Print this page
Only exploit ipf state keeping for CFW logging.
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/ipf/ip_state.c
+++ new/usr/src/uts/common/inet/ipf/ip_state.c
1 1 /*
2 2 * Copyright (C) 1995-2003 by Darren Reed.
3 3 *
4 4 * See the IPFILTER.LICENCE file for details on licencing.
5 5 *
6 6 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
7 7 *
8 8 * Copyright (c) 2014, Joyent, Inc. All rights reserved.
9 9 */
10 10
11 11 #if defined(KERNEL) || defined(_KERNEL)
12 12 # undef KERNEL
13 13 # undef _KERNEL
14 14 # define KERNEL 1
15 15 # define _KERNEL 1
16 16 #endif
17 17 #include <sys/errno.h>
18 18 #include <sys/types.h>
19 19 #include <sys/param.h>
20 20 #include <sys/file.h>
21 21 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
22 22 defined(_KERNEL)
23 23 # include "opt_ipfilter_log.h"
24 24 #endif
25 25 #if defined(_KERNEL) && defined(__FreeBSD_version) && \
26 26 (__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
27 27 #include "opt_inet6.h"
28 28 #endif
29 29 #if !defined(_KERNEL) && !defined(__KERNEL__)
30 30 # include <stdio.h>
31 31 # include <stdlib.h>
32 32 # include <string.h>
33 33 # define _KERNEL
34 34 # ifdef __OpenBSD__
35 35 struct file;
36 36 # endif
37 37 # include <sys/uio.h>
38 38 # undef _KERNEL
39 39 #endif
40 40 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
41 41 # include <sys/filio.h>
42 42 # include <sys/fcntl.h>
43 43 # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
44 44 # include "opt_ipfilter.h"
45 45 # endif
46 46 #else
47 47 # include <sys/ioctl.h>
48 48 #endif
49 49 #include <sys/time.h>
50 50 #if !defined(linux)
51 51 # include <sys/protosw.h>
52 52 #endif
53 53 #include <sys/socket.h>
54 54 #if defined(_KERNEL)
55 55 # include <sys/systm.h>
56 56 # if !defined(__SVR4) && !defined(__svr4__)
57 57 # include <sys/mbuf.h>
58 58 # endif
59 59 #endif
60 60 #if defined(__SVR4) || defined(__svr4__)
61 61 # include <sys/filio.h>
62 62 # include <sys/byteorder.h>
63 63 # ifdef _KERNEL
64 64 # include <sys/dditypes.h>
65 65 # endif
66 66 # include <sys/stream.h>
67 67 # include <sys/kmem.h>
68 68 #endif
69 69
70 70 #include <net/if.h>
71 71 #ifdef sun
72 72 # include <net/af.h>
73 73 #endif
74 74 #include <net/route.h>
75 75 #include <netinet/in.h>
76 76 #include <netinet/in_systm.h>
77 77 #include <netinet/ip.h>
78 78 #include <netinet/tcp.h>
79 79 #if !defined(linux)
80 80 # include <netinet/ip_var.h>
81 81 #endif
82 82 #if !defined(__hpux) && !defined(linux)
83 83 # include <netinet/tcp_fsm.h>
84 84 #endif
85 85 #include <netinet/udp.h>
86 86 #include <netinet/ip_icmp.h>
87 87 #include "netinet/ip_compat.h"
88 88 #include <netinet/tcpip.h>
89 89 #include "netinet/ip_fil.h"
90 90 #include "netinet/ip_nat.h"
91 91 #include "netinet/ip_frag.h"
92 92 #include "netinet/ip_state.h"
93 93 #include "netinet/ip_proxy.h"
94 94 #include "netinet/ipf_stack.h"
95 95 #ifdef IPFILTER_SYNC
96 96 #include "netinet/ip_sync.h"
97 97 #endif
98 98 #ifdef IPFILTER_SCAN
99 99 #include "netinet/ip_scan.h"
100 100 #endif
101 101 #ifdef USE_INET6
102 102 #include <netinet/icmp6.h>
103 103 #endif
104 104 #if (__FreeBSD_version >= 300000)
105 105 # include <sys/malloc.h>
106 106 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
107 107 # include <sys/libkern.h>
108 108 # include <sys/systm.h>
109 109 # endif
110 110 #endif
111 111 /* END OF INCLUDES */
112 112
113 113
114 114 #if !defined(lint)
115 115 static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
116 116 static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.36 2005/08/11 19:58:03 darrenr Exp $";
117 117 #endif
118 118
119 119 #ifdef USE_INET6
120 120 static ipstate_t *fr_checkicmp6matchingstate __P((fr_info_t *));
121 121 #endif
122 122 static ipstate_t *fr_matchsrcdst __P((fr_info_t *, ipstate_t *, i6addr_t *,
123 123 i6addr_t *, tcphdr_t *, u_32_t));
124 124 static ipstate_t *fr_checkicmpmatchingstate __P((fr_info_t *));
125 125 static int fr_state_flush __P((int, int, ipf_stack_t *));
126 126 static ips_stat_t *fr_statetstats __P((ipf_stack_t *));
127 127 static int fr_state_remove __P((caddr_t, ipf_stack_t *));
128 128 static void fr_ipsmove __P((ipstate_t *, u_int, ipf_stack_t *));
129 129 static int fr_tcpstate __P((fr_info_t *, tcphdr_t *, ipstate_t *));
130 130 static int fr_tcpoptions __P((fr_info_t *, tcphdr_t *, tcpdata_t *));
131 131 static ipstate_t *fr_stclone __P((fr_info_t *, tcphdr_t *, ipstate_t *));
132 132 static void fr_fixinisn __P((fr_info_t *, ipstate_t *));
133 133 static void fr_fixoutisn __P((fr_info_t *, ipstate_t *));
134 134 static void fr_checknewisn __P((fr_info_t *, ipstate_t *));
135 135 static int fr_stateiter __P((ipftoken_t *, ipfgeniter_t *, ipf_stack_t *));
136 136
137 137 int fr_stputent __P((caddr_t, ipf_stack_t *));
138 138 int fr_stgetent __P((caddr_t, ipf_stack_t *));
139 139
140 140 #define ONE_DAY IPF_TTLVAL(1 * 86400) /* 1 day */
141 141 #define FIVE_DAYS (5 * ONE_DAY)
142 142 #define DOUBLE_HASH(x, ifs) \
143 143 (((x) + ifs->ifs_ips_seed[(x) % ifs->ifs_fr_statesize]) % ifs->ifs_fr_statesize)
144 144
145 145
146 146 /* ------------------------------------------------------------------------ */
147 147 /* Function: fr_stateinit */
148 148 /* Returns: int - 0 == success, -1 == failure */
149 149 /* Parameters: ifs - ipf stack instance */
150 150 /* */
151 151 /* Initialise all the global variables used within the state code. */
152 152 /* This action also includes initiailising locks. */
153 153 /* ------------------------------------------------------------------------ */
154 154 int fr_stateinit(ifs)
155 155 ipf_stack_t *ifs;
156 156 {
157 157 #if defined(NEED_LOCAL_RAND) || !defined(_KERNEL)
158 158 struct timeval tv;
159 159 #endif
160 160 int i;
161 161
162 162 KMALLOCS(ifs->ifs_ips_table, ipstate_t **,
163 163 ifs->ifs_fr_statesize * sizeof(ipstate_t *));
164 164 if (ifs->ifs_ips_table == NULL)
165 165 return -1;
166 166 bzero((char *)ifs->ifs_ips_table,
167 167 ifs->ifs_fr_statesize * sizeof(ipstate_t *));
168 168
169 169 KMALLOCS(ifs->ifs_ips_seed, u_long *,
170 170 ifs->ifs_fr_statesize * sizeof(*ifs->ifs_ips_seed));
171 171 if (ifs->ifs_ips_seed == NULL)
172 172 return -2;
173 173 #if defined(NEED_LOCAL_RAND) || !defined(_KERNEL)
174 174 tv.tv_sec = 0;
175 175 GETKTIME(&tv);
176 176 #endif
177 177 for (i = 0; i < ifs->ifs_fr_statesize; i++) {
178 178 /*
179 179 * XXX - ips_seed[X] should be a random number of sorts.
180 180 */
181 181 #if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
182 182 ifs->ifs_ips_seed[i] = ipf_random();
183 183 #else
184 184 ifs->ifs_ips_seed[i] = ((u_long)ifs->ifs_ips_seed + i) *
185 185 ifs->ifs_fr_statesize;
186 186 ifs->ifs_ips_seed[i] += tv.tv_sec;
187 187 ifs->ifs_ips_seed[i] *= (u_long)ifs->ifs_ips_seed;
188 188 ifs->ifs_ips_seed[i] ^= 0x5a5aa5a5;
189 189 ifs->ifs_ips_seed[i] *= ifs->ifs_fr_statemax;
190 190 #endif
191 191 }
192 192
193 193 /* fill icmp reply type table */
194 194 for (i = 0; i <= ICMP_MAXTYPE; i++)
195 195 icmpreplytype4[i] = -1;
196 196 icmpreplytype4[ICMP_ECHO] = ICMP_ECHOREPLY;
197 197 icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY;
198 198 icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY;
199 199 icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY;
200 200 #ifdef USE_INET6
201 201 /* fill icmp reply type table */
202 202 for (i = 0; i <= ICMP6_MAXTYPE; i++)
203 203 icmpreplytype6[i] = -1;
204 204 icmpreplytype6[ICMP6_ECHO_REQUEST] = ICMP6_ECHO_REPLY;
205 205 icmpreplytype6[ICMP6_MEMBERSHIP_QUERY] = ICMP6_MEMBERSHIP_REPORT;
206 206 icmpreplytype6[ICMP6_NI_QUERY] = ICMP6_NI_REPLY;
207 207 icmpreplytype6[ND_ROUTER_SOLICIT] = ND_ROUTER_ADVERT;
208 208 icmpreplytype6[ND_NEIGHBOR_SOLICIT] = ND_NEIGHBOR_ADVERT;
209 209 #endif
210 210
211 211 KMALLOCS(ifs->ifs_ips_stats.iss_bucketlen, u_long *,
212 212 ifs->ifs_fr_statesize * sizeof(u_long));
213 213 if (ifs->ifs_ips_stats.iss_bucketlen == NULL)
214 214 return -1;
215 215 bzero((char *)ifs->ifs_ips_stats.iss_bucketlen,
216 216 ifs->ifs_fr_statesize * sizeof(u_long));
217 217
218 218 if (ifs->ifs_fr_state_maxbucket == 0) {
219 219 for (i = ifs->ifs_fr_statesize; i > 0; i >>= 1)
220 220 ifs->ifs_fr_state_maxbucket++;
221 221 ifs->ifs_fr_state_maxbucket *= 2;
222 222 }
223 223
224 224 fr_sttab_init(ifs->ifs_ips_tqtqb, ifs);
225 225 ifs->ifs_ips_tqtqb[IPF_TCP_NSTATES - 1].ifq_next = &ifs->ifs_ips_udptq;
226 226 ifs->ifs_ips_udptq.ifq_ttl = (u_long)ifs->ifs_fr_udptimeout;
227 227 ifs->ifs_ips_udptq.ifq_ref = 1;
228 228 ifs->ifs_ips_udptq.ifq_head = NULL;
229 229 ifs->ifs_ips_udptq.ifq_tail = &ifs->ifs_ips_udptq.ifq_head;
230 230 MUTEX_INIT(&ifs->ifs_ips_udptq.ifq_lock, "ipftq udp tab");
231 231 ifs->ifs_ips_udptq.ifq_next = &ifs->ifs_ips_udpacktq;
232 232 ifs->ifs_ips_udpacktq.ifq_ttl = (u_long)ifs->ifs_fr_udpacktimeout;
233 233 ifs->ifs_ips_udpacktq.ifq_ref = 1;
234 234 ifs->ifs_ips_udpacktq.ifq_head = NULL;
235 235 ifs->ifs_ips_udpacktq.ifq_tail = &ifs->ifs_ips_udpacktq.ifq_head;
236 236 MUTEX_INIT(&ifs->ifs_ips_udpacktq.ifq_lock, "ipftq udpack tab");
237 237 ifs->ifs_ips_udpacktq.ifq_next = &ifs->ifs_ips_icmptq;
238 238 ifs->ifs_ips_icmptq.ifq_ttl = (u_long)ifs->ifs_fr_icmptimeout;
239 239 ifs->ifs_ips_icmptq.ifq_ref = 1;
240 240 ifs->ifs_ips_icmptq.ifq_head = NULL;
241 241 ifs->ifs_ips_icmptq.ifq_tail = &ifs->ifs_ips_icmptq.ifq_head;
242 242 MUTEX_INIT(&ifs->ifs_ips_icmptq.ifq_lock, "ipftq icmp tab");
243 243 ifs->ifs_ips_icmptq.ifq_next = &ifs->ifs_ips_icmpacktq;
244 244 ifs->ifs_ips_icmpacktq.ifq_ttl = (u_long)ifs->ifs_fr_icmpacktimeout;
245 245 ifs->ifs_ips_icmpacktq.ifq_ref = 1;
246 246 ifs->ifs_ips_icmpacktq.ifq_head = NULL;
247 247 ifs->ifs_ips_icmpacktq.ifq_tail = &ifs->ifs_ips_icmpacktq.ifq_head;
248 248 MUTEX_INIT(&ifs->ifs_ips_icmpacktq.ifq_lock, "ipftq icmpack tab");
249 249 ifs->ifs_ips_icmpacktq.ifq_next = &ifs->ifs_ips_iptq;
250 250 ifs->ifs_ips_iptq.ifq_ttl = (u_long)ifs->ifs_fr_iptimeout;
251 251 ifs->ifs_ips_iptq.ifq_ref = 1;
252 252 ifs->ifs_ips_iptq.ifq_head = NULL;
253 253 ifs->ifs_ips_iptq.ifq_tail = &ifs->ifs_ips_iptq.ifq_head;
254 254 MUTEX_INIT(&ifs->ifs_ips_iptq.ifq_lock, "ipftq ip tab");
255 255 ifs->ifs_ips_iptq.ifq_next = &ifs->ifs_ips_deletetq;
256 256 /* entry's ttl in deletetq is just 1 tick */
257 257 ifs->ifs_ips_deletetq.ifq_ttl = (u_long) 1;
258 258 ifs->ifs_ips_deletetq.ifq_ref = 1;
259 259 ifs->ifs_ips_deletetq.ifq_head = NULL;
260 260 ifs->ifs_ips_deletetq.ifq_tail = &ifs->ifs_ips_deletetq.ifq_head;
261 261 MUTEX_INIT(&ifs->ifs_ips_deletetq.ifq_lock, "state delete queue");
262 262 ifs->ifs_ips_deletetq.ifq_next = NULL;
263 263
264 264 RWLOCK_INIT(&ifs->ifs_ipf_state, "ipf IP state rwlock");
265 265 MUTEX_INIT(&ifs->ifs_ipf_stinsert, "ipf state insert mutex");
266 266 ifs->ifs_fr_state_init = 1;
267 267
268 268 ifs->ifs_ips_last_force_flush = ifs->ifs_fr_ticks;
269 269 return 0;
270 270 }
271 271
272 272
273 273 /* ------------------------------------------------------------------------ */
274 274 /* Function: fr_stateunload */
275 275 /* Returns: Nil */
276 276 /* Parameters: ifs - ipf stack instance */
277 277 /* */
278 278 /* Release and destroy any resources acquired or initialised so that */
279 279 /* IPFilter can be unloaded or re-initialised. */
280 280 /* ------------------------------------------------------------------------ */
281 281 void fr_stateunload(ifs)
282 282 ipf_stack_t *ifs;
283 283 {
284 284 ipftq_t *ifq, *ifqnext;
285 285 ipstate_t *is;
286 286
287 287 while ((is = ifs->ifs_ips_list) != NULL)
288 288 (void) fr_delstate(is, 0, ifs);
289 289
290 290 /*
291 291 * Proxy timeout queues are not cleaned here because although they
292 292 * exist on the state list, appr_unload is called after fr_stateunload
293 293 * and the proxies actually are responsible for them being created.
294 294 * Should the proxy timeouts have their own list? There's no real
295 295 * justification as this is the only complicationA
296 296 */
297 297 for (ifq = ifs->ifs_ips_utqe; ifq != NULL; ifq = ifqnext) {
298 298 ifqnext = ifq->ifq_next;
299 299 if (((ifq->ifq_flags & IFQF_PROXY) == 0) &&
300 300 (fr_deletetimeoutqueue(ifq) == 0))
301 301 fr_freetimeoutqueue(ifq, ifs);
302 302 }
303 303
304 304 ifs->ifs_ips_stats.iss_inuse = 0;
305 305 ifs->ifs_ips_num = 0;
306 306
307 307 if (ifs->ifs_fr_state_init == 1) {
308 308 fr_sttab_destroy(ifs->ifs_ips_tqtqb);
309 309 MUTEX_DESTROY(&ifs->ifs_ips_udptq.ifq_lock);
310 310 MUTEX_DESTROY(&ifs->ifs_ips_icmptq.ifq_lock);
311 311 MUTEX_DESTROY(&ifs->ifs_ips_udpacktq.ifq_lock);
312 312 MUTEX_DESTROY(&ifs->ifs_ips_icmpacktq.ifq_lock);
313 313 MUTEX_DESTROY(&ifs->ifs_ips_iptq.ifq_lock);
314 314 MUTEX_DESTROY(&ifs->ifs_ips_deletetq.ifq_lock);
315 315 }
316 316
317 317 if (ifs->ifs_ips_table != NULL) {
318 318 KFREES(ifs->ifs_ips_table,
319 319 ifs->ifs_fr_statesize * sizeof(*ifs->ifs_ips_table));
320 320 ifs->ifs_ips_table = NULL;
321 321 }
322 322
323 323 if (ifs->ifs_ips_seed != NULL) {
324 324 KFREES(ifs->ifs_ips_seed,
325 325 ifs->ifs_fr_statesize * sizeof(*ifs->ifs_ips_seed));
326 326 ifs->ifs_ips_seed = NULL;
327 327 }
328 328
329 329 if (ifs->ifs_ips_stats.iss_bucketlen != NULL) {
330 330 KFREES(ifs->ifs_ips_stats.iss_bucketlen,
331 331 ifs->ifs_fr_statesize * sizeof(u_long));
332 332 ifs->ifs_ips_stats.iss_bucketlen = NULL;
333 333 }
334 334
335 335 if (ifs->ifs_fr_state_maxbucket_reset == 1)
336 336 ifs->ifs_fr_state_maxbucket = 0;
337 337
338 338 if (ifs->ifs_fr_state_init == 1) {
339 339 ifs->ifs_fr_state_init = 0;
340 340 RW_DESTROY(&ifs->ifs_ipf_state);
341 341 MUTEX_DESTROY(&ifs->ifs_ipf_stinsert);
342 342 }
343 343 }
344 344
345 345
346 346 /* ------------------------------------------------------------------------ */
347 347 /* Function: fr_statetstats */
348 348 /* Returns: ips_state_t* - pointer to state stats structure */
349 349 /* Parameters: Nil */
350 350 /* */
351 351 /* Put all the current numbers and pointers into a single struct and return */
352 352 /* a pointer to it. */
353 353 /* ------------------------------------------------------------------------ */
354 354 static ips_stat_t *fr_statetstats(ifs)
355 355 ipf_stack_t *ifs;
356 356 {
357 357 ifs->ifs_ips_stats.iss_active = ifs->ifs_ips_num;
358 358 ifs->ifs_ips_stats.iss_statesize = ifs->ifs_fr_statesize;
359 359 ifs->ifs_ips_stats.iss_statemax = ifs->ifs_fr_statemax;
360 360 ifs->ifs_ips_stats.iss_table = ifs->ifs_ips_table;
361 361 ifs->ifs_ips_stats.iss_list = ifs->ifs_ips_list;
362 362 ifs->ifs_ips_stats.iss_ticks = ifs->ifs_fr_ticks;
363 363 return &ifs->ifs_ips_stats;
364 364 }
365 365
366 366 /* ------------------------------------------------------------------------ */
367 367 /* Function: fr_state_remove */
368 368 /* Returns: int - 0 == success, != 0 == failure */
369 369 /* Parameters: data(I) - pointer to state structure to delete from table */
370 370 /* ifs - ipf stack instance */
371 371 /* */
372 372 /* Search for a state structure that matches the one passed, according to */
373 373 /* the IP addresses and other protocol specific information. */
374 374 /* ------------------------------------------------------------------------ */
375 375 static int fr_state_remove(data, ifs)
376 376 caddr_t data;
377 377 ipf_stack_t *ifs;
378 378 {
379 379 ipstate_t *sp, st;
380 380 int error;
381 381
382 382 sp = &st;
383 383 error = fr_inobj(data, &st, IPFOBJ_IPSTATE);
384 384 if (error)
385 385 return EFAULT;
386 386
387 387 WRITE_ENTER(&ifs->ifs_ipf_state);
388 388 for (sp = ifs->ifs_ips_list; sp; sp = sp->is_next)
389 389 if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
390 390 !bcmp((caddr_t)&sp->is_src, (caddr_t)&st.is_src,
391 391 sizeof(st.is_src)) &&
392 392 !bcmp((caddr_t)&sp->is_dst, (caddr_t)&st.is_dst,
393 393 sizeof(st.is_dst)) &&
394 394 !bcmp((caddr_t)&sp->is_ps, (caddr_t)&st.is_ps,
395 395 sizeof(st.is_ps))) {
396 396 (void) fr_delstate(sp, ISL_REMOVE, ifs);
397 397 RWLOCK_EXIT(&ifs->ifs_ipf_state);
398 398 return 0;
399 399 }
400 400 RWLOCK_EXIT(&ifs->ifs_ipf_state);
401 401 return ESRCH;
402 402 }
403 403
404 404
405 405 /* ------------------------------------------------------------------------ */
406 406 /* Function: fr_state_ioctl */
407 407 /* Returns: int - 0 == success, != 0 == failure */
408 408 /* Parameters: data(I) - pointer to ioctl data */
409 409 /* cmd(I) - ioctl command integer */
410 410 /* mode(I) - file mode bits used with open */
411 411 /* uid(I) - uid of caller */
412 412 /* ctx(I) - pointer to give the uid context */
413 413 /* ifs - ipf stack instance */
414 414 /* */
415 415 /* Processes an ioctl call made to operate on the IP Filter state device. */
416 416 /* ------------------------------------------------------------------------ */
417 417 int fr_state_ioctl(data, cmd, mode, uid, ctx, ifs)
418 418 caddr_t data;
419 419 ioctlcmd_t cmd;
420 420 int mode, uid;
421 421 void *ctx;
422 422 ipf_stack_t *ifs;
423 423 {
424 424 int arg, ret, error = 0;
425 425
426 426 switch (cmd)
427 427 {
428 428 /*
429 429 * Delete an entry from the state table.
430 430 */
431 431 case SIOCDELST :
432 432 error = fr_state_remove(data, ifs);
433 433 break;
434 434 /*
435 435 * Flush the state table
436 436 */
437 437 case SIOCIPFFL :
438 438 error = BCOPYIN(data, (char *)&arg, sizeof(arg));
439 439 if (error != 0) {
440 440 error = EFAULT;
441 441 } else {
442 442 if (VALID_TABLE_FLUSH_OPT(arg)) {
443 443 WRITE_ENTER(&ifs->ifs_ipf_state);
444 444 ret = fr_state_flush(arg, 4, ifs);
445 445 RWLOCK_EXIT(&ifs->ifs_ipf_state);
446 446 error = BCOPYOUT((char *)&ret, data,
447 447 sizeof(ret));
448 448 if (error != 0)
449 449 return EFAULT;
450 450 } else {
451 451 error = EINVAL;
452 452 }
453 453 }
454 454 break;
455 455
456 456 #ifdef USE_INET6
457 457 case SIOCIPFL6 :
458 458 error = BCOPYIN(data, (char *)&arg, sizeof(arg));
459 459 if (error != 0) {
460 460 error = EFAULT;
461 461 } else {
462 462 if (VALID_TABLE_FLUSH_OPT(arg)) {
463 463 WRITE_ENTER(&ifs->ifs_ipf_state);
464 464 ret = fr_state_flush(arg, 6, ifs);
465 465 RWLOCK_EXIT(&ifs->ifs_ipf_state);
466 466 error = BCOPYOUT((char *)&ret, data,
467 467 sizeof(ret));
468 468 if (error != 0)
469 469 return EFAULT;
470 470 } else {
471 471 error = EINVAL;
472 472 }
473 473 }
474 474 break;
475 475 #endif
476 476 #ifdef IPFILTER_LOG
477 477 /*
478 478 * Flush the state log.
479 479 */
480 480 case SIOCIPFFB :
481 481 if (!(mode & FWRITE))
482 482 error = EPERM;
483 483 else {
484 484 int tmp;
485 485
486 486 tmp = ipflog_clear(IPL_LOGSTATE, ifs);
487 487 error = BCOPYOUT((char *)&tmp, data, sizeof(tmp));
488 488 if (error != 0)
489 489 error = EFAULT;
490 490 }
491 491 break;
492 492 /*
493 493 * Turn logging of state information on/off.
494 494 */
495 495 case SIOCSETLG :
496 496 if (!(mode & FWRITE)) {
497 497 error = EPERM;
498 498 } else {
499 499 error = BCOPYIN((char *)data,
500 500 (char *)&ifs->ifs_ipstate_logging,
501 501 sizeof(ifs->ifs_ipstate_logging));
502 502 if (error != 0)
503 503 error = EFAULT;
504 504 }
505 505 break;
506 506 /*
507 507 * Return the current state of logging.
