search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
8322 nl: misleading-indentation
[unleashed/tickless.git] / usr / src / uts / common / inet / ipf / ip_proxy.c
blobe3d990ffd1bc886ded385f103024f6d95e88d846
1 /*
2 * Copyright (C) 1997-2003 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
7 * Use is subject to license terms.
8 */
9
10 #if defined(KERNEL) || defined(_KERNEL)
11 # undef KERNEL
12 # undef _KERNEL
13 # define KERNEL 1
14 # define _KERNEL 1
15 #endif
16 #include <sys/errno.h>
17 #include <sys/types.h>
18 #include <sys/param.h>
19 #include <sys/time.h>
20 #include <sys/file.h>
21 #if !defined(AIX)
22 # include <sys/fcntl.h>
23 #endif
24 #if !defined(_KERNEL) && !defined(__KERNEL__)
25 # include <stdio.h>
26 # include <string.h>
27 # include <stdlib.h>
28 # include <ctype.h>
29 # define _KERNEL
30 # ifdef __OpenBSD__
31 struct file;
32 # endif
33 # include <sys/uio.h>
34 # undef _KERNEL
35 #endif
36 #if !defined(linux)
37 # include <sys/protosw.h>
38 #endif
39 #include <sys/socket.h>
40 #if defined(_KERNEL)
41 # if !defined(__NetBSD__) && !defined(sun) && !defined(__osf__) && \
42 !defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi) && \
43 !defined(AIX)
44 # include <sys/ctype.h>
45 # endif
46 # include <sys/systm.h>
47 # if !defined(__SVR4) && !defined(__svr4__)
48 # include <sys/mbuf.h>
49 # endif
50 #endif
51 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
52 # include <sys/filio.h>
53 # include <sys/fcntl.h>
54 # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
55 # include "opt_ipfilter.h"
56 # endif
57 #else
58 # include <sys/ioctl.h>
59 #endif
60 #if defined(__SVR4) || defined(__svr4__)
61 # include <sys/byteorder.h>
62 # ifdef _KERNEL
63 # include <sys/dditypes.h>
64 # include <sys/strsubr.h>
65 # endif
66 # include <sys/stream.h>
67 # include <sys/kmem.h>
68 # include <sys/pattr.h>
69 #endif
70 #if __FreeBSD__ > 2
71 # include <sys/queue.h>
72 #endif
73 #include <net/if.h>
74 #ifdef sun
75 # include <net/af.h>
76 #endif
77 #include <net/route.h>
78 #include <netinet/in.h>
79 #include <netinet/in_systm.h>
80 #include <netinet/ip.h>
81 #ifndef linux
82 # include <netinet/ip_var.h>
83 #endif
84 #include <netinet/tcp.h>
85 #include <netinet/udp.h>
86 #include <netinet/ip_icmp.h>
87 #include "netinet/ip_compat.h"
88 #include <netinet/tcpip.h>
89 #include "netinet/ipf_stack.h"
90 #include "netinet/ip_fil.h"
91 #include "netinet/ip_nat.h"
92 #include "netinet/ip_state.h"
93 #include "netinet/ip_proxy.h"
94 #if (__FreeBSD_version >= 300000)
95 # include <sys/malloc.h>
96 #endif
97
98 #include "netinet/ip_ftp_pxy.c"
99 #include "netinet/ip_rcmd_pxy.c"
100 # include "netinet/ip_pptp_pxy.c"
101 #if defined(_KERNEL)
102 # include "netinet/ip_irc_pxy.c"
103 # include "netinet/ip_raudio_pxy.c"
104 # include "netinet/ip_h323_pxy.c"
105 # include "netinet/ip_netbios_pxy.c"
106 #endif
107 #include "netinet/ip_ipsec_pxy.c"
