Date:      Sun, 19 May 1996 17:19:43 -0500 (CDT)
From:      Alex Nash <alex@zen.nash.org>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        phk@freebsd.org
Subject:   kern/1219: IPFW: kernel code enhancements
Message-ID:  <199605192219.RAA01314@zen.nash.org>
Resent-Message-ID: <199605192230.PAA29750@freefall.freebsd.org>


>Number:         1219
>Category:       kern
>Synopsis:       IPFW kernel code enhancements
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 19 15:30:03 PDT 1996
>Last-Modified:
>Originator:     Alex Nash
>Organization:
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

FreeBSD 2.1.0-stable or FreeBSD 2.2-current with IPFW changes submitted
in PRs bin/1193 and kern/1192.

>Description:

  ip_fw.h

    - Corrected a spelling error.

    - Added an ICMP type bitmap and timestamp field.

    - Added a new flag, IP_FW_F_ICMPBIT.  When this flag is set,
      it indicates that the ICMP type bitmap (fw_icmptypes) is valid.

  ip_fw.c

    - Timestamp chain entry when updating packet/byte counters.

    - Display ICMP code along with type when logging.

    - Filter based on ICMP type.

    - Removed (#if 0'ed) comment about ICMP firewall not being
      supported.

>How-To-Repeat:

N/A

>Fix:

  NOTE:
  1. The version numbers shown in the diffs do *not* correspond
     to version numbers in the FreeBSD CVS tree.

  2. All diffs are applied after the changes made in kern/1192.

Complete sources for kernel and user-level code are available at:

    ftp://ftp.fa.tdktca.com/pub/FreeBSD/ipfw
    MD5 (ipfw.tar.gz) = f54888e0aa91745f8bb27f35c104e62e



*** ip_fw.h	1996/05/18 15:36:39	1.1
--- ip_fw.h	1996/05/19 18:30:20	1.3
***************
*** 48,54 ****
  #define IP_FW_MAX_PORTS	10      	/* A reasonable maximum */
      u_short fw_pts[IP_FW_MAX_PORTS];    /* Array of port numbers to match */
      u_char fw_ipopt,fw_ipnopt;		/* IP options set/unset */
!     u_char fw_tcpf,fw_tcpnf;		/* TCP flags sen/unset */
  };
  
  struct ip_fw_chain {
--- 48,57 ----
  #define IP_FW_MAX_PORTS	10      	/* A reasonable maximum */
      u_short fw_pts[IP_FW_MAX_PORTS];    /* Array of port numbers to match */
      u_char fw_ipopt,fw_ipnopt;		/* IP options set/unset */
!     u_char fw_tcpf,fw_tcpnf;		/* TCP flags set/unset */
! #define IP_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
!     unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
!     long timestamp;         		/* timestamp (tv_sec) of last match */
  };
  
  struct ip_fw_chain {
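Review bot: The new `fw_icmptypes` and `timestamp` members grow `struct ip_fw`, which appears to be the record exchanged with the user-level tool through the ip_fw_ctl path this diff touches later, so an ipfw binary built against the old header would hand the kernel a shorter structure; a comment on the struct noting that its layout is shared with userland and must change in step would help the next editor. `IP_FW_ICMPTYPES_DIM` hard-codes eight bits per byte via `sizeof(unsigned) * 8`, and `icmptype_match` in ip_fw.c repeats that expression twice in two operand orders; defining the word width once, e.g. `#define IP_FW_ICMPTYPES_BITS (sizeof(unsigned) * 8)` (proposed name) beside the array dimension and using it in both files keeps them from drifting apart. The `timestamp` comment says "tv_sec", so the comment could also say the field is zeroed by the counter-reset path and otherwise holds the last match time.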
***************
*** 60,92 ****
   * Values for "flags" field .
   */
  
! #define IP_FW_F_ALL	0x000	/* This is a universal packet rule    */
! #define IP_FW_F_TCP	0x001	/* This is a TCP packet rule          */
! #define IP_FW_F_UDP	0x002	/* This is a UDP packet rule          */
! #define IP_FW_F_ICMP	0x003	/* This is a ICMP packet rule         */
! #define IP_FW_F_KIND	0x003	/* Mask to isolate rule kind          */
! 
! #define IP_FW_F_IN	0x004	/* Inbound 			      */
! #define IP_FW_F_OUT	0x008	/* Outboun 			      */
! 
! #define IP_FW_F_ACCEPT	0x010	/* This is an accept rule	      */
! #define IP_FW_F_COUNT	0x020	/* This is an accept rule	      */
! #define IP_FW_F_PRN	0x040	/* Print if this rule matches	      */
! #define IP_FW_F_ICMPRPL	0x080	/* Send back icmp unreachable packet  */
  				 
! #define IP_FW_F_SRNG	0x100	/* The first two src ports are a min  *
  				 * and max range (stored in host byte *
  				 * order).                            */
  
! #define IP_FW_F_DRNG	0x200	/* The first two dst ports are a min  *
  				 * and max range (stored in host byte *
  				 * order).                            */
  
! #define IP_FW_F_IFNAME	0x400	/* Use interface name/unit (not IP)   */
  
! #define IP_FW_F_FRAG	0x800	/* Fragment			      */
  
! #define IP_FW_F_MASK	0xFFF	/* All possible flag bits mask        */
  
  /*
   * Definitions for IP option names.
--- 63,97 ----
   * Values for "flags" field .
   */
  
! #define IP_FW_F_ALL	0x0000	/* This is a universal packet rule    */
! #define IP_FW_F_TCP	0x0001	/* This is a TCP packet rule          */
! #define IP_FW_F_UDP	0x0002	/* This is a UDP packet rule          */
! #define IP_FW_F_ICMP	0x0003	/* This is a ICMP packet rule         */
! #define IP_FW_F_KIND	0x0003	/* Mask to isolate rule kind          */
! 
! #define IP_FW_F_IN	0x0004	/* Inbound 			      */
! #define IP_FW_F_OUT	0x0008	/* Outbound			      */
! 
! #define IP_FW_F_ACCEPT	0x0010	/* This is an accept rule	      */
! #define IP_FW_F_COUNT	0x0020	/* This is an accept rule	      */
! #define IP_FW_F_PRN	0x0040	/* Print if this rule matches	      */
! #define IP_FW_F_ICMPRPL	0x0080	/* Send back icmp unreachable packet  */
  				 
! #define IP_FW_F_SRNG	0x0100	/* The first two src ports are a min  *
  				 * and max range (stored in host byte *
  				 * order).                            */
  
! #define IP_FW_F_DRNG	0x0200	/* The first two dst ports are a min  *
  				 * and max range (stored in host byte *
  				 * order).                            */
  
! #define IP_FW_F_IFNAME	0x0400	/* Use interface name/unit (not IP)   */
  
! #define IP_FW_F_FRAG	0x0800	/* Fragment			      */
  
! #define IP_FW_F_ICMPBIT 0x1000	/* ICMP type bitmap is valid          */
! 
! #define IP_FW_F_MASK	0x1FFF	/* All possible flag bits mask        */
  
  /*
   * Definitions for IP option names.
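Review bot: The comment on `IP_FW_F_COUNT` still reads "This is an accept rule", copied from the line above, even though the commit rewrites that line to widen the constant; `#define IP_FW_F_COUNT	0x0020	/* This is a count rule              */` fixes it in passing. The new `IP_FW_F_ICMPBIT` comment could state what the flag governs and what happens when it is clear, e.g. `/* fw_icmptypes is valid; if clear, any ICMP type matches */`, since that default is only visible from `icmptype_match` in ip_fw.c.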



*** ip_fw.c	1996/05/18 15:36:39	1.1
--- ip_fw.c	1996/05/19 18:31:09	1.3
***************
*** 22,29 ****
  #include <sys/malloc.h>
  #include <sys/mbuf.h>
  #include <sys/queue.h>
- #if 0 /* XXX -current, but not -stable */
  #include <sys/kernel.h>
  #include <sys/sysctl.h>
  #endif
  #include <net/if.h>
--- 22,30 ----
  #include <sys/malloc.h>
  #include <sys/mbuf.h>
  #include <sys/queue.h>
  #include <sys/kernel.h>
+ #include <sys/time.h>
+ #if 0 /* XXX -current, but not -stable */
  #include <sys/sysctl.h>
  #endif
  #include <net/if.h>
***************
*** 124,129 ****
--- 125,149 ----
  	return 1;
  }
  
+ static int
+ icmptype_match(icmp, f)
+ 	struct icmp *  icmp;
+ 	struct ip_fw * f;
+ {
+ 	int type;
+ 
+ 	if (!(f->fw_flg & IP_FW_F_ICMPBIT))
+ 		return(1);
+ 
+ 	type = icmp->icmp_type;
+ 
+ 	/* check for matching type in the bitmap */
+ 	if (f->fw_icmptypes[type / (sizeof(unsigned) * 8)] & 
+ 		(1U << (type % (8 * sizeof(unsigned)))))
+ 		return(1);
+ 
+ 	return(0); /* no match */
+ }
  
  static int
  ipopts_match(ip, f)
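Review bot: `icmptype_match` has no header comment; its contract deserves one, e.g. `/* Return 1 if rule f has no ICMP type restriction (IP_FW_F_ICMPBIT clear) or the bit for icmp->icmp_type is set in fw_icmptypes, 0 otherwise. icmp must point at a complete ICMP header. */`. The index arithmetic is in bounds as written only because `icmp_type` is a `u_char`, so `type / (sizeof(unsigned) * 8)` stays below `IP_FW_ICMPTYPES_DIM`; a one-line comment saying so would spare the next reader the check, and `type` could be declared `unsigned` to make that explicit. The two spellings `sizeof(unsigned) * 8` and `8 * sizeof(unsigned)` on adjacent lines denote the same value and should be written the same way, ideally via the constant the header uses for the array dimension.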
***************
*** 211,217 ****
  		printf(":%d", ntohs(udp->uh_dport));
  		break;
  	case IPPROTO_ICMP:
! 		printf("ICMP:%u ", icmp->icmp_type);
  		print_ip(ip->ip_src);
  		printf(" ");
  		print_ip(ip->ip_dst);
--- 231,237 ----
  		printf(":%d", ntohs(udp->uh_dport));
  		break;
  	case IPPROTO_ICMP:
! 		printf("ICMP:%u.%u ", icmp->icmp_type, icmp->icmp_code);
  		print_ip(ip->ip_src);
  		printf(" ");
  		print_ip(ip->ip_dst);
***************
*** 383,390 ****
  			continue;
  
  		/* ICMP, done */
! 		if (prt == IP_FW_F_ICMP) 
  			goto got_match;
  
  		/* Fragments can't match past this point */
  		if (ip->ip_off & IP_OFFMASK)
--- 403,414 ----
  			continue;
  
  		/* ICMP, done */
! 		if (prt == IP_FW_F_ICMP) {
! 			if (!icmptype_match(icmp, f))
! 				continue;
! 
  			goto got_match;
+ 		}
  
  		/* Fragments can't match past this point */
  		if (ip->ip_off & IP_OFFMASK)
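Review bot: The new `if (!icmptype_match(icmp, f))` runs before the `Fragments can't match past this point` test, so on a non-first fragment (`ip->ip_off & IP_OFFMASK` set) `icmp->icmp_type` is read from whatever bytes follow the IP header rather than from an ICMP header, and a rule carrying `IP_FW_F_ICMPBIT` then matches or skips such fragments on arbitrary data. The pre-existing behaviour for rules without a type bitmap (any ICMP packet matches, fragments included) should be kept, so the guard belongs only on bitmap rules, e.g. `if ((f->fw_flg & IP_FW_F_ICMPBIT) && (ip->ip_off & IP_OFFMASK)) continue;` placed before the call, or the same test inside `icmptype_match` with the fragment state passed in. Whether a non-first fragment should instead be treated as matching a bitmap rule is a policy choice that deserves a comment next to the check either way. The enclosing function's body continues on both sides of this hunk.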
***************
*** 407,412 ****
--- 431,437 ----
  got_match:
  		f->fw_pcnt++;
  		f->fw_bcnt+=ip->ip_len;
+ 		f->timestamp = time.tv_sec;
  		if (f->fw_flg & IP_FW_F_PRN) {
  			if (f->fw_flg & IP_FW_F_ACCEPT)
  				ipfw_report("Accept", f->fw_number, ip, f->fw_pcnt);
***************
*** 554,561 ****
--- 579,591 ----
  	s = splnet();
  	for (fcp = ip_fw_chain.lh_first; fcp; fcp = fcp->chain.le_next)
  		if (!frwl || frwl->fw_number == fcp->rule->fw_number)
+ 		{
  			fcp->rule->fw_bcnt = fcp->rule->fw_pcnt = 0;
+ 			fcp->rule->timestamp = 0;
+ 		}
  	splx(s);
+ 
+ 	return(0);
  }
  
  static struct ip_fw *
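Review bot: The added `return(0);` closes a function whose header lies outside the hunk, so its return type cannot be confirmed here; if it was declared `void`, the definition, its prototype and the caller must change together, and if it already returned `int` the new statement should come with a comment saying what non-zero would mean. The `for (fcp = ip_fw_chain.lh_first; ...)` loop stays unbraced while its `if` body gained braces with `{` on its own line, which differs from the K&R placement the rest of this diff uses (`if (prt == IP_FW_F_ICMP) {`); bracing the loop as well and keeping `{` on the `if` line, e.g. `if (!frwl || frwl->fw_number == fcp->rule->fw_number) {`, matches the surrounding code.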
***************
*** 596,607 ****
  		    frwl->fw_nsp, frwl->fw_ndp));
  		return (NULL);
  	}
- #if 0
- 	if ((frwl->fw_flg & IP_FW_F_KIND) == IP_FW_F_ICMP) {
- 		dprintf(("ip_fw_ctl:  request for unsupported ICMP frwling\n"));
- 		return (NULL);
- 	}
- #endif
  	return frwl;
  }
  
--- 626,631 ----
>Audit-Trail:
>Unformatted:


