[apple/xnu.git] / bsd / netinet / ip_state.c

/*
 * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License").  You may not use this file except in compliance with the
 * License.  Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */
/*
 * Copyright (C) 1995-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 */
#if !defined(lint)
/* static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-1995 Darren Reed"; */
#endif

#include "opt_ipfilter.h"
#if defined(KERNEL) && !defined(_KERNEL)
#define _KERNEL
#endif
#define __FreeBSD_version 300000        /* it's a hack, but close enough */

#if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
# include <stdlib.h>
# include <string.h>
#else
# ifdef linux
#  include <linux/kernel.h>
#  include <linux/module.h>
# endif
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/file.h>
#if defined(KERNEL) && (__FreeBSD_version >= 220000)
# include <sys/filio.h>
# include <sys/fcntl.h>
# include <sys/malloc.h>
#else
# include <sys/ioctl.h>
#endif
#include <sys/time.h>
#include <sys/uio.h>
#ifndef linux
#include <sys/protosw.h>
#endif
#include <sys/socket.h>
#if defined(_KERNEL) && !defined(linux)
# include <sys/systm.h>
#endif
#if !defined(__SVR4) && !defined(__svr4__)
# ifndef linux
#  include <sys/mbuf.h>
# endif
#else
# include <sys/filio.h>
# include <sys/byteorder.h>
# include <sys/dditypes.h>
# include <sys/stream.h>
# include <sys/kmem.h>
#endif

#include <net/if.h>
#if sun
#include <net/af.h>
#endif
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#ifndef linux
# include <netinet/ip_var.h>
# include <netinet/tcp_fsm.h>
#endif
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include "netinet/ip_compat.h"
#include <netinet/tcpip.h>
#include "netinet/ip_fil.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_state.h"
#ifndef	MIN
#define	MIN(a,b)	(((a)<(b))?(a):(b))
#endif

#define	TCP_CLOSE	(TH_FIN|TH_RST)

static ipstate_t *ips_table[IPSTATE_SIZE];
static int	ips_num = 0;
static ips_stat_t ips_stats;
#if	(SOLARIS || defined(__sgi)) && defined(_KERNEL)
extern	kmutex_t	ipf_state;
#endif

static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr,
			       fr_info_t *, void *, u_short, u_short));
static int fr_state_flush __P((int));
static ips_stat_t *fr_statetstats __P((void));


#define	FIVE_DAYS	(2 * 5 * 86400)	/* 5 days: half closed session */

u_long	fr_tcpidletimeout = FIVE_DAYS,
	fr_tcpclosewait = 60,
	fr_tcplastack = 20,
	fr_tcptimeout = 120,
	fr_tcpclosed = 1,
	fr_udptimeout = 120,
	fr_icmptimeout = 120;


static ips_stat_t *fr_statetstats()
{
	ips_stats.iss_active = ips_num;
	ips_stats.iss_table = ips_table;
	return &ips_stats;
}


/*
 * flush state tables.  two actions currently defined:
 * which == 0 : flush all state table entries
 * which == 1 : flush TCP connections which have started to close but are
 *              stuck for some reason.
 */
static int fr_state_flush(which)
int which;
{
	register int i;
	register ipstate_t *is, **isp;
#if defined(_KERNEL) && !SOLARIS
	int s;
#endif
	int delete, removed = 0;

	SPL_NET(s);
	MUTEX_ENTER(&ipf_state);
	for (i = 0; i < IPSTATE_SIZE; i++)
		for (isp = &ips_table[i]; (is = *isp); ) {
			delete = 0;

			switch (which)
			{
			case 0 :
				delete = 1;
				break;
			case 1 :
				if ((is->is_p == IPPROTO_TCP) &&
				    (((is->is_state[0] <= TCPS_ESTABLISHED) &&
				      (is->is_state[1] > TCPS_ESTABLISHED)) ||
				     ((is->is_state[1] <= TCPS_ESTABLISHED) &&
				      (is->is_state[0] > TCPS_ESTABLISHED))))
					delete = 1;
				break;
			}

			if (delete) {
				*isp = is->is_next;
				if (is->is_p == IPPROTO_TCP)
					ips_stats.iss_fin++;
				else
					ips_stats.iss_expire++;
#if	IPFILTER_LOG
				ipstate_log(is, ISL_FLUSH);
#endif
				KFREE(is);
				ips_num--;
				removed++;
			} else
				isp = &is->is_next;
		}
	MUTEX_EXIT(&ipf_state);
	SPL_X(s);
	return removed;
}


int fr_state_ioctl(data, cmd, mode)
caddr_t data;
#if defined(__NetBSD__) || defined(__OpenBSD__)
u_long cmd;
#else
int cmd;
#endif
int mode;
{
	int	arg, ret, error = 0;

	switch (cmd)
	{
	case SIOCIPFFL :
		IRCOPY(data, (caddr_t)&arg, sizeof(arg));
		if (arg == 0 || arg == 1) {
			ret = fr_state_flush(arg);
			IWCOPY((caddr_t)&ret, data, sizeof(ret));
		} else
			error = EINVAL;
		break;
	case SIOCGIPST :
		IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
		break;
	case FIONREAD :
#if	IPFILTER_LOG
		IWCOPY((caddr_t)&iplused[IPL_LOGSTATE], (caddr_t)data,
		       sizeof(iplused[IPL_LOGSTATE]));
#endif
		break;
	default :
		return EINVAL;
	}
	return error;
}


/*
 * Create a new ipstate structure and hang it off the hash table.
 */
int fr_addstate(ip, fin, pass)
ip_t *ip;
fr_info_t *fin;
u_int pass;
{
	ipstate_t ips;
	register ipstate_t *is = &ips;
	register u_int hv;

	if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT))
		return -1;
	if (ips_num == IPSTATE_MAX) {
		ips_stats.iss_max++;
		return -1;
	}
	ips.is_age = 1;
	ips.is_state[0] = 0;
	ips.is_state[1] = 0;
	/*
	 * Copy and calculate...
	 */
	hv = (is->is_p = ip->ip_p);
	hv += (is->is_src.s_addr = ip->ip_src.s_addr);
	hv += (is->is_dst.s_addr = ip->ip_dst.s_addr);

	switch (ip->ip_p)
	{
	case IPPROTO_ICMP :
	    {
		struct icmp *ic = (struct icmp *)fin->fin_dp;

		switch (ic->icmp_type)
		{
		case ICMP_ECHO :
			is->is_icmp.ics_type = ICMP_ECHOREPLY;	/* XXX */
			hv += (is->is_icmp.ics_id = ic->icmp_id);
			hv += (is->is_icmp.ics_seq = ic->icmp_seq);
			break;
		case ICMP_TSTAMP :
		case ICMP_IREQ :
		case ICMP_MASKREQ :
			is->is_icmp.ics_type = ic->icmp_type + 1;
			break;
		default :
			return -1;
		}
		ips_stats.iss_icmp++;
		is->is_age = fr_icmptimeout;
		break;
	    }
	case IPPROTO_TCP :
	    {
		register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;

