![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to fil.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Apple XNU] / XNU / bsd / netinet|
Return to fil.c CVS log | Up to [Apple XNU] / XNU / bsd / netinet |
1.1 root 1: /*
2: * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
3: *
4: * @APPLE_LICENSE_HEADER_START@
5: *
6: * The contents of this file constitute Original Code as defined in and
7: * are subject to the Apple Public Source License Version 1.1 (the
8: * "License"). You may not use this file except in compliance with the
9: * License. Please obtain a copy of the License at
10: * http://www.apple.com/publicsource and read it before using this file.
11: *
12: * This Original Code and all software distributed under the License are
13: * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14: * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15: * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16: * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17: * License for the specific language governing rights and limitations
18: * under the License.
19: *
20: * @APPLE_LICENSE_HEADER_END@
21: */
22: /*
23: * Copyright (C) 1993-1997 by Darren Reed.
24: *
25: * Redistribution and use in source and binary forms are permitted
26: * provided that this notice is preserved and due credit is given
27: * to the original author and the contributors.
28: */
29: #if !defined(lint)
30: /* static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; */
31: #endif
32:
33: #include "opt_ipfilter.h"
34:
35: #include <sys/errno.h>
36: #include <sys/types.h>
37: #include <sys/param.h>
38: #include <sys/time.h>
39: #include <sys/file.h>
40: #if !defined(__FreeBSD__)
41: # include <sys/ioctl.h>
42: #endif
43:
44: # include <sys/systm.h>
45:
46: #include <sys/uio.h>
47: #if !defined(__SVR4) && !defined(__svr4__)
48: # ifndef linux
49: # include <sys/mbuf.h>
50: # endif
51: #else
52: # include <sys/byteorder.h>
53: # include <sys/dditypes.h>
54: # include <sys/stream.h>
55: #endif
56: #if defined(__FreeBSD__)
57: # include <sys/malloc.h>
58: #endif
59: #ifndef linux
60: # include <sys/protosw.h>
61: # include <sys/socket.h>
62: #endif
63: #include <net/if.h>
64: #ifdef sun
65: # include <net/af.h>
66: #endif
67: #include <net/route.h>
68: #include <netinet/in.h>
69: #include <netinet/in_systm.h>
70: #include <netinet/ip.h>
71: #ifndef linux
72: # include <netinet/ip_var.h>
73: #endif
74: #include <netinet/tcp.h>
75: #include <netinet/udp.h>
76: #include <netinet/ip_icmp.h>
77: #include "netinet/ip_compat.h"
78: #include <netinet/tcpip.h>
79: #include "netinet/ip_fil.h"
80: #include "netinet/ip_proxy.h"
81: #include "netinet/ip_nat.h"
82: #include "netinet/ip_frag.h"
83: #include "netinet/ip_state.h"
84: #include "netinet/ip_auth.h"
85: #ifndef MIN
86: #define MIN(a,b) (((a)<(b))?(a):(b))
87: #endif
88:
89: #ifndef KERNEL
90: # include "ipf.h"
91: # include "ipt.h"
92: extern int opts;
93:
94: # define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; \
95: second; }
96: # define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; \
97: second; }
98: # define FR_VERBOSE(verb_pr) verbose verb_pr
99: # define FR_DEBUG(verb_pr) debug verb_pr
100: # define SEND_RESET(ip, qif, if, m) send_reset(ip, if)
101: # define IPLLOG(a, c, d, e) ipllog()
102: # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
103: # if SOLARIS
104: # define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip)
105: # else
106: # define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if)
107: # endif
108: #else /* #ifndef KERNEL */
109: # define FR_IFVERBOSE(ex,second,verb_pr) ;
110: # define FR_IFDEBUG(ex,second,verb_pr) ;
111: # define FR_VERBOSE(verb_pr)
112: # define FR_DEBUG(verb_pr)
113: # define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
114: # if SOLARIS || defined(__sgi)
115: extern kmutex_t ipf_mutex, ipf_auth;
116: # endif
117: # if SOLARIS
118: # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \
119: ip, qif)
120: # define SEND_RESET(ip, qif, if) send_reset(ip, qif)
121: # define ICMP_ERROR(b, ip, t, c, if, src) \
122: icmp_error(ip, t, c, if, src)
123: # else /* SOLARIS */
124: # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
125: # ifdef linux
126: # define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip,\
127: ifp)
128: # else
129: # define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip)
130: # endif
131: # ifdef __sgi
132: # define ICMP_ERROR(b, ip, t, c, if, src) \
133: icmp_error(b, t, c, if, src, if)
134: # else
135: # if BSD < 199103
136: # ifdef linux
137: # define ICMP_ERROR(b, ip, t, c, if, src) icmp_send(b,t,c,0,if)
138: # else
139: # define ICMP_ERROR(b, ip, t, c, if, src) \
140: icmp_error(mtod(b, ip_t *), t, c, if, src)
141: # endif /* linux */
142: # else
143: # define ICMP_ERROR(b, ip, t, c, if, src) \
144: icmp_error(b, t, c, (src).s_addr, if)
145: # endif /* BSD < 199103 */
146: # endif /* __sgi */
147: # endif /* SOLARIS || __sgi */
148: #endif /* KERNEL */
149:
150:
151: struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
152: struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
153: *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
