
1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
143 VNET_DEFINE(unsigned int, fw_tables_sets) = 0; /* Don't use set-aware tables */
199 …"Only do a single pass through ipfw when using dummynet(4), ipfw_nat or other divert(4)-like inter…
202 "Rule number auto-increment step");
211 "Status of linear skipto cache: 1 - enabled, 0 - disabled.");
222 "Use per-set namespace for tables");
254 #define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl))
264 int type = icmp->icmp_type; in icmptype_match()
266 return (type <= ICMP_MAXTYPE && (cmd->d[0] & (1<<type)) ); in icmptype_match()
275 int type = icmp->icmp_type; in is_icmp_query()
284 * low and high half of cmd->arg1 or cmd->d[0].
299 if ( ((cmd->arg1 & 0xff) & bits) != 0) in flags_match()
301 want_clear = (cmd->arg1 >> 8) & 0xff; in flags_match()
312 int x = (ip->ip_hl << 2) - sizeof (struct ip); in ipopts_match()
314 for (; x > 0; x -= optlen, cp += optlen) { in ipopts_match()
358 int cnt = (tcp->th_off << 2) - sizeof(struct tcphdr); in tcpopts_parse()
360 for (; cnt > 0; cnt -= optlen, cp += optlen) { in tcpopts_parse()
397 if (optlen > 2 && (optlen - 2) % TCPOLEN_SACK == 0) in tcpopts_parse()
426 if (cmd->name[0] != '\0') { /* match by name */ in iface_match()
427 if (cmd->name[0] == '\1') /* use tablearg to match */ in iface_match()
428 return ipfw_lookup_table(chain, cmd->p.kidx, 0, in iface_match()
429 &ifp->if_index, tablearg); in iface_match()
431 if (cmd->p.glob) { in iface_match()
432 if (fnmatch(cmd->name, ifp->if_xname, 0) == 0) in iface_match()
435 if (strncmp(ifp->if_xname, cmd->name, IFNAMSIZ) == 0) in iface_match()
444 CK_STAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) { in iface_match()
445 if (ia->ifa_addr->sa_family != AF_INET) in iface_match()
447 if (cmd->p.ip.s_addr == ((struct sockaddr_in *) in iface_match()
448 (ia->ifa_addr))->sin_addr.s_addr) in iface_match()
466 * commonly known as "anti-spoofing" or Unicast Reverse Path
467 * Forwarding (Unicast RPF) in Cisco-ese. The name of the knobs
470 * ip verify unicast reverse-path
471 * ip verify unicast source reachable-via any
491 * We should use rt->rt_ifa->ifa_ifp, instead of rt->rt_ifp, in verify_path()
496 if (ifp != NULL && ifp != nh->nh_aifp) in verify_path()
500 if (ifp == NULL && (nh->nh_flags & NHF_DEFAULT) != 0) in verify_path()
504 if (ifp == NULL && (nh->nh_flags & (NHF_REJECT|NHF_BLACKHOLE)) != 0) in verify_path()
514 * is given by vtag. The T-bit is set in the ABORT chunk if and only if
535 M_SETFIB(m, id->fib); in ipfw_send_abort()
545 switch (id->addr_type) { in ipfw_send_abort()
561 m->m_data += max_linkhdr; in ipfw_send_abort()
562 m->m_flags |= M_SKIP_FIREWALL; in ipfw_send_abort()
563 m->m_pkthdr.len = m->m_len = tlen; in ipfw_send_abort()
564 m->m_pkthdr.rcvif = NULL; in ipfw_send_abort()
565 bzero(m->m_data, tlen); in ipfw_send_abort()
567 switch (id->addr_type) { in ipfw_send_abort()
571 ip->ip_v = 4; in ipfw_send_abort()
572 ip->ip_hl = sizeof(struct ip) >> 2; in ipfw_send_abort()
573 ip->ip_tos = IPTOS_LOWDELAY; in ipfw_send_abort()
574 ip->ip_len = htons(tlen); in ipfw_send_abort()
575 ip->ip_id = htons(0); in ipfw_send_abort()
576 ip->ip_off = htons(0); in ipfw_send_abort()
577 ip->ip_ttl = V_ip_defttl; in ipfw_send_abort()
578 ip->ip_p = IPPROTO_SCTP; in ipfw_send_abort()
579 ip->ip_sum = 0; in ipfw_send_abort()
580 ip->ip_src.s_addr = htonl(id->dst_ip); in ipfw_send_abort()
581 ip->ip_dst.s_addr = htonl(id->src_ip); in ipfw_send_abort()
589 ip6->ip6_vfc = IPV6_VERSION; in ipfw_send_abort()
590 ip6->ip6_plen = htons(plen); in ipfw_send_abort()
591 ip6->ip6_nxt = IPPROTO_SCTP; in ipfw_send_abort()
592 ip6->ip6_hlim = IPV6_DEFHLIM; in ipfw_send_abort()
593 ip6->ip6_src = id->dst_ip6; in ipfw_send_abort()
594 ip6->ip6_dst = id->src_ip6; in ipfw_send_abort()
601 sctp->src_port = htons(id->dst_port); in ipfw_send_abort()
602 sctp->dest_port = htons(id->src_port); in ipfw_send_abort()
603 sctp->v_tag = htonl(vtag); in ipfw_send_abort()
604 sctp->checksum = htonl(0); in ipfw_send_abort()
607 chunk->chunk_type = SCTP_ABORT_ASSOCIATION; in ipfw_send_abort()
608 chunk->chunk_flags = 0; in ipfw_send_abort()
610 chunk->chunk_flags |= SCTP_HAD_NO_TCB; in ipfw_send_abort()
612 chunk->chunk_length = htons(sizeof(struct sctp_chunkhdr)); in ipfw_send_abort()
614 sctp->checksum = sctp_calculate_cksum(m, hlen); in ipfw_send_abort()
643 M_SETFIB(m, id->fib); in ipfw_send_pkt()
653 switch (id->addr_type) { in ipfw_send_pkt()
669 m->m_data += max_linkhdr; in ipfw_send_pkt()
