Date: Thu, 10 Apr 1997 21:08:52 +1000 (EST) From: proff@suburbia.net To: hackers@freebsd.org Subject: ipfilter-proff backported to 2.2.1 Message-ID: <19970410110853.6196.qmail@suburbia.net>
Replace src/sys-ipfilter-proff.diff after unpacking the
ipfilter-proff.shar distribution with the following patch
against FreeBSD-2.2.1 (should work with -2.2 also)
Index: conf/files
===================================================================
RCS file: /usr/src/cvs/src/sys/conf/files,v
retrieving revision 1.80.2.7
diff -u -r1.80.2.7 files
--- files 1997/03/16 07:21:12 1.80.2.7
+++ src/sys/conf/files 1997/04/10 08:09:55
@@ -217,6 +217,12 @@
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
+../contrib-sys/ipfilter/mlf_ipl.c optional ipfilter inet
+../contrib-sys/ipfilter/ip_fil.c optional ipfilter inet
+../contrib-sys/ipfilter/fil.c optional ipfilter inet
+../contrib-sys/ipfilter/ip_nat.c optional ipfilter inet
+../contrib-sys/ipfilter/ip_frag.c optional ipfilter inet
+../contrib-sys/ipfilter/ip_state.c optional ipfilter inet
netipx/ipx.c optional ipx
netipx/ipx_cksum.c optional ipx
netipx/ipx_error.c optional ipx
Index: conf/options
===================================================================
RCS file: /usr/src/cvs/src/sys/conf/options,v
retrieving revision 1.18.2.5
diff -u -r1.18.2.5 sys/conf/options
--- options 1997/02/28 15:41:25 1.18.2.5
+++ src/sys/conf/options 1997/04/10 08:01:09
@@ -84,3 +84,6 @@
IPFIREWALL opt_ipfw.h
IPFIREWALL_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
+IPFILTER opt_ipfilter.h
+IPFILTER_LKM opt_ipfilter.h
+IPFILTER_LOG opt_ipfilter.h
Index: i386/conf/GENERIC
===================================================================
RCS file: /usr/src/cvs/src/sys/i386/conf/GENERIC,v
retrieving revision 1.77.2.4
diff -u -r1.77.2.4 i386/conf/GENERIC
--- GENERIC 1997/02/22 20:31:24 1.77.2.4
+++ src/sys/i386/conf/GENERIC 1997/04/10 08:01:09
@@ -23,6 +23,7 @@
options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
+options IPFILTER_LKM #Hooks for ipfilter lkm
options FFS #Berkeley Fast Filesystem
options NFS #Network Filesystem
options MSDOSFS #MSDOS Filesystem
Index: i386/conf/LINT
===================================================================
RCS file: /usr/src/cvs/src/sys/i386/conf/LINT,v
retrieving revision 1.286.2.19
diff -u -r1.286.2.19 LINT
--- LINT 1997/03/19 03:01:49 1.286.2.19
+++ src/sys/i386/conf/LINT 1997/04/10 08:01:09
@@ -261,6 +261,13 @@
# dropped packets
options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
options IPDIVERT #divert sockets
+# new IPFILTER firewall
+# you need to have the src/contrib-sys tree installed to compile
+# kernel support for the in-kernel version
+options IPFILTER #in-kernel version
+options IPFILTER_LKM #module version
+options IPFITLER_LOG #support logging (in-kernel)
+#
options TCPDEBUG
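Review bot: `options IPFITLER_LOG` on the sixth added line of this hunk misspells the option; the conf/options hunk in the same patch registers it as `IPFILTER_LOG opt_ipfilter.h`, so as written LINT would presumably not exercise the logging build at all and config(8) would see an option it does not know. Change the line to `options IPFITLER_LOG` → `options IPFILTER_LOG #support logging (in-kernel)`. The comment block above it could also say which of the three options are mutually exclusive, if the in-kernel and LKM variants cannot be configured together — that is not stated anywhere in the patch.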
Index: i386/conf/Makefile.i386
===================================================================
RCS file: /usr/src/cvs/src/sys/i386/conf/Makefile.i386,v
retrieving revision 1.89.2.2
diff -u -r1.89.2.2 Makefile.i386
--- Makefile.i386 1997/02/14 00:07:52 1.89.2.2
+++ src/sys/i386/conf/Makefile.i386 1997/04/10 08:01:09
@@ -27,7 +27,7 @@
I386= ${S}/i386
COPTFLAGS?=-O
-INCLUDES= -nostdinc -I- -I. -I$S
+INCLUDES= -nostdinc -I- -I. -I$S -I${.IMPSRC:H}
# This hack is to allow kernel compiles to succeed on machines w/out srcdist
.if exists($S/../include)
INCLUDES+= -I$S/../include
Index: netinet/ip_input.c
===================================================================
RCS file: /usr/src/cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.50.2.4
diff -u -r1.50.2.4 ip_input.c
--- ip_input.c 1997/02/06 11:33:38 1.50.2.4
+++ src/sys/netinet/ip_input.c 1997/04/10 08:01:09
@@ -37,6 +37,7 @@
#define _IP_VHL
+#include "opt_ipfilter.h"
#include "opt_ipfw.h"
#include <stddef.h>
@@ -134,6 +135,11 @@
ip_nat_ctl_t *ip_nat_ctl_ptr;
#endif
+#if defined(IPFILTER_LKM) || defined(IPFILTER)
+int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
+#endif
+
/*
* We need to save the IP options in case a protocol wants to respond
* to an incoming packet over the same route if the packet got here
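Review bot: The prototypes of `fr_check` and `fr_checkp` added here are repeated by hand as `extern` declarations in the ip_output.c hunk that follows `ip_setmoptions`; two copies of a five-argument signature that nothing cross-checks will drift silently. Declare both once in a header shipped with the ipfilter tree (or with this patch) and include it from both files, keeping only the definition `int (*fr_checkp) ... = NULL;` here. That definition deserves a comment such as `/* NULL means no filter installed; presumably set by the ipfilter LKM at load time — confirm against mlf_ipl.c */`, since the side that writes the pointer is not in this patch.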
@@ -310,7 +316,19 @@
* - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.>
*/
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * Check if we want to allow this packet to be processed.
+ * Consider it to be bad if not.
+ */
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
+ return;
+ ip = mtod(m = m1, struct ip *);
+ }
+#endif
#ifdef COMPAT_IPFW
if (ip_fw_chk_ptr) {
int action;
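Review bot: The bare `return` on a non-zero result from `(*fr_checkp)` drops the packet without freeing `m`, so the hunk relies on the callee having already released the mbuf (the `!m1` test suggests it can), but that ownership contract is stated nowhere; if fr_check ever returns non-zero with the mbuf intact, every blocked packet leaks. The same assumption is made at `sendit:` in the ip_output.c hunk, which jumps to `done:` rather than the freeing `bad:` label. Confirm against fr_check in ip_fil.c and record it above the call: `/* On a non-zero return, or when *m1 comes back NULL, fr_check has freed or consumed the mbuf; m must not be touched afterwards. */`. Note also that `hlen` is not recomputed after `ip = mtod(m = m1, struct ip *)`, which is only safe if the filter never hands back a different header. ip_input's body begins and ends outside this hunk.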
Index: netinet/ip_output.c
===================================================================
RCS file: /usr/src/cvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.44.2.4
diff -u -r1.44.2.4 ip_output.c
--- ip_output.c 1997/03/02 19:03:01 1.44.2.4
+++ src/sys/netinet/ip_output.c 1997/04/10 08:06:06
@@ -34,6 +34,9 @@
* $Id: ip_output.c,v 1.44.2.4 1997/03/02 19:03:01 fenner Exp $
*/
+#include "opt_ipfw.h"
+#include "opt_ipfilter.h"
+
#define _IP_VHL
#include <sys/param.h>
@@ -75,10 +78,17 @@
__P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
static int ip_getmoptions
__P((int, struct ip_moptions *, struct mbuf **));
-static int ip_optcopy __P((struct ip *, struct ip *));
static int ip_pcbopts __P((struct mbuf **, struct mbuf *));
static int ip_setmoptions
__P((int, struct ip_moptions **, struct mbuf *));
+#if defined(IPFILTER_LKM) || defined(IPFILTER)
+int ip_optcopy __P((struct ip *, struct ip *));
+extern int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+#else
+static int ip_optcopy __P((struct ip *, struct ip *));
+#endif
+
extern struct protosw inetsw[];
@@ -331,6 +341,20 @@
}
sendit:
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * looks like most checking has been done now...do a filter check
+ */
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m1))
+ error = EACCES;
+ if (error || !m1)
+ goto done;
+ ip = mtod(m = m1, struct ip *);
+ }
+#endif
/*
* IpHack's section.
* - Xlate: translate packet's addr/port (NAT).
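Review bot: `if (error || !m1) goto done;` assumes `error` is still zero when control reaches `sendit:`; that initialisation is outside the hunk, and if any earlier path leaves a non-zero `error` behind, a packet the filter passed would be dropped with that stale code. Either test the filter result directly, `if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) { error = EACCES; goto done; }` followed by `if (!m1) goto done;`, or add a comment stating why `error` is known to be zero here. The `goto done` also bypasses the `m_freem` at `bad:`, so a block must leave the mbuf already freed — the same unstated contract the ip_input.c hunk relies on. ip_output's body begins and ends outside this hunk.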
@@ -559,7 +583,10 @@
* Copy options from ip to jp,
* omitting those not copied during fragmentation.
*/
-static int
+#if !defined(IPFILTER) && !defined(IPFILTER_LKM)
+static
+#endif
+int
ip_optcopy(ip, jp)
struct ip *ip, *jp;
{
