search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / sys / dist / ipf / netinet / ip_fil_netbsd.c
blob579ec2cdd5be9b460b0a0bf6422d6f8a9590c88b
1 /* $NetBSD: ip_fil_netbsd.c,v 1.52 2009/10/03 00:37:02 elad Exp $ */
2
3 /*
4 * Copyright (C) 1993-2003 by Darren Reed.
5 *
6 * See the IPFILTER.LICENCE file for details on licencing.
7 */
8 #if !defined(lint)
9 #if defined(__NetBSD__)
10 #include <sys/cdefs.h>
11 __KERNEL_RCSID(0, "$NetBSD: ip_fil_netbsd.c,v 1.52 2009/10/03 00:37:02 elad Exp $");
12 #else
13 static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
14 static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.66 2009/05/17 17:45:26 darrenr Exp";
15 #endif
16 #endif
17
18 #if defined(KERNEL) || defined(_KERNEL)
19 # undef KERNEL
20 # undef _KERNEL
21 # define KERNEL 1
22 # define _KERNEL 1
23 #endif
24 #include <sys/param.h>
25 #if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
26 # if (__NetBSD_Version__ < 399001400)
27 # include "opt_ipfilter_log.h"
28 # else
29 # include "opt_ipfilter.h"
30 # endif
31 # include "opt_pfil_hooks.h"
32 # include "opt_ipsec.h"
33 #endif
34 #include <sys/errno.h>
35 #include <sys/types.h>
36 #include <sys/file.h>
37 #include <sys/ioctl.h>
38 #include <sys/time.h>
39 #include <sys/systm.h>
40 #if (NetBSD > 199609)
41 # include <sys/dirent.h>
42 #else
43 # include <sys/dir.h>
44 #endif
45 #include <sys/mbuf.h>
46 #include <sys/protosw.h>
47 #include <sys/socket.h>
48 #include <sys/poll.h>
49 #if (__NetBSD_Version__ >= 399002000)
50 # include <sys/kauth.h>
51 #endif
52
53 #include <net/if.h>
54 #include <net/route.h>
55 #include <netinet/in.h>
56 #include <netinet/in_var.h>
57 #include <netinet/in_systm.h>
58 #include <netinet/ip.h>
59 #include <netinet/ip_var.h>
60 #include <netinet/tcp.h>
61 #if __NetBSD_Version__ >= 105190000 /* 1.5T */
62 # include <netinet/tcp_timer.h>
63 # include <netinet/tcp_var.h>
64 #endif
65 #include <netinet/udp.h>
66 #include <netinet/tcpip.h>
67 #include <netinet/ip_icmp.h>
68 #include "netinet/ip_compat.h"
69 #ifdef USE_INET6
70 # include <netinet/icmp6.h>
71 # if (__NetBSD_Version__ >= 106000000)
72 # include <netinet6/nd6.h>
73 # endif
74 #endif
75 #include "netinet/ip_fil.h"
76 #include "netinet/ip_nat.h"
77 #include "netinet/ip_frag.h"
78 #include "netinet/ip_state.h"
79 #include "netinet/ip_proxy.h"
80 #include "netinet/ip_auth.h"
81 #ifdef IPFILTER_SYNC
82 #include "netinet/ip_sync.h"
83 #endif
84 #ifdef IPFILTER_SCAN
85 #include "netinet/ip_scan.h"
86 #endif
87 #include "netinet/ip_pool.h"
88 #include <sys/md5.h>
89 #include <sys/kernel.h>
90 #ifdef INET
91 extern int ip_optcopy __P((struct ip *, struct ip *));
92 #endif
93
94 #ifdef USE_MUTEXES
95 ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw;
96 ipfmutex_t ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new;
97 ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag;
98 ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
99 ipfrwlock_t ipf_frcache, ipf_tokens;
100 int ipf_locks_done = 0;
101 #endif
102
103 #ifdef IPFILTER_M_IPFILTER
104 # ifdef MALLOC_DEFINE
105 MALLOC_DEFINE(M_IPFILTER, "IP Filter", "IP Filter packet filter data structures");
106 # else
107 MALLOC_DECLARE(M_IPFILTER);
108 # endif
109 #endif
110
111 #if __NetBSD_Version__ >= 105009999
112 # define csuminfo csum_flags
113 #endif
114
115 #if __NetBSD_Version__ < 200000000
116 extern struct protosw inetsw[];
117 #endif
118
119 #if (__NetBSD_Version__ >= 599002000)
120 static kauth_listener_t ipf_listener;
121 #endif
122
123 #if (__NetBSD_Version__ < 399001400)
124 extern int ip6_getpmtu __P((struct route_in6 *, struct route_in6 *,
125 struct ifnet *, struct in6_addr *, u_long *,
126 int *));
127 #endif
128
129 static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **));
130 static int fr_send_ip __P((fr_info_t *, mb_t *, mb_t **));
131 #ifdef USE_INET6
132 static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **,
133 fr_info_t *, frdest_t *));
134 #endif
135
136 #if (__NetBSD_Version__ >= 104040000)
137 # include <sys/callout.h>
138 struct callout fr_slowtimer_ch;
139 #endif
140
141 #include <sys/conf.h>
142 #if defined(NETBSD_PF)
143 # include <net/pfil.h>
144 /*
145 * We provide the fr_checkp name just to minimize changes later.
146 */
147 int (*fr_checkp) __P((ip_t *ip, int hlen, void *ifp, int out, mb_t **mp));
148 #endif /* NETBSD_PF */
149
150 #if (__NetBSD_Version__ >= 106080000) && defined(_KERNEL)
151 # include <sys/select.h>
152
153 # if (__NetBSD_Version__ >= 399001400)
154 int iplpoll __P((dev_t dev, int events, struct lwp *p));
155 # else
156 int iplpoll __P((dev_t dev, int events, struct proc *p));
157 # endif
158
159 struct selinfo ipfselwait[IPL_LOGSIZE];
160
161 const struct cdevsw ipl_cdevsw = {
162 iplopen, iplclose, iplread, nowrite, iplioctl,
163 nostop, notty, iplpoll, nommap,
164 # if (__NetBSD_Version__ >= 200000000)
165 nokqfilter,
166 # endif
167 # ifdef D_OTHER
168 D_OTHER,
169 # endif
170 };
171 #endif
172
173
174 #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000)
175 # include <net/pfil.h>
176
177 static int fr_check_wrapper(void *, struct mbuf **, struct ifnet *, int );
178
179 static int
180 fr_check_wrapper(void *arg, struct mbuf **mp, struct ifnet *ifp,
181 int dir)
182 {
183 struct ip *ip;
184 int rv, hlen;
185
186 #if __NetBSD_Version__ >= 200080000
187 /*
188 * ensure that mbufs are writable beforehand
189 * as it's assumed by ipf code.
190 * XXX inefficient
191 */
192 int error = m_makewritable(mp, 0, M_COPYALL, M_DONTWAIT);
193
194 if (error) {
195 m_freem(*mp);
196 *mp = NULL;
197 return error;
198 }
199 #endif
200 ip = mtod(*mp, struct ip *);
201 hlen = ip->ip_hl << 2;
202
203 #ifdef INET
204 #if defined(M_CSUM_TCPv4)
205 /*
206 * If the packet is out-bound, we can't delay checksums
207 * here. For in-bound, the checksum has already been
208 * validated.
209 */
210 if (dir == PFIL_OUT) {
211 if ((*mp)->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
212 in_delayed_cksum(*mp);
213 (*mp)->m_pkthdr.csum_flags &=
214 ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
215 }
216 }
217 #endif /* M_CSUM_TCPv4 */
218 #endif /* INET */
219
220 /*
221 * We get the packet with all fields in network byte
222 * order. We expect ip_len and ip_off to be in host
223 * order. We frob them, call the filter, then frob
224 * them back.
225 *
226 * Note, we don't need to update the checksum, because
227 * it has already been verified.
228 */
229 NTOHS(ip->ip_len);
230 NTOHS(ip->ip_off);
231
232 rv = fr_check(ip, hlen, ifp, (dir == PFIL_OUT), mp);
233
234 if (rv == 0 && *mp != NULL) {
235 ip = mtod(*mp, struct ip *);
236 HTONS(ip->ip_len);
237 HTONS(ip->ip_off);
238 }
239
240 return (rv);
241 }
242
243 # ifdef USE_INET6
244 # include <netinet/ip6.h>
245
246 static int fr_check_wrapper6(void *, struct mbuf **, struct ifnet *, int );
247
248 static int
249 fr_check_wrapper6(void *arg, struct mbuf **mp, struct ifnet *ifp,
250 int dir)
251 {
252 #if defined(INET6)
253 # if defined(M_CSUM_TCPv6) && (__NetBSD_Version__ > 200000000)
254 /*
255 * If the packet is out-bound, we can't delay checksums
256 * here. For in-bound, the checksum has already been
257 * validated.
