[apple/xnu.git] / bsd / netinet / ip_auth.c

/*
 * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License").  You may not use this file except in compliance with the
 * License.  Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */
/*
 * Copyright (C) 1997 by Darren Reed & Guido van Rooij.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 */

#define __FreeBSD_version 300000	/* just a hack - no <sys/osreldate.h> */

#if !defined(KERNEL)
# include <stdlib.h>
# include <string.h>
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/file.h>
#if defined(KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
# include <sys/fcntl.h>
#else
# include <sys/ioctl.h>
#endif
#include <sys/uio.h>
#ifndef linux
# include <sys/protosw.h>
#endif
#include <sys/socket.h>
#if defined(KERNEL) 
# include <sys/systm.h>
#endif
#if !defined(__SVR4) && !defined(__svr4__)
# ifndef linux
#  include <sys/mbuf.h>
# endif
#else
# include <sys/filio.h>
# include <sys/byteorder.h>
# include <sys/dditypes.h>
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
#if defined(KERNEL) && (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
#endif
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
# include <kern/cpu_number.h>
#endif
#include <net/if.h>
#ifdef sun
#include <net/af.h>
#endif
#if !defined(KERNEL) && (__FreeBSD_version >= 300000)
# include <net/if_var.h>
#endif
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#ifndef	KERNEL
#define	KERNEL
#define	NOT_KERNEL
#endif
#ifndef linux
# include <netinet/ip_var.h>
#endif
#ifdef	NOT_KERNEL
#undef	KERNEL
#endif
#ifdef __sgi
# ifdef IFF_DRVRLOCK /* IRIX6 */
#include <sys/hashing.h>
# endif
#endif
#include <netinet/tcp.h>
#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
extern struct ifqueue   ipintrq;                /* ip packet input queue */
#else
# ifndef linux
#  include <netinet/in_var.h>
#  include <netinet/tcp_fsm.h>
# endif
#endif
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include "netinet/ip_compat.h"
#include <netinet/tcpip.h>
#include "netinet/ip_fil.h"
#include "netinet/ip_auth.h"
#if !SOLARIS && !defined(linux)
# include <net/netisr.h>
# ifdef __FreeBSD__
#  include <machine/cpufunc.h>
# endif
#endif


#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
extern kmutex_t ipf_auth;
# if SOLARIS
extern kcondvar_t ipfauthwait;
# endif
#endif
#ifdef linux
static struct wait_queue *ipfauthwait = NULL;
#endif

int	fr_authsize = FR_NUMAUTH;
int	fr_authused = 0;
int	fr_defaultauthage = 600;
fr_authstat_t	fr_authstats;
static frauth_t fr_auth[FR_NUMAUTH];
mb_t	*fr_authpkts[FR_NUMAUTH];
static int	fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
static frauthent_t	*fae_list = NULL;
frentry_t	*ipauth = NULL;


/*
 * Check if a packet has authorization.  If the packet is found to match an
 * authorization result and that would result in a feedback loop (i.e. it
 * will end up returning FR_AUTH) then return FR_BLOCK instead.
 */
int fr_checkauth(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
	u_short id = ip->ip_id;
	u_32_t pass;
	int i;

	MUTEX_ENTER(&ipf_auth);
	for (i = fr_authstart; i != fr_authend; ) {
		/*
		 * index becomes -2 only after an SIOCAUTHW.  Check this in
		 * case the same packet gets sent again and it hasn't yet been
		 * auth'd.
		 */
		if ((fr_auth[i].fra_index == -2) &&
		    (id == fr_auth[i].fra_info.fin_id) &&
		    !bcmp((char *)fin,(char *)&fr_auth[i].fra_info,FI_CSIZE)) {
			/*
			 * Avoid feedback loop.
			 */
			if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH))
				pass = FR_BLOCK;
			fr_authstats.fas_hits++;
			fr_auth[i].fra_index = -1;
			fr_authused--;
			if (i == fr_authstart) {
				while (fr_auth[i].fra_index == -1) {
					i++;
					if (i == FR_NUMAUTH)
						i = 0;
					fr_authstart = i;
					if (i == fr_authend)
						break;
				}
				if (fr_authstart == fr_authend) {
					fr_authnext = 0;
					fr_authstart = fr_authend = 0;
				}
			}
			MUTEX_EXIT(&ipf_auth);
			return pass;
		}
		i++;
		if (i == FR_NUMAUTH)
			i = 0;
	}
	fr_authstats.fas_miss++;
	MUTEX_EXIT(&ipf_auth);
	return 0;
}


