sys/net/pf/if_pflog.c

   1 /*      $OpenBSD: if_pflog.c,v 1.27 2007/12/20 02:53:02 brad Exp $      */
   2 /*
   3  * The authors of this code are John Ioannidis (ji@tla.org),
   4  * Angelos D. Keromytis (kermit@csd.uch.gr) and
   5  * Niels Provos (provos@physnet.uni-hamburg.de).
   6  *
   7  * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
   8  * in November 1995.
   9  *
  10  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
  11  * by Angelos D. Keromytis.
  12  *
  13  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
  14  * and Niels Provos.
  15  *
  16  * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
  17  * and Niels Provos.
  18  * Copyright (c) 2001, Angelos D. Keromytis, Niels Provos.
  19  *
  20  * Copyright (c) 2010 The DragonFly Project.  All rights reserved.
  21  *
  22  * Permission to use, copy, and modify this software with or without fee
  23  * is hereby granted, provided that this entire notice is included in
  24  * all copies of any software which is or includes a copy or
  25  * modification of this software.
  26  * You may use this code under the GNU public license if you so wish. Please
  27  * contribute changes back to the authors under this freer than GPL license
  28  * so that we may further the use of strong encryption without limitations to
  29  * all.
  30  *
  31  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
  32  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
  33  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
  34  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
  35  * PURPOSE.
  36  */
  37
  38 #include "opt_inet.h"
  39 #include "opt_inet6.h"
  40 #include "use_bpf.h"
  41
  42 #include <sys/param.h>
  43 #include <sys/systm.h>
  44 #include <sys/in_cksum.h>
  45 #include <sys/mbuf.h>
  46 #include <sys/proc.h>
  47 #include <sys/socket.h>
  48 #include <sys/kernel.h>
  49 #include <sys/malloc.h>
  50 #include <sys/module.h>
  51 #include <sys/sockio.h>
  52 #include <sys/thread2.h>
  53
  54 #include <net/if.h>
  55 #include <net/if_types.h>
  56 #include <net/ifq_var.h>
  57 #include <net/route.h>
  58 #include <net/bpf.h>
  59
  60 #ifdef  INET
  61 #include <netinet/in.h>
  62 #include <netinet/in_var.h>
  63 #include <netinet/in_systm.h>
  64 #include <netinet/ip.h>
  65 #endif
  66
  67 #ifdef INET6
  68 #ifndef INET
  69 #include <netinet/in.h>
  70 #endif
  71 #include <netinet6/nd6.h>
  72 #endif /* INET6 */
  73
  74 #include <net/pf/pfvar.h>
  75 #include <net/pf/if_pflog.h>
  76
  77 #define PFLOGNAME       "pflog"
  78
  79 #define PFLOGMTU        (32768 + MHLEN + MLEN)
  80
  81 #ifdef PFLOGDEBUG
  82 #define DPRINTF(x)      do { if (pflogdebug) kprintf x ; } while (0)
  83 #else
  84 #define DPRINTF(x)
  85 #endif
  86
  87 static void     pflogattach(void);
  88 static int      pflogoutput(struct ifnet *, struct mbuf *,
  89                     struct sockaddr *, struct rtentry *);
  90 static int      pflogioctl(struct ifnet *, u_long, caddr_t __unused,
  91                     struct ucred * __unused);
  92 static void     pflogstart(struct ifnet *, struct ifaltq_subque *);
  93 static int      pflog_clone_create(struct if_clone *, int, caddr_t, caddr_t);
  94 static int      pflog_clone_destroy(struct ifnet *);
  95
  96 static struct if_clone pflog_cloner = IF_CLONE_INITIALIZER(
  97     PFLOGNAME, pflog_clone_create, pflog_clone_destroy, 1, 1);
  98
  99 static LIST_HEAD(, pflog_softc) pflogif_list;
 100 static struct ifnet *pflogifs[PFLOGIFS_MAX]; /* for fast access */
 101
 102 static void
 103 pflogattach(void)
 104 {
 105         int     i;
 106         LIST_INIT(&pflogif_list);
 107         for (i = 0; i < PFLOGIFS_MAX; i++)
 108                 pflogifs[i] = NULL;
 109         if_clone_attach(&pflog_cloner);
 110 }
 111
 112 static int
 113 pflog_clone_create(struct if_clone *ifc, int unit,
 114                    caddr_t params __unused, caddr_t data __unused)
 115 {
 116         struct ifnet *ifp;
 117         struct pflog_softc *pflogif;
 118
 119         lwkt_gettoken(&pf_token);
 120
 121         if (unit >= PFLOGIFS_MAX) {
 122                 lwkt_reltoken(&pf_token);
 123                 return (EINVAL);
 124         }
 125
 126         pflogif = kmalloc(sizeof(*pflogif), M_DEVBUF, M_WAITOK | M_ZERO);
 127         pflogif->sc_unit = unit;
 128         lwkt_reltoken(&pf_token);
 129
 130         ifp = &pflogif->sc_if;
 131         if_initname(ifp, ifc->ifc_name, unit);
 132         ifp->if_softc = pflogif;
 133         ifp->if_mtu = PFLOGMTU;
 134         ifp->if_ioctl = pflogioctl;
 135         ifp->if_output = pflogoutput;
 136         ifp->if_start = pflogstart;
 137         ifp->if_type = IFT_PFLOG;
 138         ifq_set_maxlen(&ifp->if_snd, ifqmaxlen);
 139         ifp->if_hdrlen = PFLOG_HDRLEN;
 140
 141         if_attach(ifp, NULL);
 142 #if NBPF > 0
 143         bpfattach(&pflogif->sc_if, DLT_PFLOG, PFLOG_HDRLEN);
 144 #endif
 145
 146         lwkt_gettoken(&pf_token);
 147         crit_enter();
 148         LIST_INSERT_HEAD(&pflogif_list, pflogif, sc_list);
 149         pflogifs[unit] = ifp;
 150         crit_exit();
 151         lwkt_reltoken(&pf_token);
 152
 153         return (0);
 154 }
 155
 156 static int
 157 pflog_clone_destroy(struct ifnet *ifp)
 158 {
 159         struct pflog_softc      *pflogif = ifp->if_softc;
 160
 161         lwkt_gettoken(&pf_token);
 162
 163         crit_enter();
 164         pflogifs[pflogif->sc_unit] = NULL;
 165         LIST_REMOVE(pflogif, sc_list);
 166         crit_exit();
 167
 168         lwkt_reltoken(&pf_token);
 169 #if NBPF > 0
 170         bpfdetach(ifp);
 171 #endif
 172         if_detach(ifp);
 173         lwkt_gettoken(&pf_token);
 174         kfree(pflogif, M_DEVBUF);
 175         lwkt_reltoken(&pf_token);
 176
 177         return 0;
 178 }
 179
 180 /*
 181  * Start output on the pflog interface.
 182  */
 183 static void
 184 pflogstart(struct ifnet *ifp, struct ifaltq_subque *ifsq)
 185 {
 186         struct mbuf *m;
 187
 188         ASSERT_ALTQ_SQ_DEFAULT(ifp, ifsq);
 189         ASSERT_LWKT_TOKEN_HELD(&pf_token);
 190
 191         for (;;) {
 192                 m = ifsq_dequeue(ifsq);
 193                 if (m == NULL)
 194                         return;
 195                 else
 196                         m_freem(m);
 197         }
 198 }
 199
 200 static int
 201 pflogoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
 202             struct rtentry *rt)
 203 {
 204         m_freem(m);
 205         return (0);
 206 }
 207
 208 static int
 209 pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data __unused,
 210            struct ucred *cr __unused)
 211 {
 212
 213         lwkt_gettoken(&pf_token);
 214
 215         switch (cmd) {
 216         case SIOCSIFFLAGS:
 217                 lwkt_reltoken(&pf_token);
 218                 if (ifp->if_flags & IFF_UP)
 219                         ifp->if_flags |= IFF_RUNNING;
 220                 else
 221                         ifp->if_flags &= ~IFF_RUNNING;
 222                 lwkt_gettoken(&pf_token);
 223                 break;
 224         default:
 225                 lwkt_reltoken(&pf_token);
 226                 return (EINVAL);
 227         }
 228
 229         lwkt_reltoken(&pf_token);
 230         return (0);
 231 }
 232
 233 int
 234 pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
 235              u_int8_t reason, struct pf_rule *rm, struct pf_rule *am,
 236              struct pf_ruleset *ruleset, struct pf_pdesc *pd)
