1 /* $NetBSD: ip_auth.c,v 1.5 2014/05/30 02:16:17 rmind Exp $ */ 2 3 /* 4 * Copyright (C) 2012 by Darren Reed. 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 */ 8 #if defined(KERNEL) || defined(_KERNEL) 9 # undef KERNEL 10 # undef _KERNEL 11 # define KERNEL 1 12 # define _KERNEL 1 13 #endif 14 #if defined(__NetBSD__) 15 #include <sys/cdefs.h> 16 #endif 17 #include <sys/errno.h> 18 #include <sys/types.h> 19 #include <sys/param.h> 20 #include <sys/time.h> 21 #include <sys/file.h> 22 #if !defined(_KERNEL) 23 # include <stdio.h> 24 # include <stdlib.h> 25 # ifdef _STDC_C99 26 # include <stdbool.h> 27 # endif 28 # include <string.h> 29 # define _KERNEL 30 # ifdef __OpenBSD__ 31 struct file; 32 # endif 33 # include <sys/uio.h> 34 # undef _KERNEL 35 #endif 36 #if defined(_KERNEL) && (__FreeBSD_version >= 220000) 37 # include <sys/filio.h> 38 # include <sys/fcntl.h> 39 #else 40 # include <sys/ioctl.h> 41 #endif 42 #if !defined(linux) 43 # include <sys/protosw.h> 44 #endif 45 #include <sys/socket.h> 46 #if defined(_KERNEL) 47 # include <sys/systm.h> 48 # if !defined(__SVR4) && !defined(__svr4__) && !defined(linux) 49 # include <sys/mbuf.h> 50 # endif 51 #endif 52 #if defined(__SVR4) || defined(__svr4__) 53 # include <sys/filio.h> 54 # include <sys/byteorder.h> 55 # ifdef _KERNEL 56 # include <sys/dditypes.h> 57 # endif 58 # include <sys/stream.h> 59 # include <sys/kmem.h> 60 #endif 61 #if (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) || \ 62 (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000)) 63 # include <sys/queue.h> 64 #endif 65 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) 66 # include <machine/cpu.h> 67 #endif 68 #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000) 69 # include <sys/proc.h> 70 #endif 71 #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \ 72 !defined(_KERNEL) 73 # include <stdbool.h> 74 #endif 75 #include <net/if.h> 76 #include <net/route.h> 77 #ifdef sun 78 # include <net/af.h> 79 #endif 80 #include <netinet/in.h> 81 #include <netinet/in_systm.h> 82 #include <netinet/ip.h> 83 #if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi) 84 # define KERNEL 85 # define _KERNEL 86 # define NOT_KERNEL 87 #endif 88 #if !defined(linux) 89 # include <netinet/ip_var.h> 90 #endif 91 #ifdef NOT_KERNEL 92 # undef _KERNEL 93 # undef KERNEL 94 #endif 95 #include <netinet/tcp.h> 96 #if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */ 97 extern struct ifqueue ipintrq; /* ip packet input queue */ 98 #else 99 # if !defined(__hpux) && !defined(linux) 100 # if __FreeBSD_version >= 300000 101 # include <net/if_var.h> 102 # if __FreeBSD_version >= 500042 103 # define IF_QFULL _IF_QFULL 104 # define IF_DROP _IF_DROP 105 # endif /* __FreeBSD_version >= 500042 */ 106 # endif 107 # include <netinet/in_var.h> 108 # include <netinet/tcp_fsm.h> 109 # endif 110 #endif 111 #include <netinet/udp.h> 112 #include <netinet/ip_icmp.h> 113 #include "netinet/ip_compat.h" 114 #include <netinet/tcpip.h> 115 #include "netinet/ip_fil.h" 116 #include "netinet/ip_auth.h" 117 #if !defined(MENTAT) && !defined(linux) 118 # include <net/netisr.h> 119 # ifdef __FreeBSD__ 120 # include <machine/cpufunc.h> 121 # endif 122 #endif 123 #if (__FreeBSD_version >= 300000) 124 # include <sys/malloc.h> 125 # if defined(_KERNEL) && !defined(IPFILTER_LKM) 126 # include <sys/libkern.h> 127 # include <sys/systm.h> 128 # endif 129 #endif 130 /* END OF INCLUDES */ 131 132 #if !defined(lint) 133 #if defined(__NetBSD__) 134 __KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.5 2014/05/30 02:16:17 rmind Exp $"); 135 #else 136 static const char rcsid[] = "@(#)Id: ip_auth.c,v 1.1.1.2 2012/07/22 13:45:08 darrenr Exp"; 137 #endif 138 #endif 139 140 141 typedef struct ipf_auth_softc_s { 142 #if SOLARIS && defined(_KERNEL) 143 kcondvar_t ipf_auth_wait; 144 #endif /* SOLARIS */ 145 #if defined(linux) && defined(_KERNEL) 146 wait_queue_head_t ipf_auth_next_linux; 147 #endif 148 ipfrwlock_t ipf_authlk; 149 ipfmutex_t ipf_auth_mx; 150 int ipf_auth_size; 151 int ipf_auth_used; 152 int ipf_auth_replies; 153 int ipf_auth_defaultage; 154 int ipf_auth_lock; 155 ipf_authstat_t ipf_auth_stats; 156 frauth_t *ipf_auth; 157 mb_t **ipf_auth_pkts; 158 int ipf_auth_start; 159 int ipf_auth_end; 160 int ipf_auth_next; 161 frauthent_t *ipf_auth_entries; 162 frentry_t *ipf_auth_ip; 163 frentry_t *ipf_auth_rules; 164 } ipf_auth_softc_t; 165 166 167 static void ipf_auth_deref(frauthent_t **); 168 static void ipf_auth_deref_unlocked(ipf_auth_softc_t *, frauthent_t **); 169 static int ipf_auth_geniter(ipf_main_softc_t *, ipftoken_t *, 170 ipfgeniter_t *, ipfobj_t *); 171 static int