2 * Copyright (C) 1998 by Darren Reed & Guido van Rooij.
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
9 /*static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.2 2000/01/16 10:12:14 darrenr Exp $";*/
10 static const char rcsid[] = "@(#)$FreeBSD$";
13 #include <sys/errno.h>
14 #include <sys/types.h>
15 #include <sys/param.h>
18 #if !defined(_KERNEL) && !defined(KERNEL)
23 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
24 # include <sys/filio.h>
25 # include <sys/fcntl.h>
27 # include <sys/ioctl.h>
31 # include <sys/protosw.h>
33 #include <sys/socket.h>
34 #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
35 # include <sys/systm.h>
37 #if !defined(__SVR4) && !defined(__svr4__)
39 # include <sys/mbuf.h>
42 # include <sys/filio.h>
43 # include <sys/byteorder.h>
45 # include <sys/dditypes.h>
47 # include <sys/stream.h>
48 # include <sys/kmem.h>
50 #if _BSDI_VERSION >= 199802
51 # include <sys/queue.h>
53 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
54 # include <machine/cpu.h>
60 #include <net/route.h>
61 #include <netinet/in.h>
62 #include <netinet/in_systm.h>
63 #include <netinet/ip.h>
69 # include <netinet/ip_var.h>
75 # ifdef IFF_DRVRLOCK /* IRIX6 */
76 # include <sys/hashing.h>
79 #include <netinet/tcp.h>
80 #if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
81 extern struct ifqueue ipintrq; /* ip packet input queue */
84 # if __FreeBSD_version >= 300000
85 # include <net/if_var.h>
87 # include <netinet/in_var.h>
88 # include <netinet/tcp_fsm.h>
91 #include <netinet/udp.h>
92 #include <netinet/ip_icmp.h>
93 #include "netinet/ip_compat.h"
94 #include <netinet/tcpip.h>
95 #include "netinet/ip_fil.h"
96 #include "netinet/ip_auth.h"
97 #if !SOLARIS && !defined(linux)
98 # include <net/netisr.h>
100 # include <machine/cpufunc.h>
103 #if (__FreeBSD_version >= 300000)
104 # include <sys/malloc.h>
105 # if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
106 # include <sys/libkern.h>
107 # include <sys/systm.h>
113 #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
114 extern KRWLOCK_T ipf_auth;
115 extern kmutex_t ipf_authmx;
117 extern kcondvar_t ipfauthwait;
121 static struct wait_queue *ipfauthwait = NULL;
124 int fr_authsize = FR_NUMAUTH;
126 int fr_defaultauthage = 600;
127 fr_authstat_t fr_authstats;
128 frauth_t fr_auth[FR_NUMAUTH];
129 mb_t *fr_authpkts[FR_NUMAUTH];
130 int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
131 frauthent_t *fae_list = NULL;
132 frentry_t *ipauth = NULL;
136 * Check if a packet has authorization. If the packet is found to match an
137 * authorization result and that would result in a feedback loop (i.e. it
138 * will end up returning FR_AUTH) then return FR_BLOCK instead.
140 u_32_t fr_checkauth(ip, fin)
144 u_short id = ip->ip_id;
148 READ_ENTER(&ipf_auth);
149 for (i = fr_authstart; i != fr_authend; ) {
151 * index becomes -2 only after an SIOCAUTHW. Check this in
152 * case the same packet gets sent again and it hasn't yet been
155 if ((fr_auth[i].fra_index == -2) &&
156 (id == fr_auth[i].fra_info.fin_id) &&
157 !bcmp((char *)fin,(char *)&fr_auth[i].fra_info,FI_CSIZE)) {
159 * Avoid feedback loop.
161 if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH))
163 RWLOCK_EXIT(&ipf_auth);
164 WRITE_ENTER(&ipf_auth);
165 fr_authstats.fas_hits++;
166 fr_auth[i].fra_index = -1;
168 if (i == fr_authstart) {
169 while (fr_auth[i].fra_index == -1) {
177 if (fr_authstart == fr_authend) {
179 fr_authstart = fr_authend = 0;
182 RWLOCK_EXIT(&ipf_auth);
189 fr_authstats.fas_miss++;
190 RWLOCK_EXIT(&ipf_auth);
196 * Check if we have room in the auth array to hold details for another packet.
197 * If we do, store it and wake up any user programs which are waiting to
198 * hear about these events.
200 int fr_newauth(m, fin, ip
201 #if defined(_KERNEL) && SOLARIS
213 WRITE_ENTER(&ipf_auth);
214 if (fr_authstart > fr_authend) {
215 fr_authstats.fas_nospace++;
216 RWLOCK_EXIT(&ipf_auth);
219 if ((fr_authstart == 0) && (fr_authend == FR_NUMAUTH - 1)) {
220 fr_authstats.fas_nospace++;
221 RWLOCK_EXIT(&ipf_auth);
226 fr_authstats.fas_added++;
229 if (fr_authend == FR_NUMAUTH)
231 RWLOCK_EXIT(&ipf_auth);
232 fr_auth[i].fra_index = i;
233 fr_auth[i].fra_pass = 0;
234 fr_auth[i].fra_age = fr_defaultauthage;
235 bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin));
236 #if !defined(sparc) && !defined(m68k)
238 * No need to copyback here as we want to undo the changes, not keep
241 # if SOLARIS && defined(_KERNEL)
242 if (ip == (ip_t *)m->b_rptr)
248 ip->ip_len = htons(bo);
249 # if !SOLARIS /* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
251 ip->ip_id = htons(bo);
254 ip->ip_off = htons(bo);
257 #if SOLARIS && defined(_KERNEL)
258 m->b_rptr -= qif->qf_off;
259 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
260 fr_auth[i].fra_q = qif->qf_q;
261 cv_signal(&ipfauthwait);
264 # if defined(linux) && defined(_KERNEL)
265 wake_up_interruptible(&ipfauthwait);
267 WAKEUP(&fr_authnext);
274 int fr_auth_ioctl(data, cmd, fr, frptr)
276 #if defined(__NetBSD__) || defined(__OpenBSD__)
281 frentry_t *fr, **frptr;
290 frauth_t auth, *au = &auth;
291 frauthent_t *fae, **faep;
304 for (faep = &fae_list; (fae = *faep); )
305 if (&fae->fae_fr == fr)
308 faep = &fae->fae_next;
309 if (cmd == SIOCRMAFR) {
313 WRITE_ENTER(&ipf_auth);
314 *faep = fae->fae_next;
315 *frptr = fr->fr_next;
316 RWLOCK_EXIT(&ipf_auth);
320 KMALLOC(fae, frauthent_t *);
322 IRCOPY((char *)data, (char *)&fae->fae_fr,
323 sizeof(fae->fae_fr));
324 WRITE_ENTER(&ipf_auth);
325 fae->fae_age = fr_defaultauthage;
326 fae->fae_fr.fr_hits = 0;
327 fae->fae_fr.fr_next = *frptr;
328 *frptr = &fae->fae_fr;
329 fae->fae_next = *faep;
331 ipauth = &fae_list->fae_fr;
332 RWLOCK_EXIT(&ipf_auth);
338 READ_ENTER(&ipf_auth);
339 fr_authstats.fas_faelist = fae_list;
340 RWLOCK_EXIT(&ipf_auth);
341 IWCOPY((char *)&fr_authstats, data, sizeof(fr_authstats));
345 READ_ENTER(&ipf_auth);
346 if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
347 IWCOPY((char *)&fr_auth[fr_authnext], data,
349 RWLOCK_EXIT(&ipf_auth);
350 WRITE_ENTER(&ipf_auth);
352 if (fr_authnext == FR_NUMAUTH)
354 RWLOCK_EXIT(&ipf_auth);
359 mutex_enter(&ipf_authmx);
360 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
361 mutex_exit(&ipf_authmx);
364 mutex_exit(&ipf_authmx);
367 interruptible_sleep_on(&ipfauthwait);
368 if (current->signal & ~current->blocked)
371 error = SLEEP(&fr_authnext, "fr_authnext");
375 RWLOCK_EXIT(&ipf_auth);
377 goto fr_authioctlloop;
380 IRCOPY(data, (caddr_t)&auth, sizeof(auth));
381 WRITE_ENTER(&ipf_auth);
383 if ((i < 0) || (i > FR_NUMAUTH) ||
384 (fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) {
385 RWLOCK_EXIT(&ipf_auth);
389 fr_auth[i].fra_index = -2;
390 fr_auth[i].fra_pass = au->fra_pass;
391 fr_authpkts[i] = NULL;
393 RWLOCK_EXIT(&ipf_auth);
396 if (m && au->fra_info.fin_out) {
398 error = fr_qout(fr_auth[i].fra_q, m);
400 # if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__)
401 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
404 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
406 # endif /* SOLARIS */
408 fr_authstats.fas_sendfail++;
410 fr_authstats.fas_sendok++;
413 error = fr_qin(fr_auth[i].fra_q, m);
422 schednetisr(NETISR_IP);
424 # endif /* SOLARIS */
426 fr_authstats.fas_quefail++;
428 fr_authstats.fas_queok++;
437 * If we experience an error which will result in the packet
438 * not being processed, make sure we advance to the next one.
440 if (error == ENOBUFS) {
442 fr_auth[i].fra_index = -1;
443 fr_auth[i].fra_pass = 0;
444 if (i == fr_authstart) {
445 while (fr_auth[i].fra_index == -1) {
453 if (fr_authstart == fr_authend) {
455 fr_authstart = fr_authend = 0;
473 * Free all network buffer memory used to keep saved packets.
478 register frauthent_t *fae, **faep;
481 WRITE_ENTER(&ipf_auth);
482 for (i = 0; i < FR_NUMAUTH; i++) {
483 if ((m = fr_authpkts[i])) {
485 fr_authpkts[i] = NULL;
486 fr_auth[i].fra_index = -1;
491 for (faep = &fae_list; (fae = *faep); ) {
492 *faep = fae->fae_next;
496 RWLOCK_EXIT(&ipf_auth);
501 * Slowly expire held auth records. Timeouts are set
502 * in expectation of this being called twice per second.
507 register frauth_t *fra;
508 register frauthent_t *fae, **faep;
515 WRITE_ENTER(&ipf_auth);
516 for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
517 if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
519 fr_authpkts[i] = NULL;
520 fr_auth[i].fra_index = -1;
521 fr_authstats.fas_expire++;
526 for (faep = &fae_list; (fae = *faep); ) {
527 if (!--fae->fae_age) {
528 *faep = fae->fae_next;
530 fr_authstats.fas_expire++;
532 faep = &fae->fae_next;
534 ipauth = &fae_list->fae_fr;
535 RWLOCK_EXIT(&ipf_auth);