670 m->m_flags |= M_SKIP_FIREWALL; in ipfw_send_pkt()
671 m->m_pkthdr.len = m->m_len = len; in ipfw_send_pkt()
672 m->m_pkthdr.rcvif = NULL; in ipfw_send_pkt()
673 bzero(m->m_data, len); in ipfw_send_pkt()
675 switch (id->addr_type) { in ipfw_send_pkt()
680 h->ip_p = IPPROTO_TCP; in ipfw_send_pkt()
681 h->ip_len = htons(sizeof(struct tcphdr)); in ipfw_send_pkt()
683 h->ip_src.s_addr = htonl(id->src_ip); in ipfw_send_pkt()
684 h->ip_dst.s_addr = htonl(id->dst_ip); in ipfw_send_pkt()
686 h->ip_src.s_addr = htonl(id->dst_ip); in ipfw_send_pkt()
687 h->ip_dst.s_addr = htonl(id->src_ip); in ipfw_send_pkt()
697 h6->ip6_nxt = IPPROTO_TCP; in ipfw_send_pkt()
698 h6->ip6_plen = htons(sizeof(struct tcphdr)); in ipfw_send_pkt()
700 h6->ip6_src = id->src_ip6; in ipfw_send_pkt()
701 h6->ip6_dst = id->dst_ip6; in ipfw_send_pkt()
703 h6->ip6_src = id->dst_ip6; in ipfw_send_pkt()
704 h6->ip6_dst = id->src_ip6; in ipfw_send_pkt()
713 th->th_sport = htons(id->src_port); in ipfw_send_pkt()
714 th->th_dport = htons(id->dst_port); in ipfw_send_pkt()
716 th->th_sport = htons(id->dst_port); in ipfw_send_pkt()
717 th->th_dport = htons(id->src_port); in ipfw_send_pkt()
719 th->th_off = sizeof(struct tcphdr) >> 2; in ipfw_send_pkt()
723 th->th_seq = htonl(ack); in ipfw_send_pkt()
728 th->th_ack = htonl(seq); in ipfw_send_pkt()
733 * Keepalive - use caller provided sequence numbers in ipfw_send_pkt()
735 th->th_seq = htonl(seq); in ipfw_send_pkt()
736 th->th_ack = htonl(ack); in ipfw_send_pkt()
740 switch (id->addr_type) { in ipfw_send_pkt()
742 th->th_sum = in_cksum(m, len); in ipfw_send_pkt()
745 h->ip_v = 4; in ipfw_send_pkt()
746 h->ip_hl = sizeof(*h) >> 2; in ipfw_send_pkt()
747 h->ip_tos = IPTOS_LOWDELAY; in ipfw_send_pkt()
748 h->ip_off = htons(0); in ipfw_send_pkt()
749 h->ip_len = htons(len); in ipfw_send_pkt()
750 h->ip_ttl = V_ip_defttl; in ipfw_send_pkt()
751 h->ip_sum = 0; in ipfw_send_pkt()
755 th->th_sum = in6_cksum(m, IPPROTO_TCP, sizeof(*h6), in ipfw_send_pkt()
759 h6->ip6_vfc |= IPV6_VERSION; in ipfw_send_pkt()
760 h6->ip6_hlim = IPV6_DEFHLIM; in ipfw_send_pkt()
775 return (type <= ICMP6_MAXTYPE && (cmd->d[type/32] & (1<<(type%32)) ) ); in icmp6type_match()
782 for (i=0; i <= cmd->o.arg1; ++i) in flow6id_match()
783 if (curr_flow == cmd->d[i]) in flow6id_match()
808 if (!IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr)) in ipfw_localip6()
810 if (IN6_ARE_MASKED_ADDR_EQUAL(&ia->ia_addr.sin6_addr, in ipfw_localip6()
833 if (ifp != NULL && ifp != nh->nh_aifp) in verify_path6()
837 if (ifp == NULL && (nh->nh_flags & NHF_DEFAULT) != 0) in verify_path6()
841 if (ifp == NULL && (nh->nh_flags & (NHF_REJECT|NHF_BLACKHOLE)) != 0) in verify_path6()
894 m = args->m; in send_reject6()
895 if (code == ICMP6_UNREACH_RST && args->f_id.proto == IPPROTO_TCP) { in send_reject6()
901 m0 = ipfw_send_pkt(args->m, &(args->f_id), in send_reject6()
902 ntohl(tcp->th_seq), ntohl(tcp->th_ack), in send_reject6()
910 args->f_id.proto == IPPROTO_SCTP) { in send_reject6()
918 v_tag = ntohl(sctp->v_tag); in send_reject6()
920 if (m->m_len >= hlen + sizeof(struct sctphdr) + in send_reject6()
925 switch (chunk->chunk_type) { in send_reject6()
929 * a zero v-tag. in send_reject6()
936 if (m->m_pkthdr.len > in send_reject6()
938 ntohs(chunk->chunk_length) + 3) { in send_reject6()
942 if ((m->m_len >= hlen + sizeof(struct sctphdr) + in send_reject6()
948 v_tag = ntohl(init->initiate_tag); in send_reject6()
966 m0 = ipfw_send_abort(args->m, &(args->f_id), v_tag, in send_reject6()
983 if (args->L3offset) in send_reject6()
984 m_adj(m, args->L3offset); in send_reject6()
990 args->m = NULL; in send_reject6()
1009 if (args->L3offset) in send_reject()
1010 m_adj(m, args->L3offset); in send_reject()
1014 icmp_error(args->m, ICMP_UNREACH, code, 0L, mtu); in send_reject()
1015 } else if (code == ICMP_REJECT_RST && args->f_id.proto == IPPROTO_TCP) { in send_reject()
1017 L3HDR(struct tcphdr, mtod(args->m, struct ip *)); in send_reject()
1020 m = ipfw_send_pkt(args->m, &(args->f_id), in send_reject()
1021 ntohl(tcp->th_seq), ntohl(tcp->th_ack), in send_reject()
1026 FREE_PKT(args->m); in send_reject()
1028 args->f_id.proto == IPPROTO_SCTP) { in send_reject()
1036 sctp = L3HDR(struct sctphdr, mtod(args->m, struct ip *)); in send_reject()
1038 v_tag = ntohl(sctp->v_tag); in send_reject()
1039 if (iplen >= (ip->ip_hl << 2) + sizeof(struct sctphdr) + in send_reject()
1043 switch (chunk->chunk_type) { in send_reject()
1047 * a zero v-tag. in send_reject()
