blob: 1a399e557e8e304f42109064ca0796245a48f9bd [file] [log] [blame] [raw]
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char rcsid[] = "@(#)$Id$";
#endif
#include <sys/types.h>
#include <sys/conf.h>
#include <sys/sysconfig.h>
#include <machine/machlimits.h>
#include <net/net_globals.h>
#include <io/common/iotypes.h>
#include <sys/errno.h>
#include <sys/buf.h>
#include <sys/secdefines.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/fcntl.h>
#include <sys/ioctl.h>
#include <sys/disklabel.h>
#include <sys/user.h>
#include <sys/socket.h>
#include <sys/sysmacros.h>
#include <sys/syslog.h>
#include <io/common/pt.h>
#include <io/common/devdriver.h>
#include <io/common/devio.h>
#include <io/common/devgetinfo.h>
#include <net/if.h>
#include <netinet/ip.h>
#include <netinet/ip_stat.h>
#include <netinet/in.h>
#include <netinet/firewall.h>
#include <netinet/if_ether.h>
#include <net/ether_driver.h>
#include "ip_compat.h"
#include "ip_fil.h"
#include "ip_nat.h"
#include "ip_state.h"
#include "ip_frag.h"
#include "ip_auth.h"
#include "ip_compat.h"
#include "ip_fil.h"
/* #undef IPFDEBUG */
/* function prototypes */
int ipfilter_attach(void);
int ipfilter_detach(void);
void ipfilter_ifattach(void);
void ipfilter_ifdetach(void);
int ipfilter_ifioctl(struct ifnet *, unsigned int, caddr_t);
#if TRU64 >= 1885
int ipfilter_ifoutput(struct ifnet *, struct mbuf *, struct sockaddr *,
struct rtentry *, char *);
#else
int ipfilter_ifoutput(struct ifnet *, struct mbuf *, struct sockaddr *,
struct rtentry *);
#endif
void ipfilter_in_control(struct socket *, u_int, caddr_t *, struct ifnet *);
void ipfilter_ip_input(struct mbuf *m);
int ipfilter_ip_output(struct ifnet *, struct mbuf *, struct in_route *,
int, struct ip_moptions *);
void ipfilter_configure_callback __P((int, int, int, int));
void ipfilter_timer(void);
void ipfilter_clock(void *arg);
int ipfilteropen(dev_t, int, int);
int ipfilterread(dev_t, struct uio *, int);
int ipfilterclose(dev_t, int, int);
int ipfilterwrite(dev_t, struct uio *);
int ipfilterioctl(dev_t, u_int, caddr_t, int);
extern int nodev(), nulldev();
extern task_t first_task;
extern ipfrwlock_t ipf_tru64;
struct dsent ipfilter_devsw_entry = {
ipfilteropen,
ipfilterclose,
nodev, /* d_strategy */
ipfilterread,
#ifdef IPFILTER_SYNC
ipfilterwrite,
#else
nulldev, /* d_write */
#endif
ipfilterioctl,
nodev, /* d_dump */
nodev, /* d_psize */
nulldev, /* d_stop */
nulldev, /* d_reset */
nulldev, /* d_select */
0, /* d_mmap */
0, /* d_segmap */
NULL, /* d_ttys */
DEV_FUNNEL_NULL,/* SMP-safe */
0, /* d_bflags */
0 /* d_cflags */
};
struct controller *ipfilter_info[IPL_LOGSIZE];
static char ipfilter_name[] = "ipfilter";
struct driver ipfdriver = {
NULL, /* probe */
NULL, /* slave */
NULL, /* cattach */
NULL, /* dattach */
0, /* go */
0, /* addr_list */
0, /* dev_name */
0, /* dev_list */
ipfilter_name, /* ctlr_name */
ipfilter_info, /* ctlr_list */
0, /* Want exclusive use of bdp's flag */
0, /* Size of first csr area */
0, /* Address space of first csr area */
0, /* Size of second csr area */
0, /* Address space of second csr area */
NULL, /* controller unattach routine */
NULL, /* dev_unattach */
};
#define NO_DEV -1
#define MAJOR_INSTANCE 1
#define IPF_NAME "ipf"
int ipfilter_config = FALSE;
int ipfilter_devno = NO_DEV;
int ipfilter_num_units=1;
int ipfilter_dev_number = NO_DEV;
int callback_return_status = ESUCCESS;
int driver_cfg_state;
int ipfilter_is_dynamic;
/* Variables referenced by attributes. 'majnum' must
* be present to inform cfgmgr that this is a 5.0A
* driver. 'ipfilter_version' is used to keep track of the version
* numbers during development. It is printed out after
* configure to indicate which version is being loaded.