508 508 */
509 509 case SIOCGETLG :
510 510 error = BCOPYOUT((char *)&ifs->ifs_ipstate_logging,
511 511 (char *)data,
512 512 sizeof(ifs->ifs_ipstate_logging));
513 513 if (error != 0)
514 514 error = EFAULT;
515 515 break;
516 516 /*
517 517 * Return the number of bytes currently waiting to be read.
518 518 */
519 519 case FIONREAD :
520 520 arg = ifs->ifs_iplused[IPL_LOGSTATE]; /* returned in an int */
521 521 error = BCOPYOUT((char *)&arg, data, sizeof(arg));
522 522 if (error != 0)
523 523 error = EFAULT;
524 524 break;
525 525 #endif
526 526 /*
527 527 * Get the current state statistics.
528 528 */
529 529 case SIOCGETFS :
530 530 error = fr_outobj(data, fr_statetstats(ifs), IPFOBJ_STATESTAT);
531 531 break;
532 532 /*
533 533 * Lock/Unlock the state table. (Locking prevents any changes, which
534 534 * means no packets match).
535 535 */
536 536 case SIOCSTLCK :
537 537 if (!(mode & FWRITE)) {
538 538 error = EPERM;
539 539 } else {
540 540 error = fr_lock(data, &ifs->ifs_fr_state_lock);
541 541 }
542 542 break;
543 543 /*
544 544 * Add an entry to the current state table.
545 545 */
546 546 case SIOCSTPUT :
547 547 if (!ifs->ifs_fr_state_lock || !(mode & FWRITE)) {
548 548 error = EACCES;
549 549 break;
550 550 }
551 551 error = fr_stputent(data, ifs);
552 552 break;
553 553 /*
554 554 * Get a state table entry.
555 555 */
556 556 case SIOCSTGET :
557 557 if (!ifs->ifs_fr_state_lock) {
558 558 error = EACCES;
559 559 break;
560 560 }
561 561 error = fr_stgetent(data, ifs);
562 562 break;
563 563
564 564 case SIOCGENITER :
565 565 {
566 566 ipftoken_t *token;
567 567 ipfgeniter_t iter;
568 568
569 569 error = fr_inobj(data, &iter, IPFOBJ_GENITER);
570 570 if (error != 0)
571 571 break;
572 572
573 573 token = ipf_findtoken(IPFGENITER_STATE, uid, ctx, ifs);
574 574 if (token != NULL)
575 575 error = fr_stateiter(token, &iter, ifs);
576 576 else
577 577 error = ESRCH;
578 578 RWLOCK_EXIT(&ifs->ifs_ipf_tokens);
579 579 break;
580 580 }
581 581
582 582 case SIOCIPFDELTOK :
583 583 error = BCOPYIN(data, (char *)&arg, sizeof(arg));
584 584 if (error != 0) {
585 585 error = EFAULT;
586 586 } else {
587 587 error = ipf_deltoken(arg, uid, ctx, ifs);
588 588 }
589 589 break;
590 590
591 591 default :
592 592 error = EINVAL;
593 593 break;
594 594 }
595 595 return error;
596 596 }
597 597
598 598
599 599 /* ------------------------------------------------------------------------ */
600 600 /* Function: fr_stgetent */
601 601 /* Returns: int - 0 == success, != 0 == failure */
602 602 /* Parameters: data(I) - pointer to state structure to retrieve from table */
603 603 /* */
604 604 /* Copy out state information from the kernel to a user space process. If */
605 605 /* there is a filter rule associated with the state entry, copy that out */
606 606 /* as well. The entry to copy out is taken from the value of "ips_next" in */
607 607 /* the struct passed in and if not null and not found in the list of current*/
608 608 /* state entries, the retrieval fails. */
609 609 /* ------------------------------------------------------------------------ */
610 610 int fr_stgetent(data, ifs)
611 611 caddr_t data;
612 612 ipf_stack_t *ifs;
613 613 {
614 614 ipstate_t *is, *isn;
615 615 ipstate_save_t ips;
616 616 int error;
617 617
618 618 error = fr_inobj(data, &ips, IPFOBJ_STATESAVE);
619 619 if (error)
620 620 return EFAULT;
621 621
622 622 isn = ips.ips_next;
623 623 if (isn == NULL) {
624 624 isn = ifs->ifs_ips_list;
625 625 if (isn == NULL) {
626 626 if (ips.ips_next == NULL)
627 627 return ENOENT;
628 628 return 0;
629 629 }
630 630 } else {
631 631 /*
632 632 * Make sure the pointer we're copying from exists in the
633 633 * current list of entries. Security precaution to prevent
634 634 * copying of random kernel data.
635 635 */
636 636 for (is = ifs->ifs_ips_list; is; is = is->is_next)
637 637 if (is == isn)
638 638 break;
639 639 if (!is)
640 640 return ESRCH;
641 641 }
642 642 ips.ips_next = isn->is_next;
643 643 bcopy((char *)isn, (char *)&ips.ips_is, sizeof(ips.ips_is));
644 644 ips.ips_rule = isn->is_rule;
645 645 if (isn->is_rule != NULL)
646 646 bcopy((char *)isn->is_rule, (char *)&ips.ips_fr,
647 647 sizeof(ips.ips_fr));
648 648 error = fr_outobj(data, &ips, IPFOBJ_STATESAVE);
649 649 if (error)
650 650 return EFAULT;
651 651 return 0;
652 652 }
653 653
654 654
655 655 /* ------------------------------------------------------------------------ */
656 656 /* Function: fr_stputent */
657 657 /* Returns: int - 0 == success, != 0 == failure */
658 658 /* Parameters: data(I) - pointer to state information struct */
659 659 /* ifs - ipf stack instance */
660 660 /* */
661 661 /* This function implements the SIOCSTPUT ioctl: insert a state entry into */
662 662 /* the state table. If the state info. includes a pointer to a filter rule */
663 663 /* then also add in an orphaned rule (will not show up in any "ipfstat -io" */
664 664 /* output. */
665 665 /* ------------------------------------------------------------------------ */
666 666 int fr_stputent(data, ifs)
667 667 caddr_t data;
668 668 ipf_stack_t *ifs;
669 669 {
670 670 ipstate_t *is, *isn;
671 671 ipstate_save_t ips;
672 672 int error, i;
673 673 frentry_t *fr;
674 674 char *name;
675 675
676 676 error = fr_inobj(data, &ips, IPFOBJ_STATESAVE);
677 677 if (error)
678 678 return EFAULT;
679 679
680 680 /*
681 681 * Trigger automatic call to fr_state_flush() if the
682 682 * table has reached capacity specified by hi watermark.
683 683 */
684 684 if (ST_TAB_WATER_LEVEL(ifs) > ifs->ifs_state_flush_level_hi)
685 685 ifs->ifs_fr_state_doflush = 1;
686 686
687 687 /*
688 688 * If automatic flushing did not do its job, and the table
689 689 * has filled up, don't try to create a new entry.
690 690 */
691 691 if (ifs->ifs_ips_num >= ifs->ifs_fr_statemax) {
692 692 ATOMIC_INCL(ifs->ifs_ips_stats.iss_max);
693 693 return ENOMEM;
694 694 }
695 695
696 696 KMALLOC(isn, ipstate_t *);
697 697 if (isn == NULL)
698 698 return ENOMEM;
699 699
700 700 bcopy((char *)&ips.ips_is, (char *)isn, sizeof(*isn));
701 701 bzero((char *)isn, offsetof(struct ipstate, is_pkts));
702 702 isn->is_sti.tqe_pnext = NULL;
703 703 isn->is_sti.tqe_next = NULL;
704 704 isn->is_sti.tqe_ifq = NULL;
705 705 isn->is_sti.tqe_parent = isn;
706 706 isn->is_ifp[0] = NULL;
707 707 isn->is_ifp[1] = NULL;
708 708 isn->is_ifp[2] = NULL;
709 709 isn->is_ifp[3] = NULL;
710 710 isn->is_sync = NULL;
711 711 fr = ips.ips_rule;
712 712
713 713 if (fr == NULL) {
714 714 READ_ENTER(&ifs->ifs_ipf_state);
715 715 fr_stinsert(isn, 0, ifs);
716 716 MUTEX_EXIT(&isn->is_lock);
717 717 RWLOCK_EXIT(&ifs->ifs_ipf_state);
718 718 return 0;
719 719 }
720 720
721 721 if (isn->is_flags & SI_NEWFR) {
722 722 KMALLOC(fr, frentry_t *);
723 723 if (fr == NULL) {
724 724 KFREE(isn);
725 725 return ENOMEM;
726 726 }
727 727 bcopy((char *)&ips.ips_fr, (char *)fr, sizeof(*fr));
728 728 isn->is_rule = fr;
729 729 ips.ips_is.is_rule = fr;
730 730 MUTEX_NUKE(&fr->fr_lock);
731 731 MUTEX_INIT(&fr->fr_lock, "state filter rule lock");
732 732
733 733 /*
734 734 * Look up all the interface names in the rule.
735 735 */
736 736 for (i = 0; i < 4; i++) {
737 737 name = fr->fr_ifnames[i];
738 738 fr->fr_ifas[i] = fr_resolvenic(name, fr->fr_v, ifs);
739 739 name = isn->is_ifname[i];
740 740 isn->is_ifp[i] = fr_resolvenic(name, isn->is_v, ifs);
741 741 }
742 742
743 743 fr->fr_ref = 0;
744 744 fr->fr_dsize = 0;
745 745 fr->fr_data = NULL;
746 746 fr->fr_type = FR_T_NONE;
747 747
748 748 fr_resolvedest(&fr->fr_tif, fr->fr_v, ifs);
749 749 fr_resolvedest(&fr->fr_dif, fr->fr_v, ifs);
750 750 fr_resolvedest(&fr->fr_rif, fr->fr_v, ifs);
751 751
752 752 /*
753 753 * send a copy back to userland of what we ended up
754 754 * to allow for verification.
755 755 */
756 756 error = fr_outobj(data, &ips, IPFOBJ_STATESAVE);
757 757 if (error) {
758 758 KFREE(isn);
759 759 MUTEX_DESTROY(&fr->fr_lock);
760 760 KFREE(fr);
761 761 return EFAULT;
762 762 }
763 763 READ_ENTER(&ifs->ifs_ipf_state);
764 764 fr_stinsert(isn, 0, ifs);
765 765 MUTEX_EXIT(&isn->is_lock);
766 766 RWLOCK_EXIT(&ifs->ifs_ipf_state);
767 767
768 768 } else {
769 769 READ_ENTER(&ifs->ifs_ipf_state);
770 770 for (is = ifs->ifs_ips_list; is; is = is->is_next)
771 771 if (is->is_rule == fr) {
772 772 fr_stinsert(isn, 0, ifs);
773 773 MUTEX_EXIT(&isn->is_lock);
774 774 break;
775 775 }
776 776
777 777 if (is == NULL) {
778 778 KFREE(isn);
779 779 isn = NULL;
780 780 }
781 781 RWLOCK_EXIT(&ifs->ifs_ipf_state);
782 782
783 783 return (isn == NULL) ? ESRCH : 0;
784 784 }
785 785
786 786 return 0;
787 787 }
788 788
789 789
790 790 /* ------------------------------------------------------------------------ */
791 791 /* Function: fr_stinsert */
792 792 /* Returns: Nil */
793 793 /* Parameters: is(I) - pointer to state structure */
794 794 /* rev(I) - flag indicating forward/reverse direction of packet */
795 795 /* */
796 796 /* Inserts a state structure into the hash table (for lookups) and the list */
797 797 /* of state entries (for enumeration). Resolves all of the interface names */
798 798 /* to pointers and adjusts running stats for the hash table as appropriate. */
799 799 /* */
800 800 /* Locking: it is assumed that some kind of lock on ipf_state is held. */
801 801 /* Exits with is_lock initialised and held. */
802 802 /* ------------------------------------------------------------------------ */
803 803 void fr_stinsert(is, rev, ifs)
804 804 ipstate_t *is;
805 805 int rev;
806 806 ipf_stack_t *ifs;
807 807 {
808 808 frentry_t *fr;
809 809 u_int hv;
810 810 int i;
811 811
812 812 MUTEX_INIT(&is->is_lock, "ipf state entry");
813 813
814 814 fr = is->is_rule;
815 815 if (fr != NULL) {
816 816 MUTEX_ENTER(&fr->fr_lock);
817 817 fr->fr_ref++;
818 818 fr->fr_statecnt++;
819 819 MUTEX_EXIT(&fr->fr_lock);
820 820 }
821 821
822 822 /*
823 823 * Look up all the interface names in the state entry.
824 824 */
825 825 for (i = 0; i < 4; i++) {
826 826 if (is->is_ifp[i] != NULL)
827 827 continue;
828 828 is->is_ifp[i] = fr_resolvenic(is->is_ifname[i], is->is_v, ifs);
829 829 }
830 830
831 831 /*
832 832 * If we could trust is_hv, then the modulous would not be needed, but
833 833 * when running with IPFILTER_SYNC, this stops bad values.
834 834 */
835 835 hv = is->is_hv % ifs->ifs_fr_statesize;
836 836 is->is_hv = hv;
837 837
838 838 /*
839 839 * We need to get both of these locks...the first because it is
840 840 * possible that once the insert is complete another packet might
841 841 * come along, match the entry and want to update it.
842 842 */
843 843 MUTEX_ENTER(&is->is_lock);
844 844 MUTEX_ENTER(&ifs->ifs_ipf_stinsert);
845 845
846 846 /*
847 847 * add into list table.
848 848 */
849 849 if (ifs->ifs_ips_list != NULL)
850 850 ifs->ifs_ips_list->is_pnext = &is->is_next;
851 851 is->is_pnext = &ifs->ifs_ips_list;
852 852 is->is_next = ifs->ifs_ips_list;
853 853 ifs->ifs_ips_list = is;
854 854
855 855 if (ifs->ifs_ips_table[hv] != NULL)
856 856 ifs->ifs_ips_table[hv]->is_phnext = &is->is_hnext;
857 857 else
858 858 ifs->ifs_ips_stats.iss_inuse++;
859 859 is->is_phnext = ifs->ifs_ips_table + hv;
860 860 is->is_hnext = ifs->ifs_ips_table[hv];
861 861 ifs->ifs_ips_table[hv] = is;
862 862 ifs->ifs_ips_stats.iss_bucketlen[hv]++;
863 863 ifs->ifs_ips_num++;
864 864 MUTEX_EXIT(&ifs->ifs_ipf_stinsert);
865 865
866 866 fr_setstatequeue(is, rev, ifs);
867 867 }
868 868
869 869 /* ------------------------------------------------------------------------ */
870 870 /* Function: fr_match_ipv4addrs */
871 871 /* Returns: int - 2 strong match (same addresses, same direction) */
872 872 /* 1 weak match (same address, opposite direction) */
873 873 /* 0 no match */
874 874 /* */
875 875 /* Function matches IPv4 addresses. */
876 876 /* ------------------------------------------------------------------------ */
877 877 static int fr_match_ipv4addrs(is1, is2)
878 878 ipstate_t *is1;
879 879 ipstate_t *is2;
880 880 {
881 881 int rv;
882 882
883 883 if (is1->is_saddr == is2->is_saddr && is1->is_daddr == is2->is_daddr)
884 884 rv = 2;
885 885 else if (is1->is_saddr == is2->is_daddr &&
886 886 is1->is_daddr == is2->is_saddr)
887 887 rv = 1;
888 888 else
889 889 rv = 0;
890 890
891 891 return (rv);
892 892 }
893 893
894 894 /* ------------------------------------------------------------------------ */
895 895 /* Function: fr_match_ipv6addrs */
896 896 /* Returns: int - 2 strong match (same addresses, same direction) */
897 897 /* 1 weak match (same addresses, opposite direction) */
898 898 /* 0 no match */
899 899 /* */
900 900 /* Function matches IPv6 addresses. */
901 901 /* ------------------------------------------------------------------------ */
902 902 static int fr_match_ipv6addrs(is1, is2)
903 903 ipstate_t *is1;
904 904 ipstate_t *is2;
905 905 {
906 906 int rv;
907 907
908 908 if (IP6_EQ(&is1->is_src, &is2->is_src) &&
909 909 IP6_EQ(&is1->is_dst, &is2->is_dst))
910 910 rv = 2;
911 911 else if (IP6_EQ(&is1->is_src, &is2->is_dst) &&
912 912 IP6_EQ(&is1->is_dst, &is2->is_src)) {
913 913 rv = 1;
914 914 }
915 915 else
916 916 rv = 0;
917 917
918 918 return (rv);
919 919 }
920 920 /* ------------------------------------------------------------------------ */
921 921 /* Function: fr_match_addresses */
922 922 /* Returns: int - 2 strong match (same addresses, same direction) */
923 923 /* 1 weak match (same address, opposite directions) */
924 924 /* 0 no match */
925 925 /* Parameters: is1, is2 pointers to states we are checking */
926 926 /* */
927 927 /* Matches addresses, function uses fr_match_ipvXaddrs() to deal with IPv4 */
928 928 /* and IPv6 address format. */
929 929 /* ------------------------------------------------------------------------ */
930 930 static int fr_match_addresses(is1, is2)
931 931 ipstate_t *is1;
932 932 ipstate_t *is2;
933 933 {
934 934 int rv;
935 935
936 936 if (is1->is_v == 4) {
937 937 rv = fr_match_ipv4addrs(is1, is2);
938 938 } else {
939 939 rv = fr_match_ipv6addrs(is1, is2);
940 940 }
941 941
942 942 return (rv);
943 943 }
944 944
945 945 /* ------------------------------------------------------------------------ */
946 946 /* Function: fr_match_ppairs */
947 947 /* Returns: int - 2 strong match (same ports, same direction) */
948 948 /* 1 weak match (same ports, different direction) */
949 949 /* 0 no match */
950 950 /* Parameters ppairs1, ppairs - src, dst ports we want to match. */
951 951 /* */
952 952 /* Matches two port_pair_t types (port pairs). Each port pair contains */
953 953 /* src, dst port, which belong to session (state entry). */
954 954 /* ------------------------------------------------------------------------ */
955 955 static int fr_match_ppairs(ppairs1, ppairs2)
956 956 port_pair_t *ppairs1;
957 957 port_pair_t *ppairs2;
958 958 {
959 959 int rv;
960 960
961 961 if (ppairs1->pp_sport == ppairs2->pp_sport &&
962 962 ppairs1->pp_dport == ppairs2->pp_dport)
963 963 rv = 2;
964 964 else if (ppairs1->pp_sport == ppairs2->pp_dport &&
965 965 ppairs1->pp_dport == ppairs2->pp_sport)
966 966 rv = 1;
967 967 else
968 968 rv = 0;
969 969
970 970 return (rv);
971 971 }
972 972
973 973 /* ------------------------------------------------------------------------ */
974 974 /* Function: fr_match_l4_hdr */
975 975 /* Returns: int - 0 no match, */
976 976 /* 1 weak match (same ports, different directions) */
977 977 /* 2 strong match (same ports, same direction) */
978 978 /* Parameters is1, is2 - states we want to match */
979 979 /* */
980 980 /* Function matches L4 header data (source ports for TCP, UDP, CallIds for */
981 981 /* GRE protocol). */
982 982 /* ------------------------------------------------------------------------ */
983 983 static int fr_match_l4_hdr(is1, is2)
984 984 ipstate_t *is1;
985 985 ipstate_t *is2;
986 986 {
987 987 int rv = 0;
988 988 port_pair_t pp1;
989 989 port_pair_t pp2;
990 990
991 991 if (is1->is_p != is2->is_p)
992 992 return (0);
993 993
994 994 switch (is1->is_p) {
995 995 case IPPROTO_TCP:
996 996 pp1.pp_sport = is1->is_ps.is_ts.ts_sport;
997 997 pp1.pp_dport = is1->is_ps.is_ts.ts_dport;
998 998 pp2.pp_sport = is2->is_ps.is_ts.ts_sport;
999 999 pp2.pp_dport = is2->is_ps.is_ts.ts_dport;
1000 1000 rv = fr_match_ppairs(&pp1, &pp2);
1001 1001 break;
1002 1002 case IPPROTO_UDP:
1003 1003 pp1.pp_sport = is1->is_ps.is_us.us_sport;
1004 1004 pp1.pp_dport = is1->is_ps.is_us.us_dport;
1005 1005 pp2.pp_sport = is2->is_ps.is_us.us_sport;
1006 1006 pp2.pp_dport = is2->is_ps.is_us.us_dport;
1007 1007 rv = fr_match_ppairs(&pp1, &pp2);
1008 1008 break;
1009 1009 case IPPROTO_GRE:
1010 1010 /* greinfo_t can be also interprted as port pair */
1011 1011 pp1.pp_sport = is1->is_ps.is_ug.gs_call[0];
1012 1012 pp1.pp_dport = is1->is_ps.is_ug.gs_call[1];
1013 1013 pp2.pp_sport = is2->is_ps.is_ug.gs_call[0];
1014 1014 pp2.pp_dport = is2->is_ps.is_ug.gs_call[1];
1015 1015 rv = fr_match_ppairs(&pp1, &pp2);
1016 1016 break;
1017 1017 case IPPROTO_ICMP:
1018 1018 case IPPROTO_ICMPV6:
1019 1019 if (bcmp(&is1->is_ps, &is2->is_ps, sizeof (icmpinfo_t)))
1020 1020 rv = 1;
1021 1021 else
1022 1022 rv = 0;
1023 1023 break;
1024 1024 default:
1025 1025 rv = 0;
1026 1026 }
1027 1027
1028 1028 return (rv);
1029 1029 }
1030 1030
1031 1031 /* ------------------------------------------------------------------------ */
1032 1032 /* Function: fr_matchstates */
1033 1033 /* Returns: int - nonzero match, zero no match */
1034 1034 /* Parameters is1, is2 - states we want to match */
1035 1035 /* */
1036 1036 /* The state entries are equal (identical match) if they belong to the same */
1037 1037 /* session. Any time new state entry is being added the fr_addstate() */
1038 1038 /* function creates temporal state entry from the data it gets from IP and */
1039 1039 /* L4 header. The fr_matchstats() must be also aware of packet direction, */
1040 1040 /* which is also stored within the state entry. We should keep in mind the */
1041 1041 /* information about packet direction is spread accross L3 (addresses) and */
1042 1042 /* L4 (ports). There are three possible relationships betwee is1, is2: */
1043 1043 /* - no match (match(is1, is2) == 0)) */
1044 1044 /* - weak match same addresses (ports), but different */
1045 1045 /* directions (1) (fr_match_xxxx(is1, is2) == 1) */
1046 1046 /* - strong match same addresses (ports) and same directions */
1047 1047 /* (2) (fr_match_xxxx(is1, is2) == 2) */
1048 1048 /* */
1049 1049 /* There are functions, which match match addresses (L3 header) in is1, is2 */
1050 1050 /* and functions, which are used to compare ports (L4 header) data. We say */
1051 1051 /* the is1 and is2 are same (identical) if there is a match */
1052 1052 /* (fr_match_l4_hdr(is1, is2) != 0) and matchlevels are same for entries */
1053 1053 /* (fr_match_l3_hdr(is1, is2) == fr_match_l4_hdr(is1, is2)) for is1, is2. */
1054 1054 /* Such requirement deals with case as follows: */
1055 1055 /* suppose there are two connections between hosts A, B. Connection 1: */
1056 1056 /* a.a.a.a:12345 <=> b.b.b.b:54321 */
1057 1057 /* Connection 2: */
1058 1058 /* a.a.a.a:54321 <=> b.b.b.b:12345 */
1059 1059 /* since we've introduced match levels into our fr_matchstates(), we are */
1060 1060 /* able to identify, which packets belong to connection A and which belong */
1061 1061 /* to connection B. Assume there are two entries is1, is2. is1 has been */
1062 1062 /* from con. 1 packet, which travelled from A to B: */
1063 1063 /* a.a.a.a:12345 -> b.b.b.b:54321 */
1064 1064 /* while s2, has been created from packet which belongs to con. 2 and is */
1065 1065 /* also coming from A to B: */
1066 1066 /* a.a.a.a:54321 -> b.b.b.b:12345 */
1067 1067 /* fr_match_l3_hdr(is1, is2) == 2 -> strong match, while */
1068 1068 /* fr_match_l4_hdr(is1, is2) == 1 -> weak match. Since match levels are */
1069 1069 /* different the state entries are not identical -> no match as a final */
1070 1070 /* result. */
1071 1071 /* ------------------------------------------------------------------------ */
1072 1072 static int fr_matchstates(is1, is2)
1073 1073 ipstate_t *is1;
1074 1074 ipstate_t *is2;
1075 1075 {
1076 1076 int rv;
1077 1077 int amatch;
1078 1078 int pmatch;
1079 1079
1080 1080 if (bcmp(&is1->is_pass, &is2->is_pass,
1081 1081 offsetof(struct ipstate, is_ps) -
1082 1082 offsetof(struct ipstate, is_pass)) == 0) {
1083 1083
1084 1084 pmatch = fr_match_l4_hdr(is1, is2);
1085 1085 amatch = fr_match_addresses(is1, is2);
1086 1086 /*
1087 1087 * If addresses match (amatch != 0), then 'match levels'
1088 1088 * must be same for matching entries. If amatch and pmatch
1089 1089 * have different values (different match levels), then
1090 1090 * is1 and is2 belong to different sessions.