/*
 * Check if we have room in the auth array to hold details for another packet.
 * If we do, store it and wake up any user programs which are waiting to
 * hear about these events.
 */
int fr_newauth(m, fin, ip
#if defined(_KERNEL) && SOLARIS
, qif)
qif_t *qif;
#else
)
#endif
mb_t *m;
fr_info_t *fin;
ip_t *ip;
{
	int i;

	MUTEX_ENTER(&ipf_auth);
	if ((fr_authstart > fr_authend) && (fr_authstart - fr_authend == -1)) {
		fr_authstats.fas_nospace++;
		MUTEX_EXIT(&ipf_auth);
		return 0;
	}
	if (fr_authend - fr_authstart == FR_NUMAUTH - 1) {
		fr_authstats.fas_nospace++;
		MUTEX_EXIT(&ipf_auth);
		return 0;
	}

	fr_authstats.fas_added++;
	fr_authused++;
	i = fr_authend++;
	if (fr_authend == FR_NUMAUTH)
		fr_authend = 0;
	MUTEX_EXIT(&ipf_auth);
	fr_auth[i].fra_index = i;
	fr_auth[i].fra_pass = 0;
	fr_auth[i].fra_age = fr_defaultauthage;
	bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin));
#if !defined(sparc) && !defined(m68k)
	/*
	 * No need to copyback here as we want to undo the changes, not keep
	 * them.
	 */
# if SOLARIS && defined(KERNEL)
	if (ip == (ip_t *)m->b_rptr)
# endif
	{
		register u_short bo;

		bo = ip->ip_len;
		ip->ip_len = htons(bo);
# if !SOLARIS	/* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
		bo = ip->ip_id;
		ip->ip_id = htons(bo);
# endif
		bo = ip->ip_off;
		ip->ip_off = htons(bo);
	}
#endif
#if SOLARIS && defined(KERNEL)
	m->b_rptr -= qif->qf_off;
	fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
	fr_auth[i].fra_q = qif->qf_q;
	cv_signal(&ipfauthwait);
#else
	fr_authpkts[i] = m;
# if defined(linux) && defined(KERNEL)
	wake_up_interruptible(&ipfauthwait);
# else
	WAKEUP(&fr_authnext);
# endif
#endif
	return 1;
}


int fr_auth_ioctl(data, cmd, fr, frptr)
caddr_t data;
#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
u_long cmd;
#else
int cmd;
#endif
frentry_t *fr, **frptr;
{
	mb_t *m;
#if defined(KERNEL)
# if !SOLARIS
	struct ifqueue *ifq;
	int s;
# endif
#endif
	frauth_t auth, *au = &auth;
	frauthent_t *fae, **faep;
	int i, error = 0;

