4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
8 #if defined(KERNEL) || defined(_KERNEL)
14 #include <sys/errno.h>
15 #include <sys/types.h>
16 #include <sys/param.h>
30 #if defined(_KERNEL) && defined(__FreeBSD__)
31 # include <sys/filio.h>
32 # include <sys/fcntl.h>
34 # include <sys/ioctl.h>
36 # include <sys/protosw.h>
37 #include <sys/socket.h>
39 # include <sys/systm.h>
41 # include <sys/mbuf.h>
45 # include <sys/filio.h>
46 # include <sys/byteorder.h>
48 # include <sys/dditypes.h>
50 # include <sys/stream.h>
51 # include <sys/kmem.h>
53 #if defined(__FreeBSD__)
54 # include <sys/queue.h>
56 #if defined(__NetBSD__)
57 # include <machine/cpu.h>
59 #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
60 # include <sys/proc.h>
62 #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \
70 #include <netinet/in.h>
71 #include <netinet/in_systm.h>
72 #include <netinet/ip.h>
73 # include <netinet/ip_var.h>
83 #include <netinet/tcp.h>
84 #if defined(__FreeBSD__)
85 # include <net/if_var.h>
86 # define IF_QFULL _IF_QFULL
87 # define IF_DROP _IF_DROP
89 #include <netinet/in_var.h>
90 #include <netinet/tcp_fsm.h>
91 #include <netinet/udp.h>
92 #include <netinet/ip_icmp.h>
93 #include "netinet/ip_compat.h"
94 #include <netinet/tcpip.h>
95 #include "netinet/ip_fil.h"
96 #include "netinet/ip_auth.h"
98 # include <net/netisr.h>
100 # include <machine/cpufunc.h>
103 #if defined(__FreeBSD__)
104 # include <sys/malloc.h>
105 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
106 # include <sys/libkern.h>
107 # include <sys/systm.h>
110 /* END OF INCLUDES */
113 static const char rcsid[] = "@(#)$FreeBSD$";
114 /* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.24 2007/09/09 11:32:04 darrenr Exp $"; */
118 static void ipf_auth_deref(frauthent_t **);
119 static void ipf_auth_deref_unlocked(ipf_auth_softc_t *, frauthent_t **);
120 static int ipf_auth_geniter(ipf_main_softc_t *, ipftoken_t *,
121 ipfgeniter_t *, ipfobj_t *);
122 static int ipf_auth_reply(ipf_main_softc_t *, ipf_auth_softc_t *, char *);
123 static int ipf_auth_wait(ipf_main_softc_t *, ipf_auth_softc_t *, char *);
124 static int ipf_auth_flush(void *);
127 /* ------------------------------------------------------------------------ */
128 /* Function: ipf_auth_main_load */
129 /* Returns: int - 0 == success, else error */
130 /* Parameters: None */
132 /* A null-op function that exists as a placeholder so that the flow in */
133 /* other functions is obvious. */
134 /* ------------------------------------------------------------------------ */
142 /* ------------------------------------------------------------------------ */
143 /* Function: ipf_auth_main_unload */
144 /* Returns: int - 0 == success, else error */
145 /* Parameters: None */
147 /* A null-op function that exists as a placeholder so that the flow in */
148 /* other functions is obvious. */
149 /* ------------------------------------------------------------------------ */
151 ipf_auth_main_unload()
157 /* ------------------------------------------------------------------------ */
158 /* Function: ipf_auth_soft_create */
159 /* Returns: int - NULL = failure, else success */
160 /* Parameters: softc(I) - pointer to soft context data */
162 /* Create a structre to store all of the run-time data for packet auth in */
163 /* and initialise some fields to their defaults. */
164 /* ------------------------------------------------------------------------ */
166 ipf_auth_soft_create(softc)
167 ipf_main_softc_t *softc;
169 ipf_auth_softc_t *softa;
171 KMALLOC(softa, ipf_auth_softc_t *);
175 bzero((char *)softa, sizeof(*softa));
177 softa->ipf_auth_size = FR_NUMAUTH;
178 softa->ipf_auth_defaultage = 600;
180 RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock");
181 MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex");
182 #if SOLARIS && defined(_KERNEL)
183 cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL);
189 /* ------------------------------------------------------------------------ */
190 /* Function: ipf_auth_soft_init */
191 /* Returns: int - 0 == success, else error */
192 /* Parameters: softc(I) - pointer to soft context data */
193 /* arg(I) - opaque pointer to auth context data */
195 /* Allocate memory and initialise data structures used in handling auth */
197 /* ------------------------------------------------------------------------ */
199 ipf_auth_soft_init(softc, arg)
200 ipf_main_softc_t *softc;
203 ipf_auth_softc_t *softa = arg;
205 KMALLOCS(softa->ipf_auth, frauth_t *,
206 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
207 if (softa->ipf_auth == NULL)
209 bzero((char *)softa->ipf_auth,
210 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
212 KMALLOCS(softa->ipf_auth_pkts, mb_t **,
213 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
214 if (softa->ipf_auth_pkts == NULL)
216 bzero((char *)softa->ipf_auth_pkts,
217 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
224 /* ------------------------------------------------------------------------ */
225 /* Function: ipf_auth_soft_fini */
226 /* Returns: int - 0 == success, else error */
227 /* Parameters: softc(I) - pointer to soft context data */
228 /* arg(I) - opaque pointer to auth context data */
230 /* Free all network buffer memory used to keep saved packets that have been */
231 /* connectedd to the soft soft context structure *but* do not free that: it */
232 /* is free'd by _destroy(). */
233 /* ------------------------------------------------------------------------ */
235 ipf_auth_soft_fini(softc, arg)
236 ipf_main_softc_t *softc;
239 ipf_auth_softc_t *softa = arg;
240 frauthent_t *fae, **faep;
241 frentry_t *fr, **frp;
245 if (softa->ipf_auth != NULL) {
246 KFREES(softa->ipf_auth,
247 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
248 softa->ipf_auth = NULL;
251 if (softa->ipf_auth_pkts != NULL) {
252 for (i = 0; i < softa->ipf_auth_size; i++) {
253 m = softa->ipf_auth_pkts[i];
256 softa->ipf_auth_pkts[i] = NULL;
259 KFREES(softa->ipf_auth_pkts,
260 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
261 softa->ipf_auth_pkts = NULL;
264 faep = &softa->ipf_auth_entries;
265 while ((fae = *faep) != NULL) {
266 *faep = fae->fae_next;
269 softa->ipf_auth_ip = NULL;
271 if (softa->ipf_auth_rules != NULL) {
272 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) {
273 if (fr->fr_ref == 1) {
275 MUTEX_DESTROY(&fr->fr_lock);
286 /* ------------------------------------------------------------------------ */
287 /* Function: ipf_auth_soft_destroy */
289 /* Parameters: softc(I) - pointer to soft context data */
290 /* arg(I) - opaque pointer to auth context data */
292 /* Undo what was done in _create() - i.e. free the soft context data. */
293 /* ------------------------------------------------------------------------ */
295 ipf_auth_soft_destroy(softc, arg)
296 ipf_main_softc_t *softc;
299 ipf_auth_softc_t *softa = arg;
301 #if SOLARIS && defined(_KERNEL)
302 cv_destroy(&softa->ipf_auth_wait);
304 MUTEX_DESTROY(&softa->ipf_auth_mx);
305 RW_DESTROY(&softa->ipf_authlk);
311 /* ------------------------------------------------------------------------ */
312 /* Function: ipf_auth_setlock */
314 /* Paramters: arg(I) - pointer to soft context data */
315 /* tmp(I) - value to assign to auth lock */
317 /* ------------------------------------------------------------------------ */
319 ipf_auth_setlock(arg, tmp)
323 ipf_auth_softc_t *softa = arg;
325 softa->ipf_auth_lock = tmp;
329 /* ------------------------------------------------------------------------ */
330 /* Function: ipf_auth_check */
331 /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */
332 /* Parameters: fin(I) - pointer to ipftoken structure */
333 /* passp(I) - pointer to ipfgeniter structure */
335 /* Check if a packet has authorization. If the packet is found to match an */
336 /* authorization result and that would result in a feedback loop (i.e. it */
337 /* will end up returning FR_AUTH) then return FR_BLOCK instead. */
338 /* ------------------------------------------------------------------------ */
340 ipf_auth_check(fin, passp)
344 ipf_main_softc_t *softc = fin->fin_main_soft;
345 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
353 if (softa->ipf_auth_lock || !softa->ipf_auth_used)
359 READ_ENTER(&softa->ipf_authlk);
360 for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) {
362 * index becomes -2 only after an SIOCAUTHW. Check this in
363 * case the same packet gets sent again and it hasn't yet been
366 fra = softa->ipf_auth + i;
367 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
368 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
370 * Avoid feedback loop.
372 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) {
374 fin->fin_reason = FRB_AUTHFEEDBACK;
377 * Create a dummy rule for the stateful checking to
378 * use and return. Zero out any values we don't
379 * trust from userland!
381 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
382 (fin->fin_flx & FI_FRAG))) {
383 KMALLOC(fr, frentry_t *);
385 bcopy((char *)fra->fra_info.fin_fr,
386 (char *)fr, sizeof(*fr));
388 fr->fr_ifa = fin->fin_ifp;
392 fr->fr_ifas[1] = NULL;
393 fr->fr_ifas[2] = NULL;
394 fr->fr_ifas[3] = NULL;
395 MUTEX_INIT(&fr->fr_lock,
399 fr = fra->fra_info.fin_fr;
401 fin->fin_flx |= fra->fra_flx;
402 RWLOCK_EXIT(&softa->ipf_authlk);
404 WRITE_ENTER(&softa->ipf_authlk);
406 * ipf_auth_rules is populated with the rules malloc'd
407 * above and only those.
409 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) {
410 fr->fr_next = softa->ipf_auth_rules;
411 softa->ipf_auth_rules = fr;
413 softa->ipf_auth_stats.fas_hits++;
415 softa->ipf_auth_used--;
416 softa->ipf_auth_replies--;
417 if (i == softa->ipf_auth_start) {
418 while (fra->fra_index == -1) {
421 if (i == softa->ipf_auth_size) {
423 fra = softa->ipf_auth;
425 softa->ipf_auth_start = i;
426 if (i == softa->ipf_auth_end)
429 if (softa->ipf_auth_start ==
430 softa->ipf_auth_end) {
431 softa->ipf_auth_next = 0;
432 softa->ipf_auth_start = 0;
433 softa->ipf_auth_end = 0;
436 RWLOCK_EXIT(&softa->ipf_authlk);
439 softa->ipf_auth_stats.fas_hits++;
443 if (i == softa->ipf_auth_size)
446 RWLOCK_EXIT(&softa->ipf_authlk);
447 softa->ipf_auth_stats.fas_miss++;
452 /* ------------------------------------------------------------------------ */
453 /* Function: ipf_auth_new */
454 /* Returns: int - 1 == success, 0 = did not put packet on auth queue */
455 /* Parameters: m(I) - pointer to mb_t with packet in it */
456 /* fin(I) - pointer to packet information */
458 /* Check if we have room in the auth array to hold details for another */
459 /* packet. If we do, store it and wake up any user programs which are */
460 /* waiting to hear about these events. */
461 /* ------------------------------------------------------------------------ */
467 ipf_main_softc_t *softc = fin->fin_main_soft;
468 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
469 #if defined(_KERNEL) && SOLARIS
470 qpktinfo_t *qpi = fin->fin_qpi;
473 #if !defined(sparc) && !defined(m68k)
478 if (softa->ipf_auth_lock)
481 WRITE_ENTER(&softa->ipf_authlk);
482 if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) ==
483 softa->ipf_auth_start) {
484 softa->ipf_auth_stats.fas_nospace++;
485 RWLOCK_EXIT(&softa->ipf_authlk);
489 softa->ipf_auth_stats.fas_added++;
490 softa->ipf_auth_used++;
491 i = softa->ipf_auth_end++;
492 if (softa->ipf_auth_end == softa->ipf_auth_size)
493 softa->ipf_auth_end = 0;
495 fra = softa->ipf_auth + i;
497 if (fin->fin_fr != NULL)
498 fra->fra_pass = fin->fin_fr->fr_flags;
501 fra->fra_age = softa->ipf_auth_defaultage;
502 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
503 fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED);
504 fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED);
505 #if !defined(sparc) && !defined(m68k)
507 * No need to copyback here as we want to undo the changes, not keep
511 # if SOLARIS && defined(_KERNEL)
512 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4))
518 ip->ip_len = htons(bo);
520 ip->ip_off = htons(bo);
523 #if SOLARIS && defined(_KERNEL)
524 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname);
525 m->b_rptr -= qpi->qpi_off;
526 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */
527 fra->fra_m = *fin->fin_mp;
528 fra->fra_info.fin_mp = &fra->fra_m;
529 softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp;
530 RWLOCK_EXIT(&softa->ipf_authlk);
531 cv_signal(&softa->ipf_auth_wait);
532 pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM);
534 softa->ipf_auth_pkts[i] = m;
535 RWLOCK_EXIT(&softa->ipf_authlk);
536 WAKEUP(&softa->ipf_auth_next, 0);
542 /* ------------------------------------------------------------------------ */
543 /* Function: ipf_auth_ioctl */
544 /* Returns: int - 0 == success, else error */
545 /* Parameters: data(IO) - pointer to ioctl data */
546 /* cmd(I) - ioctl command */
547 /* mode(I) - mode flags associated with open descriptor */
548 /* uid(I) - uid associatd with application making the call */
549 /* ctx(I) - pointer for context */
551 /* This function handles all of the ioctls recognised by the auth component */
552 /* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */
553 /* ------------------------------------------------------------------------ */
555 ipf_auth_ioctl(softc, data, cmd, mode, uid, ctx)
556 ipf_main_softc_t *softc;
562 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
574 error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER);
579 token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx);
581 error = ipf_auth_geniter(softc, token, &iter, &obj);
583 WRITE_ENTER(&softc->ipf_tokens);
584 ipf_token_deref(softc, token);
585 RWLOCK_EXIT(&softc->ipf_tokens);
596 if (!(mode & FWRITE)) {
600 error = frrequest(softc, IPL_LOGAUTH, cmd, data,
601 softc->ipf_active, 1);
605 if (!(mode & FWRITE)) {
609 error = ipf_lock(data, &softa->ipf_auth_lock);
614 softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries;
615 error = ipf_outobj(softc, data, &softa->ipf_auth_stats,
621 WRITE_ENTER(&softa->ipf_authlk);
622 i = ipf_auth_flush(softa);
623 RWLOCK_EXIT(&softa->ipf_authlk);
625 error = BCOPYOUT(&i, data, sizeof(i));
633 error = ipf_auth_wait(softc, softa, data);
637 error = ipf_auth_reply(softc, softa, data);
649 /* ------------------------------------------------------------------------ */
650 /* Function: ipf_auth_expire */
652 /* Parameters: None */
654 /* Slowly expire held auth records. Timeouts are set in expectation of */
655 /* this being called twice per second. */
656 /* ------------------------------------------------------------------------ */
658 ipf_auth_expire(softc)
659 ipf_main_softc_t *softc;
661 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
662 frauthent_t *fae, **faep;
663 frentry_t *fr, **frp;
669 if (softa->ipf_auth_lock)
672 WRITE_ENTER(&softa->ipf_authlk);
673 for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size;
676 if ((fra->fra_age == 0) &&
677 (softa->ipf_auth[i].fra_index != -1)) {
678 if ((m = softa->ipf_auth_pkts[i]) != NULL) {
680 softa->ipf_auth_pkts[i] = NULL;
681 } else if (softa->ipf_auth[i].fra_index == -2) {
682 softa->ipf_auth_replies--;
684 softa->ipf_auth[i].fra_index = -1;
685 softa->ipf_auth_stats.fas_expire++;
686 softa->ipf_auth_used--;
691 * Expire pre-auth rules
693 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) {
695 if (fae->fae_age == 0) {
696 ipf_auth_deref(&fae);
697 softa->ipf_auth_stats.fas_expire++;
699 faep = &fae->fae_next;
701 if (softa->ipf_auth_entries != NULL)
702 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr;
704 softa->ipf_auth_ip = NULL;
706 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) {
707 if (fr->fr_ref == 1) {
709 MUTEX_DESTROY(&fr->fr_lock);
714 RWLOCK_EXIT(&softa->ipf_authlk);
719 /* ------------------------------------------------------------------------ */
720 /* Function: ipf_auth_precmd */
721 /* Returns: int - 0 == success, else error */
722 /* Parameters: cmd(I) - ioctl command for rule */
723 /* fr(I) - pointer to ipf rule */
724 /* fptr(I) - pointer to caller's 'fr' */
726 /* ------------------------------------------------------------------------ */
728 ipf_auth_precmd(softc, cmd, fr, frptr)
729 ipf_main_softc_t *softc;
731 frentry_t *fr, **frptr;
733 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
734 frauthent_t *fae, **faep;
738 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
743 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) {
744 if (&fae->fae_fr == fr)
747 faep = &fae->fae_next;
750 if (cmd == (ioctlcmd_t)SIOCRMAFR) {
751 if (fr == NULL || frptr == NULL) {
755 } else if (fae == NULL) {
761 WRITE_ENTER(&softa->ipf_authlk);
762 *faep = fae->fae_next;
763 if (softa->ipf_auth_ip == &fae->fae_fr)
764 softa->ipf_auth_ip = softa->ipf_auth_entries ?
765 &softa->ipf_auth_entries->fae_fr : NULL;
766 RWLOCK_EXIT(&softa->ipf_authlk);
771 } else if (fr != NULL && frptr != NULL) {
772 KMALLOC(fae, frauthent_t *);
774 bcopy((char *)fr, (char *)&fae->fae_fr,
777 WRITE_ENTER(&softa->ipf_authlk);
778 fae->fae_age = softa->ipf_auth_defaultage;
779 fae->fae_fr.fr_hits = 0;
780 fae->fae_fr.fr_next = *frptr;
782 *frptr = &fae->fae_fr;
783 fae->fae_next = *faep;
785 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr;
786 RWLOCK_EXIT(&softa->ipf_authlk);
800 /* ------------------------------------------------------------------------ */
801 /* Function: ipf_auth_flush */
802 /* Returns: int - number of auth entries flushed */
803 /* Parameters: None */
804 /* Locks: WRITE(ipf_authlk) */
806 /* This function flushs the ipf_auth_pkts array of any packet data with */
807 /* references still there. */
808 /* It is expected that the caller has already acquired the correct locks or */
809 /* set the priority level correctly for this to block out other code paths */
810 /* into these data structures. */
811 /* ------------------------------------------------------------------------ */
816 ipf_auth_softc_t *softa = arg;
820 if (softa->ipf_auth_lock)
825 for (i = 0 ; i < softa->ipf_auth_size; i++) {
826 if (softa->ipf_auth[i].fra_index != -1) {
827 m = softa->ipf_auth_pkts[i];
830 softa->ipf_auth_pkts[i] = NULL;
833 softa->ipf_auth[i].fra_index = -1;
834 /* perhaps add & use a flush counter inst.*/
835 softa->ipf_auth_stats.fas_expire++;
840 softa->ipf_auth_start = 0;
841 softa->ipf_auth_end = 0;
842 softa->ipf_auth_next = 0;
843 softa->ipf_auth_used = 0;
844 softa->ipf_auth_replies = 0;
850 /* ------------------------------------------------------------------------ */
851 /* Function: ipf_auth_waiting */
852 /* Returns: int - number of packets in the auth queue */
853 /* Parameters: None */
855 /* Simple truth check to see if there are any packets waiting in the auth */
857 /* ------------------------------------------------------------------------ */
859 ipf_auth_waiting(softc)
860 ipf_main_softc_t *softc;
862 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
864 return (softa->ipf_auth_used != 0);
868 /* ------------------------------------------------------------------------ */
869 /* Function: ipf_auth_geniter */
870 /* Returns: int - 0 == success, else error */
871 /* Parameters: token(I) - pointer to ipftoken structure */
872 /* itp(I) - pointer to ipfgeniter structure */
873 /* objp(I) - pointer to ipf object destription */
875 /* Iterate through the list of entries in the auth queue list. */
876 /* objp is used here to get the location of where to do the copy out to. */
877 /* Stomping over various fields with new information will not harm anything */
878 /* ------------------------------------------------------------------------ */
880 ipf_auth_geniter(softc, token, itp, objp)
881 ipf_main_softc_t *softc;
886 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
887 frauthent_t *fae, *next, zero;
890 if (itp->igi_data == NULL) {
895 if (itp->igi_type != IPFGENITER_AUTH) {
900 objp->ipfo_type = IPFOBJ_FRAUTH;
901 objp->ipfo_ptr = itp->igi_data;
902 objp->ipfo_size = sizeof(frauth_t);
904 READ_ENTER(&softa->ipf_authlk);
906 fae = token->ipt_data;
908 next = softa->ipf_auth_entries;
910 next = fae->fae_next;
914 * If we found an auth entry to use, bump its reference count
915 * so that it can be used for is_next when we come back.
918 ATOMIC_INC(next->fae_ref);
919 token->ipt_data = next;
921 bzero(&zero, sizeof(zero));
923 token->ipt_data = NULL;
926 RWLOCK_EXIT(&softa->ipf_authlk);
928 error = ipf_outobjk(softc, objp, next);
930 ipf_auth_deref_unlocked(softa, &fae);
932 if (next->fae_next == NULL)
933 ipf_token_mark_complete(token);
938 /* ------------------------------------------------------------------------ */
939 /* Function: ipf_auth_deref_unlocked */
941 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */
943 /* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */
945 /* ------------------------------------------------------------------------ */
947 ipf_auth_deref_unlocked(softa, faep)
948 ipf_auth_softc_t *softa;
951 WRITE_ENTER(&softa->ipf_authlk);
952 ipf_auth_deref(faep);
953 RWLOCK_EXIT(&softa->ipf_authlk);
957 /* ------------------------------------------------------------------------ */
958 /* Function: ipf_auth_deref */
960 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */
961 /* Locks: WRITE(ipf_authlk) */
963 /* This function unconditionally sets the pointer in the caller to NULL, */
964 /* to make it clear that it should no longer use that pointer, and drops */
965 /* the reference count on the structure by 1. If it reaches 0, free it up. */
966 /* ------------------------------------------------------------------------ */
977 if (fae->fae_ref == 0) {
983 /* ------------------------------------------------------------------------ */
984 /* Function: ipf_auth_wait_pkt */
985 /* Returns: int - 0 == success, else error */
986 /* Parameters: data(I) - pointer to data from ioctl call */
988 /* This function is called when an application is waiting for a packet to */
989 /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */
990 /* a packet waiting on the queue then we will return that _one_ immediately.*/
991 /* If there are no packets present in the queue (ipf_auth_pkts) then we go */
993 /* ------------------------------------------------------------------------ */
995 ipf_auth_wait(softc, softa, data)
996 ipf_main_softc_t *softc;
997 ipf_auth_softc_t *softa;
1000 frauth_t auth, *au = &auth;
1007 error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH);
1012 * XXX Locks are held below over calls to copyout...a better
1013 * solution needs to be found so this isn't necessary. The situation
1014 * we are trying to guard against here is an error in the copyout
1015 * steps should not cause the packet to "disappear" from the queue.
1018 READ_ENTER(&softa->ipf_authlk);
1021 * If ipf_auth_next is not equal to ipf_auth_end it will be because
1022 * there is a packet waiting to be delt with in the ipf_auth_pkts
1023 * array. We copy as much of that out to user space as requested.
1025 if (softa->ipf_auth_used > 0) {
1026 while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) {
1027 softa->ipf_auth_next++;
1028 if (softa->ipf_auth_next == softa->ipf_auth_size)
1029 softa->ipf_auth_next = 0;
1032 error = ipf_outobj(softc, data,
1033 &softa->ipf_auth[softa->ipf_auth_next],
1036 RWLOCK_EXIT(&softa->ipf_authlk);
1041 if (auth.fra_len != 0 && auth.fra_buf != NULL) {
1043 * Copy packet contents out to user space if
1044 * requested. Bail on an error.
1046 m = softa->ipf_auth_pkts[softa->ipf_auth_next];
1048 if (len > auth.fra_len)
1052 for (t = auth.fra_buf; m && (len > 0); ) {
1053 i = MIN(M_LEN(m), len);
1054 error = copyoutptr(softc, MTOD(m, char *),
1059 RWLOCK_EXIT(&softa->ipf_authlk);
1066 RWLOCK_EXIT(&softa->ipf_authlk);
1069 WRITE_ENTER(&softa->ipf_authlk);
1070 softa->ipf_auth_next++;
1071 if (softa->ipf_auth_next == softa->ipf_auth_size)
1072 softa->ipf_auth_next = 0;
1073 RWLOCK_EXIT(&softa->ipf_authlk);
1078 RWLOCK_EXIT(&softa->ipf_authlk);
1081 MUTEX_ENTER(&softa->ipf_auth_mx);
1085 if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) {
1089 # else /* SOLARIS */
1090 error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next");
1091 # endif /* SOLARIS */
1093 MUTEX_EXIT(&softa->ipf_auth_mx);
1095 goto ipf_auth_ioctlloop;
1100 /* ------------------------------------------------------------------------ */
1101 /* Function: ipf_auth_reply */
1102 /* Returns: int - 0 == success, else error */
1103 /* Parameters: data(I) - pointer to data from ioctl call */
1105 /* This function is called by an application when it wants to return a */
1106 /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */
1107 /* received information using an SIOCAUTHW. The decision returned in the */
1108 /* form of flags, the same as those used in each rule. */
1109 /* ------------------------------------------------------------------------ */
1111 ipf_auth_reply(softc, softa, data)
1112 ipf_main_softc_t *softc;
1113 ipf_auth_softc_t *softa;
1116 frauth_t auth, *au = &auth, *fra;
1122 error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH);
1127 WRITE_ENTER(&softa->ipf_authlk);
1130 fra = softa->ipf_auth + i;
1134 * Check the validity of the information being returned with two simple
1135 * checks. First, the auth index value should be within the size of
1136 * the array and second the packet id being returned should also match.
1138 if ((i < 0) || (i >= softa->ipf_auth_size)) {
1139 RWLOCK_EXIT(&softa->ipf_authlk);
1144 if (fra->fra_info.fin_id != au->fra_info.fin_id) {
1145 RWLOCK_EXIT(&softa->ipf_authlk);
1151 m = softa->ipf_auth_pkts[i];
1152 fra->fra_index = -2;
1153 fra->fra_pass = au->fra_pass;
1154 softa->ipf_auth_pkts[i] = NULL;
1155 softa->ipf_auth_replies++;
1156 bcopy(&fra->fra_info, &fin, sizeof(fin));
1158 RWLOCK_EXIT(&softa->ipf_authlk);
1161 * Re-insert the packet back into the packet stream flowing through
1162 * the kernel in a manner that will mean IPFilter sees the packet
1163 * again. This is not the same as is done with fastroute,
1164 * deliberately, as we want to resume the normal packet processing
1168 if ((m != NULL) && (au->fra_info.fin_out != 0)) {
1169 error = ipf_inject(&fin, m);
1173 softa->ipf_auth_stats.fas_sendfail++;
1175 softa->ipf_auth_stats.fas_sendok++;
1178 error = ipf_inject(&fin, m);
1182 softa->ipf_auth_stats.fas_quefail++;
1184 softa->ipf_auth_stats.fas_queok++;
1192 * If we experience an error which will result in the packet
1193 * not being processed, make sure we advance to the next one.
1195 if (error == ENOBUFS) {
1196 WRITE_ENTER(&softa->ipf_authlk);
1197 softa->ipf_auth_used--;
1198 fra->fra_index = -1;
1200 if (i == softa->ipf_auth_start) {
1201 while (fra->fra_index == -1) {
1203 if (i == softa->ipf_auth_size)
1205 softa->ipf_auth_start = i;
1206 if (i == softa->ipf_auth_end)
1209 if (softa->ipf_auth_start == softa->ipf_auth_end) {
1210 softa->ipf_auth_next = 0;
1211 softa->ipf_auth_start = 0;
1212 softa->ipf_auth_end = 0;
1215 RWLOCK_EXIT(&softa->ipf_authlk);
1217 #endif /* _KERNEL */
1225 ipf_auth_pre_scanlist(softc, fin, pass)
1226 ipf_main_softc_t *softc;
1230 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
1232 if (softa->ipf_auth_ip != NULL)
1233 return ipf_scanlist(fin, softc->ipf_pass);
1240 ipf_auth_rulehead(softc)
1241 ipf_main_softc_t *softc;
1243 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
1245 return &softa->ipf_auth_ip;