search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix numerous compiler warnings and format conversion specifiers.
[dragonfly.git] / sys / contrib / ipfilter / netinet / ip_auth.c
blobde45f31be7627fa6e411f57d57bfb27584d9e917
1 /*
2 * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * @(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $
7 * $FreeBSD: src/sys/contrib/ipfilter/netinet/ip_auth.c,v 1.21.2.7 2003/03/01 03:55:54 darrenr Exp $
8 * $DragonFly: src/sys/contrib/ipfilter/netinet/ip_auth.c,v 1.9 2006/12/23 00:27:02 swildner Exp $
9 */
10 #if defined(__sgi) && (IRIX > 602)
11 # include <sys/ptimers.h>
12 #endif
13 #include <sys/errno.h>
14 #include <sys/types.h>
15 #include <sys/param.h>
16 #include <sys/time.h>
17 #include <sys/file.h>
18 #if !defined(_KERNEL) && !defined(KERNEL)
19 # include <stdio.h>
20 # include <stdlib.h>
21 # include <string.h>
22 #endif
23 #if (defined(KERNEL) || defined(_KERNEL)) && (defined(__DragonFly__) || __FreeBSD_version >= 220000)
24 # include <sys/filio.h>
25 # include <sys/fcntl.h>
26 #else
27 # include <sys/ioctl.h>
28 #endif
29 #ifndef linux
30 # include <sys/protosw.h>
31 #endif
32 #include <sys/socket.h>
33 #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
34 # include <sys/systm.h>
35 #endif
36 #if !defined(__SVR4) && !defined(__svr4__)
37 # ifndef linux
38 # include <sys/mbuf.h>
39 # endif
40 #else
41 # include <sys/filio.h>
42 # include <sys/byteorder.h>
43 # ifdef _KERNEL
44 # include <sys/dditypes.h>
45 # endif
46 # include <sys/stream.h>
47 # include <sys/kmem.h>
48 #endif
49 #if defined(__DragonFly__) || (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
50 # include <sys/queue.h>
51 #endif
52 #if defined(__DragonFly__) && defined(_KERNEL)
53 # include <sys/thread2.h>
54 #endif
55 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
56 # include <machine/cpu.h>
57 #endif
58 #include <net/if.h>
59 #ifdef sun
60 # include <net/af.h>
61 #endif
62 #include <net/route.h>
63 #include <netinet/in.h>
64 #include <netinet/in_systm.h>
65 #include <netinet/ip.h>
66 #ifndef KERNEL
67 # define KERNEL
68 # define NOT_KERNEL
69 #endif
70 #ifndef linux
71 # include <netinet/ip_var.h>
72 #endif
73 #ifdef NOT_KERNEL
74 # undef KERNEL
75 #endif
76 #ifdef __sgi
77 # ifdef IFF_DRVRLOCK /* IRIX6 */
78 # include <sys/hashing.h>
79 # endif
80 #endif
81 #include <netinet/tcp.h>
82 #if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
83 extern struct ifqueue ipintrq; /* ip packet input queue */
84 #else
85 # ifndef linux
86 # if defined(__DragonFly__) || __FreeBSD_version >= 300000
87 # include <net/if_var.h>
88 # endif
89 # include <netinet/in_var.h>
90 # include <netinet/tcp_fsm.h>
91 # endif
92 #endif
93 #include <netinet/udp.h>
94 #include <netinet/ip_icmp.h>
95 #include "ip_compat.h"
96 #include <netinet/tcpip.h>
97 #include "ip_fil.h"
98 #include "ip_auth.h"
99 #if !SOLARIS && !defined(linux)
100 # include <net/netisr.h>
101 # if defined(__DragonFly__) || defined(__FreeBSD__)
102 # include <machine/cpufunc.h>
103 # endif
104 #endif
105 #if defined(__DragonFly__) || (__FreeBSD_version >= 300000)
106 # include <sys/malloc.h>
107 # if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
108 # include <sys/libkern.h>
109 # include <sys/systm.h>
110 # endif
111 #endif
112
113 #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
114 extern KRWLOCK_T ipf_auth, ipf_mutex;
115 extern kmutex_t ipf_authmx;
116 # if SOLARIS
117 extern kcondvar_t ipfauthwait;
118 # endif
119 #endif
120 #ifdef linux
121 static struct wait_queue *ipfauthwait = NULL;
122 #endif
123
124 #ifndef _KERNEL
125 #define kprintf printf
126 #endif
127
128 int fr_authsize = FR_NUMAUTH;
129 int fr_authused = 0;
130 int fr_defaultauthage = 600;
131 int fr_auth_lock = 0;
132 fr_authstat_t fr_authstats;
133 static frauth_t fr_auth[FR_NUMAUTH];
134 mb_t *fr_authpkts[FR_NUMAUTH];
135 static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
136 static frauthent_t *fae_list = NULL;
137 frentry_t *ipauth = NULL,
138 *fr_authlist = NULL;
139
140
141 /*
142 * Check if a packet has authorization. If the packet is found to match an
143 * authorization result and that would result in a feedback loop (i.e. it
144 * will end up returning FR_AUTH) then return FR_BLOCK instead.
