ip_auth.c revision 1.1.1.2
1 1.1 christos /* $NetBSD: ip_auth.c,v 1.1.1.2 2012/07/22 13:45:08 darrenr Exp $ */ 2 1.1 christos 3 1.1 christos /* 4 1.1 christos * Copyright (C) 2012 by Darren Reed. 5 1.1 christos * 6 1.1 christos * See the IPFILTER.LICENCE file for details on licencing. 7 1.1 christos */ 8 1.1 christos #if defined(KERNEL) || defined(_KERNEL) 9 1.1 christos # undef KERNEL 10 1.1 christos # undef _KERNEL 11 1.1 christos # define KERNEL 1 12 1.1 christos # define _KERNEL 1 13 1.1 christos #endif 14 1.1 christos #include <sys/errno.h> 15 1.1 christos #include <sys/types.h> 16 1.1 christos #include <sys/param.h> 17 1.1 christos #include <sys/time.h> 18 1.1 christos #include <sys/file.h> 19 1.1 christos #if !defined(_KERNEL) 20 1.1 christos # include <stdio.h> 21 1.1 christos # include <stdlib.h> 22 1.1 christos # ifdef _STDC_C99 23 1.1 christos # include <stdbool.h> 24 1.1 christos # endif 25 1.1 christos # include <string.h> 26 1.1 christos # define _KERNEL 27 1.1 christos # ifdef __OpenBSD__ 28 1.1 christos struct file; 29 1.1 christos # endif 30 1.1 christos # include <sys/uio.h> 31 1.1 christos # undef _KERNEL 32 1.1 christos #endif 33 1.1 christos #if defined(_KERNEL) && (__FreeBSD_version >= 220000) 34 1.1 christos # include <sys/filio.h> 35 1.1 christos # include <sys/fcntl.h> 36 1.1 christos #else 37 1.1 christos # include <sys/ioctl.h> 38 1.1 christos #endif 39 1.1 christos #if !defined(linux) 40 1.1 christos # include <sys/protosw.h> 41 1.1 christos #endif 42 1.1 christos #include <sys/socket.h> 43 1.1 christos #if defined(_KERNEL) 44 1.1 christos # include <sys/systm.h> 45 1.1 christos # if !defined(__SVR4) && !defined(__svr4__) && !defined(linux) 46 1.1 christos # include <sys/mbuf.h> 47 1.1 christos # endif 48 1.1 christos #endif 49 1.1 christos #if defined(__SVR4) || defined(__svr4__) 50 1.1 christos # include <sys/filio.h> 51 1.1 christos # include <sys/byteorder.h> 52 1.1 christos # ifdef _KERNEL 53 1.1 christos # include <sys/dditypes.h> 54 1.1 christos # endif 55 1.1 christos # include <sys/stream.h> 56 1.1 christos # include <sys/kmem.h> 57 1.1 christos #endif 58 1.1 christos #if (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) || \ 59 1.1 christos (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000)) 60 1.1 christos # include <sys/queue.h> 61 1.1 christos #endif 62 1.1 christos #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) 63 1.1 christos # include <machine/cpu.h> 64 1.1 christos #endif 65 1.1 christos #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000) 66 1.1 christos # include <sys/proc.h> 67 1.1 christos #endif 68 1.1 christos #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \ 69 1.1 christos !defined(_KERNEL) 70 1.1 christos # include <stdbool.h> 71 1.1 christos #endif 72 1.1 christos #include <net/if.h> 73 1.1 christos #ifdef sun 74 1.1 christos # include <net/af.h> 75 1.1 christos #endif 76 1.1 christos #include <netinet/in.h> 77 1.1 christos #include <netinet/in_systm.h> 78 1.1 christos #include <netinet/ip.h> 79 1.1 christos #if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi) 80 1.1 christos # define KERNEL 81 1.1 christos # define _KERNEL 82 1.1 christos # define NOT_KERNEL 83 1.1 christos #endif 84 1.1 christos #if !defined(linux) 85 1.1 christos # include <netinet/ip_var.h> 86 1.1 christos #endif 87 1.1 christos #ifdef NOT_KERNEL 88 1.1 christos # undef _KERNEL 89 1.1 christos # undef KERNEL 90 1.1 christos #endif 91 1.1 christos #include <netinet/tcp.h> 92 1.1 christos #if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */ 93 1.1 christos extern struct ifqueue ipintrq; /* ip packet input queue */ 94 1.1 christos #else 95 1.1 christos # if !defined(__hpux) && !defined(linux) 96 1.1 christos # if __FreeBSD_version >= 300000 97 1.1 christos # include <net/if_var.h> 98 1.1 christos # if __FreeBSD_version >= 500042 99 1.1 christos # define IF_QFULL _IF_QFULL 100 1.1 christos # define IF_DROP _IF_DROP 101 1.1 christos # endif /* __FreeBSD_version >= 500042 */ 102 1.1 christos # endif 103 1.1 christos # include <netinet/in_var.h> 104 1.1 christos # include <netinet/tcp_fsm.h> 105 1.1 christos # endif 106 1.1 christos #endif 107 1.1 christos #include <netinet/udp.h> 108 1.1 christos #include <netinet/ip_icmp.h> 109 1.1 christos #include "netinet/ip_compat.h" 110 1.1 christos #include <netinet/tcpip.h> 111 1.1 christos #include "netinet/ip_fil.h" 112 1.1 christos #include "netinet/ip_auth.h" 113 1.1 christos #if !defined(MENTAT) && !defined(linux) 114 1.1 christos # include <net/netisr.h> 115 1.1 christos # ifdef __FreeBSD__ 116 1.1 christos # include <machine/cpufunc.h> 117 1.1 christos # endif 118 1.1 christos #endif 119 1.1 christos #if (__FreeBSD_version >= 300000) 120 1.1 christos # include <sys/malloc.h> 121 1.1 christos # if defined(_KERNEL) && !defined(IPFILTER_LKM) 122 1.1 christos # include <sys/libkern.h> 123 1.1 christos # include <sys/systm.h> 124 1.1 christos # endif 125 1.1 christos #endif 126 1.1 christos /* END OF INCLUDES */ 127 1.1 christos 128 1.1 christos #if !defined(lint) 129 1.1.1.2 darrenr static const char rcsid[] = "@(#)$Id: ip_auth.c,v 1.1.1.2 2012/07/22 13:45:08 darrenr Exp $"; 130 1.1 christos #endif 131 1.1 christos 132 1.1 christos 133 1.1 christos 134 1.1 christos typedef struct ipf_auth_softc_s { 135 1.1 christos #if SOLARIS && defined(_KERNEL) 136 1.1 christos kcondvar_t ipf_auth_wait; 137 1.1 christos #endif /* SOLARIS */ 138 1.1 christos #if defined(linux) && defined(_KERNEL) 139 1.1 christos wait_queue_head_t ipf_auth_next_linux; 140 1.1 christos #endif 141 1.1 christos ipfrwlock_t ipf_authlk; 142 1.1 christos ipfmutex_t ipf_auth_mx; 143 1.1 christos int ipf_auth_size; 144 1.1 christos int ipf_auth_used; 145 1.1 christos int ipf_auth_replies; 146 1.1 christos int ipf_auth_defaultage; 147 1.1 christos int ipf_auth_lock; 148 1.1 christos ipf_authstat_t ipf_auth_stats; 149 1.1 christos frauth_t *ipf_auth; 150 1.1 christos mb_t **ipf_auth_pkts; 151 1.1 christos int ipf_auth_start; 152 1.1 christos int ipf_auth_end; 153 1.1 christos int ipf_auth_next; 154 1.1 christos frauthent_t *ipf_auth_entries; 155 1.1 christos frentry_t *ipf_auth_ip; 156 1.1 christos frentry_t *ipf_auth_rules; 157 1.1 christos } ipf_auth_softc_t; 158 1.1 christos 159 1.1 christos 160 1.1 christos static void ipf_auth_deref __P((frauthent_t **)); 161 1.1 christos static void ipf_auth_deref_unlocked __P((ipf_auth_softc_t *, frauthent_t **)); 162 1.1 christos static int ipf_auth_geniter __P((ipf_main_softc_t *, ipftoken_t *, 163 1.1 christos ipfgeniter_t *, ipfobj_t *)); 164 1.1 christos static int ipf_auth_reply __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *)); 165 1.1 christos static int ipf_auth_wait __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *)); 166 1.1 christos static int ipf_auth_flush __P((void *)); 167 1.1 christos 168 1.1 christos 169 1.1 christos /* ------------------------------------------------------------------------ */ 170 1.1 christos /* Function: ipf_auth_main_load */ 171 1.1 christos /* Returns: int - 0 == success, else error */ 172 1.1 christos /* Parameters: None */ 173 1.1 christos /* */ 174 1.1 christos /* A null-op function that exists as a placeholder so that the flow in */ 175 1.1 christos /* other functions is obvious. */ 176 1.1 christos /* ------------------------------------------------------------------------ */ 177 1.1 christos int 178 1.1 christos ipf_auth_main_load() 179 1.1 christos { 180 1.1 christos return 0; 181 1.1 christos } 182 1.1 christos 183 1.1 christos 184 1.1 christos /* ------------------------------------------------------------------------ */ 185 1.1 christos /* Function: ipf_auth_main_unload */ 186 1.1 christos /* Returns: int - 0 == success, else error */ 187 1.1 christos /* Parameters: None */ 188 1.1 christos /* */ 189 1.1 christos /* A null-op function that exists as a placeholder so that the flow in */ 190 1.1 christos /* other functions is obvious. */ 191 1.1 christos /* ------------------------------------------------------------------------ */ 192 1.1 christos int 193 1.1 christos ipf_auth_main_unload() 194 1.1 christos { 195 1.1 christos return 0; 196 1.1 christos } 197 1.1 christos 198 1.1 christos 199 1.1 christos /* ------------------------------------------------------------------------ */ 200 1.1 christos /* Function: ipf_auth_soft_create */ 201 1.1 christos /* Returns: int - NULL = failure, else success */ 202 1.1 christos /* Parameters: softc(I) - pointer to soft context data */ 203 1.1 christos /* */ 204 1.1 christos /* Create a structre to store all of the run-time data for packet auth in */ 205 1.1 christos /* and initialise some fields to their defaults. */ 206 1.1 christos /* ------------------------------------------------------------------------ */ 207 1.1 christos void * 208 1.1 christos ipf_auth_soft_create(softc) 209 1.1 christos ipf_main_softc_t *softc; 210 1.1 christos { 211 1.1 christos ipf_auth_softc_t *softa; 212 1.1 christos 213 1.1 christos KMALLOC(softa, ipf_auth_softc_t *); 214 1.1 christos if (softa == NULL) 215 1.1 christos return NULL; 216 1.1 christos 217 1.1 christos bzero((char *)softa, sizeof(*softa)); 218 1.1 christos 219 1.1 christos softa->ipf_auth_size = FR_NUMAUTH; 220 1.1 christos softa->ipf_auth_defaultage = 600; 221 1.1 christos 222 1.1 christos RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock"); 223 1.1 christos MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex"); 224 1.1 christos #if SOLARIS && defined(_KERNEL) 225 1.1 christos cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL); 226 1.1 christos #endif 227 1.1 christos 228 1.1 christos return softa; 229 1.1 christos } 230 1.1 christos 231 1.1 christos /* ------------------------------------------------------------------------ */ 232 1.1 christos /* Function: ipf_auth_soft_init */ 233 1.1 christos /* Returns: int - 0 == success, else error */ 234 1.1 christos /* Parameters: softc(I) - pointer to soft context data */ 235 1.1 christos /* arg(I) - opaque pointer to auth context data */ 236 1.1 christos /* */ 237 1.1 christos /* Allocate memory and initialise data structures used in handling auth */ 238 1.1 christos /* rules. */ 239 1.1 christos /* ------------------------------------------------------------------------ */ 240 1.1 christos int 241 1.1 christos ipf_auth_soft_init(softc, arg) 242 1.1 christos ipf_main_softc_t *softc; 243 1.1 christos void *arg; 244 1.1 christos { 245 1.1 christos ipf_auth_softc_t *softa = arg; 246 1.1 christos 247 1.1 christos KMALLOCS(softa->ipf_auth, frauth_t *, 248 1.1 christos softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 249 1.1 christos if (softa->ipf_auth == NULL) 250 1.1 christos return -1; 251 1.1 christos bzero((char *)softa->ipf_auth, 252 1.1 christos softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 253 1.1 christos 254 1.1 christos KMALLOCS(softa->ipf_auth_pkts, mb_t **, 255 1.1 christos softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 256 1.1 christos if (softa->ipf_auth_pkts == NULL) 257 1.1 christos return -2; 258 1.1 christos bzero((char *)softa->ipf_auth_pkts, 259 1.1 christos softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 260 1.1 christos 261 1.1 christos #if defined(linux) && defined(_KERNEL) 262 1.1 christos init_waitqueue_head(&softa->ipf_auth_next_linux); 263 1.1 christos #endif 264 1.1 christos 265 1.1 christos return 0; 266 1.1 christos } 267 1.1 christos 268 1.1 christos 269 1.1 christos /* ------------------------------------------------------------------------ */ 270 1.1 christos /* Function: ipf_auth_soft_fini */ 271 1.1 christos /* Returns: int - 0 == success, else error */ 272 1.1 christos /* Parameters: softc(I) - pointer to soft context data */ 273 1.1 christos /* arg(I) - opaque pointer to auth context data */ 274 1.1 christos /* */ 275 1.1 christos /* Free all network buffer memory used to keep saved packets that have been */ 276 1.1 christos /* connectedd to the soft soft context structure *but* do not free that: it */ 277 1.1 christos /* is free'd by _destroy(). */ 278 1.1 christos /* ------------------------------------------------------------------------ */ 279 1.1 christos int 280 1.1 christos ipf_auth_soft_fini(softc, arg) 281 1.1 christos ipf_main_softc_t *softc; 282 1.1 christos void *arg; 283 1.1 christos { 284 1.1 christos ipf_auth_softc_t *softa = arg; 285 1.1 christos frauthent_t *fae, **faep; 286 1.1 christos frentry_t *fr, **frp; 287 1.1 christos mb_t *m; 288 1.1 christos int i; 289 1.1 christos 290 1.1 christos if (softa->ipf_auth != NULL) { 291 1.1 christos KFREES(softa->ipf_auth, 292 1.1 christos softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 293 1.1 christos softa->ipf_auth = NULL; 294 1.1 christos } 295 1.1 christos 296 1.1 christos if (softa->ipf_auth_pkts != NULL) { 297 1.1 christos for (i = 0; i < softa->ipf_auth_size; i++) { 298 1.1 christos m = softa->ipf_auth_pkts[i]; 299 1.1 christos if (m != NULL) { 300 1.1 christos FREE_MB_T(m); 301 1.1 christos softa->ipf_auth_pkts[i] = NULL; 302 1.1 christos } 303 1.1 christos } 304 1.1 christos KFREES(softa->ipf_auth_pkts, 305 1.1 christos softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 306 1.1 christos softa->ipf_auth_pkts = NULL; 307 1.1 christos } 308 1.1 christos 309 1.1 christos faep = &softa->ipf_auth_entries; 310 1.1 christos while ((fae = *faep) != NULL) { 311 1.1 christos *faep = fae->fae_next; 312 1.1 christos KFREE(fae); 313 1.1 christos } 314 1.1 christos softa->ipf_auth_ip = NULL; 315 1.1 christos 316 1.1 christos if (softa->ipf_auth_rules != NULL) { 317 1.1 christos for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 318 