2 * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
4 * See the IPFILTER.LICENCE file for details on licencing.
11 #if !defined(_KERNEL) && !defined(KERNEL)
16 #if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
17 # include <sys/filio.h>
18 # include <sys/fcntl.h>
20 # include <sys/ioctl.h>
24 # include <sys/protosw.h>
26 #include <sys/socket.h>
27 #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
28 # include <sys/systm.h>
30 #if !defined(__SVR4) && !defined(__svr4__)
32 # include <sys/mbuf.h>
35 # include <sys/filio.h>
36 # include <sys/byteorder.h>
38 # include <sys/dditypes.h>
40 # include <sys/stream.h>
41 # include <sys/kmem.h>
43 #if (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
44 # include <sys/queue.h>
46 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
47 # include <machine/cpu.h>
53 #include <net/route.h>
54 #include <netinet/in.h>
55 #include <netinet/in_systm.h>
56 #include <netinet/ip.h>
62 # include <netinet/ip_var.h>
68 # ifdef IFF_DRVRLOCK /* IRIX6 */
69 # include <sys/hashing.h>
72 #include <netinet/tcp.h>
73 #if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
74 extern struct ifqueue ipintrq; /* ip packet input queue */
77 # if __FreeBSD_version >= 300000
78 # include <net/if_var.h>
80 # include <netinet/in_var.h>
81 # include <netinet/tcp_fsm.h>
84 #include <netinet/udp.h>
85 #include <netinet/ip_icmp.h>
86 #include "netinet/ip_compat.h"
87 #include <netinet/tcpip.h>
88 #include "netinet/ip_fil.h"
89 #include "netinet/ip_auth.h"
90 #if !SOLARIS && !defined(linux)
91 # include <net/netisr.h>
93 # include <machine/cpufunc.h>
96 #if (__FreeBSD_version >= 300000)
97 # include <sys/malloc.h>
98 # if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
99 # include <sys/libkern.h>
100 # include <sys/systm.h>
105 /* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.12 2001/07/18 14:57:08 darrenr Exp $"; */
106 static const char rcsid[] = "@(#)$FreeBSD$";
110 #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
111 extern KRWLOCK_T ipf_auth, ipf_mutex;
112 extern kmutex_t ipf_authmx;
114 extern kcondvar_t ipfauthwait;
118 static struct wait_queue *ipfauthwait = NULL;
121 int fr_authsize = FR_NUMAUTH;
123 int fr_defaultauthage = 600;
124 int fr_auth_lock = 0;
125 fr_authstat_t fr_authstats;
126 static frauth_t fr_auth[FR_NUMAUTH];
127 mb_t *fr_authpkts[FR_NUMAUTH];
128 static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
129 static frauthent_t *fae_list = NULL;
130 frentry_t *ipauth = NULL,
135 * Check if a packet has authorization. If the packet is found to match an
136 * authorization result and that would result in a feedback loop (i.e. it
137 * will end up returning FR_AUTH) then return FR_BLOCK instead.
139 u_32_t fr_checkauth(ip, fin)
143 u_short id = ip->ip_id;
149 if (fr_auth_lock || !fr_authused)
152 READ_ENTER(&ipf_auth);
153 for (i = fr_authstart; i != fr_authend; ) {
155 * index becomes -2 only after an SIOCAUTHW. Check this in
156 * case the same packet gets sent again and it hasn't yet been
160 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
161 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
163 * Avoid feedback loop.
165 if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
168 * Create a dummy rule for the stateful checking to
169 * use and return. Zero out any values we don't
170 * trust from userland!
172 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
173 (fin->fin_fi.fi_fl & FI_FRAG))) {
174 KMALLOC(fr, frentry_t *);
176 bcopy((char *)fra->fra_info.fin_fr,
179 fr->fr_ifa = fin->fin_ifp;
188 fr = fra->fra_info.fin_fr;
190 RWLOCK_EXIT(&ipf_auth);
191 WRITE_ENTER(&ipf_auth);
192 if (fr && fr != fra->fra_info.fin_fr) {
193 fr->fr_next = fr_authlist;
196 fr_authstats.fas_hits++;
199 if (i == fr_authstart) {
200 while (fra->fra_index == -1) {
203 if (i == FR_NUMAUTH) {
211 if (fr_authstart == fr_authend) {
213 fr_authstart = fr_authend = 0;
216 RWLOCK_EXIT(&ipf_auth);
223 fr_authstats.fas_miss++;
224 RWLOCK_EXIT(&ipf_auth);
230 * Check if we have room in the auth array to hold details for another packet.
231 * If we do, store it and wake up any user programs which are waiting to
232 * hear about these events.
234 int fr_newauth(m, fin, ip)
239 #if defined(_KERNEL) && SOLARIS
240 qif_t *qif = fin->fin_qif;
248 WRITE_ENTER(&ipf_auth);
249 if (fr_authstart > fr_authend) {
250 fr_authstats.fas_nospace++;
251 RWLOCK_EXIT(&ipf_auth);
254 if (fr_authused == FR_NUMAUTH) {
255 fr_authstats.fas_nospace++;
256 RWLOCK_EXIT(&ipf_auth);
261 fr_authstats.fas_added++;
264 if (fr_authend == FR_NUMAUTH)
266 RWLOCK_EXIT(&ipf_auth);
270 fra->fra_age = fr_defaultauthage;
271 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
272 #if SOLARIS && defined(_KERNEL)
275 * No need to copyback here as we want to undo the changes, not keep
278 if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
283 ip->ip_len = htons(bo);
284 # if !SOLARIS && !defined(__NetBSD__) && !defined(__FreeBSD__)
285 /* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
287 ip->ip_id = htons(bo);
290 ip->ip_off = htons(bo);
293 m->b_rptr -= qif->qf_off;
294 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
295 fra->fra_q = qif->qf_q;
296 cv_signal(&ipfauthwait);
298 # if defined(BSD) && !defined(sparc) && (BSD >= 199306)
305 WAKEUP(&fr_authnext);
311 int fr_auth_ioctl(data, mode, cmd, fr, frptr)
314 #if defined(__NetBSD__) || defined(__OpenBSD__) || (FreeBSD_version >= 300003)
319 frentry_t *fr, **frptr;
322 #if defined(_KERNEL) && !SOLARIS
326 frauth_t auth, *au = &auth, *fra;
327 frauthent_t *fae, **faep;
333 error = fr_lock(data, &fr_auth_lock);
345 for (faep = &fae_list; (fae = *faep); )
346 if (&fae->fae_fr == fr)
349 faep = &fae->fae_next;
350 if (cmd == SIOCRMAFR) {
356 WRITE_ENTER(&ipf_auth);
358 *faep = fae->fae_next;
359 *frptr = fr->fr_next;
361 RWLOCK_EXIT(&ipf_auth);
364 } else if (fr && frptr) {
365 KMALLOC(fae, frauthent_t *);
367 bcopy((char *)fr, (char *)&fae->fae_fr,
369 WRITE_ENTER(&ipf_auth);
371 fae->fae_age = fr_defaultauthage;
372 fae->fae_fr.fr_hits = 0;
373 fae->fae_fr.fr_next = *frptr;
374 *frptr = &fae->fae_fr;
375 fae->fae_next = *faep;
377 ipauth = &fae_list->fae_fr;
379 RWLOCK_EXIT(&ipf_auth);
386 READ_ENTER(&ipf_auth);
387 fr_authstats.fas_faelist = fae_list;
388 RWLOCK_EXIT(&ipf_auth);
389 error = IWCOPYPTR((char *)&fr_authstats, data,
390 sizeof(fr_authstats));
393 if (!(mode & FWRITE)) {
398 READ_ENTER(&ipf_auth);
399 if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