1055 (ip->ip_hl << 2) + sizeof(struct sctphdr) + in send_reject()
1056 ntohs(chunk->chunk_length) + 3) { in send_reject()
1060 if ((iplen >= (ip->ip_hl << 2) + in send_reject()
1065 v_tag = ntohl(init->initiate_tag); in send_reject()
1083 m = ipfw_send_abort(args->m, &(args->f_id), v_tag, in send_reject()
1088 FREE_PKT(args->m); in send_reject()
1090 FREE_PKT(args->m); in send_reject()
1091 args->m = NULL; in send_reject()
1098 * yet done a lookup, 1 if we succeeded, and -1 if we tried
1115 (struct bsd_ucred *)uc, ugid_lookupp, ((struct mbuf *)inp)->m_skb); in check_uidgid()
1124 id = &args->f_id; in check_uidgid()
1125 inp = args->inp; in check_uidgid()
1134 if (inp->inp_socket != NULL) { in check_uidgid()
1135 *uc = crhold(inp->inp_cred); in check_uidgid()
1138 *ugid_lookupp = -1; in check_uidgid()
1145 if (*ugid_lookupp == -1) in check_uidgid()
1147 if (id->proto == IPPROTO_TCP) { in check_uidgid()
1150 } else if (id->proto == IPPROTO_UDP) { in check_uidgid()
1153 } else if (id->proto == IPPROTO_UDPLITE) { in check_uidgid()
1161 if (id->addr_type == 6) { in check_uidgid()
1163 if (args->flags & IPFW_ARGS_IN) in check_uidgid()
1165 &id->src_ip6, htons(id->src_port), in check_uidgid()
1166 &id->dst_ip6, htons(id->dst_port), in check_uidgid()
1167 lookupflags, NULL, args->m); in check_uidgid()
1170 &id->dst_ip6, htons(id->dst_port), in check_uidgid()
1171 &id->src_ip6, htons(id->src_port), in check_uidgid()
1172 lookupflags, args->ifp, args->m); in check_uidgid()
1174 *ugid_lookupp = -1; in check_uidgid()
1178 src_ip.s_addr = htonl(id->src_ip); in check_uidgid()
1179 dst_ip.s_addr = htonl(id->dst_ip); in check_uidgid()
1180 if (args->flags & IPFW_ARGS_IN) in check_uidgid()
1182 src_ip, htons(id->src_port), in check_uidgid()
1183 dst_ip, htons(id->dst_port), in check_uidgid()
1184 lookupflags, NULL, args->m); in check_uidgid()
1187 dst_ip, htons(id->dst_port), in check_uidgid()
1188 src_ip, htons(id->src_port), in check_uidgid()
1189 lookupflags, args->ifp, args->m); in check_uidgid()
1193 *uc = crhold(pcb->inp_cred); in check_uidgid()
1199 * We tried and failed, set the variable to -1 in check_uidgid()
1202 *ugid_lookupp = -1; in check_uidgid()
1206 if (insn->o.opcode == O_UID) in check_uidgid()
1207 match = ((*uc)->cr_uid == (uid_t)insn->d[0]); in check_uidgid()
1208 else if (insn->o.opcode == O_GID) in check_uidgid()
1209 match = groupmember((gid_t)insn->d[0], *uc); in check_uidgid()
1210 else if (insn->o.opcode == O_JAIL) in check_uidgid()
1211 match = ((*uc)->cr_prison->pr_id == (int)insn->d[0]); in check_uidgid()
1226 args->rule.chain_id = chain->id; in set_match()
1227 args->rule.slot = slot + 1; /* we use 0 as a marker */ in set_match()
1228 args->rule.rule_id = 1 + chain->map[slot]->id; in set_match()
1229 args->rule.rulenum = chain->map[slot]->rulenum; in set_match()
1230 args->flags |= IPFW_ARGS_REF; in set_match()
1243 if (!jump_backwards && i <= f->rulenum) in jump_lookup_pos()
1244 i = f->rulenum + 1; in jump_lookup_pos()
1253 i = IPFW_DEFAULT_RULE - 1; in jump_lookup_pos()
1254 f_pos = chain->idxmap[i]; in jump_lookup_pos()
1271 * If possible use cached f_pos (in f->cache.pos), in jump()
1272 * whose version is written in f->cache.id (horrible hacks in jump()
1282 cache.raw_value = f->cache.raw_value; in jump()
1283 if (cache.id == chain->id) in jump()
1289 cache.id = chain->id; in jump()
1290 f->cache.raw_value = cache.raw_value; in jump()
1292 if (f->cache.id == chain->id) { in jump()
1295 return (f->cache.pos); in jump()
1300 f->cache.pos = f_pos; in jump()
1303 f->cache.id = chain->id; in jump()
1316 switch (IPFW_TVALUE_TYPE(&cmd->o)) { in tvalue_match()
1352 return (tvalue == cmd->value); in tvalue_match()
1363 * args->m (in/out) The packet; we set to NULL when/if we nuke it.
1365 * args->L3offset Number of bytes bypassed if we came from L2.
1367 * args->ifp Incoming or outgoing interface.
1368 * args->divert_rule (in/out)
1370 * upon return, non-zero port number for divert or tee.
1372 * args->rule Pointer to the last matching rule (in/out)
1373 * args->next_hop Socket we are forwarding to (out).
1374 * args->next_hop6 IPv6 next hop we are forwarding to (out).
1375 * args->f_id Addresses grabbed from the packet (out)
1376 * args->rule.info a cookie depending on rule action
1384 * IP_FW_DUMMYNET to dummynet, pipe in args->cookie
1385 * IP_FW_NETGRAPH into netgraph, cookie args->cookie
1386 * args->rule contains the matching rule,
1387 * args->rule.info has additional information.
