This source file includes following definitions.
- port_match
- ip_fw_chk
- masq_expire
- alloc_masq_entry
- revamp
- recalc_check
- ip_fw_masquerade
- ip_fw_demasquerade
- zero_fw_chain
- free_fw_chain
- add_to_chain
- del_from_chain
- check_ipfw_struct
- ip_acct_cnt
- ip_acct_ctl
- ip_fw_ctl
- ip_chain_procinfo
- ip_acct_procinfo
- ip_fw_blk_procinfo
- ip_fw_fwd_procinfo
- ip_msqhst_procinfo
- ip_fw_init
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65 #include <linux/config.h>
66 #include <asm/segment.h>
67 #include <asm/system.h>
68 #include <linux/types.h>
69 #include <linux/kernel.h>
70 #include <linux/sched.h>
71 #include <linux/string.h>
72 #include <linux/errno.h>
73 #include <linux/config.h>
74
75 #include <linux/socket.h>
76 #include <linux/sockios.h>
77 #include <linux/in.h>
78 #include <linux/inet.h>
79 #include <linux/netdevice.h>
80 #include <linux/icmp.h>
81 #include <linux/udp.h>
82 #include <net/ip.h>
83 #include <net/protocol.h>
84 #include <net/route.h>
85 #include <net/tcp.h>
86 #include <net/udp.h>
87 #include <linux/skbuff.h>
88 #include <net/sock.h>
89 #include <net/icmp.h>
90 #include <linux/ip_fw.h>
91 #include <net/checksum.h>
92 #include <linux/proc_fs.h>
93 #include <linux/stat.h>
94
95
96
97
98
99 #ifdef CONFIG_IPFIREWALL_DEBUG
100 #define dprintf1(a) printk(a)
101 #define dprintf2(a1,a2) printk(a1,a2)
102 #define dprintf3(a1,a2,a3) printk(a1,a2,a3)
103 #define dprintf4(a1,a2,a3,a4) printk(a1,a2,a3,a4)
104 #else
105 #define dprintf1(a)
106 #define dprintf2(a1,a2)
107 #define dprintf3(a1,a2,a3)
108 #define dprintf4(a1,a2,a3,a4)
109 #endif
110
111 #define print_ip(a) printk("%ld.%ld.%ld.%ld",(ntohl(a)>>24)&0xFF,\
112 (ntohl(a)>>16)&0xFF,\
113 (ntohl(a)>>8)&0xFF,\
114 (ntohl(a))&0xFF);
115
116 #ifdef IPFIREWALL_DEBUG
117 #define dprint_ip(a) print_ip(a)
118 #else
119 #define dprint_ip(a)
120 #endif
121
122 #ifdef CONFIG_IP_FIREWALL
123 struct ip_fw *ip_fw_fwd_chain;
124 struct ip_fw *ip_fw_blk_chain;
125 int ip_fw_blk_policy=IP_FW_F_ACCEPT;
126 int ip_fw_fwd_policy=IP_FW_F_ACCEPT;
127 #endif
128 #ifdef CONFIG_IP_ACCT
129 struct ip_fw *ip_acct_chain;
130 #endif
131
132 #define IP_INFO_BLK 0
133 #define IP_INFO_FWD 1
134 #define IP_INFO_ACCT 2
135
136 #ifdef CONFIG_IP_MASQUERADE
137
138
139
140
141 static unsigned short masq_port = PORT_MASQ_BEGIN;
142 static const char *strProt[] = {"UDP","TCP"};
143 struct ip_masq *ip_msq_hosts;
144
145 #endif
146
147
148
149
150
151 extern inline int port_match(unsigned short *portptr,int nports,unsigned short port,int range_flag)
152 {
153 if (!nports)
154 return 1;
155 if ( range_flag )
156 {
157 if ( portptr[0] <= port && port <= portptr[1] )
158 {
159 return( 1 );
160 }
161 nports -= 2;
162 portptr += 2;
163 }
164 while ( nports-- > 0 )
165 {
166 if ( *portptr++ == port )
167 {
168 return( 1 );
169 }
170 }
171 return(0);
172 }
173
174 #if defined(CONFIG_IP_ACCT) || defined(CONFIG_IP_FIREWALL)
175
176
177
178
179
180
181
182
183
184
185
186
187
188 int ip_fw_chk(struct iphdr *ip, struct device *rif, struct ip_fw *chain, int policy, int opt)
189 {
190 struct ip_fw *f;
191 struct tcphdr *tcp=(struct tcphdr *)((unsigned long *)ip+ip->ihl);
192 struct udphdr *udp=(struct udphdr *)((unsigned long *)ip+ip->ihl);
193 struct icmphdr *icmp=(struct icmphdr *)((unsigned long *)ip+ip->ihl);
194 __u32 src, dst;
195 __u16 src_port=0, dst_port=0, icmp_type=0;
196 unsigned short f_prt=0, prt;
197 char notcpsyn=1, notcpack=1, match;
198 unsigned short f_flag;
199 unsigned short offset;
200
201
202
203
204
205
206
207 src = ip->saddr;
208 dst = ip->daddr;
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224 offset = ntohs(ip->frag_off) & IP_OFFSET;
225
226
227
228
229
230
231
232
233 if (offset == 1 && ip->protocol == IPPROTO_TCP)
234 return FW_BLOCK;
235
236 if (offset!=0 && (opt != 1) && (ip->protocol == IPPROTO_TCP ||
237 ip->protocol == IPPROTO_UDP))
238 return FW_ACCEPT;
239
240
241
242
243
244 if(ip->protocol==IPPROTO_TCP && (ip->ihl<<2)+16 > ntohs(ip->tot_len))
245 return FW_BLOCK;
246
247
248
249
250
251 else if(ntohs(ip->tot_len)<8+(ip->ihl<<2))
252 return FW_BLOCK;
253
254 src = ip->saddr;
255 dst = ip->daddr;
256
257
258
259
260
261
262
263
264
265 dprintf1("Packet ");
266 switch(ip->protocol)
267 {
268 case IPPROTO_TCP:
269 dprintf1("TCP ");
270
271 if (!offset) {
272 src_port=ntohs(tcp->source);
273 dst_port=ntohs(tcp->dest);
274 if(tcp->ack)
275
276 notcpack=0;
277 if(tcp->syn && notcpack)
278
279 notcpsyn=0;
280 }
281 prt=IP_FW_F_TCP;
282 break;
283 case IPPROTO_UDP:
284 dprintf1("UDP ");
285
286 if (!offset) {
287 src_port=ntohs(udp->source);
288 dst_port=ntohs(udp->dest);
289 }
290 prt=IP_FW_F_UDP;
291 break;
292 case IPPROTO_ICMP:
293 icmp_type=(__u16)(icmp->type);
294 dprintf2("ICMP:%d ",icmp_type);
295 prt=IP_FW_F_ICMP;
296 break;
297 default:
298 dprintf2("p=%d ",ip->protocol);
299 prt=IP_FW_F_ALL;
300 break;
301 }
302 #ifdef CONFIG_IP_FIREWALL_DEBUG
303 dprint_ip(ip->saddr);
304
305 if (ip->protocol==IPPROTO_TCP || ip->protocol==IPPROTO_UDP)
306
307 dprintf2(":%d ", src_port);
308 dprint_ip(ip->daddr);
309 if (ip->protocol==IPPROTO_TCP || ip->protocol==IPPROTO_UDP)
310
311 dprintf2(":%d ",dst_port);
312 dprintf1("\n");
313 #endif
314
315 for (f=chain;f;f=f->fw_next)
316 {
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334 match = 0x00;
335
336 if ((src&f->fw_smsk.s_addr)==f->fw_src.s_addr
337 && (dst&f->fw_dmsk.s_addr)==f->fw_dst.s_addr)
338
339 match |= 0x01;
340
341 if ((f->fw_flg & IP_FW_F_BIDIR) &&
342 (dst&f->fw_smsk.s_addr)==f->fw_src.s_addr
343 && (src&f->fw_dmsk.s_addr)==f->fw_dst.s_addr)
344
345 match |= 0x02;
346
347 if (match)
348 {
349
350
351
352 if(f->fw_via.s_addr && rif)
353 {
354 if(rif->pa_addr!=f->fw_via.s_addr)
355 continue;
356 }
357
358
359
360 }
361 else
362 continue;
363
364
365
366
367
368 f_prt=f->fw_flg&IP_FW_F_KIND;
369 if (f_prt!=IP_FW_F_ALL)
370 {
371
372
373
374
375
376
377
378 if((f->fw_flg&IP_FW_F_TCPSYN) && notcpsyn)
379 continue;
380
381
382
383
384
385
386
387
388 if((f->fw_flg&IP_FW_F_TCPACK) && notcpack)
389 if(f->fw_flg&IP_FW_F_BIDIR) {
390 if(match & 0x02)
391 continue;
392 } else
393 continue;
394
395
396
397
398
399
400 if(prt!=f_prt)
401 continue;
402
403 if((prt==IP_FW_F_ICMP &&
404 ! port_match(&f->fw_pts[0], f->fw_nsp,
405 icmp_type,f->fw_flg&IP_FW_F_SRNG)) ||
406 !(prt==IP_FW_F_ICMP || ((match & 0x01) &&
407 port_match(&f->fw_pts[0], f->fw_nsp, src_port,
408 f->fw_flg&IP_FW_F_SRNG) &&
409 port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp, dst_port,
410 f->fw_flg&IP_FW_F_DRNG)) || ((match & 0x02) &&
411 port_match(&f->fw_pts[0], f->fw_nsp, dst_port,
412 f->fw_flg&IP_FW_F_SRNG) &&
413 port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp, src_port,
414 f->fw_flg&IP_FW_F_DRNG))))
415 {
416 continue;
417 }
418 }
419 #ifdef CONFIG_IP_FIREWALL_VERBOSE
420
421
422
423
424
425 if (f->fw_flg & IP_FW_F_PRN)
426 {
427 if(opt != 1) {
428 if(f->fw_flg&IP_FW_F_ACCEPT)
429 printk("Accept ");
430 else if(f->fw_flg&IP_FW_F_ICMPRPL)
431 printk("Reject ");
432 else
433 printk("Deny ");
434 }
435 switch(ip->protocol)
436 {
437 case IPPROTO_TCP:
438 printk("TCP ");
439 break;
440 case IPPROTO_UDP:
441 printk("UDP ");
442 case IPPROTO_ICMP:
443 printk("ICMP ");
444 break;
445 default:
446 printk("p=%d ",ip->protocol);
447 break;
448 }
449 print_ip(ip->saddr);
450 if(ip->protocol == IPPROTO_TCP || ip->protocol == IPPROTO_UDP)
451 printk(":%d", src_port);
452 printk(" ");
453 print_ip(ip->daddr);
454 if(ip->protocol == IPPROTO_TCP || ip->protocol == IPPROTO_UDP)
455 printk(":%d",dst_port);
456 printk("\n");
457 }
458 #endif
459 if (opt != 2) {
460 f->fw_bcnt+=ntohs(ip->tot_len);
461 f->fw_pcnt++;
462 }
463 if (opt != 1)
464 break;
465 }
466
467 if(opt == 1)
468 return 0;
469
470
471
472
473
474
475
476 if(f!=NULL)
477 f_flag=f->fw_flg;
478 else
479 f_flag=policy;
480 if(f_flag&IP_FW_F_ACCEPT)
481 return ((f_flag&IP_FW_F_MASQ)?FW_MASQUERADE:FW_ACCEPT);
482 if(f_flag&IP_FW_F_ICMPRPL)
483 return FW_REJECT;
484 return FW_BLOCK;
485 }
486
487 #ifdef CONFIG_IP_MASQUERADE
488
489 static void masq_expire(unsigned long data)
490 {
491 struct ip_masq *ms = (struct ip_masq *)data;
492 struct ip_masq *old,*cur;
493 unsigned long flags;
494
495 #ifdef DEBUG_MASQ
496 printk("Masqueraded %s %lX:%X expired\n",
497 strProt[ms->protocol==IPPROTO_TCP],
498 ntohl(ms->src),ntohs(ms->sport));
499 #endif
500
501 save_flags(flags);
502 cli();
503
504
505 old = NULL;
506 cur = ip_msq_hosts;
507 while (cur!=NULL) {
508 if (cur==ms) {
509 if (old==NULL) ip_msq_hosts = ms->next;
510 else old->next = ms->next;
511 kfree_s(ms,sizeof(*ms));
512 break;
513 }
514 old = cur;
515 cur=cur->next;
516 }
517 restore_flags(flags);
518 }
519
520
521
522
523
524
525
526
527 static struct ip_masq *alloc_masq_entry(void)
528 {
529 struct ip_masq *ms, *mst;
530 unsigned long flags;
531
532 ms = (struct ip_masq *) kmalloc(sizeof(struct ip_masq), GFP_ATOMIC);
533 if (ms==NULL)
534 return NULL;
535
536 memset(ms,0,sizeof(*ms));
537 init_timer(&ms->timer);
538 ms->timer.data = (unsigned long)ms;
539 ms->timer.function = masq_expire;
540
541 save_flags(flags);
542 cli();
543 do
544 {
545
546 ms->mport = htons(masq_port++);
547 if (masq_port==PORT_MASQ_END)
548 masq_port = PORT_MASQ_BEGIN;
549
550
551
552 mst = ip_msq_hosts;
553 while (mst && mst->mport!=ms->mport)
554 mst = mst->next;
555 }
556 while (mst!=NULL);
557
558
559 ms->next = ip_msq_hosts;
560 ip_msq_hosts = ms;
561 restore_flags(flags);
562
563 return ms;
564 }
565
566
567
568
569
570
571
572
573
574
575
576
577
578 static struct sk_buff *revamp(struct sk_buff *skb, struct device *dev, struct ip_masq *ftp)
579 {
580 struct iphdr *iph = skb->h.iph;
581 struct tcphdr *th = (struct tcphdr *)&(((char *)iph)[iph->ihl*4]);
582 struct sk_buff *skb2;
583 char *p, *data = (char *)&th[1];
584 unsigned char p1,p2,p3,p4,p5,p6;
585 unsigned long from;
586 unsigned short port;
587 struct ip_masq *ms;
588 char buf[24];
589 int diff;
590 __u32 seq;
591
592
593
594
595
596
597
598
599
600 seq=ntohl(th->seq);
601 if (ftp->delta || ftp->previous_delta)
602 {
603 if(after(seq,ftp->init_seq) )
604 {
605 th->seq = htonl(seq + ftp->delta);
606 #ifdef DEBUG_MASQ
607 printk("masq_revamp : added delta (%d) to seq\n",ftp->delta);
608 #endif
609 }
610 else
611 {
612 th->seq = htonl(seq + ftp->previous_delta);
613 #ifdef DEBUG_MASQ
614 printk("masq_revamp : added previous_delta (%d) to seq\n",ftp->previous_delta);
615 #endif
616 }
617 }
618
619 while (skb->len - ((unsigned char *)data - skb->h.raw) > 18)
620 {
621 if (memcmp(data,"PORT ",5) && memcmp(data,"port ",5))
622 {
623 data ++;
624 continue;
625 }
626 p = data+5;
627 p1 = simple_strtoul(data+5,&data,10);
628 if (*data!=',')
629 continue;
630 p2 = simple_strtoul(data+1,&data,10);
631 if (*data!=',')
632 continue;
633 p3 = simple_strtoul(data+1,&data,10);
634 if (*data!=',')
635 continue;
636 p4 = simple_strtoul(data+1,&data,10);
637 if (*data!=',')
638 continue;
639 p5 = simple_strtoul(data+1,&data,10);
640 if (*data!=',')
641 continue;
642 p6 = simple_strtoul(data+1,&data,10);
643 if (*data!='\r' && *data!='\n')
644 continue;
645
646 from = (p1<<24) | (p2<<16) | (p3<<8) | p4;
647 port = (p5<<8) | p6;
648 #ifdef MASQ_DEBUG
649 printk("PORT %lX:%X detected\n",from,port);
650 #endif
651
652
653
654 ms = alloc_masq_entry();
655 if (ms==NULL)
656 return skb;
657 ms->protocol = IPPROTO_TCP;
658 ms->src = htonl(from);
659 ms->sport = htons(port);
660 ms->dst = iph->daddr;
661
662
663
664
665
666 ms->dport = htons(FTP_DPORT_TBD);
667 ms->timer.expires = jiffies+MASQUERADE_EXPIRE_TCP_FIN;
668 add_timer(&ms->timer);
669
670
671
672
673 from = ntohl(dev->pa_addr);
674 port = ntohs(ms->mport);
675 sprintf(buf,"%ld,%ld,%ld,%ld,%d,%d",
676 from>>24&255,from>>16&255,from>>8&255,from&255,
677 port>>8&255,port&255);
678
679
680
681
682
683 diff = strlen(buf) - (data-p);
684
685
686
687
688
689 if (diff==0)
690 {
691
692
693
694 memcpy(p,buf,strlen(buf));
695 return skb;
696 }
697
698
699
700
701
702
703
704
705
706
707
708 if(!ftp->init_seq || after(seq,ftp->init_seq) )
709 {
710 ftp->previous_delta=ftp->delta;
711 ftp->delta+=diff;
712 ftp->init_seq = seq;
713 }
714
715
716
717
718 #ifdef DEBUG_MASQ
719 printk("MASQUERADE: resizing needed for %d bytes (%ld)\n",diff, skb->len);
720 #endif
721 skb2 = alloc_skb(MAX_HEADER + skb->len+diff, GFP_ATOMIC);
722 if (skb2 == NULL) {
723 printk("MASQUERADE: No memory available\n");
724 return skb;
725 }
726 skb2->free = skb->free;
727 skb_reserve(skb2,MAX_HEADER);
728 skb_put(skb2,skb->len + diff);
729 skb2->h.raw = skb2->data + (skb->h.raw - skb->data);
730 iph=skb2->h.iph;
731
732
733
734 iph->tot_len = htons(diff+ntohs(iph->tot_len));
735 iph->check = 0;
736 iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
737
738
739
