2 * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
4 * See the IPFILTER.LICENCE file for details on licencing.
6 * @(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $
7 * $FreeBSD: src/sys/contrib/ipfilter/netinet/ip_auth.c,v 1.21.2.7 2003/03/01 03:55:54 darrenr Exp $
8 * $DragonFly: src/sys/contrib/ipfilter/netinet/ip_auth.c,v 1.9 2006/12/23 00:27:02 swildner Exp $
10 #if defined(__sgi) && (IRIX > 602)
11 # include <sys/ptimers.h>
13 #include <sys/errno.h>
14 #include <sys/types.h>
15 #include <sys/param.h>
18 #if !defined(_KERNEL) && !defined(KERNEL)
23 #if (defined(KERNEL) || defined(_KERNEL)) && (defined(__DragonFly__) || __FreeBSD_version >= 220000)
24 # include <sys/filio.h>
25 # include <sys/fcntl.h>
27 # include <sys/ioctl.h>
30 # include <sys/protosw.h>
32 #include <sys/socket.h>
33 #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
34 # include <sys/systm.h>
36 #if !defined(__SVR4) && !defined(__svr4__)
38 # include <sys/mbuf.h>
41 # include <sys/filio.h>
42 # include <sys/byteorder.h>
44 # include <sys/dditypes.h>
46 # include <sys/stream.h>
47 # include <sys/kmem.h>
49 #if defined(__DragonFly__) || (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
50 # include <sys/queue.h>
52 #if defined(__DragonFly__) && defined(_KERNEL)
53 # include <sys/thread2.h>
55 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
56 # include <machine/cpu.h>
62 #include <net/route.h>
63 #include <netinet/in.h>
64 #include <netinet/in_systm.h>
65 #include <netinet/ip.h>
71 # include <netinet/ip_var.h>
77 # ifdef IFF_DRVRLOCK /* IRIX6 */
78 # include <sys/hashing.h>
81 #include <netinet/tcp.h>
82 #if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
83 extern struct ifqueue ipintrq
; /* ip packet input queue */
86 # if defined(__DragonFly__) || __FreeBSD_version >= 300000
87 # include <net/if_var.h>
89 # include <netinet/in_var.h>
90 # include <netinet/tcp_fsm.h>
93 #include <netinet/udp.h>
94 #include <netinet/ip_icmp.h>
95 #include "ip_compat.h"
96 #include <netinet/tcpip.h>
99 #if !SOLARIS && !defined(linux)
100 # include <net/netisr.h>
101 # if defined(__DragonFly__) || defined(__FreeBSD__)
102 # include <machine/cpufunc.h>
105 #if defined(__DragonFly__) || (__FreeBSD_version >= 300000)
106 # include <sys/malloc.h>
107 # if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
108 # include <sys/libkern.h>
109 # include <sys/systm.h>
113 #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
114 extern KRWLOCK_T ipf_auth
, ipf_mutex
;
115 extern kmutex_t ipf_authmx
;
117 extern kcondvar_t ipfauthwait
;
121 static struct wait_queue
*ipfauthwait
= NULL
;
125 #define kprintf printf
128 int fr_authsize
= FR_NUMAUTH
;
130 int fr_defaultauthage
= 600;
131 int fr_auth_lock
= 0;
132 fr_authstat_t fr_authstats
;
133 static frauth_t fr_auth
[FR_NUMAUTH
];
134 mb_t
*fr_authpkts
[FR_NUMAUTH
];
135 static int fr_authstart
= 0, fr_authend
= 0, fr_authnext
= 0;
136 static frauthent_t
*fae_list
= NULL
;
137 frentry_t
*ipauth
= NULL
,
142 * Check if a packet has authorization. If the packet is found to match an
143 * authorization result and that would result in a feedback loop (i.e. it
144 * will end up returning FR_AUTH) then return FR_BLOCK instead.
146 u_32_t
fr_checkauth(ip
, fin
)
150 u_short id
= ip
->ip_id
;
156 if (fr_auth_lock
|| !fr_authused
)
159 READ_ENTER(&ipf_auth
);
160 for (i
= fr_authstart
; i
!= fr_authend
; ) {
162 * index becomes -2 only after an SIOCAUTHW. Check this in
163 * case the same packet gets sent again and it hasn't yet been
167 if ((fra
->fra_index
== -2) && (id
== fra
->fra_info
.fin_id
) &&
168 !bcmp((char *)fin
, (char *)&fra
->fra_info
, FI_CSIZE
)) {
170 * Avoid feedback loop.
172 if (!(pass
= fra
->fra_pass
) || (pass
& FR_AUTH
))
175 * Create a dummy rule for the stateful checking to
176 * use and return. Zero out any values we don't
177 * trust from userland!
179 if ((pass
& FR_KEEPSTATE
) || ((pass
& FR_KEEPFRAG
) &&
180 (fin
->fin_fi
.fi_fl
& FI_FRAG
))) {
181 KMALLOC(fr
, frentry_t
*);
183 bcopy((char *)fra
->fra_info
.fin_fr
,
186 fr
->fr_ifa
= fin
->fin_ifp
;
195 fr
= fra
->fra_info
.fin_fr
;
197 RWLOCK_EXIT(&ipf_auth
);
198 WRITE_ENTER(&ipf_auth
);
199 if (fr
&& fr
!= fra
->fra_info
.fin_fr
) {
200 fr
->fr_next
= fr_authlist
;
203 fr_authstats
.fas_hits
++;
206 if (i
== fr_authstart
) {
207 while (fra
->fra_index
== -1) {
210 if (i
== FR_NUMAUTH
) {
218 if (fr_authstart
== fr_authend
) {
220 fr_authstart
= fr_authend
= 0;
223 RWLOCK_EXIT(&ipf_auth
);
230 fr_authstats
.fas_miss
++;
231 RWLOCK_EXIT(&ipf_auth
);
237 * Check if we have room in the auth array to hold details for another packet.
238 * If we do, store it and wake up any user programs which are waiting to
239 * hear about these events.
241 int fr_newauth(m
, fin
, ip
)
246 #if defined(_KERNEL) && SOLARIS
247 qif_t
*qif
= fin
->fin_qif
;
255 WRITE_ENTER(&ipf_auth
);
256 if (fr_authstart
> fr_authend
) {
257 fr_authstats
.fas_nospace
++;
258 RWLOCK_EXIT(&ipf_auth
);
261 if (fr_authused
== FR_NUMAUTH
) {
262 fr_authstats
.fas_nospace
++;
263 RWLOCK_EXIT(&ipf_auth
);
268 fr_authstats
.fas_added
++;
271 if (fr_authend
== FR_NUMAUTH
)
273 RWLOCK_EXIT(&ipf_auth
);
277 fra
->fra_age
= fr_defaultauthage
;
278 bcopy((char *)fin
, (char *)&fra
->fra_info
, sizeof(*fin
));
279 #if SOLARIS && defined(_KERNEL)
282 * No need to copyback here as we want to undo the changes, not keep
285 if ((ip
== (ip_t
*)m
->b_rptr
) && (ip
->ip_v
== 4))
290 ip
->ip_len
= htons(bo
);
292 ip
->ip_off
= htons(bo
);
295 m
->b_rptr
-= qif
->qf_off
;
296 fr_authpkts
[i
] = *(mblk_t
**)fin
->fin_mp
;
297 fra
->fra_q
= qif
->qf_q
;
298 cv_signal(&ipfauthwait
);
300 # if defined(BSD) && !defined(sparc) && (BSD >= 199306)
301 if (fin
->fin_out
== 0) {
302 ip
->ip_len
= htons(ip
->ip_len
);
303 ip
->ip_off
= htons(ip
->ip_off
);
307 WAKEUP(&fr_authnext
);
