search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'master' of ssh://swildner@crater.dragonflybsd.org/repository/git/dragonfly
[dragonfly.git] / contrib / ipfilter / ip_sfil.c
blob9e995d9b85c8d23c59e92cb0ce99a5a711a39f22
1 /*
2 * Copyright (C) 1993-2001 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * I hate legaleese, don't you ?
7 */
8 #if !defined(lint)
9 static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
10 static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.27 2003/06/12 16:03:14 darrenr Exp $";
11 #endif
12
13 #include <sys/types.h>
14 #include <sys/errno.h>
15 #include <sys/param.h>
16 #include <sys/cpuvar.h>
17 #include <sys/open.h>
18 #include <sys/ioctl.h>
19 #include <sys/filio.h>
20 #include <sys/systm.h>
21 #include <sys/cred.h>
22 #include <sys/ddi.h>
23 #include <sys/sunddi.h>
24 #include <sys/ksynch.h>
25 #include <sys/kmem.h>
26 #include <sys/mkdev.h>
27 #include <sys/protosw.h>
28 #include <sys/socket.h>
29 #include <sys/dditypes.h>
30 #include <sys/cmn_err.h>
31 #include <net/if.h>
32 #include <net/af.h>
33 #include <net/route.h>
34 #include <netinet/in.h>
35 #include <netinet/in_systm.h>
36 #include <netinet/ip.h>
37 #include <netinet/ip_var.h>
38 #include <netinet/tcp.h>
39 #include <netinet/udp.h>
40 #include <netinet/tcpip.h>
41 #include <netinet/ip_icmp.h>
42 #include "ip_compat.h"
43 #ifdef USE_INET6
44 # include <netinet/icmp6.h>
45 #endif
46 #include "ip_fil.h"
47 #include "ip_state.h"
48 #include "ip_nat.h"
49 #include "ip_frag.h"
50 #include "ip_auth.h"
51 #include "ip_proxy.h"
52 #include <inet/ip_ire.h>
53 #ifndef MIN
54 #define MIN(a,b) (((a)<(b))?(a):(b))
55 #endif
56
57
58 extern fr_flags, fr_active;
59
60 int fr_running = 0;
61 int ipl_unreach = ICMP_UNREACH_HOST;
62 u_long ipl_frouteok[2] = {0, 0};
63 static int frzerostats __P((caddr_t));
64 #if SOLARIS2 >= 7
65 static u_int *ip_ttl_ptr;
66 static u_int *ip_mtudisc;
67 #else
68 static u_long *ip_ttl_ptr;
69 static u_long *ip_mtudisc;
70 #endif
71
72 static int frrequest __P((minor_t, int, caddr_t, int));
73 static int send_ip __P((fr_info_t *fin, mblk_t *m));
74 kmutex_t ipl_mutex, ipf_authmx, ipf_rw;
75 KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_solaris;
76 KRWLOCK_T ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
77 kcondvar_t iplwait, ipfauthwait;
78
79
80 int ipldetach()
81 {
82 int i;
83
84 #ifdef IPFDEBUG
85 cmn_err(CE_CONT, "ipldetach()\n");
86 #endif
87 #ifdef IPFILTER_LOG
88 for (i = IPL_LOGMAX; i >= 0; i--)
89 ipflog_clear(i);
90 #endif
91 i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
92 i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
93 ipfr_unload();
94 fr_stateunload();
95 ip_natunload();
96 cv_destroy(&iplwait);
97 cv_destroy(&ipfauthwait);
98 mutex_destroy(&ipf_authmx);
99 mutex_destroy(&ipl_mutex);
100 mutex_destroy(&ipf_rw);
101 RW_DESTROY(&ipf_mutex);
102 RW_DESTROY(&ipf_frag);
103 RW_DESTROY(&ipf_state);
104 RW_DESTROY(&ipf_natfrag);
105 RW_DESTROY(&ipf_nat);
106 RW_DESTROY(&ipf_auth);
107 RW_DESTROY(&ipfs_mutex);
108 /* NOTE: This lock is acquired in ipf_detach */
109 RWLOCK_EXIT(&ipf_solaris);
110 RW_DESTROY(&ipf_solaris);
111 return 0;
112 }
113
114
