1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright (c) 2004 Andre Oppermann, Internet Business Solutions AG
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
31
32 #include "opt_ipfw.h"
33 #include "opt_inet.h"
34 #include "opt_inet6.h"
35 #ifndef INET
36 #error IPFIREWALL requires INET.
37 #endif /* INET */
38
39 #include <sys/param.h>
40 #include <sys/systm.h>
41 #include <sys/malloc.h>
42 #include <sys/mbuf.h>
43 #include <sys/module.h>
44 #include <sys/kernel.h>
45 #include <sys/lock.h>
46 #include <sys/rwlock.h>
47 #include <sys/socket.h>
48 #include <sys/sysctl.h>
49
50 #include <net/if.h>
51 #include <net/if_var.h>
52 #include <net/route.h>
53 #include <net/ethernet.h>
54 #include <net/pfil.h>
55 #include <net/vnet.h>
56
57 #include <netinet/in.h>
58 #include <netinet/in_systm.h>
59 #include <netinet/ip.h>
60 #include <netinet/ip_var.h>
61 #include <netinet/ip_fw.h>
62 #ifdef INET6
63 #include <netinet/ip6.h>
64 #include <netinet6/ip6_var.h>
65 #include <netinet6/scope6_var.h>
66 #endif
67
68 #include <netgraph/ng_ipfw.h>
69
70 #include <netpfil/ipfw/ip_fw_private.h>
71
72 #include <machine/in_cksum.h>
73
74 VNET_DEFINE_STATIC(int, fw_enable) = 1;
75 #define V_fw_enable VNET(fw_enable)
76
77 #ifdef INET6
78 VNET_DEFINE_STATIC(int, fw6_enable) = 1;
79 #define V_fw6_enable VNET(fw6_enable)
80 #endif
81
82 VNET_DEFINE_STATIC(int, fwlink_enable) = 0;
83 #define V_fwlink_enable VNET(fwlink_enable)
84
85 int ipfw_chg_hook(SYSCTL_HANDLER_ARGS);
86
87 /* Forward declarations. */
88 static int ipfw_divert(struct mbuf **, struct ip_fw_args *, bool);
89
90 #ifdef SYSCTL_NODE
91
92 SYSBEGIN(f1)
93
94 SYSCTL_DECL(_net_inet_ip_fw);
95 SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable,
96 CTLFLAG_VNET | CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3 |
97 CTLFLAG_NEEDGIANT, &VNET_NAME(fw_enable), 0, ipfw_chg_hook, "I",
98 "Enable ipfw");
99 #ifdef INET6
100 SYSCTL_DECL(_net_inet6_ip6_fw);
101 SYSCTL_PROC(_net_inet6_ip6_fw, OID_AUTO, enable,
102 CTLFLAG_VNET | CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3 |
103 CTLFLAG_NEEDGIANT, &VNET_NAME(fw6_enable), 0, ipfw_chg_hook, "I",
104 "Enable ipfw+6");
105 #endif /* INET6 */
106
107 SYSCTL_DECL(_net_link_ether);
108 SYSCTL_PROC(_net_link_ether, OID_AUTO, ipfw,
109 CTLFLAG_VNET | CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3 |
110 CTLFLAG_NEEDGIANT, &VNET_NAME(fwlink_enable), 0, ipfw_chg_hook, "I",
111 "Pass ether pkts through firewall");
112
113 SYSEND
114
115 #endif /* SYSCTL_NODE */
116
117 /*
118 * The pfilter hook to pass packets to ipfw_chk and then to
119 * dummynet, divert, netgraph or other modules.
120 * The packet may be consumed.
121 */
122 static pfil_return_t
123 ipfw_check_packet(struct mbuf **m0, struct ifnet *ifp, int flags,
124 void *ruleset __unused, struct inpcb *inp)
125 {
126 struct ip_fw_args args;
127 struct m_tag *tag;
128 pfil_return_t ret;
129 int ipfw;
130
131 args.flags = (flags & PFIL_IN) ? IPFW_ARGS_IN : IPFW_ARGS_OUT;
132 again:
133 /*
134 * extract and remove the tag if present. If we are left
135 * with onepass, optimize the outgoing path.
