Differential D18951 Diff 53495 sys/contrib/ipfilter/netinet/ip_fil_freebsd.c

Changeset View

Standalone View

sys/contrib/ipfilter/netinet/ip_fil_freebsd.c

Show All 19 Lines	#if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
!defined(KLD_MODULE) && !defined(IPFILTER_LKM)		!defined(KLD_MODULE) && !defined(IPFILTER_LKM)
# include "opt_inet6.h"		# include "opt_inet6.h"
#endif		#endif
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 440000) && \		#if defined(__FreeBSD_version) && (__FreeBSD_version >= 440000) && \
!defined(KLD_MODULE) && !defined(IPFILTER_LKM)		!defined(KLD_MODULE) && !defined(IPFILTER_LKM)
# include "opt_random_ip_id.h"		# include "opt_random_ip_id.h"
#endif		#endif
#include <sys/param.h>		#include <sys/param.h>
		#include <sys/conf.h>
#include <sys/errno.h>		#include <sys/errno.h>
#include <sys/types.h>		#include <sys/types.h>
#include <sys/file.h>		#include <sys/file.h>
# include <sys/fcntl.h>		# include <sys/fcntl.h>
# include <sys/filio.h>		# include <sys/filio.h>
#include <sys/time.h>		#include <sys/time.h>
#include <sys/systm.h>		#include <sys/systm.h>
# include <sys/dirent.h>		# include <sys/dirent.h>
▲ Show 20 Lines • Show All 85 Lines • ▼ Show 20 Lines	static void ipf_ifevent(arg, ifp)
CURVNET_SET(ifp->if_vnet);		CURVNET_SET(ifp->if_vnet);
if (V_ipfmain.ipf_running > 0)		if (V_ipfmain.ipf_running > 0)
ipf_sync(&V_ipfmain, NULL);		ipf_sync(&V_ipfmain, NULL);
CURVNET_RESTORE();		CURVNET_RESTORE();
}		}



static int		static pfil_return_t
ipf_check_wrapper(void arg, struct mbuf mp, struct ifnet ifp, int dir)		ipf_check_wrapper(struct mbuf *mp, struct ifnet ifp, int flags,
		void ruleset __unused, struct inpcb inp)
{		{
struct ip ip = mtod(mp, struct ip *);		struct ip ip = mtod(mp, struct ip *);
int rv;		pfil_return_t rv;

CURVNET_SET(ifp->if_vnet);		CURVNET_SET(ifp->if_vnet);
rv = ipf_check(&V_ipfmain, ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT),		rv = ipf_check(&V_ipfmain, ip, ip->ip_hl << 2, ifp, (flags & PFIL_OUT),
mp);		mp);
CURVNET_RESTORE();		CURVNET_RESTORE();
return rv;		return (rv == 0 ? PFIL_PASS : PFIL_DROPPED);
}		}

# ifdef USE_INET6		#ifdef USE_INET6
# include <netinet/ip6.h>		static pfil_return_t
		ipf_check_wrapper6(struct mbuf *mp, struct ifnet ifp, int flags,
static int		void ruleset __unused, struct inpcb inp)
ipf_check_wrapper6(void arg, struct mbuf mp, struct ifnet ifp, int dir)
{		{
int error;		pfil_return_t rv;

CURVNET_SET(ifp->if_vnet);		CURVNET_SET(ifp->if_vnet);
error = ipf_check(&V_ipfmain, mtod(mp, struct ip ),		rv = ipf_check(&V_ipfmain, mtod(mp, struct ip ),
sizeof(struct ip6_hdr), ifp, (dir == PFIL_OUT), mp);		sizeof(struct ip6_hdr), ifp, (flags & PFIL_OUT), mp);
		bzUnsubmitted Not Done Inline Actions struct ip? Should this be struct ip6_hdr as well? bz: struct ip? Should this be struct ip6_hdr as well?
		glebiusAuthorUnsubmitted Done Inline Actions Well, this is how it was in ipfilter before. Of course this looks very much like a bug, but fixing ipfilter out of scope of this commit. glebius: Well, this is how it was in ipfilter before. Of course this looks very much like a bug, but…
		cyUnsubmitted Not Done Inline Actions We can't change ip to ip6_hdr, at least not yet. ipf_check defines the second argument as ip. Later in ipf_check it casts ip to ip6_t if the version is 6. It's another thing I need to sift through. cy: We can't change ip to ip6_hdr, at least not yet. ipf_check defines the second argument as ip.
CURVNET_RESTORE();		CURVNET_RESTORE();
return (error);
		return (rv == 0 ? PFIL_PASS : PFIL_DROPPED);
}		}
# endif		# endif
#if defined(IPFILTER_LKM)		#if defined(IPFILTER_LKM)
int ipf_identify(s)		int ipf_identify(s)
char *s;		char *s;
{		{
if (strcmp(s, "ipl") == 0)		if (strcmp(s, "ipl") == 0)
return 1;		return 1;
▲ Show 20 Lines • Show All 1,150 Lines • ▼ Show 20 Lines	if (fin->fin_out == 0) {
fin->fin_ip->ip_len = ntohs(fin->fin_ip->ip_len);		fin->fin_ip->ip_len = ntohs(fin->fin_ip->ip_len);
fin->fin_ip->ip_off = ntohs(fin->fin_ip->ip_off);		fin->fin_ip->ip_off = ntohs(fin->fin_ip->ip_off);
error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);		error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
}		}

return error;		return error;
}		}

		VNET_DEFINE_STATIC(pfil_hook_t, ipf_inet_hook);
		VNET_DEFINE_STATIC(pfil_hook_t, ipf_inet6_hook);
		#define V_ipf_inet_hook VNET(ipf_inet_hook)
		#define V_ipf_inet6_hook VNET(ipf_inet6_hook)

int ipf_pfil_unhook(void) {		int ipf_pfil_unhook(void) {
struct pfil_head *ph_inet;
#ifdef USE_INET6
struct pfil_head *ph_inet6;
#endif

ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);		pfil_remove_hook(V_ipf_inet_hook);
if (ph_inet != NULL)
		bzUnsubmitted Not Done Inline Actions Can we please hide all legacy IP stuff under some equivalent INET ifdef? (here and everywhere else in the diff) bz: Can we please hide all legacy IP stuff under some equivalent INET ifdef? (here and everywhere…
		glebiusAuthorUnsubmitted Done Inline Actions Again, this is how ipfilter does now. I'm all for improving it, but out of scope of this work. glebius: Again, this is how ipfilter does now. I'm all for improving it, but out of scope of this work.
pfil_remove_hook((void *)ipf_check_wrapper, NULL,
PFIL_IN\|PFIL_OUT\|PFIL_WAITOK, ph_inet);
# ifdef USE_INET6		#ifdef USE_INET6
ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);		pfil_remove_hook(V_ipf_inet6_hook);
if (ph_inet6 != NULL)
pfil_remove_hook((void *)ipf_check_wrapper6, NULL,
PFIL_IN\|PFIL_OUT\|PFIL_WAITOK, ph_inet6);
# endif		#endif

return (0);		return (0);
}		}

int ipf_pfil_hook(void) {		int ipf_pfil_hook(void) {
struct pfil_head *ph_inet;		struct pfil_hook_args pha;
#ifdef USE_INET6		struct pfil_link_args pla;
struct pfil_head *ph_inet6;		int error, error6;
#endif

ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);		pha.pa_version = PFIL_VERSION;
		pha.pa_flags = PFIL_IN \| PFIL_OUT;
		pha.pa_modname = "ipfilter";
		pha.pa_rulname = "default";
		pha.pa_func = ipf_check_wrapper;
		pha.pa_ruleset = NULL;
		pha.pa_type = PFIL_TYPE_IP4;
		V_ipf_inet_hook = pfil_add_hook(&pha);

# ifdef USE_INET6		#ifdef USE_INET6
ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);		pha.pa_func = ipf_check_wrapper6;
		pha.pa_type = PFIL_TYPE_IP6;
		V_ipf_inet6_hook = pfil_add_hook(&pha);
# endif		#endif
if (ph_inet == NULL
# ifdef USE_INET6
&& ph_inet6 == NULL
# endif
) {
return ENODEV;
}

if (ph_inet != NULL)		pla.pa_version = PFIL_VERSION;
pfil_add_hook((void *)ipf_check_wrapper, NULL,		pla.pa_flags = PFIL_IN \| PFIL_OUT \|
PFIL_IN\|PFIL_OUT\|PFIL_WAITOK, ph_inet);		PFIL_HEADPTR \| PFIL_HOOKPTR;
		pla.pa_head = V_inet_pfil_head;
		pla.pa_hook = V_ipf_inet_hook;
		error = pfil_link(&pla);

		error6 = 0;
# ifdef USE_INET6		#ifdef USE_INET6
if (ph_inet6 != NULL)		pla.pa_head = V_inet6_pfil_head;
pfil_add_hook((void *)ipf_check_wrapper6, NULL,		pla.pa_hook = V_ipf_inet6_hook;
PFIL_IN\|PFIL_OUT\|PFIL_WAITOK, ph_inet6);		error6 = pfil_link(&pla);
# endif		#endif
return (0);
		if (error \|\| error6)
		error = ENODEV;
		else
		error = 0;

		return (error);
}		}

void		void
ipf_event_reg(void)		ipf_event_reg(void)
{		{
ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \		ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
ipf_ifevent, NULL, \		ipf_ifevent, NULL, \
EVENTHANDLER_PRI_ANY);		EVENTHANDLER_PRI_ANY);
▲ Show 20 Lines • Show All 60 Lines • Show Last 20 Lines