*/
static int majnum = NO_DEV;
static int ipfilter_num_installed = 1;
static u_char ipfilter_desc[100] = "IPFilter firewall";
static u_char ipfilter_unused[300] = "";
static thread_t ipf_timeout = 0;
/* protos for functions used in configuration */
void ipfilter_print_attr_error __P((cfg_attr_t *));
void ipfilter_preconfig_callback __P((int, int, ulong, ulong));
void ipfilter_postconfig_callback __P((int, int, ulong, ulong));
struct firewall_stat {
u_long in_control_called;
u_long ip_input_mbufs;
u_long ip_input_accept;
u_long ip_input_reject;
u_long ip_input_tooshort;
u_long ip_input_toosmall;
u_long ip_input_badlen;
u_long ip_input_badhlen;
u_long ip_input_badvers;
u_long ip_input_badsum;
u_long ip_output_mbufs;
u_long ip_output_accept;
u_long ip_output_reject;
};
struct firewall_stat ipfilter_stat;
static int ipfilter_registered = 0;
static int ipftru64_inited = 0;
static char ipfname[CFG_ATTR_NAME_SZ] = "ipfilter";
cfg_subsys_attr_t ipfilter_attributes[] = {
{ "Subsystem_Description",CFG_ATTR_STRTYPE, CFG_OP_CONFIGURE | CFG_OP_QUERY,
(caddr_t)ipfilter_desc, 2, 300, 0 },
{ "Module_Config_Name", CFG_ATTR_STRTYPE, CFG_OP_CONFIGURE,
(caddr_t)ipfname, 2, CFG_ATTR_NAME_SZ, 0 },
{ "majnum", CFG_ATTR_INTTYPE, CFG_OP_QUERY,
(caddr_t)&majnum, 0, 512, 0 },
{ "Num_Installed", CFG_ATTR_INTTYPE, CFG_OP_QUERY,
(caddr_t)&ipfilter_num_installed, 1, 1, 1 },
{ "Num_Units", CFG_ATTR_INTTYPE, CFG_OP_QUERY | CFG_OP_CONFIGURE,
(caddr_t)&ipfilter_num_units,
1, IPL_LOGSIZE, 0 },
{ "Module_Type", CFG_ATTR_STRTYPE, CFG_OP_QUERY | CFG_OP_CONFIGURE,
(caddr_t)ipfilter_unused,
2, CFG_ATTR_NAME_SZ, 0 },
{ "Device_User", CFG_ATTR_STRTYPE, CFG_OP_QUERY | CFG_OP_CONFIGURE,
(caddr_t)ipfilter_unused,
0, sizeof(ipfilter_unused), 0 },
{ "Device_Group", CFG_ATTR_STRTYPE, CFG_OP_QUERY | CFG_OP_CONFIGURE,
(caddr_t)ipfilter_unused,
0, sizeof(ipfilter_unused), 0 },
{ "Device_Mode", CFG_ATTR_STRTYPE, CFG_OP_QUERY | CFG_OP_CONFIGURE,
(caddr_t)ipfilter_unused,
0, sizeof(ipfilter_unused), 0 },
{ "Device_Major_Req", CFG_ATTR_STRTYPE, CFG_OP_QUERY | CFG_OP_CONFIGURE,
(caddr_t)ipfilter_unused,
0, sizeof(ipfilter_unused), 0 },
{ "Device_Char_Major", CFG_ATTR_STRTYPE, CFG_OP_QUERY | CFG_OP_CONFIGURE,
(caddr_t)ipfilter_unused,
0, sizeof(ipfilter_unused), 0 },
{ "Device_Char_Files", CFG_ATTR_STRTYPE, CFG_OP_QUERY | CFG_OP_CONFIGURE,
(caddr_t)ipfilter_unused,
0, sizeof(ipfilter_unused), 0 },
{ "Device_Char_Minor", CFG_ATTR_STRTYPE, CFG_OP_QUERY | CFG_OP_CONFIGURE,
(caddr_t)ipfilter_unused, 0,
sizeof(ipfilter_unused), 0 },
{ "version", CFG_ATTR_STRTYPE, CFG_OP_QUERY,
(caddr_t)ipfilter_version, 0, 5, 0 },
{ "fr_chksrc", CFG_ATTR_INTTYPE, CFG_OP_QUERY |
CFG_OP_CONFIGURE | CFG_OP_RECONFIGURE,
(caddr_t)&fr_chksrc, 0, 1, 0 },
{ "fr_minttl", CFG_ATTR_INTTYPE, CFG_OP_QUERY |
CFG_OP_CONFIGURE | CFG_OP_RECONFIGURE,
(caddr_t)&fr_minttl, 0, 255, 0 },
{ "fr_pass", CFG_ATTR_INTTYPE, CFG_OP_QUERY |
