ip_auth.c revision 1.1
1 /* $NetBSD: ip_auth.c,v 1.1 2012/03/23 20:36:52 christos Exp $ */ 2 3 /* 4 * Copyright (C) 2012 by Darren Reed. 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 */ 8 #if defined(KERNEL) || defined(_KERNEL) 9 # undef KERNEL 10 # undef _KERNEL 11 # define KERNEL 1 12 # define _KERNEL 1 13 #endif 14 #include <sys/errno.h> 15 #include <sys/types.h> 16 #include <sys/param.h> 17 #include <sys/time.h> 18 #include <sys/file.h> 19 #if !defined(_KERNEL) 20 # include <stdio.h> 21 # include <stdlib.h> 22 # ifdef _STDC_C99 23 # include <stdbool.h> 24 # endif 25 # include <string.h> 26 # define _KERNEL 27 # ifdef __OpenBSD__ 28 struct file; 29 # endif 30 # include <sys/uio.h> 31 # undef _KERNEL 32 #endif 33 #if defined(_KERNEL) && (__FreeBSD_version >= 220000) 34 # include <sys/filio.h> 35 # include <sys/fcntl.h> 36 #else 37 # include <sys/ioctl.h> 38 #endif 39 #if !defined(linux) 40 # include <sys/protosw.h> 41 #endif 42 #include <sys/socket.h> 43 #if defined(_KERNEL) 44 # include <sys/systm.h> 45 # if !defined(__SVR4) && !defined(__svr4__) && !defined(linux) 46 # include <sys/mbuf.h> 47 # endif 48 #endif 49 #if defined(__SVR4) || defined(__svr4__) 50 # include <sys/filio.h> 51 # include <sys/byteorder.h> 52 # ifdef _KERNEL 53 # include <sys/dditypes.h> 54 # endif 55 # include <sys/stream.h> 56 # include <sys/kmem.h> 57 #endif 58 #if (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) || \ 59 (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000)) 60 # include <sys/queue.h> 61 #endif 62 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) 63 # include <machine/cpu.h> 64 #endif 65 #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000) 66 # include <sys/proc.h> 67 #endif 68 #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \ 69 !defined(_KERNEL) 70 # include <stdbool.h> 71 #endif 72 #include <net/if.h> 73 #ifdef sun 74 # include <net/af.h> 75 #endif 76 #include <netinet/in.h> 77 #include <netinet/in_systm.h> 78 #include <netinet/ip.h> 79 #if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi) 80 # define KERNEL 81 # define _KERNEL 82 # define NOT_KERNEL 83 #endif 84 #if !defined(linux) 85 # include <netinet/ip_var.h> 86 #endif 87 #ifdef NOT_KERNEL 88 # undef _KERNEL 89 # undef KERNEL 90 #endif 91 #include <netinet/tcp.h> 92 #if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */ 93 extern struct ifqueue ipintrq; /* ip packet input queue */ 94 #else 95 # if !defined(__hpux) && !defined(linux) 96 # if __FreeBSD_version >= 300000 97 # include <net/if_var.h> 98 # if __FreeBSD_version >= 500042 99 # define IF_QFULL _IF_QFULL 100 # define IF_DROP _IF_DROP 101 # endif /* __FreeBSD_version >= 500042 */ 102 # endif 103 # include <netinet/in_var.h> 104 # include <netinet/tcp_fsm.h> 105 # endif 106 #endif 107 #include <netinet/udp.h> 108 #include <netinet/ip_icmp.h> 109 #include "netinet/ip_compat.h" 110 #include <netinet/tcpip.h> 111 #include "netinet/ip_fil.h" 112 #include "netinet/ip_auth.h" 113 #if !defined(MENTAT) && !defined(linux) 114 # include <net/netisr.h> 115 # ifdef __FreeBSD__ 116 # include <machine/cpufunc.h> 117 # endif 118 #endif 119 #if (__FreeBSD_version >= 300000) 120 # include <sys/malloc.h> 121 # if defined(_KERNEL) && !defined(IPFILTER_LKM) 122 # include <sys/libkern.h> 123 # include <sys/systm.h> 124 # endif 125 #endif 126 /* END OF INCLUDES */ 127 128 #if !defined(lint) 129 static const char rcsid[] = "@(#)Id"; 130 #endif 131 132 133 134 typedef struct ipf_auth_softc_s { 135 #if SOLARIS && defined(_KERNEL) 136 kcondvar_t ipf_auth_wait; 137 #endif /* SOLARIS */ 138 #if defined(linux) && defined(_KERNEL) 139 wait_queue_head_t ipf_auth_next_linux; 140 #endif 141 ipfrwlock_t ipf_authlk; 142 ipfmutex_t ipf_auth_mx; 143 int ipf_auth_size; 144 int ipf_auth_used; 145 int ipf_auth_replies; 146 int ipf_auth_defaultage; 147 int ipf_auth_lock; 148 ipf_authstat_t ipf_auth_stats; 149 frauth_t *ipf_auth; 150 mb_t **ipf_auth_pkts; 151 int ipf_auth_start; 152 int ipf_auth_end; 153 int ipf_auth_next; 154 frauthent_t *ipf_auth_entries; 155 frentry_t *ipf_auth_ip; 156 frentry_t *ipf_auth_rules; 157 } ipf_auth_softc_t; 158 159 160 static void ipf_auth_deref __P((frauthent_t **)); 161 static void ipf_auth_deref_unlocked __P((ipf_auth_softc_t *, frauthent_t **)); 162 static int ipf_auth_geniter __P((ipf_main_softc_t *, ipftoken_t *, 163 ipfgeniter_t *, ipfobj_t *)); 164 static int ipf_auth_reply __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *)); 165 static int ipf_auth_wait __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *)); 166 static int ipf_auth_flush __P((void *)); 167 168 169 /* ------------------------------------------------------------------------ */ 170 /* Function: ipf_auth_main_load */ 171 /* Returns: int - 0 == success, else error */ 172 /* Parameters: None */ 173 /* */ 174 /* A null-op function that exists as a placeholder so that the flow in */ 175 /* other functions is obvious. */ 176 /* ------------------------------------------------------------------------ */ 177 int 178 ipf_auth_main_load() 179 { 180 return 0; 181 } 182 183 184 /* ------------------------------------------------------------------------ */ 185 /* Function: ipf_auth_main_unload */ 186 /* Returns: int - 0 == success, else error */ 187 /* Parameters: None */ 188 /* */ 189 /* A null-op function that exists as a placeholder so that the flow in */ 190 /* other functions is obvious. */ 191 /* ------------------------------------------------------------------------ */ 192 int 193 ipf_auth_main_unload() 194 { 195 return 0; 196 } 197 198 199 /* ------------------------------------------------------------------------ */ 200 /* Function: ipf_auth_soft_create */ 201 /* Returns: int - NULL = failure, else success */ 202 /* Parameters: softc(I) - pointer to soft context data */ 203 /* */ 204 /* Create a structre to store all of the run-time data for packet auth in */ 205 /* and initialise some fields to their defaults. */ 206 /* ------------------------------------------------------------------------ */ 207 void * 208 ipf_auth_soft_create(softc) 209 ipf_main_softc_t *softc; 210 { 211 ipf_auth_softc_t *softa; 212 213 KMALLOC(softa, ipf_auth_softc_t *); 214 if (softa == NULL) 215 return NULL; 216 217 bzero((char *)softa, sizeof(*softa)); 218 219 softa->ipf_auth_size = FR_NUMAUTH; 220 softa->ipf_auth_defaultage = 600; 221 222 RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock"); 223 MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex"); 224 #if SOLARIS && defined(_KERNEL) 225 cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL); 226 #endif 227 228 return softa; 229 } 230 231 /* ------------------------------------------------------------------------ */ 232 /* Function: ipf_auth_soft_init */ 233 /* Returns: int - 0 == success, else error */ 234 /* Parameters: softc(I) - pointer to soft context data */ 235 /* arg(I) - opaque pointer to auth context data */ 236 /* */ 237 /* Allocate memory and initialise data structures used in handling auth */ 238 /* rules. */ 239 /* ------------------------------------------------------------------------ */ 240 int 241 ipf_auth_soft_init(softc, arg) 242 ipf_main_softc_t *softc; 243 void *arg; 244 { 245 ipf_auth_softc_t *softa = arg; 246 247 KMALLOCS(softa->ipf_auth, frauth_t *, 248 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 249 if (softa->ipf_auth == NULL) 250 return -1; 251 bzero((char *)softa->ipf_auth, 252 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 253 254 KMALLOCS(softa->ipf_auth_pkts, mb_t **, 255 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 256 if (softa->ipf_auth_pkts == NULL) 257 return -2; 258 bzero((char *)softa->ipf_auth_pkts, 259 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 260 261 #if defined(linux) && defined(_KERNEL) 262 init_waitqueue_head(&softa->ipf_auth_next_linux); 263 #endif 264 265 return 0; 266 } 267 268 269 /* ------------------------------------------------------------------------ */ 270 /* Function: ipf_auth_soft_fini */ 271 /* Returns: int - 0 == success, else error */ 272 /* Parameters: softc(I) - pointer to soft context data */ 273 /* arg(I) - opaque pointer to auth context data */ 274 /* */ 275 /* Free all network buffer memory used to keep saved packets that have been */ 276 /* connectedd to the soft soft context structure *but* do not free that: it */ 277 /* is free'd by _destroy(). */ 278 /* ------------------------------------------------------------------------ */ 279 int 280 ipf_auth_soft_fini(softc, arg) 281 ipf_main_softc_t *softc; 282 void *arg; 283 { 284 ipf_auth_softc_t *softa = arg; 285 frauthent_t *fae, **faep; 286 frentry_t *fr, **frp; 287 mb_t *m; 288 int i; 289 290 if (softa->ipf_auth != NULL) { 291 KFREES(softa->ipf_auth, 292 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 293 softa->ipf_auth = NULL; 294 } 295 296 if (softa->ipf_auth_pkts != NULL) { 297 for (i = 0; i < softa->ipf_auth_size; i++) { 298 m = softa->ipf_auth_pkts[i]; 299 if (m != NULL) { 300 FREE_MB_T(m); 301 softa->ipf_auth_pkts[i] = NULL; 302 } 303 } 304 KFREES(softa->ipf_auth_pkts, 305 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 306 softa->ipf_auth_pkts = NULL; 307 } 308 309 faep = &softa->ipf_auth_entries; 310 while ((fae = *faep) != NULL) { 311 *faep = fae->fae_next; 312 KFREE(fae); 313 } 314 softa->ipf_auth_ip = NULL; 315 316 if (softa->ipf_auth_rules != NULL) { 