115 int iplattach __P((void))
116 {
117 int i;
118
119 #ifdef IPFDEBUG
120 cmn_err(CE_CONT, "iplattach()\n");
121 #endif
122 bzero((char *)frcache, sizeof(frcache));
123 mutex_init(&ipf_rw, "ipf rw mutex", MUTEX_DRIVER, NULL);
124 mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL);
125 mutex_init(&ipf_authmx, "ipf auth log mutex", MUTEX_DRIVER, NULL);
126 RWLOCK_INIT(&ipf_solaris, "ipf filter load/unload mutex", NULL);
127 RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock", NULL);
128 RWLOCK_INIT(&ipfs_mutex, "ipf solaris mutex", NULL);
129 RWLOCK_INIT(&ipf_frag, "ipf fragment rwlock", NULL);
130 RWLOCK_INIT(&ipf_state, "ipf IP state rwlock", NULL);
131 RWLOCK_INIT(&ipf_nat, "ipf IP NAT rwlock", NULL);
132 RWLOCK_INIT(&ipf_natfrag, "ipf IP NAT-Frag rwlock", NULL);
133 RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock", NULL);
134 cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL);
135 cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL);
136 #ifdef IPFILTER_LOG
137 ipflog_init();
138 #endif
139 if (nat_init() == -1)
140 return -1;
141 if (fr_stateinit() == -1)
142 return -1;
143 if (appr_init() == -1)
144 return -1;
145
146 ip_ttl_ptr = NULL;
147 ip_mtudisc = NULL;
148 /*
149 * XXX - There is no terminator for this array, so it is not possible
150 * to tell if what we are looking for is missing and go off the end
151 * of the array.
152 */
153 for (i = 0; ; i++) {
154 if (strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl") == 0) {
155 ip_ttl_ptr = &ip_param_arr[i].ip_param_value;
156 } else if (strcmp(ip_param_arr[i].ip_param_name,
157 "ip_path_mtu_discovery") == 0) {
158 ip_mtudisc = &ip_param_arr[i].ip_param_value;
159 }
160
161 if (ip_mtudisc != NULL && ip_ttl_ptr != NULL)
162 break;
163 }
164 return 0;
165 }
166
167
168 static int frzerostats(data)
169 caddr_t data;
170 {
171 friostat_t fio;
172 int error;
173
174 fr_getstat(&fio);
175 error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
176 if (error)
177 return error;
178
179 bzero((char *)frstats, sizeof(*frstats) * 2);
180
181 return 0;
182 }
183
184
185 /*
186 * Filter ioctl interface.
187 */
188 int iplioctl(dev, cmd, data, mode, cp, rp)
189 dev_t dev;
190 int cmd;
191 #if SOLARIS2 >= 7
192 intptr_t data;
193 #else
194 int *data;
195 #endif
196 int mode;
197 cred_t *cp;
198 int *rp;
199 {
200 int error = 0, tmp;
201 minor_t unit;
202
203 #ifdef IPFDEBUG
204 cmn_err(CE_CONT, "iplioctl(%x,%x,%x,%d,%x,%d)\n",
205 dev, cmd, data, mode, cp, rp);
206 #endif
207 unit = getminor(dev);
208 if (IPL_LOGMAX < unit)
209 return ENXIO;
210
211 if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
212 return ENODEV;
213
214 if (fr_running <= 0)
215 return 0;
216
217 READ_ENTER(&ipf_solaris);
218 if (unit == IPL_LOGNAT) {
219 error = nat_ioctl((caddr_t)data, cmd, mode);
220 RWLOCK_EXIT(&ipf_solaris);
221 return error;
222 }
223 if (unit == IPL_LOGSTATE) {
224 error = fr_state_ioctl((caddr_t)data, cmd, mode);
225 RWLOCK_EXIT(&ipf_solaris);
226 return error;
227 }
228 if (unit == IPL_LOGAUTH) {
229 if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {
230 if (!(mode & FWRITE)) {
231 error = EPERM;
232 } else {
233 error = frrequest(unit, cmd, (caddr_t)data,
