search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
More minor IPI work.
[dragonfly/vkernel-mp.git] / sys / net / ipfw / ip_fw.c
blob47dfb66518620128b672cc642aa98a767d499fc4
1 /*
2 * Copyright (c) 1993 Daniel Boulet
3 * Copyright (c) 1994 Ugen J.S.Antsilevich
4 * Copyright (c) 1996 Alex Nash
5 * Copyright (c) 2000-2001 Luigi Rizzo
6 *
7 * Redistribution and use in source forms, with and without modification,
8 * are permitted provided that this entire comment appears intact.
9 *
10 * Redistribution in binary form may occur without any restrictions.
11 * Obviously, it would be nice if you gave credit where credit is due
12 * but requiring it would be too onerous.
13 *
14 * This software is provided ``AS IS'' without any warranties of any kind.
15 *
16 * $FreeBSD: src/sys/netinet/ip_fw.c,v 1.131.2.39 2003/01/20 02:23:07 iedowse Exp $
17 * $DragonFly: src/sys/net/ipfw/ip_fw.c,v 1.22 2006/12/23 00:44:56 swildner Exp $
18 */
19
20 #define DEB(x)
21 #define DDB(x) x
22
23 /*
24 * Implement IP packet firewall
25 */
26
27 #if !defined(KLD_MODULE)
28 #include "opt_ipfw.h"
29 #include "opt_ipdn.h"
30 #include "opt_ipdivert.h"
31 #include "opt_inet.h"
32 #ifndef INET
33 #error IPFIREWALL requires INET.
34 #endif /* INET */
35 #endif
36
37 #if !(IPFW2)
38
39 #include <sys/param.h>
40 #include <sys/systm.h>
41 #include <sys/malloc.h>
42 #include <sys/mbuf.h>
43 #include <sys/kernel.h>
44 #include <sys/proc.h>
45 #include <sys/socket.h>
46 #include <sys/socketvar.h>
47 #include <sys/sysctl.h>
48 #include <sys/syslog.h>
49 #include <sys/thread2.h>
50 #include <sys/ucred.h>
51 #include <net/if.h>
52 #include <net/route.h>
53 #include <netinet/in.h>
54 #include <netinet/in_systm.h>
55 #include <netinet/in_var.h>
56 #include <netinet/in_pcb.h>
57 #include <netinet/ip.h>
58 #include <netinet/ip_var.h>
59 #include <netinet/ip_icmp.h>
60 #include "ip_fw.h"
61 #include <net/dummynet/ip_dummynet.h>
62 #include <netinet/tcp.h>
63 #include <netinet/tcp_timer.h>
64 #include <netinet/tcp_var.h>
65 #include <netinet/tcpip.h>
66 #include <netinet/udp.h>
67 #include <netinet/udp_var.h>
68
69 #include <netinet/if_ether.h> /* XXX ethertype_ip */
70
71 static int fw_debug = 1;
72 #ifdef IPFIREWALL_VERBOSE
73 static int fw_verbose = 1;
74 #else
75 static int fw_verbose = 0;
76 #endif
77 #ifdef IPFIREWALL_VERBOSE_LIMIT
78 static int fw_verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
79 #else
80 static int fw_verbose_limit = 0;
81 #endif
82
83 /*
84 * Right now, two fields in the IP header are changed to host format
85 * by the IP layer before calling the firewall. Ideally, we would like
86 * to have them in network format so that the packet can be
87 * used as it comes from the device driver (and is thus readonly).
88 */
89
90 static u_int64_t counter; /* counter for ipfw_report(NULL...) */
91
92 #define IPFW_DEFAULT_RULE ((u_int)(u_short)~0)
93
94 LIST_HEAD (ip_fw_head, ip_fw) ip_fw_chain_head;
95
96 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
97
98 #ifdef SYSCTL_NODE
99 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
100 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
101 &fw_enable, 0, "Enable ipfw");
102 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
103 &fw_one_pass, 0,
104 "Only do a single pass through ipfw when using dummynet(4)");
105 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW,
106 &fw_debug, 0, "Enable printing of debug ip_fw statements");
107 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW,
108 &fw_verbose, 0, "Log matches to ipfw rules");
109 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW,
110 &fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules logged");
111
112 /*
113 * Extension for stateful ipfw.
114 *
115 * Dynamic rules are stored in lists accessed through a hash table
116 * (ipfw_dyn_v) whose size is curr_dyn_buckets. This value can
117 * be modified through the sysctl variable dyn_buckets which is
118 * updated when the table becomes empty.
119 *
120 * XXX currently there is only one list, ipfw_dyn.
121 *
122 * When a packet is received, it is first hashed, then matched
123 * against the entries in the corresponding list.
124 * Matching occurs according to the rule type. The default is to
125 * match the four fields and the protocol, and rules are bidirectional.
126 *
127 * For a busy proxy/web server we will have lots of connections to
128 * the server. We could decide for a rule type where we ignore
129 * ports (different hashing) and avoid special SYN/RST/FIN handling.
130 *
131 * XXX when we decide to support more than one rule type, we should
132 * repeat the hashing multiple times uing only the useful fields.
133 * Or, we could run the various tests in parallel, because the
134 * 'move to front' technique should shorten the average search.
135 *
136 * The lifetime of dynamic rules is regulated by dyn_*_lifetime,
137 * measured in seconds and depending on the flags.
138 *
139 * The total number of dynamic rules is stored in dyn_count.
140 * The max number of dynamic rules is dyn_max. When we reach
141 * the maximum number of rules we do not create anymore. This is
142 * done to avoid consuming too much memory, but also too much
143 * time when searching on each packet (ideally, we should try instead
144 * to put a limit on the length of the list on each bucket...).
145 *
146 * Each dynamic rules holds a pointer to the parent ipfw rule so
147 * we know what action to perform. Dynamic rules are removed when
148 * the parent rule is deleted.
149 * There are some limitations with dynamic rules -- we do not
150 * obey the 'randomized match', and we do not do multiple
151 * passes through the firewall.
152 * XXX check the latter!!!
153 */
154 static struct ipfw_dyn_rule **ipfw_dyn_v = NULL ;
155 static u_int32_t dyn_buckets = 256 ; /* must be power of 2 */
156 static u_int32_t curr_dyn_buckets = 256 ; /* must be power of 2 */
157
158 /*
159 * timeouts for various events in handing dynamic rules.
160 */
161 static u_int32_t dyn_ack_lifetime = 300 ;
162 static u_int32_t dyn_syn_lifetime = 20 ;
163 static u_int32_t dyn_fin_lifetime = 1 ;
164 static u_int32_t dyn_rst_lifetime = 1 ;
165 static u_int32_t dyn_udp_lifetime = 10 ;
166 static u_int32_t dyn_short_lifetime = 5 ;
167
168 /*
169 * after reaching 0, dynamic rules are considered still valid for
170 * an additional grace time, unless there is lack of resources.
171 */
172 static u_int32_t dyn_grace_time = 10 ;
173
174 static u_int32_t static_count = 0 ; /* # of static rules */
175 static u_int32_t dyn_count = 0 ; /* # of dynamic rules */
176 static u_int32_t dyn_max = 1000 ; /* max # of dynamic rules */
177
178 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW,
179 &dyn_buckets, 0, "Number of dyn. buckets");
180 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD,
181 &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
182 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD,
183 &dyn_count, 0, "Number of dyn. rules");
184 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW,
185 &dyn_max, 0, "Max number of dyn. rules");
186 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD,
187 &static_count, 0, "Number of static rules");
188 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW,
189 &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
190 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW,
191 &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
192 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW,
193 &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin");
194 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW,
195 &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst");
196 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW,
197 &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP");
198 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW,
199 &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
200 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_grace_time, CTLFLAG_RD,
201 &dyn_grace_time, 0, "Grace time for dyn. rules");
202
203 #endif /* SYSCTL_NODE */
204
205 #define dprintf(a) do { \
206 if (fw_debug) \
207 kprintf a; \
208 } while (0)
209 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
210
211 static int add_entry (struct ip_fw_head *chainptr, struct ip_fw *frwl);
212 static int del_entry (struct ip_fw_head *chainptr, u_short number);
213 static int zero_entry (struct ip_fw *, int);
214 static int check_ipfw_struct (struct ip_fw *m);
215 static int iface_match (struct ifnet *ifp, union ip_fw_if *ifu,
216 int byname);
217 static int ipopts_match (struct ip *ip, struct ip_fw *f);
218 static __inline int
219 port_match (u_short *portptr, int nports, u_short port,
220 int range_flag, int mask);
221 static int tcpflg_match (struct tcphdr *tcp, struct ip_fw *f);
222 static int icmptype_match (struct icmp * icmp, struct ip_fw * f);
223 static void ipfw_report (struct ip_fw *f, struct ip *ip, int ip_off,
224 int ip_len, struct ifnet *rif,
225 struct ifnet *oif);
226
227 static void flush_rule_ptrs(void);
228
229 static ip_fw_chk_t ip_fw_chk;
230 static int ip_fw_ctl (struct sockopt *sopt);
231
232 ip_dn_ruledel_t *ip_dn_ruledel_ptr = NULL;
233
234 static char err_prefix[] = "ip_fw_ctl:";
235
236 /*
237 * Returns 1 if the port is matched by the vector, 0 otherwise
238 */
239 static __inline int
240 port_match(u_short *portptr, int nports, u_short port, int range_flag, int mask)
241 {
242 if (!nports)
243 return 1;
244 if (mask) {
245 if ( 0 == ((portptr[0] ^ port) & portptr[1]) )
246 return 1;
247 nports -= 2;
248 portptr += 2;
249 }
250 if (range_flag) {
251 if (portptr[0] <= port && port <= portptr[1])
252 return 1;
253 nports -= 2;
254 portptr += 2;
255 }
256 while (nports-- > 0)
257 if (*portptr++ == port)
258 return 1;
259 return 0;
260 }
261
262 static int
263 tcpflg_match(struct tcphdr *tcp, struct ip_fw *f)
264 {
265 u_char flg_set, flg_clr;
266
267 /*
268 * If an established connection is required, reject packets that
269 * have only SYN of RST|ACK|SYN set. Otherwise, fall through to
270 * other flag requirements.
271 */
272 if ((f->fw_ipflg & IP_FW_IF_TCPEST) &&
273 ((tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK |
274 IP_FW_TCPF_SYN)) == IP_FW_TCPF_SYN))
275 return 0;
276
277 flg_set = tcp->th_flags & f->fw_tcpf;
278 flg_clr = tcp->th_flags & f->fw_tcpnf;
279
280 if (flg_set != f->fw_tcpf)
281 return 0;
282 if (flg_clr)
283 return 0;
284
285 return 1;
286 }
287
288 static int
289 icmptype_match(struct icmp *icmp, struct ip_fw *f)
290 {
291 int type;
292
293 if (!(f->fw_flg & IP_FW_F_ICMPBIT))
294 return(1);
295
296 type = icmp->icmp_type;
297
298 /* check for matching type in the bitmap */
299 if (type < IP_FW_ICMPTYPES_MAX &&
300 (f->fw_uar.fw_icmptypes[type / (sizeof(unsigned) * NBBY)] &
301 (1U << (type % (sizeof(unsigned) * NBBY)))))
302 return(1);
303
304 return(0); /* no match */
305 }
306
307 static int
308 is_icmp_query(struct ip *ip)
309 {
310 const struct icmp *icmp;
311 int icmp_type;
312
313 icmp = (struct icmp *)((u_int32_t *)ip + ip->ip_hl);
314 icmp_type = icmp->icmp_type;
315
316 if (icmp_type == ICMP_ECHO || icmp_type == ICMP_ROUTERSOLICIT ||
317 icmp_type == ICMP_TSTAMP || icmp_type == ICMP_IREQ ||
318 icmp_type == ICMP_MASKREQ)
319 return(1);
320
321 return(0);
322 }
323
324 static int
325 ipopts_match(struct ip *ip, struct ip_fw *f)
326 {
327 u_char *cp;
328 int opt, optlen, cnt;
329 u_char opts, nopts, nopts_sve;
330
331 cp = (u_char *)(ip + 1);
332 cnt = (ip->ip_hl << 2) - sizeof (struct ip);
333 opts = f->fw_ipopt;
334 nopts = nopts_sve = f->fw_ipnopt;
335
336 for (; cnt > 0; cnt -= optlen, cp += optlen) {
337 opt = cp[IPOPT_OPTVAL];
338 if (opt == IPOPT_EOL)
339 break;
340 if (opt == IPOPT_NOP)
341 optlen = 1;
342 else {
343 optlen = cp[IPOPT_OLEN];
344 if (optlen <= 0 || optlen > cnt) {
345 return 0; /*XXX*/
346 }
347 }
348 switch (opt) {
349
350 default:
351 break;
352
353 case IPOPT_LSRR:
354 opts &= ~IP_FW_IPOPT_LSRR;
355 nopts &= ~IP_FW_IPOPT_LSRR;
356 break;
357
358 case IPOPT_SSRR:
359 opts &= ~IP_FW_IPOPT_SSRR;
360 nopts &= ~IP_FW_IPOPT_SSRR;
361 break;
362
363 case IPOPT_RR:
364 opts &= ~IP_FW_IPOPT_RR;
365 nopts &= ~IP_FW_IPOPT_RR;
366 break;
367 case IPOPT_TS:
368 opts &= ~IP_FW_IPOPT_TS;
369 nopts &= ~IP_FW_IPOPT_TS;
370 break;
371 }
372 if (opts == nopts)
373 break;
374 }
375 if (opts == 0 && nopts == nopts_sve)
376 return 1;
377 else
378 return 0;
379 }
380
381 static int
382 tcpopts_match(struct tcphdr *tcp, struct ip_fw *f)
383 {
384 u_char *cp;
385 int opt, optlen, cnt;
386 u_char opts, nopts, nopts_sve;
387
388 cp = (u_char *)(tcp + 1);
389 cnt = (tcp->th_off << 2) - sizeof (struct tcphdr);
390 opts = f->fw_tcpopt;
391 nopts = nopts_sve = f->fw_tcpnopt;
392
393 for (; cnt > 0; cnt -= optlen, cp += optlen) {
394 opt = cp[0];
395 if (opt == TCPOPT_EOL)
396 break;
397 if (opt == TCPOPT_NOP)
398 optlen = 1;
399 else {
400 optlen = cp[1];
401 if (optlen <= 0)
402 break;
403 }
404
405
406 switch (opt) {
407
408 default:
409 break;
410
411 case TCPOPT_MAXSEG:
412 opts &= ~IP_FW_TCPOPT_MSS;
413 nopts &= ~IP_FW_TCPOPT_MSS;
414 break;
415
416 case TCPOPT_WINDOW:
417 opts &= ~IP_FW_TCPOPT_WINDOW;
418 nopts &= ~IP_FW_TCPOPT_WINDOW;
419 break;
420
421 case TCPOPT_SACK_PERMITTED:
422 case TCPOPT_SACK:
423 opts &= ~IP_FW_TCPOPT_SACK;
424 nopts &= ~IP_FW_TCPOPT_SACK;
425 break;
426
427 case TCPOPT_TIMESTAMP:
428 opts &= ~IP_FW_TCPOPT_TS;
429 nopts &= ~IP_FW_TCPOPT_TS;
430 break;
431
432 case TCPOPT_CC:
433 case TCPOPT_CCNEW:
434 case TCPOPT_CCECHO:
435 opts &= ~IP_FW_TCPOPT_CC;
436 nopts &= ~IP_FW_TCPOPT_CC;
437 break;
438 }
439 if (opts == nopts)
440 break;
441 }
442 if (opts == 0 && nopts == nopts_sve)
443 return 1;
444 else
445 return 0;
446 }
447
448 static int
449 iface_match(struct ifnet *ifp, union ip_fw_if *ifu, int byname)
450 {
451 /* Check by name or by IP address */
452 if (byname) {
453 /* Check name */
454 if (ifu->fu_via_if.glob) {
455 if (kfnmatch(ifu->fu_via_if.name, ifp->if_xname, 0)
456 == FNM_NOMATCH)
457 return(0);
458 } else {
459 if (strncmp(ifp->if_xname, ifu->fu_via_if.name,
460 FW_IFNLEN) != 0)
461 return(0);
462 }
463 return(1);
464 } else if (ifu->fu_via_ip.s_addr != 0) { /* Zero == wildcard */
465 struct ifaddr *ia;
466
467 TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
468 if (ia->ifa_addr == NULL)
469 continue;
470 if (ia->ifa_addr->sa_family != AF_INET)
471 continue;
472 if (ifu->fu_via_ip.s_addr != ((struct sockaddr_in *)
473 (ia->ifa_addr))->sin_addr.s_addr)
474 continue;
475 return(1);
476 }
477 return(0);
478 }
479 return(1);
480 }
481
482 static void
483 ipfw_report(struct ip_fw *f, struct ip *ip, int ip_off, int ip_len,
484 struct ifnet *rif, struct ifnet *oif)
485 {
486 struct tcphdr *const tcp = (struct tcphdr *) ((u_int32_t *) ip+ ip->ip_hl);
487 struct udphdr *const udp = (struct udphdr *) ((u_int32_t *) ip+ ip->ip_hl);
488 struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl);
489 u_int64_t count;
490 char *action;
491 char action2[32], proto[47], name[18], fragment[27];
492 int len;
493 int offset = ip_off & IP_OFFMASK;
494
495 count = f ? f->fw_pcnt : ++counter;
496 if ((f == NULL && fw_verbose_limit != 0 && count > fw_verbose_limit) ||
497 (f && f->fw_logamount != 0 && count > f->fw_loghighest))
498 return;
499
500 /* Print command name */
501 ksnprintf(SNPARGS(name, 0), "ipfw: %d", f ? f->fw_number : -1);
502
503 action = action2;
504 if (!f)
505 action = "Refuse";
506 else {
507 switch (f->fw_flg & IP_FW_F_COMMAND) {
508 case IP_FW_F_DENY:
509 action = "Deny";
510 break;
511 case IP_FW_F_REJECT:
512 if (f->fw_reject_code == IP_FW_REJECT_RST)
513 action = "Reset";
514 else
515 action = "Unreach";
516 break;
517 case IP_FW_F_ACCEPT:
518 action = "Accept";
519 break;
520 case IP_FW_F_COUNT:
521 action = "Count";
522 break;
523 #ifdef IPDIVERT
524 case IP_FW_F_DIVERT:
525 ksnprintf(SNPARGS(action2, 0), "Divert %d",
526 f->fw_divert_port);
527 break;
528 case IP_FW_F_TEE:
529 ksnprintf(SNPARGS(action2, 0), "Tee %d",
530 f->fw_divert_port);
531 break;
532 #endif
533 case IP_FW_F_SKIPTO:
534 ksnprintf(SNPARGS(action2, 0), "SkipTo %d",
535 f->fw_skipto_rule);
536 break;
537 case IP_FW_F_PIPE:
538 ksnprintf(SNPARGS(action2, 0), "Pipe %d",
539 f->fw_skipto_rule);
540 break;
541 case IP_FW_F_QUEUE:
542 ksnprintf(SNPARGS(action2, 0), "Queue %d",
543 f->fw_skipto_rule);
544 break;
545
546 case IP_FW_F_FWD:
547 if (f->fw_fwd_ip.sin_port)
548 ksnprintf(SNPARGS(action2, 0),
549 "Forward to %s:%d",
550 inet_ntoa(f->fw_fwd_ip.sin_addr),
551 f->fw_fwd_ip.sin_port);
552 else
553 ksnprintf(SNPARGS(action2, 0), "Forward to %s",
554 inet_ntoa(f->fw_fwd_ip.sin_addr));
555 break;
556
557 default:
558 action = "UNKNOWN";
559 break;
560 }
561 }
562
563 switch (ip->ip_p) {
564 case IPPROTO_TCP:
565 len = ksnprintf(SNPARGS(proto, 0), "TCP %s",
566 inet_ntoa(ip->ip_src));
567 if (offset == 0)
568 len += ksnprintf(SNPARGS(proto, len), ":%d ",
569 ntohs(tcp->th_sport));
570 else
571 len += ksnprintf(SNPARGS(proto, len), " ");
572 len += ksnprintf(SNPARGS(proto, len), "%s",
573 inet_ntoa(ip->ip_dst));
574 if (offset == 0)
575 ksnprintf(SNPARGS(proto, len), ":%d",
576 ntohs(tcp->th_dport));
577 break;
578 case IPPROTO_UDP:
579 len = ksnprintf(SNPARGS(proto, 0), "UDP %s",
580 inet_ntoa(ip->ip_src));
581 if (offset == 0)
582 len += ksnprintf(SNPARGS(proto, len), ":%d ",
583 ntohs(udp->uh_sport));
584 else
585 len += ksnprintf(SNPARGS(proto, len), " ");
586 len += ksnprintf(SNPARGS(proto, len), "%s",
587 inet_ntoa(ip->ip_dst));
588 if (offset == 0)
589 ksnprintf(SNPARGS(proto, len), ":%d",
590 ntohs(udp->uh_dport));
591 break;
592 case IPPROTO_ICMP:
593 if (offset == 0)