258 */
259 if (dir == PFIL_OUT) {
260 if ((*mp)->m_pkthdr.csum_flags & (M_CSUM_TCPv6|M_CSUM_UDPv6)) {
261 # if (__NetBSD_Version__ > 399000600)
262 in6_delayed_cksum(*mp);
263 # endif
264 (*mp)->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv6|
265 M_CSUM_UDPv6);
266 }
267 }
268 # endif
269 #endif /* INET6 */
270
271 return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
272 ifp, (dir == PFIL_OUT), mp));
273 }
274 # endif
275
276
277 # if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
278 static int ipf_pfilsync(void *, struct mbuf **, struct ifnet *, int);
279
280 static int ipf_pfilsync(void *hdr, struct mbuf **mp,
281 struct ifnet *ifp, int dir)
282 {
283 /*
284 * The interface pointer is useless for create (we have nothing to
285 * compare it to) and at detach, the interface name is still in the
286 * list of active NICs (albeit, down, but that's not any real
287 * indicator) and doing ifunit() on the name will still return the
288 * pointer, so it's not much use then, either.
289 */
290 frsync(NULL);
291 return 0;
292 }
293 # endif
294
295 #endif /* __NetBSD_Version__ >= 105110000 */
296
297
298 #if defined(IPFILTER_LKM)
299 int iplidentify(s)
300 char *s;
301 {
302 if (strcmp(s, "ipl") == 0)
303 return 1;
304 return 0;
305 }
306 #endif /* IPFILTER_LKM */
307
308 #if (__NetBSD_Version__ >= 599002000)
309 static int
310 ipf_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
311 void *arg0, void *arg1, void *arg2, void *arg3)
312 {
313 int result;
314 enum kauth_network_req req;
315
316 result = KAUTH_RESULT_DEFER;
317 req = (enum kauth_network_req)arg0;
318
319 if (action != KAUTH_NETWORK_FIREWALL)
320 return result;
321
322 /* These must have came from device context. */
323 if ((req == KAUTH_REQ_NETWORK_FIREWALL_FW) ||
324 (req == KAUTH_REQ_NETWORK_FIREWALL_NAT))
325 result = KAUTH_RESULT_ALLOW;
326
327 return result;
328 }
329 #endif
330
331 /*
332 * Try to detect the case when compiling for NetBSD with pseudo-device
333 */
334 #if defined(PFIL_HOOKS)
335 void
336 ipfilterattach(int count)
337 {
338 # ifdef USE_MUTEXES
339 RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex");
340 RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
341 RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock");
342 # endif
343
344 #if (__NetBSD_Version__ >= 599002000)
345 ipf_listener = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
346 ipf_listener_cb, NULL);
347 #endif
348
349 }
350 #endif
351
352
353 int ipfattach(void)
354 {
355 SPL_INT(s);
356 #if (__NetBSD_Version__ >= 499005500)
357 int i;
358 #endif
359 #if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
360 int error = 0;
361 # if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000)
362 struct pfil_head *ph_inet;
363 # ifdef USE_INET6
364 struct pfil_head *ph_inet6;
365 # endif
366 # if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
367 struct pfil_head *ph_ifsync;
368 # endif
369 # endif
370 #endif
371
372 SPL_NET(s);
373 if ((fr_running > 0) || (fr_checkp == fr_check)) {
374 printf("IP Filter: already initialized\n");
375 SPL_X(s);
376 return EBUSY;
377 }
378
379 #ifdef USE_MUTEXES
380 MUTEX_INIT(&ipf_rw, "ipf rw mutex");
381 MUTEX_INIT(&ipf_timeoutlock, "ipf timeout queue mutex");
382 RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
383 RWLOCK_INIT(&ipf_tokens, "ipf token rwlock");
384 ipf_locks_done = 1;
385 #endif
386
387 if (fr_initialise() < 0) {
388 SPL_X(s);
389 return EIO;
390 }
391
392 #ifdef NETBSD_PF
393 # if (__NetBSD_Version__ >= 104200000)
394 # if __NetBSD_Version__ >= 105110000
395 ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
396 # ifdef USE_INET6
397 ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
398 # endif
399 # if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
400 ph_ifsync = pfil_head_get(PFIL_TYPE_IFNET, 0);
401 # endif
402
403 if (ph_inet == NULL
404 # ifdef USE_INET6
405 && ph_inet6 == NULL
406 # endif
407 # if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
408 && ph_ifsync == NULL
409 # endif
410 ) {
411 SPL_X(s);
412 printf("pfil_head_get failed\n");
413 return ENODEV;
414 }
415
416 if (ph_inet != NULL)
417 error = pfil_add_hook((void *)fr_check_wrapper, NULL,
418 PFIL_IN|PFIL_OUT, ph_inet);
419 else
420 error = 0;
421 # else
422 error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
423 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
424 # endif
425 if (error)
426 goto pfil_error;
427 # else
428 pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
429 # endif
430
431 # ifdef USE_INET6
432 # if __NetBSD_Version__ >= 105110000
433 if (ph_inet6 != NULL)
434 error = pfil_add_hook((void *)fr_check_wrapper6, NULL,
435 PFIL_IN|PFIL_OUT, ph_inet6);
436 else
437 error = 0;
438 if (error) {
439 pfil_remove_hook((void *)fr_check_wrapper6, NULL,
440 PFIL_IN|PFIL_OUT, ph_inet6);
441 goto pfil_error;
442 }
443 # else
444 error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
445 &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
446 if (error) {
447 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
448 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
449 goto pfil_error;
450 }
451 # endif
452 # endif
453
454 # if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
455 if (ph_ifsync != NULL)
456 (void) pfil_add_hook((void *)ipf_pfilsync, NULL,
457 PFIL_IFNET, ph_ifsync);
458 # endif
459 #endif
460
461 #if (__NetBSD_Version__ >= 499005500)
462 for (i = 0; i < IPL_LOGSIZE; i++)
463 selinit(&ipfselwait[i]);
464 #else
465 bzero((char *)ipfselwait, sizeof(ipfselwait));
466 #endif
467 bzero((char *)frcache, sizeof(frcache));
468 fr_savep = fr_checkp;
469 fr_checkp = fr_check;
470
471 #ifdef INET
472 if (fr_control_forwarding & 1)
473 ipforwarding = 1;
474 #endif
475
476 SPL_X(s);
477
478 #if (__NetBSD_Version__ >= 104010000)
479 # if (__NetBSD_Version__ >= 499002000)
480 callout_init(&fr_slowtimer_ch, 0);
481 # else
482 callout_init(&fr_slowtimer_ch);
483 # endif
484 callout_reset(&fr_slowtimer_ch, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT,
485 fr_slowtimer, NULL);
486 #else
487 timeout(fr_slowtimer, NULL, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
488 #endif
489
490 return 0;
491
492 #if __NetBSD_Version__ >= 105110000
493 pfil_error:
494 fr_deinitialise();
495 SPL_X(s);
496 return error;
497 #endif
498 }
499
500
501 /*
502 * Disable the filter by removing the hooks from the IP input/output
503 * stream.
504 */
505 int ipfdetach(void)
506 {
507 SPL_INT(s);
508 #if (__NetBSD_Version__ >= 499005500)
509 int i;
510 #endif
511 #if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
512 int error = 0;
513 # if __NetBSD_Version__ >= 105150000
514 struct pfil_head *ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
515 # ifdef USE_INET6
516 struct pfil_head *ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
517 # endif
518 # if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
519 struct pfil_head *ph_ifsync = pfil_head_get(PFIL_TYPE_IFNET, 0);
520 # endif
521 # endif
522 #endif
523
524 SPL_NET(s);
525
526 #if (__NetBSD_Version__ >= 104010000)
527 if (fr_running > 0)
528 callout_stop(&fr_slowtimer_ch);
529 #else
530 untimeout(fr_slowtimer, NULL);
531 #endif /* NetBSD */
532
533 fr_checkp = fr_savep;
534 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
535 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
536
537 #ifdef INET
538 if (fr_control_forwarding & 2)
539 ipforwarding = 0;
540 #endif
541
542 #ifdef NETBSD_PF
543 # if (__NetBSD_Version__ >= 104200000)
544 # if __NetBSD_Version__ >= 105110000
545 # if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
546 (void) pfil_remove_hook((void *)ipf_pfilsync, NULL,
547 PFIL_IFNET, ph_ifsync);
548 # endif
549
550 if (ph_inet != NULL)
551 error = pfil_remove_hook((void *)fr_check_wrapper, NULL,
552 PFIL_IN|PFIL_OUT, ph_inet);
553 else
554 error = 0;
555 # else
556 error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
557 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
558 # endif
559 if (error) {
560 SPL_X(s);
561 return error;
562 }
563 # else
564 pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
565 # endif
566 # ifdef USE_INET6
567 # if __NetBSD_Version__ >= 105110000
568 if (ph_inet6 != NULL)
569 error = pfil_remove_hook((void *)fr_check_wrapper6, NULL,
570 PFIL_IN|PFIL_OUT, ph_inet6);
571 else
572 error = 0;
573 # else
574 error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
575 &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
576 # endif
577 if (error) {
578 SPL_X(s);
579 return error;
580 }
581 # endif
582 #endif
583 fr_deinitialise();
584
585 SPL_X(s);
586
587 #if (__NetBSD_Version__ >= 499005500)
588 for (i = 0; i < IPL_LOGSIZE; i++)
589 seldestroy(&ipfselwait[i]);
590 #endif
591 #ifdef USE_MUTEXES
592 if (ipf_locks_done == 1) {
593 MUTEX_DESTROY(&ipf_rw);
594 MUTEX_DESTROY(&ipf_timeoutlock);
595 RW_DESTROY(&ipf_ipidfrag);
596 RW_DESTROY(&ipf_tokens);
597 ipf_locks_done = 0;
598 }
599 #endif
600 return 0;
601 }
602
603
604 /*
605 * Filter ioctl interface.
