1/*
2 * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 */
6#if defined(__sgi) && (IRIX > 602)
7# include <sys/ptimers.h>
8#endif
9#include <sys/errno.h>
10#include <sys/types.h>
11#include <sys/param.h>
12#include <sys/time.h>
13#include <sys/file.h>
14#if !defined(_KERNEL) && !defined(KERNEL)
15# include <stdio.h>
16# include <stdlib.h>
17# include <string.h>
18#endif
19#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
20# include <sys/filio.h>
21# include <sys/fcntl.h>
22#else
23# include <sys/ioctl.h>
24#endif
25#ifndef linux
26# include <sys/protosw.h>
27#endif
28#include <sys/socket.h>
29#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
30# include <sys/systm.h>
31#endif
32#if !defined(__SVR4) && !defined(__svr4__)
33# ifndef linux
34# include <sys/mbuf.h>
35# endif
36#else
37# include <sys/filio.h>
38# include <sys/byteorder.h>
39# ifdef _KERNEL
40# include <sys/dditypes.h>
41# endif
42# include <sys/stream.h>
43# include <sys/kmem.h>
44#endif
45#if (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
46# include <sys/queue.h>
47#endif
48#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
49# include <machine/cpu.h>
50#endif
51#include <net/if.h>
52#ifdef sun
53# include <net/af.h>
54#endif
55#include <net/route.h>
56#include <netinet/in.h>
57#include <netinet/in_systm.h>
58#include <netinet/ip.h>
59#ifndef KERNEL
60# define KERNEL
61# define NOT_KERNEL
62#endif
63#ifndef linux
64# include <netinet/ip_var.h>
65#endif
66#ifdef NOT_KERNEL
67# undef KERNEL
68#endif
69#ifdef __sgi
70# ifdef IFF_DRVRLOCK /* IRIX6 */
71# include <sys/hashing.h>
72# endif
73#endif
74#include <netinet/tcp.h>
75#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
76extern struct ifqueue ipintrq; /* ip packet input queue */
77#else
78# ifndef linux
79# if __FreeBSD_version >= 300000
80# include <net/if_var.h>
81# endif
82# include <netinet/in_var.h>
83# include <netinet/tcp_fsm.h>
84# endif
85#endif
86#include <netinet/udp.h>
87#include <netinet/ip_icmp.h>
88#include "netinet/ip_compat.h"
89#include <netinet/tcpip.h>
90#include "netinet/ip_fil.h"
91#include "netinet/ip_auth.h"
92#if !SOLARIS && !defined(linux)
93# include <net/netisr.h>
94# ifdef __FreeBSD__
95# include <machine/cpufunc.h>
96# endif
97#endif
98#if (__FreeBSD_version >= 300000)
99# include <sys/malloc.h>
100# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
101# include <sys/libkern.h>
102# include <sys/systm.h>
103# endif
104#endif
105
106#if !defined(lint)
107/* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.12 2001/07/18 14:57:08 darrenr Exp $"; */
108static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/ip_auth.c 139327 2004-12-26 09:09:29Z darrenr $";
109#endif
110
111
112#ifdef USE_MUTEX
113extern KRWLOCK_T ipf_auth, ipf_mutex;
114extern kmutex_t ipf_authmx;
115# if SOLARIS
116extern kcondvar_t ipfauthwait;
117# endif
118#endif
119#ifdef linux
120static struct wait_queue *ipfauthwait = NULL;
121#endif
122
123int fr_authsize = FR_NUMAUTH;
124int fr_authused = 0;
125int fr_defaultauthage = 600;
126int fr_auth_lock = 0;
127fr_authstat_t fr_authstats;
128static frauth_t fr_auth[FR_NUMAUTH];
129mb_t *fr_authpkts[FR_NUMAUTH];
130static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
131static frauthent_t *fae_list = NULL;
132frentry_t *ipauth = NULL,
133 *fr_authlist = NULL;
134
135
136/*
137 * Check if a packet has authorization. If the packet is found to match an
138 * authorization result and that would result in a feedback loop (i.e. it
139 * will end up returning FR_AUTH) then return FR_BLOCK instead.
140 */
141u_32_t fr_checkauth(ip, fin)
142ip_t *ip;
143fr_info_t *fin;
144{
145 u_short id = ip->ip_id;
146 frentry_t *fr;
147 frauth_t *fra;
148 u_32_t pass;
149 int i;
150
151 if (fr_auth_lock || !fr_authused)
152 return 0;
153
154 READ_ENTER(&ipf_auth);
155 for (i = fr_authstart; i != fr_authend; ) {
156 /*
157 * index becomes -2 only after an SIOCAUTHW. Check this in
158 * case the same packet gets sent again and it hasn't yet been
159 * auth'd.
160 */
161 fra = fr_auth + i;
162 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
163 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
164 /*
165 * Avoid feedback loop.
