📄 ipfwadm_core.c
* for a match for the TCP/UDP ports. Both directions * might match (e.g., when both addresses are on the * same network for which an address/mask is given), but * the ports might only match in one direction. * This was obviously wrong in the original BSD code. */ match = 0x00; if ((src&f->fw_smsk.s_addr)==f->fw_src.s_addr && (dst&f->fw_dmsk.s_addr)==f->fw_dst.s_addr) /* normal direction */ match |= 0x01; if ((f->fw_flg & IP_FW_F_BIDIR) && (dst&f->fw_smsk.s_addr)==f->fw_src.s_addr && (src&f->fw_dmsk.s_addr)==f->fw_dst.s_addr) /* reverse direction */ match |= 0x02; if (!match) continue; /* * Look for a VIA device match */ if(f->fw_viadev) { if(rif!=f->fw_viadev) continue; /* Mismatch */ } /* This looks stupid, because we scan almost static list, searching for static key. However, this way seems to be only reasonable way of handling fw_via rules (btw bsd makes the same thing). It will not affect performance if you will follow the following simple rules: - if inteface is aliased, ALWAYS specify fw_viadev, so that previous check will guarantee, that we will not waste time when packet arrive on another interface. - avoid using fw_via.s_addr if fw_via.s_addr is owned by an aliased interface. --ANK */ if (f->fw_via.s_addr && rif) { struct in_ifaddr *ifa; if (rif->ip_ptr == NULL) continue; /* Mismatch */ for (ifa = ((struct in_device*)(rif->ip_ptr))->ifa_list; ifa; ifa = ifa->ifa_next) { if (ifa->ifa_local == f->fw_via.s_addr) goto ifa_ok; } continue; /* Mismatch */ ifa_ok:; } /* * Ok the chain addresses match. */#ifdef CONFIG_IP_ACCT /* * See if we're in accounting mode and only want to * count incoming or outgoing packets. 
*/ if (mode & (IP_FW_MODE_ACCT_IN|IP_FW_MODE_ACCT_OUT) && ((mode == IP_FW_MODE_ACCT_IN && f->fw_flg&IP_FW_F_ACCTOUT) || (mode == IP_FW_MODE_ACCT_OUT && f->fw_flg&IP_FW_F_ACCTIN))) continue;#endif /* * For all non-TCP packets and/or non-first fragments, * notcpsyn and notcpack will always be FALSE, * so the IP_FW_F_TCPSYN and IP_FW_F_TCPACK flags * are actually ignored for these packets. */ if((f->fw_flg&IP_FW_F_TCPSYN) && notcpsyn) continue; if((f->fw_flg&IP_FW_F_TCPACK) && notcpack) continue; f_prt=f->fw_flg&IP_FW_F_KIND; if (f_prt!=IP_FW_F_ALL) { /* * Specific firewall - packet's protocol * must match firewall's. */ if(prt!=f_prt) continue; if((prt==IP_FW_F_ICMP && ! port_match(&f->fw_pts[0], f->fw_nsp, icmp_type,f->fw_flg&IP_FW_F_SRNG)) || !(prt==IP_FW_F_ICMP || ((match & 0x01) && port_match(&f->fw_pts[0], f->fw_nsp, src_port, f->fw_flg&IP_FW_F_SRNG) && port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp, dst_port, f->fw_flg&IP_FW_F_DRNG)) || ((match & 0x02) && port_match(&f->fw_pts[0], f->fw_nsp, dst_port, f->fw_flg&IP_FW_F_SRNG) && port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp, src_port, f->fw_flg&IP_FW_F_DRNG)))) { continue; } }#ifdef CONFIG_IP_FIREWALL_VERBOSE if (f->fw_flg & IP_FW_F_PRN) { char buf[16]; print_packet(ip, src_port, dst_port, icmp_type, chain_name(chain, mode), rule_name(f, mode, buf), rif ? rif->name : "-"); }#endif if (mode != IP_FW_MODE_CHK) { f->fw_bcnt+=ntohs(ip->tot_len); f->fw_pcnt++; } if (!(mode & (IP_FW_MODE_ACCT_IN|IP_FW_MODE_ACCT_OUT))) break; } /* Loop */ if (!(mode & (IP_FW_MODE_ACCT_IN|IP_FW_MODE_ACCT_OUT))) { /* * We rely on policy defined in the rejecting entry or, if no match * was found, we rely on the general policy variable for this type * of firewall. 
*/
	if (f!=NULL) {
		policy=f->fw_flg;
		tosand=f->fw_tosand;
		tosxor=f->fw_tosxor;
	} else {
		/* No rule matched: identity TOS rewrite, policy is the
		 * chain default that was set before this point. */
		tosand=0xFF;
		tosxor=0x00;
	}
	if (policy&IP_FW_F_ACCEPT) {
		/* Adjust priority and recompute checksum */
		__u8 old_tos = ip->tos;
		ip->tos = (old_tos & tosand) ^ tosxor;
		if (ip->tos != old_tos)
			ip_send_check(ip);
#ifdef CONFIG_IP_TRANSPARENT_PROXY
		if (policy&IP_FW_F_REDIR) {
			if (redirport)
				/* NOTE(review): the redirect port lives at index
				 * fw_nsp+fw_ndp, i.e. one past the last port of
				 * the rule.  del_from_chain() below only ever
				 * walks fw_pts up to IP_FW_MAX_PORTS, so a rule
				 * with fw_nsp+fw_ndp == IP_FW_MAX_PORTS would
				 * read past the array here unless the part of
				 * check_ipfw_struct() not visible in this view
				 * rejects it -- confirm. */
				if ((*redirport = htons(f->fw_pts[f->fw_nsp+f->fw_ndp])) == 0) {
					/* Wildcard redirection.
					 * Note that redirport will become
					 * 0xFFFF for non-TCP/UDP packets.
					 */
					*redirport = htons(dst_port);
				}
			answer = FW_REDIRECT;
		} else
#endif
#ifdef CONFIG_IP_MASQUERADE
		if (policy&IP_FW_F_MASQ)
			answer = FW_MASQUERADE;
		else
#endif
			answer = FW_ACCEPT;
	} else if(policy&IP_FW_F_ICMPRPL)
		answer = FW_REJECT;
	else
		answer = FW_BLOCK;
#ifdef CONFIG_IP_FIREWALL_NETLINK
	/* Logging rules that drop/reject: ship a bounded prefix of the
	 * packet to userspace.  The copy length is capped by both the
	 * 128-byte skb allocated here and the IP total-length field, so
	 * the memcpy never exceeds either. */
	if((policy&IP_FW_F_PRN) && (answer == FW_REJECT || answer == FW_BLOCK)) {
		struct sk_buff *skb=alloc_skb(128, GFP_ATOMIC);
		if(skb) {
			int len = min_t(unsigned int, 128, ntohs(ip->tot_len));
			skb_put(skb,len);
			memcpy(skb->data,ip,len);
			/* netlink_post() takes ownership on success; on
			 * failure the skb is still ours and must be freed. */
			if(netlink_post(NETLINK_FIREWALL, skb))
				kfree_skb(skb);
		}
	}
#endif
	return answer;
	} else /* we're doing accounting, always ok */
		return 0;
}

