ip_auth.c revision 1.1.1.2
1 /* $NetBSD: ip_auth.c,v 1.1.1.2 2012/07/22 13:45:08 darrenr Exp $ */ 2 3 /* 4 * Copyright (C) 2012 by Darren Reed. 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 */ 8 #if defined(KERNEL) || defined(_KERNEL) 9 # undef KERNEL 10 # undef _KERNEL 11 # define KERNEL 1 12 # define _KERNEL 1 13 #endif 14 #include <sys/errno.h> 15 #include <sys/types.h> 16 #include <sys/param.h> 17 #include <sys/time.h> 18 #include <sys/file.h> 19 #if !defined(_KERNEL) 20 # include <stdio.h> 21 # include <stdlib.h> 22 # ifdef _STDC_C99 23 # include <stdbool.h> 24 # endif 25 # include <string.h> 26 # define _KERNEL 27 # ifdef __OpenBSD__ 28 struct file; 29 # endif 30 # include <sys/uio.h> 31 # undef _KERNEL 32 #endif 33 #if defined(_KERNEL) && (__FreeBSD_version >= 220000) 34 # include <sys/filio.h> 35 # include <sys/fcntl.h> 36 #else 37 # include <sys/ioctl.h> 38 #endif 39 #if !defined(linux) 40 # include <sys/protosw.h> 41 #endif 42 #include <sys/socket.h> 43 #if defined(_KERNEL) 44 # include <sys/systm.h> 45 # if !defined(__SVR4) && !defined(__svr4__) && !defined(linux) 46 # include <sys/mbuf.h> 47 # endif 48 #endif 49 #if defined(__SVR4) || defined(__svr4__) 50 # include <sys/filio.h> 51 # include <sys/byteorder.h> 52 # ifdef _KERNEL 53 # include <sys/dditypes.h> 54 # endif 55 # include <sys/stream.h> 56 # include <sys/kmem.h> 57 #endif 58 #if (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) || \ 59 (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000)) 60 # include <sys/queue.h> 61 #endif 62 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) 63 # include <machine/cpu.h> 64 #endif 65 #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000) 66 # include <sys/proc.h> 67 #endif 68 #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \ 69 !defined(_KERNEL) 70 # include <stdbool.h> 71 #endif 72 #include <net/if.h> 73 #ifdef sun 74 # include <net/af.h> 75 #endif 76 #include <netinet/in.h> 77 #include <netinet/in_systm.h> 78 #include <netinet/ip.h> 79 #if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi) 80 # define KERNEL 81 # define _KERNEL 82 # define NOT_KERNEL 83 #endif 84 #if !defined(linux) 85 # include <netinet/ip_var.h> 86 #endif 87 #ifdef NOT_KERNEL 88 # undef _KERNEL 89 # undef KERNEL 90 #endif 91 #include <netinet/tcp.h> 92 #if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */ 93 extern struct ifqueue ipintrq; /* ip packet input queue */ 94 #else 95 # if !defined(__hpux) && !defined(linux) 96 # if __FreeBSD_version >= 300000 97 # include <net/if_var.h> 98 # if __FreeBSD_version >= 500042 99 # define IF_QFULL _IF_QFULL 100 # define IF_DROP _IF_DROP 101 # endif /* __FreeBSD_version >= 500042 */ 102 # endif 103 # include <netinet/in_var.h> 104 # include <netinet/tcp_fsm.h> 105 # endif 106 #endif 107 #include <netinet/udp.h> 108 #include <netinet/ip_icmp.h> 109 #include "netinet/ip_compat.h" 110 #include <netinet/tcpip.h> 111 #include "netinet/ip_fil.h" 112 #include "netinet/ip_auth.h" 113 #if !defined(MENTAT) && !defined(linux) 114 # include <net/netisr.h> 115 # ifdef __FreeBSD__ 116 # include <machine/cpufunc.h> 117 # endif 118 #endif 119 #if (__FreeBSD_version >= 300000) 120 # include <sys/malloc.h> 121 # if defined(_KERNEL) && !defined(IPFILTER_LKM) 122 # include <sys/libkern.h> 123 # include <sys/systm.h> 124 # endif 125 #endif 126 /* END OF INCLUDES */ 127 128 #if !defined(lint) 129 static const char rcsid[] = "@(#)$Id: ip_auth.c,v 1.1.1.2 2012/07/22 13:45:08 darrenr Exp $"; 130 #endif 131 132 133 134 typedef struct ipf_auth_softc_s { 135 #if SOLARIS && defined(_KERNEL) 136 kcondvar_t ipf_auth_wait; 137 #endif /* SOLARIS */ 138 #if defined(linux) && defined(_KERNEL) 139 wait_queue_head_t ipf_auth_next_linux; 140 #endif 141 ipfrwlock_t ipf_authlk; 142 ipfmutex_t ipf_auth_mx; 143 int ipf_auth_size; 144 int ipf_auth_used; 145 int ipf_auth_replies; 146 int ipf_auth_defaultage; 147 int ipf_auth_lock; 148 ipf_authstat_t ipf_auth_stats; 149 frauth_t *ipf_auth; 150 mb_t **ipf_auth_pkts; 151 int ipf_auth_start; 152 int ipf_auth_end; 153 int ipf_auth_next; 154 frauthent_t *ipf_auth_entries; 155 frentry_t *ipf_auth_ip; 156 frentry_t *ipf_auth_rules; 157 } ipf_auth_softc_t; 158 159 160 static void ipf_auth_deref __P((frauthent_t **)); 161 static void ipf_auth_deref_unlocked __P((ipf_auth_softc_t *, frauthent_t **)); 162 static int ipf_auth_geniter __P((ipf_main_softc_t *, ipftoken_t *, 163 ipfgeniter_t *, ipfobj_t *)); 164 static int ipf_auth_reply __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *)); 165 static int ipf_auth_wait __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *)); 166 static int ipf_auth_flush __P((void *)); 167 168 169 /* ------------------------------------------------------------------------ */ 170 /* Function: ipf_auth_main_load */ 171 /* Returns: int - 0 == success, else error */ 172 /* Parameters: None */ 173 /* */ 174 /* A null-op function that exists as a placeholder so that the flow in */ 175 /* other functions is obvious. */ 176 /* ------------------------------------------------------------------------ */ 177 int 178 ipf_auth_main_load() 179 { 180 return 0; 181 } 182 183 184 /* ------------------------------------------------------------------------ */ 185 /* Function: ipf_auth_main_unload */ 186 /* Returns: int - 0 == success, else error */ 187 /* Parameters: None */ 188 /* */ 189 /* A null-op function that exists as a placeholder so that the flow in */ 190 /* other functions is obvious. */ 191 /* ------------------------------------------------------------------------ */ 192 int 193 ipf_auth_main_unload() 194 { 195 return 0; 196 } 197 198 199 /* ------------------------------------------------------------------------ */ 200 /* Function: ipf_auth_soft_create */ 201 /* Returns: int - NULL = failure, else success */ 202 /* Parameters: softc(I) - pointer to soft context data */ 203 /* */ 204 /* Create a structre to store all of the run-time data for packet auth in */ 205 /* and initialise some fields to their defaults. */ 206 /* ------------------------------------------------------------------------ */ 207 void * 208 ipf_auth_soft_create(softc) 209 ipf_main_softc_t *softc; 210 { 211 ipf_auth_softc_t *softa; 212 213 KMALLOC(softa, ipf_auth_softc_t *); 214 if (softa == NULL) 215 return NULL; 216 217 bzero((char *)softa, sizeof(*softa)); 218 219 softa->ipf_auth_size = FR_NUMAUTH; 220 softa->ipf_auth_defaultage = 600; 221 222 RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock"); 223 MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex"); 224 #if SOLARIS && defined(_KERNEL) 225 cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL); 226 #endif 227 228 return softa; 229 } 230 231 /* ------------------------------------------------------------------------ */ 232 /* Function: ipf_auth_soft_init */ 233 /* Returns: int - 0 == success, else error */ 234 /* Parameters: softc(I) - pointer to soft context data */ 235 /* arg(I) - opaque pointer to auth context data */ 236 /* */ 237 /* Allocate memory and initialise data structures used in handling auth */ 238 /* rules. */ 239 /* ------------------------------------------------------------------------ */ 240 int 241 ipf_auth_soft_init(softc, arg) 242 ipf_main_softc_t *softc; 243 void *arg; 244 { 245 ipf_auth_softc_t *softa = arg; 246 247 KMALLOCS(softa->ipf_auth, frauth_t *, 248 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 249 if (softa->ipf_auth == NULL) 250 return -1; 251 bzero((char *)softa->ipf_auth, 252 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 253 254 KMALLOCS(softa->ipf_auth_pkts, mb_t **, 255 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 256 if (softa->ipf_auth_pkts == NULL) 257 return -2; 258 bzero((char *)softa->ipf_auth_pkts, 259 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 260 261 #if defined(linux) && defined(_KERNEL) 262 init_waitqueue_head(&softa->ipf_auth_next_linux); 263 #endif 264 265 return 0; 266 } 267 268 269 /* ------------------------------------------------------------------------ */ 270 /* Function: ipf_auth_soft_fini */ 271 /* Returns: int - 0 == success, else error */ 272 /* Parameters: softc(I) - pointer to soft context data */ 273 /* arg(I) - opaque pointer to auth context data */ 274 /* */ 275 /* Free all network buffer memory used to keep saved packets that have been */ 276 /* connectedd to the soft soft context structure *but* do not free that: it */ 277 /* is free'd by _destroy(). */ 278 /* ------------------------------------------------------------------------ */ 279 int 280 ipf_auth_soft_fini(softc, arg) 281 ipf_main_softc_t *softc; 282 void *arg; 283 { 284 ipf_auth_softc_t *softa = arg; 285 frauthent_t *fae, **faep; 286 frentry_t *fr, **frp; 287 mb_t *m; 288 int i; 289 290 if (softa->ipf_auth != NULL) { 291 KFREES(softa->ipf_auth, 292 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 293 softa->ipf_auth = NULL; 294 } 295 296 if (softa->ipf_auth_pkts != NULL) { 297 for (i = 0; i < softa->ipf_auth_size; i++) { 298 m = softa->ipf_auth_pkts[i]; 299 if (m != NULL) { 300 FREE_MB_T(m); 301 softa->ipf_auth_pkts[i] = NULL; 302 } 303 } 304 KFREES(softa->ipf_auth_pkts, 305 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 306 softa->ipf_auth_pkts = NULL; 307 } 308 309 faep = &softa->ipf_auth_entries; 310 while ((fae = *faep) != NULL) { 311 *faep = fae->fae_next; 312 KFREE(fae); 313 } 314 softa->ipf_auth_ip = NULL; 315 316 if (softa->ipf_auth_rules != NULL) { 317 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 318 if (fr->fr_ref == 1) { 319 *frp = fr->fr_next; 320 MUTEX_DESTROY(&fr->fr_lock); 321 KFREE(fr); 322 } else 323 frp = &fr->fr_next; 324 } 325 } 326 327 return 0; 328 } 329 330 331 /* ------------------------------------------------------------------------ */ 332 /* Function: ipf_auth_soft_destroy */ 333 /* Returns: void */ 334 /* Parameters: softc(I) - pointer to soft context data */ 335 /* arg(I) - opaque pointer to auth context data */ 336 /* */ 337 /* Undo what was done in _create() - i.e. free the soft context data. */ 338 /* ------------------------------------------------------------------------ */ 339 void 340 ipf_auth_soft_destroy(softc, arg) 341 ipf_main_softc_t *softc; 342 void *arg; 343 { 344 ipf_auth_softc_t *softa = arg; 345 346 # if SOLARIS && defined(_KERNEL) 347 cv_destroy(&softa->ipf_auth_wait); 348 # endif 349 MUTEX_DESTROY(&softa->ipf_auth_mx); 350 RW_DESTROY(&softa->ipf_authlk); 351 352 KFREE(softa); 353 } 354 355 356 /* ------------------------------------------------------------------------ */ 357 /* Function: ipf_auth_setlock */ 358 /* Returns: void */ 359 /* Paramters: arg(I) - pointer to soft context data */ 360 /* tmp(I) - value to assign to auth lock */ 361 /* */ 362 /* ------------------------------------------------------------------------ */ 363 void 364 ipf_auth_setlock(arg, tmp) 365 void *arg; 366 int tmp; 367 { 368 ipf_auth_softc_t *softa = arg; 369 370 softa->ipf_auth_lock = tmp; 371 } 372 373 374 /* ------------------------------------------------------------------------ */ 375 /* Function: ipf_auth_check */ 376 /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */ 377 /* Parameters: fin(I) - pointer to ipftoken structure */ 378 /* passp(I) - pointer to ipfgeniter structure */ 379 /* */ 380 /* Check if a packet has authorization. If the packet is found to match an */ 381 /* authorization result and that would result in a feedback loop (i.e. it */ 382 /* will end up returning FR_AUTH) then return FR_BLOCK instead. */ 383 /* ------------------------------------------------------------------------ */ 384 frentry_t * 385 ipf_auth_check(fin, passp) 386 fr_info_t *fin; 387 u_32_t *passp; 388 { 389 ipf_main_softc_t *softc = fin->fin_main_soft; 390 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 391 frentry_t *fr; 392 frauth_t *fra; 393 u_32_t pass; 394 u_short id; 395 ip_t *ip; 396 int i; 397 398 if (softa->ipf_auth_lock || !softa->ipf_auth_used) 399 return NULL; 400 401 ip = fin->fin_ip; 402 id = ip->ip_id; 403 404 READ_ENTER(&softa->ipf_authlk); 405 for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) { 406 /* 407 * index becomes -2 only after an SIOCAUTHW. Check this in 408 * case the same packet gets sent again and it hasn't yet been 409 * auth'd. 410 */ 411 fra = softa->ipf_auth + i; 412 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) && 413 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) { 414 /* 415 * Avoid feedback loop. 416 */ 417 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) { 418 pass = FR_BLOCK; 419 fin->fin_reason = FRB_AUTHFEEDBACK; 420 } 421 /* 422 * Create a dummy rule for the stateful checking to 423 * use and return. Zero out any values we don't 424 * trust from userland! 425 */ 426 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) && 427 (fin->fin_flx & FI_FRAG))) { 428 KMALLOC(fr, frentry_t *); 429 if (fr) { 430 bcopy((char *)fra->fra_info.fin_fr, 431 (char *)fr, sizeof(*fr)); 432 fr->fr_grp = NULL; 433 fr->fr_ifa = fin->fin_ifp; 434 fr->fr_func = NULL; 435 fr->fr_ref = 1; 436 fr->fr_flags = pass; 437 fr->fr_ifas[1] = NULL; 438 fr->fr_ifas[2] = NULL; 439 fr->fr_ifas[3] = NULL; 440 MUTEX_INIT(&fr->fr_lock, 441 "ipf auth rule"); 442 } 443 } else 444 fr = fra->fra_info.fin_fr; 445 fin->fin_fr = fr; 446 fin->fin_flx |= fra->fra_flx; 447 RWLOCK_EXIT(&softa->ipf_authlk); 448 449 WRITE_ENTER(&softa->ipf_authlk); 450 /* 451 * ipf_auth_rules is populated with the rules malloc'd 452 * above and only those. 