4 * Copyright (C) 1998-2003 by Darren Reed & Guido van Rooij.
6 * See the IPFILTER.LICENCE file for details on licencing.
8 #if defined(KERNEL) || defined(_KERNEL)
14 #include <sys/errno.h>
15 #include <sys/types.h>
16 #include <sys/param.h>
30 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
31 # include <sys/filio.h>
32 # include <sys/fcntl.h>
34 # include <sys/ioctl.h>
37 # include <sys/protosw.h>
39 #include <sys/socket.h>
41 # include <sys/systm.h>
42 # if !defined(__SVR4) && !defined(__svr4__) && !defined(linux)
43 # include <sys/mbuf.h>
46 #if defined(__SVR4) || defined(__svr4__)
47 # include <sys/filio.h>
48 # include <sys/byteorder.h>
50 # include <sys/dditypes.h>
52 # include <sys/stream.h>
53 # include <sys/kmem.h>
55 #if (defined(_BSDI_VERSION) && _BSDI_VERSION >= 199802) || \
56 (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000))
57 # include <sys/queue.h>
59 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
60 # include <machine/cpu.h>
62 #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
63 # include <sys/proc.h>
69 #include <net/route.h>
70 #include <netinet/in.h>
71 #include <netinet/in_systm.h>
72 #include <netinet/ip.h>
73 #if !defined(_KERNEL) && defined(__FreeBSD_version) && \
74 __FreeBSD_version >= 800049
75 # define V_ip_do_randomid ip_do_randomid
76 # define V_ip_id ip_id
78 #if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi)
84 # include <netinet/ip_var.h>
90 #include <netinet/tcp.h>
91 #if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */
92 extern struct ifqueue ipintrq; /* ip packet input queue */
94 # if !defined(__hpux) && !defined(linux)
95 # if __FreeBSD_version >= 300000
96 # include <net/if_var.h>
97 # if __FreeBSD_version >= 500042
98 # define IF_QFULL _IF_QFULL
99 # define IF_DROP _IF_DROP
100 # endif /* __FreeBSD_version >= 500042 */
102 # include <netinet/in_var.h>
103 # include <netinet/tcp_fsm.h>
106 #include <netinet/udp.h>
107 #include <netinet/ip_icmp.h>
108 #include "netinet/ip_compat.h"
109 #include <netinet/tcpip.h>
110 #include "netinet/ip_fil.h"
111 #include "netinet/ip_auth.h"
112 #if !defined(MENTAT) && !defined(linux)
113 # include <net/netisr.h>
115 # include <machine/cpufunc.h>
118 #if (__FreeBSD_version >= 300000)
119 # include <sys/malloc.h>
120 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
121 # include <sys/libkern.h>
122 # include <sys/systm.h>
125 /* END OF INCLUDES */
128 static const char rcsid[] = "@(#)$FreeBSD$";
129 /* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.24 2007/09/09 11:32:04 darrenr Exp $"; */
133 #if SOLARIS && defined(_KERNEL)
134 extern kcondvar_t ipfauthwait;
135 extern struct pollhead iplpollhead[IPL_LOGSIZE];
137 #if defined(linux) && defined(_KERNEL)
138 wait_queue_head_t fr_authnext_linux;
141 int fr_authsize = FR_NUMAUTH;
143 int fr_defaultauthage = 600;
144 int fr_auth_lock = 0;
145 int fr_auth_init = 0;
146 fr_authstat_t fr_authstats;
147 static frauth_t *fr_auth = NULL;
148 mb_t **fr_authpkts = NULL;
149 int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
150 frauthent_t *fae_list = NULL;
151 frentry_t *ipauth = NULL,
154 void fr_authderef __P((frauthent_t **));
155 int fr_authgeniter __P((ipftoken_t *, ipfgeniter_t *));
156 int fr_authreply __P((char *));
157 int fr_authwait __P((char *));
159 /* ------------------------------------------------------------------------ */
160 /* Function: fr_authinit */
161 /* Returns: int - 0 == success, else error */
162 /* Parameters: None */
164 /* Allocate memory and initialise data structures used in handling auth */
166 /* ------------------------------------------------------------------------ */
169 KMALLOCS(fr_auth, frauth_t *, fr_authsize * sizeof(*fr_auth));
171 bzero((char *)fr_auth, fr_authsize * sizeof(*fr_auth));
175 KMALLOCS(fr_authpkts, mb_t **, fr_authsize * sizeof(*fr_authpkts));
176 if (fr_authpkts != NULL)
177 bzero((char *)fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
181 MUTEX_INIT(&ipf_authmx, "ipf auth log mutex");
182 RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock");
183 #if SOLARIS && defined(_KERNEL)
184 cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL);
186 #if defined(linux) && defined(_KERNEL)
187 init_waitqueue_head(&fr_authnext_linux);
196 /* ------------------------------------------------------------------------ */
197 /* Function: fr_checkauth */
198 /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */
199 /* Parameters: fin(I) - pointer to ipftoken structure */
200 /* passp(I) - pointer to ipfgeniter structure */
202 /* Check if a packet has authorization. If the packet is found to match an */
203 /* authorization result and that would result in a feedback loop (i.e. it */
204 /* will end up returning FR_AUTH) then return FR_BLOCK instead. */
205 /* ------------------------------------------------------------------------ */
206 frentry_t *fr_checkauth(fin, passp)
217 if (fr_auth_lock || !fr_authused)
223 READ_ENTER(&ipf_auth);
224 for (i = fr_authstart; i != fr_authend; ) {
226 * index becomes -2 only after an SIOCAUTHW. Check this in
227 * case the same packet gets sent again and it hasn't yet been
231 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
232 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
234 * Avoid feedback loop.
