2 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD$");
30 * The FreeBSD IP packet firewall, main file
34 #include "opt_ipdivert.h"
37 #error "IPFIREWALL requires INET"
39 #include "opt_inet6.h"
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/condvar.h>
44 #include <sys/counter.h>
45 #include <sys/eventhandler.h>
46 #include <sys/malloc.h>
48 #include <sys/kernel.h>
51 #include <sys/module.h>
54 #include <sys/rwlock.h>
55 #include <sys/rmlock.h>
56 #include <sys/socket.h>
57 #include <sys/socketvar.h>
58 #include <sys/sysctl.h>
59 #include <sys/syslog.h>
60 #include <sys/ucred.h>
61 #include <net/ethernet.h> /* for ETHERTYPE_IP */
63 #include <net/if_var.h>
64 #include <net/route.h>
68 #include <netpfil/pf/pf_mtag.h>
70 #include <netinet/in.h>
71 #include <netinet/in_var.h>
72 #include <netinet/in_pcb.h>
73 #include <netinet/ip.h>
74 #include <netinet/ip_var.h>
75 #include <netinet/ip_icmp.h>
76 #include <netinet/ip_fw.h>
77 #include <netinet/ip_carp.h>
78 #include <netinet/pim.h>
79 #include <netinet/tcp_var.h>
80 #include <netinet/udp.h>
81 #include <netinet/udp_var.h>
82 #include <netinet/sctp.h>
84 #include <netinet/ip6.h>
85 #include <netinet/icmp6.h>
86 #include <netinet/in_fib.h>
88 #include <netinet6/in6_fib.h>
89 #include <netinet6/in6_pcb.h>
90 #include <netinet6/scope6_var.h>
91 #include <netinet6/ip6_var.h>
94 #include <net/if_gre.h> /* for struct grehdr */
96 #include <netpfil/ipfw/ip_fw_private.h>
98 #include <machine/in_cksum.h> /* XXX for in_cksum */
101 #include <security/mac/mac_framework.h>
105 * static variables followed by global ones.
106 * All ipfw global variables are here.
109 static VNET_DEFINE(int, fw_deny_unknown_exthdrs);
110 #define V_fw_deny_unknown_exthdrs VNET(fw_deny_unknown_exthdrs)
112 static VNET_DEFINE(int, fw_permit_single_frag6) = 1;
113 #define V_fw_permit_single_frag6 VNET(fw_permit_single_frag6)
115 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
116 static int default_to_accept = 1;
118 static int default_to_accept;
121 VNET_DEFINE(int, autoinc_step);
122 VNET_DEFINE(int, fw_one_pass) = 1;
124 VNET_DEFINE(unsigned int, fw_tables_max);
125 VNET_DEFINE(unsigned int, fw_tables_sets) = 0; /* Don't use set-aware tables */
126 /* Use 128 tables by default */
127 static unsigned int default_fw_tables = IPFW_TABLES_DEFAULT;
129 #ifndef LINEAR_SKIPTO
130 static int jump_fast(struct ip_fw_chain *chain, struct ip_fw *f, int num,
131 int tablearg, int jump_backwards);
132 #define JUMP(ch, f, num, targ, back) jump_fast(ch, f, num, targ, back)
134 static int jump_linear(struct ip_fw_chain *chain, struct ip_fw *f, int num,
135 int tablearg, int jump_backwards);
136 #define JUMP(ch, f, num, targ, back) jump_linear(ch, f, num, targ, back)
140 * Each rule belongs to one of 32 different sets (0..31).
141 * The variable set_disable contains one bit per set.
142 * If the bit is set, all rules in the corresponding set
143 * are disabled. Set RESVD_SET(31) is reserved for the default rule
144 * and rules that are not deleted by the flush command,
145 * and CANNOT be disabled.
146 * Rules in set RESVD_SET can only be deleted individually.
148 VNET_DEFINE(u_int32_t, set_disable);
149 #define V_set_disable VNET(set_disable)
151 VNET_DEFINE(int, fw_verbose);
152 /* counter for ipfw_log(NULL...) */
153 VNET_DEFINE(u_int64_t, norule_counter);
154 VNET_DEFINE(int, verbose_limit);
156 /* layer3_chain contains the list of rules for layer 3 */
157 VNET_DEFINE(struct ip_fw_chain, layer3_chain);
159 /* ipfw_vnet_ready controls when we are open for business */
160 VNET_DEFINE(int, ipfw_vnet_ready) = 0;
162 VNET_DEFINE(int, ipfw_nat_ready) = 0;
164 ipfw_nat_t *ipfw_nat_ptr = NULL;
165 struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int);
166 ipfw_nat_cfg_t *ipfw_nat_cfg_ptr;
167 ipfw_nat_cfg_t *ipfw_nat_del_ptr;
168 ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr;
169 ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
172 uint32_t dummy_def = IPFW_DEFAULT_RULE;
173 static int sysctl_ipfw_table_num(SYSCTL_HANDLER_ARGS);
174 static int sysctl_ipfw_tables_sets(SYSCTL_HANDLER_ARGS);
178 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
179 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, one_pass,
180 CTLFLAG_VNET | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_one_pass), 0,
181 "Only do a single pass through ipfw when using dummynet(4)");
182 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step,
183 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(autoinc_step), 0,
184 "Rule number auto-increment step");
185 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose,
186 CTLFLAG_VNET | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_verbose), 0,
187 "Log matches to ipfw rules");
188 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit,
189 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(verbose_limit), 0,
190 "Set upper limit of matches of ipfw rules logged");
191 SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, default_rule, CTLFLAG_RD,
193 "The default/max possible rule number.");
194 SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, tables_max,
195 CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW, 0, 0, sysctl_ipfw_table_num, "IU",
196 "Maximum number of concurrently used tables");
197 SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, tables_sets,
198 CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW,
199 0, 0, sysctl_ipfw_tables_sets, "IU",
200 "Use per-set namespace for tables");
201 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, default_to_accept, CTLFLAG_RDTUN,
202 &default_to_accept, 0,
203 "Make the default rule accept all packets.");
204 TUNABLE_INT("net.inet.ip.fw.tables_max", (int *)&default_fw_tables);
205 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count,
206 CTLFLAG_VNET | CTLFLAG_RD, &VNET_NAME(layer3_chain.n_rules), 0,
207 "Number of static rules");
210 SYSCTL_DECL(_net_inet6_ip6);
211 SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
212 SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs,
213 CTLFLAG_VNET | CTLFLAG_RW | CTLFLAG_SECURE,
214 &VNET_NAME(fw_deny_unknown_exthdrs), 0,
215 "Deny packets with unknown IPv6 Extension Headers");
216 SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, permit_single_frag6,
217 CTLFLAG_VNET | CTLFLAG_RW | CTLFLAG_SECURE,
218 &VNET_NAME(fw_permit_single_frag6), 0,
219 "Permit single packet IPv6 fragments");
224 #endif /* SYSCTL_NODE */
228 * Some macros used in the various matching options.
229 * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T
230 * Other macros just cast void * into the appropriate type
232 #define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl))
233 #define TCP(p) ((struct tcphdr *)(p))
234 #define SCTP(p) ((struct sctphdr *)(p))
235 #define UDP(p) ((struct udphdr *)(p))
236 #define ICMP(p) ((struct icmphdr *)(p))
237 #define ICMP6(p) ((struct icmp6_hdr *)(p))
240 icmptype_match(struct icmphdr *icmp, ipfw_insn_u32 *cmd)
242 int type = icmp->icmp_type;
244 return (type <= ICMP_MAXTYPE && (cmd->d[0] & (1<<type)) );
247 #define TT ( (1 << ICMP_ECHO) | (1 << ICMP_ROUTERSOLICIT) | \
248 (1 << ICMP_TSTAMP) | (1 << ICMP_IREQ) | (1 << ICMP_MASKREQ) )
251 is_icmp_query(struct icmphdr *icmp)
253 int type = icmp->icmp_type;
255 return (type <= ICMP_MAXTYPE && (TT & (1<<type)) );
260 * The following checks use two arrays of 8 or 16 bits to store the
261 * bits that we want set or clear, respectively. They are in the
262 * low and high half of cmd->arg1 or cmd->d[0].
264 * We scan options and store the bits we find set. We succeed if
266 * (want_set & ~bits) == 0 && (want_clear & ~bits) == want_clear
268 * The code is sometimes optimized not to store additional variables.
272 flags_match(ipfw_insn *cmd, u_int8_t bits)
277 if ( ((cmd->arg1 & 0xff) & bits) != 0)
278 return 0; /* some bits we want set were clear */
279 want_clear = (cmd->arg1 >> 8) & 0xff;
280 if ( (want_clear & bits) != want_clear)
281 return 0; /* some bits we want clear were set */
286 ipopts_match(struct ip *ip, ipfw_insn *cmd)
288 int optlen, bits = 0;
289 u_char *cp = (u_char *)(ip + 1);
290 int x = (ip->ip_hl << 2) - sizeof (struct ip);
292 for (; x > 0; x -= optlen, cp += optlen) {
293 int opt = cp[IPOPT_OPTVAL];
295 if (opt == IPOPT_EOL)
297 if (opt == IPOPT_NOP)
300 optlen = cp[IPOPT_OLEN];
301 if (optlen <= 0 || optlen > x)
302 return 0; /* invalid or truncated */
310 bits |= IP_FW_IPOPT_LSRR;
314 bits |= IP_FW_IPOPT_SSRR;
318 bits |= IP_FW_IPOPT_RR;
322 bits |= IP_FW_IPOPT_TS;
326 return (flags_match(cmd, bits));
330 tcpopts_match(struct tcphdr *tcp, ipfw_insn *cmd)
332 int optlen, bits = 0;
333 u_char *cp = (u_char *)(tcp + 1);
334 int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
336 for (; x > 0; x -= optlen, cp += optlen) {
338 if (opt == TCPOPT_EOL)
340 if (opt == TCPOPT_NOP)
354 bits |= IP_FW_TCPOPT_MSS;
358 bits |= IP_FW_TCPOPT_WINDOW;
361 case TCPOPT_SACK_PERMITTED:
363 bits |= IP_FW_TCPOPT_SACK;
366 case TCPOPT_TIMESTAMP:
367 bits |= IP_FW_TCPOPT_TS;
372 return (flags_match(cmd, bits));
376 iface_match(struct ifnet *ifp, ipfw_insn_if *cmd, struct ip_fw_chain *chain,
380 if (ifp == NULL) /* no iface with this packet, match fails */
383 /* Check by name or by IP address */
384 if (cmd->name[0] != '\0') { /* match by name */
385 if (cmd->name[0] == '\1') /* use tablearg to match */
386 return ipfw_lookup_table(chain, cmd->p.kidx, 0,
387 &ifp->if_index, tablearg);
390 if (fnmatch(cmd->name, ifp->if_xname, 0) == 0)
393 if (strncmp(ifp->if_xname, cmd->name, IFNAMSIZ) == 0)
397 #if !defined(USERSPACE) && defined(__FreeBSD__) /* and OSX too ? */
401 TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
402 if (ia->ifa_addr->sa_family != AF_INET)
404 if (cmd->p.ip.s_addr == ((struct sockaddr_in *)
405 (ia->ifa_addr))->sin_addr.s_addr) {
406 if_addr_runlock(ifp);
407 return(1); /* match */
410 if_addr_runlock(ifp);
411 #endif /* __FreeBSD__ */
413 return(0); /* no match, fail ... */
417 * The verify_path function checks if a route to the src exists and
418 * if it is reachable via ifp (when provided).
420 * The 'verrevpath' option checks that the interface that an IP packet
421 * arrives on is the same interface that traffic destined for the
422 * packet's source address would be routed out of.
423 * The 'versrcreach' option just checks that the source address is
424 * reachable via any route (except default) in the routing table.
425 * These two are a measure to block forged packets. This is also
426 * commonly known as "anti-spoofing" or Unicast Reverse Path
427 * Forwarding (Unicast RFP) in Cisco-ese. The name of the knobs
428 * is purposely reminiscent of the Cisco IOS command,
430 * ip verify unicast reverse-path
431 * ip verify unicast source reachable-via any
433 * which implements the same functionality. But note that the syntax
434 * is misleading, and the check may be performed on all IP packets
435 * whether unicast, multicast, or broadcast.
438 verify_path(struct in_addr src, struct ifnet *ifp, u_int fib)
440 #if defined(USERSPACE) || !defined(__FreeBSD__)
443 struct nhop4_basic nh4;
445 if (fib4_lookup_nh_basic(fib, src, NHR_IFAIF, 0, &nh4) != 0)
449 * If ifp is provided, check for equality with rtentry.
450 * We should use rt->rt_ifa->ifa_ifp, instead of rt->rt_ifp,
451 * in order to pass packets injected back by if_simloop():
452 * routing entry (via lo0) for our own address
453 * may exist, so we need to handle routing assymetry.
455 if (ifp != NULL && ifp != nh4.nh_ifp)
458 /* if no ifp provided, check if rtentry is not default route */
459 if (ifp == NULL && (nh4.nh_flags & NHF_DEFAULT) != 0)
462 /* or if this is a blackhole/reject route */
463 if (ifp == NULL && (nh4.nh_flags & (NHF_REJECT|NHF_BLACKHOLE)) != 0)
466 /* found valid route */
468 #endif /* __FreeBSD__ */
473 * ipv6 specific rules here...
476 icmp6type_match (int type, ipfw_insn_u32 *cmd)
478 return (type <= ICMP6_MAXTYPE && (cmd->d[type/32] & (1<<(type%32)) ) );
482 flow6id_match( int curr_flow, ipfw_insn_u32 *cmd )
485 for (i=0; i <= cmd->o.arg1; ++i )
486 if (curr_flow == cmd->d[i] )
491 /* support for IP6_*_ME opcodes */
492 static const struct in6_addr lla_mask = {{{
493 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
494 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
498 ipfw_localip6(struct in6_addr *in6)
500 struct rm_priotracker in6_ifa_tracker;
501 struct in6_ifaddr *ia;
503 if (IN6_IS_ADDR_MULTICAST(in6))
506 if (!IN6_IS_ADDR_LINKLOCAL(in6))
507 return (in6_localip(in6));
509 IN6_IFADDR_RLOCK(&in6_ifa_tracker);
510 TAILQ_FOREACH(ia, &V_in6_ifaddrhead, ia_link) {
511 if (!IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr))
513 if (IN6_ARE_MASKED_ADDR_EQUAL(&ia->ia_addr.sin6_addr,
515 IN6_IFADDR_RUNLOCK(&in6_ifa_tracker);
519 IN6_IFADDR_RUNLOCK(&in6_ifa_tracker);
524 verify_path6(struct in6_addr *src, struct ifnet *ifp, u_int fib)
526 struct nhop6_basic nh6;
528 if (IN6_IS_SCOPE_LINKLOCAL(src))
531 if (fib6_lookup_nh_basic(fib, src, 0, NHR_IFAIF, 0, &nh6) != 0)
534 /* If ifp is provided, check for equality with route table. */
535 if (ifp != NULL && ifp != nh6.nh_ifp)
538 /* if no ifp provided, check if rtentry is not default route */
539 if (ifp == NULL && (nh6.nh_flags & NHF_DEFAULT) != 0)
542 /* or if this is a blackhole/reject route */
543 if (ifp == NULL && (nh6.nh_flags & (NHF_REJECT|NHF_BLACKHOLE)) != 0)
546 /* found valid route */
551 is_icmp6_query(int icmp6_type)
553 if ((icmp6_type <= ICMP6_MAXTYPE) &&
554 (icmp6_type == ICMP6_ECHO_REQUEST ||
555 icmp6_type == ICMP6_MEMBERSHIP_QUERY ||
556 icmp6_type == ICMP6_WRUREQUEST ||
557 icmp6_type == ICMP6_FQDN_QUERY ||
558 icmp6_type == ICMP6_NI_QUERY))
565 send_reject6(struct ip_fw_args *args, int code, u_int hlen, struct ip6_hdr *ip6)
570 if (code == ICMP6_UNREACH_RST && args->f_id.proto == IPPROTO_TCP) {
572 tcp = (struct tcphdr *)((char *)ip6 + hlen);
574 if ((tcp->th_flags & TH_RST) == 0) {
576 m0 = ipfw_send_pkt(args->m, &(args->f_id),
577 ntohl(tcp->th_seq), ntohl(tcp->th_ack),
578 tcp->th_flags | TH_RST);
580 ip6_output(m0, NULL, NULL, 0, NULL, NULL,
584 } else if (code != ICMP6_UNREACH_RST) { /* Send an ICMPv6 unreach. */
587 * Unlike above, the mbufs need to line up with the ip6 hdr,
588 * as the contents are read. We need to m_adj() the
590 * The mbuf will however be thrown away so we can adjust it.
591 * Remember we did an m_pullup on it already so we
592 * can make some assumptions about contiguousness.
595 m_adj(m, args->L3offset);
597 icmp6_error(m, ICMP6_DST_UNREACH, code, 0);
608 * sends a reject message, consuming the mbuf passed as an argument.
611 send_reject(struct ip_fw_args *args, int code, int iplen, struct ip *ip)
615 /* XXX When ip is not guaranteed to be at mtod() we will
616 * need to account for this */
617 * The mbuf will however be thrown away so we can adjust it.
618 * Remember we did an m_pullup on it already so we
619 * can make some assumptions about contiguousness.
622 m_adj(m, args->L3offset);
624 if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */
625 icmp_error(args->m, ICMP_UNREACH, code, 0L, 0);
626 } else if (args->f_id.proto == IPPROTO_TCP) {
627 struct tcphdr *const tcp =
628 L3HDR(struct tcphdr, mtod(args->m, struct ip *));
629 if ( (tcp->th_flags & TH_RST) == 0) {
631 m = ipfw_send_pkt(args->m, &(args->f_id),
632 ntohl(tcp->th_seq), ntohl(tcp->th_ack),
633 tcp->th_flags | TH_RST);
635 ip_output(m, NULL, NULL, 0, NULL, NULL);
644 * Support for uid/gid/jail lookup. These tests are expensive
645 * (because we may need to look into the list of active sockets)
646 * so we cache the results. ugid_lookupp is 0 if we have not
647 * yet done a lookup, 1 if we succeeded, and -1 if we tried
648 * and failed. The function always returns the match value.
649 * We could actually spare the variable and use *uc, setting
650 * it to '(void *)check_uidgid if we have no info, NULL if
651 * we tried and failed, or any other value if successful.
654 check_uidgid(ipfw_insn_u32 *insn, struct ip_fw_args *args, int *ugid_lookupp,
657 #if defined(USERSPACE)
658 return 0; // not supported in userspace
662 return cred_check(insn, proto, oif,
663 dst_ip, dst_port, src_ip, src_port,
664 (struct bsd_ucred *)uc, ugid_lookupp, ((struct mbuf *)inp)->m_skb);
666 struct in_addr src_ip, dst_ip;
667 struct inpcbinfo *pi;
668 struct ipfw_flow_id *id;
669 struct inpcb *pcb, *inp;
679 * Check to see if the UDP or TCP stack supplied us with
680 * the PCB. If so, rather then holding a lock and looking
681 * up the PCB, we can use the one that was supplied.
683 if (inp && *ugid_lookupp == 0) {
684 INP_LOCK_ASSERT(inp);
685 if (inp->inp_socket != NULL) {
686 *uc = crhold(inp->inp_cred);
692 * If we have already been here and the packet has no
693 * PCB entry associated with it, then we can safely
694 * assume that this is a no match.
696 if (*ugid_lookupp == -1)
698 if (id->proto == IPPROTO_TCP) {
701 } else if (id->proto == IPPROTO_UDP) {
702 lookupflags = INPLOOKUP_WILDCARD;
706 lookupflags |= INPLOOKUP_RLOCKPCB;
708 if (*ugid_lookupp == 0) {
709 if (id->addr_type == 6) {
712 pcb = in6_pcblookup_mbuf(pi,
713 &id->src_ip6, htons(id->src_port),
714 &id->dst_ip6, htons(id->dst_port),
715 lookupflags, oif, args->m);
717 pcb = in6_pcblookup_mbuf(pi,
718 &id->dst_ip6, htons(id->dst_port),
719 &id->src_ip6, htons(id->src_port),
720 lookupflags, oif, args->m);
726 src_ip.s_addr = htonl(id->src_ip);
727 dst_ip.s_addr = htonl(id->dst_ip);
729 pcb = in_pcblookup_mbuf(pi,
730 src_ip, htons(id->src_port),
731 dst_ip, htons(id->dst_port),
732 lookupflags, oif, args->m);
734 pcb = in_pcblookup_mbuf(pi,
735 dst_ip, htons(id->dst_port),
736 src_ip, htons(id->src_port),
737 lookupflags, oif, args->m);
740 INP_RLOCK_ASSERT(pcb);
741 *uc = crhold(pcb->inp_cred);
745 if (*ugid_lookupp == 0) {
747 * We tried and failed, set the variable to -1
748 * so we will not try again on this packet.
