fil.c revision 272994
1/* $FreeBSD: stable/10/sys/contrib/ipfilter/netinet/fil.c 272994 2014-10-12 17:13:14Z cy $ */ 2 3/* 4 * Copyright (C) 2012 by Darren Reed. 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 * 8 * Copyright 2008 Sun Microsystems. 9 * 10 * $Id$ 11 * 12 */ 13#if defined(KERNEL) || defined(_KERNEL) 14# undef KERNEL 15# undef _KERNEL 16# define KERNEL 1 17# define _KERNEL 1 18#endif 19#include <sys/errno.h> 20#include <sys/types.h> 21#include <sys/param.h> 22#include <sys/time.h> 23#if defined(_KERNEL) && defined(__FreeBSD_version) && \ 24 (__FreeBSD_version >= 220000) 25# if (__FreeBSD_version >= 400000) 26# if !defined(IPFILTER_LKM) 27# include "opt_inet6.h" 28# endif 29# if (__FreeBSD_version == 400019) 30# define CSUM_DELAY_DATA 31# endif 32# endif 33# include <sys/filio.h> 34#else 35# include <sys/ioctl.h> 36#endif 37#if (defined(__SVR4) || defined(__svr4__)) && defined(sun) 38# include <sys/filio.h> 39#endif 40#if !defined(_AIX51) 41# include <sys/fcntl.h> 42#endif 43#if defined(_KERNEL) 44# include <sys/systm.h> 45# include <sys/file.h> 46#else 47# include <stdio.h> 48# include <string.h> 49# include <stdlib.h> 50# include <stddef.h> 51# include <sys/file.h> 52# define _KERNEL 53# ifdef __OpenBSD__ 54struct file; 55# endif 56# include <sys/uio.h> 57# undef _KERNEL 58#endif 59#if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux) && \ 60 !defined(linux) 61# include <sys/mbuf.h> 62#else 63# if !defined(linux) 64# include <sys/byteorder.h> 65# endif 66# if (SOLARIS2 < 5) && defined(sun) 67# include <sys/dditypes.h> 68# endif 69#endif 70#ifdef __hpux 71# define _NET_ROUTE_INCLUDED 72#endif 73#if !defined(linux) 74# include <sys/protosw.h> 75#endif 76#include <sys/socket.h> 77#include <net/if.h> 78#ifdef sun 79# include <net/af.h> 80#endif 81#include <netinet/in.h> 82#include <netinet/in_systm.h> 83#include <netinet/ip.h> 84#if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */ 85# include <sys/hashing.h> 86# include <netinet/in_var.h> 87#endif 88#include <netinet/tcp.h> 89#if (!defined(__sgi) && !defined(AIX)) || defined(_KERNEL) 90# include <netinet/udp.h> 91# include <netinet/ip_icmp.h> 92#endif 93#ifdef __hpux 94# undef _NET_ROUTE_INCLUDED 95#endif 96#ifdef __osf__ 97# undef _RADIX_H_ 98#endif 99#include "netinet/ip_compat.h" 100#ifdef USE_INET6 101# include <netinet/icmp6.h> 102# if !SOLARIS && defined(_KERNEL) && !defined(__osf__) && !defined(__hpux) 103# include <netinet6/in6_var.h> 104# endif 105#endif 106#include "netinet/ip_fil.h" 107#include "netinet/ip_nat.h" 108#include "netinet/ip_frag.h" 109#include "netinet/ip_state.h" 110#include "netinet/ip_proxy.h" 111#include "netinet/ip_auth.h" 112#ifdef IPFILTER_SCAN 113# include "netinet/ip_scan.h" 114#endif 115#include "netinet/ip_sync.h" 116#include "netinet/ip_lookup.h" 117#include "netinet/ip_pool.h" 118#include "netinet/ip_htable.h" 119#ifdef IPFILTER_COMPILED 120# include "netinet/ip_rules.h" 121#endif 122#if defined(IPFILTER_BPF) && defined(_KERNEL) 123# include <net/bpf.h> 124#endif 125#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) 126# include <sys/malloc.h> 127#endif 128#include "netinet/ipl.h" 129 130#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000) 131# include <sys/callout.h> 132extern struct callout ipf_slowtimer_ch; 133#endif 134#if defined(__OpenBSD__) 135# include <sys/timeout.h> 136extern struct timeout ipf_slowtimer_ch; 137#endif 138/* END OF INCLUDES */ 139 140#if !defined(lint) 141static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; 142static const char rcsid[] = "@(#)$FreeBSD: stable/10/sys/contrib/ipfilter/netinet/fil.c 272994 2014-10-12 17:13:14Z cy $"; 143/* static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.125 2007/10/10 09:27:20 darrenr Exp $"; */ 144#endif 145 146#ifndef _KERNEL 147# include "ipf.h" 148# include "ipt.h" 149extern int opts; 150extern int blockreason; 151#endif /* _KERNEL */ 152 153#define LBUMP(x) softc->x++ 154#define LBUMPD(x, y) do { softc->x.y++; DT(y); } while (0) 155 156static INLINE int ipf_check_ipf __P((fr_info_t *, frentry_t *, int)); 157static u_32_t ipf_checkcipso __P((fr_info_t *, u_char *, int)); 158static u_32_t ipf_checkripso __P((u_char *)); 159static u_32_t ipf_decaps __P((fr_info_t *, u_32_t, int)); 160#ifdef IPFILTER_LOG 161static frentry_t *ipf_dolog __P((fr_info_t *, u_32_t *)); 162#endif 163static int ipf_flushlist __P((ipf_main_softc_t *, int *, 164 frentry_t **)); 165static int ipf_flush_groups __P((ipf_main_softc_t *, frgroup_t **, 166 int)); 167static ipfunc_t ipf_findfunc __P((ipfunc_t)); 168static void *ipf_findlookup __P((ipf_main_softc_t *, int, 169 frentry_t *, 170 i6addr_t *, i6addr_t *)); 171static frentry_t *ipf_firewall __P((fr_info_t *, u_32_t *)); 172static int ipf_fr_matcharray __P((fr_info_t *, int *)); 173static int ipf_frruleiter __P((ipf_main_softc_t *, void *, int, 174 void *)); 175static void ipf_funcfini __P((ipf_main_softc_t *, frentry_t *)); 176static int ipf_funcinit __P((ipf_main_softc_t *, frentry_t *)); 177static int ipf_geniter __P((ipf_main_softc_t *, ipftoken_t *, 178 ipfgeniter_t *)); 179static void ipf_getstat __P((ipf_main_softc_t *, 180 struct friostat *, int)); 181static int ipf_group_flush __P((ipf_main_softc_t *, frgroup_t *)); 182static void ipf_group_free __P((frgroup_t *)); 183static int ipf_grpmapfini __P((struct ipf_main_softc_s *, 184 frentry_t *)); 185static int ipf_grpmapinit __P((struct ipf_main_softc_s *, 186 frentry_t *)); 187static frentry_t *ipf_nextrule __P((ipf_main_softc_t *, int, int, 188 frentry_t *, int)); 189static int ipf_portcheck __P((frpcmp_t *, u_32_t)); 190static INLINE int ipf_pr_ah __P((fr_info_t *)); 191static INLINE void ipf_pr_esp __P((fr_info_t *)); 192static INLINE void ipf_pr_gre __P((fr_info_t *)); 193static INLINE void ipf_pr_udp __P((fr_info_t *)); 194static INLINE void ipf_pr_tcp __P((fr_info_t *)); 195static INLINE void ipf_pr_icmp __P((fr_info_t *)); 196static INLINE void ipf_pr_ipv4hdr __P((fr_info_t *)); 197static INLINE void ipf_pr_short __P((fr_info_t *, int)); 198static INLINE int ipf_pr_tcpcommon __P((fr_info_t *)); 199static INLINE int ipf_pr_udpcommon __P((fr_info_t *)); 200static void ipf_rule_delete __P((ipf_main_softc_t *, frentry_t *f, 201 int, int)); 202static void ipf_rule_expire_insert __P((ipf_main_softc_t *, 203 frentry_t *, int)); 204static int ipf_synclist __P((ipf_main_softc_t *, frentry_t *, 205 void *)); 206static void ipf_token_flush __P((ipf_main_softc_t *)); 207static void ipf_token_unlink __P((ipf_main_softc_t *, 208 ipftoken_t *)); 209static ipftuneable_t *ipf_tune_findbyname __P((ipftuneable_t *, 210 const char *)); 211static ipftuneable_t *ipf_tune_findbycookie __P((ipftuneable_t **, void *, 212 void **)); 213static int ipf_updateipid __P((fr_info_t *)); 214static int ipf_settimeout __P((struct ipf_main_softc_s *, 215 struct ipftuneable *, 216 ipftuneval_t *)); 217#if !defined(_KERNEL) || (!defined(__NetBSD__) && !defined(__OpenBSD__) && \ 218 !defined(__FreeBSD__)) || \ 219 FREEBSD_LT_REV(501000) || NETBSD_LT_REV(105000000) || \ 220 OPENBSD_LT_REV(200006) 221static int ppsratecheck(struct timeval *, int *, int); 222#endif 223 224 225/* 226 * bit values for identifying presence of individual IP options 227 * All of these tables should be ordered by increasing key value on the left 228 * hand side to allow for binary searching of the array and include a trailer 229 * with a 0 for the bitmask for linear searches to easily find the end with. 230 */ 231static const struct optlist ipopts[20] = { 232 { IPOPT_NOP, 0x000001 }, 233 { IPOPT_RR, 0x000002 }, 234 { IPOPT_ZSU, 0x000004 }, 235 { IPOPT_MTUP, 0x000008 }, 236 { IPOPT_MTUR, 0x000010 }, 237 { IPOPT_ENCODE, 0x000020 }, 238 { IPOPT_TS, 0x000040 }, 239 { IPOPT_TR, 0x000080 }, 240 { IPOPT_SECURITY, 0x000100 }, 241 { IPOPT_LSRR, 0x000200 }, 242 { IPOPT_E_SEC, 0x000400 }, 243 { IPOPT_CIPSO, 0x000800 }, 244 { IPOPT_SATID, 0x001000 }, 245 { IPOPT_SSRR, 0x002000 }, 246 { IPOPT_ADDEXT, 0x004000 }, 247 { IPOPT_VISA, 0x008000 }, 248 { IPOPT_IMITD, 0x010000 }, 249 { IPOPT_EIP, 0x020000 }, 250 { IPOPT_FINN, 0x040000 }, 251 { 0, 0x000000 } 252}; 253 254#ifdef USE_INET6 255static struct optlist ip6exthdr[] = { 256 { IPPROTO_HOPOPTS, 0x000001 }, 257 { IPPROTO_IPV6, 0x000002 }, 258 { IPPROTO_ROUTING, 0x000004 }, 259 { IPPROTO_FRAGMENT, 0x000008 }, 260 { IPPROTO_ESP, 0x000010 }, 261 { IPPROTO_AH, 0x000020 }, 262 { IPPROTO_NONE, 0x000040 }, 263 { IPPROTO_DSTOPTS, 0x000080 }, 264 { IPPROTO_MOBILITY, 0x000100 }, 265 { 0, 0 } 266}; 267#endif 268 269/* 270 * bit values for identifying presence of individual IP security options 271 */ 272static const struct optlist secopt[8] = { 273 { IPSO_CLASS_RES4, 0x01 }, 274 { IPSO_CLASS_TOPS, 0x02 }, 275 { IPSO_CLASS_SECR, 0x04 }, 276 { IPSO_CLASS_RES3, 0x08 }, 277 { IPSO_CLASS_CONF, 0x10 }, 278 { IPSO_CLASS_UNCL, 0x20 }, 279 { IPSO_CLASS_RES2, 0x40 }, 280 { IPSO_CLASS_RES1, 0x80 } 281}; 282 283char ipfilter_version[] = IPL_VERSION; 284 285int ipf_features = 0 286#ifdef IPFILTER_LKM 287 | IPF_FEAT_LKM 288#endif 289#ifdef IPFILTER_LOG 290 | IPF_FEAT_LOG 291#endif 292 | IPF_FEAT_LOOKUP 293#ifdef IPFILTER_BPF 294 | IPF_FEAT_BPF 295#endif 296#ifdef IPFILTER_COMPILED 297 | IPF_FEAT_COMPILED 298#endif 299#ifdef IPFILTER_CKSUM 300 | IPF_FEAT_CKSUM 301#endif 302 | IPF_FEAT_SYNC 303#ifdef IPFILTER_SCAN 304 | IPF_FEAT_SCAN 305#endif 306#ifdef USE_INET6 307 | IPF_FEAT_IPV6 308#endif 309 ; 310 311 312/* 313 * Table of functions available for use with call rules. 314 */ 315static ipfunc_resolve_t ipf_availfuncs[] = { 316 { "srcgrpmap", ipf_srcgrpmap, ipf_grpmapinit, ipf_grpmapfini }, 317 { "dstgrpmap", ipf_dstgrpmap, ipf_grpmapinit, ipf_grpmapfini }, 318 { "", NULL, NULL, NULL } 319}; 320 321static ipftuneable_t ipf_main_tuneables[] = { 322 { { (void *)offsetof(struct ipf_main_softc_s, ipf_flags) }, 323 "ipf_flags", 0, 0xffffffff, 324 stsizeof(ipf_main_softc_t, ipf_flags), 325 0, NULL, NULL }, 326 { { (void *)offsetof(struct ipf_main_softc_s, ipf_active) }, 327 "active", 0, 0, 328 stsizeof(ipf_main_softc_t, ipf_active), 329 IPFT_RDONLY, NULL, NULL }, 330 { { (void *)offsetof(ipf_main_softc_t, ipf_control_forwarding) }, 331 "control_forwarding", 0, 1, 332 stsizeof(ipf_main_softc_t, ipf_control_forwarding), 333 0, NULL, NULL }, 334 { { (void *)offsetof(ipf_main_softc_t, ipf_update_ipid) }, 335 "update_ipid", 0, 1, 336 stsizeof(ipf_main_softc_t, ipf_update_ipid), 337 0, NULL, NULL }, 338 { { (void *)offsetof(ipf_main_softc_t, ipf_chksrc) }, 339 "chksrc", 0, 1, 340 stsizeof(ipf_main_softc_t, ipf_chksrc), 341 0, NULL, NULL }, 342 { { (void *)offsetof(ipf_main_softc_t, ipf_minttl) }, 343 "min_ttl", 0, 1, 344 stsizeof(ipf_main_softc_t, ipf_minttl), 345 0, NULL, NULL }, 346 { { (void *)offsetof(ipf_main_softc_t, ipf_icmpminfragmtu) }, 347 "icmp_minfragmtu", 0, 1, 348 stsizeof(ipf_main_softc_t, ipf_icmpminfragmtu), 349 0, NULL, NULL }, 350 { { (void *)offsetof(ipf_main_softc_t, ipf_pass) }, 351 "default_pass", 0, 0xffffffff, 352 stsizeof(ipf_main_softc_t, ipf_pass), 353 0, NULL, NULL }, 354 { { (void *)offsetof(ipf_main_softc_t, ipf_tcpidletimeout) }, 355 "tcp_idle_timeout", 1, 0x7fffffff, 356 stsizeof(ipf_main_softc_t, ipf_tcpidletimeout), 357 0, NULL, ipf_settimeout }, 358 { { (void *)offsetof(ipf_main_softc_t, ipf_tcpclosewait) }, 359 "tcp_close_wait", 1, 0x7fffffff, 360 stsizeof(ipf_main_softc_t, ipf_tcpclosewait), 361 0, NULL, ipf_settimeout }, 362 { { (void *)offsetof(ipf_main_softc_t, ipf_tcplastack) }, 363 "tcp_last_ack", 1, 0x7fffffff, 364 stsizeof(ipf_main_softc_t, ipf_tcplastack), 365 0, NULL, ipf_settimeout }, 366 { { (void *)offsetof(ipf_main_softc_t, ipf_tcptimeout) }, 367 "tcp_timeout", 1, 0x7fffffff, 368 stsizeof(ipf_main_softc_t, ipf_tcptimeout), 369 0, NULL, ipf_settimeout }, 370 { { (void *)offsetof(ipf_main_softc_t, ipf_tcpsynsent) }, 371 "tcp_syn_sent", 1, 0x7fffffff, 372 stsizeof(ipf_main_softc_t, ipf_tcpsynsent), 373 0, NULL, ipf_settimeout }, 374 { { (void *)offsetof(ipf_main_softc_t, ipf_tcpsynrecv) }, 375 "tcp_syn_received", 1, 0x7fffffff, 376 stsizeof(ipf_main_softc_t, ipf_tcpsynrecv), 377 0, NULL, ipf_settimeout }, 378 { { (void *)offsetof(ipf_main_softc_t, ipf_tcpclosed) }, 379 "tcp_closed", 1, 0x7fffffff, 380 stsizeof(ipf_main_softc_t, ipf_tcpclosed), 381 0, NULL, ipf_settimeout }, 382 { { (void *)offsetof(ipf_main_softc_t, ipf_tcphalfclosed) }, 383 "tcp_half_closed", 1, 0x7fffffff, 384 stsizeof(ipf_main_softc_t, ipf_tcphalfclosed), 385 0, NULL, ipf_settimeout }, 386 { { (void *)offsetof(ipf_main_softc_t, ipf_tcptimewait) }, 387 "tcp_time_wait", 1, 0x7fffffff, 388 stsizeof(ipf_main_softc_t, ipf_tcptimewait), 389 0, NULL, ipf_settimeout }, 390 { { (void *)offsetof(ipf_main_softc_t, ipf_udptimeout) }, 391 "udp_timeout", 1, 0x7fffffff, 392 stsizeof(ipf_main_softc_t, ipf_udptimeout), 393 0, NULL, ipf_settimeout }, 394 { { (void *)offsetof(ipf_main_softc_t, ipf_udpacktimeout) }, 395 "udp_ack_timeout", 1, 0x7fffffff, 396 stsizeof(ipf_main_softc_t, ipf_udpacktimeout), 397 0, NULL, ipf_settimeout }, 398 { { (void *)offsetof(ipf_main_softc_t, ipf_icmptimeout) }, 399 "icmp_timeout", 1, 0x7fffffff, 400 stsizeof(ipf_main_softc_t, ipf_icmptimeout), 401 0, NULL, ipf_settimeout }, 402 { { (void *)offsetof(ipf_main_softc_t, ipf_icmpacktimeout) }, 403 "icmp_ack_timeout", 1, 0x7fffffff, 404 stsizeof(ipf_main_softc_t, ipf_icmpacktimeout), 405 0, NULL, ipf_settimeout }, 406 { { (void *)offsetof(ipf_main_softc_t, ipf_iptimeout) }, 407 "ip_timeout", 1, 0x7fffffff, 408 stsizeof(ipf_main_softc_t, ipf_iptimeout), 409 0, NULL, ipf_settimeout }, 410#if defined(INSTANCES) && defined(_KERNEL) 411 { { (void *)offsetof(ipf_main_softc_t, ipf_get_loopback) }, 412 "intercept_loopback", 0, 1, 413 stsizeof(ipf_main_softc_t, ipf_get_loopback), 414 0, NULL, ipf_set_loopback }, 415#endif 416 { { 0 }, 417 NULL, 0, 0, 418 0, 419 0, NULL, NULL } 420}; 421 422 423/* 424 * The next section of code is a a collection of small routines that set 425 * fields in the fr_info_t structure passed based on properties of the 426 * current packet. There are different routines for the same protocol 427 * for each of IPv4 and IPv6. Adding a new protocol, for which there 428 * will "special" inspection for setup, is now more easily done by adding 429 * a new routine and expanding the ipf_pr_ipinit*() function rather than by 430 * adding more code to a growing switch statement. 431 */ 432#ifdef USE_INET6 433static INLINE int ipf_pr_ah6 __P((fr_info_t *)); 434static INLINE void ipf_pr_esp6 __P((fr_info_t *)); 435static INLINE void ipf_pr_gre6 __P((fr_info_t *)); 436static INLINE void ipf_pr_udp6 __P((fr_info_t *)); 437static INLINE void ipf_pr_tcp6 __P((fr_info_t *)); 438static INLINE void ipf_pr_icmp6 __P((fr_info_t *)); 439static INLINE void ipf_pr_ipv6hdr __P((fr_info_t *)); 440static INLINE void ipf_pr_short6 __P((fr_info_t *, int)); 441static INLINE int ipf_pr_hopopts6 __P((fr_info_t *)); 442static INLINE int ipf_pr_mobility6 __P((fr_info_t *)); 443static INLINE int ipf_pr_routing6 __P((fr_info_t *)); 444static INLINE int ipf_pr_dstopts6 __P((fr_info_t *)); 445static INLINE int ipf_pr_fragment6 __P((fr_info_t *)); 446static INLINE struct ip6_ext *ipf_pr_ipv6exthdr __P((fr_info_t *, int, int)); 447 448 449/* ------------------------------------------------------------------------ */ 450/* Function: ipf_pr_short6 */ 451/* Returns: void */ 452/* Parameters: fin(I) - pointer to packet information */ 453/* xmin(I) - minimum header size */ 454/* */ 455/* IPv6 Only */ 456/* This is function enforces the 'is a packet too short to be legit' rule */ 457/* for IPv6 and marks the packet with FI_SHORT if so. See function comment */ 458/* for ipf_pr_short() for more details. */ 459/* ------------------------------------------------------------------------ */ 460static INLINE void 461ipf_pr_short6(fin, xmin) 462 fr_info_t *fin; 463 int xmin; 464{ 465 466 if (fin->fin_dlen < xmin) 467 fin->fin_flx |= FI_SHORT; 468} 469 470 471/* ------------------------------------------------------------------------ */ 472/* Function: ipf_pr_ipv6hdr */ 473/* Returns: void */ 474/* Parameters: fin(I) - pointer to packet information */ 475/* */ 476/* IPv6 Only */ 477/* Copy values from the IPv6 header into the fr_info_t struct and call the */ 478/* per-protocol analyzer if it exists. In validating the packet, a protocol*/ 479/* analyzer may pullup or free the packet itself so we need to be vigiliant */ 480/* of that possibility arising. */ 481/* ------------------------------------------------------------------------ */ 482static INLINE void 483ipf_pr_ipv6hdr(fin) 484 fr_info_t *fin; 485{ 486 ip6_t *ip6 = (ip6_t *)fin->fin_ip; 487 int p, go = 1, i, hdrcount; 488 fr_ip_t *fi = &fin->fin_fi; 489 490 fin->fin_off = 0; 491 492 fi->fi_tos = 0; 493 fi->fi_optmsk = 0; 494 fi->fi_secmsk = 0; 495 fi->fi_auth = 0; 496 497 p = ip6->ip6_nxt; 498 fin->fin_crc = p; 499 fi->fi_ttl = ip6->ip6_hlim; 500 fi->fi_src.in6 = ip6->ip6_src; 501 fin->fin_crc += fi->fi_src.i6[0]; 502 fin->fin_crc += fi->fi_src.i6[1]; 503 fin->fin_crc += fi->fi_src.i6[2]; 504 fin->fin_crc += fi->fi_src.i6[3]; 505 fi->fi_dst.in6 = ip6->ip6_dst; 506 fin->fin_crc += fi->fi_dst.i6[0]; 507 fin->fin_crc += fi->fi_dst.i6[1]; 508 fin->fin_crc += fi->fi_dst.i6[2]; 509 fin->fin_crc += fi->fi_dst.i6[3]; 510 fin->fin_id = 0; 511 if (IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6)) 512 fin->fin_flx |= FI_MULTICAST|FI_MBCAST; 513 514 hdrcount = 0; 515 while (go && !(fin->fin_flx & FI_SHORT)) { 516 switch (p) 517 { 518 case IPPROTO_UDP : 519 ipf_pr_udp6(fin); 520 go = 0; 521 break; 522 523 case IPPROTO_TCP : 524 ipf_pr_tcp6(fin); 525 go = 0; 526 break; 527 528 case IPPROTO_ICMPV6 : 529 ipf_pr_icmp6(fin); 530 go = 0; 531 break; 532 533 case IPPROTO_GRE : 534 ipf_pr_gre6(fin); 535 go = 0; 536 break; 537 538 case IPPROTO_HOPOPTS : 539 p = ipf_pr_hopopts6(fin); 540 break; 541 542 case IPPROTO_MOBILITY : 543 p = ipf_pr_mobility6(fin); 544 break; 545 546 case IPPROTO_DSTOPTS : 547 p = ipf_pr_dstopts6(fin); 548 break; 549 550 case IPPROTO_ROUTING : 551 p = ipf_pr_routing6(fin); 552 break; 553 554 case IPPROTO_AH : 555 p = ipf_pr_ah6(fin); 556 break; 557 558 case IPPROTO_ESP : 559 ipf_pr_esp6(fin); 560 go = 0; 561 break; 562 563 case IPPROTO_IPV6 : 564 for (i = 0; ip6exthdr[i].ol_bit != 0; i++) 565 if (ip6exthdr[i].ol_val == p) { 566 fin->fin_flx |= ip6exthdr[i].ol_bit; 567 break; 568 } 569 go = 0; 570 break; 571 572 case IPPROTO_NONE : 573 go = 0; 574 break; 575 576 case IPPROTO_FRAGMENT : 577 p = ipf_pr_fragment6(fin); 578 /* 579 * Given that the only fragments we want to let through 580 * (where fin_off != 0) are those where the non-first 581 * fragments only have data, we can safely stop looking 582 * at headers if this is a non-leading fragment. 583 */ 584 if (fin->fin_off != 0) 585 go = 0; 586 break; 587 588 default : 589 go = 0; 590 break; 591 } 592 hdrcount++; 593 594 /* 595 * It is important to note that at this point, for the 596 * extension headers (go != 0), the entire header may not have 597 * been pulled up when the code gets to this point. This is 598 * only done for "go != 0" because the other header handlers 599 * will all pullup their complete header. The other indicator 600 * of an incomplete packet is that this was just an extension 601 * header. 602 */ 603 if ((go != 0) && (p != IPPROTO_NONE) && 604 (ipf_pr_pullup(fin, 0) == -1)) { 605 p = IPPROTO_NONE; 606 break; 607 } 608 } 609 610 /* 611 * Some of the above functions, like ipf_pr_esp6(), can call ipf_pullup 612 * and destroy whatever packet was here. The caller of this function 613 * expects us to return if there is a problem with ipf_pullup. 614 */ 615 if (fin->fin_m == NULL) { 616 ipf_main_softc_t *softc = fin->fin_main_soft; 617 618 LBUMPD(ipf_stats[fin->fin_out], fr_v6_bad); 619 return; 620 } 621 622 fi->fi_p = p; 623 624 /* 625 * IPv6 fragment case 1 - see comment for ipf_pr_fragment6(). 626 * "go != 0" imples the above loop hasn't arrived at a layer 4 header. 627 */ 628 if ((go != 0) && (fin->fin_flx & FI_FRAG) && (fin->fin_off == 0)) { 629 ipf_main_softc_t *softc = fin->fin_main_soft; 630 631 fin->fin_flx |= FI_BAD; 632 LBUMPD(ipf_stats[fin->fin_out], fr_v6_badfrag); 633 LBUMP(ipf_stats[fin->fin_out].fr_v6_bad); 634 } 635} 636 637 638/* ------------------------------------------------------------------------ */ 639/* Function: ipf_pr_ipv6exthdr */ 640/* Returns: struct ip6_ext * - pointer to the start of the next header */ 641/* or NULL if there is a prolblem. */ 642/* Parameters: fin(I) - pointer to packet information */ 643/* multiple(I) - flag indicating yes/no if multiple occurances */ 644/* of this extension header are allowed. */ 645/* proto(I) - protocol number for this extension header */ 646/* */ 647/* IPv6 Only */ 648/* This function embodies a number of common checks that all IPv6 extension */ 649/* headers must be subjected to. For example, making sure the packet is */ 650/* big enough for it to be in, checking if it is repeated and setting a */ 651/* flag to indicate its presence. */ 652/* ------------------------------------------------------------------------ */ 653static INLINE struct ip6_ext * 654ipf_pr_ipv6exthdr(fin, multiple, proto) 655 fr_info_t *fin; 656 int multiple, proto; 657{ 658 ipf_main_softc_t *softc = fin->fin_main_soft; 659 struct ip6_ext *hdr; 660 u_short shift; 661 int i; 662 663 fin->fin_flx |= FI_V6EXTHDR; 664 665 /* 8 is default length of extension hdr */ 666 if ((fin->fin_dlen - 8) < 0) { 667 fin->fin_flx |= FI_SHORT; 668 LBUMPD(ipf_stats[fin->fin_out], fr_v6_ext_short); 669 return NULL; 670 } 671 672 if (ipf_pr_pullup(fin, 8) == -1) { 673 LBUMPD(ipf_stats[fin->fin_out], fr_v6_ext_pullup); 674 return NULL; 675 } 676 677 hdr = fin->fin_dp; 678 switch (proto) 679 { 680 case IPPROTO_FRAGMENT : 681 shift = 8; 682 break; 683 default : 684 shift = 8 + (hdr->ip6e_len << 3); 685 break; 686 } 687 688 if (shift > fin->fin_dlen) { /* Nasty extension header length? */ 689 fin->fin_flx |= FI_BAD; 690 LBUMPD(ipf_stats[fin->fin_out], fr_v6_ext_hlen); 691 return NULL; 692 } 693 694 fin->fin_dp = (char *)fin->fin_dp + shift; 695 fin->fin_dlen -= shift; 696 697 /* 698 * If we have seen a fragment header, do not set any flags to indicate 699 * the presence of this extension header as it has no impact on the 700 * end result until after it has been defragmented. 701 */ 702 if (fin->fin_flx & FI_FRAG) 703 return hdr; 704 705 for (i = 0; ip6exthdr[i].ol_bit != 0; i++) 706 if (ip6exthdr[i].ol_val == proto) { 707 /* 708 * Most IPv6 extension headers are only allowed once. 709 */ 710 if ((multiple == 0) && 711 ((fin->fin_optmsk & ip6exthdr[i].ol_bit) != 0)) 712 fin->fin_flx |= FI_BAD; 713 else 714 fin->fin_optmsk |= ip6exthdr[i].ol_bit; 715 break; 716 } 717 718 return hdr; 719} 720 721 722/* ------------------------------------------------------------------------ */ 723/* Function: ipf_pr_hopopts6 */ 724/* Returns: int - value of the next header or IPPROTO_NONE if error */ 725/* Parameters: fin(I) - pointer to packet information */ 726/* */ 727/* IPv6 Only */ 728/* This is function checks pending hop by hop options extension header */ 729/* ------------------------------------------------------------------------ */ 730static INLINE int 731ipf_pr_hopopts6(fin) 732 fr_info_t *fin; 733{ 734 struct ip6_ext *hdr; 735 736 hdr = ipf_pr_ipv6exthdr(fin, 0, IPPROTO_HOPOPTS); 737 if (hdr == NULL) 738 return IPPROTO_NONE; 739 return hdr->ip6e_nxt; 740} 741 742 743/* ------------------------------------------------------------------------ */ 744/* Function: ipf_pr_mobility6 */ 745/* Returns: int - value of the next header or IPPROTO_NONE if error */ 746/* Parameters: fin(I) - pointer to packet information */ 747/* */ 748/* IPv6 Only */ 749/* This is function checks the IPv6 mobility extension header */ 750/* ------------------------------------------------------------------------ */ 751static INLINE int 752ipf_pr_mobility6(fin) 753 fr_info_t *fin; 754{ 755 struct ip6_ext *hdr; 756 757 hdr = ipf_pr_ipv6exthdr(fin, 0, IPPROTO_MOBILITY); 758 if (hdr == NULL) 759 return IPPROTO_NONE; 760 return hdr->ip6e_nxt; 761} 762 763 764/* ------------------------------------------------------------------------ */ 765/* Function: ipf_pr_routing6 */ 766/* Returns: int - value of the next header or IPPROTO_NONE if error */ 767/* Parameters: fin(I) - pointer to packet information */ 768/* */ 769/* IPv6 Only */ 770/* This is function checks pending routing extension header */ 771/* ------------------------------------------------------------------------ */ 772static INLINE int 773ipf_pr_routing6(fin) 774 fr_info_t *fin; 775{ 776 struct ip6_routing *hdr; 777 778 hdr = (struct ip6_routing *)ipf_pr_ipv6exthdr(fin, 0, IPPROTO_ROUTING); 779 if (hdr == NULL) 780 return IPPROTO_NONE; 781 782 switch (hdr->ip6r_type) 783 { 784 case 0 : 785 /* 786 * Nasty extension header length? 787 */ 788 if (((hdr->ip6r_len >> 1) < hdr->ip6r_segleft) || 789 (hdr->ip6r_segleft && (hdr->ip6r_len & 1))) { 790 ipf_main_softc_t *softc = fin->fin_main_soft; 791 792 fin->fin_flx |= FI_BAD; 793 LBUMPD(ipf_stats[fin->fin_out], fr_v6_rh_bad); 794 return IPPROTO_NONE; 795 } 796 break; 797 798 default : 799 break; 800 } 801 802 return hdr->ip6r_nxt; 803} 804 805 806/* ------------------------------------------------------------------------ */ 807/* Function: ipf_pr_fragment6 */ 808/* Returns: int - value of the next header or IPPROTO_NONE if error */ 809/* Parameters: fin(I) - pointer to packet information */ 810/* */ 811/* IPv6 Only */ 812/* Examine the IPv6 fragment header and extract fragment offset information.*/ 813/* */ 814/* Fragments in IPv6 are extraordinarily difficult to deal with - much more */ 815/* so than in IPv4. There are 5 cases of fragments with IPv6 that all */ 816/* packets with a fragment header can fit into. They are as follows: */ 817/* */ 818/* 1. [IPv6][0-n EH][FH][0-n EH] (no L4HDR present) */ 819/* 2. [IPV6][0-n EH][FH][0-n EH][L4HDR part] (short) */ 820/* 3. [IPV6][0-n EH][FH][L4HDR part][0-n data] (short) */ 821/* 4. [IPV6][0-n EH][FH][0-n EH][L4HDR][0-n data] */ 822/* 5. [IPV6][0-n EH][FH][data] */ 823/* */ 824/* IPV6 = IPv6 header, FH = Fragment Header, */ 825/* 0-n EH = 0 or more extension headers, 0-n data = 0 or more bytes of data */ 826/* */ 827/* Packets that match 1, 2, 3 will be dropped as the only reasonable */ 828/* scenario in which they happen is in extreme circumstances that are most */ 829/* likely to be an indication of an attack rather than normal traffic. */ 830/* A type 3 packet may be sent by an attacked after a type 4 packet. There */ 831/* are two rules that can be used to guard against type 3 packets: L4 */ 832/* headers must always be in a packet that has the offset field set to 0 */ 833/* and no packet is allowed to overlay that where offset = 0. */ 834/* ------------------------------------------------------------------------ */ 835static INLINE int 836ipf_pr_fragment6(fin) 837 fr_info_t *fin; 838{ 839 ipf_main_softc_t *softc = fin->fin_main_soft; 840 struct ip6_frag *frag; 841 842 fin->fin_flx |= FI_FRAG; 843 844 frag = (struct ip6_frag *)ipf_pr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT); 845 if (frag == NULL) { 846 LBUMPD(ipf_stats[fin->fin_out], fr_v6_frag_bad); 847 return IPPROTO_NONE; 848 } 849 850 if ((frag->ip6f_offlg & IP6F_MORE_FRAG) != 0) { 851 /* 852 * Any fragment that isn't the last fragment must have its 853 * length as a multiple of 8. 854 */ 855 if ((fin->fin_plen & 7) != 0) 856 fin->fin_flx |= FI_BAD; 857 } 858 859 fin->fin_fraghdr = frag; 860 fin->fin_id = frag->ip6f_ident; 861 fin->fin_off = ntohs(frag->ip6f_offlg & IP6F_OFF_MASK); 862 if (fin->fin_off != 0) 863 fin->fin_flx |= FI_FRAGBODY; 864 865 /* 866 * Jumbograms aren't handled, so the max. length is 64k 867 */ 868 if ((fin->fin_off << 3) + fin->fin_dlen > 65535) 869 fin->fin_flx |= FI_BAD; 870 871 /* 872 * We don't know where the transport layer header (or whatever is next 873 * is), as it could be behind destination options (amongst others) so 874 * return the fragment header as the type of packet this is. Note that 875 * this effectively disables the fragment cache for > 1 protocol at a 876 * time. 877 */ 878 return frag->ip6f_nxt; 879} 880 881 882/* ------------------------------------------------------------------------ */ 883/* Function: ipf_pr_dstopts6 */ 884/* Returns: int - value of the next header or IPPROTO_NONE if error */ 885/* Parameters: fin(I) - pointer to packet information */ 886/* */ 887/* IPv6 Only */ 888/* This is function checks pending destination options extension header */ 889/* ------------------------------------------------------------------------ */ 890static INLINE int 891ipf_pr_dstopts6(fin) 892 fr_info_t *fin; 893{ 894 ipf_main_softc_t *softc = fin->fin_main_soft; 895 struct ip6_ext *hdr; 896 897 hdr = ipf_pr_ipv6exthdr(fin, 0, IPPROTO_DSTOPTS); 898 if (hdr == NULL) { 899 LBUMPD(ipf_stats[fin->fin_out], fr_v6_dst_bad); 900 return IPPROTO_NONE; 901 } 902 return hdr->ip6e_nxt; 903} 904 905 906/* ------------------------------------------------------------------------ */ 907/* Function: ipf_pr_icmp6 */ 908/* Returns: void */ 909/* Parameters: fin(I) - pointer to packet information */ 910/* */ 911/* IPv6 Only */ 912/* This routine is mainly concerned with determining the minimum valid size */ 913/* for an ICMPv6 packet. */ 914/* ------------------------------------------------------------------------ */ 915static INLINE void 916ipf_pr_icmp6(fin) 917 fr_info_t *fin; 918{ 919 int minicmpsz = sizeof(struct icmp6_hdr); 920 struct icmp6_hdr *icmp6; 921 922 if (ipf_pr_pullup(fin, ICMP6ERR_MINPKTLEN - sizeof(ip6_t)) == -1) { 923 ipf_main_softc_t *softc = fin->fin_main_soft; 924 925 LBUMPD(ipf_stats[fin->fin_out], fr_v6_icmp6_pullup); 926 return; 927 } 928 929 if (fin->fin_dlen > 1) { 930 ip6_t *ip6; 931 932 icmp6 = fin->fin_dp; 933 934 fin->fin_data[0] = *(u_short *)icmp6; 935 936 if ((icmp6->icmp6_type & ICMP6_INFOMSG_MASK) != 0) 937 fin->fin_flx |= FI_ICMPQUERY; 938 939 switch (icmp6->icmp6_type) 940 { 941 case ICMP6_ECHO_REPLY : 942 case ICMP6_ECHO_REQUEST : 943 if (fin->fin_dlen >= 6) 944 fin->fin_data[1] = icmp6->icmp6_id; 945 minicmpsz = ICMP6ERR_MINPKTLEN - sizeof(ip6_t); 946 break; 947 948 case ICMP6_DST_UNREACH : 949 case ICMP6_PACKET_TOO_BIG : 950 case ICMP6_TIME_EXCEEDED : 951 case ICMP6_PARAM_PROB : 952 fin->fin_flx |= FI_ICMPERR; 953 minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t); 954 if (fin->fin_plen < ICMP6ERR_IPICMPHLEN) 955 break; 956 957 if (M_LEN(fin->fin_m) < fin->fin_plen) { 958 if (ipf_coalesce(fin) != 1) 959 return; 960 } 961 962 if (ipf_pr_pullup(fin, ICMP6ERR_MINPKTLEN) == -1) 963 return; 964 965 /* 966 * If the destination of this packet doesn't match the 967 * source of the original packet then this packet is 968 * not correct. 969 */ 970 icmp6 = fin->fin_dp; 971 ip6 = (ip6_t *)((char *)icmp6 + ICMPERR_ICMPHLEN); 972 if (IP6_NEQ(&fin->fin_fi.fi_dst, 973 (i6addr_t *)&ip6->ip6_src)) 974 fin->fin_flx |= FI_BAD; 975 break; 976 default : 977 break; 978 } 979 } 980 981 ipf_pr_short6(fin, minicmpsz); 982 if ((fin->fin_flx & (FI_SHORT|FI_BAD)) == 0) { 983 u_char p = fin->fin_p; 984 985 fin->fin_p = IPPROTO_ICMPV6; 986 ipf_checkv6sum(fin); 987 fin->fin_p = p; 988 } 989} 990 991 992/* ------------------------------------------------------------------------ */ 993/* Function: ipf_pr_udp6 */ 994/* Returns: void */ 995/* Parameters: fin(I) - pointer to packet information */ 996/* */ 997/* IPv6 Only */ 998/* Analyse the packet for IPv6/UDP properties. */ 999/* Is not expected to be called for fragmented packets. */ 1000/* ------------------------------------------------------------------------ */ 1001static INLINE void 1002ipf_pr_udp6(fin) 1003 fr_info_t *fin; 1004{ 1005 1006 if (ipf_pr_udpcommon(fin) == 0) { 1007 u_char p = fin->fin_p; 1008 1009 fin->fin_p = IPPROTO_UDP; 1010 ipf_checkv6sum(fin); 1011 fin->fin_p = p; 1012 } 1013} 1014 1015 1016/* ------------------------------------------------------------------------ */ 1017/* Function: ipf_pr_tcp6 */ 1018/* Returns: void */ 1019/* Parameters: fin(I) - pointer to packet information */ 1020/* */ 1021/* IPv6 Only */ 1022/* Analyse the packet for IPv6/TCP properties. */ 1023/* Is not expected to be called for fragmented packets. */ 1024/* ------------------------------------------------------------------------ */ 1025static INLINE void 1026ipf_pr_tcp6(fin) 1027 fr_info_t *fin; 1028{ 1029 1030 if (ipf_pr_tcpcommon(fin) == 0) { 1031 u_char p = fin->fin_p; 1032 1033 fin->fin_p = IPPROTO_TCP; 1034 ipf_checkv6sum(fin); 1035 fin->fin_p = p; 1036 } 1037} 1038 1039 1040/* ------------------------------------------------------------------------ */ 1041/* Function: ipf_pr_esp6 */ 1042/* Returns: void */ 1043/* Parameters: fin(I) - pointer to packet information */ 1044/* */ 1045/* IPv6 Only */ 1046/* Analyse the packet for ESP properties. */ 1047/* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */ 1048/* even though the newer ESP packets must also have a sequence number that */ 1049/* is 32bits as well, it is not possible(?) to determine the version from a */ 1050/* simple packet header. */ 1051/* ------------------------------------------------------------------------ */ 1052static INLINE void 1053ipf_pr_esp6(fin) 1054 fr_info_t *fin; 1055{ 1056 1057 if ((fin->fin_off == 0) && (ipf_pr_pullup(fin, 8) == -1)) { 1058 ipf_main_softc_t *softc = fin->fin_main_soft; 1059 1060 LBUMPD(ipf_stats[fin->fin_out], fr_v6_esp_pullup); 1061 return; 1062 } 1063} 1064 1065 1066/* ------------------------------------------------------------------------ */ 1067/* Function: ipf_pr_ah6 */ 1068/* Returns: int - value of the next header or IPPROTO_NONE if error */ 1069/* Parameters: fin(I) - pointer to packet information */ 1070/* */ 1071/* IPv6 Only */ 1072/* Analyse the packet for AH properties. */ 1073/* The minimum length is taken to be the combination of all fields in the */ 1074/* header being present and no authentication data (null algorithm used.) */ 1075/* ------------------------------------------------------------------------ */ 1076static INLINE int 1077ipf_pr_ah6(fin) 1078 fr_info_t *fin; 1079{ 1080 authhdr_t *ah; 1081 1082 fin->fin_flx |= FI_AH; 1083 1084 ah = (authhdr_t *)ipf_pr_ipv6exthdr(fin, 0, IPPROTO_HOPOPTS); 1085 if (ah == NULL) { 1086 ipf_main_softc_t *softc = fin->fin_main_soft; 1087 1088 LBUMPD(ipf_stats[fin->fin_out], fr_v6_ah_bad); 1089 return IPPROTO_NONE; 1090 } 1091 1092 ipf_pr_short6(fin, sizeof(*ah)); 1093 1094 /* 1095 * No need for another pullup, ipf_pr_ipv6exthdr() will pullup 1096 * enough data to satisfy ah_next (the very first one.) 1097 */ 1098 return ah->ah_next; 1099} 1100 1101 1102/* ------------------------------------------------------------------------ */ 1103/* Function: ipf_pr_gre6 */ 1104/* Returns: void */ 1105/* Parameters: fin(I) - pointer to packet information */ 1106/* */ 1107/* Analyse the packet for GRE properties. */ 1108/* ------------------------------------------------------------------------ */ 1109static INLINE void 1110ipf_pr_gre6(fin) 1111 fr_info_t *fin; 1112{ 1113 grehdr_t *gre; 1114 1115 if (ipf_pr_pullup(fin, sizeof(grehdr_t)) == -1) { 1116 ipf_main_softc_t *softc = fin->fin_main_soft; 1117 1118 LBUMPD(ipf_stats[fin->fin_out], fr_v6_gre_pullup); 1119 return; 1120 } 1121 1122 gre = fin->fin_dp; 1123 if (GRE_REV(gre->gr_flags) == 1) 1124 fin->fin_data[0] = gre->gr_call; 1125} 1126#endif /* USE_INET6 */ 1127 1128 1129/* ------------------------------------------------------------------------ */ 1130/* Function: ipf_pr_pullup */ 1131/* Returns: int - 0 == pullup succeeded, -1 == failure */ 1132/* Parameters: fin(I) - pointer to packet information */ 1133/* plen(I) - length (excluding L3 header) to pullup */ 1134/* */ 1135/* Short inline function to cut down on code duplication to perform a call */ 1136/* to ipf_pullup to ensure there is the required amount of data, */ 1137/* consecutively in the packet buffer. */ 1138/* */ 1139/* This function pulls up 'extra' data at the location of fin_dp. fin_dp */ 1140/* points to the first byte after the complete layer 3 header, which will */ 1141/* include all of the known extension headers for IPv6 or options for IPv4. */ 1142/* */ 1143/* Since fr_pullup() expects the total length of bytes to be pulled up, it */ 1144/* is necessary to add those we can already assume to be pulled up (fin_dp */ 1145/* - fin_ip) to what is passed through. */ 1146/* ------------------------------------------------------------------------ */ 1147int 1148ipf_pr_pullup(fin, plen) 1149 fr_info_t *fin; 1150 int plen; 1151{ 1152 ipf_main_softc_t *softc = fin->fin_main_soft; 1153 1154 if (fin->fin_m != NULL) { 1155 if (fin->fin_dp != NULL) 1156 plen += (char *)fin->fin_dp - 1157 ((char *)fin->fin_ip + fin->fin_hlen); 1158 plen += fin->fin_hlen; 1159 if (M_LEN(fin->fin_m) < plen + fin->fin_ipoff) { 1160#if defined(_KERNEL) 1161 if (ipf_pullup(fin->fin_m, fin, plen) == NULL) { 1162 DT(ipf_pullup_fail); 1163 LBUMP(ipf_stats[fin->fin_out].fr_pull[1]); 1164 return -1; 1165 } 1166 LBUMP(ipf_stats[fin->fin_out].fr_pull[0]); 1167#else 1168 LBUMP(ipf_stats[fin->fin_out].fr_pull[1]); 1169 /* 1170 * Fake ipf_pullup failing 1171 */ 1172 fin->fin_reason = FRB_PULLUP; 1173 *fin->fin_mp = NULL; 1174 fin->fin_m = NULL; 1175 fin->fin_ip = NULL; 1176 return -1; 1177#endif 1178 } 1179 } 1180 return 0; 1181} 1182 1183 1184/* ------------------------------------------------------------------------ */ 1185/* Function: ipf_pr_short */ 1186/* Returns: void */ 1187/* Parameters: fin(I) - pointer to packet information */ 1188/* xmin(I) - minimum header size */ 1189/* */ 1190/* Check if a packet is "short" as defined by xmin. The rule we are */ 1191/* applying here is that the packet must not be fragmented within the layer */ 1192/* 4 header. That is, it must not be a fragment that has its offset set to */ 1193/* start within the layer 4 header (hdrmin) or if it is at offset 0, the */ 1194/* entire layer 4 header must be present (min). */ 1195/* ------------------------------------------------------------------------ */ 1196static INLINE void 1197ipf_pr_short(fin, xmin) 1198 fr_info_t *fin; 1199 int xmin; 1200{ 1201 1202 if (fin->fin_off == 0) { 1203 if (fin->fin_dlen < xmin) 1204 fin->fin_flx |= FI_SHORT; 1205 } else if (fin->fin_off < xmin) { 1206 fin->fin_flx |= FI_SHORT; 1207 } 1208} 1209 1210 1211/* ------------------------------------------------------------------------ */ 1212/* Function: ipf_pr_icmp */ 1213/* Returns: void */ 1214/* Parameters: fin(I) - pointer to packet information */ 1215/* */ 1216/* IPv4 Only */ 1217/* Do a sanity check on the packet for ICMP (v4). In nearly all cases, */ 1218/* except extrememly bad packets, both type and code will be present. */ 1219/* The expected minimum size of an ICMP packet is very much dependent on */ 1220/* the type of it. */ 1221/* */ 1222/* XXX - other ICMP sanity checks? */ 1223/* ------------------------------------------------------------------------ */ 1224static INLINE void 1225ipf_pr_icmp(fin) 1226 fr_info_t *fin; 1227{ 1228 ipf_main_softc_t *softc = fin->fin_main_soft; 1229 int minicmpsz = sizeof(struct icmp); 1230 icmphdr_t *icmp; 1231 ip_t *oip; 1232 1233 ipf_pr_short(fin, ICMPERR_ICMPHLEN); 1234 1235 if (fin->fin_off != 0) { 1236 LBUMPD(ipf_stats[fin->fin_out], fr_v4_icmp_frag); 1237 return; 1238 } 1239 1240 if (ipf_pr_pullup(fin, ICMPERR_ICMPHLEN) == -1) { 1241 LBUMPD(ipf_stats[fin->fin_out], fr_v4_icmp_pullup); 1242 return; 1243 } 1244 1245 icmp = fin->fin_dp; 1246 1247 fin->fin_data[0] = *(u_short *)icmp; 1248 fin->fin_data[1] = icmp->icmp_id; 1249 1250 switch (icmp->icmp_type) 1251 { 1252 case ICMP_ECHOREPLY : 1253 case ICMP_ECHO : 1254 /* Router discovery messaes - RFC 1256 */ 1255 case ICMP_ROUTERADVERT : 1256 case ICMP_ROUTERSOLICIT : 1257 fin->fin_flx |= FI_ICMPQUERY; 1258 minicmpsz = ICMP_MINLEN; 1259 break; 1260 /* 1261 * type(1) + code(1) + cksum(2) + id(2) seq(2) + 1262 * 3 * timestamp(3 * 4) 1263 */ 1264 case ICMP_TSTAMP : 1265 case ICMP_TSTAMPREPLY : 1266 fin->fin_flx |= FI_ICMPQUERY; 1267 minicmpsz = 20; 1268 break; 1269 /* 1270 * type(1) + code(1) + cksum(2) + id(2) seq(2) + 1271 * mask(4) 1272 */ 1273 case ICMP_IREQ : 1274 case ICMP_IREQREPLY : 1275 case ICMP_MASKREQ : 1276 case ICMP_MASKREPLY : 1277 fin->fin_flx |= FI_ICMPQUERY; 1278 minicmpsz = 12; 1279 break; 1280 /* 1281 * type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+) 1282 */ 1283 case ICMP_UNREACH : 1284#ifdef icmp_nextmtu 1285 if (icmp->icmp_code == ICMP_UNREACH_NEEDFRAG) { 1286 if (icmp->icmp_nextmtu < softc->ipf_icmpminfragmtu) 1287 fin->fin_flx |= FI_BAD; 1288 } 1289#endif 1290 case ICMP_SOURCEQUENCH : 1291 case ICMP_REDIRECT : 1292 case ICMP_TIMXCEED : 1293 case ICMP_PARAMPROB : 1294 fin->fin_flx |= FI_ICMPERR; 1295 if (ipf_coalesce(fin) != 1) { 1296 LBUMPD(ipf_stats[fin->fin_out], fr_icmp_coalesce); 1297 return; 1298 } 1299 1300 /* 1301 * ICMP error packets should not be generated for IP 1302 * packets that are a fragment that isn't the first 1303 * fragment. 