145 */
146 u_32_t fr_checkauth(ip, fin)
147 ip_t *ip;
148 fr_info_t *fin;
149 {
150 u_short id = ip->ip_id;
151 frentry_t *fr;
152 frauth_t *fra;
153 u_32_t pass;
154 int i;
155
156 if (fr_auth_lock || !fr_authused)
157 return 0;
158
159 READ_ENTER(&ipf_auth);
160 for (i = fr_authstart; i != fr_authend; ) {
161 /*
162 * index becomes -2 only after an SIOCAUTHW. Check this in
163 * case the same packet gets sent again and it hasn't yet been
164 * auth'd.
165 */
166 fra = fr_auth + i;
167 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
168 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
169 /*
170 * Avoid feedback loop.
171 */
172 if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
173 pass = FR_BLOCK;
174 /*
175 * Create a dummy rule for the stateful checking to
176 * use and return. Zero out any values we don't
177 * trust from userland!
178 */
179 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
180 (fin->fin_fi.fi_fl & FI_FRAG))) {
181 KMALLOC(fr, frentry_t *);
182 if (fr) {
183 bcopy((char *)fra->fra_info.fin_fr,
184 fr, sizeof(*fr));
185 fr->fr_grp = NULL;
186 fr->fr_ifa = fin->fin_ifp;
187 fr->fr_func = NULL;
188 fr->fr_ref = 1;
189 fr->fr_flags = pass;
190 #if BSD >= 199306
191 fr->fr_oifa = NULL;
192 #endif
193 }
194 } else
195 fr = fra->fra_info.fin_fr;
196 fin->fin_fr = fr;
197 RWLOCK_EXIT(&ipf_auth);
198 WRITE_ENTER(&ipf_auth);
199 if (fr && fr != fra->fra_info.fin_fr) {
200 fr->fr_next = fr_authlist;
201 fr_authlist = fr;
202 }
203 fr_authstats.fas_hits++;
204 fra->fra_index = -1;
205 fr_authused--;
206 if (i == fr_authstart) {
207 while (fra->fra_index == -1) {
208 i++;
209 fra++;
210 if (i == FR_NUMAUTH) {
211 i = 0;
212 fra = fr_auth;
213 }
214 fr_authstart = i;
215 if (i == fr_authend)
216 break;
217 }
218 if (fr_authstart == fr_authend) {
219 fr_authnext = 0;
220 fr_authstart = fr_authend = 0;
221 }
222 }
223 RWLOCK_EXIT(&ipf_auth);
224 return pass;
225 }
226 i++;
227 if (i == FR_NUMAUTH)
228 i = 0;
229 }
230 fr_authstats.fas_miss++;
231 RWLOCK_EXIT(&ipf_auth);
232 return 0;
233 }
234
235
236 /*
237 * Check if we have room in the auth array to hold details for another packet.
238 * If we do, store it and wake up any user programs which are waiting to
239 * hear about these events.
240 */
241 int fr_newauth(m, fin, ip)
242 mb_t *m;
243 fr_info_t *fin;
244 ip_t *ip;
245 {
246 #if defined(_KERNEL) && SOLARIS
247 qif_t *qif = fin->fin_qif;
248 #endif
249 frauth_t *fra;
250 int i;
251
252 if (fr_auth_lock)
253 return 0;
254
255 WRITE_ENTER(&ipf_auth);
256 if (fr_authstart > fr_authend) {
257 fr_authstats.fas_nospace++;
258 RWLOCK_EXIT(&ipf_auth);
259 return 0;
260 } else {
261 if (fr_authused == FR_NUMAUTH) {
262 fr_authstats.fas_nospace++;
263 RWLOCK_EXIT(&ipf_auth);
264 return 0;
265 }
266 }
267
268 fr_authstats.fas_added++;
269 fr_authused++;
270 i = fr_authend++;
271 if (fr_authend == FR_NUMAUTH)
272 fr_authend = 0;
273 RWLOCK_EXIT(&ipf_auth);
274 fra = fr_auth + i;
275 fra->fra_index = i;
276 fra->fra_pass = 0;
277 fra->fra_age = fr_defaultauthage;
278 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
279 #if SOLARIS && defined(_KERNEL)
280 # if !defined(sparc)
281 /*
282 * No need to copyback here as we want to undo the changes, not keep
283 * them.
284 */
285 if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
286 {
287 u_short bo;
288
289 bo = ip->ip_len;
290 ip->ip_len = htons(bo);
291 bo = ip->ip_off;
292 ip->ip_off = htons(bo);
293 }
294 # endif
295 m->b_rptr -= qif->qf_off;
296 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
297 fra->fra_q = qif->qf_q;
298 cv_signal(&ipfauthwait);
299 #else
300 # if defined(BSD) && !defined(sparc) && (BSD >= 199306)
301 if (fin->fin_out == 0) {
302 ip->ip_len = htons(ip->ip_len);
303 ip->ip_off = htons(ip->ip_off);
304 }
305 # endif
306 fr_authpkts[i] = m;
307 WAKEUP(&fr_authnext);
308 #endif
309 return 1;
310 }
311
312
313 int fr_auth_ioctl(data, mode, cmd)
314 caddr_t data;
315 int mode;
316 #if defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
317 u_long cmd;
318 #else
319 int cmd;
320 #endif
321 {
322 mb_t *m;
323 #if defined(_KERNEL) && !SOLARIS
324 #if !defined(__DragonFly__) && !defined(__FreeBSD__)
325 struct ifqueue *ifq;
326 #endif
327 #if !defined(__DragonFly__)
328 int s;
329 #endif
330 #endif
331 frauth_t auth, *au = &auth, *fra;
332 int i, error = 0;
333
334 switch (cmd)
335 {
336 case SIOCSTLCK :
337 if (!(mode & FWRITE)) {
338 error = EPERM;
339 break;
340 }
341 error = fr_lock(data, &fr_auth_lock);
342 break;
343 case SIOCINIFR :
344 case SIOCRMIFR :
345 case SIOCADIFR :
346 error = EINVAL;
347 break;
348 case SIOCINAFR :
349 error = EINVAL;
350 break;
351 case SIOCRMAFR :
352 case SIOCADAFR :
353 /* These commands go via request to fr_preauthcmd */
354 error = EINVAL;
355 break;
356 case SIOCATHST:
357 fr_authstats.fas_faelist = fae_list;
358 error = IWCOPYPTR((char *)&fr_authstats, data,
359 sizeof(fr_authstats));
360 break;
361 case SIOCAUTHW:
362 if (!(mode & FWRITE)) {
363 error = EPERM;
364 break;
365 }
366 fr_authioctlloop:
367 READ_ENTER(&ipf_auth);
368 if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
369 error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
370 sizeof(frauth_t));
371 RWLOCK_EXIT(&ipf_auth);
372 if (error)
373 break;
374 WRITE_ENTER(&ipf_auth);
375 SPL_NET(s);
376 fr_authnext++;
377 if (fr_authnext == FR_NUMAUTH)
378 fr_authnext = 0;
379 SPL_X(s);
380 RWLOCK_EXIT(&ipf_auth);
381 return 0;
382 }
383 RWLOCK_EXIT(&ipf_auth);
384 #ifdef _KERNEL
385 # if SOLARIS
386 mutex_enter(&ipf_authmx);
387 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
388 mutex_exit(&ipf_authmx);
389 return EINTR;
390 }
391 mutex_exit(&ipf_authmx);
392 # else
