAlexandr.Nedvedicky@Sun.COM frentry_t *rule_lists[8];
402311105SAlexandr.Nedvedicky@Sun.COM unsigned int rules = sizeof (rule_lists) / sizeof (frentry_t *);
402411105SAlexandr.Nedvedicky@Sun.COM
402511105SAlexandr.Nedvedicky@Sun.COM rule_lists[0] = ifs->ifs_ipacct[0][ifs->ifs_fr_active];
402611105SAlexandr.Nedvedicky@Sun.COM rule_lists[1] = ifs->ifs_ipacct[1][ifs->ifs_fr_active];
402711105SAlexandr.Nedvedicky@Sun.COM rule_lists[2] = ifs->ifs_ipfilter[0][ifs->ifs_fr_active];
402811105SAlexandr.Nedvedicky@Sun.COM rule_lists[3] = ifs->ifs_ipfilter[1][ifs->ifs_fr_active];
402911105SAlexandr.Nedvedicky@Sun.COM rule_lists[4] = ifs->ifs_ipacct6[0][ifs->ifs_fr_active];
403011105SAlexandr.Nedvedicky@Sun.COM rule_lists[5] = ifs->ifs_ipacct6[1][ifs->ifs_fr_active];
403111105SAlexandr.Nedvedicky@Sun.COM rule_lists[6] = ifs->ifs_ipfilter6[0][ifs->ifs_fr_active];
403211105SAlexandr.Nedvedicky@Sun.COM rule_lists[7] = ifs->ifs_ipfilter6[1][ifs->ifs_fr_active];
403311105SAlexandr.Nedvedicky@Sun.COM
403411105SAlexandr.Nedvedicky@Sun.COM for (i = 0; i < rules; i++) {
403511105SAlexandr.Nedvedicky@Sun.COM fr_syncindex(rule_lists[i], ifp, newifp);
403611105SAlexandr.Nedvedicky@Sun.COM }
403711105SAlexandr.Nedvedicky@Sun.COM
403811105SAlexandr.Nedvedicky@Sun.COM /*
403911105SAlexandr.Nedvedicky@Sun.COM * Update rule groups.
404011105SAlexandr.Nedvedicky@Sun.COM */
404111105SAlexandr.Nedvedicky@Sun.COM for (i = 0; i < IPL_LOGSIZE; i++) {
404211105SAlexandr.Nedvedicky@Sun.COM frgroup_t *g;
404311105SAlexandr.Nedvedicky@Sun.COM
404411105SAlexandr.Nedvedicky@Sun.COM for (g = ifs->ifs_ipfgroups[i][0]; g != NULL; g = g->fg_next)
404511105SAlexandr.Nedvedicky@Sun.COM fr_syncindex(g->fg_start, ifp, newifp);
404611105SAlexandr.Nedvedicky@Sun.COM for (g = ifs->ifs_ipfgroups[i][1]; g != NULL; g = g->fg_next)
404711105SAlexandr.Nedvedicky@Sun.COM fr_syncindex(g->fg_start, ifp, newifp);
404811105SAlexandr.Nedvedicky@Sun.COM }
404911105SAlexandr.Nedvedicky@Sun.COM }
405011105SAlexandr.Nedvedicky@Sun.COM #endif
40512393Syz155240
40522393Syz155240 /*
40532393Syz155240 * In the functions below, bcopy() is called because the pointer being
40542393Syz155240 * copied _from_ in this instance is a pointer to a char buf (which could
40552393Syz155240 * end up being unaligned) and on the kernel's local stack.
40562393Syz155240 */
40572393Syz155240 /* ------------------------------------------------------------------------ */
40582393Syz155240 /* Function: copyinptr */
40592393Syz155240 /* Returns: int - 0 = success, else failure */
40602393Syz155240 /* Parameters: src(I) - pointer to the source address */
40612393Syz155240 /* dst(I) - destination address */
40622393Syz155240 /* size(I) - number of bytes to copy */
40632393Syz155240 /* */
40642393Syz155240 /* Copy a block of data in from user space, given a pointer to the pointer */
40652393Syz155240 /* to start copying from (src) and a pointer to where to store it (dst). */
40662393Syz155240 /* NB: src - pointer to user space pointer, dst - kernel space pointer */
40672393Syz155240 /* ------------------------------------------------------------------------ */
copyinptr(src,dst,size)40682393Syz155240 int copyinptr(src, dst, size)
40692393Syz155240 void *src, *dst;
40702393Syz155240 size_t size;
40712393Syz155240 {
40722393Syz155240 caddr_t ca;
40732393Syz155240 int err;
40742393Syz155240
40752393Syz155240 # if SOLARIS
40762393Syz155240 err = COPYIN(src, (caddr_t)&ca, sizeof(ca));
40772393Syz155240 if (err != 0)
40782393Syz155240 return err;
40792393Syz155240 # else
40802393Syz155240 bcopy(src, (caddr_t)&ca, sizeof(ca));
40812393Syz155240 # endif
40822393Syz155240 err = COPYIN(ca, dst, size);
40832393Syz155240 return err;
40842393Syz155240 }
40852393Syz155240
40862393Syz155240
40872393Syz155240 /* ------------------------------------------------------------------------ */
40882393Syz155240 /* Function: copyoutptr */
40892393Syz155240 /* Returns: int - 0 = success, else failure */
40902393Syz155240 /* Parameters: src(I) - pointer to the source address */
40912393Syz155240 /* dst(I) - destination address */
40922393Syz155240 /* size(I) - number of bytes to copy */
40932393Syz155240 /* */
40942393Syz155240 /* Copy a block of data out to user space, given a pointer to the pointer */
40952393Syz155240 /* to start copying from (src) and a pointer to where to store it (dst). */
40962393Syz155240 /* NB: src - kernel space pointer, dst - pointer to user space pointer. */
40972393Syz155240 /* ------------------------------------------------------------------------ */
copyoutptr(src,dst,size)40982393Syz155240 int copyoutptr(src, dst, size)
40992393Syz155240 void *src, *dst;
41002393Syz155240 size_t size;
41012393Syz155240 {
41022393Syz155240 caddr_t ca;
41032393Syz155240 int err;
41042393Syz155240
41052393Syz155240 # if SOLARIS
41062393Syz155240 err = COPYIN(dst, (caddr_t)&ca, sizeof(ca));
41072393Syz155240 if (err != 0)
41082393Syz155240 return err;
41092393Syz155240 # else
41102393Syz155240 bcopy(dst, (caddr_t)&ca, sizeof(ca));
41112393Syz155240 # endif
41122393Syz155240 err = COPYOUT(src, ca, size);
41132393Syz155240 return err;
41142393Syz155240 }
41152393Syz155240 #endif
41162393Syz155240
41172393Syz155240
41182393Syz155240 /* ------------------------------------------------------------------------ */
41192393Syz155240 /* Function: fr_lock */
41207433SJohn.Ojemann@Sun.COM /* Returns: int - 0 = success, else error */
41212393Syz155240 /* Parameters: data(I) - pointer to lock value to set */
41222393Syz155240 /* lockp(O) - pointer to location to store old lock value */
41232393Syz155240 /* */
41242393Syz155240 /* Get the new value for the lock integer, set it and return the old value */
41252393Syz155240 /* in *lockp. */
41262393Syz155240 /* ------------------------------------------------------------------------ */
fr_lock(data,lockp)41277433SJohn.Ojemann@Sun.COM int fr_lock(data, lockp)
41282393Syz155240 caddr_t data;
41292393Syz155240 int *lockp;
41302393Syz155240 {
41317433SJohn.Ojemann@Sun.COM int arg, err;
41327433SJohn.Ojemann@Sun.COM
41337433SJohn.Ojemann@Sun.COM err = BCOPYIN(data, (caddr_t)&arg, sizeof(arg));
41347433SJohn.Ojemann@Sun.COM if (err != 0)
41357433SJohn.Ojemann@Sun.COM return (EFAULT);
41367433SJohn.Ojemann@Sun.COM err = BCOPYOUT((caddr_t)lockp, data, sizeof(*lockp));
41377433SJohn.Ojemann@Sun.COM if (err != 0)
41387433SJohn.Ojemann@Sun.COM return (EFAULT);
41392393Syz155240 *lockp = arg;
41407433SJohn.Ojemann@Sun.COM return (0);
41412393Syz155240 }
41422393Syz155240
41432393Syz155240
41442393Syz155240 /* ------------------------------------------------------------------------ */
41452393Syz155240 /* Function: fr_getstat */
41462393Syz155240 /* Returns: Nil */
41472393Syz155240 /* Parameters: fiop(I) - pointer to ipfilter stats structure */
41482393Syz155240 /* */
41492393Syz155240 /* Stores a copy of current pointers, counters, etc, in the friostat */
41502393Syz155240 /* structure. */
41512393Syz155240 /* ------------------------------------------------------------------------ */
fr_getstat(fiop,ifs)41523448Sdh155122 void fr_getstat(fiop, ifs)
41532393Syz155240 friostat_t *fiop;
41543448Sdh155122 ipf_stack_t *ifs;
41552393Syz155240 {
41562393Syz155240 int i, j;
41572393Syz155240
41583448Sdh155122 bcopy((char *)&ifs->ifs_frstats, (char *)fiop->f_st,
41593448Sdh155122 sizeof(filterstats_t) * 2);
41603448Sdh155122 fiop->f_locks[IPL_LOGSTATE] = ifs->ifs_fr_state_lock;
41613448Sdh155122 fiop->f_locks[IPL_LOGNAT] = ifs->ifs_fr_nat_lock;
41623448Sdh155122 fiop->f_locks[IPL_LOGIPF] = ifs->ifs_fr_frag_lock;
41633448Sdh155122 fiop->f_locks[IPL_LOGAUTH] = ifs->ifs_fr_auth_lock;
41642393Syz155240
41652393Syz155240 for (i = 0; i < 2; i++)
41662393Syz155240 for (j = 0; j < 2; j++) {
41673448Sdh155122 fiop->f_ipf[i][j] = ifs->ifs_ipfilter[i][j];
41683448Sdh155122 fiop->f_acct[i][j] = ifs->ifs_ipacct[i][j];
41693448Sdh155122 fiop->f_ipf6[i][j] = ifs->ifs_ipfilter6[i][j];
41703448Sdh155122 fiop->f_acct6[i][j] = ifs->ifs_ipacct6[i][j];
41712393Syz155240 }
41722393Syz155240
41733448Sdh155122 fiop->f_ticks = ifs->ifs_fr_ticks;
41743448Sdh155122 fiop->f_active = ifs->ifs_fr_active;
41753448Sdh155122 fiop->f_froute[0] = ifs->ifs_fr_frouteok[0];
41763448Sdh155122 fiop->f_froute[1] = ifs->ifs_fr_frouteok[1];
41773448Sdh155122
41783448Sdh155122 fiop->f_running = ifs->ifs_fr_running;
41792393Syz155240 for (i = 0; i < IPL_LOGSIZE; i++) {
41803448Sdh155122 fiop->f_groups[i][0] = ifs->ifs_ipfgroups[i][0];
41813448Sdh155122 fiop->f_groups[i][1] = ifs->ifs_ipfgroups[i][1];
41822393Syz155240 }
41832393Syz155240 #ifdef IPFILTER_LOG
41842393Syz155240 fiop->f_logging = 1;
41852393Syz155240 #else
41862393Syz155240 fiop->f_logging = 0;
41872393Syz155240 #endif
41883448Sdh155122 fiop->f_defpass = ifs->ifs_fr_pass;
41892393Syz155240 fiop->f_features = fr_features;
41902393Syz155240 (void) strncpy(fiop->f_version, ipfilter_version,
41912393Syz155240 sizeof(fiop->f_version));
41922393Syz155240 }
41932393Syz155240
41942393Syz155240
41952393Syz155240 #ifdef USE_INET6
41962393Syz155240 int icmptoicmp6types[ICMP_MAXTYPE+1] = {
41972393Syz155240 ICMP6_ECHO_REPLY, /* 0: ICMP_ECHOREPLY */
41982393Syz155240 -1, /* 1: UNUSED */
41992393Syz155240 -1, /* 2: UNUSED */
42002393Syz155240 ICMP6_DST_UNREACH, /* 3: ICMP_UNREACH */
42012393Syz155240 -1, /* 4: ICMP_SOURCEQUENCH */
42022393Syz155240 ND_REDIRECT, /* 5: ICMP_REDIRECT */
42032393Syz155240 -1, /* 6: UNUSED */
42042393Syz155240 -1, /* 7: UNUSED */
42052393Syz155240 ICMP6_ECHO_REQUEST, /* 8: ICMP_ECHO */
42062393Syz155240 -1, /* 9: UNUSED */
42072393Syz155240 -1, /* 10: UNUSED */
42082393Syz155240 ICMP6_TIME_EXCEEDED, /* 11: ICMP_TIMXCEED */
42092393Syz155240 ICMP6_PARAM_PROB, /* 12: ICMP_PARAMPROB */
42102393Syz155240 -1, /* 13: ICMP_TSTAMP */
42112393Syz155240 -1, /* 14: ICMP_TSTAMPREPLY */
42122393Syz155240 -1, /* 15: ICMP_IREQ */
42132393Syz155240 -1, /* 16: ICMP_IREQREPLY */
42142393Syz155240 -1, /* 17: ICMP_MASKREQ */
42152393Syz155240 -1, /* 18: ICMP_MASKREPLY */
42162393Syz155240 };
42172393Syz155240
42182393Syz155240
42192393Syz155240 int icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
42202393Syz155240 ICMP6_DST_UNREACH_ADDR, /* 0: ICMP_UNREACH_NET */
42212393Syz155240 ICMP6_DST_UNREACH_ADDR, /* 1: ICMP_UNREACH_HOST */
42222393Syz155240 -1, /* 2: ICMP_UNREACH_PROTOCOL */
42232393Syz155240 ICMP6_DST_UNREACH_NOPORT, /* 3: ICMP_UNREACH_PORT */
42242393Syz155240 -1, /* 4: ICMP_UNREACH_NEEDFRAG */
42252393Syz155240 ICMP6_DST_UNREACH_NOTNEIGHBOR, /* 5: ICMP_UNREACH_SRCFAIL */
42262393Syz155240 ICMP6_DST_UNREACH_ADDR, /* 6: ICMP_UNREACH_NET_UNKNOWN */
42272393Syz155240 ICMP6_DST_UNREACH_ADDR, /* 7: ICMP_UNREACH_HOST_UNKNOWN */
42282393Syz155240 -1, /* 8: ICMP_UNREACH_ISOLATED */
42292393Syz155240 ICMP6_DST_UNREACH_ADMIN, /* 9: ICMP_UNREACH_NET_PROHIB */
42302393Syz155240 ICMP6_DST_UNREACH_ADMIN, /* 10: ICMP_UNREACH_HOST_PROHIB */
42312393Syz155240 -1, /* 11: ICMP_UNREACH_TOSNET */
42322393Syz155240 -1, /* 12: ICMP_UNREACH_TOSHOST */
42332393Syz155240 ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
42342393Syz155240 };
42352393Syz155240 int icmpreplytype6[ICMP6_MAXTYPE + 1];
42362393Syz155240 #endif
42372393Syz155240
42382393Syz155240 int icmpreplytype4[ICMP_MAXTYPE + 1];
42392393Syz155240
42402393Syz155240
42412393Syz155240 /* ------------------------------------------------------------------------ */
42422393Syz155240 /* Function: fr_matchicmpqueryreply */
42432393Syz155240 /* Returns: int - 1 if "icmp" is a valid reply to "ic" else 0. */
42442393Syz155240 /* Parameters: v(I) - IP protocol version (4 or 6) */
42452393Syz155240 /* ic(I) - ICMP information */
42462393Syz155240 /* icmp(I) - ICMP packet header */
42472393Syz155240 /* rev(I) - direction (0 = forward/1 = reverse) of packet */
42482393Syz155240 /* */
42492393Syz155240 /* Check if the ICMP packet defined by the header pointed to by icmp is a */
42502393Syz155240 /* reply to one as described by what's in ic. If it is a match, return 1, */
42512393Syz155240 /* else return 0 for no match. */
42522393Syz155240 /* ------------------------------------------------------------------------ */
fr_matchicmpqueryreply(v,ic,icmp,rev)42532393Syz155240 int fr_matchicmpqueryreply(v, ic, icmp, rev)
42542393Syz155240 int v;
42552393Syz155240 icmpinfo_t *ic;
42562393Syz155240 icmphdr_t *icmp;
42572393Syz155240 int rev;
42582393Syz155240 {
42592393Syz155240 int ictype;
42602393Syz155240
42612393Syz155240 ictype = ic->ici_type;
42622393Syz155240
42632393Syz155240 if (v == 4) {
42642393Syz155240 /*
42652393Syz155240 * If we matched its type on the way in, then when going out
42662393Syz155240 * it will still be the same type.
42672393Syz155240 */
42682393Syz155240 if ((!rev && (icmp->icmp_type == ictype)) ||
42692393Syz155240 (rev && (icmpreplytype4[ictype] == icmp->icmp_type))) {
42702393Syz155240 if (icmp->icmp_type != ICMP_ECHOREPLY)
42712393Syz155240 return 1;
42722393Syz155240 if (icmp->icmp_id == ic->ici_id)
42732393Syz155240 return 1;
42742393Syz155240 }
42752393Syz155240 }
42762393Syz155240 #ifdef USE_INET6
42772393Syz155240 else if (v == 6) {
42782393Syz155240 if ((!rev && (icmp->icmp_type == ictype)) ||
42792393Syz155240 (rev && (icmpreplytype6[ictype] == icmp->icmp_type))) {
42802393Syz155240 if (icmp->icmp_type != ICMP6_ECHO_REPLY)
42812393Syz155240 return 1;
42822393Syz155240 if (icmp->icmp_id == ic->ici_id)
42832393Syz155240 return 1;
42842393Syz155240 }
42852393Syz155240 }
42862393Syz155240 #endif
42872393Syz155240 return 0;
42882393Syz155240 }
42892393Syz155240
42902393Syz155240
42912393Syz155240 #ifdef IPFILTER_LOOKUP
42922393Syz155240 /* ------------------------------------------------------------------------ */
42932393Syz155240 /* Function: fr_resolvelookup */
42942393Syz155240 /* Returns: void * - NULL = failure, else success. */
42952393Syz155240 /* Parameters: type(I) - type of lookup these parameters are for. */
42962393Syz155240 /* number(I) - table number to use when searching */
42972393Syz155240 /* funcptr(IO) - pointer to pointer for storing IP address */
429812255SJohn.Ojemann@Oracle.COM /* searching function. */
429912255SJohn.Ojemann@Oracle.COM /* ifs - ipf stack instance */
43002393Syz155240 /* */
43012393Syz155240 /* Search for the "table" number passed in amongst those configured for */
43022393Syz155240 /* that particular type. If the type is recognised then the function to */
43032393Syz155240 /* call to do the IP address search will be change, regardless of whether */
43042393Syz155240 /* or not the "table" number exists. */
43052393Syz155240 /* ------------------------------------------------------------------------ */
fr_resolvelookup(type,number,funcptr,ifs)43063448Sdh155122 static void *fr_resolvelookup(type, number, funcptr, ifs)
43072393Syz155240 u_int type, number;
43082393Syz155240 lookupfunc_t *funcptr;
43093448Sdh155122 ipf_stack_t *ifs;
43102393Syz155240 {
43112393Syz155240 char name[FR_GROUPLEN];
43122393Syz155240 iphtable_t *iph;
43132393Syz155240 ip_pool_t *ipo;
43142393Syz155240 void *ptr;
43152393Syz155240
43162393Syz155240 #if defined(SNPRINTF) && defined(_KERNEL)
43172393Syz155240 (void) SNPRINTF(name, sizeof(name), "%u", number);
43182393Syz155240 #else
43192393Syz155240 (void) sprintf(name, "%u", number);
43202393Syz155240 #endif
43212393Syz155240
43223448Sdh155122 READ_ENTER(&ifs->ifs_ip_poolrw);
43232393Syz155240
43242393Syz155240 switch (type)
43252393Syz155240 {
43262393Syz155240 case IPLT_POOL :
43272393Syz155240 # if (defined(__osf__) && defined(_KERNEL))
43282393Syz155240 ptr = NULL;
43292393Syz155240 *funcptr = NULL;
43302393Syz155240 # else
43313448Sdh155122 ipo = ip_pool_find(IPL_LOGIPF, name, ifs);
43322393Syz155240 ptr = ipo;
43332393Syz155240 if (ipo != NULL) {
43342393Syz155240 ATOMIC_INC32(ipo->ipo_ref);
43352393Syz155240 }
43362393Syz155240 *funcptr = ip_pool_search;
43372393Syz155240 # endif
43382393Syz155240 break;
43392393Syz155240 case IPLT_HASH :
43403448Sdh155122 iph = fr_findhtable(IPL_LOGIPF, name, ifs);
43412393Syz155240 ptr = iph;
43422393Syz155240 if (iph != NULL) {
43432393Syz155240 ATOMIC_INC32(iph->iph_ref);
43442393Syz155240 }
43452393Syz155240 *funcptr = fr_iphmfindip;
43462393Syz155240 break;
43472393Syz155240 default:
43482393Syz155240 ptr = NULL;
43492393Syz155240 *funcptr = NULL;
43502393Syz155240 break;
43512393Syz155240 }
43523448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ip_poolrw);
43532393Syz155240
43542393Syz155240 return ptr;
43552393Syz155240 }
43562393Syz155240 #endif
43572393Syz155240
43582393Syz155240
43592393Syz155240 /* ------------------------------------------------------------------------ */
43602393Syz155240 /* Function: frrequest */
43612393Syz155240 /* Returns: int - 0 == success, > 0 == errno value */
43622393Syz155240 /* Parameters: unit(I) - device for which this is for */
43632393Syz155240 /* req(I) - ioctl command (SIOC*) */
43642393Syz155240 /* data(I) - pointr to ioctl data */
43652393Syz155240 /* set(I) - 1 or 0 (filter set) */
43662393Syz155240 /* makecopy(I) - flag indicating whether data points to a rule */
43672393Syz155240 /* in kernel space & hence doesn't need copying. */
43682393Syz155240 /* */
43692393Syz155240 /* This function handles all the requests which operate on the list of */
43702393Syz155240 /* filter rules. This includes adding, deleting, insertion. It is also */
43712393Syz155240 /* responsible for creating groups when a "head" rule is loaded. Interface */
43722393Syz155240 /* names are resolved here and other sanity checks are made on the content */
43732393Syz155240 /* of the rule structure being loaded. If a rule has user defined timeouts */
43742393Syz155240 /* then make sure they are created and initialised before exiting. */
43752393Syz155240 /* ------------------------------------------------------------------------ */
frrequest(unit,req,data,set,makecopy,ifs)43763448Sdh155122 int frrequest(unit, req, data, set, makecopy, ifs)
43772393Syz155240 int unit;
43782393Syz155240 ioctlcmd_t req;
43792393Syz155240 int set, makecopy;
43802393Syz155240 caddr_t data;
43813448Sdh155122 ipf_stack_t *ifs;
43822393Syz155240 {
43832393Syz155240 frentry_t frd, *fp, *f, **fprev, **ftail;
43842393Syz155240 int error = 0, in, v;
43852393Syz155240 void *ptr, *uptr;
43862393Syz155240 u_int *p, *pp;
43872393Syz155240 frgroup_t *fg;
43882393Syz155240 char *group;
43892393Syz155240
43902393Syz155240 fg = NULL;
43912393Syz155240 fp = &frd;
43922393Syz155240 if (makecopy != 0) {
43932393Syz155240 error = fr_inobj(data, fp, IPFOBJ_FRENTRY);
43942393Syz155240 if (error)
43952393Syz155240 return EFAULT;
43962393Syz155240 if ((fp->fr_flags & FR_T_BUILTIN) != 0)
43972393Syz155240 return EINVAL;
43982393Syz155240 fp->fr_ref = 0;
43992393Syz155240 fp->fr_flags |= FR_COPIED;
44002393Syz155240 } else {
44012393Syz155240 fp = (frentry_t *)data;
44022393Syz155240 if ((fp->fr_type & FR_T_BUILTIN) == 0)
44032393Syz155240 return EINVAL;
44042393Syz155240 fp->fr_flags &= ~FR_COPIED;
44052393Syz155240 }
44062393Syz155240
44072393Syz155240 if (((fp->fr_dsize == 0) && (fp->fr_data != NULL)) ||
44082393Syz155240 ((fp->fr_dsize != 0) && (fp->fr_data == NULL)))
44092393Syz155240 return EINVAL;
44102393Syz155240
44112393Syz155240 v = fp->fr_v;
44122393Syz155240 uptr = fp->fr_data;
44132393Syz155240
44142393Syz155240 /*
44152393Syz155240 * Only filter rules for IPv4 or IPv6 are accepted.
44162393Syz155240 */
44172393Syz155240 if (v == 4)
44182393Syz155240 /*EMPTY*/;
44192393Syz155240 #ifdef USE_INET6
44202393Syz155240 else if (v == 6)
44212393Syz155240 /*EMPTY*/;
44222393Syz155240 #endif
44232393Syz155240 else {
44242393Syz155240 return EINVAL;
44252393Syz155240 }
44262393Syz155240
44272393Syz155240 /*
44282393Syz155240 * If the rule is being loaded from user space, i.e. we had to copy it
44292393Syz155240 * into kernel space, then do not trust the function pointer in the
44302393Syz155240 * rule.
44312393Syz155240 */
44322393Syz155240 if ((makecopy == 1) && (fp->fr_func != NULL)) {
44332393Syz155240 if (fr_findfunc(fp->fr_func) == NULL)
44342393Syz155240 return ESRCH;
44353448Sdh155122 error = fr_funcinit(fp, ifs);
44362393Syz155240 if (error != 0)
44372393Syz155240 return error;
44382393Syz155240 }
44392393Syz155240
44402393Syz155240 ptr = NULL;
44412393Syz155240 /*
44422393Syz155240 * Check that the group number does exist and that its use (in/out)
44432393Syz155240 * matches what the rule is.
