4 * Copyright (C) 1997-2003 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
8 #if defined(KERNEL) || defined(_KERNEL)
14 #include <sys/errno.h>
15 #include <sys/types.h>
16 #include <sys/param.h>
20 # include <sys/fcntl.h>
22 #if !defined(_KERNEL) && !defined(__KERNEL__)
35 # include <sys/protosw.h>
37 #include <sys/socket.h>
39 # if !defined(__NetBSD__) && !defined(sun) && !defined(__osf__) && \
40 !defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi) && \
42 # include <sys/ctype.h>
44 # include <sys/systm.h>
45 # if !defined(__SVR4) && !defined(__svr4__)
46 # include <sys/mbuf.h>
49 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
50 # include <sys/filio.h>
51 # include <sys/fcntl.h>
52 # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
53 # include "opt_ipfilter.h"
56 # include <sys/ioctl.h>
58 #if defined(__SVR4) || defined(__svr4__)
59 # include <sys/byteorder.h>
61 # include <sys/dditypes.h>
63 # include <sys/stream.h>
64 # include <sys/kmem.h>
67 # include <sys/queue.h>
73 #include <net/route.h>
74 #include <netinet/in.h>
75 #include <netinet/in_systm.h>
76 #include <netinet/ip.h>
78 # include <netinet/ip_var.h>
80 #include <netinet/tcp.h>
81 #include <netinet/udp.h>
82 #include <netinet/ip_icmp.h>
83 #include "netinet/ip_compat.h"
84 #include <netinet/tcpip.h>
85 #include "netinet/ip_fil.h"
86 #include "netinet/ip_nat.h"
87 #include "netinet/ip_state.h"
88 #include "netinet/ip_proxy.h"
89 #if (__FreeBSD_version >= 300000)
90 # include <sys/malloc.h>
93 #include "netinet/ip_ftp_pxy.c"
94 #include "netinet/ip_rcmd_pxy.c"
95 # include "netinet/ip_pptp_pxy.c"
97 # include "netinet/ip_irc_pxy.c"
98 # include "netinet/ip_raudio_pxy.c"
99 # include "netinet/ip_netbios_pxy.c"
101 #include "netinet/ip_ipsec_pxy.c"
102 #include "netinet/ip_rpcb_pxy.c"
104 /* END OF INCLUDES */
107 static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.62.2.20 2007/05/31 12:27:36 darrenr Exp $";
110 static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
112 #define AP_SESS_SIZE 53
115 int ipf_proxy_debug = 0;
117 int ipf_proxy_debug = 2;
119 ap_session_t *ap_sess_tab[AP_SESS_SIZE];
120 ap_session_t *ap_sess_list = NULL;
121 aproxy_t *ap_proxylist = NULL;
122 aproxy_t ap_proxies[] = {
124 { NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, ippr_ftp_fini,
125 ippr_ftp_new, NULL, ippr_ftp_in, ippr_ftp_out, NULL, NULL },
128 { NULL, "irc", (char)IPPROTO_TCP, 0, 0, ippr_irc_init, ippr_irc_fini,
129 ippr_irc_new, NULL, NULL, ippr_irc_out, NULL, NULL },
131 #ifdef IPF_RCMD_PROXY
132 { NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, ippr_rcmd_fini,
133 ippr_rcmd_new, NULL, ippr_rcmd_in, ippr_rcmd_out, NULL, NULL },
135 #ifdef IPF_RAUDIO_PROXY
136 { NULL, "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, ippr_raudio_fini,
137 ippr_raudio_new, NULL, ippr_raudio_in, ippr_raudio_out, NULL, NULL },
139 #ifdef IPF_MSNRPC_PROXY
140 { NULL, "msnrpc", (char)IPPROTO_TCP, 0, 0, ippr_msnrpc_init, ippr_msnrpc_fini,
141 ippr_msnrpc_new, NULL, ippr_msnrpc_in, ippr_msnrpc_out, NULL, NULL },
143 #ifdef IPF_NETBIOS_PROXY
144 { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, ippr_netbios_fini,
145 NULL, NULL, NULL, ippr_netbios_out, NULL, NULL },
147 #ifdef IPF_IPSEC_PROXY
148 { NULL, "ipsec", (char)IPPROTO_UDP, 0, 0,
149 ippr_ipsec_init, ippr_ipsec_fini, ippr_ipsec_new, ippr_ipsec_del,
150 ippr_ipsec_inout, ippr_ipsec_inout, ippr_ipsec_match, NULL },
152 #ifdef IPF_PPTP_PROXY
153 { NULL, "pptp", (char)IPPROTO_TCP, 0, 0,
154 ippr_pptp_init, ippr_pptp_fini, ippr_pptp_new, ippr_pptp_del,
155 ippr_pptp_inout, ippr_pptp_inout, NULL, NULL },
157 #ifdef IPF_H323_PROXY
158 { NULL, "h323", (char)IPPROTO_TCP, 0, 0, ippr_h323_init, ippr_h323_fini,
159 ippr_h323_new, ippr_h323_del, ippr_h323_in, NULL, NULL, NULL },
160 { NULL, "h245", (char)IPPROTO_TCP, 0, 0, NULL, NULL,
161 ippr_h245_new, NULL, NULL, ippr_h245_out, NULL, NULL },
163 #ifdef IPF_RPCB_PROXY
165 { NULL, "rpcbt", (char)IPPROTO_TCP, 0, 0,
166 ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del,
167 ippr_rpcb_in, ippr_rpcb_out, NULL, NULL },
169 { NULL, "rpcbu", (char)IPPROTO_UDP, 0, 0,
170 ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del,
171 ippr_rpcb_in, ippr_rpcb_out, NULL, NULL },
173 { NULL, "", '\0', 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }
177 * Dynamically add a new kernel proxy. Ensure that it is unique in the
178 * collection compiled in and dynamically added.
185 for (a = ap_proxies; a->apr_p; a++)
186 if ((a->apr_p == ap->apr_p) &&
187 !strncmp(a->apr_label, ap->apr_label,
188 sizeof(ap->apr_label))) {
189 if (ipf_proxy_debug > 1)
190 printf("appr_add: %s/%d already present (B)\n",
191 a->apr_label, a->apr_p);
195 for (a = ap_proxylist; (a != NULL); a = a->apr_next)
196 if ((a->apr_p == ap->apr_p) &&
197 !strncmp(a->apr_label, ap->apr_label,
198 sizeof(ap->apr_label))) {
199 if (ipf_proxy_debug > 1)
200 printf("appr_add: %s/%d already present (D)\n",
201 a->apr_label, a->apr_p);
204 ap->apr_next = ap_proxylist;
206 if (ap->apr_init != NULL)
207 return (*ap->apr_init)();
213 * Check to see if the proxy this control request has come through for
214 * exists, and if it does and it has a control function then invoke that
223 a = appr_lookup(ctl->apc_p, ctl->apc_label);
225 if (ipf_proxy_debug > 1)
226 printf("appr_ctl: can't find %s/%d\n",
227 ctl->apc_label, ctl->apc_p);
229 } else if (a->apr_ctl == NULL) {
230 if (ipf_proxy_debug > 1)
231 printf("appr_ctl: no ctl function for %s/%d\n",
232 ctl->apc_label, ctl->apc_p);
235 error = (*a->apr_ctl)(a, ctl);
236 if ((error != 0) && (ipf_proxy_debug > 1))
237 printf("appr_ctl: %s/%d ctl error %d\n",
238 a->apr_label, a->apr_p, error);
245 * Delete a proxy that has been added dynamically from those available.
246 * If it is in use, return 1 (do not destroy NOW), not in use 0 or -1
247 * if it cannot be matched.
254 for (app = &ap_proxylist; ((a = *app) != NULL); app = &a->apr_next)
256 a->apr_flags |= APR_DELETE;
258 if (ap->apr_ref != 0) {
259 if (ipf_proxy_debug > 2)
260 printf("appr_del: orphaning %s/%d\n",
261 ap->apr_label, ap->apr_p);
266 if (ipf_proxy_debug > 1)
267 printf("appr_del: proxy %lx not found\n", (u_long)ap);
273 * Return 1 if the packet is a good match against a proxy, else 0.
275 int appr_ok(fin, tcp, nat)
280 aproxy_t *apr = nat->in_apr;
281 u_short dport = nat->in_dport;
283 if ((apr == NULL) || (apr->apr_flags & APR_DELETE) ||
284 (fin->fin_p != apr->apr_p))
286 if ((tcp == NULL) && dport)
292 int appr_ioctl(data, cmd, mode, ctx)
302 mode = mode; /* LINT */
307 BCOPYIN(data, &ctl, sizeof(ctl));
310 if (ctl.apc_dsize > 0) {
311 KMALLOCS(ptr, caddr_t, ctl.apc_dsize);
315 error = copyinptr(ctl.apc_data, ptr,
326 error = appr_ctl(&ctl);
329 KFREES(ptr, ctl.apc_dsize);
341 * If a proxy has a match function, call that to do extended packet
344 int appr_match(fin, nat)
353 if (ipf_proxy_debug > 8)
354 printf("appr_match(%lx,%lx) aps %lx ptr %lx\n",
355 (u_long)fin, (u_long)nat, (u_long)nat->nat_aps,
358 if ((fin->fin_flx & (FI_SHORT|FI_BAD)) != 0) {
359 if (ipf_proxy_debug > 0)
360 printf("appr_match: flx 0x%x (BAD|SHORT)\n",
366 if ((apr == NULL) || (apr->apr_flags & APR_DELETE)) {
367 if (ipf_proxy_debug > 0)
368 printf("appr_match:apr %lx apr_flags 0x%x\n",
369 (u_long)apr, apr ? apr->apr_flags : 0);
373 if (apr->apr_match != NULL) {
374 result = (*apr->apr_match)(fin, nat->nat_aps, nat);
376 if (ipf_proxy_debug > 4)
377 printf("appr_match: result %d\n", result);
386 * Allocate a new application proxy structure and fill it in with the
387 * relevant details. call the init function once complete, prior to
390 int appr_new(fin, nat)
394 register ap_session_t *aps;
397 if (ipf_proxy_debug > 8)
398 printf("appr_new(%lx,%lx) \n", (u_long)fin, (u_long)nat);
400 if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL)) {
401 if (ipf_proxy_debug > 0)
402 printf("appr_new: nat_ptr %lx nat_aps %lx\n",
403 (u_long)nat->nat_ptr, (u_long)nat->nat_aps);
407 apr = nat->nat_ptr->in_apr;
409 if ((apr->apr_flags & APR_DELETE) ||
410 (fin->fin_p != apr->apr_p)) {
411 if (ipf_proxy_debug > 2)
412 printf("appr_new: apr_flags 0x%x p %d/%d\n",
413 apr->apr_flags, fin->fin_p, apr->apr_p);
417 KMALLOC(aps, ap_session_t *);
419 if (ipf_proxy_debug > 0)
420 printf("appr_new: malloc failed (%lu)\n",
421 (u_long)sizeof(ap_session_t));
425 bzero((char *)aps, sizeof(*aps));
426 aps->aps_p = fin->fin_p;
427 aps->aps_data = NULL;
430 if (apr->apr_new != NULL)
431 if ((*apr->apr_new)(fin, aps, nat) == -1) {
432 if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) {
433 KFREES(aps->aps_data, aps->aps_psiz);
436 if (ipf_proxy_debug > 2)
437 printf("appr_new: new(%lx) failed\n",
438 (u_long)apr->apr_new);
442 aps->aps_next = ap_sess_list;
451 * Check to see if a packet should be passed through an active proxy routine
452 * if one has been setup for it. We don't need to check the checksum here if
453 * IPFILTER_CKSUM is defined because if it is, a failed check causes FI_BAD
456 int appr_check(fin, nat)
460 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
461 # if defined(ICK_VALID)
466 tcphdr_t *tcp = NULL;
467 udphdr_t *udp = NULL;
473 #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi)
477 if (fin->fin_flx & FI_BAD) {
478 if (ipf_proxy_debug > 0)
479 printf("appr_check: flx 0x%x (BAD)\n", fin->fin_flx);
483 #ifndef IPFILTER_CKSUM
484 if ((fin->fin_out == 0) && (fr_checkl4sum(fin) == -1)) {
485 if (ipf_proxy_debug > 0)
486 printf("appr_check: l4 checksum failure %d\n",
488 if (fin->fin_p == IPPROTO_TCP)
489 frstats[fin->fin_out].fr_tcpbad++;
495 if ((aps != NULL) && (aps->aps_p == fin->fin_p)) {
497 * If there is data in this packet to be proxied then try and
498 * get it all into the one buffer, else drop it.
500 #if defined(MENTAT) || defined(HAVE_M_PULLDOWN)
501 if ((fin->fin_dlen > 0) && !(fin->fin_flx & FI_COALESCE))
502 if (fr_coalesce(fin) == -1) {
503 if (ipf_proxy_debug > 0)
504 printf("appr_check: fr_coalesce failed %x\n", fin->fin_flx);
513 tcp = (tcphdr_t *)fin->fin_dp;
515 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
517 if (dohwcksum && (m->b_ick_flag == ICK_VALID))
521 * Don't bother the proxy with these...or in fact,
522 * should we free up proxy stuff when seen?
524 if ((fin->fin_tcpf & TH_RST) != 0)
528 udp = (udphdr_t *)fin->fin_dp;
536 if (fin->fin_out != 0) {
537 if (apr->apr_outpkt != NULL)
538 err = (*apr->apr_outpkt)(fin, aps, nat);
540 if (apr->apr_inpkt != NULL)
541 err = (*apr->apr_inpkt)(fin, aps, nat);
545 if (((ipf_proxy_debug > 0) && (rv != 0)) ||
546 (ipf_proxy_debug > 8))
547 printf("appr_check: out %d err %x rv %d\n",
548 fin->fin_out, err, rv);
559 * If err != 0 then the data size of the packet has changed
560 * so we need to recalculate the header checksums for the
563 #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi)
565 short adjlen = err & 0xffff;
567 s1 = LONG_SUM(fin->fin_plen - adjlen);
568 s2 = LONG_SUM(fin->fin_plen);
569 CALC_SUMD(s1, s2, sd);
570 fix_outcksum(fin, &ip->ip_sum, sd);
575 * For TCP packets, we may need to adjust the sequence and
576 * acknowledgement numbers to reflect changes in size of the
579 * For both TCP and UDP, recalculate the layer 4 checksum,
580 * regardless, as we can't tell (here) if data has been
584 err = appr_fixseqack(fin, ip, aps, APR_INC(err));
585 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
587 tcp->th_sum = fr_cksum(fin->fin_qfm, ip,
591 tcp->th_sum = fr_cksum(fin->fin_m, ip,
595 } else if ((udp != NULL) && (udp->uh_sum != 0)) {
596 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
598 udp->uh_sum = fr_cksum(fin->fin_qfm, ip,
602 udp->uh_sum = fr_cksum(fin->fin_m, ip,
607 aps->aps_bytes += fin->fin_plen;
616 * Search for an proxy by the protocol it is being used with and its name.
618 aproxy_t *appr_lookup(pr, name)
624 if (ipf_proxy_debug > 8)
625 printf("appr_lookup(%d,%s)\n", pr, name);
627 for (ap = ap_proxies; ap->apr_p; ap++)
628 if ((ap->apr_p == pr) &&
629 !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
634 for (ap = ap_proxylist; ap; ap = ap->apr_next)
635 if ((ap->apr_p == pr) &&
636 !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
640 if (ipf_proxy_debug > 2)
641 printf("appr_lookup: failed for %d/%s\n", pr, name);
656 ap_session_t *a, **ap;
662 for (ap = &ap_sess_list; ((a = *ap) != NULL); ap = &a->aps_next)
669 if ((apr != NULL) && (apr->apr_del != NULL))
670 (*apr->apr_del)(aps);
672 if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
673 KFREES(aps->aps_data, aps->aps_psiz);
679 * returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise
681 static int appr_fixseqack(fin, ip, aps, inc)
687 int sel, ch = 0, out, nlen;
692 tcp = (tcphdr_t *)fin->fin_dp;
695 * fin->fin_plen has already been adjusted by 'inc'.
697 nlen = fin->fin_plen;
698 nlen -= (IP_HL(ip) << 2) + (TCP_OFF(tcp) << 2);
704 seq1 = (u_32_t)ntohl(tcp->th_seq);
705 sel = aps->aps_sel[out];
707 /* switch to other set ? */
708 if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
709 (seq1 > aps->aps_seqmin[!sel])) {
710 if (ipf_proxy_debug > 7)
711 printf("proxy out switch set seq %d -> %d %x > %x\n",
713 aps->aps_seqmin[!sel]);
714 sel = aps->aps_sel[out] = !sel;
717 if (aps->aps_seqoff[sel]) {
718 seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
720 seq2 = aps->aps_seqoff[sel];
722 tcp->th_seq = htonl(seq1);
727 if (inc && (seq1 > aps->aps_seqmin[!sel])) {
728 aps->aps_seqmin[sel] = seq1 + nlen - 1;
729 aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
730 if (ipf_proxy_debug > 7)
731 printf("proxy seq set %d at %x to %d + %d\n",
732 sel, aps->aps_seqmin[sel],
733 aps->aps_seqoff[sel], inc);
738 seq1 = ntohl(tcp->th_ack);
739 sel = aps->aps_sel[1 - out];
741 /* switch to other set ? */
742 if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
743 (seq1 > aps->aps_ackmin[!sel])) {
744 if (ipf_proxy_debug > 7)
745 printf("proxy out switch set ack %d -> %d %x > %x\n",
747 aps->aps_ackmin[!sel]);
748 sel = aps->aps_sel[1 - out] = !sel;
751 if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
752 seq2 = aps->aps_ackoff[sel];
753 tcp->th_ack = htonl(seq1 - seq2);
757 seq1 = ntohl(tcp->th_seq);
758 sel = aps->aps_sel[out];
760 /* switch to other set ? */
761 if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
762 (seq1 > aps->aps_ackmin[!sel])) {
763 if (ipf_proxy_debug > 7)
764 printf("proxy in switch set ack %d -> %d %x > %x\n",
765 sel, !sel, seq1, aps->aps_ackmin[!sel]);
766 sel = aps->aps_sel[out] = !sel;
769 if (aps->aps_ackoff[sel]) {
770 seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel];
772 seq2 = aps->aps_ackoff[sel];
774 tcp->th_seq = htonl(seq1);
779 if (inc && (seq1 > aps->aps_ackmin[!sel])) {
780 aps->aps_ackmin[!sel] = seq1 + nlen - 1;
781 aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
783 if (ipf_proxy_debug > 7)
784 printf("proxy ack set %d at %x to %d + %d\n",
785 !sel, aps->aps_seqmin[!sel],
786 aps->aps_seqoff[sel], inc);
791 seq1 = ntohl(tcp->th_ack);
792 sel = aps->aps_sel[1 - out];
794 /* switch to other set ? */
795 if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
796 (seq1 > aps->aps_seqmin[!sel])) {
797 if (ipf_proxy_debug > 7)
798 printf("proxy in switch set seq %d -> %d %x > %x\n",
799 sel, !sel, seq1, aps->aps_seqmin[!sel]);
800 sel = aps->aps_sel[1 - out] = !sel;
803 if (aps->aps_seqoff[sel] != 0) {
804 if (ipf_proxy_debug > 7)
805 printf("sel %d seqoff %d seq1 %x seqmin %x\n",
806 sel, aps->aps_seqoff[sel], seq1,
807 aps->aps_seqmin[sel]);
808 if (seq1 > aps->aps_seqmin[sel]) {
809 seq2 = aps->aps_seqoff[sel];
810 tcp->th_ack = htonl(seq1 - seq2);
816 if (ipf_proxy_debug > 8)
817 printf("appr_fixseqack: seq %x ack %x\n",
818 (u_32_t)ntohl(tcp->th_seq), (u_32_t)ntohl(tcp->th_ack));
824 * Initialise hook for kernel application proxies.
825 * Call the initialise routine for all the compiled in kernel proxies.
832 for (ap = ap_proxies; ap->apr_p; ap++) {
833 if (ap->apr_init != NULL) {
834 err = (*ap->apr_init)();
844 * Unload hook for kernel application proxies.
845 * Call the finialise routine for all the compiled in kernel proxies.
851 for (ap = ap_proxies; ap->apr_p; ap++)
852 if (ap->apr_fini != NULL)
854 for (ap = ap_proxylist; ap; ap = ap->apr_next)
855 if (ap->apr_fini != NULL)
projects / FreeBSD / FreeBSD.git / blob