![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to ip_frag.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Apple XNU] / XNU / bsd / netinet|
Return to ip_frag.c CVS log | Up to [Apple XNU] / XNU / bsd / netinet |
1.1 root 1: /*
2: * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
3: *
4: * @APPLE_LICENSE_HEADER_START@
5: *
6: * The contents of this file constitute Original Code as defined in and
7: * are subject to the Apple Public Source License Version 1.1 (the
8: * "License"). You may not use this file except in compliance with the
9: * License. Please obtain a copy of the License at
10: * http://www.apple.com/publicsource and read it before using this file.
11: *
12: * This Original Code and all software distributed under the License are
13: * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14: * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15: * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16: * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17: * License for the specific language governing rights and limitations
18: * under the License.
19: *
20: * @APPLE_LICENSE_HEADER_END@
21: */
22: /*
23: * Copyright (C) 1993-1997 by Darren Reed.
24: *
25: * Redistribution and use in source and binary forms are permitted
26: * provided that this notice is preserved and due credit is given
27: * to the original author and the contributors.
28: */
29: #if !defined(lint)
30: /* static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; */
31: #endif
32:
33:
34: #if !defined(KERNEL)
35: # include <string.h>
36: # include <stdlib.h>
37: #endif
38: #include <sys/errno.h>
39: #include <sys/types.h>
40: #include <sys/param.h>
41: #include <sys/time.h>
42: #include <sys/file.h>
43: #if defined(KERNEL)
44: #include <sys/filio.h>
45: #include <sys/fcntl.h>
46: #include <sys/malloc.h>
47: #else
48: #include <sys/ioctl.h>
49: #endif
50: #include <sys/uio.h>
51: #ifndef linux
52: #include <sys/protosw.h>
53: #endif
54: #include <sys/socket.h>
55: #if defined(KERNEL)
56: # include <sys/systm.h>
57: #endif
58: #if !defined(__SVR4) && !defined(__svr4__)
59: # ifndef linux
60: # include <sys/mbuf.h>
61: # endif
62: #else
63: # include <sys/byteorder.h>
64: # include <sys/dditypes.h>
65: # include <sys/stream.h>
66: # include <sys/kmem.h>
67: #endif
68: #if defined(KERNEL)
69: #include <sys/malloc.h>
70: #endif
71:
72: #include <net/if.h>
73: #ifdef sun
74: #include <net/af.h>
75: #endif
76: #include <net/route.h>
77: #include <netinet/in.h>
78: #include <netinet/in_systm.h>
79: #include <netinet/ip.h>
80: #ifndef linux
81: #include <netinet/ip_var.h>
82: #endif
83: #include <netinet/tcp.h>
84: #include <netinet/udp.h>
85: #include <netinet/ip_icmp.h>
86: #include "netinet/ip_compat.h"
87: #include <netinet/tcpip.h>
88: #include "netinet/ip_fil.h"
89: #include "netinet/ip_proxy.h"
90: #include "netinet/ip_nat.h"
91: #include "netinet/ip_frag.h"
92: #include "netinet/ip_state.h"
93: #include "netinet/ip_auth.h"
94:
95: static ipfr_t *ipfr_heads[IPFT_SIZE];
96: static ipfr_t *ipfr_nattab[IPFT_SIZE];
97: static ipfrstat_t ipfr_stats;
98: static int ipfr_inuse = 0;
99: int fr_ipfrttl = 120; /* 60 seconds */
100: #ifdef KERNEL
101: extern int ipfr_timer_id;
102: #endif
103: #if (SOLARIS || defined(__sgi)) && defined(KERNEL)
104: extern kmutex_t ipf_frag;
105: extern kmutex_t ipf_natfrag;
106: extern kmutex_t ipf_nat;
107: #endif
108:
109:
110: static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, int, ipfr_t **));
111: static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
112:
113:
114: ipfrstat_t *ipfr_fragstats()
115: {
116: ipfr_stats.ifs_table = ipfr_heads;
117: ipfr_stats.ifs_nattab = ipfr_nattab;
118: ipfr_stats.ifs_inuse = ipfr_inuse;
119: return &ipfr_stats;
120: }
121:
122:
123: /*
124: * add a new entry to the fragment cache, registering it as having come
125: * through this box, with the result of the filter operation.
126: */
127: static ipfr_t *ipfr_new(ip, fin, pass, table)
128: ip_t *ip;
129: fr_info_t *fin;
130: int pass;
131: ipfr_t *table[];
132: {
133: ipfr_t **fp, *fr, frag;
134: u_int idx;
135:
136: frag.ipfr_p = ip->ip_p;
137: idx = ip->ip_p;
138: frag.ipfr_id = ip->ip_id;
139: idx += ip->ip_id;
140: frag.ipfr_tos = ip->ip_tos;
141: frag.ipfr_src.s_addr = ip->ip_src.s_addr;
142: idx += ip->ip_src.s_addr;
143: frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
144: idx += ip->ip_dst.s_addr;
145: idx *= 127;
146: idx %= IPFT_SIZE;
147:
148: /*
149: * first, make sure it isn't already there...
150: */
151: for (fp = &table[idx]; (fr = *fp); fp = &fr->ipfr_next)
152: if (!bcmp((char *)&frag.ipfr_src, (char *)&fr->ipfr_src,
153: IPFR_CMPSZ)) {
154: ipfr_stats.ifs_exists++;
155: return NULL;
156: }
157:
158: /*
159: * allocate some memory, if possible, if not, just record that we
160: * failed to do so.
161: */
162: KMALLOC(fr, ipfr_t *, sizeof(*fr));
163: if (fr == NULL) {
164: ipfr_stats.ifs_nomem++;
165: return NULL;
166: }
167:
168: /*
169: * Instert the fragment into the fragment table, copy the struct used
170: * in the search using bcopy rather than reassign each field.
171: * Set the ttl to the default and mask out logging from "pass"
172: */
173: if ((fr->ipfr_next = table[idx]))
174: table[idx]->ipfr_prev = fr;
175: fr->ipfr_prev = NULL;
176: fr->ipfr_data = NULL;
177: table[idx] = fr;
178: bcopy((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ);
179: fr->ipfr_ttl = fr_ipfrttl;
180: fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG);
181: /*
182: * Compute the offset of the expected start of the next packet.
183: */
184: fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3);
185: ipfr_stats.ifs_new++;
186: ipfr_inuse++;
187: return fr;
188: }
189:
190:
191: int ipfr_newfrag(ip, fin, pass)
192: ip_t *ip;
193: fr_info_t *fin;
194: int pass;
195: {
196: ipfr_t *ipf;
197:
198: MUTEX_ENTER(&ipf_frag);
199: ipf = ipfr_new(ip, fin, pass, ipfr_heads);
200: MUTEX_EXIT(&ipf_frag);
201: return ipf ? 0 : -1;
202: }
203:
204:
205: int ipfr_nat_newfrag(ip, fin, pass, nat)
206: ip_t *ip;
207: fr_info_t *fin;
208: int pass;
209: nat_t *nat;
210: {
211: ipfr_t *ipf;
212:
213: MUTEX_ENTER(&ipf_natfrag);
214: if ((ipf = ipfr_new(ip, fin, pass, ipfr_nattab))) {
215: ipf->ipfr_data = nat;
216: nat->nat_data = ipf;
217: }
218: MUTEX_EXIT(&ipf_natfrag);
219: return ipf ? 0 : -1;
220: }
221:
222:
223: /*
224: * check the fragment cache to see if there is already a record of this packet
225: * with its filter result known.
226: */
227: static ipfr_t *ipfr_lookup(ip, fin, table)
228: ip_t *ip;
229: fr_info_t *fin;
230: ipfr_t *table[];
231: {
232: ipfr_t *f, frag;
233: u_int idx;
234:
235: /*
236: * For fragments, we record protocol, packet id, TOS and both IP#'s
237: * (these should all be the same for all fragments of a packet).
238: *
239: * build up a hash value to index the table with.
240: */
241: frag.ipfr_p = ip->ip_p;
242: idx = ip->ip_p;
243: frag.ipfr_id = ip->ip_id;
244: idx += ip->ip_id;
245: frag.ipfr_tos = ip->ip_tos;
246: frag.ipfr_src.s_addr = ip->ip_src.s_addr;
247: idx += ip->ip_src.s_addr;
248: frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
249: idx += ip->ip_dst.s_addr;
250: idx *= 127;
251: idx %= IPFT_SIZE;
252:
253: /*
254: * check the table, careful to only compare the right amount of data
255: */
256: for (f = table[idx]; f; f = f->ipfr_next)
257: if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src,
258: IPFR_CMPSZ)) {
259: u_short atoff, off;
260:
261: if (f != table[idx]) {
262: /*
263: * move fragment info. to the top of the list
264: * to speed up searches.
265: */
266: if ((f->ipfr_prev->ipfr_next = f->ipfr_next))
267: f->ipfr_next->ipfr_prev = f->ipfr_prev;
268: f->ipfr_next = table[idx];
269: table[idx]->ipfr_prev = f;
270: f->ipfr_prev = NULL;
271: table[idx] = f;
272: }
273: off = ip->ip_off;
274: atoff = off + (fin->fin_dlen >> 3);
275: /*
276: * If we've follwed the fragments, and this is the
277: * last (in order), shrink expiration time.
278: */
279: if ((off & 0x1fff) == f->ipfr_off) {
280: if (!(off & IP_MF))
281: f->ipfr_ttl = 1;
282: else
283: f->ipfr_off = atoff;
284: }
285: ipfr_stats.ifs_hits++;
286: return f;
287: }
288: return NULL;
289: }
290:
291:
292: /*
293: * functional interface for NAT lookups of the NAT fragment cache
294: */
295: nat_t *ipfr_nat_knownfrag(ip, fin)
296: ip_t *ip;
297: fr_info_t *fin;
298: {
299: nat_t *nat;
300: ipfr_t *ipf;
301:
302: MUTEX_ENTER(&ipf_natfrag);
303: ipf = ipfr_lookup(ip, fin, ipfr_nattab);
304: if (ipf) {
305: nat = ipf->ipfr_data;
306: /*
307: * This is the last fragment for this packet.
308: */
309: if (ipf->ipfr_ttl == 1) {
310: nat->nat_data = NULL;
311: ipf->ipfr_data = NULL;
312: }
313: } else
314: nat = NULL;
315: MUTEX_EXIT(&ipf_natfrag);
316: return nat;
317: }
318:
319:
320: /*
321: * functional interface for normal lookups of the fragment cache
322: */
323: int ipfr_knownfrag(ip, fin)
324: ip_t *ip;
325: fr_info_t *fin;
326: {
327: int ret;
328: ipfr_t *ipf;
329:
330: MUTEX_ENTER(&ipf_frag);
331: ipf = ipfr_lookup(ip, fin, ipfr_heads);
332: ret = ipf ? ipf->ipfr_pass : 0;
333: MUTEX_EXIT(&ipf_frag);
334: return ret;
335: }
336:
337:
338: /*
339: * forget any references to this external object.
340: */
341: void ipfr_forget(nat)
342: void *nat;
343: {
344: ipfr_t *fr;
345: int idx;
346:
347: MUTEX_ENTER(&ipf_natfrag);
348: for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
349: for (fr = ipfr_heads[idx]; fr; fr = fr->ipfr_next)
350: if (fr->ipfr_data == nat)
351: fr->ipfr_data = NULL;
352:
353: MUTEX_EXIT(&ipf_natfrag);
354: }
355:
356:
357: /*
358: * Free memory in use by fragment state info. kept.
359: */
360: void ipfr_unload()
361: {
362: ipfr_t **fp, *fr;
363: nat_t *nat;
364: int idx;
365:
366: MUTEX_ENTER(&ipf_frag);
367: for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
368: for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
369: *fp = fr->ipfr_next;
370: KFREE(fr);
371: }
372: MUTEX_EXIT(&ipf_frag);
373:
374: MUTEX_ENTER(&ipf_nat);
375: MUTEX_ENTER(&ipf_natfrag);
376: for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
377: for (fp = &ipfr_nattab[idx]; (fr = *fp); ) {
378: *fp = fr->ipfr_next;
379: if ((nat = (nat_t *)fr->ipfr_data)) {
380: if (nat->nat_data == fr)
381: nat->nat_data = NULL;
382: }
383: KFREE(fr);
384: }
385: MUTEX_EXIT(&ipf_natfrag);
386: MUTEX_EXIT(&ipf_nat);
387: }
388:
389:
390: #ifdef KERNEL
391: /*
392: * Slowly expire held state for fragments. Timeouts are set * in expectation
393: * of this being called twice per second.
394: */
395: # if (BSD >= 199306) || SOLARIS || defined(__sgi)
396: void ipfr_slowtimer()
397: # else
398: int ipfr_slowtimer()
399: # endif
400: {
401: ipfr_t **fp, *fr;
402: nat_t *nat;
403: int s, idx;
404:
405: #ifdef __sgi
406: ipfilter_sgi_intfsync();
407: #endif
408:
409: SPL_NET(s);
410: MUTEX_ENTER(&ipf_frag);
411:
412: /*
413: * Go through the entire table, looking for entries to expire,
414: * decreasing the ttl by one for each entry. If it reaches 0,
415: * remove it from the chain and free it.
416: */
417: for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
418: for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
419: --fr->ipfr_ttl;
420: if (fr->ipfr_ttl == 0) {
421: if (fr->ipfr_prev)
422: fr->ipfr_prev->ipfr_next =
423: fr->ipfr_next;
424: if (fr->ipfr_next)
425: fr->ipfr_next->ipfr_prev =
426: fr->ipfr_prev;
427: *fp = fr->ipfr_next;
428: ipfr_stats.ifs_expire++;
429: ipfr_inuse--;
430: KFREE(fr);
431: } else
432: fp = &fr->ipfr_next;
433: }
434: MUTEX_EXIT(&ipf_frag);
435:
436: /*
437: * Same again for the NAT table, except that if the structure also
438: * still points to a NAT structure, and the NAT structure points back
439: * at the one to be free'd, NULL the reference from the NAT struct.
440: * NOTE: We need to grab both mutex's early, and in this order so as
441: * to prevent a deadlock if both try to expire at the same time.
442: */
443: MUTEX_ENTER(&ipf_nat);
444: MUTEX_ENTER(&ipf_natfrag);
445: for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
446: for (fp = &ipfr_nattab[idx]; (fr = *fp); ) {
447: --fr->ipfr_ttl;
448: if (fr->ipfr_ttl == 0) {
449: if (fr->ipfr_prev)
450: fr->ipfr_prev->ipfr_next =
451: fr->ipfr_next;
452: if (fr->ipfr_next)
453: fr->ipfr_next->ipfr_prev =
454: fr->ipfr_prev;
455: *fp = fr->ipfr_next;
456: ipfr_stats.ifs_expire++;
457: ipfr_inuse--;
458: if ((nat = (nat_t *)fr->ipfr_data)) {
459: if (nat->nat_data == fr)
460: nat->nat_data = NULL;
461: }
462: KFREE(fr);
463: } else
464: fp = &fr->ipfr_next;
465: }
466: MUTEX_EXIT(&ipf_natfrag);
467: MUTEX_EXIT(&ipf_nat);
468: SPL_X(s);
469: fr_timeoutstate();
470: ip_natexpire();
471: fr_authexpire();
472: # if SOLARIS
473: ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
474: # else
475: # ifndef linux
476: ip_slowtimo();
477: # endif
478: # if (BSD < 199306) && !defined(__sgi)
479: return 0;
480: # endif
481: # endif
482: }
483: #endif /* defined(KERNEL) */
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.