108 #include "netinet/ip_rpcb_pxy.c"
109
110 /* END OF INCLUDES */
111
112 #if !defined(lint)
113 static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.62.2.14 2005/06/18 02:41:33 darrenr Exp $";
114 #endif
115
116 static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
117
118 #define AP_SESS_SIZE 53
119
120 #if defined(_KERNEL)
121 int ipf_proxy_debug = 0;
122 #else
123 int ipf_proxy_debug = 2;
124 #endif
125
126 static aproxy_t lcl_ap_proxies[] = {
127 #ifdef IPF_FTP_PROXY
128 { NULL, "ftp", (char)IPPROTO_TCP, 0, 0, NULL, ippr_ftp_init, ippr_ftp_fini,
129 ippr_ftp_new, NULL, ippr_ftp_in, ippr_ftp_out, NULL },
130 #endif
131 #ifdef IPF_IRC_PROXY
132 { NULL, "irc", (char)IPPROTO_TCP, 0, 0, NULL, ippr_irc_init, ippr_irc_fini,
133 ippr_irc_new, NULL, NULL, ippr_irc_out, NULL, NULL },
134 #endif
135 #ifdef IPF_RCMD_PROXY
136 { NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, NULL, ippr_rcmd_init, ippr_rcmd_fini,
137 ippr_rcmd_new, NULL, ippr_rcmd_in, ippr_rcmd_out, NULL, NULL },
138 #endif
139 #ifdef IPF_RAUDIO_PROXY
140 { NULL, "raudio", (char)IPPROTO_TCP, 0, 0, NULL, ippr_raudio_init, ippr_raudio_fini,
141 ippr_raudio_new, NULL, ippr_raudio_in, ippr_raudio_out, NULL, NULL },
142 #endif
143 #ifdef IPF_MSNRPC_PROXY
144 { NULL, "msnrpc", (char)IPPROTO_TCP, 0, 0, NULL, ippr_msnrpc_init, ippr_msnrpc_fini,
145 ippr_msnrpc_new, NULL, ippr_msnrpc_in, ippr_msnrpc_out, NULL, NULL },
146 #endif
147 #ifdef IPF_NETBIOS_PROXY
148 { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, NULL, ippr_netbios_init, ippr_netbios_fini,
149 NULL, NULL, NULL, ippr_netbios_out, NULL, NULL },
150 #endif
151 #ifdef IPF_IPSEC_PROXY
152 { NULL, "ipsec", (char)IPPROTO_UDP, 0, 0, NULL,
153 ippr_ipsec_init, ippr_ipsec_fini, ippr_ipsec_new, ippr_ipsec_del,
154 ippr_ipsec_inout, ippr_ipsec_inout, ippr_ipsec_match, NULL },
155 #endif
156 #ifdef IPF_PPTP_PROXY
157 { NULL, "pptp", (char)IPPROTO_TCP, 0, 0, NULL,
158 ippr_pptp_init, ippr_pptp_fini, ippr_pptp_new, ippr_pptp_del,
159 ippr_pptp_inout, ippr_pptp_inout, NULL, NULL },
160 #endif
161 #ifdef IPF_H323_PROXY
162 { NULL, "h323", (char)IPPROTO_TCP, 0, 0, NULL, ippr_h323_init, ippr_h323_fini,
163 ippr_h323_new, ippr_h323_del, ippr_h323_in, NULL, NULL },
164 { NULL, "h245", (char)IPPROTO_TCP, 0, 0, NULL, NULL, NULL,
165 ippr_h245_new, NULL, NULL, ippr_h245_out, NULL },
166 #endif
167 #ifdef IPF_RPCB_PROXY
168 # if 0
169 { NULL, "rpcbt", (char)IPPROTO_TCP, 0, 0, NULL,
170 ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del,
171 ippr_rpcb_in, ippr_rpcb_out, NULL, NULL },
172 # endif
173 { NULL, "rpcbu", (char)IPPROTO_UDP, 0, 0, NULL,
174 ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del,
175 ippr_rpcb_in, ippr_rpcb_out, NULL, NULL },
176 #endif
177 { NULL, "", '\0', 0, 0, NULL, NULL, NULL, NULL, NULL }
178 };
179
180 /*
181 * Dynamically add a new kernel proxy. Ensure that it is unique in the
182 * collection compiled in and dynamically added.