	switch (cmd)
	{
	case SIOCINIFR :
	case SIOCRMIFR :
	case SIOCADIFR :
		error = EINVAL;
		break;
	case SIOCINAFR :
	case SIOCRMAFR :
	case SIOCADAFR :
		for (faep = &fae_list; (fae = *faep); )
			if (&fae->fae_fr == fr)
				break;
			else
				faep = &fae->fae_next;
		if (cmd == SIOCRMAFR) {
			if (!fae)
				error = ESRCH;
			else {
				*faep = fae->fae_next;
				*frptr = fr->fr_next;
				KFREE(fae);
			}
		} else {
			KMALLOC(fae, frauthent_t *, sizeof(*fae));
			if (fae != NULL) {
				IRCOPY((char *)data, (char *)&fae->fae_fr,
				       sizeof(fae->fae_fr));
				if (!fae->fae_age)
					fae->fae_age = fr_defaultauthage;
				fae->fae_fr.fr_hits = 0;
				fae->fae_fr.fr_next = *frptr;
				*frptr = &fae->fae_fr;
				fae->fae_next = *faep;
				*faep = fae;
			} else
				error = ENOMEM;
		}
		break;
	case SIOCATHST:
		IWCOPY((char *)&fr_authstats, data, sizeof(fr_authstats));
		break;
	case SIOCAUTHW:
fr_authioctlloop:
		MUTEX_ENTER(&ipf_auth);
		if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
			IWCOPY((char *)&fr_auth[fr_authnext++], data,
			       sizeof(fr_info_t));
			if (fr_authnext == FR_NUMAUTH)
				fr_authnext = 0;
			MUTEX_EXIT(&ipf_auth);
			return 0;
		}
#ifdef	KERNEL
# if	SOLARIS
		if (!cv_wait_sig(&ipfauthwait, &ipf_auth)) {
			mutex_exit(&ipf_auth);
			return EINTR;
		}
# else
#  ifdef linux
		interruptible_sleep_on(&ipfauthwait);
		if (current->signal & ~current->blocked)
			error = -EINTR;
#  else
		error = SLEEP(&fr_authnext, "fr_authnext");
# endif
# endif
#endif
		MUTEX_EXIT(&ipf_auth);
		if (!error)
			goto fr_authioctlloop;
		break;
	case SIOCAUTHR:
		IRCOPY(data, (caddr_t)&auth, sizeof(auth));
		MUTEX_ENTER(&ipf_auth);
		i = au->fra_index;
		if ((i < 0) || (i > FR_NUMAUTH) ||
		    (fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) {
			MUTEX_EXIT(&ipf_auth);
			return EINVAL;
		}
		m = fr_authpkts[i];
		fr_auth[i].fra_index = -2;
		fr_auth[i].fra_pass = au->fra_pass;
		fr_authpkts[i] = NULL;
#ifdef	KERNEL
		MUTEX_EXIT(&ipf_auth);
		SPL_NET(s);
# ifndef linux
		if (m && au->fra_info.fin_out) {
#  if SOLARIS
			error = fr_qout(fr_auth[i].fra_q, m);
#  else /* SOLARIS */
#if IPSEC
			m->m_pkthdr.rcvif = NULL;
#endif /*IPSEC*/

			error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
#  endif /* SOLARIS */
			if (error)
				fr_authstats.fas_sendfail++;
			else
				fr_authstats.fas_sendok++;
		} else if (m) {
# if SOLARIS
			error = fr_qin(fr_auth[i].fra_q, m);
# else /* SOLARIS */
			ifq = &ipintrq;
			if (IF_QFULL(ifq)) {
				IF_DROP(ifq);
				m_freem(m);
				error = ENOBUFS;
			} else {
				IF_ENQUEUE(ifq, m);
				schednetisr(NETISR_IP);
			}
# endif /* SOLARIS */
			if (error)
				fr_authstats.fas_quefail++;
			else
				fr_authstats.fas_queok++;
		} else
			error = EINVAL;
# endif
# if SOLARIS
		if (error)
			error = EINVAL;
# else
		/*
		 * If we experience an error which will result in the packet
		 * not being processed, make sure we advance to the next one.
		 */ 
		if (error == ENOBUFS) {
			fr_authused--;
			fr_auth[i].fra_index = -1;
			fr_auth[i].fra_pass = 0;
			if (i == fr_authstart) {
				while (fr_auth[i].fra_index == -1) {
					i++;
					if (i == FR_NUMAUTH)
						i = 0;
					fr_authstart = i;
					if (i == fr_authend)
						break;
				}
				if (fr_authstart == fr_authend) {
					fr_authnext = 0;
					fr_authstart = fr_authend = 0;
				}
			}
		}
# endif
		SPL_X(s);
#endif /* KERNEL */
		break;
	default :
		error = EINVAL;
		break;
	}
	return error;
}