		/*
		 * The endian of the ports doesn't matter, but the ack and
		 * sequence numbers do as we do mathematics on them later.
		 */
		hv += (is->is_dport = tcp->th_dport);
		hv += (is->is_sport = tcp->th_sport);
		is->is_seq = ntohl(tcp->th_seq);
		is->is_ack = ntohl(tcp->th_ack);
		is->is_swin = ntohs(tcp->th_win);
		is->is_dwin = is->is_swin;	/* start them the same */
		ips_stats.iss_tcp++;
		/*
		 * If we're creating state for a starting connection, start the
		 * timer on it as we'll never see an error if it fails to
		 * connect.
		 */
		if ((tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN)
			is->is_ack = 0;	/* Trumpet WinSock 'ism */
		fr_tcp_age(&is->is_age, is->is_state, ip, fin,
			   tcp->th_sport == is->is_sport);
		break;
	    }
	case IPPROTO_UDP :
	    {
		register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;

		hv += (is->is_dport = tcp->th_dport);
		hv += (is->is_sport = tcp->th_sport);
		ips_stats.iss_udp++;
		is->is_age = fr_udptimeout;
		break;
	    }
	default :
		return -1;
	}

	KMALLOC(is, ipstate_t *, sizeof(*is));
	if (is == NULL) {
		ips_stats.iss_nomem++;
		return -1;
	}
	bcopy((char *)&ips, (char *)is, sizeof(*is));
	hv %= IPSTATE_SIZE;
	MUTEX_ENTER(&ipf_state);

	is->is_pass = pass;
	is->is_pkts = 1;
	is->is_bytes = ip->ip_len;
	/*
	 * Copy these from the rule itself.
	 */
	is->is_opt = fin->fin_fr->fr_ip.fi_optmsk;
	is->is_optmsk = fin->fin_fr->fr_mip.fi_optmsk;
	is->is_sec = fin->fin_fr->fr_ip.fi_secmsk;
	is->is_secmsk = fin->fin_fr->fr_mip.fi_secmsk;
	is->is_auth = fin->fin_fr->fr_ip.fi_auth;
	is->is_authmsk = fin->fin_fr->fr_mip.fi_auth;
	is->is_flags = fin->fin_fr->fr_ip.fi_fl;
	is->is_flags |= fin->fin_fr->fr_mip.fi_fl << 4;
	/*
	 * add into table.
	 */
	is->is_next = ips_table[hv];
	ips_table[hv] = is;
	if (fin->fin_out) {
		is->is_ifpin = NULL;
		is->is_ifpout = fin->fin_ifp;
	} else {
		is->is_ifpin = fin->fin_ifp;
		is->is_ifpout = NULL;
	}
	if (pass & FR_LOGFIRST)
		is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
	ips_num++;
#if	IPFILTER_LOG
	ipstate_log(is, ISL_NEW);
#endif
	MUTEX_EXIT(&ipf_state);
	if (fin->fin_fi.fi_fl & FI_FRAG)
		ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
	return 0;
}


/*
 * check to see if a packet with TCP headers fits within the TCP window.
 * change timeout depending on whether new packet is a SYN-ACK returning for a
 * SYN or a RST or FIN which indicate time to close up shop.
 */
int fr_tcpstate(is, fin, ip, tcp)
register ipstate_t *is;
fr_info_t *fin;
ip_t *ip;
tcphdr_t *tcp;
{
	register int seqskew, ackskew;
	register u_short swin, dwin;
	register tcp_seq seq, ack;
	int source;

	/*
	 * Find difference between last checked packet and this packet.
	 */
	seq = ntohl(tcp->th_seq);
	ack = ntohl(tcp->th_ack);
	source = (ip->ip_src.s_addr == is->is_src.s_addr);

	if (!(tcp->th_flags & TH_ACK))  /* Pretend an ack was sent */
		ack = source ? is->is_ack : is->is_seq;

	if (source) {
		if (!is->is_seq)
			/*
			 * Must be an outgoing SYN-ACK in reply to a SYN.
			 */
			is->is_seq = seq;
		seqskew = seq - is->is_seq;
		ackskew = ack - is->is_ack;
	} else {
		if (!is->is_ack)
			/*
			 * Must be a SYN-ACK in reply to a SYN.
			 */
			is->is_ack = seq;
		ackskew = seq - is->is_ack;
		seqskew = ack - is->is_seq;
	}

	/*
	 * Make skew values absolute
	 */
	if (seqskew < 0)
		seqskew = -seqskew;
	if (ackskew < 0)
		ackskew = -ackskew;

	/*
	 * If the difference in sequence and ack numbers is within the
	 * window size of the connection, store these values and match
	 * the packet.
	 */
	if (source) {
		swin = is->is_swin;
		dwin = is->is_dwin;
	} else {
		dwin = is->is_swin;
		swin = is->is_dwin;
	}

	if ((seqskew <= dwin) && (ackskew <= swin)) {
		if (source) {
			is->is_seq = seq;
			is->is_ack = ack;
			is->is_swin = ntohs(tcp->th_win);
		} else {
			is->is_seq = ack;
			is->is_ack = seq;
			is->is_dwin = ntohs(tcp->th_win);
		}
		ips_stats.iss_hits++;
		is->is_pkts++;
		is->is_bytes += ip->ip_len;
		/*
		 * Nearing end of connection, start timeout.
		 */
		fr_tcp_age(&is->is_age, is->is_state, ip, fin, source);
		return 1;
	}
	return 0;
}


static int fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp)
ipstate_t *is;
struct in_addr src, dst;
fr_info_t *fin;
void *tcp;
u_short sp, dp;
{
	int ret = 0, rev, out;
	void *ifp;

