xref: /illumos-gate/usr/src/uts/common/inet/ipf/fil.c (revision af5f29dd)
17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * Copyright (C) 1993-2003 by Darren Reed.
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * See the IPFILTER.LICENCE file for details on licencing.
5ab25eeb5Syz  *
6de22af4eSJohn Ojemann  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
794bdecd9SRob Gulewich  *
894bdecd9SRob Gulewich  * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
97c478bd9Sstevel@tonic-gate  */
107c478bd9Sstevel@tonic-gate 
117c478bd9Sstevel@tonic-gate #if defined(KERNEL) || defined(_KERNEL)
127c478bd9Sstevel@tonic-gate # undef KERNEL
137c478bd9Sstevel@tonic-gate # undef _KERNEL
147c478bd9Sstevel@tonic-gate # define        KERNEL	1
157c478bd9Sstevel@tonic-gate # define        _KERNEL	1
167c478bd9Sstevel@tonic-gate #endif
177c478bd9Sstevel@tonic-gate #include <sys/errno.h>
187c478bd9Sstevel@tonic-gate #include <sys/types.h>
197c478bd9Sstevel@tonic-gate #include <sys/param.h>
207c478bd9Sstevel@tonic-gate #include <sys/time.h>
217c478bd9Sstevel@tonic-gate #if defined(__NetBSD__)
227c478bd9Sstevel@tonic-gate # if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
237c478bd9Sstevel@tonic-gate #  include "opt_ipfilter_log.h"
247c478bd9Sstevel@tonic-gate # endif
257c478bd9Sstevel@tonic-gate #endif
267c478bd9Sstevel@tonic-gate #if defined(_KERNEL) && defined(__FreeBSD_version) && \
277c478bd9Sstevel@tonic-gate     (__FreeBSD_version >= 220000)
287c478bd9Sstevel@tonic-gate # if (__FreeBSD_version >= 400000)
297c478bd9Sstevel@tonic-gate #  if !defined(IPFILTER_LKM)
307c478bd9Sstevel@tonic-gate #   include "opt_inet6.h"
317c478bd9Sstevel@tonic-gate #  endif
327c478bd9Sstevel@tonic-gate #  if (__FreeBSD_version == 400019)
337c478bd9Sstevel@tonic-gate #   define CSUM_DELAY_DATA
347c478bd9Sstevel@tonic-gate #  endif
357c478bd9Sstevel@tonic-gate # endif
367c478bd9Sstevel@tonic-gate # include <sys/filio.h>
377c478bd9Sstevel@tonic-gate #else
387c478bd9Sstevel@tonic-gate # include <sys/ioctl.h>
397c478bd9Sstevel@tonic-gate #endif
40ab25eeb5Syz #if !defined(_AIX51)
41ab25eeb5Syz # include <sys/fcntl.h>
42ab25eeb5Syz #endif
437c478bd9Sstevel@tonic-gate #if defined(_KERNEL)
447c478bd9Sstevel@tonic-gate # include <sys/systm.h>
457c478bd9Sstevel@tonic-gate # include <sys/file.h>
467c478bd9Sstevel@tonic-gate #else
477c478bd9Sstevel@tonic-gate # include <stdio.h>
487c478bd9Sstevel@tonic-gate # include <string.h>
497c478bd9Sstevel@tonic-gate # include <stdlib.h>
50ab25eeb5Syz # include <stddef.h>
517c478bd9Sstevel@tonic-gate # include <sys/file.h>
527c478bd9Sstevel@tonic-gate # define _KERNEL
537c478bd9Sstevel@tonic-gate # ifdef __OpenBSD__
547c478bd9Sstevel@tonic-gate struct file;
557c478bd9Sstevel@tonic-gate # endif
567c478bd9Sstevel@tonic-gate # include <sys/uio.h>
577c478bd9Sstevel@tonic-gate # undef _KERNEL
587c478bd9Sstevel@tonic-gate #endif
59ab25eeb5Syz #if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux) && \
60ab25eeb5Syz     !defined(linux)
617c478bd9Sstevel@tonic-gate # include <sys/mbuf.h>
627c478bd9Sstevel@tonic-gate #else
63ab25eeb5Syz # if !defined(linux)
64ab25eeb5Syz #  include <sys/byteorder.h>
65ab25eeb5Syz # endif
667c478bd9Sstevel@tonic-gate # if (SOLARIS2 < 5) && defined(sun)
677c478bd9Sstevel@tonic-gate #  include <sys/dditypes.h>
687c478bd9Sstevel@tonic-gate # endif
697c478bd9Sstevel@tonic-gate #endif
707c478bd9Sstevel@tonic-gate #ifdef __hpux
717c478bd9Sstevel@tonic-gate # define _NET_ROUTE_INCLUDED
727c478bd9Sstevel@tonic-gate #endif
73ab25eeb5Syz #if !defined(linux)
74ab25eeb5Syz # include <sys/protosw.h>
75ab25eeb5Syz #endif
767c478bd9Sstevel@tonic-gate #include <sys/socket.h>
777c478bd9Sstevel@tonic-gate #include <net/if.h>
787c478bd9Sstevel@tonic-gate #ifdef sun
797c478bd9Sstevel@tonic-gate # include <net/af.h>
807c478bd9Sstevel@tonic-gate #endif
81ab25eeb5Syz #if !defined(_KERNEL) && defined(__FreeBSD__)
82ab25eeb5Syz # include "radix_ipf.h"
83ab25eeb5Syz #endif
847c478bd9Sstevel@tonic-gate #include <net/route.h>
857c478bd9Sstevel@tonic-gate #include <netinet/in.h>
867c478bd9Sstevel@tonic-gate #include <netinet/in_systm.h>
877c478bd9Sstevel@tonic-gate #include <netinet/ip.h>
88ab25eeb5Syz #if !defined(linux)
89ab25eeb5Syz # include <netinet/ip_var.h>
90ab25eeb5Syz #endif
917c478bd9Sstevel@tonic-gate #if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
927c478bd9Sstevel@tonic-gate # include <sys/hashing.h>
937c478bd9Sstevel@tonic-gate # include <netinet/in_var.h>
947c478bd9Sstevel@tonic-gate #endif
957c478bd9Sstevel@tonic-gate #include <netinet/tcp.h>
96ab25eeb5Syz #if (!defined(__sgi) && !defined(AIX)) || defined(_KERNEL)
97ab25eeb5Syz # include <netinet/udp.h>
98ab25eeb5Syz # include <netinet/ip_icmp.h>
99ab25eeb5Syz #endif
1007c478bd9Sstevel@tonic-gate #ifdef __hpux
1017c478bd9Sstevel@tonic-gate # undef _NET_ROUTE_INCLUDED
1027c478bd9Sstevel@tonic-gate #endif
103ab25eeb5Syz #include "netinet/ip_compat.h"
1047c478bd9Sstevel@tonic-gate #ifdef	USE_INET6
1057c478bd9Sstevel@tonic-gate # include <netinet/icmp6.h>
106*af5f29ddSToomas Soome # if !defined(SOLARIS) && defined(_KERNEL) && !defined(__osf__) && \
107*af5f29ddSToomas Soome 	!defined(__hpux)
1087c478bd9Sstevel@tonic-gate #  include <netinet6/in6_var.h>
1097c478bd9Sstevel@tonic-gate # endif
1107c478bd9Sstevel@tonic-gate #endif
1117c478bd9Sstevel@tonic-gate #include <netinet/tcpip.h>
1127c478bd9Sstevel@tonic-gate #include "netinet/ip_fil.h"
1137c478bd9Sstevel@tonic-gate #include "netinet/ip_nat.h"
1147c478bd9Sstevel@tonic-gate #include "netinet/ip_frag.h"
1157c478bd9Sstevel@tonic-gate #include "netinet/ip_state.h"
1167c478bd9Sstevel@tonic-gate #include "netinet/ip_proxy.h"
1177c478bd9Sstevel@tonic-gate #include "netinet/ip_auth.h"
118f4b3ec61Sdh #include "netinet/ipf_stack.h"
1197c478bd9Sstevel@tonic-gate #ifdef IPFILTER_SCAN
1207c478bd9Sstevel@tonic-gate # include "netinet/ip_scan.h"
1217c478bd9Sstevel@tonic-gate #endif
122ab25eeb5Syz #ifdef IPFILTER_SYNC
123ab25eeb5Syz # include "netinet/ip_sync.h"
124ab25eeb5Syz #endif
1257c478bd9Sstevel@tonic-gate #include "netinet/ip_pool.h"
1267c478bd9Sstevel@tonic-gate #include "netinet/ip_htable.h"
127ab25eeb5Syz #ifdef IPFILTER_COMPILED
128ab25eeb5Syz # include "netinet/ip_rules.h"
1297c478bd9Sstevel@tonic-gate #endif
130ab25eeb5Syz #if defined(IPFILTER_BPF) && defined(_KERNEL)
1317c478bd9Sstevel@tonic-gate # include <net/bpf.h>
1327c478bd9Sstevel@tonic-gate #endif
1337c478bd9Sstevel@tonic-gate #if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
1347c478bd9Sstevel@tonic-gate # include <sys/malloc.h>
1357c478bd9Sstevel@tonic-gate # if defined(_KERNEL) && !defined(IPFILTER_LKM)
1367c478bd9Sstevel@tonic-gate #  include "opt_ipfilter.h"
1377c478bd9Sstevel@tonic-gate # endif
1387c478bd9Sstevel@tonic-gate #endif
1397c478bd9Sstevel@tonic-gate #include "netinet/ipl.h"
14094bdecd9SRob Gulewich #if defined(_KERNEL)
14194bdecd9SRob Gulewich #include <sys/sunddi.h>
14294bdecd9SRob Gulewich #endif
143ab25eeb5Syz /* END OF INCLUDES */
1447c478bd9Sstevel@tonic-gate 
#if !defined(lint)
/* Source-control identification strings embedded in the object file. */
static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.64 2005/08/13 05:19:59 darrenr Exp $";
#endif

#ifndef	_KERNEL
# include "ipf.h"
# include "ipt.h"
# include "bpf-ipf.h"
extern	int	opts;

/*
 * Outside the kernel, FR_VERBOSE/FR_DEBUG expand to a call of verbose/debug
 * with the parenthesised argument list passed as verb_pr.
 */
# define	FR_VERBOSE(verb_pr)			verbose verb_pr
# define	FR_DEBUG(verb_pr)			debug verb_pr
#else /* #ifndef _KERNEL */
/* In the kernel both macros expand to nothing, so the arguments vanish. */
# define	FR_VERBOSE(verb_pr)
# define	FR_DEBUG(verb_pr)
#endif /* _KERNEL */
1627c478bd9Sstevel@tonic-gate 
1637c478bd9Sstevel@tonic-gate 
/* Version string for this build, taken from IPL_VERSION. */
char	ipfilter_version[] = IPL_VERSION;
/*
 * Bitmask of optional features compiled into this build: one IPF_FEAT_* bit
 * is OR'd in for each of the IPFILTER_* options (and USE_INET6) that is
 * defined at compile time.  With none defined the value stays 0.
 */
int	fr_features = 0
#ifdef	IPFILTER_LKM
		| IPF_FEAT_LKM
#endif
#ifdef	IPFILTER_LOG
		| IPF_FEAT_LOG
#endif
#ifdef	IPFILTER_LOOKUP
		| IPF_FEAT_LOOKUP
#endif
#ifdef	IPFILTER_BPF
		| IPF_FEAT_BPF
#endif
#ifdef	IPFILTER_COMPILED
		| IPF_FEAT_COMPILED
#endif
#ifdef	IPFILTER_CKSUM
		| IPF_FEAT_CKSUM
#endif
#ifdef	IPFILTER_SYNC
		| IPF_FEAT_SYNC
#endif
#ifdef	IPFILTER_SCAN
		| IPF_FEAT_SCAN
#endif
#ifdef	USE_INET6
		| IPF_FEAT_IPV6
#endif
	;

/*
 * Post-increment a counter.  The expansion is a plain (x)++, so the macro
 * itself provides no locking or atomicity; any serialisation has to come
 * from the caller.
 */
#define	IPF_BUMP(x)	(x)++
196cbded9aeSdr 
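/*
 * Forward declarations of file-local (static) helpers.  fr_ipfcheck is
 * declared once; the list previously carried the same prototype twice.
 */
static	INLINE int	fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
static	int		fr_portcheck __P((frpcmp_t *, u_short *));
static	int		frflushlist __P((int, minor_t, int *, frentry_t **,
					 ipf_stack_t *));
static	ipfunc_t	fr_findfunc __P((ipfunc_t));
static	frentry_t	*fr_firewall __P((fr_info_t *, u_32_t *));
static	int		fr_funcinit __P((frentry_t *fr, ipf_stack_t *));
/* Per-protocol packet inspection helpers (names prefixed frpr_). */
static	INLINE void	frpr_ah __P((fr_info_t *));
static	INLINE void	frpr_esp __P((fr_info_t *));
static	INLINE void	frpr_gre __P((fr_info_t *));
static	INLINE void	frpr_udp __P((fr_info_t *));
static	INLINE void	frpr_tcp __P((fr_info_t *));
static	INLINE void	frpr_icmp __P((fr_info_t *));
static	INLINE void	frpr_ipv4hdr __P((fr_info_t *));
static	INLINE int	frpr_pullup __P((fr_info_t *, int));
static	INLINE void	frpr_short __P((fr_info_t *, int));
static	INLINE void	frpr_tcpcommon __P((fr_info_t *));
static	INLINE void	frpr_udpcommon __P((fr_info_t *));
static	INLINE int	fr_updateipid __P((fr_info_t *));
#ifdef	IPFILTER_LOOKUP
/* Only declared when lookup support is compiled in. */
static	int		fr_grpmapinit __P((frentry_t *fr, ipf_stack_t *));
static	INLINE void	*fr_resolvelookup __P((u_int, u_int, lookupfunc_t *,
					       ipf_stack_t *));
#endif
static	void		frsynclist __P((int, int, void *, char *, frentry_t *,
    ipf_stack_t *));
static	void		*fr_ifsync __P((int, int, char *, char *,
					void *, void *, ipf_stack_t *));
static	ipftuneable_t	*fr_findtunebyname __P((const char *, ipf_stack_t *));
static	ipftuneable_t	*fr_findtunebycookie __P((void *, void **, ipf_stack_t *));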
2287c478bd9Sstevel@tonic-gate 
2297c478bd9Sstevel@tonic-gate /*
2307c478bd9Sstevel@tonic-gate  * bit values for identifying presence of individual IP options
231ab25eeb5Syz  * All of these tables should be ordered by increasing key value on the left
232ab25eeb5Syz  * hand side to allow for binary searching of the array and include a trailer
233ab25eeb5Syz  * with a 0 for the bitmask for linear searches to easily find the end with.
2347c478bd9Sstevel@tonic-gate  */
/*
 * Each entry pairs an IP option type with the single bit used to record that
 * the option is present.  The declared size of 20 is exactly the 19 options
 * below plus the trailer, so adding an option means raising the size too.
 */
const	struct	optlist	ipopts[20] = {
	{ IPOPT_NOP,		1 << 0 },
	{ IPOPT_RR,		1 << 1 },	/* record route */
	{ IPOPT_ZSU,		1 << 2 },
	{ IPOPT_MTUP,		1 << 3 },
	{ IPOPT_MTUR,		1 << 4 },
	{ IPOPT_ENCODE,		1 << 5 },
	{ IPOPT_TS,		1 << 6 },	/* timestamp */
	{ IPOPT_TR,		1 << 7 },
	{ IPOPT_SECURITY,	1 << 8 },
	{ IPOPT_LSRR,		1 << 9 },	/* loose source routing */
	{ IPOPT_E_SEC,		1 << 10 },
	{ IPOPT_CIPSO,		1 << 11 },
	{ IPOPT_SATID,		1 << 12 },
	{ IPOPT_SSRR,		1 << 13 },	/* strict source routing */
	{ IPOPT_ADDEXT,		1 << 14 },
	{ IPOPT_VISA,		1 << 15 },
	{ IPOPT_IMITD,		1 << 16 },
	{ IPOPT_EIP,		1 << 17 },
	{ IPOPT_FINN,		1 << 18 },
	/* Trailer: the zero bitmask is what marks the end for linear scans. */
	{ 0,			0 }
};
2577c478bd9Sstevel@tonic-gate 
2587c478bd9Sstevel@tonic-gate #ifdef USE_INET6
/*
 * IPv6 extension header (next-header) values and the bit used to record that
 * each one was seen.  The end of the table is the entry whose bitmask is 0;
 * a key of 0 alone is not a terminator, since IPPROTO_HOPOPTS is protocol
 * number 0 and is the first real entry.
 */
struct optlist ip6exthdr[] = {
	{ IPPROTO_HOPOPTS,		1 << 0 },
	{ IPPROTO_IPV6,			1 << 1 },
	{ IPPROTO_ROUTING,		1 << 2 },
	{ IPPROTO_FRAGMENT,		1 << 3 },
	{ IPPROTO_ESP,			1 << 4 },
	{ IPPROTO_AH,			1 << 5 },
	{ IPPROTO_NONE,			1 << 6 },
	{ IPPROTO_DSTOPTS,		1 << 7 },
	/* Trailer: zero bitmask. */
	{ 0,				0 }
};
2707c478bd9Sstevel@tonic-gate #endif
2717c478bd9Sstevel@tonic-gate 
/*
 * TCP option kinds and the bit used to record the presence of each one.
 * The final entry, with a zero bitmask, terminates the table.
 */
struct optlist tcpopts[] = {
	{ TCPOPT_NOP,			1 << 0 },
	{ TCPOPT_MAXSEG,		1 << 1 },
	{ TCPOPT_WINDOW,		1 << 2 },
	{ TCPOPT_SACK_PERMITTED,	1 << 3 },
	{ TCPOPT_SACK,			1 << 4 },
	{ TCPOPT_TIMESTAMP,		1 << 5 },
	/* Trailer: zero bitmask. */
	{ 0,				0 }
};
2817c478bd9Sstevel@tonic-gate 
2827c478bd9Sstevel@tonic-gate /*
2837c478bd9Sstevel@tonic-gate  * bit values for identifying presence of individual IP security options
2847c478bd9Sstevel@tonic-gate  */
/*
 * The eight entries below fill the declared size of 8 completely, so this
 * table has no zero-bitmask trailer.  Code that walks it has to stop after
 * eight entries instead of searching for a terminator; reading a ninth
 * entry would run past the end of the array.
 */
const	struct	optlist	secopt[8] = {
	{ IPSO_CLASS_RES4,	1 << 0 },
	{ IPSO_CLASS_TOPS,	1 << 1 },
	{ IPSO_CLASS_SECR,	1 << 2 },
	{ IPSO_CLASS_RES3,	1 << 3 },
	{ IPSO_CLASS_CONF,	1 << 4 },
	{ IPSO_CLASS_UNCL,	1 << 5 },
	{ IPSO_CLASS_RES2,	1 << 6 },
	{ IPSO_CLASS_RES1,	1 << 7 }
};
2957c478bd9Sstevel@tonic-gate 
2967c478bd9Sstevel@tonic-gate 
2977c478bd9Sstevel@tonic-gate /*
2987c478bd9Sstevel@tonic-gate  * Table of functions available for use with call rules.
2997c478bd9Sstevel@tonic-gate  */
/*
 * Each entry gives the name a call rule uses, the function it resolves to
 * and that function's init routine.  Only functions listed here can be
 * named by a call rule; the entry with an empty name and NULL pointers
 * ends the table.
 */
static ipfunc_resolve_t fr_availfuncs[] = {
#ifdef	IPFILTER_LOOKUP
	{ "fr_srcgrpmap", fr_srcgrpmap, fr_grpmapinit },
	{ "fr_dstgrpmap", fr_dstgrpmap, fr_grpmapinit },
#endif
	/* Terminator: the init pointer is written out, it was implicitly NULL. */
	{ "", NULL, NULL }
};
3077c478bd9Sstevel@tonic-gate 
3087c478bd9Sstevel@tonic-gate 
309ea8244dcSJohn Ojemann /*
310ea8244dcSJohn Ojemann  * Below we declare a list of constants used only by the ipf_extraflush()
311ea8244dcSJohn Ojemann  * routine.  We are placing it here, instead of in ipf_extraflush() itself,
312ea8244dcSJohn Ojemann  * because we want to make it visible to tools such as mdb, nm etc., so the
313ea8244dcSJohn Ojemann  * values can easily be altered during debugging.
314ea8244dcSJohn Ojemann  */
/*
 * Idle-time thresholds, listed from shortest to longest.  The arguments are
 * second counts (see the per-entry comments); IPF_TTLVAL() presumably
 * converts them to the timer unit used for TTLs -- confirm against its
 * definition.
 */
static	const	int	idletime_tab[] = {
	IPF_TTLVAL(30),		/* 30 seconds */
	IPF_TTLVAL(1800),	/* 30 minutes */
	IPF_TTLVAL(43200),	/* 12 hours */
	IPF_TTLVAL(345600),	/* 4 days */
};
321ea8244dcSJohn Ojemann 
322ea8244dcSJohn Ojemann 
/*
 * The next section of code is a collection of small routines that set
 * fields in the fr_info_t structure passed based on properties of the
 * current packet.  There are different routines for the same protocol
 * for each of IPv4 and IPv6.  Adding a new protocol, for which there
 * will be "special" inspection for setup, is now more easily done by adding
 * a new routine and expanding the frpr_ipinit*() function rather than by
 * adding more code to a growing switch statement.
 */
3327c478bd9Sstevel@tonic-gate #ifdef USE_INET6
/*
 * Forward declarations of the IPv6 inspection helpers; compiled only when
 * USE_INET6 is defined.  The extension-header helpers return int, the
 * per-protocol ones (other than frpr_ah6) return void.
 */
static	INLINE int	frpr_ah6 __P((fr_info_t *));
static	INLINE void	frpr_esp6 __P((fr_info_t *));
static	INLINE void	frpr_gre6 __P((fr_info_t *));
static	INLINE void	frpr_udp6 __P((fr_info_t *));
static	INLINE void	frpr_tcp6 __P((fr_info_t *));
static	INLINE void	frpr_icmp6 __P((fr_info_t *));
static	INLINE void	frpr_ipv6hdr __P((fr_info_t *));
static	INLINE void	frpr_short6 __P((fr_info_t *, int));
static	INLINE int	frpr_hopopts6 __P((fr_info_t *));
static	INLINE int	frpr_routing6 __P((fr_info_t *));
static	INLINE int	frpr_dstopts6 __P((fr_info_t *));
static	INLINE int	frpr_fragment6 __P((fr_info_t *));
static	INLINE int	frpr_ipv6exthdr __P((fr_info_t *, int, int));
3467c478bd9Sstevel@tonic-gate 
3477c478bd9Sstevel@tonic-gate 
/* ------------------------------------------------------------------------ */
/* Function:    frpr_short6                                                 */
/* Returns:     void                                                        */
/* Parameters:  fin(I)  - pointer to packet information                     */
/*              xmin(I) - minimum acceptable value of fin_dlen              */
/*                                                                          */
/* IPv6 Only                                                                */
/* Flags a packet whose fin_dlen is smaller than xmin by setting FI_SHORT   */
/* in fin_flx.  The packet is not dropped here; only the flag is recorded.  */
/* See the function comment for frpr_short() for more details.              */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_short6(fin, xmin)
fr_info_t *fin;
int xmin;
{
	/* Long enough for the caller's minimum: leave the flags untouched. */
	if (!(fin->fin_dlen < xmin))
		return;

	/*
	 * Too short.  Code that goes on to read header fields should test
	 * FI_SHORT first, since this routine only records the condition.
	 */
	fin->fin_flx |= FI_SHORT;
}
3667c478bd9Sstevel@tonic-gate 
3677c478bd9Sstevel@tonic-gate 
3687c478bd9Sstevel@tonic-gate /* ------------------------------------------------------------------------ */
3697c478bd9Sstevel@tonic-gate /* Function:    frpr_ipv6hdr                                                */
37033f2fefdSDarren Reed /* Returns:     Nil                                                         */
3717c478bd9Sstevel@tonic-gate /* Parameters:  fin(I) - pointer to packet information                      */
3727c478bd9Sstevel@tonic-gate /*                                                                          */
3737c478bd9Sstevel@tonic-gate /* IPv6 Only                                                                */
3747c478bd9Sstevel@tonic-gate /* Copy values from the IPv6 header into the fr_info_t struct and call the  */
3757c478bd9Sstevel@tonic-gate /* per-protocol analyzer if it exists.                                      */
3767c478bd9Sstevel@tonic-gate /* ------------------------------------------------------------------------ */
frpr_ipv6hdr(fin)37733f2fefdSDarren Reed static INLINE void frpr_ipv6hdr(fin)
3787c478bd9Sstevel@tonic-gate fr_info_t *fin;
3797c478bd9Sstevel@tonic-gate {
3807c478bd9Sstevel@tonic-gate 	ip6_t *ip6 = (ip6_t *)fin->fin_ip;
381ab25eeb5Syz 	int p, go = 1, i, hdrcount;
3827c478bd9Sstevel@tonic-gate 	fr_ip_t *fi = &fin->fin_fi;
3837c478bd9Sstevel@tonic-gate 
3847c478bd9Sstevel@tonic-gate 	fin->fin_off = 0;
3857c478bd9Sstevel@tonic-gate 
3867c478bd9