1091 1091 */
1092 1092 rv = (amatch != 0) && (amatch == pmatch);
1093 1093 }
1094 1094 else
1095 1095 rv = 0;
1096 1096
1097 1097 return (rv);
1098 1098 }
1099 1099
1100 1100 /* ------------------------------------------------------------------------ */
1101 1101 /* Function: fr_addstate */
1102 1102 /* Returns: ipstate_t* - NULL == failure, else pointer to new state */
1103 1103 /* Parameters: fin(I) - pointer to packet information */
1104 1104 /* stsave(O) - pointer to place to save pointer to created */
1105 1105 /* state structure. */
1106 1106 /* flags(I) - flags to use when creating the structure */
1107 1107 /* */
1108 1108 /* Creates a new IP state structure from the packet information collected. */
1109 1109 /* Inserts it into the state table and appends to the bottom of the active */
1110 1110 /* list. If the capacity of the table has reached the maximum allowed then */
1111 1111 /* the call will fail and a flush is scheduled for the next timeout call. */
1112 1112 /* ------------------------------------------------------------------------ */
1113 1113 ipstate_t *fr_addstate(fin, stsave, flags)
1114 1114 fr_info_t *fin;
1115 1115 ipstate_t **stsave;
1116 1116 u_int flags;
1117 1117 {
1118 1118 ipstate_t *is, ips;
1119 1119 struct icmp *ic;
1120 1120 u_int pass, hv;
1121 1121 frentry_t *fr;
1122 1122 tcphdr_t *tcp;
1123 1123 grehdr_t *gre;
1124 1124 void *ifp;
1125 1125 int out;
1126 1126 ipf_stack_t *ifs = fin->fin_ifs;
1127 1127
1128 1128 if (ifs->ifs_fr_state_lock ||
1129 1129 (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD)))
1130 1130 return NULL;
1131 1131
1132 1132 if ((fin->fin_flx & FI_OOW) && !(fin->fin_tcpf & TH_SYN))
1133 1133 return NULL;
1134 1134
1135 1135 /*
1136 1136 * Trigger automatic call to fr_state_flush() if the
1137 1137 * table has reached capacity specified by hi watermark.
1138 1138 */
1139 1139 if (ST_TAB_WATER_LEVEL(ifs) > ifs->ifs_state_flush_level_hi)
1140 1140 ifs->ifs_fr_state_doflush = 1;
1141 1141
1142 1142 /*
1143 1143 * If the max number of state entries has been reached, and there is no
1144 1144 * limit on the state count for the rule, then do not continue. In the
1145 1145 * case where a limit exists, it's ok allow the entries to be created as
1146 1146 * long as specified limit itself has not been reached.
1147 1147 *
1148 1148 * Note that because the lock isn't held on fr, it is possible to exceed
1149 1149 * the specified size of the table. However, the cost of this is being
1150 1150 * ignored here; as the number by which it can go over is a product of
1151 1151 * the number of simultaneous threads that could be executing in here.
1152 1152 * So, a limit of 100 won't result in 200, but could result in 101 or 102.
1153 1153 *
1154 1154 * Also note that, since the automatic flush should have been triggered
1155 1155 * well before we reach the maximum number of state table entries, the
1156 1156 * likelihood of reaching the max (and thus exceedng it) is minimal.
1157 1157 */
1158 1158 fr = fin->fin_fr;
1159 1159 if (fr != NULL) {
1160 1160 if ((ifs->ifs_ips_num >= ifs->ifs_fr_statemax) &&
1161 1161 (fr->fr_statemax == 0)) {
1162 1162 ATOMIC_INCL(ifs->ifs_ips_stats.iss_max);
1163 1163 return NULL;
1164 1164 }
1165 1165 if ((fr->fr_statemax != 0) &&
1166 1166 (fr->fr_statecnt >= fr->fr_statemax)) {
1167 1167 ATOMIC_INCL(ifs->ifs_ips_stats.iss_maxref);
1168 1168 ifs->ifs_fr_state_doflush = 1;
1169 1169 return NULL;
1170 1170 }
1171 1171 }
1172 1172
1173 1173 ic = NULL;
1174 1174 tcp = NULL;
1175 1175 out = fin->fin_out;
1176 1176 is = &ips;
1177 1177 bzero((char *)is, sizeof(*is));
1178 1178
1179 1179 if (fr == NULL) {
1180 1180 pass = ifs->ifs_fr_flags;
1181 1181 is->is_tag = FR_NOLOGTAG;
1182 1182 } else {
1183 1183 pass = fr->fr_flags;
1184 1184 }
1185 1185
1186 1186 is->is_die = 1 + ifs->ifs_fr_ticks;
1187 1187 /*
1188 1188 * We want to check everything that is a property of this packet,
1189 1189 * but we don't (automatically) care about it's fragment status as
1190 1190 * this may change.
1191 1191 */
1192 1192 is->is_pass = pass;
1193 1193 is->is_v = fin->fin_v;
1194 1194 is->is_opt[0] = fin->fin_optmsk;
1195 1195 is->is_optmsk[0] = 0xffffffff;
1196 1196 /*
1197 1197 * The reverse direction option mask will be set in fr_matchsrcdst(),
1198 1198 * when we will see the first packet from the peer. We will leave it
1199 1199 * as zero for now.
1200 1200 */
1201 1201 is->is_optmsk[1] = 0x0;
1202 1202
1203 1203 if (is->is_v == 6) {
1204 1204 is->is_opt[0] &= ~0x8;
1205 1205 is->is_optmsk[0] &= ~0x8;
1206 1206 }
1207 1207 is->is_sec = fin->fin_secmsk;
1208 1208 is->is_secmsk = 0xffff;
1209 1209 is->is_auth = fin->fin_auth;
1210 1210 is->is_authmsk = 0xffff;
1211 1211
1212 1212 /*
1213 1213 * Copy and calculate...
1214 1214 */
1215 1215 hv = (is->is_p = fin->fin_fi.fi_p);
1216 1216 is->is_src = fin->fin_fi.fi_src;
1217 1217 hv += is->is_saddr;
1218 1218 is->is_dst = fin->fin_fi.fi_dst;
1219 1219 hv += is->is_daddr;
1220 1220 #ifdef USE_INET6
1221 1221 if (fin->fin_v == 6) {
1222 1222 /*
1223 1223 * For ICMPv6, we check to see if the destination address is
1224 1224 * a multicast address. If it is, do not include it in the
1225 1225 * calculation of the hash because the correct reply will come
1226 1226 * back from a real address, not a multicast address.
1227 1227 */
1228 1228 if ((is->is_p == IPPROTO_ICMPV6) &&
1229 1229 IN6_IS_ADDR_MULTICAST(&is->is_dst.in6)) {
1230 1230 /*
1231 1231 * So you can do keep state with neighbour discovery.
1232 1232 *
1233 1233 * Here we could use the address from the neighbour
1234 1234 * solicit message to put in the state structure and
1235 1235 * we could use that without a wildcard flag too...
1236 1236 */
1237 1237 is->is_flags |= SI_W_DADDR;
1238 1238 hv -= is->is_daddr;
1239 1239 } else {
1240 1240 hv += is->is_dst.i6[1];
1241 1241 hv += is->is_dst.i6[2];
1242 1242 hv += is->is_dst.i6[3];
1243 1243 }
1244 1244 hv += is->is_src.i6[1];
1245 1245 hv += is->is_src.i6[2];
1246 1246 hv += is->is_src.i6[3];
1247 1247 }
1248 1248 #endif
1249 1249 if ((fin->fin_v == 4) &&
1250 1250 (fin->fin_flx & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST))) {
1251 1251 if (fin->fin_out == 0) {
1252 1252 flags |= SI_W_DADDR|SI_CLONE;
1253 1253 hv -= is->is_daddr;
1254 1254 } else {
1255 1255 flags |= SI_W_SADDR|SI_CLONE;
1256 1256 hv -= is->is_saddr;
1257 1257 }
1258 1258 }
1259 1259
1260 1260 switch (is->is_p)
1261 1261 {
1262 1262 #ifdef USE_INET6
1263 1263 case IPPROTO_ICMPV6 :
1264 1264 ic = fin->fin_dp;
1265 1265
1266 1266 switch (ic->icmp_type)
1267 1267 {
1268 1268 case ICMP6_ECHO_REQUEST :
1269 1269 is->is_icmp.ici_type = ic->icmp_type;
1270 1270 hv += (is->is_icmp.ici_id = ic->icmp_id);
1271 1271 break;
1272 1272 case ICMP6_MEMBERSHIP_QUERY :
1273 1273 case ND_ROUTER_SOLICIT :
1274 1274 case ND_NEIGHBOR_SOLICIT :
1275 1275 case ICMP6_NI_QUERY :
1276 1276 is->is_icmp.ici_type = ic->icmp_type;
1277 1277 break;
1278 1278 default :
1279 1279 return NULL;
1280 1280 }
1281 1281 ATOMIC_INCL(ifs->ifs_ips_stats.iss_icmp);
1282 1282 break;
1283 1283 #endif
1284 1284 case IPPROTO_ICMP :
1285 1285 ic = fin->fin_dp;
1286 1286
1287 1287 switch (ic->icmp_type)
1288 1288 {
1289 1289 case ICMP_ECHO :
1290 1290 case ICMP_ECHOREPLY :
1291 1291 case ICMP_TSTAMP :
1292 1292 case ICMP_IREQ :
1293 1293 case ICMP_MASKREQ :
1294 1294 is->is_icmp.ici_type = ic->icmp_type;
1295 1295 hv += (is->is_icmp.ici_id = ic->icmp_id);
1296 1296 break;
1297 1297 default :
1298 1298 return NULL;
1299 1299 }
1300 1300 ATOMIC_INCL(ifs->ifs_ips_stats.iss_icmp);
1301 1301 break;
1302 1302
1303 1303 case IPPROTO_GRE :
1304 1304 gre = fin->fin_dp;
1305 1305
1306 1306 is->is_gre.gs_flags = gre->gr_flags;
1307 1307 is->is_gre.gs_ptype = gre->gr_ptype;
1308 1308 if (GRE_REV(is->is_gre.gs_flags) == 1) {
1309 1309 is->is_call[0] = fin->fin_data[0];
1310 1310 is->is_call[1] = fin->fin_data[1];
1311 1311 }
1312 1312 break;
1313 1313
1314 1314 case IPPROTO_TCP :
1315 1315 tcp = fin->fin_dp;
1316 1316
1317 1317 if (tcp->th_flags & TH_RST)
1318 1318 return NULL;
1319 1319 /*
1320 1320 * The endian of the ports doesn't matter, but the ack and
1321 1321 * sequence numbers do as we do mathematics on them later.
1322 1322 */
1323 1323 is->is_sport = htons(fin->fin_data[0]);
1324 1324 is->is_dport = htons(fin->fin_data[1]);
1325 1325 if ((flags & (SI_W_DPORT|SI_W_SPORT)) == 0) {
1326 1326 hv += is->is_sport;
1327 1327 hv += is->is_dport;
1328 1328 }
1329 1329
1330 1330 /*
1331 1331 * If this is a real packet then initialise fields in the
1332 1332 * state information structure from the TCP header information.
1333 1333 */
1334 1334
1335 1335 is->is_maxdwin = 1;
1336 1336 is->is_maxswin = ntohs(tcp->th_win);
1337 1337 if (is->is_maxswin == 0)
1338 1338 is->is_maxswin = 1;
1339 1339
1340 1340 if ((fin->fin_flx & FI_IGNORE) == 0) {
1341 1341 is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen -
1342 1342 (TCP_OFF(tcp) << 2) +
1343 1343 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
1344 1344 ((tcp->th_flags & TH_FIN) ? 1 : 0);
1345 1345 is->is_maxsend = is->is_send;
1346 1346
1347 1347 /*
1348 1348 * Window scale option is only present in
1349 1349 * SYN/SYN-ACK packet.
1350 1350 */
1351 1351 if ((tcp->th_flags & ~(TH_FIN|TH_ACK|TH_ECNALL)) ==
1352 1352 TH_SYN &&
1353 1353 (TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
1354 1354 if (fr_tcpoptions(fin, tcp,
1355 1355 &is->is_tcp.ts_data[0]) == -1) {
1356 1356 fin->fin_flx |= FI_BAD;
1357 1357 }
1358 1358 }
1359 1359
1360 1360 if ((fin->fin_out != 0) && (pass & FR_NEWISN) != 0) {
1361 1361 fr_checknewisn(fin, is);
1362 1362 fr_fixoutisn(fin, is);
1363 1363 }
1364 1364
1365 1365 if ((tcp->th_flags & TH_OPENING) == TH_SYN)
1366 1366 flags |= IS_TCPFSM;
1367 1367 else {
1368 1368 is->is_maxdwin = is->is_maxswin * 2;
1369 1369 is->is_dend = ntohl(tcp->th_ack);
1370 1370 is->is_maxdend = ntohl(tcp->th_ack);
1371 1371 is->is_maxdwin *= 2;
1372 1372 }
1373 1373 }
1374 1374
1375 1375 /*
1376 1376 * If we're creating state for a starting connection, start the
1377 1377 * timer on it as we'll never see an error if it fails to
1378 1378 * connect.
1379 1379 */
1380 1380 ATOMIC_INCL(ifs->ifs_ips_stats.iss_tcp);
1381 1381 break;
1382 1382
1383 1383 case IPPROTO_UDP :
1384 1384 tcp = fin->fin_dp;
1385 1385
1386 1386 is->is_sport = htons(fin->fin_data[0]);
1387 1387 is->is_dport = htons(fin->fin_data[1]);
1388 1388 if ((flags & (SI_W_DPORT|SI_W_SPORT)) == 0) {
1389 1389 hv += tcp->th_dport;
1390 1390 hv += tcp->th_sport;
1391 1391 }
1392 1392 ATOMIC_INCL(ifs->ifs_ips_stats.iss_udp);
1393 1393 break;
1394 1394
1395 1395 default :
1396 1396 break;
1397 1397 }
1398 1398 hv = DOUBLE_HASH(hv, ifs);
1399 1399 is->is_hv = hv;
1400 1400 is->is_rule = fr;
1401 1401 is->is_flags = flags & IS_INHERITED;
1402 1402
1403 1403 /*
1404 1404 * Look for identical state.
1405 1405 */
1406 1406 for (is = ifs->ifs_ips_table[is->is_hv % ifs->ifs_fr_statesize];
1407 1407 is != NULL;
1408 1408 is = is->is_hnext) {
1409 1409 if (fr_matchstates(&ips, is) == 1)
1410 1410 break;
1411 1411 }
1412 1412
1413 1413 /*
1414 1414 * we've found a matching state -> state already exists,
1415 1415 * we are not going to add a duplicate record.
1416 1416 */
1417 1417 if (is != NULL)
1418 1418 return NULL;
1419 1419
1420 1420 if (ifs->ifs_ips_stats.iss_bucketlen[hv] >= ifs->ifs_fr_state_maxbucket) {
1421 1421 ATOMIC_INCL(ifs->ifs_ips_stats.iss_bucketfull);
1422 1422 return NULL;
1423 1423 }
1424 1424 KMALLOC(is, ipstate_t *);
1425 1425 if (is == NULL) {
1426 1426 ATOMIC_INCL(ifs->ifs_ips_stats.iss_nomem);
1427 1427 return NULL;
1428 1428 }
1429 1429 bcopy((char *)&ips, (char *)is, sizeof(*is));
1430 1430 /*
1431 1431 * Do not do the modulous here, it is done in fr_stinsert().
1432 1432 */
1433 1433 if (fr != NULL) {
1434 1434 (void) strncpy(is->is_group, fr->fr_group, FR_GROUPLEN);
1435 1435 if (fr->fr_age[0] != 0) {
1436 1436 is->is_tqehead[0] =
1437 1437 fr_addtimeoutqueue(&ifs->ifs_ips_utqe,
1438 1438 fr->fr_age[0], ifs);
1439 1439 is->is_sti.tqe_flags |= TQE_RULEBASED;
1440 1440 }
1441 1441 if (fr->fr_age[1] != 0) {
1442 1442 is->is_tqehead[1] =
1443 1443 fr_addtimeoutqueue(&ifs->ifs_ips_utqe,
1444 1444 fr->fr_age[1], ifs);
1445 1445 is->is_sti.tqe_flags |= TQE_RULEBASED;
1446 1446 }
1447 1447 is->is_tag = fr->fr_logtag;
1448 1448
1449 1449 is->is_ifp[(out << 1) + 1] = fr->fr_ifas[1];
1450 1450 is->is_ifp[(1 - out) << 1] = fr->fr_ifas[2];
1451 1451 is->is_ifp[((1 - out) << 1) + 1] = fr->fr_ifas[3];
1452 1452
1453 1453 if (((ifp = fr->fr_ifas[1]) != NULL) &&
1454 1454 (ifp != (void *)-1)) {
1455 1455 COPYIFNAME(ifp, is->is_ifname[(out << 1) + 1], fr->fr_v);
1456 1456 }
1457 1457 if (((ifp = fr->fr_ifas[2]) != NULL) &&
1458 1458 (ifp != (void *)-1)) {
1459 1459 COPYIFNAME(ifp, is->is_ifname[(1 - out) << 1], fr->fr_v);
1460 1460 }
1461 1461 if (((ifp = fr->fr_ifas[3]) != NULL) &&
1462 1462 (ifp != (void *)-1)) {
1463 1463 COPYIFNAME(ifp, is->is_ifname[((1 - out) << 1) + 1], fr->fr_v);
1464 1464 }
1465 1465 }
1466 1466
1467 1467 is->is_ifp[out << 1] = fin->fin_ifp;
1468 1468 if (fin->fin_ifp != NULL) {
1469 1469 COPYIFNAME(fin->fin_ifp, is->is_ifname[out << 1], fin->fin_v);
1470 1470 }
1471 1471
1472 1472 is->is_ref = 1;
1473 1473 is->is_pkts[0] = 0, is->is_bytes[0] = 0;
1474 1474 is->is_pkts[1] = 0, is->is_bytes[1] = 0;
1475 1475 is->is_pkts[2] = 0, is->is_bytes[2] = 0;
1476 1476 is->is_pkts[3] = 0, is->is_bytes[3] = 0;
1477 1477 if ((fin->fin_flx & FI_IGNORE) == 0) {
1478 1478 is->is_pkts[out] = 1;
1479 1479 is->is_bytes[out] = fin->fin_plen;
1480 1480 is->is_flx[out][0] = fin->fin_flx & FI_CMP;
1481 1481 is->is_flx[out][0] &= ~FI_OOW;
1482 1482 }
1483 1483
1484 1484 if (pass & FR_STSTRICT)
1485 1485 is->is_flags |= IS_STRICT;
1486 1486
1487 1487 if (pass & FR_STATESYNC)
1488 1488 is->is_flags |= IS_STATESYNC;
1489 1489
1490 1490 if (flags & (SI_WILDP|SI_WILDA)) {
1491 1491 ATOMIC_INCL(ifs->ifs_ips_stats.iss_wild);
1492 1492 }
1493 1493 is->is_rulen = fin->fin_rule;
1494 1494
1495 1495
1496 1496 if (pass & FR_LOGFIRST)
1497 1497 is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
1498 1498
1499 1499 READ_ENTER(&ifs->ifs_ipf_state);
1500 1500 is->is_me = stsave;
1501 1501
1502 1502 fr_stinsert(is, fin->fin_rev, ifs);
1503 1503
1504 1504 if (fin->fin_p == IPPROTO_TCP) {
1505 1505 /*
1506 1506 * If we're creating state for a starting connection, start the
1507 1507 * timer on it as we'll never see an error if it fails to
1508 1508 * connect.
1509 1509 */
1510 1510 (void) fr_tcp_age(&is->is_sti, fin, ifs->ifs_ips_tqtqb,
1511 1511 is->is_flags);
1512 1512 MUTEX_EXIT(&is->is_lock);
1513 1513 #ifdef IPFILTER_SCAN
1514 1514 if ((is->is_flags & SI_CLONE) == 0)
1515 1515 (void) ipsc_attachis(is);
1516 1516 #endif
|
↓ open down ↓ |
1516 lines elided |
↑ open up ↑ |
1517 1517 } else {
1518 1518 MUTEX_EXIT(&is->is_lock);
1519 1519 }
1520 1520 #ifdef IPFILTER_SYNC
1521 1521 if ((is->is_flags & IS_STATESYNC) && ((is->is_flags & SI_CLONE) == 0))
1522 1522 is->is_sync = ipfsync_new(SMC_STATE, fin, is);
1523 1523 #endif
1524 1524 if (ifs->ifs_ipstate_logging)
1525 1525 ipstate_log(is, ISL_NEW, ifs);
1526 1526
1527 + if (IFS_CFWLOG(ifs))
1528 + ipf_log_cfwlog(is, ISL_NEW, ifs);
1529 +
1527 1530 RWLOCK_EXIT(&ifs->ifs_ipf_state);
1528 1531 fin->fin_rev = IP6_NEQ(&is->is_dst, &fin->fin_daddr);
1529 1532 fin->fin_flx |= FI_STATE;
1530 1533 if (fin->fin_flx & FI_FRAG)
1531 1534 (void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
1532 1535
1533 1536 return is;
1534 1537 }
1535 1538
1536 1539
1537 1540 /* ------------------------------------------------------------------------ */
1538 1541 /* Function: fr_tcpoptions */
1539 1542 /* Returns: int - 1 == packet matches state entry, 0 == it does not */
1540 1543 /* Parameters: fin(I) - pointer to packet information */
1541 1544 /* tcp(I) - pointer to TCP packet header */
1542 1545 /* td(I) - pointer to TCP data held as part of the state */
1543 1546 /* */
1544 1547 /* Look after the TCP header for any options and deal with those that are */
1545 1548 /* present. Record details about those that we recogise. */
1546 1549 /* ------------------------------------------------------------------------ */
1547 1550 static int fr_tcpoptions(fin, tcp, td)
1548 1551 fr_info_t *fin;
1549 1552 tcphdr_t *tcp;
1550 1553 tcpdata_t *td;
1551 1554 {
1552 1555 int off, mlen, ol, i, len, retval;
1553 1556 char buf[64], *s, opt;
1554 1557 mb_t *m = NULL;
1555 1558
1556 1559 len = (TCP_OFF(tcp) << 2);
1557 1560 if (fin->fin_dlen < len)
1558 1561 return 0;
1559 1562 len -= sizeof(*tcp);
1560 1563
1561 1564 off = fin->fin_plen - fin->fin_dlen + sizeof(*tcp) + fin->fin_ipoff;
1562 1565
1563 1566 m = fin->fin_m;
1564 1567 mlen = MSGDSIZE(m) - off;
1565 1568 if (len > mlen) {
1566 1569 len = mlen;
1567 1570 retval = 0;
1568 1571 } else {
1569 1572 retval = 1;
1570 1573 }
1571 1574
1572 1575 COPYDATA(m, off, len, buf);
1573 1576
1574 1577 for (s = buf; len > 0; ) {
1575 1578 opt = *s;
1576 1579 if (opt == TCPOPT_EOL)
1577 1580 break;
1578 1581 else if (opt == TCPOPT_NOP)
1579 1582 ol = 1;
1580 1583 else {
1581 1584 if (len < 2)
1582 1585 break;
1583 1586 ol = (int)*(s + 1);
1584 1587 if (ol < 2 || ol > len)
1585 1588 break;
1586 1589
1587 1590 /*
1588 1591 * Extract the TCP options we are interested in out of
1589 1592 * the header and store them in the the tcpdata struct.
1590 1593 */
1591 1594 switch (opt)
1592 1595 {
1593 1596 case TCPOPT_WINDOW :
1594 1597 if (ol == TCPOLEN_WINDOW) {
1595 1598 i = (int)*(s + 2);
1596 1599 if (i > TCP_WSCALE_MAX)
1597 1600 i = TCP_WSCALE_MAX;
1598 1601 else if (i < 0)
1599 1602 i = 0;
1600 1603 td->td_winscale = i;
1601 1604 td->td_winflags |= TCP_WSCALE_SEEN |
1602 1605 TCP_WSCALE_FIRST;
1603 1606 } else
1604 1607 retval = -1;
1605 1608 break;
1606 1609 case TCPOPT_MAXSEG :
1607 1610 /*
1608 1611 * So, if we wanted to set the TCP MAXSEG,
1609 1612 * it should be done here...
1610 1613 */
1611 1614 if (ol == TCPOLEN_MAXSEG) {
1612 1615 i = (int)*(s + 2);
1613 1616 i <<= 8;
1614 1617 i += (int)*(s + 3);
1615 1618 td->td_maxseg = i;
1616 1619 } else
1617 1620 retval = -1;
1618 1621 break;
1619 1622 case TCPOPT_SACK_PERMITTED :
1620 1623 if (ol == TCPOLEN_SACK_PERMITTED)
1621 1624 td->td_winflags |= TCP_SACK_PERMIT;
1622 1625 else
1623 1626 retval = -1;
1624 1627 break;
1625 1628 }
1626 1629 }
1627 1630 len -= ol;
1628 1631 s += ol;
1629 1632 }
1630 1633 return retval;
1631 1634 }
1632 1635
1633 1636
1634 1637 /* ------------------------------------------------------------------------ */
1635 1638 /* Function: fr_tcpstate */
1636 1639 /* Returns: int - 1 == packet matches state entry, 0 == it does not */
1637 1640 /* Parameters: fin(I) - pointer to packet information */
1638 1641 /* tcp(I) - pointer to TCP packet header */
1639 1642 /* is(I) - pointer to master state structure */
1640 1643 /* */
1641 1644 /* Check to see if a packet with TCP headers fits within the TCP window. */
1642 1645 /* Change timeout depending on whether new packet is a SYN-ACK returning */
1643 1646 /* for a SYN or a RST or FIN which indicate time to close up shop. */
1644 1647 /* ------------------------------------------------------------------------ */
1645 1648 static int fr_tcpstate(fin, tcp, is)
1646 1649 fr_info_t *fin;
1647 1650 tcphdr_t *tcp;
1648 1651 ipstate_t *is;
1649 1652 {
1650 1653 int source, ret = 0, flags;
1651 1654 tcpdata_t *fdata, *tdata;
1652 1655 ipf_stack_t *ifs = fin->fin_ifs;
1653 1656
1654 1657 source = !fin->fin_rev;
1655 1658 if (((is->is_flags & IS_TCPFSM) != 0) && (source == 1) &&
1656 1659 (ntohs(is->is_sport) != fin->fin_data[0]))
1657 1660 source = 0;
1658 1661 fdata = &is->is_tcp.ts_data[!source];
1659 1662 tdata = &is->is_tcp.ts_data[source];
1660 1663
1661 1664 MUTEX_ENTER(&is->is_lock);
1662 1665
1663 1666 /*
1664 1667 * If a SYN packet is received for a connection that is in a half
1665 1668 * closed state, then move its state entry to deletetq. In such case
1666 1669 * the SYN packet will be consequently dropped. This allows new state
1667 1670 * entry to be created with a retransmited SYN packet.