234 fr_active);
235 }
236 } else {
237 error = fr_auth_ioctl((caddr_t)data, mode, cmd);
238 }
239 RWLOCK_EXIT(&ipf_solaris);
240 return error;
241 }
242
243 switch (cmd) {
244 case SIOCFRENB :
245 {
246 u_int enable;
247
248 if (!(mode & FWRITE))
249 error = EPERM;
250 else
251 error = IRCOPY((caddr_t)data, (caddr_t)&enable,
252 sizeof(enable));
253 break;
254 }
255 case SIOCSETFF :
256 if (!(mode & FWRITE))
257 error = EPERM;
258 else {
259 WRITE_ENTER(&ipf_mutex);
260 error = IRCOPY((caddr_t)data, (caddr_t)&fr_flags,
261 sizeof(fr_flags));
262 RWLOCK_EXIT(&ipf_mutex);
263 }
264 break;
265 case SIOCGETFF :
266 error = IWCOPY((caddr_t)&fr_flags, (caddr_t)data,
267 sizeof(fr_flags));
268 if (error)
269 error = EFAULT;
270 break;
271 case SIOCINAFR :
272 case SIOCRMAFR :
273 case SIOCADAFR :
274 case SIOCZRLST :
275 if (!(mode & FWRITE))
276 error = EPERM;
277 else
278 error = frrequest(unit, cmd, (caddr_t)data, fr_active);
279 break;
280 case SIOCINIFR :
281 case SIOCRMIFR :
282 case SIOCADIFR :
283 if (!(mode & FWRITE))
284 error = EPERM;
285 else
286 error = frrequest(unit, cmd, (caddr_t)data,
287 1 - fr_active);
288 break;
289 case SIOCSWAPA :
290 if (!(mode & FWRITE))
291 error = EPERM;
292 else {
293 WRITE_ENTER(&ipf_mutex);
294 bzero((char *)frcache, sizeof(frcache[0]) * 2);
295 error = IWCOPY((caddr_t)&fr_active, (caddr_t)data,
296 sizeof(fr_active));
297 if (error)
298 error = EFAULT;
299 fr_active = 1 - fr_active;
300 RWLOCK_EXIT(&ipf_mutex);
301 }
302 break;
303 case SIOCGETFS :
304 {
305 friostat_t fio;
306
307 READ_ENTER(&ipf_mutex);
308 fr_getstat(&fio);
309 RWLOCK_EXIT(&ipf_mutex);
310 error = IWCOPYPTR((caddr_t)&fio, (caddr_t)data, sizeof(fio));
311 if (error)
312 error = EFAULT;
313 break;
314 }
315 case SIOCFRZST :
316 if (!(mode & FWRITE))
317 error = EPERM;
318 else
319 error = frzerostats((caddr_t)data);
320 break;
321 case SIOCIPFFL :
322 if (!(mode & FWRITE))
323 error = EPERM;
324 else {
325 error = IRCOPY((caddr_t)data, (caddr_t)&tmp,
326 sizeof(tmp));
327 if (!error) {
328 tmp = frflush(unit, 4, tmp);
329 error = IWCOPY((caddr_t)&tmp, (caddr_t)data,
330 sizeof(tmp));
331 if (error)
332 error = EFAULT;
333 }
334 }
335 break;
336 #ifdef USE_INET6
337 case SIOCIPFL6 :
338 if (!(mode & FWRITE))
339 error = EPERM;
340 else {
341 error = IRCOPY((caddr_t)data, (caddr_t)&tmp,
342 sizeof(tmp));
343 if (!error) {
344 tmp = frflush(unit, 6, tmp);
345 error = IWCOPY((caddr_t)&tmp, (caddr_t)data,
346 sizeof(tmp));
347 if (error)
348 error = EFAULT;
349 }
350 }
351 break;
352 #endif
353 case SIOCSTLCK :
354 error = IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
355 if (!error) {
356 fr_state_lock = tmp;
357 fr_nat_lock = tmp;
358 fr_frag_lock = tmp;
359 fr_auth_lock = tmp;
360 } else
361 error = EFAULT;
362 break;
363 #ifdef IPFILTER_LOG
364 case SIOCIPFFB :
365 if (!(mode & FWRITE))
366 error = EPERM;
367 else {
368 tmp = ipflog_clear(unit);
369 error = IWCOPY((caddr_t)&tmp, (caddr_t)data,
370 sizeof(tmp));
371 if (error)
372 error = EFAULT;
373 }
374 break;
375 #endif /* IPFILTER_LOG */
376 case SIOCFRSYN :
377 if (!(mode & FWRITE))
378 error = EPERM;
379 else
380 error = ipfsync();
381 break;
382 case SIOCGFRST :