236 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass)))
239 * Create a dummy rule for the stateful checking to
240 * use and return. Zero out any values we don't
241 * trust from userland!
243 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
244 (fin->fin_flx & FI_FRAG))) {
245 KMALLOC(fr, frentry_t *);
247 bcopy((char *)fra->fra_info.fin_fr,
248 (char *)fr, sizeof(*fr));
250 fr->fr_ifa = fin->fin_ifp;
254 fr->fr_ifas[1] = NULL;
255 fr->fr_ifas[2] = NULL;
256 fr->fr_ifas[3] = NULL;
259 fr = fra->fra_info.fin_fr;
261 RWLOCK_EXIT(&ipf_auth);
263 WRITE_ENTER(&ipf_auth);
265 * fr_authlist is populated with the rules malloc'd
266 * above and only those.
268 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) {
269 fr->fr_next = fr_authlist;
272 fr_authstats.fas_hits++;
275 if (i == fr_authstart) {
276 while (fra->fra_index == -1) {
279 if (i == fr_authsize) {
287 if (fr_authstart == fr_authend) {
289 fr_authstart = fr_authend = 0;
292 RWLOCK_EXIT(&ipf_auth);
295 ATOMIC_INC64(fr_authstats.fas_hits);
299 if (i == fr_authsize)
302 fr_authstats.fas_miss++;
303 RWLOCK_EXIT(&ipf_auth);
304 ATOMIC_INC64(fr_authstats.fas_miss);
309 /* ------------------------------------------------------------------------ */
310 /* Function: fr_newauth */
311 /* Returns: int - 1 == success, 0 = did not put packet on auth queue */
312 /* Parameters: m(I) - pointer to mb_t with packet in it */
313 /* fin(I) - pointer to packet information */
315 /* Check if we have room in the auth array to hold details for another */
316 /* packet. If we do, store it and wake up any user programs which are */
317 /* waiting to hear about these events. */
318 /* ------------------------------------------------------------------------ */
319 int fr_newauth(m, fin)
323 #if defined(_KERNEL) && defined(MENTAT)
324 qpktinfo_t *qpi = fin->fin_qpi;
327 #if !defined(sparc) && !defined(m68k)
335 WRITE_ENTER(&ipf_auth);
336 if (((fr_authend + 1) % fr_authsize) == fr_authstart) {
337 fr_authstats.fas_nospace++;
338 RWLOCK_EXIT(&ipf_auth);
342 fr_authstats.fas_added++;
345 if (fr_authend == fr_authsize)
349 RWLOCK_EXIT(&ipf_auth);
351 if (fin->fin_fr != NULL)
352 fra->fra_pass = fin->fin_fr->fr_flags;
355 fra->fra_age = fr_defaultauthage;
356 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
357 #if !defined(sparc) && !defined(m68k)
359 * No need to copyback here as we want to undo the changes, not keep
363 # if defined(MENTAT) && defined(_KERNEL)
364 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4))
370 ip->ip_len = htons(bo);
372 ip->ip_off = htons(bo);
375 #if SOLARIS && defined(_KERNEL)
376 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname);
377 m->b_rptr -= qpi->qpi_off;
378 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
379 # if !defined(_INET_IP_STACK_H)
380 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */
382 fra->fra_m = *fin->fin_mp;
383 fra->fra_info.fin_mp = &fra->fra_m;
384 cv_signal(&ipfauthwait);
385 pollwakeup(&iplpollhead[IPL_LOGAUTH], POLLIN|POLLRDNORM);
388 WAKEUP(&fr_authnext,0);
394 /* ------------------------------------------------------------------------ */
395 /* Function: fr_auth_ioctl */
396 /* Returns: int - 0 == success, else error */
397 /* Parameters: data(IO) - pointer to ioctl data */
398 /* cmd(I) - ioctl command */
399 /* mode(I) - mode flags associated with open descriptor */
400 /* uid(I) - uid associatd with application making the call */
401 /* ctx(I) - pointer for context */
403 /* This function handles all of the ioctls recognised by the auth component */
404 /* in IPFilter - ie ioctls called on an open fd for /dev/ipauth */
405 /* ------------------------------------------------------------------------ */
406 int fr_auth_ioctl(data, cmd, mode, uid, ctx)
422 error = fr_inobj(data, &iter, IPFOBJ_GENITER);
427 token = ipf_findtoken(IPFGENITER_AUTH, uid, ctx);
429 error = fr_authgeniter(token, &iter);