606 */
607 int iplioctl(dev, cmd, data, mode
608 #if (NetBSD >= 199511)
609 , p)
610 # if (__NetBSD_Version__ >= 399001400)
611 struct lwp *p;
612 # if (__NetBSD_Version__ >= 399002000)
613 # define UID(l) kauth_cred_getuid((l)->l_cred)
614 # else
615 # define UID(l) ((l)->l_proc->p_cred->p_ruid)
616 # endif
617 # else
618 struct proc *p;
619 # define UID(p) ((p)->p_cred->p_ruid)
620 # endif
621 #else
622 )
623 #endif
624 dev_t dev;
625 u_long cmd;
626 #if (__NetBSD_Version__ >= 499001000)
627 void *data;
628 #else
629 caddr_t data;
630 #endif
631 int mode;
632 {
633 int error = 0, unit = 0;
634 SPL_INT(s);
635
636 #if (__NetBSD_Version__ >= 399002000)
637 if ((mode & FWRITE) &&
638 kauth_authorize_network(p->l_cred, KAUTH_NETWORK_FIREWALL,
639 KAUTH_REQ_NETWORK_FIREWALL_FW, NULL,
640 NULL, NULL)) {
641 return EPERM;
642 }
643 #else
644 if ((securelevel >= 2) && (mode & FWRITE)) {
645 return EPERM;
646 }
647 #endif
648
649 unit = GET_MINOR(dev);
650 if ((IPL_LOGMAX < unit) || (unit < 0))
651 return ENXIO;
652
653 if (fr_running <= 0) {
654 if (unit != IPL_LOGIPF)
655 return EIO;
656 if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET &&
657 cmd != SIOCIPFSET && cmd != SIOCFRENB &&
658 cmd != SIOCGETFS && cmd != SIOCGETFF)
659 return EIO;
660 }
661
662 SPL_NET(s);
663
664 error = fr_ioctlswitch(unit, data, cmd, mode, UID(p), p);
665
666 SPL_X(s);
667 return error;
668 }
669
670
671 #if 0
672 void fr_forgetifp(ifp)
673 void *ifp;
674 {
675 register frentry_t *f;
676
677 WRITE_ENTER(&ipf_mutex);
678 for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
679 if (f->fr_ifa == ifp)
680 f->fr_ifa = (void *)-1;
681 for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
682 if (f->fr_ifa == ifp)
683 f->fr_ifa = (void *)-1;
684 for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
685 if (f->fr_ifa == ifp)
686 f->fr_ifa = (void *)-1;
687 for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
688 if (f->fr_ifa == ifp)
689 f->fr_ifa = (void *)-1;
690 #ifdef USE_INET6
691 for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
692 if (f->fr_ifa == ifp)
693 f->fr_ifa = (void *)-1;
694 for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
695 if (f->fr_ifa == ifp)
696 f->fr_ifa = (void *)-1;
697 for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
698 if (f->fr_ifa == ifp)
699 f->fr_ifa = (void *)-1;
700 for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
701 if (f->fr_ifa == ifp)
702 f->fr_ifa = (void *)-1;
703 #endif
704 RWLOCK_EXIT(&ipf_mutex);
705 fr_natsync(ifp);
706 }
707 #endif
708
709
710 /*
711 * routines below for saving IP headers to buffer
712 */
713 int iplopen(
714 dev_t dev,
715 int flags,
716 #if (NetBSD >= 199511)
717 int devtype,
718 #endif
719 # if (__NetBSD_Version__ >= 399001400)
720 struct lwp *p
721 # else
722 struct proc *p
723 # endif
724 )
725 {
726 u_int unit = GET_MINOR(dev);
727 int error;
728
729 if (IPL_LOGMAX < unit)
730 error = ENXIO;
731 else {
732 switch (unit)
733 {
734 case IPL_LOGIPF :
735 case IPL_LOGNAT :
736 case IPL_LOGSTATE :
737 case IPL_LOGAUTH :
738 #ifdef IPFILTER_LOOKUP
739 case IPL_LOGLOOKUP :
740 #endif
741 #ifdef IPFILTER_SYNC
742 case IPL_LOGSYNC :
743 #endif
744 #ifdef IPFILTER_SCAN
745 case IPL_LOGSCAN :
746 #endif
747 error = 0;
748 break;
749 default :
750 error = ENXIO;
751 break;
752 }
753 }
754 return error;
755 }
756
757
758 int iplclose(
759 dev_t dev,
760 int flags,
761 #if (NetBSD >= 199511)
762 int devtype,
763 #endif
764 # if (__NetBSD_Version__ >= 399001400)
765 struct lwp *p
766 # else
767 struct proc *p
768 # endif
769 )
770 {
771 u_int unit = GET_MINOR(dev);
772
773 if (IPL_LOGMAX < unit)
774 unit = ENXIO;
775 else
776 unit = 0;
777 return unit;
778 }
779
780 /*
781 * iplread/ipllog
782 * both of these must operate with at least splnet() lest they be
783 * called during packet processing and cause an inconsistancy to appear in
784 * the filter lists.
785 */
786 int iplread(
787 dev_t dev,
788 struct uio *uio,
789 #if (BSD >= 199306)
790 int ioflag
791 #endif
792 )
793 {
794
795 if (fr_running < 1)
796 return EIO;
797
798 # ifdef IPFILTER_SYNC
799 if (GET_MINOR(dev) == IPL_LOGSYNC)
800 return ipfsync_read(uio);
801 # endif
802
803 #ifdef IPFILTER_LOG
804 return ipflog_read(GET_MINOR(dev), uio);
805 #else
806 return ENXIO;
807 #endif
808 }
809
810
811 /*
812 * iplwrite
813 * both of these must operate with at least splnet() lest they be
814 * called during packet processing and cause an inconsistancy to appear in
815 * the filter lists.
816 */
817 int iplwrite(
818 dev_t dev,
819 struct uio *uio,
820 #if (BSD >= 199306)
821 int ioflag
822 #endif
823 )
824 {
825
826 if (fr_running < 1)
827 return EIO;
828
829 #ifdef IPFILTER_SYNC
830 if (GET_MINOR(dev) == IPL_LOGSYNC)
831 return ipfsync_write(uio);
832 #endif
833 return ENXIO;
834 }
835
836
837 /*
838 * fr_send_reset - this could conceivably be a call to tcp_respond(), but that
839 * requires a large amount of setting up and isn't any more efficient.
840 */
841 int fr_send_reset(fin)
842 fr_info_t *fin;
843 {
844 struct tcphdr *tcp, *tcp2;
845 int tlen = 0, hlen;
846 struct mbuf *m;
847 #ifdef USE_INET6
848 ip6_t *ip6;
849 #endif
850 ip_t *ip;
851
852 tcp = fin->fin_dp;
853 if (tcp->th_flags & TH_RST)
854 return -1; /* feedback loop */
855
856 if (fr_checkl4sum(fin) == -1)
857 return -1;
858
859 tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
860 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
861 ((tcp->th_flags & TH_FIN) ? 1 : 0);
862
863 #ifdef USE_INET6
864 hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
865 #else
866 hlen = sizeof(ip_t);
867 #endif
868 #ifdef MGETHDR
869 MGETHDR(m, M_DONTWAIT, MT_HEADER);
870 #else
871 MGET(m, M_DONTWAIT, MT_HEADER);
872 #endif
873 if (m == NULL)
874 return -1;
875 if (sizeof(*tcp2) + hlen > MHLEN) {
876 MCLGET(m, M_DONTWAIT);
877 if (m == NULL)
878 return -1;
879 if ((m->m_flags & M_EXT) == 0) {
880 FREE_MB_T(m);
881 return -1;
882 }
883 }
884
885 m->m_len = sizeof(*tcp2) + hlen;
886 m->m_data += max_linkhdr;
887 m->m_pkthdr.len = m->m_len;
888 m->m_pkthdr.rcvif = (struct ifnet *)0;
889 ip = mtod(m, struct ip *);
890 bzero((char *)ip, hlen);
891 #ifdef USE_INET6
892 ip6 = (ip6_t *)ip;
893 #endif
894 bzero((char *)ip, sizeof(*tcp2) + hlen);
895 tcp2 = (struct tcphdr *)((char *)ip + hlen);
896 tcp2->th_sport = tcp->th_dport;
897 tcp2->th_dport = tcp->th_sport;
898
899 if (tcp->th_flags & TH_ACK) {
900 tcp2->th_seq = tcp->th_ack;
901 tcp2->th_flags = TH_RST;
902 tcp2->th_ack = 0;
903 } else {
904 tcp2->th_seq = 0;
905 tcp2->th_ack = ntohl(tcp->th_seq);
906 tcp2->th_ack += tlen;
907 tcp2->th_ack = htonl(tcp2->th_ack);
908 tcp2->th_flags = TH_RST|TH_ACK;
909 }
910 tcp2->th_x2 = 0;
911 TCP_OFF_A(tcp2, sizeof(*tcp2) >> 2);
912 tcp2->th_win = tcp->th_win;
913 tcp2->th_sum = 0;
914 tcp2->th_urp = 0;
915
916 #ifdef USE_INET6
917 if (fin->fin_v == 6) {
918 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
919 ip6->ip6_plen = htons(sizeof(struct tcphdr));
920 ip6->ip6_nxt = IPPROTO_TCP;
921 ip6->ip6_hlim = 0;
922 ip6->ip6_src = fin->fin_dst6;
923 ip6->ip6_dst = fin->fin_src6;
924 tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
925 sizeof(*ip6), sizeof(*tcp2));
926 return fr_send_ip(fin, m, &m);
927 }
928 #endif
929 #ifdef INET
930 ip->ip_p = IPPROTO_TCP;
931 ip->ip_len = htons(sizeof(struct tcphdr));
932 ip->ip_src.s_addr = fin->fin_daddr;
933 ip->ip_dst.s_addr = fin->fin_saddr;
934 tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
935 ip->ip_len = hlen + sizeof(*tcp2);
936 return fr_send_ip(fin, m, &m);
937 #else
938 return 0;
939 #endif
940 }
941
942
943 static int fr_send_ip(fin, m, mpp)
944 fr_info_t *fin;
945 mb_t *m, **mpp;
946 {
947 fr_info_t fnew;
948 #ifdef INET
949 ip_t *oip;
950 #endif
951 ip_t *ip;
952 int hlen;
953
954 ip = mtod(m, ip_t *);
955 bzero((char *)&fnew, sizeof(fnew));
956
957 IP_V_A(ip, fin->fin_v);
958 switch (fin->fin_v)
959 {
960 #ifdef INET
961 case 4 :
962 fnew.fin_v = 4;
963 oip = fin->fin_ip;
964 IP_HL_A(ip, sizeof(*oip) >> 2);
965 ip->ip_tos = oip->ip_tos;
966 ip->ip_id = fr_nextipid(fin);
967 ip->ip_off = ip_mtudisc ? IP_DF : 0;
968 ip->ip_ttl = ip_defttl;
969 ip->ip_sum = 0;
970 hlen = sizeof(*oip);
971 break;
972 #endif
973 #ifdef USE_INET6
974 case 6 :
975 {
976 ip6_t *ip6 = (ip6_t *)ip;
977
978 ip6->ip6_vfc = 0x60;
979 ip6->ip6_hlim = IPDEFTTL;
980
981 fnew.fin_v = 6;
982 hlen = sizeof(*ip6);
983 break;
984 }
985 #endif
986 default :
987 return EINVAL;
988 }
989 #ifdef IPSEC
990 m->m_pkthdr.rcvif = NULL;
991 #endif
992
993 fnew.fin_ifp = fin->fin_ifp;
994 fnew.fin_flx = FI_NOCKSUM;
995 fnew.fin_m = m;
996 fnew.fin_ip = ip;
997 fnew.fin_mp = mpp;
998 fnew.fin_hlen = hlen;
999 fnew.fin_dp = (char *)ip + hlen;
1000 (void) fr_makefrip(hlen, ip, &fnew);
1001
1002 return fr_fastroute(m, mpp, &fnew, NULL);
1003 }
1004
1005
1006 int fr_send_icmp_err(type, fin, dst)
1007 int type;
1008 fr_info_t *fin;
1009 int dst;
1010 {
1011 int err, hlen, xtra, iclen, ohlen, avail, code;
1012 struct in_addr dst4;
1013 struct icmp *icmp;
1014 struct mbuf *m;
1015 void *ifp;
1016 #ifdef USE_INET6
1017 ip6_t *ip6;
1018 struct in6_addr dst6;
1019 #endif
1020 ip_t *ip, *ip2;
1021
1022 if ((type < 0) || (type > ICMP_MAXTYPE))
1023 return -1;
1024
1025 code = fin->fin_icode;
1026 #ifdef USE_INET6
1027 if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int)))
1028 return -1;
1029 #endif
1030
1031 if (fr_checkl4sum(fin) == -1)
1032 return -1;
1033 #ifdef MGETHDR
1034 MGETHDR(m, M_DONTWAIT, MT_HEADER);
1035 #else
1036 MGET(m, M_DONTWAIT, MT_HEADER);
1037 #endif
1038 if (m == NULL)
1039 return -1;
1040 avail = MHLEN;
1041
1042 xtra = 0;
1043 hlen = 0;
1044 ohlen = 0;
1045 ifp = fin->fin_ifp;
1046 if (fin->fin_v == 4) {
1047 if ((fin->fin_p == IPPROTO_ICMP) && !(fin->fin_flx & FI_SHORT))
1048 switch (ntohs(fin->fin_data[0]) >> 8)
1049 {
1050 case ICMP_ECHO :
1051 case ICMP_TSTAMP :
1052 case ICMP_IREQ :
1053 case ICMP_MASKREQ :
1054 break;
1055 default :
1056 FREE_MB_T(m);
1057 return 0;
1058 }
1059
1060 if (dst == 0) {
1061 if (fr_ifpaddr(4, FRI_NORMAL, ifp,
1062 &dst4, NULL) == -1) {
1063 FREE_MB_T(m);
1064 return -1;
1065 }
1066 } else
1067 dst4.s_addr = fin->fin_daddr;
1068
1069 hlen = sizeof(ip_t);
1070 ohlen = fin->fin_hlen;
1071 if (fin->fin_hlen < fin->fin_plen)
1072 xtra = MIN(fin->fin_dlen, 8);
1073 else
1074 xtra = 0;
1075 }
1076
1077 #ifdef USE_INET6
1078 else if (fin->fin_v == 6) {
1079 hlen = sizeof(ip6_t);
1080 ohlen = sizeof(ip6_t);
1081 type = icmptoicmp6types[type];
1082 if (type == ICMP6_DST_UNREACH)
1083 code = icmptoicmp6unreach[code];
1084
1085 if (hlen + sizeof(*icmp) + max_linkhdr +
1086 fin->fin_plen > avail) {
1087 MCLGET(m, M_DONTWAIT);
1088 if (m == NULL)
1089 return -1;
1090 if ((m->m_flags & M_EXT) == 0) {
1091 FREE_MB_T(m);
1092 return -1;
1093 }
1094 avail = MCLBYTES;
1095 }
1096 xtra = MIN(fin->fin_plen,
1097 avail - hlen - sizeof(*icmp) - max_linkhdr);
1098 if (dst == 0) {
1099 if (fr_ifpaddr(6, FRI_NORMAL, ifp,
1100 (struct in_addr *)&dst6, NULL) == -1) {
1101 FREE_MB_T(m);
1102 return -1;
1103 }
1104 } else
1105 dst6 = fin->fin_dst6;
1106 }
1107 #endif
1108 else {
1109 FREE_MB_T(m);
1110 return -1;
1111 }
1112
1113 iclen = hlen + sizeof(*icmp);
1114 avail -= (max_linkhdr + iclen);
1115 if (avail < 0) {
1116 FREE_MB_T(m);
1117 return -1;
1118 }
1119 if (xtra > avail)
1120 xtra = avail;
1121 iclen += xtra;
1122 m->m_data += max_linkhdr;
1123 m->m_pkthdr.rcvif = (struct ifnet *)0;
1124 m->m_pkthdr.len = iclen;
1125 m->m_len = iclen;
1126 ip = mtod(m, ip_t *);
1127 icmp = (struct icmp *)((char *)ip + hlen);
1128 ip2 = (ip_t *)&icmp->icmp_ip;
1129
1130 icmp->icmp_type = type;
1131 icmp->icmp_code = fin->fin_icode;
1132 icmp->icmp_cksum = 0;
1133 #ifdef icmp_nextmtu
1134 if (type == ICMP_UNREACH &&
1135 fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp)
1136 icmp->icmp_nextmtu = htons(((struct ifnet *)ifp)->if_mtu);
1137 #endif
1138
1139 bcopy((char *)fin->fin_ip, (char *)ip2, ohlen);
1140
1141 #if defined(M_CSUM_IPv4)
1142 /*
1143 * Clear any in-bound checksum flags for this packet.