154: struct frgroup *ipfgroups[3][2];
155: int fr_flags = IPF_LOGGING, fr_active = 0;
156: #if defined(IPFILTER_DEFAULT_BLOCK)
157: int fr_pass = FR_NOMATCH|FR_BLOCK;
158: #else
159: int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
160: #endif
161:
162: fr_info_t frcache[2];
163:
164: static void fr_makefrip __P((int, ip_t *, fr_info_t *));
165: static int fr_tcpudpchk __P((frentry_t *, fr_info_t *));
166: static int frflushlist __P((int, int, int *, frentry_t *, frentry_t **));
167:
168:
169: /*
170: * bit values for identifying presence of individual IP options
171: */
172: static struct optlist ipopts[20] = {
173: { IPOPT_NOP, 0x000001 },
174: { IPOPT_RR, 0x000002 },
175: { IPOPT_ZSU, 0x000004 },
176: { IPOPT_MTUP, 0x000008 },
177: { IPOPT_MTUR, 0x000010 },
178: { IPOPT_ENCODE, 0x000020 },
179: { IPOPT_TS, 0x000040 },
180: { IPOPT_TR, 0x000080 },
181: { IPOPT_SECURITY, 0x000100 },
182: { IPOPT_LSRR, 0x000200 },
183: { IPOPT_E_SEC, 0x000400 },
184: { IPOPT_CIPSO, 0x000800 },
185: { IPOPT_SATID, 0x001000 },
186: { IPOPT_SSRR, 0x002000 },
187: { IPOPT_ADDEXT, 0x004000 },
188: { IPOPT_VISA, 0x008000 },
189: { IPOPT_IMITD, 0x010000 },
190: { IPOPT_EIP, 0x020000 },
191: { IPOPT_FINN, 0x040000 },
192: { 0, 0x000000 }
193: };
194:
195: /*
196: * bit values for identifying presence of individual IP security options
197: */
198: static struct optlist secopt[8] = {
199: { IPSO_CLASS_RES4, 0x01 },
200: { IPSO_CLASS_TOPS, 0x02 },
201: { IPSO_CLASS_SECR, 0x04 },
202: { IPSO_CLASS_RES3, 0x08 },
203: { IPSO_CLASS_CONF, 0x10 },
204: { IPSO_CLASS_UNCL, 0x20 },
205: { IPSO_CLASS_RES2, 0x40 },
206: { IPSO_CLASS_RES1, 0x80 }
207: };
208:
209:
210: /*
211: * compact the IP header into a structure which contains just the info.
212: * which is useful for comparing IP headers with.
213: */
214: static void fr_makefrip(hlen, ip, fin)
215: int hlen;
216: ip_t *ip;
217: fr_info_t *fin;
218: {
219: struct optlist *op;
220: tcphdr_t *tcp;
221: icmphdr_t *icmp;
222: fr_ip_t *fi = &fin->fin_fi;
223: u_short optmsk = 0, secmsk = 0, auth = 0;
224: int i, mv, ol, off;
225: u_char *s, opt;
226:
227: fin->fin_fr = NULL;
228: fin->fin_tcpf = 0;
229: fin->fin_data[0] = 0;
230: fin->fin_data[1] = 0;
231: fin->fin_rule = -1;
232: fin->fin_group = -1;
233: fin->fin_id = ip->ip_id;
234: #ifdef KERNEL
235: fin->fin_icode = ipl_unreach;
236: #endif
237: fi->fi_v = ip->ip_v;
238: fi->fi_tos = ip->ip_tos;
239: fin->fin_hlen = hlen;
240: fin->fin_dlen = ip->ip_len - hlen;
241: tcp = (tcphdr_t *)((char *)ip + hlen);
242: icmp = (icmphdr_t *)tcp;
243: fin->fin_dp = (void *)tcp;
244: (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
245: (*(((u_32_t *)fi) + 1)) = (*(((u_32_t *)ip) + 3));
246: (*(((u_32_t *)fi) + 2)) = (*(((u_32_t *)ip) + 4));
247:
248: fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
249: off = (ip->ip_off & 0x1fff) << 3;
250: if (ip->ip_off & 0x3fff)
251: fi->fi_fl |= FI_FRAG;
252: switch (ip->ip_p)
253: {
254: case IPPROTO_ICMP :
255: {
256: int minicmpsz = sizeof(struct icmp);
257:
258: if (!off && ip->ip_len > ICMP_MINLEN + hlen &&
259: (icmp->icmp_type == ICMP_ECHOREPLY ||
260: icmp->icmp_type == ICMP_UNREACH))
261: minicmpsz = ICMP_MINLEN;
262: if ((!(ip->ip_len >= hlen + minicmpsz) && !off) ||
263: (off && off < sizeof(struct icmp)))
264: fi->fi_fl |= FI_SHORT;
265: if (fin->fin_dlen > 1)
266: fin->fin_data[0] = *(u_short *)tcp;
267: break;
268: }
269: case IPPROTO_TCP :
270: fi->fi_fl |= FI_TCPUDP;
271: if ((!IPMINLEN(ip, tcphdr) && !off) ||
272: (off && off < sizeof(struct tcphdr)))
273: fi->fi_fl |= FI_SHORT;
274: if (!(fi->fi_fl & FI_SHORT) && !off)
275: fin->fin_tcpf = tcp->th_flags;
276: goto getports;
277: case IPPROTO_UDP :
278: fi->fi_fl |= FI_TCPUDP;
279: if ((!IPMINLEN(ip, udphdr) && !off) ||
280: (off && off < sizeof(struct udphdr)))
281: fi->fi_fl |= FI_SHORT;
282: getports:
283: if (!off && (fin->fin_dlen > 3)) {
284: fin->fin_data[0] = ntohs(tcp->th_sport);
285: fin->fin_data[1] = ntohs(tcp->th_dport);
286: }
287: break;
288: default :
289: break;
290: }
291:
292:
293: for (s = (u_char *)(ip + 1), hlen -= sizeof(*ip); hlen; ) {
294: if (!(opt = *s))
295: break;
296: ol = (opt == IPOPT_NOP) ? 1 : (int)*(s+1);
297: if (opt > 1 && (ol < 2 || ol > hlen))
298: break;
299: for (i = 9, mv = 4; mv >= 0; ) {
300: op = ipopts + i;
301: if (opt == (u_char)op->ol_val) {
302: optmsk |= op->ol_bit;
303: if (opt == IPOPT_SECURITY) {
304: struct optlist *sp;
305: u_char sec;
306: int j, m;
307:
308: sec = *(s + 2); /* classification */
309: for (j = 3, m = 2; m >= 0; ) {
310: sp = secopt + j;
311: if (sec == sp->ol_val) {
312: secmsk |= sp->ol_bit;
313: auth = *(s + 3);
314: auth *= 256;
315: auth += *(s + 4);
316: break;
317: }
318: if (sec < sp->ol_val)
319: j -= m--;
320: else
321: j += m--;
322: }
323: }
324: break;
325: }
326: if (opt < op->ol_val)
327: i -= mv--;
328: else
329: i += mv--;
330: }
331: hlen -= ol;
332: s += ol;
333: }
334: if (auth && !(auth & 0x0100))
335: auth &= 0xff00;
336: fi->fi_optmsk = optmsk;
337: fi->fi_secmsk = secmsk;
338: fi->fi_auth = auth;
339: }
340:
341:
342: /*
343: * check an IP packet for TCP/UDP characteristics such as ports and flags.