CFG_OP_CONFIGURE | CFG_OP_RECONFIGURE,
(caddr_t)&fr_minttl, 0, 0xffffffff, 0 },
{ "fr_flags", CFG_ATTR_INTTYPE, CFG_OP_QUERY |
CFG_OP_CONFIGURE | CFG_OP_RECONFIGURE,
(caddr_t)&fr_minttl, 0, 0xffffffff, 0 },
{ "fr_active", CFG_ATTR_INTTYPE, CFG_OP_QUERY,
(caddr_t)&fr_minttl, 0, 1, 0 },
{ "fr_running", CFG_ATTR_INTTYPE, CFG_OP_QUERY,
(caddr_t)&fr_minttl, 0, 1, 0 },
{ "fr_control_forwarding",
CFG_ATTR_INTTYPE, CFG_OP_QUERY |
CFG_OP_CONFIGURE | CFG_OP_RECONFIGURE,
(caddr_t) &fr_control_forwarding, 0, 1, 0 },
{ "fr_update_ipid", CFG_ATTR_INTTYPE, CFG_OP_QUERY |
CFG_OP_CONFIGURE | CFG_OP_RECONFIGURE,
(caddr_t) &fr_update_ipid, 0, 1, 0 },
{ "", 0, 0, 0, 0, 0, 0 }
};
/*---------------------------------------------------------
* Configure interface
* 1 - Handle attribute verification.
* 2 - Handle the differences between static and dynamic
* configuration.
* Returns: EBUSY,EINVAL,ENOTSUP,ESRCH for fail,
* ESUCCESS for success
*--------------------------------------------------------*/
cfg_status_t ipfilter_configure(op, indata, indata_size, outdata, outdata_size)
cfg_op_t op;
caddr_t indata;
ulong indata_size;
caddr_t outdata;
ulong outdata_size;
{
int ipfilter_cfg_state;
cfg_attr_t *attr_ptr;
int status, i;
#ifdef IPFDEBUG
printf("ipfilter_configure(%x,%x,%d,%x,%d)\n",
op, indata, indata_size, outdata, outdata_size);
#endif
status = ESUCCESS;
if (cfgmgr_get_state("ipfilter", &ipfilter_cfg_state) != ESUCCESS) {
printf("ipfilter cfgmgr_get_state failed\n");
return EINVAL;
}
switch (op)
{
case CFG_OP_CONFIGURE :
#ifdef IPFDEBUG
printf("ipfilter_config=%d\n",ipfilter_config);
printf("driver_cfg_state=%d\n",driver_cfg_state);
#endif
if (ipfilter_config == TRUE) {
/*
* We have already been configured
*/
return EINVAL;
}
/*
* cfgmgr takes care of error checking, but we have to
* investigate what happened and report to user.
*/
attr_ptr = (cfg_attr_t *)indata;
for(i = 0; i < indata_size; i++) {
switch(attr_ptr->type)
{
case CFG_ATTR_STRTYPE:
break;
default:
switch(attr_ptr->status)
{
case CFG_FRAME_SUCCESS:
break;
default:
ipfilter_print_attr_error(attr_ptr);
break;
}
}
attr_ptr++;
}
if (cfgmgr_get_state((char *)ipfilter_name,
&driver_cfg_state) != ESUCCESS) {
printf("ipfilter_conf:Error determining state of ipf subsystem\n");
/*
* Error determining state of the "ipf" subs..
*/
return(EINVAL);
}
if (driver_cfg_state == SUBSYSTEM_STATICALLY_CONFIGURED) {
callback_return_status = ESUCCESS;
ipfilter_is_dynamic = 0;
status = register_callback(ipfilter_configure_callback,
CFG_PT_OLD_CONF_ALL,
CFG_ORD_DONTCARE, 0L);
if (status != ESUCCESS)
break;
status = register_callback(ipfilter_preconfig_callback,
CFG_PT_PRECONFIG,
CFG_ORD_NOMINAL, 0L);
if (status != ESUCCESS)
break;
status = register_callback(ipfilter_postconfig_callback,
CFG_PT_POSTCONFIG,
CFG_ORD_NOMINAL, 0L);
} else {
/*
* ipf.mod is getting loaded dynamically.