ipf_auth_reply(ipf_main_softc_t *, ipf_auth_softc_t *, char *); 172 static int ipf_auth_wait(ipf_main_softc_t *, ipf_auth_softc_t *, char *); 173 static int ipf_auth_flush(void *); 174 175 176 /* ------------------------------------------------------------------------ */ 177 /* Function: ipf_auth_main_load */ 178 /* Returns: int - 0 == success, else error */ 179 /* Parameters: None */ 180 /* */ 181 /* A null-op function that exists as a placeholder so that the flow in */ 182 /* other functions is obvious. */ 183 /* ------------------------------------------------------------------------ */ 184 int 185 ipf_auth_main_load(void) 186 { 187 return 0; 188 } 189 190 191 /* ------------------------------------------------------------------------ */ 192 /* Function: ipf_auth_main_unload */ 193 /* Returns: int - 0 == success, else error */ 194 /* Parameters: None */ 195 /* */ 196 /* A null-op function that exists as a placeholder so that the flow in */ 197 /* other functions is obvious. */ 198 /* ------------------------------------------------------------------------ */ 199 int 200 ipf_auth_main_unload(void) 201 { 202 return 0; 203 } 204 205 206 /* ------------------------------------------------------------------------ */ 207 /* Function: ipf_auth_soft_create */ 208 /* Returns: int - NULL = failure, else success */ 209 /* Parameters: softc(I) - pointer to soft context data */ 210 /* */ 211 /* Create a structre to store all of the run-time data for packet auth in */ 212 /* and initialise some fields to their defaults. */ 213 /* ------------------------------------------------------------------------ */ 214 void * 215 ipf_auth_soft_create(ipf_main_softc_t *softc) 216 { 217 ipf_auth_softc_t *softa; 218 219 KMALLOC(softa, ipf_auth_softc_t *); 220 if (softa == NULL) 221 return NULL; 222 223 bzero((char *)softa, sizeof(*softa)); 224 225 softa->ipf_auth_size = FR_NUMAUTH; 226 softa->ipf_auth_defaultage = 600; 227 228 RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock"); 229 MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex"); 230 #if SOLARIS && defined(_KERNEL) 231 cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL); 232 #endif 233 234 return softa; 235 } 236 237 /* ------------------------------------------------------------------------ */ 238 /* Function: ipf_auth_soft_init */ 239 /* Returns: int - 0 == success, else error */ 240 /* Parameters: softc(I) - pointer to soft context data */ 241 /* arg(I) - opaque pointer to auth context data */ 242 /* */ 243 /* Allocate memory and initialise data structures used in handling auth */ 244 /* rules. */ 245 /* ------------------------------------------------------------------------ */ 246 int 247 ipf_auth_soft_init(ipf_main_softc_t *softc, void *arg) 248 { 249 ipf_auth_softc_t *softa = arg; 250 251 KMALLOCS(softa->ipf_auth, frauth_t *, 252 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 253 if (softa->ipf_auth == NULL) 254 return -1; 255 bzero((char *)softa->ipf_auth, 256 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 257 258 KMALLOCS(softa->ipf_auth_pkts, mb_t **, 259 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 260 if (softa->ipf_auth_pkts == NULL) 261 return -2; 262 bzero((char *)softa->ipf_auth_pkts, 263 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 264 265 #if defined(linux) && defined(_KERNEL) 266 init_waitqueue_head(&softa->ipf_auth_next_linux); 267 #endif 268 269 return 0; 270 } 271 272 273 /* ------------------------------------------------------------------------ */ 274 /* Function: ipf_auth_soft_fini */ 275 /* Returns: int - 0 == success, else error */ 276 /* Parameters: softc(I) - pointer to soft context data */ 277 /* arg(I) - opaque pointer to auth context data */ 278 /* */ 279 /* Free all network buffer memory used to keep saved packets that have been */ 280 /* connectedd to the soft soft context structure *but* do not free that: it */ 281 /* is free'd by _destroy(). */ 282 /* ------------------------------------------------------------------------ */ 283 int 284 ipf_auth_soft_fini(ipf_main_softc_t *softc, void *arg) 285 { 286 ipf_auth_softc_t *softa = arg; 287 frauthent_t *fae, **faep; 288 frentry_t *fr, **frp; 289 mb_t *m; 290 int i; 291 292 if (softa->ipf_auth != NULL) { 293 KFREES(softa->ipf_auth, 294 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 295 softa->ipf_auth = NULL; 296 } 297 298 if (softa->ipf_auth_pkts != NULL) { 299 for (i = 0; i < softa->ipf_auth_size; i++) { 300 m = softa->ipf_auth_pkts[i]; 301 if (m != NULL) { 302 FREE_MB_T(m); 303 softa->ipf_auth_pkts[i] = NULL; 304 } 305 } 306 KFREES(softa->ipf_auth_pkts, 307 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 