344: */
345: static int fr_tcpudpchk(fr, fin)
346: frentry_t *fr;
347: fr_info_t *fin;
348: {
349: register u_short po, tup;
350: register char i;
351: register int err = 1;
352:
353: /*
354: * Both ports should *always* be in the first fragment.
355: * So far, I cannot find any cases where they can not be.
356: *
357: * compare destination ports
358: */
359: if ((i = (int)fr->fr_dcmp)) {
360: po = fr->fr_dport;
361: tup = fin->fin_data[1];
362: /*
363: * Do opposite test to that required and
364: * continue if that succeeds.
365: */
366: if (!--i && tup != po) /* EQUAL */
367: err = 0;
368: else if (!--i && tup == po) /* NOTEQUAL */
369: err = 0;
370: else if (!--i && tup >= po) /* LESSTHAN */
371: err = 0;
372: else if (!--i && tup <= po) /* GREATERTHAN */
373: err = 0;
374: else if (!--i && tup > po) /* LT or EQ */
375: err = 0;
376: else if (!--i && tup < po) /* GT or EQ */
377: err = 0;
378: else if (!--i && /* Out of range */
379: (tup >= po && tup <= fr->fr_dtop))
380: err = 0;
381: else if (!--i && /* In range */
382: (tup <= po || tup >= fr->fr_dtop))
383: err = 0;
384: }
385: /*
386: * compare source ports
387: */
388: if (err && (i = (int)fr->fr_scmp)) {
389: po = fr->fr_sport;
390: tup = fin->fin_data[0];
391: if (!--i && tup != po)
392: err = 0;
393: else if (!--i && tup == po)
394: err = 0;
395: else if (!--i && tup >= po)
396: err = 0;
397: else if (!--i && tup <= po)
398: err = 0;
399: else if (!--i && tup > po)
400: err = 0;
401: else if (!--i && tup < po)
402: err = 0;
403: else if (!--i && /* Out of range */
404: (tup >= po && tup <= fr->fr_stop))
405: err = 0;
406: else if (!--i && /* In range */
407: (tup <= po || tup >= fr->fr_stop))
408: err = 0;
409: }
410:
411: /*
412: * If we don't have all the TCP/UDP header, then how can we
413: * expect to do any sort of match on it ? If we were looking for
414: * TCP flags, then NO match. If not, then match (which should
415: * satisfy the "short" class too).
416: */
417: if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
418: if (fin->fin_fi.fi_fl & FI_SHORT)
419: return !(fr->fr_tcpf | fr->fr_tcpfm);
420: /*
421: * Match the flags ? If not, abort this match.
422: */
423: if (fr->fr_tcpf &&
424: fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) {
425: FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
426: fr->fr_tcpfm, fr->fr_tcpf));
427: err = 0;
428: }
429: }
430: return err;
431: }
432:
433: /*
434: * Check the input/output list of rules for a match and result.
435: * Could be per interface, but this gets real nasty when you don't have
436: * kernel sauce.
437: */
438: int fr_scanlist(pass, ip, fin, m)
439: int pass;
440: ip_t *ip;
441: register fr_info_t *fin;
442: void *m;
443: {
444: register struct frentry *fr;
445: register fr_ip_t *fi = &fin->fin_fi;
446: int rulen, portcmp = 0, off, skip = 0;
447:
448: fr = fin->fin_fr;
449: fin->fin_fr = NULL;
450: fin->fin_rule = 0;
451: fin->fin_group = 0;
452: off = ip->ip_off & 0x1fff;
453: pass |= (fi->fi_fl << 24);
454:
455: if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
456: portcmp = 1;
457:
458: for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
459: if (skip) {
460: skip--;
461: continue;
462: }
463: /*
464: * In all checks below, a null (zero) value in the
465: * filter struture is taken to mean a wildcard.
466: *
467: * check that we are working for the right interface
468: */
469: #ifdef KERNEL
470: if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
471: continue;
472: #else
473: if (opts & (OPT_VERBOSE|OPT_DEBUG))
474: printf("\n");
475: FR_VERBOSE(("%c", (pass & FR_PASS) ? 'p' :
476: (pass & FR_AUTH) ? 'a' : 'b'));
477: if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
478: continue;
479: FR_VERBOSE((":i"));
480: #endif
481: {
482: register u_32_t *ld, *lm, *lip;
483: register int i;
484:
485: lip = (u_32_t *)fi;
486: lm = (u_32_t *)&fr->fr_mip;
487: ld = (u_32_t *)&fr->fr_ip;
488: i = ((lip[0] & lm[0]) != ld[0]);
489: FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
490: lip[0], lm[0], ld[0]));
491: i |= ((lip[1] & lm[1]) != ld[1]) << 21;
492: FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
493: lip[1], lm[1], ld[1]));
494: i |= ((lip[2] & lm[2]) != ld[2]) << 22;
495: FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
496: lip[2], lm[2], ld[2]));
497: i |= ((lip[3] & lm[3]) != ld[3]);
498: FR_IFDEBUG(i,continue,("3. %#08x & %#08x != %#08x\n",
499: lip[3], lm[3], ld[3]));
500: i |= ((lip[4] & lm[4]) != ld[4]);
501: FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
502: lip[4], lm[4], ld[4]));
503: i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP));
504: if (i)
505: continue;
506: }
507:
508: /*
509: * If a fragment, then only the first has what we're looking
510: * for here...
511: */
512: if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
513: fr->fr_tcpfm))
514: continue;
515: if (fi->fi_fl & FI_TCPUDP) {
516: if (!fr_tcpudpchk(fr, fin))
517: continue;
518: } else if (fr->fr_icmpm || fr->fr_icmp) {
519: if ((fi->fi_p != IPPROTO_ICMP) || off ||
520: (fin->fin_dlen < 2))
521: continue;
522: if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
523: FR_DEBUG(("i. %#x & %#x != %#x\n",
524: fin->fin_data[0], fr->fr_icmpm,
525: fr->fr_icmp));
526: continue;
527: }
528: }
529: FR_VERBOSE(("*"));
530: /*
531: * Just log this packet...
532: */
533: if (!(skip = fr->fr_skip))
534: pass = fr->fr_flags;
535: if ((pass & FR_CALLNOW) && fr->fr_func)
536: pass = (*fr->fr_func)(pass, ip, fin);
537: #if IPFILTER_LOG
538: if ((pass & FR_LOGMASK) == FR_LOG) {
539: if (!IPLLOG(fr->fr_flags, ip, fin, m))
540: frstats[fin->fin_out].fr_skip++;
541: frstats[fin->fin_out].fr_pkl++;
542: }
543: #endif /* IPFILTER_LOG */
544: FR_DEBUG(("pass %#x\n", pass));
545: fr->fr_hits++;
546: if (pass & FR_ACCOUNT)
547: fr->fr_bytes += (U_QUAD_T)ip->ip_len;
548: else
549: fin->fin_icode = fr->fr_icode;
550: fin->fin_rule = rulen;
551: fin->fin_group = fr->fr_group;
552: fin->fin_fr = fr;
553: if (fr->fr_grp) {
554: fin->fin_fr = fr->fr_grp;
555: pass = fr_scanlist(pass, ip, fin, m);
556: if (fin->fin_fr == NULL) {
557: fin->fin_rule = rulen;
558: fin->fin_group = fr->fr_group;
559: fin->fin_fr = fr;
560: }
561: }
562: if (pass & FR_QUICK)
563: break;
564: }
565: return pass;
566: }
567:
568:
569: /*
570: * frcheck - filter check
571: * check using source and destination addresses/pors in a packet whether
572: * or not to pass it on or not.
573: */
574: int fr_check(ip, hlen, ifp, out
575: #if defined(KERNEL) && SOLARIS
576: , qif, mp)
577: qif_t *qif;
578: #else
579: , mp)
580: #endif
581: mb_t **mp;
582: ip_t *ip;
583: int hlen;
584: void *ifp;
585: int out;
586: {
587: /*
588: * The above is really bad, but short of writing a diff
589: */
590: fr_info_t frinfo, *fc;
591: register fr_info_t *fin = &frinfo;
592: frentry_t *fr = NULL;
593: int pass, changed, apass, error = EHOSTUNREACH;
594: #if !SOLARIS || !defined(KERNEL)
595: register mb_t *m = *mp;
596: #endif
597:
598: #if KERNEL
599: mb_t *mc = NULL;
600: # if !defined(__SVR4) && !defined(__svr4__)
601: # ifdef __sgi
602: char hbuf[(0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8];
603: # endif
604: int up;
605:
606: #if M_CANFASTFWD
607: /*
608: * XXX For now, IP Filter and fast-forwarding of cached flows
609: * XXX are mutually exclusive. Eventually, IP Filter should
610: * XXX get a "can-fast-forward" filter rule.
611: */
612: m->m_flags &= ~M_CANFASTFWD;
613: #endif /* M_CANFASTFWD */
614:
615: if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP ||
616: ip->ip_p == IPPROTO_ICMP)) {
617: int plen = 0;
618:
619: switch(ip->ip_p)
620: {
621: case IPPROTO_TCP:
622: plen = sizeof(tcphdr_t);
623: break;
624: case IPPROTO_UDP:
625: plen = sizeof(udphdr_t);
626: break;
627: case IPPROTO_ICMP:
628: /* 96 - enough for complete ICMP error IP header */
629: plen = sizeof(struct icmp) + sizeof(ip_t) + 8;
630: break;
631: }
632: up = MIN(hlen + plen, ip->ip_len);
633:
634: if (up > m->m_len) {
635: #ifdef __sgi /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */
636: if ((up > sizeof(hbuf)) || (m_length(m) < up)) {
637: frstats[out].fr_pull[1]++;
638: return -1;
639: }
640: m_copydata(m, 0, up, hbuf);
641: frstats[out].fr_pull[0]++;
642: ip = (ip_t *)hbuf;
643: #else
644: # ifndef linux
645: if ((*mp = m_pullup(m, up)) == 0) {
646: frstats[out].fr_pull[1]++;
647: return -1;
648: } else {
649: frstats[out].fr_pull[0]++;
650: m = *mp;
651: ip = mtod(m, ip_t *);
652: }
653: # endif
654: #endif
655: } else
656: up = 0;
657: } else
658: up = 0;
659: # endif
660: # if SOLARIS
661: mb_t *m = qif->qf_m;
662: # endif
663: #endif
664: fr_makefrip(hlen, ip, fin);
665: fin->fin_ifp = ifp;
666: fin->fin_out = out;
667: fin->fin_mp = mp;
668:
669: MUTEX_ENTER(&ipf_mutex);
670:
671: /*
672: * Check auth now. This, combined with the check below to see if apass
673: * is 0 is to ensure that we don't count the packet twice, which can
674: * otherwise occur when we reprocess it. As it is, we only count it
675: * after it has no auth. table matchup. This also stops NAT from
676: * occuring until after the packet has been auth'd.