183 */
184 int appr_add(ap, ifs)
185 aproxy_t *ap;
186 ipf_stack_t *ifs;
187 {
188 aproxy_t *a;
189
190 for (a = ifs->ifs_ap_proxies; a->apr_p; a++)
191 if ((a->apr_p == ap->apr_p) &&
192 !strncmp(a->apr_label, ap->apr_label,
193 sizeof(ap->apr_label))) {
194 if (ipf_proxy_debug > 1)
195 printf("appr_add: %s/%d already present (B)\n",
196 a->apr_label, a->apr_p);
197 return -1;
198 }
199
200 for (a = ifs->ifs_ap_proxylist; a->apr_p; a = a->apr_next)
201 if ((a->apr_p == ap->apr_p) &&
202 !strncmp(a->apr_label, ap->apr_label,
203 sizeof(ap->apr_label))) {
204 if (ipf_proxy_debug > 1)
205 printf("appr_add: %s/%d already present (D)\n",
206 a->apr_label, a->apr_p);
207 return -1;
208 }
209 ap->apr_next = ifs->ifs_ap_proxylist;
210 ifs->ifs_ap_proxylist = ap;
211 if (ap->apr_init != NULL)
212 return (*ap->apr_init)(&ap->apr_private, ifs);
213
214 return 0;
215 }
216
217
218 /*
219 * Check to see if the proxy this control request has come through for
220 * exists, and if it does and it has a control function then invoke that
221 * control function.
222 */
223 int appr_ctl(ctl, ifs)
224 ap_ctl_t *ctl;
225 ipf_stack_t *ifs;
226 {
227 aproxy_t *a;
228 int error;
229
230 a = appr_lookup(ctl->apc_p, ctl->apc_label, ifs);
231 if (a == NULL) {
232 if (ipf_proxy_debug > 1)
233 printf("appr_ctl: can't find %s/%d\n",
234 ctl->apc_label, ctl->apc_p);
235 error = ESRCH;
236 } else if (a->apr_ctl == NULL) {
237 if (ipf_proxy_debug > 1)
238 printf("appr_ctl: no ctl function for %s/%d\n",
239 ctl->apc_label, ctl->apc_p);
240 error = ENXIO;
241 } else {
242 error = (*a->apr_ctl)(a, ctl, a->apr_private);
243 if ((error != 0) && (ipf_proxy_debug > 1))
244 printf("appr_ctl: %s/%d ctl error %d\n",
245 a->apr_label, a->apr_p, error);
246 }
247 return error;
248 }
249
250
251 /*
252 * Delete a proxy that has been added dynamically from those available.
253 * If it is in use, return 1 (do not destroy NOW), not in use 0 or -1
254 * if it cannot be matched.
255 */
256 int appr_del(ap, ifs)
257 aproxy_t *ap;
258 ipf_stack_t *ifs;
259 {
260 aproxy_t *a, **app;
261
262 for (app = &ifs->ifs_ap_proxylist; ((a = *app) != NULL);
263 app = &a->apr_next)
264 if (a == ap) {
265 a->apr_flags |= APR_DELETE;
266 *app = a->apr_next;
267 if (ap->apr_ref != 0) {
268 if (ipf_proxy_debug > 2)
269 printf("appr_del: orphaning %s/%d\n",
270 ap->apr_label, ap->apr_p);
271 return 1;
272 }
273 return 0;
274 }
275 if (ipf_proxy_debug > 1)
276 printf("appr_del: proxy %lx not found\n", (u_long)ap);
277 return -1;
278 }
279
280
281 /*
282 * Return 1 if the packet is a good match against a proxy, else 0.