1304 */ 1305 oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN); 1306 if ((ntohs(oip->ip_off) & IP_OFFMASK) != 0) 1307 fin->fin_flx |= FI_BAD; 1308 1309 /* 1310 * If the destination of this packet doesn't match the 1311 * source of the original packet then this packet is 1312 * not correct. 1313 */ 1314 if (oip->ip_src.s_addr != fin->fin_daddr) 1315 fin->fin_flx |= FI_BAD; 1316 break; 1317 default : 1318 break; 1319 } 1320 1321 ipf_pr_short(fin, minicmpsz); 1322 1323 ipf_checkv4sum(fin); 1324} 1325 1326 1327/* ------------------------------------------------------------------------ */ 1328/* Function: ipf_pr_tcpcommon */ 1329/* Returns: int - 0 = header ok, 1 = bad packet, -1 = buffer error */ 1330/* Parameters: fin(I) - pointer to packet information */ 1331/* */ 1332/* TCP header sanity checking. Look for bad combinations of TCP flags, */ 1333/* and make some checks with how they interact with other fields. */ 1334/* If compiled with IPFILTER_CKSUM, check to see if the TCP checksum is */ 1335/* valid and mark the packet as bad if not. */ 1336/* ------------------------------------------------------------------------ */ 1337static INLINE int 1338ipf_pr_tcpcommon(fin) 1339 fr_info_t *fin; 1340{ 1341 ipf_main_softc_t *softc = fin->fin_main_soft; 1342 int flags, tlen; 1343 tcphdr_t *tcp; 1344 1345 fin->fin_flx |= FI_TCPUDP; 1346 if (fin->fin_off != 0) { 1347 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_frag); 1348 return 0; 1349 } 1350 1351 if (ipf_pr_pullup(fin, sizeof(*tcp)) == -1) { 1352 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_pullup); 1353 return -1; 1354 } 1355 1356 tcp = fin->fin_dp; 1357 if (fin->fin_dlen > 3) { 1358 fin->fin_sport = ntohs(tcp->th_sport); 1359 fin->fin_dport = ntohs(tcp->th_dport); 1360 } 1361 1362 if ((fin->fin_flx & FI_SHORT) != 0) { 1363 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_short); 1364 return 1; 1365 } 1366 1367 /* 1368 * Use of the TCP data offset *must* result in a value that is at 1369 * least the same size as the TCP header. 1370 */ 1371 tlen = TCP_OFF(tcp) << 2; 1372 if (tlen < sizeof(tcphdr_t)) { 1373 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_small); 1374 fin->fin_flx |= FI_BAD; 1375 return 1; 1376 } 1377 1378 flags = tcp->th_flags; 1379 fin->fin_tcpf = tcp->th_flags; 1380 1381 /* 1382 * If the urgent flag is set, then the urgent pointer must 1383 * also be set and vice versa. Good TCP packets do not have 1384 * just one of these set. 1385 */ 1386 if ((flags & TH_URG) != 0 && (tcp->th_urp == 0)) { 1387 fin->fin_flx |= FI_BAD; 1388#if 0 1389 } else if ((flags & TH_URG) == 0 && (tcp->th_urp != 0)) { 1390 /* 1391 * Ignore this case (#if 0) as it shows up in "real" 1392 * traffic with bogus values in the urgent pointer field. 1393 */ 1394 fin->fin_flx |= FI_BAD; 1395#endif 1396 } else if (((flags & (TH_SYN|TH_FIN)) != 0) && 1397 ((flags & (TH_RST|TH_ACK)) == TH_RST)) { 1398 /* TH_FIN|TH_RST|TH_ACK seems to appear "naturally" */ 1399 fin->fin_flx |= FI_BAD; 1400#if 1 1401 } else if (((flags & TH_SYN) != 0) && 1402 ((flags & (TH_URG|TH_PUSH)) != 0)) { 1403 /* 1404 * SYN with URG and PUSH set is not for normal TCP but it is 1405 * possible(?) with T/TCP...but who uses T/TCP? 1406 */ 1407 fin->fin_flx |= FI_BAD; 1408#endif 1409 } else if (!(flags & TH_ACK)) { 1410 /* 1411 * If the ack bit isn't set, then either the SYN or 1412 * RST bit must be set. If the SYN bit is set, then 1413 * we expect the ACK field to be 0. If the ACK is 1414 * not set and if URG, PSH or FIN are set, consdier 1415 * that to indicate a bad TCP packet. 1416 */ 1417 if ((flags == TH_SYN) && (tcp->th_ack != 0)) { 1418 /* 1419 * Cisco PIX sets the ACK field to a random value. 1420 * In light of this, do not set FI_BAD until a patch 1421 * is available from Cisco to ensure that 1422 * interoperability between existing systems is 1423 * achieved. 1424 */ 1425 /*fin->fin_flx |= FI_BAD*/; 1426 } else if (!(flags & (TH_RST|TH_SYN))) { 1427 fin->fin_flx |= FI_BAD; 1428 } else if ((flags & (TH_URG|TH_PUSH|TH_FIN)) != 0) { 1429 fin->fin_flx |= FI_BAD; 1430 } 1431 } 1432 if (fin->fin_flx & FI_BAD) { 1433 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_bad_flags); 1434 return 1; 1435 } 1436 1437 /* 1438 * At this point, it's not exactly clear what is to be gained by 1439 * marking up which TCP options are and are not present. The one we 1440 * are most interested in is the TCP window scale. This is only in 1441 * a SYN packet [RFC1323] so we don't need this here...? 1442 * Now if we were to analyse the header for passive fingerprinting, 1443 * then that might add some weight to adding this... 1444 */ 1445 if (tlen == sizeof(tcphdr_t)) { 1446 return 0; 1447 } 1448 1449 if (ipf_pr_pullup(fin, tlen) == -1) { 1450 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_pullup); 1451 return -1; 1452 } 1453 1454#if 0 1455 tcp = fin->fin_dp; 1456 ip = fin->fin_ip; 1457 s = (u_char *)(tcp + 1); 1458 off = IP_HL(ip) << 2; 1459# ifdef _KERNEL 1460 if (fin->fin_mp != NULL) { 1461 mb_t *m = *fin->fin_mp; 1462 1463 if (off + tlen > M_LEN(m)) 1464 return; 1465 } 1466# endif 1467 for (tlen -= (int)sizeof(*tcp); tlen > 0; ) { 1468 opt = *s; 1469 if (opt == '\0') 1470 break; 1471 else if (opt == TCPOPT_NOP) 1472 ol = 1; 1473 else { 1474 if (tlen < 2) 1475 break; 1476 ol = (int)*(s + 1); 1477 if (ol < 2 || ol > tlen) 1478 break; 1479 } 1480 1481 for (i = 9, mv = 4; mv >= 0; ) { 1482 op = ipopts + i; 1483 if (opt == (u_char)op->ol_val) { 1484 optmsk |= op->ol_bit; 1485 break; 1486 } 1487 } 1488 tlen -= ol; 1489 s += ol; 1490 } 1491#endif /* 0 */ 1492 1493 return 0; 1494} 1495 1496 1497 1498/* ------------------------------------------------------------------------ */ 1499/* Function: ipf_pr_udpcommon */ 1500/* Returns: int - 0 = header ok, 1 = bad packet */ 1501/* Parameters: fin(I) - pointer to packet information */ 1502/* */ 1503/* Extract the UDP source and destination ports, if present. If compiled */ 1504/* with IPFILTER_CKSUM, check to see if the UDP checksum is valid. */ 1505/* ------------------------------------------------------------------------ */ 1506static INLINE int 1507ipf_pr_udpcommon(fin) 1508 fr_info_t *fin; 1509{ 1510 udphdr_t *udp; 1511 1512 fin->fin_flx |= FI_TCPUDP; 1513 1514 if (!fin->fin_off && (fin->fin_dlen > 3)) { 1515 if (ipf_pr_pullup(fin, sizeof(*udp)) == -1) { 1516 ipf_main_softc_t *softc = fin->fin_main_soft; 1517 1518 fin->fin_flx |= FI_SHORT; 1519 LBUMPD(ipf_stats[fin->fin_out], fr_udp_pullup); 1520 return 1; 1521 } 1522 1523 udp = fin->fin_dp; 1524 1525 fin->fin_sport = ntohs(udp->uh_sport); 1526 fin->fin_dport = ntohs(udp->uh_dport); 1527 } 1528 1529 return 0; 1530} 1531 1532 1533/* ------------------------------------------------------------------------ */ 1534/* Function: ipf_pr_tcp */ 1535/* Returns: void */ 1536/* Parameters: fin(I) - pointer to packet information */ 1537/* */ 1538/* IPv4 Only */ 1539/* Analyse the packet for IPv4/TCP properties. */ 1540/* ------------------------------------------------------------------------ */ 1541static INLINE void 1542ipf_pr_tcp(fin) 1543 fr_info_t *fin; 1544{ 1545 1546 ipf_pr_short(fin, sizeof(tcphdr_t)); 1547 1548 if (ipf_pr_tcpcommon(fin) == 0) 1549 ipf_checkv4sum(fin); 1550} 1551 1552 1553/* ------------------------------------------------------------------------ */ 1554/* Function: ipf_pr_udp */ 1555/* Returns: void */ 1556/* Parameters: fin(I) - pointer to packet information */ 1557/* */ 1558/* IPv4 Only */ 1559/* Analyse the packet for IPv4/UDP properties. */ 1560/* ------------------------------------------------------------------------ */ 1561static INLINE void 1562ipf_pr_udp(fin) 1563 fr_info_t *fin; 1564{ 1565 1566 ipf_pr_short(fin, sizeof(udphdr_t)); 1567 1568 if (ipf_pr_udpcommon(fin) == 0) 1569 ipf_checkv4sum(fin); 1570} 1571 1572 1573/* ------------------------------------------------------------------------ */ 1574/* Function: ipf_pr_esp */ 1575/* Returns: void */ 1576/* Parameters: fin(I) - pointer to packet information */ 1577/* */ 1578/* Analyse the packet for ESP properties. */ 1579/* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */ 1580/* even though the newer ESP packets must also have a sequence number that */ 1581/* is 32bits as well, it is not possible(?) to determine the version from a */ 1582/* simple packet header. */ 1583/* ------------------------------------------------------------------------ */ 1584static INLINE void 1585ipf_pr_esp(fin) 1586 fr_info_t *fin; 1587{ 1588 1589 if (fin->fin_off == 0) { 1590 ipf_pr_short(fin, 8); 1591 if (ipf_pr_pullup(fin, 8) == -1) { 1592 ipf_main_softc_t *softc = fin->fin_main_soft; 1593 1594 LBUMPD(ipf_stats[fin->fin_out], fr_v4_esp_pullup); 1595 } 1596 } 1597} 1598 1599 1600/* ------------------------------------------------------------------------ */ 1601/* Function: ipf_pr_ah */ 1602/* Returns: int - value of the next header or IPPROTO_NONE if error */ 1603/* Parameters: fin(I) - pointer to packet information */ 1604/* */ 1605/* Analyse the packet for AH properties. */ 1606/* The minimum length is taken to be the combination of all fields in the */ 1607/* header being present and no authentication data (null algorithm used.) */ 1608/* ------------------------------------------------------------------------ */ 1609static INLINE int 1610ipf_pr_ah(fin) 1611 fr_info_t *fin; 1612{ 1613 ipf_main_softc_t *softc = fin->fin_main_soft; 1614 authhdr_t *ah; 1615 int len; 1616 1617 fin->fin_flx |= FI_AH; 1618 ipf_pr_short(fin, sizeof(*ah)); 1619 1620 if (((fin->fin_flx & FI_SHORT) != 0) || (fin->fin_off != 0)) { 1621 LBUMPD(ipf_stats[fin->fin_out], fr_v4_ah_bad); 1622 return IPPROTO_NONE; 1623 } 1624 1625 if (ipf_pr_pullup(fin, sizeof(*ah)) == -1) { 1626 DT(fr_v4_ah_pullup_1); 1627 LBUMP(ipf_stats[fin->fin_out].fr_v4_ah_pullup); 1628 return IPPROTO_NONE; 1629 } 1630 1631 ah = (authhdr_t *)fin->fin_dp; 1632 1633 len = (ah->ah_plen + 2) << 2; 1634 ipf_pr_short(fin, len); 1635 if (ipf_pr_pullup(fin, len) == -1) { 1636 DT(fr_v4_ah_pullup_2); 1637 LBUMP(ipf_stats[fin->fin_out].fr_v4_ah_pullup); 1638 return IPPROTO_NONE; 1639 } 1640 1641 /* 1642 * Adjust fin_dp and fin_dlen for skipping over the authentication 1643 * header. 1644 */ 1645 fin->fin_dp = (char *)fin->fin_dp + len; 1646 fin->fin_dlen -= len; 1647 return ah->ah_next; 1648} 1649 1650 1651/* ------------------------------------------------------------------------ */ 1652/* Function: ipf_pr_gre */ 1653/* Returns: void */ 1654/* Parameters: fin(I) - pointer to packet information */ 1655/* */ 1656/* Analyse the packet for GRE properties. */ 1657/* ------------------------------------------------------------------------ */ 1658static INLINE void 1659ipf_pr_gre(fin) 1660 fr_info_t *fin; 1661{ 1662 ipf_main_softc_t *softc = fin->fin_main_soft; 1663 grehdr_t *gre; 1664 1665 ipf_pr_short(fin, sizeof(grehdr_t)); 1666 1667 if (fin->fin_off != 0) { 1668 LBUMPD(ipf_stats[fin->fin_out], fr_v4_gre_frag); 1669 return; 1670 } 1671 1672 if (ipf_pr_pullup(fin, sizeof(grehdr_t)) == -1) { 1673 LBUMPD(ipf_stats[fin->fin_out], fr_v4_gre_pullup); 1674 return; 1675 } 1676 1677 gre = fin->fin_dp; 1678 if (GRE_REV(gre->gr_flags) == 1) 1679 fin->fin_data[0] = gre->gr_call; 1680} 1681 1682 1683/* ------------------------------------------------------------------------ */ 1684/* Function: ipf_pr_ipv4hdr */ 1685/* Returns: void */ 1686/* Parameters: fin(I) - pointer to packet information */ 1687/* */ 1688/* IPv4 Only */ 1689/* Analyze the IPv4 header and set fields in the fr_info_t structure. */ 1690/* Check all options present and flag their presence if any exist. */ 1691/* ------------------------------------------------------------------------ */ 1692static INLINE void 1693ipf_pr_ipv4hdr(fin) 1694 fr_info_t *fin; 1695{ 1696 u_short optmsk = 0, secmsk = 0, auth = 0; 1697 int hlen, ol, mv, p, i; 1698 const struct optlist *op; 1699 u_char *s, opt; 1700 u_short off; 1701 fr_ip_t *fi; 1702 ip_t *ip; 1703 1704 fi = &fin->fin_fi; 1705 hlen = fin->fin_hlen; 1706 1707 ip = fin->fin_ip; 1708 p = ip->ip_p; 1709 fi->fi_p = p; 1710 fin->fin_crc = p; 1711 fi->fi_tos = ip->ip_tos; 1712 fin->fin_id = ip->ip_id; 1713 off = ntohs(ip->ip_off); 1714 1715 /* Get both TTL and protocol */ 1716 fi->fi_p = ip->ip_p; 1717 fi->fi_ttl = ip->ip_ttl; 1718 1719 /* Zero out bits not used in IPv6 address */ 1720 fi->fi_src.i6[1] = 0; 1721 fi->fi_src.i6[2] = 0; 1722 fi->fi_src.i6[3] = 0; 1723 fi->fi_dst.i6[1] = 0; 1724 fi->fi_dst.i6[2] = 0; 1725 fi->fi_dst.i6[3] = 0; 1726 1727 fi->fi_saddr = ip->ip_src.s_addr; 1728 fin->fin_crc += fi->fi_saddr; 1729 fi->fi_daddr = ip->ip_dst.s_addr; 1730 fin->fin_crc += fi->fi_daddr; 1731 if (IN_CLASSD(ntohl(fi->fi_daddr))) 1732 fin->fin_flx |= FI_MULTICAST|FI_MBCAST; 1733 1734 /* 1735 * set packet attribute flags based on the offset and 1736 * calculate the byte offset that it represents. 1737 */ 1738 off &= IP_MF|IP_OFFMASK; 1739 if (off != 0) { 1740 int morefrag = off & IP_MF; 1741 1742 fi->fi_flx |= FI_FRAG; 1743 off &= IP_OFFMASK; 1744 if (off != 0) { 1745 fin->fin_flx |= FI_FRAGBODY; 1746 off <<= 3; 1747 if ((off + fin->fin_dlen > 65535) || 1748 (fin->fin_dlen == 0) || 1749 ((morefrag != 0) && ((fin->fin_dlen & 7) != 0))) { 1750 /* 1751 * The length of the packet, starting at its 1752 * offset cannot exceed 65535 (0xffff) as the 1753 * length of an IP packet is only 16 bits. 1754 * 1755 * Any fragment that isn't the last fragment 1756 * must have a length greater than 0 and it 1757 * must be an even multiple of 8. 1758 */ 1759 fi->fi_flx |= FI_BAD; 1760 } 1761 } 1762 } 1763 fin->fin_off = off; 1764 1765 /* 1766 * Call per-protocol setup and checking 1767 */ 1768 if (p == IPPROTO_AH) { 1769 /* 1770 * Treat AH differently because we expect there to be another 1771 * layer 4 header after it. 1772 */ 1773 p = ipf_pr_ah(fin); 1774 } 1775 1776 switch (p) 1777 { 1778 case IPPROTO_UDP : 1779 ipf_pr_udp(fin); 1780 break; 1781 case IPPROTO_TCP : 1782 ipf_pr_tcp(fin); 1783 break; 1784 case IPPROTO_ICMP : 1785 ipf_pr_icmp(fin); 1786 break; 1787 case IPPROTO_ESP : 1788 ipf_pr_esp(fin); 1789 break; 1790 case IPPROTO_GRE : 1791 ipf_pr_gre(fin); 1792 break; 1793 } 1794 1795 ip = fin->fin_ip; 1796 if (ip == NULL) 1797 return; 1798 1799 /* 1800 * If it is a standard IP header (no options), set the flag fields 1801 * which relate to options to 0. 1802 */ 1803 if (hlen == sizeof(*ip)) { 1804 fi->fi_optmsk = 0; 1805 fi->fi_secmsk = 0; 1806 fi->fi_auth = 0; 1807 return; 1808 } 1809 1810 /* 1811 * So the IP header has some IP options attached. Walk the entire 1812 * list of options present with this packet and set flags to indicate 1813 * which ones are here and which ones are not. For the somewhat out 1814 * of date and obscure security classification options, set a flag to 1815 * represent which classification is present. 1816 */ 1817 fi->fi_flx |= FI_OPTIONS; 1818 1819 for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) { 1820 opt = *s; 1821 if (opt == '\0') 1822 break; 1823 else if (opt == IPOPT_NOP) 1824 ol = 1; 1825 else { 1826 if (hlen < 2) 1827 break; 1828 ol = (int)*(s + 1); 1829 if (ol < 2 || ol > hlen) 1830 break; 1831 } 1832 for (i = 9, mv = 4; mv >= 0; ) { 1833 op = ipopts + i; 1834 1835 if ((opt == (u_char)op->ol_val) && (ol > 4)) { 1836 u_32_t doi; 1837 1838 switch (opt) 1839 { 1840 case IPOPT_SECURITY : 1841 if (optmsk & op->ol_bit) { 1842 fin->fin_flx |= FI_BAD; 1843 } else { 1844 doi = ipf_checkripso(s); 1845 secmsk = doi >> 16; 1846 auth = doi & 0xffff; 1847 } 1848 break; 1849 1850 case IPOPT_CIPSO : 1851 1852 if (optmsk & op->ol_bit) { 1853 fin->fin_flx |= FI_BAD; 1854 } else { 1855 doi = ipf_checkcipso(fin, 1856 s, ol); 1857 secmsk = doi >> 16; 1858 auth = doi & 0xffff; 1859 } 1860 break; 1861 } 1862 optmsk |= op->ol_bit; 1863 } 1864 1865 if (opt < op->ol_val) 1866 i -= mv; 1867 else 1868 i += mv; 1869 mv--; 1870 } 1871 hlen -= ol; 1872 s += ol; 1873 } 1874 1875 /* 1876 * 1877 */ 1878 if (auth && !(auth & 0x0100)) 1879 auth &= 0xff00; 1880 fi->fi_optmsk = optmsk; 1881 fi->fi_secmsk = secmsk; 1882 fi->fi_auth = auth; 1883} 1884 1885 1886/* ------------------------------------------------------------------------ */ 1887/* Function: ipf_checkripso */ 1888/* Returns: void */ 1889/* Parameters: s(I) - pointer to start of RIPSO option */ 1890/* */ 1891/* ------------------------------------------------------------------------ */ 1892static u_32_t 1893ipf_checkripso(s) 1894 u_char *s; 1895{ 1896 const struct optlist *sp; 1897 u_short secmsk = 0, auth = 0; 1898 u_char sec; 1899 int j, m; 1900 1901 sec = *(s + 2); /* classification */ 1902 for (j = 3, m = 2; m >= 0; ) { 1903 sp = secopt + j; 1904 if (sec == sp->ol_val) { 1905 secmsk |= sp->ol_bit; 1906 auth = *(s + 3); 1907 auth *= 256; 1908 auth += *(s + 4); 1909 break; 1910 } 1911 if (sec < sp->ol_val) 1912 j -= m; 1913 else 1914 j += m; 1915 m--; 1916 } 1917 1918 return (secmsk << 16) | auth; 1919} 1920 1921 1922/* ------------------------------------------------------------------------ */ 1923/* Function: ipf_checkcipso */ 1924/* Returns: u_32_t - 0 = failure, else the doi from the header */ 1925/* Parameters: fin(IO) - pointer to packet information */ 1926/* s(I) - pointer to start of CIPSO option */ 1927/* ol(I) - length of CIPSO option field */ 1928/* */ 1929/* This function returns the domain of integrity (DOI) field from the CIPSO */ 1930/* header and returns that whilst also storing the highest sensitivity */ 1931/* value found in the fr_info_t structure. */ 1932/* */ 1933/* No attempt is made to extract the category bitmaps as these are defined */ 1934/* by the user (rather than the protocol) and can be rather numerous on the */ 1935/* end nodes. */ 1936/* ------------------------------------------------------------------------ */ 1937static u_32_t 1938ipf_checkcipso(fin, s, ol) 1939 fr_info_t *fin; 1940 u_char *s; 1941 int ol; 1942{ 1943 ipf_main_softc_t *softc = fin->fin_main_soft; 1944 fr_ip_t *fi; 1945 u_32_t doi; 1946 u_char *t, tag, tlen, sensitivity; 1947 int len; 1948 1949 if (ol < 6 || ol > 40) { 1950 LBUMPD(ipf_stats[fin->fin_out], fr_v4_cipso_bad); 1951 fin->fin_flx |= FI_BAD; 1952 return 0; 1953 } 1954 1955 fi = &fin->fin_fi; 1956 fi->fi_sensitivity = 0; 1957 /* 1958 * The DOI field MUST be there. 1959 */ 1960 bcopy(s + 2, &doi, sizeof(doi)); 1961 1962 t = (u_char *)s + 6; 1963 for (len = ol - 6; len >= 2; len -= tlen, t+= tlen) { 1964 tag = *t; 1965 tlen = *(t + 1); 1966 if (tlen > len || tlen < 4 || tlen > 34) { 1967 LBUMPD(ipf_stats[fin->fin_out], fr_v4_cipso_tlen); 1968 fin->fin_flx |= FI_BAD; 1969 return 0; 1970 } 1971 1972 sensitivity = 0; 1973 /* 1974 * Tag numbers 0, 1, 2, 5 are laid out in the CIPSO Internet 1975 * draft (16 July 1992) that has expired. 1976 */ 1977 if (tag == 0) { 1978 fin->fin_flx |= FI_BAD; 1979 continue; 1980 } else if (tag == 1) { 1981 if (*(t + 2) != 0) { 1982 fin->fin_flx |= FI_BAD; 1983 continue; 1984 } 1985 sensitivity = *(t + 3); 1986 /* Category bitmap for categories 0-239 */ 1987 1988 } else if (tag == 4) { 1989 if (*(t + 2) != 0) { 1990 fin->fin_flx |= FI_BAD; 1991 continue; 1992 } 1993 sensitivity = *(t + 3); 1994 /* Enumerated categories, 16bits each, upto 15 */ 1995 1996 } else if (tag == 5) { 1997 if (*(t + 2) != 0) { 1998 fin->fin_flx |= FI_BAD; 1999 continue; 2000 } 2001 sensitivity = *(t + 3); 2002 /* Range of categories (2*16bits), up to 7 pairs */ 2003 2004 } else if (tag > 127) { 2005 /* Custom defined DOI */ 2006 ; 2007 } else { 2008 fin->fin_flx |= FI_BAD; 2009 continue; 2010 } 2011 2012 if (sensitivity > fi->fi_sensitivity) 2013 fi->fi_sensitivity = sensitivity; 2014 } 2015 2016 return doi; 2017} 2018 2019 2020/* ------------------------------------------------------------------------ */ 2021/* Function: ipf_makefrip */ 2022/* Returns: int - 0 == packet ok, -1 == packet freed */ 2023/* Parameters: hlen(I) - length of IP packet header */ 2024/* ip(I) - pointer to the IP header */ 2025/* fin(IO) - pointer to packet information */ 2026/* */ 2027/* Compact the IP header into a structure which contains just the info. */ 2028/* which is useful for comparing IP headers with and store this information */ 2029/* in the fr_info_t structure pointer to by fin. At present, it is assumed */ 2030/* this function will be called with either an IPv4 or IPv6 packet. */ 2031/* ------------------------------------------------------------------------ */ 2032int 2033ipf_makefrip(hlen, ip, fin) 2034 int hlen; 2035 ip_t *ip; 2036 fr_info_t *fin; 2037{ 2038 ipf_main_softc_t *softc = fin->fin_main_soft; 2039 int v; 2040 2041 fin->fin_depth = 0; 2042 fin->fin_hlen = (u_short)hlen; 2043 fin->fin_ip = ip; 2044 fin->fin_rule = 0xffffffff; 2045 fin->fin_group[0] = -1; 2046 fin->fin_group[1] = '\0'; 2047 fin->fin_dp = (char *)ip + hlen; 2048 2049 v = fin->fin_v; 2050 if (v == 4) { 2051 fin->fin_plen = ntohs(ip->ip_len); 2052 fin->fin_dlen = fin->fin_plen - hlen; 2053 ipf_pr_ipv4hdr(fin); 2054#ifdef USE_INET6 2055 } else if (v == 6) { 2056 fin->fin_plen = ntohs(((ip6_t *)ip)->ip6_plen); 2057 fin->fin_dlen = fin->fin_plen; 2058 fin->fin_plen += hlen; 2059 2060 ipf_pr_ipv6hdr(fin); 2061#endif 2062 } 2063 if (fin->fin_ip == NULL) { 2064 LBUMP(ipf_stats[fin->fin_out].fr_ip_freed); 2065 return -1; 2066 } 2067 return 0; 2068} 2069 2070 2071/* ------------------------------------------------------------------------ */ 2072/* Function: ipf_portcheck */ 2073/* Returns: int - 1 == port matched, 0 == port match failed */ 2074/* Parameters: frp(I) - pointer to port check `expression' */ 2075/* pop(I) - port number to evaluate */ 2076/* */ 2077/* Perform a comparison of a port number against some other(s), using a */ 2078/* structure with compare information stored in it. */ 2079/* ------------------------------------------------------------------------ */ 2080static INLINE int 2081ipf_portcheck(frp, pop) 2082 frpcmp_t *frp; 2083 u_32_t pop; 2084{ 2085 int err = 1; 2086 u_32_t po; 2087 2088 po = frp->frp_port; 2089 2090 /* 2091 * Do opposite test to that required and continue if that succeeds. 2092 */ 2093 switch (frp->frp_cmp) 2094 { 2095 case FR_EQUAL : 2096 if (pop != po) /* EQUAL */ 2097 err = 0; 2098 break; 2099 case FR_NEQUAL : 2100 if (pop == po) /* NOTEQUAL */ 2101 err = 0; 2102 break; 2103 case FR_LESST : 2104 if (pop >= po) /* LESSTHAN */ 2105 err = 0; 2106 break; 2107 case FR_GREATERT : 2108 if (pop <= po) /* GREATERTHAN */ 2109 err = 0; 2110 break; 2111 case FR_LESSTE : 2112 if (pop > po) /* LT or EQ */ 2113 err = 0; 2114 break; 2115 case FR_GREATERTE : 2116 if (pop < po) /* GT or EQ */ 2117 err = 0; 2118 break; 2119 case FR_OUTRANGE : 2120 if (pop >= po && pop <= frp->frp_top) /* Out of range */ 2121 err = 0; 2122 break; 2123 case FR_INRANGE : 2124 if (pop <= po || pop >= frp->frp_top) /* In range */ 2125 err = 0; 2126 break; 2127 case FR_INCRANGE : 2128 if (pop < po || pop > frp->frp_top) /* Inclusive range */ 2129 err = 0; 2130 break; 2131 default : 2132 break; 2133 } 2134 return err; 2135} 2136 2137 2138/* ------------------------------------------------------------------------ */ 2139/* Function: ipf_tcpudpchk */ 2140/* Returns: int - 1 == protocol matched, 0 == check failed */ 2141/* Parameters: fda(I) - pointer to packet information */ 2142/* ft(I) - pointer to structure with comparison data */ 2143/* */ 2144/* Compares the current pcket (assuming it is TCP/UDP) information with a */ 2145/* structure containing information that we want to match against. */ 2146/* ------------------------------------------------------------------------ */ 2147int 2148ipf_tcpudpchk(fi, ft) 2149 fr_ip_t *fi; 2150 frtuc_t *ft; 2151{ 2152 int err = 1; 2153 2154 /* 2155 * Both ports should *always* be in the first fragment. 2156 * So far, I cannot find any cases where they can not be. 2157 * 2158 * compare destination ports 2159 */ 2160 if (ft->ftu_dcmp) 2161 err = ipf_portcheck(&ft->ftu_dst, fi->fi_ports[1]); 2162 2163 /* 2164 * compare source ports 2165 */ 2166 if (err && ft->ftu_scmp) 2167 err = ipf_portcheck(&ft->ftu_src, fi->fi_ports[0]); 2168 2169 /* 2170 * If we don't have all the TCP/UDP header, then how can we 2171 * expect to do any sort of match on it ? If we were looking for 2172 * TCP flags, then NO match. If not, then match (which should 2173 * satisfy the "short" class too). 2174 */ 2175 if (err && (fi->fi_p == IPPROTO_TCP)) { 2176 if (fi->fi_flx & FI_SHORT) 2177 return !(ft->ftu_tcpf | ft->ftu_tcpfm); 2178 /* 2179 * Match the flags ? If not, abort this match. 2180 */ 2181 if (ft->ftu_tcpfm && 2182 ft->ftu_tcpf != (fi->fi_tcpf & ft->ftu_tcpfm)) { 2183 FR_DEBUG(("f. %#x & %#x != %#x\n", fi->fi_tcpf, 2184 ft->ftu_tcpfm, ft->ftu_tcpf)); 2185 err = 0; 2186 } 2187 } 2188 return err; 2189} 2190 2191 2192/* ------------------------------------------------------------------------ */ 2193/* Function: ipf_check_ipf */ 2194/* Returns: int - 0 == match, else no match */ 2195/* Parameters: fin(I) - pointer to packet information */ 2196/* fr(I) - pointer to filter rule */ 2197/* portcmp(I) - flag indicating whether to attempt matching on */ 2198/* TCP/UDP port data. */ 2199/* */ 2200/* Check to see if a packet matches an IPFilter rule. Checks of addresses, */ 2201/* port numbers, etc, for "standard" IPFilter rules are all orchestrated in */ 2202/* this function. */ 2203/* ------------------------------------------------------------------------ */ 2204static INLINE int 2205ipf_check_ipf(fin, fr, portcmp) 2206 fr_info_t *fin; 2207 frentry_t *fr; 2208 int portcmp; 2209{ 2210 u_32_t *ld, *lm, *lip; 2211 fripf_t *fri; 2212 fr_ip_t *fi; 2213 int i; 2214 2215 fi = &fin->fin_fi; 2216 fri = fr->fr_ipf; 2217 lip = (u_32_t *)fi; 2218 lm = (u_32_t *)&fri->fri_mip; 2219 ld = (u_32_t *)&fri->fri_ip; 2220 2221 /* 2222 * first 32 bits to check coversion: 2223 * IP version, TOS, TTL, protocol 2224 */ 2225 i = ((*lip & *lm) != *ld); 2226 FR_DEBUG(("0. %#08x & %#08x != %#08x\n", 2227 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2228 if (i) 2229 return 1; 2230 2231 /* 2232 * Next 32 bits is a constructed bitmask indicating which IP options 2233 * are present (if any) in this packet. 2234 */ 2235 lip++, lm++, ld++; 2236 i = ((*lip & *lm) != *ld); 2237 FR_DEBUG(("1. %#08x & %#08x != %#08x\n", 2238 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2239 if (i != 0) 2240 return 1; 2241 2242 lip++, lm++, ld++; 2243 /* 2244 * Unrolled loops (4 each, for 32 bits) for address checks. 2245 */ 2246 /* 2247 * Check the source address. 2248 */ 2249 if (fr->fr_satype == FRI_LOOKUP) { 2250 i = (*fr->fr_srcfunc)(fin->fin_main_soft, fr->fr_srcptr, 2251 fi->fi_v, lip, fin->fin_plen); 2252 if (i == -1) 2253 return 1; 2254 lip += 3; 2255 lm += 3; 2256 ld += 3; 2257 } else { 2258 i = ((*lip & *lm) != *ld); 2259 FR_DEBUG(("2a. %#08x & %#08x != %#08x\n", 2260 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2261 if (fi->fi_v == 6) { 2262 lip++, lm++, ld++; 2263 i |= ((*lip & *lm) != *ld); 2264 FR_DEBUG(("2b. %#08x & %#08x != %#08x\n", 2265 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2266 lip++, lm++, ld++; 2267 i |= ((*lip & *lm) != *ld); 2268 FR_DEBUG(("2c. %#08x & %#08x != %#08x\n", 2269 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2270 lip++, lm++, ld++; 2271 i |= ((*lip & *lm) != *ld); 2272 FR_DEBUG(("2d. %#08x & %#08x != %#08x\n", 2273 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2274 } else { 2275 lip += 3; 2276 lm += 3; 2277 ld += 3; 2278 } 2279 } 2280 i ^= (fr->fr_flags & FR_NOTSRCIP) >> 6; 2281 if (i != 0) 2282 return 1; 2283 2284 /* 2285 * Check the destination address. 2286 */ 2287 lip++, lm++, ld++; 2288 if (fr->fr_datype == FRI_LOOKUP) { 2289 i = (*fr->fr_dstfunc)(fin->fin_main_soft, fr->fr_dstptr, 2290 fi->fi_v, lip, fin->fin_plen); 2291 if (i == -1) 2292 return 1; 2293 lip += 3; 2294 lm += 3; 2295 ld += 3; 2296 } else { 2297 i = ((*lip & *lm) != *ld); 2298 FR_DEBUG(("3a. %#08x & %#08x != %#08x\n", 2299 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2300 if (fi->fi_v == 6) { 2301 lip++, lm++, ld++; 2302 i |= ((*lip & *lm) != *ld); 2303 FR_DEBUG(("3b. %#08x & %#08x != %#08x\n", 2304 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2305 lip++, lm++, ld++; 2306 i |= ((*lip & *lm) != *ld); 2307 FR_DEBUG(("3c. %#08x & %#08x != %#08x\n", 2308 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2309 lip++, lm++, ld++; 2310 i |= ((*lip & *lm) != *ld); 2311 FR_DEBUG(("3d. %#08x & %#08x != %#08x\n", 2312 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2313 } else { 2314 lip += 3; 2315 lm += 3; 2316 ld += 3; 2317 } 2318 } 2319 i ^= (fr->fr_flags & FR_NOTDSTIP) >> 7; 2320 if (i != 0) 2321 return 1; 2322 /* 2323 * IP addresses matched. The next 32bits contains: 2324 * mast of old IP header security & authentication bits. 2325 */ 2326 lip++, lm++, ld++; 2327 i = (*ld - (*lip & *lm)); 2328 FR_DEBUG(("4. %#08x & %#08x != %#08x\n", *lip, *lm, *ld)); 2329 2330 /* 2331 * Next we have 32 bits of packet flags. 2332 */ 2333 lip++, lm++, ld++; 2334 i |= (*ld - (*lip & *lm)); 2335 FR_DEBUG(("5. %#08x & %#08x != %#08x\n", *lip, *lm, *ld)); 2336 2337 if (i == 0) { 2338 /* 2339 * If a fragment, then only the first has what we're 2340 * looking for here... 2341 */ 2342 if (portcmp) { 2343 if (!ipf_tcpudpchk(&fin->fin_fi, &fr->fr_tuc)) 2344 i = 1; 2345 } else { 2346 if (fr->fr_dcmp || fr->fr_scmp || 2347 fr->fr_tcpf || fr->fr_tcpfm) 2348 i = 1; 2349 if (fr->fr_icmpm || fr->fr_icmp) { 2350 if (((fi->fi_p != IPPROTO_ICMP) && 2351 (fi->fi_p != IPPROTO_ICMPV6)) || 2352 fin->fin_off || (fin->fin_dlen < 2)) 2353 i = 1; 2354 else if ((fin->fin_data[0] & fr->fr_icmpm) != 2355 fr->fr_icmp) { 2356 FR_DEBUG(("i. %#x & %#x != %#x\n", 2357 fin->fin_data[0], 2358 fr->fr_icmpm, fr->fr_icmp)); 2359 i = 1; 2360 } 2361 } 2362 } 2363 } 2364 return i; 2365} 2366 2367 2368/* ------------------------------------------------------------------------ */ 2369/* Function: ipf_scanlist */ 2370/* Returns: int - result flags of scanning filter list */ 2371/* Parameters: fin(I) - pointer to packet information */ 2372/* pass(I) - default result to return for filtering */ 2373/* */ 2374/* Check the input/output list of rules for a match to the current packet. */ 2375/* If a match is found, the value of fr_flags from the rule becomes the */ 2376/* return value and fin->fin_fr points to the matched rule. */ 2377/* */ 2378/* This function may be called recusively upto 16 times (limit inbuilt.) */ 2379/* When unwinding, it should finish up with fin_depth as 0. */ 2380/* */ 2381/* Could be per interface, but this gets real nasty when you don't have, */ 2382/* or can't easily change, the kernel source code to . */ 2383/* ------------------------------------------------------------------------ */ 2384int 2385ipf_scanlist(fin, pass) 2386 fr_info_t *fin; 2387 u_32_t pass; 2388{ 2389 ipf_main_softc_t *softc = fin->fin_main_soft; 2390 int rulen, portcmp, off, skip; 2391 struct frentry *fr, *fnext; 2392 u_32_t passt, passo; 2393 2394 /* 2395 * Do not allow nesting deeper than 16 levels. 2396 */ 2397 if (fin->fin_depth >= 16) 2398 return pass; 2399 2400 fr = fin->fin_fr; 2401 2402 /* 2403 * If there are no rules in this list, return now. 2404 */ 2405 if (fr == NULL) 2406 return pass; 2407 2408 skip = 0; 2409 portcmp = 0; 2410 fin->fin_depth++; 2411 fin->fin_fr = NULL; 2412 off = fin->fin_off; 2413 2414 if ((fin->fin_flx & FI_TCPUDP) && (fin->fin_dlen > 3) && !off) 2415 portcmp = 1; 2416 2417 for (rulen = 0; fr; fr = fnext, rulen++) { 2418 fnext = fr->fr_next; 2419 if (skip != 0) { 2420 FR_VERBOSE(("SKIP %d (%#x)\n", skip, fr->fr_flags)); 2421 skip--; 2422 continue; 2423 } 2424 2425 /* 2426 * In all checks below, a null (zero) value in the 2427 * filter struture is taken to mean a wildcard. 2428 * 2429 * check that we are working for the right interface 2430 */ 2431#ifdef _KERNEL 2432 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp) 2433 continue; 2434#else 2435 if (opts & (OPT_VERBOSE|OPT_DEBUG)) 2436 printf("\n"); 2437 FR_VERBOSE(("%c", FR_ISSKIP(pass) ? 's' : 2438 FR_ISPASS(pass) ? 'p' : 2439 FR_ISACCOUNT(pass) ? 'A' : 2440 FR_ISAUTH(pass) ? 'a' : 2441 (pass & FR_NOMATCH) ? 'n' :'b')); 2442 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp) 2443 continue; 2444 FR_VERBOSE((":i")); 2445#endif 2446 2447 switch (fr->fr_type) 2448 { 2449 case FR_T_IPF : 2450 case FR_T_IPF_BUILTIN : 2451 if (ipf_check_ipf(fin, fr, portcmp)) 2452 continue; 2453 break; 2454#if defined(IPFILTER_BPF) 2455 case FR_T_BPFOPC : 2456 case FR_T_BPFOPC_BUILTIN : 2457 { 2458 u_char *mc; 2459 int wlen; 2460 2461 if (*fin->fin_mp == NULL) 2462 continue; 2463 if (fin->fin_family != fr->fr_family) 2464 continue; 2465 mc = (u_char *)fin->fin_m; 2466 wlen = fin->fin_dlen + fin->fin_hlen; 2467 if (!bpf_filter(fr->fr_data, mc, wlen, 0)) 2468 continue; 2469 break; 2470 } 2471#endif 2472 case FR_T_CALLFUNC_BUILTIN : 2473 { 2474 frentry_t *f; 2475 2476 f = (*fr->fr_func)(fin, &pass); 2477 if (f != NULL) 2478 fr = f; 2479 else 2480 continue; 2481 break; 2482 } 2483 2484 case FR_T_IPFEXPR : 2485 case FR_T_IPFEXPR_BUILTIN : 2486 if (fin->fin_family != fr->fr_family) 2487 continue; 2488 if (ipf_fr_matcharray(fin, fr->fr_data) == 0) 2489 continue; 2490 break; 2491 2492 default : 2493 break; 2494 } 2495 2496 if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) { 2497 if (fin->fin_nattag == NULL) 2498 continue; 2499 if (ipf_matchtag(&fr->fr_nattag, fin->fin_nattag) == 0) 2500 continue; 2501 } 2502 FR_VERBOSE(("=%d/%d.%d *", fr->fr_grhead, fr->fr_group, rulen)); 2503 2504 passt = fr->fr_flags; 2505 2506 /* 2507 * If the rule is a "call now" rule, then call the function 2508 * in the rule, if it exists and use the results from that. 2509 * If the function pointer is bad, just make like we ignore 2510 * it, except for increasing the hit counter. 2511 */ 2512 if ((passt & FR_CALLNOW) != 0) { 2513 frentry_t *frs; 2514 2515 ATOMIC_INC64(fr->fr_hits); 2516 if ((fr->fr_func == NULL) || 2517 (fr->fr_func == (ipfunc_t)-1)) 2518 continue; 2519 2520 frs = fin->fin_fr; 2521 fin->fin_fr = fr; 2522 fr = (*fr->fr_func)(fin, &passt); 2523 if (fr == NULL) { 2524 fin->fin_fr = frs; 2525 continue; 2526 } 2527 passt = fr->fr_flags; 2528 } 2529 fin->fin_fr = fr; 2530 2531#ifdef IPFILTER_LOG 2532 /* 2533 * Just log this packet... 2534 */ 2535 if ((passt & FR_LOGMASK) == FR_LOG) { 2536 if (ipf_log_pkt(fin, passt) == -1) { 2537 if (passt & FR_LOGORBLOCK) { 2538 DT(frb_logfail); 2539 passt &= ~FR_CMDMASK; 2540 passt |= FR_BLOCK|FR_QUICK; 2541 fin->fin_reason = FRB_LOGFAIL; 2542 } 2543 } 2544 } 2545#endif /* IPFILTER_LOG */ 2546 2547 MUTEX_ENTER(&fr->fr_lock); 2548 fr->fr_bytes += (U_QUAD_T)fin->fin_plen; 2549 fr->fr_hits++; 2550 MUTEX_EXIT(&fr->fr_lock); 2551 fin->fin_rule = rulen; 2552 2553 passo = pass; 2554 if (FR_ISSKIP(passt)) { 2555 skip = fr->fr_arg; 2556 continue; 2557 } else if (((passt & FR_LOGMASK) != FR_LOG) && 2558 ((passt & FR_LOGMASK) != FR_DECAPSULATE)) { 2559 pass = passt; 2560 } 2561 2562 if (passt & (FR_RETICMP|FR_FAKEICMP)) 2563 fin->fin_icode = fr->fr_icode; 2564 2565 if (fr->fr_group != -1) { 2566 (void) strncpy(fin->fin_group, 2567 FR_NAME(fr, fr_group), 2568 strlen(FR_NAME(fr, fr_group))); 2569 } else { 2570 fin->fin_group[0] = '\0'; 2571 } 2572 2573 FR_DEBUG(("pass %#x/%#x/%x\n", passo, pass, passt)); 2574 2575 if (fr->fr_grphead != NULL) { 2576 fin->fin_fr = fr->fr_grphead->fg_start; 2577 FR_VERBOSE(("group %s\n", FR_NAME(fr, fr_grhead))); 2578 2579 if (FR_ISDECAPS(passt)) 2580 passt = ipf_decaps(fin, pass, fr->fr_icode); 2581 else 2582 passt = ipf_scanlist(fin, pass); 2583 2584 if (fin->fin_fr == NULL) { 2585 fin->fin_rule = rulen; 2586 if (fr->fr_group != -1) 2587 (void) strncpy(fin->fin_group, 2588 fr->fr_names + 2589 fr->fr_group, 2590 strlen(fr->fr_names + 2591 fr->fr_group)); 2592 fin->fin_fr = fr; 2593 passt = pass; 2594 } 2595 pass = passt; 2596 } 2597 2598 if (pass & FR_QUICK) { 2599 /* 2600 * Finally, if we've asked to track state for this 2601 * packet, set it up. Add state for "quick" rules 2602 * here so that if the action fails we can consider 2603 * the rule to "not match" and keep on processing 2604 * filter rules. 2605 */ 2606 if ((pass & FR_KEEPSTATE) && !FR_ISAUTH(pass) && 2607 !(fin->fin_flx & FI_STATE)) { 2608 int out = fin->fin_out; 2609 2610 fin->fin_fr = fr; 2611 if (ipf_state_add(softc, fin, NULL, 0) == 0) { 2612 LBUMPD(ipf_stats[out], fr_ads); 2613 } else { 2614 LBUMPD(ipf_stats[out], fr_bads); 2615 pass = passo; 2616 continue; 2617 } 2618 } 2619 break; 2620 } 2621 } 2622 fin->fin_depth--; 2623 return pass; 2624} 2625 2626 2627/* ------------------------------------------------------------------------ */ 2628/* Function: ipf_acctpkt */ 2629/* Returns: frentry_t* - always returns NULL */ 2630/* Parameters: fin(I) - pointer to packet information */ 2631/* passp(IO) - pointer to current/new filter decision (unused) */ 2632/* */ 2633/* Checks a packet against accounting rules, if there are any for the given */ 2634/* IP protocol version. */ 2635/* */ 2636/* N.B.: this function returns NULL to match the prototype used by other */ 2637/* functions called from the IPFilter "mainline" in ipf_check(). */ 2638/* ------------------------------------------------------------------------ */ 2639frentry_t * 2640ipf_acctpkt(fin, passp) 2641 fr_info_t *fin; 2642 u_32_t *passp; 2643{ 2644 ipf_main_softc_t *softc = fin->fin_main_soft; 2645 char group[FR_GROUPLEN]; 2646 frentry_t *fr, *frsave; 2647 u_32_t pass, rulen; 2648 2649 passp = passp; 2650 fr = softc->ipf_acct[fin->fin_out][softc->ipf_active]; 2651 2652 if (fr != NULL) { 2653 frsave = fin->fin_fr; 2654 bcopy(fin->fin_group, group, FR_GROUPLEN); 2655 rulen = fin->fin_rule; 2656 fin->fin_fr = fr; 2657 pass = ipf_scanlist(fin, FR_NOMATCH); 2658 if (FR_ISACCOUNT(pass)) { 2659 LBUMPD(ipf_stats[0], fr_acct); 2660 } 2661 fin->fin_fr = frsave; 2662 bcopy(group, fin->fin_group, FR_GROUPLEN); 2663 fin->fin_rule = rulen; 2664 } 2665 return NULL; 2666} 2667 2668 2669/* ------------------------------------------------------------------------ */ 2670/* Function: ipf_firewall */ 2671/* Returns: frentry_t* - returns pointer to matched rule, if no matches */ 2672/* were found, returns NULL. */ 2673/* Parameters: fin(I) - pointer to packet information */ 2674/* passp(IO) - pointer to current/new filter decision (unused) */ 2675/* */ 2676/* Applies an appropriate set of firewall rules to the packet, to see if */ 2677/* there are any matches. The first check is to see if a match can be seen */ 2678/* in the cache. If not, then search an appropriate list of rules. Once a */ 2679/* matching rule is found, take any appropriate actions as defined by the */ 2680/* rule - except logging. */ 2681/* ------------------------------------------------------------------------ */ 2682static frentry_t * 2683ipf_firewall(fin, passp) 2684 fr_info_t *fin; 2685 u_32_t *passp; 2686{ 2687 ipf_main_softc_t *softc = fin->fin_main_soft; 2688 frentry_t *fr; 2689 u_32_t pass; 2690 int out; 2691 2692 out = fin->fin_out; 2693 pass = *passp; 2694 2695 /* 2696 * This rule cache will only affect packets that are not being 2697 * statefully filtered. 2698 */ 2699 fin->fin_fr = softc->ipf_rules[out][softc->ipf_active]; 2700 if (fin->fin_fr != NULL) 2701 pass = ipf_scanlist(fin, softc->ipf_pass); 2702 2703 if ((pass & FR_NOMATCH)) { 2704 LBUMPD(ipf_stats[out], fr_nom); 2705 } 2706 fr = fin->fin_fr; 2707 2708 /* 2709 * Apply packets per second rate-limiting to a rule as required. 2710 */ 2711 if ((fr != NULL) && (fr->fr_pps != 0) && 2712 !ppsratecheck(&fr->fr_lastpkt, &fr->fr_curpps, fr->fr_pps)) { 2713 DT2(frb_ppsrate, fr_info_t *, fin, frentry_t *, fr); 2714 pass &= ~(FR_CMDMASK|FR_RETICMP|FR_RETRST); 2715 pass |= FR_BLOCK; 2716 LBUMPD(ipf_stats[out], fr_ppshit); 2717 fin->fin_reason = FRB_PPSRATE; 2718 } 2719 2720 /* 2721 * If we fail to add a packet to the authorization queue, then we 2722 * drop the packet later. However, if it was added then pretend 2723 * we've dropped it already. 2724 */ 2725 if (FR_ISAUTH(pass)) { 2726 if (ipf_auth_new(fin->fin_m, fin) != 0) { 2727 DT1(frb_authnew, fr_info_t *, fin); 2728 fin->fin_m = *fin->fin_mp = NULL; 2729 fin->fin_reason = FRB_AUTHNEW; 2730 fin->fin_error = 0; 2731 } else { 2732 IPFERROR(1); 2733 fin->fin_error = ENOSPC; 2734 } 2735 } 2736 2737 if ((fr != NULL) && (fr->fr_func != NULL) && 2738 (fr->fr_func != (ipfunc_t)-1) && !(pass & FR_CALLNOW)) 2739 (void) (*fr->fr_func)(fin, &pass); 2740 2741 /* 2742 * If a rule is a pre-auth rule, check again in the list of rules 2743 * loaded for authenticated use. It does not particulary matter 2744 * if this search fails because a "preauth" result, from a rule, 2745 * is treated as "not a pass", hence the packet is blocked. 2746 */ 2747 if (FR_ISPREAUTH(pass)) { 2748 pass = ipf_auth_pre_scanlist(softc, fin, pass); 2749 } 2750 2751 /* 2752 * If the rule has "keep frag" and the packet is actually a fragment, 2753 * then create a fragment state entry. 2754 */ 2755 if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) { 2756 if (fin->fin_flx & FI_FRAG) { 2757 if (ipf_frag_new(softc, fin, pass) == -1) { 2758 LBUMP(ipf_stats[out].fr_bnfr); 2759 } else { 2760 LBUMP(ipf_stats[out].fr_nfr); 2761 } 2762 } else { 2763 LBUMP(ipf_stats[out].fr_cfr); 2764 } 2765 } 2766 2767 fr = fin->fin_fr; 2768 *passp = pass; 2769 2770 return fr; 2771} 2772 2773 2774/* ------------------------------------------------------------------------ */ 2775/* Function: ipf_check */ 2776/* Returns: int - 0 == packet allowed through, */ 2777/* User space: */ 2778/* -1 == packet blocked */ 2779/* 1 == packet not matched */ 2780/* -2 == requires authentication */ 2781/* Kernel: */ 2782/* > 0 == filter error # for packet */ 2783/* Parameters: ip(I) - pointer to start of IPv4/6 packet */ 2784/* hlen(I) - length of header */ 2785/* ifp(I) - pointer to interface this packet is on */ 2786/* out(I) - 0 == packet going in, 1 == packet going out */ 2787/* mp(IO) - pointer to caller's buffer pointer that holds this */ 2788/* IP packet. */ 2789/* Solaris & HP-UX ONLY : */ 2790/* qpi(I) - pointer to STREAMS queue information for this */ 2791/* interface & direction. */ 2792/* */ 2793/* ipf_check() is the master function for all IPFilter packet processing. */ 2794/* It orchestrates: Network Address Translation (NAT), checking for packet */ 2795/* authorisation (or pre-authorisation), presence of related state info., */ 2796/* generating log entries, IP packet accounting, routing of packets as */ 2797/* directed by firewall rules and of course whether or not to allow the */ 2798/* packet to be further processed by the kernel. */ 2799/* */ 2800/* For packets blocked, the contents of "mp" will be NULL'd and the buffer */ 2801/* freed. Packets passed may be returned with the pointer pointed to by */ 2802/* by "mp" changed to a new buffer. */ 2803/* ------------------------------------------------------------------------ */ 2804int 2805ipf_check(ctx, ip, hlen, ifp, out 2806#if defined(_KERNEL) && defined(MENTAT) 2807 , qif, mp) 2808 void *qif; 2809#else 2810 , mp) 2811#endif 2812 mb_t **mp; 2813 ip_t *ip; 2814 int hlen; 2815 void *ifp; 2816 int out; 2817 void *ctx; 2818{ 2819 /* 2820 * The above really sucks, but short of writing a diff 2821 */ 2822 ipf_main_softc_t *softc = ctx; 2823 fr_info_t frinfo; 2824 fr_info_t *fin = &frinfo; 2825 u_32_t pass = softc->ipf_pass; 2826 frentry_t *fr = NULL; 2827 int v = IP_V(ip); 2828 mb_t *mc = NULL; 2829 mb_t *m; 2830 /* 2831 * The first part of ipf_check() deals with making sure that what goes 2832 * into the filtering engine makes some sense. Information about the 2833 * the packet is distilled, collected into a fr_info_t structure and 2834 * the an attempt to ensure the buffer the packet is in is big enough 2835 * to hold all the required packet headers. 2836 */ 2837#ifdef _KERNEL 2838# ifdef MENTAT 2839 qpktinfo_t *qpi = qif; 2840 2841# ifdef __sparc 2842 if ((u_int)ip & 0x3) 2843 return 2; 2844# endif 2845# else 2846 SPL_INT(s); 2847# endif 2848 2849 if (softc->ipf_running <= 0) { 2850 return 0; 2851 } 2852 2853 bzero((char *)fin, sizeof(*fin)); 2854 2855# ifdef MENTAT 2856 if (qpi->qpi_flags & QF_BROADCAST) 2857 fin->fin_flx |= FI_MBCAST|FI_BROADCAST; 2858 if (qpi->qpi_flags & QF_MULTICAST) 2859 fin->fin_flx |= FI_MBCAST|FI_MULTICAST; 2860 m = qpi->qpi_m; 2861 fin->fin_qfm = m; 2862 fin->fin_qpi = qpi; 2863# else /* MENTAT */ 2864 2865 m = *mp; 2866 2867# if defined(M_MCAST) 2868 if ((m->m_flags & M_MCAST) != 0) 2869 fin->fin_flx |= FI_MBCAST|FI_MULTICAST; 2870# endif 2871# if defined(M_MLOOP) 2872 if ((m->m_flags & M_MLOOP) != 0) 2873 fin->fin_flx |= FI_MBCAST|FI_MULTICAST; 2874# endif 2875# if defined(M_BCAST) 2876 if ((m->m_flags & M_BCAST) != 0) 2877 fin->fin_flx |= FI_MBCAST|FI_BROADCAST; 2878# endif 2879# ifdef M_CANFASTFWD 2880 /* 2881 * XXX For now, IP Filter and fast-forwarding of cached flows 2882 * XXX are mutually exclusive. Eventually, IP Filter should 2883 * XXX get a "can-fast-forward" filter rule. 2884 */ 2885 m->m_flags &= ~M_CANFASTFWD; 2886# endif /* M_CANFASTFWD */ 2887# if defined(CSUM_DELAY_DATA) && (!defined(__FreeBSD_version) || \ 2888 (__FreeBSD_version < 501108)) 2889 /* 2890 * disable delayed checksums. 2891 */ 2892 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 2893 in_delayed_cksum(m); 2894 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 2895 } 2896# endif /* CSUM_DELAY_DATA */ 2897# endif /* MENTAT */ 2898#else 2899 bzero((char *)fin, sizeof(*fin)); 2900 m = *mp; 2901# if defined(M_MCAST) 2902 if ((m->m_flags & M_MCAST) != 0) 2903 fin->fin_flx |= FI_MBCAST|FI_MULTICAST; 2904# endif 2905# if defined(M_MLOOP) 2906 if ((m->m_flags & M_MLOOP) != 0) 2907 fin->fin_flx |= FI_MBCAST|FI_MULTICAST; 2908# endif 2909# if defined(M_BCAST) 2910 if ((m->m_flags & M_BCAST) != 0) 2911 fin->fin_flx |= FI_MBCAST|FI_BROADCAST; 2912# endif 2913#endif /* _KERNEL */ 2914 2915 fin->fin_v = v; 2916 fin->fin_m = m; 2917 fin->fin_ip = ip; 2918 fin->fin_mp = mp; 2919 fin->fin_out = out; 2920 fin->fin_ifp = ifp; 2921 fin->fin_error = ENETUNREACH; 2922 fin->fin_hlen = (u_short)hlen; 2923 fin->fin_dp = (char *)ip + hlen; 2924 fin->fin_main_soft = softc; 2925 2926 fin->fin_ipoff = (char *)ip - MTOD(m, char *); 2927 2928 SPL_NET(s); 2929 2930#ifdef USE_INET6 2931 if (v == 6) { 2932 LBUMP(ipf_stats[out].fr_ipv6); 2933 /* 2934 * Jumbo grams are quite likely too big for internal buffer 2935 * structures to handle comfortably, for now, so just drop 2936 * them. 2937 */ 2938 if (((ip6_t *)ip)->ip6_plen == 0) { 2939 DT1(frb_jumbo, ip6_t *, (ip6_t *)ip); 2940 pass = FR_BLOCK|FR_NOMATCH; 2941 fin->fin_reason = FRB_JUMBO; 2942 goto finished; 2943 } 2944 fin->fin_family = AF_INET6; 2945 } else 2946#endif 2947 { 2948 fin->fin_family = AF_INET; 2949 } 2950 2951 if (ipf_makefrip(hlen, ip, fin) == -1) { 2952 DT1(frb_makefrip, fr_info_t *, fin); 2953 pass = FR_BLOCK|FR_NOMATCH; 2954 fin->fin_reason = FRB_MAKEFRIP; 2955 goto finished; 2956 } 2957 2958 /* 2959 * For at least IPv6 packets, if a m_pullup() fails then this pointer 2960 * becomes NULL and so we have no packet to free. 2961 */ 2962 if (*fin->fin_mp == NULL) 2963 goto finished; 2964 2965 if (!out) { 2966 if (v == 4) { 2967 if (softc->ipf_chksrc && !ipf_verifysrc(fin)) { 2968 LBUMPD(ipf_stats[0], fr_v4_badsrc); 2969 fin->fin_flx |= FI_BADSRC; 2970 } 2971 if (fin->fin_ip->ip_ttl < softc->ipf_minttl) { 2972 LBUMPD(ipf_stats[0], fr_v4_badttl); 2973 fin->fin_flx |= FI_LOWTTL; 2974 } 2975 } 2976#ifdef USE_INET6 2977 else if (v == 6) { 2978 if (((ip6_t *)ip)->ip6_hlim < softc->ipf_minttl) { 2979 LBUMPD(ipf_stats[0], fr_v6_badttl); 2980 fin->fin_flx |= FI_LOWTTL; 2981 } 2982 } 2983#endif 2984 } 2985 2986 if (fin->fin_flx & FI_SHORT) { 2987 LBUMPD(ipf_stats[out], fr_short); 2988 } 2989 2990 READ_ENTER(&softc->ipf_mutex); 2991 2992 if (!out) { 2993 switch (fin->fin_v) 2994 { 2995 case 4 : 2996 if (ipf_nat_checkin(fin, &pass) == -1) { 2997 goto filterdone; 2998 } 2999 break; 3000#ifdef USE_INET6 3001 case 6 : 3002 if (ipf_nat6_checkin(fin, &pass) == -1) { 3003 goto filterdone; 3004 } 3005 break; 3006#endif 3007 default : 3008 break; 3009 } 3010 } 3011 /* 3012 * Check auth now. 3013 * If a packet is found in the auth table, then skip checking 3014 * the access lists for permission but we do need to consider 3015 * the result as if it were from the ACL's. In addition, being 3016 * found in the auth table means it has been seen before, so do 3017 * not pass it through accounting (again), lest it be counted twice. 3018 */ 3019 fr = ipf_auth_check(fin, &pass); 3020 if (!out && (fr == NULL)) 3021 (void) ipf_acctpkt(fin, NULL); 3022 3023 if (fr == NULL) { 3024 if ((fin->fin_flx & FI_FRAG) != 0) 3025 fr = ipf_frag_known(fin, &pass); 3026 3027 if (fr == NULL) 3028 fr = ipf_state_check(fin, &pass); 3029 } 3030 3031 if ((pass & FR_NOMATCH) || (fr == NULL)) 3032 fr = ipf_firewall(fin, &pass); 3033 3034 /* 3035 * If we've asked to track state for this packet, set it up. 3036 * Here rather than ipf_firewall because ipf_checkauth may decide 3037 * to return a packet for "keep state" 3038 */ 3039 if ((pass & FR_KEEPSTATE) && (fin->fin_m != NULL) && 3040 !(fin->fin_flx & FI_STATE)) { 3041 if (ipf_state_add(softc, fin, NULL, 0) == 0) { 3042 LBUMP(ipf_stats[out].fr_ads); 3043 } else { 3044 LBUMP(ipf_stats[out].fr_bads); 3045 if (FR_ISPASS(pass)) { 3046 DT(frb_stateadd); 3047 pass &= ~FR_CMDMASK; 3048 pass |= FR_BLOCK; 3049 fin->fin_reason = FRB_STATEADD; 3050 } 3051 } 3052 } 3053 3054 fin->fin_fr = fr; 3055 if ((fr != NULL) && !(fin->fin_flx & FI_STATE)) { 3056 fin->fin_dif = &fr->fr_dif; 3057 fin->fin_tif = &fr->fr_tifs[fin->fin_rev]; 3058 } 3059 3060 /* 3061 * Only count/translate packets which will be passed on, out the 3062 * interface. 3063 */ 3064 if (out && FR_ISPASS(pass)) { 3065 (void) ipf_acctpkt(fin, NULL); 3066 3067 switch (fin->fin_v) 3068 { 3069 case 4 : 3070 if (ipf_nat_checkout(fin, &pass) == -1) { 3071 ; 3072 } else if ((softc->ipf_update_ipid != 0) && (v == 4)) { 3073 if (ipf_updateipid(fin) == -1) { 3074 DT(frb_updateipid); 3075 LBUMP(ipf_stats[1].fr_ipud); 3076 pass &= ~FR_CMDMASK; 3077 pass |= FR_BLOCK; 3078 fin->fin_reason = FRB_UPDATEIPID; 3079 } else { 3080 LBUMP(ipf_stats[0].fr_ipud); 3081 } 3082 } 3083 break; 3084#ifdef USE_INET6 3085 case 6 : 3086 (void) ipf_nat6_checkout(fin, &pass); 3087 break; 3088#endif 3089 default : 3090 break; 3091 } 3092 } 3093 3094filterdone: 3095#ifdef IPFILTER_LOG 3096 if ((softc->ipf_flags & FF_LOGGING) || (pass & FR_LOGMASK)) { 3097 (void) ipf_dolog(fin, &pass); 3098 } 3099#endif 3100 3101 /* 3102 * The FI_STATE flag is cleared here so that calling ipf_state_check 3103 * will work when called from inside of fr_fastroute. Although 3104 * there is a similar flag, FI_NATED, for NAT, it does have the same 3105 * impact on code execution. 3106 */ 3107 fin->fin_flx &= ~FI_STATE; 3108 3109#if defined(FASTROUTE_RECURSION) 3110 /* 3111 * Up the reference on fr_lock and exit ipf_mutex. The generation of 3112 * a packet below can sometimes cause a recursive call into IPFilter. 3113 * On those platforms where that does happen, we need to hang onto 3114 * the filter rule just in case someone decides to remove or flush it 3115 * in the meantime. 3116 */ 3117 if (fr != NULL) { 3118 MUTEX_ENTER(&fr->fr_lock); 3119 fr->fr_ref++; 3120 MUTEX_EXIT(&fr->fr_lock); 3121 } 3122 3123 RWLOCK_EXIT(&softc->ipf_mutex); 3124#endif 3125 3126 if ((pass & FR_RETMASK) != 0) { 3127 /* 3128 * Should we return an ICMP packet to indicate error 3129 * status passing through the packet filter ? 3130 * WARNING: ICMP error packets AND TCP RST packets should 3131 * ONLY be sent in repsonse to incoming packets. Sending 3132 * them in response to outbound packets can result in a 3133 * panic on some operating systems. 3134 */ 3135 if (!out) { 3136 if (pass & FR_RETICMP) { 3137 int dst; 3138 3139 if ((pass & FR_RETMASK) == FR_FAKEICMP) 3140 dst = 1; 3141 else 3142 dst = 0; 3143 (void) ipf_send_icmp_err(ICMP_UNREACH, fin, 3144 dst); 3145 LBUMP(ipf_stats[0].fr_ret); 3146 } else if (((pass & FR_RETMASK) == FR_RETRST) && 3147 !(fin->fin_flx & FI_SHORT)) { 3148 if (((fin->fin_flx & FI_OOW) != 0) || 3149 (ipf_send_reset(fin) == 0)) { 3150 LBUMP(ipf_stats[1].fr_ret); 3151 } 3152 } 3153 3154 /* 3155 * When using return-* with auth rules, the auth code 3156 * takes over disposing of this packet. 3157 */ 3158 if (FR_ISAUTH(pass) && (fin->fin_m != NULL)) { 3159 DT1(frb_authcapture, fr_info_t *, fin); 3160 fin->fin_m = *fin->fin_mp = NULL; 3161 fin->fin_reason = FRB_AUTHCAPTURE; 3162 m = NULL; 3163 } 3164 } else { 3165 if (pass & FR_RETRST) { 3166 fin->fin_error = ECONNRESET; 3167 } 3168 } 3169 } 3170 3171 /* 3172 * After the above so that ICMP unreachables and TCP RSTs get 3173 * created properly. 3174 */ 3175 if (FR_ISBLOCK(pass) && (fin->fin_flx & FI_NEWNAT)) 3176 ipf_nat_uncreate(fin); 3177 3178 /* 3179 * If we didn't drop off the bottom of the list of rules (and thus 3180 * the 'current' rule fr is not NULL), then we may have some extra 3181 * instructions about what to do with a packet. 3182 * Once we're finished return to our caller, freeing the packet if 3183 * we are dropping it. 3184 */ 3185 if (fr != NULL) { 3186 frdest_t *fdp; 3187 3188 /* 3189 * Generate a duplicated packet first because ipf_fastroute 3190 * can lead to fin_m being free'd... not good. 3191 */ 3192 fdp = fin->fin_dif; 3193 if ((fdp != NULL) && (fdp->fd_ptr != NULL) && 3194 (fdp->fd_ptr != (void *)-1)) { 3195 mc = M_COPY(fin->fin_m); 3196 if (mc != NULL) 3197 ipf_fastroute(mc, &mc, fin, fdp); 3198 } 3199 3200 fdp = fin->fin_tif; 3201 if (!out && (pass & FR_FASTROUTE)) { 3202 /* 3203 * For fastroute rule, no destination interface defined 3204 * so pass NULL as the frdest_t parameter 3205 */ 3206 (void) ipf_fastroute(fin->fin_m, mp, fin, NULL); 3207 m = *mp = NULL; 3208 } else if ((fdp != NULL) && (fdp->fd_ptr != NULL) && 3209 (fdp->fd_ptr != (struct ifnet *)-1)) { 3210 /* this is for to rules: */ 3211 ipf_fastroute(fin->fin_m, mp, fin, fdp); 3212 m = *mp = NULL; 3213 } 3214 3215#if defined(FASTROUTE_RECURSION) 3216 (void) ipf_derefrule(softc, &fr); 3217#endif 3218 } 3219#if !defined(FASTROUTE_RECURSION) 3220 RWLOCK_EXIT(&softc->ipf_mutex); 3221#endif 3222 3223finished: 3224 if (!FR_ISPASS(pass)) { 3225 LBUMP(ipf_stats[out].fr_block); 3226 if (*mp != NULL) { 3227#ifdef _KERNEL 3228 FREE_MB_T(*mp); 3229#endif 3230 m = *mp = NULL; 3231 } 3232 } else { 3233 LBUMP(ipf_stats[out].fr_pass); 3234#if defined(_KERNEL) && defined(__sgi) 3235 if ((fin->fin_hbuf != NULL) && 3236 (mtod(fin->fin_m, struct ip *) != fin->fin_ip)) { 3237 COPYBACK(fin->fin_m, 0, fin->fin_plen, fin->fin_hbuf); 3238 } 3239#endif 3240 } 3241 3242 SPL_X(s); 3243 3244#ifdef _KERNEL 3245 if (FR_ISPASS(pass)) 3246 return 0; 3247 LBUMP(ipf_stats[out].fr_blocked[fin->fin_reason]); 3248 return fin->fin_error; 3249#else /* _KERNEL */ 3250 if (*mp != NULL) 3251 (*mp)->mb_ifp = fin->fin_ifp; 3252 blockreason = fin->fin_reason; 3253 FR_VERBOSE(("fin_flx %#x pass %#x ", fin->fin_flx, pass)); 3254 /*if ((pass & FR_CMDMASK) == (softc->ipf_pass & FR_CMDMASK))*/ 3255 if ((pass & FR_NOMATCH) != 0) 3256 return 1; 3257 3258 if ((pass & FR_RETMASK) != 0) 3259 switch (pass & FR_RETMASK) 3260 { 3261 case FR_RETRST : 3262 return 3; 3263 case FR_RETICMP : 3264 return 4; 3265 case FR_FAKEICMP : 3266 return 5; 3267 } 3268 3269 switch (pass & FR_CMDMASK) 3270 { 3271 case FR_PASS : 3272 return 0; 3273 case FR_BLOCK : 3274 return -1; 3275 case FR_AUTH : 3276 return -2; 3277 case FR_ACCOUNT : 3278 return -3; 3279 case FR_PREAUTH : 3280 return -4; 3281 } 3282 return 2; 3283#endif /* _KERNEL */ 3284} 3285 3286 3287#ifdef IPFILTER_LOG 3288/* ------------------------------------------------------------------------ */ 3289/* Function: ipf_dolog */ 3290/* Returns: frentry_t* - returns contents of fin_fr (no change made) */ 3291/* Parameters: fin(I) - pointer to packet information */ 3292/* passp(IO) - pointer to current/new filter decision (unused) */ 3293/* */ 3294/* Checks flags set to see how a packet should be logged, if it is to be */ 3295/* logged. Adjust statistics based on its success or not. */ 3296/* ------------------------------------------------------------------------ */ 3297frentry_t * 3298ipf_dolog(fin, passp) 3299 fr_info_t *fin; 3300 u_32_t *passp; 3301{ 3302 ipf_main_softc_t *softc = fin->fin_main_soft; 3303 u_32_t pass; 3304 int out; 3305 3306 out = fin->fin_out; 3307 pass = *passp; 3308 3309 if ((softc->ipf_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) { 3310 pass |= FF_LOGNOMATCH; 3311 LBUMPD(ipf_stats[out], fr_npkl); 3312 goto logit; 3313 3314 } else if (((pass & FR_LOGMASK) == FR_LOGP) || 3315 (FR_ISPASS(pass) && (softc->ipf_flags & FF_LOGPASS))) { 3316 if ((pass & FR_LOGMASK) != FR_LOGP) 3317 pass |= FF_LOGPASS; 3318 LBUMPD(ipf_stats[out], fr_ppkl); 3319 goto logit; 3320 3321 } else if (((pass & FR_LOGMASK) == FR_LOGB) || 3322 (FR_ISBLOCK(pass) && (softc->ipf_flags & FF_LOGBLOCK))) { 3323 if ((pass & FR_LOGMASK) != FR_LOGB) 3324 pass |= FF_LOGBLOCK; 3325 LBUMPD(ipf_stats[out], fr_bpkl); 3326 3327logit: 3328 if (ipf_log_pkt(fin, pass) == -1) { 3329 /* 3330 * If the "or-block" option has been used then 3331 * block the packet if we failed to log it. 3332 */ 3333 if ((pass & FR_LOGORBLOCK) && FR_ISPASS(pass)) { 3334 DT1(frb_logfail2, u_int, pass); 3335 pass &= ~FR_CMDMASK; 3336 pass |= FR_BLOCK; 3337 fin->fin_reason = FRB_LOGFAIL2; 3338 } 3339 } 3340 *passp = pass; 3341 } 3342 3343 return fin->fin_fr; 3344} 3345#endif /* IPFILTER_LOG */ 3346 3347 3348/* ------------------------------------------------------------------------ */ 3349/* Function: ipf_cksum */ 3350/* Returns: u_short - IP header checksum */ 3351/* Parameters: addr(I) - pointer to start of buffer to checksum */ 3352/* len(I) - length of buffer in bytes */ 3353/* */ 3354/* Calculate the two's complement 16 bit checksum of the buffer passed. */ 3355/* */ 3356/* N.B.: addr should be 16bit aligned. */ 3357/* ------------------------------------------------------------------------ */ 3358u_short 3359ipf_cksum(addr, len) 3360 u_short *addr; 3361 int len; 3362{ 3363 u_32_t sum = 0; 3364 3365 for (sum = 0; len > 1; len -= 2) 3366 sum += *addr++; 3367 3368 /* mop up an odd byte, if necessary */ 3369 if (len == 1) 3370 sum += *(u_char *)addr; 3371 3372 /* 3373 * add back carry outs from top 16 bits to low 16 bits 3374 */ 3375 sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ 3376 sum += (sum >> 16); /* add carry */ 3377 return (u_short)(~sum); 3378} 3379 3380 3381/* ------------------------------------------------------------------------ */ 3382/* Function: fr_cksum */ 3383/* Returns: u_short - layer 4 checksum */ 3384/* Parameters: fin(I) - pointer to packet information */ 3385/* ip(I) - pointer to IP header */ 3386/* l4proto(I) - protocol to caclulate checksum for */ 3387/* l4hdr(I) - pointer to layer 4 header */ 3388/* */ 3389/* Calculates the TCP checksum for the packet held in "m", using the data */ 3390/* in the IP header "ip" to seed it. */ 3391/* */ 3392/* NB: This function assumes we've pullup'd enough for all of the IP header */ 3393/* and the TCP header. We also assume that data blocks aren't allocated in */ 3394/* odd sizes. */ 3395/* */ 3396/* Expects ip_len and ip_off to be in network byte order when called. */ 3397/* ------------------------------------------------------------------------ */ 3398u_short 3399fr_cksum(fin, ip, l4proto, l4hdr) 3400 fr_info_t *fin; 3401 ip_t *ip; 3402 int l4proto; 3403 void *l4hdr; 3404{ 3405 u_short *sp, slen, sumsave, *csump; 3406 u_int sum, sum2; 3407 int hlen; 3408 int off; 3409#ifdef USE_INET6 3410 ip6_t *ip6; 3411#endif 3412 3413 csump = NULL; 3414 sumsave = 0; 3415 sp = NULL; 3416 slen = 0; 3417 hlen = 0; 3418 sum = 0; 3419 3420 sum = htons((u_short)l4proto); 3421 /* 3422 * Add up IP Header portion 3423 */ 3424#ifdef USE_INET6 3425 if (IP_V(ip) == 4) { 3426#endif 3427 hlen = IP_HL(ip) << 2; 3428 off = hlen; 3429 sp = (u_short *)&ip->ip_src; 3430 sum += *sp++; /* ip_src */ 3431 sum += *sp++; 3432 sum += *sp++; /* ip_dst */ 3433 sum += *sp++; 3434#ifdef USE_INET6 3435 } else if (IP_V(ip) == 6) { 3436 ip6 = (ip6_t *)ip; 3437 hlen = sizeof(*ip6); 3438 off = ((char *)fin->fin_dp - (char *)fin->fin_ip); 3439 sp = (u_short *)&ip6->ip6_src; 3440 sum += *sp++; /* ip6_src */ 3441 sum += *sp++; 3442 sum += *sp++; 3443 sum += *sp++; 3444 sum += *sp++; 3445 sum += *sp++; 3446 sum += *sp++; 3447 sum += *sp++; 3448 /* This needs to be routing header aware. */ 3449 sum += *sp++; /* ip6_dst */ 3450 sum += *sp++; 3451 sum += *sp++; 3452 sum += *sp++; 3453 sum += *sp++; 3454 sum += *sp++; 3455 sum += *sp++; 3456 sum += *sp++; 3457 } else { 3458 return 0xffff; 3459 } 3460#endif 3461 slen = fin->fin_plen - off; 3462 sum += htons(slen); 3463 3464 switch (l4proto) 3465 { 3466 case IPPROTO_UDP : 3467 csump = &((udphdr_t *)l4hdr)->uh_sum; 3468 break; 3469 3470 case IPPROTO_TCP : 3471 csump = &((tcphdr_t *)l4hdr)->th_sum; 3472 break; 3473 case IPPROTO_ICMP : 3474 csump = &((icmphdr_t *)l4hdr)->icmp_cksum; 3475 sum = 0; /* Pseudo-checksum is not included */ 3476 break; 3477#ifdef USE_INET6 3478 case IPPROTO_ICMPV6 : 3479 csump = &((struct icmp6_hdr *)l4hdr)->icmp6_cksum; 3480 break; 3481#endif 3482 default : 3483 break; 3484 } 3485 3486 if (csump != NULL) { 3487 sumsave = *csump; 3488 *csump = 0; 3489 } 3490 3491 sum2 = ipf_pcksum(fin, off, sum); 3492 if (csump != NULL) 3493 *csump = sumsave; 3494 return sum2; 3495} 3496 3497 3498/* ------------------------------------------------------------------------ */ 3499/* Function: ipf_findgroup */ 3500/* Returns: frgroup_t * - NULL = group not found, else pointer to group */ 3501/* Parameters: softc(I) - pointer to soft context main structure */ 3502/* group(I) - group name to search for */ 3503/* unit(I) - device to which this group belongs */ 3504/* set(I) - which set of rules (inactive/inactive) this is */ 3505/* fgpp(O) - pointer to place to store pointer to the pointer */ 3506/* to where to add the next (last) group or where */ 3507/* to delete group from. */ 3508/* */ 3509/* Search amongst the defined groups for a particular group number. */ 3510/* ------------------------------------------------------------------------ */ 3511frgroup_t * 3512ipf_findgroup(softc, group, unit, set, fgpp) 3513 ipf_main_softc_t *softc; 3514 char *group; 3515 minor_t unit; 3516 int set; 3517 frgroup_t ***fgpp; 3518{ 3519 frgroup_t *fg, **fgp; 3520 3521 /* 3522 * Which list of groups to search in is dependent on which list of 3523 * rules are being operated on. 3524 */ 3525 fgp = &softc->ipf_groups[unit][set]; 3526 3527 while ((fg = *fgp) != NULL) { 3528 if (strncmp(group, fg->fg_name, FR_GROUPLEN) == 0) 3529 break; 3530 else 3531 fgp = &fg->fg_next; 3532 } 3533 if (fgpp != NULL) 3534 *fgpp = fgp; 3535 return fg; 3536} 3537 3538 3539/* ------------------------------------------------------------------------ */ 3540/* Function: ipf_group_add */ 3541/* Returns: frgroup_t * - NULL == did not create group, */ 3542/* != NULL == pointer to the group */ 3543/* Parameters: softc(I) - pointer to soft context main structure */ 3544/* num(I) - group number to add */ 3545/* head(I) - rule pointer that is using this as the head */ 3546/* flags(I) - rule flags which describe the type of rule it is */ 3547/* unit(I) - device to which this group will belong to */ 3548/* set(I) - which set of rules (inactive/inactive) this is */ 3549/* Write Locks: ipf_mutex */ 3550/* */ 3551/* Add a new group head, or if it already exists, increase the reference */ 3552/* count to it. */ 3553/* ------------------------------------------------------------------------ */ 3554frgroup_t * 3555ipf_group_add(softc, group, head, flags, unit, set) 3556 ipf_main_softc_t *softc; 3557 char *group; 3558 void *head; 3559 u_32_t flags; 3560 minor_t unit; 3561 int set; 3562{ 3563 frgroup_t *fg, **fgp; 3564 u_32_t gflags; 3565 3566 if (group == NULL) 3567 return NULL; 3568 3569 if (unit == IPL_LOGIPF && *group == '\0') 3570 return NULL; 3571 3572 fgp = NULL; 3573 gflags = flags & FR_INOUT; 3574 3575 fg = ipf_findgroup(softc, group, unit, set, &fgp); 3576 if (fg != NULL) { 3577 if (fg->fg_head == NULL && head != NULL) 3578 fg->fg_head = head; 3579 if (fg->fg_flags == 0) 3580 fg->fg_flags = gflags; 3581 else if (gflags != fg->fg_flags) 3582 return NULL; 3583 fg->fg_ref++; 3584 return fg; 3585 } 3586 3587 KMALLOC(fg, frgroup_t *); 3588 if (fg != NULL) { 3589 fg->fg_head = head; 3590 fg->fg_start = NULL; 3591 fg->fg_next = *fgp; 3592 bcopy(group, fg->fg_name, strlen(group) + 1); 3593 fg->fg_flags = gflags; 3594 fg->fg_ref = 1; 3595 fg->fg_set = &softc->ipf_groups[unit][set]; 3596 *fgp = fg; 3597 } 3598 return fg; 3599} 3600 3601 3602/* ------------------------------------------------------------------------ */ 3603/* Function: ipf_group_del */ 3604/* Returns: int - number of rules deleted */ 3605/* Parameters: softc(I) - pointer to soft context main structure */ 3606/* group(I) - group name to delete */ 3607/* fr(I) - filter rule from which group is referenced */ 3608/* Write Locks: ipf_mutex */ 3609/* */ 3610/* This function is called whenever a reference to a group is to be dropped */ 3611/* and thus its reference count needs to be lowered and the group free'd if */ 3612/* the reference count reaches zero. Passing in fr is really for the sole */ 3613/* purpose of knowing when the head rule is being deleted. */ 3614/* ------------------------------------------------------------------------ */ 3615void 3616ipf_group_del(softc, group, fr) 3617 ipf_main_softc_t *softc; 3618 frgroup_t *group; 3619 frentry_t *fr; 3620{ 3621 3622 if (group->fg_head == fr) 3623 group->fg_head = NULL; 3624 3625 group->fg_ref--; 3626 if ((group->fg_ref == 0) && (group->fg_start == NULL)) 3627 ipf_group_free(group); 3628} 3629 3630 3631/* ------------------------------------------------------------------------ */ 3632/* Function: ipf_group_free */ 3633/* Returns: Nil */ 3634/* Parameters: group(I) - pointer to filter rule group */ 3635/* */ 3636/* Remove the group from the list of groups and free it. */ 3637/* ------------------------------------------------------------------------ */ 3638static void 3639ipf_group_free(group) 3640 frgroup_t *group; 3641{ 3642 frgroup_t **gp; 3643 3644 for (gp = group->fg_set; *gp != NULL; gp = &(*gp)->fg_next) { 3645 if (*gp == group) { 3646 *gp = group->fg_next; 3647 break; 3648 } 3649 } 3650 KFREE(group); 3651} 3652 3653 3654/* ------------------------------------------------------------------------ */ 3655/* Function: ipf_group_flush */ 3656/* Returns: int - number of rules flush from group */ 3657/* Parameters: softc(I) - pointer to soft context main structure */ 3658/* Parameters: group(I) - pointer to filter rule group */ 3659/* */ 3660/* Remove all of the rules that currently are listed under the given group. */ 3661/* ------------------------------------------------------------------------ */ 3662static int 3663ipf_group_flush(softc, group) 3664 ipf_main_softc_t *softc; 3665 frgroup_t *group; 3666{ 3667 int gone = 0; 3668 3669 (void) ipf_flushlist(softc, &gone, &group->fg_start); 3670 3671 return gone; 3672} 3673 3674 3675/* ------------------------------------------------------------------------ */ 3676/* Function: ipf_getrulen */ 3677/* Returns: frentry_t * - NULL == not found, else pointer to rule n */ 3678/* Parameters: softc(I) - pointer to soft context main structure */ 3679/* Parameters: unit(I) - device for which to count the rule's number */ 3680/* flags(I) - which set of rules to find the rule in */ 3681/* group(I) - group name */ 3682/* n(I) - rule number to find */ 3683/* */ 3684/* Find rule # n in group # g and return a pointer to it. Return NULl if */ 3685/* group # g doesn't exist or there are less than n rules in the group. */ 3686/* ------------------------------------------------------------------------ */ 3687frentry_t * 3688ipf_getrulen(softc, unit, group, n) 3689 ipf_main_softc_t *softc; 3690 int unit; 3691 char *group; 3692 u_32_t n; 3693{ 3694 frentry_t *fr; 3695 frgroup_t *fg; 3696 3697 fg = ipf_findgroup(softc, group, unit, softc->ipf_active, NULL); 3698 if (fg == NULL) 3699 return NULL; 3700 for (fr = fg->fg_start; fr && n; fr = fr->fr_next, n--) 3701 ; 3702 if (n != 0) 3703 return NULL; 3704 return fr; 3705} 3706 3707 3708/* ------------------------------------------------------------------------ */ 3709/* Function: ipf_flushlist */ 3710/* Returns: int - >= 0 - number of flushed rules */ 3711/* Parameters: softc(I) - pointer to soft context main structure */ 3712/* nfreedp(O) - pointer to int where flush count is stored */ 3713/* listp(I) - pointer to list to flush pointer */ 3714/* Write Locks: ipf_mutex */ 3715/* */ 3716/* Recursively flush rules from the list, descending groups as they are */ 3717/* encountered. if a rule is the head of a group and it has lost all its */ 3718/* group members, then also delete the group reference. nfreedp is needed */ 3719/* to store the accumulating count of rules removed, whereas the returned */ 3720/* value is just the number removed from the current list. The latter is */ 3721/* needed to correctly adjust reference counts on rules that define groups. */ 3722/* */ 3723/* NOTE: Rules not loaded from user space cannot be flushed. */ 3724/* ------------------------------------------------------------------------ */ 3725static int 3726ipf_flushlist(softc, nfreedp, listp) 3727 ipf_main_softc_t *softc; 3728 int *nfreedp; 3729 frentry_t **listp; 3730{ 3731 int freed = 0; 3732 frentry_t *fp; 3733 3734 while ((fp = *listp) != NULL) { 3735 if ((fp->fr_type & FR_T_BUILTIN) || 3736 !(fp->fr_flags & FR_COPIED)) { 3737 listp = &fp->fr_next; 3738 continue; 3739 } 3740 *listp = fp->fr_next; 3741 if (fp->fr_next != NULL) 3742 fp->fr_next->fr_pnext = fp->fr_pnext; 3743 fp->fr_pnext = NULL; 3744 3745 if (fp->fr_grphead != NULL) { 3746 freed += ipf_group_flush(softc, fp->fr_grphead); 3747 fp->fr_names[fp->fr_grhead] = '\0'; 3748 } 3749 3750 if (fp->fr_icmpgrp != NULL) { 3751 freed += ipf_group_flush(softc, fp->fr_icmpgrp); 3752 fp->fr_names[fp->fr_icmphead] = '\0'; 3753 } 3754 3755 if (fp->fr_srctrack.ht_max_nodes) 3756 ipf_rb_ht_flush(&fp->fr_srctrack); 3757 3758 fp->fr_next = NULL; 3759 3760 ASSERT(fp->fr_ref > 0); 3761 if (ipf_derefrule(softc, &fp) == 0) 3762 freed++; 3763 } 3764 *nfreedp += freed; 3765 return freed; 3766} 3767 3768 3769/* ------------------------------------------------------------------------ */ 3770/* Function: ipf_flush */ 3771/* Returns: int - >= 0 - number of flushed rules */ 3772/* Parameters: softc(I) - pointer to soft context main structure */ 3773/* unit(I) - device for which to flush rules */ 3774/* flags(I) - which set of rules to flush */ 3775/* */ 3776/* Calls flushlist() for all filter rules (accounting, firewall - both IPv4 */ 3777/* and IPv6) as defined by the value of flags. */ 3778/* ------------------------------------------------------------------------ */ 3779int 3780ipf_flush(softc, unit, flags) 3781 ipf_main_softc_t *softc; 3782 minor_t unit; 3783 int flags; 3784{ 3785 int flushed = 0, set; 3786 3787 WRITE_ENTER(&softc->ipf_mutex); 3788 3789 set = softc->ipf_active; 3790 if ((flags & FR_INACTIVE) == FR_INACTIVE) 3791 set = 1 - set; 3792 3793 if (flags & FR_OUTQUE) { 3794 ipf_flushlist(softc, &flushed, &softc->ipf_rules[1][set]); 3795 ipf_flushlist(softc, &flushed, &softc->ipf_acct[1][set]); 3796 } 3797 if (flags & FR_INQUE) { 3798 ipf_flushlist(softc, &flushed, &softc->ipf_rules[0][set]); 3799 ipf_flushlist(softc, &flushed, &softc->ipf_acct[0][set]); 3800 } 3801 3802 flushed += ipf_flush_groups(softc, &softc->ipf_groups[unit][set], 3803 flags & (FR_INQUE|FR_OUTQUE)); 3804 3805 RWLOCK_EXIT(&softc->ipf_mutex); 3806 3807 if (unit == IPL_LOGIPF) { 3808 int tmp; 3809 3810 tmp = ipf_flush(softc, IPL_LOGCOUNT, flags); 3811 if (tmp >= 0) 3812 flushed += tmp; 3813 } 3814 return flushed; 3815} 3816 3817 3818/* ------------------------------------------------------------------------ */ 3819/* Function: ipf_flush_groups */ 3820/* Returns: int - >= 0 - number of flushed rules */ 3821/* Parameters: softc(I) - soft context pointerto work with */ 3822/* grhead(I) - pointer to the start of the group list to flush */ 3823/* flags(I) - which set of rules to flush */ 3824/* */ 3825/* Walk through all of the groups under the given group head and remove all */ 3826/* of those that match the flags passed in. The for loop here is bit more */ 3827/* complicated than usual because the removal of a rule with ipf_derefrule */ 3828/* may end up removing not only the structure pointed to by "fg" but also */ 3829/* what is fg_next and fg_next after that. So if a filter rule is actually */ 3830/* removed from the group then it is necessary to start again. */ 3831/* ------------------------------------------------------------------------ */ 3832static int 3833ipf_flush_groups(softc, grhead, flags) 3834 ipf_main_softc_t *softc; 3835 frgroup_t **grhead; 3836 int flags; 3837{ 3838 frentry_t *fr, **frp; 3839 frgroup_t *fg, **fgp; 3840 int flushed = 0; 3841 int removed = 0; 3842 3843 for (fgp = grhead; (fg = *fgp) != NULL; ) { 3844 while ((fg != NULL) && ((fg->fg_flags & flags) == 0)) 3845 fg = fg->fg_next; 3846 if (fg == NULL) 3847 break; 3848 removed = 0; 3849 frp = &fg->fg_start; 3850 while ((removed == 0) && ((fr = *frp) != NULL)) { 3851 if ((fr->fr_flags & flags) == 0) { 3852 frp = &fr->fr_next; 3853 } else { 3854 if (fr->fr_next != NULL) 3855 fr->fr_next->fr_pnext = fr->fr_pnext; 3856 *frp = fr->fr_next; 3857 fr->fr_pnext = NULL; 3858 fr->fr_next = NULL; 3859 (void) ipf_derefrule(softc, &fr); 3860 flushed++; 3861 removed++; 3862 } 3863 } 3864 if (removed == 0) 3865 fgp = &fg->fg_next; 3866 } 3867 return flushed; 3868} 3869 3870 3871/* ------------------------------------------------------------------------ */ 3872/* Function: memstr */ 3873/* Returns: char * - NULL if failed, != NULL pointer to matching bytes */ 3874/* Parameters: src(I) - pointer to byte sequence to match */ 3875/* dst(I) - pointer to byte sequence to search */ 3876/* slen(I) - match length */ 3877/* dlen(I) - length available to search in */ 3878/* */ 3879/* Search dst for a sequence of bytes matching those at src and extend for */ 3880/* slen bytes. */ 3881/* ------------------------------------------------------------------------ */ 3882char * 3883memstr(src, dst, slen, dlen) 3884 const char *src; 3885 char *dst; 3886 size_t slen, dlen; 3887{ 3888 char *s = NULL; 3889 3890 while (dlen >= slen) { 3891 if (bcmp(src, dst, slen) == 0) { 3892 s = dst; 3893 break; 3894 } 3895 dst++; 3896 dlen--; 3897 } 3898 return s; 3899} 3900/* ------------------------------------------------------------------------ */ 3901/* Function: ipf_fixskip */ 3902/* Returns: Nil */ 3903/* Parameters: listp(IO) - pointer to start of list with skip rule */ 3904/* rp(I) - rule added/removed with skip in it. */ 3905/* addremove(I) - adjustment (-1/+1) to make to skip count, */ 3906/* depending on whether a rule was just added */ 3907/* or removed. */ 3908/* */ 3909/* Adjust all the rules in a list which would have skip'd past the position */ 3910/* where we are inserting to skip to the right place given the change. */ 3911/* ------------------------------------------------------------------------ */ 3912void 3913ipf_fixskip(listp, rp, addremove) 3914 frentry_t **listp, *rp; 3915 int addremove; 3916{ 3917 int rules, rn; 3918 frentry_t *fp; 3919 3920 rules = 0; 3921 for (fp = *listp; (fp != NULL) && (fp != rp); fp = fp->fr_next) 3922 rules++; 3923 3924 if (!fp) 3925 return; 3926 3927 for (rn = 0, fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++) 3928 if (FR_ISSKIP(fp->fr_flags) && (rn + fp->fr_arg >= rules)) 3929 fp->fr_arg += addremove; 3930} 3931 3932 3933#ifdef _KERNEL 3934/* ------------------------------------------------------------------------ */ 3935/* Function: count4bits */ 3936/* Returns: int - >= 0 - number of consecutive bits in input */ 3937/* Parameters: ip(I) - 32bit IP address */ 3938/* */ 3939/* IPv4 ONLY */ 3940/* count consecutive 1's in bit mask. If the mask generated by counting */ 3941/* consecutive 1's is different to that passed, return -1, else return # */ 3942/* of bits. */ 3943/* ------------------------------------------------------------------------ */ 3944int 3945count4bits(ip) 3946 u_32_t ip; 3947{ 3948 u_32_t ipn; 3949 int cnt = 0, i, j; 3950 3951 ip = ipn = ntohl(ip); 3952 for (i = 32; i; i--, ipn *= 2) 3953 if (ipn & 0x80000000) 3954 cnt++; 3955 else 3956 break; 3957 ipn = 0; 3958 for (i = 32, j = cnt; i; i--, j--) { 3959 ipn *= 2; 3960 if (j > 0) 3961 ipn++; 3962 } 3963 if (ipn == ip) 3964 return cnt; 3965 return -1; 3966} 3967 3968 3969/* ------------------------------------------------------------------------ */ 3970/* Function: count6bits */ 3971/* Returns: int - >= 0 - number of consecutive bits in input */ 3972/* Parameters: msk(I) - pointer to start of IPv6 bitmask */ 3973/* */ 3974/* IPv6 ONLY */ 3975/* count consecutive 1's in bit mask. */ 3976/* ------------------------------------------------------------------------ */ 3977# ifdef USE_INET6 3978int 3979count6bits(msk) 3980 u_32_t *msk; 3981{ 3982 int i = 0, k; 3983 u_32_t j; 3984 3985 for (k = 3; k >= 0; k--) 3986 if (msk[k] == 0xffffffff) 3987 i += 32; 3988 else { 3989 for (j = msk[k]; j; j <<= 1) 3990 if (j & 0x80000000) 3991 i++; 3992 } 3993 return i; 3994} 3995# endif 3996#endif /* _KERNEL */ 3997 3998 3999/* ------------------------------------------------------------------------ */ 4000/* Function: ipf_synclist */ 4001/* Returns: int - 0 = no failures, else indication of first failure */ 4002/* Parameters: fr(I) - start of filter list to sync interface names for */ 4003/* ifp(I) - interface pointer for limiting sync lookups */ 4004/* Write Locks: ipf_mutex */ 4005/* */ 4006/* Walk through a list of filter rules and resolve any interface names into */ 4007/* pointers. Where dynamic addresses are used, also update the IP address */ 4008/* used in the rule. The interface pointer is used to limit the lookups to */ 4009/* a specific set of matching names if it is non-NULL. */ 4010/* Errors can occur when resolving the destination name of to/dup-to fields */ 4011/* when the name points to a pool and that pool doest not exist. If this */ 4012/* does happen then it is necessary to check if there are any lookup refs */ 4013/* that need to be dropped before returning with an error. */ 4014/* ------------------------------------------------------------------------ */ 4015static int 4016ipf_synclist(softc, fr, ifp) 4017 ipf_main_softc_t *softc; 4018 frentry_t *fr; 4019 void *ifp; 4020{ 4021 frentry_t *frt, *start = fr; 4022 frdest_t *fdp; 4023 char *name; 4024 int error; 4025 void *ifa; 4026 int v, i; 4027 4028 error = 0; 4029 4030 for (; fr; fr = fr->fr_next) { 4031 if (fr->fr_family == AF_INET) 4032 v = 4; 4033 else if (fr->fr_family == AF_INET6) 4034 v = 6; 4035 else 4036 v = 0; 4037 4038 /* 4039 * Lookup all the interface names that are part of the rule. 4040 */ 4041 for (i = 0; i < 4; i++) { 4042 if ((ifp != NULL) && (fr->fr_ifas[i] != ifp)) 4043 continue; 4044 if (fr->fr_ifnames[i] == -1) 4045 continue; 4046 name = FR_NAME(fr, fr_ifnames[i]); 4047 fr->fr_ifas[i] = ipf_resolvenic(softc, name, v); 4048 } 4049 4050 if ((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) { 4051 if (fr->fr_satype != FRI_NORMAL && 4052 fr->fr_satype != FRI_LOOKUP) { 4053 ifa = ipf_resolvenic(softc, fr->fr_names + 4054 fr->fr_sifpidx, v); 4055 ipf_ifpaddr(softc, v, fr->fr_satype, ifa, 4056 &fr->fr_src6, &fr->fr_smsk6); 4057 } 4058 if (fr->fr_datype != FRI_NORMAL && 4059 fr->fr_datype != FRI_LOOKUP) { 4060 ifa = ipf_resolvenic(softc, fr->fr_names + 4061 fr->fr_sifpidx, v); 4062 ipf_ifpaddr(softc, v, fr->fr_datype, ifa, 4063 &fr->fr_dst6, &fr->fr_dmsk6); 4064 } 4065 } 4066 4067 fdp = &fr->fr_tifs[0]; 4068 if ((ifp == NULL) || (fdp->fd_ptr == ifp)) { 4069 error = ipf_resolvedest(softc, fr->fr_names, fdp, v); 4070 if (error != 0) 4071 goto unwind; 4072 } 4073 4074 fdp = &fr->fr_tifs[1]; 4075 if ((ifp == NULL) || (fdp->fd_ptr == ifp)) { 4076 error = ipf_resolvedest(softc, fr->fr_names, fdp, v); 4077 if (error != 0) 4078 goto unwind; 4079 } 4080 4081 fdp = &fr->fr_dif; 4082 if ((ifp == NULL) || (fdp->fd_ptr == ifp)) { 4083 error = ipf_resolvedest(softc, fr->fr_names, fdp, v); 4084 if (error != 0) 4085 goto unwind; 4086 } 4087 4088 if (((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) && 4089 (fr->fr_satype == FRI_LOOKUP) && (fr->fr_srcptr == NULL)) { 4090 fr->fr_srcptr = ipf_lookup_res_num(softc, 4091 fr->fr_srctype, 4092 IPL_LOGIPF, 4093 fr->fr_srcnum, 4094 &fr->fr_srcfunc); 4095 } 4096 if (((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) && 4097 (fr->fr_datype == FRI_LOOKUP) && (fr->fr_dstptr == NULL)) { 4098 fr->fr_dstptr = ipf_lookup_res_num(softc, 4099 fr->fr_dsttype, 4100 IPL_LOGIPF, 4101 fr->fr_dstnum, 4102 &fr->fr_dstfunc); 4103 } 4104 } 4105 return 0; 4106 4107unwind: 4108 for (frt = start; frt != fr; fr = fr->fr_next) { 4109 if (((frt->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) && 4110 (frt->fr_satype == FRI_LOOKUP) && (frt->fr_srcptr != NULL)) 4111 ipf_lookup_deref(softc, frt->fr_srctype, 4112 frt->fr_srcptr); 4113 if (((frt->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) && 4114 (frt->fr_datype == FRI_LOOKUP) && (frt->fr_dstptr != NULL)) 4115 ipf_lookup_deref(softc, frt->fr_dsttype, 4116 frt->fr_dstptr); 4117 } 4118 return error; 4119} 4120 4121 4122/* ------------------------------------------------------------------------ */ 4123/* Function: ipf_sync */ 4124/* Returns: void */ 4125/* Parameters: Nil */ 4126/* */ 4127/* ipf_sync() is called when we suspect that the interface list or */ 4128/* information about interfaces (like IP#) has changed. Go through all */ 4129/* filter rules, NAT entries and the state table and check if anything */ 4130/* needs to be changed/updated. */ 4131/* ------------------------------------------------------------------------ */ 4132int 4133ipf_sync(softc, ifp) 4134 ipf_main_softc_t *softc; 4135 void *ifp; 4136{ 4137 int i; 4138 4139# if !SOLARIS 4140 ipf_nat_sync(softc, ifp); 4141 ipf_state_sync(softc, ifp); 4142 ipf_lookup_sync(softc, ifp); 4143# endif 4144 4145 WRITE_ENTER(&softc->ipf_mutex); 4146 (void) ipf_synclist(softc, softc->ipf_acct[0][softc->ipf_active], ifp); 4147 (void) ipf_synclist(softc, softc->ipf_acct[1][softc->ipf_active], ifp); 4148 (void) ipf_synclist(softc, softc->ipf_rules[0][softc->ipf_active], ifp); 4149 (void) ipf_synclist(softc, softc->ipf_rules[1][softc->ipf_active], ifp); 4150 4151 for (i = 0; i < IPL_LOGSIZE; i++) { 4152 frgroup_t *g; 4153 4154 for (g = softc->ipf_groups[i][0]; g != NULL; g = g->fg_next) 4155 (void) ipf_synclist(softc, g->fg_start, ifp); 4156 for (g = softc->ipf_groups[i][1]; g != NULL; g = g->fg_next) 4157 (void) ipf_synclist(softc, g->fg_start, ifp); 4158 } 4159 RWLOCK_EXIT(&softc->ipf_mutex); 4160 4161 return 0; 4162} 4163 4164 4165/* 4166 * In the functions below, bcopy() is called because the pointer being 4167 * copied _from_ in this instance is a pointer to a char buf (which could 4168 * end up being unaligned) and on the kernel's local stack. 4169 */ 4170/* ------------------------------------------------------------------------ */ 4171/* Function: copyinptr */ 4172/* Returns: int - 0 = success, else failure */ 4173/* Parameters: src(I) - pointer to the source address */ 4174/* dst(I) - destination address */ 4175/* size(I) - number of bytes to copy */ 4176/* */ 4177/* Copy a block of data in from user space, given a pointer to the pointer */ 4178/* to start copying from (src) and a pointer to where to store it (dst). */ 4179/* NB: src - pointer to user space pointer, dst - kernel space pointer */ 4180/* ------------------------------------------------------------------------ */ 4181int 4182copyinptr(softc, src, dst, size) 4183 ipf_main_softc_t *softc; 4184 void *src, *dst; 4185 size_t size; 4186{ 4187 caddr_t ca; 4188 int error; 4189 4190# if SOLARIS 4191 error = COPYIN(src, &ca, sizeof(ca)); 4192 if (error != 0) 4193 return error; 4194# else 4195 bcopy(src, (caddr_t)&ca, sizeof(ca)); 4196# endif 4197 error = COPYIN(ca, dst, size); 4198 if (error != 0) { 4199 IPFERROR(3); 4200 error = EFAULT; 4201 } 4202 return error; 4203} 4204 4205 4206/* ------------------------------------------------------------------------ */ 4207/* Function: copyoutptr */ 4208/* Returns: int - 0 = success, else failure */ 4209/* Parameters: src(I) - pointer to the source address */ 4210/* dst(I) - destination address */ 4211/* size(I) - number of bytes to copy */ 4212/* */ 4213/* Copy a block of data out to user space, given a pointer to the pointer */ 4214/* to start copying from (src) and a pointer to where to store it (dst). */ 4215/* NB: src - kernel space pointer, dst - pointer to user space pointer. */ 4216/* ------------------------------------------------------------------------ */ 4217int 4218copyoutptr(softc, src, dst, size) 4219 ipf_main_softc_t *softc; 4220 void *src, *dst; 4221 size_t size; 4222{ 4223 caddr_t ca; 4224 int error; 4225 4226 bcopy(dst, (caddr_t)&ca, sizeof(ca)); 4227 error = COPYOUT(src, ca, size); 4228 if (error != 0) { 4229 IPFERROR(4); 4230 error = EFAULT; 4231 } 4232 return error; 4233} 4234#ifdef _KERNEL 4235#endif 4236 4237 4238/* ------------------------------------------------------------------------ */ 4239/* Function: ipf_lock */ 4240/* Returns: int - 0 = success, else error */ 4241/* Parameters: data(I) - pointer to lock value to set */ 4242/* lockp(O) - pointer to location to store old lock value */ 4243/* */ 4244/* Get the new value for the lock integer, set it and return the old value */ 4245/* in *lockp. */ 4246/* ------------------------------------------------------------------------ */ 4247int 4248ipf_lock(data, lockp) 4249 caddr_t data; 4250 int *lockp; 4251{ 4252 int arg, err; 4253 4254 err = BCOPYIN(data, &arg, sizeof(arg)); 4255 if (err != 0) 4256 return EFAULT; 4257 err = BCOPYOUT(lockp, data, sizeof(*lockp)); 4258 if (err != 0) 4259 return EFAULT; 4260 *lockp = arg; 4261 return 0; 4262} 4263 4264 4265/* ------------------------------------------------------------------------ */ 4266/* Function: ipf_getstat */ 4267/* Returns: Nil */ 4268/* Parameters: softc(I) - pointer to soft context main structure */ 4269/* fiop(I) - pointer to ipfilter stats structure */ 4270/* rev(I) - version claim by program doing ioctl */ 4271/* */ 4272/* Stores a copy of current pointers, counters, etc, in the friostat */ 4273/* structure. */ 4274/* If IPFILTER_COMPAT is compiled, we pretend to be whatever version the */ 4275/* program is looking for. This ensure that validation of the version it */ 4276/* expects will always succeed. Thus kernels with IPFILTER_COMPAT will */ 4277/* allow older binaries to work but kernels without it will not. */ 4278/* ------------------------------------------------------------------------ */ 4279/*ARGSUSED*/ 4280static void 4281ipf_getstat(softc, fiop, rev) 4282 ipf_main_softc_t *softc; 4283 friostat_t *fiop; 4284 int rev; 4285{ 4286 int i; 4287 4288 bcopy((char *)softc->ipf_stats, (char *)fiop->f_st, 4289 sizeof(ipf_statistics_t) * 2); 4290 fiop->f_locks[IPL_LOGSTATE] = -1; 4291 fiop->f_locks[IPL_LOGNAT] = -1; 4292 fiop->f_locks[IPL_LOGIPF] = -1; 4293 fiop->f_locks[IPL_LOGAUTH] = -1; 4294 4295 fiop->f_ipf[0][0] = softc->ipf_rules[0][0]; 4296 fiop->f_acct[0][0] = softc->ipf_acct[0][0]; 4297 fiop->f_ipf[0][1] = softc->ipf_rules[0][1]; 4298 fiop->f_acct[0][1] = softc->ipf_acct[0][1]; 4299 fiop->f_ipf[1][0] = softc->ipf_rules[1][0]; 4300 fiop->f_acct[1][0] = softc->ipf_acct[1][0]; 4301 fiop->f_ipf[1][1] = softc->ipf_rules[1][1]; 4302 fiop->f_acct[1][1] = softc->ipf_acct[1][1]; 4303 4304 fiop->f_ticks = softc->ipf_ticks; 4305 fiop->f_active = softc->ipf_active; 4306 fiop->f_froute[0] = softc->ipf_frouteok[0]; 4307 fiop->f_froute[1] = softc->ipf_frouteok[1]; 4308 fiop->f_rb_no_mem = softc->ipf_rb_no_mem; 4309 fiop->f_rb_node_max = softc->ipf_rb_node_max; 4310 4311 fiop->f_running = softc->ipf_running; 4312 for (i = 0; i < IPL_LOGSIZE; i++) { 4313 fiop->f_groups[i][0] = softc->ipf_groups[i][0]; 4314 fiop->f_groups[i][1] = softc->ipf_groups[i][1]; 4315 } 4316#ifdef IPFILTER_LOG 4317 fiop->f_log_ok = ipf_log_logok(softc, IPL_LOGIPF); 4318 fiop->f_log_fail = ipf_log_failures(softc, IPL_LOGIPF); 4319 fiop->f_logging = 1; 4320#else 4321 fiop->f_log_ok = 0; 4322 fiop->f_log_fail = 0; 4323 fiop->f_logging = 0; 4324#endif 4325 fiop->f_defpass = softc->ipf_pass; 4326 fiop->f_features = ipf_features; 4327 4328#ifdef IPFILTER_COMPAT 4329 sprintf(fiop->f_version, "IP Filter: v%d.%d.%d", 4330 (rev / 1000000) % 100, 4331 (rev / 10000) % 100, 4332 (rev / 100) % 100); 4333#else 4334 rev = rev; 4335 (void) strncpy(fiop->f_version, ipfilter_version, 4336 sizeof(fiop->f_version)); 4337#endif 4338} 4339 4340 4341#ifdef USE_INET6 4342int icmptoicmp6types[ICMP_MAXTYPE+1] = { 4343 ICMP6_ECHO_REPLY, /* 0: ICMP_ECHOREPLY */ 4344 -1, /* 1: UNUSED */ 4345 -1, /* 2: UNUSED */ 4346 ICMP6_DST_UNREACH, /* 3: ICMP_UNREACH */ 4347 -1, /* 4: ICMP_SOURCEQUENCH */ 4348 ND_REDIRECT, /* 5: ICMP_REDIRECT */ 4349 -1, /* 6: UNUSED */ 4350 -1, /* 7: UNUSED */ 4351 ICMP6_ECHO_REQUEST, /* 8: ICMP_ECHO */ 4352 -1, /* 9: UNUSED */ 4353 -1, /* 10: UNUSED */ 4354 ICMP6_TIME_EXCEEDED, /* 11: ICMP_TIMXCEED */ 4355 ICMP6_PARAM_PROB, /* 12: ICMP_PARAMPROB */ 4356 -1, /* 13: ICMP_TSTAMP */ 4357 -1, /* 14: ICMP_TSTAMPREPLY */ 4358 -1, /* 15: ICMP_IREQ */ 4359 -1, /* 16: ICMP_IREQREPLY */ 4360 -1, /* 17: ICMP_MASKREQ */ 4361 -1, /* 18: ICMP_MASKREPLY */ 4362}; 4363 4364 4365int icmptoicmp6unreach[ICMP_MAX_UNREACH] = { 4366 ICMP6_DST_UNREACH_ADDR, /* 0: ICMP_UNREACH_NET */ 4367 ICMP6_DST_UNREACH_ADDR, /* 1: ICMP_UNREACH_HOST */ 4368 -1, /* 2: ICMP_UNREACH_PROTOCOL */ 4369 ICMP6_DST_UNREACH_NOPORT, /* 3: ICMP_UNREACH_PORT */ 4370 -1, /* 4: ICMP_UNREACH_NEEDFRAG */ 4371 ICMP6_DST_UNREACH_NOTNEIGHBOR, /* 5: ICMP_UNREACH_SRCFAIL */ 4372 ICMP6_DST_UNREACH_ADDR, /* 6: ICMP_UNREACH_NET_UNKNOWN */ 4373 ICMP6_DST_UNREACH_ADDR, /* 7: ICMP_UNREACH_HOST_UNKNOWN */ 4374 -1, /* 8: ICMP_UNREACH_ISOLATED */ 4375 ICMP6_DST_UNREACH_ADMIN, /* 9: ICMP_UNREACH_NET_PROHIB */ 4376 ICMP6_DST_UNREACH_ADMIN, /* 10: ICMP_UNREACH_HOST_PROHIB */ 4377 -1, /* 11: ICMP_UNREACH_TOSNET */ 4378 -1, /* 12: ICMP_UNREACH_TOSHOST */ 4379 ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */ 4380}; 4381int icmpreplytype6[ICMP6_MAXTYPE + 1]; 4382#endif 4383 4384int icmpreplytype4[ICMP_MAXTYPE + 1]; 4385 4386 4387/* ------------------------------------------------------------------------ */ 4388/* Function: ipf_matchicmpqueryreply */ 4389/* Returns: int - 1 if "icmp" is a valid reply to "ic" else 0. */ 4390/* Parameters: v(I) - IP protocol version (4 or 6) */ 4391/* ic(I) - ICMP information */ 4392/* icmp(I) - ICMP packet header */ 4393/* rev(I) - direction (0 = forward/1 = reverse) of packet */ 4394/* */ 4395/* Check if the ICMP packet defined by the header pointed to by icmp is a */ 4396/* reply to one as described by what's in ic. If it is a match, return 1, */ 4397/* else return 0 for no match. */ 4398/* ------------------------------------------------------------------------ */ 4399int 4400ipf_matchicmpqueryreply(v, ic, icmp, rev) 4401 int v; 4402 icmpinfo_t *ic; 4403 icmphdr_t *icmp; 4404 int rev; 4405{ 4406 int ictype; 4407 4408 ictype = ic->ici_type; 4409 4410 if (v == 4) { 4411 /* 4412 * If we matched its type on the way in, then when going out 4413 * it will still be the same type. 4414 */ 4415 if ((!rev && (icmp->icmp_type == ictype)) || 4416 (rev && (icmpreplytype4[ictype] == icmp->icmp_type))) { 4417 if (icmp->icmp_type != ICMP_ECHOREPLY) 4418 return 1; 4419 if (icmp->icmp_id == ic->ici_id) 4420 return 1; 4421 } 4422 } 4423#ifdef USE_INET6 4424 else if (v == 6) { 4425 if ((!rev && (icmp->icmp_type == ictype)) || 4426 (rev && (icmpreplytype6[ictype] == icmp->icmp_type))) { 4427 if (icmp->icmp_type != ICMP6_ECHO_REPLY) 4428 return 1; 4429 if (icmp->icmp_id == ic->ici_id) 4430 return 1; 4431 } 4432 } 4433#endif 4434 return 0; 4435} 4436 4437 4438/* ------------------------------------------------------------------------ */ 4439/* Function: frrequest */ 4440/* Returns: int - 0 == success, > 0 == errno value */ 4441/* Parameters: unit(I) - device for which this is for */ 4442/* req(I) - ioctl command (SIOC*) */ 4443/* data(I) - pointr to ioctl data */ 4444/* set(I) - 1 or 0 (filter set) */ 4445/* makecopy(I) - flag indicating whether data points to a rule */ 4446/* in kernel space & hence doesn't need copying. */ 4447/* */ 4448/* This function handles all the requests which operate on the list of */ 4449/* filter rules. This includes adding, deleting, insertion. It is also */ 4450/* responsible for creating groups when a "head" rule is loaded. Interface */ 4451/* names are resolved here and other sanity checks are made on the content */ 4452/* of the rule structure being loaded. If a rule has user defined timeouts */ 4453/* then make sure they are created and initialised before exiting. */ 4454/* ------------------------------------------------------------------------ */ 4455int 4456frrequest(softc, unit, req, data, set, makecopy) 4457 ipf_main_softc_t *softc; 4458 int unit; 4459 ioctlcmd_t req; 4460 int set, makecopy; 4461 caddr_t data; 4462{ 4463 int error = 0, in, family, addrem, need_free = 0; 4464 frentry_t frd, *fp, *f, **fprev, **ftail; 4465 void *ptr, *uptr, *cptr; 4466 u_int *p, *pp; 4467 frgroup_t *fg; 4468 char *group; 4469 4470 ptr = NULL; 4471 cptr = NULL; 4472 fg = NULL; 4473 fp = &frd; 4474 if (makecopy != 0) { 4475 bzero(fp, sizeof(frd)); 4476 error = ipf_inobj(softc, data, NULL, fp, IPFOBJ_FRENTRY); 4477 if (error) { 4478 return error; 4479 } 4480 if ((fp->fr_type & FR_T_BUILTIN) != 0) { 4481 IPFERROR(6); 4482 return EINVAL; 4483 } 4484 KMALLOCS(f, frentry_t *, fp->fr_size); 4485 if (f == NULL) { 4486 IPFERROR(131); 4487 return ENOMEM; 4488 } 4489 bzero(f, fp->fr_size); 4490 error = ipf_inobjsz(softc, data, f, IPFOBJ_FRENTRY, 4491 fp->fr_size); 4492 if (error) { 4493 KFREES(f, fp->fr_size); 4494 return error; 4495 } 4496 4497 fp = f; 4498 f = NULL; 4499 fp->fr_next = NULL; 4500 fp->fr_dnext = NULL; 4501 fp->fr_pnext = NULL; 4502 fp->fr_pdnext = NULL; 4503 fp->fr_grp = NULL; 4504 fp->fr_grphead = NULL; 4505 fp->fr_icmpgrp = NULL; 4506 fp->fr_isc = (void *)-1; 4507 fp->fr_ptr = NULL; 4508 fp->fr_ref = 0; 4509 fp->fr_flags |= FR_COPIED; 4510 } else { 4511 fp = (frentry_t *)data; 4512 if ((fp->fr_type & FR_T_BUILTIN) == 0) { 4513 IPFERROR(7); 4514 return EINVAL; 4515 } 4516 fp->fr_flags &= ~FR_COPIED; 4517 } 4518 4519 if (((fp->fr_dsize == 0) && (fp->fr_data != NULL)) || 4520 ((fp->fr_dsize != 0) && (fp->fr_data == NULL))) { 4521 IPFERROR(8); 4522 error = EINVAL; 4523 goto donenolock; 4524 } 4525 4526 family = fp->fr_family; 4527 uptr = fp->fr_data; 4528 4529 if (req == (ioctlcmd_t)SIOCINAFR || req == (ioctlcmd_t)SIOCINIFR || 4530 req == (ioctlcmd_t)SIOCADAFR || req == (ioctlcmd_t)SIOCADIFR) 4531 addrem = 0; 4532 else if (req == (ioctlcmd_t)SIOCRMAFR || req == (ioctlcmd_t)SIOCRMIFR) 4533 addrem = 1; 4534 else if (req == (ioctlcmd_t)SIOCZRLST) 4535 addrem = 2; 4536 else { 4537 IPFERROR(9); 4538 error = EINVAL; 4539 goto donenolock; 4540 } 4541 4542 /* 4543 * Only filter rules for IPv4 or IPv6 are accepted. 4544 */ 4545 if (family == AF_INET) { 4546 /*EMPTY*/; 4547#ifdef USE_INET6 4548 } else if (family == AF_INET6) { 4549 /*EMPTY*/; 4550#endif 4551 } else if (family != 0) { 4552 IPFERROR(10); 4553 error = EINVAL; 4554 goto donenolock; 4555 } 4556 4557 /* 4558 * If the rule is being loaded from user space, i.e. we had to copy it 4559 * into kernel space, then do not trust the function pointer in the 4560 * rule. 4561 */ 4562 if ((makecopy == 1) && (fp->fr_func != NULL)) { 4563 if (ipf_findfunc(fp->fr_func) == NULL) { 4564 IPFERROR(11); 4565 error = ESRCH; 4566 goto donenolock; 4567 } 4568 4569 if (addrem == 0) { 4570 error = ipf_funcinit(softc, fp); 4571 if (error != 0) 4572 goto donenolock; 4573 } 4574 } 4575 if ((fp->fr_flags & FR_CALLNOW) && 4576 ((fp->fr_func == NULL) || (fp->fr_func == (ipfunc_t)-1))) { 4577 IPFERROR(142); 4578 error = ESRCH; 4579 goto donenolock; 4580 } 4581 if (((fp->fr_flags & FR_CMDMASK) == FR_CALL) && 4582 ((fp->fr_func == NULL) || (fp->fr_func == (ipfunc_t)-1))) { 4583 IPFERROR(143); 4584 error = ESRCH; 4585 goto donenolock; 4586 } 4587 4588 ptr = NULL; 4589 cptr = NULL; 4590 4591 if (FR_ISACCOUNT(fp->fr_flags)) 4592 unit = IPL_LOGCOUNT; 4593 4594 /* 4595 * Check that each group name in the rule has a start index that 4596 * is valid. 4597 */ 4598 if (fp->fr_icmphead != -1) { 4599 if ((fp->fr_icmphead < 0) || 4600 (fp->fr_icmphead >= fp->fr_namelen)) { 4601 IPFERROR(136); 4602 error = EINVAL; 4603 goto donenolock; 4604 } 4605 if (!strcmp(FR_NAME(fp, fr_icmphead), "0")) 4606 fp->fr_names[fp->fr_icmphead] = '\0'; 4607 } 4608 4609 if (fp->fr_grhead != -1) { 4610 if ((fp->fr_grhead < 0) || 4611 (fp->fr_grhead >= fp->fr_namelen)) { 4612 IPFERROR(137); 4613 error = EINVAL; 4614 goto donenolock; 4615 } 4616 if (!strcmp(FR_NAME(fp, fr_grhead), "0")) 4617 fp->fr_names[fp->fr_grhead] = '\0'; 4618 } 4619 4620 if (fp->fr_group != -1) { 4621 if ((fp->fr_group < 0) || 4622 (fp->fr_group >= fp->fr_namelen)) { 4623 IPFERROR(138); 4624 error = EINVAL; 4625 goto donenolock; 4626 } 4627 if ((req != (int)SIOCZRLST) && (fp->fr_group != -1)) { 4628 /* 4629 * Allow loading rules that are in groups to cause 4630 * them to be created if they don't already exit. 4631 */ 4632 group = FR_NAME(fp, fr_group); 4633 if (addrem == 0) { 4634 fg = ipf_group_add(softc, group, NULL, 4635 fp->fr_flags, unit, set); 4636 fp->fr_grp = fg; 4637 } else { 4638 fg = ipf_findgroup(softc, group, unit, 4639 set, NULL); 4640 if (fg == NULL) { 4641 IPFERROR(12); 4642 error = ESRCH; 4643 goto donenolock; 4644 } 4645 } 4646 4647 if (fg->fg_flags == 0) { 4648 fg->fg_flags = fp->fr_flags & FR_INOUT; 4649 } else if (fg->fg_flags != (fp->fr_flags & FR_INOUT)) { 4650 IPFERROR(13); 4651 error = ESRCH; 4652 goto donenolock; 4653 } 4654 } 4655 } else { 4656 /* 4657 * If a rule is going to be part of a group then it does 4658 * not matter whether it is an in or out rule, but if it 4659 * isn't in a group, then it does... 4660 */ 4661 if ((fp->fr_flags & (FR_INQUE|FR_OUTQUE)) == 0) { 4662 IPFERROR(14); 4663 error = EINVAL; 4664 goto donenolock; 4665 } 4666 } 4667 in = (fp->fr_flags & FR_INQUE) ? 0 : 1; 4668 4669 /* 4670 * Work out which rule list this change is being applied to. 4671 */ 4672 ftail = NULL; 4673 fprev = NULL; 4674 if (unit == IPL_LOGAUTH) { 4675 if ((fp->fr_tifs[0].fd_ptr != NULL) || 4676 (fp->fr_tifs[1].fd_ptr != NULL) || 4677 (fp->fr_dif.fd_ptr != NULL) || 4678 (fp->fr_flags & FR_FASTROUTE)) { 4679 softc->ipf_interror = 145; 4680 error = EINVAL; 4681 goto donenolock; 4682 } 4683 fprev = ipf_auth_rulehead(softc); 4684 } else { 4685 if (FR_ISACCOUNT(fp->fr_flags)) 4686 fprev = &softc->ipf_acct[in][set]; 4687 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0) 4688 fprev = &softc->ipf_rules[in][set]; 4689 } 4690 if (fprev == NULL) { 4691 IPFERROR(15); 4692 error = ESRCH; 4693 goto donenolock; 4694 } 4695 4696 if (fg != NULL) 4697 fprev = &fg->fg_start; 4698 4699 /* 4700 * Copy in extra data for the rule. 4701 */ 4702 if (fp->fr_dsize != 0) { 4703 if (makecopy != 0) { 4704 KMALLOCS(ptr, void *, fp->fr_dsize); 4705 if (ptr == NULL) { 4706 IPFERROR(16); 4707 error = ENOMEM; 4708 goto donenolock; 4709 } 4710 4711 /* 4712 * The bcopy case is for when the data is appended 4713 * to the rule by ipf_in_compat(). 4714 */ 4715 if (uptr >= (void *)fp && 4716 uptr < (void *)((char *)fp + fp->fr_size)) { 4717 bcopy(uptr, ptr, fp->fr_dsize); 4718 error = 0; 4719 } else { 4720 error = COPYIN(uptr, ptr, fp->fr_dsize); 4721 if (error != 0) { 4722 IPFERROR(17); 4723 error = EFAULT; 4724 goto donenolock; 4725 } 4726 } 4727 } else { 4728 ptr = uptr; 4729 } 4730 fp->fr_data = ptr; 4731 } else { 4732 fp->fr_data = NULL; 4733 } 4734 4735 /* 4736 * Perform per-rule type sanity checks of their members. 4737 * All code after this needs to be aware that allocated memory 4738 * may need to be free'd before exiting. 4739 */ 4740 switch (fp->fr_type & ~FR_T_BUILTIN) 4741 { 4742#if defined(IPFILTER_BPF) 4743 case FR_T_BPFOPC : 4744 if (fp->fr_dsize == 0) { 4745 IPFERROR(19); 4746 error = EINVAL; 4747 break; 4748 } 4749 if (!bpf_validate(ptr, fp->fr_dsize/sizeof(struct bpf_insn))) { 4750 IPFERROR(20); 4751 error = EINVAL; 4752 break; 4753 } 4754 break; 4755#endif 4756 case FR_T_IPF : 4757 /* 4758 * Preparation for error case at the bottom of this function. 4759 */ 4760 if (fp->fr_datype == FRI_LOOKUP) 4761 fp->fr_dstptr = NULL; 4762 if (fp->fr_satype == FRI_LOOKUP) 4763 fp->fr_srcptr = NULL; 4764 4765 if (fp->fr_dsize != sizeof(fripf_t)) { 4766 IPFERROR(21); 4767 error = EINVAL; 4768 break; 4769 } 4770 4771 /* 4772 * Allowing a rule with both "keep state" and "with oow" is 4773 * pointless because adding a state entry to the table will 4774 * fail with the out of window (oow) flag set. 4775 */ 4776 if ((fp->fr_flags & FR_KEEPSTATE) && (fp->fr_flx & FI_OOW)) { 4777 IPFERROR(22); 4778 error = EINVAL; 4779 break; 4780 } 4781 4782 switch (fp->fr_satype) 4783 { 4784 case FRI_BROADCAST : 4785 case FRI_DYNAMIC : 4786 case FRI_NETWORK : 4787 case FRI_NETMASKED : 4788 case FRI_PEERADDR : 4789 if (fp->fr_sifpidx < 0) { 4790 IPFERROR(23); 4791 error = EINVAL; 4792 } 4793 break; 4794 case FRI_LOOKUP : 4795 fp->fr_srcptr = ipf_findlookup(softc, unit, fp, 4796 &fp->fr_src6, 4797 &fp->fr_smsk6); 4798 if (fp->fr_srcfunc == NULL) { 4799 IPFERROR(132); 4800 error = ESRCH; 4801 break; 4802 } 4803 break; 4804 case FRI_NORMAL : 4805 break; 4806 default : 4807 IPFERROR(133); 4808 error = EINVAL; 4809 break; 4810 } 4811 if (error != 0) 4812 break; 4813 4814 switch (fp->fr_datype) 4815 { 4816 case FRI_BROADCAST : 4817 case FRI_DYNAMIC : 4818 case FRI_NETWORK : 4819 case FRI_NETMASKED : 4820 case FRI_PEERADDR : 4821 if (fp->fr_difpidx < 0) { 4822 IPFERROR(24); 4823 error = EINVAL; 4824 } 4825 break; 4826 case FRI_LOOKUP : 4827 fp->fr_dstptr = ipf_findlookup(softc, unit, fp, 4828 &fp->fr_dst6, 4829 &fp->fr_dmsk6); 4830 if (fp->fr_dstfunc == NULL) { 4831 IPFERROR(134); 4832 error = ESRCH; 4833 } 4834 break; 4835 case FRI_NORMAL : 4836 break; 4837 default : 4838 IPFERROR(135); 4839 error = EINVAL; 4840 } 4841 break; 4842 4843 case FR_T_NONE : 4844 case FR_T_CALLFUNC : 4845 case FR_T_COMPIPF : 4846 break; 4847 4848 case FR_T_IPFEXPR : 4849 if (ipf_matcharray_verify(fp->fr_data, fp->fr_dsize) == -1) { 4850 IPFERROR(25); 4851 error = EINVAL; 4852 } 4853 break; 4854 4855 default : 4856 IPFERROR(26); 4857 error = EINVAL; 4858 break; 4859 } 4860 if (error != 0) 4861 goto donenolock; 4862 4863 if (fp->fr_tif.fd_name != -1) { 4864 if ((fp->fr_tif.fd_name < 0) || 4865 (fp->fr_tif.fd_name >= fp->fr_namelen)) { 4866 IPFERROR(139); 4867 error = EINVAL; 4868 goto donenolock; 4869 } 4870 } 4871 4872 if (fp->fr_dif.fd_name != -1) { 4873 if ((fp->fr_dif.fd_name < 0) || 4874 (fp->fr_dif.fd_name >= fp->fr_namelen)) { 4875 IPFERROR(140); 4876 error = EINVAL; 4877 goto donenolock; 4878 } 4879 } 4880 4881 if (fp->fr_rif.fd_name != -1) { 4882 if ((fp->fr_rif.fd_name < 0) || 4883 (fp->fr_rif.fd_name >= fp->fr_namelen)) { 4884 IPFERROR(141); 4885 error = EINVAL; 4886 goto donenolock; 4887 } 4888 } 4889 4890 /* 4891 * Lookup all the interface names that are part of the rule. 4892 */ 4893 error = ipf_synclist(softc, fp, NULL); 4894 if (error != 0) 4895 goto donenolock; 4896 fp->fr_statecnt = 0; 4897 if (fp->fr_srctrack.ht_max_nodes != 0) 4898 ipf_rb_ht_init(&fp->fr_srctrack); 4899 4900 /* 4901 * Look for an existing matching filter rule, but don't include the 4902 * next or interface pointer in the comparison (fr_next, fr_ifa). 4903 * This elminates rules which are indentical being loaded. Checksum 4904 * the constant part of the filter rule to make comparisons quicker 4905 * (this meaning no pointers are included). 4906 */ 4907 for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_func, pp = &fp->fr_cksum; 4908 p < pp; p++) 4909 fp->fr_cksum += *p; 4910 pp = (u_int *)(fp->fr_caddr + fp->fr_dsize); 4911 for (p = (u_int *)fp->fr_data; p < pp; p++) 4912 fp->fr_cksum += *p; 4913 4914 WRITE_ENTER(&softc->ipf_mutex); 4915 4916 /* 4917 * Now that the filter rule lists are locked, we can walk the 4918 * chain of them without fear. 4919 */ 4920 ftail = fprev; 4921 for (f = *ftail; (f = *ftail) != NULL; ftail = &f->fr_next) { 4922 if (fp->fr_collect <= f->fr_collect) { 4923 ftail = fprev; 4924 f = NULL; 4925 break; 4926 } 4927 fprev = ftail; 4928 } 4929 4930 for (; (f = *ftail) != NULL; ftail = &f->fr_next) { 4931 DT2(rule_cmp, frentry_t *, fp, frentry_t *, f); 4932 if ((fp->fr_cksum != f->fr_cksum) || 4933 (fp->fr_size != f->fr_size) || 4934 (f->fr_dsize != fp->fr_dsize)) 4935 continue; 4936 if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func, 4937 fp->fr_size - offsetof(struct frentry, fr_func)) != 0) 4938 continue; 4939 if ((!ptr && !f->fr_data) || 4940 (ptr && f->fr_data && 4941 !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize))) 4942 break; 4943 } 4944 4945 /* 4946 * If zero'ing statistics, copy current to caller and zero. 4947 */ 4948 if (addrem == 2) { 4949 if (f == NULL) { 4950 IPFERROR(27); 4951 error = ESRCH; 4952 } else { 4953 /* 4954 * Copy and reduce lock because of impending copyout. 4955 * Well we should, but if we do then the atomicity of 4956 * this call and the correctness of fr_hits and 4957 * fr_bytes cannot be guaranteed. As it is, this code 4958 * only resets them to 0 if they are successfully 4959 * copied out into user space. 4960 */ 4961 bcopy((char *)f, (char *)fp, f->fr_size); 4962 /* MUTEX_DOWNGRADE(&softc->ipf_mutex); */ 4963 4964 /* 4965 * When we copy this rule back out, set the data 4966 * pointer to be what it was in user space. 4967 */ 4968 fp->fr_data = uptr; 4969 error = ipf_outobj(softc, data, fp, IPFOBJ_FRENTRY); 4970 4971 if (error == 0) { 4972 if ((f->fr_dsize != 0) && (uptr != NULL)) 4973 error = COPYOUT(f->fr_data, uptr, 4974 f->fr_dsize); 4975 if (error != 0) { 4976 IPFERROR(28); 4977 error = EFAULT; 4978 } 4979 if (error == 0) { 4980 f->fr_hits = 0; 4981 f->fr_bytes = 0; 4982 } 4983 } 4984 } 4985 4986 if (makecopy != 0) { 4987 if (ptr != NULL) { 4988 KFREES(ptr, fp->fr_dsize); 4989 } 4990 KFREES(fp, fp->fr_size); 4991 } 4992 RWLOCK_EXIT(&softc->ipf_mutex); 4993 return error; 4994 } 4995 4996 if (!f) { 4997 /* 4998 * At the end of this, ftail must point to the place where the 4999 * new rule is to be saved/inserted/added. 5000 * For SIOCAD*FR, this should be the last rule in the group of 5001 * rules that have equal fr_collect fields. 5002 * For SIOCIN*FR, ... 5003 */ 5004 if (req == (ioctlcmd_t)SIOCADAFR || 5005 req == (ioctlcmd_t)SIOCADIFR) { 5006 5007 for (ftail = fprev; (f = *ftail) != NULL; ) { 5008 if (f->fr_collect > fp->fr_collect) 5009 break; 5010 ftail = &f->fr_next; 5011 fprev = ftail; 5012 } 5013 ftail = fprev; 5014 f = NULL; 5015 ptr = NULL; 5016 } else if (req == (ioctlcmd_t)SIOCINAFR || 5017 req == (ioctlcmd_t)SIOCINIFR) { 5018 while ((f = *fprev) != NULL) { 5019 if (f->fr_collect >= fp->fr_collect) 5020 break; 5021 fprev = &f->fr_next; 5022 } 5023 ftail = fprev; 5024 if (fp->fr_hits != 0) { 5025 while (fp->fr_hits && (f = *ftail)) { 5026 if (f->fr_collect != fp->fr_collect) 5027 break; 5028 fprev = ftail; 5029 ftail = &f->fr_next; 5030 fp->fr_hits--; 5031 } 5032 } 5033 f = NULL; 5034 ptr = NULL; 5035 } 5036 } 5037 5038 /* 5039 * Request to remove a rule. 5040 */ 5041 if (addrem == 1) { 5042 if (!f) { 5043 IPFERROR(29); 5044 error = ESRCH; 5045 } else { 5046 /* 5047 * Do not allow activity from user space to interfere 5048 * with rules not loaded that way. 5049 */ 5050 if ((makecopy == 1) && !(f->fr_flags & FR_COPIED)) { 5051 IPFERROR(30); 5052 error = EPERM; 5053 goto done; 5054 } 5055 5056 /* 5057 * Return EBUSY if the rule is being reference by 5058 * something else (eg state information.) 5059 */ 5060 if (f->fr_ref > 1) { 5061 IPFERROR(31); 5062 error = EBUSY; 5063 goto done; 5064 } 5065#ifdef IPFILTER_SCAN 5066 if (f->fr_isctag != -1 && 5067 (f->fr_isc != (struct ipscan *)-1)) 5068 ipf_scan_detachfr(f); 5069#endif 5070 5071 if (unit == IPL_LOGAUTH) { 5072 error = ipf_auth_precmd(softc, req, f, ftail); 5073 goto done; 5074 } 5075 5076 ipf_rule_delete(softc, f, unit, set); 5077 5078 need_free = makecopy; 5079 } 5080 } else { 5081 /* 5082 * Not removing, so we must be adding/inserting a rule. 5083 */ 5084 if (f != NULL) { 5085 IPFERROR(32); 5086 error = EEXIST; 5087 goto done; 5088 } 5089 if (unit == IPL_LOGAUTH) { 5090 error = ipf_auth_precmd(softc, req, fp, ftail); 5091 goto done; 5092 } 5093 5094 MUTEX_NUKE(&fp->fr_lock); 5095 MUTEX_INIT(&fp->fr_lock, "filter rule lock"); 5096 if (fp->fr_die != 0) 5097 ipf_rule_expire_insert(softc, fp, set); 5098 5099 fp->fr_hits = 0; 5100 if (makecopy != 0) 5101 fp->fr_ref = 1; 5102 fp->fr_pnext = ftail; 5103 fp->fr_next = *ftail; 5104 if (fp->fr_next != NULL) 5105 fp->fr_next->fr_pnext = &fp->fr_next; 5106 *ftail = fp; 5107 if (addrem == 0) 5108 ipf_fixskip(ftail, fp, 1); 5109 5110 fp->fr_icmpgrp = NULL; 5111 if (fp->fr_icmphead != -1) { 5112 group = FR_NAME(fp, fr_icmphead); 5113 fg = ipf_group_add(softc, group, fp, 0, unit, set); 5114 fp->fr_icmpgrp = fg; 5115 } 5116 5117 fp->fr_grphead = NULL; 5118 if (fp->fr_grhead != -1) { 5119 group = FR_NAME(fp, fr_grhead); 5120 fg = ipf_group_add(softc, group, fp, fp->fr_flags, 5121 unit, set); 5122 fp->fr_grphead = fg; 5123 } 5124 } 5125done: 5126 RWLOCK_EXIT(&softc->ipf_mutex); 5127donenolock: 5128 if (need_free || (error != 0)) { 5129 if ((fp->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) { 5130 if ((fp->fr_satype == FRI_LOOKUP) && 5131 (fp->fr_srcptr != NULL)) 5132 ipf_lookup_deref(softc, fp->fr_srctype, 5133 fp->fr_srcptr); 5134 if ((fp->fr_datype == FRI_LOOKUP) && 5135 (fp->fr_dstptr != NULL)) 5136 ipf_lookup_deref(softc, fp->fr_dsttype, 5137 fp->fr_dstptr); 5138 } 5139 if (fp->fr_grp != NULL) { 5140 WRITE_ENTER(&softc->ipf_mutex); 5141 ipf_group_del(softc, fp->fr_grp, fp); 5142 RWLOCK_EXIT(&softc->ipf_mutex); 5143 } 5144 if ((ptr != NULL) && (makecopy != 0)) { 5145 KFREES(ptr, fp->fr_dsize); 5146 } 5147 KFREES(fp, fp->fr_size); 5148 } 5149 return (error); 5150} 5151 5152 5153/* ------------------------------------------------------------------------ */ 5154/* Function: ipf_rule_delete */ 5155/* Returns: Nil */ 5156/* Parameters: softc(I) - pointer to soft context main structure */ 5157/* f(I) - pointer to the rule being deleted */ 5158/* ftail(I) - pointer to the pointer to f */ 5159/* unit(I) - device for which this is for */ 5160/* set(I) - 1 or 0 (filter set) */ 5161/* */ 5162/* This function attempts to do what it can to delete a filter rule: remove */ 5163/* it from any linked lists and remove any groups it is responsible for. */ 5164/* But in the end, removing a rule can only drop the reference count - we */ 5165/* must use that as the guide for whether or not it can be freed. */ 5166/* ------------------------------------------------------------------------ */ 5167static void 5168ipf_rule_delete(softc, f, unit, set) 5169 ipf_main_softc_t *softc; 5170 frentry_t *f; 5171 int unit, set; 5172{ 5173 5174 /* 5175 * If fr_pdnext is set, then the rule is on the expire list, so 5176 * remove it from there. 5177 */ 5178 if (f->fr_pdnext != NULL) { 5179 *f->fr_pdnext = f->fr_dnext; 5180 if (f->fr_dnext != NULL) 5181 f->fr_dnext->fr_pdnext = f->fr_pdnext; 5182 f->fr_pdnext = NULL; 5183 f->fr_dnext = NULL; 5184 } 5185 5186 ipf_fixskip(f->fr_pnext, f, -1); 5187 if (f->fr_pnext != NULL) 5188 *f->fr_pnext = f->fr_next; 5189 if (f->fr_next != NULL) 5190 f->fr_next->fr_pnext = f->fr_pnext; 5191 f->fr_pnext = NULL; 5192 f->fr_next = NULL; 5193 5194 (void) ipf_derefrule(softc, &f); 5195} 5196 5197/* ------------------------------------------------------------------------ */ 5198/* Function: ipf_rule_expire_insert */ 5199/* Returns: Nil */ 5200/* Parameters: softc(I) - pointer to soft context main structure */ 5201/* f(I) - pointer to rule to be added to expire list */ 5202/* set(I) - 1 or 0 (filter set) */ 5203/* */ 5204/* If the new rule has a given expiration time, insert it into the list of */ 5205/* expiring rules with the ones to be removed first added to the front of */ 5206/* the list. The insertion is O(n) but it is kept sorted for quick scans at */ 5207/* expiration interval checks. */ 5208/* ------------------------------------------------------------------------ */ 5209static void 5210ipf_rule_expire_insert(softc, f, set) 5211 ipf_main_softc_t *softc; 5212 frentry_t *f; 5213 int set; 5214{ 5215 frentry_t *fr; 5216 5217 /* 5218 */ 5219 5220 f->fr_die = softc->ipf_ticks + IPF_TTLVAL(f->fr_die); 5221 for (fr = softc->ipf_rule_explist[set]; fr != NULL; 5222 fr = fr->fr_dnext) { 5223 if (f->fr_die < fr->fr_die) 5224 break; 5225 if (fr->fr_dnext == NULL) { 5226 /* 5227 * We've got to the last rule and everything 5228 * wanted to be expired before this new node, 5229 * so we have to tack it on the end... 5230 */ 5231 fr->fr_dnext = f; 5232 f->fr_pdnext = &fr->fr_dnext; 5233 fr = NULL; 5234 break; 5235 } 5236 } 5237 5238 if (softc->ipf_rule_explist[set] == NULL) { 5239 softc->ipf_rule_explist[set] = f; 5240 f->fr_pdnext = &softc->ipf_rule_explist[set]; 5241 } else if (fr != NULL) { 5242 f->fr_dnext = fr; 5243 f->fr_pdnext = fr->fr_pdnext; 5244 fr->fr_pdnext = &f->fr_dnext; 5245 } 5246} 5247 5248 5249/* ------------------------------------------------------------------------ */ 5250/* Function: ipf_findlookup */ 5251/* Returns: NULL = failure, else success */ 5252/* Parameters: softc(I) - pointer to soft context main structure */ 5253/* unit(I) - ipf device we want to find match for */ 5254/* fp(I) - rule for which lookup is for */ 5255/* addrp(I) - pointer to lookup information in address struct */ 5256/* maskp(O) - pointer to lookup information for storage */ 5257/* */ 5258/* When using pools and hash tables to store addresses for matching in */ 5259/* rules, it is necessary to resolve both the object referred to by the */ 5260/* name or address (and return that pointer) and also provide the means by */ 5261/* which to determine if an address belongs to that object to make the */ 5262/* packet matching quicker. */ 5263/* ------------------------------------------------------------------------ */ 5264static void * 5265ipf_findlookup(softc, unit, fr, addrp, maskp) 5266 ipf_main_softc_t *softc; 5267 int unit; 5268 frentry_t *fr; 5269 i6addr_t *addrp, *maskp; 5270{ 5271 void *ptr = NULL; 5272 5273 switch (addrp->iplookupsubtype) 5274 { 5275 case 0 : 5276 ptr = ipf_lookup_res_num(softc, unit, addrp->iplookuptype, 5277 addrp->iplookupnum, 5278 &maskp->iplookupfunc); 5279 break; 5280 case 1 : 5281 if (addrp->iplookupname < 0) 5282 break; 5283 if (addrp->iplookupname >= fr->fr_namelen) 5284 break; 5285 ptr = ipf_lookup_res_name(softc, unit, addrp->iplookuptype, 5286 fr->fr_names + addrp->iplookupname, 5287 &maskp->iplookupfunc); 5288 break; 5289 default : 5290 break; 5291 } 5292 5293 return ptr; 5294} 5295 5296 5297/* ------------------------------------------------------------------------ */ 5298/* Function: ipf_funcinit */ 5299/* Returns: int - 0 == success, else ESRCH: cannot resolve rule details */ 5300/* Parameters: softc(I) - pointer to soft context main structure */ 5301/* fr(I) - pointer to filter rule */ 5302/* */ 5303/* If a rule is a call rule, then check if the function it points to needs */ 5304/* an init function to be called now the rule has been loaded. */ 5305/* ------------------------------------------------------------------------ */ 5306static int 5307ipf_funcinit(softc, fr) 5308 ipf_main_softc_t *softc; 5309 frentry_t *fr; 5310{ 5311 ipfunc_resolve_t *ft; 5312 int err; 5313 5314 IPFERROR(34); 5315 err = ESRCH; 5316 5317 for (ft = ipf_availfuncs; ft->ipfu_addr != NULL; ft++) 5318 if (ft->ipfu_addr == fr->fr_func) { 5319 err = 0; 5320 if (ft->ipfu_init != NULL) 5321 err = (*ft->ipfu_init)(softc, fr); 5322 break; 5323 } 5324 return err; 5325} 5326 5327 5328/* ------------------------------------------------------------------------ */ 5329/* Function: ipf_funcfini */ 5330/* Returns: Nil */ 5331/* Parameters: softc(I) - pointer to soft context main structure */ 5332/* fr(I) - pointer to filter rule */ 5333/* */ 5334/* For a given filter rule, call the matching "fini" function if the rule */ 5335/* is using a known function that would have resulted in the "init" being */ 5336/* called for ealier. */ 5337/* ------------------------------------------------------------------------ */ 5338static void 5339ipf_funcfini(softc, fr) 5340 ipf_main_softc_t *softc; 5341 frentry_t *fr; 5342{ 5343 ipfunc_resolve_t *ft; 5344 5345 for (ft = ipf_availfuncs; ft->ipfu_addr != NULL; ft++) 5346 if (ft->ipfu_addr == fr->fr_func) { 5347 if (ft->ipfu_fini != NULL) 5348 (void) (*ft->ipfu_fini)(softc, fr); 5349 break; 5350 } 5351} 5352 5353 5354/* ------------------------------------------------------------------------ */ 5355/* Function: ipf_findfunc */ 5356/* Returns: ipfunc_t - pointer to function if found, else NULL */ 5357/* Parameters: funcptr(I) - function pointer to lookup */ 5358/* */ 5359/* Look for a function in the table of known functions. */ 5360/* ------------------------------------------------------------------------ */ 5361static ipfunc_t 5362ipf_findfunc(funcptr) 5363 ipfunc_t funcptr; 5364{ 5365 ipfunc_resolve_t *ft; 5366 5367 for (ft = ipf_availfuncs; ft->ipfu_addr != NULL; ft++) 5368 if (ft->ipfu_addr == funcptr) 5369 return funcptr; 5370 return NULL; 5371} 5372 5373 5374/* ------------------------------------------------------------------------ */ 5375/* Function: ipf_resolvefunc */ 5376/* Returns: int - 0 == success, else error */ 5377/* Parameters: data(IO) - ioctl data pointer to ipfunc_resolve_t struct */ 5378/* */ 5379/* Copy in a ipfunc_resolve_t structure and then fill in the missing field. */ 5380/* This will either be the function name (if the pointer is set) or the */ 5381/* function pointer if the name is set. When found, fill in the other one */ 5382/* so that the entire, complete, structure can be copied back to user space.*/ 5383/* ------------------------------------------------------------------------ */ 5384int 5385ipf_resolvefunc(softc, data) 5386 ipf_main_softc_t *softc; 5387 void *data; 5388{ 5389 ipfunc_resolve_t res, *ft; 5390 int error; 5391 5392 error = BCOPYIN(data, &res, sizeof(res)); 5393 if (error != 0) { 5394 IPFERROR(123); 5395 return EFAULT; 5396 } 5397 5398 if (res.ipfu_addr == NULL && res.ipfu_name[0] != '\0') { 5399 for (ft = ipf_availfuncs; ft->ipfu_addr != NULL; ft++) 5400 if (strncmp(res.ipfu_name, ft->ipfu_name, 5401 sizeof(res.ipfu_name)) == 0) { 5402 res.ipfu_addr = ft->ipfu_addr; 5403 res.ipfu_init = ft->ipfu_init; 5404 if (COPYOUT(&res, data, sizeof(res)) != 0) { 5405 IPFERROR(35); 5406 return EFAULT; 5407 } 5408 return 0; 5409 } 5410 } 5411 if (res.ipfu_addr != NULL && res.ipfu_name[0] == '\0') { 5412 for (ft = ipf_availfuncs; ft->ipfu_addr != NULL; ft++) 5413 if (ft->ipfu_addr == res.ipfu_addr) { 5414 (void) strncpy(res.ipfu_name, ft->ipfu_name, 5415 sizeof(res.ipfu_name)); 5416 res.ipfu_init = ft->ipfu_init; 5417 if (COPYOUT(&res, data, sizeof(res)) != 0) { 5418 IPFERROR(36); 5419 return EFAULT; 5420 } 5421 return 0; 5422 } 5423 } 5424 IPFERROR(37); 5425 return ESRCH; 5426} 5427 5428 5429#if !defined(_KERNEL) || (!defined(__NetBSD__) && !defined(__OpenBSD__) && \ 5430 !defined(__FreeBSD__)) || \ 5431 FREEBSD_LT_REV(501000) || NETBSD_LT_REV(105000000) || \ 5432 OPENBSD_LT_REV(200006) 5433/* 5434 * From: NetBSD 5435 * ppsratecheck(): packets (or events) per second limitation. 5436 */ 5437int 5438ppsratecheck(lasttime, curpps, maxpps) 5439 struct timeval *lasttime; 5440 int *curpps; 5441 int maxpps; /* maximum pps allowed */ 5442{ 5443 struct timeval tv, delta; 5444 int rv; 5445 5446 GETKTIME(&tv); 5447 5448 delta.tv_sec = tv.tv_sec - lasttime->tv_sec; 5449 delta.tv_usec = tv.tv_usec - lasttime->tv_usec; 5450 if (delta.tv_usec < 0) { 5451 delta.tv_sec--; 5452 delta.tv_usec += 1000000; 5453 } 5454 5455 /* 5456 * check for 0,0 is so that the message will be seen at least once. 5457 * if more than one second have passed since the last update of 5458 * lasttime, reset the counter. 5459 * 5460 * we do increment *curpps even in *curpps < maxpps case, as some may 5461 * try to use *curpps for stat purposes as well. 5462 */ 5463 if ((lasttime->tv_sec == 0 && lasttime->tv_usec == 0) || 5464 delta.tv_sec >= 1) { 5465 *lasttime = tv; 5466 *curpps = 0; 5467 rv = 1; 5468 } else if (maxpps < 0) 5469 rv = 1; 5470 else if (*curpps < maxpps) 5471 rv = 1; 5472 else 5473 rv = 0; 5474 *curpps = *curpps + 1; 5475 5476 return (rv); 5477} 5478#endif 5479 5480 5481/* ------------------------------------------------------------------------ */ 5482/* Function: ipf_derefrule */ 5483/* Returns: int - 0 == rule freed up, else rule not freed */ 5484/* Parameters: fr(I) - pointer to filter rule */ 5485/* */ 5486/* Decrement the reference counter to a rule by one. If it reaches zero, */ 5487/* free it and any associated storage space being used by it. */ 5488/* ------------------------------------------------------------------------ */ 5489int 5490ipf_derefrule(softc, frp) 5491 ipf_main_softc_t *softc; 5492 frentry_t **frp; 5493{ 5494 frentry_t *fr; 5495 frdest_t *fdp; 5496 5497 fr = *frp; 5498 *frp = NULL; 5499 5500 MUTEX_ENTER(&fr->fr_lock); 5501 fr->fr_ref--; 5502 if (fr->fr_ref == 0) { 5503 MUTEX_EXIT(&fr->fr_lock); 5504 MUTEX_DESTROY(&fr->fr_lock); 5505 5506 ipf_funcfini(softc, fr); 5507 5508 fdp = &fr->fr_tif; 5509 if (fdp->fd_type == FRD_DSTLIST) 5510 ipf_lookup_deref(softc, IPLT_DSTLIST, fdp->fd_ptr); 5511 5512 fdp = &fr->fr_rif; 5513 if (fdp->fd_type == FRD_DSTLIST) 5514 ipf_lookup_deref(softc, IPLT_DSTLIST, fdp->fd_ptr); 5515 5516 fdp = &fr->fr_dif; 5517 if (fdp->fd_type == FRD_DSTLIST) 5518 ipf_lookup_deref(softc, IPLT_DSTLIST, fdp->fd_ptr); 5519 5520 if ((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF && 5521 fr->fr_satype == FRI_LOOKUP) 5522 ipf_lookup_deref(softc, fr->fr_srctype, fr->fr_srcptr); 5523 if ((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF && 5524 fr->fr_datype == FRI_LOOKUP) 5525 ipf_lookup_deref(softc, fr->fr_dsttype, fr->fr_dstptr); 5526 5527 if (fr->fr_grp != NULL) 5528 ipf_group_del(softc, fr->fr_grp, fr); 5529 5530 if (fr->fr_grphead != NULL) 5531 ipf_group_del(softc, fr->fr_grphead, fr); 5532 5533 if (fr->fr_icmpgrp != NULL) 5534 ipf_group_del(softc, fr->fr_icmpgrp, fr); 5535 5536 if ((fr->fr_flags & FR_COPIED) != 0) { 5537 if (fr->fr_dsize) { 5538 KFREES(fr->fr_data, fr->fr_dsize); 5539 } 5540 KFREES(fr, fr->fr_size); 5541 return 0; 5542 } 5543 return 1; 5544 } else { 5545 MUTEX_EXIT(&fr->fr_lock); 5546 } 5547 return -1; 5548} 5549 5550 5551/* ------------------------------------------------------------------------ */ 5552/* Function: ipf_grpmapinit */ 5553/* Returns: int - 0 == success, else ESRCH because table entry not found*/ 5554/* Parameters: fr(I) - pointer to rule to find hash table for */ 5555/* */ 5556/* Looks for group hash table fr_arg and stores a pointer to it in fr_ptr. */ 5557/* fr_ptr is later used by ipf_srcgrpmap and ipf_dstgrpmap. */ 5558/* ------------------------------------------------------------------------ */ 5559static int 5560ipf_grpmapinit(softc, fr) 5561 ipf_main_softc_t *softc; 5562 frentry_t *fr; 5563{ 5564 char name[FR_GROUPLEN]; 5565 iphtable_t *iph; 5566 5567#if defined(SNPRINTF) && defined(_KERNEL) 5568 SNPRINTF(name, sizeof(name), "%d", fr->fr_arg); 5569#else 5570 (void) sprintf(name, "%d", fr->fr_arg); 5571#endif 5572 iph = ipf_lookup_find_htable(softc, IPL_LOGIPF, name); 5573 if (iph == NULL) { 5574 IPFERROR(38); 5575 return ESRCH; 5576 } 5577 if ((iph->iph_flags & FR_INOUT) != (fr->fr_flags & FR_INOUT)) { 5578 IPFERROR(39); 5579 return ESRCH; 5580 } 5581 iph->iph_ref++; 5582 fr->fr_ptr = iph; 5583 return 0; 5584} 5585 5586 5587/* ------------------------------------------------------------------------ */ 5588/* Function: ipf_grpmapfini */ 5589/* Returns: int - 0 == success, else ESRCH because table entry not found*/ 5590/* Parameters: softc(I) - pointer to soft context main structure */ 5591/* fr(I) - pointer to rule to release hash table for */ 5592/* */ 5593/* For rules that have had ipf_grpmapinit called, ipf_lookup_deref needs to */ 5594/* be called to undo what ipf_grpmapinit caused to be done. */ 5595/* ------------------------------------------------------------------------ */ 5596static int 5597ipf_grpmapfini(softc, fr) 5598 ipf_main_softc_t *softc; 5599 frentry_t *fr; 5600{ 5601 iphtable_t *iph; 5602 iph = fr->fr_ptr; 5603 if (iph != NULL) 5604 ipf_lookup_deref(softc, IPLT_HASH, iph); 5605 return 0; 5606} 5607 5608 5609/* ------------------------------------------------------------------------ */ 5610/* Function: ipf_srcgrpmap */ 5611/* Returns: frentry_t * - pointer to "new last matching" rule or NULL */ 5612/* Parameters: fin(I) - pointer to packet information */ 5613/* passp(IO) - pointer to current/new filter decision (unused) */ 5614/* */ 5615/* Look for a rule group head in a hash table, using the source address as */ 5616/* the key, and descend into that group and continue matching rules against */ 5617/* the packet. */ 5618/* ------------------------------------------------------------------------ */ 5619frentry_t * 5620ipf_srcgrpmap(fin, passp) 5621 fr_info_t *fin; 5622 u_32_t *passp; 5623{ 5624 frgroup_t *fg; 5625 void *rval; 5626 5627 rval = ipf_iphmfindgroup(fin->fin_main_soft, fin->fin_fr->fr_ptr, 5628 &fin->fin_src); 5629 if (rval == NULL) 5630 return NULL; 5631 5632 fg = rval; 5633 fin->fin_fr = fg->fg_start; 5634 (void) ipf_scanlist(fin, *passp); 5635 return fin->fin_fr; 5636} 5637 5638 5639/* ------------------------------------------------------------------------ */ 5640/* Function: ipf_dstgrpmap */ 5641/* Returns: frentry_t * - pointer to "new last matching" rule or NULL */ 5642/* Parameters: fin(I) - pointer to packet information */ 5643/* passp(IO) - pointer to current/new filter decision (unused) */ 5644/* */ 5645/* Look for a rule group head in a hash table, using the destination */ 5646/* address as the key, and descend into that group and continue matching */ 5647/* rules against the packet. */ 5648/* ------------------------------------------------------------------------ */ 5649frentry_t * 5650ipf_dstgrpmap(fin, passp) 5651 fr_info_t *fin; 5652 u_32_t *passp; 5653{ 5654 frgroup_t *fg; 5655 void *rval; 5656 5657 rval = ipf_iphmfindgroup(fin->fin_main_soft, fin->fin_fr->fr_ptr, 5658 &fin->fin_dst); 5659 if (rval == NULL) 5660 return NULL; 5661 5662 fg = rval; 5663 fin->fin_fr = fg->fg_start; 5664 (void) ipf_scanlist(fin, *passp); 5665 return fin->fin_fr; 5666} 5667 5668/* 5669 * Queue functions 5670 * =============== 5671 * These functions manage objects on queues for efficient timeouts. There 5672 * are a number of system defined queues as well as user defined timeouts. 5673 * It is expected that a lock is held in the domain in which the queue 5674 * belongs (i.e. either state or NAT) when calling any of these functions 5675 * that prevents ipf_freetimeoutqueue() from being called at the same time 5676 * as any other. 5677 */ 5678 5679 5680/* ------------------------------------------------------------------------ */ 5681/* Function: ipf_addtimeoutqueue */ 5682/* Returns: struct ifqtq * - NULL if malloc fails, else pointer to */ 5683/* timeout queue with given interval. */ 5684/* Parameters: parent(I) - pointer to pointer to parent node of this list */ 5685/* of interface queues. */ 5686/* seconds(I) - timeout value in seconds for this queue. */ 5687/* */ 5688/* This routine first looks for a timeout queue that matches the interval */ 5689/* being requested. If it finds one, increments the reference counter and */ 5690/* returns a pointer to it. If none are found, it allocates a new one and */ 5691/* inserts it at the top of the list. */ 5692/* */ 5693/* Locking. */ 5694/* It is assumed that the caller of this function has an appropriate lock */ 5695/* held (exclusively) in the domain that encompases 'parent'. */ 5696/* ------------------------------------------------------------------------ */ 5697ipftq_t * 5698ipf_addtimeoutqueue(softc, parent, seconds) 5699 ipf_main_softc_t *softc; 5700 ipftq_t **parent; 5701 u_int seconds; 5702{ 5703 ipftq_t *ifq; 5704 u_int period; 5705 5706 period = seconds * IPF_HZ_DIVIDE; 5707 5708 MUTEX_ENTER(&softc->ipf_timeoutlock); 5709 for (ifq = *parent; ifq != NULL; ifq = ifq->ifq_next) { 5710 if (ifq->ifq_ttl == period) { 5711 /* 5712 * Reset the delete flag, if set, so the structure 5713 * gets reused rather than freed and reallocated. 5714 */ 5715 MUTEX_ENTER(&ifq->ifq_lock); 5716 ifq->ifq_flags &= ~IFQF_DELETE; 5717 ifq->ifq_ref++; 5718 MUTEX_EXIT(&ifq->ifq_lock); 5719 MUTEX_EXIT(&softc->ipf_timeoutlock); 5720 5721 return ifq; 5722 } 5723 } 5724 5725 KMALLOC(ifq, ipftq_t *); 5726 if (ifq != NULL) { 5727 MUTEX_NUKE(&ifq->ifq_lock); 5728 IPFTQ_INIT(ifq, period, "ipftq mutex"); 5729 ifq->ifq_next = *parent; 5730 ifq->ifq_pnext = parent; 5731 ifq->ifq_flags = IFQF_USER; 5732 ifq->ifq_ref++; 5733 *parent = ifq; 5734 softc->ipf_userifqs++; 5735 } 5736 MUTEX_EXIT(&softc->ipf_timeoutlock); 5737 return ifq; 5738} 5739 5740 5741/* ------------------------------------------------------------------------ */ 5742/* Function: ipf_deletetimeoutqueue */ 5743/* Returns: int - new reference count value of the timeout queue */ 5744/* Parameters: ifq(I) - timeout queue which is losing a reference. */ 5745/* Locks: ifq->ifq_lock */ 5746/* */ 5747/* This routine must be called when we're discarding a pointer to a timeout */ 5748/* queue object, taking care of the reference counter. */ 5749/* */ 5750/* Now that this just sets a DELETE flag, it requires the expire code to */ 5751/* check the list of user defined timeout queues and call the free function */ 5752/* below (currently commented out) to stop memory leaking. It is done this */ 5753/* way because the locking may not be sufficient to safely do a free when */ 5754/* this function is called. */ 5755/* ------------------------------------------------------------------------ */ 5756int 5757ipf_deletetimeoutqueue(ifq) 5758 ipftq_t *ifq; 5759{ 5760 5761 ifq->ifq_ref--; 5762 if ((ifq->ifq_ref == 0) && ((ifq->ifq_flags & IFQF_USER) != 0)) { 5763 ifq->ifq_flags |= IFQF_DELETE; 5764 } 5765 5766 return ifq->ifq_ref; 5767} 5768 5769 5770/* ------------------------------------------------------------------------ */ 5771/* Function: ipf_freetimeoutqueue */ 5772/* Parameters: ifq(I) - timeout queue which is losing a reference. */ 5773/* Returns: Nil */ 5774/* */ 5775/* Locking: */ 5776/* It is assumed that the caller of this function has an appropriate lock */ 5777/* held (exclusively) in the domain that encompases the callers "domain". */ 5778/* The ifq_lock for this structure should not be held. */ 5779/* */ 5780/* Remove a user defined timeout queue from the list of queues it is in and */ 5781/* tidy up after this is done. */ 5782/* ------------------------------------------------------------------------ */ 5783void 5784ipf_freetimeoutqueue(softc, ifq) 5785 ipf_main_softc_t *softc; 5786 ipftq_t *ifq; 5787{ 5788 5789 if (((ifq->ifq_flags & IFQF_DELETE) == 0) || (ifq->ifq_ref != 0) || 5790 ((ifq->ifq_flags & IFQF_USER) == 0)) { 5791 printf("ipf_freetimeoutqueue(%lx) flags 0x%x ttl %d ref %d\n", 5792 (u_long)ifq, ifq->ifq_flags, ifq->ifq_ttl, 5793 ifq->ifq_ref); 5794 return; 5795 } 5796 5797 /* 5798 * Remove from its position in the list. 5799 */ 5800 *ifq->ifq_pnext = ifq->ifq_next; 5801 if (ifq->ifq_next != NULL) 5802 ifq->ifq_next->ifq_pnext = ifq->ifq_pnext; 5803 ifq->ifq_next = NULL; 5804 ifq->ifq_pnext = NULL; 5805 5806 MUTEX_DESTROY(&ifq->ifq_lock); 5807 ATOMIC_DEC(softc->ipf_userifqs); 5808 KFREE(ifq); 5809} 5810 5811 5812/* ------------------------------------------------------------------------ */ 5813/* Function: ipf_deletequeueentry */ 5814/* Returns: Nil */ 5815/* Parameters: tqe(I) - timeout queue entry to delete */ 5816/* */ 5817/* Remove a tail queue entry from its queue and make it an orphan. */ 5818/* ipf_deletetimeoutqueue is called to make sure the reference count on the */ 5819/* queue is correct. We can't, however, call ipf_freetimeoutqueue because */ 5820/* the correct lock(s) may not be held that would make it safe to do so. */ 5821/* ------------------------------------------------------------------------ */ 5822void 5823ipf_deletequeueentry(tqe) 5824 ipftqent_t *tqe; 5825{ 5826 ipftq_t *ifq; 5827 5828 ifq = tqe->tqe_ifq; 5829 5830 MUTEX_ENTER(&ifq->ifq_lock); 5831 5832 if (tqe->tqe_pnext != NULL) { 5833 *tqe->tqe_pnext = tqe->tqe_next; 5834 if (tqe->tqe_next != NULL) 5835 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; 5836 else /* we must be the tail anyway */ 5837 ifq->ifq_tail = tqe->tqe_pnext; 5838 5839 tqe->tqe_pnext = NULL; 5840 tqe->tqe_ifq = NULL; 5841 } 5842 5843 (void) ipf_deletetimeoutqueue(ifq); 5844 ASSERT(ifq->ifq_ref > 0); 5845 5846 MUTEX_EXIT(&ifq->ifq_lock); 5847} 5848 5849 5850/* ------------------------------------------------------------------------ */ 5851/* Function: ipf_queuefront */ 5852/* Returns: Nil */ 5853/* Parameters: tqe(I) - pointer to timeout queue entry */ 5854/* */ 5855/* Move a queue entry to the front of the queue, if it isn't already there. */ 5856/* ------------------------------------------------------------------------ */ 5857void 5858ipf_queuefront(tqe) 5859 ipftqent_t *tqe; 5860{ 5861 ipftq_t *ifq; 5862 5863 ifq = tqe->tqe_ifq; 5864 if (ifq == NULL) 5865 return; 5866 5867 MUTEX_ENTER(&ifq->ifq_lock); 5868 if (ifq->ifq_head != tqe) { 5869 *tqe->tqe_pnext = tqe->tqe_next; 5870 if (tqe->tqe_next) 5871 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; 5872 else 5873 ifq->ifq_tail = tqe->tqe_pnext; 5874 5875 tqe->tqe_next = ifq->ifq_head; 5876 ifq->ifq_head->tqe_pnext = &tqe->tqe_next; 5877 ifq->ifq_head = tqe; 5878 tqe->tqe_pnext = &ifq->ifq_head; 5879 } 5880 MUTEX_EXIT(&ifq->ifq_lock); 5881} 5882 5883 5884/* ------------------------------------------------------------------------ */ 5885/* Function: ipf_queueback */ 5886/* Returns: Nil */ 5887/* Parameters: ticks(I) - ipf tick time to use with this call */ 5888/* tqe(I) - pointer to timeout queue entry */ 5889/* */ 5890/* Move a queue entry to the back of the queue, if it isn't already there. */ 5891/* We use use ticks to calculate the expiration and mark for when we last */ 5892/* touched the structure. */ 5893/* ------------------------------------------------------------------------ */ 5894void 5895ipf_queueback(ticks, tqe) 5896 u_long ticks; 5897 ipftqent_t *tqe; 5898{ 5899 ipftq_t *ifq; 5900 5901 ifq = tqe->tqe_ifq; 5902 if (ifq == NULL) 5903 return; 5904 tqe->tqe_die = ticks + ifq->ifq_ttl; 5905 tqe->tqe_touched = ticks; 5906 5907 MUTEX_ENTER(&ifq->ifq_lock); 5908 if (tqe->tqe_next != NULL) { /* at the end already ? */ 5909 /* 5910 * Remove from list 5911 */ 5912 *tqe->tqe_pnext = tqe->tqe_next; 5913 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; 5914 5915 /* 5916 * Make it the last entry. 5917 */ 5918 tqe->tqe_next = NULL; 5919 tqe->tqe_pnext = ifq->ifq_tail; 5920 *ifq->ifq_tail = tqe; 5921 ifq->ifq_tail = &tqe->tqe_next; 5922 } 5923 MUTEX_EXIT(&ifq->ifq_lock); 5924} 5925 5926 5927/* ------------------------------------------------------------------------ */ 5928/* Function: ipf_queueappend */ 5929/* Returns: Nil */ 5930/* Parameters: ticks(I) - ipf tick time to use with this call */ 5931/* tqe(I) - pointer to timeout queue entry */ 5932/* ifq(I) - pointer to timeout queue */ 5933/* parent(I) - owing object pointer */ 5934/* */ 5935/* Add a new item to this queue and put it on the very end. */ 5936/* We use use ticks to calculate the expiration and mark for when we last */ 5937/* touched the structure. */ 5938/* ------------------------------------------------------------------------ */ 5939void 5940ipf_queueappend(ticks, tqe, ifq, parent) 5941 u_long ticks; 5942 ipftqent_t *tqe; 5943 ipftq_t *ifq; 5944 void *parent; 5945{ 5946 5947 MUTEX_ENTER(&ifq->ifq_lock); 5948 tqe->tqe_parent = parent; 5949 tqe->tqe_pnext = ifq->ifq_tail; 5950 *ifq->ifq_tail = tqe; 5951 ifq->ifq_tail = &tqe->tqe_next; 5952 tqe->tqe_next = NULL; 5953 tqe->tqe_ifq = ifq; 5954 tqe->tqe_die = ticks + ifq->ifq_ttl; 5955 tqe->tqe_touched = ticks; 5956 ifq->ifq_ref++; 5957 MUTEX_EXIT(&ifq->ifq_lock); 5958} 5959 5960 5961/* ------------------------------------------------------------------------ */ 5962/* Function: ipf_movequeue */ 5963/* Returns: Nil */ 5964/* Parameters: tq(I) - pointer to timeout queue information */ 5965/* oifp(I) - old timeout queue entry was on */ 5966/* nifp(I) - new timeout queue to put entry on */ 5967/* */ 5968/* Move a queue entry from one timeout queue to another timeout queue. */ 5969/* If it notices that the current entry is already last and does not need */ 5970/* to move queue, the return. */ 5971/* ------------------------------------------------------------------------ */ 5972void 5973ipf_movequeue(ticks, tqe, oifq, nifq) 5974 u_long ticks; 5975 ipftqent_t *tqe; 5976 ipftq_t *oifq, *nifq; 5977{ 5978 5979 /* 5980 * If the queue hasn't changed and we last touched this entry at the 5981 * same ipf time, then we're not going to achieve anything by either 5982 * changing the ttl or moving it on the queue. 5983 */ 5984 if (oifq == nifq && tqe->tqe_touched == ticks) 5985 return; 5986 5987 /* 5988 * For any of this to be outside the lock, there is a risk that two 5989 * packets entering simultaneously, with one changing to a different 5990 * queue and one not, could end up with things in a bizarre state. 5991 */ 5992 MUTEX_ENTER(&oifq->ifq_lock); 5993 5994 tqe->tqe_touched = ticks; 5995 tqe->tqe_die = ticks + nifq->ifq_ttl; 5996 /* 5997 * Is the operation here going to be a no-op ? 5998 */ 5999 if (oifq == nifq) { 6000 if ((tqe->tqe_next == NULL) || 6001 (tqe->tqe_next->tqe_die == tqe->tqe_die)) { 6002 MUTEX_EXIT(&oifq->ifq_lock); 6003 return; 6004 } 6005 } 6006 6007 /* 6008 * Remove from the old queue 6009 */ 6010 *tqe->tqe_pnext = tqe->tqe_next; 6011 if (tqe->tqe_next) 6012 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; 6013 else 6014 oifq->ifq_tail = tqe->tqe_pnext; 6015 tqe->tqe_next = NULL; 6016 6017 /* 6018 * If we're moving from one queue to another, release the 6019 * lock on the old queue and get a lock on the new queue. 6020 * For user defined queues, if we're moving off it, call 6021 * delete in case it can now be freed. 6022 */ 6023 if (oifq != nifq) { 6024 tqe->tqe_ifq = NULL; 6025 6026 (void) ipf_deletetimeoutqueue(oifq); 6027 6028 MUTEX_EXIT(&oifq->ifq_lock); 6029 6030 MUTEX_ENTER(&nifq->ifq_lock); 6031 6032 tqe->tqe_ifq = nifq; 6033 nifq->ifq_ref++; 6034 } 6035 6036 /* 6037 * Add to the bottom of the new queue 6038 */ 6039 tqe->tqe_pnext = nifq->ifq_tail; 6040 *nifq->ifq_tail = tqe; 6041 nifq->ifq_tail = &tqe->tqe_next; 6042 MUTEX_EXIT(&nifq->ifq_lock); 6043} 6044 6045 6046/* ------------------------------------------------------------------------ */ 6047/* Function: ipf_updateipid */ 6048/* Returns: int - 0 == success, -1 == error (packet should be droppped) */ 6049/* Parameters: fin(I) - pointer to packet information */ 6050/* */ 6051/* When we are doing NAT, change the IP of every packet to represent a */ 6052/* single sequence of packets coming from the host, hiding any host */ 6053/* specific sequencing that might otherwise be revealed. If the packet is */ 6054/* a fragment, then store the 'new' IPid in the fragment cache and look up */ 6055/* the fragment cache for non-leading fragments. If a non-leading fragment */ 6056/* has no match in the cache, return an error. */ 6057/* ------------------------------------------------------------------------ */ 6058static int 6059ipf_updateipid(fin) 6060 fr_info_t *fin; 6061{ 6062 u_short id, ido, sums; 6063 u_32_t sumd, sum; 6064 ip_t *ip; 6065 6066 if (fin->fin_off != 0) { 6067 sum = ipf_frag_ipidknown(fin); 6068 if (sum == 0xffffffff) 6069 return -1; 6070 sum &= 0xffff; 6071 id = (u_short)sum; 6072 } else { 6073 id = ipf_nextipid(fin); 6074 if (fin->fin_off == 0 && (fin->fin_flx & FI_FRAG) != 0) 6075 (void) ipf_frag_ipidnew(fin, (u_32_t)id); 6076 } 6077 6078 ip = fin->fin_ip; 6079 ido = ntohs(ip->ip_id); 6080 if (id == ido) 6081 return 0; 6082 ip->ip_id = htons(id); 6083 CALC_SUMD(ido, id, sumd); /* DESTRUCTIVE MACRO! id,ido change */ 6084 sum = (~ntohs(ip->ip_sum)) & 0xffff; 6085 sum += sumd; 6086 sum = (sum >> 16) + (sum & 0xffff); 6087 sum = (sum >> 16) + (sum & 0xffff); 6088 sums = ~(u_short)sum; 6089 ip->ip_sum = htons(sums); 6090 return 0; 6091} 6092 6093 6094#ifdef NEED_FRGETIFNAME 6095/* ------------------------------------------------------------------------ */ 6096/* Function: ipf_getifname */ 6097/* Returns: char * - pointer to interface name */ 6098/* Parameters: ifp(I) - pointer to network interface */ 6099/* buffer(O) - pointer to where to store interface name */ 6100/* */ 6101/* Constructs an interface name in the buffer passed. The buffer passed is */ 6102/* expected to be at least LIFNAMSIZ in bytes big. If buffer is passed in */ 6103/* as a NULL pointer then return a pointer to a static array. */ 6104/* ------------------------------------------------------------------------ */ 6105char * 6106ipf_getifname(ifp, buffer) 6107 struct ifnet *ifp; 6108 char *buffer; 6109{ 6110 static char namebuf[LIFNAMSIZ]; 6111# if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \ 6112 defined(__sgi) || defined(linux) || defined(_AIX51) || \ 6113 (defined(sun) && !defined(__SVR4) && !defined(__svr4__)) 6114 int unit, space; 6115 char temp[20]; 6116 char *s; 6117# endif 6118 6119 if (buffer == NULL) 6120 buffer = namebuf; 6121 (void) strncpy(buffer, ifp->if_name, LIFNAMSIZ); 6122 buffer[LIFNAMSIZ - 1] = '\0'; 6123# if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \ 6124 defined(__sgi) || defined(_AIX51) || \ 6125 (defined(sun) && !defined(__SVR4) && !defined(__svr4__)) 6126 for (s = buffer; *s; s++) 6127 ; 6128 unit = ifp->if_unit; 6129 space = LIFNAMSIZ - (s - buffer); 6130 if ((space > 0) && (unit >= 0)) { 6131# if defined(SNPRINTF) && defined(_KERNEL) 6132 SNPRINTF(temp, sizeof(temp), "%d", unit); 6133# else 6134 (void) sprintf(temp, "%d", unit); 6135# endif 6136 (void) strncpy(s, temp, space); 6137 } 6138# endif 6139 return buffer; 6140} 6141#endif 6142 6143 6144/* ------------------------------------------------------------------------ */ 6145/* Function: ipf_ioctlswitch */ 6146/* Returns: int - -1 continue processing, else ioctl return value */ 6147/* Parameters: unit(I) - device unit opened */ 6148/* data(I) - pointer to ioctl data */ 6149/* cmd(I) - ioctl command */ 6150/* mode(I) - mode value */ 6151/* uid(I) - uid making the ioctl call */ 6152/* ctx(I) - pointer to context data */ 6153/* */ 6154/* Based on the value of unit, call the appropriate ioctl handler or return */ 6155/* EIO if ipfilter is not running. Also checks if write perms are req'd */ 6156/* for the device in order to execute the ioctl. A special case is made */ 6157/* SIOCIPFINTERROR so that the same code isn't required in every handler. */ 6158/* The context data pointer is passed through as this is used as the key */ 6159/* for locating a matching token for continued access for walking lists, */ 6160/* etc. */ 6161/* ------------------------------------------------------------------------ */ 6162int 6163ipf_ioctlswitch(softc, unit, data, cmd, mode, uid, ctx) 6164 ipf_main_softc_t *softc; 6165 int unit, mode, uid; 6166 ioctlcmd_t cmd; 6167 void *data, *ctx; 6168{ 6169 int error = 0; 6170 6171 switch (cmd) 6172 { 6173 case SIOCIPFINTERROR : 6174 error = BCOPYOUT(&softc->ipf_interror, data, 6175 sizeof(softc->ipf_interror)); 6176 if (error != 0) { 6177 IPFERROR(40); 6178 error = EFAULT; 6179 } 6180 return error; 6181 default : 6182 break; 6183 } 6184 6185 switch (unit) 6186 { 6187 case IPL_LOGIPF : 6188 error = ipf_ipf_ioctl(softc, data, cmd, mode, uid, ctx); 6189 break; 6190 case IPL_LOGNAT : 6191 if (softc->ipf_running > 0) { 6192 error = ipf_nat_ioctl(softc, data, cmd, mode, 6193 uid, ctx); 6194 } else { 6195 IPFERROR(42); 6196 error = EIO; 6197 } 6198 break; 6199 case IPL_LOGSTATE : 6200 if (softc->ipf_running > 0) { 6201 error = ipf_state_ioctl(softc, data, cmd, mode, 6202 uid, ctx); 6203 } else { 6204 IPFERROR(43); 6205 error = EIO; 6206 } 6207 break; 6208 case IPL_LOGAUTH : 6209 if (softc->ipf_running > 0) { 6210 error = ipf_auth_ioctl(softc, data, cmd, mode, 6211 uid, ctx); 6212 } else { 6213 IPFERROR(44); 6214 error = EIO; 6215 } 6216 break; 6217 case IPL_LOGSYNC : 6218 if (softc->ipf_running > 0) { 6219 error = ipf_sync_ioctl(softc, data, cmd, mode, 6220 uid, ctx); 6221 } else { 6222 error = EIO; 6223 IPFERROR(45); 6224 } 6225 break; 6226 case IPL_LOGSCAN : 6227#ifdef IPFILTER_SCAN 6228 if (softc->ipf_running > 0) 6229 error = ipf_scan_ioctl(softc, data, cmd, mode, 6230 uid, ctx); 6231 else 6232#endif 6233 { 6234 error = EIO; 6235 IPFERROR(46); 6236 } 6237 break; 6238 case IPL_LOGLOOKUP : 6239 if (softc->ipf_running > 0) { 6240 error = ipf_lookup_ioctl(softc, data, cmd, mode, 6241 uid, ctx); 6242 } else { 6243 error = EIO; 6244 IPFERROR(47); 6245 } 6246 break; 6247 default : 6248 IPFERROR(48); 6249 error = EIO; 6250 break; 6251 } 6252 6253 return error; 6254} 6255 6256 6257/* 6258 * This array defines the expected size of objects coming into the kernel 6259 * for the various recognised object types. The first column is flags (see 6260 * below), 2nd column is current size, 3rd column is the version number of 6261 * when the current size became current. 6262 * Flags: 6263 * 1 = minimum size, not absolute size 6264 */ 6265static int ipf_objbytes[IPFOBJ_COUNT][3] = { 6266 { 1, sizeof(struct frentry), 5010000 }, /* 0 */ 6267 { 1, sizeof(struct friostat), 5010000 }, 6268 { 0, sizeof(struct fr_info), 5010000 }, 6269 { 0, sizeof(struct ipf_authstat), 4010100 }, 6270 { 0, sizeof(struct ipfrstat), 5010000 }, 6271 { 1, sizeof(struct ipnat), 5010000 }, /* 5 */ 6272 { 0, sizeof(struct natstat), 5010000 }, 6273 { 0, sizeof(struct ipstate_save), 5010000 }, 6274 { 1, sizeof(struct nat_save), 5010000 }, 6275 { 0, sizeof(struct natlookup), 5010000 }, 6276 { 1, sizeof(struct ipstate), 5010000 }, /* 10 */ 6277 { 0, sizeof(struct ips_stat), 5010000 }, 6278 { 0, sizeof(struct frauth), 5010000 }, 6279 { 0, sizeof(struct ipftune), 4010100 }, 6280 { 0, sizeof(struct nat), 5010000 }, 6281 { 0, sizeof(struct ipfruleiter), 4011400 }, /* 15 */ 6282 { 0, sizeof(struct ipfgeniter), 4011400 }, 6283 { 0, sizeof(struct ipftable), 4011400 }, 6284 { 0, sizeof(struct ipflookupiter), 4011400 }, 6285 { 0, sizeof(struct ipftq) * IPF_TCP_NSTATES }, 6286 { 1, 0, 0 }, /* IPFEXPR */ 6287 { 0, 0, 0 }, /* PROXYCTL */ 6288 { 0, sizeof (struct fripf), 5010000 } 6289}; 6290 6291 6292/* ------------------------------------------------------------------------ */ 6293/* Function: ipf_inobj */ 6294/* Returns: int - 0 = success, else failure */ 6295/* Parameters: softc(I) - soft context pointerto work with */ 6296/* data(I) - pointer to ioctl data */ 6297/* objp(O) - where to store ipfobj structure */ 6298/* ptr(I) - pointer to data to copy out */ 6299/* type(I) - type of structure being moved */ 6300/* */ 6301/* Copy in the contents of what the ipfobj_t points to. In future, we */ 6302/* add things to check for version numbers, sizes, etc, to make it backward */ 6303/* compatible at the ABI for user land. */ 6304/* If objp is not NULL then we assume that the caller wants to see what is */ 6305/* in the ipfobj_t structure being copied in. As an example, this can tell */ 6306/* the caller what version of ipfilter the ioctl program was written to. */ 6307/* ------------------------------------------------------------------------ */ 6308int 6309ipf_inobj(softc, data, objp, ptr, type) 6310 ipf_main_softc_t *softc; 6311 void *data; 6312 ipfobj_t *objp; 6313 void *ptr; 6314 int type; 6315{ 6316 ipfobj_t obj; 6317 int error; 6318 int size; 6319 6320 if ((type < 0) || (type >= IPFOBJ_COUNT)) { 6321 IPFERROR(49); 6322 return EINVAL; 6323 } 6324 6325 if (objp == NULL) 6326 objp = &obj; 6327 error = BCOPYIN(data, objp, sizeof(*objp)); 6328 if (error != 0) { 6329 IPFERROR(124); 6330 return EFAULT; 6331 } 6332 6333 if (objp->ipfo_type != type) { 6334 IPFERROR(50); 6335 return EINVAL; 6336 } 6337 6338 if (objp->ipfo_rev >= ipf_objbytes[type][2]) { 6339 if ((ipf_objbytes[type][0] & 1) != 0) { 6340 if (objp->ipfo_size < ipf_objbytes[type][1]) { 6341 IPFERROR(51); 6342 return EINVAL; 6343 } 6344 size = ipf_objbytes[type][1]; 6345 } else if (objp->ipfo_size == ipf_objbytes[type][1]) { 6346 size = objp->ipfo_size; 6347 } else { 6348 IPFERROR(52); 6349 return EINVAL; 6350 } 6351 error = COPYIN(objp->ipfo_ptr, ptr, size); 6352 if (error != 0) { 6353 IPFERROR(55); 6354 error = EFAULT; 6355 } 6356 } else { 6357#ifdef IPFILTER_COMPAT 6358 error = ipf_in_compat(softc, objp, ptr, 0); 6359#else 6360 IPFERROR(54); 6361 error = EINVAL; 6362#endif 6363 } 6364 return error; 6365} 6366 6367 6368/* ------------------------------------------------------------------------ */ 6369/* Function: ipf_inobjsz */ 6370/* Returns: int - 0 = success, else failure */ 6371/* Parameters: softc(I) - soft context pointerto work with */ 6372/* data(I) - pointer to ioctl data */ 6373/* ptr(I) - pointer to store real data in */ 6374/* type(I) - type of structure being moved */ 6375/* sz(I) - size of data to copy */ 6376/* */ 6377/* As per ipf_inobj, except the size of the object to copy in is passed in */ 6378/* but it must not be smaller than the size defined for the type and the */ 6379/* type must allow for varied sized objects. The extra requirement here is */ 6380/* that sz must match the size of the object being passed in - this is not */ 6381/* not possible nor required in ipf_inobj(). */ 6382/* ------------------------------------------------------------------------ */ 6383int 6384ipf_inobjsz(softc, data, ptr, type, sz) 6385 ipf_main_softc_t *softc; 6386 void *data; 6387 void *ptr; 6388 int type, sz; 6389{ 6390 ipfobj_t obj; 6391 int error; 6392 6393 if ((type < 0) || (type >= IPFOBJ_COUNT)) { 6394 IPFERROR(56); 6395 return EINVAL; 6396 } 6397 6398 error = BCOPYIN(data, &obj, sizeof(obj)); 6399 if (error != 0) { 6400 IPFERROR(125); 6401 return EFAULT; 6402 } 6403 6404 if (obj.ipfo_type != type) { 6405 IPFERROR(58); 6406 return EINVAL; 6407 } 6408 6409 if (obj.ipfo_rev >= ipf_objbytes[type][2]) { 6410 if (((ipf_objbytes[type][0] & 1) == 0) || 6411 (sz < ipf_objbytes[type][1])) { 6412 IPFERROR(57); 6413 return EINVAL; 6414 } 6415 error = COPYIN(obj.ipfo_ptr, ptr, sz); 6416 if (error != 0) { 6417 IPFERROR(61); 6418 error = EFAULT; 6419 } 6420 } else { 6421#ifdef IPFILTER_COMPAT 6422 error = ipf_in_compat(softc, &obj, ptr, sz); 6423#else 6424 IPFERROR(60); 6425 error = EINVAL; 6426#endif 6427 } 6428 return error; 6429} 6430 6431 6432/* ------------------------------------------------------------------------ */ 6433/* Function: ipf_outobjsz */ 6434/* Returns: int - 0 = success, else failure */ 6435/* Parameters: data(I) - pointer to ioctl data */ 6436/* ptr(I) - pointer to store real data in */ 6437/* type(I) - type of structure being moved */ 6438/* sz(I) - size of data to copy */ 6439/* */ 6440/* As per ipf_outobj, except the size of the object to copy out is passed in*/ 6441/* but it must not be smaller than the size defined for the type and the */ 6442/* type must allow for varied sized objects. The extra requirement here is */ 6443/* that sz must match the size of the object being passed in - this is not */ 6444/* not possible nor required in ipf_outobj(). */ 6445/* ------------------------------------------------------------------------ */ 6446int 6447ipf_outobjsz(softc, data, ptr, type, sz) 6448 ipf_main_softc_t *softc; 6449 void *data; 6450 void *ptr; 6451 int type, sz; 6452{ 6453 ipfobj_t obj; 6454 int error; 6455 6456 if ((type < 0) || (type >= IPFOBJ_COUNT)) { 6457 IPFERROR(62); 6458 return EINVAL; 6459 } 6460 6461 error = BCOPYIN(data, &obj, sizeof(obj)); 6462 if (error != 0) { 6463 IPFERROR(127); 6464 return EFAULT; 6465 } 6466 6467 if (obj.ipfo_type != type) { 6468 IPFERROR(63); 6469 return EINVAL; 6470 } 6471 6472 if (obj.ipfo_rev >= ipf_objbytes[type][2]) { 6473 if (((ipf_objbytes[type][0] & 1) == 0) || 6474 (sz < ipf_objbytes[type][1])) { 6475 IPFERROR(146); 6476 return EINVAL; 6477 } 6478 error = COPYOUT(ptr, obj.ipfo_ptr, sz); 6479 if (error != 0) { 6480 IPFERROR(66); 6481 error = EFAULT; 6482 } 6483 } else { 6484#ifdef IPFILTER_COMPAT 6485 error = ipf_out_compat(softc, &obj, ptr); 6486#else 6487 IPFERROR(65); 6488 error = EINVAL; 6489#endif 6490 } 6491 return error; 6492} 6493 6494 6495/* ------------------------------------------------------------------------ */ 6496/* Function: ipf_outobj */ 6497/* Returns: int - 0 = success, else failure */ 6498/* Parameters: data(I) - pointer to ioctl data */ 6499/* ptr(I) - pointer to store real data in */ 6500/* type(I) - type of structure being moved */ 6501/* */ 6502/* Copy out the contents of what ptr is to where ipfobj points to. In */ 6503/* future, we add things to check for version numbers, sizes, etc, to make */ 6504/* it backward compatible at the ABI for user land. */ 6505/* ------------------------------------------------------------------------ */ 6506int 6507ipf_outobj(softc, data, ptr, type) 6508 ipf_main_softc_t *softc; 6509 void *data; 6510 void *ptr; 6511 int type; 6512{ 6513 ipfobj_t obj; 6514 int error; 6515 6516 if ((type < 0) || (type >= IPFOBJ_COUNT)) { 6517 IPFERROR(67); 6518 return EINVAL; 6519 } 6520 6521 error = BCOPYIN(data, &obj, sizeof(obj)); 6522 if (error != 0) { 6523 IPFERROR(126); 6524 return EFAULT; 6525 } 6526 6527 if (obj.ipfo_type != type) { 6528 IPFERROR(68); 6529 return EINVAL; 6530 } 6531 6532 if (obj.ipfo_rev >= ipf_objbytes[type][2]) { 6533 if ((ipf_objbytes[type][0] & 1) != 0) { 6534 if (obj.ipfo_size < ipf_objbytes[type][1]) { 6535 IPFERROR(69); 6536 return EINVAL; 6537 } 6538 } else if (obj.ipfo_size != ipf_objbytes[type][1]) { 6539 IPFERROR(70); 6540 return EINVAL; 6541 } 6542 6543 error = COPYOUT(ptr, obj.ipfo_ptr, obj.ipfo_size); 6544 if (error != 0) { 6545 IPFERROR(73); 6546 error = EFAULT; 6547 } 6548 } else { 6549#ifdef IPFILTER_COMPAT 6550 error = ipf_out_compat(softc, &obj, ptr); 6551#else 6552 IPFERROR(72); 6553 error = EINVAL; 6554#endif 6555 } 6556 return error; 6557} 6558 6559 6560/* ------------------------------------------------------------------------ */ 6561/* Function: ipf_outobjk */ 6562/* Returns: int - 0 = success, else failure */ 6563/* Parameters: obj(I) - pointer to data description structure */ 6564/* ptr(I) - pointer to kernel data to copy out */ 6565/* */ 6566/* In the above functions, the ipfobj_t structure is copied into the kernel,*/ 6567/* telling ipfilter how to copy out data. In this instance, the ipfobj_t is */ 6568/* already populated with information and now we just need to use it. */ 6569/* There is no need for this function to have a "type" parameter as there */ 6570/* is no point in validating information that comes from the kernel with */ 6571/* itself. */ 6572/* ------------------------------------------------------------------------ */ 6573int 6574ipf_outobjk(softc, obj, ptr) 6575 ipf_main_softc_t *softc; 6576 ipfobj_t *obj; 6577 void *ptr; 6578{ 6579 int type = obj->ipfo_type; 6580 int error; 6581 6582 if ((type < 0) || (type >= IPFOBJ_COUNT)) { 6583 IPFERROR(147); 6584 return EINVAL; 6585 } 6586 6587 if (obj->ipfo_rev >= ipf_objbytes[type][2]) { 6588 if ((ipf_objbytes[type][0] & 1) != 0) { 6589 if (obj->ipfo_size < ipf_objbytes[type][1]) { 6590 IPFERROR(148); 6591 return EINVAL; 6592 } 6593 6594 } else if (obj->ipfo_size != ipf_objbytes[type][1]) { 6595 IPFERROR(149); 6596 return EINVAL; 6597 } 6598 6599 error = COPYOUT(ptr, obj->ipfo_ptr, obj->ipfo_size); 6600 if (error != 0) { 6601 IPFERROR(150); 6602 error = EFAULT; 6603 } 6604 } else { 6605#ifdef IPFILTER_COMPAT 6606 error = ipf_out_compat(softc, obj, ptr); 6607#else 6608 IPFERROR(151); 6609 error = EINVAL; 6610#endif 6611 } 6612 return error; 6613} 6614 6615 6616/* ------------------------------------------------------------------------ */ 6617/* Function: ipf_checkl4sum */ 6618/* Returns: int - 0 = good, -1 = bad, 1 = cannot check */ 6619/* Parameters: fin(I) - pointer to packet information */ 6620/* */ 6621/* If possible, calculate the layer 4 checksum for the packet. If this is */ 6622/* not possible, return without indicating a failure or success but in a */ 6623/* way that is ditinguishable. This function should only be called by the */ 6624/* ipf_checkv6sum() for each platform. */ 6625/* ------------------------------------------------------------------------ */ 6626INLINE int 6627ipf_checkl4sum(fin) 6628 fr_info_t *fin; 6629{ 6630 u_short sum, hdrsum, *csump; 6631 udphdr_t *udp; 6632 int dosum; 6633 6634 /* 6635 * If the TCP packet isn't a fragment, isn't too short and otherwise 6636 * isn't already considered "bad", then validate the checksum. If 6637 * this check fails then considered the packet to be "bad". 