383 error = IWCOPYPTR((caddr_t)ipfr_fragstats(), (caddr_t)data,
384 sizeof(ipfrstat_t));
385 break;
386 case FIONREAD :
387 {
388 #ifdef IPFILTER_LOG
389 int copy = (int)iplused[IPL_LOGIPF];
390
391 error = IWCOPY((caddr_t)&copy, (caddr_t)data, sizeof(copy));
392 if (error)
393 error = EFAULT;
394 #endif
395 break;
396 }
397 default :
398 error = EINVAL;
399 break;
400 }
401 RWLOCK_EXIT(&ipf_solaris);
402 return error;
403 }
404
405
406 ill_t *get_unit(name, v)
407 char *name;
408 int v;
409 {
410 size_t len = strlen(name) + 1; /* includes \0 */
411 ill_t *il;
412 #if SOLARIS2 >= 10
413 ill_walk_context_t ctx;
414 #endif
415 int sap;
416
417 if (v == 4)
418 sap = 0x0800;
419 else if (v == 6)
420 sap = 0x86dd;
421 else
422 return NULL;
423 #if SOLARIS2 >= 10
424 for (il = ILL_START_WALK_ALL(&ctx); il; il = ill_next(&ctx, il))
425 #else
426 for (il = ill_g_head; il; il = il->ill_next)
427 #endif
428 if ((len == il->ill_name_length) && (il->ill_sap == sap) &&
429 !strncmp(il->ill_name, name, len))
430 return il;
431 return NULL;
432 }
433
434
435 static int frrequest(unit, req, data, set)
436 minor_t unit;
437 int req, set;
438 caddr_t data;
439 {
440 register frentry_t *fp, *f, **fprev;
441 register frentry_t **ftail;
442 frgroup_t *fg = NULL;
443 int error = 0, in, i;
444 u_int *p, *pp;
445 frdest_t *fdp;
446 frentry_t fr;
447 u_32_t group;
448 ipif_t *ipif;
449 ill_t *ill;
450 ire_t *ire;
451
452 fp = &fr;
453 error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp));
454 if (error)
455 return EFAULT;
456 fp->fr_ref = 0;
457 #if SOLARIS2 >= 8
458 if (fp->fr_v == 4)
459 fp->fr_sap = IP_DL_SAP;
460 else if (fp->fr_v == 6)
461 fp->fr_sap = IP6_DL_SAP;
462 else
463 return EINVAL;
464 #else
465 fp->fr_sap = 0;
466 #endif
467
468 WRITE_ENTER(&ipf_mutex);
469 /*
470 * Check that the group number does exist and that if a head group
471 * has been specified, doesn't exist.
472 */
473 if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
474 (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
475 fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) {
476 error = EEXIST;
477 goto out;
478 }
479 if ((req != SIOCZRLST) && fp->fr_group &&
480 !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL)) {
481 error = ESRCH;
482 goto out;
483 }
484
485 in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
486
487 if (unit == IPL_LOGAUTH)
488 ftail = fprev = &ipauth;
489 else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 4))
490 ftail = fprev = &ipacct[in][set];
491 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 4))
492 ftail = fprev = &ipfilter[in][set];
493 #ifdef USE_INET6
494 else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 6))
495 ftail = fprev = &ipacct6[in][set];
496 else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 6))
497 ftail = fprev = &ipfilter6[in][set];
498 #endif
499 else {
500 error = ESRCH;
501 goto out;
502 }
503
504 group = fp->fr_group;
505 if (group != 0) {
506 fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL);
507 if (fg == NULL) {
508 error = ESRCH;
509 goto out;
510 }
511 ftail = fprev = fg->fg_start;
512 }
513
514 bzero((char *)frcache, sizeof(frcache[0]) * 2);
515