594 len = ksnprintf(SNPARGS(proto, 0), "ICMP:%u.%u ",
595 icmp->icmp_type, icmp->icmp_code);
596 else
597 len = ksnprintf(SNPARGS(proto, 0), "ICMP ");
598 len += ksnprintf(SNPARGS(proto, len), "%s",
599 inet_ntoa(ip->ip_src));
600 ksnprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
601 break;
602 default:
603 len = ksnprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p,
604 inet_ntoa(ip->ip_src));
605 ksnprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
606 break;
607 }
608
609 if (ip_off & (IP_MF | IP_OFFMASK))
610 ksnprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)",
611 ntohs(ip->ip_id), ip_len - (ip->ip_hl << 2),
612 offset << 3,
613 (ip_off & IP_MF) ? "+" : "");
614 else
615 fragment[0] = '\0';
616 if (oif)
617 log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%s\n",
618 name, action, proto, oif->if_xname, fragment);
619 else if (rif)
620 log(LOG_SECURITY | LOG_INFO, "%s %s %s in via %s%s\n", name,
621 action, proto, rif->if_xname, fragment);
622 else
623 log(LOG_SECURITY | LOG_INFO, "%s %s %s%s\n", name, action,
624 proto, fragment);
625 if ((f ? f->fw_logamount != 0 : 1) &&
626 count == (f ? f->fw_loghighest : fw_verbose_limit))
627 log(LOG_SECURITY | LOG_NOTICE,
628 "ipfw: limit %d reached on entry %d\n",
629 f ? f->fw_logamount : fw_verbose_limit,
630 f ? f->fw_number : -1);
631 }
632
633 static __inline int
634 hash_packet(struct ipfw_flow_id *id)
635 {
636 u_int32_t i ;
637
638 i = (id->dst_ip) ^ (id->src_ip) ^ (id->dst_port) ^ (id->src_port);
639 i &= (curr_dyn_buckets - 1) ;
640 return i ;
641 }
642
643 /**
644 * unlink a dynamic rule from a chain. prev is a pointer to
645 * the previous one, q is a pointer to the rule to delete,
646 * head is a pointer to the head of the queue.
647 * Modifies q and potentially also head.
648 */
649 #define UNLINK_DYN_RULE(prev, head, q) { \
650 struct ipfw_dyn_rule *old_q = q; \
651 \
652 /* remove a refcount to the parent */ \
653 if (q->dyn_type == DYN_LIMIT) \
654 q->parent->count--; \
655 DEB(kprintf("-- unlink entry 0x%08x %d -> 0x%08x %d, %d left\n", \
656 (q->id.src_ip), (q->id.src_port), \
657 (q->id.dst_ip), (q->id.dst_port), dyn_count-1 ); ) \
658 if (prev != NULL) \
659 prev->next = q = q->next ; \
660 else \
661 ipfw_dyn_v[i] = q = q->next ; \
662 dyn_count-- ; \
663 kfree(old_q, M_IPFW); }
664
665 #define TIME_LEQ(a,b) ((int)((a)-(b)) <= 0)
666 /**
667 * Remove all dynamic rules pointing to a given rule, or all
668 * rules if rule == NULL. Second parameter is 1 if we want to
669 * delete unconditionally, otherwise only expired rules are removed.
670 */
671 static void
672 remove_dyn_rule(struct ip_fw *rule, int force)
673 {
674 struct ipfw_dyn_rule *prev, *q;
675 int i, pass, max_pass ;
676 static u_int32_t last_remove = 0 ;
677
678 if (ipfw_dyn_v == NULL || dyn_count == 0)
679 return ;
680 /* do not expire more than once per second, it is useless */
681 if (force == 0 && last_remove == time_second)
682 return ;
683 last_remove = time_second ;
684
685 /*
686 * because DYN_LIMIT refer to parent rules, during the first pass only
687 * remove child and mark any pending LIMIT_PARENT, and remove
688 * them in a second pass.
689 */
690 for (pass = max_pass = 0; pass <= max_pass ; pass++ ) {
691 for (i = 0 ; i < curr_dyn_buckets ; i++) {
692 for (prev=NULL, q = ipfw_dyn_v[i] ; q ; ) {
693 /*
694 * logic can become complex here, so we split tests.
695 * First, test if we match any rule,
696 * then make sure the rule is expired or we want to kill it,
697 * and possibly more in the future.
698 */
699 int zap = ( rule == NULL || rule == q->rule);
700 if (zap)
701 zap = force || TIME_LEQ( q->expire , time_second );
702 /* do not zap parent in first pass, record we need a second pass */
703 if (zap && q->dyn_type == DYN_LIMIT_PARENT) {
704 max_pass = 1; /* we need a second pass */
705 if (pass == 0 || q->count != 0) {
706 zap = 0 ;
707 if (pass == 1 && force) /* should not happen */
708 kprintf("OUCH! cannot remove rule, count %d\n",
709 q->count);
710 }
711 }
712 if (zap) {
713 UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
714 } else {
715 prev = q ;
716 q = q->next ;
717 }
718 }
719 }
720 }
721 }
722
723 #define EXPIRE_DYN_CHAIN(rule) remove_dyn_rule(rule, 0 /* expired ones */)
724 #define EXPIRE_DYN_CHAINS() remove_dyn_rule(NULL, 0 /* expired ones */)
725 #define DELETE_DYN_CHAIN(rule) remove_dyn_rule(rule, 1 /* force removal */)
726 #define DELETE_DYN_CHAINS() remove_dyn_rule(NULL, 1 /* force removal */)
727
728 /**
729 * lookup a dynamic rule.
730 */
731 static struct ipfw_dyn_rule *
732 lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction)
733 {
734 /*
735 * stateful ipfw extensions.
736 * Lookup into dynamic session queue
737 */
738 struct ipfw_dyn_rule *prev, *q ;
739 int i, dir = 0;
740 #define MATCH_FORWARD 1
741
742 if (ipfw_dyn_v == NULL)
743 return NULL ;
744 i = hash_packet( pkt );
745 for (prev=NULL, q = ipfw_dyn_v[i] ; q != NULL ; ) {
746 if (q->dyn_type == DYN_LIMIT_PARENT)
747 goto next;
748 if (TIME_LEQ( q->expire , time_second ) ) { /* expire entry */
749 UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
750 continue;
751 }
752 if ( pkt->proto == q->id.proto) {
753 if (pkt->src_ip == q->id.src_ip &&
754 pkt->dst_ip == q->id.dst_ip &&
755 pkt->src_port == q->id.src_port &&
756 pkt->dst_port == q->id.dst_port ) {
757 dir = MATCH_FORWARD ;
758 goto found ;
759 }
760 if (pkt->src_ip == q->id.dst_ip &&
761 pkt->dst_ip == q->id.src_ip &&
762 pkt->src_port == q->id.dst_port &&
763 pkt->dst_port == q->id.src_port ) {
764 dir = 0 ; /* reverse match */
765 goto found ;
766 }
767 }
768 next:
769 prev = q ;
770 q = q->next ;
771 }
772 return NULL ; /* clearly not found */
773 found:
774 if ( prev != NULL) { /* found and not in front */
775 prev->next = q->next ;
776 q->next = ipfw_dyn_v[i] ;
777 ipfw_dyn_v[i] = q ;
778 }
779 if (pkt->proto == IPPROTO_TCP) {
780 /* update state according to flags */
781 u_char flags = pkt->flags & (TH_FIN|TH_SYN|TH_RST);
782 q->state |= (dir == MATCH_FORWARD ) ? flags : (flags << 8);
783 switch (q->state) {
784 case TH_SYN :
785 /* opening */
786 q->expire = time_second + dyn_syn_lifetime ;
787 break ;
788 case TH_SYN | (TH_SYN << 8) :
789 /* move to established */
790 q->expire = time_second + dyn_ack_lifetime ;
791 break ;
792 case TH_SYN | (TH_SYN << 8) | TH_FIN :
793 case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8) :
794 /* one side tries to close */
795 q->expire = time_second + dyn_ack_lifetime ;
796 break ;
797 case TH_SYN | (TH_SYN << 8) | TH_FIN | (TH_FIN << 8) :
798 /* both sides closed */
799 q->expire = time_second + dyn_fin_lifetime ;
800 break ;
801 default:
802 #if 0
803 /*
804 * reset or some invalid combination, but can also
805 * occur if we use keep-state the wrong way.
806 */
807 if ( (q->state & ((TH_RST << 8)|TH_RST)) == 0)
808 kprintf("invalid state: 0x%x\n", q->state);
809 #endif
810 q->expire = time_second + dyn_rst_lifetime ;
811 break ;
812 }
813 } else if (pkt->proto == IPPROTO_UDP) {
814 q->expire = time_second + dyn_udp_lifetime ;
815 } else {
816 /* other protocols */
817 q->expire = time_second + dyn_short_lifetime ;
818 }
819 if (match_direction)
820 *match_direction = dir ;
821 return q ;
822 }
823
824 /**
825 * Install state of type 'type' for a dynamic session.
826 * The hash table contains two type of rules:
827 * - regular rules (DYN_KEEP_STATE)
828 * - rules for sessions with limited number of sess per user
829 * (DYN_LIMIT). When they are created, the parent is
830 * increased by 1, and decreased on delete. In this case,
831 * the third parameter is the parent rule and not the chain.
