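/*
 * Copyright (c) 2014 - 2018 The DragonFly Project.  All rights reserved.
 *
 * This code is derived from software contributed to The DragonFly Project
 * by Bill Yuan <bycn82@dragonflybsd.org>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 * 3. Neither the name of The DragonFly Project nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific, prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "opt_ipfw.h"
#include "opt_inet.h"
#ifndef INET
#error IPFIREWALL3 requires INET.
#endif /* INET */

#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/systimer.h>
#include <sys/param.h>
#include <sys/ucred.h>

#include <net/if.h>
#include <net/bpf.h>
#include <net/ethernet.h>
#include <net/netmsg2.h>
#include <net/netisr2.h>
#include <net/route.h>

#include <netinet/in_var.h>
#include <netinet/ip_var.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/in_var.h>
#include <netinet/in_pcb.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/ip_icmp.h>
#include <netinet/tcp.h>
#include <netinet/tcp_timer.h>
#include <netinet/tcp_var.h>
#include <netinet/tcpip.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/if_ether.h>

#include <net/ipfw3/ip_fw.h>

#include "ip_fw3_layer4.h"

/*
 * Filter functions registered with the ipfw3 core for the layer4 module.
 *
 * Each one evaluates a single rule instruction 'cmd' against the packet
 * described by '*args' and reports the result through two out-parameters:
 *   *cmd_val   IP_FW_MATCH or IP_FW_NOT_MATCH for this instruction
 *   *cmd_ctl   IP_FW_CTL_NO, i.e. no special control action is requested
 * 'f' and 'ip_len' are part of the common filter_func signature; none of
 * the checks in this module read them.
 */
void
check_tcpflag(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_uid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_gid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_established(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_bpf(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);

/*
 * ip_fw3_match_guid - match the owner (uid) or a group (gid) of the local
 * socket that the flow 'fid' belongs to.
 *
 * fid:     flow id; addresses and ports are in host byte order.
 * oif:     outgoing interface, NULL on the input path.  It selects the
 *          direction of the PCB hash lookup (which end of the flow is the
 *          local socket).
 * opcode:  O_LAYER4_UID compares 'id' with the socket credential's cr_uid;
 *          any other opcode (O_LAYER4_GID) treats 'id' as a gid and checks
 *          group membership of the credential.
 * id:      the uid or gid carried by the rule instruction.
 *
 * Returns 1 on match, 0 otherwise.  Only TCP and UDP flows can be matched:
 * TCP lookups are exact (no wildcard), UDP lookups allow a wildcard local
 * address.  A flow without a PCB, or a PCB without a socket, never matches.
 */
static int
ip_fw3_match_guid(const struct ipfw_flow_id *fid, struct ifnet *oif,
    int opcode, uint32_t id)
{
	struct in_addr src_ip, dst_ip;
	struct inpcbinfo *pi;
	boolean_t wildcard;
	struct inpcb *pcb;
	struct ucred *cred;

	switch (fid->proto) {
	case IPPROTO_TCP:
		wildcard = FALSE;
		pi = &tcbinfo[mycpuid];
		break;
	case IPPROTO_UDP:
		wildcard = TRUE;
		pi = &udbinfo[mycpuid];
		break;
	default:
		return 0;
	}

	/*
	 * Values in 'fid' are in host byte order; the PCB tables are keyed
	 * in network byte order.  in_pcblookup_hash() takes the foreign
	 * address/port first and the local address/port second.
	 */
	dst_ip.s_addr = htonl(fid->dst_ip);
	src_ip.s_addr = htonl(fid->src_ip);
	if (oif != NULL) {
		/* Outbound: the flow's source is the local end. */
		pcb = in_pcblookup_hash(pi,
			dst_ip, htons(fid->dst_port),
			src_ip, htons(fid->src_port),
			wildcard, oif);
	} else {
		/* Inbound: the flow's destination is the local end. */
		pcb = in_pcblookup_hash(pi,
			src_ip, htons(fid->src_port),
			dst_ip, htons(fid->dst_port),
			wildcard, NULL);
	}
	if (pcb == NULL || pcb->inp_socket == NULL)
		return 0;

	cred = pcb->inp_socket->so_cred;
	if (opcode == O_LAYER4_UID)
		return cred->cr_uid == (uid_t)id;
	return groupmember((gid_t)id, cred);
}

/*
 * O_LAYER4_TCPFLAG is not implemented yet (XXX TODO).  The instruction is
 * registered so that rules using it load, but it always reports
 * IP_FW_NOT_MATCH, so such a rule can never fire.
 */
void
check_tcpflag(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	*cmd_val = IP_FW_NOT_MATCH;
	*cmd_ctl = IP_FW_CTL_NO;
}

/*
 * O_LAYER4_UID: match when the local socket of the flow is owned by the
 * uid stored in the instruction's first u32 operand.
 */
void
check_uid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	int matched;

	matched = ip_fw3_match_guid(&(*args)->f_id, (*args)->oif,
	    cmd->opcode, ((ipfw_insn_u32 *)cmd)->d[0]);
	*cmd_val = matched ? IP_FW_MATCH : IP_FW_NOT_MATCH;
	*cmd_ctl = IP_FW_CTL_NO;
}

/*
 * O_LAYER4_GID: match when the credential of the flow's local socket is a
 * member of the gid stored in the instruction's first u32 operand.
 */
void
check_gid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	int matched;

	matched = ip_fw3_match_guid(&(*args)->f_id, (*args)->oif,
	    cmd->opcode, ((ipfw_insn_u32 *)cmd)->d[0]);
	*cmd_val = matched ? IP_FW_MATCH : IP_FW_NOT_MATCH;
	*cmd_ctl = IP_FW_CTL_NO;
}

/*
 * O_LAYER4_ESTABLISHED: match TCP segments that are not a bare SYN, i.e.
 * whose RST/ACK/SYN bits are anything other than SYN alone.  Non-TCP
 * packets never match.
 *
 * NOTE(review): the classic ipfw check additionally requires the IP
 * fragment offset to be 0 (see the commented-out "offset == 0" below).
 * Without it, a non-first fragment whose protocol is TCP has no TCP header
 * at L3HDR(): the bytes read there are payload, and the match result is
 * whatever those bytes happen to contain.  Whether the ipfw3 core already
 * drops or reassembles such fragments before calling this function, and
 * in which byte order ip_off is at this point, cannot be confirmed from
 * this file - verify against ip_fw3_chk() before restoring the check.
 */
void
check_established(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	struct ipfw_flow_id *fid = &(*args)->f_id;
	struct mbuf *m = (*args)->m;
	struct ip *ip = mtod(m, struct ip *);
	uint8_t flags;

	*cmd_ctl = IP_FW_CTL_NO;
	*cmd_val = IP_FW_NOT_MATCH;
	if (fid->proto != IPPROTO_TCP)
		return;

	/* offset == 0 && */
	flags = L3HDR(struct tcphdr, ip)->th_flags;
	if ((flags & (TH_RST | TH_ACK | TH_SYN)) != TH_SYN)
		*cmd_val = IP_FW_MATCH;
}

/*
 * O_LAYER4_BPF: run the compiled BPF program stored in the instruction
 * over the whole mbuf chain.  bpf_filter() is handed the chain itself with
 * a buffer length of 0, its "argument is an mbuf chain" form; a non-zero
 * return value means the program accepted the packet.
 */
void
check_bpf(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	struct mbuf *m = (*args)->m;
	ipfw_insn_bpf *bpf = (ipfw_insn_bpf *)cmd;
	u_int slen;

	*cmd_ctl = IP_FW_CTL_NO;
	slen = bpf_filter(bpf->bf_insn, (u_char *)m, m_lengthm(m, NULL), 0);
	*cmd_val = (slen != 0) ? IP_FW_MATCH : IP_FW_NOT_MATCH;
}

/*
 * Register the module and every layer4 opcode it implements with the
 * ipfw3 core.  Always returns 0.
 */
static int
ip_fw3_layer4_init(void)
{
	ip_fw3_register_module(MODULE_LAYER4_ID, MODULE_LAYER4_NAME);
	ip_fw3_register_filter_funcs(MODULE_LAYER4_ID, O_LAYER4_TCPFLAG,
	    (filter_func)check_tcpflag);
	ip_fw3_register_filter_funcs(MODULE_LAYER4_ID, O_LAYER4_UID,
	    (filter_func)check_uid);
	ip_fw3_register_filter_funcs(MODULE_LAYER4_ID, O_LAYER4_GID,
	    (filter_func)check_gid);
	ip_fw3_register_filter_funcs(MODULE_LAYER4_ID, O_LAYER4_ESTABLISHED,
	    (filter_func)check_established);
	ip_fw3_register_filter_funcs(MODULE_LAYER4_ID, O_LAYER4_BPF,
	    (filter_func)check_bpf);
	return 0;
}

/*
 * Unregister the module from the ipfw3 core; the core's return value is
 * passed through to the module event handler.
 */
static int
ip_fw3_layer4_stop(void)
{
	return ip_fw3_unregister_module(MODULE_LAYER4_ID);
}

/*
 * Kernel module event handler: load registers the module, unload
 * unregisters it, every other event is accepted as a no-op.
 */
static int
ipfw3_layer4_modevent(module_t mod, int type, void *data)
{
	switch (type) {
	case MOD_LOAD:
		return ip_fw3_layer4_init();
	case MOD_UNLOAD:
		return ip_fw3_layer4_stop();
	default:
		return 0;
	}
}

static moduledata_t ipfw3_layer4_mod = {
	"ipfw3_layer4",
	ipfw3_layer4_modevent,
	NULL
};
DECLARE_MODULE(ipfw3_layer4, ipfw3_layer4_mod, SI_SUB_PROTO_END, SI_ORDER_ANY);
MODULE_DEPEND(ipfw3_layer4, ipfw3_basic, 1, 1, 1);
MODULE_VERSION(ipfw3_layer4, 1);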