393 error = SLEEP(&fr_authnext, "fr_authnext");
394 # endif
395 #endif
396 if (!error)
397 goto fr_authioctlloop;
398 break;
399 case SIOCAUTHR:
400 if (!(mode & FWRITE)) {
401 error = EPERM;
402 break;
403 }
404 error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
405 if (error)
406 return error;
407 WRITE_ENTER(&ipf_auth);
408 SPL_NET(s);
409 i = au->fra_index;
410 fra = fr_auth + i;
411 if ((i < 0) || (i > FR_NUMAUTH) ||
412 (fra->fra_info.fin_id != au->fra_info.fin_id)) {
413 SPL_X(s);
414 RWLOCK_EXIT(&ipf_auth);
415 return EINVAL;
416 }
417 m = fr_authpkts[i];
418 fra->fra_index = -2;
419 fra->fra_pass = au->fra_pass;
420 fr_authpkts[i] = NULL;
421 RWLOCK_EXIT(&ipf_auth);
422 #ifdef _KERNEL
423 if (m && au->fra_info.fin_out) {
424 # if SOLARIS
425 error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;
426 # else /* SOLARIS */
427 struct route ro;
428
429 bzero((char *)&ro, sizeof(ro));
430 # if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
431 defined(__DragonFly__) || defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605)) || \
432 (__FreeBSD_version >= 470102)
433 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
434 NULL);
435 # else
436 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
437 # endif
438 if (ro.ro_rt) {
439 RTFREE(ro.ro_rt);
440 }
441 # endif /* SOLARIS */
442 if (error)
443 fr_authstats.fas_sendfail++;
444 else
445 fr_authstats.fas_sendok++;
446 } else if (m) {
447 # if SOLARIS
448 error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0;
449 # else /* SOLARIS */
450 # if defined(__DragonFly__) || defined(__FreeBSD__)
451 error = netisr_queue(NETISR_IP, m);
452 # else
453 ifq = &ipintrq;
454 if (IF_QFULL(ifq)) {
455 IF_DROP(ifq);
456 m_freem(m);
457 error = ENOBUFS;
458 } else {
459 IF_ENQUEUE(ifq, m);
460 # if IRIX < 605
461 schednetisr(NETISR_IP);
462 # endif
463 }
464 # endif
465 # endif /* !SOLARIS */
466 if (error)
467 fr_authstats.fas_quefail++;
468 else
469 fr_authstats.fas_queok++;
470 } else
471 error = EINVAL;
472 # if SOLARIS
473 if (error)
474 error = EINVAL;
475 # else
476 /*
477 * If we experience an error which will result in the packet
478 * not being processed, make sure we advance to the next one.
479 */
480 if (error == ENOBUFS) {
481 fr_authused--;
482 fra->fra_index = -1;
483 fra->fra_pass = 0;
484 if (i == fr_authstart) {
485 while (fra->fra_index == -1) {
486 i++;
487 if (i == FR_NUMAUTH)
488 i = 0;
489 fr_authstart = i;
490 if (i == fr_authend)
491 break;
492 }
493 if (fr_authstart == fr_authend) {
494 fr_authnext = 0;
495 fr_authstart = fr_authend = 0;
496 }
497 }
498 }
499 # endif
500 #endif /* _KERNEL */
501 SPL_X(s);
502 break;
503 default :
504 error = EINVAL;
505 break;
506 }
507 return error;
508 }
509
510
511 /*
512 * Free all network buffer memory used to keep saved packets.
513 */
514 void fr_authunload()
515 {
516 int i;
517 frauthent_t *fae, **faep;
518 frentry_t *fr, **frp;
519 mb_t *m;
520
521 WRITE_ENTER(&ipf_auth);
522 for (i = 0; i < FR_NUMAUTH; i++) {
523 if ((m = fr_authpkts[i])) {
524 FREE_MB_T(m);
525 fr_authpkts[i] = NULL;
526 fr_auth[i].fra_index = -1;
527 }
528 }
529
530
531 for (faep = &fae_list; (fae = *faep); ) {
532 *faep = fae->fae_next;
533 KFREE(fae);
534 }
535 ipauth = NULL;
536 RWLOCK_EXIT(&ipf_auth);
537
538 if (fr_authlist) {
539 /*
540 * We *MuST* reget ipf_auth because otherwise we won't get the
541 * locks in the right order and risk deadlock.
