1 /* $NetBSD: ip_auth.c,v 1.2 2012/03/23 20:39:49 christos Exp $ */ 2 3 /* 4 * Copyright (C) 2012 by Darren Reed. 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 */ 8 #if defined(KERNEL) || defined(_KERNEL) 9 # undef KERNEL 10 # undef _KERNEL 11 # define KERNEL 1 12 # define _KERNEL 1 13 #endif 14 #include <sys/errno.h> 15 #include <sys/types.h> 16 #include <sys/param.h> 17 #include <sys/time.h> 18 #include <sys/file.h> 19 #if !defined(_KERNEL) 20 # include <stdio.h> 21 # include <stdlib.h> 22 # ifdef _STDC_C99 23 # include <stdbool.h> 24 # endif 25 # include <string.h> 26 # define _KERNEL 27 # ifdef __OpenBSD__ 28 struct file; 29 # endif 30 # include <sys/uio.h> 31 # undef _KERNEL 32 #endif 33 #if defined(_KERNEL) && (__FreeBSD_version >= 220000) 34 # include <sys/filio.h> 35 # include <sys/fcntl.h> 36 #else 37 # include <sys/ioctl.h> 38 #endif 39 #if !defined(linux) 40 # include <sys/protosw.h> 41 #endif 42 #include <sys/socket.h> 43 #if defined(_KERNEL) 44 # include <sys/systm.h> 45 # if !defined(__SVR4) && !defined(__svr4__) && !defined(linux) 46 # include <sys/mbuf.h> 47 # endif 48 #endif 49 #if defined(__SVR4) || defined(__svr4__) 50 # include <sys/filio.h> 51 # include <sys/byteorder.h> 52 # ifdef _KERNEL 53 # include <sys/dditypes.h> 54 # endif 55 # include <sys/stream.h> 56 # include <sys/kmem.h> 57 #endif 58 #if (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) || \ 59 (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000)) 60 # include <sys/queue.h> 61 #endif 62 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) 63 # include <machine/cpu.h> 64 #endif 65 #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000) 66 # include <sys/proc.h> 67 #endif 68 #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \ 69 !defined(_KERNEL) 70 # include <stdbool.h> 71 #endif 72 #include <net/if.h> 73 #include <net/route.h> 74 #ifdef sun 75 # include <net/af.h> 76 #endif 77 #include <netinet/in.h> 78 #include <netinet/in_systm.h> 79 #include <netinet/ip.h> 80 #if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi) 81 # define KERNEL 82 # define _KERNEL 83 # define NOT_KERNEL 84 #endif 85 #if !defined(linux) 86 # include <netinet/ip_var.h> 87 #endif 88 #ifdef NOT_KERNEL 89 # undef _KERNEL 90 # undef KERNEL 91 #endif 92 #include <netinet/tcp.h> 93 #if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */ 94 extern struct ifqueue ipintrq; /* ip packet input queue */ 95 #else 96 # if !defined(__hpux) && !defined(linux) 97 # if __FreeBSD_version >= 300000 98 # include <net/if_var.h> 99 # if __FreeBSD_version >= 500042 100 # define IF_QFULL _IF_QFULL 101 # define IF_DROP _IF_DROP 102 # endif /* __FreeBSD_version >= 500042 */ 103 # endif 104 # include <netinet/in_var.h> 105 # include <netinet/tcp_fsm.h> 106 # endif 107 #endif 108 #include <netinet/udp.h> 109 #include <netinet/ip_icmp.h> 110 #include "netinet/ip_compat.h" 111 #include <netinet/tcpip.h> 112 #include "netinet/ip_fil.h" 113 #include "netinet/ip_auth.h" 114 #if !defined(MENTAT) && !defined(linux) 115 # include <net/netisr.h> 116 # ifdef __FreeBSD__ 117 # include <machine/cpufunc.h> 118 # endif 119 #endif 120 #if (__FreeBSD_version >= 300000) 121 # include <sys/malloc.h> 122 # if defined(_KERNEL) && !defined(IPFILTER_LKM) 123 # include <sys/libkern.h> 124 # include <sys/systm.h> 125 # endif 126 #endif 127 /* END OF INCLUDES */ 128 129 #if !defined(lint) 130 #if defined(__NetBSD__) 131 #include <sys/cdefs.h> 132 __KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.2 2012/03/23 20:39:49 christos Exp $"); 133 #else 134 static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.117.2.7 2012/01/29 05:30:35 darrenr Exp"; 135 #endif 136 #endif 137 138 139 140 typedef struct ipf_auth_softc_s { 141 #if SOLARIS && defined(_KERNEL) 142 kcondvar_t ipf_auth_wait; 143 #endif /* SOLARIS */ 144 #if defined(linux) && defined(_KERNEL) 145 wait_queue_head_t ipf_auth_next_linux; 146 #endif 147 ipfrwlock_t ipf_authlk; 148 ipfmutex_t ipf_auth_mx; 149 int ipf_auth_size; 150 int ipf_auth_used; 151 int ipf_auth_replies; 152 int ipf_auth_defaultage; 153 int ipf_auth_lock; 154 ipf_authstat_t ipf_auth_stats; 155 frauth_t *ipf_auth; 156 mb_t **ipf_auth_pkts; 157 int ipf_auth_start; 158 int ipf_auth_end; 159 int ipf_auth_next; 160 frauthent_t *ipf_auth_entries; 161 frentry_t *ipf_auth_ip; 162 frentry_t *ipf_auth_rules; 163 } ipf_auth_softc_t; 164 165 166 static void ipf_auth_deref(frauthent_t **); 167 static void ipf_auth_deref_unlocked(ipf_auth_softc_t *, frauthent_t **); 168 static int ipf_auth_geniter(ipf_main_softc_t *, ipftoken_t *, 169 ipfgeniter_t *, ipfobj_t *); 170 static int ipf_auth_reply(ipf_main_softc_t *, ipf_auth_softc_t *, char *); 171 static int ipf_auth_wait(ipf_main_softc_t *, ipf_auth_softc_t *, char *); 172 static int ipf_auth_flush(void *); 173 174 175 /* ------------------------------------------------------------------------ */ 176 /* Function: ipf_auth_main_load */ 177 /* Returns: int - 0 == success, else error */ 178 /* Parameters: None */ 179 /* */ 180 /* A null-op function that exists as a placeholder so that the flow in */ 181 /* other functions is obvious. */ 182 /* ------------------------------------------------------------------------ */ 183 int 184 ipf_auth_main_load(void) 185 { 186 return 0; 187 } 188 189 190 /* ------------------------------------------------------------------------ */ 191 /* Function: ipf_auth_main_unload */ 192 /* Returns: int - 0 == success, else error */ 193 /* Parameters: None */ 194 /* */ 195 /* A null-op function that exists as a placeholder so that the flow in */ 196 /* other functions is obvious. */ 197 /* ------------------------------------------------------------------------ */ 198 int 199 ipf_auth_main_unload(void) 200 { 201 return 0; 202 } 203 204 205 /* ------------------------------------------------------------------------ */ 206 /* Function: ipf_auth_soft_create */ 207 /* Returns: int - NULL = failure, else success */ 208 /* Parameters: softc(I) - pointer to soft context data */ 209 /* */ 210 /* Create a structre to store all of the run-time data for packet auth in */ 211 /* and initialise some fields to their defaults. */ 212 /* ------------------------------------------------------------------------ */ 213 void * 214 ipf_auth_soft_create(ipf_main_softc_t *softc) 215 { 216 ipf_auth_softc_t *softa; 217 218 KMALLOC(softa, ipf_auth_softc_t *); 219 if (softa == NULL) 220 return NULL; 221 222 bzero((char *)softa, sizeof(*softa)); 223 224 softa->ipf_auth_size = FR_NUMAUTH; 225 softa->ipf_auth_defaultage = 600; 226 227 RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock"); 228 MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex"); 229 #if SOLARIS && defined(_KERNEL) 230 cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL); 231 #endif 232 233 return softa; 234 } 235 236 /* ------------------------------------------------------------------------ */ 237 /* Function: ipf_auth_soft_init */ 238 /* Returns: int - 0 == success, else error */ 239 /* Parameters: softc(I) - pointer to soft context data */ 240 /* arg(I) - opaque pointer to auth context data */ 241 /* */ 242 /* Allocate memory and initialise data structures used in handling auth */ 243 /* rules. */ 244 /* ------------------------------------------------------------------------ */ 245 int 246 ipf_auth_soft_init(ipf_main_softc_t *softc, void *arg) 247 { 248 ipf_auth_softc_t *softa = arg; 249 250 KMALLOCS(softa->ipf_auth, frauth_t *, 251 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 252 if (softa->ipf_auth == NULL) 253 return -1; 254 bzero((char *)softa->ipf_auth, 255 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 256 257 KMALLOCS(softa->ipf_auth_pkts, mb_t **, 258 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 259 if (softa->ipf_auth_pkts == NULL) 260 return -2; 261 bzero((char *)softa->ipf_auth_pkts, 262 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 263 264 #if defined(linux) && defined(_KERNEL) 265 init_waitqueue_head(&softa->ipf_auth_next_linux); 266 #endif 267 268 return 0; 269 } 270 271 272 /* ------------------------------------------------------------------------ */ 273 /* Function: ipf_auth_soft_fini */ 274 /* Returns: int - 0 == success, else error */ 275 /* Parameters: softc(I) - pointer to soft context data */ 276 /* arg(I) - opaque pointer to auth context data */ 277 /* */ 278 /* Free all network buffer memory used to keep saved packets that have been */ 279 /* connectedd to the soft soft context structure *but* do not free that: it */ 280 /* is free'd by _destroy(). */ 281 /* ------------------------------------------------------------------------ */ 282 int 283 ipf_auth_soft_fini(ipf_main_softc_t *softc, void *arg) 284 { 285 ipf_auth_softc_t *softa = arg; 286 frauthent_t *fae, **faep; 287 frentry_t *fr, **frp; 288 mb_t *m; 289 int i; 290 291 if (softa->ipf_auth != NULL) { 292 KFREES(softa->ipf_auth, 293 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 294 softa->ipf_auth = NULL; 295 } 296 297 if (softa->ipf_auth_pkts != NULL) { 298 for (i = 0; i < softa->ipf_auth_size; i++) { 299 m = softa->ipf_auth_pkts[i]; 300 if (m != NULL) { 301 FREE_MB_T(m); 302 softa->ipf_auth_pkts[i] = NULL; 303 } 304 } 305 KFREES(softa->ipf_auth_pkts, 306 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 307 softa->ipf_auth_pkts = NULL; 308 } 309 310 faep = &softa->ipf_auth_entries; 311 while ((fae = *faep) != NULL) { 312 *faep = fae->fae_next; 313 KFREE(fae); 314 } 315 softa->ipf_auth_ip = NULL; 316 317 if (softa->ipf_auth_rules != NULL) { 318 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 319 if (fr->fr_ref == 1) { 320 *frp = fr->fr_next; 321 MUTEX_DESTROY(&fr->fr_lock); 322 KFREE(fr); 323 } else 324 frp = &fr->fr_next; 325 } 326 } 327 328 return 0; 329 } 330 331 332 /* ------------------------------------------------------------------------ */ 333 /* Function: ipf_auth_soft_destroy */ 334 /* Returns: void */ 335 /* Parameters: softc(I) - pointer to soft context data */ 336 /* arg(I) - opaque pointer to auth context data */ 337 /* */ 338 /* Undo what was done in _create() - i.e. free the soft context data. */ 339 /* ------------------------------------------------------------------------ */ 340 void 341 ipf_auth_soft_destroy(ipf_main_softc_t *softc, void *arg) 342 { 343 ipf_auth_softc_t *softa = arg; 344 345 # if SOLARIS && defined(_KERNEL) 346 cv_destroy(&softa->ipf_auth_wait); 347 # endif 348 MUTEX_DESTROY(&softa->ipf_auth_mx); 349 RW_DESTROY(&softa->ipf_authlk); 350 351 KFREE(softa); 352 } 353 354 355 /* ------------------------------------------------------------------------ */ 356 /* Function: ipf_auth_setlock */ 357 /* Returns: void */ 358 /* Paramters: arg(I) - pointer to soft context data */ 359 /* tmp(I) - value to assign to auth lock */ 360 /* */ 361 /* ------------------------------------------------------------------------ */ 362 void 363 ipf_auth_setlock(void *arg, int tmp) 364 { 365 ipf_auth_softc_t *softa = arg; 366 367 softa->ipf_auth_lock = tmp; 368 } 369 370 371 /* ------------------------------------------------------------------------ */ 372 /* Function: ipf_auth_check */ 373 /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */ 374 /* Parameters: fin(I) - pointer to ipftoken structure */ 375 /* passp(I) - pointer to ipfgeniter structure */ 376 /* */ 377 /* Check if a packet has authorization. If the packet is found to match an */ 378 /* authorization result and that would result in a feedback loop (i.e. it */ 379 /* will end up returning FR_AUTH) then return FR_BLOCK instead. */ 380 /* ------------------------------------------------------------------------ */ 381 frentry_t * 382 ipf_auth_check(fr_info_t *fin, u_32_t *passp) 383 { 384 ipf_main_softc_t *softc = fin->fin_main_soft; 385 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 386 frentry_t *fr; 387 frauth_t *fra; 388 u_32_t pass; 389 u_short id; 390 ip_t *ip; 391 int i; 392 393 if (softa->ipf_auth_lock || !softa->ipf_auth_used) 394 return NULL; 395 396 ip = fin->fin_ip; 397 id = ip->ip_id; 398 399 READ_ENTER(&softa->ipf_authlk); 400 for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) { 401 /* 402 * index becomes -2 only after an SIOCAUTHW. Check this in 403 * case the same packet gets sent again and it hasn't yet been 404 * auth'd. 405 */ 406 fra = softa->ipf_auth + i; 407 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) && 408 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) { 409 /* 410 * Avoid feedback loop. 411 */ 412 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) { 413 pass = FR_BLOCK; 414 fin->fin_reason = FRB_AUTHFEEDBACK; 415 } 416 /* 417 * Create a dummy rule for the stateful checking to 418 * use and return. Zero out any values we don't 419 * trust from userland! 420 */ 421 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) && 422 (fin->fin_flx & FI_FRAG))) { 423 KMALLOC(fr, frentry_t *); 424 if (fr) { 425 bcopy((char *)fra->fra_info.fin_fr, 426 (char *)fr, sizeof(*fr)); 427 fr->fr_grp = NULL; 428 fr->fr_ifa = fin->fin_ifp; 429 fr->fr_func = NULL; 430 fr->fr_ref = 1; 431 fr->fr_flags = pass; 432 fr->fr_ifas[1] = NULL; 433 fr->fr_ifas[2] = NULL; 434 fr->fr_ifas[3] = NULL; 435 MUTEX_INIT(&fr->fr_lock, 436 "ipf auth rule"); 437 } 438 } else 439 fr = fra->fra_info.fin_fr; 440 fin->fin_fr = fr; 441 fin->fin_flx |= fra->fra_flx; 442 RWLOCK_EXIT(&softa->ipf_authlk); 443 444 WRITE_ENTER(&softa->ipf_authlk); 445 /* 446 * ipf_auth_rules is populated with the rules malloc'd 447 * above and only those. 