283 */
284 int appr_ok(fin, tcp, nat)
285 fr_info_t *fin;
286 tcphdr_t *tcp;
287 ipnat_t *nat;
288 {
289 aproxy_t *apr = nat->in_apr;
290 u_short dport = nat->in_dport;
291
292 if ((apr == NULL) || (apr->apr_flags & APR_DELETE) ||
293 (fin->fin_p != apr->apr_p))
294 return 0;
295 if ((tcp == NULL) && dport)
296 return 0;
297 return 1;
298 }
299
300
301 int appr_ioctl(data, cmd, mode, ifs)
302 caddr_t data;
303 ioctlcmd_t cmd;
304 int mode;
305 ipf_stack_t *ifs;
306 {
307 ap_ctl_t ctl;
308 caddr_t ptr;
309 int error;
310
311 mode = mode; /* LINT */
312
313 switch (cmd)
314 {
315 case SIOCPROXY :
316 error = BCOPYIN(data, &ctl, sizeof(ctl));
317 if (error != 0)
318 return EFAULT;
319
320 ptr = NULL;
321
322 if (ctl.apc_dsize > 0) {
323 KMALLOCS(ptr, caddr_t, ctl.apc_dsize);
324 if (ptr == NULL)
325 error = ENOMEM;
326 else {
327 error = copyinptr(ctl.apc_data, ptr,
328 ctl.apc_dsize);
329 if (error == 0)
330 ctl.apc_data = ptr;
331 }
332 } else {
333 ctl.apc_data = NULL;
334 error = 0;
335 }
336
337 if (error == 0)
338 error = appr_ctl(&ctl, ifs);
339
340 if ((ctl.apc_dsize > 0) && (ptr != NULL) &&
341 (ctl.apc_data == ptr)) {
342 KFREES(ptr, ctl.apc_dsize);
343 }
344 break;
345
346 default :
347 error = EINVAL;
348 }
349 return error;
350 }
351
352
353 /*
354 * If a proxy has a match function, call that to do extended packet
355 * matching.
356 */
357 int appr_match(fin, nat)
358 fr_info_t *fin;
359 nat_t *nat;
360 {
361 aproxy_t *apr;
362 ipnat_t *ipn;
363 int result;
364
365 ipn = nat->nat_ptr;
366 if (ipf_proxy_debug > 8)
367 printf("appr_match(%lx,%lx) aps %lx ptr %lx\n",
368 (u_long)fin, (u_long)nat, (u_long)nat->nat_aps,
369 (u_long)ipn);
370
371 if ((fin->fin_flx & (FI_SHORT|FI_BAD)) != 0) {
372 if (ipf_proxy_debug > 0)
373 printf("appr_match: flx 0x%x (BAD|SHORT)\n",
374 fin->fin_flx);
375 return -1;
376 }
377
378 apr = ipn->in_apr;
379 if ((apr == NULL) || (apr->apr_flags & APR_DELETE)) {
380 if (ipf_proxy_debug > 0)
381 printf("appr_match:apr %lx apr_flags 0x%x\n",
382 (u_long)apr, apr ? apr->apr_flags : 0);
383 return -1;
384 }
385
386 if (apr->apr_match != NULL) {
387 result = (*apr->apr_match)(fin, nat->nat_aps, nat, apr->apr_private);
388 if (result != 0) {
389 if (ipf_proxy_debug > 4)
390 printf("appr_match: result %d\n", result);
391 return -1;
392 }
393 }
394 return 0;
395 }
396
397
398 /*
399 * Allocate a new application proxy structure and fill it in with the
400 * relevant details. call the init function once complete, prior to
401 * returning.
402 */
403 int appr_new(fin, nat)
404 fr_info_t *fin;
405 nat_t *nat;
406 {
407 register ap_session_t *aps;
408 aproxy_t *apr;
409 ipf_stack_t *ifs = fin->fin_ifs;
410
411 if (ipf_proxy_debug > 8)
412 printf("appr_new(%lx,%lx) \n", (u_long)fin, (u_long)nat);
413
414 if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL)) {
415 if (ipf_proxy_debug > 0)
416 printf("appr_new: nat_ptr %lx nat_aps %lx\n",
417 (u_long)nat->nat_ptr, (u_long)nat->nat_aps);
418 return -1;
419 }
420
421 apr = nat->nat_ptr->in_apr;
422
423 if ((apr->apr_flags & APR_DELETE) ||
424 (fin->fin_p != apr->apr_p)) {
425 if (ipf_proxy_debug > 2)
426 printf("appr_new: apr_flags 0x%x p %d/%d\n",
427 apr->apr_flags, fin->fin_p, apr->apr_p);
428 return -1;
429 }
430
431 KMALLOC(aps, ap_session_t *);
432 if (!aps) {
433 if (ipf_proxy_debug > 0)
434 printf("appr_new: malloc failed (%lu)\n",
435 (u_long)sizeof(ap_session_t));
436 return -1;
437 }
438
439 bzero((char *)aps, sizeof(*aps));
440 aps->aps_p = fin->fin_p;
441 aps->aps_data = NULL;
442 aps->aps_apr = apr;
443 aps->aps_psiz = 0;
444 if (apr->apr_new != NULL)
445 if ((*apr->apr_new)(fin, aps, nat, apr->apr_private) == -1) {
446 if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) {
447 KFREES(aps->aps_data, aps->aps_psiz);
448 }
449 KFREE(aps);
450 if (ipf_proxy_debug > 2)
451 printf("appr_new: new(%lx) failed\n",
452 (u_long)apr->apr_new);
453 return -1;
454 }
455 aps->aps_nat = nat;
456 aps->aps_next = ifs->ifs_ap_sess_list;
457 ifs->ifs_ap_sess_list = aps;
458 nat->nat_aps = aps;
459
460 return 0;
461 }
462
463
464 /*
465 * Check to see if a packet should be passed through an active proxy routine
466 * if one has been setup for it. We don't need to check the checksum here if
467 * IPFILTER_CKSUM is defined because if it is, a failed check causes FI_BAD
468 * to be set.
