4 * Copyright (C) 1998-2003 by Darren Reed & Guido van Rooij.
6 * See the IPFILTER.LICENCE file for details on licencing.
8 #if defined(KERNEL) || defined(_KERNEL)
14 #include <sys/errno.h>
15 #include <sys/types.h>
16 #include <sys/param.h>
30 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
31 # include <sys/filio.h>
32 # include <sys/fcntl.h>
34 # include <sys/ioctl.h>
37 # include <sys/protosw.h>
39 #include <sys/socket.h>
41 # include <sys/systm.h>
42 # if !defined(__SVR4) && !defined(__svr4__) && !defined(linux)
43 # include <sys/mbuf.h>
46 #if defined(__SVR4) || defined(__svr4__)
47 # include <sys/filio.h>
48 # include <sys/byteorder.h>
50 # include <sys/dditypes.h>
52 # include <sys/stream.h>
53 # include <sys/kmem.h>
55 #if (defined(_BSDI_VERSION) && _BSDI_VERSION >= 199802) || \
56 (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000))
57 # include <sys/queue.h>
59 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
60 # include <machine/cpu.h>
62 #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
63 # include <sys/proc.h>
69 #include <net/route.h>
70 #include <netinet/in.h>
71 #include <netinet/in_systm.h>
72 #include <netinet/ip.h>
73 #if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi)
79 # include <netinet/ip_var.h>
85 #include <netinet/tcp.h>
86 #if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */
87 extern struct ifqueue ipintrq; /* ip packet input queue */
89 # if !defined(__hpux) && !defined(linux)
90 # if __FreeBSD_version >= 300000
91 # include <net/if_var.h>
92 # if __FreeBSD_version >= 500042
93 # define IF_QFULL _IF_QFULL
94 # define IF_DROP _IF_DROP
95 # endif /* __FreeBSD_version >= 500042 */
97 # include <netinet/in_var.h>
98 # include <netinet/tcp_fsm.h>
101 #include <netinet/udp.h>
102 #include <netinet/ip_icmp.h>
103 #include "netinet/ip_compat.h"
104 #include <netinet/tcpip.h>
105 #include "netinet/ip_fil.h"
106 #include "netinet/ip_auth.h"
107 #if !defined(MENTAT) && !defined(linux)
108 # include <net/netisr.h>
110 # include <machine/cpufunc.h>
113 #if (__FreeBSD_version >= 300000)
114 # include <sys/malloc.h>
115 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
116 # include <sys/libkern.h>
117 # include <sys/systm.h>
120 /* END OF INCLUDES */
123 static const char rcsid[] = "@(#)$FreeBSD$";
124 /* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.24 2007/09/09 11:32:04 darrenr Exp $"; */
128 #if SOLARIS && defined(_KERNEL)
129 extern kcondvar_t ipfauthwait;
130 extern struct pollhead iplpollhead[IPL_LOGSIZE];
132 #if defined(linux) && defined(_KERNEL)
133 wait_queue_head_t fr_authnext_linux;
136 int fr_authsize = FR_NUMAUTH;
138 int fr_defaultauthage = 600;
139 int fr_auth_lock = 0;
140 int fr_auth_init = 0;
141 fr_authstat_t fr_authstats;
142 static frauth_t *fr_auth = NULL;
143 mb_t **fr_authpkts = NULL;
144 int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
145 frauthent_t *fae_list = NULL;
146 frentry_t *ipauth = NULL,
149 void fr_authderef __P((frauthent_t **));
150 int fr_authgeniter __P((ipftoken_t *, ipfgeniter_t *));
151 int fr_authreply __P((char *));
152 int fr_authwait __P((char *));
154 /* ------------------------------------------------------------------------ */
155 /* Function: fr_authinit */
156 /* Returns: int - 0 == success, else error */
157 /* Parameters: None */
159 /* Allocate memory and initialise data structures used in handling auth */
161 /* ------------------------------------------------------------------------ */
164 KMALLOCS(fr_auth, frauth_t *, fr_authsize * sizeof(*fr_auth));
166 bzero((char *)fr_auth, fr_authsize * sizeof(*fr_auth));
170 KMALLOCS(fr_authpkts, mb_t **, fr_authsize * sizeof(*fr_authpkts));
171 if (fr_authpkts != NULL)
172 bzero((char *)fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
176 MUTEX_INIT(&ipf_authmx, "ipf auth log mutex");
177 RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock");
178 #if SOLARIS && defined(_KERNEL)
179 cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL);
181 #if defined(linux) && defined(_KERNEL)
182 init_waitqueue_head(&fr_authnext_linux);
191 /* ------------------------------------------------------------------------ */
192 /* Function: fr_checkauth */
193 /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */
194 /* Parameters: fin(I) - pointer to ipftoken structure */
195 /* passp(I) - pointer to ipfgeniter structure */
197 /* Check if a packet has authorization. If the packet is found to match an */
198 /* authorization result and that would result in a feedback loop (i.e. it */
199 /* will end up returning FR_AUTH) then return FR_BLOCK instead. */
200 /* ------------------------------------------------------------------------ */
201 frentry_t *fr_checkauth(fin, passp)
212 if (fr_auth_lock || !fr_authused)
218 READ_ENTER(&ipf_auth);
219 for (i = fr_authstart; i != fr_authend; ) {
221 * index becomes -2 only after an SIOCAUTHW. Check this in
222 * case the same packet gets sent again and it hasn't yet been
226 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
227 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
229 * Avoid feedback loop.
