1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-04 09:09:56 +00:00

activate pfil_hooks and covert ipfilter to use it

This commit is contained in:
Darren Reed 2000-07-31 13:11:42 +00:00
parent 8acc38283a
commit c4ac87ea1c
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=64060
8 changed files with 137 additions and 26 deletions

View File

@ -190,7 +190,8 @@ struct devsw iplsw = {
};
#endif /* _BSDI_VERSION >= 199510 && _KERNEL */
#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
#if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_Version >= 50011)
# include <sys/conf.h>
# if defined(NETBSD_PF)
# include <net/pfil.h>
@ -231,7 +232,8 @@ int iplattach()
{
char *defpass;
int s;
# if defined(__sgi) || (defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000))
# if defined(__sgi) || (defined(NETBSD_PF) && \
((__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011)))
int error = 0;
# endif
@ -253,7 +255,7 @@ int iplattach()
return -1;
# ifdef NETBSD_PF
# if __NetBSD_Version__ >= 104200000
# if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011)
error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
&inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
if (error) {
@ -338,7 +340,8 @@ int iplattach()
int ipldetach()
{
int s, i = FR_INQUE|FR_OUTQUE;
#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
#if defined(NETBSD_PF) && \
((__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011))
int error = 0;
#endif
@ -372,7 +375,7 @@ int ipldetach()
fr_running = 0;
# ifdef NETBSD_PF
# if __NetBSD_Version__ >= 104200000
# if ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011))
error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
&inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
if (error)

View File

@ -468,7 +468,8 @@ typedef struct ipflog {
* with this!
*/
#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
(defined(NetBSD1_2) && NetBSD1_2 > 1)
(defined(NetBSD1_2) && NetBSD1_2 > 1) || (defined(__FreeBSD_version) && \
(__FreeBSD_version >= 500011))
# if (NetBSD >= 199905)
# define PFIL_HOOKS
# endif

View File

@ -43,12 +43,14 @@
#include "opt_ipfilter.h"
#include "opt_ipstealth.h"
#include "opt_ipsec.h"
#include "opt_pfil_hooks.h"
#include <stddef.h>
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/pfil.h>
#include <sys/malloc.h>
#include <sys/domain.h>
#include <sys/protosw.h>
@ -175,8 +177,6 @@ int fw_enable = 1 ;
ip_dn_ctl_t *ip_dn_ctl_ptr;
#endif
int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
/*
* We need to save the IP options in case a protocol wants to respond
@ -261,6 +261,11 @@ ip_input(struct mbuf *m)
u_int32_t divert_info = 0; /* packet divert/tee info */
#endif
struct ip_fw_chain *rule = NULL;
#ifdef PFIL_HOOKS
struct packet_filter_hook *pfh;
struct mbuf *m0;
int rv;
#endif /* PFIL_HOOKS */
#ifdef IPDIVERT
/* Get and reset firewall cookie */
@ -377,17 +382,30 @@ ip_input(struct mbuf *m)
#if defined(IPFIREWALL) && defined(DUMMYNET)
iphack:
#endif
/*
* Check if we want to allow this packet to be processed.
* Consider it to be bad if not.
*/
if (fr_checkp) {
struct mbuf *m1 = m;
if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
return;
ip = mtod(m = m1, struct ip *);
}
#ifdef PFIL_HOOKS
/*
* Run through list of hooks for input packets. If there are any
* filters which require that additional packets in the flow are
* not fast-forwarded, they must clear the M_CANFASTFWD flag.
* Note that filters must _never_ set this flag, as another filter
* in the list may have previously cleared it.
*/
m0 = m;
pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
for (; pfh; pfh = pfh->pfil_link.tqe_next)
if (pfh->pfil_func) {
rv = pfh->pfil_func(ip, hlen,
m->m_pkthdr.rcvif, 0, &m0);
if (rv)
return;
m = m0;
if (m == NULL)
return;
ip = mtod(m, struct ip *);
}
#endif /* PFIL_HOOKS */
if (fw_enable && ip_fw_chk_ptr) {
#ifdef IPFIREWALL_FORWARD
/*

View File

@ -41,6 +41,7 @@
#include "opt_ipdivert.h"
#include "opt_ipfilter.h"
#include "opt_ipsec.h"
#include "opt_pfil_hooks.h"
#include <sys/param.h>
#include <sys/systm.h>
@ -106,7 +107,6 @@ static int ip_setmoptions
__P((struct sockopt *, struct ip_moptions **));
int ip_optcopy __P((struct ip *, struct ip *));
extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
extern struct protosw inetsw[];
@ -139,6 +139,11 @@ ip_output(m0, opt, ro, flags, imo)
struct secpolicy *sp = NULL;
#endif
u_int16_t divert_cookie; /* firewall cookie */
#ifdef PFIL_HOOKS
struct packet_filter_hook *pfh;
struct mbuf *m1;
int rv;
#endif /* PFIL_HOOKS */
#ifdef IPFIREWALL_FORWARD
int fwd_rewrite_src = 0;
#endif
@ -431,13 +436,25 @@ ip_output(m0, opt, ro, flags, imo)
* - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.>
*/
if (fr_checkp) {
struct mbuf *m1 = m;
if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
goto done;
ip = mtod(m = m1, struct ip *);
}
#ifdef PFIL_HOOKS
/*
* Run through list of hooks for output packets.
*/
m1 = m;
pfh = pfil_hook_get(PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
for (; pfh; pfh = pfh->pfil_link.tqe_next)
if (pfh->pfil_func) {
rv = pfh->pfil_func(ip, hlen, ifp, 1, &m1);
if (rv) {
error = EHOSTUNREACH;
goto done;
}
m = m1;
if (m == NULL)
goto done;
ip = mtod(m, struct ip *);
}
#endif /* PFIL_HOOKS */
/*
* Check with the firewall...