832 * - "parent" rules for the above (DYN_LIMIT_PARENT).
833 */
834
835 static struct ipfw_dyn_rule *
836 add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
837 {
838 struct ipfw_dyn_rule *r ;
839
840 int i ;
841 if (ipfw_dyn_v == NULL ||
842 (dyn_count == 0 && dyn_buckets != curr_dyn_buckets)) {
843 /* try reallocation, make sure we have a power of 2 */
844 u_int32_t i = dyn_buckets ;
845 while ( i > 0 && (i & 1) == 0 )
846 i >>= 1 ;
847 if (i != 1) /* not a power of 2 */
848 dyn_buckets = curr_dyn_buckets ; /* reset */
849 else {
850 curr_dyn_buckets = dyn_buckets ;
851 if (ipfw_dyn_v != NULL)
852 kfree(ipfw_dyn_v, M_IPFW);
853 ipfw_dyn_v = kmalloc(curr_dyn_buckets * sizeof r,
854 M_IPFW, M_WAITOK | M_ZERO);
855 if (ipfw_dyn_v == NULL)
856 return NULL; /* failed ! */
857 }
858 }
859 i = hash_packet(id);
860
861 r = kmalloc(sizeof *r, M_IPFW, M_WAITOK | M_ZERO);
862 if (r == NULL) {
863 kprintf ("sorry cannot allocate state\n");
864 return NULL ;
865 }
866
867 /* increase refcount on parent, and set pointer */
868 if (dyn_type == DYN_LIMIT) {
869 struct ipfw_dyn_rule *parent = (struct ipfw_dyn_rule *)rule;
870 if ( parent->dyn_type != DYN_LIMIT_PARENT)
871 panic("invalid parent");
872 parent->count++ ;
873 r->parent = parent ;
874 rule = parent->rule;
875 }
876
877 r->id = *id ;
878 r->expire = time_second + dyn_syn_lifetime ;
879 r->rule = rule ;
880 r->dyn_type = dyn_type ;
881 r->pcnt = r->bcnt = 0 ;
882 r->count = 0 ;
883
884 r->bucket = i ;
885 r->next = ipfw_dyn_v[i] ;
886 ipfw_dyn_v[i] = r ;
887 dyn_count++ ;
888 DEB(kprintf("-- add entry 0x%08x %d -> 0x%08x %d, total %d\n",
889 (r->id.src_ip), (r->id.src_port),
890 (r->id.dst_ip), (r->id.dst_port),
891 dyn_count ); )
892 return r;
893 }
894
895 /**
896 * lookup dynamic parent rule using pkt and rule as search keys.
897 * If the lookup fails, then install one.
898 */
899 static struct ipfw_dyn_rule *
900 lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule)
901 {
902 struct ipfw_dyn_rule *q;
903 int i;
904
905 if (ipfw_dyn_v) {
906 i = hash_packet( pkt );
907 for (q = ipfw_dyn_v[i] ; q != NULL ; q=q->next)
908 if (q->dyn_type == DYN_LIMIT_PARENT && rule == q->rule &&
909 pkt->proto == q->id.proto &&
910 pkt->src_ip == q->id.src_ip &&
911 pkt->dst_ip == q->id.dst_ip &&
912 pkt->src_port == q->id.src_port &&
913 pkt->dst_port == q->id.dst_port) {
914 q->expire = time_second + dyn_short_lifetime ;
915 DEB(kprintf("lookup_dyn_parent found 0x%p\n", q);)
916 return q;
917 }
918 }
919 return add_dyn_rule(pkt, DYN_LIMIT_PARENT, rule);
920 }
921
922 /*
923 * Install dynamic state.
924 * There are different types of dynamic rules which can be installed.
925 * The type is in rule->dyn_type.
926 * Type 0 (default) is a bidirectional rule
927 *
928 * Returns 1 (failure) if state is not installed because of errors or because
929 * session limitations are enforced.
930 */
931 static int
932 install_state(struct ip_fw *rule, struct ip_fw_args *args)
933 {
934 struct ipfw_dyn_rule *q ;
935 static int last_log ;
936
937 u_int8_t type = rule->dyn_type ;
938
939 DEB(kprintf("-- install state type %d 0x%08x %u -> 0x%08x %u\n",
940 type,
941 (args->f_id.src_ip), (args->f_id.src_port),
942 (args->f_id.dst_ip), (args->f_id.dst_port) );)
943
944 q = lookup_dyn_rule(&args->f_id, NULL) ;
945 if (q != NULL) { /* should never occur */
946 if (last_log != time_second) {
947 last_log = time_second ;
948 kprintf(" entry already present, done\n");
949 }
950 return 0 ;
951 }
952 if (dyn_count >= dyn_max) /* try remove old ones... */
953 EXPIRE_DYN_CHAINS();
954 if (dyn_count >= dyn_max) {
955 if (last_log != time_second) {
956 last_log = time_second ;
957 kprintf(" Too many dynamic rules, sorry\n");
958 }
959 return 1; /* cannot install, notify caller */
960 }
961
962 switch (type) {
963 case DYN_KEEP_STATE: /* bidir rule */
964 add_dyn_rule(&args->f_id, DYN_KEEP_STATE, rule);
965 break ;
966 case DYN_LIMIT: /* limit number of sessions */
967 {
968 u_int16_t limit_mask = rule->limit_mask ;
969 u_int16_t conn_limit = rule->conn_limit ;
970 struct ipfw_flow_id id;
971 struct ipfw_dyn_rule *parent;
972
973 DEB(kprintf("installing dyn-limit rule %d\n", conn_limit);)
974
975 id.dst_ip = id.src_ip = 0;
976 id.dst_port = id.src_port = 0 ;
977 id.proto = args->f_id.proto ;
978
979 if (limit_mask & DYN_SRC_ADDR)
980 id.src_ip = args->f_id.src_ip;
981 if (limit_mask & DYN_DST_ADDR)
982 id.dst_ip = args->f_id.dst_ip;
983 if (limit_mask & DYN_SRC_PORT)
984 id.src_port = args->f_id.src_port;
985 if (limit_mask & DYN_DST_PORT)
986 id.dst_port = args->f_id.dst_port;
987 parent = lookup_dyn_parent(&id, rule);
988 if (parent == NULL) {
989 kprintf("add parent failed\n");
990 return 1;
991 }
992 if (parent->count >= conn_limit) {
993 EXPIRE_DYN_CHAIN(rule); /* try to expire some */
994 /*
995 * The expiry might have removed the parent too.
996 * We lookup again, which will re-create if necessary.
997 */
998 parent = lookup_dyn_parent(&id, rule);
999 if (parent == NULL) {
1000 kprintf("add parent failed\n");
1001 return 1;
1002 }
1003 if (parent->count >= conn_limit) {
1004 if (fw_verbose && last_log != time_second) {
1005 last_log = time_second;
1006 log(LOG_SECURITY | LOG_DEBUG,
1007 "drop session, too many entries\n");
1008 }
1009 return 1;
1010 }
1011 }
1012 add_dyn_rule(&args->f_id, DYN_LIMIT, (struct ip_fw *)parent);
1013 }
1014 break ;
1015 default:
1016 kprintf("unknown dynamic rule type %u\n", type);
1017 return 1 ;
1018 }
1019 lookup_dyn_rule(&args->f_id, NULL) ; /* XXX just set the lifetime */
1020 return 0;
1021 }
1022
1023 /*
1024 * given an ip_fw *, lookup_next_rule will return a pointer
1025 * of the same type to the next one. This can be either the jump
1026 * target (for skipto instructions) or the next one in the list (in
1027 * all other cases including a missing jump target).
1028 * Backward jumps are not allowed, so start looking from the next
1029 * rule...
1030 */
1031 static struct ip_fw * lookup_next_rule(struct ip_fw *me);
1032
1033 static struct ip_fw *
1034 lookup_next_rule(struct ip_fw *me)
1035 {
1036 struct ip_fw *rule ;
1037 int rulenum = me->fw_skipto_rule ; /* guess... */
1038
1039 if ( (me->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_SKIPTO )
1040 for (rule = LIST_NEXT(me,next); rule ; rule = LIST_NEXT(rule,next))
1041 if (rule->fw_number >= rulenum)
1042 return rule ;
1043 return LIST_NEXT(me,next) ; /* failure or not a skipto */
1044 }
1045
1046 /*
1047 * Parameters:
1048 *
1049 * *m The packet; we set to NULL when/if we nuke it.
1050 * oif Outgoing interface, or NULL if packet is incoming
1051 * *cookie Skip up to the first rule past this rule number;
1052 * upon return, non-zero port number for divert or tee.
1053 * Special case: cookie == NULL on input for bridging.
1054 * *flow_id pointer to the last matching rule (in/out)
1055 * *next_hop socket we are forwarding to (in/out).
1056 *
1057 * Return value:
1058 *
1059 * IP_FW_PORT_DENY_FLAG the packet must be dropped.
1060 * 0 The packet is to be accepted and routed normally OR
1061 * the packet was denied/rejected and has been dropped;
1062 * in the latter case, *m is equal to NULL upon return.
1063 * port Divert the packet to port, with these caveats:
1064 *
1065 * - If IP_FW_PORT_TEE_FLAG is set, tee the packet instead
1066 * of diverting it (ie, 'ipfw tee').
1067 *
1068 * - If IP_FW_PORT_DYNT_FLAG is set, interpret the lower
1069 * 16 bits as a dummynet pipe number instead of diverting
1070 */
1071
1072 static int
1073 ip_fw_chk(struct ip_fw_args *args)
1074 {
1075 /*
1076 * grab things into variables to minimize diffs.
1077 * XXX this has to be cleaned up later.