1.1 christos if (fr->fr_ref == 1) { 319 1.1 christos *frp = fr->fr_next; 320 1.1 christos MUTEX_DESTROY(&fr->fr_lock); 321 1.1 christos KFREE(fr); 322 1.1 christos } else 323 1.1 christos frp = &fr->fr_next; 324 1.1 christos } 325 1.1 christos } 326 1.1 christos 327 1.1 christos return 0; 328 1.1 christos } 329 1.1 christos 330 1.1 christos 331 1.1 christos /* ------------------------------------------------------------------------ */ 332 1.1 christos /* Function: ipf_auth_soft_destroy */ 333 1.1 christos /* Returns: void */ 334 1.1 christos /* Parameters: softc(I) - pointer to soft context data */ 335 1.1 christos /* arg(I) - opaque pointer to auth context data */ 336 1.1 christos /* */ 337 1.1 christos /* Undo what was done in _create() - i.e. free the soft context data. */ 338 1.1 christos /* ------------------------------------------------------------------------ */ 339 1.1 christos void 340 1.1 christos ipf_auth_soft_destroy(softc, arg) 341 1.1 christos ipf_main_softc_t *softc; 342 1.1 christos void *arg; 343 1.1 christos { 344 1.1 christos ipf_auth_softc_t *softa = arg; 345 1.1 christos 346 1.1 christos # if SOLARIS && defined(_KERNEL) 347 1.1 christos cv_destroy(&softa->ipf_auth_wait); 348 1.1 christos # endif 349 1.1 christos MUTEX_DESTROY(&softa->ipf_auth_mx); 350 1.1 christos RW_DESTROY(&softa->ipf_authlk); 351 1.1 christos 352 1.1 christos KFREE(softa); 353 1.1 christos } 354 1.1 christos 355 1.1 christos 356 1.1 christos /* ------------------------------------------------------------------------ */ 357 1.1 christos /* Function: ipf_auth_setlock */ 358 1.1 christos /* Returns: void */ 359 1.1 christos /* Paramters: arg(I) - pointer to soft context data */ 360 1.1 christos /* tmp(I) - value to assign to auth lock */ 361 1.1 christos /* */ 362 1.1 christos /* ------------------------------------------------------------------------ */ 363 1.1 christos void 364 1.1 christos ipf_auth_setlock(arg, tmp) 365 1.1 christos void *arg; 366 1.1 christos int tmp; 367 1.1 christos { 368 1.1 christos ipf_auth_softc_t *softa = arg; 369 1.1 christos 370 1.1 christos softa->ipf_auth_lock = tmp; 371 1.1 christos } 372 1.1 christos 373 1.1 christos 374 1.1 christos /* ------------------------------------------------------------------------ */ 375 1.1 christos /* Function: ipf_auth_check */ 376 1.1 christos /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */ 377 1.1 christos /* Parameters: fin(I) - pointer to ipftoken structure */ 378 1.1 christos /* passp(I) - pointer to ipfgeniter structure */ 379 1.1 christos /* */ 380 1.1 christos /* Check if a packet has authorization. If the packet is found to match an */ 381 1.1 christos /* authorization result and that would result in a feedback loop (i.e. it */ 382 1.1 christos /* will end up returning FR_AUTH) then return FR_BLOCK instead. */ 383 1.1 christos /* ------------------------------------------------------------------------ */ 384 1.1 christos frentry_t * 385 1.1 christos ipf_auth_check(fin, passp) 386 1.1 christos fr_info_t *fin; 387 1.1 christos u_32_t *passp; 388 1.1 christos { 389 1.1 christos ipf_main_softc_t *softc = fin->fin_main_soft; 390 1.1 christos ipf_auth_softc_t *softa = softc->ipf_auth_soft; 391 1.1 christos frentry_t *fr; 392 1.1 christos frauth_t *fra; 393 1.1 christos u_32_t pass; 394 1.1 christos u_short id; 395 1.1 christos ip_t *ip; 396 1.1 christos int i; 397 1.1 christos 398 1.1 christos if (softa->ipf_auth_lock || !softa->ipf_auth_used) 399 1.1 christos return NULL; 400 1.1 christos 401 1.1 christos ip = fin->fin_ip; 402 1.1 christos id = ip->ip_id; 403 1.1 christos 404 1.1 christos READ_ENTER(&softa->ipf_authlk); 405 1.1 christos for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) { 406 1.1 christos /* 407 1.1 christos * index becomes -2 only after an SIOCAUTHW. Check this in 408 1.1 christos * case the same packet gets sent again and it hasn't yet been 409 1.1 christos * auth'd. 410 1.1 christos */ 411 1.1 christos fra = softa->ipf_auth + i; 412 1.1 christos if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) && 413 1.1 christos !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) { 414 1.1 christos /* 415 1.1 christos * Avoid feedback loop. 416 1.1 christos */ 417 1.1 christos if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) { 418 1.1 christos pass = FR_BLOCK; 419 1.1 christos fin->fin_reason = FRB_AUTHFEEDBACK; 420 1.1 christos } 421 1.1 christos /* 422 1.1 christos * Create a dummy rule for the stateful checking to 423 1.1 christos * use and return. Zero out any values we don't 424 1.1 christos * trust from userland! 425 1.1 christos */ 426 1.1 christos if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) && 427 1.1 christos (fin->fin_flx & FI_FRAG))) { 428 1.1 christos KMALLOC(fr, frentry_t *); 429 1.1 christos if (fr) { 430 1.1 christos bcopy((char *)fra->fra_info.fin_fr, 431 1.1 christos (char *)fr, sizeof(*fr)); 432 1.1 christos fr->fr_grp = NULL; 433 1.1 christos fr->fr_ifa = fin->fin_ifp; 434 1.1 christos fr->fr_func = NULL; 435 1.1 christos fr->fr_ref = 1; 436 1.1 christos fr->fr_flags = pass; 437 1.1 christos fr->fr_ifas[1] = NULL; 438 1.1 christos fr->fr_ifas[2] = NULL; 439 1.1 christos fr->fr_ifas[3] = NULL; 440 1.1 christos MUTEX_INIT(&fr->fr_lock, 441 1.1 christos "ipf auth rule"); 442 1.1 christos } 443 1.1 christos } else 444 1.1 christos fr = fra->fra_info.fin_fr; 445 1.1 christos fin->fin_fr = fr; 446 1.1 christos fin->fin_flx |= fra->fra_flx; 447 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 448 1.1 christos 449 1.1 christos WRITE_ENTER(&softa->ipf_authlk); 450 1.1 christos /* 451 1.1 christos * ipf_auth_rules is populated with the rules malloc'd 452 1.1 christos * above and only those. 453 1.1 christos */ 454 1.1 christos if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) { 455 1.1 christos fr->fr_next = softa->ipf_auth_rules; 456 1.1 christos softa->ipf_auth_rules = fr; 457 1.1 christos } 458 1.1 christos softa->ipf_auth_stats.fas_hits++; 459 1.1 christos fra->fra_index = -1; 460 1.1 christos softa->ipf_auth_used--; 461 1.1 christos softa->ipf_auth_replies--; 462 1.1 christos if (i == softa->ipf_auth_start) { 463 1.1 christos while (fra->fra_index == -1) { 464 1.1 christos i++; 465 1.1 christos fra++; 466 1.1 christos if (i == softa->ipf_auth_size) { 467 1.1 christos i = 0; 468 1.1 christos fra = softa->ipf_auth; 469 1.1 christos } 470 1.1 christos softa->ipf_auth_start = i; 471 1.1 christos if (i == softa->ipf_auth_end) 472 1.1 christos break; 473 1.1 christos } 474 1.1 christos if (softa->ipf_auth_start == 475 1.1 christos softa->ipf_auth_end) { 476 1.1 christos softa->ipf_auth_next = 0; 477 1.1 christos softa->ipf_auth_start = 0; 478 1.1 christos softa->ipf_auth_end = 0; 479 1.1 christos } 480 1.1 christos } 481 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 