308 softa->ipf_auth_pkts = NULL; 309 } 310 311 faep = &softa->ipf_auth_entries; 312 while ((fae = *faep) != NULL) { 313 *faep = fae->fae_next; 314 KFREE(fae); 315 } 316 softa->ipf_auth_ip = NULL; 317 318 if (softa->ipf_auth_rules != NULL) { 319 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 320 if (fr->fr_ref == 1) { 321 *frp = fr->fr_next; 322 MUTEX_DESTROY(&fr->fr_lock); 323 KFREE(fr); 324 } else 325 frp = &fr->fr_next; 326 } 327 } 328 329 return 0; 330 } 331 332 333 /* ------------------------------------------------------------------------ */ 334 /* Function: ipf_auth_soft_destroy */ 335 /* Returns: void */ 336 /* Parameters: softc(I) - pointer to soft context data */ 337 /* arg(I) - opaque pointer to auth context data */ 338 /* */ 339 /* Undo what was done in _create() - i.e. free the soft context data. */ 340 /* ------------------------------------------------------------------------ */ 341 void 342 ipf_auth_soft_destroy(ipf_main_softc_t *softc, void *arg) 343 { 344 ipf_auth_softc_t *softa = arg; 345 346 # if SOLARIS && defined(_KERNEL) 347 cv_destroy(&softa->ipf_auth_wait); 348 # endif 349 MUTEX_DESTROY(&softa->ipf_auth_mx); 350 RW_DESTROY(&softa->ipf_authlk); 351 352 KFREE(softa); 353 } 354 355 356 /* ------------------------------------------------------------------------ */ 357 /* Function: ipf_auth_setlock */ 358 /* Returns: void */ 359 /* Paramters: arg(I) - pointer to soft context data */ 360 /* tmp(I) - value to assign to auth lock */ 361 /* */ 362 /* ------------------------------------------------------------------------ */ 363 void 364 ipf_auth_setlock(void *arg, int tmp) 365 { 366 ipf_auth_softc_t *softa = arg; 367 368 softa->ipf_auth_lock = tmp; 369 } 370 371 372 /* ------------------------------------------------------------------------ */ 373 /* Function: ipf_auth_check */ 374 /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */ 375 /* Parameters: fin(I) - pointer to ipftoken structure */ 376 /* passp(I) - pointer to ipfgeniter structure */ 377 /* */ 378 /* Check if a packet has authorization. If the packet is found to match an */ 379 /* authorization result and that would result in a feedback loop (i.e. it */ 380 /* will end up returning FR_AUTH) then return FR_BLOCK instead. */ 381 /* ------------------------------------------------------------------------ */ 382 frentry_t * 383 ipf_auth_check(fr_info_t *fin, u_32_t *passp) 384 { 385 ipf_main_softc_t *softc = fin->fin_main_soft; 386 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 387 frentry_t *fr; 388 frauth_t *fra; 389 u_32_t pass; 390 u_short id; 391 ip_t *ip; 392 int i; 393 394 if (softa->ipf_auth_lock || !softa->ipf_auth_used) 395 return NULL; 396 397 ip = fin->fin_ip; 398 id = ip->ip_id; 399 400 READ_ENTER(&softa->ipf_authlk); 401 for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) { 402 /* 403 * index becomes -2 only after an SIOCAUTHW. Check this in 404 * case the same packet gets sent again and it hasn't yet been 405 * auth'd. 406 */ 407 fra = softa->ipf_auth + i; 408 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) && 409 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) { 410 /* 411 * Avoid feedback loop. 412 */ 413 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) { 414 pass = FR_BLOCK; 415 fin->fin_reason = FRB_AUTHFEEDBACK; 416 } 417 /* 418 * Create a dummy rule for the stateful checking to 419 * use and return. Zero out any values we don't 420 * trust from userland! 421 */ 422 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) && 423 (fin->fin_flx & FI_FRAG))) { 424 KMALLOC(fr, frentry_t *); 425 if (fr) { 426 bcopy((char *)fra->fra_info.fin_fr, 427 (char *)fr, sizeof(*fr)); 428 fr->fr_grp = NULL; 429 fr->fr_ifa = fin->fin_ifp; 430 fr->fr_func = NULL; 431 fr->fr_ref = 1; 432 fr->fr_flags = pass; 433 fr->fr_ifas[1] = NULL; 434 fr->fr_ifas[2] = NULL; 435 fr->fr_ifas[3] = NULL; 436 MUTEX_INIT(&fr->fr_lock, 437 "ipf auth rule"); 438 } 439 } else 440 fr = fra->fra_info.fin_fr; 441 fin->fin_fr = fr; 442 fin->fin_flx |= fra->fra_flx; 443 RWLOCK_EXIT(&softa->ipf_authlk); 444 445 WRITE_ENTER(&softa->ipf_authlk); 446 /* 447 * ipf_auth_rules is populated with the rules malloc'd 448 * above and only those. 449 */ 450 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) { 451 fr->fr_next = softa->ipf_auth_rules; 452 softa->ipf_auth_rules = fr; 453 } 454 softa->ipf_auth_stats.fas_hits++; 455 fra->fra_index = -1; 456 softa->ipf_auth_used--; 457 softa->ipf_auth_replies--; 458 if (i == softa->ipf_auth_start) { 459 while (fra->fra_index == -1) { 460 i++; 461 fra++; 462 if (i == softa->ipf_auth_size) { 463 i = 0; 464 fra = softa->ipf_auth; 465 } 466 softa->ipf_auth_start = i; 467 if (i == softa->ipf_auth_end) 468 break; 469 } 470 if (softa->ipf_auth_start == 471 softa->ipf_auth_end) { 472 softa->ipf_auth_next = 0; 473 softa->ipf_auth_start = 0; 474 softa->ipf_auth_end = 0; 475 } 476 } 477 RWLOCK_EXIT(&softa->ipf_authlk); 478 if (passp != NULL) 479 *passp = pass; 480 softa->ipf_auth_stats.fas_hits++; 481 return fr; 482 } 483 i++; 484 if (i == softa->ipf_auth_size) 485 i = 0; 486 } 487 RWLOCK_EXIT(&softa->ipf_authlk); 488 softa->ipf_auth_stats.fas_miss++; 489 return NULL; 490 } 491 492 493 /* ------------------------------------------------------------------------ */ 494 /* Function: ipf_auth_new */ 495 /* Returns: int - 1 == success, 0 = did not put packet on auth queue */ 496 /* Parameters: m(I) - pointer to mb_t with packet in it */ 497 /* fin(I) - pointer to packet information */ 498 /* */ 499 /* Check if we have room in the auth array to hold details for another */ 500 /* packet. If we do, store it and wake up any user programs which are */ 501 /* waiting to hear about these events. */ 502 /* ------------------------------------------------------------------------ */ 503 int 504 ipf_auth_new(mb_t *m, fr_info_t *fin) 505 { 506 ipf_main_softc_t *softc = fin->fin_main_soft; 507 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 508 #if defined(_KERNEL) && defined(MENTAT) 509 qpktinfo_t *qpi = fin->fin_qpi; 510 #endif 511 frauth_t *fra; 512 #if !defined(sparc) && !defined(m68k) 513 ip_t *ip; 514 #endif 515 int i; 516 517 if (softa->ipf_auth_lock) 518 return 0; 519 520 WRITE_ENTER(&softa->ipf_authlk); 521 if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) == 522 softa->ipf_auth_start) { 523 softa->ipf_auth_stats.fas_nospace++; 524 RWLOCK_EXIT(&softa->ipf_authlk); 525 return 0; 526 } 527 528 softa->ipf_auth_stats.fas_added++; 529 softa->ipf_auth_used++; 530 i = softa->ipf_auth_end++; 531 if (softa->ipf_auth_end == softa->ipf_auth_size) 532 softa->ipf_auth_end = 0; 533 534 fra = softa->ipf_auth + i; 535 fra->fra_index = i; 536 if (fin->fin_fr != NULL) 537 fra->fra_pass = fin->fin_fr->fr_flags; 538 else 539 fra->fra_pass = 0; 540 fra->fra_age = softa->ipf_auth_defaultage; 541 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin)); 542 fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED); 543 fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED); 544 #if !defined(sparc) && !defined(m68k) 545 /* 546 * No need to copyback here as we want to undo the changes, not keep 547 * them. 548 */ 549 ip = fin->fin_ip; 550 # if defined(MENTAT) && defined(_KERNEL) 551 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4)) 552 # endif 553 { 554 register u_short bo; 555 556 bo = ip->ip_len; 557 ip->ip_len = htons(bo); 558 bo = ip->ip_off; 559 ip->ip_off = htons(bo); 560 } 561 #endif 562 #if SOLARIS && defined(_KERNEL) 563 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname); 564 m->b_rptr -= qpi->qpi_off; 565 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */ 566 fra->fra_m = *fin->fin_mp; 567 fra->fra_info.fin_mp = &fra->fra_m; 568 softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp; 569 RWLOCK_EXIT(&softa->ipf_authlk); 570 cv_signal(&softa->ipf_auth_wait); 571 pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM); 572 #else 573 softa->ipf_auth_pkts[i] = m; 574 RWLOCK_EXIT(&softa->ipf_authlk); 575 WAKEUP(&softa->ipf_auth_next, 0); 576 #endif 577 return 1; 578 } 579 580 581 /* ------------------------------------------------------------------------ */ 582 /* Function: ipf_auth_ioctl */ 583 /* Returns: int - 0 == success, else error */ 584 /* Parameters: data(IO) - pointer to ioctl data */ 585 /* cmd(I) - ioctl command */ 586 /* mode(I) - mode flags associated with open descriptor */ 587 /* uid(I) - uid associatd with application making the call */ 588 /* ctx(I) - pointer for context */ 589 /* */ 590 /* This function handles all of the ioctls recognised by the auth component */ 591 /* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */ 592 /* ------------------------------------------------------------------------ */ 593 int 594 ipf_auth_ioctl(ipf_main_softc_t *softc, void *data, ioctlcmd_t cmd, int mode, 595 int uid, void *ctx) 596 { 597 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 598 int error = 0, i; 599 SPL_INT(s); 600 601 switch (cmd) 602 { 603 case SIOCGENITER : 604 { 605 ipftoken_t *token; 606 ipfgeniter_t iter; 607 ipfobj_t obj; 608 609 error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER); 610 if (error != 0) 611 break; 612 613 SPL_SCHED(s); 614 token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx); 615 if (token != NULL) 616 error = ipf_auth_geniter(softc, token, &iter, &obj); 617 else { 618 WRITE_ENTER(&softc->ipf_tokens); 619 ipf_token_deref(softc, token); 620 RWLOCK_EXIT(&softc->ipf_tokens); 621 IPFERROR(10001); 622 error = ESRCH; 623 } 624 SPL_X(s); 625 626 break; 627 } 628 629 case SIOCADAFR : 630 case SIOCRMAFR : 631 if (!