1668 1671 */
1669 1672 if ((tcp->th_flags & TH_OPENING) == TH_SYN) {
1670 1673 if ((is->is_state[source] > IPF_TCPS_ESTABLISHED) &&
1671 1674 (is->is_state[!source] > IPF_TCPS_ESTABLISHED)) {
1672 1675 is->is_state[source] = IPF_TCPS_CLOSED;
1673 1676 is->is_state[!source] = IPF_TCPS_CLOSED;
1674 1677 /*
1675 1678 * Do not update is->is_sti.tqe_die in case state entry
1676 1679 * is already present in deletetq. It prevents state
1677 1680 * entry ttl update by retransmitted SYN packets, which
1678 1681 * may arrive before timer tick kicks off. The SYN
1679 1682 * packet will be dropped again.
1680 1683 */
1681 1684 if (is->is_sti.tqe_ifq != &ifs->ifs_ips_deletetq)
1682 1685 fr_movequeue(&is->is_sti, is->is_sti.tqe_ifq,
1683 1686 &fin->fin_ifs->ifs_ips_deletetq,
1684 1687 fin->fin_ifs);
1685 1688
1686 1689 MUTEX_EXIT(&is->is_lock);
1687 1690 return 0;
1688 1691 }
1689 1692 }
1690 1693
1691 1694 if (fr_tcpinwindow(fin, fdata, tdata, tcp, is->is_flags)) {
1692 1695 #ifdef IPFILTER_SCAN
1693 1696 if (is->is_flags & (IS_SC_CLIENT|IS_SC_SERVER)) {
1694 1697 ipsc_packet(fin, is);
1695 1698 if (FR_ISBLOCK(is->is_pass)) {
1696 1699 MUTEX_EXIT(&is->is_lock);
1697 1700 return 1;
1698 1701 }
1699 1702 }
1700 1703 #endif
1701 1704
1702 1705 /*
1703 1706 * Nearing end of connection, start timeout.
1704 1707 */
1705 1708 ret = fr_tcp_age(&is->is_sti, fin, ifs->ifs_ips_tqtqb,
1706 1709 is->is_flags);
1707 1710 if (ret == 0) {
1708 1711 MUTEX_EXIT(&is->is_lock);
1709 1712 return 0;
1710 1713 }
1711 1714
1712 1715 /*
1713 1716 * set s0's as appropriate. Use syn-ack packet as it
1714 1717 * contains both pieces of required information.
1715 1718 */
1716 1719 /*
1717 1720 * Window scale option is only present in SYN/SYN-ACK packet.
1718 1721 * Compare with ~TH_FIN to mask out T/TCP setups.
1719 1722 */
1720 1723 flags = tcp->th_flags & ~(TH_FIN|TH_ECNALL);
1721 1724 if (flags == (TH_SYN|TH_ACK)) {
1722 1725 is->is_s0[source] = ntohl(tcp->th_ack);
1723 1726 is->is_s0[!source] = ntohl(tcp->th_seq) + 1;
1724 1727 if (TCP_OFF(tcp) > (sizeof (tcphdr_t) >> 2)) {
1725 1728 (void) fr_tcpoptions(fin, tcp, fdata);
1726 1729 }
1727 1730 if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
1728 1731 fr_checknewisn(fin, is);
1729 1732 } else if (flags == TH_SYN) {
1730 1733 is->is_s0[source] = ntohl(tcp->th_seq) + 1;
1731 1734 if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)))
1732 1735 (void) fr_tcpoptions(fin, tcp, fdata);
1733 1736
1734 1737 if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
1735 1738 fr_checknewisn(fin, is);
1736 1739
1737 1740 }
1738 1741 ret = 1;
1739 1742 } else
1740 1743 fin->fin_flx |= FI_OOW;
1741 1744 MUTEX_EXIT(&is->is_lock);
1742 1745 return ret;
1743 1746 }
1744 1747
1745 1748
1746 1749 /* ------------------------------------------------------------------------ */
1747 1750 /* Function: fr_checknewisn */
1748 1751 /* Returns: Nil */
1749 1752 /* Parameters: fin(I) - pointer to packet information */
1750 1753 /* is(I) - pointer to master state structure */
1751 1754 /* */
1752 1755 /* Check to see if this TCP connection is expecting and needs a new */
1753 1756 /* sequence number for a particular direction of the connection. */
1754 1757 /* */
1755 1758 /* NOTE: This does not actually change the sequence numbers, only gets new */
1756 1759 /* one ready. */
1757 1760 /* ------------------------------------------------------------------------ */
1758 1761 static void fr_checknewisn(fin, is)
1759 1762 fr_info_t *fin;
1760 1763 ipstate_t *is;
1761 1764 {
1762 1765 u_32_t sumd, old, new;
1763 1766 tcphdr_t *tcp;
1764 1767 int i;
1765 1768
1766 1769 i = fin->fin_rev;
1767 1770 tcp = fin->fin_dp;
1768 1771
1769 1772 if (((i == 0) && !(is->is_flags & IS_ISNSYN)) ||
1770 1773 ((i == 1) && !(is->is_flags & IS_ISNACK))) {
1771 1774 old = ntohl(tcp->th_seq);
1772 1775 new = fr_newisn(fin);
1773 1776 is->is_isninc[i] = new - old;
1774 1777 CALC_SUMD(old, new, sumd);
1775 1778 is->is_sumd[i] = (sumd & 0xffff) + (sumd >> 16);
1776 1779
1777 1780 is->is_flags |= ((i == 0) ? IS_ISNSYN : IS_ISNACK);
1778 1781 }
1779 1782 }
1780 1783
1781 1784
1782 1785 /* ------------------------------------------------------------------------ */
1783 1786 /* Function: fr_tcpinwindow */
1784 1787 /* Returns: int - 1 == packet inside TCP "window", 0 == not inside. */
1785 1788 /* Parameters: fin(I) - pointer to packet information */
1786 1789 /* fdata(I) - pointer to tcp state informatio (forward) */
1787 1790 /* tdata(I) - pointer to tcp state informatio (reverse) */
1788 1791 /* tcp(I) - pointer to TCP packet header */
1789 1792 /* */
1790 1793 /* Given a packet has matched addresses and ports, check to see if it is */
1791 1794 /* within the TCP data window. In a show of generosity, allow packets that */
1792 1795 /* are within the window space behind the current sequence # as well. */
1793 1796 /* ------------------------------------------------------------------------ */
1794 1797 int fr_tcpinwindow(fin, fdata, tdata, tcp, flags)
1795 1798 fr_info_t *fin;
1796 1799 tcpdata_t *fdata, *tdata;
1797 1800 tcphdr_t *tcp;
1798 1801 int flags;
1799 1802 {
1800 1803 tcp_seq seq, ack, end;
1801 1804 int ackskew, tcpflags;
1802 1805 u_32_t win, maxwin;
1803 1806 int dsize, inseq;
1804 1807
1805 1808 /*
1806 1809 * Find difference between last checked packet and this packet.
1807 1810 */
1808 1811 tcpflags = tcp->th_flags;
1809 1812 seq = ntohl(tcp->th_seq);
1810 1813 ack = ntohl(tcp->th_ack);
1811 1814
1812 1815 if (tcpflags & TH_SYN)
1813 1816 win = ntohs(tcp->th_win);
1814 1817 else
1815 1818 win = ntohs(tcp->th_win) << fdata->td_winscale;
1816 1819
1817 1820 /*
1818 1821 * win 0 means the receiving endpoint has closed the window, because it
1819 1822 * has not enough memory to receive data from sender. In such case we
1820 1823 * are pretending window size to be 1 to let TCP probe data through.
1821 1824 * TCP probe data can be either 0 or 1 octet of data, the RFC does not
1822 1825 * state this accurately, so we have to allow 1 octet (win = 1) even if
1823 1826 * the window is closed (win == 0).
1824 1827 */
1825 1828 if (win == 0)
1826 1829 win = 1;
1827 1830
1828 1831 dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
1829 1832 ((tcpflags & TH_SYN) ? 1 : 0) + ((tcpflags & TH_FIN) ? 1 : 0);
1830 1833
1831 1834 /*
1832 1835 * if window scaling is present, the scaling is only allowed
1833 1836 * for windows not in the first SYN packet. In that packet the
1834 1837 * window is 65535 to specify the largest window possible
1835 1838 * for receivers not implementing the window scale option.
1836 1839 * Currently, we do not assume TTCP here. That means that
1837 1840 * if we see a second packet from a host (after the initial
1838 1841 * SYN), we can assume that the receiver of the SYN did
1839 1842 * already send back the SYN/ACK (and thus that we know if
1840 1843 * the receiver also does window scaling)
1841 1844 */
1842 1845 if (!(tcpflags & TH_SYN) && (fdata->td_winflags & TCP_WSCALE_FIRST)) {
1843 1846 fdata->td_winflags &= ~TCP_WSCALE_FIRST;
1844 1847 fdata->td_maxwin = win;
1845 1848 }
1846 1849
1847 1850 end = seq + dsize;
1848 1851
1849 1852 if ((fdata->td_end == 0) &&
1850 1853 (!(flags & IS_TCPFSM) ||
1851 1854 ((tcpflags & TH_OPENING) == TH_OPENING))) {
1852 1855 /*
1853 1856 * Must be a (outgoing) SYN-ACK in reply to a SYN.
1854 1857 */
1855 1858 fdata->td_end = end - 1;
1856 1859 fdata->td_maxwin = 1;
1857 1860 fdata->td_maxend = end + win;
1858 1861 }
1859 1862
1860 1863 if (!(tcpflags & TH_ACK)) { /* Pretend an ack was sent */
1861 1864 ack = tdata->td_end;
1862 1865 } else if (((tcpflags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) &&
1863 1866 (ack == 0)) {
1864 1867 /* gross hack to get around certain broken tcp stacks */
1865 1868 ack = tdata->td_end;
1866 1869 }
1867 1870
1868 1871 maxwin = tdata->td_maxwin;
1869 1872 ackskew = tdata->td_end - ack;
1870 1873
1871 1874 /*
1872 1875 * Strict sequencing only allows in-order delivery.
1873 1876 */
1874 1877 if ((flags & IS_STRICT) != 0) {
1875 1878 if (seq != fdata->td_end) {
1876 1879 DTRACE_PROBE(strict_check);
1877 1880 return 0;
1878 1881 }
1879 1882 }
1880 1883
1881 1884 #define SEQ_GE(a,b) ((int)((a) - (b)) >= 0)
1882 1885 #define SEQ_GT(a,b) ((int)((a) - (b)) > 0)
1883 1886 inseq = 0;
1884 1887 DTRACE_PROBE4(
1885 1888 dyn_params,
1886 1889 int, dsize,
1887 1890 int, ackskew,
1888 1891 int, maxwin,
1889 1892 int, win
1890 1893 );
1891 1894 if (
1892 1895 #if defined(_KERNEL)
1893 1896 /*
1894 1897 * end <-> s + n
1895 1898 * maxend <-> ack + win
1896 1899 * this is upperbound check
1897 1900 */
1898 1901 (SEQ_GE(fdata->td_maxend, end)) &&
1899 1902 /*
1900 1903 * this is lowerbound check
1901 1904 */
1902 1905 (SEQ_GE(seq, fdata->td_end - maxwin)) &&
1903 1906 #endif
1904 1907 /* XXX what about big packets */
1905 1908 #define MAXACKWINDOW 66000
1906 1909 (-ackskew <= (MAXACKWINDOW)) &&
1907 1910 ( ackskew <= (MAXACKWINDOW << fdata->td_winscale))) {
1908 1911 inseq = 1;
1909 1912 /*
1910 1913 * Microsoft Windows will send the next packet to the right of the
1911 1914 * window if SACK is in use.
1912 1915 */
1913 1916 } else if ((seq == fdata->td_maxend) && (ackskew == 0) &&
1914 1917 (fdata->td_winflags & TCP_SACK_PERMIT) &&
1915 1918 (tdata->td_winflags & TCP_SACK_PERMIT)) {
1916 1919 inseq = 1;
1917 1920 /*
1918 1921 * RST ACK with SEQ equal to 0 is sent by some OSes (i.e. Solaris) as a
1919 1922 * response to initial SYN packet, when there is no application
1920 1923 * listeing to on a port, where the SYN packet has came to.
1921 1924 */
1922 1925 } else if ((seq == 0) && (tcpflags == (TH_RST|TH_ACK)) &&
1923 1926 (ackskew >= -1) && (ackskew <= 1)) {
1924 1927 inseq = 1;
1925 1928 } else if (!(flags & IS_TCPFSM)) {
1926 1929
1927 1930 if (!(fdata->td_winflags &
1928 1931 (TCP_WSCALE_SEEN|TCP_WSCALE_FIRST))) {
1929 1932 /*
1930 1933 * No TCPFSM and no window scaling, so make some
1931 1934 * extra guesses.
1932 1935 */
1933 1936 if ((seq == fdata->td_maxend) && (ackskew == 0))
1934 1937 inseq = 1;
1935 1938 else if (SEQ_GE(seq + maxwin, fdata->td_end - maxwin))
1936 1939 inseq = 1;
1937 1940 }
1938 1941 }
1939 1942
1940 1943 if (inseq) {
1941 1944 /* if ackskew < 0 then this should be due to fragmented
1942 1945 * packets. There is no way to know the length of the
1943 1946 * total packet in advance.
1944 1947 * We do know the total length from the fragment cache though.
1945 1948 * Note however that there might be more sessions with
1946 1949 * exactly the same source and destination parameters in the
1947 1950 * state cache (and source and destination is the only stuff
1948 1951 * that is saved in the fragment cache). Note further that
1949 1952 * some TCP connections in the state cache are hashed with
1950 1953 * sport and dport as well which makes it not worthwhile to
1951 1954 * look for them.
1952 1955 * Thus, when ackskew is negative but still seems to belong
1953 1956 * to this session, we bump up the destinations end value.
1954 1957 */
1955 1958 if (ackskew < 0) {
1956 1959 DTRACE_PROBE2(end_update_td,
1957 1960 int, tdata->td_end,
1958 1961 int, ack
1959 1962 );
1960 1963 tdata->td_end = ack;
1961 1964 }
1962 1965
1963 1966 /* update max window seen */
1964 1967 if (fdata->td_maxwin < win) {
1965 1968 DTRACE_PROBE2(win_update_fd,
1966 1969 int, fdata->td_maxwin,
1967 1970 int, win
1968 1971 );
1969 1972 fdata->td_maxwin = win;
1970 1973 }
1971 1974
1972 1975 if (SEQ_GT(end, fdata->td_end)) {
1973 1976 DTRACE_PROBE2(end_update_fd,
1974 1977 int, fdata->td_end,
1975 1978 int, end
1976 1979 );
1977 1980 fdata->td_end = end;
1978 1981 }
1979 1982
1980 1983 if (SEQ_GE(ack + win, tdata->td_maxend)) {
1981 1984 DTRACE_PROBE2(max_end_update_td,
1982 1985 int, tdata->td_maxend,
1983 1986 int, ack + win
1984 1987 );
1985 1988 tdata->td_maxend = ack + win;
1986 1989 }
1987 1990
1988 1991 return 1;
1989 1992 }
1990 1993 fin->fin_flx |= FI_OOW;
1991 1994
1992 1995 #if defined(_KERNEL)
1993 1996 if (!(SEQ_GE(seq, fdata->td_end - maxwin)))
1994 1997 fin->fin_flx |= FI_NEG_OOW;
1995 1998 #endif
1996 1999
1997 2000 return 0;
1998 2001 }
1999 2002
2000 2003
2001 2004 /* ------------------------------------------------------------------------ */
2002 2005 /* Function: fr_stclone */
2003 2006 /* Returns: ipstate_t* - NULL == cloning failed, */
2004 2007 /* else pointer to new state structure */
2005 2008 /* Parameters: fin(I) - pointer to packet information */
2006 2009 /* tcp(I) - pointer to TCP/UDP header */
2007 2010 /* is(I) - pointer to master state structure */
2008 2011 /* */
2009 2012 /* Create a "duplcate" state table entry from the master. */
2010 2013 /* ------------------------------------------------------------------------ */
2011 2014 static ipstate_t *fr_stclone(fin, tcp, is)
2012 2015 fr_info_t *fin;
2013 2016 tcphdr_t *tcp;
2014 2017 ipstate_t *is;
2015 2018 {
2016 2019 ipstate_t *clone;
2017 2020 u_32_t send;
2018 2021 ipf_stack_t *ifs = fin->fin_ifs;
2019 2022
2020 2023 /*
2021 2024 * Trigger automatic call to fr_state_flush() if the
2022 2025 * table has reached capacity specified by hi watermark.
2023 2026 */
2024 2027 if (ST_TAB_WATER_LEVEL(ifs) > ifs->ifs_state_flush_level_hi)
2025 2028 ifs->ifs_fr_state_doflush = 1;
2026 2029
2027 2030 /*
2028 2031 * If automatic flushing did not do its job, and the table
2029 2032 * has filled up, don't try to create a new entry. A NULL
2030 2033 * return will indicate that the cloning has failed.
2031 2034 */
2032 2035 if (ifs->ifs_ips_num >= ifs->ifs_fr_statemax) {
2033 2036 ATOMIC_INCL(ifs->ifs_ips_stats.iss_max);
2034 2037 return NULL;
2035 2038 }
2036 2039
2037 2040 KMALLOC(clone, ipstate_t *);
2038 2041 if (clone == NULL)
2039 2042 return NULL;
2040 2043 bcopy((char *)is, (char *)clone, sizeof(*clone));
2041 2044
2042 2045 MUTEX_NUKE(&clone->is_lock);
2043 2046
2044 2047 clone->is_die = ONE_DAY + ifs->ifs_fr_ticks;
2045 2048 clone->is_state[0] = 0;
2046 2049 clone->is_state[1] = 0;
2047 2050 send = ntohl(tcp->th_seq) + fin->fin_dlen - (TCP_OFF(tcp) << 2) +
2048 2051 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
2049 2052 ((tcp->th_flags & TH_FIN) ? 1 : 0);
2050 2053
2051 2054 if (fin->fin_rev == 1) {
2052 2055 clone->is_dend = send;
2053 2056 clone->is_maxdend = send;
2054 2057 clone->is_send = 0;
2055 2058 clone->is_maxswin = 1;
2056 2059 clone->is_maxdwin = ntohs(tcp->th_win);
2057 2060 if (clone->is_maxdwin == 0)
2058 2061 clone->is_maxdwin = 1;
2059 2062 } else {
2060 2063 clone->is_send = send;
2061 2064 clone->is_maxsend = send;
2062 2065 clone->is_dend = 0;
2063 2066 clone->is_maxdwin = 1;
2064 2067 clone->is_maxswin = ntohs(tcp->th_win);
2065 2068 if (clone->is_maxswin == 0)
2066 2069 clone->is_maxswin = 1;
2067 2070 }
2068 2071
2069 2072 clone->is_flags &= ~SI_CLONE;
2070 2073 clone->is_flags |= SI_CLONED;
2071 2074 fr_stinsert(clone, fin->fin_rev, ifs);
2072 2075 clone->is_ref = 1;
2073 2076 if (clone->is_p == IPPROTO_TCP) {
2074 2077 (void) fr_tcp_age(&clone->is_sti, fin, ifs->ifs_ips_tqtqb,
2075 2078 clone->is_flags);
2076 2079 }
2077 2080 MUTEX_EXIT(&clone->is_lock);
2078 2081 #ifdef IPFILTER_SCAN
2079 2082 (void) ipsc_attachis(is);
2080 2083 #endif
2081 2084 #ifdef IPFILTER_SYNC
2082 2085 if (is->is_flags & IS_STATESYNC)
2083 2086 clone->is_sync = ipfsync_new(SMC_STATE, fin, clone);
2084 2087 #endif
2085 2088 return clone;
2086 2089 }
2087 2090
2088 2091
2089 2092 /* ------------------------------------------------------------------------ */
2090 2093 /* Function: fr_matchsrcdst */
2091 2094 /* Returns: Nil */
2092 2095 /* Parameters: fin(I) - pointer to packet information */
2093 2096 /* is(I) - pointer to state structure */
2094 2097 /* src(I) - pointer to source address */
2095 2098 /* dst(I) - pointer to destination address */
2096 2099 /* tcp(I) - pointer to TCP/UDP header */
2097 2100 /* */
2098 2101 /* Match a state table entry against an IP packet. The logic below is that */
2099 2102 /* ret gets set to one if the match succeeds, else remains 0. If it is */
2100 2103 /* still 0 after the test. no match. */
2101 2104 /* ------------------------------------------------------------------------ */
2102 2105 static ipstate_t *fr_matchsrcdst(fin, is, src, dst, tcp, cmask)
2103 2106 fr_info_t *fin;
2104 2107 ipstate_t *is;
2105 2108 i6addr_t *src, *dst;
2106 2109 tcphdr_t *tcp;
2107 2110 u_32_t cmask;
2108 2111 {
2109 2112 int ret = 0, rev, out, flags, flx = 0, idx;
2110 2113 u_short sp, dp;
2111 2114 u_32_t cflx;
2112 2115 void *ifp;
2113 2116 ipf_stack_t *ifs = fin->fin_ifs;
2114 2117
2115 2118 rev = IP6_NEQ(&is->is_dst, dst);
2116 2119 ifp = fin->fin_ifp;
2117 2120 out = fin->fin_out;
2118 2121 flags = is->is_flags;
2119 2122 sp = 0;
2120 2123 dp = 0;
2121 2124
2122 2125 if (tcp != NULL) {
2123 2126 sp = htons(fin->fin_sport);
2124 2127 dp = ntohs(fin->fin_dport);
2125 2128 }
2126 2129 if (!rev) {
2127 2130 if (tcp != NULL) {
2128 2131 if (!(flags & SI_W_SPORT) && (sp != is->is_sport))
2129 2132 rev = 1;
2130 2133 else if (!(flags & SI_W_DPORT) && (dp != is->is_dport))
2131 2134 rev = 1;
2132 2135 }
2133 2136 }
2134 2137
2135 2138 idx = (out << 1) + rev;
2136 2139
2137 2140 /*
2138 2141 * If the interface for this 'direction' is set, make sure it matches.
2139 2142 * An interface name that is not set matches any, as does a name of *.
2140 2143 */
2141 2144 if ((is->is_ifp[idx] == NULL &&
2142 2145 (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '*')) ||
2143 2146 is->is_ifp[idx] == ifp)
2144 2147 ret = 1;
2145 2148
2146 2149 if (ret == 0) {
2147 2150 DTRACE_PROBE(no_match_on_iface);
2148 2151 return NULL;
2149 2152 }
2150 2153 ret = 0;
2151 2154
2152 2155 /*
2153 2156 * Match addresses and ports.
2154 2157 */
2155 2158 if (rev == 0) {
2156 2159 if ((IP6_EQ(&is->is_dst, dst) || (flags & SI_W_DADDR)) &&
2157 2160 (IP6_EQ(&is->is_src, src) || (flags & SI_W_SADDR))) {
2158 2161 if (tcp) {
2159 2162 if ((sp == is->is_sport || flags & SI_W_SPORT)&&
2160 2163 (dp == is->is_dport || flags & SI_W_DPORT))
2161 2164 ret = 1;
2162 2165 } else {
2163 2166 ret = 1;
2164 2167 }
2165 2168 }
2166 2169 } else {
2167 2170 if ((IP6_EQ(&is->is_dst, src) || (flags & SI_W_DADDR)) &&
2168 2171 (IP6_EQ(&is->is_src, dst) || (flags & SI_W_SADDR))) {
2169 2172 if (tcp) {
2170 2173 if ((dp == is->is_sport || flags & SI_W_SPORT)&&
2171 2174 (sp == is->is_dport || flags & SI_W_DPORT))
2172 2175 ret = 1;
2173 2176 } else {
2174 2177 ret = 1;
2175 2178 }
2176 2179 }
2177 2180 }
2178 2181
2179 2182 if (ret == 0) {
2180 2183 DTRACE_PROBE(no_match_on_addrs);
2181 2184 return NULL;
2182 2185 }
2183 2186 /*
2184 2187 * Whether or not this should be here, is questionable, but the aim
2185 2188 * is to get this out of the main line.
2186 2189 */
2187 2190 if (tcp == NULL)
2188 2191 flags = is->is_flags & ~(SI_WILDP|SI_NEWFR|SI_CLONE|SI_CLONED);
2189 2192
2190 2193 /*
2191 2194 * Only one of the source or destination address can be flaged as a
2192 2195 * wildcard. Fill in the missing address, if set.
2193 2196 * For IPv6, if the address being copied in is multicast, then
2194 2197 * don't reset the wild flag - multicast causes it to be set in the
2195 2198 * first place!