453 */ 454 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) { 455 fr->fr_next = softa->ipf_auth_rules; 456 softa->ipf_auth_rules = fr; 457 } 458 softa->ipf_auth_stats.fas_hits++; 459 fra->fra_index = -1; 460 softa->ipf_auth_used--; 461 softa->ipf_auth_replies--; 462 if (i == softa->ipf_auth_start) { 463 while (fra->fra_index == -1) { 464 i++; 465 fra++; 466 if (i == softa->ipf_auth_size) { 467 i = 0; 468 fra = softa->ipf_auth; 469 } 470 softa->ipf_auth_start = i; 471 if (i == softa->ipf_auth_end) 472 break; 473 } 474 if (softa->ipf_auth_start == 475 softa->ipf_auth_end) { 476 softa->ipf_auth_next = 0; 477 softa->ipf_auth_start = 0; 478 softa->ipf_auth_end = 0; 479 } 480 } 481 RWLOCK_EXIT(&softa->ipf_authlk); 482 if (passp != NULL) 483 *passp = pass; 484 softa->ipf_auth_stats.fas_hits++; 485 return fr; 486 } 487 i++; 488 if (i == softa->ipf_auth_size) 489 i = 0; 490 } 491 RWLOCK_EXIT(&softa->ipf_authlk); 492 softa->ipf_auth_stats.fas_miss++; 493 return NULL; 494 } 495 496 497 /* ------------------------------------------------------------------------ */ 498 /* Function: ipf_auth_new */ 499 /* Returns: int - 1 == success, 0 = did not put packet on auth queue */ 500 /* Parameters: m(I) - pointer to mb_t with packet in it */ 501 /* fin(I) - pointer to packet information */ 502 /* */ 503 /* Check if we have room in the auth array to hold details for another */ 504 /* packet. If we do, store it and wake up any user programs which are */ 505 /* waiting to hear about these events. */ 506 /* ------------------------------------------------------------------------ */ 507 int 508 ipf_auth_new(m, fin) 509 mb_t *m; 510 fr_info_t *fin; 511 { 512 ipf_main_softc_t *softc = fin->fin_main_soft; 513 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 514 #if defined(_KERNEL) && defined(MENTAT) 515 qpktinfo_t *qpi = fin->fin_qpi; 516 #endif 517 frauth_t *fra; 518 #if !defined(sparc) && !defined(m68k) 519 ip_t *ip; 520 #endif 521 int i; 522 523 if (softa->ipf_auth_lock) 524 return 0; 525 526 WRITE_ENTER(&softa->ipf_authlk); 527 if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) == 528 softa->ipf_auth_start) { 529 softa->ipf_auth_stats.fas_nospace++; 530 RWLOCK_EXIT(&softa->ipf_authlk); 531 return 0; 532 } 533 534 softa->ipf_auth_stats.fas_added++; 535 softa->ipf_auth_used++; 536 i = softa->ipf_auth_end++; 537 if (softa->ipf_auth_end == softa->ipf_auth_size) 538 softa->ipf_auth_end = 0; 539 540 fra = softa->ipf_auth + i; 541 fra->fra_index = i; 542 if (fin->fin_fr != NULL) 543 fra->fra_pass = fin->fin_fr->fr_flags; 544 else 545 fra->fra_pass = 0; 546 fra->fra_age = softa->ipf_auth_defaultage; 547 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin)); 548 fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED); 549 fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED); 550 #if !defined(sparc) && !defined(m68k) 551 /* 552 * No need to copyback here as we want to undo the changes, not keep 553 * them. 554 */ 555 ip = fin->fin_ip; 556 # if defined(MENTAT) && defined(_KERNEL) 557 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4)) 558 # endif 559 { 560 register u_short bo; 561 562 bo = ip->ip_len; 563 ip->ip_len = htons(bo); 564 bo = ip->ip_off; 565 ip->ip_off = htons(bo); 566 } 567 #endif 568 #if SOLARIS && defined(_KERNEL) 569 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname); 570 m->b_rptr -= qpi->qpi_off; 571 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */ 572 fra->fra_m = *fin->fin_mp; 573 fra->fra_info.fin_mp = &fra->fra_m; 574 softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp; 575 RWLOCK_EXIT(&softa->ipf_authlk); 576 cv_signal(&softa->ipf_auth_wait); 577 pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM); 578 #else 579 softa->ipf_auth_pkts[i] = m; 580 RWLOCK_EXIT(&softa->ipf_authlk); 581 WAKEUP(&softa->ipf_auth_next, 0); 582 #endif 583 return 1; 584 } 585 586 587 /* ------------------------------------------------------------------------ */ 588 /* Function: ipf_auth_ioctl */ 589 /* Returns: int - 0 == success, else error */ 590 /* Parameters: data(IO) - pointer to ioctl data */ 591 /* cmd(I) - ioctl command */ 592 /* mode(I) - mode flags associated with open descriptor */ 593 /* uid(I) - uid associatd with application making the call */ 594 /* ctx(I) - pointer for context */ 595 /* */ 596 /* This function handles all of the ioctls recognised by the auth component */ 597 /* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */ 598 /* ------------------------------------------------------------------------ */ 599 int 600 ipf_auth_ioctl(softc, data, cmd, mode, uid, ctx) 601 ipf_main_softc_t *softc; 602 caddr_t data; 603 ioctlcmd_t cmd; 604 int mode, uid; 605 void *ctx; 606 { 607 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 608 int error = 0, i; 609 SPL_INT(s); 610 611 switch (cmd) 612 { 613 case SIOCGENITER : 614 { 615 ipftoken_t *token; 616 ipfgeniter_t iter; 617 ipfobj_t obj; 618 619 error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER); 620 if (error != 0) 621 break; 622 623 SPL_SCHED(s); 624 token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx); 625 if (token != NULL) 626 error = ipf_auth_geniter(softc, token, &iter, &obj); 627 else { 628 WRITE_ENTER(&softc->ipf_tokens); 629 ipf_token_deref(softc, token); 630 RWLOCK_EXIT(&softc->ipf_tokens); 631 IPFERROR(10001); 632 error = ESRCH; 633 } 634 SPL_X(s); 635 636 break; 637 } 638 639 case SIOCADAFR : 640 case SIOCRMAFR : 641 if (!(mode & FWRITE)) { 642 IPFERROR(10002); 643 error = EPERM; 644 } else 645 error = frrequest(softc, IPL_LOGAUTH, cmd, data, 646 softc->ipf_active, 1); 647 break; 648 649 case SIOCSTLCK : 650 if (!(mode & FWRITE)) { 651 IPFERROR(10003); 652 error = EPERM; 653 } else { 654 error = ipf_lock(data, &softa->ipf_auth_lock); 655 } 656 break; 657 658 case SIOCATHST: 659 softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries; 660 error = ipf_outobj(softc, data, &softa->ipf_auth_stats, 661 IPFOBJ_AUTHSTAT); 662 break; 663 664 case SIOCIPFFL: 665 SPL_NET(s); 666 WRITE_ENTER(&softa->ipf_authlk); 667 i = ipf_auth_flush(softa); 668 RWLOCK_EXIT(&softa->ipf_authlk); 669 SPL_X(s); 670 error = BCOPYOUT(&i, data, sizeof(i)); 671 if (error != 0) { 672 IPFERROR(10004); 673 error = EFAULT; 674 } 675 break; 676 677 case SIOCAUTHW: 678 error = ipf_auth_wait(softc, softa, data); 679 break; 680 681 case SIOCAUTHR: 682 error = ipf_auth_reply(softc, softa, data); 683 break; 684 685 default : 686 IPFERROR(10005); 687 error = EINVAL; 688 break; 689 } 690 return error; 691 } 692 693 694 /* ------------------------------------------------------------------------ */ 695 /* Function: ipf_auth_expire */ 696 /* Returns: None */ 697 /* Parameters: None */ 698 /* */ 699 /* Slowly expire held auth records. Timeouts are set in expectation of */ 700 /* this being called twice per second. */ 701 /* ------------------------------------------------------------------------ */ 702 void 703 ipf_auth_expire(softc) 704 ipf_main_softc_t *softc; 705 { 706 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 707 frauthent_t *fae, **faep; 708 frentry_t *fr, **frp; 709 frauth_t *fra; 710 mb_t *m; 711 int i; 712 SPL_INT(s); 713 714 if (softa->ipf_auth_lock) 715 return; 716 SPL_NET(s); 717 WRITE_ENTER(&softa->ipf_authlk); 718 for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size; 719 i++, fra++) { 720 fra->fra_age--; 721 if ((fra->fra_age == 0) && 722 (softa->ipf_auth[i].fra_index != -1)) { 723 if ((m = softa->ipf_auth_pkts[i]) != NULL) { 724 FREE_MB_T(m); 725 softa->ipf_auth_pkts[i] = NULL; 726 } else if (softa->ipf_auth[i].fra_index == -2) { 727 softa->ipf_auth_replies--; 728 } 729 softa->ipf_auth[i].fra_index = -1; 730 softa->ipf_auth_stats.fas_expire++; 731 softa->ipf_auth_used--; 732 } 733 } 734 735 /* 736 * Expire pre-auth rules 737 */ 738 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 739 fae->fae_age--; 740 if (fae->fae_age == 0) { 741 ipf_auth_deref(&fae); 742 softa->ipf_auth_stats.fas_expire++; 743 } else 744 faep = &fae->fae_next; 745 } 746 if (softa->ipf_auth_entries != NULL) 747 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 748 else 749 softa->ipf_auth_ip = NULL; 750 751 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 752 if (fr->fr_ref == 1) { 753 *frp = fr->fr_next; 754 MUTEX_DESTROY(&fr->fr_lock); 755 KFREE(fr); 756 } else 757 frp = &fr->fr_next; 758 } 759 RWLOCK_EXIT(&softa->ipf_authlk); 760 SPL_X(s); 761 } 762 763 764 /* ------------------------------------------------------------------------ */ 765 /* Function: ipf_auth_precmd */ 766 /* Returns: int - 0 == success, else error */ 767 /* Parameters: cmd(I) - ioctl command for rule */ 768 /* fr(I) - pointer to ipf rule */ 769 /* fptr(I) - pointer to caller's 'fr' */ 770 /* */ 771 /* ------------------------------------------------------------------------ */ 772 int 773 ipf_auth_precmd(softc, cmd, fr, frptr) 774 ipf_main_softc_t *softc; 775 ioctlcmd_t cmd; 776 frentry_t *fr, **frptr; 777 { 778 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 779 frauthent_t *fae, **faep; 780 int error = 0; 781 SPL_INT(s); 782 783 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) { 784 IPFERROR(10006); 785 return EIO; 786 } 787 788 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 789 if (&fae->fae_fr == fr) 790 break; 791 else 792 faep = &fae->fae_next; 793 } 794 795 if (cmd == (ioctlcmd_t)SIOCRMAFR) { 796 if (fr == NULL || frptr == NULL) { 797 IPFERROR(10007); 798 error = EINVAL; 799 800 } else if (fae == NULL) { 801 IPFERROR(10008); 802 error = ESRCH; 803 804 } else { 805 SPL_NET(s); 806 WRITE_ENTER(&softa->ipf_authlk); 807 *faep = fae->fae_next; 808 if (softa->ipf_auth_ip == &fae->fae_fr) 809 softa->ipf_auth_ip = softa->ipf_auth_entries ? 