4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
9 static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
10 static const char rcsid[] = "@(#)$Id$";
13 #if defined(KERNEL) || defined(_KERNEL)
19 #if defined(__FreeBSD__) && \
20 !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
21 # include "opt_inet6.h"
23 #include <sys/param.h>
24 #include <sys/eventhandler.h>
26 #include <sys/errno.h>
27 #include <sys/types.h>
29 #include <sys/fcntl.h>
30 #include <sys/filio.h>
32 #include <sys/systm.h>
33 #include <sys/dirent.h>
34 #if defined(__FreeBSD__)
35 # include <sys/jail.h>
37 #include <sys/malloc.h>
39 #include <sys/sockopt.h>
40 #include <sys/socket.h>
41 #include <sys/selinfo.h>
43 #include <net/if_var.h>
44 #include <net/netisr.h>
45 #include <net/route.h>
46 #include <net/route/nhop.h>
47 #include <netinet/in.h>
48 #include <netinet/in_fib.h>
49 #include <netinet/in_pcb.h>
50 #include <netinet/in_var.h>
51 #include <netinet/in_systm.h>
52 #include <netinet/ip.h>
53 #include <netinet/ip_var.h>
54 #include <netinet/tcp.h>
55 #include <netinet/tcp_var.h>
57 #include <netinet/udp.h>
58 #include <netinet/tcpip.h>
59 #include <netinet/ip_icmp.h>
60 #include "netinet/ip_compat.h"
62 # include <netinet/icmp6.h>
64 #include "netinet/ip_fil.h"
65 #include "netinet/ip_nat.h"
66 #include "netinet/ip_frag.h"
67 #include "netinet/ip_state.h"
68 #include "netinet/ip_proxy.h"
69 #include "netinet/ip_auth.h"
70 #include "netinet/ip_sync.h"
71 #include "netinet/ip_lookup.h"
72 #include "netinet/ip_dstlist.h"
74 # include "netinet/ip_scan.h"
76 #include "netinet/ip_pool.h"
77 #include <sys/malloc.h>
78 #include <sys/kernel.h>
79 #ifdef CSUM_DATA_VALID
80 # include <machine/in_cksum.h>
82 extern int ip_optcopy(struct ip *, struct ip *);
84 #ifdef IPFILTER_M_IPFILTER
85 MALLOC_DEFINE(M_IPFILTER, "ipfilter", "IP Filter packet filter data structures");
89 static int ipf_send_ip(fr_info_t *, mb_t *);
90 static void ipf_timer_func(void *arg);
92 VNET_DEFINE(ipf_main_softc_t, ipfmain) = {
95 #define V_ipfmain VNET(ipfmain)
100 VNET_DEFINE_STATIC(eventhandler_tag, ipf_arrivetag);
101 VNET_DEFINE_STATIC(eventhandler_tag, ipf_departtag);
102 #define V_ipf_arrivetag VNET(ipf_arrivetag)
103 #define V_ipf_departtag VNET(ipf_departtag)
106 * Disable the "cloner" event handler; we are getting interface
107 * events before the firewall is fully initiallized and also no vnet
108 * information thus leading to uninitialised memory accesses.
109 * In addition it is unclear why we need it in first place.
110 * If it turns out to be needed, well need a dedicated event handler
111 * for it to deal with the ifc and the correct vnet.