317 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 318 if (fr->fr_ref == 1) { 319 *frp = fr->fr_next; 320 MUTEX_DESTROY(&fr->fr_lock); 321 KFREE(fr); 322 } else 323 frp = &fr->fr_next; 324 } 325 } 326 327 return 0; 328 } 329 330 331 /* ------------------------------------------------------------------------ */ 332 /* Function: ipf_auth_soft_destroy */ 333 /* Returns: void */ 334 /* Parameters: softc(I) - pointer to soft context data */ 335 /* arg(I) - opaque pointer to auth context data */ 336 /* */ 337 /* Undo what was done in _create() - i.e. free the soft context data. */ 338 /* ------------------------------------------------------------------------ */ 339 void 340 ipf_auth_soft_destroy(softc, arg) 341 ipf_main_softc_t *softc; 342 void *arg; 343 { 344 ipf_auth_softc_t *softa = arg; 345 346 # if SOLARIS && defined(_KERNEL) 347 cv_destroy(&softa->ipf_auth_wait); 348 # endif 349 MUTEX_DESTROY(&softa->ipf_auth_mx); 350 RW_DESTROY(&softa->ipf_authlk); 351 352 KFREE(softa); 353 } 354 355 356 /* ------------------------------------------------------------------------ */ 357 /* Function: ipf_auth_setlock */ 358 /* Returns: void */ 359 /* Paramters: arg(I) - pointer to soft context data */ 360 /* tmp(I) - value to assign to auth lock */ 361 /* */ 362 /* ------------------------------------------------------------------------ */ 363 void 364 ipf_auth_setlock(arg, tmp) 365 void *arg; 366 int tmp; 367 { 368 ipf_auth_softc_t *softa = arg; 369 370 softa->ipf_auth_lock = tmp; 371 } 372 373 374 /* ------------------------------------------------------------------------ */ 375 /* Function: ipf_auth_check */ 376 /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */ 377 /* Parameters: fin(I) - pointer to ipftoken structure */ 378 /* passp(I) - pointer to ipfgeniter structure */ 379 /* */ 380 /* Check if a packet has authorization. If the packet is found to match an */ 381 /* authorization result and that would result in a feedback loop (i.e. it */ 382 /* will end up returning FR_AUTH) then return FR_BLOCK instead. */ 383 /* ------------------------------------------------------------------------ */ 384 frentry_t * 385 ipf_auth_check(fin, passp) 386 fr_info_t *fin; 387 u_32_t *passp; 388 { 389 ipf_main_softc_t *softc = fin->fin_main_soft; 390 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 391 frentry_t *fr; 392 frauth_t *fra; 393 u_32_t pass; 394 u_short id; 395 ip_t *ip; 396 int i; 397 398 if (softa->ipf_auth_lock || !softa->ipf_auth_used) 399 return NULL; 400 401 ip = fin->fin_ip; 402 id = ip->ip_id; 403 404 READ_ENTER(&softa->ipf_authlk); 405 for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) { 406 /* 407 * index becomes -2 only after an SIOCAUTHW. Check this in 408 * case the same packet gets sent again and it hasn't yet been 409 * auth'd. 410 */ 411 fra = softa->ipf_auth + i; 412 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) && 413 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) { 414 /* 415 * Avoid feedback loop. 416 */ 417 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) { 418 pass = FR_BLOCK; 419 fin->fin_reason = FRB_AUTHFEEDBACK; 420 } 421 /* 422 * Create a dummy rule for the stateful checking to 423 * use and return. Zero out any values we don't 424 * trust from userland! 425 */ 426 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) && 427 (fin->fin_flx & FI_FRAG))) { 428 KMALLOC(fr, frentry_t *); 429 if (fr) { 430 bcopy((char *)fra->fra_info.fin_fr, 431 (char *)fr, sizeof(*fr)); 432 fr->fr_grp = NULL; 433 fr->fr_ifa = fin->fin_ifp; 434 fr->fr_func = NULL; 435 fr->fr_ref = 1; 436 fr->fr_flags = pass; 437 fr->fr_ifas[1] = NULL; 438 fr->fr_ifas[2] = NULL; 439 fr->fr_ifas[3] = NULL; 440 MUTEX_INIT(&fr->fr_lock, 441 "ipf auth rule"); 442 } 443 } else 444 fr = fra->fra_info.fin_fr; 445 fin->fin_fr = fr; 446 fin->fin_flx |= fra->fra_flx; 447 RWLOCK_EXIT(&softa->ipf_authlk); 448 449 WRITE_ENTER(&softa->ipf_authlk); 450 /* 451 * ipf_auth_rules is populated with the rules malloc'd 452 * above and only those. 