136 */
137 tag = m_tag_locate(*m0, MTAG_IPFW_RULE, 0, NULL);
138 if (tag != NULL) {
139 args.rule = *((struct ipfw_rule_ref *)(tag+1));
140 m_tag_delete(*m0, tag);
141 if (args.rule.info & IPFW_ONEPASS)
142 return (PFIL_PASS);
143 args.flags |= IPFW_ARGS_REF;
144 }
145
146 args.m = *m0;
147 args.ifp = ifp;
148 args.inp = inp;
149
150 ipfw = ipfw_chk(&args);
151 *m0 = args.m;
152
153 KASSERT(*m0 != NULL || ipfw == IP_FW_DENY ||
154 ipfw == IP_FW_NAT64, ("%s: m0 is NULL", __func__));
155
156 ret = PFIL_PASS;
157 switch (ipfw) {
158 case IP_FW_PASS:
159 /* next_hop may be set by ipfw_chk */
160 if ((args.flags & (IPFW_ARGS_NH4 | IPFW_ARGS_NH4PTR |
161 IPFW_ARGS_NH6 | IPFW_ARGS_NH6PTR)) == 0)
162 break;
163 #if (!defined(INET6) && !defined(INET))
164 ret = PFIL_DROPPED;
165 #else
166 {
167 void *psa;
168 size_t len;
169 #ifdef INET
170 if (args.flags & (IPFW_ARGS_NH4 | IPFW_ARGS_NH4PTR)) {
171 MPASS((args.flags & (IPFW_ARGS_NH4 |
172 IPFW_ARGS_NH4PTR)) != (IPFW_ARGS_NH4 |
173 IPFW_ARGS_NH4PTR));
174 MPASS((args.flags & (IPFW_ARGS_NH6 |
175 IPFW_ARGS_NH6PTR)) == 0);
176 len = sizeof(struct sockaddr_in);
177 psa = (args.flags & IPFW_ARGS_NH4) ?
178 &args.hopstore : args.next_hop;
179 if (in_localip(satosin(psa)->sin_addr))
180 (*m0)->m_flags |= M_FASTFWD_OURS;
181 (*m0)->m_flags |= M_IP_NEXTHOP;
182 }
183 #endif /* INET */
184 #ifdef INET6
185 if (args.flags & (IPFW_ARGS_NH6 | IPFW_ARGS_NH6PTR)) {
186 MPASS((args.flags & (IPFW_ARGS_NH6 |
187 IPFW_ARGS_NH6PTR)) != (IPFW_ARGS_NH6 |
188 IPFW_ARGS_NH6PTR));
189 MPASS((args.flags & (IPFW_ARGS_NH4 |
190 IPFW_ARGS_NH4PTR)) == 0);
191 len = sizeof(struct sockaddr_in6);
192 psa = args.next_hop6;
193 (*m0)->m_flags |= M_IP6_NEXTHOP;
194 }
195 #endif /* INET6 */
196 /*
197 * Incoming packets should not be tagged so we do not
198 * m_tag_find. Outgoing packets may be tagged, so we
199 * reuse the tag if present.
200 */
201 tag = (flags & PFIL_IN) ? NULL :
202 m_tag_find(*m0, PACKET_TAG_IPFORWARD, NULL);
203 if (tag != NULL) {
204 m_tag_unlink(*m0, tag);
205 } else {
206 tag = m_tag_get(PACKET_TAG_IPFORWARD, len,
207 M_NOWAIT);
208 if (tag == NULL) {
209 ret = PFIL_DROPPED;
210 break;
211 }
212 }
213 if ((args.flags & IPFW_ARGS_NH6) == 0)
214 bcopy(psa, tag + 1, len);
215 m_tag_prepend(*m0, tag);
216 ret = PFIL_PASS;
217 #ifdef INET6
218 /* IPv6 next hop needs additional handling */
219 if (args.flags & (IPFW_ARGS_NH6 | IPFW_ARGS_NH6PTR)) {
220 struct sockaddr_in6 *sa6;
221
222 sa6 = satosin6(tag + 1);
223 if (args.flags & IPFW_ARGS_NH6) {
224 sa6->sin6_family = AF_INET6;
225 sa6->sin6_len = sizeof(*sa6);
226 sa6->sin6_addr = args.hopstore6.sin6_addr;
227 sa6->sin6_port = args.hopstore6.sin6_port;
228 sa6->sin6_scope_id =
229 args.hopstore6.sin6_scope_id;
230 }
231 /*
232 * If nh6 address is link-local we should convert
233 * it to kernel internal form before doing any
234 * comparisons.