740
741
742 memcpy(skb2->data, skb->data, (p - (char *)skb->data));
743 memcpy(&skb2->data[(p - (char *)skb->data)], buf, strlen(buf));
744 memcpy(&skb2->data[(p - (char *)skb->data) + strlen(buf)], data,
745 skb->len - (data-(char *)skb->data));
746
747
748
749
750
751 iph->tot_len = htons(skb->len + diff);
752
753
754
755
756
757
758 kfree_skb(skb, FREE_WRITE);
759 return skb2;
760 }
761 return skb;
762 }
763
764 static void recalc_check(struct udphdr *uh, unsigned long saddr,
765 unsigned long daddr, int len)
766 {
767 uh->check=0;
768 uh->check=csum_tcpudp_magic(saddr,daddr,len,
769 IPPROTO_UDP, csum_partial((char *)uh,len,0));
770 if(uh->check==0)
771 uh->check=0xFFFF;
772 }
773
774 void ip_fw_masquerade(struct sk_buff **skb_ptr, struct device *dev)
775 {
776 struct sk_buff *skb=*skb_ptr;
777 struct iphdr *iph = skb->h.iph;
778 unsigned short *portptr;
779 struct ip_masq *ms;
780 int size;
781
782
783
784
785
786 if (iph->protocol!=IPPROTO_UDP && iph->protocol!=IPPROTO_TCP)
787 return;
788
789
790
791
792
793 portptr = (unsigned short *)&(((char *)iph)[iph->ihl*4]);
794 ms = ip_msq_hosts;
795
796 #ifdef DEBUG_MASQ
797 printk("Outgoing %s %lX:%X -> %lX:%X\n",
798 strProt[iph->protocol==IPPROTO_TCP],
799 ntohl(iph->saddr), ntohs(portptr[0]),
800 ntohl(iph->daddr), ntohs(portptr[1]));
801 #endif
802 while (ms!=NULL)
803 {
804 if (iph->protocol == ms->protocol &&
805 iph->saddr == ms->src && iph->daddr == ms->dst &&
806 portptr[0] == ms->sport && portptr[1] == ms->dport)
807 {
808 del_timer(&ms->timer);
809 break;
810 }
811 ms = ms->next;
812 }
813
814
815
816
817
818 if (ms==NULL)
819 {
820 ms = alloc_masq_entry();
821 if (ms==NULL)
822 {
823 printk("MASQUERADE: no memory left !\n");
824 return;
825 }
826 ms->protocol = iph->protocol;
827 ms->src = iph->saddr;
828 ms->dst = iph->daddr;
829 ms->sport = portptr[0];
830 ms->dport = portptr[1];
831 }
832
833
834
835
836
837 size = skb->len - ((unsigned char *)portptr - skb->h.raw);
838 iph->saddr = dev->pa_addr;
839 portptr[0] = ms->mport;
840
841
842
843
844
845 if (iph->protocol==IPPROTO_UDP)
846 {
847 ms->timer.expires = jiffies+MASQUERADE_EXPIRE_UDP;
848 recalc_check((struct udphdr *)portptr,iph->saddr,iph->daddr,size);
849 }
850 else
851 {
852 struct tcphdr *th;
853 if (portptr[1]==htons(21))
854 {
855 skb = revamp(*skb_ptr, dev, ms);
856 *skb_ptr = skb;
857 iph = skb->h.iph;
858 portptr = (unsigned short *)&(((char *)iph)[iph->ihl*4]);
859 size = skb->len - ((unsigned char *)portptr-skb->h.raw);
860 }
861 th = (struct tcphdr *)portptr;
862
863
864
865
866 if (ms->sawfin || th->fin)
867 {
868 ms->timer.expires = jiffies+MASQUERADE_EXPIRE_TCP_FIN;
869 ms->sawfin = 1;
870 }
871 else ms->timer.expires = jiffies+MASQUERADE_EXPIRE_TCP;
872
873 tcp_send_check(th,iph->saddr,iph->daddr,size,skb->sk);
874 }
875 add_timer(&ms->timer);
876 ip_send_check(iph);
877
878 #ifdef DEBUG_MASQ
879 printk("O-routed from %lX:%X over %s\n",ntohl(dev->pa_addr),ntohs(ms->mport),dev->name);
880 #endif
881 }
882
883
884
885
886
887
888
889
890
891
892 int ip_fw_demasquerade(struct sk_buff *skb_ptr)
893 {
894 struct iphdr *iph = skb_ptr->h.iph;
895 unsigned short *portptr;
896 struct ip_masq *ms;
897 struct tcphdr *th = (struct tcphdr *)(skb_ptr->h.raw+(iph->ihl<<2));
898
899 if (iph->protocol!=IPPROTO_UDP && iph->protocol!=IPPROTO_TCP)
900 return 0;
901
902 portptr = (unsigned short *)&(((char *)iph)[iph->ihl*4]);
903 if (ntohs(portptr[1]) < PORT_MASQ_BEGIN ||
904 ntohs(portptr[1]) > PORT_MASQ_END)
905 return 0;
906
907 #ifdef DEBUG_MASQ
908 printk("Incoming %s %lX:%X -> %lX:%X\n",
909 strProt[iph->protocol==IPPROTO_TCP],
910 ntohl(iph->saddr), ntohs(portptr[0]),
911 ntohl(iph->daddr), ntohs(portptr[1]));
912 #endif
913
914
915
916
917
918
919
920
921
922
923 ms = ip_msq_hosts;
924 while (ms!=NULL)
925 {
926 if (iph->protocol==ms->protocol &&
927 (iph->saddr==ms->dst || iph->protocol==IPPROTO_UDP) &&
928 (ms->dport==htons(FTP_DPORT_TBD) || portptr[0]==ms->dport) &&
929 portptr[1]==ms->mport)
930 {
931
932 int size = skb_ptr->len - ((unsigned char *)portptr - skb_ptr->h.raw);
933 iph->daddr = ms->src;
934 portptr[1] = ms->sport;
935
936 if(ms->dport==htons(FTP_DPORT_TBD))
937 {
938 ms->dport=portptr[0];
939 #ifdef DEBUG_MASQ
940 printk("demasq : Filled out dport entry (%d) based on initial connect attempt from FTP deamon\n",ntohs(ms->dport));
941 #endif
942 }
943
944
945
946
947 if (iph->protocol==IPPROTO_UDP)
948 recalc_check((struct udphdr *)portptr,iph->saddr,iph->daddr,size);
949 else
950 {
951 __u32 ack_seq;
952
953
954
955
956
957 #ifdef DEBUG_MASQ
958 printk("demasq : delta=%d ; previous_delta=%d ; init_seq=%lX ; ack_seq=%lX ; after=%d\n",ms->delta,ms->previous_delta,ntohl(ms->init_seq),ntohl(th->ack_seq),after(ntohl(th->ack_seq),ntohl(ms->init_seq)));
959 #endif
960 ack_seq=ntohl(th->ack_seq);
961 if (ms->delta || ms->previous_delta)
962 {
963 if(after(ack_seq,ms->init_seq))
964 {
965 th->ack_seq = htonl(ack_seq-ms->delta);
966 #ifdef DEBUG_MASQ
967 printk("demasq : substracted delta (%d) from ack_seq\n",ms->delta);
968 #endif
969 }
970 else
971 {
972 th->ack_seq = htonl(ack_seq-ms->previous_delta);
973 #ifdef DEBUG_MASQ
974 printk("demasq : substracted previous_delta (%d) from ack_seq\n",ms->previous_delta);
975 #endif
976 }
977 }
978 tcp_send_check((struct tcphdr *)portptr,iph->saddr,iph->daddr,size,skb_ptr->sk);
979 }
980 ip_send_check(iph);
981 #ifdef DEBUG_MASQ
982 printk("I-routed to %lX:%X\n",ntohl(iph->daddr),ntohs(portptr[1]));
983 #endif
984 return 1;
985 }
986 ms = ms->next;
987 }
988
989
990 return 0;
991 }
992 #endif
993
994
995
996 static void zero_fw_chain(struct ip_fw *chainptr)
997 {
998 struct ip_fw *ctmp=chainptr;
999 while(ctmp)
1000 {
1001 ctmp->fw_pcnt=0L;
1002 ctmp->fw_bcnt=0L;
1003 ctmp=ctmp->fw_next;
1004 }
1005 }
1006
1007 static void free_fw_chain(struct ip_fw *volatile* chainptr)
1008 {
1009 unsigned long flags;
1010 save_flags(flags);
1011 cli();
1012 while ( *chainptr != NULL )
1013 {
1014 struct ip_fw *ftmp;
1015 ftmp = *chainptr;
1016 *chainptr = ftmp->fw_next;
1017 kfree_s(ftmp,sizeof(*ftmp));
1018 }
1019 restore_flags(flags);
1020 }
1021
1022
1023
1024 static int add_to_chain(struct ip_fw *volatile* chainptr, struct ip_fw *frwl)
1025 {
1026 struct ip_fw *ftmp;
1027 struct ip_fw *chtmp=NULL;
1028 struct ip_fw *volatile chtmp_prev=NULL;
1029 unsigned long flags;
1030 unsigned long m_src_mask,m_dst_mask;
1031 unsigned long n_sa,n_da,o_sa,o_da,o_sm,o_dm,n_sm,n_dm;
1032 unsigned short n_sr,n_dr,o_sr,o_dr;
1033 unsigned short oldkind,newkind;
1034 int addb4=0;
1035 int n_o,n_n;
1036
1037 save_flags(flags);
1038
1039 ftmp = kmalloc( sizeof(struct ip_fw), GFP_ATOMIC );
1040 if ( ftmp == NULL )
1041 {
1042 #ifdef DEBUG_CONFIG_IP_FIREWALL
1043 printk("ip_fw_ctl: malloc said no\n");
1044 #endif
1045 return( ENOMEM );
1046 }
1047
1048 memcpy(ftmp, frwl, sizeof( struct ip_fw ) );
1049
1050 ftmp->fw_pcnt=0L;
1051 ftmp->fw_bcnt=0L;
1052
1053 ftmp->fw_next = NULL;
1054
1055 cli();
1056
1057 if (*chainptr==NULL)
1058 {
1059 *chainptr=ftmp;
1060 }
1061 else
1062 {
1063 chtmp_prev=NULL;
1064 for (chtmp=*chainptr;chtmp!=NULL;chtmp=chtmp->fw_next)
1065 {
1066 addb4=0;
1067 newkind=ftmp->fw_flg & IP_FW_F_KIND;
1068 oldkind=chtmp->fw_flg & IP_FW_F_KIND;
1069
1070 if (newkind!=IP_FW_F_ALL
1071 && oldkind!=IP_FW_F_ALL
1072 && oldkind!=newkind)
1073 {
1074 chtmp_prev=chtmp;
1075 continue;
1076 }
1077
1078
1079
1080
1081
1082
1083 n_sa=ntohl(ftmp->fw_src.s_addr);
1084 n_da=ntohl(ftmp->fw_dst.s_addr);
1085 n_sm=ntohl(ftmp->fw_smsk.s_addr);
1086 n_dm=ntohl(ftmp->fw_dmsk.s_addr);
1087
1088 o_sa=ntohl(chtmp->fw_src.s_addr);
1089 o_da=ntohl(chtmp->fw_dst.s_addr);
1090 o_sm=ntohl(chtmp->fw_smsk.s_addr);
1091 o_dm=ntohl(chtmp->fw_dmsk.s_addr);
1092
1093 m_src_mask = o_sm & n_sm;
1094 m_dst_mask = o_dm & n_dm;
1095
1096 if ((o_sa & m_src_mask) == (n_sa & m_src_mask))
1097 {
1098 if (n_sm > o_sm)
1099 addb4++;
1100 if (n_sm < o_sm)
1101 addb4--;
1102 }
1103
1104 if ((o_da & m_dst_mask) == (n_da & m_dst_mask))
1105 {
1106 if (n_dm > o_dm)
1107 addb4++;
1108 if (n_dm < o_dm)
1109 addb4--;
1110 }
1111
1112 if (((o_da & o_dm) == (n_da & n_dm))
1113 &&((o_sa & o_sm) == (n_sa & n_sm)))
1114 {
1115 if (newkind!=IP_FW_F_ALL &&
1116 oldkind==IP_FW_F_ALL)
1117 addb4++;
1118 if (newkind==oldkind && (oldkind==IP_FW_F_TCP
1119 || oldkind==IP_FW_F_UDP))
1120 {
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133 if (ftmp->fw_flg & IP_FW_F_SRNG)
1134 n_sr=ftmp->fw_pts[1]-ftmp->fw_pts[0];
1135 else
1136 n_sr=(ftmp->fw_nsp)?
1137 ftmp->fw_nsp : 0xFFFF;
1138
1139 if (chtmp->fw_flg & IP_FW_F_SRNG)
1140 o_sr=chtmp->fw_pts[1]-chtmp->fw_pts[0];
1141 else
1142 o_sr=(chtmp->fw_nsp)?chtmp->fw_nsp : 0xFFFF;
1143
1144 if (n_sr<o_sr)
1145 addb4++;
1146 if (n_sr>o_sr)
1147 addb4--;
1148
1149 n_n=ftmp->fw_nsp;
1150 n_o=chtmp->fw_nsp;
1151
1152
1153
1154
1155
1156
1157
1158 if ((n_n>(IP_FW_MAX_PORTS-2)) ||
1159 (n_o>(IP_FW_MAX_PORTS-2)))
1160 goto skip_check;
1161
1162 if (ftmp->fw_flg & IP_FW_F_DRNG)
1163 n_dr=ftmp->fw_pts[n_n+1]-ftmp->fw_pts[n_n];
1164 else
1165 n_dr=(ftmp->fw_ndp)? ftmp->fw_ndp : 0xFFFF;
1166
1167 if (chtmp->fw_flg & IP_FW_F_DRNG)
1168 o_dr=chtmp->fw_pts[n_o+1]-chtmp->fw_pts[n_o];
1169 else
1170 o_dr=(chtmp->fw_ndp)? chtmp->fw_ndp : 0xFFFF;
1171 if (n_dr<o_dr)
1172 addb4++;
1173 if (n_dr>o_dr)
1174 addb4--;
1175 skip_check:
1176 }
1177
1178 if ((addb4 == 0) && ftmp->fw_via.s_addr &&
1179 !(chtmp->fw_via.s_addr))
1180 addb4++;
1181 }
1182 if (addb4>0)
1183 {
1184 if (chtmp_prev)
1185 {
1186 chtmp_prev->fw_next=ftmp;
1187 ftmp->fw_next=chtmp;
1188 }
1189 else
1190 {
1191 *chainptr=ftmp;
1192 ftmp->fw_next=chtmp;
1193 }
1194 restore_flags(flags);
1195 return 0;
1196 }
1197 chtmp_prev=chtmp;
1198 }
1199 }
1200
1201 if (chtmp_prev)
1202 chtmp_prev->fw_next=ftmp;
1203 else
1204 *chainptr=ftmp;
1205 restore_flags(flags);
1206 return(0);
1207 }
1208
1209 static int del_from_chain(struct ip_fw *volatile*chainptr, struct ip_fw *frwl)
1210 {
1211 struct ip_fw *ftmp,*ltmp;
1212 unsigned short tport1,tport2,tmpnum;
1213 char matches,was_found;
1214 unsigned long flags;
1215
1216 save_flags(flags);
1217 cli();
1218
1219 ftmp=*chainptr;
1220
1221 if ( ftmp == NULL )
1222 {
1223 #ifdef DEBUG_CONFIG_IP_FIREWALL
1224 printk("ip_fw_ctl: chain is empty\n");
1225 #endif
1226 restore_flags(flags);
1227 return( EINVAL );
1228 }
1229
1230 ltmp=NULL;
1231 was_found=0;
1232
1233 while( ftmp != NULL )
1234 {
1235 matches=1;
1236 if (ftmp->fw_src.s_addr!=frwl->fw_src.s_addr
1237 || ftmp->fw_dst.s_addr!=frwl->fw_dst.s_addr
1238 || ftmp->fw_smsk.s_addr!=frwl->fw_smsk.s_addr
1239 || ftmp->fw_dmsk.s_addr!=frwl->fw_dmsk.s_addr
1240 || ftmp->fw_via.s_addr!=frwl->fw_via.s_addr
1241 || ftmp->fw_flg!=frwl->fw_flg)
1242 matches=0;
1243
1244 tport1=ftmp->fw_nsp+ftmp->fw_ndp;
1245 tport2=frwl->fw_nsp+frwl->fw_ndp;
1246 if (tport1!=tport2)
1247 matches=0;
1248 else if (tport1!=0)
1249 {
1250 for (tmpnum=0;tmpnum < tport1 && tmpnum < IP_FW_MAX_PORTS;tmpnum++)
1251 if (ftmp->fw_pts[tmpnum]!=frwl->fw_pts[tmpnum])
1252 matches=0;
1253 }
1254 if(matches)
1255 {
1256 was_found=1;
1257 if (ltmp)
1258 {
1259 ltmp->fw_next=ftmp->fw_next;
1260 kfree_s(ftmp,sizeof(*ftmp));
1261 ftmp=ltmp->fw_next;
1262 }
1263 else
1264 {
1265 *chainptr=ftmp->fw_next;
1266 kfree_s(ftmp,sizeof(*ftmp));
1267 ftmp=*chainptr;
1268 }
1269 }
1270 else
1271 {
1272 ltmp = ftmp;
1273 ftmp = ftmp->fw_next;
1274 }
1275 }
1276 restore_flags(flags);
1277 if (was_found)
1278 return 0;
1279 else
1280 return(EINVAL);
1281 }
1282
1283 #endif
1284
1285 struct ip_fw *check_ipfw_struct(struct ip_fw *frwl, int len)
1286 {
1287
1288 if ( len != sizeof(struct ip_fw) )
1289 {
1290 #ifdef DEBUG_CONFIG_IP_FIREWALL
1291 printk("ip_fw_ctl: len=%d, want %d\n",len, sizeof(struct ip_fw));
1292 #endif
1293 return(NULL);
1294 }
1295
1296 if ( (frwl->fw_flg & ~IP_FW_F_MASK) != 0 )
1297 {
1298 #ifdef DEBUG_CONFIG_IP_FIREWALL
1299 printk("ip_fw_ctl: undefined flag bits set (flags=%x)\n",
1300 frwl->fw_flg);
1301 #endif
1302 return(NULL);
1303 }
1304
1305 if ( (frwl->fw_flg & IP_FW_F_SRNG) && frwl->fw_nsp < 2 )
1306 {
1307 #ifdef DEBUG_CONFIG_IP_FIREWALL
1308 printk("ip_fw_ctl: src range set but fw_nsp=%d\n",
1309 frwl->fw_nsp);
1310 #endif
1311 return(NULL);
1312 }
1313
1314 if ( (frwl->fw_flg & IP_FW_F_DRNG) && frwl->fw_ndp < 2 )
1315 {
1316 #ifdef DEBUG_CONFIG_IP_FIREWALL
1317 printk("ip_fw_ctl: dst range set but fw_ndp=%d\n",
1318 frwl->fw_ndp);
1319 #endif
1320 return(NULL);
1321 }
1322
1323 if ( frwl->fw_nsp + frwl->fw_ndp > IP_FW_MAX_PORTS )
1324 {
1325 #ifdef DEBUG_CONFIG_IP_FIREWALL
1326 printk("ip_fw_ctl: too many ports (%d+%d)\n",
1327 frwl->fw_nsp,frwl->fw_ndp);
1328 #endif
1329 return(NULL);
1330 }
1331
1332 return frwl;
1333 }
1334
1335
1336
1337
1338 #ifdef CONFIG_IP_ACCT
1339
1340 #if 0