1078 */
1079 struct mbuf **m = &(args->m);
1080 struct ifnet *oif = args->oif;
1081 struct m_tag *mtag;
1082 struct ip_fw **flow_id = &(args->rule);
1083 struct sockaddr_in **next_hop = &(args->next_hop);
1084
1085 struct ip_fw *f = NULL; /* matching rule */
1086 struct ip *ip = mtod(*m, struct ip *);
1087 struct ifnet *const rif = (*m)->m_pkthdr.rcvif;
1088 struct ifnet *tif;
1089 u_int hlen = 0;
1090
1091 u_short ip_off=0, offset = 0;
1092 /* local copy of addresses for faster matching */
1093 u_short src_port = 0, dst_port = 0;
1094 struct in_addr src_ip, dst_ip;
1095 u_int8_t proto= 0, flags = 0;
1096 u_int16_t skipto;
1097 u_int16_t ip_len=0;
1098
1099 int dyn_checked = 0 ; /* set after dyn.rules have been checked. */
1100 int direction = MATCH_FORWARD ; /* dirty trick... */
1101 struct ipfw_dyn_rule *q = NULL ;
1102
1103 hlen = ip->ip_hl << 2;
1104
1105 /* Grab and reset cookie */
1106 if ((mtag = m_tag_find(*m, PACKET_TAG_IPFW_DIVERT, NULL)) != NULL) {
1107 skipto = *(u_int16_t *)m_tag_data(mtag);
1108 m_tag_delete(*m, mtag);
1109 mtag = NULL;
1110 } else {
1111 skipto = 0;
1112 }
1113
1114 #define PULLUP_TO(len) do { \
1115 if ((*m)->m_len < (len)) { \
1116 if ((*m = m_pullup(*m, (len))) == 0) \
1117 goto bogusfrag; \
1118 ip = mtod(*m, struct ip *); \
1119 } \
1120 } while (0)
1121
1122 if (hlen > 0) { /* this is an IP packet */
1123 /*
1124 * Collect parameters into local variables for faster matching.
1125 */
1126 proto = ip->ip_p;
1127 src_ip = ip->ip_src;
1128 dst_ip = ip->ip_dst;
1129 ip_off = ip->ip_off;
1130 ip_len = ip->ip_len;
1131 offset = ip_off & IP_OFFMASK;
1132 if (offset == 0) {
1133 switch (proto) {
1134 case IPPROTO_TCP : {
1135 struct tcphdr *tcp;
1136
1137 PULLUP_TO(hlen + sizeof(struct tcphdr));
1138 tcp =(struct tcphdr *)((u_int32_t *)ip + ip->ip_hl);
1139 dst_port = tcp->th_dport ;
1140 src_port = tcp->th_sport ;
1141 flags = tcp->th_flags ;
1142 }
1143 break ;
1144
1145 case IPPROTO_UDP : {
1146 struct udphdr *udp;
1147
1148 PULLUP_TO(hlen + sizeof(struct udphdr));
1149 udp =(struct udphdr *)((u_int32_t *)ip + ip->ip_hl);
1150 dst_port = udp->uh_dport ;
1151 src_port = udp->uh_sport ;
1152 }
1153 break;
1154
1155 case IPPROTO_ICMP:
1156 PULLUP_TO(hlen + 4); /* type, code and checksum. */
1157 flags = ((struct icmp *)
1158 ((u_int32_t *)ip + ip->ip_hl))->icmp_type ;
1159 break ;
1160
1161 default :
1162 break;
1163 }
1164 }
1165 }
1166 #undef PULLUP_TO
1167 args->f_id.src_ip = ntohl(src_ip.s_addr);
1168 args->f_id.dst_ip = ntohl(dst_ip.s_addr);
1169 args->f_id.proto = proto;
1170 args->f_id.src_port = ntohs(src_port);
1171 args->f_id.dst_port = ntohs(dst_port);
1172 args->f_id.flags = flags;
1173
1174 if (*flow_id) {
1175 /*
1176 * Packet has already been tagged. Look for the next rule
1177 * to restart processing.
1178 */
1179 if (fw_one_pass) /* just accept if fw_one_pass is set */
1180 return 0;
1181
1182 f = (*flow_id)->next_rule_ptr ;
1183 if (f == NULL)
1184 f = (*flow_id)->next_rule_ptr = lookup_next_rule(*flow_id);
1185 if (f == NULL)
1186 goto dropit;
1187 } else {
1188 /*
1189 * Go down the list, looking for enlightment.
1190 * If we've been asked to start at a given rule, do so.
1191 */
1192 f = LIST_FIRST(&ip_fw_chain_head);
1193 if (skipto != 0) {
1194 if (skipto >= IPFW_DEFAULT_RULE)
1195 goto dropit;
1196 while (f && f->fw_number <= skipto)
1197 f = LIST_NEXT(f, next);
1198 if (f == NULL)
1199 goto dropit;
1200 }
1201 }
1202
1203 for (; f; f = LIST_NEXT(f, next)) {
1204 again:
1205 if (f->fw_number == IPFW_DEFAULT_RULE)
1206 goto got_match ;
1207
1208 /*
1209 * dynamic rules are checked at the first keep-state or
1210 * check-state occurrence.
1211 */
1212 if (f->fw_flg & (IP_FW_F_KEEP_S|IP_FW_F_CHECK_S) &&
1213 dyn_checked == 0 ) {
1214 dyn_checked = 1 ;
1215 q = lookup_dyn_rule(&args->f_id, &direction);
1216 if (q != NULL) {
1217 DEB(kprintf("-- dynamic match 0x%08x %d %s 0x%08x %d\n",
1218 (q->id.src_ip), (q->id.src_port),
1219 (direction == MATCH_FORWARD ? "-->" : "<--"),
1220 (q->id.dst_ip), (q->id.dst_port) ); )
1221 f = q->rule ;
1222 q->pcnt++ ;
1223 q->bcnt += ip_len;
1224 goto got_match ; /* krandom not allowed here */
1225 }
1226 /* if this was a check-only rule, continue with next */
1227 if (f->fw_flg & IP_FW_F_CHECK_S)
1228 continue ;
1229 }
1230
1231 if (oif) {
1232 /* Check direction outbound */
1233 if (!(f->fw_flg & IP_FW_F_OUT))
1234 continue;
1235 } else {
1236 /* Check direction inbound */
1237 if (!(f->fw_flg & IP_FW_F_IN))
1238 continue;
1239 }
1240
1241 /* Fragments */
1242 if ((f->fw_flg & IP_FW_F_FRAG) && offset == 0 )
1243 continue;
1244
1245 if (f->fw_flg & IP_FW_F_SME) {
1246 INADDR_TO_IFP(src_ip, tif);
1247 if (tif == NULL)
1248 continue;
1249 }
1250 if (f->fw_flg & IP_FW_F_DME) {
1251 INADDR_TO_IFP(dst_ip, tif);
1252 if (tif == NULL)
1253 continue;
1254 }
1255 /* If src-addr doesn't match, not this rule. */
1256 if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr
1257 & f->fw_smsk.s_addr) != f->fw_src.s_addr))
1258 continue;
1259
1260 /* If dest-addr doesn't match, not this rule. */
1261 if (((f->fw_flg & IP_FW_F_INVDST) != 0) ^ ((dst_ip.s_addr
1262 & f->fw_dmsk.s_addr) != f->fw_dst.s_addr))
1263 continue;
1264
1265 /* Interface check */
1266 if ((f->fw_flg & IF_FW_F_VIAHACK) == IF_FW_F_VIAHACK) {
1267 struct ifnet *const iface = oif ? oif : rif;
1268
1269 /* Backwards compatibility hack for "via" */
1270 if (!iface || !iface_match(iface,
1271 &f->fw_in_if, f->fw_flg & IP_FW_F_OIFNAME))
1272 continue;
1273 } else {
1274 /* Check receive interface */
1275 if ((f->fw_flg & IP_FW_F_IIFACE)
1276 && (!rif || !iface_match(rif,
1277 &f->fw_in_if, f->fw_flg & IP_FW_F_IIFNAME)))
1278 continue;
1279 /* Check outgoing interface */
1280 if ((f->fw_flg & IP_FW_F_OIFACE)
1281 && (!oif || !iface_match(oif,
1282 &f->fw_out_if, f->fw_flg & IP_FW_F_OIFNAME)))
1283 continue;
1284 }
1285
1286 /* Check IP options */
1287 if (f->fw_ipopt != f->fw_ipnopt && !ipopts_match(ip, f))
1288 continue;
1289
1290 /* Check protocol; if wildcard, and no [ug]id, match */
1291 if (f->fw_prot == IPPROTO_IP) {
1292 if (!(f->fw_flg & (IP_FW_F_UID|IP_FW_F_GID)))
1293 goto rnd_then_got_match;
1294 } else
1295 /* If different, don't match */
1296 if (proto != f->fw_prot)
1297 continue;
1298
1299 /* Protocol specific checks for uid only */
1300 if (f->fw_flg & (IP_FW_F_UID|IP_FW_F_GID)) {
1301 switch (proto) {
1302 case IPPROTO_TCP:
1303 {
1304 struct inpcb *P;
1305
1306 if (offset == 1) /* cf. RFC 1858 */
1307 goto bogusfrag;
1308 if (offset != 0)
1309 continue;
1310
1311 if (oif)
1312 P = in_pcblookup_hash(&tcbinfo[mycpu->gd_cpuid],
1313 dst_ip, dst_port, src_ip, src_port, 0, oif);
1314 else
1315 P = in_pcblookup_hash(&tcbinfo[mycpu->gd_cpuid],
1316 src_ip, src_port, dst_ip, dst_port, 0, NULL);
1317
1318 if (P && P->inp_socket) {
1319 if (f->fw_flg & IP_FW_F_UID) {
1320 if (P->inp_socket->so_cred->cr_uid !=
1321 f->fw_uid)
1322 continue;
1323 } else if (!groupmember(f->fw_gid,
1324 P->inp_socket->so_cred))
1325 continue;
1326 } else
1327 continue;
1328 break;
1329 }
1330
1331 case IPPROTO_UDP:
1332 {
1333 struct inpcb *P;
1334
1335 if (offset != 0)
1336 continue;
1337
1338 if (oif)
1339 P = in_pcblookup_hash(&udbinfo, dst_ip,
1340 dst_port, src_ip, src_port, 1,
1341 oif);
1342 else
1343 P = in_pcblookup_hash(&udbinfo, src_ip,
1344 src_port, dst_ip, dst_port, 1,
1345 NULL);
1346
1347 if (P && P->inp_socket) {
1348 if (f->fw_flg & IP_FW_F_UID) {
1349 if (P->inp_socket->so_cred->cr_uid !=
1350 f->fw_uid)
1351 continue;
1352 } else if (!groupmember(f->fw_gid,
1353 P->inp_socket->so_cred))
1354 continue;
1355 } else
1356 continue;
1357 break;
1358 }
1359
1360 default:
1361 continue;
1362 }
1363 }
1364
1365 /* Protocol specific checks */
1366 switch (proto) {
1367 case IPPROTO_TCP:
1368 {
1369 struct tcphdr *tcp;
1370
1371 if (offset == 1) /* cf. RFC 1858 */
1372 goto bogusfrag;
1373 if (offset != 0) {
1374 /*
1375 * TCP flags and ports aren't available in this
1376 * packet -- if this rule specified either one,
1377 * we consider the rule a non-match.