6638 */ 6639 if ((fin->fin_flx & (FI_FRAG|FI_SHORT|FI_BAD)) != 0) 6640 return 1; 6641 6642 csump = NULL; 6643 hdrsum = 0; 6644 dosum = 0; 6645 sum = 0; 6646 6647 switch (fin->fin_p) 6648 { 6649 case IPPROTO_TCP : 6650 csump = &((tcphdr_t *)fin->fin_dp)->th_sum; 6651 dosum = 1; 6652 break; 6653 6654 case IPPROTO_UDP : 6655 udp = fin->fin_dp; 6656 if (udp->uh_sum != 0) { 6657 csump = &udp->uh_sum; 6658 dosum = 1; 6659 } 6660 break; 6661 6662#ifdef USE_INET6 6663 case IPPROTO_ICMPV6 : 6664 csump = &((struct icmp6_hdr *)fin->fin_dp)->icmp6_cksum; 6665 dosum = 1; 6666 break; 6667#endif 6668 6669 case IPPROTO_ICMP : 6670 csump = &((struct icmp *)fin->fin_dp)->icmp_cksum; 6671 dosum = 1; 6672 break; 6673 6674 default : 6675 return 1; 6676 /*NOTREACHED*/ 6677 } 6678 6679 if (csump != NULL) 6680 hdrsum = *csump; 6681 6682 if (dosum) { 6683 sum = fr_cksum(fin, fin->fin_ip, fin->fin_p, fin->fin_dp); 6684 } 6685#if !defined(_KERNEL) 6686 if (sum == hdrsum) { 6687 FR_DEBUG(("checkl4sum: %hx == %hx\n", sum, hdrsum)); 6688 } else { 6689 FR_DEBUG(("checkl4sum: %hx != %hx\n", sum, hdrsum)); 6690 } 6691#endif 6692 DT2(l4sums, u_short, hdrsum, u_short, sum); 6693 if (hdrsum == sum) { 6694 fin->fin_cksum = FI_CK_SUMOK; 6695 return 0; 6696 } 6697 fin->fin_cksum = FI_CK_BAD; 6698 return -1; 6699} 6700 6701 6702/* ------------------------------------------------------------------------ */ 6703/* Function: ipf_ifpfillv4addr */ 6704/* Returns: int - 0 = address update, -1 = address not updated */ 6705/* Parameters: atype(I) - type of network address update to perform */ 6706/* sin(I) - pointer to source of address information */ 6707/* mask(I) - pointer to source of netmask information */ 6708/* inp(I) - pointer to destination address store */ 6709/* inpmask(I) - pointer to destination netmask store */ 6710/* */ 6711/* Given a type of network address update (atype) to perform, copy */ 6712/* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */ 6713/* netmask update is performed unless FRI_NETMASKED is passed as atype, in */ 6714/* which case the operation fails. For all values of atype other than */ 6715/* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */ 6716/* value. */ 6717/* ------------------------------------------------------------------------ */ 6718int 6719ipf_ifpfillv4addr(atype, sin, mask, inp, inpmask) 6720 int atype; 6721 struct sockaddr_in *sin, *mask; 6722 struct in_addr *inp, *inpmask; 6723{ 6724 if (inpmask != NULL && atype != FRI_NETMASKED) 6725 inpmask->s_addr = 0xffffffff; 6726 6727 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) { 6728 if (atype == FRI_NETMASKED) { 6729 if (inpmask == NULL) 6730 return -1; 6731 inpmask->s_addr = mask->sin_addr.s_addr; 6732 } 6733 inp->s_addr = sin->sin_addr.s_addr & mask->sin_addr.s_addr; 6734 } else { 6735 inp->s_addr = sin->sin_addr.s_addr; 6736 } 6737 return 0; 6738} 6739 6740 6741#ifdef USE_INET6 6742/* ------------------------------------------------------------------------ */ 6743/* Function: ipf_ifpfillv6addr */ 6744/* Returns: int - 0 = address update, -1 = address not updated */ 6745/* Parameters: atype(I) - type of network address update to perform */ 6746/* sin(I) - pointer to source of address information */ 6747/* mask(I) - pointer to source of netmask information */ 6748/* inp(I) - pointer to destination address store */ 6749/* inpmask(I) - pointer to destination netmask store */ 6750/* */ 6751/* Given a type of network address update (atype) to perform, copy */ 6752/* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */ 6753/* netmask update is performed unless FRI_NETMASKED is passed as atype, in */ 6754/* which case the operation fails. For all values of atype other than */ 6755/* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */ 6756/* value. */ 6757/* ------------------------------------------------------------------------ */ 6758int 6759ipf_ifpfillv6addr(atype, sin, mask, inp, inpmask) 6760 int atype; 6761 struct sockaddr_in6 *sin, *mask; 6762 i6addr_t *inp, *inpmask; 6763{ 6764 i6addr_t *src, *and; 6765 6766 src = (i6addr_t *)&sin->sin6_addr; 6767 and = (i6addr_t *)&mask->sin6_addr; 6768 6769 if (inpmask != NULL && atype != FRI_NETMASKED) { 6770 inpmask->i6[0] = 0xffffffff; 6771 inpmask->i6[1] = 0xffffffff; 6772 inpmask->i6[2] = 0xffffffff; 6773 inpmask->i6[3] = 0xffffffff; 6774 } 6775 6776 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) { 6777 if (atype == FRI_NETMASKED) { 6778 if (inpmask == NULL) 6779 return -1; 6780 inpmask->i6[0] = and->i6[0]; 6781 inpmask->i6[1] = and->i6[1]; 6782 inpmask->i6[2] = and->i6[2]; 6783 inpmask->i6[3] = and->i6[3]; 6784 } 6785 6786 inp->i6[0] = src->i6[0] & and->i6[0]; 6787 inp->i6[1] = src->i6[1] & and->i6[1]; 6788 inp->i6[2] = src->i6[2] & and->i6[2]; 6789 inp->i6[3] = src->i6[3] & and->i6[3]; 6790 } else { 6791 inp->i6[0] = src->i6[0]; 6792 inp->i6[1] = src->i6[1]; 6793 inp->i6[2] = src->i6[2]; 6794 inp->i6[3] = src->i6[3]; 6795 } 6796 return 0; 6797} 6798#endif 6799 6800 6801/* ------------------------------------------------------------------------ */ 6802/* Function: ipf_matchtag */ 6803/* Returns: 0 == mismatch, 1 == match. */ 6804/* Parameters: tag1(I) - pointer to first tag to compare */ 6805/* tag2(I) - pointer to second tag to compare */ 6806/* */ 6807/* Returns true (non-zero) or false(0) if the two tag structures can be */ 6808/* considered to be a match or not match, respectively. The tag is 16 */ 6809/* bytes long (16 characters) but that is overlayed with 4 32bit ints so */ 6810/* compare the ints instead, for speed. tag1 is the master of the */ 6811/* comparison. This function should only be called with both tag1 and tag2 */ 6812/* as non-NULL pointers. */ 6813/* ------------------------------------------------------------------------ */ 6814int 6815ipf_matchtag(tag1, tag2) 6816 ipftag_t *tag1, *tag2; 6817{ 6818 if (tag1 == tag2) 6819 return 1; 6820 6821 if ((tag1->ipt_num[0] == 0) && (tag2->ipt_num[0] == 0)) 6822 return 1; 6823 6824 if ((tag1->ipt_num[0] == tag2->ipt_num[0]) && 6825 (tag1->ipt_num[1] == tag2->ipt_num[1]) && 6826 (tag1->ipt_num[2] == tag2->ipt_num[2]) && 6827 (tag1->ipt_num[3] == tag2->ipt_num[3])) 6828 return 1; 6829 return 0; 6830} 6831 6832 6833/* ------------------------------------------------------------------------ */ 6834/* Function: ipf_coalesce */ 6835/* Returns: 1 == success, -1 == failure, 0 == no change */ 6836/* Parameters: fin(I) - pointer to packet information */ 6837/* */ 6838/* Attempt to get all of the packet data into a single, contiguous buffer. */ 6839/* If this call returns a failure then the buffers have also been freed. */ 6840/* ------------------------------------------------------------------------ */ 6841int 6842ipf_coalesce(fin) 6843 fr_info_t *fin; 6844{ 6845 6846 if ((fin->fin_flx & FI_COALESCE) != 0) 6847 return 1; 6848 6849 /* 6850 * If the mbuf pointers indicate that there is no mbuf to work with, 6851 * return but do not indicate success or failure. 6852 */ 6853 if (fin->fin_m == NULL || fin->fin_mp == NULL) 6854 return 0; 6855 6856#if defined(_KERNEL) 6857 if (ipf_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) { 6858 ipf_main_softc_t *softc = fin->fin_main_soft; 6859 6860 DT1(frb_coalesce, fr_info_t *, fin); 6861 LBUMP(ipf_stats[fin->fin_out].fr_badcoalesces); 6862# ifdef MENTAT 6863 FREE_MB_T(*fin->fin_mp); 6864# endif 6865 fin->fin_reason = FRB_COALESCE; 6866 *fin->fin_mp = NULL; 6867 fin->fin_m = NULL; 6868 return -1; 6869 } 6870#else 6871 fin = fin; /* LINT */ 6872#endif 6873 return 1; 6874} 6875 6876 6877/* 6878 * The following table lists all of the tunable variables that can be 6879 * accessed via SIOCIPFGET/SIOCIPFSET/SIOCIPFGETNEXt. The format of each row 6880 * in the table below is as follows: 6881 * 6882 * pointer to value, name of value, minimum, maximum, size of the value's 6883 * container, value attribute flags 6884 * 6885 * For convienience, IPFT_RDONLY means the value is read-only, IPFT_WRDISABLED 6886 * means the value can only be written to when IPFilter is loaded but disabled. 6887 * The obvious implication is if neither of these are set then the value can be 6888 * changed at any time without harm. 6889 */ 6890 6891 6892/* ------------------------------------------------------------------------ */ 6893/* Function: ipf_tune_findbycookie */ 6894/* Returns: NULL = search failed, else pointer to tune struct */ 6895/* Parameters: cookie(I) - cookie value to search for amongst tuneables */ 6896/* next(O) - pointer to place to store the cookie for the */ 6897/* "next" tuneable, if it is desired. */ 6898/* */ 6899/* This function is used to walk through all of the existing tunables with */ 6900/* successive calls. It searches the known tunables for the one which has */ 6901/* a matching value for "cookie" - ie its address. When returning a match, */ 6902/* the next one to be found may be returned inside next. */ 6903/* ------------------------------------------------------------------------ */ 6904static ipftuneable_t * 6905ipf_tune_findbycookie(ptop, cookie, next) 6906 ipftuneable_t **ptop; 6907 void *cookie, **next; 6908{ 6909 ipftuneable_t *ta, **tap; 6910 6911 for (ta = *ptop; ta->ipft_name != NULL; ta++) 6912 if (ta == cookie) { 6913 if (next != NULL) { 6914 /* 6915 * If the next entry in the array has a name 6916 * present, then return a pointer to it for 6917 * where to go next, else return a pointer to 6918 * the dynaminc list as a key to search there 6919 * next. This facilitates a weak linking of 6920 * the two "lists" together. 6921 */ 6922 if ((ta + 1)->ipft_name != NULL) 6923 *next = ta + 1; 6924 else 6925 *next = ptop; 6926 } 6927 return ta; 6928 } 6929 6930 for (tap = ptop; (ta = *tap) != NULL; tap = &ta->ipft_next) 6931 if (tap == cookie) { 6932 if (next != NULL) 6933 *next = &ta->ipft_next; 6934 return ta; 6935 } 6936 6937 if (next != NULL) 6938 *next = NULL; 6939 return NULL; 6940} 6941 6942 6943/* ------------------------------------------------------------------------ */ 6944/* Function: ipf_tune_findbyname */ 6945/* Returns: NULL = search failed, else pointer to tune struct */ 6946/* Parameters: name(I) - name of the tuneable entry to find. */ 6947/* */ 6948/* Search the static array of tuneables and the list of dynamic tuneables */ 6949/* for an entry with a matching name. If we can find one, return a pointer */ 6950/* to the matching structure. */ 6951/* ------------------------------------------------------------------------ */ 6952static ipftuneable_t * 6953ipf_tune_findbyname(top, name) 6954 ipftuneable_t *top; 6955 const char *name; 6956{ 6957 ipftuneable_t *ta; 6958 6959 for (ta = top; ta != NULL; ta = ta->ipft_next) 6960 if (!strcmp(ta->ipft_name, name)) { 6961 return ta; 6962 } 6963 6964 return NULL; 6965} 6966 6967 6968/* ------------------------------------------------------------------------ */ 6969/* Function: ipf_tune_add_array */ 6970/* Returns: int - 0 == success, else failure */ 6971/* Parameters: newtune - pointer to new tune array to add to tuneables */ 6972/* */ 6973/* Appends tune structures from the array passed in (newtune) to the end of */ 6974/* the current list of "dynamic" tuneable parameters. */ 6975/* If any entry to be added is already present (by name) then the operation */ 6976/* is aborted - entries that have been added are removed before returning. */ 6977/* An entry with no name (NULL) is used as the indication that the end of */ 6978/* the array has been reached. */ 6979/* ------------------------------------------------------------------------ */ 6980int 6981ipf_tune_add_array(softc, newtune) 6982 ipf_main_softc_t *softc; 6983 ipftuneable_t *newtune; 6984{ 6985 ipftuneable_t *nt, *dt; 6986 int error = 0; 6987 6988 for (nt = newtune; nt->ipft_name != NULL; nt++) { 6989 error = ipf_tune_add(softc, nt); 6990 if (error != 0) { 6991 for (dt = newtune; dt != nt; dt++) { 6992 (void) ipf_tune_del(softc, dt); 6993 } 6994 } 6995 } 6996 6997 return error; 6998} 6999 7000 7001/* ------------------------------------------------------------------------ */ 7002/* Function: ipf_tune_array_link */ 7003/* Returns: 0 == success, -1 == failure */ 7004/* Parameters: softc(I) - soft context pointerto work with */ 7005/* array(I) - pointer to an array of tuneables */ 7006/* */ 7007/* Given an array of tunables (array), append them to the current list of */ 7008/* tuneables for this context (softc->ipf_tuners.) To properly prepare the */ 7009/* the array for being appended to the list, initialise all of the next */ 7010/* pointers so we don't need to walk parts of it with ++ and others with */ 7011/* next. The array is expected to have an entry with a NULL name as the */ 7012/* terminator. Trying to add an array with no non-NULL names will return as */ 7013/* a failure. */ 7014/* ------------------------------------------------------------------------ */ 7015int 7016ipf_tune_array_link(softc, array) 7017 ipf_main_softc_t *softc; 7018 ipftuneable_t *array; 7019{ 7020 ipftuneable_t *t, **p; 7021 7022 t = array; 7023 if (t->ipft_name == NULL) 7024 return -1; 7025 7026 for (; t[1].ipft_name != NULL; t++) 7027 t[0].ipft_next = &t[1]; 7028 t->ipft_next = NULL; 7029 7030 /* 7031 * Since a pointer to the last entry isn't kept, we need to find it 7032 * each time we want to add new variables to the list. 7033 */ 7034 for (p = &softc->ipf_tuners; (t = *p) != NULL; p = &t->ipft_next) 7035 if (t->ipft_name == NULL) 7036 break; 7037 *p = array; 7038 7039 return 0; 7040} 7041 7042 7043/* ------------------------------------------------------------------------ */ 7044/* Function: ipf_tune_array_unlink */ 7045/* Returns: 0 == success, -1 == failure */ 7046/* Parameters: softc(I) - soft context pointerto work with */ 7047/* array(I) - pointer to an array of tuneables */ 7048/* */ 7049/* ------------------------------------------------------------------------ */ 7050int 7051ipf_tune_array_unlink(softc, array) 7052 ipf_main_softc_t *softc; 7053 ipftuneable_t *array; 7054{ 7055 ipftuneable_t *t, **p; 7056 7057 for (p = &softc->ipf_tuners; (t = *p) != NULL; p = &t->ipft_next) 7058 if (t == array) 7059 break; 7060 if (t == NULL) 7061 return -1; 7062 7063 for (; t[1].ipft_name != NULL; t++) 7064 ; 7065 7066 *p = t->ipft_next; 7067 7068 return 0; 7069} 7070 7071 7072/* ------------------------------------------------------------------------ */ 7073/* Function: ipf_tune_array_copy */ 7074/* Returns: NULL = failure, else pointer to new array */ 7075/* Parameters: base(I) - pointer to structure base */ 7076/* size(I) - size of the array at template */ 7077/* template(I) - original array to copy */ 7078/* */ 7079/* Allocate memory for a new set of tuneable values and copy everything */ 7080/* from template into the new region of memory. The new region is full of */ 7081/* uninitialised pointers (ipft_next) so set them up. Now, ipftp_offset... */ 7082/* */ 7083/* NOTE: the following assumes that sizeof(long) == sizeof(void *) */ 7084/* In the array template, ipftp_offset is the offset (in bytes) of the */ 7085/* location of the tuneable value inside the structure pointed to by base. */ 7086/* As ipftp_offset is a union over the pointers to the tuneable values, if */ 7087/* we add base to the copy's ipftp_offset, copy ends up with a pointer in */ 7088/* ipftp_void that points to the stored value. */ 7089/* ------------------------------------------------------------------------ */ 7090ipftuneable_t * 7091ipf_tune_array_copy(base, size, template) 7092 void *base; 7093 size_t size; 7094 ipftuneable_t *template; 7095{ 7096 ipftuneable_t *copy; 7097 int i; 7098 7099 7100 KMALLOCS(copy, ipftuneable_t *, size); 7101 if (copy == NULL) { 7102 return NULL; 7103 } 7104 bcopy(template, copy, size); 7105 7106 for (i = 0; copy[i].ipft_name; i++) { 7107 copy[i].ipft_una.ipftp_offset += (u_long)base; 7108 copy[i].ipft_next = copy + i + 1; 7109 } 7110 7111 return copy; 7112} 7113 7114 7115/* ------------------------------------------------------------------------ */ 7116/* Function: ipf_tune_add */ 7117/* Returns: int - 0 == success, else failure */ 7118/* Parameters: newtune - pointer to new tune entry to add to tuneables */ 7119/* */ 7120/* Appends tune structures from the array passed in (newtune) to the end of */ 7121/* the current list of "dynamic" tuneable parameters. Once added, the */ 7122/* owner of the object is not expected to ever change "ipft_next". */ 7123/* ------------------------------------------------------------------------ */ 7124int 7125ipf_tune_add(softc, newtune) 7126 ipf_main_softc_t *softc; 7127 ipftuneable_t *newtune; 7128{ 7129 ipftuneable_t *ta, **tap; 7130 7131 ta = ipf_tune_findbyname(softc->ipf_tuners, newtune->ipft_name); 7132 if (ta != NULL) { 7133 IPFERROR(74); 7134 return EEXIST; 7135 } 7136 7137 for (tap = &softc->ipf_tuners; *tap != NULL; tap = &(*tap)->ipft_next) 7138 ; 7139 7140 newtune->ipft_next = NULL; 7141 *tap = newtune; 7142 return 0; 7143} 7144 7145 7146/* ------------------------------------------------------------------------ */ 7147/* Function: ipf_tune_del */ 7148/* Returns: int - 0 == success, else failure */ 7149/* Parameters: oldtune - pointer to tune entry to remove from the list of */ 7150/* current dynamic tuneables */ 7151/* */ 7152/* Search for the tune structure, by pointer, in the list of those that are */ 7153/* dynamically added at run time. If found, adjust the list so that this */ 7154/* structure is no longer part of it. */ 7155/* ------------------------------------------------------------------------ */ 7156int 7157ipf_tune_del(softc, oldtune) 7158 ipf_main_softc_t *softc; 7159 ipftuneable_t *oldtune; 7160{ 7161 ipftuneable_t *ta, **tap; 7162 int error = 0; 7163 7164 for (tap = &softc->ipf_tuners; (ta = *tap) != NULL; 7165 tap = &ta->ipft_next) { 7166 if (ta == oldtune) { 7167 *tap = oldtune->ipft_next; 7168 oldtune->ipft_next = NULL; 7169 break; 7170 } 7171 } 7172 7173 if (ta == NULL) { 7174 error = ESRCH; 7175 IPFERROR(75); 7176 } 7177 return error; 7178} 7179 7180 7181/* ------------------------------------------------------------------------ */ 7182/* Function: ipf_tune_del_array */ 7183/* Returns: int - 0 == success, else failure */ 7184/* Parameters: oldtune - pointer to tuneables array */ 7185/* */ 7186/* Remove each tuneable entry in the array from the list of "dynamic" */ 7187/* tunables. If one entry should fail to be found, an error will be */ 7188/* returned and no further ones removed. */ 7189/* An entry with a NULL name is used as the indicator of the last entry in */ 7190/* the array. */ 7191/* ------------------------------------------------------------------------ */ 7192int 7193ipf_tune_del_array(softc, oldtune) 7194 ipf_main_softc_t *softc; 7195 ipftuneable_t *oldtune; 7196{ 7197 ipftuneable_t *ot; 7198 int error = 0; 7199 7200 for (ot = oldtune; ot->ipft_name != NULL; ot++) { 7201 error = ipf_tune_del(softc, ot); 7202 if (error != 0) 7203 break; 7204 } 7205 7206 return error; 7207 7208} 7209 7210 7211/* ------------------------------------------------------------------------ */ 7212/* Function: ipf_tune */ 7213/* Returns: int - 0 == success, else failure */ 7214/* Parameters: cmd(I) - ioctl command number */ 7215/* data(I) - pointer to ioctl data structure */ 7216/* */ 7217/* Implement handling of SIOCIPFGETNEXT, SIOCIPFGET and SIOCIPFSET. These */ 7218/* three ioctls provide the means to access and control global variables */ 7219/* within IPFilter, allowing (for example) timeouts and table sizes to be */ 7220/* changed without rebooting, reloading or recompiling. The initialisation */ 7221/* and 'destruction' routines of the various components of ipfilter are all */ 7222/* each responsible for handling their own values being too big. */ 7223/* ------------------------------------------------------------------------ */ 7224int 7225ipf_ipftune(softc, cmd, data) 7226 ipf_main_softc_t *softc; 7227 ioctlcmd_t cmd; 7228 void *data; 7229{ 7230 ipftuneable_t *ta; 7231 ipftune_t tu; 7232 void *cookie; 7233 int error; 7234 7235 error = ipf_inobj(softc, data, NULL, &tu, IPFOBJ_TUNEABLE); 7236 if (error != 0) 7237 return error; 7238 7239 tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0'; 7240 cookie = tu.ipft_cookie; 7241 ta = NULL; 7242 7243 switch (cmd) 7244 { 7245 case SIOCIPFGETNEXT : 7246 /* 7247 * If cookie is non-NULL, assume it to be a pointer to the last 7248 * entry we looked at, so find it (if possible) and return a 7249 * pointer to the next one after it. The last entry in the 7250 * the table is a NULL entry, so when we get to it, set cookie 7251 * to NULL and return that, indicating end of list, erstwhile 7252 * if we come in with cookie set to NULL, we are starting anew 7253 * at the front of the list. 7254 */ 7255 if (cookie != NULL) { 7256 ta = ipf_tune_findbycookie(&softc->ipf_tuners, 7257 cookie, &tu.ipft_cookie); 7258 } else { 7259 ta = softc->ipf_tuners; 7260 tu.ipft_cookie = ta + 1; 7261 } 7262 if (ta != NULL) { 7263 /* 7264 * Entry found, but does the data pointed to by that 7265 * row fit in what we can return? 7266 */ 7267 if (ta->ipft_sz > sizeof(tu.ipft_un)) { 7268 IPFERROR(76); 7269 return EINVAL; 7270 } 7271 7272 tu.ipft_vlong = 0; 7273 if (ta->ipft_sz == sizeof(u_long)) 7274 tu.ipft_vlong = *ta->ipft_plong; 7275 else if (ta->ipft_sz == sizeof(u_int)) 7276 tu.ipft_vint = *ta->ipft_pint; 7277 else if (ta->ipft_sz == sizeof(u_short)) 7278 tu.ipft_vshort = *ta->ipft_pshort; 7279 else if (ta->ipft_sz == sizeof(u_char)) 7280 tu.ipft_vchar = *ta->ipft_pchar; 7281 7282 tu.ipft_sz = ta->ipft_sz; 7283 tu.ipft_min = ta->ipft_min; 7284 tu.ipft_max = ta->ipft_max; 7285 tu.ipft_flags = ta->ipft_flags; 7286 bcopy(ta->ipft_name, tu.ipft_name, 7287 MIN(sizeof(tu.ipft_name), 7288 strlen(ta->ipft_name) + 1)); 7289 } 7290 error = ipf_outobj(softc, data, &tu, IPFOBJ_TUNEABLE); 7291 break; 7292 7293 case SIOCIPFGET : 7294 case SIOCIPFSET : 7295 /* 7296 * Search by name or by cookie value for a particular entry 7297 * in the tuning paramter table. 7298 */ 7299 IPFERROR(77); 7300 error = ESRCH; 7301 if (cookie != NULL) { 7302 ta = ipf_tune_findbycookie(&softc->ipf_tuners, 7303 cookie, NULL); 7304 if (ta != NULL) 7305 error = 0; 7306 } else if (tu.ipft_name[0] != '\0') { 7307 ta = ipf_tune_findbyname(softc->ipf_tuners, 7308 tu.ipft_name); 7309 if (ta != NULL) 7310 error = 0; 7311 } 7312 if (error != 0) 7313 break; 7314 7315 if (cmd == (ioctlcmd_t)SIOCIPFGET) { 7316 /* 7317 * Fetch the tuning parameters for a particular value 7318 */ 7319 tu.ipft_vlong = 0; 7320 if (ta->ipft_sz == sizeof(u_long)) 7321 tu.ipft_vlong = *ta->ipft_plong; 7322 else if (ta->ipft_sz == sizeof(u_int)) 7323 tu.ipft_vint = *ta->ipft_pint; 7324 else if (ta->ipft_sz == sizeof(u_short)) 7325 tu.ipft_vshort = *ta->ipft_pshort; 7326 else if (ta->ipft_sz == sizeof(u_char)) 7327 tu.ipft_vchar = *ta->ipft_pchar; 7328 tu.ipft_cookie = ta; 7329 tu.ipft_sz = ta->ipft_sz; 7330 tu.ipft_min = ta->ipft_min; 7331 tu.ipft_max = ta->ipft_max; 7332 tu.ipft_flags = ta->ipft_flags; 7333 error = ipf_outobj(softc, data, &tu, IPFOBJ_TUNEABLE); 7334 7335 } else if (cmd == (ioctlcmd_t)SIOCIPFSET) { 7336 /* 7337 * Set an internal parameter. The hard part here is 7338 * getting the new value safely and correctly out of 7339 * the kernel (given we only know its size, not type.) 7340 */ 7341 u_long in; 7342 7343 if (((ta->ipft_flags & IPFT_WRDISABLED) != 0) && 7344 (softc->ipf_running > 0)) { 7345 IPFERROR(78); 7346 error = EBUSY; 7347 break; 7348 } 7349 7350 in = tu.ipft_vlong; 7351 if (in < ta->ipft_min || in > ta->ipft_max) { 7352 IPFERROR(79); 7353 error = EINVAL; 7354 break; 7355 } 7356 7357 if (ta->ipft_func != NULL) { 7358 SPL_INT(s); 7359 7360 SPL_NET(s); 7361 error = (*ta->ipft_func)(softc, ta, 7362 &tu.ipft_un); 7363 SPL_X(s); 7364 7365 } else if (ta->ipft_sz == sizeof(u_long)) { 7366 tu.ipft_vlong = *ta->ipft_plong; 7367 *ta->ipft_plong = in; 7368 7369 } else if (ta->ipft_sz == sizeof(u_int)) { 7370 tu.ipft_vint = *ta->ipft_pint; 7371 *ta->ipft_pint = (u_int)(in & 0xffffffff); 7372 7373 } else if (ta->ipft_sz == sizeof(u_short)) { 7374 tu.ipft_vshort = *ta->ipft_pshort; 7375 *ta->ipft_pshort = (u_short)(in & 0xffff); 7376 7377 } else if (ta->ipft_sz == sizeof(u_char)) { 7378 tu.ipft_vchar = *ta->ipft_pchar; 7379 *ta->ipft_pchar = (u_char)(in & 0xff); 7380 } 7381 error = ipf_outobj(softc, data, &tu, IPFOBJ_TUNEABLE); 7382 } 7383 break; 7384 7385 default : 7386 IPFERROR(80); 7387 error = EINVAL; 7388 break; 7389 } 7390 7391 return error; 7392} 7393 7394 7395/* ------------------------------------------------------------------------ */ 7396/* Function: ipf_zerostats */ 7397/* Returns: int - 0 = success, else failure */ 7398/* Parameters: data(O) - pointer to pointer for copying data back to */ 7399/* */ 7400/* Copies the current statistics out to userspace and then zero's the */ 7401/* current ones in the kernel. The lock is only held across the bzero() as */ 7402/* the copyout may result in paging (ie network activity.) */ 7403/* ------------------------------------------------------------------------ */ 7404int 7405ipf_zerostats(softc, data) 7406 ipf_main_softc_t *softc; 7407 caddr_t data; 7408{ 7409 friostat_t fio; 7410 ipfobj_t obj; 7411 int error; 7412 7413 error = ipf_inobj(softc, data, &obj, &fio, IPFOBJ_IPFSTAT); 7414 if (error != 0) 7415 return error; 7416 ipf_getstat(softc, &fio, obj.ipfo_rev); 7417 error = ipf_outobj(softc, data, &fio, IPFOBJ_IPFSTAT); 7418 if (error != 0) 7419 return error; 7420 7421 WRITE_ENTER(&softc->ipf_mutex); 7422 bzero(&softc->ipf_stats, sizeof(softc->ipf_stats)); 7423 RWLOCK_EXIT(&softc->ipf_mutex); 7424 7425 return 0; 7426} 7427 7428 7429/* ------------------------------------------------------------------------ */ 7430/* Function: ipf_resolvedest */ 7431/* Returns: Nil */ 7432/* Parameters: softc(I) - pointer to soft context main structure */ 7433/* base(I) - where strings are stored */ 7434/* fdp(IO) - pointer to destination information to resolve */ 7435/* v(I) - IP protocol version to match */ 7436/* */ 7437/* Looks up an interface name in the frdest structure pointed to by fdp and */ 7438/* if a matching name can be found for the particular IP protocol version */ 7439/* then store the interface pointer in the frdest struct. If no match is */ 7440/* found, then set the interface pointer to be -1 as NULL is considered to */ 7441/* indicate there is no information at all in the structure. */ 7442/* ------------------------------------------------------------------------ */ 7443int 7444ipf_resolvedest(softc, base, fdp, v) 7445 ipf_main_softc_t *softc; 7446 char *base; 7447 frdest_t *fdp; 7448 int v; 7449{ 7450 int errval = 0; 7451 void *ifp; 7452 7453 ifp = NULL; 7454 7455 if (fdp->fd_name != -1) { 7456 if (fdp->fd_type == FRD_DSTLIST) { 7457 ifp = ipf_lookup_res_name(softc, IPL_LOGIPF, 7458 IPLT_DSTLIST, 7459 base + fdp->fd_name, 7460 NULL); 7461 if (ifp == NULL) { 7462 IPFERROR(144); 7463 errval = ESRCH; 7464 } 7465 } else { 7466 ifp = GETIFP(base + fdp->fd_name, v); 7467 if (ifp == NULL) 7468 ifp = (void *)-1; 7469 } 7470 } 7471 fdp->fd_ptr = ifp; 7472 7473 if ((ifp != NULL) && (ifp != (void *)-1)) { 7474 fdp->fd_local = ipf_deliverlocal(softc, v, ifp, &fdp->fd_ip6); 7475 } 7476 7477 return errval; 7478} 7479 7480 7481/* ------------------------------------------------------------------------ */ 7482/* Function: ipf_resolvenic */ 7483/* Returns: void* - NULL = wildcard name, -1 = failed to find NIC, else */ 7484/* pointer to interface structure for NIC */ 7485/* Parameters: softc(I)- pointer to soft context main structure */ 7486/* name(I) - complete interface name */ 7487/* v(I) - IP protocol version */ 7488/* */ 7489/* Look for a network interface structure that firstly has a matching name */ 7490/* to that passed in and that is also being used for that IP protocol */ 7491/* version (necessary on some platforms where there are separate listings */ 7492/* for both IPv4 and IPv6 on the same physical NIC. */ 7493/* ------------------------------------------------------------------------ */ 7494void * 7495ipf_resolvenic(softc, name, v) 7496 ipf_main_softc_t *softc; 7497 char *name; 7498 int v; 7499{ 7500 void *nic; 7501 7502 softc = softc; /* gcc -Wextra */ 7503 if (name[0] == '\0') 7504 return NULL; 7505 7506 if ((name[1] == '\0') && ((name[0] == '-') || (name[0] == '*'))) { 7507 return NULL; 7508 } 7509 7510 nic = GETIFP(name, v); 7511 if (nic == NULL) 7512 nic = (void *)-1; 7513 return nic; 7514} 7515 7516 7517/* ------------------------------------------------------------------------ */ 7518/* Function: ipf_token_expire */ 7519/* Returns: None. */ 7520/* Parameters: softc(I) - pointer to soft context main structure */ 7521/* */ 7522/* This function is run every ipf tick to see if there are any tokens that */ 7523/* have been held for too long and need to be freed up. */ 7524/* ------------------------------------------------------------------------ */ 7525void 7526ipf_token_expire(softc) 7527 ipf_main_softc_t *softc; 7528{ 7529 ipftoken_t *it; 7530 7531 WRITE_ENTER(&softc->ipf_tokens); 7532 while ((it = softc->ipf_token_head) != NULL) { 7533 if (it->ipt_die > softc->ipf_ticks) 7534 break; 7535 7536 ipf_token_deref(softc, it); 7537 } 7538 RWLOCK_EXIT(&softc->ipf_tokens); 7539} 7540 7541 7542/* ------------------------------------------------------------------------ */ 7543/* Function: ipf_token_flush */ 7544/* Returns: None. */ 7545/* Parameters: softc(I) - pointer to soft context main structure */ 7546/* */ 7547/* Loop through all of the existing tokens and call deref to see if they */ 7548/* can be freed. Normally a function like this might just loop on */ 7549/* ipf_token_head but there is a chance that a token might have a ref count */ 7550/* of greater than one and in that case the the reference would drop twice */ 7551/* by code that is only entitled to drop it once. */ 7552/* ------------------------------------------------------------------------ */ 7553static void 7554ipf_token_flush(softc) 7555 ipf_main_softc_t *softc; 7556{ 7557 ipftoken_t *it, *next; 7558 7559 WRITE_ENTER(&softc->ipf_tokens); 7560 for (it = softc->ipf_token_head; it != NULL; it = next) { 7561 next = it->ipt_next; 7562 (void) ipf_token_deref(softc, it); 7563 } 7564 RWLOCK_EXIT(&softc->ipf_tokens); 7565} 7566 7567 7568/* ------------------------------------------------------------------------ */ 7569/* Function: ipf_token_del */ 7570/* Returns: int - 0 = success, else error */ 7571/* Parameters: softc(I)- pointer to soft context main structure */ 7572/* type(I) - the token type to match */ 7573/* uid(I) - uid owning the token */ 7574/* ptr(I) - context pointer for the token */ 7575/* */ 7576/* This function looks for a a token in the current list that matches up */ 7577/* the fields (type, uid, ptr). If none is found, ESRCH is returned, else */ 7578/* call ipf_token_dewref() to remove it from the list. In the event that */ 7579/* the token has a reference held elsewhere, setting ipt_complete to 2 */ 7580/* enables debugging to distinguish between the two paths that ultimately */ 7581/* lead to a token to be deleted. */ 7582/* ------------------------------------------------------------------------ */ 7583int 7584ipf_token_del(softc, type, uid, ptr) 7585 ipf_main_softc_t *softc; 7586 int type, uid; 7587 void *ptr; 7588{ 7589 ipftoken_t *it; 7590 int error; 7591 7592 IPFERROR(82); 7593 error = ESRCH; 7594 7595 WRITE_ENTER(&softc->ipf_tokens); 7596 for (it = softc->ipf_token_head; it != NULL; it = it->ipt_next) { 7597 if (ptr == it->ipt_ctx && type == it->ipt_type && 7598 uid == it->ipt_uid) { 7599 it->ipt_complete = 2; 7600 ipf_token_deref(softc, it); 7601 error = 0; 7602 break; 7603 } 7604 } 7605 RWLOCK_EXIT(&softc->ipf_tokens); 7606 7607 return error; 7608} 7609 7610 7611/* ------------------------------------------------------------------------ */ 7612/* Function: ipf_token_mark_complete */ 7613/* Returns: None. */ 7614/* Parameters: token(I) - pointer to token structure */ 7615/* */ 7616/* Mark a token as being ineligable for being found with ipf_token_find. */ 7617/* ------------------------------------------------------------------------ */ 7618void 7619ipf_token_mark_complete(token) 7620 ipftoken_t *token; 7621{ 7622 if (token->ipt_complete == 0) 7623 token->ipt_complete = 1; 7624} 7625 7626 7627/* ------------------------------------------------------------------------ */ 7628/* Function: ipf_token_find */ 7629/* Returns: ipftoken_t * - NULL if no memory, else pointer to token */ 7630/* Parameters: softc(I)- pointer to soft context main structure */ 7631/* type(I) - the token type to match */ 7632/* uid(I) - uid owning the token */ 7633/* ptr(I) - context pointer for the token */ 7634/* */ 7635/* This function looks for a live token in the list of current tokens that */ 7636/* matches the tuple (type, uid, ptr). If one cannot be found then one is */ 7637/* allocated. If one is found then it is moved to the top of the list of */ 7638/* currently active tokens. */ 7639/* ------------------------------------------------------------------------ */ 7640ipftoken_t * 7641ipf_token_find(softc, type, uid, ptr) 7642 ipf_main_softc_t *softc; 7643 int type, uid; 7644 void *ptr; 7645{ 7646 ipftoken_t *it, *new; 7647 7648 KMALLOC(new, ipftoken_t *); 7649 if (new != NULL) 7650 bzero((char *)new, sizeof(*new)); 7651 7652 WRITE_ENTER(&softc->ipf_tokens); 7653 for (it = softc->ipf_token_head; it != NULL; it = it->ipt_next) { 7654 if ((ptr == it->ipt_ctx) && (type == it->ipt_type) && 7655 (uid == it->ipt_uid) && (it->ipt_complete < 2)) 7656 break; 7657 } 7658 7659 if (it == NULL) { 7660 it = new; 7661 new = NULL; 7662 if (it == NULL) { 7663 RWLOCK_EXIT(&softc->ipf_tokens); 7664 return NULL; 7665 } 7666 it->ipt_ctx = ptr; 7667 it->ipt_uid = uid; 7668 it->ipt_type = type; 7669 it->ipt_ref = 1; 7670 } else { 7671 if (new != NULL) { 7672 KFREE(new); 7673 new = NULL; 7674 } 7675 7676 if (it->ipt_complete > 0) 7677 it = NULL; 7678 else 7679 ipf_token_unlink(softc, it); 7680 } 7681 7682 if (it != NULL) { 7683 it->ipt_pnext = softc->ipf_token_tail; 7684 *softc->ipf_token_tail = it; 7685 softc->ipf_token_tail = &it->ipt_next; 7686 it->ipt_next = NULL; 7687 it->ipt_ref++; 7688 7689 it->ipt_die = softc->ipf_ticks + 20; 7690 } 7691 7692 RWLOCK_EXIT(&softc->ipf_tokens); 7693 7694 return it; 7695} 7696 7697 7698/* ------------------------------------------------------------------------ */ 7699/* Function: ipf_token_unlink */ 7700/* Returns: None. */ 7701/* Parameters: softc(I) - pointer to soft context main structure */ 7702/* token(I) - pointer to token structure */ 7703/* Write Locks: ipf_tokens */ 7704/* */ 7705/* This function unlinks a token structure from the linked list of tokens */ 7706/* that "own" it. The head pointer never needs to be explicitly adjusted */ 7707/* but the tail does due to the linked list implementation. */ 7708/* ------------------------------------------------------------------------ */ 7709static void 7710ipf_token_unlink(softc, token) 7711 ipf_main_softc_t *softc; 7712 ipftoken_t *token; 7713{ 7714 7715 if (softc->ipf_token_tail == &token->ipt_next) 7716 softc->ipf_token_tail = token->ipt_pnext; 7717 7718 *token->ipt_pnext = token->ipt_next; 7719 if (token->ipt_next != NULL) 7720 token->ipt_next->ipt_pnext = token->ipt_pnext; 7721 token->ipt_next = NULL; 7722 token->ipt_pnext = NULL; 7723} 7724 7725 7726/* ------------------------------------------------------------------------ */ 7727/* Function: ipf_token_deref */ 7728/* Returns: int - 0 == token freed, else reference count */ 7729/* Parameters: softc(I) - pointer to soft context main structure */ 7730/* token(I) - pointer to token structure */ 7731/* Write Locks: ipf_tokens */ 7732/* */ 7733/* Drop the reference count on the token structure and if it drops to zero, */ 7734/* call the dereference function for the token type because it is then */ 7735/* possible to free the token data structure. */ 7736/* ------------------------------------------------------------------------ */ 7737int 7738ipf_token_deref(softc, token) 7739 ipf_main_softc_t *softc; 7740 ipftoken_t *token; 7741{ 7742 void *data, **datap; 7743 7744 ASSERT(token->ipt_ref > 0); 7745 token->ipt_ref--; 7746 if (token->ipt_ref > 0) 7747 return token->ipt_ref; 7748 7749 data = token->ipt_data; 7750 datap = &data; 7751 7752 if ((data != NULL) && (data != (void *)-1)) { 7753 switch (token->ipt_type) 7754 { 7755 case IPFGENITER_IPF : 7756 (void) ipf_derefrule(softc, (frentry_t **)datap); 7757 break; 7758 case IPFGENITER_IPNAT : 7759 WRITE_ENTER(&softc->ipf_nat); 7760 ipf_nat_rule_deref(softc, (ipnat_t **)datap); 7761 RWLOCK_EXIT(&softc->ipf_nat); 7762 break; 7763 case IPFGENITER_NAT : 7764 ipf_nat_deref(softc, (nat_t **)datap); 7765 break; 7766 case IPFGENITER_STATE : 7767 ipf_state_deref(softc, (ipstate_t **)datap); 7768 break; 7769 case IPFGENITER_FRAG : 7770 ipf_frag_pkt_deref(softc, (ipfr_t **)datap); 7771 break; 7772 case IPFGENITER_NATFRAG : 7773 ipf_frag_nat_deref(softc, (ipfr_t **)datap); 7774 break; 7775 case IPFGENITER_HOSTMAP : 7776 WRITE_ENTER(&softc->ipf_nat); 7777 ipf_nat_hostmapdel(softc, (hostmap_t **)datap); 7778 RWLOCK_EXIT(&softc->ipf_nat); 7779 break; 7780 default : 7781 ipf_lookup_iterderef(softc, token->ipt_type, data); 7782 break; 7783 } 7784 } 7785 7786 ipf_token_unlink(softc, token); 7787 KFREE(token); 7788 return 0; 7789} 7790 7791 7792/* ------------------------------------------------------------------------ */ 7793/* Function: ipf_nextrule */ 7794/* Returns: frentry_t * - NULL == no more rules, else pointer to next */ 7795/* Parameters: softc(I) - pointer to soft context main structure */ 7796/* fr(I) - pointer to filter rule */ 7797/* out(I) - 1 == out rules, 0 == input rules */ 7798/* */ 7799/* Starting with "fr", find the next rule to visit. This includes visiting */ 7800/* the list of rule groups if either fr is NULL (empty list) or it is the */ 7801/* last rule in the list. When walking rule lists, it is either input or */ 7802/* output rules that are returned, never both. */ 7803/* ------------------------------------------------------------------------ */ 7804static frentry_t * 7805ipf_nextrule(softc, active, unit, fr, out) 7806 ipf_main_softc_t *softc; 7807 int active, unit; 7808 frentry_t *fr; 7809 int out; 7810{ 7811 frentry_t *next; 7812 frgroup_t *fg; 7813 7814 if (fr != NULL && fr->fr_group != -1) { 7815 fg = ipf_findgroup(softc, fr->fr_names + fr->fr_group, 7816 unit, active, NULL); 7817 if (fg != NULL) 7818 fg = fg->fg_next; 7819 } else { 7820 fg = softc->ipf_groups[unit][active]; 7821 } 7822 7823 while (fg != NULL) { 7824 next = fg->fg_start; 7825 while (next != NULL) { 7826 if (out) { 7827 if (next->fr_flags & FR_OUTQUE) 7828 return next; 7829 } else if (next->fr_flags & FR_INQUE) { 7830 return next; 7831 } 7832 next = next->fr_next; 7833 } 7834 if (next == NULL) 7835 fg = fg->fg_next; 7836 } 7837 7838 return NULL; 7839} 7840 7841/* ------------------------------------------------------------------------ */ 7842/* Function: ipf_getnextrule */ 7843/* Returns: int - 0 = success, else error */ 7844/* Parameters: softc(I)- pointer to soft context main structure */ 7845/* t(I) - pointer to destination information to resolve */ 7846/* ptr(I) - pointer to ipfobj_t to copyin from user space */ 7847/* */ 7848/* This function's first job is to bring in the ipfruleiter_t structure via */ 7849/* the ipfobj_t structure to determine what should be the next rule to */ 7850/* return. Once the ipfruleiter_t has been brought in, it then tries to */ 7851/* find the 'next rule'. This may include searching rule group lists or */ 7852/* just be as simple as looking at the 'next' field in the rule structure. */ 7853/* When we have found the rule to return, increase its reference count and */ 7854/* if we used an existing rule to get here, decrease its reference count. */ 7855/* ------------------------------------------------------------------------ */ 7856int 7857ipf_getnextrule(softc, t, ptr) 7858 ipf_main_softc_t *softc; 7859 ipftoken_t *t; 7860 void *ptr; 7861{ 7862 frentry_t *fr, *next, zero; 7863 ipfruleiter_t it; 7864 int error, out; 7865 frgroup_t *fg; 7866 ipfobj_t obj; 7867 int predict; 7868 char *dst; 7869 int unit; 7870 7871 if (t == NULL || ptr == NULL) { 7872 IPFERROR(84); 7873 return EFAULT; 7874 } 7875 7876 error = ipf_inobj(softc, ptr, &obj, &it, IPFOBJ_IPFITER); 7877 if (error != 0) 7878 return error; 7879 7880 if ((it.iri_inout < 0) || (it.iri_inout > 3)) { 7881 IPFERROR(85); 7882 return EINVAL; 7883 } 7884 if ((it.iri_active != 0) && (it.iri_active != 1)) { 7885 IPFERROR(86); 7886 return EINVAL; 7887 } 7888 if (it.iri_nrules == 0) { 7889 IPFERROR(87); 7890 return ENOSPC; 7891 } 7892 if (it.iri_rule == NULL) { 7893 IPFERROR(88); 7894 return EFAULT; 7895 } 7896 7897 fg = NULL; 7898 fr = t->ipt_data; 7899 if ((it.iri_inout & F_OUT) != 0) 7900 out = 1; 7901 else 7902 out = 0; 7903 if ((it.iri_inout & F_ACIN) != 0) 7904 unit = IPL_LOGCOUNT; 7905 else 7906 unit = IPL_LOGIPF; 7907 7908 READ_ENTER(&softc->ipf_mutex); 7909 if (fr == NULL) { 7910 if (*it.iri_group == '\0') { 7911 if (unit == IPL_LOGCOUNT) { 7912 next = softc->ipf_acct[out][it.iri_active]; 7913 } else { 7914 next = softc->ipf_rules[out][it.iri_active]; 7915 } 7916 if (next == NULL) 7917 next = ipf_nextrule(softc, it.iri_active, 7918 unit, NULL, out); 7919 } else { 7920 fg = ipf_findgroup(softc, it.iri_group, unit, 7921 it.iri_active, NULL); 7922 if (fg != NULL) 7923 next = fg->fg_start; 7924 else 7925 next = NULL; 7926 } 7927 } else { 7928 next = fr->fr_next; 7929 if (next == NULL) 7930 next = ipf_nextrule(softc, it.iri_active, unit, 7931 fr, out); 7932 } 7933 7934 if (next != NULL && next->fr_next != NULL) 7935 predict = 1; 7936 else if (ipf_nextrule(softc, it.iri_active, unit, next, out) != NULL) 7937 predict = 1; 7938 else 7939 predict = 0; 7940 7941 if (fr != NULL) 7942 (void) ipf_derefrule(softc, &fr); 7943 7944 obj.ipfo_type = IPFOBJ_FRENTRY; 7945 dst = (char *)it.iri_rule; 7946 7947 if (next != NULL) { 7948 obj.ipfo_size = next->fr_size; 7949 MUTEX_ENTER(&next->fr_lock); 7950 next->fr_ref++; 7951 MUTEX_EXIT(&next->fr_lock); 7952 t->ipt_data = next; 7953 } else { 7954 obj.ipfo_size = sizeof(frentry_t); 7955 bzero(&zero, sizeof(zero)); 7956 next = &zero; 7957 t->ipt_data = NULL; 7958 } 7959 it.iri_rule = predict ? next : NULL; 7960 if (predict == 0) 7961 ipf_token_mark_complete(t); 7962 7963 RWLOCK_EXIT(&softc->ipf_mutex); 7964 7965 obj.ipfo_ptr = dst; 7966 error = ipf_outobjk(softc, &obj, next); 7967 if (error == 0 && t->ipt_data != NULL) { 7968 dst += obj.ipfo_size; 7969 if (next->fr_data != NULL) { 7970 ipfobj_t dobj; 7971 7972 if (next->fr_type == FR_T_IPFEXPR) 7973 dobj.ipfo_type = IPFOBJ_IPFEXPR; 7974 else 7975 dobj.ipfo_type = IPFOBJ_FRIPF; 7976 dobj.ipfo_size = next->fr_dsize; 7977 dobj.ipfo_rev = obj.ipfo_rev; 7978 dobj.ipfo_ptr = dst; 7979 error = ipf_outobjk(softc, &dobj, next->fr_data); 7980 } 7981 } 7982 7983 if ((fr != NULL) && (next == &zero)) 7984 (void) ipf_derefrule(softc, &fr); 7985 7986 return error; 7987} 7988 7989 7990/* ------------------------------------------------------------------------ */ 7991/* Function: ipf_frruleiter */ 7992/* Returns: int - 0 = success, else error */ 7993/* Parameters: softc(I)- pointer to soft context main structure */ 7994/* data(I) - the token type to match */ 7995/* uid(I) - uid owning the token */ 7996/* ptr(I) - context pointer for the token */ 7997/* */ 7998/* This function serves as a stepping stone between ipf_ipf_ioctl and */ 7999/* ipf_getnextrule. It's role is to find the right token in the kernel for */ 8000/* the process doing the ioctl and use that to ask for the next rule. */ 8001/* ------------------------------------------------------------------------ */ 8002static int 8003ipf_frruleiter(softc, data, uid, ctx) 8004 ipf_main_softc_t *softc; 8005 void *data, *ctx; 8006 int uid; 8007{ 8008 ipftoken_t *token; 8009 ipfruleiter_t it; 8010 ipfobj_t obj; 8011 int error; 8012 8013 token = ipf_token_find(softc, IPFGENITER_IPF, uid, ctx); 8014 if (token != NULL) { 8015 error = ipf_getnextrule(softc, token, data); 8016 WRITE_ENTER(&softc->ipf_tokens); 8017 ipf_token_deref(softc, token); 8018 RWLOCK_EXIT(&softc->ipf_tokens); 8019 } else { 8020 error = ipf_inobj(softc, data, &obj, &it, IPFOBJ_IPFITER); 8021 if (error != 0) 8022 return error; 8023 it.iri_rule = NULL; 8024 error = ipf_outobj(softc, data, &it, IPFOBJ_IPFITER); 8025 } 8026 8027 return error; 8028} 8029 8030 8031/* ------------------------------------------------------------------------ */ 8032/* Function: ipf_geniter */ 8033/* Returns: int - 0 = success, else error */ 8034/* Parameters: softc(I) - pointer to soft context main structure */ 8035/* token(I) - pointer to ipftoken_t structure */ 8036/* itp(I) - pointer to iterator data */ 8037/* */ 8038/* Decide which iterator function to call using information passed through */ 8039/* the ipfgeniter_t structure at itp. */ 8040/* ------------------------------------------------------------------------ */ 8041static int 8042ipf_geniter(softc, token, itp) 8043 ipf_main_softc_t *softc; 8044 ipftoken_t *token; 8045 ipfgeniter_t *itp; 8046{ 8047 int error; 8048 8049 switch (itp->igi_type) 8050 { 8051 case IPFGENITER_FRAG : 8052 error = ipf_frag_pkt_next(softc, token, itp); 8053 break; 8054 default : 8055 IPFERROR(92); 8056 error = EINVAL; 8057 break; 8058 } 8059 8060 return error; 8061} 8062 8063 8064/* ------------------------------------------------------------------------ */ 8065/* Function: ipf_genericiter */ 8066/* Returns: int - 0 = success, else error */ 8067/* Parameters: softc(I)- pointer to soft context main structure */ 8068/* data(I) - the token type to match */ 8069/* uid(I) - uid owning the token */ 8070/* ptr(I) - context pointer for the token */ 8071/* */ 8072/* Handle the SIOCGENITER ioctl for the ipfilter device. The primary role */ 8073/* ------------------------------------------------------------------------ */ 8074int 8075ipf_genericiter(softc, data, uid, ctx) 8076 ipf_main_softc_t *softc; 8077 void *data, *ctx; 8078 int uid; 8079{ 8080 ipftoken_t *token; 8081 ipfgeniter_t iter; 8082 int error; 8083 8084 error = ipf_inobj(softc, data, NULL, &iter, IPFOBJ_GENITER); 8085 if (error != 0) 8086 return error; 8087 8088 token = ipf_token_find(softc, iter.igi_type, uid, ctx); 8089 if (token != NULL) { 8090 token->ipt_subtype = iter.igi_type; 8091 error = ipf_geniter(softc, token, &iter); 8092 WRITE_ENTER(&softc->ipf_tokens); 8093 ipf_token_deref(softc, token); 8094 RWLOCK_EXIT(&softc->ipf_tokens); 8095 } else { 8096 IPFERROR(93); 8097 error = 0; 8098 } 8099 8100 return error; 8101} 8102 8103 8104/* ------------------------------------------------------------------------ */ 8105/* Function: ipf_ipf_ioctl */ 8106/* Returns: int - 0 = success, else error */ 8107/* Parameters: softc(I)- pointer to soft context main structure */ 8108/* data(I) - the token type to match */ 8109/* cmd(I) - the ioctl command number */ 8110/* mode(I) - mode flags for the ioctl */ 8111/* uid(I) - uid owning the token */ 8112/* ptr(I) - context pointer for the token */ 8113/* */ 8114/* This function handles all of the ioctl command that are actually isssued */ 8115/* to the /dev/ipl device. */ 8116/* ------------------------------------------------------------------------ */ 8117int 8118ipf_ipf_ioctl(softc, data, cmd, mode, uid, ctx) 8119 ipf_main_softc_t *softc; 8120 caddr_t data; 8121 ioctlcmd_t cmd; 8122 int mode, uid; 8123 void *ctx; 8124{ 8125 friostat_t fio; 8126 int error, tmp; 8127 ipfobj_t obj; 8128 SPL_INT(s); 8129 8130 switch (cmd) 8131 { 8132 case SIOCFRENB : 8133 if (!(mode & FWRITE)) { 8134 IPFERROR(94); 8135 error = EPERM; 8136 } else { 8137 error = BCOPYIN(data, &tmp, sizeof(tmp)); 8138 if (error != 0) { 8139 IPFERROR(95); 8140 error = EFAULT; 8141 break; 8142 } 8143 8144 WRITE_ENTER(&softc->ipf_global); 8145 if (tmp) { 8146 if (softc->ipf_running > 0) 8147 error = 0; 8148 else 8149 error = ipfattach(softc); 8150 if (error == 0) 8151 softc->ipf_running = 1; 8152 else 8153 (void) ipfdetach(softc); 8154 } else { 8155 if (softc->ipf_running == 1) 8156 error = ipfdetach(softc); 8157 else 8158 error = 0; 8159 if (error == 0) 8160 softc->ipf_running = -1; 8161 } 8162 RWLOCK_EXIT(&softc->ipf_global); 8163 } 8164 break; 8165 8166 case SIOCIPFSET : 8167 if (!(mode & FWRITE)) { 8168 IPFERROR(96); 8169 error = EPERM; 8170 break; 8171 } 8172 /* FALLTHRU */ 8173 case SIOCIPFGETNEXT : 8174 case SIOCIPFGET : 8175 error = ipf_ipftune(softc, cmd, (void *)data); 8176 break; 8177 8178 case SIOCSETFF : 8179 if (!(mode & FWRITE)) { 8180 IPFERROR(97); 8181 error = EPERM; 8182 } else { 8183 error = BCOPYIN(data, &softc->ipf_flags, 8184 sizeof(softc->ipf_flags)); 8185 if (error != 0) { 8186 IPFERROR(98); 8187 error = EFAULT; 8188 } 8189 } 8190 break; 8191 8192 case SIOCGETFF : 8193 error = BCOPYOUT(&softc->ipf_flags, data, 8194 sizeof(softc->ipf_flags)); 8195 if (error != 0) { 8196 IPFERROR(99); 8197 error = EFAULT; 8198 } 8199 break; 8200 8201 case SIOCFUNCL : 8202 error = ipf_resolvefunc(softc, (void *)data); 8203 break; 8204 8205 case SIOCINAFR : 8206 case SIOCRMAFR : 8207 case SIOCADAFR : 8208 case SIOCZRLST : 8209 if (!(mode & FWRITE)) { 8210 IPFERROR(100); 8211 error = EPERM; 8212 } else { 8213 error = frrequest(softc, IPL_LOGIPF, cmd, (caddr_t)data, 8214 softc->ipf_active, 1); 8215 } 8216 break; 8217 8218 case SIOCINIFR : 8219 case SIOCRMIFR : 8220 case SIOCADIFR : 8221 if (!(mode & FWRITE)) { 8222 IPFERROR(101); 8223 error = EPERM; 8224 } else { 8225 error = frrequest(softc, IPL_LOGIPF, cmd, (caddr_t)data, 8226 1 - softc->ipf_active, 1); 8227 } 8228 break; 8229 8230 case SIOCSWAPA : 8231 if (!(mode & FWRITE)) { 8232 IPFERROR(102); 8233 error = EPERM; 8234 } else { 8235 WRITE_ENTER(&softc->ipf_mutex); 8236 error = BCOPYOUT(&softc->ipf_active, data, 8237 sizeof(softc->ipf_active)); 8238 if (error != 0) { 8239 IPFERROR(103); 8240 error = EFAULT; 8241 } else { 8242 softc->ipf_active = 1 - softc->ipf_active; 8243 } 8244 RWLOCK_EXIT(&softc->ipf_mutex); 8245 } 8246 break; 8247 8248 case SIOCGETFS : 8249 error = ipf_inobj(softc, (void *)data, &obj, &fio, 8250 IPFOBJ_IPFSTAT); 8251 if (error != 0) 8252 break; 8253 ipf_getstat(softc, &fio, obj.ipfo_rev); 8254 error = ipf_outobj(softc, (void *)data, &fio, IPFOBJ_IPFSTAT); 8255 break; 8256 8257 case SIOCFRZST : 8258 if (!(mode & FWRITE)) { 8259 IPFERROR(104); 8260 error = EPERM; 8261 } else 8262 error = ipf_zerostats(softc, (caddr_t)data); 8263 break; 8264 8265 case SIOCIPFFL : 8266 if (!(mode & FWRITE)) { 8267 IPFERROR(105); 8268 error = EPERM; 8269 } else { 8270 error = BCOPYIN(data, &tmp, sizeof(tmp)); 8271 if (!error) { 8272 tmp = ipf_flush(softc, IPL_LOGIPF, tmp); 8273 error = BCOPYOUT(&tmp, data, sizeof(tmp)); 8274 if (error != 0) { 8275 IPFERROR(106); 8276 error = EFAULT; 8277 } 8278 } else { 8279 IPFERROR(107); 8280 error = EFAULT; 8281 } 8282 } 8283 break; 8284 8285#ifdef USE_INET6 8286 case SIOCIPFL6 : 8287 if (!(mode & FWRITE)) { 8288 IPFERROR(108); 8289 error = EPERM; 8290 } else { 8291 error = BCOPYIN(data, &tmp, sizeof(tmp)); 8292 if (!error) { 8293 tmp = ipf_flush(softc, IPL_LOGIPF, tmp); 8294 error = BCOPYOUT(&tmp, data, sizeof(tmp)); 8295 if (error != 0) { 8296 IPFERROR(109); 8297 error = EFAULT; 8298 } 8299 } else { 8300 IPFERROR(110); 8301 error = EFAULT; 8302 } 8303 } 8304 break; 8305#endif 8306 8307 case SIOCSTLCK : 8308 if (!(mode & FWRITE)) { 8309 IPFERROR(122); 8310 error = EPERM; 8311 } else { 8312 error = BCOPYIN(data, &tmp, sizeof(tmp)); 8313 if (error == 0) { 8314 ipf_state_setlock(softc->ipf_state_soft, tmp); 8315 ipf_nat_setlock(softc->ipf_nat_soft, tmp); 8316 ipf_frag_setlock(softc->ipf_frag_soft, tmp); 8317 ipf_auth_setlock(softc->ipf_auth_soft, tmp); 8318 } else { 8319 IPFERROR(111); 8320 error = EFAULT; 8321 } 8322 } 8323 break; 8324 8325#ifdef IPFILTER_LOG 8326 case SIOCIPFFB : 8327 if (!(mode & FWRITE)) { 8328 IPFERROR(112); 8329 error = EPERM; 8330 } else { 8331 tmp = ipf_log_clear(softc, IPL_LOGIPF); 8332 error = BCOPYOUT(&tmp, data, sizeof(tmp)); 8333 if (error) { 8334 IPFERROR(113); 8335 error = EFAULT; 8336 } 8337 } 8338 break; 8339#endif /* IPFILTER_LOG */ 8340 8341 case SIOCFRSYN : 8342 if (!(mode & FWRITE)) { 8343 IPFERROR(114); 8344 error = EPERM; 8345 } else { 8346 WRITE_ENTER(&softc->ipf_global); 8347#if (defined(MENTAT) && defined(_KERNEL)) && !defined(INSTANCES) 8348 error = ipfsync(); 8349#else 8350 ipf_sync(softc, NULL); 8351 error = 0; 8352#endif 8353 RWLOCK_EXIT(&softc->ipf_global); 8354 8355 } 8356 break; 8357 8358 case SIOCGFRST : 8359 error = ipf_outobj(softc, (void *)data, 8360 ipf_frag_stats(softc->ipf_frag_soft), 8361 IPFOBJ_FRAGSTAT); 8362 break; 8363 8364#ifdef IPFILTER_LOG 8365 case FIONREAD : 8366 tmp = ipf_log_bytesused(softc, IPL_LOGIPF); 8367 error = BCOPYOUT(&tmp, data, sizeof(tmp)); 8368 break; 8369#endif 8370 8371 case SIOCIPFITER : 8372 SPL_SCHED(s); 8373 error = ipf_frruleiter(softc, data, uid, ctx); 8374 SPL_X(s); 8375 break; 8376 8377 case SIOCGENITER : 8378 SPL_SCHED(s); 8379 error = ipf_genericiter(softc, data, uid, ctx); 8380 SPL_X(s); 8381 break; 8382 8383 case SIOCIPFDELTOK : 8384 error = BCOPYIN(data, &tmp, sizeof(tmp)); 8385 if (error == 0) { 8386 SPL_SCHED(s); 8387 error = ipf_token_del(softc, tmp, uid, ctx); 8388 SPL_X(s); 8389 } 8390 break; 8391 8392 default : 8393 IPFERROR(115); 8394 error = EINVAL; 8395 break; 8396 } 8397 8398 return error; 8399} 8400 8401 8402/* ------------------------------------------------------------------------ */ 8403/* Function: ipf_decaps */ 8404/* Returns: int - -1 == decapsulation failed, else bit mask of */ 8405/* flags indicating packet filtering decision. */ 8406/* Parameters: fin(I) - pointer to packet information */ 8407/* pass(I) - IP protocol version to match */ 8408/* l5proto(I) - layer 5 protocol to decode UDP data as. */ 8409/* */ 8410/* This function is called for packets that are wrapt up in other packets, */ 8411/* for example, an IP packet that is the entire data segment for another IP */ 8412/* packet. If the basic constraints for this are satisfied, change the */ 8413/* buffer to point to the start of the inner packet and start processing */ 8414/* rules belonging to the head group this rule specifies. */ 8415/* ------------------------------------------------------------------------ */ 8416u_32_t 8417ipf_decaps(fin, pass, l5proto) 8418 fr_info_t *fin; 8419 u_32_t pass; 8420 int l5proto; 8421{ 8422 fr_info_t fin2, *fino = NULL; 8423 int elen, hlen, nh; 8424 grehdr_t gre; 8425 ip_t *ip; 8426 mb_t *m; 8427 8428 if ((fin->fin_flx & FI_COALESCE) == 0) 8429 if (ipf_coalesce(fin) == -1) 8430 goto cantdecaps; 8431 8432 m = fin->fin_m; 8433 hlen = fin->fin_hlen; 8434 8435 switch (fin->fin_p) 8436 { 8437 case IPPROTO_UDP : 8438 /* 8439 * In this case, the specific protocol being decapsulated 8440 * inside UDP frames comes from the rule. 8441 */ 8442 nh = fin->fin_fr->fr_icode; 8443 break; 8444 8445 case IPPROTO_GRE : /* 47 */ 8446 bcopy(fin->fin_dp, (char *)&gre, sizeof(gre)); 8447 hlen += sizeof(grehdr_t); 8448 if (gre.gr_R|gre.gr_s) 8449 goto cantdecaps; 8450 if (gre.gr_C) 8451 hlen += 4; 8452 if (gre.gr_K) 8453 hlen += 4; 8454 if (gre.gr_S) 8455 hlen += 4; 8456 8457 nh = IPPROTO_IP; 8458 8459 /* 8460 * If the routing options flag is set, validate that it is 8461 * there and bounce over it. 8462 */ 8463#if 0 8464 /* This is really heavy weight and lots of room for error, */ 8465 /* so for now, put it off and get the simple stuff right. */ 8466 if (gre.gr_R) { 8467 u_char off, len, *s; 8468 u_short af; 8469 int end; 8470 8471 end = 0; 8472 s = fin->fin_dp; 8473 s += hlen; 8474 aplen = fin->fin_plen - hlen; 8475 while (aplen > 3) { 8476 af = (s[0] << 8) | s[1]; 8477 off = s[2]; 8478 len = s[3]; 8479 aplen -= 4; 8480 s += 4; 8481 if (af == 0 && len == 0) { 8482 end = 1; 8483 break; 8484 } 8485 if (aplen < len) 8486 break; 8487 s += len; 8488 aplen -= len; 8489 } 8490 if (end != 1) 8491 goto cantdecaps; 8492 hlen = s - (u_char *)fin->fin_dp; 8493 } 8494#endif 8495 break; 8496 8497#ifdef IPPROTO_IPIP 8498 case IPPROTO_IPIP : /* 4 */ 8499#endif 8500 nh = IPPROTO_IP; 8501 break; 8502 8503 default : /* Includes ESP, AH is special for IPv4 */ 8504 goto cantdecaps; 8505 } 8506 8507 switch (nh) 8508 { 8509 case IPPROTO_IP : 8510 case IPPROTO_IPV6 : 8511 break; 8512 default : 8513 goto cantdecaps; 8514 } 8515 8516 bcopy((char *)fin, (char *)&fin2, sizeof(fin2)); 8517 fino = fin; 8518 fin = &fin2; 8519 elen = hlen; 8520#if defined(MENTAT) && defined(_KERNEL) 8521 m->b_rptr += elen; 8522#else 8523 m->m_data += elen; 8524 m->m_len -= elen; 8525#endif 8526 fin->fin_plen -= elen; 8527 8528 ip = (ip_t *)((char *)fin->fin_ip + elen); 8529 8530 /* 8531 * Make sure we have at least enough data for the network layer 8532 * header. 8533 */ 8534 if (IP_V(ip) == 4) 8535 hlen = IP_HL(ip) << 2; 8536#ifdef USE_INET6 8537 else if (IP_V(ip) == 6) 8538 hlen = sizeof(ip6_t); 8539#endif 8540 else 8541 goto cantdecaps2; 8542 8543 if (fin->fin_plen < hlen) 8544 goto cantdecaps2; 8545 8546 fin->fin_dp = (char *)ip + hlen; 8547 8548 if (IP_V(ip) == 4) { 8549 /* 8550 * Perform IPv4 header checksum validation. 8551 */ 8552 if (ipf_cksum((u_short *)ip, hlen)) 8553 goto cantdecaps2; 8554 } 8555 8556 if (ipf_makefrip(hlen, ip, fin) == -1) { 8557cantdecaps2: 8558 if (m != NULL) { 8559#if defined(MENTAT) && defined(_KERNEL) 8560 m->b_rptr -= elen; 8561#else 8562 m->m_data -= elen; 8563 m->m_len += elen; 8564#endif 8565 } 8566cantdecaps: 8567 DT1(frb_decapfrip, fr_info_t *, fin); 8568 pass &= ~FR_CMDMASK; 8569 pass |= FR_BLOCK|FR_QUICK; 8570 fin->fin_reason = FRB_DECAPFRIP; 8571 return -1; 8572 } 8573 8574 pass = ipf_scanlist(fin, pass); 8575 8576 /* 8577 * Copy the packet filter "result" fields out of the fr_info_t struct 8578 * that is local to the decapsulation processing and back into the 8579 * one we were called with. 8580 */ 8581 fino->fin_flx = fin->fin_flx; 8582 fino->fin_rev = fin->fin_rev; 8583 fino->fin_icode = fin->fin_icode; 8584 fino->fin_rule = fin->fin_rule; 8585 (void) strncpy(fino->fin_group, fin->fin_group, FR_GROUPLEN); 8586 fino->fin_fr = fin->fin_fr; 8587 fino->fin_error = fin->fin_error; 8588 fino->fin_mp = fin->fin_mp; 8589 fino->fin_m = fin->fin_m; 8590 m = fin->fin_m; 8591 if (m != NULL) { 8592#if defined(MENTAT) && defined(_KERNEL) 8593 m->b_rptr -= elen; 8594#else 8595 m->m_data -= elen; 8596 m->m_len += elen; 8597#endif 8598 } 8599 return pass; 8600} 8601 8602 8603/* ------------------------------------------------------------------------ */ 8604/* Function: ipf_matcharray_load */ 8605/* Returns: int - 0 = success, else error */ 8606/* Parameters: softc(I) - pointer to soft context main structure */ 8607/* data(I) - pointer to ioctl data */ 8608/* objp(I) - ipfobj_t structure to load data into */ 8609/* arrayptr(I) - pointer to location to store array pointer */ 8610/* */ 8611/* This function loads in a mathing array through the ipfobj_t struct that */ 8612/* describes it. Sanity checking and array size limitations are enforced */ 8613/* in this function to prevent userspace from trying to load in something */ 8614/* that is insanely big. Once the size of the array is known, the memory */ 8615/* required is malloc'd and returned through changing *arrayptr. The */ 8616/* contents of the array are verified before returning. Only in the event */ 8617/* of a successful call is the caller required to free up the malloc area. */ 8618/* ------------------------------------------------------------------------ */ 8619int 8620ipf_matcharray_load(softc, data, objp, arrayptr) 8621 ipf_main_softc_t *softc; 8622 caddr_t data; 8623 ipfobj_t *objp; 8624 int **arrayptr; 8625{ 8626 int arraysize, *array, error; 8627 8628 *arrayptr = NULL; 8629 8630 error = BCOPYIN(data, objp, sizeof(*objp)); 8631 if (error != 0) { 8632 IPFERROR(116); 8633 return EFAULT; 8634 } 8635 8636 if (objp->ipfo_type != IPFOBJ_IPFEXPR) { 8637 IPFERROR(117); 8638 return EINVAL; 8639 } 8640 8641 if (((objp->ipfo_size & 3) != 0) || (objp->ipfo_size == 0) || 8642 (objp->ipfo_size > 1024)) { 8643 IPFERROR(118); 8644 return EINVAL; 8645 } 8646 8647 arraysize = objp->ipfo_size * sizeof(*array); 8648 KMALLOCS(array, int *, arraysize); 8649 if (array == NULL) { 8650 IPFERROR(119); 8651 return ENOMEM; 8652 } 8653 8654 error = COPYIN(objp->ipfo_ptr, array, arraysize); 8655 if (error != 0) { 8656 KFREES(array, arraysize); 8657 IPFERROR(120); 8658 return EFAULT; 8659 } 8660 8661 if (ipf_matcharray_verify(array, arraysize) != 0) { 8662 KFREES(array, arraysize); 8663 IPFERROR(121); 8664 return EINVAL; 8665 } 8666 8667 *arrayptr = array; 8668 return 0; 8669} 8670 8671 8672/* ------------------------------------------------------------------------ */ 8673/* Function: ipf_matcharray_verify */ 8674/* Returns: Nil */ 8675/* Parameters: array(I) - pointer to matching array */ 8676/* arraysize(I) - number of elements in the array */ 8677/* */ 8678/* Verify the contents of a matching array by stepping through each element */ 8679/* in it. The actual commands in the array are not verified for */ 8680/* correctness, only that all of the sizes are correctly within limits. */ 8681/* ------------------------------------------------------------------------ */ 8682int 8683ipf_matcharray_verify(array, arraysize) 8684 int *array, arraysize; 8685{ 8686 int i, nelem, maxidx; 8687 ipfexp_t *e; 8688 8689 nelem = arraysize / sizeof(*array); 8690 8691 /* 8692 * Currently, it makes no sense to have an array less than 6 8693 * elements long - the initial size at the from, a single operation 8694 * (minimum 4 in length) and a trailer, for a total of 6. 8695 */ 8696 if ((array[0] < 6) || (arraysize < 24) || (arraysize > 4096)) { 8697 return -1; 8698 } 8699 8700 /* 8701 * Verify the size of data pointed to by array with how long 8702 * the array claims to be itself. 8703 */ 8704 if (array[0] * sizeof(*array) != arraysize) { 8705 return -1; 8706 } 8707 8708 maxidx = nelem - 1; 8709 /* 8710 * The last opcode in this array should be an IPF_EXP_END. 8711 */ 8712 if (array[maxidx] != IPF_EXP_END) { 8713 return -1; 8714 } 8715 8716 for (i = 1; i < maxidx; ) { 8717 e = (ipfexp_t *)(array + i); 8718 8719 /* 8720 * The length of the bits to check must be at least 1 8721 * (or else there is nothing to comapre with!) and it 8722 * cannot exceed the length of the data present. 8723 */ 8724 if ((e->ipfe_size < 1 ) || 8725 (e->ipfe_size + i > maxidx)) { 8726 return -1; 8727 } 8728 i += e->ipfe_size; 8729 } 8730 return 0; 8731} 8732 8733 8734/* ------------------------------------------------------------------------ */ 8735/* Function: ipf_fr_matcharray */ 8736/* Returns: int - 0 = match failed, else positive match */ 8737/* Parameters: fin(I) - pointer to packet information */ 8738/* array(I) - pointer to matching array */ 8739/* */ 8740/* This function is used to apply a matching array against a packet and */ 8741/* return an indication of whether or not the packet successfully matches */ 8742/* all of the commands in it. */ 8743/* ------------------------------------------------------------------------ */ 8744static int 8745ipf_fr_matcharray(fin, array) 8746 fr_info_t *fin; 8747 int *array; 8748{ 8749 int i, n, *x, rv, p; 8750 ipfexp_t *e; 8751 8752 rv = 0; 8753 n = array[0]; 8754 x = array + 1; 8755 8756 for (; n > 0; x += 3 + x[3], rv = 0) { 8757 e = (ipfexp_t *)x; 8758 if (e->ipfe_cmd == IPF_EXP_END) 8759 break; 8760 n -= e->ipfe_size; 8761 8762 /* 8763 * The upper 16 bits currently store the protocol value. 8764 * This is currently used with TCP and UDP port compares and 8765 * allows "tcp.port = 80" without requiring an explicit 8766 " "ip.pr = tcp" first. 8767 */ 8768 p = e->ipfe_cmd >> 16; 8769 if ((p != 0) && (p != fin->fin_p)) 8770 break; 8771 8772 switch (e->ipfe_cmd) 8773 { 8774 case IPF_EXP_IP_PR : 8775 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8776 rv |= (fin->fin_p == e->ipfe_arg0[i]); 8777 } 8778 break; 8779 8780 case IPF_EXP_IP_SRCADDR : 8781 if (fin->fin_v != 4) 8782 break; 8783 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8784 rv |= ((fin->fin_saddr & 8785 e->ipfe_arg0[i * 2 + 1]) == 8786 e->ipfe_arg0[i * 2]); 8787 } 8788 break; 8789 8790 case IPF_EXP_IP_DSTADDR : 8791 if (fin->fin_v != 4) 8792 break; 8793 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8794 rv |= ((fin->fin_daddr & 8795 e->ipfe_arg0[i * 2 + 1]) == 8796 e->ipfe_arg0[i * 2]); 8797 } 8798 break; 8799 8800 case IPF_EXP_IP_ADDR : 8801 if (fin->fin_v != 4) 8802 break; 8803 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8804 rv |= ((fin->fin_saddr & 8805 e->ipfe_arg0[i * 2 + 1]) == 8806 e->ipfe_arg0[i * 2]) || 8807 ((fin->fin_daddr & 8808 e->ipfe_arg0[i * 2 + 1]) == 8809 e->ipfe_arg0[i * 2]); 8810 } 8811 break; 8812 8813#ifdef USE_INET6 8814 case IPF_EXP_IP6_SRCADDR : 8815 if (fin->fin_v != 6) 8816 break; 8817 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8818 rv |= IP6_MASKEQ(&fin->fin_src6, 8819 &e->ipfe_arg0[i * 8 + 4], 8820 &e->ipfe_arg0[i * 8]); 8821 } 8822 break; 8823 8824 case IPF_EXP_IP6_DSTADDR : 8825 if (fin->fin_v != 6) 8826 break; 8827 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8828 rv |= IP6_MASKEQ(&fin->fin_dst6, 8829 &e->ipfe_arg0[i * 8 + 4], 8830 &e->ipfe_arg0[i * 8]); 8831 } 8832 break; 8833 8834 case IPF_EXP_IP6_ADDR : 8835 if (fin->fin_v != 6) 8836 break; 8837 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8838 rv |= IP6_MASKEQ(&fin->fin_src6, 8839 &e->ipfe_arg0[i * 8 + 4], 8840 &e->ipfe_arg0[i * 8]) || 8841 IP6_MASKEQ(&fin->fin_dst6, 8842 &e->ipfe_arg0[i * 8 + 4], 8843 &e->ipfe_arg0[i * 8]); 8844 } 8845 break; 8846#endif 8847 8848 case IPF_EXP_UDP_PORT : 8849 case IPF_EXP_TCP_PORT : 8850 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8851 rv |= (fin->fin_sport == e->ipfe_arg0[i]) || 8852 (fin->fin_dport == e->ipfe_arg0[i]); 8853 } 8854 break; 8855 8856 case IPF_EXP_UDP_SPORT : 8857 case IPF_EXP_TCP_SPORT : 8858 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8859 rv |= (fin->fin_sport == e->ipfe_arg0[i]); 8860 } 8861 break; 8862 8863 case IPF_EXP_UDP_DPORT : 8864 case IPF_EXP_TCP_DPORT : 8865 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8866 rv |= (fin->fin_dport == e->ipfe_arg0[i]); 8867 } 8868 break; 8869 8870 case IPF_EXP_TCP_FLAGS : 8871 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8872 rv |= ((fin->fin_tcpf & 8873 e->ipfe_arg0[i * 2 + 1]) == 8874 e->ipfe_arg0[i * 2]); 8875 } 8876 break; 8877 } 8878 rv ^= e->ipfe_not; 8879 8880 if (rv == 0) 8881 break; 8882 } 8883 8884 return rv; 8885} 8886 8887 8888/* ------------------------------------------------------------------------ */ 8889/* Function: ipf_queueflush */ 8890/* Returns: int - number of entries flushed (0 = none) */ 8891/* Parameters: softc(I) - pointer to soft context main structure */ 8892/* deletefn(I) - function to call to delete entry */ 8893/* ipfqs(I) - top of the list of ipf internal queues */ 8894/* userqs(I) - top of the list of user defined timeouts */ 8895/* */ 8896/* This fucntion gets called when the state/NAT hash tables fill up and we */ 8897/* need to try a bit harder to free up some space. The algorithm used here */ 8898/* split into two parts but both halves have the same goal: to reduce the */ 8899/* number of connections considered to be "active" to the low watermark. */ 8900/* There are two steps in doing this: */ 8901/* 1) Remove any TCP connections that are already considered to be "closed" */ 8902/* but have not yet been removed from the state table. The two states */ 8903/* TCPS_TIME_WAIT and TCPS_CLOSED are considered to be the perfect */ 8904/* candidates for this style of removal. If freeing up entries in */ 8905/* CLOSED or both CLOSED and TIME_WAIT brings us to the low watermark, */ 8906/* we do not go on to step 2. */ 8907/* */ 8908/* 2) Look for the oldest entries on each timeout queue and free them if */ 8909/* they are within the given window we are considering. Where the */ 8910/* window starts and the steps taken to increase its size depend upon */ 8911/* how long ipf has been running (ipf_ticks.) Anything modified in the */ 8912/* last 30 seconds is not touched. */ 8913/* touched */ 8914/* die ipf_ticks 30*1.5 1800*1.5 | 43200*1.5 */ 8915/* | | | | | | */ 8916/* future <--+----------+--------+-----------+-----+-----+-----------> past */ 8917/* now \_int=30s_/ \_int=1hr_/ \_int=12hr */ 8918/* */ 8919/* Points to note: */ 8920/* - tqe_die is the time, in the future, when entries die. */ 8921/* - tqe_die - ipf_ticks is how long left the connection has to live in ipf */ 8922/* ticks. */ 8923/* - tqe_touched is when the entry was last used by NAT/state */ 8924/* - the closer tqe_touched is to ipf_ticks, the further tqe_die will be */ 8925/* ipf_ticks any given timeout queue and vice versa. */ 8926/* - both tqe_die and tqe_touched increase over time */ 8927/* - timeout queues are sorted with the highest value of tqe_die at the */ 8928/* bottom and therefore the smallest values of each are at the top */ 8929/* - the pointer passed in as ipfqs should point to an array of timeout */ 8930/* queues representing each of the TCP states */ 8931/* */ 8932/* We start by setting up a maximum range to scan for things to move of */ 8933/* iend (newest) to istart (oldest) in chunks of "interval". If nothing is */ 8934/* found in that range, "interval" is adjusted (so long as it isn't 30) and */ 8935/* we start again with a new value for "iend" and "istart". This is */ 8936/* continued until we either finish the scan of 30 second intervals or the */ 8937/* low water mark is reached. */ 8938/* ------------------------------------------------------------------------ */ 8939int 8940ipf_queueflush(softc, deletefn, ipfqs, userqs, activep, size, low) 8941 ipf_main_softc_t *softc; 8942 ipftq_delete_fn_t deletefn; 8943 ipftq_t *ipfqs, *userqs; 8944 u_int *activep; 8945 int size, low; 8946{ 8947 u_long interval, istart, iend; 8948 ipftq_t *ifq, *ifqnext; 8949 ipftqent_t *tqe, *tqn; 8950 int removed = 0; 8951 8952 for (tqn = ipfqs[IPF_TCPS_CLOSED].ifq_head; ((tqe = tqn) != NULL); ) { 8953 tqn = tqe->tqe_next; 8954 if ((*deletefn)(softc, tqe->tqe_parent) == 0) 8955 removed++; 8956 } 8957 if ((*activep * 100 / size) > low) { 8958 for (tqn = ipfqs[IPF_TCPS_TIME_WAIT].ifq_head; 8959 ((tqe = tqn) != NULL); ) { 8960 tqn = tqe->tqe_next; 8961 if ((*deletefn)(softc, tqe->tqe_parent) == 0) 8962 removed++; 8963 } 8964 } 8965 8966 if ((*activep * 100 / size) <= low) { 8967 return removed; 8968 } 8969 8970 /* 8971 * NOTE: Use of "* 15 / 10" is required here because if "* 1.5" is 8972 * used then the operations are upgraded to floating point 8973 * and kernels don't like floating point... 