754 if (insn->o.opcode == O_UID)
755 match = ((*uc)->cr_uid == (uid_t)insn->d[0]);
756 else if (insn->o.opcode == O_GID)
757 match = groupmember((gid_t)insn->d[0], *uc);
758 else if (insn->o.opcode == O_JAIL)
759 match = ((*uc)->cr_prison->pr_id == (int)insn->d[0]);
761 #endif /* __FreeBSD__ */
762 #endif /* not supported in userspace */
766 * Helper function to set args with info on the rule after the matching
767 * one. slot is precise, whereas we guess rule_id as they are
768 * assigned sequentially.
771 set_match(struct ip_fw_args *args, int slot,
772 struct ip_fw_chain *chain)
774 args->rule.chain_id = chain->id;
775 args->rule.slot = slot + 1; /* we use 0 as a marker */
776 args->rule.rule_id = 1 + chain->map[slot]->id;
777 args->rule.rulenum = chain->map[slot]->rulenum;
780 #ifndef LINEAR_SKIPTO
782 * Helper function to enable cached rule lookups using
783 * cached_id and cached_pos fields in ipfw rule.
786 jump_fast(struct ip_fw_chain *chain, struct ip_fw *f, int num,
787 int tablearg, int jump_backwards)
791 /* If possible use cached f_pos (in f->cached_pos),
792 * whose version is written in f->cached_id
793 * (horrible hacks to avoid changing the ABI).
795 if (num != IP_FW_TARG && f->cached_id == chain->id)
796 f_pos = f->cached_pos;
798 int i = IP_FW_ARG_TABLEARG(chain, num, skipto);
799 /* make sure we do not jump backward */
800 if (jump_backwards == 0 && i <= f->rulenum)
802 if (chain->idxmap != NULL)
803 f_pos = chain->idxmap[i];
805 f_pos = ipfw_find_rule(chain, i, 0);
806 /* update the cache */
807 if (num != IP_FW_TARG) {
808 f->cached_id = chain->id;
809 f->cached_pos = f_pos;
817 * Helper function to enable real fast rule lookups.
820 jump_linear(struct ip_fw_chain *chain, struct ip_fw *f, int num,
821 int tablearg, int jump_backwards)
825 num = IP_FW_ARG_TABLEARG(chain, num, skipto);
826 /* make sure we do not jump backward */
827 if (jump_backwards == 0 && num <= f->rulenum)
828 num = f->rulenum + 1;
829 f_pos = chain->idxmap[num];
835 #define TARG(k, f) IP_FW_ARG_TABLEARG(chain, k, f)
837 * The main check routine for the firewall.
839 * All arguments are in args so we can modify them and return them
840 * back to the caller.
844 * args->m (in/out) The packet; we set to NULL when/if we nuke it.
845 * Starts with the IP header.
846 * args->eh (in) Mac header if present, NULL for layer3 packet.
847 * args->L3offset Number of bytes bypassed if we came from L2.
848 * e.g. often sizeof(eh) ** NOTYET **
849 * args->oif Outgoing interface, NULL if packet is incoming.
850 * The incoming interface is in the mbuf. (in)
851 * args->divert_rule (in/out)
852 * Skip up to the first rule past this rule number;
853 * upon return, non-zero port number for divert or tee.
855 * args->rule Pointer to the last matching rule (in/out)
856 * args->next_hop Socket we are forwarding to (out).
857 * args->next_hop6 IPv6 next hop we are forwarding to (out).
858 * args->f_id Addresses grabbed from the packet (out)
859 * args->rule.info a cookie depending on rule action
863 * IP_FW_PASS the packet must be accepted
864 * IP_FW_DENY the packet must be dropped
865 * IP_FW_DIVERT divert packet, port in m_tag
866 * IP_FW_TEE tee packet, port in m_tag
867 * IP_FW_DUMMYNET to dummynet, pipe in args->cookie
868 * IP_FW_NETGRAPH into netgraph, cookie args->cookie
869 * args->rule contains the matching rule,
870 * args->rule.info has additional information.
874 ipfw_chk(struct ip_fw_args *args)
878 * Local variables holding state while processing a packet:
880 * IMPORTANT NOTE: to speed up the processing of rules, there
881 * are some assumption on the values of the variables, which
882 * are documented here. Should you change them, please check
883 * the implementation of the various instructions to make sure
884 * that they still work.
886 * args->eh The MAC header. It is non-null for a layer2
887 * packet, it is NULL for a layer-3 packet.
889 * args->L3offset Offset in the packet to the L3 (IP or equiv.) header.
891 * m | args->m Pointer to the mbuf, as received from the caller.
892 * It may change if ipfw_chk() does an m_pullup, or if it
893 * consumes the packet because it calls send_reject().
894 * XXX This has to change, so that ipfw_chk() never modifies
895 * or consumes the buffer.
896 * ip is the beginning of the ip(4 or 6) header.
897 * Calculated by adding the L3offset to the start of data.
898 * (Until we start using L3offset, the packet is
899 * supposed to start with the ip header).
901 struct mbuf *m = args->m;
902 struct ip *ip = mtod(m, struct ip *);
905 * For rules which contain uid/gid or jail constraints, cache
906 * a copy of the users credentials after the pcb lookup has been
907 * executed. This will speed up the processing of rules with
908 * these types of constraints, as well as decrease contention
909 * on pcb related locks.
912 struct bsd_ucred ucred_cache;
914 struct ucred *ucred_cache = NULL;
916 int ucred_lookup = 0;
919 * oif | args->oif If NULL, ipfw_chk has been called on the
920 * inbound path (ether_input, ip_input).
921 * If non-NULL, ipfw_chk has been called on the outbound path
922 * (ether_output, ip_output).
924 struct ifnet *oif = args->oif;
926 int f_pos = 0; /* index of current rule in the array */
930 * hlen The length of the IP header.
932 u_int hlen = 0; /* hlen >0 means we have an IP pkt */
935 * offset The offset of a fragment. offset != 0 means that
936 * we have a fragment at this offset of an IPv4 packet.
937 * offset == 0 means that (if this is an IPv4 packet)
938 * this is the first or only fragment.
939 * For IPv6 offset|ip6f_mf == 0 means there is no Fragment Header
940 * or there is a single packet fragment (fragment header added
941 * without needed). We will treat a single packet fragment as if
942 * there was no fragment header (or log/block depending on the
943 * V_fw_permit_single_frag6 sysctl setting).
949 * Local copies of addresses. They are only valid if we have
952 * proto The protocol. Set to 0 for non-ip packets,
953 * or to the protocol read from the packet otherwise.
954 * proto != 0 means that we have an IPv4 packet.
956 * src_port, dst_port port numbers, in HOST format. Only
957 * valid for TCP and UDP packets.
959 * src_ip, dst_ip ip addresses, in NETWORK format.
960 * Only valid for IPv4 packets.
963 uint16_t src_port = 0, dst_port = 0; /* NOTE: host format */
964 struct in_addr src_ip, dst_ip; /* NOTE: network format */
967 uint16_t etype = 0; /* Host order stored ether type */
970 * dyn_dir = MATCH_UNKNOWN when rules unchecked,
971 * MATCH_NONE when checked and not matched (q = NULL),
972 * MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL)
974 int dyn_dir = MATCH_UNKNOWN;
975 uint16_t dyn_name = 0;
976 ipfw_dyn_rule *q = NULL;
977 struct ip_fw_chain *chain = &V_layer3_chain;
980 * We store in ulp a pointer to the upper layer protocol header.
981 * In the ipv4 case this is easy to determine from the header,
982 * but for ipv6 we might have some additional headers in the middle.
983 * ulp is NULL if not found.