448 */ 449 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) { 450 fr->fr_next = softa->ipf_auth_rules; 451 softa->ipf_auth_rules = fr; 452 } 453 softa->ipf_auth_stats.fas_hits++; 454 fra->fra_index = -1; 455 softa->ipf_auth_used--; 456 softa->ipf_auth_replies--; 457 if (i == softa->ipf_auth_start) { 458 while (fra->fra_index == -1) { 459 i++; 460 fra++; 461 if (i == softa->ipf_auth_size) { 462 i = 0; 463 fra = softa->ipf_auth; 464 } 465 softa->ipf_auth_start = i; 466 if (i == softa->ipf_auth_end) 467 break; 468 } 469 if (softa->ipf_auth_start == 470 softa->ipf_auth_end) { 471 softa->ipf_auth_next = 0; 472 softa->ipf_auth_start = 0; 473 softa->ipf_auth_end = 0; 474 } 475 } 476 RWLOCK_EXIT(&softa->ipf_authlk); 477 if (passp != NULL) 478 *passp = pass; 479 softa->ipf_auth_stats.fas_hits++; 480 return fr; 481 } 482 i++; 483 if (i == softa->ipf_auth_size) 484 i = 0; 485 } 486 RWLOCK_EXIT(&softa->ipf_authlk); 487 softa->ipf_auth_stats.fas_miss++; 488 return NULL; 489 } 490 491 492 /* ------------------------------------------------------------------------ */ 493 /* Function: ipf_auth_new */ 494 /* Returns: int - 1 == success, 0 = did not put packet on auth queue */ 495 /* Parameters: m(I) - pointer to mb_t with packet in it */ 496 /* fin(I) - pointer to packet information */ 497 /* */ 498 /* Check if we have room in the auth array to hold details for another */ 499 /* packet. If we do, store it and wake up any user programs which are */ 500 /* waiting to hear about these events. */ 501 /* ------------------------------------------------------------------------ */ 502 int 503 ipf_auth_new(mb_t *m, fr_info_t *fin) 504 { 505 ipf_main_softc_t *softc = fin->fin_main_soft; 506 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 507 #if defined(_KERNEL) && defined(MENTAT) 508 qpktinfo_t *qpi = fin->fin_qpi; 509 #endif 510 frauth_t *fra; 511 #if !defined(sparc) && !defined(m68k) 512 ip_t *ip; 513 #endif 514 int i; 515 516 if (softa->ipf_auth_lock) 517 return 0; 518 519 WRITE_ENTER(&softa->ipf_authlk); 520 if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) == 521 softa->ipf_auth_start) { 522 softa->ipf_auth_stats.fas_nospace++; 523 RWLOCK_EXIT(&softa->ipf_authlk); 524 return 0; 525 } 526 527 softa->ipf_auth_stats.fas_added++; 528 softa->ipf_auth_used++; 529 i = softa->ipf_auth_end++; 530 if (softa->ipf_auth_end == softa->ipf_auth_size) 531 softa->ipf_auth_end = 0; 532 533 fra = softa->ipf_auth + i; 534 fra->fra_index = i; 535 if (fin->fin_fr != NULL) 536 fra->fra_pass = fin->fin_fr->fr_flags; 537 else 538 fra->fra_pass = 0; 539 fra->fra_age = softa->ipf_auth_defaultage; 540 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin)); 541 fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED); 542 fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED); 543 #if !defined(sparc) && !defined(m68k) 544 /* 545 * No need to copyback here as we want to undo the changes, not keep 546 * them. 547 */ 548 ip = fin->fin_ip; 549 # if defined(MENTAT) && defined(_KERNEL) 550 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4)) 551 # endif 552 { 553 register u_short bo; 554 555 bo = ip->ip_len; 556 ip->ip_len = htons(bo); 557 bo = ip->ip_off; 558 ip->ip_off = htons(bo); 559 } 560 #endif 561 #if SOLARIS && defined(_KERNEL) 562 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname); 563 m->b_rptr -= qpi->qpi_off; 564 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */ 565 fra->fra_m = *fin->fin_mp; 566 fra->fra_info.fin_mp = &fra->fra_m; 567 softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp; 568 RWLOCK_EXIT(&softa->ipf_authlk); 569 cv_signal(&softa->ipf_auth_wait); 570 pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM); 571 #else 572 softa->ipf_auth_pkts[i] = m; 573 RWLOCK_EXIT(&softa->ipf_authlk); 574 WAKEUP(&softa->ipf_auth_next, 0); 575 #endif 576 return 1; 577 } 578 579 580 /* ------------------------------------------------------------------------ */ 581 /* Function: ipf_auth_ioctl */ 582 /* Returns: int - 0 == success, else error */ 583 /* Parameters: data(IO) - pointer to ioctl data */ 584 /* cmd(I) - ioctl command */ 585 /* mode(I) - mode flags associated with open descriptor */ 586 /* uid(I) - uid associatd with application making the call */ 587 /* ctx(I) - pointer for context */ 588 /* */ 589 /* This function handles all of the ioctls recognised by the auth component */ 590 /* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */ 591 /* ------------------------------------------------------------------------ */ 592 int 593 ipf_auth_ioctl(ipf_main_softc_t *softc, void *data, ioctlcmd_t cmd, int mode, 594 int uid, void *ctx) 595 { 596 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 597 int error = 0, i; 598 SPL_INT(s); 599 600 switch (cmd) 601 { 602 case SIOCGENITER : 603 { 604 ipftoken_t *token; 605 ipfgeniter_t iter; 606 ipfobj_t obj; 607 608 error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER); 609 if (error != 0) 610 break; 611 612 SPL_SCHED(s); 613 token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx); 614 if (token != NULL) 615 error = ipf_auth_geniter(softc, token, &iter, &obj); 616 else { 617 WRITE_ENTER(&softc->ipf_tokens); 618 if (token->ipt_data == NULL) 619 ipf_token_free(softc, token); 620 else 621 ipf_token_deref(softc, token); 622 RWLOCK_EXIT(&softc->ipf_tokens); 623 IPFERROR(10001); 624 error = ESRCH; 625 } 626 SPL_X(s); 627 628 break; 629 } 630 631 case SIOCADAFR : 632 case SIOCRMAFR : 633 if (!(mode & FWRITE)) { 634 IPFERROR(10002); 635 error = EPERM; 636 } else 637 error = frrequest(softc, IPL_LOGAUTH, cmd, data, 638 softc->ipf_active, 1); 639 break; 640 641 case SIOCSTLCK : 642 if (!(mode & FWRITE)) { 643 IPFERROR(10003); 644 error = EPERM; 645 } else { 646 error = ipf_lock(data, &softa->ipf_auth_lock); 647 } 648 break; 649 650 case SIOCATHST: 651 softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries; 652 error = ipf_outobj(softc, data, &softa->ipf_auth_stats, 653 IPFOBJ_AUTHSTAT); 654 break; 655 656 case SIOCIPFFL: 657 SPL_NET(s); 658 WRITE_ENTER(&softa->ipf_authlk); 659 i = ipf_auth_flush(softa); 660 RWLOCK_EXIT(&softa->ipf_authlk); 661 SPL_X(s); 662 error = BCOPYOUT(&i, data, sizeof(i)); 663 if (error != 0) { 664 IPFERROR(10004); 665 error = EFAULT; 666 } 667 break; 668 669 case SIOCAUTHW: 670 error = ipf_auth_wait(softc, softa, data); 671 break; 672 673 case SIOCAUTHR: 674 error = ipf_auth_reply(softc, softa, data); 675 break; 676 677 default : 678 IPFERROR(10005); 679 error = EINVAL; 680 break; 681 } 682 return error; 683 } 684 685 686 /* ------------------------------------------------------------------------ */ 687 /* Function: ipf_auth_expire */ 688 /* Returns: None */ 689 /* Parameters: None */ 690 /* */ 691 /* Slowly expire held auth records. Timeouts are set in expectation of */ 692 /* this being called twice per second. */ 693 /* ------------------------------------------------------------------------ */ 694 void 695 ipf_auth_expire(ipf_main_softc_t *softc) 696 { 697 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 698 frauthent_t *fae, **faep; 699 frentry_t *fr, **frp; 700 frauth_t *fra; 701 mb_t *m; 702 int i; 703 SPL_INT(s); 704 705 if (softa->ipf_auth_lock) 706 return; 707 SPL_NET(s); 708 WRITE_ENTER(&softa->ipf_authlk); 709 for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size; 710 i++, fra++) { 711 fra->fra_age--; 712 if ((fra->fra_age == 0) && 713 (softa->ipf_auth[i].fra_index != -1)) { 714 if ((m = softa->ipf_auth_pkts[i]) != NULL) { 715 FREE_MB_T(m); 716 softa->ipf_auth_pkts[i] = NULL; 717 } else if (softa->ipf_auth[i].fra_index == -2) { 718 softa->ipf_auth_replies--; 719 } 720 softa->ipf_auth[i].fra_index = -1; 721 softa->ipf_auth_stats.fas_expire++; 722 softa->ipf_auth_used--; 723 } 724 } 725 726 /* 727 * Expire pre-auth rules 728 */ 729 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 730 fae->fae_age--; 731 if (fae->fae_age == 0) { 732 ipf_auth_deref(&fae); 733 softa->ipf_auth_stats.fas_expire++; 734 } else 735 faep = &fae->fae_next; 736 } 737 if (softa->ipf_auth_entries != NULL) 738 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 739 else 740 softa->ipf_auth_ip = NULL; 741 742 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 743 if (fr->fr_ref == 1) { 744 *frp = fr->fr_next; 745 MUTEX_DESTROY(&fr->fr_lock); 746 KFREE(fr); 747 } else 748 frp = &fr->fr_next; 749 } 750 RWLOCK_EXIT(&softa->ipf_authlk); 751 SPL_X(s); 752 } 753 754 755 /* ------------------------------------------------------------------------ */ 756 /* Function: ipf_auth_precmd */ 757 /* Returns: int - 0 == success, else error */ 758 /* Parameters: cmd(I) - ioctl command for rule */ 759 /* fr(I) - pointer to ipf rule */ 760 /* fptr(I) - pointer to caller's 'fr' */ 761 /* */ 762 /* ------------------------------------------------------------------------ */ 763 int 764 ipf_auth_precmd(ipf_main_softc_t *softc, ioctlcmd_t cmd, frentry_t *fr, 765 frentry_t **frptr) 766 { 767 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 768 frauthent_t *fae, **faep; 769 int error = 0; 770 SPL_INT(s); 771 772 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) { 773 IPFERROR(10006); 774 return EIO; 775 } 776 777 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 778 if (&fae->fae_fr == fr) 779 break; 780 else 781 faep = &fae->fae_next; 782 } 783 784 if (cmd == (ioctlcmd_t)SIOCRMAFR) { 785 if (fr == NULL || frptr == NULL) { 786 IPFERROR(10007); 787 error = EINVAL; 788 789 } else if (fae == NULL) { 790 IPFERROR(10008); 791 error = ESRCH; 792 793 } else { 794 SPL_NET(s); 795 WRITE_ENTER(&softa->ipf_authlk); 796 *faep = fae->fae_next; 797 if (softa->ipf_auth_ip == &fae->fae_fr) 798 softa->ipf_auth_ip = softa->ipf_auth_entries ? 799 &softa->ipf_auth_entries->fae_fr : NULL; 800 RWLOCK_EXIT(&softa->ipf_authlk); 801 SPL_X(s); 802 803 KFREE(fae); 804 } 805 } else if (fr != NULL && frptr != NULL) { 806 KMALLOC(fae, frauthent_t *); 807 if (fae != NULL) { 808 bcopy((char *)fr, (char *)&fae->fae_fr, 809 sizeof(*fr)); 810 SPL_NET(s); 811 WRITE_ENTER(&softa->ipf_authlk); 812 fae->fae_age = softa->ipf_auth_defaultage; 813 fae->fae_fr.fr_hits = 0; 814 fae->fae_fr.fr_next = *frptr; 815 fae->fae_ref = 1; 816 *frptr = &fae->fae_fr; 817 fae->fae_next = *faep; 818 *faep = fae; 819 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 820 RWLOCK_EXIT(&softa->ipf_authlk); 821 SPL_X(s); 822 } else { 823 IPFERROR(10009); 824 error = ENOMEM; 825 } 826 } else { 827 IPFERROR(10010); 828 error = EINVAL; 829 } 830 return error; 831 } 832 833 834 /* ------------------------------------------------------------------------ */ 835 /* Function: ipf_auth_flush */ 836 /* Returns: int - number of auth entries flushed */ 837 /* Parameters: None */ 838 /* Locks: WRITE(ipf_authlk) */ 839 /* */ 840 /* This function flushs the ipf_auth_pkts array of any packet data with */ 841 /* references still there. */ 842 /* It is expected that the caller has already acquired the correct locks or */ 843 /* set the priority level correctly for this to block out other code paths */ 844 /* into these data structures. */ 845 /* ------------------------------------------------------------------------ */ 846 static int 847 ipf_auth_flush(void *arg) 848 { 849 ipf_auth_softc_t *softa = arg; 850 int i, num_flushed; 851 mb_t *m; 852 853 if (softa->ipf_auth_lock) 854 return -1; 855 856 num_flushed = 0; 857 858 for (i = 0 ; i < softa->ipf_auth_size; i++) { 859 if (softa->ipf_auth[i].fra_index != -1) { 860 m = softa->ipf_auth_pkts[i]; 861 if (m != NULL) { 862 FREE_MB_T(m); 863 softa->ipf_auth_pkts[i] = NULL; 864 } 865 866 softa->ipf_auth[i].fra_index = -1; 867 /* perhaps add & use a flush counter inst.*/ 868 softa->ipf_auth_stats.fas_expire++; 869 num_flushed++; 870 } 871 } 872 873 softa->ipf_auth_start = 0; 874 softa->ipf_auth_end = 0; 875 softa->ipf_auth_next = 0; 876 softa->ipf_auth_used = 0; 877 softa->ipf_auth_replies = 0; 878 879 return num_flushed; 880 } 881 882 883 /* ------------------------------------------------------------------------ */ 884 /* Function: ipf_auth_waiting */ 885 /* Returns: int - number of packets in the auth queue */ 886 /* Parameters: None */ 887 /* */ 888 /* Simple truth check to see if there are any packets waiting in the auth */ 889 /* queue. */ 890 /* ------------------------------------------------------------------------ */ 891 int 892 ipf_auth_waiting(ipf_main_softc_t *softc) 893 { 894 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 895 896 return (softa->ipf_auth_used != 0); 897 } 898 899 900 /* ------------------------------------------------------------------------ */ 901 /* Function: ipf_auth_geniter */ 902 /* Returns: int - 0 == success, else error */ 903 /* Parameters: token(I) - pointer to ipftoken structure */ 904 /* itp(I) - pointer to ipfgeniter structure */ 905 /* objp(I) - pointer to ipf object destription */ 906 /* */ 907 /* Iterate through the list of entries in the auth queue list. */ 908 /* objp is used here to get the location of where to do the copy out to. */ 909 /* Stomping over various fields with new information will not harm anything */ 910 /* ------------------------------------------------------------------------ */ 911 static int 912 ipf_auth_geniter(ipf_main_softc_t *softc, ipftoken_t *token, ipfgeniter_t *itp, 913 ipfobj_t *objp) 914 { 915 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 916 frauthent_t *fae, *next, zero; 917 int error; 918 919 if (itp->igi_data == NULL) { 920 IPFERROR(10011); 921 return EFAULT; 922 } 923 924 if (itp->igi_type != IPFGENITER_AUTH) { 925 IPFERROR(10012); 926 return EINVAL; 927 } 928 929 objp->ipfo_type = IPFOBJ_FRAUTH; 930 objp->ipfo_ptr = itp->igi_data; 931 objp->ipfo_size = sizeof(frauth_t); 932 933 READ_ENTER(&softa->ipf_authlk); 934 935 fae = token->ipt_data; 936 if (fae == NULL) { 937 next = softa->ipf_auth_entries; 938 } else { 939 next = fae->fae_next; 940 } 941 942 /* 943 * If we found an auth entry to use, bump its reference count 944 * so that it can be used for is_next when we come back. 945 */ 946 if (next != NULL) { 947 ATOMIC_INC(next->fae_ref); 948 token->ipt_data = next; 949 } else { 950 bzero(&zero, sizeof(zero)); 951 next = &zero; 952 token->ipt_data = NULL; 953 } 954 955 RWLOCK_EXIT(&softa->ipf_authlk); 956 957 error = ipf_outobjk(softc, objp, next); 958 if (fae != NULL) 959 ipf_auth_deref_unlocked(softa, &fae); 960 961 if (next->fae_next == NULL) 962 ipf_token_mark_complete(token); 963 return error; 964 } 965 966 967 /* ------------------------------------------------------------------------ */ 968 /* Function: ipf_auth_deref_unlocked */ 969 /* Returns: None */ 970 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 971 /* */ 972 /* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */ 973 /* held. */ 974 /* ------------------------------------------------------------------------ */ 975 static void 976 ipf_auth_deref_unlocked(ipf_auth_softc_t *softa, frauthent_t **faep) 977 { 978 WRITE_ENTER(&softa->ipf_authlk); 979 ipf_auth_deref(faep); 980 RWLOCK_EXIT(&softa->ipf_authlk); 981 } 982 983 984 /* ------------------------------------------------------------------------ */ 985 /* Function: ipf_auth_deref */ 986 /* Returns: None */ 987 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 988 /* Locks: WRITE(ipf_authlk) */ 989 /* */ 990 /* This function unconditionally sets the pointer in the caller to NULL, */ 991 /* to make it clear that it should no longer use that pointer, and drops */ 992 /* the reference count on the structure by 1. If it reaches 0, free it up. */ 993 /* ------------------------------------------------------------------------ */ 994 static void 995 ipf_auth_deref(frauthent_t **faep) 996 { 997 frauthent_t *fae; 998 999 fae = *faep; 1000 *faep = NULL; 1001 1002 fae->fae_ref--; 1003 if (fae->fae_ref == 0) { 1004 KFREE(fae); 1005 } 1006 } 1007 1008 1009 /* ------------------------------------------------------------------------ */ 1010 /* Function: ipf_auth_wait_pkt */ 1011 /* Returns: int - 0 == success, else error */ 1012 /* Parameters: data(I) - pointer to data from ioctl call */ 1013 /* */ 1014 /* This function is called when an application is waiting for a packet to */ 1015 /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */ 1016 /* a packet waiting on the queue then we will return that _one_ immediately.*/ 1017 /* If there are no packets present in the queue (ipf_auth_pkts) then we go */ 1018 /* to sleep. */ 1019 /* ------------------------------------------------------------------------ */ 1020 static int 1021 ipf_auth_wait(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data) 1022 { 1023 frauth_t auth, *au = &auth; 1024 int error, len, i; 1025 mb_t *m; 1026 char *t; 1027 SPL_INT(s); 1028 1029 ipf_auth_ioctlloop: 1030 error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH); 1031 if (error != 0) 1032 return error; 1033 1034 /* 1035 * XXX Locks are held below over calls to copyout...a better 1036 * solution needs to be found so this isn't necessary. The situation 1037 * we are trying to guard against here is an error in the copyout 1038 * steps should not cause the packet to "disappear" from the queue. 1039 */ 1040 SPL_NET(s); 1041 READ_ENTER(&softa->ipf_authlk); 1042 1043 /* 1044 * If ipf_auth_next is not equal to ipf_auth_end it will be because 1045 * there is a packet waiting to be delt with in the ipf_auth_pkts 1046 * array. We copy as much of that out to user space as requested. 1047 */ 1048 if (softa->ipf_auth_used > 0) { 1049 while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) { 1050 softa->ipf_auth_next++; 1051 if (softa->ipf_auth_next == softa->ipf_auth_size) 1052 softa->ipf_auth_next = 0; 1053 } 1054 1055 error = ipf_outobj(softc, data, 1056 &softa->ipf_auth[softa->ipf_auth_next], 1057 IPFOBJ_FRAUTH); 1058 if (error != 0) { 1059 RWLOCK_EXIT(&softa->ipf_authlk); 1060 SPL_X(s); 1061 return error; 1062 } 1063 1064 if (auth.fra_len != 0 && auth.fra_buf != NULL) { 1065 /* 1066 * Copy packet contents out to user space if 1067 * requested. Bail on an error. 1068 */ 1069 m = softa->ipf_auth_pkts[softa->ipf_auth_next]; 1070 len = MSGDSIZE(m); 1071 if (len > auth.fra_len) 1072 len = auth.fra_len; 1073 auth.fra_len = len; 1074 1075 for (t = auth.fra_buf; m && (len > 0); ) { 1076 i = MIN(M_LEN(m), len); 1077 error = copyoutptr(softc, MTOD(m, char *), 1078 &t, i); 1079 len -= i; 1080 t += i; 1081 if (error != 0) { 1082 RWLOCK_EXIT(&softa->ipf_authlk); 1083 SPL_X(s); 1084 return error; 1085 } 1086 m = m->m_next; 1087 } 1088 } 1089 RWLOCK_EXIT(&softa->ipf_authlk); 1090 1091 SPL_NET(s); 1092 WRITE_ENTER(&softa->ipf_authlk); 1093 softa->ipf_auth_next++; 1094 if (softa->ipf_auth_next == softa->ipf_auth_size) 1095 softa->ipf_auth_next = 0; 1096 RWLOCK_EXIT(&softa->ipf_authlk); 1097 SPL_X(s); 1098 1099 return 0; 1100 } 1101 RWLOCK_EXIT(&softa->ipf_authlk); 1102 SPL_X(s); 1103 1104 MUTEX_ENTER(&softa->ipf_auth_mx); 1105 #ifdef _KERNEL 1106 # if SOLARIS 1107 error = 0; 1108 if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) { 1109 IPFERROR(10014); 1110 error = EINTR; 1111 } 1112 # else /* SOLARIS */ 1113 # ifdef __hpux 1114 { 1115 lock_t *l; 1116 1117 l = get_sleep_lock(&softa->ipf_auth_next); 1118 error = sleep(&softa->ipf_auth_next, PZERO+1); 1119 spinunlock(l); 1120 } 1121 # else 1122 # ifdef __osf__ 1123 error = mpsleep(&softa->ipf_auth_next, PSUSP|PCATCH, "ipf_auth_next", 1124 0, &softa->ipf_auth_mx, MS_LOCK_SIMPLE); 1125 # else 1126 error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next"); 1127 # endif /* __osf__ */ 1128 # endif /* __hpux */ 1129 # endif /* SOLARIS */ 1130 #endif 1131 MUTEX_EXIT(&softa->ipf_auth_mx); 1132 if (error == 0) 1133 goto ipf_auth_ioctlloop; 1134 return error; 1135 } 1136 1137 1138 /* ------------------------------------------------------------------------ */ 1139 /* Function: ipf_auth_reply */ 1140 /* Returns: int - 0 == success, else error */ 1141 /* Parameters: data(I) - pointer to data from ioctl call */ 1142 /* */ 1143 /* This function is called by an application when it wants to return a */ 1144 /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */ 1145 /* received information using an SIOCAUTHW. The decision returned in the */ 1146 /* form of flags, the same as those used in each rule. */ 1147 /* ------------------------------------------------------------------------ */ 1148 static int 1149 ipf_auth_reply(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data) 1150 { 1151 frauth_t auth, *au = &auth, *fra; 1152 fr_info_t fin; 1153 int error, i; 1154 mb_t *m; 1155 SPL_INT(s); 1156 1157 error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH); 1158 if (error != 0) 1159 return error; 1160 1161 SPL_NET(s); 1162 WRITE_ENTER(&softa->ipf_authlk); 1163 1164 i = au->fra_index; 1165 fra = softa->ipf_auth + i; 1166 error = 0; 1167 1168 /* 1169 * Check the validity of the information being returned with two simple 1170 * checks. First, the auth index value should be within the size of 1171 * the array and second the packet id being returned should also match. 1172 */ 1173 if ((i < 0) || (i >= softa->ipf_auth_size)) { 1174 RWLOCK_EXIT(&softa->ipf_authlk); 1175 SPL_X(s); 1176 IPFERROR(10015); 1177 return ESRCH; 1178 } 1179 if (fra->fra_info.fin_id != au->fra_info.fin_id) { 1180 RWLOCK_EXIT(&softa->ipf_authlk); 1181 SPL_X(s); 1182 IPFERROR(10019); 1183 return ESRCH; 1184 } 1185 1186 m = softa->ipf_auth_pkts[i]; 1187 fra->fra_index = -2; 1188 fra->fra_pass = au->fra_pass; 1189 softa->ipf_auth_pkts[i] = NULL; 1190 softa->ipf_auth_replies++; 1191 bcopy(&fra->fra_info, &fin, sizeof(fin)); 1192 1193 RWLOCK_EXIT(&softa->ipf_authlk); 1194 1195 /* 1196 * Re-insert the packet back into the packet stream flowing through 1197 * the kernel in a manner that will mean IPFilter sees the packet 1198 * again. This is not the same as is done with fastroute, 1199 * deliberately, as we want to resume the normal packet processing 1200 * path for it. 1201 */ 1202 #ifdef _KERNEL 1203 if ((m != NULL) && (au->fra_info.fin_out != 0)) { 1204 error = ipf_inject(&fin, m); 1205 if (error != 0) { 1206 IPFERROR(10016); 1207 error = ENOBUFS; 1208 softa->ipf_auth_stats.fas_sendfail++; 1209 } else { 1210 softa->ipf_auth_stats.fas_sendok++; 1211 } 1212 } else if (m) { 1213 error = ipf_inject(&fin, m); 1214 if (error != 0) { 1215 IPFERROR(10017); 1216 error = ENOBUFS; 1217 softa->ipf_auth_stats.fas_quefail++; 1218 } else { 1219 softa->ipf_auth_stats.fas_queok++; 1220 } 1221 } else { 1222 IPFERROR(10018); 1223 error = EINVAL; 1224 } 1225 1226 /* 1227 * If we experience an error which will result in the packet 1228 * not being processed, make sure we advance to the next one. 1229 */ 1230 if (error == ENOBUFS) { 1231 WRITE_ENTER(&softa->ipf_authlk); 1232 softa->ipf_auth_used--; 1233 fra->fra_index = -1; 1234 fra->fra_pass = 0; 1235 if (i == softa->ipf_auth_start) { 1236 while (fra->fra_index == -1) { 1237 i++; 1238 if (i == softa->ipf_auth_size) 1239 i = 0; 1240 softa->ipf_auth_start = i; 1241 if (i == softa->ipf_auth_end) 1242 break; 1243 } 1244 if (softa->ipf_auth_start == softa->ipf_auth_end) { 1245 softa->ipf_auth_next = 0; 1246 softa->ipf_auth_start = 0; 1247 softa->ipf_auth_end = 0; 1248 } 1249 } 1250 RWLOCK_EXIT(&softa->ipf_authlk); 1251 } 1252 #endif /* _KERNEL */ 1253 SPL_X(s); 1254 1255 return 0; 1256 } 1257 1258 1259 u_32_t 1260 ipf_auth_pre_scanlist(ipf_main_softc_t *softc, fr_info_t *fin, u_32_t pass) 1261 { 1262 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1263 1264 if (softa->ipf_auth_ip != NULL) 1265 return ipf_scanlist(fin, softc->ipf_pass); 1266 1267 return pass; 1268 } 1269 1270 1271 frentry_t ** 1272 ipf_auth_rulehead(ipf_main_softc_t *softc) 1273 { 1274 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1275 1276 return &softa->ipf_auth_ip; 1277 } 1278