1378 */
1379 if (IP_FW_HAVEPORTS(f) != 0 ||
1380 f->fw_tcpopt != f->fw_tcpnopt ||
1381 f->fw_tcpf != f->fw_tcpnf)
1382 continue;
1383
1384 break;
1385 }
1386 tcp = (struct tcphdr *) ((u_int32_t *)ip + ip->ip_hl);
1387
1388 if (f->fw_tcpopt != f->fw_tcpnopt && !tcpopts_match(tcp, f))
1389 continue;
1390 if (((f->fw_tcpf != f->fw_tcpnf) ||
1391 (f->fw_ipflg & IP_FW_IF_TCPEST)) &&
1392 !tcpflg_match(tcp, f))
1393 continue;
1394 goto check_ports;
1395 }
1396
1397 case IPPROTO_UDP:
1398 if (offset != 0) {
1399 /*
1400 * Port specification is unavailable -- if this
1401 * rule specifies a port, we consider the rule
1402 * a non-match.
1403 */
1404 if (IP_FW_HAVEPORTS(f) )
1405 continue;
1406
1407 break;
1408 }
1409 check_ports:
1410 if (!port_match(&f->fw_uar.fw_pts[0],
1411 IP_FW_GETNSRCP(f), ntohs(src_port),
1412 f->fw_flg & IP_FW_F_SRNG,
1413 f->fw_flg & IP_FW_F_SMSK))
1414 continue;
1415 if (!port_match(&f->fw_uar.fw_pts[IP_FW_GETNSRCP(f)],
1416 IP_FW_GETNDSTP(f), ntohs(dst_port),
1417 f->fw_flg & IP_FW_F_DRNG,
1418 f->fw_flg & IP_FW_F_DMSK))
1419 continue;
1420 break;
1421
1422 case IPPROTO_ICMP:
1423 {
1424 struct icmp *icmp;
1425
1426 if (offset != 0) /* Type isn't valid */
1427 break;
1428 icmp = (struct icmp *) ((u_int32_t *)ip + ip->ip_hl);
1429 if (!icmptype_match(icmp, f))
1430 continue;
1431 break;
1432 }
1433
1434 default:
1435 break;
1436
1437 bogusfrag:
1438 if (fw_verbose) {
1439 if (m != NULL)
1440 ipfw_report(NULL, ip, ip_off, ip_len, rif, oif);
1441 else
1442 kprintf("pullup failed\n");
1443 }
1444 goto dropit;
1445
1446 }
1447
1448 rnd_then_got_match:
1449 if ( f->dont_match_prob && krandom() < f->dont_match_prob )
1450 continue ;
1451 got_match:
1452 /*
1453 * If not a dynamic match (q == NULL) and keep-state, install
1454 * a new dynamic entry.
1455 */
1456 if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S) {
1457 if (install_state(f, args)) /* error or limit violation */
1458 goto dropit;
1459 }
1460 /* Update statistics */
1461 f->fw_pcnt += 1;
1462 f->fw_bcnt += ip_len;
1463 f->timestamp = time_second;
1464
1465 /* Log to console if desired */
1466 if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose && hlen > 0)
1467 ipfw_report(f, ip, offset, ip_len, rif, oif);
1468
1469 /* Take appropriate action */
1470 switch (f->fw_flg & IP_FW_F_COMMAND) {
1471 case IP_FW_F_ACCEPT:
1472 return(0);
1473 case IP_FW_F_COUNT:
1474 continue;
1475 #ifdef IPDIVERT
1476 case IP_FW_F_DIVERT:
1477 mtag = m_tag_get(PACKET_TAG_IPFW_DIVERT,
1478 sizeof(u_int16_t), M_NOWAIT);
1479 if (mtag == NULL)
1480 goto dropit;
1481 *(u_int16_t *)m_tag_data(mtag) = f->fw_number;
1482 m_tag_prepend(*m, mtag);
1483 return(f->fw_divert_port);
1484 case IP_FW_F_TEE:
1485 mtag = m_tag_get(PACKET_TAG_IPFW_DIVERT,
1486 sizeof(u_int16_t), M_NOWAIT);
1487 if (mtag == NULL)
1488 goto dropit;
1489 *(u_int16_t *)m_tag_data(mtag) = f->fw_number;
1490 m_tag_prepend(*m, mtag);
1491 return(f->fw_divert_port | IP_FW_PORT_TEE_FLAG);
1492 #endif
1493 case IP_FW_F_SKIPTO: /* XXX check */
1494 if (f->next_rule_ptr == NULL)
1495 f->next_rule_ptr = lookup_next_rule(f) ;
1496 f = f->next_rule_ptr;
1497 if (!f)
1498 goto dropit;
1499 goto again ;
1500
1501 case IP_FW_F_PIPE:
1502 case IP_FW_F_QUEUE:
1503 *flow_id = f ; /* XXX set flow id */
1504 return(f->fw_pipe_nr | IP_FW_PORT_DYNT_FLAG);
1505
1506 case IP_FW_F_FWD:
1507 /* Change the next-hop address for this packet.
1508 * Initially we'll only worry about directly
1509 * reachable next-hop's, but ultimately
1510 * we will work out for next-hops that aren't
1511 * direct the route we would take for it. We
1512 * [cs]ould leave this latter problem to
1513 * ip_output.c. We hope to high [name the abode of
1514 * your favourite deity] that ip_output doesn't modify
1515 * the new value of next_hop (which is dst there)
1516 * XXX warning-- there is a dangerous reference here
1517 * from next_hop to a field within the rule. If the
1518 * rule is deleted, weird things might occur.
1519 */
1520 if (next_hop != NULL /* Make sure, first... */
1521 && (q == NULL || direction == MATCH_FORWARD) )
1522 *next_hop = &(f->fw_fwd_ip);
1523 return(0); /* Allow the packet */
1524
1525 }
1526
1527 /* Deny/reject this packet using this rule */
1528 break;
1529 }
1530
1531 /* Rule IPFW_DEFAULT_RULE should always be there and match */
1532 KASSERT(f != NULL, ("ip_fw: no chain"));
1533
1534 /*
1535 * At this point, we're going to drop the packet.
1536 * Send a reject notice if all of the following are true:
1537 *
1538 * - The packet matched a reject rule
1539 * - The packet is not an ICMP packet, or is an ICMP query packet
1540 * - The packet is not a multicast or broadcast packet
1541 */
1542 if ((f->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_REJECT
1543 && (proto != IPPROTO_ICMP || is_icmp_query(ip))
1544 && !((*m)->m_flags & (M_BCAST|M_MCAST))
1545 && !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
1546 switch (f->fw_reject_code) {
1547 case IP_FW_REJECT_RST:
1548 {
1549 /* XXX warning, this code writes into the mbuf */
1550 struct tcphdr *const tcp =
1551 (struct tcphdr *) ((u_int32_t *)ip + ip->ip_hl);
1552 struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip;
1553
1554 if (offset != 0 || (tcp->th_flags & TH_RST))
1555 break;
1556 ti.ti_i = *((struct ipovly *) ip);
1557 ti.ti_t = *tcp;
1558 bcopy(&ti, ip, sizeof(ti));
1559 tip->ti_seq = ntohl(tip->ti_seq);
1560 tip->ti_ack = ntohl(tip->ti_ack);
1561 tip->ti_len = ip_len - hlen - (tip->ti_off << 2);
1562 if (tcp->th_flags & TH_ACK) {
1563 tcp_respond(NULL, (void *)ip, tcp, *m,
1564 (tcp_seq)0, tcp->th_ack, TH_RST);
1565 } else {
1566 if (tcp->th_flags & TH_SYN)
1567 tip->ti_len++;
1568 tcp_respond(NULL, (void *)ip, tcp, *m,
1569 tip->ti_seq + tip->ti_len,
1570 (tcp_seq)0, TH_RST|TH_ACK);
1571 }
1572 *m = NULL;
1573 break;
1574 }
1575 default: /* Send an ICMP unreachable using code */
1576 icmp_error(*m, ICMP_UNREACH,
1577 f->fw_reject_code, 0L, 0);
1578 *m = NULL;
1579 break;
1580 }
1581 }
1582
1583 dropit:
1584 /*
1585 * Finally, drop the packet.
1586 */
1587 return(IP_FW_PORT_DENY_FLAG);
1588 }
1589
1590 /*
1591 * when a rule is added/deleted, zero the direct pointers within
1592 * all firewall rules. These will be reconstructed on the fly
1593 * as packets are matched.
1594 * Must be called at splimp().