985 void *ulp = NULL; /* upper layer protocol pointer. */
987 /* XXX ipv6 variables */
989 uint8_t icmp6_type = 0;
990 uint16_t ext_hd = 0; /* bits vector for extension header filtering */
991 /* end of ipv6 variables */
995 int done = 0; /* flag to exit the outer loop */
997 if (m->m_flags & M_SKIP_FIREWALL || (! V_ipfw_vnet_ready))
998 return (IP_FW_PASS); /* accept */
1000 dst_ip.s_addr = 0; /* make sure it is initialized */
1001 src_ip.s_addr = 0; /* make sure it is initialized */
1002 pktlen = m->m_pkthdr.len;
1003 args->f_id.fib = M_GETFIB(m); /* note mbuf not altered) */
1004 proto = args->f_id.proto = 0; /* mark f_id invalid */
1005 /* XXX 0 is a valid proto: IP/IPv6 Hop-by-Hop Option */
1008 * PULLUP_TO(len, p, T) makes sure that len + sizeof(T) is contiguous,
1009 * then it sets p to point at the offset "len" in the mbuf. WARNING: the
1010 * pointer might become stale after other pullups (but we never use it
1013 #define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T))
1014 #define PULLUP_LEN(_len, p, T) \
1016 int x = (_len) + T; \
1017 if ((m)->m_len < x) { \
1018 args->m = m = m_pullup(m, x); \
1020 goto pullup_failed; \
1022 p = (mtod(m, char *) + (_len)); \
1026 * if we have an ether header,
1029 etype = ntohs(args->eh->ether_type);
1031 /* Identify IP packets and fill up variables. */
1032 if (pktlen >= sizeof(struct ip6_hdr) &&
1033 (args->eh == NULL || etype == ETHERTYPE_IPV6) && ip->ip_v == 6) {
1034 struct ip6_hdr *ip6 = (struct ip6_hdr *)ip;
1036 args->f_id.addr_type = 6;
1037 hlen = sizeof(struct ip6_hdr);
1038 proto = ip6->ip6_nxt;
1040 /* Search extension headers to find upper layer protocols */
1041 while (ulp == NULL && offset == 0) {
1043 case IPPROTO_ICMPV6:
1044 PULLUP_TO(hlen, ulp, struct icmp6_hdr);
1045 icmp6_type = ICMP6(ulp)->icmp6_type;
1049 PULLUP_TO(hlen, ulp, struct tcphdr);
1050 dst_port = TCP(ulp)->th_dport;
1051 src_port = TCP(ulp)->th_sport;
1052 /* save flags for dynamic rules */
1053 args->f_id._flags = TCP(ulp)->th_flags;
1057 PULLUP_TO(hlen, ulp, struct sctphdr);
1058 src_port = SCTP(ulp)->src_port;
1059 dst_port = SCTP(ulp)->dest_port;
1063 PULLUP_TO(hlen, ulp, struct udphdr);
1064 dst_port = UDP(ulp)->uh_dport;
1065 src_port = UDP(ulp)->uh_sport;
1068 case IPPROTO_HOPOPTS: /* RFC 2460 */
1069 PULLUP_TO(hlen, ulp, struct ip6_hbh);
1070 ext_hd |= EXT_HOPOPTS;
1071 hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3;
1072 proto = ((struct ip6_hbh *)ulp)->ip6h_nxt;
1076 case IPPROTO_ROUTING: /* RFC 2460 */
1077 PULLUP_TO(hlen, ulp, struct ip6_rthdr);
1078 switch (((struct ip6_rthdr *)ulp)->ip6r_type) {
1080 ext_hd |= EXT_RTHDR0;
1083 ext_hd |= EXT_RTHDR2;
1087 printf("IPFW2: IPV6 - Unknown "
1088 "Routing Header type(%d)\n",
1089 ((struct ip6_rthdr *)
1091 if (V_fw_deny_unknown_exthdrs)
1092 return (IP_FW_DENY);
1095 ext_hd |= EXT_ROUTING;
1096 hlen += (((struct ip6_rthdr *)ulp)->ip6r_len + 1) << 3;
1097 proto = ((struct ip6_rthdr *)ulp)->ip6r_nxt;
1101 case IPPROTO_FRAGMENT: /* RFC 2460 */
1102 PULLUP_TO(hlen, ulp, struct ip6_frag);
1103 ext_hd |= EXT_FRAGMENT;
1104 hlen += sizeof (struct ip6_frag);
1105 proto = ((struct ip6_frag *)ulp)->ip6f_nxt;
1106 offset = ((struct ip6_frag *)ulp)->ip6f_offlg &
1108 ip6f_mf = ((struct ip6_frag *)ulp)->ip6f_offlg &
1110 if (V_fw_permit_single_frag6 == 0 &&
1111 offset == 0 && ip6f_mf == 0) {
1113 printf("IPFW2: IPV6 - Invalid "
1114 "Fragment Header\n");
1115 if (V_fw_deny_unknown_exthdrs)
1116 return (IP_FW_DENY);
1120 ntohl(((struct ip6_frag *)ulp)->ip6f_ident);
1124 case IPPROTO_DSTOPTS: /* RFC 2460 */
1125 PULLUP_TO(hlen, ulp, struct ip6_hbh);
1126 ext_hd |= EXT_DSTOPTS;
1127 hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3;
1128 proto = ((struct ip6_hbh *)ulp)->ip6h_nxt;
1132 case IPPROTO_AH: /* RFC 2402 */
1133 PULLUP_TO(hlen, ulp, struct ip6_ext);
1135 hlen += (((struct ip6_ext *)ulp)->ip6e_len + 2) << 2;
1136 proto = ((struct ip6_ext *)ulp)->ip6e_nxt;
1140 case IPPROTO_ESP: /* RFC 2406 */
1141 PULLUP_TO(hlen, ulp, uint32_t); /* SPI, Seq# */
1142 /* Anything past Seq# is variable length and
1143 * data past this ext. header is encrypted. */
1147 case IPPROTO_NONE: /* RFC 2460 */
1149 * Packet ends here, and IPv6 header has
1150 * already been pulled up. If ip6e_len!=0
1151 * then octets must be ignored.
1153 ulp = ip; /* non-NULL to get out of loop. */
1156 case IPPROTO_OSPFIGP:
1157 /* XXX OSPF header check? */
1158 PULLUP_TO(hlen, ulp, struct ip6_ext);
1162 /* XXX PIM header check? */
1163 PULLUP_TO(hlen, ulp, struct pim);
1166 case IPPROTO_GRE: /* RFC 1701 */
1167 /* XXX GRE header check? */
1168 PULLUP_TO(hlen, ulp, struct grehdr);
1172 PULLUP_TO(hlen, ulp, struct carp_header);
1173 if (((struct carp_header *)ulp)->carp_version !=
1175 return (IP_FW_DENY);
1176 if (((struct carp_header *)ulp)->carp_type !=
1178 return (IP_FW_DENY);
1181 case IPPROTO_IPV6: /* RFC 2893 */
1182 PULLUP_TO(hlen, ulp, struct ip6_hdr);
1185 case IPPROTO_IPV4: /* RFC 2893 */
1186 PULLUP_TO(hlen, ulp, struct ip);
1191 printf("IPFW2: IPV6 - Unknown "
1192 "Extension Header(%d), ext_hd=%x\n",
1194 if (V_fw_deny_unknown_exthdrs)
1195 return (IP_FW_DENY);
1196 PULLUP_TO(hlen, ulp, struct ip6_ext);
1200 ip = mtod(m, struct ip *);
1201 ip6 = (struct ip6_hdr *)ip;
1202 args->f_id.src_ip6 = ip6->ip6_src;
1203 args->f_id.dst_ip6 = ip6->ip6_dst;
1204 args->f_id.src_ip = 0;
1205 args->f_id.dst_ip = 0;
1206 args->f_id.flow_id6 = ntohl(ip6->ip6_flow);
1207 iplen = ntohs(ip6->ip6_plen) + sizeof(*ip6);
1208 } else if (pktlen >= sizeof(struct ip) &&
1209 (args->eh == NULL || etype == ETHERTYPE_IP) && ip->ip_v == 4) {
1211 hlen = ip->ip_hl << 2;
1212 args->f_id.addr_type = 4;
1215 * Collect parameters into local variables for faster matching.
1218 src_ip = ip->ip_src;
1219 dst_ip = ip->ip_dst;
1220 offset = ntohs(ip->ip_off) & IP_OFFMASK;
1221 iplen = ntohs(ip->ip_len);
1226 PULLUP_TO(hlen, ulp, struct tcphdr);
1227 dst_port = TCP(ulp)->th_dport;
1228 src_port = TCP(ulp)->th_sport;
1229 /* save flags for dynamic rules */
1230 args->f_id._flags = TCP(ulp)->th_flags;
1234 PULLUP_TO(hlen, ulp, struct sctphdr);
1235 src_port = SCTP(ulp)->src_port;
1236 dst_port = SCTP(ulp)->dest_port;
1240 PULLUP_TO(hlen, ulp, struct udphdr);
1241 dst_port = UDP(ulp)->uh_dport;
1242 src_port = UDP(ulp)->uh_sport;
1246 PULLUP_TO(hlen, ulp, struct icmphdr);
1247 //args->f_id.flags = ICMP(ulp)->icmp_type;
1255 ip = mtod(m, struct ip *);
1256 args->f_id.src_ip = ntohl(src_ip.s_addr);
1257 args->f_id.dst_ip = ntohl(dst_ip.s_addr);
1260 pktlen = iplen < pktlen ? iplen: pktlen;
1261 if (proto) { /* we may have port numbers, store them */
1262 args->f_id.proto = proto;
1263 args->f_id.src_port = src_port = ntohs(src_port);
1264 args->f_id.dst_port = dst_port = ntohs(dst_port);
1267 IPFW_PF_RLOCK(chain);
1268 if (! V_ipfw_vnet_ready) { /* shutting down, leave NOW. */
1269 IPFW_PF_RUNLOCK(chain);
1270 return (IP_FW_PASS); /* accept */
1272 if (args->rule.slot) {
1274 * Packet has already been tagged as a result of a previous
1275 * match on rule args->rule aka args->rule_id (PIPE, QUEUE,
1276 * REASS, NETGRAPH, DIVERT/TEE...)
1277 * Validate the slot and continue from the next one
1278 * if still present, otherwise do a lookup.
1280 f_pos = (args->rule.chain_id == chain->id) ?
1282 ipfw_find_rule(chain, args->rule.rulenum,
1283 args->rule.rule_id);
1289 * Now scan the rules, and parse microinstructions for each rule.
1290 * We have two nested loops and an inner switch. Sometimes we
1291 * need to break out of one or both loops, or re-enter one of
1292 * the loops with updated variables. Loop variables are:
1294 * f_pos (outer loop) points to the current rule.
1295 * On output it points to the matching rule.
1296 * done (outer loop) is used as a flag to break the loop.
1297 * l (inner loop) residual length of current rule.
1298 * cmd points to the current microinstruction.
1300 * We break the inner loop by setting l=0 and possibly
1301 * cmdlen=0 if we don't want to advance cmd.
1302 * We break the outer loop by setting done=1
1303 * We can restart the inner loop by setting l>0 and f_pos, f, cmd
1306 for (; f_pos < chain->n_rules; f_pos++) {
1308 uint32_t tablearg = 0;
1309 int l, cmdlen, skip_or; /* skip rest of OR block */
1312 f = chain->map[f_pos];
1313 if (V_set_disable & (1 << f->set) )
1317 for (l = f->cmd_len, cmd = f->cmd ; l > 0 ;
1318 l -= cmdlen, cmd += cmdlen) {
1322 * check_body is a jump target used when we find a
1323 * CHECK_STATE, and need to jump to the body of
1328 cmdlen = F_LEN(cmd);
1330 * An OR block (insn_1 || .. || insn_n) has the
1331 * F_OR bit set in all but the last instruction.
1332 * The first match will set "skip_or", and cause
1333 * the following instructions to be skipped until
1334 * past the one with the F_OR bit clear.
1336 if (skip_or) { /* skip this instruction */
1337 if ((cmd->len & F_OR) == 0)
1338 skip_or = 0; /* next one is good */
1341 match = 0; /* set to 1 if we succeed */
1343 switch (cmd->opcode) {
1345 * The first set of opcodes compares the packet's
1346 * fields with some pattern, setting 'match' if a
1347 * match is found. At the end of the loop there is
1348 * logic to deal with F_NOT and F_OR flags associated
1356 printf("ipfw: opcode %d unimplemented\n",
1364 * We only check offset == 0 && proto != 0,
1365 * as this ensures that we have a
1366 * packet with the ports info.