453 */ 454 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) { 455 fr->fr_next = softa->ipf_auth_rules; 456 softa->ipf_auth_rules = fr; 457 } 458 softa->ipf_auth_stats.fas_hits++; 459 fra->fra_index = -1; 460 softa->ipf_auth_used--; 461 softa->ipf_auth_replies--; 462 if (i == softa->ipf_auth_start) { 463 while (fra->fra_index == -1) { 464 i++; 465 fra++; 466 if (i == softa->ipf_auth_size) { 467 i = 0; 468 fra = softa->ipf_auth; 469 } 470 softa->ipf_auth_start = i; 471 if (i == softa->ipf_auth_end) 472 break; 473 } 474 if (softa->ipf_auth_start == 475 softa->ipf_auth_end) { 476 softa->ipf_auth_next = 0; 477 softa->ipf_auth_start = 0; 478 softa->ipf_auth_end = 0; 479 } 480 } 481 RWLOCK_EXIT(&softa->ipf_authlk); 482 if (passp != NULL) 483 *passp = pass; 484 softa->ipf_auth_stats.fas_hits++; 485 return fr; 486 } 487 i++; 488 if (i == softa->ipf_auth_size) 489 i = 0; 490 } 491 RWLOCK_EXIT(&softa->ipf_authlk); 492 softa->ipf_auth_stats.fas_miss++; 493 return NULL; 494 } 495 496 497 /* ------------------------------------------------------------------------ */ 498 /* Function: ipf_auth_new */ 499 /* Returns: int - 1 == success, 0 = did not put packet on auth queue */ 500 /* Parameters: m(I) - pointer to mb_t with packet in it */ 501 /* fin(I) - pointer to packet information */ 502 /* */ 503 /* Check if we have room in the auth array to hold details for another */ 504 /* packet. If we do, store it and wake up any user programs which are */ 505 /* waiting to hear about these events. */ 506 /* ------------------------------------------------------------------------ */ 507 int 508 ipf_auth_new(m, fin) 509 mb_t *m; 510 fr_info_t *fin; 511 { 512 ipf_main_softc_t *softc = fin->fin_main_soft; 513 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 514 #if defined(_KERNEL) && defined(MENTAT) 515 qpktinfo_t *qpi = fin->fin_qpi; 516 #endif 517 frauth_t *fra; 518 #if !defined(sparc) && !defined(m68k) 519 ip_t *ip; 520 #endif 521 int i; 522 523 if (softa->ipf_auth_lock) 524 return 0; 525 526 WRITE_ENTER(&softa->ipf_authlk); 527 if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) == 528 softa->ipf_auth_start) { 529 softa->ipf_auth_stats.fas_nospace++; 530 RWLOCK_EXIT(&softa->ipf_authlk); 531 return 0; 532 } 533 534 softa->ipf_auth_stats.fas_added++; 535 softa->ipf_auth_used++; 536 i = softa->ipf_auth_end++; 537 if (softa->ipf_auth_end == softa->ipf_auth_size) 538 softa->ipf_auth_end = 0; 539 540 fra = softa->ipf_auth + i; 541 fra->fra_index = i; 542 if (fin->fin_fr != NULL) 543 fra->fra_pass = fin->fin_fr->fr_flags; 544 else 545 fra->fra_pass = 0; 546 fra->fra_age = softa->ipf_auth_defaultage; 547 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin)); 548 fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED); 549 fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED); 550 #if !defined(sparc) && !defined(m68k) 551 /* 552 * No need to copyback here as we want to undo the changes, not keep 553 * them. 554 */ 555 ip = fin->fin_ip; 556 # if defined(MENTAT) && defined(_KERNEL) 557 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4)) 558 # endif 559 { 560 register u_short bo; 561 562 bo = ip->ip_len; 563 ip->ip_len = htons(bo); 564 bo = ip->ip_off; 565 ip->ip_off = htons(bo); 566 } 567 #endif 568 #if SOLARIS && defined(_KERNEL) 569 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname); 570 m->b_rptr -= qpi->qpi_off; 571 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */ 572 fra->fra_m = *fin->fin_mp; 573 fra->fra_info.fin_mp = &fra->fra_m; 574 softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp; 575 RWLOCK_EXIT(&softa->ipf_authlk); 576 cv_signal(&softa->ipf_auth_wait); 577 pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM); 578 #else 579 softa->ipf_auth_pkts[i] = m; 580 RWLOCK_EXIT(&softa->ipf_authlk); 581 WAKEUP(&softa->ipf_auth_next, 0); 582 #endif 583 return 1; 584 } 585 586 587 /* ------------------------------------------------------------------------ */ 588 /* Function: ipf_auth_ioctl */ 589 /* Returns: int - 0 == success, else error */ 590 /* Parameters: data(IO) - pointer to ioctl data */ 591 /* cmd(I) - ioctl command */ 592 /* mode(I) - mode flags associated with open descriptor */ 593 /* uid(I) - uid associatd with application making the call */ 594 /* ctx(I) - pointer for context */ 595 /* */ 596 /* This function handles all of the ioctls recognised by the auth component */ 597 /* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */ 598 /* ------------------------------------------------------------------------ */ 599 int 600 ipf_auth_ioctl(softc, data, cmd, mode, uid, ctx) 601 ipf_main_softc_t *softc; 602 caddr_t data; 603 ioctlcmd_t cmd; 604 int mode, uid; 605 void *ctx; 606 { 607 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 608 int error = 0, i; 609 SPL_INT(s); 610 611 switch (cmd) 612 { 613 case SIOCGENITER : 614 { 615 ipftoken_t *token; 616 ipfgeniter_t iter; 617 ipfobj_t obj; 618 619 error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER); 620 if (error != 0) 621 break; 622 623 SPL_SCHED(s); 624 token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx); 625 if (token != NULL) 626 error = ipf_auth_geniter(softc, token, &iter, &obj); 627 else { 628 WRITE_ENTER(&softc->ipf_tokens); 629 if (token->ipt_data == NULL) 630 ipf_token_free(softc, token); 631 else 632 ipf_token_deref(softc, token); 633 RWLOCK_EXIT(&softc->ipf_tokens); 634 IPFERROR(10001); 635 error = ESRCH; 636 } 637 SPL_X(s); 638 639 break; 640 } 641 642 case SIOCADAFR : 643 case SIOCRMAFR : 644 if (!