mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-04 09:09:56 +00:00
activate pfil_hooks and covert ipfilter to use it
This commit is contained in:
parent
8acc38283a
commit
c4ac87ea1c
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=64060
@ -190,7 +190,8 @@ struct devsw iplsw = {
|
||||
};
|
||||
#endif /* _BSDI_VERSION >= 199510 && _KERNEL */
|
||||
|
||||
#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
|
||||
#if defined(__NetBSD__) || defined(__OpenBSD__) || \
|
||||
(_BSDI_VERSION >= 199701) || (__FreeBSD_Version >= 50011)
|
||||
# include <sys/conf.h>
|
||||
# if defined(NETBSD_PF)
|
||||
# include <net/pfil.h>
|
||||
@ -231,7 +232,8 @@ int iplattach()
|
||||
{
|
||||
char *defpass;
|
||||
int s;
|
||||
# if defined(__sgi) || (defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000))
|
||||
# if defined(__sgi) || (defined(NETBSD_PF) && \
|
||||
((__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011)))
|
||||
int error = 0;
|
||||
# endif
|
||||
|
||||
@ -253,7 +255,7 @@ int iplattach()
|
||||
return -1;
|
||||
|
||||
# ifdef NETBSD_PF
|
||||
# if __NetBSD_Version__ >= 104200000
|
||||
# if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011)
|
||||
error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
|
||||
&inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
|
||||
if (error) {
|
||||
@ -338,7 +340,8 @@ int iplattach()
|
||||
int ipldetach()
|
||||
{
|
||||
int s, i = FR_INQUE|FR_OUTQUE;
|
||||
#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
|
||||
#if defined(NETBSD_PF) && \
|
||||
((__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011))
|
||||
int error = 0;
|
||||
#endif
|
||||
|
||||
@ -372,7 +375,7 @@ int ipldetach()
|
||||
fr_running = 0;
|
||||
|
||||
# ifdef NETBSD_PF
|
||||
# if __NetBSD_Version__ >= 104200000
|
||||
# if ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_Version >= 50011))
|
||||
error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
|
||||
&inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
|
||||
if (error)
|
||||
|
@ -468,7 +468,8 @@ typedef struct ipflog {
|
||||
* with this!
|
||||
*/
|
||||
#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
|
||||
(defined(NetBSD1_2) && NetBSD1_2 > 1)
|
||||
(defined(NetBSD1_2) && NetBSD1_2 > 1) || (defined(__FreeBSD_version) && \
|
||||
(__FreeBSD_version >= 500011))
|
||||
# if (NetBSD >= 199905)
|
||||
# define PFIL_HOOKS
|
||||
# endif
|
||||
|
@ -43,12 +43,14 @@
|
||||
#include "opt_ipfilter.h"
|
||||
#include "opt_ipstealth.h"
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_pfil_hooks.h"
|
||||
|
||||
#include <stddef.h>
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/mbuf.h>
|
||||
#include <sys/pfil.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/domain.h>
|
||||
#include <sys/protosw.h>
|
||||
@ -175,8 +177,6 @@ int fw_enable = 1 ;
|
||||
ip_dn_ctl_t *ip_dn_ctl_ptr;
|
||||
#endif
|
||||
|
||||
int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
|
||||
|
||||
|
||||
/*
|
||||
* We need to save the IP options in case a protocol wants to respond
|
||||
@ -261,6 +261,11 @@ ip_input(struct mbuf *m)
|
||||
u_int32_t divert_info = 0; /* packet divert/tee info */
|
||||
#endif
|
||||
struct ip_fw_chain *rule = NULL;
|
||||
#ifdef PFIL_HOOKS
|
||||
struct packet_filter_hook *pfh;
|
||||
struct mbuf *m0;
|
||||
int rv;
|
||||
#endif /* PFIL_HOOKS */
|
||||
|
||||
#ifdef IPDIVERT
|
||||
/* Get and reset firewall cookie */
|
||||
@ -377,17 +382,30 @@ ip_input(struct mbuf *m)
|
||||
#if defined(IPFIREWALL) && defined(DUMMYNET)
|
||||
iphack:
|
||||
#endif
|
||||
/*
|
||||
* Check if we want to allow this packet to be processed.
|
||||
* Consider it to be bad if not.
|
||||
*/
|
||||
if (fr_checkp) {
|
||||
struct mbuf *m1 = m;
|
||||
|
||||
if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
|
||||
return;
|
||||
ip = mtod(m = m1, struct ip *);
|
||||
}
|
||||
#ifdef PFIL_HOOKS
|
||||
/*
|
||||
* Run through list of hooks for input packets. If there are any
|
||||
* filters which require that additional packets in the flow are
|
||||
* not fast-forwarded, they must clear the M_CANFASTFWD flag.
