Print this page
OS-7667 IPFilter needs to keep and report state for cloud firewall logging
Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/ipf/fil.c
+++ new/usr/src/uts/common/inet/ipf/fil.c
1 1 /*
2 2 * Copyright (C) 1993-2003 by Darren Reed.
3 3 *
4 4 * See the IPFILTER.LICENCE file for details on licencing.
5 5 *
6 6 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
7 7 *
8 - * Copyright (c) 2014, Joyent, Inc. All rights reserved.
8 + * Copyright 2019 Joyent, Inc.
9 9 */
10 10
11 11 #if defined(KERNEL) || defined(_KERNEL)
12 12 # undef KERNEL
13 13 # undef _KERNEL
14 14 # define KERNEL 1
15 15 # define _KERNEL 1
16 16 #endif
17 17 #include <sys/errno.h>
18 18 #include <sys/types.h>
19 19 #include <sys/param.h>
20 20 #include <sys/time.h>
21 21 #if defined(__NetBSD__)
22 22 # if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
23 23 # include "opt_ipfilter_log.h"
24 24 # endif
25 25 #endif
26 26 #if defined(_KERNEL) && defined(__FreeBSD_version) && \
27 27 (__FreeBSD_version >= 220000)
28 28 # if (__FreeBSD_version >= 400000)
29 29 # if !defined(IPFILTER_LKM)
30 30 # include "opt_inet6.h"
31 31 # endif
32 32 # if (__FreeBSD_version == 400019)
33 33 # define CSUM_DELAY_DATA
34 34 # endif
35 35 # endif
36 36 # include <sys/filio.h>
37 37 #else
38 38 # include <sys/ioctl.h>
39 39 #endif
40 40 #if !defined(_AIX51)
41 41 # include <sys/fcntl.h>
42 42 #endif
43 43 #if defined(_KERNEL)
44 44 # include <sys/systm.h>
45 45 # include <sys/file.h>
46 46 #else
47 47 # include <stdio.h>
48 48 # include <string.h>
49 49 # include <stdlib.h>
50 50 # include <stddef.h>
51 51 # include <sys/file.h>
52 52 # define _KERNEL
53 53 # ifdef __OpenBSD__
54 54 struct file;
55 55 # endif
56 56 # include <sys/uio.h>
57 57 # undef _KERNEL
58 58 #endif
59 59 #if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux) && \
60 60 !defined(linux)
61 61 # include <sys/mbuf.h>
62 62 #else
63 63 # if !defined(linux)
64 64 # include <sys/byteorder.h>
65 65 # endif
66 66 # if (SOLARIS2 < 5) && defined(sun)
67 67 # include <sys/dditypes.h>
68 68 # endif
69 69 #endif
70 70 #ifdef __hpux
71 71 # define _NET_ROUTE_INCLUDED
72 72 #endif
73 73 #if !defined(linux)
74 74 # include <sys/protosw.h>
75 75 #endif
76 76 #include <sys/socket.h>
77 77 #include <net/if.h>
78 78 #ifdef sun
79 79 # include <net/af.h>
80 80 #endif
81 81 #if !defined(_KERNEL) && defined(__FreeBSD__)
82 82 # include "radix_ipf.h"
83 83 #endif
84 84 #include <net/route.h>
85 85 #include <netinet/in.h>
86 86 #include <netinet/in_systm.h>
87 87 #include <netinet/ip.h>
88 88 #if !defined(linux)
89 89 # include <netinet/ip_var.h>
90 90 #endif
91 91 #if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
92 92 # include <sys/hashing.h>
93 93 # include <netinet/in_var.h>
94 94 #endif
95 95 #include <netinet/tcp.h>
96 96 #if (!defined(__sgi) && !defined(AIX)) || defined(_KERNEL)
97 97 # include <netinet/udp.h>
98 98 # include <netinet/ip_icmp.h>
99 99 #endif
100 100 #ifdef __hpux
101 101 # undef _NET_ROUTE_INCLUDED
102 102 #endif
103 103 #include "netinet/ip_compat.h"
104 104 #ifdef USE_INET6
105 105 # include <netinet/icmp6.h>
106 106 # if !defined(SOLARIS) && defined(_KERNEL) && !defined(__osf__) && \
107 107 !defined(__hpux)
108 108 # include <netinet6/in6_var.h>
109 109 # endif
110 110 #endif
111 111 #include <netinet/tcpip.h>
112 112 #include "netinet/ip_fil.h"
113 113 #include "netinet/ip_nat.h"
114 114 #include "netinet/ip_frag.h"
115 115 #include "netinet/ip_state.h"
116 116 #include "netinet/ip_proxy.h"
117 117 #include "netinet/ip_auth.h"
118 118 #include "netinet/ipf_stack.h"
119 119 #ifdef IPFILTER_SCAN
120 120 # include "netinet/ip_scan.h"
121 121 #endif
122 122 #ifdef IPFILTER_SYNC
123 123 # include "netinet/ip_sync.h"
124 124 #endif
125 125 #include "netinet/ip_pool.h"
126 126 #include "netinet/ip_htable.h"
127 127 #ifdef IPFILTER_COMPILED
128 128 # include "netinet/ip_rules.h"
129 129 #endif
130 130 #if defined(IPFILTER_BPF) && defined(_KERNEL)
131 131 # include <net/bpf.h>
132 132 #endif
133 133 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
134 134 # include <sys/malloc.h>
135 135 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
136 136 # include "opt_ipfilter.h"
137 137 # endif
138 138 #endif
139 139 #include "netinet/ipl.h"
140 140 #if defined(_KERNEL)
141 141 #include <sys/sunddi.h>
142 142 #endif
143 143 /* END OF INCLUDES */
144 144
145 145 #if !defined(lint)
146 146 static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
147 147 static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.64 2005/08/13 05:19:59 darrenr Exp $";
148 148 #endif
149 149
150 150 #ifndef _KERNEL
151 151 # include "ipf.h"
152 152 # include "ipt.h"
153 153 # include "bpf-ipf.h"
154 154 extern int opts;
155 155
156 156 # define FR_VERBOSE(verb_pr) verbose verb_pr
157 157 # define FR_DEBUG(verb_pr) debug verb_pr
158 158 #else /* #ifndef _KERNEL */
159 159 # define FR_VERBOSE(verb_pr)
160 160 # define FR_DEBUG(verb_pr)
161 161 #endif /* _KERNEL */
162 162
163 163
164 164 char ipfilter_version[] = IPL_VERSION;
165 165 int fr_features = 0
166 166 #ifdef IPFILTER_LKM
167 167 | IPF_FEAT_LKM
168 168 #endif
169 169 #ifdef IPFILTER_LOG
170 170 | IPF_FEAT_LOG
171 171 #endif
172 172 #ifdef IPFILTER_LOOKUP
173 173 | IPF_FEAT_LOOKUP
174 174 #endif
175 175 #ifdef IPFILTER_BPF
176 176 | IPF_FEAT_BPF
177 177 #endif
178 178 #ifdef IPFILTER_COMPILED
179 179 | IPF_FEAT_COMPILED
180 180 #endif
181 181 #ifdef IPFILTER_CKSUM
182 182 | IPF_FEAT_CKSUM
183 183 #endif
184 184 #ifdef IPFILTER_SYNC
185 185 | IPF_FEAT_SYNC
186 186 #endif
187 187 #ifdef IPFILTER_SCAN
188 188 | IPF_FEAT_SCAN
189 189 #endif
190 190 #ifdef USE_INET6
191 191 | IPF_FEAT_IPV6
192 192 #endif
193 193 ;
194 194
195 195 #define IPF_BUMP(x) (x)++
196 196
197 197 static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
198 198 static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
199 199 static int fr_portcheck __P((frpcmp_t *, u_short *));
200 200 static int frflushlist __P((int, minor_t, int *, frentry_t **,
201 201 ipf_stack_t *));
202 202 static ipfunc_t fr_findfunc __P((ipfunc_t));
203 203 static frentry_t *fr_firewall __P((fr_info_t *, u_32_t *));
204 204 static int fr_funcinit __P((frentry_t *fr, ipf_stack_t *));
205 205 static INLINE void frpr_ah __P((fr_info_t *));
206 206 static INLINE void frpr_esp __P((fr_info_t *));
207 207 static INLINE void frpr_gre __P((fr_info_t *));
208 208 static INLINE void frpr_udp __P((fr_info_t *));
209 209 static INLINE void frpr_tcp __P((fr_info_t *));
210 210 static INLINE void frpr_icmp __P((fr_info_t *));
211 211 static INLINE void frpr_ipv4hdr __P((fr_info_t *));
212 212 static INLINE int frpr_pullup __P((fr_info_t *, int));
213 213 static INLINE void frpr_short __P((fr_info_t *, int));
214 214 static INLINE void frpr_tcpcommon __P((fr_info_t *));
215 215 static INLINE void frpr_udpcommon __P((fr_info_t *));
216 216 static INLINE int fr_updateipid __P((fr_info_t *));
217 217 #ifdef IPFILTER_LOOKUP
218 218 static int fr_grpmapinit __P((frentry_t *fr, ipf_stack_t *));
219 219 static INLINE void *fr_resolvelookup __P((u_int, u_int, lookupfunc_t *,
220 220 ipf_stack_t *));
221 221 #endif
222 222 static void frsynclist __P((int, int, void *, char *, frentry_t *,
223 223 ipf_stack_t *));
224 224 static void *fr_ifsync __P((int, int, char *, char *,
225 225 void *, void *, ipf_stack_t *));
226 226 static ipftuneable_t *fr_findtunebyname __P((const char *, ipf_stack_t *));
227 227 static ipftuneable_t *fr_findtunebycookie __P((void *, void **, ipf_stack_t *));
228 228
229 229 /*
230 230 * bit values for identifying presence of individual IP options
231 231 * All of these tables should be ordered by increasing key value on the left
232 232 * hand side to allow for binary searching of the array and include a trailer
233 233 * with a 0 for the bitmask for linear searches to easily find the end with.
234 234 */
235 235 const struct optlist ipopts[20] = {
236 236 { IPOPT_NOP, 0x000001 },
237 237 { IPOPT_RR, 0x000002 },
238 238 { IPOPT_ZSU, 0x000004 },
239 239 { IPOPT_MTUP, 0x000008 },
240 240 { IPOPT_MTUR, 0x000010 },
241 241 { IPOPT_ENCODE, 0x000020 },
242 242 { IPOPT_TS, 0x000040 },
243 243 { IPOPT_TR, 0x000080 },
244 244 { IPOPT_SECURITY, 0x000100 },
245 245 { IPOPT_LSRR, 0x000200 },
246 246 { IPOPT_E_SEC, 0x000400 },
247 247 { IPOPT_CIPSO, 0x000800 },
248 248 { IPOPT_SATID, 0x001000 },
249 249 { IPOPT_SSRR, 0x002000 },
250 250 { IPOPT_ADDEXT, 0x004000 },
251 251 { IPOPT_VISA, 0x008000 },
252 252 { IPOPT_IMITD, 0x010000 },
253 253 { IPOPT_EIP, 0x020000 },
254 254 { IPOPT_FINN, 0x040000 },
255 255 { 0, 0x000000 }
256 256 };
257 257
258 258 #ifdef USE_INET6
259 259 struct optlist ip6exthdr[] = {
260 260 { IPPROTO_HOPOPTS, 0x000001 },
261 261 { IPPROTO_IPV6, 0x000002 },
262 262 { IPPROTO_ROUTING, 0x000004 },
263 263 { IPPROTO_FRAGMENT, 0x000008 },
264 264 { IPPROTO_ESP, 0x000010 },
265 265 { IPPROTO_AH, 0x000020 },
266 266 { IPPROTO_NONE, 0x000040 },
267 267 { IPPROTO_DSTOPTS, 0x000080 },
268 268 { 0, 0 }
269 269 };
270 270 #endif
271 271
272 272 struct optlist tcpopts[] = {
273 273 { TCPOPT_NOP, 0x000001 },
274 274 { TCPOPT_MAXSEG, 0x000002 },
275 275 { TCPOPT_WINDOW, 0x000004 },
276 276 { TCPOPT_SACK_PERMITTED, 0x000008 },
277 277 { TCPOPT_SACK, 0x000010 },
278 278 { TCPOPT_TIMESTAMP, 0x000020 },
279 279 { 0, 0x000000 }
280 280 };
281 281
282 282 /*
283 283 * bit values for identifying presence of individual IP security options
284 284 */
285 285 const struct optlist secopt[8] = {
286 286 { IPSO_CLASS_RES4, 0x01 },
287 287 { IPSO_CLASS_TOPS, 0x02 },
288 288 { IPSO_CLASS_SECR, 0x04 },
289 289 { IPSO_CLASS_RES3, 0x08 },
290 290 { IPSO_CLASS_CONF, 0x10 },
291 291 { IPSO_CLASS_UNCL, 0x20 },
292 292 { IPSO_CLASS_RES2, 0x40 },
293 293 { IPSO_CLASS_RES1, 0x80 }
294 294 };
295 295
296 296
297 297 /*
298 298 * Table of functions available for use with call rules.
299 299 */
300 300 static ipfunc_resolve_t fr_availfuncs[] = {
301 301 #ifdef IPFILTER_LOOKUP
302 302 { "fr_srcgrpmap", fr_srcgrpmap, fr_grpmapinit },
303 303 { "fr_dstgrpmap", fr_dstgrpmap, fr_grpmapinit },
304 304 #endif
305 305 { "", NULL }
306 306 };
307 307
308 308
309 309 /*
310 310 * Below we declare a list of constants used only by the ipf_extraflush()
311 311 * routine. We are placing it here, instead of in ipf_extraflush() itself,
312 312 * because we want to make it visible to tools such as mdb, nm etc., so the
313 313 * values can easily be altered during debugging.
314 314 */
315 315 static const int idletime_tab[] = {
316 316 IPF_TTLVAL(30), /* 30 seconds */
317 317 IPF_TTLVAL(1800), /* 30 minutes */
318 318 IPF_TTLVAL(43200), /* 12 hours */
319 319 IPF_TTLVAL(345600), /* 4 days */
320 320 };
321 321
322 322
323 323 /*
324 324 * The next section of code is a a collection of small routines that set
325 325 * fields in the fr_info_t structure passed based on properties of the
326 326 * current packet. There are different routines for the same protocol
327 327 * for each of IPv4 and IPv6. Adding a new protocol, for which there
328 328 * will "special" inspection for setup, is now more easily done by adding
329 329 * a new routine and expanding the frpr_ipinit*() function rather than by
330 330 * adding more code to a growing switch statement.
331 331 */
332 332 #ifdef USE_INET6
333 333 static INLINE int frpr_ah6 __P((fr_info_t *));
334 334 static INLINE void frpr_esp6 __P((fr_info_t *));
335 335 static INLINE void frpr_gre6 __P((fr_info_t *));
336 336 static INLINE void frpr_udp6 __P((fr_info_t *));
337 337 static INLINE void frpr_tcp6 __P((fr_info_t *));
338 338 static INLINE void frpr_icmp6 __P((fr_info_t *));
339 339 static INLINE void frpr_ipv6hdr __P((fr_info_t *));
340 340 static INLINE void frpr_short6 __P((fr_info_t *, int));
341 341 static INLINE int frpr_hopopts6 __P((fr_info_t *));
342 342 static INLINE int frpr_routing6 __P((fr_info_t *));
343 343 static INLINE int frpr_dstopts6 __P((fr_info_t *));
344 344 static INLINE int frpr_fragment6 __P((fr_info_t *));
345 345 static INLINE int frpr_ipv6exthdr __P((fr_info_t *, int, int));
346 346
347 347
348 348 /* ------------------------------------------------------------------------ */
349 349 /* Function: frpr_short6 */
350 350 /* Returns: void */
351 351 /* Parameters: fin(I) - pointer to packet information */
352 352 /* */
353 353 /* IPv6 Only */
354 354 /* This is function enforces the 'is a packet too short to be legit' rule */
355 355 /* for IPv6 and marks the packet with FI_SHORT if so. See function comment */
356 356 /* for frpr_short() for more details. */
357 357 /* ------------------------------------------------------------------------ */
358 358 static INLINE void frpr_short6(fin, xmin)
359 359 fr_info_t *fin;
360 360 int xmin;
361 361 {
362 362
363 363 if (fin->fin_dlen < xmin)
364 364 fin->fin_flx |= FI_SHORT;
365 365 }
366 366
367 367
368 368 /* ------------------------------------------------------------------------ */
369 369 /* Function: frpr_ipv6hdr */
370 370 /* Returns: Nil */
371 371 /* Parameters: fin(I) - pointer to packet information */
372 372 /* */
373 373 /* IPv6 Only */
374 374 /* Copy values from the IPv6 header into the fr_info_t struct and call the */
375 375 /* per-protocol analyzer if it exists. */
376 376 /* ------------------------------------------------------------------------ */
377 377 static INLINE void frpr_ipv6hdr(fin)
378 378 fr_info_t *fin;
379 379 {
380 380 ip6_t *ip6 = (ip6_t *)fin->fin_ip;
381 381 int p, go = 1, i, hdrcount;
382 382 fr_ip_t *fi = &fin->fin_fi;
383 383
384 384 fin->fin_off = 0;
385 385
386 386 fi->fi_tos = 0;
387 387 fi->fi_optmsk = 0;
388 388 fi->fi_secmsk = 0;
389 389 fi->fi_auth = 0;
390 390
391 391 p = ip6->ip6_nxt;
392 392 fi->fi_ttl = ip6->ip6_hlim;
393 393 fi->fi_src.in6 = ip6->ip6_src;
394 394 fi->fi_dst.in6 = ip6->ip6_dst;
395 395 fin->fin_id = 0;
396 396
397 397 hdrcount = 0;
398 398 while (go && !(fin->fin_flx & (FI_BAD|FI_SHORT))) {
399 399 switch (p)
400 400 {
401 401 case IPPROTO_UDP :
402 402 frpr_udp6(fin);
403 403 go = 0;
404 404 break;
405 405
406 406 case IPPROTO_TCP :
407 407 frpr_tcp6(fin);
408 408 go = 0;
409 409 break;
410 410
411 411 case IPPROTO_ICMPV6 :
412 412 frpr_icmp6(fin);
413 413 go = 0;
414 414 break;
415 415
416 416 case IPPROTO_GRE :
417 417 frpr_gre6(fin);
418 418 go = 0;
419 419 break;
420 420
421 421 case IPPROTO_HOPOPTS :
422 422 /*
423 423 * hop by hop ext header is only allowed
424 424 * right after IPv6 header.
425 425 */
426 426 if (hdrcount != 0) {
427 427 fin->fin_flx |= FI_BAD;
428 428 p = IPPROTO_NONE;
429 429 } else {
430 430 p = frpr_hopopts6(fin);
431 431 }
432 432 break;
433 433
434 434 case IPPROTO_DSTOPTS :
435 435 p = frpr_dstopts6(fin);
436 436 break;
437 437
438 438 case IPPROTO_ROUTING :
439 439 p = frpr_routing6(fin);
440 440 break;
441 441
442 442 case IPPROTO_AH :
443 443 p = frpr_ah6(fin);
444 444 break;
445 445
446 446 case IPPROTO_ESP :
447 447 frpr_esp6(fin);
448 448 go = 0;
449 449 break;
450 450
451 451 case IPPROTO_IPV6 :
452 452 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
453 453 if (ip6exthdr[i].ol_val == p) {
454 454 fin->fin_flx |= ip6exthdr[i].ol_bit;
455 455 break;
456 456 }
457 457 go = 0;
458 458 break;
459 459
460 460 case IPPROTO_NONE :
461 461 go = 0;
462 462 break;
463 463
464 464 case IPPROTO_FRAGMENT :
465 465 p = frpr_fragment6(fin);
466 466 if (fin->fin_off != 0) /* Not the first frag */
467 467 go = 0;
468 468 break;
469 469
470 470 default :
471 471 go = 0;
472 472 break;
473 473 }
474 474 hdrcount++;
475 475
476 476 /*
477 477 * It is important to note that at this point, for the
478 478 * extension headers (go != 0), the entire header may not have
479 479 * been pulled up when the code gets to this point. This is
480 480 * only done for "go != 0" because the other header handlers
481 481 * will all pullup their complete header. The other indicator
482 482 * of an incomplete packet is that this was just an extension
483 483 * header.
484 484 */
485 485 if ((go != 0) && (p != IPPROTO_NONE) &&
486 486 (frpr_pullup(fin, 0) == -1)) {
487 487 p = IPPROTO_NONE;
488 488 go = 0;
489 489 }
490 490 }
491 491 fi->fi_p = p;
492 492 }
493 493
494 494
495 495 /* ------------------------------------------------------------------------ */
496 496 /* Function: frpr_ipv6exthdr */
497 497 /* Returns: int - value of the next header or IPPROTO_NONE if error */
498 498 /* Parameters: fin(I) - pointer to packet information */
499 499 /* multiple(I) - flag indicating yes/no if multiple occurances */
500 500 /* of this extension header are allowed. */
501 501 /* proto(I) - protocol number for this extension header */
502 502 /* */
503 503 /* IPv6 Only */
504 504 /* This function expects to find an IPv6 extension header at fin_dp. */
505 505 /* There must be at least 8 bytes of data at fin_dp for there to be a valid */
506 506 /* extension header present. If a good one is found, fin_dp is advanced to */
507 507 /* point at the first piece of data after the extension header, fin_exthdr */
508 508 /* points to the start of the extension header and the "protocol" of the */
509 509 /* *NEXT* header is returned. */
510 510 /* ------------------------------------------------------------------------ */
511 511 static INLINE int frpr_ipv6exthdr(fin, multiple, proto)
512 512 fr_info_t *fin;
513 513 int multiple, proto;
514 514 {
515 515 struct ip6_ext *hdr;
516 516 u_short shift;
517 517 int i;
518 518
519 519 fin->fin_flx |= FI_V6EXTHDR;
520 520
521 521 /* 8 is default length of extension hdr */
522 522 if ((fin->fin_dlen - 8) < 0) {
523 523 fin->fin_flx |= FI_SHORT;
524 524 return IPPROTO_NONE;
525 525 }
526 526
527 527 if (frpr_pullup(fin, 8) == -1)
528 528 return IPPROTO_NONE;
529 529
530 530 hdr = fin->fin_dp;
531 531 shift = 8 + (hdr->ip6e_len << 3);
532 532 if (shift > fin->fin_dlen) { /* Nasty extension header length? */
533 533 fin->fin_flx |= FI_BAD;
534 534 return IPPROTO_NONE;
535 535 }
536 536
537 537 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
538 538 if (ip6exthdr[i].ol_val == proto) {
539 539 /*
540 540 * Most IPv6 extension headers are only allowed once.
541 541 */
542 542 if ((multiple == 0) &&
543 543 ((fin->fin_optmsk & ip6exthdr[i].ol_bit) != 0))
544 544 fin->fin_flx |= FI_BAD;
545 545 else
546 546 fin->fin_optmsk |= ip6exthdr[i].ol_bit;
547 547 break;
548 548 }
549 549
550 550 fin->fin_dp = (char *)fin->fin_dp + shift;
551 551 fin->fin_dlen -= shift;
552 552
553 553 return hdr->ip6e_nxt;
554 554 }
555 555
556 556
557 557 /* ------------------------------------------------------------------------ */
558 558 /* Function: frpr_hopopts6 */
559 559 /* Returns: int - value of the next header or IPPROTO_NONE if error */
560 560 /* Parameters: fin(I) - pointer to packet information */
561 561 /* */
562 562 /* IPv6 Only */
563 563 /* This is function checks pending hop by hop options extension header */
564 564 /* ------------------------------------------------------------------------ */
565 565 static INLINE int frpr_hopopts6(fin)
566 566 fr_info_t *fin;
567 567 {
568 568 return frpr_ipv6exthdr(fin, 0, IPPROTO_HOPOPTS);
569 569 }
570 570
571 571
572 572 /* ------------------------------------------------------------------------ */
573 573 /* Function: frpr_routing6 */
574 574 /* Returns: int - value of the next header or IPPROTO_NONE if error */
575 575 /* Parameters: fin(I) - pointer to packet information */
576 576 /* */
577 577 /* IPv6 Only */
578 578 /* This is function checks pending routing extension header */
579 579 /* ------------------------------------------------------------------------ */
580 580 static INLINE int frpr_routing6(fin)
581 581 fr_info_t *fin;
582 582 {
583 583 struct ip6_ext *hdr;
584 584 int shift;
585 585
586 586 hdr = fin->fin_dp;
587 587 if (frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING) == IPPROTO_NONE)
588 588 return IPPROTO_NONE;
589 589
590 590 shift = 8 + (hdr->ip6e_len << 3);
591 591 /*
592 592 * Nasty extension header length?
593 593 */
594 594 if ((hdr->ip6e_len << 3) & 15) {
595 595 fin->fin_flx |= FI_BAD;
596 596 /*
597 597 * Compensate for the changes made in frpr_ipv6exthdr()
598 598 */
599 599 fin->fin_dlen += shift;
600 600 fin->fin_dp = (char *)fin->fin_dp - shift;
601 601 return IPPROTO_NONE;
602 602 }
603 603
604 604 return hdr->ip6e_nxt;
605 605 }
606 606
607 607
608 608 /* ------------------------------------------------------------------------ */
609 609 /* Function: frpr_fragment6 */
610 610 /* Returns: int - value of the next header or IPPROTO_NONE if error */
611 611 /* Parameters: fin(I) - pointer to packet information */
612 612 /* */
613 613 /* IPv6 Only */
614 614 /* Examine the IPv6 fragment header and extract fragment offset information.*/
615 615 /* */
616 616 /* We don't know where the transport layer header (or whatever is next is), */
617 617 /* as it could be behind destination options (amongst others). Because */
618 618 /* there is no fragment cache, there is no knowledge about whether or not an*/
619 619 /* upper layer header has been seen (or where it ends) and thus we are not */
620 620 /* able to continue processing beyond this header with any confidence. */
621 621 /* ------------------------------------------------------------------------ */
622 622 static INLINE int frpr_fragment6(fin)
623 623 fr_info_t *fin;
624 624 {
625 625 struct ip6_frag *frag;
626 626
627 627 fin->fin_flx |= FI_FRAG;
628 628
629 629 /*
630 630 * A fragmented IPv6 packet implies that there must be something
631 631 * else after the fragment.
632 632 */
633 633 if (frpr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT) == IPPROTO_NONE)
634 634 return IPPROTO_NONE;
635 635
636 636 frag = (struct ip6_frag *)((char *)fin->fin_dp - sizeof(*frag));
637 637
638 638 /*
639 639 * If this fragment isn't the last then the packet length must
640 640 * be a multiple of 8.
641 641 */
642 642 if ((frag->ip6f_offlg & IP6F_MORE_FRAG) != 0) {
643 643 fin->fin_flx |= FI_MOREFRAG;
644 644
645 645 if ((fin->fin_plen & 0x7) != 0)
646 646 fin->fin_flx |= FI_BAD;
647 647 }
648 648
649 649 fin->fin_id = frag->ip6f_ident;
650 650 fin->fin_off = ntohs(frag->ip6f_offlg & IP6F_OFF_MASK);
651 651 if (fin->fin_off != 0)
652 652 fin->fin_flx |= FI_FRAGBODY;
653 653
654 654 return frag->ip6f_nxt;
655 655 }
656 656
657 657
658 658 /* ------------------------------------------------------------------------ */
659 659 /* Function: frpr_dstopts6 */
660 660 /* Returns: int - value of the next header or IPPROTO_NONE if error */
661 661 /* Parameters: fin(I) - pointer to packet information */
662 662 /* nextheader(I) - stores next header value */
663 663 /* */
664 664 /* IPv6 Only */
665 665 /* This is function checks pending destination options extension header */
666 666 /* ------------------------------------------------------------------------ */
667 667 static INLINE int frpr_dstopts6(fin)
668 668 fr_info_t *fin;
669 669 {
670 670 return frpr_ipv6exthdr(fin, 1, IPPROTO_DSTOPTS);
671 671 }
672 672
673 673
674 674 /* ------------------------------------------------------------------------ */
675 675 /* Function: frpr_icmp6 */
676 676 /* Returns: void */
677 677 /* Parameters: fin(I) - pointer to packet information */
678 678 /* */
679 679 /* IPv6 Only */
680 680 /* This routine is mainly concerned with determining the minimum valid size */
681 681 /* for an ICMPv6 packet. */
682 682 /* ------------------------------------------------------------------------ */
683 683 static INLINE void frpr_icmp6(fin)
684 684 fr_info_t *fin;
685 685 {
686 686 int minicmpsz = sizeof(struct icmp6_hdr);
687 687 struct icmp6_hdr *icmp6;
688 688
689 689 if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN - sizeof(ip6_t)) == -1)
690 690 return;
691 691
692 692 if (fin->fin_dlen > 1) {
693 693 icmp6 = fin->fin_dp;
694 694
695 695 fin->fin_data[0] = *(u_short *)icmp6;
696 696
697 697 if ((icmp6->icmp6_type & ICMP6_INFOMSG_MASK) != 0)
698 698 fin->fin_flx |= FI_ICMPQUERY;
699 699
700 700 switch (icmp6->icmp6_type)
701 701 {
702 702 case ICMP6_ECHO_REPLY :
703 703 case ICMP6_ECHO_REQUEST :
704 704 if (fin->fin_dlen >= 6)
705 705 fin->fin_data[1] = icmp6->icmp6_id;
706 706 minicmpsz = ICMP6ERR_MINPKTLEN - sizeof(ip6_t);
707 707 break;
708 708 case ICMP6_DST_UNREACH :
709 709 case ICMP6_PACKET_TOO_BIG :
710 710 case ICMP6_TIME_EXCEEDED :
711 711 case ICMP6_PARAM_PROB :
712 712 if ((fin->fin_m != NULL) &&
713 713 (M_LEN(fin->fin_m) < fin->fin_plen)) {
714 714 if (fr_coalesce(fin) != 1)
715 715 return;
716 716 }
717 717 fin->fin_flx |= FI_ICMPERR;
718 718 minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
719 719 break;
720 720 default :
721 721 break;
722 722 }
723 723 }
724 724
725 725 frpr_short6(fin, minicmpsz);
726 726 }
727 727
728 728
729 729 /* ------------------------------------------------------------------------ */
730 730 /* Function: frpr_udp6 */
731 731 /* Returns: void */
732 732 /* Parameters: fin(I) - pointer to packet information */
733 733 /* */
734 734 /* IPv6 Only */
735 735 /* Analyse the packet for IPv6/UDP properties. */
736 736 /* Is not expected to be called for fragmented packets. */
737 737 /* ------------------------------------------------------------------------ */
738 738 static INLINE void frpr_udp6(fin)
739 739 fr_info_t *fin;
740 740 {
741 741
742 742 fr_checkv6sum(fin);
743 743
744 744 frpr_short6(fin, sizeof(struct udphdr));
745 745 if (frpr_pullup(fin, sizeof(struct udphdr)) == -1)
746 746 return;
747 747
748 748 frpr_udpcommon(fin);
749 749 }
750 750
751 751
752 752 /* ------------------------------------------------------------------------ */
753 753 /* Function: frpr_tcp6 */
754 754 /* Returns: void */
755 755 /* Parameters: fin(I) - pointer to packet information */
756 756 /* */
757 757 /* IPv6 Only */
758 758 /* Analyse the packet for IPv6/TCP properties. */
759 759 /* Is not expected to be called for fragmented packets. */
760 760 /* ------------------------------------------------------------------------ */
761 761 static INLINE void frpr_tcp6(fin)
762 762 fr_info_t *fin;
763 763 {
764 764
765 765 fr_checkv6sum(fin);
766 766
767 767 frpr_short6(fin, sizeof(struct tcphdr));
768 768 if (frpr_pullup(fin, sizeof(struct tcphdr)) == -1)
769 769 return;
770 770
771 771 frpr_tcpcommon(fin);
772 772 }
773 773
774 774
775 775 /* ------------------------------------------------------------------------ */
776 776 /* Function: frpr_esp6 */
777 777 /* Returns: void */
778 778 /* Parameters: fin(I) - pointer to packet information */
779 779 /* */
780 780 /* IPv6 Only */
781 781 /* Analyse the packet for ESP properties. */
782 782 /* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
783 783 /* even though the newer ESP packets must also have a sequence number that */
784 784 /* is 32bits as well, it is not possible(?) to determine the version from a */
785 785 /* simple packet header. */
786 786 /* ------------------------------------------------------------------------ */
787 787 static INLINE void frpr_esp6(fin)
788 788 fr_info_t *fin;
789 789 {
790 790 int i;
791 791 frpr_short6(fin, sizeof(grehdr_t));
792 792
793 793 (void) frpr_pullup(fin, 8);
794 794
795 795 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
796 796 if (ip6exthdr[i].ol_val == IPPROTO_ESP) {
797 797 fin->fin_optmsk |= ip6exthdr[i].ol_bit;
798 798 break;
799 799 }
800 800 }
801 801
802 802
803 803 /* ------------------------------------------------------------------------ */
804 804 /* Function: frpr_ah6 */
805 805 /* Returns: void */
806 806 /* Parameters: fin(I) - pointer to packet information */
807 807 /* */
808 808 /* IPv6 Only */
809 809 /* Analyse the packet for AH properties. */
810 810 /* The minimum length is taken to be the combination of all fields in the */
811 811 /* header being present and no authentication data (null algorithm used.) */
812 812 /* ------------------------------------------------------------------------ */
813 813 static INLINE int frpr_ah6(fin)
814 814 fr_info_t *fin;
815 815 {
816 816 authhdr_t *ah;
817 817 int i, shift;
818 818
819 819 frpr_short6(fin, 12);
820 820
821 821 if (frpr_pullup(fin, sizeof(*ah)) == -1)
822 822 return IPPROTO_NONE;
823 823
824 824 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
825 825 if (ip6exthdr[i].ol_val == IPPROTO_AH) {
826 826 fin->fin_optmsk |= ip6exthdr[i].ol_bit;
827 827 break;
828 828 }
829 829
830 830 ah = (authhdr_t *)fin->fin_dp;
831 831
832 832 shift = (ah->ah_plen + 2) * 4;
833 833 fin->fin_dlen -= shift;
834 834 fin->fin_dp = (char*)fin->fin_dp + shift;
835 835
836 836 return ah->ah_next;
837 837 }
838 838
839 839
840 840 /* ------------------------------------------------------------------------ */
841 841 /* Function: frpr_gre6 */
842 842 /* Returns: void */
843 843 /* Parameters: fin(I) - pointer to packet information */
844 844 /* */
845 845 /* Analyse the packet for GRE properties. */
846 846 /* ------------------------------------------------------------------------ */
847 847 static INLINE void frpr_gre6(fin)
848 848 fr_info_t *fin;
849 849 {
850 850 grehdr_t *gre;
851 851
852 852 frpr_short6(fin, sizeof(grehdr_t));
853 853
854 854 if (frpr_pullup(fin, sizeof(grehdr_t)) == -1)
855 855 return;
856 856
857 857 gre = fin->fin_dp;
858 858 if (GRE_REV(gre->gr_flags) == 1)
859 859 fin->fin_data[0] = gre->gr_call;
860 860 }
861 861 #endif /* USE_INET6 */
862 862
863 863
864 864 /* ------------------------------------------------------------------------ */
865 865 /* Function: frpr_pullup */
866 866 /* Returns: int - 0 == pullup succeeded, -1 == failure */
867 867 /* Parameters: fin(I) - pointer to packet information */
868 868 /* plen(I) - length (excluding L3 header) to pullup */
869 869 /* */
870 870 /* Short inline function to cut down on code duplication to perform a call */
871 871 /* to fr_pullup to ensure there is the required amount of data, */
872 872 /* consecutively in the packet buffer. */
873 873 /* ------------------------------------------------------------------------ */
874 874 static INLINE int frpr_pullup(fin, plen)
875 875 fr_info_t *fin;
876 876 int plen;
877 877 {
878 878 #if defined(_KERNEL)
879 879 if (fin->fin_m != NULL) {
880 880 int ipoff;
881 881
882 882 ipoff = (char *)fin->fin_ip - MTOD(fin->fin_m, char *);
883 883
884 884 if (fin->fin_dp != NULL)
885 885 plen += (char *)fin->fin_dp -
886 886 ((char *)fin->fin_ip + fin->fin_hlen);
887 887 plen += fin->fin_hlen;
888 888 /*
889 889 * We don't do 'plen += ipoff;' here. The fr_pullup() will
890 890 * do it for us.
891 891 */
892 892 if (M_LEN(fin->fin_m) < plen + ipoff) {
893 893 if (fr_pullup(fin->fin_m, fin, plen) == NULL)
894 894 return -1;
895 895 }
896 896 }
897 897 #endif
898 898 return 0;
899 899 }
900 900
901 901
902 902 /* ------------------------------------------------------------------------ */
903 903 /* Function: frpr_short */
904 904 /* Returns: void */
905 905 /* Parameters: fin(I) - pointer to packet information */
906 906 /* xmin(I) - minimum header size */
907 907 /* */
908 908 /* Check if a packet is "short" as defined by xmin. The rule we are */
909 909 /* applying here is that the packet must not be fragmented within the layer */
910 910 /* 4 header. That is, it must not be a fragment that has its offset set to */
911 911 /* start within the layer 4 header (hdrmin) or if it is at offset 0, the */
912 912 /* entire layer 4 header must be present (min). */
913 913 /* ------------------------------------------------------------------------ */
914 914 static INLINE void frpr_short(fin, xmin)
915 915 fr_info_t *fin;
916 916 int xmin;
917 917 {
918 918
919 919 if (fin->fin_off == 0) {
920 920 if (fin->fin_dlen < xmin)
921 921 fin->fin_flx |= FI_SHORT;
922 922 } else if (fin->fin_off < xmin) {
923 923 fin->fin_flx |= FI_SHORT;
924 924 }
925 925 }
926 926
927 927
928 928 /* ------------------------------------------------------------------------ */
929 929 /* Function: frpr_icmp */
930 930 /* Returns: void */
931 931 /* Parameters: fin(I) - pointer to packet information */
932 932 /* */
933 933 /* IPv4 Only */
934 934 /* Do a sanity check on the packet for ICMP (v4). In nearly all cases, */
935 935 /* except extrememly bad packets, both type and code will be present. */
936 936 /* The expected minimum size of an ICMP packet is very much dependent on */
937 937 /* the type of it. */
938 938 /* */
939 939 /* XXX - other ICMP sanity checks? */
940 940 /* ------------------------------------------------------------------------ */
941 941 static INLINE void frpr_icmp(fin)
942 942 fr_info_t *fin;
943 943 {
944 944 int minicmpsz = sizeof(struct icmp);
945 945 icmphdr_t *icmp;
946 946 ip_t *oip;
947 947 ipf_stack_t *ifs = fin->fin_ifs;
948 948
949 949 if (fin->fin_off != 0) {
950 950 frpr_short(fin, ICMPERR_ICMPHLEN);
951 951 return;
952 952 }
953 953
954 954 if (frpr_pullup(fin, ICMPERR_ICMPHLEN) == -1)
955 955 return;
956 956
957 957 fr_checkv4sum(fin);
958 958
959 959 /*
960 960 * This is a right place to set icmp pointer, since the memory
961 961 * referenced by fin_dp could get reallocated. The code down below can
962 962 * rely on fact icmp variable always points to ICMP header.
963 963 */
964 964 icmp = fin->fin_dp;
965 965 fin->fin_data[0] = *(u_short *)icmp;
966 966 fin->fin_data[1] = icmp->icmp_id;
967 967
968 968 switch (icmp->icmp_type)
969 969 {
970 970 case ICMP_ECHOREPLY :
971 971 case ICMP_ECHO :
972 972 /* Router discovery messaes - RFC 1256 */
973 973 case ICMP_ROUTERADVERT :
974 974 case ICMP_ROUTERSOLICIT :
975 975 minicmpsz = ICMP_MINLEN;
976 976 break;
977 977 /*
978 978 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
979 979 * 3 * timestamp(3 * 4)
980 980 */
981 981 case ICMP_TSTAMP :
982 982 case ICMP_TSTAMPREPLY :
983 983 minicmpsz = 20;
984 984 break;
985 985 /*
986 986 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
987 987 * mask(4)
988 988 */
989 989 case ICMP_MASKREQ :
990 990 case ICMP_MASKREPLY :
991 991 minicmpsz = 12;
992 992 break;
993 993 /*
994 994 * type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+)
995 995 */
996 996 case ICMP_UNREACH :
997 997 if (icmp->icmp_code == ICMP_UNREACH_NEEDFRAG) {
998 998 if (icmp->icmp_nextmtu < ifs->ifs_fr_icmpminfragmtu)
999 999 fin->fin_flx |= FI_BAD;
1000 1000 }
1001 1001 /* FALLTHRU */
1002 1002 case ICMP_SOURCEQUENCH :
1003 1003 case ICMP_REDIRECT :
1004 1004 case ICMP_TIMXCEED :
1005 1005 case ICMP_PARAMPROB :
1006 1006 fin->fin_flx |= FI_ICMPERR;
1007 1007 if (fr_coalesce(fin) != 1)
1008 1008 return;
1009 1009 /*
1010 1010 * ICMP error packets should not be generated for IP
1011 1011 * packets that are a fragment that isn't the first
1012 1012 * fragment.
1013 1013 */
1014 1014 oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN);
1015 1015 if ((ntohs(oip->ip_off) & IP_OFFMASK) != 0)
1016 1016 fin->fin_flx |= FI_BAD;
1017 1017 break;
1018 1018 default :
1019 1019 break;
1020 1020 }
1021 1021
1022 1022 frpr_short(fin, minicmpsz);
1023 1023 }
1024 1024
1025 1025
1026 1026 /* ------------------------------------------------------------------------ */
1027 1027 /* Function: frpr_tcpcommon */
1028 1028 /* Returns: void */
1029 1029 /* Parameters: fin(I) - pointer to packet information */
1030 1030 /* */
1031 1031 /* TCP header sanity checking. Look for bad combinations of TCP flags, */
1032 1032 /* and make some checks with how they interact with other fields. */
1033 1033 /* If compiled with IPFILTER_CKSUM, check to see if the TCP checksum is */
1034 1034 /* valid and mark the packet as bad if not. */
1035 1035 /* ------------------------------------------------------------------------ */
1036 1036 static INLINE void frpr_tcpcommon(fin)
1037 1037 fr_info_t *fin;
1038 1038 {
1039 1039 int flags, tlen;
1040 1040 tcphdr_t *tcp;
1041 1041
1042 1042 fin->fin_flx |= FI_TCPUDP;
1043 1043 if (fin->fin_off != 0)
1044 1044 return;
1045 1045
1046 1046 if (frpr_pullup(fin, sizeof(*tcp)) == -1)
1047 1047 return;
1048 1048 tcp = fin->fin_dp;
1049 1049
1050 1050 if (fin->fin_dlen > 3) {
1051 1051 fin->fin_sport = ntohs(tcp->th_sport);
1052 1052 fin->fin_dport = ntohs(tcp->th_dport);
1053 1053 }
1054 1054
1055 1055 if ((fin->fin_flx & FI_SHORT) != 0)
1056 1056 return;
1057 1057
1058 1058 /*
1059 1059 * Use of the TCP data offset *must* result in a value that is at
1060 1060 * least the same size as the TCP header.
1061 1061 */
1062 1062 tlen = TCP_OFF(tcp) << 2;
1063 1063 if (tlen < sizeof(tcphdr_t)) {
1064 1064 fin->fin_flx |= FI_BAD;
1065 1065 return;
1066 1066 }
1067 1067
1068 1068 flags = tcp->th_flags;
1069 1069 fin->fin_tcpf = tcp->th_flags;
1070 1070
1071 1071 /*
1072 1072 * If the urgent flag is set, then the urgent pointer must
1073 1073 * also be set and vice versa. Good TCP packets do not have
1074 1074 * just one of these set.
1075 1075 */
1076 1076 if ((flags & TH_URG) != 0 && (tcp->th_urp == 0)) {
1077 1077 fin->fin_flx |= FI_BAD;
1078 1078 } else if ((flags & TH_URG) == 0 && (tcp->th_urp != 0)) {
1079 1079 /* Ignore this case, it shows up in "real" traffic with */
1080 1080 /* bogus values in the urgent pointer field. */
1081 1081 flags = flags; /* LINT */
1082 1082 } else if (((flags & (TH_SYN|TH_FIN)) != 0) &&
1083 1083 ((flags & (TH_RST|TH_ACK)) == TH_RST)) {
1084 1084 /* TH_FIN|TH_RST|TH_ACK seems to appear "naturally" */
1085 1085 fin->fin_flx |= FI_BAD;
1086 1086 } else if (!(flags & TH_ACK)) {
1087 1087 /*
1088 1088 * If the ack bit isn't set, then either the SYN or
1089 1089 * RST bit must be set. If the SYN bit is set, then
1090 1090 * we expect the ACK field to be 0. If the ACK is
1091 1091 * not set and if URG, PSH or FIN are set, consdier
1092 1092 * that to indicate a bad TCP packet.
1093 1093 */
1094 1094 if ((flags == TH_SYN) && (tcp->th_ack != 0)) {
1095 1095 /*
1096 1096 * Cisco PIX sets the ACK field to a random value.
1097 1097 * In light of this, do not set FI_BAD until a patch
1098 1098 * is available from Cisco to ensure that
1099 1099 * interoperability between existing systems is
1100 1100 * achieved.
1101 1101 */
1102 1102 /*fin->fin_flx |= FI_BAD*/;
1103 1103 flags = flags; /* LINT */
1104 1104 } else if (!(flags & (TH_RST|TH_SYN))) {
1105 1105 fin->fin_flx |= FI_BAD;
1106 1106 } else if ((flags & (TH_URG|TH_PUSH|TH_FIN)) != 0) {
1107 1107 fin->fin_flx |= FI_BAD;
1108 1108 }
1109 1109 }
1110 1110
1111 1111 /*
1112 1112 * At this point, it's not exactly clear what is to be gained by
1113 1113 * marking up which TCP options are and are not present. The one we
1114 1114 * are most interested in is the TCP window scale. This is only in
1115 1115 * a SYN packet [RFC1323] so we don't need this here...?
1116 1116 * Now if we were to analyse the header for passive fingerprinting,
1117 1117 * then that might add some weight to adding this...
1118 1118 */
1119 1119 if (tlen == sizeof(tcphdr_t))
1120 1120 return;
1121 1121
1122 1122 if (frpr_pullup(fin, tlen) == -1)
1123 1123 return;
1124 1124
1125 1125 #if 0
1126 1126 ip = fin->fin_ip;
1127 1127 s = (u_char *)(tcp + 1);
1128 1128 off = IP_HL(ip) << 2;
1129 1129 # ifdef _KERNEL
1130 1130 if (fin->fin_mp != NULL) {
1131 1131 mb_t *m = *fin->fin_mp;
1132 1132
1133 1133 if (off + tlen > M_LEN(m))
1134 1134 return;
1135 1135 }
1136 1136 # endif
1137 1137 for (tlen -= (int)sizeof(*tcp); tlen > 0; ) {
1138 1138 opt = *s;
1139 1139 if (opt == '\0')
1140 1140 break;
1141 1141 else if (opt == TCPOPT_NOP)
1142 1142 ol = 1;
1143 1143 else {
1144 1144 if (tlen < 2)
1145 1145 break;
1146 1146 ol = (int)*(s + 1);
1147 1147 if (ol < 2 || ol > tlen)
1148 1148 break;
1149 1149 }
1150 1150
1151 1151 for (i = 9, mv = 4; mv >= 0; ) {
1152 1152 op = ipopts + i;
1153 1153 if (opt == (u_char)op->ol_val) {
1154 1154 optmsk |= op->ol_bit;
1155 1155 break;
1156 1156 }
1157 1157 }
1158 1158 tlen -= ol;
1159 1159 s += ol;
1160 1160 }
1161 1161 #endif /* 0 */
1162 1162 }
1163 1163
1164 1164
1165 1165
1166 1166 /* ------------------------------------------------------------------------ */
1167 1167 /* Function: frpr_udpcommon */
1168 1168 /* Returns: void */
1169 1169 /* Parameters: fin(I) - pointer to packet information */
1170 1170 /* */
1171 1171 /* Extract the UDP source and destination ports, if present. If compiled */
1172 1172 /* with IPFILTER_CKSUM, check to see if the UDP checksum is valid. */
1173 1173 /* ------------------------------------------------------------------------ */
1174 1174 static INLINE void frpr_udpcommon(fin)
1175 1175 fr_info_t *fin;
1176 1176 {
1177 1177 udphdr_t *udp;
1178 1178
1179 1179 fin->fin_flx |= FI_TCPUDP;
1180 1180
1181 1181 if (!fin->fin_off && (fin->fin_dlen > 3)) {
1182 1182 if (frpr_pullup(fin, sizeof(*udp)) == -1) {
1183 1183 fin->fin_flx |= FI_SHORT;
1184 1184 return;
1185 1185 }
1186 1186
1187 1187 udp = fin->fin_dp;
1188 1188
1189 1189 fin->fin_sport = ntohs(udp->uh_sport);
1190 1190 fin->fin_dport = ntohs(udp->uh_dport);
1191 1191 }
1192 1192 }
1193 1193
1194 1194
1195 1195 /* ------------------------------------------------------------------------ */
1196 1196 /* Function: frpr_tcp */
1197 1197 /* Returns: void */
1198 1198 /* Parameters: fin(I) - pointer to packet information */
1199 1199 /* */
1200 1200 /* IPv4 Only */
1201 1201 /* Analyse the packet for IPv4/TCP properties. */
1202 1202 /* ------------------------------------------------------------------------ */
1203 1203 static INLINE void frpr_tcp(fin)
1204 1204 fr_info_t *fin;
1205 1205 {
1206 1206
1207 1207 fr_checkv4sum(fin);
1208 1208
1209 1209 frpr_short(fin, sizeof(tcphdr_t));
1210 1210
1211 1211 frpr_tcpcommon(fin);
1212 1212 }
1213 1213
1214 1214
1215 1215 /* ------------------------------------------------------------------------ */
1216 1216 /* Function: frpr_udp */
1217 1217 /* Returns: void */
1218 1218 /* Parameters: fin(I) - pointer to packet information */
1219 1219 /* */
1220 1220 /* IPv4 Only */
1221 1221 /* Analyse the packet for IPv4/UDP properties. */
1222 1222 /* ------------------------------------------------------------------------ */
1223 1223 static INLINE void frpr_udp(fin)
1224 1224 fr_info_t *fin;
1225 1225 {
1226 1226
1227 1227 fr_checkv4sum(fin);
1228 1228
1229 1229 frpr_short(fin, sizeof(udphdr_t));
1230 1230
1231 1231 frpr_udpcommon(fin);
1232 1232 }
1233 1233
1234 1234
1235 1235 /* ------------------------------------------------------------------------ */
1236 1236 /* Function: frpr_esp */
1237 1237 /* Returns: void */
1238 1238 /* Parameters: fin(I) - pointer to packet information */
1239 1239 /* */
1240 1240 /* Analyse the packet for ESP properties. */
1241 1241 /* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
1242 1242 /* even though the newer ESP packets must also have a sequence number that */
1243 1243 /* is 32bits as well, it is not possible(?) to determine the version from a */
1244 1244 /* simple packet header. */
1245 1245 /* ------------------------------------------------------------------------ */
1246 1246 static INLINE void frpr_esp(fin)
1247 1247 fr_info_t *fin;
1248 1248 {
1249 1249 if ((fin->fin_off == 0) && (frpr_pullup(fin, 8) == -1))
1250 1250 return;
1251 1251
1252 1252 frpr_short(fin, 8);
1253 1253 }
1254 1254
1255 1255
1256 1256 /* ------------------------------------------------------------------------ */
1257 1257 /* Function: frpr_ah */
1258 1258 /* Returns: void */
1259 1259 /* Parameters: fin(I) - pointer to packet information */
1260 1260 /* */
1261 1261 /* Analyse the packet for AH properties. */
1262 1262 /* The minimum length is taken to be the combination of all fields in the */
1263 1263 /* header being present and no authentication data (null algorithm used.) */
1264 1264 /* ------------------------------------------------------------------------ */
1265 1265 static INLINE void frpr_ah(fin)
1266 1266 fr_info_t *fin;
1267 1267 {
1268 1268 authhdr_t *ah;
1269 1269 int len;
1270 1270
1271 1271 if ((fin->fin_off == 0) && (frpr_pullup(fin, sizeof(*ah)) == -1))
1272 1272 return;
1273 1273
1274 1274 ah = (authhdr_t *)fin->fin_dp;
1275 1275
1276 1276 len = (ah->ah_plen + 2) << 2;
1277 1277 frpr_short(fin, len);
1278 1278 }
1279 1279
1280 1280
1281 1281 /* ------------------------------------------------------------------------ */
1282 1282 /* Function: frpr_gre */
1283 1283 /* Returns: void */
1284 1284 /* Parameters: fin(I) - pointer to packet information */
1285 1285 /* */
1286 1286 /* Analyse the packet for GRE properties. */
1287 1287 /* ------------------------------------------------------------------------ */
1288 1288 static INLINE void frpr_gre(fin)
1289 1289 fr_info_t *fin;
1290 1290 {
1291 1291 grehdr_t *gre;
1292 1292
1293 1293 if ((fin->fin_off == 0) && (frpr_pullup(fin, sizeof(grehdr_t)) == -1))
1294 1294 return;
1295 1295
1296 1296 frpr_short(fin, sizeof(grehdr_t));
1297 1297
1298 1298 if (fin->fin_off == 0) {
1299 1299 gre = fin->fin_dp;
1300 1300 if (GRE_REV(gre->gr_flags) == 1)
1301 1301 fin->fin_data[0] = gre->gr_call;
1302 1302 }
1303 1303 }
1304 1304
1305 1305
1306 1306 /* ------------------------------------------------------------------------ */
1307 1307 /* Function: frpr_ipv4hdr */
1308 1308 /* Returns: void */
1309 1309 /* Parameters: fin(I) - pointer to packet information */
1310 1310 /* */
1311 1311 /* IPv4 Only */
1312 1312 /* Analyze the IPv4 header and set fields in the fr_info_t structure. */
1313 1313 /* Check all options present and flag their presence if any exist. */
1314 1314 /* ------------------------------------------------------------------------ */
1315 1315 static INLINE void frpr_ipv4hdr(fin)
1316 1316 fr_info_t *fin;
1317 1317 {
1318 1318 u_short optmsk = 0, secmsk = 0, auth = 0;
1319 1319 int hlen, ol, mv, p, i;
1320 1320 const struct optlist *op;
1321 1321 u_char *s, opt;
1322 1322 u_short off;
1323 1323 fr_ip_t *fi;
1324 1324 ip_t *ip;
1325 1325
1326 1326 fi = &fin->fin_fi;
1327 1327 hlen = fin->fin_hlen;
1328 1328
1329 1329 ip = fin->fin_ip;
1330 1330 p = ip->ip_p;
1331 1331 fi->fi_p = p;
1332 1332 fi->fi_tos = ip->ip_tos;
1333 1333 fin->fin_id = ip->ip_id;
1334 1334 off = ip->ip_off;
1335 1335
1336 1336 /* Get both TTL and protocol */
1337 1337 fi->fi_p = ip->ip_p;
1338 1338 fi->fi_ttl = ip->ip_ttl;
1339 1339 #if 0
1340 1340 (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
1341 1341 #endif
1342 1342
1343 1343 /* Zero out bits not used in IPv6 address */
1344 1344 fi->fi_src.i6[1] = 0;
1345 1345 fi->fi_src.i6[2] = 0;
1346 1346 fi->fi_src.i6[3] = 0;
1347 1347 fi->fi_dst.i6[1] = 0;
1348 1348 fi->fi_dst.i6[2] = 0;
1349 1349 fi->fi_dst.i6[3] = 0;
1350 1350
1351 1351 fi->fi_saddr = ip->ip_src.s_addr;
1352 1352 fi->fi_daddr = ip->ip_dst.s_addr;
1353 1353
1354 1354 /*
1355 1355 * set packet attribute flags based on the offset and
1356 1356 * calculate the byte offset that it represents.
1357 1357 */
1358 1358 off &= IP_MF|IP_OFFMASK;
1359 1359 if (off != 0) {
1360 1360 int morefrag = off & IP_MF;
1361 1361
1362 1362 fi->fi_flx |= FI_FRAG;
1363 1363 if (morefrag)
1364 1364 fi->fi_flx |= FI_MOREFRAG;
1365 1365 off &= IP_OFFMASK;
1366 1366 if (off != 0) {
1367 1367 fin->fin_flx |= FI_FRAGBODY;
1368 1368 off <<= 3;
1369 1369 if ((off + fin->fin_dlen > 65535) ||
1370 1370 (fin->fin_dlen == 0) ||
1371 1371 ((morefrag != 0) && ((fin->fin_dlen & 7) != 0))) {
1372 1372 /*
1373 1373 * The length of the packet, starting at its
1374 1374 * offset cannot exceed 65535 (0xffff) as the
1375 1375 * length of an IP packet is only 16 bits.
1376 1376 *
1377 1377 * Any fragment that isn't the last fragment
1378 1378 * must have a length greater than 0 and it
1379 1379 * must be an even multiple of 8.
1380 1380 */
1381 1381 fi->fi_flx |= FI_BAD;
1382 1382 }
1383 1383 }
1384 1384 }
1385 1385 fin->fin_off = off;
1386 1386
1387 1387 /*
1388 1388 * Call per-protocol setup and checking
1389 1389 */
1390 1390 switch (p)
1391 1391 {
1392 1392 case IPPROTO_UDP :
1393 1393 frpr_udp(fin);
1394 1394 break;
1395 1395 case IPPROTO_TCP :
1396 1396 frpr_tcp(fin);
1397 1397 break;
1398 1398 case IPPROTO_ICMP :
1399 1399 frpr_icmp(fin);
1400 1400 break;
1401 1401 case IPPROTO_AH :
1402 1402 frpr_ah(fin);
1403 1403 break;
1404 1404 case IPPROTO_ESP :
1405 1405 frpr_esp(fin);
1406 1406 break;
1407 1407 case IPPROTO_GRE :
1408 1408 frpr_gre(fin);
1409 1409 break;
1410 1410 }
1411 1411
1412 1412 ip = fin->fin_ip;
1413 1413 if (ip == NULL)
1414 1414 return;
1415 1415
1416 1416 /*
1417 1417 * If it is a standard IP header (no options), set the flag fields
1418 1418 * which relate to options to 0.
1419 1419 */
1420 1420 if (hlen == sizeof(*ip)) {
1421 1421 fi->fi_optmsk = 0;
1422 1422 fi->fi_secmsk = 0;
1423 1423 fi->fi_auth = 0;
1424 1424 return;
1425 1425 }
1426 1426
1427 1427 /*
1428 1428 * So the IP header has some IP options attached. Walk the entire
1429 1429 * list of options present with this packet and set flags to indicate
1430 1430 * which ones are here and which ones are not. For the somewhat out
1431 1431 * of date and obscure security classification options, set a flag to
1432 1432 * represent which classification is present.
1433 1433 */
1434 1434 fi->fi_flx |= FI_OPTIONS;
1435 1435
1436 1436 for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
1437 1437 opt = *s;
1438 1438 if (opt == '\0')
1439 1439 break;
1440 1440 else if (opt == IPOPT_NOP)
1441 1441 ol = 1;
1442 1442 else {
1443 1443 if (hlen < 2)
1444 1444 break;
1445 1445 ol = (int)*(s + 1);
1446 1446 if (ol < 2 || ol > hlen)
1447 1447 break;
1448 1448 }
1449 1449 for (i = 9, mv = 4; mv >= 0; ) {
1450 1450 op = ipopts + i;
1451 1451 if ((opt == (u_char)op->ol_val) && (ol > 4)) {
1452 1452 optmsk |= op->ol_bit;
1453 1453 if (opt == IPOPT_SECURITY) {
1454 1454 const struct optlist *sp;
1455 1455 u_char sec;
1456 1456 int j, m;
1457 1457
1458 1458 sec = *(s + 2); /* classification */
1459 1459 for (j = 3, m = 2; m >= 0; ) {
1460 1460 sp = secopt + j;
1461 1461 if (sec == sp->ol_val) {
1462 1462 secmsk |= sp->ol_bit;
1463 1463 auth = *(s + 3);
1464 1464 auth *= 256;
1465 1465 auth += *(s + 4);
1466 1466 break;
1467 1467 }
1468 1468 if (sec < sp->ol_val)
1469 1469 j -= m;
1470 1470 else
1471 1471 j += m;
1472 1472 m--;
1473 1473 }
1474 1474 }
1475 1475 break;
1476 1476 }
1477 1477 if (opt < op->ol_val)
1478 1478 i -= mv;
1479 1479 else
1480 1480 i += mv;
1481 1481 mv--;
1482 1482 }
1483 1483 hlen -= ol;
1484 1484 s += ol;
1485 1485 }
1486 1486
1487 1487 /*
1488 1488 *
1489 1489 */
1490 1490 if (auth && !(auth & 0x0100))
1491 1491 auth &= 0xff00;
1492 1492 fi->fi_optmsk = optmsk;
1493 1493 fi->fi_secmsk = secmsk;
1494 1494 fi->fi_auth = auth;
1495 1495 }
1496 1496
1497 1497
1498 1498 /* ------------------------------------------------------------------------ */
1499 1499 /* Function: fr_makefrip */
1500 1500 /* Returns: int - 1 == hdr checking error, 0 == OK */
1501 1501 /* Parameters: hlen(I) - length of IP packet header */
1502 1502 /* ip(I) - pointer to the IP header */
1503 1503 /* fin(IO) - pointer to packet information */
1504 1504 /* */
1505 1505 /* Compact the IP header into a structure which contains just the info. */
1506 1506 /* which is useful for comparing IP headers with and store this information */
1507 1507 /* in the fr_info_t structure pointer to by fin. At present, it is assumed */
1508 1508 /* this function will be called with either an IPv4 or IPv6 packet. */
1509 1509 /* ------------------------------------------------------------------------ */
1510 1510 int fr_makefrip(hlen, ip, fin)
1511 1511 int hlen;
1512 1512 ip_t *ip;
1513 1513 fr_info_t *fin;
1514 1514 {
1515 1515 int v;
1516 1516
1517 1517 fin->fin_depth = 0;
1518 1518 fin->fin_hlen = (u_short)hlen;
1519 1519 fin->fin_ip = ip;
1520 1520 fin->fin_rule = 0xffffffff;
1521 1521 fin->fin_group[0] = -1;
1522 1522 fin->fin_group[1] = '\0';
1523 1523 fin->fin_dlen = fin->fin_plen - hlen;
1524 1524 fin->fin_dp = (char *)ip + hlen;
1525 1525
1526 1526 v = fin->fin_v;
1527 1527 if (v == 4)
1528 1528 frpr_ipv4hdr(fin);
1529 1529 #ifdef USE_INET6
1530 1530 else if (v == 6)
1531 1531 frpr_ipv6hdr(fin);
1532 1532 #endif
1533 1533 if (fin->fin_ip == NULL)
1534 1534 return -1;
1535 1535 return 0;
1536 1536 }
1537 1537
1538 1538
1539 1539 /* ------------------------------------------------------------------------ */
1540 1540 /* Function: fr_portcheck */
1541 1541 /* Returns: int - 1 == port matched, 0 == port match failed */
1542 1542 /* Parameters: frp(I) - pointer to port check `expression' */
1543 1543 /* pop(I) - pointer to port number to evaluate */
1544 1544 /* */
1545 1545 /* Perform a comparison of a port number against some other(s), using a */
1546 1546 /* structure with compare information stored in it. */
1547 1547 /* ------------------------------------------------------------------------ */
1548 1548 static INLINE int fr_portcheck(frp, pop)
1549 1549 frpcmp_t *frp;
1550 1550 u_short *pop;
1551 1551 {
1552 1552 u_short tup, po;
1553 1553 int err = 1;
1554 1554
1555 1555 tup = *pop;
1556 1556 po = frp->frp_port;
1557 1557
1558 1558 /*
1559 1559 * Do opposite test to that required and continue if that succeeds.
1560 1560 */
1561 1561 switch (frp->frp_cmp)
1562 1562 {
1563 1563 case FR_EQUAL :
1564 1564 if (tup != po) /* EQUAL */
1565 1565 err = 0;
1566 1566 break;
1567 1567 case FR_NEQUAL :
1568 1568 if (tup == po) /* NOTEQUAL */
1569 1569 err = 0;
1570 1570 break;
1571 1571 case FR_LESST :
1572 1572 if (tup >= po) /* LESSTHAN */
1573 1573 err = 0;
1574 1574 break;
1575 1575 case FR_GREATERT :
1576 1576 if (tup <= po) /* GREATERTHAN */
1577 1577 err = 0;
1578 1578 break;
1579 1579 case FR_LESSTE :
1580 1580 if (tup > po) /* LT or EQ */
1581 1581 err = 0;
1582 1582 break;
1583 1583 case FR_GREATERTE :
1584 1584 if (tup < po) /* GT or EQ */
1585 1585 err = 0;
1586 1586 break;
1587 1587 case FR_OUTRANGE :
1588 1588 if (tup >= po && tup <= frp->frp_top) /* Out of range */
1589 1589 err = 0;
1590 1590 break;
1591 1591 case FR_INRANGE :
1592 1592 if (tup <= po || tup >= frp->frp_top) /* In range */
1593 1593 err = 0;
1594 1594 break;
1595 1595 case FR_INCRANGE :
1596 1596 if (tup < po || tup > frp->frp_top) /* Inclusive range */
1597 1597 err = 0;
1598 1598 break;
1599 1599 default :
1600 1600 break;
1601 1601 }
1602 1602 return err;
1603 1603 }
1604 1604
1605 1605
1606 1606 /* ------------------------------------------------------------------------ */
1607 1607 /* Function: fr_tcpudpchk */
1608 1608 /* Returns: int - 1 == protocol matched, 0 == check failed */
1609 1609 /* Parameters: fin(I) - pointer to packet information */
1610 1610 /* ft(I) - pointer to structure with comparison data */
1611 1611 /* */
1612 1612 /* Compares the current pcket (assuming it is TCP/UDP) information with a */
1613 1613 /* structure containing information that we want to match against. */
1614 1614 /* ------------------------------------------------------------------------ */
1615 1615 int fr_tcpudpchk(fin, ft)
1616 1616 fr_info_t *fin;
1617 1617 frtuc_t *ft;
1618 1618 {
1619 1619 int err = 1;
1620 1620
1621 1621 /*
1622 1622 * Both ports should *always* be in the first fragment.
1623 1623 * So far, I cannot find any cases where they can not be.
1624 1624 *
1625 1625 * compare destination ports
1626 1626 */
1627 1627 if (ft->ftu_dcmp)
1628 1628 err = fr_portcheck(&ft->ftu_dst, &fin->fin_dport);
1629 1629
1630 1630 /*
1631 1631 * compare source ports
1632 1632 */
1633 1633 if (err && ft->ftu_scmp)
1634 1634 err = fr_portcheck(&ft->ftu_src, &fin->fin_sport);
1635 1635
1636 1636 /*
1637 1637 * If we don't have all the TCP/UDP header, then how can we
1638 1638 * expect to do any sort of match on it ? If we were looking for
1639 1639 * TCP flags, then NO match. If not, then match (which should
1640 1640 * satisfy the "short" class too).
1641 1641 */
1642 1642 if (err && (fin->fin_p == IPPROTO_TCP)) {
1643 1643 if (fin->fin_flx & FI_SHORT)
1644 1644 return !(ft->ftu_tcpf | ft->ftu_tcpfm);
1645 1645 /*
1646 1646 * Match the flags ? If not, abort this match.
1647 1647 */
1648 1648 if (ft->ftu_tcpfm &&
1649 1649 ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
1650 1650 FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
1651 1651 ft->ftu_tcpfm, ft->ftu_tcpf));
1652 1652 err = 0;
1653 1653 }
1654 1654 }
1655 1655 return err;
1656 1656 }
1657 1657
1658 1658
1659 1659 /* ------------------------------------------------------------------------ */
1660 1660 /* Function: fr_ipfcheck */
1661 1661 /* Returns: int - 0 == match, 1 == no match */
1662 1662 /* Parameters: fin(I) - pointer to packet information */
1663 1663 /* fr(I) - pointer to filter rule */
1664 1664 /* portcmp(I) - flag indicating whether to attempt matching on */
1665 1665 /* TCP/UDP port data. */
1666 1666 /* */
1667 1667 /* Check to see if a packet matches an IPFilter rule. Checks of addresses, */
1668 1668 /* port numbers, etc, for "standard" IPFilter rules are all orchestrated in */
1669 1669 /* this function. */
1670 1670 /* ------------------------------------------------------------------------ */
1671 1671 static INLINE int fr_ipfcheck(fin, fr, portcmp)
1672 1672 fr_info_t *fin;
1673 1673 frentry_t *fr;
1674 1674 int portcmp;
1675 1675 {
1676 1676 u_32_t *ld, *lm, *lip;
1677 1677 fripf_t *fri;
1678 1678 fr_ip_t *fi;
1679 1679 int i;
1680 1680 ipf_stack_t *ifs = fin->fin_ifs;
1681 1681
1682 1682 fi = &fin->fin_fi;
1683 1683 fri = fr->fr_ipf;
1684 1684 lip = (u_32_t *)fi;
1685 1685 lm = (u_32_t *)&fri->fri_mip;
1686 1686 ld = (u_32_t *)&fri->fri_ip;
1687 1687
1688 1688 /*
1689 1689 * first 32 bits to check coversion:
1690 1690 * IP version, TOS, TTL, protocol
1691 1691 */
1692 1692 i = ((*lip & *lm) != *ld);
1693 1693 FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
1694 1694 *lip, *lm, *ld));
1695 1695 if (i)
1696 1696 return 1;
1697 1697
1698 1698 /*
1699 1699 * Next 32 bits is a constructed bitmask indicating which IP options
1700 1700 * are present (if any) in this packet.
1701 1701 */
1702 1702 lip++, lm++, ld++;
1703 1703 i |= ((*lip & *lm) != *ld);
1704 1704 FR_DEBUG(("1. %#08x & %#08x != %#08x\n",
1705 1705 *lip, *lm, *ld));
1706 1706 if (i)
1707 1707 return 1;
1708 1708
1709 1709 lip++, lm++, ld++;
1710 1710 /*
1711 1711 * Unrolled loops (4 each, for 32 bits) for address checks.
1712 1712 */
1713 1713 /*
1714 1714 * Check the source address.
1715 1715 */
1716 1716 #ifdef IPFILTER_LOOKUP
1717 1717 if (fr->fr_satype == FRI_LOOKUP) {
1718 1718 fin->fin_flx |= FI_DONTCACHE;
1719 1719 i = (*fr->fr_srcfunc)(fr->fr_srcptr, fi->fi_v, lip, fin, ifs);
1720 1720 if (i == -1)
1721 1721 return 1;
1722 1722 lip += 3;
1723 1723 lm += 3;
1724 1724 ld += 3;
1725 1725 } else {
1726 1726 #endif
1727 1727 i = ((*lip & *lm) != *ld);
1728 1728 FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
1729 1729 *lip, *lm, *ld));
1730 1730 if (fi->fi_v == 6) {
1731 1731 lip++, lm++, ld++;
1732 1732 i |= ((*lip & *lm) != *ld);
1733 1733 FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
1734 1734 *lip, *lm, *ld));
1735 1735 lip++, lm++, ld++;
1736 1736 i |= ((*lip & *lm) != *ld);
1737 1737 FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
1738 1738 *lip, *lm, *ld));
1739 1739 lip++, lm++, ld++;
1740 1740 i |= ((*lip & *lm) != *ld);
1741 1741 FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
1742 1742 *lip, *lm, *ld));
1743 1743 } else {
1744 1744 lip += 3;
1745 1745 lm += 3;
1746 1746 ld += 3;
1747 1747 }
1748 1748 #ifdef IPFILTER_LOOKUP
1749 1749 }
1750 1750 #endif
1751 1751 i ^= (fr->fr_flags & FR_NOTSRCIP) >> 6;
1752 1752 if (i)
1753 1753 return 1;
1754 1754
1755 1755 /*
1756 1756 * Check the destination address.
1757 1757 */
1758 1758 lip++, lm++, ld++;
1759 1759 #ifdef IPFILTER_LOOKUP
1760 1760 if (fr->fr_datype == FRI_LOOKUP) {
1761 1761 fin->fin_flx |= FI_DONTCACHE;
1762 1762 i = (*fr->fr_dstfunc)(fr->fr_dstptr, fi->fi_v, lip, fin, ifs);
1763 1763 if (i == -1)
1764 1764 return 1;
1765 1765 lip += 3;
1766 1766 lm += 3;
1767 1767 ld += 3;
1768 1768 } else {
1769 1769 #endif
1770 1770 i = ((*lip & *lm) != *ld);
1771 1771 FR_DEBUG(("3a. %#08x & %#08x != %#08x\n",
1772 1772 *lip, *lm, *ld));
1773 1773 if (fi->fi_v == 6) {
1774 1774 lip++, lm++, ld++;
1775 1775 i |= ((*lip & *lm) != *ld);
1776 1776 FR_DEBUG(("3b. %#08x & %#08x != %#08x\n",
1777 1777 *lip, *lm, *ld));
1778 1778 lip++, lm++, ld++;
1779 1779 i |= ((*lip & *lm) != *ld);
1780 1780 FR_DEBUG(("3c. %#08x & %#08x != %#08x\n",
1781 1781 *lip, *lm, *ld));
1782 1782 lip++, lm++, ld++;
1783 1783 i |= ((*lip & *lm) != *ld);
1784 1784 FR_DEBUG(("3d. %#08x & %#08x != %#08x\n",
1785 1785 *lip, *lm, *ld));
1786 1786 } else {
1787 1787 lip += 3;
1788 1788 lm += 3;
1789 1789 ld += 3;
1790 1790 }
1791 1791 #ifdef IPFILTER_LOOKUP
1792 1792 }
1793 1793 #endif
1794 1794 i ^= (fr->fr_flags & FR_NOTDSTIP) >> 7;
1795 1795 if (i)
1796 1796 return 1;
1797 1797 /*
1798 1798 * IP addresses matched. The next 32bits contains:
1799 1799 * mast of old IP header security & authentication bits.
1800 1800 */
1801 1801 lip++, lm++, ld++;
1802 1802 i |= ((*lip & *lm) != *ld);
1803 1803 FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
1804 1804 *lip, *lm, *ld));
1805 1805
1806 1806 /*
1807 1807 * Next we have 32 bits of packet flags.
1808 1808 */
1809 1809 lip++, lm++, ld++;
1810 1810 i |= ((*lip & *lm) != *ld);
1811 1811 FR_DEBUG(("5. %#08x & %#08x != %#08x\n",
1812 1812 *lip, *lm, *ld));
1813 1813
1814 1814 if (i == 0) {
1815 1815 /*
1816 1816 * If a fragment, then only the first has what we're
1817 1817 * looking for here...
1818 1818 */
1819 1819 if (portcmp) {
1820 1820 if (!fr_tcpudpchk(fin, &fr->fr_tuc))
1821 1821 i = 1;
1822 1822 } else {
1823 1823 if (fr->fr_dcmp || fr->fr_scmp ||
1824 1824 fr->fr_tcpf || fr->fr_tcpfm)
1825 1825 i = 1;
1826 1826 if (fr->fr_icmpm || fr->fr_icmp) {
1827 1827 if (((fi->fi_p != IPPROTO_ICMP) &&
1828 1828 (fi->fi_p != IPPROTO_ICMPV6)) ||
1829 1829 fin->fin_off || (fin->fin_dlen < 2))
1830 1830 i = 1;
1831 1831 else if ((fin->fin_data[0] & fr->fr_icmpm) !=
1832 1832 fr->fr_icmp) {
1833 1833 FR_DEBUG(("i. %#x & %#x != %#x\n",
1834 1834 fin->fin_data[0],
1835 1835 fr->fr_icmpm, fr->fr_icmp));
1836 1836 i = 1;
1837 1837 }
1838 1838 }
1839 1839 }
1840 1840 }
1841 1841 return i;
1842 1842 }
1843 1843
1844 1844
1845 1845 /* ------------------------------------------------------------------------ */
1846 1846 /* Function: fr_scanlist */
1847 1847 /* Returns: int - result flags of scanning filter list */
1848 1848 /* Parameters: fin(I) - pointer to packet information */
1849 1849 /* pass(I) - default result to return for filtering */
1850 1850 /* */
1851 1851 /* Check the input/output list of rules for a match to the current packet. */
1852 1852 /* If a match is found, the value of fr_flags from the rule becomes the */
1853 1853 /* return value and fin->fin_fr points to the matched rule. */
1854 1854 /* */
1855 1855 /* This function may be called recusively upto 16 times (limit inbuilt.) */
1856 1856 /* When unwinding, it should finish up with fin_depth as 0. */
1857 1857 /* */
1858 1858 /* Could be per interface, but this gets real nasty when you don't have, */
1859 1859 /* or can't easily change, the kernel source code to . */
1860 1860 /* ------------------------------------------------------------------------ */
1861 1861 int fr_scanlist(fin, pass)
1862 1862 fr_info_t *fin;
1863 1863 u_32_t pass;
1864 1864 {
1865 1865 int rulen, portcmp, off, logged, skip;
1866 1866 struct frentry *fr, *fnext;
1867 1867 u_32_t passt, passo;
1868 1868 ipf_stack_t *ifs = fin->fin_ifs;
1869 1869
1870 1870 /*
1871 1871 * Do not allow nesting deeper than 16 levels.
1872 1872 */
1873 1873 if (fin->fin_depth >= 16)
1874 1874 return pass;
1875 1875
1876 1876 fr = fin->fin_fr;
1877 1877
1878 1878 /*
1879 1879 * If there are no rules in this list, return now.
1880 1880 */
1881 1881 if (fr == NULL)
1882 1882 return pass;
1883 1883
1884 1884 skip = 0;
1885 1885 logged = 0;
1886 1886 portcmp = 0;
1887 1887 fin->fin_depth++;
1888 1888 fin->fin_fr = NULL;
1889 1889 off = fin->fin_off;
1890 1890
1891 1891 if ((fin->fin_flx & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
1892 1892 portcmp = 1;
1893 1893
1894 1894 for (rulen = 0; fr; fr = fnext, rulen++) {
1895 1895 fnext = fr->fr_next;
1896 1896 if (skip != 0) {
1897 1897 FR_VERBOSE(("%d (%#x)\n", skip, fr->fr_flags));
1898 1898 skip--;
1899 1899 continue;
1900 1900 }
1901 1901
1902 1902 /*
1903 1903 * In all checks below, a null (zero) value in the
1904 1904 * filter struture is taken to mean a wildcard.
1905 1905 *
1906 1906 * check that we are working for the right interface
1907 1907 */
1908 1908 #ifdef _KERNEL
1909 1909 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
1910 1910 continue;
1911 1911 #else
1912 1912 if (opts & (OPT_VERBOSE|OPT_DEBUG))
1913 1913 printf("\n");
1914 1914 FR_VERBOSE(("%c", FR_ISSKIP(pass) ? 's' :
1915 1915 FR_ISPASS(pass) ? 'p' :
1916 1916 FR_ISACCOUNT(pass) ? 'A' :
1917 1917 FR_ISAUTH(pass) ? 'a' :
1918 1918 (pass & FR_NOMATCH) ? 'n' :'b'));
1919 1919 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
1920 1920 continue;
1921 1921 FR_VERBOSE((":i"));
1922 1922 #endif
1923 1923
1924 1924 switch (fr->fr_type)
1925 1925 {
1926 1926 case FR_T_IPF :
1927 1927 case FR_T_IPF|FR_T_BUILTIN :
1928 1928 if (fr_ipfcheck(fin, fr, portcmp))
1929 1929 continue;
1930 1930 break;
1931 1931 #if defined(IPFILTER_BPF)
1932 1932 case FR_T_BPFOPC :
1933 1933 case FR_T_BPFOPC|FR_T_BUILTIN :
1934 1934 {
1935 1935 u_char *mc;
1936 1936
1937 1937 if (*fin->fin_mp == NULL)
1938 1938 continue;
1939 1939 if (fin->fin_v != fr->fr_v)
1940 1940 continue;
1941 1941 mc = (u_char *)fin->fin_m;
1942 1942 if (!bpf_filter(fr->fr_data, mc, fin->fin_plen, 0))
1943 1943 continue;
1944 1944 break;
1945 1945 }
1946 1946 #endif
1947 1947 case FR_T_CALLFUNC|FR_T_BUILTIN :
1948 1948 {
1949 1949 frentry_t *f;
1950 1950
1951 1951 f = (*fr->fr_func)(fin, &pass);
1952 1952 if (f != NULL)
1953 1953 fr = f;
1954 1954 else
1955 1955 continue;
1956 1956 break;
1957 1957 }
1958 1958 default :
1959 1959 break;
1960 1960 }
1961 1961
1962 1962 if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
1963 1963 if (fin->fin_nattag == NULL)
1964 1964 continue;
1965 1965 if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) == 0)
1966 1966 continue;
1967 1967 }
1968 1968 FR_VERBOSE(("=%s.%d *", fr->fr_group, rulen));
1969 1969
1970 1970 passt = fr->fr_flags;
1971 1971
1972 1972 /*
1973 1973 * Allowing a rule with the "keep state" flag set to match
1974 1974 * packets that have been tagged "out of window" by the TCP
1975 1975 * state tracking is foolish as the attempt to add a new
1976 1976 * state entry to the table will fail.
1977 1977 */
1978 1978 if ((passt & FR_KEEPSTATE) && (fin->fin_flx & FI_OOW))
1979 1979 continue;
1980 1980
1981 1981 /*
1982 1982 * If the rule is a "call now" rule, then call the function
1983 1983 * in the rule, if it exists and use the results from that.
1984 1984 * If the function pointer is bad, just make like we ignore
1985 1985 * it, except for increasing the hit counter.
1986 1986 */
1987 1987 IPF_BUMP(fr->fr_hits);
1988 1988 fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
1989 1989 if ((passt & FR_CALLNOW) != 0) {
1990 1990 if ((fr->fr_func != NULL) &&
1991 1991 (fr->fr_func != (ipfunc_t)-1)) {
1992 1992 frentry_t *frs;
1993 1993
1994 1994 frs = fin->fin_fr;
1995 1995 fin->fin_fr = fr;
1996 1996 fr = (*fr->fr_func)(fin, &passt);
1997 1997 if (fr == NULL) {
1998 1998 fin->fin_fr = frs;
1999 1999 continue;
2000 2000 }
2001 2001 passt = fr->fr_flags;
2002 2002 fin->fin_fr = fr;
2003 2003 }
2004 2004 } else {
2005 2005 fin->fin_fr = fr;
2006 2006 }
2007 2007
2008 2008 #ifdef IPFILTER_LOG
2009 2009 /*
2010 2010 * Just log this packet...
2011 2011 */
2012 2012 if ((passt & FR_LOGMASK) == FR_LOG) {
2013 2013 if (ipflog(fin, passt) == -1) {
2014 2014 if (passt & FR_LOGORBLOCK) {
2015 2015 passt &= ~FR_CMDMASK;
2016 2016 passt |= FR_BLOCK|FR_QUICK;
2017 2017 }
2018 2018 IPF_BUMP(ifs->ifs_frstats[fin->fin_out].fr_skip);
2019 2019 }
2020 2020 IPF_BUMP(ifs->ifs_frstats[fin->fin_out].fr_pkl);
2021 2021 logged = 1;
2022 2022 }
2023 2023 #endif /* IPFILTER_LOG */
2024 2024 passo = pass;
2025 2025 if (FR_ISSKIP(passt))
2026 2026 skip = fr->fr_arg;
2027 2027 else if ((passt & FR_LOGMASK) != FR_LOG)
2028 2028 pass = passt;
2029 2029 if (passt & (FR_RETICMP|FR_FAKEICMP))
2030 2030 fin->fin_icode = fr->fr_icode;
2031 2031 FR_DEBUG(("pass %#x\n", pass));
2032 2032 fin->fin_rule = rulen;
2033 2033 (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
2034 2034 if (fr->fr_grp != NULL) {
2035 2035 fin->fin_fr = *fr->fr_grp;
2036 2036 pass = fr_scanlist(fin, pass);
2037 2037 if (fin->fin_fr == NULL) {
2038 2038 fin->fin_rule = rulen;
2039 2039 (void) strncpy(fin->fin_group, fr->fr_group,
2040 2040 FR_GROUPLEN);
2041 2041 fin->fin_fr = fr;
2042 2042 }
2043 2043 if (fin->fin_flx & FI_DONTCACHE)
2044 2044 logged = 1;
2045 2045 }
2046 2046
2047 2047 if (pass & FR_QUICK) {
2048 2048 /*
2049 2049 * Finally, if we've asked to track state for this
2050 2050 * packet, set it up. Add state for "quick" rules
2051 2051 * here so that if the action fails we can consider
2052 2052 * the rule to "not match" and keep on processing
2053 2053 * filter rules.
2054 2054 */
2055 2055 if ((pass & FR_KEEPSTATE) &&
2056 2056 !(fin->fin_flx & FI_STATE)) {
2057 2057 int out = fin->fin_out;
2058 2058
2059 2059 if (fr_addstate(fin, NULL, 0) != NULL) {
2060 2060 IPF_BUMP(ifs->ifs_frstats[out].fr_ads);
2061 2061 } else {
2062 2062 IPF_BUMP(ifs->ifs_frstats[out].fr_bads);
2063 2063 pass = passo;
2064 2064 continue;
2065 2065 }
2066 2066 }
2067 2067 break;
2068 2068 }
2069 2069 }
2070 2070 if (logged)
2071 2071 fin->fin_flx |= FI_DONTCACHE;
2072 2072 fin->fin_depth--;
2073 2073 return pass;
2074 2074 }
2075 2075
2076 2076
2077 2077 /* ------------------------------------------------------------------------ */
2078 2078 /* Function: fr_acctpkt */
2079 2079 /* Returns: frentry_t* - always returns NULL */
2080 2080 /* Parameters: fin(I) - pointer to packet information */
2081 2081 /* passp(IO) - pointer to current/new filter decision (unused) */
2082 2082 /* */
2083 2083 /* Checks a packet against accounting rules, if there are any for the given */
2084 2084 /* IP protocol version. */
2085 2085 /* */
2086 2086 /* N.B.: this function returns NULL to match the prototype used by other */
2087 2087 /* functions called from the IPFilter "mainline" in fr_check(). */
2088 2088 /* ------------------------------------------------------------------------ */
2089 2089 frentry_t *fr_acctpkt(fin, passp)
2090 2090 fr_info_t *fin;
2091 2091 u_32_t *passp;
2092 2092 {
2093 2093 char group[FR_GROUPLEN];
2094 2094 frentry_t *fr, *frsave;
2095 2095 u_32_t pass, rulen;
2096 2096 ipf_stack_t *ifs = fin->fin_ifs;
2097 2097
2098 2098 passp = passp;
2099 2099 #ifdef USE_INET6
2100 2100 if (fin->fin_v == 6)
2101 2101 fr = ifs->ifs_ipacct6[fin->fin_out][ifs->ifs_fr_active];
2102 2102 else
2103 2103 #endif
2104 2104 fr = ifs->ifs_ipacct[fin->fin_out][ifs->ifs_fr_active];
2105 2105
2106 2106 if (fr != NULL) {
2107 2107 frsave = fin->fin_fr;
2108 2108 bcopy(fin->fin_group, group, FR_GROUPLEN);
2109 2109 rulen = fin->fin_rule;
2110 2110 fin->fin_fr = fr;
2111 2111 pass = fr_scanlist(fin, FR_NOMATCH);
2112 2112 if (FR_ISACCOUNT(pass)) {
2113 2113 IPF_BUMP(ifs->ifs_frstats[0].fr_acct);
2114 2114 }
2115 2115 fin->fin_fr = frsave;
2116 2116 bcopy(group, fin->fin_group, FR_GROUPLEN);
2117 2117 fin->fin_rule = rulen;
2118 2118 }
2119 2119 return NULL;
2120 2120 }
2121 2121
2122 2122
2123 2123 /* ------------------------------------------------------------------------ */
2124 2124 /* Function: fr_firewall */
2125 2125 /* Returns: frentry_t* - returns pointer to matched rule, if no matches */
2126 2126 /* were found, returns NULL. */
2127 2127 /* Parameters: fin(I) - pointer to packet information */
2128 2128 /* passp(IO) - pointer to current/new filter decision (unused) */
2129 2129 /* */
2130 2130 /* Applies an appropriate set of firewall rules to the packet, to see if */
2131 2131 /* there are any matches. The first check is to see if a match can be seen */
2132 2132 /* in the cache. If not, then search an appropriate list of rules. Once a */
2133 2133 /* matching rule is found, take any appropriate actions as defined by the */
2134 2134 /* rule - except logging. */
2135 2135 /* ------------------------------------------------------------------------ */
2136 2136 static frentry_t *fr_firewall(fin, passp)
2137 2137 fr_info_t *fin;
2138 2138 u_32_t *passp;
2139 2139 {
2140 2140 frentry_t *fr;
2141 2141 fr_info_t *fc;
2142 2142 u_32_t pass;
2143 2143 int out;
2144 2144 ipf_stack_t *ifs = fin->fin_ifs;
2145 2145
2146 2146 out = fin->fin_out;
2147 2147 pass = *passp;
2148 2148
2149 2149 #ifdef USE_INET6
2150 2150 if (fin->fin_v == 6)
2151 2151 fin->fin_fr = ifs->ifs_ipfilter6[out][ifs->ifs_fr_active];
2152 2152 else
2153 2153 #endif
2154 2154 fin->fin_fr = ifs->ifs_ipfilter[out][ifs->ifs_fr_active];
2155 2155
2156 2156 /*
2157 2157 * If there are no rules loaded skip all checks and return.
2158 2158 */
2159 2159 if (fin->fin_fr == NULL) {
2160 2160
2161 2161 if ((pass & FR_NOMATCH)) {
2162 2162 IPF_BUMP(ifs->ifs_frstats[out].fr_nom);
2163 2163 }
2164 2164
2165 2165 return (NULL);
2166 2166 }
2167 2167
2168 2168 fc = &ifs->ifs_frcache[out][CACHE_HASH(fin)];
2169 2169 READ_ENTER(&ifs->ifs_ipf_frcache);
2170 2170 if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
2171 2171 /*
2172 2172 * copy cached data so we can unlock the mutexes earlier.
2173 2173 */
2174 2174 bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
2175 2175 RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
2176 2176 IPF_BUMP(ifs->ifs_frstats[out].fr_chit);
2177 2177
2178 2178 if ((fr = fin->fin_fr) != NULL) {
2179 2179 IPF_BUMP(fr->fr_hits);
2180 2180 fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
2181 2181 pass = fr->fr_flags;
2182 2182 }
2183 2183 } else {
2184 2184 RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
2185 2185
2186 2186 pass = fr_scanlist(fin, ifs->ifs_fr_pass);
2187 2187
2188 2188 if (((pass & FR_KEEPSTATE) == 0) &&
2189 2189 ((fin->fin_flx & FI_DONTCACHE) == 0)) {
2190 2190 WRITE_ENTER(&ifs->ifs_ipf_frcache);
2191 2191 bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
2192 2192 RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
2193 2193 }
2194 2194
2195 2195 fr = fin->fin_fr;
2196 2196 }
2197 2197
2198 2198 if ((pass & FR_NOMATCH)) {
2199 2199 IPF_BUMP(ifs->ifs_frstats[out].fr_nom);
2200 2200 }
2201 2201
2202 2202 /*
2203 2203 * Apply packets per second rate-limiting to a rule as required.
2204 2204 */
2205 2205 if ((fr != NULL) && (fr->fr_pps != 0) &&
2206 2206 !ppsratecheck(&fr->fr_lastpkt, &fr->fr_curpps, fr->fr_pps)) {
2207 2207 pass &= ~(FR_CMDMASK|FR_DUP|FR_RETICMP|FR_RETRST);
2208 2208 pass |= FR_BLOCK;
2209 2209 IPF_BUMP(ifs->ifs_frstats[out].fr_ppshit);
2210 2210 }
2211 2211
2212 2212 /*
2213 2213 * If we fail to add a packet to the authorization queue, then we
2214 2214 * drop the packet later. However, if it was added then pretend
2215 2215 * we've dropped it already.
2216 2216 */
2217 2217 if (FR_ISAUTH(pass)) {
2218 2218 if (fr_newauth(fin->fin_m, fin) != 0) {
2219 2219 #ifdef _KERNEL
2220 2220 fin->fin_m = *fin->fin_mp = NULL;
2221 2221 #else
2222 2222 ;
2223 2223 #endif
2224 2224 fin->fin_error = 0;
2225 2225 } else
2226 2226 fin->fin_error = ENOSPC;
2227 2227 }
2228 2228
2229 2229 if ((fr != NULL) && (fr->fr_func != NULL) &&
2230 2230 (fr->fr_func != (ipfunc_t)-1) && !(pass & FR_CALLNOW))
2231 2231 (void) (*fr->fr_func)(fin, &pass);
2232 2232
2233 2233 /*
2234 2234 * If a rule is a pre-auth rule, check again in the list of rules
2235 2235 * loaded for authenticated use. It does not particulary matter
2236 2236 * if this search fails because a "preauth" result, from a rule,
2237 2237 * is treated as "not a pass", hence the packet is blocked.
2238 2238 */
2239 2239 if (FR_ISPREAUTH(pass)) {
2240 2240 if ((fin->fin_fr = ifs->ifs_ipauth) != NULL)
2241 2241 pass = fr_scanlist(fin, ifs->ifs_fr_pass);
2242 2242 }
2243 2243
2244 2244 /*
2245 2245 * If the rule has "keep frag" and the packet is actually a fragment,
2246 2246 * then create a fragment state entry.
2247 2247 */
2248 2248 if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
2249 2249 if (fin->fin_flx & FI_FRAG) {
2250 2250 if (fr_newfrag(fin, pass) == -1) {
2251 2251 IPF_BUMP(ifs->ifs_frstats[out].fr_bnfr);
2252 2252 } else {
2253 2253 IPF_BUMP(ifs->ifs_frstats[out].fr_nfr);
2254 2254 }
2255 2255 } else {
2256 2256 IPF_BUMP(ifs->ifs_frstats[out].fr_cfr);
2257 2257 }
2258 2258 }
2259 2259
2260 2260 /*
2261 2261 * Finally, if we've asked to track state for this packet, set it up.
2262 2262 */
2263 2263 if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
2264 2264 if (fr_addstate(fin, NULL, 0) != NULL) {
2265 2265 IPF_BUMP(ifs->ifs_frstats[out].fr_ads);
2266 2266 } else {
2267 2267 IPF_BUMP(ifs->ifs_frstats[out].fr_bads);
2268 2268 if (FR_ISPASS(pass)) {
2269 2269 pass &= ~FR_CMDMASK;
2270 2270 pass |= FR_BLOCK;
2271 2271 }
2272 2272 }
2273 2273 }
2274 2274
2275 2275 fr = fin->fin_fr;
2276 2276
2277 2277 if (passp != NULL)
2278 2278 *passp = pass;
2279 2279
2280 2280 return fr;
2281 2281 }
2282 2282
2283 2283 /* ------------------------------------------------------------------------ */
2284 2284 /* Function: fr_check */
2285 2285 /* Returns: int - 0 == packet allowed through, */
2286 2286 /* User space: */
2287 2287 /* -1 == packet blocked */
2288 2288 /* 1 == packet not matched */
2289 2289 /* -2 == requires authentication */
2290 2290 /* Kernel: */
2291 2291 /* > 0 == filter error # for packet */
2292 2292 /* Parameters: ip(I) - pointer to start of IPv4/6 packet */
2293 2293 /* hlen(I) - length of header */
2294 2294 /* ifp(I) - pointer to interface this packet is on */
2295 2295 /* out(I) - 0 == packet going in, 1 == packet going out */
2296 2296 /* mp(IO) - pointer to caller's buffer pointer that holds this */
2297 2297 /* IP packet. */
2298 2298 /* Solaris & HP-UX ONLY : */
2299 2299 /* qpi(I) - pointer to STREAMS queue information for this */
2300 2300 /* interface & direction. */
2301 2301 /* */
2302 2302 /* fr_check() is the master function for all IPFilter packet processing. */
2303 2303 /* It orchestrates: Network Address Translation (NAT), checking for packet */
2304 2304 /* authorisation (or pre-authorisation), presence of related state info., */
2305 2305 /* generating log entries, IP packet accounting, routing of packets as */
2306 2306 /* directed by firewall rules and of course whether or not to allow the */
2307 2307 /* packet to be further processed by the kernel. */
2308 2308 /* */
2309 2309 /* For packets blocked, the contents of "mp" will be NULL'd and the buffer */
2310 2310 /* freed. Packets passed may be returned with the pointer pointed to by */
2311 2311 /* by "mp" changed to a new buffer. */
2312 2312 /* ------------------------------------------------------------------------ */
2313 2313 int fr_check(ip, hlen, ifp, out
2314 2314 #if defined(_KERNEL) && defined(MENTAT)
2315 2315 , qif, mp, ifs)
2316 2316 void *qif;
2317 2317 #else
2318 2318 , mp, ifs)
2319 2319 #endif
2320 2320 mb_t **mp;
2321 2321 ip_t *ip;
2322 2322 int hlen;
2323 2323 void *ifp;
2324 2324 int out;
2325 2325 ipf_stack_t *ifs;
2326 2326 {
2327 2327 /*
2328 2328 * The above really sucks, but short of writing a diff
2329 2329 */
2330 2330 fr_info_t frinfo;
2331 2331 fr_info_t *fin = &frinfo;
2332 2332 u_32_t pass;
2333 2333 frentry_t *fr = NULL;
2334 2334 int v = IP_V(ip);
2335 2335 mb_t *mc = NULL;
2336 2336 mb_t *m;
2337 2337 #ifdef USE_INET6
2338 2338 ip6_t *ip6;
2339 2339 #endif
2340 2340 #ifdef _KERNEL
2341 2341 # ifdef MENTAT
2342 2342 qpktinfo_t *qpi = qif;
2343 2343 #endif
2344 2344 #endif
2345 2345
2346 2346 SPL_INT(s);
2347 2347 pass = ifs->ifs_fr_pass;
2348 2348
2349 2349 /*
2350 2350 * The first part of fr_check() deals with making sure that what goes
2351 2351 * into the filtering engine makes some sense. Information about the
2352 2352 * the packet is distilled, collected into a fr_info_t structure and
2353 2353 * the an attempt to ensure the buffer the packet is in is big enough
2354 2354 * to hold all the required packet headers.
2355 2355 */
2356 2356 #ifdef _KERNEL
2357 2357 # ifdef MENTAT
2358 2358 if (!OK_32PTR(ip))
2359 2359 return 2;
2360 2360 # endif
2361 2361
2362 2362
2363 2363 if (ifs->ifs_fr_running <= 0) {
2364 2364 return 0;
2365 2365 }
2366 2366
2367 2367 bzero((char *)fin, sizeof(*fin));
2368 2368
2369 2369 # ifdef MENTAT
2370 2370 fin->fin_flx = qpi->qpi_flags & (FI_NOCKSUM|FI_MBCAST|FI_MULTICAST|
2371 2371 FI_BROADCAST);
2372 2372 m = qpi->qpi_m;
2373 2373 fin->fin_qfm = m;
2374 2374 fin->fin_qpi = qpi;
2375 2375 # else /* MENTAT */
2376 2376
2377 2377 m = *mp;
2378 2378
2379 2379 # if defined(M_MCAST)
2380 2380 if ((m->m_flags & M_MCAST) != 0)
2381 2381 fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
2382 2382 # endif
2383 2383 # if defined(M_MLOOP)
2384 2384 if ((m->m_flags & M_MLOOP) != 0)
2385 2385 fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
2386 2386 # endif
2387 2387 # if defined(M_BCAST)
2388 2388 if ((m->m_flags & M_BCAST) != 0)
2389 2389 fin->fin_flx |= FI_MBCAST|FI_BROADCAST;
2390 2390 # endif
2391 2391 # ifdef M_CANFASTFWD
2392 2392 /*
2393 2393 * XXX For now, IP Filter and fast-forwarding of cached flows
2394 2394 * XXX are mutually exclusive. Eventually, IP Filter should
2395 2395 * XXX get a "can-fast-forward" filter rule.
2396 2396 */
2397 2397 m->m_flags &= ~M_CANFASTFWD;
2398 2398 # endif /* M_CANFASTFWD */
2399 2399 # ifdef CSUM_DELAY_DATA
2400 2400 /*
2401 2401 * disable delayed checksums.
2402 2402 */
2403 2403 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
2404 2404 in_delayed_cksum(m);
2405 2405 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
2406 2406 }
2407 2407 # endif /* CSUM_DELAY_DATA */
2408 2408 # endif /* MENTAT */
2409 2409 #else
2410 2410
2411 2411 bzero((char *)fin, sizeof(*fin));
2412 2412 m = *mp;
2413 2413 #endif /* _KERNEL */
2414 2414
2415 2415 fin->fin_v = v;
2416 2416 fin->fin_m = m;
2417 2417 fin->fin_ip = ip;
2418 2418 fin->fin_mp = mp;
2419 2419 fin->fin_out = out;
2420 2420 fin->fin_ifp = ifp;
2421 2421 fin->fin_error = ENETUNREACH;
2422 2422 fin->fin_hlen = (u_short)hlen;
2423 2423 fin->fin_dp = (char *)ip + hlen;
2424 2424 fin->fin_ipoff = (char *)ip - MTOD(m, char *);
2425 2425 fin->fin_ifs = ifs;
2426 2426
2427 2427 SPL_NET(s);
2428 2428
2429 2429 #ifdef USE_INET6
2430 2430 if (v == 6) {
2431 2431 IPF_BUMP(ifs->ifs_frstats[out].fr_ipv6);
2432 2432 /*
2433 2433 * Jumbo grams are quite likely too big for internal buffer
2434 2434 * structures to handle comfortably, for now, so just drop
2435 2435 * them.
2436 2436 */
2437 2437 ip6 = (ip6_t *)ip;
2438 2438 fin->fin_plen = ntohs(ip6->ip6_plen);
2439 2439 if (fin->fin_plen == 0) {
2440 2440 READ_ENTER(&ifs->ifs_ipf_mutex);
2441 2441 pass = FR_BLOCK|FR_NOMATCH;
2442 2442 goto filtered;
2443 2443 }
2444 2444 fin->fin_plen += sizeof(ip6_t);
2445 2445 } else
2446 2446 #endif
2447 2447 {
2448 2448 #if (OpenBSD >= 200311) && defined(_KERNEL)
2449 2449 ip->ip_len = ntohs(ip->ip_len);
2450 2450 ip->ip_off = ntohs(ip->ip_off);
2451 2451 #endif
2452 2452 fin->fin_plen = ip->ip_len;
2453 2453 }
2454 2454
2455 2455 if (fr_makefrip(hlen, ip, fin) == -1) {
2456 2456 READ_ENTER(&ifs->ifs_ipf_mutex);
2457 2457 pass = FR_BLOCK;
2458 2458 goto filtered;
2459 2459 }
2460 2460
2461 2461 /*
2462 2462 * For at least IPv6 packets, if a m_pullup() fails then this pointer
2463 2463 * becomes NULL and so we have no packet to free.
2464 2464 */
2465 2465 if (*fin->fin_mp == NULL)
2466 2466 goto finished;
2467 2467
2468 2468 if (!out) {
2469 2469 if (v == 4) {
2470 2470 #ifdef _KERNEL
2471 2471 if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) {
2472 2472 IPF_BUMP(ifs->ifs_frstats[0].fr_badsrc);
2473 2473 fin->fin_flx |= FI_BADSRC;
2474 2474 }
2475 2475 #endif
2476 2476 if (fin->fin_ip->ip_ttl < ifs->ifs_fr_minttl) {
2477 2477 IPF_BUMP(ifs->ifs_frstats[0].fr_badttl);
2478 2478 fin->fin_flx |= FI_LOWTTL;
2479 2479 }
2480 2480 }
2481 2481 #ifdef USE_INET6
2482 2482 else if (v == 6) {
2483 2483 ip6 = (ip6_t *)ip;
2484 2484 #ifdef _KERNEL
2485 2485 if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) {
2486 2486 IPF_BUMP(ifs->ifs_frstats[0].fr_badsrc);
2487 2487 fin->fin_flx |= FI_BADSRC;
2488 2488 }
2489 2489 #endif
2490 2490 if (ip6->ip6_hlim < ifs->ifs_fr_minttl) {
2491 2491 IPF_BUMP(ifs->ifs_frstats[0].fr_badttl);
2492 2492 fin->fin_flx |= FI_LOWTTL;
2493 2493 }
2494 2494 }
2495 2495 #endif
2496 2496 }
2497 2497
2498 2498 if (fin->fin_flx & FI_SHORT) {
2499 2499 IPF_BUMP(ifs->ifs_frstats[out].fr_short);
2500 2500 }
2501 2501
2502 2502 READ_ENTER(&ifs->ifs_ipf_mutex);
2503 2503
2504 2504 /*
2505 2505 * Check auth now. This, combined with the check below to see if apass
2506 2506 * is 0 is to ensure that we don't count the packet twice, which can
2507 2507 * otherwise occur when we reprocess it. As it is, we only count it
2508 2508 * after it has no auth. table matchup. This also stops NAT from
2509 2509 * occuring until after the packet has been auth'd.
2510 2510 */
2511 2511 fr = fr_checkauth(fin, &pass);
2512 2512 if (!out) {
2513 2513 switch (fin->fin_v)
2514 2514 {
2515 2515 case 4 :
2516 2516 if (fr_checknatin(fin, &pass) == -1) {
2517 2517 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2518 2518 goto finished;
2519 2519 }
2520 2520 break;
2521 2521 #ifdef USE_INET6
2522 2522 case 6 :
2523 2523 if (fr_checknat6in(fin, &pass) == -1) {
2524 2524 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2525 2525 goto finished;
2526 2526 }
2527 2527 break;
2528 2528 #endif
2529 2529 default :
2530 2530 break;
2531 2531 }
2532 2532 }
2533 2533 if (!out)
2534 2534 (void) fr_acctpkt(fin, NULL);
2535 2535
2536 2536 if (fr == NULL)
2537 2537 if ((fin->fin_flx & (FI_FRAG|FI_BAD)) == FI_FRAG)
2538 2538 fr = fr_knownfrag(fin, &pass);
2539 2539 if (fr == NULL)
2540 2540 fr = fr_checkstate(fin, &pass);
2541 2541
2542 2542 if ((pass & FR_NOMATCH) || (fr == NULL))
2543 2543 fr = fr_firewall(fin, &pass);
2544 2544
2545 2545 fin->fin_fr = fr;
2546 2546
2547 2547 /*
2548 2548 * Only count/translate packets which will be passed on, out the
2549 2549 * interface.
2550 2550 */
2551 2551 if (out && FR_ISPASS(pass)) {
2552 2552 (void) fr_acctpkt(fin, NULL);
2553 2553
2554 2554 switch (fin->fin_v)
2555 2555 {
2556 2556 case 4 :
2557 2557 if (fr_checknatout(fin, &pass) == -1) {
2558 2558 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2559 2559 goto finished;
2560 2560 }
2561 2561 break;
2562 2562 #ifdef USE_INET6
2563 2563 case 6 :
2564 2564 if (fr_checknat6out(fin, &pass) == -1) {
2565 2565 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2566 2566 goto finished;
2567 2567 }
2568 2568 break;
2569 2569 #endif
2570 2570 default :
2571 2571 break;
2572 2572 }
2573 2573
2574 2574 if ((ifs->ifs_fr_update_ipid != 0) && (v == 4)) {
2575 2575 if (fr_updateipid(fin) == -1) {
2576 2576 IPF_BUMP(ifs->ifs_frstats[1].fr_ipud);
2577 2577 pass &= ~FR_CMDMASK;
2578 2578 pass |= FR_BLOCK;
2579 2579 } else {
2580 2580 IPF_BUMP(ifs->ifs_frstats[0].fr_ipud);
|
↓ open down ↓ |
2562 lines elided |
↑ open up ↑ |
2581 2581 }
2582 2582 }
2583 2583 }
2584 2584
2585 2585 #ifdef IPFILTER_LOG
2586 2586 if ((ifs->ifs_fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
2587 2587 (void) fr_dolog(fin, &pass);
2588 2588 }
2589 2589 #endif
2590 2590
2591 + if (IFS_CFWLOG(ifs, fr) && FR_ISBLOCK(pass))
2592 + ipf_block_cfwlog(fr, fin, ifs);
2593 +
2591 2594 /*
2592 2595 * The FI_STATE flag is cleared here so that calling fr_checkstate
2593 2596 * will work when called from inside of fr_fastroute. Although
2594 2597 * there is a similar flag, FI_NATED, for NAT, it does have the same
2595 2598 * impact on code execution.
2596 2599 */
2597 2600 fin->fin_flx &= ~FI_STATE;
2598 2601
2599 2602 /*
2600 2603 * Only allow FR_DUP to work if a rule matched - it makes no sense to
2601 2604 * set FR_DUP as a "default" as there are no instructions about where
2602 2605 * to send the packet. Use fin_m here because it may have changed
2603 2606 * (without an update of 'm') in prior processing.
2604 2607 */
2605 2608 if ((fr != NULL) && (pass & FR_DUP)) {
2606 2609 mc = M_DUPLICATE(fin->fin_m);
2607 2610 #ifdef _KERNEL
2608 2611 mc->b_rptr += fin->fin_ipoff;
2609 2612 #endif
2610 2613 }
2611 2614
2612 2615 /*
2613 2616 * We don't want to send RST for packets, which are going to be
2614 2617 * dropped, just because they don't fit into TCP window. Those packets
2615 2618 * will be dropped silently. In other words, we want to drop packet,
2616 2619 * while keeping session alive.
2617 2620 */
2618 2621 if ((pass & (FR_RETRST|FR_RETICMP)) && ((fin->fin_flx & FI_OOW) == 0)) {
2619 2622 /*
2620 2623 * Should we return an ICMP packet to indicate error
2621 2624 * status passing through the packet filter ?
2622 2625 * WARNING: ICMP error packets AND TCP RST packets should
2623 2626 * ONLY be sent in repsonse to incoming packets. Sending them
2624 2627 * in response to outbound packets can result in a panic on
2625 2628 * some operating systems.
2626 2629 */
2627 2630 if (!out) {
2628 2631 if (pass & FR_RETICMP) {
2629 2632 int dst;
2630 2633
2631 2634 if ((pass & FR_RETMASK) == FR_FAKEICMP)
2632 2635 dst = 1;
2633 2636 else
2634 2637 dst = 0;
2635 2638 #if defined(_KERNEL) && (SOLARIS2 >= 10)
2636 2639 /*
2637 2640 * Assume it's possible to enter insane rule:
2638 2641 * pass return-icmp in proto udp ...
2639 2642 * then we have no other option than to forward
2640 2643 * packet on loopback and give up any attempt
2641 2644 * to create a fake response.
2642 2645 */
2643 2646 if (IPF_IS_LOOPBACK(qpi->qpi_flags) &&
2644 2647 FR_ISBLOCK(pass)) {
2645 2648
2646 2649 if (fr_make_icmp(fin) == 0) {
2647 2650 IPF_BUMP(
2648 2651 ifs->ifs_frstats[out].fr_ret);
2649 2652 }
2650 2653 /*
2651 2654 * we drop packet silently in case we
2652 2655 * failed assemble fake response for it
2653 2656 */
2654 2657 else if (*mp != NULL) {
2655 2658 FREE_MB_T(*mp);
2656 2659 m = *mp = NULL;
2657 2660 }
2658 2661
2659 2662 IPF_BUMP(
2660 2663 ifs->ifs_frstats[out].fr_block);
2661 2664 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2662 2665
2663 2666 return (0);
2664 2667 }
2665 2668 #endif /* _KERNEL && SOLARIS2 >= 10 */
2666 2669
2667 2670 (void) fr_send_icmp_err(ICMP_UNREACH, fin, dst);
2668 2671 IPF_BUMP(ifs->ifs_frstats[out].fr_ret);
2669 2672
2670 2673 } else if (((pass & FR_RETMASK) == FR_RETRST) &&
2671 2674 !(fin->fin_flx & FI_SHORT)) {
2672 2675
2673 2676 #if defined(_KERNEL) && (SOLARIS2 >= 10)
2674 2677 /*
2675 2678 * Assume it's possible to enter insane rule:
2676 2679 * pass return-rst in proto tcp ...
2677 2680 * then we have no other option than to forward
2678 2681 * packet on loopback and give up any attempt
2679 2682 * to create a fake response.
2680 2683 */
2681 2684 if (IPF_IS_LOOPBACK(qpi->qpi_flags) &&
2682 2685 FR_ISBLOCK(pass)) {
2683 2686 if (fr_make_rst(fin) == 0) {
2684 2687 IPF_BUMP(
2685 2688 ifs->ifs_frstats[out].fr_ret);
2686 2689 }
2687 2690 else if (mp != NULL) {
2688 2691 /*
2689 2692 * we drop packet silently in case we
2690 2693 * failed assemble fake response for it
2691 2694 */
2692 2695 FREE_MB_T(*mp);
2693 2696 m = *mp = NULL;
2694 2697 }
2695 2698
2696 2699 IPF_BUMP(
2697 2700 ifs->ifs_frstats[out].fr_block);
2698 2701 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2699 2702
2700 2703 return (0);
2701 2704 }
2702 2705 #endif /* _KERNEL && _SOLARIS2 >= 10 */
2703 2706 if (fr_send_reset(fin) == 0) {
2704 2707 IPF_BUMP(ifs->ifs_frstats[1].fr_ret);
2705 2708 }
2706 2709 }
2707 2710 } else {
2708 2711 if (pass & FR_RETRST)
2709 2712 fin->fin_error = ECONNRESET;
2710 2713 }
2711 2714 }
2712 2715
2713 2716 /*
2714 2717 * If we didn't drop off the bottom of the list of rules (and thus
2715 2718 * the 'current' rule fr is not NULL), then we may have some extra
2716 2719 * instructions about what to do with a packet.
2717 2720 * Once we're finished return to our caller, freeing the packet if
2718 2721 * we are dropping it (* BSD ONLY *).
2719 2722 * Reassign m from fin_m as we may have a new buffer, now.
2720 2723 */
2721 2724 filtered:
2722 2725 m = fin->fin_m;
2723 2726
2724 2727 if (fr != NULL) {
2725 2728 frdest_t *fdp;
2726 2729
2727 2730 fdp = &fr->fr_tifs[fin->fin_rev];
2728 2731
2729 2732 if (!out && (pass & FR_FASTROUTE)) {
2730 2733 /*
2731 2734 * For fastroute rule, no destioation interface defined
2732 2735 * so pass NULL as the frdest_t parameter
2733 2736 */
2734 2737 (void) fr_fastroute(m, mp, fin, NULL);
2735 2738 m = *mp = NULL;
2736 2739 } else if ((fdp->fd_ifp != NULL) &&
2737 2740 (fdp->fd_ifp != (struct ifnet *)-1)) {
2738 2741 /* this is for to rules: */
2739 2742 (void) fr_fastroute(m, mp, fin, fdp);
2740 2743 m = *mp = NULL;
2741 2744 }
2742 2745
2743 2746 /*
2744 2747 * Send a duplicated packet.
2745 2748 */
2746 2749 if (mc != NULL) {
2747 2750 #if defined(_KERNEL) && (SOLARIS2 >= 10)
2748 2751 /*
2749 2752 * We are going to compute chksum for copies of loopback packets
2750 2753 * only. IP stack does not compute chksums at all for loopback
2751 2754 * packets. We want to get it fixed in their copies, since those
2752 2755 * are going to be sent to network.
2753 2756 */
2754 2757 if (IPF_IS_LOOPBACK(qpi->qpi_flags))
2755 2758 fr_calc_chksum(fin, mc);
2756 2759 #endif
2757 2760 (void) fr_fastroute(mc, &mc, fin, &fr->fr_dif);
2758 2761 }
2759 2762 }
2760 2763
2761 2764 if (FR_ISBLOCK(pass) && (fin->fin_flx & FI_NEWNAT))
2762 2765 nat_uncreate(fin);
2763 2766
2764 2767 /*
2765 2768 * This late because the likes of fr_fastroute() use fin_fr.
2766 2769 */
2767 2770 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2768 2771
2769 2772 finished:
2770 2773 if (!FR_ISPASS(pass)) {
2771 2774 IPF_BUMP(ifs->ifs_frstats[out].fr_block);
2772 2775 if (*mp != NULL) {
2773 2776 FREE_MB_T(*mp);
2774 2777 m = *mp = NULL;
2775 2778 }
2776 2779 } else {
2777 2780 IPF_BUMP(ifs->ifs_frstats[out].fr_pass);
2778 2781 #if defined(_KERNEL) && defined(__sgi)
2779 2782 if ((fin->fin_hbuf != NULL) &&
2780 2783 (mtod(fin->fin_m, struct ip *) != fin->fin_ip)) {
2781 2784 COPYBACK(m, 0, fin->fin_plen, fin->fin_hbuf);
2782 2785 }
2783 2786 #endif
2784 2787 }
2785 2788
2786 2789 SPL_X(s);
2787 2790
2788 2791 #ifdef _KERNEL
2789 2792 # if OpenBSD >= 200311
2790 2793 if (FR_ISPASS(pass) && (v == 4)) {
2791 2794 ip = fin->fin_ip;
2792 2795 ip->ip_len = ntohs(ip->ip_len);
2793 2796 ip->ip_off = ntohs(ip->ip_off);
2794 2797 }
2795 2798 # endif
2796 2799 return (FR_ISPASS(pass)) ? 0 : fin->fin_error;
2797 2800 #else /* _KERNEL */
2798 2801 FR_VERBOSE(("fin_flx %#x pass %#x ", fin->fin_flx, pass));
2799 2802 if ((pass & FR_NOMATCH) != 0)
2800 2803 return 1;
2801 2804
2802 2805 if ((pass & FR_RETMASK) != 0)
2803 2806 switch (pass & FR_RETMASK)
2804 2807 {
2805 2808 case FR_RETRST :
2806 2809 return 3;
2807 2810 case FR_RETICMP :
2808 2811 return 4;
2809 2812 case FR_FAKEICMP :
2810 2813 return 5;
2811 2814 }
2812 2815
2813 2816 switch (pass & FR_CMDMASK)
2814 2817 {
2815 2818 case FR_PASS :
2816 2819 return 0;
2817 2820 case FR_BLOCK :
2818 2821 return -1;
2819 2822 case FR_AUTH :
2820 2823 return -2;
2821 2824 case FR_ACCOUNT :
2822 2825 return -3;
2823 2826 case FR_PREAUTH :
2824 2827 return -4;
2825 2828 }
2826 2829 return 2;
2827 2830 #endif /* _KERNEL */
2828 2831 }
2829 2832
2830 2833
2831 2834 #ifdef IPFILTER_LOG
2832 2835 /* ------------------------------------------------------------------------ */
2833 2836 /* Function: fr_dolog */
2834 2837 /* Returns: frentry_t* - returns contents of fin_fr (no change made) */
2835 2838 /* Parameters: fin(I) - pointer to packet information */
2836 2839 /* passp(IO) - pointer to current/new filter decision (unused) */
2837 2840 /* */
2838 2841 /* Checks flags set to see how a packet should be logged, if it is to be */
2839 2842 /* logged. Adjust statistics based on its success or not. */
2840 2843 /* ------------------------------------------------------------------------ */
2841 2844 frentry_t *fr_dolog(fin, passp)
2842 2845 fr_info_t *fin;
2843 2846 u_32_t *passp;
2844 2847 {
2845 2848 u_32_t pass;
2846 2849 int out;
2847 2850 ipf_stack_t *ifs = fin->fin_ifs;
2848 2851
2849 2852 out = fin->fin_out;
2850 2853 pass = *passp;
2851 2854
2852 2855 if ((ifs->ifs_fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
2853 2856 pass |= FF_LOGNOMATCH;
2854 2857 IPF_BUMP(ifs->ifs_frstats[out].fr_npkl);
2855 2858 goto logit;
2856 2859 } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
2857 2860 (FR_ISPASS(pass) && (ifs->ifs_fr_flags & FF_LOGPASS))) {
2858 2861 if ((pass & FR_LOGMASK) != FR_LOGP)
2859 2862 pass |= FF_LOGPASS;
2860 2863 IPF_BUMP(ifs->ifs_frstats[out].fr_ppkl);
2861 2864 goto logit;
2862 2865 } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
2863 2866 (FR_ISBLOCK(pass) && (ifs->ifs_fr_flags & FF_LOGBLOCK))) {
2864 2867 if ((pass & FR_LOGMASK) != FR_LOGB)
2865 2868 pass |= FF_LOGBLOCK;
2866 2869 IPF_BUMP(ifs->ifs_frstats[out].fr_bpkl);
2867 2870 logit:
2868 2871 if (ipflog(fin, pass) == -1) {
2869 2872 IPF_BUMP(ifs->ifs_frstats[out].fr_skip);
2870 2873
2871 2874 /*
2872 2875 * If the "or-block" option has been used then
2873 2876 * block the packet if we failed to log it.
2874 2877 */
2875 2878 if ((pass & FR_LOGORBLOCK) &&
2876 2879 FR_ISPASS(pass)) {
2877 2880 pass &= ~FR_CMDMASK;
2878 2881 pass |= FR_BLOCK;
2879 2882 }
2880 2883 }
2881 2884 *passp = pass;
2882 2885 }
2883 2886
2884 2887 return fin->fin_fr;
2885 2888 }
2886 2889 #endif /* IPFILTER_LOG */
2887 2890
2888 2891
2889 2892 /* ------------------------------------------------------------------------ */
2890 2893 /* Function: ipf_cksum */
2891 2894 /* Returns: u_short - IP header checksum */
2892 2895 /* Parameters: addr(I) - pointer to start of buffer to checksum */
2893 2896 /* len(I) - length of buffer in bytes */
2894 2897 /* */
2895 2898 /* Calculate the two's complement 16 bit checksum of the buffer passed. */
2896 2899 /* */
2897 2900 /* N.B.: addr should be 16bit aligned. */
2898 2901 /* ------------------------------------------------------------------------ */
2899 2902 u_short ipf_cksum(addr, len)
2900 2903 u_short *addr;
2901 2904 int len;
2902 2905 {
2903 2906 u_32_t sum = 0;
2904 2907
2905 2908 for (sum = 0; len > 1; len -= 2)
2906 2909 sum += *addr++;
2907 2910
2908 2911 /* mop up an odd byte, if necessary */
2909 2912 if (len == 1)
2910 2913 sum += *(u_char *)addr;
2911 2914
2912 2915 /*
2913 2916 * add back carry outs from top 16 bits to low 16 bits
2914 2917 */
2915 2918 sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
2916 2919 sum += (sum >> 16); /* add carry */
2917 2920 return (u_short)(~sum);
2918 2921 }
2919 2922
2920 2923
2921 2924 /* ------------------------------------------------------------------------ */
2922 2925 /* Function: fr_cksum */
2923 2926 /* Returns: u_short - layer 4 checksum */
2924 2927 /* Parameters: m(I ) - pointer to buffer holding packet */
2925 2928 /* ip(I) - pointer to IP header */
2926 2929 /* l4proto(I) - protocol to caclulate checksum for */
2927 2930 /* l4hdr(I) - pointer to layer 4 header */
2928 2931 /* */
2929 2932 /* Calculates the TCP checksum for the packet held in "m", using the data */
2930 2933 /* in the IP header "ip" to seed it. */
2931 2934 /* */
2932 2935 /* NB: This function assumes we've pullup'd enough for all of the IP header */
2933 2936 /* and the TCP header. We also assume that data blocks aren't allocated in */
2934 2937 /* odd sizes. */
2935 2938 /* */
2936 2939 /* Expects ip_len to be in host byte order when called. */
2937 2940 /* ------------------------------------------------------------------------ */
2938 2941 u_short fr_cksum(m, ip, l4proto, l4hdr)
2939 2942 mb_t *m;
2940 2943 ip_t *ip;
2941 2944 int l4proto;
2942 2945 void *l4hdr;
2943 2946 {
2944 2947 u_short *sp, slen, sumsave, l4hlen, *csump;
2945 2948 u_int sum, sum2;
2946 2949 int hlen;
2947 2950 #ifdef USE_INET6
2948 2951 ip6_t *ip6;
2949 2952 #endif
2950 2953
2951 2954 csump = NULL;
2952 2955 sumsave = 0;
2953 2956 l4hlen = 0;
2954 2957 sp = NULL;
2955 2958 slen = 0;
2956 2959 hlen = 0;
2957 2960 sum = 0;
2958 2961
2959 2962 /*
2960 2963 * Add up IP Header portion
2961 2964 */
2962 2965 #ifdef USE_INET6
2963 2966 if (IP_V(ip) == 4) {
2964 2967 #endif
2965 2968 hlen = IP_HL(ip) << 2;
2966 2969 slen = ip->ip_len - hlen;
2967 2970 sum = htons((u_short)l4proto);
2968 2971 sum += htons(slen);
2969 2972 sp = (u_short *)&ip->ip_src;
2970 2973 sum += *sp++; /* ip_src */
2971 2974 sum += *sp++;
2972 2975 sum += *sp++; /* ip_dst */
2973 2976 sum += *sp++;
2974 2977 #ifdef USE_INET6
2975 2978 } else if (IP_V(ip) == 6) {
2976 2979 ip6 = (ip6_t *)ip;
2977 2980 hlen = sizeof(*ip6);
2978 2981 slen = ntohs(ip6->ip6_plen);
2979 2982 sum = htons((u_short)l4proto);
2980 2983 sum += htons(slen);
2981 2984 sp = (u_short *)&ip6->ip6_src;
2982 2985 sum += *sp++; /* ip6_src */
2983 2986 sum += *sp++;
2984 2987 sum += *sp++;
2985 2988 sum += *sp++;
2986 2989 sum += *sp++;
2987 2990 sum += *sp++;
2988 2991 sum += *sp++;
2989 2992 sum += *sp++;
2990 2993 sum += *sp++; /* ip6_dst */
2991 2994 sum += *sp++;
2992 2995 sum += *sp++;
2993 2996 sum += *sp++;
2994 2997 sum += *sp++;
2995 2998 sum += *sp++;
2996 2999 sum += *sp++;
2997 3000 sum += *sp++;
2998 3001 }
2999 3002 #endif
3000 3003
3001 3004 switch (l4proto)
3002 3005 {
3003 3006 case IPPROTO_UDP :
3004 3007 csump = &((udphdr_t *)l4hdr)->uh_sum;
3005 3008 l4hlen = sizeof(udphdr_t);
3006 3009 break;
3007 3010
3008 3011 case IPPROTO_TCP :
3009 3012 csump = &((tcphdr_t *)l4hdr)->th_sum;
3010 3013 l4hlen = sizeof(tcphdr_t);
3011 3014 break;
3012 3015 case IPPROTO_ICMP :
3013 3016 csump = &((icmphdr_t *)l4hdr)->icmp_cksum;
3014 3017 l4hlen = 4;
3015 3018 sum = 0;
3016 3019 break;
3017 3020 default :
3018 3021 break;
3019 3022 }
3020 3023
3021 3024 if (csump != NULL) {
3022 3025 sumsave = *csump;
3023 3026 *csump = 0;
3024 3027 }
3025 3028
3026 3029 l4hlen = l4hlen; /* LINT */
3027 3030
3028 3031 #ifdef _KERNEL
3029 3032 # ifdef MENTAT
3030 3033 {
3031 3034 void *rp = m->b_rptr;
3032 3035
3033 3036 if ((unsigned char *)ip > m->b_rptr && (unsigned char *)ip < m->b_wptr)
3034 3037 m->b_rptr = (u_char *)ip;
3035 3038 sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */
3036 3039 m->b_rptr = rp;
3037 3040 sum2 = (sum2 & 0xffff) + (sum2 >> 16);
3038 3041 sum2 = ~sum2 & 0xffff;
3039 3042 }
3040 3043 # else /* MENTAT */
3041 3044 # if defined(BSD) || defined(sun)
3042 3045 # if BSD >= 199103
3043 3046 m->m_data += hlen;
3044 3047 # else
3045 3048 m->m_off += hlen;
3046 3049 # endif
3047 3050 m->m_len -= hlen;
3048 3051 sum2 = in_cksum(m, slen);
3049 3052 m->m_len += hlen;
3050 3053 # if BSD >= 199103
3051 3054 m->m_data -= hlen;
3052 3055 # else
3053 3056 m->m_off -= hlen;
3054 3057 # endif
3055 3058 /*
3056 3059 * Both sum and sum2 are partial sums, so combine them together.
3057 3060 */
3058 3061 sum += ~sum2 & 0xffff;
3059 3062 while (sum > 0xffff)
3060 3063 sum = (sum & 0xffff) + (sum >> 16);
3061 3064 sum2 = ~sum & 0xffff;
3062 3065 # else /* defined(BSD) || defined(sun) */
3063 3066 {
3064 3067 union {
3065 3068 u_char c[2];
3066 3069 u_short s;
3067 3070 } bytes;
3068 3071 u_short len = ip->ip_len;
3069 3072 # if defined(__sgi)
3070 3073 int add;
3071 3074 # endif
3072 3075
3073 3076 /*
3074 3077 * Add up IP Header portion
3075 3078 */
3076 3079 if (sp != (u_short *)l4hdr)
3077 3080 sp = (u_short *)l4hdr;
3078 3081
3079 3082 switch (l4proto)
3080 3083 {
3081 3084 case IPPROTO_UDP :
3082 3085 sum += *sp++; /* sport */
3083 3086 sum += *sp++; /* dport */
3084 3087 sum += *sp++; /* udp length */
3085 3088 sum += *sp++; /* checksum */
3086 3089 break;
3087 3090
3088 3091 case IPPROTO_TCP :
3089 3092 sum += *sp++; /* sport */
3090 3093 sum += *sp++; /* dport */
3091 3094 sum += *sp++; /* seq */
3092 3095 sum += *sp++;
3093 3096 sum += *sp++; /* ack */
3094 3097 sum += *sp++;
3095 3098 sum += *sp++; /* off */
3096 3099 sum += *sp++; /* win */
3097 3100 sum += *sp++; /* checksum */
3098 3101 sum += *sp++; /* urp */
3099 3102 break;
3100 3103 case IPPROTO_ICMP :
3101 3104 sum = *sp++; /* type/code */
3102 3105 sum += *sp++; /* checksum */
3103 3106 break;
3104 3107 }
3105 3108
3106 3109 # ifdef __sgi
3107 3110 /*
3108 3111 * In case we had to copy the IP & TCP header out of mbufs,
3109 3112 * skip over the mbuf bits which are the header
3110 3113 */
3111 3114 if ((caddr_t)ip != mtod(m, caddr_t)) {
3112 3115 hlen = (caddr_t)sp - (caddr_t)ip;
3113 3116 while (hlen) {
3114 3117 add = MIN(hlen, m->m_len);
3115 3118 sp = (u_short *)(mtod(m, caddr_t) + add);
3116 3119 hlen -= add;
3117 3120 if (add == m->m_len) {
3118 3121 m = m->m_next;
3119 3122 if (!hlen) {
3120 3123 if (!m)
3121 3124 break;
3122 3125 sp = mtod(m, u_short *);
3123 3126 }
3124 3127 PANIC((!m),("fr_cksum(1): not enough data"));
3125 3128 }
3126 3129 }
3127 3130 }
3128 3131 # endif
3129 3132
3130 3133 len -= (l4hlen + hlen);
3131 3134 if (len <= 0)
3132 3135 goto nodata;
3133 3136
3134 3137 while (len > 1) {
3135 3138 if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
3136 3139 m = m->m_next;
3137 3140 PANIC((!m),("fr_cksum(2): not enough data"));
3138 3141 sp = mtod(m, u_short *);
3139 3142 }
3140 3143 if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) {
3141 3144 bytes.c[0] = *(u_char *)sp;
3142 3145 m = m->m_next;
3143 3146 PANIC((!m),("fr_cksum(3): not enough data"));
3144 3147 sp = mtod(m, u_short *);
3145 3148 bytes.c[1] = *(u_char *)sp;
3146 3149 sum += bytes.s;
3147 3150 sp = (u_short *)((u_char *)sp + 1);
3148 3151 }
3149 3152 if ((u_long)sp & 1) {
3150 3153 bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
3151 3154 sum += bytes.s;
3152 3155 } else
3153 3156 sum += *sp++;
3154 3157 len -= 2;
3155 3158 }
3156 3159
3157 3160 if (len != 0)
3158 3161 sum += ntohs(*(u_char *)sp << 8);
3159 3162 nodata:
3160 3163 while (sum > 0xffff)
3161 3164 sum = (sum & 0xffff) + (sum >> 16);
3162 3165 sum2 = (u_short)(~sum & 0xffff);
3163 3166 }
3164 3167 # endif /* defined(BSD) || defined(sun) */
3165 3168 # endif /* MENTAT */
3166 3169 #else /* _KERNEL */
3167 3170 for (; slen > 1; slen -= 2)
3168 3171 sum += *sp++;
3169 3172 if (slen)
3170 3173 sum += ntohs(*(u_char *)sp << 8);
3171 3174 while (sum > 0xffff)
3172 3175 sum = (sum & 0xffff) + (sum >> 16);
3173 3176 sum2 = (u_short)(~sum & 0xffff);
3174 3177 #endif /* _KERNEL */
3175 3178 if (csump != NULL)
3176 3179 *csump = sumsave;
3177 3180 return sum2;
3178 3181 }
3179 3182
3180 3183
3181 3184 #if defined(_KERNEL) && ( ((BSD < 199103) && !defined(MENTAT)) || \
3182 3185 defined(__sgi) ) && !defined(linux) && !defined(_AIX51)
3183 3186 /*
3184 3187 * Copyright (c) 1982, 1986, 1988, 1991, 1993
3185 3188 * The Regents of the University of California. All rights reserved.
3186 3189 *
3187 3190 * Redistribution and use in source and binary forms, with or without
3188 3191 * modification, are permitted provided that the following conditions
3189 3192 * are met:
3190 3193 * 1. Redistributions of source code must retain the above copyright
3191 3194 * notice, this list of conditions and the following disclaimer.
3192 3195 * 2. Redistributions in binary form must reproduce the above copyright
3193 3196 * notice, this list of conditions and the following disclaimer in the
3194 3197 * documentation and/or other materials provided with the distribution.
3195 3198 * 3. Neither the name of the University nor the names of its contributors
3196 3199 * may be used to endorse or promote products derived from this software
3197 3200 * without specific prior written permission.
3198 3201 *
3199 3202 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
3200 3203 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
3201 3204 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
3202 3205 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
3203 3206 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
3204 3207 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
3205 3208 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3206 3209 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
3207 3210 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
3208 3211 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3209 3212 * SUCH DAMAGE.
3210 3213 *
3211 3214 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
3212 3215 * $Id: fil.c,v 2.243.2.64 2005/08/13 05:19:59 darrenr Exp $
3213 3216 */
3214 3217 /*
3215 3218 * Copy data from an mbuf chain starting "off" bytes from the beginning,
3216 3219 * continuing for "len" bytes, into the indicated buffer.
3217 3220 */
3218 3221 void
3219 3222 m_copydata(m, off, len, cp)
3220 3223 mb_t *m;
3221 3224 int off;
3222 3225 int len;
3223 3226 caddr_t cp;
3224 3227 {
3225 3228 unsigned count;
3226 3229
3227 3230 if (off < 0 || len < 0)
3228 3231 panic("m_copydata");
3229 3232 while (off > 0) {
3230 3233 if (m == 0)
3231 3234 panic("m_copydata");
3232 3235 if (off < m->m_len)
3233 3236 break;
3234 3237 off -= m->m_len;
3235 3238 m = m->m_next;
3236 3239 }
3237 3240 while (len > 0) {
3238 3241 if (m == 0)
3239 3242 panic("m_copydata");
3240 3243 count = MIN(m->m_len - off, len);
3241 3244 bcopy(mtod(m, caddr_t) + off, cp, count);
3242 3245 len -= count;
3243 3246 cp += count;
3244 3247 off = 0;
3245 3248 m = m->m_next;
3246 3249 }
3247 3250 }
3248 3251
3249 3252
3250 3253 /*
3251 3254 * Copy data from a buffer back into the indicated mbuf chain,
3252 3255 * starting "off" bytes from the beginning, extending the mbuf
3253 3256 * chain if necessary.
3254 3257 */
3255 3258 void
3256 3259 m_copyback(m0, off, len, cp)
3257 3260 struct mbuf *m0;
3258 3261 int off;
3259 3262 int len;
3260 3263 caddr_t cp;
3261 3264 {
3262 3265 int mlen;
3263 3266 struct mbuf *m = m0, *n;
3264 3267 int totlen = 0;
3265 3268
3266 3269 if (m0 == 0)
3267 3270 return;
3268 3271 while (off > (mlen = m->m_len)) {
3269 3272 off -= mlen;
3270 3273 totlen += mlen;
3271 3274 if (m->m_next == 0) {
3272 3275 n = m_getclr(M_DONTWAIT, m->m_type);
3273 3276 if (n == 0)
3274 3277 goto out;
3275 3278 n->m_len = min(MLEN, len + off);
3276 3279 m->m_next = n;
3277 3280 }
3278 3281 m = m->m_next;
3279 3282 }
3280 3283 while (len > 0) {
3281 3284 mlen = min(m->m_len - off, len);
3282 3285 bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
3283 3286 cp += mlen;
3284 3287 len -= mlen;
3285 3288 mlen += off;
3286 3289 off = 0;
3287 3290 totlen += mlen;
3288 3291 if (len == 0)
3289 3292 break;
3290 3293 if (m->m_next == 0) {
3291 3294 n = m_get(M_DONTWAIT, m->m_type);
3292 3295 if (n == 0)
3293 3296 break;
3294 3297 n->m_len = min(MLEN, len);
3295 3298 m->m_next = n;
3296 3299 }
3297 3300 m = m->m_next;
3298 3301 }
3299 3302 out:
3300 3303 #if 0
3301 3304 if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
3302 3305 m->m_pkthdr.len = totlen;
3303 3306 #endif
3304 3307 return;
3305 3308 }
3306 3309 #endif /* (_KERNEL) && ( ((BSD < 199103) && !MENTAT) || __sgi) */
3307 3310
3308 3311
3309 3312 /* ------------------------------------------------------------------------ */
3310 3313 /* Function: fr_findgroup */
3311 3314 /* Returns: frgroup_t * - NULL = group not found, else pointer to group */
3312 3315 /* Parameters: group(I) - group name to search for */
3313 3316 /* unit(I) - device to which this group belongs */
3314 3317 /* set(I) - which set of rules (inactive/inactive) this is */
3315 3318 /* fgpp(O) - pointer to place to store pointer to the pointer */
3316 3319 /* to where to add the next (last) group or where */
3317 3320 /* to delete group from. */
3318 3321 /* */
3319 3322 /* Search amongst the defined groups for a particular group number. */
3320 3323 /* ------------------------------------------------------------------------ */
3321 3324 frgroup_t *fr_findgroup(group, unit, set, fgpp, ifs)
3322 3325 char *group;
3323 3326 minor_t unit;
3324 3327 int set;
3325 3328 frgroup_t ***fgpp;
3326 3329 ipf_stack_t *ifs;
3327 3330 {
3328 3331 frgroup_t *fg, **fgp;
3329 3332
3330 3333 /*
3331 3334 * Which list of groups to search in is dependent on which list of
3332 3335 * rules are being operated on.
3333 3336 */
3334 3337 fgp = &ifs->ifs_ipfgroups[unit][set];
3335 3338
3336 3339 while ((fg = *fgp) != NULL) {
3337 3340 if (strncmp(group, fg->fg_name, FR_GROUPLEN) == 0)
3338 3341 break;
3339 3342 else
3340 3343 fgp = &fg->fg_next;
3341 3344 }
3342 3345 if (fgpp != NULL)
3343 3346 *fgpp = fgp;
3344 3347 return fg;
3345 3348 }
3346 3349
3347 3350
3348 3351 /* ------------------------------------------------------------------------ */
3349 3352 /* Function: fr_addgroup */
3350 3353 /* Returns: frgroup_t * - NULL == did not create group, */
3351 3354 /* != NULL == pointer to the group */
3352 3355 /* Parameters: num(I) - group number to add */
3353 3356 /* head(I) - rule pointer that is using this as the head */
3354 3357 /* flags(I) - rule flags which describe the type of rule it is */
3355 3358 /* unit(I) - device to which this group will belong to */
3356 3359 /* set(I) - which set of rules (inactive/inactive) this is */
3357 3360 /* Write Locks: ipf_mutex */
3358 3361 /* */
3359 3362 /* Add a new group head, or if it already exists, increase the reference */
3360 3363 /* count to it. */
3361 3364 /* ------------------------------------------------------------------------ */
3362 3365 frgroup_t *fr_addgroup(group, head, flags, unit, set, ifs)
3363 3366 char *group;
3364 3367 void *head;
3365 3368 u_32_t flags;
3366 3369 minor_t unit;
3367 3370 int set;
3368 3371 ipf_stack_t *ifs;
3369 3372 {
3370 3373 frgroup_t *fg, **fgp;
3371 3374 u_32_t gflags;
3372 3375
3373 3376 if (group == NULL)
3374 3377 return NULL;
3375 3378
3376 3379 if (unit == IPL_LOGIPF && *group == '\0')
3377 3380 return NULL;
3378 3381
3379 3382 fgp = NULL;
3380 3383 gflags = flags & FR_INOUT;
3381 3384
3382 3385 fg = fr_findgroup(group, unit, set, &fgp, ifs);
3383 3386 if (fg != NULL) {
3384 3387 if (fg->fg_flags == 0)
3385 3388 fg->fg_flags = gflags;
3386 3389 else if (gflags != fg->fg_flags)
3387 3390 return NULL;
3388 3391 fg->fg_ref++;
3389 3392 return fg;
3390 3393 }
3391 3394 KMALLOC(fg, frgroup_t *);
3392 3395 if (fg != NULL) {
3393 3396 fg->fg_head = head;
3394 3397 fg->fg_start = NULL;
3395 3398 fg->fg_next = *fgp;
3396 3399 bcopy(group, fg->fg_name, FR_GROUPLEN);
3397 3400 fg->fg_flags = gflags;
3398 3401 fg->fg_ref = 1;
3399 3402 *fgp = fg;
3400 3403 }
3401 3404 return fg;
3402 3405 }
3403 3406
3404 3407
3405 3408 /* ------------------------------------------------------------------------ */
3406 3409 /* Function: fr_delgroup */
3407 3410 /* Returns: Nil */
3408 3411 /* Parameters: group(I) - group name to delete */
3409 3412 /* unit(I) - device to which this group belongs */
3410 3413 /* set(I) - which set of rules (inactive/inactive) this is */
3411 3414 /* Write Locks: ipf_mutex */
3412 3415 /* */
3413 3416 /* Attempt to delete a group head. */
3414 3417 /* Only do this when its reference count reaches 0. */
3415 3418 /* ------------------------------------------------------------------------ */
3416 3419 void fr_delgroup(group, unit, set, ifs)
3417 3420 char *group;
3418 3421 minor_t unit;
3419 3422 int set;
3420 3423 ipf_stack_t *ifs;
3421 3424 {
3422 3425 frgroup_t *fg, **fgp;
3423 3426
3424 3427 fg = fr_findgroup(group, unit, set, &fgp, ifs);
3425 3428 if (fg == NULL)
3426 3429 return;
3427 3430
3428 3431 fg->fg_ref--;
3429 3432 if (fg->fg_ref == 0) {
3430 3433 *fgp = fg->fg_next;
3431 3434 KFREE(fg);
3432 3435 }
3433 3436 }
3434 3437
3435 3438
3436 3439 /* ------------------------------------------------------------------------ */
3437 3440 /* Function: fr_getrulen */
3438 3441 /* Returns: frentry_t * - NULL == not found, else pointer to rule n */
3439 3442 /* Parameters: unit(I) - device for which to count the rule's number */
3440 3443 /* flags(I) - which set of rules to find the rule in */
3441 3444 /* group(I) - group name */
3442 3445 /* n(I) - rule number to find */
3443 3446 /* */
3444 3447 /* Find rule # n in group # g and return a pointer to it. Return NULl if */
3445 3448 /* group # g doesn't exist or there are less than n rules in the group. */
3446 3449 /* ------------------------------------------------------------------------ */
3447 3450 frentry_t *fr_getrulen(unit, group, n, ifs)
3448 3451 int unit;
3449 3452 char *group;
3450 3453 u_32_t n;
3451 3454 ipf_stack_t *ifs;
3452 3455 {
3453 3456 frentry_t *fr;
3454 3457 frgroup_t *fg;
3455 3458
3456 3459 fg = fr_findgroup(group, unit, ifs->ifs_fr_active, NULL, ifs);
3457 3460 if (fg == NULL)
3458 3461 return NULL;
3459 3462 for (fr = fg->fg_head; fr && n; fr = fr->fr_next, n--)
3460 3463 ;
3461 3464 if (n != 0)
3462 3465 return NULL;
3463 3466 return fr;
3464 3467 }
3465 3468
3466 3469
3467 3470 /* ------------------------------------------------------------------------ */
3468 3471 /* Function: fr_rulen */
3469 3472 /* Returns: int - >= 0 - rule number, -1 == search failed */
3470 3473 /* Parameters: unit(I) - device for which to count the rule's number */
3471 3474 /* fr(I) - pointer to rule to match */
3472 3475 /* */
3473 3476 /* Return the number for a rule on a specific filtering device. */
3474 3477 /* ------------------------------------------------------------------------ */
3475 3478 int fr_rulen(unit, fr, ifs)
3476 3479 int unit;
3477 3480 frentry_t *fr;
3478 3481 ipf_stack_t *ifs;
3479 3482 {
3480 3483 frentry_t *fh;
3481 3484 frgroup_t *fg;
3482 3485 u_32_t n = 0;
3483 3486
3484 3487 if (fr == NULL)
3485 3488 return -1;
3486 3489 fg = fr_findgroup(fr->fr_group, unit, ifs->ifs_fr_active, NULL, ifs);
3487 3490 if (fg == NULL)
3488 3491 return -1;
3489 3492 for (fh = fg->fg_head; fh; n++, fh = fh->fr_next)
3490 3493 if (fh == fr)
3491 3494 break;
3492 3495 if (fh == NULL)
3493 3496 return -1;
3494 3497 return n;
3495 3498 }
3496 3499
3497 3500
3498 3501 /* ------------------------------------------------------------------------ */
3499 3502 /* Function: frflushlist */
3500 3503 /* Returns: int - >= 0 - number of flushed rules */
3501 3504 /* Parameters: set(I) - which set of rules (inactive/inactive) this is */
3502 3505 /* unit(I) - device for which to flush rules */
3503 3506 /* flags(I) - which set of rules to flush */
3504 3507 /* nfreedp(O) - pointer to int where flush count is stored */
3505 3508 /* listp(I) - pointer to list to flush pointer */
3506 3509 /* Write Locks: ipf_mutex */
3507 3510 /* */
3508 3511 /* Recursively flush rules from the list, descending groups as they are */
3509 3512 /* encountered. if a rule is the head of a group and it has lost all its */
3510 3513 /* group members, then also delete the group reference. nfreedp is needed */
3511 3514 /* to store the accumulating count of rules removed, whereas the returned */
3512 3515 /* value is just the number removed from the current list. The latter is */
3513 3516 /* needed to correctly adjust reference counts on rules that define groups. */
3514 3517 /* */
3515 3518 /* NOTE: Rules not loaded from user space cannot be flushed. */
3516 3519 /* ------------------------------------------------------------------------ */
3517 3520 static int frflushlist(set, unit, nfreedp, listp, ifs)
3518 3521 int set;
3519 3522 minor_t unit;
3520 3523 int *nfreedp;
3521 3524 frentry_t **listp;
3522 3525 ipf_stack_t *ifs;
3523 3526 {
3524 3527 int freed = 0;
3525 3528 frentry_t *fp;
3526 3529
3527 3530 while ((fp = *listp) != NULL) {
3528 3531 if ((fp->fr_type & FR_T_BUILTIN) ||
3529 3532 !(fp->fr_flags & FR_COPIED)) {
3530 3533 listp = &fp->fr_next;
3531 3534 continue;
3532 3535 }
3533 3536 *listp = fp->fr_next;
3534 3537 if (fp->fr_grp != NULL) {
3535 3538 (void) frflushlist(set, unit, nfreedp, fp->fr_grp, ifs);
3536 3539 }
3537 3540
3538 3541 if (fp->fr_grhead != NULL) {
3539 3542 fr_delgroup(fp->fr_grhead, unit, set, ifs);
3540 3543 *fp->fr_grhead = '\0';
3541 3544 }
3542 3545
3543 3546 ASSERT(fp->fr_ref > 0);
3544 3547 fp->fr_next = NULL;
3545 3548 if (fr_derefrule(&fp, ifs) == 0)
3546 3549 freed++;
3547 3550 }
3548 3551 *nfreedp += freed;
3549 3552 return freed;
3550 3553 }
3551 3554
3552 3555
3553 3556 /* ------------------------------------------------------------------------ */
3554 3557 /* Function: frflush */
3555 3558 /* Returns: int - >= 0 - number of flushed rules */
3556 3559 /* Parameters: unit(I) - device for which to flush rules */
3557 3560 /* flags(I) - which set of rules to flush */
3558 3561 /* */
3559 3562 /* Calls flushlist() for all filter rules (accounting, firewall - both IPv4 */
3560 3563 /* and IPv6) as defined by the value of flags. */
3561 3564 /* ------------------------------------------------------------------------ */
3562 3565 int frflush(unit, proto, flags, ifs)
3563 3566 minor_t unit;
3564 3567 int proto, flags;
3565 3568 ipf_stack_t *ifs;
3566 3569 {
3567 3570 int flushed = 0, set;
3568 3571
3569 3572 WRITE_ENTER(&ifs->ifs_ipf_mutex);
3570 3573 bzero((char *)ifs->ifs_frcache, sizeof (ifs->ifs_frcache));
3571 3574
3572 3575 set = ifs->ifs_fr_active;
3573 3576 if ((flags & FR_INACTIVE) == FR_INACTIVE)
3574 3577 set = 1 - set;
3575 3578
3576 3579 if (flags & FR_OUTQUE) {
3577 3580 if (proto == 0 || proto == 6) {
3578 3581 (void) frflushlist(set, unit,
3579 3582 &flushed, &ifs->ifs_ipfilter6[1][set], ifs);
3580 3583 (void) frflushlist(set, unit,
3581 3584 &flushed, &ifs->ifs_ipacct6[1][set], ifs);
3582 3585 }
3583 3586 if (proto == 0 || proto == 4) {
3584 3587 (void) frflushlist(set, unit,
3585 3588 &flushed, &ifs->ifs_ipfilter[1][set], ifs);
3586 3589 (void) frflushlist(set, unit,
3587 3590 &flushed, &ifs->ifs_ipacct[1][set], ifs);
3588 3591 }
3589 3592 }
3590 3593 if (flags & FR_INQUE) {
3591 3594 if (proto == 0 || proto == 6) {
3592 3595 (void) frflushlist(set, unit,
3593 3596 &flushed, &ifs->ifs_ipfilter6[0][set], ifs);
3594 3597 (void) frflushlist(set, unit,
3595 3598 &flushed, &ifs->ifs_ipacct6[0][set], ifs);
3596 3599 }
3597 3600 if (proto == 0 || proto == 4) {
3598 3601 (void) frflushlist(set, unit,
3599 3602 &flushed, &ifs->ifs_ipfilter[0][set], ifs);
3600 3603 (void) frflushlist(set, unit,
3601 3604 &flushed, &ifs->ifs_ipacct[0][set], ifs);
3602 3605 }
3603 3606 }
3604 3607 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
3605 3608
3606 3609 if (unit == IPL_LOGIPF) {
3607 3610 int tmp;
3608 3611
3609 3612 tmp = frflush(IPL_LOGCOUNT, proto, flags, ifs);
3610 3613 if (tmp >= 0)
3611 3614 flushed += tmp;
3612 3615 }
3613 3616 return flushed;
3614 3617 }
3615 3618
3616 3619
3617 3620 /* ------------------------------------------------------------------------ */
3618 3621 /* Function: memstr */
3619 3622 /* Returns: char * - NULL if failed, != NULL pointer to matching bytes */
3620 3623 /* Parameters: src(I) - pointer to byte sequence to match */
3621 3624 /* dst(I) - pointer to byte sequence to search */
3622 3625 /* slen(I) - match length */
3623 3626 /* dlen(I) - length available to search in */
3624 3627 /* */
3625 3628 /* Search dst for a sequence of bytes matching those at src and extend for */
3626 3629 /* slen bytes. */
3627 3630 /* ------------------------------------------------------------------------ */
3628 3631 char *memstr(src, dst, slen, dlen)
3629 3632 char *src, *dst;
3630 3633 int slen, dlen;
3631 3634 {
3632 3635 char *s = NULL;
3633 3636
3634 3637 while (dlen >= slen) {
3635 3638 if (bcmp(src, dst, slen) == 0) {
3636 3639 s = dst;
3637 3640 break;
3638 3641 }
3639 3642 dst++;
3640 3643 dlen--;
3641 3644 }
3642 3645 return s;
3643 3646 }
3644 3647 /* ------------------------------------------------------------------------ */
3645 3648 /* Function: fr_fixskip */
3646 3649 /* Returns: Nil */
3647 3650 /* Parameters: listp(IO) - pointer to start of list with skip rule */
3648 3651 /* rp(I) - rule added/removed with skip in it. */
3649 3652 /* addremove(I) - adjustment (-1/+1) to make to skip count, */
3650 3653 /* depending on whether a rule was just added */
3651 3654 /* or removed. */
3652 3655 /* */
3653 3656 /* Adjust all the rules in a list which would have skip'd past the position */
3654 3657 /* where we are inserting to skip to the right place given the change. */
3655 3658 /* ------------------------------------------------------------------------ */
3656 3659 void fr_fixskip(listp, rp, addremove)
3657 3660 frentry_t **listp, *rp;
3658 3661 int addremove;
3659 3662 {
3660 3663 int rules, rn;
3661 3664 frentry_t *fp;
3662 3665
3663 3666 rules = 0;
3664 3667 for (fp = *listp; (fp != NULL) && (fp != rp); fp = fp->fr_next)
3665 3668 rules++;
3666 3669
3667 3670 if (!fp)
3668 3671 return;
3669 3672
3670 3673 for (rn = 0, fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
3671 3674 if (FR_ISSKIP(fp->fr_flags) && (rn + fp->fr_arg >= rules))
3672 3675 fp->fr_arg += addremove;
3673 3676 }
3674 3677
3675 3678
3676 3679 #ifdef _KERNEL
3677 3680 /* ------------------------------------------------------------------------ */
3678 3681 /* Function: count4bits */
3679 3682 /* Returns: int - >= 0 - number of consecutive bits in input */
3680 3683 /* Parameters: ip(I) - 32bit IP address */
3681 3684 /* */
3682 3685 /* IPv4 ONLY */
3683 3686 /* count consecutive 1's in bit mask. If the mask generated by counting */
3684 3687 /* consecutive 1's is different to that passed, return -1, else return # */
3685 3688 /* of bits. */
3686 3689 /* ------------------------------------------------------------------------ */
3687 3690 int count4bits(ip)
3688 3691 u_32_t ip;
3689 3692 {
3690 3693 u_32_t ipn;
3691 3694 int cnt = 0, i, j;
3692 3695
3693 3696 ip = ipn = ntohl(ip);
3694 3697 for (i = 32; i; i--, ipn *= 2)
3695 3698 if (ipn & 0x80000000)
3696 3699 cnt++;
3697 3700 else
3698 3701 break;
3699 3702 ipn = 0;
3700 3703 for (i = 32, j = cnt; i; i--, j--) {
3701 3704 ipn *= 2;
3702 3705 if (j > 0)
3703 3706 ipn++;
3704 3707 }
3705 3708 if (ipn == ip)
3706 3709 return cnt;
3707 3710 return -1;
3708 3711 }
3709 3712
3710 3713
3711 3714 #ifdef USE_INET6
3712 3715 /* ------------------------------------------------------------------------ */
3713 3716 /* Function: count6bits */
3714 3717 /* Returns: int - >= 0 - number of consecutive bits in input */
3715 3718 /* Parameters: msk(I) - pointer to start of IPv6 bitmask */
3716 3719 /* */
3717 3720 /* IPv6 ONLY */
3718 3721 /* count consecutive 1's in bit mask. */
3719 3722 /* ------------------------------------------------------------------------ */
3720 3723 int count6bits(msk)
3721 3724 u_32_t *msk;
3722 3725 {
3723 3726 int i = 0, k;
3724 3727 u_32_t j;
3725 3728
3726 3729 for (k = 3; k >= 0; k--)
3727 3730 if (msk[k] == 0xffffffff)
3728 3731 i += 32;
3729 3732 else {
3730 3733 for (j = msk[k]; j; j <<= 1)
3731 3734 if (j & 0x80000000)
3732 3735 i++;
3733 3736 }
3734 3737 return i;
3735 3738 }
3736 3739 # endif
3737 3740 #endif /* _KERNEL */
3738 3741
3739 3742
3740 3743 /* ------------------------------------------------------------------------ */
3741 3744 /* Function: fr_ifsync */
3742 3745 /* Returns: void * - new interface identifier */
3743 3746 /* Parameters: action(I) - type of synchronisation to do */
3744 3747 /* v(I) - IP version being sync'd (v4 or v6) */
3745 3748 /* newifp(I) - interface identifier being introduced/removed */
3746 3749 /* oldifp(I) - interface identifier in a filter rule */
3747 3750 /* newname(I) - name associated with newifp interface */
3748 3751 /* oldname(I) - name associated with oldifp interface */
3749 3752 /* ifs - pointer to IPF stack instance */
3750 3753 /* */
3751 3754 /* This function returns what the new value for "oldifp" should be for its */
3752 3755 /* caller. In some cases it will not change, in some it will. */
3753 3756 /* action == IPFSYNC_RESYNC */
3754 3757 /* a new value for oldifp will always be looked up, according to oldname, */
3755 3758 /* the values of newname and newifp are ignored. */
3756 3759 /* action == IPFSYNC_NEWIFP */
3757 3760 /* if oldname matches newname then we are doing a sync for the matching */
3758 3761 /* interface, so we return newifp to be used in place of oldifp. If the */
3759 3762 /* the names don't match, just return oldifp. */
3760 3763 /* action == IPFSYNC_OLDIFP */
3761 3764 /* if oldifp matches newifp then we are are doing a sync to remove any */
3762 3765 /* references to oldifp, so we return "-1". */
3763 3766 /* ----- */
3764 3767 /* NOTE: */
3765 3768 /* This function processes NIC event from PF_HOOKS. The action parameter */
3766 3769 /* is set in ipf_nic_event_v4()/ipf_nic_event_v6() function. There is */
3767 3770 /* one single switch statement() in ipf_nic_event_vx() function, which */
3768 3771 /* translates the HOOK event type to action parameter passed to fr_ifsync. */
3769 3772 /* The translation table looks as follows: */
3770 3773 /* event | action */
3771 3774 /* ----------------+------------- */
3772 3775 /* NE_PLUMB | IPFSYNC_NEWIFP */
3773 3776 /* NE_UNPLUMB | IPFSYNC_OLDIFP */
3774 3777 /* NE_ADDRESS_CHANGE | IPFSYNC_RESYNC */
3775 3778 /* */
3776 3779 /* The oldname and oldifp parameters are taken from IPF entry (rule, state */
3777 3780 /* table entry, NAT table entry, fragment ...). The newname and newifp */
3778 3781 /* parameters come from hook event data, parameters are taken from event */
3779 3782 /* in ipf_nic_event_vx() functions. Any time NIC changes, the IPF is */
3780 3783 /* notified by hook function. */
3781 3784 /* */
3782 3785 /* We get NE_UNPLUMB event from PF_HOOKS even if someone coincidently tries */
3783 3786 /* to plumb the interface, which is already plumbed. In such case we always */
3784 3787 /* get the event from PF_HOOKS as follows: */
3785 3788 /* event: NE_PLUMB */
3786 3789 /* NIC: 0x0 */
3787 3790 /* ------------------------------------------------------------------------ */
3788 3791 static void *fr_ifsync(action, v, newname, oldname, newifp, oldifp, ifs)
3789 3792 int action, v;
3790 3793 char *newname, *oldname;
3791 3794 void *newifp, *oldifp;
3792 3795 ipf_stack_t *ifs;
3793 3796 {
3794 3797 void *rval = oldifp;
3795 3798
3796 3799 switch (action)
3797 3800 {
3798 3801 case IPFSYNC_RESYNC :
3799 3802 if (oldname[0] != '\0') {
3800 3803 rval = fr_resolvenic(oldname, v, ifs);
3801 3804 }
3802 3805 break;
3803 3806 case IPFSYNC_NEWIFP :
3804 3807 if (!strncmp(newname, oldname, LIFNAMSIZ))
3805 3808 rval = newifp;
3806 3809 break;
3807 3810 case IPFSYNC_OLDIFP :
3808 3811 /*
3809 3812 * If interface gets unplumbed it must be invalidated, which
3810 3813 * means set all existing references to the interface to -1.
3811 3814 * We don't want to invalidate references for wildcard
3812 3815 * (unbound) rules (entries).
3813 3816 */
3814 3817 if (newifp == oldifp)
3815 3818 rval = (oldifp) ? (void *)-1 : NULL;
3816 3819 break;
3817 3820 }
3818 3821
3819 3822 return rval;
3820 3823 }
3821 3824
3822 3825
3823 3826 /* ------------------------------------------------------------------------ */
3824 3827 /* Function: frsynclist */
3825 3828 /* Returns: void */
3826 3829 /* Parameters: action(I) - type of synchronisation to do */
3827 3830 /* v(I) - IP version being sync'd (v4 or v6) */
3828 3831 /* ifp(I) - interface identifier associated with action */
3829 3832 /* ifname(I) - name associated with ifp parameter */
3830 3833 /* fr(I) - pointer to filter rule */
3831 3834 /* ifs - pointer to IPF stack instance */
3832 3835 /* Write Locks: ipf_mutex */
3833 3836 /* */
3834 3837 /* Walk through a list of filter rules and resolve any interface names into */
3835 3838 /* pointers. Where dynamic addresses are used, also update the IP address */
3836 3839 /* used in the rule. The interface pointer is used to limit the lookups to */
3837 3840 /* a specific set of matching names if it is non-NULL. */
3838 3841 /* ------------------------------------------------------------------------ */
3839 3842 static void frsynclist(action, v, ifp, ifname, fr, ifs)
3840 3843 int action, v;
3841 3844 void *ifp;
3842 3845 char *ifname;
3843 3846 frentry_t *fr;
3844 3847 ipf_stack_t *ifs;
3845 3848 {
3846 3849 frdest_t *fdp;
3847 3850 int rv, i;
3848 3851
3849 3852 for (; fr; fr = fr->fr_next) {
3850 3853 rv = fr->fr_v;
3851 3854 if (v != 0 && v != rv)
3852 3855 continue;
3853 3856
3854 3857 /*
3855 3858 * Lookup all the interface names that are part of the rule.
3856 3859 */
3857 3860 for (i = 0; i < 4; i++) {
3858 3861 fr->fr_ifas[i] = fr_ifsync(action, rv, ifname,
3859 3862 fr->fr_ifnames[i],
3860 3863 ifp, fr->fr_ifas[i],
3861 3864 ifs);
3862 3865 }
3863 3866
3864 3867 fdp = &fr->fr_tifs[0];
3865 3868 fdp->fd_ifp = fr_ifsync(action, rv, ifname, fdp->fd_ifname,
3866 3869 ifp, fdp->fd_ifp, ifs);
3867 3870
3868 3871 fdp = &fr->fr_tifs[1];
3869 3872 fdp->fd_ifp = fr_ifsync(action, rv, ifname, fdp->fd_ifname,
3870 3873 ifp, fdp->fd_ifp, ifs);
3871 3874
3872 3875 fdp = &fr->fr_dif;
3873 3876 fdp->fd_ifp = fr_ifsync(action, rv, ifname, fdp->fd_ifname,
3874 3877 ifp, fdp->fd_ifp, ifs);
3875 3878
3876 3879 if (action != IPFSYNC_RESYNC)
3877 3880 continue;
3878 3881
3879 3882 if (fr->fr_type == FR_T_IPF) {
3880 3883 if (fr->fr_satype != FRI_NORMAL &&
3881 3884 fr->fr_satype != FRI_LOOKUP) {
3882 3885 (void)fr_ifpaddr(rv, fr->fr_satype,
3883 3886 fr->fr_ifas[fr->fr_sifpidx],
3884 3887 &fr->fr_src, &fr->fr_smsk,
3885 3888 ifs);
3886 3889 }
3887 3890 if (fr->fr_datype != FRI_NORMAL &&
3888 3891 fr->fr_datype != FRI_LOOKUP) {
3889 3892 (void)fr_ifpaddr(rv, fr->fr_datype,
3890 3893 fr->fr_ifas[fr->fr_difpidx],
3891 3894 &fr->fr_dst, &fr->fr_dmsk,
3892 3895 ifs);
3893 3896 }
3894 3897 }
3895 3898
3896 3899 #ifdef IPFILTER_LOOKUP
3897 3900 if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP &&
3898 3901 fr->fr_srcptr == NULL) {
3899 3902 fr->fr_srcptr = fr_resolvelookup(fr->fr_srctype,
3900 3903 fr->fr_srcnum,
3901 3904 &fr->fr_srcfunc, ifs);
3902 3905 }
3903 3906 if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP &&
3904 3907 fr->fr_dstptr == NULL) {
3905 3908 fr->fr_dstptr = fr_resolvelookup(fr->fr_dsttype,
3906 3909 fr->fr_dstnum,
3907 3910 &fr->fr_dstfunc, ifs);
3908 3911 }
3909 3912 #endif
3910 3913 }
3911 3914 }
3912 3915
3913 3916
3914 3917 #ifdef _KERNEL
3915 3918 /* ------------------------------------------------------------------------ */
3916 3919 /* Function: frsync */
3917 3920 /* Returns: void */
3918 3921 /* Parameters: action(I) - type of synchronisation to do */
3919 3922 /* v(I) - IP version being sync'd (v4 or v6) */
3920 3923 /* ifp(I) - interface identifier associated with action */
3921 3924 /* name(I) - name associated with ifp parameter */
3922 3925 /* */
3923 3926 /* frsync() is called when we suspect that the interface list or */
3924 3927 /* information about interfaces (like IP#) has changed. Go through all */
3925 3928 /* filter rules, NAT entries and the state table and check if anything */
3926 3929 /* needs to be changed/updated. */
3927 3930 /* With the filtering hooks added to Solaris, we needed to change the manner*/
3928 3931 /* in which this was done to support three different types of sync: */
3929 3932 /* - complete resync of all interface name/identifiers */
3930 3933 /* - new interface being announced with its name and identifier */
3931 3934 /* - interface removal being announced by only its identifier */
3932 3935 /* ------------------------------------------------------------------------ */
3933 3936 void frsync(action, v, ifp, name, ifs)
3934 3937 int action, v;
3935 3938 void *ifp;
3936 3939 char *name;
3937 3940 ipf_stack_t *ifs;
3938 3941 {
3939 3942 int i;
3940 3943
3941 3944 WRITE_ENTER(&ifs->ifs_ipf_mutex);
3942 3945 frsynclist(action, v, ifp, name, ifs->ifs_ipacct[0][ifs->ifs_fr_active], ifs);
3943 3946 frsynclist(action, v, ifp, name, ifs->ifs_ipacct[1][ifs->ifs_fr_active], ifs);
3944 3947 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter[0][ifs->ifs_fr_active], ifs);
3945 3948 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter[1][ifs->ifs_fr_active], ifs);
3946 3949 frsynclist(action, v, ifp, name, ifs->ifs_ipacct6[0][ifs->ifs_fr_active], ifs);
3947 3950 frsynclist(action, v, ifp, name, ifs->ifs_ipacct6[1][ifs->ifs_fr_active], ifs);
3948 3951 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter6[0][ifs->ifs_fr_active], ifs);
3949 3952 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter6[1][ifs->ifs_fr_active], ifs);
3950 3953
3951 3954 for (i = 0; i < IPL_LOGSIZE; i++) {
3952 3955 frgroup_t *g;
3953 3956
3954 3957 for (g = ifs->ifs_ipfgroups[i][0]; g != NULL; g = g->fg_next)
3955 3958 frsynclist(action, v, ifp, name, g->fg_start, ifs);
3956 3959 for (g = ifs->ifs_ipfgroups[i][1]; g != NULL; g = g->fg_next)
3957 3960 frsynclist(action, v, ifp, name, g->fg_start, ifs);
3958 3961 }
3959 3962 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
3960 3963 }
3961 3964
3962 3965 #if SOLARIS2 >= 10
3963 3966 /* ------------------------------------------------------------------------ */
3964 3967 /* Function: fr_syncindex */
3965 3968 /* Returns: void */
3966 3969 /* Parameters: rules - list of rules to be sync'd */
3967 3970 /* ifp - interface, which is being sync'd */
3968 3971 /* newifp - new ifindex value for interface */
3969 3972 /* */
3970 3973 /* Function updates all NIC indecis, which match ifp, in every rule. Every */
3971 3974 /* NIC index matching ifp, will be updated to newifp. */
3972 3975 /* ------------------------------------------------------------------------ */
3973 3976 static void fr_syncindex(rules, ifp, newifp)
3974 3977 frentry_t *rules;
3975 3978 void *ifp;
3976 3979 void *newifp;
3977 3980 {
3978 3981 int i;
3979 3982 frentry_t *fr;
3980 3983
3981 3984 for (fr = rules; fr != NULL; fr = fr->fr_next) {
3982 3985 /*
3983 3986 * Lookup all the interface names that are part of the rule.
3984 3987 */
3985 3988 for (i = 0; i < 4; i++)
3986 3989 if (fr->fr_ifas[i] == ifp)
3987 3990 fr->fr_ifas[i] = newifp;
3988 3991
3989 3992 for (i = 0; i < 2; i++) {
3990 3993 if (fr->fr_tifs[i].fd_ifp == ifp)
3991 3994 fr->fr_tifs[i].fd_ifp = newifp;
3992 3995 }
3993 3996
3994 3997 if (fr->fr_dif.fd_ifp == ifp)
3995 3998 fr->fr_dif.fd_ifp = newifp;
3996 3999 }
3997 4000 }
3998 4001
3999 4002 /* ------------------------------------------------------------------------ */
4000 4003 /* Function: fr_ifindexsync */
4001 4004 /* Returns: void */
4002 4005 /* Parameters: ifp - interface, which is being sync'd */
4003 4006 /* newifp - new ifindex value for interface */
4004 4007 /* ifs - IPF's stack */
4005 4008 /* */
4006 4009 /* Function assumes ipf_mutex is locked exclusively. */
4007 4010 /* */
4008 4011 /* Function updates the NIC references in rules with new interfaces index */
4009 4012 /* (newifp). Function must process active lists: */
4010 4013 /* with accounting rules (IPv6 and IPv4) */
4011 4014 /* with inbound rules (IPv6 and IPv4) */
4012 4015 /* with outbound rules (IPv6 and IPv4) */
4013 4016 /* Function also has to take care of rule groups. */
4014 4017 /* */
4015 4018 /* NOTE: The ipf_mutex is grabbed exclusively by caller (which is always */
4016 4019 /* nic_event_hook). The hook function also updates state entries, NAT rules */
4017 4020 /* and NAT entries. We want to do all these update atomically to keep the */
4018 4021 /* NIC references consistent. The ipf_mutex will synchronize event with */
4019 4022 /* fr_check(), which processes packets, so no packet will enter fr_check(), */
4020 4023 /* while NIC references will be synchronized. */
4021 4024 /* ------------------------------------------------------------------------ */
4022 4025 void fr_ifindexsync(ifp, newifp, ifs)
4023 4026 void *ifp;
4024 4027 void *newifp;
4025 4028 ipf_stack_t *ifs;
4026 4029 {
4027 4030 unsigned int i;
4028 4031 frentry_t *rule_lists[8];
4029 4032 unsigned int rules = sizeof (rule_lists) / sizeof (frentry_t *);
4030 4033
4031 4034 rule_lists[0] = ifs->ifs_ipacct[0][ifs->ifs_fr_active];
4032 4035 rule_lists[1] = ifs->ifs_ipacct[1][ifs->ifs_fr_active];
4033 4036 rule_lists[2] = ifs->ifs_ipfilter[0][ifs->ifs_fr_active];
4034 4037 rule_lists[3] = ifs->ifs_ipfilter[1][ifs->ifs_fr_active];
4035 4038 rule_lists[4] = ifs->ifs_ipacct6[0][ifs->ifs_fr_active];
4036 4039 rule_lists[5] = ifs->ifs_ipacct6[1][ifs->ifs_fr_active];
4037 4040 rule_lists[6] = ifs->ifs_ipfilter6[0][ifs->ifs_fr_active];
4038 4041 rule_lists[7] = ifs->ifs_ipfilter6[1][ifs->ifs_fr_active];
4039 4042
4040 4043 for (i = 0; i < rules; i++) {
4041 4044 fr_syncindex(rule_lists[i], ifp, newifp);
4042 4045 }
4043 4046
4044 4047 /*
4045 4048 * Update rule groups.
4046 4049 */
4047 4050 for (i = 0; i < IPL_LOGSIZE; i++) {
4048 4051 frgroup_t *g;
4049 4052
4050 4053 for (g = ifs->ifs_ipfgroups[i][0]; g != NULL; g = g->fg_next)
4051 4054 fr_syncindex(g->fg_start, ifp, newifp);
4052 4055 for (g = ifs->ifs_ipfgroups[i][1]; g != NULL; g = g->fg_next)
4053 4056 fr_syncindex(g->fg_start, ifp, newifp);
4054 4057 }
4055 4058 }
4056 4059 #endif
4057 4060
4058 4061 /*
4059 4062 * In the functions below, bcopy() is called because the pointer being
4060 4063 * copied _from_ in this instance is a pointer to a char buf (which could
4061 4064 * end up being unaligned) and on the kernel's local stack.
4062 4065 */
4063 4066 /* ------------------------------------------------------------------------ */
4064 4067 /* Function: copyinptr */
4065 4068 /* Returns: int - 0 = success, else failure */
4066 4069 /* Parameters: src(I) - pointer to the source address */
4067 4070 /* dst(I) - destination address */
4068 4071 /* size(I) - number of bytes to copy */
4069 4072 /* */
4070 4073 /* Copy a block of data in from user space, given a pointer to the pointer */
4071 4074 /* to start copying from (src) and a pointer to where to store it (dst). */
4072 4075 /* NB: src - pointer to user space pointer, dst - kernel space pointer */
4073 4076 /* ------------------------------------------------------------------------ */
4074 4077 int copyinptr(src, dst, size)
4075 4078 void *src, *dst;
4076 4079 size_t size;
4077 4080 {
4078 4081 caddr_t ca;
4079 4082 int err;
4080 4083
4081 4084 # ifdef SOLARIS
4082 4085 err = COPYIN(src, (caddr_t)&ca, sizeof(ca));
4083 4086 if (err != 0)
4084 4087 return err;
4085 4088 # else
4086 4089 bcopy(src, (caddr_t)&ca, sizeof(ca));
4087 4090 # endif
4088 4091 err = COPYIN(ca, dst, size);
4089 4092 return err;
4090 4093 }
4091 4094
4092 4095
4093 4096 /* ------------------------------------------------------------------------ */
4094 4097 /* Function: copyoutptr */
4095 4098 /* Returns: int - 0 = success, else failure */
4096 4099 /* Parameters: src(I) - pointer to the source address */
4097 4100 /* dst(I) - destination address */
4098 4101 /* size(I) - number of bytes to copy */
4099 4102 /* */
4100 4103 /* Copy a block of data out to user space, given a pointer to the pointer */
4101 4104 /* to start copying from (src) and a pointer to where to store it (dst). */
4102 4105 /* NB: src - kernel space pointer, dst - pointer to user space pointer. */
4103 4106 /* ------------------------------------------------------------------------ */
4104 4107 int copyoutptr(src, dst, size)
4105 4108 void *src, *dst;
4106 4109 size_t size;
4107 4110 {
4108 4111 caddr_t ca;
4109 4112 int err;
4110 4113
4111 4114 # ifdef SOLARIS
4112 4115 err = COPYIN(dst, (caddr_t)&ca, sizeof(ca));
4113 4116 if (err != 0)
4114 4117 return err;
4115 4118 # else
4116 4119 bcopy(dst, (caddr_t)&ca, sizeof(ca));
4117 4120 # endif
4118 4121 err = COPYOUT(src, ca, size);
4119 4122 return err;
4120 4123 }
4121 4124 #endif
4122 4125
4123 4126
4124 4127 /* ------------------------------------------------------------------------ */
4125 4128 /* Function: fr_lock */
4126 4129 /* Returns: int - 0 = success, else error */
4127 4130 /* Parameters: data(I) - pointer to lock value to set */
4128 4131 /* lockp(O) - pointer to location to store old lock value */
4129 4132 /* */
4130 4133 /* Get the new value for the lock integer, set it and return the old value */
4131 4134 /* in *lockp. */
4132 4135 /* ------------------------------------------------------------------------ */
4133 4136 int fr_lock(data, lockp)
4134 4137 caddr_t data;
4135 4138 int *lockp;
4136 4139 {
4137 4140 int arg, err;
4138 4141
4139 4142 err = BCOPYIN(data, (caddr_t)&arg, sizeof(arg));
4140 4143 if (err != 0)
4141 4144 return (EFAULT);
4142 4145 err = BCOPYOUT((caddr_t)lockp, data, sizeof(*lockp));
4143 4146 if (err != 0)
4144 4147 return (EFAULT);
4145 4148 *lockp = arg;
4146 4149 return (0);
4147 4150 }
4148 4151
4149 4152
4150 4153 /* ------------------------------------------------------------------------ */
4151 4154 /* Function: fr_getstat */
4152 4155 /* Returns: Nil */
4153 4156 /* Parameters: fiop(I) - pointer to ipfilter stats structure */
4154 4157 /* */
4155 4158 /* Stores a copy of current pointers, counters, etc, in the friostat */
4156 4159 /* structure. */
4157 4160 /* ------------------------------------------------------------------------ */
4158 4161 void fr_getstat(fiop, ifs)
4159 4162 friostat_t *fiop;
4160 4163 ipf_stack_t *ifs;
4161 4164 {
4162 4165 int i, j;
4163 4166
4164 4167 bcopy((char *)&ifs->ifs_frstats, (char *)fiop->f_st,
4165 4168 sizeof(filterstats_t) * 2);
4166 4169 fiop->f_locks[IPL_LOGSTATE] = ifs->ifs_fr_state_lock;
4167 4170 fiop->f_locks[IPL_LOGNAT] = ifs->ifs_fr_nat_lock;
4168 4171 fiop->f_locks[IPL_LOGIPF] = ifs->ifs_fr_frag_lock;
4169 4172 fiop->f_locks[IPL_LOGAUTH] = ifs->ifs_fr_auth_lock;
4170 4173
4171 4174 for (i = 0; i < 2; i++)
4172 4175 for (j = 0; j < 2; j++) {
4173 4176 fiop->f_ipf[i][j] = ifs->ifs_ipfilter[i][j];
4174 4177 fiop->f_acct[i][j] = ifs->ifs_ipacct[i][j];
4175 4178 fiop->f_ipf6[i][j] = ifs->ifs_ipfilter6[i][j];
4176 4179 fiop->f_acct6[i][j] = ifs->ifs_ipacct6[i][j];
4177 4180 }
4178 4181
4179 4182 fiop->f_ticks = ifs->ifs_fr_ticks;
4180 4183 fiop->f_active = ifs->ifs_fr_active;
4181 4184 fiop->f_froute[0] = ifs->ifs_fr_frouteok[0];
4182 4185 fiop->f_froute[1] = ifs->ifs_fr_frouteok[1];
4183 4186
4184 4187 fiop->f_running = ifs->ifs_fr_running;
4185 4188 for (i = 0; i < IPL_LOGSIZE; i++) {
4186 4189 fiop->f_groups[i][0] = ifs->ifs_ipfgroups[i][0];
4187 4190 fiop->f_groups[i][1] = ifs->ifs_ipfgroups[i][1];
4188 4191 }
4189 4192 #ifdef IPFILTER_LOG
4190 4193 fiop->f_logging = 1;
4191 4194 #else
4192 4195 fiop->f_logging = 0;
4193 4196 #endif
4194 4197 fiop->f_defpass = ifs->ifs_fr_pass;
4195 4198 fiop->f_features = fr_features;
4196 4199 (void) strncpy(fiop->f_version, ipfilter_version,
4197 4200 sizeof(fiop->f_version));
4198 4201 }
4199 4202
4200 4203
4201 4204 #ifdef USE_INET6
4202 4205 int icmptoicmp6types[ICMP_MAXTYPE+1] = {
4203 4206 ICMP6_ECHO_REPLY, /* 0: ICMP_ECHOREPLY */
4204 4207 -1, /* 1: UNUSED */
4205 4208 -1, /* 2: UNUSED */
4206 4209 ICMP6_DST_UNREACH, /* 3: ICMP_UNREACH */
4207 4210 -1, /* 4: ICMP_SOURCEQUENCH */
4208 4211 ND_REDIRECT, /* 5: ICMP_REDIRECT */
4209 4212 -1, /* 6: UNUSED */
4210 4213 -1, /* 7: UNUSED */
4211 4214 ICMP6_ECHO_REQUEST, /* 8: ICMP_ECHO */
4212 4215 -1, /* 9: UNUSED */
4213 4216 -1, /* 10: UNUSED */
4214 4217 ICMP6_TIME_EXCEEDED, /* 11: ICMP_TIMXCEED */
4215 4218 ICMP6_PARAM_PROB, /* 12: ICMP_PARAMPROB */
4216 4219 -1, /* 13: ICMP_TSTAMP */
4217 4220 -1, /* 14: ICMP_TSTAMPREPLY */
4218 4221 -1, /* 15: ICMP_IREQ */
4219 4222 -1, /* 16: ICMP_IREQREPLY */
4220 4223 -1, /* 17: ICMP_MASKREQ */
4221 4224 -1, /* 18: ICMP_MASKREPLY */
4222 4225 };
4223 4226
4224 4227
4225 4228 int icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
4226 4229 ICMP6_DST_UNREACH_ADDR, /* 0: ICMP_UNREACH_NET */
4227 4230 ICMP6_DST_UNREACH_ADDR, /* 1: ICMP_UNREACH_HOST */
4228 4231 -1, /* 2: ICMP_UNREACH_PROTOCOL */
4229 4232 ICMP6_DST_UNREACH_NOPORT, /* 3: ICMP_UNREACH_PORT */
4230 4233 -1, /* 4: ICMP_UNREACH_NEEDFRAG */
4231 4234 ICMP6_DST_UNREACH_NOTNEIGHBOR, /* 5: ICMP_UNREACH_SRCFAIL */
4232 4235 ICMP6_DST_UNREACH_ADDR, /* 6: ICMP_UNREACH_NET_UNKNOWN */
4233 4236 ICMP6_DST_UNREACH_ADDR, /* 7: ICMP_UNREACH_HOST_UNKNOWN */
4234 4237 -1, /* 8: ICMP_UNREACH_ISOLATED */
4235 4238 ICMP6_DST_UNREACH_ADMIN, /* 9: ICMP_UNREACH_NET_PROHIB */
4236 4239 ICMP6_DST_UNREACH_ADMIN, /* 10: ICMP_UNREACH_HOST_PROHIB */
4237 4240 -1, /* 11: ICMP_UNREACH_TOSNET */
4238 4241 -1, /* 12: ICMP_UNREACH_TOSHOST */
4239 4242 ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
4240 4243 };
4241 4244 int icmpreplytype6[ICMP6_MAXTYPE + 1];
4242 4245 #endif
4243 4246
4244 4247 int icmpreplytype4[ICMP_MAXTYPE + 1];
4245 4248
4246 4249
4247 4250 /* ------------------------------------------------------------------------ */
4248 4251 /* Function: fr_matchicmpqueryreply */
4249 4252 /* Returns: int - 1 if "icmp" is a valid reply to "ic" else 0. */
4250 4253 /* Parameters: v(I) - IP protocol version (4 or 6) */
4251 4254 /* ic(I) - ICMP information */
4252 4255 /* icmp(I) - ICMP packet header */
4253 4256 /* rev(I) - direction (0 = forward/1 = reverse) of packet */
4254 4257 /* */
4255 4258 /* Check if the ICMP packet defined by the header pointed to by icmp is a */
4256 4259 /* reply to one as described by what's in ic. If it is a match, return 1, */
4257 4260 /* else return 0 for no match. */
4258 4261 /* ------------------------------------------------------------------------ */
4259 4262 int fr_matchicmpqueryreply(v, ic, icmp, rev)
4260 4263 int v;
4261 4264 icmpinfo_t *ic;
4262 4265 icmphdr_t *icmp;
4263 4266 int rev;
4264 4267 {
4265 4268 int ictype;
4266 4269
4267 4270 ictype = ic->ici_type;
4268 4271
4269 4272 if (v == 4) {
4270 4273 /*
4271 4274 * If we matched its type on the way in, then when going out
4272 4275 * it will still be the same type.
4273 4276 */
4274 4277 if ((!rev && (icmp->icmp_type == ictype)) ||
4275 4278 (rev && (icmpreplytype4[ictype] == icmp->icmp_type))) {
4276 4279 if (icmp->icmp_type != ICMP_ECHOREPLY)
4277 4280 return 1;
4278 4281 if (icmp->icmp_id == ic->ici_id)
4279 4282 return 1;
4280 4283 }
4281 4284 }
4282 4285 #ifdef USE_INET6
4283 4286 else if (v == 6) {
4284 4287 if ((!rev && (icmp->icmp_type == ictype)) ||
4285 4288 (rev && (icmpreplytype6[ictype] == icmp->icmp_type))) {
4286 4289 if (icmp->icmp_type != ICMP6_ECHO_REPLY)
4287 4290 return 1;
4288 4291 if (icmp->icmp_id == ic->ici_id)
4289 4292 return 1;
4290 4293 }
4291 4294 }
4292 4295 #endif
4293 4296 return 0;
4294 4297 }
4295 4298
4296 4299
4297 4300 #ifdef IPFILTER_LOOKUP
4298 4301 /* ------------------------------------------------------------------------ */
4299 4302 /* Function: fr_resolvelookup */
4300 4303 /* Returns: void * - NULL = failure, else success. */
4301 4304 /* Parameters: type(I) - type of lookup these parameters are for. */
4302 4305 /* number(I) - table number to use when searching */
4303 4306 /* funcptr(IO) - pointer to pointer for storing IP address */
4304 4307 /* searching function. */
4305 4308 /* ifs - ipf stack instance */
4306 4309 /* */
4307 4310 /* Search for the "table" number passed in amongst those configured for */
4308 4311 /* that particular type. If the type is recognised then the function to */
4309 4312 /* call to do the IP address search will be change, regardless of whether */
4310 4313 /* or not the "table" number exists. */
4311 4314 /* ------------------------------------------------------------------------ */
4312 4315 static void *fr_resolvelookup(type, number, funcptr, ifs)
4313 4316 u_int type, number;
4314 4317 lookupfunc_t *funcptr;
4315 4318 ipf_stack_t *ifs;
4316 4319 {
4317 4320 char name[FR_GROUPLEN];
4318 4321 iphtable_t *iph;
4319 4322 ip_pool_t *ipo;
4320 4323 void *ptr;
4321 4324
4322 4325 #if defined(SNPRINTF) && defined(_KERNEL)
4323 4326 (void) SNPRINTF(name, sizeof(name), "%u", number);
4324 4327 #else
4325 4328 (void) sprintf(name, "%u", number);
4326 4329 #endif
4327 4330
4328 4331 READ_ENTER(&ifs->ifs_ip_poolrw);
4329 4332
4330 4333 switch (type)
4331 4334 {
4332 4335 case IPLT_POOL :
4333 4336 # if (defined(__osf__) && defined(_KERNEL))
4334 4337 ptr = NULL;
4335 4338 *funcptr = NULL;
4336 4339 # else
4337 4340 ipo = ip_pool_find(IPL_LOGIPF, name, ifs);
4338 4341 ptr = ipo;
4339 4342 if (ipo != NULL) {
4340 4343 ATOMIC_INC32(ipo->ipo_ref);
4341 4344 }
4342 4345 *funcptr = ip_pool_search;
4343 4346 # endif
4344 4347 break;
4345 4348 case IPLT_HASH :
4346 4349 iph = fr_findhtable(IPL_LOGIPF, name, ifs);
4347 4350 ptr = iph;
4348 4351 if (iph != NULL) {
4349 4352 ATOMIC_INC32(iph->iph_ref);
4350 4353 }
4351 4354 *funcptr = fr_iphmfindip;
4352 4355 break;
4353 4356 default:
4354 4357 ptr = NULL;
4355 4358 *funcptr = NULL;
4356 4359 break;
4357 4360 }
4358 4361 RWLOCK_EXIT(&ifs->ifs_ip_poolrw);
4359 4362
4360 4363 return ptr;
4361 4364 }
4362 4365 #endif
4363 4366
4364 4367
4365 4368 /* ------------------------------------------------------------------------ */
4366 4369 /* Function: frrequest */
4367 4370 /* Returns: int - 0 == success, > 0 == errno value */
4368 4371 /* Parameters: unit(I) - device for which this is for */
4369 4372 /* req(I) - ioctl command (SIOC*) */
4370 4373 /* data(I) - pointr to ioctl data */
4371 4374 /* set(I) - 1 or 0 (filter set) */
4372 4375 /* makecopy(I) - flag indicating whether data points to a rule */
4373 4376 /* in kernel space & hence doesn't need copying. */
4374 4377 /* */
4375 4378 /* This function handles all the requests which operate on the list of */
4376 4379 /* filter rules. This includes adding, deleting, insertion. It is also */
4377 4380 /* responsible for creating groups when a "head" rule is loaded. Interface */
4378 4381 /* names are resolved here and other sanity checks are made on the content */
4379 4382 /* of the rule structure being loaded. If a rule has user defined timeouts */
4380 4383 /* then make sure they are created and initialised before exiting. */
4381 4384 /* ------------------------------------------------------------------------ */
4382 4385 int frrequest(unit, req, data, set, makecopy, ifs)
4383 4386 int unit;
4384 4387 ioctlcmd_t req;
4385 4388 int set, makecopy;
4386 4389 caddr_t data;
4387 4390 ipf_stack_t *ifs;
4388 4391 {
4389 4392 frentry_t frd, *fp, *f, **fprev, **ftail;
4390 4393 int error = 0, in, v;
4391 4394 void *ptr, *uptr;
4392 4395 u_int *p, *pp;
4393 4396 frgroup_t *fg;
4394 4397 char *group;
4395 4398
4396 4399 fg = NULL;
4397 4400 fp = &frd;
4398 4401 if (makecopy != 0) {
4399 4402 error = fr_inobj(data, fp, IPFOBJ_FRENTRY);
4400 4403 if (error)
4401 4404 return EFAULT;
4402 4405 if ((fp->fr_flags & FR_T_BUILTIN) != 0)
4403 4406 return EINVAL;
4404 4407 fp->fr_ref = 0;
4405 4408 fp->fr_flags |= FR_COPIED;
4406 4409 } else {
4407 4410 fp = (frentry_t *)data;
4408 4411 if ((fp->fr_type & FR_T_BUILTIN) == 0)
4409 4412 return EINVAL;
4410 4413 fp->fr_flags &= ~FR_COPIED;
4411 4414 }
4412 4415
4413 4416 if (((fp->fr_dsize == 0) && (fp->fr_data != NULL)) ||
4414 4417 ((fp->fr_dsize != 0) && (fp->fr_data == NULL)))
4415 4418 return EINVAL;
4416 4419
4417 4420 v = fp->fr_v;
4418 4421 uptr = fp->fr_data;
4419 4422
4420 4423 /*
4421 4424 * Only filter rules for IPv4 or IPv6 are accepted.
4422 4425 */
4423 4426 if (v == 4)
4424 4427 /*EMPTY*/;
4425 4428 #ifdef USE_INET6
4426 4429 else if (v == 6)
4427 4430 /*EMPTY*/;
4428 4431 #endif
4429 4432 else {
4430 4433 return EINVAL;
4431 4434 }
4432 4435
4433 4436 /*
4434 4437 * If the rule is being loaded from user space, i.e. we had to copy it
4435 4438 * into kernel space, then do not trust the function pointer in the
4436 4439 * rule.
4437 4440 */
4438 4441 if ((makecopy == 1) && (fp->fr_func != NULL)) {
4439 4442 if (fr_findfunc(fp->fr_func) == NULL)
4440 4443 return ESRCH;
4441 4444 error = fr_funcinit(fp, ifs);
4442 4445 if (error != 0)
4443 4446 return error;
4444 4447 }
4445 4448
4446 4449 ptr = NULL;
4447 4450 /*
4448 4451 * Check that the group number does exist and that its use (in/out)
4449 4452 * matches what the rule is.
4450 4453 */
4451 4454 if (!strncmp(fp->fr_grhead, "0", FR_GROUPLEN))
4452 4455 *fp->fr_grhead = '\0';
4453 4456 group = fp->fr_group;
4454 4457 if (!strncmp(group, "0", FR_GROUPLEN))
4455 4458 *group = '\0';
4456 4459
4457 4460 if (FR_ISACCOUNT(fp->fr_flags))
4458 4461 unit = IPL_LOGCOUNT;
4459 4462
4460 4463 if ((req != (int)SIOCZRLST) && (*group != '\0')) {
4461 4464 fg = fr_findgroup(group, unit, set, NULL, ifs);
4462 4465 if (fg == NULL)
4463 4466 return ESRCH;
4464 4467 if (fg->fg_flags == 0)
4465 4468 fg->fg_flags = fp->fr_flags & FR_INOUT;
4466 4469 else if (fg->fg_flags != (fp->fr_flags & FR_INOUT))
4467 4470 return ESRCH;
4468 4471 }
4469 4472
4470 4473 in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
4471 4474
4472 4475 /*
4473 4476 * Work out which rule list this change is being applied to.
4474 4477 */
4475 4478 ftail = NULL;
4476 4479 fprev = NULL;
4477 4480 if (unit == IPL_LOGAUTH)
4478 4481 fprev = &ifs->ifs_ipauth;
4479 4482 else if (v == 4) {
4480 4483 if (FR_ISACCOUNT(fp->fr_flags))
4481 4484 fprev = &ifs->ifs_ipacct[in][set];
4482 4485 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
4483 4486 fprev = &ifs->ifs_ipfilter[in][set];
4484 4487 } else if (v == 6) {
4485 4488 if (FR_ISACCOUNT(fp->fr_flags))
4486 4489 fprev = &ifs->ifs_ipacct6[in][set];
4487 4490 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
4488 4491 fprev = &ifs->ifs_ipfilter6[in][set];
4489 4492 }
4490 4493 if (fprev == NULL)
4491 4494 return ESRCH;
4492 4495
4493 4496 if (*group != '\0') {
4494 4497 if (!fg && !(fg = fr_findgroup(group, unit, set, NULL, ifs)))
4495 4498 return ESRCH;
4496 4499 fprev = &fg->fg_start;
4497 4500 }
4498 4501
4499 4502 ftail = fprev;
4500 4503 for (f = *ftail; (f = *ftail) != NULL; ftail = &f->fr_next) {
4501 4504 if (fp->fr_collect <= f->fr_collect) {
4502 4505 ftail = fprev;
4503 4506 f = NULL;
4504 4507 break;
4505 4508 }
4506 4509 fprev = ftail;
4507 4510 }
4508 4511
4509 4512 /*
4510 4513 * Copy in extra data for the rule.
4511 4514 */
4512 4515 if (fp->fr_dsize != 0) {
4513 4516 if (makecopy != 0) {
4514 4517 KMALLOCS(ptr, void *, fp->fr_dsize);
4515 4518 if (!ptr)
4516 4519 return ENOMEM;
4517 4520 error = COPYIN(uptr, ptr, fp->fr_dsize);
4518 4521 } else {
4519 4522 ptr = uptr;
4520 4523 error = 0;
4521 4524 }
4522 4525 if (error != 0) {
4523 4526 KFREES(ptr, fp->fr_dsize);
4524 4527 return EFAULT;
4525 4528 }
4526 4529 fp->fr_data = ptr;
4527 4530 } else
4528 4531 fp->fr_data = NULL;
4529 4532
4530 4533 /*
4531 4534 * Perform per-rule type sanity checks of their members.
4532 4535 */
4533 4536 switch (fp->fr_type & ~FR_T_BUILTIN)
4534 4537 {
4535 4538 #if defined(IPFILTER_BPF)
4536 4539 case FR_T_BPFOPC :
4537 4540 if (fp->fr_dsize == 0)
4538 4541 return EINVAL;
4539 4542 if (!bpf_validate(ptr, fp->fr_dsize/sizeof(struct bpf_insn))) {
4540 4543 if (makecopy && fp->fr_data != NULL) {
4541 4544 KFREES(fp->fr_data, fp->fr_dsize);
4542 4545 }
4543 4546 return EINVAL;
4544 4547 }
4545 4548 break;
4546 4549 #endif
4547 4550 case FR_T_IPF :
4548 4551 if (fp->fr_dsize != sizeof(fripf_t)) {
4549 4552 if (makecopy && fp->fr_data != NULL) {
4550 4553 KFREES(fp->fr_data, fp->fr_dsize);
4551 4554 }
4552 4555 return EINVAL;
4553 4556 }
4554 4557
4555 4558 /*
4556 4559 * Allowing a rule with both "keep state" and "with oow" is
4557 4560 * pointless because adding a state entry to the table will
4558 4561 * fail with the out of window (oow) flag set.
4559 4562 */
4560 4563 if ((fp->fr_flags & FR_KEEPSTATE) && (fp->fr_flx & FI_OOW)) {
4561 4564 if (makecopy && fp->fr_data != NULL) {
4562 4565 KFREES(fp->fr_data, fp->fr_dsize);
4563 4566 }
4564 4567 return EINVAL;
4565 4568 }
4566 4569
4567 4570 switch (fp->fr_satype)
4568 4571 {
4569 4572 case FRI_BROADCAST :
4570 4573 case FRI_DYNAMIC :
4571 4574 case FRI_NETWORK :
4572 4575 case FRI_NETMASKED :
4573 4576 case FRI_PEERADDR :
4574 4577 if (fp->fr_sifpidx < 0 || fp->fr_sifpidx > 3) {
4575 4578 if (makecopy && fp->fr_data != NULL) {
4576 4579 KFREES(fp->fr_data, fp->fr_dsize);
4577 4580 }
4578 4581 return EINVAL;
4579 4582 }
4580 4583 break;
4581 4584 #ifdef IPFILTER_LOOKUP
4582 4585 case FRI_LOOKUP :
4583 4586 fp->fr_srcptr = fr_resolvelookup(fp->fr_srctype,
4584 4587 fp->fr_srcnum,
4585 4588 &fp->fr_srcfunc, ifs);
4586 4589 break;
4587 4590 #endif
4588 4591 default :
4589 4592 break;
4590 4593 }
4591 4594
4592 4595 switch (fp->fr_datype)
4593 4596 {
4594 4597 case FRI_BROADCAST :
4595 4598 case FRI_DYNAMIC :
4596 4599 case FRI_NETWORK :
4597 4600 case FRI_NETMASKED :
4598 4601 case FRI_PEERADDR :
4599 4602 if (fp->fr_difpidx < 0 || fp->fr_difpidx > 3) {
4600 4603 if (makecopy && fp->fr_data != NULL) {
4601 4604 KFREES(fp->fr_data, fp->fr_dsize);
4602 4605 }
4603 4606 return EINVAL;
4604 4607 }
4605 4608 break;
4606 4609 #ifdef IPFILTER_LOOKUP
4607 4610 case FRI_LOOKUP :
4608 4611 fp->fr_dstptr = fr_resolvelookup(fp->fr_dsttype,
4609 4612 fp->fr_dstnum,
4610 4613 &fp->fr_dstfunc, ifs);
4611 4614 break;
4612 4615 #endif
4613 4616 default :
4614 4617 break;
4615 4618 }
4616 4619 break;
4617 4620 case FR_T_NONE :
4618 4621 break;
4619 4622 case FR_T_CALLFUNC :
4620 4623 break;
4621 4624 case FR_T_COMPIPF :
4622 4625 break;
4623 4626 default :
4624 4627 if (makecopy && fp->fr_data != NULL) {
4625 4628 KFREES(fp->fr_data, fp->fr_dsize);
4626 4629 }
4627 4630 return EINVAL;
4628 4631 }
4629 4632
4630 4633 /*
4631 4634 * Lookup all the interface names that are part of the rule.
4632 4635 */
4633 4636 frsynclist(0, 0, NULL, NULL, fp, ifs);
4634 4637 fp->fr_statecnt = 0;
4635 4638
4636 4639 /*
4637 4640 * Look for an existing matching filter rule, but don't include the
4638 4641 * next or interface pointer in the comparison (fr_next, fr_ifa).
4639 4642 * This elminates rules which are indentical being loaded. Checksum
4640 4643 * the constant part of the filter rule to make comparisons quicker
4641 4644 * (this meaning no pointers are included).
4642 4645 */
4643 4646 for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_func, pp = &fp->fr_cksum;
4644 4647 p < pp; p++)
4645 4648 fp->fr_cksum += *p;
4646 4649 pp = (u_int *)(fp->fr_caddr + fp->fr_dsize);
4647 4650 for (p = (u_int *)fp->fr_data; p < pp; p++)
4648 4651 fp->fr_cksum += *p;
4649 4652
4650 4653 WRITE_ENTER(&ifs->ifs_ipf_mutex);
4651 4654 bzero((char *)ifs->ifs_frcache, sizeof (ifs->ifs_frcache));
4652 4655
4653 4656 for (; (f = *ftail) != NULL; ftail = &f->fr_next) {
4654 4657 if ((fp->fr_cksum != f->fr_cksum) ||
4655 4658 (f->fr_dsize != fp->fr_dsize))
4656 4659 continue;
4657 4660 if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func, FR_CMPSIZ))
4658 4661 continue;
4659 4662 if ((!ptr && !f->fr_data) ||
4660 4663 (ptr && f->fr_data &&
4661 4664 !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize)))
4662 4665 break;
4663 4666 }
4664 4667
4665 4668 /*
4666 4669 * If zero'ing statistics, copy current to caller and zero.
4667 4670 */
4668 4671 if (req == (ioctlcmd_t)SIOCZRLST) {
4669 4672 if (f == NULL)
4670 4673 error = ESRCH;
4671 4674 else {
4672 4675 /*
4673 4676 * Copy and reduce lock because of impending copyout.
4674 4677 * Well we should, but if we do then the atomicity of
4675 4678 * this call and the correctness of fr_hits and
4676 4679 * fr_bytes cannot be guaranteed. As it is, this code
4677 4680 * only resets them to 0 if they are successfully
4678 4681 * copied out into user space.
4679 4682 */
4680 4683 bcopy((char *)f, (char *)fp, sizeof(*f));
4681 4684
4682 4685 /*
4683 4686 * When we copy this rule back out, set the data
4684 4687 * pointer to be what it was in user space.
4685 4688 */
4686 4689 fp->fr_data = uptr;
4687 4690 error = fr_outobj(data, fp, IPFOBJ_FRENTRY);
4688 4691
4689 4692 if (error == 0) {
4690 4693 if ((f->fr_dsize != 0) && (uptr != NULL))
4691 4694 error = COPYOUT(f->fr_data, uptr,
4692 4695 f->fr_dsize);
4693 4696 if (error == 0) {
4694 4697 f->fr_hits = 0;
4695 4698 f->fr_bytes = 0;
4696 4699 }
4697 4700 }
4698 4701 }
4699 4702
4700 4703 if ((ptr != NULL) && (makecopy != 0)) {
4701 4704 KFREES(ptr, fp->fr_dsize);
4702 4705 }
4703 4706 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
4704 4707 return error;
4705 4708 }
4706 4709
4707 4710 if (!f) {
4708 4711 /*
4709 4712 * At the end of this, ftail must point to the place where the
4710 4713 * new rule is to be saved/inserted/added.
4711 4714 * For SIOCAD*FR, this should be the last rule in the group of
4712 4715 * rules that have equal fr_collect fields.
4713 4716 * For SIOCIN*FR, ...
4714 4717 */
4715 4718 if (req == (ioctlcmd_t)SIOCADAFR ||
4716 4719 req == (ioctlcmd_t)SIOCADIFR) {
4717 4720
4718 4721 for (ftail = fprev; (f = *ftail) != NULL; ) {
4719 4722 if (f->fr_collect > fp->fr_collect)
4720 4723 break;
4721 4724 ftail = &f->fr_next;
4722 4725 }
4723 4726 f = NULL;
4724 4727 ptr = NULL;
4725 4728 error = 0;
4726 4729 } else if (req == (ioctlcmd_t)SIOCINAFR ||
4727 4730 req == (ioctlcmd_t)SIOCINIFR) {
4728 4731 while ((f = *fprev) != NULL) {
4729 4732 if (f->fr_collect >= fp->fr_collect)
4730 4733 break;
4731 4734 fprev = &f->fr_next;
4732 4735 }
4733 4736 ftail = fprev;
4734 4737 if (fp->fr_hits != 0) {
4735 4738 while (fp->fr_hits && (f = *ftail)) {
4736 4739 if (f->fr_collect != fp->fr_collect)
4737 4740 break;
4738 4741 fprev = ftail;
4739 4742 ftail = &f->fr_next;
4740 4743 fp->fr_hits--;
4741 4744 }
4742 4745 }
4743 4746 f = NULL;
4744 4747 ptr = NULL;
4745 4748 error = 0;
4746 4749 }
4747 4750 }
4748 4751
4749 4752 /*
4750 4753 * Request to remove a rule.
4751 4754 */
4752 4755 if (req == (ioctlcmd_t)SIOCRMAFR || req == (ioctlcmd_t)SIOCRMIFR) {
4753 4756 if (!f)
4754 4757 error = ESRCH;
4755 4758 else {
4756 4759 /*
4757 4760 * Do not allow activity from user space to interfere
4758 4761 * with rules not loaded that way.
4759 4762 */
4760 4763 if ((makecopy == 1) && !(f->fr_flags & FR_COPIED)) {
4761 4764 error = EPERM;
4762 4765 goto done;
4763 4766 }
4764 4767
4765 4768 /*
4766 4769 * Return EBUSY if the rule is being reference by
4767 4770 * something else (eg state information.
4768 4771 */
4769 4772 if (f->fr_ref > 1) {
4770 4773 error = EBUSY;
4771 4774 goto done;
4772 4775 }
4773 4776 #ifdef IPFILTER_SCAN
4774 4777 if (f->fr_isctag[0] != '\0' &&
4775 4778 (f->fr_isc != (struct ipscan *)-1))
4776 4779 ipsc_detachfr(f);
4777 4780 #endif
4778 4781 if (unit == IPL_LOGAUTH) {
4779 4782 error = fr_preauthcmd(req, f, ftail, ifs);
4780 4783 goto done;
4781 4784 }
4782 4785 if (*f->fr_grhead != '\0')
4783 4786 fr_delgroup(f->fr_grhead, unit, set, ifs);
4784 4787 fr_fixskip(ftail, f, -1);
4785 4788 *ftail = f->fr_next;
4786 4789 f->fr_next = NULL;
4787 4790 (void)fr_derefrule(&f, ifs);
4788 4791 }
4789 4792 } else {
4790 4793 /*
4791 4794 * Not removing, so we must be adding/inserting a rule.
4792 4795 */
4793 4796 if (f)
4794 4797 error = EEXIST;
4795 4798 else {
4796 4799 if (unit == IPL_LOGAUTH) {
4797 4800 error = fr_preauthcmd(req, fp, ftail, ifs);
4798 4801 goto done;
4799 4802 }
4800 4803 if (makecopy) {
4801 4804 KMALLOC(f, frentry_t *);
4802 4805 } else
4803 4806 f = fp;
4804 4807 if (f != NULL) {
4805 4808 if (fp != f)
4806 4809 bcopy((char *)fp, (char *)f,
4807 4810 sizeof(*f));
4808 4811 MUTEX_NUKE(&f->fr_lock);
4809 4812 MUTEX_INIT(&f->fr_lock, "filter rule lock");
4810 4813 #ifdef IPFILTER_SCAN
4811 4814 if (f->fr_isctag[0] != '\0' &&
4812 4815 ipsc_attachfr(f))
4813 4816 f->fr_isc = (struct ipscan *)-1;
4814 4817 #endif
4815 4818 f->fr_hits = 0;
4816 4819 if (makecopy != 0)
4817 4820 f->fr_ref = 1;
4818 4821 f->fr_next = *ftail;
4819 4822 *ftail = f;
4820 4823 if (req == (ioctlcmd_t)SIOCINIFR ||
4821 4824 req == (ioctlcmd_t)SIOCINAFR)
4822 4825 fr_fixskip(ftail, f, 1);
4823 4826 f->fr_grp = NULL;
4824 4827 group = f->fr_grhead;
4825 4828 if (*group != '\0') {
4826 4829 fg = fr_addgroup(group, f, f->fr_flags,
4827 4830 unit, set, ifs);
4828 4831 if (fg != NULL)
4829 4832 f->fr_grp = &fg->fg_start;
4830 4833 }
4831 4834 } else
4832 4835 error = ENOMEM;
4833 4836 }
4834 4837 }
4835 4838 done:
4836 4839 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
4837 4840 if ((ptr != NULL) && (error != 0) && (makecopy != 0)) {
4838 4841 KFREES(ptr, fp->fr_dsize);
4839 4842 }
4840 4843 return (error);
4841 4844 }
4842 4845
4843 4846
4844 4847 /* ------------------------------------------------------------------------ */
4845 4848 /* Function: fr_funcinit */
4846 4849 /* Returns: int - 0 == success, else ESRCH: cannot resolve rule details */
4847 4850 /* Parameters: fr(I) - pointer to filter rule */
4848 4851 /* */
4849 4852 /* If a rule is a call rule, then check if the function it points to needs */
4850 4853 /* an init function to be called now the rule has been loaded. */
4851 4854 /* ------------------------------------------------------------------------ */
4852 4855 static int fr_funcinit(fr, ifs)
4853 4856 frentry_t *fr;
4854 4857 ipf_stack_t *ifs;
4855 4858 {
4856 4859 ipfunc_resolve_t *ft;
4857 4860 int err;
4858 4861
4859 4862 err = ESRCH;
4860 4863
4861 4864 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4862 4865 if (ft->ipfu_addr == fr->fr_func) {
4863 4866 err = 0;
4864 4867 if (ft->ipfu_init != NULL)
4865 4868 err = (*ft->ipfu_init)(fr, ifs);
4866 4869 break;
4867 4870 }
4868 4871 return err;
4869 4872 }
4870 4873
4871 4874
4872 4875 /* ------------------------------------------------------------------------ */
4873 4876 /* Function: fr_findfunc */
4874 4877 /* Returns: ipfunc_t - pointer to function if found, else NULL */
4875 4878 /* Parameters: funcptr(I) - function pointer to lookup */
4876 4879 /* */
4877 4880 /* Look for a function in the table of known functions. */
4878 4881 /* ------------------------------------------------------------------------ */
4879 4882 static ipfunc_t fr_findfunc(funcptr)
4880 4883 ipfunc_t funcptr;
4881 4884 {
4882 4885 ipfunc_resolve_t *ft;
4883 4886
4884 4887 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4885 4888 if (ft->ipfu_addr == funcptr)
4886 4889 return funcptr;
4887 4890 return NULL;
4888 4891 }
4889 4892
4890 4893
4891 4894 /* ------------------------------------------------------------------------ */
4892 4895 /* Function: fr_resolvefunc */
4893 4896 /* Returns: int - 0 == success, else error */
4894 4897 /* Parameters: data(IO) - ioctl data pointer to ipfunc_resolve_t struct */
4895 4898 /* */
4896 4899 /* Copy in a ipfunc_resolve_t structure and then fill in the missing field. */
4897 4900 /* This will either be the function name (if the pointer is set) or the */
4898 4901 /* function pointer if the name is set. When found, fill in the other one */
4899 4902 /* so that the entire, complete, structure can be copied back to user space.*/
4900 4903 /* ------------------------------------------------------------------------ */
4901 4904 int fr_resolvefunc(data)
4902 4905 void *data;
4903 4906 {
4904 4907 ipfunc_resolve_t res, *ft;
4905 4908 int err;
4906 4909
4907 4910 err = BCOPYIN(data, &res, sizeof(res));
4908 4911 if (err != 0)
4909 4912 return EFAULT;
4910 4913
4911 4914 if (res.ipfu_addr == NULL && res.ipfu_name[0] != '\0') {
4912 4915 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4913 4916 if (strncmp(res.ipfu_name, ft->ipfu_name,
4914 4917 sizeof(res.ipfu_name)) == 0) {
4915 4918 res.ipfu_addr = ft->ipfu_addr;
4916 4919 res.ipfu_init = ft->ipfu_init;
4917 4920 if (COPYOUT(&res, data, sizeof(res)) != 0)
4918 4921 return EFAULT;
4919 4922 return 0;
4920 4923 }
4921 4924 }
4922 4925 if (res.ipfu_addr != NULL && res.ipfu_name[0] == '\0') {
4923 4926 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4924 4927 if (ft->ipfu_addr == res.ipfu_addr) {
4925 4928 (void) strncpy(res.ipfu_name, ft->ipfu_name,
4926 4929 sizeof(res.ipfu_name));
4927 4930 res.ipfu_init = ft->ipfu_init;
4928 4931 if (COPYOUT(&res, data, sizeof(res)) != 0)
4929 4932 return EFAULT;
4930 4933 return 0;
4931 4934 }
4932 4935 }
4933 4936 return ESRCH;
4934 4937 }
4935 4938
4936 4939
4937 4940 #if !defined(_KERNEL) || (!defined(__NetBSD__) && !defined(__OpenBSD__) && !defined(__FreeBSD__)) || \
4938 4941 (defined(__FreeBSD__) && (__FreeBSD_version < 490000)) || \
4939 4942 (defined(__NetBSD__) && (__NetBSD_Version__ < 105000000)) || \
4940 4943 (defined(__OpenBSD__) && (OpenBSD < 200006))
4941 4944 /*
4942 4945 * From: NetBSD
4943 4946 * ppsratecheck(): packets (or events) per second limitation.
4944 4947 */
4945 4948 int
4946 4949 ppsratecheck(lasttime, curpps, maxpps)
4947 4950 struct timeval *lasttime;
4948 4951 int *curpps;
4949 4952 int maxpps; /* maximum pps allowed */
4950 4953 {
4951 4954 struct timeval tv, delta;
4952 4955 int rv;
4953 4956
4954 4957 GETKTIME(&tv);
4955 4958
4956 4959 delta.tv_sec = tv.tv_sec - lasttime->tv_sec;
4957 4960 delta.tv_usec = tv.tv_usec - lasttime->tv_usec;
4958 4961 if (delta.tv_usec < 0) {
4959 4962 delta.tv_sec--;
4960 4963 delta.tv_usec += 1000000;
4961 4964 }
4962 4965
4963 4966 /*
4964 4967 * check for 0,0 is so that the message will be seen at least once.
4965 4968 * if more than one second have passed since the last update of
4966 4969 * lasttime, reset the counter.
4967 4970 *
4968 4971 * we do increment *curpps even in *curpps < maxpps case, as some may
4969 4972 * try to use *curpps for stat purposes as well.
4970 4973 */
4971 4974 if ((lasttime->tv_sec == 0 && lasttime->tv_usec == 0) ||
4972 4975 delta.tv_sec >= 1) {
4973 4976 *lasttime = tv;
4974 4977 *curpps = 0;
4975 4978 rv = 1;
4976 4979 } else if (maxpps < 0)
4977 4980 rv = 1;
4978 4981 else if (*curpps < maxpps)
4979 4982 rv = 1;
4980 4983 else
4981 4984 rv = 0;
4982 4985 *curpps = *curpps + 1;
4983 4986
4984 4987 return (rv);
4985 4988 }
4986 4989 #endif
4987 4990
4988 4991
4989 4992 /* ------------------------------------------------------------------------ */
4990 4993 /* Function: fr_derefrule */
4991 4994 /* Returns: int - 0 == rule freed up, else rule not freed */
4992 4995 /* Parameters: fr(I) - pointer to filter rule */
4993 4996 /* */
4994 4997 /* Decrement the reference counter to a rule by one. If it reaches zero, */
4995 4998 /* free it and any associated storage space being used by it. */
4996 4999 /* ------------------------------------------------------------------------ */
4997 5000 int fr_derefrule(frp, ifs)
4998 5001 frentry_t **frp;
4999 5002 ipf_stack_t *ifs;
5000 5003 {
5001 5004 frentry_t *fr;
5002 5005
5003 5006 fr = *frp;
5004 5007
5005 5008 MUTEX_ENTER(&fr->fr_lock);
5006 5009 fr->fr_ref--;
5007 5010 if (fr->fr_ref == 0) {
5008 5011 MUTEX_EXIT(&fr->fr_lock);
5009 5012 MUTEX_DESTROY(&fr->fr_lock);
5010 5013
5011 5014 #ifdef IPFILTER_LOOKUP
5012 5015 if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP)
5013 5016 ip_lookup_deref(fr->fr_srctype, fr->fr_srcptr, ifs);
5014 5017 if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP)
5015 5018 ip_lookup_deref(fr->fr_dsttype, fr->fr_dstptr, ifs);
5016 5019 #endif
5017 5020
5018 5021 if (fr->fr_dsize) {
5019 5022 KFREES(fr->fr_data, fr->fr_dsize);
5020 5023 }
5021 5024 if ((fr->fr_flags & FR_COPIED) != 0) {
5022 5025 KFREE(fr);
5023 5026 return 0;
5024 5027 }
5025 5028 return 1;
5026 5029 } else {
5027 5030 MUTEX_EXIT(&fr->fr_lock);
5028 5031 }
5029 5032 *frp = NULL;
5030 5033 return -1;
5031 5034 }
5032 5035
5033 5036
5034 5037 #ifdef IPFILTER_LOOKUP
5035 5038 /* ------------------------------------------------------------------------ */
5036 5039 /* Function: fr_grpmapinit */
5037 5040 /* Returns: int - 0 == success, else ESRCH because table entry not found*/
5038 5041 /* Parameters: fr(I) - pointer to rule to find hash table for */
5039 5042 /* */
5040 5043 /* Looks for group hash table fr_arg and stores a pointer to it in fr_ptr. */
5041 5044 /* fr_ptr is later used by fr_srcgrpmap and fr_dstgrpmap. */
5042 5045 /* ------------------------------------------------------------------------ */
5043 5046 static int fr_grpmapinit(fr, ifs)
5044 5047 frentry_t *fr;
5045 5048 ipf_stack_t *ifs;
5046 5049 {
5047 5050 char name[FR_GROUPLEN];
5048 5051 iphtable_t *iph;
5049 5052
5050 5053 #if defined(SNPRINTF) && defined(_KERNEL)
5051 5054 (void) SNPRINTF(name, sizeof(name), "%d", fr->fr_arg);
5052 5055 #else
5053 5056 (void) sprintf(name, "%d", fr->fr_arg);
5054 5057 #endif
5055 5058 iph = fr_findhtable(IPL_LOGIPF, name, ifs);
5056 5059 if (iph == NULL)
5057 5060 return ESRCH;
5058 5061 if ((iph->iph_flags & FR_INOUT) != (fr->fr_flags & FR_INOUT))
5059 5062 return ESRCH;
5060 5063 fr->fr_ptr = iph;
5061 5064 return 0;
5062 5065 }
5063 5066
5064 5067
5065 5068 /* ------------------------------------------------------------------------ */
5066 5069 /* Function: fr_srcgrpmap */
5067 5070 /* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
5068 5071 /* Parameters: fin(I) - pointer to packet information */
5069 5072 /* passp(IO) - pointer to current/new filter decision (unused) */
5070 5073 /* */
5071 5074 /* Look for a rule group head in a hash table, using the source address as */
5072 5075 /* the key, and descend into that group and continue matching rules against */
5073 5076 /* the packet. */
5074 5077 /* ------------------------------------------------------------------------ */
5075 5078 frentry_t *fr_srcgrpmap(fin, passp)
5076 5079 fr_info_t *fin;
5077 5080 u_32_t *passp;
5078 5081 {
5079 5082 frgroup_t *fg;
5080 5083 void *rval;
5081 5084 ipf_stack_t *ifs = fin->fin_ifs;
5082 5085
5083 5086 rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, fin->fin_v, &fin->fin_src, ifs);
5084 5087 if (rval == NULL)
5085 5088 return NULL;
5086 5089
5087 5090 fg = rval;
5088 5091 fin->fin_fr = fg->fg_start;
5089 5092 (void) fr_scanlist(fin, *passp);
5090 5093 return fin->fin_fr;
5091 5094 }
5092 5095
5093 5096
5094 5097 /* ------------------------------------------------------------------------ */
5095 5098 /* Function: fr_dstgrpmap */
5096 5099 /* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
5097 5100 /* Parameters: fin(I) - pointer to packet information */
5098 5101 /* passp(IO) - pointer to current/new filter decision (unused) */
5099 5102 /* */
5100 5103 /* Look for a rule group head in a hash table, using the destination */
5101 5104 /* address as the key, and descend into that group and continue matching */
5102 5105 /* rules against the packet. */
5103 5106 /* ------------------------------------------------------------------------ */
5104 5107 frentry_t *fr_dstgrpmap(fin, passp)
5105 5108 fr_info_t *fin;
5106 5109 u_32_t *passp;
5107 5110 {
5108 5111 frgroup_t *fg;
5109 5112 void *rval;
5110 5113 ipf_stack_t *ifs = fin->fin_ifs;
5111 5114
5112 5115 rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, fin->fin_v, &fin->fin_dst, ifs);
5113 5116 if (rval == NULL)
5114 5117 return NULL;
5115 5118
5116 5119 fg = rval;
5117 5120 fin->fin_fr = fg->fg_start;
5118 5121 (void) fr_scanlist(fin, *passp);
5119 5122 return fin->fin_fr;
5120 5123 }
5121 5124 #endif /* IPFILTER_LOOKUP */
5122 5125
5123 5126 /*
5124 5127 * Queue functions
5125 5128 * ===============
5126 5129 * These functions manage objects on queues for efficient timeouts. There are
5127 5130 * a number of system defined queues as well as user defined timeouts. It is
5128 5131 * expected that a lock is held in the domain in which the queue belongs
5129 5132 * (i.e. either state or NAT) when calling any of these functions that prevents
5130 5133 * fr_freetimeoutqueue() from being called at the same time as any other.
5131 5134 */
5132 5135
5133 5136
5134 5137 /* ------------------------------------------------------------------------ */
5135 5138 /* Function: fr_addtimeoutqueue */
5136 5139 /* Returns: struct ifqtq * - NULL if malloc fails, else pointer to */
5137 5140 /* timeout queue with given interval. */
5138 5141 /* Parameters: parent(I) - pointer to pointer to parent node of this list */
5139 5142 /* of interface queues. */
5140 5143 /* seconds(I) - timeout value in seconds for this queue. */
5141 5144 /* */
5142 5145 /* This routine first looks for a timeout queue that matches the interval */
5143 5146 /* being requested. If it finds one, increments the reference counter and */
5144 5147 /* returns a pointer to it. If none are found, it allocates a new one and */
5145 5148 /* inserts it at the top of the list. */
5146 5149 /* */
5147 5150 /* Locking. */
5148 5151 /* It is assumed that the caller of this function has an appropriate lock */
5149 5152 /* held (exclusively) in the domain that encompases 'parent'. */
5150 5153 /* ------------------------------------------------------------------------ */
5151 5154 ipftq_t *fr_addtimeoutqueue(parent, seconds, ifs)
5152 5155 ipftq_t **parent;
5153 5156 u_int seconds;
5154 5157 ipf_stack_t *ifs;
5155 5158 {
5156 5159 ipftq_t *ifq;
5157 5160 u_int period;
5158 5161
5159 5162 period = seconds * IPF_HZ_DIVIDE;
5160 5163
5161 5164 MUTEX_ENTER(&ifs->ifs_ipf_timeoutlock);
5162 5165 for (ifq = *parent; ifq != NULL; ifq = ifq->ifq_next) {
5163 5166 if (ifq->ifq_ttl == period) {
5164 5167 /*
5165 5168 * Reset the delete flag, if set, so the structure
5166 5169 * gets reused rather than freed and reallocated.
5167 5170 */
5168 5171 MUTEX_ENTER(&ifq->ifq_lock);
5169 5172 ifq->ifq_flags &= ~IFQF_DELETE;
5170 5173 ifq->ifq_ref++;
5171 5174 MUTEX_EXIT(&ifq->ifq_lock);
5172 5175 MUTEX_EXIT(&ifs->ifs_ipf_timeoutlock);
5173 5176
5174 5177 return ifq;
5175 5178 }
5176 5179 }
5177 5180
5178 5181 KMALLOC(ifq, ipftq_t *);
5179 5182 if (ifq != NULL) {
5180 5183 ifq->ifq_ttl = period;
5181 5184 ifq->ifq_head = NULL;
5182 5185 ifq->ifq_tail = &ifq->ifq_head;
5183 5186 ifq->ifq_next = *parent;
5184 5187 ifq->ifq_pnext = parent;
5185 5188 ifq->ifq_ref = 1;
5186 5189 ifq->ifq_flags = IFQF_USER;
5187 5190 *parent = ifq;
5188 5191 ifs->ifs_fr_userifqs++;
5189 5192 MUTEX_NUKE(&ifq->ifq_lock);
5190 5193 MUTEX_INIT(&ifq->ifq_lock, "ipftq mutex");
5191 5194 }
5192 5195 MUTEX_EXIT(&ifs->ifs_ipf_timeoutlock);
5193 5196 return ifq;
5194 5197 }
5195 5198
5196 5199
5197 5200 /* ------------------------------------------------------------------------ */
5198 5201 /* Function: fr_deletetimeoutqueue */
5199 5202 /* Returns: int - new reference count value of the timeout queue */
5200 5203 /* Parameters: ifq(I) - timeout queue which is losing a reference. */
5201 5204 /* Locks: ifq->ifq_lock */
5202 5205 /* */
5203 5206 /* This routine must be called when we're discarding a pointer to a timeout */
5204 5207 /* queue object, taking care of the reference counter. */
5205 5208 /* */
5206 5209 /* Now that this just sets a DELETE flag, it requires the expire code to */
5207 5210 /* check the list of user defined timeout queues and call the free function */
5208 5211 /* below (currently commented out) to stop memory leaking. It is done this */
5209 5212 /* way because the locking may not be sufficient to safely do a free when */
5210 5213 /* this function is called. */
5211 5214 /* ------------------------------------------------------------------------ */
5212 5215 int fr_deletetimeoutqueue(ifq)
5213 5216 ipftq_t *ifq;
5214 5217 {
5215 5218
5216 5219 ifq->ifq_ref--;
5217 5220 if ((ifq->ifq_ref == 0) && ((ifq->ifq_flags & IFQF_USER) != 0)) {
5218 5221 ifq->ifq_flags |= IFQF_DELETE;
5219 5222 }
5220 5223
5221 5224 return ifq->ifq_ref;
5222 5225 }
5223 5226
5224 5227
5225 5228 /* ------------------------------------------------------------------------ */
5226 5229 /* Function: fr_freetimeoutqueue */
5227 5230 /* Parameters: ifq(I) - timeout queue which is losing a reference. */
5228 5231 /* Returns: Nil */
5229 5232 /* */
5230 5233 /* Locking: */
5231 5234 /* It is assumed that the caller of this function has an appropriate lock */
5232 5235 /* held (exclusively) in the domain that encompases the callers "domain". */
5233 5236 /* The ifq_lock for this structure should not be held. */
5234 5237 /* */
5235 5238 /* Remove a user definde timeout queue from the list of queues it is in and */
5236 5239 /* tidy up after this is done. */
5237 5240 /* ------------------------------------------------------------------------ */
5238 5241 void fr_freetimeoutqueue(ifq, ifs)
5239 5242 ipftq_t *ifq;
5240 5243 ipf_stack_t *ifs;
5241 5244 {
5242 5245
5243 5246
5244 5247 if (((ifq->ifq_flags & IFQF_DELETE) == 0) || (ifq->ifq_ref != 0) ||
5245 5248 ((ifq->ifq_flags & IFQF_USER) == 0)) {
5246 5249 printf("fr_freetimeoutqueue(%lx) flags 0x%x ttl %d ref %d\n",
5247 5250 (u_long)ifq, ifq->ifq_flags, ifq->ifq_ttl,
5248 5251 ifq->ifq_ref);
5249 5252 return;
5250 5253 }
5251 5254
5252 5255 /*
5253 5256 * Remove from its position in the list.
5254 5257 */
5255 5258 *ifq->ifq_pnext = ifq->ifq_next;
5256 5259 if (ifq->ifq_next != NULL)
5257 5260 ifq->ifq_next->ifq_pnext = ifq->ifq_pnext;
5258 5261
5259 5262 MUTEX_DESTROY(&ifq->ifq_lock);
5260 5263 ifs->ifs_fr_userifqs--;
5261 5264 KFREE(ifq);
5262 5265 }
5263 5266
5264 5267
5265 5268 /* ------------------------------------------------------------------------ */
5266 5269 /* Function: fr_deletequeueentry */
5267 5270 /* Returns: Nil */
5268 5271 /* Parameters: tqe(I) - timeout queue entry to delete */
5269 5272 /* ifq(I) - timeout queue to remove entry from */
5270 5273 /* */
5271 5274 /* Remove a tail queue entry from its queue and make it an orphan. */
5272 5275 /* fr_deletetimeoutqueue is called to make sure the reference count on the */
5273 5276 /* queue is correct. We can't, however, call fr_freetimeoutqueue because */
5274 5277 /* the correct lock(s) may not be held that would make it safe to do so. */
5275 5278 /* ------------------------------------------------------------------------ */
5276 5279 void fr_deletequeueentry(tqe)
5277 5280 ipftqent_t *tqe;
5278 5281 {
5279 5282 ipftq_t *ifq;
5280 5283
5281 5284 ifq = tqe->tqe_ifq;
5282 5285 if (ifq == NULL)
5283 5286 return;
5284 5287
5285 5288 MUTEX_ENTER(&ifq->ifq_lock);
5286 5289
5287 5290 if (tqe->tqe_pnext != NULL) {
5288 5291 *tqe->tqe_pnext = tqe->tqe_next;
5289 5292 if (tqe->tqe_next != NULL)
5290 5293 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5291 5294 else /* we must be the tail anyway */
5292 5295 ifq->ifq_tail = tqe->tqe_pnext;
5293 5296
5294 5297 tqe->tqe_pnext = NULL;
5295 5298 tqe->tqe_ifq = NULL;
5296 5299 }
5297 5300
5298 5301 (void) fr_deletetimeoutqueue(ifq);
5299 5302
5300 5303 MUTEX_EXIT(&ifq->ifq_lock);
5301 5304 }
5302 5305
5303 5306
5304 5307 /* ------------------------------------------------------------------------ */
5305 5308 /* Function: fr_queuefront */
5306 5309 /* Returns: Nil */
5307 5310 /* Parameters: tqe(I) - pointer to timeout queue entry */
5308 5311 /* */
5309 5312 /* Move a queue entry to the front of the queue, if it isn't already there. */
5310 5313 /* ------------------------------------------------------------------------ */
5311 5314 void fr_queuefront(tqe)
5312 5315 ipftqent_t *tqe;
5313 5316 {
5314 5317 ipftq_t *ifq;
5315 5318
5316 5319 ifq = tqe->tqe_ifq;
5317 5320 if (ifq == NULL)
5318 5321 return;
5319 5322
5320 5323 MUTEX_ENTER(&ifq->ifq_lock);
5321 5324 if (ifq->ifq_head != tqe) {
5322 5325 *tqe->tqe_pnext = tqe->tqe_next;
5323 5326 if (tqe->tqe_next)
5324 5327 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5325 5328 else
5326 5329 ifq->ifq_tail = tqe->tqe_pnext;
5327 5330
5328 5331 tqe->tqe_next = ifq->ifq_head;
5329 5332 ifq->ifq_head->tqe_pnext = &tqe->tqe_next;
5330 5333 ifq->ifq_head = tqe;
5331 5334 tqe->tqe_pnext = &ifq->ifq_head;
5332 5335 }
5333 5336 MUTEX_EXIT(&ifq->ifq_lock);
5334 5337 }
5335 5338
5336 5339
5337 5340 /* ------------------------------------------------------------------------ */
5338 5341 /* Function: fr_queueback */
5339 5342 /* Returns: Nil */
5340 5343 /* Parameters: tqe(I) - pointer to timeout queue entry */
5341 5344 /* */
5342 5345 /* Move a queue entry to the back of the queue, if it isn't already there. */
5343 5346 /* ------------------------------------------------------------------------ */
5344 5347 void fr_queueback(tqe, ifs)
5345 5348 ipftqent_t *tqe;
5346 5349 ipf_stack_t *ifs;
5347 5350 {
5348 5351 ipftq_t *ifq;
5349 5352
5350 5353 ifq = tqe->tqe_ifq;
5351 5354 if (ifq == NULL)
5352 5355 return;
5353 5356 tqe->tqe_die = ifs->ifs_fr_ticks + ifq->ifq_ttl;
5354 5357
5355 5358 MUTEX_ENTER(&ifq->ifq_lock);
5356 5359 if (tqe->tqe_next == NULL) { /* at the end already ? */
5357 5360 MUTEX_EXIT(&ifq->ifq_lock);
5358 5361 return;
5359 5362 }
5360 5363
5361 5364 /*
5362 5365 * Remove from list
5363 5366 */
5364 5367 *tqe->tqe_pnext = tqe->tqe_next;
5365 5368 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5366 5369
5367 5370 /*
5368 5371 * Make it the last entry.
5369 5372 */
5370 5373 tqe->tqe_next = NULL;
5371 5374 tqe->tqe_pnext = ifq->ifq_tail;
5372 5375 *ifq->ifq_tail = tqe;
5373 5376 ifq->ifq_tail = &tqe->tqe_next;
5374 5377 MUTEX_EXIT(&ifq->ifq_lock);
5375 5378 }
5376 5379
5377 5380
5378 5381 /* ------------------------------------------------------------------------ */
5379 5382 /* Function: fr_queueappend */
5380 5383 /* Returns: Nil */
5381 5384 /* Parameters: tqe(I) - pointer to timeout queue entry */
5382 5385 /* ifq(I) - pointer to timeout queue */
5383 5386 /* parent(I) - owing object pointer */
5384 5387 /* */
5385 5388 /* Add a new item to this queue and put it on the very end. */
5386 5389 /* ------------------------------------------------------------------------ */
5387 5390 void fr_queueappend(tqe, ifq, parent, ifs)
5388 5391 ipftqent_t *tqe;
5389 5392 ipftq_t *ifq;
5390 5393 void *parent;
5391 5394 ipf_stack_t *ifs;
5392 5395 {
5393 5396
5394 5397 MUTEX_ENTER(&ifq->ifq_lock);
5395 5398 tqe->tqe_parent = parent;
5396 5399 tqe->tqe_pnext = ifq->ifq_tail;
5397 5400 *ifq->ifq_tail = tqe;
5398 5401 ifq->ifq_tail = &tqe->tqe_next;
5399 5402 tqe->tqe_next = NULL;
5400 5403 tqe->tqe_ifq = ifq;
5401 5404 tqe->tqe_die = ifs->ifs_fr_ticks + ifq->ifq_ttl;
5402 5405 ifq->ifq_ref++;
5403 5406 MUTEX_EXIT(&ifq->ifq_lock);
5404 5407 }
5405 5408
5406 5409
5407 5410 /* ------------------------------------------------------------------------ */
5408 5411 /* Function: fr_movequeue */
5409 5412 /* Returns: Nil */
5410 5413 /* Parameters: tq(I) - pointer to timeout queue information */
5411 5414 /* oifp(I) - old timeout queue entry was on */
5412 5415 /* nifp(I) - new timeout queue to put entry on */
5413 5416 /* ifs - ipf stack instance */
5414 5417 /* */
5415 5418 /* Move a queue entry from one timeout queue to another timeout queue. */
5416 5419 /* If it notices that the current entry is already last and does not need */
5417 5420 /* to move queue, the return. */
5418 5421 /* ------------------------------------------------------------------------ */
5419 5422 void fr_movequeue(tqe, oifq, nifq, ifs)
5420 5423 ipftqent_t *tqe;
5421 5424 ipftq_t *oifq, *nifq;
5422 5425 ipf_stack_t *ifs;
5423 5426 {
5424 5427 /*
5425 5428 * If the queue isn't changing, and the clock hasn't ticked
5426 5429 * since the last update, the operation will be a no-op.
5427 5430 */
5428 5431 if (oifq == nifq && tqe->tqe_touched == ifs->ifs_fr_ticks)
5429 5432 return;
5430 5433
5431 5434 /*
5432 5435 * Grab the lock and update the timers.
5433 5436 */
5434 5437 MUTEX_ENTER(&oifq->ifq_lock);
5435 5438 tqe->tqe_touched = ifs->ifs_fr_ticks;
5436 5439 tqe->tqe_die = ifs->ifs_fr_ticks + nifq->ifq_ttl;
5437 5440
5438 5441 /*
5439 5442 * The remainder of the operation can still be a no-op.
5440 5443 *
5441 5444 * If the queue isn't changing, check to see if
5442 5445 * an update would be meaningless.
5443 5446 */
5444 5447 if (oifq == nifq) {
5445 5448 if ((tqe->tqe_next == NULL) ||
5446 5449 (tqe->tqe_next->tqe_die == tqe->tqe_die)) {
5447 5450 MUTEX_EXIT(&oifq->ifq_lock);
5448 5451 return;
5449 5452 }
5450 5453 }
5451 5454
5452 5455 /*
5453 5456 * Remove from the old queue
5454 5457 */
5455 5458 *tqe->tqe_pnext = tqe->tqe_next;
5456 5459 if (tqe->tqe_next)
5457 5460 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5458 5461 else
5459 5462 oifq->ifq_tail = tqe->tqe_pnext;
5460 5463 tqe->tqe_next = NULL;
5461 5464
5462 5465 /*
5463 5466 * If we're moving from one queue to another, release the lock on the
5464 5467 * old queue and get a lock on the new queue. For user defined queues,
5465 5468 * if we're moving off it, call delete in case it can now be freed.
5466 5469 */
5467 5470 if (oifq != nifq) {
5468 5471 tqe->tqe_ifq = NULL;
5469 5472
5470 5473 (void) fr_deletetimeoutqueue(oifq);
5471 5474
5472 5475 MUTEX_EXIT(&oifq->ifq_lock);
5473 5476
5474 5477 MUTEX_ENTER(&nifq->ifq_lock);
5475 5478
5476 5479 tqe->tqe_ifq = nifq;
5477 5480 nifq->ifq_ref++;
5478 5481 }
5479 5482
5480 5483 /*
5481 5484 * Add to the bottom of the new queue
5482 5485 */
5483 5486 tqe->tqe_pnext = nifq->ifq_tail;
5484 5487 *nifq->ifq_tail = tqe;
5485 5488 nifq->ifq_tail = &tqe->tqe_next;
5486 5489 MUTEX_EXIT(&nifq->ifq_lock);
5487 5490 }
5488 5491
5489 5492
5490 5493 /* ------------------------------------------------------------------------ */
5491 5494 /* Function: fr_updateipid */
5492 5495 /* Returns: int - 0 == success, -1 == error (packet should be droppped) */
5493 5496 /* Parameters: fin(I) - pointer to packet information */
5494 5497 /* */
5495 5498 /* When we are doing NAT, change the IP of every packet to represent a */
5496 5499 /* single sequence of packets coming from the host, hiding any host */
5497 5500 /* specific sequencing that might otherwise be revealed. If the packet is */
5498 5501 /* a fragment, then store the 'new' IPid in the fragment cache and look up */
5499 5502 /* the fragment cache for non-leading fragments. If a non-leading fragment */
5500 5503 /* has no match in the cache, return an error. */
5501 5504 /* ------------------------------------------------------------------------ */
5502 5505 static INLINE int fr_updateipid(fin)
5503 5506 fr_info_t *fin;
5504 5507 {
5505 5508 u_short id, ido, sums;
5506 5509 u_32_t sumd, sum;
5507 5510 ip_t *ip;
5508 5511
5509 5512 if (fin->fin_off != 0) {
5510 5513 sum = fr_ipid_knownfrag(fin);
5511 5514 if (sum == 0xffffffff)
5512 5515 return -1;
5513 5516 sum &= 0xffff;
5514 5517 id = (u_short)sum;
5515 5518 } else {
5516 5519 id = fr_nextipid(fin);
5517 5520 if (fin->fin_off == 0 && (fin->fin_flx & FI_FRAG) != 0)
5518 5521 (void) fr_ipid_newfrag(fin, (u_32_t)id);
5519 5522 }
5520 5523
5521 5524 ip = fin->fin_ip;
5522 5525 ido = ntohs(ip->ip_id);
5523 5526 if (id == ido)
5524 5527 return 0;
5525 5528 ip->ip_id = htons(id);
5526 5529 CALC_SUMD(ido, id, sumd); /* DESTRUCTIVE MACRO! id,ido change */
5527 5530 sum = (~ntohs(ip->ip_sum)) & 0xffff;
5528 5531 sum += sumd;
5529 5532 sum = (sum >> 16) + (sum & 0xffff);
5530 5533 sum = (sum >> 16) + (sum & 0xffff);
5531 5534 sums = ~(u_short)sum;
5532 5535 ip->ip_sum = htons(sums);
5533 5536 return 0;
5534 5537 }
5535 5538
5536 5539
5537 5540 #ifdef NEED_FRGETIFNAME
5538 5541 /* ------------------------------------------------------------------------ */
5539 5542 /* Function: fr_getifname */
5540 5543 /* Returns: char * - pointer to interface name */
5541 5544 /* Parameters: ifp(I) - pointer to network interface */
5542 5545 /* buffer(O) - pointer to where to store interface name */
5543 5546 /* */
5544 5547 /* Constructs an interface name in the buffer passed. The buffer passed is */
5545 5548 /* expected to be at least LIFNAMSIZ in bytes big. If buffer is passed in */
5546 5549 /* as a NULL pointer then return a pointer to a static array. */
5547 5550 /* ------------------------------------------------------------------------ */
5548 5551 char *fr_getifname(ifp, buffer)
5549 5552 struct ifnet *ifp;
5550 5553 char *buffer;
5551 5554 {
5552 5555 static char namebuf[LIFNAMSIZ];
5553 5556 # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
5554 5557 defined(__sgi) || defined(linux) || defined(_AIX51) || \
5555 5558 (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
5556 5559 int unit, space;
5557 5560 char temp[20];
5558 5561 char *s;
5559 5562 # endif
5560 5563
5561 5564 ASSERT(buffer != NULL);
5562 5565 #ifdef notdef
5563 5566 if (buffer == NULL)
5564 5567 buffer = namebuf;
5565 5568 #endif
5566 5569 (void) strncpy(buffer, ifp->if_name, LIFNAMSIZ);
5567 5570 buffer[LIFNAMSIZ - 1] = '\0';
5568 5571 # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
5569 5572 defined(__sgi) || defined(_AIX51) || \
5570 5573 (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
5571 5574 for (s = buffer; *s; s++)
5572 5575 ;
5573 5576 unit = ifp->if_unit;
5574 5577 space = LIFNAMSIZ - (s - buffer);
5575 5578 if (space > 0) {
5576 5579 # if defined(SNPRINTF) && defined(_KERNEL)
5577 5580 (void) SNPRINTF(temp, sizeof(temp), "%d", unit);
5578 5581 # else
5579 5582 (void) sprintf(temp, "%d", unit);
5580 5583 # endif
5581 5584 (void) strncpy(s, temp, space);
5582 5585 }
5583 5586 # endif
5584 5587 return buffer;
5585 5588 }
5586 5589 #endif
5587 5590
5588 5591
5589 5592 /* ------------------------------------------------------------------------ */
5590 5593 /* Function: fr_ioctlswitch */
5591 5594 /* Returns: int - -1 continue processing, else ioctl return value */
5592 5595 /* Parameters: unit(I) - device unit opened */
5593 5596 /* data(I) - pointer to ioctl data */
5594 5597 /* cmd(I) - ioctl command */
5595 5598 /* mode(I) - mode value */
5596 5599 /* */
5597 5600 /* Based on the value of unit, call the appropriate ioctl handler or return */
5598 5601 /* EIO if ipfilter is not running. Also checks if write perms are req'd */
5599 5602 /* for the device in order to execute the ioctl. */
5600 5603 /* ------------------------------------------------------------------------ */
5601 5604 INLINE int fr_ioctlswitch(unit, data, cmd, mode, uid, ctx, ifs)
5602 5605 int unit, mode, uid;
5603 5606 ioctlcmd_t cmd;
5604 5607 void *data, *ctx;
5605 5608 ipf_stack_t *ifs;
5606 5609 {
5607 5610 int error = 0;
5608 5611
5609 5612 switch (unit)
5610 5613 {
5611 5614 case IPL_LOGIPF :
5612 5615 error = -1;
5613 5616 break;
5614 5617 case IPL_LOGNAT :
5615 5618 if (ifs->ifs_fr_running > 0)
5616 5619 error = fr_nat_ioctl(data, cmd, mode, uid, ctx, ifs);
5617 5620 else
5618 5621 error = EIO;
5619 5622 break;
5620 5623 case IPL_LOGSTATE :
5621 5624 if (ifs->ifs_fr_running > 0)
5622 5625 error = fr_state_ioctl(data, cmd, mode, uid, ctx, ifs);
5623 5626 else
5624 5627 error = EIO;
5625 5628 break;
5626 5629 case IPL_LOGAUTH :
5627 5630 if (ifs->ifs_fr_running > 0) {
5628 5631 if ((cmd == (ioctlcmd_t)SIOCADAFR) ||
5629 5632 (cmd == (ioctlcmd_t)SIOCRMAFR)) {
5630 5633 if (!(mode & FWRITE)) {
5631 5634 error = EPERM;
5632 5635 } else {
5633 5636 error = frrequest(unit, cmd, data,
5634 5637 ifs->ifs_fr_active, 1, ifs);
5635 5638 }
5636 5639 } else {
5637 5640 error = fr_auth_ioctl(data, cmd, mode, uid, ctx, ifs);
5638 5641 }
5639 5642 } else
5640 5643 error = EIO;
5641 5644 break;
5642 5645 case IPL_LOGSYNC :
5643 5646 #ifdef IPFILTER_SYNC
5644 5647 if (ifs->ifs_fr_running > 0)
5645 5648 error = fr_sync_ioctl(data, cmd, mode, ifs);
5646 5649 else
5647 5650 #endif
5648 5651 error = EIO;
5649 5652 break;
5650 5653 case IPL_LOGSCAN :
5651 5654 #ifdef IPFILTER_SCAN
5652 5655 if (ifs->ifs_fr_running > 0)
5653 5656 error = fr_scan_ioctl(data, cmd, mode, ifs);
5654 5657 else
5655 5658 #endif
5656 5659 error = EIO;
5657 5660 break;
5658 5661 case IPL_LOGLOOKUP :
5659 5662 #ifdef IPFILTER_LOOKUP
5660 5663 if (ifs->ifs_fr_running > 0)
5661 5664 error = ip_lookup_ioctl(data, cmd, mode, uid, ctx, ifs);
5662 5665 else
5663 5666 #endif
5664 5667 error = EIO;
5665 5668 break;
5666 5669 default :
5667 5670 error = EIO;
5668 5671 break;
5669 5672 }
5670 5673
5671 5674 return error;
5672 5675 }
5673 5676
5674 5677
5675 5678 /*
5676 5679 * This array defines the expected size of objects coming into the kernel
5677 5680 * for the various recognised object types.
5678 5681 */
5679 5682 #define NUM_OBJ_TYPES 19
5680 5683
5681 5684 static int fr_objbytes[NUM_OBJ_TYPES][2] = {
5682 5685 { 1, sizeof(struct frentry) }, /* frentry */
5683 5686 { 0, sizeof(struct friostat) },
5684 5687 { 0, sizeof(struct fr_info) },
5685 5688 { 0, sizeof(struct fr_authstat) },
5686 5689 { 0, sizeof(struct ipfrstat) },
5687 5690 { 0, sizeof(struct ipnat) },
5688 5691 { 0, sizeof(struct natstat) },
5689 5692 { 0, sizeof(struct ipstate_save) },
5690 5693 { 1, sizeof(struct nat_save) }, /* nat_save */
5691 5694 { 0, sizeof(struct natlookup) },
5692 5695 { 1, sizeof(struct ipstate) }, /* ipstate */
5693 5696 { 0, sizeof(struct ips_stat) },
5694 5697 { 0, sizeof(struct frauth) },
5695 5698 { 0, sizeof(struct ipftune) },
5696 5699 { 0, sizeof(struct nat) }, /* nat_t */
5697 5700 { 0, sizeof(struct ipfruleiter) },
5698 5701 { 0, sizeof(struct ipfgeniter) },
5699 5702 { 0, sizeof(struct ipftable) },
5700 5703 { 0, sizeof(struct ipflookupiter) }
5701 5704 };
5702 5705
5703 5706
5704 5707 /* ------------------------------------------------------------------------ */
5705 5708 /* Function: fr_getzoneid */
5706 5709 /* Returns: int - 0 = success, else failure */
5707 5710 /* Parameters: idsp(I) - pointer to ipf_devstate_t */
5708 5711 /* data(I) - pointer to ioctl data */
5709 5712 /* */
5710 5713 /* Set the zone ID in idsp based on the zone name in ipfzoneobj. Further */
5711 5714 /* ioctls will act on the IPF stack for that zone ID. */
5712 5715 /* ------------------------------------------------------------------------ */
5713 5716 #if defined(_KERNEL)
5714 5717 int fr_setzoneid(idsp, data)
5715 5718 ipf_devstate_t *idsp;
5716 5719 void *data;
5717 5720 {
5718 5721 int error = 0;
5719 5722 ipfzoneobj_t ipfzo;
5720 5723 zone_t *zone;
5721 5724
5722 5725 error = BCOPYIN(data, &ipfzo, sizeof(ipfzo));
5723 5726 if (error != 0)
5724 5727 return EFAULT;
5725 5728
5726 5729 if (memchr(ipfzo.ipfz_zonename, '\0', ZONENAME_MAX) == NULL)
5727 5730 return EFAULT;
5728 5731
5729 5732 /*
5730 5733 * The global zone doesn't have a GZ-controlled stack, so no
5731 5734 * sense in going any further
5732 5735 */
5733 5736 if (strcmp(ipfzo.ipfz_zonename, "global") == 0)
5734 5737 return ENODEV;
5735 5738
5736 5739 if ((zone = zone_find_by_name(ipfzo.ipfz_zonename)) == NULL)
5737 5740 return ENODEV;
5738 5741
5739 5742 /*
5740 5743 * Store the zone ID that to control, and whether it's the
5741 5744 * GZ-controlled stack that's wanted
5742 5745 */
5743 5746 idsp->ipfs_zoneid = zone->zone_id;
5744 5747 idsp->ipfs_gz = (ipfzo.ipfz_gz == 1) ? B_TRUE : B_FALSE;
5745 5748 zone_rele(zone);
5746 5749
5747 5750 return error;
5748 5751 }
5749 5752 #endif
5750 5753
5751 5754
5752 5755 /* ------------------------------------------------------------------------ */
5753 5756 /* Function: fr_inobj */
5754 5757 /* Returns: int - 0 = success, else failure */
5755 5758 /* Parameters: data(I) - pointer to ioctl data */
5756 5759 /* ptr(I) - pointer to store real data in */
5757 5760 /* type(I) - type of structure being moved */
5758 5761 /* */
5759 5762 /* Copy in the contents of what the ipfobj_t points to. In future, we */
5760 5763 /* add things to check for version numbers, sizes, etc, to make it backward */
5761 5764 /* compatible at the ABI for user land. */
5762 5765 /* ------------------------------------------------------------------------ */
5763 5766 int fr_inobj(data, ptr, type)
5764 5767 void *data;
5765 5768 void *ptr;
5766 5769 int type;
5767 5770 {
5768 5771 ipfobj_t obj;
5769 5772 int error = 0;
5770 5773
5771 5774 if ((type < 0) || (type > NUM_OBJ_TYPES-1))
5772 5775 return EINVAL;
5773 5776
5774 5777 error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
5775 5778 if (error != 0)
5776 5779 return EFAULT;
5777 5780
5778 5781 if (obj.ipfo_type != type)
5779 5782 return EINVAL;
5780 5783
5781 5784 #ifndef IPFILTER_COMPAT
5782 5785 if ((fr_objbytes[type][0] & 1) != 0) {
5783 5786 if (obj.ipfo_size < fr_objbytes[type][1])
5784 5787 return EINVAL;
5785 5788 } else if (obj.ipfo_size != fr_objbytes[type][1])
5786 5789 return EINVAL;
5787 5790 #else
5788 5791 if (obj.ipfo_rev != IPFILTER_VERSION) {
5789 5792 error = fr_incomptrans(&obj, ptr);
5790 5793 return error;
5791 5794 }
5792 5795
5793 5796 if ((fr_objbytes[type][0] & 1) != 0 &&
5794 5797 obj.ipfo_size < fr_objbytes[type][1] ||
5795 5798 obj.ipfo_size != fr_objbytes[type][1])
5796 5799 return EINVAL;
5797 5800 #endif
5798 5801
5799 5802 if ((fr_objbytes[type][0] & 1) != 0) {
5800 5803 error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr,
5801 5804 fr_objbytes[type][1]);
5802 5805 } else {
5803 5806 error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr,
5804 5807 obj.ipfo_size);
5805 5808 }
5806 5809 return error;
5807 5810 }
5808 5811
5809 5812
5810 5813 /* ------------------------------------------------------------------------ */
5811 5814 /* Function: fr_inobjsz */
5812 5815 /* Returns: int - 0 = success, else failure */
5813 5816 /* Parameters: data(I) - pointer to ioctl data */
5814 5817 /* ptr(I) - pointer to store real data in */
5815 5818 /* type(I) - type of structure being moved */
5816 5819 /* sz(I) - size of data to copy */
5817 5820 /* */
5818 5821 /* As per fr_inobj, except the size of the object to copy in is passed in */
5819 5822 /* but it must not be smaller than the size defined for the type and the */
5820 5823 /* type must allow for varied sized objects. The extra requirement here is */
5821 5824 /* that sz must match the size of the object being passed in - this is not */
5822 5825 /* not possible nor required in fr_inobj(). */
5823 5826 /* ------------------------------------------------------------------------ */
5824 5827 int fr_inobjsz(data, ptr, type, sz)
5825 5828 void *data;
5826 5829 void *ptr;
5827 5830 int type, sz;
5828 5831 {
5829 5832 ipfobj_t obj;
5830 5833 int error;
5831 5834
5832 5835 if ((type < 0) || (type > NUM_OBJ_TYPES-1))
5833 5836 return EINVAL;
5834 5837 if (((fr_objbytes[type][0] & 1) == 0) || (sz < fr_objbytes[type][1]))
5835 5838 return EINVAL;
5836 5839
5837 5840 error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
5838 5841 if (error != 0)
5839 5842 return EFAULT;
5840 5843
5841 5844 if (obj.ipfo_type != type)
5842 5845 return EINVAL;
5843 5846
5844 5847 #ifndef IPFILTER_COMPAT
5845 5848 if (obj.ipfo_size != sz)
5846 5849 return EINVAL;
5847 5850 #else
5848 5851 if (obj.ipfo_rev != IPFILTER_VERSION)
5849 5852 /*XXX compatibility hook here */
5850 5853 /*EMPTY*/;
5851 5854 if (obj.ipfo_size != sz)
5852 5855 /* XXX compatibility hook here */
5853 5856 return EINVAL;
5854 5857 #endif
5855 5858
5856 5859 error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr, sz);
5857 5860 return error;
5858 5861 }
5859 5862
5860 5863
5861 5864 /* ------------------------------------------------------------------------ */
5862 5865 /* Function: fr_outobjsz */
5863 5866 /* Returns: int - 0 = success, else failure */
5864 5867 /* Parameters: data(I) - pointer to ioctl data */
5865 5868 /* ptr(I) - pointer to store real data in */
5866 5869 /* type(I) - type of structure being moved */
5867 5870 /* sz(I) - size of data to copy */
5868 5871 /* */
5869 5872 /* As per fr_outobj, except the size of the object to copy out is passed in */
5870 5873 /* but it must not be smaller than the size defined for the type and the */
5871 5874 /* type must allow for varied sized objects. The extra requirement here is */
5872 5875 /* that sz must match the size of the object being passed in - this is not */
5873 5876 /* not possible nor required in fr_outobj(). */
5874 5877 /* ------------------------------------------------------------------------ */
5875 5878 int fr_outobjsz(data, ptr, type, sz)
5876 5879 void *data;
5877 5880 void *ptr;
5878 5881 int type, sz;
5879 5882 {
5880 5883 ipfobj_t obj;
5881 5884 int error;
5882 5885
5883 5886 if ((type < 0) || (type > NUM_OBJ_TYPES-1) ||
5884 5887 ((fr_objbytes[type][0] & 1) == 0) ||
5885 5888 (sz < fr_objbytes[type][1]))
5886 5889 return EINVAL;
5887 5890
5888 5891 error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
5889 5892 if (error != 0)
5890 5893 return EFAULT;
5891 5894
5892 5895 if (obj.ipfo_type != type)
5893 5896 return EINVAL;
5894 5897
5895 5898 #ifndef IPFILTER_COMPAT
5896 5899 if (obj.ipfo_size != sz)
5897 5900 return EINVAL;
5898 5901 #else
5899 5902 if (obj.ipfo_rev != IPFILTER_VERSION)
5900 5903 /* XXX compatibility hook here */
5901 5904 /*EMPTY*/;
5902 5905 if (obj.ipfo_size != sz)
5903 5906 /* XXX compatibility hook here */
5904 5907 return EINVAL;
5905 5908 #endif
5906 5909
5907 5910 error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, sz);
5908 5911 return error;
5909 5912 }
5910 5913
5911 5914
5912 5915 /* ------------------------------------------------------------------------ */
5913 5916 /* Function: fr_outobj */
5914 5917 /* Returns: int - 0 = success, else failure */
5915 5918 /* Parameters: data(I) - pointer to ioctl data */
5916 5919 /* ptr(I) - pointer to store real data in */
5917 5920 /* type(I) - type of structure being moved */
5918 5921 /* */
5919 5922 /* Copy out the contents of what ptr is to where ipfobj points to. In */
5920 5923 /* future, we add things to check for version numbers, sizes, etc, to make */
5921 5924 /* it backward compatible at the ABI for user land. */
5922 5925 /* ------------------------------------------------------------------------ */
5923 5926 int fr_outobj(data, ptr, type)
5924 5927 void *data;
5925 5928 void *ptr;
5926 5929 int type;
5927 5930 {
5928 5931 ipfobj_t obj;
5929 5932 int error;
5930 5933
5931 5934 if ((type < 0) || (type > NUM_OBJ_TYPES-1))
5932 5935 return EINVAL;
5933 5936
5934 5937 error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
5935 5938 if (error != 0)
5936 5939 return EFAULT;
5937 5940
5938 5941 if (obj.ipfo_type != type)
5939 5942 return EINVAL;
5940 5943
5941 5944 #ifndef IPFILTER_COMPAT
5942 5945 if ((fr_objbytes[type][0] & 1) != 0) {
5943 5946 if (obj.ipfo_size < fr_objbytes[type][1])
5944 5947 return EINVAL;
5945 5948 } else if (obj.ipfo_size != fr_objbytes[type][1])
5946 5949 return EINVAL;
5947 5950 #else
5948 5951 if (obj.ipfo_rev != IPFILTER_VERSION) {
5949 5952 error = fr_outcomptrans(&obj, ptr);
5950 5953 return error;
5951 5954 }
5952 5955
5953 5956 if ((fr_objbytes[type][0] & 1) != 0 &&
5954 5957 obj.ipfo_size < fr_objbytes[type][1] ||
5955 5958 obj.ipfo_size != fr_objbytes[type][1])
5956 5959 return EINVAL;
5957 5960 #endif
5958 5961
5959 5962 error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, obj.ipfo_size);
5960 5963 return error;
5961 5964 }
5962 5965
5963 5966
5964 5967 /* ------------------------------------------------------------------------ */
5965 5968 /* Function: fr_checkl4sum */
5966 5969 /* Returns: int - 0 = good, -1 = bad, 1 = cannot check */
5967 5970 /* Parameters: fin(I) - pointer to packet information */
5968 5971 /* */
5969 5972 /* If possible, calculate the layer 4 checksum for the packet. If this is */
5970 5973 /* not possible, return without indicating a failure or success but in a */
5971 5974 /* way that is ditinguishable. */
5972 5975 /* ------------------------------------------------------------------------ */
5973 5976 int fr_checkl4sum(fin)
5974 5977 fr_info_t *fin;
5975 5978 {
5976 5979 u_short sum, hdrsum, *csump;
5977 5980 udphdr_t *udp;
5978 5981 int dosum;
5979 5982 ipf_stack_t *ifs = fin->fin_ifs;
5980 5983
5981 5984 #if defined(SOLARIS) && defined(_KERNEL) && (SOLARIS2 >= 6)
5982 5985 net_handle_t net_data_p;
5983 5986 if (fin->fin_v == 4)
5984 5987 net_data_p = ifs->ifs_ipf_ipv4;
5985 5988 else
5986 5989 net_data_p = ifs->ifs_ipf_ipv6;
5987 5990 #endif
5988 5991
5989 5992 if ((fin->fin_flx & FI_NOCKSUM) != 0)
5990 5993 return 0;
5991 5994
5992 5995 /*
5993 5996 * If the TCP packet isn't a fragment, isn't too short and otherwise
5994 5997 * isn't already considered "bad", then validate the checksum. If
5995 5998 * this check fails then considered the packet to be "bad".
5996 5999 */
5997 6000 if ((fin->fin_flx & (FI_FRAG|FI_SHORT|FI_BAD)) != 0)
5998 6001 return 1;
5999 6002
6000 6003 csump = NULL;
6001 6004 hdrsum = 0;
6002 6005 dosum = 0;
6003 6006 sum = 0;
6004 6007
6005 6008 #if defined(SOLARIS) && defined(_KERNEL) && (SOLARIS2 >= 6)
6006 6009 ASSERT(fin->fin_m != NULL);
6007 6010 if (NET_IS_HCK_L4_FULL(net_data_p, fin->fin_m) ||
6008 6011 NET_IS_HCK_L4_PART(net_data_p, fin->fin_m)) {
6009 6012 hdrsum = 0;
6010 6013 sum = 0;
6011 6014 } else {
6012 6015 #endif
6013 6016 switch (fin->fin_p)
6014 6017 {
6015 6018 case IPPROTO_TCP :
6016 6019 csump = &((tcphdr_t *)fin->fin_dp)->th_sum;
6017 6020 dosum = 1;
6018 6021 break;
6019 6022
6020 6023 case IPPROTO_UDP :
6021 6024 udp = fin->fin_dp;
6022 6025 if (udp->uh_sum != 0) {
6023 6026 csump = &udp->uh_sum;
6024 6027 dosum = 1;
6025 6028 }
6026 6029 break;
6027 6030
6028 6031 case IPPROTO_ICMP :
6029 6032 csump = &((struct icmp *)fin->fin_dp)->icmp_cksum;
6030 6033 dosum = 1;
6031 6034 break;
6032 6035
6033 6036 default :
6034 6037 return 1;
6035 6038 /*NOTREACHED*/
6036 6039 }
6037 6040
6038 6041 if (csump != NULL)
6039 6042 hdrsum = *csump;
6040 6043
6041 6044 if (dosum)
6042 6045 sum = fr_cksum(fin->fin_m, fin->fin_ip,
6043 6046 fin->fin_p, fin->fin_dp);
6044 6047 #if defined(SOLARIS) && defined(_KERNEL) && (SOLARIS2 >= 6)
6045 6048 }
6046 6049 #endif
6047 6050 #if !defined(_KERNEL)
6048 6051 if (sum == hdrsum) {
6049 6052 FR_DEBUG(("checkl4sum: %hx == %hx\n", sum, hdrsum));
6050 6053 } else {
6051 6054 FR_DEBUG(("checkl4sum: %hx != %hx\n", sum, hdrsum));
6052 6055 }
6053 6056 #endif
6054 6057 if (hdrsum == sum)
6055 6058 return 0;
6056 6059 return -1;
6057 6060 }
6058 6061
6059 6062
6060 6063 /* ------------------------------------------------------------------------ */
6061 6064 /* Function: fr_ifpfillv4addr */
6062 6065 /* Returns: int - 0 = address update, -1 = address not updated */
6063 6066 /* Parameters: atype(I) - type of network address update to perform */
6064 6067 /* sin(I) - pointer to source of address information */
6065 6068 /* mask(I) - pointer to source of netmask information */
6066 6069 /* inp(I) - pointer to destination address store */
6067 6070 /* inpmask(I) - pointer to destination netmask store */
6068 6071 /* */
6069 6072 /* Given a type of network address update (atype) to perform, copy */
6070 6073 /* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
6071 6074 /* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
6072 6075 /* which case the operation fails. For all values of atype other than */
6073 6076 /* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
6074 6077 /* value. */
6075 6078 /* ------------------------------------------------------------------------ */
6076 6079 int fr_ifpfillv4addr(atype, sin, mask, inp, inpmask)
6077 6080 int atype;
6078 6081 struct sockaddr_in *sin, *mask;
6079 6082 struct in_addr *inp, *inpmask;
6080 6083 {
6081 6084 if (inpmask != NULL && atype != FRI_NETMASKED)
6082 6085 inpmask->s_addr = 0xffffffff;
6083 6086
6084 6087 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
6085 6088 if (atype == FRI_NETMASKED) {
6086 6089 if (inpmask == NULL)
6087 6090 return -1;
6088 6091 inpmask->s_addr = mask->sin_addr.s_addr;
6089 6092 }
6090 6093 inp->s_addr = sin->sin_addr.s_addr & mask->sin_addr.s_addr;
6091 6094 } else {
6092 6095 inp->s_addr = sin->sin_addr.s_addr;
6093 6096 }
6094 6097 return 0;
6095 6098 }
6096 6099
6097 6100
6098 6101 #ifdef USE_INET6
6099 6102 /* ------------------------------------------------------------------------ */
6100 6103 /* Function: fr_ifpfillv6addr */
6101 6104 /* Returns: int - 0 = address update, -1 = address not updated */
6102 6105 /* Parameters: atype(I) - type of network address update to perform */
6103 6106 /* sin(I) - pointer to source of address information */
6104 6107 /* mask(I) - pointer to source of netmask information */
6105 6108 /* inp(I) - pointer to destination address store */
6106 6109 /* inpmask(I) - pointer to destination netmask store */
6107 6110 /* */
6108 6111 /* Given a type of network address update (atype) to perform, copy */
6109 6112 /* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
6110 6113 /* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
6111 6114 /* which case the operation fails. For all values of atype other than */
6112 6115 /* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
6113 6116 /* value. */
6114 6117 /* ------------------------------------------------------------------------ */
6115 6118 int fr_ifpfillv6addr(atype, sin, mask, inp, inpmask)
6116 6119 int atype;
6117 6120 struct sockaddr_in6 *sin, *mask;
6118 6121 struct in_addr *inp, *inpmask;
6119 6122 {
6120 6123 i6addr_t *src, *dst, *and, *dmask;
6121 6124
6122 6125 src = (i6addr_t *)&sin->sin6_addr;
6123 6126 and = (i6addr_t *)&mask->sin6_addr;
6124 6127 dst = (i6addr_t *)inp;
6125 6128 dmask = (i6addr_t *)inpmask;
6126 6129
6127 6130 if (inpmask != NULL && atype != FRI_NETMASKED) {
6128 6131 dmask->i6[0] = 0xffffffff;
6129 6132 dmask->i6[1] = 0xffffffff;
6130 6133 dmask->i6[2] = 0xffffffff;
6131 6134 dmask->i6[3] = 0xffffffff;
6132 6135 }
6133 6136
6134 6137 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
6135 6138 if (atype == FRI_NETMASKED) {
6136 6139 if (inpmask == NULL)
6137 6140 return -1;
6138 6141 dmask->i6[0] = and->i6[0];
6139 6142 dmask->i6[1] = and->i6[1];
6140 6143 dmask->i6[2] = and->i6[2];
6141 6144 dmask->i6[3] = and->i6[3];
6142 6145 }
6143 6146
6144 6147 dst->i6[0] = src->i6[0] & and->i6[0];
6145 6148 dst->i6[1] = src->i6[1] & and->i6[1];
6146 6149 dst->i6[2] = src->i6[2] & and->i6[2];
6147 6150 dst->i6[3] = src->i6[3] & and->i6[3];
6148 6151 } else {
6149 6152 dst->i6[0] = src->i6[0];
6150 6153 dst->i6[1] = src->i6[1];
6151 6154 dst->i6[2] = src->i6[2];
6152 6155 dst->i6[3] = src->i6[3];
6153 6156 }
6154 6157 return 0;
6155 6158 }
6156 6159 #endif
6157 6160
6158 6161
6159 6162 /* ------------------------------------------------------------------------ */
6160 6163 /* Function: fr_matchtag */
6161 6164 /* Returns: 0 == mismatch, 1 == match. */
6162 6165 /* Parameters: tag1(I) - pointer to first tag to compare */
6163 6166 /* tag2(I) - pointer to second tag to compare */
6164 6167 /* */
6165 6168 /* Returns true (non-zero) or false(0) if the two tag structures can be */
6166 6169 /* considered to be a match or not match, respectively. The tag is 16 */
6167 6170 /* bytes long (16 characters) but that is overlayed with 4 32bit ints so */
6168 6171 /* compare the ints instead, for speed. tag1 is the master of the */
6169 6172 /* comparison. This function should only be called with both tag1 and tag2 */
6170 6173 /* as non-NULL pointers. */
6171 6174 /* ------------------------------------------------------------------------ */
6172 6175 int fr_matchtag(tag1, tag2)
6173 6176 ipftag_t *tag1, *tag2;
6174 6177 {
6175 6178 if (tag1 == tag2)
6176 6179 return 1;
6177 6180
6178 6181 if ((tag1->ipt_num[0] == 0) && (tag2->ipt_num[0] == 0))
6179 6182 return 1;
6180 6183
6181 6184 if ((tag1->ipt_num[0] == tag2->ipt_num[0]) &&
6182 6185 (tag1->ipt_num[1] == tag2->ipt_num[1]) &&
6183 6186 (tag1->ipt_num[2] == tag2->ipt_num[2]) &&
6184 6187 (tag1->ipt_num[3] == tag2->ipt_num[3]))
6185 6188 return 1;
6186 6189 return 0;
6187 6190 }
6188 6191
6189 6192
6190 6193 /* ------------------------------------------------------------------------ */
6191 6194 /* Function: fr_coalesce */
6192 6195 /* Returns: 1 == success, -1 == failure, 0 == no change */
6193 6196 /* Parameters: fin(I) - pointer to packet information */
6194 6197 /* */
6195 6198 /* Attempt to get all of the packet data into a single, contiguous buffer. */
6196 6199 /* If this call returns a failure then the buffers have also been freed. */
6197 6200 /* ------------------------------------------------------------------------ */
6198 6201 int fr_coalesce(fin)
6199 6202 fr_info_t *fin;
6200 6203 {
6201 6204 ipf_stack_t *ifs = fin->fin_ifs;
6202 6205 if ((fin->fin_flx & FI_COALESCE) != 0)
6203 6206 return 1;
6204 6207
6205 6208 /*
6206 6209 * If the mbuf pointers indicate that there is no mbuf to work with,
6207 6210 * return but do not indicate success or failure.
6208 6211 */
6209 6212 if (fin->fin_m == NULL || fin->fin_mp == NULL)
6210 6213 return 0;
6211 6214
6212 6215 #if defined(_KERNEL)
6213 6216 if (fr_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) {
6214 6217 IPF_BUMP(ifs->ifs_fr_badcoalesces[fin->fin_out]);
6215 6218 # ifdef MENTAT
6216 6219 FREE_MB_T(*fin->fin_mp);
6217 6220 # endif
6218 6221 *fin->fin_mp = NULL;
6219 6222 fin->fin_m = NULL;
6220 6223 return -1;
6221 6224 }
6222 6225 #else
6223 6226 fin = fin; /* LINT */
6224 6227 #endif
6225 6228 return 1;
6226 6229 }
6227 6230
6228 6231
6229 6232 /*
6230 6233 * The following table lists all of the tunable variables that can be
6231 6234 * accessed via SIOCIPFGET/SIOCIPFSET/SIOCIPFGETNEXT. The format of each row
6232 6235 * in the table below is as follows:
6233 6236 *
6234 6237 * pointer to value, name of value, minimum, maximum, size of the value's
6235 6238 * container, value attribute flags
6236 6239 *
6237 6240 * For convienience, IPFT_RDONLY means the value is read-only, IPFT_WRDISABLED
6238 6241 * means the value can only be written to when IPFilter is loaded but disabled.
6239 6242 * The obvious implication is if neither of these are set then the value can be
6240 6243 * changed at any time without harm.
6241 6244 */
6242 6245 ipftuneable_t lcl_ipf_tuneables[] = {
6243 6246 /* filtering */
6244 6247 { { NULL }, "fr_flags", 0, 0xffffffff,
6245 6248 0, 0 },
6246 6249 { { NULL }, "fr_active", 0, 0,
6247 6250 0, IPFT_RDONLY },
6248 6251 { { NULL }, "fr_control_forwarding", 0, 1,
6249 6252 0, 0 },
6250 6253 { { NULL }, "fr_update_ipid", 0, 1,
6251 6254 0, 0 },
6252 6255 { { NULL }, "fr_chksrc", 0, 1,
6253 6256 0, 0 },
6254 6257 { { NULL }, "fr_minttl", 0, 1,
6255 6258 0, 0 },
6256 6259 { { NULL }, "fr_icmpminfragmtu", 0, 1,
6257 6260 0, 0 },
6258 6261 { { NULL }, "fr_pass", 0, 0xffffffff,
6259 6262 0, 0 },
6260 6263 #if SOLARIS2 >= 10
6261 6264 { { NULL }, "ipf_loopback", 0, 1,
6262 6265 0, IPFT_WRDISABLED },
6263 6266 #endif
6264 6267 /* state */
6265 6268 { { NULL }, "fr_tcpidletimeout", 1, 0x7fffffff,
6266 6269 0, IPFT_WRDISABLED },
6267 6270 { { NULL }, "fr_tcpclosewait", 1, 0x7fffffff,
6268 6271 0, IPFT_WRDISABLED },
6269 6272 { { NULL }, "fr_tcplastack", 1, 0x7fffffff,
6270 6273 0, IPFT_WRDISABLED },
6271 6274 { { NULL }, "fr_tcptimeout", 1, 0x7fffffff,
6272 6275 0, IPFT_WRDISABLED },
6273 6276 { { NULL }, "fr_tcpclosed", 1, 0x7fffffff,
6274 6277 0, IPFT_WRDISABLED },
6275 6278 { { NULL }, "fr_tcphalfclosed", 1, 0x7fffffff,
6276 6279 0, IPFT_WRDISABLED },
6277 6280 { { NULL }, "fr_udptimeout", 1, 0x7fffffff,
6278 6281 0, IPFT_WRDISABLED },
6279 6282 { { NULL }, "fr_udpacktimeout", 1, 0x7fffffff,
6280 6283 0, IPFT_WRDISABLED },
6281 6284 { { NULL }, "fr_icmptimeout", 1, 0x7fffffff,
6282 6285 0, IPFT_WRDISABLED },
6283 6286 { { NULL }, "fr_icmpacktimeout", 1, 0x7fffffff,
6284 6287 0, IPFT_WRDISABLED },
6285 6288 { { NULL }, "fr_iptimeout", 1, 0x7fffffff,
6286 6289 0, IPFT_WRDISABLED },
6287 6290 { { NULL }, "fr_statemax", 1, 0x7fffffff,
6288 6291 0, 0 },
6289 6292 { { NULL }, "fr_statesize", 1, 0x7fffffff,
6290 6293 0, IPFT_WRDISABLED },
6291 6294 { { NULL }, "fr_state_lock", 0, 1,
6292 6295 0, IPFT_RDONLY },
6293 6296 { { NULL }, "fr_state_maxbucket", 1, 0x7fffffff,
6294 6297 0, IPFT_WRDISABLED },
6295 6298 { { NULL }, "fr_state_maxbucket_reset", 0, 1,
6296 6299 0, IPFT_WRDISABLED },
6297 6300 { { NULL }, "ipstate_logging", 0, 1,
6298 6301 0, 0 },
6299 6302 { { NULL }, "state_flush_level_hi", 1, 100,
6300 6303 0, 0 },
6301 6304 { { NULL }, "state_flush_level_lo", 1, 100,
6302 6305 0, 0 },
6303 6306 /* nat */
6304 6307 { { NULL }, "fr_nat_lock", 0, 1,
6305 6308 0, IPFT_RDONLY },
6306 6309 { { NULL }, "ipf_nattable_sz", 1, 0x7fffffff,
6307 6310 0, IPFT_WRDISABLED },
6308 6311 { { NULL }, "ipf_nattable_max", 1, 0x7fffffff,
6309 6312 0, 0 },
6310 6313 { { NULL }, "ipf_natrules_sz", 1, 0x7fffffff,
6311 6314 0, IPFT_WRDISABLED },
6312 6315 { { NULL }, "ipf_rdrrules_sz", 1, 0x7fffffff,
6313 6316 0, IPFT_WRDISABLED },
6314 6317 { { NULL }, "ipf_hostmap_sz", 1, 0x7fffffff,
6315 6318 0, IPFT_WRDISABLED },
6316 6319 { { NULL }, "fr_nat_maxbucket", 1, 0x7fffffff,
6317 6320 0, IPFT_WRDISABLED },
6318 6321 { { NULL }, "fr_nat_maxbucket_reset", 0, 1,
6319 6322 0, IPFT_WRDISABLED },
6320 6323 { { NULL }, "nat_logging", 0, 1,
6321 6324 0, 0 },
6322 6325 { { NULL }, "fr_defnatage", 1, 0x7fffffff,
6323 6326 0, IPFT_WRDISABLED },
6324 6327 { { NULL }, "fr_defnatipage", 1, 0x7fffffff,
6325 6328 0, IPFT_WRDISABLED },
6326 6329 { { NULL }, "fr_defnaticmpage", 1, 0x7fffffff,
6327 6330 0, IPFT_WRDISABLED },
6328 6331 { { NULL }, "nat_flush_level_hi", 1, 100,
6329 6332 0, 0 },
6330 6333 { { NULL }, "nat_flush_level_lo", 1, 100,
6331 6334 0, 0 },
6332 6335 /* frag */
6333 6336 { { NULL }, "ipfr_size", 1, 0x7fffffff,
6334 6337 0, IPFT_WRDISABLED },
6335 6338 { { NULL }, "fr_ipfrttl", 1, 0x7fffffff,
6336 6339 0, IPFT_WRDISABLED },
6337 6340 #ifdef IPFILTER_LOG
6338 6341 /* log */
6339 6342 { { NULL }, "ipl_suppress", 0, 1,
6340 6343 0, 0 },
6341 6344 { { NULL }, "ipl_buffer_sz", 0, 0,
6342 6345 0, IPFT_RDONLY },
6343 6346 { { NULL }, "ipl_logmax", 0, 0x7fffffff,
6344 6347 0, IPFT_WRDISABLED },
6345 6348 { { NULL }, "ipl_logall", 0, 1,
6346 6349 0, 0 },
6347 6350 { { NULL }, "ipl_logsize", 0, 0x80000,
6348 6351 0, 0 },
6349 6352 #endif
6350 6353 { { NULL }, NULL, 0, 0 }
6351 6354 };
6352 6355
6353 6356 static ipftuneable_t *
6354 6357 tune_lookup(ipf_stack_t *ifs, char *name)
6355 6358 {
6356 6359 int i;
6357 6360
6358 6361 for (i = 0; ifs->ifs_ipf_tuneables[i].ipft_name != NULL; i++) {
6359 6362 if (strcmp(ifs->ifs_ipf_tuneables[i].ipft_name, name) == 0)
6360 6363 return (&ifs->ifs_ipf_tuneables[i]);
6361 6364 }
6362 6365 return (NULL);
6363 6366 }
6364 6367
6365 6368 #ifdef _KERNEL
6366 6369 extern dev_info_t *ipf_dev_info;
6367 6370 extern int ipf_property_update __P((dev_info_t *, ipf_stack_t *));
6368 6371 #endif
6369 6372
6370 6373 /* -------------------------------------------------------------------- */
6371 6374 /* Function: ipftuneable_setdefs() */
6372 6375 /* Returns: void */
6373 6376 /* Parameters: ifs - pointer to newly allocated IPF instance */
6374 6377 /* assigned to IP instance */
6375 6378 /* */
6376 6379 /* Function initializes IPF instance variables. Function is invoked */
6377 6380 /* from ipftuneable_alloc(). ipftuneable_alloc() is called only one */
6378 6381 /* time during IP instance lifetime - at the time of IP instance */
6379 6382 /* creation. Anytime IP instance is being created new private IPF */
6380 6383 /* instance is allocated and assigned to it. The moment of IP */
6381 6384 /* instance creation is the right time to initialize those IPF */
6382 6385 /* variables. */
6383 6386 /* */
6384 6387 /* -------------------------------------------------------------------- */
6385 6388 static void ipftuneable_setdefs(ipf_stack_t *ifs)
6386 6389 {
6387 6390 ifs->ifs_ipfr_size = IPFT_SIZE;
6388 6391 ifs->ifs_fr_ipfrttl = 120; /* 60 seconds */
6389 6392
6390 6393 /* it comes from fr_authinit() in IPF auth */
6391 6394 ifs->ifs_fr_authsize = FR_NUMAUTH;
6392 6395 ifs->ifs_fr_defaultauthage = 600;
6393 6396
6394 6397 /* it comes from fr_stateinit() in IPF state */
6395 6398 ifs->ifs_fr_tcpidletimeout = IPF_TTLVAL(3600 * 24 * 5); /* five days */
6396 6399 ifs->ifs_fr_tcpclosewait = IPF_TTLVAL(TCP_MSL);
6397 6400 ifs->ifs_fr_tcplastack = IPF_TTLVAL(TCP_MSL);
6398 6401 ifs->ifs_fr_tcptimeout = IPF_TTLVAL(TCP_MSL);
6399 6402 ifs->ifs_fr_tcpclosed = IPF_TTLVAL(60);
6400 6403 ifs->ifs_fr_tcphalfclosed = IPF_TTLVAL(2 * 3600); /* 2 hours */
6401 6404 ifs->ifs_fr_udptimeout = IPF_TTLVAL(120);
6402 6405 ifs->ifs_fr_udpacktimeout = IPF_TTLVAL(12);
6403 6406 ifs->ifs_fr_icmptimeout = IPF_TTLVAL(60);
6404 6407 ifs->ifs_fr_icmpacktimeout = IPF_TTLVAL(6);
6405 6408 ifs->ifs_fr_iptimeout = IPF_TTLVAL(60);
6406 6409 ifs->ifs_fr_statemax = IPSTATE_MAX;
6407 6410 ifs->ifs_fr_statesize = IPSTATE_SIZE;
6408 6411 ifs->ifs_fr_state_maxbucket_reset = 1;
6409 6412 ifs->ifs_state_flush_level_hi = ST_FLUSH_HI;
6410 6413 ifs->ifs_state_flush_level_lo = ST_FLUSH_LO;
6411 6414
6412 6415 /* it comes from fr_natinit() in ipnat */
6413 6416 ifs->ifs_ipf_nattable_sz = NAT_TABLE_SZ;
6414 6417 ifs->ifs_ipf_nattable_max = NAT_TABLE_MAX;
6415 6418 ifs->ifs_ipf_natrules_sz = NAT_SIZE;
6416 6419 ifs->ifs_ipf_rdrrules_sz = RDR_SIZE;
6417 6420 ifs->ifs_ipf_hostmap_sz = HOSTMAP_SIZE;
6418 6421 ifs->ifs_fr_nat_maxbucket_reset = 1;
6419 6422 ifs->ifs_fr_defnatage = DEF_NAT_AGE;
6420 6423 ifs->ifs_fr_defnatipage = 120; /* 60 seconds */
6421 6424 ifs->ifs_fr_defnaticmpage = 6; /* 3 seconds */
6422 6425 ifs->ifs_nat_flush_level_hi = NAT_FLUSH_HI;
6423 6426 ifs->ifs_nat_flush_level_lo = NAT_FLUSH_LO;
6424 6427
6425 6428 #ifdef IPFILTER_LOG
6426 6429 /* it comes from fr_loginit() in IPF log */
6427 6430 ifs->ifs_ipl_suppress = 1;
6428 6431 ifs->ifs_ipl_logmax = IPL_LOGMAX;
6429 6432 ifs->ifs_ipl_logsize = IPFILTER_LOGSIZE;
6430 6433
6431 6434 /* from fr_natinit() */
6432 6435 ifs->ifs_nat_logging = 1;
6433 6436
6434 6437 /* from fr_stateinit() */
6435 6438 ifs->ifs_ipstate_logging = 1;
6436 6439 #else
6437 6440 /* from fr_natinit() */
6438 6441 ifs->ifs_nat_logging = 0;
6439 6442
6440 6443 /* from fr_stateinit() */
6441 6444 ifs->ifs_ipstate_logging = 0;
6442 6445 #endif
6443 6446 ifs->ifs_ipf_loopback = 0;
6444 6447
6445 6448 }
6446 6449 /*
6447 6450 * Allocate a per-stack tuneable and copy in the names. Then
6448 6451 * set it to point to each of the per-stack tunables.
6449 6452 */
6450 6453 void
6451 6454 ipftuneable_alloc(ipf_stack_t *ifs)
6452 6455 {
6453 6456 ipftuneable_t *item;
6454 6457
6455 6458 KMALLOCS(ifs->ifs_ipf_tuneables, ipftuneable_t *,
6456 6459 sizeof (lcl_ipf_tuneables));
6457 6460 bcopy(lcl_ipf_tuneables, ifs->ifs_ipf_tuneables,
6458 6461 sizeof (lcl_ipf_tuneables));
6459 6462
6460 6463 #define TUNE_SET(_ifs, _name, _field) \
6461 6464 item = tune_lookup((_ifs), (_name)); \
6462 6465 if (item != NULL) { \
6463 6466 item->ipft_una.ipftp_int = (unsigned int *)&((_ifs)->_field); \
6464 6467 item->ipft_sz = sizeof ((_ifs)->_field); \
6465 6468 }
6466 6469
6467 6470 TUNE_SET(ifs, "fr_flags", ifs_fr_flags);
6468 6471 TUNE_SET(ifs, "fr_active", ifs_fr_active);
6469 6472 TUNE_SET(ifs, "fr_control_forwarding", ifs_fr_control_forwarding);
6470 6473 TUNE_SET(ifs, "fr_update_ipid", ifs_fr_update_ipid);
6471 6474 TUNE_SET(ifs, "fr_chksrc", ifs_fr_chksrc);
6472 6475 TUNE_SET(ifs, "fr_minttl", ifs_fr_minttl);
6473 6476 TUNE_SET(ifs, "fr_icmpminfragmtu", ifs_fr_icmpminfragmtu);
6474 6477 TUNE_SET(ifs, "fr_pass", ifs_fr_pass);
6475 6478 TUNE_SET(ifs, "fr_tcpidletimeout", ifs_fr_tcpidletimeout);
6476 6479 TUNE_SET(ifs, "fr_tcpclosewait", ifs_fr_tcpclosewait);
6477 6480 TUNE_SET(ifs, "fr_tcplastack", ifs_fr_tcplastack);
6478 6481 TUNE_SET(ifs, "fr_tcptimeout", ifs_fr_tcptimeout);
6479 6482 TUNE_SET(ifs, "fr_tcpclosed", ifs_fr_tcpclosed);
6480 6483 TUNE_SET(ifs, "fr_tcphalfclosed", ifs_fr_tcphalfclosed);
6481 6484 TUNE_SET(ifs, "fr_udptimeout", ifs_fr_udptimeout);
6482 6485 TUNE_SET(ifs, "fr_udpacktimeout", ifs_fr_udpacktimeout);
6483 6486 TUNE_SET(ifs, "fr_icmptimeout", ifs_fr_icmptimeout);
6484 6487 TUNE_SET(ifs, "fr_icmpacktimeout", ifs_fr_icmpacktimeout);
6485 6488 TUNE_SET(ifs, "fr_iptimeout", ifs_fr_iptimeout);
6486 6489 TUNE_SET(ifs, "fr_statemax", ifs_fr_statemax);
6487 6490 TUNE_SET(ifs, "fr_statesize", ifs_fr_statesize);
6488 6491 TUNE_SET(ifs, "fr_state_lock", ifs_fr_state_lock);
6489 6492 TUNE_SET(ifs, "fr_state_maxbucket", ifs_fr_state_maxbucket);
6490 6493 TUNE_SET(ifs, "fr_state_maxbucket_reset", ifs_fr_state_maxbucket_reset);
6491 6494 TUNE_SET(ifs, "ipstate_logging", ifs_ipstate_logging);
6492 6495 TUNE_SET(ifs, "fr_nat_lock", ifs_fr_nat_lock);
6493 6496 TUNE_SET(ifs, "ipf_nattable_sz", ifs_ipf_nattable_sz);
6494 6497 TUNE_SET(ifs, "ipf_nattable_max", ifs_ipf_nattable_max);
6495 6498 TUNE_SET(ifs, "ipf_natrules_sz", ifs_ipf_natrules_sz);
6496 6499 TUNE_SET(ifs, "ipf_rdrrules_sz", ifs_ipf_rdrrules_sz);
6497 6500 TUNE_SET(ifs, "ipf_hostmap_sz", ifs_ipf_hostmap_sz);
6498 6501 TUNE_SET(ifs, "fr_nat_maxbucket", ifs_fr_nat_maxbucket);
6499 6502 TUNE_SET(ifs, "fr_nat_maxbucket_reset", ifs_fr_nat_maxbucket_reset);
6500 6503 TUNE_SET(ifs, "nat_logging", ifs_nat_logging);
6501 6504 TUNE_SET(ifs, "fr_defnatage", ifs_fr_defnatage);
6502 6505 TUNE_SET(ifs, "fr_defnatipage", ifs_fr_defnatipage);
6503 6506 TUNE_SET(ifs, "fr_defnaticmpage", ifs_fr_defnaticmpage);
6504 6507 TUNE_SET(ifs, "nat_flush_level_hi", ifs_nat_flush_level_hi);
6505 6508 TUNE_SET(ifs, "nat_flush_level_lo", ifs_nat_flush_level_lo);
6506 6509 TUNE_SET(ifs, "state_flush_level_hi", ifs_state_flush_level_hi);
6507 6510 TUNE_SET(ifs, "state_flush_level_lo", ifs_state_flush_level_lo);
6508 6511 TUNE_SET(ifs, "ipfr_size", ifs_ipfr_size);
6509 6512 TUNE_SET(ifs, "fr_ipfrttl", ifs_fr_ipfrttl);
6510 6513 TUNE_SET(ifs, "ipf_loopback", ifs_ipf_loopback);
6511 6514 #ifdef IPFILTER_LOG
6512 6515 TUNE_SET(ifs, "ipl_suppress", ifs_ipl_suppress);
6513 6516 TUNE_SET(ifs, "ipl_buffer_sz", ifs_ipl_buffer_sz);
6514 6517 TUNE_SET(ifs, "ipl_logmax", ifs_ipl_logmax);
6515 6518 TUNE_SET(ifs, "ipl_logall", ifs_ipl_logall);
6516 6519 TUNE_SET(ifs, "ipl_logsize", ifs_ipl_logsize);
6517 6520 #endif
6518 6521 #undef TUNE_SET
6519 6522
6520 6523 ipftuneable_setdefs(ifs);
6521 6524
6522 6525 #ifdef _KERNEL
6523 6526 (void) ipf_property_update(ipf_dev_info, ifs);
6524 6527 #endif
6525 6528 }
6526 6529
6527 6530 void
6528 6531 ipftuneable_free(ipf_stack_t *ifs)
6529 6532 {
6530 6533 KFREES(ifs->ifs_ipf_tuneables, sizeof (lcl_ipf_tuneables));
6531 6534 ifs->ifs_ipf_tuneables = NULL;
6532 6535 }
6533 6536
6534 6537 /* ------------------------------------------------------------------------ */
6535 6538 /* Function: fr_findtunebycookie */
6536 6539 /* Returns: NULL = search failed, else pointer to tune struct */
6537 6540 /* Parameters: cookie(I) - cookie value to search for amongst tuneables */
6538 6541 /* next(O) - pointer to place to store the cookie for the */
6539 6542 /* "next" tuneable, if it is desired. */
6540 6543 /* */
6541 6544 /* This function is used to walk through all of the existing tunables with */
6542 6545 /* successive calls. It searches the known tunables for the one which has */
6543 6546 /* a matching value for "cookie" - ie its address. When returning a match, */
6544 6547 /* the next one to be found may be returned inside next. */
6545 6548 /* ------------------------------------------------------------------------ */
6546 6549 static ipftuneable_t *fr_findtunebycookie(cookie, next, ifs)
6547 6550 void *cookie, **next;
6548 6551 ipf_stack_t * ifs;
6549 6552 {
6550 6553 ipftuneable_t *ta, **tap;
6551 6554
6552 6555 for (ta = ifs->ifs_ipf_tuneables; ta->ipft_name != NULL; ta++)
6553 6556 if (ta == cookie) {
6554 6557 if (next != NULL) {
6555 6558 /*
6556 6559 * If the next entry in the array has a name
6557 6560 * present, then return a pointer to it for
6558 6561 * where to go next, else return a pointer to
6559 6562 * the dynaminc list as a key to search there
6560 6563 * next. This facilitates a weak linking of
6561 6564 * the two "lists" together.
6562 6565 */
6563 6566 if ((ta + 1)->ipft_name != NULL)
6564 6567 *next = ta + 1;
6565 6568 else
6566 6569 *next = &ifs->ifs_ipf_tunelist;
6567 6570 }
6568 6571 return ta;
6569 6572 }
6570 6573
6571 6574 for (tap = &ifs->ifs_ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
6572 6575 if (tap == cookie) {
6573 6576 if (next != NULL)
6574 6577 *next = &ta->ipft_next;
6575 6578 return ta;
6576 6579 }
6577 6580
6578 6581 if (next != NULL)
6579 6582 *next = NULL;
6580 6583 return NULL;
6581 6584 }
6582 6585
6583 6586
6584 6587 /* ------------------------------------------------------------------------ */
6585 6588 /* Function: fr_findtunebyname */
6586 6589 /* Returns: NULL = search failed, else pointer to tune struct */
6587 6590 /* Parameters: name(I) - name of the tuneable entry to find. */
6588 6591 /* */
6589 6592 /* Search the static array of tuneables and the list of dynamic tuneables */
6590 6593 /* for an entry with a matching name. If we can find one, return a pointer */
6591 6594 /* to the matching structure. */
6592 6595 /* ------------------------------------------------------------------------ */
6593 6596 static ipftuneable_t *fr_findtunebyname(name, ifs)
6594 6597 const char *name;
6595 6598 ipf_stack_t *ifs;
6596 6599 {
6597 6600 ipftuneable_t *ta;
6598 6601
6599 6602 for (ta = ifs->ifs_ipf_tuneables; ta->ipft_name != NULL; ta++)
6600 6603 if (!strcmp(ta->ipft_name, name)) {
6601 6604 return ta;
6602 6605 }
6603 6606
6604 6607 for (ta = ifs->ifs_ipf_tunelist; ta != NULL; ta = ta->ipft_next)
6605 6608 if (!strcmp(ta->ipft_name, name)) {
6606 6609 return ta;
6607 6610 }
6608 6611
6609 6612 return NULL;
6610 6613 }
6611 6614
6612 6615
6613 6616 /* ------------------------------------------------------------------------ */
6614 6617 /* Function: fr_addipftune */
6615 6618 /* Returns: int - 0 == success, else failure */
6616 6619 /* Parameters: newtune - pointer to new tune struct to add to tuneables */
6617 6620 /* */
6618 6621 /* Appends the tune structure pointer to by "newtune" to the end of the */
6619 6622 /* current list of "dynamic" tuneable parameters. Once added, the owner */
6620 6623 /* of the object is not expected to ever change "ipft_next". */
6621 6624 /* ------------------------------------------------------------------------ */
6622 6625 int fr_addipftune(newtune, ifs)
6623 6626 ipftuneable_t *newtune;
6624 6627 ipf_stack_t *ifs;
6625 6628 {
6626 6629 ipftuneable_t *ta, **tap;
6627 6630
6628 6631 ta = fr_findtunebyname(newtune->ipft_name, ifs);
6629 6632 if (ta != NULL)
6630 6633 return EEXIST;
6631 6634
6632 6635 for (tap = &ifs->ifs_ipf_tunelist; *tap != NULL; tap = &(*tap)->ipft_next)
6633 6636 ;
6634 6637
6635 6638 newtune->ipft_next = NULL;
6636 6639 *tap = newtune;
6637 6640 return 0;
6638 6641 }
6639 6642
6640 6643
6641 6644 /* ------------------------------------------------------------------------ */
6642 6645 /* Function: fr_delipftune */
6643 6646 /* Returns: int - 0 == success, else failure */
6644 6647 /* Parameters: oldtune - pointer to tune struct to remove from the list of */
6645 6648 /* current dynamic tuneables */
6646 6649 /* */
6647 6650 /* Search for the tune structure, by pointer, in the list of those that are */
6648 6651 /* dynamically added at run time. If found, adjust the list so that this */
6649 6652 /* structure is no longer part of it. */
6650 6653 /* ------------------------------------------------------------------------ */
6651 6654 int fr_delipftune(oldtune, ifs)
6652 6655 ipftuneable_t *oldtune;
6653 6656 ipf_stack_t *ifs;
6654 6657 {
6655 6658 ipftuneable_t *ta, **tap;
6656 6659
6657 6660 for (tap = &ifs->ifs_ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
6658 6661 if (ta == oldtune) {
6659 6662 *tap = oldtune->ipft_next;
6660 6663 oldtune->ipft_next = NULL;
6661 6664 return 0;
6662 6665 }
6663 6666
6664 6667 return ESRCH;
6665 6668 }
6666 6669
6667 6670
6668 6671 /* ------------------------------------------------------------------------ */
6669 6672 /* Function: fr_ipftune */
6670 6673 /* Returns: int - 0 == success, else failure */
6671 6674 /* Parameters: cmd(I) - ioctl command number */
6672 6675 /* data(I) - pointer to ioctl data structure */
6673 6676 /* */
6674 6677 /* Implement handling of SIOCIPFGETNEXT, SIOCIPFGET and SIOCIPFSET. These */
6675 6678 /* three ioctls provide the means to access and control global variables */
6676 6679 /* within IPFilter, allowing (for example) timeouts and table sizes to be */
6677 6680 /* changed without rebooting, reloading or recompiling. The initialisation */
6678 6681 /* and 'destruction' routines of the various components of ipfilter are all */
6679 6682 /* each responsible for handling their own values being too big. */
6680 6683 /* ------------------------------------------------------------------------ */
6681 6684 int fr_ipftune(cmd, data, ifs)
6682 6685 ioctlcmd_t cmd;
6683 6686 void *data;
6684 6687 ipf_stack_t *ifs;
6685 6688 {
6686 6689 ipftuneable_t *ta;
6687 6690 ipftune_t tu;
6688 6691 void *cookie;
6689 6692 int error;
6690 6693
6691 6694 error = fr_inobj(data, &tu, IPFOBJ_TUNEABLE);
6692 6695 if (error != 0)
6693 6696 return error;
6694 6697
6695 6698 tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';
6696 6699 cookie = tu.ipft_cookie;
6697 6700 ta = NULL;
6698 6701
6699 6702 switch (cmd)
6700 6703 {
6701 6704 case SIOCIPFGETNEXT :
6702 6705 /*
6703 6706 * If cookie is non-NULL, assume it to be a pointer to the last
6704 6707 * entry we looked at, so find it (if possible) and return a
6705 6708 * pointer to the next one after it. The last entry in the
6706 6709 * the table is a NULL entry, so when we get to it, set cookie
6707 6710 * to NULL and return that, indicating end of list, erstwhile
6708 6711 * if we come in with cookie set to NULL, we are starting anew
6709 6712 * at the front of the list.
6710 6713 */
6711 6714 if (cookie != NULL) {
6712 6715 ta = fr_findtunebycookie(cookie, &tu.ipft_cookie, ifs);
6713 6716 } else {
6714 6717 ta = ifs->ifs_ipf_tuneables;
6715 6718 tu.ipft_cookie = ta + 1;
6716 6719 }
6717 6720 if (ta != NULL) {
6718 6721 /*
6719 6722 * Entry found, but does the data pointed to by that
6720 6723 * row fit in what we can return?
6721 6724 */
6722 6725 if (ta->ipft_sz > sizeof(tu.ipft_un))
6723 6726 return EINVAL;
6724 6727
6725 6728 tu.ipft_vlong = 0;
6726 6729 if (ta->ipft_sz == sizeof(u_long))
6727 6730 tu.ipft_vlong = *ta->ipft_plong;
6728 6731 else if (ta->ipft_sz == sizeof(u_int))
6729 6732 tu.ipft_vint = *ta->ipft_pint;
6730 6733 else if (ta->ipft_sz == sizeof(u_short))
6731 6734 tu.ipft_vshort = *ta->ipft_pshort;
6732 6735 else if (ta->ipft_sz == sizeof(u_char))
6733 6736 tu.ipft_vchar = *ta->ipft_pchar;
6734 6737
6735 6738 tu.ipft_sz = ta->ipft_sz;
6736 6739 tu.ipft_min = ta->ipft_min;
6737 6740 tu.ipft_max = ta->ipft_max;
6738 6741 tu.ipft_flags = ta->ipft_flags;
6739 6742 bcopy(ta->ipft_name, tu.ipft_name,
6740 6743 MIN(sizeof(tu.ipft_name),
6741 6744 strlen(ta->ipft_name) + 1));
6742 6745 }
6743 6746 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
6744 6747 break;
6745 6748
6746 6749 case SIOCIPFGET :
6747 6750 case SIOCIPFSET :
6748 6751 /*
6749 6752 * Search by name or by cookie value for a particular entry
6750 6753 * in the tuning paramter table.
6751 6754 */
6752 6755 error = ESRCH;
6753 6756 if (cookie != NULL) {
6754 6757 ta = fr_findtunebycookie(cookie, NULL, ifs);
6755 6758 if (ta != NULL)
6756 6759 error = 0;
6757 6760 } else if (tu.ipft_name[0] != '\0') {
6758 6761 ta = fr_findtunebyname(tu.ipft_name, ifs);
6759 6762 if (ta != NULL)
6760 6763 error = 0;
6761 6764 }
6762 6765 if (error != 0)
6763 6766 break;
6764 6767
6765 6768 if (cmd == (ioctlcmd_t)SIOCIPFGET) {
6766 6769 /*
6767 6770 * Fetch the tuning parameters for a particular value
6768 6771 */
6769 6772 tu.ipft_vlong = 0;
6770 6773 if (ta->ipft_sz == sizeof(u_long))
6771 6774 tu.ipft_vlong = *ta->ipft_plong;
6772 6775 else if (ta->ipft_sz == sizeof(u_int))
6773 6776 tu.ipft_vint = *ta->ipft_pint;
6774 6777 else if (ta->ipft_sz == sizeof(u_short))
6775 6778 tu.ipft_vshort = *ta->ipft_pshort;
6776 6779 else if (ta->ipft_sz == sizeof(u_char))
6777 6780 tu.ipft_vchar = *ta->ipft_pchar;
6778 6781 tu.ipft_cookie = ta;
6779 6782 tu.ipft_sz = ta->ipft_sz;
6780 6783 tu.ipft_min = ta->ipft_min;
6781 6784 tu.ipft_max = ta->ipft_max;
6782 6785 tu.ipft_flags = ta->ipft_flags;
6783 6786 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
6784 6787
6785 6788 } else if (cmd == (ioctlcmd_t)SIOCIPFSET) {
6786 6789 /*
6787 6790 * Set an internal parameter. The hard part here is
6788 6791 * getting the new value safely and correctly out of
6789 6792 * the kernel (given we only know its size, not type.)
6790 6793 */
6791 6794 u_long in;
6792 6795
6793 6796 if (((ta->ipft_flags & IPFT_WRDISABLED) != 0) &&
6794 6797 (ifs->ifs_fr_running > 0)) {
6795 6798 error = EBUSY;
6796 6799 break;
6797 6800 }
6798 6801
6799 6802 in = tu.ipft_vlong;
6800 6803 if (in < ta->ipft_min || in > ta->ipft_max) {
6801 6804 error = EINVAL;
6802 6805 break;
6803 6806 }
6804 6807
6805 6808 if (ta->ipft_sz == sizeof(u_long)) {
6806 6809 tu.ipft_vlong = *ta->ipft_plong;
6807 6810 *ta->ipft_plong = in;
6808 6811 } else if (ta->ipft_sz == sizeof(u_int)) {
6809 6812 tu.ipft_vint = *ta->ipft_pint;
6810 6813 *ta->ipft_pint = (u_int)(in & 0xffffffff);
6811 6814 } else if (ta->ipft_sz == sizeof(u_short)) {
6812 6815 tu.ipft_vshort = *ta->ipft_pshort;
6813 6816 *ta->ipft_pshort = (u_short)(in & 0xffff);
6814 6817 } else if (ta->ipft_sz == sizeof(u_char)) {
6815 6818 tu.ipft_vchar = *ta->ipft_pchar;
6816 6819 *ta->ipft_pchar = (u_char)(in & 0xff);
6817 6820 }
6818 6821 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
6819 6822 }
6820 6823 break;
6821 6824
6822 6825 default :
6823 6826 error = EINVAL;
6824 6827 break;
6825 6828 }
6826 6829
6827 6830 return error;
6828 6831 }
6829 6832
6830 6833
6831 6834 /* ------------------------------------------------------------------------ */
6832 6835 /* Function: fr_initialise */
6833 6836 /* Returns: int - 0 == success, < 0 == failure */
6834 6837 /* Parameters: None. */
6835 6838 /* */
6836 6839 /* Call of the initialise functions for all the various subsystems inside */
6837 6840 /* of IPFilter. If any of them should fail, return immeadiately a failure */
6838 6841 /* BUT do not try to recover from the error here. */
6839 6842 /* ------------------------------------------------------------------------ */
6840 6843 int fr_initialise(ifs)
6841 6844 ipf_stack_t *ifs;
6842 6845 {
6843 6846 int i;
6844 6847
6845 6848 #ifdef IPFILTER_LOG
6846 6849 i = fr_loginit(ifs);
6847 6850 if (i < 0)
6848 6851 return -10 + i;
6849 6852 #endif
6850 6853 i = fr_natinit(ifs);
6851 6854 if (i < 0)
6852 6855 return -20 + i;
6853 6856
6854 6857 i = fr_stateinit(ifs);
6855 6858 if (i < 0)
6856 6859 return -30 + i;
6857 6860
6858 6861 i = fr_authinit(ifs);
6859 6862 if (i < 0)
6860 6863 return -40 + i;
6861 6864
6862 6865 i = fr_fraginit(ifs);
6863 6866 if (i < 0)
6864 6867 return -50 + i;
6865 6868
6866 6869 i = appr_init(ifs);
6867 6870 if (i < 0)
6868 6871 return -60 + i;
6869 6872
6870 6873 #ifdef IPFILTER_SYNC
6871 6874 i = ipfsync_init(ifs);
6872 6875 if (i < 0)
6873 6876 return -70 + i;
6874 6877 #endif
6875 6878 #ifdef IPFILTER_SCAN
6876 6879 i = ipsc_init(ifs);
6877 6880 if (i < 0)
6878 6881 return -80 + i;
6879 6882 #endif
6880 6883 #ifdef IPFILTER_LOOKUP
6881 6884 i = ip_lookup_init(ifs);
6882 6885 if (i < 0)
6883 6886 return -90 + i;
6884 6887 #endif
6885 6888 #ifdef IPFILTER_COMPILED
6886 6889 ipfrule_add(ifs);
6887 6890 #endif
6888 6891 return 0;
6889 6892 }
6890 6893
6891 6894
6892 6895 /* ------------------------------------------------------------------------ */
6893 6896 /* Function: fr_deinitialise */
6894 6897 /* Returns: None. */
6895 6898 /* Parameters: None. */
6896 6899 /* */
6897 6900 /* Call all the various subsystem cleanup routines to deallocate memory or */
6898 6901 /* destroy locks or whatever they've done that they need to now undo. */
6899 6902 /* The order here IS important as there are some cross references of */
6900 6903 /* internal data structures. */
6901 6904 /* ------------------------------------------------------------------------ */
6902 6905 void fr_deinitialise(ifs)
6903 6906 ipf_stack_t *ifs;
6904 6907 {
6905 6908 fr_fragunload(ifs);
6906 6909 fr_authunload(ifs);
6907 6910 fr_natunload(ifs);
6908 6911 fr_stateunload(ifs);
6909 6912 #ifdef IPFILTER_SCAN
6910 6913 fr_scanunload(ifs);
6911 6914 #endif
6912 6915 appr_unload(ifs);
6913 6916
6914 6917 #ifdef IPFILTER_COMPILED
6915 6918 ipfrule_remove(ifs);
6916 6919 #endif
6917 6920
6918 6921 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE, ifs);
6919 6922 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE, ifs);
6920 6923 (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE, ifs);
6921 6924 (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE, ifs);
6922 6925
6923 6926 #ifdef IPFILTER_LOOKUP
6924 6927 ip_lookup_unload(ifs);
6925 6928 #endif
6926 6929
6927 6930 #ifdef IPFILTER_LOG
6928 6931 fr_logunload(ifs);
6929 6932 #endif
6930 6933 }
6931 6934
6932 6935
6933 6936 /* ------------------------------------------------------------------------ */
6934 6937 /* Function: fr_zerostats */
6935 6938 /* Returns: int - 0 = success, else failure */
6936 6939 /* Parameters: data(O) - pointer to pointer for copying data back to */
6937 6940 /* */
6938 6941 /* Copies the current statistics out to userspace and then zero's the */
6939 6942 /* current ones in the kernel. The lock is only held across the bzero() as */
6940 6943 /* the copyout may result in paging (ie network activity.) */
6941 6944 /* ------------------------------------------------------------------------ */
6942 6945 int fr_zerostats(data, ifs)
6943 6946 caddr_t data;
6944 6947 ipf_stack_t *ifs;
6945 6948 {
6946 6949 friostat_t fio;
6947 6950 int error;
6948 6951
6949 6952 fr_getstat(&fio, ifs);
6950 6953 error = copyoutptr(&fio, data, sizeof(fio));
6951 6954 if (error)
6952 6955 return EFAULT;
6953 6956
6954 6957 WRITE_ENTER(&ifs->ifs_ipf_mutex);
6955 6958 bzero((char *)ifs->ifs_frstats, sizeof(*ifs->ifs_frstats) * 2);
6956 6959 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
6957 6960
6958 6961 return 0;
6959 6962 }
6960 6963
6961 6964
6962 6965 #ifdef _KERNEL
6963 6966 /* ------------------------------------------------------------------------ */
6964 6967 /* Function: fr_resolvedest */
6965 6968 /* Returns: Nil */
6966 6969 /* Parameters: fdp(IO) - pointer to destination information to resolve */
6967 6970 /* v(I) - IP protocol version to match */
6968 6971 /* */
6969 6972 /* Looks up an interface name in the frdest structure pointed to by fdp and */
6970 6973 /* if a matching name can be found for the particular IP protocol version */
6971 6974 /* then store the interface pointer in the frdest struct. If no match is */
6972 6975 /* found, then set the interface pointer to be -1 as NULL is considered to */
6973 6976 /* indicate there is no information at all in the structure. */
6974 6977 /* ------------------------------------------------------------------------ */
6975 6978 void fr_resolvedest(fdp, v, ifs)
6976 6979 frdest_t *fdp;
6977 6980 int v;
6978 6981 ipf_stack_t *ifs;
6979 6982 {
6980 6983 fdp->fd_ifp = NULL;
6981 6984
6982 6985 if (*fdp->fd_ifname != '\0') {
6983 6986 fdp->fd_ifp = GETIFP(fdp->fd_ifname, v, ifs);
6984 6987 if (fdp->fd_ifp == NULL)
6985 6988 fdp->fd_ifp = (void *)-1;
6986 6989 }
6987 6990 }
6988 6991 #endif /* _KERNEL */
6989 6992
6990 6993
6991 6994 /* ------------------------------------------------------------------------ */
6992 6995 /* Function: fr_resolvenic */
6993 6996 /* Returns: void* - NULL = wildcard name, -1 = failed to find NIC, else */
6994 6997 /* pointer to interface structure for NIC */
6995 6998 /* Parameters: name(I) - complete interface name */
6996 6999 /* v(I) - IP protocol version */
6997 7000 /* */
6998 7001 /* Look for a network interface structure that firstly has a matching name */
6999 7002 /* to that passed in and that is also being used for that IP protocol */
7000 7003 /* version (necessary on some platforms where there are separate listings */
7001 7004 /* for both IPv4 and IPv6 on the same physical NIC. */
7002 7005 /* */
7003 7006 /* One might wonder why name gets terminated with a \0 byte in here. The */
7004 7007 /* reason is an interface name could get into the kernel structures of ipf */
7005 7008 /* in any number of ways and so long as they all use the same sized array */
7006 7009 /* to put the name in, it makes sense to ensure it gets null terminated */
7007 7010 /* before it is used for its intended purpose - finding its match in the */
7008 7011 /* kernel's list of configured interfaces. */
7009 7012 /* */
7010 7013 /* NOTE: This SHOULD ONLY be used with IPFilter structures that have an */
7011 7014 /* array for the name that is LIFNAMSIZ bytes (at least) in length. */
7012 7015 /* ------------------------------------------------------------------------ */
7013 7016 void *fr_resolvenic(name, v, ifs)
7014 7017 char *name;
7015 7018 int v;
7016 7019 ipf_stack_t *ifs;
7017 7020 {
7018 7021 void *nic;
7019 7022
7020 7023 if (name[0] == '\0')
7021 7024 return NULL;
7022 7025
7023 7026 if ((name[1] == '\0') && ((name[0] == '-') || (name[0] == '*'))) {
7024 7027 return NULL;
7025 7028 }
7026 7029
7027 7030 name[LIFNAMSIZ - 1] = '\0';
7028 7031
7029 7032 nic = GETIFP(name, v, ifs);
7030 7033 if (nic == NULL)
7031 7034 nic = (void *)-1;
7032 7035 return nic;
7033 7036 }
7034 7037
7035 7038
7036 7039 /* ------------------------------------------------------------------------ */
7037 7040 /* Function: ipf_expiretokens */
7038 7041 /* Returns: None. */
7039 7042 /* Parameters: ifs - ipf stack instance */
7040 7043 /* */
7041 7044 /* This function is run every ipf tick to see if there are any tokens that */
7042 7045 /* have been held for too long and need to be freed up. */
7043 7046 /* ------------------------------------------------------------------------ */
7044 7047 void ipf_expiretokens(ifs)
7045 7048 ipf_stack_t *ifs;
7046 7049 {
7047 7050 ipftoken_t *it;
7048 7051
7049 7052 WRITE_ENTER(&ifs->ifs_ipf_tokens);
7050 7053 while ((it = ifs->ifs_ipftokenhead) != NULL) {
7051 7054 if (it->ipt_die > ifs->ifs_fr_ticks)
7052 7055 break;
7053 7056
7054 7057 ipf_freetoken(it, ifs);
7055 7058 }
7056 7059 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
7057 7060 }
7058 7061
7059 7062
7060 7063 /* ------------------------------------------------------------------------ */
7061 7064 /* Function: ipf_deltoken */
7062 7065 /* Returns: int - 0 = success, else error */
7063 7066 /* Parameters: type(I) - the token type to match */
7064 7067 /* uid(I) - uid owning the token */
7065 7068 /* ptr(I) - context pointer for the token */
7066 7069 /* ifs - ipf stack instance */
7067 7070 /* */
7068 7071 /* This function looks for a a token in the current list that matches up */
7069 7072 /* the fields (type, uid, ptr). If none is found, ESRCH is returned, else */
7070 7073 /* call ipf_freetoken() to remove it from the list. */
7071 7074 /* ------------------------------------------------------------------------ */
7072 7075 int ipf_deltoken(type, uid, ptr, ifs)
7073 7076 int type, uid;
7074 7077 void *ptr;
7075 7078 ipf_stack_t *ifs;
7076 7079 {
7077 7080 ipftoken_t *it;
7078 7081 int error = ESRCH;
7079 7082
7080 7083 WRITE_ENTER(&ifs->ifs_ipf_tokens);
7081 7084 for (it = ifs->ifs_ipftokenhead; it != NULL; it = it->ipt_next)
7082 7085 if (ptr == it->ipt_ctx && type == it->ipt_type &&
7083 7086 uid == it->ipt_uid) {
7084 7087 ipf_freetoken(it, ifs);
7085 7088 error = 0;
7086 7089 break;
7087 7090 }
7088 7091 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
7089 7092
7090 7093 return error;
7091 7094 }
7092 7095
7093 7096
7094 7097 /* ------------------------------------------------------------------------ */
7095 7098 /* Function: ipf_unlinktoken */
7096 7099 /* Returns: None. */
7097 7100 /* Parameters: token(I) - pointer to token structure */
7098 7101 /* ifs - ipf stack instance */
7099 7102 /* */
7100 7103 /* This function unlinks a token structure from the linked list of tokens */
7101 7104 /* that it belongs to. The head pointer never needs to be explicitly */
7102 7105 /* adjusted, but the tail does due to the linked list implementation. */
7103 7106 /* ------------------------------------------------------------------------ */
7104 7107 static void ipf_unlinktoken(token, ifs)
7105 7108 ipftoken_t *token;
7106 7109 ipf_stack_t *ifs;
7107 7110 {
7108 7111
7109 7112 if (ifs->ifs_ipftokentail == &token->ipt_next)
7110 7113 ifs->ifs_ipftokentail = token->ipt_pnext;
7111 7114
7112 7115 *token->ipt_pnext = token->ipt_next;
7113 7116 if (token->ipt_next != NULL)
7114 7117 token->ipt_next->ipt_pnext = token->ipt_pnext;
7115 7118 }
7116 7119
7117 7120
7118 7121 /* ------------------------------------------------------------------------ */
7119 7122 /* Function: ipf_findtoken */
7120 7123 /* Returns: ipftoken_t * - NULL if no memory, else pointer to token */
7121 7124 /* Parameters: type(I) - the token type to match */
7122 7125 /* uid(I) - uid owning the token */
7123 7126 /* ptr(I) - context pointer for the token */
7124 7127 /* ifs - ipf stack instance */
7125 7128 /* */
7126 7129 /* This function looks for a live token in the list of current tokens that */
7127 7130 /* matches the tuple (type, uid, ptr). If one cannot be found then one is */
7128 7131 /* allocated. If one is found then it is moved to the top of the list of */
7129 7132 /* currently active tokens. */
7130 7133 /* */
7131 7134 /* NOTE: It is by design that this function returns holding a read lock on */
7132 7135 /* ipf_tokens. Callers must make sure they release it! */
7133 7136 /* ------------------------------------------------------------------------ */
7134 7137 ipftoken_t *ipf_findtoken(type, uid, ptr, ifs)
7135 7138 int type, uid;
7136 7139 void *ptr;
7137 7140 ipf_stack_t *ifs;
7138 7141 {
7139 7142 ipftoken_t *it, *new;
7140 7143
7141 7144 KMALLOC(new, ipftoken_t *);
7142 7145
7143 7146 WRITE_ENTER(&ifs->ifs_ipf_tokens);
7144 7147 for (it = ifs->ifs_ipftokenhead; it != NULL; it = it->ipt_next) {
7145 7148 if (it->ipt_alive == 0)
7146 7149 continue;
7147 7150 if (ptr == it->ipt_ctx && type == it->ipt_type &&
7148 7151 uid == it->ipt_uid)
7149 7152 break;
7150 7153 }
7151 7154
7152 7155 if (it == NULL) {
7153 7156 it = new;
7154 7157 new = NULL;
7155 7158 if (it == NULL)
7156 7159 return NULL;
7157 7160 it->ipt_data = NULL;
7158 7161 it->ipt_ctx = ptr;
7159 7162 it->ipt_uid = uid;
7160 7163 it->ipt_type = type;
7161 7164 it->ipt_next = NULL;
7162 7165 it->ipt_alive = 1;
7163 7166 } else {
7164 7167 if (new != NULL) {
7165 7168 KFREE(new);
7166 7169 new = NULL;
7167 7170 }
7168 7171
7169 7172 ipf_unlinktoken(it, ifs);
7170 7173 }
7171 7174 it->ipt_pnext = ifs->ifs_ipftokentail;
7172 7175 *ifs->ifs_ipftokentail = it;
7173 7176 ifs->ifs_ipftokentail = &it->ipt_next;
7174 7177 it->ipt_next = NULL;
7175 7178
7176 7179 it->ipt_die = ifs->ifs_fr_ticks + 2;
7177 7180
7178 7181 MUTEX_DOWNGRADE(&ifs->ifs_ipf_tokens);
7179 7182
7180 7183 return it;
7181 7184 }
7182 7185
7183 7186
7184 7187 /* ------------------------------------------------------------------------ */
7185 7188 /* Function: ipf_freetoken */
7186 7189 /* Returns: None. */
7187 7190 /* Parameters: token(I) - pointer to token structure */
7188 7191 /* ifs - ipf stack instance */
7189 7192 /* */
7190 7193 /* This function unlinks a token from the linked list and on the path to */
7191 7194 /* free'ing the data, it calls the dereference function that is associated */
7192 7195 /* with the type of data pointed to by the token as it is considered to */
7193 7196 /* hold a reference to it. */
7194 7197 /* ------------------------------------------------------------------------ */
7195 7198 void ipf_freetoken(token, ifs)
7196 7199 ipftoken_t *token;
7197 7200 ipf_stack_t *ifs;
7198 7201 {
7199 7202 void *data, **datap;
7200 7203
7201 7204 ipf_unlinktoken(token, ifs);
7202 7205
7203 7206 data = token->ipt_data;
7204 7207 datap = &data;
7205 7208
7206 7209 if ((data != NULL) && (data != (void *)-1)) {
7207 7210 switch (token->ipt_type)
7208 7211 {
7209 7212 case IPFGENITER_IPF :
7210 7213 (void)fr_derefrule((frentry_t **)datap, ifs);
7211 7214 break;
7212 7215 case IPFGENITER_IPNAT :
7213 7216 WRITE_ENTER(&ifs->ifs_ipf_nat);
7214 7217 fr_ipnatderef((ipnat_t **)datap, ifs);
7215 7218 RWLOCK_EXIT(&ifs->ifs_ipf_nat);
7216 7219 break;
7217 7220 case IPFGENITER_NAT :
7218 7221 fr_natderef((nat_t **)datap, ifs);
7219 7222 break;
7220 7223 case IPFGENITER_STATE :
7221 7224 fr_statederef((ipstate_t **)datap, ifs);
7222 7225 break;
7223 7226 case IPFGENITER_FRAG :
7224 7227 fr_fragderef((ipfr_t **)datap, &ifs->ifs_ipf_frag, ifs);
7225 7228 break;
7226 7229 case IPFGENITER_NATFRAG :
7227 7230 fr_fragderef((ipfr_t **)datap,
7228 7231 &ifs->ifs_ipf_natfrag, ifs);
7229 7232 break;
7230 7233 case IPFGENITER_HOSTMAP :
7231 7234 WRITE_ENTER(&ifs->ifs_ipf_nat);
7232 7235 fr_hostmapdel((hostmap_t **)datap);
7233 7236 RWLOCK_EXIT(&ifs->ifs_ipf_nat);
7234 7237 break;
7235 7238 default :
7236 7239 (void) ip_lookup_iterderef(token->ipt_type, data, ifs);
7237 7240 break;
7238 7241 }
7239 7242 }
7240 7243
7241 7244 KFREE(token);
7242 7245 }
7243 7246
7244 7247
7245 7248 /* ------------------------------------------------------------------------ */
7246 7249 /* Function: ipf_getnextrule */
7247 7250 /* Returns: int - 0 = success, else error */
7248 7251 /* Parameters: t(I) - pointer to destination information to resolve */
7249 7252 /* ptr(I) - pointer to ipfobj_t to copyin from user space */
7250 7253 /* ifs - ipf stack instance */
7251 7254 /* */
7252 7255 /* This function's first job is to bring in the ipfruleiter_t structure via */
7253 7256 /* the ipfobj_t structure to determine what should be the next rule to */
7254 7257 /* return. Once the ipfruleiter_t has been brought in, it then tries to */
7255 7258 /* find the 'next rule'. This may include searching rule group lists or */
7256 7259 /* just be as simple as looking at the 'next' field in the rule structure. */
7257 7260 /* When we have found the rule to return, increase its reference count and */
7258 7261 /* if we used an existing rule to get here, decrease its reference count. */
7259 7262 /* ------------------------------------------------------------------------ */
7260 7263 int ipf_getnextrule(t, ptr, ifs)
7261 7264 ipftoken_t *t;
7262 7265 void *ptr;
7263 7266 ipf_stack_t *ifs;
7264 7267 {
7265 7268 frentry_t *fr, *next, zero;
7266 7269 int error, out, count;
7267 7270 ipfruleiter_t it;
7268 7271 frgroup_t *fg;
7269 7272 char *dst;
7270 7273
7271 7274 if (t == NULL || ptr == NULL)
7272 7275 return EFAULT;
7273 7276 error = fr_inobj(ptr, &it, IPFOBJ_IPFITER);
7274 7277 if (error != 0)
7275 7278 return error;
7276 7279 if ((it.iri_ver != AF_INET) && (it.iri_ver != AF_INET6))
7277 7280 return EINVAL;
7278 7281 if ((it.iri_inout < 0) || (it.iri_inout > 3))
7279 7282 return EINVAL;
7280 7283 if (it.iri_nrules == 0)
7281 7284 return EINVAL;
7282 7285 if ((it.iri_active != 0) && (it.iri_active != 1))
7283 7286 return EINVAL;
7284 7287 if (it.iri_rule == NULL)
7285 7288 return EFAULT;
7286 7289
7287 7290 /*
7288 7291 * Use bitmask on it.iri_inout to determine direction.
7289 7292 * F_OUT (1) and F_ACOUT (3) mask to out = 1, while
7290 7293 * F_IN (0) and F_ACIN (2) mask to out = 0.
7291 7294 */
7292 7295 out = it.iri_inout & F_OUT;
7293 7296 READ_ENTER(&ifs->ifs_ipf_mutex);
7294 7297
7295 7298 /*
7296 7299 * Retrieve "previous" entry from token and find the next entry.
7297 7300 */
7298 7301 fr = t->ipt_data;
7299 7302 if (fr == NULL) {
7300 7303 if (*it.iri_group == '\0') {
7301 7304 /*
7302 7305 * Use bitmask again to determine accounting or not.
7303 7306 * F_ACIN will mask to accounting cases F_ACIN (2)
7304 7307 * or F_ACOUT (3), but not F_IN or F_OUT.
7305 7308 */
7306 7309 if ((it.iri_inout & F_ACIN) != 0) {
7307 7310 if (it.iri_ver == AF_INET)
7308 7311 next = ifs->ifs_ipacct
7309 7312 [out][it.iri_active];
7310 7313 else
7311 7314 next = ifs->ifs_ipacct6
7312 7315 [out][it.iri_active];
7313 7316 } else {
7314 7317 if (it.iri_ver == AF_INET)
7315 7318 next = ifs->ifs_ipfilter
7316 7319 [out][it.iri_active];
7317 7320 else
7318 7321 next = ifs->ifs_ipfilter6
7319 7322 [out][it.iri_active];
7320 7323 }
7321 7324 } else {
7322 7325 fg = fr_findgroup(it.iri_group, IPL_LOGIPF,
7323 7326 it.iri_active, NULL, ifs);
7324 7327 if (fg != NULL)
7325 7328 next = fg->fg_start;
7326 7329 else
7327 7330 next = NULL;
7328 7331 }
7329 7332 } else {
7330 7333 next = fr->fr_next;
7331 7334 }
7332 7335
7333 7336 dst = (char *)it.iri_rule;
7334 7337 /*
7335 7338 * The ipfruleiter may ask for more than 1 rule at a time to be
7336 7339 * copied out, so long as that many exist in the list to start with!
7337 7340 */
7338 7341 for (count = it.iri_nrules; count > 0; count--) {
7339 7342 /*
7340 7343 * If we found an entry, add reference to it and update token.
7341 7344 * Otherwise, zero out data to be returned and NULL out token.
7342 7345 */
7343 7346 if (next != NULL) {
7344 7347 MUTEX_ENTER(&next->fr_lock);
7345 7348 next->fr_ref++;
7346 7349 MUTEX_EXIT(&next->fr_lock);
7347 7350 t->ipt_data = next;
7348 7351 } else {
7349 7352 bzero(&zero, sizeof(zero));
7350 7353 next = &zero;
7351 7354 t->ipt_data = NULL;
7352 7355 }
7353 7356
7354 7357 /*
7355 7358 * Now that we have ref, it's save to give up lock.
7356 7359 */
7357 7360 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
7358 7361
7359 7362 /*
7360 7363 * Copy out data and clean up references and token as needed.
7361 7364 */
7362 7365 error = COPYOUT(next, dst, sizeof(*next));
7363 7366 if (error != 0)
7364 7367 error = EFAULT;
7365 7368 if (t->ipt_data == NULL) {
7366 7369 ipf_freetoken(t, ifs);
7367 7370 break;
7368 7371 } else {
7369 7372 if (fr != NULL)
7370 7373 (void) fr_derefrule(&fr, ifs);
7371 7374 if (next->fr_data != NULL) {
7372 7375 dst += sizeof(*next);
7373 7376 error = COPYOUT(next->fr_data, dst,
7374 7377 next->fr_dsize);
7375 7378 if (error != 0)
7376 7379 error = EFAULT;
7377 7380 else
7378 7381 dst += next->fr_dsize;
7379 7382 }
7380 7383 if (next->fr_next == NULL) {
7381 7384 ipf_freetoken(t, ifs);
7382 7385 break;
7383 7386 }
7384 7387 }
7385 7388
7386 7389 if ((count == 1) || (error != 0))
7387 7390 break;
7388 7391
7389 7392 READ_ENTER(&ifs->ifs_ipf_mutex);
7390 7393 fr = next;
7391 7394 next = fr->fr_next;
7392 7395 }
7393 7396
7394 7397 return error;
7395 7398 }
7396 7399
7397 7400
7398 7401 /* ------------------------------------------------------------------------ */
7399 7402 /* Function: fr_frruleiter */
7400 7403 /* Returns: int - 0 = success, else error */
7401 7404 /* Parameters: data(I) - the token type to match */
7402 7405 /* uid(I) - uid owning the token */
7403 7406 /* ptr(I) - context pointer for the token */
7404 7407 /* ifs - ipf stack instance */
7405 7408 /* */
7406 7409 /* This function serves as a stepping stone between fr_ipf_ioctl and */
7407 7410 /* ipf_getnextrule. It's role is to find the right token in the kernel for */
7408 7411 /* the process doing the ioctl and use that to ask for the next rule. */
7409 7412 /* ------------------------------------------------------------------------ */
7410 7413 int ipf_frruleiter(data, uid, ctx, ifs)
7411 7414 void *data, *ctx;
7412 7415 int uid;
7413 7416 ipf_stack_t *ifs;
7414 7417 {
7415 7418 ipftoken_t *token;
7416 7419 int error;
7417 7420
7418 7421 token = ipf_findtoken(IPFGENITER_IPF, uid, ctx, ifs);
7419 7422 if (token != NULL)
7420 7423 error = ipf_getnextrule(token, data, ifs);
7421 7424 else
7422 7425 error = EFAULT;
7423 7426 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
7424 7427
7425 7428 return error;
7426 7429 }
7427 7430
7428 7431
7429 7432 /* ------------------------------------------------------------------------ */
7430 7433 /* Function: ipf_geniter */
7431 7434 /* Returns: int - 0 = success, else error */
7432 7435 /* Parameters: token(I) - pointer to ipftoken structure */
7433 7436 /* itp(I) - pointer to ipfgeniter structure */
7434 7437 /* ifs - ipf stack instance */
7435 7438 /* */
7436 7439 /* Generic iterator called from ipf_genericiter. Currently only used for */
7437 7440 /* walking through list of fragments. */
7438 7441 /* ------------------------------------------------------------------------ */
7439 7442 int ipf_geniter(token, itp, ifs)
7440 7443 ipftoken_t *token;
7441 7444 ipfgeniter_t *itp;
7442 7445 ipf_stack_t *ifs;
7443 7446 {
7444 7447 int error;
7445 7448
7446 7449 switch (itp->igi_type)
7447 7450 {
7448 7451 case IPFGENITER_FRAG :
7449 7452 error = fr_nextfrag(token, itp, &ifs->ifs_ipfr_list,
7450 7453 &ifs->ifs_ipfr_tail, &ifs->ifs_ipf_frag,
7451 7454 ifs);
7452 7455 break;
7453 7456 default :
7454 7457 error = EINVAL;
7455 7458 break;
7456 7459 }
7457 7460
7458 7461 return error;
7459 7462 }
7460 7463
7461 7464
7462 7465 /* ------------------------------------------------------------------------ */
7463 7466 /* Function: ipf_genericiter */
7464 7467 /* Returns: int - 0 = success, else error */
7465 7468 /* Parameters: data(I) - the token type to match */
7466 7469 /* uid(I) - uid owning the token */
7467 7470 /* ptr(I) - context pointer for the token */
7468 7471 /* ifs - ipf stack instance */
7469 7472 /* */
7470 7473 /* This function serves as a stepping stone between fr_ipf_ioctl and */
7471 7474 /* ipf_geniter when handling SIOCGENITER. It's role is to find the right */
7472 7475 /* token in the kernel for the process using the ioctl, and to use that */
7473 7476 /* token when calling ipf_geniter. */
7474 7477 /* ------------------------------------------------------------------------ */
7475 7478 int ipf_genericiter(data, uid, ctx, ifs)
7476 7479 void *data, *ctx;
7477 7480 int uid;
7478 7481 ipf_stack_t *ifs;
7479 7482 {
7480 7483 ipftoken_t *token;
7481 7484 ipfgeniter_t iter;
7482 7485 int error;
7483 7486
7484 7487 error = fr_inobj(data, &iter, IPFOBJ_GENITER);
7485 7488 if (error != 0)
7486 7489 return error;
7487 7490
7488 7491 token = ipf_findtoken(iter.igi_type, uid, ctx, ifs);
7489 7492 if (token != NULL) {
7490 7493 token->ipt_subtype = iter.igi_type;
7491 7494 error = ipf_geniter(token, &iter, ifs);
7492 7495 } else
7493 7496 error = EFAULT;
7494 7497 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
7495 7498
7496 7499 return error;
7497 7500 }
7498 7501
7499 7502
7500 7503 /* --------------------------------------------------------------------- */
7501 7504 /* Function: ipf_earlydrop */
7502 7505 /* Returns: number of dropped/removed entries from the queue */
7503 7506 /* Parameters: flushtype - which table we're cleaning (NAT or State) */
7504 7507 /* ifq - pointer to queue with entries to be deleted */
7505 7508 /* idletime - entry must be idle this long to be deleted */
7506 7509 /* ifs - ipf stack instance */
7507 7510 /* */
7508 7511 /* Function is invoked from state/NAT flush routines to remove entries */
7509 7512 /* from specified timeout queue, based on how long they've sat idle, */
7510 7513 /* without waiting for it to happen on its own. */
7511 7514 /* --------------------------------------------------------------------- */
7512 7515 int ipf_earlydrop(flushtype, ifq, idletime, ifs)
7513 7516 int flushtype;
7514 7517 ipftq_t *ifq;
7515 7518 int idletime;
7516 7519 ipf_stack_t *ifs;
7517 7520 {
7518 7521 ipftqent_t *tqe, *tqn;
7519 7522 unsigned int dropped;
7520 7523 int droptick;
7521 7524 void *ent;
7522 7525
7523 7526 if (ifq == NULL)
7524 7527 return (0);
7525 7528
7526 7529 dropped = 0;
7527 7530
7528 7531 /*
7529 7532 * Determine the tick representing the idle time we're interested
7530 7533 * in. If an entry exists in the queue, and it was touched before
7531 7534 * that tick, then it's been idle longer than idletime, so it should
7532 7535 * be deleted.
7533 7536 */
7534 7537 droptick = ifs->ifs_fr_ticks - idletime;
7535 7538 tqn = ifq->ifq_head;
7536 7539 while ((tqe = tqn) != NULL && tqe->tqe_touched < droptick) {
7537 7540 tqn = tqe->tqe_next;
7538 7541 ent = tqe->tqe_parent;
7539 7542 switch (flushtype)
7540 7543 {
7541 7544 case NAT_FLUSH:
7542 7545 if (nat_delete((nat_t *)ent, NL_FLUSH, ifs) == 0)
7543 7546 dropped++;
7544 7547 break;
7545 7548 case STATE_FLUSH:
7546 7549 if (fr_delstate((ipstate_t *)ent, ISL_FLUSH, ifs) == 0)
7547 7550 dropped++;
7548 7551 break;
7549 7552 default:
7550 7553 return (0);
7551 7554 }
7552 7555 }
7553 7556 return (dropped);
7554 7557 }
7555 7558
7556 7559
7557 7560 /* --------------------------------------------------------------------- */
7558 7561 /* Function: ipf_flushclosing */
7559 7562 /* Returns: int - number of entries deleted */
7560 7563 /* Parameters: flushtype - which table we're cleaning (NAT or State) */
7561 7564 /* stateval - TCP state at which to start removing entries */
7562 7565 /* ipfqs - pointer to timeout queues */
7563 7566 /* userqs - pointer to user defined queues */
7564 7567 /* ifs - ipf stack instance */
7565 7568 /* */
7566 7569 /* Remove state/NAT table entries for TCP connections which are in the */
7567 7570 /* process of closing, and have at least reached the state specified by */
7568 7571 /* the 'stateval' parameter. */
7569 7572 /* --------------------------------------------------------------------- */
7570 7573 int ipf_flushclosing(flushtype, stateval, ipfqs, userqs, ifs)
7571 7574 int flushtype, stateval;
7572 7575 ipftq_t *ipfqs, *userqs;
7573 7576 ipf_stack_t *ifs;
7574 7577 {
7575 7578 ipftq_t *ifq, *ifqn;
7576 7579 ipftqent_t *tqe, *tqn;
7577 7580 int dropped;
7578 7581 void *ent;
7579 7582 nat_t *nat;
7580 7583 ipstate_t *is;
7581 7584
7582 7585 dropped = 0;
7583 7586
7584 7587 /*
7585 7588 * Start by deleting any entries in specific timeout queues.
7586 7589 */
7587 7590 ifqn = &ipfqs[stateval];
7588 7591 while ((ifq = ifqn) != NULL) {
7589 7592 ifqn = ifq->ifq_next;
7590 7593 dropped += ipf_earlydrop(flushtype, ifq, (int)0, ifs);
7591 7594 }
7592 7595
7593 7596 /*
7594 7597 * Next, look through user defined queues for closing entries.
7595 7598 */
7596 7599 ifqn = userqs;
7597 7600 while ((ifq = ifqn) != NULL) {
7598 7601 ifqn = ifq->ifq_next;
7599 7602 tqn = ifq->ifq_head;
7600 7603 while ((tqe = tqn) != NULL) {
7601 7604 tqn = tqe->tqe_next;
7602 7605 ent = tqe->tqe_parent;
7603 7606 switch (flushtype)
7604 7607 {
7605 7608 case NAT_FLUSH:
7606 7609 nat = (nat_t *)ent;
7607 7610 if ((nat->nat_p == IPPROTO_TCP) &&
7608 7611 (nat->nat_tcpstate[0] >= stateval) &&
7609 7612 (nat->nat_tcpstate[1] >= stateval) &&
7610 7613 (nat_delete(nat, NL_EXPIRE, ifs) == 0))
7611 7614 dropped++;
7612 7615 break;
7613 7616 case STATE_FLUSH:
7614 7617 is = (ipstate_t *)ent;
7615 7618 if ((is->is_p == IPPROTO_TCP) &&
7616 7619 (is->is_state[0] >= stateval) &&
7617 7620 (is->is_state[1] >= stateval) &&
7618 7621 (fr_delstate(is, ISL_EXPIRE, ifs) == 0))
7619 7622 dropped++;
7620 7623 break;
7621 7624 default:
7622 7625 return (0);
7623 7626 }
7624 7627 }
7625 7628 }
7626 7629 return (dropped);
7627 7630 }
7628 7631
7629 7632
7630 7633 /* --------------------------------------------------------------------- */
7631 7634 /* Function: ipf_extraflush */
7632 7635 /* Returns: int - number of entries flushed (0 = none) */
7633 7636 /* Parameters: flushtype - which table we're cleaning (NAT or State) */
7634 7637 /* ipfqs - pointer to 'established' timeout queue */
7635 7638 /* userqs - pointer to user defined queues */
7636 7639 /* ifs - ipf stack instance */
7637 7640 /* */
7638 7641 /* This function gets called when either NAT or state tables fill up. */
7639 7642 /* We need to try a bit harder to free up some space. The function will */
7640 7643 /* flush entries for TCP connections which have been idle a long time. */
7641 7644 /* */
7642 7645 /* Currently, the idle time is checked using values from ideltime_tab[] */
7643 7646 /* --------------------------------------------------------------------- */
7644 7647 int ipf_extraflush(flushtype, ipfqs, userqs, ifs)
7645 7648 int flushtype;
7646 7649 ipftq_t *ipfqs, *userqs;
7647 7650 ipf_stack_t *ifs;
7648 7651 {
7649 7652 ipftq_t *ifq, *ifqn;
7650 7653 int idletime, removed, idle_idx;
7651 7654
7652 7655 removed = 0;
7653 7656
7654 7657 /*
7655 7658 * Determine initial threshold for minimum idle time based on
7656 7659 * how long ipfilter has been running. Ipfilter needs to have
7657 7660 * been up as long as the smallest interval to continue on.
7658 7661 *
7659 7662 * Minimum idle times stored in idletime_tab and indexed by
7660 7663 * idle_idx. Start at upper end of array and work backwards.
7661 7664 *
7662 7665 * Once the index is found, set the initial idle time to the
7663 7666 * first interval before the current ipfilter run time.
7664 7667 */
7665 7668 if (ifs->ifs_fr_ticks < idletime_tab[0])
7666 7669 return (0);
7667 7670 idle_idx = (sizeof (idletime_tab) / sizeof (int)) - 1;
7668 7671 if (ifs->ifs_fr_ticks > idletime_tab[idle_idx]) {
7669 7672 idletime = idletime_tab[idle_idx];
7670 7673 } else {
7671 7674 while ((idle_idx > 0) &&
7672 7675 (ifs->ifs_fr_ticks < idletime_tab[idle_idx]))
7673 7676 idle_idx--;
7674 7677
7675 7678 idletime = (ifs->ifs_fr_ticks /
7676 7679 idletime_tab[idle_idx]) *
7677 7680 idletime_tab[idle_idx];
7678 7681 }
7679 7682
7680 7683 while (idle_idx >= 0) {
7681 7684 /*
7682 7685 * Check to see if we need to delete more entries.
7683 7686 * If we do, start with appropriate timeout queue.
7684 7687 */
7685 7688 if (flushtype == NAT_FLUSH) {
7686 7689 if (NAT_TAB_WATER_LEVEL(ifs) <=
7687 7690 ifs->ifs_nat_flush_level_lo)
7688 7691 break;
7689 7692 } else if (flushtype == STATE_FLUSH) {
7690 7693 if (ST_TAB_WATER_LEVEL(ifs) <=
7691 7694 ifs->ifs_state_flush_level_lo)
7692 7695 break;
7693 7696 } else {
7694 7697 break;
7695 7698 }
7696 7699
7697 7700 removed += ipf_earlydrop(flushtype, ipfqs, idletime, ifs);
7698 7701
7699 7702 /*
7700 7703 * Next, check the user defined queues. But first, make
7701 7704 * certain that timeout queue deletions didn't do enough.
7702 7705 */
7703 7706 if (flushtype == NAT_FLUSH) {
7704 7707 if (NAT_TAB_WATER_LEVEL(ifs) <=
7705 7708 ifs->ifs_nat_flush_level_lo)
7706 7709 break;
7707 7710 } else {
7708 7711 if (ST_TAB_WATER_LEVEL(ifs) <=
7709 7712 ifs->ifs_state_flush_level_lo)
7710 7713 break;
7711 7714 }
7712 7715 ifqn = userqs;
7713 7716 while ((ifq = ifqn) != NULL) {
7714 7717 ifqn = ifq->ifq_next;
7715 7718 removed += ipf_earlydrop(flushtype, ifq, idletime, ifs);
7716 7719 }
7717 7720
7718 7721 /*
7719 7722 * Adjust the granularity of idle time.
7720 7723 *
7721 7724 * If we reach an interval boundary, we need to
7722 7725 * either adjust the idle time accordingly or exit
7723 7726 * the loop altogether (if this is very last check).
7724 7727 */
7725 7728 idletime -= idletime_tab[idle_idx];
7726 7729 if (idletime < idletime_tab[idle_idx]) {
7727 7730 if (idle_idx != 0) {
7728 7731 idletime = idletime_tab[idle_idx] -
7729 7732 idletime_tab[idle_idx - 1];
7730 7733 idle_idx--;
7731 7734 } else {
7732 7735 break;
7733 7736 }
7734 7737 }
7735 7738 }
7736 7739
7737 7740 return (removed);
7738 7741 }
|
↓ open down ↓ |
5138 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX