1 /*
2 * Copyright (C) 1993-2003 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
7 *
8 * Copyright (c) 2014, Joyent, Inc. All rights reserved.
9 */
10
11 #if defined(KERNEL) || defined(_KERNEL)
12 # undef KERNEL
13 # undef _KERNEL
14 # define KERNEL 1
15 # define _KERNEL 1
16 #endif
17 #include <sys/errno.h>
18 #include <sys/types.h>
19 #include <sys/param.h>
20 #include <sys/time.h>
21 #if defined(__NetBSD__)
22 # if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
23 # include "opt_ipfilter_log.h"
24 # endif
25 #endif
26 #if defined(_KERNEL) && defined(__FreeBSD_version) && \
27 (__FreeBSD_version >= 220000)
28 # if (__FreeBSD_version >= 400000)
29 # if !defined(IPFILTER_LKM)
30 # include "opt_inet6.h"
31 # endif
32 # if (__FreeBSD_version == 400019)
33 # define CSUM_DELAY_DATA
34 # endif
35 # endif
36 # include <sys/filio.h>
37 #else
38 # include <sys/ioctl.h>
39 #endif
40 #if !defined(_AIX51)
41 # include <sys/fcntl.h>
42 #endif
43 #if defined(_KERNEL)
44 # include <sys/systm.h>
45 # include <sys/file.h>
46 #else
47 # include <stdio.h>
48 # include <string.h>
49 # include <stdlib.h>
50 # include <stddef.h>
51 # include <sys/file.h>
52 # define _KERNEL
53 # ifdef __OpenBSD__
54 struct file;
55 # endif
56 # include <sys/uio.h>
57 # undef _KERNEL
58 #endif
59 #if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux) && \
60 !defined(linux)
61 # include <sys/mbuf.h>
62 #else
63 # if !defined(linux)
64 # include <sys/byteorder.h>
65 # endif
66 # if (SOLARIS2 < 5) && defined(sun)
67 # include <sys/dditypes.h>
68 # endif
69 #endif
70 #ifdef __hpux
71 # define _NET_ROUTE_INCLUDED
72 #endif
73 #if !defined(linux)
74 # include <sys/protosw.h>
75 #endif
76 #include <sys/socket.h>
77 #include <net/if.h>
78 #ifdef sun
79 # include <net/af.h>
80 #endif
81 #if !defined(_KERNEL) && defined(__FreeBSD__)
82 # include "radix_ipf.h"
83 #endif
84 #include <net/route.h>
85 #include <netinet/in.h>
86 #include <netinet/in_systm.h>
87 #include <netinet/ip.h>
88 #if !defined(linux)
89 # include <netinet/ip_var.h>
90 #endif
91 #if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
92 # include <sys/hashing.h>
93 # include <netinet/in_var.h>
94 #endif
95 #include <netinet/tcp.h>
96 #if (!defined(__sgi) && !defined(AIX)) || defined(_KERNEL)
97 # include <netinet/udp.h>
98 # include <netinet/ip_icmp.h>
99 #endif
100 #ifdef __hpux
101 # undef _NET_ROUTE_INCLUDED
102 #endif
103 #include "netinet/ip_compat.h"
104 #ifdef USE_INET6
105 # include <netinet/icmp6.h>
106 # if !defined(SOLARIS) && defined(_KERNEL) && !defined(__osf__) && \
107 !defined(__hpux)
108 # include <netinet6/in6_var.h>
109 # endif
110 #endif
111 #include <netinet/tcpip.h>
112 #include "netinet/ip_fil.h"
113 #include "netinet/ip_nat.h"
114 #include "netinet/ip_frag.h"
115 #include "netinet/ip_state.h"
116 #include "netinet/ip_proxy.h"
117 #include "netinet/ip_auth.h"
118 #include "netinet/ipf_stack.h"
119 #ifdef IPFILTER_SCAN
120 # include "netinet/ip_scan.h"
121 #endif
122 #ifdef IPFILTER_SYNC
123 # include "netinet/ip_sync.h"
124 #endif
125 #include "netinet/ip_pool.h"
126 #include "netinet/ip_htable.h"
127 #ifdef IPFILTER_COMPILED
128 # include "netinet/ip_rules.h"
129 #endif
130 #if defined(IPFILTER_BPF) && defined(_KERNEL)
131 # include <net/bpf.h>
132 #endif
133 #if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
134 # include <sys/malloc.h>
135 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
136 # include "opt_ipfilter.h"
137 # endif
138 #endif
139 #include "netinet/ipl.h"
140 #if defined(_KERNEL)
141 #include <sys/sunddi.h>
142 #endif
143 /* END OF INCLUDES */
144
145 #if !defined(lint)
146 static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
147 static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.64 2005/08/13 05:19:59 darrenr Exp $";
148 #endif
149
150 #ifndef _KERNEL
151 # include "ipf.h"
152 # include "ipt.h"
153 # include "bpf-ipf.h"
154 extern int opts;
155
156 # define FR_VERBOSE(verb_pr) verbose verb_pr
157 # define FR_DEBUG(verb_pr) debug verb_pr
158 #else /* #ifndef _KERNEL */
159 # define FR_VERBOSE(verb_pr)
160 # define FR_DEBUG(verb_pr)
161 #endif /* _KERNEL */
162
163
164 char ipfilter_version[] = IPL_VERSION;
165 int fr_features = 0
166 #ifdef IPFILTER_LKM
167 | IPF_FEAT_LKM
168 #endif
169 #ifdef IPFILTER_LOG
170 | IPF_FEAT_LOG
171 #endif
172 #ifdef IPFILTER_LOOKUP
173 | IPF_FEAT_LOOKUP
174 #endif
175 #ifdef IPFILTER_BPF
176 | IPF_FEAT_BPF
177 #endif
178 #ifdef IPFILTER_COMPILED
179 | IPF_FEAT_COMPILED
180 #endif
181 #ifdef IPFILTER_CKSUM
182 | IPF_FEAT_CKSUM
183 #endif
184 #ifdef IPFILTER_SYNC
185 | IPF_FEAT_SYNC
186 #endif
187 #ifdef IPFILTER_SCAN
188 | IPF_FEAT_SCAN
189 #endif
190 #ifdef USE_INET6
191 | IPF_FEAT_IPV6
192 #endif
193 ;
194
195 #define IPF_BUMP(x) (x)++
196
197 static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
198 static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
199 static int fr_portcheck __P((frpcmp_t *, u_short *));
200 static int frflushlist __P((int, minor_t, int *, frentry_t **,
201 ipf_stack_t *));
202 static ipfunc_t fr_findfunc __P((ipfunc_t));
203 static frentry_t *fr_firewall __P((fr_info_t *, u_32_t *));
204 static int fr_funcinit __P((frentry_t *fr, ipf_stack_t *));
205 static INLINE void frpr_ah __P((fr_info_t *));
206 static INLINE void frpr_esp __P((fr_info_t *));
207 static INLINE void frpr_gre __P((fr_info_t *));
208 static INLINE void frpr_udp __P((fr_info_t *));
209 static INLINE void frpr_tcp __P((fr_info_t *));
210 static INLINE void frpr_icmp __P((fr_info_t *));
211 static INLINE void frpr_ipv4hdr __P((fr_info_t *));
212 static INLINE int frpr_pullup __P((fr_info_t *, int));
213 static INLINE void frpr_short __P((fr_info_t *, int));
214 static INLINE void frpr_tcpcommon __P((fr_info_t *));
215 static INLINE void frpr_udpcommon __P((fr_info_t *));
216 static INLINE int fr_updateipid __P((fr_info_t *));
217 #ifdef IPFILTER_LOOKUP
218 static int fr_grpmapinit __P((frentry_t *fr, ipf_stack_t *));
219 static INLINE void *fr_resolvelookup __P((u_int, u_int, lookupfunc_t *,
220 ipf_stack_t *));
221 #endif
222 static void frsynclist __P((int, int, void *, char *, frentry_t *,
223 ipf_stack_t *));
224 static void *fr_ifsync __P((int, int, char *, char *,
225 void *, void *, ipf_stack_t *));
226 static ipftuneable_t *fr_findtunebyname __P((const char *, ipf_stack_t *));
227 static ipftuneable_t *fr_findtunebycookie __P((void *, void **, ipf_stack_t *));
228
229 /*
230 * bit values for identifying presence of individual IP options
231 * All of these tables should be ordered by increasing key value on the left
232 * hand side to allow for binary searching of the array and include a trailer
233 * with a 0 for the bitmask for linear searches to easily find the end with.
234 */
235 const struct optlist ipopts[20] = {
236 { IPOPT_NOP, 0x000001 },
237 { IPOPT_RR, 0x000002 },
238 { IPOPT_ZSU, 0x000004 },
239 { IPOPT_MTUP, 0x000008 },
240 { IPOPT_MTUR, 0x000010 },
241 { IPOPT_ENCODE, 0x000020 },
242 { IPOPT_TS, 0x000040 },
243 { IPOPT_TR, 0x000080 },
244 { IPOPT_SECURITY, 0x000100 },
245 { IPOPT_LSRR, 0x000200 },
246 { IPOPT_E_SEC, 0x000400 },
247 { IPOPT_CIPSO, 0x000800 },
248 { IPOPT_SATID, 0x001000 },
249 { IPOPT_SSRR, 0x002000 },
250 { IPOPT_ADDEXT, 0x004000 },
251 { IPOPT_VISA, 0x008000 },
252 { IPOPT_IMITD, 0x010000 },
253 { IPOPT_EIP, 0x020000 },
254 { IPOPT_FINN, 0x040000 },
255 { 0, 0x000000 }
256 };
257
258 #ifdef USE_INET6
259 struct optlist ip6exthdr[] = {
260 { IPPROTO_HOPOPTS, 0x000001 },
261 { IPPROTO_IPV6, 0x000002 },
262 { IPPROTO_ROUTING, 0x000004 },
263 { IPPROTO_FRAGMENT, 0x000008 },
264 { IPPROTO_ESP, 0x000010 },
265 { IPPROTO_AH, 0x000020 },
266 { IPPROTO_NONE, 0x000040 },
267 { IPPROTO_DSTOPTS, 0x000080 },
268 { 0, 0 }
269 };
270 #endif
271
272 struct optlist tcpopts[] = {
273 { TCPOPT_NOP, 0x000001 },
274 { TCPOPT_MAXSEG, 0x000002 },
275 { TCPOPT_WINDOW, 0x000004 },
276 { TCPOPT_SACK_PERMITTED, 0x000008 },
277 { TCPOPT_SACK, 0x000010 },
278 { TCPOPT_TIMESTAMP, 0x000020 },
279 { 0, 0x000000 }
280 };
281
282 /*
283 * bit values for identifying presence of individual IP security options
284 */
285 const struct optlist secopt[8] = {
286 { IPSO_CLASS_RES4, 0x01 },
287 { IPSO_CLASS_TOPS, 0x02 },
288 { IPSO_CLASS_SECR, 0x04 },
289 { IPSO_CLASS_RES3, 0x08 },
290 { IPSO_CLASS_CONF, 0x10 },
291 { IPSO_CLASS_UNCL, 0x20 },
292 { IPSO_CLASS_RES2, 0x40 },
293 { IPSO_CLASS_RES1, 0x80 }
294 };
295
296
297 /*
298 * Table of functions available for use with call rules.
299 */
300 static ipfunc_resolve_t fr_availfuncs[] = {
301 #ifdef IPFILTER_LOOKUP
302 { "fr_srcgrpmap", fr_srcgrpmap, fr_grpmapinit },
303 { "fr_dstgrpmap", fr_dstgrpmap, fr_grpmapinit },
304 #endif
305 { "", NULL }
306 };
307
308
309 /*
310 * Below we declare a list of constants used only by the ipf_extraflush()
311 * routine. We are placing it here, instead of in ipf_extraflush() itself,
312 * because we want to make it visible to tools such as mdb, nm etc., so the
313 * values can easily be altered during debugging.
314 */
315 static const int idletime_tab[] = {
316 IPF_TTLVAL(30), /* 30 seconds */
317 IPF_TTLVAL(1800), /* 30 minutes */
318 IPF_TTLVAL(43200), /* 12 hours */
319 IPF_TTLVAL(345600), /* 4 days */
320 };
321
322
323 /*
324 * The next section of code is a a collection of small routines that set
325 * fields in the fr_info_t structure passed based on properties of the
326 * current packet. There are different routines for the same protocol
327 * for each of IPv4 and IPv6. Adding a new protocol, for which there
328 * will "special" inspection for setup, is now more easily done by adding
329 * a new routine and expanding the frpr_ipinit*() function rather than by
330 * adding more code to a growing switch statement.
331 */
332 #ifdef USE_INET6
333 static INLINE int frpr_ah6 __P((fr_info_t *));
334 static INLINE void frpr_esp6 __P((fr_info_t *));
335 static INLINE void frpr_gre6 __P((fr_info_t *));
336 static INLINE void frpr_udp6 __P((fr_info_t *));
337 static INLINE void frpr_tcp6 __P((fr_info_t *));
338 static INLINE void frpr_icmp6 __P((fr_info_t *));
339 static INLINE void frpr_ipv6hdr __P((fr_info_t *));
340 static INLINE void frpr_short6 __P((fr_info_t *, int));
341 static INLINE int frpr_hopopts6 __P((fr_info_t *));
342 static INLINE int frpr_routing6 __P((fr_info_t *));
343 static INLINE int frpr_dstopts6 __P((fr_info_t *));
344 static INLINE int frpr_fragment6 __P((fr_info_t *));
345 static INLINE int frpr_ipv6exthdr __P((fr_info_t *, int, int));
346
347
348 /* ------------------------------------------------------------------------ */
349 /* Function: frpr_short6 */
350 /* Returns: void */
351 /* Parameters: fin(I) - pointer to packet information */
352 /* */
353 /* IPv6 Only */
354 /* This is function enforces the 'is a packet too short to be legit' rule */
355 /* for IPv6 and marks the packet with FI_SHORT if so. See function comment */
356 /* for frpr_short() for more details. */
357 /* ------------------------------------------------------------------------ */
358 static INLINE void frpr_short6(fin, xmin)
359 fr_info_t *fin;
360 int xmin;
361 {
362
363 if (fin->fin_dlen < xmin)
364 fin->fin_flx |= FI_SHORT;
365 }
366
367
368 /* ------------------------------------------------------------------------ */
369 /* Function: frpr_ipv6hdr */
370 /* Returns: Nil */
371 /* Parameters: fin(I) - pointer to packet information */
372 /* */
373 /* IPv6 Only */
374 /* Copy values from the IPv6 header into the fr_info_t struct and call the */
375 /* per-protocol analyzer if it exists. */
376 /* ------------------------------------------------------------------------ */
377 static INLINE void frpr_ipv6hdr(fin)
378 fr_info_t *fin;
379 {
380 ip6_t *ip6 = (ip6_t *)fin->fin_ip;
381 int p, go = 1, i, hdrcount;
382 fr_ip_t *fi = &fin->fin_fi;
383
384 fin->fin_off = 0;
385
386 fi->fi_tos = 0;
387 fi->fi_optmsk = 0;
388 fi->fi_secmsk = 0;
389 fi->fi_auth = 0;
390
391 p = ip6->ip6_nxt;
392 fi->fi_ttl = ip6->ip6_hlim;
393 fi->fi_src.in6 = ip6->ip6_src;
394 fi->fi_dst.in6 = ip6->ip6_dst;
395 fin->fin_id = 0;
396
397 hdrcount = 0;
398 while (go && !(fin->fin_flx & (FI_BAD|FI_SHORT))) {
399 switch (p)
400 {
401 case IPPROTO_UDP :
402 frpr_udp6(fin);
403 go = 0;
404 break;
405
406 case IPPROTO_TCP :
407 frpr_tcp6(fin);
408 go = 0;
409 break;
410
411 case IPPROTO_ICMPV6 :
412 frpr_icmp6(fin);
413 go = 0;
414 break;
415
416 case IPPROTO_GRE :
417 frpr_gre6(fin);
418 go = 0;
419 break;
420
421 case IPPROTO_HOPOPTS :
422 /*
423 * hop by hop ext header is only allowed
424 * right after IPv6 header.
425 */
426 if (hdrcount != 0) {
427 fin->fin_flx |= FI_BAD;
428 p = IPPROTO_NONE;
429 } else {
430 p = frpr_hopopts6(fin);
431 }
432 break;
433
434 case IPPROTO_DSTOPTS :
435 p = frpr_dstopts6(fin);
436 break;
437
438 case IPPROTO_ROUTING :
439 p = frpr_routing6(fin);
440 break;
441
442 case IPPROTO_AH :
443 p = frpr_ah6(fin);
444 break;
445
446 case IPPROTO_ESP :
447 frpr_esp6(fin);
448 go = 0;
449 break;
450
451 case IPPROTO_IPV6 :
452 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
453 if (ip6exthdr[i].ol_val == p) {
454 fin->fin_flx |= ip6exthdr[i].ol_bit;
455 break;
456 }
457 go = 0;
458 break;
459
460 case IPPROTO_NONE :
461 go = 0;
462 break;
463
464 case IPPROTO_FRAGMENT :
465 p = frpr_fragment6(fin);
466 if (fin->fin_off != 0) /* Not the first frag */
467 go = 0;
468 break;
469
470 default :
471 go = 0;
472 break;
473 }
474 hdrcount++;
475
476 /*
477 * It is important to note that at this point, for the
478 * extension headers (go != 0), the entire header may not have
479 * been pulled up when the code gets to this point. This is
480 * only done for "go != 0" because the other header handlers
481 * will all pullup their complete header. The other indicator
482 * of an incomplete packet is that this was just an extension
483 * header.
484 */
485 if ((go != 0) && (p != IPPROTO_NONE) &&
486 (frpr_pullup(fin, 0) == -1)) {
487 p = IPPROTO_NONE;
488 go = 0;
489 }
490 }
491 fi->fi_p = p;
492 }
493
494
495 /* ------------------------------------------------------------------------ */
496 /* Function: frpr_ipv6exthdr */
497 /* Returns: int - value of the next header or IPPROTO_NONE if error */
498 /* Parameters: fin(I) - pointer to packet information */
499 /* multiple(I) - flag indicating yes/no if multiple occurances */
500 /* of this extension header are allowed. */
501 /* proto(I) - protocol number for this extension header */
502 /* */
503 /* IPv6 Only */
504 /* This function expects to find an IPv6 extension header at fin_dp. */
505 /* There must be at least 8 bytes of data at fin_dp for there to be a valid */
506 /* extension header present. If a good one is found, fin_dp is advanced to */
507 /* point at the first piece of data after the extension header, fin_exthdr */
508 /* points to the start of the extension header and the "protocol" of the */
509 /* *NEXT* header is returned. */
510 /* ------------------------------------------------------------------------ */
511 static INLINE int frpr_ipv6exthdr(fin, multiple, proto)
512 fr_info_t *fin;
513 int multiple, proto;
514 {
515 struct ip6_ext *hdr;
516 u_short shift;
517 int i;
518
519 fin->fin_flx |= FI_V6EXTHDR;
520
521 /* 8 is default length of extension hdr */
522 if ((fin->fin_dlen - 8) < 0) {
523 fin->fin_flx |= FI_SHORT;
524 return IPPROTO_NONE;
525 }
526
527 if (frpr_pullup(fin, 8) == -1)
528 return IPPROTO_NONE;
529
530 hdr = fin->fin_dp;
531 shift = 8 + (hdr->ip6e_len << 3);
532 if (shift > fin->fin_dlen) { /* Nasty extension header length? */
533 fin->fin_flx |= FI_BAD;
534 return IPPROTO_NONE;
535 }
536
537 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
538 if (ip6exthdr[i].ol_val == proto) {
539 /*
540 * Most IPv6 extension headers are only allowed once.
541 */
542 if ((multiple == 0) &&
543 ((fin->fin_optmsk & ip6exthdr[i].ol_bit) != 0))
544 fin->fin_flx |= FI_BAD;
545 else
546 fin->fin_optmsk |= ip6exthdr[i].ol_bit;
547 break;
548 }
549
550 fin->fin_dp = (char *)fin->fin_dp + shift;
551 fin->fin_dlen -= shift;
552
553 return hdr->ip6e_nxt;
554 }
555
556
557 /* ------------------------------------------------------------------------ */
558 /* Function: frpr_hopopts6 */
559 /* Returns: int - value of the next header or IPPROTO_NONE if error */
560 /* Parameters: fin(I) - pointer to packet information */
561 /* */
562 /* IPv6 Only */
563 /* This is function checks pending hop by hop options extension header */
564 /* ------------------------------------------------------------------------ */
565 static INLINE int frpr_hopopts6(fin)
566 fr_info_t *fin;
567 {
568 return frpr_ipv6exthdr(fin, 0, IPPROTO_HOPOPTS);
569 }
570
571
572 /* ------------------------------------------------------------------------ */
573 /* Function: frpr_routing6 */
574 /* Returns: int - value of the next header or IPPROTO_NONE if error */
575 /* Parameters: fin(I) - pointer to packet information */
576 /* */
577 /* IPv6 Only */
578 /* This is function checks pending routing extension header */
579 /* ------------------------------------------------------------------------ */
580 static INLINE int frpr_routing6(fin)
581 fr_info_t *fin;
582 {
583 struct ip6_ext *hdr;
584 int shift;
585
586 hdr = fin->fin_dp;
587 if (frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING) == IPPROTO_NONE)
588 return IPPROTO_NONE;
589
590 shift = 8 + (hdr->ip6e_len << 3);
591 /*
592 * Nasty extension header length?
593 */
594 if ((hdr->ip6e_len << 3) & 15) {
595 fin->fin_flx |= FI_BAD;
596 /*
597 * Compensate for the changes made in frpr_ipv6exthdr()
598 */
599 fin->fin_dlen += shift;
600 fin->fin_dp = (char *)fin->fin_dp - shift;
601 return IPPROTO_NONE;
602 }
603
604 return hdr->ip6e_nxt;
605 }
606
607
608 /* ------------------------------------------------------------------------ */
609 /* Function: frpr_fragment6 */
610 /* Returns: int - value of the next header or IPPROTO_NONE if error */
611 /* Parameters: fin(I) - pointer to packet information */
612 /* */
613 /* IPv6 Only */
614 /* Examine the IPv6 fragment header and extract fragment offset information.*/
615 /* */
616 /* We don't know where the transport layer header (or whatever is next is), */
617 /* as it could be behind destination options (amongst others). Because */
618 /* there is no fragment cache, there is no knowledge about whether or not an*/
619 /* upper layer header has been seen (or where it ends) and thus we are not */
620 /* able to continue processing beyond this header with any confidence. */
621 /* ------------------------------------------------------------------------ */
622 static INLINE int frpr_fragment6(fin)
623 fr_info_t *fin;
624 {
625 struct ip6_frag *frag;
626
627 fin->fin_flx |= FI_FRAG;
628
629 /*
630 * A fragmented IPv6 packet implies that there must be something
631 * else after the fragment.
632 */
633 if (frpr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT) == IPPROTO_NONE)
634 return IPPROTO_NONE;
635
636 frag = (struct ip6_frag *)((char *)fin->fin_dp - sizeof(*frag));
637
638 /*
639 * If this fragment isn't the last then the packet length must
640 * be a multiple of 8.
641 */
642 if ((frag->ip6f_offlg & IP6F_MORE_FRAG) != 0) {
643 fin->fin_flx |= FI_MOREFRAG;
644
645 if ((fin->fin_plen & 0x7) != 0)
646 fin->fin_flx |= FI_BAD;
647 }
648
649 fin->fin_id = frag->ip6f_ident;
650 fin->fin_off = ntohs(frag->ip6f_offlg & IP6F_OFF_MASK);
651 if (fin->fin_off != 0)
652 fin->fin_flx |= FI_FRAGBODY;
653
654 return frag->ip6f_nxt;
655 }
656
657
658 /* ------------------------------------------------------------------------ */
659 /* Function: frpr_dstopts6 */
660 /* Returns: int - value of the next header or IPPROTO_NONE if error */
661 /* Parameters: fin(I) - pointer to packet information */
662 /* nextheader(I) - stores next header value */
663 /* */
664 /* IPv6 Only */
665 /* This is function checks pending destination options extension header */
666 /* ------------------------------------------------------------------------ */
667 static INLINE int frpr_dstopts6(fin)
668 fr_info_t *fin;
669 {
670 return frpr_ipv6exthdr(fin, 1, IPPROTO_DSTOPTS);
671 }
672
673
674 /* ------------------------------------------------------------------------ */
675 /* Function: frpr_icmp6 */
676 /* Returns: void */
677 /* Parameters: fin(I) - pointer to packet information */
678 /* */
679 /* IPv6 Only */
680 /* This routine is mainly concerned with determining the minimum valid size */
681 /* for an ICMPv6 packet. */
682 /* ------------------------------------------------------------------------ */
683 static INLINE void frpr_icmp6(fin)
684 fr_info_t *fin;
685 {
686 int minicmpsz = sizeof(struct icmp6_hdr);
687 struct icmp6_hdr *icmp6;
688
689 if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN - sizeof(ip6_t)) == -1)
690 return;
691
692 if (fin->fin_dlen > 1) {
693 icmp6 = fin->fin_dp;
694
695 fin->fin_data[0] = *(u_short *)icmp6;
696
697 if ((icmp6->icmp6_type & ICMP6_INFOMSG_MASK) != 0)
698 fin->fin_flx |= FI_ICMPQUERY;
699
700 switch (icmp6->icmp6_type)
701 {
702 case ICMP6_ECHO_REPLY :
703 case ICMP6_ECHO_REQUEST :
704 if (fin->fin_dlen >= 6)
705 fin->fin_data[1] = icmp6->icmp6_id;
706 minicmpsz = ICMP6ERR_MINPKTLEN - sizeof(ip6_t);
707 break;
708 case ICMP6_DST_UNREACH :
709 case ICMP6_PACKET_TOO_BIG :
710 case ICMP6_TIME_EXCEEDED :
711 case ICMP6_PARAM_PROB :
712 if ((fin->fin_m != NULL) &&
713 (M_LEN(fin->fin_m) < fin->fin_plen)) {
714 if (fr_coalesce(fin) != 1)
715 return;
716 }
717 fin->fin_flx |= FI_ICMPERR;
718 minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
719 break;
720 default :
721 break;
722 }
723 }
724
725 frpr_short6(fin, minicmpsz);
726 }
727
728
729 /* ------------------------------------------------------------------------ */
730 /* Function: frpr_udp6 */
731 /* Returns: void */
732 /* Parameters: fin(I) - pointer to packet information */
733 /* */
734 /* IPv6 Only */
735 /* Analyse the packet for IPv6/UDP properties. */
736 /* Is not expected to be called for fragmented packets. */
737 /* ------------------------------------------------------------------------ */
738 static INLINE void frpr_udp6(fin)
739 fr_info_t *fin;
740 {
741
742 fr_checkv6sum(fin);
743
744 frpr_short6(fin, sizeof(struct udphdr));
745 if (frpr_pullup(fin, sizeof(struct udphdr)) == -1)
746 return;
747
748 frpr_udpcommon(fin);
749 }
750
751
752 /* ------------------------------------------------------------------------ */
753 /* Function: frpr_tcp6 */
754 /* Returns: void */
755 /* Parameters: fin(I) - pointer to packet information */
756 /* */
757 /* IPv6 Only */
758 /* Analyse the packet for IPv6/TCP properties. */
759 /* Is not expected to be called for fragmented packets. */
760 /* ------------------------------------------------------------------------ */
761 static INLINE void frpr_tcp6(fin)
762 fr_info_t *fin;
763 {
764
765 fr_checkv6sum(fin);
766
767 frpr_short6(fin, sizeof(struct tcphdr));
768 if (frpr_pullup(fin, sizeof(struct tcphdr)) == -1)
769 return;
770
771 frpr_tcpcommon(fin);
772 }
773
774
775 /* ------------------------------------------------------------------------ */
776 /* Function: frpr_esp6 */
777 /* Returns: void */
778 /* Parameters: fin(I) - pointer to packet information */
779 /* */
780 /* IPv6 Only */
781 /* Analyse the packet for ESP properties. */
782 /* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
783 /* even though the newer ESP packets must also have a sequence number that */
784 /* is 32bits as well, it is not possible(?) to determine the version from a */
785 /* simple packet header. */
786 /* ------------------------------------------------------------------------ */
787 static INLINE void frpr_esp6(fin)
788 fr_info_t *fin;
789 {
790 int i;
791 frpr_short6(fin, sizeof(grehdr_t));
792
793 (void) frpr_pullup(fin, 8);
794
795 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
796 if (ip6exthdr[i].ol_val == IPPROTO_ESP) {
797 fin->fin_optmsk |= ip6exthdr[i].ol_bit;
798 break;
799 }
800 }
801
802
803 /* ------------------------------------------------------------------------ */
804 /* Function: frpr_ah6 */
805 /* Returns: void */
806 /* Parameters: fin(I) - pointer to packet information */
807 /* */
808 /* IPv6 Only */
809 /* Analyse the packet for AH properties. */
810 /* The minimum length is taken to be the combination of all fields in the */
811 /* header being present and no authentication data (null algorithm used.) */
812 /* ------------------------------------------------------------------------ */
813 static INLINE int frpr_ah6(fin)
814 fr_info_t *fin;
815 {
816 authhdr_t *ah;
817 int i, shift;
818
819 frpr_short6(fin, 12);
820
821 if (frpr_pullup(fin, sizeof(*ah)) == -1)
822 return IPPROTO_NONE;
823
824 for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
825 if (ip6exthdr[i].ol_val == IPPROTO_AH) {
826 fin->fin_optmsk |= ip6exthdr[i].ol_bit;
827 break;
828 }
829
830 ah = (authhdr_t *)fin->fin_dp;
831
832 shift = (ah->ah_plen + 2) * 4;
833 fin->fin_dlen -= shift;
834 fin->fin_dp = (char*)fin->fin_dp + shift;
835
836 return ah->ah_next;
837 }
838
839
840 /* ------------------------------------------------------------------------ */
841 /* Function: frpr_gre6 */
842 /* Returns: void */
843 /* Parameters: fin(I) - pointer to packet information */
844 /* */
845 /* Analyse the packet for GRE properties. */
846 /* ------------------------------------------------------------------------ */
847 static INLINE void frpr_gre6(fin)
848 fr_info_t *fin;
849 {
850 grehdr_t *gre;
851
852 frpr_short6(fin, sizeof(grehdr_t));
853
854 if (frpr_pullup(fin, sizeof(grehdr_t)) == -1)
855 return;
856
857 gre = fin->fin_dp;
858 if (GRE_REV(gre->gr_flags) == 1)
859 fin->fin_data[0] = gre->gr_call;
860 }
861 #endif /* USE_INET6 */
862
863
864 /* ------------------------------------------------------------------------ */
865 /* Function: frpr_pullup */
866 /* Returns: int - 0 == pullup succeeded, -1 == failure */
867 /* Parameters: fin(I) - pointer to packet information */
868 /* plen(I) - length (excluding L3 header) to pullup */
869 /* */
870 /* Short inline function to cut down on code duplication to perform a call */
871 /* to fr_pullup to ensure there is the required amount of data, */
872 /* consecutively in the packet buffer. */
873 /* ------------------------------------------------------------------------ */
874 static INLINE int frpr_pullup(fin, plen)
875 fr_info_t *fin;
876 int plen;
877 {
878 #if defined(_KERNEL)
879 if (fin->fin_m != NULL) {
880 int ipoff;
881
882 ipoff = (char *)fin->fin_ip - MTOD(fin->fin_m, char *);
883
884 if (fin->fin_dp != NULL)
885 plen += (char *)fin->fin_dp -
886 ((char *)fin->fin_ip + fin->fin_hlen);
887 plen += fin->fin_hlen;
888 /*
889 * We don't do 'plen += ipoff;' here. The fr_pullup() will
890 * do it for us.
891 */
892 if (M_LEN(fin->fin_m) < plen + ipoff) {
893 if (fr_pullup(fin->fin_m, fin, plen) == NULL)
894 return -1;
895 }
896 }
897 #endif
898 return 0;
899 }
900
901
902 /* ------------------------------------------------------------------------ */
903 /* Function: frpr_short */
904 /* Returns: void */
905 /* Parameters: fin(I) - pointer to packet information */
906 /* xmin(I) - minimum header size */
907 /* */
908 /* Check if a packet is "short" as defined by xmin. The rule we are */
909 /* applying here is that the packet must not be fragmented within the layer */
910 /* 4 header. That is, it must not be a fragment that has its offset set to */
911 /* start within the layer 4 header (hdrmin) or if it is at offset 0, the */
912 /* entire layer 4 header must be present (min). */
913 /* ------------------------------------------------------------------------ */
914 static INLINE void frpr_short(fin, xmin)
915 fr_info_t *fin;
916 int xmin;
917 {
918
919 if (fin->fin_off == 0) {
920 if (fin->fin_dlen < xmin)
921 fin->fin_flx |= FI_SHORT;
922 } else if (fin->fin_off < xmin) {
923 fin->fin_flx |= FI_SHORT;
924 }
925 }
926
927
928 /* ------------------------------------------------------------------------ */
929 /* Function: frpr_icmp */
930 /* Returns: void */
931 /* Parameters: fin(I) - pointer to packet information */
932 /* */
933 /* IPv4 Only */
934 /* Do a sanity check on the packet for ICMP (v4). In nearly all cases, */
935 /* except extrememly bad packets, both type and code will be present. */
936 /* The expected minimum size of an ICMP packet is very much dependent on */
937 /* the type of it. */
938 /* */
939 /* XXX - other ICMP sanity checks? */
940 /* ------------------------------------------------------------------------ */
941 static INLINE void frpr_icmp(fin)
942 fr_info_t *fin;
943 {
944 int minicmpsz = sizeof(struct icmp);
945 icmphdr_t *icmp;
946 ip_t *oip;
947 ipf_stack_t *ifs = fin->fin_ifs;
948
949 if (fin->fin_off != 0) {
950 frpr_short(fin, ICMPERR_ICMPHLEN);
951 return;
952 }
953
954 if (frpr_pullup(fin, ICMPERR_ICMPHLEN) == -1)
955 return;
956
957 fr_checkv4sum(fin);
958
959 /*
960 * This is a right place to set icmp pointer, since the memory
961 * referenced by fin_dp could get reallocated. The code down below can
962 * rely on fact icmp variable always points to ICMP header.
963 */
964 icmp = fin->fin_dp;
965 fin->fin_data[0] = *(u_short *)icmp;
966 fin->fin_data[1] = icmp->icmp_id;
967
968 switch (icmp->icmp_type)
969 {
970 case ICMP_ECHOREPLY :
971 case ICMP_ECHO :
972 /* Router discovery messaes - RFC 1256 */
973 case ICMP_ROUTERADVERT :
974 case ICMP_ROUTERSOLICIT :
975 minicmpsz = ICMP_MINLEN;
976 break;
977 /*
978 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
979 * 3 * timestamp(3 * 4)
980 */
981 case ICMP_TSTAMP :
982 case ICMP_TSTAMPREPLY :
983 minicmpsz = 20;
984 break;
985 /*
986 * type(1) + code(1) + cksum(2) + id(2) seq(2) +
987 * mask(4)
988 */
989 case ICMP_MASKREQ :
990 case ICMP_MASKREPLY :
991 minicmpsz = 12;
992 break;
993 /*
994 * type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+)
995 */
996 case ICMP_UNREACH :
997 if (icmp->icmp_code == ICMP_UNREACH_NEEDFRAG) {
998 if (icmp->icmp_nextmtu < ifs->ifs_fr_icmpminfragmtu)
999 fin->fin_flx |= FI_BAD;
1000 }
1001 /* FALLTHRU */
1002 case ICMP_SOURCEQUENCH :
1003 case ICMP_REDIRECT :
1004 case ICMP_TIMXCEED :
1005 case ICMP_PARAMPROB :
1006 fin->fin_flx |= FI_ICMPERR;
1007 if (fr_coalesce(fin) != 1)
1008 return;
1009 /*
1010 * ICMP error packets should not be generated for IP
1011 * packets that are a fragment that isn't the first
1012 * fragment.
1013 */
1014 oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN);
1015 if ((ntohs(oip->ip_off) & IP_OFFMASK) != 0)
1016 fin->fin_flx |= FI_BAD;
1017 break;
1018 default :
1019 break;
1020 }
1021
1022 frpr_short(fin, minicmpsz);
1023 }
1024
1025
1026 /* ------------------------------------------------------------------------ */
1027 /* Function: frpr_tcpcommon */
1028 /* Returns: void */
1029 /* Parameters: fin(I) - pointer to packet information */
1030 /* */
1031 /* TCP header sanity checking. Look for bad combinations of TCP flags, */
1032 /* and make some checks with how they interact with other fields. */
1033 /* If compiled with IPFILTER_CKSUM, check to see if the TCP checksum is */
1034 /* valid and mark the packet as bad if not. */
1035 /* ------------------------------------------------------------------------ */
1036 static INLINE void frpr_tcpcommon(fin)
1037 fr_info_t *fin;
1038 {
1039 int flags, tlen;
1040 tcphdr_t *tcp;
1041
1042 fin->fin_flx |= FI_TCPUDP;
1043 if (fin->fin_off != 0)
1044 return;
1045
1046 if (frpr_pullup(fin, sizeof(*tcp)) == -1)
1047 return;
1048 tcp = fin->fin_dp;
1049
1050 if (fin->fin_dlen > 3) {
1051 fin->fin_sport = ntohs(tcp->th_sport);
1052 fin->fin_dport = ntohs(tcp->th_dport);
1053 }
1054
1055 if ((fin->fin_flx & FI_SHORT) != 0)
1056 return;
1057
1058 /*
1059 * Use of the TCP data offset *must* result in a value that is at
1060 * least the same size as the TCP header.
1061 */
1062 tlen = TCP_OFF(tcp) << 2;
1063 if (tlen < sizeof(tcphdr_t)) {
1064 fin->fin_flx |= FI_BAD;
1065 return;
1066 }
1067
1068 flags = tcp->th_flags;
1069 fin->fin_tcpf = tcp->th_flags;
1070
1071 /*
1072 * If the urgent flag is set, then the urgent pointer must
1073 * also be set and vice versa. Good TCP packets do not have
1074 * just one of these set.
1075 */
1076 if ((flags & TH_URG) != 0 && (tcp->th_urp == 0)) {
1077 fin->fin_flx |= FI_BAD;
1078 } else if ((flags & TH_URG) == 0 && (tcp->th_urp != 0)) {
1079 /* Ignore this case, it shows up in "real" traffic with */
1080 /* bogus values in the urgent pointer field. */
1081 flags = flags; /* LINT */
1082 } else if (((flags & (TH_SYN|TH_FIN)) != 0) &&
1083 ((flags & (TH_RST|TH_ACK)) == TH_RST)) {
1084 /* TH_FIN|TH_RST|TH_ACK seems to appear "naturally" */
1085 fin->fin_flx |= FI_BAD;
1086 } else if (!(flags & TH_ACK)) {
1087 /*
1088 * If the ack bit isn't set, then either the SYN or
1089 * RST bit must be set. If the SYN bit is set, then
1090 * we expect the ACK field to be 0. If the ACK is
1091 * not set and if URG, PSH or FIN are set, consdier
1092 * that to indicate a bad TCP packet.
1093 */
1094 if ((flags == TH_SYN) && (tcp->th_ack != 0)) {
1095 /*
1096 * Cisco PIX sets the ACK field to a random value.
1097 * In light of this, do not set FI_BAD until a patch
1098 * is available from Cisco to ensure that
1099 * interoperability between existing systems is
1100 * achieved.
1101 */
1102 /*fin->fin_flx |= FI_BAD*/;
1103 flags = flags; /* LINT */
1104 } else if (!(flags & (TH_RST|TH_SYN))) {
1105 fin->fin_flx |= FI_BAD;
1106 } else if ((flags & (TH_URG|TH_PUSH|TH_FIN)) != 0) {
1107 fin->fin_flx |= FI_BAD;
1108 }
1109 }
1110
1111 /*
1112 * At this point, it's not exactly clear what is to be gained by
1113 * marking up which TCP options are and are not present. The one we
1114 * are most interested in is the TCP window scale. This is only in
1115 * a SYN packet [RFC1323] so we don't need this here...?
1116 * Now if we were to analyse the header for passive fingerprinting,
1117 * then that might add some weight to adding this...
1118 */
1119 if (tlen == sizeof(tcphdr_t))
1120 return;
1121
1122 if (frpr_pullup(fin, tlen) == -1)
1123 return;
1124
1125 #if 0
1126 ip = fin->fin_ip;
1127 s = (u_char *)(tcp + 1);
1128 off = IP_HL(ip) << 2;
1129 # ifdef _KERNEL
1130 if (fin->fin_mp != NULL) {
1131 mb_t *m = *fin->fin_mp;
1132
1133 if (off + tlen > M_LEN(m))
1134 return;
1135 }
1136 # endif
1137 for (tlen -= (int)sizeof(*tcp); tlen > 0; ) {
1138 opt = *s;
1139 if (opt == '\0')
1140 break;
1141 else if (opt == TCPOPT_NOP)
1142 ol = 1;
1143 else {
1144 if (tlen < 2)
1145 break;
1146 ol = (int)*(s + 1);
1147 if (ol < 2 || ol > tlen)
1148 break;
1149 }
1150
1151 for (i = 9, mv = 4; mv >= 0; ) {
1152 op = ipopts + i;
1153 if (opt == (u_char)op->ol_val) {
1154 optmsk |= op->ol_bit;
1155 break;
1156 }
1157 }
1158 tlen -= ol;
1159 s += ol;
1160 }
1161 #endif /* 0 */
1162 }
1163
1164
1165
1166 /* ------------------------------------------------------------------------ */
1167 /* Function: frpr_udpcommon */
1168 /* Returns: void */
1169 /* Parameters: fin(I) - pointer to packet information */
1170 /* */
1171 /* Extract the UDP source and destination ports, if present. If compiled */
1172 /* with IPFILTER_CKSUM, check to see if the UDP checksum is valid. */
1173 /* ------------------------------------------------------------------------ */
1174 static INLINE void frpr_udpcommon(fin)
1175 fr_info_t *fin;
1176 {
1177 udphdr_t *udp;
1178
1179 fin->fin_flx |= FI_TCPUDP;
1180
1181 if (!fin->fin_off && (fin->fin_dlen > 3)) {
1182 if (frpr_pullup(fin, sizeof(*udp)) == -1) {
1183 fin->fin_flx |= FI_SHORT;
1184 return;
1185 }
1186
1187 udp = fin->fin_dp;
1188
1189 fin->fin_sport = ntohs(udp->uh_sport);
1190 fin->fin_dport = ntohs(udp->uh_dport);
1191 }
1192 }
1193
1194
1195 /* ------------------------------------------------------------------------ */
1196 /* Function: frpr_tcp */
1197 /* Returns: void */
1198 /* Parameters: fin(I) - pointer to packet information */
1199 /* */
1200 /* IPv4 Only */
1201 /* Analyse the packet for IPv4/TCP properties. */
1202 /* ------------------------------------------------------------------------ */
1203 static INLINE void frpr_tcp(fin)
1204 fr_info_t *fin;
1205 {
1206
1207 fr_checkv4sum(fin);
1208
1209 frpr_short(fin, sizeof(tcphdr_t));
1210
1211 frpr_tcpcommon(fin);
1212 }
1213
1214
1215 /* ------------------------------------------------------------------------ */
1216 /* Function: frpr_udp */
1217 /* Returns: void */
1218 /* Parameters: fin(I) - pointer to packet information */
1219 /* */
1220 /* IPv4 Only */
1221 /* Analyse the packet for IPv4/UDP properties. */
1222 /* ------------------------------------------------------------------------ */
1223 static INLINE void frpr_udp(fin)
1224 fr_info_t *fin;
1225 {
1226
1227 fr_checkv4sum(fin);
1228
1229 frpr_short(fin, sizeof(udphdr_t));
1230
1231 frpr_udpcommon(fin);
1232 }
1233
1234
1235 /* ------------------------------------------------------------------------ */
1236 /* Function: frpr_esp */
1237 /* Returns: void */
1238 /* Parameters: fin(I) - pointer to packet information */
1239 /* */
1240 /* Analyse the packet for ESP properties. */
1241 /* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
1242 /* even though the newer ESP packets must also have a sequence number that */
1243 /* is 32bits as well, it is not possible(?) to determine the version from a */
1244 /* simple packet header. */
1245 /* ------------------------------------------------------------------------ */
1246 static INLINE void frpr_esp(fin)
1247 fr_info_t *fin;
1248 {
1249 if ((fin->fin_off == 0) && (frpr_pullup(fin, 8) == -1))
1250 return;
1251
1252 frpr_short(fin, 8);
1253 }
1254
1255
1256 /* ------------------------------------------------------------------------ */
1257 /* Function: frpr_ah */
1258 /* Returns: void */
1259 /* Parameters: fin(I) - pointer to packet information */
1260 /* */
1261 /* Analyse the packet for AH properties. */
1262 /* The minimum length is taken to be the combination of all fields in the */
1263 /* header being present and no authentication data (null algorithm used.) */
1264 /* ------------------------------------------------------------------------ */
1265 static INLINE void frpr_ah(fin)
1266 fr_info_t *fin;
1267 {
1268 authhdr_t *ah;
1269 int len;
1270
1271 if ((fin->fin_off == 0) && (frpr_pullup(fin, sizeof(*ah)) == -1))
1272 return;
1273
1274 ah = (authhdr_t *)fin->fin_dp;
1275
1276 len = (ah->ah_plen + 2) << 2;
1277 frpr_short(fin, len);
1278 }
1279
1280
1281 /* ------------------------------------------------------------------------ */
1282 /* Function: frpr_gre */
1283 /* Returns: void */
1284 /* Parameters: fin(I) - pointer to packet information */
1285 /* */
1286 /* Analyse the packet for GRE properties. */
1287 /* ------------------------------------------------------------------------ */
1288 static INLINE void frpr_gre(fin)
1289 fr_info_t *fin;
1290 {
1291 grehdr_t *gre;
1292
1293 if ((fin->fin_off == 0) && (frpr_pullup(fin, sizeof(grehdr_t)) == -1))
1294 return;
1295
1296 frpr_short(fin, sizeof(grehdr_t));
1297
1298 if (fin->fin_off == 0) {
1299 gre = fin->fin_dp;
1300 if (GRE_REV(gre->gr_flags) == 1)
1301 fin->fin_data[0] = gre->gr_call;
1302 }
1303 }
1304
1305
1306 /* ------------------------------------------------------------------------ */
1307 /* Function: frpr_ipv4hdr */
1308 /* Returns: void */
1309 /* Parameters: fin(I) - pointer to packet information */
1310 /* */
1311 /* IPv4 Only */
1312 /* Analyze the IPv4 header and set fields in the fr_info_t structure. */
1313 /* Check all options present and flag their presence if any exist. */
1314 /* ------------------------------------------------------------------------ */
1315 static INLINE void frpr_ipv4hdr(fin)
1316 fr_info_t *fin;
1317 {
1318 u_short optmsk = 0, secmsk = 0, auth = 0;
1319 int hlen, ol, mv, p, i;
1320 const struct optlist *op;
1321 u_char *s, opt;
1322 u_short off;
1323 fr_ip_t *fi;
1324 ip_t *ip;
1325
1326 fi = &fin->fin_fi;
1327 hlen = fin->fin_hlen;
1328
1329 ip = fin->fin_ip;
1330 p = ip->ip_p;
1331 fi->fi_p = p;
1332 fi->fi_tos = ip->ip_tos;
1333 fin->fin_id = ip->ip_id;
1334 off = ip->ip_off;
1335
1336 /* Get both TTL and protocol */
1337 fi->fi_p = ip->ip_p;
1338 fi->fi_ttl = ip->ip_ttl;
1339 #if 0
1340 (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
1341 #endif
1342
1343 /* Zero out bits not used in IPv6 address */
1344 fi->fi_src.i6[1] = 0;
1345 fi->fi_src.i6[2] = 0;
1346 fi->fi_src.i6[3] = 0;
1347 fi->fi_dst.i6[1] = 0;
1348 fi->fi_dst.i6[2] = 0;
1349 fi->fi_dst.i6[3] = 0;
1350
1351 fi->fi_saddr = ip->ip_src.s_addr;
1352 fi->fi_daddr = ip->ip_dst.s_addr;
1353
1354 /*
1355 * set packet attribute flags based on the offset and
1356 * calculate the byte offset that it represents.
1357 */
1358 off &= IP_MF|IP_OFFMASK;
1359 if (off != 0) {
1360 int morefrag = off & IP_MF;
1361
1362 fi->fi_flx |= FI_FRAG;
1363 if (morefrag)
1364 fi->fi_flx |= FI_MOREFRAG;
1365 off &= IP_OFFMASK;
1366 if (off != 0) {
1367 fin->fin_flx |= FI_FRAGBODY;
1368 off <<= 3;
1369 if ((off + fin->fin_dlen > 65535) ||
1370 (fin->fin_dlen == 0) ||
1371 ((morefrag != 0) && ((fin->fin_dlen & 7) != 0))) {
1372 /*
1373 * The length of the packet, starting at its
1374 * offset cannot exceed 65535 (0xffff) as the
1375 * length of an IP packet is only 16 bits.
1376 *
1377 * Any fragment that isn't the last fragment
1378 * must have a length greater than 0 and it
1379 * must be an even multiple of 8.
1380 */
1381 fi->fi_flx |= FI_BAD;
1382 }
1383 }
1384 }
1385 fin->fin_off = off;
1386
1387 /*
1388 * Call per-protocol setup and checking
1389 */
1390 switch (p)
1391 {
1392 case IPPROTO_UDP :
1393 frpr_udp(fin);
1394 break;
1395 case IPPROTO_TCP :
1396 frpr_tcp(fin);
1397 break;
1398 case IPPROTO_ICMP :
1399 frpr_icmp(fin);
1400 break;
1401 case IPPROTO_AH :
1402 frpr_ah(fin);
1403 break;
1404 case IPPROTO_ESP :
1405 frpr_esp(fin);
1406 break;
1407 case IPPROTO_GRE :
1408 frpr_gre(fin);
1409 break;
1410 }
1411
1412 ip = fin->fin_ip;
1413 if (ip == NULL)
1414 return;
1415
1416 /*
1417 * If it is a standard IP header (no options), set the flag fields
1418 * which relate to options to 0.
1419 */
1420 if (hlen == sizeof(*ip)) {
1421 fi->fi_optmsk = 0;
1422 fi->fi_secmsk = 0;
1423 fi->fi_auth = 0;
1424 return;
1425 }
1426
1427 /*
1428 * So the IP header has some IP options attached. Walk the entire
1429 * list of options present with this packet and set flags to indicate
1430 * which ones are here and which ones are not. For the somewhat out
1431 * of date and obscure security classification options, set a flag to
1432 * represent which classification is present.
1433 */
1434 fi->fi_flx |= FI_OPTIONS;
1435
1436 for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
1437 opt = *s;
1438 if (opt == '\0')
1439 break;
1440 else if (opt == IPOPT_NOP)
1441 ol = 1;
1442 else {
1443 if (hlen < 2)
1444 break;
1445 ol = (int)*(s + 1);
1446 if (ol < 2 || ol > hlen)
1447 break;
1448 }
1449 for (i = 9, mv = 4; mv >= 0; ) {
1450 op = ipopts + i;
1451 if ((opt == (u_char)op->ol_val) && (ol > 4)) {
1452 optmsk |= op->ol_bit;
1453 if (opt == IPOPT_SECURITY) {
1454 const struct optlist *sp;
1455 u_char sec;
1456 int j, m;
1457
1458 sec = *(s + 2); /* classification */
1459 for (j = 3, m = 2; m >= 0; ) {
1460 sp = secopt + j;
1461 if (sec == sp->ol_val) {
1462 secmsk |= sp->ol_bit;
1463 auth = *(s + 3);
1464 auth *= 256;
1465 auth += *(s + 4);
1466 break;
1467 }
1468 if (sec < sp->ol_val)
1469 j -= m;
1470 else
1471 j += m;
1472 m--;
1473 }
1474 }
1475 break;
1476 }
1477 if (opt < op->ol_val)
1478 i -= mv;
1479 else
1480 i += mv;
1481 mv--;
1482 }
1483 hlen -= ol;
1484 s += ol;
1485 }
1486
1487 /*
1488 *
1489 */
1490 if (auth && !(auth & 0x0100))
1491 auth &= 0xff00;
1492 fi->fi_optmsk = optmsk;
1493 fi->fi_secmsk = secmsk;
1494 fi->fi_auth = auth;
1495 }
1496
1497
1498 /* ------------------------------------------------------------------------ */
1499 /* Function: fr_makefrip */
1500 /* Returns: int - 1 == hdr checking error, 0 == OK */
1501 /* Parameters: hlen(I) - length of IP packet header */
1502 /* ip(I) - pointer to the IP header */
1503 /* fin(IO) - pointer to packet information */
1504 /* */
1505 /* Compact the IP header into a structure which contains just the info. */
1506 /* which is useful for comparing IP headers with and store this information */
1507 /* in the fr_info_t structure pointer to by fin. At present, it is assumed */
1508 /* this function will be called with either an IPv4 or IPv6 packet. */
1509 /* ------------------------------------------------------------------------ */
1510 int fr_makefrip(hlen, ip, fin)
1511 int hlen;
1512 ip_t *ip;
1513 fr_info_t *fin;
1514 {
1515 int v;
1516
1517 fin->fin_depth = 0;
1518 fin->fin_hlen = (u_short)hlen;
1519 fin->fin_ip = ip;
1520 fin->fin_rule = 0xffffffff;
1521 fin->fin_group[0] = -1;
1522 fin->fin_group[1] = '\0';
1523 fin->fin_dlen = fin->fin_plen - hlen;
1524 fin->fin_dp = (char *)ip + hlen;
1525
1526 v = fin->fin_v;
1527 if (v == 4)
1528 frpr_ipv4hdr(fin);
1529 #ifdef USE_INET6
1530 else if (v == 6)
1531 frpr_ipv6hdr(fin);
1532 #endif
1533 if (fin->fin_ip == NULL)
1534 return -1;
1535 return 0;
1536 }
1537
1538
1539 /* ------------------------------------------------------------------------ */
1540 /* Function: fr_portcheck */
1541 /* Returns: int - 1 == port matched, 0 == port match failed */
1542 /* Parameters: frp(I) - pointer to port check `expression' */
1543 /* pop(I) - pointer to port number to evaluate */
1544 /* */
1545 /* Perform a comparison of a port number against some other(s), using a */
1546 /* structure with compare information stored in it. */
1547 /* ------------------------------------------------------------------------ */
1548 static INLINE int fr_portcheck(frp, pop)
1549 frpcmp_t *frp;
1550 u_short *pop;
1551 {
1552 u_short tup, po;
1553 int err = 1;
1554
1555 tup = *pop;
1556 po = frp->frp_port;
1557
1558 /*
1559 * Do opposite test to that required and continue if that succeeds.
1560 */
1561 switch (frp->frp_cmp)
1562 {
1563 case FR_EQUAL :
1564 if (tup != po) /* EQUAL */
1565 err = 0;
1566 break;
1567 case FR_NEQUAL :
1568 if (tup == po) /* NOTEQUAL */
1569 err = 0;
1570 break;
1571 case FR_LESST :
1572 if (tup >= po) /* LESSTHAN */
1573 err = 0;
1574 break;
1575 case FR_GREATERT :
1576 if (tup <= po) /* GREATERTHAN */
1577 err = 0;
1578 break;
1579 case FR_LESSTE :
1580 if (tup > po) /* LT or EQ */
1581 err = 0;
1582 break;
1583 case FR_GREATERTE :
1584 if (tup < po) /* GT or EQ */
1585 err = 0;
1586 break;
1587 case FR_OUTRANGE :
1588 if (tup >= po && tup <= frp->frp_top) /* Out of range */
1589 err = 0;
1590 break;
1591 case FR_INRANGE :
1592 if (tup <= po || tup >= frp->frp_top) /* In range */
1593 err = 0;
1594 break;
1595 case FR_INCRANGE :
1596 if (tup < po || tup > frp->frp_top) /* Inclusive range */
1597 err = 0;
1598 break;
1599 default :
1600 break;
1601 }
1602 return err;
1603 }
1604
1605
1606 /* ------------------------------------------------------------------------ */
1607 /* Function: fr_tcpudpchk */
1608 /* Returns: int - 1 == protocol matched, 0 == check failed */
1609 /* Parameters: fin(I) - pointer to packet information */
1610 /* ft(I) - pointer to structure with comparison data */
1611 /* */
1612 /* Compares the current pcket (assuming it is TCP/UDP) information with a */
1613 /* structure containing information that we want to match against. */
1614 /* ------------------------------------------------------------------------ */
1615 int fr_tcpudpchk(fin, ft)
1616 fr_info_t *fin;
1617 frtuc_t *ft;
1618 {
1619 int err = 1;
1620
1621 /*
1622 * Both ports should *always* be in the first fragment.
1623 * So far, I cannot find any cases where they can not be.
1624 *
1625 * compare destination ports
1626 */
1627 if (ft->ftu_dcmp)
1628 err = fr_portcheck(&ft->ftu_dst, &fin->fin_dport);
1629
1630 /*
1631 * compare source ports
1632 */
1633 if (err && ft->ftu_scmp)
1634 err = fr_portcheck(&ft->ftu_src, &fin->fin_sport);
1635
1636 /*
1637 * If we don't have all the TCP/UDP header, then how can we
1638 * expect to do any sort of match on it ? If we were looking for
1639 * TCP flags, then NO match. If not, then match (which should
1640 * satisfy the "short" class too).
1641 */
1642 if (err && (fin->fin_p == IPPROTO_TCP)) {
1643 if (fin->fin_flx & FI_SHORT)
1644 return !(ft->ftu_tcpf | ft->ftu_tcpfm);
1645 /*
1646 * Match the flags ? If not, abort this match.
1647 */
1648 if (ft->ftu_tcpfm &&
1649 ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
1650 FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
1651 ft->ftu_tcpfm, ft->ftu_tcpf));
1652 err = 0;
1653 }
1654 }
1655 return err;
1656 }
1657
1658
1659 /* ------------------------------------------------------------------------ */
1660 /* Function: fr_ipfcheck */
1661 /* Returns: int - 0 == match, 1 == no match */
1662 /* Parameters: fin(I) - pointer to packet information */
1663 /* fr(I) - pointer to filter rule */
1664 /* portcmp(I) - flag indicating whether to attempt matching on */
1665 /* TCP/UDP port data. */
1666 /* */
1667 /* Check to see if a packet matches an IPFilter rule. Checks of addresses, */
1668 /* port numbers, etc, for "standard" IPFilter rules are all orchestrated in */
1669 /* this function. */
1670 /* ------------------------------------------------------------------------ */
1671 static INLINE int fr_ipfcheck(fin, fr, portcmp)
1672 fr_info_t *fin;
1673 frentry_t *fr;
1674 int portcmp;
1675 {
1676 u_32_t *ld, *lm, *lip;
1677 fripf_t *fri;
1678 fr_ip_t *fi;
1679 int i;
1680 ipf_stack_t *ifs = fin->fin_ifs;
1681
1682 fi = &fin->fin_fi;
1683 fri = fr->fr_ipf;
1684 lip = (u_32_t *)fi;
1685 lm = (u_32_t *)&fri->fri_mip;
1686 ld = (u_32_t *)&fri->fri_ip;
1687
1688 /*
1689 * first 32 bits to check coversion:
1690 * IP version, TOS, TTL, protocol
1691 */
1692 i = ((*lip & *lm) != *ld);
1693 FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
1694 *lip, *lm, *ld));
1695 if (i)
1696 return 1;
1697
1698 /*
1699 * Next 32 bits is a constructed bitmask indicating which IP options
1700 * are present (if any) in this packet.
1701 */
1702 lip++, lm++, ld++;
1703 i |= ((*lip & *lm) != *ld);
1704 FR_DEBUG(("1. %#08x & %#08x != %#08x\n",
1705 *lip, *lm, *ld));
1706 if (i)
1707 return 1;
1708
1709 lip++, lm++, ld++;
1710 /*
1711 * Unrolled loops (4 each, for 32 bits) for address checks.
1712 */
1713 /*
1714 * Check the source address.
1715 */
1716 #ifdef IPFILTER_LOOKUP
1717 if (fr->fr_satype == FRI_LOOKUP) {
1718 fin->fin_flx |= FI_DONTCACHE;
1719 i = (*fr->fr_srcfunc)(fr->fr_srcptr, fi->fi_v, lip, fin, ifs);
1720 if (i == -1)
1721 return 1;
1722 lip += 3;
1723 lm += 3;
1724 ld += 3;
1725 } else {
1726 #endif
1727 i = ((*lip & *lm) != *ld);
1728 FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
1729 *lip, *lm, *ld));
1730 if (fi->fi_v == 6) {
1731 lip++, lm++, ld++;
1732 i |= ((*lip & *lm) != *ld);
1733 FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
1734 *lip, *lm, *ld));
1735 lip++, lm++, ld++;
1736 i |= ((*lip & *lm) != *ld);
1737 FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
1738 *lip, *lm, *ld));
1739 lip++, lm++, ld++;
1740 i |= ((*lip & *lm) != *ld);
1741 FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
1742 *lip, *lm, *ld));
1743 } else {
1744 lip += 3;
1745 lm += 3;
1746 ld += 3;
1747 }
1748 #ifdef IPFILTER_LOOKUP
1749 }
1750 #endif
1751 i ^= (fr->fr_flags & FR_NOTSRCIP) >> 6;
1752 if (i)
1753 return 1;
1754
1755 /*
1756 * Check the destination address.
1757 */
1758 lip++, lm++, ld++;
1759 #ifdef IPFILTER_LOOKUP
1760 if (fr->fr_datype == FRI_LOOKUP) {
1761 fin->fin_flx |= FI_DONTCACHE;
1762 i = (*fr->fr_dstfunc)(fr->fr_dstptr, fi->fi_v, lip, fin, ifs);
1763 if (i == -1)
1764 return 1;
1765 lip += 3;
1766 lm += 3;
1767 ld += 3;
1768 } else {
1769 #endif
1770 i = ((*lip & *lm) != *ld);
1771 FR_DEBUG(("3a. %#08x & %#08x != %#08x\n",
1772 *lip, *lm, *ld));
1773 if (fi->fi_v == 6) {
1774 lip++, lm++, ld++;
1775 i |= ((*lip & *lm) != *ld);
1776 FR_DEBUG(("3b. %#08x & %#08x != %#08x\n",
1777 *lip, *lm, *ld));
1778 lip++, lm++, ld++;
1779 i |= ((*lip & *lm) != *ld);
1780 FR_DEBUG(("3c. %#08x & %#08x != %#08x\n",
1781 *lip, *lm, *ld));
1782 lip++, lm++, ld++;
1783 i |= ((*lip & *lm) != *ld);
1784 FR_DEBUG(("3d. %#08x & %#08x != %#08x\n",
1785 *lip, *lm, *ld));
1786 } else {
1787 lip += 3;
1788 lm += 3;
1789 ld += 3;
1790 }
1791 #ifdef IPFILTER_LOOKUP
1792 }
1793 #endif
1794 i ^= (fr->fr_flags & FR_NOTDSTIP) >> 7;
1795 if (i)
1796 return 1;
1797 /*
1798 * IP addresses matched. The next 32bits contains:
1799 * mast of old IP header security & authentication bits.
1800 */
1801 lip++, lm++, ld++;
1802 i |= ((*lip & *lm) != *ld);
1803 FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
1804 *lip, *lm, *ld));
1805
1806 /*
1807 * Next we have 32 bits of packet flags.
1808 */
1809 lip++, lm++, ld++;
1810 i |= ((*lip & *lm) != *ld);
1811 FR_DEBUG(("5. %#08x & %#08x != %#08x\n",
1812 *lip, *lm, *ld));
1813
1814 if (i == 0) {
1815 /*
1816 * If a fragment, then only the first has what we're
1817 * looking for here...
1818 */
1819 if (portcmp) {
1820 if (!fr_tcpudpchk(fin, &fr->fr_tuc))
1821 i = 1;
1822 } else {
1823 if (fr->fr_dcmp || fr->fr_scmp ||
1824 fr->fr_tcpf || fr->fr_tcpfm)
1825 i = 1;
1826 if (fr->fr_icmpm || fr->fr_icmp) {
1827 if (((fi->fi_p != IPPROTO_ICMP) &&
1828 (fi->fi_p != IPPROTO_ICMPV6)) ||
1829 fin->fin_off || (fin->fin_dlen < 2))
1830 i = 1;
1831 else if ((fin->fin_data[0] & fr->fr_icmpm) !=
1832 fr->fr_icmp) {
1833 FR_DEBUG(("i. %#x & %#x != %#x\n",
1834 fin->fin_data[0],
1835 fr->fr_icmpm, fr->fr_icmp));
1836 i = 1;
1837 }
1838 }
1839 }
1840 }
1841 return i;
1842 }
1843
1844
1845 /* ------------------------------------------------------------------------ */
1846 /* Function: fr_scanlist */
1847 /* Returns: int - result flags of scanning filter list */
1848 /* Parameters: fin(I) - pointer to packet information */
1849 /* pass(I) - default result to return for filtering */
1850 /* */
1851 /* Check the input/output list of rules for a match to the current packet. */
1852 /* If a match is found, the value of fr_flags from the rule becomes the */
1853 /* return value and fin->fin_fr points to the matched rule. */
1854 /* */
1855 /* This function may be called recusively upto 16 times (limit inbuilt.) */
1856 /* When unwinding, it should finish up with fin_depth as 0. */
1857 /* */
1858 /* Could be per interface, but this gets real nasty when you don't have, */
1859 /* or can't easily change, the kernel source code to . */
1860 /* ------------------------------------------------------------------------ */
1861 int fr_scanlist(fin, pass)
1862 fr_info_t *fin;
1863 u_32_t pass;
1864 {
1865 int rulen, portcmp, off, logged, skip;
1866 struct frentry *fr, *fnext;
1867 u_32_t passt, passo;
1868 ipf_stack_t *ifs = fin->fin_ifs;
1869
1870 /*
1871 * Do not allow nesting deeper than 16 levels.
1872 */
1873 if (fin->fin_depth >= 16)
1874 return pass;
1875
1876 fr = fin->fin_fr;
1877
1878 /*
1879 * If there are no rules in this list, return now.
1880 */
1881 if (fr == NULL)
1882 return pass;
1883
1884 skip = 0;
1885 logged = 0;
1886 portcmp = 0;
1887 fin->fin_depth++;
1888 fin->fin_fr = NULL;
1889 off = fin->fin_off;
1890
1891 if ((fin->fin_flx & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
1892 portcmp = 1;
1893
1894 for (rulen = 0; fr; fr = fnext, rulen++) {
1895 fnext = fr->fr_next;
1896 if (skip != 0) {
1897 FR_VERBOSE(("%d (%#x)\n", skip, fr->fr_flags));
1898 skip--;
1899 continue;
1900 }
1901
1902 /*
1903 * In all checks below, a null (zero) value in the
1904 * filter struture is taken to mean a wildcard.
1905 *
1906 * check that we are working for the right interface
1907 */
1908 #ifdef _KERNEL
1909 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
1910 continue;
1911 #else
1912 if (opts & (OPT_VERBOSE|OPT_DEBUG))
1913 printf("\n");
1914 FR_VERBOSE(("%c", FR_ISSKIP(pass) ? 's' :
1915 FR_ISPASS(pass) ? 'p' :
1916 FR_ISACCOUNT(pass) ? 'A' :
1917 FR_ISAUTH(pass) ? 'a' :
1918 (pass & FR_NOMATCH) ? 'n' :'b'));
1919 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
1920 continue;
1921 FR_VERBOSE((":i"));
1922 #endif
1923
1924 switch (fr->fr_type)
1925 {
1926 case FR_T_IPF :
1927 case FR_T_IPF|FR_T_BUILTIN :
1928 if (fr_ipfcheck(fin, fr, portcmp))
1929 continue;
1930 break;
1931 #if defined(IPFILTER_BPF)
1932 case FR_T_BPFOPC :
1933 case FR_T_BPFOPC|FR_T_BUILTIN :
1934 {
1935 u_char *mc;
1936
1937 if (*fin->fin_mp == NULL)
1938 continue;
1939 if (fin->fin_v != fr->fr_v)
1940 continue;
1941 mc = (u_char *)fin->fin_m;
1942 if (!bpf_filter(fr->fr_data, mc, fin->fin_plen, 0))
1943 continue;
1944 break;
1945 }
1946 #endif
1947 case FR_T_CALLFUNC|FR_T_BUILTIN :
1948 {
1949 frentry_t *f;
1950
1951 f = (*fr->fr_func)(fin, &pass);
1952 if (f != NULL)
1953 fr = f;
1954 else
1955 continue;
1956 break;
1957 }
1958 default :
1959 break;
1960 }
1961
1962 if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
1963 if (fin->fin_nattag == NULL)
1964 continue;
1965 if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) == 0)
1966 continue;
1967 }
1968 FR_VERBOSE(("=%s.%d *", fr->fr_group, rulen));
1969
1970 passt = fr->fr_flags;
1971
1972 /*
1973 * Allowing a rule with the "keep state" flag set to match
1974 * packets that have been tagged "out of window" by the TCP
1975 * state tracking is foolish as the attempt to add a new
1976 * state entry to the table will fail.
1977 */
1978 if ((passt & FR_KEEPSTATE) && (fin->fin_flx & FI_OOW))
1979 continue;
1980
1981 /*
1982 * If the rule is a "call now" rule, then call the function
1983 * in the rule, if it exists and use the results from that.
1984 * If the function pointer is bad, just make like we ignore
1985 * it, except for increasing the hit counter.
1986 */
1987 IPF_BUMP(fr->fr_hits);
1988 fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
1989 if ((passt & FR_CALLNOW) != 0) {
1990 if ((fr->fr_func != NULL) &&
1991 (fr->fr_func != (ipfunc_t)-1)) {
1992 frentry_t *frs;
1993
1994 frs = fin->fin_fr;
1995 fin->fin_fr = fr;
1996 fr = (*fr->fr_func)(fin, &passt);
1997 if (fr == NULL) {
1998 fin->fin_fr = frs;
1999 continue;
2000 }
2001 passt = fr->fr_flags;
2002 fin->fin_fr = fr;
2003 }
2004 } else {
2005 fin->fin_fr = fr;
2006 }
2007
2008 #ifdef IPFILTER_LOG
2009 /*
2010 * Just log this packet...
2011 */
2012 if ((passt & FR_LOGMASK) == FR_LOG) {
2013 if (ipflog(fin, passt) == -1) {
2014 if (passt & FR_LOGORBLOCK) {
2015 passt &= ~FR_CMDMASK;
2016 passt |= FR_BLOCK|FR_QUICK;
2017 }
2018 IPF_BUMP(ifs->ifs_frstats[fin->fin_out].fr_skip);
2019 }
2020 IPF_BUMP(ifs->ifs_frstats[fin->fin_out].fr_pkl);
2021 logged = 1;
2022 }
2023 #endif /* IPFILTER_LOG */
2024 passo = pass;
2025 if (FR_ISSKIP(passt))
2026 skip = fr->fr_arg;
2027 else if ((passt & FR_LOGMASK) != FR_LOG)
2028 pass = passt;
2029 if (passt & (FR_RETICMP|FR_FAKEICMP))
2030 fin->fin_icode = fr->fr_icode;
2031 FR_DEBUG(("pass %#x\n", pass));
2032 fin->fin_rule = rulen;
2033 (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
2034 if (fr->fr_grp != NULL) {
2035 fin->fin_fr = *fr->fr_grp;
2036 pass = fr_scanlist(fin, pass);
2037 if (fin->fin_fr == NULL) {
2038 fin->fin_rule = rulen;
2039 (void) strncpy(fin->fin_group, fr->fr_group,
2040 FR_GROUPLEN);
2041 fin->fin_fr = fr;
2042 }
2043 if (fin->fin_flx & FI_DONTCACHE)
2044 logged = 1;
2045 }
2046
2047 if (pass & FR_QUICK) {
2048 /*
2049 * Finally, if we've asked to track state for this
2050 * packet, set it up. Add state for "quick" rules
2051 * here so that if the action fails we can consider
2052 * the rule to "not match" and keep on processing
2053 * filter rules.
2054 */
2055 if ((pass & FR_KEEPSTATE) &&
2056 !(fin->fin_flx & FI_STATE)) {
2057 int out = fin->fin_out;
2058
2059 if (fr_addstate(fin, NULL, 0) != NULL) {
2060 IPF_BUMP(ifs->ifs_frstats[out].fr_ads);
2061 } else {
2062 IPF_BUMP(ifs->ifs_frstats[out].fr_bads);
2063 pass = passo;
2064 continue;
2065 }
2066 }
2067 break;
2068 }
2069 }
2070 if (logged)
2071 fin->fin_flx |= FI_DONTCACHE;
2072 fin->fin_depth--;
2073 return pass;
2074 }
2075
2076
2077 /* ------------------------------------------------------------------------ */
2078 /* Function: fr_acctpkt */
2079 /* Returns: frentry_t* - always returns NULL */
2080 /* Parameters: fin(I) - pointer to packet information */
2081 /* passp(IO) - pointer to current/new filter decision (unused) */
2082 /* */
2083 /* Checks a packet against accounting rules, if there are any for the given */
2084 /* IP protocol version. */
2085 /* */
2086 /* N.B.: this function returns NULL to match the prototype used by other */
2087 /* functions called from the IPFilter "mainline" in fr_check(). */
2088 /* ------------------------------------------------------------------------ */
2089 frentry_t *fr_acctpkt(fin, passp)
2090 fr_info_t *fin;
2091 u_32_t *passp;
2092 {
2093 char group[FR_GROUPLEN];
2094 frentry_t *fr, *frsave;
2095 u_32_t pass, rulen;
2096 ipf_stack_t *ifs = fin->fin_ifs;
2097
2098 passp = passp;
2099 #ifdef USE_INET6
2100 if (fin->fin_v == 6)
2101 fr = ifs->ifs_ipacct6[fin->fin_out][ifs->ifs_fr_active];
2102 else
2103 #endif
2104 fr = ifs->ifs_ipacct[fin->fin_out][ifs->ifs_fr_active];
2105
2106 if (fr != NULL) {
2107 frsave = fin->fin_fr;
2108 bcopy(fin->fin_group, group, FR_GROUPLEN);
2109 rulen = fin->fin_rule;
2110 fin->fin_fr = fr;
2111 pass = fr_scanlist(fin, FR_NOMATCH);
2112 if (FR_ISACCOUNT(pass)) {
2113 IPF_BUMP(ifs->ifs_frstats[0].fr_acct);
2114 }
2115 fin->fin_fr = frsave;
2116 bcopy(group, fin->fin_group, FR_GROUPLEN);
2117 fin->fin_rule = rulen;
2118 }
2119 return NULL;
2120 }
2121
2122
2123 /* ------------------------------------------------------------------------ */
2124 /* Function: fr_firewall */
2125 /* Returns: frentry_t* - returns pointer to matched rule, if no matches */
2126 /* were found, returns NULL. */
2127 /* Parameters: fin(I) - pointer to packet information */
2128 /* passp(IO) - pointer to current/new filter decision (unused) */
2129 /* */
2130 /* Applies an appropriate set of firewall rules to the packet, to see if */
2131 /* there are any matches. The first check is to see if a match can be seen */
2132 /* in the cache. If not, then search an appropriate list of rules. Once a */
2133 /* matching rule is found, take any appropriate actions as defined by the */
2134 /* rule - except logging. */
2135 /* ------------------------------------------------------------------------ */
2136 static frentry_t *fr_firewall(fin, passp)
2137 fr_info_t *fin;
2138 u_32_t *passp;
2139 {
2140 frentry_t *fr;
2141 fr_info_t *fc;
2142 u_32_t pass;
2143 int out;
2144 ipf_stack_t *ifs = fin->fin_ifs;
2145
2146 out = fin->fin_out;
2147 pass = *passp;
2148
2149 #ifdef USE_INET6
2150 if (fin->fin_v == 6)
2151 fin->fin_fr = ifs->ifs_ipfilter6[out][ifs->ifs_fr_active];
2152 else
2153 #endif
2154 fin->fin_fr = ifs->ifs_ipfilter[out][ifs->ifs_fr_active];
2155
2156 /*
2157 * If there are no rules loaded skip all checks and return.
2158 */
2159 if (fin->fin_fr == NULL) {
2160
2161 if ((pass & FR_NOMATCH)) {
2162 IPF_BUMP(ifs->ifs_frstats[out].fr_nom);
2163 }
2164
2165 return (NULL);
2166 }
2167
2168 fc = &ifs->ifs_frcache[out][CACHE_HASH(fin)];
2169 READ_ENTER(&ifs->ifs_ipf_frcache);
2170 if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
2171 /*
2172 * copy cached data so we can unlock the mutexes earlier.
2173 */
2174 bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
2175 RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
2176 IPF_BUMP(ifs->ifs_frstats[out].fr_chit);
2177
2178 if ((fr = fin->fin_fr) != NULL) {
2179 IPF_BUMP(fr->fr_hits);
2180 fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
2181 pass = fr->fr_flags;
2182 }
2183 } else {
2184 RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
2185
2186 pass = fr_scanlist(fin, ifs->ifs_fr_pass);
2187
2188 if (((pass & FR_KEEPSTATE) == 0) &&
2189 ((fin->fin_flx & FI_DONTCACHE) == 0)) {
2190 WRITE_ENTER(&ifs->ifs_ipf_frcache);
2191 bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
2192 RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
2193 }
2194
2195 fr = fin->fin_fr;
2196 }
2197
2198 if ((pass & FR_NOMATCH)) {
2199 IPF_BUMP(ifs->ifs_frstats[out].fr_nom);
2200 }
2201
2202 /*
2203 * Apply packets per second rate-limiting to a rule as required.
2204 */
2205 if ((fr != NULL) && (fr->fr_pps != 0) &&
2206 !ppsratecheck(&fr->fr_lastpkt, &fr->fr_curpps, fr->fr_pps)) {
2207 pass &= ~(FR_CMDMASK|FR_DUP|FR_RETICMP|FR_RETRST);
2208 pass |= FR_BLOCK;
2209 IPF_BUMP(ifs->ifs_frstats[out].fr_ppshit);
2210 }
2211
2212 /*
2213 * If we fail to add a packet to the authorization queue, then we
2214 * drop the packet later. However, if it was added then pretend
2215 * we've dropped it already.
2216 */
2217 if (FR_ISAUTH(pass)) {
2218 if (fr_newauth(fin->fin_m, fin) != 0) {
2219 #ifdef _KERNEL
2220 fin->fin_m = *fin->fin_mp = NULL;
2221 #else
2222 ;
2223 #endif
2224 fin->fin_error = 0;
2225 } else
2226 fin->fin_error = ENOSPC;
2227 }
2228
2229 if ((fr != NULL) && (fr->fr_func != NULL) &&
2230 (fr->fr_func != (ipfunc_t)-1) && !(pass & FR_CALLNOW))
2231 (void) (*fr->fr_func)(fin, &pass);
2232
2233 /*
2234 * If a rule is a pre-auth rule, check again in the list of rules
2235 * loaded for authenticated use. It does not particulary matter
2236 * if this search fails because a "preauth" result, from a rule,
2237 * is treated as "not a pass", hence the packet is blocked.
2238 */
2239 if (FR_ISPREAUTH(pass)) {
2240 if ((fin->fin_fr = ifs->ifs_ipauth) != NULL)
2241 pass = fr_scanlist(fin, ifs->ifs_fr_pass);
2242 }
2243
2244 /*
2245 * If the rule has "keep frag" and the packet is actually a fragment,
2246 * then create a fragment state entry.
2247 */
2248 if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
2249 if (fin->fin_flx & FI_FRAG) {
2250 if (fr_newfrag(fin, pass) == -1) {
2251 IPF_BUMP(ifs->ifs_frstats[out].fr_bnfr);
2252 } else {
2253 IPF_BUMP(ifs->ifs_frstats[out].fr_nfr);
2254 }
2255 } else {
2256 IPF_BUMP(ifs->ifs_frstats[out].fr_cfr);
2257 }
2258 }
2259
2260 /*
2261 * Finally, if we've asked to track state for this packet, set it up.
2262 */
2263 if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
2264 if (fr_addstate(fin, NULL, 0) != NULL) {
2265 IPF_BUMP(ifs->ifs_frstats[out].fr_ads);
2266 } else {
2267 IPF_BUMP(ifs->ifs_frstats[out].fr_bads);
2268 if (FR_ISPASS(pass)) {
2269 pass &= ~FR_CMDMASK;
2270 pass |= FR_BLOCK;
2271 }
2272 }
2273 }
2274
2275 fr = fin->fin_fr;
2276
2277 if (passp != NULL)
2278 *passp = pass;
2279
2280 return fr;
2281 }
2282
2283 /* ------------------------------------------------------------------------ */
2284 /* Function: fr_check */
2285 /* Returns: int - 0 == packet allowed through, */
2286 /* User space: */
2287 /* -1 == packet blocked */
2288 /* 1 == packet not matched */
2289 /* -2 == requires authentication */
2290 /* Kernel: */
2291 /* > 0 == filter error # for packet */
2292 /* Parameters: ip(I) - pointer to start of IPv4/6 packet */
2293 /* hlen(I) - length of header */
2294 /* ifp(I) - pointer to interface this packet is on */
2295 /* out(I) - 0 == packet going in, 1 == packet going out */
2296 /* mp(IO) - pointer to caller's buffer pointer that holds this */
2297 /* IP packet. */
2298 /* Solaris & HP-UX ONLY : */
2299 /* qpi(I) - pointer to STREAMS queue information for this */
2300 /* interface & direction. */
2301 /* */
2302 /* fr_check() is the master function for all IPFilter packet processing. */
2303 /* It orchestrates: Network Address Translation (NAT), checking for packet */
2304 /* authorisation (or pre-authorisation), presence of related state info., */
2305 /* generating log entries, IP packet accounting, routing of packets as */
2306 /* directed by firewall rules and of course whether or not to allow the */
2307 /* packet to be further processed by the kernel. */
2308 /* */
2309 /* For packets blocked, the contents of "mp" will be NULL'd and the buffer */
2310 /* freed. Packets passed may be returned with the pointer pointed to by */
2311 /* by "mp" changed to a new buffer. */
2312 /* ------------------------------------------------------------------------ */
2313 int fr_check(ip, hlen, ifp, out
2314 #if defined(_KERNEL) && defined(MENTAT)
2315 , qif, mp, ifs)
2316 void *qif;
2317 #else
2318 , mp, ifs)
2319 #endif
2320 mb_t **mp;
2321 ip_t *ip;
2322 int hlen;
2323 void *ifp;
2324 int out;
2325 ipf_stack_t *ifs;
2326 {
2327 /*
2328 * The above really sucks, but short of writing a diff
2329 */
2330 fr_info_t frinfo;
2331 fr_info_t *fin = &frinfo;
2332 u_32_t pass;
2333 frentry_t *fr = NULL;
2334 int v = IP_V(ip);
2335 mb_t *mc = NULL;
2336 mb_t *m;
2337 #ifdef USE_INET6
2338 ip6_t *ip6;
2339 #endif
2340 #ifdef _KERNEL
2341 # ifdef MENTAT
2342 qpktinfo_t *qpi = qif;
2343 #endif
2344 #endif
2345
2346 SPL_INT(s);
2347 pass = ifs->ifs_fr_pass;
2348
2349 /*
2350 * The first part of fr_check() deals with making sure that what goes
2351 * into the filtering engine makes some sense. Information about the
2352 * the packet is distilled, collected into a fr_info_t structure and
2353 * the an attempt to ensure the buffer the packet is in is big enough
2354 * to hold all the required packet headers.
2355 */
2356 #ifdef _KERNEL
2357 # ifdef MENTAT
2358 if (!OK_32PTR(ip))
2359 return 2;
2360 # endif
2361
2362
2363 if (ifs->ifs_fr_running <= 0) {
2364 return 0;
2365 }
2366
2367 bzero((char *)fin, sizeof(*fin));
2368
2369 # ifdef MENTAT
2370 fin->fin_flx = qpi->qpi_flags & (FI_NOCKSUM|FI_MBCAST|FI_MULTICAST|
2371 FI_BROADCAST);
2372 m = qpi->qpi_m;
2373 fin->fin_qfm = m;
2374 fin->fin_qpi = qpi;
2375 # else /* MENTAT */
2376
2377 m = *mp;
2378
2379 # if defined(M_MCAST)
2380 if ((m->m_flags & M_MCAST) != 0)
2381 fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
2382 # endif
2383 # if defined(M_MLOOP)
2384 if ((m->m_flags & M_MLOOP) != 0)
2385 fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
2386 # endif
2387 # if defined(M_BCAST)
2388 if ((m->m_flags & M_BCAST) != 0)
2389 fin->fin_flx |= FI_MBCAST|FI_BROADCAST;
2390 # endif
2391 # ifdef M_CANFASTFWD
2392 /*
2393 * XXX For now, IP Filter and fast-forwarding of cached flows
2394 * XXX are mutually exclusive. Eventually, IP Filter should
2395 * XXX get a "can-fast-forward" filter rule.
2396 */
2397 m->m_flags &= ~M_CANFASTFWD;
2398 # endif /* M_CANFASTFWD */
2399 # ifdef CSUM_DELAY_DATA
2400 /*
2401 * disable delayed checksums.
2402 */
2403 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
2404 in_delayed_cksum(m);
2405 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
2406 }
2407 # endif /* CSUM_DELAY_DATA */
2408 # endif /* MENTAT */
2409 #else
2410
2411 bzero((char *)fin, sizeof(*fin));
2412 m = *mp;
2413 #endif /* _KERNEL */
2414
2415 fin->fin_v = v;
2416 fin->fin_m = m;
2417 fin->fin_ip = ip;
2418 fin->fin_mp = mp;
2419 fin->fin_out = out;
2420 fin->fin_ifp = ifp;
2421 fin->fin_error = ENETUNREACH;
2422 fin->fin_hlen = (u_short)hlen;
2423 fin->fin_dp = (char *)ip + hlen;
2424 fin->fin_ipoff = (char *)ip - MTOD(m, char *);
2425 fin->fin_ifs = ifs;
2426
2427 SPL_NET(s);
2428
2429 #ifdef USE_INET6
2430 if (v == 6) {
2431 IPF_BUMP(ifs->ifs_frstats[out].fr_ipv6);
2432 /*
2433 * Jumbo grams are quite likely too big for internal buffer
2434 * structures to handle comfortably, for now, so just drop
2435 * them.
2436 */
2437 ip6 = (ip6_t *)ip;
2438 fin->fin_plen = ntohs(ip6->ip6_plen);
2439 if (fin->fin_plen == 0) {
2440 READ_ENTER(&ifs->ifs_ipf_mutex);
2441 pass = FR_BLOCK|FR_NOMATCH;
2442 goto filtered;
2443 }
2444 fin->fin_plen += sizeof(ip6_t);
2445 } else
2446 #endif
2447 {
2448 #if (OpenBSD >= 200311) && defined(_KERNEL)
2449 ip->ip_len = ntohs(ip->ip_len);
2450 ip->ip_off = ntohs(ip->ip_off);
2451 #endif
2452 fin->fin_plen = ip->ip_len;
2453 }
2454
2455 if (fr_makefrip(hlen, ip, fin) == -1) {
2456 READ_ENTER(&ifs->ifs_ipf_mutex);
2457 pass = FR_BLOCK;
2458 goto filtered;
2459 }
2460
2461 /*
2462 * For at least IPv6 packets, if a m_pullup() fails then this pointer
2463 * becomes NULL and so we have no packet to free.
2464 */
2465 if (*fin->fin_mp == NULL)
2466 goto finished;
2467
2468 if (!out) {
2469 if (v == 4) {
2470 #ifdef _KERNEL
2471 if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) {
2472 IPF_BUMP(ifs->ifs_frstats[0].fr_badsrc);
2473 fin->fin_flx |= FI_BADSRC;
2474 }
2475 #endif
2476 if (fin->fin_ip->ip_ttl < ifs->ifs_fr_minttl) {
2477 IPF_BUMP(ifs->ifs_frstats[0].fr_badttl);
2478 fin->fin_flx |= FI_LOWTTL;
2479 }
2480 }
2481 #ifdef USE_INET6
2482 else if (v == 6) {
2483 ip6 = (ip6_t *)ip;
2484 #ifdef _KERNEL
2485 if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) {
2486 IPF_BUMP(ifs->ifs_frstats[0].fr_badsrc);
2487 fin->fin_flx |= FI_BADSRC;
2488 }
2489 #endif
2490 if (ip6->ip6_hlim < ifs->ifs_fr_minttl) {
2491 IPF_BUMP(ifs->ifs_frstats[0].fr_badttl);
2492 fin->fin_flx |= FI_LOWTTL;
2493 }
2494 }
2495 #endif
2496 }
2497
2498 if (fin->fin_flx & FI_SHORT) {
2499 IPF_BUMP(ifs->ifs_frstats[out].fr_short);
2500 }
2501
2502 READ_ENTER(&ifs->ifs_ipf_mutex);
2503
2504 /*
2505 * Check auth now. This, combined with the check below to see if apass
2506 * is 0 is to ensure that we don't count the packet twice, which can
2507 * otherwise occur when we reprocess it. As it is, we only count it
2508 * after it has no auth. table matchup. This also stops NAT from
2509 * occuring until after the packet has been auth'd.
2510 */
2511 fr = fr_checkauth(fin, &pass);
2512 if (!out) {
2513 switch (fin->fin_v)
2514 {
2515 case 4 :
2516 if (fr_checknatin(fin, &pass) == -1) {
2517 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2518 goto finished;
2519 }
2520 break;
2521 #ifdef USE_INET6
2522 case 6 :
2523 if (fr_checknat6in(fin, &pass) == -1) {
2524 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2525 goto finished;
2526 }
2527 break;
2528 #endif
2529 default :
2530 break;
2531 }
2532 }
2533 if (!out)
2534 (void) fr_acctpkt(fin, NULL);
2535
2536 if (fr == NULL)
2537 if ((fin->fin_flx & (FI_FRAG|FI_BAD)) == FI_FRAG)
2538 fr = fr_knownfrag(fin, &pass);
2539 if (fr == NULL)
2540 fr = fr_checkstate(fin, &pass);
2541
2542 if ((pass & FR_NOMATCH) || (fr == NULL))
2543 fr = fr_firewall(fin, &pass);
2544
2545 fin->fin_fr = fr;
2546
2547 /*
2548 * Only count/translate packets which will be passed on, out the
2549 * interface.
2550 */
2551 if (out && FR_ISPASS(pass)) {
2552 (void) fr_acctpkt(fin, NULL);
2553
2554 switch (fin->fin_v)
2555 {
2556 case 4 :
2557 if (fr_checknatout(fin, &pass) == -1) {
2558 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2559 goto finished;
2560 }
2561 break;
2562 #ifdef USE_INET6
2563 case 6 :
2564 if (fr_checknat6out(fin, &pass) == -1) {
2565 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2566 goto finished;
2567 }
2568 break;
2569 #endif
2570 default :
2571 break;
2572 }
2573
2574 if ((ifs->ifs_fr_update_ipid != 0) && (v == 4)) {
2575 if (fr_updateipid(fin) == -1) {
2576 IPF_BUMP(ifs->ifs_frstats[1].fr_ipud);
2577 pass &= ~FR_CMDMASK;
2578 pass |= FR_BLOCK;
2579 } else {
2580 IPF_BUMP(ifs->ifs_frstats[0].fr_ipud);
2581 }
2582 }
2583 }
2584
2585 #ifdef IPFILTER_LOG
2586 if ((ifs->ifs_fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
2587 (void) fr_dolog(fin, &pass);
2588 }
2589 #endif
2590
2591 if (IFS_CFWLOG(ifs) && FR_ISBLOCK(pass))
2592 ipf_block_cfwlog(fr, fin, ifs);
2593
2594 /*
2595 * The FI_STATE flag is cleared here so that calling fr_checkstate
2596 * will work when called from inside of fr_fastroute. Although
2597 * there is a similar flag, FI_NATED, for NAT, it does have the same
2598 * impact on code execution.
2599 */
2600 fin->fin_flx &= ~FI_STATE;
2601
2602 /*
2603 * Only allow FR_DUP to work if a rule matched - it makes no sense to
2604 * set FR_DUP as a "default" as there are no instructions about where
2605 * to send the packet. Use fin_m here because it may have changed
2606 * (without an update of 'm') in prior processing.
2607 */
2608 if ((fr != NULL) && (pass & FR_DUP)) {
2609 mc = M_DUPLICATE(fin->fin_m);
2610 #ifdef _KERNEL
2611 mc->b_rptr += fin->fin_ipoff;
2612 #endif
2613 }
2614
2615 /*
2616 * We don't want to send RST for packets, which are going to be
2617 * dropped, just because they don't fit into TCP window. Those packets
2618 * will be dropped silently. In other words, we want to drop packet,
2619 * while keeping session alive.
2620 */
2621 if ((pass & (FR_RETRST|FR_RETICMP)) && ((fin->fin_flx & FI_OOW) == 0)) {
2622 /*
2623 * Should we return an ICMP packet to indicate error
2624 * status passing through the packet filter ?
2625 * WARNING: ICMP error packets AND TCP RST packets should
2626 * ONLY be sent in repsonse to incoming packets. Sending them
2627 * in response to outbound packets can result in a panic on
2628 * some operating systems.
2629 */
2630 if (!out) {
2631 if (pass & FR_RETICMP) {
2632 int dst;
2633
2634 if ((pass & FR_RETMASK) == FR_FAKEICMP)
2635 dst = 1;
2636 else
2637 dst = 0;
2638 #if defined(_KERNEL) && (SOLARIS2 >= 10)
2639 /*
2640 * Assume it's possible to enter insane rule:
2641 * pass return-icmp in proto udp ...
2642 * then we have no other option than to forward
2643 * packet on loopback and give up any attempt
2644 * to create a fake response.
2645 */
2646 if (IPF_IS_LOOPBACK(qpi->qpi_flags) &&
2647 FR_ISBLOCK(pass)) {
2648
2649 if (fr_make_icmp(fin) == 0) {
2650 IPF_BUMP(
2651 ifs->ifs_frstats[out].fr_ret);
2652 }
2653 /*
2654 * we drop packet silently in case we
2655 * failed assemble fake response for it
2656 */
2657 else if (*mp != NULL) {
2658 FREE_MB_T(*mp);
2659 m = *mp = NULL;
2660 }
2661
2662 IPF_BUMP(
2663 ifs->ifs_frstats[out].fr_block);
2664 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2665
2666 return (0);
2667 }
2668 #endif /* _KERNEL && SOLARIS2 >= 10 */
2669
2670 (void) fr_send_icmp_err(ICMP_UNREACH, fin, dst);
2671 IPF_BUMP(ifs->ifs_frstats[out].fr_ret);
2672
2673 } else if (((pass & FR_RETMASK) == FR_RETRST) &&
2674 !(fin->fin_flx & FI_SHORT)) {
2675
2676 #if defined(_KERNEL) && (SOLARIS2 >= 10)
2677 /*
2678 * Assume it's possible to enter insane rule:
2679 * pass return-rst in proto tcp ...
2680 * then we have no other option than to forward
2681 * packet on loopback and give up any attempt
2682 * to create a fake response.
2683 */
2684 if (IPF_IS_LOOPBACK(qpi->qpi_flags) &&
2685 FR_ISBLOCK(pass)) {
2686 if (fr_make_rst(fin) == 0) {
2687 IPF_BUMP(
2688 ifs->ifs_frstats[out].fr_ret);
2689 }
2690 else if (mp != NULL) {
2691 /*
2692 * we drop packet silently in case we
2693 * failed assemble fake response for it
2694 */
2695 FREE_MB_T(*mp);
2696 m = *mp = NULL;
2697 }
2698
2699 IPF_BUMP(
2700 ifs->ifs_frstats[out].fr_block);
2701 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2702
2703 return (0);
2704 }
2705 #endif /* _KERNEL && _SOLARIS2 >= 10 */
2706 if (fr_send_reset(fin) == 0) {
2707 IPF_BUMP(ifs->ifs_frstats[1].fr_ret);
2708 }
2709 }
2710 } else {
2711 if (pass & FR_RETRST)
2712 fin->fin_error = ECONNRESET;
2713 }
2714 }
2715
2716 /*
2717 * If we didn't drop off the bottom of the list of rules (and thus
2718 * the 'current' rule fr is not NULL), then we may have some extra
2719 * instructions about what to do with a packet.
2720 * Once we're finished return to our caller, freeing the packet if
2721 * we are dropping it (* BSD ONLY *).
2722 * Reassign m from fin_m as we may have a new buffer, now.
2723 */
2724 filtered:
2725 m = fin->fin_m;
2726
2727 if (fr != NULL) {
2728 frdest_t *fdp;
2729
2730 fdp = &fr->fr_tifs[fin->fin_rev];
2731
2732 if (!out && (pass & FR_FASTROUTE)) {
2733 /*
2734 * For fastroute rule, no destioation interface defined
2735 * so pass NULL as the frdest_t parameter
2736 */
2737 (void) fr_fastroute(m, mp, fin, NULL);
2738 m = *mp = NULL;
2739 } else if ((fdp->fd_ifp != NULL) &&
2740 (fdp->fd_ifp != (struct ifnet *)-1)) {
2741 /* this is for to rules: */
2742 (void) fr_fastroute(m, mp, fin, fdp);
2743 m = *mp = NULL;
2744 }
2745
2746 /*
2747 * Send a duplicated packet.
2748 */
2749 if (mc != NULL) {
2750 #if defined(_KERNEL) && (SOLARIS2 >= 10)
2751 /*
2752 * We are going to compute chksum for copies of loopback packets
2753 * only. IP stack does not compute chksums at all for loopback
2754 * packets. We want to get it fixed in their copies, since those
2755 * are going to be sent to network.
2756 */
2757 if (IPF_IS_LOOPBACK(qpi->qpi_flags))
2758 fr_calc_chksum(fin, mc);
2759 #endif
2760 (void) fr_fastroute(mc, &mc, fin, &fr->fr_dif);
2761 }
2762 }
2763
2764 if (FR_ISBLOCK(pass) && (fin->fin_flx & FI_NEWNAT))
2765 nat_uncreate(fin);
2766
2767 /*
2768 * This late because the likes of fr_fastroute() use fin_fr.
2769 */
2770 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
2771
2772 finished:
2773 if (!FR_ISPASS(pass)) {
2774 IPF_BUMP(ifs->ifs_frstats[out].fr_block);
2775 if (*mp != NULL) {
2776 FREE_MB_T(*mp);
2777 m = *mp = NULL;
2778 }
2779 } else {
2780 IPF_BUMP(ifs->ifs_frstats[out].fr_pass);
2781 #if defined(_KERNEL) && defined(__sgi)
2782 if ((fin->fin_hbuf != NULL) &&
2783 (mtod(fin->fin_m, struct ip *) != fin->fin_ip)) {
2784 COPYBACK(m, 0, fin->fin_plen, fin->fin_hbuf);
2785 }
2786 #endif
2787 }
2788
2789 SPL_X(s);
2790
2791 #ifdef _KERNEL
2792 # if OpenBSD >= 200311
2793 if (FR_ISPASS(pass) && (v == 4)) {
2794 ip = fin->fin_ip;
2795 ip->ip_len = ntohs(ip->ip_len);
2796 ip->ip_off = ntohs(ip->ip_off);
2797 }
2798 # endif
2799 return (FR_ISPASS(pass)) ? 0 : fin->fin_error;
2800 #else /* _KERNEL */
2801 FR_VERBOSE(("fin_flx %#x pass %#x ", fin->fin_flx, pass));
2802 if ((pass & FR_NOMATCH) != 0)
2803 return 1;
2804
2805 if ((pass & FR_RETMASK) != 0)
2806 switch (pass & FR_RETMASK)
2807 {
2808 case FR_RETRST :
2809 return 3;
2810 case FR_RETICMP :
2811 return 4;
2812 case FR_FAKEICMP :
2813 return 5;
2814 }
2815
2816 switch (pass & FR_CMDMASK)
2817 {
2818 case FR_PASS :
2819 return 0;
2820 case FR_BLOCK :
2821 return -1;
2822 case FR_AUTH :
2823 return -2;
2824 case FR_ACCOUNT :
2825 return -3;
2826 case FR_PREAUTH :
2827 return -4;
2828 }
2829 return 2;
2830 #endif /* _KERNEL */
2831 }
2832
2833
2834 #ifdef IPFILTER_LOG
2835 /* ------------------------------------------------------------------------ */
2836 /* Function: fr_dolog */
2837 /* Returns: frentry_t* - returns contents of fin_fr (no change made) */
2838 /* Parameters: fin(I) - pointer to packet information */
2839 /* passp(IO) - pointer to current/new filter decision (unused) */
2840 /* */
2841 /* Checks flags set to see how a packet should be logged, if it is to be */
2842 /* logged. Adjust statistics based on its success or not. */
2843 /* ------------------------------------------------------------------------ */
2844 frentry_t *fr_dolog(fin, passp)
2845 fr_info_t *fin;
2846 u_32_t *passp;
2847 {
2848 u_32_t pass;
2849 int out;
2850 ipf_stack_t *ifs = fin->fin_ifs;
2851
2852 out = fin->fin_out;
2853 pass = *passp;
2854
2855 if ((ifs->ifs_fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
2856 pass |= FF_LOGNOMATCH;
2857 IPF_BUMP(ifs->ifs_frstats[out].fr_npkl);
2858 goto logit;
2859 } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
2860 (FR_ISPASS(pass) && (ifs->ifs_fr_flags & FF_LOGPASS))) {
2861 if ((pass & FR_LOGMASK) != FR_LOGP)
2862 pass |= FF_LOGPASS;
2863 IPF_BUMP(ifs->ifs_frstats[out].fr_ppkl);
2864 goto logit;
2865 } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
2866 (FR_ISBLOCK(pass) && (ifs->ifs_fr_flags & FF_LOGBLOCK))) {
2867 if ((pass & FR_LOGMASK) != FR_LOGB)
2868 pass |= FF_LOGBLOCK;
2869 IPF_BUMP(ifs->ifs_frstats[out].fr_bpkl);
2870 logit:
2871 if (ipflog(fin, pass) == -1) {
2872 IPF_BUMP(ifs->ifs_frstats[out].fr_skip);
2873
2874 /*
2875 * If the "or-block" option has been used then
2876 * block the packet if we failed to log it.
2877 */
2878 if ((pass & FR_LOGORBLOCK) &&
2879 FR_ISPASS(pass)) {
2880 pass &= ~FR_CMDMASK;
2881 pass |= FR_BLOCK;
2882 }
2883 }
2884 *passp = pass;
2885 }
2886
2887 return fin->fin_fr;
2888 }
2889 #endif /* IPFILTER_LOG */
2890
2891
2892 /* ------------------------------------------------------------------------ */
2893 /* Function: ipf_cksum */
2894 /* Returns: u_short - IP header checksum */
2895 /* Parameters: addr(I) - pointer to start of buffer to checksum */
2896 /* len(I) - length of buffer in bytes */
2897 /* */
2898 /* Calculate the two's complement 16 bit checksum of the buffer passed. */
2899 /* */
2900 /* N.B.: addr should be 16bit aligned. */
2901 /* ------------------------------------------------------------------------ */
2902 u_short ipf_cksum(addr, len)
2903 u_short *addr;
2904 int len;
2905 {
2906 u_32_t sum = 0;
2907
2908 for (sum = 0; len > 1; len -= 2)
2909 sum += *addr++;
2910
2911 /* mop up an odd byte, if necessary */
2912 if (len == 1)
2913 sum += *(u_char *)addr;
2914
2915 /*
2916 * add back carry outs from top 16 bits to low 16 bits
2917 */
2918 sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
2919 sum += (sum >> 16); /* add carry */
2920 return (u_short)(~sum);
2921 }
2922
2923
2924 /* ------------------------------------------------------------------------ */
2925 /* Function: fr_cksum */
2926 /* Returns: u_short - layer 4 checksum */
2927 /* Parameters: m(I ) - pointer to buffer holding packet */
2928 /* ip(I) - pointer to IP header */
2929 /* l4proto(I) - protocol to caclulate checksum for */
2930 /* l4hdr(I) - pointer to layer 4 header */
2931 /* */
2932 /* Calculates the TCP checksum for the packet held in "m", using the data */
2933 /* in the IP header "ip" to seed it. */
2934 /* */
2935 /* NB: This function assumes we've pullup'd enough for all of the IP header */
2936 /* and the TCP header. We also assume that data blocks aren't allocated in */
2937 /* odd sizes. */
2938 /* */
2939 /* Expects ip_len to be in host byte order when called. */
2940 /* ------------------------------------------------------------------------ */
2941 u_short fr_cksum(m, ip, l4proto, l4hdr)
2942 mb_t *m;
2943 ip_t *ip;
2944 int l4proto;
2945 void *l4hdr;
2946 {
2947 u_short *sp, slen, sumsave, l4hlen, *csump;
2948 u_int sum, sum2;
2949 int hlen;
2950 #ifdef USE_INET6
2951 ip6_t *ip6;
2952 #endif
2953
2954 csump = NULL;
2955 sumsave = 0;
2956 l4hlen = 0;
2957 sp = NULL;
2958 slen = 0;
2959 hlen = 0;
2960 sum = 0;
2961
2962 /*
2963 * Add up IP Header portion
2964 */
2965 #ifdef USE_INET6
2966 if (IP_V(ip) == 4) {
2967 #endif
2968 hlen = IP_HL(ip) << 2;
2969 slen = ip->ip_len - hlen;
2970 sum = htons((u_short)l4proto);
2971 sum += htons(slen);
2972 sp = (u_short *)&ip->ip_src;
2973 sum += *sp++; /* ip_src */
2974 sum += *sp++;
2975 sum += *sp++; /* ip_dst */
2976 sum += *sp++;
2977 #ifdef USE_INET6
2978 } else if (IP_V(ip) == 6) {
2979 ip6 = (ip6_t *)ip;
2980 hlen = sizeof(*ip6);
2981 slen = ntohs(ip6->ip6_plen);
2982 sum = htons((u_short)l4proto);
2983 sum += htons(slen);
2984 sp = (u_short *)&ip6->ip6_src;
2985 sum += *sp++; /* ip6_src */
2986 sum += *sp++;
2987 sum += *sp++;
2988 sum += *sp++;
2989 sum += *sp++;
2990 sum += *sp++;
2991 sum += *sp++;
2992 sum += *sp++;
2993 sum += *sp++; /* ip6_dst */
2994 sum += *sp++;
2995 sum += *sp++;
2996 sum += *sp++;
2997 sum += *sp++;
2998 sum += *sp++;
2999 sum += *sp++;
3000 sum += *sp++;
3001 }
3002 #endif
3003
3004 switch (l4proto)
3005 {
3006 case IPPROTO_UDP :
3007 csump = &((udphdr_t *)l4hdr)->uh_sum;
3008 l4hlen = sizeof(udphdr_t);
3009 break;
3010
3011 case IPPROTO_TCP :
3012 csump = &((tcphdr_t *)l4hdr)->th_sum;
3013 l4hlen = sizeof(tcphdr_t);
3014 break;
3015 case IPPROTO_ICMP :
3016 csump = &((icmphdr_t *)l4hdr)->icmp_cksum;
3017 l4hlen = 4;
3018 sum = 0;
3019 break;
3020 default :
3021 break;
3022 }
3023
3024 if (csump != NULL) {
3025 sumsave = *csump;
3026 *csump = 0;
3027 }
3028
3029 l4hlen = l4hlen; /* LINT */
3030
3031 #ifdef _KERNEL
3032 # ifdef MENTAT
3033 {
3034 void *rp = m->b_rptr;
3035
3036 if ((unsigned char *)ip > m->b_rptr && (unsigned char *)ip < m->b_wptr)
3037 m->b_rptr = (u_char *)ip;
3038 sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */
3039 m->b_rptr = rp;
3040 sum2 = (sum2 & 0xffff) + (sum2 >> 16);
3041 sum2 = ~sum2 & 0xffff;
3042 }
3043 # else /* MENTAT */
3044 # if defined(BSD) || defined(sun)
3045 # if BSD >= 199103
3046 m->m_data += hlen;
3047 # else
3048 m->m_off += hlen;
3049 # endif
3050 m->m_len -= hlen;
3051 sum2 = in_cksum(m, slen);
3052 m->m_len += hlen;
3053 # if BSD >= 199103
3054 m->m_data -= hlen;
3055 # else
3056 m->m_off -= hlen;
3057 # endif
3058 /*
3059 * Both sum and sum2 are partial sums, so combine them together.
3060 */
3061 sum += ~sum2 & 0xffff;
3062 while (sum > 0xffff)
3063 sum = (sum & 0xffff) + (sum >> 16);
3064 sum2 = ~sum & 0xffff;
3065 # else /* defined(BSD) || defined(sun) */
3066 {
3067 union {
3068 u_char c[2];
3069 u_short s;
3070 } bytes;
3071 u_short len = ip->ip_len;
3072 # if defined(__sgi)
3073 int add;
3074 # endif
3075
3076 /*
3077 * Add up IP Header portion
3078 */
3079 if (sp != (u_short *)l4hdr)
3080 sp = (u_short *)l4hdr;
3081
3082 switch (l4proto)
3083 {
3084 case IPPROTO_UDP :
3085 sum += *sp++; /* sport */
3086 sum += *sp++; /* dport */
3087 sum += *sp++; /* udp length */
3088 sum += *sp++; /* checksum */
3089 break;
3090
3091 case IPPROTO_TCP :
3092 sum += *sp++; /* sport */
3093 sum += *sp++; /* dport */
3094 sum += *sp++; /* seq */
3095 sum += *sp++;
3096 sum += *sp++; /* ack */
3097 sum += *sp++;
3098 sum += *sp++; /* off */
3099 sum += *sp++; /* win */
3100 sum += *sp++; /* checksum */
3101 sum += *sp++; /* urp */
3102 break;
3103 case IPPROTO_ICMP :
3104 sum = *sp++; /* type/code */
3105 sum += *sp++; /* checksum */
3106 break;
3107 }
3108
3109 # ifdef __sgi
3110 /*
3111 * In case we had to copy the IP & TCP header out of mbufs,
3112 * skip over the mbuf bits which are the header
3113 */
3114 if ((caddr_t)ip != mtod(m, caddr_t)) {
3115 hlen = (caddr_t)sp - (caddr_t)ip;
3116 while (hlen) {
3117 add = MIN(hlen, m->m_len);
3118 sp = (u_short *)(mtod(m, caddr_t) + add);
3119 hlen -= add;
3120 if (add == m->m_len) {
3121 m = m->m_next;
3122 if (!hlen) {
3123 if (!m)
3124 break;
3125 sp = mtod(m, u_short *);
3126 }
3127 PANIC((!m),("fr_cksum(1): not enough data"));
3128 }
3129 }
3130 }
3131 # endif
3132
3133 len -= (l4hlen + hlen);
3134 if (len <= 0)
3135 goto nodata;
3136
3137 while (len > 1) {
3138 if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
3139 m = m->m_next;
3140 PANIC((!m),("fr_cksum(2): not enough data"));
3141 sp = mtod(m, u_short *);
3142 }
3143 if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) {
3144 bytes.c[0] = *(u_char *)sp;
3145 m = m->m_next;
3146 PANIC((!m),("fr_cksum(3): not enough data"));
3147 sp = mtod(m, u_short *);
3148 bytes.c[1] = *(u_char *)sp;
3149 sum += bytes.s;
3150 sp = (u_short *)((u_char *)sp + 1);
3151 }
3152 if ((u_long)sp & 1) {
3153 bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
3154 sum += bytes.s;
3155 } else
3156 sum += *sp++;
3157 len -= 2;
3158 }
3159
3160 if (len != 0)
3161 sum += ntohs(*(u_char *)sp << 8);
3162 nodata:
3163 while (sum > 0xffff)
3164 sum = (sum & 0xffff) + (sum >> 16);
3165 sum2 = (u_short)(~sum & 0xffff);
3166 }
3167 # endif /* defined(BSD) || defined(sun) */
3168 # endif /* MENTAT */
3169 #else /* _KERNEL */
3170 for (; slen > 1; slen -= 2)
3171 sum += *sp++;
3172 if (slen)
3173 sum += ntohs(*(u_char *)sp << 8);
3174 while (sum > 0xffff)
3175 sum = (sum & 0xffff) + (sum >> 16);
3176 sum2 = (u_short)(~sum & 0xffff);
3177 #endif /* _KERNEL */
3178 if (csump != NULL)
3179 *csump = sumsave;
3180 return sum2;
3181 }
3182
3183
3184 #if defined(_KERNEL) && ( ((BSD < 199103) && !defined(MENTAT)) || \
3185 defined(__sgi) ) && !defined(linux) && !defined(_AIX51)
3186 /*
3187 * Copyright (c) 1982, 1986, 1988, 1991, 1993
3188 * The Regents of the University of California. All rights reserved.
3189 *
3190 * Redistribution and use in source and binary forms, with or without
3191 * modification, are permitted provided that the following conditions
3192 * are met:
3193 * 1. Redistributions of source code must retain the above copyright
3194 * notice, this list of conditions and the following disclaimer.
3195 * 2. Redistributions in binary form must reproduce the above copyright
3196 * notice, this list of conditions and the following disclaimer in the
3197 * documentation and/or other materials provided with the distribution.
3198 * 3. Neither the name of the University nor the names of its contributors
3199 * may be used to endorse or promote products derived from this software
3200 * without specific prior written permission.
3201 *
3202 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
3203 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
3204 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
3205 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
3206 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
3207 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
3208 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3209 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
3210 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
3211 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3212 * SUCH DAMAGE.
3213 *
3214 * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
3215 * $Id: fil.c,v 2.243.2.64 2005/08/13 05:19:59 darrenr Exp $
3216 */
3217 /*
3218 * Copy data from an mbuf chain starting "off" bytes from the beginning,
3219 * continuing for "len" bytes, into the indicated buffer.
3220 */
3221 void
3222 m_copydata(m, off, len, cp)
3223 mb_t *m;
3224 int off;
3225 int len;
3226 caddr_t cp;
3227 {
3228 unsigned count;
3229
3230 if (off < 0 || len < 0)
3231 panic("m_copydata");
3232 while (off > 0) {
3233 if (m == 0)
3234 panic("m_copydata");
3235 if (off < m->m_len)
3236 break;
3237 off -= m->m_len;
3238 m = m->m_next;
3239 }
3240 while (len > 0) {
3241 if (m == 0)
3242 panic("m_copydata");
3243 count = MIN(m->m_len - off, len);
3244 bcopy(mtod(m, caddr_t) + off, cp, count);
3245 len -= count;
3246 cp += count;
3247 off = 0;
3248 m = m->m_next;
3249 }
3250 }
3251
3252
3253 /*
3254 * Copy data from a buffer back into the indicated mbuf chain,
3255 * starting "off" bytes from the beginning, extending the mbuf
3256 * chain if necessary.
3257 */
3258 void
3259 m_copyback(m0, off, len, cp)
3260 struct mbuf *m0;
3261 int off;
3262 int len;
3263 caddr_t cp;
3264 {
3265 int mlen;
3266 struct mbuf *m = m0, *n;
3267 int totlen = 0;
3268
3269 if (m0 == 0)
3270 return;
3271 while (off > (mlen = m->m_len)) {
3272 off -= mlen;
3273 totlen += mlen;
3274 if (m->m_next == 0) {
3275 n = m_getclr(M_DONTWAIT, m->m_type);
3276 if (n == 0)
3277 goto out;
3278 n->m_len = min(MLEN, len + off);
3279 m->m_next = n;
3280 }
3281 m = m->m_next;
3282 }
3283 while (len > 0) {
3284 mlen = min(m->m_len - off, len);
3285 bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
3286 cp += mlen;
3287 len -= mlen;
3288 mlen += off;
3289 off = 0;
3290 totlen += mlen;
3291 if (len == 0)
3292 break;
3293 if (m->m_next == 0) {
3294 n = m_get(M_DONTWAIT, m->m_type);
3295 if (n == 0)
3296 break;
3297 n->m_len = min(MLEN, len);
3298 m->m_next = n;
3299 }
3300 m = m->m_next;
3301 }
3302 out:
3303 #if 0
3304 if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
3305 m->m_pkthdr.len = totlen;
3306 #endif
3307 return;
3308 }
3309 #endif /* (_KERNEL) && ( ((BSD < 199103) && !MENTAT) || __sgi) */
3310
3311
3312 /* ------------------------------------------------------------------------ */
3313 /* Function: fr_findgroup */
3314 /* Returns: frgroup_t * - NULL = group not found, else pointer to group */
3315 /* Parameters: group(I) - group name to search for */
3316 /* unit(I) - device to which this group belongs */
3317 /* set(I) - which set of rules (inactive/inactive) this is */
3318 /* fgpp(O) - pointer to place to store pointer to the pointer */
3319 /* to where to add the next (last) group or where */
3320 /* to delete group from. */
3321 /* */
3322 /* Search amongst the defined groups for a particular group number. */
3323 /* ------------------------------------------------------------------------ */
3324 frgroup_t *fr_findgroup(group, unit, set, fgpp, ifs)
3325 char *group;
3326 minor_t unit;
3327 int set;
3328 frgroup_t ***fgpp;
3329 ipf_stack_t *ifs;
3330 {
3331 frgroup_t *fg, **fgp;
3332
3333 /*
3334 * Which list of groups to search in is dependent on which list of
3335 * rules are being operated on.
3336 */
3337 fgp = &ifs->ifs_ipfgroups[unit][set];
3338
3339 while ((fg = *fgp) != NULL) {
3340 if (strncmp(group, fg->fg_name, FR_GROUPLEN) == 0)
3341 break;
3342 else
3343 fgp = &fg->fg_next;
3344 }
3345 if (fgpp != NULL)
3346 *fgpp = fgp;
3347 return fg;
3348 }
3349
3350
3351 /* ------------------------------------------------------------------------ */
3352 /* Function: fr_addgroup */
3353 /* Returns: frgroup_t * - NULL == did not create group, */
3354 /* != NULL == pointer to the group */
3355 /* Parameters: num(I) - group number to add */
3356 /* head(I) - rule pointer that is using this as the head */
3357 /* flags(I) - rule flags which describe the type of rule it is */
3358 /* unit(I) - device to which this group will belong to */
3359 /* set(I) - which set of rules (inactive/inactive) this is */
3360 /* Write Locks: ipf_mutex */
3361 /* */
3362 /* Add a new group head, or if it already exists, increase the reference */
3363 /* count to it. */
3364 /* ------------------------------------------------------------------------ */
3365 frgroup_t *fr_addgroup(group, head, flags, unit, set, ifs)
3366 char *group;
3367 void *head;
3368 u_32_t flags;
3369 minor_t unit;
3370 int set;
3371 ipf_stack_t *ifs;
3372 {
3373 frgroup_t *fg, **fgp;
3374 u_32_t gflags;
3375
3376 if (group == NULL)
3377 return NULL;
3378
3379 if (unit == IPL_LOGIPF && *group == '\0')
3380 return NULL;
3381
3382 fgp = NULL;
3383 gflags = flags & FR_INOUT;
3384
3385 fg = fr_findgroup(group, unit, set, &fgp, ifs);
3386 if (fg != NULL) {
3387 if (fg->fg_flags == 0)
3388 fg->fg_flags = gflags;
3389 else if (gflags != fg->fg_flags)
3390 return NULL;
3391 fg->fg_ref++;
3392 return fg;
3393 }
3394 KMALLOC(fg, frgroup_t *);
3395 if (fg != NULL) {
3396 fg->fg_head = head;
3397 fg->fg_start = NULL;
3398 fg->fg_next = *fgp;
3399 bcopy(group, fg->fg_name, FR_GROUPLEN);
3400 fg->fg_flags = gflags;
3401 fg->fg_ref = 1;
3402 *fgp = fg;
3403 }
3404 return fg;
3405 }
3406
3407
3408 /* ------------------------------------------------------------------------ */
3409 /* Function: fr_delgroup */
3410 /* Returns: Nil */
3411 /* Parameters: group(I) - group name to delete */
3412 /* unit(I) - device to which this group belongs */
3413 /* set(I) - which set of rules (inactive/inactive) this is */
3414 /* Write Locks: ipf_mutex */
3415 /* */
3416 /* Attempt to delete a group head. */
3417 /* Only do this when its reference count reaches 0. */
3418 /* ------------------------------------------------------------------------ */
3419 void fr_delgroup(group, unit, set, ifs)
3420 char *group;
3421 minor_t unit;
3422 int set;
3423 ipf_stack_t *ifs;
3424 {
3425 frgroup_t *fg, **fgp;
3426
3427 fg = fr_findgroup(group, unit, set, &fgp, ifs);
3428 if (fg == NULL)
3429 return;
3430
3431 fg->fg_ref--;
3432 if (fg->fg_ref == 0) {
3433 *fgp = fg->fg_next;
3434 KFREE(fg);
3435 }
3436 }
3437
3438
3439 /* ------------------------------------------------------------------------ */
3440 /* Function: fr_getrulen */
3441 /* Returns: frentry_t * - NULL == not found, else pointer to rule n */
3442 /* Parameters: unit(I) - device for which to count the rule's number */
3443 /* flags(I) - which set of rules to find the rule in */
3444 /* group(I) - group name */
3445 /* n(I) - rule number to find */
3446 /* */
3447 /* Find rule # n in group # g and return a pointer to it. Return NULl if */
3448 /* group # g doesn't exist or there are less than n rules in the group. */
3449 /* ------------------------------------------------------------------------ */
3450 frentry_t *fr_getrulen(unit, group, n, ifs)
3451 int unit;
3452 char *group;
3453 u_32_t n;
3454 ipf_stack_t *ifs;
3455 {
3456 frentry_t *fr;
3457 frgroup_t *fg;
3458
3459 fg = fr_findgroup(group, unit, ifs->ifs_fr_active, NULL, ifs);
3460 if (fg == NULL)
3461 return NULL;
3462 for (fr = fg->fg_head; fr && n; fr = fr->fr_next, n--)
3463 ;
3464 if (n != 0)
3465 return NULL;
3466 return fr;
3467 }
3468
3469
3470 /* ------------------------------------------------------------------------ */
3471 /* Function: fr_rulen */
3472 /* Returns: int - >= 0 - rule number, -1 == search failed */
3473 /* Parameters: unit(I) - device for which to count the rule's number */
3474 /* fr(I) - pointer to rule to match */
3475 /* */
3476 /* Return the number for a rule on a specific filtering device. */
3477 /* ------------------------------------------------------------------------ */
3478 int fr_rulen(unit, fr, ifs)
3479 int unit;
3480 frentry_t *fr;
3481 ipf_stack_t *ifs;
3482 {
3483 frentry_t *fh;
3484 frgroup_t *fg;
3485 u_32_t n = 0;
3486
3487 if (fr == NULL)
3488 return -1;
3489 fg = fr_findgroup(fr->fr_group, unit, ifs->ifs_fr_active, NULL, ifs);
3490 if (fg == NULL)
3491 return -1;
3492 for (fh = fg->fg_head; fh; n++, fh = fh->fr_next)
3493 if (fh == fr)
3494 break;
3495 if (fh == NULL)
3496 return -1;
3497 return n;
3498 }
3499
3500
3501 /* ------------------------------------------------------------------------ */
3502 /* Function: frflushlist */
3503 /* Returns: int - >= 0 - number of flushed rules */
3504 /* Parameters: set(I) - which set of rules (inactive/inactive) this is */
3505 /* unit(I) - device for which to flush rules */
3506 /* flags(I) - which set of rules to flush */
3507 /* nfreedp(O) - pointer to int where flush count is stored */
3508 /* listp(I) - pointer to list to flush pointer */
3509 /* Write Locks: ipf_mutex */
3510 /* */
3511 /* Recursively flush rules from the list, descending groups as they are */
3512 /* encountered. if a rule is the head of a group and it has lost all its */
3513 /* group members, then also delete the group reference. nfreedp is needed */
3514 /* to store the accumulating count of rules removed, whereas the returned */
3515 /* value is just the number removed from the current list. The latter is */
3516 /* needed to correctly adjust reference counts on rules that define groups. */
3517 /* */
3518 /* NOTE: Rules not loaded from user space cannot be flushed. */
3519 /* ------------------------------------------------------------------------ */
3520 static int frflushlist(set, unit, nfreedp, listp, ifs)
3521 int set;
3522 minor_t unit;
3523 int *nfreedp;
3524 frentry_t **listp;
3525 ipf_stack_t *ifs;
3526 {
3527 int freed = 0;
3528 frentry_t *fp;
3529
3530 while ((fp = *listp) != NULL) {
3531 if ((fp->fr_type & FR_T_BUILTIN) ||
3532 !(fp->fr_flags & FR_COPIED)) {
3533 listp = &fp->fr_next;
3534 continue;
3535 }
3536 *listp = fp->fr_next;
3537 if (fp->fr_grp != NULL) {
3538 (void) frflushlist(set, unit, nfreedp, fp->fr_grp, ifs);
3539 }
3540
3541 if (fp->fr_grhead != NULL) {
3542 fr_delgroup(fp->fr_grhead, unit, set, ifs);
3543 *fp->fr_grhead = '\0';
3544 }
3545
3546 ASSERT(fp->fr_ref > 0);
3547 fp->fr_next = NULL;
3548 if (fr_derefrule(&fp, ifs) == 0)
3549 freed++;
3550 }
3551 *nfreedp += freed;
3552 return freed;
3553 }
3554
3555
3556 /* ------------------------------------------------------------------------ */
3557 /* Function: frflush */
3558 /* Returns: int - >= 0 - number of flushed rules */
3559 /* Parameters: unit(I) - device for which to flush rules */
3560 /* flags(I) - which set of rules to flush */
3561 /* */
3562 /* Calls flushlist() for all filter rules (accounting, firewall - both IPv4 */
3563 /* and IPv6) as defined by the value of flags. */
3564 /* ------------------------------------------------------------------------ */
3565 int frflush(unit, proto, flags, ifs)
3566 minor_t unit;
3567 int proto, flags;
3568 ipf_stack_t *ifs;
3569 {
3570 int flushed = 0, set;
3571
3572 WRITE_ENTER(&ifs->ifs_ipf_mutex);
3573 bzero((char *)ifs->ifs_frcache, sizeof (ifs->ifs_frcache));
3574
3575 set = ifs->ifs_fr_active;
3576 if ((flags & FR_INACTIVE) == FR_INACTIVE)
3577 set = 1 - set;
3578
3579 if (flags & FR_OUTQUE) {
3580 if (proto == 0 || proto == 6) {
3581 (void) frflushlist(set, unit,
3582 &flushed, &ifs->ifs_ipfilter6[1][set], ifs);
3583 (void) frflushlist(set, unit,
3584 &flushed, &ifs->ifs_ipacct6[1][set], ifs);
3585 }
3586 if (proto == 0 || proto == 4) {
3587 (void) frflushlist(set, unit,
3588 &flushed, &ifs->ifs_ipfilter[1][set], ifs);
3589 (void) frflushlist(set, unit,
3590 &flushed, &ifs->ifs_ipacct[1][set], ifs);
3591 }
3592 }
3593 if (flags & FR_INQUE) {
3594 if (proto == 0 || proto == 6) {
3595 (void) frflushlist(set, unit,
3596 &flushed, &ifs->ifs_ipfilter6[0][set], ifs);
3597 (void) frflushlist(set, unit,
3598 &flushed, &ifs->ifs_ipacct6[0][set], ifs);
3599 }
3600 if (proto == 0 || proto == 4) {
3601 (void) frflushlist(set, unit,
3602 &flushed, &ifs->ifs_ipfilter[0][set], ifs);
3603 (void) frflushlist(set, unit,
3604 &flushed, &ifs->ifs_ipacct[0][set], ifs);
3605 }
3606 }
3607 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
3608
3609 if (unit == IPL_LOGIPF) {
3610 int tmp;
3611
3612 tmp = frflush(IPL_LOGCOUNT, proto, flags, ifs);
3613 if (tmp >= 0)
3614 flushed += tmp;
3615 }
3616 return flushed;
3617 }
3618
3619
3620 /* ------------------------------------------------------------------------ */
3621 /* Function: memstr */
3622 /* Returns: char * - NULL if failed, != NULL pointer to matching bytes */
3623 /* Parameters: src(I) - pointer to byte sequence to match */
3624 /* dst(I) - pointer to byte sequence to search */
3625 /* slen(I) - match length */
3626 /* dlen(I) - length available to search in */
3627 /* */
3628 /* Search dst for a sequence of bytes matching those at src and extend for */
3629 /* slen bytes. */
3630 /* ------------------------------------------------------------------------ */
3631 char *memstr(src, dst, slen, dlen)
3632 char *src, *dst;
3633 int slen, dlen;
3634 {
3635 char *s = NULL;
3636
3637 while (dlen >= slen) {
3638 if (bcmp(src, dst, slen) == 0) {
3639 s = dst;
3640 break;
3641 }
3642 dst++;
3643 dlen--;
3644 }
3645 return s;
3646 }
3647 /* ------------------------------------------------------------------------ */
3648 /* Function: fr_fixskip */
3649 /* Returns: Nil */
3650 /* Parameters: listp(IO) - pointer to start of list with skip rule */
3651 /* rp(I) - rule added/removed with skip in it. */
3652 /* addremove(I) - adjustment (-1/+1) to make to skip count, */
3653 /* depending on whether a rule was just added */
3654 /* or removed. */
3655 /* */
3656 /* Adjust all the rules in a list which would have skip'd past the position */
3657 /* where we are inserting to skip to the right place given the change. */
3658 /* ------------------------------------------------------------------------ */
3659 void fr_fixskip(listp, rp, addremove)
3660 frentry_t **listp, *rp;
3661 int addremove;
3662 {
3663 int rules, rn;
3664 frentry_t *fp;
3665
3666 rules = 0;
3667 for (fp = *listp; (fp != NULL) && (fp != rp); fp = fp->fr_next)
3668 rules++;
3669
3670 if (!fp)
3671 return;
3672
3673 for (rn = 0, fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
3674 if (FR_ISSKIP(fp->fr_flags) && (rn + fp->fr_arg >= rules))
3675 fp->fr_arg += addremove;
3676 }
3677
3678
3679 #ifdef _KERNEL
3680 /* ------------------------------------------------------------------------ */
3681 /* Function: count4bits */
3682 /* Returns: int - >= 0 - number of consecutive bits in input */
3683 /* Parameters: ip(I) - 32bit IP address */
3684 /* */
3685 /* IPv4 ONLY */
3686 /* count consecutive 1's in bit mask. If the mask generated by counting */
3687 /* consecutive 1's is different to that passed, return -1, else return # */
3688 /* of bits. */
3689 /* ------------------------------------------------------------------------ */
3690 int count4bits(ip)
3691 u_32_t ip;
3692 {
3693 u_32_t ipn;
3694 int cnt = 0, i, j;
3695
3696 ip = ipn = ntohl(ip);
3697 for (i = 32; i; i--, ipn *= 2)
3698 if (ipn & 0x80000000)
3699 cnt++;
3700 else
3701 break;
3702 ipn = 0;
3703 for (i = 32, j = cnt; i; i--, j--) {
3704 ipn *= 2;
3705 if (j > 0)
3706 ipn++;
3707 }
3708 if (ipn == ip)
3709 return cnt;
3710 return -1;
3711 }
3712
3713
3714 #ifdef USE_INET6
3715 /* ------------------------------------------------------------------------ */
3716 /* Function: count6bits */
3717 /* Returns: int - >= 0 - number of consecutive bits in input */
3718 /* Parameters: msk(I) - pointer to start of IPv6 bitmask */
3719 /* */
3720 /* IPv6 ONLY */
3721 /* count consecutive 1's in bit mask. */
3722 /* ------------------------------------------------------------------------ */
3723 int count6bits(msk)
3724 u_32_t *msk;
3725 {
3726 int i = 0, k;
3727 u_32_t j;
3728
3729 for (k = 3; k >= 0; k--)
3730 if (msk[k] == 0xffffffff)
3731 i += 32;
3732 else {
3733 for (j = msk[k]; j; j <<= 1)
3734 if (j & 0x80000000)
3735 i++;
3736 }
3737 return i;
3738 }
3739 # endif
3740 #endif /* _KERNEL */
3741
3742
3743 /* ------------------------------------------------------------------------ */
3744 /* Function: fr_ifsync */
3745 /* Returns: void * - new interface identifier */
3746 /* Parameters: action(I) - type of synchronisation to do */
3747 /* v(I) - IP version being sync'd (v4 or v6) */
3748 /* newifp(I) - interface identifier being introduced/removed */
3749 /* oldifp(I) - interface identifier in a filter rule */
3750 /* newname(I) - name associated with newifp interface */
3751 /* oldname(I) - name associated with oldifp interface */
3752 /* ifs - pointer to IPF stack instance */
3753 /* */
3754 /* This function returns what the new value for "oldifp" should be for its */
3755 /* caller. In some cases it will not change, in some it will. */
3756 /* action == IPFSYNC_RESYNC */
3757 /* a new value for oldifp will always be looked up, according to oldname, */
3758 /* the values of newname and newifp are ignored. */
3759 /* action == IPFSYNC_NEWIFP */
3760 /* if oldname matches newname then we are doing a sync for the matching */
3761 /* interface, so we return newifp to be used in place of oldifp. If the */
3762 /* the names don't match, just return oldifp. */
3763 /* action == IPFSYNC_OLDIFP */
3764 /* if oldifp matches newifp then we are are doing a sync to remove any */
3765 /* references to oldifp, so we return "-1". */
3766 /* ----- */
3767 /* NOTE: */
3768 /* This function processes NIC event from PF_HOOKS. The action parameter */
3769 /* is set in ipf_nic_event_v4()/ipf_nic_event_v6() function. There is */
3770 /* one single switch statement() in ipf_nic_event_vx() function, which */
3771 /* translates the HOOK event type to action parameter passed to fr_ifsync. */
3772 /* The translation table looks as follows: */
3773 /* event | action */
3774 /* ----------------+------------- */
3775 /* NE_PLUMB | IPFSYNC_NEWIFP */
3776 /* NE_UNPLUMB | IPFSYNC_OLDIFP */
3777 /* NE_ADDRESS_CHANGE | IPFSYNC_RESYNC */
3778 /* */
3779 /* The oldname and oldifp parameters are taken from IPF entry (rule, state */
3780 /* table entry, NAT table entry, fragment ...). The newname and newifp */
3781 /* parameters come from hook event data, parameters are taken from event */
3782 /* in ipf_nic_event_vx() functions. Any time NIC changes, the IPF is */
3783 /* notified by hook function. */
3784 /* */
3785 /* We get NE_UNPLUMB event from PF_HOOKS even if someone coincidently tries */
3786 /* to plumb the interface, which is already plumbed. In such case we always */
3787 /* get the event from PF_HOOKS as follows: */
3788 /* event: NE_PLUMB */
3789 /* NIC: 0x0 */
3790 /* ------------------------------------------------------------------------ */
3791 static void *fr_ifsync(action, v, newname, oldname, newifp, oldifp, ifs)
3792 int action, v;
3793 char *newname, *oldname;
3794 void *newifp, *oldifp;
3795 ipf_stack_t *ifs;
3796 {
3797 void *rval = oldifp;
3798
3799 switch (action)
3800 {
3801 case IPFSYNC_RESYNC :
3802 if (oldname[0] != '\0') {
3803 rval = fr_resolvenic(oldname, v, ifs);
3804 }
3805 break;
3806 case IPFSYNC_NEWIFP :
3807 if (!strncmp(newname, oldname, LIFNAMSIZ))
3808 rval = newifp;
3809 break;
3810 case IPFSYNC_OLDIFP :
3811 /*
3812 * If interface gets unplumbed it must be invalidated, which
3813 * means set all existing references to the interface to -1.
3814 * We don't want to invalidate references for wildcard
3815 * (unbound) rules (entries).
3816 */
3817 if (newifp == oldifp)
3818 rval = (oldifp) ? (void *)-1 : NULL;
3819 break;
3820 }
3821
3822 return rval;
3823 }
3824
3825
3826 /* ------------------------------------------------------------------------ */
3827 /* Function: frsynclist */
3828 /* Returns: void */
3829 /* Parameters: action(I) - type of synchronisation to do */
3830 /* v(I) - IP version being sync'd (v4 or v6) */
3831 /* ifp(I) - interface identifier associated with action */
3832 /* ifname(I) - name associated with ifp parameter */
3833 /* fr(I) - pointer to filter rule */
3834 /* ifs - pointer to IPF stack instance */
3835 /* Write Locks: ipf_mutex */
3836 /* */
3837 /* Walk through a list of filter rules and resolve any interface names into */
3838 /* pointers. Where dynamic addresses are used, also update the IP address */
3839 /* used in the rule. The interface pointer is used to limit the lookups to */
3840 /* a specific set of matching names if it is non-NULL. */
3841 /* ------------------------------------------------------------------------ */
3842 static void frsynclist(action, v, ifp, ifname, fr, ifs)
3843 int action, v;
3844 void *ifp;
3845 char *ifname;
3846 frentry_t *fr;
3847 ipf_stack_t *ifs;
3848 {
3849 frdest_t *fdp;
3850 int rv, i;
3851
3852 for (; fr; fr = fr->fr_next) {
3853 rv = fr->fr_v;
3854 if (v != 0 && v != rv)
3855 continue;
3856
3857 /*
3858 * Lookup all the interface names that are part of the rule.
3859 */
3860 for (i = 0; i < 4; i++) {
3861 fr->fr_ifas[i] = fr_ifsync(action, rv, ifname,
3862 fr->fr_ifnames[i],
3863 ifp, fr->fr_ifas[i],
3864 ifs);
3865 }
3866
3867 fdp = &fr->fr_tifs[0];
3868 fdp->fd_ifp = fr_ifsync(action, rv, ifname, fdp->fd_ifname,
3869 ifp, fdp->fd_ifp, ifs);
3870
3871 fdp = &fr->fr_tifs[1];
3872 fdp->fd_ifp = fr_ifsync(action, rv, ifname, fdp->fd_ifname,
3873 ifp, fdp->fd_ifp, ifs);
3874
3875 fdp = &fr->fr_dif;
3876 fdp->fd_ifp = fr_ifsync(action, rv, ifname, fdp->fd_ifname,
3877 ifp, fdp->fd_ifp, ifs);
3878
3879 if (action != IPFSYNC_RESYNC)
3880 continue;
3881
3882 if (fr->fr_type == FR_T_IPF) {
3883 if (fr->fr_satype != FRI_NORMAL &&
3884 fr->fr_satype != FRI_LOOKUP) {
3885 (void)fr_ifpaddr(rv, fr->fr_satype,
3886 fr->fr_ifas[fr->fr_sifpidx],
3887 &fr->fr_src, &fr->fr_smsk,
3888 ifs);
3889 }
3890 if (fr->fr_datype != FRI_NORMAL &&
3891 fr->fr_datype != FRI_LOOKUP) {
3892 (void)fr_ifpaddr(rv, fr->fr_datype,
3893 fr->fr_ifas[fr->fr_difpidx],
3894 &fr->fr_dst, &fr->fr_dmsk,
3895 ifs);
3896 }
3897 }
3898
3899 #ifdef IPFILTER_LOOKUP
3900 if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP &&
3901 fr->fr_srcptr == NULL) {
3902 fr->fr_srcptr = fr_resolvelookup(fr->fr_srctype,
3903 fr->fr_srcnum,
3904 &fr->fr_srcfunc, ifs);
3905 }
3906 if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP &&
3907 fr->fr_dstptr == NULL) {
3908 fr->fr_dstptr = fr_resolvelookup(fr->fr_dsttype,
3909 fr->fr_dstnum,
3910 &fr->fr_dstfunc, ifs);
3911 }
3912 #endif
3913 }
3914 }
3915
3916
3917 #ifdef _KERNEL
3918 /* ------------------------------------------------------------------------ */
3919 /* Function: frsync */
3920 /* Returns: void */
3921 /* Parameters: action(I) - type of synchronisation to do */
3922 /* v(I) - IP version being sync'd (v4 or v6) */
3923 /* ifp(I) - interface identifier associated with action */
3924 /* name(I) - name associated with ifp parameter */
3925 /* */
3926 /* frsync() is called when we suspect that the interface list or */
3927 /* information about interfaces (like IP#) has changed. Go through all */
3928 /* filter rules, NAT entries and the state table and check if anything */
3929 /* needs to be changed/updated. */
3930 /* With the filtering hooks added to Solaris, we needed to change the manner*/
3931 /* in which this was done to support three different types of sync: */
3932 /* - complete resync of all interface name/identifiers */
3933 /* - new interface being announced with its name and identifier */
3934 /* - interface removal being announced by only its identifier */
3935 /* ------------------------------------------------------------------------ */
3936 void frsync(action, v, ifp, name, ifs)
3937 int action, v;
3938 void *ifp;
3939 char *name;
3940 ipf_stack_t *ifs;
3941 {
3942 int i;
3943
3944 WRITE_ENTER(&ifs->ifs_ipf_mutex);
3945 frsynclist(action, v, ifp, name, ifs->ifs_ipacct[0][ifs->ifs_fr_active], ifs);
3946 frsynclist(action, v, ifp, name, ifs->ifs_ipacct[1][ifs->ifs_fr_active], ifs);
3947 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter[0][ifs->ifs_fr_active], ifs);
3948 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter[1][ifs->ifs_fr_active], ifs);
3949 frsynclist(action, v, ifp, name, ifs->ifs_ipacct6[0][ifs->ifs_fr_active], ifs);
3950 frsynclist(action, v, ifp, name, ifs->ifs_ipacct6[1][ifs->ifs_fr_active], ifs);
3951 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter6[0][ifs->ifs_fr_active], ifs);
3952 frsynclist(action, v, ifp, name, ifs->ifs_ipfilter6[1][ifs->ifs_fr_active], ifs);
3953
3954 for (i = 0; i < IPL_LOGSIZE; i++) {
3955 frgroup_t *g;
3956
3957 for (g = ifs->ifs_ipfgroups[i][0]; g != NULL; g = g->fg_next)
3958 frsynclist(action, v, ifp, name, g->fg_start, ifs);
3959 for (g = ifs->ifs_ipfgroups[i][1]; g != NULL; g = g->fg_next)
3960 frsynclist(action, v, ifp, name, g->fg_start, ifs);
3961 }
3962 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
3963 }
3964
3965 #if SOLARIS2 >= 10
3966 /* ------------------------------------------------------------------------ */
3967 /* Function: fr_syncindex */
3968 /* Returns: void */
3969 /* Parameters: rules - list of rules to be sync'd */
3970 /* ifp - interface, which is being sync'd */
3971 /* newifp - new ifindex value for interface */
3972 /* */
3973 /* Function updates all NIC indecis, which match ifp, in every rule. Every */
3974 /* NIC index matching ifp, will be updated to newifp. */
3975 /* ------------------------------------------------------------------------ */
3976 static void fr_syncindex(rules, ifp, newifp)
3977 frentry_t *rules;
3978 void *ifp;
3979 void *newifp;
3980 {
3981 int i;
3982 frentry_t *fr;
3983
3984 for (fr = rules; fr != NULL; fr = fr->fr_next) {
3985 /*
3986 * Lookup all the interface names that are part of the rule.
3987 */
3988 for (i = 0; i < 4; i++)
3989 if (fr->fr_ifas[i] == ifp)
3990 fr->fr_ifas[i] = newifp;
3991
3992 for (i = 0; i < 2; i++) {
3993 if (fr->fr_tifs[i].fd_ifp == ifp)
3994 fr->fr_tifs[i].fd_ifp = newifp;
3995 }
3996
3997 if (fr->fr_dif.fd_ifp == ifp)
3998 fr->fr_dif.fd_ifp = newifp;
3999 }
4000 }
4001
4002 /* ------------------------------------------------------------------------ */
4003 /* Function: fr_ifindexsync */
4004 /* Returns: void */
4005 /* Parameters: ifp - interface, which is being sync'd */
4006 /* newifp - new ifindex value for interface */
4007 /* ifs - IPF's stack */
4008 /* */
4009 /* Function assumes ipf_mutex is locked exclusively. */
4010 /* */
4011 /* Function updates the NIC references in rules with new interfaces index */
4012 /* (newifp). Function must process active lists: */
4013 /* with accounting rules (IPv6 and IPv4) */
4014 /* with inbound rules (IPv6 and IPv4) */
4015 /* with outbound rules (IPv6 and IPv4) */
4016 /* Function also has to take care of rule groups. */
4017 /* */
4018 /* NOTE: The ipf_mutex is grabbed exclusively by caller (which is always */
4019 /* nic_event_hook). The hook function also updates state entries, NAT rules */
4020 /* and NAT entries. We want to do all these update atomically to keep the */
4021 /* NIC references consistent. The ipf_mutex will synchronize event with */
4022 /* fr_check(), which processes packets, so no packet will enter fr_check(), */
4023 /* while NIC references will be synchronized. */
4024 /* ------------------------------------------------------------------------ */
4025 void fr_ifindexsync(ifp, newifp, ifs)
4026 void *ifp;
4027 void *newifp;
4028 ipf_stack_t *ifs;
4029 {
4030 unsigned int i;
4031 frentry_t *rule_lists[8];
4032 unsigned int rules = sizeof (rule_lists) / sizeof (frentry_t *);
4033
4034 rule_lists[0] = ifs->ifs_ipacct[0][ifs->ifs_fr_active];
4035 rule_lists[1] = ifs->ifs_ipacct[1][ifs->ifs_fr_active];
4036 rule_lists[2] = ifs->ifs_ipfilter[0][ifs->ifs_fr_active];
4037 rule_lists[3] = ifs->ifs_ipfilter[1][ifs->ifs_fr_active];
4038 rule_lists[4] = ifs->ifs_ipacct6[0][ifs->ifs_fr_active];
4039 rule_lists[5] = ifs->ifs_ipacct6[1][ifs->ifs_fr_active];
4040 rule_lists[6] = ifs->ifs_ipfilter6[0][ifs->ifs_fr_active];
4041 rule_lists[7] = ifs->ifs_ipfilter6[1][ifs->ifs_fr_active];
4042
4043 for (i = 0; i < rules; i++) {
4044 fr_syncindex(rule_lists[i], ifp, newifp);
4045 }
4046
4047 /*
4048 * Update rule groups.
4049 */
4050 for (i = 0; i < IPL_LOGSIZE; i++) {
4051 frgroup_t *g;
4052
4053 for (g = ifs->ifs_ipfgroups[i][0]; g != NULL; g = g->fg_next)
4054 fr_syncindex(g->fg_start, ifp, newifp);
4055 for (g = ifs->ifs_ipfgroups[i][1]; g != NULL; g = g->fg_next)
4056 fr_syncindex(g->fg_start, ifp, newifp);
4057 }
4058 }
4059 #endif
4060
4061 /*
4062 * In the functions below, bcopy() is called because the pointer being
4063 * copied _from_ in this instance is a pointer to a char buf (which could
4064 * end up being unaligned) and on the kernel's local stack.
4065 */
4066 /* ------------------------------------------------------------------------ */
4067 /* Function: copyinptr */
4068 /* Returns: int - 0 = success, else failure */
4069 /* Parameters: src(I) - pointer to the source address */
4070 /* dst(I) - destination address */
4071 /* size(I) - number of bytes to copy */
4072 /* */
4073 /* Copy a block of data in from user space, given a pointer to the pointer */
4074 /* to start copying from (src) and a pointer to where to store it (dst). */
4075 /* NB: src - pointer to user space pointer, dst - kernel space pointer */
4076 /* ------------------------------------------------------------------------ */
4077 int copyinptr(src, dst, size)
4078 void *src, *dst;
4079 size_t size;
4080 {
4081 caddr_t ca;
4082 int err;
4083
4084 # ifdef SOLARIS
4085 err = COPYIN(src, (caddr_t)&ca, sizeof(ca));
4086 if (err != 0)
4087 return err;
4088 # else
4089 bcopy(src, (caddr_t)&ca, sizeof(ca));
4090 # endif
4091 err = COPYIN(ca, dst, size);
4092 return err;
4093 }
4094
4095
4096 /* ------------------------------------------------------------------------ */
4097 /* Function: copyoutptr */
4098 /* Returns: int - 0 = success, else failure */
4099 /* Parameters: src(I) - pointer to the source address */
4100 /* dst(I) - destination address */
4101 /* size(I) - number of bytes to copy */
4102 /* */
4103 /* Copy a block of data out to user space, given a pointer to the pointer */
4104 /* to start copying from (src) and a pointer to where to store it (dst). */
4105 /* NB: src - kernel space pointer, dst - pointer to user space pointer. */
4106 /* ------------------------------------------------------------------------ */
4107 int copyoutptr(src, dst, size)
4108 void *src, *dst;
4109 size_t size;
4110 {
4111 caddr_t ca;
4112 int err;
4113
4114 # ifdef SOLARIS
4115 err = COPYIN(dst, (caddr_t)&ca, sizeof(ca));
4116 if (err != 0)
4117 return err;
4118 # else
4119 bcopy(dst, (caddr_t)&ca, sizeof(ca));
4120 # endif
4121 err = COPYOUT(src, ca, size);
4122 return err;
4123 }
4124 #endif
4125
4126
4127 /* ------------------------------------------------------------------------ */
4128 /* Function: fr_lock */
4129 /* Returns: int - 0 = success, else error */
4130 /* Parameters: data(I) - pointer to lock value to set */
4131 /* lockp(O) - pointer to location to store old lock value */
4132 /* */
4133 /* Get the new value for the lock integer, set it and return the old value */
4134 /* in *lockp. */
4135 /* ------------------------------------------------------------------------ */
4136 int fr_lock(data, lockp)
4137 caddr_t data;
4138 int *lockp;
4139 {
4140 int arg, err;
4141
4142 err = BCOPYIN(data, (caddr_t)&arg, sizeof(arg));
4143 if (err != 0)
4144 return (EFAULT);
4145 err = BCOPYOUT((caddr_t)lockp, data, sizeof(*lockp));
4146 if (err != 0)
4147 return (EFAULT);
4148 *lockp = arg;
4149 return (0);
4150 }
4151
4152
4153 /* ------------------------------------------------------------------------ */
4154 /* Function: fr_getstat */
4155 /* Returns: Nil */
4156 /* Parameters: fiop(I) - pointer to ipfilter stats structure */
4157 /* */
4158 /* Stores a copy of current pointers, counters, etc, in the friostat */
4159 /* structure. */
4160 /* ------------------------------------------------------------------------ */
4161 void fr_getstat(fiop, ifs)
4162 friostat_t *fiop;
4163 ipf_stack_t *ifs;
4164 {
4165 int i, j;
4166
4167 bcopy((char *)&ifs->ifs_frstats, (char *)fiop->f_st,
4168 sizeof(filterstats_t) * 2);
4169 fiop->f_locks[IPL_LOGSTATE] = ifs->ifs_fr_state_lock;
4170 fiop->f_locks[IPL_LOGNAT] = ifs->ifs_fr_nat_lock;
4171 fiop->f_locks[IPL_LOGIPF] = ifs->ifs_fr_frag_lock;
4172 fiop->f_locks[IPL_LOGAUTH] = ifs->ifs_fr_auth_lock;
4173
4174 for (i = 0; i < 2; i++)
4175 for (j = 0; j < 2; j++) {
4176 fiop->f_ipf[i][j] = ifs->ifs_ipfilter[i][j];
4177 fiop->f_acct[i][j] = ifs->ifs_ipacct[i][j];
4178 fiop->f_ipf6[i][j] = ifs->ifs_ipfilter6[i][j];
4179 fiop->f_acct6[i][j] = ifs->ifs_ipacct6[i][j];
4180 }
4181
4182 fiop->f_ticks = ifs->ifs_fr_ticks;
4183 fiop->f_active = ifs->ifs_fr_active;
4184 fiop->f_froute[0] = ifs->ifs_fr_frouteok[0];
4185 fiop->f_froute[1] = ifs->ifs_fr_frouteok[1];
4186
4187 fiop->f_running = ifs->ifs_fr_running;
4188 for (i = 0; i < IPL_LOGSIZE; i++) {
4189 fiop->f_groups[i][0] = ifs->ifs_ipfgroups[i][0];
4190 fiop->f_groups[i][1] = ifs->ifs_ipfgroups[i][1];
4191 }
4192 #ifdef IPFILTER_LOG
4193 fiop->f_logging = 1;
4194 #else
4195 fiop->f_logging = 0;
4196 #endif
4197 fiop->f_defpass = ifs->ifs_fr_pass;
4198 fiop->f_features = fr_features;
4199 (void) strncpy(fiop->f_version, ipfilter_version,
4200 sizeof(fiop->f_version));
4201 }
4202
4203
4204 #ifdef USE_INET6
4205 int icmptoicmp6types[ICMP_MAXTYPE+1] = {
4206 ICMP6_ECHO_REPLY, /* 0: ICMP_ECHOREPLY */
4207 -1, /* 1: UNUSED */
4208 -1, /* 2: UNUSED */
4209 ICMP6_DST_UNREACH, /* 3: ICMP_UNREACH */
4210 -1, /* 4: ICMP_SOURCEQUENCH */
4211 ND_REDIRECT, /* 5: ICMP_REDIRECT */
4212 -1, /* 6: UNUSED */
4213 -1, /* 7: UNUSED */
4214 ICMP6_ECHO_REQUEST, /* 8: ICMP_ECHO */
4215 -1, /* 9: UNUSED */
4216 -1, /* 10: UNUSED */
4217 ICMP6_TIME_EXCEEDED, /* 11: ICMP_TIMXCEED */
4218 ICMP6_PARAM_PROB, /* 12: ICMP_PARAMPROB */
4219 -1, /* 13: ICMP_TSTAMP */
4220 -1, /* 14: ICMP_TSTAMPREPLY */
4221 -1, /* 15: ICMP_IREQ */
4222 -1, /* 16: ICMP_IREQREPLY */
4223 -1, /* 17: ICMP_MASKREQ */
4224 -1, /* 18: ICMP_MASKREPLY */
4225 };
4226
4227
4228 int icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
4229 ICMP6_DST_UNREACH_ADDR, /* 0: ICMP_UNREACH_NET */
4230 ICMP6_DST_UNREACH_ADDR, /* 1: ICMP_UNREACH_HOST */
4231 -1, /* 2: ICMP_UNREACH_PROTOCOL */
4232 ICMP6_DST_UNREACH_NOPORT, /* 3: ICMP_UNREACH_PORT */
4233 -1, /* 4: ICMP_UNREACH_NEEDFRAG */
4234 ICMP6_DST_UNREACH_NOTNEIGHBOR, /* 5: ICMP_UNREACH_SRCFAIL */
4235 ICMP6_DST_UNREACH_ADDR, /* 6: ICMP_UNREACH_NET_UNKNOWN */
4236 ICMP6_DST_UNREACH_ADDR, /* 7: ICMP_UNREACH_HOST_UNKNOWN */
4237 -1, /* 8: ICMP_UNREACH_ISOLATED */
4238 ICMP6_DST_UNREACH_ADMIN, /* 9: ICMP_UNREACH_NET_PROHIB */
4239 ICMP6_DST_UNREACH_ADMIN, /* 10: ICMP_UNREACH_HOST_PROHIB */
4240 -1, /* 11: ICMP_UNREACH_TOSNET */
4241 -1, /* 12: ICMP_UNREACH_TOSHOST */
4242 ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
4243 };
4244 int icmpreplytype6[ICMP6_MAXTYPE + 1];
4245 #endif
4246
4247 int icmpreplytype4[ICMP_MAXTYPE + 1];
4248
4249
4250 /* ------------------------------------------------------------------------ */
4251 /* Function: fr_matchicmpqueryreply */
4252 /* Returns: int - 1 if "icmp" is a valid reply to "ic" else 0. */
4253 /* Parameters: v(I) - IP protocol version (4 or 6) */
4254 /* ic(I) - ICMP information */
4255 /* icmp(I) - ICMP packet header */
4256 /* rev(I) - direction (0 = forward/1 = reverse) of packet */
4257 /* */
4258 /* Check if the ICMP packet defined by the header pointed to by icmp is a */
4259 /* reply to one as described by what's in ic. If it is a match, return 1, */
4260 /* else return 0 for no match. */
4261 /* ------------------------------------------------------------------------ */
4262 int fr_matchicmpqueryreply(v, ic, icmp, rev)
4263 int v;
4264 icmpinfo_t *ic;
4265 icmphdr_t *icmp;
4266 int rev;
4267 {
4268 int ictype;
4269
4270 ictype = ic->ici_type;
4271
4272 if (v == 4) {
4273 /*
4274 * If we matched its type on the way in, then when going out
4275 * it will still be the same type.
4276 */
4277 if ((!rev && (icmp->icmp_type == ictype)) ||
4278 (rev && (icmpreplytype4[ictype] == icmp->icmp_type))) {
4279 if (icmp->icmp_type != ICMP_ECHOREPLY)
4280 return 1;
4281 if (icmp->icmp_id == ic->ici_id)
4282 return 1;
4283 }
4284 }
4285 #ifdef USE_INET6
4286 else if (v == 6) {
4287 if ((!rev && (icmp->icmp_type == ictype)) ||
4288 (rev && (icmpreplytype6[ictype] == icmp->icmp_type))) {
4289 if (icmp->icmp_type != ICMP6_ECHO_REPLY)
4290 return 1;
4291 if (icmp->icmp_id == ic->ici_id)
4292 return 1;
4293 }
4294 }
4295 #endif
4296 return 0;
4297 }
4298
4299
4300 #ifdef IPFILTER_LOOKUP
4301 /* ------------------------------------------------------------------------ */
4302 /* Function: fr_resolvelookup */
4303 /* Returns: void * - NULL = failure, else success. */
4304 /* Parameters: type(I) - type of lookup these parameters are for. */
4305 /* number(I) - table number to use when searching */
4306 /* funcptr(IO) - pointer to pointer for storing IP address */
4307 /* searching function. */
4308 /* ifs - ipf stack instance */
4309 /* */
4310 /* Search for the "table" number passed in amongst those configured for */
4311 /* that particular type. If the type is recognised then the function to */
4312 /* call to do the IP address search will be change, regardless of whether */
4313 /* or not the "table" number exists. */
4314 /* ------------------------------------------------------------------------ */
4315 static void *fr_resolvelookup(type, number, funcptr, ifs)
4316 u_int type, number;
4317 lookupfunc_t *funcptr;
4318 ipf_stack_t *ifs;
4319 {
4320 char name[FR_GROUPLEN];
4321 iphtable_t *iph;
4322 ip_pool_t *ipo;
4323 void *ptr;
4324
4325 #if defined(SNPRINTF) && defined(_KERNEL)
4326 (void) SNPRINTF(name, sizeof(name), "%u", number);
4327 #else
4328 (void) sprintf(name, "%u", number);
4329 #endif
4330
4331 READ_ENTER(&ifs->ifs_ip_poolrw);
4332
4333 switch (type)
4334 {
4335 case IPLT_POOL :
4336 # if (defined(__osf__) && defined(_KERNEL))
4337 ptr = NULL;
4338 *funcptr = NULL;
4339 # else
4340 ipo = ip_pool_find(IPL_LOGIPF, name, ifs);
4341 ptr = ipo;
4342 if (ipo != NULL) {
4343 ATOMIC_INC32(ipo->ipo_ref);
4344 }
4345 *funcptr = ip_pool_search;
4346 # endif
4347 break;
4348 case IPLT_HASH :
4349 iph = fr_findhtable(IPL_LOGIPF, name, ifs);
4350 ptr = iph;
4351 if (iph != NULL) {
4352 ATOMIC_INC32(iph->iph_ref);
4353 }
4354 *funcptr = fr_iphmfindip;
4355 break;
4356 default:
4357 ptr = NULL;
4358 *funcptr = NULL;
4359 break;
4360 }
4361 RWLOCK_EXIT(&ifs->ifs_ip_poolrw);
4362
4363 return ptr;
4364 }
4365 #endif
4366
4367
4368 /* ------------------------------------------------------------------------ */
4369 /* Function: frrequest */
4370 /* Returns: int - 0 == success, > 0 == errno value */
4371 /* Parameters: unit(I) - device for which this is for */
4372 /* req(I) - ioctl command (SIOC*) */
4373 /* data(I) - pointr to ioctl data */
4374 /* set(I) - 1 or 0 (filter set) */
4375 /* makecopy(I) - flag indicating whether data points to a rule */
4376 /* in kernel space & hence doesn't need copying. */
4377 /* */
4378 /* This function handles all the requests which operate on the list of */
4379 /* filter rules. This includes adding, deleting, insertion. It is also */
4380 /* responsible for creating groups when a "head" rule is loaded. Interface */
4381 /* names are resolved here and other sanity checks are made on the content */
4382 /* of the rule structure being loaded. If a rule has user defined timeouts */
4383 /* then make sure they are created and initialised before exiting. */
4384 /* ------------------------------------------------------------------------ */
4385 int frrequest(unit, req, data, set, makecopy, ifs)
4386 int unit;
4387 ioctlcmd_t req;
4388 int set, makecopy;
4389 caddr_t data;
4390 ipf_stack_t *ifs;
4391 {
4392 frentry_t frd, *fp, *f, **fprev, **ftail;
4393 int error = 0, in, v;
4394 void *ptr, *uptr;
4395 u_int *p, *pp;
4396 frgroup_t *fg;
4397 char *group;
4398
4399 fg = NULL;
4400 fp = &frd;
4401 if (makecopy != 0) {
4402 error = fr_inobj(data, fp, IPFOBJ_FRENTRY);
4403 if (error)
4404 return EFAULT;
4405 if ((fp->fr_flags & FR_T_BUILTIN) != 0)
4406 return EINVAL;
4407 fp->fr_ref = 0;
4408 fp->fr_flags |= FR_COPIED;
4409 } else {
4410 fp = (frentry_t *)data;
4411 if ((fp->fr_type & FR_T_BUILTIN) == 0)
4412 return EINVAL;
4413 fp->fr_flags &= ~FR_COPIED;
4414 }
4415
4416 if (((fp->fr_dsize == 0) && (fp->fr_data != NULL)) ||
4417 ((fp->fr_dsize != 0) && (fp->fr_data == NULL)))
4418 return EINVAL;
4419
4420 v = fp->fr_v;
4421 uptr = fp->fr_data;
4422
4423 /*
4424 * Only filter rules for IPv4 or IPv6 are accepted.
4425 */
4426 if (v == 4)
4427 /*EMPTY*/;
4428 #ifdef USE_INET6
4429 else if (v == 6)
4430 /*EMPTY*/;
4431 #endif
4432 else {
4433 return EINVAL;
4434 }
4435
4436 /*
4437 * If the rule is being loaded from user space, i.e. we had to copy it
4438 * into kernel space, then do not trust the function pointer in the
4439 * rule.
4440 */
4441 if ((makecopy == 1) && (fp->fr_func != NULL)) {
4442 if (fr_findfunc(fp->fr_func) == NULL)
4443 return ESRCH;
4444 error = fr_funcinit(fp, ifs);
4445 if (error != 0)
4446 return error;
4447 }
4448
4449 ptr = NULL;
4450 /*
4451 * Check that the group number does exist and that its use (in/out)
4452 * matches what the rule is.
4453 */
4454 if (!strncmp(fp->fr_grhead, "0", FR_GROUPLEN))
4455 *fp->fr_grhead = '\0';
4456 group = fp->fr_group;
4457 if (!strncmp(group, "0", FR_GROUPLEN))
4458 *group = '\0';
4459
4460 if (FR_ISACCOUNT(fp->fr_flags))
4461 unit = IPL_LOGCOUNT;
4462
4463 if ((req != (int)SIOCZRLST) && (*group != '\0')) {
4464 fg = fr_findgroup(group, unit, set, NULL, ifs);
4465 if (fg == NULL)
4466 return ESRCH;
4467 if (fg->fg_flags == 0)
4468 fg->fg_flags = fp->fr_flags & FR_INOUT;
4469 else if (fg->fg_flags != (fp->fr_flags & FR_INOUT))
4470 return ESRCH;
4471 }
4472
4473 in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
4474
4475 /*
4476 * Work out which rule list this change is being applied to.
4477 */
4478 ftail = NULL;
4479 fprev = NULL;
4480 if (unit == IPL_LOGAUTH)
4481 fprev = &ifs->ifs_ipauth;
4482 else if (v == 4) {
4483 if (FR_ISACCOUNT(fp->fr_flags))
4484 fprev = &ifs->ifs_ipacct[in][set];
4485 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
4486 fprev = &ifs->ifs_ipfilter[in][set];
4487 } else if (v == 6) {
4488 if (FR_ISACCOUNT(fp->fr_flags))
4489 fprev = &ifs->ifs_ipacct6[in][set];
4490 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
4491 fprev = &ifs->ifs_ipfilter6[in][set];
4492 }
4493 if (fprev == NULL)
4494 return ESRCH;
4495
4496 if (*group != '\0') {
4497 if (!fg && !(fg = fr_findgroup(group, unit, set, NULL, ifs)))
4498 return ESRCH;
4499 fprev = &fg->fg_start;
4500 }
4501
4502 ftail = fprev;
4503 for (f = *ftail; (f = *ftail) != NULL; ftail = &f->fr_next) {
4504 if (fp->fr_collect <= f->fr_collect) {
4505 ftail = fprev;
4506 f = NULL;
4507 break;
4508 }
4509 fprev = ftail;
4510 }
4511
4512 /*
4513 * Copy in extra data for the rule.
4514 */
4515 if (fp->fr_dsize != 0) {
4516 if (makecopy != 0) {
4517 KMALLOCS(ptr, void *, fp->fr_dsize);
4518 if (!ptr)
4519 return ENOMEM;
4520 error = COPYIN(uptr, ptr, fp->fr_dsize);
4521 } else {
4522 ptr = uptr;
4523 error = 0;
4524 }
4525 if (error != 0) {
4526 KFREES(ptr, fp->fr_dsize);
4527 return EFAULT;
4528 }
4529 fp->fr_data = ptr;
4530 } else
4531 fp->fr_data = NULL;
4532
4533 /*
4534 * Perform per-rule type sanity checks of their members.
4535 */
4536 switch (fp->fr_type & ~FR_T_BUILTIN)
4537 {
4538 #if defined(IPFILTER_BPF)
4539 case FR_T_BPFOPC :
4540 if (fp->fr_dsize == 0)
4541 return EINVAL;
4542 if (!bpf_validate(ptr, fp->fr_dsize/sizeof(struct bpf_insn))) {
4543 if (makecopy && fp->fr_data != NULL) {
4544 KFREES(fp->fr_data, fp->fr_dsize);
4545 }
4546 return EINVAL;
4547 }
4548 break;
4549 #endif
4550 case FR_T_IPF :
4551 if (fp->fr_dsize != sizeof(fripf_t)) {
4552 if (makecopy && fp->fr_data != NULL) {
4553 KFREES(fp->fr_data, fp->fr_dsize);
4554 }
4555 return EINVAL;
4556 }
4557
4558 /*
4559 * Allowing a rule with both "keep state" and "with oow" is
4560 * pointless because adding a state entry to the table will
4561 * fail with the out of window (oow) flag set.
4562 */
4563 if ((fp->fr_flags & FR_KEEPSTATE) && (fp->fr_flx & FI_OOW)) {
4564 if (makecopy && fp->fr_data != NULL) {
4565 KFREES(fp->fr_data, fp->fr_dsize);
4566 }
4567 return EINVAL;
4568 }
4569
4570 switch (fp->fr_satype)
4571 {
4572 case FRI_BROADCAST :
4573 case FRI_DYNAMIC :
4574 case FRI_NETWORK :
4575 case FRI_NETMASKED :
4576 case FRI_PEERADDR :
4577 if (fp->fr_sifpidx < 0 || fp->fr_sifpidx > 3) {
4578 if (makecopy && fp->fr_data != NULL) {
4579 KFREES(fp->fr_data, fp->fr_dsize);
4580 }
4581 return EINVAL;
4582 }
4583 break;
4584 #ifdef IPFILTER_LOOKUP
4585 case FRI_LOOKUP :
4586 fp->fr_srcptr = fr_resolvelookup(fp->fr_srctype,
4587 fp->fr_srcnum,
4588 &fp->fr_srcfunc, ifs);
4589 break;
4590 #endif
4591 default :
4592 break;
4593 }
4594
4595 switch (fp->fr_datype)
4596 {
4597 case FRI_BROADCAST :
4598 case FRI_DYNAMIC :
4599 case FRI_NETWORK :
4600 case FRI_NETMASKED :
4601 case FRI_PEERADDR :
4602 if (fp->fr_difpidx < 0 || fp->fr_difpidx > 3) {
4603 if (makecopy && fp->fr_data != NULL) {
4604 KFREES(fp->fr_data, fp->fr_dsize);
4605 }
4606 return EINVAL;
4607 }
4608 break;
4609 #ifdef IPFILTER_LOOKUP
4610 case FRI_LOOKUP :
4611 fp->fr_dstptr = fr_resolvelookup(fp->fr_dsttype,
4612 fp->fr_dstnum,
4613 &fp->fr_dstfunc, ifs);
4614 break;
4615 #endif
4616 default :
4617 break;
4618 }
4619 break;
4620 case FR_T_NONE :
4621 break;
4622 case FR_T_CALLFUNC :
4623 break;
4624 case FR_T_COMPIPF :
4625 break;
4626 default :
4627 if (makecopy && fp->fr_data != NULL) {
4628 KFREES(fp->fr_data, fp->fr_dsize);
4629 }
4630 return EINVAL;
4631 }
4632
4633 /*
4634 * Lookup all the interface names that are part of the rule.
4635 */
4636 frsynclist(0, 0, NULL, NULL, fp, ifs);
4637 fp->fr_statecnt = 0;
4638
4639 /*
4640 * Look for an existing matching filter rule, but don't include the
4641 * next or interface pointer in the comparison (fr_next, fr_ifa).
4642 * This elminates rules which are indentical being loaded. Checksum
4643 * the constant part of the filter rule to make comparisons quicker
4644 * (this meaning no pointers are included).
4645 */
4646 for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_func, pp = &fp->fr_cksum;
4647 p < pp; p++)
4648 fp->fr_cksum += *p;
4649 pp = (u_int *)(fp->fr_caddr + fp->fr_dsize);
4650 for (p = (u_int *)fp->fr_data; p < pp; p++)
4651 fp->fr_cksum += *p;
4652
4653 WRITE_ENTER(&ifs->ifs_ipf_mutex);
4654 bzero((char *)ifs->ifs_frcache, sizeof (ifs->ifs_frcache));
4655
4656 for (; (f = *ftail) != NULL; ftail = &f->fr_next) {
4657 if ((fp->fr_cksum != f->fr_cksum) ||
4658 (f->fr_dsize != fp->fr_dsize))
4659 continue;
4660 if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func, FR_CMPSIZ))
4661 continue;
4662 if ((!ptr && !f->fr_data) ||
4663 (ptr && f->fr_data &&
4664 !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize)))
4665 break;
4666 }
4667
4668 /*
4669 * If zero'ing statistics, copy current to caller and zero.
4670 */
4671 if (req == (ioctlcmd_t)SIOCZRLST) {
4672 if (f == NULL)
4673 error = ESRCH;
4674 else {
4675 /*
4676 * Copy and reduce lock because of impending copyout.
4677 * Well we should, but if we do then the atomicity of
4678 * this call and the correctness of fr_hits and
4679 * fr_bytes cannot be guaranteed. As it is, this code
4680 * only resets them to 0 if they are successfully
4681 * copied out into user space.
4682 */
4683 bcopy((char *)f, (char *)fp, sizeof(*f));
4684
4685 /*
4686 * When we copy this rule back out, set the data
4687 * pointer to be what it was in user space.
4688 */
4689 fp->fr_data = uptr;
4690 error = fr_outobj(data, fp, IPFOBJ_FRENTRY);
4691
4692 if (error == 0) {
4693 if ((f->fr_dsize != 0) && (uptr != NULL))
4694 error = COPYOUT(f->fr_data, uptr,
4695 f->fr_dsize);
4696 if (error == 0) {
4697 f->fr_hits = 0;
4698 f->fr_bytes = 0;
4699 }
4700 }
4701 }
4702
4703 if ((ptr != NULL) && (makecopy != 0)) {
4704 KFREES(ptr, fp->fr_dsize);
4705 }
4706 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
4707 return error;
4708 }
4709
4710 if (!f) {
4711 /*
4712 * At the end of this, ftail must point to the place where the
4713 * new rule is to be saved/inserted/added.
4714 * For SIOCAD*FR, this should be the last rule in the group of
4715 * rules that have equal fr_collect fields.
4716 * For SIOCIN*FR, ...
4717 */
4718 if (req == (ioctlcmd_t)SIOCADAFR ||
4719 req == (ioctlcmd_t)SIOCADIFR) {
4720
4721 for (ftail = fprev; (f = *ftail) != NULL; ) {
4722 if (f->fr_collect > fp->fr_collect)
4723 break;
4724 ftail = &f->fr_next;
4725 }
4726 f = NULL;
4727 ptr = NULL;
4728 error = 0;
4729 } else if (req == (ioctlcmd_t)SIOCINAFR ||
4730 req == (ioctlcmd_t)SIOCINIFR) {
4731 while ((f = *fprev) != NULL) {
4732 if (f->fr_collect >= fp->fr_collect)
4733 break;
4734 fprev = &f->fr_next;
4735 }
4736 ftail = fprev;
4737 if (fp->fr_hits != 0) {
4738 while (fp->fr_hits && (f = *ftail)) {
4739 if (f->fr_collect != fp->fr_collect)
4740 break;
4741 fprev = ftail;
4742 ftail = &f->fr_next;
4743 fp->fr_hits--;
4744 }
4745 }
4746 f = NULL;
4747 ptr = NULL;
4748 error = 0;
4749 }
4750 }
4751
4752 /*
4753 * Request to remove a rule.
4754 */
4755 if (req == (ioctlcmd_t)SIOCRMAFR || req == (ioctlcmd_t)SIOCRMIFR) {
4756 if (!f)
4757 error = ESRCH;
4758 else {
4759 /*
4760 * Do not allow activity from user space to interfere
4761 * with rules not loaded that way.
4762 */
4763 if ((makecopy == 1) && !(f->fr_flags & FR_COPIED)) {
4764 error = EPERM;
4765 goto done;
4766 }
4767
4768 /*
4769 * Return EBUSY if the rule is being reference by
4770 * something else (eg state information.
4771 */
4772 if (f->fr_ref > 1) {
4773 error = EBUSY;
4774 goto done;
4775 }
4776 #ifdef IPFILTER_SCAN
4777 if (f->fr_isctag[0] != '\0' &&
4778 (f->fr_isc != (struct ipscan *)-1))
4779 ipsc_detachfr(f);
4780 #endif
4781 if (unit == IPL_LOGAUTH) {
4782 error = fr_preauthcmd(req, f, ftail, ifs);
4783 goto done;
4784 }
4785 if (*f->fr_grhead != '\0')
4786 fr_delgroup(f->fr_grhead, unit, set, ifs);
4787 fr_fixskip(ftail, f, -1);
4788 *ftail = f->fr_next;
4789 f->fr_next = NULL;
4790 (void)fr_derefrule(&f, ifs);
4791 }
4792 } else {
4793 /*
4794 * Not removing, so we must be adding/inserting a rule.
4795 */
4796 if (f)
4797 error = EEXIST;
4798 else {
4799 if (unit == IPL_LOGAUTH) {
4800 error = fr_preauthcmd(req, fp, ftail, ifs);
4801 goto done;
4802 }
4803 if (makecopy) {
4804 KMALLOC(f, frentry_t *);
4805 } else
4806 f = fp;
4807 if (f != NULL) {
4808 if (fp != f)
4809 bcopy((char *)fp, (char *)f,
4810 sizeof(*f));
4811 MUTEX_NUKE(&f->fr_lock);
4812 MUTEX_INIT(&f->fr_lock, "filter rule lock");
4813 #ifdef IPFILTER_SCAN
4814 if (f->fr_isctag[0] != '\0' &&
4815 ipsc_attachfr(f))
4816 f->fr_isc = (struct ipscan *)-1;
4817 #endif
4818 f->fr_hits = 0;
4819 if (makecopy != 0)
4820 f->fr_ref = 1;
4821 f->fr_next = *ftail;
4822 *ftail = f;
4823 if (req == (ioctlcmd_t)SIOCINIFR ||
4824 req == (ioctlcmd_t)SIOCINAFR)
4825 fr_fixskip(ftail, f, 1);
4826 f->fr_grp = NULL;
4827 group = f->fr_grhead;
4828 if (*group != '\0') {
4829 fg = fr_addgroup(group, f, f->fr_flags,
4830 unit, set, ifs);
4831 if (fg != NULL)
4832 f->fr_grp = &fg->fg_start;
4833 }
4834 } else
4835 error = ENOMEM;
4836 }
4837 }
4838 done:
4839 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
4840 if ((ptr != NULL) && (error != 0) && (makecopy != 0)) {
4841 KFREES(ptr, fp->fr_dsize);
4842 }
4843 return (error);
4844 }
4845
4846
4847 /* ------------------------------------------------------------------------ */
4848 /* Function: fr_funcinit */
4849 /* Returns: int - 0 == success, else ESRCH: cannot resolve rule details */
4850 /* Parameters: fr(I) - pointer to filter rule */
4851 /* */
4852 /* If a rule is a call rule, then check if the function it points to needs */
4853 /* an init function to be called now the rule has been loaded. */
4854 /* ------------------------------------------------------------------------ */
4855 static int fr_funcinit(fr, ifs)
4856 frentry_t *fr;
4857 ipf_stack_t *ifs;
4858 {
4859 ipfunc_resolve_t *ft;
4860 int err;
4861
4862 err = ESRCH;
4863
4864 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4865 if (ft->ipfu_addr == fr->fr_func) {
4866 err = 0;
4867 if (ft->ipfu_init != NULL)
4868 err = (*ft->ipfu_init)(fr, ifs);
4869 break;
4870 }
4871 return err;
4872 }
4873
4874
4875 /* ------------------------------------------------------------------------ */
4876 /* Function: fr_findfunc */
4877 /* Returns: ipfunc_t - pointer to function if found, else NULL */
4878 /* Parameters: funcptr(I) - function pointer to lookup */
4879 /* */
4880 /* Look for a function in the table of known functions. */
4881 /* ------------------------------------------------------------------------ */
4882 static ipfunc_t fr_findfunc(funcptr)
4883 ipfunc_t funcptr;
4884 {
4885 ipfunc_resolve_t *ft;
4886
4887 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4888 if (ft->ipfu_addr == funcptr)
4889 return funcptr;
4890 return NULL;
4891 }
4892
4893
4894 /* ------------------------------------------------------------------------ */
4895 /* Function: fr_resolvefunc */
4896 /* Returns: int - 0 == success, else error */
4897 /* Parameters: data(IO) - ioctl data pointer to ipfunc_resolve_t struct */
4898 /* */
4899 /* Copy in a ipfunc_resolve_t structure and then fill in the missing field. */
4900 /* This will either be the function name (if the pointer is set) or the */
4901 /* function pointer if the name is set. When found, fill in the other one */
4902 /* so that the entire, complete, structure can be copied back to user space.*/
4903 /* ------------------------------------------------------------------------ */
4904 int fr_resolvefunc(data)
4905 void *data;
4906 {
4907 ipfunc_resolve_t res, *ft;
4908 int err;
4909
4910 err = BCOPYIN(data, &res, sizeof(res));
4911 if (err != 0)
4912 return EFAULT;
4913
4914 if (res.ipfu_addr == NULL && res.ipfu_name[0] != '\0') {
4915 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4916 if (strncmp(res.ipfu_name, ft->ipfu_name,
4917 sizeof(res.ipfu_name)) == 0) {
4918 res.ipfu_addr = ft->ipfu_addr;
4919 res.ipfu_init = ft->ipfu_init;
4920 if (COPYOUT(&res, data, sizeof(res)) != 0)
4921 return EFAULT;
4922 return 0;
4923 }
4924 }
4925 if (res.ipfu_addr != NULL && res.ipfu_name[0] == '\0') {
4926 for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
4927 if (ft->ipfu_addr == res.ipfu_addr) {
4928 (void) strncpy(res.ipfu_name, ft->ipfu_name,
4929 sizeof(res.ipfu_name));
4930 res.ipfu_init = ft->ipfu_init;
4931 if (COPYOUT(&res, data, sizeof(res)) != 0)
4932 return EFAULT;
4933 return 0;
4934 }
4935 }
4936 return ESRCH;
4937 }
4938
4939
4940 #if !defined(_KERNEL) || (!defined(__NetBSD__) && !defined(__OpenBSD__) && !defined(__FreeBSD__)) || \
4941 (defined(__FreeBSD__) && (__FreeBSD_version < 490000)) || \
4942 (defined(__NetBSD__) && (__NetBSD_Version__ < 105000000)) || \
4943 (defined(__OpenBSD__) && (OpenBSD < 200006))
4944 /*
4945 * From: NetBSD
4946 * ppsratecheck(): packets (or events) per second limitation.
4947 */
4948 int
4949 ppsratecheck(lasttime, curpps, maxpps)
4950 struct timeval *lasttime;
4951 int *curpps;
4952 int maxpps; /* maximum pps allowed */
4953 {
4954 struct timeval tv, delta;
4955 int rv;
4956
4957 GETKTIME(&tv);
4958
4959 delta.tv_sec = tv.tv_sec - lasttime->tv_sec;
4960 delta.tv_usec = tv.tv_usec - lasttime->tv_usec;
4961 if (delta.tv_usec < 0) {
4962 delta.tv_sec--;
4963 delta.tv_usec += 1000000;
4964 }
4965
4966 /*
4967 * check for 0,0 is so that the message will be seen at least once.
4968 * if more than one second have passed since the last update of
4969 * lasttime, reset the counter.
4970 *
4971 * we do increment *curpps even in *curpps < maxpps case, as some may
4972 * try to use *curpps for stat purposes as well.
4973 */
4974 if ((lasttime->tv_sec == 0 && lasttime->tv_usec == 0) ||
4975 delta.tv_sec >= 1) {
4976 *lasttime = tv;
4977 *curpps = 0;
4978 rv = 1;
4979 } else if (maxpps < 0)
4980 rv = 1;
4981 else if (*curpps < maxpps)
4982 rv = 1;
4983 else
4984 rv = 0;
4985 *curpps = *curpps + 1;
4986
4987 return (rv);
4988 }
4989 #endif
4990
4991
4992 /* ------------------------------------------------------------------------ */
4993 /* Function: fr_derefrule */
4994 /* Returns: int - 0 == rule freed up, else rule not freed */
4995 /* Parameters: fr(I) - pointer to filter rule */
4996 /* */
4997 /* Decrement the reference counter to a rule by one. If it reaches zero, */
4998 /* free it and any associated storage space being used by it. */
4999 /* ------------------------------------------------------------------------ */
5000 int fr_derefrule(frp, ifs)
5001 frentry_t **frp;
5002 ipf_stack_t *ifs;
5003 {
5004 frentry_t *fr;
5005
5006 fr = *frp;
5007
5008 MUTEX_ENTER(&fr->fr_lock);
5009 fr->fr_ref--;
5010 if (fr->fr_ref == 0) {
5011 MUTEX_EXIT(&fr->fr_lock);
5012 MUTEX_DESTROY(&fr->fr_lock);
5013
5014 #ifdef IPFILTER_LOOKUP
5015 if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP)
5016 ip_lookup_deref(fr->fr_srctype, fr->fr_srcptr, ifs);
5017 if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP)
5018 ip_lookup_deref(fr->fr_dsttype, fr->fr_dstptr, ifs);
5019 #endif
5020
5021 if (fr->fr_dsize) {
5022 KFREES(fr->fr_data, fr->fr_dsize);
5023 }
5024 if ((fr->fr_flags & FR_COPIED) != 0) {
5025 KFREE(fr);
5026 return 0;
5027 }
5028 return 1;
5029 } else {
5030 MUTEX_EXIT(&fr->fr_lock);
5031 }
5032 *frp = NULL;
5033 return -1;
5034 }
5035
5036
5037 #ifdef IPFILTER_LOOKUP
5038 /* ------------------------------------------------------------------------ */
5039 /* Function: fr_grpmapinit */
5040 /* Returns: int - 0 == success, else ESRCH because table entry not found*/
5041 /* Parameters: fr(I) - pointer to rule to find hash table for */
5042 /* */
5043 /* Looks for group hash table fr_arg and stores a pointer to it in fr_ptr. */
5044 /* fr_ptr is later used by fr_srcgrpmap and fr_dstgrpmap. */
5045 /* ------------------------------------------------------------------------ */
5046 static int fr_grpmapinit(fr, ifs)
5047 frentry_t *fr;
5048 ipf_stack_t *ifs;
5049 {
5050 char name[FR_GROUPLEN];
5051 iphtable_t *iph;
5052
5053 #if defined(SNPRINTF) && defined(_KERNEL)
5054 (void) SNPRINTF(name, sizeof(name), "%d", fr->fr_arg);
5055 #else
5056 (void) sprintf(name, "%d", fr->fr_arg);
5057 #endif
5058 iph = fr_findhtable(IPL_LOGIPF, name, ifs);
5059 if (iph == NULL)
5060 return ESRCH;
5061 if ((iph->iph_flags & FR_INOUT) != (fr->fr_flags & FR_INOUT))
5062 return ESRCH;
5063 fr->fr_ptr = iph;
5064 return 0;
5065 }
5066
5067
5068 /* ------------------------------------------------------------------------ */
5069 /* Function: fr_srcgrpmap */
5070 /* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
5071 /* Parameters: fin(I) - pointer to packet information */
5072 /* passp(IO) - pointer to current/new filter decision (unused) */
5073 /* */
5074 /* Look for a rule group head in a hash table, using the source address as */
5075 /* the key, and descend into that group and continue matching rules against */
5076 /* the packet. */
5077 /* ------------------------------------------------------------------------ */
5078 frentry_t *fr_srcgrpmap(fin, passp)
5079 fr_info_t *fin;
5080 u_32_t *passp;
5081 {
5082 frgroup_t *fg;
5083 void *rval;
5084 ipf_stack_t *ifs = fin->fin_ifs;
5085
5086 rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, fin->fin_v, &fin->fin_src, ifs);
5087 if (rval == NULL)
5088 return NULL;
5089
5090 fg = rval;
5091 fin->fin_fr = fg->fg_start;
5092 (void) fr_scanlist(fin, *passp);
5093 return fin->fin_fr;
5094 }
5095
5096
5097 /* ------------------------------------------------------------------------ */
5098 /* Function: fr_dstgrpmap */
5099 /* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
5100 /* Parameters: fin(I) - pointer to packet information */
5101 /* passp(IO) - pointer to current/new filter decision (unused) */
5102 /* */
5103 /* Look for a rule group head in a hash table, using the destination */
5104 /* address as the key, and descend into that group and continue matching */
5105 /* rules against the packet. */
5106 /* ------------------------------------------------------------------------ */
5107 frentry_t *fr_dstgrpmap(fin, passp)
5108 fr_info_t *fin;
5109 u_32_t *passp;
5110 {
5111 frgroup_t *fg;
5112 void *rval;
5113 ipf_stack_t *ifs = fin->fin_ifs;
5114
5115 rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, fin->fin_v, &fin->fin_dst, ifs);
5116 if (rval == NULL)
5117 return NULL;
5118
5119 fg = rval;
5120 fin->fin_fr = fg->fg_start;
5121 (void) fr_scanlist(fin, *passp);
5122 return fin->fin_fr;
5123 }
5124 #endif /* IPFILTER_LOOKUP */
5125
5126 /*
5127 * Queue functions
5128 * ===============
5129 * These functions manage objects on queues for efficient timeouts. There are
5130 * a number of system defined queues as well as user defined timeouts. It is
5131 * expected that a lock is held in the domain in which the queue belongs
5132 * (i.e. either state or NAT) when calling any of these functions that prevents
5133 * fr_freetimeoutqueue() from being called at the same time as any other.
5134 */
5135
5136
5137 /* ------------------------------------------------------------------------ */
5138 /* Function: fr_addtimeoutqueue */
5139 /* Returns: struct ifqtq * - NULL if malloc fails, else pointer to */
5140 /* timeout queue with given interval. */
5141 /* Parameters: parent(I) - pointer to pointer to parent node of this list */
5142 /* of interface queues. */
5143 /* seconds(I) - timeout value in seconds for this queue. */
5144 /* */
5145 /* This routine first looks for a timeout queue that matches the interval */
5146 /* being requested. If it finds one, increments the reference counter and */
5147 /* returns a pointer to it. If none are found, it allocates a new one and */
5148 /* inserts it at the top of the list. */
5149 /* */
5150 /* Locking. */
5151 /* It is assumed that the caller of this function has an appropriate lock */
5152 /* held (exclusively) in the domain that encompases 'parent'. */
5153 /* ------------------------------------------------------------------------ */
5154 ipftq_t *fr_addtimeoutqueue(parent, seconds, ifs)
5155 ipftq_t **parent;
5156 u_int seconds;
5157 ipf_stack_t *ifs;
5158 {
5159 ipftq_t *ifq;
5160 u_int period;
5161
5162 period = seconds * IPF_HZ_DIVIDE;
5163
5164 MUTEX_ENTER(&ifs->ifs_ipf_timeoutlock);
5165 for (ifq = *parent; ifq != NULL; ifq = ifq->ifq_next) {
5166 if (ifq->ifq_ttl == period) {
5167 /*
5168 * Reset the delete flag, if set, so the structure
5169 * gets reused rather than freed and reallocated.
5170 */
5171 MUTEX_ENTER(&ifq->ifq_lock);
5172 ifq->ifq_flags &= ~IFQF_DELETE;
5173 ifq->ifq_ref++;
5174 MUTEX_EXIT(&ifq->ifq_lock);
5175 MUTEX_EXIT(&ifs->ifs_ipf_timeoutlock);
5176
5177 return ifq;
5178 }
5179 }
5180
5181 KMALLOC(ifq, ipftq_t *);
5182 if (ifq != NULL) {
5183 ifq->ifq_ttl = period;
5184 ifq->ifq_head = NULL;
5185 ifq->ifq_tail = &ifq->ifq_head;
5186 ifq->ifq_next = *parent;
5187 ifq->ifq_pnext = parent;
5188 ifq->ifq_ref = 1;
5189 ifq->ifq_flags = IFQF_USER;
5190 *parent = ifq;
5191 ifs->ifs_fr_userifqs++;
5192 MUTEX_NUKE(&ifq->ifq_lock);
5193 MUTEX_INIT(&ifq->ifq_lock, "ipftq mutex");
5194 }
5195 MUTEX_EXIT(&ifs->ifs_ipf_timeoutlock);
5196 return ifq;
5197 }
5198
5199
5200 /* ------------------------------------------------------------------------ */
5201 /* Function: fr_deletetimeoutqueue */
5202 /* Returns: int - new reference count value of the timeout queue */
5203 /* Parameters: ifq(I) - timeout queue which is losing a reference. */
5204 /* Locks: ifq->ifq_lock */
5205 /* */
5206 /* This routine must be called when we're discarding a pointer to a timeout */
5207 /* queue object, taking care of the reference counter. */
5208 /* */
5209 /* Now that this just sets a DELETE flag, it requires the expire code to */
5210 /* check the list of user defined timeout queues and call the free function */
5211 /* below (currently commented out) to stop memory leaking. It is done this */
5212 /* way because the locking may not be sufficient to safely do a free when */
5213 /* this function is called. */
5214 /* ------------------------------------------------------------------------ */
5215 int fr_deletetimeoutqueue(ifq)
5216 ipftq_t *ifq;
5217 {
5218
5219 ifq->ifq_ref--;
5220 if ((ifq->ifq_ref == 0) && ((ifq->ifq_flags & IFQF_USER) != 0)) {
5221 ifq->ifq_flags |= IFQF_DELETE;
5222 }
5223
5224 return ifq->ifq_ref;
5225 }
5226
5227
5228 /* ------------------------------------------------------------------------ */
5229 /* Function: fr_freetimeoutqueue */
5230 /* Parameters: ifq(I) - timeout queue which is losing a reference. */
5231 /* Returns: Nil */
5232 /* */
5233 /* Locking: */
5234 /* It is assumed that the caller of this function has an appropriate lock */
5235 /* held (exclusively) in the domain that encompases the callers "domain". */
5236 /* The ifq_lock for this structure should not be held. */
5237 /* */
5238 /* Remove a user definde timeout queue from the list of queues it is in and */
5239 /* tidy up after this is done. */
5240 /* ------------------------------------------------------------------------ */
5241 void fr_freetimeoutqueue(ifq, ifs)
5242 ipftq_t *ifq;
5243 ipf_stack_t *ifs;
5244 {
5245
5246
5247 if (((ifq->ifq_flags & IFQF_DELETE) == 0) || (ifq->ifq_ref != 0) ||
5248 ((ifq->ifq_flags & IFQF_USER) == 0)) {
5249 printf("fr_freetimeoutqueue(%lx) flags 0x%x ttl %d ref %d\n",
5250 (u_long)ifq, ifq->ifq_flags, ifq->ifq_ttl,
5251 ifq->ifq_ref);
5252 return;
5253 }
5254
5255 /*
5256 * Remove from its position in the list.
5257 */
5258 *ifq->ifq_pnext = ifq->ifq_next;
5259 if (ifq->ifq_next != NULL)
5260 ifq->ifq_next->ifq_pnext = ifq->ifq_pnext;
5261
5262 MUTEX_DESTROY(&ifq->ifq_lock);
5263 ifs->ifs_fr_userifqs--;
5264 KFREE(ifq);
5265 }
5266
5267
5268 /* ------------------------------------------------------------------------ */
5269 /* Function: fr_deletequeueentry */
5270 /* Returns: Nil */
5271 /* Parameters: tqe(I) - timeout queue entry to delete */
5272 /* ifq(I) - timeout queue to remove entry from */
5273 /* */
5274 /* Remove a tail queue entry from its queue and make it an orphan. */
5275 /* fr_deletetimeoutqueue is called to make sure the reference count on the */
5276 /* queue is correct. We can't, however, call fr_freetimeoutqueue because */
5277 /* the correct lock(s) may not be held that would make it safe to do so. */
5278 /* ------------------------------------------------------------------------ */
5279 void fr_deletequeueentry(tqe)
5280 ipftqent_t *tqe;
5281 {
5282 ipftq_t *ifq;
5283
5284 ifq = tqe->tqe_ifq;
5285 if (ifq == NULL)
5286 return;
5287
5288 MUTEX_ENTER(&ifq->ifq_lock);
5289
5290 if (tqe->tqe_pnext != NULL) {
5291 *tqe->tqe_pnext = tqe->tqe_next;
5292 if (tqe->tqe_next != NULL)
5293 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5294 else /* we must be the tail anyway */
5295 ifq->ifq_tail = tqe->tqe_pnext;
5296
5297 tqe->tqe_pnext = NULL;
5298 tqe->tqe_ifq = NULL;
5299 }
5300
5301 (void) fr_deletetimeoutqueue(ifq);
5302
5303 MUTEX_EXIT(&ifq->ifq_lock);
5304 }
5305
5306
5307 /* ------------------------------------------------------------------------ */
5308 /* Function: fr_queuefront */
5309 /* Returns: Nil */
5310 /* Parameters: tqe(I) - pointer to timeout queue entry */
5311 /* */
5312 /* Move a queue entry to the front of the queue, if it isn't already there. */
5313 /* ------------------------------------------------------------------------ */
5314 void fr_queuefront(tqe)
5315 ipftqent_t *tqe;
5316 {
5317 ipftq_t *ifq;
5318
5319 ifq = tqe->tqe_ifq;
5320 if (ifq == NULL)
5321 return;
5322
5323 MUTEX_ENTER(&ifq->ifq_lock);
5324 if (ifq->ifq_head != tqe) {
5325 *tqe->tqe_pnext = tqe->tqe_next;
5326 if (tqe->tqe_next)
5327 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5328 else
5329 ifq->ifq_tail = tqe->tqe_pnext;
5330
5331 tqe->tqe_next = ifq->ifq_head;
5332 ifq->ifq_head->tqe_pnext = &tqe->tqe_next;
5333 ifq->ifq_head = tqe;
5334 tqe->tqe_pnext = &ifq->ifq_head;
5335 }
5336 MUTEX_EXIT(&ifq->ifq_lock);
5337 }
5338
5339
5340 /* ------------------------------------------------------------------------ */
5341 /* Function: fr_queueback */
5342 /* Returns: Nil */
5343 /* Parameters: tqe(I) - pointer to timeout queue entry */
5344 /* */
5345 /* Move a queue entry to the back of the queue, if it isn't already there. */
5346 /* ------------------------------------------------------------------------ */
5347 void fr_queueback(tqe, ifs)
5348 ipftqent_t *tqe;
5349 ipf_stack_t *ifs;
5350 {
5351 ipftq_t *ifq;
5352
5353 ifq = tqe->tqe_ifq;
5354 if (ifq == NULL)
5355 return;
5356 tqe->tqe_die = ifs->ifs_fr_ticks + ifq->ifq_ttl;
5357
5358 MUTEX_ENTER(&ifq->ifq_lock);
5359 if (tqe->tqe_next == NULL) { /* at the end already ? */
5360 MUTEX_EXIT(&ifq->ifq_lock);
5361 return;
5362 }
5363
5364 /*
5365 * Remove from list
5366 */
5367 *tqe->tqe_pnext = tqe->tqe_next;
5368 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5369
5370 /*
5371 * Make it the last entry.
5372 */
5373 tqe->tqe_next = NULL;
5374 tqe->tqe_pnext = ifq->ifq_tail;
5375 *ifq->ifq_tail = tqe;
5376 ifq->ifq_tail = &tqe->tqe_next;
5377 MUTEX_EXIT(&ifq->ifq_lock);
5378 }
5379
5380
5381 /* ------------------------------------------------------------------------ */
5382 /* Function: fr_queueappend */
5383 /* Returns: Nil */
5384 /* Parameters: tqe(I) - pointer to timeout queue entry */
5385 /* ifq(I) - pointer to timeout queue */
5386 /* parent(I) - owing object pointer */
5387 /* */
5388 /* Add a new item to this queue and put it on the very end. */
5389 /* ------------------------------------------------------------------------ */
5390 void fr_queueappend(tqe, ifq, parent, ifs)
5391 ipftqent_t *tqe;
5392 ipftq_t *ifq;
5393 void *parent;
5394 ipf_stack_t *ifs;
5395 {
5396
5397 MUTEX_ENTER(&ifq->ifq_lock);
5398 tqe->tqe_parent = parent;
5399 tqe->tqe_pnext = ifq->ifq_tail;
5400 *ifq->ifq_tail = tqe;
5401 ifq->ifq_tail = &tqe->tqe_next;
5402 tqe->tqe_next = NULL;
5403 tqe->tqe_ifq = ifq;
5404 tqe->tqe_die = ifs->ifs_fr_ticks + ifq->ifq_ttl;
5405 ifq->ifq_ref++;
5406 MUTEX_EXIT(&ifq->ifq_lock);
5407 }
5408
5409
5410 /* ------------------------------------------------------------------------ */
5411 /* Function: fr_movequeue */
5412 /* Returns: Nil */
5413 /* Parameters: tq(I) - pointer to timeout queue information */
5414 /* oifp(I) - old timeout queue entry was on */
5415 /* nifp(I) - new timeout queue to put entry on */
5416 /* ifs - ipf stack instance */
5417 /* */
5418 /* Move a queue entry from one timeout queue to another timeout queue. */
5419 /* If it notices that the current entry is already last and does not need */
5420 /* to move queue, the return. */
5421 /* ------------------------------------------------------------------------ */
5422 void fr_movequeue(tqe, oifq, nifq, ifs)
5423 ipftqent_t *tqe;
5424 ipftq_t *oifq, *nifq;
5425 ipf_stack_t *ifs;
5426 {
5427 /*
5428 * If the queue isn't changing, and the clock hasn't ticked
5429 * since the last update, the operation will be a no-op.
5430 */
5431 if (oifq == nifq && tqe->tqe_touched == ifs->ifs_fr_ticks)
5432 return;
5433
5434 /*
5435 * Grab the lock and update the timers.
5436 */
5437 MUTEX_ENTER(&oifq->ifq_lock);
5438 tqe->tqe_touched = ifs->ifs_fr_ticks;
5439 tqe->tqe_die = ifs->ifs_fr_ticks + nifq->ifq_ttl;
5440
5441 /*
5442 * The remainder of the operation can still be a no-op.
5443 *
5444 * If the queue isn't changing, check to see if
5445 * an update would be meaningless.
5446 */
5447 if (oifq == nifq) {
5448 if ((tqe->tqe_next == NULL) ||
5449 (tqe->tqe_next->tqe_die == tqe->tqe_die)) {
5450 MUTEX_EXIT(&oifq->ifq_lock);
5451 return;
5452 }
5453 }
5454
5455 /*
5456 * Remove from the old queue
5457 */
5458 *tqe->tqe_pnext = tqe->tqe_next;
5459 if (tqe->tqe_next)
5460 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
5461 else
5462 oifq->ifq_tail = tqe->tqe_pnext;
5463 tqe->tqe_next = NULL;
5464
5465 /*
5466 * If we're moving from one queue to another, release the lock on the
5467 * old queue and get a lock on the new queue. For user defined queues,
5468 * if we're moving off it, call delete in case it can now be freed.
5469 */
5470 if (oifq != nifq) {
5471 tqe->tqe_ifq = NULL;
5472
5473 (void) fr_deletetimeoutqueue(oifq);
5474
5475 MUTEX_EXIT(&oifq->ifq_lock);
5476
5477 MUTEX_ENTER(&nifq->ifq_lock);
5478
5479 tqe->tqe_ifq = nifq;
5480 nifq->ifq_ref++;
5481 }
5482
5483 /*
5484 * Add to the bottom of the new queue
5485 */
5486 tqe->tqe_pnext = nifq->ifq_tail;
5487 *nifq->ifq_tail = tqe;
5488 nifq->ifq_tail = &tqe->tqe_next;
5489 MUTEX_EXIT(&nifq->ifq_lock);
5490 }
5491
5492
5493 /* ------------------------------------------------------------------------ */
5494 /* Function: fr_updateipid */
5495 /* Returns: int - 0 == success, -1 == error (packet should be droppped) */
5496 /* Parameters: fin(I) - pointer to packet information */
5497 /* */
5498 /* When we are doing NAT, change the IP of every packet to represent a */
5499 /* single sequence of packets coming from the host, hiding any host */
5500 /* specific sequencing that might otherwise be revealed. If the packet is */
5501 /* a fragment, then store the 'new' IPid in the fragment cache and look up */
5502 /* the fragment cache for non-leading fragments. If a non-leading fragment */
5503 /* has no match in the cache, return an error. */
5504 /* ------------------------------------------------------------------------ */
5505 static INLINE int fr_updateipid(fin)
5506 fr_info_t *fin;
5507 {
5508 u_short id, ido, sums;
5509 u_32_t sumd, sum;
5510 ip_t *ip;
5511
5512 if (fin->fin_off != 0) {
5513 sum = fr_ipid_knownfrag(fin);
5514 if (sum == 0xffffffff)
5515 return -1;
5516 sum &= 0xffff;
5517 id = (u_short)sum;
5518 } else {
5519 id = fr_nextipid(fin);
5520 if (fin->fin_off == 0 && (fin->fin_flx & FI_FRAG) != 0)
5521 (void) fr_ipid_newfrag(fin, (u_32_t)id);
5522 }
5523
5524 ip = fin->fin_ip;
5525 ido = ntohs(ip->ip_id);
5526 if (id == ido)
5527 return 0;
5528 ip->ip_id = htons(id);
5529 CALC_SUMD(ido, id, sumd); /* DESTRUCTIVE MACRO! id,ido change */
5530 sum = (~ntohs(ip->ip_sum)) & 0xffff;
5531 sum += sumd;
5532 sum = (sum >> 16) + (sum & 0xffff);
5533 sum = (sum >> 16) + (sum & 0xffff);
5534 sums = ~(u_short)sum;
5535 ip->ip_sum = htons(sums);
5536 return 0;
5537 }
5538
5539
5540 #ifdef NEED_FRGETIFNAME
5541 /* ------------------------------------------------------------------------ */
5542 /* Function: fr_getifname */
5543 /* Returns: char * - pointer to interface name */
5544 /* Parameters: ifp(I) - pointer to network interface */
5545 /* buffer(O) - pointer to where to store interface name */
5546 /* */
5547 /* Constructs an interface name in the buffer passed. The buffer passed is */
5548 /* expected to be at least LIFNAMSIZ in bytes big. If buffer is passed in */
5549 /* as a NULL pointer then return a pointer to a static array. */
5550 /* ------------------------------------------------------------------------ */
5551 char *fr_getifname(ifp, buffer)
5552 struct ifnet *ifp;
5553 char *buffer;
5554 {
5555 static char namebuf[LIFNAMSIZ];
5556 # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
5557 defined(__sgi) || defined(linux) || defined(_AIX51) || \
5558 (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
5559 int unit, space;
5560 char temp[20];
5561 char *s;
5562 # endif
5563
5564 ASSERT(buffer != NULL);
5565 #ifdef notdef
5566 if (buffer == NULL)
5567 buffer = namebuf;
5568 #endif
5569 (void) strncpy(buffer, ifp->if_name, LIFNAMSIZ);
5570 buffer[LIFNAMSIZ - 1] = '\0';
5571 # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
5572 defined(__sgi) || defined(_AIX51) || \
5573 (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
5574 for (s = buffer; *s; s++)
5575 ;
5576 unit = ifp->if_unit;
5577 space = LIFNAMSIZ - (s - buffer);
5578 if (space > 0) {
5579 # if defined(SNPRINTF) && defined(_KERNEL)
5580 (void) SNPRINTF(temp, sizeof(temp), "%d", unit);
5581 # else
5582 (void) sprintf(temp, "%d", unit);
5583 # endif
5584 (void) strncpy(s, temp, space);
5585 }
5586 # endif
5587 return buffer;
5588 }
5589 #endif
5590
5591
5592 /* ------------------------------------------------------------------------ */
5593 /* Function: fr_ioctlswitch */
5594 /* Returns: int - -1 continue processing, else ioctl return value */
5595 /* Parameters: unit(I) - device unit opened */
5596 /* data(I) - pointer to ioctl data */
5597 /* cmd(I) - ioctl command */
5598 /* mode(I) - mode value */
5599 /* */
5600 /* Based on the value of unit, call the appropriate ioctl handler or return */
5601 /* EIO if ipfilter is not running. Also checks if write perms are req'd */
5602 /* for the device in order to execute the ioctl. */
5603 /* ------------------------------------------------------------------------ */
5604 INLINE int fr_ioctlswitch(unit, data, cmd, mode, uid, ctx, ifs)
5605 int unit, mode, uid;
5606 ioctlcmd_t cmd;
5607 void *data, *ctx;
5608 ipf_stack_t *ifs;
5609 {
5610 int error = 0;
5611
5612 switch (unit)
5613 {
5614 case IPL_LOGIPF :
5615 error = -1;
5616 break;
5617 case IPL_LOGNAT :
5618 if (ifs->ifs_fr_running > 0)
5619 error = fr_nat_ioctl(data, cmd, mode, uid, ctx, ifs);
5620 else
5621 error = EIO;
5622 break;
5623 case IPL_LOGSTATE :
5624 if (ifs->ifs_fr_running > 0)
5625 error = fr_state_ioctl(data, cmd, mode, uid, ctx, ifs);
5626 else
5627 error = EIO;
5628 break;
5629 case IPL_LOGAUTH :
5630 if (ifs->ifs_fr_running > 0) {
5631 if ((cmd == (ioctlcmd_t)SIOCADAFR) ||
5632 (cmd == (ioctlcmd_t)SIOCRMAFR)) {
5633 if (!(mode & FWRITE)) {
5634 error = EPERM;
5635 } else {
5636 error = frrequest(unit, cmd, data,
5637 ifs->ifs_fr_active, 1, ifs);
5638 }
5639 } else {
5640 error = fr_auth_ioctl(data, cmd, mode, uid, ctx, ifs);
5641 }
5642 } else
5643 error = EIO;
5644 break;
5645 case IPL_LOGSYNC :
5646 #ifdef IPFILTER_SYNC
5647 if (ifs->ifs_fr_running > 0)
5648 error = fr_sync_ioctl(data, cmd, mode, ifs);
5649 else
5650 #endif
5651 error = EIO;
5652 break;
5653 case IPL_LOGSCAN :
5654 #ifdef IPFILTER_SCAN
5655 if (ifs->ifs_fr_running > 0)
5656 error = fr_scan_ioctl(data, cmd, mode, ifs);
5657 else
5658 #endif
5659 error = EIO;
5660 break;
5661 case IPL_LOGLOOKUP :
5662 #ifdef IPFILTER_LOOKUP
5663 if (ifs->ifs_fr_running > 0)
5664 error = ip_lookup_ioctl(data, cmd, mode, uid, ctx, ifs);
5665 else
5666 #endif
5667 error = EIO;
5668 break;
5669 default :
5670 error = EIO;
5671 break;
5672 }
5673
5674 return error;
5675 }
5676
5677
5678 /*
5679 * This array defines the expected size of objects coming into the kernel
5680 * for the various recognised object types.
5681 */
5682 #define NUM_OBJ_TYPES 19
5683
5684 static int fr_objbytes[NUM_OBJ_TYPES][2] = {
5685 { 1, sizeof(struct frentry) }, /* frentry */
5686 { 0, sizeof(struct friostat) },
5687 { 0, sizeof(struct fr_info) },
5688 { 0, sizeof(struct fr_authstat) },
5689 { 0, sizeof(struct ipfrstat) },
5690 { 0, sizeof(struct ipnat) },
5691 { 0, sizeof(struct natstat) },
5692 { 0, sizeof(struct ipstate_save) },
5693 { 1, sizeof(struct nat_save) }, /* nat_save */
5694 { 0, sizeof(struct natlookup) },
5695 { 1, sizeof(struct ipstate) }, /* ipstate */
5696 { 0, sizeof(struct ips_stat) },
5697 { 0, sizeof(struct frauth) },
5698 { 0, sizeof(struct ipftune) },
5699 { 0, sizeof(struct nat) }, /* nat_t */
5700 { 0, sizeof(struct ipfruleiter) },
5701 { 0, sizeof(struct ipfgeniter) },
5702 { 0, sizeof(struct ipftable) },
5703 { 0, sizeof(struct ipflookupiter) }
5704 };
5705
5706
5707 /* ------------------------------------------------------------------------ */
5708 /* Function: fr_getzoneid */
5709 /* Returns: int - 0 = success, else failure */
5710 /* Parameters: idsp(I) - pointer to ipf_devstate_t */
5711 /* data(I) - pointer to ioctl data */
5712 /* */
5713 /* Set the zone ID in idsp based on the zone name in ipfzoneobj. Further */
5714 /* ioctls will act on the IPF stack for that zone ID. */
5715 /* ------------------------------------------------------------------------ */
5716 #if defined(_KERNEL)
5717 int fr_setzoneid(idsp, data)
5718 ipf_devstate_t *idsp;
5719 void *data;
5720 {
5721 int error = 0;
5722 ipfzoneobj_t ipfzo;
5723 zone_t *zone;
5724
5725 error = BCOPYIN(data, &ipfzo, sizeof(ipfzo));
5726 if (error != 0)
5727 return EFAULT;
5728
5729 if (memchr(ipfzo.ipfz_zonename, '\0', ZONENAME_MAX) == NULL)
5730 return EFAULT;
5731
5732 /*
5733 * The global zone doesn't have a GZ-controlled stack, so no
5734 * sense in going any further
5735 */
5736 if (strcmp(ipfzo.ipfz_zonename, "global") == 0)
5737 return ENODEV;
5738
5739 if ((zone = zone_find_by_name(ipfzo.ipfz_zonename)) == NULL)
5740 return ENODEV;
5741
5742 /*
5743 * Store the zone ID that to control, and whether it's the
5744 * GZ-controlled stack that's wanted
5745 */
5746 idsp->ipfs_zoneid = zone->zone_id;
5747 idsp->ipfs_gz = (ipfzo.ipfz_gz == 1) ? B_TRUE : B_FALSE;
5748 zone_rele(zone);
5749
5750 return error;
5751 }
5752 #endif
5753
5754
5755 /* ------------------------------------------------------------------------ */
5756 /* Function: fr_inobj */
5757 /* Returns: int - 0 = success, else failure */
5758 /* Parameters: data(I) - pointer to ioctl data */
5759 /* ptr(I) - pointer to store real data in */
5760 /* type(I) - type of structure being moved */
5761 /* */
5762 /* Copy in the contents of what the ipfobj_t points to. In future, we */
5763 /* add things to check for version numbers, sizes, etc, to make it backward */
5764 /* compatible at the ABI for user land. */
5765 /* ------------------------------------------------------------------------ */
5766 int fr_inobj(data, ptr, type)
5767 void *data;
5768 void *ptr;
5769 int type;
5770 {
5771 ipfobj_t obj;
5772 int error = 0;
5773
5774 if ((type < 0) || (type > NUM_OBJ_TYPES-1))
5775 return EINVAL;
5776
5777 error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
5778 if (error != 0)
5779 return EFAULT;
5780
5781 if (obj.ipfo_type != type)
5782 return EINVAL;
5783
5784 #ifndef IPFILTER_COMPAT
5785 if ((fr_objbytes[type][0] & 1) != 0) {
5786 if (obj.ipfo_size < fr_objbytes[type][1])
5787 return EINVAL;
5788 } else if (obj.ipfo_size != fr_objbytes[type][1])
5789 return EINVAL;
5790 #else
5791 if (obj.ipfo_rev != IPFILTER_VERSION) {
5792 error = fr_incomptrans(&obj, ptr);
5793 return error;
5794 }
5795
5796 if ((fr_objbytes[type][0] & 1) != 0 &&
5797 obj.ipfo_size < fr_objbytes[type][1] ||
5798 obj.ipfo_size != fr_objbytes[type][1])
5799 return EINVAL;
5800 #endif
5801
5802 if ((fr_objbytes[type][0] & 1) != 0) {
5803 error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr,
5804 fr_objbytes[type][1]);
5805 } else {
5806 error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr,
5807 obj.ipfo_size);
5808 }
5809 return error;
5810 }
5811
5812
5813 /* ------------------------------------------------------------------------ */
5814 /* Function: fr_inobjsz */
5815 /* Returns: int - 0 = success, else failure */
5816 /* Parameters: data(I) - pointer to ioctl data */
5817 /* ptr(I) - pointer to store real data in */
5818 /* type(I) - type of structure being moved */
5819 /* sz(I) - size of data to copy */
5820 /* */
5821 /* As per fr_inobj, except the size of the object to copy in is passed in */
5822 /* but it must not be smaller than the size defined for the type and the */
5823 /* type must allow for varied sized objects. The extra requirement here is */
5824 /* that sz must match the size of the object being passed in - this is not */
5825 /* not possible nor required in fr_inobj(). */
5826 /* ------------------------------------------------------------------------ */
5827 int fr_inobjsz(data, ptr, type, sz)
5828 void *data;
5829 void *ptr;
5830 int type, sz;
5831 {
5832 ipfobj_t obj;
5833 int error;
5834
5835 if ((type < 0) || (type > NUM_OBJ_TYPES-1))
5836 return EINVAL;
5837 if (((fr_objbytes[type][0] & 1) == 0) || (sz < fr_objbytes[type][1]))
5838 return EINVAL;
5839
5840 error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
5841 if (error != 0)
5842 return EFAULT;
5843
5844 if (obj.ipfo_type != type)
5845 return EINVAL;
5846
5847 #ifndef IPFILTER_COMPAT
5848 if (obj.ipfo_size != sz)
5849 return EINVAL;
5850 #else
5851 if (obj.ipfo_rev != IPFILTER_VERSION)
5852 /*XXX compatibility hook here */
5853 /*EMPTY*/;
5854 if (obj.ipfo_size != sz)
5855 /* XXX compatibility hook here */
5856 return EINVAL;
5857 #endif
5858
5859 error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr, sz);
5860 return error;
5861 }
5862
5863
5864 /* ------------------------------------------------------------------------ */
5865 /* Function: fr_outobjsz */
5866 /* Returns: int - 0 = success, else failure */
5867 /* Parameters: data(I) - pointer to ioctl data */
5868 /* ptr(I) - pointer to store real data in */
5869 /* type(I) - type of structure being moved */
5870 /* sz(I) - size of data to copy */
5871 /* */
5872 /* As per fr_outobj, except the size of the object to copy out is passed in */
5873 /* but it must not be smaller than the size defined for the type and the */
5874 /* type must allow for varied sized objects. The extra requirement here is */
5875 /* that sz must match the size of the object being passed in - this is not */
5876 /* not possible nor required in fr_outobj(). */
5877 /* ------------------------------------------------------------------------ */
5878 int fr_outobjsz(data, ptr, type, sz)
5879 void *data;
5880 void *ptr;
5881 int type, sz;
5882 {
5883 ipfobj_t obj;
5884 int error;
5885
5886 if ((type < 0) || (type > NUM_OBJ_TYPES-1) ||
5887 ((fr_objbytes[type][0] & 1) == 0) ||
5888 (sz < fr_objbytes[type][1]))
5889 return EINVAL;
5890
5891 error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
5892 if (error != 0)
5893 return EFAULT;
5894
5895 if (obj.ipfo_type != type)
5896 return EINVAL;
5897
5898 #ifndef IPFILTER_COMPAT
5899 if (obj.ipfo_size != sz)
5900 return EINVAL;
5901 #else
5902 if (obj.ipfo_rev != IPFILTER_VERSION)
5903 /* XXX compatibility hook here */
5904 /*EMPTY*/;
5905 if (obj.ipfo_size != sz)
5906 /* XXX compatibility hook here */
5907 return EINVAL;
5908 #endif
5909
5910 error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, sz);
5911 return error;
5912 }
5913
5914
5915 /* ------------------------------------------------------------------------ */
5916 /* Function: fr_outobj */
5917 /* Returns: int - 0 = success, else failure */
5918 /* Parameters: data(I) - pointer to ioctl data */
5919 /* ptr(I) - pointer to store real data in */
5920 /* type(I) - type of structure being moved */
5921 /* */
5922 /* Copy out the contents of what ptr is to where ipfobj points to. In */
5923 /* future, we add things to check for version numbers, sizes, etc, to make */
5924 /* it backward compatible at the ABI for user land. */
5925 /* ------------------------------------------------------------------------ */
5926 int fr_outobj(data, ptr, type)
5927 void *data;
5928 void *ptr;
5929 int type;
5930 {
5931 ipfobj_t obj;
5932 int error;
5933
5934 if ((type < 0) || (type > NUM_OBJ_TYPES-1))
5935 return EINVAL;
5936
5937 error = BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
5938 if (error != 0)
5939 return EFAULT;
5940
5941 if (obj.ipfo_type != type)
5942 return EINVAL;
5943
5944 #ifndef IPFILTER_COMPAT
5945 if ((fr_objbytes[type][0] & 1) != 0) {
5946 if (obj.ipfo_size < fr_objbytes[type][1])
5947 return EINVAL;
5948 } else if (obj.ipfo_size != fr_objbytes[type][1])
5949 return EINVAL;
5950 #else
5951 if (obj.ipfo_rev != IPFILTER_VERSION) {
5952 error = fr_outcomptrans(&obj, ptr);
5953 return error;
5954 }
5955
5956 if ((fr_objbytes[type][0] & 1) != 0 &&
5957 obj.ipfo_size < fr_objbytes[type][1] ||
5958 obj.ipfo_size != fr_objbytes[type][1])
5959 return EINVAL;
5960 #endif
5961
5962 error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, obj.ipfo_size);
5963 return error;
5964 }
5965
5966
5967 /* ------------------------------------------------------------------------ */
5968 /* Function: fr_checkl4sum */
5969 /* Returns: int - 0 = good, -1 = bad, 1 = cannot check */
5970 /* Parameters: fin(I) - pointer to packet information */
5971 /* */
5972 /* If possible, calculate the layer 4 checksum for the packet. If this is */
5973 /* not possible, return without indicating a failure or success but in a */
5974 /* way that is ditinguishable. */
5975 /* ------------------------------------------------------------------------ */
5976 int fr_checkl4sum(fin)
5977 fr_info_t *fin;
5978 {
5979 u_short sum, hdrsum, *csump;
5980 udphdr_t *udp;
5981 int dosum;
5982 ipf_stack_t *ifs = fin->fin_ifs;
5983
5984 #if defined(SOLARIS) && defined(_KERNEL) && (SOLARIS2 >= 6)
5985 net_handle_t net_data_p;
5986 if (fin->fin_v == 4)
5987 net_data_p = ifs->ifs_ipf_ipv4;
5988 else
5989 net_data_p = ifs->ifs_ipf_ipv6;
5990 #endif
5991
5992 if ((fin->fin_flx & FI_NOCKSUM) != 0)
5993 return 0;
5994
5995 /*
5996 * If the TCP packet isn't a fragment, isn't too short and otherwise
5997 * isn't already considered "bad", then validate the checksum. If
5998 * this check fails then considered the packet to be "bad".
5999 */
6000 if ((fin->fin_flx & (FI_FRAG|FI_SHORT|FI_BAD)) != 0)
6001 return 1;
6002
6003 csump = NULL;
6004 hdrsum = 0;
6005 dosum = 0;
6006 sum = 0;
6007
6008 #if defined(SOLARIS) && defined(_KERNEL) && (SOLARIS2 >= 6)
6009 ASSERT(fin->fin_m != NULL);
6010 if (NET_IS_HCK_L4_FULL(net_data_p, fin->fin_m) ||
6011 NET_IS_HCK_L4_PART(net_data_p, fin->fin_m)) {
6012 hdrsum = 0;
6013 sum = 0;
6014 } else {
6015 #endif
6016 switch (fin->fin_p)
6017 {
6018 case IPPROTO_TCP :
6019 csump = &((tcphdr_t *)fin->fin_dp)->th_sum;
6020 dosum = 1;
6021 break;
6022
6023 case IPPROTO_UDP :
6024 udp = fin->fin_dp;
6025 if (udp->uh_sum != 0) {
6026 csump = &udp->uh_sum;
6027 dosum = 1;
6028 }
6029 break;
6030
6031 case IPPROTO_ICMP :
6032 csump = &((struct icmp *)fin->fin_dp)->icmp_cksum;
6033 dosum = 1;
6034 break;
6035
6036 default :
6037 return 1;
6038 /*NOTREACHED*/
6039 }
6040
6041 if (csump != NULL)
6042 hdrsum = *csump;
6043
6044 if (dosum)
6045 sum = fr_cksum(fin->fin_m, fin->fin_ip,
6046 fin->fin_p, fin->fin_dp);
6047 #if defined(SOLARIS) && defined(_KERNEL) && (SOLARIS2 >= 6)
6048 }
6049 #endif
6050 #if !defined(_KERNEL)
6051 if (sum == hdrsum) {
6052 FR_DEBUG(("checkl4sum: %hx == %hx\n", sum, hdrsum));
6053 } else {
6054 FR_DEBUG(("checkl4sum: %hx != %hx\n", sum, hdrsum));
6055 }
6056 #endif
6057 if (hdrsum == sum)
6058 return 0;
6059 return -1;
6060 }
6061
6062
6063 /* ------------------------------------------------------------------------ */
6064 /* Function: fr_ifpfillv4addr */
6065 /* Returns: int - 0 = address update, -1 = address not updated */
6066 /* Parameters: atype(I) - type of network address update to perform */
6067 /* sin(I) - pointer to source of address information */
6068 /* mask(I) - pointer to source of netmask information */
6069 /* inp(I) - pointer to destination address store */
6070 /* inpmask(I) - pointer to destination netmask store */
6071 /* */
6072 /* Given a type of network address update (atype) to perform, copy */
6073 /* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
6074 /* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
6075 /* which case the operation fails. For all values of atype other than */
6076 /* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
6077 /* value. */
6078 /* ------------------------------------------------------------------------ */
6079 int fr_ifpfillv4addr(atype, sin, mask, inp, inpmask)
6080 int atype;
6081 struct sockaddr_in *sin, *mask;
6082 struct in_addr *inp, *inpmask;
6083 {
6084 if (inpmask != NULL && atype != FRI_NETMASKED)
6085 inpmask->s_addr = 0xffffffff;
6086
6087 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
6088 if (atype == FRI_NETMASKED) {
6089 if (inpmask == NULL)
6090 return -1;
6091 inpmask->s_addr = mask->sin_addr.s_addr;
6092 }
6093 inp->s_addr = sin->sin_addr.s_addr & mask->sin_addr.s_addr;
6094 } else {
6095 inp->s_addr = sin->sin_addr.s_addr;
6096 }
6097 return 0;
6098 }
6099
6100
6101 #ifdef USE_INET6
6102 /* ------------------------------------------------------------------------ */
6103 /* Function: fr_ifpfillv6addr */
6104 /* Returns: int - 0 = address update, -1 = address not updated */
6105 /* Parameters: atype(I) - type of network address update to perform */
6106 /* sin(I) - pointer to source of address information */
6107 /* mask(I) - pointer to source of netmask information */
6108 /* inp(I) - pointer to destination address store */
6109 /* inpmask(I) - pointer to destination netmask store */
6110 /* */
6111 /* Given a type of network address update (atype) to perform, copy */
6112 /* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
6113 /* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
6114 /* which case the operation fails. For all values of atype other than */
6115 /* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
6116 /* value. */
6117 /* ------------------------------------------------------------------------ */
6118 int fr_ifpfillv6addr(atype, sin, mask, inp, inpmask)
6119 int atype;
6120 struct sockaddr_in6 *sin, *mask;
6121 struct in_addr *inp, *inpmask;
6122 {
6123 i6addr_t *src, *dst, *and, *dmask;
6124
6125 src = (i6addr_t *)&sin->sin6_addr;
6126 and = (i6addr_t *)&mask->sin6_addr;
6127 dst = (i6addr_t *)inp;
6128 dmask = (i6addr_t *)inpmask;
6129
6130 if (inpmask != NULL && atype != FRI_NETMASKED) {
6131 dmask->i6[0] = 0xffffffff;
6132 dmask->i6[1] = 0xffffffff;
6133 dmask->i6[2] = 0xffffffff;
6134 dmask->i6[3] = 0xffffffff;
6135 }
6136
6137 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
6138 if (atype == FRI_NETMASKED) {
6139 if (inpmask == NULL)
6140 return -1;
6141 dmask->i6[0] = and->i6[0];
6142 dmask->i6[1] = and->i6[1];
6143 dmask->i6[2] = and->i6[2];
6144 dmask->i6[3] = and->i6[3];
6145 }
6146
6147 dst->i6[0] = src->i6[0] & and->i6[0];
6148 dst->i6[1] = src->i6[1] & and->i6[1];
6149 dst->i6[2] = src->i6[2] & and->i6[2];
6150 dst->i6[3] = src->i6[3] & and->i6[3];
6151 } else {
6152 dst->i6[0] = src->i6[0];
6153 dst->i6[1] = src->i6[1];
6154 dst->i6[2] = src->i6[2];
6155 dst->i6[3] = src->i6[3];
6156 }
6157 return 0;
6158 }
6159 #endif
6160
6161
6162 /* ------------------------------------------------------------------------ */
6163 /* Function: fr_matchtag */
6164 /* Returns: 0 == mismatch, 1 == match. */
6165 /* Parameters: tag1(I) - pointer to first tag to compare */
6166 /* tag2(I) - pointer to second tag to compare */
6167 /* */
6168 /* Returns true (non-zero) or false(0) if the two tag structures can be */
6169 /* considered to be a match or not match, respectively. The tag is 16 */
6170 /* bytes long (16 characters) but that is overlayed with 4 32bit ints so */
6171 /* compare the ints instead, for speed. tag1 is the master of the */
6172 /* comparison. This function should only be called with both tag1 and tag2 */
6173 /* as non-NULL pointers. */
6174 /* ------------------------------------------------------------------------ */
6175 int fr_matchtag(tag1, tag2)
6176 ipftag_t *tag1, *tag2;
6177 {
6178 if (tag1 == tag2)
6179 return 1;
6180
6181 if ((tag1->ipt_num[0] == 0) && (tag2->ipt_num[0] == 0))
6182 return 1;
6183
6184 if ((tag1->ipt_num[0] == tag2->ipt_num[0]) &&
6185 (tag1->ipt_num[1] == tag2->ipt_num[1]) &&
6186 (tag1->ipt_num[2] == tag2->ipt_num[2]) &&
6187 (tag1->ipt_num[3] == tag2->ipt_num[3]))
6188 return 1;
6189 return 0;
6190 }
6191
6192
6193 /* ------------------------------------------------------------------------ */
6194 /* Function: fr_coalesce */
6195 /* Returns: 1 == success, -1 == failure, 0 == no change */
6196 /* Parameters: fin(I) - pointer to packet information */
6197 /* */
6198 /* Attempt to get all of the packet data into a single, contiguous buffer. */
6199 /* If this call returns a failure then the buffers have also been freed. */
6200 /* ------------------------------------------------------------------------ */
6201 int fr_coalesce(fin)
6202 fr_info_t *fin;
6203 {
6204 ipf_stack_t *ifs = fin->fin_ifs;
6205 if ((fin->fin_flx & FI_COALESCE) != 0)
6206 return 1;
6207
6208 /*
6209 * If the mbuf pointers indicate that there is no mbuf to work with,
6210 * return but do not indicate success or failure.
6211 */
6212 if (fin->fin_m == NULL || fin->fin_mp == NULL)
6213 return 0;
6214
6215 #if defined(_KERNEL)
6216 if (fr_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) {
6217 IPF_BUMP(ifs->ifs_fr_badcoalesces[fin->fin_out]);
6218 # ifdef MENTAT
6219 FREE_MB_T(*fin->fin_mp);
6220 # endif
6221 *fin->fin_mp = NULL;
6222 fin->fin_m = NULL;
6223 return -1;
6224 }
6225 #else
6226 fin = fin; /* LINT */
6227 #endif
6228 return 1;
6229 }
6230
6231
6232 /*
6233 * The following table lists all of the tunable variables that can be
6234 * accessed via SIOCIPFGET/SIOCIPFSET/SIOCIPFGETNEXT. The format of each row
6235 * in the table below is as follows:
6236 *
6237 * pointer to value, name of value, minimum, maximum, size of the value's
6238 * container, value attribute flags
6239 *
6240 * For convienience, IPFT_RDONLY means the value is read-only, IPFT_WRDISABLED
6241 * means the value can only be written to when IPFilter is loaded but disabled.
6242 * The obvious implication is if neither of these are set then the value can be
6243 * changed at any time without harm.
6244 */
6245 ipftuneable_t lcl_ipf_tuneables[] = {
6246 /* filtering */
6247 { { NULL }, "fr_flags", 0, 0xffffffff,
6248 0, 0 },
6249 { { NULL }, "fr_active", 0, 0,
6250 0, IPFT_RDONLY },
6251 { { NULL }, "fr_control_forwarding", 0, 1,
6252 0, 0 },
6253 { { NULL }, "fr_update_ipid", 0, 1,
6254 0, 0 },
6255 { { NULL }, "fr_chksrc", 0, 1,
6256 0, 0 },
6257 { { NULL }, "fr_minttl", 0, 1,
6258 0, 0 },
6259 { { NULL }, "fr_icmpminfragmtu", 0, 1,
6260 0, 0 },
6261 { { NULL }, "fr_pass", 0, 0xffffffff,
6262 0, 0 },
6263 #if SOLARIS2 >= 10
6264 { { NULL }, "ipf_loopback", 0, 1,
6265 0, IPFT_WRDISABLED },
6266 #endif
6267 /* state */
6268 { { NULL }, "fr_tcpidletimeout", 1, 0x7fffffff,
6269 0, IPFT_WRDISABLED },
6270 { { NULL }, "fr_tcpclosewait", 1, 0x7fffffff,
6271 0, IPFT_WRDISABLED },
6272 { { NULL }, "fr_tcplastack", 1, 0x7fffffff,
6273 0, IPFT_WRDISABLED },
6274 { { NULL }, "fr_tcptimeout", 1, 0x7fffffff,
6275 0, IPFT_WRDISABLED },
6276 { { NULL }, "fr_tcpclosed", 1, 0x7fffffff,
6277 0, IPFT_WRDISABLED },
6278 { { NULL }, "fr_tcphalfclosed", 1, 0x7fffffff,
6279 0, IPFT_WRDISABLED },
6280 { { NULL }, "fr_udptimeout", 1, 0x7fffffff,
6281 0, IPFT_WRDISABLED },
6282 { { NULL }, "fr_udpacktimeout", 1, 0x7fffffff,
6283 0, IPFT_WRDISABLED },
6284 { { NULL }, "fr_icmptimeout", 1, 0x7fffffff,
6285 0, IPFT_WRDISABLED },
6286 { { NULL }, "fr_icmpacktimeout", 1, 0x7fffffff,
6287 0, IPFT_WRDISABLED },
6288 { { NULL }, "fr_iptimeout", 1, 0x7fffffff,
6289 0, IPFT_WRDISABLED },
6290 { { NULL }, "fr_statemax", 1, 0x7fffffff,
6291 0, 0 },
6292 { { NULL }, "fr_statesize", 1, 0x7fffffff,
6293 0, IPFT_WRDISABLED },
6294 { { NULL }, "fr_state_lock", 0, 1,
6295 0, IPFT_RDONLY },
6296 { { NULL }, "fr_state_maxbucket", 1, 0x7fffffff,
6297 0, IPFT_WRDISABLED },
6298 { { NULL }, "fr_state_maxbucket_reset", 0, 1,
6299 0, IPFT_WRDISABLED },
6300 { { NULL }, "ipstate_logging", 0, 1,
6301 0, 0 },
6302 { { NULL }, "state_flush_level_hi", 1, 100,
6303 0, 0 },
6304 { { NULL }, "state_flush_level_lo", 1, 100,
6305 0, 0 },
6306 /* nat */
6307 { { NULL }, "fr_nat_lock", 0, 1,
6308 0, IPFT_RDONLY },
6309 { { NULL }, "ipf_nattable_sz", 1, 0x7fffffff,
6310 0, IPFT_WRDISABLED },
6311 { { NULL }, "ipf_nattable_max", 1, 0x7fffffff,
6312 0, 0 },
6313 { { NULL }, "ipf_natrules_sz", 1, 0x7fffffff,
6314 0, IPFT_WRDISABLED },
6315 { { NULL }, "ipf_rdrrules_sz", 1, 0x7fffffff,
6316 0, IPFT_WRDISABLED },
6317 { { NULL }, "ipf_hostmap_sz", 1, 0x7fffffff,
6318 0, IPFT_WRDISABLED },
6319 { { NULL }, "fr_nat_maxbucket", 1, 0x7fffffff,
6320 0, IPFT_WRDISABLED },
6321 { { NULL }, "fr_nat_maxbucket_reset", 0, 1,
6322 0, IPFT_WRDISABLED },
6323 { { NULL }, "nat_logging", 0, 1,
6324 0, 0 },
6325 { { NULL }, "fr_defnatage", 1, 0x7fffffff,
6326 0, IPFT_WRDISABLED },
6327 { { NULL }, "fr_defnatipage", 1, 0x7fffffff,
6328 0, IPFT_WRDISABLED },
6329 { { NULL }, "fr_defnaticmpage", 1, 0x7fffffff,
6330 0, IPFT_WRDISABLED },
6331 { { NULL }, "nat_flush_level_hi", 1, 100,
6332 0, 0 },
6333 { { NULL }, "nat_flush_level_lo", 1, 100,
6334 0, 0 },
6335 /* frag */
6336 { { NULL }, "ipfr_size", 1, 0x7fffffff,
6337 0, IPFT_WRDISABLED },
6338 { { NULL }, "fr_ipfrttl", 1, 0x7fffffff,
6339 0, IPFT_WRDISABLED },
6340 #ifdef IPFILTER_LOG
6341 /* log */
6342 { { NULL }, "ipl_suppress", 0, 1,
6343 0, 0 },
6344 { { NULL }, "ipl_buffer_sz", 0, 0,
6345 0, IPFT_RDONLY },
6346 { { NULL }, "ipl_logmax", 0, 0x7fffffff,
6347 0, IPFT_WRDISABLED },
6348 { { NULL }, "ipl_logall", 0, 1,
6349 0, 0 },
6350 { { NULL }, "ipl_logsize", 0, 0x80000,
6351 0, 0 },
6352 #endif
6353 { { NULL }, NULL, 0, 0 }
6354 };
6355
6356 static ipftuneable_t *
6357 tune_lookup(ipf_stack_t *ifs, char *name)
6358 {
6359 int i;
6360
6361 for (i = 0; ifs->ifs_ipf_tuneables[i].ipft_name != NULL; i++) {
6362 if (strcmp(ifs->ifs_ipf_tuneables[i].ipft_name, name) == 0)
6363 return (&ifs->ifs_ipf_tuneables[i]);
6364 }
6365 return (NULL);
6366 }
6367
6368 #ifdef _KERNEL
6369 extern dev_info_t *ipf_dev_info;
6370 extern int ipf_property_update __P((dev_info_t *, ipf_stack_t *));
6371 #endif
6372
6373 /* -------------------------------------------------------------------- */
6374 /* Function: ipftuneable_setdefs() */
6375 /* Returns: void */
6376 /* Parameters: ifs - pointer to newly allocated IPF instance */
6377 /* assigned to IP instance */
6378 /* */
6379 /* Function initializes IPF instance variables. Function is invoked */
6380 /* from ipftuneable_alloc(). ipftuneable_alloc() is called only one */
6381 /* time during IP instance lifetime - at the time of IP instance */
6382 /* creation. Anytime IP instance is being created new private IPF */
6383 /* instance is allocated and assigned to it. The moment of IP */
6384 /* instance creation is the right time to initialize those IPF */
6385 /* variables. */
6386 /* */
6387 /* -------------------------------------------------------------------- */
6388 static void ipftuneable_setdefs(ipf_stack_t *ifs)
6389 {
6390 ifs->ifs_ipfr_size = IPFT_SIZE;
6391 ifs->ifs_fr_ipfrttl = 120; /* 60 seconds */
6392
6393 /* it comes from fr_authinit() in IPF auth */
6394 ifs->ifs_fr_authsize = FR_NUMAUTH;
6395 ifs->ifs_fr_defaultauthage = 600;
6396
6397 /* it comes from fr_stateinit() in IPF state */
6398 ifs->ifs_fr_tcpidletimeout = IPF_TTLVAL(3600 * 24 * 5); /* five days */
6399 ifs->ifs_fr_tcpclosewait = IPF_TTLVAL(TCP_MSL);
6400 ifs->ifs_fr_tcplastack = IPF_TTLVAL(TCP_MSL);
6401 ifs->ifs_fr_tcptimeout = IPF_TTLVAL(TCP_MSL);
6402 ifs->ifs_fr_tcpclosed = IPF_TTLVAL(60);
6403 ifs->ifs_fr_tcphalfclosed = IPF_TTLVAL(2 * 3600); /* 2 hours */
6404 ifs->ifs_fr_udptimeout = IPF_TTLVAL(120);
6405 ifs->ifs_fr_udpacktimeout = IPF_TTLVAL(12);
6406 ifs->ifs_fr_icmptimeout = IPF_TTLVAL(60);
6407 ifs->ifs_fr_icmpacktimeout = IPF_TTLVAL(6);
6408 ifs->ifs_fr_iptimeout = IPF_TTLVAL(60);
6409 ifs->ifs_fr_statemax = IPSTATE_MAX;
6410 ifs->ifs_fr_statesize = IPSTATE_SIZE;
6411 ifs->ifs_fr_state_maxbucket_reset = 1;
6412 ifs->ifs_state_flush_level_hi = ST_FLUSH_HI;
6413 ifs->ifs_state_flush_level_lo = ST_FLUSH_LO;
6414
6415 /* it comes from fr_natinit() in ipnat */
6416 ifs->ifs_ipf_nattable_sz = NAT_TABLE_SZ;
6417 ifs->ifs_ipf_nattable_max = NAT_TABLE_MAX;
6418 ifs->ifs_ipf_natrules_sz = NAT_SIZE;
6419 ifs->ifs_ipf_rdrrules_sz = RDR_SIZE;
6420 ifs->ifs_ipf_hostmap_sz = HOSTMAP_SIZE;
6421 ifs->ifs_fr_nat_maxbucket_reset = 1;
6422 ifs->ifs_fr_defnatage = DEF_NAT_AGE;
6423 ifs->ifs_fr_defnatipage = 120; /* 60 seconds */
6424 ifs->ifs_fr_defnaticmpage = 6; /* 3 seconds */
6425 ifs->ifs_nat_flush_level_hi = NAT_FLUSH_HI;
6426 ifs->ifs_nat_flush_level_lo = NAT_FLUSH_LO;
6427
6428 #ifdef IPFILTER_LOG
6429 /* it comes from fr_loginit() in IPF log */
6430 ifs->ifs_ipl_suppress = 1;
6431 ifs->ifs_ipl_logmax = IPL_LOGMAX;
6432 ifs->ifs_ipl_logsize = IPFILTER_LOGSIZE;
6433
6434 /* from fr_natinit() */
6435 ifs->ifs_nat_logging = 1;
6436
6437 /* from fr_stateinit() */
6438 ifs->ifs_ipstate_logging = 1;
6439 #else
6440 /* from fr_natinit() */
6441 ifs->ifs_nat_logging = 0;
6442
6443 /* from fr_stateinit() */
6444 ifs->ifs_ipstate_logging = 0;
6445 #endif
6446 ifs->ifs_ipf_loopback = 0;
6447
6448 }
6449 /*
6450 * Allocate a per-stack tuneable and copy in the names. Then
6451 * set it to point to each of the per-stack tunables.
6452 */
6453 void
6454 ipftuneable_alloc(ipf_stack_t *ifs)
6455 {
6456 ipftuneable_t *item;
6457
6458 KMALLOCS(ifs->ifs_ipf_tuneables, ipftuneable_t *,
6459 sizeof (lcl_ipf_tuneables));
6460 bcopy(lcl_ipf_tuneables, ifs->ifs_ipf_tuneables,
6461 sizeof (lcl_ipf_tuneables));
6462
6463 #define TUNE_SET(_ifs, _name, _field) \
6464 item = tune_lookup((_ifs), (_name)); \
6465 if (item != NULL) { \
6466 item->ipft_una.ipftp_int = (unsigned int *)&((_ifs)->_field); \
6467 item->ipft_sz = sizeof ((_ifs)->_field); \
6468 }
6469
6470 TUNE_SET(ifs, "fr_flags", ifs_fr_flags);
6471 TUNE_SET(ifs, "fr_active", ifs_fr_active);
6472 TUNE_SET(ifs, "fr_control_forwarding", ifs_fr_control_forwarding);
6473 TUNE_SET(ifs, "fr_update_ipid", ifs_fr_update_ipid);
6474 TUNE_SET(ifs, "fr_chksrc", ifs_fr_chksrc);
6475 TUNE_SET(ifs, "fr_minttl", ifs_fr_minttl);
6476 TUNE_SET(ifs, "fr_icmpminfragmtu", ifs_fr_icmpminfragmtu);
6477 TUNE_SET(ifs, "fr_pass", ifs_fr_pass);
6478 TUNE_SET(ifs, "fr_tcpidletimeout", ifs_fr_tcpidletimeout);
6479 TUNE_SET(ifs, "fr_tcpclosewait", ifs_fr_tcpclosewait);
6480 TUNE_SET(ifs, "fr_tcplastack", ifs_fr_tcplastack);
6481 TUNE_SET(ifs, "fr_tcptimeout", ifs_fr_tcptimeout);
6482 TUNE_SET(ifs, "fr_tcpclosed", ifs_fr_tcpclosed);
6483 TUNE_SET(ifs, "fr_tcphalfclosed", ifs_fr_tcphalfclosed);
6484 TUNE_SET(ifs, "fr_udptimeout", ifs_fr_udptimeout);
6485 TUNE_SET(ifs, "fr_udpacktimeout", ifs_fr_udpacktimeout);
6486 TUNE_SET(ifs, "fr_icmptimeout", ifs_fr_icmptimeout);
6487 TUNE_SET(ifs, "fr_icmpacktimeout", ifs_fr_icmpacktimeout);
6488 TUNE_SET(ifs, "fr_iptimeout", ifs_fr_iptimeout);
6489 TUNE_SET(ifs, "fr_statemax", ifs_fr_statemax);
6490 TUNE_SET(ifs, "fr_statesize", ifs_fr_statesize);
6491 TUNE_SET(ifs, "fr_state_lock", ifs_fr_state_lock);
6492 TUNE_SET(ifs, "fr_state_maxbucket", ifs_fr_state_maxbucket);
6493 TUNE_SET(ifs, "fr_state_maxbucket_reset", ifs_fr_state_maxbucket_reset);
6494 TUNE_SET(ifs, "ipstate_logging", ifs_ipstate_logging);
6495 TUNE_SET(ifs, "fr_nat_lock", ifs_fr_nat_lock);
6496 TUNE_SET(ifs, "ipf_nattable_sz", ifs_ipf_nattable_sz);
6497 TUNE_SET(ifs, "ipf_nattable_max", ifs_ipf_nattable_max);
6498 TUNE_SET(ifs, "ipf_natrules_sz", ifs_ipf_natrules_sz);
6499 TUNE_SET(ifs, "ipf_rdrrules_sz", ifs_ipf_rdrrules_sz);
6500 TUNE_SET(ifs, "ipf_hostmap_sz", ifs_ipf_hostmap_sz);
6501 TUNE_SET(ifs, "fr_nat_maxbucket", ifs_fr_nat_maxbucket);
6502 TUNE_SET(ifs, "fr_nat_maxbucket_reset", ifs_fr_nat_maxbucket_reset);
6503 TUNE_SET(ifs, "nat_logging", ifs_nat_logging);
6504 TUNE_SET(ifs, "fr_defnatage", ifs_fr_defnatage);
6505 TUNE_SET(ifs, "fr_defnatipage", ifs_fr_defnatipage);
6506 TUNE_SET(ifs, "fr_defnaticmpage", ifs_fr_defnaticmpage);
6507 TUNE_SET(ifs, "nat_flush_level_hi", ifs_nat_flush_level_hi);
6508 TUNE_SET(ifs, "nat_flush_level_lo", ifs_nat_flush_level_lo);
6509 TUNE_SET(ifs, "state_flush_level_hi", ifs_state_flush_level_hi);
6510 TUNE_SET(ifs, "state_flush_level_lo", ifs_state_flush_level_lo);
6511 TUNE_SET(ifs, "ipfr_size", ifs_ipfr_size);
6512 TUNE_SET(ifs, "fr_ipfrttl", ifs_fr_ipfrttl);
6513 TUNE_SET(ifs, "ipf_loopback", ifs_ipf_loopback);
6514 #ifdef IPFILTER_LOG
6515 TUNE_SET(ifs, "ipl_suppress", ifs_ipl_suppress);
6516 TUNE_SET(ifs, "ipl_buffer_sz", ifs_ipl_buffer_sz);
6517 TUNE_SET(ifs, "ipl_logmax", ifs_ipl_logmax);
6518 TUNE_SET(ifs, "ipl_logall", ifs_ipl_logall);
6519 TUNE_SET(ifs, "ipl_logsize", ifs_ipl_logsize);
6520 #endif
6521 #undef TUNE_SET
6522
6523 ipftuneable_setdefs(ifs);
6524
6525 #ifdef _KERNEL
6526 (void) ipf_property_update(ipf_dev_info, ifs);
6527 #endif
6528 }
6529
6530 void
6531 ipftuneable_free(ipf_stack_t *ifs)
6532 {
6533 KFREES(ifs->ifs_ipf_tuneables, sizeof (lcl_ipf_tuneables));
6534 ifs->ifs_ipf_tuneables = NULL;
6535 }
6536
6537 /* ------------------------------------------------------------------------ */
6538 /* Function: fr_findtunebycookie */
6539 /* Returns: NULL = search failed, else pointer to tune struct */
6540 /* Parameters: cookie(I) - cookie value to search for amongst tuneables */
6541 /* next(O) - pointer to place to store the cookie for the */
6542 /* "next" tuneable, if it is desired. */
6543 /* */
6544 /* This function is used to walk through all of the existing tunables with */
6545 /* successive calls. It searches the known tunables for the one which has */
6546 /* a matching value for "cookie" - ie its address. When returning a match, */
6547 /* the next one to be found may be returned inside next. */
6548 /* ------------------------------------------------------------------------ */
6549 static ipftuneable_t *fr_findtunebycookie(cookie, next, ifs)
6550 void *cookie, **next;
6551 ipf_stack_t * ifs;
6552 {
6553 ipftuneable_t *ta, **tap;
6554
6555 for (ta = ifs->ifs_ipf_tuneables; ta->ipft_name != NULL; ta++)
6556 if (ta == cookie) {
6557 if (next != NULL) {
6558 /*
6559 * If the next entry in the array has a name
6560 * present, then return a pointer to it for
6561 * where to go next, else return a pointer to
6562 * the dynaminc list as a key to search there
6563 * next. This facilitates a weak linking of
6564 * the two "lists" together.
6565 */
6566 if ((ta + 1)->ipft_name != NULL)
6567 *next = ta + 1;
6568 else
6569 *next = &ifs->ifs_ipf_tunelist;
6570 }
6571 return ta;
6572 }
6573
6574 for (tap = &ifs->ifs_ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
6575 if (tap == cookie) {
6576 if (next != NULL)
6577 *next = &ta->ipft_next;
6578 return ta;
6579 }
6580
6581 if (next != NULL)
6582 *next = NULL;
6583 return NULL;
6584 }
6585
6586
6587 /* ------------------------------------------------------------------------ */
6588 /* Function: fr_findtunebyname */
6589 /* Returns: NULL = search failed, else pointer to tune struct */
6590 /* Parameters: name(I) - name of the tuneable entry to find. */
6591 /* */
6592 /* Search the static array of tuneables and the list of dynamic tuneables */
6593 /* for an entry with a matching name. If we can find one, return a pointer */
6594 /* to the matching structure. */
6595 /* ------------------------------------------------------------------------ */
6596 static ipftuneable_t *fr_findtunebyname(name, ifs)
6597 const char *name;
6598 ipf_stack_t *ifs;
6599 {
6600 ipftuneable_t *ta;
6601
6602 for (ta = ifs->ifs_ipf_tuneables; ta->ipft_name != NULL; ta++)
6603 if (!strcmp(ta->ipft_name, name)) {
6604 return ta;
6605 }
6606
6607 for (ta = ifs->ifs_ipf_tunelist; ta != NULL; ta = ta->ipft_next)
6608 if (!strcmp(ta->ipft_name, name)) {
6609 return ta;
6610 }
6611
6612 return NULL;
6613 }
6614
6615
6616 /* ------------------------------------------------------------------------ */
6617 /* Function: fr_addipftune */
6618 /* Returns: int - 0 == success, else failure */
6619 /* Parameters: newtune - pointer to new tune struct to add to tuneables */
6620 /* */
6621 /* Appends the tune structure pointer to by "newtune" to the end of the */
6622 /* current list of "dynamic" tuneable parameters. Once added, the owner */
6623 /* of the object is not expected to ever change "ipft_next". */
6624 /* ------------------------------------------------------------------------ */
6625 int fr_addipftune(newtune, ifs)
6626 ipftuneable_t *newtune;
6627 ipf_stack_t *ifs;
6628 {
6629 ipftuneable_t *ta, **tap;
6630
6631 ta = fr_findtunebyname(newtune->ipft_name, ifs);
6632 if (ta != NULL)
6633 return EEXIST;
6634
6635 for (tap = &ifs->ifs_ipf_tunelist; *tap != NULL; tap = &(*tap)->ipft_next)
6636 ;
6637
6638 newtune->ipft_next = NULL;
6639 *tap = newtune;
6640 return 0;
6641 }
6642
6643
6644 /* ------------------------------------------------------------------------ */
6645 /* Function: fr_delipftune */
6646 /* Returns: int - 0 == success, else failure */
6647 /* Parameters: oldtune - pointer to tune struct to remove from the list of */
6648 /* current dynamic tuneables */
6649 /* */
6650 /* Search for the tune structure, by pointer, in the list of those that are */
6651 /* dynamically added at run time. If found, adjust the list so that this */
6652 /* structure is no longer part of it. */
6653 /* ------------------------------------------------------------------------ */
6654 int fr_delipftune(oldtune, ifs)
6655 ipftuneable_t *oldtune;
6656 ipf_stack_t *ifs;
6657 {
6658 ipftuneable_t *ta, **tap;
6659
6660 for (tap = &ifs->ifs_ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
6661 if (ta == oldtune) {
6662 *tap = oldtune->ipft_next;
6663 oldtune->ipft_next = NULL;
6664 return 0;
6665 }
6666
6667 return ESRCH;
6668 }
6669
6670
6671 /* ------------------------------------------------------------------------ */
6672 /* Function: fr_ipftune */
6673 /* Returns: int - 0 == success, else failure */
6674 /* Parameters: cmd(I) - ioctl command number */
6675 /* data(I) - pointer to ioctl data structure */
6676 /* */
6677 /* Implement handling of SIOCIPFGETNEXT, SIOCIPFGET and SIOCIPFSET. These */
6678 /* three ioctls provide the means to access and control global variables */
6679 /* within IPFilter, allowing (for example) timeouts and table sizes to be */
6680 /* changed without rebooting, reloading or recompiling. The initialisation */
6681 /* and 'destruction' routines of the various components of ipfilter are all */
6682 /* each responsible for handling their own values being too big. */
6683 /* ------------------------------------------------------------------------ */
6684 int fr_ipftune(cmd, data, ifs)
6685 ioctlcmd_t cmd;
6686 void *data;
6687 ipf_stack_t *ifs;
6688 {
6689 ipftuneable_t *ta;
6690 ipftune_t tu;
6691 void *cookie;
6692 int error;
6693
6694 error = fr_inobj(data, &tu, IPFOBJ_TUNEABLE);
6695 if (error != 0)
6696 return error;
6697
6698 tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';
6699 cookie = tu.ipft_cookie;
6700 ta = NULL;
6701
6702 switch (cmd)
6703 {
6704 case SIOCIPFGETNEXT :
6705 /*
6706 * If cookie is non-NULL, assume it to be a pointer to the last
6707 * entry we looked at, so find it (if possible) and return a
6708 * pointer to the next one after it. The last entry in the
6709 * the table is a NULL entry, so when we get to it, set cookie
6710 * to NULL and return that, indicating end of list, erstwhile
6711 * if we come in with cookie set to NULL, we are starting anew
6712 * at the front of the list.
6713 */
6714 if (cookie != NULL) {
6715 ta = fr_findtunebycookie(cookie, &tu.ipft_cookie, ifs);
6716 } else {
6717 ta = ifs->ifs_ipf_tuneables;
6718 tu.ipft_cookie = ta + 1;
6719 }
6720 if (ta != NULL) {
6721 /*
6722 * Entry found, but does the data pointed to by that
6723 * row fit in what we can return?
6724 */
6725 if (ta->ipft_sz > sizeof(tu.ipft_un))
6726 return EINVAL;
6727
6728 tu.ipft_vlong = 0;
6729 if (ta->ipft_sz == sizeof(u_long))
6730 tu.ipft_vlong = *ta->ipft_plong;
6731 else if (ta->ipft_sz == sizeof(u_int))
6732 tu.ipft_vint = *ta->ipft_pint;
6733 else if (ta->ipft_sz == sizeof(u_short))
6734 tu.ipft_vshort = *ta->ipft_pshort;
6735 else if (ta->ipft_sz == sizeof(u_char))
6736 tu.ipft_vchar = *ta->ipft_pchar;
6737
6738 tu.ipft_sz = ta->ipft_sz;
6739 tu.ipft_min = ta->ipft_min;
6740 tu.ipft_max = ta->ipft_max;
6741 tu.ipft_flags = ta->ipft_flags;
6742 bcopy(ta->ipft_name, tu.ipft_name,
6743 MIN(sizeof(tu.ipft_name),
6744 strlen(ta->ipft_name) + 1));
6745 }
6746 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
6747 break;
6748
6749 case SIOCIPFGET :
6750 case SIOCIPFSET :
6751 /*
6752 * Search by name or by cookie value for a particular entry
6753 * in the tuning paramter table.
6754 */
6755 error = ESRCH;
6756 if (cookie != NULL) {
6757 ta = fr_findtunebycookie(cookie, NULL, ifs);
6758 if (ta != NULL)
6759 error = 0;
6760 } else if (tu.ipft_name[0] != '\0') {
6761 ta = fr_findtunebyname(tu.ipft_name, ifs);
6762 if (ta != NULL)
6763 error = 0;
6764 }
6765 if (error != 0)
6766 break;
6767
6768 if (cmd == (ioctlcmd_t)SIOCIPFGET) {
6769 /*
6770 * Fetch the tuning parameters for a particular value
6771 */
6772 tu.ipft_vlong = 0;
6773 if (ta->ipft_sz == sizeof(u_long))
6774 tu.ipft_vlong = *ta->ipft_plong;
6775 else if (ta->ipft_sz == sizeof(u_int))
6776 tu.ipft_vint = *ta->ipft_pint;
6777 else if (ta->ipft_sz == sizeof(u_short))
6778 tu.ipft_vshort = *ta->ipft_pshort;
6779 else if (ta->ipft_sz == sizeof(u_char))
6780 tu.ipft_vchar = *ta->ipft_pchar;
6781 tu.ipft_cookie = ta;
6782 tu.ipft_sz = ta->ipft_sz;
6783 tu.ipft_min = ta->ipft_min;
6784 tu.ipft_max = ta->ipft_max;
6785 tu.ipft_flags = ta->ipft_flags;
6786 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
6787
6788 } else if (cmd == (ioctlcmd_t)SIOCIPFSET) {
6789 /*
6790 * Set an internal parameter. The hard part here is
6791 * getting the new value safely and correctly out of
6792 * the kernel (given we only know its size, not type.)
6793 */
6794 u_long in;
6795
6796 if (((ta->ipft_flags & IPFT_WRDISABLED) != 0) &&
6797 (ifs->ifs_fr_running > 0)) {
6798 error = EBUSY;
6799 break;
6800 }
6801
6802 in = tu.ipft_vlong;
6803 if (in < ta->ipft_min || in > ta->ipft_max) {
6804 error = EINVAL;
6805 break;
6806 }
6807
6808 if (ta->ipft_sz == sizeof(u_long)) {
6809 tu.ipft_vlong = *ta->ipft_plong;
6810 *ta->ipft_plong = in;
6811 } else if (ta->ipft_sz == sizeof(u_int)) {
6812 tu.ipft_vint = *ta->ipft_pint;
6813 *ta->ipft_pint = (u_int)(in & 0xffffffff);
6814 } else if (ta->ipft_sz == sizeof(u_short)) {
6815 tu.ipft_vshort = *ta->ipft_pshort;
6816 *ta->ipft_pshort = (u_short)(in & 0xffff);
6817 } else if (ta->ipft_sz == sizeof(u_char)) {
6818 tu.ipft_vchar = *ta->ipft_pchar;
6819 *ta->ipft_pchar = (u_char)(in & 0xff);
6820 }
6821 error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
6822 }
6823 break;
6824
6825 default :
6826 error = EINVAL;
6827 break;
6828 }
6829
6830 return error;
6831 }
6832
6833
6834 /* ------------------------------------------------------------------------ */
6835 /* Function: fr_initialise */
6836 /* Returns: int - 0 == success, < 0 == failure */
6837 /* Parameters: None. */
6838 /* */
6839 /* Call of the initialise functions for all the various subsystems inside */
6840 /* of IPFilter. If any of them should fail, return immeadiately a failure */
6841 /* BUT do not try to recover from the error here. */
6842 /* ------------------------------------------------------------------------ */
6843 int fr_initialise(ifs)
6844 ipf_stack_t *ifs;
6845 {
6846 int i;
6847
6848 #ifdef IPFILTER_LOG
6849 i = fr_loginit(ifs);
6850 if (i < 0)
6851 return -10 + i;
6852 #endif
6853 i = fr_natinit(ifs);
6854 if (i < 0)
6855 return -20 + i;
6856
6857 i = fr_stateinit(ifs);
6858 if (i < 0)
6859 return -30 + i;
6860
6861 i = fr_authinit(ifs);
6862 if (i < 0)
6863 return -40 + i;
6864
6865 i = fr_fraginit(ifs);
6866 if (i < 0)
6867 return -50 + i;
6868
6869 i = appr_init(ifs);
6870 if (i < 0)
6871 return -60 + i;
6872
6873 #ifdef IPFILTER_SYNC
6874 i = ipfsync_init(ifs);
6875 if (i < 0)
6876 return -70 + i;
6877 #endif
6878 #ifdef IPFILTER_SCAN
6879 i = ipsc_init(ifs);
6880 if (i < 0)
6881 return -80 + i;
6882 #endif
6883 #ifdef IPFILTER_LOOKUP
6884 i = ip_lookup_init(ifs);
6885 if (i < 0)
6886 return -90 + i;
6887 #endif
6888 #ifdef IPFILTER_COMPILED
6889 ipfrule_add(ifs);
6890 #endif
6891 return 0;
6892 }
6893
6894
6895 /* ------------------------------------------------------------------------ */
6896 /* Function: fr_deinitialise */
6897 /* Returns: None. */
6898 /* Parameters: None. */
6899 /* */
6900 /* Call all the various subsystem cleanup routines to deallocate memory or */
6901 /* destroy locks or whatever they've done that they need to now undo. */
6902 /* The order here IS important as there are some cross references of */
6903 /* internal data structures. */
6904 /* ------------------------------------------------------------------------ */
6905 void fr_deinitialise(ifs)
6906 ipf_stack_t *ifs;
6907 {
6908 fr_fragunload(ifs);
6909 fr_authunload(ifs);
6910 fr_natunload(ifs);
6911 fr_stateunload(ifs);
6912 #ifdef IPFILTER_SCAN
6913 fr_scanunload(ifs);
6914 #endif
6915 appr_unload(ifs);
6916
6917 #ifdef IPFILTER_COMPILED
6918 ipfrule_remove(ifs);
6919 #endif
6920
6921 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE, ifs);
6922 (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE, ifs);
6923 (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE, ifs);
6924 (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE, ifs);
6925
6926 #ifdef IPFILTER_LOOKUP
6927 ip_lookup_unload(ifs);
6928 #endif
6929
6930 #ifdef IPFILTER_LOG
6931 fr_logunload(ifs);
6932 #endif
6933 }
6934
6935
6936 /* ------------------------------------------------------------------------ */
6937 /* Function: fr_zerostats */
6938 /* Returns: int - 0 = success, else failure */
6939 /* Parameters: data(O) - pointer to pointer for copying data back to */
6940 /* */
6941 /* Copies the current statistics out to userspace and then zero's the */
6942 /* current ones in the kernel. The lock is only held across the bzero() as */
6943 /* the copyout may result in paging (ie network activity.) */
6944 /* ------------------------------------------------------------------------ */
6945 int fr_zerostats(data, ifs)
6946 caddr_t data;
6947 ipf_stack_t *ifs;
6948 {
6949 friostat_t fio;
6950 int error;
6951
6952 fr_getstat(&fio, ifs);
6953 error = copyoutptr(&fio, data, sizeof(fio));
6954 if (error)
6955 return EFAULT;
6956
6957 WRITE_ENTER(&ifs->ifs_ipf_mutex);
6958 bzero((char *)ifs->ifs_frstats, sizeof(*ifs->ifs_frstats) * 2);
6959 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
6960
6961 return 0;
6962 }
6963
6964
6965 #ifdef _KERNEL
6966 /* ------------------------------------------------------------------------ */
6967 /* Function: fr_resolvedest */
6968 /* Returns: Nil */
6969 /* Parameters: fdp(IO) - pointer to destination information to resolve */
6970 /* v(I) - IP protocol version to match */
6971 /* */
6972 /* Looks up an interface name in the frdest structure pointed to by fdp and */
6973 /* if a matching name can be found for the particular IP protocol version */
6974 /* then store the interface pointer in the frdest struct. If no match is */
6975 /* found, then set the interface pointer to be -1 as NULL is considered to */
6976 /* indicate there is no information at all in the structure. */
6977 /* ------------------------------------------------------------------------ */
6978 void fr_resolvedest(fdp, v, ifs)
6979 frdest_t *fdp;
6980 int v;
6981 ipf_stack_t *ifs;
6982 {
6983 fdp->fd_ifp = NULL;
6984
6985 if (*fdp->fd_ifname != '\0') {
6986 fdp->fd_ifp = GETIFP(fdp->fd_ifname, v, ifs);
6987 if (fdp->fd_ifp == NULL)
6988 fdp->fd_ifp = (void *)-1;
6989 }
6990 }
6991 #endif /* _KERNEL */
6992
6993
6994 /* ------------------------------------------------------------------------ */
6995 /* Function: fr_resolvenic */
6996 /* Returns: void* - NULL = wildcard name, -1 = failed to find NIC, else */
6997 /* pointer to interface structure for NIC */
6998 /* Parameters: name(I) - complete interface name */
6999 /* v(I) - IP protocol version */
7000 /* */
7001 /* Look for a network interface structure that firstly has a matching name */
7002 /* to that passed in and that is also being used for that IP protocol */
7003 /* version (necessary on some platforms where there are separate listings */
7004 /* for both IPv4 and IPv6 on the same physical NIC. */
7005 /* */
7006 /* One might wonder why name gets terminated with a \0 byte in here. The */
7007 /* reason is an interface name could get into the kernel structures of ipf */
7008 /* in any number of ways and so long as they all use the same sized array */
7009 /* to put the name in, it makes sense to ensure it gets null terminated */
7010 /* before it is used for its intended purpose - finding its match in the */
7011 /* kernel's list of configured interfaces. */
7012 /* */
7013 /* NOTE: This SHOULD ONLY be used with IPFilter structures that have an */
7014 /* array for the name that is LIFNAMSIZ bytes (at least) in length. */
7015 /* ------------------------------------------------------------------------ */
7016 void *fr_resolvenic(name, v, ifs)
7017 char *name;
7018 int v;
7019 ipf_stack_t *ifs;
7020 {
7021 void *nic;
7022
7023 if (name[0] == '\0')
7024 return NULL;
7025
7026 if ((name[1] == '\0') && ((name[0] == '-') || (name[0] == '*'))) {
7027 return NULL;
7028 }
7029
7030 name[LIFNAMSIZ - 1] = '\0';
7031
7032 nic = GETIFP(name, v, ifs);
7033 if (nic == NULL)
7034 nic = (void *)-1;
7035 return nic;
7036 }
7037
7038
7039 /* ------------------------------------------------------------------------ */
7040 /* Function: ipf_expiretokens */
7041 /* Returns: None. */
7042 /* Parameters: ifs - ipf stack instance */
7043 /* */
7044 /* This function is run every ipf tick to see if there are any tokens that */
7045 /* have been held for too long and need to be freed up. */
7046 /* ------------------------------------------------------------------------ */
7047 void ipf_expiretokens(ifs)
7048 ipf_stack_t *ifs;
7049 {
7050 ipftoken_t *it;
7051
7052 WRITE_ENTER(&ifs->ifs_ipf_tokens);
7053 while ((it = ifs->ifs_ipftokenhead) != NULL) {
7054 if (it->ipt_die > ifs->ifs_fr_ticks)
7055 break;
7056
7057 ipf_freetoken(it, ifs);
7058 }
7059 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
7060 }
7061
7062
7063 /* ------------------------------------------------------------------------ */
7064 /* Function: ipf_deltoken */
7065 /* Returns: int - 0 = success, else error */
7066 /* Parameters: type(I) - the token type to match */
7067 /* uid(I) - uid owning the token */
7068 /* ptr(I) - context pointer for the token */
7069 /* ifs - ipf stack instance */
7070 /* */
7071 /* This function looks for a a token in the current list that matches up */
7072 /* the fields (type, uid, ptr). If none is found, ESRCH is returned, else */
7073 /* call ipf_freetoken() to remove it from the list. */
7074 /* ------------------------------------------------------------------------ */
7075 int ipf_deltoken(type, uid, ptr, ifs)
7076 int type, uid;
7077 void *ptr;
7078 ipf_stack_t *ifs;
7079 {
7080 ipftoken_t *it;
7081 int error = ESRCH;
7082
7083 WRITE_ENTER(&ifs->ifs_ipf_tokens);
7084 for (it = ifs->ifs_ipftokenhead; it != NULL; it = it->ipt_next)
7085 if (ptr == it->ipt_ctx && type == it->ipt_type &&
7086 uid == it->ipt_uid) {
7087 ipf_freetoken(it, ifs);
7088 error = 0;
7089 break;
7090 }
7091 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
7092
7093 return error;
7094 }
7095
7096
7097 /* ------------------------------------------------------------------------ */
7098 /* Function: ipf_unlinktoken */
7099 /* Returns: None. */
7100 /* Parameters: token(I) - pointer to token structure */
7101 /* ifs - ipf stack instance */
7102 /* */
7103 /* This function unlinks a token structure from the linked list of tokens */
7104 /* that it belongs to. The head pointer never needs to be explicitly */
7105 /* adjusted, but the tail does due to the linked list implementation. */
7106 /* ------------------------------------------------------------------------ */
7107 static void ipf_unlinktoken(token, ifs)
7108 ipftoken_t *token;
7109 ipf_stack_t *ifs;
7110 {
7111
7112 if (ifs->ifs_ipftokentail == &token->ipt_next)
7113 ifs->ifs_ipftokentail = token->ipt_pnext;
7114
7115 *token->ipt_pnext = token->ipt_next;
7116 if (token->ipt_next != NULL)
7117 token->ipt_next->ipt_pnext = token->ipt_pnext;
7118 }
7119
7120
7121 /* ------------------------------------------------------------------------ */
7122 /* Function: ipf_findtoken */
7123 /* Returns: ipftoken_t * - NULL if no memory, else pointer to token */
7124 /* Parameters: type(I) - the token type to match */
7125 /* uid(I) - uid owning the token */
7126 /* ptr(I) - context pointer for the token */
7127 /* ifs - ipf stack instance */
7128 /* */
7129 /* This function looks for a live token in the list of current tokens that */
7130 /* matches the tuple (type, uid, ptr). If one cannot be found then one is */
7131 /* allocated. If one is found then it is moved to the top of the list of */
7132 /* currently active tokens. */
7133 /* */
7134 /* NOTE: It is by design that this function returns holding a read lock on */
7135 /* ipf_tokens. Callers must make sure they release it! */
7136 /* ------------------------------------------------------------------------ */
7137 ipftoken_t *ipf_findtoken(type, uid, ptr, ifs)
7138 int type, uid;
7139 void *ptr;
7140 ipf_stack_t *ifs;
7141 {
7142 ipftoken_t *it, *new;
7143
7144 KMALLOC(new, ipftoken_t *);
7145
7146 WRITE_ENTER(&ifs->ifs_ipf_tokens);
7147 for (it = ifs->ifs_ipftokenhead; it != NULL; it = it->ipt_next) {
7148 if (it->ipt_alive == 0)
7149 continue;
7150 if (ptr == it->ipt_ctx && type == it->ipt_type &&
7151 uid == it->ipt_uid)
7152 break;
7153 }
7154
7155 if (it == NULL) {
7156 it = new;
7157 new = NULL;
7158 if (it == NULL)
7159 return NULL;
7160 it->ipt_data = NULL;
7161 it->ipt_ctx = ptr;
7162 it->ipt_uid = uid;
7163 it->ipt_type = type;
7164 it->ipt_next = NULL;
7165 it->ipt_alive = 1;
7166 } else {
7167 if (new != NULL) {
7168 KFREE(new);
7169 new = NULL;
7170 }
7171
7172 ipf_unlinktoken(it, ifs);
7173 }
7174 it->ipt_pnext = ifs->ifs_ipftokentail;
7175 *ifs->ifs_ipftokentail = it;
7176 ifs->ifs_ipftokentail = &it->ipt_next;
7177 it->ipt_next = NULL;
7178
7179 it->ipt_die = ifs->ifs_fr_ticks + 2;
7180
7181 MUTEX_DOWNGRADE(&ifs->ifs_ipf_tokens);
7182
7183 return it;
7184 }
7185
7186
7187 /* ------------------------------------------------------------------------ */
7188 /* Function: ipf_freetoken */
7189 /* Returns: None. */
7190 /* Parameters: token(I) - pointer to token structure */
7191 /* ifs - ipf stack instance */
7192 /* */
7193 /* This function unlinks a token from the linked list and on the path to */
7194 /* free'ing the data, it calls the dereference function that is associated */
7195 /* with the type of data pointed to by the token as it is considered to */
7196 /* hold a reference to it. */
7197 /* ------------------------------------------------------------------------ */
7198 void ipf_freetoken(token, ifs)
7199 ipftoken_t *token;
7200 ipf_stack_t *ifs;
7201 {
7202 void *data, **datap;
7203
7204 ipf_unlinktoken(token, ifs);
7205
7206 data = token->ipt_data;
7207 datap = &data;
7208
7209 if ((data != NULL) && (data != (void *)-1)) {
7210 switch (token->ipt_type)
7211 {
7212 case IPFGENITER_IPF :
7213 (void)fr_derefrule((frentry_t **)datap, ifs);
7214 break;
7215 case IPFGENITER_IPNAT :
7216 WRITE_ENTER(&ifs->ifs_ipf_nat);
7217 fr_ipnatderef((ipnat_t **)datap, ifs);
7218 RWLOCK_EXIT(&ifs->ifs_ipf_nat);
7219 break;
7220 case IPFGENITER_NAT :
7221 fr_natderef((nat_t **)datap, ifs);
7222 break;
7223 case IPFGENITER_STATE :
7224 fr_statederef((ipstate_t **)datap, ifs);
7225 break;
7226 case IPFGENITER_FRAG :
7227 fr_fragderef((ipfr_t **)datap, &ifs->ifs_ipf_frag, ifs);
7228 break;
7229 case IPFGENITER_NATFRAG :
7230 fr_fragderef((ipfr_t **)datap,
7231 &ifs->ifs_ipf_natfrag, ifs);
7232 break;
7233 case IPFGENITER_HOSTMAP :
7234 WRITE_ENTER(&ifs->ifs_ipf_nat);
7235 fr_hostmapdel((hostmap_t **)datap);
7236 RWLOCK_EXIT(&ifs->ifs_ipf_nat);
7237 break;
7238 default :
7239 (void) ip_lookup_iterderef(token->ipt_type, data, ifs);
7240 break;
7241 }
7242 }
7243
7244 KFREE(token);
7245 }
7246
7247
7248 /* ------------------------------------------------------------------------ */
7249 /* Function: ipf_getnextrule */
7250 /* Returns: int - 0 = success, else error */
7251 /* Parameters: t(I) - pointer to destination information to resolve */
7252 /* ptr(I) - pointer to ipfobj_t to copyin from user space */
7253 /* ifs - ipf stack instance */
7254 /* */
7255 /* This function's first job is to bring in the ipfruleiter_t structure via */
7256 /* the ipfobj_t structure to determine what should be the next rule to */
7257 /* return. Once the ipfruleiter_t has been brought in, it then tries to */
7258 /* find the 'next rule'. This may include searching rule group lists or */
7259 /* just be as simple as looking at the 'next' field in the rule structure. */
7260 /* When we have found the rule to return, increase its reference count and */
7261 /* if we used an existing rule to get here, decrease its reference count. */
7262 /* ------------------------------------------------------------------------ */
7263 int ipf_getnextrule(t, ptr, ifs)
7264 ipftoken_t *t;
7265 void *ptr;
7266 ipf_stack_t *ifs;
7267 {
7268 frentry_t *fr, *next, zero;
7269 int error, out, count;
7270 ipfruleiter_t it;
7271 frgroup_t *fg;
7272 char *dst;
7273
7274 if (t == NULL || ptr == NULL)
7275 return EFAULT;
7276 error = fr_inobj(ptr, &it, IPFOBJ_IPFITER);
7277 if (error != 0)
7278 return error;
7279 if ((it.iri_ver != AF_INET) && (it.iri_ver != AF_INET6))
7280 return EINVAL;
7281 if ((it.iri_inout < 0) || (it.iri_inout > 3))
7282 return EINVAL;
7283 if (it.iri_nrules == 0)
7284 return EINVAL;
7285 if ((it.iri_active != 0) && (it.iri_active != 1))
7286 return EINVAL;
7287 if (it.iri_rule == NULL)
7288 return EFAULT;
7289
7290 /*
7291 * Use bitmask on it.iri_inout to determine direction.
7292 * F_OUT (1) and F_ACOUT (3) mask to out = 1, while
7293 * F_IN (0) and F_ACIN (2) mask to out = 0.
7294 */
7295 out = it.iri_inout & F_OUT;
7296 READ_ENTER(&ifs->ifs_ipf_mutex);
7297
7298 /*
7299 * Retrieve "previous" entry from token and find the next entry.
7300 */
7301 fr = t->ipt_data;
7302 if (fr == NULL) {
7303 if (*it.iri_group == '\0') {
7304 /*
7305 * Use bitmask again to determine accounting or not.
7306 * F_ACIN will mask to accounting cases F_ACIN (2)
7307 * or F_ACOUT (3), but not F_IN or F_OUT.
7308 */
7309 if ((it.iri_inout & F_ACIN) != 0) {
7310 if (it.iri_ver == AF_INET)
7311 next = ifs->ifs_ipacct
7312 [out][it.iri_active];
7313 else
7314 next = ifs->ifs_ipacct6
7315 [out][it.iri_active];
7316 } else {
7317 if (it.iri_ver == AF_INET)
7318 next = ifs->ifs_ipfilter
7319 [out][it.iri_active];
7320 else
7321 next = ifs->ifs_ipfilter6
7322 [out][it.iri_active];
7323 }
7324 } else {
7325 fg = fr_findgroup(it.iri_group, IPL_LOGIPF,
7326 it.iri_active, NULL, ifs);
7327 if (fg != NULL)
7328 next = fg->fg_start;
7329 else
7330 next = NULL;
7331 }
7332 } else {
7333 next = fr->fr_next;
7334 }
7335
7336 dst = (char *)it.iri_rule;
7337 /*
7338 * The ipfruleiter may ask for more than 1 rule at a time to be
7339 * copied out, so long as that many exist in the list to start with!
7340 */
7341 for (count = it.iri_nrules; count > 0; count--) {
7342 /*
7343 * If we found an entry, add reference to it and update token.
7344 * Otherwise, zero out data to be returned and NULL out token.
7345 */
7346 if (next != NULL) {
7347 MUTEX_ENTER(&next->fr_lock);
7348 next->fr_ref++;
7349 MUTEX_EXIT(&next->fr_lock);
7350 t->ipt_data = next;
7351 } else {
7352 bzero(&zero, sizeof(zero));
7353 next = &zero;
7354 t->ipt_data = NULL;
7355 }
7356
7357 /*
7358 * Now that we have ref, it's save to give up lock.
7359 */
7360 RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
7361
7362 /*
7363 * Copy out data and clean up references and token as needed.
7364 */
7365 error = COPYOUT(next, dst, sizeof(*next));
7366 if (error != 0)
7367 error = EFAULT;
7368 if (t->ipt_data == NULL) {
7369 ipf_freetoken(t, ifs);
7370 break;
7371 } else {
7372 if (fr != NULL)
7373 (void) fr_derefrule(&fr, ifs);
7374 if (next->fr_data != NULL) {
7375 dst += sizeof(*next);
7376 error = COPYOUT(next->fr_data, dst,
7377 next->fr_dsize);
7378 if (error != 0)
7379 error = EFAULT;
7380 else
7381 dst += next->fr_dsize;
7382 }
7383 if (next->fr_next == NULL) {
7384 ipf_freetoken(t, ifs);
7385 break;
7386 }
7387 }
7388
7389 if ((count == 1) || (error != 0))
7390 break;
7391
7392 READ_ENTER(&ifs->ifs_ipf_mutex);
7393 fr = next;
7394 next = fr->fr_next;
7395 }
7396
7397 return error;
7398 }
7399
7400
7401 /* ------------------------------------------------------------------------ */
7402 /* Function: fr_frruleiter */
7403 /* Returns: int - 0 = success, else error */
7404 /* Parameters: data(I) - the token type to match */
7405 /* uid(I) - uid owning the token */
7406 /* ptr(I) - context pointer for the token */
7407 /* ifs - ipf stack instance */
7408 /* */
7409 /* This function serves as a stepping stone between fr_ipf_ioctl and */
7410 /* ipf_getnextrule. It's role is to find the right token in the kernel for */
7411 /* the process doing the ioctl and use that to ask for the next rule. */
7412 /* ------------------------------------------------------------------------ */
7413 int ipf_frruleiter(data, uid, ctx, ifs)
7414 void *data, *ctx;
7415 int uid;
7416 ipf_stack_t *ifs;
7417 {
7418 ipftoken_t *token;
7419 int error;
7420
7421 token = ipf_findtoken(IPFGENITER_IPF, uid, ctx, ifs);
7422 if (token != NULL)
7423 error = ipf_getnextrule(token, data, ifs);
7424 else
7425 error = EFAULT;
7426 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
7427
7428 return error;
7429 }
7430
7431
7432 /* ------------------------------------------------------------------------ */
7433 /* Function: ipf_geniter */
7434 /* Returns: int - 0 = success, else error */
7435 /* Parameters: token(I) - pointer to ipftoken structure */
7436 /* itp(I) - pointer to ipfgeniter structure */
7437 /* ifs - ipf stack instance */
7438 /* */
7439 /* Generic iterator called from ipf_genericiter. Currently only used for */
7440 /* walking through list of fragments. */
7441 /* ------------------------------------------------------------------------ */
7442 int ipf_geniter(token, itp, ifs)
7443 ipftoken_t *token;
7444 ipfgeniter_t *itp;
7445 ipf_stack_t *ifs;
7446 {
7447 int error;
7448
7449 switch (itp->igi_type)
7450 {
7451 case IPFGENITER_FRAG :
7452 error = fr_nextfrag(token, itp, &ifs->ifs_ipfr_list,
7453 &ifs->ifs_ipfr_tail, &ifs->ifs_ipf_frag,
7454 ifs);
7455 break;
7456 default :
7457 error = EINVAL;
7458 break;
7459 }
7460
7461 return error;
7462 }
7463
7464
7465 /* ------------------------------------------------------------------------ */
7466 /* Function: ipf_genericiter */
7467 /* Returns: int - 0 = success, else error */
7468 /* Parameters: data(I) - the token type to match */
7469 /* uid(I) - uid owning the token */
7470 /* ptr(I) - context pointer for the token */
7471 /* ifs - ipf stack instance */
7472 /* */
7473 /* This function serves as a stepping stone between fr_ipf_ioctl and */
7474 /* ipf_geniter when handling SIOCGENITER. It's role is to find the right */
7475 /* token in the kernel for the process using the ioctl, and to use that */
7476 /* token when calling ipf_geniter. */
7477 /* ------------------------------------------------------------------------ */
7478 int ipf_genericiter(data, uid, ctx, ifs)
7479 void *data, *ctx;
7480 int uid;
7481 ipf_stack_t *ifs;
7482 {
7483 ipftoken_t *token;
7484 ipfgeniter_t iter;
7485 int error;
7486
7487 error = fr_inobj(data, &iter, IPFOBJ_GENITER);
7488 if (error != 0)
7489 return error;
7490
7491 token = ipf_findtoken(iter.igi_type, uid, ctx, ifs);
7492 if (token != NULL) {
7493 token->ipt_subtype = iter.igi_type;
7494 error = ipf_geniter(token, &iter, ifs);
7495 } else
7496 error = EFAULT;
7497 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
7498
7499 return error;
7500 }
7501
7502
7503 /* --------------------------------------------------------------------- */
7504 /* Function: ipf_earlydrop */
7505 /* Returns: number of dropped/removed entries from the queue */
7506 /* Parameters: flushtype - which table we're cleaning (NAT or State) */
7507 /* ifq - pointer to queue with entries to be deleted */
7508 /* idletime - entry must be idle this long to be deleted */
7509 /* ifs - ipf stack instance */
7510 /* */
7511 /* Function is invoked from state/NAT flush routines to remove entries */
7512 /* from specified timeout queue, based on how long they've sat idle, */
7513 /* without waiting for it to happen on its own. */
7514 /* --------------------------------------------------------------------- */
7515 int ipf_earlydrop(flushtype, ifq, idletime, ifs)
7516 int flushtype;
7517 ipftq_t *ifq;
7518 int idletime;
7519 ipf_stack_t *ifs;
7520 {
7521 ipftqent_t *tqe, *tqn;
7522 unsigned int dropped;
7523 int droptick;
7524 void *ent;
7525
7526 if (ifq == NULL)
7527 return (0);
7528
7529 dropped = 0;
7530
7531 /*
7532 * Determine the tick representing the idle time we're interested
7533 * in. If an entry exists in the queue, and it was touched before
7534 * that tick, then it's been idle longer than idletime, so it should
7535 * be deleted.
7536 */
7537 droptick = ifs->ifs_fr_ticks - idletime;
7538 tqn = ifq->ifq_head;
7539 while ((tqe = tqn) != NULL && tqe->tqe_touched < droptick) {
7540 tqn = tqe->tqe_next;
7541 ent = tqe->tqe_parent;
7542 switch (flushtype)
7543 {
7544 case NAT_FLUSH:
7545 if (nat_delete((nat_t *)ent, NL_FLUSH, ifs) == 0)
7546 dropped++;
7547 break;
7548 case STATE_FLUSH:
7549 if (fr_delstate((ipstate_t *)ent, ISL_FLUSH, ifs) == 0)
7550 dropped++;
7551 break;
7552 default:
7553 return (0);
7554 }
7555 }
7556 return (dropped);
7557 }
7558
7559
7560 /* --------------------------------------------------------------------- */
7561 /* Function: ipf_flushclosing */
7562 /* Returns: int - number of entries deleted */
7563 /* Parameters: flushtype - which table we're cleaning (NAT or State) */
7564 /* stateval - TCP state at which to start removing entries */
7565 /* ipfqs - pointer to timeout queues */
7566 /* userqs - pointer to user defined queues */
7567 /* ifs - ipf stack instance */
7568 /* */
7569 /* Remove state/NAT table entries for TCP connections which are in the */
7570 /* process of closing, and have at least reached the state specified by */
7571 /* the 'stateval' parameter. */
7572 /* --------------------------------------------------------------------- */
7573 int ipf_flushclosing(flushtype, stateval, ipfqs, userqs, ifs)
7574 int flushtype, stateval;
7575 ipftq_t *ipfqs, *userqs;
7576 ipf_stack_t *ifs;
7577 {
7578 ipftq_t *ifq, *ifqn;
7579 ipftqent_t *tqe, *tqn;
7580 int dropped;
7581 void *ent;
7582 nat_t *nat;
7583 ipstate_t *is;
7584
7585 dropped = 0;
7586
7587 /*
7588 * Start by deleting any entries in specific timeout queues.
7589 */
7590 ifqn = &ipfqs[stateval];
7591 while ((ifq = ifqn) != NULL) {
7592 ifqn = ifq->ifq_next;
7593 dropped += ipf_earlydrop(flushtype, ifq, (int)0, ifs);
7594 }
7595
7596 /*
7597 * Next, look through user defined queues for closing entries.
7598 */
7599 ifqn = userqs;
7600 while ((ifq = ifqn) != NULL) {
7601 ifqn = ifq->ifq_next;
7602 tqn = ifq->ifq_head;
7603 while ((tqe = tqn) != NULL) {
7604 tqn = tqe->tqe_next;
7605 ent = tqe->tqe_parent;
7606 switch (flushtype)
7607 {
7608 case NAT_FLUSH:
7609 nat = (nat_t *)ent;
7610 if ((nat->nat_p == IPPROTO_TCP) &&
7611 (nat->nat_tcpstate[0] >= stateval) &&
7612 (nat->nat_tcpstate[1] >= stateval) &&
7613 (nat_delete(nat, NL_EXPIRE, ifs) == 0))
7614 dropped++;
7615 break;
7616 case STATE_FLUSH:
7617 is = (ipstate_t *)ent;
7618 if ((is->is_p == IPPROTO_TCP) &&
7619 (is->is_state[0] >= stateval) &&
7620 (is->is_state[1] >= stateval) &&
7621 (fr_delstate(is, ISL_EXPIRE, ifs) == 0))
7622 dropped++;
7623 break;
7624 default:
7625 return (0);
7626 }
7627 }
7628 }
7629 return (dropped);
7630 }
7631
7632
7633 /* --------------------------------------------------------------------- */
7634 /* Function: ipf_extraflush */
7635 /* Returns: int - number of entries flushed (0 = none) */
7636 /* Parameters: flushtype - which table we're cleaning (NAT or State) */
7637 /* ipfqs - pointer to 'established' timeout queue */
7638 /* userqs - pointer to user defined queues */
7639 /* ifs - ipf stack instance */
7640 /* */
7641 /* This function gets called when either NAT or state tables fill up. */
7642 /* We need to try a bit harder to free up some space. The function will */
7643 /* flush entries for TCP connections which have been idle a long time. */
7644 /* */
7645 /* Currently, the idle time is checked using values from ideltime_tab[] */
7646 /* --------------------------------------------------------------------- */
7647 int ipf_extraflush(flushtype, ipfqs, userqs, ifs)
7648 int flushtype;
7649 ipftq_t *ipfqs, *userqs;
7650 ipf_stack_t *ifs;
7651 {
7652 ipftq_t *ifq, *ifqn;
7653 int idletime, removed, idle_idx;
7654
7655 removed = 0;
7656
7657 /*
7658 * Determine initial threshold for minimum idle time based on
7659 * how long ipfilter has been running. Ipfilter needs to have
7660 * been up as long as the smallest interval to continue on.
7661 *
7662 * Minimum idle times stored in idletime_tab and indexed by
7663 * idle_idx. Start at upper end of array and work backwards.
7664 *
7665 * Once the index is found, set the initial idle time to the
7666 * first interval before the current ipfilter run time.
7667 */
7668 if (ifs->ifs_fr_ticks < idletime_tab[0])
7669 return (0);
7670 idle_idx = (sizeof (idletime_tab) / sizeof (int)) - 1;
7671 if (ifs->ifs_fr_ticks > idletime_tab[idle_idx]) {
7672 idletime = idletime_tab[idle_idx];
7673 } else {
7674 while ((idle_idx > 0) &&
7675 (ifs->ifs_fr_ticks < idletime_tab[idle_idx]))
7676 idle_idx--;
7677
7678 idletime = (ifs->ifs_fr_ticks /
7679 idletime_tab[idle_idx]) *
7680 idletime_tab[idle_idx];
7681 }
7682
7683 while (idle_idx >= 0) {
7684 /*
7685 * Check to see if we need to delete more entries.
7686 * If we do, start with appropriate timeout queue.
7687 */
7688 if (flushtype == NAT_FLUSH) {
7689 if (NAT_TAB_WATER_LEVEL(ifs) <=
7690 ifs->ifs_nat_flush_level_lo)
7691 break;
7692 } else if (flushtype == STATE_FLUSH) {
7693 if (ST_TAB_WATER_LEVEL(ifs) <=
7694 ifs->ifs_state_flush_level_lo)
7695 break;
7696 } else {
7697 break;
7698 }
7699
7700 removed += ipf_earlydrop(flushtype, ipfqs, idletime, ifs);
7701
7702 /*
7703 * Next, check the user defined queues. But first, make
7704 * certain that timeout queue deletions didn't do enough.
7705 */
7706 if (flushtype == NAT_FLUSH) {
7707 if (NAT_TAB_WATER_LEVEL(ifs) <=
7708 ifs->ifs_nat_flush_level_lo)
7709 break;
7710 } else {
7711 if (ST_TAB_WATER_LEVEL(ifs) <=
7712 ifs->ifs_state_flush_level_lo)
7713 break;
7714 }
7715 ifqn = userqs;
7716 while ((ifq = ifqn) != NULL) {
7717 ifqn = ifq->ifq_next;
7718 removed += ipf_earlydrop(flushtype, ifq, idletime, ifs);
7719 }
7720
7721 /*
7722 * Adjust the granularity of idle time.
7723 *
7724 * If we reach an interval boundary, we need to
7725 * either adjust the idle time accordingly or exit
7726 * the loop altogether (if this is very last check).
7727 */
7728 idletime -= idletime_tab[idle_idx];
7729 if (idletime < idletime_tab[idle_idx]) {
7730 if (idle_idx != 0) {
7731 idletime = idletime_tab[idle_idx] -
7732 idletime_tab[idle_idx - 1];
7733 idle_idx--;
7734 } else {
7735 break;
7736 }
7737 }
7738 }
7739
7740 return (removed);
7741 }