677: */
678: apass = fr_checkauth(ip, fin);
679:
680: if (!out) {
681: changed = ip_natin(ip, hlen, fin);
682: if (!apass && (fin->fin_fr = ipacct[0][fr_active]) &&
683: (FR_SCANLIST(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT))
684: frstats[0].fr_acct++;
685: }
686:
687: if (apass || (!(pass = ipfr_knownfrag(ip, fin)) &&
688: !(pass = fr_checkstate(ip, fin)))) {
689: /*
690: * If a packet is found in the auth table, then skip checking
691: * the access lists for permission but we do need to consider
692: * the result as if it were from the ACL's.
693: */
694: if (!apass) {
695: fc = frcache + out;
696: if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
697: /*
698: * copy cached data so we can unlock the mutex
699: * earlier.
700: */
701: bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
702: frstats[out].fr_chit++;
703: if ((fr = fin->fin_fr)) {
704: fr->fr_hits++;
705: pass = fr->fr_flags;
706: } else
707: pass = fr_pass;
708: } else {
709: pass = fr_pass;
710: if ((fin->fin_fr = ipfilter[out][fr_active]))
711: pass = FR_SCANLIST(fr_pass, ip, fin, m);
712: bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
713: if (pass & FR_NOMATCH)
714: frstats[out].fr_nom++;
715: }
716: fr = fin->fin_fr;
717: } else
718: pass = apass;
719:
720: /*
721: * If we fail to add a packet to the authorization queue,
722: * then we drop the packet later. However, if it was added
723: * then pretend we've dropped it already.
724: */
725: if ((pass & FR_AUTH))
726: if (FR_NEWAUTH(m, fin, ip, qif) != 0)
727: #ifdef KERNEL
728: m = *mp = NULL;
729: #else
730: ;
731: #endif
732:
733: if (pass & FR_PREAUTH) {
734: MUTEX_ENTER(&ipf_auth);
735: if ((fin->fin_fr = ipauth) &&
736: (pass = FR_SCANLIST(0, ip, fin, m)))
737: fr_authstats.fas_hits++;
738: else
739: fr_authstats.fas_miss++;
740: MUTEX_EXIT(&ipf_auth);
741: }
742:
743: if (pass & FR_KEEPFRAG) {
744: if (fin->fin_fi.fi_fl & FI_FRAG) {
745: if (ipfr_newfrag(ip, fin, pass) == -1)
746: frstats[out].fr_bnfr++;
747: else
748: frstats[out].fr_nfr++;
749: } else
750: frstats[out].fr_cfr++;
751: }
752: if (pass & FR_KEEPSTATE) {
753: if (fr_addstate(ip, fin, pass) == -1)
754: frstats[out].fr_bads++;
755: else
756: frstats[out].fr_ads++;
757: }
758: }
759:
760: if (fr && fr->fr_func && !(pass & FR_CALLNOW))
761: pass = (*fr->fr_func)(pass, ip, fin);
762:
763: /*
764: * Only count/translate packets which will be passed on, out the
765: * interface.
766: */
767: if (out && (pass & FR_PASS)) {
768: if ((fin->fin_fr = ipacct[1][fr_active]) &&
769: (FR_SCANLIST(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT))
770: frstats[1].fr_acct++;
771: fin->fin_fr = NULL;
772: changed = ip_natout(ip, hlen, fin);
773: }
774: fin->fin_fr = fr;
775: MUTEX_EXIT(&ipf_mutex);
776:
777: #if IPFILTER_LOG
778: if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
779: if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
780: pass |= FF_LOGNOMATCH;
781: frstats[out].fr_npkl++;
782: goto logit;
783: } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
784: ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
785: if ((pass & FR_LOGMASK) != FR_LOGP)
786: pass |= FF_LOGPASS;
787: frstats[out].fr_ppkl++;
788: goto logit;
789: } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
790: ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
791: if ((pass & FR_LOGMASK) != FR_LOGB)
792: pass |= FF_LOGBLOCK;
793: frstats[out].fr_bpkl++;
794: logit:
795: if (!IPLLOG(pass, ip, fin, m)) {
796: frstats[out].fr_skip++;
797: if ((pass & (FR_PASS|FR_LOGORBLOCK)) ==
798: (FR_PASS|FR_LOGORBLOCK))
799: pass ^= FR_PASS|FR_BLOCK;
800: }
801: }
802: }
803: #endif /* IPFILTER_LOG */
804: #ifdef KERNEL
805: /*
806: * Only allow FR_DUP to work if a rule matched - it makes no sense to
807: * set FR_DUP as a "default" as there are no instructions about where
808: * to send the packet.