/*
 * Reset the per-rule packet and byte counters of every rule in the
 * chain.  Takes no lock of its own; the counters are only bumped by
 * ip_fw_check(), so a concurrent increment may be lost but nothing
 * worse happens.
 */
static void zero_fw_chain(struct ip_fw *chainptr)
{
	struct ip_fw *ctmp=chainptr;
	while(ctmp) {
		ctmp->fw_pcnt=0L;
		ctmp->fw_bcnt=0L;
		ctmp=ctmp->fw_next;
	}
}

/*
 * Unlink and free every rule of a chain, leaving *chainptr == NULL.
 *
 * Interrupts are disabled for the whole walk (save_flags/cli) because
 * the packet path in ip_fw_check() walks the same list from interrupt
 * context.  Every freed rule drops the module use count that
 * insert_in_chain()/append_to_chain() took for it.
 *
 * NOTE(review): the rule's fw_viadev pointer is simply discarded here.
 * If dev_get_by_name() takes a device reference in this kernel
 * generation, nothing in the code visible in this file releases it --
 * confirm against the device notifier / dev_put() usage elsewhere.
 */
static void free_fw_chain(struct ip_fw *volatile* chainptr)
{
	unsigned long flags;
	save_flags(flags);
	cli();
	while ( *chainptr != NULL ) {
		struct ip_fw *ftmp;
		ftmp = *chainptr;
		*chainptr = ftmp->fw_next;
		kfree(ftmp);
		MOD_DEC_USE_COUNT;
	}
	restore_flags(flags);
}