*/
ipfilter_is_dynamic = 1;
status = ipfilter_preconfig();
if (status != ESUCCESS) {
printf("ipfilter_conf:preconfig failed\n");
return (status);
}
status = ipfilter_postconfig();
if (status != ESUCCESS) {
printf("ipfilter_conf:postconfig failed\n");
return (status);
}
status = ipfilter_attach();
#ifdef IPFDEBUG
printf("ipfilter_attach=%d\n",status);
#endif
}
break;
case CFG_OP_QUERY :
break;
case CFG_OP_RECONFIGURE :
break;
case CFG_OP_UNCONFIGURE :
if (ipfilter_is_dynamic) {
status = devsw_del(ipfilter_name, MAJOR_INSTANCE);
if (status == NO_DEV) {
printf("ipfilter_configure: call to devsw_del failed\n");
return ESRCH;
}
ipfilter_is_dynamic = 0;
ipfilter_config = FALSE;
printf("ipfilter_configure: dynamic module unconfigured\n");
} else {
/* static configuration */
printf("ipfilter_configure: Can't unconfigure a static mod\n");
return ESUCCESS;
}
if (ipfilter_cfg_state & SUBSYSTEM_STATICALLY_CONFIGURED) {
status = EINVAL;
break;
}
status = ipfilter_detach();
break;
default :
status = ENOTSUP;
break;
}
#ifdef IPFDEBUG
printf("ipfilter_configure(%d)=%d\n",op,status);
#endif
return status;
}
void ipfilter_configure_callback(conf, order, arg, evarg)
int conf, order, arg, evarg;
{
int status;
#ifdef IPFDEBUG
printf("ipfilter_configure_callback(%x,%x,%x,%x)\n",
conf, order, arg, evarg);
#endif
status = ipfilter_attach();
if (status != ESUCCESS) {
cfgmgr_set_status("ipfilter");
}
}
/*
* This hook intercepts mbufs directly off the IP input
* queue(s) and gives them to the routine at (*ip_input_hook)(m).
* The hook must either free the mbuf, or enqueue it back to
* an IP input queue by calling ip_continue_input(m). It is
* assumed that the hook returns to the caller in a timely
* manner, enqueuing the mbuf on its own list for further
* processing at a later time (if necesary).
*/
void ipfilter_ip_input(m)
struct mbuf *m;
{
struct mbuf *m0;
struct ip *ip;
int hlen, len;
#ifdef IPFDEBUG
printf("ipfilter_ip_input(%x)\n", m);
#endif
READ_ENTER(&ipf_tru64);
if (ipfilter_registered < 1 || ipftru64_inited == 0) {
RWLOCK_EXIT(&ipf_tru64);
ip_continue_input(m);
return;
}
ipfilter_stat.ip_input_mbufs++;
ip = mtod(m, struct ip *);
/*
* Because this gets packets directly off the IP input queue, we need
* to do all of the input packet checking. This is IPv4 only.
*/
if (m->m_len < sizeof(struct ip) &&
(m = m_pullup(m, sizeof (struct ip))) == 0) {
ipfilter_stat.ip_input_toosmall++;
RWLOCK_EXIT(&ipf_tru64);
return;
}
if (IP_V(ip) != IPVERSION) {
ipfilter_stat.ip_input_badvers++;
goto bad;
}
hlen = IP_HL(ip) << 2;
if (hlen < sizeof(*ip)) {
ipfilter_stat.ip_input_badhlen++;
goto bad;
}
if (hlen > m->m_len) {
if ((m = m_pullup(m, hlen)) == 0) {
RWLOCK_EXIT(&ipf_tru64);
return;
}
ip = mtod(m, struct ip *);
}
/*
* If header checksum verification fails, do no more.
*/
if (in_cksum(m, hlen) != 0) {
ipfilter_stat.ip_input_badsum++;
goto bad;
}
/*
* Convert fields to host representation.
*/
ip->ip_len = ntohs(ip->ip_len);
len = ip->ip_len;
if (len < hlen) {
ipfilter_stat.ip_input_badlen++;
goto bad;
}
if (m->m_pkthdr.len < len) {
ipfilter_stat.ip_input_tooshort++;
goto bad;
}
if (m->m_pkthdr.len > len) {
if (m->m_len == m->m_pkthdr.len) {
m->m_len = len;
m->m_pkthdr.len = len;
} else
m_adj(m, len - m->m_pkthdr.len);
}
ip->ip_off = ntohs(ip->ip_off);
if (fr_check(ip, hlen, m->m_pkthdr.rcvif, 0, &m) == 0) {
if (m != NULL) {
m->m_flags &= ~M_PROTOCOL_SUM|M_NOCHECKSUM|M_CHECKSUM;
/*
* Convert back to network byte order.