8974 */ 8975 if (softc->ipf_ticks > IPF_TTLVAL(43200 * 15 / 10)) { 8976 istart = IPF_TTLVAL(86400 * 4); 8977 interval = IPF_TTLVAL(43200); 8978 } else if (softc->ipf_ticks > IPF_TTLVAL(1800 * 15 / 10)) { 8979 istart = IPF_TTLVAL(43200); 8980 interval = IPF_TTLVAL(1800); 8981 } else if (softc->ipf_ticks > IPF_TTLVAL(30 * 15 / 10)) { 8982 istart = IPF_TTLVAL(1800); 8983 interval = IPF_TTLVAL(30); 8984 } else { 8985 return 0; 8986 } 8987 if (istart > softc->ipf_ticks) { 8988 if (softc->ipf_ticks - interval < interval) 8989 istart = interval; 8990 else 8991 istart = (softc->ipf_ticks / interval) * interval; 8992 } 8993 8994 iend = softc->ipf_ticks - interval; 8995 8996 while ((*activep * 100 / size) > low) { 8997 u_long try; 8998 8999 try = softc->ipf_ticks - istart; 9000 9001 for (ifq = ipfqs; ifq != NULL; ifq = ifq->ifq_next) { 9002 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) { 9003 if (try < tqe->tqe_touched) 9004 break; 9005 tqn = tqe->tqe_next; 9006 if ((*deletefn)(softc, tqe->tqe_parent) == 0) 9007 removed++; 9008 } 9009 } 9010 9011 for (ifq = userqs; ifq != NULL; ifq = ifqnext) { 9012 ifqnext = ifq->ifq_next; 9013 9014 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) { 9015 if (try < tqe->tqe_touched) 9016 break; 9017 tqn = tqe->tqe_next; 9018 if ((*deletefn)(softc, tqe->tqe_parent) == 0) 9019 removed++; 9020 } 9021 } 9022 9023 if (try >= iend) { 9024 if (interval == IPF_TTLVAL(43200)) { 9025 interval = IPF_TTLVAL(1800); 9026 } else if (interval == IPF_TTLVAL(1800)) { 9027 interval = IPF_TTLVAL(30); 9028 } else { 9029 break; 9030 } 9031 if (interval >= softc->ipf_ticks) 9032 break; 9033 9034 iend = softc->ipf_ticks - interval; 9035 } 9036 istart -= interval; 9037 } 9038 9039 return removed; 9040} 9041 9042 9043/* ------------------------------------------------------------------------ */ 9044/* Function: ipf_deliverlocal */ 9045/* Returns: int - 1 = local address, 0 = non-local address */ 9046/* Parameters: softc(I) - pointer to soft context main structure */ 9047/* ipversion(I) - IP protocol version (4 or 6) */ 9048/* ifp(I) - network interface pointer */ 9049/* ipaddr(I) - IPv4/6 destination address */ 9050/* */ 9051/* This fucntion is used to determine in the address "ipaddr" belongs to */ 9052/* the network interface represented by ifp. */ 9053/* ------------------------------------------------------------------------ */ 9054int 9055ipf_deliverlocal(softc, ipversion, ifp, ipaddr) 9056 ipf_main_softc_t *softc; 9057 int ipversion; 9058 void *ifp; 9059 i6addr_t *ipaddr; 9060{ 9061 i6addr_t addr; 9062 int islocal = 0; 9063 9064 if (ipversion == 4) { 9065 if (ipf_ifpaddr(softc, 4, FRI_NORMAL, ifp, &addr, NULL) == 0) { 9066 if (addr.in4.s_addr == ipaddr->in4.s_addr) 9067 islocal = 1; 9068 } 9069 9070#ifdef USE_INET6 9071 } else if (ipversion == 6) { 9072 if (ipf_ifpaddr(softc, 6, FRI_NORMAL, ifp, &addr, NULL) == 0) { 9073 if (IP6_EQ(&addr, ipaddr)) 9074 islocal = 1; 9075 } 9076#endif 9077 } 9078 9079 return islocal; 9080} 9081 9082 9083/* ------------------------------------------------------------------------ */ 9084/* Function: ipf_settimeout */ 9085/* Returns: int - 0 = success, -1 = failure */ 9086/* Parameters: softc(I) - pointer to soft context main structure */ 9087/* t(I) - pointer to tuneable array entry */ 9088/* p(I) - pointer to values passed in to apply */ 9089/* */ 9090/* This function is called to set the timeout values for each distinct */ 9091/* queue timeout that is available. When called, it calls into both the */ 9092/* state and NAT code, telling them to update their timeout queues. */ 9093/* ------------------------------------------------------------------------ */ 9094static int 9095ipf_settimeout(softc, t, p) 9096 struct ipf_main_softc_s *softc; 9097 ipftuneable_t *t; 9098 ipftuneval_t *p; 9099{ 9100 9101 /* 9102 * ipf_interror should be set by the functions called here, not 9103 * by this function - it's just a middle man. 9104 */ 9105 if (ipf_state_settimeout(softc, t, p) == -1) 9106 return -1; 9107 if (ipf_nat_settimeout(softc, t, p) == -1) 9108 return -1; 9109 return 0; 9110} 9111 9112 9113/* ------------------------------------------------------------------------ */ 9114/* Function: ipf_apply_timeout */ 9115/* Returns: int - 0 = success, -1 = failure */ 9116/* Parameters: head(I) - pointer to tuneable array entry */ 9117/* seconds(I) - pointer to values passed in to apply */ 9118/* */ 9119/* This function applies a timeout of "seconds" to the timeout queue that */ 9120/* is pointed to by "head". All entries on this list have an expiration */ 9121/* set to be the current tick value of ipf plus the ttl. Given that this */ 9122/* function should only be called when the delta is non-zero, the task is */ 9123/* to walk the entire list and apply the change. The sort order will not */ 9124/* change. The only catch is that this is O(n) across the list, so if the */ 9125/* queue has lots of entries (10s of thousands or 100s of thousands), it */ 9126/* could take a relatively long time to work through them all. */ 9127/* ------------------------------------------------------------------------ */ 9128void 9129ipf_apply_timeout(head, seconds) 9130 ipftq_t *head; 9131 u_int seconds; 9132{ 9133 u_int oldtimeout, newtimeout; 9134 ipftqent_t *tqe; 9135 int delta; 9136 9137 MUTEX_ENTER(&head->ifq_lock); 9138 oldtimeout = head->ifq_ttl; 9139 newtimeout = IPF_TTLVAL(seconds); 9140 delta = oldtimeout - newtimeout; 9141 9142 head->ifq_ttl = newtimeout; 9143 9144 for (tqe = head->ifq_head; tqe != NULL; tqe = tqe->tqe_next) { 9145 tqe->tqe_die += delta; 9146 } 9147 MUTEX_EXIT(&head->ifq_lock); 9148} 9149 9150 9151/* ------------------------------------------------------------------------ */ 9152/* Function: ipf_settimeout_tcp */ 9153/* Returns: int - 0 = successfully applied, -1 = failed */ 9154/* Parameters: t(I) - pointer to tuneable to change */ 9155/* p(I) - pointer to new timeout information */ 9156/* tab(I) - pointer to table of TCP queues */ 9157/* */ 9158/* This function applies the new timeout (p) to the TCP tunable (t) and */ 9159/* updates all of the entries on the relevant timeout queue by calling */ 9160/* ipf_apply_timeout(). */ 9161/* ------------------------------------------------------------------------ */ 9162int 9163ipf_settimeout_tcp(t, p, tab) 9164 ipftuneable_t *t; 9165 ipftuneval_t *p; 9166 ipftq_t *tab; 9167{ 9168 if (!strcmp(t->ipft_name, "tcp_idle_timeout") || 9169 !strcmp(t->ipft_name, "tcp_established")) { 9170 ipf_apply_timeout(&tab[IPF_TCPS_ESTABLISHED], p->ipftu_int); 9171 } else if (!strcmp(t->ipft_name, "tcp_close_wait")) { 9172 ipf_apply_timeout(&tab[IPF_TCPS_CLOSE_WAIT], p->ipftu_int); 9173 } else if (!strcmp(t->ipft_name, "tcp_last_ack")) { 9174 ipf_apply_timeout(&tab[IPF_TCPS_LAST_ACK], p->ipftu_int); 9175 } else if (!strcmp(t->ipft_name, "tcp_timeout")) { 9176 ipf_apply_timeout(&tab[IPF_TCPS_LISTEN], p->ipftu_int); 9177 ipf_apply_timeout(&tab[IPF_TCPS_HALF_ESTAB], p->ipftu_int); 9178 ipf_apply_timeout(&tab[IPF_TCPS_CLOSING], p->ipftu_int); 9179 } else if (!strcmp(t->ipft_name, "tcp_listen")) { 9180 ipf_apply_timeout(&tab[IPF_TCPS_LISTEN], p->ipftu_int); 9181 } else if (!strcmp(t->ipft_name, "tcp_half_established")) { 9182 ipf_apply_timeout(&tab[IPF_TCPS_HALF_ESTAB], p->ipftu_int); 9183 } else if (!strcmp(t->ipft_name, "tcp_closing")) { 9184 ipf_apply_timeout(&tab[IPF_TCPS_CLOSING], p->ipftu_int); 9185 } else if (!strcmp(t->ipft_name, "tcp_syn_received")) { 9186 ipf_apply_timeout(&tab[IPF_TCPS_SYN_RECEIVED], p->ipftu_int); 9187 } else if (!strcmp(t->ipft_name, "tcp_syn_sent")) { 9188 ipf_apply_timeout(&tab[IPF_TCPS_SYN_SENT], p->ipftu_int); 9189 } else if (!strcmp(t->ipft_name, "tcp_closed")) { 9190 ipf_apply_timeout(&tab[IPF_TCPS_CLOSED], p->ipftu_int); 9191 } else if (!strcmp(t->ipft_name, "tcp_half_closed")) { 9192 ipf_apply_timeout(&tab[IPF_TCPS_CLOSED], p->ipftu_int); 9193 } else if (!strcmp(t->ipft_name, "tcp_time_wait")) { 9194 ipf_apply_timeout(&tab[IPF_TCPS_TIME_WAIT], p->ipftu_int); 9195 } else { 9196 /* 9197 * ipf_interror isn't set here because it should be set 9198 * by whatever called this function. 9199 */ 9200 return -1; 9201 } 9202 return 0; 9203} 9204 9205 9206/* ------------------------------------------------------------------------ */ 9207/* Function: ipf_main_soft_create */ 9208/* Returns: NULL = failure, else success */ 9209/* Parameters: arg(I) - pointer to soft context structure if already allocd */ 9210/* */ 9211/* Create the foundation soft context structure. In circumstances where it */ 9212/* is not required to dynamically allocate the context, a pointer can be */ 9213/* passed in (rather than NULL) to a structure to be initialised. */ 9214/* The main thing of interest is that a number of locks are initialised */ 9215/* here instead of in the where might be expected - in the relevant create */ 9216/* function elsewhere. This is done because the current locking design has */ 9217/* some areas where these locks are used outside of their module. */ 9218/* Possibly the most important exercise that is done here is setting of all */ 9219/* the timeout values, allowing them to be changed before init(). */ 9220/* ------------------------------------------------------------------------ */ 9221void * 9222ipf_main_soft_create(arg) 9223 void *arg; 9224{ 9225 ipf_main_softc_t *softc; 9226 9227 if (arg == NULL) { 9228 KMALLOC(softc, ipf_main_softc_t *); 9229 if (softc == NULL) 9230 return NULL; 9231 } else { 9232 softc = arg; 9233 } 9234 9235 bzero((char *)softc, sizeof(*softc)); 9236 9237 /* 9238 * This serves as a flag as to whether or not the softc should be 9239 * free'd when _destroy is called. 9240 */ 9241 softc->ipf_dynamic_softc = (arg == NULL) ? 1 : 0; 9242 9243 softc->ipf_tuners = ipf_tune_array_copy(softc, 9244 sizeof(ipf_main_tuneables), 9245 ipf_main_tuneables); 9246 if (softc->ipf_tuners == NULL) { 9247 ipf_main_soft_destroy(softc); 9248 return NULL; 9249 } 9250 9251 MUTEX_INIT(&softc->ipf_rw, "ipf rw mutex"); 9252 MUTEX_INIT(&softc->ipf_timeoutlock, "ipf timeout lock"); 9253 RWLOCK_INIT(&softc->ipf_global, "ipf filter load/unload mutex"); 9254 RWLOCK_INIT(&softc->ipf_mutex, "ipf filter rwlock"); 9255 RWLOCK_INIT(&softc->ipf_tokens, "ipf token rwlock"); 9256 RWLOCK_INIT(&softc->ipf_state, "ipf state rwlock"); 9257 RWLOCK_INIT(&softc->ipf_nat, "ipf IP NAT rwlock"); 9258 RWLOCK_INIT(&softc->ipf_poolrw, "ipf pool rwlock"); 9259 RWLOCK_INIT(&softc->ipf_frag, "ipf frag rwlock"); 9260 9261 softc->ipf_token_head = NULL; 9262 softc->ipf_token_tail = &softc->ipf_token_head; 9263 9264 softc->ipf_tcpidletimeout = FIVE_DAYS; 9265 softc->ipf_tcpclosewait = IPF_TTLVAL(2 * TCP_MSL); 9266 softc->ipf_tcplastack = IPF_TTLVAL(30); 9267 softc->ipf_tcptimewait = IPF_TTLVAL(2 * TCP_MSL); 9268 softc->ipf_tcptimeout = IPF_TTLVAL(2 * TCP_MSL); 9269 softc->ipf_tcpsynsent = IPF_TTLVAL(2 * TCP_MSL); 9270 softc->ipf_tcpsynrecv = IPF_TTLVAL(2 * TCP_MSL); 9271 softc->ipf_tcpclosed = IPF_TTLVAL(30); 9272 softc->ipf_tcphalfclosed = IPF_TTLVAL(2 * 3600); 9273 softc->ipf_udptimeout = IPF_TTLVAL(120); 9274 softc->ipf_udpacktimeout = IPF_TTLVAL(12); 9275 softc->ipf_icmptimeout = IPF_TTLVAL(60); 9276 softc->ipf_icmpacktimeout = IPF_TTLVAL(6); 9277 softc->ipf_iptimeout = IPF_TTLVAL(60); 9278 9279#if defined(IPFILTER_DEFAULT_BLOCK) 9280 softc->ipf_pass = FR_BLOCK|FR_NOMATCH; 9281#else 9282 softc->ipf_pass = (IPF_DEFAULT_PASS)|FR_NOMATCH; 9283#endif 9284 softc->ipf_minttl = 4; 9285 softc->ipf_icmpminfragmtu = 68; 9286 softc->ipf_flags = IPF_LOGGING; 9287 9288 return softc; 9289} 9290 9291/* ------------------------------------------------------------------------ */ 9292/* Function: ipf_main_soft_init */ 9293/* Returns: 0 = success, -1 = failure */ 9294/* Parameters: softc(I) - pointer to soft context main structure */ 9295/* */ 9296/* A null-op function that exists as a placeholder so that the flow in */ 9297/* other functions is obvious. */ 9298/* ------------------------------------------------------------------------ */ 9299/*ARGSUSED*/ 9300int 9301ipf_main_soft_init(softc) 9302 ipf_main_softc_t *softc; 9303{ 9304 return 0; 9305} 9306 9307 9308/* ------------------------------------------------------------------------ */ 9309/* Function: ipf_main_soft_destroy */ 9310/* Returns: void */ 9311/* Parameters: softc(I) - pointer to soft context main structure */ 9312/* */ 9313/* Undo everything that we did in ipf_main_soft_create. */ 9314/* */ 9315/* The most important check that needs to be made here is whether or not */ 9316/* the structure was allocated by ipf_main_soft_create() by checking what */ 9317/* value is stored in ipf_dynamic_main. */ 9318/* ------------------------------------------------------------------------ */ 9319/*ARGSUSED*/ 9320void 9321ipf_main_soft_destroy(softc) 9322 ipf_main_softc_t *softc; 9323{ 9324 9325 RW_DESTROY(&softc->ipf_frag); 9326 RW_DESTROY(&softc->ipf_poolrw); 9327 RW_DESTROY(&softc->ipf_nat); 9328 RW_DESTROY(&softc->ipf_state); 9329 RW_DESTROY(&softc->ipf_tokens); 9330 RW_DESTROY(&softc->ipf_mutex); 9331 RW_DESTROY(&softc->ipf_global); 9332 MUTEX_DESTROY(&softc->ipf_timeoutlock); 9333 MUTEX_DESTROY(&softc->ipf_rw); 9334 9335 if (softc->ipf_tuners != NULL) { 9336 KFREES(softc->ipf_tuners, sizeof(ipf_main_tuneables)); 9337 } 9338 if (softc->ipf_dynamic_softc == 1) { 9339 KFREE(softc); 9340 } 9341} 9342 9343 9344/* ------------------------------------------------------------------------ */ 9345/* Function: ipf_main_soft_fini */ 9346/* Returns: 0 = success, -1 = failure */ 9347/* Parameters: softc(I) - pointer to soft context main structure */ 9348/* */ 9349/* Clean out the rules which have been added since _init was last called, */ 9350/* the only dynamic part of the mainline. */ 9351/* ------------------------------------------------------------------------ */ 9352int 9353ipf_main_soft_fini(softc) 9354 ipf_main_softc_t *softc; 9355{ 9356 (void) ipf_flush(softc, IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE); 9357 (void) ipf_flush(softc, IPL_LOGIPF, FR_INQUE|FR_OUTQUE); 9358 (void) ipf_flush(softc, IPL_LOGCOUNT, FR_INQUE|FR_OUTQUE|FR_INACTIVE); 9359 (void) ipf_flush(softc, IPL_LOGCOUNT, FR_INQUE|FR_OUTQUE); 9360 9361 return 0; 9362} 9363 9364 9365/* ------------------------------------------------------------------------ */ 9366/* Function: ipf_main_load */ 9367/* Returns: 0 = success, -1 = failure */ 9368/* Parameters: none */ 9369/* */ 9370/* Handle global initialisation that needs to be done for the base part of */ 9371/* IPFilter. At present this just amounts to initialising some ICMP lookup */ 9372/* arrays that get used by the state/NAT code. */ 9373/* ------------------------------------------------------------------------ */ 9374int 9375ipf_main_load() 9376{ 9377 int i; 9378 9379 /* fill icmp reply type table */ 9380 for (i = 0; i <= ICMP_MAXTYPE; i++) 9381 icmpreplytype4[i] = -1; 9382 icmpreplytype4[ICMP_ECHO] = ICMP_ECHOREPLY; 9383 icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY; 9384 icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY; 9385 icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY; 9386 9387#ifdef USE_INET6 9388 /* fill icmp reply type table */ 9389 for (i = 0; i <= ICMP6_MAXTYPE; i++) 9390 icmpreplytype6[i] = -1; 9391 icmpreplytype6[ICMP6_ECHO_REQUEST] = ICMP6_ECHO_REPLY; 9392 icmpreplytype6[ICMP6_MEMBERSHIP_QUERY] = ICMP6_MEMBERSHIP_REPORT; 9393 icmpreplytype6[ICMP6_NI_QUERY] = ICMP6_NI_REPLY; 9394 icmpreplytype6[ND_ROUTER_SOLICIT] = ND_ROUTER_ADVERT; 9395 icmpreplytype6[ND_NEIGHBOR_SOLICIT] = ND_NEIGHBOR_ADVERT; 9396#endif 9397 9398 return 0; 9399} 9400 9401 9402/* ------------------------------------------------------------------------ */ 9403/* Function: ipf_main_unload */ 9404/* Returns: 0 = success, -1 = failure */ 9405/* Parameters: none */ 9406/* */ 9407/* A null-op function that exists as a placeholder so that the flow in */ 9408/* other functions is obvious. */ 9409/* ------------------------------------------------------------------------ */ 9410int 9411ipf_main_unload() 9412{ 9413 return 0; 9414} 9415 9416 9417/* ------------------------------------------------------------------------ */ 9418/* Function: ipf_load_all */ 9419/* Returns: 0 = success, -1 = failure */ 9420/* Parameters: none */ 9421/* */ 9422/* Work through all of the subsystems inside IPFilter and call the load */ 9423/* function for each in an order that won't lead to a crash :) */ 9424/* ------------------------------------------------------------------------ */ 9425int 9426ipf_load_all() 9427{ 9428 if (ipf_main_load() == -1) 9429 return -1; 9430 9431 if (ipf_state_main_load() == -1) 9432 return -1; 9433 9434 if (ipf_nat_main_load() == -1) 9435 return -1; 9436 9437 if (ipf_frag_main_load() == -1) 9438 return -1; 9439 9440 if (ipf_auth_main_load() == -1) 9441 return -1; 9442 9443 if (ipf_proxy_main_load() == -1) 9444 return -1; 9445 9446 return 0; 9447} 9448 9449 9450/* ------------------------------------------------------------------------ */ 9451/* Function: ipf_unload_all */ 9452/* Returns: 0 = success, -1 = failure */ 9453/* Parameters: none */ 9454/* */ 9455/* Work through all of the subsystems inside IPFilter and call the unload */ 9456/* function for each in an order that won't lead to a crash :) */ 9457/* ------------------------------------------------------------------------ */ 9458int 9459ipf_unload_all() 9460{ 9461 if (ipf_proxy_main_unload() == -1) 9462 return -1; 9463 9464 if (ipf_auth_main_unload() == -1) 9465 return -1; 9466 9467 if (ipf_frag_main_unload() == -1) 9468 return -1; 9469 9470 if (ipf_nat_main_unload() == -1) 9471 return -1; 9472 9473 if (ipf_state_main_unload() == -1) 9474 return -1; 9475 9476 if (ipf_main_unload() == -1) 9477 return -1; 9478 9479 return 0; 9480} 9481 9482 9483/* ------------------------------------------------------------------------ */ 9484/* Function: ipf_create_all */ 9485/* Returns: NULL = failure, else success */ 9486/* Parameters: arg(I) - pointer to soft context main structure */ 9487/* */ 9488/* Work through all of the subsystems inside IPFilter and call the create */ 9489/* function for each in an order that won't lead to a crash :) */ 9490/* ------------------------------------------------------------------------ */ 9491ipf_main_softc_t * 9492ipf_create_all(arg) 9493 void *arg; 9494{ 9495 ipf_main_softc_t *softc; 9496 9497 softc = ipf_main_soft_create(arg); 9498 if (softc == NULL) 9499 return NULL; 9500 9501#ifdef IPFILTER_LOG 9502 softc->ipf_log_soft = ipf_log_soft_create(softc); 9503 if (softc->ipf_log_soft == NULL) { 9504 ipf_destroy_all(softc); 9505 return NULL; 9506 } 9507#endif 9508 9509 softc->ipf_lookup_soft = ipf_lookup_soft_create(softc); 9510 if (softc->ipf_lookup_soft == NULL) { 9511 ipf_destroy_all(softc); 9512 return NULL; 9513 } 9514 9515 softc->ipf_sync_soft = ipf_sync_soft_create(softc); 9516 if (softc->ipf_sync_soft == NULL) { 9517 ipf_destroy_all(softc); 9518 return NULL; 9519 } 9520 9521 softc->ipf_state_soft = ipf_state_soft_create(softc); 9522 if (softc->ipf_state_soft == NULL) { 9523 ipf_destroy_all(softc); 9524 return NULL; 9525 } 9526 9527 softc->ipf_nat_soft = ipf_nat_soft_create(softc); 9528 if (softc->ipf_nat_soft == NULL) { 9529 ipf_destroy_all(softc); 9530 return NULL; 9531 } 9532 9533 softc->ipf_frag_soft = ipf_frag_soft_create(softc); 9534 if (softc->ipf_frag_soft == NULL) { 9535 ipf_destroy_all(softc); 9536 return NULL; 9537 } 9538 9539 softc->ipf_auth_soft = ipf_auth_soft_create(softc); 9540 if (softc->ipf_auth_soft == NULL) { 9541 ipf_destroy_all(softc); 9542 return NULL; 9543 } 9544 9545 softc->ipf_proxy_soft = ipf_proxy_soft_create(softc); 9546 if (softc->ipf_proxy_soft == NULL) { 9547 ipf_destroy_all(softc); 9548 return NULL; 9549 } 9550 9551 return softc; 9552} 9553 9554 9555/* ------------------------------------------------------------------------ */ 9556/* Function: ipf_destroy_all */ 9557/* Returns: void */ 9558/* Parameters: softc(I) - pointer to soft context main structure */ 9559/* */ 9560/* Work through all of the subsystems inside IPFilter and call the destroy */ 9561/* function for each in an order that won't lead to a crash :) */ 9562/* */ 9563/* Every one of these functions is expected to succeed, so there is no */ 9564/* checking of return values. */ 9565/* ------------------------------------------------------------------------ */ 9566void 9567ipf_destroy_all(softc) 9568 ipf_main_softc_t *softc; 9569{ 9570 9571 if (softc->ipf_state_soft != NULL) { 9572 ipf_state_soft_destroy(softc, softc->ipf_state_soft); 9573 softc->ipf_state_soft = NULL; 9574 } 9575 9576 if (softc->ipf_nat_soft != NULL) { 9577 ipf_nat_soft_destroy(softc, softc->ipf_nat_soft); 9578 softc->ipf_nat_soft = NULL; 9579 } 9580 9581 if (softc->ipf_frag_soft != NULL) { 9582 ipf_frag_soft_destroy(softc, softc->ipf_frag_soft); 9583 softc->ipf_frag_soft = NULL; 9584 } 9585 9586 if (softc->ipf_auth_soft != NULL) { 9587 ipf_auth_soft_destroy(softc, softc->ipf_auth_soft); 9588 softc->ipf_auth_soft = NULL; 9589 } 9590 9591 if (softc->ipf_proxy_soft != NULL) { 9592 ipf_proxy_soft_destroy(softc, softc->ipf_proxy_soft); 9593 softc->ipf_proxy_soft = NULL; 9594 } 9595 9596 if (softc->ipf_sync_soft != NULL) { 9597 ipf_sync_soft_destroy(softc, softc->ipf_sync_soft); 9598 softc->ipf_sync_soft = NULL; 9599 } 9600 9601 if (softc->ipf_lookup_soft != NULL) { 9602 ipf_lookup_soft_destroy(softc, softc->ipf_lookup_soft); 9603 softc->ipf_lookup_soft = NULL; 9604 } 9605 9606#ifdef IPFILTER_LOG 9607 if (softc->ipf_log_soft != NULL) { 9608 ipf_log_soft_destroy(softc, softc->ipf_log_soft); 9609 softc->ipf_log_soft = NULL; 9610 } 9611#endif 9612 9613 ipf_main_soft_destroy(softc); 9614} 9615 9616 9617/* ------------------------------------------------------------------------ */ 9618/* Function: ipf_init_all */ 9619/* Returns: 0 = success, -1 = failure */ 9620/* Parameters: softc(I) - pointer to soft context main structure */ 9621/* */ 9622/* Work through all of the subsystems inside IPFilter and call the init */ 9623/* function for each in an order that won't lead to a crash :) */ 9624/* ------------------------------------------------------------------------ */ 9625int 9626ipf_init_all(softc) 9627 ipf_main_softc_t *softc; 9628{ 9629 9630 if (ipf_main_soft_init(softc) == -1) 9631 return -1; 9632 9633#ifdef IPFILTER_LOG 9634 if (ipf_log_soft_init(softc, softc->ipf_log_soft) == -1) 9635 return -1; 9636#endif 9637 9638 if (ipf_lookup_soft_init(softc, softc->ipf_lookup_soft) == -1) 9639 return -1; 9640 9641 if (ipf_sync_soft_init(softc, softc->ipf_sync_soft) == -1) 9642 return -1; 9643 9644 if (ipf_state_soft_init(softc, softc->ipf_state_soft) == -1) 9645 return -1; 9646 9647 if (ipf_nat_soft_init(softc, softc->ipf_nat_soft) == -1) 9648 return -1; 9649 9650 if (ipf_frag_soft_init(softc, softc->ipf_frag_soft) == -1) 9651 return -1; 9652 9653 if (ipf_auth_soft_init(softc, softc->ipf_auth_soft) == -1) 9654 return -1; 9655 9656 if (ipf_proxy_soft_init(softc, softc->ipf_proxy_soft) == -1) 9657 return -1; 9658 9659 return 0; 9660} 9661 9662 9663/* ------------------------------------------------------------------------ */ 9664/* Function: ipf_fini_all */ 9665/* Returns: 0 = success, -1 = failure */ 9666/* Parameters: softc(I) - pointer to soft context main structure */ 9667/* */ 9668/* Work through all of the subsystems inside IPFilter and call the fini */ 9669/* function for each in an order that won't lead to a crash :) */ 9670/* ------------------------------------------------------------------------ */ 9671int 9672ipf_fini_all(softc) 9673 ipf_main_softc_t *softc; 9674{ 9675 9676 ipf_token_flush(softc); 9677 9678 if (ipf_proxy_soft_fini(softc, softc->ipf_proxy_soft) == -1) 9679 return -1; 9680 9681 if (ipf_auth_soft_fini(softc, softc->ipf_auth_soft) == -1) 9682 return -1; 9683 9684 if (ipf_frag_soft_fini(softc, softc->ipf_frag_soft) == -1) 9685 return -1; 9686 9687 if (ipf_nat_soft_fini(softc, softc->ipf_nat_soft) == -1) 9688 return -1; 9689 9690 if (ipf_state_soft_fini(softc, softc->ipf_state_soft) == -1) 9691 return -1; 9692 9693 if (ipf_sync_soft_fini(softc, softc->ipf_sync_soft) == -1) 9694 return -1; 9695 9696 if (ipf_lookup_soft_fini(softc, softc->ipf_lookup_soft) == -1) 9697 return -1; 9698 9699#ifdef IPFILTER_LOG 9700 if (ipf_log_soft_fini(softc, softc->ipf_log_soft) == -1) 9701 return -1; 9702#endif 9703 9704 if (ipf_main_soft_fini(softc) == -1) 9705 return -1; 9706 9707 return 0; 9708} 9709 9710 9711/* ------------------------------------------------------------------------ */ 9712/* Function: ipf_rule_expire */ 9713/* Returns: Nil */ 9714/* Parameters: softc(I) - pointer to soft context main structure */ 9715/* */ 9716/* At present this function exists just to support temporary addition of */ 9717/* firewall rules. Both inactive and active lists are scanned for items to */ 9718/* purge, as by rights, the expiration is computed as soon as the rule is */ 9719/* loaded in. */ 9720/* ------------------------------------------------------------------------ */ 9721void 9722ipf_rule_expire(softc) 9723 ipf_main_softc_t *softc; 9724{ 9725 frentry_t *fr; 9726 9727 if ((softc->ipf_rule_explist[0] == NULL) && 9728 (softc->ipf_rule_explist[1] == NULL)) 9729 return; 9730 9731 WRITE_ENTER(&softc->ipf_mutex); 9732 9733 while ((fr = softc->ipf_rule_explist[0]) != NULL) { 9734 /* 9735 * Because the list is kept sorted on insertion, the fist 9736 * one that dies in the future means no more work to do. 9737 */ 9738 if (fr->fr_die > softc->ipf_ticks) 9739 break; 9740 ipf_rule_delete(softc, fr, IPL_LOGIPF, 0); 9741 } 9742 9743 while ((fr = softc->ipf_rule_explist[1]) != NULL) { 9744 /* 9745 * Because the list is kept sorted on insertion, the fist 9746 * one that dies in the future means no more work to do. 9747 */ 9748 if (fr->fr_die > softc->ipf_ticks) 9749 break; 9750 ipf_rule_delete(softc, fr, IPL_LOGIPF, 1); 9751 } 9752 9753 RWLOCK_EXIT(&softc->ipf_mutex); 9754} 9755 9756 9757static int ipf_ht_node_cmp __P((struct host_node_s *, struct host_node_s *)); 9758static void ipf_ht_node_make_key __P((host_track_t *, host_node_t *, int, 9759 i6addr_t *)); 9760 9761host_node_t RBI_ZERO(ipf_rb); 9762RBI_CODE(ipf_rb, host_node_t, hn_entry, ipf_ht_node_cmp) 9763 9764 9765/* ------------------------------------------------------------------------ */ 9766/* Function: ipf_ht_node_cmp */ 9767/* Returns: int - 0 == nodes are the same, .. */ 9768/* Parameters: k1(I) - pointer to first key to compare */ 9769/* k2(I) - pointer to second key to compare */ 9770/* */ 9771/* The "key" for the node is a combination of two fields: the address */ 9772/* family and the address itself. */ 9773/* */ 9774/* Because we're not actually interpreting the address data, it isn't */ 9775/* necessary to convert them to/from network/host byte order. The mask is */ 9776/* just used to remove bits that aren't significant - it doesn't matter */ 9777/* where they are, as long as they're always in the same place. */ 9778/* */ 9779/* As with IP6_EQ, comparing IPv6 addresses starts at the bottom because */ 9780/* this is where individual ones will differ the most - but not true for */ 9781/* for /48's, etc. */ 9782/* ------------------------------------------------------------------------ */ 9783static int 9784ipf_ht_node_cmp(k1, k2) 9785 struct host_node_s *k1, *k2; 9786{ 9787 int i; 9788 9789 i = (k2->hn_addr.adf_family - k1->hn_addr.adf_family); 9790 if (i != 0) 9791 return i; 9792 9793 if (k1->hn_addr.adf_family == AF_INET) 9794 return (k2->hn_addr.adf_addr.in4.s_addr - 9795 k1->hn_addr.adf_addr.in4.s_addr); 9796 9797 i = k2->hn_addr.adf_addr.i6[3] - k1->hn_addr.adf_addr.i6[3]; 9798 if (i != 0) 9799 return i; 9800 i = k2->hn_addr.adf_addr.i6[2] - k1->hn_addr.adf_addr.i6[2]; 9801 if (i != 0) 9802 return i; 9803 i = k2->hn_addr.adf_addr.i6[1] - k1->hn_addr.adf_addr.i6[1]; 9804 if (i != 0) 9805 return i; 9806 i = k2->hn_addr.adf_addr.i6[0] - k1->hn_addr.adf_addr.i6[0]; 9807 return i; 9808} 9809 9810 9811/* ------------------------------------------------------------------------ */ 9812/* Function: ipf_ht_node_make_key */ 9813/* Returns: Nil */ 9814/* parameters: htp(I) - pointer to address tracking structure */ 9815/* key(I) - where to store masked address for lookup */ 9816/* family(I) - protocol family of address */ 9817/* addr(I) - pointer to network address */ 9818/* */ 9819/* Using the "netmask" (number of bits) stored parent host tracking struct, */ 9820/* copy the address passed in into the key structure whilst masking out the */ 9821/* bits that we don't want. */ 9822/* */ 9823/* Because the parser will set ht_netmask to 128 if there is no protocol */ 9824/* specified (the parser doesn't know if it should be a v4 or v6 rule), we */ 9825/* have to be wary of that and not allow 32-128 to happen. */ 9826/* ------------------------------------------------------------------------ */ 9827static void 9828ipf_ht_node_make_key(htp, key, family, addr) 9829 host_track_t *htp; 9830 host_node_t *key; 9831 int family; 9832 i6addr_t *addr; 9833{ 9834 key->hn_addr.adf_family = family; 9835 if (family == AF_INET) { 9836 u_32_t mask; 9837 int bits; 9838 9839 key->hn_addr.adf_len = sizeof(key->hn_addr.adf_addr.in4); 9840 bits = htp->ht_netmask; 9841 if (bits >= 32) { 9842 mask = 0xffffffff; 9843 } else { 9844 mask = htonl(0xffffffff << (32 - bits)); 9845 } 9846 key->hn_addr.adf_addr.in4.s_addr = addr->in4.s_addr & mask; 9847#ifdef USE_INET6 9848 } else { 9849 int bits = htp->ht_netmask; 9850 9851 key->hn_addr.adf_len = sizeof(key->hn_addr.adf_addr.in6); 9852 if (bits > 96) { 9853 key->hn_addr.adf_addr.i6[3] = addr->i6[3] & 9854 htonl(0xffffffff << (128 - bits)); 9855 key->hn_addr.adf_addr.i6[2] = addr->i6[2]; 9856 key->hn_addr.adf_addr.i6[1] = addr->i6[2]; 9857 key->hn_addr.adf_addr.i6[0] = addr->i6[2]; 9858 } else if (bits > 64) { 9859 key->hn_addr.adf_addr.i6[3] = 0; 9860 key->hn_addr.adf_addr.i6[2] = addr->i6[2] & 9861 htonl(0xffffffff << (96 - bits)); 9862 key->hn_addr.adf_addr.i6[1] = addr->i6[1]; 9863 key->hn_addr.adf_addr.i6[0] = addr->i6[0]; 9864 } else if (bits > 32) { 9865 key->hn_addr.adf_addr.i6[3] = 0; 9866 key->hn_addr.adf_addr.i6[2] = 0; 9867 key->hn_addr.adf_addr.i6[1] = addr->i6[1] & 9868 htonl(0xffffffff << (64 - bits)); 9869 key->hn_addr.adf_addr.i6[0] = addr->i6[0]; 9870 } else { 9871 key->hn_addr.adf_addr.i6[3] = 0; 9872 key->hn_addr.adf_addr.i6[2] = 0; 9873 key->hn_addr.adf_addr.i6[1] = 0; 9874 key->hn_addr.adf_addr.i6[0] = addr->i6[0] & 9875 htonl(0xffffffff << (32 - bits)); 9876 } 9877#endif 9878 } 9879} 9880 9881 9882/* ------------------------------------------------------------------------ */ 9883/* Function: ipf_ht_node_add */ 9884/* Returns: int - 0 == success, -1 == failure */ 9885/* Parameters: softc(I) - pointer to soft context main structure */ 9886/* htp(I) - pointer to address tracking structure */ 9887/* family(I) - protocol family of address */ 9888/* addr(I) - pointer to network address */ 9889/* */ 9890/* NOTE: THIS FUNCTION MUST BE CALLED WITH AN EXCLUSIVE LOCK THAT PREVENTS */ 9891/* ipf_ht_node_del FROM RUNNING CONCURRENTLY ON THE SAME htp. */ 9892/* */ 9893/* After preparing the key with the address information to find, look in */ 9894/* the red-black tree to see if the address is known. A successful call to */ 9895/* this function can mean one of two things: a new node was added to the */ 9896/* tree or a matching node exists and we're able to bump up its activity. */ 9897/* ------------------------------------------------------------------------ */ 9898int 9899ipf_ht_node_add(softc, htp, family, addr) 9900 ipf_main_softc_t *softc; 9901 host_track_t *htp; 9902 int family; 9903 i6addr_t *addr; 9904{ 9905 host_node_t *h; 9906 host_node_t k; 9907 9908 ipf_ht_node_make_key(htp, &k, family, addr); 9909 9910 h = RBI_SEARCH(ipf_rb, &htp->ht_root, &k); 9911 if (h == NULL) { 9912 if (htp->ht_cur_nodes >= htp->ht_max_nodes) 9913 return -1; 9914 KMALLOC(h, host_node_t *); 9915 if (h == NULL) { 9916 DT(ipf_rb_no_mem); 9917 LBUMP(ipf_rb_no_mem); 9918 return -1; 9919 } 9920 9921 /* 9922 * If there was a macro to initialise the RB node then that 9923 * would get used here, but there isn't... 9924 */ 9925 bzero((char *)h, sizeof(*h)); 9926 h->hn_addr = k.hn_addr; 9927 h->hn_addr.adf_family = k.hn_addr.adf_family; 9928 RBI_INSERT(ipf_rb, &htp->ht_root, h); 9929 htp->ht_cur_nodes++; 9930 } else { 9931 if ((htp->ht_max_per_node != 0) && 9932 (h->hn_active >= htp->ht_max_per_node)) { 9933 DT(ipf_rb_node_max); 9934 LBUMP(ipf_rb_node_max); 9935 return -1; 9936 } 9937 } 9938 9939 h->hn_active++; 9940 9941 return 0; 9942} 9943 9944 9945/* ------------------------------------------------------------------------ */ 9946/* Function: ipf_ht_node_del */ 9947/* Returns: int - 0 == success, -1 == failure */ 9948/* parameters: htp(I) - pointer to address tracking structure */ 9949/* family(I) - protocol family of address */ 9950/* addr(I) - pointer to network address */ 9951/* */ 9952/* NOTE: THIS FUNCTION MUST BE CALLED WITH AN EXCLUSIVE LOCK THAT PREVENTS */ 9953/* ipf_ht_node_add FROM RUNNING CONCURRENTLY ON THE SAME htp. */ 9954/* */ 9955/* Try and find the address passed in amongst the leavese on this tree to */ 9956/* be friend. If found then drop the active account for that node drops by */ 9957/* one. If that count reaches 0, it is time to free it all up. */ 9958/* ------------------------------------------------------------------------ */ 9959int 9960ipf_ht_node_del(htp, family, addr) 9961 host_track_t *htp; 9962 int family; 9963 i6addr_t *addr; 9964{ 9965 host_node_t *h; 9966 host_node_t k; 9967 9968 ipf_ht_node_make_key(htp, &k, family, addr); 9969 9970 h = RBI_SEARCH(ipf_rb, &htp->ht_root, &k); 9971 if (h == NULL) { 9972 return -1; 9973 } else { 9974 h->hn_active--; 9975 if (h->hn_active == 0) { 9976 (void) RBI_DELETE(ipf_rb, &htp->ht_root, h); 9977 htp->ht_cur_nodes--; 9978 KFREE(h); 9979 } 9980 } 9981 9982 return 0; 9983} 9984 9985 9986/* ------------------------------------------------------------------------ */ 9987/* Function: ipf_rb_ht_init */ 9988/* Returns: Nil */ 9989/* Parameters: head(I) - pointer to host tracking structure */ 9990/* */ 9991/* Initialise the host tracking structure to be ready for use above. */ 9992/* ------------------------------------------------------------------------ */ 9993void 9994ipf_rb_ht_init(head) 9995 host_track_t *head; 9996{ 9997 RBI_INIT(ipf_rb, &head->ht_root); 9998} 9999 10000 10001/* ------------------------------------------------------------------------ */ 10002/* Function: ipf_rb_ht_freenode */ 10003/* Returns: Nil */ 10004/* Parameters: head(I) - pointer to host tracking structure */ 10005/* arg(I) - additional argument from walk caller */ 10006/* */ 10007/* Free an actual host_node_t structure. */ 10008/* ------------------------------------------------------------------------ */ 10009void 10010ipf_rb_ht_freenode(node, arg) 10011 host_node_t *node; 10012 void *arg; 10013{ 10014 KFREE(node); 10015} 10016 10017 10018/* ------------------------------------------------------------------------ */ 10019/* Function: ipf_rb_ht_flush */ 10020/* Returns: Nil */ 10021/* Parameters: head(I) - pointer to host tracking structure */ 10022/* */ 10023/* Remove all of the nodes in the tree tracking hosts by calling a walker */ 10024/* and free'ing each one. */ 10025/* ------------------------------------------------------------------------ */ 10026void 10027ipf_rb_ht_flush(head) 10028 host_track_t *head; 10029{ 10030 RBI_WALK(ipf_rb, &head->ht_root, ipf_rb_ht_freenode, NULL); 10031} 10032 10033 10034/* ------------------------------------------------------------------------ */ 10035/* Function: ipf_slowtimer */ 10036/* Returns: Nil */ 10037/* Parameters: ptr(I) - pointer to main ipf soft context structure */ 10038/* */ 10039/* Slowly expire held state for fragments. Timeouts are set * in */ 10040/* expectation of this being called twice per second. */ 10041/* ------------------------------------------------------------------------ */ 10042void 10043ipf_slowtimer(softc) 10044 ipf_main_softc_t *softc; 10045{ 10046 10047 ipf_token_expire(softc); 10048 ipf_frag_expire(softc); 10049 ipf_state_expire(softc); 10050 ipf_nat_expire(softc); 10051 ipf_auth_expire(softc); 10052 ipf_lookup_expire(softc); 10053 ipf_rule_expire(softc); 10054 ipf_sync_expire(softc); 10055 softc->ipf_ticks++; 10056# if defined(__OpenBSD__) 10057 timeout_add(&ipf_slowtimer_ch, hz/2); 10058# endif 10059} 10060 10061 10062/* ------------------------------------------------------------------------ */ 10063/* Function: ipf_inet_mask_add */ 10064/* Returns: Nil */ 10065/* Parameters: bits(I) - pointer to nat context information */ 10066/* mtab(I) - pointer to mask hash table structure */ 10067/* */ 10068/* When called, bits represents the mask of a new NAT rule that has just */ 10069/* been added. This function inserts a bitmask into the array of masks to */ 10070/* search when searching for a matching NAT rule for a packet. */ 10071/* Prevention of duplicate masks is achieved by checking the use count for */ 10072/* a given netmask. */ 10073/* ------------------------------------------------------------------------ */ 10074void 10075ipf_inet_mask_add(bits, mtab) 10076 int bits; 10077 ipf_v4_masktab_t *mtab; 10078{ 10079 u_32_t mask; 10080 int i, j; 10081 10082 mtab->imt4_masks[bits]++; 10083 if (mtab->imt4_masks[bits] > 1) 10084 return; 10085 10086 if (bits == 0) 10087 mask = 0; 10088 else 10089 mask = 0xffffffff << (32 - bits); 10090 10091 for (i = 0; i < 33; i++) { 10092 if (ntohl(mtab->imt4_active[i]) < mask) { 10093 for (j = 32; j > i; j--) 10094 mtab->imt4_active[j] = mtab->imt4_active[j - 1]; 10095 mtab->imt4_active[i] = htonl(mask); 10096 break; 10097 } 10098 } 10099 mtab->imt4_max++; 10100} 10101 10102 10103/* ------------------------------------------------------------------------ */ 10104/* Function: ipf_inet_mask_del */ 10105/* Returns: Nil */ 10106/* Parameters: bits(I) - number of bits set in the netmask */ 10107/* mtab(I) - pointer to mask hash table structure */ 10108/* */ 10109/* Remove the 32bit bitmask represented by "bits" from the collection of */ 10110/* netmasks stored inside of mtab. */ 10111/* ------------------------------------------------------------------------ */ 10112void 10113ipf_inet_mask_del(bits, mtab) 10114 int bits; 10115 ipf_v4_masktab_t *mtab; 10116{ 10117 u_32_t mask; 10118 int i, j; 10119 10120 mtab->imt4_masks[bits]--; 10121 if (mtab->imt4_masks[bits] > 0) 10122 return; 10123 10124 mask = htonl(0xffffffff << (32 - bits)); 10125 for (i = 0; i < 33; i++) { 10126 if (mtab->imt4_active[i] == mask) { 10127 for (j = i + 1; j < 33; j++) 10128 mtab->imt4_active[j - 1] = mtab->imt4_active[j]; 10129 break; 10130 } 10131 } 10132 mtab->imt4_max--; 10133 ASSERT(mtab->imt4_max >= 0); 10134} 10135 10136 10137#ifdef USE_INET6 10138/* ------------------------------------------------------------------------ */ 10139/* Function: ipf_inet6_mask_add */ 10140/* Returns: Nil */ 10141/* Parameters: bits(I) - number of bits set in mask */ 10142/* mask(I) - pointer to mask to add */ 10143/* mtab(I) - pointer to mask hash table structure */ 10144/* */ 10145/* When called, bitcount represents the mask of a IPv6 NAT map rule that */ 10146/* has just been added. This function inserts a bitmask into the array of */ 10147/* masks to search when searching for a matching NAT rule for a packet. */ 10148/* Prevention of duplicate masks is achieved by checking the use count for */ 10149/* a given netmask. */ 10150/* ------------------------------------------------------------------------ */ 10151void 10152ipf_inet6_mask_add(bits, mask, mtab) 10153 int bits; 10154 i6addr_t *mask; 10155 ipf_v6_masktab_t *mtab; 10156{ 10157 i6addr_t zero; 10158 int i, j; 10159 10160 mtab->imt6_masks[bits]++; 10161 if (mtab->imt6_masks[bits] > 1) 10162 return; 10163 10164 if (bits == 0) { 10165 mask = &zero; 10166 zero.i6[0] = 0; 10167 zero.i6[1] = 0; 10168 zero.i6[2] = 0; 10169 zero.i6[3] = 0; 10170 } 10171 10172 for (i = 0; i < 129; i++) { 10173 if (IP6_LT(&mtab->imt6_active[i], mask)) { 10174 for (j = 128; j > i; j--) 10175 mtab->imt6_active[j] = mtab->imt6_active[j - 1]; 10176 mtab->imt6_active[i] = *mask; 10177 break; 10178 } 10179 } 10180 mtab->imt6_max++; 10181} 10182 10183 10184/* ------------------------------------------------------------------------ */ 10185/* Function: ipf_inet6_mask_del */ 10186/* Returns: Nil */ 10187/* Parameters: bits(I) - number of bits set in mask */ 10188/* mask(I) - pointer to mask to remove */ 10189/* mtab(I) - pointer to mask hash table structure */ 10190/* */ 10191/* Remove the 128bit bitmask represented by "bits" from the collection of */ 10192/* netmasks stored inside of mtab. */ 10193/* ------------------------------------------------------------------------ */ 10194void 10195ipf_inet6_mask_del(bits, mask, mtab) 10196 int bits; 10197 i6addr_t *mask; 10198 ipf_v6_masktab_t *mtab; 10199{ 10200 i6addr_t zero; 10201 int i, j; 10202 10203 mtab->imt6_masks[bits]--; 10204 if (mtab->imt6_masks[bits] > 0) 10205 return; 10206 10207 if (bits == 0) 10208 mask = &zero; 10209 zero.i6[0] = 0; 10210 zero.i6[1] = 0; 10211 zero.i6[2] = 0; 10212 zero.i6[3] = 0; 10213 10214 for (i = 0; i < 129; i++) { 10215 if (IP6_EQ(&mtab->imt6_active[i], mask)) { 10216 for (j = i + 1; j < 129; j++) { 10217 mtab->imt6_active[j - 1] = mtab->imt6_active[j]; 10218 if (IP6_EQ(&mtab->imt6_active[j - 1], &zero)) 10219 break; 10220 } 10221 break; 10222 } 10223 } 10224 mtab->imt6_max--; 10225 ASSERT(mtab->imt6_max >= 0); 10226} 10227#endif 10228