432 RWLOCK_EXIT(&ipf_tokens);
440 if (!(mode & FWRITE))
443 error = frrequest(IPL_LOGAUTH, cmd, data,
448 if (!(mode & FWRITE)) {
452 error = fr_lock(data, &fr_auth_lock);
456 fr_authstats.fas_faelist = fae_list;
457 error = fr_outobj(data, &fr_authstats, IPFOBJ_AUTHSTAT);
462 WRITE_ENTER(&ipf_auth);
464 RWLOCK_EXIT(&ipf_auth);
466 error = BCOPYOUT((char *)&i, data, sizeof(i));
472 error = fr_authwait(data);
476 error = fr_authreply(data);
487 /* ------------------------------------------------------------------------ */
488 /* Function: fr_authunload */
490 /* Parameters: None */
492 /* Free all network buffer memory used to keep saved packets. */
493 /* ------------------------------------------------------------------------ */
497 register frauthent_t *fae, **faep;
498 frentry_t *fr, **frp;
501 if (fr_auth != NULL) {
502 KFREES(fr_auth, fr_authsize * sizeof(*fr_auth));
506 if (fr_authpkts != NULL) {
507 for (i = 0; i < fr_authsize; i++) {
511 fr_authpkts[i] = NULL;
514 KFREES(fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
519 while ((fae = *faep) != NULL) {
520 *faep = fae->fae_next;
525 if (fr_authlist != NULL) {
526 for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
527 if (fr->fr_ref == 1) {
535 if (fr_auth_init == 1) {
536 # if SOLARIS && defined(_KERNEL)
537 cv_destroy(&ipfauthwait);
539 MUTEX_DESTROY(&ipf_authmx);
540 RW_DESTROY(&ipf_auth);
547 /* ------------------------------------------------------------------------ */
548 /* Function: fr_authexpire */
550 /* Parameters: None */
552 /* Slowly expire held auth records. Timeouts are set in expectation of */
553 /* this being called twice per second. */
554 /* ------------------------------------------------------------------------ */
557 frauthent_t *fae, **faep;
558 frentry_t *fr, **frp;
568 WRITE_ENTER(&ipf_auth);
569 for (i = 0, fra = fr_auth; i < fr_authsize; i++, fra++) {
571 if ((fra->fra_age == 0) && (m = fr_authpkts[i])) {
573 fr_authpkts[i] = NULL;
574 fr_auth[i].fra_index = -1;
575 fr_authstats.fas_expire++;
581 * Expire pre-auth rules
583 for (faep = &fae_list; ((fae = *faep) != NULL); ) {
585 if (fae->fae_age == 0) {
587 fr_authstats.fas_expire++;
589 faep = &fae->fae_next;
591 if (fae_list != NULL)
592 ipauth = &fae_list->fae_fr;
596 for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
597 if (fr->fr_ref == 1) {
603 RWLOCK_EXIT(&ipf_auth);
608 /* ------------------------------------------------------------------------ */
609 /* Function: fr_preauthcmd */
610 /* Returns: int - 0 == success, else error */
611 /* Parameters: cmd(I) - ioctl command for rule */
612 /* fr(I) - pointer to ipf rule */
613 /* fptr(I) - pointer to caller's 'fr' */
615 /* ------------------------------------------------------------------------ */
616 int fr_preauthcmd(cmd, fr, frptr)
618 frentry_t *fr, **frptr;
620 frauthent_t *fae, **faep;
624 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR))
627 for (faep = &fae_list; ((fae = *faep) != NULL); ) {
628 if (&fae->fae_fr == fr)
631 faep = &fae->fae_next;
634 if (cmd == (ioctlcmd_t)SIOCRMAFR) {
635 if (fr == NULL || frptr == NULL)
637 else if (fae == NULL)
641 WRITE_ENTER(&ipf_auth);
642 *faep = fae->fae_next;
643 if (ipauth == &fae->fae_fr)
644 ipauth = fae_list ? &fae_list->fae_fr : NULL;
645 RWLOCK_EXIT(&ipf_auth);
650 } else if (fr != NULL && frptr != NULL) {
651 KMALLOC(fae, frauthent_t *);
653 bcopy((char *)fr, (char *)&fae->fae_fr,
656 WRITE_ENTER(&ipf_auth);
657 fae->fae_age = fr_defaultauthage;
658 fae->fae_fr.fr_hits = 0;
659 fae->fae_fr.fr_next = *frptr;
661 *frptr = &fae->fae_fr;
662 fae->fae_next = *faep;
664 ipauth = &fae_list->fae_fr;
665 RWLOCK_EXIT(&ipf_auth);
675 /* ------------------------------------------------------------------------ */
676 /* Function: fr_authflush */
677 /* Returns: int - number of auth entries flushed */
678 /* Parameters: None */
679 /* Locks: WRITE(ipf_auth) */