2196 2199 */
2197 2200 if ((flags & (SI_W_SADDR|SI_W_DADDR))) {
2198 2201 fr_ip_t *fi = &fin->fin_fi;
2199 2202
2200 2203 if ((flags & SI_W_SADDR) != 0) {
2201 2204 if (rev == 0) {
2202 2205 #ifdef USE_INET6
2203 2206 if (is->is_v == 6 &&
2204 2207 IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6))
2205 2208 /*EMPTY*/;
2206 2209 else
2207 2210 #endif
2208 2211 {
2209 2212 is->is_src = fi->fi_src;
2210 2213 is->is_flags &= ~SI_W_SADDR;
2211 2214 }
2212 2215 } else {
2213 2216 #ifdef USE_INET6
2214 2217 if (is->is_v == 6 &&
2215 2218 IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6))
2216 2219 /*EMPTY*/;
2217 2220 else
2218 2221 #endif
2219 2222 {
2220 2223 is->is_src = fi->fi_dst;
2221 2224 is->is_flags &= ~SI_W_SADDR;
2222 2225 }
2223 2226 }
2224 2227 } else if ((flags & SI_W_DADDR) != 0) {
2225 2228 if (rev == 0) {
2226 2229 #ifdef USE_INET6
2227 2230 if (is->is_v == 6 &&
2228 2231 IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6))
2229 2232 /*EMPTY*/;
2230 2233 else
2231 2234 #endif
2232 2235 {
2233 2236 is->is_dst = fi->fi_dst;
2234 2237 is->is_flags &= ~SI_W_DADDR;
2235 2238 }
2236 2239 } else {
2237 2240 #ifdef USE_INET6
2238 2241 if (is->is_v == 6 &&
2239 2242 IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6))
2240 2243 /*EMPTY*/;
2241 2244 else
2242 2245 #endif
2243 2246 {
2244 2247 is->is_dst = fi->fi_src;
2245 2248 is->is_flags &= ~SI_W_DADDR;
2246 2249 }
2247 2250 }
2248 2251 }
2249 2252 if ((is->is_flags & (SI_WILDA|SI_WILDP)) == 0) {
2250 2253 ATOMIC_DECL(ifs->ifs_ips_stats.iss_wild);
2251 2254 }
2252 2255 }
2253 2256
2254 2257 flx = fin->fin_flx & cmask;
2255 2258 cflx = is->is_flx[out][rev];
2256 2259
2257 2260 /*
2258 2261 * Match up any flags set from IP options.
2259 2262 */
2260 2263 if ((cflx && (flx != (cflx & cmask))) ||
2261 2264 ((fin->fin_optmsk & is->is_optmsk[rev]) != is->is_opt[rev]) ||
2262 2265 ((fin->fin_secmsk & is->is_secmsk) != is->is_sec) ||
2263 2266 ((fin->fin_auth & is->is_authmsk) != is->is_auth)) {
2264 2267 DTRACE_PROBE4(no_match_on_flags,
2265 2268 int, (cflx && (flx != (cflx & cmask))),
2266 2269 int,
2267 2270 ((fin->fin_optmsk & is->is_optmsk[rev]) != is->is_opt[rev]),
2268 2271 int, ((fin->fin_secmsk & is->is_secmsk) != is->is_sec),
2269 2272 int, ((fin->fin_auth & is->is_authmsk) != is->is_auth)
2270 2273 );
2271 2274 return NULL;
2272 2275 }
2273 2276 /*
2274 2277 * Only one of the source or destination port can be flagged as a
2275 2278 * wildcard. When filling it in, fill in a copy of the matched entry
2276 2279 * if it has the cloning flag set.
2277 2280 */
2278 2281 if ((fin->fin_flx & FI_IGNORE) != 0) {
2279 2282 fin->fin_rev = rev;
2280 2283 return is;
2281 2284 }
2282 2285
2283 2286 if ((flags & (SI_W_SPORT|SI_W_DPORT))) {
2284 2287 if ((flags & SI_CLONE) != 0) {
2285 2288 ipstate_t *clone;
2286 2289
2287 2290 clone = fr_stclone(fin, tcp, is);
2288 2291 if (clone == NULL)
2289 2292 return NULL;
2290 2293 is = clone;
2291 2294 } else {
2292 2295 ATOMIC_DECL(ifs->ifs_ips_stats.iss_wild);
2293 2296 }
2294 2297
2295 2298 if ((flags & SI_W_SPORT) != 0) {
2296 2299 if (rev == 0) {
2297 2300 is->is_sport = sp;
2298 2301 is->is_send = ntohl(tcp->th_seq);
2299 2302 } else {
2300 2303 is->is_sport = dp;
2301 2304 is->is_send = ntohl(tcp->th_ack);
2302 2305 }
2303 2306 is->is_maxsend = is->is_send + 1;
2304 2307 } else if ((flags & SI_W_DPORT) != 0) {
2305 2308 if (rev == 0) {
2306 2309 is->is_dport = dp;
|
↓ open down ↓ |
770 lines elided |
↑ open up ↑ |
2307 2310 is->is_dend = ntohl(tcp->th_ack);
2308 2311 } else {
2309 2312 is->is_dport = sp;
2310 2313 is->is_dend = ntohl(tcp->th_seq);
2311 2314 }
2312 2315 is->is_maxdend = is->is_dend + 1;
2313 2316 }
2314 2317 is->is_flags &= ~(SI_W_SPORT|SI_W_DPORT);
2315 2318 if ((flags & SI_CLONED) && ifs->ifs_ipstate_logging)
2316 2319 ipstate_log(is, ISL_CLONE, ifs);
2320 + if ((flags & SI_CLONED) && IFS_CFWLOG(ifs))
2321 + ipf_log_cfwlog(is, ISL_CLONE, ifs);
2317 2322 }
2318 2323
2319 2324 ret = -1;
2320 2325
2321 2326 if (is->is_flx[out][rev] == 0) {
2322 2327 is->is_flx[out][rev] = flx;
2323 2328 /*
2324 2329 * If we are dealing with the first packet coming in reverse
2325 2330 * direction (sent by peer), then we have to set options into
2326 2331 * state.
2327 2332 */
2328 2333 if (rev == 1 && is->is_optmsk[1] == 0x0) {
2329 2334 is->is_optmsk[1] = 0xffffffff;
2330 2335 is->is_opt[1] = fin->fin_optmsk;
2331 2336 DTRACE_PROBE(set_rev_opts);
2332 2337 }
2333 2338 if (is->is_v == 6) {
2334 2339 is->is_opt[rev] &= ~0x8;
2335 2340 is->is_optmsk[rev] &= ~0x8;
2336 2341 }
2337 2342 }
2338 2343
2339 2344 /*
2340 2345 * Check if the interface name for this "direction" is set and if not,
2341 2346 * fill it in.
2342 2347 */
2343 2348 if (is->is_ifp[idx] == NULL &&
2344 2349 (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '*')) {
2345 2350 is->is_ifp[idx] = ifp;
2346 2351 COPYIFNAME(ifp, is->is_ifname[idx], fin->fin_v);
2347 2352 }
2348 2353 fin->fin_rev = rev;
2349 2354 return is;
2350 2355 }
2351 2356
2352 2357
2353 2358 /* ------------------------------------------------------------------------ */
2354 2359 /* Function: fr_checkicmpmatchingstate */
2355 2360 /* Returns: Nil */
2356 2361 /* Parameters: fin(I) - pointer to packet information */
2357 2362 /* */
2358 2363 /* If we've got an ICMP error message, using the information stored in the */
2359 2364 /* ICMP packet, look for a matching state table entry. */
2360 2365 /* */
2361 2366 /* If we return NULL then no lock on ipf_state is held. */
2362 2367 /* If we return non-null then a read-lock on ipf_state is held. */
2363 2368 /* ------------------------------------------------------------------------ */
2364 2369 static ipstate_t *fr_checkicmpmatchingstate(fin)
2365 2370 fr_info_t *fin;
2366 2371 {
2367 2372 ipstate_t *is, **isp;
2368 2373 u_short sport, dport;
2369 2374 u_char pr;
2370 2375 int backward, i, oi;
2371 2376 i6addr_t dst, src;
2372 2377 struct icmp *ic;
2373 2378 u_short savelen;
2374 2379 icmphdr_t *icmp;
2375 2380 fr_info_t ofin;
2376 2381 tcphdr_t *tcp;
2377 2382 int len;
2378 2383 ip_t *oip;
2379 2384 u_int hv;
2380 2385 ipf_stack_t *ifs = fin->fin_ifs;
2381 2386
2382 2387 /*
2383 2388 * Does it at least have the return (basic) IP header ?
2384 2389 * Is it an actual recognised ICMP error type?
2385 2390 * Only a basic IP header (no options) should be with
2386 2391 * an ICMP error header.
2387 2392 */
2388 2393 if ((fin->fin_v != 4) || (fin->fin_hlen != sizeof(ip_t)) ||
2389 2394 (fin->fin_plen < ICMPERR_MINPKTLEN) ||
2390 2395 !(fin->fin_flx & FI_ICMPERR))
2391 2396 return NULL;
2392 2397 ic = fin->fin_dp;
2393 2398
2394 2399 oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN);
2395 2400 /*
2396 2401 * Check if the at least the old IP header (with options) and
2397 2402 * 8 bytes of payload is present.
2398 2403 */
2399 2404 if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((IP_HL(oip) - 5) << 2))
2400 2405 return NULL;
2401 2406
2402 2407 /*
2403 2408 * Sanity Checks.
2404 2409 */
2405 2410 len = fin->fin_dlen - ICMPERR_ICMPHLEN;
2406 2411 if ((len <= 0) || ((IP_HL(oip) << 2) > len))
2407 2412 return NULL;
2408 2413
2409 2414 /*
2410 2415 * Is the buffer big enough for all of it ? It's the size of the IP
2411 2416 * header claimed in the encapsulated part which is of concern. It
2412 2417 * may be too big to be in this buffer but not so big that it's
2413 2418 * outside the ICMP packet, leading to TCP deref's causing problems.
2414 2419 * This is possible because we don't know how big oip_hl is when we
2415 2420 * do the pullup early in fr_check() and thus can't guarantee it is
2416 2421 * all here now.
2417 2422 */
2418 2423 #ifdef _KERNEL
2419 2424 {
2420 2425 mb_t *m;
2421 2426
2422 2427 m = fin->fin_m;
2423 2428 # if defined(MENTAT)
2424 2429 if ((char *)oip + len > (char *)m->b_wptr)
2425 2430 return NULL;
2426 2431 # else
2427 2432 if ((char *)oip + len > (char *)fin->fin_ip + m->m_len)
2428 2433 return NULL;
2429 2434 # endif
2430 2435 }
2431 2436 #endif
2432 2437 bcopy((char *)fin, (char *)&ofin, sizeof(*fin));
2433 2438
2434 2439 /*
2435 2440 * in the IPv4 case we must zero the i6addr union otherwise
2436 2441 * the IP6_EQ and IP6_NEQ macros produce the wrong results because
2437 2442 * of the 'junk' in the unused part of the union
2438 2443 */
2439 2444 bzero((char *)&src, sizeof(src));
2440 2445 bzero((char *)&dst, sizeof(dst));
2441 2446
2442 2447 /*
2443 2448 * we make an fin entry to be able to feed it to
2444 2449 * matchsrcdst note that not all fields are encessary
2445 2450 * but this is the cleanest way. Note further we fill
2446 2451 * in fin_mp such that if someone uses it we'll get
2447 2452 * a kernel panic. fr_matchsrcdst does not use this.
2448 2453 *
2449 2454 * watch out here, as ip is in host order and oip in network
2450 2455 * order. Any change we make must be undone afterwards, like
2451 2456 * oip->ip_off - it is still in network byte order so fix it.
2452 2457 */
2453 2458 savelen = oip->ip_len;
2454 2459 oip->ip_len = len;
2455 2460 oip->ip_off = ntohs(oip->ip_off);
2456 2461
2457 2462 ofin.fin_flx = FI_NOCKSUM;
2458 2463 ofin.fin_v = 4;
2459 2464 ofin.fin_ip = oip;
2460 2465 ofin.fin_m = NULL; /* if dereferenced, panic XXX */
2461 2466 ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
2462 2467 ofin.fin_plen = fin->fin_dlen - ICMPERR_ICMPHLEN;
2463 2468 (void) fr_makefrip(IP_HL(oip) << 2, oip, &ofin);
2464 2469 ofin.fin_ifp = fin->fin_ifp;
2465 2470 ofin.fin_out = !fin->fin_out;
2466 2471 /*
2467 2472 * Reset the short and bad flag here because in fr_matchsrcdst()
2468 2473 * the flags for the current packet (fin_flx) are compared against
2469 2474 * those for the existing session.
2470 2475 */
2471 2476 ofin.fin_flx &= ~(FI_BAD|FI_SHORT);
2472 2477
2473 2478 /*
2474 2479 * Put old values of ip_len and ip_off back as we don't know
2475 2480 * if we have to forward the packet (or process it again.
2476 2481 */
2477 2482 oip->ip_len = savelen;
2478 2483 oip->ip_off = htons(oip->ip_off);
2479 2484
2480 2485 switch (oip->ip_p)
2481 2486 {
2482 2487 case IPPROTO_ICMP :
2483 2488 /*
2484 2489 * an ICMP error can only be generated as a result of an
2485 2490 * ICMP query, not as the response on an ICMP error
2486 2491 *
2487 2492 * XXX theoretically ICMP_ECHOREP and the other reply's are
2488 2493 * ICMP query's as well, but adding them here seems strange XXX
2489 2494 */
2490 2495 if ((ofin.fin_flx & FI_ICMPERR) != 0)
2491 2496 return NULL;
2492 2497
2493 2498 /*
2494 2499 * perform a lookup of the ICMP packet in the state table
2495 2500 */
2496 2501 icmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2));
2497 2502 hv = (pr = oip->ip_p);
2498 2503 src.in4 = oip->ip_src;
2499 2504 hv += src.in4.s_addr;
2500 2505 dst.in4 = oip->ip_dst;
2501 2506 hv += dst.in4.s_addr;
2502 2507 hv += icmp->icmp_id;
2503 2508 hv = DOUBLE_HASH(hv, ifs);
2504 2509
2505 2510 READ_ENTER(&ifs->ifs_ipf_state);
2506 2511 for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
2507 2512 isp = &is->is_hnext;
2508 2513 if ((is->is_p != pr) || (is->is_v != 4))
2509 2514 continue;
2510 2515 if (is->is_pass & FR_NOICMPERR)
2511 2516 continue;
2512 2517 is = fr_matchsrcdst(&ofin, is, &src, &dst,
2513 2518 NULL, FI_ICMPCMP);
2514 2519 if (is != NULL) {
2515 2520 if ((is->is_pass & FR_NOICMPERR) != 0) {
2516 2521 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2517 2522 return NULL;
2518 2523 }
2519 2524 /*
2520 2525 * i : the index of this packet (the icmp
2521 2526 * unreachable)
2522 2527 * oi : the index of the original packet found
2523 2528 * in the icmp header (i.e. the packet
2524 2529 * causing this icmp)
2525 2530 * backward : original packet was backward
2526 2531 * compared to the state
2527 2532 */
2528 2533 backward = IP6_NEQ(&is->is_src, &src);
2529 2534 fin->fin_rev = !backward;
2530 2535 i = (!backward << 1) + fin->fin_out;
2531 2536 oi = (backward << 1) + ofin.fin_out;
2532 2537 if (is->is_icmppkts[i] > is->is_pkts[oi])
2533 2538 continue;
2534 2539 ifs->ifs_ips_stats.iss_hits++;
2535 2540 is->is_icmppkts[i]++;
2536 2541 return is;
2537 2542 }
2538 2543 }
2539 2544 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2540 2545 return NULL;
2541 2546 case IPPROTO_TCP :
2542 2547 case IPPROTO_UDP :
2543 2548 break;
2544 2549 default :
2545 2550 return NULL;
2546 2551 }
2547 2552
2548 2553 tcp = (tcphdr_t *)((char *)oip + (IP_HL(oip) << 2));
2549 2554 dport = tcp->th_dport;
2550 2555 sport = tcp->th_sport;
2551 2556
2552 2557 hv = (pr = oip->ip_p);
2553 2558 src.in4 = oip->ip_src;
2554 2559 hv += src.in4.s_addr;
2555 2560 dst.in4 = oip->ip_dst;
2556 2561 hv += dst.in4.s_addr;
2557 2562 hv += dport;
2558 2563 hv += sport;
2559 2564 hv = DOUBLE_HASH(hv, ifs);
2560 2565
2561 2566 READ_ENTER(&ifs->ifs_ipf_state);
2562 2567 for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
2563 2568 isp = &is->is_hnext;
2564 2569 /*
2565 2570 * Only allow this icmp though if the
2566 2571 * encapsulated packet was allowed through the
2567 2572 * other way around. Note that the minimal amount
2568 2573 * of info present does not allow for checking against
2569 2574 * tcp internals such as seq and ack numbers. Only the
2570 2575 * ports are known to be present and can be even if the
2571 2576 * short flag is set.
2572 2577 */
2573 2578 if ((is->is_p == pr) && (is->is_v == 4) &&
2574 2579 (is = fr_matchsrcdst(&ofin, is, &src, &dst,
2575 2580 tcp, FI_ICMPCMP))) {
2576 2581 /*
2577 2582 * i : the index of this packet (the icmp unreachable)
2578 2583 * oi : the index of the original packet found in the
2579 2584 * icmp header (i.e. the packet causing this icmp)
2580 2585 * backward : original packet was backward compared to
2581 2586 * the state
2582 2587 */
2583 2588 backward = IP6_NEQ(&is->is_src, &src);
2584 2589 fin->fin_rev = !backward;
2585 2590 i = (!backward << 1) + fin->fin_out;
2586 2591 oi = (backward << 1) + ofin.fin_out;
2587 2592
2588 2593 if (((is->is_pass & FR_NOICMPERR) != 0) ||
2589 2594 (is->is_icmppkts[i] > is->is_pkts[oi]))
2590 2595 break;
2591 2596 ifs->ifs_ips_stats.iss_hits++;
2592 2597 is->is_icmppkts[i]++;
2593 2598 /*
2594 2599 * we deliberately do not touch the timeouts
2595 2600 * for the accompanying state table entry.
2596 2601 * It remains to be seen if that is correct. XXX
2597 2602 */
2598 2603 return is;
2599 2604 }
2600 2605 }
2601 2606 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2602 2607 return NULL;
2603 2608 }
2604 2609
2605 2610
2606 2611 /* ------------------------------------------------------------------------ */
2607 2612 /* Function: fr_ipsmove */
2608 2613 /* Returns: Nil */
2609 2614 /* Parameters: is(I) - pointer to state table entry */
2610 2615 /* hv(I) - new hash value for state table entry */
2611 2616 /* Write Locks: ipf_state */
2612 2617 /* */
2613 2618 /* Move a state entry from one position in the hash table to another. */
2614 2619 /* ------------------------------------------------------------------------ */
2615 2620 static void fr_ipsmove(is, hv, ifs)
2616 2621 ipstate_t *is;
2617 2622 u_int hv;
2618 2623 ipf_stack_t *ifs;
2619 2624 {
2620 2625 ipstate_t **isp;
2621 2626 u_int hvm;
2622 2627
2623 2628 ASSERT(rw_read_locked(&ifs->ifs_ipf_state.ipf_lk) == 0);
2624 2629
2625 2630 hvm = is->is_hv;
2626 2631 /*
2627 2632 * Remove the hash from the old location...
2628 2633 */
2629 2634 isp = is->is_phnext;
2630 2635 if (is->is_hnext)
2631 2636 is->is_hnext->is_phnext = isp;
2632 2637 *isp = is->is_hnext;
2633 2638 if (ifs->ifs_ips_table[hvm] == NULL)
2634 2639 ifs->ifs_ips_stats.iss_inuse--;
2635 2640 ifs->ifs_ips_stats.iss_bucketlen[hvm]--;
2636 2641
2637 2642 /*
2638 2643 * ...and put the hash in the new one.
2639 2644 */
2640 2645 hvm = DOUBLE_HASH(hv, ifs);
2641 2646 is->is_hv = hvm;
2642 2647 isp = &ifs->ifs_ips_table[hvm];
2643 2648 if (*isp)
2644 2649 (*isp)->is_phnext = &is->is_hnext;
2645 2650 else
2646 2651 ifs->ifs_ips_stats.iss_inuse++;
2647 2652 ifs->ifs_ips_stats.iss_bucketlen[hvm]++;
2648 2653 is->is_phnext = isp;
2649 2654 is->is_hnext = *isp;
2650 2655 *isp = is;
2651 2656 }
2652 2657
2653 2658
2654 2659 /* ------------------------------------------------------------------------ */
2655 2660 /* Function: fr_stlookup */
2656 2661 /* Returns: ipstate_t* - NULL == no matching state found, */
2657 2662 /* else pointer to state information is returned */
2658 2663 /* Parameters: fin(I) - pointer to packet information */
2659 2664 /* tcp(I) - pointer to TCP/UDP header. */
2660 2665 /* */
2661 2666 /* Search the state table for a matching entry to the packet described by */
2662 2667 /* the contents of *fin. */
2663 2668 /* */
2664 2669 /* If we return NULL then no lock on ipf_state is held. */
2665 2670 /* If we return non-null then a read-lock on ipf_state is held. */
2666 2671 /* ------------------------------------------------------------------------ */
2667 2672 ipstate_t *fr_stlookup(fin, tcp, ifqp)
2668 2673 fr_info_t *fin;
2669 2674 tcphdr_t *tcp;
2670 2675 ipftq_t **ifqp;
2671 2676 {
2672 2677 u_int hv, hvm, pr, v, tryagain;
2673 2678 ipstate_t *is, **isp;
2674 2679 u_short dport, sport;
2675 2680 i6addr_t src, dst;
2676 2681 struct icmp *ic;
2677 2682 ipftq_t *ifq;
2678 2683 int oow;
2679 2684 ipf_stack_t *ifs = fin->fin_ifs;
2680 2685
2681 2686 is = NULL;
2682 2687 ifq = NULL;
2683 2688 tcp = fin->fin_dp;
2684 2689 ic = (struct icmp *)tcp;
2685 2690 hv = (pr = fin->fin_fi.fi_p);
2686 2691 src = fin->fin_fi.fi_src;
2687 2692 dst = fin->fin_fi.fi_dst;
2688 2693 hv += src.in4.s_addr;
2689 2694 hv += dst.in4.s_addr;
2690 2695
2691 2696 v = fin->fin_fi.fi_v;
2692 2697 #ifdef USE_INET6
2693 2698 if (v == 6) {
2694 2699 hv += fin->fin_fi.fi_src.i6[1];
2695 2700 hv += fin->fin_fi.fi_src.i6[2];
2696 2701 hv += fin->fin_fi.fi_src.i6[3];
2697 2702
2698 2703 if ((fin->fin_p == IPPROTO_ICMPV6) &&
2699 2704 IN6_IS_ADDR_MULTICAST(&fin->fin_fi.fi_dst.in6)) {
2700 2705 hv -= dst.in4.s_addr;
2701 2706 } else {
2702 2707 hv += fin->fin_fi.fi_dst.i6[1];
2703 2708 hv += fin->fin_fi.fi_dst.i6[2];
2704 2709 hv += fin->fin_fi.fi_dst.i6[3];
2705 2710 }
2706 2711 }
2707 2712 #endif
2708 2713 if ((v == 4) &&
2709 2714 (fin->fin_flx & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST))) {
2710 2715 if (fin->fin_out == 0) {
2711 2716 hv -= src.in4.s_addr;
2712 2717 } else {
2713 2718 hv -= dst.in4.s_addr;
2714 2719 }
2715 2720 }
2716 2721
2717 2722 /*
2718 2723 * Search the hash table for matching packet header info.
2719 2724 */
2720 2725 switch (pr)
2721 2726 {
2722 2727 #ifdef USE_INET6
2723 2728 case IPPROTO_ICMPV6 :
2724 2729 tryagain = 0;
2725 2730 if (v == 6) {
2726 2731 if ((ic->icmp_type == ICMP6_ECHO_REQUEST) ||
2727 2732 (ic->icmp_type == ICMP6_ECHO_REPLY)) {
2728 2733 hv += ic->icmp_id;
2729 2734 }
2730 2735 }
2731 2736 READ_ENTER(&ifs->ifs_ipf_state);
2732 2737 icmp6again:
2733 2738 hvm = DOUBLE_HASH(hv, ifs);
2734 2739 for (isp = &ifs->ifs_ips_table[hvm]; ((is = *isp) != NULL); ) {
2735 2740 isp = &is->is_hnext;
2736 2741 if ((is->is_p != pr) || (is->is_v != v))
2737 2742 continue;
2738 2743 is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2739 2744 if (is != NULL &&
2740 2745 fr_matchicmpqueryreply(v, &is->is_icmp,
2741 2746 ic, fin->fin_rev)) {
2742 2747 if (fin->fin_rev)
2743 2748 ifq = &ifs->ifs_ips_icmpacktq;
2744 2749 else
2745 2750 ifq = &ifs->ifs_ips_icmptq;
2746 2751 break;
2747 2752 }
2748 2753 }
2749 2754
2750 2755 if (is != NULL) {
2751 2756 if ((tryagain != 0) && !(is->is_flags & SI_W_DADDR)) {
2752 2757 hv += fin->fin_fi.fi_src.i6[0];
2753 2758 hv += fin->fin_fi.fi_src.i6[1];
2754 2759 hv += fin->fin_fi.fi_src.i6[2];
2755 2760 hv += fin->fin_fi.fi_src.i6[3];
2756 2761 fr_ipsmove(is, hv, ifs);
2757 2762 MUTEX_DOWNGRADE(&ifs->ifs_ipf_state);
2758 2763 }
2759 2764 break;
2760 2765 }
2761 2766 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2762 2767
2763 2768 /*
2764 2769 * No matching icmp state entry. Perhaps this is a
2765 2770 * response to another state entry.