	rev = (is->is_dst.s_addr != dst.s_addr);
	ifp = fin->fin_ifp;
	out = fin->fin_out;

	if (!rev) {
		if (out) {
			if (!is->is_ifpout)
				is->is_ifpout = ifp;
		} else {
			if (!is->is_ifpin)
				is->is_ifpin = ifp;
		}
	} else {
		if (out) {
			if (!is->is_ifpin)
				is->is_ifpin = ifp;
		} else {
			if (!is->is_ifpout)
				is->is_ifpout = ifp;
		}
	}

	if (!rev) {
		if (((out && is->is_ifpout == ifp) ||
		     (!out && is->is_ifpin == ifp)) &&
		    (is->is_dst.s_addr == dst.s_addr) &&
		    (is->is_src.s_addr == src.s_addr) &&
		    (!tcp || (sp == is->is_sport) &&
		     (dp == is->is_dport))) {
			ret = 1;
		}
	} else {
		if (((out && is->is_ifpin == ifp) ||
		     (!out && is->is_ifpout == ifp)) &&
		    (is->is_dst.s_addr == src.s_addr) &&
		    (is->is_src.s_addr == dst.s_addr) &&
		    (!tcp || (sp == is->is_dport) &&
		     (dp == is->is_sport))) {
			ret = 1;
		}
	}

	/*
	 * Whether or not this should be here, is questionable, but the aim
	 * is to get this out of the main line.
	 */
	if (ret) {
		if (((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) ||
		    ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) ||
		    ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth) ||
		    ((fin->fin_fi.fi_fl & (is->is_flags >> 4)) !=
		     (is->is_flags & 0xf)))
			ret = 0;
	}
	return ret;
}


/*
 * Check if a packet has a registered state.
 */
int fr_checkstate(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
	register struct in_addr dst, src;
	register ipstate_t *is, **isp;
	register u_char pr;
	struct icmp *ic;
	tcphdr_t *tcp;
	u_int hv, hlen, pass;

	if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT))
		return 0;

	hlen = fin->fin_hlen;
	tcp = (tcphdr_t *)((char *)ip + hlen);
	ic = (struct icmp *)tcp;
	hv = (pr = ip->ip_p);
	hv += (src.s_addr = ip->ip_src.s_addr);
	hv += (dst.s_addr = ip->ip_dst.s_addr);

	/*
	 * Search the hash table for matching packet header info.
	 */
	switch (ip->ip_p)
	{
	case IPPROTO_ICMP :
		hv += ic->icmp_id;
		hv += ic->icmp_seq;
		hv %= IPSTATE_SIZE;
		MUTEX_ENTER(&ipf_state);
		for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
			if ((is->is_p == pr) &&
			    (ic->icmp_id == is->is_icmp.ics_id) &&
			    (ic->icmp_seq == is->is_icmp.ics_seq) &&
			    fr_matchsrcdst(is, src, dst, fin, NULL, 0, 0)) {
				if (is->is_icmp.ics_type != ic->icmp_type)
					continue;
				is->is_age = fr_icmptimeout;
				is->is_pkts++;
				is->is_bytes += ip->ip_len;
				ips_stats.iss_hits++;
				pass = is->is_pass;
				MUTEX_EXIT(&ipf_state);
				return pass;
			}
		MUTEX_EXIT(&ipf_state);
		break;
	case IPPROTO_TCP :
	    {
		register u_short dport = tcp->th_dport, sport = tcp->th_sport;

		hv += dport;
		hv += sport;
		hv %= IPSTATE_SIZE;
		MUTEX_ENTER(&ipf_state);
		for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
			if ((is->is_p == pr) &&
			    fr_matchsrcdst(is, src, dst, fin, tcp,
					   sport, dport)) {
				if (fr_tcpstate(is, fin, ip, tcp)) {
					pass = is->is_pass;
#ifdef	_KERNEL
					MUTEX_EXIT(&ipf_state);
#else

					if (tcp->th_flags & TCP_CLOSE) {
						*isp = is->is_next;
						isp = &ips_table[hv];
						KFREE(is);
					}
#endif
					return pass;
				}
			}
		MUTEX_EXIT(&ipf_state);
		break;
	    }
	case IPPROTO_UDP :
	    {
		register u_short dport = tcp->th_dport, sport = tcp->th_sport;

		hv += dport;
		hv += sport;
		hv %= IPSTATE_SIZE;
		/*
		 * Nothing else to match on but ports. and IP#'s
		 */
		MUTEX_ENTER(&ipf_state);
		for (is = ips_table[hv]; is; is = is->is_next)
			if ((is->is_p == pr) &&
			    fr_matchsrcdst(is, src, dst, fin,
					   tcp, sport, dport)) {
				ips_stats.iss_hits++;
				is->is_pkts++;
				is->is_bytes += ip->ip_len;
				is->is_age = fr_udptimeout;
				pass = is->is_pass;
				MUTEX_EXIT(&ipf_state);
				return pass;
			}
		MUTEX_EXIT(&ipf_state);
		break;
	    }
	default :
		break;
	}
	ips_stats.iss_miss++;
	return 0;
}


/*
 * Free memory in use by all state info. kept.
 */
void fr_stateunload()
{
	register int i;
	register ipstate_t *is, **isp;

	MUTEX_ENTER(&ipf_state);
	for (i = 0; i < IPSTATE_SIZE; i++)
		for (isp = &ips_table[i]; (is = *isp); ) {
			*isp = is->is_next;
			KFREE(is);
		}
	MUTEX_EXIT(&ipf_state);
}


/*
 * Slowly expire held state for thingslike UDP and ICMP.  Timeouts are set
 * in expectation of this being called twice per second.
 */
void fr_timeoutstate()
{
	register int i;
	register ipstate_t *is, **isp;
#if defined(_KERNEL) && !SOLARIS
	int s;
#endif

	SPL_NET(s);
	MUTEX_ENTER(&ipf_state);
	for (i = 0; i < IPSTATE_SIZE; i++)
		for (isp = &ips_table[i]; (is = *isp); )
			if (is->is_age && !--is->is_age) {
				*isp = is->is_next;
				if (is->is_p == IPPROTO_TCP)
					ips_stats.iss_fin++;
				else
					ips_stats.iss_expire++;
#if	IPFILTER_LOG
				ipstate_log(is, ISL_EXPIRE);
#endif
				KFREE(is);
				ips_num--;
			} else
				isp = &is->is_next;
	MUTEX_EXIT(&ipf_state);
	SPL_X(s);
}


