ip_frag.c revision 1.5.10.1
1 1.5.10.1 pgoyette /* $NetBSD: ip_frag.c,v 1.5.10.1 2018/05/21 04:36:14 pgoyette Exp $ */ 2 1.1 christos 3 1.1 christos /* 4 1.1 christos * Copyright (C) 2012 by Darren Reed. 5 1.1 christos * 6 1.1 christos * See the IPFILTER.LICENCE file for details on licencing. 7 1.1 christos */ 8 1.1 christos #if defined(KERNEL) || defined(_KERNEL) 9 1.1 christos # undef KERNEL 10 1.1 christos # undef _KERNEL 11 1.1 christos # define KERNEL 1 12 1.1 christos # define _KERNEL 1 13 1.1 christos #endif 14 1.1 christos #include <sys/errno.h> 15 1.1 christos #include <sys/types.h> 16 1.1 christos #include <sys/param.h> 17 1.1 christos #include <sys/time.h> 18 1.1 christos #include <sys/file.h> 19 1.1 christos #ifdef __hpux 20 1.1 christos # include <sys/timeout.h> 21 1.1 christos #endif 22 1.1 christos #if !defined(_KERNEL) 23 1.1 christos # include <stdio.h> 24 1.1 christos # include <string.h> 25 1.1 christos # include <stdlib.h> 26 1.1 christos # define _KERNEL 27 1.1 christos # ifdef __OpenBSD__ 28 1.1 christos struct file; 29 1.1 christos # endif 30 1.1 christos # include <sys/uio.h> 31 1.1 christos # undef _KERNEL 32 1.1 christos #endif 33 1.1 christos #if defined(_KERNEL) && \ 34 1.1 christos defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) 35 1.1 christos # include <sys/filio.h> 36 1.1 christos # include <sys/fcntl.h> 37 1.1 christos #else 38 1.1 christos # include <sys/ioctl.h> 39 1.1 christos #endif 40 1.1 christos #if !defined(linux) 41 1.1 christos # include <sys/protosw.h> 42 1.1 christos #endif 43 1.1 christos #include <sys/socket.h> 44 1.1 christos #if defined(_KERNEL) 45 1.1 christos # include <sys/systm.h> 46 1.1 christos # if !defined(__SVR4) && !defined(__svr4__) 47 1.1 christos # include <sys/mbuf.h> 48 1.1 christos # endif 49 1.1 christos #endif 50 1.1 christos #if !defined(__SVR4) && !defined(__svr4__) 51 1.1 christos # if defined(_KERNEL) && !defined(__sgi) && !defined(AIX) 52 1.1 christos # include <sys/kernel.h> 53 1.1 christos # endif 54 1.1 christos #else 55 1.1 christos # include <sys/byteorder.h> 56 1.1 christos # ifdef _KERNEL 57 1.1 christos # include <sys/dditypes.h> 58 1.1 christos # endif 59 1.1 christos # include <sys/stream.h> 60 1.1 christos # include <sys/kmem.h> 61 1.1 christos #endif 62 1.1 christos #include <net/if.h> 63 1.1 christos #ifdef sun 64 1.1 christos # include <net/af.h> 65 1.1 christos #endif 66 1.1 christos #include <netinet/in.h> 67 1.1 christos #include <netinet/in_systm.h> 68 1.1 christos #include <netinet/ip.h> 69 1.1 christos #if !defined(linux) 70 1.1 christos # include <netinet/ip_var.h> 71 1.1 christos #endif 72 1.1 christos #include <netinet/tcp.h> 73 1.1 christos #include <netinet/udp.h> 74 1.1 christos #include <netinet/ip_icmp.h> 75 1.1 christos #include "netinet/ip_compat.h" 76 1.1 christos #include "netinet/ip_fil.h" 77 1.1 christos #include "netinet/ip_nat.h" 78 1.1 christos #include "netinet/ip_frag.h" 79 1.1 christos #include "netinet/ip_state.h" 80 1.1 christos #include "netinet/ip_auth.h" 81 1.1 christos #include "netinet/ip_lookup.h" 82 1.1 christos #include "netinet/ip_proxy.h" 83 1.1 christos #include "netinet/ip_sync.h" 84 1.1 christos /* END OF INCLUDES */ 85 1.1 christos 86 1.1 christos #if !defined(lint) 87 1.2 christos #if defined(__NetBSD__) 88 1.2 christos #include <sys/cdefs.h> 89 1.5.10.1 pgoyette __KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.5.10.1 2018/05/21 04:36:14 pgoyette Exp $"); 90 1.2 christos #else 91 1.1 christos static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; 92 1.3 darrenr static const char rcsid[] = "@(#)Id: ip_frag.c,v 1.1.1.2 2012/07/22 13:45:17 darrenr Exp"; 93 1.2 christos #endif 94 1.1 christos #endif 95 1.1 christos 96 1.1 christos 97 1.1 christos typedef struct ipf_frag_softc_s { 98 1.1 christos ipfrwlock_t ipfr_ipidfrag; 99 1.1 christos ipfrwlock_t ipfr_frag; 100 1.1 christos ipfrwlock_t ipfr_natfrag; 101 1.1 christos int ipfr_size; 102 1.1 christos int ipfr_ttl; 103 1.1 christos int ipfr_lock; 104 1.1 christos int ipfr_inited; 105 1.1 christos ipfr_t *ipfr_list; 106 1.1 christos ipfr_t **ipfr_tail; 107 1.1 christos ipfr_t *ipfr_natlist; 108 1.1 christos ipfr_t **ipfr_nattail; 109 1.1 christos ipfr_t *ipfr_ipidlist; 110 1.1 christos ipfr_t **ipfr_ipidtail; 111 1.1 christos ipfr_t **ipfr_heads; 112 1.1 christos ipfr_t **ipfr_nattab; 113 1.1 christos ipfr_t **ipfr_ipidtab; 114 1.1 christos ipfrstat_t ipfr_stats; 115 1.1 christos } ipf_frag_softc_t; 116 1.1 christos 117 1.1 christos 118 1.1 christos #ifdef USE_MUTEXES 119 1.2 christos static ipfr_t *ipfr_frag_new(ipf_main_softc_t *, ipf_frag_softc_t *, 120 1.1 christos fr_info_t *, u_32_t, ipfr_t **, 121 1.2 christos ipfrwlock_t *); 122 1.2 christos static ipfr_t *ipf_frag_lookup(ipf_main_softc_t *, ipf_frag_softc_t *, fr_info_t *, ipfr_t **, ipfrwlock_t *); 123 1.2 christos static void ipf_frag_deref(void *, ipfr_t **, ipfrwlock_t *); 124 1.2 christos static int ipf_frag_next(ipf_main_softc_t *, ipftoken_t *, ipfgeniter_t *, 125 1.2 christos ipfr_t **, ipfrwlock_t *); 126 1.1 christos #else 127 1.2 christos static ipfr_t *ipfr_frag_new(ipf_main_softc_t *, ipf_frag_softc_t *, 128 1.2 christos fr_info_t *, u_32_t, ipfr_t **); 129 1.2 christos static ipfr_t *ipf_frag_lookup(ipf_main_softc_t *, ipf_frag_softc_t *, fr_info_t *, ipfr_t **); 130 1.2 christos static void ipf_frag_deref(void *, ipfr_t **); 131 1.2 christos static int ipf_frag_next(ipf_main_softc_t *, ipftoken_t *, ipfgeniter_t *, 132 1.2 christos ipfr_t **); 133 1.1 christos #endif 134 1.2 christos static void ipf_frag_delete(ipf_main_softc_t *, ipfr_t *, ipfr_t ***); 135 1.2 christos static void ipf_frag_free(ipf_frag_softc_t *, ipfr_t *); 136 1.1 christos 137 1.1 christos static frentry_t ipfr_block; 138 1.1 christos 139 1.1 christos ipftuneable_t ipf_tuneables[] = { 140 1.1 christos { { (void *)offsetof(ipf_frag_softc_t, ipfr_size) }, 141 1.1 christos "frag_size", 1, 0x7fffffff, 142 1.1 christos stsizeof(ipf_frag_softc_t, ipfr_size), 143 1.1 christos IPFT_WRDISABLED, NULL, NULL }, 144 1.1 christos { { (void *)offsetof(ipf_frag_softc_t, ipfr_ttl) }, 145 1.1 christos "frag_ttl", 1, 0x7fffffff, 146 1.1 christos stsizeof(ipf_frag_softc_t, ipfr_ttl), 147 1.1 christos 0, NULL, NULL }, 148 1.1 christos { { NULL }, 149 1.1 christos NULL, 0, 0, 150 1.1 christos 0, 151 1.1 christos 0, NULL, NULL } 152 1.1 christos }; 153 1.1 christos 154 1.1 christos #define FBUMP(x) softf->ipfr_stats.x++ 155 1.1 christos #define FBUMPD(x) do { softf->ipfr_stats.x++; DT(x); } while (0) 156 1.1 christos 157 1.1 christos 158 1.1 christos /* ------------------------------------------------------------------------ */ 159 1.1 christos /* Function: ipf_frag_main_load */ 160 1.1 christos /* Returns: int - 0 == success, -1 == error */ 161 1.1 christos /* Parameters: Nil */ 162 1.1 christos /* */ 163 1.1 christos /* Initialise the filter rule associted with blocked packets - everyone can */ 164 1.1 christos /* use it. */ 165 1.1 christos /* ------------------------------------------------------------------------ */ 166 1.1 christos int 167 1.2 christos ipf_frag_main_load(void) 168 1.1 christos { 169 1.1 christos bzero((char *)&ipfr_block, sizeof(ipfr_block)); 170 1.1 christos ipfr_block.fr_flags = FR_BLOCK|FR_QUICK; 171 1.1 christos ipfr_block.fr_ref = 1; 172 1.1 christos 173 1.1 christos return 0; 174 1.1 christos } 175 1.1 christos 176 1.1 christos 177 1.1 christos /* ------------------------------------------------------------------------ */ 178 1.1 christos /* Function: ipf_frag_main_unload */ 179 1.1 christos /* Returns: int - 0 == success, -1 == error */ 180 1.1 christos /* Parameters: Nil */ 181 1.1 christos /* */ 182 1.1 christos /* A null-op function that exists as a placeholder so that the flow in */ 183 1.1 christos /* other functions is obvious. */ 184 1.1 christos /* ------------------------------------------------------------------------ */ 185 1.1 christos int 186 1.2 christos ipf_frag_main_unload(void) 187 1.1 christos { 188 1.1 christos return 0; 189 1.1 christos } 190 1.1 christos 191 1.1 christos 192 1.1 christos /* ------------------------------------------------------------------------ */ 193 1.1 christos /* Function: ipf_frag_soft_create */ 194 1.1 christos /* Returns: void * - NULL = failure, else pointer to local context */ 195 1.1 christos /* Parameters: softc(I) - pointer to soft context main structure */ 196 1.1 christos /* */ 197 1.1 christos /* Allocate a new soft context structure to track fragment related info. */ 198 1.1 christos /* ------------------------------------------------------------------------ */ 199 1.1 christos /*ARGSUSED*/ 200 1.1 christos void * 201 1.2 christos ipf_frag_soft_create(ipf_main_softc_t *softc) 202 1.1 christos { 203 1.1 christos ipf_frag_softc_t *softf; 204 1.1 christos 205 1.1 christos KMALLOC(softf, ipf_frag_softc_t *); 206 1.1 christos if (softf == NULL) 207 1.1 christos return NULL; 208 1.1 christos 209 1.1 christos bzero((char *)softf, sizeof(*softf)); 210 1.1 christos 211 1.1 christos RWLOCK_INIT(&softf->ipfr_ipidfrag, "frag ipid lock"); 212 1.1 christos RWLOCK_INIT(&softf->ipfr_frag, "ipf fragment rwlock"); 213 1.1 christos RWLOCK_INIT(&softf->ipfr_natfrag, "ipf NAT fragment rwlock"); 214 1.1 christos 215 1.1 christos softf->ipfr_size = IPFT_SIZE; 216 1.1 christos softf->ipfr_ttl = IPF_TTLVAL(60); 217 1.1 christos softf->ipfr_lock = 1; 218 1.1 christos softf->ipfr_tail = &softf->ipfr_list; 219 1.1 christos softf->ipfr_nattail = &softf->ipfr_natlist; 220 1.1 christos softf->ipfr_ipidtail = &softf->ipfr_ipidlist; 221 1.1 christos 222 1.1 christos return softf; 223 1.1 christos } 224 1.1 christos 225 1.1 christos 226 1.1 christos /* ------------------------------------------------------------------------ */ 227 1.1 christos /* Function: ipf_frag_soft_destroy */ 228 1.1 christos /* Returns: Nil */ 229 1.1 christos /* Parameters: softc(I) - pointer to soft context main structure */ 230 1.1 christos /* arg(I) - pointer to local context to use */ 231 1.1 christos /* */ 232 1.1 christos /* Initialise the hash tables for the fragment cache lookups. */ 233 1.1 christos /* ------------------------------------------------------------------------ */ 234 1.1 christos void 235 1.2 christos ipf_frag_soft_destroy(ipf_main_softc_t *softc, void *arg) 236 1.1 christos { 237 1.1 christos ipf_frag_softc_t *softf = arg; 238 1.1 christos 239 1.1 christos RW_DESTROY(&softf->ipfr_ipidfrag); 240 1.1 christos RW_DESTROY(&softf->ipfr_frag); 241 1.1 christos RW_DESTROY(&softf->ipfr_natfrag); 242 1.1 christos 243 1.1 christos KFREE(softf); 244 1.1 christos } 245 1.1 christos 246 1.1 christos 247 1.1 christos /* ------------------------------------------------------------------------ */ 248 1.1 christos /* Function: ipf_frag_soft_init */ 249 1.1 christos /* Returns: int - 0 == success, -1 == error */ 250 1.1 christos /* Parameters: softc(I) - pointer to soft context main structure */ 251 1.1 christos /* arg(I) - pointer to local context to use */ 252 1.1 christos /* */ 253 1.1 christos /* Initialise the hash tables for the fragment cache lookups. */ 254 1.1 christos /* ------------------------------------------------------------------------ */ 255 1.1 christos /*ARGSUSED*/ 256 1.1 christos int 257 1.2 christos ipf_frag_soft_init(ipf_main_softc_t *softc, void *arg) 258 1.1 christos { 259 1.1 christos ipf_frag_softc_t *softf = arg; 260 1.1 christos 261 1.1 christos KMALLOCS(softf->ipfr_heads, ipfr_t **, 262 1.1 christos softf->ipfr_size * sizeof(ipfr_t *)); 263 1.1 christos if (softf->ipfr_heads == NULL) 264 1.1 christos return -1; 265 1.1 christos 266 1.1 christos bzero((char *)softf->ipfr_heads, softf->ipfr_size * sizeof(ipfr_t *)); 267 1.1 christos 268 1.1 christos KMALLOCS(softf->ipfr_nattab, ipfr_t **, 269 1.1 christos softf->ipfr_size * sizeof(ipfr_t *)); 270 1.1 christos if (softf->ipfr_nattab == NULL) 271 1.1 christos return -2; 272 1.1 christos 273 1.1 christos bzero((char *)softf->ipfr_nattab, softf->ipfr_size * sizeof(ipfr_t *)); 274 1.1 christos 275 1.1 christos KMALLOCS(softf->ipfr_ipidtab, ipfr_t **, 276 1.1 christos softf->ipfr_size * sizeof(ipfr_t *)); 277 1.1 christos if (softf->ipfr_ipidtab == NULL) 278 1.1 christos return -3; 279 1.1 christos 280 1.1 christos bzero((char *)softf->ipfr_ipidtab, 281 1.1 christos softf->ipfr_size * sizeof(ipfr_t *)); 282 1.1 christos 283 1.1 christos softf->ipfr_lock = 0; 284 1.1 christos softf->ipfr_inited = 1; 285 1.1 christos 286 1.1 christos return 0; 287 1.1 christos } 288 1.1 christos 289 1.1 christos 290 1.1 christos /* ------------------------------------------------------------------------ */ 291 1.1 christos /* Function: ipf_frag_soft_fini */ 292 1.1 christos /* Returns: int - 0 == success, -1 == error */ 293 1.1 christos /* Parameters: softc(I) - pointer to soft context main structure */ 294 1.1 christos /* arg(I) - pointer to local context to use */ 295 1.1 christos /* */ 296 1.1 christos /* Free all memory allocated whilst running and from initialisation. */ 297 1.1 christos /* ------------------------------------------------------------------------ */ 298 1.1 christos int 299 1.2 christos ipf_frag_soft_fini(ipf_main_softc_t *softc, void *arg) 300 1.1 christos { 301 1.1 christos ipf_frag_softc_t *softf = arg; 302 1.1 christos 303 1.1 christos softf->ipfr_lock = 1; 304 1.1 christos 305 1.1 christos if (softf->ipfr_inited == 1) { 306 1.1 christos ipf_frag_clear(softc); 307 1.1 christos 308 1.1 christos softf->ipfr_inited = 0; 309 1.1 christos } 310 1.1 christos 311 1.1 christos if (softf->ipfr_heads != NULL) 312 1.1 christos KFREES(softf->ipfr_heads, 313 1.1 christos softf->ipfr_size * sizeof(ipfr_t *)); 314 1.1 christos softf->ipfr_heads = NULL; 315 1.1 christos 316 1.1 christos if (softf->ipfr_nattab != NULL) 317 1.1 christos KFREES(softf->ipfr_nattab, 318 1.1 christos softf->ipfr_size * sizeof(ipfr_t *)); 319 1.1 christos softf->ipfr_nattab = NULL; 320 1.1 christos 321 1.1 christos if (softf->ipfr_ipidtab != NULL) 322 1.1 christos