(mode & FWRITE)) { 632 IPFERROR(10002); 633 error = EPERM; 634 } else 635 error = frrequest(softc, IPL_LOGAUTH, cmd, data, 636 softc->ipf_active, 1); 637 break; 638 639 case SIOCSTLCK : 640 if (!(mode & FWRITE)) { 641 IPFERROR(10003); 642 error = EPERM; 643 } else { 644 error = ipf_lock(data, &softa->ipf_auth_lock); 645 } 646 break; 647 648 case SIOCATHST: 649 softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries; 650 error = ipf_outobj(softc, data, &softa->ipf_auth_stats, 651 IPFOBJ_AUTHSTAT); 652 break; 653 654 case SIOCIPFFL: 655 SPL_NET(s); 656 WRITE_ENTER(&softa->ipf_authlk); 657 i = ipf_auth_flush(softa); 658 RWLOCK_EXIT(&softa->ipf_authlk); 659 SPL_X(s); 660 error = BCOPYOUT(&i, data, sizeof(i)); 661 if (error != 0) { 662 IPFERROR(10004); 663 error = EFAULT; 664 } 665 break; 666 667 case SIOCAUTHW: 668 error = ipf_auth_wait(softc, softa, data); 669 break; 670 671 case SIOCAUTHR: 672 error = ipf_auth_reply(softc, softa, data); 673 break; 674 675 default : 676 IPFERROR(10005); 677 error = EINVAL; 678 break; 679 } 680 return error; 681 } 682 683 684 /* ------------------------------------------------------------------------ */ 685 /* Function: ipf_auth_expire */ 686 /* Returns: None */ 687 /* Parameters: None */ 688 /* */ 689 /* Slowly expire held auth records. Timeouts are set in expectation of */ 690 /* this being called twice per second. */ 691 /* ------------------------------------------------------------------------ */ 692 void 693 ipf_auth_expire(ipf_main_softc_t *softc) 694 { 695 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 696 frauthent_t *fae, **faep; 697 frentry_t *fr, **frp; 698 frauth_t *fra; 699 mb_t *m; 700 int i; 701 SPL_INT(s); 702 703 if (softa->ipf_auth_lock) 704 return; 705 SPL_NET(s); 706 WRITE_ENTER(&softa->ipf_authlk); 707 for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size; 708 i++, fra++) { 709 fra->fra_age--; 710 if ((fra->fra_age == 0) && 711 (softa->ipf_auth[i].fra_index != -1)) { 712 if ((m = softa->ipf_auth_pkts[i]) != NULL) { 713 FREE_MB_T(m); 714 softa->ipf_auth_pkts[i] = NULL; 715 } else if (softa->ipf_auth[i].fra_index == -2) { 716 softa->ipf_auth_replies--; 717 } 718 softa->ipf_auth[i].fra_index = -1; 719 softa->ipf_auth_stats.fas_expire++; 720 softa->ipf_auth_used--; 721 } 722 } 723 724 /* 725 * Expire pre-auth rules 726 */ 727 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 728 fae->fae_age--; 729 if (fae->fae_age == 0) { 730 ipf_auth_deref(&fae); 731 softa->ipf_auth_stats.fas_expire++; 732 } else 733 faep = &fae->fae_next; 734 } 735 if (softa->ipf_auth_entries != NULL) 736 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 737 else 738 softa->ipf_auth_ip = NULL; 739 740 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 741 if (fr->fr_ref == 1) { 742 *frp = fr->fr_next; 743 MUTEX_DESTROY(&fr->fr_lock); 744 KFREE(fr); 745 } else 746 frp = &fr->fr_next; 747 } 748 RWLOCK_EXIT(&softa->ipf_authlk); 749 SPL_X(s); 750 } 751 752 753 /* ------------------------------------------------------------------------ */ 754 /* Function: ipf_auth_precmd */ 755 /* Returns: int - 0 == success, else error */ 756 /* Parameters: cmd(I) - ioctl command for rule */ 757 /* fr(I) - pointer to ipf rule */ 758 /* fptr(I) - pointer to caller's 'fr' */ 759 /* */ 760 /* ------------------------------------------------------------------------ */ 761 int 762 ipf_auth_precmd(ipf_main_softc_t *softc, ioctlcmd_t cmd, frentry_t *fr, 763 frentry_t **frptr) 764 { 765 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 766 frauthent_t *fae, **faep; 767 int error = 0; 768 SPL_INT(s); 769 770 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) { 771 IPFERROR(10006); 772 return EIO; 773 } 774 775 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 776 if (&fae->fae_fr == fr) 777 break; 778 else 779 faep = &fae->fae_next; 780 } 781 782 if (cmd == (ioctlcmd_t)SIOCRMAFR) { 783 if (fr == NULL || frptr == NULL) { 784 IPFERROR(10007); 785 error = EINVAL; 786 787 } else if (fae == NULL) { 788 IPFERROR(10008); 789 error = ESRCH; 790 791 } else { 792 SPL_NET(s); 793 WRITE_ENTER(&softa->ipf_authlk); 794 *faep = fae->fae_next; 795 if (softa->ipf_auth_ip == &fae->fae_fr) 796 softa->ipf_auth_ip = softa->ipf_auth_entries ? 