Print this page
OS-7667 IPFilter needs to keep and report state for cloud firewall logging
Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/ipf/ip_state.c
+++ new/usr/src/uts/common/inet/ipf/ip_state.c
1 1 /*
2 2 * Copyright (C) 1995-2003 by Darren Reed.
3 3 *
4 4 * See the IPFILTER.LICENCE file for details on licencing.
5 5 *
6 6 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
7 7 *
8 - * Copyright (c) 2014, Joyent, Inc. All rights reserved.
8 + * Copyright 2019 Joyent, Inc.
9 9 */
10 10
11 11 #if defined(KERNEL) || defined(_KERNEL)
12 12 # undef KERNEL
13 13 # undef _KERNEL
14 14 # define KERNEL 1
15 15 # define _KERNEL 1
16 16 #endif
17 17 #include <sys/errno.h>
18 18 #include <sys/types.h>
19 19 #include <sys/param.h>
20 20 #include <sys/file.h>
21 21 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
22 22 defined(_KERNEL)
23 23 # include "opt_ipfilter_log.h"
24 24 #endif
25 25 #if defined(_KERNEL) && defined(__FreeBSD_version) && \
26 26 (__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
27 27 #include "opt_inet6.h"
28 28 #endif
29 29 #if !defined(_KERNEL) && !defined(__KERNEL__)
30 30 # include <stdio.h>
31 31 # include <stdlib.h>
32 32 # include <string.h>
33 33 # define _KERNEL
34 34 # ifdef __OpenBSD__
35 35 struct file;
36 36 # endif
37 37 # include <sys/uio.h>
38 38 # undef _KERNEL
39 39 #endif
40 40 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
41 41 # include <sys/filio.h>
42 42 # include <sys/fcntl.h>
43 43 # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
44 44 # include "opt_ipfilter.h"
45 45 # endif
46 46 #else
47 47 # include <sys/ioctl.h>
48 48 #endif
49 49 #include <sys/time.h>
50 50 #if !defined(linux)
51 51 # include <sys/protosw.h>
52 52 #endif
53 53 #include <sys/socket.h>
54 54 #if defined(_KERNEL)
55 55 # include <sys/systm.h>
56 56 # if !defined(__SVR4) && !defined(__svr4__)
57 57 # include <sys/mbuf.h>
58 58 # endif
59 59 #endif
60 60 #if defined(__SVR4) || defined(__svr4__)
61 61 # include <sys/filio.h>
62 62 # include <sys/byteorder.h>
63 63 # ifdef _KERNEL
64 64 # include <sys/dditypes.h>
65 65 # endif
66 66 # include <sys/stream.h>
67 67 # include <sys/kmem.h>
68 68 #endif
69 69
70 70 #include <net/if.h>
71 71 #ifdef sun
72 72 # include <net/af.h>
73 73 #endif
74 74 #include <net/route.h>
75 75 #include <netinet/in.h>
76 76 #include <netinet/in_systm.h>
77 77 #include <netinet/ip.h>
78 78 #include <netinet/tcp.h>
79 79 #if !defined(linux)
80 80 # include <netinet/ip_var.h>
81 81 #endif
82 82 #if !defined(__hpux) && !defined(linux)
83 83 # include <netinet/tcp_fsm.h>
84 84 #endif
85 85 #include <netinet/udp.h>
86 86 #include <netinet/ip_icmp.h>
87 87 #include "netinet/ip_compat.h"
88 88 #include <netinet/tcpip.h>
89 89 #include "netinet/ip_fil.h"
90 90 #include "netinet/ip_nat.h"
91 91 #include "netinet/ip_frag.h"
92 92 #include "netinet/ip_state.h"
93 93 #include "netinet/ip_proxy.h"
94 94 #include "netinet/ipf_stack.h"
95 95 #ifdef IPFILTER_SYNC
96 96 #include "netinet/ip_sync.h"
97 97 #endif
98 98 #ifdef IPFILTER_SCAN
99 99 #include "netinet/ip_scan.h"
100 100 #endif
|
↓ open down ↓ |
82 lines elided |
↑ open up ↑ |
101 101 #ifdef USE_INET6
102 102 #include <netinet/icmp6.h>
103 103 #endif
104 104 #if (__FreeBSD_version >= 300000)
105 105 # include <sys/malloc.h>
106 106 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
107 107 # include <sys/libkern.h>
108 108 # include <sys/systm.h>
109 109 # endif
110 110 #endif
111 +#include <sys/uuid.h>
111 112 /* END OF INCLUDES */
112 113
113 114
114 115 #if !defined(lint)
115 116 static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
116 117 static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.36 2005/08/11 19:58:03 darrenr Exp $";
117 118 #endif
118 119
119 120 #ifdef USE_INET6
120 121 static ipstate_t *fr_checkicmp6matchingstate __P((fr_info_t *));
121 122 #endif
122 123 static ipstate_t *fr_matchsrcdst __P((fr_info_t *, ipstate_t *, i6addr_t *,
123 124 i6addr_t *, tcphdr_t *, u_32_t));
124 125 static ipstate_t *fr_checkicmpmatchingstate __P((fr_info_t *));
125 126 static int fr_state_flush __P((int, int, ipf_stack_t *));
126 127 static ips_stat_t *fr_statetstats __P((ipf_stack_t *));
127 128 static int fr_state_remove __P((caddr_t, ipf_stack_t *));
128 129 static void fr_ipsmove __P((ipstate_t *, u_int, ipf_stack_t *));
129 130 static int fr_tcpstate __P((fr_info_t *, tcphdr_t *, ipstate_t *));
130 131 static int fr_tcpoptions __P((fr_info_t *, tcphdr_t *, tcpdata_t *));
131 132 static ipstate_t *fr_stclone __P((fr_info_t *, tcphdr_t *, ipstate_t *));
132 133 static void fr_fixinisn __P((fr_info_t *, ipstate_t *));
133 134 static void fr_fixoutisn __P((fr_info_t *, ipstate_t *));
134 135 static void fr_checknewisn __P((fr_info_t *, ipstate_t *));
135 136 static int fr_stateiter __P((ipftoken_t *, ipfgeniter_t *, ipf_stack_t *));
136 137
137 138 int fr_stputent __P((caddr_t, ipf_stack_t *));
138 139 int fr_stgetent __P((caddr_t, ipf_stack_t *));
139 140
140 141 #define ONE_DAY IPF_TTLVAL(1 * 86400) /* 1 day */
141 142 #define FIVE_DAYS (5 * ONE_DAY)
142 143 #define DOUBLE_HASH(x, ifs) \
143 144 (((x) + ifs->ifs_ips_seed[(x) % ifs->ifs_fr_statesize]) % ifs->ifs_fr_statesize)
144 145
145 146
146 147 /* ------------------------------------------------------------------------ */
147 148 /* Function: fr_stateinit */
148 149 /* Returns: int - 0 == success, -1 == failure */
149 150 /* Parameters: ifs - ipf stack instance */
150 151 /* */
151 152 /* Initialise all the global variables used within the state code. */
152 153 /* This action also includes initiailising locks. */
153 154 /* ------------------------------------------------------------------------ */
154 155 int fr_stateinit(ifs)
155 156 ipf_stack_t *ifs;
156 157 {
157 158 #if defined(NEED_LOCAL_RAND) || !defined(_KERNEL)
158 159 struct timeval tv;
159 160 #endif
160 161 int i;
161 162
162 163 KMALLOCS(ifs->ifs_ips_table, ipstate_t **,
163 164 ifs->ifs_fr_statesize * sizeof(ipstate_t *));
164 165 if (ifs->ifs_ips_table == NULL)
165 166 return -1;
166 167 bzero((char *)ifs->ifs_ips_table,
167 168 ifs->ifs_fr_statesize * sizeof(ipstate_t *));
168 169
169 170 KMALLOCS(ifs->ifs_ips_seed, u_long *,
170 171 ifs->ifs_fr_statesize * sizeof(*ifs->ifs_ips_seed));
171 172 if (ifs->ifs_ips_seed == NULL)
172 173 return -2;
173 174 #if defined(NEED_LOCAL_RAND) || !defined(_KERNEL)
174 175 tv.tv_sec = 0;
175 176 GETKTIME(&tv);
176 177 #endif
177 178 for (i = 0; i < ifs->ifs_fr_statesize; i++) {
178 179 /*
179 180 * XXX - ips_seed[X] should be a random number of sorts.
180 181 */
181 182 #if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
182 183 ifs->ifs_ips_seed[i] = ipf_random();
183 184 #else
184 185 ifs->ifs_ips_seed[i] = ((u_long)ifs->ifs_ips_seed + i) *
185 186 ifs->ifs_fr_statesize;
186 187 ifs->ifs_ips_seed[i] += tv.tv_sec;
187 188 ifs->ifs_ips_seed[i] *= (u_long)ifs->ifs_ips_seed;
188 189 ifs->ifs_ips_seed[i] ^= 0x5a5aa5a5;
189 190 ifs->ifs_ips_seed[i] *= ifs->ifs_fr_statemax;
190 191 #endif
191 192 }
192 193
193 194 /* fill icmp reply type table */
194 195 for (i = 0; i <= ICMP_MAXTYPE; i++)
195 196 icmpreplytype4[i] = -1;
196 197 icmpreplytype4[ICMP_ECHO] = ICMP_ECHOREPLY;
197 198 icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY;
198 199 icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY;
199 200 icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY;
200 201 #ifdef USE_INET6
201 202 /* fill icmp reply type table */
202 203 for (i = 0; i <= ICMP6_MAXTYPE; i++)
203 204 icmpreplytype6[i] = -1;
204 205 icmpreplytype6[ICMP6_ECHO_REQUEST] = ICMP6_ECHO_REPLY;
205 206 icmpreplytype6[ICMP6_MEMBERSHIP_QUERY] = ICMP6_MEMBERSHIP_REPORT;
206 207 icmpreplytype6[ICMP6_NI_QUERY] = ICMP6_NI_REPLY;
207 208 icmpreplytype6[ND_ROUTER_SOLICIT] = ND_ROUTER_ADVERT;
208 209 icmpreplytype6[ND_NEIGHBOR_SOLICIT] = ND_NEIGHBOR_ADVERT;
209 210 #endif
210 211
211 212 KMALLOCS(ifs->ifs_ips_stats.iss_bucketlen, u_long *,
212 213 ifs->ifs_fr_statesize * sizeof(u_long));
213 214 if (ifs->ifs_ips_stats.iss_bucketlen == NULL)
214 215 return -1;
215 216 bzero((char *)ifs->ifs_ips_stats.iss_bucketlen,
216 217 ifs->ifs_fr_statesize * sizeof(u_long));
217 218
218 219 if (ifs->ifs_fr_state_maxbucket == 0) {
219 220 for (i = ifs->ifs_fr_statesize; i > 0; i >>= 1)
220 221 ifs->ifs_fr_state_maxbucket++;
221 222 ifs->ifs_fr_state_maxbucket *= 2;
222 223 }
223 224
224 225 fr_sttab_init(ifs->ifs_ips_tqtqb, ifs);
225 226 ifs->ifs_ips_tqtqb[IPF_TCP_NSTATES - 1].ifq_next = &ifs->ifs_ips_udptq;
226 227 ifs->ifs_ips_udptq.ifq_ttl = (u_long)ifs->ifs_fr_udptimeout;
227 228 ifs->ifs_ips_udptq.ifq_ref = 1;
228 229 ifs->ifs_ips_udptq.ifq_head = NULL;
229 230 ifs->ifs_ips_udptq.ifq_tail = &ifs->ifs_ips_udptq.ifq_head;
230 231 MUTEX_INIT(&ifs->ifs_ips_udptq.ifq_lock, "ipftq udp tab");
231 232 ifs->ifs_ips_udptq.ifq_next = &ifs->ifs_ips_udpacktq;
232 233 ifs->ifs_ips_udpacktq.ifq_ttl = (u_long)ifs->ifs_fr_udpacktimeout;
233 234 ifs->ifs_ips_udpacktq.ifq_ref = 1;
234 235 ifs->ifs_ips_udpacktq.ifq_head = NULL;
235 236 ifs->ifs_ips_udpacktq.ifq_tail = &ifs->ifs_ips_udpacktq.ifq_head;
236 237 MUTEX_INIT(&ifs->ifs_ips_udpacktq.ifq_lock, "ipftq udpack tab");
237 238 ifs->ifs_ips_udpacktq.ifq_next = &ifs->ifs_ips_icmptq;
238 239 ifs->ifs_ips_icmptq.ifq_ttl = (u_long)ifs->ifs_fr_icmptimeout;
239 240 ifs->ifs_ips_icmptq.ifq_ref = 1;
240 241 ifs->ifs_ips_icmptq.ifq_head = NULL;
241 242 ifs->ifs_ips_icmptq.ifq_tail = &ifs->ifs_ips_icmptq.ifq_head;
242 243 MUTEX_INIT(&ifs->ifs_ips_icmptq.ifq_lock, "ipftq icmp tab");
243 244 ifs->ifs_ips_icmptq.ifq_next = &ifs->ifs_ips_icmpacktq;
244 245 ifs->ifs_ips_icmpacktq.ifq_ttl = (u_long)ifs->ifs_fr_icmpacktimeout;
245 246 ifs->ifs_ips_icmpacktq.ifq_ref = 1;
246 247 ifs->ifs_ips_icmpacktq.ifq_head = NULL;
247 248 ifs->ifs_ips_icmpacktq.ifq_tail = &ifs->ifs_ips_icmpacktq.ifq_head;
248 249 MUTEX_INIT(&ifs->ifs_ips_icmpacktq.ifq_lock, "ipftq icmpack tab");
249 250 ifs->ifs_ips_icmpacktq.ifq_next = &ifs->ifs_ips_iptq;
250 251 ifs->ifs_ips_iptq.ifq_ttl = (u_long)ifs->ifs_fr_iptimeout;
251 252 ifs->ifs_ips_iptq.ifq_ref = 1;
252 253 ifs->ifs_ips_iptq.ifq_head = NULL;
253 254 ifs->ifs_ips_iptq.ifq_tail = &ifs->ifs_ips_iptq.ifq_head;
254 255 MUTEX_INIT(&ifs->ifs_ips_iptq.ifq_lock, "ipftq ip tab");
255 256 ifs->ifs_ips_iptq.ifq_next = &ifs->ifs_ips_deletetq;
256 257 /* entry's ttl in deletetq is just 1 tick */
257 258 ifs->ifs_ips_deletetq.ifq_ttl = (u_long) 1;
258 259 ifs->ifs_ips_deletetq.ifq_ref = 1;
259 260 ifs->ifs_ips_deletetq.ifq_head = NULL;
260 261 ifs->ifs_ips_deletetq.ifq_tail = &ifs->ifs_ips_deletetq.ifq_head;
261 262 MUTEX_INIT(&ifs->ifs_ips_deletetq.ifq_lock, "state delete queue");
262 263 ifs->ifs_ips_deletetq.ifq_next = NULL;
263 264
264 265 RWLOCK_INIT(&ifs->ifs_ipf_state, "ipf IP state rwlock");
265 266 MUTEX_INIT(&ifs->ifs_ipf_stinsert, "ipf state insert mutex");
266 267 ifs->ifs_fr_state_init = 1;
267 268
268 269 ifs->ifs_ips_last_force_flush = ifs->ifs_fr_ticks;
269 270 return 0;
270 271 }
271 272
272 273
273 274 /* ------------------------------------------------------------------------ */
274 275 /* Function: fr_stateunload */
275 276 /* Returns: Nil */
276 277 /* Parameters: ifs - ipf stack instance */
277 278 /* */
278 279 /* Release and destroy any resources acquired or initialised so that */
279 280 /* IPFilter can be unloaded or re-initialised. */
280 281 /* ------------------------------------------------------------------------ */
281 282 void fr_stateunload(ifs)
282 283 ipf_stack_t *ifs;
283 284 {
284 285 ipftq_t *ifq, *ifqnext;
285 286 ipstate_t *is;
286 287
287 288 while ((is = ifs->ifs_ips_list) != NULL)
288 289 (void) fr_delstate(is, 0, ifs);
289 290
290 291 /*
291 292 * Proxy timeout queues are not cleaned here because although they
292 293 * exist on the state list, appr_unload is called after fr_stateunload
293 294 * and the proxies actually are responsible for them being created.
294 295 * Should the proxy timeouts have their own list? There's no real
295 296 * justification as this is the only complicationA
296 297 */
297 298 for (ifq = ifs->ifs_ips_utqe; ifq != NULL; ifq = ifqnext) {
298 299 ifqnext = ifq->ifq_next;
299 300 if (((ifq->ifq_flags & IFQF_PROXY) == 0) &&
300 301 (fr_deletetimeoutqueue(ifq) == 0))
301 302 fr_freetimeoutqueue(ifq, ifs);
302 303 }
303 304
304 305 ifs->ifs_ips_stats.iss_inuse = 0;
305 306 ifs->ifs_ips_num = 0;
306 307
307 308 if (ifs->ifs_fr_state_init == 1) {
308 309 fr_sttab_destroy(ifs->ifs_ips_tqtqb);
309 310 MUTEX_DESTROY(&ifs->ifs_ips_udptq.ifq_lock);
310 311 MUTEX_DESTROY(&ifs->ifs_ips_icmptq.ifq_lock);
311 312 MUTEX_DESTROY(&ifs->ifs_ips_udpacktq.ifq_lock);
312 313 MUTEX_DESTROY(&ifs->ifs_ips_icmpacktq.ifq_lock);
313 314 MUTEX_DESTROY(&ifs->ifs_ips_iptq.ifq_lock);
314 315 MUTEX_DESTROY(&ifs->ifs_ips_deletetq.ifq_lock);
315 316 }
316 317
317 318 if (ifs->ifs_ips_table != NULL) {
318 319 KFREES(ifs->ifs_ips_table,
319 320 ifs->ifs_fr_statesize * sizeof(*ifs->ifs_ips_table));
320 321 ifs->ifs_ips_table = NULL;
321 322 }
322 323
323 324 if (ifs->ifs_ips_seed != NULL) {
324 325 KFREES(ifs->ifs_ips_seed,
325 326 ifs->ifs_fr_statesize * sizeof(*ifs->ifs_ips_seed));
326 327 ifs->ifs_ips_seed = NULL;
327 328 }
328 329
329 330 if (ifs->ifs_ips_stats.iss_bucketlen != NULL) {
330 331 KFREES(ifs->ifs_ips_stats.iss_bucketlen,
331 332 ifs->ifs_fr_statesize * sizeof(u_long));
332 333 ifs->ifs_ips_stats.iss_bucketlen = NULL;
333 334 }
334 335
335 336 if (ifs->ifs_fr_state_maxbucket_reset == 1)
336 337 ifs->ifs_fr_state_maxbucket = 0;
337 338
338 339 if (ifs->ifs_fr_state_init == 1) {
339 340 ifs->ifs_fr_state_init = 0;
340 341 RW_DESTROY(&ifs->ifs_ipf_state);
341 342 MUTEX_DESTROY(&ifs->ifs_ipf_stinsert);
342 343 }
343 344 }
344 345
345 346
346 347 /* ------------------------------------------------------------------------ */
347 348 /* Function: fr_statetstats */
348 349 /* Returns: ips_state_t* - pointer to state stats structure */
349 350 /* Parameters: Nil */
350 351 /* */
351 352 /* Put all the current numbers and pointers into a single struct and return */
352 353 /* a pointer to it. */
353 354 /* ------------------------------------------------------------------------ */
354 355 static ips_stat_t *fr_statetstats(ifs)
355 356 ipf_stack_t *ifs;
356 357 {
357 358 ifs->ifs_ips_stats.iss_active = ifs->ifs_ips_num;
358 359 ifs->ifs_ips_stats.iss_statesize = ifs->ifs_fr_statesize;
359 360 ifs->ifs_ips_stats.iss_statemax = ifs->ifs_fr_statemax;
360 361 ifs->ifs_ips_stats.iss_table = ifs->ifs_ips_table;
361 362 ifs->ifs_ips_stats.iss_list = ifs->ifs_ips_list;
362 363 ifs->ifs_ips_stats.iss_ticks = ifs->ifs_fr_ticks;
363 364 return &ifs->ifs_ips_stats;
364 365 }
365 366
366 367 /* ------------------------------------------------------------------------ */
367 368 /* Function: fr_state_remove */
368 369 /* Returns: int - 0 == success, != 0 == failure */
369 370 /* Parameters: data(I) - pointer to state structure to delete from table */
370 371 /* ifs - ipf stack instance */
371 372 /* */
372 373 /* Search for a state structure that matches the one passed, according to */
373 374 /* the IP addresses and other protocol specific information. */
374 375 /* ------------------------------------------------------------------------ */
375 376 static int fr_state_remove(data, ifs)
376 377 caddr_t data;
377 378 ipf_stack_t *ifs;
378 379 {
379 380 ipstate_t *sp, st;
380 381 int error;
381 382
382 383 sp = &st;
383 384 error = fr_inobj(data, &st, IPFOBJ_IPSTATE);
384 385 if (error)
385 386 return EFAULT;
386 387
387 388 WRITE_ENTER(&ifs->ifs_ipf_state);
388 389 for (sp = ifs->ifs_ips_list; sp; sp = sp->is_next)
389 390 if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
390 391 !bcmp((caddr_t)&sp->is_src, (caddr_t)&st.is_src,
391 392 sizeof(st.is_src)) &&
392 393 !bcmp((caddr_t)&sp->is_dst, (caddr_t)&st.is_dst,
393 394 sizeof(st.is_dst)) &&
394 395 !bcmp((caddr_t)&sp->is_ps, (caddr_t)&st.is_ps,
395 396 sizeof(st.is_ps))) {
396 397 (void) fr_delstate(sp, ISL_REMOVE, ifs);
397 398 RWLOCK_EXIT(&ifs->ifs_ipf_state);
398 399 return 0;
399 400 }
400 401 RWLOCK_EXIT(&ifs->ifs_ipf_state);
401 402 return ESRCH;
402 403 }
403 404
404 405
405 406 /* ------------------------------------------------------------------------ */
406 407 /* Function: fr_state_ioctl */
407 408 /* Returns: int - 0 == success, != 0 == failure */
408 409 /* Parameters: data(I) - pointer to ioctl data */
409 410 /* cmd(I) - ioctl command integer */
410 411 /* mode(I) - file mode bits used with open */
411 412 /* uid(I) - uid of caller */
412 413 /* ctx(I) - pointer to give the uid context */
413 414 /* ifs - ipf stack instance */
414 415 /* */
415 416 /* Processes an ioctl call made to operate on the IP Filter state device. */
416 417 /* ------------------------------------------------------------------------ */
417 418 int fr_state_ioctl(data, cmd, mode, uid, ctx, ifs)
418 419 caddr_t data;
419 420 ioctlcmd_t cmd;
420 421 int mode, uid;
421 422 void *ctx;
422 423 ipf_stack_t *ifs;
423 424 {
424 425 int arg, ret, error = 0;
425 426
426 427 switch (cmd)
427 428 {
428 429 /*
429 430 * Delete an entry from the state table.
430 431 */
431 432 case SIOCDELST :
432 433 error = fr_state_remove(data, ifs);
433 434 break;
434 435 /*
435 436 * Flush the state table
436 437 */
437 438 case SIOCIPFFL :
438 439 error = BCOPYIN(data, (char *)&arg, sizeof(arg));
439 440 if (error != 0) {
440 441 error = EFAULT;
441 442 } else {
442 443 if (VALID_TABLE_FLUSH_OPT(arg)) {
443 444 WRITE_ENTER(&ifs->ifs_ipf_state);
444 445 ret = fr_state_flush(arg, 4, ifs);
445 446 RWLOCK_EXIT(&ifs->ifs_ipf_state);
446 447 error = BCOPYOUT((char *)&ret, data,
447 448 sizeof(ret));
448 449 if (error != 0)
449 450 return EFAULT;
450 451 } else {
451 452 error = EINVAL;
452 453 }
453 454 }
454 455 break;
455 456
456 457 #ifdef USE_INET6
457 458 case SIOCIPFL6 :
458 459 error = BCOPYIN(data, (char *)&arg, sizeof(arg));
459 460 if (error != 0) {
460 461 error = EFAULT;
461 462 } else {
462 463 if (VALID_TABLE_FLUSH_OPT(arg)) {
463 464 WRITE_ENTER(&ifs->ifs_ipf_state);
464 465 ret = fr_state_flush(arg, 6, ifs);
465 466 RWLOCK_EXIT(&ifs->ifs_ipf_state);
466 467 error = BCOPYOUT((char *)&ret, data,
467 468 sizeof(ret));
468 469 if (error != 0)
469 470 return EFAULT;
470 471 } else {
471 472 error = EINVAL;
472 473 }
473 474 }
474 475 break;
475 476 #endif
476 477 #ifdef IPFILTER_LOG
477 478 /*
478 479 * Flush the state log.
479 480 */
480 481 case SIOCIPFFB :
481 482 if (!(mode & FWRITE))
482 483 error = EPERM;
483 484 else {
484 485 int tmp;
485 486
486 487 tmp = ipflog_clear(IPL_LOGSTATE, ifs);
487 488 error = BCOPYOUT((char *)&tmp, data, sizeof(tmp));
488 489 if (error != 0)
489 490 error = EFAULT;
490 491 }
491 492 break;
492 493 /*
493 494 * Turn logging of state information on/off.
494 495 */
495 496 case SIOCSETLG :
496 497 if (!(mode & FWRITE)) {
497 498 error = EPERM;
498 499 } else {
499 500 error = BCOPYIN((char *)data,
500 501 (char *)&ifs->ifs_ipstate_logging,
501 502 sizeof(ifs->ifs_ipstate_logging));
502 503 if (error != 0)
503 504 error = EFAULT;
504 505 }
505 506 break;
506 507 /*
507 508 * Return the current state of logging.