2766 2771 *
2767 2772 * XXX With some ICMP6 packets, the "other" address is already
2768 2773 * in the packet, after the ICMP6 header, and this could be
2769 2774 * used in place of the multicast address. However, taking
2770 2775 * advantage of this requires some significant code changes
2771 2776 * to handle the specific types where that is the case.
2772 2777 */
2773 2778 if ((ifs->ifs_ips_stats.iss_wild != 0) && (v == 6) && (tryagain == 0) &&
2774 2779 !IN6_IS_ADDR_MULTICAST(&fin->fin_fi.fi_src.in6)) {
2775 2780 hv -= fin->fin_fi.fi_src.i6[0];
2776 2781 hv -= fin->fin_fi.fi_src.i6[1];
2777 2782 hv -= fin->fin_fi.fi_src.i6[2];
2778 2783 hv -= fin->fin_fi.fi_src.i6[3];
2779 2784 tryagain = 1;
2780 2785 WRITE_ENTER(&ifs->ifs_ipf_state);
2781 2786 goto icmp6again;
2782 2787 }
2783 2788
2784 2789 is = fr_checkicmp6matchingstate(fin);
2785 2790 if (is != NULL)
2786 2791 return is;
2787 2792 break;
2788 2793 #endif
2789 2794
2790 2795 case IPPROTO_ICMP :
2791 2796 if (v == 4) {
2792 2797 hv += ic->icmp_id;
2793 2798 }
2794 2799 hv = DOUBLE_HASH(hv, ifs);
2795 2800 READ_ENTER(&ifs->ifs_ipf_state);
2796 2801 for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
2797 2802 isp = &is->is_hnext;
2798 2803 if ((is->is_p != pr) || (is->is_v != v))
2799 2804 continue;
2800 2805 is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2801 2806 if (is != NULL &&
2802 2807 fr_matchicmpqueryreply(v, &is->is_icmp,
2803 2808 ic, fin->fin_rev)) {
2804 2809 if (fin->fin_rev)
2805 2810 ifq = &ifs->ifs_ips_icmpacktq;
2806 2811 else
2807 2812 ifq = &ifs->ifs_ips_icmptq;
2808 2813 break;
2809 2814 }
2810 2815 }
2811 2816 if (is == NULL) {
2812 2817 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2813 2818 }
2814 2819 break;
2815 2820
2816 2821 case IPPROTO_TCP :
2817 2822 case IPPROTO_UDP :
2818 2823 ifqp = NULL;
2819 2824 sport = htons(fin->fin_data[0]);
2820 2825 hv += sport;
2821 2826 dport = htons(fin->fin_data[1]);
2822 2827 hv += dport;
2823 2828 oow = 0;
2824 2829 tryagain = 0;
2825 2830 READ_ENTER(&ifs->ifs_ipf_state);
2826 2831 retry_tcpudp:
2827 2832 hvm = DOUBLE_HASH(hv, ifs);
2828 2833 for (isp = &ifs->ifs_ips_table[hvm]; ((is = *isp) != NULL); ) {
2829 2834 isp = &is->is_hnext;
2830 2835 if ((is->is_p != pr) || (is->is_v != v))
2831 2836 continue;
2832 2837 fin->fin_flx &= ~FI_OOW;
2833 2838 is = fr_matchsrcdst(fin, is, &src, &dst, tcp, FI_CMP);
2834 2839 if (is != NULL) {
2835 2840 if (pr == IPPROTO_TCP) {
2836 2841 if (!fr_tcpstate(fin, tcp, is)) {
2837 2842 oow |= fin->fin_flx & FI_OOW;
2838 2843 continue;
2839 2844 }
2840 2845 }
2841 2846 break;
2842 2847 }
2843 2848 }
2844 2849 if (is != NULL) {
2845 2850 if (tryagain &&
2846 2851 !(is->is_flags & (SI_CLONE|SI_WILDP|SI_WILDA))) {
2847 2852 hv += dport;
2848 2853 hv += sport;
2849 2854 fr_ipsmove(is, hv, ifs);
2850 2855 MUTEX_DOWNGRADE(&ifs->ifs_ipf_state);
2851 2856 }
2852 2857 break;
2853 2858 }
2854 2859 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2855 2860
2856 2861 if (ifs->ifs_ips_stats.iss_wild) {
2857 2862 if (tryagain == 0) {
2858 2863 hv -= dport;
2859 2864 hv -= sport;
2860 2865 } else if (tryagain == 1) {
2861 2866 hv = fin->fin_fi.fi_p;
2862 2867 /*
2863 2868 * If we try to pretend this is a reply to a
2864 2869 * multicast/broadcast packet then we need to
2865 2870 * exclude part of the address from the hash
2866 2871 * calculation.
2867 2872 */
2868 2873 if (fin->fin_out == 0) {
2869 2874 hv += src.in4.s_addr;
2870 2875 } else {
2871 2876 hv += dst.in4.s_addr;
2872 2877 }
2873 2878 hv += dport;
2874 2879 hv += sport;
2875 2880 }
2876 2881 tryagain++;
2877 2882 if (tryagain <= 2) {
2878 2883 WRITE_ENTER(&ifs->ifs_ipf_state);
2879 2884 goto retry_tcpudp;
2880 2885 }
2881 2886 }
2882 2887 fin->fin_flx |= oow;
2883 2888 break;
2884 2889
2885 2890 #if 0
2886 2891 case IPPROTO_GRE :
2887 2892 gre = fin->fin_dp;
2888 2893 if (GRE_REV(gre->gr_flags) == 1) {
2889 2894 hv += gre->gr_call;
2890 2895 }
2891 2896 /* FALLTHROUGH */
2892 2897 #endif
2893 2898 default :
2894 2899 ifqp = NULL;
2895 2900 hvm = DOUBLE_HASH(hv, ifs);
2896 2901 READ_ENTER(&ifs->ifs_ipf_state);
2897 2902 for (isp = &ifs->ifs_ips_table[hvm]; ((is = *isp) != NULL); ) {
2898 2903 isp = &is->is_hnext;
2899 2904 if ((is->is_p != pr) || (is->is_v != v))
2900 2905 continue;
2901 2906 is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
2902 2907 if (is != NULL) {
2903 2908 ifq = &ifs->ifs_ips_iptq;
2904 2909 break;
2905 2910 }
2906 2911 }
2907 2912 if (is == NULL) {
2908 2913 RWLOCK_EXIT(&ifs->ifs_ipf_state);
2909 2914 }
2910 2915 break;
2911 2916 }
2912 2917
2913 2918 if ((is != NULL) && ((is->is_sti.tqe_flags & TQE_RULEBASED) != 0) &&
2914 2919 (is->is_tqehead[fin->fin_rev] != NULL))
2915 2920 ifq = is->is_tqehead[fin->fin_rev];
2916 2921 if (ifq != NULL && ifqp != NULL)
2917 2922 *ifqp = ifq;
2918 2923 return is;
2919 2924 }
2920 2925
2921 2926
2922 2927 /* ------------------------------------------------------------------------ */
2923 2928 /* Function: fr_updatestate */
2924 2929 /* Returns: Nil */
2925 2930 /* Parameters: fin(I) - pointer to packet information */
2926 2931 /* is(I) - pointer to state table entry */
2927 2932 /* Read Locks: ipf_state */
2928 2933 /* */
2929 2934 /* Updates packet and byte counters for a newly received packet. Seeds the */
2930 2935 /* fragment cache with a new entry as required. */
2931 2936 /* ------------------------------------------------------------------------ */
2932 2937 void fr_updatestate(fin, is, ifq)
2933 2938 fr_info_t *fin;
2934 2939 ipstate_t *is;
2935 2940 ipftq_t *ifq;
2936 2941 {
2937 2942 ipftqent_t *tqe;
2938 2943 int i, pass;
2939 2944 ipf_stack_t *ifs = fin->fin_ifs;
2940 2945
2941 2946 i = (fin->fin_rev << 1) + fin->fin_out;
2942 2947
2943 2948 /*
2944 2949 * For TCP packets, ifq == NULL. For all others, check if this new
2945 2950 * queue is different to the last one it was on and move it if so.
2946 2951 */
2947 2952 tqe = &is->is_sti;
2948 2953 MUTEX_ENTER(&is->is_lock);
2949 2954 if ((tqe->tqe_flags & TQE_RULEBASED) != 0)
2950 2955 ifq = is->is_tqehead[fin->fin_rev];
2951 2956
2952 2957 if (ifq != NULL)
2953 2958 fr_movequeue(tqe, tqe->tqe_ifq, ifq, ifs);
2954 2959
2955 2960 is->is_pkts[i]++;
2956 2961 fin->fin_pktnum = is->is_pkts[i] + is->is_icmppkts[i];
2957 2962 is->is_bytes[i] += fin->fin_plen;
2958 2963 MUTEX_EXIT(&is->is_lock);
2959 2964
2960 2965 #ifdef IPFILTER_SYNC
2961 2966 if (is->is_flags & IS_STATESYNC)
2962 2967 ipfsync_update(SMC_STATE, fin, is->is_sync);
2963 2968 #endif
2964 2969
2965 2970 ATOMIC_INCL(ifs->ifs_ips_stats.iss_hits);
2966 2971
2967 2972 fin->fin_fr = is->is_rule;
2968 2973
2969 2974 /*
2970 2975 * If this packet is a fragment and the rule says to track fragments,
2971 2976 * then create a new fragment cache entry.
2972 2977 */
2973 2978 pass = is->is_pass;
2974 2979 if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(pass))
2975 2980 (void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
2976 2981 }
2977 2982
2978 2983
2979 2984 /* ------------------------------------------------------------------------ */
2980 2985 /* Function: fr_checkstate */
2981 2986 /* Returns: frentry_t* - NULL == search failed, */
2982 2987 /* else pointer to rule for matching state */
2983 2988 /* Parameters: ifp(I) - pointer to interface */
2984 2989 /* passp(I) - pointer to filtering result flags */
2985 2990 /* */
2986 2991 /* Check if a packet is associated with an entry in the state table. */
2987 2992 /* ------------------------------------------------------------------------ */
2988 2993 frentry_t *fr_checkstate(fin, passp)
2989 2994 fr_info_t *fin;
2990 2995 u_32_t *passp;
2991 2996 {
2992 2997 ipstate_t *is;
2993 2998 frentry_t *fr;
2994 2999 tcphdr_t *tcp;
2995 3000 ipftq_t *ifq;
2996 3001 u_int pass;
2997 3002 ipf_stack_t *ifs = fin->fin_ifs;
2998 3003
2999 3004 if (ifs->ifs_fr_state_lock || (ifs->ifs_ips_list == NULL) ||
3000 3005 (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD)))
3001 3006 return NULL;
3002 3007
3003 3008 is = NULL;
3004 3009 if ((fin->fin_flx & FI_TCPUDP) ||
3005 3010 (fin->fin_fi.fi_p == IPPROTO_ICMP)
3006 3011 #ifdef USE_INET6
3007 3012 || (fin->fin_fi.fi_p == IPPROTO_ICMPV6)
3008 3013 #endif
3009 3014 )
3010 3015 tcp = fin->fin_dp;
3011 3016 else
3012 3017 tcp = NULL;
3013 3018
3014 3019 /*
3015 3020 * Search the hash table for matching packet header info.
3016 3021 */
3017 3022 ifq = NULL;
3018 3023 is = fr_stlookup(fin, tcp, &ifq);
3019 3024 switch (fin->fin_p)
3020 3025 {
3021 3026 #ifdef USE_INET6
3022 3027 case IPPROTO_ICMPV6 :
3023 3028 if (is != NULL)
3024 3029 break;
3025 3030 if (fin->fin_v == 6) {
3026 3031 is = fr_checkicmp6matchingstate(fin);
3027 3032 if (is != NULL)
3028 3033 goto matched;
3029 3034 }
3030 3035 break;
3031 3036 #endif
3032 3037 case IPPROTO_ICMP :
3033 3038 if (is != NULL)
3034 3039 break;
3035 3040 /*
3036 3041 * No matching icmp state entry. Perhaps this is a
3037 3042 * response to another state entry.
3038 3043 */
3039 3044 is = fr_checkicmpmatchingstate(fin);
3040 3045 if (is != NULL)
3041 3046 goto matched;
3042 3047 break;
3043 3048 case IPPROTO_TCP :
3044 3049 if (is == NULL)
3045 3050 break;
3046 3051
3047 3052 if (is->is_pass & FR_NEWISN) {
3048 3053 if (fin->fin_out == 0)
3049 3054 fr_fixinisn(fin, is);
3050 3055 else if (fin->fin_out == 1)
3051 3056 fr_fixoutisn(fin, is);
3052 3057 }
3053 3058 break;
3054 3059 default :
3055 3060 if (fin->fin_rev)
3056 3061 ifq = &ifs->ifs_ips_udpacktq;
3057 3062 else
3058 3063 ifq = &ifs->ifs_ips_udptq;
3059 3064 break;
3060 3065 }
3061 3066 if (is == NULL) {
3062 3067 ATOMIC_INCL(ifs->ifs_ips_stats.iss_miss);
3063 3068 return NULL;
3064 3069 }
3065 3070
3066 3071 matched:
3067 3072 fr = is->is_rule;
3068 3073 if (fr != NULL) {
3069 3074 if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
3070 3075 if (fin->fin_nattag == NULL) {
3071 3076 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3072 3077 return NULL;
3073 3078 }
3074 3079 if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) != 0) {
3075 3080 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3076 3081 return NULL;
3077 3082 }
3078 3083 }
3079 3084 (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
3080 3085 fin->fin_icode = fr->fr_icode;
3081 3086 }
3082 3087
3083 3088 fin->fin_rule = is->is_rulen;
3084 3089 pass = is->is_pass;
3085 3090 fr_updatestate(fin, is, ifq);
3086 3091
3087 3092 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3088 3093 fin->fin_flx |= FI_STATE;
3089 3094 if ((pass & FR_LOGFIRST) != 0)
3090 3095 pass &= ~(FR_LOGFIRST|FR_LOG);
3091 3096 *passp = pass;
3092 3097 return fr;
3093 3098 }
3094 3099
3095 3100
3096 3101 /* ------------------------------------------------------------------------ */
3097 3102 /* Function: fr_fixoutisn */
3098 3103 /* Returns: Nil */
3099 3104 /* Parameters: fin(I) - pointer to packet information */
3100 3105 /* is(I) - pointer to master state structure */
3101 3106 /* */
3102 3107 /* Called only for outbound packets, adjusts the sequence number and the */
3103 3108 /* TCP checksum to match that change. */
3104 3109 /* ------------------------------------------------------------------------ */
3105 3110 static void fr_fixoutisn(fin, is)
3106 3111 fr_info_t *fin;
3107 3112 ipstate_t *is;
3108 3113 {
3109 3114 tcphdr_t *tcp;
3110 3115 int rev;
3111 3116 u_32_t seq;
3112 3117
3113 3118 tcp = fin->fin_dp;
3114 3119 rev = fin->fin_rev;
3115 3120 if ((is->is_flags & IS_ISNSYN) != 0) {
3116 3121 if (rev == 0) {
3117 3122 seq = ntohl(tcp->th_seq);
3118 3123 seq += is->is_isninc[0];
3119 3124 tcp->th_seq = htonl(seq);
3120 3125 fix_outcksum(&tcp->th_sum, is->is_sumd[0]);
3121 3126 }
3122 3127 }
3123 3128 if ((is->is_flags & IS_ISNACK) != 0) {
3124 3129 if (rev == 1) {
3125 3130 seq = ntohl(tcp->th_seq);
3126 3131 seq += is->is_isninc[1];
3127 3132 tcp->th_seq = htonl(seq);
3128 3133 fix_outcksum(&tcp->th_sum, is->is_sumd[1]);
3129 3134 }
3130 3135 }
3131 3136 }
3132 3137
3133 3138
3134 3139 /* ------------------------------------------------------------------------ */
3135 3140 /* Function: fr_fixinisn */
3136 3141 /* Returns: Nil */
3137 3142 /* Parameters: fin(I) - pointer to packet information */
3138 3143 /* is(I) - pointer to master state structure */
3139 3144 /* */
3140 3145 /* Called only for inbound packets, adjusts the acknowledge number and the */
3141 3146 /* TCP checksum to match that change. */
3142 3147 /* ------------------------------------------------------------------------ */
3143 3148 static void fr_fixinisn(fin, is)
3144 3149 fr_info_t *fin;
3145 3150 ipstate_t *is;
3146 3151 {
3147 3152 tcphdr_t *tcp;
3148 3153 int rev;
3149 3154 u_32_t ack;
3150 3155
3151 3156 tcp = fin->fin_dp;
3152 3157 rev = fin->fin_rev;
3153 3158 if ((is->is_flags & IS_ISNSYN) != 0) {
3154 3159 if (rev == 1) {
3155 3160 ack = ntohl(tcp->th_ack);
3156 3161 ack -= is->is_isninc[0];
3157 3162 tcp->th_ack = htonl(ack);
3158 3163 fix_incksum(&tcp->th_sum, is->is_sumd[0]);
3159 3164 }
3160 3165 }
3161 3166 if ((is->is_flags & IS_ISNACK) != 0) {
3162 3167 if (rev == 0) {
3163 3168 ack = ntohl(tcp->th_ack);
3164 3169 ack -= is->is_isninc[1];
3165 3170 tcp->th_ack = htonl(ack);
3166 3171 fix_incksum(&tcp->th_sum, is->is_sumd[1]);
3167 3172 }
3168 3173 }
3169 3174 }
3170 3175
3171 3176
3172 3177 /* ------------------------------------------------------------------------ */
3173 3178 /* Function: fr_statesync */
3174 3179 /* Returns: Nil */
3175 3180 /* Parameters: action(I) - type of synchronisation to do */
3176 3181 /* v(I) - IP version being sync'd (v4 or v6) */
3177 3182 /* ifp(I) - interface identifier associated with action */
3178 3183 /* name(I) - name associated with ifp parameter */
3179 3184 /* */
3180 3185 /* Walk through all state entries and if an interface pointer match is */
3181 3186 /* found then look it up again, based on its name in case the pointer has */
3182 3187 /* changed since last time. */
3183 3188 /* */
3184 3189 /* If ifp is passed in as being non-null then we are only doing updates for */
3185 3190 /* existing, matching, uses of it. */
3186 3191 /* ------------------------------------------------------------------------ */
3187 3192 void fr_statesync(action, v, ifp, name, ifs)
3188 3193 int action, v;
3189 3194 void *ifp;
3190 3195 char *name;
3191 3196 ipf_stack_t *ifs;
3192 3197 {
3193 3198 ipstate_t *is;
3194 3199 int i;
3195 3200
3196 3201 if (ifs->ifs_fr_running <= 0)
3197 3202 return;
3198 3203
3199 3204 WRITE_ENTER(&ifs->ifs_ipf_state);
3200 3205
3201 3206 if (ifs->ifs_fr_running <= 0) {
3202 3207 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3203 3208 return;
3204 3209 }
3205 3210
3206 3211 switch (action)
3207 3212 {
3208 3213 case IPFSYNC_RESYNC :
3209 3214 for (is = ifs->ifs_ips_list; is; is = is->is_next) {
3210 3215 if (v != 0 && is->is_v != v)
3211 3216 continue;
3212 3217 /*
3213 3218 * Look up all the interface names in the state entry.
3214 3219 */
3215 3220 for (i = 0; i < 4; i++) {
3216 3221 is->is_ifp[i] = fr_resolvenic(is->is_ifname[i],
3217 3222 is->is_v, ifs);
3218 3223 }
3219 3224 }
3220 3225 break;
3221 3226 case IPFSYNC_NEWIFP :
3222 3227 for (is = ifs->ifs_ips_list; is; is = is->is_next) {
3223 3228 if (v != 0 && is->is_v != v)
3224 3229 continue;
3225 3230 /*
3226 3231 * Look up all the interface names in the state entry.
3227 3232 */
3228 3233 for (i = 0; i < 4; i++) {
3229 3234 if (!strncmp(is->is_ifname[i], name,
3230 3235 sizeof(is->is_ifname[i])))
3231 3236 is->is_ifp[i] = ifp;
3232 3237 }
3233 3238 }
3234 3239 break;
3235 3240 case IPFSYNC_OLDIFP :
3236 3241 for (is = ifs->ifs_ips_list; is; is = is->is_next) {
3237 3242 if (v != 0 && is->is_v != v)
3238 3243 continue;
3239 3244 /*
3240 3245 * Look up all the interface names in the state entry.
3241 3246 */
3242 3247 for (i = 0; i < 4; i++) {
3243 3248 if (is->is_ifp[i] == ifp)
3244 3249 is->is_ifp[i] = (void *)-1;
3245 3250 }
3246 3251 }
3247 3252 break;
3248 3253 }
3249 3254 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3250 3255 }
3251 3256
3252 3257
3253 3258 #if SOLARIS2 >= 10
3254 3259 /* ------------------------------------------------------------------------ */
3255 3260 /* Function: fr_stateifindexsync */
3256 3261 /* Returns: void */
3257 3262 /* Parameters: ifp - current network interface descriptor (ifindex) */
3258 3263 /* newifp - new interface descriptor (new ifindex) */
3259 3264 /* ifs - pointer to IPF stack */
3260 3265 /* */
3261 3266 /* Write Locks: assumes ipf_mutex is locked */
3262 3267 /* */
3263 3268 /* Updates all interface indeces matching to ifp with new interface index */
3264 3269 /* value. */
3265 3270 /* ------------------------------------------------------------------------ */
3266 3271 void fr_stateifindexsync(ifp, newifp, ifs)
3267 3272 void *ifp;
3268 3273 void *newifp;
3269 3274 ipf_stack_t *ifs;
3270 3275 {
3271 3276 ipstate_t *is;
3272 3277 int i;
3273 3278
3274 3279 WRITE_ENTER(&ifs->ifs_ipf_state);
3275 3280
3276 3281 for (is = ifs->ifs_ips_list; is != NULL; is = is->is_next) {
3277 3282
3278 3283 for (i = 0; i < 4; i++) {
3279 3284 if (is->is_ifp[i] == ifp)
3280 3285 is->is_ifp[i] = newifp;
3281 3286 }
3282 3287 }
3283 3288
3284 3289 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3285 3290 }
3286 3291 #endif
3287 3292
3288 3293 /* ------------------------------------------------------------------------ */
3289 3294 /* Function: fr_delstate */
3290 3295 /* Returns: int - 0 = entry deleted, else ref count on entry */
3291 3296 /* Parameters: is(I) - pointer to state structure to delete */
3292 3297 /* why(I) - if not 0, log reason why it was deleted */
3293 3298 /* ifs - ipf stack instance */
3294 3299 /* Write Locks: ipf_state/ipf_global */
3295 3300 /* */
3296 3301 /* Deletes a state entry from the enumerated list as well as the hash table */
3297 3302 /* and timeout queue lists. Make adjustments to hash table statistics and */
3298 3303 /* global counters as required. */
3299 3304 /* ------------------------------------------------------------------------ */
3300 3305 int fr_delstate(is, why, ifs)
3301 3306 ipstate_t *is;
3302 3307 int why;
3303 3308 ipf_stack_t *ifs;
3304 3309 {
3305 3310 int removed = 0;
3306 3311
3307 3312 ASSERT(rw_write_held(&ifs->ifs_ipf_global.ipf_lk) == 0 ||
3308 3313 rw_write_held(&ifs->ifs_ipf_state.ipf_lk) == 0);
3309 3314
3310 3315 /*
3311 3316 * Start by removing the entry from the hash table of state entries
3312 3317 * so it will not be "used" again.
3313 3318 *
3314 3319 * It will remain in the "list" of state entries until all references
3315 3320 * have been accounted for.
3316 3321 */
3317 3322 if (is->is_phnext != NULL) {
3318 3323 removed = 1;
3319 3324 *is->is_phnext = is->is_hnext;
3320 3325 if (is->is_hnext != NULL)
3321 3326 is->is_hnext->is_phnext = is->is_phnext;
3322 3327 if (ifs->ifs_ips_table[is->is_hv] == NULL)
3323 3328 ifs->ifs_ips_stats.iss_inuse--;
3324 3329 ifs->ifs_ips_stats.iss_bucketlen[is->is_hv]--;
3325 3330
3326 3331 is->is_phnext = NULL;
3327 3332 is->is_hnext = NULL;
3328 3333 }
3329 3334
3330 3335 /*
3331 3336 * Because ifs->ifs_ips_stats.iss_wild is a count of entries in the state
3332 3337 * table that have wildcard flags set, only decerement it once
3333 3338 * and do it here.
3334 3339 */
3335 3340 if (is->is_flags & (SI_WILDP|SI_WILDA)) {
3336 3341 if (!(is->is_flags & SI_CLONED)) {
3337 3342 ATOMIC_DECL(ifs->ifs_ips_stats.iss_wild);
3338 3343 }
3339 3344 is->is_flags &= ~(SI_WILDP|SI_WILDA);
3340 3345 }
3341 3346
3342 3347 /*
3343 3348 * Next, remove it from the timeout queue it is in.
3344 3349 */
3345 3350 fr_deletequeueentry(&is->is_sti);
3346 3351
3347 3352 is->is_me = NULL;
3348 3353
3349 3354 /*
3350 3355 * If it is still in use by something else, do not go any further,
3351 3356 * but note that at this point it is now an orphan.