797 &softa->ipf_auth_entries->fae_fr : NULL; 798 RWLOCK_EXIT(&softa->ipf_authlk); 799 SPL_X(s); 800 801 KFREE(fae); 802 } 803 } else if (fr != NULL && frptr != NULL) { 804 KMALLOC(fae, frauthent_t *); 805 if (fae != NULL) { 806 bcopy((char *)fr, (char *)&fae->fae_fr, 807 sizeof(*fr)); 808 SPL_NET(s); 809 WRITE_ENTER(&softa->ipf_authlk); 810 fae->fae_age = softa->ipf_auth_defaultage; 811 fae->fae_fr.fr_hits = 0; 812 fae->fae_fr.fr_next = *frptr; 813 fae->fae_ref = 1; 814 *frptr = &fae->fae_fr; 815 fae->fae_next = *faep; 816 *faep = fae; 817 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 818 RWLOCK_EXIT(&softa->ipf_authlk); 819 SPL_X(s); 820 } else { 821 IPFERROR(10009); 822 error = ENOMEM; 823 } 824 } else { 825 IPFERROR(10010); 826 error = EINVAL; 827 } 828 return error; 829 } 830 831 832 /* ------------------------------------------------------------------------ */ 833 /* Function: ipf_auth_flush */ 834 /* Returns: int - number of auth entries flushed */ 835 /* Parameters: None */ 836 /* Locks: WRITE(ipf_authlk) */ 837 /* */ 838 /* This function flushs the ipf_auth_pkts array of any packet data with */ 839 /* references still there. */ 840 /* It is expected that the caller has already acquired the correct locks or */ 841 /* set the priority level correctly for this to block out other code paths */ 842 /* into these data structures. */ 843 /* ------------------------------------------------------------------------ */ 844 static int 845 ipf_auth_flush(void *arg) 846 { 847 ipf_auth_softc_t *softa = arg; 848 int i, num_flushed; 849 mb_t *m; 850 851 if (softa->ipf_auth_lock) 852 return -1; 853 854 num_flushed = 0; 855 856 for (i = 0 ; i < softa->ipf_auth_size; i++) { 857 if (softa->ipf_auth[i].fra_index != -1) { 858 m = softa->ipf_auth_pkts[i]; 859 if (m != NULL) { 860 FREE_MB_T(m); 861 softa->ipf_auth_pkts[i] = NULL; 862 } 863 864 softa->ipf_auth[i].fra_index = -1; 865 /* perhaps add & use a flush counter inst.*/ 866 softa->ipf_auth_stats.fas_expire++; 867 num_flushed++; 868 } 869 } 870 871 softa->ipf_auth_start = 0; 872 softa->ipf_auth_end = 0; 873 softa->ipf_auth_next = 0; 874 softa->ipf_auth_used = 0; 875 softa->ipf_auth_replies = 0; 876 877 return num_flushed; 878 } 879 880 881 /* ------------------------------------------------------------------------ */ 882 /* Function: ipf_auth_waiting */ 883 /* Returns: int - number of packets in the auth queue */ 884 /* Parameters: None */ 885 /* */ 886 /* Simple truth check to see if there are any packets waiting in the auth */ 887 /* queue. */ 888 /* ------------------------------------------------------------------------ */ 889 int 890 ipf_auth_waiting(ipf_main_softc_t *softc) 891 { 892 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 893 894 return (softa->ipf_auth_used != 0); 895 } 896 897 898 /* ------------------------------------------------------------------------ */ 899 /* Function: ipf_auth_geniter */ 900 /* Returns: int - 0 == success, else error */ 901 /* Parameters: token(I) - pointer to ipftoken structure */ 902 /* itp(I) - pointer to ipfgeniter structure */ 903 /* objp(I) - pointer to ipf object destription */ 904 /* */ 905 /* Iterate through the list of entries in the auth queue list. */ 906 /* objp is used here to get the location of where to do the copy out to. */ 907 /* Stomping over various fields with new information will not harm anything */ 908 /* ------------------------------------------------------------------------ */ 909 static int 910 ipf_auth_geniter(ipf_main_softc_t *softc, ipftoken_t *token, ipfgeniter_t *itp, 911 ipfobj_t *objp) 912 { 913 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 914 frauthent_t *fae, *next, zero; 915 int error; 916 917 if (itp->igi_data == NULL) { 918 IPFERROR(10011); 919 return EFAULT; 920 } 921 922 if (itp->igi_type != IPFGENITER_AUTH) { 923 IPFERROR(10012); 924 return EINVAL; 925 } 926 927 objp->ipfo_type = IPFOBJ_FRAUTH; 928 objp->ipfo_ptr = itp->igi_data; 929 objp->ipfo_size = sizeof(frauth_t); 930 931 READ_ENTER(&softa->ipf_authlk); 932 933 fae = token->ipt_data; 934 if (fae == NULL) { 935 next = softa->ipf_auth_entries; 936 } else { 937 next = fae->fae_next; 938 } 939 940 /* 941 * If we found an auth entry to use, bump its reference count 942 * so that it can be used for is_next when we come back. 943 */ 944 if (next != NULL) { 945 ATOMIC_INC(next->fae_ref); 946 token->ipt_data = next; 947 } else { 948 bzero(&zero, sizeof(zero)); 949 next = &zero; 950 token->ipt_data = NULL; 951 } 952 953 RWLOCK_EXIT(&softa->ipf_authlk); 954 955 error = ipf_outobjk(softc, objp, next); 956 if (fae != NULL) 957 ipf_auth_deref_unlocked(softa, &fae); 958 959 if (next->fae_next == NULL) 960 ipf_token_mark_complete(token); 961 return error; 962 } 963 964 965 /* ------------------------------------------------------------------------ */ 966 /* Function: ipf_auth_deref_unlocked */ 967 /* Returns: None */ 968 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 969 /* */ 970 /* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */ 971 /* held. */ 972 /* ------------------------------------------------------------------------ */ 973 static void 974 ipf_auth_deref_unlocked(ipf_auth_softc_t *softa, frauthent_t **faep) 975 { 976 WRITE_ENTER(&softa->ipf_authlk); 977 ipf_auth_deref(faep); 978 RWLOCK_EXIT(&softa->ipf_authlk); 979 } 980 981 982 /* ------------------------------------------------------------------------ */ 983 /* Function: ipf_auth_deref */ 984 /* Returns: None */ 985 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 986 /* Locks: WRITE(ipf_authlk) */ 987 /* */ 988 /* This function unconditionally sets the pointer in the caller to NULL, */ 989 /* to make it clear that it should no longer use that pointer, and drops */ 990 /* the reference count on the structure by 1. If it reaches 0, free it up. */ 991 /* ------------------------------------------------------------------------ */ 992 static void 993 ipf_auth_deref(frauthent_t **faep) 994 { 995 frauthent_t *fae; 996 997 fae = *faep; 998 *faep = NULL; 999 1000 fae->fae_ref--; 1001 if (fae->fae_ref == 0) { 1002 KFREE(fae); 1003 } 1004 } 1005 1006 1007 /* ------------------------------------------------------------------------ */ 1008 /* Function: ipf_auth_wait_pkt */ 1009 /* Returns: int - 0 == success, else error */ 1010 /* Parameters: data(I) - pointer to data from ioctl call */ 1011 /* */ 1012 /* This function is called when an application is waiting for a packet to */ 1013 /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */ 1014 /* a packet waiting on the queue then we will return that _one_ immediately.*/ 1015 /* If there are no packets present in the queue (ipf_auth_pkts) then we go */ 1016 /* to sleep. */ 1017 /* ------------------------------------------------------------------------ */ 1018 static int 1019 ipf_auth_wait(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data) 1020 { 1021 frauth_t auth, *au = &auth; 1022 int error, len, i; 1023 mb_t *m; 1024 char *t; 1025 SPL_INT(s); 1026 1027 ipf_auth_ioctlloop: 1028 error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH); 1029 if (error != 0) 1030 return error; 1031 1032 /* 1033 * XXX Locks are held below over calls to copyout...a better 1034 * solution needs to be found so this isn't necessary. The situation 1035 * we are trying to guard against here is an error in the copyout 1036 * steps should not cause the packet to "disappear" from the queue. 1037 */ 1038 SPL_NET(s); 1039 READ_ENTER(&softa->ipf_authlk); 1040 1041 /* 1042 * If ipf_auth_next is not equal to ipf_auth_end it will be because 1043 * there is a packet waiting to be delt with in the ipf_auth_pkts 1044 * array. We copy as much of that out to user space as requested. 1045 */ 1046 if (softa->ipf_auth_used > 0) { 1047 while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) { 1048 softa->ipf_auth_next++; 1049 if (softa->ipf_auth_next == softa->ipf_auth_size) 1050 softa->ipf_auth_next = 0; 1051 } 1052 1053 error = ipf_outobj(softc, data, 1054 &softa->ipf_auth[softa->ipf_auth_next], 1055 IPFOBJ_FRAUTH); 1056 if (error != 0) { 1057 RWLOCK_EXIT(&softa->ipf_authlk); 1058 SPL_X(s); 1059 return error; 1060 } 1061 1062 if (auth.fra_len != 0 && auth.fra_buf != NULL) { 1063 /* 1064 * Copy packet contents out to user space if 1065 * requested. Bail on an error. 1066 */ 1067 m = softa->ipf_auth_pkts[softa->ipf_auth_next]; 1068 len = MSGDSIZE(m); 1069 if (len > auth.fra_len) 1070 len = auth.fra_len; 1071 auth.fra_len = len; 1072 1073 for (t = auth.fra_buf; m && (len > 0); ) { 1074 i = MIN(M_LEN(m), len); 1075 error = copyoutptr(softc, MTOD(m, char *), 1076 &t, i); 1077 len -= i; 1078 t += i; 1079 if (error != 0) { 1080 RWLOCK_EXIT(&softa->ipf_authlk); 1081 SPL_X(s); 1082 return error; 1083 } 1084 m = m->m_next; 1085 } 1086 } 1087 RWLOCK_EXIT(&softa->ipf_authlk); 1088 1089 SPL_NET(s); 1090 WRITE_ENTER(&softa->ipf_authlk); 1091 softa->ipf_auth_next++; 1092 if (softa->ipf_auth_next == softa->ipf_auth_size) 1093 softa->ipf_auth_next = 0; 1094 RWLOCK_EXIT(&softa->ipf_authlk); 1095 SPL_X(s); 1096 1097 return 0; 1098 } 1099 RWLOCK_EXIT(&softa->ipf_authlk); 1100 SPL_X(s); 1101 1102 MUTEX_ENTER(&softa->ipf_auth_mx); 1103 #ifdef _KERNEL 1104 # if SOLARIS 1105 error = 0; 1106 if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) { 1107 IPFERROR(10014); 1108 error = EINTR; 1109 } 1110 # else /* SOLARIS */ 1111 # ifdef __hpux 1112 { 1113 lock_t *l; 1114 1115 l = get_sleep_lock(&softa->ipf_auth_next); 