KFREES(softf->ipfr_ipidtab, 323 1.1 christos softf->ipfr_size * sizeof(ipfr_t *)); 324 1.1 christos softf->ipfr_ipidtab = NULL; 325 1.1 christos 326 1.1 christos return 0; 327 1.1 christos } 328 1.1 christos 329 1.1 christos 330 1.1 christos /* ------------------------------------------------------------------------ */ 331 1.1 christos /* Function: ipf_frag_set_lock */ 332 1.1 christos /* Returns: Nil */ 333 1.1 christos /* Parameters: arg(I) - pointer to local context to use */ 334 1.1 christos /* tmp(I) - new value for lock */ 335 1.1 christos /* */ 336 1.1 christos /* Stub function that allows for external manipulation of ipfr_lock */ 337 1.1 christos /* ------------------------------------------------------------------------ */ 338 1.1 christos void 339 1.2 christos ipf_frag_setlock(void *arg, int tmp) 340 1.1 christos { 341 1.1 christos ipf_frag_softc_t *softf = arg; 342 1.1 christos 343 1.1 christos softf->ipfr_lock = tmp; 344 1.1 christos } 345 1.1 christos 346 1.1 christos 347 1.1 christos /* ------------------------------------------------------------------------ */ 348 1.1 christos /* Function: ipf_frag_stats */ 349 1.1 christos /* Returns: ipfrstat_t* - pointer to struct with current frag stats */ 350 1.1 christos /* Parameters: arg(I) - pointer to local context to use */ 351 1.1 christos /* */ 352 1.1 christos /* Updates ipfr_stats with current information and returns a pointer to it */ 353 1.1 christos /* ------------------------------------------------------------------------ */ 354 1.1 christos ipfrstat_t * 355 1.2 christos ipf_frag_stats(void *arg) 356 1.1 christos { 357 1.1 christos ipf_frag_softc_t *softf = arg; 358 1.1 christos 359 1.1 christos softf->ipfr_stats.ifs_table = softf->ipfr_heads; 360 1.1 christos softf->ipfr_stats.ifs_nattab = softf->ipfr_nattab; 361 1.1 christos return &softf->ipfr_stats; 362 1.1 christos } 363 1.1 christos 364 1.1 christos 365 1.1 christos /* ------------------------------------------------------------------------ */ 366 1.1 christos /* Function: ipfr_frag_new */ 367 1.1 christos /* Returns: ipfr_t * - pointer to fragment cache state info or NULL */ 368 1.1 christos /* Parameters: fin(I) - pointer to packet information */ 369 1.1 christos /* table(I) - pointer to frag table to add to */ 370 1.1 christos /* lock(I) - pointer to lock to get a write hold of */ 371 1.1 christos /* */ 372 1.1 christos /* Add a new entry to the fragment cache, registering it as having come */ 373 1.1 christos /* through this box, with the result of the filter operation. */ 374 1.1 christos /* */ 375 1.1 christos /* If this function succeeds, it returns with a write lock held on "lock". */ 376 1.1 christos /* If it fails, no lock is held on return. */ 377 1.1 christos /* ------------------------------------------------------------------------ */ 378 1.1 christos static ipfr_t * 379 1.2 christos ipfr_frag_new( 380 1.2 christos ipf_main_softc_t *softc, 381 1.2 christos ipf_frag_softc_t *softf, 382 1.2 christos fr_info_t *fin, 383 1.2 christos u_32_t pass, 384 1.2 christos ipfr_t *table[] 385 1.1 christos #ifdef USE_MUTEXES 386 1.2 christos , ipfrwlock_t *lock 387 1.1 christos #endif 388 1.1 christos ) 389 1.1 christos { 390 1.1 christos ipfr_t *fra, frag, *fran; 391 1.1 christos u_int idx, off; 392 1.1 christos frentry_t *fr; 393 1.1 christos 394 1.1 christos if (softf->ipfr_stats.ifs_inuse >= softf->ipfr_size) { 395 1.1 christos FBUMPD(ifs_maximum); 396 1.1 christos return NULL; 397 1.1 christos } 398 1.1 christos 399 1.1 christos if ((fin->fin_flx & (FI_FRAG|FI_BAD)) != FI_FRAG) { 400 1.1 christos FBUMPD(ifs_newbad); 401 1.1 christos return NULL; 402 1.1 christos } 403 1.1 christos 404 1.1 christos if (pass & FR_FRSTRICT) { 405 1.1 christos if (fin->fin_off != 0) { 406 1.1 christos FBUMPD(ifs_newrestrictnot0); 407 1.1 christos return NULL; 408 1.1 christos } 409 1.1 christos } 410 1.1 christos 411 1.1 christos frag.ipfr_v = fin->fin_v; 412 1.1 christos idx = fin->fin_v; 413 1.1 christos frag.ipfr_p = fin->fin_p; 414 1.1 christos idx += fin->fin_p; 415 1.1 christos frag.ipfr_id = fin->fin_id; 416 1.1 christos idx += fin->fin_id; 417 1.1 christos frag.ipfr_source = fin->fin_fi.fi_src; 418 1.1 christos idx += frag.ipfr_src.s_addr; 419 1.1 christos frag.ipfr_dest = fin->fin_fi.fi_dst; 420 1.1 christos idx += frag.ipfr_dst.s_addr; 421 1.1 christos frag.ipfr_ifp = fin->fin_ifp; 422 1.1 christos idx *= 127; 423 1.1 christos idx %= softf->ipfr_size; 424 1.1 christos 425 1.1 christos frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY; 426 1.1 christos frag.ipfr_secmsk = fin->fin_fi.fi_secmsk; 427 1.1 christos frag.ipfr_auth = fin->fin_fi.fi_auth; 428 1.1 christos 429 1.1 christos off = fin->fin_off >> 3; 430 1.3 darrenr if (off == 0) { 431 1.1 christos char *ptr; 432 1.1 christos int end; 433 1.1 christos 434 1.3 darrenr #ifdef USE_INET6 435 1.3 darrenr if (fin->fin_v == 6) { 436 1.3 darrenr 437 1.3 darrenr ptr = (char *)fin->fin_fraghdr + 438 1.3 darrenr sizeof(struct ip6_frag); 439 1.3 darrenr } else 440 1.3 darrenr #endif 441 1.3 darrenr { 442 1.3 darrenr ptr = fin->fin_dp; 443 1.3 darrenr } 444 1.1 christos end = fin->fin_plen - (ptr - (char *)fin->fin_ip); 445 1.1 christos frag.ipfr_firstend = end >> 3; 446 1.3 darrenr } else { 447 1.1 christos frag.ipfr_firstend = 0; 448 1.3 darrenr } 449 1.1 christos 450 1.1 christos /* 451 1.1 christos * allocate some memory, if possible, if not, just record that we 452 1.1 christos * failed to do so. 453 1.1 christos */ 454 1.1 christos KMALLOC(fran, ipfr_t *); 455 1.1 christos if (fran == NULL) { 456 1.1 christos FBUMPD(ifs_nomem); 457 1.1 christos return NULL; 458 1.1 christos } 459 1.1 christos 460 1.1 christos WRITE_ENTER(lock); 461 1.1 christos 462 1.1 christos /* 463 1.1 christos * first, make sure it isn't already there... 464 1.1 christos */ 465 1.1 christos for (fra = table[idx]; (fra != NULL); fra = fra->ipfr_hnext) 466 1.1 christos if (!bcmp((char *)&frag.ipfr_ifp, (char *)&fra->ipfr_ifp, 467 1.1 christos IPFR_CMPSZ)) { 468 1.1 christos RWLOCK_EXIT(lock); 469 1.1 christos FBUMPD(ifs_exists); 470 1.5 christos KFREE(fran); 471 1.1 christos return NULL; 472 1.1 christos } 473 1.1 christos 474 1.1 christos fra = fran; 475 1.1 christos fran = NULL; 476 1.1 christos fr = fin->fin_fr; 477 1.1 christos fra->ipfr_rule = fr; 478 1.1 christos if (fr != NULL) { 479 1.1 christos MUTEX_ENTER(&fr->fr_lock); 480 1.1 christos fr->fr_ref++; 481 1.1 christos MUTEX_EXIT(&fr->fr_lock); 482 1.1 christos } 483 1.1 christos 484 1.1 christos /* 485 1.1 christos * Insert the fragment into the fragment table, copy the struct used 486 1.1 christos * in the search using bcopy rather than reassign each field. 487 1.1 christos * Set the ttl to the default. 488 1.1 christos */ 489 1.1 christos if ((fra->ipfr_hnext = table[idx]) != NULL) 490 1.1 christos table[idx]->ipfr_hprev = &fra->ipfr_hnext; 491 1.1 christos fra->ipfr_hprev = table + idx; 492 1.1 christos fra->ipfr_data = NULL; 493 1.1 christos table[idx] = fra; 494 1.1 christos bcopy((char *)&frag.ipfr_ifp, (char *)&fra->ipfr_ifp, IPFR_CMPSZ); 495 1.1 christos fra->ipfr_v = fin->fin_v; 496 1.1 christos fra->ipfr_ttl = softc->ipf_ticks + softf->ipfr_ttl; 497 1.1 christos fra->ipfr_firstend = frag.ipfr_firstend; 498 1.1 christos 499 1.1 christos /* 500 1.1 christos * Compute the offset of the expected start of the next packet. 501 1.1 christos */ 502 1.1 christos if (off == 0) 503 1.1 christos fra->ipfr_seen0 = 1; 504 1.1 christos fra->ipfr_off = off + (fin->fin_dlen >> 3); 505 1.1 christos fra->ipfr_pass = pass; 506 1.1 christos fra->ipfr_ref = 1; 507 1.1 christos fra->ipfr_pkts = 1; 508 1.1 christos fra->ipfr_bytes = fin->fin_plen; 509 1.1 christos FBUMP(ifs_inuse); 510 1.1 christos FBUMP(ifs_new); 511 1.1 christos return fra; 512 1.1 christos } 513 1.1 christos 514 1.1 christos 515 1.1 christos /* ------------------------------------------------------------------------ */ 516 1.1 christos /* Function: ipf_frag_new */ 517 1.1 christos /* Returns: int - 0 == success, -1 == error */ 518 1.1 christos /* Parameters: fin(I) - pointer to packet information */ 519 1.1 christos /* */ 520 1.1 christos /* Add a new entry to the fragment cache table based on the current packet */ 521 1.1 christos /* ------------------------------------------------------------------------ */ 522 1.1 christos int 523 1.2 christos ipf_frag_new(ipf_main_softc_t *softc, fr_info_t *fin, u_32_t pass) 524 1.1 christos { 525 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 526 1.1 christos ipfr_t *fra; 527 1.1 christos 528 1.1 christos if (softf->ipfr_lock != 0) 529 1.1 christos return -1; 530 1.1 christos 531 1.1 christos #ifdef USE_MUTEXES 532 1.1 christos fra = ipfr_frag_new(softc, softf, fin, pass, softf->ipfr_heads, &softc->ipf_frag); 533 1.1 christos #else 534 1.1 christos fra = ipfr_frag_new(softc, softf, fin, pass, softf->ipfr_heads); 535 1.1 christos #endif 536 1.1 christos if (fra != NULL) { 537 1.1 christos *softf->ipfr_tail = fra; 538 1.1 christos fra->ipfr_prev = softf->ipfr_tail; 539 1.1 christos softf->ipfr_tail = &fra->ipfr_next; 540 1.1 christos fra->ipfr_next = NULL; 541 1.1 christos RWLOCK_EXIT(&softc->ipf_frag); 542 1.1 christos } 543 1.1 christos return fra ? 0 : -1; 544 1.1 christos } 545 1.1 christos 546 1.1 christos 547 1.1 christos /* ------------------------------------------------------------------------ */ 548 1.1 christos /* Function: ipf_frag_natnew */ 549 1.1 christos /* Returns: int - 0 == success, -1 == error */ 550 1.1 christos /* Parameters: fin(I) - pointer to packet information */ 551 1.1 christos /* nat(I) - pointer to NAT structure */ 552 1.1 christos /* */ 553 1.1 christos /* Create a new NAT fragment cache entry based on the current packet and */ 554 1.1 christos /* the NAT structure for this "session". */ 555 1.1 christos /* ------------------------------------------------------------------------ */ 556 1.1 christos int 557 1.2 christos ipf_frag_natnew(ipf_main_softc_t *softc, fr_info_t *fin, u_32_t pass, 558 1.2 christos nat_t *nat) 559 1.1 christos { 560 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 561 1.1 christos ipfr_t *fra; 562 1.1 christos 563 1.3 darrenr if (softf->ipfr_lock != 0) 564 1.1 christos return 0; 565 1.1 christos 566 1.1 christos #ifdef USE_MUTEXES 567 1.1 christos fra = ipfr_frag_new(softc, softf, fin, pass, softf->ipfr_nattab, 568 1.1 christos &softf->ipfr_natfrag); 569 1.1 christos #else 570 1.1 christos fra = ipfr_frag_new(softc, softf, fin, pass, softf->ipfr_nattab); 571 1.1 christos #endif 572 1.1 christos if (fra != NULL) { 573 1.1 christos fra->ipfr_data = nat; 574 1.1 christos nat->nat_data = fra; 575 1.1 christos *softf->ipfr_nattail = fra; 576 1.1 christos fra->ipfr_prev = softf->ipfr_nattail; 577 1.1 christos softf->ipfr_nattail = &fra->ipfr_next; 578 1.1 christos fra->ipfr_next = NULL; 579 1.1 christos RWLOCK_EXIT(&softf->ipfr_natfrag); 580 1.3 darrenr return 0; 581 1.1 christos } 582 1.3 darrenr return -1; 583 1.1 christos } 584 1.1 christos 585 1.1 christos 586 1.1 christos /* ------------------------------------------------------------------------ */ 587 1.1 christos /* Function: ipf_frag_ipidnew */ 588 1.1 christos /* Returns: int - 0 == success, -1 == error */ 589 1.1 christos /* Parameters: fin(I) - pointer to packet information */ 590 1.1 christos /* ipid(I) - new IP ID for this fragmented packet */ 591 1.1 christos /* */ 592 1.1 christos /* Create a new fragment cache entry for this packet and store, as a data */ 593 1.1 christos /* pointer, the new IP ID value. */ 594 1.1 christos /* ------------------------------------------------------------------------ */ 595 1.1 christos int 596 1.2 christos ipf_frag_ipidnew(fr_info_t *fin, u_32_t ipid) 597 1.1 christos { 598 1.1 christos ipf_main_softc_t *softc = fin->fin_main_soft; 599 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 600 1.1 christos ipfr_t *fra; 601 1.1 christos 602 1.1 christos if (softf->ipfr_lock) 603 1.1 christos return 0; 604 1.1 christos 605 1.1 christos #ifdef USE_MUTEXES 606 1.1 christos fra = ipfr_frag_new(softc, softf, fin, 0, softf->ipfr_ipidtab, &softf->ipfr_ipidfrag); 607 1.1 christos #else 608 1.1 christos fra = ipfr_frag_new(softc, softf, fin, 0, softf->ipfr_ipidtab); 609 1.1 christos #endif 610 1.1 christos if (fra != NULL) { 611 1.1 christos fra->ipfr_data = (void *)(intptr_t)ipid; 612 1.1 christos *softf->ipfr_ipidtail = fra; 613 1.1 christos fra->ipfr_prev = softf->ipfr_ipidtail; 614 1.1 christos softf->ipfr_ipidtail = &fra->ipfr_next; 615 1.1 christos fra->ipfr_next = NULL; 616 1.1 christos RWLOCK_EXIT(&softf->ipfr_ipidfrag); 617 1.1 christos } 618 1.1 christos return fra ? 0 : -1; 619 1.1 christos } 620 1.1 christos 621 1.1 christos 622 1.1 christos /* ------------------------------------------------------------------------ */ 623 1.1 christos /* Function: ipf_frag_lookup */ 624 1.1 christos /* Returns: ipfr_t * - pointer to ipfr_t structure if there's a */ 625 1.1 christos /* matching entry in the frag table, else NULL */ 626 1.1 christos /* Parameters: fin(I) - pointer to packet information */ 627 1.1 christos /* table(I) - pointer to fragment cache table to search */ 628 1.1 christos /* */ 629 1.1 christos /* Check the fragment cache to see if there is already a record of this */ 630 1.1 christos /* packet with its filter result known. */ 631 1.1 christos /* */ 632 1.1 christos /* If this function succeeds, it returns with a write lock held on "lock". */ 633 1.1 christos /* If it fails, no lock is held on return. */ 634 1.1 christos /* ------------------------------------------------------------------------ */ 635 1.1 christos static ipfr_t * 636 1.2 christos ipf_frag_lookup( 637 1.2 christos ipf_main_softc_t *softc, 638 1.2 christos ipf_frag_softc_t *softf, 639 1.2 christos fr_info_t *fin, 640 1.2 christos ipfr_t *table[] 641 1.1 christos #ifdef USE_MUTEXES 642 1.2 christos , ipfrwlock_t *lock 643 1.1 christos #endif 644 1.1 christos ) 645 1.1 christos { 646 1.1 christos ipfr_t *f, frag; 647 1.1 christos u_int idx; 648 1.1 christos 649 1.1 christos /* 650 1.1 christos * We don't want to let short packets match because they could be 651 1.1 christos * compromising the security of other rules that want to match on 652 1.1 christos * layer 4 fields (and can't because they have been fragmented off.) 653 1.1 christos * Why do this check here? The counter acts as an indicator of this 654 1.1 christos * kind of attack, whereas if it was elsewhere, it wouldn't know if 655 1.1 christos * other matching packets had been seen. 656 1.1 christos */ 657 1.1 christos if (fin->fin_flx & FI_SHORT) { 658 1.1 christos FBUMPD(ifs_short); 659 1.1 christos return NULL; 660 1.1 christos } 661 1.1 christos 662 1.1 christos if ((fin->fin_flx & FI_BAD) != 0) { 663 1.1 christos FBUMPD(ifs_bad); 664 1.1 christos return NULL; 665 1.1 christos } 666 1.1 christos 667 1.1 christos /* 668 1.1 christos * For fragments, we record protocol, packet id, TOS and both IP#'s 669 1.1 christos * (these should all be the same for all fragments of a packet). 