3352 3357 */
3353 3358 MUTEX_ENTER(&is->is_lock);
3354 3359 if (is->is_ref > 1) {
3355 3360 is->is_ref--;
3356 3361 MUTEX_EXIT(&is->is_lock);
3357 3362 if (removed)
3358 3363 ifs->ifs_ips_stats.iss_orphans++;
3359 3364 return (is->is_ref);
3360 3365 }
3361 3366 MUTEX_EXIT(&is->is_lock);
3362 3367
3363 3368 is->is_ref = 0;
3364 3369
3365 3370 /*
3366 3371 * If entry has already been removed from table,
3367 3372 * it means we're simply cleaning up an orphan.
3368 3373 */
3369 3374 if (!removed)
3370 3375 ifs->ifs_ips_stats.iss_orphans--;
3371 3376
3372 3377 if (is->is_tqehead[0] != NULL)
3373 3378 (void) fr_deletetimeoutqueue(is->is_tqehead[0]);
3374 3379
3375 3380 if (is->is_tqehead[1] != NULL)
3376 3381 (void) fr_deletetimeoutqueue(is->is_tqehead[1]);
3377 3382
3378 3383 #ifdef IPFILTER_SYNC
3379 3384 if (is->is_sync)
3380 3385 ipfsync_del(is->is_sync);
3381 3386 #endif
3382 3387 #ifdef IPFILTER_SCAN
3383 3388 (void) ipsc_detachis(is);
3384 3389 #endif
3385 3390
3386 3391 /*
3387 3392 * Now remove it from master list of state table entries.
3388 3393 */
3389 3394 if (is->is_pnext != NULL) {
|
↓ open down ↓ |
1063 lines elided |
↑ open up ↑ |
3390 3395 *is->is_pnext = is->is_next;
3391 3396 if (is->is_next != NULL) {
3392 3397 is->is_next->is_pnext = is->is_pnext;
3393 3398 is->is_next = NULL;
3394 3399 }
3395 3400 is->is_pnext = NULL;
3396 3401 }
3397 3402
3398 3403 if (ifs->ifs_ipstate_logging != 0 && why != 0)
3399 3404 ipstate_log(is, why, ifs);
3400 -
3405 +#if 0
3406 + /*
3407 + * For now, ipf_log_cfwlog() copes with all "why" values.
3408 + * strictly speaking, though, they all map to one event, which for
3409 + * now is not supported.
3410 + */
3411 + if (why != 0 && IFS_CFWLOG(ifs))
3412 + ipf_log_cfwlog(is, why, ifs);
3413 +#endif
3401 3414 if (is->is_rule != NULL) {
3402 3415 is->is_rule->fr_statecnt--;
3403 3416 (void)fr_derefrule(&is->is_rule, ifs);
3404 3417 }
3405 3418
3406 3419 MUTEX_DESTROY(&is->is_lock);
3407 3420 KFREE(is);
3408 3421 ifs->ifs_ips_num--;
3409 3422
3410 3423 return (0);
3411 3424 }
3412 3425
3413 3426
3414 3427 /* ------------------------------------------------------------------------ */
3415 3428 /* Function: fr_timeoutstate */
3416 3429 /* Returns: Nil */
3417 3430 /* Parameters: ifs - ipf stack instance */
3418 3431 /* */
3419 3432 /* Slowly expire held state for thingslike UDP and ICMP. The algorithm */
3420 3433 /* used here is to keep the queue sorted with the oldest things at the top */
3421 3434 /* and the youngest at the bottom. So if the top one doesn't need to be */
3422 3435 /* expired then neither will any under it. */
3423 3436 /* ------------------------------------------------------------------------ */
3424 3437 void fr_timeoutstate(ifs)
3425 3438 ipf_stack_t *ifs;
3426 3439 {
3427 3440 ipftq_t *ifq, *ifqnext;
3428 3441 ipftqent_t *tqe, *tqn;
3429 3442 ipstate_t *is;
3430 3443 SPL_INT(s);
3431 3444
3432 3445 SPL_NET(s);
3433 3446 WRITE_ENTER(&ifs->ifs_ipf_state);
3434 3447 for (ifq = ifs->ifs_ips_tqtqb; ifq != NULL; ifq = ifq->ifq_next)
3435 3448 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
3436 3449 if (tqe->tqe_die > ifs->ifs_fr_ticks)
3437 3450 break;
3438 3451 tqn = tqe->tqe_next;
3439 3452 is = tqe->tqe_parent;
3440 3453 (void) fr_delstate(is, ISL_EXPIRE, ifs);
3441 3454 }
3442 3455
3443 3456 for (ifq = ifs->ifs_ips_utqe; ifq != NULL; ifq = ifq->ifq_next) {
3444 3457 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
3445 3458 if (tqe->tqe_die > ifs->ifs_fr_ticks)
3446 3459 break;
3447 3460 tqn = tqe->tqe_next;
3448 3461 is = tqe->tqe_parent;
3449 3462 (void) fr_delstate(is, ISL_EXPIRE, ifs);
3450 3463 }
3451 3464 }
3452 3465
3453 3466 for (ifq = ifs->ifs_ips_utqe; ifq != NULL; ifq = ifqnext) {
3454 3467 ifqnext = ifq->ifq_next;
3455 3468
3456 3469 if (((ifq->ifq_flags & IFQF_DELETE) != 0) &&
3457 3470 (ifq->ifq_ref == 0)) {
3458 3471 fr_freetimeoutqueue(ifq, ifs);
3459 3472 }
3460 3473 }
3461 3474
3462 3475 if (ifs->ifs_fr_state_doflush) {
3463 3476 (void) fr_state_flush(FLUSH_TABLE_EXTRA, 0, ifs);
3464 3477 ifs->ifs_fr_state_doflush = 0;
3465 3478 }
3466 3479 RWLOCK_EXIT(&ifs->ifs_ipf_state);
3467 3480 SPL_X(s);
3468 3481 }
3469 3482
3470 3483
3471 3484 /* ---------------------------------------------------------------------- */
3472 3485 /* Function: fr_state_flush */
3473 3486 /* Returns: int - 0 == success, -1 == failure */
3474 3487 /* Parameters: flush_option - how to flush the active State table */
3475 3488 /* proto - IP version to flush (4, 6, or both) */
3476 3489 /* ifs - ipf stack instance */
3477 3490 /* Write Locks: ipf_state */
3478 3491 /* */
3479 3492 /* Flush state tables. Three possible flush options currently defined: */
3480 3493 /* */
3481 3494 /* FLUSH_TABLE_ALL : Flush all state table entries */
3482 3495 /* */
3483 3496 /* FLUSH_TABLE_CLOSING : Flush entries with TCP connections which */
3484 3497 /* have started to close on both ends using */
3485 3498 /* ipf_flushclosing(). */
3486 3499 /* */
3487 3500 /* FLUSH_TABLE_EXTRA : First, flush entries which are "almost" closed. */
3488 3501 /* Then, if needed, flush entries with TCP */
3489 3502 /* connections which have been idle for a long */
3490 3503 /* time with ipf_extraflush(). */
3491 3504 /* ---------------------------------------------------------------------- */
3492 3505 static int fr_state_flush(flush_option, proto, ifs)
3493 3506 int flush_option, proto;
3494 3507 ipf_stack_t *ifs;
3495 3508 {
3496 3509 ipstate_t *is, *isn;
3497 3510 int removed;
3498 3511 SPL_INT(s);
3499 3512
3500 3513 removed = 0;
3501 3514
3502 3515 SPL_NET(s);
3503 3516 switch (flush_option)
3504 3517 {
3505 3518 case FLUSH_TABLE_ALL:
3506 3519 isn = ifs->ifs_ips_list;
3507 3520 while ((is = isn) != NULL) {
3508 3521 isn = is->is_next;
3509 3522 if ((proto != 0) && (is->is_v != proto))
3510 3523 continue;
3511 3524 if (fr_delstate(is, ISL_FLUSH, ifs) == 0)
3512 3525 removed++;
3513 3526 }
3514 3527 break;
3515 3528
3516 3529 case FLUSH_TABLE_CLOSING:
3517 3530 removed = ipf_flushclosing(STATE_FLUSH,
3518 3531 IPF_TCPS_CLOSE_WAIT,
3519 3532 ifs->ifs_ips_tqtqb,
3520 3533 ifs->ifs_ips_utqe,
3521 3534 ifs);
3522 3535 break;
3523 3536
3524 3537 case FLUSH_TABLE_EXTRA:
3525 3538 removed = ipf_flushclosing(STATE_FLUSH,
3526 3539 IPF_TCPS_FIN_WAIT_2,
3527 3540 ifs->ifs_ips_tqtqb,
3528 3541 ifs->ifs_ips_utqe,
3529 3542 ifs);
3530 3543
3531 3544 /*
3532 3545 * Be sure we haven't done this in the last 10 seconds.
3533 3546 */
3534 3547 if (ifs->ifs_fr_ticks - ifs->ifs_ips_last_force_flush <
3535 3548 IPF_TTLVAL(10))
3536 3549 break;
3537 3550 ifs->ifs_ips_last_force_flush = ifs->ifs_fr_ticks;
3538 3551 removed += ipf_extraflush(STATE_FLUSH,
3539 3552 &ifs->ifs_ips_tqtqb[IPF_TCPS_ESTABLISHED],
3540 3553 ifs->ifs_ips_utqe,
3541 3554 ifs);
3542 3555 break;
3543 3556
3544 3557 default: /* Flush Nothing */
3545 3558 break;
3546 3559 }
3547 3560
3548 3561 SPL_X(s);
3549 3562 return (removed);
3550 3563 }
3551 3564
3552 3565
3553 3566 /* ------------------------------------------------------------------------ */
3554 3567 /* Function: fr_tcp_age */
3555 3568 /* Returns: int - 1 == state transition made, 0 == no change (rejected) */
3556 3569 /* Parameters: tq(I) - pointer to timeout queue information */
3557 3570 /* fin(I) - pointer to packet information */
3558 3571 /* tqtab(I) - TCP timeout queue table this is in */
3559 3572 /* flags(I) - flags from state/NAT entry */
3560 3573 /* */
3561 3574 /* Rewritten by Arjan de Vet <Arjan.deVet@adv.iae.nl>, 2000-07-29: */
3562 3575 /* */
3563 3576 /* - (try to) base state transitions on real evidence only, */
3564 3577 /* i.e. packets that are sent and have been received by ipfilter; */
3565 3578 /* diagram 18.12 of TCP/IP volume 1 by W. Richard Stevens was used. */
3566 3579 /* */
3567 3580 /* - deal with half-closed connections correctly; */
3568 3581 /* */
3569 3582 /* - store the state of the source in state[0] such that ipfstat */
3570 3583 /* displays the state as source/dest instead of dest/source; the calls */
3571 3584 /* to fr_tcp_age have been changed accordingly. */
3572 3585 /* */
3573 3586 /* Internal Parameters: */
3574 3587 /* */
3575 3588 /* state[0] = state of source (host that initiated connection) */
3576 3589 /* state[1] = state of dest (host that accepted the connection) */
3577 3590 /* */
3578 3591 /* dir == 0 : a packet from source to dest */
3579 3592 /* dir == 1 : a packet from dest to source */
3580 3593 /* */
3581 3594 /* Locking: it is assumed that the parent of the tqe structure is locked. */
3582 3595 /* ------------------------------------------------------------------------ */
3583 3596 int fr_tcp_age(tqe, fin, tqtab, flags)
3584 3597 ipftqent_t *tqe;
3585 3598 fr_info_t *fin;
3586 3599 ipftq_t *tqtab;
3587 3600 int flags;
3588 3601 {
3589 3602 int dlen, ostate, nstate, rval, dir;
3590 3603 u_char tcpflags;
3591 3604 tcphdr_t *tcp;
3592 3605 ipf_stack_t *ifs = fin->fin_ifs;
3593 3606
3594 3607 tcp = fin->fin_dp;
3595 3608
3596 3609 rval = 0;
3597 3610 dir = fin->fin_rev;
3598 3611 tcpflags = tcp->th_flags;
3599 3612 dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
3600 3613
3601 3614 ostate = tqe->tqe_state[1 - dir];
3602 3615 nstate = tqe->tqe_state[dir];
3603 3616
3604 3617 DTRACE_PROBE4(
3605 3618 indata,
3606 3619 fr_info_t *, fin,
3607 3620 int, ostate,
3608 3621 int, nstate,
3609 3622 u_char, tcpflags
3610 3623 );
3611 3624
3612 3625 if (tcpflags & TH_RST) {
3613 3626 if (!(tcpflags & TH_PUSH) && !dlen)
3614 3627 nstate = IPF_TCPS_CLOSED;
3615 3628 else
3616 3629 nstate = IPF_TCPS_CLOSE_WAIT;
3617 3630
3618 3631 /*
3619 3632 * Once RST is received, we must advance peer's state to
3620 3633 * CLOSE_WAIT.
3621 3634 */
3622 3635 if (ostate <= IPF_TCPS_ESTABLISHED) {
3623 3636 tqe->tqe_state[1 - dir] = IPF_TCPS_CLOSE_WAIT;
3624 3637 }
3625 3638 rval = 1;
3626 3639 } else {
3627 3640
3628 3641 switch (nstate)
3629 3642 {
3630 3643 case IPF_TCPS_LISTEN: /* 0 */
3631 3644 if ((tcpflags & TH_OPENING) == TH_OPENING) {
3632 3645 /*
3633 3646 * 'dir' received an S and sends SA in
3634 3647 * response, CLOSED -> SYN_RECEIVED
3635 3648 */
3636 3649 nstate = IPF_TCPS_SYN_RECEIVED;
3637 3650 rval = 1;
3638 3651 } else if ((tcpflags & TH_OPENING) == TH_SYN) {
3639 3652 /* 'dir' sent S, CLOSED -> SYN_SENT */
3640 3653 nstate = IPF_TCPS_SYN_SENT;
3641 3654 rval = 1;
3642 3655 }
3643 3656 /*
3644 3657 * the next piece of code makes it possible to get
3645 3658 * already established connections into the state table
3646 3659 * after a restart or reload of the filter rules; this
3647 3660 * does not work when a strict 'flags S keep state' is
3648 3661 * used for tcp connections of course
3649 3662 */
3650 3663 if (((flags & IS_TCPFSM) == 0) &&
3651 3664 ((tcpflags & TH_ACKMASK) == TH_ACK)) {
3652 3665 /*
3653 3666 * we saw an A, guess 'dir' is in ESTABLISHED
3654 3667 * mode
3655 3668 */
3656 3669 switch (ostate)
3657 3670 {
3658 3671 case IPF_TCPS_LISTEN :
3659 3672 case IPF_TCPS_SYN_RECEIVED :
3660 3673 nstate = IPF_TCPS_HALF_ESTAB;
3661 3674 rval = 1;
3662 3675 break;
3663 3676 case IPF_TCPS_HALF_ESTAB :
3664 3677 case IPF_TCPS_ESTABLISHED :
3665 3678 nstate = IPF_TCPS_ESTABLISHED;
3666 3679 rval = 1;
3667 3680 break;
3668 3681 default :
3669 3682 break;
3670 3683 }
3671 3684 }
3672 3685 /*
3673 3686 * TODO: besides regular ACK packets we can have other
3674 3687 * packets as well; it is yet to be determined how we
3675 3688 * should initialize the states in those cases
3676 3689 */
3677 3690 break;
3678 3691
3679 3692 case IPF_TCPS_SYN_SENT: /* 1 */
3680 3693 if ((tcpflags & ~(TH_ECN|TH_CWR)) == TH_SYN) {
3681 3694 /*
3682 3695 * A retransmitted SYN packet. We do not reset
3683 3696 * the timeout here to fr_tcptimeout because a
3684 3697 * connection connect timeout does not renew
3685 3698 * after every packet that is sent. We need to
3686 3699 * set rval so as to indicate the packet has
3687 3700 * passed the check for its flags being valid
3688 3701 * in the TCP FSM. Setting rval to 2 has the
3689 3702 * result of not resetting the timeout.
3690 3703 */
3691 3704 rval = 2;
3692 3705 } else if ((tcpflags & (TH_SYN|TH_FIN|TH_ACK)) ==
3693 3706 TH_ACK) {
3694 3707 /*
3695 3708 * we see an A from 'dir' which is in SYN_SENT
3696 3709 * state: 'dir' sent an A in response to an SA
3697 3710 * which it received, SYN_SENT -> ESTABLISHED
3698 3711 */
3699 3712 nstate = IPF_TCPS_ESTABLISHED;
3700 3713 rval = 1;
3701 3714 } else if (tcpflags & TH_FIN) {
3702 3715 /*
3703 3716 * we see an F from 'dir' which is in SYN_SENT
3704 3717 * state and wants to close its side of the
3705 3718 * connection; SYN_SENT -> FIN_WAIT_1
3706 3719 */
3707 3720 nstate = IPF_TCPS_FIN_WAIT_1;
3708 3721 rval = 1;
3709 3722 } else if ((tcpflags & TH_OPENING) == TH_OPENING) {
3710 3723 /*
3711 3724 * we see an SA from 'dir' which is already in
3712 3725 * SYN_SENT state, this means we have a
3713 3726 * simultaneous open; SYN_SENT -> SYN_RECEIVED
3714 3727 */
3715 3728 nstate = IPF_TCPS_SYN_RECEIVED;
3716 3729 rval = 1;
3717 3730 }
3718 3731 break;
3719 3732
3720 3733 case IPF_TCPS_SYN_RECEIVED: /* 2 */
3721 3734 if ((tcpflags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) {
3722 3735 /*
3723 3736 * we see an A from 'dir' which was in
3724 3737 * SYN_RECEIVED state so it must now be in
3725 3738 * established state, SYN_RECEIVED ->
3726 3739 * ESTABLISHED
3727 3740 */
3728 3741 nstate = IPF_TCPS_ESTABLISHED;
3729 3742 rval = 1;
3730 3743 } else if ((tcpflags & ~(TH_ECN|TH_CWR)) ==
3731 3744 TH_OPENING) {
3732 3745 /*
3733 3746 * We see an SA from 'dir' which is already in
3734 3747 * SYN_RECEIVED state.
3735 3748 */
3736 3749 rval = 2;
3737 3750 } else if (tcpflags & TH_FIN) {
3738 3751 /*
3739 3752 * we see an F from 'dir' which is in
3740 3753 * SYN_RECEIVED state and wants to close its
3741 3754 * side of the connection; SYN_RECEIVED ->
3742 3755 * FIN_WAIT_1
3743 3756 */
3744 3757 nstate = IPF_TCPS_FIN_WAIT_1;
3745 3758 rval = 1;
3746 3759 }
3747 3760 break;
3748 3761
3749 3762 case IPF_TCPS_HALF_ESTAB: /* 3 */
3750 3763 if (tcpflags & TH_FIN) {
3751 3764 nstate = IPF_TCPS_FIN_WAIT_1;
3752 3765 rval = 1;
3753 3766 } else if ((tcpflags & TH_ACKMASK) == TH_ACK) {
3754 3767 /*
3755 3768 * If we've picked up a connection in mid
3756 3769 * flight, we could be looking at a follow on
3757 3770 * packet from the same direction as the one
3758 3771 * that created this state. Recognise it but
3759 3772 * do not advance the entire connection's
3760 3773 * state.
3761 3774 */
3762 3775 switch (ostate)
3763 3776 {
3764 3777 case IPF_TCPS_LISTEN :
3765 3778 case IPF_TCPS_SYN_SENT :
3766 3779 case IPF_TCPS_SYN_RECEIVED :
3767 3780 rval = 1;
3768 3781 break;
3769 3782 case IPF_TCPS_HALF_ESTAB :
3770 3783 case IPF_TCPS_ESTABLISHED :
3771 3784 nstate = IPF_TCPS_ESTABLISHED;
3772 3785 rval = 1;
3773 3786 break;
3774 3787 default :
3775 3788 break;
3776 3789 }
3777 3790 }
3778 3791 break;
3779 3792
3780 3793 case IPF_TCPS_ESTABLISHED: /* 4 */
3781 3794 rval = 1;
3782 3795 if (tcpflags & TH_FIN) {
3783 3796 /*
3784 3797 * 'dir' closed its side of the connection;
3785 3798 * this gives us a half-closed connection;
3786 3799 * ESTABLISHED -> FIN_WAIT_1
3787 3800 */
3788 3801 if (ostate == IPF_TCPS_FIN_WAIT_1) {
3789 3802 nstate = IPF_TCPS_CLOSING;
3790 3803 } else {
3791 3804 nstate = IPF_TCPS_FIN_WAIT_1;
3792 3805 }
3793 3806 } else if (tcpflags & TH_ACK) {
3794 3807 /*
3795 3808 * an ACK, should we exclude other flags here?
3796 3809 */
3797 3810 if (ostate == IPF_TCPS_FIN_WAIT_1) {
3798 3811 /*
3799 3812 * We know the other side did an active
3800 3813 * close, so we are ACKing the recvd
3801 3814 * FIN packet (does the window matching
3802 3815 * code guarantee this?) and go into
3803 3816 * CLOSE_WAIT state; this gives us a
3804 3817 * half-closed connection
3805 3818 */
3806 3819 nstate = IPF_TCPS_CLOSE_WAIT;
3807 3820 } else if (ostate < IPF_TCPS_CLOSE_WAIT) {
3808 3821 /*
3809 3822 * still a fully established
3810 3823 * connection reset timeout
3811 3824 */
3812 3825 nstate = IPF_TCPS_ESTABLISHED;
3813 3826 }
3814 3827 }
3815 3828 break;
3816 3829
3817 3830 case IPF_TCPS_CLOSE_WAIT: /* 5 */
3818 3831 rval = 1;
3819 3832 if (tcpflags & TH_FIN) {
3820 3833 /*
3821 3834 * application closed and 'dir' sent a FIN,
3822 3835 * we're now going into LAST_ACK state
3823 3836 */
3824 3837 nstate = IPF_TCPS_LAST_ACK;
3825 3838 } else {
3826 3839 /*
3827 3840 * we remain in CLOSE_WAIT because the other
3828 3841 * side has closed already and we did not
3829 3842 * close our side yet; reset timeout
3830 3843 */
3831 3844 nstate = IPF_TCPS_CLOSE_WAIT;
3832 3845 }
3833 3846 break;
3834 3847
3835 3848 case IPF_TCPS_FIN_WAIT_1: /* 6 */
3836 3849 rval = 1;
3837 3850 if ((tcpflags & TH_ACK) &&
3838 3851 ostate > IPF_TCPS_CLOSE_WAIT) {
3839 3852 /*
3840 3853 * if the other side is not active anymore
3841 3854 * it has sent us a FIN packet that we are
3842 3855 * ack'ing now with an ACK; this means both
3843 3856 * sides have now closed the connection and
3844 3857 * we go into LAST_ACK
3845 3858 */
3846 3859 /*
3847 3860 * XXX: how do we know we really are ACKing
3848 3861 * the FIN packet here? does the window code
3849 3862 * guarantee that?
3850 3863 */
3851 3864 nstate = IPF_TCPS_LAST_ACK;
3852 3865 } else {
3853 3866 /*
3854 3867 * we closed our side of the connection
3855 3868 * already but the other side is still active
3856 3869 * (ESTABLISHED/CLOSE_WAIT); continue with
3857 3870 * this half-closed connection
3858 3871 */
3859 3872 nstate = IPF_TCPS_FIN_WAIT_1;
3860 3873 }
3861 3874 break;
3862 3875
3863 3876 case IPF_TCPS_CLOSING: /* 7 */
3864 3877 if ((tcpflags & (TH_FIN|TH_ACK)) == TH_ACK) {
3865 3878 nstate = IPF_TCPS_TIME_WAIT;
3866 3879 }
3867 3880 rval = 1;
3868 3881 break;
3869 3882
3870 3883 case IPF_TCPS_LAST_ACK: /* 8 */
3871 3884 /*
3872 3885 * We want to reset timer here to keep state in table.
3873 3886 * If we would allow the state to time out here, while
3874 3887 * there would still be packets being retransmitted, we
3875 3888 * would cut off line between the two peers preventing
3876 3889 * them to close connection properly.
3877 3890 */
3878 3891 rval = 1;
3879 3892 break;
3880 3893
3881 3894 case IPF_TCPS_FIN_WAIT_2: /* 9 */
3882 3895 /* NOT USED */
3883 3896 break;
3884 3897
3885 3898 case IPF_TCPS_TIME_WAIT: /* 10 */
3886 3899 /* we're in 2MSL timeout now */
3887 3900 if (ostate == IPF_TCPS_LAST_ACK) {
3888 3901 nstate = IPF_TCPS_CLOSED;
3889 3902 rval = 1;
3890 3903 } else {
3891 3904 rval = 2;
3892 3905 }
3893 3906 break;
3894 3907
3895 3908 case IPF_TCPS_CLOSED: /* 11 */
3896 3909 rval = 2;
3897 3910 break;
3898 3911
3899 3912 default :
3900 3913 #if defined(_KERNEL)
3901 3914 ASSERT(nstate >= IPF_TCPS_LISTEN &&
3902 3915 nstate <= IPF_TCPS_CLOSED);
3903 3916 #else
3904 3917 abort();
3905 3918 #endif
3906 3919 break;
3907 3920 }
3908 3921 }
3909 3922
3910 3923 /*
3911 3924 * If rval == 2 then do not update the queue position, but treat the
3912 3925 * packet as being ok.