1403 * m | args->m Pointer to the mbuf, as received from the caller. in ipfw_chk()
1409 * args->mem Pointer to contiguous memory chunk. in ipfw_chk()
1457 * proto The protocol. Set to 0 for non-ip packets, in ipfw_chk()
1502 if ((mem = (args->flags & IPFW_ARGS_LENMASK))) { in ipfw_chk()
1503 if (args->flags & IPFW_ARGS_ETHER) { in ipfw_chk()
1504 eh = (struct ether_header *)args->mem; in ipfw_chk()
1505 if (eh->ether_type == htons(ETHERTYPE_VLAN)) in ipfw_chk()
1512 ip = (struct ip *)args->mem; in ipfw_chk()
1514 pktlen = IPFW_ARGS_LENGTH(args->flags); in ipfw_chk()
1515 args->f_id.fib = args->ifp->if_fib; /* best guess */ in ipfw_chk()
1517 m = args->m; in ipfw_chk()
1518 if (m->m_flags & M_SKIP_FIREWALL || (! V_ipfw_vnet_ready)) in ipfw_chk()
1520 if (args->flags & IPFW_ARGS_ETHER) { in ipfw_chk()
1522 if (m->m_len < min(m->m_pkthdr.len, max_protohdr) && in ipfw_chk()
1523 (args->m = m = m_pullup(m, min(m->m_pkthdr.len, in ipfw_chk()
1532 pktlen = m->m_pkthdr.len; in ipfw_chk()
1533 args->f_id.fib = M_GETFIB(m); /* mbuf not altered */ in ipfw_chk()
1548 #define EHLEN (eh != NULL ? ((char *)ip - (char *)eh) : 0) in ipfw_chk()
1557 p = (char *)args->mem + (_len) + EHLEN; \ in ipfw_chk()
1559 if (__predict_false((m)->m_len < x)) { \ in ipfw_chk()
1560 args->m = m = m_pullup(m, x); \ in ipfw_chk()
1585 args->m = m; \ in ipfw_chk()
1591 (eh == NULL || eh->ether_type == htons(ETHERTYPE_IPV6)) && in ipfw_chk()
1592 ip->ip_v == 6) { in ipfw_chk()
1596 args->flags |= IPFW_ARGS_IP6; in ipfw_chk()
1598 proto = ip6->ip6_nxt; in ipfw_chk()
1605 icmp6_type = ICMP6(ulp)->icmp6_type; in ipfw_chk()
1611 dst_port = TCP(ulp)->th_dport; in ipfw_chk()
1612 src_port = TCP(ulp)->th_sport; in ipfw_chk()
1614 args->f_id._flags = tcp_get_flags(TCP(ulp)); in ipfw_chk()
1626 PULLUP_LEN(hlen, ulp, pktlen - hlen); in ipfw_chk()
1630 src_port = SCTP(ulp)->src_port; in ipfw_chk()
1631 dst_port = SCTP(ulp)->dest_port; in ipfw_chk()
1637 dst_port = UDP(ulp)->uh_dport; in ipfw_chk()
1638 src_port = UDP(ulp)->uh_sport; in ipfw_chk()
1644 hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3; in ipfw_chk()
1645 proto = ((struct ip6_hbh *)ulp)->ip6h_nxt; in ipfw_chk()
1651 switch (((struct ip6_rthdr *)ulp)->ip6r_type) { in ipfw_chk()
1660 printf("IPFW2: IPV6 - Unknown " in ipfw_chk()
1663 ulp)->ip6r_type); in ipfw_chk()
1669 hlen += (((struct ip6_rthdr *)ulp)->ip6r_len + 1) << 3; in ipfw_chk()
1670 proto = ((struct ip6_rthdr *)ulp)->ip6r_nxt; in ipfw_chk()
1678 proto = ((struct ip6_frag *)ulp)->ip6f_nxt; in ipfw_chk()
1679 offset = ((struct ip6_frag *)ulp)->ip6f_offlg & in ipfw_chk()
1681 ip6f_mf = ((struct ip6_frag *)ulp)->ip6f_offlg & in ipfw_chk()
1686 printf("IPFW2: IPV6 - Invalid " in ipfw_chk()
1692 args->f_id.extra = in ipfw_chk()
1693 ntohl(((struct ip6_frag *)ulp)->ip6f_ident); in ipfw_chk()
1700 hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3; in ipfw_chk()
1701 proto = ((struct ip6_hbh *)ulp)->ip6h_nxt; in ipfw_chk()
1708 hlen += (((struct ip6_ext *)ulp)->ip6e_len + 2) << 2; in ipfw_chk()
1709 proto = ((struct ip6_ext *)ulp)->ip6e_nxt; in ipfw_chk()
1726 ulp = ip; /* non-NULL to get out of loop. */ in ipfw_chk()
1748 ((struct carp_header *)ulp)->carp_type) in ipfw_chk()
1766 printf("IPFW2: IPV6 - Unknown " in ipfw_chk()
1777 args->f_id.addr_type = 6; in ipfw_chk()
1778 args->f_id.src_ip6 = ip6->ip6_src; in ipfw_chk()
1779 args->f_id.dst_ip6 = ip6->ip6_dst; in ipfw_chk()
1780 args->f_id.flow_id6 = ntohl(ip6->ip6_flow); in ipfw_chk()
1781 iplen = ntohs(ip6->ip6_plen) + sizeof(*ip6); in ipfw_chk()
1783 (eh == NULL || eh->ether_type == htons(ETHERTYPE_IP)) && in ipfw_chk()
1784 ip->ip_v == 4) { in ipfw_chk()
1786 args->flags |= IPFW_ARGS_IP4; in ipfw_chk()
1787 hlen = ip->ip_hl << 2; in ipfw_chk()
1792 proto = ip->ip_p; in ipfw_chk()
1793 src_ip = ip->ip_src; in ipfw_chk()
1794 dst_ip = ip->ip_dst; in ipfw_chk()
1795 offset = ntohs(ip->ip_off) & IP_OFFMASK; in ipfw_chk()
1796 iplen = ntohs(ip->ip_len); in ipfw_chk()
1802 dst_port = TCP(ulp)->th_dport; in ipfw_chk()
1803 src_port = TCP(ulp)->th_sport; in ipfw_chk()
1805 args->f_id._flags = tcp_get_flags(TCP(ulp)); in ipfw_chk()
1817 PULLUP_LEN(hlen, ulp, pktlen - hlen); in ipfw_chk()
1821 src_port = SCTP(ulp)->src_port; in ipfw_chk()
1822 dst_port = SCTP(ulp)->dest_port; in ipfw_chk()
1828 dst_port = UDP(ulp)->uh_dport; in ipfw_chk()
1829 src_port = UDP(ulp)->uh_sport; in ipfw_chk()
1834 //args->f_id.flags = ICMP(ulp)->icmp_type; in ipfw_chk()
1848 args->f_id.addr_type = 4; in ipfw_chk()
1849 args->f_id.src_ip = ntohl(src_ip.s_addr); in ipfw_chk()
1850 args->f_id.dst_ip = ntohl(dst_ip.s_addr); in ipfw_chk()
1855 args->f_id.addr_type = 1; /* XXX */ in ipfw_chk()
1861 args->f_id.proto = proto; in ipfw_chk()
1862 args->f_id.src_port = src_port = ntohs(src_port); in ipfw_chk()
1863 args->f_id.dst_port = dst_port = ntohs(dst_port); in ipfw_chk()
1870 if (args->flags & IPFW_ARGS_REF) { in ipfw_chk()
1873 * match on rule args->rule aka args->rule_id (PIPE, QUEUE, in ipfw_chk()
1876 * if still present, otherwise do a lookup. in ipfw_chk()
1878 f_pos = (args->rule.chain_id == chain->id) ? in ipfw_chk()
1879 args->rule.slot : in ipfw_chk()
1880 ipfw_find_rule(chain, args->rule.rulenum, in ipfw_chk()
1881 args->rule.rule_id); in ipfw_chk()
1886 if (args->flags & IPFW_ARGS_IN) { in ipfw_chk()
1887 iif = args->ifp; in ipfw_chk()
1890 MPASS(args->flags & IPFW_ARGS_OUT); in ipfw_chk()
1892 oif = args->ifp; in ipfw_chk()
1898 * need to break out of one or both loops, or re-enter one of in ipfw_chk()
1913 for (; f_pos < chain->n_rules; f_pos++) { in ipfw_chk()
1919 f = chain->map[f_pos]; in ipfw_chk()
1920 if (V_set_disable & (1 << f->set) ) in ipfw_chk()
1924 for (l = f->cmd_len, cmd = f->cmd ; l > 0 ; in ipfw_chk()
1925 l -= cmdlen, cmd += cmdlen) { in ipfw_chk()
1944 if ((cmd->len & F_OR) == 0) in ipfw_chk()
1950 switch (cmd->opcode) { in ipfw_chk()
1964 cmd->opcode); in ipfw_chk()
2001 match = iface_match(args->ifp, in ipfw_chk()
2006 if (args->flags & IPFW_ARGS_ETHER) { in ipfw_chk()
2008 ((ipfw_insn_mac *)cmd)->addr; in ipfw_chk()
2010 ((ipfw_insn_mac *)cmd)->mask; in ipfw_chk()
2021 if (args->flags & IPFW_ARGS_ETHER) { in ipfw_chk()
2023 ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2026 for (i = cmdlen - 1; !match && i>0; in ipfw_chk()
2027 i--, p += 2) in ipfw_chk()
2029 (ntohs(eh->ether_type) >= in ipfw_chk()
2031 ntohs(eh->ether_type) <= in ipfw_chk()
2044 ((ntohs(ip->ip_off) & ~IP_OFFMASK) in ipfw_chk()
2051 match = (cmd->arg1 == 0x1 && in ipfw_chk()
2061 match = (args->flags & IPFW_ARGS_ETHER); in ipfw_chk()
2065 if ((args->flags & IPFW_ARGS_REF) == 0) in ipfw_chk()
2068 * For diverted packets, args->rule.info in ipfw_chk()
2072 match = ((args->rule.info & IPFW_IS_MASK) == in ipfw_chk()
2074 ((args->rule.info & IPFW_INFO_IN) ? in ipfw_chk()
2075 1: 2) & cmd->arg1); in ipfw_chk()
2083 match = (proto == cmd->arg1); in ipfw_chk()
2088 (((ipfw_insn_ip *)cmd)->addr.s_addr == in ipfw_chk()
2113 pkey = &args->f_id.dst_ip6; in ipfw_chk()
2115 pkey = &args->f_id.src_ip6; in ipfw_chk()
2120 key = ip->ip_tos >> 2; in ipfw_chk()
2129 key &= insntod(cmd, table)->value; in ipfw_chk()
2155 key &= insntod(cmd, table)->value; in ipfw_chk()
2161 if ((args->flags & IPFW_ARGS_ETHER) == 0) in ipfw_chk()
2165 eh->ether_dhost : eh->ether_shost; in ipfw_chk()
2176 key = ucred_cache->cr_uid; in ipfw_chk()
2178 key = ucred_cache->cr_prison->pr_id; in ipfw_chk()
2188 key &= insntod(cmd, table)->value; in ipfw_chk()
2193 key = args->rule.pkt_mark; in ipfw_chk()
2195 key &= insntod(cmd, table)->value; in ipfw_chk()
2200 key = f->rulenum; in ipfw_chk()
2202 key &= insntod(cmd, table)->value; in ipfw_chk()
2211 insntod(cmd, kidx)->kidx, keylen, in ipfw_chk()
2228 if (cmd->opcode == O_IP_DST_LOOKUP) in ipfw_chk()
2234 if (cmd->opcode == O_IP_DST_LOOKUP) in ipfw_chk()
2235 pkey = &args->f_id.dst_ip6; in ipfw_chk()
2237 pkey = &args->f_id.src_ip6; in ipfw_chk()
2241 insntod(cmd, kidx)->kidx, in ipfw_chk()
2263 if ((args->flags & IPFW_ARGS_ETHER) == 0) in ipfw_chk()
2266 if (cmd->opcode == O_MAC_DST_LOOKUP) in ipfw_chk()
2267 pkey = eh->ether_dhost; in ipfw_chk()
2269 pkey = eh->ether_shost; in ipfw_chk()
2272 insntod(cmd, kidx)->kidx, in ipfw_chk()
2291 insntod(cmd, kidx)->kidx, 0, in ipfw_chk()
2292 &args->f_id, &vidx); in ipfw_chk()
2307 (cmd->opcode == O_IP_DST_MASK) ? in ipfw_chk()
2309 uint32_t *p = ((ipfw_insn_u32 *)cmd)->d; in ipfw_chk()
2310 int i = cmdlen-1; in ipfw_chk()
2312 for (; !match && i>0; i-= 2, p+= 2) in ipfw_chk()
2326 ipfw_localip6(&args->f_id.src_ip6); in ipfw_chk()
2335 cmd->opcode == O_IP_DST_SET ? in ipfw_chk()
2336 args->f_id.dst_ip : in ipfw_chk()
2337 args->f_id.src_ip; in ipfw_chk()
2341 addr -= d[0]; /* subtract base */ in ipfw_chk()
2342 match = (addr < cmd->arg1) && in ipfw_chk()
2350 (((ipfw_insn_ip *)cmd)->addr.s_addr == in ipfw_chk()
2363 ipfw_localip6(&args->f_id.dst_ip6); in ipfw_chk()
2379 (cmd->opcode == O_IP_SRCPORT) ? in ipfw_chk()
2382 ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2385 for (i = cmdlen - 1; !match && i>0; in ipfw_chk()
2386 i--, p += 2) in ipfw_chk()
2401 ICMP6(ulp)->icmp6_type, in ipfw_chk()
2413 cmd->arg1 == ip->ip_v); in ipfw_chk()
2426 if (cmd->opcode == O_IPLEN) in ipfw_chk()
2428 else if (cmd->opcode == O_IPTTL) in ipfw_chk()
2429 x = ip->ip_ttl; in ipfw_chk()
2431 x = ntohs(ip->ip_id); in ipfw_chk()
2433 match = (cmd->arg1 == x); in ipfw_chk()
2437 p = ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2438 i = cmdlen - 1; in ipfw_chk()
2439 for (; !match && i>0; i--, p += 2) in ipfw_chk()
2446 (cmd->arg1 == (ip->ip_tos & 0xe0)) ); in ipfw_chk()
2451 flags_match(cmd, ip->ip_tos)); in ipfw_chk()
2459 p = ((ipfw_insn_u32 *)cmd)->d; in ipfw_chk()
2462 x = ip->ip_tos >> 2; in ipfw_chk()
2472 match = *(p + 1) & (1 << (x - 32)); in ipfw_chk()
2489 if (ip6->ip6_plen == 0) { in ipfw_chk()
2497 x = iplen - hlen; in ipfw_chk()
2500 x = iplen - (ip->ip_hl << 2); in ipfw_chk()
2502 x -= tcp->th_off << 2; in ipfw_chk()
2504 match = (cmd->arg1 == x); in ipfw_chk()
2508 p = ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2509 i = cmdlen - 1; in ipfw_chk()
2510 for (; !match && i>0; i--, p += 2) in ipfw_chk()
2528 (TCP(ulp)->th_off << 2)); in ipfw_chk()
2535 ((ipfw_insn_u32 *)cmd)->d[0] == in ipfw_chk()
2536 TCP(ulp)->th_seq); in ipfw_chk()
2541 ((ipfw_insn_u32 *)cmd)->d[0] == in ipfw_chk()
2542 TCP(ulp)->th_ack); in ipfw_chk()
2547 (args->f_id._flags & TH_SYN) != 0 && in ipfw_chk()
2553 (TCP(ulp)->th_off << 2)); in ipfw_chk()
2558 match = (cmd->arg1 == mss); in ipfw_chk()
2562 p = ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2563 i = cmdlen - 1; in ipfw_chk()
2564 for (; !match && i > 0; i--, p += 2) in ipfw_chk()
2576 x = ntohs(TCP(ulp)->th_win); in ipfw_chk()
2578 match = (cmd->arg1 == x); in ipfw_chk()
2582 p = ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2583 i = cmdlen - 1; in ipfw_chk()
2584 for (; !match && i > 0; i--, p += 2) in ipfw_chk()
2604 * packet filtering system - pf(4). in ipfw_chk()
2610 if (at != NULL && at->qid != 0) in ipfw_chk()
2623 at->qid = altq->qid; in ipfw_chk()
2624 at->hdr = ip; in ipfw_chk()
2635 match = (random()<((ipfw_insn_u32 *)cmd)->d[0]); in ipfw_chk()
2640 match = (args->flags & IPFW_ARGS_OUT || in ipfw_chk()
2644 verify_path6(&(args->f_id.src_ip6), in ipfw_chk()
2645 iif, args->f_id.fib) : in ipfw_chk()
2647 verify_path(src_ip, iif, args->f_id.fib))); in ipfw_chk()
2655 verify_path6(&(args->f_id.src_ip6), in ipfw_chk()
2656 NULL, args->f_id.fib) : in ipfw_chk()
2658 verify_path(src_ip, NULL, args->f_id.fib)))); in ipfw_chk()
2667 in6_localaddr(&(args->f_id.src_ip6))) in ipfw_chk()
2673 &(args->f_id.src_ip6), iif, in ipfw_chk()
2674 args->f_id.fib) : in ipfw_chk()
2677 args->f_id.fib); in ipfw_chk()
2691 IN6_ARE_ADDR_EQUAL(&args->f_id.src_ip6, in ipfw_chk()
2692 &((ipfw_insn_ip6 *)cmd)->addr6); in ipfw_chk()
2697 IN6_ARE_ADDR_EQUAL(&args->f_id.dst_ip6, in ipfw_chk()
2698 &((ipfw_insn_ip6 *)cmd)->addr6); in ipfw_chk()
2703 int i = cmdlen - 1; in ipfw_chk()
2706 &((ipfw_insn_ip6 *)cmd)->addr6; in ipfw_chk()
2709 i -= F_INSN_SIZE(struct in6_addr) in ipfw_chk()
2711 p = (cmd->opcode == in ipfw_chk()
2713 args->f_id.src_ip6: in ipfw_chk()
2714 args->f_id.dst_ip6; in ipfw_chk()
2725 flow6id_match(args->f_id.flow_id6, in ipfw_chk()
2731 (ext_hd & ((ipfw_insn *) cmd)->arg1); in ipfw_chk()
2745 uint32_t tag = TARG(cmd->arg1, tag); in ipfw_chk()
2751 * present. And we must remove this mtag from in ipfw_chk()
2757 if (cmd->len & F_NOT) { /* `untag' action */ in ipfw_chk()
2774 if (args->f_id.fib == cmd->arg1) in ipfw_chk()
2780 struct inpcb *inp = args->inp; in ipfw_chk()
2812 &args->f_id.src_ip6, in ipfw_chk()
2814 &args->f_id.dst_ip6, in ipfw_chk()
2821 if (inp->inp_socket) { in ipfw_chk()
2823 inp->inp_socket->so_user_cookie; in ipfw_chk()
2836 uint32_t tag = TARG(cmd->arg1, tag); in ipfw_chk()
2851 if (mtag->m_tag_cookie != MTAG_IPFW) in ipfw_chk()
2854 p = ((ipfw_insn_u16 *)cmd)->ports; in ipfw_chk()
2855 i = cmdlen - 1; in ipfw_chk()
2856 for(; !match && i > 0; i--, p += 2) in ipfw_chk()
2858 mtag->m_tag_id >= p[0] && in ipfw_chk()
2859 mtag->m_tag_id <= p[1]; in ipfw_chk()
2866 if (cmd->arg1 == IP_FW_TARG) in ipfw_chk()
2869 mark = insntoc(cmd, u32)->d[0]; in ipfw_chk()
2871 (args->rule.pkt_mark & in ipfw_chk()
2872 insntoc(cmd, u32)->d[1]) == in ipfw_chk()
2873 (mark & insntoc(cmd, u32)->d[1]); in ipfw_chk()
2883 * (but there are exceptions -- see below). in ipfw_chk()
2947 * keep-state or check-state occurrence, in ipfw_chk()
2966 l = f->cmd_len - f->act_ofs; in ipfw_chk()
2975 if (cmd->opcode == O_CHECK_STATE) in ipfw_chk()
2994 args->rule.info = TARG(cmd->arg1, pipe); in ipfw_chk()
2995 if (cmd->opcode == O_PIPE) in ipfw_chk()
2996 args->rule.info |= IPFW_IS_PIPE; in ipfw_chk()
2998 args->rule.info |= IPFW_ONEPASS; in ipfw_chk()
3006 if (args->flags & IPFW_ARGS_ETHER) in ipfw_chk()
3011 retval = (cmd->opcode == O_DIVERT) ? in ipfw_chk()
3014 args->rule.info = TARG(cmd->arg1, divert); in ipfw_chk()
3025 insntod(cmd, u32)->d[0], tablearg, false); in ipfw_chk()
3027 * Skip disabled rules, and re-enter in ipfw_chk()
3032 for (; f_pos < chain->n_rules - 1 && in ipfw_chk()
3034 (1 << chain->map[f_pos]->set)); in ipfw_chk()
3037 /* Re-enter the inner loop at the skipto rule. */ in ipfw_chk()
3038 f = chain->map[f_pos]; in ipfw_chk()
3039 l = f->cmd_len; in ipfw_chk()
3040 cmd = f->cmd; in ipfw_chk()
3055 * present. The `m_tag_id' field is used as in ipfw_chk()
3061 #define IS_CALL ((cmd->len & F_NOT) == 0) in ipfw_chk()
3062 #define IS_RETURN ((cmd->len & F_NOT) != 0) in ipfw_chk()
3064 * Hand-rolled version of m_tag_locate() with in ipfw_chk()
3070 if (mtag->m_tag_cookie == in ipfw_chk()
3078 * of stack. If it doesn't match chain->id, in ipfw_chk()
3086 if (stack[0] != chain->id) { in ipfw_chk()
3087 stack[0] = chain->id; in ipfw_chk()
3088 mtag->m_tag_id = 0; in ipfw_chk()
3097 mtag->m_tag_id == 0)) { in ipfw_chk()
3110 stack[0] = chain->id; in ipfw_chk()
3118 f->rulenum); in ipfw_chk()
3125 if (IS_CALL && mtag->m_tag_id >= in ipfw_chk()
3126 IPFW_CALLSTACK_SIZE - 1) { in ipfw_chk()
3129 f->rulenum); in ipfw_chk()
3140 stack[++mtag->m_tag_id] = f_pos; in ipfw_chk()
3142 insntod(cmd, u32)->d[0], in ipfw_chk()
3145 jmpto = stack[mtag->m_tag_id--]; in ipfw_chk()
3146 if (cmd->arg1 == RETURN_NEXT_RULE) in ipfw_chk()
3150 chain->map[ in ipfw_chk()
3151 jmpto]->rulenum + 1, 0); in ipfw_chk()
3155 * Skip disabled rules, and re-enter in ipfw_chk()
3160 MPASS(f_pos < chain->n_rules - 1); in ipfw_chk()
3161 for (; f_pos < chain->n_rules - 1 && in ipfw_chk()
3163 (1 << chain->map[f_pos]->set)); f_pos++) in ipfw_chk()
3166 * Re-enter the inner loop at the dest in ipfw_chk()
3169 f = chain->map[f_pos]; in ipfw_chk()
3170 l = f->cmd_len; in ipfw_chk()
3171 cmd = f->cmd; in ipfw_chk()
3189 !(m->m_flags & (M_BCAST|M_MCAST)) && in ipfw_chk()
3192 ("o_reject - need_send_reject was set previously")); in ipfw_chk()
3193 if ((reject_code = cmd->arg1) == ICMP_UNREACH_NEEDFRAG && in ipfw_chk()
3194 cmd->len == F_INSN_SIZE(ipfw_insn_u16)) { in ipfw_chk()
3196 ((ipfw_insn_u16 *)cmd)->ports[0]; in ipfw_chk()
3209 !(m->m_flags & (M_BCAST|M_MCAST)) && in ipfw_chk()