44442393Syz155240 */
44452393Syz155240 if (!strncmp(fp->fr_grhead, "0", FR_GROUPLEN))
44462393Syz155240 *fp->fr_grhead = '\0';
44472393Syz155240 group = fp->fr_group;
44482393Syz155240 if (!strncmp(group, "0", FR_GROUPLEN))
44492393Syz155240 *group = '\0';
44502393Syz155240
44512393Syz155240 if (FR_ISACCOUNT(fp->fr_flags))
44522393Syz155240 unit = IPL_LOGCOUNT;
44532393Syz155240
44542393Syz155240 if ((req != (int)SIOCZRLST) && (*group != '\0')) {
44553448Sdh155122 fg = fr_findgroup(group, unit, set, NULL, ifs);
44562393Syz155240 if (fg == NULL)
44572393Syz155240 return ESRCH;
44582393Syz155240 if (fg->fg_flags == 0)
44592393Syz155240 fg->fg_flags = fp->fr_flags & FR_INOUT;
44602393Syz155240 else if (fg->fg_flags != (fp->fr_flags & FR_INOUT))
44612393Syz155240 return ESRCH;
44622393Syz155240 }
44632393Syz155240
44642393Syz155240 in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
44652393Syz155240
44662393Syz155240 /*
44672393Syz155240 * Work out which rule list this change is being applied to.
44682393Syz155240 */
44692393Syz155240 ftail = NULL;
44702393Syz155240 fprev = NULL;
44712393Syz155240 if (unit == IPL_LOGAUTH)
44723448Sdh155122 fprev = &ifs->ifs_ipauth;
44732393Syz155240 else if (v == 4) {
44742393Syz155240 if (FR_ISACCOUNT(fp->fr_flags))
44753448Sdh155122 fprev = &ifs->ifs_ipacct[in][set];
44762393Syz155240 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
44773448Sdh155122 fprev = &ifs->ifs_ipfilter[in][set];
44782393Syz155240 } else if (v == 6) {
44792393Syz155240 if (FR_ISACCOUNT(fp->fr_flags))
44803448Sdh155122 fprev = &ifs->ifs_ipacct6[in][set];
44812393Syz155240 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
44823448Sdh155122 fprev = &ifs->ifs_ipfilter6[in][set];
44832393Syz155240 }
44842393Syz155240 if (fprev == NULL)
44852393Syz155240 return ESRCH;
44862393Syz155240
44872393Syz155240 if (*group != '\0') {
44883448Sdh155122 if (!fg && !(fg = fr_findgroup(group, unit, set, NULL, ifs)))
44892393Syz155240 return ESRCH;
44902393Syz155240 fprev = &fg->fg_start;
44912393Syz155240 }
44922393Syz155240
44932393Syz155240 ftail = fprev;
44942393Syz155240 for (f = *ftail; (f = *ftail) != NULL; ftail = &f->fr_next) {
44952393Syz155240 if (fp->fr_collect <= f->fr_collect) {
44962393Syz155240 ftail = fprev;
44972393Syz155240 f = NULL;
44982393Syz155240 break;
44992393Syz155240 }
45002393Syz155240 fprev = ftail;
45012393Syz155240 }
45022393Syz155240
45032393Syz155240 /*
45042393Syz155240 * Copy in extra data for the rule.
45052393Syz155240 */
45062393Syz155240 if (fp->fr_dsize != 0) {
45072393Syz155240 if (makecopy != 0) {
45082393Syz155240 KMALLOCS(ptr, void *, fp->fr_dsize);
45092393Syz155240 if (!ptr)
45102393Syz155240 return ENOMEM;
45112393Syz155240 error = COPYIN(uptr, ptr, fp->fr_dsize);
45122393Syz155240 } else {
45132393Syz155240 ptr = uptr;
45142393Syz155240 error = 0;
45152393Syz155240 }
45162393Syz155240 if (error != 0) {
45172393Syz155240 KFREES(ptr, fp->fr_dsize);
45189876SDarren.Reed@Sun.COM return EFAULT;
45192393Syz155240 }
45202393Syz155240 fp->fr_data = ptr;
45212393Syz155240 } else
45222393Syz155240 fp->fr_data = NULL;
45232393Syz155240
45242393Syz155240 /*
45252393Syz155240 * Perform per-rule type sanity checks of their members.
45262393Syz155240 */
45272393Syz155240 switch (fp->fr_type & ~FR_T_BUILTIN)
45282393Syz155240 {
45292393Syz155240 #if defined(IPFILTER_BPF)
45302393Syz155240 case FR_T_BPFOPC :
45312393Syz155240 if (fp->fr_dsize == 0)
45322393Syz155240 return EINVAL;
45332393Syz155240 if (!bpf_validate(ptr, fp->fr_dsize/sizeof(struct bpf_insn))) {
45342393Syz155240 if (makecopy && fp->fr_data != NULL) {
45352393Syz155240 KFREES(fp->fr_data, fp->fr_dsize);
45362393Syz155240 }
45372393Syz155240 return EINVAL;
45382393Syz155240 }
45392393Syz155240 break;
45402393Syz155240 #endif
45412393Syz155240 case FR_T_IPF :
45429876SDarren.Reed@Sun.COM if (fp->fr_dsize != sizeof(fripf_t)) {
45439876SDarren.Reed@Sun.COM if (makecopy && fp->fr_data != NULL) {
45449876SDarren.Reed@Sun.COM KFREES(fp->fr_data, fp->fr_dsize);
45459876SDarren.Reed@Sun.COM }
45462393Syz155240 return EINVAL;
45479876SDarren.Reed@Sun.COM }
45482393Syz155240
45492393Syz155240 /*
45502393Syz155240 * Allowing a rule with both "keep state" and "with oow" is
45512393Syz155240 * pointless because adding a state entry to the table will
45522393Syz155240 * fail with the out of window (oow) flag set.
45532393Syz155240 */
45549876SDarren.Reed@Sun.COM if ((fp->fr_flags & FR_KEEPSTATE) && (fp->fr_flx & FI_OOW)) {
45559876SDarren.Reed@Sun.COM if (makecopy && fp->fr_data != NULL) {
45569876SDarren.Reed@Sun.COM KFREES(fp->fr_data, fp->fr_dsize);
45579876SDarren.Reed@Sun.COM }
45582393Syz155240 return EINVAL;
45599876SDarren.Reed@Sun.COM }
45602393Syz155240
45612393Syz155240 switch (fp->fr_satype)
45622393Syz155240 {
45632393Syz155240 case FRI_BROADCAST :
45642393Syz155240 case FRI_DYNAMIC :
45652393Syz155240 case FRI_NETWORK :
45662393Syz155240 case FRI_NETMASKED :
45672393Syz155240 case FRI_PEERADDR :
45682393Syz155240 if (fp->fr_sifpidx < 0 || fp->fr_sifpidx > 3) {
45692393Syz155240 if (makecopy && fp->fr_data != NULL) {
45702393Syz155240 KFREES(fp->fr_data, fp->fr_dsize);
45712393Syz155240 }
45722393Syz155240 return EINVAL;
45732393Syz155240 }
45742393Syz155240 break;
45752393Syz155240 #ifdef IPFILTER_LOOKUP
45762393Syz155240 case FRI_LOOKUP :
45772393Syz155240 fp->fr_srcptr = fr_resolvelookup(fp->fr_srctype,
45782393Syz155240 fp->fr_srcnum,
45793448Sdh155122 &fp->fr_srcfunc, ifs);
45802393Syz155240 break;
45812393Syz155240 #endif
45822393Syz155240 default :
45832393Syz155240 break;
45842393Syz155240 }
45852393Syz155240
45862393Syz155240 switch (fp->fr_datype)
45872393Syz155240 {
45882393Syz155240 case FRI_BROADCAST :
45892393Syz155240 case FRI_DYNAMIC :
45902393Syz155240 case FRI_NETWORK :
45912393Syz155240 case FRI_NETMASKED :
45922393Syz155240 case FRI_PEERADDR :
45932393Syz155240 if (fp->fr_difpidx < 0 || fp->fr_difpidx > 3) {
45942393Syz155240 if (makecopy && fp->fr_data != NULL) {
45952393Syz155240 KFREES(fp->fr_data, fp->fr_dsize);
45962393Syz155240 }
45972393Syz155240 return EINVAL;
45982393Syz155240 }
45992393Syz155240 break;
46002393Syz155240 #ifdef IPFILTER_LOOKUP
46012393Syz155240 case FRI_LOOKUP :
46022393Syz155240 fp->fr_dstptr = fr_resolvelookup(fp->fr_dsttype,
46032393Syz155240 fp->fr_dstnum,
46043448Sdh155122 &fp->fr_dstfunc, ifs);
46052393Syz155240 break;
46062393Syz155240 #endif
46072393Syz155240 default :
46082393Syz155240 break;
46092393Syz155240 }
46102393Syz155240 break;
46112393Syz155240 case FR_T_NONE :
46122393Syz155240 break;
46132393Syz155240 case FR_T_CALLFUNC :
46142393Syz155240 break;
46152393Syz155240 case FR_T_COMPIPF :
46162393Syz155240 break;
46172393Syz155240 default :
46182393Syz155240 if (makecopy && fp->fr_data != NULL) {
46192393Syz155240 KFREES(fp->fr_data, fp->fr_dsize);
46202393Syz155240 }
46212393Syz155240 return EINVAL;
46222393Syz155240 }
46232393Syz155240
46242393Syz155240 /*
46252393Syz155240 * Lookup all the interface names that are part of the rule.
46262393Syz155240 */
46273448Sdh155122 frsynclist(0, 0, NULL, NULL, fp, ifs);
46282393Syz155240 fp->fr_statecnt = 0;
46292393Syz155240
46302393Syz155240 /*
46312393Syz155240 * Look for an existing matching filter rule, but don't include the
46322393Syz155240 * next or interface pointer in the comparison (fr_next, fr_ifa).
46332393Syz155240 * This elminates rules which are indentical being loaded. Checksum
46342393Syz155240 * the constant part of the filter rule to make comparisons quicker
46352393Syz155240 * (this meaning no pointers are included).
46362393Syz155240 */
46372393Syz155240 for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_func, pp = &fp->fr_cksum;
46382393Syz155240 p < pp; p++)
46392393Syz155240 fp->fr_cksum += *p;
46402393Syz155240 pp = (u_int *)(fp->fr_caddr + fp->fr_dsize);
46412393Syz155240 for (p = (u_int *)fp->fr_data; p < pp; p++)
46422393Syz155240 fp->fr_cksum += *p;
46432393Syz155240
46443448Sdh155122 WRITE_ENTER(&ifs->ifs_ipf_mutex);
464510587SAlexandr.Nedvedicky@Sun.COM bzero((char *)ifs->ifs_frcache, sizeof (ifs->ifs_frcache));
46462393Syz155240
46472393Syz155240 for (; (f = *ftail) != NULL; ftail = &f->fr_next) {
46482393Syz155240 if ((fp->fr_cksum != f->fr_cksum) ||
46492393Syz155240 (f->fr_dsize != fp->fr_dsize))
46502393Syz155240 continue;
46512393Syz155240 if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func, FR_CMPSIZ))
46522393Syz155240 continue;
46532393Syz155240 if ((!ptr && !f->fr_data) ||
46542393Syz155240 (ptr && f->fr_data &&
46552393Syz155240 !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize)))
46562393Syz155240 break;
46572393Syz155240 }
46582393Syz155240
46592393Syz155240 /*
46602393Syz155240 * If zero'ing statistics, copy current to caller and zero.
46612393Syz155240 */
46622393Syz155240 if (req == (ioctlcmd_t)SIOCZRLST) {
46632393Syz155240 if (f == NULL)
46642393Syz155240 error = ESRCH;
46652393Syz155240 else {
46662393Syz155240 /*
46672393Syz155240 * Copy and reduce lock because of impending copyout.
46682393Syz155240 * Well we should, but if we do then the atomicity of
46692393Syz155240 * this call and the correctness of fr_hits and
46702393Syz155240 * fr_bytes cannot be guaranteed. As it is, this code
46712393Syz155240 * only resets them to 0 if they are successfully
46722393Syz155240 * copied out into user space.
46732393Syz155240 */
46742393Syz155240 bcopy((char *)f, (char *)fp, sizeof(*f));
46752393Syz155240
46762393Syz155240 /*
46772393Syz155240 * When we copy this rule back out, set the data
46782393Syz155240 * pointer to be what it was in user space.
46792393Syz155240 */
46802393Syz155240 fp->fr_data = uptr;
46812393Syz155240 error = fr_outobj(data, fp, IPFOBJ_FRENTRY);
46822393Syz155240
46832393Syz155240 if (error == 0) {
46842393Syz155240 if ((f->fr_dsize != 0) && (uptr != NULL))
46852393Syz155240 error = COPYOUT(f->fr_data, uptr,
46862393Syz155240 f->fr_dsize);
46872393Syz155240 if (error == 0) {
46882393Syz155240 f->fr_hits = 0;
46892393Syz155240 f->fr_bytes = 0;
46902393Syz155240 }
46912393Syz155240 }
46922393Syz155240 }
46932393Syz155240
46942393Syz155240 if ((ptr != NULL) && (makecopy != 0)) {
46952393Syz155240 KFREES(ptr, fp->fr_dsize);
46962393Syz155240 }
46973448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
46982393Syz155240 return error;
46992393Syz155240 }
47002393Syz155240
47012393Syz155240 if (!f) {
47022393Syz155240 /*
47032393Syz155240 * At the end of this, ftail must point to the place where the
47042393Syz155240 * new rule is to be saved/inserted/added.
47052393Syz155240 * For SIOCAD*FR, this should be the last rule in the group of
47062393Syz155240 * rules that have equal fr_collect fields.
47072393Syz155240 * For SIOCIN*FR, ...
47082393Syz155240 */
47092393Syz155240 if (req == (ioctlcmd_t)SIOCADAFR ||
47102393Syz155240 req == (ioctlcmd_t)SIOCADIFR) {
47112393Syz155240
47122393Syz155240 for (ftail = fprev; (f = *ftail) != NULL; ) {
47132393Syz155240 if (f->fr_collect > fp->fr_collect)
47142393Syz155240 break;
47152393Syz155240 ftail = &f->fr_next;
47162393Syz155240 }
47172393Syz155240 f = NULL;
47182393Syz155240 ptr = NULL;
47192393Syz155240 error = 0;
47202393Syz155240 } else if (req == (ioctlcmd_t)SIOCINAFR ||
47212393Syz155240 req == (ioctlcmd_t)SIOCINIFR) {
47222393Syz155240 while ((f = *fprev) != NULL) {
47232393Syz155240 if (f->fr_collect >= fp->fr_collect)
47242393Syz155240 break;
47252393Syz155240 fprev = &f->fr_next;
47262393Syz155240 }
47272393Syz155240 ftail = fprev;
47282393Syz155240 if (fp->fr_hits != 0) {
47292393Syz155240 while (fp->fr_hits && (f = *ftail)) {
47302393Syz155240 if (f->fr_collect != fp->fr_collect)
47312393Syz155240 break;
47322393Syz155240 fprev = ftail;
47332393Syz155240 ftail = &f->fr_next;
47342393Syz155240 fp->fr_hits--;
47352393Syz155240 }
47362393Syz155240 }
47372393Syz155240 f = NULL;
47382393Syz155240 ptr = NULL;
47392393Syz155240 error = 0;
47402393Syz155240 }
47412393Syz155240 }
47422393Syz155240
47432393Syz155240 /*
47442393Syz155240 * Request to remove a rule.
47452393Syz155240 */
47462393Syz155240 if (req == (ioctlcmd_t)SIOCRMAFR || req == (ioctlcmd_t)SIOCRMIFR) {
47472393Syz155240 if (!f)
47482393Syz155240 error = ESRCH;
47492393Syz155240 else {
47502393Syz155240 /*
47512393Syz155240 * Do not allow activity from user space to interfere
47522393Syz155240 * with rules not loaded that way.
47532393Syz155240 */
47542393Syz155240 if ((makecopy == 1) && !(f->fr_flags & FR_COPIED)) {
47552393Syz155240 error = EPERM;
47562393Syz155240 goto done;
47572393Syz155240 }
47582393Syz155240
47592393Syz155240 /*
47602393Syz155240 * Return EBUSY if the rule is being reference by
47612393Syz155240 * something else (eg state information.
47622393Syz155240 */
47632393Syz155240 if (f->fr_ref > 1) {
47642393Syz155240 error = EBUSY;
47652393Syz155240 goto done;
47662393Syz155240 }
47672393Syz155240 #ifdef IPFILTER_SCAN
47682393Syz155240 if (f->fr_isctag[0] != '\0' &&
47692393Syz155240 (f->fr_isc != (struct ipscan *)-1))
47702393Syz155240 ipsc_detachfr(f);
47712393Syz155240 #endif
47722393Syz155240 if (unit == IPL_LOGAUTH) {
47733448Sdh155122 error = fr_preauthcmd(req, f, ftail, ifs);
47742393Syz155240 goto done;
47752393Syz155240 }
47762393Syz155240 if (*f->fr_grhead != '\0')
47773448Sdh155122 fr_delgroup(f->fr_grhead, unit, set, ifs);
47782393Syz155240 fr_fixskip(ftail, f, -1);
47792393Syz155240 *ftail = f->fr_next;
47802393Syz155240 f->fr_next = NULL;
47813448Sdh155122 (void)fr_derefrule(&f, ifs);
47822393Syz155240 }
47832393Syz155240 } else {
47842393Syz155240 /*
47852393Syz155240 * Not removing, so we must be adding/inserting a rule.
47862393Syz155240 */
47872393Syz155240 if (f)
47882393Syz155240 error = EEXIST;
47892393Syz155240 else {
47902393Syz155240 if (unit == IPL_LOGAUTH) {
47913448Sdh155122 error = fr_preauthcmd(req, fp, ftail, ifs);
47922393Syz155240 goto done;
47932393Syz155240 }
47942393Syz155240 if (makecopy) {
47952393Syz155240 KMALLOC(f, frentry_t *);
47962393Syz155240 } else
47972393Syz155240 f = fp;
47982393Syz155240 if (f != NULL) {
47992393Syz155240 if (fp != f)
48002393Syz155240 bcopy((char *)fp, (char *)f,
48012393Syz155240 sizeof(*f));
48022393Syz155240 MUTEX_NUKE(&f->fr_lock);
48032393Syz155240 MUTEX_INIT(&f->fr_lock, "filter rule lock");
48042393Syz155240 #ifdef IPFILTER_SCAN
48052393Syz155240 if (f->fr_isctag[0] != '\0' &&
48062393Syz155240 ipsc_attachfr(f))
48072393Syz155240 f->fr_isc = (struct ipscan *)-1;
48082393Syz155240 #endif
48092393Syz155240 f->fr_hits = 0;
48102393Syz155240 if (makecopy != 0)
48112393Syz155240 f->fr_ref = 1;
48122393Syz155240 f->fr_next = *ftail;
48132393Syz155240 *ftail = f;
48142393Syz155240 if (req == (ioctlcmd_t)SIOCINIFR ||
48152393Syz155240 req == (ioctlcmd_t)SIOCINAFR)
48162393Syz155240 fr_fixskip(ftail, f, 1);
48172393Syz155240 f->fr_grp = NULL;
48182393Syz155240 group = f->fr_grhead;
48192393Syz155240 if (*group != '\0') {
48202393Syz155240 fg = fr_addgroup(group, f, f->fr_flags,
48213448Sdh155122 unit, set, ifs);
48222393Syz155240 if (fg != NULL)
48232393Syz155240 f->fr_grp = &fg->fg_start;
48242393Syz155240 }
48252393Syz155240 } else
48262393Syz155240 error = ENOMEM;
48272393Syz155240 }
48282393Syz155240 }
48292393Syz155240 done:
48303448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
48312393Syz155240 if ((ptr != NULL) && (error != 0) && (makecopy != 0)) {
48322393Syz155240 KFREES(ptr, fp->fr_dsize);
48332393Syz155240 }
48342393Syz155240 return (error);
48352393Syz155240 }
48362393Syz155240
48372393Syz155240
48382393Syz155240 /* ------------------------------------------------------------------------ */
48392393Syz155240 /* Function: fr_funcinit */
48402393Syz155240 /* Returns: int - 0 == success, else ESRCH: cannot resolve rule details */
48412393Syz155240 /* Parameters: fr(I) - pointer to filter rule */
48422393Syz155240 /* */
48432393Syz155240 /* If a rule is a call rule, then check if the function it points to needs */
48442393Syz155240 /* an init function to be called now the rule has been loaded. */
48452393Syz155240 /* ------------------------------------------------------------------------ */
fr_funcinit(fr,ifs)48463448Sdh155122 static int fr_funcinit(fr, ifs)
48472393Syz155240 frentry_t *fr;
48483448Sdh155122 ipf_stack_t *ifs;
48492393Syz155240 {
48502393Syz155240 ipfunc_resolve_t *ft;
48512393Syz155240 int err;
48522393Syz155240
48532393Syz155240 err = ESRCH;
48542393Syz155240
48552393Syz155240 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
48562393Syz155240 if (ft->ipfu_addr == fr->fr_func) {
48572393Syz155240 err = 0;
48582393Syz155240 if (ft->ipfu_init != NULL)
48593448Sdh155122 err = (*ft->ipfu_init)(fr, ifs);
48602393Syz155240 break;
48612393Syz155240 }
48622393Syz155240 return err;
48632393Syz155240 }
48642393Syz155240
48652393Syz155240
48662393Syz155240 /* ------------------------------------------------------------------------ */
48672393Syz155240 /* Function: fr_findfunc */
48682393Syz155240 /* Returns: ipfunc_t - pointer to function if found, else NULL */
48692393Syz155240 /* Parameters: funcptr(I) - function pointer to lookup */
48702393Syz155240 /* */
48712393Syz155240 /* Look for a function in the table of known functions. */
48722393Syz155240 /* ------------------------------------------------------------------------ */
fr_findfunc(funcptr)48732393Syz155240 static ipfunc_t fr_findfunc(funcptr)
48742393Syz155240 ipfunc_t funcptr;
48752393Syz155240 {
48762393Syz155240 ipfunc_resolve_t *ft;
48772393Syz155240
48782393Syz155240 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
48792393Syz155240 if (ft->ipfu_addr == funcptr)
48802393Syz155240 return funcptr;
48812393Syz155240 return NULL;
48822393Syz155240 }
48832393Syz155240
48842393Syz155240
48852393Syz155240 /* ------------------------------------------------------------------------ */
48862393Syz155240 /* Function: fr_resolvefunc */
48872393Syz155240 /* Returns: int - 0 == success, else error */
48882393Syz155240 /* Parameters: data(IO) - ioctl data pointer to ipfunc_resolve_t struct */
48892393Syz155240 /* */
48902393Syz155240 /* Copy in a ipfunc_resolve_t structure and then fill in the missing field. */
48912393Syz155240 /* This will either be the function name (if the pointer is set) or the */
48922393Syz155240 /* function pointer if the name is set. When found, fill in the other one */
48932393Syz155240 /* so that the entire, complete, structure can be copied back to user space.*/
48942393Syz155240 /* ------------------------------------------------------------------------ */
fr_resolvefunc(data)48952393Syz155240 int fr_resolvefunc(data)
48962393Syz155240 void *data;
48972393Syz155240 {
48982393Syz155240 ipfunc_resolve_t res, *ft;
48997433SJohn.Ojemann@Sun.COM int err;
49007433SJohn.Ojemann@Sun.COM
49017433SJohn.Ojemann@Sun.COM err = BCOPYIN(data, &res, sizeof(res));
49027433SJohn.Ojemann@Sun.COM if (err != 0)
49037433SJohn.Ojemann@Sun.COM return EFAULT;
49042393Syz155240
49052393Syz155240 if (res.ipfu_addr == NULL && res.ipfu_name[0] != '\0') {
49062393Syz155240 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
49072393Syz155240 if (strncmp(res.ipfu_name, ft->ipfu_name,
49082393Syz155240 sizeof(res.ipfu_name)) == 0) {
49092393Syz155240 res.ipfu_addr = ft->ipfu_addr;
49102393Syz155240 res.ipfu_init = ft->ipfu_init;
49112393Syz155240 if (COPYOUT(&res, data, sizeof(res)) != 0)
49122393Syz155240 return EFAULT;
49132393Syz155240 return 0;
49142393Syz155240 }
49152393Syz155240 }
49162393Syz155240 if (res.ipfu_addr != NULL && res.ipfu_name[0] == '\0') {
49172393Syz155240 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
49182393Syz155240 if (ft->ipfu_addr == res.ipfu_addr) {
49192393Syz155240 (void) strncpy(res.ipfu_name, ft->ipfu_name,
49202393Syz155240 sizeof(res.ipfu_name));
49212393Syz155240 res.ipfu_init = ft->ipfu_init;
49222393Syz155240 if (COPYOUT(&res, data, sizeof(res)) != 0)
49232393Syz155240 return EFAULT;
49242393Syz155240 return 0;
49252393Syz155240 }
49262393Syz155240 }
49272393Syz155240 return ESRCH;
49282393Syz155240 }
49292393Syz155240
49302393Syz155240
49312393Syz155240 #if !defined(_KERNEL) || (!defined(__NetBSD__) && !defined(__OpenBSD__) && !defined(__FreeBSD__)) || \
49322393Syz155240 (defined(__FreeBSD__) && (__FreeBSD_version < 490000)) || \
49332393Syz155240 (defined(__NetBSD__) && (__NetBSD_Version__ < 105000000)) || \
49342393Syz155240 (defined(__OpenBSD__) && (OpenBSD < 200006))
49352393Syz155240 /*
49362393Syz155240 * From: NetBSD
49372393Syz155240 * ppsratecheck(): packets (or events) per second limitation.
49382393Syz155240 */
49392393Syz155240 int
ppsratecheck(lasttime,curpps,maxpps)49402393Syz155240 ppsratecheck(lasttime, curpps, maxpps)
49412393Syz155240 struct timeval *lasttime;
49422393Syz155240 int *curpps;
49432393Syz155240 int maxpps; /* maximum pps allowed */
49442393Syz155240 {
49452393Syz155240 struct timeval tv, delta;
49462393Syz155240 int rv;
49472393Syz155240
49482393Syz155240 GETKTIME(&tv);
49492393Syz155240
49502393Syz155240 delta.tv_sec = tv.tv_sec - lasttime->tv_sec;
49512393Syz155240 delta.tv_usec = tv.tv_usec - lasttime->tv_usec;
49522393Syz155240 if (delta.tv_usec < 0) {
49532393Syz155240 delta.tv_sec--;
49542393Syz155240 delta.tv_usec += 1000000;
49552393Syz155240 }
49562393Syz155240
49572393Syz155240 /*
49582393Syz155240 * check for 0,0 is so that the message will be seen at least once.
49592393Syz155240 * if more than one second have passed since the last update of
49602393Syz155240 * lasttime, reset the counter.
49612393Syz155240 *
49622393Syz155240 * we do increment *curpps even in *curpps < maxpps case, as some may
49632393Syz155240 * try to use *curpps for stat purposes as well.