313 int fr_auth_ioctl(data
, mode
, cmd
)
316 #if defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
323 #if defined(_KERNEL) && !SOLARIS
324 #if !defined(__DragonFly__) && !defined(__FreeBSD__)
327 #if !defined(__DragonFly__)
331 frauth_t auth
, *au
= &auth
, *fra
;
337 if (!(mode
& FWRITE
)) {
341 error
= fr_lock(data
, &fr_auth_lock
);
353 /* These commands go via request to fr_preauthcmd */
357 fr_authstats
.fas_faelist
= fae_list
;
358 error
= IWCOPYPTR((char *)&fr_authstats
, data
,
359 sizeof(fr_authstats
));
362 if (!(mode
& FWRITE
)) {
367 READ_ENTER(&ipf_auth
);
368 if ((fr_authnext
!= fr_authend
) && fr_authpkts
[fr_authnext
]) {
369 error
= IWCOPYPTR((char *)&fr_auth
[fr_authnext
], data
,
371 RWLOCK_EXIT(&ipf_auth
);
374 WRITE_ENTER(&ipf_auth
);
377 if (fr_authnext
== FR_NUMAUTH
)
380 RWLOCK_EXIT(&ipf_auth
);
383 RWLOCK_EXIT(&ipf_auth
);
386 mutex_enter(&ipf_authmx
);
387 if (!cv_wait_sig(&ipfauthwait
, &ipf_authmx
)) {
388 mutex_exit(&ipf_authmx
);
391 mutex_exit(&ipf_authmx
);
393 error
= SLEEP(&fr_authnext
, "fr_authnext");
397 goto fr_authioctlloop
;
400 if (!(mode
& FWRITE
)) {
404 error
= IRCOPYPTR(data
, (caddr_t
)&auth
, sizeof(auth
));
407 WRITE_ENTER(&ipf_auth
);
411 if ((i
< 0) || (i
> FR_NUMAUTH
) ||
412 (fra
->fra_info
.fin_id
!= au
->fra_info
.fin_id
)) {
414 RWLOCK_EXIT(&ipf_auth
);
419 fra
->fra_pass
= au
->fra_pass
;
420 fr_authpkts
[i
] = NULL
;
421 RWLOCK_EXIT(&ipf_auth
);
423 if (m
&& au
->fra_info
.fin_out
) {
425 error
= (fr_qout(fra
->fra_q
, m
) == 0) ? EINVAL
: 0;
429 bzero((char *)&ro
, sizeof(ro
));
430 # if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
431 defined(__DragonFly__) || defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605)) || \
432 (__FreeBSD_version >= 470102)
433 error
= ip_output(m
, NULL
, &ro
, IP_FORWARDING
, NULL
,
436 error
= ip_output(m
, NULL
, &ro
, IP_FORWARDING
, NULL
);
441 # endif /* SOLARIS */
443 fr_authstats
.fas_sendfail
++;
445 fr_authstats
.fas_sendok
++;
448 error
= (fr_qin(fra
->fra_q
, m
) == 0) ? EINVAL
: 0;
450 # if defined(__DragonFly__) || defined(__FreeBSD__)
451 error
= netisr_queue(NETISR_IP
, m
);
461 schednetisr(NETISR_IP
);
465 # endif /* !SOLARIS */
467 fr_authstats
.fas_quefail
++;
469 fr_authstats
.fas_queok
++;
477 * If we experience an error which will result in the packet
478 * not being processed, make sure we advance to the next one.
480 if (error
== ENOBUFS
) {
484 if (i
== fr_authstart
) {
485 while (fra
->fra_index
== -1) {
493 if (fr_authstart
== fr_authend
) {
495 fr_authstart
= fr_authend
= 0;
512 * Free all network buffer memory used to keep saved packets.
