1 /*
2 * Copyright (C) 1993-2003 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
7 *
8 * Copyright (c) 2014, Joyent, Inc. All rights reserved.
9 */
10
11 #if defined(KERNEL) || defined(_KERNEL)
12 # undef KERNEL
13 # undef _KERNEL
14 # define KERNEL 1
15 # define _KERNEL 1
16 #endif
17 #include <sys/errno.h>
18 #include <sys/types.h>
19 #include <sys/param.h>
20 #include <sys/time.h>
21 #if defined(__NetBSD__)
22 # if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
23 # include "opt_ipfilter_log.h"
24 # endif
25 #endif
26 #if defined(_KERNEL) && defined(__FreeBSD_version) && \
27 (__FreeBSD_version >= 220000)
28 # if (__FreeBSD_version >= 400000)
2571 break;
2572 }
2573
2574 if ((ifs->ifs_fr_update_ipid != 0) && (v == 4)) {
2575 if (fr_updateipid(fin) == -1) {
2576 IPF_BUMP(ifs->ifs_frstats[1].fr_ipud);
2577 pass &= ~FR_CMDMASK;
2578 pass |= FR_BLOCK;
2579 } else {
2580 IPF_BUMP(ifs->ifs_frstats[0].fr_ipud);
2581 }
2582 }
2583 }
2584
2585 #ifdef IPFILTER_LOG
2586 if ((ifs->ifs_fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
2587 (void) fr_dolog(fin, &pass);
2588 }
2589 #endif
2590
2591 /*
2592 * The FI_STATE flag is cleared here so that calling fr_checkstate
2593 * will work when called from inside of fr_fastroute. Although
2594 * there is a similar flag, FI_NATED, for NAT, it does have the same
2595 * impact on code execution.
2596 */
2597 fin->fin_flx &= ~FI_STATE;
2598
2599 /*
2600 * Only allow FR_DUP to work if a rule matched - it makes no sense to
2601 * set FR_DUP as a "default" as there are no instructions about where
2602 * to send the packet. Use fin_m here because it may have changed
2603 * (without an update of 'm') in prior processing.
2604 */
2605 if ((fr != NULL) && (pass & FR_DUP)) {
2606 mc = M_DUPLICATE(fin->fin_m);
2607 #ifdef _KERNEL
2608 mc->b_rptr += fin->fin_ipoff;
2609 #endif
2610 }
|
1 /*
2 * Copyright (C) 1993-2003 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
7 *
8 * Copyright 2019 Joyent, Inc.
9 */
10
11 #if defined(KERNEL) || defined(_KERNEL)
12 # undef KERNEL
13 # undef _KERNEL
14 # define KERNEL 1
15 # define _KERNEL 1
16 #endif
17 #include <sys/errno.h>
18 #include <sys/types.h>
19 #include <sys/param.h>
20 #include <sys/time.h>
21 #if defined(__NetBSD__)
22 # if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
23 # include "opt_ipfilter_log.h"
24 # endif
25 #endif
26 #if defined(_KERNEL) && defined(__FreeBSD_version) && \
27 (__FreeBSD_version >= 220000)
28 # if (__FreeBSD_version >= 400000)
2571 break;
2572 }
2573
2574 if ((ifs->ifs_fr_update_ipid != 0) && (v == 4)) {
2575 if (fr_updateipid(fin) == -1) {
2576 IPF_BUMP(ifs->ifs_frstats[1].fr_ipud);
2577 pass &= ~FR_CMDMASK;
2578 pass |= FR_BLOCK;
2579 } else {
2580 IPF_BUMP(ifs->ifs_frstats[0].fr_ipud);
2581 }
2582 }
2583 }
2584
2585 #ifdef IPFILTER_LOG
2586 if ((ifs->ifs_fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
2587 (void) fr_dolog(fin, &pass);
2588 }
2589 #endif
2590
2591 if (IFS_CFWLOG(ifs, fr) && FR_ISBLOCK(pass))
2592 ipf_block_cfwlog(fr, fin, ifs);
2593
2594 /*
2595 * The FI_STATE flag is cleared here so that calling fr_checkstate
2596 * will work when called from inside of fr_fastroute. Although
2597 * there is a similar flag, FI_NATED, for NAT, it does have the same
2598 * impact on code execution.
2599 */
2600 fin->fin_flx &= ~FI_STATE;
2601
2602 /*
2603 * Only allow FR_DUP to work if a rule matched - it makes no sense to
2604 * set FR_DUP as a "default" as there are no instructions about where
2605 * to send the packet. Use fin_m here because it may have changed
2606 * (without an update of 'm') in prior processing.
2607 */
2608 if ((fr != NULL) && (pass & FR_DUP)) {
2609 mc = M_DUPLICATE(fin->fin_m);
2610 #ifdef _KERNEL
2611 mc->b_rptr += fin->fin_ipoff;
2612 #endif
2613 }
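Review bot: The added check at new-side lines 2591-2592 hands `fr` to `IFS_CFWLOG()` and `ipf_block_cfwlog()` without a NULL test, while the FR_DUP code just below still guards with `fr != NULL`, so a packet blocked without any matching rule may reach the new call with a NULL rule pointer. Neither the macro nor the function is visible here; unless one of them already rejects NULL, the condition should read `if (fr != NULL && IFS_CFWLOG(ifs, fr) && FR_ISBLOCK(pass))`. Separately, `pass` can be forced to FR_BLOCK by the `fr_updateipid()` failure path above, and `fr_dolog()` receives `&pass` and so may also alter it, in which case the logged block is attributed to a rule that did not itself block. A comment such as `/* pass may have become FR_BLOCK after rule match (ipid update failure, fr_dolog); fr is the last matched rule, not necessarily a block rule */` would keep anyone reading these logs during an investigation from misattributing the drop. The enclosing function starts and ends outside the visible lines.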
|