482 1.1 christos if (passp != NULL) 483 1.1 christos *passp = pass; 484 1.1 christos softa->ipf_auth_stats.fas_hits++; 485 1.1 christos return fr; 486 1.1 christos } 487 1.1 christos i++; 488 1.1 christos if (i == softa->ipf_auth_size) 489 1.1 christos i = 0; 490 1.1 christos } 491 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 492 1.1 christos softa->ipf_auth_stats.fas_miss++; 493 1.1 christos return NULL; 494 1.1 christos } 495 1.1 christos 496 1.1 christos 497 1.1 christos /* ------------------------------------------------------------------------ */ 498 1.1 christos /* Function: ipf_auth_new */ 499 1.1 christos /* Returns: int - 1 == success, 0 = did not put packet on auth queue */ 500 1.1 christos /* Parameters: m(I) - pointer to mb_t with packet in it */ 501 1.1 christos /* fin(I) - pointer to packet information */ 502 1.1 christos /* */ 503 1.1 christos /* Check if we have room in the auth array to hold details for another */ 504 1.1 christos /* packet. If we do, store it and wake up any user programs which are */ 505 1.1 christos /* waiting to hear about these events. */ 506 1.1 christos /* ------------------------------------------------------------------------ */ 507 1.1 christos int 508 1.1 christos ipf_auth_new(m, fin) 509 1.1 christos mb_t *m; 510 1.1 christos fr_info_t *fin; 511 1.1 christos { 512 1.1 christos ipf_main_softc_t *softc = fin->fin_main_soft; 513 1.1 christos ipf_auth_softc_t *softa = softc->ipf_auth_soft; 514 1.1 christos #if defined(_KERNEL) && defined(MENTAT) 515 1.1 christos qpktinfo_t *qpi = fin->fin_qpi; 516 1.1 christos #endif 517 1.1 christos frauth_t *fra; 518 1.1 christos #if !defined(sparc) && !defined(m68k) 519 1.1 christos ip_t *ip; 520 1.1 christos #endif 521 1.1 christos int i; 522 1.1 christos 523 1.1 christos if (softa->ipf_auth_lock) 524 1.1 christos return 0; 525 1.1 christos 526 1.1 christos WRITE_ENTER(&softa->ipf_authlk); 527 1.1 christos if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) == 528 1.1 christos softa->ipf_auth_start) { 529 1.1 christos softa->ipf_auth_stats.fas_nospace++; 530 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 531 1.1 christos return 0; 532 1.1 christos } 533 1.1 christos 534 1.1 christos softa->ipf_auth_stats.fas_added++; 535 1.1 christos softa->ipf_auth_used++; 536 1.1 christos i = softa->ipf_auth_end++; 537 1.1 christos if (softa->ipf_auth_end == softa->ipf_auth_size) 538 1.1 christos softa->ipf_auth_end = 0; 539 1.1 christos 540 1.1 christos fra = softa->ipf_auth + i; 541 1.1 christos fra->fra_index = i; 542 1.1 christos if (fin->fin_fr != NULL) 543 1.1 christos fra->fra_pass = fin->fin_fr->fr_flags; 544 1.1 christos else 545 1.1 christos fra->fra_pass = 0; 546 1.1 christos fra->fra_age = softa->ipf_auth_defaultage; 547 1.1 christos bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin)); 548 1.1 christos fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED); 549 1.1 christos fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED); 550 1.1 christos #if !defined(sparc) && !defined(m68k) 551 1.1 christos /* 552 1.1 christos * No need to copyback here as we want to undo the changes, not keep 553 1.1 christos * them. 554 1.1 christos */ 555 1.1 christos ip = fin->fin_ip; 556 1.1 christos # if defined(MENTAT) && defined(_KERNEL) 557 1.1 christos if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4)) 558 1.1 christos # endif 559 1.1 christos { 560 1.1 christos register u_short bo; 561 1.1 christos 562 1.1 christos bo = ip->ip_len; 563 1.1 christos ip->ip_len = htons(bo); 564 1.1 christos bo = ip->ip_off; 565 1.1 christos ip->ip_off = htons(bo); 566 1.1 christos } 567 1.1 christos #endif 568 1.1 christos #if SOLARIS && defined(_KERNEL) 569 1.1 christos COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname); 570 1.1 christos m->b_rptr -= qpi->qpi_off; 571 1.1 christos fra->fra_q = qpi->qpi_q; /* The queue can disappear! */ 572 1.1 christos fra->fra_m = *fin->fin_mp; 573 1.1 christos fra->fra_info.fin_mp = &fra->fra_m; 574 1.1 christos softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp; 575 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 576 1.1 christos cv_signal(&softa->ipf_auth_wait); 577 1.1 christos pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM); 578 1.1 christos #else 579 1.1 christos softa->ipf_auth_pkts[i] = m; 580 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 581 1.1 christos WAKEUP(&softa->ipf_auth_next, 0); 582 1.1 christos #endif 583 1.1 christos return 1; 584 1.1 christos } 585 1.1 christos 586 1.1 christos 587 1.1 christos /* ------------------------------------------------------------------------ */ 588 1.1 christos /* Function: ipf_auth_ioctl */ 589 1.1 christos /* Returns: int - 0 == success, else error */ 590 1.1 christos /* Parameters: data(IO) - pointer to ioctl data */ 591 1.1 christos /* cmd(I) - ioctl command */ 592 1.1 christos /* mode(I) - mode flags associated with open descriptor */ 593 1.1 christos /* uid(I) - uid associatd with application making the call */ 594 1.1 christos /* ctx(I) - pointer for context */ 595 1.1 christos /* */ 596 1.1 christos /* This function handles all of the ioctls recognised by the auth component */ 597 1.1 christos /* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */ 598 1.1 christos /* ------------------------------------------------------------------------ */ 599 1.1 christos int 600 1.1 christos ipf_auth_ioctl(softc, data, cmd, mode, uid, ctx) 601 1.1 christos ipf_main_softc_t *softc; 602 1.1 christos caddr_t data; 603 1.1 christos ioctlcmd_t cmd; 604 1.1 christos int mode, uid; 605 1.1 christos void *ctx; 606 1.1 christos { 607 1.1 christos ipf_auth_softc_t *softa = softc->ipf_auth_soft; 608 1.1 christos int error = 0, i; 609 1.1 christos SPL_INT(s); 610 1.1 christos 611 1.1 christos switch (cmd) 612 1.1 christos { 613 1.1 christos case SIOCGENITER : 614 1.1 christos { 615 1.1 christos ipftoken_t *token; 616 1.1 christos ipfgeniter_t iter; 617 1.1 christos ipfobj_t obj; 618 1.1 christos 619 1.1 christos error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER); 620 1.1 christos if (error != 0) 621 1.1 christos break; 622 1.1 christos 623 1.1 christos SPL_SCHED(s); 624 1.1 christos token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx); 625 1.1 christos if (token != NULL) 626 1.1 christos error = ipf_auth_geniter(softc, token, &iter, &obj); 627 1.1 christos else { 628 1.1 christos WRITE_ENTER(&softc->ipf_tokens); 629 1.1.1.2 darrenr ipf_token_deref(softc, token); 630 1.1 christos RWLOCK_EXIT(&softc->ipf_tokens); 631 1.1 christos IPFERROR(10001); 632 1.1 christos error = ESRCH; 633 1.1 christos } 634 1.1 christos SPL_X(s); 635 1.1 christos 636 1.1 christos break; 637 1.1 christos } 638 1.1 christos 639 1.1 christos case SIOCADAFR : 640 1.1 christos case SIOCRMAFR : 641 1.1 christos if (!