670 1.1 christos * 671 1.1 christos * build up a hash value to index the table with. 672 1.1 christos */ 673 1.1 christos frag.ipfr_v = fin->fin_v; 674 1.1 christos idx = fin->fin_v; 675 1.1 christos frag.ipfr_p = fin->fin_p; 676 1.1 christos idx += fin->fin_p; 677 1.1 christos frag.ipfr_id = fin->fin_id; 678 1.1 christos idx += fin->fin_id; 679 1.1 christos frag.ipfr_source = fin->fin_fi.fi_src; 680 1.1 christos idx += frag.ipfr_src.s_addr; 681 1.1 christos frag.ipfr_dest = fin->fin_fi.fi_dst; 682 1.1 christos idx += frag.ipfr_dst.s_addr; 683 1.1 christos frag.ipfr_ifp = fin->fin_ifp; 684 1.1 christos idx *= 127; 685 1.1 christos idx %= softf->ipfr_size; 686 1.1 christos 687 1.1 christos frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY; 688 1.1 christos frag.ipfr_secmsk = fin->fin_fi.fi_secmsk; 689 1.1 christos frag.ipfr_auth = fin->fin_fi.fi_auth; 690 1.1 christos 691 1.1 christos READ_ENTER(lock); 692 1.1 christos 693 1.1 christos /* 694 1.1 christos * check the table, careful to only compare the right amount of data 695 1.1 christos */ 696 1.1 christos for (f = table[idx]; f; f = f->ipfr_hnext) { 697 1.1 christos if (!bcmp((char *)&frag.ipfr_ifp, (char *)&f->ipfr_ifp, 698 1.1 christos IPFR_CMPSZ)) { 699 1.1 christos u_short off; 700 1.1 christos 701 1.1 christos /* 702 1.1 christos * XXX - We really need to be guarding against the 703 1.1 christos * retransmission of (src,dst,id,offset-range) here 704 1.1 christos * because a fragmented packet is never resent with 705 1.1 christos * the same IP ID# (or shouldn't). 706 1.1 christos */ 707 1.1 christos off = fin->fin_off >> 3; 708 1.1 christos if (f->ipfr_seen0) { 709 1.1 christos if (off == 0) { 710 1.1 christos FBUMPD(ifs_retrans0); 711 1.1 christos continue; 712 1.1 christos } 713 1.1 christos 714 1.1 christos /* 715 1.1 christos * Case 3. See comment for frpr_fragment6. 716 1.1 christos */ 717 1.1 christos if ((f->ipfr_firstend != 0) && 718 1.1 christos (off < f->ipfr_firstend)) { 719 1.3 darrenr FBUMP(ifs_overlap); 720 1.3 darrenr DT2(ifs_overlap, u_short, off, 721 1.3 darrenr ipfr_t *, f); 722 1.1 christos fin->fin_flx |= FI_BAD; 723 1.1 christos break; 724 1.1 christos } 725 1.1 christos } else if (off == 0) 726 1.1 christos f->ipfr_seen0 = 1; 727 1.1 christos 728 1.4 christos #if 0 729 1.4 christos /* We can't do this, since we only have a read lock! */ 730 1.1 christos if (f != table[idx]) { 731 1.1 christos ipfr_t **fp; 732 1.1 christos 733 1.1 christos /* 734 1.1 christos * Move fragment info. to the top of the list 735 1.1 christos * to speed up searches. First, delink... 736 1.1 christos */ 737 1.1 christos fp = f->ipfr_hprev; 738 1.1 christos (*fp) = f->ipfr_hnext; 739 1.1 christos if (f->ipfr_hnext != NULL) 740 1.1 christos f->ipfr_hnext->ipfr_hprev = fp; 741 1.1 christos /* 742 1.1 christos * Then put back at the top of the chain. 743 1.1 christos */ 744 1.1 christos f->ipfr_hnext = table[idx]; 745 1.1 christos table[idx]->ipfr_hprev = &f->ipfr_hnext; 746 1.1 christos f->ipfr_hprev = table + idx; 747 1.1 christos table[idx] = f; 748 1.1 christos } 749 1.4 christos #endif 750 1.1 christos 751 1.1 christos /* 752 1.4 christos * If we've followed the fragments, and this is the 753 1.1 christos * last (in order), shrink expiration time. 754 1.1 christos */ 755 1.1 christos if (off == f->ipfr_off) { 756 1.1 christos f->ipfr_off = (fin->fin_dlen >> 3) + off; 757 1.1 christos 758 1.1 christos /* 759 1.1 christos * Well, we could shrink the expiration time 760 1.1 christos * but only if every fragment has been seen 761 1.1 christos * in order upto this, the last. ipfr_badorder 762 1.1 christos * is used here to count those out of order 763 1.1 christos * and if it equals 0 when we get to the last 764 1.1 christos * fragment then we can assume all of the 765 1.1 christos * fragments have been seen and in order. 766 1.1 christos */ 767 1.1 christos #if 0 768 1.1 christos /* 769 1.1 christos * Doing this properly requires moving it to 770 1.1 christos * the head of the list which is infesible. 771 1.1 christos */ 772 1.1 christos if ((more == 0) && (f->ipfr_badorder == 0)) 773 1.1 christos f->ipfr_ttl = softc->ipf_ticks + 1; 774 1.1 christos #endif 775 1.1 christos } else { 776 1.1 christos f->ipfr_badorder++; 777 1.1 christos FBUMPD(ifs_unordered); 778 1.1 christos if (f->ipfr_pass & FR_FRSTRICT) { 779 1.1 christos FBUMPD(ifs_strict); 780 1.1 christos continue; 781 1.1 christos } 782 1.1 christos } 783 1.1 christos f->ipfr_pkts++; 784 1.1 christos f->ipfr_bytes += fin->fin_plen; 785 1.1 christos FBUMP(ifs_hits); 786 1.1 christos return f; 787 1.1 christos } 788 1.1 christos } 789 1.1 christos 790 1.1 christos RWLOCK_EXIT(lock); 791 1.1 christos FBUMP(ifs_miss); 792 1.1 christos return NULL; 793 1.1 christos } 794 1.1 christos 795 1.1 christos 796 1.1 christos /* ------------------------------------------------------------------------ */ 797 1.1 christos /* Function: ipf_frag_natknown */ 798 1.1 christos /* Returns: nat_t* - pointer to 'parent' NAT structure if frag table */ 799 1.1 christos /* match found, else NULL */ 800 1.1 christos /* Parameters: fin(I) - pointer to packet information */ 801 1.1 christos /* */ 802 1.1 christos /* Functional interface for NAT lookups of the NAT fragment cache */ 803 1.1 christos /* ------------------------------------------------------------------------ */ 804 1.1 christos nat_t * 805 1.2 christos ipf_frag_natknown(fr_info_t *fin) 806 1.1 christos { 807 1.1 christos ipf_main_softc_t *softc = fin->fin_main_soft; 808 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 809 1.1 christos nat_t *nat; 810 1.1 christos ipfr_t *ipf; 811 1.1 christos 812 1.1 christos if ((softf->ipfr_lock) || !softf->ipfr_natlist) 813 1.1 christos return NULL; 814 1.1 christos #ifdef USE_MUTEXES 815 1.1 christos ipf = ipf_frag_lookup(softc, softf, fin, softf->ipfr_nattab, 816 1.1 christos &softf->ipfr_natfrag); 817 1.1 christos #else 818 1.1 christos ipf = ipf_frag_lookup(softc, softf, fin, softf->ipfr_nattab); 819 1.1 christos #endif 820 1.1 christos if (ipf != NULL) { 821 1.1 christos nat = ipf->ipfr_data; 822 1.1 christos /* 823 1.1 christos * This is the last fragment for this packet. 