231 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass)))
234 * Create a dummy rule for the stateful checking to
235 * use and return. Zero out any values we don't
236 * trust from userland!
238 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
239 (fin->fin_flx & FI_FRAG))) {
240 KMALLOC(fr, frentry_t *);
242 bcopy((char *)fra->fra_info.fin_fr,
243 (char *)fr, sizeof(*fr));
245 fr->fr_ifa = fin->fin_ifp;
249 fr->fr_ifas[1] = NULL;
250 fr->fr_ifas[2] = NULL;
251 fr->fr_ifas[3] = NULL;
254 fr = fra->fra_info.fin_fr;
256 RWLOCK_EXIT(&ipf_auth);
258 WRITE_ENTER(&ipf_auth);
260 * fr_authlist is populated with the rules malloc'd
261 * above and only those.
263 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) {
264 fr->fr_next = fr_authlist;
267 fr_authstats.fas_hits++;
270 if (i == fr_authstart) {
271 while (fra->fra_index == -1) {
274 if (i == fr_authsize) {
282 if (fr_authstart == fr_authend) {
284 fr_authstart = fr_authend = 0;
287 RWLOCK_EXIT(&ipf_auth);
290 ATOMIC_INC64(fr_authstats.fas_hits);
294 if (i == fr_authsize)
297 fr_authstats.fas_miss++;
298 RWLOCK_EXIT(&ipf_auth);
299 ATOMIC_INC64(fr_authstats.fas_miss);
304 /* ------------------------------------------------------------------------ */
305 /* Function: fr_newauth */
306 /* Returns: int - 1 == success, 0 = did not put packet on auth queue */
307 /* Parameters: m(I) - pointer to mb_t with packet in it */
308 /* fin(I) - pointer to packet information */
310 /* Check if we have room in the auth array to hold details for another */
311 /* packet. If we do, store it and wake up any user programs which are */
312 /* waiting to hear about these events. */
313 /* ------------------------------------------------------------------------ */
314 int fr_newauth(m, fin)
318 #if defined(_KERNEL) && defined(MENTAT)
319 qpktinfo_t *qpi = fin->fin_qpi;
322 #if !defined(sparc) && !defined(m68k)
330 WRITE_ENTER(&ipf_auth);
331 if (((fr_authend + 1) % fr_authsize) == fr_authstart) {
332 fr_authstats.fas_nospace++;
333 RWLOCK_EXIT(&ipf_auth);
337 fr_authstats.fas_added++;
340 if (fr_authend == fr_authsize)
344 RWLOCK_EXIT(&ipf_auth);
346 if (fin->fin_fr != NULL)
347 fra->fra_pass = fin->fin_fr->fr_flags;
350 fra->fra_age = fr_defaultauthage;
351 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
352 #if !defined(sparc) && !defined(m68k)
354 * No need to copyback here as we want to undo the changes, not keep
358 # if defined(MENTAT) && defined(_KERNEL)
359 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4))
365 ip->ip_len = htons(bo);
367 ip->ip_off = htons(bo);
370 #if SOLARIS && defined(_KERNEL)
371 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname);
372 m->b_rptr -= qpi->qpi_off;
373 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
374 # if !defined(_INET_IP_STACK_H)
375 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */
377 fra->fra_m = *fin->fin_mp;
378 fra->fra_info.fin_mp = &fra->fra_m;
379 cv_signal(&ipfauthwait);
380 pollwakeup(&iplpollhead[IPL_LOGAUTH], POLLIN|POLLRDNORM);
383 WAKEUP(&fr_authnext,0);
389 /* ------------------------------------------------------------------------ */
390 /* Function: fr_auth_ioctl */
391 /* Returns: int - 0 == success, else error */
392 /* Parameters: data(IO) - pointer to ioctl data */
393 /* cmd(I) - ioctl command */
394 /* mode(I) - mode flags associated with open descriptor */
395 /* uid(I) - uid associatd with application making the call */
396 /* ctx(I) - pointer for context */
398 /* This function handles all of the ioctls recognised by the auth component */
399 /* in IPFilter - ie ioctls called on an open fd for /dev/ipauth */
400 /* ------------------------------------------------------------------------ */
401 int fr_auth_ioctl(data, cmd, mode, uid, ctx)
417 error = fr_inobj(data, &iter, IPFOBJ_GENITER);
422 token = ipf_findtoken(IPFGENITER_AUTH, uid, ctx);
424 error = fr_authgeniter(token, &iter);