469 */
470 int appr_check(fin, nat)
471 fr_info_t *fin;
472 nat_t *nat;
473 {
474 #if defined(SOLARIS) && defined(_KERNEL) && (SOLARIS2 >= 6) && \
475 defined(ICK_VALID)
476 mb_t *m;
477 int dosum = 1;
478 #endif
479 tcphdr_t *tcp = NULL;
480 udphdr_t *udp = NULL;
481 void *tcpudp = NULL;
482 u_short *csump;
483 ap_session_t *aps;
484 aproxy_t *apr;
485 ip_t *ip;
486 short rv;
487 int err;
488 #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi)
489 u_32_t s1, s2, sd;
490 #endif
491 ipf_stack_t *ifs = fin->fin_ifs;
492
493 #if defined(SOLARIS) && defined(_KERNEL) && (SOLARIS2 >= 6)
494 net_handle_t net_data_p;
495 if (fin->fin_v == 4)
496 net_data_p = ifs->ifs_ipf_ipv4;
497 else
498 net_data_p = ifs->ifs_ipf_ipv6;
499 #endif
500
501 if (fin->fin_flx & FI_BAD) {
502 if (ipf_proxy_debug > 0)
503 printf("appr_check: flx 0x%x (BAD)\n", fin->fin_flx);
504 return -1;
505 }
506
507 #ifndef IPFILTER_CKSUM
508 if ((fin->fin_out == 0) && (fr_checkl4sum(fin) == -1)) {
509 if (ipf_proxy_debug > 0)
510 printf("appr_check: l4 checksum failure %d\n",
511 fin->fin_p);
512 if (fin->fin_p == IPPROTO_TCP)
513 ifs->ifs_frstats[fin->fin_out].fr_tcpbad++;
514 return -1;
515 }
516 #endif
517
518 aps = nat->nat_aps;
519 if ((aps != NULL) && (aps->aps_p == fin->fin_p)) {
520 /*
521 * If there is data in this packet to be proxied then try and
522 * get it all into the one buffer, else drop it.
523 */
524 #if defined(MENTAT) || defined(HAVE_M_PULLDOWN)
525 if ((fin->fin_dlen > 0) && !(fin->fin_flx & FI_COALESCE))
526 if (fr_coalesce(fin) == -1) {
527 if (ipf_proxy_debug > 0)
528 printf("appr_check: fr_coalesce failed %x\n", fin->fin_flx);
529 return -1;
530 }
531 #endif
532 ip = fin->fin_ip;
533
534 switch (fin->fin_p)
535 {
536 case IPPROTO_TCP :
537 tcp = (tcphdr_t *)fin->fin_dp;
538
539 #if defined(SOLARIS) && defined(_KERNEL) && (SOLARIS2 >= 6) && \
540 defined(ICK_VALID)
541 m = fin->fin_qfm;
542 if (dohwcksum && (m->b_ick_flag == ICK_VALID))
543 dosum = 0;
544 #endif
545 /*
546 * Don't bother the proxy with these...or in fact,
547 * should we free up proxy stuff when seen?