1144 */
1145 m->m_pkthdr.csuminfo = 0;
1146 #endif /* __NetBSD__ && M_CSUM_IPv4 */
1147
1148 #ifdef USE_INET6
1149 ip6 = (ip6_t *)ip;
1150 if (fin->fin_v == 6) {
1151 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
1152 ip6->ip6_plen = htons(iclen - hlen);
1153 ip6->ip6_nxt = IPPROTO_ICMPV6;
1154 ip6->ip6_hlim = 0;
1155 ip6->ip6_src = dst6;
1156 ip6->ip6_dst = fin->fin_src6;
1157 if (xtra > 0)
1158 bcopy((char *)fin->fin_ip + ohlen,
1159 (char *)&icmp->icmp_ip + ohlen, xtra);
1160 icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
1161 sizeof(*ip6), iclen - hlen);
1162 } else
1163 #endif
1164 {
1165 ip2->ip_len = htons(ip2->ip_len);
1166 ip2->ip_off = htons(ip2->ip_off);
1167 ip->ip_p = IPPROTO_ICMP;
1168 ip->ip_src.s_addr = dst4.s_addr;
1169 ip->ip_dst.s_addr = fin->fin_saddr;
1170
1171 if (xtra > 0)
1172 bcopy((char *)fin->fin_ip + ohlen,
1173 (char *)&icmp->icmp_ip + ohlen, xtra);
1174 icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
1175 sizeof(*icmp) + 8);
1176 ip->ip_len = iclen;
1177 ip->ip_p = IPPROTO_ICMP;
1178 }
1179 err = fr_send_ip(fin, m, &m);
1180 return err;
1181 }
1182
1183
1184 /*
1185 * m0 - pointer to mbuf where the IP packet starts
1186 * mpp - pointer to the mbuf pointer that is the start of the mbuf chain
1187 */
1188 int fr_fastroute(m0, mpp, fin, fdp)
1189 mb_t *m0, **mpp;
1190 fr_info_t *fin;
1191 frdest_t *fdp;
1192 {
1193 int error = 0;
1194 #ifdef INET
1195 struct ip *ip, *mhip;
1196 struct mbuf *m = m0;
1197 struct route *ro;
1198 int len, off, hlen, code;
1199 struct ifnet *ifp, *sifp;
1200 # if __NetBSD_Version__ >= 499001100
1201 union {
1202 struct sockaddr dst;
1203 struct sockaddr_in dst4;
1204 } u;
1205 # else
1206 struct sockaddr_in *dst4;
1207 # endif
1208 struct sockaddr *dst;
1209 struct route iproute;
1210 struct rtentry *rt;
1211 u_short ip_off;
1212 frentry_t *fr;
1213 #endif /* INET */
1214
1215 if (fin->fin_v == 6) {
1216 #ifdef USE_INET6
1217 error = ipfr_fastroute6(m0, mpp, fin, fdp);
1218 #else
1219 error = EPROTONOSUPPORT;
1220 #endif
1221 if ((error != 0) && (*mpp != NULL)) {
1222 FREE_MB_T(*mpp);
1223 *mpp = NULL;
1224 }
1225 return error;
1226 }
1227 #ifndef INET
1228 return EPROTONOSUPPORT;
1229 #else
1230
1231 hlen = fin->fin_hlen;
1232 ip = mtod(m0, struct ip *);
1233 rt = NULL;
1234
1235 # if defined(M_CSUM_IPv4)
1236 /*
1237 * Clear any in-bound checksum flags for this packet.
1238 */
1239 m0->m_pkthdr.csuminfo = 0;
1240 # endif /* __NetBSD__ && M_CSUM_IPv4 */
1241
1242 /*
1243 * Route packet.
1244 */
1245 ro = &iproute;
1246 memset(ro, 0, sizeof(*ro));
1247
1248 if (fdp != NULL)
1249 ifp = fdp->fd_ifp;
1250 else
1251 ifp = fin->fin_ifp;
1252 fr = fin->fin_fr;
1253
1254 if ((ifp == NULL) && (!fr || !(fr->fr_flags & FR_FASTROUTE))) {
1255 error = -2;
1256 goto bad;
1257 }
1258
1259 # if __NetBSD_Version__ >= 499001100
1260 if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
1261 sockaddr_in_init(&u.dst4, &fdp->fd_ip, 0);
1262 else
1263 sockaddr_in_init(&u.dst4, &ip->ip_dst, 0);
1264 dst = &u.dst;
1265 rtcache_setdst(ro, dst);
1266 rt = rtcache_init(ro);
1267 # else
1268 dst4 = (struct sockaddr_in *)&ro->ro_dst;
1269 dst4->sin_family = AF_INET;
1270 dst4->sin_addr = ip->ip_dst;
1271 dst = (struct sockaddr *)dst4;
1272
1273 if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
1274 dst4->sin_addr = fdp->fd_ip;
1275
1276 dst4->sin_len = sizeof(*dst4);
1277 rtalloc(ro);
1278 rt = ro->ro_rt;
1279 # endif
1280
1281 if ((ifp == NULL) && (rt != NULL))
1282 ifp = rt->rt_ifp;
1283 if ((rt == NULL) || (ifp == NULL)) {
1284 #ifdef INET
1285 if (in_localaddr(ip->ip_dst))
1286 error = EHOSTUNREACH;
1287 else
1288 #endif
1289 error = ENETUNREACH;
1290 goto bad;
1291 }
1292
1293 if (rt->rt_flags & RTF_GATEWAY)
1294 dst = rt->rt_gateway;
1295
1296 rt->rt_use++;
1297
1298 /*
1299 * For input packets which are being "fastrouted", they won't
1300 * go back through output filtering and miss their chance to get
1301 * NAT'd and counted. Duplicated packets aren't considered to be
1302 * part of the normal packet stream, so do not NAT them or pass
1303 * them through stateful checking, etc.
1304 */
1305 if ((fdp != &fr->fr_dif) && (fin->fin_out == 0)) {
1306 sifp = fin->fin_ifp;
1307 fin->fin_ifp = ifp;
1308 fin->fin_out = 1;
1309 (void) fr_acctpkt(fin, NULL);
1310 fin->fin_fr = NULL;
1311 if (!fr || !(fr->fr_flags & FR_RETMASK)) {
1312 u_32_t pass;
1313
1314 (void) fr_checkstate(fin, &pass);
1315 }
1316
1317 switch (fr_checknatout(fin, NULL))
1318 {
1319 case 0 :
1320 break;
1321 case 1 :
1322 ip->ip_sum = 0;
1323 break;
1324 case -1 :
1325 error = -1;
1326 goto bad;
1327 break;
1328 }
1329
1330 fin->fin_ifp = sifp;
1331 fin->fin_out = 0;
1332 } else
1333 ip->ip_sum = 0;
1334 /*
1335 * If small enough for interface, can just send directly.
1336 */
1337 if (ip->ip_len <= ifp->if_mtu) {
1338 int i = 0;
1339
1340 if (m->m_flags & M_EXT)
1341 i = 1;
1342
1343 ip->ip_len = htons(ip->ip_len);
1344 ip->ip_off = htons(ip->ip_off);
1345 # if defined(M_CSUM_IPv4)
1346 # if (__NetBSD_Version__ >= 105009999)
1347 if (ifp->if_csum_flags_tx & M_CSUM_IPv4)
1348 m->m_pkthdr.csuminfo |= M_CSUM_IPv4;
1349 # else
1350 if (ifp->if_capabilities & IFCAP_CSUM_IPv4)
1351 m->m_pkthdr.csuminfo |= M_CSUM_IPv4;
1352 # endif /* (__NetBSD_Version__ >= 105009999) */
1353 else if (ip->ip_sum == 0)
1354 ip->ip_sum = in_cksum(m, hlen);
1355 # else
1356 if (!ip->ip_sum)
1357 ip->ip_sum = in_cksum(m, hlen);
1358 # endif /* M_CSUM_IPv4 */
1359 # if __NetBSD_Version__ >= 499001100
1360 error = (*ifp->if_output)(ifp, m, dst, rt);
1361 # else
1362 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, rt);
1363 # endif
1364 if (i) {
1365 ip->ip_len = ntohs(ip->ip_len);
1366 ip->ip_off = ntohs(ip->ip_off);
1367 }
1368 goto done;
1369 }
1370
1371 /*
1372 * Too large for interface; fragment if possible.
1373 * Must be able to put at least 8 bytes per fragment.
1374 */
1375 ip_off = ip->ip_off;
1376 if (ip_off & IP_DF) {
1377 error = EMSGSIZE;
1378 goto bad;
1379 }
1380 len = (ifp->if_mtu - hlen) &~ 7;
1381 if (len < 8) {
1382 error = EMSGSIZE;
1383 goto bad;
1384 }
1385
1386 {
1387 int mhlen, firstlen = len;
1388 struct mbuf **mnext = &m->m_act;
1389
1390 /*
1391 * Loop through length of segment after first fragment,
1392 * make new header and copy data of each part and link onto chain.