/*
 * Original idea freom Pradeep Krishnan for use primarily with NAT code.
 * (pkrishna@netcom.com)
 */
void fr_tcp_age(age, state, ip, fin, dir)
u_long *age;
u_char *state;
ip_t *ip;
fr_info_t *fin;
int dir;
{
	tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
	u_char flags = tcp->th_flags;
	int dlen, ostate;

	ostate = state[1 - dir];

	dlen = ip->ip_len - fin->fin_hlen - (tcp->th_off << 2);

	if (flags & TH_RST) {
		if (!(tcp->th_flags & TH_PUSH) && !dlen) {
			*age = fr_tcpclosed;
			state[dir] = TCPS_CLOSED;
		} else {
			*age = fr_tcpclosewait;
			state[dir] = TCPS_CLOSE_WAIT;
		}
		return;
	}

	*age = fr_tcptimeout; /* 1 min */

	switch(state[dir])
	{
	case TCPS_FIN_WAIT_2:
	case TCPS_CLOSED:
		if ((flags & TH_OPENING) == TH_OPENING)
			state[dir] = TCPS_SYN_RECEIVED;
		else if (flags & TH_SYN)
			state[dir] = TCPS_SYN_SENT;
		break;
	case TCPS_SYN_RECEIVED:
		if ((flags & (TH_FIN|TH_ACK)) == TH_ACK) {
			state[dir] = TCPS_ESTABLISHED;
			current_active_connections++;
			*age = fr_tcpidletimeout;
		}
		break;
	case TCPS_SYN_SENT:
		if ((flags & (TH_FIN|TH_ACK)) == TH_ACK) {
			state[dir] = TCPS_ESTABLISHED;
			current_active_connections++;
			*age = fr_tcpidletimeout;
		}
		break;
	case TCPS_ESTABLISHED:
		if (flags & TH_FIN) {
			state[dir] = TCPS_CLOSE_WAIT;
			if (!(flags & TH_PUSH) && !dlen &&
			    ostate > TCPS_ESTABLISHED)
				*age  = fr_tcplastack;
			else
				*age  = fr_tcpclosewait;
		} else
			*age = fr_tcpidletimeout;
		break;
	case TCPS_CLOSE_WAIT:
		if ((flags & TH_FIN) && !(flags & TH_PUSH) && !dlen &&
		    ostate > TCPS_ESTABLISHED) {
			*age  = fr_tcplastack;
			state[dir] = TCPS_LAST_ACK;
		} else
			*age  = fr_tcpclosewait;
		break;
	case TCPS_LAST_ACK:
		if (flags & TH_ACK) {
			state[dir] = TCPS_FIN_WAIT_2;
			if (!(flags & TH_PUSH) && !dlen &&
			    ostate > TCPS_ESTABLISHED)
				*age  = fr_tcplastack;
			else {
				*age  = fr_tcpclosewait;
				state[dir] = TCPS_CLOSE_WAIT;
			}
		}
		break;
	}
}


#if	IPFILTER_LOG
void ipstate_log(is, type)
struct ipstate *is;
u_short type;
{
	struct	ipslog	ipsl;
	void *items[1];
	size_t sizes[1];
	int types[1];

	ipsl.isl_pkts = is->is_pkts;
	ipsl.isl_bytes = is->is_bytes;
	ipsl.isl_src = is->is_src;
	ipsl.isl_dst = is->is_dst;
	ipsl.isl_p = is->is_p;
	ipsl.isl_flags = is->is_flags;
	ipsl.isl_type = type;
	if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
		ipsl.isl_sport = is->is_sport;
		ipsl.isl_dport = is->is_dport;
	} else if (ipsl.isl_p == IPPROTO_ICMP)
		ipsl.isl_itype = is->is_icmp.ics_type;
	else {
		ipsl.isl_ps.isl_filler[0] = 0;
		ipsl.isl_ps.isl_filler[1] = 0;
	}
	items[0] = &ipsl;
	sizes[0] = sizeof(ipsl);
	types[0] = 0;