508 509 */
509 510 case SIOCGETLG :
510 511 error = BCOPYOUT((char *)&ifs->ifs_ipstate_logging,
511 512 (char *)data,
512 513 sizeof(ifs->ifs_ipstate_logging));
513 514 if (error != 0)
514 515 error = EFAULT;
515 516 break;
516 517 /*
517 518 * Return the number of bytes currently waiting to be read.
518 519 */
519 520 case FIONREAD :
520 521 arg = ifs->ifs_iplused[IPL_LOGSTATE]; /* returned in an int */
521 522 error = BCOPYOUT((char *)&arg, data, sizeof(arg));
522 523 if (error != 0)
523 524 error = EFAULT;
524 525 break;
525 526 #endif
526 527 /*
527 528 * Get the current state statistics.
528 529 */
529 530 case SIOCGETFS :
530 531 error = fr_outobj(data, fr_statetstats(ifs), IPFOBJ_STATESTAT);
531 532 break;
532 533 /*
533 534 * Lock/Unlock the state table. (Locking prevents any changes, which
534 535 * means no packets match).
535 536 */
536 537 case SIOCSTLCK :
537 538 if (!(mode & FWRITE)) {
538 539 error = EPERM;
539 540 } else {
540 541 error = fr_lock(data, &ifs->ifs_fr_state_lock);
541 542 }
542 543 break;
543 544 /*
544 545 * Add an entry to the current state table.
545 546 */
546 547 case SIOCSTPUT :
547 548 if (!ifs->ifs_fr_state_lock || !(mode & FWRITE)) {
548 549 error = EACCES;
549 550 break;
550 551 }
551 552 error = fr_stputent(data, ifs);
552 553 break;
553 554 /*
554 555 * Get a state table entry.
555 556 */
556 557 case SIOCSTGET :
557 558 if (!ifs->ifs_fr_state_lock) {
558 559 error = EACCES;
559 560 break;
560 561 }
561 562 error = fr_stgetent(data, ifs);
562 563 break;
563 564
564 565 case SIOCGENITER :
565 566 {
566 567 ipftoken_t *token;
567 568 ipfgeniter_t iter;
568 569
569 570 error = fr_inobj(data, &iter, IPFOBJ_GENITER);
570 571 if (error != 0)
571 572 break;
572 573
573 574 token = ipf_findtoken(IPFGENITER_STATE, uid, ctx, ifs);
574 575 if (token != NULL)
575 576 error = fr_stateiter(token, &iter, ifs);
576 577 else
577 578 error = ESRCH;
578 579 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
579 580 break;
580 581 }
581 582
582 583 case SIOCIPFDELTOK :
583 584 error = BCOPYIN(data, (char *)&arg, sizeof(arg));
584 585 if (error != 0) {
585 586 error = EFAULT;
586 587 } else {
587 588 error = ipf_deltoken(arg, uid, ctx, ifs);
588 589 }
589 590 break;
590 591
591 592 default :
592 593 error = EINVAL;
593 594 break;
594 595 }
595 596 return error;
596 597 }
597 598
598 599
599 600 /* ------------------------------------------------------------------------ */
600 601 /* Function: fr_stgetent */
601 602 /* Returns: int - 0 == success, != 0 == failure */
602 603 /* Parameters: data(I) - pointer to state structure to retrieve from table */
603 604 /* */
604 605 /* Copy out state information from the kernel to a user space process. If */
605 606 /* there is a filter rule associated with the state entry, copy that out */
606 607 /* as well. The entry to copy out is taken from the value of "ips_next" in */
607 608 /* the struct passed in and if not null and not found in the list of current*/
608 609 /* state entries, the retrieval fails. */
609 610 /* ------------------------------------------------------------------------ */
610 611 int fr_stgetent(data, ifs)
611 612 caddr_t data;
612 613 ipf_stack_t *ifs;
613 614 {
614 615 ipstate_t *is, *isn;
615 616 ipstate_save_t ips;
616 617 int error;
617 618
618 619 error = fr_inobj(data, &ips, IPFOBJ_STATESAVE);
619 620 if (error)
620 621 return EFAULT;
621 622
622 623 isn = ips.ips_next;
623 624 if (isn == NULL) {
624 625 isn = ifs->ifs_ips_list;
625 626 if (isn == NULL) {
626 627 if (ips.ips_next == NULL)
627 628 return ENOENT;
628 629 return 0;
629 630 }
630 631 } else {
631 632 /*
632 633 * Make sure the pointer we're copying from exists in the
633 634 * current list of entries. Security precaution to prevent
634 635 * copying of random kernel data.
635 636 */
636 637 for (is = ifs->ifs_ips_list; is; is = is->is_next)
637 638 if (is == isn)
638 639 break;
639 640 if (!is)
640 641 return ESRCH;
641 642 }
642 643 ips.ips_next = isn->is_next;
643 644 bcopy((char *)isn, (char *)&ips.ips_is, sizeof(ips.ips_is));
644 645 ips.ips_rule = isn->is_rule;
645 646 if (isn->is_rule != NULL)
646 647 bcopy((char *)isn->is_rule, (char *)&ips.ips_fr,
647 648 sizeof(ips.ips_fr));
648 649 error = fr_outobj(data, &ips, IPFOBJ_STATESAVE);
649 650 if (error)
650 651 return EFAULT;
651 652 return 0;
652 653 }
653 654
654 655
655 656 /* ------------------------------------------------------------------------ */
656 657 /* Function: fr_stputent */
657 658 /* Returns: int - 0 == success, != 0 == failure */
658 659 /* Parameters: data(I) - pointer to state information struct */
659 660 /* ifs - ipf stack instance */
660 661 /* */
661 662 /* This function implements the SIOCSTPUT ioctl: insert a state entry into */
662 663 /* the state table. If the state info. includes a pointer to a filter rule */
663 664 /* then also add in an orphaned rule (will not show up in any "ipfstat -io" */
664 665 /* output. */
665 666 /* ------------------------------------------------------------------------ */
666 667 int fr_stputent(data, ifs)
667 668 caddr_t data;
668 669 ipf_stack_t *ifs;
669 670 {
670 671 ipstate_t *is, *isn;
671 672 ipstate_save_t ips;
672 673 int error, i;
673 674 frentry_t *fr;
674 675 char *name;
675 676
676 677 error = fr_inobj(data, &ips, IPFOBJ_STATESAVE);
677 678 if (error)
678 679 return EFAULT;
679 680
680 681 /*
681 682 * Trigger automatic call to fr_state_flush() if the
682 683 * table has reached capacity specified by hi watermark.
683 684 */
684 685 if (ST_TAB_WATER_LEVEL(ifs) > ifs->ifs_state_flush_level_hi)
685 686 ifs->ifs_fr_state_doflush = 1;
686 687
687 688 /*
688 689 * If automatic flushing did not do its job, and the table
689 690 * has filled up, don't try to create a new entry.
690 691 */
691 692 if (ifs->ifs_ips_num >= ifs->ifs_fr_statemax) {
692 693 ATOMIC_INCL(ifs->ifs_ips_stats.iss_max);
693 694 return ENOMEM;
694 695 }
695 696
696 697 KMALLOC(isn, ipstate_t *);
697 698 if (isn == NULL)
698 699 return ENOMEM;
699 700
700 701 bcopy((char *)&ips.ips_is, (char *)isn, sizeof(*isn));
701 702 bzero((char *)isn, offsetof(struct ipstate, is_pkts));
702 703 isn->is_sti.tqe_pnext = NULL;
703 704 isn->is_sti.tqe_next = NULL;
704 705 isn->is_sti.tqe_ifq = NULL;
705 706 isn->is_sti.tqe_parent = isn;
706 707 isn->is_ifp[0] = NULL;
707 708 isn->is_ifp[1] = NULL;
708 709 isn->is_ifp[2] = NULL;
709 710 isn->is_ifp[3] = NULL;
710 711 isn->is_sync = NULL;
711 712 fr = ips.ips_rule;
712 713
713 714 if (fr == NULL) {
714 715 READ_ENTER(&ifs->ifs_ipf_state);
715 716 fr_stinsert(isn, 0, ifs);
716 717 MUTEX_EXIT(&isn->is_lock);
717 718 RWLOCK_EXIT(&ifs->ifs_ipf_state);
718 719 return 0;
719 720 }
720 721
721 722 if (isn->is_flags & SI_NEWFR) {
722 723 KMALLOC(fr, frentry_t *);
723 724 if (fr == NULL) {
724 725 KFREE(isn);
725 726 return ENOMEM;
726 727 }
727 728 bcopy((char *)&ips.ips_fr, (char *)fr, sizeof(*fr));
728 729 isn->is_rule = fr;
729 730 ips.ips_is.is_rule = fr;
730 731 MUTEX_NUKE(&fr->fr_lock);
731 732 MUTEX_INIT(&fr->fr_lock, "state filter rule lock");
732 733
733 734 /*
734 735 * Look up all the interface names in the rule.
735 736 */
736 737 for (i = 0; i < 4; i++) {
737 738 name = fr->fr_ifnames[i];
738 739 fr->fr_ifas[i] = fr_resolvenic(name, fr->fr_v, ifs);
739 740 name = isn->is_ifname[i];
740 741 isn->is_ifp[i] = fr_resolvenic(name, isn->is_v, ifs);
741 742 }
742 743
743 744 fr->fr_ref = 0;
744 745 fr->fr_dsize = 0;
745 746 fr->fr_data = NULL;
746 747 fr->fr_type = FR_T_NONE;
747 748
748 749 fr_resolvedest(&fr->fr_tif, fr->fr_v, ifs);
749 750 fr_resolvedest(&fr->fr_dif, fr->fr_v, ifs);
750 751 fr_resolvedest(&fr->fr_rif, fr->fr_v, ifs);
751 752
752 753 /*
753 754 * send a copy back to userland of what we ended up
754 755 * to allow for verification.
755 756 */
756 757 error = fr_outobj(data, &ips, IPFOBJ_STATESAVE);
757 758 if (error) {
758 759 KFREE(isn);
759 760 MUTEX_DESTROY(&fr->fr_lock);
760 761 KFREE(fr);
761 762 return EFAULT;
762 763 }
763 764 READ_ENTER(&ifs->ifs_ipf_state);
764 765 fr_stinsert(isn, 0, ifs);
765 766 MUTEX_EXIT(&isn->is_lock);
766 767 RWLOCK_EXIT(&ifs->ifs_ipf_state);
767 768
768 769 } else {
769 770 READ_ENTER(&ifs->ifs_ipf_state);
770 771 for (is = ifs->ifs_ips_list; is; is = is->is_next)
771 772 if (is->is_rule == fr) {
772 773 fr_stinsert(isn, 0, ifs);
773 774 MUTEX_EXIT(&isn->is_lock);
774 775 break;
775 776 }
776 777
777 778 if (is == NULL) {
778 779 KFREE(isn);
779 780 isn = NULL;
780 781 }
781 782 RWLOCK_EXIT(&ifs->ifs_ipf_state);
782 783
783 784 return (isn == NULL) ? ESRCH : 0;
784 785 }
785 786
786 787 return 0;
787 788 }
788 789
789 790
790 791 /* ------------------------------------------------------------------------ */
791 792 /* Function: fr_stinsert */
792 793 /* Returns: Nil */
793 794 /* Parameters: is(I) - pointer to state structure */
794 795 /* rev(I) - flag indicating forward/reverse direction of packet */
795 796 /* */
796 797 /* Inserts a state structure into the hash table (for lookups) and the list */
797 798 /* of state entries (for enumeration). Resolves all of the interface names */
798 799 /* to pointers and adjusts running stats for the hash table as appropriate. */
799 800 /* */
800 801 /* Locking: it is assumed that some kind of lock on ipf_state is held. */
801 802 /* Exits with is_lock initialised and held. */
802 803 /* ------------------------------------------------------------------------ */
803 804 void fr_stinsert(is, rev, ifs)
804 805 ipstate_t *is;
805 806 int rev;
806 807 ipf_stack_t *ifs;
807 808 {
808 809 frentry_t *fr;
809 810 u_int hv;
810 811 int i;
811 812
812 813 MUTEX_INIT(&is->is_lock, "ipf state entry");
813 814
814 815 fr = is->is_rule;
815 816 if (fr != NULL) {
816 817 MUTEX_ENTER(&fr->fr_lock);
817 818 fr->fr_ref++;
818 819 fr->fr_statecnt++;
819 820 MUTEX_EXIT(&fr->fr_lock);
820 821 }
821 822
822 823 /*
823 824 * Look up all the interface names in the state entry.
824 825 */
825 826 for (i = 0; i < 4; i++) {
826 827 if (is->is_ifp[i] != NULL)
827 828 continue;
828 829 is->is_ifp[i] = fr_resolvenic(is->is_ifname[i], is->is_v, ifs);
829 830 }
830 831
831 832 /*
832 833 * If we could trust is_hv, then the modulous would not be needed, but
833 834 * when running with IPFILTER_SYNC, this stops bad values.
834 835 */
835 836 hv = is->is_hv % ifs->ifs_fr_statesize;
836 837 is->is_hv = hv;
837 838
838 839 /*
839 840 * We need to get both of these locks...the first because it is
840 841 * possible that once the insert is complete another packet might
841 842 * come along, match the entry and want to update it.
842 843 */
843 844 MUTEX_ENTER(&is->is_lock);
844 845 MUTEX_ENTER(&ifs->ifs_ipf_stinsert);
845 846
846 847 /*
847 848 * add into list table.
848 849 */
849 850 if (ifs->ifs_ips_list != NULL)
850 851 ifs->ifs_ips_list->is_pnext = &is->is_next;
851 852 is->is_pnext = &ifs->ifs_ips_list;
852 853 is->is_next = ifs->ifs_ips_list;
853 854 ifs->ifs_ips_list = is;
854 855
855 856 if (ifs->ifs_ips_table[hv] != NULL)
856 857 ifs->ifs_ips_table[hv]->is_phnext = &is->is_hnext;
857 858 else
858 859 ifs->ifs_ips_stats.iss_inuse++;
859 860 is->is_phnext = ifs->ifs_ips_table + hv;
860 861 is->is_hnext = ifs->ifs_ips_table[hv];
861 862 ifs->ifs_ips_table[hv] = is;
862 863 ifs->ifs_ips_stats.iss_bucketlen[hv]++;
863 864 ifs->ifs_ips_num++;
864 865 MUTEX_EXIT(&ifs->ifs_ipf_stinsert);
865 866
866 867 fr_setstatequeue(is, rev, ifs);
867 868 }
868 869
869 870 /* ------------------------------------------------------------------------ */
870 871 /* Function: fr_match_ipv4addrs */
871 872 /* Returns: int - 2 strong match (same addresses, same direction) */
872 873 /* 1 weak match (same address, opposite direction) */
873 874 /* 0 no match */
874 875 /* */
875 876 /* Function matches IPv4 addresses. */
876 877 /* ------------------------------------------------------------------------ */
877 878 static int fr_match_ipv4addrs(is1, is2)
878 879 ipstate_t *is1;
879 880 ipstate_t *is2;
880 881 {
881 882 int rv;
882 883
883 884 if (is1->is_saddr == is2->is_saddr && is1->is_daddr == is2->is_daddr)
884 885 rv = 2;
885 886 else if (is1->is_saddr == is2->is_daddr &&
886 887 is1->is_daddr == is2->is_saddr)
887 888 rv = 1;
888 889 else
889 890 rv = 0;
890 891
891 892 return (rv);
892 893 }
893 894
894 895 /* ------------------------------------------------------------------------ */
895 896 /* Function: fr_match_ipv6addrs */
896 897 /* Returns: int - 2 strong match (same addresses, same direction) */
897 898 /* 1 weak match (same addresses, opposite direction) */
898 899 /* 0 no match */
899 900 /* */
900 901 /* Function matches IPv6 addresses. */
901 902 /* ------------------------------------------------------------------------ */
902 903 static int fr_match_ipv6addrs(is1, is2)
903 904 ipstate_t *is1;
904 905 ipstate_t *is2;
905 906 {
906 907 int rv;
907 908
908 909 if (IP6_EQ(&is1->is_src, &is2->is_src) &&
909 910 IP6_EQ(&is1->is_dst, &is2->is_dst))
910 911 rv = 2;
911 912 else if (IP6_EQ(&is1->is_src, &is2->is_dst) &&
912 913 IP6_EQ(&is1->is_dst, &is2->is_src)) {
913 914 rv = 1;
914 915 }
915 916 else
916 917 rv = 0;
917 918
918 919 return (rv);
919 920 }
920 921 /* ------------------------------------------------------------------------ */
921 922 /* Function: fr_match_addresses */
922 923 /* Returns: int - 2 strong match (same addresses, same direction) */
923 924 /* 1 weak match (same address, opposite directions) */
924 925 /* 0 no match */
925 926 /* Parameters: is1, is2 pointers to states we are checking */
926 927 /* */
927 928 /* Matches addresses, function uses fr_match_ipvXaddrs() to deal with IPv4 */
928 929 /* and IPv6 address format. */
929 930 /* ------------------------------------------------------------------------ */
930 931 static int fr_match_addresses(is1, is2)
931 932 ipstate_t *is1;
932 933 ipstate_t *is2;
933 934 {
934 935 int rv;
935 936
936 937 if (is1->is_v == 4) {
937 938 rv = fr_match_ipv4addrs(is1, is2);
938 939 } else {
939 940 rv = fr_match_ipv6addrs(is1, is2);
940 941 }
941 942
942 943 return (rv);
943 944 }
944 945
945 946 /* ------------------------------------------------------------------------ */
946 947 /* Function: fr_match_ppairs */
947 948 /* Returns: int - 2 strong match (same ports, same direction) */
948 949 /* 1 weak match (same ports, different direction) */
949 950 /* 0 no match */
950 951 /* Parameters ppairs1, ppairs - src, dst ports we want to match. */
951 952 /* */
952 953 /* Matches two port_pair_t types (port pairs). Each port pair contains */
953 954 /* src, dst port, which belong to session (state entry). */
954 955 /* ------------------------------------------------------------------------ */
955 956 static int fr_match_ppairs(ppairs1, ppairs2)
956 957 port_pair_t *ppairs1;
957 958 port_pair_t *ppairs2;
958 959 {
959 960 int rv;
960 961
961 962 if (ppairs1->pp_sport == ppairs2->pp_sport &&
962 963 ppairs1->pp_dport == ppairs2->pp_dport)
963 964 rv = 2;
964 965 else if (ppairs1->pp_sport == ppairs2->pp_dport &&
965 966 ppairs1->pp_dport == ppairs2->pp_sport)
966 967 rv = 1;
967 968 else
968 969 rv = 0;
969 970
970 971 return (rv);
971 972 }
972 973
973 974 /* ------------------------------------------------------------------------ */
974 975 /* Function: fr_match_l4_hdr */
975 976 /* Returns: int - 0 no match, */
976 977 /* 1 weak match (same ports, different directions) */
977 978 /* 2 strong match (same ports, same direction) */
978 979 /* Parameters is1, is2 - states we want to match */
979 980 /* */
980 981 /* Function matches L4 header data (source ports for TCP, UDP, CallIds for */
981 982 /* GRE protocol). */
982 983 /* ------------------------------------------------------------------------ */
983 984 static int fr_match_l4_hdr(is1, is2)
984 985 ipstate_t *is1;
985 986 ipstate_t *is2;
986 987 {
987 988 int rv = 0;
988 989 port_pair_t pp1;
989 990 port_pair_t pp2;
990 991
991 992 if (is1->is_p != is2->is_p)
992 993 return (0);
993 994
994 995 switch (is1->is_p) {
995 996 case IPPROTO_TCP:
996 997 pp1.pp_sport = is1->is_ps.is_ts.ts_sport;
997 998 pp1.pp_dport = is1->is_ps.is_ts.ts_dport;
998 999 pp2.pp_sport = is2->is_ps.is_ts.ts_sport;
999 1000 pp2.pp_dport = is2->is_ps.is_ts.ts_dport;
1000 1001 rv = fr_match_ppairs(&pp1, &pp2);
1001 1002 break;
1002 1003 case IPPROTO_UDP:
1003 1004 pp1.pp_sport = is1->is_ps.is_us.us_sport;
1004 1005 pp1.pp_dport = is1->is_ps.is_us.us_dport;
1005 1006 pp2.pp_sport = is2->is_ps.is_us.us_sport;
1006 1007 pp2.pp_dport = is2->is_ps.is_us.us_dport;
1007 1008 rv = fr_match_ppairs(&pp1, &pp2);
1008 1009 break;
1009 1010 case IPPROTO_GRE:
1010 1011 /* greinfo_t can be also interprted as port pair */
1011 1012 pp1.pp_sport = is1->is_ps.is_ug.gs_call[0];
1012 1013 pp1.pp_dport = is1->is_ps.is_ug.gs_call[1];
1013 1014 pp2.pp_sport = is2->is_ps.is_ug.gs_call[0];
1014 1015 pp2.pp_dport = is2->is_ps.is_ug.gs_call[1];
1015 1016 rv = fr_match_ppairs(&pp1, &pp2);
1016 1017 break;
1017 1018 case IPPROTO_ICMP:
1018 1019 case IPPROTO_ICMPV6:
1019 1020 if (bcmp(&is1->is_ps, &is2->is_ps, sizeof (icmpinfo_t)))
1020 1021 rv = 1;
1021 1022 else
1022 1023 rv = 0;
1023 1024 break;
1024 1025 default:
1025 1026 rv = 0;
1026 1027 }
1027 1028
1028 1029 return (rv);
1029 1030 }
1030 1031
1031 1032 /* ------------------------------------------------------------------------ */
1032 1033 /* Function: fr_matchstates */
1033 1034 /* Returns: int - nonzero match, zero no match */
1034 1035 /* Parameters is1, is2 - states we want to match */
1035 1036 /* */
1036 1037 /* The state entries are equal (identical match) if they belong to the same */
1037 1038 /* session. Any time new state entry is being added the fr_addstate() */
1038 1039 /* function creates temporal state entry from the data it gets from IP and */
1039 1040 /* L4 header. The fr_matchstats() must be also aware of packet direction, */
1040 1041 /* which is also stored within the state entry. We should keep in mind the */
1041 1042 /* information about packet direction is spread accross L3 (addresses) and */
1042 1043 /* L4 (ports). There are three possible relationships betwee is1, is2: */
1043 1044 /* - no match (match(is1, is2) == 0)) */
1044 1045 /* - weak match same addresses (ports), but different */
1045 1046 /* directions (1) (fr_match_xxxx(is1, is2) == 1) */
1046 1047 /* - strong match same addresses (ports) and same directions */
1047 1048 /* (2) (fr_match_xxxx(is1, is2) == 2) */
1048 1049 /* */
1049 1050 /* There are functions, which match match addresses (L3 header) in is1, is2 */
1050 1051 /* and functions, which are used to compare ports (L4 header) data. We say */
1051 1052 /* the is1 and is2 are same (identical) if there is a match */
1052 1053 /* (fr_match_l4_hdr(is1, is2) != 0) and matchlevels are same for entries */
1053 1054 /* (fr_match_l3_hdr(is1, is2) == fr_match_l4_hdr(is1, is2)) for is1, is2. */
1054 1055 /* Such requirement deals with case as follows: */
1055 1056 /* suppose there are two connections between hosts A, B. Connection 1: */
1056 1057 /* a.a.a.a:12345 <=> b.b.b.b:54321 */
1057 1058 /* Connection 2: */
1058 1059 /* a.a.a.a:54321 <=> b.b.b.b:12345 */
1059 1060 /* since we've introduced match levels into our fr_matchstates(), we are */
1060 1061 /* able to identify, which packets belong to connection A and which belong */
1061 1062 /* to connection B. Assume there are two entries is1, is2. is1 has been */
1062 1063 /* from con. 1 packet, which travelled from A to B: */
1063 1064 /* a.a.a.a:12345 -> b.b.b.b:54321 */
1064 1065 /* while s2, has been created from packet which belongs to con. 2 and is */
1065 1066 /* also coming from A to B: */
1066 1067 /* a.a.a.a:54321 -> b.b.b.b:12345 */
1067 1068 /* fr_match_l3_hdr(is1, is2) == 2 -> strong match, while */
1068 1069 /* fr_match_l4_hdr(is1, is2) == 1 -> weak match. Since match levels are */
1069 1070 /* different the state entries are not identical -> no match as a final */
1070 1071 /* result. */
1071 1072 /* ------------------------------------------------------------------------ */
1072 1073 static int fr_matchstates(is1, is2)
1073 1074 ipstate_t *is1;
1074 1075 ipstate_t *is2;
1075 1076 {
1076 1077 int rv;
1077 1078 int amatch;
1078 1079 int pmatch;
1079 1080
1080 1081 if (bcmp(&is1->is_pass, &is2->is_pass,
1081 1082 offsetof(struct ipstate, is_ps) -
1082 1083 offsetof(struct ipstate, is_pass)) == 0) {
1083 1084
1084 1085 pmatch = fr_match_l4_hdr(is1, is2);
1085 1086 amatch = fr_match_addresses(is1, is2);
1086 1087 /*
1087 1088 * If addresses match (amatch != 0), then 'match levels'
1088 1089 * must be same for matching entries. If amatch and pmatch
1089 1090 * have different values (different match levels), then
1090 1091 * is1 and is2 belong to different sessions.