3211 &args->f_id.dst_ip6)) { in ipfw_chk()
3213 ("o_unreach6 - need_send_reject was set previously")); in ipfw_chk()
3214 reject_code = cmd->arg1; in ipfw_chk()
3215 if (cmd->opcode == O_REJECT) { in ipfw_chk()
3230 if (args->flags & IPFW_ARGS_ETHER) in ipfw_chk()
3236 sa = &(((ipfw_insn_sa *)cmd)->sa); in ipfw_chk()
3237 if (sa->sin_addr.s_addr == INADDR_ANY) { in ipfw_chk()
3250 args->flags |= IPFW_ARGS_NH6; in ipfw_chk()
3251 nh6 = &args->hopstore6; in ipfw_chk()
3252 nh6->sin6_addr = TARG_VAL( in ipfw_chk()
3254 nh6->sin6_port = sa->sin_port; in ipfw_chk()
3255 nh6->sin6_scope_id = TARG_VAL( in ipfw_chk()
3260 args->flags |= IPFW_ARGS_NH4; in ipfw_chk()
3261 args->hopstore.sin_port = in ipfw_chk()
3262 sa->sin_port; in ipfw_chk()
3263 sa = &args->hopstore; in ipfw_chk()
3264 sa->sin_family = AF_INET; in ipfw_chk()
3265 sa->sin_len = sizeof(*sa); in ipfw_chk()
3266 sa->sin_addr.s_addr = htonl( in ipfw_chk()
3271 args->flags |= IPFW_ARGS_NH4PTR; in ipfw_chk()
3272 args->next_hop = sa; in ipfw_chk()
3282 if (args->flags & IPFW_ARGS_ETHER) in ipfw_chk()
3288 sin6 = &(((ipfw_insn_sa6 *)cmd)->sa); in ipfw_chk()
3289 args->flags |= IPFW_ARGS_NH6PTR; in ipfw_chk()
3290 args->next_hop6 = sin6; in ipfw_chk()
3301 args->rule.info = TARG(cmd->arg1, netgraph); in ipfw_chk()
3303 args->rule.info |= IPFW_ONEPASS; in ipfw_chk()
3304 retval = (cmd->opcode == O_NETGRAPH) ? in ipfw_chk()
3314 fib = TARG(cmd->arg1, fib) & 0x7FFF; in ipfw_chk()
3318 args->f_id.fib = fib; /* XXX */ in ipfw_chk()
3326 code = TARG(cmd->arg1, dscp) & 0x3F; in ipfw_chk()
3332 ip->ip_tos = (code << 2) | in ipfw_chk()
3333 (ip->ip_tos & 0x03); in ipfw_chk()
3334 ip->ip_sum = cksum_adjust(ip->ip_sum, in ipfw_chk()
3338 args->f_id.flow_id6 = in ipfw_chk()
3340 args->f_id.flow_id6 |= code << 22; in ipfw_chk()
3343 htonl(args->f_id.flow_id6); in ipfw_chk()
3366 args->rule.info = 0; in ipfw_chk()
3369 if (cmd->arg1 == IP_FW_NAT44_GLOBAL) { in ipfw_chk()
3373 t = ((ipfw_insn_nat *)cmd)->nat; in ipfw_chk()
3375 nat_id = TARG(cmd->arg1, nat); in ipfw_chk()
3376 t = (*lookup_nat_ptr)(&chain->nat, nat_id); in ipfw_chk()
3382 if (cmd->arg1 != IP_FW_TARG) in ipfw_chk()
3383 ((ipfw_insn_nat *)cmd)->nat = t; in ipfw_chk()
3395 ip_off = ntohs(ip->ip_off); in ipfw_chk()
3401 args->m = m = ip_reass(m); in ipfw_chk()
3412 hlen = ip->ip_hl << 2; in ipfw_chk()
3413 ip->ip_sum = 0; in ipfw_chk()
3415 ip->ip_sum = in_cksum_hdr(ip); in ipfw_chk()
3417 ip->ip_sum = in_cksum(m, hlen); in ipfw_chk()
3419 args->rule.info = 0; in ipfw_chk()
3428 args->rule.pkt_mark = ( in ipfw_chk()
3429 (cmd->arg1 == IP_FW_TARG) ? in ipfw_chk()
3431 insntoc(cmd, u32)->d[0]); in ipfw_chk()
3461 f->rulenum, cmd->opcode); in ipfw_chk()
3467 if (cmd->len & F_NOT) in ipfw_chk()
3471 if (cmd->len & F_OR) in ipfw_chk()
3474 if (!(cmd->len & F_OR)) /* not an OR block, */ in ipfw_chk()
3490 struct ip_fw *rule = chain->map[f_pos]; in ipfw_chk()
3496 (uintptr_t)&args->f_id.src_ip6, in ipfw_chk()
3498 (uintptr_t)&args->f_id.dst_ip6, in ipfw_chk()
3541 if ((error != 0) || (req->newptr == NULL)) in sysctl_ipfw_table_num()
3548 * Switches table namespace between global and per-set.
3560 if ((error != 0) || (req->newptr == NULL)) in sysctl_ipfw_tables_sets()
3616 /* Check user-supplied table count for validness */ in ipfw_init()
3664 LIST_INIT(&chain->nat); in vnet_ipfw_init()
3676 free(chain->map, M_IPFW); in vnet_ipfw_init()
3686 rule->flags |= IPFW_RULE_NOOPT; in vnet_ipfw_init()
3687 rule->cmd_len = 1; in vnet_ipfw_init()
3688 rule->cmd[0].len = 1; in vnet_ipfw_init()
3689 rule->cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY; in vnet_ipfw_init()
3690 chain->default_rule = rule; in vnet_ipfw_init()
3708 * changes in the underlying (per-vnet) variables trigger in vnet_ipfw_init()
3748 for (i = 0; i < chain->n_rules; i++) in vnet_ipfw_uninit()
3749 ipfw_reap_add(chain, &reap, chain->map[i]); in vnet_ipfw_uninit()
3750 free(chain->map, M_IPFW); in vnet_ipfw_uninit()
3810 #define IPFW_MODEVENT_ORDER (SI_ORDER_ANY - 255) /* On boot slot in here. */