#ifdef	KERNEL
/*
 * Free all network buffer memory used to keep saved packets.
 */
void fr_authunload()
{
	register int i;
	register frauthent_t *fae, **faep;
	mb_t *m;

	MUTEX_ENTER(&ipf_auth);
	for (i = 0; i < FR_NUMAUTH; i++) {
		if ((m = fr_authpkts[i])) {
			FREE_MB_T(m);
			fr_authpkts[i] = NULL;
			fr_auth[i].fra_index = -1;
		}
	}


	for (faep = &fae_list; (fae = *faep); ) {
		*faep = fae->fae_next;
		KFREE(fae);
	}
	MUTEX_EXIT(&ipf_auth);
}


/*
 * Slowly expire held auth records.  Timeouts are set
 * in expectation of this being called twice per second.
 */
void fr_authexpire()
{
	register int i;
	register frauth_t *fra;
	register frauthent_t *fae, **faep;
	mb_t *m;
#if !SOLARIS
	int s;
#endif

	SPL_NET(s);
	MUTEX_ENTER(&ipf_auth);
	for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
		if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
			FREE_MB_T(m);
			fr_authpkts[i] = NULL;
			fr_auth[i].fra_index = -1;
			fr_authstats.fas_expire++;
			fr_authused--;
		}
	}