400 error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
402 RWLOCK_EXIT(&ipf_auth);
405 WRITE_ENTER(&ipf_auth);
408 if (fr_authnext == FR_NUMAUTH)
411 RWLOCK_EXIT(&ipf_auth);
416 mutex_enter(&ipf_authmx);
417 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
418 mutex_exit(&ipf_authmx);
421 mutex_exit(&ipf_authmx);
423 error = SLEEP(&fr_authnext, "fr_authnext");
426 RWLOCK_EXIT(&ipf_auth);
428 goto fr_authioctlloop;
431 if (!(mode & FWRITE)) {
435 error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
438 WRITE_ENTER(&ipf_auth);
442 if ((i < 0) || (i > FR_NUMAUTH) ||
443 (fra->fra_info.fin_id != au->fra_info.fin_id)) {
445 RWLOCK_EXIT(&ipf_auth);
450 fra->fra_pass = au->fra_pass;
451 fr_authpkts[i] = NULL;
452 RWLOCK_EXIT(&ipf_auth);
454 if (m && au->fra_info.fin_out) {
456 error = fr_qout(fra->fra_q, m);
460 bzero((char *)&ro, sizeof(ro));
461 # if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
463 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
466 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
471 # endif /* SOLARIS */
473 fr_authstats.fas_sendfail++;
475 fr_authstats.fas_sendok++;
478 error = fr_qin(fra->fra_q, m);
480 if (! IF_HANDOFF(&ipintrq, m, NULL))
483 schednetisr(NETISR_IP);
484 # endif /* SOLARIS */
486 fr_authstats.fas_quefail++;
488 fr_authstats.fas_queok++;
496 * If we experience an error which will result in the packet
497 * not being processed, make sure we advance to the next one.
499 if (error == ENOBUFS) {
503 if (i == fr_authstart) {
504 while (fra->fra_index == -1) {
512 if (fr_authstart == fr_authend) {
514 fr_authstart = fr_authend = 0;
532 * Free all network buffer memory used to keep saved packets.
537 register frauthent_t *fae, **faep;
538 frentry_t *fr, **frp;
541 WRITE_ENTER(&ipf_auth);
542 for (i = 0; i < FR_NUMAUTH; i++) {
543 if ((m = fr_authpkts[i])) {
545 fr_authpkts[i] = NULL;
546 fr_auth[i].fra_index = -1;
551 for (faep = &fae_list; (fae = *faep); ) {
552 *faep = fae->fae_next;
556 RWLOCK_EXIT(&ipf_auth);
560 * We *MuST* reget ipf_auth because otherwise we won't get the
561 * locks in the right order and risk deadlock.
562 * We need ipf_mutex here to prevent a rule from using it
565 WRITE_ENTER(&ipf_mutex);
566 WRITE_ENTER(&ipf_auth);
567 for (frp = &fr_authlist; (fr = *frp); ) {
568 if (fr->fr_ref == 1) {
574 RWLOCK_EXIT(&ipf_auth);
575 RWLOCK_EXIT(&ipf_mutex);
581 * Slowly expire held auth records. Timeouts are set
582 * in expectation of this being called twice per second.
587 register frauth_t *fra;
588 register frauthent_t *fae, **faep;
589 register frentry_t *fr, **frp;
599 WRITE_ENTER(&ipf_auth);
600 for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
601 if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
603 fr_authpkts[i] = NULL;
604 fr_auth[i].fra_index = -1;
605 fr_authstats.fas_expire++;
610 for (faep = &fae_list; (fae = *faep); ) {
611 if (!--fae->fae_age) {
612 *faep = fae->fae_next;
614 fr_authstats.fas_expire++;
616 faep = &fae->fae_next;
618 ipauth = &fae_list->fae_fr;
620 for (frp = &fr_authlist; (fr = *frp); ) {
621 if (fr->fr_ref == 1) {
627 RWLOCK_EXIT(&ipf_auth);