824 1.1 christos */ 825 1.1 christos if ((ipf->ipfr_ttl == softc->ipf_ticks + 1) && (nat != NULL)) { 826 1.1 christos nat->nat_data = NULL; 827 1.1 christos ipf->ipfr_data = NULL; 828 1.1 christos } 829 1.1 christos RWLOCK_EXIT(&softf->ipfr_natfrag); 830 1.1 christos } else 831 1.1 christos nat = NULL; 832 1.1 christos return nat; 833 1.1 christos } 834 1.1 christos 835 1.1 christos 836 1.1 christos /* ------------------------------------------------------------------------ */ 837 1.1 christos /* Function: ipf_frag_ipidknown */ 838 1.1 christos /* Returns: u_32_t - IPv4 ID for this packet if match found, else */ 839 1.1 christos /* return 0xfffffff to indicate no match. */ 840 1.1 christos /* Parameters: fin(I) - pointer to packet information */ 841 1.1 christos /* */ 842 1.1 christos /* Functional interface for IP ID lookups of the IP ID fragment cache */ 843 1.1 christos /* ------------------------------------------------------------------------ */ 844 1.1 christos u_32_t 845 1.2 christos ipf_frag_ipidknown(fr_info_t *fin) 846 1.1 christos { 847 1.1 christos ipf_main_softc_t *softc = fin->fin_main_soft; 848 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 849 1.1 christos ipfr_t *ipf; 850 1.1 christos u_32_t id; 851 1.1 christos 852 1.3 darrenr if (softf->ipfr_lock || !softf->ipfr_ipidlist) 853 1.1 christos return 0xffffffff; 854 1.1 christos 855 1.1 christos #ifdef USE_MUTEXES 856 1.1 christos ipf = ipf_frag_lookup(softc, softf, fin, softf->ipfr_ipidtab, 857 1.1 christos &softf->ipfr_ipidfrag); 858 1.1 christos #else 859 1.1 christos ipf = ipf_frag_lookup(softc, softf, fin, softf->ipfr_ipidtab); 860 1.1 christos #endif 861 1.1 christos if (ipf != NULL) { 862 1.1 christos id = (u_32_t)(intptr_t)ipf->ipfr_data; 863 1.1 christos RWLOCK_EXIT(&softf->ipfr_ipidfrag); 864 1.1 christos } else 865 1.1 christos id = 0xffffffff; 866 1.1 christos return id; 867 1.1 christos } 868 1.1 christos 869 1.1 christos 870 1.1 christos /* ------------------------------------------------------------------------ */ 871 1.1 christos /* Function: ipf_frag_known */ 872 1.1 christos /* Returns: frentry_t* - pointer to filter rule if a match is found in */ 873 1.1 christos /* the frag cache table, else NULL. */ 874 1.1 christos /* Parameters: fin(I) - pointer to packet information */ 875 1.1 christos /* passp(O) - pointer to where to store rule flags resturned */ 876 1.1 christos /* */ 877 1.1 christos /* Functional interface for normal lookups of the fragment cache. If a */ 878 1.1 christos /* match is found, return the rule pointer and flags from the rule, except */ 879 1.1 christos /* that if FR_LOGFIRST is set, reset FR_LOG. */ 880 1.1 christos /* ------------------------------------------------------------------------ */ 881 1.1 christos frentry_t * 882 1.2 christos ipf_frag_known(fr_info_t *fin, u_32_t *passp) 883 1.1 christos { 884 1.1 christos ipf_main_softc_t *softc = fin->fin_main_soft; 885 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 886 1.1 christos frentry_t *fr = NULL; 887 1.1 christos ipfr_t *fra; 888 1.1 christos u_32_t pass; 889 1.1 christos 890 1.1 christos if ((softf->ipfr_lock) || (softf->ipfr_list == NULL)) 891 1.1 christos return NULL; 892 1.1 christos 893 1.1 christos #ifdef USE_MUTEXES 894 1.1 christos fra = ipf_frag_lookup(softc, softf, fin, softf->ipfr_heads, 895 1.1 christos &softc->ipf_frag); 896 1.1 christos #else 897 1.1 christos fra = ipf_frag_lookup(softc, softf, fin, softf->ipfr_heads); 898 1.1 christos #endif 899 1.1 christos if (fra != NULL) { 900 1.1 christos if (fin->fin_flx & FI_BAD) { 901 1.1 christos fr = &ipfr_block; 902 1.1 christos fin->fin_reason = FRB_BADFRAG; 903 1.1 christos } else { 904 1.1 christos fr = fra->ipfr_rule; 905 1.1 christos } 906 1.1 christos fin->fin_fr = fr; 907 1.1 christos if (fr != NULL) { 908 1.1 christos pass = fr->fr_flags; 909 1.1 christos if ((pass & FR_KEEPSTATE) != 0) { 910 1.1 christos fin->fin_flx |= FI_STATE; 911 1.1 christos /* 912 1.1 christos * Reset the keep state flag here so that we 913 1.1 christos * don't try and add a new state entry because 914 1.1 christos * of a match here. That leads to blocking of 915 1.1 christos * the packet later because the add fails. 916 1.1 christos */ 917 1.1 christos pass &= ~FR_KEEPSTATE; 918 1.1 christos } 919 1.1 christos if ((pass & FR_LOGFIRST) != 0) 920 1.1 christos pass &= ~(FR_LOGFIRST|FR_LOG); 921 1.1 christos *passp = pass; 922 1.1 christos } 923 1.1 christos RWLOCK_EXIT(&softc->ipf_frag); 924 1.1 christos } 925 1.1 christos return fr; 926 1.1 christos } 927 1.1 christos 928 1.1 christos 929 1.1 christos /* ------------------------------------------------------------------------ */ 930 1.1 christos /* Function: ipf_frag_natforget */ 931 1.1 christos /* Returns: Nil */ 932 1.1 christos /* Parameters: ptr(I) - pointer to data structure */ 933 1.1 christos /* */ 934 1.1 christos /* Search through all of the fragment cache entries for NAT and wherever a */ 935 1.1 christos /* pointer is found to match ptr, reset it to NULL. */ 936 1.1 christos /* ------------------------------------------------------------------------ */ 937 1.1 christos void 938 1.2 christos ipf_frag_natforget(ipf_main_softc_t *softc, void *ptr) 939 1.1 christos { 940 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 941 1.1 christos ipfr_t *fr; 942 1.1 christos 943 1.1 christos WRITE_ENTER(&softf->ipfr_natfrag); 944 1.1 christos for (fr = softf->ipfr_natlist; fr; fr = fr->ipfr_next) 945 1.1 christos if (fr->ipfr_data == ptr) 946 1.1 christos fr->ipfr_data = NULL; 947 1.1 christos RWLOCK_EXIT(&softf->ipfr_natfrag); 948 1.1 christos } 949 1.1 christos 950 1.1 christos 951 1.1 christos /* ------------------------------------------------------------------------ */ 952 1.1 christos /* Function: ipf_frag_delete */ 953 1.1 christos /* Returns: Nil */ 954 1.1 christos /* Parameters: fra(I) - pointer to fragment structure to delete */ 955 1.1 christos /* tail(IO) - pointer to the pointer to the tail of the frag */ 956 1.1 christos /* list */ 957 1.1 christos /* */ 958 1.1 christos /* Remove a fragment cache table entry from the table & list. Also free */ 959 1.1 christos /* the filter rule it is associated with it if it is no longer used as a */ 960 1.1 christos /* result of decreasing the reference count. */ 961 1.1 christos /* ------------------------------------------------------------------------ */ 962 1.1 christos static void 963 1.2 christos ipf_frag_delete(ipf_main_softc_t *softc, ipfr_t *fra, ipfr_t ***tail) 964 1.1 christos { 965 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 966 1.1 christos 967 1.1 christos if (fra->ipfr_next) 968 1.1 christos fra->ipfr_next->ipfr_prev = fra->ipfr_prev; 969 1.1 christos *fra->ipfr_prev = fra->ipfr_next; 970 1.1 christos if (*tail == &fra->ipfr_next) 971 1.1 christos *tail = fra->ipfr_prev; 972 