2 * Copyright (C) 1997 by Darren Reed & Guido van Rooij.
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
9 static const char rcsid[] = "@(#)$Id: ip_auth.c,v 1.2 1998/03/21 11:33:59 peter Exp $";
12 #if defined(KERNEL) && !defined(_KERNEL)
15 #define __FreeBSD_version 300000 /* just a hack - no <sys/osreldate.h> */
17 #if !defined(_KERNEL) && !defined(KERNEL)
21 #include <sys/errno.h>
22 #include <sys/types.h>
23 #include <sys/param.h>
26 #if defined(KERNEL) && (__FreeBSD_version >= 220000)
27 # include <sys/filio.h>
28 # include <sys/fcntl.h>
30 # include <sys/ioctl.h>
34 # include <sys/protosw.h>
36 #include <sys/socket.h>
37 #if defined(_KERNEL) && !defined(linux)
38 # include <sys/systm.h>
40 #if !defined(__SVR4) && !defined(__svr4__)
42 # include <sys/mbuf.h>
45 # include <sys/filio.h>
46 # include <sys/byteorder.h>
47 # include <sys/dditypes.h>
48 # include <sys/stream.h>
49 # include <sys/kmem.h>
51 #if defined(KERNEL) && (__FreeBSD_version >= 300000)
52 # include <sys/malloc.h>
54 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
55 # include <machine/cpu.h>
61 #if !defined(KERNEL) && (__FreeBSD_version >= 300000)
62 # include <net/if_var.h>
64 #include <net/route.h>
65 #include <netinet/in.h>
66 #include <netinet/in_systm.h>
67 #include <netinet/ip.h>
73 # include <netinet/ip_var.h>
79 # ifdef IFF_DRVRLOCK /* IRIX6 */
80 #include <sys/hashing.h>
83 #include <netinet/tcp.h>
84 #if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
85 extern struct ifqueue ipintrq; /* ip packet input queue */
88 # include <netinet/in_var.h>
89 # include <netinet/tcp_fsm.h>
92 #include <netinet/udp.h>
93 #include <netinet/ip_icmp.h>
94 #include "netinet/ip_compat.h"
95 #include <netinet/tcpip.h>
96 #include "netinet/ip_fil.h"
97 #include "netinet/ip_auth.h"
98 #if !SOLARIS && !defined(linux)
99 # include <net/netisr.h>
103 #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
104 extern kmutex_t ipf_auth;
106 extern kcondvar_t ipfauthwait;
110 static struct wait_queue *ipfauthwait = NULL;
113 int fr_authsize = FR_NUMAUTH;
115 int fr_defaultauthage = 600;
116 fr_authstat_t fr_authstats;
117 frauth_t fr_auth[FR_NUMAUTH];
118 mb_t *fr_authpkts[FR_NUMAUTH];
119 int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
120 frauthent_t *fae_list = NULL;
121 frentry_t *ipauth = NULL;
125 * Check if a packet has authorization. If the packet is found to match an
126 * authorization result and that would result in a feedback loop (i.e. it
127 * will end up returning FR_AUTH) then return FR_BLOCK instead.
129 int fr_checkauth(ip, fin)
133 u_short id = ip->ip_id;
137 MUTEX_ENTER(&ipf_auth);
138 for (i = fr_authstart; i != fr_authend; ) {
140 * index becomes -2 only after an SIOCAUTHW. Check this in
141 * case the same packet gets sent again and it hasn't yet been
144 if ((fr_auth[i].fra_index == -2) &&
145 (id == fr_auth[i].fra_info.fin_id) &&
146 !bcmp((char *)fin,(char *)&fr_auth[i].fra_info,FI_CSIZE)) {
148 * Avoid feedback loop.
150 if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH))
152 fr_authstats.fas_hits++;
153 fr_auth[i].fra_index = -1;
155 if (i == fr_authstart) {
156 while (fr_auth[i].fra_index == -1) {
164 if (fr_authstart == fr_authend) {
166 fr_authstart = fr_authend = 0;
169 MUTEX_EXIT(&ipf_auth);
176 fr_authstats.fas_miss++;
177 MUTEX_EXIT(&ipf_auth);
183 * Check if we have room in the auth array to hold details for another packet.
184 * If we do, store it and wake up any user programs which are waiting to
185 * hear about these events.
187 int fr_newauth(m, fin, ip
188 #if defined(_KERNEL) && SOLARIS
200 MUTEX_ENTER(&ipf_auth);
201 if ((fr_authstart > fr_authend) && (fr_authstart - fr_authend == -1)) {
202 fr_authstats.fas_nospace++;
203 MUTEX_EXIT(&ipf_auth);
206 if (fr_authend - fr_authstart == FR_NUMAUTH - 1) {
207 fr_authstats.fas_nospace++;
208 MUTEX_EXIT(&ipf_auth);
212 fr_authstats.fas_added++;
215 if (fr_authend == FR_NUMAUTH)
217 MUTEX_EXIT(&ipf_auth);
218 fr_auth[i].fra_index = i;
219 fr_auth[i].fra_pass = 0;
220 fr_auth[i].fra_age = fr_defaultauthage;
221 bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin));
222 #if !defined(sparc) && !defined(m68k)
224 * No need to copyback here as we want to undo the changes, not keep
227 # if SOLARIS && defined(_KERNEL)
228 if (ip == (ip_t *)m->b_rptr)
234 ip->ip_len = htons(bo);
235 # if !SOLARIS /* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
237 ip->ip_id = htons(bo);
240 ip->ip_off = htons(bo);
243 #if SOLARIS && defined(_KERNEL)
244 m->b_rptr -= qif->qf_off;
245 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
246 fr_auth[i].fra_q = qif->qf_q;
247 cv_signal(&ipfauthwait);
250 # if defined(linux) && defined(_KERNEL)
251 wake_up_interruptible(&ipfauthwait);
253 WAKEUP(&fr_authnext);
260 int fr_auth_ioctl(data, cmd, fr, frptr)
262 #if defined(__NetBSD__) || defined(__OpenBSD__)
267 frentry_t *fr, **frptr;
276 frauth_t auth, *au = &auth;
277 frauthent_t *fae, **faep;
290 for (faep = &fae_list; (fae = *faep); )
291 if (&fae->fae_fr == fr)
294 faep = &fae->fae_next;
295 if (cmd == SIOCRMAFR) {
299 *faep = fae->fae_next;
300 *frptr = fr->fr_next;
304 KMALLOC(fae, frauthent_t *, sizeof(*fae));
306 IRCOPY((char *)data, (char *)&fae->fae_fr,
307 sizeof(fae->fae_fr));
309 fae->fae_age = fr_defaultauthage;
310 fae->fae_fr.fr_hits = 0;
311 fae->fae_fr.fr_next = *frptr;
312 *frptr = &fae->fae_fr;
313 fae->fae_next = *faep;
320 IWCOPY((char *)&fr_authstats, data, sizeof(fr_authstats));
324 MUTEX_ENTER(&ipf_auth);
325 if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
326 IWCOPY((char *)&fr_auth[fr_authnext++], data,
328 if (fr_authnext == FR_NUMAUTH)
330 MUTEX_EXIT(&ipf_auth);
335 if (!cv_wait_sig(&ipfauthwait, &ipf_auth)) {
336 mutex_exit(&ipf_auth);
341 interruptible_sleep_on(&ipfauthwait);
342 if (current->signal & ~current->blocked)
345 error = SLEEP(&fr_authnext, "fr_authnext");
349 MUTEX_EXIT(&ipf_auth);
351 goto fr_authioctlloop;
354 IRCOPY(data, (caddr_t)&auth, sizeof(auth));
355 MUTEX_ENTER(&ipf_auth);
357 if ((i < 0) || (i > FR_NUMAUTH) ||
358 (fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) {
359 MUTEX_EXIT(&ipf_auth);
363 fr_auth[i].fra_index = -2;
364 fr_auth[i].fra_pass = au->fra_pass;
365 fr_authpkts[i] = NULL;
367 MUTEX_EXIT(&ipf_auth);
370 if (m && au->fra_info.fin_out) {
372 error = fr_qout(fr_auth[i].fra_q, m);
374 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
375 # endif /* SOLARIS */
377 fr_authstats.fas_sendfail++;
379 fr_authstats.fas_sendok++;
382 error = fr_qin(fr_auth[i].fra_q, m);
391 schednetisr(NETISR_IP);
393 # endif /* SOLARIS */
395 fr_authstats.fas_quefail++;
397 fr_authstats.fas_queok++;
406 * If we experience an error which will result in the packet
407 * not being processed, make sure we advance to the next one.
409 if (error == ENOBUFS) {
411 fr_auth[i].fra_index = -1;
412 fr_auth[i].fra_pass = 0;
413 if (i == fr_authstart) {
414 while (fr_auth[i].fra_index == -1) {
422 if (fr_authstart == fr_authend) {
424 fr_authstart = fr_authend = 0;
442 * Free all network buffer memory used to keep saved packets.
447 register frauthent_t *fae, **faep;
450 MUTEX_ENTER(&ipf_auth);
451 for (i = 0; i < FR_NUMAUTH; i++) {
452 if ((m = fr_authpkts[i])) {
454 fr_authpkts[i] = NULL;
455 fr_auth[i].fra_index = -1;
460 for (faep = &fae_list; (fae = *faep); ) {
461 *faep = fae->fae_next;
464 MUTEX_EXIT(&ipf_auth);
469 * Slowly expire held auth records. Timeouts are set
470 * in expectation of this being called twice per second.
475 register frauth_t *fra;
476 register frauthent_t *fae, **faep;
483 MUTEX_ENTER(&ipf_auth);
484 for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
485 if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
487 fr_authpkts[i] = NULL;
488 fr_auth[i].fra_index = -1;
489 fr_authstats.fas_expire++;
494 for (faep = &fae_list; (fae = *faep); ) {
495 if (!--fra->fra_age) {
496 *faep = fae->fae_next;
498 fr_authstats.fas_expire++;
500 faep = &fae->fae_next;
502 MUTEX_EXIT(&ipf_auth);