/* Volatiles to keep some of the compiler versions amused */

/*
 * Insert a copy of the user-supplied rule *frwl at the HEAD of the
 * chain.  Returns 0 on success or a positive errno (ENOMEM).
 *
 * Only the first len bytes of the freshly kmalloc'd rule are
 * initialised from frwl; the remainder of the struct is whatever
 * kmalloc() returned.  This is safe only because the ioctl path is
 * expected to have already run check_ipfw_struct() (below), which
 * rejects len != sizeof(struct ip_fw) -- presumably every caller does
 * so; confirm before reusing this helper.
 *
 * The allocation is done before cli() so we never sleep or fail with
 * interrupts off; the list splice itself happens under cli() because
 * ip_fw_check() reads the list from interrupt context.
 */
static int insert_in_chain(struct ip_fw *volatile* chainptr, struct ip_fw *frwl,int len)
{
	struct ip_fw *ftmp;
	unsigned long flags;
	save_flags(flags);
	ftmp = kmalloc( sizeof(struct ip_fw), GFP_ATOMIC );
	if ( ftmp == NULL ) {
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: malloc said no\n");
#endif
		return( ENOMEM );
	}
	memcpy(ftmp, frwl, len);
	/*
	 * Allow the more recent "minimise cost" flag to be
	 * set. [Rob van Nieuwkerk]
	 */
	/* Force bit 0 of the AND mask set and bit 0 of the XOR mask
	 * clear, so the TOS rewrite in ip_fw_check()
	 * ((tos & tosand) ^ tosxor) always passes the low TOS bit of the
	 * packet through unchanged, whatever userspace asked for. */
	ftmp->fw_tosand |= 0x01;
	ftmp->fw_tosxor &= 0xFE;
	/* Counters always start at zero, never inherited from userspace. */
	ftmp->fw_pcnt=0L;
	ftmp->fw_bcnt=0L;
	cli();
	/* Resolve the interface name to a device pointer once, at insert
	 * time.  An unknown name gets the -1 sentinel: ip_fw_check()
	 * compares fw_viadev against the real device pointer, so such a
	 * rule can never match on interface.
	 * NOTE(review): if dev_get_by_name() returns a held reference in
	 * this kernel, nothing in this file's visible code releases it
	 * when the rule is deleted -- confirm. */
	if ((ftmp->fw_vianame)[0]) {
		if (!(ftmp->fw_viadev = dev_get_by_name(ftmp->fw_vianame)))
			ftmp->fw_viadev = (struct net_device *) -1;
	} else
		ftmp->fw_viadev = NULL;
	ftmp->fw_next = *chainptr;
	*chainptr=ftmp;
	restore_flags(flags);
	MOD_INC_USE_COUNT;
	return(0);
}

/*
 * Append a copy of the user-supplied rule *frwl at the TAIL of the
 * chain.  Returns 0 on success or a positive errno (ENOMEM).
 *
 * Identical to insert_in_chain() in how the rule is copied, sanitised
 * (TOS mask bits, zeroed counters, fw_viadev resolution) and locked;
 * it differs only in walking to the end of the list, which is O(n) in
 * the chain length.  The same caveats about len and the fw_viadev
 * reference apply.
 */
static int append_to_chain(struct ip_fw *volatile* chainptr, struct ip_fw *frwl,int len)
{
	struct ip_fw *ftmp;
	struct ip_fw *chtmp=NULL;
	struct ip_fw *volatile chtmp_prev=NULL;
	unsigned long flags;
	save_flags(flags);
	ftmp = kmalloc( sizeof(struct ip_fw), GFP_ATOMIC );
	if ( ftmp == NULL ) {
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: malloc said no\n");
#endif
		return( ENOMEM );
	}
	/* Only len bytes come from userspace; relies on check_ipfw_struct()
	 * having enforced len == sizeof(struct ip_fw) -- see insert_in_chain(). */
	memcpy(ftmp, frwl, len);
	/*
	 * Allow the more recent "minimise cost" flag to be
	 * set. [Rob van Nieuwkerk]
	 */
	ftmp->fw_tosand |= 0x01;
	ftmp->fw_tosxor &= 0xFE;
	ftmp->fw_pcnt=0L;
	ftmp->fw_bcnt=0L;
	/* Terminate before linking: this node becomes the new tail. */
	ftmp->fw_next = NULL;
	cli();
	if ((ftmp->fw_vianame)[0]) {
		if (!(ftmp->fw_viadev = dev_get_by_name(ftmp->fw_vianame)))
			ftmp->fw_viadev = (struct net_device *) -1;
	} else
		ftmp->fw_viadev = NULL;
	/* Find the current tail (NULL for an empty chain). */
	chtmp_prev=NULL;
	for (chtmp=*chainptr;chtmp!=NULL;chtmp=chtmp->fw_next)
		chtmp_prev=chtmp;
	if (chtmp_prev)
		chtmp_prev->fw_next=ftmp;
	else
		*chainptr=ftmp;
	restore_flags(flags);
	MOD_INC_USE_COUNT;
	return(0);
}

