integrate IPV6FIREWALL.

kame · Aug 6, 1999 · b3af92b · b3af92b
1 parent 35587e1
commit b3af92b
Show file tree

Hide file tree

Showing 4 changed files with 112 additions and 3 deletions.
diff --git a/kame/sys/netinet6/in6.h b/kame/sys/netinet6/in6.h
@@ -346,7 +346,15 @@ struct route_in6 {
 #if 1 /*IPSEC*/
 #define IPV6_IPSEC_POLICY	28 /* struct; get/set security policy */
 #endif
-#define IPV6_FAITH		32 /* bool; accept FAITH'ed connections */
+#define IPV6_FAITH		29 /* bool; accept FAITH'ed connections */
+
+#if 1 /*IPV6FIREWALL*/
+#define IPV6_FW_ADD		30 /* add a firewall rule to chain */
+#define IPV6_FW_DEL		31 /* delete a firewall rule from chain */
+#define IPV6_FW_FLUSH		32 /* flush firewall rule chain */
+#define IPV6_FW_ZERO		33 /* clear single/all firewall counter(s) */
+#define IPV6_FW_GET		34 /* get entire firewall rule chain */
+#endif
 
 #define IPV6_RTHDR_LOOSE     0 /* this hop need not be a neighbor. XXX old spec */
 #define IPV6_RTHDR_STRICT    1 /* this hop must be a neighbor. XXX old spec */

diff --git a/kame/sys/netinet6/ip6_forward.c b/kame/sys/netinet6/ip6_forward.c
@@ -48,6 +48,10 @@
 #include <netinet6/ip6_var.h>
 #include <netinet6/icmp6.h>
 
+#ifdef IPV6FIREWALL
+#include <netinet6/ip6_fw.h>
+#endif
+
 #include <net/net_osdep.h>
 
 struct	route_in6 ip6_forward_rt;
@@ -70,7 +74,7 @@ ip6_forward(m, srcrt)
 	struct mbuf *m;
 	int srcrt;
 {
-	register struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
+	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 	register struct sockaddr_in6 *dst;
 	register struct rtentry *rt;
 	int error, type = 0, code = 0;
@@ -183,6 +187,22 @@ ip6_forward(m, srcrt)
 	    (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0)
 		type = ND_REDIRECT;
 
+#ifdef IPV6FIREWALL
+	/*
+	 * Check with the firewall...
+	 */
+	if (ip6_fw_chk_ptr) {
+		u_short port = 0;
+		/* If ipfw says divert, we have to just drop packet */
+		if ((*ip6_fw_chk_ptr)(&ip6, rt->rt_ifp, &port, &m)) {
+			m_freem(m);
+			goto freecopy;
+		}
+		if (!m)
+			goto freecopy;
+	}
+#endif
+
 	error = (*rt->rt_ifp->if_output)(rt->rt_ifp, m,
 					 (struct sockaddr *)dst,
 					 ip6_forward_rt.ro_rt);

diff --git a/kame/sys/netinet6/ip6_input.c b/kame/sys/netinet6/ip6_input.c
@@ -113,6 +113,10 @@
 #include <netinet/ip_icmp.h>
 #endif /*INET*/
 
+#ifdef IPV6FIREWALL
+#include <netinet6/ip6_fw.h>
+#endif
+
 #include <netinet6/ip6protosw.h>
 
 /* we need it for NLOOP. */
@@ -142,6 +146,12 @@ int ip6_sourcecheck;			/* XXX */
 int ip6_sourcecheck_interval;		/* XXX */
 #endif
 
+#ifdef IPV6FIREWALL
+/* firewall hooks */
+ip6_fw_chk_t *ip6_fw_chk_ptr;
+ip6_fw_ctl_t *ip6_fw_ctl_ptr;
+#endif
+
 struct ip6stat ip6stat;
 
 static void ip6_init2 __P((void *));
@@ -172,6 +182,9 @@ ip6_init()
 	ip6intrq.ifq_maxlen = ip6qmaxlen;
 	nd6_init();
 	frag6_init();
+#ifdef IPV6FIREWALL
+	ip6_fw_init();
+#endif
 	/*
 	 * in many cases, random() here does NOT return random number
 	 * as initialization during bootstrap time occur in fixed order.
@@ -245,7 +258,7 @@ void
 ip6_input(m)
 	struct mbuf *m;
 {
-	register struct ip6_hdr *ip6;
+	struct ip6_hdr *ip6;
 	int off = sizeof(struct ip6_hdr), nest;
 	u_int32_t plen;
 	u_int32_t rtalert = ~0;
@@ -305,6 +318,23 @@ ip6_input(m)
 
 	ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
 
+#ifdef IPV6FIREWALL
+	/*
+	 * Check with the firewall...
+	 */
+	if (ip6_fw_chk_ptr) {
+		u_short port = 0;
+		/* If ipfw says divert, we have to just drop packet */
+		/* use port as a dummy argument */
+		if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) {
+			m_freem(m);
+			m = NULL;
+		}
+		if (!m)
+			return;
+	}
+#endif
+
 	/*
 	 * Scope check
 	 */

diff --git a/kame/sys/netinet6/ip6_output.c b/kame/sys/netinet6/ip6_output.c
@@ -107,6 +107,14 @@
 
 #include <net/net_osdep.h>
 
+#ifdef IPV6FIREWALL
+#include <netinet6/ip6_fw.h>
+#endif
+
+#if defined(__FreeBSD__) && __FreeBSD__ >= 3
+static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
+#endif
+
 struct ip6_exthdrs {
 	struct mbuf *ip6e_ip6;
 	struct mbuf *ip6e_hbh;
@@ -751,6 +759,24 @@ skip_ipsec2:;
 			ip6->ip6_dst.s6_addr16[1] = 0;
 	}
 
+#ifdef IPV6FIREWALL
+	/*
+	 * Check with the firewall...
+	 */
+	if (ip6_fw_chk_ptr) {
+		u_short port = 0;
+		/* If ipfw says divert, we have to just drop packet */
+		if ((*ip6_fw_chk_ptr)(&ip6, ifp, &port, &m)) {
+			m_freem(m);
+			goto done;
+		}
+		if (!m) {
+			error = EACCES;
+			goto done;
+		}
+	}
+#endif
+
 	/*
 	 * If the outgoing packet contains a hop-by-hop options header,
 	 * it must be examined and processed even by the source node.
@@ -1321,6 +1347,20 @@ ip6_ctloutput(op, so, level, optname, mp)
 				break;
 #endif /* IPSEC */
 
+#ifdef IPV6FIREWALL
+			case IPV6_FW_ADD:
+			case IPV6_FW_DEL:
+			case IPV6_FW_FLUSH:
+			case IPV6_FW_ZERO:
+				if (ip6_fw_ctl_ptr == NULL) {
+					if (m) (void)m_free(m);
+					return EINVAL;
+				}
+				error = (*ip6_fw_ctl_ptr)(optname, mp);
+				m = *mp;
+				break;
+#endif
+
 			default:
 				error = ENOPROTOOPT;
 				break;
@@ -1481,6 +1521,17 @@ ip6_ctloutput(op, so, level, optname, mp)
 				break;
 #endif /* IPSEC */
 
+#ifdef IPV6FIREWALL
+			case IPV6_FW_GET:
+				if (ip6_fw_ctl_ptr == NULL) {
+					if (m)
+						(void)m_free(m);
+					return EINVAL;
+				}
+				error = (*ip6_fw_ctl_ptr)(optname, mp);
+				break;
+#endif
+
 			default:
 				error = ENOPROTOOPT;
 				break;