 237 {
 238         struct ifnet *ifn = NULL;
 239         struct pfloghdr hdr;
 240
 241         ASSERT_LWKT_TOKEN_HELD(&pf_token);
 242
 243         if (kif == NULL || m == NULL || rm == NULL)
 244                 return (-1);
 245
 246         if ((ifn = pflogifs[rm->logif]) == NULL || !ifn->if_bpf)
 247                 return (0);
 248
 249         bzero(&hdr, sizeof(hdr));
 250         hdr.length = PFLOG_REAL_HDRLEN;
 251         hdr.af = af;
 252         hdr.action = rm->action;
 253         hdr.reason = reason;
 254         memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
 255
 256         if (am == NULL) {
 257                 hdr.rulenr = htonl(rm->nr);
 258                 hdr.subrulenr = -1;
 259         } else {
 260                 hdr.rulenr = htonl(am->nr);
 261                 hdr.subrulenr = htonl(rm->nr);
 262                 if (ruleset != NULL && ruleset->anchor != NULL)
 263                         strlcpy(hdr.ruleset, ruleset->anchor->name,
 264                             sizeof(hdr.ruleset));
 265         }
 266         if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
 267                 pd->lookup.done = pf_socket_lookup(dir, pd);
 268         if (pd->lookup.done > 0) {
 269                 hdr.uid = pd->lookup.uid;
 270                 hdr.pid = pd->lookup.pid;
 271         } else {
 272                 hdr.uid = UID_MAX;
 273                 hdr.pid = NO_PID;
 274         }
 275         hdr.rule_uid = rm->cuid;
 276         hdr.rule_pid = rm->cpid;
 277         hdr.dir = dir;
 278
 279 #ifdef INET
 280         if (af == AF_INET) {
 281                 struct ip *ip;
 282                 ip = mtod(m, struct ip *);
 283
 284                 if (dir == PF_OUT) {
 285                         ip->ip_sum = 0;
 286                         ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
 287                 }
 288         }
 289 #endif /* INET */
 290
 291         IFNET_STAT_INC(ifn, opackets, 1);
 292         IFNET_STAT_INC(ifn, obytes, m->m_pkthdr.len);
 293         if (ifn->if_bpf) {
 294                 bpf_gettoken();
 295                 if (ifn->if_bpf) {
 296                         bpf_mtap_hdr(ifn->if_bpf, (char *)&hdr, PFLOG_HDRLEN, m,
 297                             BPF_DIRECTION_OUT);
 298                 }
 299                 bpf_reltoken();
 300         }
 301
 302         return (0);
 303 }
 304
 305 static int
 306 pflog_modevent(module_t mod, int type, void *data)
 307 {
 308         int error = 0;
 309
 310         struct pflog_softc *pflogif, *tmp;
 311
 312         lwkt_gettoken(&pf_token);
 313
 314         switch (type) {
 315         case MOD_LOAD:
 316                 lwkt_reltoken(&pf_token);
 317                 pflogattach();
 318                 lwkt_gettoken(&pf_token);
 319                 break;
 320
 321         case MOD_UNLOAD:
 322                 lwkt_reltoken(&pf_token);
 323                 if_clone_detach(&pflog_cloner);
 324                 LIST_FOREACH_MUTABLE(pflogif, &pflogif_list, sc_list, tmp)
 325                         pflog_clone_destroy(&pflogif->sc_if);
 326                 lwkt_gettoken(&pf_token);
 327                 break;
 328
 329         default:
 330                 error = EINVAL;
 331                 break;
 332         }
 333         lwkt_reltoken(&pf_token);
 334         return error;
 335 }
 336
 337 static moduledata_t pflog_mod = {
 338         "pflog",
 339         pflog_modevent,
 340         0
 341 };
 342
 343 DECLARE_MODULE(pflog, pflog_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
 344 MODULE_VERSION(pflog, PFLOG_MODVER);
 345 /* Do not run before pf is initialized. */
 346 MODULE_DEPEND(pflog, pf, PF_MODVER, PF_MODVER, PF_MODVER);