*/
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
ipfilter_stat.ip_input_accept++;
RWLOCK_EXIT(&ipf_tru64);
ip_continue_input(m);
return;
}
}
bad:
RWLOCK_EXIT(&ipf_tru64);
if (m != NULL)
m_freem(m);
return;
}
/*
* This hook intercepts mbufs directly from the IP output
* routine and gives them to the routine at
* (*ip_output_hook)(ifp, m, in_ro, flags, imo). The
* hook must either free the mbuf, or set an mbuf flag
* (m->m_flags |= M_OUTPUT_PROCESSING_DONE) and call
* ip_output() again to transmit it. It is assumed that
* the hook returns to the caller in a timely manner, enqueuing
* the mbuf on its own list for further processing at a later
* time (if necesary).
*/
int ipfilter_ip_output(ifp, m, in_ro, flags, imo)
struct ifnet *ifp;
struct mbuf *m;
struct in_route *in_ro;
int flags;
struct ip_moptions *imo;
{
struct ip *ip;
int hlen;
#ifdef IPFDEBUG
printf("ipfilter_ip_output(%x,%x,%x,%x,%x)\n",
ifp, m, in_ro, flags, imo);
#endif
READ_ENTER(&ipf_tru64);
if (ipfilter_registered < 1 || ipftru64_inited == 0) {
RWLOCK_EXIT(&ipf_tru64);
return (ip_output(m, NULL, in_ro, flags, imo));
}
ipfilter_stat.ip_output_mbufs++;
ip = mtod(m, struct ip *);
hlen = IP_HL(ip);
hlen <<= 2;
if (fr_check(ip, hlen, ifp, 1, &m) == 0) {
if (m != NULL) {
m->m_flags |= M_OUTPUT_PROCESSING_DONE;
RWLOCK_EXIT(&ipf_tru64);
return (ip_output(m, NULL, in_ro, flags, imo));
}
}
RWLOCK_EXIT(&ipf_tru64);
return 0;
}
/*
* This is a passive routine. It does not implement any ioctl's, just merely
* "snoops" ioctls being sent so that we can be aware of things like address
* changes on the interfaces.
*/
void ipfilter_in_control(so, cmd, data, ifp)
struct socket *so;
u_int cmd;
caddr_t *data;
struct ifnet *ifp;
{
#ifdef IPFDEBUG
printf("ipfilter_in_control(%x,%x,%x,%x)\n", so, cmd, data, ifp);
#endif
ipfilter_stat.in_control_called++;
READ_ENTER(&ipf_tru64);
if (ipfilter_registered < 1 || ipftru64_inited == 0) {
RWLOCK_EXIT(&ipf_tru64);
return;
}
if (cmd == (ioctlcmd_t)SIOCAIFADDR)
frsync(NULL);
RWLOCK_EXIT(&ipf_tru64);
}
/* "protocol" ifnet structure for accessing ipf statistics */
static struct {
struct ifnet ifnet;
char pad[sizeof(struct ether_driver) - sizeof(ifnet)];
} ipfilter_if;
/*
* Routine to attach ipf module
*/
int
ipfilter_attach(void)
{
struct firewall ipf;
int status;
#ifdef IPFDEBUG
printf("ipfilter_attach(void)\n");
#endif
RWLOCK_INIT(&ipf_tru64, 1);
RWLOCK_INIT(&ipf_global, 1);
RWLOCK_INIT(&ipf_mutex, 1);
RWLOCK_INIT(&ipf_frcache, 1);
ipftru64_inited = 1;
status = ipfattach();
#ifdef IPFDEBUG
printf("ipfattach() = %d\n", status);
#endif
if (status != ESUCCESS) {
(void) ipfdetach();
return status;
}
ipfilter_registered = 1;
/*
* Initialize the struct, else the kernel might interpret
* a field as being valid when it's not, which would probably
* be fatal.
*/
bzero(&ipf, sizeof(struct firewall));
/*
* Tell which version of the ipf structure we are passing-in.
* The only currently supported version is #1.
*/
ipf.version = FIREWALL_VERSION1;
/*
* Tell which protocol family we wish to register.
* The only currently supported family is PF_INET.
*/
ipf.pf = PF_INET;
/*
* Tell the kernel to disable the RPC/NFS "fastpath" code and
* send all NFS output packets through the "slow" IP output code.
*/
ipf.flags = FW_DISABLE_RPC_FASTPATH;
/*
* Fill-in the hooks we wish to register. At a minumum there
* must be an input and output hook.
*/
ipf.in_control_hook = ipfilter_in_control;
ipf.fw_ip_input_hook = ipfilter_ip_input;
ipf.fw_ip_output_hook = ipfilter_ip_output;
/* make the call */
status = register_firewall(&ipf);
/*
* Additionally, if we wish to attach a protocol statistics structure,
* do it now. We will only attach to counter ioctls on success.
*/
if (status == ESUCCESS) {
char *defpass;
ipfilter_registered = 2;
ipfilter_ifattach();
fr_running = 1;
/*
* Start timeout thread
*/
ipf_timeout = kernel_thread_w_arg(first_task, ipfilter_timer,
NULL);
timeout(ipfilter_clock, NULL,
(hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
if (FR_ISPASS(fr_pass))
defpass = "pass";
else if (FR_ISBLOCK(fr_pass))
defpass = "block";
else
defpass = "no-match -> block";
printf("%s initialized. Default = %s all, Logging = %s%s\n",
ipfilter_version, defpass,
#ifdef IPFILTER_LOG
"enabled",
#else
"disabled",
#endif
#ifdef IPFILTER_COMPILED
" (COMPILED)"
#else
""
#endif
);
}
return (status);
}
/*
* Routine to detach ipf module
*/
int
ipfilter_detach(void)
{
int status;
struct firewall ipf;
#ifdef IPFDEBUG
printf("ipfilter_detach(void)\n");
#endif
WRITE_ENTER(&ipf_tru64);
/*
* Initialize the struct, else the kernel might interpret
* a field as being valid when it's not, which would probably
* be fatal.
*/
bzero(&ipf, sizeof(struct firewall));
/*
* If we had attached a protocol statistics structure, detach it now.
* We do this before un-registering our hooks.
*/
ipfilter_ifdetach();
/*
* Tell which version of the ipf structure we are passing-in.
* The only currently supported version is #1.
*/
ipf.version = FIREWALL_VERSION1;
/*
* Tell which protocol family we wish to register.
* The only currently supported family is PF_INET.
*/
ipf.pf = PF_INET;
/*
* Tell the kernel to re-enable the RPC/NFS "fastpath" code and stop
* sending all NFS output packets through the "slow" IP output code.
*/
ipf.flags = FW_ENABLE_RPC_FASTPATH;
/*
* We don't need to fill-in the hook pointers as they
* are not used in the unregister_ipf() routine.
*/
/* make the call */
status = ESUCCESS;
if (ipfilter_registered > 1) {
status = unregister_firewall(&ipf);
ipfilter_registered = 1;
}
if ((status == ESUCCESS) && (ipfilter_registered > 0)) {
status = ipfdetach();
#ifdef IPFDEBUG
printf("ipfdetach() = %d\n", status);
#endif
ipfilter_registered = 0;
}
if (status == ESUCCESS) {
fr_running = 0;
RWLOCK_EXIT(&ipf_tru64);
if (ipftru64_inited == 1) {
RW_DESTROY(&ipf_tru64);
RW_DESTROY(&ipf_global);
RW_DESTROY(&ipf_frcache);
RW_DESTROY(&ipf_mutex);
ipftru64_inited = 0;
}
#if 0
if (ipf_timeout != 0) {
thread_terminate(ipf_timeout);
ipf_timeout = 0;
}
#else
/*
* Deschedule the timeout, kill the thread that is wiating on
* it and then wait one second for that thread to die.