548 */
549 if ((fin->fin_tcpf & TH_RST) != 0)
550 break;
551 /*FALLTHROUGH*/
552 case IPPROTO_UDP :
553 udp = (udphdr_t *)fin->fin_dp;
554 break;
555 default :
556 break;
557 }
558
559 apr = aps->aps_apr;
560 err = 0;
561 if (fin->fin_out != 0) {
562 if (apr->apr_outpkt != NULL)
563 err = (*apr->apr_outpkt)(fin, aps, nat, apr->apr_private);
564 } else {
565 if (apr->apr_inpkt != NULL)
566 err = (*apr->apr_inpkt)(fin, aps, nat, apr->apr_private);
567 }
568
569 rv = APR_EXIT(err);
570 if (((ipf_proxy_debug > 0) && (rv != 0)) ||
571 (ipf_proxy_debug > 8))
572 printf("appr_check: out %d err %x rv %d\n",
573 fin->fin_out, err, rv);
574 if (rv == 1)
575 return -1;
576
577 if (rv == 2) {
578 appr_free(apr);
579 nat->nat_aps = NULL;
580 return -1;
581 }
582
583 /*
584 * If err != 0 then the data size of the packet has changed
585 * so we need to recalculate the header checksums for the
586 * packet.
587 * inbound packets always need to be adjusted.
588 */
589 #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi)
590 if (err != 0) {
591 short adjlen = err & 0xffff;
592
593 s1 = LONG_SUM(ip->ip_len - adjlen);
594 s2 = LONG_SUM(ip->ip_len);
595 CALC_SUMD(s1, s2, sd);
596 sd = (sd & 0xffff) + (sd >> 16);
597 if (!fin->fin_out ||
598 !NET_IS_HCK_L3_FULL(net_data_p, fin->fin_m))
599 fix_outcksum(&ip->ip_sum, sd);
600 }
601 #endif
602
603 /*
604 * For TCP packets, we may need to adjust the sequence and
605 * acknowledgement numbers to reflect changes in size of the
606 * data stream.
607 *
608 * For both TCP and UDP, recalculate the layer 4 checksum in
609 * software checksum case, as we can't tell if data has been
610 * changed or not.
611 */
612 if (tcp != NULL) {
613 tcpudp = tcp;
614 csump = &tcp->th_sum;
615 (void) appr_fixseqack(fin, ip, aps, APR_INC(err));
616 } else if (udp != NULL) {
617 tcpudp = udp;
618 csump = &udp->uh_sum;
619 }
620
621 if (tcpudp) {
622 #if defined(SOLARIS) && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(MENTAT)
623 if (!fin->fin_out) {
624 /*
625 * We are incapable of adjusting partial hcksum
626 * result for inbound packets here, as the
627 * partial hcksum calculation range might not
628 * cover the whole payload, and the payload data
629 * might be changed by proxy.
630 */
631 DB_CKSUMFLAGS(fin->fin_m) &= ~HCK_PARTIALCKSUM;
632
633 /* Inbound packets always need recalculation. */
634 *csump = fr_cksum(fin->fin_qfm, ip,
635 fin->fin_p, tcpudp);
636 } else if (NET_IS_HCK_L4_PART(net_data_p, fin->fin_m)) {
637 if (err != 0) {
638 DB_CKSUMEND(fin->fin_m) += (short)err;
639 fix_incksum(csump, sd);
640 }
641 } else if (!NET_IS_HCK_L4_FULL(net_data_p, fin->fin_m))
642 *csump = fr_cksum(fin->fin_qfm, ip,
643 fin->fin_p, tcpudp);
644 #else
645 *csump = fr_cksum(fin->fin_m, ip, fin->fin_p, tcpudp);
646 #endif
647 }
648 aps->aps_bytes += fin->fin_plen;
649 aps->aps_pkts++;
650 return 1;
651 }
652 return 0;
653 }
654
655
656 /*
657 * Search for an proxy by the protocol it is being used with and its name.