427 RWLOCK_EXIT(&ipf_tokens);
435 if (!(mode & FWRITE))
438 error = frrequest(IPL_LOGAUTH, cmd, data,
443 if (!(mode & FWRITE)) {
447 error = fr_lock(data, &fr_auth_lock);
451 fr_authstats.fas_faelist = fae_list;
452 error = fr_outobj(data, &fr_authstats, IPFOBJ_AUTHSTAT);
457 WRITE_ENTER(&ipf_auth);
459 RWLOCK_EXIT(&ipf_auth);
461 error = BCOPYOUT((char *)&i, data, sizeof(i));
467 error = fr_authwait(data);
471 error = fr_authreply(data);
482 /* ------------------------------------------------------------------------ */
483 /* Function: fr_authunload */
485 /* Parameters: None */
487 /* Free all network buffer memory used to keep saved packets. */
488 /* ------------------------------------------------------------------------ */
492 register frauthent_t *fae, **faep;
493 frentry_t *fr, **frp;
496 if (fr_auth != NULL) {
497 KFREES(fr_auth, fr_authsize * sizeof(*fr_auth));
501 if (fr_authpkts != NULL) {
502 for (i = 0; i < fr_authsize; i++) {
506 fr_authpkts[i] = NULL;
509 KFREES(fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
514 while ((fae = *faep) != NULL) {
515 *faep = fae->fae_next;
520 if (fr_authlist != NULL) {
521 for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
522 if (fr->fr_ref == 1) {
530 if (fr_auth_init == 1) {
531 # if SOLARIS && defined(_KERNEL)
532 cv_destroy(&ipfauthwait);
534 MUTEX_DESTROY(&ipf_authmx);
535 RW_DESTROY(&ipf_auth);
542 /* ------------------------------------------------------------------------ */
543 /* Function: fr_authexpire */
545 /* Parameters: None */
547 /* Slowly expire held auth records. Timeouts are set in expectation of */
548 /* this being called twice per second. */
549 /* ------------------------------------------------------------------------ */
552 frauthent_t *fae, **faep;
553 frentry_t *fr, **frp;
563 WRITE_ENTER(&ipf_auth);
564 for (i = 0, fra = fr_auth; i < fr_authsize; i++, fra++) {
566 if ((fra->fra_age == 0) && (m = fr_authpkts[i])) {
568 fr_authpkts[i] = NULL;
569 fr_auth[i].fra_index = -1;
570 fr_authstats.fas_expire++;
576 * Expire pre-auth rules
578 for (faep = &fae_list; ((fae = *faep) != NULL); ) {
580 if (fae->fae_age == 0) {
582 fr_authstats.fas_expire++;
584 faep = &fae->fae_next;
586 if (fae_list != NULL)
587 ipauth = &fae_list->fae_fr;
591 for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
592 if (fr->fr_ref == 1) {
598 RWLOCK_EXIT(&ipf_auth);
603 /* ------------------------------------------------------------------------ */
604 /* Function: fr_preauthcmd */
605 /* Returns: int - 0 == success, else error */
606 /* Parameters: cmd(I) - ioctl command for rule */
607 /* fr(I) - pointer to ipf rule */
608 /* fptr(I) - pointer to caller's 'fr' */
610 /* ------------------------------------------------------------------------ */
611 int fr_preauthcmd(cmd, fr, frptr)
613 frentry_t *fr, **frptr;
615 frauthent_t *fae, **faep;
619 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR))
622 for (faep = &fae_list; ((fae = *faep) != NULL); ) {
623 if (&fae->fae_fr == fr)
626 faep = &fae->fae_next;
629 if (cmd == (ioctlcmd_t)SIOCRMAFR) {
630 if (fr == NULL || frptr == NULL)
632 else if (fae == NULL)
636 WRITE_ENTER(&ipf_auth);
637 *faep = fae->fae_next;
638 if (ipauth == &fae->fae_fr)
639 ipauth = fae_list ? &fae_list->fae_fr : NULL;
640 RWLOCK_EXIT(&ipf_auth);
645 } else if (fr != NULL && frptr != NULL) {
646 KMALLOC(fae, frauthent_t *);
648 bcopy((char *)fr, (char *)&fae->fae_fr,
651 WRITE_ENTER(&ipf_auth);
652 fae->fae_age = fr_defaultauthage;
653 fae->fae_fr.fr_hits = 0;
654 fae->fae_fr.fr_next = *frptr;
656 *frptr = &fae->fae_fr;
657 fae->fae_next = *faep;
659 ipauth = &fae_list->fae_fr;
660 RWLOCK_EXIT(&ipf_auth);
670 /* ------------------------------------------------------------------------ */
671 /* Function: fr_authflush */
672 /* Returns: int - number of auth entries flushed */
673 /* Parameters: None */
674 /* Locks: WRITE(ipf_auth) */