/*
 * Delete the FIRST rule in the chain that matches *frwl, and only that
 * one.  Returns 0 if a rule was removed, positive EINVAL if the chain is
 * empty or nothing matched.
 *
 * A rule "matches" when its source/destination addresses and masks,
 * via address, flags, port counts and port list (compared only up to
 * IP_FW_MAX_PORTS entries), and via interface name (strncmp over
 * IFNAMSIZ) are all equal.  The counters, TOS masks and the resolved
 * fw_viadev pointer are deliberately not part of the comparison, so a
 * rule can be deleted by re-submitting the same spec that created it
 * even after its counters have moved.
 *
 * The whole search-and-unlink runs with interrupts off (save_flags/cli)
 * so ip_fw_check() cannot be walking the list while we kfree a node.
 */
static int del_from_chain(struct ip_fw *volatile*chainptr, struct ip_fw *frwl)
{
	struct ip_fw *ftmp,*ltmp;
	unsigned short tport1,tport2,tmpnum;
	char matches,was_found;
	unsigned long flags;
	save_flags(flags);
	cli();
	ftmp=*chainptr;
	if ( ftmp == NULL ) {
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: chain is empty\n");
#endif
		restore_flags(flags);
		return( EINVAL );
	}
	ltmp=NULL;
	was_found=0;
	while( !was_found && ftmp != NULL ) {
		matches=1;
		if (ftmp->fw_src.s_addr!=frwl->fw_src.s_addr
		    || ftmp->fw_dst.s_addr!=frwl->fw_dst.s_addr
		    || ftmp->fw_smsk.s_addr!=frwl->fw_smsk.s_addr
		    || ftmp->fw_dmsk.s_addr!=frwl->fw_dmsk.s_addr
		    || ftmp->fw_via.s_addr!=frwl->fw_via.s_addr
		    || ftmp->fw_flg!=frwl->fw_flg)
			matches=0;
		tport1=ftmp->fw_nsp+ftmp->fw_ndp;
		tport2=frwl->fw_nsp+frwl->fw_ndp;
		if (tport1!=tport2)
			matches=0;
		else if (tport1!=0) {
			/* Bounded by IP_FW_MAX_PORTS so an oversized
			 * fw_nsp+fw_ndp cannot drive the index off the
			 * end of fw_pts. */
			for (tmpnum=0;tmpnum < tport1 && tmpnum < IP_FW_MAX_PORTS;tmpnum++)
				if (ftmp->fw_pts[tmpnum]!=frwl->fw_pts[tmpnum])
					matches=0;
		}
		if (strncmp(ftmp->fw_vianame, frwl->fw_vianame, IFNAMSIZ))
			matches=0;
		if(matches) {
			was_found=1;
			/* Unlink via the predecessor, or via the chain head
			 * when the match is the first node. */
			if (ltmp) {
				ltmp->fw_next=ftmp->fw_next;
				kfree(ftmp);
				ftmp=ltmp->fw_next;
			} else {
				*chainptr=ftmp->fw_next;
				kfree(ftmp);
				ftmp=*chainptr;
			}
		} else {
			ltmp = ftmp;
			ftmp = ftmp->fw_next;
		}
	}
	restore_flags(flags);
	if (was_found) {
		MOD_DEC_USE_COUNT;
		return 0;
	} else
		return(EINVAL);
}
#endif /* CONFIG_IP_ACCT || CONFIG_IP_FIREWALL */

struct ip_fw *check_ipfw_struct(struct ip_fw *frwl, int len)
{
	if ( len != sizeof(struct ip_fw) ) {
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: len=%d, want %d\n",len, sizeof(struct ip_fw));
#endif
		return(NULL);
	}
	if ( (frwl->fw_flg & ~IP_FW_F_MASK) != 0 ) {
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: undefined flag bits set (flags=%x)\n", frwl->fw_flg);
#endif
		return(NULL);
	}
#ifndef CONFIG_IP_TRANSPARENT_PROXY
	if (frwl->fw_flg & IP_FW_F_REDIR) {
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: unsupported flag IP_FW_F_REDIR\n");
#endif
		return(NULL);
	}
#endif
#ifndef CONFIG_IP_MASQUERADE
	if (frwl->fw_flg & IP_FW_F_MASQ) {
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: unsupported flag IP_FW_F_MASQ\n");
#endif
		return(NULL);
	}
#endif
	if ( (frwl->fw_flg & IP_FW_F_SRNG) && frwl->fw_nsp < 2 ) {
#ifdef DEBUG_IP_FIREWALL
		printk("ip_fw_ctl: src range set but fw_nsp=%d\n", frwl->fw_nsp);
#endif
		return(NULL);
	}