113 VNET_DEFINE_STATIC(eventhandler_tag, ipf_clonetag);
114 #define V_ipf_clonetag VNET(ipf_clonetag)
117 static void ipf_ifevent(void *arg, struct ifnet *ifp);
119 static void ipf_ifevent(void *arg, struct ifnet *ifp)
122 CURVNET_SET(ifp->if_vnet);
123 if (V_ipfmain.ipf_running > 0)
124 ipf_sync(&V_ipfmain, NULL);
131 ipf_check_wrapper(struct mbuf **mp, struct ifnet *ifp, int flags,
132 void *ruleset __unused, struct inpcb *inp)
134 struct ip *ip = mtod(*mp, struct ip *);
137 CURVNET_SET(ifp->if_vnet);
138 rv = ipf_check(&V_ipfmain, ip, ip->ip_hl << 2, ifp,
139 !!(flags & PFIL_OUT), mp);
141 return (rv == 0 ? PFIL_PASS : PFIL_DROPPED);
146 ipf_check_wrapper6(struct mbuf **mp, struct ifnet *ifp, int flags,
147 void *ruleset __unused, struct inpcb *inp)
151 CURVNET_SET(ifp->if_vnet);
152 rv = ipf_check(&V_ipfmain, mtod(*mp, struct ip *),
153 sizeof(struct ip6_hdr), ifp, !!(flags & PFIL_OUT), mp);
156 return (rv == 0 ? PFIL_PASS : PFIL_DROPPED);
159 #if defined(IPFILTER_LKM)
160 int ipf_identify(char *s)
162 if (strcmp(s, "ipl") == 0)
166 #endif /* IPFILTER_LKM */
170 ipf_timer_func(void *arg)
172 ipf_main_softc_t *softc = arg;
176 READ_ENTER(&softc->ipf_global);
178 if (softc->ipf_running > 0)
179 ipf_slowtimer(softc);
181 if (softc->ipf_running == -1 || softc->ipf_running == 1) {
183 softc->ipf_slow_ch = timeout(ipf_timer_func, softc, hz/2);
185 callout_init(&softc->ipf_slow_ch, 1);
186 callout_reset(&softc->ipf_slow_ch,
187 (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT,
188 ipf_timer_func, softc);
190 RWLOCK_EXIT(&softc->ipf_global);
196 ipfattach(ipf_main_softc_t *softc)
203 if (softc->ipf_running > 0) {
208 if (ipf_init_all(softc) < 0) {
214 bzero((char *)V_ipfmain.ipf_selwait, sizeof(V_ipfmain.ipf_selwait));
215 softc->ipf_running = 1;
217 if (softc->ipf_control_forwarding & 1)
222 softc->ipf_slow_ch = timeout(ipf_timer_func, softc,
223 (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
225 callout_init(&softc->ipf_slow_ch, 1);
226 callout_reset(&softc->ipf_slow_ch, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT,
227 ipf_timer_func, softc);
233 * Disable the filter by removing the hooks from the IP input/output
237 ipfdetach(ipf_main_softc_t *softc)
243 if (softc->ipf_control_forwarding & 2)
249 if (softc->ipf_slow_ch.callout != NULL)
250 untimeout(ipf_timer_func, softc, softc->ipf_slow_ch);
251 bzero(&softc->ipf_slow, sizeof(softc->ipf_slow));
253 callout_drain(&softc->ipf_slow_ch);
257 softc->ipf_running = -2;
266 * Filter ioctl interface.
269 ipfioctl(struct cdev *dev, ioctlcmd_t cmd, caddr_t data,
270 int mode, struct thread *p)
271 #define p_cred td_ucred
272 #define p_uid td_ucred->cr_ruid
274 int error = 0, unit = 0;
277 CURVNET_SET(TD_TO_VNET(p));
278 if (securelevel_ge(p->p_cred, 3) && (mode & FWRITE))
280 V_ipfmain.ipf_interror = 130001;
285 if (jailed_without_vnet(p->p_cred)) {
286 V_ipfmain.ipf_interror = 130018;
291 unit = GET_MINOR(dev);
292 if ((IPL_LOGMAX < unit) || (unit < 0)) {
293 V_ipfmain.ipf_interror = 130002;
298 if (V_ipfmain.ipf_running <= 0) {
299 if (unit != IPL_LOGIPF && cmd != SIOCIPFINTERROR) {
300 V_ipfmain.ipf_interror = 130003;
304 if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET &&
305 cmd != SIOCIPFSET && cmd != SIOCFRENB &&
306 cmd != SIOCGETFS && cmd != SIOCGETFF &&
307 cmd != SIOCIPFINTERROR) {
308 V_ipfmain.ipf_interror = 130004;
316 error = ipf_ioctlswitch(&V_ipfmain, unit, data, cmd, mode, p->p_uid, p);
330 * ipf_send_reset - this could conceivably be a call to tcp_respond(), but that
331 * requires a large amount of setting up and isn't any more efficient.