49642393Syz155240 */
49652393Syz155240 if ((lasttime->tv_sec == 0 && lasttime->tv_usec == 0) ||
49662393Syz155240 delta.tv_sec >= 1) {
49672393Syz155240 *lasttime = tv;
49682393Syz155240 *curpps = 0;
49692393Syz155240 rv = 1;
49702393Syz155240 } else if (maxpps < 0)
49712393Syz155240 rv = 1;
49722393Syz155240 else if (*curpps < maxpps)
49732393Syz155240 rv = 1;
49742393Syz155240 else
49752393Syz155240 rv = 0;
49762393Syz155240 *curpps = *curpps + 1;
49772393Syz155240
49782393Syz155240 return (rv);
49792393Syz155240 }
49802393Syz155240 #endif
49812393Syz155240
49822393Syz155240
49832393Syz155240 /* ------------------------------------------------------------------------ */
49842393Syz155240 /* Function: fr_derefrule */
49852393Syz155240 /* Returns: int - 0 == rule freed up, else rule not freed */
49862393Syz155240 /* Parameters: fr(I) - pointer to filter rule */
49872393Syz155240 /* */
49882393Syz155240 /* Decrement the reference counter to a rule by one. If it reaches zero, */
49892393Syz155240 /* free it and any associated storage space being used by it. */
49902393Syz155240 /* ------------------------------------------------------------------------ */
fr_derefrule(frp,ifs)49913448Sdh155122 int fr_derefrule(frp, ifs)
49922393Syz155240 frentry_t **frp;
49933448Sdh155122 ipf_stack_t *ifs;
49942393Syz155240 {
49952393Syz155240 frentry_t *fr;
49962393Syz155240
49972393Syz155240 fr = *frp;
49982393Syz155240
49992393Syz155240 MUTEX_ENTER(&fr->fr_lock);
50002393Syz155240 fr->fr_ref--;
50012393Syz155240 if (fr->fr_ref == 0) {
50022393Syz155240 MUTEX_EXIT(&fr->fr_lock);
50032393Syz155240 MUTEX_DESTROY(&fr->fr_lock);
50042393Syz155240
50052393Syz155240 #ifdef IPFILTER_LOOKUP
50062393Syz155240 if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP)
50073448Sdh155122 ip_lookup_deref(fr->fr_srctype, fr->fr_srcptr, ifs);
50082393Syz155240 if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP)
50093448Sdh155122 ip_lookup_deref(fr->fr_dsttype, fr->fr_dstptr, ifs);
50102393Syz155240 #endif
50112393Syz155240
50122393Syz155240 if (fr->fr_dsize) {
50132393Syz155240 KFREES(fr->fr_data, fr->fr_dsize);
50142393Syz155240 }
50152393Syz155240 if ((fr->fr_flags & FR_COPIED) != 0) {
50162393Syz155240 KFREE(fr);
50172393Syz155240 return 0;
50182393Syz155240 }
50192393Syz155240 return 1;
50202393Syz155240 } else {
50212393Syz155240 MUTEX_EXIT(&fr->fr_lock);
50222393Syz155240 }
50232393Syz155240 *frp = NULL;
50242393Syz155240 return -1;
50252393Syz155240 }
50262393Syz155240
50272393Syz155240
50282393Syz155240 #ifdef IPFILTER_LOOKUP
50292393Syz155240 /* ------------------------------------------------------------------------ */
50302393Syz155240 /* Function: fr_grpmapinit */
50312393Syz155240 /* Returns: int - 0 == success, else ESRCH because table entry not found*/
50322393Syz155240 /* Parameters: fr(I) - pointer to rule to find hash table for */
50332393Syz155240 /* */
50342393Syz155240 /* Looks for group hash table fr_arg and stores a pointer to it in fr_ptr. */
50352393Syz155240 /* fr_ptr is later used by fr_srcgrpmap and fr_dstgrpmap. */
50362393Syz155240 /* ------------------------------------------------------------------------ */
fr_grpmapinit(fr,ifs)50373448Sdh155122 static int fr_grpmapinit(fr, ifs)
50382393Syz155240 frentry_t *fr;
50393448Sdh155122 ipf_stack_t *ifs;
50402393Syz155240 {
50412393Syz155240 char name[FR_GROUPLEN];
50422393Syz155240 iphtable_t *iph;
50432393Syz155240
50442393Syz155240 #if defined(SNPRINTF) && defined(_KERNEL)
50452393Syz155240 (void) SNPRINTF(name, sizeof(name), "%d", fr->fr_arg);
50462393Syz155240 #else
50472393Syz155240 (void) sprintf(name, "%d", fr->fr_arg);
50482393Syz155240 #endif
50493448Sdh155122 iph = fr_findhtable(IPL_LOGIPF, name, ifs);
50502393Syz155240 if (iph == NULL)
50512393Syz155240 return ESRCH;
50522393Syz155240 if ((iph->iph_flags & FR_INOUT) != (fr->fr_flags & FR_INOUT))
50532393Syz155240 return ESRCH;
50542393Syz155240 fr->fr_ptr = iph;
50552393Syz155240 return 0;
50562393Syz155240 }
50572393Syz155240
50582393Syz155240
50592393Syz155240 /* ------------------------------------------------------------------------ */
50602393Syz155240 /* Function: fr_srcgrpmap */
50612393Syz155240 /* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
50622393Syz155240 /* Parameters: fin(I) - pointer to packet information */
50632393Syz155240 /* passp(IO) - pointer to current/new filter decision (unused) */
50642393Syz155240 /* */
50652393Syz155240 /* Look for a rule group head in a hash table, using the source address as */
50662393Syz155240 /* the key, and descend into that group and continue matching rules against */
50672393Syz155240 /* the packet. */
50682393Syz155240 /* ------------------------------------------------------------------------ */
fr_srcgrpmap(fin,passp)50692393Syz155240 frentry_t *fr_srcgrpmap(fin, passp)
50702393Syz155240 fr_info_t *fin;
50712393Syz155240 u_32_t *passp;
50722393Syz155240 {
50732393Syz155240 frgroup_t *fg;
50742393Syz155240 void *rval;
50753448Sdh155122 ipf_stack_t *ifs = fin->fin_ifs;
50763448Sdh155122
50773448Sdh155122 rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, fin->fin_v, &fin->fin_src, ifs);
50782393Syz155240 if (rval == NULL)
50792393Syz155240 return NULL;
50802393Syz155240
50812393Syz155240 fg = rval;
50822393Syz155240 fin->fin_fr = fg->fg_start;
50832393Syz155240 (void) fr_scanlist(fin, *passp);
50842393Syz155240 return fin->fin_fr;
50852393Syz155240 }
50862393Syz155240
50872393Syz155240
50882393Syz155240 /* ------------------------------------------------------------------------ */
50892393Syz155240 /* Function: fr_dstgrpmap */
50902393Syz155240 /* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
50912393Syz155240 /* Parameters: fin(I) - pointer to packet information */
50922393Syz155240 /* passp(IO) - pointer to current/new filter decision (unused) */
50932393Syz155240 /* */
50942393Syz155240 /* Look for a rule group head in a hash table, using the destination */
50952393Syz155240 /* address as the key, and descend into that group and continue matching */
50962393Syz155240 /* rules against the packet. */
50972393Syz155240 /* ------------------------------------------------------------------------ */
fr_dstgrpmap(fin,passp)50982393Syz155240 frentry_t *fr_dstgrpmap(fin, passp)
50992393Syz155240 fr_info_t *fin;
51002393Syz155240 u_32_t *passp;
51012393Syz155240 {
51022393Syz155240 frgroup_t *fg;
51032393Syz155240 void *rval;
51043448Sdh155122 ipf_stack_t *ifs = fin->fin_ifs;
51053448Sdh155122
51063448Sdh155122 rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, fin->fin_v, &fin->fin_dst, ifs);
51072393Syz155240 if (rval == NULL)
51082393Syz155240 return NULL;
51092393Syz155240
51102393Syz155240 fg = rval;
51112393Syz155240 fin->fin_fr = fg->fg_start;
51122393Syz155240 (void) fr_scanlist(fin, *passp);
51132393Syz155240 return fin->fin_fr;
51142393Syz155240 }
51152393Syz155240 #endif /* IPFILTER_LOOKUP */
51162393Syz155240
51172393Syz155240 /*
51182393Syz155240 * Queue functions
51192393Syz155240 * ===============
51202393Syz155240 * These functions manage objects on queues for efficient timeouts. There are
51212393Syz155240 * a number of system defined queues as well as user defined timeouts. It is
51222393Syz155240 * expected that a lock is held in the domain in which the queue belongs
51232393Syz155240 * (i.e. either state or NAT) when calling any of these functions that prevents
51242393Syz155240 * fr_freetimeoutqueue() from being called at the same time as any other.
51252393Syz155240 */
51262393Syz155240
51272393Syz155240
51282393Syz155240 /* ------------------------------------------------------------------------ */
51292393Syz155240 /* Function: fr_addtimeoutqueue */
51302393Syz155240 /* Returns: struct ifqtq * - NULL if malloc fails, else pointer to */
51312393Syz155240 /* timeout queue with given interval. */
51322393Syz155240 /* Parameters: parent(I) - pointer to pointer to parent node of this list */
51332393Syz155240 /* of interface queues. */
51342393Syz155240 /* seconds(I) - timeout value in seconds for this queue. */
51352393Syz155240 /* */
51362393Syz155240 /* This routine first looks for a timeout queue that matches the interval */
51372393Syz155240 /* being requested. If it finds one, increments the reference counter and */
51382393Syz155240 /* returns a pointer to it. If none are found, it allocates a new one and */
51392393Syz155240 /* inserts it at the top of the list. */
51402393Syz155240 /* */
51412393Syz155240 /* Locking. */
51422393Syz155240 /* It is assumed that the caller of this function has an appropriate lock */
51432393Syz155240 /* held (exclusively) in the domain that encompases 'parent'. */
51442393Syz155240 /* ------------------------------------------------------------------------ */
fr_addtimeoutqueue(parent,seconds,ifs)51453448Sdh155122 ipftq_t *fr_addtimeoutqueue(parent, seconds, ifs)
51462393Syz155240 ipftq_t **parent;
51472393Syz155240 u_int seconds;
51483448Sdh155122 ipf_stack_t *ifs;
51492393Syz155240 {
51502393Syz155240 ipftq_t *ifq;
51512393Syz155240 u_int period;
51522393Syz155240
51532393Syz155240 period = seconds * IPF_HZ_DIVIDE;
51542393Syz155240
51553448Sdh155122 MUTEX_ENTER(&ifs->ifs_ipf_timeoutlock);
51562393Syz155240 for (ifq = *parent; ifq != NULL; ifq = ifq->ifq_next) {
51572393Syz155240 if (ifq->ifq_ttl == period) {
51582393Syz155240 /*
51592393Syz155240 * Reset the delete flag, if set, so the structure
51602393Syz155240 * gets reused rather than freed and reallocated.
51612393Syz155240 */
51622393Syz155240 MUTEX_ENTER(&ifq->ifq_lock);
51632393Syz155240 ifq->ifq_flags &= ~IFQF_DELETE;
51642393Syz155240 ifq->ifq_ref++;
51652393Syz155240 MUTEX_EXIT(&ifq->ifq_lock);
51663448Sdh155122 MUTEX_EXIT(&ifs->ifs_ipf_timeoutlock);
51672393Syz155240
51682393Syz155240 return ifq;
51692393Syz155240 }
51702393Syz155240 }
51712393Syz155240
51722393Syz155240 KMALLOC(ifq, ipftq_t *);
51732393Syz155240 if (ifq != NULL) {
51742393Syz155240 ifq->ifq_ttl = period;
51752393Syz155240 ifq->ifq_head = NULL;
51762393Syz155240 ifq->ifq_tail = &ifq->ifq_head;
51772393Syz155240 ifq->ifq_next = *parent;
51782393Syz155240 ifq->ifq_pnext = parent;
51792393Syz155240 ifq->ifq_ref = 1;
51802393Syz155240 ifq->ifq_flags = IFQF_USER;
51812393Syz155240 *parent = ifq;
51823448Sdh155122 ifs->ifs_fr_userifqs++;
51832393Syz155240 MUTEX_NUKE(&ifq->ifq_lock);
51842393Syz155240 MUTEX_INIT(&ifq->ifq_lock, "ipftq mutex");
51852393Syz155240 }
51863448Sdh155122 MUTEX_EXIT(&ifs->ifs_ipf_timeoutlock);
51872393Syz155240 return ifq;
51882393Syz155240 }
51892393Syz155240
51902393Syz155240
51912393Syz155240 /* ------------------------------------------------------------------------ */
51922393Syz155240 /* Function: fr_deletetimeoutqueue */
51932393Syz155240 /* Returns: int - new reference count value of the timeout queue */
51942393Syz155240 /* Parameters: ifq(I) - timeout queue which is losing a reference. */
51952393Syz155240 /* Locks: ifq->ifq_lock */
51962393Syz155240 /* */
51972393Syz155240 /* This routine must be called when we're discarding a pointer to a timeout */
51982393Syz155240 /* queue object, taking care of the reference counter. */
51992393Syz155240 /* */
52002393Syz155240 /* Now that this just sets a DELETE flag, it requires the expire code to */
52012393Syz155240 /* check the list of user defined timeout queues and call the free function */
52022393Syz155240 /* below (currently commented out) to stop memory leaking. It is done this */
52032393Syz155240 /* way because the locking may not be sufficient to safely do a free when */
52042393Syz155240 /* this function is called. */
52052393Syz155240 /* ------------------------------------------------------------------------ */
fr_deletetimeoutqueue(ifq)52062393Syz155240 int fr_deletetimeoutqueue(ifq)
52072393Syz155240 ipftq_t *ifq;
52082393Syz155240 {
52092393Syz155240
52102393Syz155240 ifq->ifq_ref--;
52112393Syz155240 if ((ifq->ifq_ref == 0) && ((ifq->ifq_flags & IFQF_USER) != 0)) {
52122393Syz155240 ifq->ifq_flags |= IFQF_DELETE;
52132393Syz155240 }
52142393Syz155240
52152393Syz155240 return ifq->ifq_ref;
52162393Syz155240 }
52172393Syz155240
52182393Syz155240
52192393Syz155240 /* ------------------------------------------------------------------------ */
52202393Syz155240 /* Function: fr_freetimeoutqueue */
52212393Syz155240 /* Parameters: ifq(I) - timeout queue which is losing a reference. */
52222393Syz155240 /* Returns: Nil */
52232393Syz155240 /* */
52242393Syz155240 /* Locking: */
52252393Syz155240 /* It is assumed that the caller of this function has an appropriate lock */
52262393Syz155240 /* held (exclusively) in the domain that encompases the callers "domain". */
52272393Syz155240 /* The ifq_lock for this structure should not be held. */
52282393Syz155240 /* */
52292393Syz155240 /* Remove a user definde timeout queue from the list of queues it is in and */
52302393Syz155240 /* tidy up after this is done. */
52312393Syz155240 /* ------------------------------------------------------------------------ */
fr_freetimeoutqueue(ifq,ifs)52323448Sdh155122 void fr_freetimeoutqueue(ifq, ifs)
52332393Syz155240 ipftq_t *ifq;
52343448Sdh155122 ipf_stack_t *ifs;
52352393Syz155240 {
52362393Syz155240
52372393Syz155240
52382393Syz155240 if (((ifq->ifq_flags & IFQF_DELETE) == 0) || (ifq->ifq_ref != 0) ||
52392393Syz155240 ((ifq->ifq_flags & IFQF_USER) == 0)) {
52402393Syz155240 printf("fr_freetimeoutqueue(%lx) flags 0x%x ttl %d ref %d\n",
52412393Syz155240 (u_long)ifq, ifq->ifq_flags, ifq->ifq_ttl,
52422393Syz155240 ifq->ifq_ref);
52432393Syz155240 return;
52442393Syz155240 }
52452393Syz155240
52462393Syz155240 /*
52472393Syz155240 * Remove from its position in the list.
52482393Syz155240 */
52492393Syz155240 *ifq->ifq_pnext = ifq->ifq_next;
52502393Syz155240 if (ifq->ifq_next != NULL)
52512393Syz155240 ifq->ifq_next->ifq_pnext = ifq->ifq_pnext;
52522393Syz155240
52532393Syz155240 MUTEX_DESTROY(&ifq->ifq_lock);
52543448Sdh155122 ifs->ifs_fr_userifqs--;
52552393Syz155240 KFREE(ifq);
52562393Syz155240 }
52572393Syz155240
52582393Syz155240
52592393Syz155240 /* ------------------------------------------------------------------------ */
52602393Syz155240 /* Function: fr_deletequeueentry */
52612393Syz155240 /* Returns: Nil */
52622393Syz155240 /* Parameters: tqe(I) - timeout queue entry to delete */
52632393Syz155240 /* ifq(I) - timeout queue to remove entry from */
52642393Syz155240 /* */
52652393Syz155240 /* Remove a tail queue entry from its queue and make it an orphan. */
52662393Syz155240 /* fr_deletetimeoutqueue is called to make sure the reference count on the */
52672393Syz155240 /* queue is correct. We can't, however, call fr_freetimeoutqueue because */
52682393Syz155240 /* the correct lock(s) may not be held that would make it safe to do so. */
52692393Syz155240 /* ------------------------------------------------------------------------ */
fr_deletequeueentry(tqe)52702393Syz155240 void fr_deletequeueentry(tqe)
52712393Syz155240 ipftqent_t *tqe;
52722393Syz155240 {
52732393Syz155240 ipftq_t *ifq;
52742393Syz155240
52752393Syz155240 ifq = tqe->tqe_ifq;
52762393Syz155240 if (ifq == NULL)
52772393Syz155240 return;
52782393Syz155240
52792393Syz155240 MUTEX_ENTER(&ifq->ifq_lock);
52802393Syz155240
52812393Syz155240 if (tqe->tqe_pnext != NULL) {
52822393Syz155240 *tqe->tqe_pnext = tqe->tqe_next;
52832393Syz155240 if (tqe->tqe_next != NULL)
52842393Syz155240 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
52852393Syz155240 else /* we must be the tail anyway */
52862393Syz155240 ifq->ifq_tail = tqe->tqe_pnext;
52872393Syz155240
52882393Syz155240 tqe->tqe_pnext = NULL;
52892393Syz155240 tqe->tqe_ifq = NULL;
52902393Syz155240 }
52912393Syz155240
52922393Syz155240 (void) fr_deletetimeoutqueue(ifq);
52932393Syz155240
52942393Syz155240 MUTEX_EXIT(&ifq->ifq_lock);
52952393Syz155240 }
52962393Syz155240
52972393Syz155240
52982393Syz155240 /* ------------------------------------------------------------------------ */
52992393Syz155240 /* Function: fr_queuefront */
53002393Syz155240 /* Returns: Nil */
53012393Syz155240 /* Parameters: tqe(I) - pointer to timeout queue entry */
53022393Syz155240 /* */
53032393Syz155240 /* Move a queue entry to the front of the queue, if it isn't already there. */
53042393Syz155240 /* ------------------------------------------------------------------------ */
fr_queuefront(tqe)53052393Syz155240 void fr_queuefront(tqe)
53062393Syz155240 ipftqent_t *tqe;
53072393Syz155240 {
53082393Syz155240 ipftq_t *ifq;
53092393Syz155240
53102393Syz155240 ifq = tqe->tqe_ifq;
53112393Syz155240 if (ifq == NULL)
53122393Syz155240 return;
53132393Syz155240
53142393Syz155240 MUTEX_ENTER(&ifq->ifq_lock);
53152393Syz155240 if (ifq->ifq_head != tqe) {
53162393Syz155240 *tqe->tqe_pnext = tqe->tqe_next;
53172393Syz155240 if (tqe->tqe_next)
53182393Syz155240 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
53192393Syz155240 else
53202393Syz155240 ifq->ifq_tail = tqe->tqe_pnext;
53212393Syz155240
53222393Syz155240 tqe->tqe_next = ifq->ifq_head;
53232393Syz155240 ifq->ifq_head->tqe_pnext = &tqe->tqe_next;
53242393Syz155240 ifq->ifq_head = tqe;
53252393Syz155240 tqe->tqe_pnext = &ifq->ifq_head;
53262393Syz155240 }
53272393Syz155240 MUTEX_EXIT(&ifq->ifq_lock);
53282393Syz155240 }
53292393Syz155240
53302393Syz155240
53312393Syz155240 /* ------------------------------------------------------------------------ */
53322393Syz155240 /* Function: fr_queueback */
53332393Syz155240 /* Returns: Nil */
53342393Syz155240 /* Parameters: tqe(I) - pointer to timeout queue entry */
53352393Syz155240 /* */
53362393Syz155240 /* Move a queue entry to the back of the queue, if it isn't already there. */
53372393Syz155240 /* ------------------------------------------------------------------------ */
fr_queueback(tqe,ifs)53383448Sdh155122 void fr_queueback(tqe, ifs)
53392393Syz155240 ipftqent_t *tqe;
53403448Sdh155122 ipf_stack_t *ifs;
53412393Syz155240 {
53422393Syz155240 ipftq_t *ifq;
53432393Syz155240
53442393Syz155240 ifq = tqe->tqe_ifq;
53452393Syz155240 if (ifq == NULL)
53462393Syz155240 return;
53473448Sdh155122 tqe->tqe_die = ifs->ifs_fr_ticks + ifq->ifq_ttl;
53482393Syz155240
53492393Syz155240 MUTEX_ENTER(&ifq->ifq_lock);
53502393Syz155240 if (tqe->tqe_next == NULL) { /* at the end already ? */
53512393Syz155240 MUTEX_EXIT(&ifq->ifq_lock);
53522393Syz155240 return;
53532393Syz155240 }
53542393Syz155240
53552393Syz155240 /*
53562393Syz155240 * Remove from list
53572393Syz155240 */
53582393Syz155240 *tqe->tqe_pnext = tqe->tqe_next;
53592393Syz155240 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
53602393Syz155240
53612393Syz155240 /*
53622393Syz155240 * Make it the last entry.
53632393Syz155240 */
53642393Syz155240 tqe->tqe_next = NULL;
53652393Syz155240 tqe->tqe_pnext = ifq->ifq_tail;
53662393Syz155240 *ifq->ifq_tail = tqe;
53672393Syz155240 ifq->ifq_tail = &tqe->tqe_next;
53682393Syz155240 MUTEX_EXIT(&ifq->ifq_lock);
53692393Syz155240 }
53702393Syz155240
53712393Syz155240
53722393Syz155240 /* ------------------------------------------------------------------------ */
53732393Syz155240 /* Function: fr_queueappend */
53742393Syz155240 /* Returns: Nil */
53752393Syz155240 /* Parameters: tqe(I) - pointer to timeout queue entry */
53762393Syz155240 /* ifq(I) - pointer to timeout queue */
53772393Syz155240 /* parent(I) - owing object pointer */
53782393Syz155240 /* */
53792393Syz155240 /* Add a new item to this queue and put it on the very end. */
53802393Syz155240 /* ------------------------------------------------------------------------ */
fr_queueappend(tqe,ifq,parent,ifs)53813448Sdh155122 void fr_queueappend(tqe, ifq, parent, ifs)
53822393Syz155240 ipftqent_t *tqe;
53832393Syz155240 ipftq_t *ifq;
53842393Syz155240 void *parent;
53853448Sdh155122 ipf_stack_t *ifs;
53862393Syz155240 {
53872393Syz155240
53882393Syz155240 MUTEX_ENTER(&ifq->ifq_lock);
53892393Syz155240 tqe->tqe_parent = parent;
53902393Syz155240 tqe->tqe_pnext = ifq->ifq_tail;
53912393Syz155240 *ifq->ifq_tail = tqe;
53922393Syz155240 ifq->ifq_tail = &tqe->tqe_next;
53932393Syz155240 tqe->tqe_next = NULL;
53942393Syz155240 tqe->tqe_ifq = ifq;
53953448Sdh155122 tqe->tqe_die = ifs->ifs_fr_ticks + ifq->ifq_ttl;
53962393Syz155240 ifq->ifq_ref++;
53972393Syz155240 MUTEX_EXIT(&ifq->ifq_lock);
53982393Syz155240 }
53992393Syz155240
54002393Syz155240
54012393Syz155240 /* ------------------------------------------------------------------------ */
54022393Syz155240 /* Function: fr_movequeue */
54032393Syz155240 /* Returns: Nil */
54042393Syz155240 /* Parameters: tq(I) - pointer to timeout queue information */
54052393Syz155240 /* oifp(I) - old timeout queue entry was on */
54062393Syz155240 /* nifp(I) - new timeout queue to put entry on */
54077591SJohn.Ojemann@Sun.COM /* ifs - ipf stack instance */
54082393Syz155240 /* */
54092393Syz155240 /* Move a queue entry from one timeout queue to another timeout queue. */
54102393Syz155240 /* If it notices that the current entry is already last and does not need */
54112393Syz155240 /* to move queue, the return. */
54122393Syz155240 /* ------------------------------------------------------------------------ */
fr_movequeue(tqe,oifq,nifq,ifs)54133448Sdh155122 void fr_movequeue(tqe, oifq, nifq, ifs)
54142393Syz155240 ipftqent_t *tqe;
54152393Syz155240 ipftq_t *oifq, *nifq;
54163448Sdh155122 ipf_stack_t *ifs;
54172393Syz155240 {
54182393Syz155240 /*
54197591SJohn.Ojemann@Sun.COM * If the queue isn't changing, and the clock hasn't ticked
54207591SJohn.Ojemann@Sun.COM * since the last update, the operation will be a no-op.
54212393Syz155240 */
54227591SJohn.Ojemann@Sun.COM if (oifq == nifq && tqe->tqe_touched == ifs->ifs_fr_ticks)
54237591SJohn.Ojemann@Sun.COM return;
54247591SJohn.Ojemann@Sun.COM
54257591SJohn.Ojemann@Sun.COM /*
54267591SJohn.Ojemann@Sun.COM * Grab the lock and update the timers.
54277591SJohn.Ojemann@Sun.COM */
54287591SJohn.Ojemann@Sun.COM MUTEX_ENTER(&oifq->ifq_lock);
54297591SJohn.Ojemann@Sun.COM tqe->tqe_touched = ifs->ifs_fr_ticks;
54307131Sdr146992 tqe->tqe_die = ifs->ifs_fr_ticks + nifq->ifq_ttl;
54317591SJohn.Ojemann@Sun.COM
54327591SJohn.Ojemann@Sun.COM /*
54337591SJohn.Ojemann@Sun.COM * The remainder of the operation can still be a no-op.
54347591SJohn.Ojemann@Sun.COM *
54357591SJohn.Ojemann@Sun.COM * If the queue isn't changing, check to see if
54367591SJohn.Ojemann@Sun.COM * an update would be meaningless.