1091 1092 */
1092 1093 rv = (amatch != 0) && (amatch == pmatch);
1093 1094 }
1094 1095 else
1095 1096 rv = 0;
1096 1097
1097 1098 return (rv);
1098 1099 }
1099 1100
1100 1101 /* ------------------------------------------------------------------------ */
1101 1102 /* Function: fr_addstate */
1102 1103 /* Returns: ipstate_t* - NULL == failure, else pointer to new state */
1103 1104 /* Parameters: fin(I) - pointer to packet information */
1104 1105 /* stsave(O) - pointer to place to save pointer to created */
1105 1106 /* state structure. */
1106 1107 /* flags(I) - flags to use when creating the structure */
1107 1108 /* */
1108 1109 /* Creates a new IP state structure from the packet information collected. */
1109 1110 /* Inserts it into the state table and appends to the bottom of the active */
1110 1111 /* list. If the capacity of the table has reached the maximum allowed then */
1111 1112 /* the call will fail and a flush is scheduled for the next timeout call. */
1112 1113 /* ------------------------------------------------------------------------ */
1113 1114 ipstate_t *fr_addstate(fin, stsave, flags)
1114 1115 fr_info_t *fin;
1115 1116 ipstate_t **stsave;
1116 1117 u_int flags;
1117 1118 {
1118 1119 ipstate_t *is, ips;
1119 1120 struct icmp *ic;
1120 1121 u_int pass, hv;
1121 1122 frentry_t *fr;
1122 1123 tcphdr_t *tcp;
1123 1124 grehdr_t *gre;
1124 1125 void *ifp;
1125 1126 int out;
1126 1127 ipf_stack_t *ifs = fin->fin_ifs;
1127 1128
1128 1129 if (ifs->ifs_fr_state_lock ||
1129 1130 (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD)))
1130 1131 return NULL;
1131 1132
1132 1133 if ((fin->fin_flx & FI_OOW) && !(fin->fin_tcpf & TH_SYN))
1133 1134 return NULL;
1134 1135
1135 1136 /*
1136 1137 * Trigger automatic call to fr_state_flush() if the
1137 1138 * table has reached capacity specified by hi watermark.
1138 1139 */
1139 1140 if (ST_TAB_WATER_LEVEL(ifs) > ifs->ifs_state_flush_level_hi)
1140 1141 ifs->ifs_fr_state_doflush = 1;
1141 1142
1142 1143 /*
1143 1144 * If the max number of state entries has been reached, and there is no
1144 1145 * limit on the state count for the rule, then do not continue. In the
1145 1146 * case where a limit exists, it's ok allow the entries to be created as
1146 1147 * long as specified limit itself has not been reached.
1147 1148 *
1148 1149 * Note that because the lock isn't held on fr, it is possible to exceed
1149 1150 * the specified size of the table. However, the cost of this is being
1150 1151 * ignored here; as the number by which it can go over is a product of
1151 1152 * the number of simultaneous threads that could be executing in here.
1152 1153 * So, a limit of 100 won't result in 200, but could result in 101 or 102.
1153 1154 *
1154 1155 * Also note that, since the automatic flush should have been triggered
1155 1156 * well before we reach the maximum number of state table entries, the
1156 1157 * likelihood of reaching the max (and thus exceedng it) is minimal.
1157 1158 */
1158 1159 fr = fin->fin_fr;
1159 1160 if (fr != NULL) {
1160 1161 if ((ifs->ifs_ips_num >= ifs->ifs_fr_statemax) &&
1161 1162 (fr->fr_statemax == 0)) {
1162 1163 ATOMIC_INCL(ifs->ifs_ips_stats.iss_max);
1163 1164 return NULL;
1164 1165 }
1165 1166 if ((fr->fr_statemax != 0) &&
1166 1167 (fr->fr_statecnt >= fr->fr_statemax)) {
1167 1168 ATOMIC_INCL(ifs->ifs_ips_stats.iss_maxref);
1168 1169 ifs->ifs_fr_state_doflush = 1;
1169 1170 return NULL;
1170 1171 }
1171 1172 }
1172 1173
1173 1174 ic = NULL;
1174 1175 tcp = NULL;
1175 1176 out = fin->fin_out;
1176 1177 is = &ips;
1177 1178 bzero((char *)is, sizeof(*is));
1178 1179
1179 1180 if (fr == NULL) {
1180 1181 pass = ifs->ifs_fr_flags;
1181 1182 is->is_tag = FR_NOLOGTAG;
1182 1183 } else {
1183 1184 pass = fr->fr_flags;
1184 1185 }
1185 1186
1186 1187 is->is_die = 1 + ifs->ifs_fr_ticks;
1187 1188 /*
1188 1189 * We want to check everything that is a property of this packet,
1189 1190 * but we don't (automatically) care about it's fragment status as
1190 1191 * this may change.
1191 1192 */
1192 1193 is->is_pass = pass;
1193 1194 is->is_v = fin->fin_v;
1194 1195 is->is_opt[0] = fin->fin_optmsk;
1195 1196 is->is_optmsk[0] = 0xffffffff;
1196 1197 /*
1197 1198 * The reverse direction option mask will be set in fr_matchsrcdst(),
1198 1199 * when we will see the first packet from the peer. We will leave it
1199 1200 * as zero for now.
1200 1201 */
1201 1202 is->is_optmsk[1] = 0x0;
1202 1203
1203 1204 if (is->is_v == 6) {
1204 1205 is->is_opt[0] &= ~0x8;
1205 1206 is->is_optmsk[0] &= ~0x8;
1206 1207 }
1207 1208 is->is_sec = fin->fin_secmsk;
1208 1209 is->is_secmsk = 0xffff;
1209 1210 is->is_auth = fin->fin_auth;
1210 1211 is->is_authmsk = 0xffff;
1211 1212
1212 1213 /*
1213 1214 * Copy and calculate...
1214 1215 */
1215 1216 hv = (is->is_p = fin->fin_fi.fi_p);
1216 1217 is->is_src = fin->fin_fi.fi_src;
1217 1218 hv += is->is_saddr;
1218 1219 is->is_dst = fin->fin_fi.fi_dst;
1219 1220 hv += is->is_daddr;
1220 1221 #ifdef USE_INET6
1221 1222 if (fin->fin_v == 6) {
1222 1223 /*
1223 1224 * For ICMPv6, we check to see if the destination address is
1224 1225 * a multicast address. If it is, do not include it in the
1225 1226 * calculation of the hash because the correct reply will come
1226 1227 * back from a real address, not a multicast address.
1227 1228 */
1228 1229 if ((is->is_p == IPPROTO_ICMPV6) &&
1229 1230 IN6_IS_ADDR_MULTICAST(&is->is_dst.in6)) {
1230 1231 /*
1231 1232 * So you can do keep state with neighbour discovery.
1232 1233 *
1233 1234 * Here we could use the address from the neighbour
1234 1235 * solicit message to put in the state structure and
1235 1236 * we could use that without a wildcard flag too...
1236 1237 */
1237 1238 is->is_flags |= SI_W_DADDR;
1238 1239 hv -= is->is_daddr;
1239 1240 } else {
1240 1241 hv += is->is_dst.i6[1];
1241 1242 hv += is->is_dst.i6[2];
1242 1243 hv += is->is_dst.i6[3];
1243 1244 }
1244 1245 hv += is->is_src.i6[1];
1245 1246 hv += is->is_src.i6[2];
1246 1247 hv += is->is_src.i6[3];
1247 1248 }
1248 1249 #endif
1249 1250 if ((fin->fin_v == 4) &&
1250 1251 (fin->fin_flx & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST))) {
1251 1252 if (fin->fin_out == 0) {
1252 1253 flags |= SI_W_DADDR|SI_CLONE;
1253 1254 hv -= is->is_daddr;
1254 1255 } else {
1255 1256 flags |= SI_W_SADDR|SI_CLONE;
1256 1257 hv -= is->is_saddr;
1257 1258 }
1258 1259 }
1259 1260
1260 1261 switch (is->is_p)
1261 1262 {
1262 1263 #ifdef USE_INET6
1263 1264 case IPPROTO_ICMPV6 :
1264 1265 ic = fin->fin_dp;
1265 1266
1266 1267 switch (ic->icmp_type)
1267 1268 {
1268 1269 case ICMP6_ECHO_REQUEST :
1269 1270 is->is_icmp.ici_type = ic->icmp_type;
1270 1271 hv += (is->is_icmp.ici_id = ic->icmp_id);
1271 1272 break;
1272 1273 case ICMP6_MEMBERSHIP_QUERY :
1273 1274 case ND_ROUTER_SOLICIT :
1274 1275 case ND_NEIGHBOR_SOLICIT :
1275 1276 case ICMP6_NI_QUERY :
1276 1277 is->is_icmp.ici_type = ic->icmp_type;
1277 1278 break;
1278 1279 default :
1279 1280 return NULL;
1280 1281 }
1281 1282 ATOMIC_INCL(ifs->ifs_ips_stats.iss_icmp);
1282 1283 break;
1283 1284 #endif
1284 1285 case IPPROTO_ICMP :
1285 1286 ic = fin->fin_dp;
1286 1287
1287 1288 switch (ic->icmp_type)
1288 1289 {
1289 1290 case ICMP_ECHO :
1290 1291 case ICMP_ECHOREPLY :
1291 1292 case ICMP_TSTAMP :
1292 1293 case ICMP_IREQ :
1293 1294 case ICMP_MASKREQ :
1294 1295 is->is_icmp.ici_type = ic->icmp_type;
1295 1296 hv += (is->is_icmp.ici_id = ic->icmp_id);
1296 1297 break;
1297 1298 default :
1298 1299 return NULL;
1299 1300 }
1300 1301 ATOMIC_INCL(ifs->ifs_ips_stats.iss_icmp);
1301 1302 break;
1302 1303
1303 1304 case IPPROTO_GRE :
1304 1305 gre = fin->fin_dp;
1305 1306
1306 1307 is->is_gre.gs_flags = gre->gr_flags;
1307 1308 is->is_gre.gs_ptype = gre->gr_ptype;
1308 1309 if (GRE_REV(is->is_gre.gs_flags) == 1) {
1309 1310 is->is_call[0] = fin->fin_data[0];
1310 1311 is->is_call[1] = fin->fin_data[1];
1311 1312 }
1312 1313 break;
1313 1314
1314 1315 case IPPROTO_TCP :
1315 1316 tcp = fin->fin_dp;
1316 1317
1317 1318 if (tcp->th_flags & TH_RST)
1318 1319 return NULL;
1319 1320 /*
1320 1321 * The endian of the ports doesn't matter, but the ack and
1321 1322 * sequence numbers do as we do mathematics on them later.
1322 1323 */
1323 1324 is->is_sport = htons(fin->fin_data[0]);
1324 1325 is->is_dport = htons(fin->fin_data[1]);
1325 1326 if ((flags & (SI_W_DPORT|SI_W_SPORT)) == 0) {
1326 1327 hv += is->is_sport;
1327 1328 hv += is->is_dport;
1328 1329 }
1329 1330
1330 1331 /*
1331 1332 * If this is a real packet then initialise fields in the
1332 1333 * state information structure from the TCP header information.
1333 1334 */
1334 1335
1335 1336 is->is_maxdwin = 1;
1336 1337 is->is_maxswin = ntohs(tcp->th_win);
1337 1338 if (is->is_maxswin == 0)
1338 1339 is->is_maxswin = 1;
1339 1340
1340 1341 if ((fin->fin_flx & FI_IGNORE) == 0) {
1341 1342 is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen -
1342 1343 (TCP_OFF(tcp) << 2) +
1343 1344 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
1344 1345 ((tcp->th_flags & TH_FIN) ? 1 : 0);
1345 1346 is->is_maxsend = is->is_send;
1346 1347
1347 1348 /*
1348 1349 * Window scale option is only present in
1349 1350 * SYN/SYN-ACK packet.
1350 1351 */
1351 1352 if ((tcp->th_flags & ~(TH_FIN|TH_ACK|TH_ECNALL)) ==
1352 1353 TH_SYN &&
1353 1354 (TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
1354 1355 if (fr_tcpoptions(fin, tcp,
1355 1356 &is->is_tcp.ts_data[0]) == -1) {
1356 1357 fin->fin_flx |= FI_BAD;
1357 1358 }
1358 1359 }
1359 1360
1360 1361 if ((fin->fin_out != 0) && (pass & FR_NEWISN) != 0) {
1361 1362 fr_checknewisn(fin, is);
1362 1363 fr_fixoutisn(fin, is);
1363 1364 }
1364 1365
1365 1366 if ((tcp->th_flags & TH_OPENING) == TH_SYN)
1366 1367 flags |= IS_TCPFSM;
1367 1368 else {
1368 1369 is->is_maxdwin = is->is_maxswin * 2;
1369 1370 is->is_dend = ntohl(tcp->th_ack);
1370 1371 is->is_maxdend = ntohl(tcp->th_ack);
1371 1372 is->is_maxdwin *= 2;
1372 1373 }
1373 1374 }
1374 1375
1375 1376 /*
1376 1377 * If we're creating state for a starting connection, start the
1377 1378 * timer on it as we'll never see an error if it fails to
1378 1379 * connect.
1379 1380 */
1380 1381 ATOMIC_INCL(ifs->ifs_ips_stats.iss_tcp);
1381 1382 break;
1382 1383
1383 1384 case IPPROTO_UDP :
1384 1385 tcp = fin->fin_dp;
1385 1386
1386 1387 is->is_sport = htons(fin->fin_data[0]);
1387 1388 is->is_dport = htons(fin->fin_data[1]);
1388 1389 if ((flags & (SI_W_DPORT|SI_W_SPORT)) == 0) {
1389 1390 hv += tcp->th_dport;
1390 1391 hv += tcp->th_sport;
1391 1392 }
1392 1393 ATOMIC_INCL(ifs->ifs_ips_stats.iss_udp);
1393 1394 break;
1394 1395
1395 1396 default :
1396 1397 break;
1397 1398 }
1398 1399 hv = DOUBLE_HASH(hv, ifs);
1399 1400 is->is_hv = hv;
1400 1401 is->is_rule = fr;
1401 1402 is->is_flags = flags & IS_INHERITED;
1402 1403
1403 1404 /*
1404 1405 * Look for identical state.
1405 1406 */
1406 1407 for (is = ifs->ifs_ips_table[is->is_hv % ifs->ifs_fr_statesize];
1407 1408 is != NULL;
1408 1409 is = is->is_hnext) {
1409 1410 if (fr_matchstates(&ips, is) == 1)
1410 1411 break;
1411 1412 }
1412 1413
1413 1414 /*
1414 1415 * we've found a matching state -> state already exists,
1415 1416 * we are not going to add a duplicate record.
1416 1417 */
1417 1418 if (is != NULL)
1418 1419 return NULL;
1419 1420
1420 1421 if (ifs->ifs_ips_stats.iss_bucketlen[hv] >= ifs->ifs_fr_state_maxbucket) {
1421 1422 ATOMIC_INCL(ifs->ifs_ips_stats.iss_bucketfull);
1422 1423 return NULL;
1423 1424 }
1424 1425 KMALLOC(is, ipstate_t *);
1425 1426 if (is == NULL) {
1426 1427 ATOMIC_INCL(ifs->ifs_ips_stats.iss_nomem);
1427 1428 return NULL;
1428 1429 }
1429 1430 bcopy((char *)&ips, (char *)is, sizeof(*is));
1430 1431 /*
1431 1432 * Do not do the modulous here, it is done in fr_stinsert().
1432 1433 */
1433 1434 if (fr != NULL) {
1434 1435 (void) strncpy(is->is_group, fr->fr_group, FR_GROUPLEN);
1435 1436 if (fr->fr_age[0] != 0) {
1436 1437 is->is_tqehead[0] =
1437 1438 fr_addtimeoutqueue(&ifs->ifs_ips_utqe,
|
↓ open down ↓ |
1317 lines elided |
↑ open up ↑ |
1438 1439 fr->fr_age[0], ifs);
1439 1440 is->is_sti.tqe_flags |= TQE_RULEBASED;
1440 1441 }
1441 1442 if (fr->fr_age[1] != 0) {
1442 1443 is->is_tqehead[1] =
1443 1444 fr_addtimeoutqueue(&ifs->ifs_ips_utqe,
1444 1445 fr->fr_age[1], ifs);
1445 1446 is->is_sti.tqe_flags |= TQE_RULEBASED;
1446 1447 }
1447 1448 is->is_tag = fr->fr_logtag;
1449 + memcpy(is->is_uuid, fr->fr_uuid, sizeof (uuid_t));
1448 1450
1449 1451 is->is_ifp[(out << 1) + 1] = fr->fr_ifas[1];
1450 1452 is->is_ifp[(1 - out) << 1] = fr->fr_ifas[2];
1451 1453 is->is_ifp[((1 - out) << 1) + 1] = fr->fr_ifas[3];
1452 1454
1453 1455 if (((ifp = fr->fr_ifas[1]) != NULL) &&
1454 1456 (ifp != (void *)-1)) {
1455 1457 COPYIFNAME(ifp, is->is_ifname[(out << 1) + 1], fr->fr_v);
1456 1458 }
1457 1459 if (((ifp = fr->fr_ifas[2]) != NULL) &&
1458 1460 (ifp != (void *)-1)) {
1459 1461 COPYIFNAME(ifp, is->is_ifname[(1 - out) << 1], fr->fr_v);
1460 1462 }
1461 1463 if (((ifp = fr->fr_ifas[3]) != NULL) &&
1462 1464 (ifp != (void *)-1)) {
1463 1465 COPYIFNAME(ifp, is->is_ifname[((1 - out) << 1) + 1], fr->fr_v);
1464 1466 }
1465 1467 }
1466 1468
1467 1469 is->is_ifp[out << 1] = fin->fin_ifp;
1468 1470 if (fin->fin_ifp != NULL) {
1469 1471 COPYIFNAME(fin->fin_ifp, is->is_ifname[out << 1], fin->fin_v);
1470 1472 }
1471 1473
1472 1474 is->is_ref = 1;
1473 1475 is->is_pkts[0] = 0, is->is_bytes[0] = 0;
1474 1476 is->is_pkts[1] = 0, is->is_bytes[1] = 0;
1475 1477 is->is_pkts[2] = 0, is->is_bytes[2] = 0;
1476 1478 is->is_pkts[3] = 0, is->is_bytes[3] = 0;
1477 1479 if ((fin->fin_flx & FI_IGNORE) == 0) {
1478 1480 is->is_pkts[out] = 1;
1479 1481 is->is_bytes[out] = fin->fin_plen;
1480 1482 is->is_flx[out][0] = fin->fin_flx & FI_CMP;
1481 1483 is->is_flx[out][0] &= ~FI_OOW;
1482 1484 }
1483 1485
1484 1486 if (pass & FR_STSTRICT)
1485 1487 is->is_flags |= IS_STRICT;
1486 1488
1487 1489 if (pass & FR_STATESYNC)
1488 1490 is->is_flags |= IS_STATESYNC;
1489 1491
1490 1492 if (flags & (SI_WILDP|SI_WILDA)) {
1491 1493 ATOMIC_INCL(ifs->ifs_ips_stats.iss_wild);
1492 1494 }
1493 1495 is->is_rulen = fin->fin_rule;
1494 1496
1495 1497
1496 1498 if (pass & FR_LOGFIRST)
1497 1499 is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
1498 1500
1499 1501 READ_ENTER(&ifs->ifs_ipf_state);
1500 1502 is->is_me = stsave;
1501 1503
1502 1504 fr_stinsert(is, fin->fin_rev, ifs);
1503 1505
1504 1506 if (fin->fin_p == IPPROTO_TCP) {
1505 1507 /*
1506 1508 * If we're creating state for a starting connection, start the
1507 1509 * timer on it as we'll never see an error if it fails to
1508 1510 * connect.
1509 1511 */
1510 1512 (void) fr_tcp_age(&is->is_sti, fin, ifs->ifs_ips_tqtqb,
1511 1513 is->is_flags);
1512 1514 MUTEX_EXIT(&is->is_lock);
1513 1515 #ifdef IPFILTER_SCAN
1514 1516 if ((is->is_flags & SI_CLONE) == 0)
1515 1517 (void) ipsc_attachis(is);
1516 1518 #endif
|
↓ open down ↓ |
59 lines elided |
↑ open up ↑ |
1517 1519 } else {
1518 1520 MUTEX_EXIT(&is->is_lock);
1519 1521 }
1520 1522 #ifdef IPFILTER_SYNC
1521 1523 if ((is->is_flags & IS_STATESYNC) && ((is->is_flags & SI_CLONE) == 0))
1522 1524 is->is_sync = ipfsync_new(SMC_STATE, fin, is);
1523 1525 #endif
1524 1526 if (ifs->ifs_ipstate_logging)
1525 1527 ipstate_log(is, ISL_NEW, ifs);
1526 1528
1529 + if (IFS_CFWLOG(ifs, is->is_rule))
1530 + ipf_log_cfwlog(is, ISL_NEW, ifs);
1531 +
1527 1532 RWLOCK_EXIT(&ifs->ifs_ipf_state);
1528 1533 fin->fin_rev = IP6_NEQ(&is->is_dst, &fin->fin_daddr);
1529 1534 fin->fin_flx |= FI_STATE;
1530 1535 if (fin->fin_flx & FI_FRAG)
1531 1536 (void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
1532 1537
1533 1538 return is;
1534 1539 }
1535 1540
1536 1541
1537 1542 /* ------------------------------------------------------------------------ */
1538 1543 /* Function: fr_tcpoptions */
1539 1544 /* Returns: int - 1 == packet matches state entry, 0 == it does not */
1540 1545 /* Parameters: fin(I) - pointer to packet information */
1541 1546 /* tcp(I) - pointer to TCP packet header */
1542 1547 /* td(I) - pointer to TCP data held as part of the state */
1543 1548 /* */
1544 1549 /* Look after the TCP header for any options and deal with those that are */
1545 1550 /* present. Record details about those that we recogise. */
1546 1551 /* ------------------------------------------------------------------------ */
1547 1552 static int fr_tcpoptions(fin, tcp, td)
1548 1553 fr_info_t *fin;
1549 1554 tcphdr_t *tcp;
1550 1555 tcpdata_t *td;
1551 1556 {
1552 1557 int off, mlen, ol, i, len, retval;
1553 1558 char buf[64], *s, opt;
1554 1559 mb_t *m = NULL;
1555 1560
1556 1561 len = (TCP_OFF(tcp) << 2);
1557 1562 if (fin->fin_dlen < len)
1558 1563 return 0;
1559 1564 len -= sizeof(*tcp);
1560 1565
1561 1566 off = fin->fin_plen - fin->fin_dlen + sizeof(*tcp) + fin->fin_ipoff;
1562 1567
1563 1568 m = fin->fin_m;
1564 1569 mlen = MSGDSIZE(m) - off;
1565 1570 if (len > mlen) {
1566 1571 len = mlen;
1567 1572 retval = 0;
1568 1573 } else {
1569 1574 retval = 1;
1570 1575 }
1571 1576
1572 1577 COPYDATA(m, off, len, buf);
1573 1578
1574 1579 for (s = buf; len > 0; ) {
1575 1580 opt = *s;
1576 1581 if (opt == TCPOPT_EOL)
1577 1582 break;
1578 1583 else if (opt == TCPOPT_NOP)
1579 1584 ol = 1;
1580 1585 else {
1581 1586 if (len < 2)
1582 1587 break;
1583 1588 ol = (int)*(s + 1);
1584 1589 if (ol < 2 || ol > len)
1585 1590 break;
1586 1591
1587 1592 /*
1588 1593 * Extract the TCP options we are interested in out of
1589 1594 * the header and store them in the the tcpdata struct.
1590 1595 */
1591 1596 switch (opt)
1592 1597 {
1593 1598 case TCPOPT_WINDOW :
1594 1599 if (ol == TCPOLEN_WINDOW) {
1595 1600 i = (int)*(s + 2);
1596 1601 if (i > TCP_WSCALE_MAX)
1597 1602 i = TCP_WSCALE_MAX;
1598 1603 else if (i < 0)
1599 1604 i = 0;
1600 1605 td->td_winscale = i;
1601 1606 td->td_winflags |= TCP_WSCALE_SEEN |
1602 1607 TCP_WSCALE_FIRST;
1603 1608 } else
1604 1609 retval = -1;
1605 1610 break;
1606 1611 case TCPOPT_MAXSEG :
1607 1612 /*
1608 1613 * So, if we wanted to set the TCP MAXSEG,
1609 1614 * it should be done here...
1610 1615 */
1611 1616 if (ol == TCPOLEN_MAXSEG) {
1612 1617 i = (int)*(s + 2);
1613 1618 i <<= 8;
1614 1619 i += (int)*(s + 3);
1615 1620 td->td_maxseg = i;
1616 1621 } else
1617 1622 retval = -1;
1618 1623 break;
1619 1624 case TCPOPT_SACK_PERMITTED :
1620 1625 if (ol == TCPOLEN_SACK_PERMITTED)
1621 1626 td->td_winflags |= TCP_SACK_PERMIT;
1622 1627 else
1623 1628 retval = -1;
1624 1629 break;
1625 1630 }
1626 1631 }
1627 1632 len -= ol;
1628 1633 s += ol;
1629 1634 }
1630 1635 return retval;
1631 1636 }
1632 1637
1633 1638
1634 1639 /* ------------------------------------------------------------------------ */
1635 1640 /* Function: fr_tcpstate */
1636 1641 /* Returns: int - 1 == packet matches state entry, 0 == it does not */
1637 1642 /* Parameters: fin(I) - pointer to packet information */
1638 1643 /* tcp(I) - pointer to TCP packet header */
1639 1644 /* is(I) - pointer to master state structure */
1640 1645 /* */
1641 1646 /* Check to see if a packet with TCP headers fits within the TCP window. */
1642 1647 /* Change timeout depending on whether new packet is a SYN-ACK returning */
1643 1648 /* for a SYN or a RST or FIN which indicate time to close up shop. */
1644 1649 /* ------------------------------------------------------------------------ */
1645 1650 static int fr_tcpstate(fin, tcp, is)
1646 1651 fr_info_t *fin;
1647 1652 tcphdr_t *tcp;
1648 1653 ipstate_t *is;
1649 1654 {
1650 1655 int source, ret = 0, flags;
1651 1656 tcpdata_t *fdata, *tdata;
1652 1657 ipf_stack_t *ifs = fin->fin_ifs;
1653 1658
1654 1659 source = !fin->fin_rev;
1655 1660 if (((is->is_flags & IS_TCPFSM) != 0) && (source == 1) &&
1656 1661 (ntohs(is->is_sport) != fin->fin_data[0]))
1657 1662 source = 0;
1658 1663 fdata = &is->is_tcp.ts_data[!source];
1659 1664 tdata = &is->is_tcp.ts_data[source];
1660 1665
1661 1666 MUTEX_ENTER(&is->is_lock);
1662 1667
1663 1668 /*
1664 1669 * If a SYN packet is received for a connection that is in a half
1665 1670 * closed state, then move its state entry to deletetq. In such case
1666 1671 * the SYN packet will be consequently dropped. This allows new state
1667 1672 * entry to be created with a retransmited SYN packet.
1668 1673 */
1669 1674 if ((tcp->th_flags & TH_OPENING) == TH_SYN) {
1670 1675 if ((is->is_state[source] > IPF_TCPS_ESTABLISHED) &&
1671 1676 (is->is_state[!source] > IPF_TCPS_ESTABLISHED)) {
1672 1677 is->is_state[source] = IPF_TCPS_CLOSED;
1673 1678 is->is_state[!source] = IPF_TCPS_CLOSED;
1674 1679 /*
1675 1680 * Do not update is->is_sti.tqe_die in case state entry
1676 1681 * is already present in deletetq. It prevents state
1677 1682 * entry ttl update by retransmitted SYN packets, which
1678 1683 * may arrive before timer tick kicks off. The SYN
1679 1684 * packet will be dropped again.
1680 1685 */
1681 1686 if (is->is_sti.tqe_ifq != &ifs->ifs_ips_deletetq)
1682 1687 fr_movequeue(&is->is_sti, is->is_sti.tqe_ifq,
1683 1688 &fin->fin_ifs->ifs_ips_deletetq,
1684 1689 fin->fin_ifs);
1685 1690
1686 1691 MUTEX_EXIT(&is->is_lock);
1687 1692 return 0;
1688 1693 }
1689 1694 }
1690 1695
1691 1696 if (fr_tcpinwindow(fin, fdata, tdata, tcp, is->is_flags)) {
1692 1697 #ifdef IPFILTER_SCAN
1693 1698 if (is->is_flags & (IS_SC_CLIENT|IS_SC_SERVER)) {
1694 1699 ipsc_packet(fin, is);
1695 1700 if (FR_ISBLOCK(is->is_pass)) {
1696 1701 MUTEX_EXIT(&is->is_lock);
1697 1702 return 1;
1698 1703 }
1699 1704 }
1700 1705 #endif
1701 1706
1702 1707 /*
1703 1708 * Nearing end of connection, start timeout.
1704 1709 */
1705 1710 ret = fr_tcp_age(&is->is_sti, fin, ifs->ifs_ips_tqtqb,
1706 1711 is->is_flags);
1707 1712 if (ret == 0) {
1708 1713 MUTEX_EXIT(&is->is_lock);
1709 1714 return 0;
1710 1715 }
1711 1716
1712 1717 /*
1713 1718 * set s0's as appropriate. Use syn-ack packet as it
1714 1719 * contains both pieces of required information.
1715 1720 */
1716 1721 /*
1717 1722 * Window scale option is only present in SYN/SYN-ACK packet.
1718 1723 * Compare with ~TH_FIN to mask out T/TCP setups.
1719 1724 */
1720 1725 flags = tcp->th_flags & ~(TH_FIN|TH_ECNALL);
1721 1726 if (flags == (TH_SYN|TH_ACK)) {
1722 1727 is->is_s0[source] = ntohl(tcp->th_ack);
1723 1728 is->is_s0[!source] = ntohl(tcp->th_seq) + 1;
1724 1729 if (TCP_OFF(tcp) > (sizeof (tcphdr_t) >> 2)) {
1725 1730 (void) fr_tcpoptions(fin, tcp, fdata);
1726 1731 }
1727 1732 if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
1728 1733 fr_checknewisn(fin, is);
1729 1734 } else if (flags == TH_SYN) {
1730 1735 is->is_s0[source] = ntohl(tcp->th_seq) + 1;
1731 1736 if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)))
1732 1737 (void) fr_tcpoptions(fin, tcp, fdata);
1733 1738
1734 1739 if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
1735 1740 fr_checknewisn(fin, is);
1736 1741
1737 1742 }
1738 1743 ret = 1;
1739 1744 } else
1740 1745 fin->fin_flx |= FI_OOW;
1741 1746 MUTEX_EXIT(&is->is_lock);
1742 1747 return ret;
1743 1748 }
1744 1749
1745 1750
1746 1751 /* ------------------------------------------------------------------------ */
1747 1752 /* Function: fr_checknewisn */
1748 1753 /* Returns: Nil */
1749 1754 /* Parameters: fin(I) - pointer to packet information */
1750 1755 /* is(I) - pointer to master state structure */
1751 1756 /* */
1752 1757 /* Check to see if this TCP connection is expecting and needs a new */
1753 1758 /* sequence number for a particular direction of the connection. */
1754 1759 /* */
1755 1760 /* NOTE: This does not actually change the sequence numbers, only gets new */
1756 1761 /* one ready. */
1757 1762 /* ------------------------------------------------------------------------ */
1758 1763 static void fr_checknewisn(fin, is)
1759 1764 fr_info_t *fin;
1760 1765 ipstate_t *is;
1761 1766 {
1762 1767 u_32_t sumd, old, new;
1763 1768 tcphdr_t *tcp;
1764 1769 int i;
1765 1770
1766 1771 i = fin->fin_rev;
1767 1772 tcp = fin->fin_dp;
1768 1773
1769 1774 if (((i == 0) && !(is->is_flags & IS_ISNSYN)) ||
1770 1775 ((i == 1) && !(is->is_flags & IS_ISNACK))) {
1771 1776 old = ntohl(tcp->th_seq);
1772 1777 new = fr_newisn(fin);
1773 1778 is->is_isninc[i] = new - old;
1774 1779 CALC_SUMD(old, new, sumd);
1775 1780 is->is_sumd[i] = (sumd & 0xffff) + (sumd >> 16);
1776 1781
1777 1782 is->is_flags |= ((i == 0) ? IS_ISNSYN : IS_ISNACK);
1778 1783 }
1779 1784 }
1780 1785
1781 1786
1782 1787 /* ------------------------------------------------------------------------ */
1783 1788 /* Function: fr_tcpinwindow */
1784 1789 /* Returns: int - 1 == packet inside TCP "window", 0 == not inside. */
1785 1790 /* Parameters: fin(I) - pointer to packet information */
1786 1791 /* fdata(I) - pointer to tcp state informatio (forward) */
1787 1792 /* tdata(I) - pointer to tcp state informatio (reverse) */
1788 1793 /* tcp(I) - pointer to TCP packet header */
1789 1794 /* */
1790 1795 /* Given a packet has matched addresses and ports, check to see if it is */
1791 1796 /* within the TCP data window. In a show of generosity, allow packets that */
1792 1797 /* are within the window space behind the current sequence # as well. */
1793 1798 /* ------------------------------------------------------------------------ */
1794 1799 int fr_tcpinwindow(fin, fdata, tdata, tcp, flags)
1795 1800 fr_info_t *fin;
1796 1801 tcpdata_t *fdata, *tdata;
1797 1802 tcphdr_t *tcp;
1798 1803 int flags;
1799 1804 {
1800 1805 tcp_seq seq, ack, end;
1801 1806 int ackskew, tcpflags;
1802 1807 u_32_t win, maxwin;
1803 1808 int dsize, inseq;
1804 1809
1805 1810 /*
1806 1811 * Find difference between last checked packet and this packet.
1807 1812 */
1808 1813 tcpflags = tcp->th_flags;
1809 1814 seq = ntohl(tcp->th_seq);
1810 1815 ack = ntohl(tcp->th_ack);
1811 1816
1812 1817 if (tcpflags & TH_SYN)
1813 1818 win = ntohs(tcp->th_win);
1814 1819 else
1815 1820 win = ntohs(tcp->th_win) << fdata->td_winscale;
1816 1821
1817 1822 /*
1818 1823 * win 0 means the receiving endpoint has closed the window, because it
1819 1824 * has not enough memory to receive data from sender. In such case we
1820 1825 * are pretending window size to be 1 to let TCP probe data through.
1821 1826 * TCP probe data can be either 0 or 1 octet of data, the RFC does not
1822 1827 * state this accurately, so we have to allow 1 octet (win = 1) even if
1823 1828 * the window is closed (win == 0).
1824 1829 */
1825 1830 if (win == 0)
1826 1831 win = 1;
1827 1832
1828 1833 dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
1829 1834 ((tcpflags & TH_SYN) ? 1 : 0) + ((tcpflags & TH_FIN) ? 1 : 0);
1830 1835
1831 1836 /*
1832 1837 * if window scaling is present, the scaling is only allowed
1833 1838 * for windows not in the first SYN packet. In that packet the
1834 1839 * window is 65535 to specify the largest window possible
1835 1840 * for receivers not implementing the window scale option.
1836 1841 * Currently, we do not assume TTCP here. That means that
1837 1842 * if we see a second packet from a host (after the initial
1838 1843 * SYN), we can assume that the receiver of the SYN did
1839 1844 * already send back the SYN/ACK (and thus that we know if
1840 1845 * the receiver also does window scaling)
1841 1846 */
1842 1847 if (!(tcpflags & TH_SYN) && (fdata->td_winflags & TCP_WSCALE_FIRST)) {
1843 1848 fdata->td_winflags &= ~TCP_WSCALE_FIRST;
1844 1849 fdata->td_maxwin = win;
1845 1850 }
1846 1851
1847 1852 end = seq + dsize;
1848 1853
1849 1854 if ((fdata->td_end == 0) &&
1850 1855 (!(flags & IS_TCPFSM) ||
1851 1856 ((tcpflags & TH_OPENING) == TH_OPENING))) {
1852 1857 /*
1853 1858 * Must be a (outgoing) SYN-ACK in reply to a SYN.
1854 1859 */
1855 1860 fdata->td_end = end - 1;
1856 1861 fdata->td_maxwin = 1;
1857 1862 fdata->td_maxend = end + win;
1858 1863 }
1859 1864
1860 1865 if (!(tcpflags & TH_ACK)) { /* Pretend an ack was sent */
1861 1866 ack = tdata->td_end;
1862 1867 } else if (((tcpflags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) &&
1863 1868 (ack == 0)) {
1864 1869 /* gross hack to get around certain broken tcp stacks */
1865 1870 ack = tdata->td_end;
1866 1871 }
1867 1872
1868 1873 maxwin = tdata->td_maxwin;
1869 1874 ackskew = tdata->td_end - ack;
1870 1875
1871 1876 /*
1872 1877 * Strict sequencing only allows in-order delivery.
1873 1878 */
1874 1879 if ((flags & IS_STRICT) != 0) {
1875 1880 if (seq != fdata->td_end) {
1876 1881 DTRACE_PROBE(strict_check);
1877 1882 return 0;
1878 1883 }
1879 1884 }
1880 1885
1881 1886 #define SEQ_GE(a,b) ((int)((a) - (b)) >= 0)
1882 1887 #define SEQ_GT(a,b) ((int)((a) - (b)) > 0)
1883 1888 inseq = 0;
1884 1889 DTRACE_PROBE4(
1885 1890 dyn_params,
1886 1891 int, dsize,
1887 1892 int, ackskew,
1888 1893 int, maxwin,
1889 1894 int, win
1890 1895 );
1891 1896 if (
1892 1897 #if defined(_KERNEL)
1893 1898 /*
1894 1899 * end <-> s + n
1895 1900 * maxend <-> ack + win
1896 1901 * this is upperbound check
1897 1902 */
1898 1903 (SEQ_GE(fdata->td_maxend, end)) &&
1899 1904 /*
1900 1905 * this is lowerbound check
1901 1906 */
1902 1907 (SEQ_GE(seq, fdata->td_end - maxwin)) &&
1903 1908 #endif
1904 1909 /* XXX what about big packets */
1905 1910 #define MAXACKWINDOW 66000
1906 1911 (-ackskew <= (MAXACKWINDOW)) &&
1907 1912 ( ackskew <= (MAXACKWINDOW << fdata->td_winscale))) {
1908 1913 inseq = 1;
1909 1914 /*
1910 1915 * Microsoft Windows will send the next packet to the right of the
1911 1916 * window if SACK is in use.
1912 1917 */
1913 1918 } else if ((seq == fdata->td_maxend) && (ackskew == 0) &&
1914 1919 (fdata->td_winflags & TCP_SACK_PERMIT) &&
1915 1920 (tdata->td_winflags & TCP_SACK_PERMIT)) {
1916 1921 inseq = 1;
1917 1922 /*
1918 1923 * RST ACK with SEQ equal to 0 is sent by some OSes (i.e. Solaris) as a
1919 1924 * response to initial SYN packet, when there is no application
1920 1925 * listeing to on a port, where the SYN packet has came to.
1921 1926 */
1922 1927 } else if ((seq == 0) && (tcpflags == (TH_RST|TH_ACK)) &&
1923 1928 (ackskew >= -1) && (ackskew <= 1)) {
1924 1929 inseq = 1;
1925 1930 } else if (!(flags & IS_TCPFSM)) {
1926 1931
1927 1932 if (!(fdata->td_winflags &
1928 1933 (TCP_WSCALE_SEEN|TCP_WSCALE_FIRST))) {
1929 1934 /*
1930 1935 * No TCPFSM and no window scaling, so make some
1931 1936 * extra guesses.
1932 1937 */
1933 1938 if ((seq == fdata->td_maxend) && (ackskew == 0))
1934 1939 inseq = 1;
1935 1940 else if (SEQ_GE(seq + maxwin, fdata->td_end - maxwin))
1936 1941 inseq = 1;
1937 1942 }
1938 1943 }
1939 1944
1940 1945 if (inseq) {
1941 1946 /* if ackskew < 0 then this should be due to fragmented
1942 1947 * packets. There is no way to know the length of the
1943 1948 * total packet in advance.
1944 1949 * We do know the total length from the fragment cache though.
1945 1950 * Note however that there might be more sessions with
1946 1951 * exactly the same source and destination parameters in the
1947 1952 * state cache (and source and destination is the only stuff
1948 1953 * that is saved in the fragment cache). Note further that
1949 1954 * some TCP connections in the state cache are hashed with
1950 1955 * sport and dport as well which makes it not worthwhile to
1951 1956 * look for them.
1952 1957 * Thus, when ackskew is negative but still seems to belong
1953 1958 * to this session, we bump up the destinations end value.
1954 1959 */
1955 1960 if (ackskew < 0) {
1956 1961 DTRACE_PROBE2(end_update_td,
1957 1962 int, tdata->td_end,
1958 1963 int, ack
1959 1964 );
1960 1965 tdata->td_end = ack;
1961 1966 }
1962 1967
1963 1968 /* update max window seen */
1964 1969 if (fdata->td_maxwin < win) {
1965 1970 DTRACE_PROBE2(win_update_fd,
1966 1971 int, fdata->td_maxwin,
1967 1972 int, win
1968 1973 );
1969 1974 fdata->td_maxwin = win;
1970 1975 }
1971 1976
1972 1977 if (SEQ_GT(end, fdata->td_end)) {
1973 1978 DTRACE_PROBE2(end_update_fd,
1974 1979 int, fdata->td_end,
1975 1980 int, end
1976 1981 );
1977 1982 fdata->td_end = end;
1978 1983 }
1979 1984
1980 1985 if (SEQ_GE(ack + win, tdata->td_maxend)) {
1981 1986 DTRACE_PROBE2(max_end_update_td,
1982 1987 int, tdata->td_maxend,
1983 1988 int, ack + win
1984 1989 );
1985 1990 tdata->td_maxend = ack + win;
1986 1991 }
1987 1992
1988 1993 return 1;
1989 1994 }
1990 1995 fin->fin_flx |= FI_OOW;
1991 1996
1992 1997 #if defined(_KERNEL)
1993 1998 if (!(SEQ_GE(seq, fdata->td_end - maxwin)))
1994 1999 fin->fin_flx |= FI_NEG_OOW;
1995 2000 #endif
1996 2001
1997 2002 return 0;
1998 2003 }
1999 2004
2000 2005
2001 2006 /* ------------------------------------------------------------------------ */
2002 2007 /* Function: fr_stclone */
2003 2008 /* Returns: ipstate_t* - NULL == cloning failed, */
2004 2009 /* else pointer to new state structure */
2005 2010 /* Parameters: fin(I) - pointer to packet information */
2006 2011 /* tcp(I) - pointer to TCP/UDP header */
2007 2012 /* is(I) - pointer to master state structure */
2008 2013 /* */
2009 2014 /* Create a "duplcate" state table entry from the master. */
2010 2015 /* ------------------------------------------------------------------------ */
2011 2016 static ipstate_t *fr_stclone(fin, tcp, is)
2012 2017 fr_info_t *fin;
2013 2018 tcphdr_t *tcp;
2014 2019 ipstate_t *is;
2015 2020 {
2016 2021 ipstate_t *clone;
2017 2022 u_32_t send;
2018 2023 ipf_stack_t *ifs = fin->fin_ifs;
2019 2024
2020 2025 /*
2021 2026 * Trigger automatic call to fr_state_flush() if the
2022 2027 * table has reached capacity specified by hi watermark.
2023 2028 */
2024 2029 if (ST_TAB_WATER_LEVEL(ifs) > ifs->ifs_state_flush_level_hi)
2025 2030 ifs->ifs_fr_state_doflush = 1;
2026 2031
2027 2032 /*
2028 2033 * If automatic flushing did not do its job, and the table
2029 2034 * has filled up, don't try to create a new entry. A NULL
2030 2035 * return will indicate that the cloning has failed.
2031 2036 */
2032 2037 if (ifs->ifs_ips_num >= ifs->ifs_fr_statemax) {
2033 2038 ATOMIC_INCL(ifs->ifs_ips_stats.iss_max);
2034 2039 return NULL;
2035 2040 }
2036 2041
2037 2042 KMALLOC(clone, ipstate_t *);
2038 2043 if (clone == NULL)
2039 2044 return NULL;
2040 2045 bcopy((char *)is, (char *)clone, sizeof(*clone));
2041 2046
2042 2047 MUTEX_NUKE(&clone->is_lock);
2043 2048
2044 2049 clone->is_die = ONE_DAY + ifs->ifs_fr_ticks;
2045 2050 clone->is_state[0] = 0;
2046 2051 clone->is_state[1] = 0;
2047 2052 send = ntohl(tcp->th_seq) + fin->fin_dlen - (TCP_OFF(tcp) << 2) +
2048 2053 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
2049 2054 ((tcp->th_flags & TH_FIN) ? 1 : 0);
2050 2055
2051 2056 if (fin->fin_rev == 1) {
2052 2057 clone->is_dend = send;
2053 2058 clone->is_maxdend = send;
2054 2059 clone->is_send = 0;
2055 2060 clone->is_maxswin = 1;
2056 2061 clone->is_maxdwin = ntohs(tcp->th_win);
2057 2062 if (clone->is_maxdwin == 0)
2058 2063 clone->is_maxdwin = 1;
2059 2064 } else {
2060 2065 clone->is_send = send;
2061 2066 clone->is_maxsend = send;
2062 2067 clone->is_dend = 0;
2063 2068 clone->is_maxdwin = 1;
2064 2069 clone->is_maxswin = ntohs(tcp->th_win);
2065 2070 if (clone->is_maxswin == 0)
2066 2071 clone->is_maxswin = 1;
2067 2072 }
2068 2073
2069 2074 clone->is_flags &= ~SI_CLONE;
2070 2075 clone->is_flags |= SI_CLONED;
2071 2076 fr_stinsert(clone, fin->fin_rev, ifs);
2072 2077 clone->is_ref = 1;
2073 2078 if (clone->is_p == IPPROTO_TCP) {
2074 2079 (void) fr_tcp_age(&clone->is_sti, fin, ifs->ifs_ips_tqtqb,
2075 2080 clone->is_flags);
2076 2081 }
2077 2082 MUTEX_EXIT(&clone->is_lock);
2078 2083 #ifdef IPFILTER_SCAN
2079 2084 (void) ipsc_attachis(is);
2080 2085 #endif
2081 2086 #ifdef IPFILTER_SYNC
2082 2087 if (is->is_flags & IS_STATESYNC)
2083 2088 clone->is_sync = ipfsync_new(SMC_STATE, fin, clone);
2084 2089 #endif
2085 2090 return clone;
2086 2091 }
2087 2092
2088 2093
2089 2094 /* ------------------------------------------------------------------------ */
2090 2095 /* Function: fr_matchsrcdst */
2091 2096 /* Returns: Nil */
2092 2097 /* Parameters: fin(I) - pointer to packet information */
2093 2098 /* is(I) - pointer to state structure */
2094 2099 /* src(I) - pointer to source address */
2095 2100 /* dst(I) - pointer to destination address */
2096 2101 /* tcp(I) - pointer to TCP/UDP header */
2097 2102 /* */
2098 2103 /* Match a state table entry against an IP packet. The logic below is that */
2099 2104 /* ret gets set to one if the match succeeds, else remains 0. If it is */
2100 2105 /* still 0 after the test. no match. */
2101 2106 /* ------------------------------------------------------------------------ */
2102 2107 static ipstate_t *fr_matchsrcdst(fin, is, src, dst, tcp, cmask)
2103 2108 fr_info_t *fin;
2104 2109 ipstate_t *is;
2105 2110 i6addr_t *src, *dst;
2106 2111 tcphdr_t *tcp;
2107 2112 u_32_t cmask;
2108 2113 {
2109 2114 int ret = 0, rev, out, flags, flx = 0, idx;
2110 2115 u_short sp, dp;
2111 2116 u_32_t cflx;
2112 2117 void *ifp;
2113 2118 ipf_stack_t *ifs = fin->fin_ifs;
2114 2119
2115 2120 rev = IP6_NEQ(&is->is_dst, dst);
2116 2121 ifp = fin->fin_ifp;
2117 2122 out = fin->fin_out;
2118 2123 flags = is->is_flags;
2119 2124 sp = 0;
2120 2125 dp = 0;
2121 2126
2122 2127 if (tcp != NULL) {
2123 2128 sp = htons(fin->fin_sport);
2124 2129 dp = ntohs(fin->fin_dport);
2125 2130 }
2126 2131 if (!rev) {
2127 2132 if (tcp != NULL) {
2128 2133 if (!(flags & SI_W_SPORT) && (sp != is->is_sport))
2129 2134 rev = 1;
2130 2135 else if (!(flags & SI_W_DPORT) && (dp != is->is_dport))
2131 2136 rev = 1;
2132 2137 }
2133 2138 }
2134 2139
2135 2140 idx = (out << 1) + rev;
2136 2141
2137 2142 /*
2138 2143 * If the interface for this 'direction' is set, make sure it matches.
2139 2144 * An interface name that is not set matches any, as does a name of *.
2140 2145 */
2141 2146 if ((is->is_ifp[idx] == NULL &&
2142 2147 (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '*')) ||
2143 2148 is->is_ifp[idx] == ifp)
2144 2149 ret = 1;
2145 2150
2146 2151 if (ret == 0) {
2147 2152 DTRACE_PROBE(no_match_on_iface);
2148 2153 return NULL;
2149 2154 }
2150 2155 ret = 0;
2151 2156
2152 2157 /*
2153 2158 * Match addresses and ports.
2154 2159 */
2155 2160 if (rev == 0) {
2156 2161 if ((IP6_EQ(&is->is_dst, dst) || (flags & SI_W_DADDR)) &&
2157 2162 (IP6_EQ(&is->is_src, src) || (flags & SI_W_SADDR))) {
2158 2163 if (tcp) {
2159 2164 if ((sp == is->is_sport || flags & SI_W_SPORT)&&
2160 2165 (dp == is->is_dport || flags & SI_W_DPORT))
2161 2166 ret = 1;
2162 2167 } else {
2163 2168 ret = 1;
2164 2169 }
2165 2170 }
2166 2171 } else {
2167 2172 if ((IP6_EQ(&is->is_dst, src) || (flags & SI_W_DADDR)) &&
2168 2173 (IP6_EQ(&is->is_src, dst) || (flags & SI_W_SADDR))) {
2169 2174 if (tcp) {
2170 2175 if ((dp == is->is_sport || flags & SI_W_SPORT)&&
2171 2176 (sp == is->is_dport || flags & SI_W_DPORT))
2172 2177 ret = 1;
2173 2178 } else {
2174 2179 ret = 1;
2175 2180 }
2176 2181 }
2177 2182 }
2178 2183
2179 2184 if (ret == 0) {
2180 2185 DTRACE_PROBE(no_match_on_addrs);
2181 2186 return NULL;
2182 2187 }
2183 2188 /*
2184 2189 * Whether or not this should be here, is questionable, but the aim
2185 2190 * is to get this out of the main line.
2186 2191 */
2187 2192 if (tcp == NULL)
2188 2193 flags = is->is_flags & ~(SI_WILDP|SI_NEWFR|SI_CLONE|SI_CLONED);
2189 2194
2190 2195 /*
2191 2196 * Only one of the source or destination address can be flaged as a
2192 2197 * wildcard. Fill in the missing address, if set.