809: */
810: if (fr && (pass & FR_DUP))
811: # if SOLARIS
812: mc = dupmsg(m);
813: # else
814: # ifndef linux
815: mc = m_copy(m, 0, M_COPYALL);
816: # else
817: ;
818: # endif
819: # endif
820: #endif
821: if (pass & FR_PASS)
822: frstats[out].fr_pass++;
823: else if (pass & FR_BLOCK) {
824: frstats[out].fr_block++;
825: /*
826: * Should we return an ICMP packet to indicate error
827: * status passing through the packet filter ?
828: * WARNING: ICMP error packets AND TCP RST packets should
829: * ONLY be sent in repsonse to incoming packets. Sending them
830: * in response to outbound packets can result in a panic on
831: * some operating systems.
832: */
833: if (!out) {
834: #ifdef KERNEL
835: if (pass & FR_RETICMP) {
836: # if SOLARIS
837: ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
838: qif, ip->ip_src);
839: # else
840: ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
841: ifp, ip->ip_src);
842: m = *mp = NULL; /* freed by icmp_error() */
843: # endif
844:
845: frstats[0].fr_ret++;
846: } else if ((pass & FR_RETRST) &&
847: !(fin->fin_fi.fi_fl & FI_SHORT)) {
848: if (SEND_RESET(ip, qif, ifp) == 0)
849: frstats[1].fr_ret++;
850: }
851: #else
852: if (pass & FR_RETICMP) {
853: verbose("- ICMP unreachable sent\n");
854: frstats[0].fr_ret++;
855: } else if ((pass & FR_RETRST) &&
856: !(fin->fin_fi.fi_fl & FI_SHORT)) {
857: verbose("- TCP RST sent\n");
858: frstats[1].fr_ret++;
859: }
860: #endif
861: } else {
862: if (pass & FR_RETRST)
863: error = ECONNRESET;
864: }
865: }
866:
867: /*
868: * If we didn't drop off the bottom of the list of rules (and thus
869: * the 'current' rule fr is not NULL), then we may have some extra
870: * instructions about what to do with a packet.
871: * Once we're finished return to our caller, freeing the packet if
872: * we are dropping it (* BSD ONLY *).
873: */
874: #if defined(KERNEL)
875: # if !SOLARIS
876: # if !defined(linux)
877: if (fr) {
878: frdest_t *fdp = &fr->fr_tif;
879:
880: if ((pass & FR_FASTROUTE) ||
881: (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
882: ipfr_fastroute(m, fin, fdp);
883: m = *mp = NULL;
884: }
885: if (mc)
886: ipfr_fastroute(mc, fin, &fr->fr_dif);
887: }
888: if (!(pass & FR_PASS) && m)
889: m_freem(m);
890: # ifdef __sgi
891: else if (changed && up && m)
892: m_copyback(m, 0, up, hbuf);
893: # endif
894: # endif /* !linux */
895: return (pass & FR_PASS) ? 0 : error;
896: # else /* !SOLARIS */
897: if (fr) {
898: frdest_t *fdp = &fr->fr_tif;
899:
900: if ((pass & FR_FASTROUTE) ||
901: (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
902: ipfr_fastroute(qif, ip, m, mp, fin, fdp);
903: m = *mp = NULL;
904: }
905: if (mc)
906: ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif);
907: }
908: return (pass & FR_PASS) ? changed : error;
909: # endif /* !SOLARIS */
910: #else /* KERNEL */
911: if (pass & FR_NOMATCH)
912: return 1;
913: if (pass & FR_PASS)
914: return 0;
915: if (pass & FR_AUTH)
916: return -2;
917: return -1;
918: #endif /* KERNEL */
919: }
920:
921:
922: /*
923: * ipf_cksum
924: * addr should be 16bit aligned and len is in bytes.
925: * length is in bytes
926: */
927: u_short ipf_cksum(addr, len)
928: register u_short *addr;
929: register int len;
930: {
931: register u_32_t sum = 0;
932:
933: for (sum = 0; len > 1; len -= 2)
934: sum += *addr++;
935:
936: /* mop up an odd byte, if necessary */
937: if (len == 1)
938: sum += *(u_char *)addr;
939:
940: /*
941: * add back carry outs from top 16 bits to low 16 bits
942: */
943: sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
944: sum += (sum >> 16); /* add carry */
945: return (u_short)(~sum);
946: }
947:
948:
949: /*
950: * NB: This function assumes we've pullup'd enough for all of the IP header
951: * and the TCP header. We also assume that data blocks aren't allocated in
952: * odd sizes.
953: */
954: u_short fr_tcpsum(m, ip, tcp, len)
955: mb_t *m;
956: ip_t *ip;
957: tcphdr_t *tcp;
958: int len;
959: {
960: union {
961: u_char c[2];
962: u_short s;
963: } bytes;
964: u_32_t sum;
965: u_short *sp;
966: # if SOLARIS || defined(__sgi)
967: int add, hlen;
968: # endif
969:
970: # if SOLARIS
971: /* skip any leading M_PROTOs */
972: while(m && (MTYPE(m) != M_DATA))
973: m = m->b_cont;
974: PANIC((!m),("fr_tcpsum: no M_DATA"));
975: # endif
976:
977: /*
978: * Add up IP Header portion
979: */
980: bytes.c[0] = 0;
981: bytes.c[1] = IPPROTO_TCP;
982: len -= (ip->ip_hl << 2);
983: sum = bytes.s;
984: sum += htons((u_short)len);
985: sp = (u_short *)&ip->ip_src;
986: sum += *sp++;
987: sum += *sp++;
988: sum += *sp++;
989: sum += *sp++;
990: if (sp != (u_short *)tcp)
991: sp = (u_short *)tcp;
992: sum += *sp++;
993: sum += *sp++;
994: sum += *sp++;
995: sum += *sp++;
996: sum += *sp++;
997: sum += *sp++;
998: sum += *sp++;
999: sum += *sp;
1000: sp += 2; /* Skip over checksum */
1001: sum += *sp++;
1002:
1003: #if SOLARIS
1004: /*
1005: * In case we had to copy the IP & TCP header out of mblks,
1006: * skip over the mblk bits which are the header
1007: */
1008: if ((caddr_t)ip != (caddr_t)m->b_rptr) {
1009: hlen = (caddr_t)sp - (caddr_t)ip;
1010: while (hlen) {
1011: add = MIN(hlen, m->b_wptr - m->b_rptr);
1012: sp = (u_short *)((caddr_t)m->b_rptr + add);
1013: hlen -= add;
1014: if ((caddr_t)sp >= (caddr_t)m->b_wptr) {
1015: m = m->b_cont;
1016: PANIC((!m),("fr_tcpsum: not enough data"));
1017: if (!hlen)
1018: sp = (u_short *)m->b_rptr;
1019: }
1020: }
1021: }
1022: #endif
1023: #ifdef __sgi
1024: /*
1025: * In case we had to copy the IP & TCP header out of mbufs,
1026: * skip over the mbuf bits which are the header
1027: */
1028: if ((caddr_t)ip != mtod(m, caddr_t)) {
1029: hlen = (caddr_t)sp - (caddr_t)ip;
1030: while (hlen) {
1031: add = MIN(hlen, m->m_len);
1032: sp = (u_short *)(mtod(m, caddr_t) + add);
1033: hlen -= add;
1034: if (add >= m->m_len) {
1035: m = m->m_next;
1036: PANIC((!m),("fr_tcpsum: not enough data"));
1037: if (!hlen)
1038: sp = mtod(m, u_short *);
1039: }
1040: }
1041: }
1042: #endif
1043:
1044: if (!(len -= sizeof(*tcp)))
1045: goto nodata;
1046: while (len > 0) {
1047: #if SOLARIS
1048: while ((caddr_t)sp >= (caddr_t)m->b_wptr) {
1049: m = m->b_cont;
1050: PANIC((!m),("fr_tcpsum: not enough data"));
1051: sp = (u_short *)m->b_rptr;
1052: }
1053: #else
1054: while (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len)
1055: {
1056: m = m->m_next;
1057: PANIC((!m),("fr_tcpsum: not enough data"));
1058: sp = mtod(m, u_short *);
1059: }
1060: #endif /* SOLARIS */
1061: if (len < 2)
1062: break;
1063: if((u_32_t)sp & 1) {
1064: bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
1065: sum += bytes.s;
1066: } else
1067: sum += *sp++;
1068: len -= 2;
1069: }
1070: if (len) {
1071: bytes.c[1] = 0;
1072: bytes.c[0] = *(u_char *)sp;
1073: sum += bytes.s;
1074: }
1075: nodata:
1076: sum = (sum >> 16) + (sum & 0xffff);
1077: sum += (sum >> 16);
1078: sum = (u_short)((~sum) & 0xffff);
1079: return sum;
1080: }
1081:
1082:
1083: #if defined(KERNEL) && ( ((BSD < 199306) && !SOLARIS) || defined(__sgi) )
1084: /*
1085: * Copyright (c) 1982, 1986, 1988, 1991, 1993
1086: * The Regents of the University of California. All rights reserved.
1087: *
1088: * Redistribution and use in source and binary forms, with or without
1089: * modification, are permitted provided that the following conditions
1090: * are met:
1091: * 1. Redistributions of source code must retain the above copyright
1092: * notice, this list of conditions and the following disclaimer.
1093: * 2. Redistributions in binary form must reproduce the above copyright
1094: * notice, this list of conditions and the following disclaimer in the
1095: * documentation and/or other materials provided with the distribution.
1096: * 3. All advertising materials mentioning features or use of this software
1097: * must display the following acknowledgement:
1098: * This product includes software developed by the University of
1099: * California, Berkeley and its contributors.
1100: * 4. Neither the name of the University nor the names of its contributors
1101: * may be used to endorse or promote products derived from this software
1102: * without specific prior written permission.
1103: *
1104: * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1105: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1106: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1107: * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1108: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1109: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1110: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1111: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1112: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1113: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1114: * SUCH DAMAGE.
1115: *
1116: * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
1117: */
1118: /*
1119: * Copy data from an mbuf chain starting "off" bytes from the beginning,
1120: * continuing for "len" bytes, into the indicated buffer.
1121: */
1122: void
1123: m_copydata(m, off, len, cp)
1124: register mb_t *m;
1125: register int off;
1126: register int len;
1127: caddr_t cp;
1128: {
1129: register unsigned count;
1130:
1131: if (off < 0 || len < 0)
1132: panic("m_copydata");
1133: while (off > 0) {
1134: if (m == 0)
1135: panic("m_copydata");
1136: if (off < m->m_len)
1137: break;
1138: off -= m->m_len;
1139: m = m->m_next;
1140: }
1141: while (len > 0) {
1142: if (m == 0)
1143: panic("m_copydata");
1144: count = MIN(m->m_len - off, len);
1145: bcopy(mtod(m, caddr_t) + off, cp, count);
1146: len -= count;
1147: cp += count;
1148: off = 0;
1149: m = m->m_next;
1150: }
1151: }
1152:
1153:
1154: # ifndef linux
1155: /*
1156: * Copy data from a buffer back into the indicated mbuf chain,
1157: * starting "off" bytes from the beginning, extending the mbuf
1158: * chain if necessary.
1159: */
1160: void
1161: m_copyback(m0, off, len, cp)
1162: struct mbuf *m0;
1163: register int off;
1164: register int len;
1165: caddr_t cp;
1166: {
1167: register int mlen;
1168: register struct mbuf *m = m0, *n;
1169: int totlen = 0;
1170:
1171: if (m0 == 0)
1172: return;
1173: while (off > (mlen = m->m_len)) {
1174: off -= mlen;
1175: totlen += mlen;
1176: if (m->m_next == 0) {
1177: n = m_getclr(M_DONTWAIT, m->m_type);
1178: if (n == 0)
1179: goto out;
1180: n->m_len = min(MLEN, len + off);
1181: m->m_next = n;
1182: }
1183: m = m->m_next;
1184: }
1185: while (len > 0) {
1186: mlen = min (m->m_len - off, len);
1187: bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
1188: cp += mlen;
1189: len -= mlen;
1190: mlen += off;
1191: off = 0;
1192: totlen += mlen;
1193: if (len == 0)
1194: break;
1195: if (m->m_next == 0) {
1196: n = m_get(M_DONTWAIT, m->m_type);
1197: if (n == 0)
1198: break;
1199: n->m_len = min(MLEN, len);
1200: m->m_next = n;
1201: }
1202: m = m->m_next;
1203: }
1204: out:
1205: #if 0
1206: if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
1207: m->m_pkthdr.len = totlen;
1208: #endif
1209: return;
1210: }
1211: # endif /* linux */
1212: #endif /* (KERNEL) && ( ((BSD < 199306) && !SOLARIS) || __sgi) */
1213:
1214:
1215: frgroup_t *fr_findgroup(num, flags, which, set, fgpp)
1216: u_short num;
1217: u_32_t flags;
1218: int which, set;
1219: frgroup_t ***fgpp;
1220: {
1221: frgroup_t *fg, **fgp;
1222:
1223: if (which == IPL_LOGAUTH)
1224: fgp = &ipfgroups[2][set];
1225: else if (flags & FR_ACCOUNT)
1226: fgp = &ipfgroups[1][set];
1227: else if (flags & (FR_OUTQUE|FR_INQUE))
1228: fgp = &ipfgroups[0][set];
1229: else
1230: return NULL;
1231:
1232: while ((fg = *fgp))
1233: if (fg->fg_num == num)
1234: break;
1235: else
1236: fgp = &fg->fg_next;
1237: if (fgpp)
1238: *fgpp = fgp;
1239: return fg;
1240: }
1241:
1242:
1243: frgroup_t *fr_addgroup(num, fp, which, set)
1244: u_short num;
1245: frentry_t *fp;
1246: int which, set;
1247: {
1248: frgroup_t *fg, **fgp;
1249:
1250: if ((fg = fr_findgroup(num, fp->fr_flags, which, set, &fgp)))
1251: return fg;
1252:
1253: KMALLOC(fg, frgroup_t *, sizeof(*fg));
1254: if (fg) {
1255: fg->fg_num = num;
1256: fg->fg_next = *fgp;
1257: fg->fg_head = fp;
1258: fg->fg_start = &fp->fr_grp;
1259: *fgp = fg;
1260: }
1261: return fg;
1262: }
1263:
1264:
1265: void fr_delgroup(num, flags, which, set)
1266: u_short num;
1267: u_32_t flags;
1268: int which, set;
1269: {
1270: frgroup_t *fg, **fgp;
1271:
1272: if (!(fg = fr_findgroup(num, flags, which, set, &fgp)))
1273: return;
1274:
1275: *fgp = fg->fg_next;
1276: KFREE(fg);
1277: }
1278:
1279:
1280:
1281: /*
1282: * recursively flush rules from the list, descending groups as they are
1283: * encountered. if a rule is the head of a group and it has lost all its
1284: * group members, then also delete the group reference.
1285: */
1286: static int frflushlist(set, unit, nfreedp, list, listp)
1287: int set, unit, *nfreedp;
1288: frentry_t *list, **listp;
1289: {
1290: register frentry_t *fp = list, *fpn;
1291: register int freed = 0;
1292:
1293: while (fp) {
1294: fpn = fp->fr_next;
1295: if (fp->fr_grp) {
1296: fp->fr_ref -= frflushlist(set, unit, nfreedp,
1297: fp->fr_grp, &fp->fr_grp);
1298: }
1299:
1300: if (fp->fr_ref == 1) {
1301: if (fp->fr_grhead)
1302: fr_delgroup(fp->fr_grhead, fp->fr_flags, unit,
1303: set);
1304: KFREE(fp);
1305: *listp = fpn;
1306: freed++;
1307: }
1308: fp = fpn;
1309: }
1310: *nfreedp += freed;
1311: return freed;
1312: }
1313:
1314:
1315: void frflush(unit, result)
1316: int unit;
1317: int *result;
1318: {
1319: int flags = *result, flushed = 0, set = fr_active;
1320:
1321: bzero((char *)frcache, sizeof(frcache[0]) * 2);
1322:
1323: if (flags & FR_INACTIVE)
1324: set = 1 - set;
1325:
1326: if (unit == IPL_LOGIPF) {
1327: if (flags & FR_OUTQUE) {
1328: (void) frflushlist(set, unit, &flushed,
1329: ipfilter[1][set],
1330: &ipfilter[1][set]);
1331: (void) frflushlist(set, unit, &flushed,
1332: ipacct[1][set], &ipacct[1][set]);
1333: }
1334: if (flags & FR_INQUE) {
1335: (void) frflushlist(set, unit, &flushed,
1336: ipfilter[0][set],
1337: &ipfilter[0][set]);
1338: (void) frflushlist(set, unit, &flushed,
1339: ipacct[0][set], &ipacct[0][set]);
1340: }
1341: }
1342:
1343: *result = flushed;
1344: }
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.