166 */
167 if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
168 pass = FR_BLOCK;
169 /*
170 * Create a dummy rule for the stateful checking to
171 * use and return. Zero out any values we don't
172 * trust from userland!
173 */
174 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
175 (fin->fin_fi.fi_fl & FI_FRAG))) {
176 KMALLOC(fr, frentry_t *);
177 if (fr) {
178 bcopy((char *)fra->fra_info.fin_fr,
179 fr, sizeof(*fr));
180 fr->fr_grp = NULL;
181 fr->fr_ifa = fin->fin_ifp;
182 fr->fr_func = NULL;
183 fr->fr_ref = 1;
184 fr->fr_flags = pass;
185#if BSD >= 199306
186 fr->fr_oifa = NULL;
187#endif
188 }
189 } else
190 fr = fra->fra_info.fin_fr;
191 fin->fin_fr = fr;
192 RWLOCK_EXIT(&ipf_auth);
193 WRITE_ENTER(&ipf_auth);
194 if (fr && fr != fra->fra_info.fin_fr) {
195 fr->fr_next = fr_authlist;
196 fr_authlist = fr;
197 }
198 fr_authstats.fas_hits++;
199 fra->fra_index = -1;
200 fr_authused--;
201 if (i == fr_authstart) {
202 while (fra->fra_index == -1) {
203 i++;
204 fra++;
205 if (i == FR_NUMAUTH) {
206 i = 0;
207 fra = fr_auth;
208 }
209 fr_authstart = i;
210 if (i == fr_authend)
211 break;
212 }
213 if (fr_authstart == fr_authend) {
214 fr_authnext = 0;
215 fr_authstart = fr_authend = 0;
216 }
217 }
218 RWLOCK_EXIT(&ipf_auth);
219 return pass;
220 }
221 i++;
222 if (i == FR_NUMAUTH)
223 i = 0;
224 }
225 fr_authstats.fas_miss++;
226 RWLOCK_EXIT(&ipf_auth);
227 return 0;
228}
229
230
231/*
232 * Check if we have room in the auth array to hold details for another packet.
233 * If we do, store it and wake up any user programs which are waiting to
234 * hear about these events.
235 */
236int fr_newauth(m, fin, ip)
237mb_t *m;
238fr_info_t *fin;
239ip_t *ip;
240{
241#if defined(_KERNEL) && SOLARIS
242 qif_t *qif = fin->fin_qif;
243#endif
244 frauth_t *fra;
245 int i;
246
247 if (fr_auth_lock)
248 return 0;
249
250 WRITE_ENTER(&ipf_auth);
251 if (fr_authstart > fr_authend) {
252 fr_authstats.fas_nospace++;
253 RWLOCK_EXIT(&ipf_auth);
254 return 0;
255 } else {
256 if (fr_authused == FR_NUMAUTH) {
257 fr_authstats.fas_nospace++;
258 RWLOCK_EXIT(&ipf_auth);
259 return 0;
260 }
261 }
262
263 fr_authstats.fas_added++;
264 fr_authused++;
265 i = fr_authend++;
266 if (fr_authend == FR_NUMAUTH)
267 fr_authend = 0;
268 RWLOCK_EXIT(&ipf_auth);
269 fra = fr_auth + i;
270 fra->fra_index = i;
271 fra->fra_pass = 0;
272 fra->fra_age = fr_defaultauthage;
273 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
274#if SOLARIS && defined(_KERNEL)
275# if !defined(sparc)
276 /*
277 * No need to copyback here as we want to undo the changes, not keep
278 * them.
279 */
280 if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
281 {
282 register u_short bo;
283
284 bo = ip->ip_len;
285 ip->ip_len = htons(bo);
286 bo = ip->ip_off;
287 ip->ip_off = htons(bo);
288 }
289# endif
290 m->b_rptr -= qif->qf_off;
291 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
292 fra->fra_q = qif->qf_q;
293 cv_signal(&ipfauthwait);
294#else
295# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
296 if (fin->fin_out == 0) {
297 ip->ip_len = htons(ip->ip_len);
298 ip->ip_off = htons(ip->ip_off);
299 }
300# endif
301 fr_authpkts[i] = m;
302 WAKEUP(&fr_authnext);
303#endif
304 return 1;
305}
306
307
308int fr_auth_ioctl(data, mode, cmd)
309caddr_t data;
310int mode;
311#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
312u_long cmd;
313#else
314int cmd;
315#endif
316{
317 mb_t *m;
318#if defined(_KERNEL) && !SOLARIS
319# if !defined(__FreeBSD_version) || (__FreeBSD_version < 501104)
320 struct ifqueue *ifq;
321# endif
322 int s;
323#endif
324 frauth_t auth, *au = &auth, *fra;
325 int i, error = 0;
326
327 switch (cmd)
328 {
329 case SIOCSTLCK :
330 if (!(mode & FWRITE)) {
331 error = EPERM;
332 break;
333 }
334 error = fr_lock(data, &fr_auth_lock);
335 break;
336 case SIOCINIFR :
337 case SIOCRMIFR :
338 case SIOCADIFR :
339 error = EINVAL;
340 break;
341 case SIOCINAFR :
342 error = EINVAL;
343 break;
344 case SIOCRMAFR :
345 case SIOCADAFR :
346 /* These commands go via request to fr_preauthcmd */
347 error = EINVAL;
348 break;
349 case SIOCATHST:
350 fr_authstats.fas_faelist = fae_list;
351 error = IWCOPYPTR((char *)&fr_authstats, data,
352 sizeof(fr_authstats));
353 break;
354 case SIOCAUTHW:
355 if (!(mode & FWRITE)) {
356 error = EPERM;
357 break;
358 }
359fr_authioctlloop:
360 READ_ENTER(&ipf_auth);
361 if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
362 error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
363 sizeof(frauth_t));
364 RWLOCK_EXIT(&ipf_auth);
365 if (error)
366 break;
367 WRITE_ENTER(&ipf_auth);
368 SPL_NET(s);
369 fr_authnext++;
370 if (fr_authnext == FR_NUMAUTH)
371 fr_authnext = 0;
372 SPL_X(s);
373 RWLOCK_EXIT(&ipf_auth);
374 return 0;
375 }
376 RWLOCK_EXIT(&ipf_auth);
377#ifdef _KERNEL
378# if SOLARIS
379 mutex_enter(&ipf_authmx);
380 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
381 mutex_exit(&ipf_authmx);
382 return EINTR;
383 }
384 mutex_exit(&ipf_authmx);
385# else
386 error = SLEEP(&fr_authnext, "fr_authnext");
387# endif
388#endif
389 if (!error)
390 goto fr_authioctlloop;
391 break;
392 case SIOCAUTHR:
393 if (!(mode & FWRITE)) {
394 error = EPERM;
395 break;
396 }
397 error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
398 if (error)
399 return error;
400 WRITE_ENTER(&ipf_auth);
401 SPL_NET(s);
402 i = au->fra_index;
403 fra = fr_auth + i;
404 if ((i < 0) || (i > FR_NUMAUTH) ||
405 (fra->fra_info.fin_id != au->fra_info.fin_id)) {
406 SPL_X(s);
407 RWLOCK_EXIT(&ipf_auth);
408 return EINVAL;
409 }
410 m = fr_authpkts[i];
411 fra->fra_index = -2;
412 fra->fra_pass = au->fra_pass;
413 fr_authpkts[i] = NULL;
414 RWLOCK_EXIT(&ipf_auth);
415#ifdef _KERNEL
416 if (m && au->fra_info.fin_out) {
417# if SOLARIS
418 error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;
419# else /* SOLARIS */
420 struct route ro;
421
422 bzero((char *)&ro, sizeof(ro));
423# if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
424 defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605)) || \
425 (__FreeBSD_version >= 470102)
426 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
427 NULL);
428# else
429 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
430# endif
431 if (ro.ro_rt) {
432 RTFREE(ro.ro_rt);
433 }
434# endif /* SOLARIS */
435 if (error)
436 fr_authstats.fas_sendfail++;
437 else
438 fr_authstats.fas_sendok++;
439 } else if (m) {
440# if SOLARIS
441 error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0;
442# else /* SOLARIS */
443 if (! netisr_queue(NETISR_IP, m))
444 error = ENOBUFS;
445# endif /* SOLARIS */
446 if (error)
447 fr_authstats.fas_quefail++;
448 else
449 fr_authstats.fas_queok++;
450 } else
451 error = EINVAL;
452# if SOLARIS
453 if (error)
454 error = EINVAL;
455# else
456 /*
457 * If we experience an error which will result in the packet
458 * not being processed, make sure we advance to the next one.
459 */
460 if (error == ENOBUFS) {
461 fr_authused--;
462 fra->fra_index = -1;
463 fra->fra_pass = 0;
464 if (i == fr_authstart) {
465 while (fra->fra_index == -1) {
466 i++;
467 if (i == FR_NUMAUTH)
468 i = 0;
469 fr_authstart = i;
470 if (i == fr_authend)
471 break;
472 }
473 if (fr_authstart == fr_authend) {
474 fr_authnext = 0;
475 fr_authstart = fr_authend = 0;
476 }
477 }
478 }
479# endif
480#endif /* _KERNEL */
481 SPL_X(s);
482 break;
483 default :
484 error = EINVAL;
485 break;
486 }
487 return error;
488}
489
490
491/*
492 * Free all network buffer memory used to keep saved packets.
493 */
494void fr_authunload()
495{
496 register int i;
497 register frauthent_t *fae, **faep;
498 frentry_t *fr, **frp;
499 mb_t *m;
500
501 WRITE_ENTER(&ipf_auth);
502 for (i = 0; i < FR_NUMAUTH; i++) {
503 if ((m = fr_authpkts[i])) {
504 FREE_MB_T(m);
505 fr_authpkts[i] = NULL;
506 fr_auth[i].fra_index = -1;
507 }
508 }
509
510
511 for (faep = &fae_list; (fae = *faep); ) {
512 *faep = fae->fae_next;
513 KFREE(fae);
514 }
515 ipauth = NULL;
516 RWLOCK_EXIT(&ipf_auth);
517
518 if (fr_authlist) {
519 /*
520 * We *MuST* reget ipf_auth because otherwise we won't get the
521 * locks in the right order and risk deadlock.
522 * We need ipf_mutex here to prevent a rule from using it
523 * inside fr_check().
524 */
525 WRITE_ENTER(&ipf_mutex);
526 WRITE_ENTER(&ipf_auth);
527 for (frp = &fr_authlist; (fr = *frp); ) {
528 if (fr->fr_ref == 1) {
529 *frp = fr->fr_next;
530 KFREE(fr);
531 } else
532 frp = &fr->fr_next;
533 }
534 RWLOCK_EXIT(&ipf_auth);
535 RWLOCK_EXIT(&ipf_mutex);
536 }
537}
538
539
540/*
541 * Slowly expire held auth records. Timeouts are set
542 * in expectation of this being called twice per second.
543 */
544void fr_authexpire()
545{
546 register int i;
547 register frauth_t *fra;
548 register frauthent_t *fae, **faep;
549 register frentry_t *fr, **frp;
550 mb_t *m;
551#if !SOLARIS && defined(_KERNEL)
552 int s;
553#endif
554
555 if (fr_auth_lock)
556 return;
557
558 SPL_NET(s);
559 WRITE_ENTER(&ipf_auth);
560 for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
561 if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
562 FREE_MB_T(m);
563 fr_authpkts[i] = NULL;
564 fr_auth[i].fra_index = -1;
565 fr_authstats.fas_expire++;
566 fr_authused--;
567 }
568 }
569
570 for (faep = &fae_list; (fae = *faep); ) {
571 if (!--fae->fae_age) {
572 *faep = fae->fae_next;
573 KFREE(fae);
574 fr_authstats.fas_expire++;
575 } else
576 faep = &fae->fae_next;
577 }
578 if (fae_list != NULL)
579 ipauth = &fae_list->fae_fr;
580 else
581 ipauth = NULL;
582
583 for (frp = &fr_authlist; (fr = *frp); ) {
584 if (fr->fr_ref == 1) {
585 *frp = fr->fr_next;
586 KFREE(fr);
587 } else
588 frp = &fr->fr_next;
589 }
590 RWLOCK_EXIT(&ipf_auth);
591 SPL_X(s);
592}
593
594int fr_preauthcmd(cmd, fr, frptr)
595#if defined(__NetBSD__) || defined(__OpenBSD__) || \
596 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
597u_long cmd;
598#else
599int cmd;
600#endif
601frentry_t *fr, **frptr;
602{
603 frauthent_t *fae, **faep;
604 int error = 0;
605#if defined(KERNEL) && !SOLARIS
606 int s;
607#endif
608
609 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
610 /* Should not happen */
611 printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
612 return EIO;
613 }
614
615 for (faep = &fae_list; (fae = *faep); )
616 if (&fae->fae_fr == fr)
617 break;
618 else
619 faep = &fae->fae_next;
620 if (cmd == SIOCRMAFR) {
621 if (!fr || !frptr)
622 error = EINVAL;
623 else if (!fae)
624 error = ESRCH;
625 else {
626 WRITE_ENTER(&ipf_auth);
627 SPL_NET(s);
628 *faep = fae->fae_next;
629 *frptr = fr->fr_next;
630 SPL_X(s);
631 RWLOCK_EXIT(&ipf_auth);
632 KFREE(fae);
633 }
634 } else if (fr && frptr) {
635 KMALLOC(fae, frauthent_t *);
636 if (fae != NULL) {
637 bcopy((char *)fr, (char *)&fae->fae_fr,
638 sizeof(*fr));
639 WRITE_ENTER(&ipf_auth);
640 SPL_NET(s);
641 fae->fae_age = fr_defaultauthage;
642 fae->fae_fr.fr_hits = 0;
643 fae->fae_fr.fr_next = *frptr;
644 *frptr = &fae->fae_fr;
645 fae->fae_next = *faep;
646 *faep = fae;
647 ipauth = &fae_list->fae_fr;
648 SPL_X(s);
649 RWLOCK_EXIT(&ipf_auth);
650 } else
651 error = ENOMEM;
652 } else
653 error = EINVAL;
654 return error;
655}
2 * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 */
6#if defined(__sgi) && (IRIX > 602)
7# include <sys/ptimers.h>
8#endif
9#include <sys/errno.h>
10#include <sys/types.h>
11#include <sys/param.h>
12#include <sys/time.h>
13#include <sys/file.h>
14#if !defined(_KERNEL) && !defined(KERNEL)
15# include <stdio.h>
16# include <stdlib.h>
17# include <string.h>
18#endif
19#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
20# include <sys/filio.h>
21# include <sys/fcntl.h>
22#else
23# include <sys/ioctl.h>
24#endif
25#ifndef linux
26# include <sys/protosw.h>
27#endif
28#include <sys/socket.h>
29#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
30# include <sys/systm.h>
31#endif
32#if !defined(__SVR4) && !defined(__svr4__)
33# ifndef linux
34# include <sys/mbuf.h>
35# endif
36#else
37# include <sys/filio.h>
38# include <sys/byteorder.h>
39# ifdef _KERNEL
40# include <sys/dditypes.h>
41# endif
42# include <sys/stream.h>
43# include <sys/kmem.h>
44#endif
45#if (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
46# include <sys/queue.h>
47#endif
48#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
49# include <machine/cpu.h>
50#endif
51#include <net/if.h>
52#ifdef sun
53# include <net/af.h>
54#endif
55#include <net/route.h>
56#include <netinet/in.h>
57#include <netinet/in_systm.h>
58#include <netinet/ip.h>
59#ifndef KERNEL
60# define KERNEL
61# define NOT_KERNEL
62#endif
63#ifndef linux
64# include <netinet/ip_var.h>
65#endif
66#ifdef NOT_KERNEL
67# undef KERNEL
68#endif
69#ifdef __sgi
70# ifdef IFF_DRVRLOCK /* IRIX6 */
71# include <sys/hashing.h>
72# endif
73#endif
74#include <netinet/tcp.h>
75#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
76extern struct ifqueue ipintrq; /* ip packet input queue */
77#else
78# ifndef linux
79# if __FreeBSD_version >= 300000
80# include <net/if_var.h>
81# endif
82# include <netinet/in_var.h>
83# include <netinet/tcp_fsm.h>
84# endif
85#endif
86#include <netinet/udp.h>
87#include <netinet/ip_icmp.h>
88#include "netinet/ip_compat.h"
89#include <netinet/tcpip.h>
90#include "netinet/ip_fil.h"
91#include "netinet/ip_auth.h"
92#if !SOLARIS && !defined(linux)
93# include <net/netisr.h>
94# ifdef __FreeBSD__
95# include <machine/cpufunc.h>
96# endif
97#endif
98#if (__FreeBSD_version >= 300000)
99# include <sys/malloc.h>
100# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
101# include <sys/libkern.h>
102# include <sys/systm.h>
103# endif
104#endif
105
106#if !defined(lint)
107/* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.12 2001/07/18 14:57:08 darrenr Exp $"; */
108static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/ip_auth.c 139327 2004-12-26 09:09:29Z darrenr $";
109#endif
110
111
112#ifdef USE_MUTEX
113extern KRWLOCK_T ipf_auth, ipf_mutex;
114extern kmutex_t ipf_authmx;
115# if SOLARIS
116extern kcondvar_t ipfauthwait;
117# endif
118#endif
119#ifdef linux
120static struct wait_queue *ipfauthwait = NULL;
121#endif
122
123int fr_authsize = FR_NUMAUTH;
124int fr_authused = 0;
125int fr_defaultauthage = 600;
126int fr_auth_lock = 0;
127fr_authstat_t fr_authstats;
128static frauth_t fr_auth[FR_NUMAUTH];
129mb_t *fr_authpkts[FR_NUMAUTH];
130static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
131static frauthent_t *fae_list = NULL;
132frentry_t *ipauth = NULL,
133 *fr_authlist = NULL;
134
135
136/*
137 * Check if a packet has authorization. If the packet is found to match an
138 * authorization result and that would result in a feedback loop (i.e. it
139 * will end up returning FR_AUTH) then return FR_BLOCK instead.
140 */
141u_32_t fr_checkauth(ip, fin)
142ip_t *ip;
143fr_info_t *fin;
144{
145 u_short id = ip->ip_id;
146 frentry_t *fr;
147 frauth_t *fra;
148 u_32_t pass;
149 int i;
150
151 if (fr_auth_lock || !fr_authused)
152 return 0;
153
154 READ_ENTER(&ipf_auth);
155 for (i = fr_authstart; i != fr_authend; ) {
156 /*
157 * index becomes -2 only after an SIOCAUTHW. Check this in
158 * case the same packet gets sent again and it hasn't yet been
159 * auth'd.
160 */
161 fra = fr_auth + i;
162 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
163 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
164 /*
165 * Avoid feedback loop.
166 */
167 if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
168 pass = FR_BLOCK;
169 /*
170 * Create a dummy rule for the stateful checking to
171 * use and return. Zero out any values we don't
172 * trust from userland!
173 */
174 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
175 (fin->fin_fi.fi_fl & FI_FRAG))) {
176 KMALLOC(fr, frentry_t *);
177 if (fr) {
178 bcopy((char *)fra->fra_info.fin_fr,
179 fr, sizeof(*fr));
180 fr->fr_grp = NULL;
181 fr->fr_ifa = fin->fin_ifp;
182 fr->fr_func = NULL;
183 fr->fr_ref = 1;
184 fr->fr_flags = pass;
185#if BSD >= 199306
186 fr->fr_oifa = NULL;
187#endif
188 }
189 } else
190 fr = fra->fra_info.fin_fr;
191 fin->fin_fr = fr;
192 RWLOCK_EXIT(&ipf_auth);
193 WRITE_ENTER(&ipf_auth);
194 if (fr && fr != fra->fra_info.fin_fr) {
195 fr->fr_next = fr_authlist;
196 fr_authlist = fr;
197 }
198 fr_authstats.fas_hits++;
199 fra->fra_index = -1;
200 fr_authused--;
201 if (i == fr_authstart) {
202 while (fra->fra_index == -1) {
203 i++;
204 fra++;
205 if (i == FR_NUMAUTH) {
206 i = 0;
207 fra = fr_auth;
208 }
209 fr_authstart = i;
210 if (i == fr_authend)
211 break;
212 }
213 if (fr_authstart == fr_authend) {
214 fr_authnext = 0;
215 fr_authstart = fr_authend = 0;
216 }
217 }
218 RWLOCK_EXIT(&ipf_auth);
219 return pass;
220 }
221 i++;
222 if (i == FR_NUMAUTH)
223 i = 0;
224 }
225 fr_authstats.fas_miss++;
226 RWLOCK_EXIT(&ipf_auth);
227 return 0;
228}
229
230
231/*
232 * Check if we have room in the auth array to hold details for another packet.
233 * If we do, store it and wake up any user programs which are waiting to
234 * hear about these events.
235 */
236int fr_newauth(m, fin, ip)
237mb_t *m;
238fr_info_t *fin;
239ip_t *ip;
240{
241#if defined(_KERNEL) && SOLARIS
242 qif_t *qif = fin->fin_qif;
243#endif
244 frauth_t *fra;
245 int i;
246
247 if (fr_auth_lock)
248 return 0;
249
250 WRITE_ENTER(&ipf_auth);
251 if (fr_authstart > fr_authend) {
252 fr_authstats.fas_nospace++;
253 RWLOCK_EXIT(&ipf_auth);
254 return 0;
255 } else {
256 if (fr_authused == FR_NUMAUTH) {
257 fr_authstats.fas_nospace++;
258 RWLOCK_EXIT(&ipf_auth);
259 return 0;
260 }
261 }
262
263 fr_authstats.fas_added++;
264 fr_authused++;
265 i = fr_authend++;
266 if (fr_authend == FR_NUMAUTH)
267 fr_authend = 0;
268 RWLOCK_EXIT(&ipf_auth);
269 fra = fr_auth + i;
270 fra->fra_index = i;
271 fra->fra_pass = 0;
272 fra->fra_age = fr_defaultauthage;
273 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
274#if SOLARIS && defined(_KERNEL)
275# if !defined(sparc)
276 /*
277 * No need to copyback here as we want to undo the changes, not keep
278 * them.
279 */
280 if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
281 {
282 register u_short bo;
283
284 bo = ip->ip_len;
285 ip->ip_len = htons(bo);
286 bo = ip->ip_off;
287 ip->ip_off = htons(bo);
288 }
289# endif
290 m->b_rptr -= qif->qf_off;
291 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
292 fra->fra_q = qif->qf_q;
293 cv_signal(&ipfauthwait);
294#else
295# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
296 if (fin->fin_out == 0) {
297 ip->ip_len = htons(ip->ip_len);
298 ip->ip_off = htons(ip->ip_off);
299 }
300# endif
301 fr_authpkts[i] = m;
302 WAKEUP(&fr_authnext);
303#endif
304 return 1;
305}
306
307
308int fr_auth_ioctl(data, mode, cmd)
309caddr_t data;
310int mode;
311#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
312u_long cmd;
313#else
314int cmd;
315#endif
316{
317 mb_t *m;
318#if defined(_KERNEL) && !SOLARIS
319# if !defined(__FreeBSD_version) || (__FreeBSD_version < 501104)
320 struct ifqueue *ifq;
321# endif
322 int s;
323#endif
324 frauth_t auth, *au = &auth, *fra;
325 int i, error = 0;
326
327 switch (cmd)
328 {
329 case SIOCSTLCK :
330 if (!(mode & FWRITE)) {
331 error = EPERM;
332 break;
333 }
334 error = fr_lock(data, &fr_auth_lock);
335 break;
336 case SIOCINIFR :
337 case SIOCRMIFR :
338 case SIOCADIFR :
339 error = EINVAL;
340 break;
341 case SIOCINAFR :
342 error = EINVAL;
343 break;
344 case SIOCRMAFR :
345 case SIOCADAFR :
346 /* These commands go via request to fr_preauthcmd */
347 error = EINVAL;
348 break;
349 case SIOCATHST:
350 fr_authstats.fas_faelist = fae_list;
351 error = IWCOPYPTR((char *)&fr_authstats, data,
352 sizeof(fr_authstats));
353 break;
354 case SIOCAUTHW:
355 if (!(mode & FWRITE)) {
356 error = EPERM;
357 break;
358 }
359fr_authioctlloop:
360 READ_ENTER(&ipf_auth);
361 if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
362 error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
363 sizeof(frauth_t));
364 RWLOCK_EXIT(&ipf_auth);
365 if (error)
366 break;
367 WRITE_ENTER(&ipf_auth);
368 SPL_NET(s);
369 fr_authnext++;
370 if (fr_authnext == FR_NUMAUTH)
371 fr_authnext = 0;
372 SPL_X(s);
373 RWLOCK_EXIT(&ipf_auth);
374 return 0;
375 }
376 RWLOCK_EXIT(&ipf_auth);
377#ifdef _KERNEL
378# if SOLARIS
379 mutex_enter(&ipf_authmx);
380 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
381 mutex_exit(&ipf_authmx);
382 return EINTR;
383 }
384 mutex_exit(&ipf_authmx);
385# else
386 error = SLEEP(&fr_authnext, "fr_authnext");
387# endif
388#endif
389 if (!error)
390 goto fr_authioctlloop;
391 break;
392 case SIOCAUTHR:
393 if (!(mode & FWRITE)) {
394 error = EPERM;
395 break;
396 }
397 error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
398 if (error)
399 return error;
400 WRITE_ENTER(&ipf_auth);
401 SPL_NET(s);
402 i = au->fra_index;
403 fra = fr_auth + i;
404 if ((i < 0) || (i > FR_NUMAUTH) ||
405 (fra->fra_info.fin_id != au->fra_info.fin_id)) {
406 SPL_X(s);
407 RWLOCK_EXIT(&ipf_auth);
408 return EINVAL;
409 }
410 m = fr_authpkts[i];
411 fra->fra_index = -2;
412 fra->fra_pass = au->fra_pass;
413 fr_authpkts[i] = NULL;
414 RWLOCK_EXIT(&ipf_auth);
415#ifdef _KERNEL
416 if (m && au->fra_info.fin_out) {
417# if SOLARIS
418 error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;
419# else /* SOLARIS */
420 struct route ro;
421
422 bzero((char *)&ro, sizeof(ro));
423# if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
424 defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605)) || \
425 (__FreeBSD_version >= 470102)
426 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
427 NULL);
428# else
429 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
430# endif
431 if (ro.ro_rt) {
432 RTFREE(ro.ro_rt);
433 }
434# endif /* SOLARIS */
435 if (error)
436 fr_authstats.fas_sendfail++;
437 else
438 fr_authstats.fas_sendok++;
439 } else if (m) {
440# if SOLARIS
441 error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0;
442# else /* SOLARIS */
443 if (! netisr_queue(NETISR_IP, m))
444 error = ENOBUFS;
445# endif /* SOLARIS */
446 if (error)
447 fr_authstats.fas_quefail++;
448 else
449 fr_authstats.fas_queok++;
450 } else
451 error = EINVAL;
452# if SOLARIS
453 if (error)
454 error = EINVAL;
455# else
456 /*
457 * If we experience an error which will result in the packet
458 * not being processed, make sure we advance to the next one.
459 */
460 if (error == ENOBUFS) {
461 fr_authused--;
462 fra->fra_index = -1;
463 fra->fra_pass = 0;
464 if (i == fr_authstart) {
465 while (fra->fra_index == -1) {
466 i++;
467 if (i == FR_NUMAUTH)
468 i = 0;
469 fr_authstart = i;
470 if (i == fr_authend)
471 break;
472 }
473 if (fr_authstart == fr_authend) {
474 fr_authnext = 0;
475 fr_authstart = fr_authend = 0;
476 }
477 }
478 }
479# endif
480#endif /* _KERNEL */
481 SPL_X(s);
482 break;
483 default :
484 error = EINVAL;
485 break;
486 }
487 return error;
488}
489
490
491/*
492 * Free all network buffer memory used to keep saved packets.
493 */
494void fr_authunload()
495{
496 register int i;
497 register frauthent_t *fae, **faep;
498 frentry_t *fr, **frp;
499 mb_t *m;
500
501 WRITE_ENTER(&ipf_auth);
502 for (i = 0; i < FR_NUMAUTH; i++) {
503 if ((m = fr_authpkts[i])) {
504 FREE_MB_T(m);
505 fr_authpkts[i] = NULL;
506 fr_auth[i].fra_index = -1;
507 }
508 }
509
510
511 for (faep = &fae_list; (fae = *faep); ) {
512 *faep = fae->fae_next;
513 KFREE(fae);
514 }
515 ipauth = NULL;
516 RWLOCK_EXIT(&ipf_auth);
517
518 if (fr_authlist) {
519 /*
520 * We *MuST* reget ipf_auth because otherwise we won't get the
521 * locks in the right order and risk deadlock.
522 * We need ipf_mutex here to prevent a rule from using it
523 * inside fr_check().
524 */
525 WRITE_ENTER(&ipf_mutex);
526 WRITE_ENTER(&ipf_auth);
527 for (frp = &fr_authlist; (fr = *frp); ) {
528 if (fr->fr_ref == 1) {
529 *frp = fr->fr_next;
530 KFREE(fr);
531 } else
532 frp = &fr->fr_next;
533 }
534 RWLOCK_EXIT(&ipf_auth);
535 RWLOCK_EXIT(&ipf_mutex);
536 }
537}
538
539
540/*
541 * Slowly expire held auth records. Timeouts are set
542 * in expectation of this being called twice per second.
543 */
544void fr_authexpire()
545{
546 register int i;
547 register frauth_t *fra;
548 register frauthent_t *fae, **faep;
549 register frentry_t *fr, **frp;
550 mb_t *m;
551#if !SOLARIS && defined(_KERNEL)
552 int s;
553#endif
554
555 if (fr_auth_lock)
556 return;
557
558 SPL_NET(s);
559 WRITE_ENTER(&ipf_auth);
560 for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
561 if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
562 FREE_MB_T(m);
563 fr_authpkts[i] = NULL;
564 fr_auth[i].fra_index = -1;
565 fr_authstats.fas_expire++;
566 fr_authused--;
567 }
568 }
569
570 for (faep = &fae_list; (fae = *faep); ) {
571 if (!--fae->fae_age) {
572 *faep = fae->fae_next;
573 KFREE(fae);
574 fr_authstats.fas_expire++;
575 } else
576 faep = &fae->fae_next;
577 }
578 if (fae_list != NULL)
579 ipauth = &fae_list->fae_fr;
580 else
581 ipauth = NULL;
582
583 for (frp = &fr_authlist; (fr = *frp); ) {
584 if (fr->fr_ref == 1) {
585 *frp = fr->fr_next;
586 KFREE(fr);
587 } else
588 frp = &fr->fr_next;
589 }
590 RWLOCK_EXIT(&ipf_auth);
591 SPL_X(s);
592}
593
594int fr_preauthcmd(cmd, fr, frptr)
595#if defined(__NetBSD__) || defined(__OpenBSD__) || \
596 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
597u_long cmd;
598#else
599int cmd;
600#endif
601frentry_t *fr, **frptr;
602{
603 frauthent_t *fae, **faep;
604 int error = 0;
605#if defined(KERNEL) && !SOLARIS
606 int s;
607#endif
608
609 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
610 /* Should not happen */
611 printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
612 return EIO;
613 }
614
615 for (faep = &fae_list; (fae = *faep); )
616 if (&fae->fae_fr == fr)
617 break;
618 else
619 faep = &fae->fae_next;
620 if (cmd == SIOCRMAFR) {
621 if (!fr || !frptr)
622 error = EINVAL;
623 else if (!fae)
624 error = ESRCH;
625 else {
626 WRITE_ENTER(&ipf_auth);
627 SPL_NET(s);
628 *faep = fae->fae_next;
629 *frptr = fr->fr_next;
630 SPL_X(s);
631 RWLOCK_EXIT(&ipf_auth);
632 KFREE(fae);
633 }
634 } else if (fr && frptr) {
635 KMALLOC(fae, frauthent_t *);
636 if (fae != NULL) {
637 bcopy((char *)fr, (char *)&fae->fae_fr,
638 sizeof(*fr));
639 WRITE_ENTER(&ipf_auth);
640 SPL_NET(s);
641 fae->fae_age = fr_defaultauthage;
642 fae->fae_fr.fr_hits = 0;
643 fae->fae_fr.fr_next = *frptr;
644 *frptr = &fae->fae_fr;
645 fae->fae_next = *faep;
646 *faep = fae;
647 ipauth = &fae_list->fae_fr;
648 SPL_X(s);
649 RWLOCK_EXIT(&ipf_auth);
650 } else
651 error = ENOMEM;
652 } else
653 error = EINVAL;
654 return error;
655}