516 for (i = 0; i < 4; i++) {
517 if ((fp->fr_ifnames[i][1] == '\0') &&
518 ((fp->fr_ifnames[i][0] == '-') ||
519 (fp->fr_ifnames[i][0] == '*'))) {
520 fp->fr_ifas[i] = NULL;
521 } else if (*fp->fr_ifnames[i]) {
522 fp->fr_ifas[i] = GETUNIT(fp->fr_ifnames[i], fp->fr_v);
523 if (!fp->fr_ifas[i])
524 fp->fr_ifas[i] = (void *)-1;
525 }
526 }
527
528 fdp = &fp->fr_dif;
529 fdp->fd_mp = NULL;
530 fp->fr_flags &= ~FR_DUP;
531 if (*fdp->fd_ifname) {
532 ill = get_unit(fdp->fd_ifname, (int)fp->fr_v);
533 if (!ill)
534 ire = (ire_t *)-1;
535 else if ((ipif = ill->ill_ipif) && (fp->fr_v == 4)) {
536 #if SOLARIS2 > 5
537 ire = ire_ctable_lookup(ipif->ipif_local_addr, 0,
538 IRE_LOCAL, NULL, NULL,
539 MATCH_IRE_TYPE);
540 #else
541 ire = ire_lookup_myaddr(ipif->ipif_local_addr);
542 #endif
543 if (!ire)
544 ire = (ire_t *)-1;
545 else
546 fp->fr_flags |= FR_DUP;
547 }
548 #ifdef USE_INET6
549 else if ((ipif = ill->ill_ipif) && (fp->fr_v == 6)) {
550 ire = ire_ctable_lookup_v6(&ipif->ipif_v6lcl_addr, 0,
551 IRE_LOCAL, NULL, NULL,
552 MATCH_IRE_TYPE);
553 if (!ire)
554 ire = (ire_t *)-1;
555 else
556 fp->fr_flags |= FR_DUP;
557 }
558 #endif
559 fdp->fd_ifp = (struct ifnet *)ire;
560 }
561
562 fdp = &fp->fr_tif;
563 fdp->fd_mp = NULL;
564 if (*fdp->fd_ifname) {
565 ill = get_unit(fdp->fd_ifname, (int)fp->fr_v);
566 if (!ill)
567 ire = (ire_t *)-1;
568 else if ((ipif = ill->ill_ipif) && (fp->fr_v == 4)) {
569 #if SOLARIS2 > 5
570 ire = ire_ctable_lookup(ipif->ipif_local_addr, 0,
571 IRE_LOCAL, NULL, NULL,
572 MATCH_IRE_TYPE);
573 #else
574 ire = ire_lookup_myaddr(ipif->ipif_local_addr);
575 #endif
576 if (!ire)
577 ire = (ire_t *)-1;
578 }
579 #ifdef USE_INET6
580 else if ((ipif = ill->ill_ipif) && (fp->fr_v == 6)) {
581 ire = ire_ctable_lookup_v6(&ipif->ipif_v6lcl_addr, 0,
582 IRE_LOCAL, NULL, NULL,
583 MATCH_IRE_TYPE);
584 if (!ire)
585 ire = (ire_t *)-1;
586 }
587 #endif
588 fdp->fd_ifp = (struct ifnet *)ire;
589 }
590
591 /*
592 * Look for a matching filter rule, but don't include the next or
593 * interface pointer in the comparison (fr_next, fr_ifa).
594 */
595 for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum;
596 p < pp; p++)
597 fp->fr_cksum += *p;
598
599 for (; (f = *ftail); ftail = &f->fr_next)
600 if ((fp->fr_cksum == f->fr_cksum) &&
601 !bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, FR_CMPSIZ))
602 break;
603
604 /*
605 * If zero'ing statistics, copy current to caller and zero.
606 */
607 if (req == SIOCZRLST) {
608 if (!f) {
609 error = ESRCH;
610 goto out;
611 }
612 MUTEX_DOWNGRADE(&ipf_mutex);
613 error = IWCOPYPTR((caddr_t)f, data, sizeof(*f));
614 if (error)
615 goto out;
616 f->fr_hits = 0;
617 f->fr_bytes = 0;
618 goto out;
619 }
620
621 if (!f) {
622 if (req != SIOCINAFR && req != SIOCINIFR)
623 while ((f = *ftail))
624 ftail = &f->fr_next;
625 else {
626 ftail = fprev;
627 if (fp->fr_hits) {
628 while (--fp->fr_hits && (f = *ftail))
629 ftail = &f->fr_next;
630 }
631 f = NULL;
632 }
633 }
634
635 if (req == SIOCRMAFR || req == SIOCRMIFR) {
636 if (!f)
637 error = ESRCH;
638 else {
639 /*
640 * Only return EBUSY if there is a group list, else
641 * it's probably just state information referencing
642 * the rule.