54377591SJohn.Ojemann@Sun.COM */
54387131Sdr146992 if (oifq == nifq) {
54397591SJohn.Ojemann@Sun.COM if ((tqe->tqe_next == NULL) ||
54407591SJohn.Ojemann@Sun.COM (tqe->tqe_next->tqe_die == tqe->tqe_die)) {
54417591SJohn.Ojemann@Sun.COM MUTEX_EXIT(&oifq->ifq_lock);
54427131Sdr146992 return;
54437591SJohn.Ojemann@Sun.COM }
54447131Sdr146992 }
54457131Sdr146992
54462393Syz155240 /*
54472393Syz155240 * Remove from the old queue
54482393Syz155240 */
54492393Syz155240 *tqe->tqe_pnext = tqe->tqe_next;
54502393Syz155240 if (tqe->tqe_next)
54512393Syz155240 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
54522393Syz155240 else
54532393Syz155240 oifq->ifq_tail = tqe->tqe_pnext;
54542393Syz155240 tqe->tqe_next = NULL;
54552393Syz155240
54562393Syz155240 /*
54572393Syz155240 * If we're moving from one queue to another, release the lock on the
54582393Syz155240 * old queue and get a lock on the new queue. For user defined queues,
54592393Syz155240 * if we're moving off it, call delete in case it can now be freed.
54602393Syz155240 */
54612393Syz155240 if (oifq != nifq) {
54622393Syz155240 tqe->tqe_ifq = NULL;
54632393Syz155240
54642393Syz155240 (void) fr_deletetimeoutqueue(oifq);
54652393Syz155240
54662393Syz155240 MUTEX_EXIT(&oifq->ifq_lock);
54672393Syz155240
54682393Syz155240 MUTEX_ENTER(&nifq->ifq_lock);
54692393Syz155240
54702393Syz155240 tqe->tqe_ifq = nifq;
54712393Syz155240 nifq->ifq_ref++;
54722393Syz155240 }
54732393Syz155240
54742393Syz155240 /*
54752393Syz155240 * Add to the bottom of the new queue
54762393Syz155240 */
54772393Syz155240 tqe->tqe_pnext = nifq->ifq_tail;
54782393Syz155240 *nifq->ifq_tail = tqe;
54792393Syz155240 nifq->ifq_tail = &tqe->tqe_next;
54802393Syz155240 MUTEX_EXIT(&nifq->ifq_lock);
54812393Syz155240 }
54822393Syz155240
54832393Syz155240
54842393Syz155240 /* ------------------------------------------------------------------------ */
54852393Syz155240 /* Function: fr_updateipid */
54862393Syz155240 /* Returns: int - 0 == success, -1 == error (packet should be droppped) */
54872393Syz155240 /* Parameters: fin(I) - pointer to packet information */
54882393Syz155240 /* */
54892393Syz155240 /* When we are doing NAT, change the IP of every packet to represent a */
54902393Syz155240 /* single sequence of packets coming from the host, hiding any host */
54912393Syz155240 /* specific sequencing that might otherwise be revealed. If the packet is */
54922393Syz155240 /* a fragment, then store the 'new' IPid in the fragment cache and look up */
54932393Syz155240 /* the fragment cache for non-leading fragments. If a non-leading fragment */
54942393Syz155240 /* has no match in the cache, return an error. */
54952393Syz155240 /* ------------------------------------------------------------------------ */
fr_updateipid(fin)54962393Syz155240 static INLINE int fr_updateipid(fin)
54972393Syz155240 fr_info_t *fin;
54982393Syz155240 {
54992393Syz155240 u_short id, ido, sums;
55002393Syz155240 u_32_t sumd, sum;
55012393Syz155240 ip_t *ip;
55022393Syz155240
55032393Syz155240 if (fin->fin_off != 0) {
55042393Syz155240 sum = fr_ipid_knownfrag(fin);
55052393Syz155240 if (sum == 0xffffffff)
55062393Syz155240 return -1;
55072393Syz155240 sum &= 0xffff;
55082393Syz155240 id = (u_short)sum;
55092393Syz155240 } else {
55102393Syz155240 id = fr_nextipid(fin);
55112393Syz155240 if (fin->fin_off == 0 && (fin->fin_flx & FI_FRAG) != 0)
55122393Syz155240 (void) fr_ipid_newfrag(fin, (u_32_t)id);
55132393Syz155240 }
55142393Syz155240
55152393Syz155240 ip = fin->fin_ip;
55162393Syz155240 ido = ntohs(ip->ip_id);
55172393Syz155240 if (id == ido)
55182393Syz155240 return 0;
55192393Syz155240 ip->ip_id = htons(id);
55202393Syz155240 CALC_SUMD(ido, id, sumd); /* DESTRUCTIVE MACRO! id,ido change */
55212393Syz155240 sum = (~ntohs(ip->ip_sum)) & 0xffff;
55222393Syz155240 sum += sumd;
55232393Syz155240 sum = (sum >> 16) + (sum & 0xffff);
55242393Syz155240 sum = (sum >> 16) + (sum & 0xffff);
55252393Syz155240 sums = ~(u_short)sum;
55262393Syz155240 ip->ip_sum = htons(sums);
55272393Syz155240 return 0;
55282393Syz155240 }
55292393Syz155240
55302393Syz155240
55312393Syz155240 #ifdef NEED_FRGETIFNAME
55322393Syz155240 /* ------------------------------------------------------------------------ */
55332393Syz155240 /* Function: fr_getifname */
55342393Syz155240 /* Returns: char * - pointer to interface name */
55352393Syz155240 /* Parameters: ifp(I) - pointer to network interface */
55362393Syz155240 /* buffer(O) - pointer to where to store interface name */
55372393Syz155240 /* */
55382393Syz155240 /* Constructs an interface name in the buffer passed. The buffer passed is */
55392393Syz155240 /* expected to be at least LIFNAMSIZ in bytes big. If buffer is passed in */
55402393Syz155240 /* as a NULL pointer then return a pointer to a static array. */
55412393Syz155240 /* ------------------------------------------------------------------------ */
fr_getifname(ifp,buffer)55422393Syz155240 char *fr_getifname(ifp, buffer)
55432393Syz155240 struct ifnet *ifp;
55442393Syz155240 char *buffer;
55452393Syz155240 {
55462393Syz155240 static char namebuf[LIFNAMSIZ];
55472393Syz155240 # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
55482393Syz155240 defined(__sgi) || defined(linux) || defined(_AIX51) || \
55492393Syz155240 (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
55502393Syz155240 int unit, space;
55512393Syz155240 char temp[20];
55522393Syz155240 char *s;
55532393Syz155240 # endif
55542393Syz155240
55553448Sdh155122 ASSERT(buffer != NULL);
55563448Sdh155122 #ifdef notdef
55572393Syz155240 if (buffer == NULL)
55582393Syz155240 buffer = namebuf;
55593448Sdh155122 #endif
55602393Syz155240 (void) strncpy(buffer, ifp->if_name, LIFNAMSIZ);
55612393Syz155240 buffer[LIFNAMSIZ - 1] = '\0';
55622393Syz155240 # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
55632393Syz155240 defined(__sgi) || defined(_AIX51) || \
55642393Syz155240 (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
55652393Syz155240 for (s = buffer; *s; s++)
55662393Syz155240 ;
55672393Syz155240 unit = ifp->if_unit;
55682393Syz155240 space = LIFNAMSIZ - (s - buffer);
55692393Syz155240 if (space > 0) {
55702393Syz155240 # if defined(SNPRINTF) && defined(_KERNEL)
55712393Syz155240 (void) SNPRINTF(temp, sizeof(temp), "%d", unit);
55722393Syz155240 # else
55732393Syz155240 (void) sprintf(temp, "%d", unit);
55742393Syz155240 # endif
55752393Syz155240 (void) strncpy(s, temp, space);
55762393Syz155240 }
55772393Syz155240 # endif
55782393Syz155240 return buffer;
55792393Syz155240 }
55802393Syz155240 #endif
55812393Syz155240
55822393Syz155240
55832393Syz155240 /* ------------------------------------------------------------------------ */
55842393Syz155240 /* Function: fr_ioctlswitch */
55852393Syz155240 /* Returns: int - -1 continue processing, else ioctl return value */
55862393Syz155240 /* Parameters: unit(I) - device unit opened */
55872393Syz155240 /* data(I) - pointer to ioctl data */
55882393Syz155240 /* cmd(I) - ioctl command */
55892393Syz155240 /* mode(I) - mode value */
55902393Syz155240 /* */
55912393Syz155240 /* Based on the value of unit, call the appropriate ioctl handler or return */
55922393Syz155240 /* EIO if ipfilter is not running. Also checks if write perms are req'd */
55932393Syz155240 /* for the device in order to execute the ioctl. */
55942393Syz155240 /* ------------------------------------------------------------------------ */
fr_ioctlswitch(unit,data,cmd,mode,uid,ctx,ifs)55953448Sdh155122 INLINE int fr_ioctlswitch(unit, data, cmd, mode, uid, ctx, ifs)
55963448Sdh155122 int unit, mode, uid;
55972393Syz155240 ioctlcmd_t cmd;
55983448Sdh155122 void *data, *ctx;
55993448Sdh155122 ipf_stack_t *ifs;
56002393Syz155240 {
56012393Syz155240 int error = 0;
56022393Syz155240
56032393Syz155240 switch (unit)
56042393Syz155240 {
56052393Syz155240 case IPL_LOGIPF :
56062393Syz155240 error = -1;
56072393Syz155240 break;
56082393Syz155240 case IPL_LOGNAT :
56093448Sdh155122 if (ifs->ifs_fr_running > 0)
56103448Sdh155122 error = fr_nat_ioctl(data, cmd, mode, uid, ctx, ifs);
56112393Syz155240 else
56122393Syz155240 error = EIO;
56132393Syz155240 break;
56142393Syz155240 case IPL_LOGSTATE :
56153448Sdh155122 if (ifs->ifs_fr_running > 0)
56163448Sdh155122 error = fr_state_ioctl(data, cmd, mode, uid, ctx, ifs);
56172393Syz155240 else
56182393Syz155240 error = EIO;
56192393Syz155240 break;
56202393Syz155240 case IPL_LOGAUTH :
56213448Sdh155122 if (ifs->ifs_fr_running > 0) {
56222393Syz155240 if ((cmd == (ioctlcmd_t)SIOCADAFR) ||
56232393Syz155240 (cmd == (ioctlcmd_t)SIOCRMAFR)) {
56242393Syz155240 if (!(mode & FWRITE)) {
56252393Syz155240 error = EPERM;
56262393Syz155240 } else {
56272393Syz155240 error = frrequest(unit, cmd, data,
56283448Sdh155122 ifs->ifs_fr_active, 1, ifs);
56292393Syz155240 }
56302393Syz155240 } else {
56313448Sdh155122 error = fr_auth_ioctl(data, cmd, mode, uid, ctx, ifs);
56322393Syz155240 }
56332393Syz155240 } else
56342393Syz155240 error = EIO;
56352393Syz155240 break;
56362393Syz155240 case IPL_LOGSYNC :
56372393Syz155240 #ifdef IPFILTER_SYNC
56383448Sdh155122 if (ifs->ifs_fr_running > 0)
56393448Sdh155122 error = fr_sync_ioctl(data, cmd, mode, ifs);
56402393Syz155240 else
56412393Syz155240 #endif
56422393Syz155240 error = EIO;
56432393Syz155240 break;
56442393Syz155240 case IPL_LOGSCAN :
56452393Syz155240 #ifdef IPFILTER_SCAN
56463448Sdh155122 if (ifs->ifs_fr_running > 0)
56473448Sdh155122 error = fr_scan_ioctl(data, cmd, mode, ifs);
56482393Syz155240 else
56492393Syz155240 #endif
56502393Syz155240 error = EIO;
56512393Syz155240 break;
56522393Syz155240 case IPL_LOGLOOKUP :
56532393Syz155240 #ifdef IPFILTER_LOOKUP
56543448Sdh155122 if (ifs->ifs_fr_running > 0)
56553448Sdh155122 error = ip_lookup_ioctl(data, cmd, mode, uid, ctx, ifs);
56562393Syz155240 else
56572393Syz155240 #endif
56582393Syz155240 error = EIO;
56592393Syz155240 break;
56602393Syz155240 default :
56612393Syz155240 error = EIO;
56622393Syz155240 break;
56632393Syz155240 }
56642393Syz155240
56652393Syz155240 return error;
56662393Syz155240 }
56672393Syz155240
56682393Syz155240
56692393Syz155240 /*
56702393Syz155240 * This array defines the expected size of objects coming into the kernel
56712393Syz155240 * for the various recognised object types.
56722393Syz155240 */
56733448Sdh155122 #define NUM_OBJ_TYPES 19
56742393Syz155240
56752393Syz155240 static int fr_objbytes[NUM_OBJ_TYPES][2] = {
56762393Syz155240 { 1, sizeof(struct frentry) }, /* frentry */
56772393Syz155240 { 0, sizeof(struct friostat) },
56782393Syz155240 { 0, sizeof(struct fr_info) },
56792393Syz155240 { 0, sizeof(struct fr_authstat) },
56802393Syz155240 { 0, sizeof(struct ipfrstat) },
56812393Syz155240 { 0, sizeof(struct ipnat) },
56822393Syz155240 { 0, sizeof(struct natstat) },
56832393Syz155240 { 0, sizeof(struct ipstate_save) },
56842393Syz155240 { 1, sizeof(struct nat_save) }, /* nat_save */
56852393Syz155240 { 0, sizeof(struct natlookup) },
56862393Syz155240 { 1, sizeof(struct ipstate) }, /* ipstate */
56872393Syz155240 { 0, sizeof(struct ips_stat) },
56882393Syz155240 { 0, sizeof(struct frauth) },
56893448Sdh155122 { 0, sizeof(struct ipftune) },
56903448Sdh155122 { 0, sizeof(struct nat) }, /* nat_t */
56913448Sdh155122 { 0, sizeof(struct ipfruleiter) },
56923448Sdh155122 { 0, sizeof(struct ipfgeniter) },
56933448Sdh155122 { 0, sizeof(struct ipftable) },
56943448Sdh155122 { 0, sizeof(struct ipflookupiter) }
56952393Syz155240 };
56962393Syz155240
56972393Syz155240
56982393Syz155240 /* ------------------------------------------------------------------------ */
56992393Syz155240 /* Function: fr_inobj */
57002393Syz155240 /* Returns: int - 0 = success, else failure */
57012393Syz155240 /* Parameters: data(I) - pointer to ioctl data */
57022393Syz155240 /* ptr(I) - pointer to store real data in */
57032393Syz155240 /* type(I) - type of structure being moved */
57042393Syz155240 /* */
57052393Syz155240 /* Copy in the contents of what the ipfobj_t points to. In future, we */
57062393Syz155240 /* add things to check for version numbers, sizes, etc, to make it backward */
57072393Syz155240 /* compatible at the ABI for user land. */
57082393Syz155240 /* ------------------------------------------------------------------------ */
fr_inobj(data,ptr,type)57092393Syz155240 int fr_inobj(data, ptr, type)
57102393Syz155240 void *data;
57112393Syz155240 void *ptr;
57122393Syz155240 int type;
57132393Syz155240 {
57142393Syz155240 ipfobj_t obj;
57152393Syz155240 int error = 0;
57162393Syz155240
57172393Syz155240 if ((type < 0) || (type > NUM_OBJ_TYPES-1))
57182393Syz155240 return EINVAL;
57192393Syz155240
57207433SJohn.Ojemann@Sun.COM error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
57217433SJohn.Ojemann@Sun.COM if (error != 0)
57227433SJohn.Ojemann@Sun.COM return EFAULT;
57232393Syz155240
57242393Syz155240 if (obj.ipfo_type != type)
57252393Syz155240 return EINVAL;
57262393Syz155240
57272393Syz155240 #ifndef IPFILTER_COMPAT
57282393Syz155240 if ((fr_objbytes[type][0] & 1) != 0) {
57292393Syz155240 if (obj.ipfo_size < fr_objbytes[type][1])
57302393Syz155240 return EINVAL;
57312393Syz155240 } else if (obj.ipfo_size != fr_objbytes[type][1])
57322393Syz155240 return EINVAL;
57332393Syz155240 #else
57347176Syx160601 if (obj.ipfo_rev != IPFILTER_VERSION) {
57357176Syx160601 error = fr_incomptrans(&obj, ptr);
57367176Syx160601 return error;
57377176Syx160601 }
57387176Syx160601
57397176Syx160601 if ((fr_objbytes[type][0] & 1) != 0 &&
57407176Syx160601 obj.ipfo_size < fr_objbytes[type][1] ||
57417176Syx160601 obj.ipfo_size != fr_objbytes[type][1])
57422393Syz155240 return EINVAL;
57432393Syz155240 #endif
57442393Syz155240
57452393Syz155240 if ((fr_objbytes[type][0] & 1) != 0) {
57462393Syz155240 error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr,
57472393Syz155240 fr_objbytes[type][1]);
57482393Syz155240 } else {
57492393Syz155240 error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr,
57502393Syz155240 obj.ipfo_size);
57512393Syz155240 }
57522393Syz155240 return error;
57532393Syz155240 }
57542393Syz155240
57552393Syz155240
57562393Syz155240 /* ------------------------------------------------------------------------ */
57572393Syz155240 /* Function: fr_inobjsz */
57582393Syz155240 /* Returns: int - 0 = success, else failure */
57592393Syz155240 /* Parameters: data(I) - pointer to ioctl data */
57602393Syz155240 /* ptr(I) - pointer to store real data in */
57612393Syz155240 /* type(I) - type of structure being moved */
57622393Syz155240 /* sz(I) - size of data to copy */
57632393Syz155240 /* */
57642393Syz155240 /* As per fr_inobj, except the size of the object to copy in is passed in */
57652393Syz155240 /* but it must not be smaller than the size defined for the type and the */
57662393Syz155240 /* type must allow for varied sized objects. The extra requirement here is */
57672393Syz155240 /* that sz must match the size of the object being passed in - this is not */
57682393Syz155240 /* not possible nor required in fr_inobj(). */
57692393Syz155240 /* ------------------------------------------------------------------------ */
fr_inobjsz(data,ptr,type,sz)57702393Syz155240 int fr_inobjsz(data, ptr, type, sz)
57712393Syz155240 void *data;
57722393Syz155240 void *ptr;
57732393Syz155240 int type, sz;
57742393Syz155240 {
57752393Syz155240 ipfobj_t obj;
57762393Syz155240 int error;
57772393Syz155240
57782393Syz155240 if ((type < 0) || (type > NUM_OBJ_TYPES-1))
57792393Syz155240 return EINVAL;
57802393Syz155240 if (((fr_objbytes[type][0] & 1) == 0) || (sz < fr_objbytes[type][1]))
57812393Syz155240 return EINVAL;
57822393Syz155240
57837433SJohn.Ojemann@Sun.COM error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
57847433SJohn.Ojemann@Sun.COM if (error != 0)
57857433SJohn.Ojemann@Sun.COM return EFAULT;
57862393Syz155240
57872393Syz155240 if (obj.ipfo_type != type)
57882393Syz155240 return EINVAL;
57892393Syz155240
57902393Syz155240 #ifndef IPFILTER_COMPAT
57912393Syz155240 if (obj.ipfo_size != sz)
57922393Syz155240 return EINVAL;
57932393Syz155240 #else
57942393Syz155240 if (obj.ipfo_rev != IPFILTER_VERSION)
57957176Syx160601 /*XXX compatibility hook here */
57967176Syx160601 /*EMPTY*/;
57972393Syz155240 if (obj.ipfo_size != sz)
57982393Syz155240 /* XXX compatibility hook here */
57992393Syz155240 return EINVAL;
58002393Syz155240 #endif
58012393Syz155240
58022393Syz155240 error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr, sz);
58032393Syz155240 return error;
58042393Syz155240 }
58052393Syz155240
58062393Syz155240
58072393Syz155240 /* ------------------------------------------------------------------------ */
58082393Syz155240 /* Function: fr_outobjsz */
58092393Syz155240 /* Returns: int - 0 = success, else failure */
58102393Syz155240 /* Parameters: data(I) - pointer to ioctl data */
58112393Syz155240 /* ptr(I) - pointer to store real data in */
58122393Syz155240 /* type(I) - type of structure being moved */
58132393Syz155240 /* sz(I) - size of data to copy */
58142393Syz155240 /* */
58152393Syz155240 /* As per fr_outobj, except the size of the object to copy out is passed in */
58162393Syz155240 /* but it must not be smaller than the size defined for the type and the */
58172393Syz155240 /* type must allow for varied sized objects. The extra requirement here is */
58182393Syz155240 /* that sz must match the size of the object being passed in - this is not */
58192393Syz155240 /* not possible nor required in fr_outobj(). */
58202393Syz155240 /* ------------------------------------------------------------------------ */
fr_outobjsz(data,ptr,type,sz)58212393Syz155240 int fr_outobjsz(data, ptr, type, sz)
58222393Syz155240 void *data;
58232393Syz155240 void *ptr;
58242393Syz155240 int type, sz;
58252393Syz155240 {
58262393Syz155240 ipfobj_t obj;
58272393Syz155240 int error;
58282393Syz155240
58292393Syz155240 if ((type < 0) || (type > NUM_OBJ_TYPES-1) ||
58302393Syz155240 ((fr_objbytes[type][0] & 1) == 0) ||
58312393Syz155240 (sz < fr_objbytes[type][1]))
58322393Syz155240 return EINVAL;
58332393Syz155240
58347433SJohn.Ojemann@Sun.COM error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
58357433SJohn.Ojemann@Sun.COM if (error != 0)
58367433SJohn.Ojemann@Sun.COM return EFAULT;
58372393Syz155240
58382393Syz155240 if (obj.ipfo_type != type)
58392393Syz155240 return EINVAL;
58402393Syz155240
58412393Syz155240 #ifndef IPFILTER_COMPAT
58422393Syz155240 if (obj.ipfo_size != sz)
58432393Syz155240 return EINVAL;
58442393Syz155240 #else
58452393Syz155240 if (obj.ipfo_rev != IPFILTER_VERSION)
58462393Syz155240 /* XXX compatibility hook here */
58477176Syx160601 /*EMPTY*/;
58482393Syz155240 if (obj.ipfo_size != sz)
58492393Syz155240 /* XXX compatibility hook here */
58502393Syz155240 return EINVAL;
58512393Syz155240 #endif
58522393Syz155240
58532393Syz155240 error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, sz);
58542393Syz155240 return error;
58552393Syz155240 }
58562393Syz155240
58572393Syz155240
58582393Syz155240 /* ------------------------------------------------------------------------ */
58592393Syz155240 /* Function: fr_outobj */
58602393Syz155240 /* Returns: int - 0 = success, else failure */
58612393Syz155240 /* Parameters: data(I) - pointer to ioctl data */
58622393Syz155240 /* ptr(I) - pointer to store real data in */
58632393Syz155240 /* type(I) - type of structure being moved */
58642393Syz155240 /* */
58652393Syz155240 /* Copy out the contents of what ptr is to where ipfobj points to. In */
58662393Syz155240 /* future, we add things to check for version numbers, sizes, etc, to make */
58672393Syz155240 /* it backward compatible at the ABI for user land. */
58682393Syz155240 /* ------------------------------------------------------------------------ */
fr_outobj(data,ptr,type)58692393Syz155240 int fr_outobj(data, ptr, type)
58702393Syz155240 void *data;
58712393Syz155240 void *ptr;
58722393Syz155240 int type;
58732393Syz155240 {
58742393Syz155240 ipfobj_t obj;
58752393Syz155240 int error;
58762393Syz155240
58772393Syz155240 if ((type < 0) || (type > NUM_OBJ_TYPES-1))
58782393Syz155240 return EINVAL;
58792393Syz155240
58807433SJohn.Ojemann@Sun.COM error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
58817433SJohn.Ojemann@Sun.COM if (error != 0)
58827433SJohn.Ojemann@Sun.COM return EFAULT;
58832393Syz155240
58842393Syz155240 if (obj.ipfo_type != type)
58852393Syz155240 return EINVAL;
58862393Syz155240
58872393Syz155240 #ifndef IPFILTER_COMPAT
58882393Syz155240 if ((fr_objbytes[type][0] & 1) != 0) {
58892393Syz155240 if (obj.ipfo_size < fr_objbytes[type][1])
58902393Syz155240 return EINVAL;
58912393Syz155240 } else if (obj.ipfo_size != fr_objbytes[type][1])
58922393Syz155240 return EINVAL;
58932393Syz155240 #else
58947176Syx160601 if (obj.ipfo_rev != IPFILTER_VERSION) {
58957176Syx160601 error = fr_outcomptrans(&obj, ptr);
58967176Syx160601 return error;
58977176Syx160601 }
58987176Syx160601
58997176Syx160601 if ((fr_objbytes[type][0] & 1) != 0 &&
59007176Syx160601 obj.ipfo_size < fr_objbytes[type][1] ||
59017176Syx160601 obj.ipfo_size != fr_objbytes[type][1])
59022393Syz155240 return EINVAL;
59032393Syz155240 #endif
59042393Syz155240
59052393Syz155240 error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, obj.ipfo_size);
59062393Syz155240 return error;
59072393Syz155240 }
59082393Syz155240
59092393Syz155240
59102393Syz155240 /* ------------------------------------------------------------------------ */
59112393Syz155240 /* Function: fr_checkl4sum */
59122393Syz155240 /* Returns: int - 0 = good, -1 = bad, 1 = cannot check */
59132393Syz155240 /* Parameters: fin(I) - pointer to packet information */
59142393Syz155240 /* */
59152393Syz155240 /* If possible, calculate the layer 4 checksum for the packet. If this is */
59162393Syz155240 /* not possible, return without indicating a failure or success but in a */
59172393Syz155240 /* way that is ditinguishable. */
59182393Syz155240 /* ------------------------------------------------------------------------ */
fr_checkl4sum(fin)59192393Syz155240 int fr_checkl4sum(fin)
59202393Syz155240 fr_info_t *fin;
59212393Syz155240 {
59222393Syz155240 u_short sum, hdrsum, *csump;
59232393Syz155240 udphdr_t *udp;
59242393Syz155240 int dosum;
59253448Sdh155122 ipf_stack_t *ifs = fin->fin_ifs;
59262393Syz155240
59272958Sdr146992 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
59287513SDarren.Reed@Sun.COM net_handle_t net_data_p;
59292958Sdr146992 if (fin->fin_v == 4)
59303448Sdh155122 net_data_p = ifs->ifs_ipf_ipv4;
59312958Sdr146992 else
59323448Sdh155122 net_data_p = ifs->ifs_ipf_ipv6;
59332958Sdr146992 #endif
59342958Sdr146992
59352393Syz155240 if ((fin->fin_flx & FI_NOCKSUM) != 0)
59362393Syz155240 return 0;
59372393Syz155240
59382393Syz155240 /*
59392393Syz155240 * If the TCP packet isn't a fragment, isn't too short and otherwise
59402393Syz155240 * isn't already considered "bad", then validate the checksum. If
59412393Syz155240 * this check fails then considered the packet to be "bad".