542 * We need ipf_mutex here to prevent a rule from using it
543 * inside fr_check().
544 */
545 WRITE_ENTER(&ipf_mutex);
546 WRITE_ENTER(&ipf_auth);
547 for (frp = &fr_authlist; (fr = *frp); ) {
548 if (fr->fr_ref == 1) {
549 *frp = fr->fr_next;
550 KFREE(fr);
551 } else
552 frp = &fr->fr_next;
553 }
554 RWLOCK_EXIT(&ipf_auth);
555 RWLOCK_EXIT(&ipf_mutex);
556 }
557 }
558
559
560 /*
561 * Slowly expire held auth records. Timeouts are set
562 * in expectation of this being called twice per second.
563 */
564 void fr_authexpire()
565 {
566 int i;
567 frauth_t *fra;
568 frauthent_t *fae, **faep;
569 frentry_t *fr, **frp;
570 mb_t *m;
571 #if !SOLARIS && defined(_KERNEL) && !defined(__DragonFly__)
572 int s;
573 #endif
574
575 if (fr_auth_lock)
576 return;
577
578 SPL_NET(s);
579 WRITE_ENTER(&ipf_auth);
580 for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
581 if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
582 FREE_MB_T(m);
583 fr_authpkts[i] = NULL;
584 fr_auth[i].fra_index = -1;
585 fr_authstats.fas_expire++;
586 fr_authused--;
587 }
588 }
589
590 for (faep = &fae_list; (fae = *faep); ) {
591 if (!--fae->fae_age) {
592 *faep = fae->fae_next;
593 KFREE(fae);
594 fr_authstats.fas_expire++;
595 } else
596 faep = &fae->fae_next;
597 }
598 if (fae_list != NULL)
599 ipauth = &fae_list->fae_fr;
600 else
601 ipauth = NULL;
602
603 for (frp = &fr_authlist; (fr = *frp); ) {
604 if (fr->fr_ref == 1) {
605 *frp = fr->fr_next;
606 KFREE(fr);
607 } else
608 frp = &fr->fr_next;
609 }
610 RWLOCK_EXIT(&ipf_auth);
611 SPL_X(s);
612 }
613
614 int fr_preauthcmd(cmd, fr, frptr)
615 #if defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__) || \
616 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
617 u_long cmd;
618 #else
619 int cmd;
620 #endif
621 frentry_t *fr, **frptr;
622 {
623 frauthent_t *fae, **faep;
624 int error = 0;
625 #if defined(KERNEL) && !SOLARIS && !defined(__DragonFly__)
626 int s;
627 #endif
628
629 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
630 /* Should not happen */
631 kprintf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
632 return EIO;
633 }
634
635 for (faep = &fae_list; (fae = *faep); )
636 if (&fae->fae_fr == fr)
637 break;
638 else
639 faep = &fae->fae_next;
640 if (cmd == SIOCRMAFR) {
641 if (!fr || !frptr)
642 error = EINVAL;
643 else if (!fae)
644 error = ESRCH;
645 else {
646 WRITE_ENTER(&ipf_auth);
647 SPL_NET(s);
648 *faep = fae->fae_next;
649 *frptr = fr->fr_next;
650 SPL_X(s);
651 RWLOCK_EXIT(&ipf_auth);
652 KFREE(fae);
653 }
654 } else if (fr && frptr) {
655 KMALLOC(fae, frauthent_t *);
656 if (fae != NULL) {
657 bcopy((char *)fr, (char *)&fae->fae_fr,
658 sizeof(*fr));
659 WRITE_ENTER(&ipf_auth);
660 SPL_NET(s);
661 fae->fae_age = fr_defaultauthage;
662 fae->fae_fr.fr_hits = 0;
663 fae->fae_fr.fr_next = *frptr;
664 *frptr = &fae->fae_fr;
665 fae->fae_next = *faep;
666 *faep = fae;
667 ipauth = &fae_list->fae_fr;
668 SPL_X(s);
669 RWLOCK_EXIT(&ipf_auth);
670 } else
671 error = ENOMEM;
672 } else
673 error = EINVAL;
674 return error;
675 }
DragonFly BSD