diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c index 9f953614e42d..118edf225ed5 100644 --- a/sys/netinet/fil.c +++ b/sys/netinet/fil.c @@ -7,12 +7,13 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $"; +static char rcsid[] = "$Id: fil.c,v 1.1.1.3 1997/04/03 10:10:10 darrenr Exp $"; #endif #include #include #include +#include #include #include #if defined(_KERNEL) || defined(KERNEL) @@ -44,8 +45,8 @@ static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $"; #include #include #include -#include "ip_fil.h" #include "ip_compat.h" +#include "ip_fil.h" #include "ip_nat.h" #include "ip_frag.h" #include "ip_state.h" 
@@ -54,46 +55,48 @@ static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $"; #endif #ifndef _KERNEL -#include "ipf.h" +# include "ipf.h" +# include "ipt.h" extern int opts; -extern void debug(), verbose(); -#define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; second; } -#define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; second; } -#define FR_VERBOSE(verb_pr) verbose verb_pr -#define FR_DEBUG(verb_pr) debug verb_pr -#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi) +# define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; \ + second; } +# define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; \ + second; } +# define FR_VERBOSE(verb_pr) verbose verb_pr +# define FR_DEBUG(verb_pr) debug verb_pr +# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) +# define SEND_RESET(ip, qif, q, if) send_reset(ip, if) +# define IPLLOG(a, c, d, e) ipllog() # if SOLARIS +# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip) # define bcmp memcmp -# endif -#else -#define FR_IFVERBOSE(ex,second,verb_pr) ; -#define FR_IFDEBUG(ex,second,verb_pr) ; -#define FR_VERBOSE(verb_pr) -#define FR_DEBUG(verb_pr) -#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) -extern int send_reset(); -# if SOLARIS -extern int icmp_error(), ipfr_fastroute(); -extern kmutex_t ipf_mutex, ipl_mutex; # else -extern void ipfr_fastroute(); +# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if) # endif -extern int ipl_unreach, ipllog(); -#endif -#if SOLARIS -# define SEND_RESET(ip, if, q) send_reset(ip, qif, q) -# define ICMP_ERROR(b, ip, t, c, if, src) \ +#else /* #ifndef _KERNEL */ +# define FR_IFVERBOSE(ex,second,verb_pr) ; +# define FR_IFDEBUG(ex,second,verb_pr) ; +# define FR_VERBOSE(verb_pr) +# define FR_DEBUG(verb_pr) +# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) +# define IPLLOG(a, c, d, e) ipllog(a, IPL_LOGIPF, c, d, e) +# if SOLARIS +extern kmutex_t ipf_mutex; +# define SEND_RESET(ip, qif, q, 
if) send_reset(ip, qif, q) +# define ICMP_ERROR(b, ip, t, c, if, src) \ icmp_error(b, ip, t, c, if, src) -#else -# define SEND_RESET(ip, if, q) send_reset(ip) -# if BSD < 199103 -# define ICMP_ERROR(b, ip, t, c, if, src) \ - icmp_error(mtod(b, ip_t *), t, c, if, src) # else -# define ICMP_ERROR(b, ip, t, c, if, src) \ +# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) +# define SEND_RESET(ip, qif, q, if) send_reset((struct tcpiphdr *)ip) +# if BSD < 199103 +# define ICMP_ERROR(b, ip, t, c, if, src) \ + icmp_error(mtod(b, ip_t *), t, c, if, src) +# else +# define ICMP_ERROR(b, ip, t, c, if, src) \ icmp_error(b, t, c, (src).s_addr, if) +# endif # endif #endif @@ -103,7 +106,7 @@ extern int ipl_unreach, ipllog(); #ifdef IPF_DEFAULT_PASS #define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH) #else -#define IPF_NOMATCH (FR_NOMATCH) +#define IPF_NOMATCH (FR_PASS|FR_NOMATCH) #endif struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}}; @@ -113,6 +116,10 @@ int fr_flags = IPF_LOGGING, fr_active = 0; fr_info_t frcache[2]; +static void fr_makefrip __P((int, ip_t *, fr_info_t *)); +static int fr_tcpudpchk __P((frentry_t *, fr_info_t *)); +static int fr_scanlist __P((int, ip_t *, fr_info_t *, void *)); + /* * bit values for identifying presence of individual IP options @@ -159,7 +166,7 @@ struct optlist secopt[8] = { * compact the IP header into a structure which contains just the info. * which is useful for comparing IP headers with. */ -void fr_makefrip(hlen, ip, fin) +static void fr_makefrip(hlen, ip, fin) int hlen; ip_t *ip; fr_info_t *fin; @@ -278,7 +285,7 @@ getports: /* * check an IP packet for TCP/UDP characteristics such as ports and flags. */ -int fr_tcpudpchk(fr, fin) +static int fr_tcpudpchk(fr, fin) frentry_t *fr; fr_info_t *fin; { 
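Review bot: In the `#ifndef _KERNEL` branch the new ICMP_ERROR macros expand to `icmp_error(ip)` on Solaris and `icmp_error(b, ip, if)` elsewhere, but the userland prototype this commit adds in ip_fil.h, and the stub at the end of ip_fil.c, take exactly two arguments (`struct ip *, struct ifnet *`). With the prototype in scope any expansion fails to compile, and without it the call has mismatched arguments; both variants should read `icmp_error(ip, if)`, matching the neighbouring `send_reset(ip, if)`. Whether ICMP_ERROR is ever expanded in a userland build depends on the call site in fr_check, which is outside this hunk.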
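Review bot: The fallback `IPF_NOMATCH` now carries `FR_PASS`, so a build that does not define IPF_DEFAULT_PASS gives packets that match no rule a pass verdict, and nothing at the definition says so. A filter's no-match default is a policy decision, so the `#else` branch deserves a comment such as `/* no rule matched: default verdict is pass; define IPF_DEFAULT_PASS as FR_BLOCK for default-deny */`. How fr_check treated a bare FR_NOMATCH before this change is not visible in the hunk, so confirm that fail-open is the intended default.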
@@ -371,7 +378,7 @@ fr_info_t *fin; * Could be per interface, but this gets real nasty when you don't have * kernel sauce. */ -int fr_scanlist(pass, ip, fin, m) +static int fr_scanlist(pass, ip, fin, m) int pass; ip_t *ip; register fr_info_t *fin; @@ -404,8 +411,7 @@ void *m; if (opts & (OPT_VERBOSE|OPT_DEBUG)) printf("\n"); FR_VERBOSE(("%c", (pass & FR_PASS) ? 'p' : 'b')); - if (fin->fin_ifp && *fr->fr_ifname && - strcasecmp((char *)fin->fin_ifp, fr->fr_ifname)) + if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp) continue; FR_VERBOSE((":i")); #endif @@ -467,7 +473,7 @@ void *m; pass = (*fr->fr_func)(pass, ip, fin); #ifdef IPFILTER_LOG if ((pass & FR_LOGMASK) == FR_LOG) { - if (!ipllog(fr->fr_flags, ip, fin, m)) + if (!IPLLOG(fr->fr_flags, ip, fin, m)) frstats[fin->fin_out].fr_skip++; frstats[fin->fin_out].fr_pkl++; } @@ -475,7 +481,7 @@ void *m; FR_DEBUG(("pass %#x\n", pass)); fr->fr_hits++; if (pass & FR_ACCOUNT) - fr->fr_bytes += ip->ip_len; + fr->fr_bytes += (U_QUAD_T)ip->ip_len; else fin->fin_icode = fr->fr_icode; fin->fin_rule = rulen; @@ -504,7 +510,8 @@ mblk_t **mp; struct mbuf **mp; # endif #else -) +, mp) +char *mp; #endif ip_t *ip; int hlen; @@ -518,8 +525,12 @@ int out; register fr_info_t *fin = &frinfo; frentry_t *fr = NULL; int pass, changed; +#ifndef _KERNEL + char *mc = mp, *m = mp; +#endif -#if !defined(__SVR4) && !defined(__svr4__) && defined(_KERNEL) +#ifdef _KERNEL +# if !defined(__SVR4) && !defined(__svr4__) register struct mbuf *m = *mp; struct mbuf *mc = NULL; @@ -538,9 +549,10 @@ int out; } } } -#endif -#if SOLARIS && defined(_KERNEL) +# endif +# if SOLARIS mblk_t *mc = NULL, *m = qif->qf_m; +# endif #endif fr_makefrip(hlen, ip, fin); fin->fin_ifp = ifp; @@ -608,7 +620,7 @@ int out; } } - if (fr && fr->fr_func) + if (fr && fr->fr_func && !(pass & FR_CALLNOW)) pass = (*fr->fr_func)(pass, ip, fin); if (out) { 
@@ -639,7 +651,7 @@ int out; pass |= FF_LOGBLOCK; frstats[out].fr_bpkl++; logit: - if (!ipllog(pass, ip, fin, m)) { + if (!IPLLOG(pass, ip, fin, m)) { frstats[out].fr_skip++; if ((pass & (FR_PASS|FR_LOGORBLOCK)) == (FR_PASS|FR_LOGORBLOCK)) @@ -676,7 +688,7 @@ logit: frstats[0].fr_ret++; } else if ((pass & FR_RETRST) && !(fin->fin_fi.fi_fl & FI_SHORT)) { - if (SEND_RESET(ip, qif, q) == 0) + if (SEND_RESET(ip, qif, q, ifp) == 0) frstats[1].fr_ret++; } #else @@ -736,37 +748,32 @@ logit: #ifdef IPFILTER_LOG -# if !(defined(_KERNEL)) -static void ipllog() -{ - verbose("l"); -} -# endif - - -int fr_copytolog(buf, len) +int fr_copytolog(dev, buf, len) +int dev; char *buf; int len; { - int clen, tail; + register char *bufp = iplbuf[dev], *tp = iplt[dev], *hp = iplh[dev]; + register int clen, tail; - tail = (iplh >= iplt) ? (iplbuf + IPLLOGSIZE - iplh) : (iplt - iplh); + tail = (hp >= tp) ? (bufp + IPLLOGSIZE - hp) : (tp - hp); clen = MIN(tail, len); - bcopy(buf, iplh, clen); + bcopy(buf, hp, clen); len -= clen; tail -= clen; - iplh += clen; + hp += clen; buf += clen; - if (iplh == iplbuf + IPLLOGSIZE) { - iplh = iplbuf; - tail = iplt - iplh; + if (hp == bufp + IPLLOGSIZE) { + hp = bufp; + tail = tp - hp; } if (len && tail) { clen = MIN(tail, len); - bcopy(buf, iplh, clen); + bcopy(buf, hp, clen); len -= clen; - iplh += clen; + hp += clen; } + iplh[dev] = hp; return len; } #endif diff --git a/sys/netinet/ip_compat.h b/sys/netinet/ip_compat.h index 5a36cc318ad6..615e4d061139 100644 --- a/sys/netinet/ip_compat.h +++ b/sys/netinet/ip_compat.h 
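Review bot: fr_copytolog now indexes `iplbuf[dev]`, `iplt[dev]` and `iplh[dev]` in the initialisers of its declarations, before anything checks `dev`, and the function is exported through ip_fil.h, so an out-of-range value from any caller reads and writes outside the three log buffers. The IPLLOG macro visible in this patch passes IPL_LOGIPF, so this is hardening rather than a demonstrated bug: load the pointers after a guard such as `if (dev < 0 || dev > IPL_LOGSTATE) return len;`. ipllog in ip_fil.c uses `iplused[dev]` and `iplh[dev]` the same way and would benefit from the same guard.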
@@ -6,17 +6,48 @@ * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.0.1.4 1997/02/04 14:24:25 darrenr Exp $ + * $Id: ip_compat.h,v 1.1.1.2 1997/04/03 10:10:48 darrenr Exp $ */ #ifndef __IP_COMPAT_H_ #define __IP_COMPAT_H__ +#ifndef __P +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () +# endif +#endif + #ifndef SOLARIS #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif + #if SOLARIS -#define MTYPE(m) ((m)->b_datap->db_type) +# define MTYPE(m) ((m)->b_datap->db_type) +# include +# include +/* + * because Solaris 2 defines these in two places :-/ + */ +# undef IPOPT_EOL +# undef IPOPT_NOP +# undef IPOPT_LSRR +# undef IPOPT_RR +# undef IPOPT_SSRR +# ifndef _KERNEL +# define _KERNEL +# undef RES_INIT +# include +# include +# include +# undef _KERNEL +# else +# include +# include +# include +# endif #endif #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) @@ -24,6 +55,13 @@ #define IP_OFFMASK 0x1fff #endif +#if BSD > 199306 +# define USE_QUAD_T +# define U_QUAD_T u_quad_t +#else +# define U_QUAD_T u_long +#endif + #ifndef MAX #define MAX(a,b) (((a) > (b)) ? (a) : (b)) #endif @@ -85,11 +123,18 @@ #define IPOPT_FINN 205 /* FINN */ +#ifdef __FreeBSD__ +# include +# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL) +# define ACTUALLY_LKM_NOT_KERNEL +# endif +#endif + /* * Build some macros and #defines to enable the same code to compile anywhere * Well, that's the idea, anyway :-) */ -#ifdef _KERNEL +#if defined(_KERNEL) || defined(KERNEL) # if SOLARIS # define MUTEX_ENTER(x) mutex_enter(x) # define MUTEX_EXIT(x) mutex_exit(x) @@ -108,6 +153,7 @@ # ifdef sun # if defined(__svr4__) || defined(__SVR4) +extern ill_t *get_unit __P((char *)); # define GETUNIT(n) get_unit((n)) # else # include 
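Review bot: The include guard at the top of this hunk tests `__IP_COMPAT_H_` but defines `__IP_COMPAT_H__`, so the guard never takes effect and every inclusion re-processes the header. That matters more after this change, because the header now pulls in system headers, `#undef`s the IPOPT_* names and declares `get_unit`; the first line should be `#ifndef __IP_COMPAT_H__`. The matching `#endif` is outside the hunk.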
@@ -132,8 +178,8 @@ typedef struct qif { queue_t *qf_out; void *qf_wqinfo; void *qf_rqinfo; - int (*qf_inp)(); - int (*qf_outp)(); + int (*qf_inp) __P((queue_t *, mblk_t *)); + int (*qf_outp) __P((queue_t *, mblk_t *)); mblk_t *qf_m; int qf_len; char qf_name[8]; @@ -151,10 +197,10 @@ typedef struct qif { # define htons(x) (x) # define htonl(x) (x) # endif -# define KMALLOC(x) kmem_alloc((x), KM_NOSLEEP) +# define KMALLOC(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP) # define GET_MINOR(x) getminor(x) # else -# define KMALLOC(x) new_kmem_alloc((x), KMEM_NOSLEEP) +# define KMALLOC(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP) # endif /* __svr4__ */ # endif /* sun && !linux */ # ifndef GET_MINOR @@ -162,7 +208,7 @@ typedef struct qif { # endif # if BSD >= 199306 || defined(__FreeBSD__) # include -# if !defined(__FreeBSD__) +# if !defined(__FreeBSD__) || (defined (__FreeBSD__) && __FreeBSD__>=3) # include # include extern vm_map_t kmem_map; @@ -170,15 +216,15 @@ extern vm_map_t kmem_map; # include # endif /* __FreeBSD__ */ /* -** # define KMALLOC(x) kmem_alloc(kmem_map, (x)) -** # define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \ +# define KMALLOC(a,b,c) (a) = (b)kmem_alloc(kmem_map, (c)) +# define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \ sizeof(*(x))) */ # ifdef M_PFIL -# define KMALLOC(x) malloc((x), M_PFIL, M_NOWAIT) +# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT) # define KFREE(x) FREE((x), M_PFIL) # else -# define KMALLOC(x) malloc((x), M_TEMP, M_NOWAIT) +# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT) # define KFREE(x) FREE((x), M_TEMP) # endif # define UIOMOVE(a,b,c,d) uiomove(a,b,d) 
@@ -193,17 +239,16 @@ extern vm_map_t kmem_map; # endif # endif #else -# ifndef linux -# define MUTEX_ENTER(x) ; -# define MUTEX_EXIT(x) ; -# define SPLNET(x) ; -# define SPLX(x) ; -# define KMALLOC(x) malloc(x) -# define KFREE(x) free(x) -# define GETUNIT(x) (x) -# define IRCOPY(a,b,c) bcopy((a), (b), (c)) -# define IWCOPY(a,b,c) bcopy((a), (b), (c)) -# endif +# define MUTEX_ENTER(x) ; +# define MUTEX_EXIT(x) ; +# define SPLNET(x) ; +# undef SPLX +# define SPLX(x) ; +# define KMALLOC(a,b,c) (a) = (b)malloc(c) +# define KFREE(x) free(x) +# define GETUNIT(x) get_unit(x) +# define IRCOPY(a,b,c) bcopy((a), (b), (c)) +# define IWCOPY(a,b,c) bcopy((a), (b), (c)) #endif /* KERNEL */ #ifdef linux @@ -318,7 +363,7 @@ struct ipovly { # define UNITNAME(n) dev_get((n)) # define ifnet device -# define KMALLOC(x) kmalloc((x), GFP_ATOMIC) +# define KMALLOC(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC) # define KFREE(x) kfree_s((x), sizeof(*(x))) # define IRCOPY(a,b,c) { \ error = verify_area(VERIFY_READ, \ diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c index fec484670f4b..a9c298aedc5b 100644 --- a/sys/netinet/ip_fil.c +++ b/sys/netinet/ip_fil.c @@ -7,17 +7,39 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $"; +static char rcsid[] = "$Id: ip_fil.c,v 1.1.1.3 1997/04/03 10:10:52 darrenr Exp $"; #endif +#ifndef SOLARIS +#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) +#endif + +#ifdef __FreeBSD__ +#include +#endif +#ifndef _KERNEL +#include +#include +#endif #include #include #include #include #include +#include +#ifdef _KERNEL #include +#endif #include +#if !SOLARIS +#include #include +#else +#define bcmp memcmp +#define bzero(a,b) memset(a,0,b) +#define bcopy(a,b,c) memcpy(b,a,c) +#include +#endif #include #include 
@@ -36,8 +58,8 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $ #include #include #include -#include "ip_fil.h" #include "ip_compat.h" +#include "ip_fil.h" #include "ip_frag.h" #include "ip_nat.h" #include "ip_state.h" 
@@ -47,45 +69,49 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $ extern fr_flags, fr_active; extern struct protosw inetsw[]; -extern int (*fr_checkp)(); #if BSD < 199306 -extern int ipfr_slowtimer(); -static int (*fr_saveslowtimo)(); +static int (*fr_saveslowtimo) __P((void)); extern int tcp_ttl; #else -extern void ipfr_slowtimer(); -static void (*fr_saveslowtimo)(); +static void (*fr_saveslowtimo) __P((void)); #endif int ipl_inited = 0; int ipl_unreach = ICMP_UNREACH_FILTER; -int send_reset(); + +#ifndef _KERNEL +#include "ipt.h" +static struct ifnet **ifneta = NULL; +static int nifs = 0; +struct ifnet *get_unit __P((char *)); +#endif #ifdef IPFILTER_LOG -# define LOGSIZE 8192 -int ipllog(); -char iplbuf[LOGSIZE]; -caddr_t iplh = iplbuf, iplt = iplbuf; -static int iplused = 0; +char iplbuf[3][IPLLOGSIZE]; +caddr_t iplh[3], iplt[3]; +int iplused[3] = {0,0,0}; #endif /* IPFILTER_LOG */ -static void frflush(); -static int frrequest(); -static int (*fr_savep)() = NULL; +static void frflush __P((caddr_t)); +static int frrequest __P((int, caddr_t, int)); +static void frzerostats __P((caddr_t)); +#ifdef _KERNEL +static int (*fr_savep) __P((struct ip *, int, struct ifnet *, + int, struct mbuf **)); +#else +void init_ifp __P((void)); +static int (*fr_savep) __P((struct ip *, int, struct ifnet *, + int, char *)); +static int no_output __P((struct ifnet *, struct mbuf *, + struct sockaddr *, struct rtentry *)); +static int write_output __P((struct ifnet *, struct mbuf *, + struct sockaddr *, struct rtentry *)); +#endif -#if _BSDI_VERSION >= 199501 + +#if (_BSDI_VERSION >= 199510) && defined(_KERNEL) # include # include -int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); -int iplopen __P((dev_t, int, int, struct proc *)); -int iplclose __P((dev_t, int, int, struct proc *)); -# ifdef IPFILTER_LOG -int iplread __P((dev_t, struct uio *, int)); -# else -# define iplread noread -# endif -int iplioctl __P((dev_t, int, caddr_t, int, 
struct proc *)); - struct cfdriver iplcd = { NULL, "ipl", NULL, NULL, DV_DULL, 0 }; @@ -96,9 +122,11 @@ struct devsw iplsw = { nostrat, nodump, nopsize, 0, nostop }; -#endif /* _BSDI_VERSION >= 199501 */ +#endif /* _BSDI_VERSION >= 199510 && _KERNEL */ -#ifdef IPFILTER_LKM + +#ifdef _KERNEL +# ifdef IPFILTER_LKM int iplidentify(s) char *s; { @@ -106,12 +134,12 @@ char *s; return 1; return 0; } -#endif /* IPFILTER_LKM */ +# endif /* IPFILTER_LKM */ int iplattach() { - int s; + int s, i; SPLNET(s); if (ipl_inited || (fr_checkp == fr_check)) { @@ -125,6 +153,14 @@ int iplattach() fr_checkp = fr_check; fr_saveslowtimo = inetsw[0].pr_slowtimo; inetsw[0].pr_slowtimo = ipfr_slowtimer; + + /* + * Set log buffer pointers for each of the log buffers + */ + for (i = 0; i <= 2; i++) { + iplh[i] = iplbuf[i]; + iplt[i] = iplbuf[i]; + } SPLX(s); return 0; } @@ -142,7 +178,9 @@ int ipldetach() return EBUSY; } +#if defined(IPFILTER_LKM) || defined(IPFILTER) fr_checkp = fr_savep; +#endif inetsw[0].pr_slowtimo = fr_saveslowtimo; frflush((caddr_t)&i); ipl_inited = 0; @@ -154,6 +192,7 @@ int ipldetach() SPLX(s); return 0; } +#endif /* _KERNEL */ static void frzerostats(data) @@ -219,7 +258,7 @@ caddr_t data; * Filter ioctl interface. */ int iplioctl(dev, cmd, data, mode -#if _BSDI_VERSION >= 199501 +#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) , p) struct proc *p; #else @@ -232,18 +271,20 @@ int mode; { int error = 0, s, unit; +#ifdef _KERNEL unit = minor(dev); - if (unit != 0) + if ((2 < unit) || (unit < 0)) return ENXIO; +#endif SPLNET(s); switch (cmd) { case FIONREAD : #ifdef IPFILTER_LOG - *(int *)data = iplused; + *(int *)data = iplused[unit]; #endif break; -#ifndef IPFILTER_LKM +#if !defined(IPFILTER_LKM) && defined(_KERNEL) case SIOCFRENB : { u_int enable; 
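Review bot: The loop bound `i <= 2` in iplattach repeats the dimension of `iplbuf[3]`, `iplh[3]` and `iplt[3]` as a bare literal, and the same `2` is hand-copied into the minor checks in iplioctl, iplopen, iplclose and iplread. ip_fil.h in this patch already defines IPL_LOGSTATE as the highest log minor, so `for (i = 0; i <= IPL_LOGSTATE; i++)` and `unit > IPL_LOGSTATE` would keep every bounds check tied to the array size if another log device is added later.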
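Review bot: `unit` is assigned only inside the new `#ifdef _KERNEL` block, yet `iplused[unit]` under FIONREAD (and the `iplh[unit]`/`iplused[unit]` lines in the later hunk of the same function) are not guarded by _KERNEL, so a userland build with IPFILTER_LOG defined would index the arrays with an uninitialised value. Adding `#else` followed by `unit = IPL_LOGIPF;` before the `#endif` gives the non-kernel path a defined index. Whether any userland build defines IPFILTER_LOG is not visible here, and iplioctl's body continues outside the hunk.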
@@ -330,9 +371,9 @@ int mode; if (!(mode & FWRITE)) error = EPERM; else { - *(int *)data = iplused; - iplh = iplt = iplbuf; - iplused = 0; + *(int *)data = iplused[unit]; + iplh[unit] = iplt[unit] = iplbuf[unit]; + iplused[unit] = 0; } break; #endif /* IPFILTER_LOG */ @@ -365,16 +406,13 @@ caddr_t data; { register frentry_t *fp, *f, **fprev; register frentry_t **ftail; - frentry_t fr; + frentry_t frd; frdest_t *fdp; - struct frentry frd; int error = 0, in; - fp = &fr; + fp = &frd; IRCOPY(data, (caddr_t)fp, sizeof(*fp)); - bzero((char *)frcache, sizeof(frcache[0]) * 2); - in = (fp->fr_flags & FR_INQUE) ? 0 : 1; if (fp->fr_flags & FR_ACCOUNT) { ftail = fprev = &ipacct[in][set]; @@ -383,8 +421,8 @@ caddr_t data; else return ESRCH; - IRCOPY((char *)fp, (char *)&frd, sizeof(frd)); - fp = &frd; + bzero((char *)frcache, sizeof(frcache[0]) * 2); + if (*fp->fr_ifname) { fp->fr_ifa = GETUNIT(fp->fr_ifname); if (!fp->fr_ifa) @@ -451,7 +489,8 @@ caddr_t data; if (f) error = EEXIST; else { - if ((f = (struct frentry *)KMALLOC(sizeof(*f)))) { + KMALLOC(f, frentry_t *, sizeof(*f)); + if (f != NULL) { bcopy((char *)fp, (char *)f, sizeof(*f)); f->fr_hits = 0; f->fr_next = *ftail; @@ -464,44 +503,48 @@ caddr_t data; } -#if !defined(linux) +#ifdef _KERNEL /* * routines below for saving IP headers to buffer */ int iplopen(dev, flags -#if _BSDI_VERSION >= 199501 +#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) , devtype, p) int devtype; struct proc *p; -#else +# else ) -#endif +# endif dev_t dev; int flags; { u_int min = minor(dev); - if (min) + if (2 < min) min = ENXIO; + else + min = 0; return min; } int iplclose(dev, flags -#if _BSDI_VERSION >= 199501 +#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL) , devtype, p) int devtype; struct proc *p; -#else +# else ) -#endif +# endif dev_t dev; int flags; { u_int min = minor(dev); - if (min) + if (2 < min) min = ENXIO; + else + min = 0; return min; } 
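Review bot: frrequest fills `frd` with `IRCOPY(data, (caddr_t)fp, sizeof(*fp))` and the later hunk copies it wholesale into the new rule with `bcopy`, resetting only `fr_hits` and `fr_next`, so the pointer members of the caller's structure, notably `fr_func`, look as if they reach the rule list exactly as supplied. fil.c calls `(*fr->fr_func)(pass, ip, fin)` on matched rules, which makes that field a code pointer taken from an ioctl argument. The rest of frrequest is outside these hunks; if it does not already clear or validate the field, it should reset `fr_func` unless it matches a known kernel callback, and a comment next to the IRCOPY should state which fields of the copied structure are trusted.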
@@ -521,52 +564,57 @@ int iplread(dev, uio) dev_t dev; register struct uio *uio; { - register int ret, s; + register int ret, s, unit; register size_t sz, sx; int error; + unit = minor(dev); + if ((2 < unit) || (unit < 0)) + return ENXIO; + if (!uio->uio_resid) return 0; - while (!iplused) { - error = SLEEP(iplbuf, "ipl sleep"); + + while (!iplused[unit]) { + error = SLEEP(iplbuf[unit], "ipl sleep"); if (error) return error; } SPLNET(s); - sx = sz = MIN(uio->uio_resid, iplused); - if (iplh < iplt) - sz = MIN(sz, LOGSIZE - (iplt - iplbuf)); + sx = sz = MIN(uio->uio_resid, iplused[unit]); + if (iplh[unit] < iplt[unit]) + sz = MIN(sz, IPLLOGSIZE - (iplt[unit] - iplbuf[unit])); sx -= sz; # if BSD >= 199306 || defined(__FreeBSD__) uio->uio_rw = UIO_READ; # endif - if (!(ret = UIOMOVE(iplt, sz, UIO_READ, uio))) { - iplt += sz; - iplused -= sz; - if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE)) - iplt = iplbuf; + if (!(ret = UIOMOVE(iplt[unit], sz, UIO_READ, uio))) { + iplt[unit] += sz; + iplused[unit] -= sz; + if ((iplh[unit] < iplt[unit]) && (iplt[unit] == iplbuf[unit] + IPLLOGSIZE)) + iplt[unit] = iplbuf[unit]; - if (sx && !(ret = UIOMOVE(iplt, sx, UIO_READ, uio))) { - iplt += sx; - iplused -= sx; - if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE)) - iplt = iplbuf; + if (sx && !(ret = UIOMOVE(iplt[unit], sx, UIO_READ, uio))) { + iplt[unit] += sx; + iplused[unit] -= sx; + if ((iplh[unit] < iplt[unit]) && (iplt[unit] == iplbuf[unit] + IPLLOGSIZE)) + iplt[unit] = iplbuf[unit]; } - if (!iplused) /* minimise wrapping around the end */ - iplh = iplt = iplbuf; + if (!iplused[unit]) /* minimise wrapping around the end */ + iplh[unit] = iplt[unit] = iplbuf[unit]; } SPLX(s); return ret; } # endif /* IPFILTER_LOG */ -#endif /* linux */ -#ifdef IPFILTER_LOG -int ipllog(flags, ip, fin, m) +# ifdef IPFILTER_LOG +int ipllog(flags, dev, ip, fin, m) u_int flags; +int dev; ip_t *ip; register fr_info_t *fin; struct mbuf *m; 
@@ -597,16 +645,16 @@ struct mbuf *m; mlen = (flags & FR_LOGBODY) ? MIN(ip->ip_len - hlen, 128) : 0; len = hlen + sizeof(iplci) + mlen; - if (iplused + len > LOGSIZE) + if (iplused[dev] + len > IPLLOGSIZE) return 0; - iplused += len; + iplused[dev] += len; -# ifdef sun +# ifdef sun uniqtime(&iplci); -# endif -# if BSD >= 199306 || defined(__FreeBSD__) +# endif +# if BSD >= 199306 || defined(__FreeBSD__) microtime((struct timeval *)&iplci); -# endif +# endif iplci.flags = flags; iplci.hlen = (u_char)hlen; iplci.plen = (u_char)mlen; @@ -619,22 +667,25 @@ struct mbuf *m; if ((iplci.ifname[1] = ifp->if_name[1])) if ((iplci.ifname[2] = ifp->if_name[2])) iplci.ifname[3] = ifp->if_name[3]; -# endif +# endif + if (iplh[dev] == iplbuf[dev] + IPLLOGSIZE) + iplh[dev] = iplbuf[dev]; + /* * Gauranteed to succeed from above */ - (void) fr_copytolog(&iplci, sizeof(iplci)); + (void) fr_copytolog(dev, (char *)&iplci, sizeof(iplci)); for (len -= sizeof(iplci); m && len > 0; m = m->m_next, len -= hlen) { hlen = MIN(len, m->m_len); - if (fr_copytolog(mtod(m, char *), hlen)) + if (fr_copytolog(dev, mtod(m, char *), hlen)) break; } - wakeup(iplbuf); + wakeup(iplbuf[dev]); return 1; } -#endif /* IPFILTER_LOG */ +# endif /* IPFILTER_LOG */ /* * send_reset - this could conceivably be a call to tcp_respond(), but that @@ -651,22 +702,22 @@ struct tcpiphdr *ti; if (ti->ti_flags & TH_RST) return -1; /* feedback loop */ -#if BSD < 199306 +# if BSD < 199306 m = m_get(M_DONTWAIT, MT_HEADER); -#else +# else m = m_gethdr(M_DONTWAIT, MT_HEADER); m->m_data += max_linkhdr; -#endif +# endif if (m == NULL) return -1; if (ti->ti_flags & TH_SYN) tlen = 1; m->m_len = sizeof (struct tcpiphdr); -#if BSD >= 199306 +# if BSD >= 199306 m->m_pkthdr.len = sizeof (struct tcpiphdr); m->m_pkthdr.rcvif = (struct ifnet *)0; -#endif +# endif bzero(mtod(m, char *), sizeof(struct tcpiphdr)); ip = mtod(m, struct ip *); tp = mtod(m, struct tcpiphdr *); 
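Review bot: In the `BSD >= 199306` branch of send_reset, `m->m_data += max_linkhdr;` runs before the `if (m == NULL)` test, so a failed `m_gethdr(M_DONTWAIT, MT_HEADER)` is dereferenced in the kernel before it is checked; the commit re-indents the surrounding `# if`/`# endif` lines but leaves that order as it was. Put `if (m == NULL) return -1;` first and move the `# if BSD >= 199306` / `m->m_data += max_linkhdr;` / `# endif` lines below it. send_reset begins and ends outside this hunk.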
@@ -686,11 +737,11 @@ struct tcpiphdr *ti; ip->ip_tos = ((struct ip *)ti)->ip_tos; ip->ip_p = ((struct ip *)ti)->ip_p; ip->ip_len = sizeof (struct tcpiphdr); -#if BSD < 199306 +# if BSD < 199306 ip->ip_ttl = tcp_ttl; -#else +# else ip->ip_ttl = ip_defttl; -#endif +# endif /* * extra 0 in case of multicast @@ -700,13 +751,18 @@ struct tcpiphdr *ti; } -#ifndef IPFILTER_LKM -void iplinit() +# ifndef IPFILTER_LKM +# if BSD < 199306 +int +# else +void +# endif +iplinit() { (void) iplattach(); ip_init(); } -#endif +# endif void ipfr_fastroute(m0, fin, fdp) @@ -738,12 +794,12 @@ frdest_t *fdp; #if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) # ifdef RTF_CLONING rtalloc_ign(ro, RTF_CLONING); -# else +# else rtalloc_ign(ro, RTF_PRCLONING); -# endif -#else +# endif +# else rtalloc(ro); -#endif +# endif if (!ifp) { if (!(fin->fin_fr->fr_flags & FR_FASTROUTE)) { error = -2; @@ -773,19 +829,19 @@ frdest_t *fdp; * If small enough for interface, can just send directly. */ if (ip->ip_len <= ifp->if_mtu) { -#ifndef sparc +# ifndef sparc ip->ip_id = htons(ip->ip_id); ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); -#endif +# endif if (!ip->ip_sum) ip->ip_sum = in_cksum(m, hlen); -#if BSD >= 199306 +# if BSD >= 199306 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); -#else +# else error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst); -#endif +# endif goto done; } /* @@ -818,11 +874,11 @@ frdest_t *fdp; error = ENOBUFS; goto bad; } -#if BSD >= 199306 +# if BSD >= 199306 m->m_data += max_linkhdr; -#else +# else m->m_off = MMAXOFF - hlen; -#endif +# endif mhip = mtod(m, struct ip *); bcopy((char *)ip, (char *)mhip, sizeof(*ip)); if (hlen > sizeof (struct ip)) { @@ -843,9 +899,9 @@ frdest_t *fdp; error = ENOBUFS; /* ??? */ goto sendorfree; } -#ifndef sparc +# ifndef sparc mhip->ip_off = htons((u_short)mhip->ip_off); -#endif +# endif mhip->ip_sum = 0; mhip->ip_sum = in_cksum(m, mhlen); *mnext = m; 
@@ -865,13 +921,13 @@ sendorfree: m0 = m->m_act; m->m_act = 0; if (error == 0) -#if BSD >= 199306 +# if BSD >= 199306 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); -#else +# else error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst); -#endif +# endif else m_freem(m); } 
@@ -885,3 +941,159 @@ bad: m_freem(m); goto done; } +#else /* #ifdef _KERNEL */ + + +static int no_output __P((struct ifnet *ifp, struct mbuf *m, + struct sockaddr *s, struct rtentry *rt)) +{ + return 0; +} + + +# ifdef __STDC__ +static int write_output __P((struct ifnet *ifp, struct mbuf *m, + struct sockaddr *s, struct rtentry *rt)) +{ + ip_t *ip = (ip_t *)m; +# else +static int write_output(ifp, ip) +struct ifnet *ifp; +ip_t *ip; +{ +# endif + FILE *fp; + char fname[32]; + +#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) + sprintf(fname, "/tmp/%s", ifp->if_xname); + if ((fp = fopen(fname, "a"))) { + fclose(fp); + } +#else + sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); + if ((fp = fopen(fname, "a"))) { + fwrite((char *)ip, ntohs(ip->ip_len), 1, fp); + fclose(fp); + } +#endif +} + + +struct ifnet *get_unit(name) +char *name; +{ + struct ifnet *ifp, **ifa; +#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) + for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { + if (!strcmp(name, ifp->if_xname)) + return ifp; + } +#else + char ifname[32], *s; + + for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { + (void) sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit); + if (!strcmp(name, ifname)) + return ifp; + } +#endif + + if (!ifneta) { + ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2); + ifneta[1] = NULL; + ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp)); + nifs = 1; + } else { + nifs++; + ifneta = (struct ifnet **)realloc(ifneta, + (nifs + 1) * sizeof(*ifa)); + ifneta[nifs] = NULL; + ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp)); + } + ifp = ifneta[nifs - 1]; + +#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) + strncpy(ifp->if_xname, name, sizeof(ifp->if_xname)); +#else + for (s = name; *s && !isdigit(*s); s++) + ; + if (*s && isdigit(*s)) { + ifp->if_unit = atoi(s); + ifp->if_name = (char *)malloc(s - name + 1); + strncpy(ifp->if_name, name, s - name); + ifp->if_name[s - name] = '\0'; + } else 
{ + ifp->if_name = strdup(name); + ifp->if_unit = -1; + } +#endif + ifp->if_output = no_output; + return ifp; +} + + +void init_ifp() +{ + FILE *fp; + struct ifnet *ifp, **ifa; + char fname[32]; +#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) + for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { + ifp->if_output = write_output; + sprintf(fname, "/tmp/%s", ifp->if_xname); + if ((fp = fopen(fname, "w"))) + fclose(fp); + } +#else + + for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { + ifp->if_output = write_output; + sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); + if ((fp = fopen(fname, "w"))) + fclose(fp); + } +#endif +} + + +void ipfr_fastroute(ip, fin, fdp) +ip_t *ip; +fr_info_t *fin; +frdest_t *fdp; +{ + struct ifnet *ifp = fdp->fd_ifp; + + if (!ifp) + return; /* no routing table out here */ + + ip->ip_len = htons((u_short)ip->ip_len); + ip->ip_off = htons((u_short)(ip->ip_off | IP_MF)); + ip->ip_sum = 0; + (*ifp->if_output)(ifp, (void *)ip, NULL, 0); +} + + +void ipllog() +{ + verbose("l"); +} + + +int send_reset(ip, ifp) +ip_t *ip; +struct ifnet *ifp; +{ + verbose("- TCP RST sent\n"); + return 0; +} + + +int icmp_error(ip, ifp) +ip_t *ip; +struct ifnet *ifp; +{ + verbose("- TCP RST sent\n"); + return 0; +} +#endif /* _KERNEL */ diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h index 389a161bc2df..4f0bfa98d09d 100644 --- a/sys/netinet/ip_fil.h +++ b/sys/netinet/ip_fil.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.0.1.2 1997/01/10 00:28:15 darrenr Exp $ + * $Id: ip_fil.h,v 1.1.1.2 1997/04/03 10:10:58 darrenr Exp $ */ #ifndef __IP_FIL_H__ 
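Review bot: write_output, init_ifp and get_unit format interface names into 32-byte stack buffers with unbounded `sprintf` (`sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit)` and `sprintf(ifname, "%s%d", ...)`), while get_unit stores a name of any length through `strdup(name)`, so a long interface name in the test input overruns `fname` or `ifname`. Use a bounded call and treat truncation as an error, e.g. `if (snprintf(fname, sizeof(fname), "/tmp/%s%d", ifp->if_name, ifp->if_unit) >= (int)sizeof(fname)) return -1;`. write_output is also declared `int` but has no `return` on any path, and the `malloc`/`realloc` results in get_unit are used unchecked (the second branch leaves the new `struct ifnet` uninitialised where the first uses `calloc`). The fixed /tmp paths built from the interface name are opened with plain `fopen`, which follows existing symlinks, so these capture files are better created in a private directory.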
@@ -19,20 +19,12 @@ #if defined(KERNEL) && !defined(_KERNEL) #define _KERNEL #endif -#if SOLARIS -# include -# include -# ifdef _KERNEL -# include -/* - * because Solaris 2 defines these in two places :-/ - */ -#undef IPOPT_EOL -#undef IPOPT_NOP -#undef IPOPT_LSRR -#undef IPOPT_RR -#undef IPOPT_SSRR -# include + +#ifndef __P +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () # endif #endif @@ -118,9 +110,12 @@ typedef struct frdest { typedef struct frentry { struct frentry *fr_next; struct ifnet *fr_ifa; - u_long fr_hits; - u_long fr_bytes; /* this is only incremented when a packet */ - /* matches this rule and it is the last match*/ + /* + * There are only incremented when a packet matches this rule and + * it is the last match + */ + U_QUAD_T fr_hits; + U_QUAD_T fr_bytes; /* * Fields after this may not change whilst in the kernel. */ @@ -140,7 +135,7 @@ typedef struct frentry { u_short fr_stop; /* top port for <> and >< */ u_short fr_dtop; /* top port for <> and >< */ u_long fr_flags; /* per-rule flags && options (see below) */ - int (*fr_func)(); /* call this function */ + int (*fr_func) __P((int, struct ip *, fr_info_t *)); /* call this function */ char fr_icode; /* return ICMP code */ char fr_ifname[IFNAMSIZ]; struct frdest fr_tif; /* "to" interface */ @@ -162,7 +157,7 @@ typedef struct frentry { /* * fr_flags -*/ + */ #define FR_BLOCK 0x00001 #define FR_PASS 0x00002 #define FR_OUTQUE 0x00004 
@@ -276,18 +271,100 @@ typedef struct ipl_ci { #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) #define IPLLOGSIZE 8192 -extern int fr_check(); -extern int fr_copytolog(); -extern fr_info_t frcache[]; -extern char *iplh, *iplt; -extern char iplbuf[IPLLOGSIZE]; - -#ifdef _KERNEL - -extern struct frentry *ipfilter[2][2], *ipacct[2][2]; -extern struct filterstats frstats[]; +/* + * Device filenames. Use ipf on Solaris2 because ipl is already a name used + * by something else. + */ +#ifndef IPL_NAME # if SOLARIS -extern int ipfsync(); +# define IPL_NAME "/dev/ipf" +# else +# define IPL_NAME "/dev/ipl" # endif +#endif +#define IPL_NAT "/dev/ipnat" +#define IPL_STATE "/dev/ipstate" +#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */ +#define IPL_LOGNAT 1 +#define IPL_LOGSTATE 2 + +#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \ + (__FreeBSD_version >= 220000) +# define CDEV_MAJOR 79 +#endif + +#ifndef _KERNEL +extern int fr_check __P((struct ip *, int, struct ifnet *, int, char *)); +extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, + int, char *)); +extern int send_reset __P((struct ip *, struct ifnet *)); +extern int icmp_error __P((struct ip *, struct ifnet *)); +extern void ipllog __P((void)); +extern void ipfr_fastroute __P((struct ip *, fr_info_t *, frdest_t *)); +#else +# if SOLARIS +extern int fr_check __P((struct ip *, int, struct ifnet *, int, qif_t *, + queue_t *, mblk_t **)); +extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, + int, qif_t *, queue_t *, mblk_t *)); +extern int icmp_error __P((queue_t *, ip_t *, int, int, qif_t *, + struct in_addr)); +# else +extern int fr_check __P((struct ip *, int, struct ifnet *, int, + struct mbuf **)); +extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, + struct mbuf **)); +extern int send_reset __P((struct tcpiphdr *)); +extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *)); +extern void ipfr_fastroute 
__P((struct mbuf *, fr_info_t *, frdest_t *)); +# endif +#endif +extern int fr_copytolog __P((int, char *, int)); +extern int ipl_unreach; +extern fr_info_t frcache[]; +extern char *iplh[3], *iplt[3]; +extern char iplbuf[3][IPLLOGSIZE]; +extern int iplused[3]; +extern struct frentry *ipfilter[2][2], *ipacct[2][2]; +extern struct filterstats frstats[]; + +#ifndef _KERNEL +extern int iplioctl __P((dev_t, int, caddr_t, int)); +extern int iplopen __P((dev_t, int)); +extern int iplclose __P((dev_t, int)); +#else +extern int iplattach __P((void)); +extern int ipldetach __P((void)); +# if SOLARIS +extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *)); +extern int iplopen __P((dev_t *, int, int, cred_t *)); +extern int iplclose __P((dev_t, int, int, cred_t *)); +extern int ipfsync __P((void)); +# ifdef IPFILTER_LOG +extern int iplread __P((dev_t, struct uio *, cred_t *)); +# endif +# else +# ifdef IPFILTER_LKM +extern int iplidentify __P((char *)); +# endif +# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 199612) +extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); +extern int iplopen __P((dev_t, int, int, struct proc *)); +extern int iplclose __P((dev_t, int, int, struct proc *)); +# else +extern int iplioctl __P((dev_t, int, caddr_t, int)); +extern int iplopen __P((dev_t, int)); +extern int iplclose __P((dev_t, int)); +# endif /* (_BSDI_VERSION >= 199510) */ +# ifdef IPFILTER_LOG +# if BSD >= 199306 +extern int iplread __P((dev_t, struct uio *, int)); +# else +extern int iplread __P((dev_t, struct uio *)); +# endif /* BSD >= 199306 */ +# else +# define iplread noread +# endif /* IPFILTER_LOG */ +# endif /* SOLARIS */ #endif /* _KERNEL */ #endif /* __IP_FIL_H__ */ diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c index 7ed97ceb56fd..dbe852e9cd82 100644 --- a/sys/netinet/ip_frag.c +++ b/sys/netinet/ip_frag.c 
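Review bot: In the `_KERNEL` / `SOLARIS` branch of the new prototype block, `fr_check` takes `mblk_t **` as its last parameter but the `fr_checkp` pointer declared right after it takes `mblk_t *`, so the hook pointer and the function it is meant to hold have incompatible types. The non-Solaris branch uses `struct mbuf **` for both, which suggests the Solaris `fr_checkp` line should end `int, qif_t *, queue_t *, mblk_t **));`. Separately, the `iplioctl`/`iplopen`/`iplclose` selection tests `__FreeBSD_version >= 199612`, while the `CDEV_MAJOR` test earlier in the same hunk compares the same macro against `220000`. The two constants look like different numbering schemes, so the intended cut-off should be confirmed.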
@@ -7,7 +7,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp $"; +static char rcsid[] = "$Id: ip_frag.c,v 1.1.1.3 1997/04/03 10:11:03 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) @@ -17,12 +17,19 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp #include #include #include +#include #include +#if defined(__FreeBSD__) && (__FreeBSD__ >= 3) +#include +#include +#include +#else #include +#endif #include #include #include -#ifdef _KERNEL +#ifdef _KERNEL # include #endif #if !defined(__SVR4) && !defined(__svr4__) @@ -47,8 +54,8 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp #include #include #include -#include "ip_fil.h" #include "ip_compat.h" +#include "ip_fil.h" #include "ip_frag.h" #include "ip_nat.h" #include "ip_state.h" @@ -69,6 +76,13 @@ extern kmutex_t ipf_frag; # endif #endif +#ifdef __FreeBSD__ +# if BSD < 199306 +int ipfr_slowtimer __P((void)); +# else +void ipfr_slowtimer __P((void)); +# endif +#endif /* __FreeBSD__ */ ipfrstat_t *ipfr_fragstats() { @@ -114,7 +128,8 @@ int pass; return -1; } - if (!(fr = (ipfr_t *)KMALLOC(sizeof(*fr)))) { + KMALLOC(fr, ipfr_t *, sizeof(*fr)); + if (fr == NULL) { ipfr_stats.ifs_nomem++; MUTEX_EXIT(&ipf_frag); return -1; @@ -230,10 +245,10 @@ void ipfr_unload() * Slowly expire held state for fragments. Timeouts are set * in expectation * of this being called twice per second. */ -# if BSD < 199306 -int ipfr_slowtimer() -# else +# if (BSD >= 199306) || SOLARIS void ipfr_slowtimer() +# else +int ipfr_slowtimer() # endif { ipfr_t **fp, *fr; diff --git a/sys/netinet/ip_frag.h b/sys/netinet/ip_frag.h index a356785e528c..0e8fe90ccc54 100644 --- a/sys/netinet/ip_frag.h +++ b/sys/netinet/ip_frag.h 
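Review bot: The `#ifdef __FreeBSD__` prototype block added above `ipfr_fragstats()` picks the return type of `ipfr_slowtimer` with `BSD < 199306`, while the definition changed in the last hunk of this file, and the declaration this commit adds to ip_frag.h, pick it with `(BSD >= 199306) || SOLARIS`. ip_frag.c already includes ip_frag.h, so the local block is a second declaration that has to be kept in step by hand. Dropping it and relying on the header removes the chance of the two conditions drifting into conflicting types.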
@@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 - * $Id: ip_frag.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $ + * $Id: ip_frag.h,v 1.1.1.2 1997/04/03 10:11:06 darrenr Exp $ */ #ifndef __IP_FRAG_H_ @@ -39,9 +39,13 @@ typedef struct ipfrstat { #define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1) -extern ipfrstat_t *ipfr_fragstats(); -extern int ipfr_newfrag(), ipfr_knownfrag(); -# ifdef _KERNEL -extern void ipfr_unload(); -# endif +extern ipfrstat_t *ipfr_fragstats __P((void)); +extern int ipfr_newfrag __P((ip_t *, fr_info_t *, int)); +extern int ipfr_knownfrag __P((ip_t *, fr_info_t *)); +extern void ipfr_unload __P((void)); +#if (BSD >= 199306) || SOLARIS +extern void ipfr_slowtimer __P((void)); +#else +extern int ipfr_slowtimer __P((void)); +#endif #endif /* __IP_FIL_H__ */ diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c index ee59a6cda1dd..146b4906c60d 100644 --- a/sys/netinet/ip_nat.c +++ b/sys/netinet/ip_nat.c @@ -9,7 +9,11 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp $"; +static char rcsid[] = "$Id: ip_nat.c,v 1.1.1.3 1997/04/03 10:11:11 darrenr Exp $"; +#endif + +#if defined(__FreeBSD__) && defined(KERNEL) +#define _KERNEL #endif #if !defined(_KERNEL) && !defined(KERNEL) @@ -20,12 +24,13 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp #include #include #include +#include #include #include #include #include #include -#ifdef _KERNEL +#ifdef _KERNEL # include #endif #if !defined(__SVR4) && !defined(__svr4__) @@ -57,8 +62,8 @@ extern struct ifnet vpnif; #include #include #include -#include "ip_fil.h" #include "ip_compat.h" +#include "ip_fil.h" #include "ip_nat.h" #include "ip_state.h" #ifndef MIN 
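Review bot: The block added near the top of ip_nat.c, `#if defined(__FreeBSD__) && defined(KERNEL)` / `#define _KERNEL`, does not test whether `_KERNEL` is already defined, unlike the equivalent block in ip_fil.h (`#if defined(KERNEL) && !defined(_KERNEL)`). If the build passes `_KERNEL` with a value, the empty redefinition is an incompatible macro redefinition. Using `#if defined(KERNEL) && !defined(_KERNEL)` here keeps the two files consistent. A one-line comment saying why the define is needed before the first include would also help the next reader.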
@@ -80,10 +85,13 @@ extern kmutex_t ipf_nat; # endif #endif -static int flush_nattable(), clear_natlist(); -static void nattable_sync(); +static int flush_nattable __P((void)), clear_natlist __P((void)); +static void nattable_sync __P((void)), nat_delete __P((struct nat *)); +static nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int)); +static void fix_outcksum __P((u_short *, u_long)); +static void fix_incksum __P((u_short *, u_long)); -void fix_outcksum(sp, n) +static void fix_outcksum(sp, n) u_short *sp; u_long n; { @@ -104,7 +112,7 @@ u_long n; } -void fix_incksum(sp, n) +static void fix_incksum(sp, n) u_short *sp; u_long n; { @@ -182,7 +190,8 @@ int cmd, mode; error = EEXIST; break; } - if (!(n = (ipnat_t *)KMALLOC(sizeof(*n)))) { + KMALLOC(n, ipnat_t *, sizeof(*n)); + if (n == NULL) { error = ENOMEM; break; } @@ -365,7 +374,7 @@ static int clear_natlist() /* * Create a new NAT table entry. */ -nat_t *nat_new(np, ip, fin, flags, direction) +static nat_t *nat_new(np, ip, fin, flags, direction) ipnat_t *np; ip_t *ip; fr_info_t *fin; @@ -387,15 +396,22 @@ int direction; } /* Give me a new nat */ - if (!(nat = (nat_t *)KMALLOC(sizeof(*nat)))) + KMALLOC(nat, nat_t *, sizeof(*nat)); + if (nat == NULL) return NULL; bzero((char *)nat, sizeof(*nat)); + nat->nat_flags = flags; /* * Search the current table for a match. */ if (direction == NAT_OUTBOUND) { +#if SOLARIS + ill_t *ill = fin->fin_ifp; +#else + struct ifnet *ifp = fin->fin_ifp; +#endif /* * If it's an outbound packet which doesn't match any existing * record, then create a new port 
@@ -403,6 +419,34 @@ int direction; do { port = 0; in.s_addr = np->in_nip; + if (!in.s_addr && (np->in_outmsk == 0xffffffff)) { +#if SOLARIS + in.s_addr = ill->ill_ipif->ipif_local_addr; +#else + struct ifaddr *ifa; + struct sockaddr_in *sin; + + ifa = ifp->if_addrlist; +# if BSD < 199306 + sin = (struct sockaddr_in *)&ifa->ifa_addr; +# else + sin = (struct sockaddr_in *)ifa->ifa_addr; + while (sin && ifa && + sin->sin_family != AF_INET) { + ifa = ifa->ifa_next; + sin = (struct sockaddr_in *)ifa->ifa_addr; + } + if (!ifa) + sin = NULL; + if (!sin) { + KFREE(nat); + return NULL; + } +# endif + in = sin->sin_addr; + in.s_addr = ntohl(in.s_addr); +#endif + } if (nflags & IPN_TCPUDP) { port = htons(np->in_pnext++); if (np->in_pnext >= ntohs(np->in_pmax)) { @@ -555,8 +599,9 @@ u_short sport, mapdport; for (; nat; nat = nat->nat_hnext[1]) if (nat->nat_oip.s_addr == src.s_addr && nat->nat_outip.s_addr == mapdst.s_addr && - (!flags || (nat->nat_oport == sport && - nat->nat_outport == mapdport))) + flags == nat->nat_flags && (!flags || + (nat->nat_oport == sport && + nat->nat_outport == mapdport))) return nat; return NULL; } @@ -581,8 +626,8 @@ u_short sport, dport; for (; nat; nat = nat->nat_hnext[0]) if (nat->nat_inip.s_addr == src.s_addr && nat->nat_oip.s_addr == dst.s_addr && - (!flags || (nat->nat_inport == sport && - nat->nat_oport == dport))) + flags == nat->nat_flags && (!flags || + (nat->nat_inport == sport && nat->nat_oport == dport))) return nat; return NULL; } @@ -606,8 +651,9 @@ u_short mapsport, dport; for (; nat; nat = nat->nat_hnext[0]) if (nat->nat_outip.s_addr == mapsrc.s_addr && nat->nat_oip.s_addr == dst.s_addr && - (!flags || (nat->nat_outport == mapsport && - nat->nat_oport == dport))) + flags == nat->nat_flags && (!flags || + (nat->nat_outport == mapsport && + nat->nat_oport == dport))) return nat; return NULL; } 
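Review bot: The address walk added for the `in_nip == 0` / `in_outmsk == 0xffffffff` case can dereference a NULL `ifa` in the packet path. `ifa = ifp->if_addrlist` is used without a check, and inside the loop `ifa = ifa->ifa_next` is followed by `ifa->ifa_addr` before the loop condition re-tests `ifa`, so an interface with no AF_INET address walks off the end of the list. The `BSD < 199306` branch also takes the first address without checking that one exists or what family it is. A loop that tests `ifa` before each dereference, as sketched below, keeps the existing `KFREE(nat); return NULL;` failure path. nat_new's body starts and ends outside this hunk.

```c
/* … unchanged: ifa/sin declarations and the BSD < 199306 branch … */
# else
				sin = NULL;
				for (ifa = ifp->if_addrlist; ifa != NULL;
				     ifa = ifa->ifa_next) {
					sin = (struct sockaddr_in *)ifa->ifa_addr;
					if (sin != NULL && sin->sin_family == AF_INET)
						break;
					sin = NULL;
				}
				if (sin == NULL) {
					/* no IPv4 address on this interface */
					KFREE(nat);
					return NULL;
				}
# endif
/* … unchanged: in = sin->sin_addr and the ntohl() conversion … */
```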
@@ -684,17 +730,20 @@ fr_info_t *fin; */ if (!(nat = nat_outlookup(nflags, ip->ip_src, sport, ip->ip_dst, dport))) { - if (np->in_redir == NAT_REDIRECT) - continue; /* - * if it's a redirection, then we don't want + * If it's a redirection, then we don't want * to create new outgoing port stuff. * Redirections are only for incoming * connections. */ + if (np->in_redir == NAT_REDIRECT) + continue; if (!(nat = nat_new(np, ip, fin, nflags, NAT_OUTBOUND))) break; +#ifdef IPFILTER_LOG + nat_log(nat, (u_short)np->in_redir); +#endif } ip->ip_src = nat->nat_outip; @@ -719,8 +768,8 @@ fr_info_t *fin; if (ip->ip_p == IPPROTO_TCP) { csump = &tcp->th_sum; - set_tcp_age(&nat->nat_age, - nat->nat_state, ip, fin,1); + fr_tcp_age(&nat->nat_age, + nat->nat_state, ip, fin,1); } else if (ip->ip_p == IPPROTO_UDP) { udphdr_t *udp = (udphdr_t *)tcp; @@ -787,20 +836,20 @@ fr_info_t *fin; (np->in_redir == NAT_MAP || np->in_pmin == dport)) { if (!(nat = nat_inlookup(nflags, ip->ip_src, sport, ip->ip_dst, dport))) { + /* + * If this rule (np) is a redirection, rather + * than a mapping, then do a nat_new. + * Otherwise, if it's just a mapping, do a + * continue; + */ if (np->in_redir == NAT_MAP) continue; - else { - /* - * If this rule (np) is a redirection, - * rather than a mapping, then do a - * nat_new. Otherwise, if it's just a - * mapping, do a continue; - */ - if (!(nat = nat_new(np, ip, fin, - nflags, - NAT_INBOUND))) - break; - } + if (!(nat = nat_new(np, ip, fin, nflags, + NAT_INBOUND))) + break; +#ifdef IPFILTER_LOG + nat_log(nat, (u_short)np->in_redir); +#endif } ip->ip_dst = nat->nat_inip; @@ -824,8 +873,8 @@ fr_info_t *fin; if (ip->ip_p == IPPROTO_TCP) { csump = &tcp->th_sum; - set_tcp_age(&nat->nat_age, - nat->nat_state, ip, fin,0); + fr_tcp_age(&nat->nat_age, + nat->nat_state, ip, fin,0); } else if (ip->ip_p == IPPROTO_UDP) { udphdr_t *udp = (udphdr_t *)tcp; 
@@ -887,9 +936,61 @@ void ip_natexpire() continue; } *natp = nat->nat_next; +#ifdef IPFILTER_LOG + nat_log(nat, NL_EXPIRE); +#endif nat_delete(nat); nat_stats.ns_expire++; } SPLX(s); MUTEX_EXIT(&ipf_nat); } + + +#ifdef IPFILTER_LOG +void nat_log(nat, type) +struct nat *nat; +u_short type; +{ + struct ipnat *np; + struct natlog natl; + int rulen; + + if (iplused[IPL_LOGNAT] + sizeof(natl) > IPLLOGSIZE) { + nat_stats.ns_logfail++; + return; + } + + if (iplh[IPL_LOGNAT] == iplbuf[IPL_LOGNAT] + IPLLOGSIZE) + iplh[IPL_LOGNAT] = iplbuf[IPL_LOGNAT]; + +# ifdef sun + uniqtime(&natl); +# endif +# if BSD >= 199306 || defined(__FreeBSD__) + microtime((struct timeval *)&natl); +# endif + natl.nl_origport = nat->nat_oport; + natl.nl_outport = nat->nat_outport; + natl.nl_inport = nat->nat_inport; + natl.nl_origip = nat->nat_oip; + natl.nl_outip = nat->nat_outip; + natl.nl_inip = nat->nat_inip; + natl.nl_type = type; + natl.nl_rule = -1; + if (nat->nat_ptr) { + for (rulen = 0, np = nat_list; np; np = np->in_next, rulen++) + if (np == nat->nat_ptr) { + natl.nl_rule = rulen; + break; + } + } + + if (!fr_copytolog(IPL_LOGNAT, (char *)&natl, sizeof(natl))) { + iplused[IPL_LOGNAT] += sizeof(natl); + nat_stats.ns_logged++; + } else + nat_stats.ns_logfail++; + wakeup(iplbuf[IPL_LOGNAT]); +} +#endif diff --git a/sys/netinet/ip_nat.h b/sys/netinet/ip_nat.h index d64183ac3920..6dcd28be4185 100644 --- a/sys/netinet/ip_nat.h +++ b/sys/netinet/ip_nat.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.0.1.7 1997/01/30 12:39:41 darrenr Exp $ + * $Id: ip_nat.h,v 1.1.1.2 1997/04/03 10:11:19 darrenr Exp $ */ #ifndef __IP_NAT_H_ @@ -40,7 +40,8 @@ #define NAT_SIZE 367 typedef struct nat { - int nat_age; + u_long nat_age; + int nat_flags; u_long nat_sumd; u_long nat_ipsumd; struct in_addr nat_inip; 
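Review bot: `nat_log()` builds `struct natlog natl` on the stack and passes all `sizeof(natl)` bytes to `fr_copytolog()` without clearing it first, so any byte that is not explicitly assigned reaches the log buffer as stale kernel stack content. `nl_tv` is only written when `sun`, `BSD >= 199306` or `__FreeBSD__` is defined, and any structure padding is never written. If that buffer is what the log device returns to readers (the `iplread` prototypes suggest so, but the read path is not visible here), this discloses kernel memory. Adding `bzero((char *)&natl, sizeof(natl));` as the first statement closes it. `ipstate_log()` in ip_state.c has the same pattern with a definite case: its ICMP branch sets only `isl_itype`, leaving the second `u_short` of the `isl_ps` union unset, so `bzero((char *)&ipsl, sizeof(ipsl));` belongs there too.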
@@ -101,6 +102,8 @@ typedef struct natstat { u_long ns_added; u_long ns_expire; u_long ns_inuse; + u_long ns_logged; + u_long ns_logfail; nat_t **ns_table[2]; ipnat_t *ns_list; } natstat_t; @@ -110,9 +113,37 @@ typedef struct natstat { #define IPN_UDP 2 #define IPN_TCPUDP 3 + +typedef struct natlog { + struct timeval nl_tv; + struct in_addr nl_origip; + struct in_addr nl_outip; + struct in_addr nl_inip; + u_short nl_origport; + u_short nl_outport; + u_short nl_inport; + u_short nl_type; + int nl_rule; +} natlog_t; + + +#define NL_NEWMAP NAT_MAP +#define NL_NEWRDR NAT_REDIRECT +#define NL_EXPIRE 0xffff + + extern nat_t *nat_table[2][NAT_SIZE]; -extern int nat_ioctl(); -extern nat_t *nat_outlookup(), *nat_inlookup(), *nat_lookupredir(); -extern int ip_natout(), ip_natin(); -extern void ip_natunload(), ip_natexpire(); +extern int nat_ioctl __P((caddr_t, int, int)); +extern nat_t *nat_outlookup __P((int, struct in_addr, u_short, + struct in_addr, u_short)); +extern nat_t *nat_inlookup __P((int, struct in_addr, u_short, + struct in_addr, u_short)); +extern nat_t *nat_lookupredir __P((natlookup_t *)); +extern nat_t *nat_lookupmapip __P((int, struct in_addr, u_short, + struct in_addr, u_short)); + +extern int ip_natout __P((ip_t *, int, fr_info_t *)); +extern int ip_natin __P((ip_t *, int, fr_info_t *)); +extern void ip_natunload __P((void)), ip_natexpire __P((void)); +extern void nat_log __P((struct nat *, u_short)); #endif /* __IP_NAT_H__ */ diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c index 2643ce95a633..e26b4f3c400b 100644 --- a/sys/netinet/ip_state.c +++ b/sys/netinet/ip_state.c @@ -7,7 +7,7 @@ */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp $"; +static char rcsid[] = "$Id: ip_state.c,v 1.1.1.3 1997/04/03 10:11:29 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) 
@@ -17,12 +17,19 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp #include #include #include +#include #include +#if defined(__FreeBSD__) && (__FreeBSD__ >= 3) +#include +#include +#include +#else #include +#endif #include #include #include -#ifdef _KERNEL +#ifdef _KERNEL # include #endif #if !defined(__SVR4) && !defined(__svr4__) @@ -48,15 +55,13 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp #include #include #include -#include "ip_fil.h" #include "ip_compat.h" +#include "ip_fil.h" #include "ip_state.h" #ifndef MIN #define MIN(a,b) (((a)<(b))?(a):(b)) #endif -void set_tcp_age(); - #define TCP_CLOSE (TH_FIN|TH_RST) ipstate_t *ips_table[IPSTATE_SIZE]; @@ -169,8 +174,8 @@ u_int pass; */ if ((tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) is->is_ack = 0; /* Trumpet WinSock 'ism */ - set_tcp_age(&is->is_age, is->is_state, ip, fin, - tcp->th_sport == is->is_sport); + fr_tcp_age(&is->is_age, is->is_state, ip, fin, + tcp->th_sport == is->is_sport); break; } case IPPROTO_UDP : @@ -187,7 +192,8 @@ u_int pass; return -1; } - if (!(is = (ipstate_t *)KMALLOC(sizeof(*is)))) { + KMALLOC(is, ipstate_t *, sizeof(*is)); + if (is == NULL) { ips_stats.iss_nomem++; return -1; } @@ -197,9 +203,14 @@ u_int pass; is->is_next = ips_table[hv]; ips_table[hv] = is; is->is_pass = pass; + is->is_pkts = 1; + is->is_bytes = ip->ip_len; if (pass & FR_LOGFIRST) is->is_pass &= ~(FR_LOGFIRST|FR_LOG); ips_num++; +#ifdef IPFILTER_LOG + ipstate_log(is, ISL_NEW); +#endif MUTEX_EXIT(&ipf_state); return 0; } @@ -210,13 +221,7 @@ u_int pass; * change timeout depending on whether new packet is a SYN-ACK returning for a * SYN or a RST or FIN which indicate time to close up shop. */ -int fr_tcpstate(is, fin, ip, tcp, sport -#ifndef _KERNEL -,isp) -ipstate_t **isp; -#else -) -#endif +int fr_tcpstate(is, fin, ip, tcp, sport) register ipstate_t *is; fr_info_t *fin; ip_t *ip; 
@@ -278,11 +283,13 @@ u_short sport; is->is_dwin = ntohs(tcp->th_win); } ips_stats.iss_hits++; + is->is_pkts++; + is->is_bytes += ip->ip_len; /* * Nearing end of connection, start timeout. */ - set_tcp_age(&is->is_age, is->is_state, ip, fin, - tcp->th_sport == is->is_sport); + fr_tcp_age(&is->is_age, is->is_state, ip, fin, + tcp->th_sport == is->is_sport); return 1; } return 0; @@ -301,7 +308,7 @@ fr_info_t *fin; register u_char pr; struct icmp *ic; tcphdr_t *tcp; - u_int hv, hlen; + u_int hv, hlen, pass; if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT)) return 0; @@ -336,6 +343,8 @@ fr_info_t *fin; is->is_icmp.ics_type != ic->icmp_type) continue; is->is_age = fr_icmptimeout; + is->is_pkts++; + is->is_bytes += ip->ip_len; ips_stats.iss_hits++; MUTEX_EXIT(&ipf_state); return is->is_pass; @@ -357,7 +366,6 @@ fr_info_t *fin; if (fr_tcpstate(is, fin, ip, tcp, sport)) { #ifdef _KERNEL MUTEX_EXIT(&ipf_state); - return is->is_pass; #else int pass = is->is_pass; @@ -366,8 +374,8 @@ fr_info_t *fin; isp = &ips_table[hv]; KFREE(is); } - return pass; #endif + return pass; } } MUTEX_EXIT(&ipf_state); @@ -389,9 +397,12 @@ fr_info_t *fin; PAIRS(sport, dport, is->is_sport, is->is_dport) && IPPAIR(src, dst, is->is_src, is->is_dst)) { ips_stats.iss_hits++; + is->is_pkts++; + is->is_bytes += ip->ip_len; is->is_age = fr_udptimeout; + pass = is->is_pass; MUTEX_EXIT(&ipf_state); - return is->is_pass; + return pass; } MUTEX_EXIT(&ipf_state); break; @@ -445,6 +456,9 @@ void fr_timeoutstate() ips_stats.iss_fin++; else ips_stats.iss_expire++; +#ifdef IPFILTER_LOG + ipstate_log(is, ISL_EXPIRE); +#endif KFREE(is); ips_num--; } else @@ -458,8 +472,8 @@ void fr_timeoutstate() * Original idea freom Pradeep Krishnan for use primarily with NAT code. * (pkrishna@netcom.com) */ -void set_tcp_age(age, state, ip, fin, dir) -int *age; +void fr_tcp_age(age, state, ip, fin, dir) +u_long *age; u_char *state; ip_t *ip; fr_info_t *fin; 
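Review bot: In the `_KERNEL` build, the TCP branch of fr_checkstate() now returns `pass` without ever assigning it. The hunks remove `return is->is_pass;` from the `#ifdef _KERNEL` arm and move `return pass;` below the `#endif`, but only the `#else` arm sets `pass` (its block-local `int pass = is->is_pass;`). The kernel path therefore returns the function-level `u_int pass` added to the declarations, which is uninitialized there as far as the visible lines show. The filter verdict for a packet matching TCP state would then be whatever is on the stack. Add `pass = is->is_pass;` before `MUTEX_EXIT(&ipf_state);` in the `_KERNEL` arm, as the UDP branch in this commit does; the ICMP branch still reads `is->is_pass` after `MUTEX_EXIT` and could get the same treatment.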
@@ -540,3 +554,51 @@ int dir; break; } } + + +#ifdef IPFILTER_LOG +void ipstate_log(is, type) +struct ipstate *is; +u_short type; +{ + struct ipslog ipsl; + + if (iplused[IPL_LOGSTATE] + sizeof(ipsl) > IPLLOGSIZE) { + ips_stats.iss_logfail++; + return; + } + + if (iplh[IPL_LOGSTATE] == iplbuf[IPL_LOGSTATE] + IPLLOGSIZE) + iplh[IPL_LOGSTATE] = iplbuf[IPL_LOGSTATE]; + +# ifdef sun + uniqtime(&ipsl); +# endif +# if BSD >= 199306 || defined(__FreeBSD__) + microtime((struct timeval *)&ipsl); +# endif + ipsl.isl_pkts = is->is_pkts; + ipsl.isl_bytes = is->is_bytes; + ipsl.isl_src = is->is_src; + ipsl.isl_dst = is->is_dst; + ipsl.isl_p = is->is_p; + ipsl.isl_flags = is->is_flags; + ipsl.isl_type = type; + if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) { + ipsl.isl_sport = is->is_sport; + ipsl.isl_dport = is->is_dport; + } else if (ipsl.isl_p == IPPROTO_ICMP) + ipsl.isl_itype = is->is_icmp.ics_type; + else { + ipsl.isl_ps.isl_filler[0] = 0; + ipsl.isl_ps.isl_filler[1] = 0; + } + + if (!fr_copytolog(IPL_LOGSTATE, (char *)&ipsl, sizeof(ipsl))) { + iplused[IPL_LOGSTATE] += sizeof(ipsl); + ips_stats.iss_logged++; + } else + ips_stats.iss_logfail++; + wakeup(iplbuf[IPL_LOGSTATE]); +} +#endif diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h index ee30b986d844..b92f8c23e434 100644 --- a/sys/netinet/ip_state.h +++ b/sys/netinet/ip_state.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $Id: ip_state.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $ + * $Id: ip_state.h,v 1.1.1.2 1997/04/03 10:11:33 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ @@ -37,8 +37,10 @@ typedef struct tcpstate { typedef struct ipstate { struct ipstate *is_next; - int is_age; + u_long is_age; u_int is_pass; + U_QUAD_T is_pkts; + U_QUAD_T is_bytes; struct in_addr is_src; struct in_addr is_dst; u_char is_p; 
@@ -63,6 +65,31 @@ typedef struct ipstate { #define TH_OPENING (TH_SYN|TH_ACK) + +typedef struct ipslog { + struct timeval isl_tv; + U_QUAD_T isl_pkts; + U_QUAD_T isl_bytes; + struct in_addr isl_src; + struct in_addr isl_dst; + u_char isl_p; + u_char isl_flags; + u_short isl_type; + union { + u_short isl_filler[2]; + u_short isl_ports[2]; + u_short isl_icmp; + } isl_ps; +} ipslog_t; + +#define isl_sport isl_ps.isl_ports[0] +#define isl_dport isl_ps.isl_ports[1] +#define isl_itype isl_ps.isl_icmp + +#define ISL_NEW 0 +#define ISL_EXPIRE 0xffff + + typedef struct ips_stat { u_long iss_hits; u_long iss_miss; @@ -74,13 +101,18 @@ typedef struct ips_stat { u_long iss_expire; u_long iss_fin; u_long iss_active; + u_long iss_logged; + u_long iss_logfail; ipstate_t **iss_table; } ips_stat_t; -extern ips_stat_t *fr_statetstats(); -extern int fr_addstate(), fr_checkstate(); -extern void fr_timeoutstate(), set_tcp_age(); -# ifdef _KERNEL -extern void fr_stateunload(); -# endif +extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, + tcphdr_t *, u_short)); +extern ips_stat_t *fr_statetstats __P((void)); +extern int fr_addstate __P((ip_t *, fr_info_t *, u_int)); +extern int fr_checkstate __P((ip_t *, fr_info_t *)); +extern void fr_timeoutstate __P((void)); +extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int)); +extern void fr_stateunload __P((void)); +extern void ipstate_log __P((struct ipstate *, u_short)); #endif /* __IP_STATE_H__ */