1595 */
1596 static void
1597 flush_rule_ptrs(void)
1598 {
1599 struct ip_fw *fcp ;
1600
1601 LIST_FOREACH(fcp, &ip_fw_chain_head, next) {
1602 fcp->next_rule_ptr = NULL ;
1603 }
1604 }
1605
1606 void
1607 flush_pipe_ptrs(struct dn_flow_set *match)
1608 {
1609 struct ip_fw *fcp ;
1610
1611 LIST_FOREACH(fcp, &ip_fw_chain_head, next) {
1612 if (match == NULL || fcp->pipe_ptr == match)
1613 fcp->pipe_ptr = NULL;
1614 }
1615 }
1616
1617 static int
1618 add_entry(struct ip_fw_head *head, struct ip_fw *rule)
1619 {
1620 struct ip_fw *ftmp, *fcp, *fcpl;
1621 u_short nbr = 0;
1622
1623 ftmp = kmalloc(sizeof *ftmp, M_IPFW, M_WAITOK | M_ZERO);
1624 if (!ftmp)
1625 return (ENOSPC);
1626 bcopy(rule, ftmp, sizeof(*ftmp));
1627
1628 ftmp->fw_in_if.fu_via_if.name[FW_IFNLEN - 1] = '\0';
1629 ftmp->fw_pcnt = 0L;
1630 ftmp->fw_bcnt = 0L;
1631 ftmp->next_rule_ptr = NULL ;
1632 ftmp->pipe_ptr = NULL ;
1633
1634 crit_enter();
1635
1636 if (LIST_FIRST(head) == 0) {
1637 LIST_INSERT_HEAD(head, ftmp, next);
1638 goto done;
1639 }
1640
1641 /* If entry number is 0, find highest numbered rule and add 100 */
1642 if (ftmp->fw_number == 0) {
1643 LIST_FOREACH(fcp, head, next) {
1644 if (fcp->fw_number != IPFW_DEFAULT_RULE)
1645 nbr = fcp->fw_number;
1646 else
1647 break;
1648 }
1649 if (nbr < IPFW_DEFAULT_RULE - 100)
1650 nbr += 100;
1651 ftmp->fw_number = rule->fw_number = nbr;
1652 }
1653
1654 /* Got a valid number; now insert it, keeping the list ordered */
1655 fcpl = NULL ;
1656 LIST_FOREACH(fcp, head, next) {
1657 if (fcp->fw_number > ftmp->fw_number) {
1658 if (fcpl) {
1659 LIST_INSERT_AFTER(fcpl, ftmp, next);
1660 } else {
1661 LIST_INSERT_HEAD(head, ftmp, next);
1662 }
1663 break;
1664 } else {
1665 fcpl = fcp;
1666 }
1667 }
1668 flush_rule_ptrs();
1669 done:
1670 static_count++;
1671 crit_exit();
1672 DEB(kprintf("++ installed rule %d, static count now %d\n",
1673 ftmp->fw_number, static_count);)
1674 return (0);
1675 }
1676
1677 /**
1678 * free storage associated with a static rule entry (including
1679 * dependent dynamic rules), and zeroes rule pointers to avoid
1680 * dangling pointer dereferences.
1681 * @return a pointer to the next entry.
1682 * Must be called at splimp() and with a non-null argument.
1683 */
1684 static struct ip_fw *
1685 free_chain(struct ip_fw *fcp)
1686 {
1687 struct ip_fw *n;
1688
1689 n = LIST_NEXT(fcp, next);
1690 DELETE_DYN_CHAIN(fcp);
1691 LIST_REMOVE(fcp, next);
1692 static_count--;
1693 if (DUMMYNET_LOADED)
1694 ip_dn_ruledel_ptr(fcp) ;
1695 flush_rule_ptrs(); /* more efficient to do outside the loop */
1696 kfree(fcp, M_IPFW);
1697 return n;
1698 }
1699
1700 /**
1701 * remove all rules with given number.
1702 */
1703 static int
1704 del_entry(struct ip_fw_head *chainptr, u_short number)
1705 {
1706 struct ip_fw *rule;
1707
1708 if (number != IPFW_DEFAULT_RULE) {
1709 LIST_FOREACH(rule, chainptr, next) {
1710 if (rule->fw_number == number) {
1711 crit_enter(); /* prevent access to rules while removing */
1712 while (rule && rule->fw_number == number)
1713 rule = free_chain(rule);
1714 /* XXX could move flush_rule_ptrs() here */
1715 crit_exit();
1716 return 0 ;
1717 }
1718 }
1719 }
1720 return (EINVAL);
1721 }
1722
1723 /**
1724 * Reset some or all counters on firewall rules.
1725 * @arg frwl is null to clear all entries, or contains a specific
1726 * rule number.
1727 * @arg log_only is 1 if we only want to reset logs, zero otherwise.
1728 */
1729
1730 static int
1731 zero_entry(struct ip_fw *frwl, int log_only)
1732 {
1733 struct ip_fw *rule;
1734 u_short number = 0 ;
1735 char *msg ;
1736
1737 if (frwl == 0) {
1738 crit_enter();
1739 LIST_FOREACH(rule, &ip_fw_chain_head, next) {
1740 if (log_only == 0) {
1741 rule->fw_bcnt = rule->fw_pcnt = 0;
1742 rule->timestamp = 0;
1743 }
1744 rule->fw_loghighest = rule->fw_pcnt+rule->fw_logamount;
1745 }
1746 crit_exit();
1747 msg = log_only ? "ipfw: All logging counts cleared.\n" :
1748 "ipfw: Accounting cleared.\n";
1749 } else {
1750 int cleared = 0;
1751 number = frwl->fw_number ;
1752 /*
1753 * It is possible to insert multiple chain entries with the
1754 * same number, so we don't stop after finding the first
1755 * match if zeroing a specific entry.
1756 */
1757 LIST_FOREACH(rule, &ip_fw_chain_head, next)
1758 if (number == rule->fw_number) {
1759 crit_enter();
1760 while (rule && number == rule->fw_number) {
1761 if (log_only == 0) {
1762 rule->fw_bcnt = rule->fw_pcnt = 0;
1763 rule->timestamp = 0;
1764 }
1765 rule->fw_loghighest = rule->fw_pcnt+ rule->fw_logamount;
1766 rule = LIST_NEXT(rule, next);
1767 }
1768 crit_exit();
1769 cleared = 1;
1770 break;
1771 }
1772 if (!cleared) /* we did not find any matching rules */
1773 return (EINVAL);
1774 msg = log_only ? "ipfw: Entry %d logging count reset.\n" :
1775 "ipfw: Entry %d cleared.\n";
1776 }
1777 if (fw_verbose)
1778 log(LOG_SECURITY | LOG_NOTICE, msg, number);
1779 return (0);
1780 }
1781
1782 static int
1783 check_ipfw_struct(struct ip_fw *frwl)
1784 {
1785 /* Check for invalid flag bits */
1786 if ((frwl->fw_flg & ~IP_FW_F_MASK) != 0) {
1787 dprintf(("%s undefined flag bits set (flags=%x)\n",
1788 err_prefix, frwl->fw_flg));
1789 return (EINVAL);
1790 }
1791 if (frwl->fw_flg == IP_FW_F_CHECK_S) {
1792 /* check-state */
1793 return 0 ;
1794 }
1795 /* Must apply to incoming or outgoing (or both) */
1796 if (!(frwl->fw_flg & (IP_FW_F_IN | IP_FW_F_OUT))) {
1797 dprintf(("%s neither in nor out\n", err_prefix));
1798 return (EINVAL);
1799 }
1800 /* Empty interface name is no good */
1801 if (((frwl->fw_flg & IP_FW_F_IIFNAME)
1802 && !*frwl->fw_in_if.fu_via_if.name)
1803 || ((frwl->fw_flg & IP_FW_F_OIFNAME)
1804 && !*frwl->fw_out_if.fu_via_if.name)) {
1805 dprintf(("%s empty interface name\n", err_prefix));
1806 return (EINVAL);
1807 }
1808 /* Sanity check interface matching */
1809 if ((frwl->fw_flg & IF_FW_F_VIAHACK) == IF_FW_F_VIAHACK) {
1810 ; /* allow "via" backwards compatibility */
1811 } else if ((frwl->fw_flg & IP_FW_F_IN)
1812 && (frwl->fw_flg & IP_FW_F_OIFACE)) {
1813 dprintf(("%s outgoing interface check on incoming\n",
1814 err_prefix));
1815 return (EINVAL);
1816 }
1817 /* Sanity check port ranges */
1818 if ((frwl->fw_flg & IP_FW_F_SRNG) && IP_FW_GETNSRCP(frwl) < 2) {
1819 dprintf(("%s src range set but n_src_p=%d\n",
1820 err_prefix, IP_FW_GETNSRCP(frwl)));
1821 return (EINVAL);
1822 }
1823 if ((frwl->fw_flg & IP_FW_F_DRNG) && IP_FW_GETNDSTP(frwl) < 2) {
1824 dprintf(("%s dst range set but n_dst_p=%d\n",
1825 err_prefix, IP_FW_GETNDSTP(frwl)));
1826 return (EINVAL);
1827 }
1828 if (IP_FW_GETNSRCP(frwl) + IP_FW_GETNDSTP(frwl) > IP_FW_MAX_PORTS) {
1829 dprintf(("%s too many ports (%d+%d)\n",
1830 err_prefix, IP_FW_GETNSRCP(frwl), IP_FW_GETNDSTP(frwl)));
1831 return (EINVAL);
1832 }
1833 /*
1834 * Protocols other than TCP/UDP don't use port range
1835 */
1836 if ((frwl->fw_prot != IPPROTO_TCP) &&
1837 (frwl->fw_prot != IPPROTO_UDP) &&
1838 (IP_FW_GETNSRCP(frwl) || IP_FW_GETNDSTP(frwl))) {
1839 dprintf(("%s port(s) specified for non TCP/UDP rule\n",
1840 err_prefix));
1841 return (EINVAL);
1842 }
1843
1844 /*
1845 * Rather than modify the entry to make such entries work,
1846 * we reject this rule and require user level utilities
1847 * to enforce whatever policy they deem appropriate.