681 /* This function flushs the fr_authpkts array of any packet data with */
682 /* references still there. */
683 /* It is expected that the caller has already acquired the correct locks or */
684 /* set the priority level correctly for this to block out other code paths */
685 /* into these data structures. */
686 /* ------------------------------------------------------------------------ */
689 register int i, num_flushed;
697 for (i = 0 ; i < fr_authsize; i++) {
701 fr_authpkts[i] = NULL;
702 fr_auth[i].fra_index = -1;
703 /* perhaps add & use a flush counter inst.*/
704 fr_authstats.fas_expire++;
718 /* ------------------------------------------------------------------------ */
719 /* Function: fr_auth_waiting */
720 /* Returns: int - 0 = no pakcets wiating, 1 = packets waiting. */
721 /* Parameters: None */
723 /* Simple truth check to see if there are any packets waiting in the auth */
725 /* ------------------------------------------------------------------------ */
726 int fr_auth_waiting()
728 return (fr_authused != 0);
732 /* ------------------------------------------------------------------------ */
733 /* Function: fr_authgeniter */
734 /* Returns: int - 0 == success, else error */
735 /* Parameters: token(I) - pointer to ipftoken structure */
736 /* itp(I) - pointer to ipfgeniter structure */
738 /* ------------------------------------------------------------------------ */
739 int fr_authgeniter(token, itp)
743 frauthent_t *fae, *next, zero;
746 if (itp->igi_data == NULL)
749 if (itp->igi_type != IPFGENITER_AUTH)
752 fae = token->ipt_data;
753 READ_ENTER(&ipf_auth);
757 next = fae->fae_next;
762 * If we find an auth entry to use, bump its reference count
763 * so that it can be used for is_next when we come back.
765 ATOMIC_INC(next->fae_ref);
766 if (next->fae_next == NULL) {
767 ipf_freetoken(token);
770 token->ipt_data = next;
773 bzero(&zero, sizeof(zero));
776 RWLOCK_EXIT(&ipf_auth);
779 * If we had a prior pointer to an auth entry, release it.
782 WRITE_ENTER(&ipf_auth);
784 RWLOCK_EXIT(&ipf_auth);
788 * This should arguably be via fr_outobj() so that the auth
789 * structure can (if required) be massaged going out.
791 error = COPYOUT(next, itp->igi_data, sizeof(*next));
799 /* ------------------------------------------------------------------------ */
800 /* Function: fr_authderef */
802 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */
803 /* Locks: WRITE(ipf_auth) */
805 /* This function unconditionally sets the pointer in the caller to NULL, */
806 /* to make it clear that it should no longer use that pointer, and drops */
807 /* the reference count on the structure by 1. If it reaches 0, free it up. */
808 /* ------------------------------------------------------------------------ */
809 void fr_authderef(faep)
818 if (fae->fae_ref == 0) {
824 /* ------------------------------------------------------------------------ */
825 /* Function: fr_authwait */
826 /* Returns: int - 0 == success, else error */
827 /* Parameters: data(I) - pointer to data from ioctl call */
829 /* This function is called when an application is waiting for a packet to */
830 /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */
831 /* a packet waiting on the queue then we will return that _one_ immediately.*/
832 /* If there are no packets present in the queue (fr_authpkts) then we go to */
834 /* ------------------------------------------------------------------------ */
835 int fr_authwait(data)
838 frauth_t auth, *au = &auth;
842 #if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \
843 (!defined(__FreeBSD_version) || (__FreeBSD_version < 501000))
848 error = fr_inobj(data, au, IPFOBJ_FRAUTH);
853 * XXX Locks are held below over calls to copyout...a better
854 * solution needs to be found so this isn't necessary. The situation
855 * we are trying to guard against here is an error in the copyout
856 * steps should not cause the packet to "disappear" from the queue.
858 READ_ENTER(&ipf_auth);
861 * If fr_authnext is not equal to fr_authend it will be because there
862 * is a packet waiting to be delt with in the fr_authpkts array. We
863 * copy as much of that out to user space as requested.
865 if (fr_authused > 0) {
866 while (fr_authpkts[fr_authnext] == NULL) {
868 if (fr_authnext == fr_authsize)
872 error = fr_outobj(data, &fr_auth[fr_authnext], IPFOBJ_FRAUTH);
876 if (auth.fra_len != 0 && auth.fra_buf != NULL) {
878 * Copy packet contents out to user space if
879 * requested. Bail on an error.
881 m = fr_authpkts[fr_authnext];
883 if (len > auth.fra_len)
887 for (t = auth.fra_buf; m && (len > 0); ) {
888 i = MIN(M_LEN(m), len);
889 error = copyoutptr(MTOD(m, char *), &t, i);
897 RWLOCK_EXIT(&ipf_auth);
900 WRITE_ENTER(&ipf_auth);
902 if (fr_authnext == fr_authsize)
904 RWLOCK_EXIT(&ipf_auth);
909 RWLOCK_EXIT(&ipf_auth);
911 MUTEX_ENTER(&ipf_authmx);
915 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx.ipf_lk))
922 l = get_sleep_lock(&fr_authnext);
923 error = sleep(&fr_authnext, PZERO+1);
928 error = mpsleep(&fr_authnext, PSUSP|PCATCH, "fr_authnext", 0,
929 &ipf_authmx, MS_LOCK_SIMPLE);
931 error = SLEEP(&fr_authnext, "fr_authnext");
932 # endif /* __osf__ */
934 # endif /* SOLARIS */
936 MUTEX_EXIT(&ipf_authmx);
938 goto fr_authioctlloop;
943 /* ------------------------------------------------------------------------ */
944 /* Function: fr_authreply */
945 /* Returns: int - 0 == success, else error */
946 /* Parameters: data(I) - pointer to data from ioctl call */
948 /* This function is called by an application when it wants to return a */
949 /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */
950 /* received information using an SIOCAUTHW. The decision returned in the */
951 /* form of flags, the same as those used in each rule. */
952 /* ------------------------------------------------------------------------ */
953 int fr_authreply(data)
956 frauth_t auth, *au = &auth, *fra;
961 error = fr_inobj(data, &auth, IPFOBJ_FRAUTH);
966 WRITE_ENTER(&ipf_auth);
973 * Check the validity of the information being returned with two simple
974 * checks. First, the auth index value should be within the size of
975 * the array and second the packet id being returned should also match.
977 if ((i < 0) || (i >= fr_authsize) ||
978 (fra->fra_info.fin_id != au->fra_info.fin_id)) {
979 RWLOCK_EXIT(&ipf_auth);
986 fra->fra_pass = au->fra_pass;
987 fr_authpkts[i] = NULL;
989 RWLOCK_EXIT(&ipf_auth);
992 * Re-insert the packet back into the packet stream flowing through
993 * the kernel in a manner that will mean IPFilter sees the packet
994 * again. This is not the same as is done with fastroute,
995 * deliberately, as we want to resume the normal packet processing
999 if ((m != NULL) && (au->fra_info.fin_out != 0)) {
1000 error = ipf_inject(&fra->fra_info, m);
1003 fr_authstats.fas_sendfail++;
1005 fr_authstats.fas_sendok++;
1008 error = ipf_inject(&fra->fra_info, m);
1011 fr_authstats.fas_quefail++;
1013 fr_authstats.fas_queok++;
1020 * If we experience an error which will result in the packet
1021 * not being processed, make sure we advance to the next one.
1023 if (error == ENOBUFS) {
1024 WRITE_ENTER(&ipf_auth);
1026 fra->fra_index = -1;
1028 if (i == fr_authstart) {
1029 while (fra->fra_index == -1) {
1031 if (i == fr_authsize)
1034 if (i == fr_authend)
1037 if (fr_authstart == fr_authend) {
1039 fr_authstart = fr_authend = 0;
1042 RWLOCK_EXIT(&ipf_auth);
1044 #endif /* _KERNEL */