2 * Copyright (c) 2014 Yandex LLC.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD$");
30 * Kernel interface tracking API.
37 #error IPFIREWALL requires INET.
39 #include "opt_inet6.h"
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/malloc.h>
44 #include <sys/kernel.h>
46 #include <sys/rwlock.h>
47 #include <sys/rmlock.h>
48 #include <sys/socket.h>
49 #include <sys/queue.h>
50 #include <sys/eventhandler.h>
52 #include <net/if_var.h>
56 #include <netinet/in.h>
57 #include <netinet/ip_var.h> /* struct ipfw_rule_ref */
58 #include <netinet/ip_fw.h>
60 #include <netpfil/ipfw/ip_fw_private.h>
62 #define CHAIN_TO_II(ch) ((struct namedobj_instance *)ch->ifcfg)
64 #define DEFAULT_IFACES 128
66 static void handle_ifdetach(struct ip_fw_chain *ch, struct ipfw_iface *iif,
68 static void handle_ifattach(struct ip_fw_chain *ch, struct ipfw_iface *iif,
70 static int list_ifaces(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
71 struct sockopt_data *sd);
73 static struct ipfw_sopt_handler scodes[] = {
74 { IP_FW_XIFLIST, 0, HDIR_GET, list_ifaces },
78 * FreeBSD Kernel interface.
80 static void ipfw_kifhandler(void *arg, struct ifnet *ifp);
81 static int ipfw_kiflookup(char *name);
82 static void iface_khandler_register(void);
83 static void iface_khandler_deregister(void);
85 static eventhandler_tag ipfw_ifdetach_event, ipfw_ifattach_event;
86 static int num_vnets = 0;
87 static struct mtx vnet_mtx;
90 * Checks if kernel interface is contained in our tracked
91 * interface list and calls attach/detach handler.
94 ipfw_kifhandler(void *arg, struct ifnet *ifp)
96 struct ip_fw_chain *ch;
97 struct ipfw_iface *iif;
98 struct namedobj_instance *ii;
101 if (V_ipfw_vnet_ready == 0)
104 ch = &V_layer3_chain;
105 htype = (uintptr_t)arg;
108 ii = CHAIN_TO_II(ch);
113 iif = (struct ipfw_iface*)ipfw_objhash_lookup_name(ii, 0,
117 handle_ifattach(ch, iif, ifp->if_index);
119 handle_ifdetach(ch, iif, ifp->if_index);
125 * Reference current VNET as iface tracking API user.
126 * Registers interface tracking handlers for first VNET.
129 iface_khandler_register()
139 mtx_unlock(&vnet_mtx);
144 printf("IPFW: starting up interface tracker\n");
146 ipfw_ifdetach_event = EVENTHANDLER_REGISTER(
147 ifnet_departure_event, ipfw_kifhandler, NULL,
148 EVENTHANDLER_PRI_ANY);
149 ipfw_ifattach_event = EVENTHANDLER_REGISTER(
150 ifnet_arrival_event, ipfw_kifhandler, (void*)((uintptr_t)1),
151 EVENTHANDLER_PRI_ANY);
156 * Detach interface event handlers on last VNET instance
160 iface_khandler_deregister()
169 mtx_unlock(&vnet_mtx);
174 EVENTHANDLER_DEREGISTER(ifnet_arrival_event,
175 ipfw_ifattach_event);
176 EVENTHANDLER_DEREGISTER(ifnet_departure_event,
177 ipfw_ifdetach_event);
181 * Retrieves ifindex for given @name.
183 * Returns ifindex or 0.
186 ipfw_kiflookup(char *name)
193 if ((ifp = ifunit_ref(name)) != NULL) {
194 ifindex = ifp->if_index;
202 * Global ipfw startup hook.
203 * Since we perform lazy initialization, do nothing except
210 mtx_init(&vnet_mtx, "IPFW ifhandler mtx", NULL, MTX_DEF);
211 IPFW_ADD_SOPT_HANDLER(1, scodes);
216 * Global ipfw destroy hook.
217 * Unregister khandlers iff init has been done.
223 IPFW_DEL_SOPT_HANDLER(1, scodes);
224 mtx_destroy(&vnet_mtx);
228 * Perform actual init on internal request.
229 * Inits both namehash and global khandler.
232 vnet_ipfw_iface_init(struct ip_fw_chain *ch)
234 struct namedobj_instance *ii;
236 ii = ipfw_objhash_create(DEFAULT_IFACES);
238 if (ch->ifcfg == NULL) {
245 /* Already initialized. Free namehash. */
246 ipfw_objhash_destroy(ii);
248 /* We're the first ones. Init kernel hooks. */
249 iface_khandler_register();
254 destroy_iface(struct namedobj_instance *ii, struct named_object *no,
258 /* Assume all consumers have been already detached */
264 * Per-VNET ipfw detach hook.
268 vnet_ipfw_iface_destroy(struct ip_fw_chain *ch)
270 struct namedobj_instance *ii;
273 ii = CHAIN_TO_II(ch);
278 ipfw_objhash_foreach(ii, destroy_iface, ch);
279 ipfw_objhash_destroy(ii);
280 iface_khandler_deregister();
285 * Notify the subsystem that we are interested in tracking
286 * interface @name. This function has to be called without
287 * holding any locks to permit allocating the necessary states
288 * for proper interface tracking.
290 * Returns 0 on success.
293 ipfw_iface_ref(struct ip_fw_chain *ch, char *name,
296 struct namedobj_instance *ii;
297 struct ipfw_iface *iif, *tmp;
299 if (strlen(name) >= sizeof(iif->ifname))
304 ii = CHAIN_TO_II(ch);
308 * First request to subsystem.
309 * Let's perform init.
312 vnet_ipfw_iface_init(ch);
314 ii = CHAIN_TO_II(ch);
317 iif = (struct ipfw_iface *)ipfw_objhash_lookup_name(ii, 0, name);
328 /* Not found. Let's create one */
329 iif = malloc(sizeof(struct ipfw_iface), M_IPFW, M_WAITOK | M_ZERO);
330 TAILQ_INIT(&iif->consumers);
331 iif->no.name = iif->ifname;
332 strlcpy(iif->ifname, name, sizeof(iif->ifname));
335 * Ref & link to the list.
337 * We assume ifnet_arrival_event / ifnet_departure_event
338 * are not holding any locks.
343 tmp = (struct ipfw_iface *)ipfw_objhash_lookup_name(ii, 0, name);
345 /* Interface has been created since unlock. Ref and return */
353 iif->ifindex = ipfw_kiflookup(name);
354 if (iif->ifindex != 0)
357 ipfw_objhash_add(ii, &iif->no);
366 * Adds @ic to the list of iif interface consumers.
367 * Must be called while holding both UH+WLOCK.
368 * Callback may be immediately called (if interface exists).
371 ipfw_iface_add_notify(struct ip_fw_chain *ch, struct ipfw_ifc *ic)
373 struct ipfw_iface *iif;
375 IPFW_UH_WLOCK_ASSERT(ch);
376 IPFW_WLOCK_ASSERT(ch);
380 TAILQ_INSERT_TAIL(&iif->consumers, ic, next);
381 if (iif->resolved != 0)
382 ic->cb(ch, ic->cbdata, iif->ifindex);
386 * Unlinks interface tracker object @ic from interface.
387 * Must be called while holding UH lock.
390 ipfw_iface_del_notify(struct ip_fw_chain *ch, struct ipfw_ifc *ic)
392 struct ipfw_iface *iif;
394 IPFW_UH_WLOCK_ASSERT(ch);
397 TAILQ_REMOVE(&iif->consumers, ic, next);
401 * Unreference interface specified by @ic.
402 * Must be called while holding UH lock.
405 ipfw_iface_unref(struct ip_fw_chain *ch, struct ipfw_ifc *ic)
407 struct ipfw_iface *iif;
409 IPFW_UH_WLOCK_ASSERT(ch);
415 /* TODO: check for references & delete */
419 * Interface arrival handler.
422 handle_ifattach(struct ip_fw_chain *ch, struct ipfw_iface *iif,
427 IPFW_UH_WLOCK_ASSERT(ch);
431 iif->ifindex = ifindex;
434 TAILQ_FOREACH(ic, &iif->consumers, next)
435 ic->cb(ch, ic->cbdata, iif->ifindex);
440 * Interface departure handler.
443 handle_ifdetach(struct ip_fw_chain *ch, struct ipfw_iface *iif,
448 IPFW_UH_WLOCK_ASSERT(ch);
451 TAILQ_FOREACH(ic, &iif->consumers, next)
452 ic->cb(ch, ic->cbdata, 0);
460 struct dump_iface_args {
461 struct ip_fw_chain *ch;
462 struct sockopt_data *sd;
466 export_iface_internal(struct namedobj_instance *ii, struct named_object *no,
470 struct dump_iface_args *da;
471 struct ipfw_iface *iif;
473 da = (struct dump_iface_args *)arg;
475 i = (ipfw_iface_info *)ipfw_get_sopt_space(da->sd, sizeof(*i));
476 KASSERT(i != NULL, ("previously checked buffer is not enough"));
478 iif = (struct ipfw_iface *)no;
480 strlcpy(i->ifname, iif->ifname, sizeof(i->ifname));
482 i->flags |= IPFW_IFFLAG_RESOLVED;
483 i->ifindex = iif->ifindex;
484 i->refcnt = iif->no.refcnt;
485 i->gencnt = iif->gencnt;
491 * Lists all interfaces currently tracked by ipfw.
491 * Data layout (v0)(current):
492 * Request: [ ipfw_obj_lheader ], size = ipfw_obj_lheader.size
493 * Reply: [ ipfw_obj_lheader ipfw_iface_info x N ]
495 * Returns 0 on success
498 list_ifaces(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
499 struct sockopt_data *sd)
501 struct namedobj_instance *ii;
502 struct _ipfw_obj_lheader *olh;
503 struct dump_iface_args da;
504 uint32_t count, size;
506 olh = (struct _ipfw_obj_lheader *)ipfw_get_sopt_header(sd,sizeof(*olh));
509 if (sd->valsize < olh->size)
513 ii = CHAIN_TO_II(ch);
515 count = ipfw_objhash_count(ii);
518 size = count * sizeof(ipfw_iface_info) + sizeof(ipfw_obj_lheader);
520 /* Fill in header regardless of buffer size */
522 olh->objsize = sizeof(ipfw_iface_info);
524 if (size > olh->size) {
535 ipfw_objhash_foreach(ii, export_iface_internal, &da);