Actual firewall change.

1) Firewall is not subdivided on forwarding / blocking chains
   anymore.Actually only one chain left-it was the blocking one.
2) LKM support.ip_fwdef.c is function pointers definition and
goes into kernel along with all INET stuff.

sys/netinet/ip_fw.c

@@ -42,16 +42,6 @@
 
 #include <netinet/ip_fw.h>
 
-#ifdef IPFIREWALL
-struct ip_fw *ip_fw_fwd_chain;
-struct ip_fw *ip_fw_blk_chain;
-u_short ip_fw_policy=0;
-#endif
-#ifdef IPACCT
-struct ip_fw *ip_acct_chain;
-#endif
-
-
 #ifdef IPFIREWALL_DEBUG 
 #define dprintf1(a)		printf(a)
 #define dprintf2(a1,a2)		printf(a1,a2)
@@ -76,20 +66,6 @@ struct ip_fw *ip_acct_chain;
 #define dprint_ip(a)	
 #endif
 
-/*
-inline
-void
-print_ip(xaddr)
-struct in_addr xaddr;
-{
-    u_long addr = ntohl(xaddr.s_addr);
-    printf("%d.%d.%d.%d",(addr>>24) & 0xff,
-                         (addr>>16)&0xff,
-                         (addr>>8)&0xff,
-                         addr&0xFF);
-}                  
-*/
-
 
 /*
  * Returns 1 if the port is matched by the vector, 0 otherwise
@@ -931,8 +907,7 @@ struct mbuf *m;
 {
 if ( stage == IP_FW_FLUSH )
        {
-	free_fw_chain(&ip_fw_blk_chain);
-	free_fw_chain(&ip_fw_fwd_chain);
+	free_fw_chain(&ip_fw_chain);
 	return(0);
        }  
 
@@ -954,40 +929,29 @@ if ( stage == IP_FW_POLICY )
 
 /*
  * Here we really working hard-adding new elements
- * to blocking/forwarding chains or deleting'em
+ * to firewall chain or deleting'em
  */
 
-if ( stage == IP_FW_ADD_BLK
-  || stage == IP_FW_ADD_FWD
-  || stage == IP_FW_DEL_BLK
-  || stage == IP_FW_DEL_FWD
-   ) {
+if ( stage == IP_FW_ADD || 
+     stage == IP_FW_DEL ) {
 
 	    struct ip_fw *frwl;
  
-		frwl=check_ipfw_struct(m);
-		if (frwl==NULL)
-			return (EINVAL);
-#ifdef nenado
 	    if (!(frwl=check_ipfw_struct(m)))
 			return (EINVAL);
-#endif
 
 	    switch (stage) {
-	    case IP_FW_ADD_BLK:
-		return(add_entry(&ip_fw_blk_chain,frwl));
-	    case IP_FW_ADD_FWD:
-		return(add_entry(&ip_fw_fwd_chain,frwl));
-	    case IP_FW_DEL_BLK:
-		return(del_entry(&ip_fw_blk_chain,frwl));
-	    case IP_FW_DEL_FWD: 
-		return(del_entry(&ip_fw_fwd_chain,frwl));
+	    case IP_FW_ADD:
+		return(add_entry(&ip_fw_chain,frwl));
+	    case IP_FW_DEL:
+		return(del_entry(&ip_fw_chain,frwl));
 	    default:
-		/*
- 		 * Should be panic but...
-		 */
+#ifdef DIAGNOSTICS
+		panic("Can't happen");
+#else
 		dprintf2("ip_fw_ctl:  unknown request %d\n",stage);
 		return(EINVAL);
+#endif
 	    }
 } 
 

sys/netinet/ip_fw.h

@@ -69,10 +69,8 @@ struct ip_fw {
  */     
 #define IP_FW_BASE_CTL	53
 
-#define IP_FW_ADD_BLK (IP_FW_BASE_CTL)
-#define IP_FW_ADD_FWD (IP_FW_BASE_CTL+1)   
-#define IP_FW_DEL_BLK (IP_FW_BASE_CTL+4)
-#define IP_FW_DEL_FWD (IP_FW_BASE_CTL+5)
+#define IP_FW_ADD     (IP_FW_BASE_CTL)
+#define IP_FW_DEL     (IP_FW_BASE_CTL+4)
 #define IP_FW_FLUSH   (IP_FW_BASE_CTL+6)
 #define IP_FW_POLICY  (IP_FW_BASE_CTL+7) 
 
@@ -94,14 +92,33 @@ struct ip_fw {
  * Main firewall chains definitions and global var's definitions.
  */
 #ifdef KERNEL
-#ifdef IPFIREWALL
-extern struct ip_fw *ip_fw_blk_chain;
-extern struct ip_fw *ip_fw_fwd_chain;
+
+/*
+ * Variables/chain.
+ */
+extern struct  ip_fw *ip_fw_chain;
 extern u_short ip_fw_policy;
-#endif
-#ifdef IPACCT
-extern struct ip_fw *ip_acct_chain;
-#endif
+
+extern struct  ip_fw *ip_acct_chain;
+
+/*
+ * Function pointers.
+ */
+extern int (*ip_fw_chk_ptr)(struct ip *,struct ifnet *,struct ip_fw *);
+extern int (*ip_fw_ctl_ptr)(int,struct mbuf *);
+
+extern void (*ip_acct_cnt_ptr)(struct ip *,struct ifnet *,struct ip_fw *,int);
+extern int  (*ip_acct_ctl_ptr)(int,struct mbuf *);
+
+/*
+ * Function definitions.
+ */
+int ip_fw_chk(struct ip *,struct ifnet *,struct ip_fw *);
+int ip_fw_ctl(int,struct mbuf *);
+
+void ip_acct_cnt(struct ip *,struct ifnet *,struct ip_fw *,int);
+int  ip_acct_ctl(int,struct mbuf *);
+
 #endif /* KERNEL */
 
 #endif /* _IP_FW_H */

sys/netinet/ip_fwdef.c

@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1993 Daniel Boulet
+ * Copyright (c) 1994 Ugen J.S.Antsilevich
+ *
+ * Redistribution and use in source forms, with and without modification,
+ * are permitted provided that this entire comment appears intact.
+ *
+ * Redistribution in binary form may occur without any restrictions.
+ * Obviously, it would be nice if you gave credit where credit is due
+ * but requiring it would be too onerous.
+ *
+ * This software is provided ``AS IS'' without any warranties of any kind.
+ */
+
+/*
+ * Dumb definitions which needed when 
+ * firewall/accounting module is not loaded.
+ */
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/domain.h>
+#include <sys/socket.h>
+#include <sys/errno.h>
+#include <sys/time.h> 
+#include <sys/kernel.h>
+
+#include <net/if.h>
+#include <net/route.h>
+
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+
+#include <netinet/ip_fw.h>
+
+struct  ip_fw *ip_fw_chain=NULL;
+u_short ip_fw_policy=0;
+
+struct  ip_fw *ip_acct_chain=NULL;
+
+int (*ip_fw_chk_ptr)(struct ip *,struct ifnet *,struct ip_fw *)=NULL;
+int (*ip_fw_ctl_ptr)(int,struct mbuf *)=NULL;
+
+void (*ip_acct_cnt_ptr)(struct ip *,struct ifnet *,struct ip_fw *,int)=NULL;
+int  (*ip_acct_ctl_ptr)(int,struct mbuf *)=NULL;

sys/netinet/ip_input.c

@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.13 1994/12/13 23:08:11 wollman Exp $
+ * $Id: ip_input.c,v 1.14 1994/12/14 19:06:37 wollman Exp $
  */
 
 #include <sys/param.h>
@@ -56,12 +56,7 @@
 #include <netinet/ip_var.h>
 #include <netinet/ip_icmp.h>
 
-#ifdef IPFIREWALL
 #include <netinet/ip_fw.h>
-#endif
-#ifdef IPACCT
-#include <netinet/ip_fw.h>
-#endif
 
 #include <sys/socketvar.h>
 struct socket *ip_rsvpd;
@@ -237,13 +232,21 @@ ipintr()
 		} else
 			m_adj(m, ip->ip_len - m->m_pkthdr.len);
 	}
+	/*
+	 * IpHack's section.
+	 * Right now when no processing on packet has done
+	 * and it is still fresh out of network we do our black
+	 * deals with it.
+	 * - Firewall: deny/allow
+	 * - Wrap: fake packet's addr/port <unimpl.>
+	 * - Encapsulate: put it in another IP and send out. <unimp.>
+ 	 */
 
-#ifdef IPFIREWALL
-        if ( ((char *)&(ip->ip_dst.s_addr))[0] != 127
-        && !ip_fw_chk(ip,m->m_pkthdr.rcvif,ip_fw_blk_chain) ) {
-                goto bad;
-        }
-#endif                            
+        if (ip_fw_chk_ptr!=NULL)
+		if (((char *)&(ip->ip_dst.s_addr))[0] != 127
+        	&& !(*ip_fw_chk_ptr)(ip,m->m_pkthdr.rcvif,ip_fw_chain) ) {
+                	goto bad;
+        	}
 
 	/*
 	 * Process options and, if not destined for us,
@@ -356,7 +359,6 @@ ipintr()
 
 ours:
 
-#ifdef IPACCT
 		/*
 		 * If packet came to us we count it...
 		 * This way we count all incoming packets which has 
@@ -364,8 +366,8 @@ ipintr()
 		 * Do not convert ip_len to host byte order when 
 		 * counting,ppl already made it for us before..
 		 */
-		ip_acct_cnt(ip,m->m_pkthdr.rcvif,ip_acct_chain,0);
-#endif
+	if (ip_acct_cnt_ptr!=NULL)
+		(*ip_acct_cnt_ptr)(ip,m->m_pkthdr.rcvif,ip_acct_chain,0);
 
 	/*
 	 * If offset or IP_MF are set, must reassemble.
@@ -1049,14 +1051,6 @@ ip_forward(m, srcrt)
 			ip->ip_src.s_addr, ip->ip_dst.s_addr, ip->ip_ttl);
 #endif
 
-#ifdef IPFIREWALL
-	if ( ((char *)&(ip->ip_dst.s_addr))[0] != 127
-	    && !ip_fw_chk(ip, m->m_pkthdr.rcvif, ip_fw_fwd_chain) ) {
-		ipstat.ips_cantforward++;
-		m_freem(m);
-		return;
-	} 
-#endif   
 
 	if (m->m_flags & M_BCAST || in_canforward(ip->ip_dst) == 0) {
 		ipstat.ips_cantforward++;

sys/netinet/ip_output.c

@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ip_output.c	8.3 (Berkeley) 1/21/94
- * $Id: ip_output.c,v 1.10 1994/12/12 17:20:54 ugen Exp $
+ * $Id: ip_output.c,v 1.11 1994/12/13 23:08:12 wollman Exp $
  */
 
 #include <sys/param.h>
@@ -53,12 +53,7 @@
 #include <netinet/in_var.h>
 #include <netinet/ip_var.h>
 
-#ifdef IPFIREWALL
 #include <netinet/ip_fw.h>
-#endif
-#ifdef IPACCT
-#include <netinet/ip_fw.h>
-#endif
 
 #ifdef vax
 #include <machine/mtpr.h>
@@ -417,7 +412,6 @@ ip_output(m0, opt, ro, flags, imo)
 done:
 	if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt)
 		RTFREE(ro->ro_rt);
-#ifdef IPACCT
 	/*
 	 * Count outgoing packet,here we count both our packets and
 	 * those we forward.
@@ -426,8 +420,9 @@ ip_output(m0, opt, ro, flags, imo)
 	 * This is locally generated packet so it has not
 	 * incoming interface.
 	 */
-	ip_acct_cnt(ip,NULL,ip_acct_chain,1);
-#endif
+	if (ip_acct_cnt_ptr!=NULL)
+		(*ip_acct_cnt_ptr)(ip,NULL,ip_acct_chain,1);
+
 	return (error);
 bad:
 	m_freem(m0);

sys/netinet/raw_ip.c

@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)raw_ip.c	8.2 (Berkeley) 1/4/94
- * $Id: raw_ip.c,v 1.10 1994/12/13 15:57:34 ugen Exp $
+ * $Id: raw_ip.c,v 1.11 1995/01/12 10:53:25 davidg Exp $
  */
 
 #include <sys/param.h>
@@ -53,12 +53,7 @@
 #include <netinet/ip_mroute.h>
 #include <netinet/in_pcb.h>
 
-#ifdef IPFIREWALL
 #include <netinet/ip_fw.h>
-#endif
-#ifdef IPACCT
-#include <netinet/ip_fw.h>
-#endif
 
 struct inpcb rawinpcb;
 
@@ -214,39 +209,44 @@ rip_ctloutput(op, so, level, optname, m)
 		}
 		break;
 
-#ifdef IPFIREWALL
-	case IP_FW_ADD_BLK:
-	case IP_FW_ADD_FWD:
-	case IP_FW_DEL_BLK:
-	case IP_FW_DEL_FWD:
+	case IP_FW_ADD:
+	case IP_FW_DEL:
 	case IP_FW_FLUSH:
 	case IP_FW_POLICY:
+		if (ip_fw_ctl_ptr==NULL) {
+			if (*m)
+				(void)m_free(*m);
+			return(EINVAL);
+		}
 
 		if (op == PRCO_SETOPT) {
-			error=ip_fw_ctl(optname, *m); 
+			error=(*ip_fw_ctl_ptr)(optname, *m); 
 			if (*m)
 				(void)m_free(*m);
 		}
 		else
 			error=EINVAL;
 		return(error);
-#endif
-#ifdef IPACCT
+
 	case IP_ACCT_DEL:
 	case IP_ACCT_ADD:
 	case IP_ACCT_CLR:
 	case IP_ACCT_FLUSH:
 	case IP_ACCT_ZERO: 
+		if (ip_acct_ctl_ptr==NULL) {
+			if (*m)
+				(void)m_free(*m);
+			return(EINVAL);
+		}
 	
 		if (op = PRCO_SETOPT) {
-			error=ip_acct_ctl(optname, *m);
+			error=(*ip_acct_ctl_ptr)(optname, *m);
 			if (*m)
 				(void)m_free(*m);
 		}
 		else
 			error=EINVAL;
 		return(error);
-#endif
 
 	case IP_RSVP_ON:
 		error = ip_rsvp_init(so);