* chains, new "insert" and "append"
* commands to replace "add" commands,
* add ICMP header to struct ip_fwpkt.
+ * Jos Vos : Add support for matching device names.
*
* All the real work was done by .....
*/
struct in_addr fw_src, fw_dst; /* Source and destination IP addr */
struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */
struct in_addr fw_via; /* IP address of interface "via" */
+ struct device *fw_viadev; /* device of interface "via" */
unsigned short fw_flg; /* Flags word */
unsigned short fw_nsp, fw_ndp; /* N'of src ports and # of dst ports */
/* in ports array (dst ports follow */
#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
unsigned short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */
unsigned long fw_pcnt,fw_bcnt; /* Packet and byte counters */
- unsigned char fw_tosand, fw_tosxor; /* Revised packet priority */
+ unsigned char fw_tosand, fw_tosxor; /* Revised packet priority */
+ char fw_vianame[IFNAMSIZ]; /* name of interface "via" */
};
/*
#define IP_FW_IN 1
#define IP_FW_OUT 2
#define IP_FW_ACCT 3
+#define IP_FW_CHAINS 4 /* total number of ip_fw chains */
#define IP_FW_INSERT (IP_FW_BASE_CTL)
#define IP_FW_APPEND (IP_FW_BASE_CTL+1)
struct icmphdr fwp_icmph; /* ICMP header */
} fwp_protoh;
struct in_addr fwp_via; /* interface address */
+ char fwp_vianame[IFNAMSIZ]; /* interface name */
};
/*
static __inline__ void tcp_set_state(struct sock *sk, int state)
{
- if(sk->state==TCP_ESTABLISHED)
- tcp_statistics.TcpCurrEstab--;
+ int oldstate = sk->state;
+
+ sk->state = state;
+
#ifdef STATE_TRACE
if(sk->debug)
- printk("TCP sk=%p, State %s -> %s\n",sk, statename[sk->state],statename[state]);
+ printk("TCP sk=%p, State %s -> %s\n",sk, statename[oldstate],statename[state]);
#endif
- /* This is a hack but it doesn't occur often and it's going to
- be a real to fix nicely */
-
- if(state==TCP_ESTABLISHED && sk->state==TCP_SYN_RECV)
- {
- wake_up_interruptible(&master_select_wakeup);
- }
- sk->state=state;
- if(state==TCP_ESTABLISHED)
- tcp_statistics.TcpCurrEstab++;
- if(sk->state==TCP_CLOSE)
+
+ switch (state) {
+ case TCP_ESTABLISHED:
+ if (oldstate != TCP_ESTABLISHED) {
+ tcp_statistics.TcpCurrEstab++;
+ /* This is a hack but it doesn't occur often and it's going to
+ be a real to fix nicely */
+ if (oldstate == TCP_SYN_RECV)
+ wake_up_interruptible(&master_select_wakeup);
+ }
+ break;
+
+ case TCP_CLOSE:
tcp_cache_zap();
+ /* fall through */
+ default:
+ if (oldstate==TCP_ESTABLISHED)
+ tcp_statistics.TcpCurrEstab--;
+ }
}
#endif /* _TCP_H */
* only delete the first matching entry, use 0xFFFF (0xFF) as ports (ICMP
* types) when counting packets being 2nd and further fragments.
* Jos Vos <jos@xos.nl> 8/2/1996.
+ * Add support for matching on device names.
+ * Jos Vos <jos@xos.nl> 15/2/1996.
*
* Masquerading functionality
*
if (match)
{
/*
- * Look for a VIA match
+ * Look for a VIA address match
*/
if(f->fw_via.s_addr && rif)
{
if(rif->pa_addr!=f->fw_via.s_addr)
continue; /* Mismatch */
}
+
+ /*
+ * Look for a VIA device match
+ */
+ if(f->fw_viadev)
+ {
+ if(rif!=f->fw_viadev)
+ continue; /* Mismatch */
+ }
+
/*
* Drop through - this is a match
*/
break;
} /* Loop */
- answer = FW_BLOCK;
-
- /*
- * We rely on policy defined in the rejecting entry or, if no match
- * was found, we rely on the general policy variable for this type
- * of firewall.