	for (faep = &fae_list; (fae = *faep); ) {
		if (!--fra->fra_age) {
			*faep = fae->fae_next;
			KFREE(fae);
			fr_authstats.fas_expire++;
		} else
			faep = &fae->fae_next;
	}
	MUTEX_EXIT(&ipf_auth);
	SPL_X(s);
}
#endif
Commit	Line	Data
1c79356b A	1	/*
	2	* Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* The contents of this file constitute Original Code as defined in and
	7	* are subject to the Apple Public Source License Version 1.1 (the
	8	* "License"). You may not use this file except in compliance with the
	9	* License. Please obtain a copy of the License at
	10	* http://www.apple.com/publicsource and read it before using this file.
	11	*
	12	* This Original Code and all software distributed under the License are
	13	* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	14	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	15	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	16	* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
	17	* License for the specific language governing rights and limitations
	18	* under the License.
	19	*
	20	* @APPLE_LICENSE_HEADER_END@
	21	*/
	22	/*
	23	* Copyright (C) 1997 by Darren Reed & Guido van Rooij.
	24	*
	25	* Redistribution and use in source and binary forms are permitted
	26	* provided that this notice is preserved and due credit is given
	27	* to the original author and the contributors.
	28	*/
	29
	30	#define __FreeBSD_version 300000 /* just a hack - no <sys/osreldate.h> */
	31
	32	#if !defined(KERNEL)
	33	# include <stdlib.h>
	34	# include <string.h>
	35	#endif
	36	#include <sys/errno.h>
	37	#include <sys/types.h>
	38	#include <sys/param.h>
	39	#include <sys/time.h>
	40	#include <sys/file.h>
	41	#if defined(KERNEL) && (__FreeBSD_version >= 220000)
	42	# include <sys/filio.h>
	43	# include <sys/fcntl.h>
	44	#else
	45	# include <sys/ioctl.h>
	46	#endif
	47	#include <sys/uio.h>
	48	#ifndef linux
	49	# include <sys/protosw.h>
	50	#endif
	51	#include <sys/socket.h>
	52	#if defined(KERNEL)
	53	# include <sys/systm.h>
	54	#endif
	55	#if !defined(__SVR4) && !defined(__svr4__)
	56	# ifndef linux
	57	# include <sys/mbuf.h>
	58	# endif
	59	#else
	60	# include <sys/filio.h>
	61	# include <sys/byteorder.h>
	62	# include <sys/dditypes.h>
	63	# include <sys/stream.h>
	64	# include <sys/kmem.h>
65	#endif
66	#if defined(KERNEL) && (__FreeBSD_version >= 300000)
67	# include <sys/malloc.h>
68	#endif
69	#if defined(__NetBSD__) \|\| defined(__OpenBSD__) \|\| defined(bsdi)
70	# include <kern/cpu_number.h>
71	#endif
72	#include <net/if.h>
73	#ifdef sun
74	#include <net/af.h>
75	#endif
76	#if !defined(KERNEL) && (__FreeBSD_version >= 300000)
77	# include <net/if_var.h>
78	#endif
79	#include <net/route.h>
80	#include <netinet/in.h>
81	#include <netinet/in_systm.h>
82	#include <netinet/ip.h>
83	#ifndef KERNEL
84	#define KERNEL
85	#define NOT_KERNEL
86	#endif
87	#ifndef linux
88	# include <netinet/ip_var.h>
89	#endif
90	#ifdef NOT_KERNEL
91	#undef KERNEL
92	#endif
93	#ifdef __sgi
94	# ifdef IFF_DRVRLOCK /* IRIX6 */
95	#include <sys/hashing.h>
96	# endif
97	#endif
98	#include <netinet/tcp.h>
99	#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
100	extern struct ifqueue ipintrq; /* ip packet input queue */
101	#else
102	# ifndef linux
103	# include <netinet/in_var.h>
104	# include <netinet/tcp_fsm.h>
105	# endif
106	#endif
107	#include <netinet/udp.h>
108	#include <netinet/ip_icmp.h>
109	#include "netinet/ip_compat.h"
110	#include <netinet/tcpip.h>
111	#include "netinet/ip_fil.h"
112	#include "netinet/ip_auth.h"
113	#if !SOLARIS && !defined(linux)
114	# include <net/netisr.h>
115	# ifdef __FreeBSD__
116	# include <machine/cpufunc.h>
117	# endif
118	#endif
119
120
121	#if (SOLARIS \|\| defined(__sgi)) && defined(_KERNEL)
122	extern kmutex_t ipf_auth;
123	# if SOLARIS
124	extern kcondvar_t ipfauthwait;
125	# endif
126	#endif
127	#ifdef linux
128	static struct wait_queue *ipfauthwait = NULL;
129	#endif
130
131	int fr_authsize = FR_NUMAUTH;
132	int fr_authused = 0;
133	int fr_defaultauthage = 600;
134	fr_authstat_t fr_authstats;
135	static frauth_t fr_auth[FR_NUMAUTH];
136	mb_t *fr_authpkts[FR_NUMAUTH];
137	static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
138	static frauthent_t *fae_list = NULL;
139	frentry_t *ipauth = NULL;
140
141
142	/*
143	* Check if a packet has authorization. If the packet is found to match an
144	* authorization result and that would result in a feedback loop (i.e. it
145	* will end up returning FR_AUTH) then return FR_BLOCK instead.
146	*/
147	int fr_checkauth(ip, fin)
148	ip_t *ip;
149	fr_info_t *fin;
150	{
151	u_short id = ip->ip_id;
152	u_32_t pass;
153	int i;
154
155	MUTEX_ENTER(&ipf_auth);
156	for (i = fr_authstart; i != fr_authend; ) {
157	/*
158	* index becomes -2 only after an SIOCAUTHW. Check this in
159	* case the same packet gets sent again and it hasn't yet been
160	* auth'd.
161	*/
162	if ((fr_auth[i].fra_index == -2) &&
163	(id == fr_auth[i].fra_info.fin_id) &&
164	!bcmp((char )fin,(char )&fr_auth[i].fra_info,FI_CSIZE)) {
165	/*
166	* Avoid feedback loop.
167	*/
168	if (!(pass = fr_auth[i].fra_pass) \|\| (pass & FR_AUTH))
169	pass = FR_BLOCK;
170	fr_authstats.fas_hits++;
171	fr_auth[i].fra_index = -1;
172	fr_authused--;
173	if (i == fr_authstart) {
174	while (fr_auth[i].fra_index == -1) {
175	i++;
176	if (i == FR_NUMAUTH)
177	i = 0;
178	fr_authstart = i;
179	if (i == fr_authend)
180	break;
181	}
182	if (fr_authstart == fr_authend) {
183	fr_authnext = 0;
184	fr_authstart = fr_authend = 0;
185	}
186	}
187	MUTEX_EXIT(&ipf_auth);
188	return pass;
189	}
190	i++;
191	if (i == FR_NUMAUTH)
192	i = 0;
193	}
194	fr_authstats.fas_miss++;
195	MUTEX_EXIT(&ipf_auth);
196	return 0;
197	}
198
199
200	/*
201	* Check if we have room in the auth array to hold details for another packet.
202	* If we do, store it and wake up any user programs which are waiting to
203	* hear about these events.
204	*/
205	int fr_newauth(m, fin, ip
206	#if defined(_KERNEL) && SOLARIS
207	, qif)
208	qif_t *qif;
209	#else
210	)
211	#endif
212	mb_t *m;
213	fr_info_t *fin;
214	ip_t *ip;
215	{
216	int i;
217
218	MUTEX_ENTER(&ipf_auth);
219	if ((fr_authstart > fr_authend) && (fr_authstart - fr_authend == -1)) {
220	fr_authstats.fas_nospace++;
221	MUTEX_EXIT(&ipf_auth);
222	return 0;
223	}
224	if (fr_authend - fr_authstart == FR_NUMAUTH - 1) {
225	fr_authstats.fas_nospace++;
226	MUTEX_EXIT(&ipf_auth);
227	return 0;
228	}
229
230	fr_authstats.fas_added++;
231	fr_authused++;
232	i = fr_authend++;
233	if (fr_authend == FR_NUMAUTH)
234	fr_authend = 0;
235	MUTEX_EXIT(&ipf_auth);
236	fr_auth[i].fra_index = i;
237	fr_auth[i].fra_pass = 0;
238	fr_auth[i].fra_age = fr_defaultauthage;
239	bcopy((char )fin, (char )&fr_auth[i].fra_info, sizeof(*fin));
240	#if !defined(sparc) && !defined(m68k)
241	/*
242	* No need to copyback here as we want to undo the changes, not keep
243	* them.
244	*/
245	# if SOLARIS && defined(KERNEL)
246	if (ip == (ip_t *)m->b_rptr)
247	# endif
248	{
249	register u_short bo;
250
251	bo = ip->ip_len;
252	ip->ip_len = htons(bo);
253	# if !SOLARIS /* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
254	bo = ip->ip_id;
255	ip->ip_id = htons(bo);
256	# endif
257	bo = ip->ip_off;
258	ip->ip_off = htons(bo);
259	}
260	#endif
261	#if SOLARIS && defined(KERNEL)
262	m->b_rptr -= qif->qf_off;
263	fr_authpkts[i] = (mblk_t *)fin->fin_mp;
264	fr_auth[i].fra_q = qif->qf_q;
265	cv_signal(&ipfauthwait);
266	#else
267	fr_authpkts[i] = m;
268	# if defined(linux) && defined(KERNEL)
269	wake_up_interruptible(&ipfauthwait);
270	# else
271	WAKEUP(&fr_authnext);
272	# endif
273	#endif
274	return 1;
275	}
276
277
278	int fr_auth_ioctl(data, cmd, fr, frptr)
279	caddr_t data;
280	#if defined(__NetBSD__) \|\| defined(__OpenBSD__) \|\| (__FreeBSD_version >= 300003)
281	u_long cmd;
282	#else
283	int cmd;
284	#endif
285	frentry_t fr, *frptr;
286	{
287	mb_t *m;
288	#if defined(KERNEL)
289	# if !SOLARIS
290	struct ifqueue *ifq;
291	int s;
292	# endif
293	#endif
294	frauth_t auth, *au = &auth;
295	frauthent_t fae, *faep;
296	int i, error = 0;
297
298	switch (cmd)
299	{
300	case SIOCINIFR :
301	case SIOCRMIFR :
302	case SIOCADIFR :
303	error = EINVAL;
304	break;
305	case SIOCINAFR :
306	case SIOCRMAFR :
307	case SIOCADAFR :
308	for (faep = &fae_list; (fae = *faep); )
309	if (&fae->fae_fr == fr)
310	break;
311	else
312	faep = &fae->fae_next;
313	if (cmd == SIOCRMAFR) {
314	if (!fae)
315	error = ESRCH;
316	else {
317	*faep = fae->fae_next;
318	*frptr = fr->fr_next;
319	KFREE(fae);
320	}
321	} else {
322	KMALLOC(fae, frauthent_t , sizeof(fae));
323	if (fae != NULL) {
324	IRCOPY((char )data, (char )&fae->fae_fr,
325	sizeof(fae->fae_fr));
326	if (!fae->fae_age)
327	fae->fae_age = fr_defaultauthage;
328	fae->fae_fr.fr_hits = 0;
329	fae->fae_fr.fr_next = *frptr;
330	*frptr = &fae->fae_fr;
331	fae->fae_next = *faep;
332	*faep = fae;
333	} else
334	error = ENOMEM;
335	}
336	break;
337	case SIOCATHST:
338	IWCOPY((char *)&fr_authstats, data, sizeof(fr_authstats));
339	break;
340	case SIOCAUTHW:
341	fr_authioctlloop:
342	MUTEX_ENTER(&ipf_auth);
343	if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
344	IWCOPY((char *)&fr_auth[fr_authnext++], data,
345	sizeof(fr_info_t));
346	if (fr_authnext == FR_NUMAUTH)
347	fr_authnext = 0;
348	MUTEX_EXIT(&ipf_auth);
349	return 0;
350	}
351	#ifdef KERNEL
352	# if SOLARIS
353	if (!cv_wait_sig(&ipfauthwait, &ipf_auth)) {
354	mutex_exit(&ipf_auth);
355	return EINTR;
356	}
357	# else
358	# ifdef linux
359	interruptible_sleep_on(&ipfauthwait);
360	if (current->signal & ~current->blocked)
361	error = -EINTR;
362	# else
363	error = SLEEP(&fr_authnext, "fr_authnext");
364	# endif
365	# endif
366	#endif
367	MUTEX_EXIT(&ipf_auth);
368	if (!error)
369	goto fr_authioctlloop;
370	break;
371	case SIOCAUTHR:
372	IRCOPY(data, (caddr_t)&auth, sizeof(auth));
373	MUTEX_ENTER(&ipf_auth);
374	i = au->fra_index;