517 frauthent_t
*fae
, **faep
;
518 frentry_t
*fr
, **frp
;
521 WRITE_ENTER(&ipf_auth
);
522 for (i
= 0; i
< FR_NUMAUTH
; i
++) {
523 if ((m
= fr_authpkts
[i
])) {
525 fr_authpkts
[i
] = NULL
;
526 fr_auth
[i
].fra_index
= -1;
531 for (faep
= &fae_list
; (fae
= *faep
); ) {
532 *faep
= fae
->fae_next
;
536 RWLOCK_EXIT(&ipf_auth
);
540 * We *MuST* reget ipf_auth because otherwise we won't get the
541 * locks in the right order and risk deadlock.
542 * We need ipf_mutex here to prevent a rule from using it
545 WRITE_ENTER(&ipf_mutex
);
546 WRITE_ENTER(&ipf_auth
);
547 for (frp
= &fr_authlist
; (fr
= *frp
); ) {
548 if (fr
->fr_ref
== 1) {
554 RWLOCK_EXIT(&ipf_auth
);
555 RWLOCK_EXIT(&ipf_mutex
);
561 * Slowly expire held auth records. Timeouts are set
562 * in expectation of this being called twice per second.
568 frauthent_t
*fae
, **faep
;
569 frentry_t
*fr
, **frp
;
571 #if !SOLARIS && defined(_KERNEL) && !defined(__DragonFly__)
579 WRITE_ENTER(&ipf_auth
);
580 for (i
= 0, fra
= fr_auth
; i
< FR_NUMAUTH
; i
++, fra
++) {
581 if ((!--fra
->fra_age
) && (m
= fr_authpkts
[i
])) {
583 fr_authpkts
[i
] = NULL
;
584 fr_auth
[i
].fra_index
= -1;
585 fr_authstats
.fas_expire
++;
590 for (faep
= &fae_list
; (fae
= *faep
); ) {
591 if (!--fae
->fae_age
) {
592 *faep
= fae
->fae_next
;
594 fr_authstats
.fas_expire
++;
596 faep
= &fae
->fae_next
;
598 if (fae_list
!= NULL
)
599 ipauth
= &fae_list
->fae_fr
;
603 for (frp
= &fr_authlist
; (fr
= *frp
); ) {
604 if (fr
->fr_ref
== 1) {
610 RWLOCK_EXIT(&ipf_auth
);
614 int fr_preauthcmd(cmd
, fr
, frptr
)
615 #if defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__) || \
616 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
621 frentry_t
*fr
, **frptr
;
623 frauthent_t
*fae
, **faep
;
625 #if defined(KERNEL) && !SOLARIS && !defined(__DragonFly__)
629 if ((cmd
!= SIOCADAFR
) && (cmd
!= SIOCRMAFR
)) {
630 /* Should not happen */
631 kprintf("fr_preauthcmd called with bad cmd 0x%lx", (u_long
)cmd
);
635 for (faep
= &fae_list
; (fae
= *faep
); )
636 if (&fae
->fae_fr
== fr
)
639 faep
= &fae
->fae_next
;
640 if (cmd
== SIOCRMAFR
) {
646 WRITE_ENTER(&ipf_auth
);
648 *faep
= fae
->fae_next
;
649 *frptr
= fr
->fr_next
;
651 RWLOCK_EXIT(&ipf_auth
);
654 } else if (fr
&& frptr
) {
655 KMALLOC(fae
, frauthent_t
*);
657 bcopy((char *)fr
, (char *)&fae
->fae_fr
,
659 WRITE_ENTER(&ipf_auth
);
661 fae
->fae_age
= fr_defaultauthage
;
662 fae
->fae_fr
.fr_hits
= 0;
663 fae
->fae_fr
.fr_next
= *frptr
;
664 *frptr
= &fae
->fae_fr
;
665 fae
->fae_next
= *faep
;
667 ipauth
= &fae_list
->fae_fr
;
669 RWLOCK_EXIT(&ipf_auth
);