59422393Syz155240 */
59432393Syz155240 if ((fin->fin_flx & (FI_FRAG|FI_SHORT|FI_BAD)) != 0)
59442393Syz155240 return 1;
59452393Syz155240
59462393Syz155240 csump = NULL;
59472393Syz155240 hdrsum = 0;
59482393Syz155240 dosum = 0;
59492393Syz155240 sum = 0;
59502393Syz155240
59512958Sdr146992 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
59522958Sdr146992 ASSERT(fin->fin_m != NULL);
59532958Sdr146992 if (NET_IS_HCK_L4_FULL(net_data_p, fin->fin_m) ||
59542958Sdr146992 NET_IS_HCK_L4_PART(net_data_p, fin->fin_m)) {
59552958Sdr146992 hdrsum = 0;
59562958Sdr146992 sum = 0;
59572393Syz155240 } else {
59582393Syz155240 #endif
59592393Syz155240 switch (fin->fin_p)
59602393Syz155240 {
59612393Syz155240 case IPPROTO_TCP :
59622393Syz155240 csump = &((tcphdr_t *)fin->fin_dp)->th_sum;
59632393Syz155240 dosum = 1;
59642393Syz155240 break;
59652393Syz155240
59662393Syz155240 case IPPROTO_UDP :
59672393Syz155240 udp = fin->fin_dp;
59682393Syz155240 if (udp->uh_sum != 0) {
59692393Syz155240 csump = &udp->uh_sum;
59702393Syz155240 dosum = 1;
59712393Syz155240 }
59722393Syz155240 break;
59732393Syz155240
59742393Syz155240 case IPPROTO_ICMP :
59752393Syz155240 csump = &((struct icmp *)fin->fin_dp)->icmp_cksum;
59762393Syz155240 dosum = 1;
59772393Syz155240 break;
59782393Syz155240
59792393Syz155240 default :
59802393Syz155240 return 1;
59812393Syz155240 /*NOTREACHED*/
59822393Syz155240 }
59832393Syz155240
59842393Syz155240 if (csump != NULL)
59852393Syz155240 hdrsum = *csump;
59862393Syz155240
59872393Syz155240 if (dosum)
59882393Syz155240 sum = fr_cksum(fin->fin_m, fin->fin_ip,
59892393Syz155240 fin->fin_p, fin->fin_dp);
59902958Sdr146992 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
59912393Syz155240 }
59922393Syz155240 #endif
59932393Syz155240 #if !defined(_KERNEL)
59942393Syz155240 if (sum == hdrsum) {
59952393Syz155240 FR_DEBUG(("checkl4sum: %hx == %hx\n", sum, hdrsum));
59962393Syz155240 } else {
59972393Syz155240 FR_DEBUG(("checkl4sum: %hx != %hx\n", sum, hdrsum));
59982393Syz155240 }
59992393Syz155240 #endif
60002393Syz155240 if (hdrsum == sum)
60012393Syz155240 return 0;
60022393Syz155240 return -1;
60032393Syz155240 }
60042393Syz155240
60052393Syz155240
60062393Syz155240 /* ------------------------------------------------------------------------ */
60072393Syz155240 /* Function: fr_ifpfillv4addr */
60082393Syz155240 /* Returns: int - 0 = address update, -1 = address not updated */
60092393Syz155240 /* Parameters: atype(I) - type of network address update to perform */
60102393Syz155240 /* sin(I) - pointer to source of address information */
60112393Syz155240 /* mask(I) - pointer to source of netmask information */
60122393Syz155240 /* inp(I) - pointer to destination address store */
60132393Syz155240 /* inpmask(I) - pointer to destination netmask store */
60142393Syz155240 /* */
60152393Syz155240 /* Given a type of network address update (atype) to perform, copy */
60162393Syz155240 /* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
60172393Syz155240 /* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
60182393Syz155240 /* which case the operation fails. For all values of atype other than */
60192393Syz155240 /* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
60202393Syz155240 /* value. */
60212393Syz155240 /* ------------------------------------------------------------------------ */
fr_ifpfillv4addr(atype,sin,mask,inp,inpmask)60222393Syz155240 int fr_ifpfillv4addr(atype, sin, mask, inp, inpmask)
60232393Syz155240 int atype;
60242393Syz155240 struct sockaddr_in *sin, *mask;
60252393Syz155240 struct in_addr *inp, *inpmask;
60262393Syz155240 {
60272393Syz155240 if (inpmask != NULL && atype != FRI_NETMASKED)
60282393Syz155240 inpmask->s_addr = 0xffffffff;
60292393Syz155240
60302393Syz155240 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
60312393Syz155240 if (atype == FRI_NETMASKED) {
60322393Syz155240 if (inpmask == NULL)
60332393Syz155240 return -1;
60342393Syz155240 inpmask->s_addr = mask->sin_addr.s_addr;
60352393Syz155240 }
60362393Syz155240 inp->s_addr = sin->sin_addr.s_addr & mask->sin_addr.s_addr;
60372393Syz155240 } else {
60382393Syz155240 inp->s_addr = sin->sin_addr.s_addr;
60392393Syz155240 }
60402393Syz155240 return 0;
60412393Syz155240 }
60422393Syz155240
60432393Syz155240
60442393Syz155240 #ifdef USE_INET6
60452393Syz155240 /* ------------------------------------------------------------------------ */
60462393Syz155240 /* Function: fr_ifpfillv6addr */
60472393Syz155240 /* Returns: int - 0 = address update, -1 = address not updated */
60482393Syz155240 /* Parameters: atype(I) - type of network address update to perform */
60492393Syz155240 /* sin(I) - pointer to source of address information */
60502393Syz155240 /* mask(I) - pointer to source of netmask information */
60512393Syz155240 /* inp(I) - pointer to destination address store */
60522393Syz155240 /* inpmask(I) - pointer to destination netmask store */
60532393Syz155240 /* */
60542393Syz155240 /* Given a type of network address update (atype) to perform, copy */
60552393Syz155240 /* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
60562393Syz155240 /* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
60572393Syz155240 /* which case the operation fails. For all values of atype other than */
60582393Syz155240 /* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
60592393Syz155240 /* value. */
60602393Syz155240 /* ------------------------------------------------------------------------ */
fr_ifpfillv6addr(atype,sin,mask,inp,inpmask)60612393Syz155240 int fr_ifpfillv6addr(atype, sin, mask, inp, inpmask)
60622393Syz155240 int atype;
60632393Syz155240 struct sockaddr_in6 *sin, *mask;
60642393Syz155240 struct in_addr *inp, *inpmask;
60652393Syz155240 {
60662393Syz155240 i6addr_t *src, *dst, *and, *dmask;
60672393Syz155240
60682393Syz155240 src = (i6addr_t *)&sin->sin6_addr;
60692393Syz155240 and = (i6addr_t *)&mask->sin6_addr;
60702393Syz155240 dst = (i6addr_t *)inp;
60712393Syz155240 dmask = (i6addr_t *)inpmask;
60722393Syz155240
60732393Syz155240 if (inpmask != NULL && atype != FRI_NETMASKED) {
60742393Syz155240 dmask->i6[0] = 0xffffffff;
60752393Syz155240 dmask->i6[1] = 0xffffffff;
60762393Syz155240 dmask->i6[2] = 0xffffffff;
60772393Syz155240 dmask->i6[3] = 0xffffffff;
60782393Syz155240 }
60792393Syz155240
60802393Syz155240 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
60812393Syz155240 if (atype == FRI_NETMASKED) {
60822393Syz155240 if (inpmask == NULL)
60832393Syz155240 return -1;
60842393Syz155240 dmask->i6[0] = and->i6[0];
60852393Syz155240 dmask->i6[1] = and->i6[1];
60862393Syz155240 dmask->i6[2] = and->i6[2];
60872393Syz155240 dmask->i6[3] = and->i6[3];
60882393Syz155240 }
60892393Syz155240
60902393Syz155240 dst->i6[0] = src->i6[0] & and->i6[0];
60912393Syz155240 dst->i6[1] = src->i6[1] & and->i6[1];
60922393Syz155240 dst->i6[2] = src->i6[2] & and->i6[2];
60932393Syz155240 dst->i6[3] = src->i6[3] & and->i6[3];
60942393Syz155240 } else {
60952393Syz155240 dst->i6[0] = src->i6[0];
60962393Syz155240 dst->i6[1] = src->i6[1];
60972393Syz155240 dst->i6[2] = src->i6[2];
60982393Syz155240 dst->i6[3] = src->i6[3];
60992393Syz155240 }
61002393Syz155240 return 0;
61012393Syz155240 }
61022393Syz155240 #endif
61032393Syz155240
61042393Syz155240
61052393Syz155240 /* ------------------------------------------------------------------------ */
61062393Syz155240 /* Function: fr_matchtag */
61072393Syz155240 /* Returns: 0 == mismatch, 1 == match. */
61082393Syz155240 /* Parameters: tag1(I) - pointer to first tag to compare */
61092393Syz155240 /* tag2(I) - pointer to second tag to compare */
61102393Syz155240 /* */
61112393Syz155240 /* Returns true (non-zero) or false(0) if the two tag structures can be */
61122393Syz155240 /* considered to be a match or not match, respectively. The tag is 16 */
61132393Syz155240 /* bytes long (16 characters) but that is overlayed with 4 32bit ints so */
61142393Syz155240 /* compare the ints instead, for speed. tag1 is the master of the */
61152393Syz155240 /* comparison. This function should only be called with both tag1 and tag2 */
61162393Syz155240 /* as non-NULL pointers. */
61172393Syz155240 /* ------------------------------------------------------------------------ */
fr_matchtag(tag1,tag2)61182393Syz155240 int fr_matchtag(tag1, tag2)
61192393Syz155240 ipftag_t *tag1, *tag2;
61202393Syz155240 {
61212393Syz155240 if (tag1 == tag2)
61222393Syz155240 return 1;
61232393Syz155240
61242393Syz155240 if ((tag1->ipt_num[0] == 0) && (tag2->ipt_num[0] == 0))
61252393Syz155240 return 1;
61262393Syz155240
61272393Syz155240 if ((tag1->ipt_num[0] == tag2->ipt_num[0]) &&
61282393Syz155240 (tag1->ipt_num[1] == tag2->ipt_num[1]) &&
61292393Syz155240 (tag1->ipt_num[2] == tag2->ipt_num[2]) &&
61302393Syz155240 (tag1->ipt_num[3] == tag2->ipt_num[3]))
61312393Syz155240 return 1;
61322393Syz155240 return 0;
61332393Syz155240 }
61342393Syz155240
61352393Syz155240
61362393Syz155240 /* ------------------------------------------------------------------------ */
61372393Syz155240 /* Function: fr_coalesce */
61382393Syz155240 /* Returns: 1 == success, -1 == failure, 0 == no change */
61392393Syz155240 /* Parameters: fin(I) - pointer to packet information */
61402393Syz155240 /* */
61412393Syz155240 /* Attempt to get all of the packet data into a single, contiguous buffer. */
61422393Syz155240 /* If this call returns a failure then the buffers have also been freed. */
61432393Syz155240 /* ------------------------------------------------------------------------ */
fr_coalesce(fin)61442393Syz155240 int fr_coalesce(fin)
61452393Syz155240 fr_info_t *fin;
61462393Syz155240 {
61473448Sdh155122 ipf_stack_t *ifs = fin->fin_ifs;
61482393Syz155240 if ((fin->fin_flx & FI_COALESCE) != 0)
61492393Syz155240 return 1;
61502393Syz155240
61512393Syz155240 /*
61522393Syz155240 * If the mbuf pointers indicate that there is no mbuf to work with,
61532393Syz155240 * return but do not indicate success or failure.
61542393Syz155240 */
61552393Syz155240 if (fin->fin_m == NULL || fin->fin_mp == NULL)
61562393Syz155240 return 0;
61572393Syz155240
61582393Syz155240 #if defined(_KERNEL)
61592393Syz155240 if (fr_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) {
61607131Sdr146992 IPF_BUMP(ifs->ifs_fr_badcoalesces[fin->fin_out]);
61612393Syz155240 # ifdef MENTAT
61622393Syz155240 FREE_MB_T(*fin->fin_mp);
61632393Syz155240 # endif
61642393Syz155240 *fin->fin_mp = NULL;
61652393Syz155240 fin->fin_m = NULL;
61662393Syz155240 return -1;
61672393Syz155240 }
61682393Syz155240 #else
61692393Syz155240 fin = fin; /* LINT */
61702393Syz155240 #endif
61712393Syz155240 return 1;
61722393Syz155240 }
61732393Syz155240
61742393Syz155240
61752393Syz155240 /*
61762393Syz155240 * The following table lists all of the tunable variables that can be
61773448Sdh155122 * accessed via SIOCIPFGET/SIOCIPFSET/SIOCIPFGETNEXT. The format of each row
61782393Syz155240 * in the table below is as follows:
61792393Syz155240 *
61802393Syz155240 * pointer to value, name of value, minimum, maximum, size of the value's
61812393Syz155240 * container, value attribute flags
61822393Syz155240 *
61832393Syz155240 * For convienience, IPFT_RDONLY means the value is read-only, IPFT_WRDISABLED
61842393Syz155240 * means the value can only be written to when IPFilter is loaded but disabled.
61852393Syz155240 * The obvious implication is if neither of these are set then the value can be
61862393Syz155240 * changed at any time without harm.
61872393Syz155240 */
61883448Sdh155122 ipftuneable_t lcl_ipf_tuneables[] = {
61892393Syz155240 /* filtering */
61903448Sdh155122 { { NULL }, "fr_flags", 0, 0xffffffff,
61913448Sdh155122 0, 0 },
61923448Sdh155122 { { NULL }, "fr_active", 0, 0,
61933448Sdh155122 0, IPFT_RDONLY },
61943448Sdh155122 { { NULL }, "fr_control_forwarding", 0, 1,
61953448Sdh155122 0, 0 },
61963448Sdh155122 { { NULL }, "fr_update_ipid", 0, 1,
61973448Sdh155122 0, 0 },
61983448Sdh155122 { { NULL }, "fr_chksrc", 0, 1,
61993448Sdh155122 0, 0 },
62003448Sdh155122 { { NULL }, "fr_minttl", 0, 1,
62013448Sdh155122 0, 0 },
62023448Sdh155122 { { NULL }, "fr_icmpminfragmtu", 0, 1,
62033448Sdh155122 0, 0 },
62043448Sdh155122 { { NULL }, "fr_pass", 0, 0xffffffff,
62053448Sdh155122 0, 0 },
62062958Sdr146992 #if SOLARIS2 >= 10
62073448Sdh155122 { { NULL }, "ipf_loopback", 0, 1,
62083448Sdh155122 0, IPFT_WRDISABLED },
62092958Sdr146992 #endif
62102393Syz155240 /* state */
62113448Sdh155122 { { NULL }, "fr_tcpidletimeout", 1, 0x7fffffff,
62123448Sdh155122 0, IPFT_WRDISABLED },
62133448Sdh155122 { { NULL }, "fr_tcpclosewait", 1, 0x7fffffff,
62143448Sdh155122 0, IPFT_WRDISABLED },
62153448Sdh155122 { { NULL }, "fr_tcplastack", 1, 0x7fffffff,
62163448Sdh155122 0, IPFT_WRDISABLED },
62173448Sdh155122 { { NULL }, "fr_tcptimeout", 1, 0x7fffffff,
62183448Sdh155122 0, IPFT_WRDISABLED },
62193448Sdh155122 { { NULL }, "fr_tcpclosed", 1, 0x7fffffff,
62203448Sdh155122 0, IPFT_WRDISABLED },
62213448Sdh155122 { { NULL }, "fr_tcphalfclosed", 1, 0x7fffffff,
62223448Sdh155122 0, IPFT_WRDISABLED },
62233448Sdh155122 { { NULL }, "fr_udptimeout", 1, 0x7fffffff,
62243448Sdh155122 0, IPFT_WRDISABLED },
62253448Sdh155122 { { NULL }, "fr_udpacktimeout", 1, 0x7fffffff,
62263448Sdh155122 0, IPFT_WRDISABLED },
62273448Sdh155122 { { NULL }, "fr_icmptimeout", 1, 0x7fffffff,
62283448Sdh155122 0, IPFT_WRDISABLED },
62293448Sdh155122 { { NULL }, "fr_icmpacktimeout", 1, 0x7fffffff,
62303448Sdh155122 0, IPFT_WRDISABLED },
62313448Sdh155122 { { NULL }, "fr_iptimeout", 1, 0x7fffffff,
62323448Sdh155122 0, IPFT_WRDISABLED },
62333448Sdh155122 { { NULL }, "fr_statemax", 1, 0x7fffffff,
62343448Sdh155122 0, 0 },
62353448Sdh155122 { { NULL }, "fr_statesize", 1, 0x7fffffff,
62363448Sdh155122 0, IPFT_WRDISABLED },
62373448Sdh155122 { { NULL }, "fr_state_lock", 0, 1,
62383448Sdh155122 0, IPFT_RDONLY },
62393448Sdh155122 { { NULL }, "fr_state_maxbucket", 1, 0x7fffffff,
62403448Sdh155122 0, IPFT_WRDISABLED },
62413448Sdh155122 { { NULL }, "fr_state_maxbucket_reset", 0, 1,
62423448Sdh155122 0, IPFT_WRDISABLED },
62433448Sdh155122 { { NULL }, "ipstate_logging", 0, 1,
62443448Sdh155122 0, 0 },
62458170SJohn.Ojemann@Sun.COM { { NULL }, "state_flush_level_hi", 1, 100,
62468170SJohn.Ojemann@Sun.COM 0, 0 },
62478170SJohn.Ojemann@Sun.COM { { NULL }, "state_flush_level_lo", 1, 100,
62488170SJohn.Ojemann@Sun.COM 0, 0 },
62492393Syz155240 /* nat */
62503448Sdh155122 { { NULL }, "fr_nat_lock", 0, 1,
62513448Sdh155122 0, IPFT_RDONLY },
62523448Sdh155122 { { NULL }, "ipf_nattable_sz", 1, 0x7fffffff,
62533448Sdh155122 0, IPFT_WRDISABLED },
62543448Sdh155122 { { NULL }, "ipf_nattable_max", 1, 0x7fffffff,
62553448Sdh155122 0, 0 },
62563448Sdh155122 { { NULL }, "ipf_natrules_sz", 1, 0x7fffffff,
62573448Sdh155122 0, IPFT_WRDISABLED },
62583448Sdh155122 { { NULL }, "ipf_rdrrules_sz", 1, 0x7fffffff,
62593448Sdh155122 0, IPFT_WRDISABLED },
62603448Sdh155122 { { NULL }, "ipf_hostmap_sz", 1, 0x7fffffff,
62613448Sdh155122 0, IPFT_WRDISABLED },
62623448Sdh155122 { { NULL }, "fr_nat_maxbucket", 1, 0x7fffffff,
62633448Sdh155122 0, IPFT_WRDISABLED },
62643448Sdh155122 { { NULL }, "fr_nat_maxbucket_reset", 0, 1,
62653448Sdh155122 0, IPFT_WRDISABLED },
62663448Sdh155122 { { NULL }, "nat_logging", 0, 1,
62673448Sdh155122 0, 0 },
62683448Sdh155122 { { NULL }, "fr_defnatage", 1, 0x7fffffff,
62693448Sdh155122 0, IPFT_WRDISABLED },
62703448Sdh155122 { { NULL }, "fr_defnatipage", 1, 0x7fffffff,
62713448Sdh155122 0, IPFT_WRDISABLED },
62723448Sdh155122 { { NULL }, "fr_defnaticmpage", 1, 0x7fffffff,
62733448Sdh155122 0, IPFT_WRDISABLED },
62748170SJohn.Ojemann@Sun.COM { { NULL }, "nat_flush_level_hi", 1, 100,
62754817San207044 0, 0 },
62768170SJohn.Ojemann@Sun.COM { { NULL }, "nat_flush_level_lo", 1, 100,
62774817San207044 0, 0 },
62782393Syz155240 /* frag */
62793448Sdh155122 { { NULL }, "ipfr_size", 1, 0x7fffffff,
62803448Sdh155122 0, IPFT_WRDISABLED },
62813448Sdh155122 { { NULL }, "fr_ipfrttl", 1, 0x7fffffff,
62823448Sdh155122 0, IPFT_WRDISABLED },
62832393Syz155240 #ifdef IPFILTER_LOG
62842393Syz155240 /* log */
62853448Sdh155122 { { NULL }, "ipl_suppress", 0, 1,
62863448Sdh155122 0, 0 },
62873448Sdh155122 { { NULL }, "ipl_buffer_sz", 0, 0,
62883448Sdh155122 0, IPFT_RDONLY },
62893448Sdh155122 { { NULL }, "ipl_logmax", 0, 0x7fffffff,
62903448Sdh155122 0, IPFT_WRDISABLED },
62913448Sdh155122 { { NULL }, "ipl_logall", 0, 1,
62923448Sdh155122 0, 0 },
62933448Sdh155122 { { NULL }, "ipl_logsize", 0, 0x80000,
62943448Sdh155122 0, 0 },
62952393Syz155240 #endif
62962393Syz155240 { { NULL }, NULL, 0, 0 }
62972393Syz155240 };
62982393Syz155240
62993448Sdh155122 static ipftuneable_t *
tune_lookup(ipf_stack_t * ifs,char * name)63003448Sdh155122 tune_lookup(ipf_stack_t *ifs, char *name)
63013448Sdh155122 {
63023448Sdh155122 int i;
63033448Sdh155122
63043448Sdh155122 for (i = 0; ifs->ifs_ipf_tuneables[i].ipft_name != NULL; i++) {
63053448Sdh155122 if (strcmp(ifs->ifs_ipf_tuneables[i].ipft_name, name) == 0)
63063448Sdh155122 return (&ifs->ifs_ipf_tuneables[i]);
63073448Sdh155122 }
63083448Sdh155122 return (NULL);
63093448Sdh155122 }
63103448Sdh155122
63113448Sdh155122 #ifdef _KERNEL
63123448Sdh155122 extern dev_info_t *ipf_dev_info;
63133448Sdh155122 extern int ipf_property_update __P((dev_info_t *, ipf_stack_t *));
63143448Sdh155122 #endif
63154251San207044
63164251San207044 /* -------------------------------------------------------------------- */
63174251San207044 /* Function: ipftuneable_setdefs() */
63184251San207044 /* Returns: void */
63194251San207044 /* Parameters: ifs - pointer to newly allocated IPF instance */
63204251San207044 /* assigned to IP instance */
63214251San207044 /* */
63224251San207044 /* Function initializes IPF instance variables. Function is invoked */
63234251San207044 /* from ipftuneable_alloc(). ipftuneable_alloc() is called only one */
63244251San207044 /* time during IP instance lifetime - at the time of IP instance */
63254251San207044 /* creation. Anytime IP instance is being created new private IPF */
63264251San207044 /* instance is allocated and assigned to it. The moment of IP */
63274251San207044 /* instance creation is the right time to initialize those IPF */
63284251San207044 /* variables. */
63294251San207044 /* */
63304251San207044 /* -------------------------------------------------------------------- */
ipftuneable_setdefs(ipf_stack_t * ifs)63314251San207044 static void ipftuneable_setdefs(ipf_stack_t *ifs)
63324251San207044 {
63334251San207044 ifs->ifs_ipfr_size = IPFT_SIZE;
63344251San207044 ifs->ifs_fr_ipfrttl = 120; /* 60 seconds */
63354251San207044
63364251San207044 /* it comes from fr_authinit() in IPF auth */
63374251San207044 ifs->ifs_fr_authsize = FR_NUMAUTH;
63384251San207044 ifs->ifs_fr_defaultauthage = 600;
63394251San207044
63404251San207044 /* it comes from fr_stateinit() in IPF state */
63414251San207044 ifs->ifs_fr_tcpidletimeout = IPF_TTLVAL(3600 * 24 * 5); /* five days */
63424251San207044 ifs->ifs_fr_tcpclosewait = IPF_TTLVAL(TCP_MSL);
63434251San207044 ifs->ifs_fr_tcplastack = IPF_TTLVAL(TCP_MSL);
63444251San207044 ifs->ifs_fr_tcptimeout = IPF_TTLVAL(TCP_MSL);
63454251San207044 ifs->ifs_fr_tcpclosed = IPF_TTLVAL(60);
63464251San207044 ifs->ifs_fr_tcphalfclosed = IPF_TTLVAL(2 * 3600); /* 2 hours */
63474251San207044 ifs->ifs_fr_udptimeout = IPF_TTLVAL(120);
63484251San207044 ifs->ifs_fr_udpacktimeout = IPF_TTLVAL(12);
63494251San207044 ifs->ifs_fr_icmptimeout = IPF_TTLVAL(60);
63504251San207044 ifs->ifs_fr_icmpacktimeout = IPF_TTLVAL(6);
63514251San207044 ifs->ifs_fr_iptimeout = IPF_TTLVAL(60);
63524251San207044 ifs->ifs_fr_statemax = IPSTATE_MAX;
63534251San207044 ifs->ifs_fr_statesize = IPSTATE_SIZE;
63544251San207044 ifs->ifs_fr_state_maxbucket_reset = 1;
63558170SJohn.Ojemann@Sun.COM ifs->ifs_state_flush_level_hi = ST_FLUSH_HI;
63568170SJohn.Ojemann@Sun.COM ifs->ifs_state_flush_level_lo = ST_FLUSH_LO;
63574251San207044
63584251San207044 /* it comes from fr_natinit() in ipnat */
63594251San207044 ifs->ifs_ipf_nattable_sz = NAT_TABLE_SZ;
63604251San207044 ifs->ifs_ipf_nattable_max = NAT_TABLE_MAX;
63614251San207044 ifs->ifs_ipf_natrules_sz = NAT_SIZE;
63624251San207044 ifs->ifs_ipf_rdrrules_sz = RDR_SIZE;
63634251San207044 ifs->ifs_ipf_hostmap_sz = HOSTMAP_SIZE;
63644251San207044 ifs->ifs_fr_nat_maxbucket_reset = 1;
63654251San207044 ifs->ifs_fr_defnatage = DEF_NAT_AGE;
63664251San207044 ifs->ifs_fr_defnatipage = 120; /* 60 seconds */
63674251San207044 ifs->ifs_fr_defnaticmpage = 6; /* 3 seconds */
63688170SJohn.Ojemann@Sun.COM ifs->ifs_nat_flush_level_hi = NAT_FLUSH_HI;
63698170SJohn.Ojemann@Sun.COM ifs->ifs_nat_flush_level_lo = NAT_FLUSH_LO;
63704251San207044
63714251San207044 #ifdef IPFILTER_LOG
63724251San207044 /* it comes from fr_loginit() in IPF log */
63734251San207044 ifs->ifs_ipl_suppress = 1;
63744251San207044 ifs->ifs_ipl_logmax = IPL_LOGMAX;
63754251San207044 ifs->ifs_ipl_logsize = IPFILTER_LOGSIZE;
63764251San207044
63774251San207044 /* from fr_natinit() */
63784251San207044 ifs->ifs_nat_logging = 1;
63794251San207044
63804251San207044 /* from fr_stateinit() */
63814251San207044 ifs->ifs_ipstate_logging = 1;
63824251San207044 #else
63834251San207044 /* from fr_natinit() */
63844251San207044 ifs->ifs_nat_logging = 0;
63854251San207044
63864251San207044 /* from fr_stateinit() */
63874251San207044 ifs->ifs_ipstate_logging = 0;
63884251San207044 #endif
63895941Szf203873 ifs->ifs_ipf_loopback = 0;
63904251San207044
63914251San207044 }
63923448Sdh155122 /*
63933448Sdh155122 * Allocate a per-stack tuneable and copy in the names. Then
63943448Sdh155122 * set it to point to each of the per-stack tunables.
63953448Sdh155122 */
63963448Sdh155122 void
ipftuneable_alloc(ipf_stack_t * ifs)63973448Sdh155122 ipftuneable_alloc(ipf_stack_t *ifs)
63983448Sdh155122 {
63993448Sdh155122 ipftuneable_t *item;
64003448Sdh155122
64013448Sdh155122 KMALLOCS(ifs->ifs_ipf_tuneables, ipftuneable_t *,
64023448Sdh155122 sizeof (lcl_ipf_tuneables));
64033448Sdh155122 bcopy(lcl_ipf_tuneables, ifs->ifs_ipf_tuneables,
64043448Sdh155122 sizeof (lcl_ipf_tuneables));
64053448Sdh155122
64063448Sdh155122 #define TUNE_SET(_ifs, _name, _field) \
64073448Sdh155122 item = tune_lookup((_ifs), (_name)); \
64083448Sdh155122 if (item != NULL) { \
64093448Sdh155122 item->ipft_una.ipftp_int = (unsigned int *)&((_ifs)->_field); \
64103448Sdh155122 item->ipft_sz = sizeof ((_ifs)->_field); \
64113448Sdh155122 }
64123448Sdh155122
64133448Sdh155122 TUNE_SET(ifs, "fr_flags", ifs_fr_flags);
64143448Sdh155122 TUNE_SET(ifs, "fr_active", ifs_fr_active);
64153448Sdh155122 TUNE_SET(ifs, "fr_control_forwarding", ifs_fr_control_forwarding);
64163448Sdh155122 TUNE_SET(ifs, "fr_update_ipid", ifs_fr_update_ipid);
64173448Sdh155122 TUNE_SET(ifs, "fr_chksrc", ifs_fr_chksrc);
64183448Sdh155122 TUNE_SET(ifs, "fr_minttl", ifs_fr_minttl);
64193448Sdh155122 TUNE_SET(ifs, "fr_icmpminfragmtu", ifs_fr_icmpminfragmtu);
64203448Sdh155122 TUNE_SET(ifs, "fr_pass", ifs_fr_pass);
64213448Sdh155122 TUNE_SET(ifs, "fr_tcpidletimeout", ifs_fr_tcpidletimeout);
64223448Sdh155122 TUNE_SET(ifs, "fr_tcpclosewait", ifs_fr_tcpclosewait);
64233448Sdh155122 TUNE_SET(ifs, "fr_tcplastack", ifs_fr_tcplastack);
64243448Sdh155122 TUNE_SET(ifs, "fr_tcptimeout", ifs_fr_tcptimeout);
64253448Sdh155122 TUNE_SET(ifs, "fr_tcpclosed", ifs_fr_tcpclosed);
64263448Sdh155122 TUNE_SET(ifs, "fr_tcphalfclosed", ifs_fr_tcphalfclosed);
64273448Sdh155122 TUNE_SET(ifs, "fr_udptimeout", ifs_fr_udptimeout);
64283448Sdh155122 TUNE_SET(ifs, "fr_udpacktimeout", ifs_fr_udpacktimeout);
64293448Sdh155122 TUNE_SET(ifs, "fr_icmptimeout", ifs_fr_icmptimeout);
64303448Sdh155122 TUNE_SET(ifs, "fr_icmpacktimeout", ifs_fr_icmpacktimeout);
64313448Sdh155122 TUNE_SET(ifs, "fr_iptimeout", ifs_fr_iptimeout);
64323448Sdh155122 TUNE_SET(ifs, "fr_statemax", ifs_fr_statemax);
64333448Sdh155122 TUNE_SET(ifs, "fr_statesize", ifs_fr_statesize);
64343448Sdh155122 TUNE_SET(ifs, "fr_state_lock", ifs_fr_state_lock);
64353448Sdh155122 TUNE_SET(ifs, "fr_state_maxbucket", ifs_fr_state_maxbucket);
64363448Sdh155122 TUNE_SET(ifs, "fr_state_maxbucket_reset", ifs_fr_state_maxbucket_reset);
64373448Sdh155122 TUNE_SET(ifs, "ipstate_logging", ifs_ipstate_logging);
64383448Sdh155122 TUNE_SET(ifs, "fr_nat_lock", ifs_fr_nat_lock);
64393448Sdh155122 TUNE_SET(ifs, "ipf_nattable_sz", ifs_ipf_nattable_sz);
64403448Sdh155122 TUNE_SET(ifs, "ipf_nattable_max", ifs_ipf_nattable_max);
64413448Sdh155122 TUNE_SET(ifs, "ipf_natrules_sz", ifs_ipf_natrules_sz);
64423448Sdh155122 TUNE_SET(ifs, "ipf_rdrrules_sz", ifs_ipf_rdrrules_sz);
64433448Sdh155122 TUNE_SET(ifs, "ipf_hostmap_sz", ifs_ipf_hostmap_sz);
64443448Sdh155122 TUNE_SET(ifs, "fr_nat_maxbucket", ifs_fr_nat_maxbucket);
64453448Sdh155122 TUNE_SET(ifs, "fr_nat_maxbucket_reset", ifs_fr_nat_maxbucket_reset);
64463448Sdh155122 TUNE_SET(ifs, "nat_logging", ifs_nat_logging);
64473448Sdh155122 TUNE_SET(ifs, "fr_defnatage", ifs_fr_defnatage);
64485941Szf203873 TUNE_SET(ifs, "fr_defnatipage", ifs_fr_defnatipage);
64493448Sdh155122 TUNE_SET(ifs, "fr_defnaticmpage", ifs_fr_defnaticmpage);
64508170SJohn.Ojemann@Sun.COM TUNE_SET(ifs, "nat_flush_level_hi", ifs_nat_flush_level_hi);
64518170SJohn.Ojemann@Sun.COM TUNE_SET(ifs, "nat_flush_level_lo", ifs_nat_flush_level_lo);
64528170SJohn.Ojemann@Sun.COM TUNE_SET(ifs, "state_flush_level_hi", ifs_state_flush_level_hi);
64538170SJohn.Ojemann@Sun.COM TUNE_SET(ifs, "state_flush_level_lo", ifs_state_flush_level_lo);
64543448Sdh155122 TUNE_SET(ifs, "ipfr_size", ifs_ipfr_size);
64553448Sdh155122 TUNE_SET(ifs, "fr_ipfrttl", ifs_fr_ipfrttl);
64565941Szf203873 TUNE_SET(ifs, "ipf_loopback", ifs_ipf_loopback);
64573448Sdh155122 #ifdef IPFILTER_LOG
64583448Sdh155122 TUNE_SET(ifs, "ipl_suppress", ifs_ipl_suppress);
64593448Sdh155122 TUNE_SET(ifs, "ipl_buffer_sz", ifs_ipl_buffer_sz);
64603448Sdh155122 TUNE_SET(ifs, "ipl_logmax", ifs_ipl_logmax);
64613448Sdh155122 TUNE_SET(ifs, "ipl_logall", ifs_ipl_logall);
64623448Sdh155122 TUNE_SET(ifs, "ipl_logsize", ifs_ipl_logsize);
64633448Sdh155122 #endif
64643448Sdh155122 #undef TUNE_SET
64653448Sdh155122
64664251San207044 ipftuneable_setdefs(ifs);
64674251San207044
64683448Sdh155122 #ifdef _KERNEL
64693448Sdh155122 (void) ipf_property_update(ipf_dev_info, ifs);
64703448Sdh155122 #endif
64713448Sdh155122 }
64723448Sdh155122
64733448Sdh155122 void
ipftuneable_free(ipf_stack_t * ifs)64743448Sdh155122 ipftuneable_free(ipf_stack_t *ifs)
64753448Sdh155122 {
64763448Sdh155122 KFREES(ifs->ifs_ipf_tuneables, sizeof (lcl_ipf_tuneables));
64773448Sdh155122 ifs->ifs_ipf_tuneables = NULL;
64783448Sdh155122 }
64792393Syz155240
64802393Syz155240 /* ------------------------------------------------------------------------ */
64812393Syz155240 /* Function: fr_findtunebycookie */
64822393Syz155240 /* Returns: NULL = search failed, else pointer to tune struct */
64832393Syz155240 /* Parameters: cookie(I) - cookie value to search for amongst tuneables */
64842393Syz155240 /* next(O) - pointer to place to store the cookie for the */
64852393Syz155240 /* "next" tuneable, if it is desired. */
64862393Syz155240 /* */
64872393Syz155240 /* This function is used to walk through all of the existing tunables with */
64882393Syz155240 /* successive calls. It searches the known tunables for the one which has */
64892393Syz155240 /* a matching value for "cookie" - ie its address. When returning a match, */
64902393Syz155240 /* the next one to be found may be returned inside next. */
64912393Syz155240 /* ------------------------------------------------------------------------ */
fr_findtunebycookie(cookie,next,ifs)64923448Sdh155122 static ipftuneable_t *fr_findtunebycookie(cookie, next, ifs)
64932393Syz155240 void *cookie, **next;
64943448Sdh155122 ipf_stack_t * ifs;
64952393Syz155240 {
64962393Syz155240 ipftuneable_t *ta, **tap;
64972393Syz155240
64983448Sdh155122 for (ta = ifs->ifs_ipf_tuneables; ta->ipft_name != NULL; ta++)
64992393Syz155240 if (ta == cookie) {
65002393Syz155240 if (next != NULL) {
65012393Syz155240 /*
65022393Syz155240 * If the next entry in the array has a name
65032393Syz155240 * present, then return a pointer to it for
65042393Syz155240 * where to go next, else return a pointer to
65052393Syz155240 * the dynaminc list as a key to search there
65062393Syz155240 * next. This facilitates a weak linking of
65072393Syz155240 * the two "lists" together.
65082393Syz155240 */
65092393Syz155240 if ((ta + 1)->ipft_name != NULL)
65102393Syz155240 *next = ta + 1;
65112393Syz155240 else
65123448Sdh155122 *next = &ifs->ifs_ipf_tunelist;
65132393Syz155240 }
65142393Syz155240 return ta;
65152393Syz155240 }
65162393Syz155240
65173448Sdh155122 for (tap = &ifs->ifs_ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
65182393Syz155240 if (tap == cookie) {
65192393Syz155240 if (next != NULL)
65202393Syz155240 *next = &ta->ipft_next;
65212393Syz155240 return ta;
65222393Syz155240 }
65232393Syz155240
65242393Syz155240 if (next != NULL)
65252393Syz155240 *next = NULL;
65262393Syz155240 return NULL;
65272393Syz155240 }
65282393Syz155240
65292393Syz155240
65302393Syz155240 /* ------------------------------------------------------------------------ */
65312393Syz155240 /* Function: fr_findtunebyname */
65322393Syz155240 /* Returns: NULL = search failed, else pointer to tune struct */
65332393Syz155240 /* Parameters: name(I) - name of the tuneable entry to find. */
65342393Syz155240 /* */
65352393Syz155240 /* Search the static array of tuneables and the list of dynamic tuneables */
65362393Syz155240 /* for an entry with a matching name. If we can find one, return a pointer */
65372393Syz155240 /* to the matching structure. */
65382393Syz155240 /* ------------------------------------------------------------------------ */
fr_findtunebyname(name,ifs)65393448Sdh155122 static ipftuneable_t *fr_findtunebyname(name, ifs)
65402393Syz155240 const char *name;
65413448Sdh155122 ipf_stack_t *ifs;
65422393Syz155240 {
65432393Syz155240 ipftuneable_t *ta;
65442393Syz155240
65453448Sdh155122 for (ta = ifs->ifs_ipf_tuneables; ta->ipft_name != NULL; ta++)
65462393Syz155240 if (!strcmp(ta->ipft_name, name)) {
65472393Syz155240 return ta;
65482393Syz155240 }
65492393Syz155240
65503448Sdh155122 for (ta = ifs->ifs_ipf_tunelist; ta != NULL; ta = ta->ipft_next)
65512393Syz155240 if (!strcmp(ta->ipft_name, name)) {
65522393Syz155240 return ta;
65532393Syz155240 }
65542393Syz155240
65552393Syz155240 return NULL;
65562393Syz155240 }
65572393Syz155240
65582393Syz155240
65592393Syz155240 /* ------------------------------------------------------------------------ */
65602393Syz155240 /* Function: fr_addipftune */
65612393Syz155240 /* Returns: int - 0 == success, else failure */
65622393Syz155240 /* Parameters: newtune - pointer to new tune struct to add to tuneables */
65632393Syz155240 /* */
65642393Syz155240 /* Appends the tune structure pointer to by "newtune" to the end of the */
65652393Syz155240 /* current list of "dynamic" tuneable parameters. Once added, the owner */
65662393Syz155240 /* of the object is not expected to ever change "ipft_next". */
65672393Syz155240 /* ------------------------------------------------------------------------ */
fr_addipftune(newtune,ifs)65683448Sdh155122 int fr_addipftune(newtune, ifs)
65692393Syz155240 ipftuneable_t *newtune;
65703448Sdh155122 ipf_stack_t *ifs;
65712393Syz155240 {
65722393Syz155240 ipftuneable_t *ta, **tap;
65732393Syz155240
65743448Sdh155122 ta = fr_findtunebyname(newtune->ipft_name, ifs);
65752393Syz155240 if (ta != NULL)
65762393Syz155240 return EEXIST;
65772393Syz155240
65783448Sdh155122 for (tap = &ifs->ifs_ipf_tunelist; *tap != NULL; tap = &(*tap)->ipft_next)
65792393Syz155240 ;
65802393Syz155240
65812393Syz155240 newtune->ipft_next = NULL;
65822393Syz155240 *tap = newtune;
65832393Syz155240 return 0;
65842393Syz155240 }
65852393Syz155240
65862393Syz155240
65872393Syz155240 /* ------------------------------------------------------------------------ */
65882393Syz155240 /* Function: fr_delipftune */
65892393Syz155240 /* Returns: int - 0 == success, else failure */
65902393Syz155240 /* Parameters: oldtune - pointer to tune struct to remove from the list of */
65912393Syz155240 /* current dynamic tuneables */
65922393Syz155240 /* */
65932393Syz155240 /* Search for the tune structure, by pointer, in the list of those that are */
65942393Syz155240 /* dynamically added at run time. If found, adjust the list so that this */
65952393Syz155240 /* structure is no longer part of it. */
65962393Syz155240 /* ------------------------------------------------------------------------ */
fr_delipftune(oldtune,ifs)65973448Sdh155122 int fr_delipftune(oldtune, ifs)
65982393Syz155240 ipftuneable_t *oldtune;
65993448Sdh155122 ipf_stack_t *ifs;
66002393Syz155240 {
66012393Syz155240 ipftuneable_t *ta, **tap;
66022393Syz155240
66033448Sdh155122 for (tap = &ifs->ifs_ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
66042393Syz155240 if (ta == oldtune) {
66052393Syz155240 *tap = oldtune->ipft_next;
66062393Syz155240 oldtune->ipft_next = NULL;
66072393Syz155240 return 0;
66082393Syz155240 }
66092393Syz155240
66102393Syz155240 return ESRCH;
66112393Syz155240 }
66122393Syz155240
66132393Syz155240
66142393Syz155240 /* ------------------------------------------------------------------------ */
66152393Syz155240 /* Function: fr_ipftune */
66162393Syz155240 /* Returns: int - 0 == success, else failure */
66172393Syz155240 /* Parameters: cmd(I) - ioctl command number */
66182393Syz155240 /* data(I) - pointer to ioctl data structure */
66192393Syz155240 /* */
66202393Syz155240 /* Implement handling of SIOCIPFGETNEXT, SIOCIPFGET and SIOCIPFSET. These */
66212393Syz155240 /* three ioctls provide the means to access and control global variables */
66222393Syz155240 /* within IPFilter, allowing (for example) timeouts and table sizes to be */
66232393Syz155240 /* changed without rebooting, reloading or recompiling. The initialisation */
66242393Syz155240 /* and 'destruction' routines of the various components of ipfilter are all */
66252393Syz155240 /* each responsible for handling their own values being too big. */
66262393Syz155240 /* ------------------------------------------------------------------------ */
fr_ipftune(cmd,data,ifs)66273448Sdh155122 int fr_ipftune(cmd, data, ifs)
66282393Syz155240 ioctlcmd_t cmd;
66292393Syz155240 void *data;
66303448Sdh155122 ipf_stack_t *ifs;
66312393Syz155240 {
66322393Syz155240 ipftuneable_t *ta;
66332393Syz155240 ipftune_t tu;
66342393Syz155240 void *cookie;
66352393Syz155240 int error;
66362393Syz155240
66372393Syz155240 error = fr_inobj(data, &tu, IPFOBJ_TUNEABLE);
66382393Syz155240 if (error != 0)
66392393Syz155240 return error;
66402393Syz155240
66412393Syz155240 tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';
66422393Syz155240 cookie = tu.ipft_cookie;
66432393Syz155240 ta = NULL;
66442393Syz155240
66452393Syz155240 switch (cmd)
66462393Syz155240 {
66472393Syz155240 case SIOCIPFGETNEXT :
66482393Syz155240 /*
66492393Syz155240 * If cookie is non-NULL, assume it to be a pointer to the last
66502393Syz155240 * entry we looked at, so find it (if possible) and return a
66512393Syz155240 * pointer to the next one after it. The last entry in the
66522393Syz155240 * the table is a NULL entry, so when we get to it, set cookie
66532393Syz155240 * to NULL and return that, indicating end of list, erstwhile
66542393Syz155240 * if we come in with cookie set to NULL, we are starting anew
66552393Syz155240 * at the front of the list.
66562393Syz155240 */
66572393Syz155240 if (cookie != NULL) {
66583448Sdh155122 ta = fr_findtunebycookie(cookie, &tu.ipft_cookie, ifs);
66592393Syz155240 } else {
66603448Sdh155122 ta = ifs->ifs_ipf_tuneables;
66612393Syz155240 tu.ipft_cookie = ta + 1;
66622393Syz155240 }
66632393Syz155240 if (ta != NULL) {
66642393Syz155240 /*
66652393Syz155240 * Entry found, but does the data pointed to by that
66662393Syz155240 * row fit in what we can return?
66672393Syz155240 */
66682393Syz155240 if (ta->ipft_sz > sizeof(tu.ipft_un))
66692393Syz155240 return EINVAL;
66702393Syz155240
66712393Syz155240 tu.ipft_vlong = 0;
66722393Syz155240 if (ta->ipft_sz == sizeof(u_long))
66732393Syz155240 tu.ipft_vlong = *ta->ipft_plong;
66742393Syz155240 else if (ta->ipft_sz == sizeof(u_int))
66752393Syz155240 tu.ipft_vint = *ta->ipft_pint;
66762393Syz155240 else if (ta->ipft_sz == sizeof(u_short))
66772393Syz155240 tu.ipft_vshort = *ta->ipft_pshort;
66782393Syz155240 else if (ta->ipft_sz == sizeof(u_char))
66792393Syz155240 tu.ipft_vchar = *ta->ipft_pchar;
66802393Syz155240
66812393Syz155240 tu.ipft_sz = ta->ipft_sz;
66822393Syz155240 tu.ipft_min = ta->ipft_min;
66832393Syz155240 tu.ipft_max = ta->ipft_max;
66842393Syz155240 tu.ipft_flags = ta->ipft_flags;
66852393Syz155240 bcopy(ta->ipft_name, tu.ipft_name,
66862393Syz155240 MIN(sizeof(tu.ipft_name),
66872393Syz155240 strlen(ta->ipft_name) + 1));
66882393Syz155240 }
66892393Syz155240 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
66902393Syz155240 break;
66912393Syz155240
66922393Syz155240 case SIOCIPFGET :
66932393Syz155240 case SIOCIPFSET :
66942393Syz155240 /*
66952393Syz155240 * Search by name or by cookie value for a particular entry
66962393Syz155240 * in the tuning paramter table.
66972393Syz155240 */
66982393Syz155240 error = ESRCH;
66992393Syz155240 if (cookie != NULL) {
67003448Sdh155122 ta = fr_findtunebycookie(cookie, NULL, ifs);
67012393Syz155240 if (ta != NULL)
67022393Syz155240 error = 0;
67032393Syz155240 } else if (tu.ipft_name[0] != '\0') {
67043448Sdh155122 ta = fr_findtunebyname(tu.ipft_name, ifs);
67052393Syz155240 if (ta != NULL)
67062393Syz155240 error = 0;
67072393Syz155240 }
67082393Syz155240 if (error != 0)
67092393Syz155240 break;
67102393Syz155240
67112393Syz155240 if (cmd == (ioctlcmd_t)SIOCIPFGET) {
67122393Syz155240 /*
67132393Syz155240 * Fetch the tuning parameters for a particular value
67142393Syz155240 */
67152393Syz155240 tu.ipft_vlong = 0;
67162393Syz155240 if (ta->ipft_sz == sizeof(u_long))
67172393Syz155240 tu.ipft_vlong = *ta->ipft_plong;
67182393Syz155240 else if (ta->ipft_sz == sizeof(u_int))
67192393Syz155240 tu.ipft_vint = *ta->ipft_pint;
67202393Syz155240 else if (ta->ipft_sz == sizeof(u_short))
67212393Syz155240 tu.ipft_vshort = *ta->ipft_pshort;
67222393Syz155240 else if (ta->ipft_sz == sizeof(u_char))
67232393Syz155240 tu.ipft_vchar = *ta->ipft_pchar;
67242393Syz155240 tu.ipft_cookie = ta;
67252393Syz155240 tu.ipft_sz = ta->ipft_sz;
67262393Syz155240 tu.ipft_min = ta->ipft_min;
67272393Syz155240 tu.ipft_max = ta->ipft_max;
67282393Syz155240 tu.ipft_flags = ta->ipft_flags;
67292393Syz155240 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
67302393Syz155240
67312393Syz155240 } else if (cmd == (ioctlcmd_t)SIOCIPFSET) {
67322393Syz155240 /*
67332393Syz155240 * Set an internal parameter. The hard part here is
67342393Syz155240 * getting the new value safely and correctly out of
67352393Syz155240 * the kernel (given we only know its size, not type.)