|
||||
* Note that filters must _never_ set this flag, as another filter
|
||||
* in the list may have previously cleared it.
|
||||
*/
|
||||
m0 = m;
|
||||
pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
|
||||
for (; pfh; pfh = pfh->pfil_link.tqe_next)
|
||||
if (pfh->pfil_func) {
|
||||
rv = pfh->pfil_func(ip, hlen,
|
||||
m->m_pkthdr.rcvif, 0, &m0);
|
||||
if (rv)
|
||||
return;
|
||||
m = m0;
|
||||
if (m == NULL)
|
||||
return;
|
||||
ip = mtod(m, struct ip *);
|
||||
}
|
||||
#endif /* PFIL_HOOKS */
|
||||
|
||||
if (fw_enable && ip_fw_chk_ptr) {
|
||||
#ifdef IPFIREWALL_FORWARD
|
||||
/*
|
||||
|
@ -41,6 +41,7 @@
|
||||
#include "opt_ipdivert.h"
|
||||
#include "opt_ipfilter.h"
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_pfil_hooks.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
@ -106,7 +107,6 @@ static int ip_setmoptions
|
||||
__P((struct sockopt *, struct ip_moptions **));
|
||||
|
||||
int ip_optcopy __P((struct ip *, struct ip *));
|
||||
extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
|
||||
|
||||
|
||||
extern struct protosw inetsw[];
|
||||
@ -139,6 +139,11 @@ ip_output(m0, opt, ro, flags, imo)
|
||||
struct secpolicy *sp = NULL;
|
||||
#endif
|
||||
u_int16_t divert_cookie; /* firewall cookie */
|
||||
#ifdef PFIL_HOOKS
|
||||
struct packet_filter_hook *pfh;
|
||||
struct mbuf *m1;
|
||||
int rv;
|
||||
#endif /* PFIL_HOOKS */
|
||||
#ifdef IPFIREWALL_FORWARD
|
||||
int fwd_rewrite_src = 0;
|
||||
#endif
|
||||
@ -431,13 +436,25 @@ ip_output(m0, opt, ro, flags, imo)
|
||||
* - Wrap: fake packet's addr/port <unimpl.>
|
||||
* - Encapsulate: put it in another IP and send out. <unimp.>
|
||||
*/
|
||||
if (fr_checkp) {
|
||||
struct mbuf *m1 = m;
|
||||
|
||||
if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
|
||||
goto done;
|
||||
ip = mtod(m = m1, struct ip *);
|
||||
}
|
||||
#ifdef PFIL_HOOKS
|
||||
/*
|
||||
* Run through list of hooks for output packets.
|
||||
*/
|
||||
m1 = m;
|
||||
pfh = pfil_hook_get(PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
|
||||
for (; pfh; pfh = pfh->pfil_link.tqe_next)
|
||||
if (pfh->pfil_func) {
|
||||
rv = pfh->pfil_func(ip, hlen, ifp, 1, &m1);
|
||||
if (rv) {
|
||||
error = EHOSTUNREACH;
|
||||
goto done;
|
||||
}
|
||||
m = m1;
|
||||
if (m == NULL)
|
||||
goto done;
|
||||
ip = mtod(m, struct ip *);
|
||||
}
|
||||
#endif /* PFIL_HOOKS */
|
||||
|
||||
/*
|
||||
* Check with the firewall...
|
||||
|
@ -66,6 +66,11 @@
|
||||
#ifndef _NETINET_IPPROTOSW_H_
|
||||
#define _NETINET_IPPROTOSW_H_
|
||||
|
||||
/*
|
||||
* For pfil_head structure.
|
||||
*/
|
||||
#include <net/pfil.h>
|
||||
|
||||
/* Forward declare these structures referenced from prototypes below. */
|
||||
struct mbuf;
|
||||
struct proc;
|
||||
@ -98,6 +103,7 @@ struct ipprotosw {
|
||||
void (*pr_drain) __P((void));
|
||||
/* flush any excess space possible */
|
||||
struct pr_usrreqs *pr_usrreqs; /* supersedes pr_usrreq() */
|
||||
struct pfil_head pr_pfh;
|
||||
};
|
||||
|
||||
#endif /* !_NETINET_IPPROTOSW_H_ */
|
||||
|
@ -69,6 +69,7 @@
|
||||
#include "opt_inet.h"
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_pfil_hooks.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
@ -89,6 +90,9 @@
|
||||
#include <net/route.h>
|
||||
#include <net/netisr.h>
|
||||
#include <net/intrq.h>
|
||||
#ifdef PFIL_HOOKS
|
||||
#include <net/pfil.h>
|
||||
#endif
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
@ -233,6 +237,11 @@ ip6_input(m)
|
||||
u_int32_t rtalert = ~0;
|
||||
int nxt, ours = 0;
|
||||
struct ifnet *deliverifp = NULL;
|
||||
#ifdef PFIL_HOOKS
|
||||
struct packet_filter_hook *pfh;
|
||||
struct mbuf *m0;
|
||||
int rv;
|
||||
#endif /* PFIL_HOOKS */
|
||||
|
||||
#ifdef IPSEC
|
||||
/*
|
||||
@ -291,6 +300,29 @@ ip6_input(m)
|
||||
goto bad;
|
||||
}
|
||||
|
||||
#ifdef PFIL_HOOKS
|
||||
/*
|
||||
* Run through list of hooks for input packets. If there are any
|
||||
* filters which require that additional packets in the flow are
|
||||
* not fast-forwarded, they must clear the M_CANFASTFWD flag.
|
||||
* Note that filters must _never_ set this flag, as another filter
|
||||
* in the list may have previously cleared it.
|
||||
*/
|
||||
m0 = m;
|
||||
pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
|
||||
for (; pfh; pfh = pfh->pfil_link.tqe_next)
|
||||
if (pfh->pfil_func) {
|
||||
rv = pfh->pfil_func(ip6, sizeof(*ip6),
|
||||
m->m_pkthdr.rcvif, 0, &m0);
|
||||
if (rv)
|
||||
return;
|
||||
m = m0;
|
||||
if (m == NULL)
|
||||
return;
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
}
|
||||
#endif /* PFIL_HOOKS */
|
||||
|
||||
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
|
||||
|
||||
#ifdef IPV6FIREWALL
|
||||
|
@ -69,6 +69,7 @@
|
||||
#include "opt_inet.h"
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_pfil_hooks.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/malloc.h>
|
||||
@ -83,6 +84,9 @@
|
||||
|
||||
#include <net/if.h>
|
||||
#include <net/route.h>
|
||||
#ifdef PFIL_HOOKS
|
||||
#include <net/pfil.h>
|
||||
#endif
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_var.h>
|
||||
@ -157,6 +161,11 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp)
|
||||
struct route_in6 *ro_pmtu = NULL;
|
||||
int hdrsplit = 0;
|
||||
int needipsec = 0;
|
||||
#ifdef PFIL_HOOKS
|
||||
struct packet_filter_hook *pfh;
|
||||
struct mbuf *m1;
|
||||
int rv;
|
||||
#endif /* PFIL_HOOKS */
|
||||
#ifdef IPSEC
|
||||
int needipsectun = 0;
|
||||
struct socket *so;
|
||||
@ -840,6 +849,25 @@ skip_ipsec2:;
|
||||
m->m_pkthdr.rcvif = NULL;
|
||||
}
|
||||
|
||||
#ifdef PFIL_HOOKS
|
||||
/*
|
||||
* Run through list of hooks for output packets.
|
||||
*/
|
||||
m1 = m;
|
||||
pfh = pfil_hook_get(PFIL_OUT, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
|
||||
for (; pfh; pfh = pfh->pfil_link.tqe_next)
|
||||
if (pfh->pfil_func) {
|
||||
rv = pfh->pfil_func(ip6, sizeof(*ip6), ifp, 1, &m1);
|
||||
if (rv) {
|
||||
error = EHOSTUNREACH;
|
||||
goto done;
|
||||
}
|
||||
m = m1;
|
||||
if (m == NULL)
|
||||
goto done;
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
}
|
||||
#endif /* PFIL_HOOKS */
|
||||
/*
|
||||
* Send the packet to the outgoing interface.
|
||||
* If necessary, do IPv6 fragmentation before sending.
|
||||
|
@ -37,6 +37,11 @@
|
||||
#ifndef _SYS_PROTOSW_H_
|
||||
#define _SYS_PROTOSW_H_
|
||||
|
||||
/*
|
||||
* For pfil_head structure.
|
||||
*/
|
||||
#include <net/pfil.h>
|
||||
|
||||
/* Forward declare these structures referenced from prototypes below. */
|
||||
struct mbuf;
|
||||
struct proc;
|
||||
@ -92,6 +97,7 @@ struct protosw {
|
||||
void (*pr_drain) __P((void));
|
||||
/* flush any excess space possible */
|
||||
struct pr_usrreqs *pr_usrreqs; /* supersedes pr_usrreq() */
|
||||
struct pfil_head pr_pfh;
|
||||
};
|
||||
/*#endif*/
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user