1370 if (proto == IPPROTO_TCP ||
1371 proto == IPPROTO_UDP)
1372 match = check_uidgid(
1373 (ipfw_insn_u32 *)cmd,
1374 args, &ucred_lookup,
1378 (void *)&ucred_cache);
1383 match = iface_match(m->m_pkthdr.rcvif,
1384 (ipfw_insn_if *)cmd, chain, &tablearg);
1388 match = iface_match(oif, (ipfw_insn_if *)cmd,
1393 match = iface_match(oif ? oif :
1394 m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd,
1399 if (args->eh != NULL) { /* have MAC header */
1400 u_int32_t *want = (u_int32_t *)
1401 ((ipfw_insn_mac *)cmd)->addr;
1402 u_int32_t *mask = (u_int32_t *)
1403 ((ipfw_insn_mac *)cmd)->mask;
1404 u_int32_t *hdr = (u_int32_t *)args->eh;
1407 ( want[0] == (hdr[0] & mask[0]) &&
1408 want[1] == (hdr[1] & mask[1]) &&
1409 want[2] == (hdr[2] & mask[2]) );
1414 if (args->eh != NULL) {
1416 ((ipfw_insn_u16 *)cmd)->ports;
1419 for (i = cmdlen - 1; !match && i>0;
1421 match = (etype >= p[0] &&
1427 match = (offset != 0);
1430 case O_IN: /* "out" is "not in" */
1431 match = (oif == NULL);
1435 match = (args->eh != NULL);
1440 /* For diverted packets, args->rule.info
1441 * contains the divert port (in host format)
1442 * reason and direction.
1444 uint32_t i = args->rule.info;
1445 match = (i&IPFW_IS_MASK) == IPFW_IS_DIVERT &&
1446 cmd->arg1 & ((i & IPFW_INFO_IN) ? 1 : 2);
1452 * We do not allow an arg of 0 so the
1453 * check of "proto" only suffices.
1455 match = (proto == cmd->arg1);
1460 (((ipfw_insn_ip *)cmd)->addr.s_addr ==
1464 case O_IP_DST_LOOKUP:
1470 if (cmdlen > F_INSN_SIZE(ipfw_insn_u32)) {
1471 /* Determine lookup key type */
1472 vidx = ((ipfw_insn_u32 *)cmd)->d[1];
1473 if (vidx != 4 /* uid */ &&
1474 vidx != 5 /* jail */ &&
1475 is_ipv6 == 0 && is_ipv4 == 0)
1477 /* Determine key length */
1478 if (vidx == 0 /* dst-ip */ ||
1479 vidx == 1 /* src-ip */)
1481 sizeof(struct in6_addr):
1484 keylen = sizeof(key);
1487 if (vidx == 0 /* dst-ip */)
1488 pkey = is_ipv4 ? (void *)&dst_ip:
1489 (void *)&args->f_id.dst_ip6;
1490 else if (vidx == 1 /* src-ip */)
1491 pkey = is_ipv4 ? (void *)&src_ip:
1492 (void *)&args->f_id.src_ip6;
1493 else if (vidx == 6 /* dscp */) {
1495 key = ip->ip_tos >> 2;
1497 key = args->f_id.flow_id6;
1498 key = (key & 0x0f) << 2 |
1499 (key & 0xf000) >> 14;
1502 } else if (vidx == 2 /* dst-port */ ||
1503 vidx == 3 /* src-port */) {
1504 /* Skip fragments */
1507 /* Skip proto without ports */
1508 if (proto != IPPROTO_TCP &&
1509 proto != IPPROTO_UDP &&
1510 proto != IPPROTO_SCTP)
1512 if (vidx == 2 /* dst-port */)
1518 else if (vidx == 4 /* uid */ ||
1519 vidx == 5 /* jail */) {
1521 (ipfw_insn_u32 *)cmd,
1522 args, &ucred_lookup,
1525 if (vidx == 4 /* uid */)
1526 key = ucred_cache->cr_uid;
1527 else if (vidx == 5 /* jail */)
1528 key = ucred_cache->cr_prison->pr_id;
1529 #else /* !__FreeBSD__ */
1530 (void *)&ucred_cache);
1531 if (vidx == 4 /* uid */)
1532 key = ucred_cache.uid;
1533 else if (vidx == 5 /* jail */)
1534 key = ucred_cache.xid;
1535 #endif /* !__FreeBSD__ */
1537 #endif /* !USERSPACE */
1540 match = ipfw_lookup_table(chain,
1541 cmd->arg1, keylen, pkey, &vidx);
1547 /* cmdlen =< F_INSN_SIZE(ipfw_insn_u32) */
1550 case O_IP_SRC_LOOKUP:
1557 keylen = sizeof(in_addr_t);
1558 if (cmd->opcode == O_IP_DST_LOOKUP)
1562 } else if (is_ipv6) {
1563 keylen = sizeof(struct in6_addr);
1564 if (cmd->opcode == O_IP_DST_LOOKUP)
1565 pkey = &args->f_id.dst_ip6;
1567 pkey = &args->f_id.src_ip6;
1570 match = ipfw_lookup_table(chain, cmd->arg1,
1571 keylen, pkey, &vidx);
1574 if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) {
1575 match = ((ipfw_insn_u32 *)cmd)->d[0] ==
1576 TARG_VAL(chain, vidx, tag);
1584 case O_IP_FLOW_LOOKUP:
1587 match = ipfw_lookup_table(chain,
1588 cmd->arg1, 0, &args->f_id, &v);
1589 if (cmdlen == F_INSN_SIZE(ipfw_insn_u32))
1590 match = ((ipfw_insn_u32 *)cmd)->d[0] ==
1591 TARG_VAL(chain, v, tag);
1600 (cmd->opcode == O_IP_DST_MASK) ?
1601 dst_ip.s_addr : src_ip.s_addr;
1602 uint32_t *p = ((ipfw_insn_u32 *)cmd)->d;
1605 for (; !match && i>0; i-= 2, p+= 2)
1606 match = (p[0] == (a & p[1]));
1612 match = in_localip(src_ip);
1618 match= is_ipv6 && ipfw_localip6(&args->f_id.src_ip6);
1625 u_int32_t *d = (u_int32_t *)(cmd+1);
1627 cmd->opcode == O_IP_DST_SET ?
1633 addr -= d[0]; /* subtract base */
1634 match = (addr < cmd->arg1) &&
1635 ( d[ 1 + (addr>>5)] &
1636 (1<<(addr & 0x1f)) );
1642 (((ipfw_insn_ip *)cmd)->addr.s_addr ==
1648 match = in_localip(dst_ip);
1654 match= is_ipv6 && ipfw_localip6(&args->f_id.dst_ip6);
1662 * offset == 0 && proto != 0 is enough
1663 * to guarantee that we have a
1664 * packet with port info.
1666 if ((proto==IPPROTO_UDP || proto==IPPROTO_TCP ||
1667 proto==IPPROTO_SCTP) && offset == 0) {
1669 (cmd->opcode == O_IP_SRCPORT) ?
1670 src_port : dst_port ;
1672 ((ipfw_insn_u16 *)cmd)->ports;
1675 for (i = cmdlen - 1; !match && i>0;
1677 match = (x>=p[0] && x<=p[1]);
1682 match = (offset == 0 && proto==IPPROTO_ICMP &&
1683 icmptype_match(ICMP(ulp), (ipfw_insn_u32 *)cmd) );
1688 match = is_ipv6 && offset == 0 &&
1689 proto==IPPROTO_ICMPV6 &&
1691 ICMP6(ulp)->icmp6_type,
1692 (ipfw_insn_u32 *)cmd);
1698 ipopts_match(ip, cmd) );
1703 cmd->arg1 == ip->ip_v);
1709 if (is_ipv4) { /* only for IP packets */
1714 if (cmd->opcode == O_IPLEN)
1716 else if (cmd->opcode == O_IPTTL)
1718 else /* must be IPID */
1719 x = ntohs(ip->ip_id);
1721 match = (cmd->arg1 == x);
1724 /* otherwise we have ranges */
1725 p = ((ipfw_insn_u16 *)cmd)->ports;
1727 for (; !match && i>0; i--, p += 2)
1728 match = (x >= p[0] && x <= p[1]);
1732 case O_IPPRECEDENCE:
1734 (cmd->arg1 == (ip->ip_tos & 0xe0)) );
1739 flags_match(cmd, ip->ip_tos));
1747 p = ((ipfw_insn_u32 *)cmd)->d;
1750 x = ip->ip_tos >> 2;
1753 v = &((struct ip6_hdr *)ip)->ip6_vfc;
1754 x = (*v & 0x0F) << 2;
1760 /* DSCP bitmask is stored as low_u32 high_u32 */
1762 match = *(p + 1) & (1 << (x - 32));
1764 match = *p & (1 << x);
1769 if (proto == IPPROTO_TCP && offset == 0) {
1776 struct ip6_hdr *ip6;
1778 ip6 = (struct ip6_hdr *)ip;
1779 if (ip6->ip6_plen == 0) {
1781 * Jumbo payload is not
1790 x = iplen - (ip->ip_hl << 2);
1792 x -= tcp->th_off << 2;
1794 match = (cmd->arg1 == x);
1797 /* otherwise we have ranges */
1798 p = ((ipfw_insn_u16 *)cmd)->ports;
1800 for (; !match && i>0; i--, p += 2)
1801 match = (x >= p[0] && x <= p[1]);
1806 match = (proto == IPPROTO_TCP && offset == 0 &&
1807 flags_match(cmd, TCP(ulp)->th_flags));
1811 if (proto == IPPROTO_TCP && offset == 0 && ulp){
1812 PULLUP_LEN(hlen, ulp,
1813 (TCP(ulp)->th_off << 2));
1814 match = tcpopts_match(TCP(ulp), cmd);
1819 match = (proto == IPPROTO_TCP && offset == 0 &&
1820 ((ipfw_insn_u32 *)cmd)->d[0] ==
1825 match = (proto == IPPROTO_TCP && offset == 0 &&
1826 ((ipfw_insn_u32 *)cmd)->d[0] ==
1831 if (proto == IPPROTO_TCP && offset == 0) {
1836 x = ntohs(TCP(ulp)->th_win);
1838 match = (cmd->arg1 == x);
1841 /* Otherwise we have ranges. */
1842 p = ((ipfw_insn_u16 *)cmd)->ports;
1844 for (; !match && i > 0; i--, p += 2)
1845 match = (x >= p[0] && x <= p[1]);
1850 /* reject packets which have SYN only */
1851 /* XXX should i also check for TH_ACK ? */
1852 match = (proto == IPPROTO_TCP && offset == 0 &&
1853 (TCP(ulp)->th_flags &
1854 (TH_RST | TH_ACK | TH_SYN)) != TH_SYN);
1860 ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;
1863 * ALTQ uses mbuf tags from another
1864 * packet filtering system - pf(4).