676 /* This function flushs the fr_authpkts array of any packet data with */
677 /* references still there. */
678 /* It is expected that the caller has already acquired the correct locks or */
679 /* set the priority level correctly for this to block out other code paths */
680 /* into these data structures. */
681 /* ------------------------------------------------------------------------ */
684 register int i, num_flushed;
692 for (i = 0 ; i < fr_authsize; i++) {
696 fr_authpkts[i] = NULL;
697 fr_auth[i].fra_index = -1;
698 /* perhaps add & use a flush counter inst.*/
699 fr_authstats.fas_expire++;
713 /* ------------------------------------------------------------------------ */
714 /* Function: fr_auth_waiting */
715 /* Returns: int - 0 = no pakcets wiating, 1 = packets waiting. */
716 /* Parameters: None */
718 /* Simple truth check to see if there are any packets waiting in the auth */
720 /* ------------------------------------------------------------------------ */
721 int fr_auth_waiting()
723 return (fr_authused != 0);
727 /* ------------------------------------------------------------------------ */
728 /* Function: fr_authgeniter */
729 /* Returns: int - 0 == success, else error */
730 /* Parameters: token(I) - pointer to ipftoken structure */
731 /* itp(I) - pointer to ipfgeniter structure */
733 /* ------------------------------------------------------------------------ */
734 int fr_authgeniter(token, itp)
738 frauthent_t *fae, *next, zero;
741 if (itp->igi_data == NULL)
744 if (itp->igi_type != IPFGENITER_AUTH)
747 fae = token->ipt_data;
748 READ_ENTER(&ipf_auth);
752 next = fae->fae_next;
757 * If we find an auth entry to use, bump its reference count
758 * so that it can be used for is_next when we come back.
760 ATOMIC_INC(next->fae_ref);
761 if (next->fae_next == NULL) {
762 ipf_freetoken(token);
765 token->ipt_data = next;
768 bzero(&zero, sizeof(zero));
771 RWLOCK_EXIT(&ipf_auth);
774 * If we had a prior pointer to an auth entry, release it.
777 WRITE_ENTER(&ipf_auth);
779 RWLOCK_EXIT(&ipf_auth);
783 * This should arguably be via fr_outobj() so that the auth
784 * structure can (if required) be massaged going out.
786 error = COPYOUT(next, itp->igi_data, sizeof(*next));
794 /* ------------------------------------------------------------------------ */
795 /* Function: fr_authderef */
797 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */
798 /* Locks: WRITE(ipf_auth) */
800 /* This function unconditionally sets the pointer in the caller to NULL, */
801 /* to make it clear that it should no longer use that pointer, and drops */
802 /* the reference count on the structure by 1. If it reaches 0, free it up. */
803 /* ------------------------------------------------------------------------ */
804 void fr_authderef(faep)
813 if (fae->fae_ref == 0) {
819 /* ------------------------------------------------------------------------ */
820 /* Function: fr_authwait */
821 /* Returns: int - 0 == success, else error */
822 /* Parameters: data(I) - pointer to data from ioctl call */
824 /* This function is called when an application is waiting for a packet to */
825 /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */
826 /* a packet waiting on the queue then we will return that _one_ immediately.*/
827 /* If there are no packets present in the queue (fr_authpkts) then we go to */
829 /* ------------------------------------------------------------------------ */
830 int fr_authwait(data)
833 frauth_t auth, *au = &auth;
837 #if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \
838 (!defined(__FreeBSD_version) || (__FreeBSD_version < 501000))
843 error = fr_inobj(data, au, IPFOBJ_FRAUTH);
848 * XXX Locks are held below over calls to copyout...a better
849 * solution needs to be found so this isn't necessary. The situation
850 * we are trying to guard against here is an error in the copyout
851 * steps should not cause the packet to "disappear" from the queue.