*/
untimeout(ipfilter_clock, NULL);
thread_wakeup_one((vm_offset_t)&ipf_timeout);
while (ipf_timeout != 0) {
assert_wait_mesg((vm_offset_t)&ipf_timeout,
TRUE, "ipftimeout");
thread_set_timeout(hz);
thread_block();
}
#endif
printf("%s unloaded\n", ipfilter_version);
} else {
RWLOCK_EXIT(&ipf_tru64);
}
return (status);
}
/*
* Routine to attach protocol statistics structure
*/
void ipfilter_ifattach(void)
{
struct ifnet *ifp = &(ipfilter_if.ifnet);
#ifdef IPFDEBUG
printf("ipfilter_ifattach(void)\n");
#endif
ifp->if_name = "ipf";
ifp->if_version = "Network Packet Filter";
ifp->if_mtu = IP_MAXPACKET;
ifp->if_flags = IFF_UP;
ifp->if_ioctl = ipfilter_ifioctl;
ifp->if_output = ipfilter_ifoutput;
ifp->if_type = IFT_OTHER;
ifp->if_hdrlen = 8;
ifp->if_affinity = NETALLCPU;
ifp->if_addrlen = 0;
if_proto_attach(ifp);
}
/*
* Routine to detach protocol statistics structure
*/
void ipfilter_ifdetach(void)
{
struct ifnet *ifp = &(ipfilter_if.ifnet);
#ifdef IPFDEBUG
printf("ipfilter_ifdetach(void)\n");
#endif
if_proto_detach(ifp);
}
/*
* Routine to handle protocol ioctls
*/
int ipfilter_ifioctl(ifp, cmd, data)
register struct ifnet *ifp;
unsigned int cmd;
caddr_t data;
{
return(EOPNOTSUPP);
}
/* Stub output routine. Should never be called, but just in case... */
#if TRU64 >= 1885
int ipfilter_ifoutput(ifp, m0, dst, rt, cp)
char *cp;
#else
int ipfilter_ifoutput(ifp, m0, dst, rt)
#endif
struct ifnet *ifp;
struct mbuf *m0;
struct sockaddr *dst;
struct rtentry *rt;
{
return(EOPNOTSUPP);
}
/* called from ipfilter_configure(CFG_OP_CONFIGURE,...) */
void ipfilter_print_attr_error(cfg_attr_t *attr_ptr)
{
printf("%s:", attr_ptr->name);
switch(attr_ptr->status)
{
case CFG_ATTR_EEXISTS:
printf("Attribute does not exist\n");
break;
case CFG_ATTR_EOP:
printf("Attribute does not support operation\n");
break;
case CFG_ATTR_ESUBSYS:
printf("Subsystem Failure\n");
break;
case CFG_ATTR_ESMALL:
printf("Attribute size/value too small\n");
break;
case CFG_ATTR_ELARGE:
printf("Attribute size/value too large\n");
break;
case CFG_ATTR_ETYPE:
printf("Attribute invalid type\n");
break;
case CFG_ATTR_EINDEX:
printf("Attribute invalid index\n");
break;
case CFG_ATTR_EMEM:
printf("Attribute memory allocation error\n");
break;
default:
printf("**Unknown attribute: ");
printf("%x\n", attr_ptr->status);
}
}
/*---------------------------------------------------------
* pre-configuration
* Returns: ENOMEM for fail.
* ESUCCESS for success.
*--------------------------------------------------------*/
int ipfilter_preconfig()
{
int status;
return ESUCCESS;
}
void
ipfilter_preconfig_callback(int point, int order, ulong argument, ulong event_arg)
{
int status;
struct hwconfig *hwc;
hwc = create_hwconfig_struct();
if (hwc == NULL)
return;
/*
* Add ourselves to the switch table.
*/
majnum = devsw_add(ipfilter_name, MAJOR_INSTANCE, NO_DEV, &ipfilter_devsw_entry);
if (majnum == NO_DEV) {
printf("devsw_add_failed\n");
(void)cfgmgr_set_status(ipfilter_name);
callback_return_status = ENODEV;
return;
}
printf("devsw_add_majnum=%d\n", majnum);
hwc->type = HWCONFIG_CONTROLLER_ALL | HWCONFIG_CONFIGURE_REQUEST;
hwc->parent_bus = HWCONFIG_ALL;
hwc->parent_bus_instance = DRIVER_WILDNUM;
hwc->driver_name = ipfilter_name;
hwc->driver_struct = &ipfdriver;
hwc->instance_info = -1;
status = driver_framework(hwc);
free_hwconfig_struct(hwc);
if (status != ESUCCESS) {
printf("Cannot configure driver %s-- status = %d\n",
ipfilter_name, status);
return;
}
}
/*---------------------------------------------------------
* post configure
* Return: ENODEV on fail.
* ESUCCESS on success.
*--------------------------------------------------------*/
int ipfilter_postconfig()
{
majnum = devsw_add(ipfilter_name,MAJOR_INSTANCE, majnum, &ipfilter_devsw_entry);
if (majnum == ENODEV) {
printf("ipfilter_postconfig: call to devsw_add failed\n");
return ENODEV;
}
printf("ipfilter_postconfig:major # = %d\n",majnum);
ipfilter_devno = majnum;
ipfilter_config = TRUE;
printf("%s configured\n", ipfilter_version);
return ESUCCESS;
}
void
ipfilter_postconfig_callback(int point, int order, ulong argument, ulong event_arg)
{
int status;
if (callback_return_status != ESUCCESS)
return;
status = ipfilter_postconfig();
if (status != ESUCCESS) {
cfgmgr_set_status(ipfilter_name);
callback_return_status = status;
}
}
/*---------------------------------------------------------
* Open
* Return: ENXIO on fail.
* ESUCCESS on success.