	(void) ipllog(IPL_LOGSTATE, 0, items, sizes, types, 1);
}
#endif
Commit	Line	Data
1c79356b A	1	/*
	2	* Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* The contents of this file constitute Original Code as defined in and
	7	* are subject to the Apple Public Source License Version 1.1 (the
	8	* "License"). You may not use this file except in compliance with the
	9	* License. Please obtain a copy of the License at
	10	* http://www.apple.com/publicsource and read it before using this file.
	11	*
	12	* This Original Code and all software distributed under the License are
	13	* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	14	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	15	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	16	* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
	17	* License for the specific language governing rights and limitations
	18	* under the License.
	19	*
	20	* @APPLE_LICENSE_HEADER_END@
	21	*/
	22	/*
	23	* Copyright (C) 1995-1997 by Darren Reed.
	24	*
	25	* Redistribution and use in source and binary forms are permitted
	26	* provided that this notice is preserved and due credit is given
	27	* to the original author and the contributors.
	28	*/
	29	#if !defined(lint)
	30	/* static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; */
	31	#endif
	32
	33	#include "opt_ipfilter.h"
	34	#if defined(KERNEL) && !defined(_KERNEL)
	35	#define _KERNEL
	36	#endif
	37	#define __FreeBSD_version 300000 /* it's a hack, but close enough */
	38
	39	#if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
	40	# include <stdlib.h>
	41	# include <string.h>
	42	#else
	43	# ifdef linux
	44	# include <linux/kernel.h>
	45	# include <linux/module.h>
	46	# endif
	47	#endif
	48	#include <sys/errno.h>
	49	#include <sys/types.h>
	50	#include <sys/param.h>
	51	#include <sys/file.h>
	52	#if defined(KERNEL) && (__FreeBSD_version >= 220000)
	53	# include <sys/filio.h>
	54	# include <sys/fcntl.h>
	55	# include <sys/malloc.h>
	56	#else
	57	# include <sys/ioctl.h>
	58	#endif
	59	#include <sys/time.h>
	60	#include <sys/uio.h>
	61	#ifndef linux
	62	#include <sys/protosw.h>
	63	#endif
	64	#include <sys/socket.h>
65	#if defined(_KERNEL) && !defined(linux)
66	# include <sys/systm.h>
67	#endif
68	#if !defined(__SVR4) && !defined(__svr4__)
69	# ifndef linux
70	# include <sys/mbuf.h>
71	# endif
72	#else
73	# include <sys/filio.h>
74	# include <sys/byteorder.h>
75	# include <sys/dditypes.h>
76	# include <sys/stream.h>
77	# include <sys/kmem.h>
78	#endif
79
80	#include <net/if.h>
81	#if sun
82	#include <net/af.h>
83	#endif
84	#include <net/route.h>
85	#include <netinet/in.h>
86	#include <netinet/in_systm.h>
87	#include <netinet/ip.h>
88	#include <netinet/tcp.h>
89	#ifndef linux
90	# include <netinet/ip_var.h>
91	# include <netinet/tcp_fsm.h>
92	#endif
93	#include <netinet/udp.h>
94	#include <netinet/ip_icmp.h>
95	#include "netinet/ip_compat.h"
96	#include <netinet/tcpip.h>
97	#include "netinet/ip_fil.h"
98	#include "netinet/ip_nat.h"
99	#include "netinet/ip_frag.h"
100	#include "netinet/ip_proxy.h"
101	#include "netinet/ip_state.h"
102	#ifndef MIN
103	#define MIN(a,b) (((a)<(b))?(a):(b))
104	#endif
105
106	#define TCP_CLOSE (TH_FIN\|TH_RST)
107
108	static ipstate_t *ips_table[IPSTATE_SIZE];
109	static int ips_num = 0;
110	static ips_stat_t ips_stats;
111	#if (SOLARIS \|\| defined(__sgi)) && defined(_KERNEL)
112	extern kmutex_t ipf_state;
113	#endif
114
115	static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr,
116	fr_info_t , void , u_short, u_short));
117	static int fr_state_flush __P((int));
118	static ips_stat_t *fr_statetstats __P((void));
119
120
121	#define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */
122
123	u_long fr_tcpidletimeout = FIVE_DAYS,
124	fr_tcpclosewait = 60,
125	fr_tcplastack = 20,
126	fr_tcptimeout = 120,
127	fr_tcpclosed = 1,
128	fr_udptimeout = 120,
129	fr_icmptimeout = 120;
130
131
132	static ips_stat_t *fr_statetstats()
133	{
134	ips_stats.iss_active = ips_num;
135	ips_stats.iss_table = ips_table;
136	return &ips_stats;
137	}
138
139
140	/*
141	* flush state tables. two actions currently defined:
142	* which == 0 : flush all state table entries
143	* which == 1 : flush TCP connections which have started to close but are
144	* stuck for some reason.
145	*/
146	static int fr_state_flush(which)
147	int which;
148	{
149	register int i;
150	register ipstate_t is, *isp;
151	#if defined(_KERNEL) && !SOLARIS
152	int s;
153	#endif
154	int delete, removed = 0;
155
156	SPL_NET(s);
157	MUTEX_ENTER(&ipf_state);
158	for (i = 0; i < IPSTATE_SIZE; i++)
159	for (isp = &ips_table[i]; (is = *isp); ) {
160	delete = 0;
161
162	switch (which)
163	{
164	case 0 :
165	delete = 1;
166	break;
167	case 1 :
168	if ((is->is_p == IPPROTO_TCP) &&
169	(((is->is_state[0] <= TCPS_ESTABLISHED) &&
170	(is->is_state[1] > TCPS_ESTABLISHED)) \|\|
171	((is->is_state[1] <= TCPS_ESTABLISHED) &&
172	(is->is_state[0] > TCPS_ESTABLISHED))))
173	delete = 1;
174	break;
175	}
176
177	if (delete) {
178	*isp = is->is_next;
179	if (is->is_p == IPPROTO_TCP)
180	ips_stats.iss_fin++;
181	else
182	ips_stats.iss_expire++;
183	#if IPFILTER_LOG
184	ipstate_log(is, ISL_FLUSH);
185	#endif
186	KFREE(is);
187	ips_num--;
188	removed++;
189	} else
190	isp = &is->is_next;
191	}
192	MUTEX_EXIT(&ipf_state);
193	SPL_X(s);
194	return removed;
195	}
196
197
198	int fr_state_ioctl(data, cmd, mode)
199	caddr_t data;
200	#if defined(__NetBSD__) \|\| defined(__OpenBSD__)
201	u_long cmd;
202	#else
203	int cmd;
204	#endif
205	int mode;
206	{
207	int arg, ret, error = 0;
208
209	switch (cmd)
210	{
211	case SIOCIPFFL :
212	IRCOPY(data, (caddr_t)&arg, sizeof(arg));
213	if (arg == 0 \|\| arg == 1) {
214	ret = fr_state_flush(arg);
215	IWCOPY((caddr_t)&ret, data, sizeof(ret));
216	} else
217	error = EINVAL;
218	break;
219	case SIOCGIPST :
220	IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
221	break;
222	case FIONREAD :
223	#if IPFILTER_LOG
224	IWCOPY((caddr_t)&iplused[IPL_LOGSTATE], (caddr_t)data,
225	sizeof(iplused[IPL_LOGSTATE]));
226	#endif
227	break;
228	default :
229	return EINVAL;
230	}
231	return error;
232	}
233
234
235	/*
236	* Create a new ipstate structure and hang it off the hash table.
237	*/
238	int fr_addstate(ip, fin, pass)
239	ip_t *ip;
240	fr_info_t *fin;
241	u_int pass;
242	{
243	ipstate_t ips;
244	register ipstate_t *is = &ips;
245	register u_int hv;
246
247	if ((ip->ip_off & 0x1fff) \|\| (fin->fin_fi.fi_fl & FI_SHORT))
248	return -1;
249	if (ips_num == IPSTATE_MAX) {
250	ips_stats.iss_max++;
251	return -1;
252	}
253	ips.is_age = 1;
254	ips.is_state[0] = 0;
255	ips.is_state[1] = 0;
256	/*
257	* Copy and calculate...
258	*/
259	hv = (is->is_p = ip->ip_p);
260	hv += (is->is_src.s_addr = ip->ip_src.s_addr);
261	hv += (is->is_dst.s_addr = ip->ip_dst.s_addr);
262
263	switch (ip->ip_p)
264	{
265	case IPPROTO_ICMP :
266	{
267	struct icmp ic = (struct icmp )fin->fin_dp;
268
269	switch (ic->icmp_type)
270	{
271	case ICMP_ECHO :
272	is->is_icmp.ics_type = ICMP_ECHOREPLY; /* XXX */
273	hv += (is->is_icmp.ics_id = ic->icmp_id);
274	hv += (is->is_icmp.ics_seq = ic->icmp_seq);
275	break;
276	case ICMP_TSTAMP :
277	case ICMP_IREQ :
278	case ICMP_MASKREQ :
279	is->is_icmp.ics_type = ic->icmp_type + 1;
280	break;
281	default :
282	return -1;
283	}
284	ips_stats.iss_icmp++;
285	is->is_age = fr_icmptimeout;
286	break;
287	}
288	case IPPROTO_TCP :
289	{
290	register tcphdr_t tcp = (tcphdr_t )fin->fin_dp;
291
292	/*
293	* The endian of the ports doesn't matter, but the ack and
294	* sequence numbers do as we do mathematics on them later.
295	*/
296	hv += (is->is_dport = tcp->th_dport);
297	hv += (is->is_sport = tcp->th_sport);
298	is->is_seq = ntohl(tcp->th_seq);
299	is->is_ack = ntohl(tcp->th_ack);
300	is->is_swin = ntohs(tcp->th_win);
301	is->is_dwin = is->is_swin; /* start them the same */
302	ips_stats.iss_tcp++;
303	/*
304	* If we're creating state for a starting connection, start the
305	* timer on it as we'll never see an error if it fails to
306	* connect.
307	*/
308	if ((tcp->th_flags & (TH_SYN\|TH_ACK)) == TH_SYN)
309	is->is_ack = 0; /* Trumpet WinSock 'ism */
310	fr_tcp_age(&is->is_age, is->is_state, ip, fin,
311	tcp->th_sport == is->is_sport);
312	break;
313	}
314	case IPPROTO_UDP :
315	{
316	register tcphdr_t tcp = (tcphdr_t )fin->fin_dp;
317
318	hv += (is->is_dport = tcp->th_dport);
319	hv += (is->is_sport = tcp->th_sport);
320	ips_stats.iss_udp++;
321	is->is_age = fr_udptimeout;
322	break;
323	}
324	default :
325	return -1;
326	}
327
328	KMALLOC(is, ipstate_t , sizeof(is));
329	if (is == NULL) {
330	ips_stats.iss_nomem++;
331	return -1;
332	}
333	bcopy((char )&ips, (char )is, sizeof(*is));
334	hv %= IPSTATE_SIZE;
335	MUTEX_ENTER(&ipf_state);
336
337	is->is_pass = pass;
338	is->is_pkts = 1;
339	is->is_bytes = ip->ip_len;
340	/*
341	* Copy these from the rule itself.
342	*/
343	is->is_opt = fin->fin_fr->fr_ip.fi_optmsk;
344	is->is_optmsk = fin->fin_fr->fr_mip.fi_optmsk;
345	is->is_sec = fin->fin_fr->fr_ip.fi_secmsk;
346	is->is_secmsk = fin->fin_fr->fr_mip.fi_secmsk;
347	is->is_auth = fin->fin_fr->fr_ip.fi_auth;
348	is->is_authmsk = fin->fin_fr->fr_mip.fi_auth;
349	is->is_flags = fin->fin_fr->fr_ip.fi_fl;
350	is->is_flags \|= fin->fin_fr->fr_mip.fi_fl << 4;
351	/*
352	* add into table.
353	*/
354	is->is_next = ips_table[hv];
355	ips_table[hv] = is;
356	if (fin->fin_out) {
357	is->is_ifpin = NULL;
358	is->is_ifpout = fin->fin_ifp;
359	} else {
360	is->is_ifpin = fin->fin_ifp;
361	is->is_ifpout = NULL;
362	}
363	if (pass & FR_LOGFIRST)
364	is->is_pass &= ~(FR_LOGFIRST\|FR_LOG);
365	ips_num++;
366	#if IPFILTER_LOG
367	ipstate_log(is, ISL_NEW);
368	#endif
369	MUTEX_EXIT(&ipf_state);
370	if (fin->fin_fi.fi_fl & FI_FRAG)
371	ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
372	return 0;
373	}
374
375
376	/*
377	* check to see if a packet with TCP headers fits within the TCP window.
378	* change timeout depending on whether new packet is a SYN-ACK returning for a
379	* SYN or a RST or FIN which indicate time to close up shop.
380	*/
381	int fr_tcpstate(is, fin, ip, tcp)
382	register ipstate_t *is;
383	fr_info_t *fin;
384	ip_t *ip;
385	tcphdr_t *tcp;
386	{
387	register int seqskew, ackskew;
388	register u_short swin, dwin;
389	register tcp_seq seq, ack;
390	int source;
391
392	/*
393	* Find difference between last checked packet and this packet.
394	*/
395	seq = ntohl(tcp->th_seq);
396	ack = ntohl(tcp->th_ack);
397	source = (ip->ip_src.s_addr == is->is_src.s_addr);
398
399	if (!(tcp->th_flags & TH_ACK)) /* Pretend an ack was sent */
400	ack = source ? is->is_ack : is->is_seq;
401
402	if (source) {
403	if (!is->is_seq)
404	/*
405	* Must be an outgoing SYN-ACK in reply to a SYN.
406	*/
407	is->is_seq = seq;
408	seqskew = seq - is->is_seq;
409	ackskew = ack - is->is_ack;
410	} else {
411	if (!is->is_ack)
412	/*
413	* Must be a SYN-ACK in reply to a SYN.
414	*/
415	is->is_ack = seq;
416	ackskew = seq - is->is_ack;
417	seqskew = ack - is->is_seq;
418	}
419
420	/*
421	* Make skew values absolute
422	*/
423	if (seqskew < 0)
424	seqskew = -seqskew;
425	if (ackskew < 0)
426	ackskew = -ackskew;
427
428	/*
429	* If the difference in sequence and ack numbers is within the
430	* window size of the connection, store these values and match
431	* the packet.
432	*/
433	if (source) {
434	swin = is->is_swin;
435	dwin = is->is_dwin;
436	} else {
437	dwin = is->is_swin;
438	swin = is->is_dwin;
439	}
440
441	if ((seqskew <= dwin) && (ackskew <= swin)) {
442	if (source) {
443	is->is_seq = seq;
444	is->is_ack = ack;
445	is->is_swin = ntohs(tcp->th_win);
446	} else {
447	is->is_seq = ack;
448	is->is_ack = seq;
449	is->is_dwin = ntohs(tcp->th_win);
450	}
451	ips_stats.iss_hits++;
452	is->is_pkts++;
453	is->is_bytes += ip->ip_len;
454	/*
455	* Nearing end of connection, start timeout.
456	*/
457	fr_tcp_age(&is->is_age, is->is_state, ip, fin, source);
458	return 1;
459	}
460	return 0;
461	}
462
463
464	static int fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp)
465	ipstate_t *is;
466	struct in_addr src, dst;
467	fr_info_t *fin;
468	void *tcp;
469	u_short sp, dp;
470	{
471	int ret = 0, rev, out;
472	void *ifp;
473
474	rev = (is->is_dst.s_addr != dst.s_addr);
475	ifp = fin->fin_ifp;
476	out = fin->fin_out;
477
478	if (!rev) {
479	if (out) {
480	if (!is->is_ifpout)
481	is->is_ifpout = ifp;
482	} else {
483	if (!is->is_ifpin)
484	is->is_ifpin = ifp;
485	}
486	} else {
487	if (out) {
488	if (!is->is_ifpin)
489	is->is_ifpin = ifp;
490	} else {
491	if (!is->is_ifpout)
492	is->is_ifpout = ifp;
493	}
494	}
495
496	if (!rev) {
497	if (((out && is->is_ifpout == ifp) \|\|
498	(!out && is->is_ifpin == ifp)) &&
499	(is->is_dst.s_addr == dst.s_addr) &&
500	(is->is_src.s_addr == src.s_addr) &&
501	(!tcp \|\| (sp == is->is_sport) &&
502	(dp == is->is_dport))) {
503	ret = 1;
504	}
505	} else {
506	if (((out && is->is_ifpin == ifp) \|\|
507	(!out && is->is_ifpout == ifp)) &&
508	(is->is_dst.s_addr == src.s_addr) &&
509	(is->is_src.s_addr == dst.s_addr) &&
510	(!tcp \|\| (sp == is->is_dport) &&
511	(dp == is->is_sport))) {
512	ret = 1;
513	}
514	}
515
516	/*
517	* Whether or not this should be here, is questionable, but the aim
518	* is to get this out of the main line.
519	*/
520	if (ret) {
521	if (((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) \|\|
522	((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) \|\|
523	((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth) \|\|
524	((fin->fin_fi.fi_fl & (is->is_flags >> 4)) !=
525	(is->is_flags & 0xf)))
526	ret = 0;
527	}
528	return ret;
529	}
530
531
532	/*
533	* Check if a packet has a registered state.
534	*/
535	int fr_checkstate(ip, fin)
536	ip_t *ip;
537	fr_info_t *fin;
538	{
539	register struct in_addr dst, src;
540	register ipstate_t is, *isp;
541	register u_char pr;
542	struct icmp *ic;
543	tcphdr_t *tcp;
544	u_int hv, hlen, pass;
545
546	if ((ip->ip_off & 0x1fff) \|\| (fin->fin_fi.fi_fl & FI_SHORT))
547	return 0;
548
549	hlen = fin->fin_hlen;
550	tcp = (tcphdr_t )((char )ip + hlen);
551	ic = (struct icmp *)tcp;
552	hv = (pr = ip->ip_p);
553	hv += (src.s_addr = ip->ip_src.s_addr);
554	hv += (dst.s_addr = ip->ip_dst.s_addr);
555
556	/*
557	* Search the hash table for matching packet header info.
558	*/
559	switch (ip->ip_p)
560	{
561	case IPPROTO_ICMP :
562	hv += ic->icmp_id;
563	hv += ic->icmp_seq;
564	hv %= IPSTATE_SIZE;
565	MUTEX_ENTER(&ipf_state);
566	for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
567	if ((is->is_p == pr) &&
568	(ic->icmp_id == is->is_icmp.ics_id) &&
569	(ic->icmp_seq == is->is_icmp.ics_seq) &&
570	fr_matchsrcdst(is, src, dst, fin, NULL, 0, 0)) {
571	if (is->is_icmp.ics_type != ic->icmp_type)
572	continue;
573	is->is_age = fr_icmptimeout;
574	is->is_pkts++;
575	is->is_bytes += ip->ip_len;
576	ips_stats.iss_hits++;
577	pass = is->is_pass;
578	MUTEX_EXIT(&ipf_state);
579	return pass;
580	}
581	MUTEX_EXIT(&ipf_state);
582	break;
583	case IPPROTO_TCP :
584	{
585	register u_short dport = tcp->th_dport, sport = tcp->th_sport;
586
587	hv += dport;
588	hv += sport;
589	hv %= IPSTATE_SIZE;
590	MUTEX_ENTER(&ipf_state);
591	for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
592	if ((is->is_p == pr) &&
593	fr_matchsrcdst(is, src, dst, fin, tcp,
594	sport, dport)) {
595	if (fr_tcpstate(is, fin, ip, tcp)) {
596	pass = is->is_pass;
597	#ifdef _KERNEL
598	MUTEX_EXIT(&ipf_state);
599	#else
600
601	if (tcp->th_flags & TCP_CLOSE) {
602	*isp = is->is_next;
603	isp = &ips_table[hv];
604	KFREE(is);
605	}
606	#endif
607	return pass;
608	}
609	}
610	MUTEX_EXIT(&ipf_state);
611	break;
612	}
613	case IPPROTO_UDP :
614	{
615	register u_short dport = tcp->th_dport, sport = tcp->th_sport;
616
617	hv += dport;
618	hv += sport;
619	hv %= IPSTATE_SIZE;
620	/*
621	* Nothing else to match on but ports. and IP#'s
622	*/
623	MUTEX_ENTER(&ipf_state);
624	for (is = ips_table[hv]; is; is = is->is_next)
625	if ((is->is_p == pr) &&
626	fr_matchsrcdst(is, src, dst, fin,
627	tcp, sport, dport)) {
628	ips_stats.iss_hits++;
629	is->is_pkts++;
630	is->is_bytes += ip->ip_len;
631	is->is_age = fr_udptimeout;
632	pass = is->is_pass;
633	MUTEX_EXIT(&ipf_state);
634	return pass;
635	}
636	MUTEX_EXIT(&ipf_state);
637	break;
638	}
639	default :
640	break;
641	}
642	ips_stats.iss_miss++;
643	return 0;
644	}
645
646
647	/*
648	* Free memory in use by all state info. kept.
649	*/
650	void fr_stateunload()
651	{
652	register int i;
653	register ipstate_t is, *isp;
654
655	MUTEX_ENTER(&ipf_state);
656	for (i = 0; i < IPSTATE_SIZE; i++)
657	for (isp = &ips_table[i]; (is = *isp); ) {
658	*isp = is->is_next;
659	KFREE(is);
660	}
661	MUTEX_EXIT(&ipf_state);
662	}
663
664
665	/*
666	* Slowly expire held state for thingslike UDP and ICMP. Timeouts are set
667	* in expectation of this being called twice per second.
668	*/
669	void fr_timeoutstate()
670	{
671	register int i;
672	register ipstate_t is, *isp;
673	#if defined(_KERNEL) && !SOLARIS
674	int s;
675	#endif
676
677	SPL_NET(s);
678	MUTEX_ENTER(&ipf_state);
679	for (i = 0; i < IPSTATE_SIZE; i++)
680	for (isp = &ips_table[i]; (is = *isp); )
681	if (is->is_age && !--is->is_age) {
682	*isp = is->is_next;
683	if (is->is_p == IPPROTO_TCP)
684	ips_stats.iss_fin++;
685	else
686	ips_stats.iss_expire++;
687	#if IPFILTER_LOG
688	ipstate_log(is, ISL_EXPIRE);
689	#endif
690	KFREE(is);
691	ips_num--;
692	} else
693	isp = &is->is_next;
694	MUTEX_EXIT(&ipf_state);
695	SPL_X(s);
696	}
697
698
699	/*
700	* Original idea freom Pradeep Krishnan for use primarily with NAT code.
701	* (pkrishna@netcom.com)
702	*/
703	void fr_tcp_age(age, state, ip, fin, dir)
704	u_long *age;
705	u_char *state;
706	ip_t *ip;
707	fr_info_t *fin;
708	int dir;
709	{
710	tcphdr_t tcp = (tcphdr_t )fin->fin_dp;
711	u_char flags = tcp->th_flags;
712	int dlen, ostate;
713
714	ostate = state[1 - dir];
715
716	dlen = ip->ip_len - fin->fin_hlen - (tcp->th_off << 2);
717
718	if (flags & TH_RST) {
719	if (!(tcp->th_flags & TH_PUSH) && !dlen) {
720	*age = fr_tcpclosed;
721	state[dir] = TCPS_CLOSED;
722	} else {
723	*age = fr_tcpclosewait;
724	state[dir] = TCPS_CLOSE_WAIT;
725	}
726	return;
727	}
728
729	age = fr_tcptimeout; / 1 min */
730
731	switch(state[dir])
732	{
733	case TCPS_FIN_WAIT_2:
734	case TCPS_CLOSED:
735	if ((flags & TH_OPENING) == TH_OPENING)
736	state[dir] = TCPS_SYN_RECEIVED;
737	else if (flags & TH_SYN)
738	state[dir] = TCPS_SYN_SENT;
739	break;
740	case TCPS_SYN_RECEIVED:
741	if ((flags & (TH_FIN\|TH_ACK)) == TH_ACK) {
742	state[dir] = TCPS_ESTABLISHED;
743	current_active_connections++;
744	*age = fr_tcpidletimeout;
745	}
746	break;
747	case TCPS_SYN_SENT:
748	if ((flags & (TH_FIN\|TH_ACK)) == TH_ACK) {
749	state[dir] = TCPS_ESTABLISHED;
750	current_active_connections++;
751	*age = fr_tcpidletimeout;
752	}
753	break;
754	case TCPS_ESTABLISHED:
755	if (flags & TH_FIN) {
756	state[dir] = TCPS_CLOSE_WAIT;
757	if (!(flags & TH_PUSH) && !dlen &&
758	ostate > TCPS_ESTABLISHED)
759	*age = fr_tcplastack;
760	else
761	*age = fr_tcpclosewait;
762	} else
763	*age = fr_tcpidletimeout;
764	break;
765	case TCPS_CLOSE_WAIT:
766	if ((flags & TH_FIN) && !(flags & TH_PUSH) && !dlen &&
767	ostate > TCPS_ESTABLISHED) {
768	*age = fr_tcplastack;
769	state[dir] = TCPS_LAST_ACK;
770	} else
771	*age = fr_tcpclosewait;
772	break;
773	case TCPS_LAST_ACK:
774	if (flags & TH_ACK) {
775	state[dir] = TCPS_FIN_WAIT_2;
776	if (!(flags & TH_PUSH) && !dlen &&
777	ostate > TCPS_ESTABLISHED)
778	*age = fr_tcplastack;
779	else {
780	*age = fr_tcpclosewait;
781	state[dir] = TCPS_CLOSE_WAIT;
782	}
783	}
784	break;
785	}
786	}
787
788
789	#if IPFILTER_LOG
790	void ipstate_log(is, type)
791	struct ipstate *is;
792	u_short type;
793	{
794	struct ipslog ipsl;
795	void *items[1];
796	size_t sizes[1];
797	int types[1];
798
799	ipsl.isl_pkts = is->is_pkts;
800	ipsl.isl_bytes = is->is_bytes;
801	ipsl.isl_src = is->is_src;
802	ipsl.isl_dst = is->is_dst;
803	ipsl.isl_p = is->is_p;
804	ipsl.isl_flags = is->is_flags;
805	ipsl.isl_type = type;
806	if (ipsl.isl_p == IPPROTO_TCP \|\| ipsl.isl_p == IPPROTO_UDP) {
807	ipsl.isl_sport = is->is_sport;
808	ipsl.isl_dport = is->is_dport;
809	} else if (ipsl.isl_p == IPPROTO_ICMP)
810	ipsl.isl_itype = is->is_icmp.ics_type;
811	else {
812	ipsl.isl_ps.isl_filler[0] = 0;
813	ipsl.isl_ps.isl_filler[1] = 0;
814	}
815	items[0] = &ipsl;
816	sizes[0] = sizeof(ipsl);
817	types[0] = 0;
818
819	(void) ipllog(IPL_LOGSTATE, 0, items, sizes, types, 1);
820	}
821	#endif