853 READ_ENTER(&ipf_auth);
856 * If fr_authnext is not equal to fr_authend it will be because there
857 * is a packet waiting to be delt with in the fr_authpkts array. We
858 * copy as much of that out to user space as requested.
860 if (fr_authused > 0) {
861 while (fr_authpkts[fr_authnext] == NULL) {
863 if (fr_authnext == fr_authsize)
867 error = fr_outobj(data, &fr_auth[fr_authnext], IPFOBJ_FRAUTH);
871 if (auth.fra_len != 0 && auth.fra_buf != NULL) {
873 * Copy packet contents out to user space if
874 * requested. Bail on an error.
876 m = fr_authpkts[fr_authnext];
878 if (len > auth.fra_len)
882 for (t = auth.fra_buf; m && (len > 0); ) {
883 i = MIN(M_LEN(m), len);
884 error = copyoutptr(MTOD(m, char *), &t, i);
892 RWLOCK_EXIT(&ipf_auth);
895 WRITE_ENTER(&ipf_auth);
897 if (fr_authnext == fr_authsize)
899 RWLOCK_EXIT(&ipf_auth);
904 RWLOCK_EXIT(&ipf_auth);
906 MUTEX_ENTER(&ipf_authmx);
910 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx.ipf_lk))
917 l = get_sleep_lock(&fr_authnext);
918 error = sleep(&fr_authnext, PZERO+1);
923 error = mpsleep(&fr_authnext, PSUSP|PCATCH, "fr_authnext", 0,
924 &ipf_authmx, MS_LOCK_SIMPLE);
926 error = SLEEP(&fr_authnext, "fr_authnext");
927 # endif /* __osf__ */
929 # endif /* SOLARIS */
931 MUTEX_EXIT(&ipf_authmx);
933 goto fr_authioctlloop;
938 /* ------------------------------------------------------------------------ */
939 /* Function: fr_authreply */
940 /* Returns: int - 0 == success, else error */
941 /* Parameters: data(I) - pointer to data from ioctl call */
943 /* This function is called by an application when it wants to return a */
944 /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */
945 /* received information using an SIOCAUTHW. The decision returned in the */
946 /* form of flags, the same as those used in each rule. */
947 /* ------------------------------------------------------------------------ */
948 int fr_authreply(data)
951 frauth_t auth, *au = &auth, *fra;
956 error = fr_inobj(data, &auth, IPFOBJ_FRAUTH);
961 WRITE_ENTER(&ipf_auth);
968 * Check the validity of the information being returned with two simple
969 * checks. First, the auth index value should be within the size of
970 * the array and second the packet id being returned should also match.
972 if ((i < 0) || (i >= fr_authsize) ||
973 (fra->fra_info.fin_id != au->fra_info.fin_id)) {
974 RWLOCK_EXIT(&ipf_auth);
981 fra->fra_pass = au->fra_pass;
982 fr_authpkts[i] = NULL;
984 RWLOCK_EXIT(&ipf_auth);
987 * Re-insert the packet back into the packet stream flowing through
988 * the kernel in a manner that will mean IPFilter sees the packet
989 * again. This is not the same as is done with fastroute,
990 * deliberately, as we want to resume the normal packet processing
994 if ((m != NULL) && (au->fra_info.fin_out != 0)) {
995 error = ipf_inject(&fra->fra_info, m);
998 fr_authstats.fas_sendfail++;
1000 fr_authstats.fas_sendok++;
1003 error = ipf_inject(&fra->fra_info, m);
1006 fr_authstats.fas_quefail++;
1008 fr_authstats.fas_queok++;
1015 * If we experience an error which will result in the packet
1016 * not being processed, make sure we advance to the next one.
1018 if (error == ENOBUFS) {
1019 WRITE_ENTER(&ipf_auth);
1021 fra->fra_index = -1;
1023 if (i == fr_authstart) {
1024 while (fra->fra_index == -1) {
1026 if (i == fr_authsize)
1029 if (i == fr_authend)
1032 if (fr_authstart == fr_authend) {
1034 fr_authstart = fr_authend = 0;
1037 RWLOCK_EXIT(&ipf_auth);
1039 #endif /* _KERNEL */