658 */
659 aproxy_t *appr_lookup(pr, name, ifs)
660 u_int pr;
661 char *name;
662 ipf_stack_t *ifs;
663 {
664 aproxy_t *ap;
665
666 if (ipf_proxy_debug > 8)
667 printf("appr_lookup(%d,%s)\n", pr, name);
668
669 for (ap = ifs->ifs_ap_proxies; ap->apr_p; ap++)
670 if ((ap->apr_p == pr) &&
671 !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
672 ap->apr_ref++;
673 return ap;
674 }
675
676 for (ap = ifs->ifs_ap_proxylist; ap; ap = ap->apr_next)
677 if ((ap->apr_p == pr) &&
678 !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
679 ap->apr_ref++;
680 return ap;
681 }
682 if (ipf_proxy_debug > 2)
683 printf("appr_lookup: failed for %d/%s\n", pr, name);
684 return NULL;
685 }
686
687
688 void appr_free(ap)
689 aproxy_t *ap;
690 {
691 ap->apr_ref--;
692 }
693
694
695 void aps_free(aps, ifs)
696 ap_session_t *aps;
697 ipf_stack_t *ifs;
698 {
699 ap_session_t *a, **ap;
700 aproxy_t *apr;
701
702 if (!aps)
703 return;
704
705 for (ap = &ifs->ifs_ap_sess_list; ((a = *ap) != NULL); ap = &a->aps_next)
706 if (a == aps) {
707 *ap = a->aps_next;
708 break;
709 }
710
711 apr = aps->aps_apr;
712 if ((apr != NULL) && (apr->apr_del != NULL))
713 (*apr->apr_del)(aps, apr->apr_private, ifs);
714
715 if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
716 KFREES(aps->aps_data, aps->aps_psiz);
717 KFREE(aps);
718 }
719
720
721 /*
722 * returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise
723 */
724 static int appr_fixseqack(fin, ip, aps, inc)
725 fr_info_t *fin;
726 ip_t *ip;
727 ap_session_t *aps;
728 int inc;
729 {
730 int sel, ch = 0, out, nlen;
731 u_32_t seq1, seq2;
732 tcphdr_t *tcp;
733 short inc2;
734
735 tcp = (tcphdr_t *)fin->fin_dp;
736 out = fin->fin_out;
737 /*
738 * ip_len has already been adjusted by 'inc'.
739 */
740 nlen = ip->ip_len;
741 nlen -= (IP_HL(ip) << 2) + (TCP_OFF(tcp) << 2);
742
743 inc2 = inc;
744 inc = (int)inc2;
745
746 if (out != 0) {
747 seq1 = (u_32_t)ntohl(tcp->th_seq);
748 sel = aps->aps_sel[out];
749
750 /* switch to other set ? */
751 if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
752 (seq1 > aps->aps_seqmin[!sel])) {
753 if (ipf_proxy_debug > 7)
754 printf("proxy out switch set seq %d -> %d %x > %x\n",
755 sel, !sel, seq1,
756 aps->aps_seqmin[!sel]);
757 sel = aps->aps_sel[out] = !sel;
758 }
759
760 if (aps->aps_seqoff[sel]) {
761 seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
762 if (seq1 > seq2) {
763 seq2 = aps->aps_seqoff[sel];
764 seq1 += seq2;
765 tcp->th_seq = htonl(seq1);
766 ch = 1;
767 }
768 }
769
770 if (inc && (seq1 > aps->aps_seqmin[!sel])) {
771 aps->aps_seqmin[sel] = seq1 + nlen - 1;
772 aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
773 if (ipf_proxy_debug > 7)
774 printf("proxy seq set %d at %x to %d + %d\n",
775 sel, aps->aps_seqmin[sel],
776 aps->aps_seqoff[sel], inc);
777 }
778
779 /***/
780
781 seq1 = ntohl(tcp->th_ack);
782 sel = aps->aps_sel[1 - out];
783
784 /* switch to other set ? */
785 if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
786 (seq1 > aps->aps_ackmin[!sel])) {
787 if (ipf_proxy_debug > 7)
788 printf("proxy out switch set ack %d -> %d %x > %x\n",
789 sel, !sel, seq1,
790 aps->aps_ackmin[!sel]);
791 sel = aps->aps_sel[1 - out] = !sel;
792 }
793