67362393Syz155240 */
67372393Syz155240 u_long in;
67382393Syz155240
67392393Syz155240 if (((ta->ipft_flags & IPFT_WRDISABLED) != 0) &&
67403448Sdh155122 (ifs->ifs_fr_running > 0)) {
67412393Syz155240 error = EBUSY;
67422393Syz155240 break;
67432393Syz155240 }
67442393Syz155240
67452393Syz155240 in = tu.ipft_vlong;
67462393Syz155240 if (in < ta->ipft_min || in > ta->ipft_max) {
67472393Syz155240 error = EINVAL;
67482393Syz155240 break;
67492393Syz155240 }
67502393Syz155240
67512393Syz155240 if (ta->ipft_sz == sizeof(u_long)) {
67522393Syz155240 tu.ipft_vlong = *ta->ipft_plong;
67532393Syz155240 *ta->ipft_plong = in;
67542393Syz155240 } else if (ta->ipft_sz == sizeof(u_int)) {
67552393Syz155240 tu.ipft_vint = *ta->ipft_pint;
67562393Syz155240 *ta->ipft_pint = (u_int)(in & 0xffffffff);
67572393Syz155240 } else if (ta->ipft_sz == sizeof(u_short)) {
67582393Syz155240 tu.ipft_vshort = *ta->ipft_pshort;
67592393Syz155240 *ta->ipft_pshort = (u_short)(in & 0xffff);
67602393Syz155240 } else if (ta->ipft_sz == sizeof(u_char)) {
67612393Syz155240 tu.ipft_vchar = *ta->ipft_pchar;
67622393Syz155240 *ta->ipft_pchar = (u_char)(in & 0xff);
67632393Syz155240 }
67642393Syz155240 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
67652393Syz155240 }
67662393Syz155240 break;
67672393Syz155240
67682393Syz155240 default :
67692393Syz155240 error = EINVAL;
67702393Syz155240 break;
67712393Syz155240 }
67722393Syz155240
67732393Syz155240 return error;
67742393Syz155240 }
67752393Syz155240
67762393Syz155240
67772393Syz155240 /* ------------------------------------------------------------------------ */
67782393Syz155240 /* Function: fr_initialise */
67792393Syz155240 /* Returns: int - 0 == success, < 0 == failure */
67802393Syz155240 /* Parameters: None. */
67812393Syz155240 /* */
67822393Syz155240 /* Call of the initialise functions for all the various subsystems inside */
67832393Syz155240 /* of IPFilter. If any of them should fail, return immeadiately a failure */
67842393Syz155240 /* BUT do not try to recover from the error here. */
67852393Syz155240 /* ------------------------------------------------------------------------ */
fr_initialise(ifs)67863448Sdh155122 int fr_initialise(ifs)
67873448Sdh155122 ipf_stack_t *ifs;
67882393Syz155240 {
67892393Syz155240 int i;
67902393Syz155240
67912393Syz155240 #ifdef IPFILTER_LOG
67923448Sdh155122 i = fr_loginit(ifs);
67932393Syz155240 if (i < 0)
67942393Syz155240 return -10 + i;
67952393Syz155240 #endif
67963448Sdh155122 i = fr_natinit(ifs);
67972393Syz155240 if (i < 0)
67982393Syz155240 return -20 + i;
67992393Syz155240
68003448Sdh155122 i = fr_stateinit(ifs);
68012393Syz155240 if (i < 0)
68022393Syz155240 return -30 + i;
68032393Syz155240
68043448Sdh155122 i = fr_authinit(ifs);
68052393Syz155240 if (i < 0)
68062393Syz155240 return -40 + i;
68072393Syz155240
68083448Sdh155122 i = fr_fraginit(ifs);
68092393Syz155240 if (i < 0)
68102393Syz155240 return -50 + i;
68112393Syz155240
68123448Sdh155122 i = appr_init(ifs);
68132393Syz155240 if (i < 0)
68142393Syz155240 return -60 + i;
68152393Syz155240
68162393Syz155240 #ifdef IPFILTER_SYNC
68173448Sdh155122 i = ipfsync_init(ifs);
68182393Syz155240 if (i < 0)
68192393Syz155240 return -70 + i;
68202393Syz155240 #endif
68212393Syz155240 #ifdef IPFILTER_SCAN
68223448Sdh155122 i = ipsc_init(ifs);
68232393Syz155240 if (i < 0)
68242393Syz155240 return -80 + i;
68252393Syz155240 #endif
68262393Syz155240 #ifdef IPFILTER_LOOKUP
68273448Sdh155122 i = ip_lookup_init(ifs);
68282393Syz155240 if (i < 0)
68292393Syz155240 return -90 + i;
68302393Syz155240 #endif
68312393Syz155240 #ifdef IPFILTER_COMPILED
68323448Sdh155122 ipfrule_add(ifs);
68332393Syz155240 #endif
68342393Syz155240 return 0;
68352393Syz155240 }
68362393Syz155240
68372393Syz155240
68382393Syz155240 /* ------------------------------------------------------------------------ */
68392393Syz155240 /* Function: fr_deinitialise */
68402393Syz155240 /* Returns: None. */
68412393Syz155240 /* Parameters: None. */
68422393Syz155240 /* */
68432393Syz155240 /* Call all the various subsystem cleanup routines to deallocate memory or */
68442393Syz155240 /* destroy locks or whatever they've done that they need to now undo. */
68452393Syz155240 /* The order here IS important as there are some cross references of */
68462393Syz155240 /* internal data structures. */
68472393Syz155240 /* ------------------------------------------------------------------------ */
fr_deinitialise(ifs)68483448Sdh155122 void fr_deinitialise(ifs)
68493448Sdh155122 ipf_stack_t *ifs;
68502393Syz155240 {
68513448Sdh155122 fr_fragunload(ifs);
68523448Sdh155122 fr_authunload(ifs);
68533448Sdh155122 fr_natunload(ifs);
68543448Sdh155122 fr_stateunload(ifs);
68552393Syz155240 #ifdef IPFILTER_SCAN
68563448Sdh155122 fr_scanunload(ifs);
68572393Syz155240 #endif
68583448Sdh155122 appr_unload(ifs);
68592393Syz155240
68602393Syz155240 #ifdef IPFILTER_COMPILED
68613448Sdh155122 ipfrule_remove(ifs);
68622393Syz155240 #endif
68632393Syz155240
68643448Sdh155122 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE, ifs);
68653448Sdh155122 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE, ifs);
68663448Sdh155122 (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE, ifs);
68673448Sdh155122 (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE, ifs);
68682393Syz155240
68692393Syz155240 #ifdef IPFILTER_LOOKUP
68703448Sdh155122 ip_lookup_unload(ifs);
68712393Syz155240 #endif
68722393Syz155240
68732393Syz155240 #ifdef IPFILTER_LOG
68743448Sdh155122 fr_logunload(ifs);
68752393Syz155240 #endif
68762393Syz155240 }
68772393Syz155240
68782393Syz155240
68792393Syz155240 /* ------------------------------------------------------------------------ */
68802393Syz155240 /* Function: fr_zerostats */
68812393Syz155240 /* Returns: int - 0 = success, else failure */
68822393Syz155240 /* Parameters: data(O) - pointer to pointer for copying data back to */
68832393Syz155240 /* */
68842393Syz155240 /* Copies the current statistics out to userspace and then zero's the */
68852393Syz155240 /* current ones in the kernel. The lock is only held across the bzero() as */
68862393Syz155240 /* the copyout may result in paging (ie network activity.) */
68872393Syz155240 /* ------------------------------------------------------------------------ */
fr_zerostats(data,ifs)68883448Sdh155122 int fr_zerostats(data, ifs)
68892393Syz155240 caddr_t data;
68903448Sdh155122 ipf_stack_t *ifs;
68912393Syz155240 {
68922393Syz155240 friostat_t fio;
68932393Syz155240 int error;
68942393Syz155240
68953448Sdh155122 fr_getstat(&fio, ifs);
68962393Syz155240 error = copyoutptr(&fio, data, sizeof(fio));
68972393Syz155240 if (error)
68982393Syz155240 return EFAULT;
68992393Syz155240
69003448Sdh155122 WRITE_ENTER(&ifs->ifs_ipf_mutex);
69013448Sdh155122 bzero((char *)ifs->ifs_frstats, sizeof(*ifs->ifs_frstats) * 2);
69023448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
69032393Syz155240
69042393Syz155240 return 0;
69052393Syz155240 }
69062393Syz155240
69072393Syz155240
69082393Syz155240 #ifdef _KERNEL
69092393Syz155240 /* ------------------------------------------------------------------------ */
69102393Syz155240 /* Function: fr_resolvedest */
69112393Syz155240 /* Returns: Nil */
69122393Syz155240 /* Parameters: fdp(IO) - pointer to destination information to resolve */
69132393Syz155240 /* v(I) - IP protocol version to match */
69142393Syz155240 /* */
69152393Syz155240 /* Looks up an interface name in the frdest structure pointed to by fdp and */
69162393Syz155240 /* if a matching name can be found for the particular IP protocol version */
69172393Syz155240 /* then store the interface pointer in the frdest struct. If no match is */
69182393Syz155240 /* found, then set the interface pointer to be -1 as NULL is considered to */
69192393Syz155240 /* indicate there is no information at all in the structure. */
69202393Syz155240 /* ------------------------------------------------------------------------ */
fr_resolvedest(fdp,v,ifs)69213448Sdh155122 void fr_resolvedest(fdp, v, ifs)
69222393Syz155240 frdest_t *fdp;
69232393Syz155240 int v;
69243448Sdh155122 ipf_stack_t *ifs;
69252393Syz155240 {
69262958Sdr146992 fdp->fd_ifp = NULL;
69272958Sdr146992
69282958Sdr146992 if (*fdp->fd_ifname != '\0') {
69293448Sdh155122 fdp->fd_ifp = GETIFP(fdp->fd_ifname, v, ifs);
69302958Sdr146992 if (fdp->fd_ifp == NULL)
69312958Sdr146992 fdp->fd_ifp = (void *)-1;
69322393Syz155240 }
69332393Syz155240 }
69342393Syz155240 #endif /* _KERNEL */
69352393Syz155240
69362393Syz155240
69372393Syz155240 /* ------------------------------------------------------------------------ */
69382393Syz155240 /* Function: fr_resolvenic */
69392393Syz155240 /* Returns: void* - NULL = wildcard name, -1 = failed to find NIC, else */
69402393Syz155240 /* pointer to interface structure for NIC */
69412393Syz155240 /* Parameters: name(I) - complete interface name */
69422393Syz155240 /* v(I) - IP protocol version */
69432393Syz155240 /* */
69442393Syz155240 /* Look for a network interface structure that firstly has a matching name */
69452393Syz155240 /* to that passed in and that is also being used for that IP protocol */
69462393Syz155240 /* version (necessary on some platforms where there are separate listings */
69472393Syz155240 /* for both IPv4 and IPv6 on the same physical NIC. */
69482393Syz155240 /* */
69492393Syz155240 /* One might wonder why name gets terminated with a \0 byte in here. The */
69502393Syz155240 /* reason is an interface name could get into the kernel structures of ipf */
69512393Syz155240 /* in any number of ways and so long as they all use the same sized array */
69522393Syz155240 /* to put the name in, it makes sense to ensure it gets null terminated */
69532393Syz155240 /* before it is used for its intended purpose - finding its match in the */
69542393Syz155240 /* kernel's list of configured interfaces. */
69552393Syz155240 /* */
69562393Syz155240 /* NOTE: This SHOULD ONLY be used with IPFilter structures that have an */
69572393Syz155240 /* array for the name that is LIFNAMSIZ bytes (at least) in length. */
69582393Syz155240 /* ------------------------------------------------------------------------ */
fr_resolvenic(name,v,ifs)69593448Sdh155122 void *fr_resolvenic(name, v, ifs)
69602393Syz155240 char *name;
69612393Syz155240 int v;
69623448Sdh155122 ipf_stack_t *ifs;
69632393Syz155240 {
69642393Syz155240 void *nic;
69652393Syz155240
69662393Syz155240 if (name[0] == '\0')
69672393Syz155240 return NULL;
69682393Syz155240
69692393Syz155240 if ((name[1] == '\0') && ((name[0] == '-') || (name[0] == '*'))) {
69702393Syz155240 return NULL;
69712393Syz155240 }
69722393Syz155240
69732393Syz155240 name[LIFNAMSIZ - 1] = '\0';
69742393Syz155240
69753448Sdh155122 nic = GETIFP(name, v, ifs);
69762393Syz155240 if (nic == NULL)
69772393Syz155240 nic = (void *)-1;
69782393Syz155240 return nic;
69792393Syz155240 }
69803448Sdh155122
69815417Sjojemann
69825417Sjojemann /* ------------------------------------------------------------------------ */
69835417Sjojemann /* Function: ipf_expiretokens */
69845417Sjojemann /* Returns: None. */
69855417Sjojemann /* Parameters: ifs - ipf stack instance */
69865417Sjojemann /* */
69875417Sjojemann /* This function is run every ipf tick to see if there are any tokens that */
69885417Sjojemann /* have been held for too long and need to be freed up. */
69895417Sjojemann /* ------------------------------------------------------------------------ */
ipf_expiretokens(ifs)69903448Sdh155122 void ipf_expiretokens(ifs)
69913448Sdh155122 ipf_stack_t *ifs;
69923448Sdh155122 {
69933448Sdh155122 ipftoken_t *it;
69943448Sdh155122
69953448Sdh155122 WRITE_ENTER(&ifs->ifs_ipf_tokens);
69963448Sdh155122 while ((it = ifs->ifs_ipftokenhead) != NULL) {
69973448Sdh155122 if (it->ipt_die > ifs->ifs_fr_ticks)
69983448Sdh155122 break;
69993448Sdh155122
70003448Sdh155122 ipf_freetoken(it, ifs);
70013448Sdh155122 }
70023448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
70033448Sdh155122 }
70043448Sdh155122
70053448Sdh155122
70065417Sjojemann /* ------------------------------------------------------------------------ */
70075417Sjojemann /* Function: ipf_deltoken */
70085417Sjojemann /* Returns: int - 0 = success, else error */
70095417Sjojemann /* Parameters: type(I) - the token type to match */
70105417Sjojemann /* uid(I) - uid owning the token */
70115417Sjojemann /* ptr(I) - context pointer for the token */
70125417Sjojemann /* ifs - ipf stack instance */
70135417Sjojemann /* */
70145417Sjojemann /* This function looks for a a token in the current list that matches up */
70155417Sjojemann /* the fields (type, uid, ptr). If none is found, ESRCH is returned, else */
70165417Sjojemann /* call ipf_freetoken() to remove it from the list. */
70175417Sjojemann /* ------------------------------------------------------------------------ */
ipf_deltoken(type,uid,ptr,ifs)70183448Sdh155122 int ipf_deltoken(type, uid, ptr, ifs)
70193448Sdh155122 int type, uid;
70203448Sdh155122 void *ptr;
70213448Sdh155122 ipf_stack_t *ifs;
70223448Sdh155122 {
70233448Sdh155122 ipftoken_t *it;
70243448Sdh155122 int error = ESRCH;
70253448Sdh155122
70263448Sdh155122 WRITE_ENTER(&ifs->ifs_ipf_tokens);
70273448Sdh155122 for (it = ifs->ifs_ipftokenhead; it != NULL; it = it->ipt_next)
70283448Sdh155122 if (ptr == it->ipt_ctx && type == it->ipt_type &&
70293448Sdh155122 uid == it->ipt_uid) {
70303448Sdh155122 ipf_freetoken(it, ifs);
70313448Sdh155122 error = 0;
70323448Sdh155122 break;
70333448Sdh155122 }
70343448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
70353448Sdh155122
70363448Sdh155122 return error;
70373448Sdh155122 }
70383448Sdh155122
70395417Sjojemann
70405417Sjojemann /* ------------------------------------------------------------------------ */
70415417Sjojemann /* Function: ipf_unlinktoken */
70425417Sjojemann /* Returns: None. */
70435417Sjojemann /* Parameters: token(I) - pointer to token structure */
70445417Sjojemann /* ifs - ipf stack instance */
70455417Sjojemann /* */
70465417Sjojemann /* This function unlinks a token structure from the linked list of tokens */
70475417Sjojemann /* that it belongs to. The head pointer never needs to be explicitly */
70485417Sjojemann /* adjusted, but the tail does due to the linked list implementation. */
70495417Sjojemann /* ------------------------------------------------------------------------ */
ipf_unlinktoken(token,ifs)70506518Sjojemann static void ipf_unlinktoken(token, ifs)
70513448Sdh155122 ipftoken_t *token;
70523448Sdh155122 ipf_stack_t *ifs;
70533448Sdh155122 {
70543448Sdh155122
70553448Sdh155122 if (ifs->ifs_ipftokentail == &token->ipt_next)
70563448Sdh155122 ifs->ifs_ipftokentail = token->ipt_pnext;
70573448Sdh155122
70583448Sdh155122 *token->ipt_pnext = token->ipt_next;
70593448Sdh155122 if (token->ipt_next != NULL)
70603448Sdh155122 token->ipt_next->ipt_pnext = token->ipt_pnext;
70613448Sdh155122 }
70623448Sdh155122
70633448Sdh155122
70645417Sjojemann /* ------------------------------------------------------------------------ */
70655417Sjojemann /* Function: ipf_findtoken */
70665417Sjojemann /* Returns: ipftoken_t * - NULL if no memory, else pointer to token */
70675417Sjojemann /* Parameters: type(I) - the token type to match */
70685417Sjojemann /* uid(I) - uid owning the token */
70695417Sjojemann /* ptr(I) - context pointer for the token */
70705417Sjojemann /* ifs - ipf stack instance */
70715417Sjojemann /* */
70725417Sjojemann /* This function looks for a live token in the list of current tokens that */
70735417Sjojemann /* matches the tuple (type, uid, ptr). If one cannot be found then one is */
70745417Sjojemann /* allocated. If one is found then it is moved to the top of the list of */
70755417Sjojemann /* currently active tokens. */
70765417Sjojemann /* */
70775417Sjojemann /* NOTE: It is by design that this function returns holding a read lock on */
70785417Sjojemann /* ipf_tokens. Callers must make sure they release it! */
70795417Sjojemann /* ------------------------------------------------------------------------ */
ipf_findtoken(type,uid,ptr,ifs)70803448Sdh155122 ipftoken_t *ipf_findtoken(type, uid, ptr, ifs)
70813448Sdh155122 int type, uid;
70823448Sdh155122 void *ptr;
70833448Sdh155122 ipf_stack_t *ifs;
70843448Sdh155122 {
70853448Sdh155122 ipftoken_t *it, *new;
70863448Sdh155122
70873448Sdh155122 KMALLOC(new, ipftoken_t *);
70883448Sdh155122
70893448Sdh155122 WRITE_ENTER(&ifs->ifs_ipf_tokens);
70903448Sdh155122 for (it = ifs->ifs_ipftokenhead; it != NULL; it = it->ipt_next) {
70913448Sdh155122 if (it->ipt_alive == 0)
70923448Sdh155122 continue;
70933448Sdh155122 if (ptr == it->ipt_ctx && type == it->ipt_type &&
70943448Sdh155122 uid == it->ipt_uid)
70953448Sdh155122 break;
70963448Sdh155122 }
70973448Sdh155122
70983448Sdh155122 if (it == NULL) {
70993448Sdh155122 it = new;
71003448Sdh155122 new = NULL;
71013448Sdh155122 if (it == NULL)
71023448Sdh155122 return NULL;
71033448Sdh155122 it->ipt_data = NULL;
71043448Sdh155122 it->ipt_ctx = ptr;
71053448Sdh155122 it->ipt_uid = uid;
71063448Sdh155122 it->ipt_type = type;
71073448Sdh155122 it->ipt_next = NULL;
71083448Sdh155122 it->ipt_alive = 1;
71093448Sdh155122 } else {
71103448Sdh155122 if (new != NULL) {
71113448Sdh155122 KFREE(new);
71123448Sdh155122 new = NULL;
71133448Sdh155122 }
71143448Sdh155122
71153448Sdh155122 ipf_unlinktoken(it, ifs);
71163448Sdh155122 }
71173448Sdh155122 it->ipt_pnext = ifs->ifs_ipftokentail;
71183448Sdh155122 *ifs->ifs_ipftokentail = it;
71193448Sdh155122 ifs->ifs_ipftokentail = &it->ipt_next;
71203448Sdh155122 it->ipt_next = NULL;
71213448Sdh155122
71223448Sdh155122 it->ipt_die = ifs->ifs_fr_ticks + 2;
71233448Sdh155122
71243448Sdh155122 MUTEX_DOWNGRADE(&ifs->ifs_ipf_tokens);
71253448Sdh155122
71263448Sdh155122 return it;
71273448Sdh155122 }
71283448Sdh155122
71293448Sdh155122
71305417Sjojemann /* ------------------------------------------------------------------------ */
71315417Sjojemann /* Function: ipf_freetoken */
71325417Sjojemann /* Returns: None. */
71335417Sjojemann /* Parameters: token(I) - pointer to token structure */
71345417Sjojemann /* ifs - ipf stack instance */
71355417Sjojemann /* */
71365417Sjojemann /* This function unlinks a token from the linked list and on the path to */
71375417Sjojemann /* free'ing the data, it calls the dereference function that is associated */
71385417Sjojemann /* with the type of data pointed to by the token as it is considered to */
71395417Sjojemann /* hold a reference to it. */
71405417Sjojemann /* ------------------------------------------------------------------------ */
ipf_freetoken(token,ifs)71413448Sdh155122 void ipf_freetoken(token, ifs)
71423448Sdh155122 ipftoken_t *token;
71433448Sdh155122 ipf_stack_t *ifs;
71443448Sdh155122 {
71455417Sjojemann void *data, **datap;
71463448Sdh155122
71473448Sdh155122 ipf_unlinktoken(token, ifs);
71483448Sdh155122
71493448Sdh155122 data = token->ipt_data;
71505417Sjojemann datap = &data;
71513448Sdh155122
71523448Sdh155122 if ((data != NULL) && (data != (void *)-1)) {
71533448Sdh155122 switch (token->ipt_type)
71543448Sdh155122 {
71553448Sdh155122 case IPFGENITER_IPF :
71565417Sjojemann (void)fr_derefrule((frentry_t **)datap, ifs);
71573448Sdh155122 break;
71583448Sdh155122 case IPFGENITER_IPNAT :
71593448Sdh155122 WRITE_ENTER(&ifs->ifs_ipf_nat);
71605417Sjojemann fr_ipnatderef((ipnat_t **)datap, ifs);
71613448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ipf_nat);
71623448Sdh155122 break;
71633448Sdh155122 case IPFGENITER_NAT :
71645417Sjojemann fr_natderef((nat_t **)datap, ifs);
71653448Sdh155122 break;
71663448Sdh155122 case IPFGENITER_STATE :
71675417Sjojemann fr_statederef((ipstate_t **)datap, ifs);
71683448Sdh155122 break;
71693448Sdh155122 case IPFGENITER_FRAG :
71705417Sjojemann fr_fragderef((ipfr_t **)datap, &ifs->ifs_ipf_frag, ifs);
71713448Sdh155122 break;
71723448Sdh155122 case IPFGENITER_NATFRAG :
71735417Sjojemann fr_fragderef((ipfr_t **)datap,
71745417Sjojemann &ifs->ifs_ipf_natfrag, ifs);
71753448Sdh155122 break;
71763448Sdh155122 case IPFGENITER_HOSTMAP :
71775417Sjojemann WRITE_ENTER(&ifs->ifs_ipf_nat);
71785417Sjojemann fr_hostmapdel((hostmap_t **)datap);
71795417Sjojemann RWLOCK_EXIT(&ifs->ifs_ipf_nat);
71803448Sdh155122 break;
71813448Sdh155122 default :
71823448Sdh155122 (void) ip_lookup_iterderef(token->ipt_type, data, ifs);
71833448Sdh155122 break;
71843448Sdh155122 }
71853448Sdh155122 }
71863448Sdh155122
71873448Sdh155122 KFREE(token);
71883448Sdh155122 }
71893448Sdh155122
71905417Sjojemann
71915417Sjojemann /* ------------------------------------------------------------------------ */
71925417Sjojemann /* Function: ipf_getnextrule */
71935417Sjojemann /* Returns: int - 0 = success, else error */
71945417Sjojemann /* Parameters: t(I) - pointer to destination information to resolve */
71955417Sjojemann /* ptr(I) - pointer to ipfobj_t to copyin from user space */
71965417Sjojemann /* ifs - ipf stack instance */
71975417Sjojemann /* */
71985417Sjojemann /* This function's first job is to bring in the ipfruleiter_t structure via */
71995417Sjojemann /* the ipfobj_t structure to determine what should be the next rule to */
72005417Sjojemann /* return. Once the ipfruleiter_t has been brought in, it then tries to */
72015417Sjojemann /* find the 'next rule'. This may include searching rule group lists or */
72025417Sjojemann /* just be as simple as looking at the 'next' field in the rule structure. */
72035417Sjojemann /* When we have found the rule to return, increase its reference count and */
72045417Sjojemann /* if we used an existing rule to get here, decrease its reference count. */
72055417Sjojemann /* ------------------------------------------------------------------------ */
ipf_getnextrule(t,ptr,ifs)72065417Sjojemann int ipf_getnextrule(t, ptr, ifs)
72075417Sjojemann ipftoken_t *t;
72085417Sjojemann void *ptr;
72095417Sjojemann ipf_stack_t *ifs;
72103448Sdh155122 {
72113448Sdh155122 frentry_t *fr, *next, zero;
72125417Sjojemann int error, out, count;
72133448Sdh155122 ipfruleiter_t it;
72143448Sdh155122 frgroup_t *fg;
72155417Sjojemann char *dst;
72163448Sdh155122
72173448Sdh155122 if (t == NULL || ptr == NULL)
72183448Sdh155122 return EFAULT;
72193448Sdh155122 error = fr_inobj(ptr, &it, IPFOBJ_IPFITER);
72203448Sdh155122 if (error != 0)
72213448Sdh155122 return error;
72223448Sdh155122 if ((it.iri_ver != AF_INET) && (it.iri_ver != AF_INET6))
72233448Sdh155122 return EINVAL;
72245417Sjojemann if ((it.iri_inout < 0) || (it.iri_inout > 3))
72255417Sjojemann return EINVAL;
72265417Sjojemann if (it.iri_nrules == 0)
72273448Sdh155122 return EINVAL;
72283448Sdh155122 if ((it.iri_active != 0) && (it.iri_active != 1))
72293448Sdh155122 return EINVAL;
72303448Sdh155122 if (it.iri_rule == NULL)
72313448Sdh155122 return EFAULT;
72323448Sdh155122
72335417Sjojemann /*
72345417Sjojemann * Use bitmask on it.iri_inout to determine direction.
72355417Sjojemann * F_OUT (1) and F_ACOUT (3) mask to out = 1, while
72365417Sjojemann * F_IN (0) and F_ACIN (2) mask to out = 0.
72375417Sjojemann */
72385417Sjojemann out = it.iri_inout & F_OUT;
72396518Sjojemann READ_ENTER(&ifs->ifs_ipf_mutex);
72406518Sjojemann
72416518Sjojemann /*
72426518Sjojemann * Retrieve "previous" entry from token and find the next entry.
72436518Sjojemann */
72443448Sdh155122 fr = t->ipt_data;
72453448Sdh155122 if (fr == NULL) {
72463448Sdh155122 if (*it.iri_group == '\0') {
72475417Sjojemann /*
72485417Sjojemann * Use bitmask again to determine accounting or not.
72495417Sjojemann * F_ACIN will mask to accounting cases F_ACIN (2)
72505417Sjojemann * or F_ACOUT (3), but not F_IN or F_OUT.
72515417Sjojemann */
72525417Sjojemann if ((it.iri_inout & F_ACIN) != 0) {
72535417Sjojemann if (it.iri_ver == AF_INET)
72545417Sjojemann next = ifs->ifs_ipacct
72555417Sjojemann [out][it.iri_active];
72565417Sjojemann else
72575417Sjojemann next = ifs->ifs_ipacct6
72585417Sjojemann [out][it.iri_active];
72595417Sjojemann } else {
72605417Sjojemann if (it.iri_ver == AF_INET)
72615417Sjojemann next = ifs->ifs_ipfilter
72625417Sjojemann [out][it.iri_active];
72635417Sjojemann else
72645417Sjojemann next = ifs->ifs_ipfilter6
72655417Sjojemann [out][it.iri_active];
72665417Sjojemann }
72673448Sdh155122 } else {
72683448Sdh155122 fg = fr_findgroup(it.iri_group, IPL_LOGIPF,
72693448Sdh155122 it.iri_active, NULL, ifs);
72703448Sdh155122 if (fg != NULL)
72713448Sdh155122 next = fg->fg_start;
72723448Sdh155122 else
72733448Sdh155122 next = NULL;
72743448Sdh155122 }
72753448Sdh155122 } else {
72763448Sdh155122 next = fr->fr_next;
72773448Sdh155122 }
72783448Sdh155122
72795417Sjojemann dst = (char *)it.iri_rule;
72805417Sjojemann /*
72815417Sjojemann * The ipfruleiter may ask for more than 1 rule at a time to be
72825417Sjojemann * copied out, so long as that many exist in the list to start with!
72835417Sjojemann */
72845417Sjojemann for (count = it.iri_nrules; count > 0; count--) {
72856518Sjojemann /*
72866518Sjojemann * If we found an entry, add reference to it and update token.
72876518Sjojemann * Otherwise, zero out data to be returned and NULL out token.
72886518Sjojemann */
72895417Sjojemann if (next != NULL) {
72903448Sdh155122 MUTEX_ENTER(&next->fr_lock);
72913448Sdh155122 next->fr_ref++;
72923448Sdh155122 MUTEX_EXIT(&next->fr_lock);
72933796Szf203873 t->ipt_data = next;
72945417Sjojemann } else {
72955417Sjojemann bzero(&zero, sizeof(zero));
72965417Sjojemann next = &zero;
72975417Sjojemann t->ipt_data = NULL;
72983448Sdh155122 }
72996518Sjojemann
73006518Sjojemann /*
73016518Sjojemann * Now that we have ref, it's save to give up lock.
