PF for freebsd5. given the amount of compiler warnings i don't think

it will work.
IPSEC (more specifically, algorithms that use AES) does not work due to
conflicts with FAST_IPSEC changes.
commit 3c8b5a1863d1ada3536b3603a255b698b1ba2928 1 parent 25f5aa6
itojun authored
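--- a/freebsd5/sys/conf/files
+++ b/freebsd5/sys/conf/files
@@ -1318,6 +1318,12 @@ netgraph/ng_split.c optional netgraph_split
 netgraph/ng_tee.c optional netgraph_tee
 netgraph/ng_tty.c optional netgraph_tty
 netgraph/ng_vjc.c optional netgraph_vjc
+net/if_pflog.c count pflog
+net/if_pfsync.c count pfsync
+net/pf.c count pf
+net/pf_ioctl.c optional pf
+net/pf_norm.c optional pf
+net/pf_table.c optional pf
 net/slcompress.c optional netgraph_vjc
 netinet/accf_data.c optional accept_filter_data
 netinet/accf_http.c optional accept_filter_http
@@ -1333,6 +1339,7 @@ netinet/ip_id.c optional inet
 netinet/in_pcb.c optional inet
 netinet/in_proto.c optional inet
 netinet/in_rmx.c optional inet
+netinet/in4_cksum.c optional inet
 netinet/ip_divert.c optional ipdivert
 netinet/ip_dummynet.c optional dummynet
 netinet/ip_ecn.c optional inet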
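--- a/freebsd5/sys/i386/conf/GENERIC.KAME
+++ b/freebsd5/sys/i386/conf/GENERIC.KAME
@@ -260,8 +260,9 @@ device kue # Kawasaki LSI USB ethernet
 # KAME extensions
 #
-options IPSEC #IP security
-options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
+# IPSEC does not work due to FAST_IPSEC changes
+#options IPSEC #IP security
+#options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
 #options IPSEC_DEBUG #debug for IP security
 #options NATM #native mode ATM
 #options ENABLE_DEFAULT_SCOPE
@@ -328,3 +329,7 @@ device stf 1
 #options MIP6_MOBILE_NODE
 #device hif 1
 #options MIP6_DEBUG
+
+device pf 1
+device pflog 1
+device pfsync 1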
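--- a/freebsd5/sys/net/bpf.h
+++ b/freebsd5/sys/net/bpf.h
@@ -169,6 +169,8 @@ struct bpf_hdr {
 #define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */
 #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */
+#define DLT_PFSYNC 18 /* Packet filter state syncing */
+
 #define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */
 /*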
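Review bot: `DLT_PFSYNC 18` is added without saying whose numbering it follows, while the neighbouring entries each name their origin (BSD/OS, Linux); pfsync captures taken with this value are only decodable by a libpcap/tcpdump built with the same assignment. Suggest `#define DLT_PFSYNC 18 /* Packet filter state syncing (OpenBSD-assigned value) */`. I believe 18 is the OpenBSD number and that other systems register a different DLT for pfsync, but that cannot be confirmed from the page, so verify against the libpcap DLT list before relying on the comment.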
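--- a/freebsd5/sys/net/if_types.h
+++ b/freebsd5/sys/net/if_types.h
@@ -249,6 +249,8 @@
 #define IFT_GIF 0xf0
 #define IFT_PVC 0xf1
 #define IFT_FAITH 0xf2
-#define IFT_DUMMY 0xf4
-#define IFT_HIF 0xf5
+#define IFT_DUMMY 0xf4
+#define IFT_HIF 0xf5
+#define IFT_PFLOG 0xf6
+#define IFT_PFSYNC 0xf7
 #endif /* !_NET_IF_TYPES_H_ */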
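--- a/freebsd5/sys/net/radix.c
+++ b/freebsd5/sys/net/radix.c
@@ -62,7 +62,6 @@
 static int rn_walktree_from(struct radix_node_head *h, void *a, void *m,
 walktree_f_t *f, void *w);
-static int rn_walktree(struct radix_node_head *, walktree_f_t *, void *);
 static struct radix_node
 *rn_insert(void *, struct radix_node_head *, int *,
 struct radix_node [2]),
@@ -995,7 +994,7 @@ rn_walktree_from(h, a, m, f, w)
 return 0;
 }
-static int
+int
 rn_walktree(h, f, w)
 struct radix_node_head *h;
 walktree_f_t *f;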
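--- a/freebsd5/sys/net/radix.h
+++ b/freebsd5/sys/net/radix.h
@@ -165,6 +165,6 @@ struct radix_node
 *rn_lookup (void *v_arg, void *m_arg,
 struct radix_node_head *head),
 *rn_match(void *, struct radix_node_head *);
-
+int rn_walktree(struct radix_node_head *, walktree_f_t *, void *);
 #endif /* _RADIX_H_ */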
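Review bot: The newly exported `int rn_walktree(struct radix_node_head *, walktree_f_t *, void *);` carries no statement of its contract, and callers outside radix.c (the pf table code, presumably) now depend on it. In the stock BSD implementation the walk fetches the next leaf before invoking the callback, so `f` may delete the node it is handed, and serialisation of the tree is left entirely to the caller; a comment above the prototype such as `/* Walk every leaf of the tree; f may delete the node it is given. Caller serializes access to the tree. */` would capture that. If this branch already protects radix heads with a lock, add that the caller must hold it — not verifiable from the page.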
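--- a/freebsd5/sys/netinet/ip_icmp.c
+++ b/freebsd5/sys/netinet/ip_icmp.c
@@ -78,7 +78,7 @@
 * host table maintenance routines.
 */
-static struct icmpstat icmpstat;
+struct icmpstat icmpstat;
 SYSCTL_STRUCT(_net_inet_icmp, ICMPCTL_STATS, stats, CTLFLAG_RW,
 &icmpstat, icmpstat, "");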
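--- a/freebsd5/sys/netinet/ip_icmp.h
+++ b/freebsd5/sys/netinet/ip_icmp.h
@@ -182,6 +182,8 @@ struct icmp {
 #ifdef _KERNEL
 void icmp_error(struct mbuf *, int, int, n_long, struct ifnet *);
 void icmp_input(struct mbuf *, int);
+
+extern struct icmpstat icmpstat;
 #endif
 #endif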
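Review bot: `extern struct icmpstat icmpstat;` is placed in ip_icmp.h, but nothing in the hunk shows `struct icmpstat` being defined in this header, so the declaration names an incomplete type and any file that actually touches the counters must also include the header that defines the struct; if that is netinet/icmp_var.h, the extern belongs there, beside the definition and its other consumers. A one-line comment naming the external writer would also help the next reader, e.g. `extern struct icmpstat icmpstat; /* counters also updated outside ip_icmp.c (pf) */` — confirm the consumer before adopting it.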
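--- a/freebsd5/sys/netinet/ip_input.c
+++ b/freebsd5/sys/netinet/ip_input.c
@@ -134,6 +134,11 @@
 #include <netipsec/key.h>
 #endif
+#include "pf.h"
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
 int rsvp_on = 0;
 int ipforwarding = 0;
@@ -519,8 +524,22 @@ ip_input(struct mbuf *m)
 if (m == NULL)
 return;
 ip = mtod(m, struct ip *);
+ hlen = ip->ip_hl << 2;
 }
 #endif /* PFIL_HOOKS */
+#if NPF > 0
+ /*
+ * Packet filter
+ * XXX pfrdr
+ */
+ if (pf_test(PF_IN, m->m_pkthdr.rcvif, &m) != PF_PASS)
+ goto bad;
+ if (m == NULL)
+ return;
+
+ ip = mtod(m, struct ip *);
+ hlen = ip->ip_hl << 2;
+#endif
 if (fw_enable && IPFW_LOADED) {
 /*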
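Review bot: The new `#if NPF > 0` block in ip_input depends on an mbuf ownership rule across `pf_test(PF_IN, m->m_pkthdr.rcvif, &m)` that is not stated anywhere: on a non-PF_PASS result `goto bad` frees `m`, so pf_test must leave the mbuf to the caller when it rejects the packet and must set `m` to NULL whenever it frees or keeps it itself (the `if (m == NULL) return;` case). A port of pf_test that frees on drop without clearing `*m` would double-free at `bad:`, so I would record the rule above the call, e.g. `/* pf_test owns m only when it sets m to NULL; on a drop we free it at bad: */`. The `XXX pfrdr` marker should say what is unfinished rather than stand as a bare tag — presumably the reverse translation for rdr rules on this path; confirm with the pf port. ip_input continues outside the hunk.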
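--- a/freebsd5/sys/netinet/ip_output.c
+++ b/freebsd5/sys/netinet/ip_output.c
@@ -109,6 +109,11 @@
 #include <machine/in_cksum.h>
+#include "pf.h"
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
 MALLOC_DEFINE(M_IPMOPTS, "ip_moptions", "internet multicast options");
 #ifdef IPSEC
@@ -180,7 +185,7 @@ ip_output(m0, opt, ro, flags, imo, inp)
 struct ip_moptions *imo;
 struct inpcb *inp;
 {
- struct ip *ip, *mhip;
+ struct ip *ip;
 struct ifnet *ifp = NULL; /* keep compiler happy */
 struct mbuf *m;
 int hlen = sizeof (struct ip);
@@ -803,8 +808,21 @@ ip_output(m0, opt, ro, flags, imo, inp)
 if (m == NULL)
 goto done;
 ip = mtod(m, struct ip *);
+ hlen = ip->ip_hl << 2;
 }
 #endif /* PFIL_HOOKS */
+#if NPF > 0
+ if (pf_test(PF_OUT, ifp, &m) != PF_PASS) {
+ error = EHOSTUNREACH;
+ m_freem(m);
+ goto done;
+ }
+ if (m == NULL)
+ goto done;
+
+ ip = mtod(m, struct ip *);
+ hlen = ip->ip_hl << 2;
+#endif
 /*
 * Check with the firewall...
@@ -1108,11 +1126,85 @@ ip_output(m0, opt, ro, flags, imo, inp)
 ipstat.ips_cantfrag++;
 goto bad;
 }
- len = (ifp->if_mtu - hlen) &~ 7;
- if (len < 8) {
- error = EMSGSIZE;
+
+ /*
+ * Recover all the flag bits in pkthdr.csum_flags for ip_fragment to
+ * calculate checksum correctly. pkthdr.csum will be fixed again
+ * in ip_fragment.
+ */
+ m->m_pkthdr.csum_flags |= sw_csum;
+ error = ip_fragment(m, ifp, ifp->if_mtu);
+ if (error == EMSGSIZE)
 goto bad;
+
+ for (m = m0; m; m = m0) {
+ m0 = m->m_nextpkt;
+ m->m_nextpkt = 0;
+#ifdef IPSEC
+ /* clean ipsec history once it goes out of the node */
+ ipsec_delaux(m);
+#endif
+ if (error == 0) {
+ /* Record statistics for this interface address. */
+ if (ia != NULL) {
+ ia->ia_ifa.if_opackets++;
+ ia->ia_ifa.if_obytes += m->m_pkthdr.len;
+ }
+
+ error = (*ifp->if_output)(ifp, m,
+ (struct sockaddr *)dst, ro->ro_rt);
+ } else
+ m_freem(m);
+ }
+
+ if (error == 0)
+ ipstat.ips_fragmented++;
+done:
+#ifdef IPSEC
+ if (ro == &iproute && ro->ro_rt) {
+ RTFREE(ro->ro_rt);
+ ro->ro_rt = NULL;
+ }
+ if (sp != NULL) {
+ KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
+ printf("DP ip_output call free SP:%p\n", sp));
+ key_freesp(sp);
+ }
+#endif /* IPSEC */
+#ifdef FAST_IPSEC
+ if (ro == &iproute && ro->ro_rt) {
+ RTFREE(ro->ro_rt);
+ ro->ro_rt = NULL;
 }
+ if (sp != NULL)
+ KEY_FREESP(&sp);
+#endif /* FAST_IPSEC */
+ return (error);
+bad:
+ m_freem(m);
+ goto done;
+}
+
+int
+ip_fragment(struct mbuf *m, struct ifnet *ifp, u_long mtu)
+{
+ struct ip *ip, *mhip;
+ struct mbuf *m0;
+ int len, hlen, off;
+ int mhlen, firstlen;
+ struct mbuf **mnext;
+ int error = 0;
+ int sw_csum;
+ int nfrags = 1;
+
+ ip = mtod(m, struct ip *);
+ hlen = ip->ip_hl << 2;
+ sw_csum = m->m_pkthdr.csum_flags & ~ifp->if_hwassist;
+ m->m_pkthdr.csum_flags &= ifp->if_hwassist;
+
+ len = (ifp->if_mtu - hlen) &~ 7;
+ if (len < 8)
+ return (EMSGSIZE);
 /*
 * if the interface will not calculate checksums on
@@ -1164,17 +1256,12 @@ ip_output(m0, opt, ro, flags, imo, inp)
 off = hlen + len;
 }
-
-
- {
- int mhlen, firstlen = off - hlen;
- struct mbuf **mnext = &m->m_nextpkt;
- int nfrags = 1;
-
 /*
 * Loop through length of segment after first fragment,
 * make new header and copy data of each part and link onto chain.
 */
+ firstlen = off - hlen;
+ mnext = &m->m_nextpkt;
 m0 = m;
 mhlen = sizeof (struct ip);
 for (; off < (u_short)ip->ip_len; off += len) {
@@ -1242,53 +1329,7 @@ ip_output(m0, opt, ro, flags, imo, inp)
 if (sw_csum & CSUM_DELAY_IP)
 ip->ip_sum = in_cksum(m, hlen);
 sendorfree:
- for (m = m0; m; m = m0) {
- m0 = m->m_nextpkt;
- m->m_nextpkt = 0;
-#ifdef IPSEC
- /* clean ipsec history once it goes out of the node */
- ipsec_delaux(m);
-#endif
- if (error == 0) {
- /* Record statistics for this interface address. */
- if (ia != NULL) {
- ia->ia_ifa.if_opackets++;
- ia->ia_ifa.if_obytes += m->m_pkthdr.len;
- }
-
- error = (*ifp->if_output)(ifp, m,
- (struct sockaddr *)dst, ro->ro_rt);
- } else
- m_freem(m);
- }
-
- if (error == 0)
- ipstat.ips_fragmented++;
- }
-done:
-#ifdef IPSEC
- if (ro == &iproute && ro->ro_rt) {
- RTFREE(ro->ro_rt);
- ro->ro_rt = NULL;
- }
- if (sp != NULL) {
- KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
- printf("DP ip_output call free SP:%p\n", sp));
- key_freesp(sp);
- }
-#endif /* IPSEC */
-#ifdef FAST_IPSEC
- if (ro == &iproute && ro->ro_rt) {
- RTFREE(ro->ro_rt);
- ro->ro_rt = NULL;
- }
- if (sp != NULL)
- KEY_FREESP(&sp);
-#endif /* FAST_IPSEC */
 return (error);
-bad:
- m_freem(m);
- goto done;
 }
 void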
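Review bot: The fragment send loop `for (m = m0; m; m = m0) {` that follows the new `ip_fragment()` call restarts from ip_output's original `m0` argument, but by this point `m` may no longer be that mbuf (ip_insertoptions, the pfil hooks, the new pf_test call and IPsec processing can each replace the chain head), and the `m0 = m;` that used to re-synchronise the two before this loop is now ip_fragment's own local; the loop can therefore hand a stale or already-freed chain to if_output. As far as the shown hunks indicate the first fragment stays in `m` itself (`m0 = m;` at the top of the fragment loop and the rest linked through `mnext = &m->m_nextpkt`), so `for (; m; m = m0) {` is the fix. Separately, `ip_fragment` never reads its `mtu` parameter — `len = (ifp->if_mtu - hlen) &~ 7;` consults the interface again — so it should be `len = (mtu - hlen) &~ 7;` for the prototype added to ip_var.h to mean what it says. The remainder of ip_fragment and of ip_output lies outside the hunks shown.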
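--- a/freebsd5/sys/netinet/ip_var.h
+++ b/freebsd5/sys/netinet/ip_var.h
@@ -230,6 +230,7 @@ extern int (*ip_mforward)(struct ip *, struct ifnet *, struct mbuf *,
 int ip_output(struct mbuf *,
 struct mbuf *, struct route *, int, struct ip_moptions *,
 struct inpcb *);
+int ip_fragment(struct mbuf *, struct ifnet *, u_long);
 struct in_ifaddr *
 ip_rtaddr(struct in_addr, struct route *);
 void ip_savecontrol(struct inpcb *, struct mbuf **, struct ip *,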
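--- a/freebsd5/sys/sys/mbuf.h
+++ b/freebsd5/sys/sys/mbuf.h
@@ -539,8 +539,13 @@ struct mbuf *m_split(struct mbuf *, int, int);
 #define PACKET_TAG_IPFORWARD 18 /* ipforward info */
 #define PACKET_TAG_INET6 19 /* IPv6 info */
 #define PACKET_TAG_ESP 20 /* ESP information */
+#define PACKET_TAG_PF_GENERATED 21 /* PF generated, pass always */
+#define PACKET_TAG_PF_ROUTED 22 /* PF routed, no route loops */
+#define PACKET_TAG_PF_FRAGCACHE 23 /* PF fragment cached */
+#define PACKET_TAG_PF_QID 24 /* PF queue id */
+#define PACKET_TAG_PF_TAG 25 /* PF tags */
-#define PACKET_TAG_MAX 22
+#define PACKET_TAG_MAX 26
 /* Packet tag routines */
 struct m_tag *m_tag_alloc(u_int32_t, int, int, int);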
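Review bot: The previous `PACKET_TAG_MAX 22` sat two above the highest tag visible here (`PACKET_TAG_ESP 20`), which — if MAX is "highest + 1" as the new `26` after `PACKET_TAG_PF_TAG 25` suggests — means a tag numbered 21 is already defined somewhere outside this hunk, and `PACKET_TAG_PF_GENERATED 21` would collide with it; tag ids are matched numerically by m_tag_find, so a collision silently hands one subsystem another's metadata. Please check the other headers in the tree for an existing 21 before taking these numbers, or start the PF block at the old MAX value. A comment stating the numbering rule next to the define, e.g. `#define PACKET_TAG_MAX 26 /* one past the highest tag id in use */`, would make the next allocation less error-prone.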
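--- a/kame/sys/net/if_pflog.c
+++ b/kame/sys/net/if_pflog.c
@@ -72,6 +72,10 @@
 #include <netinet/ip.h>
 #endif
+#ifdef __FreeBSD__
+#include <machine/in_cksum.h>
+#endif
+
 #ifdef INET6
 #ifndef INET
 #include <netinet/in.h>
@@ -170,8 +174,15 @@ pflogstart(struct ifnet *ifp)
 #else
 s = splnet();
 #endif
+#if (defined(__FreeBSD__) && __FreeBSD_version >= 500000)
+ IFQ_LOCK(&ifp->if_snd);
+#else
 IF_DROP(&ifp->if_snd);
+#endif
 IF_DEQUEUE(&ifp->if_snd, m);
+#if (defined(__FreeBSD__) && __FreeBSD_version >= 500000)
+ IFQ_UNLOCK(&ifp->if_snd);
+#endif
 splx(s);
 if (m == NULL)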
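Review bot: On the FreeBSD 5 branch pflogstart now brackets `IF_DEQUEUE(&ifp->if_snd, m)` with `IFQ_LOCK(&ifp->if_snd)` / `IFQ_UNLOCK(&ifp->if_snd)`, but on FreeBSD 5 `IF_DEQUEUE` is, to my knowledge, already the self-locking form (the `_IF_DEQUEUE` variant is the one meant for a caller holding the queue mutex), so this looks like a recursive acquisition of a non-recursive mutex — confirm against this branch's sys/net/if_var.h and switch to `_IF_DEQUEUE` inside the lock if so. The same branch also silently stops calling `IF_DROP`, so `ifq_drops` no longer counts the packets pflogstart discards; if that is intended it deserves a comment. The identical construct is in pfsyncstart in if_pfsync.c. The version tests are also inconsistent — `__FreeBSD_version >= 500000` here versus `__FreeBSD__ >= 5` in the pfsyncattach and pfattach hunks — and `__FreeBSD_version` evaluates to 0 in `#if` unless sys/param.h has been included first, so one form should be chosen file-wide.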
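--- a/kame/sys/net/if_pfsync.c
+++ b/kame/sys/net/if_pfsync.c
@@ -148,6 +148,8 @@ pfsyncattach(int npfsync)
 pfsync_setmtu(&pfsyncif, MCLBYTES);
 #ifdef __OpenBSD__
 timeout_set(&pfsyncif.sc_tmo, pfsync_timeout, &pfsyncif);
+#elif defined(__FreeBSD__) && __FreeBSD__ >= 5
+ callout_init(&pfsyncif.sc_tmo, 0);
 #else
 callout_init(&pfsyncif.sc_tmo);
 #endif
@@ -180,8 +182,15 @@ pfsyncstart(struct ifnet *ifp)
 #else
 s = splnet();
 #endif
+#if (defined(__FreeBSD__) && __FreeBSD_version >= 500000)
+ IFQ_LOCK(&ifp->if_snd);
+#else
 IF_DROP(&ifp->if_snd);
+#endif
 IF_DEQUEUE(&ifp->if_snd, m);
+#if (defined(__FreeBSD__) && __FreeBSD_version >= 500000)
+ IFQ_UNLOCK(&ifp->if_snd);
+#endif
 splx(s);
 if (m == NULL)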
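--- a/kame/sys/net/pf_ioctl.c
+++ b/kame/sys/net/pf_ioctl.c
@@ -195,6 +195,10 @@ pfattach(int num)
 #ifdef __OpenBSD__
 timeout_set(&pf_expire_to, pf_purge_timeout, &pf_expire_to);
 timeout_add(&pf_expire_to, timeout[PFTM_INTERVAL] * hz);
+#elif defined(__FreeBSD__) && __FreeBSD__ >= 5
+ callout_init(&pf_expire_to, 0);
+ callout_reset(&pf_expire_to, timeout[PFTM_INTERVAL] * hz,
+ pf_purge_timeout, &pf_expire_to);
 #else
 callout_init(&pf_expire_to);
 callout_reset(&pf_expire_to, timeout[PFTM_INTERVAL] * hz,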
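Review bot: The FreeBSD 5 branch passes a bare `0` to `callout_init(&pf_expire_to, 0)` (and likewise for `pfsyncif.sc_tmo` in pfsyncattach) without saying what the argument selects; if it is the MPSAFE flag, this deliberately runs pf_purge_timeout with Giant held, which is the kind of locking decision that should be recorded where it is made, e.g. `callout_init(&pf_expire_to, 0); /* not MPSAFE: the purge runs under Giant */`. Confirm the flag's meaning against this branch's callout(9) before adopting the wording. pfattach continues outside the hunk.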