head 1.2; access; symbols perseant-exfatfs-base-20250801:1.2 perseant-exfatfs-base-20240630:1.2 perseant-exfatfs:1.2.0.44 perseant-exfatfs-base:1.2 cjep_sun2x:1.2.0.42 cjep_sun2x-base:1.2 cjep_staticlib_x-base1:1.2 cjep_staticlib_x:1.2.0.40 cjep_staticlib_x-base:1.2 phil-wifi-20200421:1.2 phil-wifi-20200411:1.2 phil-wifi-20200406:1.2 pgoyette-compat-merge-20190127:1.2 pgoyette-compat-20190127:1.2 pgoyette-compat-20190118:1.2 pgoyette-compat-1226:1.2 pgoyette-compat-1126:1.2 pgoyette-compat-1020:1.2 pgoyette-compat-0930:1.2 pgoyette-compat-0906:1.2 pgoyette-compat-0728:1.2 pgoyette-compat-0625:1.2 pgoyette-compat-0521:1.2 pgoyette-compat-0502:1.2 pgoyette-compat-0422:1.2 pgoyette-compat-0415:1.2 pgoyette-compat-0407:1.2 pgoyette-compat-0330:1.2 pgoyette-compat-0322:1.2 pgoyette-compat-0315:1.2 pgoyette-compat:1.2.0.38 pgoyette-compat-base:1.2 prg-localcount2-base3:1.2 prg-localcount2-base2:1.2 prg-localcount2-base1:1.2 prg-localcount2:1.2.0.36 prg-localcount2-base:1.2 pgoyette-localcount-20170426:1.2 bouyer-socketcan-base1:1.2 pgoyette-localcount-20170320:1.2 bouyer-socketcan:1.2.0.34 bouyer-socketcan-base:1.2 pgoyette-localcount-20170107:1.2 pgoyette-localcount-20161104:1.2 localcount-20160914:1.2 pgoyette-localcount-20160806:1.2 pgoyette-localcount-20160726:1.2 pgoyette-localcount:1.2.0.32 pgoyette-localcount-base:1.2 netbsd-5-2-3-RELEASE:1.2 netbsd-5-1-5-RELEASE:1.2 yamt-pagecache-base9:1.2 yamt-pagecache-tag8:1.2 tls-earlyentropy:1.2.0.28 tls-earlyentropy-base:1.2 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.2 riastradh-drm2-base3:1.2 netbsd-5-2-2-RELEASE:1.2 netbsd-5-1-4-RELEASE:1.2 netbsd-5-2-1-RELEASE:1.2 netbsd-5-1-3-RELEASE:1.2 agc-symver:1.2.0.30 agc-symver-base:1.2 tls-maxphys-base:1.2 yamt-pagecache-base8:1.2 netbsd-5-2:1.2.0.26 yamt-pagecache-base7:1.2 netbsd-5-2-RELEASE:1.2 netbsd-5-2-RC1:1.2 yamt-pagecache-base6:1.2 yamt-pagecache-base5:1.2 yamt-pagecache-base4:1.2 netbsd-5-1-2-RELEASE:1.2 netbsd-5-1-1-RELEASE:1.2 yamt-pagecache-base3:1.2 
yamt-pagecache-base2:1.2 yamt-pagecache:1.2.0.24 yamt-pagecache-base:1.2 bouyer-quota2-nbase:1.2 bouyer-quota2:1.2.0.22 bouyer-quota2-base:1.2 matt-nb5-pq3:1.2.0.20 matt-nb5-pq3-base:1.2 netbsd-5-1:1.2.0.18 netbsd-5-1-RELEASE:1.2 netbsd-5-1-RC4:1.2 netbsd-5-1-RC3:1.2 netbsd-5-1-RC2:1.2 netbsd-5-1-RC1:1.2 netbsd-5-0-2-RELEASE:1.2 netbsd-5-0-1-RELEASE:1.2 jym-xensuspend-nbase:1.2 netbsd-5-0:1.2.0.16 netbsd-5-0-RELEASE:1.2 netbsd-5-0-RC4:1.2 netbsd-5-0-RC3:1.2 netbsd-5-0-RC2:1.2 jym-xensuspend:1.2.0.14 jym-xensuspend-base:1.2 netbsd-5-0-RC1:1.2 netbsd-5:1.2.0.12 netbsd-5-base:1.2 mjf-devfs2:1.2.0.10 mjf-devfs2-base:1.2 yamt-pf42-base4:1.2 yamt-pf42-base3:1.2 hpcarm-cleanup-nbase:1.2 v4-1-29:1.1.1.2 yamt-pf42-base2:1.2 yamt-pf42:1.2.0.8 yamt-pf42-base:1.2 keiichi-mipv6:1.2.0.6 keiichi-mipv6-base:1.2 cube-autoconf:1.2.0.4 cube-autoconf-base:1.2 hpcarm-cleanup:1.2.0.2 hpcarm-cleanup-base:1.2 v4-1-23:1.1.1.2 v4-1-22:1.1.1.2 v4-1-20:1.1.1.2 v4-1-19:1.1.1.2 v4-1-13:1.1.1.2 v4-1-8:1.1.1.2 v4-1-6:1.1.1.2 v4-1-5:1.1.1.2 v4-1-3:1.1.1.1 DARRENR:1.1.1; locks; strict; comment @# @; 1.2 date 2004.07.23.05.43.04; author martti; state dead; branches; next 1.1; 1.1 date 2004.07.23.05.34.23; author martti; state Exp; branches 1.1.1.1; next ; 1.1.1.1 date 2004.07.23.05.34.23; author martti; state Exp; branches; next 1.1.1.2; 1.1.1.2 date 2005.02.08.06.53.12; author martti; state Exp; branches; next ; desc @@ 1.2 log @Not needed in NetBSD @ text @--- sys/arch/alpha/alpha/conf.c.orig Sat Feb 21 15:09:52 2004 +++ sys/arch/alpha/alpha/conf.c Thu Jul 8 14:04:39 2004 @@@@ -103,6 +103,11 @@@@ #include "lpt.h" cdev_decl(lpt); cdev_decl(prom); /* XXX XXX XXX */ +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif cdev_decl(wd); cdev_decl(fd); #include "cy.h" @@@@ -173,7 +178,7 @@@@ cdev_midi_init(NMIDI,midi), /* 41: MIDI I/O */ cdev_midi_init(NSEQUENCER,sequencer), /* 42: sequencer I/O */ cdev_disk_init(NRAID,raid), /* 43: RAIDframe disk driver */ - cdev_notdef(), /* 44 */ + 
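Review bot: The `#ifdef IPFILTER` / `#define NIPF 1` / `#else` / `#define NIPF 0` / `#endif` block placed before `cdev_decl(wd)` is repeated by hand in each of the other twelve conf.c hunks of this diff, while the net/ and netinet/ hunks gate their hooks on `defined(IPFILTER) || defined(IPFILTER_LKM)`. Since the diff already edits sys/sys/conf.h to add `cdev_gen_ipf`, the NIPF definition would be better placed once there, next to that macro, so a later change to the condition is made in one spot. As written an IPFILTER_LKM kernel gets NIPF 0 and an unusable `cdev_gen_ipf(0,ipl)` slot; if that is intended (the module presumably registers its own entry), a one-line comment such as `/* NIPF is 1 only for a compiled-in ipf; the LKM supplies its own cdev entry */` should say so.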
cdev_gen_ipf(NIPF,ipl), /* 44: IP filter log */ cdev_usb_init(NUSB,usb), /* 45: USB controller */ cdev_usbdev_init(NUHID,uhid), /* 46: USB generic HID */ cdev_ulpt_init(NULPT,ulpt), /* 47: USB printer */ --- sys/arch/hp300/hp300/conf.c.orig Sat Feb 21 15:10:07 2004 +++ sys/arch/hp300/hp300/conf.c Thu Jul 8 14:04:40 2004 @@@@ -122,6 +122,12 @@@@ cdev_decl(xfs_dev); #endif +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + #include "pf.h" #include "systrace.h" @@@@ -165,7 +171,7 @@@@ cdev_disk_init(NRD,rd), /* 34: RAM disk */ cdev_tty_init(NAPCI,apci), /* 35: Apollo APCI UARTs */ cdev_ksyms_init(NKSYMS,ksyms), /* 36: Kernel symbols device */ - cdev_notdef(), /* 37 */ + cdev_pf_init(NIPF,ipl), /* 37: packet filter */ cdev_notdef(), /* 38 */ cdev_notdef(), /* 39 */ cdev_notdef(), /* 40 */ --- sys/arch/hppa/hppa/conf.c.orig Sat Feb 21 15:10:10 2004 +++ sys/arch/hppa/hppa/conf.c Thu Jul 8 14:07:09 2004 @@@@ -107,6 +107,12 @@@@ #include "com.h" cdev_decl(com); +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + #include "pf.h" #include "systrace.h" @@@@ -166,7 +172,7 @@@@ cdev_crypto_init(NCRYPTO,crypto), /* 36: /dev/crypto */ cdev_ses_init(NSES,ses), /* 37: SCSI SES/SAF-TE */ cdev_ptm_init(NPTY,ptm), /* 38: pseudo-tty ptm device */ - cdev_lkm_dummy(), + cdev_gen_ipf(NIPF,ipl), /* 39: ip filtering */ cdev_lkm_dummy(), cdev_lkm_dummy(), cdev_lkm_dummy(), --- sys/arch/i386/i386/conf.c.orig Sat Feb 21 15:10:12 2004 +++ sys/arch/i386/i386/conf.c Thu Jul 8 14:07:28 2004 @@@@ -185,6 +185,12 @@@@ #include "radio.h" #include "gpr.h" +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + /* XXX -- this needs to be supported by config(8)! */ #if (NCOM > 0) && (NPCCOM > 0) #error com and pccom are mutually exclusive. Sorry. 
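Review bot: The new major 44 entry `cdev_gen_ipf(NIPF,ipl)` has no matching device-node creation in this patch: every file header in the diff is under sys/, so nothing creates /dev/ipl for this major on alpha, and the same holds for the majors chosen in the other conf.c hunks. Unless MAKEDEV is updated separately, the device is reachable only through hand-made nodes; add that change to the patch or record the dependency in the description. The slot comments also differ per port (`IP filter log`, `ip filtering`, `IP Filtering`, `packet filter`); a single wording such as `/* 44: IP filter (ipl) */` keeps the tables greppable.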
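Review bot: The hp300 table wires the ipf device with `cdev_pf_init(NIPF,ipl)` at slot 37, whereas every other architecture in this diff uses `cdev_gen_ipf(NIPF,ipl)`. Per the sys/sys/conf.h hunk, `cdev_pf_init` maps `read` to `enodev` (`/* open, close, ioctl */`) while `cdev_gen_ipf` supplies `read`, so on hp300 a read of /dev/ipl would fail where the other ports allow it. The comment `/* 37: packet filter */` looks copied from the pf entry as well; change the line to `cdev_gen_ipf(NIPF,ipl), /* 37: IP filter */`.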
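Review bot: On hppa the ipf entry replaces a `cdev_lkm_dummy()` slot (39) rather than a `cdev_notdef()` one, and the mvme68k hunk does the same at slot 45. A `cdev_lkm_dummy()` entry is presumably what the LKM loader recognises as a free slot, so a kernel built without IPFILTER still loses that slot to an unusable `cdev_gen_ipf(0,ipl)` entry, unlike the other ports, which repurpose a `cdev_notdef()` slot and leave the LKM slots alone. Prefer a free notdef slot where one exists in these two tables; if none does, a comment such as `/* 39: IP filter (took an lkm slot) */` should record the trade-off.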
@@@@ -310,6 +316,7 @@@@ cdev_oci_init(NBIO,bio), /* 79: ioctl tunnel */ cdev_ch_init(NGPR,gpr), /* 80: GPR400 SmartCard reader */ cdev_ptm_init(NPTY,ptm), /* 81: pseudo-tty ptm device */ + cdev_gen_ipf(NIPF,ipl), /* 82: ip filtering */ }; int nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]); --- sys/arch/mac68k/mac68k/conf.c.orig Sat Feb 21 15:10:19 2004 +++ sys/arch/mac68k/mac68k/conf.c Thu Jul 8 14:04:40 2004 @@@@ -104,6 +104,12 @@@@ cdev_decl(xfs_dev); #endif +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + #include "pf.h" #include "systrace.h" @@@@ -148,7 +154,7 @@@@ cdev_pf_init(NPF,pf), /* 35: packet filter */ cdev_audio_init(NASC,asc), /* 36: ASC audio device */ cdev_ksyms_init(NKSYMS,ksyms), /* 37: Kernel symbols device */ - cdev_notdef(), /* 38 */ + cdev_gen_ipf(NIPF,ipl), /* 38: IP filter log */ cdev_notdef(), /* 39 */ cdev_notdef(), /* 40 */ cdev_notdef(), /* 41 */ --- sys/arch/macppc/macppc/conf.c.orig Sat Feb 21 15:10:20 2004 +++ sys/arch/macppc/macppc/conf.c Thu Jul 8 14:04:40 2004 @@@@ -105,6 +105,12 @@@@ #include "tun.h" +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + #ifdef XFS #include cdev_decl(xfs_dev); @@@@ -191,7 +197,7 @@@@ cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ cdev_audio_init(NAUDIO,audio), /* 44: generic audio I/O */ - cdev_notdef(), /* 45 */ + cdev_gen_ipf(NIPF,ipl), /* 45: IP filter */ cdev_notdef(), /* 46 */ cdev_crypto_init(NCRYPTO,crypto), /* 47: /dev/crypto */ cdev_notdef(), /* 48 */ --- sys/arch/mvme68k/mvme68k/conf.c.orig Sat Feb 21 15:10:21 2004 +++ sys/arch/mvme68k/mvme68k/conf.c Thu Jul 8 14:08:04 2004 @@@@ -148,6 +148,12 @@@@ #include "bpfilter.h" #include "tun.h" +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + #include "pf.h" #include "systrace.h" @@@@ -203,7 +209,7 @@@@ cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ cdev_ch_init(NCH,ch), /* 44: SCSI 
autochanger */ - cdev_lkm_dummy(), /* 45 */ + cdev_gen_ipf(NIPF,ipl), /* 45: IP filter */ cdev_lkm_dummy(), /* 46 */ cdev_lkm_dummy(), /* 47 */ cdev_lkm_dummy(), /* 48 */ --- sys/arch/mvme88k/mvme88k/conf.c.orig Sat Feb 21 15:10:24 2004 +++ sys/arch/mvme88k/mvme88k/conf.c Thu Jul 8 14:09:53 2004 @@@@ -99,6 +99,12 @@@@ cdev_decl(lptwo); #endif /* notyet */ +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + #include "pf.h" #include "systrace.h" @@@@ -189,7 +195,7 @@@@ cdev_ss_init(NSS,ss), /* 42 */ cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ cdev_ch_init(NCH,ch), /* 44: SCSI autochanger */ - cdev_notdef(), /* 45 */ + cdev_gen_ipf(NIPF,ipl), /* 45: IP filter */ cdev_notdef(), /* 46 */ cdev_notdef(), /* 47 */ cdev_notdef(), /* 48 */ --- sys/arch/mvmeppc/mvmeppc/conf.c.orig Sat Feb 21 15:10:29 2004 +++ sys/arch/mvmeppc/mvmeppc/conf.c Thu Jul 8 14:04:41 2004 @@@@ -112,6 +112,12 @@@@ #include "ksyms.h" +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + #include "pf.h" #include "systrace.h" @@@@ -165,7 +171,7 @@@@ cdev_uk_init(NUK,uk), /* 41: unknown SCSI */ cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ - cdev_notdef(), /* 44 */ + cdev_gen_ipf(NIPF,ipl), /* 44: IP filter */ cdev_notdef(), /* 45 */ cdev_notdef(), /* 46 */ cdev_notdef(), /* 47 */ --- sys/arch/sparc/sparc/conf.c.orig Sat Feb 21 15:10:36 2004 +++ sys/arch/sparc/sparc/conf.c Thu Jul 8 14:04:41 2004 @@@@ -124,6 +124,12 @@@@ }; int nblkdev = sizeof(bdevsw) / sizeof(bdevsw[0]); +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + #include "pf.h" #include "systrace.h" @@@@ -194,7 +200,7 @@@@ cdev_notdef(), /* 57 */ cdev_disk_init(NCD,cd), /* 58: SCSI CD-ROM */ cdev_pf_init(NPF,pf), /* 59: packet filter */ - cdev_notdef(), /* 60 */ + cdev_gen_ipf(NIPF,ipl), /* 60: ip filtering log */ cdev_notdef(), /* 61 */ cdev_notdef(), /* 62 */ cdev_notdef(), /* 63 */ --- sys/arch/sparc64/sparc64/conf.c.orig 
Sat Feb 21 15:10:38 2004 +++ sys/arch/sparc64/sparc64/conf.c Thu Jul 8 14:04:41 2004 @@@@ -110,6 +110,12 @@@@ #include "ucom.h" #include "uscanner.h" +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + #include "pf.h" #ifdef XFS @@@@ -246,7 +252,7 @@@@ cdev_mouse_init(NWSKBD, wskbd), /* 79: keyboards */ cdev_mouse_init(NWSMOUSE, wsmouse), /* 80: mice */ cdev_mouse_init(NWSMUX, wsmux), /* 81: ws multiplexor */ - cdev_notdef(), /* 82 */ + cdev_gen_ipf(NIPF,ipl), /* 82: IP filter */ cdev_notdef(), /* 83 */ cdev_notdef(), /* 84 */ cdev_notdef(), /* 85 */ --- sys/arch/vax/vax/conf.c.orig Sat Feb 21 15:10:41 2004 +++ sys/arch/vax/vax/conf.c Thu Jul 8 14:04:41 2004 @@@@ -353,6 +353,12 @@@@ #include "wskbd.h" #include "wsmouse.h" +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + #include "pf.h" #include "systrace.h" @@@@ -406,7 +412,7 @@@@ cdev_notdef(), /* 44 was Datakit */ cdev_notdef(), /* 45 was Datakit */ cdev_notdef(), /* 46 was Datakit */ - cdev_notdef(), /* 47 */ + cdev_gen_ipf(NIPF,ipl), /* 47: IP filter */ cdev_notdef(), /* 48 */ cdev_systrace_init(NSYSTRACE,systrace), /* 49: system call tracing */ cdev_ksyms_init(NKSYMS,ksyms), /* 50: Kernel symbols device */ --- sys/arch/amd64/amd64/conf.c.orig Thu Feb 26 06:22:12 2004 +++ sys/arch/amd64/amd64/conf.c Sat Jul 10 12:31:46 2004 @@@@ -191,6 +191,12 @@@@ #include "pf.h" +#ifdef IPFILTER +#define NIPF 1 +#else +#define NIPF 0 +#endif + struct cdevsw cdevsw[] = { cdev_cn_init(1,cn), /* 0: virtual console */ @@@@ -295,6 +301,7 @@@@ cdev_oci_init(NBIO,bio), /* 79: ioctl tunnel */ cdev_notdef(), /* 80: gpr? 
XXX */ cdev_ptm_init(NPTY,ptm), /* 81: pseudo-tty ptm device */ + cdev_gen_ipf(NIPF, ipl), /* 82: IP Filtering */ }; int nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]); --- sys/conf/GENERIC.orig Wed Mar 3 08:23:46 2004 +++ sys/conf/GENERIC Thu Jul 8 14:04:41 2004 @@@@ -72,6 +72,8 @@@@ #option EON # OSI tunneling over IP #option NETATALK # AppleTalk #option CCITT,LLC,HDLC # X.25 +option IPFILTER # IP packet filter for security +option IPFILTER_LOG # use /dev/ipl to log IPF option PPP_BSDCOMP # PPP BSD compression option PPP_DEFLATE #option MROUTING # Multicast router --- sys/conf/files.orig Sun Mar 14 05:44:13 2004 +++ sys/conf/files Thu Jul 8 14:04:41 2004 @@@@ -719,6 +719,14 @@@@ file netinet/tcp_usrreq.c inet file netinet/udp_usrreq.c inet file netinet/ip_gre.c inet +file netinet/ip_fil.c ipfilter +file netinet/fil.c ipfilter +file netinet/ip_nat.c ipfilter +file netinet/ip_frag.c ipfilter +file netinet/ip_state.c ipfilter +file netinet/ip_proxy.c ipfilter +file netinet/ip_auth.c ipfilter +file netinet/ip_log.c ipfilter file netinet/ip_ipsp.c (inet | inet6) & (ipsec | tcp_signature) file netinet/ip_spd.c (inet | inet6) & (ipsec | tcp_signature) file netinet/ip_ipip.c inet | inet6 --- sys/net/bridgestp.c.orig Wed Dec 3 09:00:10 2003 +++ sys/net/bridgestp.c Thu Jul 8 14:04:42 2004 @@@@ -58,6 +58,11 @@@@ #include #include #include + +#ifdef IPFILTER +#include +#include +#endif #endif #if NBPFILTER > 0 --- sys/net/if.c.orig Sun Feb 29 05:34:01 2004 +++ sys/net/if.c Thu Jul 8 14:04:42 2004 @@@@ -99,6 +99,12 @@@@ #include #endif +#ifdef IPFILTER +#include +#include +#include +#endif + #if NBPFILTER > 0 #include #endif @@@@ -556,6 +562,11 @@@@ /* Remove the interface from the list of all interfaces. */ TAILQ_REMOVE(&ifnet, ifp, if_list); + +#ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ + frsync(); +#endif /* * Deallocate private resources. 
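Review bot: The include block added to bridgestp.c is guarded by `#ifdef IPFILTER` alone, whereas the if_bridge.c hunks in this diff test `defined(IPFILTER) || defined(IPFILTER_LKM)`. Nothing else in the hunk uses an ipf symbol, so the diff does not show whether bridgestp.c needs these headers at all; if it does not, drop the hunk, and if it does, align the guard with if_bridge.c so an IPFILTER_LKM build sees the same declarations. The header names themselves are not visible in this rendering of the patch.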
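Review bot: `frsync()` runs in the interface-detach path right after `TAILQ_REMOVE(&ifnet, ifp, if_list)` but only under `#ifdef IPFILTER`, while the filter hooks elsewhere in this diff are also compiled under IPFILTER_LKM; in a module build nothing here tells ipf that the interface is going away, so rule or NAT state could keep a pointer to the `struct ifnet` this function is about to release. The author's own `/* XXX More ipf & ipnat cleanup needed. */` points the same way, and the 1.1.1.2 delta at the end of this file appears to change the call to `frsync(ifp);`, presumably the form that lets ipf limit the resync to the departing interface — confirm against frsync's definition. The enclosing function starts before and ends after this hunk.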
--- sys/net/if_bridge.c.orig Sat Feb 21 15:11:02 2004 +++ sys/net/if_bridge.c Thu Jul 8 14:04:42 2004 @@@@ -66,7 +66,11 @@@@ #include #include +#if (defined(IPFILTER) || defined(IPFILTER_LKM)) +#include +#include #endif +#endif #ifdef INET6 #include @@@@ -152,7 +156,7 @@@@ int bridge_brlconf(struct bridge_softc *, struct ifbrlconf *); u_int8_t bridge_filterrule(struct brl_head *, struct ether_header *, struct mbuf *); -#if NPF > 0 +#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *, struct ether_header *, struct mbuf *m); #endif @@@@ -1218,7 +1222,7 @@@@ m_freem(m); return; } -#if NPF > 0 +#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) m = bridge_filter(sc, BRIDGE_IN, src_if, &eh, m); if (m == NULL) return; @@@@ -1261,7 +1265,7 @@@@ m_freem(m); return; } -#if NPF > 0 +#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) m = bridge_filter(sc, BRIDGE_OUT, dst_if, &eh, m); if (m == NULL) return; @@@@ -1509,7 +1513,7 @@@@ mc = m1; } -#if NPF > 0 +#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) mc = bridge_filter(sc, BRIDGE_OUT, dst_if, eh, mc); if (mc == NULL) continue; @@@@ -2287,6 +2291,12 @@@@ * We don't need to do loop detection, the * bridge will do that for us. */ +#if defined(IPFILTER) || defined(IPFILTER_LKM) + if (dir == BRIDGE_OUT && fr_checkp && + ((*fr_checkp)(ip, hlen, &encif[0].sc_if, + 1, &m) || !m)) + return 1; +#endif #if NPF > 0 switch (af) { #ifdef INET @@@@ -2311,6 +2321,12 @@@@ if (m == NULL) return (1); #endif /* NPF */ +#if defined(IPFILTER) || defined(IPFILTER_LKM) + if (dir == BRIDGE_IN && fr_checkp && + ((*fr_checkp)(ip, hlen, &encif[0].sc_if, + 0, &m) || !m)) + return 1; +#endif error = ipsp_process_packet(m, tdb, af, 0); return (1); } else @@@@ -2321,7 +2337,7 @@@@ } #endif /* IPSEC */ -#if NPF > 0 +#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) /* * Filter IP packets by peeking into the ethernet frame. 
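Review bot: The guard `#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM))` introduced at the `bridge_filter` prototype is repeated verbatim in the hunks at -1218, -1261, -1509, -2321 and -2509, and a variant with the operands reordered appears at -2424. A single feature macro defined next to the new includes, `#if (NPF > 0) || defined(IPFILTER) || defined(IPFILTER_LKM)` / `#define BRIDGE_HAS_FILTER 1` / `#endif`, tested as `#if BRIDGE_HAS_FILTER` at each site, removes the duplication and the chance of the copies drifting. The trailing `#endif` comment changed at -2509 would then name the macro instead of the full condition.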
This violates * the ISO model, but allows us to act as a IP filter at the data link @@@@ -2424,14 +2440,32 @@@@ return (NULL); #endif /* IPSEC */ -#if NPF > 0 +#if defined(IPFILTER) || defined(IPFILTER_LKM) || (NPF > 0) /* Finally, we get to filter the packet! */ m->m_pkthdr.rcvif = ifp; +#endif +#if defined(IPFILTER) || defined(IPFILTER_LKM) + if (dir == BRIDGE_OUT) { + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m)) + goto dropit; + if (m == NULL) + goto dropit; + } +#endif +#if NPF > 0 if (pf_test(dir, ifp, &m) != PF_PASS) goto dropit; if (m == NULL) goto dropit; #endif /* NPF */ +#if defined(IPFILTER) || defined(IPFILTER_LKM) + if (dir == BRIDGE_IN) { + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 0, &m)) + goto dropit; + if (m == NULL) + goto dropit; + } +#endif /* Rebuild the IP header */ if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL)) @@@@ -2472,6 +2506,14 @@@@ return (NULL); #endif /* IPSEC */ +#if defined(IPFILTER) || defined(IPFILTER_LKM) + if (dir == BRIDGE_OUT) { + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m)) + goto dropit; + if (m == NULL) + return (NULL); + } +#endif #if NPF > 0 if (pf_test6(dir, ifp, &m) != PF_PASS) goto dropit; @@@@ -2478,6 +2520,14 @@@@ if (m == NULL) return (NULL); #endif /* NPF */ +#if defined(IPFILTER) || defined(IPFILTER_LKM) + if (dir == BRIDGE_IN) { + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 0, &m)) + goto dropit; + if (m == NULL) + return (NULL); + } +#endif break; } @@@@ -2509,7 +2559,7 @@@@ m_freem(m); return (NULL); } -#endif /* NPF > 0 */ +#endif /* (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) */ void bridge_fragment(struct bridge_softc *sc, struct ifnet *ifp, --- sys/netinet/in_proto.c.orig Tue Dec 16 15:33:09 2003 +++ sys/netinet/in_proto.c Thu Jul 8 14:04:42 2004 @@@@ -159,6 +159,11 @@@@ #include #endif /* MROUTING */ +#ifdef IPFILTER +void iplinit __P((void)); +#define ip_init iplinit +#endif + #ifdef INET6 #include #endif /* INET6 */ --- sys/netinet/ip_input.c.orig Tue Mar 16 
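Review bot: In the BRIDGE_IN block added after `pf_test(dir, ifp, &m)`, `(*fr_checkp)(ip, hlen, ifp, 0, &m)` still receives the `ip` pointer computed before pf ran, yet pf may hand back a different chain through `&m` — the existing code only re-derives the header afterwards, under `/* Rebuild the IP header */` with `m_pullup` and `ip = mtod(m, struct ip *)` — so the ipf check can read header bytes that no longer belong to `m`. Move the BRIDGE_IN block below that rebuild, or re-derive the pointer first with `ip = mtod(m, struct ip *);` after the same `m->m_len < hlen` pullup check the rebuild uses. The IPv6 BRIDGE_IN block at -2478 has the same ordering relative to `pf_test6`, as does the IPsec path at -2311 relative to the pf switch, if those can likewise substitute the chain. bridge_filter begins and ends outside this hunk.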
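Review bot: `#define ip_init iplinit` silently rewrites every later use of the token `ip_init` in in_proto.c, which presumably is how ipf's `iplinit` gets into the inetsw[] init slot, but the hunk carries no comment saying so, and the macro also rewrites any prototype of `ip_init` in a header included after this point (the INET6 includes follow it). A short comment would save the next reader a search: `/* IPFILTER: iplinit() attaches ipf and then runs the real ip_init(); the #define redirects the inetsw[] pr_init entry below. */` — the claim about calling ip_init() needs confirming against iplinit. Placing the `#define` immediately before the table rather than among the includes would also narrow what it can affect.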
10:36:27 2004 +++ sys/netinet/ip_input.c Thu Jul 8 14:04:42 2004 @@@@ -149,6 +149,10 @@@@ struct in_ifaddrhead in_ifaddr; struct ifqueue ipintrq; +#if defined(IPFILTER) || defined(IPFILTER_LKM) +int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); +#endif + int ipq_locked; static __inline int ipq_lock_try(void); static __inline void ipq_unlock(void); @@@@ -404,6 +408,23 @@@@ ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2; pfrdr = (pfrdr != ip->ip_dst.s_addr); +#endif + +#if defined(IPFILTER) || defined(IPFILTER_LKM) + /* + * Check if we want to allow this packet to be processed. + * Consider it to be bad if not. + */ + { + struct mbuf *m0 = m; + if (fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0)) { + return; + } + if (m0 == 0) { /* in case of 'fastroute' */ + return; + } + ip = mtod(m = m0, struct ip *); + } #endif /* --- sys/netinet/ip_output.c.orig Sat Feb 21 15:11:04 2004 +++ sys/netinet/ip_output.c Thu Jul 8 14:04:42 2004 @@@@ -82,6 +82,10 @@@@ static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *); static void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *); +#if defined(IPFILTER) || defined(IPFILTER_LKM) +extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); +#endif + /* * IP output. The packet in mbuf chain m contains a skeletal IP * header (with len, off, ttl, proto, tos, src, dst). @@@@ -555,7 +559,31 @@@@ if (sproto != 0) { s = splnet(); +#if defined(IPFILTER) || defined(IPFILTER_LKM) + if (fr_checkp) { /* + * Ok, it's time for a simple round-trip to the IPF/NAT + * code with the enc0 interface. 
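Review bot: The new filter block is an anonymous `{ ... }` scope with `if (m0 == 0)` pointer tests, while the matching ip6_input.c hunk in this diff writes the same hook as `if (fr_checkp != NULL) { struct mbuf *m0 = m; ... }`; the two should share one shape, and `NULL` rather than `0` for the mbuf pointer matches that file. On the block path both `return`s leave silently, so a packet ipf drops is not counted the way the `goto bad` path presumably is (that label is outside the hunk); a comment such as `/* ipf keeps its own drop statistics; no ipstat counter is bumped here */` would record that as deliberate, if it is. The enclosing function starts before and ends after the hunk.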
+ */ + struct mbuf *m1 = m; + void *ifp = (void *)&encif[0].sc_if; + + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) { + error = EHOSTUNREACH; + splx(s); + goto done; + } + if (m1 == 0) { /* in case of 'fastroute' */ + error = 0; + splx(s); + goto done; + } + ip = mtod(m = m1, struct ip *); + hlen = ip->ip_hl << 2; + } +#endif /* IPFILTER */ + + /* * Packet filter */ #if NPF > 0 @@@@ -653,6 +681,25 @@@@ m->m_pkthdr.csum &= ~M_UDPV4_CSUM_OUT; /* Clear */ } } + +#if defined(IPFILTER) || defined(IPFILTER_LKM) + /* + * looks like most checking has been done now...do a filter check + */ + { + struct mbuf *m1 = m; + + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m1)) { + error = EHOSTUNREACH; + goto done; + } + if (m1 == 0) { /* in case of 'fastroute' */ + error = 0; + goto done; + } + ip = mtod(m = m1, struct ip *); + } +#endif /* * Packet filter --- sys/netinet6/ip6_input.c.orig Sat Feb 21 15:11:05 2004 +++ sys/netinet6/ip6_input.c Thu Jul 8 14:04:42 2004 @@@@ -128,6 +128,10 @@@@ static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); +#if defined(IPFILTER) || defined(IPFILTER_LKM) +extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); +#endif + /* * IP6 initialization: fill in IP6 protocol switch table. * All protocols not implemented in kernel go to raw IP6 protocol handler. @@@@ -244,6 +248,26 @@@@ in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); goto bad; } + +#if defined(IPFILTER) || defined(IPFILTER_LKM) + /* + * Check if we want to allow this packet to be processed. + * Consider it to be bad if not. 
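Review bot: Inside the `if (sproto != 0)` IPsec branch the new block declares `void *ifp = (void *)&encif[0].sc_if;`, which shadows the function's own `ifp` — the one the second hook at -653 passes to `(*fr_checkp)(ip, hlen, ifp, 1, &m1)` — with a differently typed variable; write `struct ifnet *encifp = &encif[0].sc_if;` and pass that, which also drops the cast the prototype does not need. The two hooks also disagree after a successful check: this one recomputes `hlen = ip->ip_hl << 2;` from the possibly new chain, the one at -653 (and the ip_input.c hook) does not; either the recompute is needed in all three places or in none. `if (m1 == 0)` should read `if (m1 == NULL)` to match the `fr_checkp != NULL` spelling used in the ip6 hunks. ip_output starts before and ends after this hunk.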
+ */ + if (fr_checkp != NULL) { + struct mbuf *m0 = m; + + if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6), + m->m_pkthdr.rcvif, 0, &m0)) { + return; + } + m = m0; + if (m == 0) { /* in case of 'fastroute' */ + return; + } + ip6 = mtod(m, struct ip6_hdr *); + } +#endif ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; --- sys/netinet6/ip6_output.c.orig Thu Feb 5 08:11:17 2004 +++ sys/netinet6/ip6_output.c Thu Jul 8 14:11:07 2004 @@@@ -118,6 +118,9 @@@@ static int ip6_pcbopts(struct ip6_pktopts **, struct mbuf *, struct socket *); static int ip6_setmoptions(int, struct ip6_moptions **, struct mbuf *); +#if defined(IPFILTER) || defined(IPFILTER_LKM) +extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); +#endif static int ip6_getmoptions(int, struct ip6_moptions *, struct mbuf **); static int ip6_copyexthdr(struct mbuf **, caddr_t, int); static int ip6_insertfraghdr(struct mbuf *, struct mbuf *, int, @@@@ -124,7 +127,7 @@@@ struct ip6_frag **); static int ip6_insert_jumboopt(struct ip6_exthdrs *, u_int32_t); static int ip6_splithdr(struct mbuf *, struct ip6_exthdrs *); -static int ip6_getpmtu(struct route_in6 *, struct route_in6 *, +int ip6_getpmtu(struct route_in6 *, struct route_in6 *, struct ifnet *, struct in6_addr *, u_long *, int *); /* @@@@ -797,6 +800,25 @@@@ goto done; ip6 = mtod(m, struct ip6_hdr *); #endif + +#if defined(IPFILTER) || defined(IPFILTER_LKM) + /* + * looks like most checking has been done now...do a filter check + */ + if (fr_checkp != NULL) { + struct mbuf *m1 = m; + if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6), ifp, 1, &m1)) { + error = EHOSTUNREACH; + goto done; + } + m = m1; + if (m1 == 0) { /* in case of 'fastroute' */ + error = 0; + goto done; + } + ip6 = mtod(m, struct ip6_hdr *); + } +#endif /* * Send the packet to the outgoing interface. 
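Review bot: `(*fr_checkp)((struct ip *)ip6, sizeof(*ip6), m->m_pkthdr.rcvif, 0, &m0)` passes an IPv6 header through a pointer declared as `struct ip *` in every `fr_checkp` declaration in this diff, and the same cast appears in the ip6_output.c hook at -797. That relies on ipf telling the families apart by the version nibble, which sits at the same offset in both headers; a comment at the call, `/* fr_check() reads the version nibble first, so an ip6_hdr may be passed as struct ip */`, would make the cast self-explaining — confirm the wording against fr_check(). The enclosing input function starts before and ends after the hunk.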
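Review bot: Dropping `static` from `ip6_getpmtu` in the prototype here and at the definition (-1192) exports a symbol that until now had file-local type checking only; no header in this diff gains a declaration for it, so any external caller (presumably ipf's IPv6 output path) must rely on an implicit declaration or carry a private prototype that can drift from the definition. Add `int ip6_getpmtu(struct route_in6 *, struct route_in6 *, struct ifnet *, struct in6_addr *, u_long *, int *);` to the netinet6 header that declares the other externals of this file, and keep the in-file declaration. The `extern int (*fr_checkp)` declaration is also dropped between two `static` prototypes in the list; placing it before the list keeps the static block contiguous.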
@@@@ -1192,7 +1214,7 @@@@ return (0); } -static int +int ip6_getpmtu(ro_pmtu, ro, ifp, dst, mtup, alwaysfragp) struct route_in6 *ro_pmtu, *ro; struct ifnet *ifp; --- sys/sys/conf.h.orig Sat Feb 21 15:11:07 2004 +++ sys/sys/conf.h Thu Jul 8 15:11:14 2004 @@@@ -406,6 +406,13 @@@@ dev_init(c,n,write), dev_init(c,n,ioctl), (dev_type_stop((*))) enodev, \ 0, (dev_type_poll((*))) enodev, (dev_type_mmap((*))) enodev } +/* open, close, read, ioctl */ +#define cdev_gen_ipf(c, n) { \ +dev_init(c,n,open), dev_init(c,n,close), dev_init(c,n,read), \ + (dev_type_write((*))) enodev, dev_init(c,n,ioctl), \ + (dev_type_stop((*))) enodev, 0, (dev_type_poll((*))) enodev, \ + (dev_type_mmap((*))) enodev } + /* open, close, ioctl */ #define cdev_pf_init(c,n) { \ dev_init(c,n,open), dev_init(c,n,close), (dev_type_read((*))) enodev, \ @@@@ -586,6 +593,7 @@@@ cdev_decl(bpf); +cdev_decl(ipl); cdev_decl(pf); cdev_decl(tun); @ 1.1 log @Initial revision @ text @@ 1.1.1.1 log @Import IPFilter 4.1.3 @ text @@ 1.1.1.2 log @Import IPFilter 4.1.5 @ text @d374 1 a374 1 + frsync(ifp); @