235 */
236 if (sa6_embedscope(sa6, V_ip6_use_defzone) != 0) {
237 ret = PFIL_DROPPED;
238 break;
239 }
240 if (in6_localip(&sa6->sin6_addr))
241 (*m0)->m_flags |= M_FASTFWD_OURS;
242 }
243 #endif /* INET6 */
244 }
245 #endif /* INET || INET6 */
246 break;
247
248 case IP_FW_DENY:
249 ret = PFIL_DROPPED;
250 break;
251
252 case IP_FW_DUMMYNET:
253 if (ip_dn_io_ptr == NULL) {
254 ret = PFIL_DROPPED;
255 break;
256 }
257 MPASS(args.flags & IPFW_ARGS_REF);
258 if (args.flags & (IPFW_ARGS_IP4 | IPFW_ARGS_IP6))
259 (void )ip_dn_io_ptr(m0, &args);
260 else {
261 ret = PFIL_DROPPED;
262 break;
263 }
264 /*
265 * XXX should read the return value.
266 * dummynet normally eats the packet and sets *m0=NULL
267 * unless the packet can be sent immediately. In this
268 * case args is updated and we should re-run the
269 * check without clearing args.
270 */
271 if (*m0 != NULL)
272 goto again;
273 ret = PFIL_CONSUMED;
274 break;
275
276 case IP_FW_TEE:
277 case IP_FW_DIVERT:
278 if (ip_divert_ptr == NULL) {
279 ret = PFIL_DROPPED;
280 break;
281 }
282 MPASS(args.flags & IPFW_ARGS_REF);
283 (void )ipfw_divert(m0, &args, ipfw == IP_FW_TEE);
284 /* continue processing for the original packet (tee). */
285 if (*m0)
286 goto again;
287 ret = PFIL_CONSUMED;
288 break;
289
290 case IP_FW_NGTEE:
291 case IP_FW_NETGRAPH:
292 if (ng_ipfw_input_p == NULL) {
293 ret = PFIL_DROPPED;
294 break;
295 }
296 MPASS(args.flags & IPFW_ARGS_REF);
297 (void )ng_ipfw_input_p(m0, &args, ipfw == IP_FW_NGTEE);
298 if (ipfw == IP_FW_NGTEE) /* ignore errors for NGTEE */
299 goto again; /* continue with packet */
300 ret = PFIL_CONSUMED;
301 break;
302
303 case IP_FW_NAT:
304 /* honor one-pass in case of successful nat */
305 if (V_fw_one_pass)
306 break;
307 goto again;
308
309 case IP_FW_REASS:
310 goto again; /* continue with packet */
311
312 case IP_FW_NAT64:
313 ret = PFIL_CONSUMED;
314 break;
315
316 default:
317 KASSERT(0, ("%s: unknown retval", __func__));
318 }
319
320 if (ret != PFIL_PASS) {
321 if (*m0)
322 FREE_PKT(*m0);
323 *m0 = NULL;
324 }
325
326 return (ret);
327 }
328
329 /*
330 * ipfw processing for ethernet packets (in and out).
