diff -cr sys/arch/alpha/alpha/conf.c sys.ipf/arch/alpha/alpha/conf.c
*** sys/arch/alpha/alpha/conf.c Thu Dec 5 13:49:55 2002
--- sys.ipf/arch/alpha/alpha/conf.c Thu May 1 15:38:04 2003
***************
*** 107,112 ****
--- 107,117 ----
#include "lpt.h"
cdev_decl(lpt);
cdev_decl(prom); /* XXX XXX XXX */
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
cdev_decl(wd);
cdev_decl(fd);
#include "cy.h"
***************
*** 177,183 ****
cdev_midi_init(NMIDI,midi), /* 41: MIDI I/O */
cdev_midi_init(NSEQUENCER,sequencer), /* 42: sequencer I/O */
cdev_disk_init(NRAID,raid), /* 43: RAIDframe disk driver */
! cdev_notdef(), /* 44 */
cdev_usb_init(NUSB,usb), /* 45: USB controller */
cdev_usbdev_init(NUHID,uhid), /* 46: USB generic HID */
cdev_ulpt_init(NULPT,ulpt), /* 47: USB printer */
--- 182,188 ----
cdev_midi_init(NMIDI,midi), /* 41: MIDI I/O */
cdev_midi_init(NSEQUENCER,sequencer), /* 42: sequencer I/O */
cdev_disk_init(NRAID,raid), /* 43: RAIDframe disk driver */
! cdev_gen_ipf(NIPF,ipl), /* 44: IP filter log */
cdev_usb_init(NUSB,usb), /* 45: USB controller */
cdev_usbdev_init(NUHID,uhid), /* 46: USB generic HID */
cdev_ulpt_init(NULPT,ulpt), /* 47: USB printer */
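Review bot: `NIPF` is derived from `#ifdef IPFILTER` alone, while every hook this diff adds to the network code (if_bridge.c, ip_input.c, ip_output.c, ip6_*.c) is guarded by `defined(IPFILTER) || defined(IPFILTER_LKM)`, so in an IPFILTER_LKM-only kernel this slot expands to the disabled entry. That is presumably intended, with the module installing its own cdevsw entry, but the same four-line block is pasted into every arch conf.c and nowhere says so; add `/* NIPF is 1 only for the static build; the LKM supplies its own cdevsw entry */` above the `#ifdef`. The slot comment `44: IP filter log` under-describes the node if it also carries the rule and NAT ioctls (the macro in sys/conf.h wires up `ioctl`), so `IP filter control/log` is the safer wording.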
diff -cr sys/arch/hp300/hp300/conf.c sys.ipf/arch/hp300/hp300/conf.c
*** sys/arch/hp300/hp300/conf.c Thu Dec 5 13:49:55 2002
--- sys.ipf/arch/hp300/hp300/conf.c Thu May 1 15:38:23 2003
***************
*** 126,131 ****
--- 126,137 ----
cdev_decl(xfs_dev);
#endif
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
+
#include "pf.h"
#include "systrace.h"
***************
*** 169,175 ****
cdev_disk_init(NRD,rd), /* 34: RAM disk */
cdev_tty_init(NAPCI,apci), /* 35: Apollo APCI UARTs */
cdev_ksyms_init(NKSYMS,ksyms), /* 36: Kernel symbols device */
! cdev_notdef(), /* 37 */
cdev_notdef(), /* 38 */
cdev_notdef(), /* 39 */
cdev_notdef(), /* 40 */
--- 175,181 ----
cdev_disk_init(NRD,rd), /* 34: RAM disk */
cdev_tty_init(NAPCI,apci), /* 35: Apollo APCI UARTs */
cdev_ksyms_init(NKSYMS,ksyms), /* 36: Kernel symbols device */
! cdev_pf_init(NIPF,ipl), /* 37: packet filter */
cdev_notdef(), /* 38 */
cdev_notdef(), /* 39 */
cdev_notdef(), /* 40 */
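Review bot: The new line `cdev_pf_init(NIPF,ipl)` uses pf's cdevsw macro for the ipl device, whereas every other arch in this diff, and the `cdev_gen_ipf` macro this same diff adds to sys/conf.h, use `cdev_gen_ipf(NIPF,ipl)`; the comment `37: packet filter` is likewise copied from the pf slot. Unless ipl provides every entry point `cdev_pf_init` expects, this is either a build break or a dead function pointer in the hp300 table. Change it to `cdev_gen_ipf(NIPF,ipl),	/* 37: IP filter */` so hp300 matches the other architectures.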
diff -cr sys/arch/hppa/hppa/conf.c sys.ipf/arch/hppa/hppa/conf.c
*** sys/arch/hppa/hppa/conf.c Sat Feb 8 23:34:27 2003
--- sys.ipf/arch/hppa/hppa/conf.c Thu May 1 15:38:24 2003
***************
*** 111,116 ****
--- 111,122 ----
#include "com.h"
cdev_decl(com);
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
+
#include "pf.h"
#include "systrace.h"
***************
*** 161,166 ****
--- 167,173 ----
cdev_audio_init(NAUDIO,audio), /* 35: /dev/audio */
cdev_crypto_init(NCRYPTO,crypto), /* 36: /dev/crypto */
cdev_ses_init(NSES,ses), /* 37: SCSI SES/SAF-TE */
+ cdev_gen_ipf(NIPF,ipl), /* 38: ip filtering */
cdev_lkm_dummy(),
cdev_lkm_dummy(),
cdev_lkm_dummy(),
diff -cr sys/arch/i386/i386/conf.c sys.ipf/arch/i386/i386/conf.c
*** sys/arch/i386/i386/conf.c Thu Dec 5 13:49:55 2002
--- sys.ipf/arch/i386/i386/conf.c Thu May 1 15:38:24 2003
***************
*** 188,193 ****
--- 188,199 ----
#include "radio.h"
#include "gpr.h"
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
+
/* XXX -- this needs to be supported by config(8)! */
#if (NCOM > 0) && (NPCCOM > 0)
#error com and pccom are mutually exclusive. Sorry.
***************
*** 311,317 ****
cdev_usbdev_init(NUSCANNER,uscanner), /* 77: USB scanners */
cdev_systrace_init(NSYSTRACE,systrace), /* 78: system call tracing */
cdev_oci_init(NBIO,bio), /* 79: ioctl tunnel */
! cdev_ch_init(NGPR,gpr) /* 80: GPR400 SmartCard reader */
};
int nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]);
--- 317,325 ----
cdev_usbdev_init(NUSCANNER,uscanner), /* 77: USB scanners */
cdev_systrace_init(NSYSTRACE,systrace), /* 78: system call tracing */
cdev_oci_init(NBIO,bio), /* 79: ioctl tunnel */
! cdev_ch_init(NGPR,gpr), /* 80: GPR400 SmartCard reader */
! cdev_gen_ipf(NIPF,ipl) /* 81: ip filtering */
!
};
int nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]);
diff -cr sys/arch/mac68k/mac68k/conf.c sys.ipf/arch/mac68k/mac68k/conf.c
*** sys/arch/mac68k/mac68k/conf.c Thu Dec 5 13:49:55 2002
--- sys.ipf/arch/mac68k/mac68k/conf.c Thu May 1 15:38:24 2003
***************
*** 108,113 ****
--- 108,119 ----
cdev_decl(xfs_dev);
#endif
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
+
#include "pf.h"
#include "systrace.h"
***************
*** 152,158 ****
cdev_pf_init(NPF,pf), /* 35: packet filter */
cdev_audio_init(NASC,asc), /* 36: ASC audio device */
cdev_ksyms_init(NKSYMS,ksyms), /* 37: Kernel symbols device */
! cdev_notdef(), /* 38 */
cdev_notdef(), /* 39 */
cdev_notdef(), /* 40 */
cdev_notdef(), /* 41 */
--- 158,164 ----
cdev_pf_init(NPF,pf), /* 35: packet filter */
cdev_audio_init(NASC,asc), /* 36: ASC audio device */
cdev_ksyms_init(NKSYMS,ksyms), /* 37: Kernel symbols device */
! cdev_gen_ipf(NIPF,ipl), /* 38: IP filter log */
cdev_notdef(), /* 39 */
cdev_notdef(), /* 40 */
cdev_notdef(), /* 41 */
diff -cr sys/arch/macppc/macppc/conf.c sys.ipf/arch/macppc/macppc/conf.c
*** sys/arch/macppc/macppc/conf.c Thu Dec 5 13:49:55 2002
--- sys.ipf/arch/macppc/macppc/conf.c Thu May 1 15:38:24 2003
***************
*** 105,110 ****
--- 105,116 ----
#include "tun.h"
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
+
#ifdef XFS
#include <xfs/nxfs.h>
cdev_decl(xfs_dev);
***************
*** 191,197 ****
cdev_ss_init(NSS,ss), /* 42: SCSI scanner */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
cdev_audio_init(NAUDIO,audio), /* 44: generic audio I/O */
! cdev_notdef(), /* 45 */
cdev_notdef(), /* 46 */
cdev_crypto_init(NCRYPTO,crypto), /* 47: /dev/crypto */
cdev_notdef(), /* 48 */
--- 197,203 ----
cdev_ss_init(NSS,ss), /* 42: SCSI scanner */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
cdev_audio_init(NAUDIO,audio), /* 44: generic audio I/O */
! cdev_gen_ipf(NIPF,ipl), /* 45: IP filter */
cdev_notdef(), /* 46 */
cdev_crypto_init(NCRYPTO,crypto), /* 47: /dev/crypto */
cdev_notdef(), /* 48 */
diff -cr sys/arch/mvme68k/mvme68k/conf.c sys.ipf/arch/mvme68k/mvme68k/conf.c
*** sys/arch/mvme68k/mvme68k/conf.c Thu Dec 5 13:49:55 2002
--- sys.ipf/arch/mvme68k/mvme68k/conf.c Thu May 1 15:38:24 2003
***************
*** 158,163 ****
--- 158,169 ----
#include "bpfilter.h"
#include "tun.h"
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
+
#include "pf.h"
#include "systrace.h"
***************
*** 212,218 ****
cdev_uk_init(NUK,uk), /* 41: unknown SCSI */
cdev_ss_init(NSS,ss), /* 42: SCSI scanner */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
! cdev_lkm_dummy(), /* 44 */
cdev_lkm_dummy(), /* 45 */
cdev_lkm_dummy(), /* 46 */
cdev_lkm_dummy(), /* 47 */
--- 218,224 ----
cdev_uk_init(NUK,uk), /* 41: unknown SCSI */
cdev_ss_init(NSS,ss), /* 42: SCSI scanner */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
! cdev_gen_ipf(NIPF,ipl), /* 44: IP filter */
cdev_lkm_dummy(), /* 45 */
cdev_lkm_dummy(), /* 46 */
cdev_lkm_dummy(), /* 47 */
diff -cr sys/arch/mvme88k/mvme88k/conf.c sys.ipf/arch/mvme88k/mvme88k/conf.c
*** sys/arch/mvme88k/mvme88k/conf.c Thu Dec 5 13:49:55 2002
--- sys.ipf/arch/mvme88k/mvme88k/conf.c Thu May 1 15:38:25 2003
***************
*** 101,106 ****
--- 101,112 ----
cdev_decl(lptwo);
#endif /* notyet */
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
+
#include "pf.h"
#include "systrace.h"
***************
*** 187,193 ****
cdev_lkm_dummy(), /* 38 */
cdev_pf_init(NPF,pf), /* 39: packet filter */
cdev_random_init(1,random), /* 40: random data source */
! cdev_notdef(), /* 41 */
cdev_notdef(), /* 42 */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
cdev_notdef(), /* 44 */
--- 193,199 ----
cdev_lkm_dummy(), /* 38 */
cdev_pf_init(NPF,pf), /* 39: packet filter */
cdev_random_init(1,random), /* 40: random data source */
! cdev_gen_ipf(NIPF,ipl), /* 41: IP filter */
cdev_notdef(), /* 42 */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
cdev_notdef(), /* 44 */
diff -cr sys/arch/mvmeppc/mvmeppc/conf.c sys.ipf/arch/mvmeppc/mvmeppc/conf.c
*** sys/arch/mvmeppc/mvmeppc/conf.c Thu Dec 5 13:49:55 2002
--- sys.ipf/arch/mvmeppc/mvmeppc/conf.c Thu May 1 15:38:25 2003
***************
*** 114,119 ****
--- 114,125 ----
#include "ksyms.h"
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
+
#include "pf.h"
#include "systrace.h"
***************
*** 167,173 ****
cdev_uk_init(NUK,uk), /* 41: unknown SCSI */
cdev_ss_init(NSS,ss), /* 42: SCSI scanner */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
! cdev_notdef(), /* 44 */
cdev_notdef(), /* 45 */
cdev_notdef(), /* 46 */
cdev_notdef(), /* 47 */
--- 173,179 ----
cdev_uk_init(NUK,uk), /* 41: unknown SCSI */
cdev_ss_init(NSS,ss), /* 42: SCSI scanner */
cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */
! cdev_gen_ipf(NIPF,ipl), /* 44: IP filter */
cdev_notdef(), /* 45 */
cdev_notdef(), /* 46 */
cdev_notdef(), /* 47 */
diff -cr sys/arch/sparc/sparc/conf.c sys.ipf/arch/sparc/sparc/conf.c
*** sys/arch/sparc/sparc/conf.c Thu Dec 5 13:49:55 2002
--- sys.ipf/arch/sparc/sparc/conf.c Thu May 1 15:38:25 2003
***************
*** 126,131 ****
--- 126,137 ----
};
int nblkdev = sizeof(bdevsw) / sizeof(bdevsw[0]);
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
+
#include "pf.h"
#include "systrace.h"
***************
*** 196,202 ****
cdev_notdef(), /* 57 */
cdev_disk_init(NCD,cd), /* 58: SCSI CD-ROM */
cdev_pf_init(NPF,pf), /* 59: packet filter */
! cdev_notdef(), /* 60 */
cdev_notdef(), /* 61 */
cdev_notdef(), /* 62 */
cdev_notdef(), /* 63 */
--- 202,208 ----
cdev_notdef(), /* 57 */
cdev_disk_init(NCD,cd), /* 58: SCSI CD-ROM */
cdev_pf_init(NPF,pf), /* 59: packet filter */
! cdev_gen_ipf(NIPF,ipl), /* 60: ip filtering log */
cdev_notdef(), /* 61 */
cdev_notdef(), /* 62 */
cdev_notdef(), /* 63 */
diff -cr sys/arch/sparc64/sparc64/conf.c sys.ipf/arch/sparc64/sparc64/conf.c
*** sys/arch/sparc64/sparc64/conf.c Thu Dec 5 13:49:55 2002
--- sys.ipf/arch/sparc64/sparc64/conf.c Thu May 1 15:38:25 2003
***************
*** 114,119 ****
--- 114,125 ----
#include "ucom.h"
#include "uscanner.h"
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
+
#include "pf.h"
#ifdef XFS
***************
*** 250,256 ****
cdev_mouse_init(NWSKBD, wskbd), /* 79: keyboards */
cdev_mouse_init(NWSMOUSE, wsmouse), /* 80: mice */
cdev_mouse_init(NWSMUX, wsmux), /* 81: ws multiplexor */
! cdev_notdef(), /* 82 */
cdev_notdef(), /* 83 */
cdev_notdef(), /* 84 */
cdev_notdef(), /* 85 */
--- 256,262 ----
cdev_mouse_init(NWSKBD, wskbd), /* 79: keyboards */
cdev_mouse_init(NWSMOUSE, wsmouse), /* 80: mice */
cdev_mouse_init(NWSMUX, wsmux), /* 81: ws multiplexor */
! cdev_gen_ipf(NIPF,ipl), /* 82: IP filter */
cdev_notdef(), /* 83 */
cdev_notdef(), /* 84 */
cdev_notdef(), /* 85 */
diff -cr sys/arch/vax/vax/conf.c sys.ipf/arch/vax/vax/conf.c
*** sys/arch/vax/vax/conf.c Thu Dec 5 13:49:55 2002
--- sys.ipf/arch/vax/vax/conf.c Thu May 1 15:38:28 2003
***************
*** 357,362 ****
--- 357,368 ----
#include "wskbd.h"
#include "wsmouse.h"
+ #ifdef IPFILTER
+ #define NIPF 1
+ #else
+ #define NIPF 0
+ #endif
+
#include "pf.h"
#include "systrace.h"
***************
*** 410,416 ****
cdev_notdef(), /* 44 was Datakit */
cdev_notdef(), /* 45 was Datakit */
cdev_notdef(), /* 46 was Datakit */
! cdev_notdef(), /* 47 */
cdev_notdef(), /* 48 */
cdev_systrace_init(NSYSTRACE,systrace), /* 49: system call tracing */
cdev_ksyms_init(NKSYMS,ksyms), /* 50: Kernel symbols device */
--- 416,422 ----
cdev_notdef(), /* 44 was Datakit */
cdev_notdef(), /* 45 was Datakit */
cdev_notdef(), /* 46 was Datakit */
! cdev_gen_ipf(NIPF,ipl), /* 47: IP filter */
cdev_notdef(), /* 48 */
cdev_systrace_init(NSYSTRACE,systrace), /* 49: system call tracing */
cdev_ksyms_init(NKSYMS,ksyms), /* 50: Kernel symbols device */
diff -cr sys/conf/GENERIC sys.ipf/conf/GENERIC
*** sys/conf/GENERIC Sat Mar 1 10:44:46 2003
--- sys.ipf/conf/GENERIC Thu May 1 15:38:28 2003
***************
*** 72,77 ****
--- 72,79 ----
#option EON # OSI tunneling over IP
#option NETATALK # AppleTalk
#option CCITT,LLC,HDLC # X.25
+ option IPFILTER # IP packet filter for security
+ option IPFILTER_LOG # use /dev/ipl to log IPF
option PPP_BSDCOMP # PPP BSD compression
option PPP_DEFLATE
#option MROUTING # Multicast router
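Review bot: `option IPFILTER` and `option IPFILTER_LOG` are enabled unconditionally in GENERIC, which puts a second packet filter with its own NAT and state tables into every default kernel next to pf, and nothing in the diff as shown updates etc/MAKEDEV for the new `ipl` majors, which differ per arch (44 on alpha, 37 on hp300, 81 on i386, 82 on sparc64, ...). Either ship the MAKEDEV change alongside this (it may be in a part of the patch not shown) or leave these as `#option` like the neighbouring lines until the device node and its permissions exist. With both filters active the order in which they see a packet is fixed by the code (ipf before pf on output, pf before ipf on input, per the ip_output.c/ip_input.c and if_bridge.c hunks) and deserves a mention in the option comment, e.g. `option IPFILTER # IP packet filter (runs before pf on output, after pf on input)`.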
diff -cr sys/conf/files sys.ipf/conf/files
*** sys/conf/files Thu Feb 27 07:25:49 2003
--- sys.ipf/conf/files Thu May 1 15:38:28 2003
***************
*** 678,683 ****
--- 678,691 ----
file netinet/tcp_usrreq.c inet
file netinet/udp_usrreq.c inet
file netinet/ip_gre.c inet
+ file netinet/ip_fil.c ipfilter
+ file netinet/fil.c ipfilter
+ file netinet/ip_nat.c ipfilter
+ file netinet/ip_frag.c ipfilter
+ file netinet/ip_state.c ipfilter
+ file netinet/ip_proxy.c ipfilter
+ file netinet/ip_auth.c ipfilter
+ file netinet/ip_log.c ipfilter
file netinet/ip_ipsp.c (inet | inet6) & (ipsec | tcp_signature)
file netinet/ip_spd.c (inet | inet6) & (ipsec | tcp_signature)
file netinet/ip_ipip.c inet | inet6
diff -cr sys/net/bridgestp.c sys.ipf/net/bridgestp.c
*** sys/net/bridgestp.c Wed Dec 11 00:22:55 2002
--- sys.ipf/net/bridgestp.c Thu May 1 15:38:29 2003
***************
*** 63,68 ****
--- 63,73 ----
#include <netinet/in_var.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
+
+ #ifdef IPFILTER
+ #include <netinet/ip_compat.h>
+ #include <netinet/ip_fil.h>
+ #endif
#endif
#if NBPFILTER > 0
diff -cr sys/net/if.c sys.ipf/net/if.c
*** sys/net/if.c Wed Sep 11 15:38:47 2002
--- sys.ipf/net/if.c Thu May 1 15:38:29 2003
***************
*** 101,106 ****
--- 101,112 ----
#include <netinet6/nd6.h>
#endif
+ #ifdef IPFILTER
+ #include <netinet/ip_compat.h>
+ #include <netinet/ip_fil.h>
+ #include <netinet/ip_nat.h>
+ #endif
+
#if NBPFILTER > 0
#include <net/bpf.h>
#endif
***************
*** 468,473 ****
--- 474,484 ----
/* Remove the interface from the list of all interfaces. */
TAILQ_REMOVE(&ifnet, ifp, if_list);
+
+ #ifdef IPFILTER
+ /* XXX More ipf & ipnat cleanup needed. */
+ frsync(ifp);
+ #endif
/*
* Deallocate private resources.
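Review bot: `frsync(ifp)` is called only under `#ifdef IPFILTER`, so a kernel using IPFILTER_LKM, which the other hunks explicitly support, never tells the filter that this `ifp` is going away, and any `struct ifnet *` cached in ipf rules, NAT or state entries would keep pointing at memory freed just after this hunk. The `XXX More ipf & ipnat cleanup needed` comment already admits the static case is incomplete. At minimum route this through a function pointer the module can set, in the style of `fr_checkp`, under the same `defined(IPFILTER) || defined(IPFILTER_LKM)` guard, and say in the comment what state `frsync` does and does not clear. The body of the detach function continues outside this hunk.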
diff -cr sys/net/if_bridge.c sys.ipf/net/if_bridge.c
*** sys/net/if_bridge.c 11 Mar 2003 16:06:25 -0000
--- sys.ipf/net/if_bridge.c 18 Jun 2003 13:01:48 -0000
***************
*** 71,76 ****
--- 71,80 ----
#include <netinet/ip_ipsp.h>
#include <net/if_enc.h>
+ #if (defined(IPFILTER) || defined(IPFILTER_LKM))
+ #include <netinet/ip_compat.h>
+ #include <netinet/ip_fil.h>
+ #endif
#endif
#ifdef INET6
***************
*** 159,165 ****
int bridge_flushrule(struct bridge_iflist *);
int bridge_brlconf(struct bridge_softc *, struct ifbrlconf *);
u_int8_t bridge_filterrule(struct brl_head *, struct ether_header *);
! #if NPF > 0
struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *,
struct ether_header *, struct mbuf *m);
#endif
--- 163,169 ----
int bridge_flushrule(struct bridge_iflist *);
int bridge_brlconf(struct bridge_softc *, struct ifbrlconf *);
u_int8_t bridge_filterrule(struct brl_head *, struct ether_header *);
! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))
struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *,
struct ether_header *, struct mbuf *m);
#endif
***************
*** 1175,1181 ****
m_freem(m);
return;
}
! #if NPF > 0
m = bridge_filter(sc, BRIDGE_IN, src_if, &eh, m);
if (m == NULL)
return;
--- 1179,1185 ----
m_freem(m);
return;
}
! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))
m = bridge_filter(sc, BRIDGE_IN, src_if, &eh, m);
if (m == NULL)
return;
***************
*** 1218,1224 ****
m_freem(m);
return;
}
! #if NPF > 0
m = bridge_filter(sc, BRIDGE_OUT, dst_if, &eh, m);
if (m == NULL)
return;
--- 1222,1228 ----
m_freem(m);
return;
}
! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))
m = bridge_filter(sc, BRIDGE_OUT, dst_if, &eh, m);
if (m == NULL)
return;
***************
*** 1472,1478 ****
mc = m1;
}
! #if NPF > 0
mc = bridge_filter(sc, BRIDGE_OUT, dst_if, eh, mc);
if (mc == NULL)
continue;
--- 1476,1482 ----
mc = m1;
}
! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))
mc = bridge_filter(sc, BRIDGE_OUT, dst_if, eh, mc);
if (mc == NULL)
continue;
***************
*** 2260,2265 ****
--- 2264,2275 ----
* We don't need to do loop detection, the
* bridge will do that for us.
*/
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_OUT && fr_checkp &&
+ ((*fr_checkp)(ip, hlen, &encif[0].sc_if,
+ 1, &m) || !m))
+ return 1;
+ #endif
#if NPF > 0
switch (af) {
#ifdef INET
***************
*** 2284,2289 ****
--- 2294,2305 ----
if (m == NULL)
return (1);
#endif /* NPF */
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_IN && fr_checkp &&
+ ((*fr_checkp)(ip, hlen, &encif[0].sc_if,
+ 0, &m) || !m))
+ return 1;
+ #endif
#ifdef INET
if (af == AF_INET) {
ip = mtod(m, struct ip *);
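Review bot: The new BRIDGE_IN call `(*fr_checkp)(ip, hlen, &encif[0].sc_if, 0, &m)` runs after the pf block, but `ip` was computed before `pf_test(dir, ..., &m)`, which takes `&m` precisely because it may replace the mbuf chain; on that path ipf is handed a pointer into a stale or freed mbuf, and the reload `ip = mtod(m, struct ip *)` only happens on the line after. Reload before calling ipf: `ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2;` at the top of the new block, after ensuring `hlen` bytes are contiguous. The enclosing function starts and ends outside this hunk, so where `ip` is first set is inferred from the visible reload.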
***************
*** 2302,2308 ****
}
#endif /* IPSEC */
! #if NPF > 0
/*
* Filter IP packets by peeking into the ethernet frame. This violates
* the ISO model, but allows us to act as a IP filter at the data link
--- 2318,2324 ----
}
#endif /* IPSEC */
! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))
/*
* Filter IP packets by peeking into the ethernet frame. This violates
* the ISO model, but allows us to act as a IP filter at the data link
***************
*** 2412,2425 ****
return (NULL);
#endif /* IPSEC */
! #if NPF > 0
/* Finally, we get to filter the packet! */
m->m_pkthdr.rcvif = ifp;
if (pf_test(dir, ifp, &m) != PF_PASS)
goto dropit;
if (m == NULL)
goto dropit;
#endif /* NPF */
/* Rebuild the IP header */
if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL))
--- 2428,2459 ----
return (NULL);
#endif /* IPSEC */
! #if defined(IPFILTER) || defined(IPFILTER_LKM) || (NPF > 0)
/* Finally, we get to filter the packet! */
m->m_pkthdr.rcvif = ifp;
+ #endif
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_OUT) {
+ if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m))
+ goto dropit;
+ if (m == NULL)
+ goto dropit;
+ }
+ #endif
+ #if NPF > 0
if (pf_test(dir, ifp, &m) != PF_PASS)
goto dropit;
if (m == NULL)
goto dropit;
#endif /* NPF */
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_IN) {
+ if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 0, &m))
+ goto dropit;
+ if (m == NULL)
+ goto dropit;
+ }
+ #endif
/* Rebuild the IP header */
if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL))
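Review bot: In the new `dir == BRIDGE_IN` block, `(*fr_checkp)(ip, hlen, ifp, 0, &m)` is given the `ip` pointer computed before `pf_test(dir, ifp, &m)`, and pf_test can replace the chain (that is why it takes `&m`), so if pf reassembled or normalised the packet this would be a use-after-free on the old first mbuf. The BRIDGE_OUT block runs before pf and is fine; the IN block needs `ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2;` before the call, after an `m_pullup` to `hlen`. The `Rebuild the IP header` pullup right after the hunk shows the original author expected `m` to change here, so the reload belongs before ipf, not after it.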
***************
*** 2463,2474 ****
--- 2497,2524 ----
return (NULL);
#endif /* IPSEC */
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_OUT) {
+ if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m))
+ goto dropit;
+ if (m == NULL)
+ return (NULL);
+ }
+ #endif
#if NPF > 0
if (pf_test6(dir, ifp, &m) != PF_PASS)
goto dropit;
if (m == NULL)
return (NULL);
#endif /* NPF */
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (dir == BRIDGE_IN) {
+ if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 0, &m))
+ goto dropit;
+ if (m == NULL)
+ return (NULL);
+ }
+ #endif
break;
}
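Review bot: The IPv6 branch passes `ip` and `hlen` to `fr_checkp`, while the IPv6 hooks this same diff adds to ip6_input.c and ip6_output.c pass `(struct ip *)ip6, sizeof(*ip6)`; if `ip` and `hlen` here are the IPv4 locals of the function they are not set on the IPv6 path at all, and ipf would receive an uninitialised or dangling header pointer. Use the same form as the other IPv6 hooks, `(*fr_checkp)((struct ip *)mtod(m, struct ip6_hdr *), sizeof(struct ip6_hdr), ifp, 1, &m)`, re-reading the header after `pf_test6` for the IN case for the same reason as in the IPv4 path. The function's declarations are outside this hunk, so the identity of `ip` here is inferred.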
***************
*** 2500,2506 ****
m_freem(m);
return (NULL);
}
! #endif /* NPF > 0 */
void
bridge_fragment(sc, ifp, eh, m)
--- 2550,2556 ----
m_freem(m);
return (NULL);
}
! #endif /* (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) */
void
bridge_fragment(sc, ifp, eh, m)
diff -cr sys/netinet/in_proto.c sys.ipf/netinet/in_proto.c
*** sys/netinet/in_proto.c Mon Jun 10 02:26:10 2002
--- sys.ipf/netinet/in_proto.c Thu May 1 15:38:29 2003
***************
*** 163,168 ****
--- 163,173 ----
#include <netinet/ip_mroute.h>
#endif /* MROUTING */
+ #ifdef IPFILTER
+ void iplinit __P((void));
+ #define ip_init iplinit
+ #endif
+
#ifdef INET6
#include <netinet6/ip6_var.h>
#endif /* INET6 */
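Review bot: `#define ip_init iplinit` renames every later textual use of `ip_init` in this translation unit so that the inetsw `pr_init` slot ends up pointing at ipf's initialiser, which is fragile: it depends on the `ip_init` prototype having already been seen, silently renames any other reference that follows, and only covers the static `IPFILTER` build, not `IPFILTER_LKM`. A clearer approach is to leave the protosw alone and call `iplinit()` explicitly from the IP initialisation path with a comment stating that ipf must be initialised after IP. Failing that, add `/* hook ipf init into the inetsw pr_init slot; iplinit() must itself call ip_init() */` so a reader knows why the macro exists and what it relies on.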
diff -cr sys/netinet/ip_input.c sys.ipf/netinet/ip_input.c
*** sys/netinet/ip_input.c Thu Feb 13 01:41:07 2003
--- sys.ipf/netinet/ip_input.c Thu May 1 15:42:00 2003
***************
*** 151,156 ****
--- 151,160 ----
struct in_ifaddrhead in_ifaddr;
struct ifqueue ipintrq;
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
+
int ipq_locked;
static __inline int ipq_lock_try(void);
static __inline void ipq_unlock(void);
***************
*** 404,409 ****
--- 408,430 ----
ip = mtod(m, struct ip *);
hlen = ip->ip_hl << 2;
pfrdr = (pfrdr != ip->ip_dst.s_addr);
+ #endif
+
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * Check if we want to allow this packet to be processed.
+ * Consider it to be bad if not.
+ */
+ {
+ struct mbuf *m0 = m;
+ if (fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0)) {
+ return;
+ }
+ if (m0 == 0) { /* in case of 'fastroute' */
+ return;
+ }
+ ip = mtod(m = m0, struct ip *);
+ }
#endif
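Review bot: After the ipf call the code reloads `ip = mtod(m = m0, struct ip *)` but keeps the old `hlen`, whereas the matching output hook in ip_output.c recomputes `hlen = ip->ip_hl << 2` after `fr_checkp`; if ipf returns a chain whose first mbuf was replaced or pulled up, the option processing that follows runs with a stale header length. Make the two hooks consistent: `ip = mtod(m = m0, struct ip *); hlen = ip->ip_hl << 2;`. The bare `return;` on a non-zero result also bypasses the function's usual drop exit and so relies on ipf having freed the mbuf; state that in the comment, e.g. `/* ipf frees the mbuf when it rejects the packet */`, so nobody adds an m_freem here later.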
/*
diff -cr sys/netinet/ip_output.c sys.ipf/netinet/ip_output.c
*** sys/netinet/ip_output.c Sat Mar 15 06:08:02 2003
--- sys.ipf/netinet/ip_output.c Thu May 1 15:38:30 2003
***************
*** 86,91 ****
--- 86,95 ----
static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
static void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *);
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
+
/*
* IP output. The packet in mbuf chain m contains a skeletal IP
* header (with len, off, ttl, proto, tos, src, dst).
***************
*** 559,564 ****
--- 563,592 ----
if (sproto != 0) {
s = splnet();
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (fr_checkp) {
+ /*
+ * Ok, it's time for a simple round-trip to the IPF/NAT
+ * code with the enc0 interface.
+ */
+ struct mbuf *m1 = m;
+ void *ifp = (void *)&encif[0].sc_if;
+
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) {
+ error = EHOSTUNREACH;
+ splx(s);
+ goto done;
+ }
+ if (m1 == 0) { /* in case of 'fastroute' */
+ error = 0;
+ splx(s);
+ goto done;
+ }
+ ip = mtod(m = m1, struct ip *);
+ hlen = ip->ip_hl << 2;
+ }
+ #endif /* IPFILTER */
+
/*
* Packet filter
*/
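Review bot: The new block declares `void *ifp = (void *)&encif[0].sc_if;`, which shadows ip_output's own `struct ifnet *ifp` for the length of the block and discards the type only to pass it to a parameter declared `struct ifnet *`; write `struct ifnet *encifp = &encif[0].sc_if;` or pass `&encif[0].sc_if` directly as the if_bridge.c hunk does. The packet is deliberately filtered twice on output (here against enc0 before IPsec, again against the real interface in the later hunk), which the comment should say explicitly: `/* first pass: filter/NAT against enc0 before IPsec encapsulation; filtered again on the egress ifp below */`. The `error = EHOSTUNREACH; goto done` path assumes ipf freed the mbuf on a non-zero return; note that too.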
***************
*** 661,666 ****
--- 689,713 ----
m->m_pkthdr.csum &= ~M_UDPV4_CSUM_OUT; /* Clear */
}
}
+
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * looks like most checking has been done now...do a filter check
+ */
+ {
+ struct mbuf *m1 = m;
+
+ if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m1)) {
+ error = EHOSTUNREACH;
+ goto done;
+ }
+ if (m1 == 0) { /* in case of 'fastroute' */
+ error = 0;
+ goto done;
+ }
+ ip = mtod(m = m1, struct ip *);
+ }
+ #endif
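Review bot: This second hook reloads `ip` but not `hlen` after `fr_checkp`, unlike the first ipf hook earlier in this function, which does `hlen = ip->ip_hl << 2;`; the fragmentation code further down (outside the hunk) works from `hlen`, so a replaced chain would have its fragments cut using the old value. Add `hlen = ip->ip_hl << 2;` after the reload so both hooks behave the same. A one-line comment that a filter drop is deliberately reported to the sender as `EHOSTUNREACH`, matching the first hook, would also help, since that error is otherwise a routing failure.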
/*
* Packet filter
diff -cr sys/netinet6/ip6_input.c sys.ipf/netinet6/ip6_input.c
*** sys/netinet6/ip6_input.c Tue Jan 7 20:00:34 2003
--- sys.ipf/netinet6/ip6_input.c Thu May 1 15:38:30 2003
***************
*** 134,139 ****
--- 134,143 ----
static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
#endif
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
+
/*
* IP6 initialization: fill in IP6 protocol switch table.
* All protocols not implemented in kernel go to raw IP6 protocol handler.
***************
*** 251,256 ****
--- 255,280 ----
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
goto bad;
}
+
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * Check if we want to allow this packet to be processed.
+ * Consider it to be bad if not.
+ */
+ if (fr_checkp != NULL) {
+ struct mbuf *m0 = m;
+
+ if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6),
+ m->m_pkthdr.rcvif, 0, &m0)) {
+ return;
+ }
+ m = m0;
+ if (m == 0) { /* in case of 'fastroute' */
+ return;
+ }
+ ip6 = mtod(m, struct ip6_hdr *);
+ }
+ #endif
#if NPF > 0
/*
diff -cr sys/netinet6/ip6_output.c sys.ipf/netinet6/ip6_output.c
*** sys/netinet6/ip6_output.c Fri Nov 1 05:02:27 2002
--- sys.ipf/netinet6/ip6_output.c Thu May 1 15:38:30 2003
***************
*** 120,132 ****
static int ip6_pcbopts(struct ip6_pktopts **, struct mbuf *, struct socket *);
static int ip6_setmoptions(int, struct ip6_moptions **, struct mbuf *);
static int ip6_getmoptions(int, struct ip6_moptions *, struct mbuf **);
static int ip6_copyexthdr(struct mbuf **, caddr_t, int);
static int ip6_insertfraghdr(struct mbuf *, struct mbuf *, int,
struct ip6_frag **);
static int ip6_insert_jumboopt(struct ip6_exthdrs *, u_int32_t);
static int ip6_splithdr(struct mbuf *, struct ip6_exthdrs *);
! static int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
struct ifnet *, struct in6_addr *, u_long *);
/*
--- 120,135 ----
static int ip6_pcbopts(struct ip6_pktopts **, struct mbuf *, struct socket *);
static int ip6_setmoptions(int, struct ip6_moptions **, struct mbuf *);
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
static int ip6_getmoptions(int, struct ip6_moptions *, struct mbuf **);
static int ip6_copyexthdr(struct mbuf **, caddr_t, int);
static int ip6_insertfraghdr(struct mbuf *, struct mbuf *, int,
struct ip6_frag **);
static int ip6_insert_jumboopt(struct ip6_exthdrs *, u_int32_t);
static int ip6_splithdr(struct mbuf *, struct ip6_exthdrs *);
! int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
struct ifnet *, struct in6_addr *, u_long *);
/*
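Review bot: The `fr_checkp` extern is dropped between `ip6_setmoptions` and `ip6_getmoptions`, splitting the file's run of static prototypes, and the same hunk removes `static` from `ip6_getpmtu` with no ipf-related caller in sight. Move the extern after the prototype list, where ip_output.c and ip6_input.c put theirs, and if ipf's IPv6 code needs `ip6_getpmtu`, give it a prototype in a header rather than exporting the symbol silently; at least a comment such as `/* exported for ipf's IPv6 path-MTU lookup */` would state the intent, if that is the reason.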
***************
*** 796,801 ****
--- 799,823 ----
goto done;
ip6 = mtod(m, struct ip6_hdr *);
#endif
+
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * looks like most checking has been done now...do a filter check
+ */
+ if (fr_checkp != NULL) {
+ struct mbuf *m1 = m;
+ if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6), ifp, 1, &m1)) {
+ error = EHOSTUNREACH;
+ goto done;
+ }
+ m = m1;
+ if (m1 == 0) { /* in case of 'fastroute' */
+ error = 0;
+ goto done;
+ }
+ ip6 = mtod(m, struct ip6_hdr *);
+ }
+ #endif
/*
* Send the packet to the outgoing interface.
***************
*** 1120,1126 ****
return (0);
}
! static int
ip6_getpmtu(ro_pmtu, ro, ifp, dst, mtup)
struct route_in6 *ro_pmtu, *ro;
struct ifnet *ifp;
--- 1142,1148 ----
return (0);
}
! int
ip6_getpmtu(ro_pmtu, ro, ifp, dst, mtup)
struct route_in6 *ro_pmtu, *ro;
struct ifnet *ifp;
diff -cr sys/sys/conf.h sys.ipf/sys/conf.h
*** sys/sys/conf.h Sat Nov 9 06:00:37 2002
--- sys.ipf/sys/conf.h Thu May 1 15:38:30 2003
***************
*** 362,367 ****
--- 362,374 ----
(dev_type_ioctl((*))) enodev, (dev_type_stop((*))) nullop, \
0, (dev_type_select((*))) enodev, (dev_type_mmap((*))) enodev }
+ /* open, close, read, ioctl */
+ #define cdev_gen_ipf(c, n) { \
+ dev_init(c,n,open), dev_init(c,n,close), dev_init(c,n,read), \
+ (dev_type_write((*))) enodev, dev_init(c,n,ioctl), \
+ (dev_type_stop((*))) enodev, 0, (dev_type_select((*))) enodev, \
+ (dev_type_mmap((*))) enodev }
+
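Review bot: `cdev_gen_ipf` initialises nine fields and leaves the rest of the `cdevsw` entry zero, so `d_kqfilter` (and `d_type`/`d_flags` if this tree has them) is a null function pointer for `/dev/ipl`; the macro just above does the same, but `cdev_xfs_init` two lines below names `nokqfilter` explicitly, so confirm that `spec_kqfilter` tolerates a null `d_kqfilter` here. If it does not, any process that can open the node could trigger a kernel NULL dereference with `kevent(2)`; filling the slot with the same `nokqfilter` entry the xfs macro uses removes the question. Also make the comment say what the device is: `/* open, close, read, ioctl -- /dev/ipl: IP filter control and log */`.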
/* open, close, read, write, ioctl, select, nokqfilter */
#define cdev_xfs_init(c, n) { \
dev_init(c,n,open), dev_init(c,n,close), dev_init(c,n,read), \
***************
*** 571,576 ****
--- 578,584 ----
cdev_decl(bpf);
+ cdev_decl(ipl);
cdev_decl(pf);
cdev_decl(tun);