1.1 christos 973 1.1 christos if (fra->ipfr_hnext) 974 1.1 christos fra->ipfr_hnext->ipfr_hprev = fra->ipfr_hprev; 975 1.1 christos *fra->ipfr_hprev = fra->ipfr_hnext; 976 1.1 christos 977 1.1 christos if (fra->ipfr_rule != NULL) { 978 1.1 christos (void) ipf_derefrule(softc, &fra->ipfr_rule); 979 1.1 christos } 980 1.1 christos 981 1.1 christos if (fra->ipfr_ref <= 0) 982 1.1 christos ipf_frag_free(softf, fra); 983 1.1 christos } 984 1.1 christos 985 1.1 christos 986 1.1 christos /* ------------------------------------------------------------------------ */ 987 1.1 christos /* Function: ipf_frag_free */ 988 1.1 christos /* Returns: Nil */ 989 1.1 christos /* */ 990 1.1 christos /* ------------------------------------------------------------------------ */ 991 1.1 christos static void 992 1.2 christos ipf_frag_free(ipf_frag_softc_t *softf, ipfr_t *fra) 993 1.1 christos { 994 1.1 christos KFREE(fra); 995 1.1 christos FBUMP(ifs_expire); 996 1.1 christos softf->ipfr_stats.ifs_inuse--; 997 1.1 christos } 998 1.1 christos 999 1.1 christos 1000 1.1 christos /* ------------------------------------------------------------------------ */ 1001 1.1 christos /* Function: ipf_frag_clear */ 1002 1.1 christos /* Returns: Nil */ 1003 1.1 christos /* Parameters: Nil */ 1004 1.1 christos /* */ 1005 1.1 christos /* Free memory in use by fragment state information kept. Do the normal */ 1006 1.1 christos /* fragment state stuff first and then the NAT-fragment table. */ 1007 1.1 christos /* ------------------------------------------------------------------------ */ 1008 1.1 christos void 1009 1.2 christos ipf_frag_clear(ipf_main_softc_t *softc) 1010 1.1 christos { 1011 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 1012 1.1 christos ipfr_t *fra; 1013 1.1 christos nat_t *nat; 1014 1.1 christos 1015 1.1 christos WRITE_ENTER(&softc->ipf_frag); 1016 1.1 christos while ((fra = softf->ipfr_list) != NULL) { 1017 1.1 christos fra->ipfr_ref--; 1018 1.1 christos ipf_frag_delete(softc, fra, &softf->ipfr_tail); 1019 1.1 christos } 1020 1.1 christos softf->ipfr_tail = &softf->ipfr_list; 1021 1.1 christos RWLOCK_EXIT(&softc->ipf_frag); 1022 1.1 christos 1023 1.1 christos WRITE_ENTER(&softc->ipf_nat); 1024 1.1 christos WRITE_ENTER(&softf->ipfr_natfrag); 1025 1.1 christos while ((fra = softf->ipfr_natlist) != NULL) { 1026 1.1 christos nat = fra->ipfr_data; 1027 1.1 christos if (nat != NULL) { 1028 1.1 christos if (nat->nat_data == fra) 1029 1.1 christos nat->nat_data = NULL; 1030 1.1 christos } 1031 1.1 christos fra->ipfr_ref--; 1032 1.1 christos ipf_frag_delete(softc, fra, &softf->ipfr_nattail); 1033 1.1 christos } 1034 1.1 christos softf->ipfr_nattail = &softf->ipfr_natlist; 1035 1.1 christos RWLOCK_EXIT(&softf->ipfr_natfrag); 1036 1.1 christos RWLOCK_EXIT(&softc->ipf_nat); 1037 1.1 christos } 1038 1.1 christos 1039 1.1 christos 1040 1.1 christos /* ------------------------------------------------------------------------ */ 1041 1.1 christos /* Function: ipf_frag_expire */ 1042 1.1 christos /* Returns: Nil */ 1043 1.1 christos /* Parameters: Nil */ 1044 1.1 christos /* */ 1045 1.1 christos /* Expire entries in the fragment cache table that have been there too long */ 1046 1.1 christos /* ------------------------------------------------------------------------ */ 1047 1.1 christos void 1048 1.2 christos ipf_frag_expire(ipf_main_softc_t *softc) 1049 1.1 christos { 1050 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 1051 1.1 christos ipfr_t **fp, *fra; 1052 1.1 christos nat_t *nat; 1053 1.1 christos SPL_INT(s); 1054 1.1 christos 1055 1.1 christos if (softf->ipfr_lock) 1056 1.1 christos return; 1057 1.1 christos 1058 1.1 christos SPL_NET(s); 1059 1.1 christos WRITE_ENTER(&softc->ipf_frag); 1060 1.1 christos /* 1061 1.1 christos * Go through the entire table, looking for entries to expire, 1062 1.1 christos * which is indicated by the ttl being less than or equal to ipf_ticks. 1063 1.1 christos */ 1064 1.1 christos for (fp = &softf->ipfr_list; ((fra = *fp) != NULL); ) { 1065 1.1 christos if (fra->ipfr_ttl > softc->ipf_ticks) 1066 1.1 christos break; 1067 1.1 christos fra->ipfr_ref--; 1068 1.1 christos ipf_frag_delete(softc, fra, &softf->ipfr_tail); 1069 1.1 christos } 1070 1.1 christos RWLOCK_EXIT(&softc->ipf_frag); 1071 1.1 christos 1072 1.1 christos WRITE_ENTER(&softf->ipfr_ipidfrag); 1073 1.1 christos for (fp = &softf->ipfr_ipidlist; ((fra = *fp) != NULL); ) { 1074 1.1 christos if (fra->ipfr_ttl > softc->ipf_ticks) 1075 1.1 christos break; 1076 1.1 christos fra->ipfr_ref--; 1077 1.1 christos ipf_frag_delete(softc, fra, &softf->ipfr_ipidtail); 1078 1.1 christos } 1079 1.1 christos RWLOCK_EXIT(&softf->ipfr_ipidfrag); 1080 1.1 christos 1081 1.1 christos /* 1082 1.1 christos * Same again for the NAT table, except that if the structure also 1083 1.1 christos * still points to a NAT structure, and the NAT structure points back 1084 1.1 christos * at the one to be free'd, NULL the reference from the NAT struct. 1085 1.1 christos * NOTE: We need to grab both mutex's early, and in this order so as 1086 1.1 christos * to prevent a deadlock if both try to expire at the same time. 1087 1.1 christos * The extra if() statement here is because it locks out all NAT 1088 1.1 christos * operations - no need to do that if there are no entries in this 1089 1.1 christos * list, right? 1090 1.1 christos */ 1091 1.1 christos if (softf->ipfr_natlist != NULL) { 1092 1.1 christos WRITE_ENTER(&softc->ipf_nat); 1093 1.1 christos WRITE_ENTER(&softf->ipfr_natfrag); 1094 1.1 christos for (fp = &softf->ipfr_natlist; ((fra = *fp) != NULL); ) { 1095 1.1 christos if (fra->ipfr_ttl > softc->ipf_ticks) 1096 1.1 christos break; 1097 1.1 christos nat = fra->ipfr_data; 1098 1.1 christos if (nat != NULL) { 1099 1.1 christos if (nat->nat_data == fra) 1100 1.1 christos nat->nat_data = NULL; 1101 1.1 christos } 1102 1.1 christos fra->ipfr_ref--; 1103 1.1 christos ipf_frag_delete(softc, fra, &softf->ipfr_nattail); 1104 1.1 christos } 1105 1.1 christos RWLOCK_EXIT(&softf->ipfr_natfrag); 1106 1.1 christos RWLOCK_EXIT(&softc->ipf_nat); 1107 1.1 christos } 1108 1.1 christos SPL_X(s); 1109 1.1 christos } 1110 1.1 christos 1111 1.1 christos 1112 1.1 christos /* ------------------------------------------------------------------------ */ 1113 1.1 christos /* Function: ipf_frag_pkt_next */ 1114 1.1 christos /* ------------------------------------------------------------------------ */ 1115 1.1 christos int 1116 1.2 christos ipf_frag_pkt_next(ipf_main_softc_t *softc, ipftoken_t *token, ipfgeniter_t *itp) 1117 1.1 christos { 1118 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 1119 1.1 christos 1120 1.1 christos #ifdef USE_MUTEXES 1121 1.1 christos return ipf_frag_next(softc, token, itp, &softf->ipfr_list, 1122 1.1 christos &softf->ipfr_frag); 1123 1.1 christos #else 1124 1.1 christos return ipf_frag_next(softc, token, itp, &softf->ipfr_list); 1125 1.1 christos #endif 1126 1.1 christos } 1127 1.1 christos 1128 1.1 christos 1129 1.1 christos /* ------------------------------------------------------------------------ */ 1130 1.1 christos /* Function: ipf_frag_nat_next */ 1131 1.1 christos /* ------------------------------------------------------------------------ */ 1132 1.1 christos int 1133 1.2 christos ipf_frag_nat_next(ipf_main_softc_t *softc, ipftoken_t *token, ipfgeniter_t *itp) 1134 1.1 christos { 1135 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft;; 1136 1.1 christos 1137 1.1 christos #ifdef USE_MUTEXES 1138 1.1 christos return ipf_frag_next(softc, token, itp, &softf->ipfr_natlist, 1139 1.1 christos &softf->ipfr_natfrag); 1140 1.1 christos #else 1141 1.1 christos return ipf_frag_next(softc, token, itp, &softf->ipfr_natlist); 1142 1.1 christos #endif 1143 1.1 christos } 1144 1.1 christos 1145 1.1 christos /* ------------------------------------------------------------------------ */ 1146 1.1 christos /* Function: ipf_frag_next */ 1147 1.1 christos /* Returns: int - 0 == success, else error */ 1148 1.1 christos /* Parameters: token(I) - pointer to token information for this caller */ 1149 1.1 christos /* itp(I) - pointer to generic iterator from caller */ 1150 1.1 christos /* top(I) - top of the fragment list */ 1151 1.1 christos /* lock(I) - fragment cache lock */ 1152 1.1 christos /* */ 1153 1.1 christos /* This function is used to interate through the list of entries in the */ 1154 1.1 christos /* fragment cache. It increases the reference count on the one currently */ 1155 1.1 christos /* being returned so that the caller can come back and resume from it later.*/ 1156 1.1 christos /* */ 1157 1.1 christos /* This function is used for both the NAT fragment cache as well as the ipf */ 1158 1.1 christos /* fragment cache - hence the reason for passing in top and lock. */ 1159 1.1 christos /* ------------------------------------------------------------------------ */ 1160 1.1 christos static int 1161 1.2 christos ipf_frag_next( 1162 1.2 christos ipf_main_softc_t *softc, 1163 1.2 christos ipftoken_t *token, 1164 1.2 christos ipfgeniter_t *itp, 1165 1.2 christos ipfr_t **top 1166 1.1 christos #ifdef USE_MUTEXES 1167 1.2 christos , ipfrwlock_t *lock 1168 1.1 christos #endif 1169 1.1 christos ) 1170 1.1 christos { 1171 1.1 christos ipfr_t *frag, *next, zero; 1172 1.1 christos int error = 0; 1173 1.1 christos 1174 1.1 christos if (itp->igi_data == NULL) { 1175 1.1 christos IPFERROR(20001); 1176 1.1 christos return EFAULT; 1177 1.1 christos } 1178 1.1 christos 1179 1.1 christos if (itp->igi_nitems != 1) { 1180 1.1 christos IPFERROR(20003); 1181 1.1 christos return EFAULT; 1182 1.1 christos } 1183 1.1 christos 1184 1.1 christos frag = token->ipt_data; 1185 1.1 christos 1186 1.1 christos READ_ENTER(lock); 1187 1.1 christos 1188 1.1 christos if (frag == NULL) 1189 1.1 christos next = *top; 1190 1.1 christos else 1191 1.1 christos next = frag->ipfr_next; 1192 1.1 christos 1193 1.1 christos if (next != NULL) { 1194 1.1 christos ATOMIC_INC(next->ipfr_ref); 1195 1.1 christos token->ipt_data = next; 1196 1.1 christos } else { 1197 1.1 christos bzero(&zero, sizeof(zero)); 1198 1.1 christos next = &zero; 1199 1.1 christos token->ipt_data = NULL; 1200 1.1 christos } 1201 1.1 christos if (next->ipfr_next == NULL) 1202 1.1 christos ipf_token_mark_complete(token); 1203 1.1 christos 1204 1.1 christos RWLOCK_EXIT(lock); 1205 1.1 christos 1206 1.1 christos error = COPYOUT(next, itp->igi_data, sizeof(*next)); 1207 1.1 christos if (error != 0) 1208 1.1 christos IPFERROR(20002); 1209 1.1 christos 1210 1.1 christos if (frag != NULL) { 1211 1.1 christos #ifdef USE_MUTEXES 1212 1.1 christos ipf_frag_deref(softc, &frag, lock); 1213 1.1 christos #else 1214 1.1 christos ipf_frag_deref(softc, &frag); 1215 1.1 christos #endif 1216 1.1 christos } 1217 1.1 christos return error; 1218 1.1 christos } 1219 1.1 christos 1220 1.1 christos 1221 1.1 christos /* ------------------------------------------------------------------------ */ 1222 1.1 christos /* Function: ipf_frag_pkt_deref */ 1223 1.1 christos /* Returns: Nil */ 1224 1.1 christos /* */ 1225 1.1 christos /* ------------------------------------------------------------------------ */ 1226 1.1 christos void 1227 1.2 christos ipf_frag_pkt_deref(ipf_main_softc_t *softc, void *data) 1228 1.1 christos { 1229 1.1 christos ipfr_t **frp = data; 1230 1.1 christos 1231 1.1 christos #ifdef USE_MUTEXES 1232 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 1233 1.1 christos 1234 1.1 christos ipf_frag_deref(softc->ipf_frag_soft, frp, &softf->ipfr_frag); 1235 1.1 christos #else 1236 1.1 christos ipf_frag_deref(softc->ipf_frag_soft, frp); 1237 1.1 christos #endif 1238 1.1 christos } 1239 1.1 christos 1240 1.1 christos 1241 1.1 christos /* ------------------------------------------------------------------------ */ 1242 1.1 christos /* Function: ipf_frag_nat_deref */ 1243 1.1 christos /* Returns: Nil */ 1244 1.1 christos /* */ 1245 1.1 christos /* ------------------------------------------------------------------------ */ 1246 1.1 christos void 1247 1.2 christos ipf_frag_nat_deref(ipf_main_softc_t *softc, void *data) 1248 1.1 christos { 1249 1.1 christos ipfr_t **frp = data; 1250 1.1 christos 1251 1.1 christos #ifdef USE_MUTEXES 1252 1.1 christos ipf_frag_softc_t *softf = softc->ipf_frag_soft; 1253 1.1 christos 1254 1.1 christos ipf_frag_deref(softc->ipf_frag_soft, frp, &softf->ipfr_natfrag); 1255 1.1 christos #else 1256 1.1 christos ipf_frag_deref(softc->ipf_frag_soft, frp); 1257 1.1 christos #endif 1258 1.1 christos } 1259 1.1 christos 1260 1.1 christos 1261 1.1 christos /* ------------------------------------------------------------------------ */ 1262 1.1 christos /* Function: ipf_frag_deref */ 1263 1.1 christos /* Returns: Nil */ 1264 1.1 christos /* Parameters: frp(IO) - pointer to fragment structure to deference */ 1265 1.1 christos /* lock(I) - lock associated with the fragment */ 1266 1.1 christos /* */ 1267 1.1 christos /* This function dereferences a fragment structure (ipfr_t). The pointer */ 1268 1.1 christos /* passed in will always be reset back to NULL, even if the structure is */ 1269 1.1 christos /* not freed, to enforce the notion that the caller is no longer entitled */ 1270 1.1 christos /* to use the pointer it is dropping the reference to. */ 1271 1.1 christos /* ------------------------------------------------------------------------ */ 1272 1.1 christos static void 1273 1.2 christos ipf_frag_deref(void *arg, ipfr_t **frp 1274 1.1 christos #ifdef USE_MUTEXES 1275 1.2 christos , ipfrwlock_t *lock 1276 1.1 christos #endif 1277 1.1 christos ) 1278 1.1 christos { 1279 1.1 christos ipf_frag_softc_t *softf = arg; 1280 1.1 christos ipfr_t *fra; 1281 1.1 christos 1282 1.1 christos fra = *frp; 1283 1.1 christos *frp = NULL; 1284 1.1 christos 1285 1.1 christos WRITE_ENTER(lock); 1286 1.1 christos fra->ipfr_ref--; 1287 1.1 christos if (fra->ipfr_ref <= 0) 1288 1.1 christos ipf_frag_free(softf, fra); 1289 1.1 christos RWLOCK_EXIT(lock); 1290 1.1 christos } 1291
Indexes created Fri Oct 17 17:09:57 GMT 2025