331 */
332 static pfil_return_t
333 ipfw_check_frame(pfil_packet_t p, struct ifnet *ifp, int flags,
334 void *ruleset __unused, struct inpcb *inp)
335 {
336 struct ip_fw_args args;
337 pfil_return_t ret;
338 bool mem, realloc;
339 int ipfw;
340
341 if (flags & PFIL_MEMPTR) {
342 mem = true;
343 realloc = false;
344 args.flags = PFIL_LENGTH(flags) | IPFW_ARGS_ETHER;
345 args.mem = p.mem;
346 } else {
347 mem = realloc = false;
348 args.flags = IPFW_ARGS_ETHER;
349 }
350 args.flags |= (flags & PFIL_IN) ? IPFW_ARGS_IN : IPFW_ARGS_OUT;
351 args.ifp = ifp;
352 args.inp = inp;
353
354 again:
355 if (!mem) {
356 /*
357 * Fetch start point from rule, if any.
358 * Remove the tag if present.
359 */
360 struct m_tag *mtag;
361
362 mtag = m_tag_locate(*p.m, MTAG_IPFW_RULE, 0, NULL);
363 if (mtag != NULL) {
364 args.rule = *((struct ipfw_rule_ref *)(mtag+1));
365 m_tag_delete(*p.m, mtag);
366 if (args.rule.info & IPFW_ONEPASS)
367 return (PFIL_PASS);
368 args.flags |= IPFW_ARGS_REF;
369 }
370 args.m = *p.m;
371 }
372
373 ipfw = ipfw_chk(&args);
374 if (!mem)
375 *p.m = args.m;
376
377 ret = PFIL_PASS;
378 switch (ipfw) {
379 case IP_FW_PASS:
380 break;
381
382 case IP_FW_DENY:
383 ret = PFIL_DROPPED;
384 break;
385
386 case IP_FW_DUMMYNET:
387 if (ip_dn_io_ptr == NULL) {
388 ret = PFIL_DROPPED;
389 break;
390 }
391 if (mem) {
392 if (pfil_realloc(&p, flags, ifp) != 0) {
393 ret = PFIL_DROPPED;
394 break;
395 }
396 mem = false;
397 realloc = true;
398 }
399 MPASS(args.flags & IPFW_ARGS_REF);
400 ip_dn_io_ptr(p.m, &args);
401 return (PFIL_CONSUMED);
402
403 case IP_FW_NGTEE:
404 case IP_FW_NETGRAPH:
405 if (ng_ipfw_input_p == NULL) {
406 ret = PFIL_DROPPED;
407 break;
408 }
409 if (mem) {
410 if (pfil_realloc(&p, flags, ifp) != 0) {
411 ret = PFIL_DROPPED;
412 break;
413 }
414 mem = false;
415 realloc = true;
416 }
417 MPASS(args.flags & IPFW_ARGS_REF);
418 (void )ng_ipfw_input_p(p.m, &args, ipfw == IP_FW_NGTEE);
419 if (ipfw == IP_FW_NGTEE) /* ignore errors for NGTEE */
420 goto again; /* continue with packet */
421 ret = PFIL_CONSUMED;
422 break;
423
424 default:
425 KASSERT(0, ("%s: unknown retval", __func__));
426 }
427
428 if (!mem && ret != PFIL_PASS) {
429 if (*p.m)
430 FREE_PKT(*p.m);
431 *p.m = NULL;
432 }
433
434 if (realloc && ret == PFIL_PASS)
435 ret = PFIL_REALLOCED;
436
437 return (ret);
438 }
439
440 /* do the divert, return 1 on error 0 on success */
441 static int
442 ipfw_divert(struct mbuf **m0, struct ip_fw_args *args, bool tee)
443 {
444 /*
445 * ipfw_chk() has already tagged the packet with the divert tag.
446 * If tee is set, copy packet and return original.
447 * If not tee, consume packet and send it to divert socket.
448 */
449 struct mbuf *clone;
450 struct ip *ip = mtod(*m0, struct ip *);
451 struct m_tag *tag;
452
453 /* Cloning needed for tee? */
454 if (tee == false) {
455 clone = *m0; /* use the original mbuf */
456 *m0 = NULL;
457 } else {
458 clone = m_dup(*m0, M_NOWAIT);
459 /* If we cannot duplicate the mbuf, we sacrifice the divert
460 * chain and continue with the tee-ed packet.