- */
+ if (opt != 1) {
- if(f!=NULL)
- {
- policy=f->fw_flg;
- tosand=f->fw_tosand;
- tosxor=f->fw_tosxor;
- }
- else
- {
- tosand=0xFF;
- tosxor=0x00;
- }
-
- if(opt != 1)
- {
- if(policy&IP_FW_F_ACCEPT)
+ /*
+ * We rely on policy defined in the rejecting entry or, if no match
+ * was found, we rely on the general policy variable for this type
+ * of firewall.
+ */
+
+ if (f!=NULL) {
+ policy=f->fw_flg;
+ tosand=f->fw_tosand;
+ tosxor=f->fw_tosxor;
+ } else {
+ tosand=0xFF;
+ tosxor=0x00;
+ }
+
+ if (policy&IP_FW_F_ACCEPT) {
+ /* Adjust priority and recompute checksum */
+ __u8 old_tos = ip->tos;
+ ip->tos = (old_tos & tosand) ^ tosxor;
+ if (ip->tos != old_tos)
+ ip_send_check(ip);
answer=(policy&IP_FW_F_MASQ)?FW_MASQUERADE:FW_ACCEPT;
+ } else if(policy&IP_FW_F_ICMPRPL)
+ answer = FW_REJECT;
else
- if(policy&IP_FW_F_ICMPRPL)
- answer = FW_REJECT;
- }
-
- if (policy&IP_FW_F_ACCEPT) { /* Adjust priority and recompute checksum */
- __u8 old_tos = ip->tos;
- ip->tos = (old_tos & tosand) ^ tosxor;
- if (ip->tos != old_tos)
- ip_send_check(ip);
- }
+ answer = FW_BLOCK;
- return answer;
+ return answer;
+ } else
+ /* we're doing accounting, always ok */
+ return 0;
}
#ifdef CONFIG_IP_MASQUERADE
}
else ms->timer.expires = jiffies+MASQUERADE_EXPIRE_TCP;
+ skb->csum = csum_partial(th + 1, size - sizeof(*th), 0);
tcp_send_check(th,iph->saddr,iph->daddr,size,skb);
}
add_timer(&ms->timer);
#endif
}
}
+ skb->csum = csum_partial(portptr + sizeof(struct tcphdr),
+ size - sizeof(struct tcphdr), 0);
tcp_send_check((struct tcphdr *)portptr,iph->saddr,iph->daddr,size,skb);
}
ip_send_check(iph);
cli();
+ if ((ftmp->fw_vianame)[0]) {
+ if (!(ftmp->fw_viadev = dev_get(ftmp->fw_vianame)))
+ ftmp->fw_viadev = (struct device *) -1;
+ } else
+ ftmp->fw_viadev = NULL;
+
ftmp->fw_next = *chainptr;
*chainptr=ftmp;
restore_flags(flags);
cli();
+ if ((ftmp->fw_vianame)[0]) {
+ if (!(ftmp->fw_viadev = dev_get(ftmp->fw_vianame)))
+ ftmp->fw_viadev = (struct device *) -1;
+ } else
+ ftmp->fw_viadev = NULL;
+
chtmp_prev=NULL;
for (chtmp=*chainptr;chtmp!=NULL;chtmp=chtmp->fw_next)
chtmp_prev=chtmp;
while( !was_found && ftmp != NULL )
{
matches=1;
- if (ftmp->fw_src.s_addr!=frwl->fw_src.s_addr
+ if (ftmp->fw_src.s_addr!=frwl->fw_src.s_addr
|| ftmp->fw_dst.s_addr!=frwl->fw_dst.s_addr
|| ftmp->fw_smsk.s_addr!=frwl->fw_smsk.s_addr
|| ftmp->fw_dmsk.s_addr!=frwl->fw_dmsk.s_addr
if (ftmp->fw_pts[tmpnum]!=frwl->fw_pts[tmpnum])
matches=0;
}
+ if (strncmp(ftmp->fw_vianame, frwl->fw_vianame, IFNAMSIZ))
+ matches=0;
if(matches)
{
was_found=1;
if ( cmd == IP_FW_CHECK )
{
- struct device viadev;
+ struct device *viadev;
struct ip_fwpkt *ipfwp;
struct iphdr *ip;
- if ( len < sizeof(struct ip_fwpkt) )