(mode & FWRITE)) { 642 1.1 christos IPFERROR(10002); 643 1.1 christos error = EPERM; 644 1.1 christos } else 645 1.1 christos error = frrequest(softc, IPL_LOGAUTH, cmd, data, 646 1.1 christos softc->ipf_active, 1); 647 1.1 christos break; 648 1.1 christos 649 1.1 christos case SIOCSTLCK : 650 1.1 christos if (!(mode & FWRITE)) { 651 1.1 christos IPFERROR(10003); 652 1.1 christos error = EPERM; 653 1.1 christos } else { 654 1.1 christos error = ipf_lock(data, &softa->ipf_auth_lock); 655 1.1 christos } 656 1.1 christos break; 657 1.1 christos 658 1.1 christos case SIOCATHST: 659 1.1 christos softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries; 660 1.1 christos error = ipf_outobj(softc, data, &softa->ipf_auth_stats, 661 1.1 christos IPFOBJ_AUTHSTAT); 662 1.1 christos break; 663 1.1 christos 664 1.1 christos case SIOCIPFFL: 665 1.1 christos SPL_NET(s); 666 1.1 christos WRITE_ENTER(&softa->ipf_authlk); 667 1.1 christos i = ipf_auth_flush(softa); 668 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 669 1.1 christos SPL_X(s); 670 1.1 christos error = BCOPYOUT(&i, data, sizeof(i)); 671 1.1 christos if (error != 0) { 672 1.1 christos IPFERROR(10004); 673 1.1 christos error = EFAULT; 674 1.1 christos } 675 1.1 christos break; 676 1.1 christos 677 1.1 christos case SIOCAUTHW: 678 1.1 christos error = ipf_auth_wait(softc, softa, data); 679 1.1 christos break; 680 1.1 christos 681 1.1 christos case SIOCAUTHR: 682 1.1 christos error = ipf_auth_reply(softc, softa, data); 683 1.1 christos break; 684 1.1 christos 685 1.1 christos default : 686 1.1 christos IPFERROR(10005); 687 1.1 christos error = EINVAL; 688 1.1 christos break; 689 1.1 christos } 690 1.1 christos return error; 691 1.1 christos } 692 1.1 christos 693 1.1 christos 694 1.1 christos /* ------------------------------------------------------------------------ */ 695 1.1 christos /* Function: ipf_auth_expire */ 696 1.1 christos /* Returns: None */ 697 1.1 christos /* Parameters: None */ 698 1.1 christos /* */ 699 1.1 christos /* Slowly expire held auth records. Timeouts are set in expectation of */ 700 1.1 christos /* this being called twice per second. */ 701 1.1 christos /* ------------------------------------------------------------------------ */ 702 1.1 christos void 703 1.1 christos ipf_auth_expire(softc) 704 1.1 christos ipf_main_softc_t *softc; 705 1.1 christos { 706 1.1 christos ipf_auth_softc_t *softa = softc->ipf_auth_soft; 707 1.1 christos frauthent_t *fae, **faep; 708 1.1 christos frentry_t *fr, **frp; 709 1.1 christos frauth_t *fra; 710 1.1 christos mb_t *m; 711 1.1 christos int i; 712 1.1 christos SPL_INT(s); 713 1.1 christos 714 1.1 christos if (softa->ipf_auth_lock) 715 1.1 christos return; 716 1.1 christos SPL_NET(s); 717 1.1 christos WRITE_ENTER(&softa->ipf_authlk); 718 1.1 christos for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size; 719 1.1 christos i++, fra++) { 720 1.1 christos fra->fra_age--; 721 1.1 christos if ((fra->fra_age == 0) && 722 1.1 christos (softa->ipf_auth[i].fra_index != -1)) { 723 1.1 christos if ((m = softa->ipf_auth_pkts[i]) != NULL) { 724 1.1 christos FREE_MB_T(m); 725 1.1 christos softa->ipf_auth_pkts[i] = NULL; 726 1.1 christos } else if (softa->ipf_auth[i].fra_index == -2) { 727 1.1 christos softa->ipf_auth_replies--; 728 1.1 christos } 729 1.1 christos softa->ipf_auth[i].fra_index = -1; 730 1.1 christos softa->ipf_auth_stats.fas_expire++; 731 1.1 christos softa->ipf_auth_used--; 732 1.1 christos } 733 1.1 christos } 734 1.1 christos 735 1.1 christos /* 736 1.1 christos * Expire pre-auth rules 737 1.1 christos */ 738 1.1 christos for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 739 1.1 christos fae->fae_age--; 740 1.1 christos if (fae->fae_age == 0) { 741 1.1 christos ipf_auth_deref(&fae); 742 1.1 christos softa->ipf_auth_stats.fas_expire++; 743 1.1 christos } else 744 1.1 christos faep = &fae->fae_next; 745 1.1 christos } 746 1.1 christos if (softa->ipf_auth_entries != NULL) 747 1.1 christos softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 748 1.1 christos else 749 1.1 christos softa->ipf_auth_ip = NULL; 750 1.1 christos 751 1.1 christos for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 752 1.1 christos if (fr->fr_ref == 1) { 753 1.1 christos *frp = fr->fr_next; 754 1.1 christos MUTEX_DESTROY(&fr->fr_lock); 755 1.1 christos KFREE(fr); 756 1.1 christos } else 757 1.1 christos frp = &fr->fr_next; 758 1.1 christos } 759 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 760 1.1 christos SPL_X(s); 761 1.1 christos } 762 1.1 christos 763 1.1 christos 764 1.1 christos /* ------------------------------------------------------------------------ */ 765 1.1 christos /* Function: ipf_auth_precmd */ 766 1.1 christos /* Returns: int - 0 == success, else error */ 767 1.1 christos /* Parameters: cmd(I) - ioctl command for rule */ 768 1.1 christos /* fr(I) - pointer to ipf rule */ 769 1.1 christos /* fptr(I) - pointer to caller's 'fr' */ 770 1.1 christos /* */ 771 1.1 christos /* ------------------------------------------------------------------------ */ 772 1.1 christos int 773 1.1 christos ipf_auth_precmd(softc, cmd, fr, frptr) 774 1.1 christos ipf_main_softc_t *softc; 775 1.1 christos ioctlcmd_t cmd; 776 1.1 christos frentry_t *fr, **frptr; 777 1.1 christos { 778 1.1 christos ipf_auth_softc_t *softa = softc->ipf_auth_soft; 779 1.1 christos frauthent_t *fae, **faep; 780 1.1 christos int error = 0; 781 1.1 christos SPL_INT(s); 782 1.1 christos 783 1.1 christos if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) { 784 1.1 christos IPFERROR(10006); 785 1.1 christos return EIO; 786 1.1 christos } 787 1.1 christos 788 1.1 christos for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 789 1.1 christos if (&fae->fae_fr == fr) 790 1.1 christos break; 791 1.1 christos else 792 1.1 christos faep = &fae->fae_next; 793 1.1 christos } 794 1.1 christos 795 1.1 christos if (cmd == (ioctlcmd_t)SIOCRMAFR) { 796 1.1 christos if (fr == NULL || frptr == NULL) { 797 1.1 christos IPFERROR(10007); 798 1.1 christos error = EINVAL; 799 1.1 christos 800 1.1 christos } else if (fae == NULL) { 801 1.1 christos IPFERROR(10008); 802 1.1 christos error = ESRCH; 803 1.1 christos 804 1.1 christos } else { 805 1.1 christos SPL_NET(s); 806 1.1 christos WRITE_ENTER(&softa->ipf_authlk); 807 1.1 christos *faep = fae->fae_next; 808 1.1 christos if (softa->ipf_auth_ip == &fae->fae_fr) 809 1.1 christos softa->ipf_auth_ip = softa->ipf_auth_entries ? 810 1.1 christos &softa->ipf_auth_entries->fae_fr : NULL; 811 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 812 1.1 christos SPL_X(s); 813 1.1 christos 814 1.1 christos KFREE(fae); 815 1.1 christos } 816 1.1 christos } else if (fr != NULL && frptr != NULL) { 817 1.1 christos KMALLOC(fae, frauthent_t *); 818 1.1 christos if (fae != NULL) { 819 1.1 christos bcopy((char *)fr, (char *)&fae->fae_fr, 820 1.1 christos sizeof(*fr)); 821 1.1 christos SPL_NET(s); 822 1.1 christos WRITE_ENTER(&softa->ipf_authlk); 823 1.1 christos fae->fae_age = softa->ipf_auth_defaultage; 824 1.1 christos fae->fae_fr.fr_hits = 0; 825 1.1 christos fae->fae_fr.fr_next = *frptr; 826 1.1 christos fae->fae_ref = 1; 827 1.1 christos *frptr = &fae->fae_fr; 828 1.1 christos fae->fae_next = *faep; 829 1.1 christos *faep = fae; 830 1.1 christos softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 831 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 832 1.1 christos SPL_X(s); 833 1.1 christos } else { 834 1.1 christos IPFERROR(10009); 835 1.1 christos error = ENOMEM; 836 1.1 christos } 837 1.1 christos } else { 838 1.1 christos IPFERROR(10010); 839 1.1 christos error = EINVAL; 840 1.1 christos } 841 1.1 christos return error; 842 1.1 christos } 843 1.1 christos 844 1.1 christos 845 1.1 christos /* ------------------------------------------------------------------------ */ 846 1.1 christos /* Function: ipf_auth_flush */ 847 1.1 christos /* Returns: int - number of auth entries flushed */ 848 1.1 christos /* Parameters: None */ 849 1.1 christos /* Locks: WRITE(ipf_authlk) */ 850 1.1 christos /* */ 851 1.1 christos /* This function flushs the ipf_auth_pkts array of any packet data with */ 852 1.1 christos /* references still there. */ 853 1.1 christos /* It is expected that the caller has already acquired the correct locks or */ 854 1.1 christos /* set the priority level correctly for this to block out other code paths */ 855 1.1 christos /* into these data structures. */ 856 1.1 christos /* ------------------------------------------------------------------------ */ 857 1.1 christos static int 858 1.1 christos ipf_auth_flush(arg) 859 1.1 christos void *arg; 860 1.1 christos { 861 1.1 christos ipf_auth_softc_t *softa = arg; 862 1.1 christos int i, num_flushed; 863 1.1 christos mb_t *m; 864 1.1 christos 865 1.1 christos if (softa->ipf_auth_lock) 866 1.1 christos return -1; 867 1.1 christos 868 1.1 christos num_flushed = 0; 869 1.1 christos 870 1.1 christos for (i = 0 ; i < softa->ipf_auth_size; i++) { 871 1.1 christos if (softa->ipf_auth[i].fra_index != -1) { 872 1.1 christos m = softa->ipf_auth_pkts[i]; 873 1.1 christos if (m != NULL) { 874 1.1 christos FREE_MB_T(m); 875 1.1 christos softa->ipf_auth_pkts[i] = NULL; 876 1.1 christos } 877 1.1 christos 878 1.1 christos softa->ipf_auth[i].fra_index = -1; 879 1.1 christos /* perhaps add & use a flush counter inst.*/ 880 1.1 christos softa->ipf_auth_stats.fas_expire++; 881 1.1 christos num_flushed++; 882 1.1 christos } 883 1.1 christos } 884 1.1 christos 885 1.1 christos softa->ipf_auth_start = 0; 886 1.1 christos softa->ipf_auth_end = 0; 887 1.1 christos softa->ipf_auth_next = 0; 888 1.1 christos softa->ipf_auth_used = 0; 889 1.1 christos softa->ipf_auth_replies = 0; 890 1.1 christos 891 1.1 christos return num_flushed; 892 1.1 christos } 893 1.1 christos 894 1.1 christos 895 1.1 christos /* ------------------------------------------------------------------------ */ 896 1.1 christos /* Function: ipf_auth_waiting */ 897 1.1 christos /* Returns: int - number of packets in the auth queue */ 898 1.1 christos /* Parameters: None */ 899 1.1 christos /* */ 900 1.1 christos /* Simple truth check to see if there are any packets waiting in the auth */ 901 1.1 christos /* queue. */ 902 1.1 christos /* ------------------------------------------------------------------------ */ 903 1.1 christos int 904 1.1 christos ipf_auth_waiting(softc) 905 1.1 christos ipf_main_softc_t *softc; 906 1.1 christos { 907 1.1 christos ipf_auth_softc_t *softa = softc->ipf_auth_soft; 908 1.1 christos 909 1.1 christos return (softa->ipf_auth_used != 0); 910 1.1 christos } 911 1.1 christos 912 1.1 christos 913 1.1 christos /* ------------------------------------------------------------------------ */ 914 1.1 christos /* Function: ipf_auth_geniter */ 915 1.1 christos /* Returns: int - 0 == success, else error */ 916 1.1 christos /* Parameters: token(I) - pointer to ipftoken structure */ 917 1.1 christos /* itp(I) - pointer to ipfgeniter structure */ 918 1.1 christos /* objp(I) - pointer to ipf object destription */ 919 1.1 christos /* */ 920 1.1 christos /* Iterate through the list of entries in the auth queue list. */ 921 1.1 christos /* objp is used here to get the location of where to do the copy out to. */ 922 1.1 christos /* Stomping over various fields with new information will not harm anything */ 923 1.1 christos /* ------------------------------------------------------------------------ */ 924 1.1 christos static int 925 1.1 christos ipf_auth_geniter(softc, token, itp, objp) 926 1.1 christos ipf_main_softc_t *softc; 927 1.1 christos ipftoken_t *token; 928 1.1 christos ipfgeniter_t *itp; 929 1.1 christos ipfobj_t *objp; 930 1.1 christos { 931 1.1 christos ipf_auth_softc_t *softa = softc->ipf_auth_soft; 932 1.1 christos frauthent_t *fae, *next, zero; 933 1.1 christos int error; 934 1.1 christos 935 1.1 christos if (itp->igi_data == NULL) { 936 1.1 christos IPFERROR(10011); 937 1.1 christos return EFAULT; 938 1.1 christos } 939 1.1 christos 940 1.1 christos if (itp->igi_type != IPFGENITER_AUTH) { 941 1.1 christos IPFERROR(10012); 942 1.1 christos return EINVAL; 943 1.1 christos } 944 1.1 christos 945 1.1 christos objp->ipfo_type = IPFOBJ_FRAUTH; 946 1.1 christos objp->ipfo_ptr = itp->igi_data; 947 1.1 christos objp->ipfo_size = sizeof(frauth_t); 948 1.1 christos 949 1.1 christos READ_ENTER(&softa->ipf_authlk); 950 1.1 christos 951 1.1 christos fae = token->ipt_data; 952 1.1 christos if (fae == NULL) { 953 1.1 christos next = softa->ipf_auth_entries; 954 1.1 christos } else { 955 1.1 christos next = fae->fae_next; 956 1.1 christos } 957 1.1 christos 958 1.1 christos /* 959 1.1 christos * If we found an auth entry to use, bump its reference count 960 1.1 christos * so that it can be used for is_next when we come back. 961 1.1 christos */ 962 1.1 christos if (next != NULL) { 963 1.1 christos ATOMIC_INC(next->fae_ref); 964 1.1 christos token->ipt_data = next; 965 1.1 christos } else { 966 1.1 christos bzero(&zero, sizeof(zero)); 967 1.1 christos next = &zero; 968 1.1 christos token->ipt_data = NULL; 969 1.1 christos } 970 1.1 christos 971 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 972 1.1 christos 973 1.1 christos error = ipf_outobjk(softc, objp, next); 974 1.1 christos if (fae != NULL) 975 1.1 christos ipf_auth_deref_unlocked(softa, &fae); 976 1.1 christos 977 1.1 christos if (next->fae_next == NULL) 978 1.1 christos ipf_token_mark_complete(token); 979 1.1 christos return error; 980 1.1 christos } 981 1.1 christos 982 1.1 christos 983 1.1 christos /* ------------------------------------------------------------------------ */ 984 1.1 christos /* Function: ipf_auth_deref_unlocked */ 985 1.1 christos /* Returns: None */ 986 1.1 christos /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 987 1.1 christos /* */ 988 1.1 christos /* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */ 989 1.1 christos /* held. */ 990 1.1 christos /* ------------------------------------------------------------------------ */ 991 1.1 christos static void 992 1.1 christos ipf_auth_deref_unlocked(softa, faep) 993 1.1 christos ipf_auth_softc_t *softa; 994 1.1 christos frauthent_t **faep; 995 1.1 christos { 996 1.1 christos WRITE_ENTER(&softa->ipf_authlk); 997 1.1 christos ipf_auth_deref(faep); 998 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 999 1.1 christos } 1000 1.1 christos 1001 1.1 christos 1002 1.1 christos /* ------------------------------------------------------------------------ */ 1003 1.1 christos /* Function: ipf_auth_deref */ 1004 1.1 christos /* Returns: None */ 1005 1.1 christos /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 1006 1.1 christos /* Locks: WRITE(ipf_authlk) */ 1007 1.1 christos /* */ 1008 1.1 christos /* This function unconditionally sets the pointer in the caller to NULL, */ 1009 1.1 christos /* to make it clear that it should no longer use that pointer, and drops */ 1010 1.1 christos /* the reference count on the structure by 1. If it reaches 0, free it up. */ 1011 1.1 christos /* ------------------------------------------------------------------------ */ 1012 1.1 christos static void 1013 1.1 christos ipf_auth_deref(faep) 1014 1.1 christos frauthent_t **faep; 1015 1.1 christos { 1016 1.1 christos frauthent_t *fae; 1017 1.1 christos 1018 1.1 christos fae = *faep; 1019 1.1 christos *faep = NULL; 1020 1.1 christos 1021 1.1 christos fae->fae_ref--; 1022 1.1 christos if (fae->fae_ref == 0) { 1023 1.1 christos KFREE(fae); 1024 1.1 christos } 1025 1.1 christos } 1026 1.1 christos 1027 1.1 christos 1028 1.1 christos /* ------------------------------------------------------------------------ */ 1029 1.1 christos /* Function: ipf_auth_wait_pkt */ 1030 1.1 christos /* Returns: int - 0 == success, else error */ 1031 1.1 christos /* Parameters: data(I) - pointer to data from ioctl call */ 1032 1.1 christos /* */ 1033 1.1 christos /* This function is called when an application is waiting for a packet to */ 1034 1.1 christos /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */ 1035 1.1 christos /* a packet waiting on the queue then we will return that _one_ immediately.*/ 1036 1.1 christos /* If there are no packets present in the queue (ipf_auth_pkts) then we go */ 1037 1.1 christos /* to sleep. */ 1038 1.1 christos /* ------------------------------------------------------------------------ */ 1039 1.1 christos static int 1040 1.1 christos ipf_auth_wait(softc, softa, data) 1041 1.1 christos ipf_main_softc_t *softc; 1042 1.1 christos ipf_auth_softc_t *softa; 1043 1.1 christos char *data; 1044 1.1 christos { 1045 1.1 christos frauth_t auth, *au = &auth; 1046 1.1 christos int error, len, i; 1047 1.1 christos mb_t *m; 1048 1.1 christos char *t; 1049 1.1 christos SPL_INT(s); 1050 1.1 christos 1051 1.1 christos ipf_auth_ioctlloop: 1052 1.1 christos error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH); 1053 1.1 christos if (error != 0) 1054 1.1 christos return error; 1055 1.1 christos 1056 1.1 christos /* 1057 1.1 christos * XXX Locks are held below over calls to copyout...a better 1058 1.1 christos * solution needs to be found so this isn't necessary. The situation 1059 1.1 christos * we are trying to guard against here is an error in the copyout 1060 1.1 christos * steps should not cause the packet to "disappear" from the queue. 1061 1.1 christos */ 1062 1.1 christos SPL_NET(s); 1063 1.1 christos READ_ENTER(&softa->ipf_authlk); 1064 1.1 christos 1065 1.1 christos /* 1066 1.1 christos * If ipf_auth_next is not equal to ipf_auth_end it will be because 1067 1.1 christos * there is a packet waiting to be delt with in the ipf_auth_pkts 1068 1.1 christos * array. We copy as much of that out to user space as requested. 1069 1.1 christos */ 1070 1.1 christos if (softa->ipf_auth_used > 0) { 1071 1.1 christos while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) { 1072 1.1 christos softa->ipf_auth_next++; 1073 1.1 christos if (softa->ipf_auth_next == softa->ipf_auth_size) 1074 1.1 christos softa->ipf_auth_next = 0; 1075 1.1 christos } 1076 1.1 christos 1077 1.1 christos error = ipf_outobj(softc, data, 1078 1.1 christos &softa->ipf_auth[softa->ipf_auth_next], 1079 1.1 christos IPFOBJ_FRAUTH); 1080 1.1 christos if (error != 0) { 1081 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 1082 1.1 christos SPL_X(s); 1083 1.1 christos return error; 1084 1.1 christos } 1085 1.1 christos 1086 1.1 christos if (auth.fra_len != 0 && auth.fra_buf != NULL) { 1087 1.1 christos /* 1088 1.1 christos * Copy packet contents out to user space if 1089 1.1 christos * requested. Bail on an error. 1090 1.1 christos */ 1091 1.1 christos m = softa->ipf_auth_pkts[softa->ipf_auth_next]; 1092 1.1 christos len = MSGDSIZE(m); 1093 1.1 christos if (len > auth.fra_len) 1094 1.1 christos len = auth.fra_len; 1095 1.1 christos auth.fra_len = len; 1096 1.1 christos 1097 1.1 christos for (t = auth.fra_buf; m && (len > 0); ) { 1098 1.1 christos i = MIN(M_LEN(m), len); 1099 1.1 christos error = copyoutptr(softc, MTOD(m, char *), 1100 1.1 christos &t, i); 1101 1.1 christos len -= i; 1102 1.1 christos t += i; 1103 1.1 christos if (error != 0) { 1104 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 1105 1.1 christos SPL_X(s); 1106 1.1 christos return error; 1107 1.1 christos } 1108 1.1 christos m = m->m_next; 1109 1.1 christos } 1110 1.1 christos } 1111 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 1112 1.1 christos 1113 1.1 christos SPL_NET(s); 1114 1.1 christos WRITE_ENTER(&softa->ipf_authlk); 1115 1.1 christos softa->ipf_auth_next++; 1116 1.1 christos if (softa->ipf_auth_next == softa->ipf_auth_size) 1117 1.1 christos softa->ipf_auth_next = 0; 1118 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 1119 1.1 christos SPL_X(s); 1120 1.1 christos 1121 1.1 christos return 0; 1122 1.1 christos } 1123 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 1124 1.1 christos SPL_X(s); 1125 1.1 christos 1126 1.1 christos MUTEX_ENTER(&softa->ipf_auth_mx); 1127 1.1 christos #ifdef _KERNEL 1128 1.1 christos # if SOLARIS 1129 1.1 christos error = 0; 1130 1.1 christos if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) { 1131 1.1 christos IPFERROR(10014); 1132 1.1 christos error = EINTR; 1133 1.1 christos } 1134 1.1 christos # else /* SOLARIS */ 1135 1.1 christos # ifdef __hpux 1136 1.1 christos { 1137 1.1 christos lock_t *l; 1138 1.1 christos 1139 1.1 christos l = get_sleep_lock(&softa->ipf_auth_next); 1140 1.1 christos error = sleep(&softa->ipf_auth_next, PZERO+1); 1141 1.1 christos spinunlock(l); 1142 1.1 christos } 1143 1.1 christos # else 1144 1.1 christos # ifdef __osf__ 1145 1.1 christos error = mpsleep(&softa->ipf_auth_next, PSUSP|PCATCH, "ipf_auth_next", 1146 1.1 christos 0, &softa->ipf_auth_mx, MS_LOCK_SIMPLE); 1147 1.1 christos # else 1148 1.1 christos error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next"); 1149 1.1 christos # endif /* __osf__ */ 1150 1.1 christos # endif /* __hpux */ 1151 1.1 christos # endif /* SOLARIS */ 1152 1.1 christos #endif 1153 1.1 christos MUTEX_EXIT(&softa->ipf_auth_mx); 1154 1.1 christos if (error == 0) 1155 1.1 christos goto ipf_auth_ioctlloop; 1156 1.1 christos return error; 1157 1.1 christos } 1158 1.1 christos 1159 1.1 christos 1160 1.1 christos /* ------------------------------------------------------------------------ */ 1161 1.1 christos /* Function: ipf_auth_reply */ 1162 1.1 christos /* Returns: int - 0 == success, else error */ 1163 1.1 christos /* Parameters: data(I) - pointer to data from ioctl call */ 1164 1.1 christos /* */ 1165 1.1 christos /* This function is called by an application when it wants to return a */ 1166 1.1 christos /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */ 1167 1.1 christos /* received information using an SIOCAUTHW. The decision returned in the */ 1168 1.1 christos /* form of flags, the same as those used in each rule. */ 1169 1.1 christos /* ------------------------------------------------------------------------ */ 1170 1.1 christos static int 1171 1.1 christos ipf_auth_reply(softc, softa, data) 1172 1.1 christos ipf_main_softc_t *softc; 1173 1.1 christos ipf_auth_softc_t *softa; 1174 1.1 christos char *data; 1175 1.1 christos { 1176 1.1 christos frauth_t auth, *au = &auth, *fra; 1177 1.1 christos fr_info_t fin; 1178 1.1 christos int error, i; 1179 1.1 christos mb_t *m; 1180 1.1 christos SPL_INT(s); 1181 1.1 christos 1182 1.1 christos error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH); 1183 1.1 christos if (error != 0) 1184 1.1 christos return error; 1185 1.1 christos 1186 1.1 christos SPL_NET(s); 1187 1.1 christos WRITE_ENTER(&softa->ipf_authlk); 1188 1.1 christos 1189 1.1 christos i = au->fra_index; 1190 1.1 christos fra = softa->ipf_auth + i; 1191 1.1 christos error = 0; 1192 1.1 christos 1193 1.1 christos /* 1194 1.1 christos * Check the validity of the information being returned with two simple 1195 1.1 christos * checks. First, the auth index value should be within the size of 1196 1.1 christos * the array and second the packet id being returned should also match. 1197 1.1 christos */ 1198 1.1 christos if ((i < 0) || (i >= softa->ipf_auth_size)) { 1199 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 1200 1.1 christos SPL_X(s); 1201 1.1 christos IPFERROR(10015); 1202 1.1 christos return ESRCH; 1203 1.1 christos } 1204 1.1 christos if (fra->fra_info.fin_id != au->fra_info.fin_id) { 1205 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 1206 1.1 christos SPL_X(s); 1207 1.1 christos IPFERROR(10019); 1208 1.1 christos return ESRCH; 1209 1.1 christos } 1210 1.1 christos 1211 1.1 christos m = softa->ipf_auth_pkts[i]; 1212 1.1 christos fra->fra_index = -2; 1213 1.1 christos fra->fra_pass = au->fra_pass; 1214 1.1 christos softa->ipf_auth_pkts[i] = NULL; 1215 1.1 christos softa->ipf_auth_replies++; 1216 1.1 christos bcopy(&fra->fra_info, &fin, sizeof(fin)); 1217 1.1 christos 1218 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 1219 1.1 christos 1220 1.1 christos /* 1221 1.1 christos * Re-insert the packet back into the packet stream flowing through 1222 1.1 christos * the kernel in a manner that will mean IPFilter sees the packet 1223 1.1 christos * again. This is not the same as is done with fastroute, 1224 1.1 christos * deliberately, as we want to resume the normal packet processing 1225 1.1 christos * path for it. 1226 1.1 christos */ 1227 1.1 christos #ifdef _KERNEL 1228 1.1 christos if ((m != NULL) && (au->fra_info.fin_out != 0)) { 1229 1.1 christos error = ipf_inject(&fin, m); 1230 1.1 christos if (error != 0) { 1231 1.1 christos IPFERROR(10016); 1232 1.1 christos error = ENOBUFS; 1233 1.1 christos softa->ipf_auth_stats.fas_sendfail++; 1234 1.1 christos } else { 1235 1.1 christos softa->ipf_auth_stats.fas_sendok++; 1236 1.1 christos } 1237 1.1 christos } else if (m) { 1238 1.1 christos error = ipf_inject(&fin, m); 1239 1.1 christos if (error != 0) { 1240 1.1 christos IPFERROR(10017); 1241 1.1 christos error = ENOBUFS; 1242 1.1 christos softa->ipf_auth_stats.fas_quefail++; 1243 1.1 christos } else { 1244 1.1 christos softa->ipf_auth_stats.fas_queok++; 1245 1.1 christos } 1246 1.1 christos } else { 1247 1.1 christos IPFERROR(10018); 1248 1.1 christos error = EINVAL; 1249 1.1 christos } 1250 1.1 christos 1251 1.1 christos /* 1252 1.1 christos * If we experience an error which will result in the packet 1253 1.1 christos * not being processed, make sure we advance to the next one. 1254 1.1 christos */ 1255 1.1 christos if (error == ENOBUFS) { 1256 1.1 christos WRITE_ENTER(&softa->ipf_authlk); 1257 1.1 christos softa->ipf_auth_used--; 1258 1.1 christos fra->fra_index = -1; 1259 1.1 christos fra->fra_pass = 0; 1260 1.1 christos if (i == softa->ipf_auth_start) { 1261 1.1 christos while (fra->fra_index == -1) { 1262 1.1 christos i++; 1263 1.1 christos if (i == softa->ipf_auth_size) 1264 1.1 christos i = 0; 1265 1.1 christos softa->ipf_auth_start = i; 1266 1.1 christos if (i == softa->ipf_auth_end) 1267 1.1 christos break; 1268 1.1 christos } 1269 1.1 christos if (softa->ipf_auth_start == softa->ipf_auth_end) { 1270 1.1 christos softa->ipf_auth_next = 0; 1271 1.1 christos softa->ipf_auth_start = 0; 1272 1.1 christos softa->ipf_auth_end = 0; 1273 1.1 christos } 1274 1.1 christos } 1275 1.1 christos RWLOCK_EXIT(&softa->ipf_authlk); 1276 1.1 christos } 1277 1.1 christos #endif /* _KERNEL */ 1278 1.1 christos SPL_X(s); 1279 1.1 christos 1280 1.1 christos return 0; 1281 1.1 christos } 1282 1.1 christos 1283 1.1 christos 1284 1.1 christos u_32_t 1285 1.1 christos ipf_auth_pre_scanlist(softc, fin, pass) 1286 1.1 christos ipf_main_softc_t *softc; 1287 1.1 christos fr_info_t *fin; 1288 1.1 christos u_32_t pass; 1289 1.1 christos { 1290 1.1 christos ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1291 1.1 christos 1292 1.1 christos if (softa->ipf_auth_ip != NULL) 1293 1.1 christos return ipf_scanlist(fin, softc->ipf_pass); 1294 1.1 christos 1295 1.1 christos return pass; 1296 1.1 christos } 1297 1.1 christos 1298 1.1 christos 1299 1.1 christos frentry_t ** 1300 1.1 christos ipf_auth_rulehead(softc) 1301 1.1 christos ipf_main_softc_t *softc; 1302 1.1 christos { 1303 1.1 christos ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1304 1.1 christos 1305 1.1 christos return &softa->ipf_auth_ip; 1306 1.1 christos } 1307
Indexes created Fri Oct 03 02:09:57 GMT 2025