810 &softa->ipf_auth_entries->fae_fr : NULL; 811 RWLOCK_EXIT(&softa->ipf_authlk); 812 SPL_X(s); 813 814 KFREE(fae); 815 } 816 } else if (fr != NULL && frptr != NULL) { 817 KMALLOC(fae, frauthent_t *); 818 if (fae != NULL) { 819 bcopy((char *)fr, (char *)&fae->fae_fr, 820 sizeof(*fr)); 821 SPL_NET(s); 822 WRITE_ENTER(&softa->ipf_authlk); 823 fae->fae_age = softa->ipf_auth_defaultage; 824 fae->fae_fr.fr_hits = 0; 825 fae->fae_fr.fr_next = *frptr; 826 fae->fae_ref = 1; 827 *frptr = &fae->fae_fr; 828 fae->fae_next = *faep; 829 *faep = fae; 830 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 831 RWLOCK_EXIT(&softa->ipf_authlk); 832 SPL_X(s); 833 } else { 834 IPFERROR(10009); 835 error = ENOMEM; 836 } 837 } else { 838 IPFERROR(10010); 839 error = EINVAL; 840 } 841 return error; 842 } 843 844 845 /* ------------------------------------------------------------------------ */ 846 /* Function: ipf_auth_flush */ 847 /* Returns: int - number of auth entries flushed */ 848 /* Parameters: None */ 849 /* Locks: WRITE(ipf_authlk) */ 850 /* */ 851 /* This function flushs the ipf_auth_pkts array of any packet data with */ 852 /* references still there. */ 853 /* It is expected that the caller has already acquired the correct locks or */ 854 /* set the priority level correctly for this to block out other code paths */ 855 /* into these data structures. */ 856 /* ------------------------------------------------------------------------ */ 857 static int 858 ipf_auth_flush(arg) 859 void *arg; 860 { 861 ipf_auth_softc_t *softa = arg; 862 int i, num_flushed; 863 mb_t *m; 864 865 if (softa->ipf_auth_lock) 866 return -1; 867 868 num_flushed = 0; 869 870 for (i = 0 ; i < softa->ipf_auth_size; i++) { 871 if (softa->ipf_auth[i].fra_index != -1) { 872 m = softa->ipf_auth_pkts[i]; 873 if (m != NULL) { 874 FREE_MB_T(m); 875 softa->ipf_auth_pkts[i] = NULL; 876 } 877 878 softa->ipf_auth[i].fra_index = -1; 879 /* perhaps add & use a flush counter inst.*/ 880 softa->ipf_auth_stats.fas_expire++; 881 num_flushed++; 882 } 883 } 884 885 softa->ipf_auth_start = 0; 886 softa->ipf_auth_end = 0; 887 softa->ipf_auth_next = 0; 888 softa->ipf_auth_used = 0; 889 softa->ipf_auth_replies = 0; 890 891 return num_flushed; 892 } 893 894 895 /* ------------------------------------------------------------------------ */ 896 /* Function: ipf_auth_waiting */ 897 /* Returns: int - number of packets in the auth queue */ 898 /* Parameters: None */ 899 /* */ 900 /* Simple truth check to see if there are any packets waiting in the auth */ 901 /* queue. */ 902 /* ------------------------------------------------------------------------ */ 903 int 904 ipf_auth_waiting(softc) 905 ipf_main_softc_t *softc; 906 { 907 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 908 909 return (softa->ipf_auth_used != 0); 910 } 911 912 913 /* ------------------------------------------------------------------------ */ 914 /* Function: ipf_auth_geniter */ 915 /* Returns: int - 0 == success, else error */ 916 /* Parameters: token(I) - pointer to ipftoken structure */ 917 /* itp(I) - pointer to ipfgeniter structure */ 918 /* objp(I) - pointer to ipf object destription */ 919 /* */ 920 /* Iterate through the list of entries in the auth queue list. */ 921 /* objp is used here to get the location of where to do the copy out to. */ 922 /* Stomping over various fields with new information will not harm anything */ 923 /* ------------------------------------------------------------------------ */ 924 static int 925 ipf_auth_geniter(softc, token, itp, objp) 926 ipf_main_softc_t *softc; 927 ipftoken_t *token; 928 ipfgeniter_t *itp; 929 ipfobj_t *objp; 930 { 931 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 932 frauthent_t *fae, *next, zero; 933 int error; 934 935 if (itp->igi_data == NULL) { 936 IPFERROR(10011); 937 return EFAULT; 938 } 939 940 if (itp->igi_type != IPFGENITER_AUTH) { 941 IPFERROR(10012); 942 return EINVAL; 943 } 944 945 objp->ipfo_type = IPFOBJ_FRAUTH; 946 objp->ipfo_ptr = itp->igi_data; 947 objp->ipfo_size = sizeof(frauth_t); 948 949 READ_ENTER(&softa->ipf_authlk); 950 951 fae = token->ipt_data; 952 if (fae == NULL) { 953 next = softa->ipf_auth_entries; 954 } else { 955 next = fae->fae_next; 956 } 957 958 /* 959 * If we found an auth entry to use, bump its reference count 960 * so that it can be used for is_next when we come back. 961 */ 962 if (next != NULL) { 963 ATOMIC_INC(next->fae_ref); 964 token->ipt_data = next; 965 } else { 966 bzero(&zero, sizeof(zero)); 967 next = &zero; 968 token->ipt_data = NULL; 969 } 970 971 RWLOCK_EXIT(&softa->ipf_authlk); 972 973 error = ipf_outobjk(softc, objp, next); 974 if (fae != NULL) 975 ipf_auth_deref_unlocked(softa, &fae); 976 977 if (next->fae_next == NULL) 978 ipf_token_mark_complete(token); 979 return error; 980 } 981 982 983 /* ------------------------------------------------------------------------ */ 984 /* Function: ipf_auth_deref_unlocked */ 985 /* Returns: None */ 986 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 987 /* */ 988 /* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */ 989 /* held. */ 990 /* ------------------------------------------------------------------------ */ 991 static void 992 ipf_auth_deref_unlocked(softa, faep) 993 ipf_auth_softc_t *softa; 994 frauthent_t **faep; 995 { 996 WRITE_ENTER(&softa->ipf_authlk); 997 ipf_auth_deref(faep); 998 RWLOCK_EXIT(&softa->ipf_authlk); 999 } 1000 1001 1002 /* ------------------------------------------------------------------------ */ 1003 /* Function: ipf_auth_deref */ 1004 /* Returns: None */ 1005 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 1006 /* Locks: WRITE(ipf_authlk) */ 1007 /* */ 1008 /* This function unconditionally sets the pointer in the caller to NULL, */ 1009 /* to make it clear that it should no longer use that pointer, and drops */ 1010 /* the reference count on the structure by 1. If it reaches 0, free it up. */ 1011 /* ------------------------------------------------------------------------ */ 1012 static void 1013 ipf_auth_deref(faep) 1014 frauthent_t **faep; 1015 { 1016 frauthent_t *fae; 1017 1018 fae = *faep; 1019 *faep = NULL; 1020 1021 fae->fae_ref--; 1022 if (fae->fae_ref == 0) { 1023 KFREE(fae); 1024 } 1025 } 1026 1027 1028 /* ------------------------------------------------------------------------ */ 1029 /* Function: ipf_auth_wait_pkt */ 1030 /* Returns: int - 0 == success, else error */ 1031 /* Parameters: data(I) - pointer to data from ioctl call */ 1032 /* */ 1033 /* This function is called when an application is waiting for a packet to */ 1034 /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */ 1035 /* a packet waiting on the queue then we will return that _one_ immediately.*/ 1036 /* If there are no packets present in the queue (ipf_auth_pkts) then we go */ 1037 /* to sleep. */ 1038 /* ------------------------------------------------------------------------ */ 1039 static int 1040 ipf_auth_wait(softc, softa, data) 1041 ipf_main_softc_t *softc; 1042 ipf_auth_softc_t *softa; 1043 char *data; 1044 { 1045 frauth_t auth, *au = &auth; 1046 int error, len, i; 1047 mb_t *m; 1048 char *t; 1049 SPL_INT(s); 1050 1051 ipf_auth_ioctlloop: 1052 error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH); 1053 if (error != 0) 1054 return error; 1055 1056 /* 1057 * XXX Locks are held below over calls to copyout...a better 1058 * solution needs to be found so this isn't necessary. The situation 1059 * we are trying to guard against here is an error in the copyout 1060 * steps should not cause the packet to "disappear" from the queue. 1061 */ 1062 SPL_NET(s); 1063 READ_ENTER(&softa->ipf_authlk); 1064 1065 /* 1066 * If ipf_auth_next is not equal to ipf_auth_end it will be because 1067 * there is a packet waiting to be delt with in the ipf_auth_pkts 1068 * array. We copy as much of that out to user space as requested. 1069 */ 1070 if (softa->ipf_auth_used > 0) { 1071 while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) { 1072 softa->ipf_auth_next++; 1073 if (softa->ipf_auth_next == softa->ipf_auth_size) 1074 softa->ipf_auth_next = 0; 1075 } 1076 1077 error = ipf_outobj(softc, data, 1078 &softa->ipf_auth[softa->ipf_auth_next], 1079 IPFOBJ_FRAUTH); 1080 if (error != 0) { 1081 RWLOCK_EXIT(&softa->ipf_authlk); 1082 SPL_X(s); 1083 return error; 1084 } 1085 1086 if (auth.fra_len != 0 && auth.fra_buf != NULL) { 1087 /* 1088 * Copy packet contents out to user space if 1089 * requested. Bail on an error. 1090 */ 1091 m = softa->ipf_auth_pkts[softa->ipf_auth_next]; 1092 len = MSGDSIZE(m); 1093 if (len > auth.fra_len) 1094 len = auth.fra_len; 1095 auth.fra_len = len; 1096 1097 for (t = auth.fra_buf; m && (len > 0); ) { 1098 i = MIN(M_LEN(m), len); 1099 error = copyoutptr(softc, MTOD(m, char *), 1100 &t, i); 1101 len -= i; 1102 t += i; 1103 if (error != 0) { 1104 RWLOCK_EXIT(&softa->ipf_authlk); 1105 SPL_X(s); 1106 return error; 1107 } 1108 m = m->m_next; 1109 } 1110 } 1111 RWLOCK_EXIT(&softa->ipf_authlk); 1112 1113 SPL_NET(s); 1114 WRITE_ENTER(&softa->ipf_authlk); 1115 softa->ipf_auth_next++; 1116 if (softa->ipf_auth_next == softa->ipf_auth_size) 1117 softa->ipf_auth_next = 0; 1118 RWLOCK_EXIT(&softa->ipf_authlk); 1119 SPL_X(s); 1120 1121 return 0; 1122 } 1123 RWLOCK_EXIT(&softa->ipf_authlk); 1124 SPL_X(s); 1125 1126 MUTEX_ENTER(&softa->ipf_auth_mx); 1127 #ifdef _KERNEL 1128 # if SOLARIS 1129 error = 0; 1130 if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) { 1131 IPFERROR(10014); 1132 error = EINTR; 1133 } 1134 # else /* SOLARIS */ 1135 # ifdef __hpux 1136 { 1137 lock_t *l; 1138 1139 l = get_sleep_lock(&softa->ipf_auth_next); 1140 error = sleep(&softa->ipf_auth_next, PZERO+1); 1141 spinunlock(l); 1142 } 1143 # else 1144 # ifdef __osf__ 1145 error = mpsleep(&softa->ipf_auth_next, PSUSP|PCATCH, "ipf_auth_next", 1146 0, &softa->ipf_auth_mx, MS_LOCK_SIMPLE); 1147 # else 1148 error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next"); 1149 # endif /* __osf__ */ 1150 # endif /* __hpux */ 1151 # endif /* SOLARIS */ 1152 #endif 1153 MUTEX_EXIT(&softa->ipf_auth_mx); 1154 if (error == 0) 1155 goto ipf_auth_ioctlloop; 1156 return error; 1157 } 1158 1159 1160 /* ------------------------------------------------------------------------ */ 1161 /* Function: ipf_auth_reply */ 1162 /* Returns: int - 0 == success, else error */ 1163 /* Parameters: data(I) - pointer to data from ioctl call */ 1164 /* */ 1165 /* This function is called by an application when it wants to return a */ 1166 /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */ 1167 /* received information using an SIOCAUTHW. The decision returned in the */ 1168 /* form of flags, the same as those used in each rule. */ 1169 /* ------------------------------------------------------------------------ */ 1170 static int 1171 ipf_auth_reply(softc, softa, data) 1172 ipf_main_softc_t *softc; 1173 ipf_auth_softc_t *softa; 1174 char *data; 1175 { 1176 frauth_t auth, *au = &auth, *fra; 1177 fr_info_t fin; 1178 int error, i; 1179 mb_t *m; 1180 SPL_INT(s); 1181 1182 error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH); 1183 if (error != 0) 1184 return error; 1185 1186 SPL_NET(s); 1187 WRITE_ENTER(&softa->ipf_authlk); 1188 1189 i = au->fra_index; 1190 fra = softa->ipf_auth + i; 1191 error = 0; 1192 1193 /* 1194 * Check the validity of the information being returned with two simple 1195 * checks. First, the auth index value should be within the size of 1196 * the array and second the packet id being returned should also match. 1197 */ 1198 if ((i < 0) || (i >= softa->ipf_auth_size)) { 1199 RWLOCK_EXIT(&softa->ipf_authlk); 1200 SPL_X(s); 1201 IPFERROR(10015); 1202 return ESRCH; 1203 } 1204 if (fra->fra_info.fin_id != au->fra_info.fin_id) { 1205 RWLOCK_EXIT(&softa->ipf_authlk); 1206 SPL_X(s); 1207 IPFERROR(10019); 1208 return ESRCH; 1209 } 1210 1211 m = softa->ipf_auth_pkts[i]; 1212 fra->fra_index = -2; 1213 fra->fra_pass = au->fra_pass; 1214 softa->ipf_auth_pkts[i] = NULL; 1215 softa->ipf_auth_replies++; 1216 bcopy(&fra->fra_info, &fin, sizeof(fin)); 1217 1218 RWLOCK_EXIT(&softa->ipf_authlk); 1219 1220 /* 1221 * Re-insert the packet back into the packet stream flowing through 1222 * the kernel in a manner that will mean IPFilter sees the packet 1223 * again. This is not the same as is done with fastroute, 1224 * deliberately, as we want to resume the normal packet processing 1225 * path for it. 1226 */ 1227 #ifdef _KERNEL 1228 if ((m != NULL) && (au->fra_info.fin_out != 0)) { 1229 error = ipf_inject(&fin, m); 1230 if (error != 0) { 1231 IPFERROR(10016); 1232 error = ENOBUFS; 1233 softa->ipf_auth_stats.fas_sendfail++; 1234 } else { 1235 softa->ipf_auth_stats.fas_sendok++; 1236 } 1237 } else if (m) { 1238 error = ipf_inject(&fin, m); 1239 if (error != 0) { 1240 IPFERROR(10017); 1241 error = ENOBUFS; 1242 softa->ipf_auth_stats.fas_quefail++; 1243 } else { 1244 softa->ipf_auth_stats.fas_queok++; 1245 } 1246 } else { 1247 IPFERROR(10018); 1248 error = EINVAL; 1249 } 1250 1251 /* 1252 * If we experience an error which will result in the packet 1253 * not being processed, make sure we advance to the next one. 1254 */ 1255 if (error == ENOBUFS) { 1256 WRITE_ENTER(&softa->ipf_authlk); 1257 softa->ipf_auth_used--; 1258 fra->fra_index = -1; 1259 fra->fra_pass = 0; 1260 if (i == softa->ipf_auth_start) { 1261 while (fra->fra_index == -1) { 1262 i++; 1263 if (i == softa->ipf_auth_size) 1264 i = 0; 1265 softa->ipf_auth_start = i; 1266 if (i == softa->ipf_auth_end) 1267 break; 1268 } 1269 if (softa->ipf_auth_start == softa->ipf_auth_end) { 1270 softa->ipf_auth_next = 0; 1271 softa->ipf_auth_start = 0; 1272 softa->ipf_auth_end = 0; 1273 } 1274 } 1275 RWLOCK_EXIT(&softa->ipf_authlk); 1276 } 1277 #endif /* _KERNEL */ 1278 SPL_X(s); 1279 1280 return 0; 1281 } 1282 1283 1284 u_32_t 1285 ipf_auth_pre_scanlist(softc, fin, pass) 1286 ipf_main_softc_t *softc; 1287 fr_info_t *fin; 1288 u_32_t pass; 1289 { 1290 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1291 1292 if (softa->ipf_auth_ip != NULL) 1293 return ipf_scanlist(fin, softc->ipf_pass); 1294 1295 return pass; 1296 } 1297 1298 1299 frentry_t ** 1300 ipf_auth_rulehead(softc) 1301 ipf_main_softc_t *softc; 1302 { 1303 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1304 1305 return &softa->ipf_auth_ip; 1306 } 1307
Indexes created Thu Oct 02 14:10:14 GMT 2025