Add hooks for an IP NAT module, much like the firewall stuff...
Move the sockopt definitions for the firewall code from ip_fw.h to in.h, where they belong.
This commit is contained in:
parent
1702c53ed2
commit
fed1c7e9e4
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=17758
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)in.h 8.3 (Berkeley) 1/3/94
|
||||
* $Id: in.h,v 1.18 1996/07/10 19:44:20 julian Exp $
|
||||
* $Id: in.h,v 1.19 1996/08/12 14:05:53 peter Exp $
|
||||
*/
|
||||
|
||||
#ifndef _NETINET_IN_H_
|
||||
@ -220,6 +220,13 @@ struct ip_opts {
|
||||
#define IP_RSVP_VIF_OFF 18 /* unset RSVP per-vif socket */
|
||||
#define IP_PORTRANGE 19 /* int; range to choose for unspec port */
|
||||
|
||||
#define IP_FW_ADD 50 /* add a firewall rule to chain */
|
||||
#define IP_FW_DEL 51 /* delete a firewall rule from chain */
|
||||
#define IP_FW_FLUSH 52 /* flush firewall rule chain */
|
||||
#define IP_FW_ZERO 53 /* clear all firewall counters */
|
||||
#define IP_FW_GET 54 /* get entire firewall rule chain */
|
||||
#define IP_NAT 55 /* set/get NAT opts */
|
||||
|
||||
/*
|
||||
* Defaults and limits for options
|
||||
*/
|
||||
@ -322,10 +329,19 @@ char *inet_ntoa __P((struct in_addr)); /* in libkern */
|
||||
|
||||
/* Firewall hooks */
|
||||
struct ip;
|
||||
typedef int ip_fw_chk_t __P((struct ip**, int, struct ifnet*, int, struct mbuf**));
|
||||
typedef int ip_fw_ctl_t __P((int, struct mbuf**));
|
||||
extern ip_fw_chk_t *ip_fw_chk_ptr;
|
||||
extern ip_fw_ctl_t *ip_fw_ctl_ptr;
|
||||
typedef int ip_fw_chk_t __P((struct ip**, int, struct ifnet*, int, struct mbuf**));
|
||||
typedef int ip_fw_ctl_t __P((int, struct mbuf**));
|
||||
extern ip_fw_chk_t *ip_fw_chk_ptr;
|
||||
extern ip_fw_ctl_t *ip_fw_ctl_ptr;
|
||||
|
||||
/* ip NAT hooks */
|
||||
typedef int ip_nat_t __P((struct ip**, struct mbuf**, int));
|
||||
typedef int ip_nat_ctl_t __P((int, struct mbuf**));
|
||||
extern ip_nat_t *ip_nat_ptr;
|
||||
extern ip_nat_ctl_t *ip_nat_ctl_ptr;
|
||||
#define IP_NAT_IN 0x00000001
|
||||
#define IP_NAT_OUT 0x00000002
|
||||
|
||||
#endif /* KERNEL */
|
||||
|
||||
#endif
|
||||
|
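Review bot: The new ip_nat_t and ip_nat_ctl_t typedefs in the third in.h hunk document nothing about the contract a NAT module must honour, yet both callers in this commit depend on one: ip_input.c returns without m_freem() and ip_output.c jumps to done without freeing when the hook returns 0, which is only correct if the hook has already consumed the mbuf. I would state that next to the typedef: `/* ip_nat_t: return nonzero to continue processing (*ip and *m may have been replaced); return 0 if the packet was consumed — the caller must not touch *m afterwards. */`. IP_NAT_IN and IP_NAT_OUT would each benefit from a one-line comment naming the direction the caller is in (ip_input vs. ip_output). The two typedef/extern stretches for the firewall hooks appear twice in the rendered view, which I read as a whitespace-only change; if more than whitespace differs there, it is not recoverable from this page.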
@ -11,7 +11,7 @@
|
||||
*
|
||||
* This software is provided ``AS IS'' without any warranties of any kind.
|
||||
*
|
||||
* $Id: ip_fw.h,v 1.21 1996/07/10 19:44:24 julian Exp $
|
||||
* $Id: ip_fw.h,v 1.22 1996/08/13 19:43:41 pst Exp $
|
||||
*/
|
||||
|
||||
/*
|
||||
@ -113,17 +113,6 @@ struct ip_fw_chain {
|
||||
#define IP_FW_TCPF_URG TH_URG
|
||||
#define IP_FW_TCPF_ESTAB 0x40
|
||||
|
||||
/*
|
||||
* New IP firewall options for [gs]etsockopt at the RAW IP level.
|
||||
*/
|
||||
#define IP_FW_BASE_CTL 50
|
||||
|
||||
#define IP_FW_ADD (IP_FW_BASE_CTL+0)
|
||||
#define IP_FW_DEL (IP_FW_BASE_CTL+1)
|
||||
#define IP_FW_FLUSH (IP_FW_BASE_CTL+2)
|
||||
#define IP_FW_ZERO (IP_FW_BASE_CTL+3)
|
||||
#define IP_FW_GET (IP_FW_BASE_CTL+4)
|
||||
|
||||
/*
|
||||
* Main firewall chains definitions and global var's definitions.
|
||||
*/
|
||||
|
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)ip_input.c 8.2 (Berkeley) 1/4/94
|
||||
* $Id: ip_input.c,v 1.44 1996/06/12 19:34:33 gpalmer Exp $
|
||||
* $Id: ip_input.c,v 1.45 1996/07/10 19:44:25 julian Exp $
|
||||
*/
|
||||
|
||||
#include "opt_ipfw.h"
|
||||
@ -114,6 +114,10 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
|
||||
ip_fw_chk_t *ip_fw_chk_ptr;
|
||||
ip_fw_ctl_t *ip_fw_ctl_ptr;
|
||||
|
||||
/* IP Network Address Translation (NAT) hooks */
|
||||
ip_nat_t *ip_nat_ptr;
|
||||
ip_nat_ctl_t *ip_nat_ctl_ptr;
|
||||
|
||||
/*
|
||||
* We need to save the IP options in case a protocol wants to respond
|
||||
* to an incoming packet over the same route if the packet got here
|
||||
@ -175,6 +179,10 @@ ip_init()
|
||||
#ifdef IPFIREWALL
|
||||
ip_fw_init();
|
||||
#endif
|
||||
#ifdef IPNAT
|
||||
ip_nat_init();
|
||||
#endif
|
||||
|
||||
}
|
||||
|
||||
static struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
|
||||
@ -265,6 +273,7 @@ ip_input(struct mbuf *m)
|
||||
* and it is still fresh out of network we do our black
|
||||
* deals with it.
|
||||
* - Firewall: deny/allow/divert
|
||||
* - Xlate: translate packet's addr/port (NAT).
|
||||
* - Wrap: fake packet's addr/port <unimpl.>
|
||||
* - Encapsulate: put it in another IP and send out. <unimp.>
|
||||
*/
|
||||
@ -290,6 +299,9 @@ ip_input(struct mbuf *m)
|
||||
}
|
||||
}
|
||||
|
||||
if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, IP_NAT_IN))
|
||||
return;
|
||||
|
||||
/*
|
||||
* Process options and, if not destined for us,
|
||||
* ship it on. ip_dooptions returns 1 when an
|
||||
|
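Review bot: The added `if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, IP_NAT_IN)) return;` in ip_input drops the packet without freeing m, so correctness rests on the hook having consumed the mbuf on a 0 return; a comment on the return, `/* hook consumed the mbuf */`, would keep the next reader from adding an m_freem() and creating a double free. The hook also receives &ip and &m and may replace them; any header-derived values computed earlier in ip_input (outside this hunk, e.g. the header length) would presumably be stale if the hook substitutes a new header, so it is worth confirming whether the NAT module is allowed to do that or only to rewrite fields in place. Note that the call sits after the firewall block, so inbound rules match on the pre-translation (external) addresses; that ordering is deliberate per the updated comment but deserves a sentence there.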
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)ip_output.c 8.3 (Berkeley) 1/21/94
|
||||
* $Id: ip_output.c,v 1.40 1996/06/08 08:18:59 bde Exp $
|
||||
* $Id: ip_output.c,v 1.41 1996/07/10 19:44:26 julian Exp $
|
||||
*/
|
||||
|
||||
#define _IP_VHL
|
||||
@ -331,6 +331,19 @@ ip_output(m0, opt, ro, flags, imo)
|
||||
}
|
||||
|
||||
sendit:
|
||||
/*
|
||||
* IpHack's section.
|
||||
* - Xlate: translate packet's addr/port (NAT).
|
||||
* - Firewall: deny/allow
|
||||
* - Wrap: fake packet's addr/port <unimpl.>
|
||||
* - Encapsulate: put it in another IP and send out. <unimp.>
|
||||
*/
|
||||
|
||||
if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, IP_NAT_OUT)) {
|
||||
error = EACCES;
|
||||
goto done;
|
||||
}
|
||||
|
||||
#ifdef COMPAT_IPFW
|
||||
/*
|
||||
* Check with the firewall...
|
||||
|
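Review bot: In the ip_output hunk the new NAT check does `error = EACCES; goto done;` rather than going through the path that frees m, so, as in ip_input, it assumes the hook has consumed the mbuf when it returns 0; a comment such as `/* packet consumed by the NAT hook; nothing to free */` on the goto would make that explicit, and the same assumption should be checked against whatever done: does in the rest of ip_output, which is outside the hunk. Placing the translation before the COMPAT_IPFW check means outbound firewall rules see the translated (external) addresses while inbound rules in ip_input.c see the untranslated ones; that is consistent from the firewall's point of view but is non-obvious and belongs in the "IpHack's section" comment. The hook's `ip` argument is passed by address, so if the module replaces the header the `hlen`-style locals earlier in ip_output would need refreshing; hedged, since those lines are not in view.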
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)raw_ip.c 8.7 (Berkeley) 5/15/95
|
||||
* $Id: raw_ip.c,v 1.32 1996/07/20 00:16:20 alex Exp $
|
||||
* $Id: raw_ip.c,v 1.33 1996/07/24 18:46:18 wollman Exp $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -235,23 +235,30 @@ rip_ctloutput(op, so, level, optname, m)
|
||||
|
||||
#ifdef COMPAT_IPFW
|
||||
case IP_FW_GET:
|
||||
if (ip_fw_ctl_ptr==NULL || op == PRCO_SETOPT) {
|
||||
if (ip_fw_ctl_ptr == NULL || op == PRCO_SETOPT) {
|
||||
if (*m) (void)m_free(*m);
|
||||
return(EINVAL);
|
||||
}
|
||||
return (*ip_fw_ctl_ptr)(optname, m);
|
||||
|
||||
case IP_FW_ADD:
|
||||
case IP_FW_DEL:
|
||||
case IP_FW_FLUSH:
|
||||
case IP_FW_ZERO:
|
||||
if (ip_fw_ctl_ptr==NULL || op != PRCO_SETOPT) {
|
||||
if (ip_fw_ctl_ptr == NULL || op != PRCO_SETOPT) {
|
||||
if (*m) (void)m_free(*m);
|
||||
return(EINVAL);
|
||||
}
|
||||
|
||||
return (*ip_fw_ctl_ptr)(optname, m);
|
||||
#endif
|
||||
|
||||
case IP_NAT:
|
||||
if (ip_nat_ctl_ptr == NULL) {
|
||||
if (*m) (void)m_free(*m);
|
||||
return(EINVAL);
|
||||
}
|
||||
return (*ip_nat_ctl_ptr)(optname, m);
|
||||
|
||||
case IP_RSVP_ON:
|
||||
return ip_rsvp_init(so);
|
||||
break;
|
||||
|
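Review bot: The new `case IP_NAT:` in rip_ctloutput forwards only optname and the mbuf to the ctl hook and, unlike the IP_FW_* cases directly above it, does not gate on op, so a PRCO_SETOPT and a PRCO_GETOPT both arrive at the module as optname == IP_NAT and cannot be told apart; with the ip_nat_ctl_t signature declared in in.h there is no way for the module to learn the direction, and on a get it must allocate *m itself. If the intent really is "set/get NAT opts" as in.h's comment says, the ctl hook needs the op (extending `ip_nat_ctl_t` to take it and passing `op` here), otherwise restrict this case the way the firewall cases do. The existing `if (*m) (void)m_free(*m);` on the error path is kept consistent with the cases above, which is good. rip_ctloutput begins before this hunk.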