(mode & FWRITE)) { 645 IPFERROR(10002); 646 error = EPERM; 647 } else 648 error = frrequest(softc, IPL_LOGAUTH, cmd, data, 649 softc->ipf_active, 1); 650 break; 651 652 case SIOCSTLCK : 653 if (!(mode & FWRITE)) { 654 IPFERROR(10003); 655 error = EPERM; 656 } else { 657 error = ipf_lock(data, &softa->ipf_auth_lock); 658 } 659 break; 660 661 case SIOCATHST: 662 softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries; 663 error = ipf_outobj(softc, data, &softa->ipf_auth_stats, 664 IPFOBJ_AUTHSTAT); 665 break; 666 667 case SIOCIPFFL: 668 SPL_NET(s); 669 WRITE_ENTER(&softa->ipf_authlk); 670 i = ipf_auth_flush(softa); 671 RWLOCK_EXIT(&softa->ipf_authlk); 672 SPL_X(s); 673 error = BCOPYOUT(&i, data, sizeof(i)); 674 if (error != 0) { 675 IPFERROR(10004); 676 error = EFAULT; 677 } 678 break; 679 680 case SIOCAUTHW: 681 error = ipf_auth_wait(softc, softa, data); 682 break; 683 684 case SIOCAUTHR: 685 error = ipf_auth_reply(softc, softa, data); 686 break; 687 688 default : 689 IPFERROR(10005); 690 error = EINVAL; 691 break; 692 } 693 return error; 694 } 695 696 697 /* ------------------------------------------------------------------------ */ 698 /* Function: ipf_auth_expire */ 699 /* Returns: None */ 700 /* Parameters: None */ 701 /* */ 702 /* Slowly expire held auth records. Timeouts are set in expectation of */ 703 /* this being called twice per second. */ 704 /* ------------------------------------------------------------------------ */ 705 void 706 ipf_auth_expire(softc) 707 ipf_main_softc_t *softc; 708 { 709 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 710 frauthent_t *fae, **faep; 711 frentry_t *fr, **frp; 712 frauth_t *fra; 713 mb_t *m; 714 int i; 715 SPL_INT(s); 716 717 if (softa->ipf_auth_lock) 718 return; 719 SPL_NET(s); 720 WRITE_ENTER(&softa->ipf_authlk); 721 for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size; 722 i++, fra++) { 723 fra->fra_age--; 724 if ((fra->fra_age == 0) && 725 (softa->ipf_auth[i].fra_index != -1)) { 726 if ((m = softa->ipf_auth_pkts[i]) != NULL) { 727 FREE_MB_T(m); 728 softa->ipf_auth_pkts[i] = NULL; 729 } else if (softa->ipf_auth[i].fra_index == -2) { 730 softa->ipf_auth_replies--; 731 } 732 softa->ipf_auth[i].fra_index = -1; 733 softa->ipf_auth_stats.fas_expire++; 734 softa->ipf_auth_used--; 735 } 736 } 737 738 /* 739 * Expire pre-auth rules 740 */ 741 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 742 fae->fae_age--; 743 if (fae->fae_age == 0) { 744 ipf_auth_deref(&fae); 745 softa->ipf_auth_stats.fas_expire++; 746 } else 747 faep = &fae->fae_next; 748 } 749 if (softa->ipf_auth_entries != NULL) 750 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 751 else 752 softa->ipf_auth_ip = NULL; 753 754 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 755 if (fr->fr_ref == 1) { 756 *frp = fr->fr_next; 757 MUTEX_DESTROY(&fr->fr_lock); 758 KFREE(fr); 759 } else 760 frp = &fr->fr_next; 761 } 762 RWLOCK_EXIT(&softa->ipf_authlk); 763 SPL_X(s); 764 } 765 766 767 /* ------------------------------------------------------------------------ */ 768 /* Function: ipf_auth_precmd */ 769 /* Returns: int - 0 == success, else error */ 770 /* Parameters: cmd(I) - ioctl command for rule */ 771 /* fr(I) - pointer to ipf rule */ 772 /* fptr(I) - pointer to caller's 'fr' */ 773 /* */ 774 /* ------------------------------------------------------------------------ */ 775 int 776 ipf_auth_precmd(softc, cmd, fr, frptr) 777 ipf_main_softc_t *softc; 778 ioctlcmd_t cmd; 779 frentry_t *fr, **frptr; 780 { 781 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 782 frauthent_t *fae, **faep; 783 int error = 0; 784 SPL_INT(s); 785 786 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) { 787 IPFERROR(10006); 788 return EIO; 789 } 790 791 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 792 if (&fae->fae_fr == fr) 793 break; 794 else 795 faep = &fae->fae_next; 796 } 797 798 if (cmd == (ioctlcmd_t)SIOCRMAFR) { 799 if (fr == NULL || frptr == NULL) { 800 IPFERROR(10007); 801 error = EINVAL; 802 803 } else if (fae == NULL) { 804 IPFERROR(10008); 805 error = ESRCH; 806 807 } else { 808 SPL_NET(s); 809 WRITE_ENTER(&softa->ipf_authlk); 810 *faep = fae->fae_next; 811 if (softa->ipf_auth_ip == &fae->fae_fr) 812 softa->ipf_auth_ip = softa->ipf_auth_entries ? 813 &softa->ipf_auth_entries->fae_fr : NULL; 814 RWLOCK_EXIT(&softa->ipf_authlk); 815 SPL_X(s); 816 817 KFREE(fae); 818 } 819 } else if (fr != NULL && frptr != NULL) { 820 KMALLOC(fae, frauthent_t *); 821 if (fae != NULL) { 822 bcopy((char *)fr, (char *)&fae->fae_fr, 823 sizeof(*fr)); 824 SPL_NET(s); 825 WRITE_ENTER(&softa->ipf_authlk); 826 fae->fae_age = softa->ipf_auth_defaultage; 827 fae->fae_fr.fr_hits = 0; 828 fae->fae_fr.fr_next = *frptr; 829 fae->fae_ref = 1; 830 *frptr = &fae->fae_fr; 831 fae->fae_next = *faep; 832 *faep = fae; 833 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 834 RWLOCK_EXIT(&softa->ipf_authlk); 835 SPL_X(s); 836 } else { 837 IPFERROR(10009); 838 error = ENOMEM; 839 } 840 } else { 841 IPFERROR(10010); 842 error = EINVAL; 843 } 844 return error; 845 } 846 847 848 /* ------------------------------------------------------------------------ */ 849 /* Function: ipf_auth_flush */ 850 /* Returns: int - number of auth entries flushed */ 851 /* Parameters: None */ 852 /* Locks: WRITE(ipf_authlk) */ 853 /* */ 854 /* This function flushs the ipf_auth_pkts array of any packet data with */ 855 /* references still there. */ 856 /* It is expected that the caller has already acquired the correct locks or */ 857 /* set the priority level correctly for this to block out other code paths */ 858 /* into these data structures. */ 859 /* ------------------------------------------------------------------------ */ 860 static int 861 ipf_auth_flush(arg) 862 void *arg; 863 { 864 ipf_auth_softc_t *softa = arg; 865 int i, num_flushed; 866 mb_t *m; 867 868 if (softa->ipf_auth_lock) 869 return -1; 870 871 num_flushed = 0; 872 873 for (i = 0 ; i < softa->ipf_auth_size; i++) { 874 if (softa->ipf_auth[i].fra_index != -1) { 875 m = softa->ipf_auth_pkts[i]; 876 if (m != NULL) { 877 FREE_MB_T(m); 878 softa->ipf_auth_pkts[i] = NULL; 879 } 880 881 softa->ipf_auth[i].fra_index = -1; 882 /* perhaps add & use a flush counter inst.*/ 883 softa->ipf_auth_stats.fas_expire++; 884 num_flushed++; 885 } 886 } 887 888 softa->ipf_auth_start = 0; 889 softa->ipf_auth_end = 0; 890 softa->ipf_auth_next = 0; 891 softa->ipf_auth_used = 0; 892 softa->ipf_auth_replies = 0; 893 894 return num_flushed; 895 } 896 897 898 /* ------------------------------------------------------------------------ */ 899 /* Function: ipf_auth_waiting */ 900 /* Returns: int - number of packets in the auth queue */ 901 /* Parameters: None */ 902 /* */ 903 /* Simple truth check to see if there are any packets waiting in the auth */ 904 /* queue. */ 905 /* ------------------------------------------------------------------------ */ 906 int 907 ipf_auth_waiting(softc) 908 ipf_main_softc_t *softc; 909 { 910 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 911 912 return (softa->ipf_auth_used != 0); 913 } 914 915 916 /* ------------------------------------------------------------------------ */ 917 /* Function: ipf_auth_geniter */ 918 /* Returns: int - 0 == success, else error */ 919 /* Parameters: token(I) - pointer to ipftoken structure */ 920 /* itp(I) - pointer to ipfgeniter structure */ 921 /* objp(I) - pointer to ipf object destription */ 922 /* */ 923 /* Iterate through the list of entries in the auth queue list. */ 924 /* objp is used here to get the location of where to do the copy out to. */ 925 /* Stomping over various fields with new information will not harm anything */ 926 /* ------------------------------------------------------------------------ */ 927 static int 928 ipf_auth_geniter(softc, token, itp, objp) 929 ipf_main_softc_t *softc; 930 ipftoken_t *token; 931 ipfgeniter_t *itp; 932 ipfobj_t *objp; 933 { 934 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 935 frauthent_t *fae, *next, zero; 936 int error; 937 938 if (itp->igi_data == NULL) { 939 IPFERROR(10011); 940 return EFAULT; 941 } 942 943 if (itp->igi_type != IPFGENITER_AUTH) { 944 IPFERROR(10012); 945 return EINVAL; 946 } 947 948 objp->ipfo_type = IPFOBJ_FRAUTH; 949 objp->ipfo_ptr = itp->igi_data; 950 objp->ipfo_size = sizeof(frauth_t); 951 952 READ_ENTER(&softa->ipf_authlk); 953 954 fae = token->ipt_data; 955 if (fae == NULL) { 956 next = softa->ipf_auth_entries; 957 } else { 958 next = fae->fae_next; 959 } 960 961 /* 962 * If we found an auth entry to use, bump its reference count 963 * so that it can be used for is_next when we come back. 964 */ 965 if (next != NULL) { 966 ATOMIC_INC(next->fae_ref); 967 token->ipt_data = next; 968 } else { 969 bzero(&zero, sizeof(zero)); 970 next = &zero; 971 token->ipt_data = NULL; 972 } 973 974 RWLOCK_EXIT(&softa->ipf_authlk); 975 976 error = ipf_outobjk(softc, objp, next); 977 if (fae != NULL) 978 ipf_auth_deref_unlocked(softa, &fae); 979 980 if (next->fae_next == NULL) 981 ipf_token_mark_complete(token); 982 return error; 983 } 984 985 986 /* ------------------------------------------------------------------------ */ 987 /* Function: ipf_auth_deref_unlocked */ 988 /* Returns: None */ 989 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 990 /* */ 991 /* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */ 992 /* held. */ 993 /* ------------------------------------------------------------------------ */ 994 static void 995 ipf_auth_deref_unlocked(softa, faep) 996 ipf_auth_softc_t *softa; 997 frauthent_t **faep; 998 { 999 WRITE_ENTER(&softa->ipf_authlk); 1000 ipf_auth_deref(faep); 1001 RWLOCK_EXIT(&softa->ipf_authlk); 1002 } 1003 1004 1005 /* ------------------------------------------------------------------------ */ 1006 /* Function: ipf_auth_deref */ 1007 /* Returns: None */ 1008 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 1009 /* Locks: WRITE(ipf_authlk) */ 1010 /* */ 1011 /* This function unconditionally sets the pointer in the caller to NULL, */ 1012 /* to make it clear that it should no longer use that pointer, and drops */ 1013 /* the reference count on the structure by 1. If it reaches 0, free it up. */ 1014 /* ------------------------------------------------------------------------ */ 1015 static void 1016 ipf_auth_deref(faep) 1017 frauthent_t **faep; 1018 { 1019 frauthent_t *fae; 1020 1021 fae = *faep; 1022 *faep = NULL; 1023 1024 fae->fae_ref--; 1025 if (fae->fae_ref == 0) { 1026 KFREE(fae); 1027 } 1028 } 1029 1030 1031 /* ------------------------------------------------------------------------ */ 1032 /* Function: ipf_auth_wait_pkt */ 1033 /* Returns: int - 0 == success, else error */ 1034 /* Parameters: data(I) - pointer to data from ioctl call */ 1035 /* */ 1036 /* This function is called when an application is waiting for a packet to */ 1037 /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */ 1038 /* a packet waiting on the queue then we will return that _one_ immediately.*/ 1039 /* If there are no packets present in the queue (ipf_auth_pkts) then we go */ 1040 /* to sleep. */ 1041 /* ------------------------------------------------------------------------ */ 1042 static int 1043 ipf_auth_wait(softc, softa, data) 1044 ipf_main_softc_t *softc; 1045 ipf_auth_softc_t *softa; 1046 char *data; 1047 { 1048 frauth_t auth, *au = &auth; 1049 int error, len, i; 1050 mb_t *m; 1051 char *t; 1052 SPL_INT(s); 1053 1054 ipf_auth_ioctlloop: 1055 error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH); 1056 if (error != 0) 1057 return error; 1058 1059 /* 1060 * XXX Locks are held below over calls to copyout...a better 1061 * solution needs to be found so this isn't necessary. The situation 1062 * we are trying to guard against here is an error in the copyout 1063 * steps should not cause the packet to "disappear" from the queue. 1064 */ 1065 SPL_NET(s); 1066 READ_ENTER(&softa->ipf_authlk); 1067 1068 /* 1069 * If ipf_auth_next is not equal to ipf_auth_end it will be because 1070 * there is a packet waiting to be delt with in the ipf_auth_pkts 1071 * array. We copy as much of that out to user space as requested. 1072 */ 1073 if (softa->ipf_auth_used > 0) { 1074 while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) { 1075 softa->ipf_auth_next++; 1076 if (softa->ipf_auth_next == softa->ipf_auth_size) 1077 softa->ipf_auth_next = 0; 1078 } 1079 1080 error = ipf_outobj(softc, data, 1081 &softa->ipf_auth[softa->ipf_auth_next], 1082 IPFOBJ_FRAUTH); 1083 if (error != 0) { 1084 RWLOCK_EXIT(&softa->ipf_authlk); 1085 SPL_X(s); 1086 return error; 1087 } 1088 1089 if (auth.fra_len != 0 && auth.fra_buf != NULL) { 1090 /* 1091 * Copy packet contents out to user space if 1092 * requested. Bail on an error. 1093 */ 1094 m = softa->ipf_auth_pkts[softa->ipf_auth_next]; 1095 len = MSGDSIZE(m); 1096 if (len > auth.fra_len) 1097 len = auth.fra_len; 1098 auth.fra_len = len; 1099 1100 for (t = auth.fra_buf; m && (len > 0); ) { 1101 i = MIN(M_LEN(m), len); 1102 error = copyoutptr(softc, MTOD(m, char *), 1103 &t, i); 1104 len -= i; 1105 t += i; 1106 if (error != 0) { 1107 RWLOCK_EXIT(&softa->ipf_authlk); 1108 SPL_X(s); 1109 return error; 1110 } 1111 m = m->m_next; 1112 } 1113 } 1114 RWLOCK_EXIT(&softa->ipf_authlk); 1115 1116 SPL_NET(s); 1117 WRITE_ENTER(&softa->ipf_authlk); 1118 softa->ipf_auth_next++; 1119 if (softa->ipf_auth_next == softa->ipf_auth_size) 1120 softa->ipf_auth_next = 0; 1121 RWLOCK_EXIT(&softa->ipf_authlk); 1122 SPL_X(s); 1123 1124 return 0; 1125 } 1126 RWLOCK_EXIT(&softa->ipf_authlk); 1127 SPL_X(s); 1128 1129 MUTEX_ENTER(&softa->ipf_auth_mx); 1130 #ifdef _KERNEL 1131 # if SOLARIS 1132 error = 0; 1133 if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) { 1134 IPFERROR(10014); 1135 error = EINTR; 1136 } 1137 # else /* SOLARIS */ 1138 # ifdef __hpux 1139 { 1140 lock_t *l; 1141 1142 l = get_sleep_lock(&softa->ipf_auth_next); 1143 error = sleep(&softa->ipf_auth_next, PZERO+1); 1144 spinunlock(l); 1145 } 1146 # else 1147 # ifdef __osf__ 1148 error = mpsleep(&softa->ipf_auth_next, PSUSP|PCATCH, "ipf_auth_next", 1149 0, &softa->ipf_auth_mx, MS_LOCK_SIMPLE); 1150 # else 1151 error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next"); 1152 # endif /* __osf__ */ 1153 # endif /* __hpux */ 1154 # endif /* SOLARIS */ 1155 #endif 1156 MUTEX_EXIT(&softa->ipf_auth_mx); 1157 if (error == 0) 1158 goto ipf_auth_ioctlloop; 1159 return error; 1160 } 1161 1162 1163 /* ------------------------------------------------------------------------ */ 1164 /* Function: ipf_auth_reply */ 1165 /* Returns: int - 0 == success, else error */ 1166 /* Parameters: data(I) - pointer to data from ioctl call */ 1167 /* */ 1168 /* This function is called by an application when it wants to return a */ 1169 /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */ 1170 /* received information using an SIOCAUTHW. The decision returned in the */ 1171 /* form of flags, the same as those used in each rule. */ 1172 /* ------------------------------------------------------------------------ */ 1173 static int 1174 ipf_auth_reply(softc, softa, data) 1175 ipf_main_softc_t *softc; 1176 ipf_auth_softc_t *softa; 1177 char *data; 1178 { 1179 frauth_t auth, *au = &auth, *fra; 1180 fr_info_t fin; 1181 int error, i; 1182 mb_t *m; 1183 SPL_INT(s); 1184 1185 error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH); 1186 if (error != 0) 1187 return error; 1188 1189 SPL_NET(s); 1190 WRITE_ENTER(&softa->ipf_authlk); 1191 1192 i = au->fra_index; 1193 fra = softa->ipf_auth + i; 1194 error = 0; 1195 1196 /* 1197 * Check the validity of the information being returned with two simple 1198 * checks. First, the auth index value should be within the size of 1199 * the array and second the packet id being returned should also match. 1200 */ 1201 if ((i < 0) || (i >= softa->ipf_auth_size)) { 1202 RWLOCK_EXIT(&softa->ipf_authlk); 1203 SPL_X(s); 1204 IPFERROR(10015); 1205 return ESRCH; 1206 } 1207 if (fra->fra_info.fin_id != au->fra_info.fin_id) { 1208 RWLOCK_EXIT(&softa->ipf_authlk); 1209 SPL_X(s); 1210 IPFERROR(10019); 1211 return ESRCH; 1212 } 1213 1214 m = softa->ipf_auth_pkts[i]; 1215 fra->fra_index = -2; 1216 fra->fra_pass = au->fra_pass; 1217 softa->ipf_auth_pkts[i] = NULL; 1218 softa->ipf_auth_replies++; 1219 bcopy(&fra->fra_info, &fin, sizeof(fin)); 1220 1221 RWLOCK_EXIT(&softa->ipf_authlk); 1222 1223 /* 1224 * Re-insert the packet back into the packet stream flowing through 1225 * the kernel in a manner that will mean IPFilter sees the packet 1226 * again. This is not the same as is done with fastroute, 1227 * deliberately, as we want to resume the normal packet processing 1228 * path for it. 1229 */ 1230 #ifdef _KERNEL 1231 if ((m != NULL) && (au->fra_info.fin_out != 0)) { 1232 error = ipf_inject(&fin, m); 1233 if (error != 0) { 1234 IPFERROR(10016); 1235 error = ENOBUFS; 1236 softa->ipf_auth_stats.fas_sendfail++; 1237 } else { 1238 softa->ipf_auth_stats.fas_sendok++; 1239 } 1240 } else if (m) { 1241 error = ipf_inject(&fin, m); 1242 if (error != 0) { 1243 IPFERROR(10017); 1244 error = ENOBUFS; 1245 softa->ipf_auth_stats.fas_quefail++; 1246 } else { 1247 softa->ipf_auth_stats.fas_queok++; 1248 } 1249 } else { 1250 IPFERROR(10018); 1251 error = EINVAL; 1252 } 1253 1254 /* 1255 * If we experience an error which will result in the packet 1256 * not being processed, make sure we advance to the next one. 1257 */ 1258 if (error == ENOBUFS) { 1259 WRITE_ENTER(&softa->ipf_authlk); 1260 softa->ipf_auth_used--; 1261 fra->fra_index = -1; 1262 fra->fra_pass = 0; 1263 if (i == softa->ipf_auth_start) { 1264 while (fra->fra_index == -1) { 1265 i++; 1266 if (i == softa->ipf_auth_size) 1267 i = 0; 1268 softa->ipf_auth_start = i; 1269 if (i == softa->ipf_auth_end) 1270 break; 1271 } 1272 if (softa->ipf_auth_start == softa->ipf_auth_end) { 1273 softa->ipf_auth_next = 0; 1274 softa->ipf_auth_start = 0; 1275 softa->ipf_auth_end = 0; 1276 } 1277 } 1278 RWLOCK_EXIT(&softa->ipf_authlk); 1279 } 1280 #endif /* _KERNEL */ 1281 SPL_X(s); 1282 1283 return 0; 1284 } 1285 1286 1287 u_32_t 1288 ipf_auth_pre_scanlist(softc, fin, pass) 1289 ipf_main_softc_t *softc; 1290 fr_info_t *fin; 1291 u_32_t pass; 1292 { 1293 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1294 1295 if (softa->ipf_auth_ip != NULL) 1296 return ipf_scanlist(fin, softc->ipf_pass); 1297 1298 return pass; 1299 } 1300 1301 1302 frentry_t ** 1303 ipf_auth_rulehead(softc) 1304 ipf_main_softc_t *softc; 1305 { 1306 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1307 1308 return &softa->ipf_auth_ip; 1309 } 1310
Indexes created Mon Sep 22 13:09:51 GMT 2025