View File

@ -66,6 +66,11 @@
#ifndef _NETINET_IPPROTOSW_H_
#define _NETINET_IPPROTOSW_H_
/*
* For pfil_head structure.
*/
#include <net/pfil.h>
/* Forward declare these structures referenced from prototypes below. */
struct mbuf;
struct proc;
@ -98,6 +103,7 @@ struct ipprotosw {
void (*pr_drain) __P((void));
/* flush any excess space possible */
struct pr_usrreqs *pr_usrreqs; /* supersedes pr_usrreq() */
struct pfil_head pr_pfh;
};
#endif /* !_NETINET_IPPROTOSW_H_ */

View File

@ -69,6 +69,7 @@
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
#include "opt_pfil_hooks.h"
#include <sys/param.h>
#include <sys/systm.h>
@ -89,6 +90,9 @@
#include <net/route.h>
#include <net/netisr.h>
#include <net/intrq.h>
#ifdef PFIL_HOOKS
#include <net/pfil.h>
#endif
#include <netinet/in.h>
#include <netinet/in_systm.h>
@ -233,6 +237,11 @@ ip6_input(m)
u_int32_t rtalert = ~0;
int nxt, ours = 0;
struct ifnet *deliverifp = NULL;
#ifdef PFIL_HOOKS
struct packet_filter_hook *pfh;
struct mbuf *m0;
int rv;
#endif /* PFIL_HOOKS */
#ifdef IPSEC
/*
@ -291,6 +300,29 @@ ip6_input(m)
goto bad;
}
#ifdef PFIL_HOOKS
/*
* Run through list of hooks for input packets. If there are any
* filters which require that additional packets in the flow are
* not fast-forwarded, they must clear the M_CANFASTFWD flag.
* Note that filters must _never_ set this flag, as another filter
* in the list may have previously cleared it.
*/
m0 = m;
pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
for (; pfh; pfh = pfh->pfil_link.tqe_next)
if (pfh->pfil_func) {
rv = pfh->pfil_func(ip6, sizeof(*ip6),
m->m_pkthdr.rcvif, 0, &m0);
if (rv)
return;
m = m0;
if (m == NULL)
return;
ip6 = mtod(m, struct ip6_hdr *);
}
#endif /* PFIL_HOOKS */
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
#ifdef IPV6FIREWALL

View File

@ -69,6 +69,7 @@
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
#include "opt_pfil_hooks.h"
#include <sys/param.h>
#include <sys/malloc.h>
@ -83,6 +84,9 @@
#include <net/if.h>
#include <net/route.h>
#ifdef PFIL_HOOKS
#include <net/pfil.h>
#endif
#include <netinet/in.h>
#include <netinet/in_var.h>
@ -157,6 +161,11 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp)
struct route_in6 *ro_pmtu = NULL;
int hdrsplit = 0;
int needipsec = 0;
#ifdef PFIL_HOOKS
struct packet_filter_hook *pfh;
struct mbuf *m1;
int rv;
#endif /* PFIL_HOOKS */
#ifdef IPSEC
int needipsectun = 0;
struct socket *so;
@ -840,6 +849,25 @@ skip_ipsec2:;
m->m_pkthdr.rcvif = NULL;
}
#ifdef PFIL_HOOKS
/*
* Run through list of hooks for output packets.
*/
m1 = m;
pfh = pfil_hook_get(PFIL_OUT, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
for (; pfh; pfh = pfh->pfil_link.tqe_next)
if (pfh->pfil_func) {
rv = pfh->pfil_func(ip6, sizeof(*ip6), ifp, 1, &m1);
if (rv) {
error = EHOSTUNREACH;
goto done;
}
m = m1;
if (m == NULL)
goto done;
ip6 = mtod(m, struct ip6_hdr *);
}
#endif /* PFIL_HOOKS */
/*
* Send the packet to the outgoing interface.
* If necessary, do IPv6 fragmentation before sending.

View File

@ -37,6 +37,11 @@
#ifndef _SYS_PROTOSW_H_
#define _SYS_PROTOSW_H_
/*
* For pfil_head structure.
*/
#include <net/pfil.h>
/* Forward declare these structures referenced from prototypes below. */
struct mbuf;
struct proc;
@ -92,6 +97,7 @@ struct protosw {
void (*pr_drain) __P((void));
/* flush any excess space possible */
struct pr_usrreqs *pr_usrreqs; /* supersedes pr_usrreq() */
struct pfil_head pr_pfh;
};
/*#endif*/