2 * Copyright (c) 2016 Yandex LLC
3 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
30 #include <sys/param.h>
31 #include <sys/systm.h>
32 #include <sys/malloc.h>
33 #include <sys/kernel.h>
36 #include <sys/rwlock.h>
37 #include <sys/rmlock.h>
38 #include <sys/socket.h>
39 #include <sys/socketvar.h>
40 #include <sys/queue.h>
43 #include <net/if.h> /* ip_fw.h requires IFNAMSIZ */
44 #include <netinet/in.h>
45 #include <netinet/ip_var.h> /* struct ipfw_rule_ref */
46 #include <netinet/ip_fw.h>
48 #include <netpfil/ipfw/ip_fw_private.h>
53 * External actions support for ipfw.
55 * This code provides a KPI for implementing loadable modules that
56 * can provide handlers for external action opcodes in the ipfw's
58 * A module should implement an opcode handler of type ipfw_eaction_t.
59 * This handler is called by the ipfw_chk() function when the
60 * O_EXTERNAL_ACTION opcode is matched. The handler must return a
61 * value that is used as the return value of ipfw_chk(), i.e. IP_FW_PASS,
62 * IP_FW_DENY (see ip_fw_private.h).
63 * The handler must also set the last argument. If it is zero,
64 * the search continues to the next rule. If it is non-zero,
65 * the search terminates.
67 * The module that implements an external action should register its
68 * handler and name with the ipfw_add_eaction() function.
69 * This function returns an eaction_id that can be used by the module.
71 * It is possible to pass some additional information to external
72 * action handler via the O_EXTERNAL_INSTANCE opcode. This opcode
73 * will be next after the O_EXTERNAL_ACTION opcode. cmd->arg1 will
74 * contain index of named object related to instance of external action.
76 * When an eaction module uses named instances, it should register
77 * opcode rewriting routines for the O_EXTERNAL_INSTANCE opcode. The
78 * classifier callback can look back into the O_EXTERNAL_ACTION opcode (it
79 * must be at (ipfw_insn *)(cmd - 1)). From arg1 of O_EXTERNAL_ACTION
80 * it can determine the eaction_id and compare it with its own.
81 * The macro IPFW_TLV_EACTION_NAME(eaction_id) can be used to determine
82 * the type of the named_object related to an external action instance.
84 * On module unload, the handler should be deregistered with the
85 * ipfw_del_eaction() function using the known eaction_id.
89 struct named_object no;
90 ipfw_eaction_t *handler;
94 #define EACTION_OBJ(ch, cmd) \
95 ((struct eaction_obj *)SRV_OBJECT((ch), (cmd)->arg1))
98 #define EACTION_DEBUG(fmt, ...) do { \
99 printf("%s: " fmt "\n", __func__, ## __VA_ARGS__); \
102 #define EACTION_DEBUG(fmt, ...)
105 const char *default_eaction_typename = "drop";
107 default_eaction(struct ip_fw_chain *ch, struct ip_fw_args *args,
108 ipfw_insn *cmd, int *done)
111 *done = 1; /* terminate the search */
116 * Opcode rewriting callbacks.
119 eaction_classify(ipfw_insn *cmd, uint16_t *puidx, uint8_t *ptype)
122 EACTION_DEBUG("opcode %d, arg1 %d", cmd->opcode, cmd->arg1);
129 eaction_update(ipfw_insn *cmd, uint16_t idx)
133 EACTION_DEBUG("opcode %d, arg1 -> %d", cmd->opcode, cmd->arg1);
137 eaction_findbyname(struct ip_fw_chain *ch, struct tid_info *ti,
138 struct named_object **pno)
142 if (ti->tlvs == NULL)
145 /* Search ntlv in the buffer provided by user */
146 ntlv = ipfw_find_name_tlv_type(ti->tlvs, ti->tlen, ti->uidx,
150 EACTION_DEBUG("name %s, uidx %u, type %u", ntlv->name,
153 * Search named object with corresponding name.
154 * Since eaction objects are global - ignore the set value
155 * and use zero instead.
157 *pno = ipfw_objhash_lookup_name_type(CHAIN_TO_SRV(ch),
158 0, IPFW_TLV_EACTION, ntlv->name);
164 static struct named_object *
165 eaction_findbykidx(struct ip_fw_chain *ch, uint16_t idx)
168 EACTION_DEBUG("kidx %u", idx);
169 return (ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), idx));
172 static struct opcode_obj_rewrite eaction_opcodes[] = {
174 .opcode = O_EXTERNAL_ACTION,
175 .etlv = IPFW_TLV_EACTION,
176 .classifier = eaction_classify,
177 .update = eaction_update,
178 .find_byname = eaction_findbyname,
179 .find_bykidx = eaction_findbykidx,
184 create_eaction_obj(struct ip_fw_chain *ch, ipfw_eaction_t handler,
185 const char *name, uint16_t *eaction_id)
187 struct namedobj_instance *ni;
188 struct eaction_obj *obj;
190 IPFW_UH_UNLOCK_ASSERT(ch);
192 ni = CHAIN_TO_SRV(ch);
193 obj = malloc(sizeof(*obj), M_IPFW, M_WAITOK | M_ZERO);
194 obj->no.name = obj->name;
195 obj->no.etlv = IPFW_TLV_EACTION;
196 obj->handler = handler;
197 strlcpy(obj->name, name, sizeof(obj->name));
200 if (ipfw_objhash_lookup_name_type(ni, 0, IPFW_TLV_EACTION,
203 * Object is already created.
204 * We don't allow eactions with the same name.
208 EACTION_DEBUG("External action with typename "
209 "'%s' already exists", name);
212 if (ipfw_objhash_alloc_idx(ni, &obj->no.kidx) != 0) {
215 EACTION_DEBUG("alloc_idx failed");
218 ipfw_objhash_add(ni, &obj->no);
220 SRV_OBJECT(ch, obj->no.kidx) = obj;
225 if (eaction_id != NULL)
226 *eaction_id = obj->no.kidx;
231 destroy_eaction_obj(struct ip_fw_chain *ch, struct named_object *no)
233 struct namedobj_instance *ni;
234 struct eaction_obj *obj;
236 IPFW_UH_WLOCK_ASSERT(ch);
238 ni = CHAIN_TO_SRV(ch);
240 obj = SRV_OBJECT(ch, no->kidx);
241 SRV_OBJECT(ch, no->kidx) = NULL;
243 ipfw_objhash_del(ni, no);
244 ipfw_objhash_free_idx(ni, no->kidx);
249 * Resets all eaction opcodes that reference eaction_id to the default ("drop") handler.
252 reset_eaction_obj(struct ip_fw_chain *ch, uint16_t eaction_id)
254 struct named_object *no;
259 IPFW_UH_WLOCK_ASSERT(ch);
261 no = ipfw_objhash_lookup_name_type(CHAIN_TO_SRV(ch), 0,
262 IPFW_TLV_EACTION, default_eaction_typename);
264 panic("Default external action handler is not found");
265 if (eaction_id == no->kidx)
266 panic("Wrong eaction_id");
267 EACTION_DEBUG("replace id %u with %u", eaction_id, no->kidx);
269 for (i = 0; i < ch->n_rules; i++) {
271 cmd = ACTION_PTR(rule);
272 if (cmd->opcode != O_EXTERNAL_ACTION)
274 if (cmd->arg1 != eaction_id)
276 cmd->arg1 = no->kidx; /* Set to default id */
278 * XXX: we only bump refcount on default_eaction.
279 * Refcount on the original object will be just
280 * ignored on destroy. But on default_eaction it
281 * will be decremented on rule deletion.
285 * Since named_object related to this instance will be
286 * also destroyed, truncate the chain of opcodes to
287 * remove O_EXTERNAL_INSTANCE opcode.
289 if (rule->act_ofs < rule->cmd_len - 1) {
290 EACTION_DEBUG("truncate rule %d", rule->rulenum);
298 * Initialize the external actions framework.
299 * Create the object with the default eaction handler "drop".
302 ipfw_eaction_init(struct ip_fw_chain *ch, int first)
306 error = create_eaction_obj(ch, default_eaction,
307 default_eaction_typename, NULL);
310 IPFW_ADD_OBJ_REWRITER(first, eaction_opcodes);
311 EACTION_DEBUG("External actions support initialized");
316 ipfw_eaction_uninit(struct ip_fw_chain *ch, int last)
318 struct namedobj_instance *ni;
319 struct named_object *no;
321 ni = CHAIN_TO_SRV(ch);
324 no = ipfw_objhash_lookup_name_type(ni, 0, IPFW_TLV_EACTION,
325 default_eaction_typename);
327 destroy_eaction_obj(ch, no);
329 IPFW_DEL_OBJ_REWRITER(last, eaction_opcodes);
330 EACTION_DEBUG("External actions support uninitialized");
334 * Registers an external action handler in the global array.
335 * On success it returns the eaction id, otherwise zero.
338 ipfw_add_eaction(struct ip_fw_chain *ch, ipfw_eaction_t handler,
344 if (ipfw_check_object_name_generic(name) == 0) {
345 create_eaction_obj(ch, handler, name, &eaction_id);
346 EACTION_DEBUG("Registered external action '%s' with id %u",
353 * Deregisters the external action handler with id eaction_id.
356 ipfw_del_eaction(struct ip_fw_chain *ch, uint16_t eaction_id)
358 struct named_object *no;
361 no = ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), eaction_id);
362 if (no == NULL || no->etlv != IPFW_TLV_EACTION) {
367 reset_eaction_obj(ch, eaction_id);
368 EACTION_DEBUG("External action '%s' with id %u unregistered",
369 no->name, eaction_id);
370 destroy_eaction_obj(ch, no);
376 ipfw_run_eaction(struct ip_fw_chain *ch, struct ip_fw_args *args,
377 ipfw_insn *cmd, int *done)
380 return (EACTION_OBJ(ch, cmd)->handler(ch, args, cmd, done));