1865 * We allocate a tag in its format
1866 * and fill it in, pretending to be pf(4).
1869 at = pf_find_mtag(m);
1870 if (at != NULL && at->qid != 0)
1872 mtag = m_tag_get(PACKET_TAG_PF,
1873 sizeof(struct pf_mtag), M_NOWAIT | M_ZERO);
1876 * Let the packet fall back to the
1881 m_tag_prepend(m, mtag);
1882 at = (struct pf_mtag *)(mtag + 1);
1883 at->qid = altq->qid;
1889 ipfw_log(chain, f, hlen, args, m,
1890 oif, offset | ip6f_mf, tablearg, ip);
1895 match = (random()<((ipfw_insn_u32 *)cmd)->d[0]);
1899 /* Outgoing packets automatically pass/match */
1900 match = ((oif != NULL) ||
1901 (m->m_pkthdr.rcvif == NULL) ||
1905 verify_path6(&(args->f_id.src_ip6),
1906 m->m_pkthdr.rcvif, args->f_id.fib) :
1908 verify_path(src_ip, m->m_pkthdr.rcvif,
1913 /* Outgoing packets automatically pass/match */
1914 match = (hlen > 0 && ((oif != NULL) ||
1917 verify_path6(&(args->f_id.src_ip6),
1918 NULL, args->f_id.fib) :
1920 verify_path(src_ip, NULL, args->f_id.fib)));
1924 /* Outgoing packets automatically pass/match */
1925 if (oif == NULL && hlen > 0 &&
1926 ( (is_ipv4 && in_localaddr(src_ip))
1929 in6_localaddr(&(args->f_id.src_ip6)))
1934 is_ipv6 ? verify_path6(
1935 &(args->f_id.src_ip6),
1947 match = (m_tag_find(m,
1948 PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
1949 /* otherwise no match */
1955 IN6_ARE_ADDR_EQUAL(&args->f_id.src_ip6,
1956 &((ipfw_insn_ip6 *)cmd)->addr6);
1961 IN6_ARE_ADDR_EQUAL(&args->f_id.dst_ip6,
1962 &((ipfw_insn_ip6 *)cmd)->addr6);
1964 case O_IP6_SRC_MASK:
1965 case O_IP6_DST_MASK:
1969 struct in6_addr *d =
1970 &((ipfw_insn_ip6 *)cmd)->addr6;
1972 for (; !match && i > 0; d += 2,
1973 i -= F_INSN_SIZE(struct in6_addr)
1979 APPLY_MASK(&p, &d[1]);
1981 IN6_ARE_ADDR_EQUAL(&d[0],
1989 flow6id_match(args->f_id.flow_id6,
1990 (ipfw_insn_u32 *) cmd);
1995 (ext_hd & ((ipfw_insn *) cmd)->arg1);
2009 uint32_t tag = TARG(cmd->arg1, tag);
2011 /* Packet is already tagged with this tag? */
2012 mtag = m_tag_locate(m, MTAG_IPFW, tag, NULL);
2014 /* We have `untag' action when F_NOT flag is
2015 * present. And we must remove this mtag from
2016 * mbuf and reset `match' to zero (`match' will
2017 * be inversed later).
2018 * Otherwise we should allocate new mtag and
2019 * push it into mbuf.
2021 if (cmd->len & F_NOT) { /* `untag' action */
2023 m_tag_delete(m, mtag);
2027 mtag = m_tag_alloc( MTAG_IPFW,
2030 m_tag_prepend(m, mtag);
2037 case O_FIB: /* try match the specified fib */
2038 if (args->f_id.fib == cmd->arg1)
2043 #ifndef USERSPACE /* not supported in userspace */
2044 struct inpcb *inp = args->inp;
2045 struct inpcbinfo *pi;
2047 if (is_ipv6) /* XXX can we remove this ? */
2050 if (proto == IPPROTO_TCP)
2052 else if (proto == IPPROTO_UDP)
2058 * XXXRW: so_user_cookie should almost
2059 * certainly be inp_user_cookie?
2062 /* For incoming packet, lookup up the
2063 inpcb using the src/dest ip/port tuple */
2065 inp = in_pcblookup(pi,
2066 src_ip, htons(src_port),
2067 dst_ip, htons(dst_port),
2068 INPLOOKUP_RLOCKPCB, NULL);
2071 inp->inp_socket->so_user_cookie;
2077 if (inp->inp_socket) {
2079 inp->inp_socket->so_user_cookie;
2084 #endif /* !USERSPACE */
2090 uint32_t tag = TARG(cmd->arg1, tag);
2093 match = m_tag_locate(m, MTAG_IPFW,
2098 /* we have ranges */
2099 for (mtag = m_tag_first(m);
2100 mtag != NULL && !match;
2101 mtag = m_tag_next(m, mtag)) {
2105 if (mtag->m_tag_cookie != MTAG_IPFW)
2108 p = ((ipfw_insn_u16 *)cmd)->ports;
2110 for(; !match && i > 0; i--, p += 2)
2112 mtag->m_tag_id >= p[0] &&
2113 mtag->m_tag_id <= p[1];
2119 * The second set of opcodes represents 'actions',
2120 * i.e. the terminal part of a rule once the packet
2121 * matches all previous patterns.
2122 * Typically there is only one action for each rule,
2123 * and the opcode is stored at the end of the rule
2124 * (but there are exceptions -- see below).
2126 * In general, here we set retval and terminate the
2127 * outer loop (would be a 'break 3' in some language,
2128 * but we need to set l=0, done=1)
2131 * O_COUNT and O_SKIPTO actions:
2132 * instead of terminating, we jump to the next rule
2133 * (setting l=0), or to the SKIPTO target (setting
2134 * f/f_len, cmd and l as needed), respectively.
2136 * O_TAG, O_LOG and O_ALTQ action parameters:
2137 * perform some action and set match = 1;
2139 * O_LIMIT and O_KEEP_STATE: these opcodes are
2140 * not real 'actions', and are stored right
2141 * before the 'action' part of the rule.
2142 * These opcodes try to install an entry in the
2143 * state tables; if successful, we continue with
2144 * the next opcode (match=1; break;), otherwise
2145 * the packet must be dropped (set retval,
2146 * break loops with l=0, done=1)
2148 * O_PROBE_STATE and O_CHECK_STATE: these opcodes
2149 * cause a lookup of the state table, and a jump
2150 * to the 'action' part of the parent rule
2151 * if an entry is found, or
2152 * (CHECK_STATE only) a jump to the next rule if
2153 * the entry is not found.
2154 * The result of the lookup is cached so that
2155 * further instances of these opcodes become NOPs.
2156 * The jump to the next rule is done by setting
2161 if (ipfw_install_state(chain, f,
2162 (ipfw_insn_limit *)cmd, args, tablearg)) {
2163 /* error or limit violation */
2164 retval = IP_FW_DENY;
2165 l = 0; /* exit inner loop */
2166 done = 1; /* exit outer loop */
2174 * dynamic rules are checked at the first
2175 * keep-state or check-state occurrence,
2176 * with the result being stored in dyn_dir
2178 * The compiler introduces a PROBE_STATE
2179 * instruction for us when we have a
2180 * KEEP_STATE (because PROBE_STATE needs
2183 * (dyn_dir == MATCH_UNKNOWN) means this is
2184 * first lookup for such f_id. Do lookup.
2186 * (dyn_dir != MATCH_UNKNOWN &&
2187 * dyn_name != 0 && dyn_name != cmd->arg1)
2188 * means previous lookup didn't find dynamic
2189 * rule for specific state name and current
2190 * lookup will search rule with another state
2191 * name. Redo lookup.
2193 * (dyn_dir != MATCH_UNKNOWN && dyn_name == 0)
2194 * means previous lookup was for `any' name
2195 * and it didn't find rule. No need to do
2198 if ((dyn_dir == MATCH_UNKNOWN ||
2200 dyn_name != cmd->arg1)) &&
2201 (q = ipfw_lookup_dyn_rule(&args->f_id,
2202 &dyn_dir, proto == IPPROTO_TCP ?
2204 (dyn_name = cmd->arg1))) != NULL) {
2206 * Found dynamic entry, update stats
2207 * and jump to the 'action' part of
2208 * the parent rule by setting
2209 * f, cmd, l and clearing cmdlen.
2211 IPFW_INC_DYN_COUNTER(q, pktlen);
2212 /* XXX we would like to have f_pos
2213 * readily accessible in the dynamic
2214 * rule, instead of having to
2218 f_pos = ipfw_find_rule(chain,
2220 cmd = ACTION_PTR(f);
2221 l = f->cmd_len - f->act_ofs;
2228 * Dynamic entry not found. If CHECK_STATE,
2229 * skip to next rule, if PROBE_STATE just
2230 * ignore and continue with next opcode.
2232 if (cmd->opcode == O_CHECK_STATE)
2233 l = 0; /* exit inner loop */
2238 retval = 0; /* accept */
2239 l = 0; /* exit inner loop */
2240 done = 1; /* exit outer loop */
2245 set_match(args, f_pos, chain);
2246 args->rule.info = TARG(cmd->arg1, pipe);
2247 if (cmd->opcode == O_PIPE)
2248 args->rule.info |= IPFW_IS_PIPE;
2250 args->rule.info |= IPFW_ONEPASS;
2251 retval = IP_FW_DUMMYNET;
2252 l = 0; /* exit inner loop */
2253 done = 1; /* exit outer loop */
2258 if (args->eh) /* not on layer 2 */
2260 /* otherwise this is terminal */
2261 l = 0; /* exit inner loop */
2262 done = 1; /* exit outer loop */
2263 retval = (cmd->opcode == O_DIVERT) ?
2264 IP_FW_DIVERT : IP_FW_TEE;
2265 set_match(args, f_pos, chain);
2266 args->rule.info = TARG(cmd->arg1, divert);
2270 IPFW_INC_RULE_COUNTER(f, pktlen);
2271 l = 0; /* exit inner loop */
2275 IPFW_INC_RULE_COUNTER(f, pktlen);
2276 f_pos = JUMP(chain, f, cmd->arg1, tablearg, 0);
2278 * Skip disabled rules, and re-enter
2279 * the inner loop with the correct
2280 * f_pos, f, l and cmd.
2281 * Also clear cmdlen and skip_or
2283 for (; f_pos < chain->n_rules - 1 &&
2285 (1 << chain->map[f_pos]->set));
2288 /* Re-enter the inner loop at the skipto rule. */
2289 f = chain->map[f_pos];
2296 break; /* not reached */
2298 case O_CALLRETURN: {
2300 * Implementation of `subroutine' call/return,
2301 * in the stack carried in an mbuf tag. This
2302 * is different from `skipto' in that any call
2303 * address is possible (`skipto' must prevent
2304 * backward jumps to avoid endless loops).
2305 * We have `return' action when F_NOT flag is
2306 * present. The `m_tag_id' field is used as
2310 uint16_t jmpto, *stack;
2312 #define IS_CALL ((cmd->len & F_NOT) == 0)
2313 #define IS_RETURN ((cmd->len & F_NOT) != 0)
2315 * Hand-rolled version of m_tag_locate() with
2317 * If not already tagged, allocate new tag.
2319 mtag = m_tag_first(m);
2320 while (mtag != NULL) {
2321 if (mtag->m_tag_cookie ==
2324 mtag = m_tag_next(m, mtag);
2326 if (mtag == NULL && IS_CALL) {
2327 mtag = m_tag_alloc(MTAG_IPFW_CALL, 0,
2328 IPFW_CALLSTACK_SIZE *
2329 sizeof(uint16_t), M_NOWAIT);
2331 m_tag_prepend(m, mtag);
2335 * On error both `call' and `return' just
2336 * continue with next rule.
2338 if (IS_RETURN && (mtag == NULL ||
2339 mtag->m_tag_id == 0)) {
2340 l = 0; /* exit inner loop */
2343 if (IS_CALL && (mtag == NULL ||
2344 mtag->m_tag_id >= IPFW_CALLSTACK_SIZE)) {
2345 printf("ipfw: call stack error, "
2346 "go to next rule\n");
2347 l = 0; /* exit inner loop */
2351 IPFW_INC_RULE_COUNTER(f, pktlen);
2352 stack = (uint16_t *)(mtag + 1);
2355 * The `call' action may use cached f_pos
2356 * (in f->next_rule), whose version is written
2358 * The `return' action, however, doesn't have
2359 * fixed jump address in cmd->arg1 and can't use
2363 stack[mtag->m_tag_id] = f->rulenum;
2365 f_pos = JUMP(chain, f, cmd->arg1,
2367 } else { /* `return' action */
2369 jmpto = stack[mtag->m_tag_id] + 1;
2370 f_pos = ipfw_find_rule(chain, jmpto, 0);
2374 * Skip disabled rules, and re-enter
2375 * the inner loop with the correct
2376 * f_pos, f, l and cmd.
2377 * Also clear cmdlen and skip_or
2379 for (; f_pos < chain->n_rules - 1 &&
2381 (1 << chain->map[f_pos]->set)); f_pos++)
2383 /* Re-enter the inner loop at the dest rule. */
2384 f = chain->map[f_pos];
2390 break; /* NOTREACHED */
2397 * Drop the packet and send a reject notice
2398 * if the packet is not ICMP (or is an ICMP
2399 * query), and it is not multicast/broadcast.
2401 if (hlen > 0 && is_ipv4 && offset == 0 &&
2402 (proto != IPPROTO_ICMP ||
2403 is_icmp_query(ICMP(ulp))) &&
2404 !(m->m_flags & (M_BCAST|M_MCAST)) &&
2405 !IN_MULTICAST(ntohl(dst_ip.s_addr))) {
2406 send_reject(args, cmd->arg1, iplen, ip);
2412 if (hlen > 0 && is_ipv6 &&
2413 ((offset & IP6F_OFF_MASK) == 0) &&
2414 (proto != IPPROTO_ICMPV6 ||
2415 (is_icmp6_query(icmp6_type) == 1)) &&
2416 !(m->m_flags & (M_BCAST|M_MCAST)) &&
2417 !IN6_IS_ADDR_MULTICAST(&args->f_id.dst_ip6)) {
2419 args, cmd->arg1, hlen,
2420 (struct ip6_hdr *)ip);
2426 retval = IP_FW_DENY;
2427 l = 0; /* exit inner loop */
2428 done = 1; /* exit outer loop */
2432 if (args->eh) /* not valid on layer2 pkts */
2434 if (q == NULL || q->rule != f ||
2435 dyn_dir == MATCH_FORWARD) {
2436 struct sockaddr_in *sa;
2438 sa = &(((ipfw_insn_sa *)cmd)->sa);
2439 if (sa->sin_addr.s_addr == INADDR_ANY) {
2442 * We use O_FORWARD_IP opcode for
2443 * fwd rule with tablearg, but tables
2444 * now support IPv6 addresses. And
2445 * when we are inspecting IPv6 packet,
2446 * we can use nh6 field from
2447 * table_value as next_hop6 address.
2450 struct sockaddr_in6 *sa6;
2452 sa6 = args->next_hop6 =
2454 sa6->sin6_family = AF_INET6;
2455 sa6->sin6_len = sizeof(*sa6);
2456 sa6->sin6_addr = TARG_VAL(
2457 chain, tablearg, nh6);
2458 sa6->sin6_port = sa->sin_port;
2460 * Set sin6_scope_id only for
2461 * link-local unicast addresses.
2463 if (IN6_IS_ADDR_LINKLOCAL(
2465 sa6->sin6_scope_id =
2472 args->hopstore.sin_port =
2474 sa = args->next_hop =
2476 sa->sin_family = AF_INET;
2477 sa->sin_len = sizeof(*sa);
2478 sa->sin_addr.s_addr = htonl(
2479 TARG_VAL(chain, tablearg,
2483 args->next_hop = sa;
2486 retval = IP_FW_PASS;
2487 l = 0; /* exit inner loop */
2488 done = 1; /* exit outer loop */
2493 if (args->eh) /* not valid on layer2 pkts */
2495 if (q == NULL || q->rule != f ||
2496 dyn_dir == MATCH_FORWARD) {
2497 struct sockaddr_in6 *sin6;
2499 sin6 = &(((ipfw_insn_sa6 *)cmd)->sa);
2500 args->next_hop6 = sin6;
2502 retval = IP_FW_PASS;
2503 l = 0; /* exit inner loop */
2504 done = 1; /* exit outer loop */
2510 set_match(args, f_pos, chain);
2511 args->rule.info = TARG(cmd->arg1, netgraph);
2513 args->rule.info |= IPFW_ONEPASS;
2514 retval = (cmd->opcode == O_NETGRAPH) ?
2515 IP_FW_NETGRAPH : IP_FW_NGTEE;
2516 l = 0; /* exit inner loop */
2517 done = 1; /* exit outer loop */
2523 IPFW_INC_RULE_COUNTER(f, pktlen);
2524 fib = TARG(cmd->arg1, fib) & 0x7FFF;
2525 if (fib >= rt_numfibs)
2528 args->f_id.fib = fib;
2529 l = 0; /* exit inner loop */
2536 code = TARG(cmd->arg1, dscp) & 0x3F;
2537 l = 0; /* exit inner loop */
2541 old = *(uint16_t *)ip;
2542 ip->ip_tos = (code << 2) |
2543 (ip->ip_tos & 0x03);
2544 ip->ip_sum = cksum_adjust(ip->ip_sum,
2545 old, *(uint16_t *)ip);
2546 } else if (is_ipv6) {
2549 v = &((struct ip6_hdr *)ip)->ip6_vfc;
2550 *v = (*v & 0xF0) | (code >> 2);
2552 *v = (*v & 0x3F) | ((code & 0x03) << 6);
2556 IPFW_INC_RULE_COUNTER(f, pktlen);
2561 l = 0; /* exit inner loop */
2562 done = 1; /* exit outer loop */
2564 * Ensure that we do not invoke NAT handler for
2565 * non IPv4 packets. Libalias expects only IPv4.
2567 if (!is_ipv4 || !IPFW_NAT_LOADED) {
2568 retval = IP_FW_DENY;
2575 set_match(args, f_pos, chain);
2576 /* Check if this is 'global' nat rule */
2577 if (cmd->arg1 == IP_FW_NAT44_GLOBAL) {
2578 retval = ipfw_nat_ptr(args, NULL, m);
2581 t = ((ipfw_insn_nat *)cmd)->nat;
2583 nat_id = TARG(cmd->arg1, nat);
2584 t = (*lookup_nat_ptr)(&chain->nat, nat_id);
2587 retval = IP_FW_DENY;
2590 if (cmd->arg1 != IP_FW_TARG)
2591 ((ipfw_insn_nat *)cmd)->nat = t;
2593 retval = ipfw_nat_ptr(args, t, m);
2599 IPFW_INC_RULE_COUNTER(f, pktlen);
2600 l = 0; /* in any case exit inner loop */
2601 ip_off = ntohs(ip->ip_off);
2603 /* if not fragmented, go to next rule */
2604 if ((ip_off & (IP_MF | IP_OFFMASK)) == 0)
2607 args->m = m = ip_reass(m);
2610 * do IP header checksum fixup.
2612 if (m == NULL) { /* fragment got swallowed */
2613 retval = IP_FW_DENY;
2614 } else { /* good, packet complete */
2617 ip = mtod(m, struct ip *);
2618 hlen = ip->ip_hl << 2;
2620 if (hlen == sizeof(struct ip))
2621 ip->ip_sum = in_cksum_hdr(ip);
2623 ip->ip_sum = in_cksum(m, hlen);
2624 retval = IP_FW_REASS;
2625 set_match(args, f_pos, chain);
2627 done = 1; /* exit outer loop */
2630 case O_EXTERNAL_ACTION:
2631 l = 0; /* in any case exit inner loop */
2632 retval = ipfw_run_eaction(chain, args,
2635 * If both @retval and @done are zero,
2636 * consider this as rule matching and
2639 if (retval == 0 && done == 0) {
2640 IPFW_INC_RULE_COUNTER(f, pktlen);
2642 * Reset the result of the last
2643 * dynamic state lookup.
2644 * External action can change
2645 * @args content, and it may be
2646 * used for new state lookup later.
2648 dyn_dir = MATCH_UNKNOWN;
2653 panic("-- unknown opcode %d\n", cmd->opcode);
2654 } /* end of switch() on opcodes */
2656 * if we get here with l=0, then match is irrelevant.
2659 if (cmd->len & F_NOT)
2663 if (cmd->len & F_OR)
2666 if (!(cmd->len & F_OR)) /* not an OR block, */
2667 break; /* try next rule */
2670 } /* end of inner loop, scan opcodes */
2676 /* next_rule:; */ /* try next rule */
2678 } /* end of outer for, scan rules */
2681 struct ip_fw *rule = chain->map[f_pos];
2682 /* Update statistics */
2683 IPFW_INC_RULE_COUNTER(rule, pktlen);
2685 retval = IP_FW_DENY;
2686 printf("ipfw: ouch!, skip past end of rules, denying packet\n");
2688 IPFW_PF_RUNLOCK(chain);
2690 if (ucred_cache != NULL)
2691 crfree(ucred_cache);
2697 printf("ipfw: pullup failed\n");
2698 return (IP_FW_DENY);
2702 * Set maximum number of tables that can be used in given VNET ipfw instance.
2706 sysctl_ipfw_table_num(SYSCTL_HANDLER_ARGS)
2709 unsigned int ntables;
2711 ntables = V_fw_tables_max;
2713 error = sysctl_handle_int(oidp, &ntables, 0, req);
2714 /* Read operation or some error */
2715 if ((error != 0) || (req->newptr == NULL))
2718 return (ipfw_resize_tables(&V_layer3_chain, ntables));
2722 * Switches table namespace between global and per-set.
2725 sysctl_ipfw_tables_sets(SYSCTL_HANDLER_ARGS)
2730 sets = V_fw_tables_sets;
2732 error = sysctl_handle_int(oidp, &sets, 0, req);
2733 /* Read operation or some error */
2734 if ((error != 0) || (req->newptr == NULL))
2737 return (ipfw_switch_tables_namespace(&V_layer3_chain, sets));
2742 * Module and VNET glue
2746 * Stuff that must be initialised only on boot or module load
2754 * Only print out this stuff the first time around,
2755 * when called from the sysinit code.
2761 "initialized, divert %s, nat %s, "
2762 "default to %s, logging ",
2768 #ifdef IPFIREWALL_NAT
2773 default_to_accept ? "accept" : "deny");
2776 * Note: V_xxx variables can be accessed here but the vnet specific
2777 * initializer may not have been called yet for the VIMAGE case.
2778 * Tuneables will have been processed. We will print out values for
2780 * XXX This should all be rationalized AFTER 8.0
2782 if (V_fw_verbose == 0)
2783 printf("disabled\n");
2784 else if (V_verbose_limit == 0)
2785 printf("unlimited\n");
2787 printf("limited to %d packets/entry by default\n",
2790 /* Check user-supplied table count for validness */
2791 if (default_fw_tables > IPFW_TABLES_MAX)
2792 default_fw_tables = IPFW_TABLES_MAX;
2794 ipfw_init_sopt_handler();
2795 ipfw_init_obj_rewriter();
2801 * Called for the removal of the last instance only on module unload.
2807 ipfw_iface_destroy();
2808 ipfw_destroy_sopt_handler();
2809 ipfw_destroy_obj_rewriter();
2810 printf("IP firewall unloaded\n");
2814 * Stuff that must be initialized for every instance
2815 * (including the first of course).
2818 vnet_ipfw_init(const void *unused)
2821 struct ip_fw *rule = NULL;
2822 struct ip_fw_chain *chain;
2824 chain = &V_layer3_chain;
2826 first = IS_DEFAULT_VNET(curvnet) ? 1 : 0;
2828 /* First set up some values that are compile time options */
2829 V_autoinc_step = 100; /* bounded to 1..1000 in add_rule() */
2830 V_fw_deny_unknown_exthdrs = 1;
2831 #ifdef IPFIREWALL_VERBOSE
2834 #ifdef IPFIREWALL_VERBOSE_LIMIT
2835 V_verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
2837 #ifdef IPFIREWALL_NAT
2838 LIST_INIT(&chain->nat);
2841 /* Init shared services hash table */
2842 ipfw_init_srv(chain);
2844 ipfw_init_counters();
2845 /* insert the default rule and create the initial map */
2847 chain->map = malloc(sizeof(struct ip_fw *), M_IPFW, M_WAITOK | M_ZERO);
2848 rule = ipfw_alloc_rule(chain, sizeof(struct ip_fw));
2850 /* Set initial number of tables */
2851 V_fw_tables_max = default_fw_tables;
2852 error = ipfw_init_tables(chain, first);
2854 printf("ipfw2: setting up tables failed\n");
2855 free(chain->map, M_IPFW);
2860 /* fill and insert the default rule */
2862 rule->rulenum = IPFW_DEFAULT_RULE;
2864 rule->set = RESVD_SET;
2865 rule->cmd[0].len = 1;
2866 rule->cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY;
2867 chain->default_rule = chain->map[0] = rule;
2868 chain->id = rule->id = 1;
2869 /* Pre-calculate rules length for legacy dump format */
2870 chain->static_len = sizeof(struct ip_fw_rule0);
2872 IPFW_LOCK_INIT(chain);
2873 ipfw_dyn_init(chain);
2874 ipfw_eaction_init(chain, first);
2875 #ifdef LINEAR_SKIPTO
2876 ipfw_init_skipto_cache(chain);
2878 ipfw_bpf_init(first);
2880 /* First set up some values that are compile time options */
2881 V_ipfw_vnet_ready = 1; /* Open for business */
2884 * Hook the sockopt handler and pfil hooks for ipv4 and ipv6.
2885 * Even if the latter two fail we still keep the module alive
2886 * because the sockopt and layer2 paths are still useful.
2887 * ipfw[6]_hook return 0 on success, ENOENT on failure,
2888 * so we can ignore the exact return value and just set a flag.
2890 * Note that V_fw[6]_enable are manipulated by a SYSCTL_PROC so
2891 * changes in the underlying (per-vnet) variables trigger
2892 * immediate hook()/unhook() calls.
2893 * In layer2 we have the same behaviour, except that V_ether_ipfw
2894 * is checked on each packet because there are no pfil hooks.
2896 V_ip_fw_ctl_ptr = ipfw_ctl3;
2897 error = ipfw_attach_hooks(1);
2902 * Called for the removal of each instance.
2905 vnet_ipfw_uninit(const void *unused)
2908 struct ip_fw_chain *chain = &V_layer3_chain;
2911 V_ipfw_vnet_ready = 0; /* tell new callers to go away */
2913 * disconnect from ipv4, ipv6, layer2 and sockopt.
2914 * Then grab, release and grab again the WLOCK so we make
2915 * sure the update is propagated and nobody will be in.
2917 (void)ipfw_attach_hooks(0 /* detach */);
2918 V_ip_fw_ctl_ptr = NULL;
2920 last = IS_DEFAULT_VNET(curvnet) ? 1 : 0;
2922 IPFW_UH_WLOCK(chain);
2923 IPFW_UH_WUNLOCK(chain);
2925 ipfw_dyn_uninit(0); /* run the callout_drain */
2927 IPFW_UH_WLOCK(chain);
2931 for (i = 0; i < chain->n_rules; i++)
2932 ipfw_reap_add(chain, &reap, chain->map[i]);
2933 free(chain->map, M_IPFW);
2934 #ifdef LINEAR_SKIPTO
2935 ipfw_destroy_skipto_cache(chain);
2937 IPFW_WUNLOCK(chain);
2938 IPFW_UH_WUNLOCK(chain);
2939 ipfw_destroy_tables(chain, last);
2940 ipfw_eaction_uninit(chain, last);
2942 ipfw_reap_rules(reap);
2943 vnet_ipfw_iface_destroy(chain);
2944 ipfw_destroy_srv(chain);
2945 IPFW_LOCK_DESTROY(chain);
2946 ipfw_dyn_uninit(1); /* free the remaining parts */
2947 ipfw_destroy_counters();
2948 ipfw_bpf_uninit(last);
2953 * Module event handler.
2954 * In general we have the choice of handling most of these events by the
2955 * event handler or by the (VNET_)SYS(UN)INIT handlers. I have chosen to
2956 * use the SYSINIT handlers as they are more capable of expressing the
2957 * flow of control during module and vnet operations, so this is just
2958 * a skeleton. Note there is no SYSINIT equivalent of the module
2959 * SHUTDOWN handler, but we don't have anything to do in that case anyhow.
2962 ipfw_modevent(module_t mod, int type, void *unused)
2968 /* Called once at module load or
2969 * system boot if compiled in. */
2972 /* Called before unload. May veto unloading. */
2975 /* Called during unload. */
2978 /* Called during system shutdown. */
2987 static moduledata_t ipfwmod = {
2993 /* Define startup order. */
2994 #define IPFW_SI_SUB_FIREWALL SI_SUB_PROTO_FIREWALL
2995 #define IPFW_MODEVENT_ORDER (SI_ORDER_ANY - 255) /* On boot slot in here. */
2996 #define IPFW_MODULE_ORDER (IPFW_MODEVENT_ORDER + 1) /* A little later. */
2997 #define IPFW_VNET_ORDER (IPFW_MODEVENT_ORDER + 2) /* Later still. */
2999 DECLARE_MODULE(ipfw, ipfwmod, IPFW_SI_SUB_FIREWALL, IPFW_MODEVENT_ORDER);
3000 FEATURE(ipfw_ctl3, "ipfw new sockopt calls");
3001 MODULE_VERSION(ipfw, 3);
3002 /* should declare some dependencies here */
3005 * Starting up. Done in order after ipfwmod() has been called.
3006 * VNET_SYSINIT is also called for each existing vnet and each new vnet.
3008 SYSINIT(ipfw_init, IPFW_SI_SUB_FIREWALL, IPFW_MODULE_ORDER,
3010 VNET_SYSINIT(vnet_ipfw_init, IPFW_SI_SUB_FIREWALL, IPFW_VNET_ORDER,
3011 vnet_ipfw_init, NULL);
3014 * Closing up shop. These are done in REVERSE ORDER, but still
3015 * after ipfwmod() has been called. Not called on reboot.
3016 * VNET_SYSUNINIT is also called for each exiting vnet as it exits.
3017 * or when the module is unloaded.
3019 SYSUNINIT(ipfw_destroy, IPFW_SI_SUB_FIREWALL, IPFW_MODULE_ORDER,
3020 ipfw_destroy, NULL);
3021 VNET_SYSUNINIT(vnet_ipfw_uninit, IPFW_SI_SUB_FIREWALL, IPFW_VNET_ORDER,
3022 vnet_ipfw_uninit, NULL);