1848 */
1849 if ((frwl->fw_src.s_addr & (~frwl->fw_smsk.s_addr)) ||
1850 (frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) {
1851 dprintf(("%s rule never matches\n", err_prefix));
1852 return (EINVAL);
1853 }
1854
1855 if ((frwl->fw_flg & IP_FW_F_FRAG) &&
1856 (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) {
1857 if (IP_FW_HAVEPORTS(frwl)) {
1858 dprintf(("%s cannot mix 'frag' and ports\n", err_prefix));
1859 return (EINVAL);
1860 }
1861 if (frwl->fw_prot == IPPROTO_TCP &&
1862 frwl->fw_tcpf != frwl->fw_tcpnf) {
1863 dprintf(("%s cannot mix 'frag' and TCP flags\n", err_prefix));
1864 return (EINVAL);
1865 }
1866 }
1867
1868 /* Check command specific stuff */
1869 switch (frwl->fw_flg & IP_FW_F_COMMAND) {
1870 case IP_FW_F_REJECT:
1871 if (frwl->fw_reject_code >= 0x100
1872 && !(frwl->fw_prot == IPPROTO_TCP
1873 && frwl->fw_reject_code == IP_FW_REJECT_RST)) {
1874 dprintf(("%s unknown reject code\n", err_prefix));
1875 return (EINVAL);
1876 }
1877 break;
1878 #ifdef IPDIVERT
1879 case IP_FW_F_DIVERT: /* Diverting to port zero is invalid */
1880 case IP_FW_F_TEE:
1881 #endif
1882 case IP_FW_F_PIPE: /* pipe 0 is invalid */
1883 case IP_FW_F_QUEUE: /* queue 0 is invalid */
1884 if (frwl->fw_divert_port == 0) {
1885 dprintf(("%s 0 is an invalid argument\n", err_prefix));
1886 return (EINVAL);
1887 }
1888 break;
1889 case IP_FW_F_DENY:
1890 case IP_FW_F_ACCEPT:
1891 case IP_FW_F_COUNT:
1892 case IP_FW_F_SKIPTO:
1893 case IP_FW_F_FWD:
1894 case IP_FW_F_UID:
1895 case IP_FW_F_GID:
1896 break;
1897 default:
1898 dprintf(("%s invalid command\n", err_prefix));
1899 return (EINVAL);
1900 }
1901
1902 return 0;
1903 }
1904
1905 static int
1906 ip_fw_ctl(struct sockopt *sopt)
1907 {
1908 int error;
1909 size_t size;
1910 struct ip_fw *fcp;
1911 struct ip_fw frwl, *bp , *buf;
1912
1913 /*
1914 * Disallow modifications in really-really secure mode, but still allow
1915 * the logging counters to be reset.
1916 */
1917 if (securelevel >= 3 && (sopt->sopt_name == IP_FW_ADD ||
1918 (sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)))
1919 return (EPERM);
1920 error = 0;
1921
1922 switch (sopt->sopt_name) {
1923 case IP_FW_GET:
1924 /*
1925 * pass up a copy of the current rules. Static rules
1926 * come first (the last of which has number 65535),
1927 * followed by a possibly empty list of dynamic rule.
1928 * The last dynamic rule has NULL in the "next" field.
1929 */
1930 crit_enter();
1931 /* size of static rules */
1932 size = static_count * sizeof(struct ip_fw) ;
1933 if (ipfw_dyn_v) /* add size of dyn.rules */
1934 size += (dyn_count * sizeof(struct ipfw_dyn_rule));
1935
1936 /*
1937 * XXX todo: if the user passes a short length to know how
1938 * much room is needed, do not
1939 * bother filling up the buffer, just jump to the
1940 * sooptcopyout.
1941 */
1942 buf = kmalloc(size, M_TEMP, M_WAITOK);
1943
1944 bp = buf ;
1945 LIST_FOREACH(fcp, &ip_fw_chain_head, next) {
1946 bcopy(fcp, bp, sizeof *fcp);
1947 bp++;
1948 }
1949 if (ipfw_dyn_v) {
1950 int i ;
1951 struct ipfw_dyn_rule *p, *dst, *last = NULL ;
1952
1953 dst = (struct ipfw_dyn_rule *)bp ;
1954 for (i = 0 ; i < curr_dyn_buckets ; i++ )
1955 for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next, dst++ ) {
1956 bcopy(p, dst, sizeof *p);
1957 dst->rule = (void *)(int)p->rule->fw_number;
1958 /*
1959 * store a non-null value in "next". The userland
1960 * code will interpret a NULL here as a marker
1961 * for the last dynamic rule.
1962 */
1963 dst->next = dst ;
1964 last = dst ;
1965 if (TIME_LEQ(dst->expire, time_second) )
1966 dst->expire = 0 ;
1967 else
1968 dst->expire -= time_second ;
1969 }
1970 if (last != NULL)
1971 last->next = NULL ; /* mark last dynamic rule */
1972 }
1973 crit_exit();
1974
1975 error = sooptcopyout(sopt, buf, size);
1976 kfree(buf, M_TEMP);
1977 break;
1978
1979 case IP_FW_FLUSH:
1980 /*
1981 * Normally we cannot release the lock on each iteration.
1982 * We could do it here only because we start from the head all
1983 * the times so there is no risk of missing some entries.
1984 * On the other hand, the risk is that we end up with
1985 * a very inconsistent ruleset, so better keep the lock
1986 * around the whole cycle.
1987 *
1988 * XXX this code can be improved by resetting the head of
1989 * the list to point to the default rule, and then freeing
1990 * the old list without the need for a lock.
1991 */
1992
1993 crit_enter();
1994 while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) &&
1995 fcp->fw_number != IPFW_DEFAULT_RULE )
1996 free_chain(fcp);
1997 crit_exit();
1998 break;
1999
2000 case IP_FW_ADD:
2001 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2002 if (error || (error = check_ipfw_struct(&frwl)))
2003 break;
2004
2005 if (frwl.fw_number == IPFW_DEFAULT_RULE) {
2006 dprintf(("%s can't add rule %u\n", err_prefix,
2007 (unsigned)IPFW_DEFAULT_RULE));
2008 error = EINVAL;
2009 } else {
2010 error = add_entry(&ip_fw_chain_head, &frwl);
2011 if (!error && sopt->sopt_dir == SOPT_GET)
2012 error = sooptcopyout(sopt, &frwl, sizeof frwl);
2013 }
2014 break;
2015
2016 case IP_FW_DEL:
2017 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2018 if (error)
2019 break;
2020
2021 if (frwl.fw_number == IPFW_DEFAULT_RULE) {
2022 dprintf(("%s can't delete rule %u\n", err_prefix,
2023 (unsigned)IPFW_DEFAULT_RULE));
2024 error = EINVAL;
2025 } else {
2026 error = del_entry(&ip_fw_chain_head, frwl.fw_number);
2027 }
2028 break;
2029
2030 case IP_FW_ZERO:
2031 case IP_FW_RESETLOG:
2032 {
2033 int cmd = (sopt->sopt_name == IP_FW_RESETLOG );
2034 void *arg = NULL ;
2035
2036 if (sopt->sopt_val != 0) {
2037 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2038 if (error)
2039 break;
2040 arg = &frwl ;
2041 }
2042 error = zero_entry(arg, cmd);
2043 }
2044 break;
2045
2046 default:
2047 kprintf("ip_fw_ctl invalid option %d\n", sopt->sopt_name);
2048 error = EINVAL ;
2049 }
2050
2051 return (error);
2052 }
2053
2054 /**
2055 * dummynet needs a reference to the default rule, because rules can
2056 * be deleted while packets hold a reference to them (e.g. to resume
2057 * processing at the next rule). When this happens, dummynet changes
2058 * the reference to the default rule (probably it could well be a
2059 * NULL pointer, but this way we do not need to check for the special
2060 * case, plus here he have info on the default behaviour.
2061 */
2062 struct ip_fw *ip_fw_default_rule ;
2063
2064 void
2065 ip_fw_init(void)
2066 {
2067 struct ip_fw default_rule;
2068
2069 ip_fw_chk_ptr = ip_fw_chk;
2070 ip_fw_ctl_ptr = ip_fw_ctl;
2071 LIST_INIT(&ip_fw_chain_head);
2072
2073 bzero(&default_rule, sizeof default_rule);
2074 default_rule.fw_prot = IPPROTO_IP;
2075 default_rule.fw_number = IPFW_DEFAULT_RULE;
2076 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
2077 default_rule.fw_flg |= IP_FW_F_ACCEPT;
2078 #else
2079 default_rule.fw_flg |= IP_FW_F_DENY;
2080 #endif
2081 default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
2082 if (check_ipfw_struct(&default_rule) != 0 ||
2083 add_entry(&ip_fw_chain_head, &default_rule))
2084 panic("ip_fw_init");
2085
2086 ip_fw_default_rule = LIST_FIRST(&ip_fw_chain_head) ;
2087 kprintf("IP packet filtering initialized, "
2088 #ifdef IPDIVERT
2089 "divert enabled, "
2090 #else
2091 "divert disabled, "
2092 #endif
2093 "rule-based forwarding enabled, "
2094 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
2095 "default to accept, ");
2096 #else
2097 "default to deny, " );
2098 #endif
2099 #ifndef IPFIREWALL_VERBOSE
2100 kprintf("logging disabled\n");
2101 #else
2102 if (fw_verbose_limit == 0)
2103 kprintf("unlimited logging\n");
2104 else
2105 kprintf("logging limited to %d packets/entry by default\n",
2106 fw_verbose_limit);
2107 #endif
2108 }
2109
2110 static int
2111 ipfw_modevent(module_t mod, int type, void *unused)
2112 {
2113 int err = 0 ;
2114 #if defined(KLD_MODULE)
2115 struct ip_fw *fcp;
2116 #endif
2117
2118 switch (type) {
2119 case MOD_LOAD:
2120 crit_enter();
2121 if (IPFW_LOADED) {
2122 crit_exit();
2123 kprintf("IP firewall already loaded\n");
2124 err = EEXIST ;
2125 } else {
2126 ip_fw_init();
2127 crit_exit();
2128 }
2129 break ;
2130 case MOD_UNLOAD:
2131 #if !defined(KLD_MODULE)
2132 kprintf("ipfw statically compiled, cannot unload\n");
2133 err = EBUSY;
2134 #else
2135 crit_enter();
2136 ip_fw_chk_ptr = NULL ;
2137 ip_fw_ctl_ptr = NULL ;
2138 while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) != NULL)
2139 free_chain(fcp);
2140 crit_exit();
2141 kprintf("IP firewall unloaded\n");
2142 #endif
2143 break ;
2144
2145 default:
2146 break;
2147 }
2148 return err;
2149 }
2150
2151 static moduledata_t ipfwmod = {
2152 "ipfw",
2153 ipfw_modevent,
2154 0
2155 };
2156 DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PSEUDO, SI_ORDER_ANY);
2157 #endif /* !IPFW2 */
DragonFly vkernel multiprocessor port