+ if ( len != sizeof(struct ip_fwpkt) )
{
#ifdef DEBUG_CONFIG_IP_FIREWALL
printk("ip_fw_ctl: length=%d, expected %d\n",
ipfwp = (struct ip_fwpkt *)m;
ip = &(ipfwp->fwp_iph);
- if ( ip->ihl != sizeof(struct iphdr) / sizeof(int))
- {
+ if ( !(viadev = dev_get(ipfwp->fwp_vianame)) ) {
+#ifdef DEBUG_CONFIG_IP_FIREWALL
+ printk("ip_fw_ctl: invalid device \"%s\"\n", ipfwp->fwp_vianame);
+#endif
+ return(EINVAL);
+ } else if ( viadev->pa_addr != ipfwp->fwp_via.s_addr ) {
+#ifdef DEBUG_CONFIG_IP_FIREWALL
+ printk("ip_fw_ctl: device \"%s\" has another IP address\n",
+ ipfwp->fwp_vianame);
+#endif
+ return(EINVAL);
+ } else if ( ip->ihl != sizeof(struct iphdr) / sizeof(int)) {
#ifdef DEBUG_CONFIG_IP_FIREWALL
printk("ip_fw_ctl: ip->ihl=%d, want %d\n",ip->ihl,
sizeof(struct iphdr)/sizeof(int));
return(EINVAL);
}
- viadev.pa_addr = ipfwp->fwp_via.s_addr;
-
- if ((ret = ip_fw_chk(ip, &viadev, *chains[fwtype],
+ if ((ret = ip_fw_chk(ip, viadev, *chains[fwtype],
*policies[fwtype], 2)) == FW_ACCEPT)
return(0);
else if (ret == FW_MASQUERADE)
while(i!=NULL)
{
- len+=sprintf(buffer+len,"%08lX/%08lX->%08lX/%08lX %08lX %X ",
+ len+=sprintf(buffer+len,"%08lX/%08lX->%08lX/%08lX %.16s %08lX %X ",
ntohl(i->fw_src.s_addr),ntohl(i->fw_smsk.s_addr),
ntohl(i->fw_dst.s_addr),ntohl(i->fw_dmsk.s_addr),
+ (i->fw_vianame)[0] ? i->fw_vianame : "-",
ntohl(i->fw_via.s_addr),i->fw_flg);
len+=sprintf(buffer+len,"%u %u %-9lu %-9lu",
i->fw_nsp,i->fw_ndp, i->fw_pcnt,i->fw_bcnt);
#endif
+#if defined(CONFIG_IP_ACCT) || defined(CONFIG_IP_FIREWALL)
+
+int ipfw_device_event(struct notifier_block *this, unsigned long event, void *ptr)
+{
+ struct device *dev=ptr;
+ char *devname = dev->name;
+ unsigned long flags;
+ struct ip_fw *fw;
+ int chn;
+
+ save_flags(flags);
+ cli();
+
+ if (event == NETDEV_UP) {
+ for (chn = 0; chn < IP_FW_CHAINS; chn++)
+ for (fw = *chains[chn]; fw; fw = fw->fw_next)
+ if ((fw->fw_vianame)[0] && !strncmp(devname,
+ fw->fw_vianame, IFNAMSIZ))
+ fw->fw_viadev = dev;
+ } else if (event == NETDEV_DOWN) {
+ for (chn = 0; chn < IP_FW_CHAINS; chn++)
+ for (fw = *chains[chn]; fw; fw = fw->fw_next)
+ /* we could compare just the pointers ... */
+ if ((fw->fw_vianame)[0] && !strncmp(devname,
+ fw->fw_vianame, IFNAMSIZ))
+ fw->fw_viadev = (struct device *) -1;
+ }
+
+ restore_flags(flags);
+ return NOTIFY_DONE;
+}
+
+static struct notifier_block ipfw_dev_notifier={
+ ipfw_device_event,
+ NULL,
+ 0
+};
+
+#endif
+
void ip_fw_init(void)
{
#ifdef CONFIG_IP_ACCT
ip_msqhst_procinfo
});
#endif
+#if defined(CONFIG_IP_ACCT) || defined(CONFIG_IP_FIREWALL)
+ /* Register for device up/down reports */
+ register_netdevice_notifier(&ipfw_dev_notifier);
+#endif
}
projects / history.git / commitdiff