461 */
462 if (clone == NULL)
463 return 1;
464 }
465
466 /*
467 * Divert listeners can normally handle non-fragmented packets,
468 * but we can only reass in the non-tee case.
469 * This means that listeners on a tee rule may get fragments,
470 * and have to live with that.
471 * Note that we now have the 'reass' ipfw option so if we care
472 * we can do it before a 'tee'.
473 */
474 if (tee == false) switch (ip->ip_v) {
475 case IPVERSION:
476 if (ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) {
477 int hlen;
478 struct mbuf *reass;
479
480 reass = ip_reass(clone); /* Reassemble packet. */
481 if (reass == NULL)
482 return 0; /* not an error */
483 /* if reass = NULL then it was consumed by ip_reass */
484 /*
485 * IP header checksum fixup after reassembly and leave header
486 * in network byte order.
487 */
488 ip = mtod(reass, struct ip *);
489 hlen = ip->ip_hl << 2;
490 ip->ip_sum = 0;
491 if (hlen == sizeof(struct ip))
492 ip->ip_sum = in_cksum_hdr(ip);
493 else
494 ip->ip_sum = in_cksum(reass, hlen);
495 clone = reass;
496 }
497 break;
498 #ifdef INET6
499 case IPV6_VERSION >> 4:
500 {
501 struct ip6_hdr *const ip6 = mtod(clone, struct ip6_hdr *);
502
503 if (ip6->ip6_nxt == IPPROTO_FRAGMENT) {
504 int nxt, off;
505
506 off = sizeof(struct ip6_hdr);
507 nxt = frag6_input(&clone, &off, 0);
508 if (nxt == IPPROTO_DONE)
509 return (0);
510 }
511 break;
512 }
513 #endif
514 }
515
516 /* attach a tag to the packet with the reinject info */
517 tag = m_tag_alloc(MTAG_IPFW_RULE, 0,
518 sizeof(struct ipfw_rule_ref), M_NOWAIT);
519 if (tag == NULL) {
520 FREE_PKT(clone);
521 return 1;
522 }
523 *((struct ipfw_rule_ref *)(tag+1)) = args->rule;
524 m_tag_prepend(clone, tag);
525
526 /* Do the dirty job... */
527 ip_divert_ptr(clone, args->flags & IPFW_ARGS_IN);
528 return 0;
529 }
530
531 /*
532 * attach or detach hooks for a given protocol family
533 */
534 VNET_DEFINE_STATIC(pfil_hook_t, ipfw_inet_hook);
535 #define V_ipfw_inet_hook VNET(ipfw_inet_hook)
536 #ifdef INET6
537 VNET_DEFINE_STATIC(pfil_hook_t, ipfw_inet6_hook);
538 #define V_ipfw_inet6_hook VNET(ipfw_inet6_hook)
539 #endif
540 VNET_DEFINE_STATIC(pfil_hook_t, ipfw_link_hook);
541 #define V_ipfw_link_hook VNET(ipfw_link_hook)
542
543 static void
544 ipfw_hook(int pf)
545 {
546 struct pfil_hook_args pha;
547 pfil_hook_t *h;
548
549 pha.pa_version = PFIL_VERSION;
550 pha.pa_flags = PFIL_IN | PFIL_OUT;
551 pha.pa_modname = "ipfw";
552 pha.pa_ruleset = NULL;
553
554 switch (pf) {
555 case AF_INET:
556 pha.pa_func = ipfw_check_packet;
557 pha.pa_type = PFIL_TYPE_IP4;
558 pha.pa_rulname = "default";
559 h = &V_ipfw_inet_hook;
560 break;
561 #ifdef INET6
562 case AF_INET6:
563 pha.pa_func = ipfw_check_packet;
564 pha.pa_type = PFIL_TYPE_IP6;
565 pha.pa_rulname = "default6";
566 h = &V_ipfw_inet6_hook;
567 break;
568 #endif
569 case AF_LINK:
570 pha.pa_func = ipfw_check_frame;
571 pha.pa_type = PFIL_TYPE_ETHERNET;
572 pha.pa_rulname = "default-link";
573 pha.pa_flags |= PFIL_MEMPTR;
574 h = &V_ipfw_link_hook;
575 break;
576 }
577
578 *h = pfil_add_hook(&pha);
579 }
580
581 static void
582 ipfw_unhook(int pf)
583 {
584
585 switch (pf) {
586 case AF_INET:
587 pfil_remove_hook(V_ipfw_inet_hook);
588 break;
589 #ifdef INET6
590 case AF_INET6:
591 pfil_remove_hook(V_ipfw_inet6_hook);
592 break;
593 #endif
594 case AF_LINK:
595 pfil_remove_hook(V_ipfw_link_hook);
596 break;
597 }
598 }
599
600 static int
601 ipfw_link(int pf, bool unlink)
602 {
603 struct pfil_link_args pla;
604
605 pla.pa_version = PFIL_VERSION;
606 pla.pa_flags = PFIL_IN | PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
607 if (unlink)
608 pla.pa_flags |= PFIL_UNLINK;
609
610 switch (pf) {
611 case AF_INET:
612 pla.pa_head = V_inet_pfil_head;
613 pla.pa_hook = V_ipfw_inet_hook;
614 break;
615 #ifdef INET6
616 case AF_INET6:
617 pla.pa_head = V_inet6_pfil_head;
618 pla.pa_hook = V_ipfw_inet6_hook;
619 break;
620 #endif
621 case AF_LINK:
622 pla.pa_head = V_link_pfil_head;
623 pla.pa_hook = V_ipfw_link_hook;
624 break;
625 }
626
627 return (pfil_link(&pla));
628 }
629
630 int
631 ipfw_attach_hooks(void)
632 {
633 int error = 0;
634
635 ipfw_hook(AF_INET);
636 TUNABLE_INT_FETCH("net.inet.ip.fw.enable", &V_fw_enable);
637 if (V_fw_enable && (error = ipfw_link(AF_INET, false)) != 0)
638 printf("ipfw_hook() error\n");
639 #ifdef INET6
640 ipfw_hook(AF_INET6);
641 TUNABLE_INT_FETCH("net.inet6.ip6.fw.enable", &V_fw6_enable);
642 if (V_fw6_enable && (error = ipfw_link(AF_INET6, false)) != 0)
643 printf("ipfw6_hook() error\n");
644 #endif
645 ipfw_hook(AF_LINK);
646 TUNABLE_INT_FETCH("net.link.ether.ipfw", &V_fwlink_enable);
647 if (V_fwlink_enable && (error = ipfw_link(AF_LINK, false)) != 0)
648 printf("ipfw_link_hook() error\n");
649
650 return (error);
651 }
652
653 void
654 ipfw_detach_hooks(void)
655 {
656
657 ipfw_unhook(AF_INET);
658 #ifdef INET6
659 ipfw_unhook(AF_INET6);
660 #endif
661 ipfw_unhook(AF_LINK);
662 }
663
664 int
665 ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
666 {
667 int newval;
668 int error;
669 int af;
670
671 if (arg1 == &V_fw_enable)
672 af = AF_INET;
673 #ifdef INET6
674 else if (arg1 == &V_fw6_enable)
675 af = AF_INET6;
676 #endif
677 else if (arg1 == &V_fwlink_enable)
678 af = AF_LINK;
679 else
680 return (EINVAL);
681
682 newval = *(int *)arg1;
683 /* Handle sysctl change */
684 error = sysctl_handle_int(oidp, &newval, 0, req);
685
686 if (error)
687 return (error);
688
689 /* Formalize new value */
690 newval = (newval) ? 1 : 0;
691
692 if (*(int *)arg1 == newval)
693 return (0);
694
695 error = ipfw_link(af, newval == 0 ? true : false);
696 if (error)
697 return (error);
698 *(int *)arg1 = newval;
699
700 return (0);
701 }
702 /* end of file */
Cache object: 8e93903ec943721777eb35de7287d1b7
|