643 */
644 if ((f->fr_ref > 1) && f->fr_grp) {
645 error = EBUSY;
646 goto out;
647 }
648 if (fg && fg->fg_head)
649 fg->fg_head->fr_ref--;
650 if (unit == IPL_LOGAUTH) {
651 return fr_preauthcmd(req, f, ftail);
652 }
653 if (f->fr_grhead)
654 fr_delgroup(f->fr_grhead, fp->fr_flags,
655 unit, set);
656 fixskip(fprev, f, -1);
657 *ftail = f->fr_next;
658 f->fr_next = NULL;
659 f->fr_ref--;
660 if (f->fr_ref == 0)
661 KFREE(f);
662 }
663 } else {
664 if (f) {
665 error = EEXIST;
666 } else {
667 if (unit == IPL_LOGAUTH) {
668 return fr_preauthcmd(req, fp, ftail);
669 }
670 KMALLOC(f, frentry_t *);
671 if (f != NULL) {
672 if (fg && fg->fg_head)
673 fg->fg_head->fr_ref++;
674 bcopy((char *)fp, (char *)f, sizeof(*f));
675 f->fr_ref = 1;
676 f->fr_hits = 0;
677 f->fr_next = *ftail;
678 *ftail = f;
679 if (req == SIOCINIFR || req == SIOCINAFR)
680 fixskip(fprev, f, 1);
681 f->fr_grp = NULL;
682 group = f->fr_grhead;
683 if (group != 0)
684 fg = fr_addgroup(group, f, unit, set);
685 } else
686 error = ENOMEM;
687 }
688 }
689 out:
690 RWLOCK_EXIT(&ipf_mutex);
691 return (error);
692 }
693
694
695 /*
696 * routines below for saving IP headers to buffer
697 */
698 int iplopen(devp, flags, otype, cred)
699 dev_t *devp;
700 int flags, otype;
701 cred_t *cred;
702 {
703 minor_t min = getminor(*devp);
704
705 #ifdef IPFDEBUG
706 cmn_err(CE_CONT, "iplopen(%x,%x,%x,%x)\n", devp, flags, otype, cred);
707 #endif
708 if ((fr_running <= 0) || !(otype & OTYP_CHR))
709 return ENXIO;
710 min = (IPL_LOGMAX < min) ? ENXIO : 0;
711 return min;
712 }
713
714
715 int iplclose(dev, flags, otype, cred)
716 dev_t dev;
717 int flags, otype;
718 cred_t *cred;
719 {
720 minor_t min = getminor(dev);
721
722 #ifdef IPFDEBUG
723 cmn_err(CE_CONT, "iplclose(%x,%x,%x,%x)\n", dev, flags, otype, cred);
724 #endif
725 min = (IPL_LOGMAX < min) ? ENXIO : 0;
726 return min;
727 }
728
729 #ifdef IPFILTER_LOG
730 /*
731 * iplread/ipllog
732 * both of these must operate with at least splnet() lest they be
733 * called during packet processing and cause an inconsistancy to appear in
734 * the filter lists.
735 */
736 int iplread(dev, uio, cp)
737 dev_t dev;
738 register struct uio *uio;
739 cred_t *cp;
740 {
741 #ifdef IPFDEBUG
742 cmn_err(CE_CONT, "iplread(%x,%x,%x)\n", dev, uio, cp);
743 #endif
744 return ipflog_read(getminor(dev), uio);
745 }
746 #endif /* IPFILTER_LOG */
747
748
749 /*
750 * send_reset - this could conceivably be a call to tcp_respond(), but that
751 * requires a large amount of setting up and isn't any more efficient.
