4 * Copyright (C) 2012 by Darren Reed.
7 * See the IPFILTER.LICENCE file for details on licencing.
10 #if defined(KERNEL) || defined(_KERNEL)
17 #include <sys/param.h>
18 #include <sys/systm.h>
19 #include <sys/kernel.h>
20 #include <sys/module.h>
22 #include <sys/socket.h>
23 #include <sys/sysctl.h>
24 #include <sys/select.h>
26 # include <sys/selinfo.h>
27 # include <sys/jail.h>
29 # include <net/vnet.h>
31 # define CURVNET_SET(arg)
32 # define CURVNET_RESTORE()
33 # define VNET_DEFINE(_t, _v) _t _v
34 # define VNET_DECLARE(_t, _v) extern _t _v
35 # define VNET(arg) arg
39 #include <netinet/in_systm.h>
40 #include <netinet/in.h>
43 #include "netinet/ipl.h"
44 #include "netinet/ip_compat.h"
45 #include "netinet/ip_fil.h"
46 #include "netinet/ip_state.h"
47 #include "netinet/ip_nat.h"
48 #include "netinet/ip_auth.h"
49 #include "netinet/ip_frag.h"
50 #include "netinet/ip_sync.h"
52 VNET_DECLARE(ipf_main_softc_t, ipfmain);
53 #define V_ipfmain VNET(ipfmain)
56 static struct cdev *ipf_devs[IPL_LOGSIZE];
58 static dev_t ipf_devs[IPL_LOGSIZE];
61 static int sysctl_ipf_int ( SYSCTL_HANDLER_ARGS );
62 static int sysctl_ipf_int_nat ( SYSCTL_HANDLER_ARGS );
63 static int sysctl_ipf_int_state ( SYSCTL_HANDLER_ARGS );
64 static int sysctl_ipf_int_auth ( SYSCTL_HANDLER_ARGS );
65 static int sysctl_ipf_int_frag ( SYSCTL_HANDLER_ARGS );
66 static int ipf_modload(void);
67 static int ipf_modunload(void);
68 static int ipf_fbsd_sysctl_create(void);
69 static int ipf_fbsd_sysctl_destroy(void);
72 static int ipfopen(struct cdev*, int, int, struct thread *);
73 static int ipfclose(struct cdev*, int, int, struct thread *);
74 static int ipfread(struct cdev*, struct uio *, int);
75 static int ipfwrite(struct cdev*, struct uio *, int);
77 static int ipfopen(dev_t, int, int, struct proc *);
78 static int ipfclose(dev_t, int, int, struct proc *);
79 static int ipfread(dev_t, struct uio *, int);
80 static int ipfwrite(dev_t, struct uio *, int);
84 SYSCTL_DECL(_net_inet);
85 #define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \
86 SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|CTLFLAG_VNET|access, \
87 ptr, val, sysctl_ipf_int, "I", descr)
88 #define SYSCTL_DYN_IPF_NAT(parent, nbr, name, access,ptr, val, descr) \
89 SYSCTL_ADD_OID(&ipf_clist, SYSCTL_STATIC_CHILDREN(parent), nbr, name, \
90 CTLTYPE_INT|CTLFLAG_VNET|access, ptr, val, sysctl_ipf_int_nat, "I", descr)
91 #define SYSCTL_DYN_IPF_STATE(parent, nbr, name, access,ptr, val, descr) \
92 SYSCTL_ADD_OID(&ipf_clist, SYSCTL_STATIC_CHILDREN(parent), nbr, name, \
93 CTLTYPE_INT|CTLFLAG_VNET|access, ptr, val, sysctl_ipf_int_state, "I", descr)
94 #define SYSCTL_DYN_IPF_FRAG(parent, nbr, name, access,ptr, val, descr) \
95 SYSCTL_ADD_OID(&ipf_clist, SYSCTL_STATIC_CHILDREN(parent), nbr, name, \
96 CTLTYPE_INT|CTLFLAG_VNET|access, ptr, val, sysctl_ipf_int_frag, "I", descr)
97 #define SYSCTL_DYN_IPF_AUTH(parent, nbr, name, access,ptr, val, descr) \
98 SYSCTL_ADD_OID(&ipf_clist, SYSCTL_STATIC_CHILDREN(parent), nbr, name, \
99 CTLTYPE_INT|CTLFLAG_VNET|access, ptr, val, sysctl_ipf_int_auth, "I", descr)
100 static struct sysctl_ctx_list ipf_clist;
101 #define CTLFLAG_OFF 0x00800000 /* IPFilter must be disabled */
102 #define CTLFLAG_RWO (CTLFLAG_RW|CTLFLAG_OFF)
103 SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
104 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_flags), 0, "IPF flags");
105 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_pass), 0, "default pass/block");
106 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &VNET_NAME(ipfmain.ipf_active), 0, "IPF is active");
107 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO,
108 &VNET_NAME(ipfmain.ipf_tcpidletimeout), 0, "TCP idle timeout in seconds");
109 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO,
110 &VNET_NAME(ipfmain.ipf_tcphalfclosed), 0, "timeout for half closed TCP sessions");
111 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO,
112 &VNET_NAME(ipfmain.ipf_tcpclosewait), 0, "timeout for TCP sessions in closewait status");
113 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO,
114 &VNET_NAME(ipfmain.ipf_tcplastack), 0, "timeout for TCP sessions in last ack status");
115 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO,
116 &VNET_NAME(ipfmain.ipf_tcptimeout), 0, "");
117 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
118 &VNET_NAME(ipfmain.ipf_tcpclosed), 0, "");
119 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
120 &VNET_NAME(ipfmain.ipf_udptimeout), 0, "UDP timeout");
121 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RWO,
122 &VNET_NAME(ipfmain.ipf_udpacktimeout), 0, "");
123 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
124 &VNET_NAME(ipfmain.ipf_icmptimeout), 0, "ICMP timeout");
125 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
126 &VNET_NAME(ipfmain.ipf_running), 0, "IPF is running");
127 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_chksrc), 0, "");
128 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_minttl), 0, "");
130 #define CDEV_MAJOR 79
131 #include <sys/poll.h>
133 # include <sys/select.h>
134 static int ipfpoll(struct cdev *dev, int events, struct thread *td);
136 static struct cdevsw ipf_cdevsw = {
137 .d_version = D_VERSION,
138 .d_flags = 0, /* D_NEEDGIANT - Should be SMP safe */
148 static int ipfpoll(dev_t dev, int events, struct proc *td);
150 static struct cdevsw ipf_cdevsw = {
152 /* close */ ipfclose,
154 /* write */ ipfwrite,
155 /* ioctl */ ipfioctl,
158 /* strategy */ nostrategy,
160 /* maj */ CDEV_MAJOR,
167 static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME, IPAUTH_NAME,
168 IPSYNC_NAME, IPSCAN_NAME, IPLOOKUP_NAME, NULL };
171 ipfilter_modevent(module_t mod, int type, void *unused)
178 error = ipf_modload();
182 error = ipf_modunload();
198 if (ipf_create_all(&V_ipfmain) == NULL)
201 error = ipfattach(&V_ipfmain);
203 ipf_destroy_all(&V_ipfmain);
207 if (FR_ISPASS(V_ipfmain.ipf_pass))
209 else if (FR_ISBLOCK(V_ipfmain.ipf_pass))
212 defpass = "no-match -> block";
214 if (IS_DEFAULT_VNET(curvnet)) {
215 printf("%s initialized. Default = %s all, Logging = %s%s\n",
216 ipfilter_version, defpass,
222 #ifdef IPFILTER_COMPILED
229 (void)ipf_pfil_hook();
233 VNET_SYSINIT(vnet_ipf_init, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
234 vnet_ipf_init, NULL);
242 if (ipf_load_all() != 0)
245 if (ipf_fbsd_sysctl_create() != 0) {
249 for (i = 0; i < IPL_LOGSIZE; i++)
251 for (i = 0; (str = ipf_devfiles[i]); i++) {
253 for(j = strlen(str); j > 0; j--)
260 ipf_devs[i] = make_dev(&ipf_cdevsw, i, 0, 0, 0600, "%s", c);
263 error = ipf_pfil_hook();
272 vnet_ipf_uninit(void)
275 if (V_ipfmain.ipf_refcnt)
278 if (V_ipfmain.ipf_running >= 0) {
280 if (ipfdetach(&V_ipfmain) != 0)
283 V_ipfmain.ipf_running = -2;
285 ipf_destroy_all(&V_ipfmain);
286 if (!IS_DEFAULT_VNET(curvnet)) {
288 (void)ipf_pfil_unhook();
292 VNET_SYSUNINIT(vnet_ipf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
293 vnet_ipf_uninit, NULL);
302 ipf_fbsd_sysctl_destroy();
304 error = ipf_pfil_unhook();
308 for (i = 0; ipf_devfiles[i]; i++) {
309 if (ipf_devs[i] != NULL)
310 destroy_dev(ipf_devs[i]);
315 printf("%s unloaded\n", ipfilter_version);
321 static moduledata_t ipfiltermod = {
328 DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND);
329 #ifdef MODULE_VERSION
330 MODULE_VERSION(ipfilter, 1);
336 sysctl_ipf_int ( SYSCTL_HANDLER_ARGS )
341 error = SYSCTL_OUT(req, arg1, sizeof(int));
343 error = SYSCTL_OUT(req, &arg2, sizeof(int));
345 if (error || !req->newptr)
351 if ((oidp->oid_kind & CTLFLAG_OFF) && (V_ipfmain.ipf_running > 0))
354 error = SYSCTL_IN(req, arg1, sizeof(int));
360 * In the VIMAGE case kern_sysctl.c already adds the vnet base address given
361 * we set CTLFLAG_VNET to get proper access checks. Have to undo this.
362 * Then we add the given offset to the specific malloced struct hanging off
363 * virtualized ipmain struct.
366 sysctl_ipf_int_nat ( SYSCTL_HANDLER_ARGS )
370 ipf_nat_softc_t *nat_softc;
372 nat_softc = V_ipfmain.ipf_nat_soft;
374 arg1 = (void *)((uintptr_t)arg1 - curvnet->vnet_data_base);
376 arg1 = (void *)((uintptr_t)nat_softc + (uintptr_t)arg1);
379 return (sysctl_ipf_int(oidp, arg1, arg2, req));
383 sysctl_ipf_int_state ( SYSCTL_HANDLER_ARGS )
387 ipf_state_softc_t *state_softc;
389 state_softc = V_ipfmain.ipf_state_soft;
391 arg1 = (void *)((uintptr_t)arg1 - curvnet->vnet_data_base);
393 arg1 = (void *)((uintptr_t)state_softc + (uintptr_t)arg1);
396 return (sysctl_ipf_int(oidp, arg1, arg2, req));
400 sysctl_ipf_int_auth ( SYSCTL_HANDLER_ARGS )
404 ipf_auth_softc_t *auth_softc;
406 auth_softc = V_ipfmain.ipf_auth_soft;
408 arg1 = (void *)((uintptr_t)arg1 - curvnet->vnet_data_base);
410 arg1 = (void *)((uintptr_t)auth_softc + (uintptr_t)arg1);
413 return (sysctl_ipf_int(oidp, arg1, arg2, req));
417 sysctl_ipf_int_frag ( SYSCTL_HANDLER_ARGS )
421 ipf_frag_softc_t *frag_softc;
423 frag_softc = V_ipfmain.ipf_frag_soft;
425 arg1 = (void *)((uintptr_t)arg1 - curvnet->vnet_data_base);
427 arg1 = (void *)((uintptr_t)frag_softc + (uintptr_t)arg1);
430 return (sysctl_ipf_int(oidp, arg1, arg2, req));
437 ipfpoll(struct cdev *dev, int events, struct thread *td)
439 ipfpoll(dev_t dev, int events, struct proc *td)
442 int unit = GET_MINOR(dev);
445 if (unit < 0 || unit > IPL_LOGMAX)
450 CURVNET_SET(TD_TO_VNET(td));
457 if ((events & (POLLIN | POLLRDNORM)) && ipf_log_canread(&V_ipfmain, unit))
458 revents |= events & (POLLIN | POLLRDNORM);
462 if ((events & (POLLIN | POLLRDNORM)) && ipf_auth_waiting(&V_ipfmain))
463 revents |= events & (POLLIN | POLLRDNORM);
466 if ((events & (POLLIN | POLLRDNORM)) && ipf_sync_canread(&V_ipfmain))
467 revents |= events & (POLLIN | POLLRDNORM);
468 if ((events & (POLLOUT | POLLWRNORM)) && ipf_sync_canwrite(&V_ipfmain))
469 revents |= events & (POLLOUT | POLLWRNORM);
477 if ((revents == 0) && ((events & (POLLIN|POLLRDNORM)) != 0))
478 selrecord(td, &V_ipfmain.ipf_selwait[unit]);
486 * routines below for saving IP headers to buffer
488 static int ipfopen(dev, flags
500 int unit = GET_MINOR(dev);
503 if (IPL_LOGMAX < unit)
528 static int ipfclose(dev, flags
540 int unit = GET_MINOR(dev);
542 if (IPL_LOGMAX < unit)
551 * both of these must operate with at least splnet() lest they be
552 * called during packet processing and cause an inconsistancy to appear in
555 static int ipfread(dev, uio, ioflag)
565 int unit = GET_MINOR(dev);
570 CURVNET_SET(TD_TO_VNET(curthread));
571 if (V_ipfmain.ipf_running < 1) {
576 if (unit == IPL_LOGSYNC) {
577 error = ipf_sync_read(&V_ipfmain, uio);
583 error = ipf_log_read(&V_ipfmain, unit, uio);
594 * both of these must operate with at least splnet() lest they be
595 * called during packet processing and cause an inconsistancy to appear in
598 static int ipfwrite(dev, uio, ioflag)
609 CURVNET_SET(TD_TO_VNET(curthread));
610 if (V_ipfmain.ipf_running < 1) {
615 if (GET_MINOR(dev) == IPL_LOGSYNC) {
616 error = ipf_sync_write(&V_ipfmain, uio);
624 ipf_fbsd_sysctl_create(void)
627 sysctl_ctx_init(&ipf_clist);
629 SYSCTL_DYN_IPF_NAT(_net_inet_ipf, OID_AUTO, "fr_defnatage", CTLFLAG_RWO,
630 (void *)offsetof(ipf_nat_softc_t, ipf_nat_defage), 0, "");
631 SYSCTL_DYN_IPF_STATE(_net_inet_ipf, OID_AUTO, "fr_statesize", CTLFLAG_RWO,
632 (void *)offsetof(ipf_state_softc_t, ipf_state_size), 0, "");
633 SYSCTL_DYN_IPF_STATE(_net_inet_ipf, OID_AUTO, "fr_statemax", CTLFLAG_RWO,
634 (void *)offsetof(ipf_state_softc_t, ipf_state_max), 0, "");
635 SYSCTL_DYN_IPF_NAT(_net_inet_ipf, OID_AUTO, "ipf_nattable_max", CTLFLAG_RWO,
636 (void *)offsetof(ipf_nat_softc_t, ipf_nat_table_max), 0, "");
637 SYSCTL_DYN_IPF_NAT(_net_inet_ipf, OID_AUTO, "ipf_nattable_sz", CTLFLAG_RWO,
638 (void *)offsetof(ipf_nat_softc_t, ipf_nat_table_sz), 0, "");
639 SYSCTL_DYN_IPF_NAT(_net_inet_ipf, OID_AUTO, "ipf_natrules_sz", CTLFLAG_RWO,
640 (void *)offsetof(ipf_nat_softc_t, ipf_nat_maprules_sz), 0, "");
641 SYSCTL_DYN_IPF_NAT(_net_inet_ipf, OID_AUTO, "ipf_rdrrules_sz", CTLFLAG_RWO,
642 (void *)offsetof(ipf_nat_softc_t, ipf_nat_rdrrules_sz), 0, "");
643 SYSCTL_DYN_IPF_NAT(_net_inet_ipf, OID_AUTO, "ipf_hostmap_sz", CTLFLAG_RWO,
644 (void *)offsetof(ipf_nat_softc_t, ipf_nat_hostmap_sz), 0, "");
645 SYSCTL_DYN_IPF_AUTH(_net_inet_ipf, OID_AUTO, "fr_authsize", CTLFLAG_RWO,
646 (void *)offsetof(ipf_auth_softc_t, ipf_auth_size), 0, "");
647 SYSCTL_DYN_IPF_AUTH(_net_inet_ipf, OID_AUTO, "fr_authused", CTLFLAG_RD,
648 (void *)offsetof(ipf_auth_softc_t, ipf_auth_used), 0, "");
649 SYSCTL_DYN_IPF_AUTH(_net_inet_ipf, OID_AUTO, "fr_defaultauthage", CTLFLAG_RW,
650 (void *)offsetof(ipf_auth_softc_t, ipf_auth_defaultage), 0, "");
651 SYSCTL_DYN_IPF_FRAG(_net_inet_ipf, OID_AUTO, "fr_ipfrttl", CTLFLAG_RW,
652 (void *)offsetof(ipf_frag_softc_t, ipfr_ttl), 0, "");
657 ipf_fbsd_sysctl_destroy(void)
659 if (sysctl_ctx_free(&ipf_clist)) {
660 printf("sysctl_ctx_free failed");