1393 */
1394 m0 = m;
1395 mhlen = sizeof (struct ip);
1396 for (off = hlen + len; off < ip->ip_len; off += len) {
1397 # ifdef MGETHDR
1398 MGETHDR(m, M_DONTWAIT, MT_HEADER);
1399 # else
1400 MGET(m, M_DONTWAIT, MT_HEADER);
1401 # endif
1402 if (m == 0) {
1403 m = m0;
1404 error = ENOBUFS;
1405 goto bad;
1406 }
1407 m->m_data += max_linkhdr;
1408 mhip = mtod(m, struct ip *);
1409 bcopy((char *)ip, (char *)mhip, sizeof(*ip));
1410 #ifdef INET
1411 if (hlen > sizeof (struct ip)) {
1412 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
1413 IP_HL_A(mhip, mhlen >> 2);
1414 }
1415 #endif
1416 m->m_len = mhlen;
1417 mhip->ip_off = ((off - hlen) >> 3) + ip_off;
1418 if (off + len >= ip->ip_len)
1419 len = ip->ip_len - off;
1420 else
1421 mhip->ip_off |= IP_MF;
1422 mhip->ip_len = htons((u_short)(len + mhlen));
1423 m->m_next = m_copy(m0, off, len);
1424 if (m->m_next == 0) {
1425 error = ENOBUFS; /* ??? */
1426 goto sendorfree;
1427 }
1428 m->m_pkthdr.len = mhlen + len;
1429 m->m_pkthdr.rcvif = NULL;
1430 mhip->ip_off = htons((u_short)mhip->ip_off);
1431 mhip->ip_sum = 0;
1432 #ifdef INET
1433 mhip->ip_sum = in_cksum(m, mhlen);
1434 #endif
1435 *mnext = m;
1436 mnext = &m->m_act;
1437 }
1438 /*
1439 * Update first fragment by trimming what's been copied out
1440 * and updating header, then send each fragment (in order).
1441 */
1442 m_adj(m0, hlen + firstlen - ip->ip_len);
1443 ip->ip_len = htons((u_short)(hlen + firstlen));
1444 ip->ip_off = htons((u_short)IP_MF);
1445 ip->ip_sum = 0;
1446 #ifdef INET
1447 ip->ip_sum = in_cksum(m0, hlen);
1448 #endif
1449 sendorfree:
1450 for (m = m0; m; m = m0) {
1451 m0 = m->m_act;
1452 m->m_act = 0;
1453 # if __NetBSD_Version__ >= 499001100
1454 if (error == 0)
1455 error = (*ifp->if_output)(ifp, m, dst, rt);
1456 else
1457 FREE_MB_T(m);
1458 # else
1459 if (error == 0)
1460 error = (*ifp->if_output)(ifp, m,
1461 (struct sockaddr *)dst, rt);
1462 else
1463 FREE_MB_T(m);
1464 # endif
1465 }
1466 }
1467 done:
1468 if (!error)
1469 fr_frouteok[0]++;
1470 else
1471 fr_frouteok[1]++;
1472
1473 # if __NetBSD_Version__ >= 499001100
1474 rtcache_free(ro);
1475 # else
1476 if (rt != NULL) {
1477 RTFREE(((struct route *)ro)->ro_rt);
1478 }
1479 # endif
1480 *mpp = NULL;
1481 return error;
1482 bad:
1483 if (error == EMSGSIZE) {
1484 sifp = fin->fin_ifp;
1485 code = fin->fin_icode;
1486 fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
1487 fin->fin_ifp = ifp;
1488 (void) fr_send_icmp_err(ICMP_UNREACH, fin, 1);
1489 fin->fin_ifp = sifp;
1490 fin->fin_icode = code;
1491 }
1492 FREE_MB_T(m);
1493 goto done;
1494 #endif /* INET */
1495 }
1496
1497
1498 #if defined(USE_INET6)
1499 /*
1500 * This is the IPv6 specific fastroute code. It doesn't clean up the mbuf's
1501 * or ensure that it is an IPv6 packet that is being forwarded, those are
1502 * expected to be done by the called (ipfr_fastroute).
1503 */
1504 static int ipfr_fastroute6(m0, mpp, fin, fdp)
1505 struct mbuf *m0, **mpp;
1506 fr_info_t *fin;
1507 frdest_t *fdp;
1508 {
1509 # if __NetBSD_Version__ >= 499001100
1510 struct route ip6route;
1511 const struct sockaddr *dst;
1512 union {
1513 struct sockaddr dst;
1514 struct sockaddr_in6 dst6;
1515 } u;
1516 struct route *ro;
1517 # else
1518 struct route_in6 ip6route;
1519 struct sockaddr_in6 *dst6;
1520 struct route_in6 *ro;
1521 # endif
1522 struct rtentry *rt;
1523 struct ifnet *ifp;
1524 frentry_t *fr;
1525 u_long mtu;
1526 int error;
1527
1528 error = 0;
1529 ro = &ip6route;
1530 fr = fin->fin_fr;
1531
1532 if (fdp != NULL)
1533 ifp = fdp->fd_ifp;
1534 else
1535 ifp = fin->fin_ifp;
1536 memset(ro, 0, sizeof(*ro));
1537 # if __NetBSD_Version__ >= 499001100
1538 if (fdp != NULL && IP6_NOTZERO(&fdp->fd_ip6))
1539 sockaddr_in6_init(&u.dst6, &fdp->fd_ip6.in6, 0, 0, 0);
1540 else
1541 sockaddr_in6_init(&u.dst6, &fin->fin_fi.fi_dst.in6, 0, 0, 0);
1542 dst = &u.dst;
1543 rtcache_setdst(ro, dst);
1544 rt = rtcache_init(ro);
1545 # else
1546 dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
1547 dst6->sin6_family = AF_INET6;
1548 dst6->sin6_len = sizeof(struct sockaddr_in6);
1549 dst6->sin6_addr = fin->fin_fi.fi_dst.in6;
1550
1551 if (fdp != NULL) {
1552 if (IP6_NOTZERO(&fdp->fd_ip6))
1553 dst6->sin6_addr = fdp->fd_ip6.in6;
1554 }
1555
1556 rtalloc((struct route *)ro);
1557 rt = ro->ro_rt;
1558 # endif
1559
1560 if ((ifp == NULL) && (rt != NULL))
1561 ifp = rt->rt_ifp;
1562
1563 if ((rt == NULL) || (ifp == NULL)) {
1564 error = EHOSTUNREACH;
1565 goto bad;
1566 }
1567
1568 /* KAME */
1569 # if __NetBSD_Version__ >= 499001100
1570 if (IN6_IS_ADDR_LINKLOCAL(&u.dst6.sin6_addr))
1571 u.dst6.sin6_addr.s6_addr16[1] = htons(ifp->if_index);
1572 # else
1573 if (IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr))
1574 dst6->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
1575 # endif
1576
1577 {
1578 # if (__NetBSD_Version__ >= 106010000)
1579 # if (__NetBSD_Version__ >= 399001400)
1580 struct in6_ifextra *ife;
1581 # else
1582 struct in6_addr finaldst = fin->fin_dst6;
1583 int frag;
1584 # endif
1585 # endif
1586 if (rt->rt_flags & RTF_GATEWAY) {
1587 # if __NetBSD_Version__ >= 499001100
1588 dst = rt->rt_gateway;
1589 # else
1590 dst6 = (struct sockaddr_in6 *)rt->rt_gateway;
1591 # endif
1592 }
1593 rt->rt_use++;
1594
1595 /* Determine path MTU. */
1596 # if (__NetBSD_Version__ <= 106009999)
1597 mtu = nd_ifinfo[ifp->if_index].linkmtu;
1598 # else
1599 # if (__NetBSD_Version__ >= 399001400)
1600 ife = (struct in6_ifextra *)(ifp)->if_afdata[AF_INET6];
1601 mtu = ife->nd_ifinfo[ifp->if_index].linkmtu;
1602 # else
1603 error = ip6_getpmtu(ro, ro, ifp, &finaldst, &mtu, &frag);
1604 # endif
1605 # endif
1606 if ((error == 0) && (m0->m_pkthdr.len <= mtu)) {
1607 # if __NetBSD_Version__ >= 499001100
1608 error = nd6_output(ifp, ifp, m0, satocsin6(dst), rt);
1609 # else
1610 error = nd6_output(ifp, ifp, m0, dst6, rt);
1611 # endif
1612 *mpp = NULL;
1613 } else {
1614 error = EMSGSIZE;
1615 }
1616 }
1617 bad:
1618 # if __NetBSD_Version__ >= 499001100
1619 rtcache_free(ro);
1620 # else
1621 if (rt != NULL) {
1622 RTFREE(rt);
1623 }
1624 # endif
1625 return error;
1626 }
1627 #endif /* INET6 */
1628
1629
1630 int fr_verifysrc(fin)
1631 fr_info_t *fin;
1632 {
1633 #if __NetBSD_Version__ >= 499001100
1634 struct rtentry *rt;
1635 union {
1636 struct sockaddr dst;
1637 struct sockaddr_in dst4;
1638 } u;
1639 #else
1640 struct sockaddr_in *dst;
1641 #endif
1642 struct route iproute;
1643 int rc;
1644
1645 #if __NetBSD_Version__ >= 499001100
1646 sockaddr_in_init(&u.dst4, &fin->fin_src, 0);
1647 rtcache_setdst(&iproute, &u.dst);
1648 rt = rtcache_init(&iproute);
1649 if (rt == NULL)
1650 rc = 0;
1651 else
1652 rc = (fin->fin_ifp == rt->rt_ifp);
1653 rtcache_free(&iproute);
1654 #else
1655 dst = (struct sockaddr_in *)&iproute.ro_dst;
1656 dst->sin_len = sizeof(*dst);
1657 dst->sin_family = AF_INET;
1658 dst->sin_addr = fin->fin_src;
1659 rtalloc(&iproute);
1660 if (iproute.ro_rt == NULL)
1661 return 0;
1662 rc = (fin->fin_ifp == iproute.ro_rt->rt_ifp);
1663 RTFREE(iproute.ro_rt);
1664 #endif
1665 return rc;
1666 }
1667
1668
1669 /*
1670 * return the first IP Address associated with an interface
1671 */
1672 int fr_ifpaddr(v, atype, ifptr, inp, inpmask)
1673 int v, atype;
1674 void *ifptr;
1675 struct in_addr *inp, *inpmask;
1676 {
1677 #ifdef USE_INET6
1678 struct in6_addr *inp6 = NULL;
1679 #endif
1680 struct sockaddr *sock, *mask;
1681 struct sockaddr_in *sin;
1682 struct ifaddr *ifa;
1683 struct ifnet *ifp;
1684
1685 if ((ifptr == NULL) || (ifptr == (void *)-1))
1686 return -1;
1687
1688 ifp = ifptr;
1689 mask = NULL;
1690
1691 if (v == 4)
1692 inp->s_addr = 0;
1693 #ifdef USE_INET6
1694 else if (v == 6)
1695 bzero((char *)inp, sizeof(struct in6_addr));
1696 #endif
1697
1698 ifa = IFADDR_FIRST(ifp);
1699 sock = ifa ? ifa->ifa_addr : NULL;
1700 while (sock != NULL && ifa != NULL) {
1701 sin = (struct sockaddr_in *)sock;
1702 if ((v == 4) && (sin->sin_family == AF_INET))
1703 break;
1704 #ifdef USE_INET6
1705 if ((v == 6) && (sin->sin_family == AF_INET6)) {
1706 inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
1707 if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
1708 !IN6_IS_ADDR_LOOPBACK(inp6))
1709 break;
1710 }
1711 #endif
1712 ifa = IFADDR_NEXT(ifa);
1713 if (ifa != NULL)
1714 sock = ifa->ifa_addr;
1715 }
1716 if (ifa == NULL || sock == NULL)
1717 return -1;
1718
1719 mask = ifa->ifa_netmask;
1720 if (atype == FRI_BROADCAST)
1721 sock = ifa->ifa_broadaddr;
1722 else if (atype == FRI_PEERADDR)
1723 sock = ifa->ifa_dstaddr;
1724
1725 #ifdef USE_INET6
1726 if (v == 6)
1727 return fr_ifpfillv6addr(atype, (struct sockaddr_in6 *)sock,
1728 (struct sockaddr_in6 *)mask,
1729 inp, inpmask);
1730 #endif
1731 return fr_ifpfillv4addr(atype, (struct sockaddr_in *)sock,
1732 (struct sockaddr_in *)mask, inp, inpmask);
1733 }
1734
1735
1736 u_32_t fr_newisn(fin)
1737 fr_info_t *fin;
1738 {
1739 #if __NetBSD_Version__ >= 105190000 /* 1.5T */
1740 size_t asz;
1741
1742 if (fin->fin_v == 4)
1743 asz = sizeof(struct in_addr);
1744 else if (fin->fin_v == 6)
1745 asz = sizeof(fin->fin_src);
1746 else /* XXX: no way to return error */
1747 return 0;
1748 #ifdef INET
1749 return tcp_new_iss1((void *)&fin->fin_src, (void *)&fin->fin_dst,
1750 fin->fin_sport, fin->fin_dport, asz, 0);
1751 #else
1752 return ENOSYS;
1753 #endif
1754 #else
1755 static int iss_seq_off = 0;
1756 u_char hash[16];
1757 u_32_t newiss;
1758 MD5_CTX ctx;
1759
1760 /*
1761 * Compute the base value of the ISS. It is a hash
1762 * of (saddr, sport, daddr, dport, secret).
1763 */
1764 MD5Init(&ctx);
1765
1766 MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_src,
1767 sizeof(fin->fin_fi.fi_src));
1768 MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_dst,
1769 sizeof(fin->fin_fi.fi_dst));
1770 MD5Update(&ctx, (u_char *) &fin->fin_dat, sizeof(fin->fin_dat));
1771
1772 MD5Update(&ctx, ipf_iss_secret, sizeof(ipf_iss_secret));
1773
1774 MD5Final(hash, &ctx);
1775
1776 memcpy(&newiss, hash, sizeof(newiss));
1777
1778 /*
1779 * Now increment our "timer", and add it in to
1780 * the computed value.
1781 *
1782 * XXX Use `addin'?
1783 * XXX TCP_ISSINCR too large to use?
1784 */
1785 iss_seq_off += 0x00010000;
1786 newiss += iss_seq_off;
1787 return newiss;
1788 #endif
1789 }
1790
1791
1792 /* ------------------------------------------------------------------------ */
1793 /* Function: fr_nextipid */
1794 /* Returns: int - 0 == success, -1 == error (packet should be droppped) */
1795 /* Parameters: fin(I) - pointer to packet information */
1796 /* */
1797 /* Returns the next IPv4 ID to use for this packet. */
1798 /* ------------------------------------------------------------------------ */
1799 u_short fr_nextipid(fr_info_t *fin)
1800 {
1801 static u_short ipid = 0;
1802 u_short id;
1803
1804 MUTEX_ENTER(&ipf_rw);
1805 id = ipid++;
1806 MUTEX_EXIT(&ipf_rw);
1807
1808 return id;
1809 }
1810
1811
1812 INLINE void fr_checkv4sum(fin)
1813 fr_info_t *fin;
1814 {
1815 #ifdef M_CSUM_TCP_UDP_BAD
1816 int manual, pflag, cflags, active;
1817 mb_t *m;
1818
1819 if ((fin->fin_flx & FI_NOCKSUM) != 0)
1820 return;
1821
1822 if (fin->fin_cksum != 0)
1823 return;
1824
1825 manual = 0;
1826 m = fin->fin_m;
1827 if (m == NULL) {
1828 manual = 1;
1829 goto skipauto;
1830 }
1831
1832 switch (fin->fin_p)
1833 {
1834 case IPPROTO_UDP :
1835 pflag = M_CSUM_UDPv4;
1836 break;
1837 case IPPROTO_TCP :
1838 pflag = M_CSUM_TCPv4;
1839 break;
1840 default :
1841 pflag = 0;
1842 manual = 1;
1843 break;
1844 }
1845
1846 active = ((struct ifnet *)fin->fin_ifp)->if_csum_flags_rx & pflag;
1847 active |= M_CSUM_TCP_UDP_BAD | M_CSUM_DATA;
1848 cflags = m->m_pkthdr.csum_flags & active;
1849
1850 if (pflag != 0) {
1851 if (cflags == (pflag | M_CSUM_TCP_UDP_BAD)) {
1852 fin->fin_flx |= FI_BAD;
1853 fin->fin_cksum = -1;
1854 } else if (cflags == (pflag | M_CSUM_DATA)) {
1855 if ((m->m_pkthdr.csum_data ^ 0xffff) != 0) {
1856 fin->fin_flx |= FI_BAD;
1857 fin->fin_cksum = -1;
1858 } else {
1859 fin->fin_cksum = 1;
1860 }
1861 } else if (cflags == pflag) {
1862 fin->fin_cksum = 1;
1863 ;
1864 } else {
1865 manual = 1;
1866 }
1867 }
1868 skipauto:
1869 # ifdef IPFILTER_CKSUM
1870 if (manual != 0)
1871 if (fr_checkl4sum(fin) == -1)
1872 fin->fin_flx |= FI_BAD;
1873 # else
1874 ;
1875 # endif
1876 #else
1877 # ifdef IPFILTER_CKSUM
1878 if (fr_checkl4sum(fin) == -1)
1879 fin->fin_flx |= FI_BAD;
1880 # endif
1881 #endif
1882 }
1883
1884
1885 #ifdef USE_INET6
1886 INLINE void fr_checkv6sum(fin)
1887 fr_info_t *fin;
1888 {
1889 # ifdef M_CSUM_TCP_UDP_BAD
1890 int manual, pflag, cflags, active;
1891 mb_t *m;
1892
1893 if ((fin->fin_flx & FI_NOCKSUM) != 0)
1894 return;
1895
1896 manual = 0;
1897 m = fin->fin_m;
1898
1899 switch (fin->fin_p)
1900 {
1901 case IPPROTO_UDP :
1902 pflag = M_CSUM_UDPv6;
1903 break;
1904 case IPPROTO_TCP :
1905 pflag = M_CSUM_TCPv6;
1906 break;
1907 default :
1908 pflag = 0;
1909 manual = 1;
1910 break;
1911 }
1912
1913 active = ((struct ifnet *)fin->fin_ifp)->if_csum_flags_rx & pflag;
1914 active |= M_CSUM_TCP_UDP_BAD | M_CSUM_DATA;
1915 cflags = m->m_pkthdr.csum_flags & active;
1916
1917 if (pflag != 0) {
1918 if (cflags == (pflag | M_CSUM_TCP_UDP_BAD)) {
1919 fin->fin_flx |= FI_BAD;
1920 } else if (cflags == (pflag | M_CSUM_DATA)) {
1921 if ((m->m_pkthdr.csum_data ^ 0xffff) != 0)
1922 fin->fin_flx |= FI_BAD;
1923 } else if (cflags == pflag) {
1924 ;
1925 } else {
1926 manual = 1;
1927 }
1928 }
1929 # ifdef IPFILTER_CKSUM
1930 if (manual != 0)
1931 if (fr_checkl4sum(fin) == -1)
1932 fin->fin_flx |= FI_BAD;
1933 # endif
1934 # else
1935 # ifdef IPFILTER_CKSUM
1936 if (fr_checkl4sum(fin) == -1)
1937 fin->fin_flx |= FI_BAD;
1938 # endif
1939 # endif
1940 }
1941 #endif /* USE_INET6 */
1942
1943
1944 size_t mbufchainlen(m0)
1945 struct mbuf *m0;
1946 {
1947 size_t len;
1948
1949 if ((m0->m_flags & M_PKTHDR) != 0) {
1950 len = m0->m_pkthdr.len;
1951 } else {
1952 struct mbuf *m;
1953
1954 for (m = m0, len = 0; m != NULL; m = m->m_next)
1955 len += m->m_len;
1956 }
1957 return len;
1958 }
1959
1960
1961 /* ------------------------------------------------------------------------ */
1962 /* Function: fr_pullup */
1963 /* Returns: NULL == pullup failed, else pointer to protocol header */
1964 /* Parameters: m(I) - pointer to buffer where data packet starts */
1965 /* fin(I) - pointer to packet information */
1966 /* len(I) - number of bytes to pullup */
1967 /* */
1968 /* Attempt to move at least len bytes (from the start of the buffer) into a */
1969 /* single buffer for ease of access. Operating system native functions are */
1970 /* used to manage buffers - if necessary. If the entire packet ends up in */
1971 /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */
1972 /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */
1973 /* and ONLY if the pullup succeeds. */
1974 /* */
1975 /* We assume that 'xmin' is a pointer to a buffer that is part of the chain */
1976 /* of buffers that starts at *fin->fin_mp. */
1977 /* ------------------------------------------------------------------------ */
1978 void *fr_pullup(xmin, fin, len)
1979 mb_t *xmin;
1980 fr_info_t *fin;
1981 int len;
1982 {
1983 int out = fin->fin_out, dpoff, ipoff;
1984 mb_t *m = xmin;
1985 char *ip;
1986
1987 if (m == NULL)
1988 return NULL;
1989
1990 ip = (char *)fin->fin_ip;
1991 if ((fin->fin_flx & FI_COALESCE) != 0)
1992 return ip;
1993
1994 ipoff = fin->fin_ipoff;
1995 if (fin->fin_dp != NULL)
1996 dpoff = (char *)fin->fin_dp - (char *)ip;
1997 else
1998 dpoff = 0;
1999
2000 if (M_LEN(m) < len) {
2001 mb_t *n = *fin->fin_mp;
2002 /*
2003 * Assume that M_PKTHDR is set and just work with what is left
2004 * rather than check..
2005 * Should not make any real difference, anyway.
2006 */
2007 if (m != n) {
2008 /*
2009 * Record the mbuf that points to the mbuf that we're
2010 * about to go to work on so that we can update the
2011 * m_next appropriately later.
2012 */
2013 for (; n->m_next != m; n = n->m_next)
2014 ;
2015 } else {
2016 n = NULL;
2017 }
2018
2019 #ifdef MHLEN
2020 if (len > MHLEN)
2021 #else
2022 if (len > MLEN)
2023 #endif
2024 {
2025 #ifdef HAVE_M_PULLDOWN
2026 if (m_pulldown(m, 0, len, NULL) == NULL)
2027 m = NULL;
2028 #else
2029 FREE_MB_T(*fin->fin_mp);
2030 m = NULL;
2031 n = NULL;
2032 #endif
2033 } else
2034 {
2035 m = m_pullup(m, len);
2036 }
2037 if (n != NULL)
2038 n->m_next = m;
2039 if (m == NULL) {
2040 /*
2041 * When n is non-NULL, it indicates that m pointed to
2042 * a sub-chain (tail) of the mbuf and that the head
2043 * of this chain has not yet been free'd.
2044 */
2045 if (n != NULL) {
2046 FREE_MB_T(*fin->fin_mp);
2047 }
2048
2049 *fin->fin_mp = NULL;
2050 fin->fin_m = NULL;
2051 ATOMIC_INCL(frstats[out].fr_pull[1]);
2052 return NULL;
2053 }
2054
2055 if (n == NULL)
2056 *fin->fin_mp = m;
2057
2058 while (M_LEN(m) == 0) {
2059 m = m->m_next;
2060 }
2061 fin->fin_m = m;
2062 ip = MTOD(m, char *) + ipoff;
2063
2064 ATOMIC_INCL(frstats[out].fr_pull[0]);
2065 fin->fin_ip = (ip_t *)ip;
2066 if (fin->fin_dp != NULL)
2067 fin->fin_dp = (char *)fin->fin_ip + dpoff;
2068 }
2069
2070 if (len == fin->fin_plen)
2071 fin->fin_flx |= FI_COALESCE;
2072 return ip;
2073 }
2074
2075
2076 int iplpoll(dev, events, p)
2077 dev_t dev;
2078 int events;
2079 #if (__NetBSD_Version__ >= 399001400)
2080 struct lwp *p;
2081 #else
2082 struct proc *p;
2083 #endif
2084 {
2085 u_int unit = GET_MINOR(dev);
2086 int revents = 0;
2087
2088 if (IPL_LOGMAX < unit)
2089 return ENXIO;
2090
2091 switch (unit)
2092 {
2093 case IPL_LOGIPF :
2094 case IPL_LOGNAT :
2095 case IPL_LOGSTATE :
2096 #ifdef IPFILTER_LOG
2097 if ((events & (POLLIN | POLLRDNORM)) && ipflog_canread(unit))
2098 revents |= events & (POLLIN | POLLRDNORM);
2099 #endif
2100 break;
2101 case IPL_LOGAUTH :
2102 if ((events & (POLLIN | POLLRDNORM)) && fr_auth_waiting())
2103 revents |= events & (POLLIN | POLLRDNORM);
2104 break;
2105 case IPL_LOGSYNC :
2106 #ifdef IPFILTER_SYNC
2107 if ((events & (POLLIN | POLLRDNORM)) && ipfsync_canread())
2108 revents |= events & (POLLIN | POLLRDNORM);
2109 if ((events & (POLLOUT | POLLWRNORM)) && ipfsync_canwrite())
2110 revents |= events & (POLLOUT | POLLOUTNORM);
2111 #endif
2112 break;
2113 case IPL_LOGSCAN :
2114 case IPL_LOGLOOKUP :
2115 default :
2116 break;
2117 }
2118
2119 if ((revents == 0) && ((events & (POLLIN|POLLRDNORM)) != 0))
2120 selrecord(p, &ipfselwait[unit]);
2121 return revents;
2122 }
2123
2124
2125 int ipf_inject(fin, m)
2126 fr_info_t *fin;
2127 mb_t *m;
2128 {
2129 int error;
2130
2131 if (fin->fin_out == 0) {
2132 struct ifqueue *ifq;
2133
2134 ifq = &ipintrq;
2135
2136 if (IF_QFULL(ifq)) {
2137 IF_DROP(ifq);
2138 FREE_MB_T(m);
2139 error = ENOBUFS;
2140 } else {
2141 IF_ENQUEUE(ifq, m);
2142 error = 0;
2143 }
2144 } else {
2145 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
2146 }
2147
2148 return error;
2149 }
NetBSD on the FriendlyARM MINI2440