73026518Sjojemann */
73035417Sjojemann RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
73045417Sjojemann
73056518Sjojemann /*
73066518Sjojemann * Copy out data and clean up references and token as needed.
73076518Sjojemann */
73085417Sjojemann error = COPYOUT(next, dst, sizeof(*next));
73095417Sjojemann if (error != 0)
73106518Sjojemann error = EFAULT;
73116518Sjojemann if (t->ipt_data == NULL) {
73126518Sjojemann ipf_freetoken(t, ifs);
73136518Sjojemann break;
73146518Sjojemann } else {
73156518Sjojemann if (fr != NULL)
73166518Sjojemann (void) fr_derefrule(&fr, ifs);
73176518Sjojemann if (next->fr_data != NULL) {
73186518Sjojemann dst += sizeof(*next);
73196518Sjojemann error = COPYOUT(next->fr_data, dst,
73206518Sjojemann next->fr_dsize);
73216518Sjojemann if (error != 0)
73226518Sjojemann error = EFAULT;
73236518Sjojemann else
73246518Sjojemann dst += next->fr_dsize;
73256518Sjojemann }
73266518Sjojemann if (next->fr_next == NULL) {
73276518Sjojemann ipf_freetoken(t, ifs);
73286518Sjojemann break;
73296518Sjojemann }
73305417Sjojemann }
73315417Sjojemann
73325417Sjojemann if ((count == 1) || (error != 0))
73335417Sjojemann break;
73345417Sjojemann
73355417Sjojemann READ_ENTER(&ifs->ifs_ipf_mutex);
73365417Sjojemann fr = next;
73375417Sjojemann next = fr->fr_next;
73383448Sdh155122 }
73396518Sjojemann
73403448Sdh155122 return error;
73413448Sdh155122 }
73423448Sdh155122
73433448Sdh155122
73445417Sjojemann /* ------------------------------------------------------------------------ */
73455417Sjojemann /* Function: fr_frruleiter */
73465417Sjojemann /* Returns: int - 0 = success, else error */
73475417Sjojemann /* Parameters: data(I) - the token type to match */
73485417Sjojemann /* uid(I) - uid owning the token */
73495417Sjojemann /* ptr(I) - context pointer for the token */
73505417Sjojemann /* ifs - ipf stack instance */
73515417Sjojemann /* */
73525417Sjojemann /* This function serves as a stepping stone between fr_ipf_ioctl and */
73535417Sjojemann /* ipf_getnextrule. It's role is to find the right token in the kernel for */
73545417Sjojemann /* the process doing the ioctl and use that to ask for the next rule. */
73555417Sjojemann /* ------------------------------------------------------------------------ */
ipf_frruleiter(data,uid,ctx,ifs)73563448Sdh155122 int ipf_frruleiter(data, uid, ctx, ifs)
73573448Sdh155122 void *data, *ctx;
73583448Sdh155122 int uid;
73593448Sdh155122 ipf_stack_t *ifs;
73603448Sdh155122 {
73613448Sdh155122 ipftoken_t *token;
73623448Sdh155122 int error;
73633448Sdh155122
73643448Sdh155122 token = ipf_findtoken(IPFGENITER_IPF, uid, ctx, ifs);
73653448Sdh155122 if (token != NULL)
73663448Sdh155122 error = ipf_getnextrule(token, data, ifs);
73673448Sdh155122 else
73683448Sdh155122 error = EFAULT;
73693448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
73703448Sdh155122
73713448Sdh155122 return error;
73723448Sdh155122 }
73733448Sdh155122
73743448Sdh155122
73755417Sjojemann /* ------------------------------------------------------------------------ */
73765417Sjojemann /* Function: ipf_geniter */
73775417Sjojemann /* Returns: int - 0 = success, else error */
73785417Sjojemann /* Parameters: token(I) - pointer to ipftoken structure */
73795417Sjojemann /* itp(I) - pointer to ipfgeniter structure */
73805417Sjojemann /* ifs - ipf stack instance */
73815417Sjojemann /* */
73825417Sjojemann /* Generic iterator called from ipf_genericiter. Currently only used for */
73835417Sjojemann /* walking through list of fragments. */
73845417Sjojemann /* ------------------------------------------------------------------------ */
ipf_geniter(token,itp,ifs)73853448Sdh155122 int ipf_geniter(token, itp, ifs)
73863448Sdh155122 ipftoken_t *token;
73873448Sdh155122 ipfgeniter_t *itp;
73883448Sdh155122 ipf_stack_t *ifs;
73893448Sdh155122 {
73903448Sdh155122 int error;
73913448Sdh155122
73923448Sdh155122 switch (itp->igi_type)
73933448Sdh155122 {
73943448Sdh155122 case IPFGENITER_FRAG :
73953448Sdh155122 error = fr_nextfrag(token, itp, &ifs->ifs_ipfr_list,
73965417Sjojemann &ifs->ifs_ipfr_tail, &ifs->ifs_ipf_frag,
73975417Sjojemann ifs);
73983448Sdh155122 break;
73993448Sdh155122 default :
74003448Sdh155122 error = EINVAL;
74013448Sdh155122 break;
74023448Sdh155122 }
74033448Sdh155122
74043448Sdh155122 return error;
74053448Sdh155122 }
74063448Sdh155122
74073448Sdh155122
74085417Sjojemann /* ------------------------------------------------------------------------ */
74095417Sjojemann /* Function: ipf_genericiter */
74105417Sjojemann /* Returns: int - 0 = success, else error */
74115417Sjojemann /* Parameters: data(I) - the token type to match */
74125417Sjojemann /* uid(I) - uid owning the token */
74135417Sjojemann /* ptr(I) - context pointer for the token */
74145417Sjojemann /* ifs - ipf stack instance */
74155417Sjojemann /* */
74165417Sjojemann /* This function serves as a stepping stone between fr_ipf_ioctl and */
74175417Sjojemann /* ipf_geniter when handling SIOCGENITER. It's role is to find the right */
74185417Sjojemann /* token in the kernel for the process using the ioctl, and to use that */
74195417Sjojemann /* token when calling ipf_geniter. */
74205417Sjojemann /* ------------------------------------------------------------------------ */
ipf_genericiter(data,uid,ctx,ifs)74213448Sdh155122 int ipf_genericiter(data, uid, ctx, ifs)
74223448Sdh155122 void *data, *ctx;
74233448Sdh155122 int uid;
74243448Sdh155122 ipf_stack_t *ifs;
74253448Sdh155122 {
74263448Sdh155122 ipftoken_t *token;
74273448Sdh155122 ipfgeniter_t iter;
74283448Sdh155122 int error;
74293448Sdh155122
74303448Sdh155122 error = fr_inobj(data, &iter, IPFOBJ_GENITER);
74313448Sdh155122 if (error != 0)
74323448Sdh155122 return error;
74333448Sdh155122
74343448Sdh155122 token = ipf_findtoken(iter.igi_type, uid, ctx, ifs);
74353448Sdh155122 if (token != NULL) {
74363448Sdh155122 token->ipt_subtype = iter.igi_type;
74373448Sdh155122 error = ipf_geniter(token, &iter, ifs);
74383448Sdh155122 } else
74393448Sdh155122 error = EFAULT;
74403448Sdh155122 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
74413448Sdh155122
74423448Sdh155122 return error;
74433448Sdh155122 }
74448170SJohn.Ojemann@Sun.COM
74458170SJohn.Ojemann@Sun.COM
74468170SJohn.Ojemann@Sun.COM /* --------------------------------------------------------------------- */
74478170SJohn.Ojemann@Sun.COM /* Function: ipf_earlydrop */
74488170SJohn.Ojemann@Sun.COM /* Returns: number of dropped/removed entries from the queue */
74498170SJohn.Ojemann@Sun.COM /* Parameters: flushtype - which table we're cleaning (NAT or State) */
74508170SJohn.Ojemann@Sun.COM /* ifq - pointer to queue with entries to be deleted */
74518170SJohn.Ojemann@Sun.COM /* idletime - entry must be idle this long to be deleted */
74528170SJohn.Ojemann@Sun.COM /* ifs - ipf stack instance */
74538170SJohn.Ojemann@Sun.COM /* */
74548170SJohn.Ojemann@Sun.COM /* Function is invoked from state/NAT flush routines to remove entries */
74558170SJohn.Ojemann@Sun.COM /* from specified timeout queue, based on how long they've sat idle, */
74568170SJohn.Ojemann@Sun.COM /* without waiting for it to happen on its own. */
74578170SJohn.Ojemann@Sun.COM /* --------------------------------------------------------------------- */
ipf_earlydrop(flushtype,ifq,idletime,ifs)74588170SJohn.Ojemann@Sun.COM int ipf_earlydrop(flushtype, ifq, idletime, ifs)
74598170SJohn.Ojemann@Sun.COM int flushtype;
74608170SJohn.Ojemann@Sun.COM ipftq_t *ifq;
74618170SJohn.Ojemann@Sun.COM int idletime;
74628170SJohn.Ojemann@Sun.COM ipf_stack_t *ifs;
74638170SJohn.Ojemann@Sun.COM {
74648170SJohn.Ojemann@Sun.COM ipftqent_t *tqe, *tqn;
74658170SJohn.Ojemann@Sun.COM unsigned int dropped;
74668170SJohn.Ojemann@Sun.COM int droptick;
74678170SJohn.Ojemann@Sun.COM void *ent;
74688170SJohn.Ojemann@Sun.COM
74698170SJohn.Ojemann@Sun.COM if (ifq == NULL)
74708170SJohn.Ojemann@Sun.COM return (0);
74718170SJohn.Ojemann@Sun.COM
74728170SJohn.Ojemann@Sun.COM dropped = 0;
74738170SJohn.Ojemann@Sun.COM
74748170SJohn.Ojemann@Sun.COM /*
74758170SJohn.Ojemann@Sun.COM * Determine the tick representing the idle time we're interested
74768170SJohn.Ojemann@Sun.COM * in. If an entry exists in the queue, and it was touched before
74778170SJohn.Ojemann@Sun.COM * that tick, then it's been idle longer than idletime, so it should
74788170SJohn.Ojemann@Sun.COM * be deleted.
74798170SJohn.Ojemann@Sun.COM */
74808170SJohn.Ojemann@Sun.COM droptick = ifs->ifs_fr_ticks - idletime;
74818170SJohn.Ojemann@Sun.COM tqn = ifq->ifq_head;
74828170SJohn.Ojemann@Sun.COM while ((tqe = tqn) != NULL && tqe->tqe_touched < droptick) {
74838170SJohn.Ojemann@Sun.COM tqn = tqe->tqe_next;
74848170SJohn.Ojemann@Sun.COM ent = tqe->tqe_parent;
74858170SJohn.Ojemann@Sun.COM switch (flushtype)
74868170SJohn.Ojemann@Sun.COM {
74878170SJohn.Ojemann@Sun.COM case NAT_FLUSH:
74888170SJohn.Ojemann@Sun.COM if (nat_delete((nat_t *)ent, NL_FLUSH, ifs) == 0)
74898170SJohn.Ojemann@Sun.COM dropped++;
74908170SJohn.Ojemann@Sun.COM break;
74918170SJohn.Ojemann@Sun.COM case STATE_FLUSH:
74928170SJohn.Ojemann@Sun.COM if (fr_delstate((ipstate_t *)ent, ISL_FLUSH, ifs) == 0)
74938170SJohn.Ojemann@Sun.COM dropped++;
74948170SJohn.Ojemann@Sun.COM break;
74958170SJohn.Ojemann@Sun.COM default:
74968170SJohn.Ojemann@Sun.COM return (0);
74978170SJohn.Ojemann@Sun.COM }
74988170SJohn.Ojemann@Sun.COM }
74998170SJohn.Ojemann@Sun.COM return (dropped);
75008170SJohn.Ojemann@Sun.COM }
75018170SJohn.Ojemann@Sun.COM
75028170SJohn.Ojemann@Sun.COM
75038170SJohn.Ojemann@Sun.COM /* --------------------------------------------------------------------- */
75048170SJohn.Ojemann@Sun.COM /* Function: ipf_flushclosing */
75058170SJohn.Ojemann@Sun.COM /* Returns: int - number of entries deleted */
75068170SJohn.Ojemann@Sun.COM /* Parameters: flushtype - which table we're cleaning (NAT or State) */
75078170SJohn.Ojemann@Sun.COM /* stateval - TCP state at which to start removing entries */
75088170SJohn.Ojemann@Sun.COM /* ipfqs - pointer to timeout queues */
75098170SJohn.Ojemann@Sun.COM /* userqs - pointer to user defined queues */
75108170SJohn.Ojemann@Sun.COM /* ifs - ipf stack instance */
75118170SJohn.Ojemann@Sun.COM /* */
75128170SJohn.Ojemann@Sun.COM /* Remove state/NAT table entries for TCP connections which are in the */
75138170SJohn.Ojemann@Sun.COM /* process of closing, and have at least reached the state specified by */
75148170SJohn.Ojemann@Sun.COM /* the 'stateval' parameter. */
75158170SJohn.Ojemann@Sun.COM /* --------------------------------------------------------------------- */
ipf_flushclosing(flushtype,stateval,ipfqs,userqs,ifs)75168170SJohn.Ojemann@Sun.COM int ipf_flushclosing(flushtype, stateval, ipfqs, userqs, ifs)
75178170SJohn.Ojemann@Sun.COM int flushtype, stateval;
75188170SJohn.Ojemann@Sun.COM ipftq_t *ipfqs, *userqs;
75198170SJohn.Ojemann@Sun.COM ipf_stack_t *ifs;
75208170SJohn.Ojemann@Sun.COM {
75218170SJohn.Ojemann@Sun.COM ipftq_t *ifq, *ifqn;
75228170SJohn.Ojemann@Sun.COM ipftqent_t *tqe, *tqn;
75238170SJohn.Ojemann@Sun.COM int dropped;
75248170SJohn.Ojemann@Sun.COM void *ent;
75258170SJohn.Ojemann@Sun.COM nat_t *nat;
75268170SJohn.Ojemann@Sun.COM ipstate_t *is;
75278170SJohn.Ojemann@Sun.COM
75288170SJohn.Ojemann@Sun.COM dropped = 0;
75298170SJohn.Ojemann@Sun.COM
75308170SJohn.Ojemann@Sun.COM /*
75318170SJohn.Ojemann@Sun.COM * Start by deleting any entries in specific timeout queues.
75328170SJohn.Ojemann@Sun.COM */
75338170SJohn.Ojemann@Sun.COM ifqn = &ipfqs[stateval];
75348170SJohn.Ojemann@Sun.COM while ((ifq = ifqn) != NULL) {
75358170SJohn.Ojemann@Sun.COM ifqn = ifq->ifq_next;
75368170SJohn.Ojemann@Sun.COM dropped += ipf_earlydrop(flushtype, ifq, (int)0, ifs);
75378170SJohn.Ojemann@Sun.COM }
75388170SJohn.Ojemann@Sun.COM
75398170SJohn.Ojemann@Sun.COM /*
75408170SJohn.Ojemann@Sun.COM * Next, look through user defined queues for closing entries.
75418170SJohn.Ojemann@Sun.COM */
75428170SJohn.Ojemann@Sun.COM ifqn = userqs;
75438170SJohn.Ojemann@Sun.COM while ((ifq = ifqn) != NULL) {
75448170SJohn.Ojemann@Sun.COM ifqn = ifq->ifq_next;
75458170SJohn.Ojemann@Sun.COM tqn = ifq->ifq_head;
75468170SJohn.Ojemann@Sun.COM while ((tqe = tqn) != NULL) {
75478170SJohn.Ojemann@Sun.COM tqn = tqe->tqe_next;
75488170SJohn.Ojemann@Sun.COM ent = tqe->tqe_parent;
75498170SJohn.Ojemann@Sun.COM switch (flushtype)
75508170SJohn.Ojemann@Sun.COM {
75518170SJohn.Ojemann@Sun.COM case NAT_FLUSH:
75528170SJohn.Ojemann@Sun.COM nat = (nat_t *)ent;
75538170SJohn.Ojemann@Sun.COM if ((nat->nat_p == IPPROTO_TCP) &&
75548170SJohn.Ojemann@Sun.COM (nat->nat_tcpstate[0] >= stateval) &&
75558170SJohn.Ojemann@Sun.COM (nat->nat_tcpstate[1] >= stateval) &&
75568170SJohn.Ojemann@Sun.COM (nat_delete(nat, NL_EXPIRE, ifs) == 0))
75578170SJohn.Ojemann@Sun.COM dropped++;
75588170SJohn.Ojemann@Sun.COM break;
75598170SJohn.Ojemann@Sun.COM case STATE_FLUSH:
75608170SJohn.Ojemann@Sun.COM is = (ipstate_t *)ent;
75618170SJohn.Ojemann@Sun.COM if ((is->is_p == IPPROTO_TCP) &&
75628170SJohn.Ojemann@Sun.COM (is->is_state[0] >= stateval) &&
75638170SJohn.Ojemann@Sun.COM (is->is_state[1] >= stateval) &&
75648170SJohn.Ojemann@Sun.COM (fr_delstate(is, ISL_EXPIRE, ifs) == 0))
75658170SJohn.Ojemann@Sun.COM dropped++;
75668170SJohn.Ojemann@Sun.COM break;
75678170SJohn.Ojemann@Sun.COM default:
75688170SJohn.Ojemann@Sun.COM return (0);
75698170SJohn.Ojemann@Sun.COM }
75708170SJohn.Ojemann@Sun.COM }
75718170SJohn.Ojemann@Sun.COM }
75728170SJohn.Ojemann@Sun.COM return (dropped);
75738170SJohn.Ojemann@Sun.COM }
75748170SJohn.Ojemann@Sun.COM
75758170SJohn.Ojemann@Sun.COM
75768170SJohn.Ojemann@Sun.COM /* --------------------------------------------------------------------- */
75778170SJohn.Ojemann@Sun.COM /* Function: ipf_extraflush */
75788170SJohn.Ojemann@Sun.COM /* Returns: int - number of entries flushed (0 = none) */
75798170SJohn.Ojemann@Sun.COM /* Parameters: flushtype - which table we're cleaning (NAT or State) */
75808170SJohn.Ojemann@Sun.COM /* ipfqs - pointer to 'established' timeout queue */
75818170SJohn.Ojemann@Sun.COM /* userqs - pointer to user defined queues */
75828170SJohn.Ojemann@Sun.COM /* ifs - ipf stack instance */
75838170SJohn.Ojemann@Sun.COM /* */
75848170SJohn.Ojemann@Sun.COM /* This function gets called when either NAT or state tables fill up. */
75858170SJohn.Ojemann@Sun.COM /* We need to try a bit harder to free up some space. The function will */
75868170SJohn.Ojemann@Sun.COM /* flush entries for TCP connections which have been idle a long time. */
75878170SJohn.Ojemann@Sun.COM /* */
75888170SJohn.Ojemann@Sun.COM /* Currently, the idle time is checked using values from ideltime_tab[] */
75898170SJohn.Ojemann@Sun.COM /* --------------------------------------------------------------------- */
ipf_extraflush(flushtype,ipfqs,userqs,ifs)75908170SJohn.Ojemann@Sun.COM int ipf_extraflush(flushtype, ipfqs, userqs, ifs)
75918170SJohn.Ojemann@Sun.COM int flushtype;
75928170SJohn.Ojemann@Sun.COM ipftq_t *ipfqs, *userqs;
75938170SJohn.Ojemann@Sun.COM ipf_stack_t *ifs;
75948170SJohn.Ojemann@Sun.COM {
75958170SJohn.Ojemann@Sun.COM ipftq_t *ifq, *ifqn;
75968170SJohn.Ojemann@Sun.COM int idletime, removed, idle_idx;
75978170SJohn.Ojemann@Sun.COM
75988170SJohn.Ojemann@Sun.COM removed = 0;
75998170SJohn.Ojemann@Sun.COM
76008170SJohn.Ojemann@Sun.COM /*
76018170SJohn.Ojemann@Sun.COM * Determine initial threshold for minimum idle time based on
76028170SJohn.Ojemann@Sun.COM * how long ipfilter has been running. Ipfilter needs to have
76038170SJohn.Ojemann@Sun.COM * been up as long as the smallest interval to continue on.
76048170SJohn.Ojemann@Sun.COM *
76058170SJohn.Ojemann@Sun.COM * Minimum idle times stored in idletime_tab and indexed by
76068170SJohn.Ojemann@Sun.COM * idle_idx. Start at upper end of array and work backwards.
76078170SJohn.Ojemann@Sun.COM *
76088170SJohn.Ojemann@Sun.COM * Once the index is found, set the initial idle time to the
76098170SJohn.Ojemann@Sun.COM * first interval before the current ipfilter run time.
76108170SJohn.Ojemann@Sun.COM */
76118170SJohn.Ojemann@Sun.COM if (ifs->ifs_fr_ticks < idletime_tab[0])
76128170SJohn.Ojemann@Sun.COM return (0);
76138170SJohn.Ojemann@Sun.COM idle_idx = (sizeof (idletime_tab) / sizeof (int)) - 1;
76148170SJohn.Ojemann@Sun.COM if (ifs->ifs_fr_ticks > idletime_tab[idle_idx]) {
76158170SJohn.Ojemann@Sun.COM idletime = idletime_tab[idle_idx];
76168170SJohn.Ojemann@Sun.COM } else {
76178170SJohn.Ojemann@Sun.COM while ((idle_idx > 0) &&
76188170SJohn.Ojemann@Sun.COM (ifs->ifs_fr_ticks < idletime_tab[idle_idx]))
76198170SJohn.Ojemann@Sun.COM idle_idx--;
76208170SJohn.Ojemann@Sun.COM
76218170SJohn.Ojemann@Sun.COM idletime = (ifs->ifs_fr_ticks /
76228170SJohn.Ojemann@Sun.COM idletime_tab[idle_idx]) *
76238170SJohn.Ojemann@Sun.COM idletime_tab[idle_idx];
76248170SJohn.Ojemann@Sun.COM }
76258170SJohn.Ojemann@Sun.COM
76268170SJohn.Ojemann@Sun.COM while (idle_idx >= 0) {
76278170SJohn.Ojemann@Sun.COM /*
76288170SJohn.Ojemann@Sun.COM * Check to see if we need to delete more entries.
76298170SJohn.Ojemann@Sun.COM * If we do, start with appropriate timeout queue.
76308170SJohn.Ojemann@Sun.COM */
76318170SJohn.Ojemann@Sun.COM if (flushtype == NAT_FLUSH) {
76328170SJohn.Ojemann@Sun.COM if (NAT_TAB_WATER_LEVEL(ifs) <=
76338170SJohn.Ojemann@Sun.COM ifs->ifs_nat_flush_level_lo)
76348170SJohn.Ojemann@Sun.COM break;
76358170SJohn.Ojemann@Sun.COM } else if (flushtype == STATE_FLUSH) {
76368170SJohn.Ojemann@Sun.COM if (ST_TAB_WATER_LEVEL(ifs) <=
76378170SJohn.Ojemann@Sun.COM ifs->ifs_state_flush_level_lo)
76388170SJohn.Ojemann@Sun.COM break;
76398170SJohn.Ojemann@Sun.COM } else {
76408170SJohn.Ojemann@Sun.COM break;
76418170SJohn.Ojemann@Sun.COM }
76428170SJohn.Ojemann@Sun.COM
76438170SJohn.Ojemann@Sun.COM removed += ipf_earlydrop(flushtype, ipfqs, idletime, ifs);
76448170SJohn.Ojemann@Sun.COM
76458170SJohn.Ojemann@Sun.COM /*
76468170SJohn.Ojemann@Sun.COM * Next, check the user defined queues. But first, make
76478170SJohn.Ojemann@Sun.COM * certain that timeout queue deletions didn't do enough.
76488170SJohn.Ojemann@Sun.COM */
76498170SJohn.Ojemann@Sun.COM if (flushtype == NAT_FLUSH) {
76508170SJohn.Ojemann@Sun.COM if (NAT_TAB_WATER_LEVEL(ifs) <=
76518170SJohn.Ojemann@Sun.COM ifs->ifs_nat_flush_level_lo)
76528170SJohn.Ojemann@Sun.COM break;
76538170SJohn.Ojemann@Sun.COM } else {
76548170SJohn.Ojemann@Sun.COM if (ST_TAB_WATER_LEVEL(ifs) <=
76558170SJohn.Ojemann@Sun.COM ifs->ifs_state_flush_level_lo)
76568170SJohn.Ojemann@Sun.COM break;
76578170SJohn.Ojemann@Sun.COM }
76588170SJohn.Ojemann@Sun.COM ifqn = userqs;
76598170SJohn.Ojemann@Sun.COM while ((ifq = ifqn) != NULL) {
76608170SJohn.Ojemann@Sun.COM ifqn = ifq->ifq_next;
76618170SJohn.Ojemann@Sun.COM removed += ipf_earlydrop(flushtype, ifq, idletime, ifs);
76628170SJohn.Ojemann@Sun.COM }
76638170SJohn.Ojemann@Sun.COM
76648170SJohn.Ojemann@Sun.COM /*
76658170SJohn.Ojemann@Sun.COM * Adjust the granularity of idle time.
76668170SJohn.Ojemann@Sun.COM *
76678170SJohn.Ojemann@Sun.COM * If we reach an interval boundary, we need to
76688170SJohn.Ojemann@Sun.COM * either adjust the idle time accordingly or exit
76698170SJohn.Ojemann@Sun.COM * the loop altogether (if this is very last check).
76708170SJohn.Ojemann@Sun.COM */
76718170SJohn.Ojemann@Sun.COM idletime -= idletime_tab[idle_idx];
76728170SJohn.Ojemann@Sun.COM if (idletime < idletime_tab[idle_idx]) {
76738170SJohn.Ojemann@Sun.COM if (idle_idx != 0) {
76748170SJohn.Ojemann@Sun.COM idletime = idletime_tab[idle_idx] -
76758170SJohn.Ojemann@Sun.COM idletime_tab[idle_idx - 1];
76768170SJohn.Ojemann@Sun.COM idle_idx--;
76778170SJohn.Ojemann@Sun.COM } else {
76788170SJohn.Ojemann@Sun.COM break;
76798170SJohn.Ojemann@Sun.COM }
76808170SJohn.Ojemann@Sun.COM }
76818170SJohn.Ojemann@Sun.COM }
76828170SJohn.Ojemann@Sun.COM
76838170SJohn.Ojemann@Sun.COM return (removed);
76848170SJohn.Ojemann@Sun.COM }
7685