334 ipf_send_reset(fr_info_t *fin)
336 struct tcphdr *tcp, *tcp2;
345 if (tcp->th_flags & TH_RST)
346 return (-1); /* feedback loop */
348 if (ipf_checkl4sum(fin) == -1)
351 tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
352 ((tcp->th_flags & TH_SYN) ? 1 : 0) +
353 ((tcp->th_flags & TH_FIN) ? 1 : 0);
356 hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
361 MGETHDR(m, M_NOWAIT, MT_HEADER);
363 MGET(m, M_NOWAIT, MT_HEADER);
367 if (sizeof(*tcp2) + hlen > MLEN) {
368 if (!(MCLGET(m, M_NOWAIT))) {
374 m->m_len = sizeof(*tcp2) + hlen;
375 m->m_data += max_linkhdr;
376 m->m_pkthdr.len = m->m_len;
377 m->m_pkthdr.rcvif = (struct ifnet *)0;
378 ip = mtod(m, struct ip *);
379 bzero((char *)ip, hlen);
383 tcp2 = (struct tcphdr *)((char *)ip + hlen);
384 tcp2->th_sport = tcp->th_dport;
385 tcp2->th_dport = tcp->th_sport;
387 if (tcp->th_flags & TH_ACK) {
388 tcp2->th_seq = tcp->th_ack;
389 tcp2->th_flags = TH_RST;
393 tcp2->th_ack = ntohl(tcp->th_seq);
394 tcp2->th_ack += tlen;
395 tcp2->th_ack = htonl(tcp2->th_ack);
396 tcp2->th_flags = TH_RST|TH_ACK;
399 TCP_OFF_A(tcp2, sizeof(*tcp2) >> 2);
400 tcp2->th_win = tcp->th_win;
405 if (fin->fin_v == 6) {
406 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
407 ip6->ip6_plen = htons(sizeof(struct tcphdr));
408 ip6->ip6_nxt = IPPROTO_TCP;
410 ip6->ip6_src = fin->fin_dst6.in6;
411 ip6->ip6_dst = fin->fin_src6.in6;
412 tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
413 sizeof(*ip6), sizeof(*tcp2));
414 return (ipf_send_ip(fin, m));
417 ip->ip_p = IPPROTO_TCP;
418 ip->ip_len = htons(sizeof(struct tcphdr));
419 ip->ip_src.s_addr = fin->fin_daddr;
420 ip->ip_dst.s_addr = fin->fin_saddr;
421 tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
422 ip->ip_len = htons(hlen + sizeof(*tcp2));
423 return (ipf_send_ip(fin, m));
428 * ip_len must be in network byte order when called.
431 ipf_send_ip(fr_info_t *fin, mb_t *m)
437 ip = mtod(m, ip_t *);
438 bzero((char *)&fnew, sizeof(fnew));
439 fnew.fin_main_soft = fin->fin_main_soft;
441 IP_V_A(ip, fin->fin_v);
448 fnew.fin_p = ip->ip_p;
449 fnew.fin_plen = ntohs(ip->ip_len);
450 IP_HL_A(ip, sizeof(*oip) >> 2);
451 ip->ip_tos = oip->ip_tos;
452 ip->ip_id = fin->fin_ip->ip_id;
453 ip->ip_off = htons(V_path_mtu_discovery ? IP_DF : 0);
454 ip->ip_ttl = V_ip_defttl;
460 ip6_t *ip6 = (ip6_t *)ip;
463 ip6->ip6_hlim = IPDEFTTL;
466 fnew.fin_p = ip6->ip6_nxt;
468 fnew.fin_plen = ntohs(ip6->ip6_plen) + hlen;
476 m->m_pkthdr.rcvif = NULL;
479 fnew.fin_ifp = fin->fin_ifp;
480 fnew.fin_flx = FI_NOCKSUM;
484 fnew.fin_hlen = hlen;
485 fnew.fin_dp = (char *)ip + hlen;
486 (void) ipf_makefrip(hlen, ip, &fnew);
488 return (ipf_fastroute(m, &m, &fnew, NULL));
493 ipf_send_icmp_err(int type, fr_info_t *fin, int dst)
495 int err, hlen, xtra, iclen, ohlen, avail, code;
506 if ((type < 0) || (type >= ICMP_MAXTYPE))
509 code = fin->fin_icode;
511 /* See NetBSD ip_fil_netbsd.c r1.4: */
512 if ((code < 0) || (code >= sizeof(icmptoicmp6unreach)/sizeof(int)))
516 if (ipf_checkl4sum(fin) == -1)
519 MGETHDR(m, M_NOWAIT, MT_HEADER);
521 MGET(m, M_NOWAIT, MT_HEADER);
532 if (fin->fin_v == 4) {
533 if ((fin->fin_p == IPPROTO_ICMP) && !(fin->fin_flx & FI_SHORT))
534 switch (ntohs(fin->fin_data[0]) >> 8)
547 if (ipf_ifpaddr(&V_ipfmain, 4, FRI_NORMAL, ifp,
548 &dst6, NULL) == -1) {
554 dst4.s_addr = fin->fin_daddr;
557 ohlen = fin->fin_hlen;
558 iclen = hlen + offsetof(struct icmp, icmp_ip) + ohlen;
559 if (fin->fin_hlen < fin->fin_plen)
560 xtra = MIN(fin->fin_dlen, 8);
566 else if (fin->fin_v == 6) {
567 hlen = sizeof(ip6_t);
568 ohlen = sizeof(ip6_t);
569 iclen = hlen + offsetof(struct icmp, icmp_ip) + ohlen;
570 type = icmptoicmp6types[type];
571 if (type == ICMP6_DST_UNREACH)
572 code = icmptoicmp6unreach[code];
574 if (iclen + max_linkhdr + fin->fin_plen > avail) {
575 if (!(MCLGET(m, M_NOWAIT))) {
581 xtra = MIN(fin->fin_plen, avail - iclen - max_linkhdr);
582 xtra = MIN(xtra, IPV6_MMTU - iclen);
584 if (ipf_ifpaddr(&V_ipfmain, 6, FRI_NORMAL, ifp,
585 &dst6, NULL) == -1) {
590 dst6 = fin->fin_dst6;
598 avail -= (max_linkhdr + iclen);
606 m->m_data += max_linkhdr;
607 m->m_pkthdr.rcvif = (struct ifnet *)0;
608 m->m_pkthdr.len = iclen;
610 ip = mtod(m, ip_t *);
611 icmp = (struct icmp *)((char *)ip + hlen);
612 ip2 = (ip_t *)&icmp->icmp_ip;
614 icmp->icmp_type = type;
615 icmp->icmp_code = fin->fin_icode;
616 icmp->icmp_cksum = 0;
618 if (type == ICMP_UNREACH && fin->fin_icode == ICMP_UNREACH_NEEDFRAG) {
619 if (fin->fin_mtu != 0) {
620 icmp->icmp_nextmtu = htons(fin->fin_mtu);
622 } else if (ifp != NULL) {
623 icmp->icmp_nextmtu = htons(GETIFMTU_4(ifp));
625 } else { /* make up a number... */
626 icmp->icmp_nextmtu = htons(fin->fin_plen - 20);
631 bcopy((char *)fin->fin_ip, (char *)ip2, ohlen);
635 if (fin->fin_v == 6) {
636 ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
637 ip6->ip6_plen = htons(iclen - hlen);
638 ip6->ip6_nxt = IPPROTO_ICMPV6;
640 ip6->ip6_src = dst6.in6;
641 ip6->ip6_dst = fin->fin_src6.in6;
643 bcopy((char *)fin->fin_ip + ohlen,
644 (char *)&icmp->icmp_ip + ohlen, xtra);
645 icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
646 sizeof(*ip6), iclen - hlen);
650 ip->ip_p = IPPROTO_ICMP;
651 ip->ip_src.s_addr = dst4.s_addr;
652 ip->ip_dst.s_addr = fin->fin_saddr;
655 bcopy((char *)fin->fin_ip + ohlen,
656 (char *)&icmp->icmp_ip + ohlen, xtra);
657 icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
659 ip->ip_len = htons(iclen);
660 ip->ip_p = IPPROTO_ICMP;
662 err = ipf_send_ip(fin, m);
670 * m0 - pointer to mbuf where the IP packet starts
671 * mpp - pointer to the mbuf pointer that is the start of the mbuf chain
674 ipf_fastroute(mb_t *m0, mb_t **mpp, fr_info_t *fin, frdest_t *fdp)
676 register struct ip *ip, *mhip;
677 register struct mbuf *m = *mpp;
678 int len, off, error = 0, hlen, code;
679 struct ifnet *ifp, *sifp;
681 struct sockaddr_in *dst;
682 const struct sockaddr *gw;
683 struct nhop_object *nh;
693 * If the mbuf we're about to send is not writable (because of
694 * a cluster reference, for example) we'll need to make a copy
695 * of it since this routine modifies the contents.
697 * If you have non-crappy network hardware that can transmit data
698 * from the mbuf, rather than making a copy, this is gonna be a
701 if (M_WRITABLE(m) == 0) {
702 m0 = m_dup(m, M_NOWAIT);
716 if (fin->fin_v == 6) {
718 * currently "to <if>" and "to <if>:ip#" are not supported
721 return (ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL));
725 hlen = fin->fin_hlen;
726 ip = mtod(m0, struct ip *);
732 bzero(&ro, sizeof (ro));
733 dst = (struct sockaddr_in *)&ro.ro_dst;
734 dst->sin_family = AF_INET;
735 dst->sin_addr = ip->ip_dst;
736 dst->sin_len = sizeof(dst);
737 gw = (const struct sockaddr *)dst;
740 if ((fr != NULL) && !(fr->fr_flags & FR_KEEPSTATE) && (fdp != NULL) &&
741 (fdp->fd_type == FRD_DSTLIST)) {
742 if (ipf_dstlist_select_node(fin, fdp->fd_ptr, NULL, &node) == 0)
751 if ((ifp == NULL) && ((fr == NULL) || !(fr->fr_flags & FR_FASTROUTE))) {
756 if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
757 dst->sin_addr = fdp->fd_ip;
759 fibnum = M_GETFIB(m0);
761 nh = fib4_lookup(fibnum, dst->sin_addr, 0, NHR_NONE, 0);
763 if (in_localaddr(ip->ip_dst))
764 error = EHOSTUNREACH;
772 if (nh->nh_flags & NHF_GATEWAY) {
774 ro.ro_flags |= RT_HAS_GW;
778 * For input packets which are being "fastrouted", they won't
779 * go back through output filtering and miss their chance to get
780 * NAT'd and counted. Duplicated packets aren't considered to be
781 * part of the normal packet stream, so do not NAT them or pass
782 * them through stateful checking, etc.
784 if ((fdp != &fr->fr_dif) && (fin->fin_out == 0)) {
788 (void) ipf_acctpkt(fin, NULL);
790 if (!fr || !(fr->fr_flags & FR_RETMASK)) {
793 (void) ipf_state_check(fin, &pass);
796 switch (ipf_nat_checkout(fin, NULL))
814 * If small enough for interface, can just send directly.
816 if (ntohs(ip->ip_len) <= ifp->if_mtu) {
818 ip->ip_sum = in_cksum(m, hlen);
819 error = (*ifp->if_output)(ifp, m, gw, &ro);
823 * Too large for interface; fragment if possible.
824 * Must be able to put at least 8 bytes per fragment.
826 ip_off = ntohs(ip->ip_off);
827 if (ip_off & IP_DF) {
831 len = (ifp->if_mtu - hlen) &~ 7;
838 int mhlen, firstlen = len;
839 struct mbuf **mnext = &m->m_act;
842 * Loop through length of segment after first fragment,
843 * make new header and copy data of each part and link onto chain.
846 mhlen = sizeof (struct ip);
847 for (off = hlen + len; off < ntohs(ip->ip_len); off += len) {
849 MGETHDR(m, M_NOWAIT, MT_HEADER);
851 MGET(m, M_NOWAIT, MT_HEADER);
858 m->m_data += max_linkhdr;
859 mhip = mtod(m, struct ip *);
860 bcopy((char *)ip, (char *)mhip, sizeof(*ip));
861 if (hlen > sizeof (struct ip)) {
862 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
863 IP_HL_A(mhip, mhlen >> 2);
866 mhip->ip_off = ((off - hlen) >> 3) + ip_off;
867 if (off + len >= ntohs(ip->ip_len))
868 len = ntohs(ip->ip_len) - off;
870 mhip->ip_off |= IP_MF;
871 mhip->ip_len = htons((u_short)(len + mhlen));
873 m->m_next = m_copym(m0, off, len, M_NOWAIT);
874 if (m->m_next == 0) {
875 error = ENOBUFS; /* ??? */
878 m->m_pkthdr.len = mhlen + len;
879 m->m_pkthdr.rcvif = NULL;
880 mhip->ip_off = htons((u_short)mhip->ip_off);
882 mhip->ip_sum = in_cksum(m, mhlen);
886 * Update first fragment by trimming what's been copied out
887 * and updating header, then send each fragment (in order).
889 m_adj(m0, hlen + firstlen - ip->ip_len);
890 ip->ip_len = htons((u_short)(hlen + firstlen));
891 ip->ip_off = htons((u_short)IP_MF);
893 ip->ip_sum = in_cksum(m0, hlen);
895 for (m = m0; m; m = m0) {
899 error = (*ifp->if_output)(ifp, m, gw, &ro);
906 V_ipfmain.ipf_frouteok[0]++;
908 V_ipfmain.ipf_frouteok[1]++;
912 if (error == EMSGSIZE) {
914 code = fin->fin_icode;
915 fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
917 (void) ipf_send_icmp_err(ICMP_UNREACH, fin, 1);
919 fin->fin_icode = code;
927 ipf_verifysrc(fr_info_t *fin)
929 struct nhop_object *nh;
932 nh = fib4_lookup(RT_DEFAULT_FIB, fin->fin_src, 0, NHR_NONE, 0);
935 return (fin->fin_ifp == nh->nh_ifp);
940 * return the first IP Address associated with an interface
943 ipf_ifpaddr(ipf_main_softc_t *softc, int v, int atype, void *ifptr,
944 i6addr_t *inp, i6addr_t *inpmask)
947 struct in6_addr *ia6 = NULL;
949 struct sockaddr *sock, *mask;
950 struct sockaddr_in *sin;
954 if ((ifptr == NULL) || (ifptr == (void *)-1))
964 bzero((char *)inp, sizeof(*inp));
966 ifa = CK_STAILQ_FIRST(&ifp->if_addrhead);
968 sock = ifa->ifa_addr;
969 while (sock != NULL && ifa != NULL) {
970 sin = (struct sockaddr_in *)sock;
971 if ((v == 4) && (sin->sin_family == AF_INET))
974 if ((v == 6) && (sin->sin_family == AF_INET6)) {
975 ia6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
976 if (!IN6_IS_ADDR_LINKLOCAL(ia6) &&
977 !IN6_IS_ADDR_LOOPBACK(ia6))
981 ifa = CK_STAILQ_NEXT(ifa, ifa_link);
983 sock = ifa->ifa_addr;
986 if (ifa == NULL || sin == NULL)
989 mask = ifa->ifa_netmask;
990 if (atype == FRI_BROADCAST)
991 sock = ifa->ifa_broadaddr;
992 else if (atype == FRI_PEERADDR)
993 sock = ifa->ifa_dstaddr;
1000 return (ipf_ifpfillv6addr(atype, (struct sockaddr_in6 *)sock,
1001 (struct sockaddr_in6 *)mask,
1005 return (ipf_ifpfillv4addr(atype, (struct sockaddr_in *)sock,
1006 (struct sockaddr_in *)mask,
1007 &inp->in4, &inpmask->in4));
1012 ipf_newisn(fr_info_t *fin)
1015 newiss = arc4random();
1021 ipf_checkv4sum(fr_info_t *fin)
1023 #ifdef CSUM_DATA_VALID
1029 if ((fin->fin_flx & FI_NOCKSUM) != 0)
1032 if ((fin->fin_flx & FI_SHORT) != 0)
1035 if (fin->fin_cksum != FI_CK_NEEDED)
1036 return (fin->fin_cksum > FI_CK_NEEDED) ? 0 : -1;
1045 if ((m->m_pkthdr.csum_flags & (CSUM_IP_CHECKED|CSUM_IP_VALID)) ==
1047 fin->fin_cksum = FI_CK_BAD;
1048 fin->fin_flx |= FI_BAD;
1049 DT2(ipf_fi_bad_checkv4sum_csum_ip_checked, fr_info_t *, fin, u_int, m->m_pkthdr.csum_flags & (CSUM_IP_CHECKED|CSUM_IP_VALID));
1052 if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
1053 /* Depending on the driver, UDP may have zero checksum */
1054 if (fin->fin_p == IPPROTO_UDP && (fin->fin_flx &
1055 (FI_FRAG|FI_SHORT|FI_BAD)) == 0) {
1056 udphdr_t *udp = fin->fin_dp;
1057 if (udp->uh_sum == 0) {
1059 * we're good no matter what the hardware
1060 * checksum flags and csum_data say (handling
1061 * of csum_data for zero UDP checksum is not
1062 * consistent across all drivers)
1069 if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
1070 sum = m->m_pkthdr.csum_data;
1072 sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
1073 htonl(m->m_pkthdr.csum_data +
1074 fin->fin_dlen + fin->fin_p));
1077 fin->fin_cksum = FI_CK_BAD;
1078 fin->fin_flx |= FI_BAD;
1079 DT2(ipf_fi_bad_checkv4sum_sum, fr_info_t *, fin, u_int, sum);
1081 fin->fin_cksum = FI_CK_SUMOK;
1085 if (m->m_pkthdr.csum_flags == CSUM_DELAY_DATA) {
1086 fin->fin_cksum = FI_CK_L4FULL;
1088 } else if (m->m_pkthdr.csum_flags == CSUM_TCP ||
1089 m->m_pkthdr.csum_flags == CSUM_UDP ||
1090 m->m_pkthdr.csum_flags == CSUM_IP) {
1091 fin->fin_cksum = FI_CK_L4PART;
1099 if (ipf_checkl4sum(fin) == -1) {
1100 fin->fin_flx |= FI_BAD;
1101 DT2(ipf_fi_bad_checkv4sum_manual, fr_info_t *, fin, u_int, manual);
1106 if (ipf_checkl4sum(fin) == -1) {
1107 fin->fin_flx |= FI_BAD;
1108 DT2(ipf_fi_bad_checkv4sum_checkl4sum, fr_info_t *, fin, u_int, -1);
1118 ipf_checkv6sum(fr_info_t *fin)
1120 if ((fin->fin_flx & FI_NOCKSUM) != 0) {
1121 DT(ipf_checkv6sum_fi_nocksum);
1125 if ((fin->fin_flx & FI_SHORT) != 0) {
1126 DT(ipf_checkv6sum_fi_short);
1130 if (fin->fin_cksum != FI_CK_NEEDED) {
1131 DT(ipf_checkv6sum_fi_ck_needed);
1132 return (fin->fin_cksum > FI_CK_NEEDED) ? 0 : -1;
1135 if (ipf_checkl4sum(fin) == -1) {
1136 fin->fin_flx |= FI_BAD;
1137 DT2(ipf_fi_bad_checkv6sum_checkl4sum, fr_info_t *, fin, u_int, -1);
1142 #endif /* USE_INET6 */
1146 mbufchainlen(struct mbuf *m0)
1150 if ((m0->m_flags & M_PKTHDR) != 0) {
1151 len = m0->m_pkthdr.len;
1155 for (m = m0, len = 0; m != NULL; m = m->m_next)
1162 /* ------------------------------------------------------------------------ */
1163 /* Function: ipf_pullup */
1164 /* Returns: NULL == pullup failed, else pointer to protocol header */
1165 /* Parameters: xmin(I)- pointer to buffer where data packet starts */
1166 /* fin(I) - pointer to packet information */
1167 /* len(I) - number of bytes to pullup */
1169 /* Attempt to move at least len bytes (from the start of the buffer) into a */
1170 /* single buffer for ease of access. Operating system native functions are */
1171 /* used to manage buffers - if necessary. If the entire packet ends up in */
1172 /* a single buffer, set the FI_COALESCE flag even though ipf_coalesce() has */
1173 /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */
1174 /* and ONLY if the pullup succeeds. */
1176 /* We assume that 'xmin' is a pointer to a buffer that is part of the chain */
1177 /* of buffers that starts at *fin->fin_mp. */
1178 /* ------------------------------------------------------------------------ */
1180 ipf_pullup(mb_t *xmin, fr_info_t *fin, int len)
1190 if ((fin->fin_flx & FI_COALESCE) != 0)
1193 ipoff = fin->fin_ipoff;
1194 if (fin->fin_dp != NULL)
1195 dpoff = (char *)fin->fin_dp - (char *)ip;
1199 if (M_LEN(m) < len) {
1200 mb_t *n = *fin->fin_mp;
1202 * Assume that M_PKTHDR is set and just work with what is left
1203 * rather than check..
1204 * Should not make any real difference, anyway.
1208 * Record the mbuf that points to the mbuf that we're
1209 * about to go to work on so that we can update the
1210 * m_next appropriately later.
1212 for (; n->m_next != m; n = n->m_next)
1224 #ifdef HAVE_M_PULLDOWN
1225 if (m_pulldown(m, 0, len, NULL) == NULL)
1228 FREE_MB_T(*fin->fin_mp);
1235 m = m_pullup(m, len);
1241 * When n is non-NULL, it indicates that m pointed to
1242 * a sub-chain (tail) of the mbuf and that the head
1243 * of this chain has not yet been free'd.
1246 FREE_MB_T(*fin->fin_mp);
1249 *fin->fin_mp = NULL;
1257 while (M_LEN(m) == 0) {
1261 ip = MTOD(m, ip_t *) + ipoff;
1264 if (fin->fin_dp != NULL)
1265 fin->fin_dp = (char *)fin->fin_ip + dpoff;
1266 if (fin->fin_fraghdr != NULL)
1267 fin->fin_fraghdr = (char *)ip +
1268 ((char *)fin->fin_fraghdr -
1269 (char *)fin->fin_ip);
1272 if (len == fin->fin_plen)
1273 fin->fin_flx |= FI_COALESCE;
1279 ipf_inject(fr_info_t *fin, mb_t *m)
1281 struct epoch_tracker et;
1284 NET_EPOCH_ENTER(et);
1285 if (fin->fin_out == 0) {
1286 netisr_dispatch(NETISR_IP, m);
1288 fin->fin_ip->ip_len = ntohs(fin->fin_ip->ip_len);
1289 fin->fin_ip->ip_off = ntohs(fin->fin_ip->ip_off);
1290 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
1297 VNET_DEFINE_STATIC(pfil_hook_t, ipf_inet_hook);
1298 VNET_DEFINE_STATIC(pfil_hook_t, ipf_inet6_hook);
1299 #define V_ipf_inet_hook VNET(ipf_inet_hook)
1300 #define V_ipf_inet6_hook VNET(ipf_inet6_hook)
1302 int ipf_pfil_unhook(void) {
1304 pfil_remove_hook(V_ipf_inet_hook);
1307 pfil_remove_hook(V_ipf_inet6_hook);
1313 int ipf_pfil_hook(void) {
1316 struct pfil_hook_args pha = {
1317 .pa_version = PFIL_VERSION,
1318 .pa_flags = PFIL_IN | PFIL_OUT,
1319 .pa_modname = "ipfilter",
1320 .pa_rulname = "default-ip4",
1321 .pa_mbuf_chk = ipf_check_wrapper,
1322 .pa_type = PFIL_TYPE_IP4,
1324 V_ipf_inet_hook = pfil_add_hook(&pha);
1327 pha.pa_rulname = "default-ip6";
1328 pha.pa_mbuf_chk = ipf_check_wrapper6;
1329 pha.pa_type = PFIL_TYPE_IP6;
1330 V_ipf_inet6_hook = pfil_add_hook(&pha);
1333 struct pfil_link_args pla = {
1334 .pa_version = PFIL_VERSION,
1335 .pa_flags = PFIL_IN | PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR,
1336 .pa_head = V_inet_pfil_head,
1337 .pa_hook = V_ipf_inet_hook,
1339 error = pfil_link(&pla);
1343 pla.pa_head = V_inet6_pfil_head;
1344 pla.pa_hook = V_ipf_inet6_hook;
1345 error6 = pfil_link(&pla);
1348 if (error || error6)
1359 V_ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
1360 ipf_ifevent, NULL, \
1361 EVENTHANDLER_PRI_ANY);
1362 V_ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
1363 ipf_ifevent, NULL, \
1364 EVENTHANDLER_PRI_ANY);
1366 V_ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
1367 NULL, EVENTHANDLER_PRI_ANY);
1372 ipf_event_dereg(void)
1374 if (V_ipf_arrivetag != NULL) {
1375 EVENTHANDLER_DEREGISTER(ifnet_arrival_event, V_ipf_arrivetag);
1377 if (V_ipf_departtag != NULL) {
1378 EVENTHANDLER_DEREGISTER(ifnet_departure_event, V_ipf_departtag);
1381 if (V_ipf_clonetag != NULL) {
1382 EVENTHANDLER_DEREGISTER(if_clone_event, V_ipf_clonetag);
1391 return (arc4random());
1396 ipf_pcksum(fr_info_t *fin, int hlen, u_int sum)
1403 off = (char *)fin->fin_dp - (char *)fin->fin_ip;
1406 sum2 = in_cksum(fin->fin_m, fin->fin_plen - off);
1411 * Both sum and sum2 are partial sums, so combine them together.
1413 sum += ~sum2 & 0xffff;
1414 while (sum > 0xffff)
1415 sum = (sum & 0xffff) + (sum >> 16);
1416 sum2 = ~sum & 0xffff;
1422 ipf_pcksum6(struct mbuf *m, ip6_t *ip6, u_int32_t off, u_int32_t len)
1427 if (m->m_len < sizeof(struct ip6_hdr)) {
1431 sum = in6_cksum(m, ip6->ip6_nxt, off, len);
1437 sp = (u_short *)&ip6->ip6_src;
1438 sum = *sp++; /* ip6_src */
1446 sum += *sp++; /* ip6_dst */
1454 return (ipf_pcksum(fin, off, sum));
1460 ipf_fbsd_kenv_get(ipf_main_softc_t *softc)
1462 TUNABLE_INT_FETCH("net.inet.ipf.large_nat",
1463 &softc->ipf_large_nat);