3913 3926 */
3914 3927 if (rval == 2) {
3915 3928 DTRACE_PROBE1(state_keeping_timer, int, nstate);
3916 3929 rval = 1;
3917 3930 }
3918 3931 else if (rval == 1) {
3919 3932 tqe->tqe_state[dir] = nstate;
3920 3933 /*
3921 3934 * The nstate can either advance to a new state, or remain
3922 3935 * unchanged, resetting the timer by moving to the bottom of
3923 3936 * the queue.
|
↓ open down ↓ |
513 lines elided |
↑ open up ↑ |
3924 3937 */
3925 3938 DTRACE_PROBE1(state_done, int, nstate);
3926 3939
3927 3940 if ((tqe->tqe_flags & TQE_RULEBASED) == 0)
3928 3941 fr_movequeue(tqe, tqe->tqe_ifq, tqtab + nstate, ifs);
3929 3942 }
3930 3943
3931 3944 return rval;
3932 3945 }
3933 3946
3934 -
3935 3947 /* ------------------------------------------------------------------------ */
3936 3948 /* Function: ipstate_log */
3937 3949 /* Returns: Nil */
3938 3950 /* Parameters: is(I) - pointer to state structure */
3939 3951 /* type(I) - type of log entry to create */
3940 3952 /* */
3941 3953 /* Creates a state table log entry using the state structure and type info. */
3942 3954 /* passed in. Log packet/byte counts, source/destination address and other */
3943 3955 /* protocol specific information. */
3944 3956 /* ------------------------------------------------------------------------ */
3945 3957 void ipstate_log(is, type, ifs)
3946 3958 struct ipstate *is;
3947 3959 u_int type;
3948 3960 ipf_stack_t *ifs;
3949 3961 {
3950 3962 #ifdef IPFILTER_LOG
3951 3963 struct ipslog ipsl;
3952 3964 size_t sizes[1];
3953 3965 void *items[1];
3954 3966 int types[1];
3955 3967
3956 3968 /*
3957 3969 * Copy information out of the ipstate_t structure and into the
3958 3970 * structure used for logging.
3959 3971 */
3960 3972 ipsl.isl_type = type;
3961 3973 ipsl.isl_pkts[0] = is->is_pkts[0] + is->is_icmppkts[0];
3962 3974 ipsl.isl_bytes[0] = is->is_bytes[0];
3963 3975 ipsl.isl_pkts[1] = is->is_pkts[1] + is->is_icmppkts[1];
3964 3976 ipsl.isl_bytes[1] = is->is_bytes[1];
3965 3977 ipsl.isl_pkts[2] = is->is_pkts[2] + is->is_icmppkts[2];
3966 3978 ipsl.isl_bytes[2] = is->is_bytes[2];
3967 3979 ipsl.isl_pkts[3] = is->is_pkts[3] + is->is_icmppkts[3];
3968 3980 ipsl.isl_bytes[3] = is->is_bytes[3];
3969 3981 ipsl.isl_src = is->is_src;
3970 3982 ipsl.isl_dst = is->is_dst;
3971 3983 ipsl.isl_p = is->is_p;
3972 3984 ipsl.isl_v = is->is_v;
3973 3985 ipsl.isl_flags = is->is_flags;
3974 3986 ipsl.isl_tag = is->is_tag;
3975 3987 ipsl.isl_rulen = is->is_rulen;
3976 3988 (void) strncpy(ipsl.isl_group, is->is_group, FR_GROUPLEN);
3977 3989
3978 3990 if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
3979 3991 ipsl.isl_sport = is->is_sport;
3980 3992 ipsl.isl_dport = is->is_dport;
3981 3993 if (ipsl.isl_p == IPPROTO_TCP) {
3982 3994 ipsl.isl_state[0] = is->is_state[0];
3983 3995 ipsl.isl_state[1] = is->is_state[1];
3984 3996 }
3985 3997 } else if (ipsl.isl_p == IPPROTO_ICMP) {
3986 3998 ipsl.isl_itype = is->is_icmp.ici_type;
3987 3999 } else if (ipsl.isl_p == IPPROTO_ICMPV6) {
3988 4000 ipsl.isl_itype = is->is_icmp.ici_type;
3989 4001 } else {
3990 4002 ipsl.isl_ps.isl_filler[0] = 0;
3991 4003 ipsl.isl_ps.isl_filler[1] = 0;
3992 4004 }
3993 4005
3994 4006 items[0] = &ipsl;
3995 4007 sizes[0] = sizeof(ipsl);
3996 4008 types[0] = 0;
3997 4009
3998 4010 if (ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1, ifs)) {
3999 4011 ATOMIC_INCL(ifs->ifs_ips_stats.iss_logged);
4000 4012 } else {
4001 4013 ATOMIC_INCL(ifs->ifs_ips_stats.iss_logfail);
4002 4014 }
4003 4015 #endif
4004 4016 }
4005 4017
4006 4018
4007 4019 #ifdef USE_INET6
4008 4020 /* ------------------------------------------------------------------------ */
4009 4021 /* Function: fr_checkicmp6matchingstate */
4010 4022 /* Returns: ipstate_t* - NULL == no match found, */
4011 4023 /* else pointer to matching state entry */
4012 4024 /* Parameters: fin(I) - pointer to packet information */
4013 4025 /* Locks: NULL == no locks, else Read Lock on ipf_state */
4014 4026 /* */
4015 4027 /* If we've got an ICMPv6 error message, using the information stored in */
4016 4028 /* the ICMPv6 packet, look for a matching state table entry. */
4017 4029 /* ------------------------------------------------------------------------ */
4018 4030 static ipstate_t *fr_checkicmp6matchingstate(fin)
4019 4031 fr_info_t *fin;
4020 4032 {
4021 4033 struct icmp6_hdr *ic6, *oic;
4022 4034 int backward, i;
4023 4035 ipstate_t *is, **isp;
4024 4036 u_short sport, dport;
4025 4037 i6addr_t dst, src;
4026 4038 u_short savelen;
4027 4039 icmpinfo_t *ic;
4028 4040 fr_info_t ofin;
4029 4041 tcphdr_t *tcp;
4030 4042 ip6_t *oip6;
4031 4043 u_char pr;
4032 4044 u_int hv;
4033 4045 ipf_stack_t *ifs = fin->fin_ifs;
4034 4046
4035 4047 /*
4036 4048 * Does it at least have the return (basic) IP header ?
4037 4049 * Is it an actual recognised ICMP error type?
4038 4050 * Only a basic IP header (no options) should be with
4039 4051 * an ICMP error header.
4040 4052 */
4041 4053 if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN) ||
4042 4054 !(fin->fin_flx & FI_ICMPERR))
4043 4055 return NULL;
4044 4056
4045 4057 ic6 = fin->fin_dp;
4046 4058
4047 4059 oip6 = (ip6_t *)((char *)ic6 + ICMPERR_ICMPHLEN);
4048 4060 if (fin->fin_plen < sizeof(*oip6))
4049 4061 return NULL;
4050 4062
4051 4063 bcopy((char *)fin, (char *)&ofin, sizeof(*fin));
4052 4064 ofin.fin_v = 6;
4053 4065 ofin.fin_ifp = fin->fin_ifp;
4054 4066 ofin.fin_out = !fin->fin_out;
4055 4067 ofin.fin_m = NULL; /* if dereferenced, panic XXX */
4056 4068 ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
4057 4069
4058 4070 /*
4059 4071 * We make a fin entry to be able to feed it to
4060 4072 * matchsrcdst. Note that not all fields are necessary
4061 4073 * but this is the cleanest way. Note further we fill
4062 4074 * in fin_mp such that if someone uses it we'll get
4063 4075 * a kernel panic. fr_matchsrcdst does not use this.
4064 4076 *
4065 4077 * watch out here, as ip is in host order and oip6 in network
4066 4078 * order. Any change we make must be undone afterwards.
4067 4079 */
4068 4080 savelen = oip6->ip6_plen;
4069 4081 oip6->ip6_plen = fin->fin_dlen - ICMPERR_ICMPHLEN;
4070 4082 ofin.fin_flx = FI_NOCKSUM;
4071 4083 ofin.fin_ip = (ip_t *)oip6;
4072 4084 ofin.fin_plen = oip6->ip6_plen;
4073 4085 (void) fr_makefrip(sizeof(*oip6), (ip_t *)oip6, &ofin);
4074 4086 ofin.fin_flx &= ~(FI_BAD|FI_SHORT);
4075 4087 oip6->ip6_plen = savelen;
4076 4088
4077 4089 if (oip6->ip6_nxt == IPPROTO_ICMPV6) {
4078 4090 oic = (struct icmp6_hdr *)(oip6 + 1);
4079 4091 /*
4080 4092 * an ICMP error can only be generated as a result of an
4081 4093 * ICMP query, not as the response on an ICMP error
4082 4094 *
4083 4095 * XXX theoretically ICMP_ECHOREP and the other reply's are
4084 4096 * ICMP query's as well, but adding them here seems strange XXX
4085 4097 */
4086 4098 if (!(oic->icmp6_type & ICMP6_INFOMSG_MASK))
4087 4099 return NULL;
4088 4100
4089 4101 /*
4090 4102 * perform a lookup of the ICMP packet in the state table
4091 4103 */
4092 4104 hv = (pr = oip6->ip6_nxt);
4093 4105 src.in6 = oip6->ip6_src;
4094 4106 hv += src.in4.s_addr;
4095 4107 dst.in6 = oip6->ip6_dst;
4096 4108 hv += dst.in4.s_addr;
4097 4109 hv += oic->icmp6_id;
4098 4110 hv += oic->icmp6_seq;
4099 4111 hv = DOUBLE_HASH(hv, ifs);
4100 4112
4101 4113 READ_ENTER(&ifs->ifs_ipf_state);
4102 4114 for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
4103 4115 ic = &is->is_icmp;
4104 4116 isp = &is->is_hnext;
4105 4117 if ((is->is_p == pr) &&
4106 4118 !(is->is_pass & FR_NOICMPERR) &&
4107 4119 (oic->icmp6_id == ic->ici_id) &&
4108 4120 (oic->icmp6_seq == ic->ici_seq) &&
4109 4121 (is = fr_matchsrcdst(&ofin, is, &src,
4110 4122 &dst, NULL, FI_ICMPCMP))) {
4111 4123 /*
4112 4124 * in the state table ICMP query's are stored
4113 4125 * with the type of the corresponding ICMP
4114 4126 * response. Correct here
4115 4127 */
4116 4128 if (((ic->ici_type == ICMP6_ECHO_REPLY) &&
4117 4129 (oic->icmp6_type == ICMP6_ECHO_REQUEST)) ||
4118 4130 (ic->ici_type - 1 == oic->icmp6_type )) {
4119 4131 ifs->ifs_ips_stats.iss_hits++;
4120 4132 backward = IP6_NEQ(&is->is_dst, &src);
4121 4133 fin->fin_rev = !backward;
4122 4134 i = (backward << 1) + fin->fin_out;
4123 4135 is->is_icmppkts[i]++;
4124 4136 return is;
4125 4137 }
4126 4138 }
4127 4139 }
4128 4140 RWLOCK_EXIT(&ifs->ifs_ipf_state);
4129 4141 return NULL;
4130 4142 }
4131 4143
4132 4144 hv = (pr = oip6->ip6_nxt);
4133 4145 src.in6 = oip6->ip6_src;
4134 4146 hv += src.i6[0];
4135 4147 hv += src.i6[1];
4136 4148 hv += src.i6[2];
4137 4149 hv += src.i6[3];
4138 4150 dst.in6 = oip6->ip6_dst;
4139 4151 hv += dst.i6[0];
4140 4152 hv += dst.i6[1];
4141 4153 hv += dst.i6[2];
4142 4154 hv += dst.i6[3];
4143 4155
4144 4156 if ((oip6->ip6_nxt == IPPROTO_TCP) || (oip6->ip6_nxt == IPPROTO_UDP)) {
4145 4157 tcp = (tcphdr_t *)(oip6 + 1);
4146 4158 dport = tcp->th_dport;
4147 4159 sport = tcp->th_sport;
4148 4160 hv += dport;
4149 4161 hv += sport;
4150 4162 } else
4151 4163 tcp = NULL;
4152 4164 hv = DOUBLE_HASH(hv, ifs);
4153 4165
4154 4166 READ_ENTER(&ifs->ifs_ipf_state);
4155 4167 for (isp = &ifs->ifs_ips_table[hv]; ((is = *isp) != NULL); ) {
4156 4168 isp = &is->is_hnext;
4157 4169 /*
4158 4170 * Only allow this icmp though if the
4159 4171 * encapsulated packet was allowed through the
4160 4172 * other way around. Note that the minimal amount
4161 4173 * of info present does not allow for checking against
4162 4174 * tcp internals such as seq and ack numbers.
4163 4175 */
4164 4176 if ((is->is_p != pr) || (is->is_v != 6) ||
4165 4177 (is->is_pass & FR_NOICMPERR))
4166 4178 continue;
4167 4179 is = fr_matchsrcdst(&ofin, is, &src, &dst, tcp, FI_ICMPCMP);
4168 4180 if (is != NULL) {
4169 4181 ifs->ifs_ips_stats.iss_hits++;
4170 4182 backward = IP6_NEQ(&is->is_dst, &src);
4171 4183 fin->fin_rev = !backward;
4172 4184 i = (backward << 1) + fin->fin_out;
4173 4185 is->is_icmppkts[i]++;
4174 4186 /*
4175 4187 * we deliberately do not touch the timeouts
4176 4188 * for the accompanying state table entry.
4177 4189 * It remains to be seen if that is correct. XXX
4178 4190 */
4179 4191 return is;
4180 4192 }
4181 4193 }
4182 4194 RWLOCK_EXIT(&ifs->ifs_ipf_state);
4183 4195 return NULL;
4184 4196 }
4185 4197 #endif
4186 4198
4187 4199
4188 4200 /* ------------------------------------------------------------------------ */
4189 4201 /* Function: fr_sttab_init */
4190 4202 /* Returns: Nil */
4191 4203 /* Parameters: tqp(I) - pointer to an array of timeout queues for TCP */
4192 4204 /* */
4193 4205 /* Initialise the array of timeout queues for TCP. */
4194 4206 /* ------------------------------------------------------------------------ */
4195 4207 void fr_sttab_init(tqp, ifs)
4196 4208 ipftq_t *tqp;
4197 4209 ipf_stack_t *ifs;
4198 4210 {
4199 4211 int i;
4200 4212
4201 4213 for (i = IPF_TCP_NSTATES - 1; i >= 0; i--) {
4202 4214 tqp[i].ifq_ttl = 0;
4203 4215 tqp[i].ifq_ref = 1;
4204 4216 tqp[i].ifq_head = NULL;
4205 4217 tqp[i].ifq_tail = &tqp[i].ifq_head;
4206 4218 tqp[i].ifq_next = tqp + i + 1;
4207 4219 MUTEX_INIT(&tqp[i].ifq_lock, "ipftq tcp tab");
4208 4220 }
4209 4221 tqp[IPF_TCP_NSTATES - 1].ifq_next = NULL;
4210 4222 tqp[IPF_TCPS_CLOSED].ifq_ttl = ifs->ifs_fr_tcpclosed;
4211 4223 tqp[IPF_TCPS_LISTEN].ifq_ttl = ifs->ifs_fr_tcptimeout;
4212 4224 tqp[IPF_TCPS_SYN_SENT].ifq_ttl = ifs->ifs_fr_tcptimeout;
4213 4225 tqp[IPF_TCPS_SYN_RECEIVED].ifq_ttl = ifs->ifs_fr_tcptimeout;
4214 4226 tqp[IPF_TCPS_ESTABLISHED].ifq_ttl = ifs->ifs_fr_tcpidletimeout;
4215 4227 tqp[IPF_TCPS_CLOSE_WAIT].ifq_ttl = ifs->ifs_fr_tcphalfclosed;
4216 4228 tqp[IPF_TCPS_FIN_WAIT_1].ifq_ttl = ifs->ifs_fr_tcphalfclosed;
4217 4229 tqp[IPF_TCPS_CLOSING].ifq_ttl = ifs->ifs_fr_tcptimeout;
4218 4230 tqp[IPF_TCPS_LAST_ACK].ifq_ttl = ifs->ifs_fr_tcplastack;
4219 4231 tqp[IPF_TCPS_FIN_WAIT_2].ifq_ttl = ifs->ifs_fr_tcpclosewait;
4220 4232 tqp[IPF_TCPS_TIME_WAIT].ifq_ttl = ifs->ifs_fr_tcptimeout;
4221 4233 tqp[IPF_TCPS_HALF_ESTAB].ifq_ttl = ifs->ifs_fr_tcptimeout;
4222 4234 }
4223 4235
4224 4236
4225 4237 /* ------------------------------------------------------------------------ */
4226 4238 /* Function: fr_sttab_destroy */
4227 4239 /* Returns: Nil */
4228 4240 /* Parameters: tqp(I) - pointer to an array of timeout queues for TCP */
4229 4241 /* */
4230 4242 /* Do whatever is necessary to "destroy" each of the entries in the array */
4231 4243 /* of timeout queues for TCP. */
4232 4244 /* ------------------------------------------------------------------------ */
4233 4245 void fr_sttab_destroy(tqp)
4234 4246 ipftq_t *tqp;
4235 4247 {
4236 4248 int i;
4237 4249
4238 4250 for (i = IPF_TCP_NSTATES - 1; i >= 0; i--)
4239 4251 MUTEX_DESTROY(&tqp[i].ifq_lock);
4240 4252 }
4241 4253
4242 4254
4243 4255 /* ------------------------------------------------------------------------ */
4244 4256 /* Function: fr_statederef */
4245 4257 /* Returns: Nil */
4246 4258 /* Parameters: isp(I) - pointer to pointer to state table entry */
4247 4259 /* ifs - ipf stack instance */
4248 4260 /* */
4249 4261 /* Decrement the reference counter for this state table entry and free it */
4250 4262 /* if there are no more things using it. */
4251 4263 /* */
4252 4264 /* Internal parameters: */
4253 4265 /* state[0] = state of source (host that initiated connection) */
4254 4266 /* state[1] = state of dest (host that accepted the connection) */
4255 4267 /* ------------------------------------------------------------------------ */
4256 4268 void fr_statederef(isp, ifs)
4257 4269 ipstate_t **isp;
4258 4270 ipf_stack_t *ifs;
4259 4271 {
4260 4272 ipstate_t *is;
4261 4273
4262 4274 is = *isp;
4263 4275 *isp = NULL;
4264 4276
4265 4277 MUTEX_ENTER(&is->is_lock);
4266 4278 if (is->is_ref > 1) {
4267 4279 is->is_ref--;
4268 4280 MUTEX_EXIT(&is->is_lock);
4269 4281 #ifndef _KERNEL
4270 4282 if ((is->is_sti.tqe_state[0] > IPF_TCPS_ESTABLISHED) ||
4271 4283 (is->is_sti.tqe_state[1] > IPF_TCPS_ESTABLISHED)) {
4272 4284 (void) fr_delstate(is, ISL_ORPHAN, ifs);
4273 4285 }
4274 4286 #endif
4275 4287 return;
4276 4288 }
4277 4289 MUTEX_EXIT(&is->is_lock);
4278 4290
4279 4291 WRITE_ENTER(&ifs->ifs_ipf_state);
4280 4292 (void) fr_delstate(is, ISL_EXPIRE, ifs);
4281 4293 RWLOCK_EXIT(&ifs->ifs_ipf_state);
4282 4294 }
4283 4295
4284 4296
4285 4297 /* ------------------------------------------------------------------------ */
4286 4298 /* Function: fr_setstatequeue */
4287 4299 /* Returns: Nil */
4288 4300 /* Parameters: is(I) - pointer to state structure */
4289 4301 /* rev(I) - forward(0) or reverse(1) direction */
4290 4302 /* Locks: ipf_state (read or write) */
4291 4303 /* */
4292 4304 /* Put the state entry on its default queue entry, using rev as a helped in */
4293 4305 /* determining which queue it should be placed on. */
4294 4306 /* ------------------------------------------------------------------------ */
4295 4307 void fr_setstatequeue(is, rev, ifs)
4296 4308 ipstate_t *is;
4297 4309 int rev;
4298 4310 ipf_stack_t *ifs;
4299 4311 {
4300 4312 ipftq_t *oifq, *nifq;
4301 4313
4302 4314
4303 4315 if ((is->is_sti.tqe_flags & TQE_RULEBASED) != 0)
4304 4316 nifq = is->is_tqehead[rev];
4305 4317 else
4306 4318 nifq = NULL;
4307 4319
4308 4320 if (nifq == NULL) {
4309 4321 switch (is->is_p)
4310 4322 {
4311 4323 #ifdef USE_INET6
4312 4324 case IPPROTO_ICMPV6 :
4313 4325 if (rev == 1)
4314 4326 nifq = &ifs->ifs_ips_icmpacktq;
4315 4327 else
4316 4328 nifq = &ifs->ifs_ips_icmptq;
4317 4329 break;
4318 4330 #endif
4319 4331 case IPPROTO_ICMP :
4320 4332 if (rev == 1)
4321 4333 nifq = &ifs->ifs_ips_icmpacktq;
4322 4334 else
4323 4335 nifq = &ifs->ifs_ips_icmptq;
4324 4336 break;
4325 4337 case IPPROTO_TCP :
4326 4338 nifq = ifs->ifs_ips_tqtqb + is->is_state[rev];
4327 4339 break;
4328 4340
4329 4341 case IPPROTO_UDP :
4330 4342 if (rev == 1)
4331 4343 nifq = &ifs->ifs_ips_udpacktq;
4332 4344 else
4333 4345 nifq = &ifs->ifs_ips_udptq;
4334 4346 break;
4335 4347
4336 4348 default :
4337 4349 nifq = &ifs->ifs_ips_iptq;
4338 4350 break;
4339 4351 }
4340 4352 }
4341 4353
4342 4354 oifq = is->is_sti.tqe_ifq;
4343 4355 /*
4344 4356 * If it's currently on a timeout queue, move it from one queue to
4345 4357 * another, else put it on the end of the newly determined queue.
4346 4358 */
4347 4359 if (oifq != NULL)
4348 4360 fr_movequeue(&is->is_sti, oifq, nifq, ifs);
4349 4361 else
4350 4362 fr_queueappend(&is->is_sti, nifq, is, ifs);
4351 4363 return;
4352 4364 }
4353 4365
4354 4366
4355 4367 /* ------------------------------------------------------------------------ */
4356 4368 /* Function: fr_stateiter */
4357 4369 /* Returns: int - 0 == success, else error */
4358 4370 /* Parameters: token(I) - pointer to ipftoken structure */
4359 4371 /* itp(I) - pointer to ipfgeniter structure */
4360 4372 /* */
4361 4373 /* This function handles the SIOCGENITER ioctl for the state tables and */
4362 4374 /* walks through the list of entries in the state table list (ips_list.) */
4363 4375 /* ------------------------------------------------------------------------ */
4364 4376 static int fr_stateiter(token, itp, ifs)
4365 4377 ipftoken_t *token;
4366 4378 ipfgeniter_t *itp;
4367 4379 ipf_stack_t *ifs;
4368 4380 {
4369 4381 ipstate_t *is, *next, zero;
4370 4382 int error, count;
4371 4383 char *dst;
4372 4384
4373 4385 if (itp->igi_data == NULL)
4374 4386 return EFAULT;
4375 4387
4376 4388 if (itp->igi_nitems == 0)
4377 4389 return EINVAL;
4378 4390
4379 4391 if (itp->igi_type != IPFGENITER_STATE)
4380 4392 return EINVAL;
4381 4393
4382 4394 error = 0;
4383 4395
4384 4396 READ_ENTER(&ifs->ifs_ipf_state);
4385 4397
4386 4398 /*
4387 4399 * Get "previous" entry from the token and find the next entry.
4388 4400 */
4389 4401 is = token->ipt_data;
4390 4402 if (is == NULL) {
4391 4403 next = ifs->ifs_ips_list;
4392 4404 } else {
4393 4405 next = is->is_next;
4394 4406 }
4395 4407
4396 4408 dst = itp->igi_data;
4397 4409 for (count = itp->igi_nitems; count > 0; count--) {
4398 4410 /*
4399 4411 * If we found an entry, add a reference to it and update the token.
4400 4412 * Otherwise, zero out data to be returned and NULL out token.
4401 4413 */
4402 4414 if (next != NULL) {
4403 4415 MUTEX_ENTER(&next->is_lock);
4404 4416 next->is_ref++;
4405 4417 MUTEX_EXIT(&next->is_lock);
4406 4418 token->ipt_data = next;
4407 4419 } else {
4408 4420 bzero(&zero, sizeof(zero));
4409 4421 next = &zero;
4410 4422 token->ipt_data = NULL;
4411 4423 }
4412 4424
4413 4425 /*
4414 4426 * Safe to release lock now the we have a reference.
4415 4427 */
4416 4428 RWLOCK_EXIT(&ifs->ifs_ipf_state);
4417 4429
4418 4430 /*
4419 4431 * Copy out data and clean up references and tokens.
4420 4432 */
4421 4433 error = COPYOUT(next, dst, sizeof(*next));
4422 4434 if (error != 0)
4423 4435 error = EFAULT;
4424 4436 if (token->ipt_data == NULL) {
4425 4437 ipf_freetoken(token, ifs);
4426 4438 break;
4427 4439 } else {
4428 4440 if (is != NULL)
4429 4441 fr_statederef(&is, ifs);
4430 4442 if (next->is_next == NULL) {
4431 4443 ipf_freetoken(token, ifs);
4432 4444 break;
4433 4445 }
4434 4446 }
4435 4447
4436 4448 if ((count == 1) || (error != 0))
4437 4449 break;
4438 4450
4439 4451 READ_ENTER(&ifs->ifs_ipf_state);
4440 4452 dst += sizeof(*next);
4441 4453 is = next;
4442 4454 next = is->is_next;
4443 4455 }
4444 4456
4445 4457 return error;
4446 4458 }
|
↓ open down ↓ |
502 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX