      1 /*	$NetBSD: npf_os.c,v 1.3 2017/01/02 21:49:51 rmind Exp $	*/
      2 
      3 /*-
      4  * Copyright (c) 2009-2016 The NetBSD Foundation, Inc.
      5  * All rights reserved.
      6  *
      7  * This material is based upon work partially supported by The
      8  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
      9  *
     10  * Redistribution and use in source and binary forms, with or without
     11  * modification, are permitted provided that the following conditions
     12  * are met:
     13  * 1. Redistributions of source code must retain the above copyright
     14  *    notice, this list of conditions and the following disclaimer.
     15  * 2. Redistributions in binary form must reproduce the above copyright
     16  *    notice, this list of conditions and the following disclaimer in the
     17  *    documentation and/or other materials provided with the distribution.
     18  *
     19  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     20  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     21  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     22  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     23  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     24  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     25  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     26  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     27  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     28  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     29  * POSSIBILITY OF SUCH DAMAGE.
     30  */
     31 
     32 /*
     33  * NPF main: dynamic load/initialisation and unload routines.
     34  */
     35 
     36 #ifdef _KERNEL
     37 #include <sys/cdefs.h>
     38 __KERNEL_RCSID(0, "$NetBSD: npf_os.c,v 1.3 2017/01/02 21:49:51 rmind Exp $");
     39 
     40 #ifdef _KERNEL_OPT
     41 #include "pf.h"
     42 #if NPF > 0
     43 #error "NPF and PF are mutually exclusive; please select one"
     44 #endif
     45 #endif
     46 
     47 #include <sys/param.h>
     48 #include <sys/types.h>
     49 
     50 #include <sys/conf.h>
     51 #include <sys/kauth.h>
     52 #include <sys/kmem.h>
     53 #include <sys/lwp.h>
     54 #include <sys/module.h>
     55 #include <sys/socketvar.h>
     56 #include <sys/uio.h>
     57 #endif
     58 
     59 #include "npf_impl.h"
     60 #include "npfkern.h"
     61 
     62 #ifdef _KERNEL
     63 #ifndef _MODULE
     64 #include "opt_modular.h"
     65 #endif
     66 #include "ioconf.h"
     67 #endif
     68 
     69 /*
     70  * Module and device structures.
     71  */
#ifndef _MODULE
/*
 * Modular kernels load drivers too early, and we need percpu to be
 * initialised first.  So we make this a misc-class module; a better way
 * would be to have separate early-boot and late-boot driver classes.
 */
MODULE(MODULE_CLASS_MISC, npf, NULL);
#else
/* This module autoloads via /dev/npf, so it needs to be a driver. */
MODULE(MODULE_CLASS_DRIVER, npf, NULL);
#endif
     83 
/* Entry points of the /dev/npf character device (wired up in npf_cdevsw). */
static int	npf_dev_open(dev_t, int, int, lwp_t *);
static int	npf_dev_close(dev_t, int, int, lwp_t *);
static int	npf_dev_ioctl(dev_t, u_long, void *, int, lwp_t *);
static int	npf_dev_poll(dev_t, int, lwp_t *);
static int	npf_dev_read(dev_t, struct uio *, int);

/*
 * Device switch for /dev/npf.  Only open, close, ioctl, read and poll
 * are provided here (read and poll merely return ENOTSUP); write, stop,
 * tty, mmap, kqfilter and discard use the generic "not supported" stubs.
 * D_MPSAFE declares the entry points safe to call without the kernel
 * lock; the privilege check therefore lives in open and ioctl themselves.
 */
const struct cdevsw npf_cdevsw = {
	.d_open = npf_dev_open,
	.d_close = npf_dev_close,
	.d_read = npf_dev_read,
	.d_write = nowrite,
	.d_ioctl = npf_dev_ioctl,
	.d_stop = nostop,
	.d_tty = notty,
	.d_poll = npf_dev_poll,
	.d_mmap = nommap,
	.d_kqfilter = nokqfilter,
	.d_discard = nodiscard,
	.d_flag = D_OTHER | D_MPSAFE
};
    104 
/* Interface operations handed to npf_create() through kern_ifops. */
static const char *	npf_ifop_getname(ifnet_t *);
static ifnet_t *	npf_ifop_lookup(const char *);
static void		npf_ifop_flush(void *);
static void *		npf_ifop_getmeta(const ifnet_t *);
static void		npf_ifop_setmeta(ifnet_t *, void *);

/* Worker count passed to npf_sysinit() at module init. */
static const unsigned	nworkers = 1;

/*
 * pfil(9) registration state.  All four are written only by
 * npf_pfil_register()/npf_pfil_unregister() under softnet_lock and the
 * kernel lock; pfil_registered is additionally read lock-free by
 * npf_pfil_registered_p().
 */
static bool		pfil_registered = false;
static pfil_head_t *	npf_ph_if = NULL;	/* interface attach/detach and address hooks */
static pfil_head_t *	npf_ph_inet = NULL;	/* AF_INET packet head, may stay NULL */
static pfil_head_t *	npf_ph_inet6 = NULL;	/* AF_INET6 packet head, may stay NULL */

/* Kernel-side interface operations for the NPF core. */
static const npf_ifops_t kern_ifops = {
	.getname	= npf_ifop_getname,
	.lookup		= npf_ifop_lookup,
	.flush		= npf_ifop_flush,
	.getmeta	= npf_ifop_getmeta,
	.setmeta	= npf_ifop_setmeta,
};
    125 
/*
 * npf_fini: tear down the kernel NPF instance.
 *
 * The order is deliberate: the device node and the pfil(9) hooks go
 * first, presumably so that no new ioctl(2) or packet can reach the
 * context once npf_destroy() starts on it.  Always returns 0.
 */
static int
npf_fini(void)
{
	npf_t *npf = npf_getkernctx();

	/* At first, detach device and remove pfil hooks. */
#ifdef _MODULE
	devsw_detach(NULL, &npf_cdevsw);
#endif
	/* fini=true also removes the interface attach/detach hooks. */
	npf_pfil_unregister(true);
	npf_destroy(npf);
	npf_sysfini();
	return 0;
}
    140 
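/*
 * npf_init: create the kernel NPF instance and attach it to the system.
 *
 * Initialises the NPF subsystem (npf_sysinit), creates the kernel
 * context, registers the pfil(9) interface hooks, seeds the interface
 * address table and, when built as a module, attaches /dev/npf.
 *
 * Returns 0 on success or an errno value.  On failure after the context
 * has been created, npf_fini() is run so no half-initialised instance
 * is left behind.
 */
static int
npf_init(void)
{
	npf_t *npf;
	int error;

	error = npf_sysinit(nworkers);
	if (error) {
		return error;
	}
	npf = npf_create(0, NULL, &kern_ifops);
	npf_setkernctx(npf);

	/*
	 * Interface attach/detach and address hooks.  A failure here used
	 * to be ignored, which would leave the firewall loaded but never
	 * notified of interface changes; treat it as fatal instead.
	 * npf_ifaddr_init() still runs first so that the teardown below
	 * starts from exactly the same state as the devsw_attach() failure
	 * path, which npf_fini() is already known to handle.
	 */
	error = npf_pfil_register(true);
	npf_ifaddr_init(npf);
	if (error) {
		(void)npf_fini();
		return error;
	}

#ifdef _MODULE
	devmajor_t bmajor = NODEVMAJOR, cmajor = NODEVMAJOR;

	/* Attach /dev/npf device. */
	error = devsw_attach("npf", NULL, &bmajor, &npf_cdevsw, &cmajor);
	if (error) {
		/* It will call devsw_detach(), which is safe. */
		(void)npf_fini();
	}
#endif
	return error;
}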
    167 
    168 
    169 /*
    170  * Module interface.
    171  */
    172 static int
    173 npf_modcmd(modcmd_t cmd, void *arg)
    174 {
    175 	switch (cmd) {
    176 	case MODULE_CMD_INIT:
    177 		return npf_init();
    178 	case MODULE_CMD_FINI:
    179 		return npf_fini();
    180 	case MODULE_CMD_AUTOUNLOAD:
    181 		if (npf_autounload_p()) {
    182 			return EBUSY;
    183 		}
    184 		break;
    185 	default:
    186 		return ENOTTY;
    187 	}
    188 	return 0;
    189 }
    190 
/*
 * npfattach: pseudo-device attach entry point (declared via ioconf.h).
 * Nothing to do here; all set-up happens in npf_init() through the
 * module interface.
 */
void
npfattach(int nunits)
{
	(void)nunits;
}
    196 
/*
 * npf_dev_open: open(2) on /dev/npf.
 *
 * Admission is decided by the kauth(9) KAUTH_NETWORK_FIREWALL request
 * on the opening lwp's credentials; any refusal is reported as EPERM.
 * Which principals pass depends on the installed security model
 * (the "super-user" wording of the original comment is its default).
 */
static int
npf_dev_open(dev_t dev, int flag, int mode, lwp_t *l)
{
	int denied;

	denied = kauth_authorize_network(l->l_cred, KAUTH_NETWORK_FIREWALL,
	    KAUTH_REQ_NETWORK_FIREWALL_FW, NULL, NULL, NULL);
	return denied ? EPERM : 0;
}
    207 
/* npf_dev_close: close(2) on /dev/npf; nothing per-open to release. */
static int
npf_dev_close(dev_t dev, int flag, int mode, lwp_t *l)
{
	(void)dev;
	(void)flag;
	(void)mode;
	(void)l;
	return 0;
}
    213 
/*
 * npf_stats_export: copy the NPF statistics to user space.
 *
 * 'data' is the ioctl buffer holding a user pointer to NPF_STATS_SIZE
 * bytes.  The user pointer is never dereferenced in the kernel; it is
 * handed to copyout(9) only.  Returns copyout's error, 0 on success.
 */
static int
npf_stats_export(npf_t *npf, void *data)
{
	uint64_t *ustats = *(uint64_t **)data;
	const size_t len = NPF_STATS_SIZE;
	uint64_t *kstats;
	int error;

	kstats = kmem_alloc(len, KM_SLEEP);
	npf_stats(npf, kstats); /* will zero the buffer */
	error = copyout(kstats, ustats, len);
	kmem_free(kstats, len);
	return error;
}
    226 
/*
 * npf_dev_ioctl: control-plane entry point of /dev/npf.
 *
 * The kauth(9) firewall check is repeated on every call rather than
 * relied upon from npf_dev_open(), so the privilege is re-evaluated
 * against the calling lwp each time.  Each IOC_NPF_* command is
 * delegated to the matching npfctl_*() routine; IOC_NPF_VERSION is
 * answered in place.  Returns 0, the delegate's errno, EPERM when not
 * authorised, or ENOTTY for an unknown command.
 */
static int
npf_dev_ioctl(dev_t dev, u_long cmd, void *data, int flag, lwp_t *l)
{
	npf_t *npf = npf_getkernctx();

	if (kauth_authorize_network(l->l_cred, KAUTH_NETWORK_FIREWALL,
	    KAUTH_REQ_NETWORK_FIREWALL_FW, NULL, NULL, NULL) != 0) {
		return EPERM;
	}

	switch (cmd) {
	case IOC_NPF_TABLE:
		return npfctl_table(npf, data);
	case IOC_NPF_RULE:
		return npfctl_rule(npf, cmd, data);
	case IOC_NPF_STATS:
		return npf_stats_export(npf, data);
	case IOC_NPF_SAVE:
		return npfctl_save(npf, cmd, data);
	case IOC_NPF_SWITCH:
		return npfctl_switch(data);
	case IOC_NPF_LOAD:
		return npfctl_load(npf, cmd, data);
	case IOC_NPF_CONN_LOOKUP:
		return npfctl_conn_lookup(npf, cmd, data);
	case IOC_NPF_VERSION:
		/* Plain integer reply written into the ioctl buffer. */
		*(int *)data = NPF_VERSION;
		return 0;
	default:
		return ENOTTY;
	}
}
    271 
/* npf_dev_poll: polling is not supported on /dev/npf. */
static int
npf_dev_poll(dev_t dev, int events, lwp_t *l)
{
	(void)dev;
	(void)events;
	(void)l;
	return ENOTSUP;
}
    277 
/* npf_dev_read: reading from /dev/npf is not supported. */
static int
npf_dev_read(dev_t dev, struct uio *uio, int flag)
{
	(void)dev;
	(void)uio;
	(void)flag;
	return ENOTSUP;
}
    283 
/*
 * npf_autounload_p: true when the packet hooks are not registered and
 * the instance is in default-pass mode.  Consulted by npf_modcmd() on
 * MODULE_CMD_AUTOUNLOAD; npf_default_pass() is only asked when the
 * first condition holds.
 */
bool
npf_autounload_p(void)
{
	npf_t *npf = npf_getkernctx();

	if (npf_pfil_registered_p()) {
		return false;
	}
	return npf_default_pass(npf);
}
    290 
    291 /*
    292  * Interface operations.
    293  */
    294 
/* npf_ifop_getname: the interface's name as recorded in if_xname. */
static const char *
npf_ifop_getname(ifnet_t *ifp)
{
	const char *name = ifp->if_xname;

	return name;
}
    300 
/* npf_ifop_lookup: resolve an interface name via ifunit(); NULL if absent. */
static ifnet_t *
npf_ifop_lookup(const char *name)
{
	ifnet_t *ifp = ifunit(name);

	return ifp;
}
    306 
/*
 * npf_ifop_flush: store 'arg' as the NPF metadata of every interface.
 *
 * Walks the interface list with the kernel lock and IFNET_LOCK held,
 * taken in that order.  The same field is read and written for a single
 * interface by npf_ifop_getmeta()/npf_ifop_setmeta() without a lock.
 */
static void
npf_ifop_flush(void *arg)
{
	ifnet_t *ifp;

	KERNEL_LOCK(1, NULL);
	IFNET_LOCK();
	IFNET_WRITER_FOREACH(ifp) {
		ifp->if_pf_kif = arg;
	}
	IFNET_UNLOCK();
	KERNEL_UNLOCK_ONE(NULL);
}
    320 
/* npf_ifop_getmeta: the NPF metadata pointer stored on the interface. */
static void *
npf_ifop_getmeta(const ifnet_t *ifp)
{
	void *meta = ifp->if_pf_kif;

	return meta;
}
    326 
/* npf_ifop_setmeta: store the NPF metadata pointer on one interface. */
static void
npf_ifop_setmeta(ifnet_t *ifp, void *arg)
{
	void *meta = arg;

	ifp->if_pf_kif = meta;
}
    332 
    333 #ifdef _KERNEL
    334 
    335 /*
    336  * Wrapper of the main packet handler to pass the kernel NPF context.
    337  */
    338 static int
    339 npfkern_packet_handler(void *arg, struct mbuf **mp, ifnet_t *ifp, int di)
    340 {
    341 	npf_t *npf = npf_getkernctx();
    342 	return npf_packet_handler(npf, mp, ifp, di);
    343 }
    344 
    345 /*
    346  * npf_ifhook: hook handling interface changes.
    347  */
    348 static void
    349 npf_ifhook(void *arg, unsigned long cmd, void *arg2)
    350 {
    351 	npf_t *npf = npf_getkernctx();
    352 	ifnet_t *ifp = arg2;
    353 
    354 	switch (cmd) {
    355 	case PFIL_IFNET_ATTACH:
    356 		npf_ifmap_attach(npf, ifp);
    357 		npf_ifaddr_sync(npf, ifp);
    358 		break;
    359 	case PFIL_IFNET_DETACH:
    360 		npf_ifmap_detach(npf, ifp);
    361 		npf_ifaddr_flush(npf, ifp);
    362 		break;
    363 	}
    364 }
    365 
/*
 * npf_ifaddrhook_cmd_p: true for the SIOC*IFADDR* requests that change an
 * interface address (the IPv6 variants only when INET6 is configured).
 */
static bool
npf_ifaddrhook_cmd_p(u_long cmd)
{
	switch (cmd) {
	case SIOCSIFADDR:
	case SIOCAIFADDR:
	case SIOCDIFADDR:
#ifdef INET6
	case SIOCSIFADDR_IN6:
	case SIOCAIFADDR_IN6:
	case SIOCDIFADDR_IN6:
#endif
		return true;
	default:
		return false;
	}
}

/*
 * npf_ifaddrhook: pfil(9) interface-address hook.
 *
 * Re-synchronises the NPF address table of the affected interface after
 * an address was set, added or deleted; any other request is ignored.
 */
static void
npf_ifaddrhook(void *arg, u_long cmd, void *arg2)
{
	npf_t *npf = npf_getkernctx();
	struct ifaddr *ifa = arg2;

	if (!npf_ifaddrhook_cmd_p(cmd)) {
		return;
	}
	npf_ifaddr_sync(npf, ifa->ifa_ifp);
}
    387 
    388 /*
    389  * npf_pfil_register: register pfil(9) hooks.
    390  */
    391 int
    392 npf_pfil_register(bool init)
    393 {
    394 	npf_t *npf = npf_getkernctx();
    395 	int error = 0;
    396 
    397 	mutex_enter(softnet_lock);
    398 	KERNEL_LOCK(1, NULL);
    399 
    400 	/* Init: interface re-config and attach/detach hook. */
    401 	if (!npf_ph_if) {
    402 		npf_ph_if = pfil_head_get(PFIL_TYPE_IFNET, 0);
    403 		if (!npf_ph_if) {
    404 			error = ENOENT;
    405 			goto out;
    406 		}
    407 
    408 		error = pfil_add_ihook(npf_ifhook, NULL,
    409 		    PFIL_IFNET, npf_ph_if);
    410 		KASSERT(error == 0);
    411 
    412 		error = pfil_add_ihook(npf_ifaddrhook, NULL,
    413 		    PFIL_IFADDR, npf_ph_if);
    414 		KASSERT(error == 0);
    415 	}
    416 	if (init) {
    417 		goto out;
    418 	}
    419 
    420 	/* Check if pfil hooks are not already registered. */
    421 	if (pfil_registered) {
    422 		error = EEXIST;
    423 		goto out;
    424 	}
    425 
    426 	/* Capture points of the activity in the IP layer. */
    427 	npf_ph_inet = pfil_head_get(PFIL_TYPE_AF, (void *)AF_INET);
    428 	npf_ph_inet6 = pfil_head_get(PFIL_TYPE_AF, (void *)AF_INET6);
    429 	if (!npf_ph_inet && !npf_ph_inet6) {
    430 		error = ENOENT;
    431 		goto out;
    432 	}
    433 
    434 	/* Packet IN/OUT handlers for IP layer. */
    435 	if (npf_ph_inet) {
    436 		error = pfil_add_hook(npfkern_packet_handler, npf,
    437 		    PFIL_ALL, npf_ph_inet);
    438 		KASSERT(error == 0);
    439 	}
    440 	if (npf_ph_inet6) {
    441 		error = pfil_add_hook(npfkern_packet_handler, npf,
    442 		    PFIL_ALL, npf_ph_inet6);
    443 		KASSERT(error == 0);
    444 	}
    445 	pfil_registered = true;
    446 out:
    447 	KERNEL_UNLOCK_ONE(NULL);
    448 	mutex_exit(softnet_lock);
    449 
    450 	return error;
    451 }
    452 
    453 /*
    454  * npf_pfil_unregister: unregister pfil(9) hooks.
    455  */
    456 void
    457 npf_pfil_unregister(bool fini)
    458 {
    459 	npf_t *npf = npf_getkernctx();
    460 
    461 	mutex_enter(softnet_lock);
    462 	KERNEL_LOCK(1, NULL);
    463 
    464 	if (fini && npf_ph_if) {
    465 		(void)pfil_remove_ihook(npf_ifhook, NULL,
    466 		    PFIL_IFNET, npf_ph_if);
    467 		(void)pfil_remove_ihook(npf_ifaddrhook, NULL,
    468 		    PFIL_IFADDR, npf_ph_if);
    469 	}
    470 	if (npf_ph_inet) {
    471 		(void)pfil_remove_hook(npfkern_packet_handler, npf,
    472 		    PFIL_ALL, npf_ph_inet);
    473 	}
    474 	if (npf_ph_inet6) {
    475 		(void)pfil_remove_hook(npfkern_packet_handler, npf,
    476 		    PFIL_ALL, npf_ph_inet6);
    477 	}
    478 	pfil_registered = false;
    479 
    480 	KERNEL_UNLOCK_ONE(NULL);
    481 	mutex_exit(softnet_lock);
    482 }
    483 
/*
 * npf_pfil_registered_p: whether the packet hooks are currently attached.
 * Reads pfil_registered without taking softnet_lock.
 */
bool
npf_pfil_registered_p(void)
{
	const bool registered = pfil_registered;

	return registered;
}
    489 #endif
    490