fil.c revision 351468
1/* $FreeBSD: stable/10/sys/contrib/ipfilter/netinet/fil.c 351468 2019-08-25 01:09:31Z cy $ */ 2 3/* 4 * Copyright (C) 2012 by Darren Reed. 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 * 8 * Copyright 2008 Sun Microsystems. 9 * 10 * $Id$ 11 * 12 */ 13#if defined(KERNEL) || defined(_KERNEL) 14# undef KERNEL 15# undef _KERNEL 16# define KERNEL 1 17# define _KERNEL 1 18#endif 19#include <sys/errno.h> 20#include <sys/types.h> 21#include <sys/param.h> 22#include <sys/time.h> 23#if defined(_KERNEL) && defined(__FreeBSD_version) && \ 24 (__FreeBSD_version >= 220000) 25# if (__FreeBSD_version >= 400000) 26# if !defined(IPFILTER_LKM) 27# include "opt_inet6.h" 28# endif 29# if (__FreeBSD_version == 400019) 30# define CSUM_DELAY_DATA 31# endif 32# endif 33# include <sys/filio.h> 34#else 35# include <sys/ioctl.h> 36#endif 37#if (defined(__SVR4) || defined(__svr4__)) && defined(sun) 38# include <sys/filio.h> 39#endif 40#if !defined(_AIX51) 41# include <sys/fcntl.h> 42#endif 43#if defined(_KERNEL) 44# include <sys/systm.h> 45# include <sys/file.h> 46#else 47# include <stdio.h> 48# include <string.h> 49# include <stdlib.h> 50# include <stddef.h> 51# include <sys/file.h> 52# define _KERNEL 53# ifdef __OpenBSD__ 54struct file; 55# endif 56# include <sys/uio.h> 57# undef _KERNEL 58#endif 59#if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux) && \ 60 !defined(linux) 61# include <sys/mbuf.h> 62#else 63# if !defined(linux) 64# include <sys/byteorder.h> 65# endif 66# if (SOLARIS2 < 5) && defined(sun) 67# include <sys/dditypes.h> 68# endif 69#endif 70#ifdef __hpux 71# define _NET_ROUTE_INCLUDED 72#endif 73#if !defined(linux) 74# include <sys/protosw.h> 75#endif 76#include <sys/socket.h> 77#include <net/if.h> 78#ifdef sun 79# include <net/af.h> 80#endif 81#include <netinet/in.h> 82#include <netinet/in_systm.h> 83#include <netinet/ip.h> 84#if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */ 85# include <sys/hashing.h> 86# include <netinet/in_var.h> 87#endif 88#include <netinet/tcp.h> 89#if (!defined(__sgi) && !defined(AIX)) || defined(_KERNEL) 90# include <netinet/udp.h> 91# include <netinet/ip_icmp.h> 92#endif 93#ifdef __hpux 94# undef _NET_ROUTE_INCLUDED 95#endif 96#ifdef __osf__ 97# undef _RADIX_H_ 98#endif 99#include "netinet/ip_compat.h" 100#ifdef USE_INET6 101# include <netinet/icmp6.h> 102# if !SOLARIS && defined(_KERNEL) && !defined(__osf__) && !defined(__hpux) 103# include <netinet6/in6_var.h> 104# endif 105#endif 106#include "netinet/ip_fil.h" 107#include "netinet/ip_nat.h" 108#include "netinet/ip_frag.h" 109#include "netinet/ip_state.h" 110#include "netinet/ip_proxy.h" 111#include "netinet/ip_auth.h" 112#ifdef IPFILTER_SCAN 113# include "netinet/ip_scan.h" 114#endif 115#include "netinet/ip_sync.h" 116#include "netinet/ip_lookup.h" 117#include "netinet/ip_pool.h" 118#include "netinet/ip_htable.h" 119#ifdef IPFILTER_COMPILED 120# include "netinet/ip_rules.h" 121#endif 122#if defined(IPFILTER_BPF) && defined(_KERNEL) 123# include <net/bpf.h> 124#endif 125#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000) 126# include <sys/malloc.h> 127#endif 128#include "netinet/ipl.h" 129 130#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000) 131# include <sys/callout.h> 132extern struct callout ipf_slowtimer_ch; 133#endif 134#if defined(__OpenBSD__) 135# include <sys/timeout.h> 136extern struct timeout ipf_slowtimer_ch; 137#endif 138/* END OF INCLUDES */ 139 140#if !defined(lint) 141static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; 142static const char rcsid[] = "@(#)$FreeBSD: stable/10/sys/contrib/ipfilter/netinet/fil.c 351468 2019-08-25 01:09:31Z cy $"; 143/* static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.125 2007/10/10 09:27:20 darrenr Exp $"; */ 144#endif 145 146#ifndef _KERNEL 147# include "ipf.h" 148# include "ipt.h" 149extern int opts; 150extern int blockreason; 151#endif /* _KERNEL */ 152 153#define LBUMP(x) softc->x++ 154#define LBUMPD(x, y) do { softc->x.y++; DT(y); } while (0) 155 156static INLINE int ipf_check_ipf __P((fr_info_t *, frentry_t *, int)); 157static u_32_t ipf_checkcipso __P((fr_info_t *, u_char *, int)); 158static u_32_t ipf_checkripso __P((u_char *)); 159static u_32_t ipf_decaps __P((fr_info_t *, u_32_t, int)); 160#ifdef IPFILTER_LOG 161static frentry_t *ipf_dolog __P((fr_info_t *, u_32_t *)); 162#endif 163static int ipf_flushlist __P((ipf_main_softc_t *, int *, 164 frentry_t **)); 165static int ipf_flush_groups __P((ipf_main_softc_t *, frgroup_t **, 166 int)); 167static ipfunc_t ipf_findfunc __P((ipfunc_t)); 168static void *ipf_findlookup __P((ipf_main_softc_t *, int, 169 frentry_t *, 170 i6addr_t *, i6addr_t *)); 171static frentry_t *ipf_firewall __P((fr_info_t *, u_32_t *)); 172static int ipf_fr_matcharray __P((fr_info_t *, int *)); 173static int ipf_frruleiter __P((ipf_main_softc_t *, void *, int, 174 void *)); 175static void ipf_funcfini __P((ipf_main_softc_t *, frentry_t *)); 176static int ipf_funcinit __P((ipf_main_softc_t *, frentry_t *)); 177static int ipf_geniter __P((ipf_main_softc_t *, ipftoken_t *, 178 ipfgeniter_t *)); 179static void ipf_getstat __P((ipf_main_softc_t *, 180 struct friostat *, int)); 181static int ipf_group_flush __P((ipf_main_softc_t *, frgroup_t *)); 182static void ipf_group_free __P((frgroup_t *)); 183static int ipf_grpmapfini __P((struct ipf_main_softc_s *, 184 frentry_t *)); 185static int ipf_grpmapinit __P((struct ipf_main_softc_s *, 186 frentry_t *)); 187static frentry_t *ipf_nextrule __P((ipf_main_softc_t *, int, int, 188 frentry_t *, int)); 189static int ipf_portcheck __P((frpcmp_t *, u_32_t)); 190static INLINE int ipf_pr_ah __P((fr_info_t *)); 191static INLINE void ipf_pr_esp __P((fr_info_t *)); 192static INLINE void ipf_pr_gre __P((fr_info_t *)); 193static INLINE void ipf_pr_udp __P((fr_info_t *)); 194static INLINE void ipf_pr_tcp __P((fr_info_t *)); 195static INLINE void ipf_pr_icmp __P((fr_info_t *)); 196static INLINE void ipf_pr_ipv4hdr __P((fr_info_t *)); 197static INLINE void ipf_pr_short __P((fr_info_t *, int)); 198static INLINE int ipf_pr_tcpcommon __P((fr_info_t *)); 199static INLINE int ipf_pr_udpcommon __P((fr_info_t *)); 200static void ipf_rule_delete __P((ipf_main_softc_t *, frentry_t *f, 201 int, int)); 202static void ipf_rule_expire_insert __P((ipf_main_softc_t *, 203 frentry_t *, int)); 204static int ipf_synclist __P((ipf_main_softc_t *, frentry_t *, 205 void *)); 206static void ipf_token_flush __P((ipf_main_softc_t *)); 207static void ipf_token_unlink __P((ipf_main_softc_t *, 208 ipftoken_t *)); 209static ipftuneable_t *ipf_tune_findbyname __P((ipftuneable_t *, 210 const char *)); 211static ipftuneable_t *ipf_tune_findbycookie __P((ipftuneable_t **, void *, 212 void **)); 213static int ipf_updateipid __P((fr_info_t *)); 214static int ipf_settimeout __P((struct ipf_main_softc_s *, 215 struct ipftuneable *, 216 ipftuneval_t *)); 217#ifdef USE_INET6 218static u_int ipf_pcksum6 __P((fr_info_t *, ip6_t *, 219 u_int32_t, u_int32_t)); 220#endif 221#if !defined(_KERNEL) || (!defined(__NetBSD__) && !defined(__OpenBSD__) && \ 222 !defined(__FreeBSD__)) || \ 223 FREEBSD_LT_REV(501000) || NETBSD_LT_REV(105000000) || \ 224 OPENBSD_LT_REV(200006) 225static int ppsratecheck(struct timeval *, int *, int); 226#endif 227 228 229/* 230 * bit values for identifying presence of individual IP options 231 * All of these tables should be ordered by increasing key value on the left 232 * hand side to allow for binary searching of the array and include a trailer 233 * with a 0 for the bitmask for linear searches to easily find the end with. 234 */ 235static const struct optlist ipopts[] = { 236 { IPOPT_NOP, 0x000001 }, 237 { IPOPT_RR, 0x000002 }, 238 { IPOPT_ZSU, 0x000004 }, 239 { IPOPT_MTUP, 0x000008 }, 240 { IPOPT_MTUR, 0x000010 }, 241 { IPOPT_ENCODE, 0x000020 }, 242 { IPOPT_TS, 0x000040 }, 243 { IPOPT_TR, 0x000080 }, 244 { IPOPT_SECURITY, 0x000100 }, 245 { IPOPT_LSRR, 0x000200 }, 246 { IPOPT_E_SEC, 0x000400 }, 247 { IPOPT_CIPSO, 0x000800 }, 248 { IPOPT_SATID, 0x001000 }, 249 { IPOPT_SSRR, 0x002000 }, 250 { IPOPT_ADDEXT, 0x004000 }, 251 { IPOPT_VISA, 0x008000 }, 252 { IPOPT_IMITD, 0x010000 }, 253 { IPOPT_EIP, 0x020000 }, 254 { IPOPT_FINN, 0x040000 }, 255 { 0, 0x000000 } 256}; 257 258#ifdef USE_INET6 259static const struct optlist ip6exthdr[] = { 260 { IPPROTO_HOPOPTS, 0x000001 }, 261 { IPPROTO_IPV6, 0x000002 }, 262 { IPPROTO_ROUTING, 0x000004 }, 263 { IPPROTO_FRAGMENT, 0x000008 }, 264 { IPPROTO_ESP, 0x000010 }, 265 { IPPROTO_AH, 0x000020 }, 266 { IPPROTO_NONE, 0x000040 }, 267 { IPPROTO_DSTOPTS, 0x000080 }, 268 { IPPROTO_MOBILITY, 0x000100 }, 269 { 0, 0 } 270}; 271#endif 272 273/* 274 * bit values for identifying presence of individual IP security options 275 */ 276static const struct optlist secopt[] = { 277 { IPSO_CLASS_RES4, 0x01 }, 278 { IPSO_CLASS_TOPS, 0x02 }, 279 { IPSO_CLASS_SECR, 0x04 }, 280 { IPSO_CLASS_RES3, 0x08 }, 281 { IPSO_CLASS_CONF, 0x10 }, 282 { IPSO_CLASS_UNCL, 0x20 }, 283 { IPSO_CLASS_RES2, 0x40 }, 284 { IPSO_CLASS_RES1, 0x80 } 285}; 286 287char ipfilter_version[] = IPL_VERSION; 288 289int ipf_features = 0 290#ifdef IPFILTER_LKM 291 | IPF_FEAT_LKM 292#endif 293#ifdef IPFILTER_LOG 294 | IPF_FEAT_LOG 295#endif 296 | IPF_FEAT_LOOKUP 297#ifdef IPFILTER_BPF 298 | IPF_FEAT_BPF 299#endif 300#ifdef IPFILTER_COMPILED 301 | IPF_FEAT_COMPILED 302#endif 303#ifdef IPFILTER_CKSUM 304 | IPF_FEAT_CKSUM 305#endif 306 | IPF_FEAT_SYNC 307#ifdef IPFILTER_SCAN 308 | IPF_FEAT_SCAN 309#endif 310#ifdef USE_INET6 311 | IPF_FEAT_IPV6 312#endif 313 ; 314 315 316/* 317 * Table of functions available for use with call rules. 318 */ 319static ipfunc_resolve_t ipf_availfuncs[] = { 320 { "srcgrpmap", ipf_srcgrpmap, ipf_grpmapinit, ipf_grpmapfini }, 321 { "dstgrpmap", ipf_dstgrpmap, ipf_grpmapinit, ipf_grpmapfini }, 322 { "", NULL, NULL, NULL } 323}; 324 325static ipftuneable_t ipf_main_tuneables[] = { 326 { { (void *)offsetof(struct ipf_main_softc_s, ipf_flags) }, 327 "ipf_flags", 0, 0xffffffff, 328 stsizeof(ipf_main_softc_t, ipf_flags), 329 0, NULL, NULL }, 330 { { (void *)offsetof(struct ipf_main_softc_s, ipf_active) }, 331 "active", 0, 0, 332 stsizeof(ipf_main_softc_t, ipf_active), 333 IPFT_RDONLY, NULL, NULL }, 334 { { (void *)offsetof(ipf_main_softc_t, ipf_control_forwarding) }, 335 "control_forwarding", 0, 1, 336 stsizeof(ipf_main_softc_t, ipf_control_forwarding), 337 0, NULL, NULL }, 338 { { (void *)offsetof(ipf_main_softc_t, ipf_update_ipid) }, 339 "update_ipid", 0, 1, 340 stsizeof(ipf_main_softc_t, ipf_update_ipid), 341 0, NULL, NULL }, 342 { { (void *)offsetof(ipf_main_softc_t, ipf_chksrc) }, 343 "chksrc", 0, 1, 344 stsizeof(ipf_main_softc_t, ipf_chksrc), 345 0, NULL, NULL }, 346 { { (void *)offsetof(ipf_main_softc_t, ipf_minttl) }, 347 "min_ttl", 0, 1, 348 stsizeof(ipf_main_softc_t, ipf_minttl), 349 0, NULL, NULL }, 350 { { (void *)offsetof(ipf_main_softc_t, ipf_icmpminfragmtu) }, 351 "icmp_minfragmtu", 0, 1, 352 stsizeof(ipf_main_softc_t, ipf_icmpminfragmtu), 353 0, NULL, NULL }, 354 { { (void *)offsetof(ipf_main_softc_t, ipf_pass) }, 355 "default_pass", 0, 0xffffffff, 356 stsizeof(ipf_main_softc_t, ipf_pass), 357 0, NULL, NULL }, 358 { { (void *)offsetof(ipf_main_softc_t, ipf_tcpidletimeout) }, 359 "tcp_idle_timeout", 1, 0x7fffffff, 360 stsizeof(ipf_main_softc_t, ipf_tcpidletimeout), 361 0, NULL, ipf_settimeout }, 362 { { (void *)offsetof(ipf_main_softc_t, ipf_tcpclosewait) }, 363 "tcp_close_wait", 1, 0x7fffffff, 364 stsizeof(ipf_main_softc_t, ipf_tcpclosewait), 365 0, NULL, ipf_settimeout }, 366 { { (void *)offsetof(ipf_main_softc_t, ipf_tcplastack) }, 367 "tcp_last_ack", 1, 0x7fffffff, 368 stsizeof(ipf_main_softc_t, ipf_tcplastack), 369 0, NULL, ipf_settimeout }, 370 { { (void *)offsetof(ipf_main_softc_t, ipf_tcptimeout) }, 371 "tcp_timeout", 1, 0x7fffffff, 372 stsizeof(ipf_main_softc_t, ipf_tcptimeout), 373 0, NULL, ipf_settimeout }, 374 { { (void *)offsetof(ipf_main_softc_t, ipf_tcpsynsent) }, 375 "tcp_syn_sent", 1, 0x7fffffff, 376 stsizeof(ipf_main_softc_t, ipf_tcpsynsent), 377 0, NULL, ipf_settimeout }, 378 { { (void *)offsetof(ipf_main_softc_t, ipf_tcpsynrecv) }, 379 "tcp_syn_received", 1, 0x7fffffff, 380 stsizeof(ipf_main_softc_t, ipf_tcpsynrecv), 381 0, NULL, ipf_settimeout }, 382 { { (void *)offsetof(ipf_main_softc_t, ipf_tcpclosed) }, 383 "tcp_closed", 1, 0x7fffffff, 384 stsizeof(ipf_main_softc_t, ipf_tcpclosed), 385 0, NULL, ipf_settimeout }, 386 { { (void *)offsetof(ipf_main_softc_t, ipf_tcphalfclosed) }, 387 "tcp_half_closed", 1, 0x7fffffff, 388 stsizeof(ipf_main_softc_t, ipf_tcphalfclosed), 389 0, NULL, ipf_settimeout }, 390 { { (void *)offsetof(ipf_main_softc_t, ipf_tcptimewait) }, 391 "tcp_time_wait", 1, 0x7fffffff, 392 stsizeof(ipf_main_softc_t, ipf_tcptimewait), 393 0, NULL, ipf_settimeout }, 394 { { (void *)offsetof(ipf_main_softc_t, ipf_udptimeout) }, 395 "udp_timeout", 1, 0x7fffffff, 396 stsizeof(ipf_main_softc_t, ipf_udptimeout), 397 0, NULL, ipf_settimeout }, 398 { { (void *)offsetof(ipf_main_softc_t, ipf_udpacktimeout) }, 399 "udp_ack_timeout", 1, 0x7fffffff, 400 stsizeof(ipf_main_softc_t, ipf_udpacktimeout), 401 0, NULL, ipf_settimeout }, 402 { { (void *)offsetof(ipf_main_softc_t, ipf_icmptimeout) }, 403 "icmp_timeout", 1, 0x7fffffff, 404 stsizeof(ipf_main_softc_t, ipf_icmptimeout), 405 0, NULL, ipf_settimeout }, 406 { { (void *)offsetof(ipf_main_softc_t, ipf_icmpacktimeout) }, 407 "icmp_ack_timeout", 1, 0x7fffffff, 408 stsizeof(ipf_main_softc_t, ipf_icmpacktimeout), 409 0, NULL, ipf_settimeout }, 410 { { (void *)offsetof(ipf_main_softc_t, ipf_iptimeout) }, 411 "ip_timeout", 1, 0x7fffffff, 412 stsizeof(ipf_main_softc_t, ipf_iptimeout), 413 0, NULL, ipf_settimeout }, 414#if defined(INSTANCES) && defined(_KERNEL) 415 { { (void *)offsetof(ipf_main_softc_t, ipf_get_loopback) }, 416 "intercept_loopback", 0, 1, 417 stsizeof(ipf_main_softc_t, ipf_get_loopback), 418 0, NULL, ipf_set_loopback }, 419#endif 420 { { 0 }, 421 NULL, 0, 0, 422 0, 423 0, NULL, NULL } 424}; 425 426 427/* 428 * The next section of code is a a collection of small routines that set 429 * fields in the fr_info_t structure passed based on properties of the 430 * current packet. There are different routines for the same protocol 431 * for each of IPv4 and IPv6. Adding a new protocol, for which there 432 * will "special" inspection for setup, is now more easily done by adding 433 * a new routine and expanding the ipf_pr_ipinit*() function rather than by 434 * adding more code to a growing switch statement. 435 */ 436#ifdef USE_INET6 437static INLINE int ipf_pr_ah6 __P((fr_info_t *)); 438static INLINE void ipf_pr_esp6 __P((fr_info_t *)); 439static INLINE void ipf_pr_gre6 __P((fr_info_t *)); 440static INLINE void ipf_pr_udp6 __P((fr_info_t *)); 441static INLINE void ipf_pr_tcp6 __P((fr_info_t *)); 442static INLINE void ipf_pr_icmp6 __P((fr_info_t *)); 443static INLINE void ipf_pr_ipv6hdr __P((fr_info_t *)); 444static INLINE void ipf_pr_short6 __P((fr_info_t *, int)); 445static INLINE int ipf_pr_hopopts6 __P((fr_info_t *)); 446static INLINE int ipf_pr_mobility6 __P((fr_info_t *)); 447static INLINE int ipf_pr_routing6 __P((fr_info_t *)); 448static INLINE int ipf_pr_dstopts6 __P((fr_info_t *)); 449static INLINE int ipf_pr_fragment6 __P((fr_info_t *)); 450static INLINE struct ip6_ext *ipf_pr_ipv6exthdr __P((fr_info_t *, int, int)); 451 452 453/* ------------------------------------------------------------------------ */ 454/* Function: ipf_pr_short6 */ 455/* Returns: void */ 456/* Parameters: fin(I) - pointer to packet information */ 457/* xmin(I) - minimum header size */ 458/* */ 459/* IPv6 Only */ 460/* This is function enforces the 'is a packet too short to be legit' rule */ 461/* for IPv6 and marks the packet with FI_SHORT if so. See function comment */ 462/* for ipf_pr_short() for more details. */ 463/* ------------------------------------------------------------------------ */ 464static INLINE void 465ipf_pr_short6(fin, xmin) 466 fr_info_t *fin; 467 int xmin; 468{ 469 470 if (fin->fin_dlen < xmin) 471 fin->fin_flx |= FI_SHORT; 472} 473 474 475/* ------------------------------------------------------------------------ */ 476/* Function: ipf_pr_ipv6hdr */ 477/* Returns: void */ 478/* Parameters: fin(I) - pointer to packet information */ 479/* */ 480/* IPv6 Only */ 481/* Copy values from the IPv6 header into the fr_info_t struct and call the */ 482/* per-protocol analyzer if it exists. In validating the packet, a protocol*/ 483/* analyzer may pullup or free the packet itself so we need to be vigiliant */ 484/* of that possibility arising. */ 485/* ------------------------------------------------------------------------ */ 486static INLINE void 487ipf_pr_ipv6hdr(fin) 488 fr_info_t *fin; 489{ 490 ip6_t *ip6 = (ip6_t *)fin->fin_ip; 491 int p, go = 1, i, hdrcount; 492 fr_ip_t *fi = &fin->fin_fi; 493 494 fin->fin_off = 0; 495 496 fi->fi_tos = 0; 497 fi->fi_optmsk = 0; 498 fi->fi_secmsk = 0; 499 fi->fi_auth = 0; 500 501 p = ip6->ip6_nxt; 502 fin->fin_crc = p; 503 fi->fi_ttl = ip6->ip6_hlim; 504 fi->fi_src.in6 = ip6->ip6_src; 505 fin->fin_crc += fi->fi_src.i6[0]; 506 fin->fin_crc += fi->fi_src.i6[1]; 507 fin->fin_crc += fi->fi_src.i6[2]; 508 fin->fin_crc += fi->fi_src.i6[3]; 509 fi->fi_dst.in6 = ip6->ip6_dst; 510 fin->fin_crc += fi->fi_dst.i6[0]; 511 fin->fin_crc += fi->fi_dst.i6[1]; 512 fin->fin_crc += fi->fi_dst.i6[2]; 513 fin->fin_crc += fi->fi_dst.i6[3]; 514 fin->fin_id = 0; 515 if (IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6)) 516 fin->fin_flx |= FI_MULTICAST|FI_MBCAST; 517 518 hdrcount = 0; 519 while (go && !(fin->fin_flx & FI_SHORT)) { 520 switch (p) 521 { 522 case IPPROTO_UDP : 523 ipf_pr_udp6(fin); 524 go = 0; 525 break; 526 527 case IPPROTO_TCP : 528 ipf_pr_tcp6(fin); 529 go = 0; 530 break; 531 532 case IPPROTO_ICMPV6 : 533 ipf_pr_icmp6(fin); 534 go = 0; 535 break; 536 537 case IPPROTO_GRE : 538 ipf_pr_gre6(fin); 539 go = 0; 540 break; 541 542 case IPPROTO_HOPOPTS : 543 p = ipf_pr_hopopts6(fin); 544 break; 545 546 case IPPROTO_MOBILITY : 547 p = ipf_pr_mobility6(fin); 548 break; 549 550 case IPPROTO_DSTOPTS : 551 p = ipf_pr_dstopts6(fin); 552 break; 553 554 case IPPROTO_ROUTING : 555 p = ipf_pr_routing6(fin); 556 break; 557 558 case IPPROTO_AH : 559 p = ipf_pr_ah6(fin); 560 break; 561 562 case IPPROTO_ESP : 563 ipf_pr_esp6(fin); 564 go = 0; 565 break; 566 567 case IPPROTO_IPV6 : 568 for (i = 0; ip6exthdr[i].ol_bit != 0; i++) 569 if (ip6exthdr[i].ol_val == p) { 570 fin->fin_flx |= ip6exthdr[i].ol_bit; 571 break; 572 } 573 go = 0; 574 break; 575 576 case IPPROTO_NONE : 577 go = 0; 578 break; 579 580 case IPPROTO_FRAGMENT : 581 p = ipf_pr_fragment6(fin); 582 /* 583 * Given that the only fragments we want to let through 584 * (where fin_off != 0) are those where the non-first 585 * fragments only have data, we can safely stop looking 586 * at headers if this is a non-leading fragment. 587 */ 588 if (fin->fin_off != 0) 589 go = 0; 590 break; 591 592 default : 593 go = 0; 594 break; 595 } 596 hdrcount++; 597 598 /* 599 * It is important to note that at this point, for the 600 * extension headers (go != 0), the entire header may not have 601 * been pulled up when the code gets to this point. This is 602 * only done for "go != 0" because the other header handlers 603 * will all pullup their complete header. The other indicator 604 * of an incomplete packet is that this was just an extension 605 * header. 606 */ 607 if ((go != 0) && (p != IPPROTO_NONE) && 608 (ipf_pr_pullup(fin, 0) == -1)) { 609 p = IPPROTO_NONE; 610 break; 611 } 612 } 613 614 /* 615 * Some of the above functions, like ipf_pr_esp6(), can call ipf_pullup 616 * and destroy whatever packet was here. The caller of this function 617 * expects us to return if there is a problem with ipf_pullup. 618 */ 619 if (fin->fin_m == NULL) { 620 ipf_main_softc_t *softc = fin->fin_main_soft; 621 622 LBUMPD(ipf_stats[fin->fin_out], fr_v6_bad); 623 return; 624 } 625 626 fi->fi_p = p; 627 628 /* 629 * IPv6 fragment case 1 - see comment for ipf_pr_fragment6(). 630 * "go != 0" imples the above loop hasn't arrived at a layer 4 header. 631 */ 632 if ((go != 0) && (fin->fin_flx & FI_FRAG) && (fin->fin_off == 0)) { 633 ipf_main_softc_t *softc = fin->fin_main_soft; 634 635 fin->fin_flx |= FI_BAD; 636 LBUMPD(ipf_stats[fin->fin_out], fr_v6_badfrag); 637 LBUMP(ipf_stats[fin->fin_out].fr_v6_bad); 638 } 639} 640 641 642/* ------------------------------------------------------------------------ */ 643/* Function: ipf_pr_ipv6exthdr */ 644/* Returns: struct ip6_ext * - pointer to the start of the next header */ 645/* or NULL if there is a prolblem. */ 646/* Parameters: fin(I) - pointer to packet information */ 647/* multiple(I) - flag indicating yes/no if multiple occurances */ 648/* of this extension header are allowed. */ 649/* proto(I) - protocol number for this extension header */ 650/* */ 651/* IPv6 Only */ 652/* This function embodies a number of common checks that all IPv6 extension */ 653/* headers must be subjected to. For example, making sure the packet is */ 654/* big enough for it to be in, checking if it is repeated and setting a */ 655/* flag to indicate its presence. */ 656/* ------------------------------------------------------------------------ */ 657static INLINE struct ip6_ext * 658ipf_pr_ipv6exthdr(fin, multiple, proto) 659 fr_info_t *fin; 660 int multiple, proto; 661{ 662 ipf_main_softc_t *softc = fin->fin_main_soft; 663 struct ip6_ext *hdr; 664 u_short shift; 665 int i; 666 667 fin->fin_flx |= FI_V6EXTHDR; 668 669 /* 8 is default length of extension hdr */ 670 if ((fin->fin_dlen - 8) < 0) { 671 fin->fin_flx |= FI_SHORT; 672 LBUMPD(ipf_stats[fin->fin_out], fr_v6_ext_short); 673 return NULL; 674 } 675 676 if (ipf_pr_pullup(fin, 8) == -1) { 677 LBUMPD(ipf_stats[fin->fin_out], fr_v6_ext_pullup); 678 return NULL; 679 } 680 681 hdr = fin->fin_dp; 682 switch (proto) 683 { 684 case IPPROTO_FRAGMENT : 685 shift = 8; 686 break; 687 default : 688 shift = 8 + (hdr->ip6e_len << 3); 689 break; 690 } 691 692 if (shift > fin->fin_dlen) { /* Nasty extension header length? */ 693 fin->fin_flx |= FI_BAD; 694 LBUMPD(ipf_stats[fin->fin_out], fr_v6_ext_hlen); 695 return NULL; 696 } 697 698 fin->fin_dp = (char *)fin->fin_dp + shift; 699 fin->fin_dlen -= shift; 700 701 /* 702 * If we have seen a fragment header, do not set any flags to indicate 703 * the presence of this extension header as it has no impact on the 704 * end result until after it has been defragmented. 705 */ 706 if (fin->fin_flx & FI_FRAG) 707 return hdr; 708 709 for (i = 0; ip6exthdr[i].ol_bit != 0; i++) 710 if (ip6exthdr[i].ol_val == proto) { 711 /* 712 * Most IPv6 extension headers are only allowed once. 713 */ 714 if ((multiple == 0) && 715 ((fin->fin_optmsk & ip6exthdr[i].ol_bit) != 0)) 716 fin->fin_flx |= FI_BAD; 717 else 718 fin->fin_optmsk |= ip6exthdr[i].ol_bit; 719 break; 720 } 721 722 return hdr; 723} 724 725 726/* ------------------------------------------------------------------------ */ 727/* Function: ipf_pr_hopopts6 */ 728/* Returns: int - value of the next header or IPPROTO_NONE if error */ 729/* Parameters: fin(I) - pointer to packet information */ 730/* */ 731/* IPv6 Only */ 732/* This is function checks pending hop by hop options extension header */ 733/* ------------------------------------------------------------------------ */ 734static INLINE int 735ipf_pr_hopopts6(fin) 736 fr_info_t *fin; 737{ 738 struct ip6_ext *hdr; 739 740 hdr = ipf_pr_ipv6exthdr(fin, 0, IPPROTO_HOPOPTS); 741 if (hdr == NULL) 742 return IPPROTO_NONE; 743 return hdr->ip6e_nxt; 744} 745 746 747/* ------------------------------------------------------------------------ */ 748/* Function: ipf_pr_mobility6 */ 749/* Returns: int - value of the next header or IPPROTO_NONE if error */ 750/* Parameters: fin(I) - pointer to packet information */ 751/* */ 752/* IPv6 Only */ 753/* This is function checks the IPv6 mobility extension header */ 754/* ------------------------------------------------------------------------ */ 755static INLINE int 756ipf_pr_mobility6(fin) 757 fr_info_t *fin; 758{ 759 struct ip6_ext *hdr; 760 761 hdr = ipf_pr_ipv6exthdr(fin, 0, IPPROTO_MOBILITY); 762 if (hdr == NULL) 763 return IPPROTO_NONE; 764 return hdr->ip6e_nxt; 765} 766 767 768/* ------------------------------------------------------------------------ */ 769/* Function: ipf_pr_routing6 */ 770/* Returns: int - value of the next header or IPPROTO_NONE if error */ 771/* Parameters: fin(I) - pointer to packet information */ 772/* */ 773/* IPv6 Only */ 774/* This is function checks pending routing extension header */ 775/* ------------------------------------------------------------------------ */ 776static INLINE int 777ipf_pr_routing6(fin) 778 fr_info_t *fin; 779{ 780 struct ip6_routing *hdr; 781 782 hdr = (struct ip6_routing *)ipf_pr_ipv6exthdr(fin, 0, IPPROTO_ROUTING); 783 if (hdr == NULL) 784 return IPPROTO_NONE; 785 786 switch (hdr->ip6r_type) 787 { 788 case 0 : 789 /* 790 * Nasty extension header length? 791 */ 792 if (((hdr->ip6r_len >> 1) < hdr->ip6r_segleft) || 793 (hdr->ip6r_segleft && (hdr->ip6r_len & 1))) { 794 ipf_main_softc_t *softc = fin->fin_main_soft; 795 796 fin->fin_flx |= FI_BAD; 797 LBUMPD(ipf_stats[fin->fin_out], fr_v6_rh_bad); 798 return IPPROTO_NONE; 799 } 800 break; 801 802 default : 803 break; 804 } 805 806 return hdr->ip6r_nxt; 807} 808 809 810/* ------------------------------------------------------------------------ */ 811/* Function: ipf_pr_fragment6 */ 812/* Returns: int - value of the next header or IPPROTO_NONE if error */ 813/* Parameters: fin(I) - pointer to packet information */ 814/* */ 815/* IPv6 Only */ 816/* Examine the IPv6 fragment header and extract fragment offset information.*/ 817/* */ 818/* Fragments in IPv6 are extraordinarily difficult to deal with - much more */ 819/* so than in IPv4. There are 5 cases of fragments with IPv6 that all */ 820/* packets with a fragment header can fit into. They are as follows: */ 821/* */ 822/* 1. [IPv6][0-n EH][FH][0-n EH] (no L4HDR present) */ 823/* 2. [IPV6][0-n EH][FH][0-n EH][L4HDR part] (short) */ 824/* 3. [IPV6][0-n EH][FH][L4HDR part][0-n data] (short) */ 825/* 4. [IPV6][0-n EH][FH][0-n EH][L4HDR][0-n data] */ 826/* 5. [IPV6][0-n EH][FH][data] */ 827/* */ 828/* IPV6 = IPv6 header, FH = Fragment Header, */ 829/* 0-n EH = 0 or more extension headers, 0-n data = 0 or more bytes of data */ 830/* */ 831/* Packets that match 1, 2, 3 will be dropped as the only reasonable */ 832/* scenario in which they happen is in extreme circumstances that are most */ 833/* likely to be an indication of an attack rather than normal traffic. */ 834/* A type 3 packet may be sent by an attacked after a type 4 packet. There */ 835/* are two rules that can be used to guard against type 3 packets: L4 */ 836/* headers must always be in a packet that has the offset field set to 0 */ 837/* and no packet is allowed to overlay that where offset = 0. */ 838/* ------------------------------------------------------------------------ */ 839static INLINE int 840ipf_pr_fragment6(fin) 841 fr_info_t *fin; 842{ 843 ipf_main_softc_t *softc = fin->fin_main_soft; 844 struct ip6_frag *frag; 845 846 fin->fin_flx |= FI_FRAG; 847 848 frag = (struct ip6_frag *)ipf_pr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT); 849 if (frag == NULL) { 850 LBUMPD(ipf_stats[fin->fin_out], fr_v6_frag_bad); 851 return IPPROTO_NONE; 852 } 853 854 if ((frag->ip6f_offlg & IP6F_MORE_FRAG) != 0) { 855 /* 856 * Any fragment that isn't the last fragment must have its 857 * length as a multiple of 8. 858 */ 859 if ((fin->fin_plen & 7) != 0) 860 fin->fin_flx |= FI_BAD; 861 } 862 863 fin->fin_fraghdr = frag; 864 fin->fin_id = frag->ip6f_ident; 865 fin->fin_off = ntohs(frag->ip6f_offlg & IP6F_OFF_MASK); 866 if (fin->fin_off != 0) 867 fin->fin_flx |= FI_FRAGBODY; 868 869 /* 870 * Jumbograms aren't handled, so the max. length is 64k 871 */ 872 if ((fin->fin_off << 3) + fin->fin_dlen > 65535) 873 fin->fin_flx |= FI_BAD; 874 875 /* 876 * We don't know where the transport layer header (or whatever is next 877 * is), as it could be behind destination options (amongst others) so 878 * return the fragment header as the type of packet this is. Note that 879 * this effectively disables the fragment cache for > 1 protocol at a 880 * time. 881 */ 882 return frag->ip6f_nxt; 883} 884 885 886/* ------------------------------------------------------------------------ */ 887/* Function: ipf_pr_dstopts6 */ 888/* Returns: int - value of the next header or IPPROTO_NONE if error */ 889/* Parameters: fin(I) - pointer to packet information */ 890/* */ 891/* IPv6 Only */ 892/* This is function checks pending destination options extension header */ 893/* ------------------------------------------------------------------------ */ 894static INLINE int 895ipf_pr_dstopts6(fin) 896 fr_info_t *fin; 897{ 898 ipf_main_softc_t *softc = fin->fin_main_soft; 899 struct ip6_ext *hdr; 900 901 hdr = ipf_pr_ipv6exthdr(fin, 0, IPPROTO_DSTOPTS); 902 if (hdr == NULL) { 903 LBUMPD(ipf_stats[fin->fin_out], fr_v6_dst_bad); 904 return IPPROTO_NONE; 905 } 906 return hdr->ip6e_nxt; 907} 908 909 910/* ------------------------------------------------------------------------ */ 911/* Function: ipf_pr_icmp6 */ 912/* Returns: void */ 913/* Parameters: fin(I) - pointer to packet information */ 914/* */ 915/* IPv6 Only */ 916/* This routine is mainly concerned with determining the minimum valid size */ 917/* for an ICMPv6 packet. */ 918/* ------------------------------------------------------------------------ */ 919static INLINE void 920ipf_pr_icmp6(fin) 921 fr_info_t *fin; 922{ 923 int minicmpsz = sizeof(struct icmp6_hdr); 924 struct icmp6_hdr *icmp6; 925 926 if (ipf_pr_pullup(fin, ICMP6ERR_MINPKTLEN - sizeof(ip6_t)) == -1) { 927 ipf_main_softc_t *softc = fin->fin_main_soft; 928 929 LBUMPD(ipf_stats[fin->fin_out], fr_v6_icmp6_pullup); 930 return; 931 } 932 933 if (fin->fin_dlen > 1) { 934 ip6_t *ip6; 935 936 icmp6 = fin->fin_dp; 937 938 fin->fin_data[0] = *(u_short *)icmp6; 939 940 if ((icmp6->icmp6_type & ICMP6_INFOMSG_MASK) != 0) 941 fin->fin_flx |= FI_ICMPQUERY; 942 943 switch (icmp6->icmp6_type) 944 { 945 case ICMP6_ECHO_REPLY : 946 case ICMP6_ECHO_REQUEST : 947 if (fin->fin_dlen >= 6) 948 fin->fin_data[1] = icmp6->icmp6_id; 949 minicmpsz = ICMP6ERR_MINPKTLEN - sizeof(ip6_t); 950 break; 951 952 case ICMP6_DST_UNREACH : 953 case ICMP6_PACKET_TOO_BIG : 954 case ICMP6_TIME_EXCEEDED : 955 case ICMP6_PARAM_PROB : 956 fin->fin_flx |= FI_ICMPERR; 957 minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t); 958 if (fin->fin_plen < ICMP6ERR_IPICMPHLEN) 959 break; 960 961 if (M_LEN(fin->fin_m) < fin->fin_plen) { 962 if (ipf_coalesce(fin) != 1) 963 return; 964 } 965 966 if (ipf_pr_pullup(fin, ICMP6ERR_MINPKTLEN) == -1) 967 return; 968 969 /* 970 * If the destination of this packet doesn't match the 971 * source of the original packet then this packet is 972 * not correct. 973 */ 974 icmp6 = fin->fin_dp; 975 ip6 = (ip6_t *)((char *)icmp6 + ICMPERR_ICMPHLEN); 976 if (IP6_NEQ(&fin->fin_fi.fi_dst, 977 (i6addr_t *)&ip6->ip6_src)) 978 fin->fin_flx |= FI_BAD; 979 break; 980 default : 981 break; 982 } 983 } 984 985 ipf_pr_short6(fin, minicmpsz); 986 if ((fin->fin_flx & (FI_SHORT|FI_BAD)) == 0) { 987 u_char p = fin->fin_p; 988 989 fin->fin_p = IPPROTO_ICMPV6; 990 ipf_checkv6sum(fin); 991 fin->fin_p = p; 992 } 993} 994 995 996/* ------------------------------------------------------------------------ */ 997/* Function: ipf_pr_udp6 */ 998/* Returns: void */ 999/* Parameters: fin(I) - pointer to packet information */ 1000/* */ 1001/* IPv6 Only */ 1002/* Analyse the packet for IPv6/UDP properties. */ 1003/* Is not expected to be called for fragmented packets. */ 1004/* ------------------------------------------------------------------------ */ 1005static INLINE void 1006ipf_pr_udp6(fin) 1007 fr_info_t *fin; 1008{ 1009 1010 if (ipf_pr_udpcommon(fin) == 0) { 1011 u_char p = fin->fin_p; 1012 1013 fin->fin_p = IPPROTO_UDP; 1014 ipf_checkv6sum(fin); 1015 fin->fin_p = p; 1016 } 1017} 1018 1019 1020/* ------------------------------------------------------------------------ */ 1021/* Function: ipf_pr_tcp6 */ 1022/* Returns: void */ 1023/* Parameters: fin(I) - pointer to packet information */ 1024/* */ 1025/* IPv6 Only */ 1026/* Analyse the packet for IPv6/TCP properties. */ 1027/* Is not expected to be called for fragmented packets. */ 1028/* ------------------------------------------------------------------------ */ 1029static INLINE void 1030ipf_pr_tcp6(fin) 1031 fr_info_t *fin; 1032{ 1033 1034 if (ipf_pr_tcpcommon(fin) == 0) { 1035 u_char p = fin->fin_p; 1036 1037 fin->fin_p = IPPROTO_TCP; 1038 ipf_checkv6sum(fin); 1039 fin->fin_p = p; 1040 } 1041} 1042 1043 1044/* ------------------------------------------------------------------------ */ 1045/* Function: ipf_pr_esp6 */ 1046/* Returns: void */ 1047/* Parameters: fin(I) - pointer to packet information */ 1048/* */ 1049/* IPv6 Only */ 1050/* Analyse the packet for ESP properties. */ 1051/* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */ 1052/* even though the newer ESP packets must also have a sequence number that */ 1053/* is 32bits as well, it is not possible(?) to determine the version from a */ 1054/* simple packet header. */ 1055/* ------------------------------------------------------------------------ */ 1056static INLINE void 1057ipf_pr_esp6(fin) 1058 fr_info_t *fin; 1059{ 1060 1061 if ((fin->fin_off == 0) && (ipf_pr_pullup(fin, 8) == -1)) { 1062 ipf_main_softc_t *softc = fin->fin_main_soft; 1063 1064 LBUMPD(ipf_stats[fin->fin_out], fr_v6_esp_pullup); 1065 return; 1066 } 1067} 1068 1069 1070/* ------------------------------------------------------------------------ */ 1071/* Function: ipf_pr_ah6 */ 1072/* Returns: int - value of the next header or IPPROTO_NONE if error */ 1073/* Parameters: fin(I) - pointer to packet information */ 1074/* */ 1075/* IPv6 Only */ 1076/* Analyse the packet for AH properties. */ 1077/* The minimum length is taken to be the combination of all fields in the */ 1078/* header being present and no authentication data (null algorithm used.) */ 1079/* ------------------------------------------------------------------------ */ 1080static INLINE int 1081ipf_pr_ah6(fin) 1082 fr_info_t *fin; 1083{ 1084 authhdr_t *ah; 1085 1086 fin->fin_flx |= FI_AH; 1087 1088 ah = (authhdr_t *)ipf_pr_ipv6exthdr(fin, 0, IPPROTO_HOPOPTS); 1089 if (ah == NULL) { 1090 ipf_main_softc_t *softc = fin->fin_main_soft; 1091 1092 LBUMPD(ipf_stats[fin->fin_out], fr_v6_ah_bad); 1093 return IPPROTO_NONE; 1094 } 1095 1096 ipf_pr_short6(fin, sizeof(*ah)); 1097 1098 /* 1099 * No need for another pullup, ipf_pr_ipv6exthdr() will pullup 1100 * enough data to satisfy ah_next (the very first one.) 1101 */ 1102 return ah->ah_next; 1103} 1104 1105 1106/* ------------------------------------------------------------------------ */ 1107/* Function: ipf_pr_gre6 */ 1108/* Returns: void */ 1109/* Parameters: fin(I) - pointer to packet information */ 1110/* */ 1111/* Analyse the packet for GRE properties. */ 1112/* ------------------------------------------------------------------------ */ 1113static INLINE void 1114ipf_pr_gre6(fin) 1115 fr_info_t *fin; 1116{ 1117 grehdr_t *gre; 1118 1119 if (ipf_pr_pullup(fin, sizeof(grehdr_t)) == -1) { 1120 ipf_main_softc_t *softc = fin->fin_main_soft; 1121 1122 LBUMPD(ipf_stats[fin->fin_out], fr_v6_gre_pullup); 1123 return; 1124 } 1125 1126 gre = fin->fin_dp; 1127 if (GRE_REV(gre->gr_flags) == 1) 1128 fin->fin_data[0] = gre->gr_call; 1129} 1130#endif /* USE_INET6 */ 1131 1132 1133/* ------------------------------------------------------------------------ */ 1134/* Function: ipf_pr_pullup */ 1135/* Returns: int - 0 == pullup succeeded, -1 == failure */ 1136/* Parameters: fin(I) - pointer to packet information */ 1137/* plen(I) - length (excluding L3 header) to pullup */ 1138/* */ 1139/* Short inline function to cut down on code duplication to perform a call */ 1140/* to ipf_pullup to ensure there is the required amount of data, */ 1141/* consecutively in the packet buffer. */ 1142/* */ 1143/* This function pulls up 'extra' data at the location of fin_dp. fin_dp */ 1144/* points to the first byte after the complete layer 3 header, which will */ 1145/* include all of the known extension headers for IPv6 or options for IPv4. */ 1146/* */ 1147/* Since fr_pullup() expects the total length of bytes to be pulled up, it */ 1148/* is necessary to add those we can already assume to be pulled up (fin_dp */ 1149/* - fin_ip) to what is passed through. */ 1150/* ------------------------------------------------------------------------ */ 1151int 1152ipf_pr_pullup(fin, plen) 1153 fr_info_t *fin; 1154 int plen; 1155{ 1156 ipf_main_softc_t *softc = fin->fin_main_soft; 1157 1158 if (fin->fin_m != NULL) { 1159 if (fin->fin_dp != NULL) 1160 plen += (char *)fin->fin_dp - 1161 ((char *)fin->fin_ip + fin->fin_hlen); 1162 plen += fin->fin_hlen; 1163 if (M_LEN(fin->fin_m) < plen + fin->fin_ipoff) { 1164#if defined(_KERNEL) 1165 if (ipf_pullup(fin->fin_m, fin, plen) == NULL) { 1166 DT(ipf_pullup_fail); 1167 LBUMP(ipf_stats[fin->fin_out].fr_pull[1]); 1168 return -1; 1169 } 1170 LBUMP(ipf_stats[fin->fin_out].fr_pull[0]); 1171#else 1172 LBUMP(ipf_stats[fin->fin_out].fr_pull[1]); 1173 /* 1174 * Fake ipf_pullup failing 1175 */ 1176 fin->fin_reason = FRB_PULLUP; 1177 *fin->fin_mp = NULL; 1178 fin->fin_m = NULL; 1179 fin->fin_ip = NULL; 1180 return -1; 1181#endif 1182 } 1183 } 1184 return 0; 1185} 1186 1187 1188/* ------------------------------------------------------------------------ */ 1189/* Function: ipf_pr_short */ 1190/* Returns: void */ 1191/* Parameters: fin(I) - pointer to packet information */ 1192/* xmin(I) - minimum header size */ 1193/* */ 1194/* Check if a packet is "short" as defined by xmin. The rule we are */ 1195/* applying here is that the packet must not be fragmented within the layer */ 1196/* 4 header. That is, it must not be a fragment that has its offset set to */ 1197/* start within the layer 4 header (hdrmin) or if it is at offset 0, the */ 1198/* entire layer 4 header must be present (min). */ 1199/* ------------------------------------------------------------------------ */ 1200static INLINE void 1201ipf_pr_short(fin, xmin) 1202 fr_info_t *fin; 1203 int xmin; 1204{ 1205 1206 if (fin->fin_off == 0) { 1207 if (fin->fin_dlen < xmin) 1208 fin->fin_flx |= FI_SHORT; 1209 } else if (fin->fin_off < xmin) { 1210 fin->fin_flx |= FI_SHORT; 1211 } 1212} 1213 1214 1215/* ------------------------------------------------------------------------ */ 1216/* Function: ipf_pr_icmp */ 1217/* Returns: void */ 1218/* Parameters: fin(I) - pointer to packet information */ 1219/* */ 1220/* IPv4 Only */ 1221/* Do a sanity check on the packet for ICMP (v4). In nearly all cases, */ 1222/* except extrememly bad packets, both type and code will be present. */ 1223/* The expected minimum size of an ICMP packet is very much dependent on */ 1224/* the type of it. */ 1225/* */ 1226/* XXX - other ICMP sanity checks? */ 1227/* ------------------------------------------------------------------------ */ 1228static INLINE void 1229ipf_pr_icmp(fin) 1230 fr_info_t *fin; 1231{ 1232 ipf_main_softc_t *softc = fin->fin_main_soft; 1233 int minicmpsz = sizeof(struct icmp); 1234 icmphdr_t *icmp; 1235 ip_t *oip; 1236 1237 ipf_pr_short(fin, ICMPERR_ICMPHLEN); 1238 1239 if (fin->fin_off != 0) { 1240 LBUMPD(ipf_stats[fin->fin_out], fr_v4_icmp_frag); 1241 return; 1242 } 1243 1244 if (ipf_pr_pullup(fin, ICMPERR_ICMPHLEN) == -1) { 1245 LBUMPD(ipf_stats[fin->fin_out], fr_v4_icmp_pullup); 1246 return; 1247 } 1248 1249 icmp = fin->fin_dp; 1250 1251 fin->fin_data[0] = *(u_short *)icmp; 1252 fin->fin_data[1] = icmp->icmp_id; 1253 1254 switch (icmp->icmp_type) 1255 { 1256 case ICMP_ECHOREPLY : 1257 case ICMP_ECHO : 1258 /* Router discovery messaes - RFC 1256 */ 1259 case ICMP_ROUTERADVERT : 1260 case ICMP_ROUTERSOLICIT : 1261 fin->fin_flx |= FI_ICMPQUERY; 1262 minicmpsz = ICMP_MINLEN; 1263 break; 1264 /* 1265 * type(1) + code(1) + cksum(2) + id(2) seq(2) + 1266 * 3 * timestamp(3 * 4) 1267 */ 1268 case ICMP_TSTAMP : 1269 case ICMP_TSTAMPREPLY : 1270 fin->fin_flx |= FI_ICMPQUERY; 1271 minicmpsz = 20; 1272 break; 1273 /* 1274 * type(1) + code(1) + cksum(2) + id(2) seq(2) + 1275 * mask(4) 1276 */ 1277 case ICMP_IREQ : 1278 case ICMP_IREQREPLY : 1279 case ICMP_MASKREQ : 1280 case ICMP_MASKREPLY : 1281 fin->fin_flx |= FI_ICMPQUERY; 1282 minicmpsz = 12; 1283 break; 1284 /* 1285 * type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+) 1286 */ 1287 case ICMP_UNREACH : 1288#ifdef icmp_nextmtu 1289 if (icmp->icmp_code == ICMP_UNREACH_NEEDFRAG) { 1290 if (icmp->icmp_nextmtu < softc->ipf_icmpminfragmtu) 1291 fin->fin_flx |= FI_BAD; 1292 } 1293#endif 1294 /* FALLTHROUGH */ 1295 case ICMP_SOURCEQUENCH : 1296 case ICMP_REDIRECT : 1297 case ICMP_TIMXCEED : 1298 case ICMP_PARAMPROB : 1299 fin->fin_flx |= FI_ICMPERR; 1300 if (ipf_coalesce(fin) != 1) { 1301 LBUMPD(ipf_stats[fin->fin_out], fr_icmp_coalesce); 1302 return; 1303 } 1304 1305 /* 1306 * ICMP error packets should not be generated for IP 1307 * packets that are a fragment that isn't the first 1308 * fragment. 1309 */ 1310 oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN); 1311 if ((ntohs(oip->ip_off) & IP_OFFMASK) != 0) 1312 fin->fin_flx |= FI_BAD; 1313 1314 /* 1315 * If the destination of this packet doesn't match the 1316 * source of the original packet then this packet is 1317 * not correct. 1318 */ 1319 if (oip->ip_src.s_addr != fin->fin_daddr) 1320 fin->fin_flx |= FI_BAD; 1321 break; 1322 default : 1323 break; 1324 } 1325 1326 ipf_pr_short(fin, minicmpsz); 1327 1328 ipf_checkv4sum(fin); 1329} 1330 1331 1332/* ------------------------------------------------------------------------ */ 1333/* Function: ipf_pr_tcpcommon */ 1334/* Returns: int - 0 = header ok, 1 = bad packet, -1 = buffer error */ 1335/* Parameters: fin(I) - pointer to packet information */ 1336/* */ 1337/* TCP header sanity checking. Look for bad combinations of TCP flags, */ 1338/* and make some checks with how they interact with other fields. */ 1339/* If compiled with IPFILTER_CKSUM, check to see if the TCP checksum is */ 1340/* valid and mark the packet as bad if not. */ 1341/* ------------------------------------------------------------------------ */ 1342static INLINE int 1343ipf_pr_tcpcommon(fin) 1344 fr_info_t *fin; 1345{ 1346 ipf_main_softc_t *softc = fin->fin_main_soft; 1347 int flags, tlen; 1348 tcphdr_t *tcp; 1349 1350 fin->fin_flx |= FI_TCPUDP; 1351 if (fin->fin_off != 0) { 1352 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_frag); 1353 return 0; 1354 } 1355 1356 if (ipf_pr_pullup(fin, sizeof(*tcp)) == -1) { 1357 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_pullup); 1358 return -1; 1359 } 1360 1361 tcp = fin->fin_dp; 1362 if (fin->fin_dlen > 3) { 1363 fin->fin_sport = ntohs(tcp->th_sport); 1364 fin->fin_dport = ntohs(tcp->th_dport); 1365 } 1366 1367 if ((fin->fin_flx & FI_SHORT) != 0) { 1368 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_short); 1369 return 1; 1370 } 1371 1372 /* 1373 * Use of the TCP data offset *must* result in a value that is at 1374 * least the same size as the TCP header. 1375 */ 1376 tlen = TCP_OFF(tcp) << 2; 1377 if (tlen < sizeof(tcphdr_t)) { 1378 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_small); 1379 fin->fin_flx |= FI_BAD; 1380 return 1; 1381 } 1382 1383 flags = tcp->th_flags; 1384 fin->fin_tcpf = tcp->th_flags; 1385 1386 /* 1387 * If the urgent flag is set, then the urgent pointer must 1388 * also be set and vice versa. Good TCP packets do not have 1389 * just one of these set. 1390 */ 1391 if ((flags & TH_URG) != 0 && (tcp->th_urp == 0)) { 1392 fin->fin_flx |= FI_BAD; 1393#if 0 1394 } else if ((flags & TH_URG) == 0 && (tcp->th_urp != 0)) { 1395 /* 1396 * Ignore this case (#if 0) as it shows up in "real" 1397 * traffic with bogus values in the urgent pointer field. 1398 */ 1399 fin->fin_flx |= FI_BAD; 1400#endif 1401 } else if (((flags & (TH_SYN|TH_FIN)) != 0) && 1402 ((flags & (TH_RST|TH_ACK)) == TH_RST)) { 1403 /* TH_FIN|TH_RST|TH_ACK seems to appear "naturally" */ 1404 fin->fin_flx |= FI_BAD; 1405#if 1 1406 } else if (((flags & TH_SYN) != 0) && 1407 ((flags & (TH_URG|TH_PUSH)) != 0)) { 1408 /* 1409 * SYN with URG and PUSH set is not for normal TCP but it is 1410 * possible(?) with T/TCP...but who uses T/TCP? 1411 */ 1412 fin->fin_flx |= FI_BAD; 1413#endif 1414 } else if (!(flags & TH_ACK)) { 1415 /* 1416 * If the ack bit isn't set, then either the SYN or 1417 * RST bit must be set. If the SYN bit is set, then 1418 * we expect the ACK field to be 0. If the ACK is 1419 * not set and if URG, PSH or FIN are set, consdier 1420 * that to indicate a bad TCP packet. 1421 */ 1422 if ((flags == TH_SYN) && (tcp->th_ack != 0)) { 1423 /* 1424 * Cisco PIX sets the ACK field to a random value. 1425 * In light of this, do not set FI_BAD until a patch 1426 * is available from Cisco to ensure that 1427 * interoperability between existing systems is 1428 * achieved. 1429 */ 1430 /*fin->fin_flx |= FI_BAD*/; 1431 } else if (!(flags & (TH_RST|TH_SYN))) { 1432 fin->fin_flx |= FI_BAD; 1433 } else if ((flags & (TH_URG|TH_PUSH|TH_FIN)) != 0) { 1434 fin->fin_flx |= FI_BAD; 1435 } 1436 } 1437 if (fin->fin_flx & FI_BAD) { 1438 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_bad_flags); 1439 return 1; 1440 } 1441 1442 /* 1443 * At this point, it's not exactly clear what is to be gained by 1444 * marking up which TCP options are and are not present. The one we 1445 * are most interested in is the TCP window scale. This is only in 1446 * a SYN packet [RFC1323] so we don't need this here...? 1447 * Now if we were to analyse the header for passive fingerprinting, 1448 * then that might add some weight to adding this... 1449 */ 1450 if (tlen == sizeof(tcphdr_t)) { 1451 return 0; 1452 } 1453 1454 if (ipf_pr_pullup(fin, tlen) == -1) { 1455 LBUMPD(ipf_stats[fin->fin_out], fr_tcp_pullup); 1456 return -1; 1457 } 1458 1459#if 0 1460 tcp = fin->fin_dp; 1461 ip = fin->fin_ip; 1462 s = (u_char *)(tcp + 1); 1463 off = IP_HL(ip) << 2; 1464# ifdef _KERNEL 1465 if (fin->fin_mp != NULL) { 1466 mb_t *m = *fin->fin_mp; 1467 1468 if (off + tlen > M_LEN(m)) 1469 return; 1470 } 1471# endif 1472 for (tlen -= (int)sizeof(*tcp); tlen > 0; ) { 1473 opt = *s; 1474 if (opt == '\0') 1475 break; 1476 else if (opt == TCPOPT_NOP) 1477 ol = 1; 1478 else { 1479 if (tlen < 2) 1480 break; 1481 ol = (int)*(s + 1); 1482 if (ol < 2 || ol > tlen) 1483 break; 1484 } 1485 1486 for (i = 9, mv = 4; mv >= 0; ) { 1487 op = ipopts + i; 1488 if (opt == (u_char)op->ol_val) { 1489 optmsk |= op->ol_bit; 1490 break; 1491 } 1492 } 1493 tlen -= ol; 1494 s += ol; 1495 } 1496#endif /* 0 */ 1497 1498 return 0; 1499} 1500 1501 1502 1503/* ------------------------------------------------------------------------ */ 1504/* Function: ipf_pr_udpcommon */ 1505/* Returns: int - 0 = header ok, 1 = bad packet */ 1506/* Parameters: fin(I) - pointer to packet information */ 1507/* */ 1508/* Extract the UDP source and destination ports, if present. If compiled */ 1509/* with IPFILTER_CKSUM, check to see if the UDP checksum is valid. */ 1510/* ------------------------------------------------------------------------ */ 1511static INLINE int 1512ipf_pr_udpcommon(fin) 1513 fr_info_t *fin; 1514{ 1515 udphdr_t *udp; 1516 1517 fin->fin_flx |= FI_TCPUDP; 1518 1519 if (!fin->fin_off && (fin->fin_dlen > 3)) { 1520 if (ipf_pr_pullup(fin, sizeof(*udp)) == -1) { 1521 ipf_main_softc_t *softc = fin->fin_main_soft; 1522 1523 fin->fin_flx |= FI_SHORT; 1524 LBUMPD(ipf_stats[fin->fin_out], fr_udp_pullup); 1525 return 1; 1526 } 1527 1528 udp = fin->fin_dp; 1529 1530 fin->fin_sport = ntohs(udp->uh_sport); 1531 fin->fin_dport = ntohs(udp->uh_dport); 1532 } 1533 1534 return 0; 1535} 1536 1537 1538/* ------------------------------------------------------------------------ */ 1539/* Function: ipf_pr_tcp */ 1540/* Returns: void */ 1541/* Parameters: fin(I) - pointer to packet information */ 1542/* */ 1543/* IPv4 Only */ 1544/* Analyse the packet for IPv4/TCP properties. */ 1545/* ------------------------------------------------------------------------ */ 1546static INLINE void 1547ipf_pr_tcp(fin) 1548 fr_info_t *fin; 1549{ 1550 1551 ipf_pr_short(fin, sizeof(tcphdr_t)); 1552 1553 if (ipf_pr_tcpcommon(fin) == 0) 1554 ipf_checkv4sum(fin); 1555} 1556 1557 1558/* ------------------------------------------------------------------------ */ 1559/* Function: ipf_pr_udp */ 1560/* Returns: void */ 1561/* Parameters: fin(I) - pointer to packet information */ 1562/* */ 1563/* IPv4 Only */ 1564/* Analyse the packet for IPv4/UDP properties. */ 1565/* ------------------------------------------------------------------------ */ 1566static INLINE void 1567ipf_pr_udp(fin) 1568 fr_info_t *fin; 1569{ 1570 1571 ipf_pr_short(fin, sizeof(udphdr_t)); 1572 1573 if (ipf_pr_udpcommon(fin) == 0) 1574 ipf_checkv4sum(fin); 1575} 1576 1577 1578/* ------------------------------------------------------------------------ */ 1579/* Function: ipf_pr_esp */ 1580/* Returns: void */ 1581/* Parameters: fin(I) - pointer to packet information */ 1582/* */ 1583/* Analyse the packet for ESP properties. */ 1584/* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */ 1585/* even though the newer ESP packets must also have a sequence number that */ 1586/* is 32bits as well, it is not possible(?) to determine the version from a */ 1587/* simple packet header. */ 1588/* ------------------------------------------------------------------------ */ 1589static INLINE void 1590ipf_pr_esp(fin) 1591 fr_info_t *fin; 1592{ 1593 1594 if (fin->fin_off == 0) { 1595 ipf_pr_short(fin, 8); 1596 if (ipf_pr_pullup(fin, 8) == -1) { 1597 ipf_main_softc_t *softc = fin->fin_main_soft; 1598 1599 LBUMPD(ipf_stats[fin->fin_out], fr_v4_esp_pullup); 1600 } 1601 } 1602} 1603 1604 1605/* ------------------------------------------------------------------------ */ 1606/* Function: ipf_pr_ah */ 1607/* Returns: int - value of the next header or IPPROTO_NONE if error */ 1608/* Parameters: fin(I) - pointer to packet information */ 1609/* */ 1610/* Analyse the packet for AH properties. */ 1611/* The minimum length is taken to be the combination of all fields in the */ 1612/* header being present and no authentication data (null algorithm used.) */ 1613/* ------------------------------------------------------------------------ */ 1614static INLINE int 1615ipf_pr_ah(fin) 1616 fr_info_t *fin; 1617{ 1618 ipf_main_softc_t *softc = fin->fin_main_soft; 1619 authhdr_t *ah; 1620 int len; 1621 1622 fin->fin_flx |= FI_AH; 1623 ipf_pr_short(fin, sizeof(*ah)); 1624 1625 if (((fin->fin_flx & FI_SHORT) != 0) || (fin->fin_off != 0)) { 1626 LBUMPD(ipf_stats[fin->fin_out], fr_v4_ah_bad); 1627 return IPPROTO_NONE; 1628 } 1629 1630 if (ipf_pr_pullup(fin, sizeof(*ah)) == -1) { 1631 DT(fr_v4_ah_pullup_1); 1632 LBUMP(ipf_stats[fin->fin_out].fr_v4_ah_pullup); 1633 return IPPROTO_NONE; 1634 } 1635 1636 ah = (authhdr_t *)fin->fin_dp; 1637 1638 len = (ah->ah_plen + 2) << 2; 1639 ipf_pr_short(fin, len); 1640 if (ipf_pr_pullup(fin, len) == -1) { 1641 DT(fr_v4_ah_pullup_2); 1642 LBUMP(ipf_stats[fin->fin_out].fr_v4_ah_pullup); 1643 return IPPROTO_NONE; 1644 } 1645 1646 /* 1647 * Adjust fin_dp and fin_dlen for skipping over the authentication 1648 * header. 1649 */ 1650 fin->fin_dp = (char *)fin->fin_dp + len; 1651 fin->fin_dlen -= len; 1652 return ah->ah_next; 1653} 1654 1655 1656/* ------------------------------------------------------------------------ */ 1657/* Function: ipf_pr_gre */ 1658/* Returns: void */ 1659/* Parameters: fin(I) - pointer to packet information */ 1660/* */ 1661/* Analyse the packet for GRE properties. */ 1662/* ------------------------------------------------------------------------ */ 1663static INLINE void 1664ipf_pr_gre(fin) 1665 fr_info_t *fin; 1666{ 1667 ipf_main_softc_t *softc = fin->fin_main_soft; 1668 grehdr_t *gre; 1669 1670 ipf_pr_short(fin, sizeof(grehdr_t)); 1671 1672 if (fin->fin_off != 0) { 1673 LBUMPD(ipf_stats[fin->fin_out], fr_v4_gre_frag); 1674 return; 1675 } 1676 1677 if (ipf_pr_pullup(fin, sizeof(grehdr_t)) == -1) { 1678 LBUMPD(ipf_stats[fin->fin_out], fr_v4_gre_pullup); 1679 return; 1680 } 1681 1682 gre = fin->fin_dp; 1683 if (GRE_REV(gre->gr_flags) == 1) 1684 fin->fin_data[0] = gre->gr_call; 1685} 1686 1687 1688/* ------------------------------------------------------------------------ */ 1689/* Function: ipf_pr_ipv4hdr */ 1690/* Returns: void */ 1691/* Parameters: fin(I) - pointer to packet information */ 1692/* */ 1693/* IPv4 Only */ 1694/* Analyze the IPv4 header and set fields in the fr_info_t structure. */ 1695/* Check all options present and flag their presence if any exist. */ 1696/* ------------------------------------------------------------------------ */ 1697static INLINE void 1698ipf_pr_ipv4hdr(fin) 1699 fr_info_t *fin; 1700{ 1701 u_short optmsk = 0, secmsk = 0, auth = 0; 1702 int hlen, ol, mv, p, i; 1703 const struct optlist *op; 1704 u_char *s, opt; 1705 u_short off; 1706 fr_ip_t *fi; 1707 ip_t *ip; 1708 1709 fi = &fin->fin_fi; 1710 hlen = fin->fin_hlen; 1711 1712 ip = fin->fin_ip; 1713 p = ip->ip_p; 1714 fi->fi_p = p; 1715 fin->fin_crc = p; 1716 fi->fi_tos = ip->ip_tos; 1717 fin->fin_id = ip->ip_id; 1718 off = ntohs(ip->ip_off); 1719 1720 /* Get both TTL and protocol */ 1721 fi->fi_p = ip->ip_p; 1722 fi->fi_ttl = ip->ip_ttl; 1723 1724 /* Zero out bits not used in IPv6 address */ 1725 fi->fi_src.i6[1] = 0; 1726 fi->fi_src.i6[2] = 0; 1727 fi->fi_src.i6[3] = 0; 1728 fi->fi_dst.i6[1] = 0; 1729 fi->fi_dst.i6[2] = 0; 1730 fi->fi_dst.i6[3] = 0; 1731 1732 fi->fi_saddr = ip->ip_src.s_addr; 1733 fin->fin_crc += fi->fi_saddr; 1734 fi->fi_daddr = ip->ip_dst.s_addr; 1735 fin->fin_crc += fi->fi_daddr; 1736 if (IN_CLASSD(ntohl(fi->fi_daddr))) 1737 fin->fin_flx |= FI_MULTICAST|FI_MBCAST; 1738 1739 /* 1740 * set packet attribute flags based on the offset and 1741 * calculate the byte offset that it represents. 1742 */ 1743 off &= IP_MF|IP_OFFMASK; 1744 if (off != 0) { 1745 int morefrag = off & IP_MF; 1746 1747 fi->fi_flx |= FI_FRAG; 1748 off &= IP_OFFMASK; 1749 if (off != 0) { 1750 fin->fin_flx |= FI_FRAGBODY; 1751 off <<= 3; 1752 if ((off + fin->fin_dlen > 65535) || 1753 (fin->fin_dlen == 0) || 1754 ((morefrag != 0) && ((fin->fin_dlen & 7) != 0))) { 1755 /* 1756 * The length of the packet, starting at its 1757 * offset cannot exceed 65535 (0xffff) as the 1758 * length of an IP packet is only 16 bits. 1759 * 1760 * Any fragment that isn't the last fragment 1761 * must have a length greater than 0 and it 1762 * must be an even multiple of 8. 1763 */ 1764 fi->fi_flx |= FI_BAD; 1765 } 1766 } 1767 } 1768 fin->fin_off = off; 1769 1770 /* 1771 * Call per-protocol setup and checking 1772 */ 1773 if (p == IPPROTO_AH) { 1774 /* 1775 * Treat AH differently because we expect there to be another 1776 * layer 4 header after it. 1777 */ 1778 p = ipf_pr_ah(fin); 1779 } 1780 1781 switch (p) 1782 { 1783 case IPPROTO_UDP : 1784 ipf_pr_udp(fin); 1785 break; 1786 case IPPROTO_TCP : 1787 ipf_pr_tcp(fin); 1788 break; 1789 case IPPROTO_ICMP : 1790 ipf_pr_icmp(fin); 1791 break; 1792 case IPPROTO_ESP : 1793 ipf_pr_esp(fin); 1794 break; 1795 case IPPROTO_GRE : 1796 ipf_pr_gre(fin); 1797 break; 1798 } 1799 1800 ip = fin->fin_ip; 1801 if (ip == NULL) 1802 return; 1803 1804 /* 1805 * If it is a standard IP header (no options), set the flag fields 1806 * which relate to options to 0. 1807 */ 1808 if (hlen == sizeof(*ip)) { 1809 fi->fi_optmsk = 0; 1810 fi->fi_secmsk = 0; 1811 fi->fi_auth = 0; 1812 return; 1813 } 1814 1815 /* 1816 * So the IP header has some IP options attached. Walk the entire 1817 * list of options present with this packet and set flags to indicate 1818 * which ones are here and which ones are not. For the somewhat out 1819 * of date and obscure security classification options, set a flag to 1820 * represent which classification is present. 1821 */ 1822 fi->fi_flx |= FI_OPTIONS; 1823 1824 for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) { 1825 opt = *s; 1826 if (opt == '\0') 1827 break; 1828 else if (opt == IPOPT_NOP) 1829 ol = 1; 1830 else { 1831 if (hlen < 2) 1832 break; 1833 ol = (int)*(s + 1); 1834 if (ol < 2 || ol > hlen) 1835 break; 1836 } 1837 for (i = 9, mv = 4; mv >= 0; ) { 1838 op = ipopts + i; 1839 1840 if ((opt == (u_char)op->ol_val) && (ol > 4)) { 1841 u_32_t doi; 1842 1843 switch (opt) 1844 { 1845 case IPOPT_SECURITY : 1846 if (optmsk & op->ol_bit) { 1847 fin->fin_flx |= FI_BAD; 1848 } else { 1849 doi = ipf_checkripso(s); 1850 secmsk = doi >> 16; 1851 auth = doi & 0xffff; 1852 } 1853 break; 1854 1855 case IPOPT_CIPSO : 1856 1857 if (optmsk & op->ol_bit) { 1858 fin->fin_flx |= FI_BAD; 1859 } else { 1860 doi = ipf_checkcipso(fin, 1861 s, ol); 1862 secmsk = doi >> 16; 1863 auth = doi & 0xffff; 1864 } 1865 break; 1866 } 1867 optmsk |= op->ol_bit; 1868 } 1869 1870 if (opt < op->ol_val) 1871 i -= mv; 1872 else 1873 i += mv; 1874 mv--; 1875 } 1876 hlen -= ol; 1877 s += ol; 1878 } 1879 1880 /* 1881 * 1882 */ 1883 if (auth && !(auth & 0x0100)) 1884 auth &= 0xff00; 1885 fi->fi_optmsk = optmsk; 1886 fi->fi_secmsk = secmsk; 1887 fi->fi_auth = auth; 1888} 1889 1890 1891/* ------------------------------------------------------------------------ */ 1892/* Function: ipf_checkripso */ 1893/* Returns: void */ 1894/* Parameters: s(I) - pointer to start of RIPSO option */ 1895/* */ 1896/* ------------------------------------------------------------------------ */ 1897static u_32_t 1898ipf_checkripso(s) 1899 u_char *s; 1900{ 1901 const struct optlist *sp; 1902 u_short secmsk = 0, auth = 0; 1903 u_char sec; 1904 int j, m; 1905 1906 sec = *(s + 2); /* classification */ 1907 for (j = 3, m = 2; m >= 0; ) { 1908 sp = secopt + j; 1909 if (sec == sp->ol_val) { 1910 secmsk |= sp->ol_bit; 1911 auth = *(s + 3); 1912 auth *= 256; 1913 auth += *(s + 4); 1914 break; 1915 } 1916 if (sec < sp->ol_val) 1917 j -= m; 1918 else 1919 j += m; 1920 m--; 1921 } 1922 1923 return (secmsk << 16) | auth; 1924} 1925 1926 1927/* ------------------------------------------------------------------------ */ 1928/* Function: ipf_checkcipso */ 1929/* Returns: u_32_t - 0 = failure, else the doi from the header */ 1930/* Parameters: fin(IO) - pointer to packet information */ 1931/* s(I) - pointer to start of CIPSO option */ 1932/* ol(I) - length of CIPSO option field */ 1933/* */ 1934/* This function returns the domain of integrity (DOI) field from the CIPSO */ 1935/* header and returns that whilst also storing the highest sensitivity */ 1936/* value found in the fr_info_t structure. */ 1937/* */ 1938/* No attempt is made to extract the category bitmaps as these are defined */ 1939/* by the user (rather than the protocol) and can be rather numerous on the */ 1940/* end nodes. */ 1941/* ------------------------------------------------------------------------ */ 1942static u_32_t 1943ipf_checkcipso(fin, s, ol) 1944 fr_info_t *fin; 1945 u_char *s; 1946 int ol; 1947{ 1948 ipf_main_softc_t *softc = fin->fin_main_soft; 1949 fr_ip_t *fi; 1950 u_32_t doi; 1951 u_char *t, tag, tlen, sensitivity; 1952 int len; 1953 1954 if (ol < 6 || ol > 40) { 1955 LBUMPD(ipf_stats[fin->fin_out], fr_v4_cipso_bad); 1956 fin->fin_flx |= FI_BAD; 1957 return 0; 1958 } 1959 1960 fi = &fin->fin_fi; 1961 fi->fi_sensitivity = 0; 1962 /* 1963 * The DOI field MUST be there. 1964 */ 1965 bcopy(s + 2, &doi, sizeof(doi)); 1966 1967 t = (u_char *)s + 6; 1968 for (len = ol - 6; len >= 2; len -= tlen, t+= tlen) { 1969 tag = *t; 1970 tlen = *(t + 1); 1971 if (tlen > len || tlen < 4 || tlen > 34) { 1972 LBUMPD(ipf_stats[fin->fin_out], fr_v4_cipso_tlen); 1973 fin->fin_flx |= FI_BAD; 1974 return 0; 1975 } 1976 1977 sensitivity = 0; 1978 /* 1979 * Tag numbers 0, 1, 2, 5 are laid out in the CIPSO Internet 1980 * draft (16 July 1992) that has expired. 1981 */ 1982 if (tag == 0) { 1983 fin->fin_flx |= FI_BAD; 1984 continue; 1985 } else if (tag == 1) { 1986 if (*(t + 2) != 0) { 1987 fin->fin_flx |= FI_BAD; 1988 continue; 1989 } 1990 sensitivity = *(t + 3); 1991 /* Category bitmap for categories 0-239 */ 1992 1993 } else if (tag == 4) { 1994 if (*(t + 2) != 0) { 1995 fin->fin_flx |= FI_BAD; 1996 continue; 1997 } 1998 sensitivity = *(t + 3); 1999 /* Enumerated categories, 16bits each, upto 15 */ 2000 2001 } else if (tag == 5) { 2002 if (*(t + 2) != 0) { 2003 fin->fin_flx |= FI_BAD; 2004 continue; 2005 } 2006 sensitivity = *(t + 3); 2007 /* Range of categories (2*16bits), up to 7 pairs */ 2008 2009 } else if (tag > 127) { 2010 /* Custom defined DOI */ 2011 ; 2012 } else { 2013 fin->fin_flx |= FI_BAD; 2014 continue; 2015 } 2016 2017 if (sensitivity > fi->fi_sensitivity) 2018 fi->fi_sensitivity = sensitivity; 2019 } 2020 2021 return doi; 2022} 2023 2024 2025/* ------------------------------------------------------------------------ */ 2026/* Function: ipf_makefrip */ 2027/* Returns: int - 0 == packet ok, -1 == packet freed */ 2028/* Parameters: hlen(I) - length of IP packet header */ 2029/* ip(I) - pointer to the IP header */ 2030/* fin(IO) - pointer to packet information */ 2031/* */ 2032/* Compact the IP header into a structure which contains just the info. */ 2033/* which is useful for comparing IP headers with and store this information */ 2034/* in the fr_info_t structure pointer to by fin. At present, it is assumed */ 2035/* this function will be called with either an IPv4 or IPv6 packet. */ 2036/* ------------------------------------------------------------------------ */ 2037int 2038ipf_makefrip(hlen, ip, fin) 2039 int hlen; 2040 ip_t *ip; 2041 fr_info_t *fin; 2042{ 2043 ipf_main_softc_t *softc = fin->fin_main_soft; 2044 int v; 2045 2046 fin->fin_depth = 0; 2047 fin->fin_hlen = (u_short)hlen; 2048 fin->fin_ip = ip; 2049 fin->fin_rule = 0xffffffff; 2050 fin->fin_group[0] = -1; 2051 fin->fin_group[1] = '\0'; 2052 fin->fin_dp = (char *)ip + hlen; 2053 2054 v = fin->fin_v; 2055 if (v == 4) { 2056 fin->fin_plen = ntohs(ip->ip_len); 2057 fin->fin_dlen = fin->fin_plen - hlen; 2058 ipf_pr_ipv4hdr(fin); 2059#ifdef USE_INET6 2060 } else if (v == 6) { 2061 fin->fin_plen = ntohs(((ip6_t *)ip)->ip6_plen); 2062 fin->fin_dlen = fin->fin_plen; 2063 fin->fin_plen += hlen; 2064 2065 ipf_pr_ipv6hdr(fin); 2066#endif 2067 } 2068 if (fin->fin_ip == NULL) { 2069 LBUMP(ipf_stats[fin->fin_out].fr_ip_freed); 2070 return -1; 2071 } 2072 return 0; 2073} 2074 2075 2076/* ------------------------------------------------------------------------ */ 2077/* Function: ipf_portcheck */ 2078/* Returns: int - 1 == port matched, 0 == port match failed */ 2079/* Parameters: frp(I) - pointer to port check `expression' */ 2080/* pop(I) - port number to evaluate */ 2081/* */ 2082/* Perform a comparison of a port number against some other(s), using a */ 2083/* structure with compare information stored in it. */ 2084/* ------------------------------------------------------------------------ */ 2085static INLINE int 2086ipf_portcheck(frp, pop) 2087 frpcmp_t *frp; 2088 u_32_t pop; 2089{ 2090 int err = 1; 2091 u_32_t po; 2092 2093 po = frp->frp_port; 2094 2095 /* 2096 * Do opposite test to that required and continue if that succeeds. 2097 */ 2098 switch (frp->frp_cmp) 2099 { 2100 case FR_EQUAL : 2101 if (pop != po) /* EQUAL */ 2102 err = 0; 2103 break; 2104 case FR_NEQUAL : 2105 if (pop == po) /* NOTEQUAL */ 2106 err = 0; 2107 break; 2108 case FR_LESST : 2109 if (pop >= po) /* LESSTHAN */ 2110 err = 0; 2111 break; 2112 case FR_GREATERT : 2113 if (pop <= po) /* GREATERTHAN */ 2114 err = 0; 2115 break; 2116 case FR_LESSTE : 2117 if (pop > po) /* LT or EQ */ 2118 err = 0; 2119 break; 2120 case FR_GREATERTE : 2121 if (pop < po) /* GT or EQ */ 2122 err = 0; 2123 break; 2124 case FR_OUTRANGE : 2125 if (pop >= po && pop <= frp->frp_top) /* Out of range */ 2126 err = 0; 2127 break; 2128 case FR_INRANGE : 2129 if (pop <= po || pop >= frp->frp_top) /* In range */ 2130 err = 0; 2131 break; 2132 case FR_INCRANGE : 2133 if (pop < po || pop > frp->frp_top) /* Inclusive range */ 2134 err = 0; 2135 break; 2136 default : 2137 break; 2138 } 2139 return err; 2140} 2141 2142 2143/* ------------------------------------------------------------------------ */ 2144/* Function: ipf_tcpudpchk */ 2145/* Returns: int - 1 == protocol matched, 0 == check failed */ 2146/* Parameters: fda(I) - pointer to packet information */ 2147/* ft(I) - pointer to structure with comparison data */ 2148/* */ 2149/* Compares the current pcket (assuming it is TCP/UDP) information with a */ 2150/* structure containing information that we want to match against. */ 2151/* ------------------------------------------------------------------------ */ 2152int 2153ipf_tcpudpchk(fi, ft) 2154 fr_ip_t *fi; 2155 frtuc_t *ft; 2156{ 2157 int err = 1; 2158 2159 /* 2160 * Both ports should *always* be in the first fragment. 2161 * So far, I cannot find any cases where they can not be. 2162 * 2163 * compare destination ports 2164 */ 2165 if (ft->ftu_dcmp) 2166 err = ipf_portcheck(&ft->ftu_dst, fi->fi_ports[1]); 2167 2168 /* 2169 * compare source ports 2170 */ 2171 if (err && ft->ftu_scmp) 2172 err = ipf_portcheck(&ft->ftu_src, fi->fi_ports[0]); 2173 2174 /* 2175 * If we don't have all the TCP/UDP header, then how can we 2176 * expect to do any sort of match on it ? If we were looking for 2177 * TCP flags, then NO match. If not, then match (which should 2178 * satisfy the "short" class too). 2179 */ 2180 if (err && (fi->fi_p == IPPROTO_TCP)) { 2181 if (fi->fi_flx & FI_SHORT) 2182 return !(ft->ftu_tcpf | ft->ftu_tcpfm); 2183 /* 2184 * Match the flags ? If not, abort this match. 2185 */ 2186 if (ft->ftu_tcpfm && 2187 ft->ftu_tcpf != (fi->fi_tcpf & ft->ftu_tcpfm)) { 2188 FR_DEBUG(("f. %#x & %#x != %#x\n", fi->fi_tcpf, 2189 ft->ftu_tcpfm, ft->ftu_tcpf)); 2190 err = 0; 2191 } 2192 } 2193 return err; 2194} 2195 2196 2197/* ------------------------------------------------------------------------ */ 2198/* Function: ipf_check_ipf */ 2199/* Returns: int - 0 == match, else no match */ 2200/* Parameters: fin(I) - pointer to packet information */ 2201/* fr(I) - pointer to filter rule */ 2202/* portcmp(I) - flag indicating whether to attempt matching on */ 2203/* TCP/UDP port data. */ 2204/* */ 2205/* Check to see if a packet matches an IPFilter rule. Checks of addresses, */ 2206/* port numbers, etc, for "standard" IPFilter rules are all orchestrated in */ 2207/* this function. */ 2208/* ------------------------------------------------------------------------ */ 2209static INLINE int 2210ipf_check_ipf(fin, fr, portcmp) 2211 fr_info_t *fin; 2212 frentry_t *fr; 2213 int portcmp; 2214{ 2215 u_32_t *ld, *lm, *lip; 2216 fripf_t *fri; 2217 fr_ip_t *fi; 2218 int i; 2219 2220 fi = &fin->fin_fi; 2221 fri = fr->fr_ipf; 2222 lip = (u_32_t *)fi; 2223 lm = (u_32_t *)&fri->fri_mip; 2224 ld = (u_32_t *)&fri->fri_ip; 2225 2226 /* 2227 * first 32 bits to check coversion: 2228 * IP version, TOS, TTL, protocol 2229 */ 2230 i = ((*lip & *lm) != *ld); 2231 FR_DEBUG(("0. %#08x & %#08x != %#08x\n", 2232 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2233 if (i) 2234 return 1; 2235 2236 /* 2237 * Next 32 bits is a constructed bitmask indicating which IP options 2238 * are present (if any) in this packet. 2239 */ 2240 lip++, lm++, ld++; 2241 i = ((*lip & *lm) != *ld); 2242 FR_DEBUG(("1. %#08x & %#08x != %#08x\n", 2243 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2244 if (i != 0) 2245 return 1; 2246 2247 lip++, lm++, ld++; 2248 /* 2249 * Unrolled loops (4 each, for 32 bits) for address checks. 2250 */ 2251 /* 2252 * Check the source address. 2253 */ 2254 if (fr->fr_satype == FRI_LOOKUP) { 2255 i = (*fr->fr_srcfunc)(fin->fin_main_soft, fr->fr_srcptr, 2256 fi->fi_v, lip, fin->fin_plen); 2257 if (i == -1) 2258 return 1; 2259 lip += 3; 2260 lm += 3; 2261 ld += 3; 2262 } else { 2263 i = ((*lip & *lm) != *ld); 2264 FR_DEBUG(("2a. %#08x & %#08x != %#08x\n", 2265 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2266 if (fi->fi_v == 6) { 2267 lip++, lm++, ld++; 2268 i |= ((*lip & *lm) != *ld); 2269 FR_DEBUG(("2b. %#08x & %#08x != %#08x\n", 2270 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2271 lip++, lm++, ld++; 2272 i |= ((*lip & *lm) != *ld); 2273 FR_DEBUG(("2c. %#08x & %#08x != %#08x\n", 2274 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2275 lip++, lm++, ld++; 2276 i |= ((*lip & *lm) != *ld); 2277 FR_DEBUG(("2d. %#08x & %#08x != %#08x\n", 2278 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2279 } else { 2280 lip += 3; 2281 lm += 3; 2282 ld += 3; 2283 } 2284 } 2285 i ^= (fr->fr_flags & FR_NOTSRCIP) >> 6; 2286 if (i != 0) 2287 return 1; 2288 2289 /* 2290 * Check the destination address. 2291 */ 2292 lip++, lm++, ld++; 2293 if (fr->fr_datype == FRI_LOOKUP) { 2294 i = (*fr->fr_dstfunc)(fin->fin_main_soft, fr->fr_dstptr, 2295 fi->fi_v, lip, fin->fin_plen); 2296 if (i == -1) 2297 return 1; 2298 lip += 3; 2299 lm += 3; 2300 ld += 3; 2301 } else { 2302 i = ((*lip & *lm) != *ld); 2303 FR_DEBUG(("3a. %#08x & %#08x != %#08x\n", 2304 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2305 if (fi->fi_v == 6) { 2306 lip++, lm++, ld++; 2307 i |= ((*lip & *lm) != *ld); 2308 FR_DEBUG(("3b. %#08x & %#08x != %#08x\n", 2309 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2310 lip++, lm++, ld++; 2311 i |= ((*lip & *lm) != *ld); 2312 FR_DEBUG(("3c. %#08x & %#08x != %#08x\n", 2313 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2314 lip++, lm++, ld++; 2315 i |= ((*lip & *lm) != *ld); 2316 FR_DEBUG(("3d. %#08x & %#08x != %#08x\n", 2317 ntohl(*lip), ntohl(*lm), ntohl(*ld))); 2318 } else { 2319 lip += 3; 2320 lm += 3; 2321 ld += 3; 2322 } 2323 } 2324 i ^= (fr->fr_flags & FR_NOTDSTIP) >> 7; 2325 if (i != 0) 2326 return 1; 2327 /* 2328 * IP addresses matched. The next 32bits contains: 2329 * mast of old IP header security & authentication bits. 2330 */ 2331 lip++, lm++, ld++; 2332 i = (*ld - (*lip & *lm)); 2333 FR_DEBUG(("4. %#08x & %#08x != %#08x\n", *lip, *lm, *ld)); 2334 2335 /* 2336 * Next we have 32 bits of packet flags. 2337 */ 2338 lip++, lm++, ld++; 2339 i |= (*ld - (*lip & *lm)); 2340 FR_DEBUG(("5. %#08x & %#08x != %#08x\n", *lip, *lm, *ld)); 2341 2342 if (i == 0) { 2343 /* 2344 * If a fragment, then only the first has what we're 2345 * looking for here... 2346 */ 2347 if (portcmp) { 2348 if (!ipf_tcpudpchk(&fin->fin_fi, &fr->fr_tuc)) 2349 i = 1; 2350 } else { 2351 if (fr->fr_dcmp || fr->fr_scmp || 2352 fr->fr_tcpf || fr->fr_tcpfm) 2353 i = 1; 2354 if (fr->fr_icmpm || fr->fr_icmp) { 2355 if (((fi->fi_p != IPPROTO_ICMP) && 2356 (fi->fi_p != IPPROTO_ICMPV6)) || 2357 fin->fin_off || (fin->fin_dlen < 2)) 2358 i = 1; 2359 else if ((fin->fin_data[0] & fr->fr_icmpm) != 2360 fr->fr_icmp) { 2361 FR_DEBUG(("i. %#x & %#x != %#x\n", 2362 fin->fin_data[0], 2363 fr->fr_icmpm, fr->fr_icmp)); 2364 i = 1; 2365 } 2366 } 2367 } 2368 } 2369 return i; 2370} 2371 2372 2373/* ------------------------------------------------------------------------ */ 2374/* Function: ipf_scanlist */ 2375/* Returns: int - result flags of scanning filter list */ 2376/* Parameters: fin(I) - pointer to packet information */ 2377/* pass(I) - default result to return for filtering */ 2378/* */ 2379/* Check the input/output list of rules for a match to the current packet. */ 2380/* If a match is found, the value of fr_flags from the rule becomes the */ 2381/* return value and fin->fin_fr points to the matched rule. */ 2382/* */ 2383/* This function may be called recusively upto 16 times (limit inbuilt.) */ 2384/* When unwinding, it should finish up with fin_depth as 0. */ 2385/* */ 2386/* Could be per interface, but this gets real nasty when you don't have, */ 2387/* or can't easily change, the kernel source code to . */ 2388/* ------------------------------------------------------------------------ */ 2389int 2390ipf_scanlist(fin, pass) 2391 fr_info_t *fin; 2392 u_32_t pass; 2393{ 2394 ipf_main_softc_t *softc = fin->fin_main_soft; 2395 int rulen, portcmp, off, skip; 2396 struct frentry *fr, *fnext; 2397 u_32_t passt, passo; 2398 2399 /* 2400 * Do not allow nesting deeper than 16 levels. 2401 */ 2402 if (fin->fin_depth >= 16) 2403 return pass; 2404 2405 fr = fin->fin_fr; 2406 2407 /* 2408 * If there are no rules in this list, return now. 2409 */ 2410 if (fr == NULL) 2411 return pass; 2412 2413 skip = 0; 2414 portcmp = 0; 2415 fin->fin_depth++; 2416 fin->fin_fr = NULL; 2417 off = fin->fin_off; 2418 2419 if ((fin->fin_flx & FI_TCPUDP) && (fin->fin_dlen > 3) && !off) 2420 portcmp = 1; 2421 2422 for (rulen = 0; fr; fr = fnext, rulen++) { 2423 fnext = fr->fr_next; 2424 if (skip != 0) { 2425 FR_VERBOSE(("SKIP %d (%#x)\n", skip, fr->fr_flags)); 2426 skip--; 2427 continue; 2428 } 2429 2430 /* 2431 * In all checks below, a null (zero) value in the 2432 * filter struture is taken to mean a wildcard. 2433 * 2434 * check that we are working for the right interface 2435 */ 2436#ifdef _KERNEL 2437 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp) 2438 continue; 2439#else 2440 if (opts & (OPT_VERBOSE|OPT_DEBUG)) 2441 printf("\n"); 2442 FR_VERBOSE(("%c", FR_ISSKIP(pass) ? 's' : 2443 FR_ISPASS(pass) ? 'p' : 2444 FR_ISACCOUNT(pass) ? 'A' : 2445 FR_ISAUTH(pass) ? 'a' : 2446 (pass & FR_NOMATCH) ? 'n' :'b')); 2447 if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp) 2448 continue; 2449 FR_VERBOSE((":i")); 2450#endif 2451 2452 switch (fr->fr_type) 2453 { 2454 case FR_T_IPF : 2455 case FR_T_IPF_BUILTIN : 2456 if (ipf_check_ipf(fin, fr, portcmp)) 2457 continue; 2458 break; 2459#if defined(IPFILTER_BPF) 2460 case FR_T_BPFOPC : 2461 case FR_T_BPFOPC_BUILTIN : 2462 { 2463 u_char *mc; 2464 int wlen; 2465 2466 if (*fin->fin_mp == NULL) 2467 continue; 2468 if (fin->fin_family != fr->fr_family) 2469 continue; 2470 mc = (u_char *)fin->fin_m; 2471 wlen = fin->fin_dlen + fin->fin_hlen; 2472 if (!bpf_filter(fr->fr_data, mc, wlen, 0)) 2473 continue; 2474 break; 2475 } 2476#endif 2477 case FR_T_CALLFUNC_BUILTIN : 2478 { 2479 frentry_t *f; 2480 2481 f = (*fr->fr_func)(fin, &pass); 2482 if (f != NULL) 2483 fr = f; 2484 else 2485 continue; 2486 break; 2487 } 2488 2489 case FR_T_IPFEXPR : 2490 case FR_T_IPFEXPR_BUILTIN : 2491 if (fin->fin_family != fr->fr_family) 2492 continue; 2493 if (ipf_fr_matcharray(fin, fr->fr_data) == 0) 2494 continue; 2495 break; 2496 2497 default : 2498 break; 2499 } 2500 2501 if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) { 2502 if (fin->fin_nattag == NULL) 2503 continue; 2504 if (ipf_matchtag(&fr->fr_nattag, fin->fin_nattag) == 0) 2505 continue; 2506 } 2507 FR_VERBOSE(("=%d/%d.%d *", fr->fr_grhead, fr->fr_group, rulen)); 2508 2509 passt = fr->fr_flags; 2510 2511 /* 2512 * If the rule is a "call now" rule, then call the function 2513 * in the rule, if it exists and use the results from that. 2514 * If the function pointer is bad, just make like we ignore 2515 * it, except for increasing the hit counter. 2516 */ 2517 if ((passt & FR_CALLNOW) != 0) { 2518 frentry_t *frs; 2519 2520 ATOMIC_INC64(fr->fr_hits); 2521 if ((fr->fr_func == NULL) || 2522 (fr->fr_func == (ipfunc_t)-1)) 2523 continue; 2524 2525 frs = fin->fin_fr; 2526 fin->fin_fr = fr; 2527 fr = (*fr->fr_func)(fin, &passt); 2528 if (fr == NULL) { 2529 fin->fin_fr = frs; 2530 continue; 2531 } 2532 passt = fr->fr_flags; 2533 } 2534 fin->fin_fr = fr; 2535 2536#ifdef IPFILTER_LOG 2537 /* 2538 * Just log this packet... 2539 */ 2540 if ((passt & FR_LOGMASK) == FR_LOG) { 2541 if (ipf_log_pkt(fin, passt) == -1) { 2542 if (passt & FR_LOGORBLOCK) { 2543 DT(frb_logfail); 2544 passt &= ~FR_CMDMASK; 2545 passt |= FR_BLOCK|FR_QUICK; 2546 fin->fin_reason = FRB_LOGFAIL; 2547 } 2548 } 2549 } 2550#endif /* IPFILTER_LOG */ 2551 2552 MUTEX_ENTER(&fr->fr_lock); 2553 fr->fr_bytes += (U_QUAD_T)fin->fin_plen; 2554 fr->fr_hits++; 2555 MUTEX_EXIT(&fr->fr_lock); 2556 fin->fin_rule = rulen; 2557 2558 passo = pass; 2559 if (FR_ISSKIP(passt)) { 2560 skip = fr->fr_arg; 2561 continue; 2562 } else if (((passt & FR_LOGMASK) != FR_LOG) && 2563 ((passt & FR_LOGMASK) != FR_DECAPSULATE)) { 2564 pass = passt; 2565 } 2566 2567 if (passt & (FR_RETICMP|FR_FAKEICMP)) 2568 fin->fin_icode = fr->fr_icode; 2569 2570 if (fr->fr_group != -1) { 2571 (void) strncpy(fin->fin_group, 2572 FR_NAME(fr, fr_group), 2573 strlen(FR_NAME(fr, fr_group))); 2574 } else { 2575 fin->fin_group[0] = '\0'; 2576 } 2577 2578 FR_DEBUG(("pass %#x/%#x/%x\n", passo, pass, passt)); 2579 2580 if (fr->fr_grphead != NULL) { 2581 fin->fin_fr = fr->fr_grphead->fg_start; 2582 FR_VERBOSE(("group %s\n", FR_NAME(fr, fr_grhead))); 2583 2584 if (FR_ISDECAPS(passt)) 2585 passt = ipf_decaps(fin, pass, fr->fr_icode); 2586 else 2587 passt = ipf_scanlist(fin, pass); 2588 2589 if (fin->fin_fr == NULL) { 2590 fin->fin_rule = rulen; 2591 if (fr->fr_group != -1) 2592 (void) strncpy(fin->fin_group, 2593 fr->fr_names + 2594 fr->fr_group, 2595 strlen(fr->fr_names + 2596 fr->fr_group)); 2597 fin->fin_fr = fr; 2598 passt = pass; 2599 } 2600 pass = passt; 2601 } 2602 2603 if (pass & FR_QUICK) { 2604 /* 2605 * Finally, if we've asked to track state for this 2606 * packet, set it up. Add state for "quick" rules 2607 * here so that if the action fails we can consider 2608 * the rule to "not match" and keep on processing 2609 * filter rules. 2610 */ 2611 if ((pass & FR_KEEPSTATE) && !FR_ISAUTH(pass) && 2612 !(fin->fin_flx & FI_STATE)) { 2613 int out = fin->fin_out; 2614 2615 fin->fin_fr = fr; 2616 if (ipf_state_add(softc, fin, NULL, 0) == 0) { 2617 LBUMPD(ipf_stats[out], fr_ads); 2618 } else { 2619 LBUMPD(ipf_stats[out], fr_bads); 2620 pass = passo; 2621 continue; 2622 } 2623 } 2624 break; 2625 } 2626 } 2627 fin->fin_depth--; 2628 return pass; 2629} 2630 2631 2632/* ------------------------------------------------------------------------ */ 2633/* Function: ipf_acctpkt */ 2634/* Returns: frentry_t* - always returns NULL */ 2635/* Parameters: fin(I) - pointer to packet information */ 2636/* passp(IO) - pointer to current/new filter decision (unused) */ 2637/* */ 2638/* Checks a packet against accounting rules, if there are any for the given */ 2639/* IP protocol version. */ 2640/* */ 2641/* N.B.: this function returns NULL to match the prototype used by other */ 2642/* functions called from the IPFilter "mainline" in ipf_check(). */ 2643/* ------------------------------------------------------------------------ */ 2644frentry_t * 2645ipf_acctpkt(fin, passp) 2646 fr_info_t *fin; 2647 u_32_t *passp; 2648{ 2649 ipf_main_softc_t *softc = fin->fin_main_soft; 2650 char group[FR_GROUPLEN]; 2651 frentry_t *fr, *frsave; 2652 u_32_t pass, rulen; 2653 2654 passp = passp; 2655 fr = softc->ipf_acct[fin->fin_out][softc->ipf_active]; 2656 2657 if (fr != NULL) { 2658 frsave = fin->fin_fr; 2659 bcopy(fin->fin_group, group, FR_GROUPLEN); 2660 rulen = fin->fin_rule; 2661 fin->fin_fr = fr; 2662 pass = ipf_scanlist(fin, FR_NOMATCH); 2663 if (FR_ISACCOUNT(pass)) { 2664 LBUMPD(ipf_stats[0], fr_acct); 2665 } 2666 fin->fin_fr = frsave; 2667 bcopy(group, fin->fin_group, FR_GROUPLEN); 2668 fin->fin_rule = rulen; 2669 } 2670 return NULL; 2671} 2672 2673 2674/* ------------------------------------------------------------------------ */ 2675/* Function: ipf_firewall */ 2676/* Returns: frentry_t* - returns pointer to matched rule, if no matches */ 2677/* were found, returns NULL. */ 2678/* Parameters: fin(I) - pointer to packet information */ 2679/* passp(IO) - pointer to current/new filter decision (unused) */ 2680/* */ 2681/* Applies an appropriate set of firewall rules to the packet, to see if */ 2682/* there are any matches. The first check is to see if a match can be seen */ 2683/* in the cache. If not, then search an appropriate list of rules. Once a */ 2684/* matching rule is found, take any appropriate actions as defined by the */ 2685/* rule - except logging. */ 2686/* ------------------------------------------------------------------------ */ 2687static frentry_t * 2688ipf_firewall(fin, passp) 2689 fr_info_t *fin; 2690 u_32_t *passp; 2691{ 2692 ipf_main_softc_t *softc = fin->fin_main_soft; 2693 frentry_t *fr; 2694 u_32_t pass; 2695 int out; 2696 2697 out = fin->fin_out; 2698 pass = *passp; 2699 2700 /* 2701 * This rule cache will only affect packets that are not being 2702 * statefully filtered. 2703 */ 2704 fin->fin_fr = softc->ipf_rules[out][softc->ipf_active]; 2705 if (fin->fin_fr != NULL) 2706 pass = ipf_scanlist(fin, softc->ipf_pass); 2707 2708 if ((pass & FR_NOMATCH)) { 2709 LBUMPD(ipf_stats[out], fr_nom); 2710 } 2711 fr = fin->fin_fr; 2712 2713 /* 2714 * Apply packets per second rate-limiting to a rule as required. 2715 */ 2716 if ((fr != NULL) && (fr->fr_pps != 0) && 2717 !ppsratecheck(&fr->fr_lastpkt, &fr->fr_curpps, fr->fr_pps)) { 2718 DT2(frb_ppsrate, fr_info_t *, fin, frentry_t *, fr); 2719 pass &= ~(FR_CMDMASK|FR_RETICMP|FR_RETRST); 2720 pass |= FR_BLOCK; 2721 LBUMPD(ipf_stats[out], fr_ppshit); 2722 fin->fin_reason = FRB_PPSRATE; 2723 } 2724 2725 /* 2726 * If we fail to add a packet to the authorization queue, then we 2727 * drop the packet later. However, if it was added then pretend 2728 * we've dropped it already. 2729 */ 2730 if (FR_ISAUTH(pass)) { 2731 if (ipf_auth_new(fin->fin_m, fin) != 0) { 2732 DT1(frb_authnew, fr_info_t *, fin); 2733 fin->fin_m = *fin->fin_mp = NULL; 2734 fin->fin_reason = FRB_AUTHNEW; 2735 fin->fin_error = 0; 2736 } else { 2737 IPFERROR(1); 2738 fin->fin_error = ENOSPC; 2739 } 2740 } 2741 2742 if ((fr != NULL) && (fr->fr_func != NULL) && 2743 (fr->fr_func != (ipfunc_t)-1) && !(pass & FR_CALLNOW)) 2744 (void) (*fr->fr_func)(fin, &pass); 2745 2746 /* 2747 * If a rule is a pre-auth rule, check again in the list of rules 2748 * loaded for authenticated use. It does not particulary matter 2749 * if this search fails because a "preauth" result, from a rule, 2750 * is treated as "not a pass", hence the packet is blocked. 2751 */ 2752 if (FR_ISPREAUTH(pass)) { 2753 pass = ipf_auth_pre_scanlist(softc, fin, pass); 2754 } 2755 2756 /* 2757 * If the rule has "keep frag" and the packet is actually a fragment, 2758 * then create a fragment state entry. 2759 */ 2760 if (pass & FR_KEEPFRAG) { 2761 if (fin->fin_flx & FI_FRAG) { 2762 if (ipf_frag_new(softc, fin, pass) == -1) { 2763 LBUMP(ipf_stats[out].fr_bnfr); 2764 } else { 2765 LBUMP(ipf_stats[out].fr_nfr); 2766 } 2767 } else { 2768 LBUMP(ipf_stats[out].fr_cfr); 2769 } 2770 } 2771 2772 fr = fin->fin_fr; 2773 *passp = pass; 2774 2775 return fr; 2776} 2777 2778 2779/* ------------------------------------------------------------------------ */ 2780/* Function: ipf_check */ 2781/* Returns: int - 0 == packet allowed through, */ 2782/* User space: */ 2783/* -1 == packet blocked */ 2784/* 1 == packet not matched */ 2785/* -2 == requires authentication */ 2786/* Kernel: */ 2787/* > 0 == filter error # for packet */ 2788/* Parameters: ctx(I) - pointer to the instance context */ 2789/* ip(I) - pointer to start of IPv4/6 packet */ 2790/* hlen(I) - length of header */ 2791/* ifp(I) - pointer to interface this packet is on */ 2792/* out(I) - 0 == packet going in, 1 == packet going out */ 2793/* mp(IO) - pointer to caller's buffer pointer that holds this */ 2794/* IP packet. */ 2795/* Solaris & HP-UX ONLY : */ 2796/* qpi(I) - pointer to STREAMS queue information for this */ 2797/* interface & direction. */ 2798/* */ 2799/* ipf_check() is the master function for all IPFilter packet processing. */ 2800/* It orchestrates: Network Address Translation (NAT), checking for packet */ 2801/* authorisation (or pre-authorisation), presence of related state info., */ 2802/* generating log entries, IP packet accounting, routing of packets as */ 2803/* directed by firewall rules and of course whether or not to allow the */ 2804/* packet to be further processed by the kernel. */ 2805/* */ 2806/* For packets blocked, the contents of "mp" will be NULL'd and the buffer */ 2807/* freed. Packets passed may be returned with the pointer pointed to by */ 2808/* by "mp" changed to a new buffer. */ 2809/* ------------------------------------------------------------------------ */ 2810int 2811ipf_check(ctx, ip, hlen, ifp, out 2812#if defined(_KERNEL) && defined(MENTAT) 2813 , qif, mp) 2814 void *qif; 2815#else 2816 , mp) 2817#endif 2818 mb_t **mp; 2819 ip_t *ip; 2820 int hlen; 2821 void *ifp; 2822 int out; 2823 void *ctx; 2824{ 2825 /* 2826 * The above really sucks, but short of writing a diff 2827 */ 2828 ipf_main_softc_t *softc = ctx; 2829 fr_info_t frinfo; 2830 fr_info_t *fin = &frinfo; 2831 u_32_t pass = softc->ipf_pass; 2832 frentry_t *fr = NULL; 2833 int v = IP_V(ip); 2834 mb_t *mc = NULL; 2835 mb_t *m; 2836 /* 2837 * The first part of ipf_check() deals with making sure that what goes 2838 * into the filtering engine makes some sense. Information about the 2839 * the packet is distilled, collected into a fr_info_t structure and 2840 * the an attempt to ensure the buffer the packet is in is big enough 2841 * to hold all the required packet headers. 2842 */ 2843#ifdef _KERNEL 2844# ifdef MENTAT 2845 qpktinfo_t *qpi = qif; 2846 2847# ifdef __sparc 2848 if ((u_int)ip & 0x3) 2849 return 2; 2850# endif 2851# else 2852 SPL_INT(s); 2853# endif 2854 2855 if (softc->ipf_running <= 0) { 2856 return 0; 2857 } 2858 2859 bzero((char *)fin, sizeof(*fin)); 2860 2861# ifdef MENTAT 2862 if (qpi->qpi_flags & QF_BROADCAST) 2863 fin->fin_flx |= FI_MBCAST|FI_BROADCAST; 2864 if (qpi->qpi_flags & QF_MULTICAST) 2865 fin->fin_flx |= FI_MBCAST|FI_MULTICAST; 2866 m = qpi->qpi_m; 2867 fin->fin_qfm = m; 2868 fin->fin_qpi = qpi; 2869# else /* MENTAT */ 2870 2871 m = *mp; 2872 2873# if defined(M_MCAST) 2874 if ((m->m_flags & M_MCAST) != 0) 2875 fin->fin_flx |= FI_MBCAST|FI_MULTICAST; 2876# endif 2877# if defined(M_MLOOP) 2878 if ((m->m_flags & M_MLOOP) != 0) 2879 fin->fin_flx |= FI_MBCAST|FI_MULTICAST; 2880# endif 2881# if defined(M_BCAST) 2882 if ((m->m_flags & M_BCAST) != 0) 2883 fin->fin_flx |= FI_MBCAST|FI_BROADCAST; 2884# endif 2885# ifdef M_CANFASTFWD 2886 /* 2887 * XXX For now, IP Filter and fast-forwarding of cached flows 2888 * XXX are mutually exclusive. Eventually, IP Filter should 2889 * XXX get a "can-fast-forward" filter rule. 2890 */ 2891 m->m_flags &= ~M_CANFASTFWD; 2892# endif /* M_CANFASTFWD */ 2893# if defined(CSUM_DELAY_DATA) && (!defined(__FreeBSD_version) || \ 2894 (__FreeBSD_version < 501108)) 2895 /* 2896 * disable delayed checksums. 2897 */ 2898 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 2899 in_delayed_cksum(m); 2900 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 2901 } 2902# endif /* CSUM_DELAY_DATA */ 2903# endif /* MENTAT */ 2904#else 2905 bzero((char *)fin, sizeof(*fin)); 2906 m = *mp; 2907# if defined(M_MCAST) 2908 if ((m->m_flags & M_MCAST) != 0) 2909 fin->fin_flx |= FI_MBCAST|FI_MULTICAST; 2910# endif 2911# if defined(M_MLOOP) 2912 if ((m->m_flags & M_MLOOP) != 0) 2913 fin->fin_flx |= FI_MBCAST|FI_MULTICAST; 2914# endif 2915# if defined(M_BCAST) 2916 if ((m->m_flags & M_BCAST) != 0) 2917 fin->fin_flx |= FI_MBCAST|FI_BROADCAST; 2918# endif 2919#endif /* _KERNEL */ 2920 2921 fin->fin_v = v; 2922 fin->fin_m = m; 2923 fin->fin_ip = ip; 2924 fin->fin_mp = mp; 2925 fin->fin_out = out; 2926 fin->fin_ifp = ifp; 2927 fin->fin_error = ENETUNREACH; 2928 fin->fin_hlen = (u_short)hlen; 2929 fin->fin_dp = (char *)ip + hlen; 2930 fin->fin_main_soft = softc; 2931 2932 fin->fin_ipoff = (char *)ip - MTOD(m, char *); 2933 2934 SPL_NET(s); 2935 2936#ifdef USE_INET6 2937 if (v == 6) { 2938 LBUMP(ipf_stats[out].fr_ipv6); 2939 /* 2940 * Jumbo grams are quite likely too big for internal buffer 2941 * structures to handle comfortably, for now, so just drop 2942 * them. 2943 */ 2944 if (((ip6_t *)ip)->ip6_plen == 0) { 2945 DT1(frb_jumbo, ip6_t *, (ip6_t *)ip); 2946 pass = FR_BLOCK|FR_NOMATCH; 2947 fin->fin_reason = FRB_JUMBO; 2948 goto finished; 2949 } 2950 fin->fin_family = AF_INET6; 2951 } else 2952#endif 2953 { 2954 fin->fin_family = AF_INET; 2955 } 2956 2957 if (ipf_makefrip(hlen, ip, fin) == -1) { 2958 DT1(frb_makefrip, fr_info_t *, fin); 2959 pass = FR_BLOCK|FR_NOMATCH; 2960 fin->fin_reason = FRB_MAKEFRIP; 2961 goto finished; 2962 } 2963 2964 /* 2965 * For at least IPv6 packets, if a m_pullup() fails then this pointer 2966 * becomes NULL and so we have no packet to free. 2967 */ 2968 if (*fin->fin_mp == NULL) 2969 goto finished; 2970 2971 if (!out) { 2972 if (v == 4) { 2973 if (softc->ipf_chksrc && !ipf_verifysrc(fin)) { 2974 LBUMPD(ipf_stats[0], fr_v4_badsrc); 2975 fin->fin_flx |= FI_BADSRC; 2976 } 2977 if (fin->fin_ip->ip_ttl < softc->ipf_minttl) { 2978 LBUMPD(ipf_stats[0], fr_v4_badttl); 2979 fin->fin_flx |= FI_LOWTTL; 2980 } 2981 } 2982#ifdef USE_INET6 2983 else if (v == 6) { 2984 if (((ip6_t *)ip)->ip6_hlim < softc->ipf_minttl) { 2985 LBUMPD(ipf_stats[0], fr_v6_badttl); 2986 fin->fin_flx |= FI_LOWTTL; 2987 } 2988 } 2989#endif 2990 } 2991 2992 if (fin->fin_flx & FI_SHORT) { 2993 LBUMPD(ipf_stats[out], fr_short); 2994 } 2995 2996 READ_ENTER(&softc->ipf_mutex); 2997 2998 if (!out) { 2999 switch (fin->fin_v) 3000 { 3001 case 4 : 3002 if (ipf_nat_checkin(fin, &pass) == -1) { 3003 goto filterdone; 3004 } 3005 break; 3006#ifdef USE_INET6 3007 case 6 : 3008 if (ipf_nat6_checkin(fin, &pass) == -1) { 3009 goto filterdone; 3010 } 3011 break; 3012#endif 3013 default : 3014 break; 3015 } 3016 } 3017 /* 3018 * Check auth now. 3019 * If a packet is found in the auth table, then skip checking 3020 * the access lists for permission but we do need to consider 3021 * the result as if it were from the ACL's. In addition, being 3022 * found in the auth table means it has been seen before, so do 3023 * not pass it through accounting (again), lest it be counted twice. 3024 */ 3025 fr = ipf_auth_check(fin, &pass); 3026 if (!out && (fr == NULL)) 3027 (void) ipf_acctpkt(fin, NULL); 3028 3029 if (fr == NULL) { 3030 if ((fin->fin_flx & FI_FRAG) != 0) 3031 fr = ipf_frag_known(fin, &pass); 3032 3033 if (fr == NULL) 3034 fr = ipf_state_check(fin, &pass); 3035 } 3036 3037 if ((pass & FR_NOMATCH) || (fr == NULL)) 3038 fr = ipf_firewall(fin, &pass); 3039 3040 /* 3041 * If we've asked to track state for this packet, set it up. 3042 * Here rather than ipf_firewall because ipf_checkauth may decide 3043 * to return a packet for "keep state" 3044 */ 3045 if ((pass & FR_KEEPSTATE) && (fin->fin_m != NULL) && 3046 !(fin->fin_flx & FI_STATE)) { 3047 if (ipf_state_add(softc, fin, NULL, 0) == 0) { 3048 LBUMP(ipf_stats[out].fr_ads); 3049 } else { 3050 LBUMP(ipf_stats[out].fr_bads); 3051 if (FR_ISPASS(pass)) { 3052 DT(frb_stateadd); 3053 pass &= ~FR_CMDMASK; 3054 pass |= FR_BLOCK; 3055 fin->fin_reason = FRB_STATEADD; 3056 } 3057 } 3058 } 3059 3060 fin->fin_fr = fr; 3061 if ((fr != NULL) && !(fin->fin_flx & FI_STATE)) { 3062 fin->fin_dif = &fr->fr_dif; 3063 fin->fin_tif = &fr->fr_tifs[fin->fin_rev]; 3064 } 3065 3066 /* 3067 * Only count/translate packets which will be passed on, out the 3068 * interface. 3069 */ 3070 if (out && FR_ISPASS(pass)) { 3071 (void) ipf_acctpkt(fin, NULL); 3072 3073 switch (fin->fin_v) 3074 { 3075 case 4 : 3076 if (ipf_nat_checkout(fin, &pass) == -1) { 3077 ; 3078 } else if ((softc->ipf_update_ipid != 0) && (v == 4)) { 3079 if (ipf_updateipid(fin) == -1) { 3080 DT(frb_updateipid); 3081 LBUMP(ipf_stats[1].fr_ipud); 3082 pass &= ~FR_CMDMASK; 3083 pass |= FR_BLOCK; 3084 fin->fin_reason = FRB_UPDATEIPID; 3085 } else { 3086 LBUMP(ipf_stats[0].fr_ipud); 3087 } 3088 } 3089 break; 3090#ifdef USE_INET6 3091 case 6 : 3092 (void) ipf_nat6_checkout(fin, &pass); 3093 break; 3094#endif 3095 default : 3096 break; 3097 } 3098 } 3099 3100filterdone: 3101#ifdef IPFILTER_LOG 3102 if ((softc->ipf_flags & FF_LOGGING) || (pass & FR_LOGMASK)) { 3103 (void) ipf_dolog(fin, &pass); 3104 } 3105#endif 3106 3107 /* 3108 * The FI_STATE flag is cleared here so that calling ipf_state_check 3109 * will work when called from inside of fr_fastroute. Although 3110 * there is a similar flag, FI_NATED, for NAT, it does have the same 3111 * impact on code execution. 3112 */ 3113 fin->fin_flx &= ~FI_STATE; 3114 3115#if defined(FASTROUTE_RECURSION) 3116 /* 3117 * Up the reference on fr_lock and exit ipf_mutex. The generation of 3118 * a packet below can sometimes cause a recursive call into IPFilter. 3119 * On those platforms where that does happen, we need to hang onto 3120 * the filter rule just in case someone decides to remove or flush it 3121 * in the meantime. 3122 */ 3123 if (fr != NULL) { 3124 MUTEX_ENTER(&fr->fr_lock); 3125 fr->fr_ref++; 3126 MUTEX_EXIT(&fr->fr_lock); 3127 } 3128 3129 RWLOCK_EXIT(&softc->ipf_mutex); 3130#endif 3131 3132 if ((pass & FR_RETMASK) != 0) { 3133 /* 3134 * Should we return an ICMP packet to indicate error 3135 * status passing through the packet filter ? 3136 * WARNING: ICMP error packets AND TCP RST packets should 3137 * ONLY be sent in repsonse to incoming packets. Sending 3138 * them in response to outbound packets can result in a 3139 * panic on some operating systems. 3140 */ 3141 if (!out) { 3142 if (pass & FR_RETICMP) { 3143 int dst; 3144 3145 if ((pass & FR_RETMASK) == FR_FAKEICMP) 3146 dst = 1; 3147 else 3148 dst = 0; 3149 (void) ipf_send_icmp_err(ICMP_UNREACH, fin, 3150 dst); 3151 LBUMP(ipf_stats[0].fr_ret); 3152 } else if (((pass & FR_RETMASK) == FR_RETRST) && 3153 !(fin->fin_flx & FI_SHORT)) { 3154 if (((fin->fin_flx & FI_OOW) != 0) || 3155 (ipf_send_reset(fin) == 0)) { 3156 LBUMP(ipf_stats[1].fr_ret); 3157 } 3158 } 3159 3160 /* 3161 * When using return-* with auth rules, the auth code 3162 * takes over disposing of this packet. 3163 */ 3164 if (FR_ISAUTH(pass) && (fin->fin_m != NULL)) { 3165 DT1(frb_authcapture, fr_info_t *, fin); 3166 fin->fin_m = *fin->fin_mp = NULL; 3167 fin->fin_reason = FRB_AUTHCAPTURE; 3168 m = NULL; 3169 } 3170 } else { 3171 if (pass & FR_RETRST) { 3172 fin->fin_error = ECONNRESET; 3173 } 3174 } 3175 } 3176 3177 /* 3178 * After the above so that ICMP unreachables and TCP RSTs get 3179 * created properly. 3180 */ 3181 if (FR_ISBLOCK(pass) && (fin->fin_flx & FI_NEWNAT)) 3182 ipf_nat_uncreate(fin); 3183 3184 /* 3185 * If we didn't drop off the bottom of the list of rules (and thus 3186 * the 'current' rule fr is not NULL), then we may have some extra 3187 * instructions about what to do with a packet. 3188 * Once we're finished return to our caller, freeing the packet if 3189 * we are dropping it. 3190 */ 3191 if (fr != NULL) { 3192 frdest_t *fdp; 3193 3194 /* 3195 * Generate a duplicated packet first because ipf_fastroute 3196 * can lead to fin_m being free'd... not good. 3197 */ 3198 fdp = fin->fin_dif; 3199 if ((fdp != NULL) && (fdp->fd_ptr != NULL) && 3200 (fdp->fd_ptr != (void *)-1)) { 3201 mc = M_COPY(fin->fin_m); 3202 if (mc != NULL) 3203 ipf_fastroute(mc, &mc, fin, fdp); 3204 } 3205 3206 fdp = fin->fin_tif; 3207 if (!out && (pass & FR_FASTROUTE)) { 3208 /* 3209 * For fastroute rule, no destination interface defined 3210 * so pass NULL as the frdest_t parameter 3211 */ 3212 (void) ipf_fastroute(fin->fin_m, mp, fin, NULL); 3213 m = *mp = NULL; 3214 } else if ((fdp != NULL) && (fdp->fd_ptr != NULL) && 3215 (fdp->fd_ptr != (struct ifnet *)-1)) { 3216 /* this is for to rules: */ 3217 ipf_fastroute(fin->fin_m, mp, fin, fdp); 3218 m = *mp = NULL; 3219 } 3220 3221#if defined(FASTROUTE_RECURSION) 3222 (void) ipf_derefrule(softc, &fr); 3223#endif 3224 } 3225#if !defined(FASTROUTE_RECURSION) 3226 RWLOCK_EXIT(&softc->ipf_mutex); 3227#endif 3228 3229finished: 3230 if (!FR_ISPASS(pass)) { 3231 LBUMP(ipf_stats[out].fr_block); 3232 if (*mp != NULL) { 3233#ifdef _KERNEL 3234 FREE_MB_T(*mp); 3235#endif 3236 m = *mp = NULL; 3237 } 3238 } else { 3239 LBUMP(ipf_stats[out].fr_pass); 3240#if defined(_KERNEL) && defined(__sgi) 3241 if ((fin->fin_hbuf != NULL) && 3242 (mtod(fin->fin_m, struct ip *) != fin->fin_ip)) { 3243 COPYBACK(fin->fin_m, 0, fin->fin_plen, fin->fin_hbuf); 3244 } 3245#endif 3246 } 3247 3248 SPL_X(s); 3249 3250#ifdef _KERNEL 3251 if (FR_ISPASS(pass)) 3252 return 0; 3253 LBUMP(ipf_stats[out].fr_blocked[fin->fin_reason]); 3254 return fin->fin_error; 3255#else /* _KERNEL */ 3256 if (*mp != NULL) 3257 (*mp)->mb_ifp = fin->fin_ifp; 3258 blockreason = fin->fin_reason; 3259 FR_VERBOSE(("fin_flx %#x pass %#x ", fin->fin_flx, pass)); 3260 /*if ((pass & FR_CMDMASK) == (softc->ipf_pass & FR_CMDMASK))*/ 3261 if ((pass & FR_NOMATCH) != 0) 3262 return 1; 3263 3264 if ((pass & FR_RETMASK) != 0) 3265 switch (pass & FR_RETMASK) 3266 { 3267 case FR_RETRST : 3268 return 3; 3269 case FR_RETICMP : 3270 return 4; 3271 case FR_FAKEICMP : 3272 return 5; 3273 } 3274 3275 switch (pass & FR_CMDMASK) 3276 { 3277 case FR_PASS : 3278 return 0; 3279 case FR_BLOCK : 3280 return -1; 3281 case FR_AUTH : 3282 return -2; 3283 case FR_ACCOUNT : 3284 return -3; 3285 case FR_PREAUTH : 3286 return -4; 3287 } 3288 return 2; 3289#endif /* _KERNEL */ 3290} 3291 3292 3293#ifdef IPFILTER_LOG 3294/* ------------------------------------------------------------------------ */ 3295/* Function: ipf_dolog */ 3296/* Returns: frentry_t* - returns contents of fin_fr (no change made) */ 3297/* Parameters: fin(I) - pointer to packet information */ 3298/* passp(IO) - pointer to current/new filter decision (unused) */ 3299/* */ 3300/* Checks flags set to see how a packet should be logged, if it is to be */ 3301/* logged. Adjust statistics based on its success or not. */ 3302/* ------------------------------------------------------------------------ */ 3303frentry_t * 3304ipf_dolog(fin, passp) 3305 fr_info_t *fin; 3306 u_32_t *passp; 3307{ 3308 ipf_main_softc_t *softc = fin->fin_main_soft; 3309 u_32_t pass; 3310 int out; 3311 3312 out = fin->fin_out; 3313 pass = *passp; 3314 3315 if ((softc->ipf_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) { 3316 pass |= FF_LOGNOMATCH; 3317 LBUMPD(ipf_stats[out], fr_npkl); 3318 goto logit; 3319 3320 } else if (((pass & FR_LOGMASK) == FR_LOGP) || 3321 (FR_ISPASS(pass) && (softc->ipf_flags & FF_LOGPASS))) { 3322 if ((pass & FR_LOGMASK) != FR_LOGP) 3323 pass |= FF_LOGPASS; 3324 LBUMPD(ipf_stats[out], fr_ppkl); 3325 goto logit; 3326 3327 } else if (((pass & FR_LOGMASK) == FR_LOGB) || 3328 (FR_ISBLOCK(pass) && (softc->ipf_flags & FF_LOGBLOCK))) { 3329 if ((pass & FR_LOGMASK) != FR_LOGB) 3330 pass |= FF_LOGBLOCK; 3331 LBUMPD(ipf_stats[out], fr_bpkl); 3332 3333logit: 3334 if (ipf_log_pkt(fin, pass) == -1) { 3335 /* 3336 * If the "or-block" option has been used then 3337 * block the packet if we failed to log it. 3338 */ 3339 if ((pass & FR_LOGORBLOCK) && FR_ISPASS(pass)) { 3340 DT1(frb_logfail2, u_int, pass); 3341 pass &= ~FR_CMDMASK; 3342 pass |= FR_BLOCK; 3343 fin->fin_reason = FRB_LOGFAIL2; 3344 } 3345 } 3346 *passp = pass; 3347 } 3348 3349 return fin->fin_fr; 3350} 3351#endif /* IPFILTER_LOG */ 3352 3353 3354/* ------------------------------------------------------------------------ */ 3355/* Function: ipf_cksum */ 3356/* Returns: u_short - IP header checksum */ 3357/* Parameters: addr(I) - pointer to start of buffer to checksum */ 3358/* len(I) - length of buffer in bytes */ 3359/* */ 3360/* Calculate the two's complement 16 bit checksum of the buffer passed. */ 3361/* */ 3362/* N.B.: addr should be 16bit aligned. */ 3363/* ------------------------------------------------------------------------ */ 3364u_short 3365ipf_cksum(addr, len) 3366 u_short *addr; 3367 int len; 3368{ 3369 u_32_t sum = 0; 3370 3371 for (sum = 0; len > 1; len -= 2) 3372 sum += *addr++; 3373 3374 /* mop up an odd byte, if necessary */ 3375 if (len == 1) 3376 sum += *(u_char *)addr; 3377 3378 /* 3379 * add back carry outs from top 16 bits to low 16 bits 3380 */ 3381 sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ 3382 sum += (sum >> 16); /* add carry */ 3383 return (u_short)(~sum); 3384} 3385 3386 3387/* ------------------------------------------------------------------------ */ 3388/* Function: fr_cksum */ 3389/* Returns: u_short - layer 4 checksum */ 3390/* Parameters: fin(I) - pointer to packet information */ 3391/* ip(I) - pointer to IP header */ 3392/* l4proto(I) - protocol to caclulate checksum for */ 3393/* l4hdr(I) - pointer to layer 4 header */ 3394/* */ 3395/* Calculates the TCP checksum for the packet held in "m", using the data */ 3396/* in the IP header "ip" to seed it. */ 3397/* */ 3398/* NB: This function assumes we've pullup'd enough for all of the IP header */ 3399/* and the TCP header. We also assume that data blocks aren't allocated in */ 3400/* odd sizes. */ 3401/* */ 3402/* Expects ip_len and ip_off to be in network byte order when called. */ 3403/* ------------------------------------------------------------------------ */ 3404u_short 3405fr_cksum(fin, ip, l4proto, l4hdr) 3406 fr_info_t *fin; 3407 ip_t *ip; 3408 int l4proto; 3409 void *l4hdr; 3410{ 3411 u_short *sp, slen, sumsave, *csump; 3412 u_int sum, sum2; 3413 int hlen; 3414 int off; 3415#ifdef USE_INET6 3416 ip6_t *ip6; 3417#endif 3418 3419 csump = NULL; 3420 sumsave = 0; 3421 sp = NULL; 3422 slen = 0; 3423 hlen = 0; 3424 sum = 0; 3425 3426 sum = htons((u_short)l4proto); 3427 /* 3428 * Add up IP Header portion 3429 */ 3430#ifdef USE_INET6 3431 if (IP_V(ip) == 4) { 3432#endif 3433 hlen = IP_HL(ip) << 2; 3434 off = hlen; 3435 sp = (u_short *)&ip->ip_src; 3436 sum += *sp++; /* ip_src */ 3437 sum += *sp++; 3438 sum += *sp++; /* ip_dst */ 3439 sum += *sp++; 3440 slen = fin->fin_plen - off; 3441 sum += htons(slen); 3442#ifdef USE_INET6 3443 } else if (IP_V(ip) == 6) { 3444 mb_t *m; 3445 3446 m = fin->fin_m; 3447 ip6 = (ip6_t *)ip; 3448 off = ((caddr_t)ip6 - m->m_data) + sizeof(struct ip6_hdr); 3449 int len = ntohs(ip6->ip6_plen) - (off - sizeof(*ip6)); 3450 return(ipf_pcksum6(fin, ip6, off, len)); 3451 } else { 3452 return 0xffff; 3453 } 3454#endif 3455 3456 switch (l4proto) 3457 { 3458 case IPPROTO_UDP : 3459 csump = &((udphdr_t *)l4hdr)->uh_sum; 3460 break; 3461 3462 case IPPROTO_TCP : 3463 csump = &((tcphdr_t *)l4hdr)->th_sum; 3464 break; 3465 case IPPROTO_ICMP : 3466 csump = &((icmphdr_t *)l4hdr)->icmp_cksum; 3467 sum = 0; /* Pseudo-checksum is not included */ 3468 break; 3469#ifdef USE_INET6 3470 case IPPROTO_ICMPV6 : 3471 csump = &((struct icmp6_hdr *)l4hdr)->icmp6_cksum; 3472 break; 3473#endif 3474 default : 3475 break; 3476 } 3477 3478 if (csump != NULL) { 3479 sumsave = *csump; 3480 *csump = 0; 3481 } 3482 3483 sum2 = ipf_pcksum(fin, off, sum); 3484 if (csump != NULL) 3485 *csump = sumsave; 3486 return sum2; 3487} 3488 3489 3490/* ------------------------------------------------------------------------ */ 3491/* Function: ipf_findgroup */ 3492/* Returns: frgroup_t * - NULL = group not found, else pointer to group */ 3493/* Parameters: softc(I) - pointer to soft context main structure */ 3494/* group(I) - group name to search for */ 3495/* unit(I) - device to which this group belongs */ 3496/* set(I) - which set of rules (inactive/inactive) this is */ 3497/* fgpp(O) - pointer to place to store pointer to the pointer */ 3498/* to where to add the next (last) group or where */ 3499/* to delete group from. */ 3500/* */ 3501/* Search amongst the defined groups for a particular group number. */ 3502/* ------------------------------------------------------------------------ */ 3503frgroup_t * 3504ipf_findgroup(softc, group, unit, set, fgpp) 3505 ipf_main_softc_t *softc; 3506 char *group; 3507 minor_t unit; 3508 int set; 3509 frgroup_t ***fgpp; 3510{ 3511 frgroup_t *fg, **fgp; 3512 3513 /* 3514 * Which list of groups to search in is dependent on which list of 3515 * rules are being operated on. 3516 */ 3517 fgp = &softc->ipf_groups[unit][set]; 3518 3519 while ((fg = *fgp) != NULL) { 3520 if (strncmp(group, fg->fg_name, FR_GROUPLEN) == 0) 3521 break; 3522 else 3523 fgp = &fg->fg_next; 3524 } 3525 if (fgpp != NULL) 3526 *fgpp = fgp; 3527 return fg; 3528} 3529 3530 3531/* ------------------------------------------------------------------------ */ 3532/* Function: ipf_group_add */ 3533/* Returns: frgroup_t * - NULL == did not create group, */ 3534/* != NULL == pointer to the group */ 3535/* Parameters: softc(I) - pointer to soft context main structure */ 3536/* num(I) - group number to add */ 3537/* head(I) - rule pointer that is using this as the head */ 3538/* flags(I) - rule flags which describe the type of rule it is */ 3539/* unit(I) - device to which this group will belong to */ 3540/* set(I) - which set of rules (inactive/inactive) this is */ 3541/* Write Locks: ipf_mutex */ 3542/* */ 3543/* Add a new group head, or if it already exists, increase the reference */ 3544/* count to it. */ 3545/* ------------------------------------------------------------------------ */ 3546frgroup_t * 3547ipf_group_add(softc, group, head, flags, unit, set) 3548 ipf_main_softc_t *softc; 3549 char *group; 3550 void *head; 3551 u_32_t flags; 3552 minor_t unit; 3553 int set; 3554{ 3555 frgroup_t *fg, **fgp; 3556 u_32_t gflags; 3557 3558 if (group == NULL) 3559 return NULL; 3560 3561 if (unit == IPL_LOGIPF && *group == '\0') 3562 return NULL; 3563 3564 fgp = NULL; 3565 gflags = flags & FR_INOUT; 3566 3567 fg = ipf_findgroup(softc, group, unit, set, &fgp); 3568 if (fg != NULL) { 3569 if (fg->fg_head == NULL && head != NULL) 3570 fg->fg_head = head; 3571 if (fg->fg_flags == 0) 3572 fg->fg_flags = gflags; 3573 else if (gflags != fg->fg_flags) 3574 return NULL; 3575 fg->fg_ref++; 3576 return fg; 3577 } 3578 3579 KMALLOC(fg, frgroup_t *); 3580 if (fg != NULL) { 3581 fg->fg_head = head; 3582 fg->fg_start = NULL; 3583 fg->fg_next = *fgp; 3584 bcopy(group, fg->fg_name, strlen(group) + 1); 3585 fg->fg_flags = gflags; 3586 fg->fg_ref = 1; 3587 fg->fg_set = &softc->ipf_groups[unit][set]; 3588 *fgp = fg; 3589 } 3590 return fg; 3591} 3592 3593 3594/* ------------------------------------------------------------------------ */ 3595/* Function: ipf_group_del */ 3596/* Returns: int - number of rules deleted */ 3597/* Parameters: softc(I) - pointer to soft context main structure */ 3598/* group(I) - group name to delete */ 3599/* fr(I) - filter rule from which group is referenced */ 3600/* Write Locks: ipf_mutex */ 3601/* */ 3602/* This function is called whenever a reference to a group is to be dropped */ 3603/* and thus its reference count needs to be lowered and the group free'd if */ 3604/* the reference count reaches zero. Passing in fr is really for the sole */ 3605/* purpose of knowing when the head rule is being deleted. */ 3606/* ------------------------------------------------------------------------ */ 3607void 3608ipf_group_del(softc, group, fr) 3609 ipf_main_softc_t *softc; 3610 frgroup_t *group; 3611 frentry_t *fr; 3612{ 3613 3614 if (group->fg_head == fr) 3615 group->fg_head = NULL; 3616 3617 group->fg_ref--; 3618 if ((group->fg_ref == 0) && (group->fg_start == NULL)) 3619 ipf_group_free(group); 3620} 3621 3622 3623/* ------------------------------------------------------------------------ */ 3624/* Function: ipf_group_free */ 3625/* Returns: Nil */ 3626/* Parameters: group(I) - pointer to filter rule group */ 3627/* */ 3628/* Remove the group from the list of groups and free it. */ 3629/* ------------------------------------------------------------------------ */ 3630static void 3631ipf_group_free(group) 3632 frgroup_t *group; 3633{ 3634 frgroup_t **gp; 3635 3636 for (gp = group->fg_set; *gp != NULL; gp = &(*gp)->fg_next) { 3637 if (*gp == group) { 3638 *gp = group->fg_next; 3639 break; 3640 } 3641 } 3642 KFREE(group); 3643} 3644 3645 3646/* ------------------------------------------------------------------------ */ 3647/* Function: ipf_group_flush */ 3648/* Returns: int - number of rules flush from group */ 3649/* Parameters: softc(I) - pointer to soft context main structure */ 3650/* Parameters: group(I) - pointer to filter rule group */ 3651/* */ 3652/* Remove all of the rules that currently are listed under the given group. */ 3653/* ------------------------------------------------------------------------ */ 3654static int 3655ipf_group_flush(softc, group) 3656 ipf_main_softc_t *softc; 3657 frgroup_t *group; 3658{ 3659 int gone = 0; 3660 3661 (void) ipf_flushlist(softc, &gone, &group->fg_start); 3662 3663 return gone; 3664} 3665 3666 3667/* ------------------------------------------------------------------------ */ 3668/* Function: ipf_getrulen */ 3669/* Returns: frentry_t * - NULL == not found, else pointer to rule n */ 3670/* Parameters: softc(I) - pointer to soft context main structure */ 3671/* Parameters: unit(I) - device for which to count the rule's number */ 3672/* flags(I) - which set of rules to find the rule in */ 3673/* group(I) - group name */ 3674/* n(I) - rule number to find */ 3675/* */ 3676/* Find rule # n in group # g and return a pointer to it. Return NULl if */ 3677/* group # g doesn't exist or there are less than n rules in the group. */ 3678/* ------------------------------------------------------------------------ */ 3679frentry_t * 3680ipf_getrulen(softc, unit, group, n) 3681 ipf_main_softc_t *softc; 3682 int unit; 3683 char *group; 3684 u_32_t n; 3685{ 3686 frentry_t *fr; 3687 frgroup_t *fg; 3688 3689 fg = ipf_findgroup(softc, group, unit, softc->ipf_active, NULL); 3690 if (fg == NULL) 3691 return NULL; 3692 for (fr = fg->fg_start; fr && n; fr = fr->fr_next, n--) 3693 ; 3694 if (n != 0) 3695 return NULL; 3696 return fr; 3697} 3698 3699 3700/* ------------------------------------------------------------------------ */ 3701/* Function: ipf_flushlist */ 3702/* Returns: int - >= 0 - number of flushed rules */ 3703/* Parameters: softc(I) - pointer to soft context main structure */ 3704/* nfreedp(O) - pointer to int where flush count is stored */ 3705/* listp(I) - pointer to list to flush pointer */ 3706/* Write Locks: ipf_mutex */ 3707/* */ 3708/* Recursively flush rules from the list, descending groups as they are */ 3709/* encountered. if a rule is the head of a group and it has lost all its */ 3710/* group members, then also delete the group reference. nfreedp is needed */ 3711/* to store the accumulating count of rules removed, whereas the returned */ 3712/* value is just the number removed from the current list. The latter is */ 3713/* needed to correctly adjust reference counts on rules that define groups. */ 3714/* */ 3715/* NOTE: Rules not loaded from user space cannot be flushed. */ 3716/* ------------------------------------------------------------------------ */ 3717static int 3718ipf_flushlist(softc, nfreedp, listp) 3719 ipf_main_softc_t *softc; 3720 int *nfreedp; 3721 frentry_t **listp; 3722{ 3723 int freed = 0; 3724 frentry_t *fp; 3725 3726 while ((fp = *listp) != NULL) { 3727 if ((fp->fr_type & FR_T_BUILTIN) || 3728 !(fp->fr_flags & FR_COPIED)) { 3729 listp = &fp->fr_next; 3730 continue; 3731 } 3732 *listp = fp->fr_next; 3733 if (fp->fr_next != NULL) 3734 fp->fr_next->fr_pnext = fp->fr_pnext; 3735 fp->fr_pnext = NULL; 3736 3737 if (fp->fr_grphead != NULL) { 3738 freed += ipf_group_flush(softc, fp->fr_grphead); 3739 fp->fr_names[fp->fr_grhead] = '\0'; 3740 } 3741 3742 if (fp->fr_icmpgrp != NULL) { 3743 freed += ipf_group_flush(softc, fp->fr_icmpgrp); 3744 fp->fr_names[fp->fr_icmphead] = '\0'; 3745 } 3746 3747 if (fp->fr_srctrack.ht_max_nodes) 3748 ipf_rb_ht_flush(&fp->fr_srctrack); 3749 3750 fp->fr_next = NULL; 3751 3752 ASSERT(fp->fr_ref > 0); 3753 if (ipf_derefrule(softc, &fp) == 0) 3754 freed++; 3755 } 3756 *nfreedp += freed; 3757 return freed; 3758} 3759 3760 3761/* ------------------------------------------------------------------------ */ 3762/* Function: ipf_flush */ 3763/* Returns: int - >= 0 - number of flushed rules */ 3764/* Parameters: softc(I) - pointer to soft context main structure */ 3765/* unit(I) - device for which to flush rules */ 3766/* flags(I) - which set of rules to flush */ 3767/* */ 3768/* Calls flushlist() for all filter rules (accounting, firewall - both IPv4 */ 3769/* and IPv6) as defined by the value of flags. */ 3770/* ------------------------------------------------------------------------ */ 3771int 3772ipf_flush(softc, unit, flags) 3773 ipf_main_softc_t *softc; 3774 minor_t unit; 3775 int flags; 3776{ 3777 int flushed = 0, set; 3778 3779 WRITE_ENTER(&softc->ipf_mutex); 3780 3781 set = softc->ipf_active; 3782 if ((flags & FR_INACTIVE) == FR_INACTIVE) 3783 set = 1 - set; 3784 3785 if (flags & FR_OUTQUE) { 3786 ipf_flushlist(softc, &flushed, &softc->ipf_rules[1][set]); 3787 ipf_flushlist(softc, &flushed, &softc->ipf_acct[1][set]); 3788 } 3789 if (flags & FR_INQUE) { 3790 ipf_flushlist(softc, &flushed, &softc->ipf_rules[0][set]); 3791 ipf_flushlist(softc, &flushed, &softc->ipf_acct[0][set]); 3792 } 3793 3794 flushed += ipf_flush_groups(softc, &softc->ipf_groups[unit][set], 3795 flags & (FR_INQUE|FR_OUTQUE)); 3796 3797 RWLOCK_EXIT(&softc->ipf_mutex); 3798 3799 if (unit == IPL_LOGIPF) { 3800 int tmp; 3801 3802 tmp = ipf_flush(softc, IPL_LOGCOUNT, flags); 3803 if (tmp >= 0) 3804 flushed += tmp; 3805 } 3806 return flushed; 3807} 3808 3809 3810/* ------------------------------------------------------------------------ */ 3811/* Function: ipf_flush_groups */ 3812/* Returns: int - >= 0 - number of flushed rules */ 3813/* Parameters: softc(I) - soft context pointerto work with */ 3814/* grhead(I) - pointer to the start of the group list to flush */ 3815/* flags(I) - which set of rules to flush */ 3816/* */ 3817/* Walk through all of the groups under the given group head and remove all */ 3818/* of those that match the flags passed in. The for loop here is bit more */ 3819/* complicated than usual because the removal of a rule with ipf_derefrule */ 3820/* may end up removing not only the structure pointed to by "fg" but also */ 3821/* what is fg_next and fg_next after that. So if a filter rule is actually */ 3822/* removed from the group then it is necessary to start again. */ 3823/* ------------------------------------------------------------------------ */ 3824static int 3825ipf_flush_groups(softc, grhead, flags) 3826 ipf_main_softc_t *softc; 3827 frgroup_t **grhead; 3828 int flags; 3829{ 3830 frentry_t *fr, **frp; 3831 frgroup_t *fg, **fgp; 3832 int flushed = 0; 3833 int removed = 0; 3834 3835 for (fgp = grhead; (fg = *fgp) != NULL; ) { 3836 while ((fg != NULL) && ((fg->fg_flags & flags) == 0)) 3837 fg = fg->fg_next; 3838 if (fg == NULL) 3839 break; 3840 removed = 0; 3841 frp = &fg->fg_start; 3842 while ((removed == 0) && ((fr = *frp) != NULL)) { 3843 if ((fr->fr_flags & flags) == 0) { 3844 frp = &fr->fr_next; 3845 } else { 3846 if (fr->fr_next != NULL) 3847 fr->fr_next->fr_pnext = fr->fr_pnext; 3848 *frp = fr->fr_next; 3849 fr->fr_pnext = NULL; 3850 fr->fr_next = NULL; 3851 (void) ipf_derefrule(softc, &fr); 3852 flushed++; 3853 removed++; 3854 } 3855 } 3856 if (removed == 0) 3857 fgp = &fg->fg_next; 3858 } 3859 return flushed; 3860} 3861 3862 3863/* ------------------------------------------------------------------------ */ 3864/* Function: memstr */ 3865/* Returns: char * - NULL if failed, != NULL pointer to matching bytes */ 3866/* Parameters: src(I) - pointer to byte sequence to match */ 3867/* dst(I) - pointer to byte sequence to search */ 3868/* slen(I) - match length */ 3869/* dlen(I) - length available to search in */ 3870/* */ 3871/* Search dst for a sequence of bytes matching those at src and extend for */ 3872/* slen bytes. */ 3873/* ------------------------------------------------------------------------ */ 3874char * 3875memstr(src, dst, slen, dlen) 3876 const char *src; 3877 char *dst; 3878 size_t slen, dlen; 3879{ 3880 char *s = NULL; 3881 3882 while (dlen >= slen) { 3883 if (bcmp(src, dst, slen) == 0) { 3884 s = dst; 3885 break; 3886 } 3887 dst++; 3888 dlen--; 3889 } 3890 return s; 3891} 3892/* ------------------------------------------------------------------------ */ 3893/* Function: ipf_fixskip */ 3894/* Returns: Nil */ 3895/* Parameters: listp(IO) - pointer to start of list with skip rule */ 3896/* rp(I) - rule added/removed with skip in it. */ 3897/* addremove(I) - adjustment (-1/+1) to make to skip count, */ 3898/* depending on whether a rule was just added */ 3899/* or removed. */ 3900/* */ 3901/* Adjust all the rules in a list which would have skip'd past the position */ 3902/* where we are inserting to skip to the right place given the change. */ 3903/* ------------------------------------------------------------------------ */ 3904void 3905ipf_fixskip(listp, rp, addremove) 3906 frentry_t **listp, *rp; 3907 int addremove; 3908{ 3909 int rules, rn; 3910 frentry_t *fp; 3911 3912 rules = 0; 3913 for (fp = *listp; (fp != NULL) && (fp != rp); fp = fp->fr_next) 3914 rules++; 3915 3916 if (!fp) 3917 return; 3918 3919 for (rn = 0, fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++) 3920 if (FR_ISSKIP(fp->fr_flags) && (rn + fp->fr_arg >= rules)) 3921 fp->fr_arg += addremove; 3922} 3923 3924 3925#ifdef _KERNEL 3926/* ------------------------------------------------------------------------ */ 3927/* Function: count4bits */ 3928/* Returns: int - >= 0 - number of consecutive bits in input */ 3929/* Parameters: ip(I) - 32bit IP address */ 3930/* */ 3931/* IPv4 ONLY */ 3932/* count consecutive 1's in bit mask. If the mask generated by counting */ 3933/* consecutive 1's is different to that passed, return -1, else return # */ 3934/* of bits. */ 3935/* ------------------------------------------------------------------------ */ 3936int 3937count4bits(ip) 3938 u_32_t ip; 3939{ 3940 u_32_t ipn; 3941 int cnt = 0, i, j; 3942 3943 ip = ipn = ntohl(ip); 3944 for (i = 32; i; i--, ipn *= 2) 3945 if (ipn & 0x80000000) 3946 cnt++; 3947 else 3948 break; 3949 ipn = 0; 3950 for (i = 32, j = cnt; i; i--, j--) { 3951 ipn *= 2; 3952 if (j > 0) 3953 ipn++; 3954 } 3955 if (ipn == ip) 3956 return cnt; 3957 return -1; 3958} 3959 3960 3961/* ------------------------------------------------------------------------ */ 3962/* Function: count6bits */ 3963/* Returns: int - >= 0 - number of consecutive bits in input */ 3964/* Parameters: msk(I) - pointer to start of IPv6 bitmask */ 3965/* */ 3966/* IPv6 ONLY */ 3967/* count consecutive 1's in bit mask. */ 3968/* ------------------------------------------------------------------------ */ 3969# ifdef USE_INET6 3970int 3971count6bits(msk) 3972 u_32_t *msk; 3973{ 3974 int i = 0, k; 3975 u_32_t j; 3976 3977 for (k = 3; k >= 0; k--) 3978 if (msk[k] == 0xffffffff) 3979 i += 32; 3980 else { 3981 for (j = msk[k]; j; j <<= 1) 3982 if (j & 0x80000000) 3983 i++; 3984 } 3985 return i; 3986} 3987# endif 3988#endif /* _KERNEL */ 3989 3990 3991/* ------------------------------------------------------------------------ */ 3992/* Function: ipf_synclist */ 3993/* Returns: int - 0 = no failures, else indication of first failure */ 3994/* Parameters: fr(I) - start of filter list to sync interface names for */ 3995/* ifp(I) - interface pointer for limiting sync lookups */ 3996/* Write Locks: ipf_mutex */ 3997/* */ 3998/* Walk through a list of filter rules and resolve any interface names into */ 3999/* pointers. Where dynamic addresses are used, also update the IP address */ 4000/* used in the rule. The interface pointer is used to limit the lookups to */ 4001/* a specific set of matching names if it is non-NULL. */ 4002/* Errors can occur when resolving the destination name of to/dup-to fields */ 4003/* when the name points to a pool and that pool doest not exist. If this */ 4004/* does happen then it is necessary to check if there are any lookup refs */ 4005/* that need to be dropped before returning with an error. */ 4006/* ------------------------------------------------------------------------ */ 4007static int 4008ipf_synclist(softc, fr, ifp) 4009 ipf_main_softc_t *softc; 4010 frentry_t *fr; 4011 void *ifp; 4012{ 4013 frentry_t *frt, *start = fr; 4014 frdest_t *fdp; 4015 char *name; 4016 int error; 4017 void *ifa; 4018 int v, i; 4019 4020 error = 0; 4021 4022 for (; fr; fr = fr->fr_next) { 4023 if (fr->fr_family == AF_INET) 4024 v = 4; 4025 else if (fr->fr_family == AF_INET6) 4026 v = 6; 4027 else 4028 v = 0; 4029 4030 /* 4031 * Lookup all the interface names that are part of the rule. 4032 */ 4033 for (i = 0; i < 4; i++) { 4034 if ((ifp != NULL) && (fr->fr_ifas[i] != ifp)) 4035 continue; 4036 if (fr->fr_ifnames[i] == -1) 4037 continue; 4038 name = FR_NAME(fr, fr_ifnames[i]); 4039 fr->fr_ifas[i] = ipf_resolvenic(softc, name, v); 4040 } 4041 4042 if ((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) { 4043 if (fr->fr_satype != FRI_NORMAL && 4044 fr->fr_satype != FRI_LOOKUP) { 4045 ifa = ipf_resolvenic(softc, fr->fr_names + 4046 fr->fr_sifpidx, v); 4047 ipf_ifpaddr(softc, v, fr->fr_satype, ifa, 4048 &fr->fr_src6, &fr->fr_smsk6); 4049 } 4050 if (fr->fr_datype != FRI_NORMAL && 4051 fr->fr_datype != FRI_LOOKUP) { 4052 ifa = ipf_resolvenic(softc, fr->fr_names + 4053 fr->fr_sifpidx, v); 4054 ipf_ifpaddr(softc, v, fr->fr_datype, ifa, 4055 &fr->fr_dst6, &fr->fr_dmsk6); 4056 } 4057 } 4058 4059 fdp = &fr->fr_tifs[0]; 4060 if ((ifp == NULL) || (fdp->fd_ptr == ifp)) { 4061 error = ipf_resolvedest(softc, fr->fr_names, fdp, v); 4062 if (error != 0) 4063 goto unwind; 4064 } 4065 4066 fdp = &fr->fr_tifs[1]; 4067 if ((ifp == NULL) || (fdp->fd_ptr == ifp)) { 4068 error = ipf_resolvedest(softc, fr->fr_names, fdp, v); 4069 if (error != 0) 4070 goto unwind; 4071 } 4072 4073 fdp = &fr->fr_dif; 4074 if ((ifp == NULL) || (fdp->fd_ptr == ifp)) { 4075 error = ipf_resolvedest(softc, fr->fr_names, fdp, v); 4076 if (error != 0) 4077 goto unwind; 4078 } 4079 4080 if (((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) && 4081 (fr->fr_satype == FRI_LOOKUP) && (fr->fr_srcptr == NULL)) { 4082 fr->fr_srcptr = ipf_lookup_res_num(softc, 4083 fr->fr_srctype, 4084 IPL_LOGIPF, 4085 fr->fr_srcnum, 4086 &fr->fr_srcfunc); 4087 } 4088 if (((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) && 4089 (fr->fr_datype == FRI_LOOKUP) && (fr->fr_dstptr == NULL)) { 4090 fr->fr_dstptr = ipf_lookup_res_num(softc, 4091 fr->fr_dsttype, 4092 IPL_LOGIPF, 4093 fr->fr_dstnum, 4094 &fr->fr_dstfunc); 4095 } 4096 } 4097 return 0; 4098 4099unwind: 4100 for (frt = start; frt != fr; fr = fr->fr_next) { 4101 if (((frt->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) && 4102 (frt->fr_satype == FRI_LOOKUP) && (frt->fr_srcptr != NULL)) 4103 ipf_lookup_deref(softc, frt->fr_srctype, 4104 frt->fr_srcptr); 4105 if (((frt->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) && 4106 (frt->fr_datype == FRI_LOOKUP) && (frt->fr_dstptr != NULL)) 4107 ipf_lookup_deref(softc, frt->fr_dsttype, 4108 frt->fr_dstptr); 4109 } 4110 return error; 4111} 4112 4113 4114/* ------------------------------------------------------------------------ */ 4115/* Function: ipf_sync */ 4116/* Returns: void */ 4117/* Parameters: Nil */ 4118/* */ 4119/* ipf_sync() is called when we suspect that the interface list or */ 4120/* information about interfaces (like IP#) has changed. Go through all */ 4121/* filter rules, NAT entries and the state table and check if anything */ 4122/* needs to be changed/updated. */ 4123/* ------------------------------------------------------------------------ */ 4124int 4125ipf_sync(softc, ifp) 4126 ipf_main_softc_t *softc; 4127 void *ifp; 4128{ 4129 int i; 4130 4131# if !SOLARIS 4132 ipf_nat_sync(softc, ifp); 4133 ipf_state_sync(softc, ifp); 4134 ipf_lookup_sync(softc, ifp); 4135# endif 4136 4137 WRITE_ENTER(&softc->ipf_mutex); 4138 (void) ipf_synclist(softc, softc->ipf_acct[0][softc->ipf_active], ifp); 4139 (void) ipf_synclist(softc, softc->ipf_acct[1][softc->ipf_active], ifp); 4140 (void) ipf_synclist(softc, softc->ipf_rules[0][softc->ipf_active], ifp); 4141 (void) ipf_synclist(softc, softc->ipf_rules[1][softc->ipf_active], ifp); 4142 4143 for (i = 0; i < IPL_LOGSIZE; i++) { 4144 frgroup_t *g; 4145 4146 for (g = softc->ipf_groups[i][0]; g != NULL; g = g->fg_next) 4147 (void) ipf_synclist(softc, g->fg_start, ifp); 4148 for (g = softc->ipf_groups[i][1]; g != NULL; g = g->fg_next) 4149 (void) ipf_synclist(softc, g->fg_start, ifp); 4150 } 4151 RWLOCK_EXIT(&softc->ipf_mutex); 4152 4153 return 0; 4154} 4155 4156 4157/* 4158 * In the functions below, bcopy() is called because the pointer being 4159 * copied _from_ in this instance is a pointer to a char buf (which could 4160 * end up being unaligned) and on the kernel's local stack. 4161 */ 4162/* ------------------------------------------------------------------------ */ 4163/* Function: copyinptr */ 4164/* Returns: int - 0 = success, else failure */ 4165/* Parameters: src(I) - pointer to the source address */ 4166/* dst(I) - destination address */ 4167/* size(I) - number of bytes to copy */ 4168/* */ 4169/* Copy a block of data in from user space, given a pointer to the pointer */ 4170/* to start copying from (src) and a pointer to where to store it (dst). */ 4171/* NB: src - pointer to user space pointer, dst - kernel space pointer */ 4172/* ------------------------------------------------------------------------ */ 4173int 4174copyinptr(softc, src, dst, size) 4175 ipf_main_softc_t *softc; 4176 void *src, *dst; 4177 size_t size; 4178{ 4179 caddr_t ca; 4180 int error; 4181 4182# if SOLARIS 4183 error = COPYIN(src, &ca, sizeof(ca)); 4184 if (error != 0) 4185 return error; 4186# else 4187 bcopy(src, (caddr_t)&ca, sizeof(ca)); 4188# endif 4189 error = COPYIN(ca, dst, size); 4190 if (error != 0) { 4191 IPFERROR(3); 4192 error = EFAULT; 4193 } 4194 return error; 4195} 4196 4197 4198/* ------------------------------------------------------------------------ */ 4199/* Function: copyoutptr */ 4200/* Returns: int - 0 = success, else failure */ 4201/* Parameters: src(I) - pointer to the source address */ 4202/* dst(I) - destination address */ 4203/* size(I) - number of bytes to copy */ 4204/* */ 4205/* Copy a block of data out to user space, given a pointer to the pointer */ 4206/* to start copying from (src) and a pointer to where to store it (dst). */ 4207/* NB: src - kernel space pointer, dst - pointer to user space pointer. */ 4208/* ------------------------------------------------------------------------ */ 4209int 4210copyoutptr(softc, src, dst, size) 4211 ipf_main_softc_t *softc; 4212 void *src, *dst; 4213 size_t size; 4214{ 4215 caddr_t ca; 4216 int error; 4217 4218 bcopy(dst, (caddr_t)&ca, sizeof(ca)); 4219 error = COPYOUT(src, ca, size); 4220 if (error != 0) { 4221 IPFERROR(4); 4222 error = EFAULT; 4223 } 4224 return error; 4225} 4226 4227 4228/* ------------------------------------------------------------------------ */ 4229/* Function: ipf_lock */ 4230/* Returns: int - 0 = success, else error */ 4231/* Parameters: data(I) - pointer to lock value to set */ 4232/* lockp(O) - pointer to location to store old lock value */ 4233/* */ 4234/* Get the new value for the lock integer, set it and return the old value */ 4235/* in *lockp. */ 4236/* ------------------------------------------------------------------------ */ 4237int 4238ipf_lock(data, lockp) 4239 caddr_t data; 4240 int *lockp; 4241{ 4242 int arg, err; 4243 4244 err = BCOPYIN(data, &arg, sizeof(arg)); 4245 if (err != 0) 4246 return EFAULT; 4247 err = BCOPYOUT(lockp, data, sizeof(*lockp)); 4248 if (err != 0) 4249 return EFAULT; 4250 *lockp = arg; 4251 return 0; 4252} 4253 4254 4255/* ------------------------------------------------------------------------ */ 4256/* Function: ipf_getstat */ 4257/* Returns: Nil */ 4258/* Parameters: softc(I) - pointer to soft context main structure */ 4259/* fiop(I) - pointer to ipfilter stats structure */ 4260/* rev(I) - version claim by program doing ioctl */ 4261/* */ 4262/* Stores a copy of current pointers, counters, etc, in the friostat */ 4263/* structure. */ 4264/* If IPFILTER_COMPAT is compiled, we pretend to be whatever version the */ 4265/* program is looking for. This ensure that validation of the version it */ 4266/* expects will always succeed. Thus kernels with IPFILTER_COMPAT will */ 4267/* allow older binaries to work but kernels without it will not. */ 4268/* ------------------------------------------------------------------------ */ 4269/*ARGSUSED*/ 4270static void 4271ipf_getstat(softc, fiop, rev) 4272 ipf_main_softc_t *softc; 4273 friostat_t *fiop; 4274 int rev; 4275{ 4276 int i; 4277 4278 bcopy((char *)softc->ipf_stats, (char *)fiop->f_st, 4279 sizeof(ipf_statistics_t) * 2); 4280 fiop->f_locks[IPL_LOGSTATE] = -1; 4281 fiop->f_locks[IPL_LOGNAT] = -1; 4282 fiop->f_locks[IPL_LOGIPF] = -1; 4283 fiop->f_locks[IPL_LOGAUTH] = -1; 4284 4285 fiop->f_ipf[0][0] = softc->ipf_rules[0][0]; 4286 fiop->f_acct[0][0] = softc->ipf_acct[0][0]; 4287 fiop->f_ipf[0][1] = softc->ipf_rules[0][1]; 4288 fiop->f_acct[0][1] = softc->ipf_acct[0][1]; 4289 fiop->f_ipf[1][0] = softc->ipf_rules[1][0]; 4290 fiop->f_acct[1][0] = softc->ipf_acct[1][0]; 4291 fiop->f_ipf[1][1] = softc->ipf_rules[1][1]; 4292 fiop->f_acct[1][1] = softc->ipf_acct[1][1]; 4293 4294 fiop->f_ticks = softc->ipf_ticks; 4295 fiop->f_active = softc->ipf_active; 4296 fiop->f_froute[0] = softc->ipf_frouteok[0]; 4297 fiop->f_froute[1] = softc->ipf_frouteok[1]; 4298 fiop->f_rb_no_mem = softc->ipf_rb_no_mem; 4299 fiop->f_rb_node_max = softc->ipf_rb_node_max; 4300 4301 fiop->f_running = softc->ipf_running; 4302 for (i = 0; i < IPL_LOGSIZE; i++) { 4303 fiop->f_groups[i][0] = softc->ipf_groups[i][0]; 4304 fiop->f_groups[i][1] = softc->ipf_groups[i][1]; 4305 } 4306#ifdef IPFILTER_LOG 4307 fiop->f_log_ok = ipf_log_logok(softc, IPL_LOGIPF); 4308 fiop->f_log_fail = ipf_log_failures(softc, IPL_LOGIPF); 4309 fiop->f_logging = 1; 4310#else 4311 fiop->f_log_ok = 0; 4312 fiop->f_log_fail = 0; 4313 fiop->f_logging = 0; 4314#endif 4315 fiop->f_defpass = softc->ipf_pass; 4316 fiop->f_features = ipf_features; 4317 4318#ifdef IPFILTER_COMPAT 4319 sprintf(fiop->f_version, "IP Filter: v%d.%d.%d", 4320 (rev / 1000000) % 100, 4321 (rev / 10000) % 100, 4322 (rev / 100) % 100); 4323#else 4324 rev = rev; 4325 (void) strncpy(fiop->f_version, ipfilter_version, 4326 sizeof(fiop->f_version)); 4327#endif 4328} 4329 4330 4331#ifdef USE_INET6 4332int icmptoicmp6types[ICMP_MAXTYPE+1] = { 4333 ICMP6_ECHO_REPLY, /* 0: ICMP_ECHOREPLY */ 4334 -1, /* 1: UNUSED */ 4335 -1, /* 2: UNUSED */ 4336 ICMP6_DST_UNREACH, /* 3: ICMP_UNREACH */ 4337 -1, /* 4: ICMP_SOURCEQUENCH */ 4338 ND_REDIRECT, /* 5: ICMP_REDIRECT */ 4339 -1, /* 6: UNUSED */ 4340 -1, /* 7: UNUSED */ 4341 ICMP6_ECHO_REQUEST, /* 8: ICMP_ECHO */ 4342 -1, /* 9: UNUSED */ 4343 -1, /* 10: UNUSED */ 4344 ICMP6_TIME_EXCEEDED, /* 11: ICMP_TIMXCEED */ 4345 ICMP6_PARAM_PROB, /* 12: ICMP_PARAMPROB */ 4346 -1, /* 13: ICMP_TSTAMP */ 4347 -1, /* 14: ICMP_TSTAMPREPLY */ 4348 -1, /* 15: ICMP_IREQ */ 4349 -1, /* 16: ICMP_IREQREPLY */ 4350 -1, /* 17: ICMP_MASKREQ */ 4351 -1, /* 18: ICMP_MASKREPLY */ 4352}; 4353 4354 4355int icmptoicmp6unreach[ICMP_MAX_UNREACH] = { 4356 ICMP6_DST_UNREACH_ADDR, /* 0: ICMP_UNREACH_NET */ 4357 ICMP6_DST_UNREACH_ADDR, /* 1: ICMP_UNREACH_HOST */ 4358 -1, /* 2: ICMP_UNREACH_PROTOCOL */ 4359 ICMP6_DST_UNREACH_NOPORT, /* 3: ICMP_UNREACH_PORT */ 4360 -1, /* 4: ICMP_UNREACH_NEEDFRAG */ 4361 ICMP6_DST_UNREACH_NOTNEIGHBOR, /* 5: ICMP_UNREACH_SRCFAIL */ 4362 ICMP6_DST_UNREACH_ADDR, /* 6: ICMP_UNREACH_NET_UNKNOWN */ 4363 ICMP6_DST_UNREACH_ADDR, /* 7: ICMP_UNREACH_HOST_UNKNOWN */ 4364 -1, /* 8: ICMP_UNREACH_ISOLATED */ 4365 ICMP6_DST_UNREACH_ADMIN, /* 9: ICMP_UNREACH_NET_PROHIB */ 4366 ICMP6_DST_UNREACH_ADMIN, /* 10: ICMP_UNREACH_HOST_PROHIB */ 4367 -1, /* 11: ICMP_UNREACH_TOSNET */ 4368 -1, /* 12: ICMP_UNREACH_TOSHOST */ 4369 ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */ 4370}; 4371int icmpreplytype6[ICMP6_MAXTYPE + 1]; 4372#endif 4373 4374int icmpreplytype4[ICMP_MAXTYPE + 1]; 4375 4376 4377/* ------------------------------------------------------------------------ */ 4378/* Function: ipf_matchicmpqueryreply */ 4379/* Returns: int - 1 if "icmp" is a valid reply to "ic" else 0. */ 4380/* Parameters: v(I) - IP protocol version (4 or 6) */ 4381/* ic(I) - ICMP information */ 4382/* icmp(I) - ICMP packet header */ 4383/* rev(I) - direction (0 = forward/1 = reverse) of packet */ 4384/* */ 4385/* Check if the ICMP packet defined by the header pointed to by icmp is a */ 4386/* reply to one as described by what's in ic. If it is a match, return 1, */ 4387/* else return 0 for no match. */ 4388/* ------------------------------------------------------------------------ */ 4389int 4390ipf_matchicmpqueryreply(v, ic, icmp, rev) 4391 int v; 4392 icmpinfo_t *ic; 4393 icmphdr_t *icmp; 4394 int rev; 4395{ 4396 int ictype; 4397 4398 ictype = ic->ici_type; 4399 4400 if (v == 4) { 4401 /* 4402 * If we matched its type on the way in, then when going out 4403 * it will still be the same type. 4404 */ 4405 if ((!rev && (icmp->icmp_type == ictype)) || 4406 (rev && (icmpreplytype4[ictype] == icmp->icmp_type))) { 4407 if (icmp->icmp_type != ICMP_ECHOREPLY) 4408 return 1; 4409 if (icmp->icmp_id == ic->ici_id) 4410 return 1; 4411 } 4412 } 4413#ifdef USE_INET6 4414 else if (v == 6) { 4415 if ((!rev && (icmp->icmp_type == ictype)) || 4416 (rev && (icmpreplytype6[ictype] == icmp->icmp_type))) { 4417 if (icmp->icmp_type != ICMP6_ECHO_REPLY) 4418 return 1; 4419 if (icmp->icmp_id == ic->ici_id) 4420 return 1; 4421 } 4422 } 4423#endif 4424 return 0; 4425} 4426 4427 4428/* ------------------------------------------------------------------------ */ 4429/* Function: ipf_rule_compare */ 4430/* Parameters: fr1(I) - first rule structure to compare */ 4431/* fr2(I) - second rule structure to compare */ 4432/* Returns: int - 0 == rules are the same, else mismatch */ 4433/* */ 4434/* Compare two rules and return 0 if they match or a number indicating */ 4435/* which of the individual checks failed. */ 4436/* ------------------------------------------------------------------------ */ 4437static int 4438ipf_rule_compare(frentry_t *fr1, frentry_t *fr2) 4439{ 4440 if (fr1->fr_cksum != fr2->fr_cksum) 4441 return 1; 4442 if (fr1->fr_size != fr2->fr_size) 4443 return 2; 4444 if (fr1->fr_dsize != fr2->fr_dsize) 4445 return 3; 4446 if (bcmp((char *)&fr1->fr_func, (char *)&fr2->fr_func, 4447 fr1->fr_size - offsetof(struct frentry, fr_func)) != 0) 4448 return 4; 4449 if (fr1->fr_data && !fr2->fr_data) 4450 return 5; 4451 if (!fr1->fr_data && fr2->fr_data) 4452 return 6; 4453 if (fr1->fr_data) { 4454 if (bcmp(fr1->fr_caddr, fr2->fr_caddr, fr1->fr_dsize)) 4455 return 7; 4456 } 4457 return 0; 4458} 4459 4460 4461/* ------------------------------------------------------------------------ */ 4462/* Function: frrequest */ 4463/* Returns: int - 0 == success, > 0 == errno value */ 4464/* Parameters: unit(I) - device for which this is for */ 4465/* req(I) - ioctl command (SIOC*) */ 4466/* data(I) - pointr to ioctl data */ 4467/* set(I) - 1 or 0 (filter set) */ 4468/* makecopy(I) - flag indicating whether data points to a rule */ 4469/* in kernel space & hence doesn't need copying. */ 4470/* */ 4471/* This function handles all the requests which operate on the list of */ 4472/* filter rules. This includes adding, deleting, insertion. It is also */ 4473/* responsible for creating groups when a "head" rule is loaded. Interface */ 4474/* names are resolved here and other sanity checks are made on the content */ 4475/* of the rule structure being loaded. If a rule has user defined timeouts */ 4476/* then make sure they are created and initialised before exiting. */ 4477/* ------------------------------------------------------------------------ */ 4478int 4479frrequest(softc, unit, req, data, set, makecopy) 4480 ipf_main_softc_t *softc; 4481 int unit; 4482 ioctlcmd_t req; 4483 int set, makecopy; 4484 caddr_t data; 4485{ 4486 int error = 0, in, family, addrem, need_free = 0; 4487 frentry_t frd, *fp, *f, **fprev, **ftail; 4488 void *ptr, *uptr, *cptr; 4489 u_int *p, *pp; 4490 frgroup_t *fg; 4491 char *group; 4492 4493 ptr = NULL; 4494 cptr = NULL; 4495 fg = NULL; 4496 fp = &frd; 4497 if (makecopy != 0) { 4498 bzero(fp, sizeof(frd)); 4499 error = ipf_inobj(softc, data, NULL, fp, IPFOBJ_FRENTRY); 4500 if (error) { 4501 return error; 4502 } 4503 if ((fp->fr_type & FR_T_BUILTIN) != 0) { 4504 IPFERROR(6); 4505 return EINVAL; 4506 } 4507 KMALLOCS(f, frentry_t *, fp->fr_size); 4508 if (f == NULL) { 4509 IPFERROR(131); 4510 return ENOMEM; 4511 } 4512 bzero(f, fp->fr_size); 4513 error = ipf_inobjsz(softc, data, f, IPFOBJ_FRENTRY, 4514 fp->fr_size); 4515 if (error) { 4516 KFREES(f, fp->fr_size); 4517 return error; 4518 } 4519 4520 fp = f; 4521 f = NULL; 4522 fp->fr_next = NULL; 4523 fp->fr_dnext = NULL; 4524 fp->fr_pnext = NULL; 4525 fp->fr_pdnext = NULL; 4526 fp->fr_grp = NULL; 4527 fp->fr_grphead = NULL; 4528 fp->fr_icmpgrp = NULL; 4529 fp->fr_isc = (void *)-1; 4530 fp->fr_ptr = NULL; 4531 fp->fr_ref = 0; 4532 fp->fr_flags |= FR_COPIED; 4533 } else { 4534 fp = (frentry_t *)data; 4535 if ((fp->fr_type & FR_T_BUILTIN) == 0) { 4536 IPFERROR(7); 4537 return EINVAL; 4538 } 4539 fp->fr_flags &= ~FR_COPIED; 4540 } 4541 4542 if (((fp->fr_dsize == 0) && (fp->fr_data != NULL)) || 4543 ((fp->fr_dsize != 0) && (fp->fr_data == NULL))) { 4544 IPFERROR(8); 4545 error = EINVAL; 4546 goto donenolock; 4547 } 4548 4549 family = fp->fr_family; 4550 uptr = fp->fr_data; 4551 4552 if (req == (ioctlcmd_t)SIOCINAFR || req == (ioctlcmd_t)SIOCINIFR || 4553 req == (ioctlcmd_t)SIOCADAFR || req == (ioctlcmd_t)SIOCADIFR) 4554 addrem = 0; 4555 else if (req == (ioctlcmd_t)SIOCRMAFR || req == (ioctlcmd_t)SIOCRMIFR) 4556 addrem = 1; 4557 else if (req == (ioctlcmd_t)SIOCZRLST) 4558 addrem = 2; 4559 else { 4560 IPFERROR(9); 4561 error = EINVAL; 4562 goto donenolock; 4563 } 4564 4565 /* 4566 * Only filter rules for IPv4 or IPv6 are accepted. 4567 */ 4568 if (family == AF_INET) { 4569 /*EMPTY*/; 4570#ifdef USE_INET6 4571 } else if (family == AF_INET6) { 4572 /*EMPTY*/; 4573#endif 4574 } else if (family != 0) { 4575 IPFERROR(10); 4576 error = EINVAL; 4577 goto donenolock; 4578 } 4579 4580 /* 4581 * If the rule is being loaded from user space, i.e. we had to copy it 4582 * into kernel space, then do not trust the function pointer in the 4583 * rule. 4584 */ 4585 if ((makecopy == 1) && (fp->fr_func != NULL)) { 4586 if (ipf_findfunc(fp->fr_func) == NULL) { 4587 IPFERROR(11); 4588 error = ESRCH; 4589 goto donenolock; 4590 } 4591 4592 if (addrem == 0) { 4593 error = ipf_funcinit(softc, fp); 4594 if (error != 0) 4595 goto donenolock; 4596 } 4597 } 4598 if ((fp->fr_flags & FR_CALLNOW) && 4599 ((fp->fr_func == NULL) || (fp->fr_func == (ipfunc_t)-1))) { 4600 IPFERROR(142); 4601 error = ESRCH; 4602 goto donenolock; 4603 } 4604 if (((fp->fr_flags & FR_CMDMASK) == FR_CALL) && 4605 ((fp->fr_func == NULL) || (fp->fr_func == (ipfunc_t)-1))) { 4606 IPFERROR(143); 4607 error = ESRCH; 4608 goto donenolock; 4609 } 4610 4611 ptr = NULL; 4612 cptr = NULL; 4613 4614 if (FR_ISACCOUNT(fp->fr_flags)) 4615 unit = IPL_LOGCOUNT; 4616 4617 /* 4618 * Check that each group name in the rule has a start index that 4619 * is valid. 4620 */ 4621 if (fp->fr_icmphead != -1) { 4622 if ((fp->fr_icmphead < 0) || 4623 (fp->fr_icmphead >= fp->fr_namelen)) { 4624 IPFERROR(136); 4625 error = EINVAL; 4626 goto donenolock; 4627 } 4628 if (!strcmp(FR_NAME(fp, fr_icmphead), "0")) 4629 fp->fr_names[fp->fr_icmphead] = '\0'; 4630 } 4631 4632 if (fp->fr_grhead != -1) { 4633 if ((fp->fr_grhead < 0) || 4634 (fp->fr_grhead >= fp->fr_namelen)) { 4635 IPFERROR(137); 4636 error = EINVAL; 4637 goto donenolock; 4638 } 4639 if (!strcmp(FR_NAME(fp, fr_grhead), "0")) 4640 fp->fr_names[fp->fr_grhead] = '\0'; 4641 } 4642 4643 if (fp->fr_group != -1) { 4644 if ((fp->fr_group < 0) || 4645 (fp->fr_group >= fp->fr_namelen)) { 4646 IPFERROR(138); 4647 error = EINVAL; 4648 goto donenolock; 4649 } 4650 if ((req != (int)SIOCZRLST) && (fp->fr_group != -1)) { 4651 /* 4652 * Allow loading rules that are in groups to cause 4653 * them to be created if they don't already exit. 4654 */ 4655 group = FR_NAME(fp, fr_group); 4656 if (addrem == 0) { 4657 fg = ipf_group_add(softc, group, NULL, 4658 fp->fr_flags, unit, set); 4659 fp->fr_grp = fg; 4660 } else { 4661 fg = ipf_findgroup(softc, group, unit, 4662 set, NULL); 4663 if (fg == NULL) { 4664 IPFERROR(12); 4665 error = ESRCH; 4666 goto donenolock; 4667 } 4668 } 4669 4670 if (fg->fg_flags == 0) { 4671 fg->fg_flags = fp->fr_flags & FR_INOUT; 4672 } else if (fg->fg_flags != (fp->fr_flags & FR_INOUT)) { 4673 IPFERROR(13); 4674 error = ESRCH; 4675 goto donenolock; 4676 } 4677 } 4678 } else { 4679 /* 4680 * If a rule is going to be part of a group then it does 4681 * not matter whether it is an in or out rule, but if it 4682 * isn't in a group, then it does... 4683 */ 4684 if ((fp->fr_flags & (FR_INQUE|FR_OUTQUE)) == 0) { 4685 IPFERROR(14); 4686 error = EINVAL; 4687 goto donenolock; 4688 } 4689 } 4690 in = (fp->fr_flags & FR_INQUE) ? 0 : 1; 4691 4692 /* 4693 * Work out which rule list this change is being applied to. 4694 */ 4695 ftail = NULL; 4696 fprev = NULL; 4697 if (unit == IPL_LOGAUTH) { 4698 if ((fp->fr_tifs[0].fd_ptr != NULL) || 4699 (fp->fr_tifs[1].fd_ptr != NULL) || 4700 (fp->fr_dif.fd_ptr != NULL) || 4701 (fp->fr_flags & FR_FASTROUTE)) { 4702 softc->ipf_interror = 145; 4703 error = EINVAL; 4704 goto donenolock; 4705 } 4706 fprev = ipf_auth_rulehead(softc); 4707 } else { 4708 if (FR_ISACCOUNT(fp->fr_flags)) 4709 fprev = &softc->ipf_acct[in][set]; 4710 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0) 4711 fprev = &softc->ipf_rules[in][set]; 4712 } 4713 if (fprev == NULL) { 4714 IPFERROR(15); 4715 error = ESRCH; 4716 goto donenolock; 4717 } 4718 4719 if (fg != NULL) 4720 fprev = &fg->fg_start; 4721 4722 /* 4723 * Copy in extra data for the rule. 4724 */ 4725 if (fp->fr_dsize != 0) { 4726 if (makecopy != 0) { 4727 KMALLOCS(ptr, void *, fp->fr_dsize); 4728 if (ptr == NULL) { 4729 IPFERROR(16); 4730 error = ENOMEM; 4731 goto donenolock; 4732 } 4733 4734 /* 4735 * The bcopy case is for when the data is appended 4736 * to the rule by ipf_in_compat(). 4737 */ 4738 if (uptr >= (void *)fp && 4739 uptr < (void *)((char *)fp + fp->fr_size)) { 4740 bcopy(uptr, ptr, fp->fr_dsize); 4741 error = 0; 4742 } else { 4743 error = COPYIN(uptr, ptr, fp->fr_dsize); 4744 if (error != 0) { 4745 IPFERROR(17); 4746 error = EFAULT; 4747 goto donenolock; 4748 } 4749 } 4750 } else { 4751 ptr = uptr; 4752 } 4753 fp->fr_data = ptr; 4754 } else { 4755 fp->fr_data = NULL; 4756 } 4757 4758 /* 4759 * Perform per-rule type sanity checks of their members. 4760 * All code after this needs to be aware that allocated memory 4761 * may need to be free'd before exiting. 4762 */ 4763 switch (fp->fr_type & ~FR_T_BUILTIN) 4764 { 4765#if defined(IPFILTER_BPF) 4766 case FR_T_BPFOPC : 4767 if (fp->fr_dsize == 0) { 4768 IPFERROR(19); 4769 error = EINVAL; 4770 break; 4771 } 4772 if (!bpf_validate(ptr, fp->fr_dsize/sizeof(struct bpf_insn))) { 4773 IPFERROR(20); 4774 error = EINVAL; 4775 break; 4776 } 4777 break; 4778#endif 4779 case FR_T_IPF : 4780 /* 4781 * Preparation for error case at the bottom of this function. 4782 */ 4783 if (fp->fr_datype == FRI_LOOKUP) 4784 fp->fr_dstptr = NULL; 4785 if (fp->fr_satype == FRI_LOOKUP) 4786 fp->fr_srcptr = NULL; 4787 4788 if (fp->fr_dsize != sizeof(fripf_t)) { 4789 IPFERROR(21); 4790 error = EINVAL; 4791 break; 4792 } 4793 4794 /* 4795 * Allowing a rule with both "keep state" and "with oow" is 4796 * pointless because adding a state entry to the table will 4797 * fail with the out of window (oow) flag set. 4798 */ 4799 if ((fp->fr_flags & FR_KEEPSTATE) && (fp->fr_flx & FI_OOW)) { 4800 IPFERROR(22); 4801 error = EINVAL; 4802 break; 4803 } 4804 4805 switch (fp->fr_satype) 4806 { 4807 case FRI_BROADCAST : 4808 case FRI_DYNAMIC : 4809 case FRI_NETWORK : 4810 case FRI_NETMASKED : 4811 case FRI_PEERADDR : 4812 if (fp->fr_sifpidx < 0) { 4813 IPFERROR(23); 4814 error = EINVAL; 4815 } 4816 break; 4817 case FRI_LOOKUP : 4818 fp->fr_srcptr = ipf_findlookup(softc, unit, fp, 4819 &fp->fr_src6, 4820 &fp->fr_smsk6); 4821 if (fp->fr_srcfunc == NULL) { 4822 IPFERROR(132); 4823 error = ESRCH; 4824 break; 4825 } 4826 break; 4827 case FRI_NORMAL : 4828 break; 4829 default : 4830 IPFERROR(133); 4831 error = EINVAL; 4832 break; 4833 } 4834 if (error != 0) 4835 break; 4836 4837 switch (fp->fr_datype) 4838 { 4839 case FRI_BROADCAST : 4840 case FRI_DYNAMIC : 4841 case FRI_NETWORK : 4842 case FRI_NETMASKED : 4843 case FRI_PEERADDR : 4844 if (fp->fr_difpidx < 0) { 4845 IPFERROR(24); 4846 error = EINVAL; 4847 } 4848 break; 4849 case FRI_LOOKUP : 4850 fp->fr_dstptr = ipf_findlookup(softc, unit, fp, 4851 &fp->fr_dst6, 4852 &fp->fr_dmsk6); 4853 if (fp->fr_dstfunc == NULL) { 4854 IPFERROR(134); 4855 error = ESRCH; 4856 } 4857 break; 4858 case FRI_NORMAL : 4859 break; 4860 default : 4861 IPFERROR(135); 4862 error = EINVAL; 4863 } 4864 break; 4865 4866 case FR_T_NONE : 4867 case FR_T_CALLFUNC : 4868 case FR_T_COMPIPF : 4869 break; 4870 4871 case FR_T_IPFEXPR : 4872 if (ipf_matcharray_verify(fp->fr_data, fp->fr_dsize) == -1) { 4873 IPFERROR(25); 4874 error = EINVAL; 4875 } 4876 break; 4877 4878 default : 4879 IPFERROR(26); 4880 error = EINVAL; 4881 break; 4882 } 4883 if (error != 0) 4884 goto donenolock; 4885 4886 if (fp->fr_tif.fd_name != -1) { 4887 if ((fp->fr_tif.fd_name < 0) || 4888 (fp->fr_tif.fd_name >= fp->fr_namelen)) { 4889 IPFERROR(139); 4890 error = EINVAL; 4891 goto donenolock; 4892 } 4893 } 4894 4895 if (fp->fr_dif.fd_name != -1) { 4896 if ((fp->fr_dif.fd_name < 0) || 4897 (fp->fr_dif.fd_name >= fp->fr_namelen)) { 4898 IPFERROR(140); 4899 error = EINVAL; 4900 goto donenolock; 4901 } 4902 } 4903 4904 if (fp->fr_rif.fd_name != -1) { 4905 if ((fp->fr_rif.fd_name < 0) || 4906 (fp->fr_rif.fd_name >= fp->fr_namelen)) { 4907 IPFERROR(141); 4908 error = EINVAL; 4909 goto donenolock; 4910 } 4911 } 4912 4913 /* 4914 * Lookup all the interface names that are part of the rule. 4915 */ 4916 error = ipf_synclist(softc, fp, NULL); 4917 if (error != 0) 4918 goto donenolock; 4919 fp->fr_statecnt = 0; 4920 if (fp->fr_srctrack.ht_max_nodes != 0) 4921 ipf_rb_ht_init(&fp->fr_srctrack); 4922 4923 /* 4924 * Look for an existing matching filter rule, but don't include the 4925 * next or interface pointer in the comparison (fr_next, fr_ifa). 4926 * This elminates rules which are indentical being loaded. Checksum 4927 * the constant part of the filter rule to make comparisons quicker 4928 * (this meaning no pointers are included). 4929 */ 4930 for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_func, pp = &fp->fr_cksum; 4931 p < pp; p++) 4932 fp->fr_cksum += *p; 4933 pp = (u_int *)(fp->fr_caddr + fp->fr_dsize); 4934 for (p = (u_int *)fp->fr_data; p < pp; p++) 4935 fp->fr_cksum += *p; 4936 4937 WRITE_ENTER(&softc->ipf_mutex); 4938 4939 /* 4940 * Now that the filter rule lists are locked, we can walk the 4941 * chain of them without fear. 4942 */ 4943 ftail = fprev; 4944 for (f = *ftail; (f = *ftail) != NULL; ftail = &f->fr_next) { 4945 if (fp->fr_collect <= f->fr_collect) { 4946 ftail = fprev; 4947 f = NULL; 4948 break; 4949 } 4950 fprev = ftail; 4951 } 4952 4953 for (; (f = *ftail) != NULL; ftail = &f->fr_next) { 4954 if (ipf_rule_compare(fp, f) == 0) 4955 break; 4956 } 4957 4958 /* 4959 * If zero'ing statistics, copy current to caller and zero. 4960 */ 4961 if (addrem == 2) { 4962 if (f == NULL) { 4963 IPFERROR(27); 4964 error = ESRCH; 4965 } else { 4966 /* 4967 * Copy and reduce lock because of impending copyout. 4968 * Well we should, but if we do then the atomicity of 4969 * this call and the correctness of fr_hits and 4970 * fr_bytes cannot be guaranteed. As it is, this code 4971 * only resets them to 0 if they are successfully 4972 * copied out into user space. 4973 */ 4974 bcopy((char *)f, (char *)fp, f->fr_size); 4975 /* MUTEX_DOWNGRADE(&softc->ipf_mutex); */ 4976 4977 /* 4978 * When we copy this rule back out, set the data 4979 * pointer to be what it was in user space. 4980 */ 4981 fp->fr_data = uptr; 4982 error = ipf_outobj(softc, data, fp, IPFOBJ_FRENTRY); 4983 4984 if (error == 0) { 4985 if ((f->fr_dsize != 0) && (uptr != NULL)) 4986 error = COPYOUT(f->fr_data, uptr, 4987 f->fr_dsize); 4988 if (error != 0) { 4989 IPFERROR(28); 4990 error = EFAULT; 4991 } 4992 if (error == 0) { 4993 f->fr_hits = 0; 4994 f->fr_bytes = 0; 4995 } 4996 } 4997 } 4998 4999 if (makecopy != 0) { 5000 if (ptr != NULL) { 5001 KFREES(ptr, fp->fr_dsize); 5002 } 5003 KFREES(fp, fp->fr_size); 5004 } 5005 RWLOCK_EXIT(&softc->ipf_mutex); 5006 return error; 5007 } 5008 5009 if (!f) { 5010 /* 5011 * At the end of this, ftail must point to the place where the 5012 * new rule is to be saved/inserted/added. 5013 * For SIOCAD*FR, this should be the last rule in the group of 5014 * rules that have equal fr_collect fields. 5015 * For SIOCIN*FR, ... 5016 */ 5017 if (req == (ioctlcmd_t)SIOCADAFR || 5018 req == (ioctlcmd_t)SIOCADIFR) { 5019 5020 for (ftail = fprev; (f = *ftail) != NULL; ) { 5021 if (f->fr_collect > fp->fr_collect) 5022 break; 5023 ftail = &f->fr_next; 5024 fprev = ftail; 5025 } 5026 ftail = fprev; 5027 f = NULL; 5028 ptr = NULL; 5029 } else if (req == (ioctlcmd_t)SIOCINAFR || 5030 req == (ioctlcmd_t)SIOCINIFR) { 5031 while ((f = *fprev) != NULL) { 5032 if (f->fr_collect >= fp->fr_collect) 5033 break; 5034 fprev = &f->fr_next; 5035 } 5036 ftail = fprev; 5037 if (fp->fr_hits != 0) { 5038 while (fp->fr_hits && (f = *ftail)) { 5039 if (f->fr_collect != fp->fr_collect) 5040 break; 5041 fprev = ftail; 5042 ftail = &f->fr_next; 5043 fp->fr_hits--; 5044 } 5045 } 5046 f = NULL; 5047 ptr = NULL; 5048 } 5049 } 5050 5051 /* 5052 * Request to remove a rule. 5053 */ 5054 if (addrem == 1) { 5055 if (!f) { 5056 IPFERROR(29); 5057 error = ESRCH; 5058 } else { 5059 /* 5060 * Do not allow activity from user space to interfere 5061 * with rules not loaded that way. 5062 */ 5063 if ((makecopy == 1) && !(f->fr_flags & FR_COPIED)) { 5064 IPFERROR(30); 5065 error = EPERM; 5066 goto done; 5067 } 5068 5069 /* 5070 * Return EBUSY if the rule is being reference by 5071 * something else (eg state information.) 5072 */ 5073 if (f->fr_ref > 1) { 5074 IPFERROR(31); 5075 error = EBUSY; 5076 goto done; 5077 } 5078#ifdef IPFILTER_SCAN 5079 if (f->fr_isctag != -1 && 5080 (f->fr_isc != (struct ipscan *)-1)) 5081 ipf_scan_detachfr(f); 5082#endif 5083 5084 if (unit == IPL_LOGAUTH) { 5085 error = ipf_auth_precmd(softc, req, f, ftail); 5086 goto done; 5087 } 5088 5089 ipf_rule_delete(softc, f, unit, set); 5090 5091 need_free = makecopy; 5092 } 5093 } else { 5094 /* 5095 * Not removing, so we must be adding/inserting a rule. 5096 */ 5097 if (f != NULL) { 5098 IPFERROR(32); 5099 error = EEXIST; 5100 goto done; 5101 } 5102 if (unit == IPL_LOGAUTH) { 5103 error = ipf_auth_precmd(softc, req, fp, ftail); 5104 goto done; 5105 } 5106 5107 MUTEX_NUKE(&fp->fr_lock); 5108 MUTEX_INIT(&fp->fr_lock, "filter rule lock"); 5109 if (fp->fr_die != 0) 5110 ipf_rule_expire_insert(softc, fp, set); 5111 5112 fp->fr_hits = 0; 5113 if (makecopy != 0) 5114 fp->fr_ref = 1; 5115 fp->fr_pnext = ftail; 5116 fp->fr_next = *ftail; 5117 if (fp->fr_next != NULL) 5118 fp->fr_next->fr_pnext = &fp->fr_next; 5119 *ftail = fp; 5120 if (addrem == 0) 5121 ipf_fixskip(ftail, fp, 1); 5122 5123 fp->fr_icmpgrp = NULL; 5124 if (fp->fr_icmphead != -1) { 5125 group = FR_NAME(fp, fr_icmphead); 5126 fg = ipf_group_add(softc, group, fp, 0, unit, set); 5127 fp->fr_icmpgrp = fg; 5128 } 5129 5130 fp->fr_grphead = NULL; 5131 if (fp->fr_grhead != -1) { 5132 group = FR_NAME(fp, fr_grhead); 5133 fg = ipf_group_add(softc, group, fp, fp->fr_flags, 5134 unit, set); 5135 fp->fr_grphead = fg; 5136 } 5137 } 5138done: 5139 RWLOCK_EXIT(&softc->ipf_mutex); 5140donenolock: 5141 if (need_free || (error != 0)) { 5142 if ((fp->fr_type & ~FR_T_BUILTIN) == FR_T_IPF) { 5143 if ((fp->fr_satype == FRI_LOOKUP) && 5144 (fp->fr_srcptr != NULL)) 5145 ipf_lookup_deref(softc, fp->fr_srctype, 5146 fp->fr_srcptr); 5147 if ((fp->fr_datype == FRI_LOOKUP) && 5148 (fp->fr_dstptr != NULL)) 5149 ipf_lookup_deref(softc, fp->fr_dsttype, 5150 fp->fr_dstptr); 5151 } 5152 if (fp->fr_grp != NULL) { 5153 WRITE_ENTER(&softc->ipf_mutex); 5154 ipf_group_del(softc, fp->fr_grp, fp); 5155 RWLOCK_EXIT(&softc->ipf_mutex); 5156 } 5157 if ((ptr != NULL) && (makecopy != 0)) { 5158 KFREES(ptr, fp->fr_dsize); 5159 } 5160 KFREES(fp, fp->fr_size); 5161 } 5162 return (error); 5163} 5164 5165 5166/* ------------------------------------------------------------------------ */ 5167/* Function: ipf_rule_delete */ 5168/* Returns: Nil */ 5169/* Parameters: softc(I) - pointer to soft context main structure */ 5170/* f(I) - pointer to the rule being deleted */ 5171/* ftail(I) - pointer to the pointer to f */ 5172/* unit(I) - device for which this is for */ 5173/* set(I) - 1 or 0 (filter set) */ 5174/* */ 5175/* This function attempts to do what it can to delete a filter rule: remove */ 5176/* it from any linked lists and remove any groups it is responsible for. */ 5177/* But in the end, removing a rule can only drop the reference count - we */ 5178/* must use that as the guide for whether or not it can be freed. */ 5179/* ------------------------------------------------------------------------ */ 5180static void 5181ipf_rule_delete(softc, f, unit, set) 5182 ipf_main_softc_t *softc; 5183 frentry_t *f; 5184 int unit, set; 5185{ 5186 5187 /* 5188 * If fr_pdnext is set, then the rule is on the expire list, so 5189 * remove it from there. 5190 */ 5191 if (f->fr_pdnext != NULL) { 5192 *f->fr_pdnext = f->fr_dnext; 5193 if (f->fr_dnext != NULL) 5194 f->fr_dnext->fr_pdnext = f->fr_pdnext; 5195 f->fr_pdnext = NULL; 5196 f->fr_dnext = NULL; 5197 } 5198 5199 ipf_fixskip(f->fr_pnext, f, -1); 5200 if (f->fr_pnext != NULL) 5201 *f->fr_pnext = f->fr_next; 5202 if (f->fr_next != NULL) 5203 f->fr_next->fr_pnext = f->fr_pnext; 5204 f->fr_pnext = NULL; 5205 f->fr_next = NULL; 5206 5207 (void) ipf_derefrule(softc, &f); 5208} 5209 5210/* ------------------------------------------------------------------------ */ 5211/* Function: ipf_rule_expire_insert */ 5212/* Returns: Nil */ 5213/* Parameters: softc(I) - pointer to soft context main structure */ 5214/* f(I) - pointer to rule to be added to expire list */ 5215/* set(I) - 1 or 0 (filter set) */ 5216/* */ 5217/* If the new rule has a given expiration time, insert it into the list of */ 5218/* expiring rules with the ones to be removed first added to the front of */ 5219/* the list. The insertion is O(n) but it is kept sorted for quick scans at */ 5220/* expiration interval checks. */ 5221/* ------------------------------------------------------------------------ */ 5222static void 5223ipf_rule_expire_insert(softc, f, set) 5224 ipf_main_softc_t *softc; 5225 frentry_t *f; 5226 int set; 5227{ 5228 frentry_t *fr; 5229 5230 /* 5231 */ 5232 5233 f->fr_die = softc->ipf_ticks + IPF_TTLVAL(f->fr_die); 5234 for (fr = softc->ipf_rule_explist[set]; fr != NULL; 5235 fr = fr->fr_dnext) { 5236 if (f->fr_die < fr->fr_die) 5237 break; 5238 if (fr->fr_dnext == NULL) { 5239 /* 5240 * We've got to the last rule and everything 5241 * wanted to be expired before this new node, 5242 * so we have to tack it on the end... 5243 */ 5244 fr->fr_dnext = f; 5245 f->fr_pdnext = &fr->fr_dnext; 5246 fr = NULL; 5247 break; 5248 } 5249 } 5250 5251 if (softc->ipf_rule_explist[set] == NULL) { 5252 softc->ipf_rule_explist[set] = f; 5253 f->fr_pdnext = &softc->ipf_rule_explist[set]; 5254 } else if (fr != NULL) { 5255 f->fr_dnext = fr; 5256 f->fr_pdnext = fr->fr_pdnext; 5257 fr->fr_pdnext = &f->fr_dnext; 5258 } 5259} 5260 5261 5262/* ------------------------------------------------------------------------ */ 5263/* Function: ipf_findlookup */ 5264/* Returns: NULL = failure, else success */ 5265/* Parameters: softc(I) - pointer to soft context main structure */ 5266/* unit(I) - ipf device we want to find match for */ 5267/* fp(I) - rule for which lookup is for */ 5268/* addrp(I) - pointer to lookup information in address struct */ 5269/* maskp(O) - pointer to lookup information for storage */ 5270/* */ 5271/* When using pools and hash tables to store addresses for matching in */ 5272/* rules, it is necessary to resolve both the object referred to by the */ 5273/* name or address (and return that pointer) and also provide the means by */ 5274/* which to determine if an address belongs to that object to make the */ 5275/* packet matching quicker. */ 5276/* ------------------------------------------------------------------------ */ 5277static void * 5278ipf_findlookup(softc, unit, fr, addrp, maskp) 5279 ipf_main_softc_t *softc; 5280 int unit; 5281 frentry_t *fr; 5282 i6addr_t *addrp, *maskp; 5283{ 5284 void *ptr = NULL; 5285 5286 switch (addrp->iplookupsubtype) 5287 { 5288 case 0 : 5289 ptr = ipf_lookup_res_num(softc, unit, addrp->iplookuptype, 5290 addrp->iplookupnum, 5291 &maskp->iplookupfunc); 5292 break; 5293 case 1 : 5294 if (addrp->iplookupname < 0) 5295 break; 5296 if (addrp->iplookupname >= fr->fr_namelen) 5297 break; 5298 ptr = ipf_lookup_res_name(softc, unit, addrp->iplookuptype, 5299 fr->fr_names + addrp->iplookupname, 5300 &maskp->iplookupfunc); 5301 break; 5302 default : 5303 break; 5304 } 5305 5306 return ptr; 5307} 5308 5309 5310/* ------------------------------------------------------------------------ */ 5311/* Function: ipf_funcinit */ 5312/* Returns: int - 0 == success, else ESRCH: cannot resolve rule details */ 5313/* Parameters: softc(I) - pointer to soft context main structure */ 5314/* fr(I) - pointer to filter rule */ 5315/* */ 5316/* If a rule is a call rule, then check if the function it points to needs */ 5317/* an init function to be called now the rule has been loaded. */ 5318/* ------------------------------------------------------------------------ */ 5319static int 5320ipf_funcinit(softc, fr) 5321 ipf_main_softc_t *softc; 5322 frentry_t *fr; 5323{ 5324 ipfunc_resolve_t *ft; 5325 int err; 5326 5327 IPFERROR(34); 5328 err = ESRCH; 5329 5330 for (ft = ipf_availfuncs; ft->ipfu_addr != NULL; ft++) 5331 if (ft->ipfu_addr == fr->fr_func) { 5332 err = 0; 5333 if (ft->ipfu_init != NULL) 5334 err = (*ft->ipfu_init)(softc, fr); 5335 break; 5336 } 5337 return err; 5338} 5339 5340 5341/* ------------------------------------------------------------------------ */ 5342/* Function: ipf_funcfini */ 5343/* Returns: Nil */ 5344/* Parameters: softc(I) - pointer to soft context main structure */ 5345/* fr(I) - pointer to filter rule */ 5346/* */ 5347/* For a given filter rule, call the matching "fini" function if the rule */ 5348/* is using a known function that would have resulted in the "init" being */ 5349/* called for ealier. */ 5350/* ------------------------------------------------------------------------ */ 5351static void 5352ipf_funcfini(softc, fr) 5353 ipf_main_softc_t *softc; 5354 frentry_t *fr; 5355{ 5356 ipfunc_resolve_t *ft; 5357 5358 for (ft = ipf_availfuncs; ft->ipfu_addr != NULL; ft++) 5359 if (ft->ipfu_addr == fr->fr_func) { 5360 if (ft->ipfu_fini != NULL) 5361 (void) (*ft->ipfu_fini)(softc, fr); 5362 break; 5363 } 5364} 5365 5366 5367/* ------------------------------------------------------------------------ */ 5368/* Function: ipf_findfunc */ 5369/* Returns: ipfunc_t - pointer to function if found, else NULL */ 5370/* Parameters: funcptr(I) - function pointer to lookup */ 5371/* */ 5372/* Look for a function in the table of known functions. */ 5373/* ------------------------------------------------------------------------ */ 5374static ipfunc_t 5375ipf_findfunc(funcptr) 5376 ipfunc_t funcptr; 5377{ 5378 ipfunc_resolve_t *ft; 5379 5380 for (ft = ipf_availfuncs; ft->ipfu_addr != NULL; ft++) 5381 if (ft->ipfu_addr == funcptr) 5382 return funcptr; 5383 return NULL; 5384} 5385 5386 5387/* ------------------------------------------------------------------------ */ 5388/* Function: ipf_resolvefunc */ 5389/* Returns: int - 0 == success, else error */ 5390/* Parameters: data(IO) - ioctl data pointer to ipfunc_resolve_t struct */ 5391/* */ 5392/* Copy in a ipfunc_resolve_t structure and then fill in the missing field. */ 5393/* This will either be the function name (if the pointer is set) or the */ 5394/* function pointer if the name is set. When found, fill in the other one */ 5395/* so that the entire, complete, structure can be copied back to user space.*/ 5396/* ------------------------------------------------------------------------ */ 5397int 5398ipf_resolvefunc(softc, data) 5399 ipf_main_softc_t *softc; 5400 void *data; 5401{ 5402 ipfunc_resolve_t res, *ft; 5403 int error; 5404 5405 error = BCOPYIN(data, &res, sizeof(res)); 5406 if (error != 0) { 5407 IPFERROR(123); 5408 return EFAULT; 5409 } 5410 5411 if (res.ipfu_addr == NULL && res.ipfu_name[0] != '\0') { 5412 for (ft = ipf_availfuncs; ft->ipfu_addr != NULL; ft++) 5413 if (strncmp(res.ipfu_name, ft->ipfu_name, 5414 sizeof(res.ipfu_name)) == 0) { 5415 res.ipfu_addr = ft->ipfu_addr; 5416 res.ipfu_init = ft->ipfu_init; 5417 if (COPYOUT(&res, data, sizeof(res)) != 0) { 5418 IPFERROR(35); 5419 return EFAULT; 5420 } 5421 return 0; 5422 } 5423 } 5424 if (res.ipfu_addr != NULL && res.ipfu_name[0] == '\0') { 5425 for (ft = ipf_availfuncs; ft->ipfu_addr != NULL; ft++) 5426 if (ft->ipfu_addr == res.ipfu_addr) { 5427 (void) strncpy(res.ipfu_name, ft->ipfu_name, 5428 sizeof(res.ipfu_name)); 5429 res.ipfu_init = ft->ipfu_init; 5430 if (COPYOUT(&res, data, sizeof(res)) != 0) { 5431 IPFERROR(36); 5432 return EFAULT; 5433 } 5434 return 0; 5435 } 5436 } 5437 IPFERROR(37); 5438 return ESRCH; 5439} 5440 5441 5442#if !defined(_KERNEL) || (!defined(__NetBSD__) && !defined(__OpenBSD__) && \ 5443 !defined(__FreeBSD__)) || \ 5444 FREEBSD_LT_REV(501000) || NETBSD_LT_REV(105000000) || \ 5445 OPENBSD_LT_REV(200006) 5446/* 5447 * From: NetBSD 5448 * ppsratecheck(): packets (or events) per second limitation. 5449 */ 5450int 5451ppsratecheck(lasttime, curpps, maxpps) 5452 struct timeval *lasttime; 5453 int *curpps; 5454 int maxpps; /* maximum pps allowed */ 5455{ 5456 struct timeval tv, delta; 5457 int rv; 5458 5459 GETKTIME(&tv); 5460 5461 delta.tv_sec = tv.tv_sec - lasttime->tv_sec; 5462 delta.tv_usec = tv.tv_usec - lasttime->tv_usec; 5463 if (delta.tv_usec < 0) { 5464 delta.tv_sec--; 5465 delta.tv_usec += 1000000; 5466 } 5467 5468 /* 5469 * check for 0,0 is so that the message will be seen at least once. 5470 * if more than one second have passed since the last update of 5471 * lasttime, reset the counter. 5472 * 5473 * we do increment *curpps even in *curpps < maxpps case, as some may 5474 * try to use *curpps for stat purposes as well. 5475 */ 5476 if ((lasttime->tv_sec == 0 && lasttime->tv_usec == 0) || 5477 delta.tv_sec >= 1) { 5478 *lasttime = tv; 5479 *curpps = 0; 5480 rv = 1; 5481 } else if (maxpps < 0) 5482 rv = 1; 5483 else if (*curpps < maxpps) 5484 rv = 1; 5485 else 5486 rv = 0; 5487 *curpps = *curpps + 1; 5488 5489 return (rv); 5490} 5491#endif 5492 5493 5494/* ------------------------------------------------------------------------ */ 5495/* Function: ipf_derefrule */ 5496/* Returns: int - 0 == rule freed up, else rule not freed */ 5497/* Parameters: fr(I) - pointer to filter rule */ 5498/* */ 5499/* Decrement the reference counter to a rule by one. If it reaches zero, */ 5500/* free it and any associated storage space being used by it. */ 5501/* ------------------------------------------------------------------------ */ 5502int 5503ipf_derefrule(softc, frp) 5504 ipf_main_softc_t *softc; 5505 frentry_t **frp; 5506{ 5507 frentry_t *fr; 5508 frdest_t *fdp; 5509 5510 fr = *frp; 5511 *frp = NULL; 5512 5513 MUTEX_ENTER(&fr->fr_lock); 5514 fr->fr_ref--; 5515 if (fr->fr_ref == 0) { 5516 MUTEX_EXIT(&fr->fr_lock); 5517 MUTEX_DESTROY(&fr->fr_lock); 5518 5519 ipf_funcfini(softc, fr); 5520 5521 fdp = &fr->fr_tif; 5522 if (fdp->fd_type == FRD_DSTLIST) 5523 ipf_lookup_deref(softc, IPLT_DSTLIST, fdp->fd_ptr); 5524 5525 fdp = &fr->fr_rif; 5526 if (fdp->fd_type == FRD_DSTLIST) 5527 ipf_lookup_deref(softc, IPLT_DSTLIST, fdp->fd_ptr); 5528 5529 fdp = &fr->fr_dif; 5530 if (fdp->fd_type == FRD_DSTLIST) 5531 ipf_lookup_deref(softc, IPLT_DSTLIST, fdp->fd_ptr); 5532 5533 if ((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF && 5534 fr->fr_satype == FRI_LOOKUP) 5535 ipf_lookup_deref(softc, fr->fr_srctype, fr->fr_srcptr); 5536 if ((fr->fr_type & ~FR_T_BUILTIN) == FR_T_IPF && 5537 fr->fr_datype == FRI_LOOKUP) 5538 ipf_lookup_deref(softc, fr->fr_dsttype, fr->fr_dstptr); 5539 5540 if (fr->fr_grp != NULL) 5541 ipf_group_del(softc, fr->fr_grp, fr); 5542 5543 if (fr->fr_grphead != NULL) 5544 ipf_group_del(softc, fr->fr_grphead, fr); 5545 5546 if (fr->fr_icmpgrp != NULL) 5547 ipf_group_del(softc, fr->fr_icmpgrp, fr); 5548 5549 if ((fr->fr_flags & FR_COPIED) != 0) { 5550 if (fr->fr_dsize) { 5551 KFREES(fr->fr_data, fr->fr_dsize); 5552 } 5553 KFREES(fr, fr->fr_size); 5554 return 0; 5555 } 5556 return 1; 5557 } else { 5558 MUTEX_EXIT(&fr->fr_lock); 5559 } 5560 return -1; 5561} 5562 5563 5564/* ------------------------------------------------------------------------ */ 5565/* Function: ipf_grpmapinit */ 5566/* Returns: int - 0 == success, else ESRCH because table entry not found*/ 5567/* Parameters: fr(I) - pointer to rule to find hash table for */ 5568/* */ 5569/* Looks for group hash table fr_arg and stores a pointer to it in fr_ptr. */ 5570/* fr_ptr is later used by ipf_srcgrpmap and ipf_dstgrpmap. */ 5571/* ------------------------------------------------------------------------ */ 5572static int 5573ipf_grpmapinit(softc, fr) 5574 ipf_main_softc_t *softc; 5575 frentry_t *fr; 5576{ 5577 char name[FR_GROUPLEN]; 5578 iphtable_t *iph; 5579 5580#if defined(SNPRINTF) && defined(_KERNEL) 5581 SNPRINTF(name, sizeof(name), "%d", fr->fr_arg); 5582#else 5583 (void) sprintf(name, "%d", fr->fr_arg); 5584#endif 5585 iph = ipf_lookup_find_htable(softc, IPL_LOGIPF, name); 5586 if (iph == NULL) { 5587 IPFERROR(38); 5588 return ESRCH; 5589 } 5590 if ((iph->iph_flags & FR_INOUT) != (fr->fr_flags & FR_INOUT)) { 5591 IPFERROR(39); 5592 return ESRCH; 5593 } 5594 iph->iph_ref++; 5595 fr->fr_ptr = iph; 5596 return 0; 5597} 5598 5599 5600/* ------------------------------------------------------------------------ */ 5601/* Function: ipf_grpmapfini */ 5602/* Returns: int - 0 == success, else ESRCH because table entry not found*/ 5603/* Parameters: softc(I) - pointer to soft context main structure */ 5604/* fr(I) - pointer to rule to release hash table for */ 5605/* */ 5606/* For rules that have had ipf_grpmapinit called, ipf_lookup_deref needs to */ 5607/* be called to undo what ipf_grpmapinit caused to be done. */ 5608/* ------------------------------------------------------------------------ */ 5609static int 5610ipf_grpmapfini(softc, fr) 5611 ipf_main_softc_t *softc; 5612 frentry_t *fr; 5613{ 5614 iphtable_t *iph; 5615 iph = fr->fr_ptr; 5616 if (iph != NULL) 5617 ipf_lookup_deref(softc, IPLT_HASH, iph); 5618 return 0; 5619} 5620 5621 5622/* ------------------------------------------------------------------------ */ 5623/* Function: ipf_srcgrpmap */ 5624/* Returns: frentry_t * - pointer to "new last matching" rule or NULL */ 5625/* Parameters: fin(I) - pointer to packet information */ 5626/* passp(IO) - pointer to current/new filter decision (unused) */ 5627/* */ 5628/* Look for a rule group head in a hash table, using the source address as */ 5629/* the key, and descend into that group and continue matching rules against */ 5630/* the packet. */ 5631/* ------------------------------------------------------------------------ */ 5632frentry_t * 5633ipf_srcgrpmap(fin, passp) 5634 fr_info_t *fin; 5635 u_32_t *passp; 5636{ 5637 frgroup_t *fg; 5638 void *rval; 5639 5640 rval = ipf_iphmfindgroup(fin->fin_main_soft, fin->fin_fr->fr_ptr, 5641 &fin->fin_src); 5642 if (rval == NULL) 5643 return NULL; 5644 5645 fg = rval; 5646 fin->fin_fr = fg->fg_start; 5647 (void) ipf_scanlist(fin, *passp); 5648 return fin->fin_fr; 5649} 5650 5651 5652/* ------------------------------------------------------------------------ */ 5653/* Function: ipf_dstgrpmap */ 5654/* Returns: frentry_t * - pointer to "new last matching" rule or NULL */ 5655/* Parameters: fin(I) - pointer to packet information */ 5656/* passp(IO) - pointer to current/new filter decision (unused) */ 5657/* */ 5658/* Look for a rule group head in a hash table, using the destination */ 5659/* address as the key, and descend into that group and continue matching */ 5660/* rules against the packet. */ 5661/* ------------------------------------------------------------------------ */ 5662frentry_t * 5663ipf_dstgrpmap(fin, passp) 5664 fr_info_t *fin; 5665 u_32_t *passp; 5666{ 5667 frgroup_t *fg; 5668 void *rval; 5669 5670 rval = ipf_iphmfindgroup(fin->fin_main_soft, fin->fin_fr->fr_ptr, 5671 &fin->fin_dst); 5672 if (rval == NULL) 5673 return NULL; 5674 5675 fg = rval; 5676 fin->fin_fr = fg->fg_start; 5677 (void) ipf_scanlist(fin, *passp); 5678 return fin->fin_fr; 5679} 5680 5681/* 5682 * Queue functions 5683 * =============== 5684 * These functions manage objects on queues for efficient timeouts. There 5685 * are a number of system defined queues as well as user defined timeouts. 5686 * It is expected that a lock is held in the domain in which the queue 5687 * belongs (i.e. either state or NAT) when calling any of these functions 5688 * that prevents ipf_freetimeoutqueue() from being called at the same time 5689 * as any other. 5690 */ 5691 5692 5693/* ------------------------------------------------------------------------ */ 5694/* Function: ipf_addtimeoutqueue */ 5695/* Returns: struct ifqtq * - NULL if malloc fails, else pointer to */ 5696/* timeout queue with given interval. */ 5697/* Parameters: parent(I) - pointer to pointer to parent node of this list */ 5698/* of interface queues. */ 5699/* seconds(I) - timeout value in seconds for this queue. */ 5700/* */ 5701/* This routine first looks for a timeout queue that matches the interval */ 5702/* being requested. If it finds one, increments the reference counter and */ 5703/* returns a pointer to it. If none are found, it allocates a new one and */ 5704/* inserts it at the top of the list. */ 5705/* */ 5706/* Locking. */ 5707/* It is assumed that the caller of this function has an appropriate lock */ 5708/* held (exclusively) in the domain that encompases 'parent'. */ 5709/* ------------------------------------------------------------------------ */ 5710ipftq_t * 5711ipf_addtimeoutqueue(softc, parent, seconds) 5712 ipf_main_softc_t *softc; 5713 ipftq_t **parent; 5714 u_int seconds; 5715{ 5716 ipftq_t *ifq; 5717 u_int period; 5718 5719 period = seconds * IPF_HZ_DIVIDE; 5720 5721 MUTEX_ENTER(&softc->ipf_timeoutlock); 5722 for (ifq = *parent; ifq != NULL; ifq = ifq->ifq_next) { 5723 if (ifq->ifq_ttl == period) { 5724 /* 5725 * Reset the delete flag, if set, so the structure 5726 * gets reused rather than freed and reallocated. 5727 */ 5728 MUTEX_ENTER(&ifq->ifq_lock); 5729 ifq->ifq_flags &= ~IFQF_DELETE; 5730 ifq->ifq_ref++; 5731 MUTEX_EXIT(&ifq->ifq_lock); 5732 MUTEX_EXIT(&softc->ipf_timeoutlock); 5733 5734 return ifq; 5735 } 5736 } 5737 5738 KMALLOC(ifq, ipftq_t *); 5739 if (ifq != NULL) { 5740 MUTEX_NUKE(&ifq->ifq_lock); 5741 IPFTQ_INIT(ifq, period, "ipftq mutex"); 5742 ifq->ifq_next = *parent; 5743 ifq->ifq_pnext = parent; 5744 ifq->ifq_flags = IFQF_USER; 5745 ifq->ifq_ref++; 5746 *parent = ifq; 5747 softc->ipf_userifqs++; 5748 } 5749 MUTEX_EXIT(&softc->ipf_timeoutlock); 5750 return ifq; 5751} 5752 5753 5754/* ------------------------------------------------------------------------ */ 5755/* Function: ipf_deletetimeoutqueue */ 5756/* Returns: int - new reference count value of the timeout queue */ 5757/* Parameters: ifq(I) - timeout queue which is losing a reference. */ 5758/* Locks: ifq->ifq_lock */ 5759/* */ 5760/* This routine must be called when we're discarding a pointer to a timeout */ 5761/* queue object, taking care of the reference counter. */ 5762/* */ 5763/* Now that this just sets a DELETE flag, it requires the expire code to */ 5764/* check the list of user defined timeout queues and call the free function */ 5765/* below (currently commented out) to stop memory leaking. It is done this */ 5766/* way because the locking may not be sufficient to safely do a free when */ 5767/* this function is called. */ 5768/* ------------------------------------------------------------------------ */ 5769int 5770ipf_deletetimeoutqueue(ifq) 5771 ipftq_t *ifq; 5772{ 5773 5774 ifq->ifq_ref--; 5775 if ((ifq->ifq_ref == 0) && ((ifq->ifq_flags & IFQF_USER) != 0)) { 5776 ifq->ifq_flags |= IFQF_DELETE; 5777 } 5778 5779 return ifq->ifq_ref; 5780} 5781 5782 5783/* ------------------------------------------------------------------------ */ 5784/* Function: ipf_freetimeoutqueue */ 5785/* Parameters: ifq(I) - timeout queue which is losing a reference. */ 5786/* Returns: Nil */ 5787/* */ 5788/* Locking: */ 5789/* It is assumed that the caller of this function has an appropriate lock */ 5790/* held (exclusively) in the domain that encompases the callers "domain". */ 5791/* The ifq_lock for this structure should not be held. */ 5792/* */ 5793/* Remove a user defined timeout queue from the list of queues it is in and */ 5794/* tidy up after this is done. */ 5795/* ------------------------------------------------------------------------ */ 5796void 5797ipf_freetimeoutqueue(softc, ifq) 5798 ipf_main_softc_t *softc; 5799 ipftq_t *ifq; 5800{ 5801 5802 if (((ifq->ifq_flags & IFQF_DELETE) == 0) || (ifq->ifq_ref != 0) || 5803 ((ifq->ifq_flags & IFQF_USER) == 0)) { 5804 printf("ipf_freetimeoutqueue(%lx) flags 0x%x ttl %d ref %d\n", 5805 (u_long)ifq, ifq->ifq_flags, ifq->ifq_ttl, 5806 ifq->ifq_ref); 5807 return; 5808 } 5809 5810 /* 5811 * Remove from its position in the list. 5812 */ 5813 *ifq->ifq_pnext = ifq->ifq_next; 5814 if (ifq->ifq_next != NULL) 5815 ifq->ifq_next->ifq_pnext = ifq->ifq_pnext; 5816 ifq->ifq_next = NULL; 5817 ifq->ifq_pnext = NULL; 5818 5819 MUTEX_DESTROY(&ifq->ifq_lock); 5820 ATOMIC_DEC(softc->ipf_userifqs); 5821 KFREE(ifq); 5822} 5823 5824 5825/* ------------------------------------------------------------------------ */ 5826/* Function: ipf_deletequeueentry */ 5827/* Returns: Nil */ 5828/* Parameters: tqe(I) - timeout queue entry to delete */ 5829/* */ 5830/* Remove a tail queue entry from its queue and make it an orphan. */ 5831/* ipf_deletetimeoutqueue is called to make sure the reference count on the */ 5832/* queue is correct. We can't, however, call ipf_freetimeoutqueue because */ 5833/* the correct lock(s) may not be held that would make it safe to do so. */ 5834/* ------------------------------------------------------------------------ */ 5835void 5836ipf_deletequeueentry(tqe) 5837 ipftqent_t *tqe; 5838{ 5839 ipftq_t *ifq; 5840 5841 ifq = tqe->tqe_ifq; 5842 5843 MUTEX_ENTER(&ifq->ifq_lock); 5844 5845 if (tqe->tqe_pnext != NULL) { 5846 *tqe->tqe_pnext = tqe->tqe_next; 5847 if (tqe->tqe_next != NULL) 5848 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; 5849 else /* we must be the tail anyway */ 5850 ifq->ifq_tail = tqe->tqe_pnext; 5851 5852 tqe->tqe_pnext = NULL; 5853 tqe->tqe_ifq = NULL; 5854 } 5855 5856 (void) ipf_deletetimeoutqueue(ifq); 5857 ASSERT(ifq->ifq_ref > 0); 5858 5859 MUTEX_EXIT(&ifq->ifq_lock); 5860} 5861 5862 5863/* ------------------------------------------------------------------------ */ 5864/* Function: ipf_queuefront */ 5865/* Returns: Nil */ 5866/* Parameters: tqe(I) - pointer to timeout queue entry */ 5867/* */ 5868/* Move a queue entry to the front of the queue, if it isn't already there. */ 5869/* ------------------------------------------------------------------------ */ 5870void 5871ipf_queuefront(tqe) 5872 ipftqent_t *tqe; 5873{ 5874 ipftq_t *ifq; 5875 5876 ifq = tqe->tqe_ifq; 5877 if (ifq == NULL) 5878 return; 5879 5880 MUTEX_ENTER(&ifq->ifq_lock); 5881 if (ifq->ifq_head != tqe) { 5882 *tqe->tqe_pnext = tqe->tqe_next; 5883 if (tqe->tqe_next) 5884 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; 5885 else 5886 ifq->ifq_tail = tqe->tqe_pnext; 5887 5888 tqe->tqe_next = ifq->ifq_head; 5889 ifq->ifq_head->tqe_pnext = &tqe->tqe_next; 5890 ifq->ifq_head = tqe; 5891 tqe->tqe_pnext = &ifq->ifq_head; 5892 } 5893 MUTEX_EXIT(&ifq->ifq_lock); 5894} 5895 5896 5897/* ------------------------------------------------------------------------ */ 5898/* Function: ipf_queueback */ 5899/* Returns: Nil */ 5900/* Parameters: ticks(I) - ipf tick time to use with this call */ 5901/* tqe(I) - pointer to timeout queue entry */ 5902/* */ 5903/* Move a queue entry to the back of the queue, if it isn't already there. */ 5904/* We use use ticks to calculate the expiration and mark for when we last */ 5905/* touched the structure. */ 5906/* ------------------------------------------------------------------------ */ 5907void 5908ipf_queueback(ticks, tqe) 5909 u_long ticks; 5910 ipftqent_t *tqe; 5911{ 5912 ipftq_t *ifq; 5913 5914 ifq = tqe->tqe_ifq; 5915 if (ifq == NULL) 5916 return; 5917 tqe->tqe_die = ticks + ifq->ifq_ttl; 5918 tqe->tqe_touched = ticks; 5919 5920 MUTEX_ENTER(&ifq->ifq_lock); 5921 if (tqe->tqe_next != NULL) { /* at the end already ? */ 5922 /* 5923 * Remove from list 5924 */ 5925 *tqe->tqe_pnext = tqe->tqe_next; 5926 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; 5927 5928 /* 5929 * Make it the last entry. 5930 */ 5931 tqe->tqe_next = NULL; 5932 tqe->tqe_pnext = ifq->ifq_tail; 5933 *ifq->ifq_tail = tqe; 5934 ifq->ifq_tail = &tqe->tqe_next; 5935 } 5936 MUTEX_EXIT(&ifq->ifq_lock); 5937} 5938 5939 5940/* ------------------------------------------------------------------------ */ 5941/* Function: ipf_queueappend */ 5942/* Returns: Nil */ 5943/* Parameters: ticks(I) - ipf tick time to use with this call */ 5944/* tqe(I) - pointer to timeout queue entry */ 5945/* ifq(I) - pointer to timeout queue */ 5946/* parent(I) - owing object pointer */ 5947/* */ 5948/* Add a new item to this queue and put it on the very end. */ 5949/* We use use ticks to calculate the expiration and mark for when we last */ 5950/* touched the structure. */ 5951/* ------------------------------------------------------------------------ */ 5952void 5953ipf_queueappend(ticks, tqe, ifq, parent) 5954 u_long ticks; 5955 ipftqent_t *tqe; 5956 ipftq_t *ifq; 5957 void *parent; 5958{ 5959 5960 MUTEX_ENTER(&ifq->ifq_lock); 5961 tqe->tqe_parent = parent; 5962 tqe->tqe_pnext = ifq->ifq_tail; 5963 *ifq->ifq_tail = tqe; 5964 ifq->ifq_tail = &tqe->tqe_next; 5965 tqe->tqe_next = NULL; 5966 tqe->tqe_ifq = ifq; 5967 tqe->tqe_die = ticks + ifq->ifq_ttl; 5968 tqe->tqe_touched = ticks; 5969 ifq->ifq_ref++; 5970 MUTEX_EXIT(&ifq->ifq_lock); 5971} 5972 5973 5974/* ------------------------------------------------------------------------ */ 5975/* Function: ipf_movequeue */ 5976/* Returns: Nil */ 5977/* Parameters: tq(I) - pointer to timeout queue information */ 5978/* oifp(I) - old timeout queue entry was on */ 5979/* nifp(I) - new timeout queue to put entry on */ 5980/* */ 5981/* Move a queue entry from one timeout queue to another timeout queue. */ 5982/* If it notices that the current entry is already last and does not need */ 5983/* to move queue, the return. */ 5984/* ------------------------------------------------------------------------ */ 5985void 5986ipf_movequeue(ticks, tqe, oifq, nifq) 5987 u_long ticks; 5988 ipftqent_t *tqe; 5989 ipftq_t *oifq, *nifq; 5990{ 5991 5992 /* 5993 * If the queue hasn't changed and we last touched this entry at the 5994 * same ipf time, then we're not going to achieve anything by either 5995 * changing the ttl or moving it on the queue. 5996 */ 5997 if (oifq == nifq && tqe->tqe_touched == ticks) 5998 return; 5999 6000 /* 6001 * For any of this to be outside the lock, there is a risk that two 6002 * packets entering simultaneously, with one changing to a different 6003 * queue and one not, could end up with things in a bizarre state. 6004 */ 6005 MUTEX_ENTER(&oifq->ifq_lock); 6006 6007 tqe->tqe_touched = ticks; 6008 tqe->tqe_die = ticks + nifq->ifq_ttl; 6009 /* 6010 * Is the operation here going to be a no-op ? 6011 */ 6012 if (oifq == nifq) { 6013 if ((tqe->tqe_next == NULL) || 6014 (tqe->tqe_next->tqe_die == tqe->tqe_die)) { 6015 MUTEX_EXIT(&oifq->ifq_lock); 6016 return; 6017 } 6018 } 6019 6020 /* 6021 * Remove from the old queue 6022 */ 6023 *tqe->tqe_pnext = tqe->tqe_next; 6024 if (tqe->tqe_next) 6025 tqe->tqe_next->tqe_pnext = tqe->tqe_pnext; 6026 else 6027 oifq->ifq_tail = tqe->tqe_pnext; 6028 tqe->tqe_next = NULL; 6029 6030 /* 6031 * If we're moving from one queue to another, release the 6032 * lock on the old queue and get a lock on the new queue. 6033 * For user defined queues, if we're moving off it, call 6034 * delete in case it can now be freed. 6035 */ 6036 if (oifq != nifq) { 6037 tqe->tqe_ifq = NULL; 6038 6039 (void) ipf_deletetimeoutqueue(oifq); 6040 6041 MUTEX_EXIT(&oifq->ifq_lock); 6042 6043 MUTEX_ENTER(&nifq->ifq_lock); 6044 6045 tqe->tqe_ifq = nifq; 6046 nifq->ifq_ref++; 6047 } 6048 6049 /* 6050 * Add to the bottom of the new queue 6051 */ 6052 tqe->tqe_pnext = nifq->ifq_tail; 6053 *nifq->ifq_tail = tqe; 6054 nifq->ifq_tail = &tqe->tqe_next; 6055 MUTEX_EXIT(&nifq->ifq_lock); 6056} 6057 6058 6059/* ------------------------------------------------------------------------ */ 6060/* Function: ipf_updateipid */ 6061/* Returns: int - 0 == success, -1 == error (packet should be droppped) */ 6062/* Parameters: fin(I) - pointer to packet information */ 6063/* */ 6064/* When we are doing NAT, change the IP of every packet to represent a */ 6065/* single sequence of packets coming from the host, hiding any host */ 6066/* specific sequencing that might otherwise be revealed. If the packet is */ 6067/* a fragment, then store the 'new' IPid in the fragment cache and look up */ 6068/* the fragment cache for non-leading fragments. If a non-leading fragment */ 6069/* has no match in the cache, return an error. */ 6070/* ------------------------------------------------------------------------ */ 6071static int 6072ipf_updateipid(fin) 6073 fr_info_t *fin; 6074{ 6075 u_short id, ido, sums; 6076 u_32_t sumd, sum; 6077 ip_t *ip; 6078 6079 if (fin->fin_off != 0) { 6080 sum = ipf_frag_ipidknown(fin); 6081 if (sum == 0xffffffff) 6082 return -1; 6083 sum &= 0xffff; 6084 id = (u_short)sum; 6085 } else { 6086 id = ipf_nextipid(fin); 6087 if (fin->fin_off == 0 && (fin->fin_flx & FI_FRAG) != 0) 6088 (void) ipf_frag_ipidnew(fin, (u_32_t)id); 6089 } 6090 6091 ip = fin->fin_ip; 6092 ido = ntohs(ip->ip_id); 6093 if (id == ido) 6094 return 0; 6095 ip->ip_id = htons(id); 6096 CALC_SUMD(ido, id, sumd); /* DESTRUCTIVE MACRO! id,ido change */ 6097 sum = (~ntohs(ip->ip_sum)) & 0xffff; 6098 sum += sumd; 6099 sum = (sum >> 16) + (sum & 0xffff); 6100 sum = (sum >> 16) + (sum & 0xffff); 6101 sums = ~(u_short)sum; 6102 ip->ip_sum = htons(sums); 6103 return 0; 6104} 6105 6106 6107#ifdef NEED_FRGETIFNAME 6108/* ------------------------------------------------------------------------ */ 6109/* Function: ipf_getifname */ 6110/* Returns: char * - pointer to interface name */ 6111/* Parameters: ifp(I) - pointer to network interface */ 6112/* buffer(O) - pointer to where to store interface name */ 6113/* */ 6114/* Constructs an interface name in the buffer passed. The buffer passed is */ 6115/* expected to be at least LIFNAMSIZ in bytes big. If buffer is passed in */ 6116/* as a NULL pointer then return a pointer to a static array. */ 6117/* ------------------------------------------------------------------------ */ 6118char * 6119ipf_getifname(ifp, buffer) 6120 struct ifnet *ifp; 6121 char *buffer; 6122{ 6123 static char namebuf[LIFNAMSIZ]; 6124# if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \ 6125 defined(__sgi) || defined(linux) || defined(_AIX51) || \ 6126 (defined(sun) && !defined(__SVR4) && !defined(__svr4__)) 6127 int unit, space; 6128 char temp[20]; 6129 char *s; 6130# endif 6131 6132 if (buffer == NULL) 6133 buffer = namebuf; 6134 (void) strncpy(buffer, ifp->if_name, LIFNAMSIZ); 6135 buffer[LIFNAMSIZ - 1] = '\0'; 6136# if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \ 6137 defined(__sgi) || defined(_AIX51) || \ 6138 (defined(sun) && !defined(__SVR4) && !defined(__svr4__)) 6139 for (s = buffer; *s; s++) 6140 ; 6141 unit = ifp->if_unit; 6142 space = LIFNAMSIZ - (s - buffer); 6143 if ((space > 0) && (unit >= 0)) { 6144# if defined(SNPRINTF) && defined(_KERNEL) 6145 SNPRINTF(temp, sizeof(temp), "%d", unit); 6146# else 6147 (void) sprintf(temp, "%d", unit); 6148# endif 6149 (void) strncpy(s, temp, space); 6150 } 6151# endif 6152 return buffer; 6153} 6154#endif 6155 6156 6157/* ------------------------------------------------------------------------ */ 6158/* Function: ipf_ioctlswitch */ 6159/* Returns: int - -1 continue processing, else ioctl return value */ 6160/* Parameters: unit(I) - device unit opened */ 6161/* data(I) - pointer to ioctl data */ 6162/* cmd(I) - ioctl command */ 6163/* mode(I) - mode value */ 6164/* uid(I) - uid making the ioctl call */ 6165/* ctx(I) - pointer to context data */ 6166/* */ 6167/* Based on the value of unit, call the appropriate ioctl handler or return */ 6168/* EIO if ipfilter is not running. Also checks if write perms are req'd */ 6169/* for the device in order to execute the ioctl. A special case is made */ 6170/* SIOCIPFINTERROR so that the same code isn't required in every handler. */ 6171/* The context data pointer is passed through as this is used as the key */ 6172/* for locating a matching token for continued access for walking lists, */ 6173/* etc. */ 6174/* ------------------------------------------------------------------------ */ 6175int 6176ipf_ioctlswitch(softc, unit, data, cmd, mode, uid, ctx) 6177 ipf_main_softc_t *softc; 6178 int unit, mode, uid; 6179 ioctlcmd_t cmd; 6180 void *data, *ctx; 6181{ 6182 int error = 0; 6183 6184 switch (cmd) 6185 { 6186 case SIOCIPFINTERROR : 6187 error = BCOPYOUT(&softc->ipf_interror, data, 6188 sizeof(softc->ipf_interror)); 6189 if (error != 0) { 6190 IPFERROR(40); 6191 error = EFAULT; 6192 } 6193 return error; 6194 default : 6195 break; 6196 } 6197 6198 switch (unit) 6199 { 6200 case IPL_LOGIPF : 6201 error = ipf_ipf_ioctl(softc, data, cmd, mode, uid, ctx); 6202 break; 6203 case IPL_LOGNAT : 6204 if (softc->ipf_running > 0) { 6205 error = ipf_nat_ioctl(softc, data, cmd, mode, 6206 uid, ctx); 6207 } else { 6208 IPFERROR(42); 6209 error = EIO; 6210 } 6211 break; 6212 case IPL_LOGSTATE : 6213 if (softc->ipf_running > 0) { 6214 error = ipf_state_ioctl(softc, data, cmd, mode, 6215 uid, ctx); 6216 } else { 6217 IPFERROR(43); 6218 error = EIO; 6219 } 6220 break; 6221 case IPL_LOGAUTH : 6222 if (softc->ipf_running > 0) { 6223 error = ipf_auth_ioctl(softc, data, cmd, mode, 6224 uid, ctx); 6225 } else { 6226 IPFERROR(44); 6227 error = EIO; 6228 } 6229 break; 6230 case IPL_LOGSYNC : 6231 if (softc->ipf_running > 0) { 6232 error = ipf_sync_ioctl(softc, data, cmd, mode, 6233 uid, ctx); 6234 } else { 6235 error = EIO; 6236 IPFERROR(45); 6237 } 6238 break; 6239 case IPL_LOGSCAN : 6240#ifdef IPFILTER_SCAN 6241 if (softc->ipf_running > 0) 6242 error = ipf_scan_ioctl(softc, data, cmd, mode, 6243 uid, ctx); 6244 else 6245#endif 6246 { 6247 error = EIO; 6248 IPFERROR(46); 6249 } 6250 break; 6251 case IPL_LOGLOOKUP : 6252 if (softc->ipf_running > 0) { 6253 error = ipf_lookup_ioctl(softc, data, cmd, mode, 6254 uid, ctx); 6255 } else { 6256 error = EIO; 6257 IPFERROR(47); 6258 } 6259 break; 6260 default : 6261 IPFERROR(48); 6262 error = EIO; 6263 break; 6264 } 6265 6266 return error; 6267} 6268 6269 6270/* 6271 * This array defines the expected size of objects coming into the kernel 6272 * for the various recognised object types. The first column is flags (see 6273 * below), 2nd column is current size, 3rd column is the version number of 6274 * when the current size became current. 6275 * Flags: 6276 * 1 = minimum size, not absolute size 6277 */ 6278static int ipf_objbytes[IPFOBJ_COUNT][3] = { 6279 { 1, sizeof(struct frentry), 5010000 }, /* 0 */ 6280 { 1, sizeof(struct friostat), 5010000 }, 6281 { 0, sizeof(struct fr_info), 5010000 }, 6282 { 0, sizeof(struct ipf_authstat), 4010100 }, 6283 { 0, sizeof(struct ipfrstat), 5010000 }, 6284 { 1, sizeof(struct ipnat), 5010000 }, /* 5 */ 6285 { 0, sizeof(struct natstat), 5010000 }, 6286 { 0, sizeof(struct ipstate_save), 5010000 }, 6287 { 1, sizeof(struct nat_save), 5010000 }, 6288 { 0, sizeof(struct natlookup), 5010000 }, 6289 { 1, sizeof(struct ipstate), 5010000 }, /* 10 */ 6290 { 0, sizeof(struct ips_stat), 5010000 }, 6291 { 0, sizeof(struct frauth), 5010000 }, 6292 { 0, sizeof(struct ipftune), 4010100 }, 6293 { 0, sizeof(struct nat), 5010000 }, 6294 { 0, sizeof(struct ipfruleiter), 4011400 }, /* 15 */ 6295 { 0, sizeof(struct ipfgeniter), 4011400 }, 6296 { 0, sizeof(struct ipftable), 4011400 }, 6297 { 0, sizeof(struct ipflookupiter), 4011400 }, 6298 { 0, sizeof(struct ipftq) * IPF_TCP_NSTATES }, 6299 { 1, 0, 0 }, /* IPFEXPR */ 6300 { 0, 0, 0 }, /* PROXYCTL */ 6301 { 0, sizeof (struct fripf), 5010000 } 6302}; 6303 6304 6305/* ------------------------------------------------------------------------ */ 6306/* Function: ipf_inobj */ 6307/* Returns: int - 0 = success, else failure */ 6308/* Parameters: softc(I) - soft context pointerto work with */ 6309/* data(I) - pointer to ioctl data */ 6310/* objp(O) - where to store ipfobj structure */ 6311/* ptr(I) - pointer to data to copy out */ 6312/* type(I) - type of structure being moved */ 6313/* */ 6314/* Copy in the contents of what the ipfobj_t points to. In future, we */ 6315/* add things to check for version numbers, sizes, etc, to make it backward */ 6316/* compatible at the ABI for user land. */ 6317/* If objp is not NULL then we assume that the caller wants to see what is */ 6318/* in the ipfobj_t structure being copied in. As an example, this can tell */ 6319/* the caller what version of ipfilter the ioctl program was written to. */ 6320/* ------------------------------------------------------------------------ */ 6321int 6322ipf_inobj(softc, data, objp, ptr, type) 6323 ipf_main_softc_t *softc; 6324 void *data; 6325 ipfobj_t *objp; 6326 void *ptr; 6327 int type; 6328{ 6329 ipfobj_t obj; 6330 int error; 6331 int size; 6332 6333 if ((type < 0) || (type >= IPFOBJ_COUNT)) { 6334 IPFERROR(49); 6335 return EINVAL; 6336 } 6337 6338 if (objp == NULL) 6339 objp = &obj; 6340 error = BCOPYIN(data, objp, sizeof(*objp)); 6341 if (error != 0) { 6342 IPFERROR(124); 6343 return EFAULT; 6344 } 6345 6346 if (objp->ipfo_type != type) { 6347 IPFERROR(50); 6348 return EINVAL; 6349 } 6350 6351 if (objp->ipfo_rev >= ipf_objbytes[type][2]) { 6352 if ((ipf_objbytes[type][0] & 1) != 0) { 6353 if (objp->ipfo_size < ipf_objbytes[type][1]) { 6354 IPFERROR(51); 6355 return EINVAL; 6356 } 6357 size = ipf_objbytes[type][1]; 6358 } else if (objp->ipfo_size == ipf_objbytes[type][1]) { 6359 size = objp->ipfo_size; 6360 } else { 6361 IPFERROR(52); 6362 return EINVAL; 6363 } 6364 error = COPYIN(objp->ipfo_ptr, ptr, size); 6365 if (error != 0) { 6366 IPFERROR(55); 6367 error = EFAULT; 6368 } 6369 } else { 6370#ifdef IPFILTER_COMPAT 6371 error = ipf_in_compat(softc, objp, ptr, 0); 6372#else 6373 IPFERROR(54); 6374 error = EINVAL; 6375#endif 6376 } 6377 return error; 6378} 6379 6380 6381/* ------------------------------------------------------------------------ */ 6382/* Function: ipf_inobjsz */ 6383/* Returns: int - 0 = success, else failure */ 6384/* Parameters: softc(I) - soft context pointerto work with */ 6385/* data(I) - pointer to ioctl data */ 6386/* ptr(I) - pointer to store real data in */ 6387/* type(I) - type of structure being moved */ 6388/* sz(I) - size of data to copy */ 6389/* */ 6390/* As per ipf_inobj, except the size of the object to copy in is passed in */ 6391/* but it must not be smaller than the size defined for the type and the */ 6392/* type must allow for varied sized objects. The extra requirement here is */ 6393/* that sz must match the size of the object being passed in - this is not */ 6394/* not possible nor required in ipf_inobj(). */ 6395/* ------------------------------------------------------------------------ */ 6396int 6397ipf_inobjsz(softc, data, ptr, type, sz) 6398 ipf_main_softc_t *softc; 6399 void *data; 6400 void *ptr; 6401 int type, sz; 6402{ 6403 ipfobj_t obj; 6404 int error; 6405 6406 if ((type < 0) || (type >= IPFOBJ_COUNT)) { 6407 IPFERROR(56); 6408 return EINVAL; 6409 } 6410 6411 error = BCOPYIN(data, &obj, sizeof(obj)); 6412 if (error != 0) { 6413 IPFERROR(125); 6414 return EFAULT; 6415 } 6416 6417 if (obj.ipfo_type != type) { 6418 IPFERROR(58); 6419 return EINVAL; 6420 } 6421 6422 if (obj.ipfo_rev >= ipf_objbytes[type][2]) { 6423 if (((ipf_objbytes[type][0] & 1) == 0) || 6424 (sz < ipf_objbytes[type][1])) { 6425 IPFERROR(57); 6426 return EINVAL; 6427 } 6428 error = COPYIN(obj.ipfo_ptr, ptr, sz); 6429 if (error != 0) { 6430 IPFERROR(61); 6431 error = EFAULT; 6432 } 6433 } else { 6434#ifdef IPFILTER_COMPAT 6435 error = ipf_in_compat(softc, &obj, ptr, sz); 6436#else 6437 IPFERROR(60); 6438 error = EINVAL; 6439#endif 6440 } 6441 return error; 6442} 6443 6444 6445/* ------------------------------------------------------------------------ */ 6446/* Function: ipf_outobjsz */ 6447/* Returns: int - 0 = success, else failure */ 6448/* Parameters: data(I) - pointer to ioctl data */ 6449/* ptr(I) - pointer to store real data in */ 6450/* type(I) - type of structure being moved */ 6451/* sz(I) - size of data to copy */ 6452/* */ 6453/* As per ipf_outobj, except the size of the object to copy out is passed in*/ 6454/* but it must not be smaller than the size defined for the type and the */ 6455/* type must allow for varied sized objects. The extra requirement here is */ 6456/* that sz must match the size of the object being passed in - this is not */ 6457/* not possible nor required in ipf_outobj(). */ 6458/* ------------------------------------------------------------------------ */ 6459int 6460ipf_outobjsz(softc, data, ptr, type, sz) 6461 ipf_main_softc_t *softc; 6462 void *data; 6463 void *ptr; 6464 int type, sz; 6465{ 6466 ipfobj_t obj; 6467 int error; 6468 6469 if ((type < 0) || (type >= IPFOBJ_COUNT)) { 6470 IPFERROR(62); 6471 return EINVAL; 6472 } 6473 6474 error = BCOPYIN(data, &obj, sizeof(obj)); 6475 if (error != 0) { 6476 IPFERROR(127); 6477 return EFAULT; 6478 } 6479 6480 if (obj.ipfo_type != type) { 6481 IPFERROR(63); 6482 return EINVAL; 6483 } 6484 6485 if (obj.ipfo_rev >= ipf_objbytes[type][2]) { 6486 if (((ipf_objbytes[type][0] & 1) == 0) || 6487 (sz < ipf_objbytes[type][1])) { 6488 IPFERROR(146); 6489 return EINVAL; 6490 } 6491 error = COPYOUT(ptr, obj.ipfo_ptr, sz); 6492 if (error != 0) { 6493 IPFERROR(66); 6494 error = EFAULT; 6495 } 6496 } else { 6497#ifdef IPFILTER_COMPAT 6498 error = ipf_out_compat(softc, &obj, ptr); 6499#else 6500 IPFERROR(65); 6501 error = EINVAL; 6502#endif 6503 } 6504 return error; 6505} 6506 6507 6508/* ------------------------------------------------------------------------ */ 6509/* Function: ipf_outobj */ 6510/* Returns: int - 0 = success, else failure */ 6511/* Parameters: data(I) - pointer to ioctl data */ 6512/* ptr(I) - pointer to store real data in */ 6513/* type(I) - type of structure being moved */ 6514/* */ 6515/* Copy out the contents of what ptr is to where ipfobj points to. In */ 6516/* future, we add things to check for version numbers, sizes, etc, to make */ 6517/* it backward compatible at the ABI for user land. */ 6518/* ------------------------------------------------------------------------ */ 6519int 6520ipf_outobj(softc, data, ptr, type) 6521 ipf_main_softc_t *softc; 6522 void *data; 6523 void *ptr; 6524 int type; 6525{ 6526 ipfobj_t obj; 6527 int error; 6528 6529 if ((type < 0) || (type >= IPFOBJ_COUNT)) { 6530 IPFERROR(67); 6531 return EINVAL; 6532 } 6533 6534 error = BCOPYIN(data, &obj, sizeof(obj)); 6535 if (error != 0) { 6536 IPFERROR(126); 6537 return EFAULT; 6538 } 6539 6540 if (obj.ipfo_type != type) { 6541 IPFERROR(68); 6542 return EINVAL; 6543 } 6544 6545 if (obj.ipfo_rev >= ipf_objbytes[type][2]) { 6546 if ((ipf_objbytes[type][0] & 1) != 0) { 6547 if (obj.ipfo_size < ipf_objbytes[type][1]) { 6548 IPFERROR(69); 6549 return EINVAL; 6550 } 6551 } else if (obj.ipfo_size != ipf_objbytes[type][1]) { 6552 IPFERROR(70); 6553 return EINVAL; 6554 } 6555 6556 error = COPYOUT(ptr, obj.ipfo_ptr, obj.ipfo_size); 6557 if (error != 0) { 6558 IPFERROR(73); 6559 error = EFAULT; 6560 } 6561 } else { 6562#ifdef IPFILTER_COMPAT 6563 error = ipf_out_compat(softc, &obj, ptr); 6564#else 6565 IPFERROR(72); 6566 error = EINVAL; 6567#endif 6568 } 6569 return error; 6570} 6571 6572 6573/* ------------------------------------------------------------------------ */ 6574/* Function: ipf_outobjk */ 6575/* Returns: int - 0 = success, else failure */ 6576/* Parameters: obj(I) - pointer to data description structure */ 6577/* ptr(I) - pointer to kernel data to copy out */ 6578/* */ 6579/* In the above functions, the ipfobj_t structure is copied into the kernel,*/ 6580/* telling ipfilter how to copy out data. In this instance, the ipfobj_t is */ 6581/* already populated with information and now we just need to use it. */ 6582/* There is no need for this function to have a "type" parameter as there */ 6583/* is no point in validating information that comes from the kernel with */ 6584/* itself. */ 6585/* ------------------------------------------------------------------------ */ 6586int 6587ipf_outobjk(softc, obj, ptr) 6588 ipf_main_softc_t *softc; 6589 ipfobj_t *obj; 6590 void *ptr; 6591{ 6592 int type = obj->ipfo_type; 6593 int error; 6594 6595 if ((type < 0) || (type >= IPFOBJ_COUNT)) { 6596 IPFERROR(147); 6597 return EINVAL; 6598 } 6599 6600 if (obj->ipfo_rev >= ipf_objbytes[type][2]) { 6601 if ((ipf_objbytes[type][0] & 1) != 0) { 6602 if (obj->ipfo_size < ipf_objbytes[type][1]) { 6603 IPFERROR(148); 6604 return EINVAL; 6605 } 6606 6607 } else if (obj->ipfo_size != ipf_objbytes[type][1]) { 6608 IPFERROR(149); 6609 return EINVAL; 6610 } 6611 6612 error = COPYOUT(ptr, obj->ipfo_ptr, obj->ipfo_size); 6613 if (error != 0) { 6614 IPFERROR(150); 6615 error = EFAULT; 6616 } 6617 } else { 6618#ifdef IPFILTER_COMPAT 6619 error = ipf_out_compat(softc, obj, ptr); 6620#else 6621 IPFERROR(151); 6622 error = EINVAL; 6623#endif 6624 } 6625 return error; 6626} 6627 6628 6629/* ------------------------------------------------------------------------ */ 6630/* Function: ipf_checkl4sum */ 6631/* Returns: int - 0 = good, -1 = bad, 1 = cannot check */ 6632/* Parameters: fin(I) - pointer to packet information */ 6633/* */ 6634/* If possible, calculate the layer 4 checksum for the packet. If this is */ 6635/* not possible, return without indicating a failure or success but in a */ 6636/* way that is ditinguishable. This function should only be called by the */ 6637/* ipf_checkv6sum() for each platform. */ 6638/* ------------------------------------------------------------------------ */ 6639INLINE int 6640ipf_checkl4sum(fin) 6641 fr_info_t *fin; 6642{ 6643 u_short sum, hdrsum, *csump; 6644 udphdr_t *udp; 6645 int dosum; 6646 6647 /* 6648 * If the TCP packet isn't a fragment, isn't too short and otherwise 6649 * isn't already considered "bad", then validate the checksum. If 6650 * this check fails then considered the packet to be "bad". 6651 */ 6652 if ((fin->fin_flx & (FI_FRAG|FI_SHORT|FI_BAD)) != 0) 6653 return 1; 6654 6655 DT2(l4sumo, int, fin->fin_out, int, (int)fin->fin_p); 6656 if (fin->fin_out == 1) { 6657 fin->fin_cksum = FI_CK_SUMOK; 6658 return 0; 6659 } 6660 6661 csump = NULL; 6662 hdrsum = 0; 6663 dosum = 0; 6664 sum = 0; 6665 6666 switch (fin->fin_p) 6667 { 6668 case IPPROTO_TCP : 6669 csump = &((tcphdr_t *)fin->fin_dp)->th_sum; 6670 dosum = 1; 6671 break; 6672 6673 case IPPROTO_UDP : 6674 udp = fin->fin_dp; 6675 if (udp->uh_sum != 0) { 6676 csump = &udp->uh_sum; 6677 dosum = 1; 6678 } 6679 break; 6680 6681#ifdef USE_INET6 6682 case IPPROTO_ICMPV6 : 6683 csump = &((struct icmp6_hdr *)fin->fin_dp)->icmp6_cksum; 6684 dosum = 1; 6685 break; 6686#endif 6687 6688 case IPPROTO_ICMP : 6689 csump = &((struct icmp *)fin->fin_dp)->icmp_cksum; 6690 dosum = 1; 6691 break; 6692 6693 default : 6694 return 1; 6695 /*NOTREACHED*/ 6696 } 6697 6698 if (csump != NULL) 6699 hdrsum = *csump; 6700 6701 if (dosum) { 6702 sum = fr_cksum(fin, fin->fin_ip, fin->fin_p, fin->fin_dp); 6703 } 6704#if !defined(_KERNEL) 6705 if (sum == hdrsum) { 6706 FR_DEBUG(("checkl4sum: %hx == %hx\n", sum, hdrsum)); 6707 } else { 6708 FR_DEBUG(("checkl4sum: %hx != %hx\n", sum, hdrsum)); 6709 } 6710#endif 6711 DT2(l4sums, u_short, hdrsum, u_short, sum); 6712#ifdef USE_INET6 6713 if (hdrsum == sum || (sum == 0 && fin->fin_p == IPPROTO_ICMPV6)) { 6714#else 6715 if (hdrsum == sum) { 6716#endif 6717 fin->fin_cksum = FI_CK_SUMOK; 6718 return 0; 6719 } 6720 fin->fin_cksum = FI_CK_BAD; 6721 return -1; 6722} 6723 6724 6725/* ------------------------------------------------------------------------ */ 6726/* Function: ipf_ifpfillv4addr */ 6727/* Returns: int - 0 = address update, -1 = address not updated */ 6728/* Parameters: atype(I) - type of network address update to perform */ 6729/* sin(I) - pointer to source of address information */ 6730/* mask(I) - pointer to source of netmask information */ 6731/* inp(I) - pointer to destination address store */ 6732/* inpmask(I) - pointer to destination netmask store */ 6733/* */ 6734/* Given a type of network address update (atype) to perform, copy */ 6735/* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */ 6736/* netmask update is performed unless FRI_NETMASKED is passed as atype, in */ 6737/* which case the operation fails. For all values of atype other than */ 6738/* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */ 6739/* value. */ 6740/* ------------------------------------------------------------------------ */ 6741int 6742ipf_ifpfillv4addr(atype, sin, mask, inp, inpmask) 6743 int atype; 6744 struct sockaddr_in *sin, *mask; 6745 struct in_addr *inp, *inpmask; 6746{ 6747 if (inpmask != NULL && atype != FRI_NETMASKED) 6748 inpmask->s_addr = 0xffffffff; 6749 6750 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) { 6751 if (atype == FRI_NETMASKED) { 6752 if (inpmask == NULL) 6753 return -1; 6754 inpmask->s_addr = mask->sin_addr.s_addr; 6755 } 6756 inp->s_addr = sin->sin_addr.s_addr & mask->sin_addr.s_addr; 6757 } else { 6758 inp->s_addr = sin->sin_addr.s_addr; 6759 } 6760 return 0; 6761} 6762 6763 6764#ifdef USE_INET6 6765/* ------------------------------------------------------------------------ */ 6766/* Function: ipf_ifpfillv6addr */ 6767/* Returns: int - 0 = address update, -1 = address not updated */ 6768/* Parameters: atype(I) - type of network address update to perform */ 6769/* sin(I) - pointer to source of address information */ 6770/* mask(I) - pointer to source of netmask information */ 6771/* inp(I) - pointer to destination address store */ 6772/* inpmask(I) - pointer to destination netmask store */ 6773/* */ 6774/* Given a type of network address update (atype) to perform, copy */ 6775/* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */ 6776/* netmask update is performed unless FRI_NETMASKED is passed as atype, in */ 6777/* which case the operation fails. For all values of atype other than */ 6778/* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */ 6779/* value. */ 6780/* ------------------------------------------------------------------------ */ 6781int 6782ipf_ifpfillv6addr(atype, sin, mask, inp, inpmask) 6783 int atype; 6784 struct sockaddr_in6 *sin, *mask; 6785 i6addr_t *inp, *inpmask; 6786{ 6787 i6addr_t *src, *and; 6788 6789 src = (i6addr_t *)&sin->sin6_addr; 6790 and = (i6addr_t *)&mask->sin6_addr; 6791 6792 if (inpmask != NULL && atype != FRI_NETMASKED) { 6793 inpmask->i6[0] = 0xffffffff; 6794 inpmask->i6[1] = 0xffffffff; 6795 inpmask->i6[2] = 0xffffffff; 6796 inpmask->i6[3] = 0xffffffff; 6797 } 6798 6799 if (atype == FRI_NETWORK || atype == FRI_NETMASKED) { 6800 if (atype == FRI_NETMASKED) { 6801 if (inpmask == NULL) 6802 return -1; 6803 inpmask->i6[0] = and->i6[0]; 6804 inpmask->i6[1] = and->i6[1]; 6805 inpmask->i6[2] = and->i6[2]; 6806 inpmask->i6[3] = and->i6[3]; 6807 } 6808 6809 inp->i6[0] = src->i6[0] & and->i6[0]; 6810 inp->i6[1] = src->i6[1] & and->i6[1]; 6811 inp->i6[2] = src->i6[2] & and->i6[2]; 6812 inp->i6[3] = src->i6[3] & and->i6[3]; 6813 } else { 6814 inp->i6[0] = src->i6[0]; 6815 inp->i6[1] = src->i6[1]; 6816 inp->i6[2] = src->i6[2]; 6817 inp->i6[3] = src->i6[3]; 6818 } 6819 return 0; 6820} 6821#endif 6822 6823 6824/* ------------------------------------------------------------------------ */ 6825/* Function: ipf_matchtag */ 6826/* Returns: 0 == mismatch, 1 == match. */ 6827/* Parameters: tag1(I) - pointer to first tag to compare */ 6828/* tag2(I) - pointer to second tag to compare */ 6829/* */ 6830/* Returns true (non-zero) or false(0) if the two tag structures can be */ 6831/* considered to be a match or not match, respectively. The tag is 16 */ 6832/* bytes long (16 characters) but that is overlayed with 4 32bit ints so */ 6833/* compare the ints instead, for speed. tag1 is the master of the */ 6834/* comparison. This function should only be called with both tag1 and tag2 */ 6835/* as non-NULL pointers. */ 6836/* ------------------------------------------------------------------------ */ 6837int 6838ipf_matchtag(tag1, tag2) 6839 ipftag_t *tag1, *tag2; 6840{ 6841 if (tag1 == tag2) 6842 return 1; 6843 6844 if ((tag1->ipt_num[0] == 0) && (tag2->ipt_num[0] == 0)) 6845 return 1; 6846 6847 if ((tag1->ipt_num[0] == tag2->ipt_num[0]) && 6848 (tag1->ipt_num[1] == tag2->ipt_num[1]) && 6849 (tag1->ipt_num[2] == tag2->ipt_num[2]) && 6850 (tag1->ipt_num[3] == tag2->ipt_num[3])) 6851 return 1; 6852 return 0; 6853} 6854 6855 6856/* ------------------------------------------------------------------------ */ 6857/* Function: ipf_coalesce */ 6858/* Returns: 1 == success, -1 == failure, 0 == no change */ 6859/* Parameters: fin(I) - pointer to packet information */ 6860/* */ 6861/* Attempt to get all of the packet data into a single, contiguous buffer. */ 6862/* If this call returns a failure then the buffers have also been freed. */ 6863/* ------------------------------------------------------------------------ */ 6864int 6865ipf_coalesce(fin) 6866 fr_info_t *fin; 6867{ 6868 6869 if ((fin->fin_flx & FI_COALESCE) != 0) 6870 return 1; 6871 6872 /* 6873 * If the mbuf pointers indicate that there is no mbuf to work with, 6874 * return but do not indicate success or failure. 6875 */ 6876 if (fin->fin_m == NULL || fin->fin_mp == NULL) 6877 return 0; 6878 6879#if defined(_KERNEL) 6880 if (ipf_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) { 6881 ipf_main_softc_t *softc = fin->fin_main_soft; 6882 6883 DT1(frb_coalesce, fr_info_t *, fin); 6884 LBUMP(ipf_stats[fin->fin_out].fr_badcoalesces); 6885# ifdef MENTAT 6886 FREE_MB_T(*fin->fin_mp); 6887# endif 6888 fin->fin_reason = FRB_COALESCE; 6889 *fin->fin_mp = NULL; 6890 fin->fin_m = NULL; 6891 return -1; 6892 } 6893#else 6894 fin = fin; /* LINT */ 6895#endif 6896 return 1; 6897} 6898 6899 6900/* 6901 * The following table lists all of the tunable variables that can be 6902 * accessed via SIOCIPFGET/SIOCIPFSET/SIOCIPFGETNEXt. The format of each row 6903 * in the table below is as follows: 6904 * 6905 * pointer to value, name of value, minimum, maximum, size of the value's 6906 * container, value attribute flags 6907 * 6908 * For convienience, IPFT_RDONLY means the value is read-only, IPFT_WRDISABLED 6909 * means the value can only be written to when IPFilter is loaded but disabled. 6910 * The obvious implication is if neither of these are set then the value can be 6911 * changed at any time without harm. 6912 */ 6913 6914 6915/* ------------------------------------------------------------------------ */ 6916/* Function: ipf_tune_findbycookie */ 6917/* Returns: NULL = search failed, else pointer to tune struct */ 6918/* Parameters: cookie(I) - cookie value to search for amongst tuneables */ 6919/* next(O) - pointer to place to store the cookie for the */ 6920/* "next" tuneable, if it is desired. */ 6921/* */ 6922/* This function is used to walk through all of the existing tunables with */ 6923/* successive calls. It searches the known tunables for the one which has */ 6924/* a matching value for "cookie" - ie its address. When returning a match, */ 6925/* the next one to be found may be returned inside next. */ 6926/* ------------------------------------------------------------------------ */ 6927static ipftuneable_t * 6928ipf_tune_findbycookie(ptop, cookie, next) 6929 ipftuneable_t **ptop; 6930 void *cookie, **next; 6931{ 6932 ipftuneable_t *ta, **tap; 6933 6934 for (ta = *ptop; ta->ipft_name != NULL; ta++) 6935 if (ta == cookie) { 6936 if (next != NULL) { 6937 /* 6938 * If the next entry in the array has a name 6939 * present, then return a pointer to it for 6940 * where to go next, else return a pointer to 6941 * the dynaminc list as a key to search there 6942 * next. This facilitates a weak linking of 6943 * the two "lists" together. 6944 */ 6945 if ((ta + 1)->ipft_name != NULL) 6946 *next = ta + 1; 6947 else 6948 *next = ptop; 6949 } 6950 return ta; 6951 } 6952 6953 for (tap = ptop; (ta = *tap) != NULL; tap = &ta->ipft_next) 6954 if (tap == cookie) { 6955 if (next != NULL) 6956 *next = &ta->ipft_next; 6957 return ta; 6958 } 6959 6960 if (next != NULL) 6961 *next = NULL; 6962 return NULL; 6963} 6964 6965 6966/* ------------------------------------------------------------------------ */ 6967/* Function: ipf_tune_findbyname */ 6968/* Returns: NULL = search failed, else pointer to tune struct */ 6969/* Parameters: name(I) - name of the tuneable entry to find. */ 6970/* */ 6971/* Search the static array of tuneables and the list of dynamic tuneables */ 6972/* for an entry with a matching name. If we can find one, return a pointer */ 6973/* to the matching structure. */ 6974/* ------------------------------------------------------------------------ */ 6975static ipftuneable_t * 6976ipf_tune_findbyname(top, name) 6977 ipftuneable_t *top; 6978 const char *name; 6979{ 6980 ipftuneable_t *ta; 6981 6982 for (ta = top; ta != NULL; ta = ta->ipft_next) 6983 if (!strcmp(ta->ipft_name, name)) { 6984 return ta; 6985 } 6986 6987 return NULL; 6988} 6989 6990 6991/* ------------------------------------------------------------------------ */ 6992/* Function: ipf_tune_add_array */ 6993/* Returns: int - 0 == success, else failure */ 6994/* Parameters: newtune - pointer to new tune array to add to tuneables */ 6995/* */ 6996/* Appends tune structures from the array passed in (newtune) to the end of */ 6997/* the current list of "dynamic" tuneable parameters. */ 6998/* If any entry to be added is already present (by name) then the operation */ 6999/* is aborted - entries that have been added are removed before returning. */ 7000/* An entry with no name (NULL) is used as the indication that the end of */ 7001/* the array has been reached. */ 7002/* ------------------------------------------------------------------------ */ 7003int 7004ipf_tune_add_array(softc, newtune) 7005 ipf_main_softc_t *softc; 7006 ipftuneable_t *newtune; 7007{ 7008 ipftuneable_t *nt, *dt; 7009 int error = 0; 7010 7011 for (nt = newtune; nt->ipft_name != NULL; nt++) { 7012 error = ipf_tune_add(softc, nt); 7013 if (error != 0) { 7014 for (dt = newtune; dt != nt; dt++) { 7015 (void) ipf_tune_del(softc, dt); 7016 } 7017 } 7018 } 7019 7020 return error; 7021} 7022 7023 7024/* ------------------------------------------------------------------------ */ 7025/* Function: ipf_tune_array_link */ 7026/* Returns: 0 == success, -1 == failure */ 7027/* Parameters: softc(I) - soft context pointerto work with */ 7028/* array(I) - pointer to an array of tuneables */ 7029/* */ 7030/* Given an array of tunables (array), append them to the current list of */ 7031/* tuneables for this context (softc->ipf_tuners.) To properly prepare the */ 7032/* the array for being appended to the list, initialise all of the next */ 7033/* pointers so we don't need to walk parts of it with ++ and others with */ 7034/* next. The array is expected to have an entry with a NULL name as the */ 7035/* terminator. Trying to add an array with no non-NULL names will return as */ 7036/* a failure. */ 7037/* ------------------------------------------------------------------------ */ 7038int 7039ipf_tune_array_link(softc, array) 7040 ipf_main_softc_t *softc; 7041 ipftuneable_t *array; 7042{ 7043 ipftuneable_t *t, **p; 7044 7045 t = array; 7046 if (t->ipft_name == NULL) 7047 return -1; 7048 7049 for (; t[1].ipft_name != NULL; t++) 7050 t[0].ipft_next = &t[1]; 7051 t->ipft_next = NULL; 7052 7053 /* 7054 * Since a pointer to the last entry isn't kept, we need to find it 7055 * each time we want to add new variables to the list. 7056 */ 7057 for (p = &softc->ipf_tuners; (t = *p) != NULL; p = &t->ipft_next) 7058 if (t->ipft_name == NULL) 7059 break; 7060 *p = array; 7061 7062 return 0; 7063} 7064 7065 7066/* ------------------------------------------------------------------------ */ 7067/* Function: ipf_tune_array_unlink */ 7068/* Returns: 0 == success, -1 == failure */ 7069/* Parameters: softc(I) - soft context pointerto work with */ 7070/* array(I) - pointer to an array of tuneables */ 7071/* */ 7072/* ------------------------------------------------------------------------ */ 7073int 7074ipf_tune_array_unlink(softc, array) 7075 ipf_main_softc_t *softc; 7076 ipftuneable_t *array; 7077{ 7078 ipftuneable_t *t, **p; 7079 7080 for (p = &softc->ipf_tuners; (t = *p) != NULL; p = &t->ipft_next) 7081 if (t == array) 7082 break; 7083 if (t == NULL) 7084 return -1; 7085 7086 for (; t[1].ipft_name != NULL; t++) 7087 ; 7088 7089 *p = t->ipft_next; 7090 7091 return 0; 7092} 7093 7094 7095/* ------------------------------------------------------------------------ */ 7096/* Function: ipf_tune_array_copy */ 7097/* Returns: NULL = failure, else pointer to new array */ 7098/* Parameters: base(I) - pointer to structure base */ 7099/* size(I) - size of the array at template */ 7100/* template(I) - original array to copy */ 7101/* */ 7102/* Allocate memory for a new set of tuneable values and copy everything */ 7103/* from template into the new region of memory. The new region is full of */ 7104/* uninitialised pointers (ipft_next) so set them up. Now, ipftp_offset... */ 7105/* */ 7106/* NOTE: the following assumes that sizeof(long) == sizeof(void *) */ 7107/* In the array template, ipftp_offset is the offset (in bytes) of the */ 7108/* location of the tuneable value inside the structure pointed to by base. */ 7109/* As ipftp_offset is a union over the pointers to the tuneable values, if */ 7110/* we add base to the copy's ipftp_offset, copy ends up with a pointer in */ 7111/* ipftp_void that points to the stored value. */ 7112/* ------------------------------------------------------------------------ */ 7113ipftuneable_t * 7114ipf_tune_array_copy(base, size, template) 7115 void *base; 7116 size_t size; 7117 ipftuneable_t *template; 7118{ 7119 ipftuneable_t *copy; 7120 int i; 7121 7122 7123 KMALLOCS(copy, ipftuneable_t *, size); 7124 if (copy == NULL) { 7125 return NULL; 7126 } 7127 bcopy(template, copy, size); 7128 7129 for (i = 0; copy[i].ipft_name; i++) { 7130 copy[i].ipft_una.ipftp_offset += (u_long)base; 7131 copy[i].ipft_next = copy + i + 1; 7132 } 7133 7134 return copy; 7135} 7136 7137 7138/* ------------------------------------------------------------------------ */ 7139/* Function: ipf_tune_add */ 7140/* Returns: int - 0 == success, else failure */ 7141/* Parameters: newtune - pointer to new tune entry to add to tuneables */ 7142/* */ 7143/* Appends tune structures from the array passed in (newtune) to the end of */ 7144/* the current list of "dynamic" tuneable parameters. Once added, the */ 7145/* owner of the object is not expected to ever change "ipft_next". */ 7146/* ------------------------------------------------------------------------ */ 7147int 7148ipf_tune_add(softc, newtune) 7149 ipf_main_softc_t *softc; 7150 ipftuneable_t *newtune; 7151{ 7152 ipftuneable_t *ta, **tap; 7153 7154 ta = ipf_tune_findbyname(softc->ipf_tuners, newtune->ipft_name); 7155 if (ta != NULL) { 7156 IPFERROR(74); 7157 return EEXIST; 7158 } 7159 7160 for (tap = &softc->ipf_tuners; *tap != NULL; tap = &(*tap)->ipft_next) 7161 ; 7162 7163 newtune->ipft_next = NULL; 7164 *tap = newtune; 7165 return 0; 7166} 7167 7168 7169/* ------------------------------------------------------------------------ */ 7170/* Function: ipf_tune_del */ 7171/* Returns: int - 0 == success, else failure */ 7172/* Parameters: oldtune - pointer to tune entry to remove from the list of */ 7173/* current dynamic tuneables */ 7174/* */ 7175/* Search for the tune structure, by pointer, in the list of those that are */ 7176/* dynamically added at run time. If found, adjust the list so that this */ 7177/* structure is no longer part of it. */ 7178/* ------------------------------------------------------------------------ */ 7179int 7180ipf_tune_del(softc, oldtune) 7181 ipf_main_softc_t *softc; 7182 ipftuneable_t *oldtune; 7183{ 7184 ipftuneable_t *ta, **tap; 7185 int error = 0; 7186 7187 for (tap = &softc->ipf_tuners; (ta = *tap) != NULL; 7188 tap = &ta->ipft_next) { 7189 if (ta == oldtune) { 7190 *tap = oldtune->ipft_next; 7191 oldtune->ipft_next = NULL; 7192 break; 7193 } 7194 } 7195 7196 if (ta == NULL) { 7197 error = ESRCH; 7198 IPFERROR(75); 7199 } 7200 return error; 7201} 7202 7203 7204/* ------------------------------------------------------------------------ */ 7205/* Function: ipf_tune_del_array */ 7206/* Returns: int - 0 == success, else failure */ 7207/* Parameters: oldtune - pointer to tuneables array */ 7208/* */ 7209/* Remove each tuneable entry in the array from the list of "dynamic" */ 7210/* tunables. If one entry should fail to be found, an error will be */ 7211/* returned and no further ones removed. */ 7212/* An entry with a NULL name is used as the indicator of the last entry in */ 7213/* the array. */ 7214/* ------------------------------------------------------------------------ */ 7215int 7216ipf_tune_del_array(softc, oldtune) 7217 ipf_main_softc_t *softc; 7218 ipftuneable_t *oldtune; 7219{ 7220 ipftuneable_t *ot; 7221 int error = 0; 7222 7223 for (ot = oldtune; ot->ipft_name != NULL; ot++) { 7224 error = ipf_tune_del(softc, ot); 7225 if (error != 0) 7226 break; 7227 } 7228 7229 return error; 7230 7231} 7232 7233 7234/* ------------------------------------------------------------------------ */ 7235/* Function: ipf_tune */ 7236/* Returns: int - 0 == success, else failure */ 7237/* Parameters: cmd(I) - ioctl command number */ 7238/* data(I) - pointer to ioctl data structure */ 7239/* */ 7240/* Implement handling of SIOCIPFGETNEXT, SIOCIPFGET and SIOCIPFSET. These */ 7241/* three ioctls provide the means to access and control global variables */ 7242/* within IPFilter, allowing (for example) timeouts and table sizes to be */ 7243/* changed without rebooting, reloading or recompiling. The initialisation */ 7244/* and 'destruction' routines of the various components of ipfilter are all */ 7245/* each responsible for handling their own values being too big. */ 7246/* ------------------------------------------------------------------------ */ 7247int 7248ipf_ipftune(softc, cmd, data) 7249 ipf_main_softc_t *softc; 7250 ioctlcmd_t cmd; 7251 void *data; 7252{ 7253 ipftuneable_t *ta; 7254 ipftune_t tu; 7255 void *cookie; 7256 int error; 7257 7258 error = ipf_inobj(softc, data, NULL, &tu, IPFOBJ_TUNEABLE); 7259 if (error != 0) 7260 return error; 7261 7262 tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0'; 7263 cookie = tu.ipft_cookie; 7264 ta = NULL; 7265 7266 switch (cmd) 7267 { 7268 case SIOCIPFGETNEXT : 7269 /* 7270 * If cookie is non-NULL, assume it to be a pointer to the last 7271 * entry we looked at, so find it (if possible) and return a 7272 * pointer to the next one after it. The last entry in the 7273 * the table is a NULL entry, so when we get to it, set cookie 7274 * to NULL and return that, indicating end of list, erstwhile 7275 * if we come in with cookie set to NULL, we are starting anew 7276 * at the front of the list. 7277 */ 7278 if (cookie != NULL) { 7279 ta = ipf_tune_findbycookie(&softc->ipf_tuners, 7280 cookie, &tu.ipft_cookie); 7281 } else { 7282 ta = softc->ipf_tuners; 7283 tu.ipft_cookie = ta + 1; 7284 } 7285 if (ta != NULL) { 7286 /* 7287 * Entry found, but does the data pointed to by that 7288 * row fit in what we can return? 7289 */ 7290 if (ta->ipft_sz > sizeof(tu.ipft_un)) { 7291 IPFERROR(76); 7292 return EINVAL; 7293 } 7294 7295 tu.ipft_vlong = 0; 7296 if (ta->ipft_sz == sizeof(u_long)) 7297 tu.ipft_vlong = *ta->ipft_plong; 7298 else if (ta->ipft_sz == sizeof(u_int)) 7299 tu.ipft_vint = *ta->ipft_pint; 7300 else if (ta->ipft_sz == sizeof(u_short)) 7301 tu.ipft_vshort = *ta->ipft_pshort; 7302 else if (ta->ipft_sz == sizeof(u_char)) 7303 tu.ipft_vchar = *ta->ipft_pchar; 7304 7305 tu.ipft_sz = ta->ipft_sz; 7306 tu.ipft_min = ta->ipft_min; 7307 tu.ipft_max = ta->ipft_max; 7308 tu.ipft_flags = ta->ipft_flags; 7309 bcopy(ta->ipft_name, tu.ipft_name, 7310 MIN(sizeof(tu.ipft_name), 7311 strlen(ta->ipft_name) + 1)); 7312 } 7313 error = ipf_outobj(softc, data, &tu, IPFOBJ_TUNEABLE); 7314 break; 7315 7316 case SIOCIPFGET : 7317 case SIOCIPFSET : 7318 /* 7319 * Search by name or by cookie value for a particular entry 7320 * in the tuning paramter table. 7321 */ 7322 IPFERROR(77); 7323 error = ESRCH; 7324 if (cookie != NULL) { 7325 ta = ipf_tune_findbycookie(&softc->ipf_tuners, 7326 cookie, NULL); 7327 if (ta != NULL) 7328 error = 0; 7329 } else if (tu.ipft_name[0] != '\0') { 7330 ta = ipf_tune_findbyname(softc->ipf_tuners, 7331 tu.ipft_name); 7332 if (ta != NULL) 7333 error = 0; 7334 } 7335 if (error != 0) 7336 break; 7337 7338 if (cmd == (ioctlcmd_t)SIOCIPFGET) { 7339 /* 7340 * Fetch the tuning parameters for a particular value 7341 */ 7342 tu.ipft_vlong = 0; 7343 if (ta->ipft_sz == sizeof(u_long)) 7344 tu.ipft_vlong = *ta->ipft_plong; 7345 else if (ta->ipft_sz == sizeof(u_int)) 7346 tu.ipft_vint = *ta->ipft_pint; 7347 else if (ta->ipft_sz == sizeof(u_short)) 7348 tu.ipft_vshort = *ta->ipft_pshort; 7349 else if (ta->ipft_sz == sizeof(u_char)) 7350 tu.ipft_vchar = *ta->ipft_pchar; 7351 tu.ipft_cookie = ta; 7352 tu.ipft_sz = ta->ipft_sz; 7353 tu.ipft_min = ta->ipft_min; 7354 tu.ipft_max = ta->ipft_max; 7355 tu.ipft_flags = ta->ipft_flags; 7356 error = ipf_outobj(softc, data, &tu, IPFOBJ_TUNEABLE); 7357 7358 } else if (cmd == (ioctlcmd_t)SIOCIPFSET) { 7359 /* 7360 * Set an internal parameter. The hard part here is 7361 * getting the new value safely and correctly out of 7362 * the kernel (given we only know its size, not type.) 7363 */ 7364 u_long in; 7365 7366 if (((ta->ipft_flags & IPFT_WRDISABLED) != 0) && 7367 (softc->ipf_running > 0)) { 7368 IPFERROR(78); 7369 error = EBUSY; 7370 break; 7371 } 7372 7373 in = tu.ipft_vlong; 7374 if (in < ta->ipft_min || in > ta->ipft_max) { 7375 IPFERROR(79); 7376 error = EINVAL; 7377 break; 7378 } 7379 7380 if (ta->ipft_func != NULL) { 7381 SPL_INT(s); 7382 7383 SPL_NET(s); 7384 error = (*ta->ipft_func)(softc, ta, 7385 &tu.ipft_un); 7386 SPL_X(s); 7387 7388 } else if (ta->ipft_sz == sizeof(u_long)) { 7389 tu.ipft_vlong = *ta->ipft_plong; 7390 *ta->ipft_plong = in; 7391 7392 } else if (ta->ipft_sz == sizeof(u_int)) { 7393 tu.ipft_vint = *ta->ipft_pint; 7394 *ta->ipft_pint = (u_int)(in & 0xffffffff); 7395 7396 } else if (ta->ipft_sz == sizeof(u_short)) { 7397 tu.ipft_vshort = *ta->ipft_pshort; 7398 *ta->ipft_pshort = (u_short)(in & 0xffff); 7399 7400 } else if (ta->ipft_sz == sizeof(u_char)) { 7401 tu.ipft_vchar = *ta->ipft_pchar; 7402 *ta->ipft_pchar = (u_char)(in & 0xff); 7403 } 7404 error = ipf_outobj(softc, data, &tu, IPFOBJ_TUNEABLE); 7405 } 7406 break; 7407 7408 default : 7409 IPFERROR(80); 7410 error = EINVAL; 7411 break; 7412 } 7413 7414 return error; 7415} 7416 7417 7418/* ------------------------------------------------------------------------ */ 7419/* Function: ipf_zerostats */ 7420/* Returns: int - 0 = success, else failure */ 7421/* Parameters: data(O) - pointer to pointer for copying data back to */ 7422/* */ 7423/* Copies the current statistics out to userspace and then zero's the */ 7424/* current ones in the kernel. The lock is only held across the bzero() as */ 7425/* the copyout may result in paging (ie network activity.) */ 7426/* ------------------------------------------------------------------------ */ 7427int 7428ipf_zerostats(softc, data) 7429 ipf_main_softc_t *softc; 7430 caddr_t data; 7431{ 7432 friostat_t fio; 7433 ipfobj_t obj; 7434 int error; 7435 7436 error = ipf_inobj(softc, data, &obj, &fio, IPFOBJ_IPFSTAT); 7437 if (error != 0) 7438 return error; 7439 ipf_getstat(softc, &fio, obj.ipfo_rev); 7440 error = ipf_outobj(softc, data, &fio, IPFOBJ_IPFSTAT); 7441 if (error != 0) 7442 return error; 7443 7444 WRITE_ENTER(&softc->ipf_mutex); 7445 bzero(&softc->ipf_stats, sizeof(softc->ipf_stats)); 7446 RWLOCK_EXIT(&softc->ipf_mutex); 7447 7448 return 0; 7449} 7450 7451 7452/* ------------------------------------------------------------------------ */ 7453/* Function: ipf_resolvedest */ 7454/* Returns: Nil */ 7455/* Parameters: softc(I) - pointer to soft context main structure */ 7456/* base(I) - where strings are stored */ 7457/* fdp(IO) - pointer to destination information to resolve */ 7458/* v(I) - IP protocol version to match */ 7459/* */ 7460/* Looks up an interface name in the frdest structure pointed to by fdp and */ 7461/* if a matching name can be found for the particular IP protocol version */ 7462/* then store the interface pointer in the frdest struct. If no match is */ 7463/* found, then set the interface pointer to be -1 as NULL is considered to */ 7464/* indicate there is no information at all in the structure. */ 7465/* ------------------------------------------------------------------------ */ 7466int 7467ipf_resolvedest(softc, base, fdp, v) 7468 ipf_main_softc_t *softc; 7469 char *base; 7470 frdest_t *fdp; 7471 int v; 7472{ 7473 int errval = 0; 7474 void *ifp; 7475 7476 ifp = NULL; 7477 7478 if (fdp->fd_name != -1) { 7479 if (fdp->fd_type == FRD_DSTLIST) { 7480 ifp = ipf_lookup_res_name(softc, IPL_LOGIPF, 7481 IPLT_DSTLIST, 7482 base + fdp->fd_name, 7483 NULL); 7484 if (ifp == NULL) { 7485 IPFERROR(144); 7486 errval = ESRCH; 7487 } 7488 } else { 7489 ifp = GETIFP(base + fdp->fd_name, v); 7490 if (ifp == NULL) 7491 ifp = (void *)-1; 7492 } 7493 } 7494 fdp->fd_ptr = ifp; 7495 7496 if ((ifp != NULL) && (ifp != (void *)-1)) { 7497 fdp->fd_local = ipf_deliverlocal(softc, v, ifp, &fdp->fd_ip6); 7498 } 7499 7500 return errval; 7501} 7502 7503 7504/* ------------------------------------------------------------------------ */ 7505/* Function: ipf_resolvenic */ 7506/* Returns: void* - NULL = wildcard name, -1 = failed to find NIC, else */ 7507/* pointer to interface structure for NIC */ 7508/* Parameters: softc(I)- pointer to soft context main structure */ 7509/* name(I) - complete interface name */ 7510/* v(I) - IP protocol version */ 7511/* */ 7512/* Look for a network interface structure that firstly has a matching name */ 7513/* to that passed in and that is also being used for that IP protocol */ 7514/* version (necessary on some platforms where there are separate listings */ 7515/* for both IPv4 and IPv6 on the same physical NIC. */ 7516/* ------------------------------------------------------------------------ */ 7517void * 7518ipf_resolvenic(softc, name, v) 7519 ipf_main_softc_t *softc; 7520 char *name; 7521 int v; 7522{ 7523 void *nic; 7524 7525 softc = softc; /* gcc -Wextra */ 7526 if (name[0] == '\0') 7527 return NULL; 7528 7529 if ((name[1] == '\0') && ((name[0] == '-') || (name[0] == '*'))) { 7530 return NULL; 7531 } 7532 7533 nic = GETIFP(name, v); 7534 if (nic == NULL) 7535 nic = (void *)-1; 7536 return nic; 7537} 7538 7539 7540/* ------------------------------------------------------------------------ */ 7541/* Function: ipf_token_expire */ 7542/* Returns: None. */ 7543/* Parameters: softc(I) - pointer to soft context main structure */ 7544/* */ 7545/* This function is run every ipf tick to see if there are any tokens that */ 7546/* have been held for too long and need to be freed up. */ 7547/* ------------------------------------------------------------------------ */ 7548void 7549ipf_token_expire(softc) 7550 ipf_main_softc_t *softc; 7551{ 7552 ipftoken_t *it; 7553 7554 WRITE_ENTER(&softc->ipf_tokens); 7555 while ((it = softc->ipf_token_head) != NULL) { 7556 if (it->ipt_die > softc->ipf_ticks) 7557 break; 7558 7559 ipf_token_deref(softc, it); 7560 } 7561 RWLOCK_EXIT(&softc->ipf_tokens); 7562} 7563 7564 7565/* ------------------------------------------------------------------------ */ 7566/* Function: ipf_token_flush */ 7567/* Returns: None. */ 7568/* Parameters: softc(I) - pointer to soft context main structure */ 7569/* */ 7570/* Loop through all of the existing tokens and call deref to see if they */ 7571/* can be freed. Normally a function like this might just loop on */ 7572/* ipf_token_head but there is a chance that a token might have a ref count */ 7573/* of greater than one and in that case the the reference would drop twice */ 7574/* by code that is only entitled to drop it once. */ 7575/* ------------------------------------------------------------------------ */ 7576static void 7577ipf_token_flush(softc) 7578 ipf_main_softc_t *softc; 7579{ 7580 ipftoken_t *it, *next; 7581 7582 WRITE_ENTER(&softc->ipf_tokens); 7583 for (it = softc->ipf_token_head; it != NULL; it = next) { 7584 next = it->ipt_next; 7585 (void) ipf_token_deref(softc, it); 7586 } 7587 RWLOCK_EXIT(&softc->ipf_tokens); 7588} 7589 7590 7591/* ------------------------------------------------------------------------ */ 7592/* Function: ipf_token_del */ 7593/* Returns: int - 0 = success, else error */ 7594/* Parameters: softc(I)- pointer to soft context main structure */ 7595/* type(I) - the token type to match */ 7596/* uid(I) - uid owning the token */ 7597/* ptr(I) - context pointer for the token */ 7598/* */ 7599/* This function looks for a a token in the current list that matches up */ 7600/* the fields (type, uid, ptr). If none is found, ESRCH is returned, else */ 7601/* call ipf_token_dewref() to remove it from the list. In the event that */ 7602/* the token has a reference held elsewhere, setting ipt_complete to 2 */ 7603/* enables debugging to distinguish between the two paths that ultimately */ 7604/* lead to a token to be deleted. */ 7605/* ------------------------------------------------------------------------ */ 7606int 7607ipf_token_del(softc, type, uid, ptr) 7608 ipf_main_softc_t *softc; 7609 int type, uid; 7610 void *ptr; 7611{ 7612 ipftoken_t *it; 7613 int error; 7614 7615 IPFERROR(82); 7616 error = ESRCH; 7617 7618 WRITE_ENTER(&softc->ipf_tokens); 7619 for (it = softc->ipf_token_head; it != NULL; it = it->ipt_next) { 7620 if (ptr == it->ipt_ctx && type == it->ipt_type && 7621 uid == it->ipt_uid) { 7622 it->ipt_complete = 2; 7623 ipf_token_deref(softc, it); 7624 error = 0; 7625 break; 7626 } 7627 } 7628 RWLOCK_EXIT(&softc->ipf_tokens); 7629 7630 return error; 7631} 7632 7633 7634/* ------------------------------------------------------------------------ */ 7635/* Function: ipf_token_mark_complete */ 7636/* Returns: None. */ 7637/* Parameters: token(I) - pointer to token structure */ 7638/* */ 7639/* Mark a token as being ineligable for being found with ipf_token_find. */ 7640/* ------------------------------------------------------------------------ */ 7641void 7642ipf_token_mark_complete(token) 7643 ipftoken_t *token; 7644{ 7645 if (token->ipt_complete == 0) 7646 token->ipt_complete = 1; 7647} 7648 7649 7650/* ------------------------------------------------------------------------ */ 7651/* Function: ipf_token_find */ 7652/* Returns: ipftoken_t * - NULL if no memory, else pointer to token */ 7653/* Parameters: softc(I)- pointer to soft context main structure */ 7654/* type(I) - the token type to match */ 7655/* uid(I) - uid owning the token */ 7656/* ptr(I) - context pointer for the token */ 7657/* */ 7658/* This function looks for a live token in the list of current tokens that */ 7659/* matches the tuple (type, uid, ptr). If one cannot be found then one is */ 7660/* allocated. If one is found then it is moved to the top of the list of */ 7661/* currently active tokens. */ 7662/* ------------------------------------------------------------------------ */ 7663ipftoken_t * 7664ipf_token_find(softc, type, uid, ptr) 7665 ipf_main_softc_t *softc; 7666 int type, uid; 7667 void *ptr; 7668{ 7669 ipftoken_t *it, *new; 7670 7671 KMALLOC(new, ipftoken_t *); 7672 if (new != NULL) 7673 bzero((char *)new, sizeof(*new)); 7674 7675 WRITE_ENTER(&softc->ipf_tokens); 7676 for (it = softc->ipf_token_head; it != NULL; it = it->ipt_next) { 7677 if ((ptr == it->ipt_ctx) && (type == it->ipt_type) && 7678 (uid == it->ipt_uid) && (it->ipt_complete < 2)) 7679 break; 7680 } 7681 7682 if (it == NULL) { 7683 it = new; 7684 new = NULL; 7685 if (it == NULL) { 7686 RWLOCK_EXIT(&softc->ipf_tokens); 7687 return NULL; 7688 } 7689 it->ipt_ctx = ptr; 7690 it->ipt_uid = uid; 7691 it->ipt_type = type; 7692 it->ipt_ref = 1; 7693 } else { 7694 if (new != NULL) { 7695 KFREE(new); 7696 new = NULL; 7697 } 7698 7699 if (it->ipt_complete > 0) 7700 it = NULL; 7701 else 7702 ipf_token_unlink(softc, it); 7703 } 7704 7705 if (it != NULL) { 7706 it->ipt_pnext = softc->ipf_token_tail; 7707 *softc->ipf_token_tail = it; 7708 softc->ipf_token_tail = &it->ipt_next; 7709 it->ipt_next = NULL; 7710 it->ipt_ref++; 7711 7712 it->ipt_die = softc->ipf_ticks + 20; 7713 } 7714 7715 RWLOCK_EXIT(&softc->ipf_tokens); 7716 7717 return it; 7718} 7719 7720 7721/* ------------------------------------------------------------------------ */ 7722/* Function: ipf_token_unlink */ 7723/* Returns: None. */ 7724/* Parameters: softc(I) - pointer to soft context main structure */ 7725/* token(I) - pointer to token structure */ 7726/* Write Locks: ipf_tokens */ 7727/* */ 7728/* This function unlinks a token structure from the linked list of tokens */ 7729/* that "own" it. The head pointer never needs to be explicitly adjusted */ 7730/* but the tail does due to the linked list implementation. */ 7731/* ------------------------------------------------------------------------ */ 7732static void 7733ipf_token_unlink(softc, token) 7734 ipf_main_softc_t *softc; 7735 ipftoken_t *token; 7736{ 7737 7738 if (softc->ipf_token_tail == &token->ipt_next) 7739 softc->ipf_token_tail = token->ipt_pnext; 7740 7741 *token->ipt_pnext = token->ipt_next; 7742 if (token->ipt_next != NULL) 7743 token->ipt_next->ipt_pnext = token->ipt_pnext; 7744 token->ipt_next = NULL; 7745 token->ipt_pnext = NULL; 7746} 7747 7748 7749/* ------------------------------------------------------------------------ */ 7750/* Function: ipf_token_deref */ 7751/* Returns: int - 0 == token freed, else reference count */ 7752/* Parameters: softc(I) - pointer to soft context main structure */ 7753/* token(I) - pointer to token structure */ 7754/* Write Locks: ipf_tokens */ 7755/* */ 7756/* Drop the reference count on the token structure and if it drops to zero, */ 7757/* call the dereference function for the token type because it is then */ 7758/* possible to free the token data structure. */ 7759/* ------------------------------------------------------------------------ */ 7760int 7761ipf_token_deref(softc, token) 7762 ipf_main_softc_t *softc; 7763 ipftoken_t *token; 7764{ 7765 void *data, **datap; 7766 7767 ASSERT(token->ipt_ref > 0); 7768 token->ipt_ref--; 7769 if (token->ipt_ref > 0) 7770 return token->ipt_ref; 7771 7772 data = token->ipt_data; 7773 datap = &data; 7774 7775 if ((data != NULL) && (data != (void *)-1)) { 7776 switch (token->ipt_type) 7777 { 7778 case IPFGENITER_IPF : 7779 (void) ipf_derefrule(softc, (frentry_t **)datap); 7780 break; 7781 case IPFGENITER_IPNAT : 7782 WRITE_ENTER(&softc->ipf_nat); 7783 ipf_nat_rule_deref(softc, (ipnat_t **)datap); 7784 RWLOCK_EXIT(&softc->ipf_nat); 7785 break; 7786 case IPFGENITER_NAT : 7787 ipf_nat_deref(softc, (nat_t **)datap); 7788 break; 7789 case IPFGENITER_STATE : 7790 ipf_state_deref(softc, (ipstate_t **)datap); 7791 break; 7792 case IPFGENITER_FRAG : 7793 ipf_frag_pkt_deref(softc, (ipfr_t **)datap); 7794 break; 7795 case IPFGENITER_NATFRAG : 7796 ipf_frag_nat_deref(softc, (ipfr_t **)datap); 7797 break; 7798 case IPFGENITER_HOSTMAP : 7799 WRITE_ENTER(&softc->ipf_nat); 7800 ipf_nat_hostmapdel(softc, (hostmap_t **)datap); 7801 RWLOCK_EXIT(&softc->ipf_nat); 7802 break; 7803 default : 7804 ipf_lookup_iterderef(softc, token->ipt_type, data); 7805 break; 7806 } 7807 } 7808 7809 ipf_token_unlink(softc, token); 7810 KFREE(token); 7811 return 0; 7812} 7813 7814 7815/* ------------------------------------------------------------------------ */ 7816/* Function: ipf_nextrule */ 7817/* Returns: frentry_t * - NULL == no more rules, else pointer to next */ 7818/* Parameters: softc(I) - pointer to soft context main structure */ 7819/* fr(I) - pointer to filter rule */ 7820/* out(I) - 1 == out rules, 0 == input rules */ 7821/* */ 7822/* Starting with "fr", find the next rule to visit. This includes visiting */ 7823/* the list of rule groups if either fr is NULL (empty list) or it is the */ 7824/* last rule in the list. When walking rule lists, it is either input or */ 7825/* output rules that are returned, never both. */ 7826/* ------------------------------------------------------------------------ */ 7827static frentry_t * 7828ipf_nextrule(softc, active, unit, fr, out) 7829 ipf_main_softc_t *softc; 7830 int active, unit; 7831 frentry_t *fr; 7832 int out; 7833{ 7834 frentry_t *next; 7835 frgroup_t *fg; 7836 7837 if (fr != NULL && fr->fr_group != -1) { 7838 fg = ipf_findgroup(softc, fr->fr_names + fr->fr_group, 7839 unit, active, NULL); 7840 if (fg != NULL) 7841 fg = fg->fg_next; 7842 } else { 7843 fg = softc->ipf_groups[unit][active]; 7844 } 7845 7846 while (fg != NULL) { 7847 next = fg->fg_start; 7848 while (next != NULL) { 7849 if (out) { 7850 if (next->fr_flags & FR_OUTQUE) 7851 return next; 7852 } else if (next->fr_flags & FR_INQUE) { 7853 return next; 7854 } 7855 next = next->fr_next; 7856 } 7857 if (next == NULL) 7858 fg = fg->fg_next; 7859 } 7860 7861 return NULL; 7862} 7863 7864/* ------------------------------------------------------------------------ */ 7865/* Function: ipf_getnextrule */ 7866/* Returns: int - 0 = success, else error */ 7867/* Parameters: softc(I)- pointer to soft context main structure */ 7868/* t(I) - pointer to destination information to resolve */ 7869/* ptr(I) - pointer to ipfobj_t to copyin from user space */ 7870/* */ 7871/* This function's first job is to bring in the ipfruleiter_t structure via */ 7872/* the ipfobj_t structure to determine what should be the next rule to */ 7873/* return. Once the ipfruleiter_t has been brought in, it then tries to */ 7874/* find the 'next rule'. This may include searching rule group lists or */ 7875/* just be as simple as looking at the 'next' field in the rule structure. */ 7876/* When we have found the rule to return, increase its reference count and */ 7877/* if we used an existing rule to get here, decrease its reference count. */ 7878/* ------------------------------------------------------------------------ */ 7879int 7880ipf_getnextrule(softc, t, ptr) 7881 ipf_main_softc_t *softc; 7882 ipftoken_t *t; 7883 void *ptr; 7884{ 7885 frentry_t *fr, *next, zero; 7886 ipfruleiter_t it; 7887 int error, out; 7888 frgroup_t *fg; 7889 ipfobj_t obj; 7890 int predict; 7891 char *dst; 7892 int unit; 7893 7894 if (t == NULL || ptr == NULL) { 7895 IPFERROR(84); 7896 return EFAULT; 7897 } 7898 7899 error = ipf_inobj(softc, ptr, &obj, &it, IPFOBJ_IPFITER); 7900 if (error != 0) 7901 return error; 7902 7903 if ((it.iri_inout < 0) || (it.iri_inout > 3)) { 7904 IPFERROR(85); 7905 return EINVAL; 7906 } 7907 if ((it.iri_active != 0) && (it.iri_active != 1)) { 7908 IPFERROR(86); 7909 return EINVAL; 7910 } 7911 if (it.iri_nrules == 0) { 7912 IPFERROR(87); 7913 return ENOSPC; 7914 } 7915 if (it.iri_rule == NULL) { 7916 IPFERROR(88); 7917 return EFAULT; 7918 } 7919 7920 fg = NULL; 7921 fr = t->ipt_data; 7922 if ((it.iri_inout & F_OUT) != 0) 7923 out = 1; 7924 else 7925 out = 0; 7926 if ((it.iri_inout & F_ACIN) != 0) 7927 unit = IPL_LOGCOUNT; 7928 else 7929 unit = IPL_LOGIPF; 7930 7931 READ_ENTER(&softc->ipf_mutex); 7932 if (fr == NULL) { 7933 if (*it.iri_group == '\0') { 7934 if (unit == IPL_LOGCOUNT) { 7935 next = softc->ipf_acct[out][it.iri_active]; 7936 } else { 7937 next = softc->ipf_rules[out][it.iri_active]; 7938 } 7939 if (next == NULL) 7940 next = ipf_nextrule(softc, it.iri_active, 7941 unit, NULL, out); 7942 } else { 7943 fg = ipf_findgroup(softc, it.iri_group, unit, 7944 it.iri_active, NULL); 7945 if (fg != NULL) 7946 next = fg->fg_start; 7947 else 7948 next = NULL; 7949 } 7950 } else { 7951 next = fr->fr_next; 7952 if (next == NULL) 7953 next = ipf_nextrule(softc, it.iri_active, unit, 7954 fr, out); 7955 } 7956 7957 if (next != NULL && next->fr_next != NULL) 7958 predict = 1; 7959 else if (ipf_nextrule(softc, it.iri_active, unit, next, out) != NULL) 7960 predict = 1; 7961 else 7962 predict = 0; 7963 7964 if (fr != NULL) 7965 (void) ipf_derefrule(softc, &fr); 7966 7967 obj.ipfo_type = IPFOBJ_FRENTRY; 7968 dst = (char *)it.iri_rule; 7969 7970 if (next != NULL) { 7971 obj.ipfo_size = next->fr_size; 7972 MUTEX_ENTER(&next->fr_lock); 7973 next->fr_ref++; 7974 MUTEX_EXIT(&next->fr_lock); 7975 t->ipt_data = next; 7976 } else { 7977 obj.ipfo_size = sizeof(frentry_t); 7978 bzero(&zero, sizeof(zero)); 7979 next = &zero; 7980 t->ipt_data = NULL; 7981 } 7982 it.iri_rule = predict ? next : NULL; 7983 if (predict == 0) 7984 ipf_token_mark_complete(t); 7985 7986 RWLOCK_EXIT(&softc->ipf_mutex); 7987 7988 obj.ipfo_ptr = dst; 7989 error = ipf_outobjk(softc, &obj, next); 7990 if (error == 0 && t->ipt_data != NULL) { 7991 dst += obj.ipfo_size; 7992 if (next->fr_data != NULL) { 7993 ipfobj_t dobj; 7994 7995 if (next->fr_type == FR_T_IPFEXPR) 7996 dobj.ipfo_type = IPFOBJ_IPFEXPR; 7997 else 7998 dobj.ipfo_type = IPFOBJ_FRIPF; 7999 dobj.ipfo_size = next->fr_dsize; 8000 dobj.ipfo_rev = obj.ipfo_rev; 8001 dobj.ipfo_ptr = dst; 8002 error = ipf_outobjk(softc, &dobj, next->fr_data); 8003 } 8004 } 8005 8006 if ((fr != NULL) && (next == &zero)) 8007 (void) ipf_derefrule(softc, &fr); 8008 8009 return error; 8010} 8011 8012 8013/* ------------------------------------------------------------------------ */ 8014/* Function: ipf_frruleiter */ 8015/* Returns: int - 0 = success, else error */ 8016/* Parameters: softc(I)- pointer to soft context main structure */ 8017/* data(I) - the token type to match */ 8018/* uid(I) - uid owning the token */ 8019/* ptr(I) - context pointer for the token */ 8020/* */ 8021/* This function serves as a stepping stone between ipf_ipf_ioctl and */ 8022/* ipf_getnextrule. It's role is to find the right token in the kernel for */ 8023/* the process doing the ioctl and use that to ask for the next rule. */ 8024/* ------------------------------------------------------------------------ */ 8025static int 8026ipf_frruleiter(softc, data, uid, ctx) 8027 ipf_main_softc_t *softc; 8028 void *data, *ctx; 8029 int uid; 8030{ 8031 ipftoken_t *token; 8032 ipfruleiter_t it; 8033 ipfobj_t obj; 8034 int error; 8035 8036 token = ipf_token_find(softc, IPFGENITER_IPF, uid, ctx); 8037 if (token != NULL) { 8038 error = ipf_getnextrule(softc, token, data); 8039 WRITE_ENTER(&softc->ipf_tokens); 8040 ipf_token_deref(softc, token); 8041 RWLOCK_EXIT(&softc->ipf_tokens); 8042 } else { 8043 error = ipf_inobj(softc, data, &obj, &it, IPFOBJ_IPFITER); 8044 if (error != 0) 8045 return error; 8046 it.iri_rule = NULL; 8047 error = ipf_outobj(softc, data, &it, IPFOBJ_IPFITER); 8048 } 8049 8050 return error; 8051} 8052 8053 8054/* ------------------------------------------------------------------------ */ 8055/* Function: ipf_geniter */ 8056/* Returns: int - 0 = success, else error */ 8057/* Parameters: softc(I) - pointer to soft context main structure */ 8058/* token(I) - pointer to ipftoken_t structure */ 8059/* itp(I) - pointer to iterator data */ 8060/* */ 8061/* Decide which iterator function to call using information passed through */ 8062/* the ipfgeniter_t structure at itp. */ 8063/* ------------------------------------------------------------------------ */ 8064static int 8065ipf_geniter(softc, token, itp) 8066 ipf_main_softc_t *softc; 8067 ipftoken_t *token; 8068 ipfgeniter_t *itp; 8069{ 8070 int error; 8071 8072 switch (itp->igi_type) 8073 { 8074 case IPFGENITER_FRAG : 8075 error = ipf_frag_pkt_next(softc, token, itp); 8076 break; 8077 default : 8078 IPFERROR(92); 8079 error = EINVAL; 8080 break; 8081 } 8082 8083 return error; 8084} 8085 8086 8087/* ------------------------------------------------------------------------ */ 8088/* Function: ipf_genericiter */ 8089/* Returns: int - 0 = success, else error */ 8090/* Parameters: softc(I)- pointer to soft context main structure */ 8091/* data(I) - the token type to match */ 8092/* uid(I) - uid owning the token */ 8093/* ptr(I) - context pointer for the token */ 8094/* */ 8095/* Handle the SIOCGENITER ioctl for the ipfilter device. The primary role */ 8096/* ------------------------------------------------------------------------ */ 8097int 8098ipf_genericiter(softc, data, uid, ctx) 8099 ipf_main_softc_t *softc; 8100 void *data, *ctx; 8101 int uid; 8102{ 8103 ipftoken_t *token; 8104 ipfgeniter_t iter; 8105 int error; 8106 8107 error = ipf_inobj(softc, data, NULL, &iter, IPFOBJ_GENITER); 8108 if (error != 0) 8109 return error; 8110 8111 token = ipf_token_find(softc, iter.igi_type, uid, ctx); 8112 if (token != NULL) { 8113 token->ipt_subtype = iter.igi_type; 8114 error = ipf_geniter(softc, token, &iter); 8115 WRITE_ENTER(&softc->ipf_tokens); 8116 ipf_token_deref(softc, token); 8117 RWLOCK_EXIT(&softc->ipf_tokens); 8118 } else { 8119 IPFERROR(93); 8120 error = 0; 8121 } 8122 8123 return error; 8124} 8125 8126 8127/* ------------------------------------------------------------------------ */ 8128/* Function: ipf_ipf_ioctl */ 8129/* Returns: int - 0 = success, else error */ 8130/* Parameters: softc(I)- pointer to soft context main structure */ 8131/* data(I) - the token type to match */ 8132/* cmd(I) - the ioctl command number */ 8133/* mode(I) - mode flags for the ioctl */ 8134/* uid(I) - uid owning the token */ 8135/* ptr(I) - context pointer for the token */ 8136/* */ 8137/* This function handles all of the ioctl command that are actually isssued */ 8138/* to the /dev/ipl device. */ 8139/* ------------------------------------------------------------------------ */ 8140int 8141ipf_ipf_ioctl(softc, data, cmd, mode, uid, ctx) 8142 ipf_main_softc_t *softc; 8143 caddr_t data; 8144 ioctlcmd_t cmd; 8145 int mode, uid; 8146 void *ctx; 8147{ 8148 friostat_t fio; 8149 int error, tmp; 8150 ipfobj_t obj; 8151 SPL_INT(s); 8152 8153 switch (cmd) 8154 { 8155 case SIOCFRENB : 8156 if (!(mode & FWRITE)) { 8157 IPFERROR(94); 8158 error = EPERM; 8159 } else { 8160 error = BCOPYIN(data, &tmp, sizeof(tmp)); 8161 if (error != 0) { 8162 IPFERROR(95); 8163 error = EFAULT; 8164 break; 8165 } 8166 8167 WRITE_ENTER(&softc->ipf_global); 8168 if (tmp) { 8169 if (softc->ipf_running > 0) 8170 error = 0; 8171 else 8172 error = ipfattach(softc); 8173 if (error == 0) 8174 softc->ipf_running = 1; 8175 else 8176 (void) ipfdetach(softc); 8177 } else { 8178 if (softc->ipf_running == 1) 8179 error = ipfdetach(softc); 8180 else 8181 error = 0; 8182 if (error == 0) 8183 softc->ipf_running = -1; 8184 } 8185 RWLOCK_EXIT(&softc->ipf_global); 8186 } 8187 break; 8188 8189 case SIOCIPFSET : 8190 if (!(mode & FWRITE)) { 8191 IPFERROR(96); 8192 error = EPERM; 8193 break; 8194 } 8195 /* FALLTHRU */ 8196 case SIOCIPFGETNEXT : 8197 case SIOCIPFGET : 8198 error = ipf_ipftune(softc, cmd, (void *)data); 8199 break; 8200 8201 case SIOCSETFF : 8202 if (!(mode & FWRITE)) { 8203 IPFERROR(97); 8204 error = EPERM; 8205 } else { 8206 error = BCOPYIN(data, &softc->ipf_flags, 8207 sizeof(softc->ipf_flags)); 8208 if (error != 0) { 8209 IPFERROR(98); 8210 error = EFAULT; 8211 } 8212 } 8213 break; 8214 8215 case SIOCGETFF : 8216 error = BCOPYOUT(&softc->ipf_flags, data, 8217 sizeof(softc->ipf_flags)); 8218 if (error != 0) { 8219 IPFERROR(99); 8220 error = EFAULT; 8221 } 8222 break; 8223 8224 case SIOCFUNCL : 8225 error = ipf_resolvefunc(softc, (void *)data); 8226 break; 8227 8228 case SIOCINAFR : 8229 case SIOCRMAFR : 8230 case SIOCADAFR : 8231 case SIOCZRLST : 8232 if (!(mode & FWRITE)) { 8233 IPFERROR(100); 8234 error = EPERM; 8235 } else { 8236 error = frrequest(softc, IPL_LOGIPF, cmd, (caddr_t)data, 8237 softc->ipf_active, 1); 8238 } 8239 break; 8240 8241 case SIOCINIFR : 8242 case SIOCRMIFR : 8243 case SIOCADIFR : 8244 if (!(mode & FWRITE)) { 8245 IPFERROR(101); 8246 error = EPERM; 8247 } else { 8248 error = frrequest(softc, IPL_LOGIPF, cmd, (caddr_t)data, 8249 1 - softc->ipf_active, 1); 8250 } 8251 break; 8252 8253 case SIOCSWAPA : 8254 if (!(mode & FWRITE)) { 8255 IPFERROR(102); 8256 error = EPERM; 8257 } else { 8258 WRITE_ENTER(&softc->ipf_mutex); 8259 error = BCOPYOUT(&softc->ipf_active, data, 8260 sizeof(softc->ipf_active)); 8261 if (error != 0) { 8262 IPFERROR(103); 8263 error = EFAULT; 8264 } else { 8265 softc->ipf_active = 1 - softc->ipf_active; 8266 } 8267 RWLOCK_EXIT(&softc->ipf_mutex); 8268 } 8269 break; 8270 8271 case SIOCGETFS : 8272 error = ipf_inobj(softc, (void *)data, &obj, &fio, 8273 IPFOBJ_IPFSTAT); 8274 if (error != 0) 8275 break; 8276 ipf_getstat(softc, &fio, obj.ipfo_rev); 8277 error = ipf_outobj(softc, (void *)data, &fio, IPFOBJ_IPFSTAT); 8278 break; 8279 8280 case SIOCFRZST : 8281 if (!(mode & FWRITE)) { 8282 IPFERROR(104); 8283 error = EPERM; 8284 } else 8285 error = ipf_zerostats(softc, (caddr_t)data); 8286 break; 8287 8288 case SIOCIPFFL : 8289 if (!(mode & FWRITE)) { 8290 IPFERROR(105); 8291 error = EPERM; 8292 } else { 8293 error = BCOPYIN(data, &tmp, sizeof(tmp)); 8294 if (!error) { 8295 tmp = ipf_flush(softc, IPL_LOGIPF, tmp); 8296 error = BCOPYOUT(&tmp, data, sizeof(tmp)); 8297 if (error != 0) { 8298 IPFERROR(106); 8299 error = EFAULT; 8300 } 8301 } else { 8302 IPFERROR(107); 8303 error = EFAULT; 8304 } 8305 } 8306 break; 8307 8308#ifdef USE_INET6 8309 case SIOCIPFL6 : 8310 if (!(mode & FWRITE)) { 8311 IPFERROR(108); 8312 error = EPERM; 8313 } else { 8314 error = BCOPYIN(data, &tmp, sizeof(tmp)); 8315 if (!error) { 8316 tmp = ipf_flush(softc, IPL_LOGIPF, tmp); 8317 error = BCOPYOUT(&tmp, data, sizeof(tmp)); 8318 if (error != 0) { 8319 IPFERROR(109); 8320 error = EFAULT; 8321 } 8322 } else { 8323 IPFERROR(110); 8324 error = EFAULT; 8325 } 8326 } 8327 break; 8328#endif 8329 8330 case SIOCSTLCK : 8331 if (!(mode & FWRITE)) { 8332 IPFERROR(122); 8333 error = EPERM; 8334 } else { 8335 error = BCOPYIN(data, &tmp, sizeof(tmp)); 8336 if (error == 0) { 8337 ipf_state_setlock(softc->ipf_state_soft, tmp); 8338 ipf_nat_setlock(softc->ipf_nat_soft, tmp); 8339 ipf_frag_setlock(softc->ipf_frag_soft, tmp); 8340 ipf_auth_setlock(softc->ipf_auth_soft, tmp); 8341 } else { 8342 IPFERROR(111); 8343 error = EFAULT; 8344 } 8345 } 8346 break; 8347 8348#ifdef IPFILTER_LOG 8349 case SIOCIPFFB : 8350 if (!(mode & FWRITE)) { 8351 IPFERROR(112); 8352 error = EPERM; 8353 } else { 8354 tmp = ipf_log_clear(softc, IPL_LOGIPF); 8355 error = BCOPYOUT(&tmp, data, sizeof(tmp)); 8356 if (error) { 8357 IPFERROR(113); 8358 error = EFAULT; 8359 } 8360 } 8361 break; 8362#endif /* IPFILTER_LOG */ 8363 8364 case SIOCFRSYN : 8365 if (!(mode & FWRITE)) { 8366 IPFERROR(114); 8367 error = EPERM; 8368 } else { 8369 WRITE_ENTER(&softc->ipf_global); 8370#if (defined(MENTAT) && defined(_KERNEL)) && !defined(INSTANCES) 8371 error = ipfsync(); 8372#else 8373 ipf_sync(softc, NULL); 8374 error = 0; 8375#endif 8376 RWLOCK_EXIT(&softc->ipf_global); 8377 8378 } 8379 break; 8380 8381 case SIOCGFRST : 8382 error = ipf_outobj(softc, (void *)data, 8383 ipf_frag_stats(softc->ipf_frag_soft), 8384 IPFOBJ_FRAGSTAT); 8385 break; 8386 8387#ifdef IPFILTER_LOG 8388 case FIONREAD : 8389 tmp = ipf_log_bytesused(softc, IPL_LOGIPF); 8390 error = BCOPYOUT(&tmp, data, sizeof(tmp)); 8391 break; 8392#endif 8393 8394 case SIOCIPFITER : 8395 SPL_SCHED(s); 8396 error = ipf_frruleiter(softc, data, uid, ctx); 8397 SPL_X(s); 8398 break; 8399 8400 case SIOCGENITER : 8401 SPL_SCHED(s); 8402 error = ipf_genericiter(softc, data, uid, ctx); 8403 SPL_X(s); 8404 break; 8405 8406 case SIOCIPFDELTOK : 8407 error = BCOPYIN(data, &tmp, sizeof(tmp)); 8408 if (error == 0) { 8409 SPL_SCHED(s); 8410 error = ipf_token_del(softc, tmp, uid, ctx); 8411 SPL_X(s); 8412 } 8413 break; 8414 8415 default : 8416 IPFERROR(115); 8417 error = EINVAL; 8418 break; 8419 } 8420 8421 return error; 8422} 8423 8424 8425/* ------------------------------------------------------------------------ */ 8426/* Function: ipf_decaps */ 8427/* Returns: int - -1 == decapsulation failed, else bit mask of */ 8428/* flags indicating packet filtering decision. */ 8429/* Parameters: fin(I) - pointer to packet information */ 8430/* pass(I) - IP protocol version to match */ 8431/* l5proto(I) - layer 5 protocol to decode UDP data as. */ 8432/* */ 8433/* This function is called for packets that are wrapt up in other packets, */ 8434/* for example, an IP packet that is the entire data segment for another IP */ 8435/* packet. If the basic constraints for this are satisfied, change the */ 8436/* buffer to point to the start of the inner packet and start processing */ 8437/* rules belonging to the head group this rule specifies. */ 8438/* ------------------------------------------------------------------------ */ 8439u_32_t 8440ipf_decaps(fin, pass, l5proto) 8441 fr_info_t *fin; 8442 u_32_t pass; 8443 int l5proto; 8444{ 8445 fr_info_t fin2, *fino = NULL; 8446 int elen, hlen, nh; 8447 grehdr_t gre; 8448 ip_t *ip; 8449 mb_t *m; 8450 8451 if ((fin->fin_flx & FI_COALESCE) == 0) 8452 if (ipf_coalesce(fin) == -1) 8453 goto cantdecaps; 8454 8455 m = fin->fin_m; 8456 hlen = fin->fin_hlen; 8457 8458 switch (fin->fin_p) 8459 { 8460 case IPPROTO_UDP : 8461 /* 8462 * In this case, the specific protocol being decapsulated 8463 * inside UDP frames comes from the rule. 8464 */ 8465 nh = fin->fin_fr->fr_icode; 8466 break; 8467 8468 case IPPROTO_GRE : /* 47 */ 8469 bcopy(fin->fin_dp, (char *)&gre, sizeof(gre)); 8470 hlen += sizeof(grehdr_t); 8471 if (gre.gr_R|gre.gr_s) 8472 goto cantdecaps; 8473 if (gre.gr_C) 8474 hlen += 4; 8475 if (gre.gr_K) 8476 hlen += 4; 8477 if (gre.gr_S) 8478 hlen += 4; 8479 8480 nh = IPPROTO_IP; 8481 8482 /* 8483 * If the routing options flag is set, validate that it is 8484 * there and bounce over it. 8485 */ 8486#if 0 8487 /* This is really heavy weight and lots of room for error, */ 8488 /* so for now, put it off and get the simple stuff right. */ 8489 if (gre.gr_R) { 8490 u_char off, len, *s; 8491 u_short af; 8492 int end; 8493 8494 end = 0; 8495 s = fin->fin_dp; 8496 s += hlen; 8497 aplen = fin->fin_plen - hlen; 8498 while (aplen > 3) { 8499 af = (s[0] << 8) | s[1]; 8500 off = s[2]; 8501 len = s[3]; 8502 aplen -= 4; 8503 s += 4; 8504 if (af == 0 && len == 0) { 8505 end = 1; 8506 break; 8507 } 8508 if (aplen < len) 8509 break; 8510 s += len; 8511 aplen -= len; 8512 } 8513 if (end != 1) 8514 goto cantdecaps; 8515 hlen = s - (u_char *)fin->fin_dp; 8516 } 8517#endif 8518 break; 8519 8520#ifdef IPPROTO_IPIP 8521 case IPPROTO_IPIP : /* 4 */ 8522#endif 8523 nh = IPPROTO_IP; 8524 break; 8525 8526 default : /* Includes ESP, AH is special for IPv4 */ 8527 goto cantdecaps; 8528 } 8529 8530 switch (nh) 8531 { 8532 case IPPROTO_IP : 8533 case IPPROTO_IPV6 : 8534 break; 8535 default : 8536 goto cantdecaps; 8537 } 8538 8539 bcopy((char *)fin, (char *)&fin2, sizeof(fin2)); 8540 fino = fin; 8541 fin = &fin2; 8542 elen = hlen; 8543#if defined(MENTAT) && defined(_KERNEL) 8544 m->b_rptr += elen; 8545#else 8546 m->m_data += elen; 8547 m->m_len -= elen; 8548#endif 8549 fin->fin_plen -= elen; 8550 8551 ip = (ip_t *)((char *)fin->fin_ip + elen); 8552 8553 /* 8554 * Make sure we have at least enough data for the network layer 8555 * header. 8556 */ 8557 if (IP_V(ip) == 4) 8558 hlen = IP_HL(ip) << 2; 8559#ifdef USE_INET6 8560 else if (IP_V(ip) == 6) 8561 hlen = sizeof(ip6_t); 8562#endif 8563 else 8564 goto cantdecaps2; 8565 8566 if (fin->fin_plen < hlen) 8567 goto cantdecaps2; 8568 8569 fin->fin_dp = (char *)ip + hlen; 8570 8571 if (IP_V(ip) == 4) { 8572 /* 8573 * Perform IPv4 header checksum validation. 8574 */ 8575 if (ipf_cksum((u_short *)ip, hlen)) 8576 goto cantdecaps2; 8577 } 8578 8579 if (ipf_makefrip(hlen, ip, fin) == -1) { 8580cantdecaps2: 8581 if (m != NULL) { 8582#if defined(MENTAT) && defined(_KERNEL) 8583 m->b_rptr -= elen; 8584#else 8585 m->m_data -= elen; 8586 m->m_len += elen; 8587#endif 8588 } 8589cantdecaps: 8590 DT1(frb_decapfrip, fr_info_t *, fin); 8591 pass &= ~FR_CMDMASK; 8592 pass |= FR_BLOCK|FR_QUICK; 8593 fin->fin_reason = FRB_DECAPFRIP; 8594 return -1; 8595 } 8596 8597 pass = ipf_scanlist(fin, pass); 8598 8599 /* 8600 * Copy the packet filter "result" fields out of the fr_info_t struct 8601 * that is local to the decapsulation processing and back into the 8602 * one we were called with. 8603 */ 8604 fino->fin_flx = fin->fin_flx; 8605 fino->fin_rev = fin->fin_rev; 8606 fino->fin_icode = fin->fin_icode; 8607 fino->fin_rule = fin->fin_rule; 8608 (void) strncpy(fino->fin_group, fin->fin_group, FR_GROUPLEN); 8609 fino->fin_fr = fin->fin_fr; 8610 fino->fin_error = fin->fin_error; 8611 fino->fin_mp = fin->fin_mp; 8612 fino->fin_m = fin->fin_m; 8613 m = fin->fin_m; 8614 if (m != NULL) { 8615#if defined(MENTAT) && defined(_KERNEL) 8616 m->b_rptr -= elen; 8617#else 8618 m->m_data -= elen; 8619 m->m_len += elen; 8620#endif 8621 } 8622 return pass; 8623} 8624 8625 8626/* ------------------------------------------------------------------------ */ 8627/* Function: ipf_matcharray_load */ 8628/* Returns: int - 0 = success, else error */ 8629/* Parameters: softc(I) - pointer to soft context main structure */ 8630/* data(I) - pointer to ioctl data */ 8631/* objp(I) - ipfobj_t structure to load data into */ 8632/* arrayptr(I) - pointer to location to store array pointer */ 8633/* */ 8634/* This function loads in a mathing array through the ipfobj_t struct that */ 8635/* describes it. Sanity checking and array size limitations are enforced */ 8636/* in this function to prevent userspace from trying to load in something */ 8637/* that is insanely big. Once the size of the array is known, the memory */ 8638/* required is malloc'd and returned through changing *arrayptr. The */ 8639/* contents of the array are verified before returning. Only in the event */ 8640/* of a successful call is the caller required to free up the malloc area. */ 8641/* ------------------------------------------------------------------------ */ 8642int 8643ipf_matcharray_load(softc, data, objp, arrayptr) 8644 ipf_main_softc_t *softc; 8645 caddr_t data; 8646 ipfobj_t *objp; 8647 int **arrayptr; 8648{ 8649 int arraysize, *array, error; 8650 8651 *arrayptr = NULL; 8652 8653 error = BCOPYIN(data, objp, sizeof(*objp)); 8654 if (error != 0) { 8655 IPFERROR(116); 8656 return EFAULT; 8657 } 8658 8659 if (objp->ipfo_type != IPFOBJ_IPFEXPR) { 8660 IPFERROR(117); 8661 return EINVAL; 8662 } 8663 8664 if (((objp->ipfo_size & 3) != 0) || (objp->ipfo_size == 0) || 8665 (objp->ipfo_size > 1024)) { 8666 IPFERROR(118); 8667 return EINVAL; 8668 } 8669 8670 arraysize = objp->ipfo_size * sizeof(*array); 8671 KMALLOCS(array, int *, arraysize); 8672 if (array == NULL) { 8673 IPFERROR(119); 8674 return ENOMEM; 8675 } 8676 8677 error = COPYIN(objp->ipfo_ptr, array, arraysize); 8678 if (error != 0) { 8679 KFREES(array, arraysize); 8680 IPFERROR(120); 8681 return EFAULT; 8682 } 8683 8684 if (ipf_matcharray_verify(array, arraysize) != 0) { 8685 KFREES(array, arraysize); 8686 IPFERROR(121); 8687 return EINVAL; 8688 } 8689 8690 *arrayptr = array; 8691 return 0; 8692} 8693 8694 8695/* ------------------------------------------------------------------------ */ 8696/* Function: ipf_matcharray_verify */ 8697/* Returns: Nil */ 8698/* Parameters: array(I) - pointer to matching array */ 8699/* arraysize(I) - number of elements in the array */ 8700/* */ 8701/* Verify the contents of a matching array by stepping through each element */ 8702/* in it. The actual commands in the array are not verified for */ 8703/* correctness, only that all of the sizes are correctly within limits. */ 8704/* ------------------------------------------------------------------------ */ 8705int 8706ipf_matcharray_verify(array, arraysize) 8707 int *array, arraysize; 8708{ 8709 int i, nelem, maxidx; 8710 ipfexp_t *e; 8711 8712 nelem = arraysize / sizeof(*array); 8713 8714 /* 8715 * Currently, it makes no sense to have an array less than 6 8716 * elements long - the initial size at the from, a single operation 8717 * (minimum 4 in length) and a trailer, for a total of 6. 8718 */ 8719 if ((array[0] < 6) || (arraysize < 24) || (arraysize > 4096)) { 8720 return -1; 8721 } 8722 8723 /* 8724 * Verify the size of data pointed to by array with how long 8725 * the array claims to be itself. 8726 */ 8727 if (array[0] * sizeof(*array) != arraysize) { 8728 return -1; 8729 } 8730 8731 maxidx = nelem - 1; 8732 /* 8733 * The last opcode in this array should be an IPF_EXP_END. 8734 */ 8735 if (array[maxidx] != IPF_EXP_END) { 8736 return -1; 8737 } 8738 8739 for (i = 1; i < maxidx; ) { 8740 e = (ipfexp_t *)(array + i); 8741 8742 /* 8743 * The length of the bits to check must be at least 1 8744 * (or else there is nothing to comapre with!) and it 8745 * cannot exceed the length of the data present. 8746 */ 8747 if ((e->ipfe_size < 1 ) || 8748 (e->ipfe_size + i > maxidx)) { 8749 return -1; 8750 } 8751 i += e->ipfe_size; 8752 } 8753 return 0; 8754} 8755 8756 8757/* ------------------------------------------------------------------------ */ 8758/* Function: ipf_fr_matcharray */ 8759/* Returns: int - 0 = match failed, else positive match */ 8760/* Parameters: fin(I) - pointer to packet information */ 8761/* array(I) - pointer to matching array */ 8762/* */ 8763/* This function is used to apply a matching array against a packet and */ 8764/* return an indication of whether or not the packet successfully matches */ 8765/* all of the commands in it. */ 8766/* ------------------------------------------------------------------------ */ 8767static int 8768ipf_fr_matcharray(fin, array) 8769 fr_info_t *fin; 8770 int *array; 8771{ 8772 int i, n, *x, rv, p; 8773 ipfexp_t *e; 8774 8775 rv = 0; 8776 n = array[0]; 8777 x = array + 1; 8778 8779 for (; n > 0; x += 3 + x[3], rv = 0) { 8780 e = (ipfexp_t *)x; 8781 if (e->ipfe_cmd == IPF_EXP_END) 8782 break; 8783 n -= e->ipfe_size; 8784 8785 /* 8786 * The upper 16 bits currently store the protocol value. 8787 * This is currently used with TCP and UDP port compares and 8788 * allows "tcp.port = 80" without requiring an explicit 8789 " "ip.pr = tcp" first. 8790 */ 8791 p = e->ipfe_cmd >> 16; 8792 if ((p != 0) && (p != fin->fin_p)) 8793 break; 8794 8795 switch (e->ipfe_cmd) 8796 { 8797 case IPF_EXP_IP_PR : 8798 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8799 rv |= (fin->fin_p == e->ipfe_arg0[i]); 8800 } 8801 break; 8802 8803 case IPF_EXP_IP_SRCADDR : 8804 if (fin->fin_v != 4) 8805 break; 8806 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8807 rv |= ((fin->fin_saddr & 8808 e->ipfe_arg0[i * 2 + 1]) == 8809 e->ipfe_arg0[i * 2]); 8810 } 8811 break; 8812 8813 case IPF_EXP_IP_DSTADDR : 8814 if (fin->fin_v != 4) 8815 break; 8816 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8817 rv |= ((fin->fin_daddr & 8818 e->ipfe_arg0[i * 2 + 1]) == 8819 e->ipfe_arg0[i * 2]); 8820 } 8821 break; 8822 8823 case IPF_EXP_IP_ADDR : 8824 if (fin->fin_v != 4) 8825 break; 8826 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8827 rv |= ((fin->fin_saddr & 8828 e->ipfe_arg0[i * 2 + 1]) == 8829 e->ipfe_arg0[i * 2]) || 8830 ((fin->fin_daddr & 8831 e->ipfe_arg0[i * 2 + 1]) == 8832 e->ipfe_arg0[i * 2]); 8833 } 8834 break; 8835 8836#ifdef USE_INET6 8837 case IPF_EXP_IP6_SRCADDR : 8838 if (fin->fin_v != 6) 8839 break; 8840 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8841 rv |= IP6_MASKEQ(&fin->fin_src6, 8842 &e->ipfe_arg0[i * 8 + 4], 8843 &e->ipfe_arg0[i * 8]); 8844 } 8845 break; 8846 8847 case IPF_EXP_IP6_DSTADDR : 8848 if (fin->fin_v != 6) 8849 break; 8850 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8851 rv |= IP6_MASKEQ(&fin->fin_dst6, 8852 &e->ipfe_arg0[i * 8 + 4], 8853 &e->ipfe_arg0[i * 8]); 8854 } 8855 break; 8856 8857 case IPF_EXP_IP6_ADDR : 8858 if (fin->fin_v != 6) 8859 break; 8860 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8861 rv |= IP6_MASKEQ(&fin->fin_src6, 8862 &e->ipfe_arg0[i * 8 + 4], 8863 &e->ipfe_arg0[i * 8]) || 8864 IP6_MASKEQ(&fin->fin_dst6, 8865 &e->ipfe_arg0[i * 8 + 4], 8866 &e->ipfe_arg0[i * 8]); 8867 } 8868 break; 8869#endif 8870 8871 case IPF_EXP_UDP_PORT : 8872 case IPF_EXP_TCP_PORT : 8873 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8874 rv |= (fin->fin_sport == e->ipfe_arg0[i]) || 8875 (fin->fin_dport == e->ipfe_arg0[i]); 8876 } 8877 break; 8878 8879 case IPF_EXP_UDP_SPORT : 8880 case IPF_EXP_TCP_SPORT : 8881 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8882 rv |= (fin->fin_sport == e->ipfe_arg0[i]); 8883 } 8884 break; 8885 8886 case IPF_EXP_UDP_DPORT : 8887 case IPF_EXP_TCP_DPORT : 8888 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8889 rv |= (fin->fin_dport == e->ipfe_arg0[i]); 8890 } 8891 break; 8892 8893 case IPF_EXP_TCP_FLAGS : 8894 for (i = 0; !rv && i < e->ipfe_narg; i++) { 8895 rv |= ((fin->fin_tcpf & 8896 e->ipfe_arg0[i * 2 + 1]) == 8897 e->ipfe_arg0[i * 2]); 8898 } 8899 break; 8900 } 8901 rv ^= e->ipfe_not; 8902 8903 if (rv == 0) 8904 break; 8905 } 8906 8907 return rv; 8908} 8909 8910 8911/* ------------------------------------------------------------------------ */ 8912/* Function: ipf_queueflush */ 8913/* Returns: int - number of entries flushed (0 = none) */ 8914/* Parameters: softc(I) - pointer to soft context main structure */ 8915/* deletefn(I) - function to call to delete entry */ 8916/* ipfqs(I) - top of the list of ipf internal queues */ 8917/* userqs(I) - top of the list of user defined timeouts */ 8918/* */ 8919/* This fucntion gets called when the state/NAT hash tables fill up and we */ 8920/* need to try a bit harder to free up some space. The algorithm used here */ 8921/* split into two parts but both halves have the same goal: to reduce the */ 8922/* number of connections considered to be "active" to the low watermark. */ 8923/* There are two steps in doing this: */ 8924/* 1) Remove any TCP connections that are already considered to be "closed" */ 8925/* but have not yet been removed from the state table. The two states */ 8926/* TCPS_TIME_WAIT and TCPS_CLOSED are considered to be the perfect */ 8927/* candidates for this style of removal. If freeing up entries in */ 8928/* CLOSED or both CLOSED and TIME_WAIT brings us to the low watermark, */ 8929/* we do not go on to step 2. */ 8930/* */ 8931/* 2) Look for the oldest entries on each timeout queue and free them if */ 8932/* they are within the given window we are considering. Where the */ 8933/* window starts and the steps taken to increase its size depend upon */ 8934/* how long ipf has been running (ipf_ticks.) Anything modified in the */ 8935/* last 30 seconds is not touched. */ 8936/* touched */ 8937/* die ipf_ticks 30*1.5 1800*1.5 | 43200*1.5 */ 8938/* | | | | | | */ 8939/* future <--+----------+--------+-----------+-----+-----+-----------> past */ 8940/* now \_int=30s_/ \_int=1hr_/ \_int=12hr */ 8941/* */ 8942/* Points to note: */ 8943/* - tqe_die is the time, in the future, when entries die. */ 8944/* - tqe_die - ipf_ticks is how long left the connection has to live in ipf */ 8945/* ticks. */ 8946/* - tqe_touched is when the entry was last used by NAT/state */ 8947/* - the closer tqe_touched is to ipf_ticks, the further tqe_die will be */ 8948/* ipf_ticks any given timeout queue and vice versa. */ 8949/* - both tqe_die and tqe_touched increase over time */ 8950/* - timeout queues are sorted with the highest value of tqe_die at the */ 8951/* bottom and therefore the smallest values of each are at the top */ 8952/* - the pointer passed in as ipfqs should point to an array of timeout */ 8953/* queues representing each of the TCP states */ 8954/* */ 8955/* We start by setting up a maximum range to scan for things to move of */ 8956/* iend (newest) to istart (oldest) in chunks of "interval". If nothing is */ 8957/* found in that range, "interval" is adjusted (so long as it isn't 30) and */ 8958/* we start again with a new value for "iend" and "istart". This is */ 8959/* continued until we either finish the scan of 30 second intervals or the */ 8960/* low water mark is reached. */ 8961/* ------------------------------------------------------------------------ */ 8962int 8963ipf_queueflush(softc, deletefn, ipfqs, userqs, activep, size, low) 8964 ipf_main_softc_t *softc; 8965 ipftq_delete_fn_t deletefn; 8966 ipftq_t *ipfqs, *userqs; 8967 u_int *activep; 8968 int size, low; 8969{ 8970 u_long interval, istart, iend; 8971 ipftq_t *ifq, *ifqnext; 8972 ipftqent_t *tqe, *tqn; 8973 int removed = 0; 8974 8975 for (tqn = ipfqs[IPF_TCPS_CLOSED].ifq_head; ((tqe = tqn) != NULL); ) { 8976 tqn = tqe->tqe_next; 8977 if ((*deletefn)(softc, tqe->tqe_parent) == 0) 8978 removed++; 8979 } 8980 if ((*activep * 100 / size) > low) { 8981 for (tqn = ipfqs[IPF_TCPS_TIME_WAIT].ifq_head; 8982 ((tqe = tqn) != NULL); ) { 8983 tqn = tqe->tqe_next; 8984 if ((*deletefn)(softc, tqe->tqe_parent) == 0) 8985 removed++; 8986 } 8987 } 8988 8989 if ((*activep * 100 / size) <= low) { 8990 return removed; 8991 } 8992 8993 /* 8994 * NOTE: Use of "* 15 / 10" is required here because if "* 1.5" is 8995 * used then the operations are upgraded to floating point 8996 * and kernels don't like floating point... 