1341 void ip_acct_cnt(struct iphdr *iph, struct device *dev, struct ip_fw *f)
1342 {
1343 (void) ip_fw_chk(iph, dev, f, 0, 1);
1344 return;
1345 }
1346 #endif
1347
1348 int ip_acct_ctl(int stage, void *m, int len)
1349 {
1350 if ( stage == IP_ACCT_FLUSH )
1351 {
1352 free_fw_chain(&ip_acct_chain);
1353 return(0);
1354 }
1355 if ( stage == IP_ACCT_ZERO )
1356 {
1357 zero_fw_chain(ip_acct_chain);
1358 return(0);
1359 }
1360 if ( stage == IP_ACCT_ADD
1361 || stage == IP_ACCT_DEL
1362 )
1363 {
1364 struct ip_fw *frwl;
1365
1366 if (!(frwl=check_ipfw_struct(m,len)))
1367 return (EINVAL);
1368
1369 switch (stage)
1370 {
1371 case IP_ACCT_ADD:
1372 return( add_to_chain(&ip_acct_chain,frwl));
1373 case IP_ACCT_DEL:
1374 return( del_from_chain(&ip_acct_chain,frwl));
1375 default:
1376
1377
1378
1379 #ifdef DEBUG_CONFIG_IP_FIREWALL
1380 printk("ip_acct_ctl: unknown request %d\n",stage);
1381 #endif
1382 return(EINVAL);
1383 }
1384 }
1385 #ifdef DEBUG_CONFIG_IP_FIREWALL
1386 printk("ip_acct_ctl: unknown request %d\n",stage);
1387 #endif
1388 return(EINVAL);
1389 }
1390 #endif
1391
1392 #ifdef CONFIG_IP_FIREWALL
1393 int ip_fw_ctl(int stage, void *m, int len)
1394 {
1395 int ret;
1396
1397 if ( stage == IP_FW_FLUSH_BLK )
1398 {
1399 free_fw_chain(&ip_fw_blk_chain);
1400 return(0);
1401 }
1402
1403 if ( stage == IP_FW_FLUSH_FWD )
1404 {
1405 free_fw_chain(&ip_fw_fwd_chain);
1406 return(0);
1407 }
1408
1409 if ( stage == IP_FW_ZERO_BLK )
1410 {
1411 zero_fw_chain(ip_fw_blk_chain);
1412 return(0);
1413 }
1414
1415 if ( stage == IP_FW_ZERO_FWD )
1416 {
1417 zero_fw_chain(ip_fw_fwd_chain);
1418 return(0);
1419 }
1420
1421 if ( stage == IP_FW_POLICY_BLK || stage == IP_FW_POLICY_FWD )
1422 {
1423 int *tmp_policy_ptr;
1424 tmp_policy_ptr=(int *)m;
1425 if ( stage == IP_FW_POLICY_BLK )
1426 ip_fw_blk_policy=*tmp_policy_ptr;
1427 else
1428 ip_fw_fwd_policy=*tmp_policy_ptr;
1429 return 0;
1430 }
1431
1432 if ( stage == IP_FW_CHK_BLK || stage == IP_FW_CHK_FWD )
1433 {
1434 struct device viadev;
1435 struct ip_fwpkt *ipfwp;
1436 struct iphdr *ip;
1437
1438 if ( len < sizeof(struct ip_fwpkt) )
1439 {
1440 #ifdef DEBUG_CONFIG_IP_FIREWALL
1441 printk("ip_fw_ctl: length=%d, expected %d\n",
1442 len, sizeof(struct ip_fwpkt));
1443 #endif
1444 return( EINVAL );
1445 }
1446
1447 ipfwp = (struct ip_fwpkt *)m;
1448 ip = &(ipfwp->fwp_iph);
1449
1450 if ( ip->ihl != sizeof(struct iphdr) / sizeof(int))
1451 {
1452 #ifdef DEBUG_CONFIG_IP_FIREWALL
1453 printk("ip_fw_ctl: ip->ihl=%d, want %d\n",ip->ihl,
1454 sizeof(struct iphdr)/sizeof(int));
1455 #endif
1456 return(EINVAL);
1457 }
1458
1459 viadev.pa_addr = ipfwp->fwp_via.s_addr;
1460
1461 if ((ret = ip_fw_chk(ip, &viadev,
1462 stage == IP_FW_CHK_BLK ?
1463 ip_fw_blk_chain : ip_fw_fwd_chain,
1464 stage == IP_FW_CHK_BLK ?
1465 ip_fw_blk_policy : ip_fw_fwd_policy, 2 )) > 0
1466 )
1467 return(0);
1468 else if (ret == -1)
1469 return(ECONNREFUSED);
1470 else
1471 return(ETIMEDOUT);
1472 }
1473
1474
1475
1476
1477
1478
1479 if ( stage == IP_FW_ADD_BLK || stage == IP_FW_ADD_FWD
1480 || stage == IP_FW_DEL_BLK || stage == IP_FW_DEL_FWD
1481 )
1482 {
1483 struct ip_fw *frwl;
1484 frwl=check_ipfw_struct(m,len);
1485 if (frwl==NULL)
1486 return (EINVAL);
1487
1488 switch (stage)
1489 {
1490 case IP_FW_ADD_BLK:
1491 return(add_to_chain(&ip_fw_blk_chain,frwl));
1492 case IP_FW_ADD_FWD:
1493 return(add_to_chain(&ip_fw_fwd_chain,frwl));
1494 case IP_FW_DEL_BLK:
1495 return(del_from_chain(&ip_fw_blk_chain,frwl));
1496 case IP_FW_DEL_FWD:
1497 return(del_from_chain(&ip_fw_fwd_chain,frwl));
1498 default:
1499
1500
1501
1502 #ifdef DEBUG_CONFIG_IP_FIREWALL
1503 printk("ip_fw_ctl: unknown request %d\n",stage);
1504 #endif
1505 return(EINVAL);
1506 }
1507 }
1508
1509 #ifdef DEBUG_CONFIG_IP_FIREWALL
1510 printk("ip_fw_ctl: unknown request %d\n",stage);
1511 #endif
1512 return(EINVAL);
1513 }
1514 #endif
1515
1516 #if defined(CONFIG_IP_FIREWALL) || defined(CONFIG_IP_ACCT)
1517
1518 static int ip_chain_procinfo(int stage, char *buffer, char **start,
1519 off_t offset, int length, int reset)
1520 {
1521 off_t pos=0, begin=0;
1522 struct ip_fw *i;
1523 unsigned long flags;
1524 int len, p;
1525
1526
1527 switch(stage)
1528 {
1529 #ifdef CONFIG_IP_FIREWALL
1530 case IP_INFO_BLK:
1531 i = ip_fw_blk_chain;
1532 len=sprintf(buffer, "IP firewall block rules, default %d\n",
1533 ip_fw_blk_policy);
1534 break;
1535 case IP_INFO_FWD:
1536 i = ip_fw_fwd_chain;
1537 len=sprintf(buffer, "IP firewall forward rules, default %d\n",
1538 ip_fw_fwd_policy);
1539 break;
1540 #endif
1541 #ifdef CONFIG_IP_ACCT
1542 case IP_INFO_ACCT:
1543 i = ip_acct_chain;
1544 len=sprintf(buffer,"IP accounting rules\n");
1545 break;
1546 #endif
1547 default:
1548
1549 i = NULL;
1550 len=0;
1551 break;
1552 }
1553
1554 save_flags(flags);
1555 cli();
1556
1557 while(i!=NULL)
1558 {
1559 len+=sprintf(buffer+len,"%08lX/%08lX->%08lX/%08lX %08lX %X ",
1560 ntohl(i->fw_src.s_addr),ntohl(i->fw_smsk.s_addr),
1561 ntohl(i->fw_dst.s_addr),ntohl(i->fw_dmsk.s_addr),
1562 ntohl(i->fw_via.s_addr),i->fw_flg);
1563 len+=sprintf(buffer+len,"%u %u %-9lu %-9lu",
1564 i->fw_nsp,i->fw_ndp, i->fw_pcnt,i->fw_bcnt);
1565 for (p = 0; p < IP_FW_MAX_PORTS; p++)
1566 len+=sprintf(buffer+len, " %u", i->fw_pts[p]);
1567 buffer[len++]='\n';
1568 buffer[len]='\0';
1569 pos=begin+len;
1570 if(pos<offset)
1571 {
1572 len=0;
1573 begin=pos;
1574 }
1575 else if(reset)
1576 {
1577
1578 i->fw_pcnt=0L;
1579 i->fw_bcnt=0L;
1580 }
1581 if(pos>offset+length)
1582 break;
1583 i=i->fw_next;
1584 }
1585 restore_flags(flags);
1586 *start=buffer+(offset-begin);
1587 len-=(offset-begin);
1588 if(len>length)
1589 len=length;
1590 return len;
1591 }
1592 #endif
1593
1594 #ifdef CONFIG_IP_ACCT
1595
1596 static int ip_acct_procinfo(char *buffer, char **start, off_t offset,
1597 int length, int reset)
1598 {
1599 return ip_chain_procinfo(IP_INFO_ACCT, buffer,start, offset,length,
1600 reset);
1601 }
1602
1603 #endif
1604
1605 #ifdef CONFIG_IP_FIREWALL
1606
1607 static int ip_fw_blk_procinfo(char *buffer, char **start, off_t offset,
1608 int length, int reset)
1609 {
1610 return ip_chain_procinfo(IP_INFO_BLK, buffer,start,offset,length,
1611 reset);
1612 }
1613
1614 static int ip_fw_fwd_procinfo(char *buffer, char **start, off_t offset,
1615 int length, int reset)
1616 {
1617 return ip_chain_procinfo(IP_INFO_FWD, buffer,start,offset,length,
1618 reset);
1619 }
1620 #endif
1621
1622 #ifdef CONFIG_IP_MASQUERADE
1623
1624 static int ip_msqhst_procinfo(char *buffer, char **start, off_t offset,
1625 int length, int unused)
1626 {
1627 off_t pos=0, begin=0;
1628 struct ip_masq *ms;
1629 unsigned long flags;
1630 int len=0;
1631
1632 len=sprintf(buffer,"Prc FromIP FPrt ToIP TPrt Masq Init-seq Delta PDelta Expires\n");
1633 save_flags(flags);
1634 cli();
1635
1636 ms=ip_msq_hosts;
1637 while (ms!=NULL)
1638 {
1639 int timer_active = del_timer(&ms->timer);
1640 if (!timer_active)
1641 ms->timer.expires = jiffies;
1642 len+=sprintf(buffer+len,"%s %08lX:%04X %08lX:%04X %04X %08X %5d %5d %lu\n",
1643 strProt[ms->protocol==IPPROTO_TCP],
1644 ntohl(ms->src),ntohs(ms->sport),
1645 ntohl(ms->dst),ntohs(ms->dport),
1646 ntohs(ms->mport),
1647 ms->init_seq,ms->delta,ms->previous_delta,ms->timer.expires-jiffies);
1648 if (timer_active)
1649 add_timer(&ms->timer);
1650
1651 pos=begin+len;
1652 if(pos<offset)
1653 {
1654 len=0;
1655 begin=pos;
1656 }
1657 if(pos>offset+length)
1658 break;
1659 ms=ms->next;
1660 }
1661 restore_flags(flags);
1662 *start=buffer+(offset-begin);
1663 len-=(offset-begin);
1664 if(len>length)
1665 len=length;
1666 return len;
1667 }
1668
1669 #endif
1670
1671 void ip_fw_init(void)
1672 {
1673 #ifdef CONFIG_IP_ACCT
1674 proc_net_register(&(struct proc_dir_entry) {
1675 PROC_NET_IPACCT, 7, "ip_acct",
1676 S_IFREG | S_IRUGO | S_IWUSR, 1, 0, 0,
1677 0, &proc_net_inode_operations,
1678 ip_acct_procinfo
1679 });
1680 #endif
1681 #ifdef CONFIG_IP_FIREWALL
1682 proc_net_register(&(struct proc_dir_entry) {
1683 PROC_NET_IPFWBLK, 8, "ip_block",
1684 S_IFREG | S_IRUGO | S_IWUSR, 1, 0, 0,
1685 0, &proc_net_inode_operations,
1686 ip_fw_blk_procinfo
1687 });
1688 proc_net_register(&(struct proc_dir_entry) {
1689 PROC_NET_IPFWFWD, 10, "ip_forward",
1690 S_IFREG | S_IRUGO | S_IWUSR, 1, 0, 0,
1691 0, &proc_net_inode_operations,
1692 ip_fw_fwd_procinfo
1693 });
1694 #endif
1695 #ifdef CONFIG_IP_MASQUERADE
1696 proc_net_register(&(struct proc_dir_entry) {
1697 PROC_NET_IPMSQHST, 13, "ip_masquerade",
1698 S_IFREG | S_IRUGO, 1, 0, 0,
1699 0, &proc_net_inode_operations,
1700 ip_msqhst_procinfo
1701 });
1702 #endif
1703 }