752 */
753 int send_reset(oip, fin)
754 ip_t *oip;
755 fr_info_t *fin;
756 {
757 tcphdr_t *tcp, *tcp2;
758 int tlen, hlen;
759 mblk_t *m;
760 #ifdef USE_INET6
761 ip6_t *ip6, *oip6 = (ip6_t *)oip;
762 #endif
763 ip_t *ip;
764
765 tcp = (struct tcphdr *)fin->fin_dp;
766 if (tcp->th_flags & TH_RST)
767 return -1;
768 tlen = (tcp->th_flags & (TH_SYN|TH_FIN)) ? 1 : 0;
769 #ifdef USE_INET6
770 if (fin->fin_v == 6)
771 hlen = sizeof(ip6_t);
772 else
773 #endif
774 hlen = sizeof(ip_t);
775 hlen += sizeof(*tcp2);
776 if ((m = (mblk_t *)allocb(hlen + 16, BPRI_HI)) == NULL)
777 return -1;
778
779 m->b_rptr += 16;
780 MTYPE(m) = M_DATA;
781 m->b_wptr = m->b_rptr + hlen;
782 bzero((char *)m->b_rptr, hlen);
783 tcp2 = (struct tcphdr *)(m->b_rptr + hlen - sizeof(*tcp2));
784 tcp2->th_dport = tcp->th_sport;
785 tcp2->th_sport = tcp->th_dport;
786 if (tcp->th_flags & TH_ACK) {
787 tcp2->th_seq = tcp->th_ack;
788 tcp2->th_flags = TH_RST;
789 } else {
790 tcp2->th_ack = ntohl(tcp->th_seq);
791 tcp2->th_ack += tlen;
792 tcp2->th_ack = htonl(tcp2->th_ack);
793 tcp2->th_flags = TH_RST|TH_ACK;
794 }
795 tcp2->th_off = sizeof(struct tcphdr) >> 2;
796
797 /*
798 * This is to get around a bug in the Solaris 2.4/2.5 TCP checksum
799 * computation that is done by their put routine.
800 */
801 tcp2->th_sum = htons(0x14);
802 #ifdef USE_INET6
803 if (fin->fin_v == 6) {
804 ip6 = (ip6_t *)m->b_rptr;
805 ip6->ip6_src = oip6->ip6_dst;
806 ip6->ip6_dst = oip6->ip6_src;
807 ip6->ip6_plen = htons(sizeof(*tcp));
808 ip6->ip6_nxt = IPPROTO_TCP;
809 } else
810 #endif
811 {
812 ip = (ip_t *)m->b_rptr;
813 ip->ip_src.s_addr = oip->ip_dst.s_addr;
814 ip->ip_dst.s_addr = oip->ip_src.s_addr;
815 ip->ip_hl = sizeof(*ip) >> 2;
816 ip->ip_p = IPPROTO_TCP;
817 ip->ip_len = htons(sizeof(*ip) + sizeof(*tcp));
818 ip->ip_tos = oip->ip_tos;
819 }
820 return send_ip(fin, m);
821 }
822
823
824 int static send_ip(fin, m)
825 fr_info_t *fin;
826 mblk_t *m;
827 {
828 RWLOCK_EXIT(&ipfs_mutex);
829 RWLOCK_EXIT(&ipf_solaris);
830 #ifdef USE_INET6
831 if (fin->fin_v == 6) {
832 extern void ip_wput_v6 __P((queue_t *, mblk_t *));
833 ip6_t *ip6;
834
835 ip6 = (ip6_t *)m->b_rptr;
836 ip6->ip6_flow = 0;
837 ip6->ip6_vfc = 0x60;
838 ip6->ip6_hlim = 127;
839 ip_wput_v6(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m);
840 } else
841 #endif
842 {
843 ip_t *ip;
844
845 ip = (ip_t *)m->b_rptr;
846 ip->ip_v = IPVERSION;
847 ip->ip_ttl = (u_char)(*ip_ttl_ptr);
848 ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0);
849 ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m);
850 }
851 READ_ENTER(&ipf_solaris);
852 READ_ENTER(&ipfs_mutex);
853 return 0;
854 }
855
856
857 int send_icmp_err(oip, type, fin, dst)
858 ip_t *oip;
859 int type;
860 fr_info_t *fin;
861 int dst;
862 {
863 struct in_addr dst4;
864 struct icmp *icmp;
865 mblk_t *m, *mb;
866 int hlen, code;
867 qif_t *qif;
868 u_short sz;
869 ill_t *il;
870 #ifdef USE_INET6
871 ip6_t *ip6, *oip6;
872 #endif
873 ip_t *ip;
874
875 if ((type < 0) || (type > ICMP_MAXTYPE))
