sys/netpfil/pf/pf_ruleset.c

   1 /*-
   2  * SPDX-License-Identifier: BSD-2-Clause
   3  *
   4  * Copyright (c) 2001 Daniel Hartmeier
   5  * Copyright (c) 2002,2003 Henning Brauer
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  *    - Redistributions of source code must retain the above copyright
  13  *      notice, this list of conditions and the following disclaimer.
  14  *    - Redistributions in binary form must reproduce the above
  15  *      copyright notice, this list of conditions and the following
  16  *      disclaimer in the documentation and/or other materials provided
  17  *      with the distribution.
  18  *
  19  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  20  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  21  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  22  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
  23  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
  24  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
  25  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  26  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  27  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
  29  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  30  * POSSIBILITY OF SUCH DAMAGE.
  31  *
  32  * Effort sponsored in part by the Defense Advanced Research Projects
  33  * Agency (DARPA) and Air Force Research Laboratory, Air Force
  34  * Materiel Command, USAF, under agreement number F30602-01-2-0537.
  35  *
  36  *      $OpenBSD: pf_ruleset.c,v 1.2 2008/12/18 15:31:37 dhill Exp $
  37  */
  38
  39 #include <sys/cdefs.h>
  40 __FBSDID("$FreeBSD$");
  41
  42 #include <sys/param.h>
  43 #include <sys/socket.h>
  44 #ifdef _KERNEL
  45 # include <sys/systm.h>
  46 # include <sys/refcount.h>
  47 #endif /* _KERNEL */
  48 #include <sys/mbuf.h>
  49
  50 #include <netinet/in.h>
  51 #include <netinet/in_systm.h>
  52 #include <netinet/ip.h>
  53 #include <netinet/tcp.h>
  54
  55 #include <net/if.h>
  56 #include <net/vnet.h>
  57 #include <net/pfvar.h>
  58
  59 #ifdef INET6
  60 #include <netinet/ip6.h>
  61 #endif /* INET6 */
  62
  63 #ifdef _KERNEL
  64 #define DPFPRINTF(format, x...)                         \
  65         if (V_pf_status.debug >= PF_DEBUG_NOISY)        \
  66                 printf(format , ##x)
  67 #define rs_malloc(x)            malloc(x, M_TEMP, M_NOWAIT|M_ZERO)
  68 #define rs_free(x)              free(x, M_TEMP)
  69
  70 #else
  71 /* Userland equivalents so we can lend code to pfctl et al. */
  72
  73 #include <arpa/inet.h>
  74 #include <errno.h>
  75 #include <stdio.h>
  76 #include <stdlib.h>
  77 #include <string.h>
  78 #define rs_malloc(x)             calloc(1, x)
  79 #define rs_free(x)               free(x)
  80
  81 #ifdef PFDEBUG
  82 #include <sys/stdarg.h>
  83 #define DPFPRINTF(format, x...) fprintf(stderr, format , ##x)
  84 #else
  85 #define DPFPRINTF(format, x...) ((void)0)
  86 #endif /* PFDEBUG */
  87 #endif /* _KERNEL */
  88
  89 #ifdef _KERNEL
  90 VNET_DEFINE(struct pf_anchor_global,    pf_anchors);
  91 VNET_DEFINE(struct pf_anchor,           pf_main_anchor);
  92 #else /* ! _KERNEL */
  93 struct pf_anchor_global  pf_anchors;
  94 struct pf_anchor         pf_main_anchor;
  95 #undef V_pf_anchors
  96 #define V_pf_anchors             pf_anchors
  97 #undef pf_main_ruleset
  98 #define pf_main_ruleset          pf_main_anchor.ruleset
  99 #endif /* _KERNEL */
 100
 101 static __inline int pf_anchor_compare(struct pf_anchor *, struct pf_anchor *);
 102
 103 static struct pf_anchor         *pf_find_anchor(const char *);
 104
 105 RB_GENERATE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
 106 RB_GENERATE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
 107
 108 static __inline int
 109 pf_anchor_compare(struct pf_anchor *a, struct pf_anchor *b)
 110 {
 111         int c = strcmp(a->path, b->path);
 112
 113         return (c ? (c < 0 ? -1 : 1) : 0);
 114 }
 115
 116 int
 117 pf_get_ruleset_number(u_int8_t action)
 118 {
 119         switch (action) {
 120         case PF_SCRUB:
 121         case PF_NOSCRUB:
 122                 return (PF_RULESET_SCRUB);
 123                 break;
 124         case PF_PASS:
 125         case PF_DROP:
 126                 return (PF_RULESET_FILTER);
 127                 break;
 128         case PF_NAT:
 129         case PF_NONAT:
 130                 return (PF_RULESET_NAT);
 131                 break;
 132         case PF_BINAT:
 133         case PF_NOBINAT:
 134                 return (PF_RULESET_BINAT);
 135                 break;
 136         case PF_RDR:
 137         case PF_NORDR:
 138                 return (PF_RULESET_RDR);
 139                 break;
 140         default:
 141                 return (PF_RULESET_MAX);
 142                 break;
 143         }
 144 }
 145
 146 void
 147 pf_init_ruleset(struct pf_ruleset *ruleset)
 148 {
 149         int     i;
 150
 151         memset(ruleset, 0, sizeof(struct pf_ruleset));
 152         for (i = 0; i < PF_RULESET_MAX; i++) {
 153                 TAILQ_INIT(&ruleset->rules[i].queues[0]);
 154                 TAILQ_INIT(&ruleset->rules[i].queues[1]);
 155                 ruleset->rules[i].active.ptr = &ruleset->rules[i].queues[0];
 156                 ruleset->rules[i].inactive.ptr = &ruleset->rules[i].queues[1];
 157         }
 158 }
 159
 160 static struct pf_anchor *
 161 pf_find_anchor(const char *path)
 162 {
 163         struct pf_anchor        *key, *found;
 164
 165         key = (struct pf_anchor *)rs_malloc(sizeof(*key));
 166         if (key == NULL)
 167                 return (NULL);
 168         strlcpy(key->path, path, sizeof(key->path));
 169         found = RB_FIND(pf_anchor_global, &V_pf_anchors, key);
 170         rs_free(key);
 171         return (found);
 172 }
 173
 174 struct pf_ruleset *
 175 pf_find_ruleset(const char *path)
 176 {
 177         struct pf_anchor        *anchor;
 178
 179         while (*path == '/')
 180                 path++;
 181         if (!*path)
 182                 return (&pf_main_ruleset);
 183         anchor = pf_find_anchor(path);
 184         if (anchor == NULL)
 185                 return (NULL);
 186         else
 187                 return (&anchor->ruleset);
 188 }
 189
 190 struct pf_ruleset *
 191 pf_find_or_create_ruleset(const char *path)
 192 {
 193         char                    *p, *q, *r;
 194         struct pf_ruleset       *ruleset;
 195         struct pf_anchor        *anchor = NULL, *dup, *parent = NULL;
 196
 197         if (path[0] == 0)
 198                 return (&pf_main_ruleset);
 199         while (*path == '/')
 200                 path++;
 201         ruleset = pf_find_ruleset(path);
 202         if (ruleset != NULL)
 203                 return (ruleset);
 204         p = (char *)rs_malloc(MAXPATHLEN);
 205         if (p == NULL)
 206                 return (NULL);
 207         strlcpy(p, path, MAXPATHLEN);
 208         while (parent == NULL && (q = strrchr(p, '/')) != NULL) {
 209                 *q = 0;
 210                 if ((ruleset = pf_find_ruleset(p)) != NULL) {
 211                         parent = ruleset->anchor;
 212                         break;
 213                 }
 214         }
 215         if (q == NULL)
 216                 q = p;
 217         else
 218                 q++;
 219         strlcpy(p, path, MAXPATHLEN);
 220         if (!*q) {
 221                 rs_free(p);
 222                 return (NULL);
 223         }
 224         while ((r = strchr(q, '/')) != NULL || *q) {
 225                 if (r != NULL)
 226                         *r = 0;
 227                 if (!*q || strlen(q) >= PF_ANCHOR_NAME_SIZE ||
 228                     (parent != NULL && strlen(parent->path) >=
 229                     MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 1)) {
 230                         rs_free(p);
 231                         return (NULL);
 232                 }
 233                 anchor = (struct pf_anchor *)rs_malloc(sizeof(*anchor));
 234                 if (anchor == NULL) {
 235                         rs_free(p);
 236                         return (NULL);
 237                 }
 238                 RB_INIT(&anchor->children);
 239                 strlcpy(anchor->name, q, sizeof(anchor->name));
 240                 if (parent != NULL) {
 241                         strlcpy(anchor->path, parent->path,
 242                             sizeof(anchor->path));
 243                         strlcat(anchor->path, "/", sizeof(anchor->path));
 244                 }
 245                 strlcat(anchor->path, anchor->name, sizeof(anchor->path));
 246                 if ((dup = RB_INSERT(pf_anchor_global, &V_pf_anchors, anchor)) !=
 247                     NULL) {
 248                         printf("pf_find_or_create_ruleset: RB_INSERT1 "
 249                             "'%s' '%s' collides with '%s' '%s'\n",
 250                             anchor->path, anchor->name, dup->path, dup->name);
 251                         rs_free(anchor);
 252                         rs_free(p);
 253                         return (NULL);
 254                 }
 255                 if (parent != NULL) {
 256                         anchor->parent = parent;
 257                         if ((dup = RB_INSERT(pf_anchor_node, &parent->children,
 258                             anchor)) != NULL) {
 259                                 printf("pf_find_or_create_ruleset: "
 260                                     "RB_INSERT2 '%s' '%s' collides with "
 261                                     "'%s' '%s'\n", anchor->path, anchor->name,
 262                                     dup->path, dup->name);
 263                                 RB_REMOVE(pf_anchor_global, &V_pf_anchors,
 264                                     anchor);
 265                                 rs_free(anchor);
 266                                 rs_free(p);
 267                                 return (NULL);
 268                         }
 269                 }
 270                 pf_init_ruleset(&anchor->ruleset);
 271                 anchor->ruleset.anchor = anchor;
 272                 parent = anchor;
 273                 if (r != NULL)
 274                         q = r + 1;
 275                 else
 276                         *q = 0;
 277         }
 278         rs_free(p);
 279         return (&anchor->ruleset);
 280 }
 281
 282 void
 283 pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
 284 {
 285         struct pf_anchor        *parent;
 286         int                      i;
 287
 288         while (ruleset != NULL) {
 289                 if (ruleset == &pf_main_ruleset || ruleset->anchor == NULL ||
 290                     !RB_EMPTY(&ruleset->anchor->children) ||
 291                     ruleset->anchor->refcnt > 0 || ruleset->tables > 0 ||
 292                     ruleset->topen)
 293                         return;
 294                 for (i = 0; i < PF_RULESET_MAX; ++i)
 295                         if (!TAILQ_EMPTY(ruleset->rules[i].active.ptr) ||
 296                             !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) ||
 297                             ruleset->rules[i].inactive.open)
 298                                 return;
 299                 RB_REMOVE(pf_anchor_global, &V_pf_anchors, ruleset->anchor);
 300                 if ((parent = ruleset->anchor->parent) != NULL)
 301                         RB_REMOVE(pf_anchor_node, &parent->children,
 302                             ruleset->anchor);
 303                 rs_free(ruleset->anchor);
 304                 if (parent == NULL)
 305                         return;
 306                 ruleset = &parent->ruleset;
 307         }
 308 }
 309
 310 int
 311 pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s,
 312     const char *name)
 313 {
 314         char                    *p, *path;
 315         struct pf_ruleset       *ruleset;
 316
 317         r->anchor = NULL;
 318         r->anchor_relative = 0;
 319         r->anchor_wildcard = 0;
 320         if (!name[0])
 321                 return (0);
 322         path = (char *)rs_malloc(MAXPATHLEN);
 323         if (path == NULL)
 324                 return (1);
 325         if (name[0] == '/')
 326                 strlcpy(path, name + 1, MAXPATHLEN);
 327         else {
 328                 /* relative path */
 329                 r->anchor_relative = 1;
 330                 if (s->anchor == NULL || !s->anchor->path[0])
 331                         path[0] = 0;
 332                 else
 333                         strlcpy(path, s->anchor->path, MAXPATHLEN);
 334                 while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
 335                         if (!path[0]) {
 336                                 printf("pf_anchor_setup: .. beyond root\n");
 337                                 rs_free(path);
 338                                 return (1);
 339                         }
 340                         if ((p = strrchr(path, '/')) != NULL)
 341                                 *p = 0;
 342                         else
 343                                 path[0] = 0;
 344                         r->anchor_relative++;
 345                         name += 3;
 346                 }
 347                 if (path[0])
 348                         strlcat(path, "/", MAXPATHLEN);
 349                 strlcat(path, name, MAXPATHLEN);
 350         }
 351         if ((p = strrchr(path, '/')) != NULL && !strcmp(p, "/*")) {
 352                 r->anchor_wildcard = 1;
 353                 *p = 0;
 354         }
 355         ruleset = pf_find_or_create_ruleset(path);
 356         rs_free(path);
 357         if (ruleset == NULL || ruleset->anchor == NULL) {
 358                 printf("pf_anchor_setup: ruleset\n");
 359                 return (1);
 360         }
 361         r->anchor = ruleset->anchor;
 362         r->anchor->refcnt++;
 363         return (0);
 364 }
 365
 366 int
 367 pf_anchor_copyout(const struct pf_ruleset *rs, const struct pf_rule *r,
 368     struct pfioc_rule *pr)
 369 {
 370         pr->anchor_call[0] = 0;
 371         if (r->anchor == NULL)
 372                 return (0);
 373         if (!r->anchor_relative) {
 374                 strlcpy(pr->anchor_call, "/", sizeof(pr->anchor_call));
 375                 strlcat(pr->anchor_call, r->anchor->path,
 376                     sizeof(pr->anchor_call));
 377         } else {
 378                 char    *a, *p;
 379                 int      i;
 380
 381                 a = (char *)rs_malloc(MAXPATHLEN);
 382                 if (a == NULL)
 383                         return (1);
 384                 if (rs->anchor == NULL)
 385                         a[0] = 0;
 386                 else
 387                         strlcpy(a, rs->anchor->path, MAXPATHLEN);
 388                 for (i = 1; i < r->anchor_relative; ++i) {
 389                         if ((p = strrchr(a, '/')) == NULL)
 390                                 p = a;
 391                         *p = 0;
 392                         strlcat(pr->anchor_call, "../",
 393                             sizeof(pr->anchor_call));
 394                 }
 395                 if (strncmp(a, r->anchor->path, strlen(a))) {
 396                         printf("pf_anchor_copyout: '%s' '%s'\n", a,
 397                             r->anchor->path);
 398                         rs_free(a);
 399                         return (1);
 400                 }
 401                 if (strlen(r->anchor->path) > strlen(a))
 402                         strlcat(pr->anchor_call, r->anchor->path + (a[0] ?
 403                             strlen(a) + 1 : 0), sizeof(pr->anchor_call));
 404                 rs_free(a);
 405         }
 406         if (r->anchor_wildcard)
 407                 strlcat(pr->anchor_call, pr->anchor_call[0] ? "/*" : "*",
 408                     sizeof(pr->anchor_call));
 409         return (0);
 410 }
 411
 412 void
 413 pf_anchor_remove(struct pf_rule *r)
 414 {
 415         if (r->anchor == NULL)
 416                 return;
 417         if (r->anchor->refcnt <= 0) {
 418                 printf("pf_anchor_remove: broken refcount\n");
 419                 r->anchor = NULL;
 420                 return;
 421         }
 422         if (!--r->anchor->refcnt)
 423                 pf_remove_if_empty_ruleset(&r->anchor->ruleset);
 424         r->anchor = NULL;
 425 }