4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
8 #if defined(KERNEL) || defined(_KERNEL)
14 #include <sys/errno.h>
15 #include <sys/types.h>
16 #include <sys/param.h>
33 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
34 # include <sys/filio.h>
35 # include <sys/fcntl.h>
37 # include <sys/ioctl.h>
40 # include <sys/protosw.h>
42 #include <sys/socket.h>
44 # include <sys/systm.h>
45 # if !defined(__SVR4) && !defined(__svr4__) && !defined(linux)
46 # include <sys/mbuf.h>
49 #if defined(__SVR4) || defined(__svr4__)
50 # include <sys/filio.h>
51 # include <sys/byteorder.h>
53 # include <sys/dditypes.h>
55 # include <sys/stream.h>
56 # include <sys/kmem.h>
58 #if (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) || \
59 (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000))
60 # include <sys/queue.h>
62 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
63 # include <machine/cpu.h>
65 #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
66 # include <sys/proc.h>
68 #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \
76 #include <netinet/in.h>
77 #include <netinet/in_systm.h>
78 #include <netinet/ip.h>
80 # include <netinet/ip_var.h>
82 #if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi)
91 #include <netinet/tcp.h>
92 #if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */
93 extern struct ifqueue ipintrq; /* ip packet input queue */
95 # if !defined(__hpux) && !defined(linux)
96 # if __FreeBSD_version >= 300000
97 # include <net/if_var.h>
98 # if __FreeBSD_version >= 500042
99 # define IF_QFULL _IF_QFULL
100 # define IF_DROP _IF_DROP
101 # endif /* __FreeBSD_version >= 500042 */
103 # include <netinet/in_var.h>
104 # include <netinet/tcp_fsm.h>
107 #include <netinet/udp.h>
108 #include <netinet/ip_icmp.h>
109 #include "netinet/ip_compat.h"
110 #include <netinet/tcpip.h>
111 #include "netinet/ip_fil.h"
112 #include "netinet/ip_auth.h"
113 #if !defined(MENTAT) && !defined(linux)
114 # include <net/netisr.h>
116 # include <machine/cpufunc.h>
119 #if (__FreeBSD_version >= 300000)
120 # include <sys/malloc.h>
121 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
122 # include <sys/libkern.h>
123 # include <sys/systm.h>
126 /* END OF INCLUDES */
129 static const char rcsid[] = "@(#)$FreeBSD$";
130 /* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.24 2007/09/09 11:32:04 darrenr Exp $"; */
134 static void ipf_auth_deref __P((frauthent_t **));
135 static void ipf_auth_deref_unlocked __P((ipf_auth_softc_t *, frauthent_t **));
136 static int ipf_auth_geniter __P((ipf_main_softc_t *, ipftoken_t *,
137 ipfgeniter_t *, ipfobj_t *));
138 static int ipf_auth_reply __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *));
139 static int ipf_auth_wait __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *));
140 static int ipf_auth_flush __P((void *));
143 /* ------------------------------------------------------------------------ */
144 /* Function: ipf_auth_main_load */
145 /* Returns: int - 0 == success, else error */
146 /* Parameters: None */
148 /* A null-op function that exists as a placeholder so that the flow in */
149 /* other functions is obvious. */
150 /* ------------------------------------------------------------------------ */
158 /* ------------------------------------------------------------------------ */
159 /* Function: ipf_auth_main_unload */
160 /* Returns: int - 0 == success, else error */
161 /* Parameters: None */
163 /* A null-op function that exists as a placeholder so that the flow in */
164 /* other functions is obvious. */
165 /* ------------------------------------------------------------------------ */
167 ipf_auth_main_unload()
173 /* ------------------------------------------------------------------------ */
174 /* Function: ipf_auth_soft_create */
175 /* Returns: int - NULL = failure, else success */
176 /* Parameters: softc(I) - pointer to soft context data */
178 /* Create a structre to store all of the run-time data for packet auth in */
179 /* and initialise some fields to their defaults. */
180 /* ------------------------------------------------------------------------ */
182 ipf_auth_soft_create(softc)
183 ipf_main_softc_t *softc;
185 ipf_auth_softc_t *softa;
187 KMALLOC(softa, ipf_auth_softc_t *);
191 bzero((char *)softa, sizeof(*softa));
193 softa->ipf_auth_size = FR_NUMAUTH;
194 softa->ipf_auth_defaultage = 600;
196 RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock");
197 MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex");
198 #if SOLARIS && defined(_KERNEL)
199 cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL);
205 /* ------------------------------------------------------------------------ */
206 /* Function: ipf_auth_soft_init */
207 /* Returns: int - 0 == success, else error */
208 /* Parameters: softc(I) - pointer to soft context data */
209 /* arg(I) - opaque pointer to auth context data */
211 /* Allocate memory and initialise data structures used in handling auth */
213 /* ------------------------------------------------------------------------ */
215 ipf_auth_soft_init(softc, arg)
216 ipf_main_softc_t *softc;
219 ipf_auth_softc_t *softa = arg;
221 KMALLOCS(softa->ipf_auth, frauth_t *,
222 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
223 if (softa->ipf_auth == NULL)
225 bzero((char *)softa->ipf_auth,
226 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
228 KMALLOCS(softa->ipf_auth_pkts, mb_t **,
229 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
230 if (softa->ipf_auth_pkts == NULL)
232 bzero((char *)softa->ipf_auth_pkts,
233 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
235 #if defined(linux) && defined(_KERNEL)
236 init_waitqueue_head(&softa->ipf_auth_next_linux);
243 /* ------------------------------------------------------------------------ */
244 /* Function: ipf_auth_soft_fini */
245 /* Returns: int - 0 == success, else error */
246 /* Parameters: softc(I) - pointer to soft context data */
247 /* arg(I) - opaque pointer to auth context data */
249 /* Free all network buffer memory used to keep saved packets that have been */
250 /* connectedd to the soft soft context structure *but* do not free that: it */
251 /* is free'd by _destroy(). */
252 /* ------------------------------------------------------------------------ */
254 ipf_auth_soft_fini(softc, arg)
255 ipf_main_softc_t *softc;
258 ipf_auth_softc_t *softa = arg;
259 frauthent_t *fae, **faep;
260 frentry_t *fr, **frp;
264 if (softa->ipf_auth != NULL) {
265 KFREES(softa->ipf_auth,
266 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
267 softa->ipf_auth = NULL;
270 if (softa->ipf_auth_pkts != NULL) {
271 for (i = 0; i < softa->ipf_auth_size; i++) {
272 m = softa->ipf_auth_pkts[i];
275 softa->ipf_auth_pkts[i] = NULL;
278 KFREES(softa->ipf_auth_pkts,
279 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
280 softa->ipf_auth_pkts = NULL;
283 faep = &softa->ipf_auth_entries;
284 while ((fae = *faep) != NULL) {
285 *faep = fae->fae_next;
288 softa->ipf_auth_ip = NULL;
290 if (softa->ipf_auth_rules != NULL) {
291 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) {
292 if (fr->fr_ref == 1) {
294 MUTEX_DESTROY(&fr->fr_lock);
305 /* ------------------------------------------------------------------------ */
306 /* Function: ipf_auth_soft_destroy */
308 /* Parameters: softc(I) - pointer to soft context data */
309 /* arg(I) - opaque pointer to auth context data */
311 /* Undo what was done in _create() - i.e. free the soft context data. */
312 /* ------------------------------------------------------------------------ */
314 ipf_auth_soft_destroy(softc, arg)
315 ipf_main_softc_t *softc;
318 ipf_auth_softc_t *softa = arg;
320 # if SOLARIS && defined(_KERNEL)
321 cv_destroy(&softa->ipf_auth_wait);
323 MUTEX_DESTROY(&softa->ipf_auth_mx);
324 RW_DESTROY(&softa->ipf_authlk);
330 /* ------------------------------------------------------------------------ */
331 /* Function: ipf_auth_setlock */
333 /* Paramters: arg(I) - pointer to soft context data */
334 /* tmp(I) - value to assign to auth lock */
336 /* ------------------------------------------------------------------------ */
338 ipf_auth_setlock(arg, tmp)
342 ipf_auth_softc_t *softa = arg;
344 softa->ipf_auth_lock = tmp;
348 /* ------------------------------------------------------------------------ */
349 /* Function: ipf_auth_check */
350 /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */
351 /* Parameters: fin(I) - pointer to ipftoken structure */
352 /* passp(I) - pointer to ipfgeniter structure */
354 /* Check if a packet has authorization. If the packet is found to match an */
355 /* authorization result and that would result in a feedback loop (i.e. it */
356 /* will end up returning FR_AUTH) then return FR_BLOCK instead. */
357 /* ------------------------------------------------------------------------ */
359 ipf_auth_check(fin, passp)
363 ipf_main_softc_t *softc = fin->fin_main_soft;
364 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
372 if (softa->ipf_auth_lock || !softa->ipf_auth_used)
378 READ_ENTER(&softa->ipf_authlk);
379 for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) {
381 * index becomes -2 only after an SIOCAUTHW. Check this in
382 * case the same packet gets sent again and it hasn't yet been
385 fra = softa->ipf_auth + i;
386 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
387 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
389 * Avoid feedback loop.
391 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) {
393 fin->fin_reason = FRB_AUTHFEEDBACK;
396 * Create a dummy rule for the stateful checking to
397 * use and return. Zero out any values we don't
398 * trust from userland!
400 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
401 (fin->fin_flx & FI_FRAG))) {
402 KMALLOC(fr, frentry_t *);
404 bcopy((char *)fra->fra_info.fin_fr,
405 (char *)fr, sizeof(*fr));
407 fr->fr_ifa = fin->fin_ifp;
411 fr->fr_ifas[1] = NULL;
412 fr->fr_ifas[2] = NULL;
413 fr->fr_ifas[3] = NULL;
414 MUTEX_INIT(&fr->fr_lock,
418 fr = fra->fra_info.fin_fr;
420 fin->fin_flx |= fra->fra_flx;
421 RWLOCK_EXIT(&softa->ipf_authlk);
423 WRITE_ENTER(&softa->ipf_authlk);
425 * ipf_auth_rules is populated with the rules malloc'd
426 * above and only those.
428 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) {
429 fr->fr_next = softa->ipf_auth_rules;
430 softa->ipf_auth_rules = fr;
432 softa->ipf_auth_stats.fas_hits++;
434 softa->ipf_auth_used--;
435 softa->ipf_auth_replies--;
436 if (i == softa->ipf_auth_start) {
437 while (fra->fra_index == -1) {
440 if (i == softa->ipf_auth_size) {
442 fra = softa->ipf_auth;
444 softa->ipf_auth_start = i;
445 if (i == softa->ipf_auth_end)
448 if (softa->ipf_auth_start ==
449 softa->ipf_auth_end) {
450 softa->ipf_auth_next = 0;
451 softa->ipf_auth_start = 0;
452 softa->ipf_auth_end = 0;
455 RWLOCK_EXIT(&softa->ipf_authlk);
458 softa->ipf_auth_stats.fas_hits++;
462 if (i == softa->ipf_auth_size)
465 RWLOCK_EXIT(&softa->ipf_authlk);
466 softa->ipf_auth_stats.fas_miss++;
471 /* ------------------------------------------------------------------------ */
472 /* Function: ipf_auth_new */
473 /* Returns: int - 1 == success, 0 = did not put packet on auth queue */
474 /* Parameters: m(I) - pointer to mb_t with packet in it */
475 /* fin(I) - pointer to packet information */
477 /* Check if we have room in the auth array to hold details for another */
478 /* packet. If we do, store it and wake up any user programs which are */
479 /* waiting to hear about these events. */
480 /* ------------------------------------------------------------------------ */
486 ipf_main_softc_t *softc = fin->fin_main_soft;
487 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
488 #if defined(_KERNEL) && defined(MENTAT)
489 qpktinfo_t *qpi = fin->fin_qpi;
492 #if !defined(sparc) && !defined(m68k)
497 if (softa->ipf_auth_lock)
500 WRITE_ENTER(&softa->ipf_authlk);
501 if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) ==
502 softa->ipf_auth_start) {
503 softa->ipf_auth_stats.fas_nospace++;
504 RWLOCK_EXIT(&softa->ipf_authlk);
508 softa->ipf_auth_stats.fas_added++;
509 softa->ipf_auth_used++;
510 i = softa->ipf_auth_end++;
511 if (softa->ipf_auth_end == softa->ipf_auth_size)
512 softa->ipf_auth_end = 0;
514 fra = softa->ipf_auth + i;
516 if (fin->fin_fr != NULL)
517 fra->fra_pass = fin->fin_fr->fr_flags;
520 fra->fra_age = softa->ipf_auth_defaultage;
521 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
522 fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED);
523 fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED);
524 #if !defined(sparc) && !defined(m68k)
526 * No need to copyback here as we want to undo the changes, not keep
530 # if defined(MENTAT) && defined(_KERNEL)
531 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4))
537 ip->ip_len = htons(bo);
539 ip->ip_off = htons(bo);
542 #if SOLARIS && defined(_KERNEL)
543 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname);
544 m->b_rptr -= qpi->qpi_off;
545 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */
546 fra->fra_m = *fin->fin_mp;
547 fra->fra_info.fin_mp = &fra->fra_m;
548 softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp;
549 RWLOCK_EXIT(&softa->ipf_authlk);
550 cv_signal(&softa->ipf_auth_wait);
551 pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM);
553 softa->ipf_auth_pkts[i] = m;
554 RWLOCK_EXIT(&softa->ipf_authlk);
555 WAKEUP(&softa->ipf_auth_next, 0);
561 /* ------------------------------------------------------------------------ */
562 /* Function: ipf_auth_ioctl */
563 /* Returns: int - 0 == success, else error */
564 /* Parameters: data(IO) - pointer to ioctl data */
565 /* cmd(I) - ioctl command */
566 /* mode(I) - mode flags associated with open descriptor */
567 /* uid(I) - uid associatd with application making the call */
568 /* ctx(I) - pointer for context */
570 /* This function handles all of the ioctls recognised by the auth component */
571 /* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */
572 /* ------------------------------------------------------------------------ */
574 ipf_auth_ioctl(softc, data, cmd, mode, uid, ctx)
575 ipf_main_softc_t *softc;
581 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
593 error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER);
598 token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx);
600 error = ipf_auth_geniter(softc, token, &iter, &obj);
602 WRITE_ENTER(&softc->ipf_tokens);
603 ipf_token_deref(softc, token);
604 RWLOCK_EXIT(&softc->ipf_tokens);
615 if (!(mode & FWRITE)) {
619 error = frrequest(softc, IPL_LOGAUTH, cmd, data,
620 softc->ipf_active, 1);
624 if (!(mode & FWRITE)) {
628 error = ipf_lock(data, &softa->ipf_auth_lock);
633 softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries;
634 error = ipf_outobj(softc, data, &softa->ipf_auth_stats,
640 WRITE_ENTER(&softa->ipf_authlk);
641 i = ipf_auth_flush(softa);
642 RWLOCK_EXIT(&softa->ipf_authlk);
644 error = BCOPYOUT(&i, data, sizeof(i));
652 error = ipf_auth_wait(softc, softa, data);
656 error = ipf_auth_reply(softc, softa, data);
668 /* ------------------------------------------------------------------------ */
669 /* Function: ipf_auth_expire */
671 /* Parameters: None */
673 /* Slowly expire held auth records. Timeouts are set in expectation of */
674 /* this being called twice per second. */
675 /* ------------------------------------------------------------------------ */
677 ipf_auth_expire(softc)
678 ipf_main_softc_t *softc;
680 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
681 frauthent_t *fae, **faep;
682 frentry_t *fr, **frp;
688 if (softa->ipf_auth_lock)
691 WRITE_ENTER(&softa->ipf_authlk);
692 for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size;
695 if ((fra->fra_age == 0) &&
696 (softa->ipf_auth[i].fra_index != -1)) {
697 if ((m = softa->ipf_auth_pkts[i]) != NULL) {
699 softa->ipf_auth_pkts[i] = NULL;
700 } else if (softa->ipf_auth[i].fra_index == -2) {
701 softa->ipf_auth_replies--;
703 softa->ipf_auth[i].fra_index = -1;
704 softa->ipf_auth_stats.fas_expire++;
705 softa->ipf_auth_used--;
710 * Expire pre-auth rules
712 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) {
714 if (fae->fae_age == 0) {
715 ipf_auth_deref(&fae);
716 softa->ipf_auth_stats.fas_expire++;
718 faep = &fae->fae_next;
720 if (softa->ipf_auth_entries != NULL)
721 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr;
723 softa->ipf_auth_ip = NULL;
725 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) {
726 if (fr->fr_ref == 1) {
728 MUTEX_DESTROY(&fr->fr_lock);
733 RWLOCK_EXIT(&softa->ipf_authlk);
738 /* ------------------------------------------------------------------------ */
739 /* Function: ipf_auth_precmd */
740 /* Returns: int - 0 == success, else error */
741 /* Parameters: cmd(I) - ioctl command for rule */
742 /* fr(I) - pointer to ipf rule */
743 /* fptr(I) - pointer to caller's 'fr' */
745 /* ------------------------------------------------------------------------ */
747 ipf_auth_precmd(softc, cmd, fr, frptr)
748 ipf_main_softc_t *softc;
750 frentry_t *fr, **frptr;
752 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
753 frauthent_t *fae, **faep;
757 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
762 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) {
763 if (&fae->fae_fr == fr)
766 faep = &fae->fae_next;
769 if (cmd == (ioctlcmd_t)SIOCRMAFR) {
770 if (fr == NULL || frptr == NULL) {
774 } else if (fae == NULL) {
780 WRITE_ENTER(&softa->ipf_authlk);
781 *faep = fae->fae_next;
782 if (softa->ipf_auth_ip == &fae->fae_fr)
783 softa->ipf_auth_ip = softa->ipf_auth_entries ?
784 &softa->ipf_auth_entries->fae_fr : NULL;
785 RWLOCK_EXIT(&softa->ipf_authlk);
790 } else if (fr != NULL && frptr != NULL) {
791 KMALLOC(fae, frauthent_t *);
793 bcopy((char *)fr, (char *)&fae->fae_fr,
796 WRITE_ENTER(&softa->ipf_authlk);
797 fae->fae_age = softa->ipf_auth_defaultage;
798 fae->fae_fr.fr_hits = 0;
799 fae->fae_fr.fr_next = *frptr;
801 *frptr = &fae->fae_fr;
802 fae->fae_next = *faep;
804 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr;
805 RWLOCK_EXIT(&softa->ipf_authlk);
819 /* ------------------------------------------------------------------------ */
820 /* Function: ipf_auth_flush */
821 /* Returns: int - number of auth entries flushed */
822 /* Parameters: None */
823 /* Locks: WRITE(ipf_authlk) */
825 /* This function flushs the ipf_auth_pkts array of any packet data with */
826 /* references still there. */
827 /* It is expected that the caller has already acquired the correct locks or */
828 /* set the priority level correctly for this to block out other code paths */
829 /* into these data structures. */
830 /* ------------------------------------------------------------------------ */
835 ipf_auth_softc_t *softa = arg;
839 if (softa->ipf_auth_lock)
844 for (i = 0 ; i < softa->ipf_auth_size; i++) {
845 if (softa->ipf_auth[i].fra_index != -1) {
846 m = softa->ipf_auth_pkts[i];
849 softa->ipf_auth_pkts[i] = NULL;
852 softa->ipf_auth[i].fra_index = -1;
853 /* perhaps add & use a flush counter inst.*/
854 softa->ipf_auth_stats.fas_expire++;
859 softa->ipf_auth_start = 0;
860 softa->ipf_auth_end = 0;
861 softa->ipf_auth_next = 0;
862 softa->ipf_auth_used = 0;
863 softa->ipf_auth_replies = 0;
869 /* ------------------------------------------------------------------------ */
870 /* Function: ipf_auth_waiting */
871 /* Returns: int - number of packets in the auth queue */
872 /* Parameters: None */
874 /* Simple truth check to see if there are any packets waiting in the auth */
876 /* ------------------------------------------------------------------------ */
878 ipf_auth_waiting(softc)
879 ipf_main_softc_t *softc;
881 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
883 return (softa->ipf_auth_used != 0);
887 /* ------------------------------------------------------------------------ */
888 /* Function: ipf_auth_geniter */
889 /* Returns: int - 0 == success, else error */
890 /* Parameters: token(I) - pointer to ipftoken structure */
891 /* itp(I) - pointer to ipfgeniter structure */
892 /* objp(I) - pointer to ipf object destription */
894 /* Iterate through the list of entries in the auth queue list. */
895 /* objp is used here to get the location of where to do the copy out to. */
896 /* Stomping over various fields with new information will not harm anything */
897 /* ------------------------------------------------------------------------ */
899 ipf_auth_geniter(softc, token, itp, objp)
900 ipf_main_softc_t *softc;
905 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
906 frauthent_t *fae, *next, zero;
909 if (itp->igi_data == NULL) {
914 if (itp->igi_type != IPFGENITER_AUTH) {
919 objp->ipfo_type = IPFOBJ_FRAUTH;
920 objp->ipfo_ptr = itp->igi_data;
921 objp->ipfo_size = sizeof(frauth_t);
923 READ_ENTER(&softa->ipf_authlk);
925 fae = token->ipt_data;
927 next = softa->ipf_auth_entries;
929 next = fae->fae_next;
933 * If we found an auth entry to use, bump its reference count
934 * so that it can be used for is_next when we come back.
937 ATOMIC_INC(next->fae_ref);
938 token->ipt_data = next;
940 bzero(&zero, sizeof(zero));
942 token->ipt_data = NULL;
945 RWLOCK_EXIT(&softa->ipf_authlk);
947 error = ipf_outobjk(softc, objp, next);
949 ipf_auth_deref_unlocked(softa, &fae);
951 if (next->fae_next == NULL)
952 ipf_token_mark_complete(token);
957 /* ------------------------------------------------------------------------ */
958 /* Function: ipf_auth_deref_unlocked */
960 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */
962 /* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */
964 /* ------------------------------------------------------------------------ */
966 ipf_auth_deref_unlocked(softa, faep)
967 ipf_auth_softc_t *softa;
970 WRITE_ENTER(&softa->ipf_authlk);
971 ipf_auth_deref(faep);
972 RWLOCK_EXIT(&softa->ipf_authlk);
976 /* ------------------------------------------------------------------------ */
977 /* Function: ipf_auth_deref */
979 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */
980 /* Locks: WRITE(ipf_authlk) */
982 /* This function unconditionally sets the pointer in the caller to NULL, */
983 /* to make it clear that it should no longer use that pointer, and drops */
984 /* the reference count on the structure by 1. If it reaches 0, free it up. */
985 /* ------------------------------------------------------------------------ */
996 if (fae->fae_ref == 0) {
1002 /* ------------------------------------------------------------------------ */
1003 /* Function: ipf_auth_wait_pkt */
1004 /* Returns: int - 0 == success, else error */
1005 /* Parameters: data(I) - pointer to data from ioctl call */
1007 /* This function is called when an application is waiting for a packet to */
1008 /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */
1009 /* a packet waiting on the queue then we will return that _one_ immediately.*/
1010 /* If there are no packets present in the queue (ipf_auth_pkts) then we go */
1012 /* ------------------------------------------------------------------------ */
1014 ipf_auth_wait(softc, softa, data)
1015 ipf_main_softc_t *softc;
1016 ipf_auth_softc_t *softa;
1019 frauth_t auth, *au = &auth;
1026 error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH);
1031 * XXX Locks are held below over calls to copyout...a better
1032 * solution needs to be found so this isn't necessary. The situation
1033 * we are trying to guard against here is an error in the copyout
1034 * steps should not cause the packet to "disappear" from the queue.
1037 READ_ENTER(&softa->ipf_authlk);
1040 * If ipf_auth_next is not equal to ipf_auth_end it will be because
1041 * there is a packet waiting to be delt with in the ipf_auth_pkts
1042 * array. We copy as much of that out to user space as requested.
1044 if (softa->ipf_auth_used > 0) {
1045 while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) {
1046 softa->ipf_auth_next++;
1047 if (softa->ipf_auth_next == softa->ipf_auth_size)
1048 softa->ipf_auth_next = 0;
1051 error = ipf_outobj(softc, data,
1052 &softa->ipf_auth[softa->ipf_auth_next],
1055 RWLOCK_EXIT(&softa->ipf_authlk);
1060 if (auth.fra_len != 0 && auth.fra_buf != NULL) {
1062 * Copy packet contents out to user space if
1063 * requested. Bail on an error.
1065 m = softa->ipf_auth_pkts[softa->ipf_auth_next];
1067 if (len > auth.fra_len)
1071 for (t = auth.fra_buf; m && (len > 0); ) {
1072 i = MIN(M_LEN(m), len);
1073 error = copyoutptr(softc, MTOD(m, char *),
1078 RWLOCK_EXIT(&softa->ipf_authlk);
1085 RWLOCK_EXIT(&softa->ipf_authlk);
1088 WRITE_ENTER(&softa->ipf_authlk);
1089 softa->ipf_auth_next++;
1090 if (softa->ipf_auth_next == softa->ipf_auth_size)
1091 softa->ipf_auth_next = 0;
1092 RWLOCK_EXIT(&softa->ipf_authlk);
1097 RWLOCK_EXIT(&softa->ipf_authlk);
1100 MUTEX_ENTER(&softa->ipf_auth_mx);
1104 if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) {
1108 # else /* SOLARIS */
1113 l = get_sleep_lock(&softa->ipf_auth_next);
1114 error = sleep(&softa->ipf_auth_next, PZERO+1);
1119 error = mpsleep(&softa->ipf_auth_next, PSUSP|PCATCH, "ipf_auth_next",
1120 0, &softa->ipf_auth_mx, MS_LOCK_SIMPLE);
1122 error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next");
1123 # endif /* __osf__ */
1124 # endif /* __hpux */
1125 # endif /* SOLARIS */
1127 MUTEX_EXIT(&softa->ipf_auth_mx);
1129 goto ipf_auth_ioctlloop;
1134 /* ------------------------------------------------------------------------ */
1135 /* Function: ipf_auth_reply */
1136 /* Returns: int - 0 == success, else error */
1137 /* Parameters: data(I) - pointer to data from ioctl call */
1139 /* This function is called by an application when it wants to return a */
1140 /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */
1141 /* received information using an SIOCAUTHW. The decision returned in the */
1142 /* form of flags, the same as those used in each rule. */
1143 /* ------------------------------------------------------------------------ */
1145 ipf_auth_reply(softc, softa, data)
1146 ipf_main_softc_t *softc;
1147 ipf_auth_softc_t *softa;
1150 frauth_t auth, *au = &auth, *fra;
1156 error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH);
1161 WRITE_ENTER(&softa->ipf_authlk);
1164 fra = softa->ipf_auth + i;
1168 * Check the validity of the information being returned with two simple
1169 * checks. First, the auth index value should be within the size of
1170 * the array and second the packet id being returned should also match.
1172 if ((i < 0) || (i >= softa->ipf_auth_size)) {
1173 RWLOCK_EXIT(&softa->ipf_authlk);
1178 if (fra->fra_info.fin_id != au->fra_info.fin_id) {
1179 RWLOCK_EXIT(&softa->ipf_authlk);
1185 m = softa->ipf_auth_pkts[i];
1186 fra->fra_index = -2;
1187 fra->fra_pass = au->fra_pass;
1188 softa->ipf_auth_pkts[i] = NULL;
1189 softa->ipf_auth_replies++;
1190 bcopy(&fra->fra_info, &fin, sizeof(fin));
1192 RWLOCK_EXIT(&softa->ipf_authlk);
1195 * Re-insert the packet back into the packet stream flowing through
1196 * the kernel in a manner that will mean IPFilter sees the packet
1197 * again. This is not the same as is done with fastroute,
1198 * deliberately, as we want to resume the normal packet processing
1202 if ((m != NULL) && (au->fra_info.fin_out != 0)) {
1203 error = ipf_inject(&fin, m);
1207 softa->ipf_auth_stats.fas_sendfail++;
1209 softa->ipf_auth_stats.fas_sendok++;
1212 error = ipf_inject(&fin, m);
1216 softa->ipf_auth_stats.fas_quefail++;
1218 softa->ipf_auth_stats.fas_queok++;
1226 * If we experience an error which will result in the packet
1227 * not being processed, make sure we advance to the next one.
1229 if (error == ENOBUFS) {
1230 WRITE_ENTER(&softa->ipf_authlk);
1231 softa->ipf_auth_used--;
1232 fra->fra_index = -1;
1234 if (i == softa->ipf_auth_start) {
1235 while (fra->fra_index == -1) {
1237 if (i == softa->ipf_auth_size)
1239 softa->ipf_auth_start = i;
1240 if (i == softa->ipf_auth_end)
1243 if (softa->ipf_auth_start == softa->ipf_auth_end) {
1244 softa->ipf_auth_next = 0;
1245 softa->ipf_auth_start = 0;
1246 softa->ipf_auth_end = 0;
1249 RWLOCK_EXIT(&softa->ipf_authlk);
1251 #endif /* _KERNEL */
1259 ipf_auth_pre_scanlist(softc, fin, pass)
1260 ipf_main_softc_t *softc;
1264 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
1266 if (softa->ipf_auth_ip != NULL)
1267 return ipf_scanlist(fin, softc->ipf_pass);
1274 ipf_auth_rulehead(softc)
1275 ipf_main_softc_t *softc;
1277 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
1279 return &softa->ipf_auth_ip;