876 return -1;
877
878 code = fin->fin_icode;
879 #ifdef USE_INET6
880 if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int)))
881 return -1;
882 #endif
883
884 qif = fin->fin_qif;
885 m = fin->fin_qfm;
886
887 #ifdef USE_INET6
888 if (oip->ip_v == 6) {
889 oip6 = (ip6_t *)oip;
890 sz = sizeof(ip6_t);
891 sz += MIN(m->b_wptr - m->b_rptr, 512);
892 hlen = sizeof(ip6_t);
893 type = icmptoicmp6types[type];
894 if (type == ICMP6_DST_UNREACH)
895 code = icmptoicmp6unreach[code];
896 } else
897 #endif
898 {
899 if ((oip->ip_p == IPPROTO_ICMP) &&
900 !(fin->fin_fi.fi_fl & FI_SHORT))
901 switch (ntohs(fin->fin_data[0]) >> 8)
902 {
903 case ICMP_ECHO :
904 case ICMP_TSTAMP :
905 case ICMP_IREQ :
906 case ICMP_MASKREQ :
907 break;
908 default :
909 return 0;
910 }
911
912 sz = sizeof(ip_t) * 2;
913 sz += 8; /* 64 bits of data */
914 hlen = sz;
915 }
916
917 sz += offsetof(struct icmp, icmp_ip);
918 if ((mb = (mblk_t *)allocb((size_t)sz + 16, BPRI_HI)) == NULL)
919 return -1;
920 MTYPE(mb) = M_DATA;
921 mb->b_rptr += 16;
922 mb->b_wptr = mb->b_rptr + sz;
923 bzero((char *)mb->b_rptr, (size_t)sz);
924 icmp = (struct icmp *)(mb->b_rptr + sizeof(*ip));
925 icmp->icmp_type = type;
926 icmp->icmp_code = code;
927 icmp->icmp_cksum = 0;
928 #ifdef icmp_nextmtu
929 if (type == ICMP_UNREACH && (il = qif->qf_ill) &&
930 fin->fin_icode == ICMP_UNREACH_NEEDFRAG)
931 icmp->icmp_nextmtu = htons(il->ill_max_frag);
932 #endif
933
934 #ifdef USE_INET6
935 if (oip->ip_v == 6) {
936 struct in6_addr dst6;
937 int csz;
938
939 if (dst == 0) {
940 if (fr_ifpaddr(6, ((qif_t *)fin->fin_qif)->qf_ill,
941 (struct in_addr *)&dst6) == -1)
942 return -1;
943 } else
944 dst6 = oip6->ip6_dst;
945
946 csz = sz;
947 sz -= sizeof(ip6_t);
948 ip6 = (ip6_t *)mb->b_rptr;
949 ip6->ip6_flow = 0;
950 ip6->ip6_vfc = 0x60;
951 ip6->ip6_hlim = 127;
952 ip6->ip6_plen = htons(sz);
953 ip6->ip6_nxt = IPPROTO_ICMPV6;
954 ip6->ip6_src = dst6;
955 ip6->ip6_dst = oip6->ip6_src;
956 sz -= offsetof(struct icmp, icmp_ip);
957 bcopy((char *)m->b_rptr, (char *)&icmp->icmp_ip, sz);
958 icmp->icmp_cksum = csz - sizeof(ip6_t);
959 } else
960 #endif
961 {
962 ip = (ip_t *)mb->b_rptr;
963 ip->ip_v = IPVERSION;
964 ip->ip_hl = (sizeof(*ip) >> 2);
965 ip->ip_p = IPPROTO_ICMP;
966 ip->ip_id = oip->ip_id;
967 ip->ip_sum = 0;
968 ip->ip_ttl = (u_char)(*ip_ttl_ptr);
969 ip->ip_tos = oip->ip_tos;
970 ip->ip_len = (u_short)htons(sz);
971 if (dst == 0) {
972 if (fr_ifpaddr(4, ((qif_t *)fin->fin_qif)->qf_ill,
973 &dst4) == -1)
974 return -1;
975 } else
976 dst4 = oip->ip_dst;
977 ip->ip_src = dst4;
978 ip->ip_dst = oip->ip_src;
979 bcopy((char *)oip, (char *)&icmp->icmp_ip, sizeof(*oip));
980 bcopy((char *)oip + (oip->ip_hl << 2),
981 (char *)&icmp->icmp_ip + sizeof(*oip), 8);
982 icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
983 sizeof(*icmp) + 8);
984 }
985
986 /*
987 * Need to exit out of these so we don't recursively call rw_enter
988 * from fr_qout.
989 */
990 return send_ip(fin, mb);
991 }
DragonFly BSD