794 if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
795 seq2 = aps->aps_ackoff[sel];
796 tcp->th_ack = htonl(seq1 - seq2);
797 ch = 1;
798 }
799 } else {
800 seq1 = ntohl(tcp->th_seq);
801 sel = aps->aps_sel[out];
802
803 /* switch to other set ? */
804 if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
805 (seq1 > aps->aps_ackmin[!sel])) {
806 if (ipf_proxy_debug > 7)
807 printf("proxy in switch set ack %d -> %d %x > %x\n",
808 sel, !sel, seq1, aps->aps_ackmin[!sel]);
809 sel = aps->aps_sel[out] = !sel;
810 }
811
812 if (aps->aps_ackoff[sel]) {
813 seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel];
814 if (seq1 > seq2) {
815 seq2 = aps->aps_ackoff[sel];
816 seq1 += seq2;
817 tcp->th_seq = htonl(seq1);
818 ch = 1;
819 }
820 }
821
822 if (inc && (seq1 > aps->aps_ackmin[!sel])) {
823 aps->aps_ackmin[!sel] = seq1 + nlen - 1;
824 aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
825
826 if (ipf_proxy_debug > 7)
827 printf("proxy ack set %d at %x to %d + %d\n",
828 !sel, aps->aps_seqmin[!sel],
829 aps->aps_seqoff[sel], inc);
830 }
831
832 /***/
833
834 seq1 = ntohl(tcp->th_ack);
835 sel = aps->aps_sel[1 - out];
836
837 /* switch to other set ? */
838 if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
839 (seq1 > aps->aps_seqmin[!sel])) {
840 if (ipf_proxy_debug > 7)
841 printf("proxy in switch set seq %d -> %d %x > %x\n",
842 sel, !sel, seq1, aps->aps_seqmin[!sel]);
843 sel = aps->aps_sel[1 - out] = !sel;
844 }
845
846 if (aps->aps_seqoff[sel] != 0) {
847 if (ipf_proxy_debug > 7)
848 printf("sel %d seqoff %d seq1 %x seqmin %x\n",
849 sel, aps->aps_seqoff[sel], seq1,
850 aps->aps_seqmin[sel]);
851 if (seq1 > aps->aps_seqmin[sel]) {
852 seq2 = aps->aps_seqoff[sel];
853 tcp->th_ack = htonl(seq1 - seq2);
854 ch = 1;
855 }
856 }
857 }
858
859 if (ipf_proxy_debug > 8)
860 printf("appr_fixseqack: seq %x ack %x\n",
861 ntohl(tcp->th_seq), ntohl(tcp->th_ack));
862 return ch ? 2 : 0;
863 }
864
865
866 /*
867 * Initialise hook for kernel application proxies.
868 * Call the initialise routine for all the compiled in kernel proxies.
869 */
870 int appr_init(ifs)
871 ipf_stack_t *ifs;
872 {
873 aproxy_t *ap;
874 int err = 0;
875
876 /* Since the refcnt is used we make a copy of lcl_ap_proxies */
877 KMALLOCS(ifs->ifs_ap_proxies, aproxy_t *, sizeof (lcl_ap_proxies));
878 bcopy(lcl_ap_proxies, ifs->ifs_ap_proxies, sizeof (lcl_ap_proxies));
879
880 for (ap = ifs->ifs_ap_proxies; ap->apr_p; ap++) {
881 if (ap->apr_init != NULL) {
882 err = (*ap->apr_init)(&ap->apr_private, ifs);
883 if (err != 0)
884 break;
885 }
886 }
887 return 0;
888 }
889
890
891 /*
892 * Unload hook for kernel application proxies.
893 * Call the finialise routine for all the compiled in kernel proxies.
894 */
895 void appr_unload(ifs)
896 ipf_stack_t *ifs;
897 {
898 aproxy_t *ap;
899 if(ifs->ifs_ap_proxies == NULL)
900 return;
901
902 for (ap = ifs->ifs_ap_proxies; ap->apr_p; ap++)
903 if (ap->apr_fini != NULL)
904 (*ap->apr_fini)(&ap->apr_private, ifs);
905 for (ap = ifs->ifs_ap_proxylist; ap; ap = ap->apr_next)
906 if (ap->apr_fini != NULL)
907 (*ap->apr_fini)(&ap->apr_private, ifs);
908
909 KFREES(ifs->ifs_ap_proxies, sizeof (lcl_ap_proxies));
910 ifs->ifs_ap_proxies = NULL;
911 }
unleashed repo fork