1116 error = sleep(&softa->ipf_auth_next, PZERO+1); 1117 spinunlock(l); 1118 } 1119 # else 1120 # ifdef __osf__ 1121 error = mpsleep(&softa->ipf_auth_next, PSUSP|PCATCH, "ipf_auth_next", 1122 0, &softa->ipf_auth_mx, MS_LOCK_SIMPLE); 1123 # else 1124 error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next"); 1125 # endif /* __osf__ */ 1126 # endif /* __hpux */ 1127 # endif /* SOLARIS */ 1128 #endif 1129 MUTEX_EXIT(&softa->ipf_auth_mx); 1130 if (error == 0) 1131 goto ipf_auth_ioctlloop; 1132 return error; 1133 } 1134 1135 1136 /* ------------------------------------------------------------------------ */ 1137 /* Function: ipf_auth_reply */ 1138 /* Returns: int - 0 == success, else error */ 1139 /* Parameters: data(I) - pointer to data from ioctl call */ 1140 /* */ 1141 /* This function is called by an application when it wants to return a */ 1142 /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */ 1143 /* received information using an SIOCAUTHW. The decision returned in the */ 1144 /* form of flags, the same as those used in each rule. */ 1145 /* ------------------------------------------------------------------------ */ 1146 static int 1147 ipf_auth_reply(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data) 1148 { 1149 frauth_t auth, *au = &auth, *fra; 1150 fr_info_t fin; 1151 int error, i; 1152 #ifdef _KERNEL 1153 mb_t *m; 1154 #endif 1155 SPL_INT(s); 1156 1157 error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH); 1158 if (error != 0) 1159 return error; 1160 1161 SPL_NET(s); 1162 WRITE_ENTER(&softa->ipf_authlk); 1163 1164 i = au->fra_index; 1165 fra = softa->ipf_auth + i; 1166 error = 0; 1167 1168 /* 1169 * Check the validity of the information being returned with two simple 1170 * checks. First, the auth index value should be within the size of 1171 * the array and second the packet id being returned should also match. 1172 */ 1173 if ((i < 0) || (i >= softa->ipf_auth_size)) { 1174 RWLOCK_EXIT(&softa->ipf_authlk); 1175 SPL_X(s); 1176 IPFERROR(10015); 1177 return ESRCH; 1178 } 1179 if (fra->fra_info.fin_id != au->fra_info.fin_id) { 1180 RWLOCK_EXIT(&softa->ipf_authlk); 1181 SPL_X(s); 1182 IPFERROR(10019); 1183 return ESRCH; 1184 } 1185 1186 fra->fra_index = -2; 1187 fra->fra_pass = au->fra_pass; 1188 #ifdef _KERNEL 1189 m = softa->ipf_auth_pkts[i]; 1190 #endif 1191 softa->ipf_auth_pkts[i] = NULL; 1192 softa->ipf_auth_replies++; 1193 bcopy(&fra->fra_info, &fin, sizeof(fin)); 1194 1195 RWLOCK_EXIT(&softa->ipf_authlk); 1196 1197 /* 1198 * Re-insert the packet back into the packet stream flowing through 1199 * the kernel in a manner that will mean IPFilter sees the packet 1200 * again. This is not the same as is done with fastroute, 1201 * deliberately, as we want to resume the normal packet processing 1202 * path for it. 1203 */ 1204 #ifdef _KERNEL 1205 if ((m != NULL) && (au->fra_info.fin_out != 0)) { 1206 error = ipf_inject(&fin, m); 1207 if (error != 0) { 1208 IPFERROR(10016); 1209 error = ENOBUFS; 1210 softa->ipf_auth_stats.fas_sendfail++; 1211 } else { 1212 softa->ipf_auth_stats.fas_sendok++; 1213 } 1214 } else if (m) { 1215 error = ipf_inject(&fin, m); 1216 if (error != 0) { 1217 IPFERROR(10017); 1218 error = ENOBUFS; 1219 softa->ipf_auth_stats.fas_quefail++; 1220 } else { 1221 softa->ipf_auth_stats.fas_queok++; 1222 } 1223 } else { 1224 IPFERROR(10018); 1225 error = EINVAL; 1226 } 1227 1228 /* 1229 * If we experience an error which will result in the packet 1230 * not being processed, make sure we advance to the next one. 1231 */ 1232 if (error == ENOBUFS) { 1233 WRITE_ENTER(&softa->ipf_authlk); 1234 softa->ipf_auth_used--; 1235 fra->fra_index = -1; 1236 fra->fra_pass = 0; 1237 if (i == softa->ipf_auth_start) { 1238 while (fra->fra_index == -1) { 1239 i++; 1240 if (i == softa->ipf_auth_size) 1241 i = 0; 1242 softa->ipf_auth_start = i; 1243 if (i == softa->ipf_auth_end) 1244 break; 1245 } 1246 if (softa->ipf_auth_start == softa->ipf_auth_end) { 1247 softa->ipf_auth_next = 0; 1248 softa->ipf_auth_start = 0; 1249 softa->ipf_auth_end = 0; 1250 } 1251 } 1252 RWLOCK_EXIT(&softa->ipf_authlk); 1253 } 1254 #endif /* _KERNEL */ 1255 SPL_X(s); 1256 1257 return 0; 1258 } 1259 1260 1261 u_32_t 1262 ipf_auth_pre_scanlist(ipf_main_softc_t *softc, fr_info_t *fin, u_32_t pass) 1263 { 1264 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1265 1266 if (softa->ipf_auth_ip != NULL) 1267 return ipf_scanlist(fin, softc->ipf_pass); 1268 1269 return pass; 1270 } 1271 1272 1273 frentry_t ** 1274 ipf_auth_rulehead(ipf_main_softc_t *softc) 1275 { 1276 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1277 1278 return &softa->ipf_auth_ip; 1279 } 1280