375	if ((i < 0) \|\| (i > FR_NUMAUTH) \|\|
376	(fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) {
377	MUTEX_EXIT(&ipf_auth);
378	return EINVAL;
379	}
380	m = fr_authpkts[i];
381	fr_auth[i].fra_index = -2;
382	fr_auth[i].fra_pass = au->fra_pass;
383	fr_authpkts[i] = NULL;
384	#ifdef KERNEL
385	MUTEX_EXIT(&ipf_auth);
386	SPL_NET(s);
387	# ifndef linux
388	if (m && au->fra_info.fin_out) {
389	# if SOLARIS
390	error = fr_qout(fr_auth[i].fra_q, m);
391	# else /* SOLARIS */
392	#if IPSEC
393	m->m_pkthdr.rcvif = NULL;
394	#endif /IPSEC/
395
396	error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
397	# endif /* SOLARIS */
398	if (error)
399	fr_authstats.fas_sendfail++;
400	else
401	fr_authstats.fas_sendok++;
402	} else if (m) {
403	# if SOLARIS
404	error = fr_qin(fr_auth[i].fra_q, m);
405	# else /* SOLARIS */
406	ifq = &ipintrq;
407	if (IF_QFULL(ifq)) {
408	IF_DROP(ifq);
409	m_freem(m);
410	error = ENOBUFS;
411	} else {
412	IF_ENQUEUE(ifq, m);
413	schednetisr(NETISR_IP);
414	}
415	# endif /* SOLARIS */
416	if (error)
417	fr_authstats.fas_quefail++;
418	else
419	fr_authstats.fas_queok++;
420	} else
421	error = EINVAL;
422	# endif
423	# if SOLARIS
424	if (error)
425	error = EINVAL;
426	# else
427	/*
428	* If we experience an error which will result in the packet
429	* not being processed, make sure we advance to the next one.
430	*/
431	if (error == ENOBUFS) {
432	fr_authused--;
433	fr_auth[i].fra_index = -1;
434	fr_auth[i].fra_pass = 0;
435	if (i == fr_authstart) {
436	while (fr_auth[i].fra_index == -1) {
437	i++;
438	if (i == FR_NUMAUTH)
439	i = 0;
440	fr_authstart = i;
441	if (i == fr_authend)
442	break;
443	}
444	if (fr_authstart == fr_authend) {
445	fr_authnext = 0;
446	fr_authstart = fr_authend = 0;
447	}
448	}
449	}
450	# endif
451	SPL_X(s);
452	#endif /* KERNEL */
453	break;
454	default :
455	error = EINVAL;
456	break;
457	}
458	return error;
459	}
460
461
462	#ifdef KERNEL
463	/*
464	* Free all network buffer memory used to keep saved packets.
465	*/
466	void fr_authunload()
467	{
468	register int i;
469	register frauthent_t fae, *faep;
470	mb_t *m;
471
472	MUTEX_ENTER(&ipf_auth);
473	for (i = 0; i < FR_NUMAUTH; i++) {
474	if ((m = fr_authpkts[i])) {
475	FREE_MB_T(m);
476	fr_authpkts[i] = NULL;
477	fr_auth[i].fra_index = -1;
478	}
479	}
480
481
482	for (faep = &fae_list; (fae = *faep); ) {
483	*faep = fae->fae_next;
484	KFREE(fae);
485	}
486	MUTEX_EXIT(&ipf_auth);
487	}
488
489
490	/*
491	* Slowly expire held auth records. Timeouts are set
492	* in expectation of this being called twice per second.
493	*/
494	void fr_authexpire()
495	{
496	register int i;
497	register frauth_t *fra;
498	register frauthent_t fae, *faep;
499	mb_t *m;
500	#if !SOLARIS
501	int s;
502	#endif
503
504	SPL_NET(s);
505	MUTEX_ENTER(&ipf_auth);
506	for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
507	if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
508	FREE_MB_T(m);
509	fr_authpkts[i] = NULL;
510	fr_auth[i].fra_index = -1;
511	fr_authstats.fas_expire++;
512	fr_authused--;
513	}
514	}
515
516	for (faep = &fae_list; (fae = *faep); ) {
517	if (!--fra->fra_age) {
518	*faep = fae->fae_next;
519	KFREE(fae);
520	fr_authstats.fas_expire++;
521	} else
522	faep = &fae->fae_next;
523	}
524	MUTEX_EXIT(&ipf_auth);
525	SPL_X(s);
526	}
527	#endif