2193 2198 * For IPv6, if the address being copied in is multicast, then
2194 2199 * don't reset the wild flag - multicast causes it to be set in the
2195 2200 * first place!
2196 2201 */
2197 2202 if ((flags & (SI_W_SADDR|SI_W_DADDR))) {
2198 2203 fr_ip_t *fi = &fin->fin_fi;
2199 2204
2200 2205 if ((flags & SI_W_SADDR) != 0) {
2201 2206 if (rev == 0) {
2202 2207 #ifdef USE_INET6
2203 2208 if (is->is_v == 6 &&
2204 2209 IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6))
2205 2210 /*EMPTY*/;
2206 2211 else
2207 2212 #endif
2208 2213 {
2209 2214 is->is_src = fi->fi_src;
2210 2215 is->is_flags &= ~SI_W_SADDR;
2211 2216 }
2212 2217 } else {
2213 2218 #ifdef USE_INET6
2214 2219 if (is->is_v == 6 &&
2215 2220 IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6))
2216 2221 /*EMPTY*/;
2217 2222 else
2218 2223 #endif
2219 2224 {
2220 2225 is->is_src = fi->fi_dst;
2221 2226 is->is_flags &= ~SI_W_SADDR;
2222 2227 }
2223 2228 }
2224 2229 } else if ((flags & SI_W_DADDR) != 0) {
2225 2230 if (rev == 0) {
2226 2231 #ifdef USE_INET6
2227 2232 if (is->is_v == 6 &&
2228 2233 IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6))
2229 2234 /*EMPTY*/;
2230 2235 else
2231 2236 #endif
2232 2237 {
2233 2238 is->is_dst = fi->fi_dst;
2234 2239 is->is_flags &= ~SI_W_DADDR;
2235 2240 }
2236 2241 } else {
2237 2242 #ifdef USE_INET6
2238 2243 if (is->is_v == 6 &&
2239 2244 IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6))
2240 2245 /*EMPTY*/;
2241 2246 else
2242 2247 #endif
2243 2248 {
2244 2249 is->is_dst = fi->fi_src;
2245 2250 is->is_flags &= ~SI_W_DADDR;
2246 2251 }
2247 2252 }
2248 2253 }
2249 2254 if ((is->is_flags & (SI_WILDA|SI_WILDP)) == 0) {
2250 2255 ATOMIC_DECL(ifs->ifs_ips_stats.iss_wild);
2251 2256 }
2252 2257 }
2253 2258
2254 2259 flx = fin->fin_flx & cmask;
2255 2260 cflx = is->is_flx[out][rev];
2256 2261
2257 2262 /*
2258 2263 * Match up any flags set from IP options.
2259 2264 */
2260 2265 if ((cflx && (flx != (cflx & cmask))) ||
2261 2266 ((fin->fin_optmsk & is->is_optmsk[rev]) != is->is_opt[rev]) ||
2262 2267 ((fin->fin_secmsk & is->is_secmsk) != is->is_sec) ||
2263 2268 ((fin->fin_auth & is->is_authmsk) != is->is_auth)) {
2264 2269 DTRACE_PROBE4(no_match_on_flags,
2265 2270 int, (cflx && (flx != (cflx & cmask))),
2266 2271 int,
2267 2272 ((fin->fin_optmsk & is->is_optmsk[rev]) != is->is_opt[rev]),
2268 2273 int, ((fin->fin_secmsk & is->is_secmsk) != is->is_sec),
2269 2274 int, ((fin->fin_auth & is->is_authmsk) != is->is_auth)
2270 2275 );
2271 2276 return NULL;
2272 2277 }
2273 2278 /*
2274 2279 * Only one of the source or destination port can be flagged as a
2275 2280 * wildcard. When filling it in, fill in a copy of the matched entry
2276 2281 * if it has the cloning flag set.
2277 2282 */
2278 2283 if ((fin->fin_flx & FI_IGNORE) != 0) {
2279 2284 fin->fin_rev = rev;
2280 2285 return is;
2281 2286 }
2282 2287
2283 2288 if ((flags & (SI_W_SPORT|SI_W_DPORT))) {
2284 2289 if ((flags & SI_CLONE) != 0) {
2285 2290 ipstate_t *clone;
2286 2291
2287 2292 clone = fr_stclone(fin, tcp, is);
2288 2293 if (clone == NULL)
2289 2294 return NULL;
2290 2295 is = clone;
2291 2296 } else {
2292 2297 ATOMIC_DECL(ifs->ifs_ips_stats.iss_wild);
2293 2298 }
2294 2299
2295 2300 if ((flags & SI_W_SPORT) != 0) {
2296 2301 if (rev == 0) {
2297 2302 is->is_sport = sp;
2298 2303 is->is_send = ntohl(tcp->th_seq);
2299 2304 } else {
2300 2305 is->is_sport = dp;
2301 2306 is->is_send = ntohl(tcp->th_ack);
2302 2307 }
2303 2308 is->is_maxsend = is->is_send + 1;
2304 2309 } else if ((flags & SI_W_DPORT) != 0) {
2305 2310 if (rev == 0) {
2306 2311 is->is_dport = dp;
|
↓ open down ↓ |
770 lines elided |
↑ open up ↑ |
2307 2312 is->is_dend = ntohl(tcp->th_ack);
2308 2313 } else {
2309 2314 is->is_dport = sp;
2310 2315 is->is_dend = ntohl(tcp->th_seq);
2311 2316 }
2312 2317 is->is_maxdend = is->is_dend + 1;
2313 2318 }
2314 2319 is->is_flags &= ~(SI_W_SPORT|SI_W_DPORT);
2315 2320 if ((flags & SI_CLONED) && ifs->ifs_ipstate_logging)
2316 2321 ipstate_log(is, ISL_CLONE, ifs);
2322 + if ((flags & SI_CLONED) && IFS_CFWLOG(ifs, is->is_rule))
2323 + ipf_log_cfwlog(is, ISL_CLONE, ifs);
2317 2324 }
2318 2325
2319 2326 ret = -1;
2320 2327
2321 2328 if (is->is_flx[out][rev] == 0) {
2322 2329 is->is_flx[out][rev] = flx;
2323 2330 /*
2324 2331 * If we are dealing with the first packet coming in reverse
2325 2332 * direction (sent by peer), then we have to set options into
2326 2333 * state.
2327 2334 */
2328 2335 if (rev == 1 && is->is_optmsk[1] == 0x0) {
2329 2336 is->is_optmsk[1] = 0xffffffff;
2330 2337 is->is_opt[1] = fin->fin_optmsk;
2331 2338 DTRACE_PROBE(set_rev_opts);
2332 2339 }
2333 2340 if (is->is_v == 6) {
2334 2341 is->is_opt[rev] &= ~0x8;
2335 2342 is->is_optmsk[rev] &= ~0x8;
2336 2343 }
2337 2344 }
2338 2345
2339 2346 /*
2340 2347 * Check if the interface name for this "direction" is set and if not,
2341 2348 * fill it in.
2342 2349 */
2343 2350 if (is->is_ifp[idx] == NULL &&
2344 2351 (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '*')) {
2345 2352 is->is_ifp[idx] = ifp;
2346 2353 COPYIFNAME(ifp, is->is_ifname[idx], fin->fin_v);
2347 2354 }
2348 2355 fin->fin_rev = rev;
2349 2356 return is;
2350 2357 }
2351 2358
2352 2359
2353 2360 /* ------------------------------------------------------------------------ */
2354 2361 /* Function: fr_checkicmpmatchingstate */
2355 2362 /* Returns: Nil */
2356 2363 /* Parameters: fin(I) - pointer to packet information */
2357 2364 /* */
2358 2365 /* If we've got an ICMP error message, using the information stored in the */
2359 2366 /* ICMP packet, look for a matching state table entry. */
2360 2367 /* */
2361 2368 /* If we return NULL then no lock on ipf_state is held. */
2362 2369 /* If we return non-null then a read-lock on ipf_state is held. */
2363 2370 /* ------------------------------------------------------------------------ */
2364 2371 static ipstate_t *fr_checkicmpmatchingstate(fin)
2365 2372 fr_info_t *fin;
2366 2373 {
2367 2374 ipstate_t *is, **isp;
2368 2375 u_short sport, dport;
2369 2376 u_char pr;
2370 2377 int backward, i, oi;
2371 2378 i6addr_t dst, src;
2372 2379 struct icmp *ic;
2373 2380 u_short savelen;
2374 2381 icmphdr_t *icmp;
2375 2382 fr_info_t ofin;
2376 2383 tcphdr_t *tcp;
2377 2384 int len;
2378 2385 ip_t *oip;
2379 2386 u_int hv;
2380 2387 ipf_stack_t *ifs = fin->fin_ifs;
2381 2388
2382 2389 /*
2383 2390 * Does it at least have the return (basic) IP header ?
2384 2391 * Is it an actual recognised ICMP error type?
2385 2392 * Only a basic IP header (no options) should be with
2386 2393 * an ICMP error header.
2387 2394 */
2388 2395 if ((fin->fin_v != 4) || (fin->fin_hlen != sizeof(ip_t)) ||
2389 2396 (fin->fin_plen < ICMPERR_MINPKTLEN) ||
2390 2397 !(fin->fin_flx & FI_ICMPERR))
2391 2398 return NULL;
2392 2399 ic = fin->fin_dp;
2393 2400
2394 2401 oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN);
2395 2402 /*
2396 2403 * Check if the at least the old IP header (with options) and
2397 2404 * 8 bytes of payload is present.
2398 2405 */
2399 2406 if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((IP_HL(oip) - 5) << 2))
2400 2407 return NULL;
2401 2408
2402 2409 /*
2403 2410 * Sanity Checks.
2404 2411 */
2405 2412 len = fin->fin_dlen - ICMPERR_ICMPHLEN;
2406 2413 if ((len <= 0) || ((IP_HL(oip) << 2) > len))
2407 2414 return NULL;
2408 2415
2409 2416 /*
2410 2417 * Is the buffer big enough for all of it ? It's the size of the IP
2411 2418 * header claimed in the encapsulated part which is of concern. It
2412 2419 * may be too big to be in this buffer but not so big that it's
2413 2420 * outside the ICMP packet, leading to TCP deref's causing problems.
2414 2421 * This is possible because we don't know how big oip_hl is when we
2415 2422 * do the pullup early in fr_check() and thus can't guarantee it is
2416 2423 * all here now.
2417 2424 */
2418 2425 #ifdef _KERNEL
2419 2426 {
2420 2427 mb_t *m;
2421 2428
2422 2429 m = fin->fin_m;
2423 2430 # if defined(MENTAT)
2424 2431 if ((char *)oip + len > (char *)m->b_wptr)
2425 2432 return NULL;
2426 2433 # else
2427 2434 if ((char *)oip + len > (char *)fin->fin_ip + m->m_len)
2428 2435 return NULL;
2429 2436 # endif
2430 2437 }
2431 2438 #endif
2432 2439 bcopy((char *)fin, (char *)&ofin, sizeof(*fin));
2433 2440
2434 2441 /*
2435 2442 * in the IPv4 case we must zero the i6addr union otherwise
2436 2443 * the IP6_EQ and IP6_NEQ macros produce the wrong results because
2437 2444 * of the 'junk' in the unused part of the union
2438 2445 */
2439 2446 bzero((char *)&src, sizeof(src));
2440 2447 bzero((char *)&dst, sizeof(dst));
2441 2448
2442 2449 /*
2443 2450 * we make an fin entry to be able to feed it to
2444 2451 * matchsrcdst note that not all fields are encessary
2445 2452 * but this is the cleanest way. Note further we fill
2446 2453 * in fin_mp such that if someone uses it we'll get
2447 2454 * a kernel panic. fr_matchsrcdst does not use this.
2448 2455 *
2449 2456 * watch out here, as ip is in host order and oip in network
2450 2457 * order. Any change we make must be undone afterwards, like
2451 2458 * oip->ip_off - it is still in network byte order so fix it.
2452 2459 */
2453 2460 savelen = oip->ip_len;
2454 2461 oip->ip_len = len;
2455 2462 oip->ip_off = ntohs(oip->ip_off);
2456 2463
2457 2464 ofin.fin_flx = FI_NOCKSUM;
2458 2465 ofin.fin_v = 4;
2459 2466 ofin.fin_ip = oip;
2460 2467 ofin.fin_m = NULL; /* if dereferenced, panic XXX */
2461 2468 ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
2462 2469 ofin.fin_plen = fin->fin_dlen - ICMPERR_ICMPHLEN;
2463 2470 (void) fr_makefrip(IP_HL(oip) << 2, oip, &ofin);
2464 2471 ofin.fin_ifp = fin->fin_ifp;
2465 2472 ofin.fin_out = !fin->fin_out;
2466 2473 /*
2467 2474 * Reset the short and bad flag here because in fr_matchsrcdst()
2468 2475 * the flags for the current packet (fin_flx) are compared against
2469 2476 * those for the existing session.
2470 2477 */
2471 2478 ofin.fin_flx &= ~(FI_BAD|FI_SHORT);
2472 2479
2473 2480 /*
2474 2481 * Put old values of ip_len and ip_off back as we don't know
2475 2482 * if we have to forward the packet (or process it again.
2476 2483 */
2477 2484 oip->ip_len = savelen;
2478 2485 oip->ip_off = htons(oip->ip_off);
2479 2486
2480 2487 switch (oip->ip_p)
2481 2488 {
2482 2489 case IPPROTO_ICMP :
2483 2490 /*
2484 2491 * an ICMP error can only be generated as a result of an
2485 2492 * ICMP query, not as the response on an ICMP error
2486 2493 *
2487 2494 * XXX theoretically ICMP_ECHOREP and the other reply's are
2488 2495 * ICMP query's as well, but adding them here seems strange XXX
2489 2496 */
2490 2497 if ((ofin.fin_flx & FI_ICMPERR) != 0)
2491 2498 return NULL;
2492 2499
2493 2500 /*
2494 2501 * perform a lookup of the ICMP packet in the state table
2495 2502 */
2496 2503 icmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2));
2497 2504 hv = (pr = oip->ip_p);
2498 2505 src.in4 = oip->ip_src;
2499 2506 hv += src.in4.s_addr;
2500 2507 dst.in4 = oip->ip_dst;
2501 2508 hv += dst.in4.s_addr;
2502 2509 hv += icmp->icmp_id;
2503 2510 hv = DOUBLE_HASH(hv, ifs);
2504 2511
2505 2512 READ_ENTER(&ifs->ifs_ipf_state);
2506 2513 for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
2507 2514 isp = &is->is_hnext;
2508 2515 if ((is->is_p != pr) || (is->is_v != 4))
2509 2516 continue;
2510 2517 if (is->is_pass & FR_NOICMPERR)
2511 2518 continue;
2512 2519 is = fr_matchsrcdst(&ofin, is, &src, &dst,
2513 2520 NULL, FI_ICMPCMP);
2514 2521 if (is != NULL) {
2515 2522 if ((is->is_pass & FR_NOICMPERR) != 0) {
2516 2523 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2517 2524 return NULL;
2518 2525 }
2519 2526 /*
2520 2527 * i : the index of this packet (the icmp
2521 2528 * unreachable)
2522 2529 * oi : the index of the original packet found
2523 2530 * in the icmp header (i.e. the packet
2524 2531 * causing this icmp)
2525 2532 * backward : original packet was backward
2526 2533 * compared to the state
2527 2534 */
2528 2535 backward = IP6_NEQ(&is->is_src, &src);
2529 2536 fin->fin_rev = !backward;
2530 2537 i = (!backward << 1) + fin->fin_out;
2531 2538 oi = (backward << 1) + ofin.fin_out;
2532 2539 if (is->is_icmppkts[i] > is->is_pkts[oi])
2533 2540 continue;
2534 2541 ifs->ifs_ips_stats.iss_hits++;
2535 2542 is->is_icmppkts[i]++;
2536 2543 return is;
2537 2544 }
2538 2545 }
2539 2546 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2540 2547 return NULL;
2541 2548 case IPPROTO_TCP :
2542 2549 case IPPROTO_UDP :
2543 2550 break;
2544 2551 default :
2545 2552 return NULL;
2546 2553 }
2547 2554
2548 2555 tcp = (tcphdr_t *)((char *)oip + (IP_HL(oip) << 2));
2549 2556 dport = tcp->th_dport;
2550 2557 sport = tcp->th_sport;
2551 2558
2552 2559 hv = (pr = oip->ip_p);
2553 2560 src.in4 = oip->ip_src;
2554 2561 hv += src.in4.s_addr;
2555 2562 dst.in4 = oip->ip_dst;
2556 2563 hv += dst.in4.s_addr;
2557 2564 hv += dport;
2558 2565 hv += sport;
2559 2566 hv = DOUBLE_HASH(hv, ifs);
2560 2567
2561 2568 READ_ENTER(&ifs->ifs_ipf_state);
2562 2569 for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
2563 2570 isp = &is->is_hnext;
2564 2571 /*
2565 2572 * Only allow this icmp though if the
2566 2573 * encapsulated packet was allowed through the
2567 2574 * other way around. Note that the minimal amount
2568 2575 * of info present does not allow for checking against
2569 2576 * tcp internals such as seq and ack numbers. Only the
2570 2577 * ports are known to be present and can be even if the
2571 2578 * short flag is set.
2572 2579 */
2573 2580 if ((is->is_p == pr) && (is->is_v == 4) &&
2574 2581 (is = fr_matchsrcdst(&ofin, is, &src, &dst,
2575 2582 tcp, FI_ICMPCMP))) {
2576 2583 /*
2577 2584 * i : the index of this packet (the icmp unreachable)
2578 2585 * oi : the index of the original packet found in the
2579 2586 * icmp header (i.e. the packet causing this icmp)
2580 2587 * backward : original packet was backward compared to
2581 2588 * the state
2582 2589 */
2583 2590 backward = IP6_NEQ(&is->is_src, &src);
2584 2591 fin->fin_rev = !backward;
2585 2592 i = (!backward << 1) + fin->fin_out;
2586 2593 oi = (backward << 1) + ofin.fin_out;
2587 2594
2588 2595 if (((is->is_pass & FR_NOICMPERR) != 0) ||
2589 2596 (is->is_icmppkts[i] > is->is_pkts[oi]))
2590 2597 break;
2591 2598 ifs->ifs_ips_stats.iss_hits++;
2592 2599 is->is_icmppkts[i]++;
2593 2600 /*
2594 2601 * we deliberately do not touch the timeouts
2595 2602 * for the accompanying state table entry.
2596 2603 * It remains to be seen if that is correct. XXX
2597 2604 */
2598 2605 return is;
2599 2606 }
2600 2607 }
2601 2608 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2602 2609 return NULL;
2603 2610 }
2604 2611
2605 2612
2606 2613 /* ------------------------------------------------------------------------ */
2607 2614 /* Function: fr_ipsmove */
2608 2615 /* Returns: Nil */
2609 2616 /* Parameters: is(I) - pointer to state table entry */
2610 2617 /* hv(I) - new hash value for state table entry */
2611 2618 /* Write Locks: ipf_state */
2612 2619 /* */
2613 2620 /* Move a state entry from one position in the hash table to another. */
2614 2621 /* ------------------------------------------------------------------------ */
2615 2622 static void fr_ipsmove(is, hv, ifs)
2616 2623 ipstate_t *is;
2617 2624 u_int hv;
2618 2625 ipf_stack_t *ifs;
2619 2626 {
2620 2627 ipstate_t **isp;
2621 2628 u_int hvm;
2622 2629
2623 2630 ASSERT(rw_read_locked(&ifs->ifs_ipf_state.ipf_lk) == 0);
2624 2631
2625 2632 hvm = is->is_hv;
2626 2633 /*
2627 2634 * Remove the hash from the old location...
2628 2635 */
2629 2636 isp = is->is_phnext;
2630 2637 if (is->is_hnext)
2631 2638 is->is_hnext->is_phnext = isp;
2632 2639 *isp = is->is_hnext;
2633 2640 if (ifs->ifs_ips_table[hvm] == NULL)
2634 2641 ifs->ifs_ips_stats.iss_inuse--;
2635 2642 ifs->ifs_ips_stats.iss_bucketlen[hvm]--;
2636 2643
2637 2644 /*
2638 2645 * ...and put the hash in the new one.
2639 2646 */
2640 2647 hvm = DOUBLE_HASH(hv, ifs);
2641 2648 is->is_hv = hvm;
2642 2649 isp = &ifs->ifs_ips_table[hvm];
2643 2650 if (*isp)
2644 2651 (*isp)->is_phnext = &is->is_hnext;
2645 2652 else
2646 2653 ifs->ifs_ips_stats.iss_inuse++;
2647 2654 ifs->ifs_ips_stats.iss_bucketlen[hvm]++;
2648 2655 is->is_phnext = isp;
2649 2656 is->is_hnext = *isp;
2650 2657 *isp = is;
2651 2658 }
2652 2659
2653 2660
2654 2661 /* ------------------------------------------------------------------------ */
2655 2662 /* Function: fr_stlookup */
2656 2663 /* Returns: ipstate_t* - NULL == no matching state found, */
2657 2664 /* else pointer to state information is returned */
2658 2665 /* Parameters: fin(I) - pointer to packet information */
2659 2666 /* tcp(I) - pointer to TCP/UDP header. */
2660 2667 /* */
2661 2668 /* Search the state table for a matching entry to the packet described by */
2662 2669 /* the contents of *fin. */
2663 2670 /* */
2664 2671 /* If we return NULL then no lock on ipf_state is held. */
2665 2672 /* If we return non-null then a read-lock on ipf_state is held. */
2666 2673 /* ------------------------------------------------------------------------ */
2667 2674 ipstate_t *fr_stlookup(fin, tcp, ifqp)
2668 2675 fr_info_t *fin;
2669 2676 tcphdr_t *tcp;
2670 2677 ipftq_t **ifqp;
2671 2678 {
2672 2679 u_int hv, hvm, pr, v, tryagain;
2673 2680 ipstate_t *is, **isp;
2674 2681 u_short dport, sport;
2675 2682 i6addr_t src, dst;
2676 2683 struct icmp *ic;
2677 2684 ipftq_t *ifq;
2678 2685 int oow;
2679 2686 ipf_stack_t *ifs = fin->fin_ifs;
2680 2687
2681 2688 is = NULL;
2682 2689 ifq = NULL;
2683 2690 tcp = fin->fin_dp;
2684 2691 ic = (struct icmp *)tcp;
2685 2692 hv = (pr = fin->fin_fi.fi_p);
2686 2693 src = fin->fin_fi.fi_src;
2687 2694 dst = fin->fin_fi.fi_dst;
2688 2695 hv += src.in4.s_addr;
2689 2696 hv += dst.in4.s_addr;
2690 2697
2691 2698 v = fin->fin_fi.fi_v;
2692 2699 #ifdef USE_INET6
2693 2700 if (v == 6) {
2694 2701 hv += fin->fin_fi.fi_src.i6[1];
2695 2702 hv += fin->fin_fi.fi_src.i6[2];
2696 2703 hv += fin->fin_fi.fi_src.i6[3];
2697 2704
2698 2705 if ((fin->fin_p == IPPROTO_ICMPV6) &&
2699 2706 IN6_IS_ADDR_MULTICAST(&fin->fin_fi.fi_dst.in6)) {
2700 2707 hv -= dst.in4.s_addr;
2701 2708 } else {
2702 2709 hv += fin->fin_fi.fi_dst.i6[1];
2703 2710 hv += fin->fin_fi.fi_dst.i6[2];
2704 2711 hv += fin->fin_fi.fi_dst.i6[3];
2705 2712 }
2706 2713 }
2707 2714 #endif
2708 2715 if ((v == 4) &&
2709 2716 (fin->fin_flx & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST))) {
2710 2717 if (fin->fin_out == 0) {
2711 2718 hv -= src.in4.s_addr;
2712 2719 } else {
2713 2720 hv -= dst.in4.s_addr;
2714 2721 }
2715 2722 }
2716 2723
2717 2724 /*
2718 2725 * Search the hash table for matching packet header info.
2719 2726 */
2720 2727 switch (pr)
2721 2728 {
2722 2729 #ifdef USE_INET6
2723 2730 case IPPROTO_ICMPV6 :
2724 2731 tryagain = 0;
2725 2732 if (v == 6) {
2726 2733 if ((ic->icmp_type == ICMP6_ECHO_REQUEST) ||
2727 2734 (ic->icmp_type == ICMP6_ECHO_REPLY)) {
2728 2735 hv += ic->icmp_id;
2729 2736 }
2730 2737 }
2731 2738 READ_ENTER(&ifs->ifs_ipf_state);
2732 2739 icmp6again:
2733 2740 hvm = DOUBLE_HASH(hv, ifs);
2734 2741 for (isp = &ifs->ifs_ips_table[hvm]; ((is = *isp) != NULL); ) {
2735 2742 isp = &is->is_hnext;
2736 2743 if ((is->is_p != pr) || (is->is_v != v))
2737 2744 continue;
2738 2745 is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2739 2746 if (is != NULL &&
2740 2747 fr_matchicmpqueryreply(v, &is->is_icmp,
2741 2748 ic, fin->fin_rev)) {
2742 2749 if (fin->fin_rev)
2743 2750 ifq = &ifs->ifs_ips_icmpacktq;
2744 2751 else
2745 2752 ifq = &ifs->ifs_ips_icmptq;
2746 2753 break;
2747 2754 }
2748 2755 }
2749 2756
2750 2757 if (is != NULL) {
2751 2758 if ((tryagain != 0) && !(is->is_flags & SI_W_DADDR)) {
2752 2759 hv += fin->fin_fi.fi_src.i6[0];
2753 2760 hv += fin->fin_fi.fi_src.i6[1];
2754 2761 hv += fin->fin_fi.fi_src.i6[2];
2755 2762 hv += fin->fin_fi.fi_src.i6[3];
2756 2763 fr_ipsmove(is, hv, ifs);
2757 2764 MUTEX_DOWNGRADE(&ifs->ifs_ipf_state);
2758 2765 }
2759 2766 break;
2760 2767 }
2761 2768 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2762 2769
2763 2770 /*
2764 2771 * No matching icmp state entry. Perhaps this is a
2765 2772 * response to another state entry.
2766 2773 *
2767 2774 * XXX With some ICMP6 packets, the "other" address is already
2768 2775 * in the packet, after the ICMP6 header, and this could be
2769 2776 * used in place of the multicast address. However, taking
2770 2777 * advantage of this requires some significant code changes
2771 2778 * to handle the specific types where that is the case.
2772 2779 */
2773 2780 if ((ifs->ifs_ips_stats.iss_wild != 0) && (v == 6) && (tryagain == 0) &&
2774 2781 !IN6_IS_ADDR_MULTICAST(&fin->fin_fi.fi_src.in6)) {
2775 2782 hv -= fin->fin_fi.fi_src.i6[0];
2776 2783 hv -= fin->fin_fi.fi_src.i6[1];
2777 2784 hv -= fin->fin_fi.fi_src.i6[2];
2778 2785 hv -= fin->fin_fi.fi_src.i6[3];
2779 2786 tryagain = 1;
2780 2787 WRITE_ENTER(&ifs->ifs_ipf_state);
2781 2788 goto icmp6again;
2782 2789 }
2783 2790
2784 2791 is = fr_checkicmp6matchingstate(fin);
2785 2792 if (is != NULL)
2786 2793 return is;
2787 2794 break;
2788 2795 #endif
2789 2796
2790 2797 case IPPROTO_ICMP :
2791 2798 if (v == 4) {
2792 2799 hv += ic->icmp_id;
2793 2800 }
2794 2801 hv = DOUBLE_HASH(hv, ifs);
2795 2802 READ_ENTER(&ifs->ifs_ipf_state);
2796 2803 for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
2797 2804 isp = &is->is_hnext;
2798 2805 if ((is->is_p != pr) || (is->is_v != v))
2799 2806 continue;
2800 2807 is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2801 2808 if (is != NULL &&
2802 2809 fr_matchicmpqueryreply(v, &is->is_icmp,
2803 2810 ic, fin->fin_rev)) {
2804 2811 if (fin->fin_rev)
2805 2812 ifq = &ifs->ifs_ips_icmpacktq;
2806 2813 else
2807 2814 ifq = &ifs->ifs_ips_icmptq;
2808 2815 break;
2809 2816 }
2810 2817 }
2811 2818 if (is == NULL) {
2812 2819 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2813 2820 }
2814 2821 break;
2815 2822
2816 2823 case IPPROTO_TCP :
2817 2824 case IPPROTO_UDP :
2818 2825 ifqp = NULL;
2819 2826 sport = htons(fin->fin_data[0]);
2820 2827 hv += sport;
2821 2828 dport = htons(fin->fin_data[1]);
2822 2829 hv += dport;
2823 2830 oow = 0;
2824 2831 tryagain = 0;
2825 2832 READ_ENTER(&ifs->ifs_ipf_state);
2826 2833 retry_tcpudp:
2827 2834 hvm = DOUBLE_HASH(hv, ifs);
2828 2835 for (isp = &ifs->ifs_ips_table[hvm]; ((is = *isp) != NULL); ) {
2829 2836 isp = &is->is_hnext;
2830 2837 if ((is->is_p != pr) || (is->is_v != v))
2831 2838 continue;
2832 2839 fin->fin_flx &= ~FI_OOW;
2833 2840 is = fr_matchsrcdst(fin, is, &src, &dst, tcp, FI_CMP);
2834 2841 if (is != NULL) {
2835 2842 if (pr == IPPROTO_TCP) {
2836 2843 if (!fr_tcpstate(fin, tcp, is)) {
2837 2844 oow |= fin->fin_flx & FI_OOW;
2838 2845 continue;
2839 2846 }
2840 2847 }
2841 2848 break;
2842 2849 }
2843 2850 }
2844 2851 if (is != NULL) {
2845 2852 if (tryagain &&
2846 2853 !(is->is_flags & (SI_CLONE|SI_WILDP|SI_WILDA))) {
2847 2854 hv += dport;
2848 2855 hv += sport;
2849 2856 fr_ipsmove(is, hv, ifs);
2850 2857 MUTEX_DOWNGRADE(&ifs->ifs_ipf_state);
2851 2858 }
2852 2859 break;
2853 2860 }
2854 2861 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2855 2862
2856 2863 if (ifs->ifs_ips_stats.iss_wild) {
2857 2864 if (tryagain == 0) {
2858 2865 hv -= dport;
2859 2866 hv -= sport;
2860 2867 } else if (tryagain == 1) {
2861 2868 hv = fin->fin_fi.fi_p;
2862 2869 /*
2863 2870 * If we try to pretend this is a reply to a
2864 2871 * multicast/broadcast packet then we need to
2865 2872 * exclude part of the address from the hash
2866 2873 * calculation.
2867 2874 */
2868 2875 if (fin->fin_out == 0) {
2869 2876 hv += src.in4.s_addr;
2870 2877 } else {
2871 2878 hv += dst.in4.s_addr;
2872 2879 }
2873 2880 hv += dport;
2874 2881 hv += sport;
2875 2882 }
2876 2883 tryagain++;
2877 2884 if (tryagain <= 2) {
2878 2885 WRITE_ENTER(&ifs->ifs_ipf_state);
2879 2886 goto retry_tcpudp;
2880 2887 }
2881 2888 }
2882 2889 fin->fin_flx |= oow;
2883 2890 break;
2884 2891
2885 2892 #if 0
2886 2893 case IPPROTO_GRE :
2887 2894 gre = fin->fin_dp;
2888 2895 if (GRE_REV(gre->gr_flags) == 1) {
2889 2896 hv += gre->gr_call;
2890 2897 }
2891 2898 /* FALLTHROUGH */
2892 2899 #endif
2893 2900 default :
2894 2901 ifqp = NULL;
2895 2902 hvm = DOUBLE_HASH(hv, ifs);
2896 2903 READ_ENTER(&ifs->ifs_ipf_state);
2897 2904 for (isp = &ifs->ifs_ips_table[hvm]; ((is = *isp) != NULL); ) {
2898 2905 isp = &is->is_hnext;
2899 2906 if ((is->is_p != pr) || (is->is_v != v))
2900 2907 continue;
2901 2908 is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2902 2909 if (is != NULL) {
2903 2910 ifq = &ifs->ifs_ips_iptq;
2904 2911 break;
2905 2912 }
2906 2913 }
2907 2914 if (is == NULL) {
2908 2915 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2909 2916 }
2910 2917 break;
2911 2918 }
2912 2919
2913 2920 if ((is != NULL) && ((is->is_sti.tqe_flags & TQE_RULEBASED) != 0) &&
2914 2921 (is->is_tqehead[fin->fin_rev] != NULL))
2915 2922 ifq = is->is_tqehead[fin->fin_rev];
2916 2923 if (ifq != NULL && ifqp != NULL)
2917 2924 *ifqp = ifq;
2918 2925 return is;
2919 2926 }
2920 2927
2921 2928
2922 2929 /* ------------------------------------------------------------------------ */
2923 2930 /* Function: fr_updatestate */
2924 2931 /* Returns: Nil */
2925 2932 /* Parameters: fin(I) - pointer to packet information */
2926 2933 /* is(I) - pointer to state table entry */
2927 2934 /* Read Locks: ipf_state */
2928 2935 /* */
2929 2936 /* Updates packet and byte counters for a newly received packet. Seeds the */
2930 2937 /* fragment cache with a new entry as required. */
2931 2938 /* ------------------------------------------------------------------------ */
2932 2939 void fr_updatestate(fin, is, ifq)
2933 2940 fr_info_t *fin;
2934 2941 ipstate_t *is;
2935 2942 ipftq_t *ifq;
2936 2943 {
2937 2944 ipftqent_t *tqe;
2938 2945 int i, pass;
2939 2946 ipf_stack_t *ifs = fin->fin_ifs;
2940 2947
2941 2948 i = (fin->fin_rev << 1) + fin->fin_out;
2942 2949
2943 2950 /*
2944 2951 * For TCP packets, ifq == NULL. For all others, check if this new
2945 2952 * queue is different to the last one it was on and move it if so.
2946 2953 */
2947 2954 tqe = &is->is_sti;
2948 2955 MUTEX_ENTER(&is->is_lock);
2949 2956 if ((tqe->tqe_flags & TQE_RULEBASED) != 0)
2950 2957 ifq = is->is_tqehead[fin->fin_rev];
2951 2958
2952 2959 if (ifq != NULL)
2953 2960 fr_movequeue(tqe, tqe->tqe_ifq, ifq, ifs);
2954 2961
2955 2962 is->is_pkts[i]++;
2956 2963 fin->fin_pktnum = is->is_pkts[i] + is->is_icmppkts[i];
2957 2964 is->is_bytes[i] += fin->fin_plen;
2958 2965 MUTEX_EXIT(&is->is_lock);
2959 2966
2960 2967 #ifdef IPFILTER_SYNC
2961 2968 if (is->is_flags & IS_STATESYNC)
2962 2969 ipfsync_update(SMC_STATE, fin, is->is_sync);
2963 2970 #endif
2964 2971
2965 2972 ATOMIC_INCL(ifs->ifs_ips_stats.iss_hits);
2966 2973
2967 2974 fin->fin_fr = is->is_rule;
2968 2975
2969 2976 /*
2970 2977 * If this packet is a fragment and the rule says to track fragments,
2971 2978 * then create a new fragment cache entry.
2972 2979 */
2973 2980 pass = is->is_pass;
2974 2981 if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(pass))
2975 2982 (void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
2976 2983 }
2977 2984
2978 2985
2979 2986 /* ------------------------------------------------------------------------ */
2980 2987 /* Function: fr_checkstate */
2981 2988 /* Returns: frentry_t* - NULL == search failed, */
2982 2989 /* else pointer to rule for matching state */
2983 2990 /* Parameters: ifp(I) - pointer to interface */
2984 2991 /* passp(I) - pointer to filtering result flags */
2985 2992 /* */
2986 2993 /* Check if a packet is associated with an entry in the state table. */
2987 2994 /* ------------------------------------------------------------------------ */
2988 2995 frentry_t *fr_checkstate(fin, passp)
2989 2996 fr_info_t *fin;
2990 2997 u_32_t *passp;
2991 2998 {
2992 2999 ipstate_t *is;
2993 3000 frentry_t *fr;
2994 3001 tcphdr_t *tcp;
2995 3002 ipftq_t *ifq;
2996 3003 u_int pass;
2997 3004 ipf_stack_t *ifs = fin->fin_ifs;
2998 3005
2999 3006 if (ifs->ifs_fr_state_lock || (ifs->ifs_ips_list == NULL) ||
3000 3007 (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD)))
3001 3008 return NULL;
3002 3009
3003 3010 is = NULL;
3004 3011 if ((fin->fin_flx & FI_TCPUDP) ||
3005 3012 (fin->fin_fi.fi_p == IPPROTO_ICMP)
3006 3013 #ifdef USE_INET6
3007 3014 || (fin->fin_fi.fi_p == IPPROTO_ICMPV6)
3008 3015 #endif
3009 3016 )
3010 3017 tcp = fin->fin_dp;
3011 3018 else
3012 3019 tcp = NULL;
3013 3020
3014 3021 /*
3015 3022 * Search the hash table for matching packet header info.
3016 3023 */
3017 3024 ifq = NULL;
3018 3025 is = fr_stlookup(fin, tcp, &ifq);
3019 3026 switch (fin->fin_p)
3020 3027 {
3021 3028 #ifdef USE_INET6
3022 3029 case IPPROTO_ICMPV6 :
3023 3030 if (is != NULL)
3024 3031 break;
3025 3032 if (fin->fin_v == 6) {
3026 3033 is = fr_checkicmp6matchingstate(fin);
3027 3034 if (is != NULL)
3028 3035 goto matched;
3029 3036 }
3030 3037 break;
3031 3038 #endif
3032 3039 case IPPROTO_ICMP :
3033 3040 if (is != NULL)
3034 3041 break;
3035 3042 /*
3036 3043 * No matching icmp state entry. Perhaps this is a
3037 3044 * response to another state entry.
3038 3045 */
3039 3046 is = fr_checkicmpmatchingstate(fin);
3040 3047 if (is != NULL)
3041 3048 goto matched;
3042 3049 break;
3043 3050 case IPPROTO_TCP :
3044 3051 if (is == NULL)
3045 3052 break;
3046 3053
3047 3054 if (is->is_pass & FR_NEWISN) {
3048 3055 if (fin->fin_out == 0)
3049 3056 fr_fixinisn(fin, is);
3050 3057 else if (fin->fin_out == 1)
3051 3058 fr_fixoutisn(fin, is);
3052 3059 }
3053 3060 break;
3054 3061 default :
3055 3062 if (fin->fin_rev)
3056 3063 ifq = &ifs->ifs_ips_udpacktq;
3057 3064 else
3058 3065 ifq = &ifs->ifs_ips_udptq;
3059 3066 break;
3060 3067 }
3061 3068 if (is == NULL) {
3062 3069 ATOMIC_INCL(ifs->ifs_ips_stats.iss_miss);
3063 3070 return NULL;
3064 3071 }
3065 3072
3066 3073 matched:
3067 3074 fr = is->is_rule;
3068 3075 if (fr != NULL) {
3069 3076 if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
3070 3077 if (fin->fin_nattag == NULL) {
3071 3078 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3072 3079 return NULL;
3073 3080 }
3074 3081 if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) != 0) {
3075 3082 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3076 3083 return NULL;
3077 3084 }
3078 3085 }
3079 3086 (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
3080 3087 fin->fin_icode = fr->fr_icode;
3081 3088 }
3082 3089
3083 3090 fin->fin_rule = is->is_rulen;
3084 3091 pass = is->is_pass;
3085 3092 fr_updatestate(fin, is, ifq);
3086 3093
3087 3094 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3088 3095 fin->fin_flx |= FI_STATE;
3089 3096 if ((pass & FR_LOGFIRST) != 0)
3090 3097 pass &= ~(FR_LOGFIRST|FR_LOG);
3091 3098 *passp = pass;
3092 3099 return fr;
3093 3100 }
3094 3101
3095 3102
3096 3103 /* ------------------------------------------------------------------------ */
3097 3104 /* Function: fr_fixoutisn */
3098 3105 /* Returns: Nil */
3099 3106 /* Parameters: fin(I) - pointer to packet information */
3100 3107 /* is(I) - pointer to master state structure */
3101 3108 /* */
3102 3109 /* Called only for outbound packets, adjusts the sequence number and the */
3103 3110 /* TCP checksum to match that change. */
3104 3111 /* ------------------------------------------------------------------------ */
3105 3112 static void fr_fixoutisn(fin, is)
3106 3113 fr_info_t *fin;
3107 3114 ipstate_t *is;
3108 3115 {
3109 3116 tcphdr_t *tcp;
3110 3117 int rev;
3111 3118 u_32_t seq;
3112 3119
3113 3120 tcp = fin->fin_dp;
3114 3121 rev = fin->fin_rev;
3115 3122 if ((is->is_flags & IS_ISNSYN) != 0) {
3116 3123 if (rev == 0) {
3117 3124 seq = ntohl(tcp->th_seq);
3118 3125 seq += is->is_isninc[0];
3119 3126 tcp->th_seq = htonl(seq);
3120 3127 fix_outcksum(&tcp->th_sum, is->is_sumd[0]);
3121 3128 }
3122 3129 }
3123 3130 if ((is->is_flags & IS_ISNACK) != 0) {
3124 3131 if (rev == 1) {
3125 3132 seq = ntohl(tcp->th_seq);
3126 3133 seq += is->is_isninc[1];
3127 3134 tcp->th_seq = htonl(seq);
3128 3135 fix_outcksum(&tcp->th_sum, is->is_sumd[1]);
3129 3136 }
3130 3137 }
3131 3138 }
3132 3139
3133 3140
3134 3141 /* ------------------------------------------------------------------------ */
3135 3142 /* Function: fr_fixinisn */
3136 3143 /* Returns: Nil */
3137 3144 /* Parameters: fin(I) - pointer to packet information */
3138 3145 /* is(I) - pointer to master state structure */
3139 3146 /* */
3140 3147 /* Called only for inbound packets, adjusts the acknowledge number and the */
3141 3148 /* TCP checksum to match that change. */
3142 3149 /* ------------------------------------------------------------------------ */
3143 3150 static void fr_fixinisn(fin, is)
3144 3151 fr_info_t *fin;
3145 3152 ipstate_t *is;
3146 3153 {
3147 3154 tcphdr_t *tcp;
3148 3155 int rev;
3149 3156 u_32_t ack;
3150 3157
3151 3158 tcp = fin->fin_dp;
3152 3159 rev = fin->fin_rev;
3153 3160 if ((is->is_flags & IS_ISNSYN) != 0) {
3154 3161 if (rev == 1) {
3155 3162 ack = ntohl(tcp->th_ack);
3156 3163 ack -= is->is_isninc[0];
3157 3164 tcp->th_ack = htonl(ack);
3158 3165 fix_incksum(&tcp->th_sum, is->is_sumd[0]);
3159 3166 }
3160 3167 }
3161 3168 if ((is->is_flags & IS_ISNACK) != 0) {
3162 3169 if (rev == 0) {
3163 3170 ack = ntohl(tcp->th_ack);
3164 3171 ack -= is->is_isninc[1];
3165 3172 tcp->th_ack = htonl(ack);
3166 3173 fix_incksum(&tcp->th_sum, is->is_sumd[1]);
3167 3174 }
3168 3175 }
3169 3176 }
3170 3177
3171 3178
3172 3179 /* ------------------------------------------------------------------------ */
3173 3180 /* Function: fr_statesync */
3174 3181 /* Returns: Nil */
3175 3182 /* Parameters: action(I) - type of synchronisation to do */
3176 3183 /* v(I) - IP version being sync'd (v4 or v6) */
3177 3184 /* ifp(I) - interface identifier associated with action */
3178 3185 /* name(I) - name associated with ifp parameter */
3179 3186 /* */
3180 3187 /* Walk through all state entries and if an interface pointer match is */
3181 3188 /* found then look it up again, based on its name in case the pointer has */
3182 3189 /* changed since last time. */
3183 3190 /* */
3184 3191 /* If ifp is passed in as being non-null then we are only doing updates for */
3185 3192 /* existing, matching, uses of it. */
3186 3193 /* ------------------------------------------------------------------------ */
3187 3194 void fr_statesync(action, v, ifp, name, ifs)
3188 3195 int action, v;
3189 3196 void *ifp;
3190 3197 char *name;
3191 3198 ipf_stack_t *ifs;
3192 3199 {
3193 3200 ipstate_t *is;
3194 3201 int i;
3195 3202
3196 3203 if (ifs->ifs_fr_running <= 0)
3197 3204 return;
3198 3205
3199 3206 WRITE_ENTER(&ifs->ifs_ipf_state);
3200 3207
3201 3208 if (ifs->ifs_fr_running <= 0) {
3202 3209 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3203 3210 return;
3204 3211 }
3205 3212
3206 3213 switch (action)
3207 3214 {
3208 3215 case IPFSYNC_RESYNC :
3209 3216 for (is = ifs->ifs_ips_list; is; is = is->is_next) {
3210 3217 if (v != 0 && is->is_v != v)
3211 3218 continue;
3212 3219 /*
3213 3220 * Look up all the interface names in the state entry.
3214 3221 */
3215 3222 for (i = 0; i < 4; i++) {
3216 3223 is->is_ifp[i] = fr_resolvenic(is->is_ifname[i],
3217 3224 is->is_v, ifs);
3218 3225 }
3219 3226 }
3220 3227 break;
3221 3228 case IPFSYNC_NEWIFP :
3222 3229 for (is = ifs->ifs_ips_list; is; is = is->is_next) {
3223 3230 if (v != 0 && is->is_v != v)
3224 3231 continue;
3225 3232 /*
3226 3233 * Look up all the interface names in the state entry.
3227 3234 */
3228 3235 for (i = 0; i < 4; i++) {
3229 3236 if (!strncmp(is->is_ifname[i], name,
3230 3237 sizeof(is->is_ifname[i])))
3231 3238 is->is_ifp[i] = ifp;
3232 3239 }
3233 3240 }
3234 3241 break;
3235 3242 case IPFSYNC_OLDIFP :
3236 3243 for (is = ifs->ifs_ips_list; is; is = is->is_next) {
3237 3244 if (v != 0 && is->is_v != v)
3238 3245 continue;
3239 3246 /*
3240 3247 * Look up all the interface names in the state entry.
3241 3248 */
3242 3249 for (i = 0; i < 4; i++) {
3243 3250 if (is->is_ifp[i] == ifp)
3244 3251 is->is_ifp[i] = (void *)-1;
3245 3252 }
3246 3253 }
3247 3254 break;
3248 3255 }
3249 3256 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3250 3257 }
3251 3258
3252 3259
3253 3260 #if SOLARIS2 >= 10
3254 3261 /* ------------------------------------------------------------------------ */
3255 3262 /* Function: fr_stateifindexsync */
3256 3263 /* Returns: void */
3257 3264 /* Parameters: ifp - current network interface descriptor (ifindex) */
3258 3265 /* newifp - new interface descriptor (new ifindex) */
3259 3266 /* ifs - pointer to IPF stack */
3260 3267 /* */
3261 3268 /* Write Locks: assumes ipf_mutex is locked */
3262 3269 /* */
3263 3270 /* Updates all interface indeces matching to ifp with new interface index */
3264 3271 /* value. */
3265 3272 /* ------------------------------------------------------------------------ */
3266 3273 void fr_stateifindexsync(ifp, newifp, ifs)
3267 3274 void *ifp;
3268 3275 void *newifp;
3269 3276 ipf_stack_t *ifs;
3270 3277 {
3271 3278 ipstate_t *is;
3272 3279 int i;
3273 3280
3274 3281 WRITE_ENTER(&ifs->ifs_ipf_state);
3275 3282
3276 3283 for (is = ifs->ifs_ips_list; is != NULL; is = is->is_next) {
3277 3284
3278 3285 for (i = 0; i < 4; i++) {
3279 3286 if (is->is_ifp[i] == ifp)
3280 3287 is->is_ifp[i] = newifp;
3281 3288 }
3282 3289 }
3283 3290
3284 3291 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3285 3292 }
3286 3293 #endif
3287 3294
3288 3295 /* ------------------------------------------------------------------------ */
3289 3296 /* Function: fr_delstate */
3290 3297 /* Returns: int - 0 = entry deleted, else ref count on entry */
3291 3298 /* Parameters: is(I) - pointer to state structure to delete */
3292 3299 /* why(I) - if not 0, log reason why it was deleted */
3293 3300 /* ifs - ipf stack instance */
3294 3301 /* Write Locks: ipf_state/ipf_global */
3295 3302 /* */
3296 3303 /* Deletes a state entry from the enumerated list as well as the hash table */
3297 3304 /* and timeout queue lists. Make adjustments to hash table statistics and */
3298 3305 /* global counters as required. */
3299 3306 /* ------------------------------------------------------------------------ */
3300 3307 int fr_delstate(is, why, ifs)
3301 3308 ipstate_t *is;
3302 3309 int why;
3303 3310 ipf_stack_t *ifs;
3304 3311 {
3305 3312 int removed = 0;
3306 3313
3307 3314 ASSERT(rw_write_held(&ifs->ifs_ipf_global.ipf_lk) == 0 ||
3308 3315 rw_write_held(&ifs->ifs_ipf_state.ipf_lk) == 0);
3309 3316
3310 3317 /*
3311 3318 * Start by removing the entry from the hash table of state entries
3312 3319 * so it will not be "used" again.
3313 3320 *
3314 3321 * It will remain in the "list" of state entries until all references
3315 3322 * have been accounted for.
3316 3323 */
3317 3324 if (is->is_phnext != NULL) {
3318 3325 removed = 1;
3319 3326 *is->is_phnext = is->is_hnext;
3320 3327 if (is->is_hnext != NULL)
3321 3328 is->is_hnext->is_phnext = is->is_phnext;
3322 3329 if (ifs->ifs_ips_table[is->is_hv] == NULL)
3323 3330 ifs->ifs_ips_stats.iss_inuse--;
3324 3331 ifs->ifs_ips_stats.iss_bucketlen[is->is_hv]--;
3325 3332
3326 3333 is->is_phnext = NULL;
3327 3334 is->is_hnext = NULL;
3328 3335 }
3329 3336
3330 3337 /*
3331 3338 * Because ifs->ifs_ips_stats.iss_wild is a count of entries in the state
3332 3339 * table that have wildcard flags set, only decerement it once
3333 3340 * and do it here.
3334 3341 */
3335 3342 if (is->is_flags & (SI_WILDP|SI_WILDA)) {
3336 3343 if (!(is->is_flags & SI_CLONED)) {
3337 3344 ATOMIC_DECL(ifs->ifs_ips_stats.iss_wild);
3338 3345 }
3339 3346 is->is_flags &= ~(SI_WILDP|SI_WILDA);
3340 3347 }
3341 3348
3342 3349 /*
3343 3350 * Next, remove it from the timeout queue it is in.
3344 3351 */
3345 3352 fr_deletequeueentry(&is->is_sti);
3346 3353
3347 3354 is->is_me = NULL;
3348 3355
3349 3356 /*
3350 3357 * If it is still in use by something else, do not go any further,
3351 3358 * but note that at this point it is now an orphan.
3352 3359 */
3353 3360 MUTEX_ENTER(&is->is_lock);
3354 3361 if (is->is_ref > 1) {
3355 3362 is->is_ref--;
3356 3363 MUTEX_EXIT(&is->is_lock);
3357 3364 if (removed)
3358 3365 ifs->ifs_ips_stats.iss_orphans++;
3359 3366 return (is->is_ref);
3360 3367 }
3361 3368 MUTEX_EXIT(&is->is_lock);
3362 3369
3363 3370 is->is_ref = 0;
3364 3371
3365 3372 /*
3366 3373 * If entry has already been removed from table,
3367 3374 * it means we're simply cleaning up an orphan.
3368 3375 */
3369 3376 if (!removed)
3370 3377 ifs->ifs_ips_stats.iss_orphans--;
3371 3378
3372 3379 if (is->is_tqehead[0] != NULL)
3373 3380 (void) fr_deletetimeoutqueue(is->is_tqehead[0]);
3374 3381
3375 3382 if (is->is_tqehead[1] != NULL)
3376 3383 (void) fr_deletetimeoutqueue(is->is_tqehead[1]);
3377 3384
3378 3385 #ifdef IPFILTER_SYNC
3379 3386 if (is->is_sync)
3380 3387 ipfsync_del(is->is_sync);
3381 3388 #endif
3382 3389 #ifdef IPFILTER_SCAN
3383 3390 (void) ipsc_detachis(is);
3384 3391 #endif
3385 3392
3386 3393 /*
3387 3394 * Now remove it from master list of state table entries.
3388 3395 */
3389 3396 if (is->is_pnext != NULL) {
|
↓ open down ↓ |
1063 lines elided |
↑ open up ↑ |
3390 3397 *is->is_pnext = is->is_next;
3391 3398 if (is->is_next != NULL) {
3392 3399 is->is_next->is_pnext = is->is_pnext;
3393 3400 is->is_next = NULL;
3394 3401 }
3395 3402 is->is_pnext = NULL;
3396 3403 }
3397 3404
3398 3405 if (ifs->ifs_ipstate_logging != 0 && why != 0)
3399 3406 ipstate_log(is, why, ifs);
3400 -
3407 +#if 0
3408 + /*
3409 + * For now, ipf_log_cfwlog() copes with all "why" values. Strictly
3410 + * speaking, though, they all map to one event (CFWEV_END), which for
3411 + * now is not supported, hence the #if 0.
3412 + */
3413 + if (why != 0 && IFS_CFWLOG(ifs, is->is_rule))
3414 + ipf_log_cfwlog(is, why, ifs);
3415 +#endif
3401 3416 if (is->is_rule != NULL) {
3402 3417 is->is_rule->fr_statecnt--;
3403 3418 (void)fr_derefrule(&is->is_rule, ifs);
3404 3419 }
3405 3420
3406 3421 MUTEX_DESTROY(&is->is_lock);
3407 3422 KFREE(is);
3408 3423 ifs->ifs_ips_num--;
3409 3424
3410 3425 return (0);
3411 3426 }
3412 3427
3413 3428
3414 3429 /* ------------------------------------------------------------------------ */
3415 3430 /* Function: fr_timeoutstate */
3416 3431 /* Returns: Nil */
3417 3432 /* Parameters: ifs - ipf stack instance */
3418 3433 /* */
3419 3434 /* Slowly expire held state for thingslike UDP and ICMP. The algorithm */
3420 3435 /* used here is to keep the queue sorted with the oldest things at the top */
3421 3436 /* and the youngest at the bottom. So if the top one doesn't need to be */
3422 3437 /* expired then neither will any under it. */
3423 3438 /* ------------------------------------------------------------------------ */
3424 3439 void fr_timeoutstate(ifs)
3425 3440 ipf_stack_t *ifs;
3426 3441 {
3427 3442 ipftq_t *ifq, *ifqnext;
3428 3443 ipftqent_t *tqe, *tqn;
3429 3444 ipstate_t *is;
3430 3445 SPL_INT(s);
3431 3446
3432 3447 SPL_NET(s);
3433 3448 WRITE_ENTER(&ifs->ifs_ipf_state);
3434 3449 for (ifq = ifs->ifs_ips_tqtqb; ifq != NULL; ifq = ifq->ifq_next)
3435 3450 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
3436 3451 if (tqe->tqe_die > ifs->ifs_fr_ticks)
3437 3452 break;
3438 3453 tqn = tqe->tqe_next;
3439 3454 is = tqe->tqe_parent;
3440 3455 (void) fr_delstate(is, ISL_EXPIRE, ifs);
3441 3456 }
3442 3457
3443 3458 for (ifq = ifs->ifs_ips_utqe; ifq != NULL; ifq = ifq->ifq_next) {
3444 3459 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
3445 3460 if (tqe->tqe_die > ifs->ifs_fr_ticks)
3446 3461 break;
3447 3462 tqn = tqe->tqe_next;
3448 3463 is = tqe->tqe_parent;
3449 3464 (void) fr_delstate(is, ISL_EXPIRE, ifs);
3450 3465 }
3451 3466 }
3452 3467
3453 3468 for (ifq = ifs->ifs_ips_utqe; ifq != NULL; ifq = ifqnext) {
3454 3469 ifqnext = ifq->ifq_next;
3455 3470
3456 3471 if (((ifq->ifq_flags & IFQF_DELETE) != 0) &&
3457 3472 (ifq->ifq_ref == 0)) {
3458 3473 fr_freetimeoutqueue(ifq, ifs);
3459 3474 }
3460 3475 }
3461 3476
3462 3477 if (ifs->ifs_fr_state_doflush) {
3463 3478 (void) fr_state_flush(FLUSH_TABLE_EXTRA, 0, ifs);
3464 3479 ifs->ifs_fr_state_doflush = 0;
3465 3480 }
3466 3481 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3467 3482 SPL_X(s);
3468 3483 }
3469 3484
3470 3485
3471 3486 /* ---------------------------------------------------------------------- */
3472 3487 /* Function: fr_state_flush */
3473 3488 /* Returns: int - 0 == success, -1 == failure */
3474 3489 /* Parameters: flush_option - how to flush the active State table */
3475 3490 /* proto - IP version to flush (4, 6, or both) */
3476 3491 /* ifs - ipf stack instance */
3477 3492 /* Write Locks: ipf_state */
3478 3493 /* */
3479 3494 /* Flush state tables. Three possible flush options currently defined: */
3480 3495 /* */
3481 3496 /* FLUSH_TABLE_ALL : Flush all state table entries */
3482 3497 /* */
3483 3498 /* FLUSH_TABLE_CLOSING : Flush entries with TCP connections which */
3484 3499 /* have started to close on both ends using */
3485 3500 /* ipf_flushclosing(). */
3486 3501 /* */
3487 3502 /* FLUSH_TABLE_EXTRA : First, flush entries which are "almost" closed. */
3488 3503 /* Then, if needed, flush entries with TCP */
3489 3504 /* connections which have been idle for a long */
3490 3505 /* time with ipf_extraflush(). */
3491 3506 /* ---------------------------------------------------------------------- */
3492 3507 static int fr_state_flush(flush_option, proto, ifs)
3493 3508 int flush_option, proto;
3494 3509 ipf_stack_t *ifs;
3495 3510 {
3496 3511 ipstate_t *is, *isn;
3497 3512 int removed;
3498 3513 SPL_INT(s);
3499 3514
3500 3515 removed = 0;
3501 3516
3502 3517 SPL_NET(s);
3503 3518 switch (flush_option)
3504 3519 {
3505 3520 case FLUSH_TABLE_ALL:
3506 3521 isn = ifs->ifs_ips_list;
3507 3522 while ((is = isn) != NULL) {
3508 3523 isn = is->is_next;
3509 3524 if ((proto != 0) && (is->is_v != proto))
3510 3525 continue;
3511 3526 if (fr_delstate(is, ISL_FLUSH, ifs) == 0)
3512 3527 removed++;
3513 3528 }
3514 3529 break;
3515 3530
3516 3531 case FLUSH_TABLE_CLOSING:
3517 3532 removed = ipf_flushclosing(STATE_FLUSH,
3518 3533 IPF_TCPS_CLOSE_WAIT,
3519 3534 ifs->ifs_ips_tqtqb,
3520 3535 ifs->ifs_ips_utqe,
3521 3536 ifs);
3522 3537 break;
3523 3538
3524 3539 case FLUSH_TABLE_EXTRA:
3525 3540 removed = ipf_flushclosing(STATE_FLUSH,
3526 3541 IPF_TCPS_FIN_WAIT_2,
3527 3542 ifs->ifs_ips_tqtqb,
3528 3543 ifs->ifs_ips_utqe,
3529 3544 ifs);
3530 3545
3531 3546 /*
3532 3547 * Be sure we haven't done this in the last 10 seconds.
3533 3548 */
3534 3549 if (ifs->ifs_fr_ticks - ifs->ifs_ips_last_force_flush <
3535 3550 IPF_TTLVAL(10))
3536 3551 break;
3537 3552 ifs->ifs_ips_last_force_flush = ifs->ifs_fr_ticks;
3538 3553 removed += ipf_extraflush(STATE_FLUSH,
3539 3554 &ifs->ifs_ips_tqtqb[IPF_TCPS_ESTABLISHED],
3540 3555 ifs->ifs_ips_utqe,
3541 3556 ifs);
3542 3557 break;
3543 3558
3544 3559 default: /* Flush Nothing */
3545 3560 break;
3546 3561 }
3547 3562
3548 3563 SPL_X(s);
3549 3564 return (removed);
3550 3565 }
3551 3566
3552 3567
3553 3568 /* ------------------------------------------------------------------------ */
3554 3569 /* Function: fr_tcp_age */
3555 3570 /* Returns: int - 1 == state transition made, 0 == no change (rejected) */
3556 3571 /* Parameters: tq(I) - pointer to timeout queue information */
3557 3572 /* fin(I) - pointer to packet information */
3558 3573 /* tqtab(I) - TCP timeout queue table this is in */
3559 3574 /* flags(I) - flags from state/NAT entry */
3560 3575 /* */
3561 3576 /* Rewritten by Arjan de Vet <Arjan.deVet@adv.iae.nl>, 2000-07-29: */
3562 3577 /* */
3563 3578 /* - (try to) base state transitions on real evidence only, */
3564 3579 /* i.e. packets that are sent and have been received by ipfilter; */
3565 3580 /* diagram 18.12 of TCP/IP volume 1 by W. Richard Stevens was used. */
3566 3581 /* */
3567 3582 /* - deal with half-closed connections correctly; */
3568 3583 /* */
3569 3584 /* - store the state of the source in state[0] such that ipfstat */
3570 3585 /* displays the state as source/dest instead of dest/source; the calls */
3571 3586 /* to fr_tcp_age have been changed accordingly. */
3572 3587 /* */
3573 3588 /* Internal Parameters: */
3574 3589 /* */
3575 3590 /* state[0] = state of source (host that initiated connection) */
3576 3591 /* state[1] = state of dest (host that accepted the connection) */
3577 3592 /* */
3578 3593 /* dir == 0 : a packet from source to dest */
3579 3594 /* dir == 1 : a packet from dest to source */
3580 3595 /* */
3581 3596 /* Locking: it is assumed that the parent of the tqe structure is locked. */
3582 3597 /* ------------------------------------------------------------------------ */
3583 3598 int fr_tcp_age(tqe, fin, tqtab, flags)
3584 3599 ipftqent_t *tqe;
3585 3600 fr_info_t *fin;
3586 3601 ipftq_t *tqtab;
3587 3602 int flags;
3588 3603 {
3589 3604 int dlen, ostate, nstate, rval, dir;
3590 3605 u_char tcpflags;
3591 3606 tcphdr_t *tcp;
3592 3607 ipf_stack_t *ifs = fin->fin_ifs;
3593 3608
3594 3609 tcp = fin->fin_dp;
3595 3610
3596 3611 rval = 0;
3597 3612 dir = fin->fin_rev;
3598 3613 tcpflags = tcp->th_flags;
3599 3614 dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
3600 3615
3601 3616 ostate = tqe->tqe_state[1 - dir];
3602 3617 nstate = tqe->tqe_state[dir];
3603 3618
3604 3619 DTRACE_PROBE4(
3605 3620 indata,
3606 3621 fr_info_t *, fin,
3607 3622 int, ostate,
3608 3623 int, nstate,
3609 3624 u_char, tcpflags
3610 3625 );
3611 3626
3612 3627 if (tcpflags & TH_RST) {
3613 3628 if (!(tcpflags & TH_PUSH) && !dlen)
3614 3629 nstate = IPF_TCPS_CLOSED;
3615 3630 else
3616 3631 nstate = IPF_TCPS_CLOSE_WAIT;
3617 3632
3618 3633 /*
3619 3634 * Once RST is received, we must advance peer's state to
3620 3635 * CLOSE_WAIT.
3621 3636 */
3622 3637 if (ostate <= IPF_TCPS_ESTABLISHED) {
3623 3638 tqe->tqe_state[1 - dir] = IPF_TCPS_CLOSE_WAIT;
3624 3639 }
3625 3640 rval = 1;
3626 3641 } else {
3627 3642
3628 3643 switch (nstate)
3629 3644 {
3630 3645 case IPF_TCPS_LISTEN: /* 0 */
3631 3646 if ((tcpflags & TH_OPENING) == TH_OPENING) {
3632 3647 /*
3633 3648 * 'dir' received an S and sends SA in
3634 3649 * response, CLOSED -> SYN_RECEIVED
3635 3650 */
3636 3651 nstate = IPF_TCPS_SYN_RECEIVED;
3637 3652 rval = 1;
3638 3653 } else if ((tcpflags & TH_OPENING) == TH_SYN) {
3639 3654 /* 'dir' sent S, CLOSED -> SYN_SENT */
3640 3655 nstate = IPF_TCPS_SYN_SENT;
3641 3656 rval = 1;
3642 3657 }
3643 3658 /*
3644 3659 * the next piece of code makes it possible to get
3645 3660 * already established connections into the state table
3646 3661 * after a restart or reload of the filter rules; this
3647 3662 * does not work when a strict 'flags S keep state' is
3648 3663 * used for tcp connections of course
3649 3664 */
3650 3665 if (((flags & IS_TCPFSM) == 0) &&
3651 3666 ((tcpflags & TH_ACKMASK) == TH_ACK)) {
3652 3667 /*
3653 3668 * we saw an A, guess 'dir' is in ESTABLISHED
3654 3669 * mode
3655 3670 */
3656 3671 switch (ostate)
3657 3672 {
3658 3673 case IPF_TCPS_LISTEN :
3659 3674 case IPF_TCPS_SYN_RECEIVED :
3660 3675 nstate = IPF_TCPS_HALF_ESTAB;
3661 3676 rval = 1;
3662 3677 break;
3663 3678 case IPF_TCPS_HALF_ESTAB :
3664 3679 case IPF_TCPS_ESTABLISHED :
3665 3680 nstate = IPF_TCPS_ESTABLISHED;
3666 3681 rval = 1;
3667 3682 break;
3668 3683 default :
3669 3684 break;
3670 3685 }
3671 3686 }
3672 3687 /*
3673 3688 * TODO: besides regular ACK packets we can have other
3674 3689 * packets as well; it is yet to be determined how we
3675 3690 * should initialize the states in those cases
3676 3691 */
3677 3692 break;
3678 3693
3679 3694 case IPF_TCPS_SYN_SENT: /* 1 */
3680 3695 if ((tcpflags & ~(TH_ECN|TH_CWR)) == TH_SYN) {
3681 3696 /*
3682 3697 * A retransmitted SYN packet. We do not reset
3683 3698 * the timeout here to fr_tcptimeout because a
3684 3699 * connection connect timeout does not renew
3685 3700 * after every packet that is sent. We need to
3686 3701 * set rval so as to indicate the packet has
3687 3702 * passed the check for its flags being valid
3688 3703 * in the TCP FSM. Setting rval to 2 has the
3689 3704 * result of not resetting the timeout.
3690 3705 */
3691 3706 rval = 2;
3692 3707 } else if ((tcpflags & (TH_SYN|TH_FIN|TH_ACK)) ==
3693 3708 TH_ACK) {
3694 3709 /*
3695 3710 * we see an A from 'dir' which is in SYN_SENT
3696 3711 * state: 'dir' sent an A in response to an SA
3697 3712 * which it received, SYN_SENT -> ESTABLISHED
3698 3713 */
3699 3714 nstate = IPF_TCPS_ESTABLISHED;
3700 3715 rval = 1;
3701 3716 } else if (tcpflags & TH_FIN) {
3702 3717 /*
3703 3718 * we see an F from 'dir' which is in SYN_SENT
3704 3719 * state and wants to close its side of the
3705 3720 * connection; SYN_SENT -> FIN_WAIT_1
3706 3721 */
3707 3722 nstate = IPF_TCPS_FIN_WAIT_1;
3708 3723 rval = 1;
3709 3724 } else if ((tcpflags & TH_OPENING) == TH_OPENING) {
3710 3725 /*
3711 3726 * we see an SA from 'dir' which is already in
3712 3727 * SYN_SENT state, this means we have a
3713 3728 * simultaneous open; SYN_SENT -> SYN_RECEIVED
3714 3729 */
3715 3730 nstate = IPF_TCPS_SYN_RECEIVED;
3716 3731 rval = 1;
3717 3732 }
3718 3733 break;
3719 3734
3720 3735 case IPF_TCPS_SYN_RECEIVED: /* 2 */
3721 3736 if ((tcpflags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) {
3722 3737 /*
3723 3738 * we see an A from 'dir' which was in
3724 3739 * SYN_RECEIVED state so it must now be in
3725 3740 * established state, SYN_RECEIVED ->
3726 3741 * ESTABLISHED
3727 3742 */
3728 3743 nstate = IPF_TCPS_ESTABLISHED;
3729 3744 rval = 1;
3730 3745 } else if ((tcpflags & ~(TH_ECN|TH_CWR)) ==
3731 3746 TH_OPENING) {
3732 3747 /*
3733 3748 * We see an SA from 'dir' which is already in
3734 3749 * SYN_RECEIVED state.
3735 3750 */
3736 3751 rval = 2;
3737 3752 } else if (tcpflags & TH_FIN) {
3738 3753 /*
3739 3754 * we see an F from 'dir' which is in
3740 3755 * SYN_RECEIVED state and wants to close its
3741 3756 * side of the connection; SYN_RECEIVED ->
3742 3757 * FIN_WAIT_1
3743 3758 */
3744 3759 nstate = IPF_TCPS_FIN_WAIT_1;
3745 3760 rval = 1;
3746 3761 }
3747 3762 break;
3748 3763
3749 3764 case IPF_TCPS_HALF_ESTAB: /* 3 */
3750 3765 if (tcpflags & TH_FIN) {
3751 3766 nstate = IPF_TCPS_FIN_WAIT_1;
3752 3767 rval = 1;
3753 3768 } else if ((tcpflags & TH_ACKMASK) == TH_ACK) {
3754 3769 /*
3755 3770 * If we've picked up a connection in mid
3756 3771 * flight, we could be looking at a follow on
3757 3772 * packet from the same direction as the one
3758 3773 * that created this state. Recognise it but
3759 3774 * do not advance the entire connection's
3760 3775 * state.
3761 3776 */
3762 3777 switch (ostate)
3763 3778 {
3764 3779 case IPF_TCPS_LISTEN :
3765 3780 case IPF_TCPS_SYN_SENT :
3766 3781 case IPF_TCPS_SYN_RECEIVED :
3767 3782 rval = 1;
3768 3783 break;
3769 3784 case IPF_TCPS_HALF_ESTAB :
3770 3785 case IPF_TCPS_ESTABLISHED :
3771 3786 nstate = IPF_TCPS_ESTABLISHED;
3772 3787 rval = 1;
3773 3788 break;
3774 3789 default :
3775 3790 break;
3776 3791 }
3777 3792 }
3778 3793 break;
3779 3794
3780 3795 case IPF_TCPS_ESTABLISHED: /* 4 */
3781 3796 rval = 1;
3782 3797 if (tcpflags & TH_FIN) {
3783 3798 /*
3784 3799 * 'dir' closed its side of the connection;
3785 3800 * this gives us a half-closed connection;
3786 3801 * ESTABLISHED -> FIN_WAIT_1
3787 3802 */
3788 3803 if (ostate == IPF_TCPS_FIN_WAIT_1) {
3789 3804 nstate = IPF_TCPS_CLOSING;
3790 3805 } else {
3791 3806 nstate = IPF_TCPS_FIN_WAIT_1;
3792 3807 }
3793 3808 } else if (tcpflags & TH_ACK) {
3794 3809 /*
3795 3810 * an ACK, should we exclude other flags here?
3796 3811 */
3797 3812 if (ostate == IPF_TCPS_FIN_WAIT_1) {
3798 3813 /*
3799 3814 * We know the other side did an active
3800 3815 * close, so we are ACKing the recvd
3801 3816 * FIN packet (does the window matching
3802 3817 * code guarantee this?) and go into
3803 3818 * CLOSE_WAIT state; this gives us a
3804 3819 * half-closed connection
3805 3820 */
3806 3821 nstate = IPF_TCPS_CLOSE_WAIT;
3807 3822 } else if (ostate < IPF_TCPS_CLOSE_WAIT) {
3808 3823 /*
3809 3824 * still a fully established
3810 3825 * connection reset timeout
3811 3826 */
3812 3827 nstate = IPF_TCPS_ESTABLISHED;
3813 3828 }
3814 3829 }
3815 3830 break;
3816 3831
3817 3832 case IPF_TCPS_CLOSE_WAIT: /* 5 */
3818 3833 rval = 1;
3819 3834 if (tcpflags & TH_FIN) {
3820 3835 /*
3821 3836 * application closed and 'dir' sent a FIN,
3822 3837 * we're now going into LAST_ACK state
3823 3838 */
3824 3839 nstate = IPF_TCPS_LAST_ACK;
3825 3840 } else {
3826 3841 /*
3827 3842 * we remain in CLOSE_WAIT because the other
3828 3843 * side has closed already and we did not
3829 3844 * close our side yet; reset timeout
3830 3845 */
3831 3846 nstate = IPF_TCPS_CLOSE_WAIT;
3832 3847 }
3833 3848 break;
3834 3849
3835 3850 case IPF_TCPS_FIN_WAIT_1: /* 6 */
3836 3851 rval = 1;
3837 3852 if ((tcpflags & TH_ACK) &&
3838 3853 ostate > IPF_TCPS_CLOSE_WAIT) {
3839 3854 /*
3840 3855 * if the other side is not active anymore
3841 3856 * it has sent us a FIN packet that we are
3842 3857 * ack'ing now with an ACK; this means both
3843 3858 * sides have now closed the connection and
3844 3859 * we go into LAST_ACK
3845 3860 */
3846 3861 /*
3847 3862 * XXX: how do we know we really are ACKing
3848 3863 * the FIN packet here? does the window code
3849 3864 * guarantee that?
3850 3865 */
3851 3866 nstate = IPF_TCPS_LAST_ACK;
3852 3867 } else {
3853 3868 /*
3854 3869 * we closed our side of the connection
3855 3870 * already but the other side is still active
3856 3871 * (ESTABLISHED/CLOSE_WAIT); continue with
3857 3872 * this half-closed connection
3858 3873 */
3859 3874 nstate = IPF_TCPS_FIN_WAIT_1;
3860 3875 }
3861 3876 break;
3862 3877
3863 3878 case IPF_TCPS_CLOSING: /* 7 */
3864 3879 if ((tcpflags & (TH_FIN|TH_ACK)) == TH_ACK) {
3865 3880 nstate = IPF_TCPS_TIME_WAIT;
3866 3881 }
3867 3882 rval = 1;
3868 3883 break;
3869 3884
3870 3885 case IPF_TCPS_LAST_ACK: /* 8 */
3871 3886 /*
3872 3887 * We want to reset timer here to keep state in table.
3873 3888 * If we would allow the state to time out here, while
3874 3889 * there would still be packets being retransmitted, we
3875 3890 * would cut off line between the two peers preventing
3876 3891 * them to close connection properly.
3877 3892 */
3878 3893 rval = 1;
3879 3894 break;
3880 3895
3881 3896 case IPF_TCPS_FIN_WAIT_2: /* 9 */
3882 3897 /* NOT USED */
3883 3898 break;
3884 3899
3885 3900 case IPF_TCPS_TIME_WAIT: /* 10 */
3886 3901 /* we're in 2MSL timeout now */
3887 3902 if (ostate == IPF_TCPS_LAST_ACK) {
3888 3903 nstate = IPF_TCPS_CLOSED;
3889 3904 rval = 1;
3890 3905 } else {
3891 3906 rval = 2;
3892 3907 }
3893 3908 break;
3894 3909
3895 3910 case IPF_TCPS_CLOSED: /* 11 */
3896 3911 rval = 2;
3897 3912 break;
3898 3913
3899 3914 default :
3900 3915 #if defined(_KERNEL)
3901 3916 ASSERT(nstate >= IPF_TCPS_LISTEN &&
3902 3917 nstate <= IPF_TCPS_CLOSED);
3903 3918 #else
3904 3919 abort();
3905 3920 #endif
3906 3921 break;
3907 3922 }
3908 3923 }
3909 3924
3910 3925 /*
3911 3926 * If rval == 2 then do not update the queue position, but treat the
3912 3927 * packet as being ok.
3913 3928 */
3914 3929 if (rval == 2) {
3915 3930 DTRACE_PROBE1(state_keeping_timer, int, nstate);
3916 3931 rval = 1;
3917 3932 }
3918 3933 else if (rval == 1) {
3919 3934 tqe->tqe_state[dir] = nstate;
3920 3935 /*
3921 3936 * The nstate can either advance to a new state, or remain
3922 3937 * unchanged, resetting the timer by moving to the bottom of
3923 3938 * the queue.
|
↓ open down ↓ |
513 lines elided |
↑ open up ↑ |
3924 3939 */
3925 3940 DTRACE_PROBE1(state_done, int, nstate);
3926 3941
3927 3942 if ((tqe->tqe_flags & TQE_RULEBASED) == 0)
3928 3943 fr_movequeue(tqe, tqe->tqe_ifq, tqtab + nstate, ifs);
3929 3944 }
3930 3945
3931 3946 return rval;
3932 3947 }
3933 3948
3934 -
3935 3949 /* ------------------------------------------------------------------------ */
3936 3950 /* Function: ipstate_log */
3937 3951 /* Returns: Nil */
3938 3952 /* Parameters: is(I) - pointer to state structure */
3939 3953 /* type(I) - type of log entry to create */
3940 3954 /* */
3941 3955 /* Creates a state table log entry using the state structure and type info. */
3942 3956 /* passed in. Log packet/byte counts, source/destination address and other */
3943 3957 /* protocol specific information. */
3944 3958 /* ------------------------------------------------------------------------ */
3945 3959 void ipstate_log(is, type, ifs)
3946 3960 struct ipstate *is;
3947 3961 u_int type;
3948 3962 ipf_stack_t *ifs;
3949 3963 {
3950 3964 #ifdef IPFILTER_LOG
3951 3965 struct ipslog ipsl;
3952 3966 size_t sizes[1];
3953 3967 void *items[1];
3954 3968 int types[1];
3955 3969
3956 3970 /*
3957 3971 * Copy information out of the ipstate_t structure and into the
3958 3972 * structure used for logging.
3959 3973 */
3960 3974 ipsl.isl_type = type;
3961 3975 ipsl.isl_pkts[0] = is->is_pkts[0] + is->is_icmppkts[0];
3962 3976 ipsl.isl_bytes[0] = is->is_bytes[0];
3963 3977 ipsl.isl_pkts[1] = is->is_pkts[1] + is->is_icmppkts[1];
3964 3978 ipsl.isl_bytes[1] = is->is_bytes[1];
3965 3979 ipsl.isl_pkts[2] = is->is_pkts[2] + is->is_icmppkts[2];
3966 3980 ipsl.isl_bytes[2] = is->is_bytes[2];
3967 3981 ipsl.isl_pkts[3] = is->is_pkts[3] + is->is_icmppkts[3];
3968 3982 ipsl.isl_bytes[3] = is->is_bytes[3];
3969 3983 ipsl.isl_src = is->is_src;
3970 3984 ipsl.isl_dst = is->is_dst;
3971 3985 ipsl.isl_p = is->is_p;
3972 3986 ipsl.isl_v = is->is_v;
3973 3987 ipsl.isl_flags = is->is_flags;
3974 3988 ipsl.isl_tag = is->is_tag;
3975 3989 ipsl.isl_rulen = is->is_rulen;
3976 3990 (void) strncpy(ipsl.isl_group, is->is_group, FR_GROUPLEN);
3977 3991
3978 3992 if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
3979 3993 ipsl.isl_sport = is->is_sport;
3980 3994 ipsl.isl_dport = is->is_dport;
3981 3995 if (ipsl.isl_p == IPPROTO_TCP) {
3982 3996 ipsl.isl_state[0] = is->is_state[0];
3983 3997 ipsl.isl_state[1] = is->is_state[1];
3984 3998 }
3985 3999 } else if (ipsl.isl_p == IPPROTO_ICMP) {
3986 4000 ipsl.isl_itype = is->is_icmp.ici_type;
3987 4001 } else if (ipsl.isl_p == IPPROTO_ICMPV6) {
3988 4002 ipsl.isl_itype = is->is_icmp.ici_type;
3989 4003 } else {
3990 4004 ipsl.isl_ps.isl_filler[0] = 0;
3991 4005 ipsl.isl_ps.isl_filler[1] = 0;
3992 4006 }
3993 4007
3994 4008 items[0] = &ipsl;
3995 4009 sizes[0] = sizeof(ipsl);
3996 4010 types[0] = 0;
3997 4011
3998 4012 if (ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1, ifs)) {
3999 4013 ATOMIC_INCL(ifs->ifs_ips_stats.iss_logged);
4000 4014 } else {
4001 4015 ATOMIC_INCL(ifs->ifs_ips_stats.iss_logfail);
4002 4016 }
4003 4017 #endif
4004 4018 }
4005 4019
4006 4020
4007 4021 #ifdef USE_INET6
4008 4022 /* ------------------------------------------------------------------------ */
4009 4023 /* Function: fr_checkicmp6matchingstate */
4010 4024 /* Returns: ipstate_t* - NULL == no match found, */
4011 4025 /* else pointer to matching state entry */
4012 4026 /* Parameters: fin(I) - pointer to packet information */
4013 4027 /* Locks: NULL == no locks, else Read Lock on ipf_state */
4014 4028 /* */
4015 4029 /* If we've got an ICMPv6 error message, using the information stored in */
4016 4030 /* the ICMPv6 packet, look for a matching state table entry. */
4017 4031 /* ------------------------------------------------------------------------ */
4018 4032 static ipstate_t *fr_checkicmp6matchingstate(fin)
4019 4033 fr_info_t *fin;
4020 4034 {
4021 4035 struct icmp6_hdr *ic6, *oic;
4022 4036 int backward, i;
4023 4037 ipstate_t *is, **isp;
4024 4038 u_short sport, dport;
4025 4039 i6addr_t dst, src;
4026 4040 u_short savelen;
4027 4041 icmpinfo_t *ic;
4028 4042 fr_info_t ofin;
4029 4043 tcphdr_t *tcp;
4030 4044 ip6_t *oip6;
4031 4045 u_char pr;
4032 4046 u_int hv;
4033 4047 ipf_stack_t *ifs = fin->fin_ifs;
4034 4048
4035 4049 /*
4036 4050 * Does it at least have the return (basic) IP header ?
4037 4051 * Is it an actual recognised ICMP error type?
4038 4052 * Only a basic IP header (no options) should be with
4039 4053 * an ICMP error header.
4040 4054 */
4041 4055 if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN) ||
4042 4056 !(fin->fin_flx & FI_ICMPERR))
4043 4057 return NULL;
4044 4058
4045 4059 ic6 = fin->fin_dp;
4046 4060
4047 4061 oip6 = (ip6_t *)((char *)ic6 + ICMPERR_ICMPHLEN);
4048 4062 if (fin->fin_plen < sizeof(*oip6))
4049 4063 return NULL;
4050 4064
4051 4065 bcopy((char *)fin, (char *)&ofin, sizeof(*fin));
4052 4066 ofin.fin_v = 6;
4053 4067 ofin.fin_ifp = fin->fin_ifp;
4054 4068 ofin.fin_out = !fin->fin_out;
4055 4069 ofin.fin_m = NULL; /* if dereferenced, panic XXX */
4056 4070 ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
4057 4071
4058 4072 /*
4059 4073 * We make a fin entry to be able to feed it to
4060 4074 * matchsrcdst. Note that not all fields are necessary
4061 4075 * but this is the cleanest way. Note further we fill
4062 4076 * in fin_mp such that if someone uses it we'll get
4063 4077 * a kernel panic. fr_matchsrcdst does not use this.
4064 4078 *
4065 4079 * watch out here, as ip is in host order and oip6 in network
4066 4080 * order. Any change we make must be undone afterwards.
4067 4081 */
4068 4082 savelen = oip6->ip6_plen;
4069 4083 oip6->ip6_plen = fin->fin_dlen - ICMPERR_ICMPHLEN;
4070 4084 ofin.fin_flx = FI_NOCKSUM;
4071 4085 ofin.fin_ip = (ip_t *)oip6;
4072 4086 ofin.fin_plen = oip6->ip6_plen;
4073 4087 (void) fr_makefrip(sizeof(*oip6), (ip_t *)oip6, &ofin);
4074 4088 ofin.fin_flx &= ~(FI_BAD|FI_SHORT);
4075 4089 oip6->ip6_plen = savelen;
4076 4090
4077 4091 if (oip6->ip6_nxt == IPPROTO_ICMPV6) {
4078 4092 oic = (struct icmp6_hdr *)(oip6 + 1);
4079 4093 /*
4080 4094 * an ICMP error can only be generated as a result of an
4081 4095 * ICMP query, not as the response on an ICMP error
4082 4096 *
4083 4097 * XXX theoretically ICMP_ECHOREP and the other reply's are
4084 4098 * ICMP query's as well, but adding them here seems strange XXX
4085 4099 */
4086 4100 if (!(oic->icmp6_type & ICMP6_INFOMSG_MASK))
4087 4101 return NULL;
4088 4102
4089 4103 /*
4090 4104 * perform a lookup of the ICMP packet in the state table
4091 4105 */
4092 4106 hv = (pr = oip6->ip6_nxt);
4093 4107 src.in6 = oip6->ip6_src;
4094 4108 hv += src.in4.s_addr;
4095 4109 dst.in6 = oip6->ip6_dst;
4096 4110 hv += dst.in4.s_addr;
4097 4111 hv += oic->icmp6_id;
4098 4112 hv += oic->icmp6_seq;
4099 4113 hv = DOUBLE_HASH(hv, ifs);
4100 4114
4101 4115 READ_ENTER(&ifs->ifs_ipf_state);
4102 4116 for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
4103 4117 ic = &is->is_icmp;
4104 4118 isp = &is->is_hnext;
4105 4119 if ((is->is_p == pr) &&
4106 4120 !(is->is_pass & FR_NOICMPERR) &&
4107 4121 (oic->icmp6_id == ic->ici_id) &&
4108 4122 (oic->icmp6_seq == ic->ici_seq) &&
4109 4123 (is = fr_matchsrcdst(&ofin, is, &src,
4110 4124 &dst, NULL, FI_ICMPCMP))) {
4111 4125 /*
4112 4126 * in the state table ICMP query's are stored
4113 4127 * with the type of the corresponding ICMP
4114 4128 * response. Correct here
4115 4129 */
4116 4130 if (((ic->ici_type == ICMP6_ECHO_REPLY) &&
4117 4131 (oic->icmp6_type == ICMP6_ECHO_REQUEST)) ||
4118 4132 (ic->ici_type - 1 == oic->icmp6_type )) {
4119 4133 ifs->ifs_ips_stats.iss_hits++;
4120 4134 backward = IP6_NEQ(&is->is_dst, &src);
4121 4135 fin->fin_rev = !backward;
4122 4136 i = (backward << 1) + fin->fin_out;
4123 4137 is->is_icmppkts[i]++;
4124 4138 return is;
4125 4139 }
4126 4140 }
4127 4141 }
4128 4142 RWLOCK_EXIT(&ifs->ifs_ipf_state);
4129 4143 return NULL;
4130 4144 }
4131 4145
4132 4146 hv = (pr = oip6->ip6_nxt);
4133 4147 src.in6 = oip6->ip6_src;
4134 4148 hv += src.i6[0];
4135 4149 hv += src.i6[1];
4136 4150 hv += src.i6[2];
4137 4151 hv += src.i6[3];
4138 4152 dst.in6 = oip6->ip6_dst;
4139 4153 hv += dst.i6[0];
4140 4154 hv += dst.i6[1];
4141 4155 hv += dst.i6[2];
4142 4156 hv += dst.i6[3];
4143 4157
4144 4158 if ((oip6->ip6_nxt == IPPROTO_TCP) || (oip6->ip6_nxt == IPPROTO_UDP)) {
4145 4159 tcp = (tcphdr_t *)(oip6 + 1);
4146 4160 dport = tcp->th_dport;
4147 4161 sport = tcp->th_sport;
4148 4162 hv += dport;
4149 4163 hv += sport;
4150 4164 } else
4151 4165 tcp = NULL;
4152 4166 hv = DOUBLE_HASH(hv, ifs);
4153 4167
4154 4168 READ_ENTER(&ifs->ifs_ipf_state);
4155 4169 for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
4156 4170 isp = &is->is_hnext;
4157 4171 /*
4158 4172 * Only allow this icmp though if the
4159 4173 * encapsulated packet was allowed through the
4160 4174 * other way around. Note that the minimal amount
4161 4175 * of info present does not allow for checking against
4162 4176 * tcp internals such as seq and ack numbers.
4163 4177 */
4164 4178 if ((is->is_p != pr) || (is->is_v != 6) ||
4165 4179 (is->is_pass & FR_NOICMPERR))
4166 4180 continue;
4167 4181 is = fr_matchsrcdst(&ofin, is, &src, &dst, tcp, FI_ICMPCMP);
4168 4182 if (is != NULL) {
4169 4183 ifs->ifs_ips_stats.iss_hits++;
4170 4184 backward = IP6_NEQ(&is->is_dst, &src);
4171 4185 fin->fin_rev = !backward;
4172 4186 i = (backward << 1) + fin->fin_out;
4173 4187 is->is_icmppkts[i]++;
4174 4188 /*
4175 4189 * we deliberately do not touch the timeouts
4176 4190 * for the accompanying state table entry.
4177 4191 * It remains to be seen if that is correct. XXX
4178 4192 */
4179 4193 return is;
4180 4194 }
4181 4195 }
4182 4196 RWLOCK_EXIT(&ifs->ifs_ipf_state);
4183 4197 return NULL;
4184 4198 }
4185 4199 #endif
4186 4200
4187 4201
4188 4202 /* ------------------------------------------------------------------------ */
4189 4203 /* Function: fr_sttab_init */
4190 4204 /* Returns: Nil */
4191 4205 /* Parameters: tqp(I) - pointer to an array of timeout queues for TCP */
4192 4206 /* */
4193 4207 /* Initialise the array of timeout queues for TCP. */
4194 4208 /* ------------------------------------------------------------------------ */
4195 4209 void fr_sttab_init(tqp, ifs)
4196 4210 ipftq_t *tqp;
4197 4211 ipf_stack_t *ifs;
4198 4212 {
4199 4213 int i;
4200 4214
4201 4215 for (i = IPF_TCP_NSTATES - 1; i >= 0; i--) {
4202 4216 tqp[i].ifq_ttl = 0;
4203 4217 tqp[i].ifq_ref = 1;
4204 4218 tqp[i].ifq_head = NULL;
4205 4219 tqp[i].ifq_tail = &tqp[i].ifq_head;
4206 4220 tqp[i].ifq_next = tqp + i + 1;
4207 4221 MUTEX_INIT(&tqp[i].ifq_lock, "ipftq tcp tab");
4208 4222 }
4209 4223 tqp[IPF_TCP_NSTATES - 1].ifq_next = NULL;
4210 4224 tqp[IPF_TCPS_CLOSED].ifq_ttl = ifs->ifs_fr_tcpclosed;
4211 4225 tqp[IPF_TCPS_LISTEN].ifq_ttl = ifs->ifs_fr_tcptimeout;
4212 4226 tqp[IPF_TCPS_SYN_SENT].ifq_ttl = ifs->ifs_fr_tcptimeout;
4213 4227 tqp[IPF_TCPS_SYN_RECEIVED].ifq_ttl = ifs->ifs_fr_tcptimeout;
4214 4228 tqp[IPF_TCPS_ESTABLISHED].ifq_ttl = ifs->ifs_fr_tcpidletimeout;
4215 4229 tqp[IPF_TCPS_CLOSE_WAIT].ifq_ttl = ifs->ifs_fr_tcphalfclosed;
4216 4230 tqp[IPF_TCPS_FIN_WAIT_1].ifq_ttl = ifs->ifs_fr_tcphalfclosed;
4217 4231 tqp[IPF_TCPS_CLOSING].ifq_ttl = ifs->ifs_fr_tcptimeout;
4218 4232 tqp[IPF_TCPS_LAST_ACK].ifq_ttl = ifs->ifs_fr_tcplastack;
4219 4233 tqp[IPF_TCPS_FIN_WAIT_2].ifq_ttl = ifs->ifs_fr_tcpclosewait;
4220 4234 tqp[IPF_TCPS_TIME_WAIT].ifq_ttl = ifs->ifs_fr_tcptimeout;
4221 4235 tqp[IPF_TCPS_HALF_ESTAB].ifq_ttl = ifs->ifs_fr_tcptimeout;
4222 4236 }
4223 4237
4224 4238
4225 4239 /* ------------------------------------------------------------------------ */
4226 4240 /* Function: fr_sttab_destroy */
4227 4241 /* Returns: Nil */
4228 4242 /* Parameters: tqp(I) - pointer to an array of timeout queues for TCP */
4229 4243 /* */
4230 4244 /* Do whatever is necessary to "destroy" each of the entries in the array */
4231 4245 /* of timeout queues for TCP. */
4232 4246 /* ------------------------------------------------------------------------ */
4233 4247 void fr_sttab_destroy(tqp)
4234 4248 ipftq_t *tqp;
4235 4249 {
4236 4250 int i;
4237 4251
4238 4252 for (i = IPF_TCP_NSTATES - 1; i >= 0; i--)
4239 4253 MUTEX_DESTROY(&tqp[i].ifq_lock);
4240 4254 }
4241 4255
4242 4256
4243 4257 /* ------------------------------------------------------------------------ */
4244 4258 /* Function: fr_statederef */
4245 4259 /* Returns: Nil */
4246 4260 /* Parameters: isp(I) - pointer to pointer to state table entry */
4247 4261 /* ifs - ipf stack instance */
4248 4262 /* */
4249 4263 /* Decrement the reference counter for this state table entry and free it */
4250 4264 /* if there are no more things using it. */
4251 4265 /* */
4252 4266 /* Internal parameters: */
4253 4267 /* state[0] = state of source (host that initiated connection) */
4254 4268 /* state[1] = state of dest (host that accepted the connection) */
4255 4269 /* ------------------------------------------------------------------------ */
4256 4270 void fr_statederef(isp, ifs)
4257 4271 ipstate_t **isp;
4258 4272 ipf_stack_t *ifs;
4259 4273 {
4260 4274 ipstate_t *is;
4261 4275
4262 4276 is = *isp;
4263 4277 *isp = NULL;
4264 4278
4265 4279 MUTEX_ENTER(&is->is_lock);
4266 4280 if (is->is_ref > 1) {
4267 4281 is->is_ref--;
4268 4282 MUTEX_EXIT(&is->is_lock);
4269 4283 #ifndef _KERNEL
4270 4284 if ((is->is_sti.tqe_state[0] > IPF_TCPS_ESTABLISHED) ||
4271 4285 (is->is_sti.tqe_state[1] > IPF_TCPS_ESTABLISHED)) {
4272 4286 (void) fr_delstate(is, ISL_ORPHAN, ifs);
4273 4287 }
4274 4288 #endif
4275 4289 return;
4276 4290 }
4277 4291 MUTEX_EXIT(&is->is_lock);
4278 4292
4279 4293 WRITE_ENTER(&ifs->ifs_ipf_state);
4280 4294 (void) fr_delstate(is, ISL_EXPIRE, ifs);
4281 4295 RWLOCK_EXIT(&ifs->ifs_ipf_state);
4282 4296 }
4283 4297
4284 4298
4285 4299 /* ------------------------------------------------------------------------ */
4286 4300 /* Function: fr_setstatequeue */
4287 4301 /* Returns: Nil */
4288 4302 /* Parameters: is(I) - pointer to state structure */
4289 4303 /* rev(I) - forward(0) or reverse(1) direction */
4290 4304 /* Locks: ipf_state (read or write) */
4291 4305 /* */
4292 4306 /* Put the state entry on its default queue entry, using rev as a helped in */
4293 4307 /* determining which queue it should be placed on. */
4294 4308 /* ------------------------------------------------------------------------ */
4295 4309 void fr_setstatequeue(is, rev, ifs)
4296 4310 ipstate_t *is;
4297 4311 int rev;
4298 4312 ipf_stack_t *ifs;
4299 4313 {
4300 4314 ipftq_t *oifq, *nifq;
4301 4315
4302 4316
4303 4317 if ((is->is_sti.tqe_flags & TQE_RULEBASED) != 0)
4304 4318 nifq = is->is_tqehead[rev];
4305 4319 else
4306 4320 nifq = NULL;
4307 4321
4308 4322 if (nifq == NULL) {
4309 4323 switch (is->is_p)
4310 4324 {
4311 4325 #ifdef USE_INET6
4312 4326 case IPPROTO_ICMPV6 :
4313 4327 if (rev == 1)
4314 4328 nifq = &ifs->ifs_ips_icmpacktq;
4315 4329 else
4316 4330 nifq = &ifs->ifs_ips_icmptq;
4317 4331 break;
4318 4332 #endif
4319 4333 case IPPROTO_ICMP :
4320 4334 if (rev == 1)
4321 4335 nifq = &ifs->ifs_ips_icmpacktq;
4322 4336 else
4323 4337 nifq = &ifs->ifs_ips_icmptq;
4324 4338 break;
4325 4339 case IPPROTO_TCP :
4326 4340 nifq = ifs->ifs_ips_tqtqb + is->is_state[rev];
4327 4341 break;
4328 4342
4329 4343 case IPPROTO_UDP :
4330 4344 if (rev == 1)
4331 4345 nifq = &ifs->ifs_ips_udpacktq;
4332 4346 else
4333 4347 nifq = &ifs->ifs_ips_udptq;
4334 4348 break;
4335 4349
4336 4350 default :
4337 4351 nifq = &ifs->ifs_ips_iptq;
4338 4352 break;
4339 4353 }
4340 4354 }
4341 4355
4342 4356 oifq = is->is_sti.tqe_ifq;
4343 4357 /*
4344 4358 * If it's currently on a timeout queue, move it from one queue to
4345 4359 * another, else put it on the end of the newly determined queue.
4346 4360 */
4347 4361 if (oifq != NULL)
4348 4362 fr_movequeue(&is->is_sti, oifq, nifq, ifs);
4349 4363 else
4350 4364 fr_queueappend(&is->is_sti, nifq, is, ifs);
4351 4365 return;
4352 4366 }
4353 4367
4354 4368
4355 4369 /* ------------------------------------------------------------------------ */
4356 4370 /* Function: fr_stateiter */
4357 4371 /* Returns: int - 0 == success, else error */
4358 4372 /* Parameters: token(I) - pointer to ipftoken structure */
4359 4373 /* itp(I) - pointer to ipfgeniter structure */
4360 4374 /* */
4361 4375 /* This function handles the SIOCGENITER ioctl for the state tables and */
4362 4376 /* walks through the list of entries in the state table list (ips_list.) */
4363 4377 /* ------------------------------------------------------------------------ */
4364 4378 static int fr_stateiter(token, itp, ifs)
4365 4379 ipftoken_t *token;
4366 4380 ipfgeniter_t *itp;
4367 4381 ipf_stack_t *ifs;
4368 4382 {
4369 4383 ipstate_t *is, *next, zero;
4370 4384 int error, count;
4371 4385 char *dst;
4372 4386
4373 4387 if (itp->igi_data == NULL)
4374 4388 return EFAULT;
4375 4389
4376 4390 if (itp->igi_nitems == 0)
4377 4391 return EINVAL;
4378 4392
4379 4393 if (itp->igi_type != IPFGENITER_STATE)
4380 4394 return EINVAL;
4381 4395
4382 4396 error = 0;
4383 4397
4384 4398 READ_ENTER(&ifs->ifs_ipf_state);
4385 4399
4386 4400 /*
4387 4401 * Get "previous" entry from the token and find the next entry.
4388 4402 */
4389 4403 is = token->ipt_data;
4390 4404 if (is == NULL) {
4391 4405 next = ifs->ifs_ips_list;
4392 4406 } else {
4393 4407 next = is->is_next;
4394 4408 }
4395 4409
4396 4410 dst = itp->igi_data;
4397 4411 for (count = itp->igi_nitems; count > 0; count--) {
4398 4412 /*
4399 4413 * If we found an entry, add a reference to it and update the token.
4400 4414 * Otherwise, zero out data to be returned and NULL out token.
4401 4415 */
4402 4416 if (next != NULL) {
4403 4417 MUTEX_ENTER(&next->is_lock);
4404 4418 next->is_ref++;
4405 4419 MUTEX_EXIT(&next->is_lock);
4406 4420 token->ipt_data = next;
4407 4421 } else {
4408 4422 bzero(&zero, sizeof(zero));
4409 4423 next = &zero;
4410 4424 token->ipt_data = NULL;
4411 4425 }
4412 4426
4413 4427 /*
4414 4428 * Safe to release lock now the we have a reference.
4415 4429 */
4416 4430 RWLOCK_EXIT(&ifs->ifs_ipf_state);
4417 4431
4418 4432 /*
4419 4433 * Copy out data and clean up references and tokens.
4420 4434 */
4421 4435 error = COPYOUT(next, dst, sizeof(*next));
4422 4436 if (error != 0)
4423 4437 error = EFAULT;
4424 4438 if (token->ipt_data == NULL) {
4425 4439 ipf_freetoken(token, ifs);
4426 4440 break;
4427 4441 } else {
4428 4442 if (is != NULL)
4429 4443 fr_statederef(&is, ifs);
4430 4444 if (next->is_next == NULL) {
4431 4445 ipf_freetoken(token, ifs);
4432 4446 break;
4433 4447 }
4434 4448 }
4435 4449
4436 4450 if ((count == 1) || (error != 0))
4437 4451 break;
4438 4452
4439 4453 READ_ENTER(&ifs->ifs_ipf_state);
4440 4454 dst += sizeof(*next);
4441 4455 is = next;
4442 4456 next = is->is_next;
4443 4457 }
4444 4458
4445 4459 return error;
4446 4460 }
|
↓ open down ↓ |
502 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX