release/3.0.0

1 files changed, 32 insertions, 198 deletions

diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 4bad5b66e3cc7..bf4beb4702b13 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -12,7 +12,7 @@
  *
  * This software is provided ``AS IS'' without any warranties of any kind.
  *
- *	$Id: ip_fw.c,v 1.102 1998/12/22 20:38:06 luigi Exp $
+ *	$Id: ip_fw.c,v 1.96 1998/08/23 03:07:14 wollman Exp $
  */
 
 /*
@@ -21,7 +21,6 @@
 
 #if !defined(KLD_MODULE) && !defined(IPFIREWALL_MODULE)
 #include "opt_ipfw.h"
-#include "opt_ipdn.h"
 #include "opt_ipdivert.h"
 #include "opt_inet.h"
 #ifndef INET
@@ -44,25 +43,18 @@
 #include <netinet/ip_var.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/ip_fw.h>
-#ifdef DUMMYNET
-#include <net/route.h>
-#include <netinet/ip_dummynet.h>
-#endif
 #include <netinet/tcp.h>
 #include <netinet/tcp_timer.h>
 #include <netinet/tcp_var.h>
 #include <netinet/tcpip.h>
 #include <netinet/udp.h>
 
-#include <netinet/if_ether.h> /* XXX ethertype_ip */
-
 static int fw_debug = 1;
 #ifdef IPFIREWALL_VERBOSE
 static int fw_verbose = 1;
 #else
 static int fw_verbose = 0;
 #endif
-static int fw_one_pass = 0; /* XXX */
 #ifdef IPFIREWALL_VERBOSE_LIMIT
 static int fw_verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
 #else
@@ -71,14 +63,13 @@ static int fw_verbose_limit = 0;
 
 #define	IPFW_DEFAULT_RULE	((u_int)(u_short)~0)
 
-LIST_HEAD (ip_fw_head, ip_fw_chain) ip_fw_chain;
+static LIST_HEAD (ip_fw_head, ip_fw_chain) ip_fw_chain;
 
-MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
+static MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
 
 #ifdef SYSCTL_NODE
 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, &fw_debug, 0, "");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, &fw_one_pass, 0, "");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW, &fw_verbose, 0, "");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw_verbose_limit, 0, "");
 #endif
@@ -109,11 +100,8 @@ static int	icmptype_match __P((struct icmp *  icmp, struct ip_fw * f));
 static void	ipfw_report __P((struct ip_fw *f, struct ip *ip,
 				struct ifnet *rif, struct ifnet *oif));
 
-static void flush_rule_ptrs(void);
-
 static int	ip_fw_chk __P((struct ip **pip, int hlen,
 			struct ifnet *oif, u_int16_t *cookie, struct mbuf **m,
-			struct ip_fw_chain **flow_id,
 			struct sockaddr_in **next_hop));
 static int	ip_fw_ctl __P((struct sockopt *sopt));
 
@@ -291,7 +279,6 @@ static void
 ipfw_report(struct ip_fw *f, struct ip *ip,
 	struct ifnet *rif, struct ifnet *oif)
 {
-    if (ip) {
 	static u_int64_t counter;
 	struct tcphdr *const tcp = (struct tcphdr *) ((u_int32_t *) ip+ ip->ip_hl);
 	struct udphdr *const udp = (struct udphdr *) ((u_int32_t *) ip+ ip->ip_hl);
@@ -332,11 +319,6 @@ ipfw_report(struct ip_fw *f, struct ip *ip,
 		case IP_FW_F_SKIPTO:
 			printf("SkipTo %d", f->fw_skipto_rule);
 			break;
-#ifdef DUMMYNET
-		case IP_FW_F_PIPE:
-			printf("Pipe %d", f->fw_skipto_rule);
-			break;
-#endif
 #ifdef IPFIREWALL_FORWARD
 		case IP_FW_F_FWD:
 			printf("Forward to ");
@@ -400,46 +382,16 @@ ipfw_report(struct ip_fw *f, struct ip *ip,
 	if (fw_verbose_limit != 0 && count == fw_verbose_limit)
 		printf("ipfw: limit reached on rule #%d\n",
 		f ? f->fw_number : -1);
-    }
-}
-
-/*
- * given an ip_fw_chain *, lookup_next_rule will return a pointer
- * of the same type to the next one. This can be either the jump
- * target (for skipto instructions) or the next one in the chain (in
- * all other cases including a missing jump target).
- * Backward jumps are not allowed, so start looking from the next
- * rule...
- */ 
-static struct ip_fw_chain * lookup_next_rule(struct ip_fw_chain *me);
-
-static struct ip_fw_chain *
-lookup_next_rule(struct ip_fw_chain *me)
-{
-    struct ip_fw_chain *chain ;
-    int rule = me->rule->fw_skipto_rule ; /* guess... */
-
-    if ( (me->rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_SKIPTO )
-	for (chain = me->chain.le_next; chain ; chain = chain->chain.le_next )
-	    if (chain->rule->fw_number >= rule)
-                return chain ;
-    return me->chain.le_next ; /* failure or not a skipto */
 }
 
 /*
  * Parameters:
  *
- *	pip	Pointer to packet header (struct ip **)
- *      bridge_ipfw extension: pip = NULL means a complete ethernet packet
- *      including ethernet header in the mbuf. Other fields
- *      are ignored/invalid.
- *
+ *	ip	Pointer to packet header (struct ip *)
  *	hlen	Packet header length
  *	oif	Outgoing interface, or NULL if packet is incoming
  *	*cookie Skip up to the first rule past this rule number;
  *	*m	The packet; we set to NULL when/if we nuke it.
- *	*flow_id pointer to the last matching rule (in/out)
- *	*next_hop socket we are forwarding to (in/out).
  *
  * Return value:
  *
@@ -452,58 +404,17 @@ lookup_next_rule(struct ip_fw_chain *me)
 static int 
 ip_fw_chk(struct ip **pip, int hlen,
 	struct ifnet *oif, u_int16_t *cookie, struct mbuf **m,
-	struct ip_fw_chain **flow_id,
         struct sockaddr_in **next_hop)
 {
 	struct ip_fw_chain *chain;
 	struct ip_fw *rule = NULL;
-	struct ip *ip = NULL ;
+	struct ip *ip = *pip;
 	struct ifnet *const rif = (*m)->m_pkthdr.rcvif;
-	u_short offset = 0 ;
+	u_short offset = (ip->ip_off & IP_OFFMASK);
 	u_short src_port, dst_port;
 	u_int16_t skipto = *cookie;
 
-	if (pip) { /* normal ip packet */
-	    ip = *pip;
-	    offset = (ip->ip_off & IP_OFFMASK);
-	} else { /* bridged or non-ip packet */
-	    struct ether_header *eh = mtod(*m, struct ether_header *);
-	    switch (ntohs(eh->ether_type)) {
-	    case ETHERTYPE_IP :
-		if ((*m)->m_len<sizeof(struct ether_header) + sizeof(struct ip))
-		    goto non_ip ;
-		ip = (struct ip *)(eh + 1 );
-		if (ip->ip_v != IPVERSION)
-		    goto non_ip ;
-		hlen = ip->ip_hl << 2;
-		if (hlen < sizeof(struct ip)) /* minimum header length */
-		    goto non_ip ;
-		if ((*m)->m_len < 14 + hlen + 14) {
-		    printf("-- m_len %d, need more...\n", (*m)->m_len);
-		    goto non_ip ;
-		}
-		offset = (ntohs(ip->ip_off) & IP_OFFMASK);
-		break ;
-	    default :
-non_ip:         ip = NULL ;
-		break ;
-	    }
-	}
-
-	if (*flow_id) {
-	    if (fw_one_pass)
-		return 0 ; /* accept if passed first test */
-	    /*
-	     * pkt has already been tagged. Look for the next rule
-	     * to restart processing
-	     */
-	    chain = LIST_NEXT( *flow_id, chain);
-
-	    if ( (chain = (*flow_id)->rule->next_rule_ptr) == NULL )
-		chain = (*flow_id)->rule->next_rule_ptr =
-			lookup_next_rule(*flow_id) ;
-		if (! chain) goto dropit;
-	} else {
+	*cookie = 0;
 	/*
 	 * Go down the chain, looking for enlightment
 	 * If we've been asked to start at a given rule immediatly, do so.
@@ -517,12 +428,8 @@ non_ip:         ip = NULL ;
 		}
 		if (! chain) goto dropit;
 	}
-	}
-	*cookie = 0;
 	for (; chain; chain = LIST_NEXT(chain, chain)) {
-		register struct ip_fw * f ;
-again:
-		f = chain->rule;
+		register struct ip_fw *const f = chain->rule;
 
 		if (oif) {
 			/* Check direction outbound */
@@ -533,43 +440,9 @@ again:
 			if (!(f->fw_flg & IP_FW_F_IN))
 				continue;
 		}
-		if (ip == NULL ) {
-		    /*
-		     * do relevant checks for non-ip packets:
-		     * after this, only goto got_match or continue
-		     */
-		    struct ether_header *eh = mtod(*m, struct ether_header *);
-
-		    /*
-		     * make default rule always match or we have a panic
-		     */
-		    if (f->fw_number == IPFW_DEFAULT_RULE)
-			goto got_match ;
-		    /*
-		     * temporary hack: 
-		     *   udp from 0.0.0.0 means this rule applies.
-		     *   1 src port is match ether type
-		     *   2 src ports (interval) is match ether type
-		     *   3 src ports is match ether address
-		     */
-		    if ( f->fw_src.s_addr != 0 || f->fw_prot != IPPROTO_UDP)
-			continue;
-		    switch (IP_FW_GETNSRCP(f)) {
-		    case 1: /* match one type */
-			if (  /* ( (f->fw_flg & IP_FW_F_INVSRC) != 0) ^ */
-				( f->fw_uar.fw_pts[0] == ntohs(eh->ether_type) )  ) {
-			    printf("match!\n");
-			    goto got_match ;
-			}
-			break ;
-		    default:
-			break ;
-		    }
-		    continue ;
-		}
 
 		/* Fragments */
-		if ((f->fw_flg & IP_FW_F_FRAG) && offset == 0 )
+		if ((f->fw_flg & IP_FW_F_FRAG) && !(ip->ip_off & IP_OFFMASK))
 			continue;
 
 		/* If src-addr doesn't match, not this rule. */
@@ -615,19 +488,14 @@ again:
 		if (ip->ip_p != f->fw_prot) 
 			continue;
 
-#define PULLUP_TO(len)							\
-	do {								\
-	    if ((*m)->m_len < (len) ) {					\
-		if ( (*m = m_pullup(*m, (len))) == 0)			\
-		    goto bogusfrag;					\
-		ip = mtod(*m, struct ip *);				\
-		if (pip) {						\
-		    *pip = ip ;						\
-		    offset = (ip->ip_off & IP_OFFMASK);			\
-		} else							\
-		    offset = (ntohs(ip->ip_off) & IP_OFFMASK);		\
-	    }								\
-	} while (0)
+#define PULLUP_TO(len)	do {						\
+			    if ((*m)->m_len < (len)			\
+				&& (*m = m_pullup(*m, (len))) == 0) {	\
+				    goto bogusfrag;			\
+			    }						\
+			    *pip = ip = mtod(*m, struct ip *);		\
+			    offset = (ip->ip_off & IP_OFFMASK);		\
+			} while (0)
 
 		/* Protocol specific checks */
 		switch (ip->ip_p) {
@@ -710,12 +578,9 @@ bogusfrag:
 		}
 
 got_match:
-		*flow_id = chain ; /* XXX set flow id */
 		/* Update statistics */
 		f->fw_pcnt += 1;
-		if (ip) {
-		    f->fw_bcnt += pip ? ip->ip_len : ntohs(ip->ip_len);
-		}
+		f->fw_bcnt += ip->ip_len;
 		f->timestamp = time_second;
 
 		/* Log to console if desired */
@@ -728,11 +593,9 @@ got_match:
 			return(0);
 		case IP_FW_F_COUNT:
 			continue;
-#ifdef IPDIVERT
 		case IP_FW_F_DIVERT:
 			*cookie = f->fw_number;
 			return(f->fw_divert_port);
-#endif
 		case IP_FW_F_TEE:
 			/*
 			 * XXX someday tee packet here, but beware that you
@@ -743,17 +606,17 @@ got_match:
 			 * to write custom routine.
 			 */
 			continue;
-		case IP_FW_F_SKIPTO: /* XXX check */
-			if ( f->next_rule_ptr )
-			    chain = f->next_rule_ptr ;
-			else
-			    chain = lookup_next_rule(chain) ;
-			if (! chain) goto dropit;
-			goto again ;
-#ifdef DUMMYNET
-		case IP_FW_F_PIPE:
-			return(f->fw_pipe_nr | 0x10000 );
+		case IP_FW_F_SKIPTO:
+#ifdef DIAGNOSTIC
+			while (LIST_NEXT(chain, chain)
+			    && LIST_NEXT(chain, chain)->rule->fw_number
+				< f->fw_skipto_rule)
+#else
+			while (LIST_NEXT(chain, chain)->rule->fw_number
+			    < f->fw_skipto_rule)
 #endif
+				chain = LIST_NEXT(chain, chain);
+			continue;
 #ifdef IPFIREWALL_FORWARD
 		case IP_FW_F_FWD:
 			/* Change the next-hop address for this packet.
@@ -793,7 +656,6 @@ got_match:
 	 * - The packet is not a multicast or broadcast packet
 	 */
 	if ((rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_REJECT
-	    && ip
 	    && (ip->ip_p != IPPROTO_ICMP || is_icmp_query(ip))
 	    && !((*m)->m_flags & (M_BCAST|M_MCAST))
 	    && !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
@@ -836,7 +698,7 @@ dropit:
 	/*
 	 * Finally, drop the packet.
 	 */
-	/* *cookie = 0; */ /* XXX is this necessary ? */
+	*cookie = 0;
 	if (*m) {
 		m_freem(*m);
 		*m = NULL;
@@ -844,22 +706,6 @@ dropit:
 	return(0);
 }
 
-/*
- * when a rule is added/deleted, zero the direct pointers within
- * all firewall rules. These will be reconstructed on the fly
- * as packets are matched.
- * Must be called at splnet().
- */
-static void
-flush_rule_ptrs()
-{
-    struct ip_fw_chain *fcp ;
-
-    for (fcp = ip_fw_chain.lh_first; fcp; fcp = fcp->chain.le_next) {
-	fcp->rule->next_rule_ptr = NULL ;
-    }
-}
-
 static int
 add_entry(struct ip_fw_head *chainptr, struct ip_fw *frwl)
 {
@@ -881,8 +727,6 @@ add_entry(struct ip_fw_head *chainptr, struct ip_fw *frwl)
 	ftmp->fw_in_if.fu_via_if.name[FW_IFNLEN - 1] = '\0';
 	ftmp->fw_pcnt = 0L;
 	ftmp->fw_bcnt = 0L;
-	ftmp->next_rule_ptr = NULL ;
-	ftmp->pipe_ptr = NULL ;
 	fwc->rule = ftmp;
 	
 	s = splnet();
@@ -919,7 +763,6 @@ add_entry(struct ip_fw_head *chainptr, struct ip_fw *frwl)
 			fcpl = fcp;
 		}
 	}
-	flush_rule_ptrs();
 
 	splx(s);
 	return (0);
@@ -943,10 +786,6 @@ del_entry(struct ip_fw_head *chainptr, u_short number)
 
 					next = LIST_NEXT(fcp, chain);
 					LIST_REMOVE(fcp, chain);
-#ifdef DUMMYNET
-					dn_rule_delete(fcp) ;
-#endif
-					flush_rule_ptrs();
 					free(fcp->rule, M_IPFW);
 					free(fcp, M_IPFW);
 					fcp = next;
@@ -1102,7 +941,6 @@ check_ipfw_struct(struct ip_fw *frwl)
 		}
 		break;
 	case IP_FW_F_DIVERT:		/* Diverting to port zero is invalid */
-	case IP_FW_F_PIPE:              /* piping through 0 is invalid */
 	case IP_FW_F_TEE:
 		if (frwl->fw_divert_port == 0) {
 			dprintf(("%s can't divert to port 0\n", err_prefix));
@@ -1211,15 +1049,12 @@ ip_fw_ctl(struct sockopt *sopt)
 		break;
 
 	default:
-		printf("ip_fw_ctl invalid option %d\n", sopt->sopt_name);
-		error = EINVAL ;
+		panic("ip_fw_ctl");
 	}
 
 	return (error);
 }
 
-struct ip_fw_chain *ip_fw_default_rule ;
-
 void
 ip_fw_init(void)
 {
@@ -1242,7 +1077,6 @@ ip_fw_init(void)
 	    add_entry(&ip_fw_chain, &default_rule))
 		panic("ip_fw_init");
 
-	ip_fw_default_rule = ip_fw_chain.lh_first ;
 	printf("IP packet filtering initialized, "
 #ifdef IPDIVERT
 		"divert enabled, ");
@@ -1320,7 +1154,7 @@ ipfw_mod(struct lkm_table *lkmtp, int cmd, int ver)
 }
 #else
 static int
-ipfw_modevent(module_t mod, int type, void *unused)
+ipfw_modevent(module_t mod, modeventtype_t type, void *unused)
 {
 	int s;
 	
@@ -1356,7 +1190,7 @@ ipfw_modevent(module_t mod, int type, void *unused)
 	return 0;
 }
 
-static moduledata_t ipfwmod = {
+moduledata_t ipfwmod = {
 	"ipfw",
 	ipfw_modevent,
 	0