| diff -cr sys/arch/alpha/alpha/conf.c sys.ipf/arch/alpha/alpha/conf.c |
| *** sys/arch/alpha/alpha/conf.c Thu Dec 5 13:49:55 2002 |
| --- sys.ipf/arch/alpha/alpha/conf.c Thu May 1 15:38:04 2003 |
| *************** |
| *** 107,112 **** |
| --- 107,117 ---- |
| #include "lpt.h" |
| cdev_decl(lpt); |
| cdev_decl(prom); /* XXX XXX XXX */ |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| cdev_decl(wd); |
| cdev_decl(fd); |
| #include "cy.h" |
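Review bot: NIPF is derived from `#ifdef IPFILTER` alone, while every hook elsewhere in this patch (if_bridge.c, ip_input.c, ip_output.c, ip6_input.c, ip6_output.c) is guarded by `defined(IPFILTER) || defined(IPFILTER_LKM)`, so an IPFILTER_LKM-only kernel gets NIPF 0 and the /dev/ipl slot wired to the not-present stub. That may be intended if the LKM installs its own cdevsw entry at load time, but nothing in the diff says so; if that is the reason, a comment above the block, `/* static IPF only: the LKM registers its own cdevsw entry (confirm) */`, would settle it, otherwise widen the condition. The identical block is repeated in the hp300, hppa, i386, mac68k, macppc, mvme68k, mvme88k, mvmeppc, sparc, sparc64 and vax conf.c hunks; one definition in a shared header would keep the twelve copies from drifting.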
| *************** |
| *** 177,183 **** |
| cdev_midi_init(NMIDI,midi), /* 41: MIDI I/O */ |
| cdev_midi_init(NSEQUENCER,sequencer), /* 42: sequencer I/O */ |
| cdev_disk_init(NRAID,raid), /* 43: RAIDframe disk driver */ |
| ! cdev_notdef(), /* 44 */ |
| cdev_usb_init(NUSB,usb), /* 45: USB controller */ |
| cdev_usbdev_init(NUHID,uhid), /* 46: USB generic HID */ |
| cdev_ulpt_init(NULPT,ulpt), /* 47: USB printer */ |
| --- 182,188 ---- |
| cdev_midi_init(NMIDI,midi), /* 41: MIDI I/O */ |
| cdev_midi_init(NSEQUENCER,sequencer), /* 42: sequencer I/O */ |
| cdev_disk_init(NRAID,raid), /* 43: RAIDframe disk driver */ |
| ! cdev_gen_ipf(NIPF,ipl), /* 44: IP filter log */ |
| cdev_usb_init(NUSB,usb), /* 45: USB controller */ |
| cdev_usbdev_init(NUHID,uhid), /* 46: USB generic HID */ |
| cdev_ulpt_init(NULPT,ulpt), /* 47: USB printer */ |
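Review bot: The slot comment `/* 44: IP filter log */` describes only the logging side of /dev/ipl, and the equivalent rows in the other architectures disagree with each other (`ip filtering` in hppa and i386, `IP filter` in macppc, mvme68k, mvme88k, mvmeppc, sparc64 and vax, `ip filtering log` in sparc, `packet filter` in hp300). Since cdev_gen_ipf wires open/close/read/ioctl, the node serves rule and NAT control as well as log reads, so one wording such as `/* 44: IP filter (/dev/ipl) */` across all twelve tables would make the major-number assignments easier to audit.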
| diff -cr sys/arch/hp300/hp300/conf.c sys.ipf/arch/hp300/hp300/conf.c |
| *** sys/arch/hp300/hp300/conf.c Thu Dec 5 13:49:55 2002 |
| --- sys.ipf/arch/hp300/hp300/conf.c Thu May 1 15:38:23 2003 |
| *************** |
| *** 126,131 **** |
| --- 126,137 ---- |
| cdev_decl(xfs_dev); |
| #endif |
| |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| + |
| #include "pf.h" |
| |
| #include "systrace.h" |
| *************** |
| *** 169,175 **** |
| cdev_disk_init(NRD,rd), /* 34: RAM disk */ |
| cdev_tty_init(NAPCI,apci), /* 35: Apollo APCI UARTs */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 36: Kernel symbols device */ |
| ! cdev_notdef(), /* 37 */ |
| cdev_notdef(), /* 38 */ |
| cdev_notdef(), /* 39 */ |
| cdev_notdef(), /* 40 */ |
| --- 175,181 ---- |
| cdev_disk_init(NRD,rd), /* 34: RAM disk */ |
| cdev_tty_init(NAPCI,apci), /* 35: Apollo APCI UARTs */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 36: Kernel symbols device */ |
| ! cdev_pf_init(NIPF,ipl), /* 37: packet filter */ |
| cdev_notdef(), /* 38 */ |
| cdev_notdef(), /* 39 */ |
| cdev_notdef(), /* 40 */ |
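Review bot: hp300 wires the ipl slot with `cdev_pf_init(NIPF,ipl)` while every other architecture in this patch uses the `cdev_gen_ipf` macro that the sys/conf.h hunk adds for exactly this device. cdev_pf_init is pf's macro and its definition is outside this diff; if it does not route read() the way cdev_gen_ipf does (open, close, read, ioctl), reading the IPF log from /dev/ipl will fail on hp300 only, and the comment `37: packet filter` duplicates pf's own description. Change the row to `cdev_gen_ipf(NIPF,ipl),	/* 37: IP filter */` to match the other tables.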
| diff -cr sys/arch/hppa/hppa/conf.c sys.ipf/arch/hppa/hppa/conf.c |
| *** sys/arch/hppa/hppa/conf.c Sat Feb 8 23:34:27 2003 |
| --- sys.ipf/arch/hppa/hppa/conf.c Thu May 1 15:38:24 2003 |
| *************** |
| *** 111,116 **** |
| --- 111,122 ---- |
| #include "com.h" |
| cdev_decl(com); |
| |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| + |
| #include "pf.h" |
| |
| #include "systrace.h" |
| *************** |
| *** 161,166 **** |
| --- 167,173 ---- |
| cdev_audio_init(NAUDIO,audio), /* 35: /dev/audio */ |
| cdev_crypto_init(NCRYPTO,crypto), /* 36: /dev/crypto */ |
| cdev_ses_init(NSES,ses), /* 37: SCSI SES/SAF-TE */ |
| + cdev_gen_ipf(NIPF,ipl), /* 38: ip filtering */ |
| cdev_lkm_dummy(), |
| cdev_lkm_dummy(), |
| cdev_lkm_dummy(), |
| diff -cr sys/arch/i386/i386/conf.c sys.ipf/arch/i386/i386/conf.c |
| *** sys/arch/i386/i386/conf.c Thu Dec 5 13:49:55 2002 |
| --- sys.ipf/arch/i386/i386/conf.c Thu May 1 15:38:24 2003 |
| *************** |
| *** 188,193 **** |
| --- 188,199 ---- |
| #include "radio.h" |
| #include "gpr.h" |
| |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| + |
| /* XXX -- this needs to be supported by config(8)! */ |
| #if (NCOM > 0) && (NPCCOM > 0) |
| #error com and pccom are mutually exclusive. Sorry. |
| *************** |
| *** 311,317 **** |
| cdev_usbdev_init(NUSCANNER,uscanner), /* 77: USB scanners */ |
| cdev_systrace_init(NSYSTRACE,systrace), /* 78: system call tracing */ |
| cdev_oci_init(NBIO,bio), /* 79: ioctl tunnel */ |
| ! cdev_ch_init(NGPR,gpr) /* 80: GPR400 SmartCard reader */ |
| }; |
| int nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]); |
| |
| --- 317,325 ---- |
| cdev_usbdev_init(NUSCANNER,uscanner), /* 77: USB scanners */ |
| cdev_systrace_init(NSYSTRACE,systrace), /* 78: system call tracing */ |
| cdev_oci_init(NBIO,bio), /* 79: ioctl tunnel */ |
| ! cdev_ch_init(NGPR,gpr), /* 80: GPR400 SmartCard reader */ |
| ! cdev_gen_ipf(NIPF,ipl) /* 81: ip filtering */ |
| ! |
| }; |
| int nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]); |
| |
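Review bot: The new side of this hunk adds an empty `!` line between `cdev_gen_ipf(NIPF,ipl)	/* 81: ip filtering */` and `};`, i.e. a stray blank line inside the cdevsw initializer. It is harmless to the compiler but it is the only such line in the twelve conf.c tables touched here; drop it so the last row is immediately followed by `};`. Note also that line 80 gained a trailing comma and line 81 has none, so the next person appending a device must remember to add one.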
| diff -cr sys/arch/mac68k/mac68k/conf.c sys.ipf/arch/mac68k/mac68k/conf.c |
| *** sys/arch/mac68k/mac68k/conf.c Thu Dec 5 13:49:55 2002 |
| --- sys.ipf/arch/mac68k/mac68k/conf.c Thu May 1 15:38:24 2003 |
| *************** |
| *** 108,113 **** |
| --- 108,119 ---- |
| cdev_decl(xfs_dev); |
| #endif |
| |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| + |
| #include "pf.h" |
| |
| #include "systrace.h" |
| *************** |
| *** 152,158 **** |
| cdev_pf_init(NPF,pf), /* 35: packet filter */ |
| cdev_audio_init(NASC,asc), /* 36: ASC audio device */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 37: Kernel symbols device */ |
| ! cdev_notdef(), /* 38 */ |
| cdev_notdef(), /* 39 */ |
| cdev_notdef(), /* 40 */ |
| cdev_notdef(), /* 41 */ |
| --- 158,164 ---- |
| cdev_pf_init(NPF,pf), /* 35: packet filter */ |
| cdev_audio_init(NASC,asc), /* 36: ASC audio device */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 37: Kernel symbols device */ |
| ! cdev_gen_ipf(NIPF,ipl), /* 38: IP filter log */ |
| cdev_notdef(), /* 39 */ |
| cdev_notdef(), /* 40 */ |
| cdev_notdef(), /* 41 */ |
| diff -cr sys/arch/macppc/macppc/conf.c sys.ipf/arch/macppc/macppc/conf.c |
| *** sys/arch/macppc/macppc/conf.c Thu Dec 5 13:49:55 2002 |
| --- sys.ipf/arch/macppc/macppc/conf.c Thu May 1 15:38:24 2003 |
| *************** |
| *** 105,110 **** |
| --- 105,116 ---- |
| |
| #include "tun.h" |
| |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| + |
| #ifdef XFS |
| #include <xfs/nxfs.h> |
| cdev_decl(xfs_dev); |
| *************** |
| *** 191,197 **** |
| cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ |
| cdev_audio_init(NAUDIO,audio), /* 44: generic audio I/O */ |
| ! cdev_notdef(), /* 45 */ |
| cdev_notdef(), /* 46 */ |
| cdev_crypto_init(NCRYPTO,crypto), /* 47: /dev/crypto */ |
| cdev_notdef(), /* 48 */ |
| --- 197,203 ---- |
| cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ |
| cdev_audio_init(NAUDIO,audio), /* 44: generic audio I/O */ |
| ! cdev_gen_ipf(NIPF,ipl), /* 45: IP filter */ |
| cdev_notdef(), /* 46 */ |
| cdev_crypto_init(NCRYPTO,crypto), /* 47: /dev/crypto */ |
| cdev_notdef(), /* 48 */ |
| diff -cr sys/arch/mvme68k/mvme68k/conf.c sys.ipf/arch/mvme68k/mvme68k/conf.c |
| *** sys/arch/mvme68k/mvme68k/conf.c Thu Dec 5 13:49:55 2002 |
| --- sys.ipf/arch/mvme68k/mvme68k/conf.c Thu May 1 15:38:24 2003 |
| *************** |
| *** 158,163 **** |
| --- 158,169 ---- |
| #include "bpfilter.h" |
| #include "tun.h" |
| |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| + |
| #include "pf.h" |
| |
| #include "systrace.h" |
| *************** |
| *** 212,218 **** |
| cdev_uk_init(NUK,uk), /* 41: unknown SCSI */ |
| cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ |
| ! cdev_lkm_dummy(), /* 44 */ |
| cdev_lkm_dummy(), /* 45 */ |
| cdev_lkm_dummy(), /* 46 */ |
| cdev_lkm_dummy(), /* 47 */ |
| --- 218,224 ---- |
| cdev_uk_init(NUK,uk), /* 41: unknown SCSI */ |
| cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ |
| ! cdev_gen_ipf(NIPF,ipl), /* 44: IP filter */ |
| cdev_lkm_dummy(), /* 45 */ |
| cdev_lkm_dummy(), /* 46 */ |
| cdev_lkm_dummy(), /* 47 */ |
| diff -cr sys/arch/mvme88k/mvme88k/conf.c sys.ipf/arch/mvme88k/mvme88k/conf.c |
| *** sys/arch/mvme88k/mvme88k/conf.c Thu Dec 5 13:49:55 2002 |
| --- sys.ipf/arch/mvme88k/mvme88k/conf.c Thu May 1 15:38:25 2003 |
| *************** |
| *** 101,106 **** |
| --- 101,112 ---- |
| cdev_decl(lptwo); |
| #endif /* notyet */ |
| |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| + |
| #include "pf.h" |
| |
| #include "systrace.h" |
| *************** |
| *** 187,193 **** |
| cdev_lkm_dummy(), /* 38 */ |
| cdev_pf_init(NPF,pf), /* 39: packet filter */ |
| cdev_random_init(1,random), /* 40: random data source */ |
| ! cdev_notdef(), /* 41 */ |
| cdev_notdef(), /* 42 */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ |
| cdev_notdef(), /* 44 */ |
| --- 193,199 ---- |
| cdev_lkm_dummy(), /* 38 */ |
| cdev_pf_init(NPF,pf), /* 39: packet filter */ |
| cdev_random_init(1,random), /* 40: random data source */ |
| ! cdev_gen_ipf(NIPF,ipl), /* 41: IP filter */ |
| cdev_notdef(), /* 42 */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ |
| cdev_notdef(), /* 44 */ |
| diff -cr sys/arch/mvmeppc/mvmeppc/conf.c sys.ipf/arch/mvmeppc/mvmeppc/conf.c |
| *** sys/arch/mvmeppc/mvmeppc/conf.c Thu Dec 5 13:49:55 2002 |
| --- sys.ipf/arch/mvmeppc/mvmeppc/conf.c Thu May 1 15:38:25 2003 |
| *************** |
| *** 114,119 **** |
| --- 114,125 ---- |
| |
| #include "ksyms.h" |
| |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| + |
| #include "pf.h" |
| |
| #include "systrace.h" |
| *************** |
| *** 167,173 **** |
| cdev_uk_init(NUK,uk), /* 41: unknown SCSI */ |
| cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ |
| ! cdev_notdef(), /* 44 */ |
| cdev_notdef(), /* 45 */ |
| cdev_notdef(), /* 46 */ |
| cdev_notdef(), /* 47 */ |
| --- 173,179 ---- |
| cdev_uk_init(NUK,uk), /* 41: unknown SCSI */ |
| cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ |
| ! cdev_gen_ipf(NIPF,ipl), /* 44: IP filter */ |
| cdev_notdef(), /* 45 */ |
| cdev_notdef(), /* 46 */ |
| cdev_notdef(), /* 47 */ |
| diff -cr sys/arch/sparc/sparc/conf.c sys.ipf/arch/sparc/sparc/conf.c |
| *** sys/arch/sparc/sparc/conf.c Thu Dec 5 13:49:55 2002 |
| --- sys.ipf/arch/sparc/sparc/conf.c Thu May 1 15:38:25 2003 |
| *************** |
| *** 126,131 **** |
| --- 126,137 ---- |
| }; |
| int nblkdev = sizeof(bdevsw) / sizeof(bdevsw[0]); |
| |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| + |
| #include "pf.h" |
| |
| #include "systrace.h" |
| *************** |
| *** 196,202 **** |
| cdev_notdef(), /* 57 */ |
| cdev_disk_init(NCD,cd), /* 58: SCSI CD-ROM */ |
| cdev_pf_init(NPF,pf), /* 59: packet filter */ |
| ! cdev_notdef(), /* 60 */ |
| cdev_notdef(), /* 61 */ |
| cdev_notdef(), /* 62 */ |
| cdev_notdef(), /* 63 */ |
| --- 202,208 ---- |
| cdev_notdef(), /* 57 */ |
| cdev_disk_init(NCD,cd), /* 58: SCSI CD-ROM */ |
| cdev_pf_init(NPF,pf), /* 59: packet filter */ |
| ! cdev_gen_ipf(NIPF,ipl), /* 60: ip filtering log */ |
| cdev_notdef(), /* 61 */ |
| cdev_notdef(), /* 62 */ |
| cdev_notdef(), /* 63 */ |
| diff -cr sys/arch/sparc64/sparc64/conf.c sys.ipf/arch/sparc64/sparc64/conf.c |
| *** sys/arch/sparc64/sparc64/conf.c Thu Dec 5 13:49:55 2002 |
| --- sys.ipf/arch/sparc64/sparc64/conf.c Thu May 1 15:38:25 2003 |
| *************** |
| *** 114,119 **** |
| --- 114,125 ---- |
| #include "ucom.h" |
| #include "uscanner.h" |
| |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| + |
| #include "pf.h" |
| |
| #ifdef XFS |
| *************** |
| *** 250,256 **** |
| cdev_mouse_init(NWSKBD, wskbd), /* 79: keyboards */ |
| cdev_mouse_init(NWSMOUSE, wsmouse), /* 80: mice */ |
| cdev_mouse_init(NWSMUX, wsmux), /* 81: ws multiplexor */ |
| ! cdev_notdef(), /* 82 */ |
| cdev_notdef(), /* 83 */ |
| cdev_notdef(), /* 84 */ |
| cdev_notdef(), /* 85 */ |
| --- 256,262 ---- |
| cdev_mouse_init(NWSKBD, wskbd), /* 79: keyboards */ |
| cdev_mouse_init(NWSMOUSE, wsmouse), /* 80: mice */ |
| cdev_mouse_init(NWSMUX, wsmux), /* 81: ws multiplexor */ |
| ! cdev_gen_ipf(NIPF,ipl), /* 82: IP filter */ |
| cdev_notdef(), /* 83 */ |
| cdev_notdef(), /* 84 */ |
| cdev_notdef(), /* 85 */ |
| diff -cr sys/arch/vax/vax/conf.c sys.ipf/arch/vax/vax/conf.c |
| *** sys/arch/vax/vax/conf.c Thu Dec 5 13:49:55 2002 |
| --- sys.ipf/arch/vax/vax/conf.c Thu May 1 15:38:28 2003 |
| *************** |
| *** 357,362 **** |
| --- 357,368 ---- |
| #include "wskbd.h" |
| #include "wsmouse.h" |
| |
| + #ifdef IPFILTER |
| + #define NIPF 1 |
| + #else |
| + #define NIPF 0 |
| + #endif |
| + |
| #include "pf.h" |
| |
| #include "systrace.h" |
| *************** |
| *** 410,416 **** |
| cdev_notdef(), /* 44 was Datakit */ |
| cdev_notdef(), /* 45 was Datakit */ |
| cdev_notdef(), /* 46 was Datakit */ |
| ! cdev_notdef(), /* 47 */ |
| cdev_notdef(), /* 48 */ |
| cdev_systrace_init(NSYSTRACE,systrace), /* 49: system call tracing */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 50: Kernel symbols device */ |
| --- 416,422 ---- |
| cdev_notdef(), /* 44 was Datakit */ |
| cdev_notdef(), /* 45 was Datakit */ |
| cdev_notdef(), /* 46 was Datakit */ |
| ! cdev_gen_ipf(NIPF,ipl), /* 47: IP filter */ |
| cdev_notdef(), /* 48 */ |
| cdev_systrace_init(NSYSTRACE,systrace), /* 49: system call tracing */ |
| cdev_ksyms_init(NKSYMS,ksyms), /* 50: Kernel symbols device */ |
| diff -cr sys/conf/GENERIC sys.ipf/conf/GENERIC |
| *** sys/conf/GENERIC Sat Mar 1 10:44:46 2003 |
| --- sys.ipf/conf/GENERIC Thu May 1 15:38:28 2003 |
| *************** |
| *** 72,77 **** |
| --- 72,79 ---- |
| #option EON # OSI tunneling over IP |
| #option NETATALK # AppleTalk |
| #option CCITT,LLC,HDLC # X.25 |
| + option IPFILTER # IP packet filter for security |
| + option IPFILTER_LOG # use /dev/ipl to log IPF |
| option PPP_BSDCOMP # PPP BSD compression |
| option PPP_DEFLATE |
| #option MROUTING # Multicast router |
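Review bot: The comment on `option IPFILTER` says only `IP packet filter for security`, which does not tell a kernel builder that IPF is being enabled in a kernel that, judging by the cdevsw tables in this patch, also carries pf, nor in what order the two engines see traffic. Per the ip_input.c and ip_output.c hunks the order is pf then IPF on input and IPF then pf on output, which affects how NAT and rules must be written; a comment such as `option IPFILTER # IPFilter; inbound after pf, outbound before pf` records that at the one place people edit. IPFILTER_LOG could likewise say that it is what makes /dev/ipl reads meaningful.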
| diff -cr sys/conf/files sys.ipf/conf/files |
| *** sys/conf/files Thu Feb 27 07:25:49 2003 |
| --- sys.ipf/conf/files Thu May 1 15:38:28 2003 |
| *************** |
| *** 678,683 **** |
| --- 678,691 ---- |
| file netinet/tcp_usrreq.c inet |
| file netinet/udp_usrreq.c inet |
| file netinet/ip_gre.c inet |
| + file netinet/ip_fil.c ipfilter |
| + file netinet/fil.c ipfilter |
| + file netinet/ip_nat.c ipfilter |
| + file netinet/ip_frag.c ipfilter |
| + file netinet/ip_state.c ipfilter |
| + file netinet/ip_proxy.c ipfilter |
| + file netinet/ip_auth.c ipfilter |
| + file netinet/ip_log.c ipfilter |
| file netinet/ip_ipsp.c (inet | inet6) & (ipsec | tcp_signature) |
| file netinet/ip_spd.c (inet | inet6) & (ipsec | tcp_signature) |
| file netinet/ip_ipip.c inet | inet6 |
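Review bot: `file netinet/ip_log.c ipfilter` builds the log module whenever IPFILTER is set, even though GENERIC introduces a separate IPFILTER_LOG option in the same patch. If ip_log.c guards its body with `#ifdef IPFILTER_LOG` this only costs an empty object; if it does not, logging code is compiled into kernels that did not ask for it. `file netinet/ip_log.c ipfilter & ipfilter_log` ties the two together, assuming config(8) exposes the option as a lowercase attribute the way it evidently does for `ipfilter`.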
| diff -cr sys/net/bridgestp.c sys.ipf/net/bridgestp.c |
| *** sys/net/bridgestp.c Wed Dec 11 00:22:55 2002 |
| --- sys.ipf/net/bridgestp.c Thu May 1 15:38:29 2003 |
| *************** |
| *** 63,68 **** |
| --- 63,73 ---- |
| #include <netinet/in_var.h> |
| #include <netinet/ip.h> |
| #include <netinet/if_ether.h> |
| + |
| + #ifdef IPFILTER |
| + #include <netinet/ip_compat.h> |
| + #include <netinet/ip_fil.h> |
| + #endif |
| #endif |
| |
| #if NBPFILTER > 0 |
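Review bot: This hunk pulls <netinet/ip_compat.h> and <netinet/ip_fil.h> into bridgestp.c, but it is the only change to that file in the diff and no IPF symbol is referenced by it anywhere I can see; spanning-tree processing has no obvious reason to consult the packet filter. If nothing in bridgestp.c needs them the includes should be dropped, since they add a build dependency on IPF headers to a file that never calls it; if something does, a comment naming the symbol, `/* for <symbol> */`, would justify the dependency.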
| diff -cr sys/net/if.c sys.ipf/net/if.c |
| *** sys/net/if.c Wed Sep 11 15:38:47 2002 |
| --- sys.ipf/net/if.c Thu May 1 15:38:29 2003 |
| *************** |
| *** 101,106 **** |
| --- 101,112 ---- |
| #include <netinet6/nd6.h> |
| #endif |
| |
| + #ifdef IPFILTER |
| + #include <netinet/ip_compat.h> |
| + #include <netinet/ip_fil.h> |
| + #include <netinet/ip_nat.h> |
| + #endif |
| + |
| #if NBPFILTER > 0 |
| #include <net/bpf.h> |
| #endif |
| *************** |
| *** 468,473 **** |
| --- 474,484 ---- |
| |
| /* Remove the interface from the list of all interfaces. */ |
| TAILQ_REMOVE(&ifnet, ifp, if_list); |
| + |
| + #ifdef IPFILTER |
| + /* XXX More ipf & ipnat cleanup needed. */ |
| + frsync(); |
| + #endif |
| |
| /* |
| * Deallocate private resources. |
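Review bot: `frsync()` is called after the interface has been unlinked from ifnet but before the `Deallocate private resources` block frees it, and the `XXX More ipf & ipnat cleanup needed` comment concedes that IPF state and NAT entries may still reference the old ifp. Any such entry that survives frsync() holds a pointer that dangles once the ifp is freed, and the next packet matching it dereferences freed memory; the comment should at least name what is not cleaned so the gap can be tracked, e.g. `/* XXX frsync() only; confirm ipf state/NAT entries holding this ifp are flushed before it is freed. */`. frsync()'s body is outside the diff, so the exact set is something to confirm against fil.c.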
| diff -cr sys/net/if_bridge.c sys.ipf/net/if_bridge.c |
| *** sys/net/if_bridge.c 11 Mar 2003 16:06:25 -0000 |
| --- sys.ipf/net/if_bridge.c 18 Jun 2003 13:01:48 -0000 |
| *************** |
| *** 71,76 **** |
| --- 71,80 ---- |
| #include <netinet/ip_ipsp.h> |
| |
| #include <net/if_enc.h> |
| + #if (defined(IPFILTER) || defined(IPFILTER_LKM)) |
| + #include <netinet/ip_compat.h> |
| + #include <netinet/ip_fil.h> |
| + #endif |
| #endif |
| |
| #ifdef INET6 |
| *************** |
| *** 159,165 **** |
| int bridge_flushrule(struct bridge_iflist *); |
| int bridge_brlconf(struct bridge_softc *, struct ifbrlconf *); |
| u_int8_t bridge_filterrule(struct brl_head *, struct ether_header *); |
| ! #if NPF > 0 |
| struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *, |
| struct ether_header *, struct mbuf *m); |
| #endif |
| --- 163,169 ---- |
| int bridge_flushrule(struct bridge_iflist *); |
| int bridge_brlconf(struct bridge_softc *, struct ifbrlconf *); |
| u_int8_t bridge_filterrule(struct brl_head *, struct ether_header *); |
| ! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) |
| struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *, |
| struct ether_header *, struct mbuf *m); |
| #endif |
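Review bot: The guard `(NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))` is now spelled out by hand at this prototype and again at the call sites on lines 544, 561, 578 and 625, in a different order at 649, and in the closing comment at 722; it is easy for one copy to drift. Define the test once near the new includes, `#if defined(IPFILTER) || defined(IPFILTER_LKM)` / `#define NIPF 1` / `#else` / `#define NIPF 0` / `#endif` (the same shape the conf.c hunks use), and write every guard as `#if (NPF > 0) || (NIPF > 0)`.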
| *************** |
| *** 1175,1181 **** |
| m_freem(m); |
| return; |
| } |
| ! #if NPF > 0 |
| m = bridge_filter(sc, BRIDGE_IN, src_if, &eh, m); |
| if (m == NULL) |
| return; |
| --- 1179,1185 ---- |
| m_freem(m); |
| return; |
| } |
| ! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) |
| m = bridge_filter(sc, BRIDGE_IN, src_if, &eh, m); |
| if (m == NULL) |
| return; |
| *************** |
| *** 1218,1224 **** |
| m_freem(m); |
| return; |
| } |
| ! #if NPF > 0 |
| m = bridge_filter(sc, BRIDGE_OUT, dst_if, &eh, m); |
| if (m == NULL) |
| return; |
| --- 1222,1228 ---- |
| m_freem(m); |
| return; |
| } |
| ! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) |
| m = bridge_filter(sc, BRIDGE_OUT, dst_if, &eh, m); |
| if (m == NULL) |
| return; |
| *************** |
| *** 1472,1478 **** |
| mc = m1; |
| } |
| |
| ! #if NPF > 0 |
| mc = bridge_filter(sc, BRIDGE_OUT, dst_if, eh, mc); |
| if (mc == NULL) |
| continue; |
| --- 1476,1482 ---- |
| mc = m1; |
| } |
| |
| ! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) |
| mc = bridge_filter(sc, BRIDGE_OUT, dst_if, eh, mc); |
| if (mc == NULL) |
| continue; |
| *************** |
| *** 2260,2265 **** |
| --- 2264,2275 ---- |
| * We don't need to do loop detection, the |
| * bridge will do that for us. |
| */ |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + if (dir == BRIDGE_OUT && fr_checkp && |
| + ((*fr_checkp)(ip, hlen, &encif[0].sc_if, |
| + 1, &m) || !m)) |
| + return 1; |
| + #endif |
| #if NPF > 0 |
| switch (af) { |
| #ifdef INET |
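Review bot: The new call passes `ip` and `hlen` to fr_checkp before anything in this hunk derives them from `m`, and the function head is outside the hunk; the pf_test calls against encif that follow suggest this is the output branch of bridge_ipsec, where `ip` looks like it is only assigned on the input/AF_INET path, so the filter would receive an indeterminate pointer. The call also runs for af == AF_INET6, where a `struct ip *` is the wrong view; the ip6_input.c hunk shows the intended form, `(struct ip *)ip6, sizeof(*ip6)`. The mirror hunk at lines 603-608 has the same problem and, if both sit in the output branch, its `dir == BRIDGE_IN` condition can never be true. Select the header per af first (`mtod(m, struct ip *)` with `ip->ip_hl << 2` for AF_INET, the ip6 cast with `sizeof(struct ip6_hdr)` for AF_INET6, skip other families) and pass those.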
| *************** |
| *** 2284,2289 **** |
| --- 2294,2305 ---- |
| if (m == NULL) |
| return (1); |
| #endif /* NPF */ |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + if (dir == BRIDGE_IN && fr_checkp && |
| + ((*fr_checkp)(ip, hlen, &encif[0].sc_if, |
| + 0, &m) || !m)) |
| + return 1; |
| + #endif |
| #ifdef INET |
| if (af == AF_INET) { |
| ip = mtod(m, struct ip *); |
| *************** |
| *** 2302,2308 **** |
| } |
| #endif /* IPSEC */ |
| |
| ! #if NPF > 0 |
| /* |
| * Filter IP packets by peeking into the ethernet frame. This violates |
| * the ISO model, but allows us to act as a IP filter at the data link |
| --- 2318,2324 ---- |
| } |
| #endif /* IPSEC */ |
| |
| ! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) |
| /* |
| * Filter IP packets by peeking into the ethernet frame. This violates |
| * the ISO model, but allows us to act as a IP filter at the data link |
| *************** |
| *** 2412,2425 **** |
| return (NULL); |
| #endif /* IPSEC */ |
| |
| ! #if NPF > 0 |
| /* Finally, we get to filter the packet! */ |
| m->m_pkthdr.rcvif = ifp; |
| if (pf_test(dir, ifp, &m) != PF_PASS) |
| goto dropit; |
| if (m == NULL) |
| goto dropit; |
| #endif /* NPF */ |
| |
| /* Rebuild the IP header */ |
| if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL)) |
| --- 2428,2459 ---- |
| return (NULL); |
| #endif /* IPSEC */ |
| |
| ! #if defined(IPFILTER) || defined(IPFILTER_LKM) || (NPF > 0) |
| /* Finally, we get to filter the packet! */ |
| m->m_pkthdr.rcvif = ifp; |
| + #endif |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + if (dir == BRIDGE_OUT) { |
| + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m)) |
| + goto dropit; |
| + if (m == NULL) |
| + goto dropit; |
| + } |
| + #endif |
| + #if NPF > 0 |
| if (pf_test(dir, ifp, &m) != PF_PASS) |
| goto dropit; |
| if (m == NULL) |
| goto dropit; |
| #endif /* NPF */ |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + if (dir == BRIDGE_IN) { |
| + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 0, &m)) |
| + goto dropit; |
| + if (m == NULL) |
| + goto dropit; |
| + } |
| + #endif |
| |
| /* Rebuild the IP header */ |
| if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL)) |
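Review bot: The BRIDGE_IN call at line 669 reuses the `ip` and `hlen` computed before `pf_test(dir, ifp, &m)` at 662, but pf_test takes `&m` and may hand back a different chain (normalization or reassembly), after which `ip` points into a freed mbuf. The original code re-pulls the header (`m_pullup` at 677) and presumably re-derives `ip` right after, so the IN-side check should move below that rebuild, or at least be preceded by `ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2;` once `m->m_len` is known to cover the header. bridge_filter's head and the lines after the pullup are outside the hunk.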
| *************** |
| *** 2463,2474 **** |
| --- 2497,2524 ---- |
| return (NULL); |
| #endif /* IPSEC */ |
| |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + if (dir == BRIDGE_OUT) { |
| + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m)) |
| + goto dropit; |
| + if (m == NULL) |
| + return (NULL); |
| + } |
| + #endif |
| #if NPF > 0 |
| if (pf_test6(dir, ifp, &m) != PF_PASS) |
| goto dropit; |
| if (m == NULL) |
| return (NULL); |
| #endif /* NPF */ |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + if (dir == BRIDGE_IN) { |
| + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 0, &m)) |
| + goto dropit; |
| + if (m == NULL) |
| + return (NULL); |
| + } |
| + #endif |
| |
| break; |
| } |
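Review bot: In the IPv6 case of bridge_filter this hunk calls fr_checkp with `ip` and `hlen`, the same names the IPv4 case (hunk at 630-677) uses for its v4 header; here they are stale or unset, and a `struct ip *` into an IPv6 header is the wrong view anyway. The ip6_input.c and ip6_output.c hunks pass `(struct ip *)ip6, sizeof(*ip6)` — do the same on both the OUT call at 686 and the IN call at 700, using whatever ip6 pointer the case already holds (the start of the case is outside the hunk). As in the v4 hunk, the IN call runs after `pf_test6(dir, ifp, &m)` may have replaced the chain, so re-derive the pointer from `m` before it.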
| *************** |
| *** 2500,2506 **** |
| m_freem(m); |
| return (NULL); |
| } |
| ! #endif /* NPF > 0 */ |
| |
| void |
| bridge_fragment(sc, ifp, eh, m) |
| --- 2550,2556 ---- |
| m_freem(m); |
| return (NULL); |
| } |
| ! #endif /* (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) */ |
| |
| void |
| bridge_fragment(sc, ifp, eh, m) |
| diff -cr sys/netinet/in_proto.c sys.ipf/netinet/in_proto.c |
| *** sys/netinet/in_proto.c Mon Jun 10 02:26:10 2002 |
| --- sys.ipf/netinet/in_proto.c Thu May 1 15:38:29 2003 |
| *************** |
| *** 163,168 **** |
| --- 163,173 ---- |
| #include <netinet/ip_mroute.h> |
| #endif /* MROUTING */ |
| |
| + #ifdef IPFILTER |
| + void iplinit __P((void)); |
| + #define ip_init iplinit |
| + #endif |
| + |
| #ifdef INET6 |
| #include <netinet6/ip6_var.h> |
| #endif /* INET6 */ |
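Review bot: `#define ip_init iplinit` rewrites every later occurrence of the token ip_init in this translation unit, including any inside the headers included after it (ip6_var.h follows immediately), rather than changing the one inetsw entry it is meant to affect. That is fragile and invisible at the use site; prefer keeping the `void iplinit __P((void));` prototype and selecting `iplinit` versus `ip_init` with an `#ifdef IPFILTER` directly in the protosw initializer (outside this hunk). Whether iplinit() itself chains to ip_init() cannot be seen from the diff, so a comment on the prototype, `/* iplinit() is expected to call ip_init() itself -- confirm in ip_fil.c */`, would help the next reader.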
| diff -cr sys/netinet/ip_input.c sys.ipf/netinet/ip_input.c |
| *** sys/netinet/ip_input.c Thu Feb 13 01:41:07 2003 |
| --- sys.ipf/netinet/ip_input.c Thu May 1 15:42:00 2003 |
| *************** |
| *** 151,156 **** |
| --- 151,160 ---- |
| struct in_ifaddrhead in_ifaddr; |
| struct ifqueue ipintrq; |
| |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); |
| + #endif |
| + |
| int ipq_locked; |
| static __inline int ipq_lock_try(void); |
| static __inline void ipq_unlock(void); |
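Review bot: `fr_checkp`'s signature `int (*)(struct ip *, int, struct ifnet *, int, struct mbuf **)` is written out here as the definition and repeated as an `extern` in ip_output.c (line 795), ip6_input.c (872) and ip6_output.c (930), while if_bridge.c uses it with no local declaration at all, presumably via <netinet/ip_fil.h>. Four hand-copied prototypes of a function pointer that every packet goes through is how a parameter mismatch slips in; keep the definition here and declare it once, `extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));`, in the header the patch already includes, so every caller sees one declaration.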
| *************** |
| *** 404,409 **** |
| --- 408,430 ---- |
| ip = mtod(m, struct ip *); |
| hlen = ip->ip_hl << 2; |
| pfrdr = (pfrdr != ip->ip_dst.s_addr); |
| + #endif |
| + |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + /* |
| + * Check if we want to allow this packet to be processed. |
| + * Consider it to be bad if not. |
| + */ |
| + { |
| + struct mbuf *m0 = m; |
| + if (fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0)) { |
| + return; |
| + } |
| + if (m0 == 0) { /* in case of 'fastroute' */ |
| + return; |
| + } |
| + ip = mtod(m = m0, struct ip *); |
| + } |
| #endif |
| |
| /* |
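Review bot: After `ip = mtod(m = m0, struct ip *);` the hunk does not recompute `hlen`, whereas the parallel ip_output.c hunk does (`hlen = ip->ip_hl << 2;` at 827); if fr_checkp can return a different chain (NAT, or the 'fastroute' case the comment mentions), the option and checksum processing that follows uses the old header length. Add `hlen = ip->ip_hl << 2;` after the mtod. The bare `return;` on a non-zero result also relies on fr_check having freed the chain itself — that matches how other BSD ports of IPF call it, but it is worth stating in the block comment, `/* fr_check frees m when it drops; nothing to release here (confirm in fil.c) */`. Note the placement: on input IPF runs after pf (the pfrdr lines above are pf's), while the ip_output.c hunks at 807-829 and 841-858 run it before pf.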
| diff -cr sys/netinet/ip_output.c sys.ipf/netinet/ip_output.c |
| *** sys/netinet/ip_output.c Sat Mar 15 06:08:02 2003 |
| --- sys.ipf/netinet/ip_output.c Thu May 1 15:38:30 2003 |
| *************** |
| *** 86,91 **** |
| --- 86,95 ---- |
| static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *); |
| static void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *); |
| |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); |
| + #endif |
| + |
| /* |
| * IP output. The packet in mbuf chain m contains a skeletal IP |
| * header (with len, off, ttl, proto, tos, src, dst). |
| *************** |
| *** 559,564 **** |
| --- 563,592 ---- |
| if (sproto != 0) { |
| s = splnet(); |
| |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + if (fr_checkp) { |
| + /* |
| + * Ok, it's time for a simple round-trip to the IPF/NAT |
| + * code with the enc0 interface. |
| + */ |
| + struct mbuf *m1 = m; |
| + void *ifp = (void *)&encif[0].sc_if; |
| + |
| + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) { |
| + error = EHOSTUNREACH; |
| + splx(s); |
| + goto done; |
| + } |
| + if (m1 == 0) { /* in case of 'fastroute' */ |
| + error = 0; |
| + splx(s); |
| + goto done; |
| + } |
| + ip = mtod(m = m1, struct ip *); |
| + hlen = ip->ip_hl << 2; |
| + } |
| + #endif /* IPFILTER */ |
| + |
| /* |
| * Packet filter |
| */ |
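Review bot: `void *ifp = (void *)&encif[0].sc_if;` declares a block-local `ifp` that shadows ip_output's own `struct ifnet *ifp` (the one the later hunk passes to fr_checkp at 848), and the `void *` cast throws away the type that fr_checkp's prototype already accepts. Use a distinct, typed name: `struct ifnet *encifp = &encif[0].sc_if;` and `if ((*fr_checkp)(ip, hlen, encifp, 1, &m1)) {`. The `splx(s); goto done;` pairs are consistent with the `s = splnet()` just above, but `done:` is outside the hunk so I cannot confirm it does not lower the spl a second time.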
| *************** |
| *** 661,666 **** |
| --- 689,713 ---- |
| m->m_pkthdr.csum &= ~M_UDPV4_CSUM_OUT; /* Clear */ |
| } |
| } |
| + |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + /* |
| + * looks like most checking has been done now...do a filter check |
| + */ |
| + { |
| + struct mbuf *m1 = m; |
| + |
| + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m1)) { |
| + error = EHOSTUNREACH; |
| + goto done; |
| + } |
| + if (m1 == 0) { /* in case of 'fastroute' */ |
| + error = 0; |
| + goto done; |
| + } |
| + ip = mtod(m = m1, struct ip *); |
| + } |
| + #endif |
| |
| /* |
| * Packet filter |
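Review bot: This filter pass sits after the delayed-checksum block whose tail is visible above it (`m->m_pkthdr.csum &= ~M_UDPV4_CSUM_OUT`), so when the checksum was computed in software it is already final, and when it was left to the NIC the M_*_CSUM_OUT flag is still set. If fr_checkp rewrites addresses or ports here (NAT), the software case needs an incremental checksum fix-up and the offload case must not be touched; I cannot see from the diff whether the IPF NAT path honours m_pkthdr.csum. Either confirm that and say so in the comment, e.g. `/* NAT here must respect m_pkthdr.csum: software checksums are already folded above */`, or move this check above the delayed-checksum block.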
| diff -cr sys/netinet6/ip6_input.c sys.ipf/netinet6/ip6_input.c |
| *** sys/netinet6/ip6_input.c Tue Jan 7 20:00:34 2003 |
| --- sys.ipf/netinet6/ip6_input.c Thu May 1 15:38:30 2003 |
| *************** |
| *** 134,139 **** |
| --- 134,143 ---- |
| static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); |
| #endif |
| |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); |
| + #endif |
| + |
| /* |
| * IP6 initialization: fill in IP6 protocol switch table. |
| * All protocols not implemented in kernel go to raw IP6 protocol handler. |
| *************** |
| *** 251,256 **** |
| --- 255,280 ---- |
| in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); |
| goto bad; |
| } |
| + |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + /* |
| + * Check if we want to allow this packet to be processed. |
| + * Consider it to be bad if not. |
| + */ |
| + if (fr_checkp != NULL) { |
| + struct mbuf *m0 = m; |
| + |
| + if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6), |
| + m->m_pkthdr.rcvif, 0, &m0)) { |
| + return; |
| + } |
| + m = m0; |
| + if (m == 0) { /* in case of 'fastroute' */ |
| + return; |
| + } |
| + ip6 = mtod(m, struct ip6_hdr *); |
| + } |
| + #endif |
| |
| #if NPF > 0 |
| /* |
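Review bot: On IPv6 input the IPF hook runs before pf (the `#if NPF > 0` block follows this hunk), whereas the IPv4 hunk in ip_input.c runs it after pf; on output the order flips again between ip_output.c (IPF first) and ip6_output.c (IPF after pf, 949-966). Rules and NAT that depend on which engine sees a packet first therefore behave differently per address family, which is hard to reason about for anyone writing a combined ruleset. Pick one order and apply it in all four places, or document the asymmetry in each hunk with a comment like `/* IPF runs before pf on v6 input; see ip_input.c for the v4 order */`. The cast `(struct ip *)ip6` relies on fr_check reading the version nibble, which is the IPF convention; a short comment saying so would help readers who do not know it.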
| diff -cr sys/netinet6/ip6_output.c sys.ipf/netinet6/ip6_output.c |
| *** sys/netinet6/ip6_output.c Fri Nov 1 05:02:27 2002 |
| --- sys.ipf/netinet6/ip6_output.c Thu May 1 15:38:30 2003 |
| *************** |
| *** 120,132 **** |
| |
| static int ip6_pcbopts(struct ip6_pktopts **, struct mbuf *, struct socket *); |
| static int ip6_setmoptions(int, struct ip6_moptions **, struct mbuf *); |
| static int ip6_getmoptions(int, struct ip6_moptions *, struct mbuf **); |
| static int ip6_copyexthdr(struct mbuf **, caddr_t, int); |
| static int ip6_insertfraghdr(struct mbuf *, struct mbuf *, int, |
| struct ip6_frag **); |
| static int ip6_insert_jumboopt(struct ip6_exthdrs *, u_int32_t); |
| static int ip6_splithdr(struct mbuf *, struct ip6_exthdrs *); |
| ! static int ip6_getpmtu(struct route_in6 *, struct route_in6 *, |
| struct ifnet *, struct in6_addr *, u_long *); |
| |
| /* |
| --- 120,135 ---- |
| |
| static int ip6_pcbopts(struct ip6_pktopts **, struct mbuf *, struct socket *); |
| static int ip6_setmoptions(int, struct ip6_moptions **, struct mbuf *); |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); |
| + #endif |
| static int ip6_getmoptions(int, struct ip6_moptions *, struct mbuf **); |
| static int ip6_copyexthdr(struct mbuf **, caddr_t, int); |
| static int ip6_insertfraghdr(struct mbuf *, struct mbuf *, int, |
| struct ip6_frag **); |
| static int ip6_insert_jumboopt(struct ip6_exthdrs *, u_int32_t); |
| static int ip6_splithdr(struct mbuf *, struct ip6_exthdrs *); |
| ! int ip6_getpmtu(struct route_in6 *, struct route_in6 *, |
| struct ifnet *, struct in6_addr *, u_long *); |
| |
| /* |
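Review bot: The `extern int (*fr_checkp) ...` declaration is inserted between the `static` prototypes for ip6_setmoptions and ip6_getmoptions, splitting a block that is otherwise one list of file-local functions; move it after the prototype block, next to the other externs, as ip6_input.c does. This hunk also drops `static` from `ip6_getpmtu` (and from its definition at 983) to export it, but no declaration is added to a shared header anywhere in the diff, so whichever IPF file calls it must carry its own hand-copied five-argument extern. Add the prototype to a netinet6 header so the compiler checks the caller, and leave a one-line comment on the definition, `/* non-static: used by IPF for path-MTU lookups (confirm caller) */`.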
| *************** |
| *** 796,801 **** |
| --- 799,823 ---- |
| goto done; |
| ip6 = mtod(m, struct ip6_hdr *); |
| #endif |
| + |
| + #if defined(IPFILTER) || defined(IPFILTER_LKM) |
| + /* |
| + * looks like most checking has been done now...do a filter check |
| + */ |
| + if (fr_checkp != NULL) { |
| + struct mbuf *m1 = m; |
| + if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6), ifp, 1, &m1)) { |
| + error = EHOSTUNREACH; |
| + goto done; |
| + } |
| + m = m1; |
| + if (m1 == 0) { /* in case of 'fastroute' */ |
| + error = 0; |
| + goto done; |
| + } |
| + ip6 = mtod(m, struct ip6_hdr *); |
| + } |
| + #endif |
| |
| /* |
| * Send the packet to the outgoing interface. |
| *************** |
| *** 1120,1126 **** |
| return (0); |
| } |
| |
| ! static int |
| ip6_getpmtu(ro_pmtu, ro, ifp, dst, mtup) |
| struct route_in6 *ro_pmtu, *ro; |
| struct ifnet *ifp; |
| --- 1142,1148 ---- |
| return (0); |
| } |
| |
| ! int |
| ip6_getpmtu(ro_pmtu, ro, ifp, dst, mtup) |
| struct route_in6 *ro_pmtu, *ro; |
| struct ifnet *ifp; |
| diff -cr sys/sys/conf.h sys.ipf/sys/conf.h |
| *** sys/sys/conf.h Sat Nov 9 06:00:37 2002 |
| --- sys.ipf/sys/conf.h Thu May 1 15:38:30 2003 |
| *************** |
| *** 362,367 **** |
| --- 362,374 ---- |
| (dev_type_ioctl((*))) enodev, (dev_type_stop((*))) nullop, \ |
| 0, (dev_type_select((*))) enodev, (dev_type_mmap((*))) enodev } |
| |
| + /* open, close, read, ioctl */ |
| + #define cdev_gen_ipf(c, n) { \ |
| + dev_init(c,n,open), dev_init(c,n,close), dev_init(c,n,read), \ |
| + (dev_type_write((*))) enodev, dev_init(c,n,ioctl), \ |
| + (dev_type_stop((*))) enodev, 0, (dev_type_select((*))) enodev, \ |
| + (dev_type_mmap((*))) enodev } |
| + |
| /* open, close, read, write, ioctl, select, nokqfilter */ |
| #define cdev_xfs_init(c, n) { \ |
| dev_init(c,n,open), dev_init(c,n,close), dev_init(c,n,read), \ |
| *************** |
| *** 571,576 **** |
| --- 578,584 ---- |
| |
| cdev_decl(bpf); |
| |
| + cdev_decl(ipl); |
| cdev_decl(pf); |
| |
| cdev_decl(tun); |