8997 */ 8998 if (softc->ipf_ticks > IPF_TTLVAL(43200 * 15 / 10)) { 8999 istart = IPF_TTLVAL(86400 * 4); 9000 interval = IPF_TTLVAL(43200); 9001 } else if (softc->ipf_ticks > IPF_TTLVAL(1800 * 15 / 10)) { 9002 istart = IPF_TTLVAL(43200); 9003 interval = IPF_TTLVAL(1800); 9004 } else if (softc->ipf_ticks > IPF_TTLVAL(30 * 15 / 10)) { 9005 istart = IPF_TTLVAL(1800); 9006 interval = IPF_TTLVAL(30); 9007 } else { 9008 return 0; 9009 } 9010 if (istart > softc->ipf_ticks) { 9011 if (softc->ipf_ticks - interval < interval) 9012 istart = interval; 9013 else 9014 istart = (softc->ipf_ticks / interval) * interval; 9015 } 9016 9017 iend = softc->ipf_ticks - interval; 9018 9019 while ((*activep * 100 / size) > low) { 9020 u_long try; 9021 9022 try = softc->ipf_ticks - istart; 9023 9024 for (ifq = ipfqs; ifq != NULL; ifq = ifq->ifq_next) { 9025 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) { 9026 if (try < tqe->tqe_touched) 9027 break; 9028 tqn = tqe->tqe_next; 9029 if ((*deletefn)(softc, tqe->tqe_parent) == 0) 9030 removed++; 9031 } 9032 } 9033 9034 for (ifq = userqs; ifq != NULL; ifq = ifqnext) { 9035 ifqnext = ifq->ifq_next; 9036 9037 for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) { 9038 if (try < tqe->tqe_touched) 9039 break; 9040 tqn = tqe->tqe_next; 9041 if ((*deletefn)(softc, tqe->tqe_parent) == 0) 9042 removed++; 9043 } 9044 } 9045 9046 if (try >= iend) { 9047 if (interval == IPF_TTLVAL(43200)) { 9048 interval = IPF_TTLVAL(1800); 9049 } else if (interval == IPF_TTLVAL(1800)) { 9050 interval = IPF_TTLVAL(30); 9051 } else { 9052 break; 9053 } 9054 if (interval >= softc->ipf_ticks) 9055 break; 9056 9057 iend = softc->ipf_ticks - interval; 9058 } 9059 istart -= interval; 9060 } 9061 9062 return removed; 9063} 9064 9065 9066/* ------------------------------------------------------------------------ */ 9067/* Function: ipf_deliverlocal */ 9068/* Returns: int - 1 = local address, 0 = non-local address */ 9069/* Parameters: softc(I) - pointer to soft context main structure */ 9070/* ipversion(I) - IP protocol version (4 or 6) */ 9071/* ifp(I) - network interface pointer */ 9072/* ipaddr(I) - IPv4/6 destination address */ 9073/* */ 9074/* This fucntion is used to determine in the address "ipaddr" belongs to */ 9075/* the network interface represented by ifp. */ 9076/* ------------------------------------------------------------------------ */ 9077int 9078ipf_deliverlocal(softc, ipversion, ifp, ipaddr) 9079 ipf_main_softc_t *softc; 9080 int ipversion; 9081 void *ifp; 9082 i6addr_t *ipaddr; 9083{ 9084 i6addr_t addr; 9085 int islocal = 0; 9086 9087 if (ipversion == 4) { 9088 if (ipf_ifpaddr(softc, 4, FRI_NORMAL, ifp, &addr, NULL) == 0) { 9089 if (addr.in4.s_addr == ipaddr->in4.s_addr) 9090 islocal = 1; 9091 } 9092 9093#ifdef USE_INET6 9094 } else if (ipversion == 6) { 9095 if (ipf_ifpaddr(softc, 6, FRI_NORMAL, ifp, &addr, NULL) == 0) { 9096 if (IP6_EQ(&addr, ipaddr)) 9097 islocal = 1; 9098 } 9099#endif 9100 } 9101 9102 return islocal; 9103} 9104 9105 9106/* ------------------------------------------------------------------------ */ 9107/* Function: ipf_settimeout */ 9108/* Returns: int - 0 = success, -1 = failure */ 9109/* Parameters: softc(I) - pointer to soft context main structure */ 9110/* t(I) - pointer to tuneable array entry */ 9111/* p(I) - pointer to values passed in to apply */ 9112/* */ 9113/* This function is called to set the timeout values for each distinct */ 9114/* queue timeout that is available. When called, it calls into both the */ 9115/* state and NAT code, telling them to update their timeout queues. */ 9116/* ------------------------------------------------------------------------ */ 9117static int 9118ipf_settimeout(softc, t, p) 9119 struct ipf_main_softc_s *softc; 9120 ipftuneable_t *t; 9121 ipftuneval_t *p; 9122{ 9123 9124 /* 9125 * ipf_interror should be set by the functions called here, not 9126 * by this function - it's just a middle man. 9127 */ 9128 if (ipf_state_settimeout(softc, t, p) == -1) 9129 return -1; 9130 if (ipf_nat_settimeout(softc, t, p) == -1) 9131 return -1; 9132 return 0; 9133} 9134 9135 9136/* ------------------------------------------------------------------------ */ 9137/* Function: ipf_apply_timeout */ 9138/* Returns: int - 0 = success, -1 = failure */ 9139/* Parameters: head(I) - pointer to tuneable array entry */ 9140/* seconds(I) - pointer to values passed in to apply */ 9141/* */ 9142/* This function applies a timeout of "seconds" to the timeout queue that */ 9143/* is pointed to by "head". All entries on this list have an expiration */ 9144/* set to be the current tick value of ipf plus the ttl. Given that this */ 9145/* function should only be called when the delta is non-zero, the task is */ 9146/* to walk the entire list and apply the change. The sort order will not */ 9147/* change. The only catch is that this is O(n) across the list, so if the */ 9148/* queue has lots of entries (10s of thousands or 100s of thousands), it */ 9149/* could take a relatively long time to work through them all. */ 9150/* ------------------------------------------------------------------------ */ 9151void 9152ipf_apply_timeout(head, seconds) 9153 ipftq_t *head; 9154 u_int seconds; 9155{ 9156 u_int oldtimeout, newtimeout; 9157 ipftqent_t *tqe; 9158 int delta; 9159 9160 MUTEX_ENTER(&head->ifq_lock); 9161 oldtimeout = head->ifq_ttl; 9162 newtimeout = IPF_TTLVAL(seconds); 9163 delta = oldtimeout - newtimeout; 9164 9165 head->ifq_ttl = newtimeout; 9166 9167 for (tqe = head->ifq_head; tqe != NULL; tqe = tqe->tqe_next) { 9168 tqe->tqe_die += delta; 9169 } 9170 MUTEX_EXIT(&head->ifq_lock); 9171} 9172 9173 9174/* ------------------------------------------------------------------------ */ 9175/* Function: ipf_settimeout_tcp */ 9176/* Returns: int - 0 = successfully applied, -1 = failed */ 9177/* Parameters: t(I) - pointer to tuneable to change */ 9178/* p(I) - pointer to new timeout information */ 9179/* tab(I) - pointer to table of TCP queues */ 9180/* */ 9181/* This function applies the new timeout (p) to the TCP tunable (t) and */ 9182/* updates all of the entries on the relevant timeout queue by calling */ 9183/* ipf_apply_timeout(). */ 9184/* ------------------------------------------------------------------------ */ 9185int 9186ipf_settimeout_tcp(t, p, tab) 9187 ipftuneable_t *t; 9188 ipftuneval_t *p; 9189 ipftq_t *tab; 9190{ 9191 if (!strcmp(t->ipft_name, "tcp_idle_timeout") || 9192 !strcmp(t->ipft_name, "tcp_established")) { 9193 ipf_apply_timeout(&tab[IPF_TCPS_ESTABLISHED], p->ipftu_int); 9194 } else if (!strcmp(t->ipft_name, "tcp_close_wait")) { 9195 ipf_apply_timeout(&tab[IPF_TCPS_CLOSE_WAIT], p->ipftu_int); 9196 } else if (!strcmp(t->ipft_name, "tcp_last_ack")) { 9197 ipf_apply_timeout(&tab[IPF_TCPS_LAST_ACK], p->ipftu_int); 9198 } else if (!strcmp(t->ipft_name, "tcp_timeout")) { 9199 ipf_apply_timeout(&tab[IPF_TCPS_LISTEN], p->ipftu_int); 9200 ipf_apply_timeout(&tab[IPF_TCPS_HALF_ESTAB], p->ipftu_int); 9201 ipf_apply_timeout(&tab[IPF_TCPS_CLOSING], p->ipftu_int); 9202 } else if (!strcmp(t->ipft_name, "tcp_listen")) { 9203 ipf_apply_timeout(&tab[IPF_TCPS_LISTEN], p->ipftu_int); 9204 } else if (!strcmp(t->ipft_name, "tcp_half_established")) { 9205 ipf_apply_timeout(&tab[IPF_TCPS_HALF_ESTAB], p->ipftu_int); 9206 } else if (!strcmp(t->ipft_name, "tcp_closing")) { 9207 ipf_apply_timeout(&tab[IPF_TCPS_CLOSING], p->ipftu_int); 9208 } else if (!strcmp(t->ipft_name, "tcp_syn_received")) { 9209 ipf_apply_timeout(&tab[IPF_TCPS_SYN_RECEIVED], p->ipftu_int); 9210 } else if (!strcmp(t->ipft_name, "tcp_syn_sent")) { 9211 ipf_apply_timeout(&tab[IPF_TCPS_SYN_SENT], p->ipftu_int); 9212 } else if (!strcmp(t->ipft_name, "tcp_closed")) { 9213 ipf_apply_timeout(&tab[IPF_TCPS_CLOSED], p->ipftu_int); 9214 } else if (!strcmp(t->ipft_name, "tcp_half_closed")) { 9215 ipf_apply_timeout(&tab[IPF_TCPS_CLOSED], p->ipftu_int); 9216 } else if (!strcmp(t->ipft_name, "tcp_time_wait")) { 9217 ipf_apply_timeout(&tab[IPF_TCPS_TIME_WAIT], p->ipftu_int); 9218 } else { 9219 /* 9220 * ipf_interror isn't set here because it should be set 9221 * by whatever called this function. 9222 */ 9223 return -1; 9224 } 9225 return 0; 9226} 9227 9228 9229/* ------------------------------------------------------------------------ */ 9230/* Function: ipf_main_soft_create */ 9231/* Returns: NULL = failure, else success */ 9232/* Parameters: arg(I) - pointer to soft context structure if already allocd */ 9233/* */ 9234/* Create the foundation soft context structure. In circumstances where it */ 9235/* is not required to dynamically allocate the context, a pointer can be */ 9236/* passed in (rather than NULL) to a structure to be initialised. */ 9237/* The main thing of interest is that a number of locks are initialised */ 9238/* here instead of in the where might be expected - in the relevant create */ 9239/* function elsewhere. This is done because the current locking design has */ 9240/* some areas where these locks are used outside of their module. */ 9241/* Possibly the most important exercise that is done here is setting of all */ 9242/* the timeout values, allowing them to be changed before init(). */ 9243/* ------------------------------------------------------------------------ */ 9244void * 9245ipf_main_soft_create(arg) 9246 void *arg; 9247{ 9248 ipf_main_softc_t *softc; 9249 9250 if (arg == NULL) { 9251 KMALLOC(softc, ipf_main_softc_t *); 9252 if (softc == NULL) 9253 return NULL; 9254 } else { 9255 softc = arg; 9256 } 9257 9258 bzero((char *)softc, sizeof(*softc)); 9259 9260 /* 9261 * This serves as a flag as to whether or not the softc should be 9262 * free'd when _destroy is called. 9263 */ 9264 softc->ipf_dynamic_softc = (arg == NULL) ? 1 : 0; 9265 9266 softc->ipf_tuners = ipf_tune_array_copy(softc, 9267 sizeof(ipf_main_tuneables), 9268 ipf_main_tuneables); 9269 if (softc->ipf_tuners == NULL) { 9270 ipf_main_soft_destroy(softc); 9271 return NULL; 9272 } 9273 9274 MUTEX_INIT(&softc->ipf_rw, "ipf rw mutex"); 9275 MUTEX_INIT(&softc->ipf_timeoutlock, "ipf timeout lock"); 9276 RWLOCK_INIT(&softc->ipf_global, "ipf filter load/unload mutex"); 9277 RWLOCK_INIT(&softc->ipf_mutex, "ipf filter rwlock"); 9278 RWLOCK_INIT(&softc->ipf_tokens, "ipf token rwlock"); 9279 RWLOCK_INIT(&softc->ipf_state, "ipf state rwlock"); 9280 RWLOCK_INIT(&softc->ipf_nat, "ipf IP NAT rwlock"); 9281 RWLOCK_INIT(&softc->ipf_poolrw, "ipf pool rwlock"); 9282 RWLOCK_INIT(&softc->ipf_frag, "ipf frag rwlock"); 9283 9284 softc->ipf_token_head = NULL; 9285 softc->ipf_token_tail = &softc->ipf_token_head; 9286 9287 softc->ipf_tcpidletimeout = FIVE_DAYS; 9288 softc->ipf_tcpclosewait = IPF_TTLVAL(2 * TCP_MSL); 9289 softc->ipf_tcplastack = IPF_TTLVAL(30); 9290 softc->ipf_tcptimewait = IPF_TTLVAL(2 * TCP_MSL); 9291 softc->ipf_tcptimeout = IPF_TTLVAL(2 * TCP_MSL); 9292 softc->ipf_tcpsynsent = IPF_TTLVAL(2 * TCP_MSL); 9293 softc->ipf_tcpsynrecv = IPF_TTLVAL(2 * TCP_MSL); 9294 softc->ipf_tcpclosed = IPF_TTLVAL(30); 9295 softc->ipf_tcphalfclosed = IPF_TTLVAL(2 * 3600); 9296 softc->ipf_udptimeout = IPF_TTLVAL(120); 9297 softc->ipf_udpacktimeout = IPF_TTLVAL(12); 9298 softc->ipf_icmptimeout = IPF_TTLVAL(60); 9299 softc->ipf_icmpacktimeout = IPF_TTLVAL(6); 9300 softc->ipf_iptimeout = IPF_TTLVAL(60); 9301 9302#if defined(IPFILTER_DEFAULT_BLOCK) 9303 softc->ipf_pass = FR_BLOCK|FR_NOMATCH; 9304#else 9305 softc->ipf_pass = (IPF_DEFAULT_PASS)|FR_NOMATCH; 9306#endif 9307 softc->ipf_minttl = 4; 9308 softc->ipf_icmpminfragmtu = 68; 9309 softc->ipf_flags = IPF_LOGGING; 9310 9311 return softc; 9312} 9313 9314/* ------------------------------------------------------------------------ */ 9315/* Function: ipf_main_soft_init */ 9316/* Returns: 0 = success, -1 = failure */ 9317/* Parameters: softc(I) - pointer to soft context main structure */ 9318/* */ 9319/* A null-op function that exists as a placeholder so that the flow in */ 9320/* other functions is obvious. */ 9321/* ------------------------------------------------------------------------ */ 9322/*ARGSUSED*/ 9323int 9324ipf_main_soft_init(softc) 9325 ipf_main_softc_t *softc; 9326{ 9327 return 0; 9328} 9329 9330 9331/* ------------------------------------------------------------------------ */ 9332/* Function: ipf_main_soft_destroy */ 9333/* Returns: void */ 9334/* Parameters: softc(I) - pointer to soft context main structure */ 9335/* */ 9336/* Undo everything that we did in ipf_main_soft_create. */ 9337/* */ 9338/* The most important check that needs to be made here is whether or not */ 9339/* the structure was allocated by ipf_main_soft_create() by checking what */ 9340/* value is stored in ipf_dynamic_main. */ 9341/* ------------------------------------------------------------------------ */ 9342/*ARGSUSED*/ 9343void 9344ipf_main_soft_destroy(softc) 9345 ipf_main_softc_t *softc; 9346{ 9347 9348 RW_DESTROY(&softc->ipf_frag); 9349 RW_DESTROY(&softc->ipf_poolrw); 9350 RW_DESTROY(&softc->ipf_nat); 9351 RW_DESTROY(&softc->ipf_state); 9352 RW_DESTROY(&softc->ipf_tokens); 9353 RW_DESTROY(&softc->ipf_mutex); 9354 RW_DESTROY(&softc->ipf_global); 9355 MUTEX_DESTROY(&softc->ipf_timeoutlock); 9356 MUTEX_DESTROY(&softc->ipf_rw); 9357 9358 if (softc->ipf_tuners != NULL) { 9359 KFREES(softc->ipf_tuners, sizeof(ipf_main_tuneables)); 9360 } 9361 if (softc->ipf_dynamic_softc == 1) { 9362 KFREE(softc); 9363 } 9364} 9365 9366 9367/* ------------------------------------------------------------------------ */ 9368/* Function: ipf_main_soft_fini */ 9369/* Returns: 0 = success, -1 = failure */ 9370/* Parameters: softc(I) - pointer to soft context main structure */ 9371/* */ 9372/* Clean out the rules which have been added since _init was last called, */ 9373/* the only dynamic part of the mainline. */ 9374/* ------------------------------------------------------------------------ */ 9375int 9376ipf_main_soft_fini(softc) 9377 ipf_main_softc_t *softc; 9378{ 9379 (void) ipf_flush(softc, IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE); 9380 (void) ipf_flush(softc, IPL_LOGIPF, FR_INQUE|FR_OUTQUE); 9381 (void) ipf_flush(softc, IPL_LOGCOUNT, FR_INQUE|FR_OUTQUE|FR_INACTIVE); 9382 (void) ipf_flush(softc, IPL_LOGCOUNT, FR_INQUE|FR_OUTQUE); 9383 9384 return 0; 9385} 9386 9387 9388/* ------------------------------------------------------------------------ */ 9389/* Function: ipf_main_load */ 9390/* Returns: 0 = success, -1 = failure */ 9391/* Parameters: none */ 9392/* */ 9393/* Handle global initialisation that needs to be done for the base part of */ 9394/* IPFilter. At present this just amounts to initialising some ICMP lookup */ 9395/* arrays that get used by the state/NAT code. */ 9396/* ------------------------------------------------------------------------ */ 9397int 9398ipf_main_load() 9399{ 9400 int i; 9401 9402 /* fill icmp reply type table */ 9403 for (i = 0; i <= ICMP_MAXTYPE; i++) 9404 icmpreplytype4[i] = -1; 9405 icmpreplytype4[ICMP_ECHO] = ICMP_ECHOREPLY; 9406 icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY; 9407 icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY; 9408 icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY; 9409 9410#ifdef USE_INET6 9411 /* fill icmp reply type table */ 9412 for (i = 0; i <= ICMP6_MAXTYPE; i++) 9413 icmpreplytype6[i] = -1; 9414 icmpreplytype6[ICMP6_ECHO_REQUEST] = ICMP6_ECHO_REPLY; 9415 icmpreplytype6[ICMP6_MEMBERSHIP_QUERY] = ICMP6_MEMBERSHIP_REPORT; 9416 icmpreplytype6[ICMP6_NI_QUERY] = ICMP6_NI_REPLY; 9417 icmpreplytype6[ND_ROUTER_SOLICIT] = ND_ROUTER_ADVERT; 9418 icmpreplytype6[ND_NEIGHBOR_SOLICIT] = ND_NEIGHBOR_ADVERT; 9419#endif 9420 9421 return 0; 9422} 9423 9424 9425/* ------------------------------------------------------------------------ */ 9426/* Function: ipf_main_unload */ 9427/* Returns: 0 = success, -1 = failure */ 9428/* Parameters: none */ 9429/* */ 9430/* A null-op function that exists as a placeholder so that the flow in */ 9431/* other functions is obvious. */ 9432/* ------------------------------------------------------------------------ */ 9433int 9434ipf_main_unload() 9435{ 9436 return 0; 9437} 9438 9439 9440/* ------------------------------------------------------------------------ */ 9441/* Function: ipf_load_all */ 9442/* Returns: 0 = success, -1 = failure */ 9443/* Parameters: none */ 9444/* */ 9445/* Work through all of the subsystems inside IPFilter and call the load */ 9446/* function for each in an order that won't lead to a crash :) */ 9447/* ------------------------------------------------------------------------ */ 9448int 9449ipf_load_all() 9450{ 9451 if (ipf_main_load() == -1) 9452 return -1; 9453 9454 if (ipf_state_main_load() == -1) 9455 return -1; 9456 9457 if (ipf_nat_main_load() == -1) 9458 return -1; 9459 9460 if (ipf_frag_main_load() == -1) 9461 return -1; 9462 9463 if (ipf_auth_main_load() == -1) 9464 return -1; 9465 9466 if (ipf_proxy_main_load() == -1) 9467 return -1; 9468 9469 return 0; 9470} 9471 9472 9473/* ------------------------------------------------------------------------ */ 9474/* Function: ipf_unload_all */ 9475/* Returns: 0 = success, -1 = failure */ 9476/* Parameters: none */ 9477/* */ 9478/* Work through all of the subsystems inside IPFilter and call the unload */ 9479/* function for each in an order that won't lead to a crash :) */ 9480/* ------------------------------------------------------------------------ */ 9481int 9482ipf_unload_all() 9483{ 9484 if (ipf_proxy_main_unload() == -1) 9485 return -1; 9486 9487 if (ipf_auth_main_unload() == -1) 9488 return -1; 9489 9490 if (ipf_frag_main_unload() == -1) 9491 return -1; 9492 9493 if (ipf_nat_main_unload() == -1) 9494 return -1; 9495 9496 if (ipf_state_main_unload() == -1) 9497 return -1; 9498 9499 if (ipf_main_unload() == -1) 9500 return -1; 9501 9502 return 0; 9503} 9504 9505 9506/* ------------------------------------------------------------------------ */ 9507/* Function: ipf_create_all */ 9508/* Returns: NULL = failure, else success */ 9509/* Parameters: arg(I) - pointer to soft context main structure */ 9510/* */ 9511/* Work through all of the subsystems inside IPFilter and call the create */ 9512/* function for each in an order that won't lead to a crash :) */ 9513/* ------------------------------------------------------------------------ */ 9514ipf_main_softc_t * 9515ipf_create_all(arg) 9516 void *arg; 9517{ 9518 ipf_main_softc_t *softc; 9519 9520 softc = ipf_main_soft_create(arg); 9521 if (softc == NULL) 9522 return NULL; 9523 9524#ifdef IPFILTER_LOG 9525 softc->ipf_log_soft = ipf_log_soft_create(softc); 9526 if (softc->ipf_log_soft == NULL) { 9527 ipf_destroy_all(softc); 9528 return NULL; 9529 } 9530#endif 9531 9532 softc->ipf_lookup_soft = ipf_lookup_soft_create(softc); 9533 if (softc->ipf_lookup_soft == NULL) { 9534 ipf_destroy_all(softc); 9535 return NULL; 9536 } 9537 9538 softc->ipf_sync_soft = ipf_sync_soft_create(softc); 9539 if (softc->ipf_sync_soft == NULL) { 9540 ipf_destroy_all(softc); 9541 return NULL; 9542 } 9543 9544 softc->ipf_state_soft = ipf_state_soft_create(softc); 9545 if (softc->ipf_state_soft == NULL) { 9546 ipf_destroy_all(softc); 9547 return NULL; 9548 } 9549 9550 softc->ipf_nat_soft = ipf_nat_soft_create(softc); 9551 if (softc->ipf_nat_soft == NULL) { 9552 ipf_destroy_all(softc); 9553 return NULL; 9554 } 9555 9556 softc->ipf_frag_soft = ipf_frag_soft_create(softc); 9557 if (softc->ipf_frag_soft == NULL) { 9558 ipf_destroy_all(softc); 9559 return NULL; 9560 } 9561 9562 softc->ipf_auth_soft = ipf_auth_soft_create(softc); 9563 if (softc->ipf_auth_soft == NULL) { 9564 ipf_destroy_all(softc); 9565 return NULL; 9566 } 9567 9568 softc->ipf_proxy_soft = ipf_proxy_soft_create(softc); 9569 if (softc->ipf_proxy_soft == NULL) { 9570 ipf_destroy_all(softc); 9571 return NULL; 9572 } 9573 9574 return softc; 9575} 9576 9577 9578/* ------------------------------------------------------------------------ */ 9579/* Function: ipf_destroy_all */ 9580/* Returns: void */ 9581/* Parameters: softc(I) - pointer to soft context main structure */ 9582/* */ 9583/* Work through all of the subsystems inside IPFilter and call the destroy */ 9584/* function for each in an order that won't lead to a crash :) */ 9585/* */ 9586/* Every one of these functions is expected to succeed, so there is no */ 9587/* checking of return values. */ 9588/* ------------------------------------------------------------------------ */ 9589void 9590ipf_destroy_all(softc) 9591 ipf_main_softc_t *softc; 9592{ 9593 9594 if (softc->ipf_state_soft != NULL) { 9595 ipf_state_soft_destroy(softc, softc->ipf_state_soft); 9596 softc->ipf_state_soft = NULL; 9597 } 9598 9599 if (softc->ipf_nat_soft != NULL) { 9600 ipf_nat_soft_destroy(softc, softc->ipf_nat_soft); 9601 softc->ipf_nat_soft = NULL; 9602 } 9603 9604 if (softc->ipf_frag_soft != NULL) { 9605 ipf_frag_soft_destroy(softc, softc->ipf_frag_soft); 9606 softc->ipf_frag_soft = NULL; 9607 } 9608 9609 if (softc->ipf_auth_soft != NULL) { 9610 ipf_auth_soft_destroy(softc, softc->ipf_auth_soft); 9611 softc->ipf_auth_soft = NULL; 9612 } 9613 9614 if (softc->ipf_proxy_soft != NULL) { 9615 ipf_proxy_soft_destroy(softc, softc->ipf_proxy_soft); 9616 softc->ipf_proxy_soft = NULL; 9617 } 9618 9619 if (softc->ipf_sync_soft != NULL) { 9620 ipf_sync_soft_destroy(softc, softc->ipf_sync_soft); 9621 softc->ipf_sync_soft = NULL; 9622 } 9623 9624 if (softc->ipf_lookup_soft != NULL) { 9625 ipf_lookup_soft_destroy(softc, softc->ipf_lookup_soft); 9626 softc->ipf_lookup_soft = NULL; 9627 } 9628 9629#ifdef IPFILTER_LOG 9630 if (softc->ipf_log_soft != NULL) { 9631 ipf_log_soft_destroy(softc, softc->ipf_log_soft); 9632 softc->ipf_log_soft = NULL; 9633 } 9634#endif 9635 9636 ipf_main_soft_destroy(softc); 9637} 9638 9639 9640/* ------------------------------------------------------------------------ */ 9641/* Function: ipf_init_all */ 9642/* Returns: 0 = success, -1 = failure */ 9643/* Parameters: softc(I) - pointer to soft context main structure */ 9644/* */ 9645/* Work through all of the subsystems inside IPFilter and call the init */ 9646/* function for each in an order that won't lead to a crash :) */ 9647/* ------------------------------------------------------------------------ */ 9648int 9649ipf_init_all(softc) 9650 ipf_main_softc_t *softc; 9651{ 9652 9653 if (ipf_main_soft_init(softc) == -1) 9654 return -1; 9655 9656#ifdef IPFILTER_LOG 9657 if (ipf_log_soft_init(softc, softc->ipf_log_soft) == -1) 9658 return -1; 9659#endif 9660 9661 if (ipf_lookup_soft_init(softc, softc->ipf_lookup_soft) == -1) 9662 return -1; 9663 9664 if (ipf_sync_soft_init(softc, softc->ipf_sync_soft) == -1) 9665 return -1; 9666 9667 if (ipf_state_soft_init(softc, softc->ipf_state_soft) == -1) 9668 return -1; 9669 9670 if (ipf_nat_soft_init(softc, softc->ipf_nat_soft) == -1) 9671 return -1; 9672 9673 if (ipf_frag_soft_init(softc, softc->ipf_frag_soft) == -1) 9674 return -1; 9675 9676 if (ipf_auth_soft_init(softc, softc->ipf_auth_soft) == -1) 9677 return -1; 9678 9679 if (ipf_proxy_soft_init(softc, softc->ipf_proxy_soft) == -1) 9680 return -1; 9681 9682 return 0; 9683} 9684 9685 9686/* ------------------------------------------------------------------------ */ 9687/* Function: ipf_fini_all */ 9688/* Returns: 0 = success, -1 = failure */ 9689/* Parameters: softc(I) - pointer to soft context main structure */ 9690/* */ 9691/* Work through all of the subsystems inside IPFilter and call the fini */ 9692/* function for each in an order that won't lead to a crash :) */ 9693/* ------------------------------------------------------------------------ */ 9694int 9695ipf_fini_all(softc) 9696 ipf_main_softc_t *softc; 9697{ 9698 9699 ipf_token_flush(softc); 9700 9701 if (ipf_proxy_soft_fini(softc, softc->ipf_proxy_soft) == -1) 9702 return -1; 9703 9704 if (ipf_auth_soft_fini(softc, softc->ipf_auth_soft) == -1) 9705 return -1; 9706 9707 if (ipf_frag_soft_fini(softc, softc->ipf_frag_soft) == -1) 9708 return -1; 9709 9710 if (ipf_nat_soft_fini(softc, softc->ipf_nat_soft) == -1) 9711 return -1; 9712 9713 if (ipf_state_soft_fini(softc, softc->ipf_state_soft) == -1) 9714 return -1; 9715 9716 if (ipf_sync_soft_fini(softc, softc->ipf_sync_soft) == -1) 9717 return -1; 9718 9719 if (ipf_lookup_soft_fini(softc, softc->ipf_lookup_soft) == -1) 9720 return -1; 9721 9722#ifdef IPFILTER_LOG 9723 if (ipf_log_soft_fini(softc, softc->ipf_log_soft) == -1) 9724 return -1; 9725#endif 9726 9727 if (ipf_main_soft_fini(softc) == -1) 9728 return -1; 9729 9730 return 0; 9731} 9732 9733 9734/* ------------------------------------------------------------------------ */ 9735/* Function: ipf_rule_expire */ 9736/* Returns: Nil */ 9737/* Parameters: softc(I) - pointer to soft context main structure */ 9738/* */ 9739/* At present this function exists just to support temporary addition of */ 9740/* firewall rules. Both inactive and active lists are scanned for items to */ 9741/* purge, as by rights, the expiration is computed as soon as the rule is */ 9742/* loaded in. */ 9743/* ------------------------------------------------------------------------ */ 9744void 9745ipf_rule_expire(softc) 9746 ipf_main_softc_t *softc; 9747{ 9748 frentry_t *fr; 9749 9750 if ((softc->ipf_rule_explist[0] == NULL) && 9751 (softc->ipf_rule_explist[1] == NULL)) 9752 return; 9753 9754 WRITE_ENTER(&softc->ipf_mutex); 9755 9756 while ((fr = softc->ipf_rule_explist[0]) != NULL) { 9757 /* 9758 * Because the list is kept sorted on insertion, the fist 9759 * one that dies in the future means no more work to do. 9760 */ 9761 if (fr->fr_die > softc->ipf_ticks) 9762 break; 9763 ipf_rule_delete(softc, fr, IPL_LOGIPF, 0); 9764 } 9765 9766 while ((fr = softc->ipf_rule_explist[1]) != NULL) { 9767 /* 9768 * Because the list is kept sorted on insertion, the fist 9769 * one that dies in the future means no more work to do. 9770 */ 9771 if (fr->fr_die > softc->ipf_ticks) 9772 break; 9773 ipf_rule_delete(softc, fr, IPL_LOGIPF, 1); 9774 } 9775 9776 RWLOCK_EXIT(&softc->ipf_mutex); 9777} 9778 9779 9780static int ipf_ht_node_cmp __P((struct host_node_s *, struct host_node_s *)); 9781static void ipf_ht_node_make_key __P((host_track_t *, host_node_t *, int, 9782 i6addr_t *)); 9783 9784host_node_t RBI_ZERO(ipf_rb); 9785RBI_CODE(ipf_rb, host_node_t, hn_entry, ipf_ht_node_cmp) 9786 9787 9788/* ------------------------------------------------------------------------ */ 9789/* Function: ipf_ht_node_cmp */ 9790/* Returns: int - 0 == nodes are the same, .. */ 9791/* Parameters: k1(I) - pointer to first key to compare */ 9792/* k2(I) - pointer to second key to compare */ 9793/* */ 9794/* The "key" for the node is a combination of two fields: the address */ 9795/* family and the address itself. */ 9796/* */ 9797/* Because we're not actually interpreting the address data, it isn't */ 9798/* necessary to convert them to/from network/host byte order. The mask is */ 9799/* just used to remove bits that aren't significant - it doesn't matter */ 9800/* where they are, as long as they're always in the same place. */ 9801/* */ 9802/* As with IP6_EQ, comparing IPv6 addresses starts at the bottom because */ 9803/* this is where individual ones will differ the most - but not true for */ 9804/* for /48's, etc. */ 9805/* ------------------------------------------------------------------------ */ 9806static int 9807ipf_ht_node_cmp(k1, k2) 9808 struct host_node_s *k1, *k2; 9809{ 9810 int i; 9811 9812 i = (k2->hn_addr.adf_family - k1->hn_addr.adf_family); 9813 if (i != 0) 9814 return i; 9815 9816 if (k1->hn_addr.adf_family == AF_INET) 9817 return (k2->hn_addr.adf_addr.in4.s_addr - 9818 k1->hn_addr.adf_addr.in4.s_addr); 9819 9820 i = k2->hn_addr.adf_addr.i6[3] - k1->hn_addr.adf_addr.i6[3]; 9821 if (i != 0) 9822 return i; 9823 i = k2->hn_addr.adf_addr.i6[2] - k1->hn_addr.adf_addr.i6[2]; 9824 if (i != 0) 9825 return i; 9826 i = k2->hn_addr.adf_addr.i6[1] - k1->hn_addr.adf_addr.i6[1]; 9827 if (i != 0) 9828 return i; 9829 i = k2->hn_addr.adf_addr.i6[0] - k1->hn_addr.adf_addr.i6[0]; 9830 return i; 9831} 9832 9833 9834/* ------------------------------------------------------------------------ */ 9835/* Function: ipf_ht_node_make_key */ 9836/* Returns: Nil */ 9837/* parameters: htp(I) - pointer to address tracking structure */ 9838/* key(I) - where to store masked address for lookup */ 9839/* family(I) - protocol family of address */ 9840/* addr(I) - pointer to network address */ 9841/* */ 9842/* Using the "netmask" (number of bits) stored parent host tracking struct, */ 9843/* copy the address passed in into the key structure whilst masking out the */ 9844/* bits that we don't want. */ 9845/* */ 9846/* Because the parser will set ht_netmask to 128 if there is no protocol */ 9847/* specified (the parser doesn't know if it should be a v4 or v6 rule), we */ 9848/* have to be wary of that and not allow 32-128 to happen. */ 9849/* ------------------------------------------------------------------------ */ 9850static void 9851ipf_ht_node_make_key(htp, key, family, addr) 9852 host_track_t *htp; 9853 host_node_t *key; 9854 int family; 9855 i6addr_t *addr; 9856{ 9857 key->hn_addr.adf_family = family; 9858 if (family == AF_INET) { 9859 u_32_t mask; 9860 int bits; 9861 9862 key->hn_addr.adf_len = sizeof(key->hn_addr.adf_addr.in4); 9863 bits = htp->ht_netmask; 9864 if (bits >= 32) { 9865 mask = 0xffffffff; 9866 } else { 9867 mask = htonl(0xffffffff << (32 - bits)); 9868 } 9869 key->hn_addr.adf_addr.in4.s_addr = addr->in4.s_addr & mask; 9870#ifdef USE_INET6 9871 } else { 9872 int bits = htp->ht_netmask; 9873 9874 key->hn_addr.adf_len = sizeof(key->hn_addr.adf_addr.in6); 9875 if (bits > 96) { 9876 key->hn_addr.adf_addr.i6[3] = addr->i6[3] & 9877 htonl(0xffffffff << (128 - bits)); 9878 key->hn_addr.adf_addr.i6[2] = addr->i6[2]; 9879 key->hn_addr.adf_addr.i6[1] = addr->i6[2]; 9880 key->hn_addr.adf_addr.i6[0] = addr->i6[2]; 9881 } else if (bits > 64) { 9882 key->hn_addr.adf_addr.i6[3] = 0; 9883 key->hn_addr.adf_addr.i6[2] = addr->i6[2] & 9884 htonl(0xffffffff << (96 - bits)); 9885 key->hn_addr.adf_addr.i6[1] = addr->i6[1]; 9886 key->hn_addr.adf_addr.i6[0] = addr->i6[0]; 9887 } else if (bits > 32) { 9888 key->hn_addr.adf_addr.i6[3] = 0; 9889 key->hn_addr.adf_addr.i6[2] = 0; 9890 key->hn_addr.adf_addr.i6[1] = addr->i6[1] & 9891 htonl(0xffffffff << (64 - bits)); 9892 key->hn_addr.adf_addr.i6[0] = addr->i6[0]; 9893 } else { 9894 key->hn_addr.adf_addr.i6[3] = 0; 9895 key->hn_addr.adf_addr.i6[2] = 0; 9896 key->hn_addr.adf_addr.i6[1] = 0; 9897 key->hn_addr.adf_addr.i6[0] = addr->i6[0] & 9898 htonl(0xffffffff << (32 - bits)); 9899 } 9900#endif 9901 } 9902} 9903 9904 9905/* ------------------------------------------------------------------------ */ 9906/* Function: ipf_ht_node_add */ 9907/* Returns: int - 0 == success, -1 == failure */ 9908/* Parameters: softc(I) - pointer to soft context main structure */ 9909/* htp(I) - pointer to address tracking structure */ 9910/* family(I) - protocol family of address */ 9911/* addr(I) - pointer to network address */ 9912/* */ 9913/* NOTE: THIS FUNCTION MUST BE CALLED WITH AN EXCLUSIVE LOCK THAT PREVENTS */ 9914/* ipf_ht_node_del FROM RUNNING CONCURRENTLY ON THE SAME htp. */ 9915/* */ 9916/* After preparing the key with the address information to find, look in */ 9917/* the red-black tree to see if the address is known. A successful call to */ 9918/* this function can mean one of two things: a new node was added to the */ 9919/* tree or a matching node exists and we're able to bump up its activity. */ 9920/* ------------------------------------------------------------------------ */ 9921int 9922ipf_ht_node_add(softc, htp, family, addr) 9923 ipf_main_softc_t *softc; 9924 host_track_t *htp; 9925 int family; 9926 i6addr_t *addr; 9927{ 9928 host_node_t *h; 9929 host_node_t k; 9930 9931 ipf_ht_node_make_key(htp, &k, family, addr); 9932 9933 h = RBI_SEARCH(ipf_rb, &htp->ht_root, &k); 9934 if (h == NULL) { 9935 if (htp->ht_cur_nodes >= htp->ht_max_nodes) 9936 return -1; 9937 KMALLOC(h, host_node_t *); 9938 if (h == NULL) { 9939 DT(ipf_rb_no_mem); 9940 LBUMP(ipf_rb_no_mem); 9941 return -1; 9942 } 9943 9944 /* 9945 * If there was a macro to initialise the RB node then that 9946 * would get used here, but there isn't... 9947 */ 9948 bzero((char *)h, sizeof(*h)); 9949 h->hn_addr = k.hn_addr; 9950 h->hn_addr.adf_family = k.hn_addr.adf_family; 9951 RBI_INSERT(ipf_rb, &htp->ht_root, h); 9952 htp->ht_cur_nodes++; 9953 } else { 9954 if ((htp->ht_max_per_node != 0) && 9955 (h->hn_active >= htp->ht_max_per_node)) { 9956 DT(ipf_rb_node_max); 9957 LBUMP(ipf_rb_node_max); 9958 return -1; 9959 } 9960 } 9961 9962 h->hn_active++; 9963 9964 return 0; 9965} 9966 9967 9968/* ------------------------------------------------------------------------ */ 9969/* Function: ipf_ht_node_del */ 9970/* Returns: int - 0 == success, -1 == failure */ 9971/* parameters: htp(I) - pointer to address tracking structure */ 9972/* family(I) - protocol family of address */ 9973/* addr(I) - pointer to network address */ 9974/* */ 9975/* NOTE: THIS FUNCTION MUST BE CALLED WITH AN EXCLUSIVE LOCK THAT PREVENTS */ 9976/* ipf_ht_node_add FROM RUNNING CONCURRENTLY ON THE SAME htp. */ 9977/* */ 9978/* Try and find the address passed in amongst the leavese on this tree to */ 9979/* be friend. If found then drop the active account for that node drops by */ 9980/* one. If that count reaches 0, it is time to free it all up. */ 9981/* ------------------------------------------------------------------------ */ 9982int 9983ipf_ht_node_del(htp, family, addr) 9984 host_track_t *htp; 9985 int family; 9986 i6addr_t *addr; 9987{ 9988 host_node_t *h; 9989 host_node_t k; 9990 9991 ipf_ht_node_make_key(htp, &k, family, addr); 9992 9993 h = RBI_SEARCH(ipf_rb, &htp->ht_root, &k); 9994 if (h == NULL) { 9995 return -1; 9996 } else { 9997 h->hn_active--; 9998 if (h->hn_active == 0) { 9999 (void) RBI_DELETE(ipf_rb, &htp->ht_root, h); 10000 htp->ht_cur_nodes--; 10001 KFREE(h); 10002 } 10003 } 10004 10005 return 0; 10006} 10007 10008 10009/* ------------------------------------------------------------------------ */ 10010/* Function: ipf_rb_ht_init */ 10011/* Returns: Nil */ 10012/* Parameters: head(I) - pointer to host tracking structure */ 10013/* */ 10014/* Initialise the host tracking structure to be ready for use above. */ 10015/* ------------------------------------------------------------------------ */ 10016void 10017ipf_rb_ht_init(head) 10018 host_track_t *head; 10019{ 10020 RBI_INIT(ipf_rb, &head->ht_root); 10021} 10022 10023 10024/* ------------------------------------------------------------------------ */ 10025/* Function: ipf_rb_ht_freenode */ 10026/* Returns: Nil */ 10027/* Parameters: head(I) - pointer to host tracking structure */ 10028/* arg(I) - additional argument from walk caller */ 10029/* */ 10030/* Free an actual host_node_t structure. */ 10031/* ------------------------------------------------------------------------ */ 10032void 10033ipf_rb_ht_freenode(node, arg) 10034 host_node_t *node; 10035 void *arg; 10036{ 10037 KFREE(node); 10038} 10039 10040 10041/* ------------------------------------------------------------------------ */ 10042/* Function: ipf_rb_ht_flush */ 10043/* Returns: Nil */ 10044/* Parameters: head(I) - pointer to host tracking structure */ 10045/* */ 10046/* Remove all of the nodes in the tree tracking hosts by calling a walker */ 10047/* and free'ing each one. */ 10048/* ------------------------------------------------------------------------ */ 10049void 10050ipf_rb_ht_flush(head) 10051 host_track_t *head; 10052{ 10053 RBI_WALK(ipf_rb, &head->ht_root, ipf_rb_ht_freenode, NULL); 10054} 10055 10056 10057/* ------------------------------------------------------------------------ */ 10058/* Function: ipf_slowtimer */ 10059/* Returns: Nil */ 10060/* Parameters: ptr(I) - pointer to main ipf soft context structure */ 10061/* */ 10062/* Slowly expire held state for fragments. Timeouts are set * in */ 10063/* expectation of this being called twice per second. */ 10064/* ------------------------------------------------------------------------ */ 10065void 10066ipf_slowtimer(softc) 10067 ipf_main_softc_t *softc; 10068{ 10069 10070 ipf_token_expire(softc); 10071 ipf_frag_expire(softc); 10072 ipf_state_expire(softc); 10073 ipf_nat_expire(softc); 10074 ipf_auth_expire(softc); 10075 ipf_lookup_expire(softc); 10076 ipf_rule_expire(softc); 10077 ipf_sync_expire(softc); 10078 softc->ipf_ticks++; 10079# if defined(__OpenBSD__) 10080 timeout_add(&ipf_slowtimer_ch, hz/2); 10081# endif 10082} 10083 10084 10085/* ------------------------------------------------------------------------ */ 10086/* Function: ipf_inet_mask_add */ 10087/* Returns: Nil */ 10088/* Parameters: bits(I) - pointer to nat context information */ 10089/* mtab(I) - pointer to mask hash table structure */ 10090/* */ 10091/* When called, bits represents the mask of a new NAT rule that has just */ 10092/* been added. This function inserts a bitmask into the array of masks to */ 10093/* search when searching for a matching NAT rule for a packet. */ 10094/* Prevention of duplicate masks is achieved by checking the use count for */ 10095/* a given netmask. */ 10096/* ------------------------------------------------------------------------ */ 10097void 10098ipf_inet_mask_add(bits, mtab) 10099 int bits; 10100 ipf_v4_masktab_t *mtab; 10101{ 10102 u_32_t mask; 10103 int i, j; 10104 10105 mtab->imt4_masks[bits]++; 10106 if (mtab->imt4_masks[bits] > 1) 10107 return; 10108 10109 if (bits == 0) 10110 mask = 0; 10111 else 10112 mask = 0xffffffff << (32 - bits); 10113 10114 for (i = 0; i < 33; i++) { 10115 if (ntohl(mtab->imt4_active[i]) < mask) { 10116 for (j = 32; j > i; j--) 10117 mtab->imt4_active[j] = mtab->imt4_active[j - 1]; 10118 mtab->imt4_active[i] = htonl(mask); 10119 break; 10120 } 10121 } 10122 mtab->imt4_max++; 10123} 10124 10125 10126/* ------------------------------------------------------------------------ */ 10127/* Function: ipf_inet_mask_del */ 10128/* Returns: Nil */ 10129/* Parameters: bits(I) - number of bits set in the netmask */ 10130/* mtab(I) - pointer to mask hash table structure */ 10131/* */ 10132/* Remove the 32bit bitmask represented by "bits" from the collection of */ 10133/* netmasks stored inside of mtab. */ 10134/* ------------------------------------------------------------------------ */ 10135void 10136ipf_inet_mask_del(bits, mtab) 10137 int bits; 10138 ipf_v4_masktab_t *mtab; 10139{ 10140 u_32_t mask; 10141 int i, j; 10142 10143 mtab->imt4_masks[bits]--; 10144 if (mtab->imt4_masks[bits] > 0) 10145 return; 10146 10147 mask = htonl(0xffffffff << (32 - bits)); 10148 for (i = 0; i < 33; i++) { 10149 if (mtab->imt4_active[i] == mask) { 10150 for (j = i + 1; j < 33; j++) 10151 mtab->imt4_active[j - 1] = mtab->imt4_active[j]; 10152 break; 10153 } 10154 } 10155 mtab->imt4_max--; 10156 ASSERT(mtab->imt4_max >= 0); 10157} 10158 10159 10160#ifdef USE_INET6 10161/* ------------------------------------------------------------------------ */ 10162/* Function: ipf_inet6_mask_add */ 10163/* Returns: Nil */ 10164/* Parameters: bits(I) - number of bits set in mask */ 10165/* mask(I) - pointer to mask to add */ 10166/* mtab(I) - pointer to mask hash table structure */ 10167/* */ 10168/* When called, bitcount represents the mask of a IPv6 NAT map rule that */ 10169/* has just been added. This function inserts a bitmask into the array of */ 10170/* masks to search when searching for a matching NAT rule for a packet. */ 10171/* Prevention of duplicate masks is achieved by checking the use count for */ 10172/* a given netmask. */ 10173/* ------------------------------------------------------------------------ */ 10174void 10175ipf_inet6_mask_add(bits, mask, mtab) 10176 int bits; 10177 i6addr_t *mask; 10178 ipf_v6_masktab_t *mtab; 10179{ 10180 i6addr_t zero; 10181 int i, j; 10182 10183 mtab->imt6_masks[bits]++; 10184 if (mtab->imt6_masks[bits] > 1) 10185 return; 10186 10187 if (bits == 0) { 10188 mask = &zero; 10189 zero.i6[0] = 0; 10190 zero.i6[1] = 0; 10191 zero.i6[2] = 0; 10192 zero.i6[3] = 0; 10193 } 10194 10195 for (i = 0; i < 129; i++) { 10196 if (IP6_LT(&mtab->imt6_active[i], mask)) { 10197 for (j = 128; j > i; j--) 10198 mtab->imt6_active[j] = mtab->imt6_active[j - 1]; 10199 mtab->imt6_active[i] = *mask; 10200 break; 10201 } 10202 } 10203 mtab->imt6_max++; 10204} 10205 10206 10207/* ------------------------------------------------------------------------ */ 10208/* Function: ipf_inet6_mask_del */ 10209/* Returns: Nil */ 10210/* Parameters: bits(I) - number of bits set in mask */ 10211/* mask(I) - pointer to mask to remove */ 10212/* mtab(I) - pointer to mask hash table structure */ 10213/* */ 10214/* Remove the 128bit bitmask represented by "bits" from the collection of */ 10215/* netmasks stored inside of mtab. */ 10216/* ------------------------------------------------------------------------ */ 10217void 10218ipf_inet6_mask_del(bits, mask, mtab) 10219 int bits; 10220 i6addr_t *mask; 10221 ipf_v6_masktab_t *mtab; 10222{ 10223 i6addr_t zero; 10224 int i, j; 10225 10226 mtab->imt6_masks[bits]--; 10227 if (mtab->imt6_masks[bits] > 0) 10228 return; 10229 10230 if (bits == 0) 10231 mask = &zero; 10232 zero.i6[0] = 0; 10233 zero.i6[1] = 0; 10234 zero.i6[2] = 0; 10235 zero.i6[3] = 0; 10236 10237 for (i = 0; i < 129; i++) { 10238 if (IP6_EQ(&mtab->imt6_active[i], mask)) { 10239 for (j = i + 1; j < 129; j++) { 10240 mtab->imt6_active[j - 1] = mtab->imt6_active[j]; 10241 if (IP6_EQ(&mtab->imt6_active[j - 1], &zero)) 10242 break; 10243 } 10244 break; 10245 } 10246 } 10247 mtab->imt6_max--; 10248 ASSERT(mtab->imt6_max >= 0); 10249} 10250 10251#ifdef _KERNEL 10252static u_int 10253ipf_pcksum6(fin, ip6, off, len) 10254 fr_info_t *fin; 10255 ip6_t *ip6; 10256 u_int32_t off; 10257 u_int32_t len; 10258{ 10259 struct mbuf *m; 10260 int sum; 10261 10262 m = fin->fin_m; 10263 if (m->m_len < sizeof(struct ip6_hdr)) { 10264 return 0xffff; 10265 } 10266 10267 sum = in6_cksum(m, ip6->ip6_nxt, off, len); 10268 return(sum); 10269} 10270#else 10271static u_int 10272ipf_pcksum6(fin, ip6, off, len) 10273 fr_info_t *fin; 10274 ip6_t *ip6; 10275 u_int32_t off; 10276 u_int32_t len; 10277{ 10278 u_short *sp; 10279 u_int sum; 10280 10281 sp = (u_short *)&ip6->ip6_src; 10282 sum = *sp++; /* ip6_src */ 10283 sum += *sp++; 10284 sum += *sp++; 10285 sum += *sp++; 10286 sum += *sp++; 10287 sum += *sp++; 10288 sum += *sp++; 10289 sum += *sp++; 10290 sum += *sp++; /* ip6_dst */ 10291 sum += *sp++; 10292 sum += *sp++; 10293 sum += *sp++; 10294 sum += *sp++; 10295 sum += *sp++; 10296 sum += *sp++; 10297 sum += *sp++; 10298 return(ipf_pcksum(fin, off, sum)); 10299} 10300#endif 10301#endif 10302