*--------------------------------------------------------*/
int ipfilteropen(dev_t dev, int flag, int format)
{
int unit;
int error;
unit = minor(dev);
if ((IPL_LOGMAX < unit) || (unit < 0)) {
error = ENXIO;
} else {
switch (unit)
{
case IPL_LOGIPF :
case IPL_LOGNAT :
case IPL_LOGSTATE :
case IPL_LOGAUTH :
#ifdef IPFILTER_LOOKUP
case IPL_LOGLOOKUP :
#endif
#ifdef IPFILTER_SYNC
case IPL_LOGSYNC :
#endif
#ifdef IPFILTER_SCAN
case IPL_LOGSCAN :
#endif
error = ESUCCESS;
break;
default :
error = ENXIO;
break;
}
}
return error;
}
/*---------------------------------------------------------
* Close
* Return: ESUCCESS on success.
* ENXIO on fail.
*--------------------------------------------------------*/
int ipfilterclose(dev_t dev, int flag, int format)
{
int unit;
#ifdef IPFDEBUG
printf("ipfilter_close(%x,%x,%x)\n", dev, flag, format);
#endif
unit = minor(dev);
if ((IPL_LOGMAX < unit) || (unit < 0))
unit = ENXIO;
else
unit = ESUCCESS;
return unit;
}
/*---------------------------------------------------------
* Read -
* return: ESUCCESS on success.
* fail: An error number from errno.h
*--------------------------------------------------------*/
int ipfilterread(dev_t dev, struct uio *uio, int flag)
{
#ifdef IPFILTER_LOG
int unit, status;
unit = minor(dev);
# ifdef IPFDEBUG
printf("ipfread(%x,%lx,%x)\n", dev, uio, flag);
# endif
status = ipflog_read(unit, uio);
return status;
#else
return ENXIO;
#endif
}
/*---------------------------------------------------------
* Write -
* return: ESUCCESS on success.
* fail: An error number from errno.h
*--------------------------------------------------------*/
#ifdef IPFILTER_SYNC
int
ipfilterwrite(dev_t dev, struct uio *uio)
{
int unit;
# ifdef IPFDEBUG
printf("ipfilter_write(%x,%lx)\n", dev, uio);
# endif
if (getminor(dev) != IPL_LOGSYNC)
return ENXIO;
return ipfsync_write(uio);
}
#endif
/*---------------------------------------------------------
* IOCTL
* Return: ESUCCESS on success.
* fail: An error number from errno.h
*--------------------------------------------------------*/
int ipfilterioctl(dev_t dev, unsigned int cmd, caddr_t data, int flag)
{
int err;
#ifdef IPFDEBUG
printf("ipfilterioctl(%d(%d),%x,%lx,%x)\n", dev,
getminor(dev), cmd, data, flag);
#endif
READ_ENTER(&ipf_tru64);
if (ipfilter_registered < 1 || ipftru64_inited == 0) {
RWLOCK_EXIT(&ipf_tru64);
#ifdef IPFDEBUG
printf("ipfilter_registered %d ipftru64_inited %d\n",
ipfilter_registered, ipftru64_inited);
#endif
return EIO;
}
err = iplioctl(dev, cmd, data, flag);
RWLOCK_EXIT(&ipf_tru64);
return err;
}
void ipfilter_clock(void *arg)
{
thread_wakeup_one((vm_offset_t)&ipf_timeout);
if (fr_running != 0) {
timeout(ipfilter_clock, NULL,
(hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
}
}
void ipfilter_timer()
{
#if 0
lock_data_t ipfdelaylock;
lock_init(&ipfdelaylock, TRUE);
#else
simple_lock_data_t ipfdelaylock;
simple_lock_init(&ipfdelaylock);
simple_lock(&ipfdelaylock);
#endif
while (1) {
#if 0
lock_write(&ipfdelaylock);
assert_wait_mesg((vm_offset_t)&ipfdelaylock, TRUE, "ipftimer");
lock_done(&ipfdelaylock);
thread_set_timeout((hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
thread_block();
#else
if (fr_running == 0)
break;
mpsleep((vm_offset_t)&ipf_timeout, PCATCH,
"ipftimer", 0, &ipfdelaylock,
MS_LOCK_SIMPLE | MS_LOCK_ON_ERROR);
#endif
if (fr_running == 0)
break;
simple_unlock(&ipfdelaylock);
fr_slowtimer(NULL);
simple_lock(&ipfdelaylock);
}
simple_unlock(&ipfdelaylock);
simple_lock_terminate(&ipfdelaylock);
if (ipf_timeout != 0) {
thread_terminate(ipf_timeout);
ipf_timeout = 0;
}
thread_halt_self();
}