1/*
2 * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 */
6#if defined(__sgi) && (IRIX > 602)
7# include <sys/ptimers.h>
8#endif
9#include <sys/errno.h>
10#include <sys/types.h>
11#include <sys/param.h>
12#include <sys/time.h>
13#include <sys/file.h>
14#if !defined(_KERNEL) && !defined(KERNEL)
15# include <stdio.h>
16# include <stdlib.h>
17# include <string.h>
18#endif
19#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
20# include <sys/filio.h>
21# include <sys/fcntl.h>
22#else
23# include <sys/ioctl.h>
24#endif
25#ifndef linux
26# include <sys/protosw.h>
27#endif
28#include <sys/socket.h>
29#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
30# include <sys/systm.h>
31#endif
32#if !defined(__SVR4) && !defined(__svr4__)
33# ifndef linux
34# include <sys/mbuf.h>
35# endif
36#else
37# include <sys/filio.h>
38# include <sys/byteorder.h>
39# ifdef _KERNEL
40# include <sys/dditypes.h>
41# endif
42# include <sys/stream.h>
43# include <sys/kmem.h>
44#endif
45#if (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
46# include <sys/queue.h>
47#endif
48#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
49# include <machine/cpu.h>
50#endif
51#include <net/if.h>
52#ifdef sun
53# include <net/af.h>
54#endif
55#include <net/route.h>
56#include <netinet/in.h>
57#include <netinet/in_systm.h>
58#include <netinet/ip.h>
59#ifndef KERNEL
60# define KERNEL
61# define NOT_KERNEL
62#endif
63#ifndef linux
64# include <netinet/ip_var.h>
65#endif
66#ifdef NOT_KERNEL
67# undef KERNEL
68#endif
69#ifdef __sgi
70# ifdef IFF_DRVRLOCK /* IRIX6 */
71# include <sys/hashing.h>
72# endif
73#endif
74#include <netinet/tcp.h>
75#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
76extern struct ifqueue ipintrq; /* ip packet input queue */
77#else
78# ifndef linux
79# if __FreeBSD_version >= 300000
80# include <net/if_var.h>
81# endif
82# include <netinet/in_var.h>
83# include <netinet/tcp_fsm.h>
84# endif
85#endif
86#include <netinet/udp.h>
87#include <netinet/ip_icmp.h>
88#include "netinet/ip_compat.h"
89#include <netinet/tcpip.h>
90#include "netinet/ip_fil.h"
91#include "netinet/ip_auth.h"
92#if !SOLARIS && !defined(linux)
93# include <net/netisr.h>
94# ifdef __FreeBSD__
95# include <machine/cpufunc.h>
96# endif
97#endif
98#if (__FreeBSD_version >= 300000)
99# include <sys/malloc.h>
100# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
101# include <sys/libkern.h>
102# include <sys/systm.h>
103# endif
104#endif
105
106#if !defined(lint)
107/* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.12 2001/07/18 14:57:08 darrenr Exp $"; */
108static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/ip_auth.c 110916 2003-02-15 06:25:25Z darrenr $";
109#endif
110
111
112#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
113extern KRWLOCK_T ipf_auth, ipf_mutex;
114extern kmutex_t ipf_authmx;
115# if SOLARIS
116extern kcondvar_t ipfauthwait;
117# endif
118#endif
119#ifdef linux
120static struct wait_queue *ipfauthwait = NULL;
121#endif
122
123int fr_authsize = FR_NUMAUTH;
124int fr_authused = 0;
125int fr_defaultauthage = 600;
126int fr_auth_lock = 0;
127fr_authstat_t fr_authstats;
128static frauth_t fr_auth[FR_NUMAUTH];
129mb_t *fr_authpkts[FR_NUMAUTH];
130static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
131static frauthent_t *fae_list = NULL;
132frentry_t *ipauth = NULL,
133 *fr_authlist = NULL;
134
135
136/*
137 * Check if a packet has authorization. If the packet is found to match an
138 * authorization result and that would result in a feedback loop (i.e. it
139 * will end up returning FR_AUTH) then return FR_BLOCK instead.
140 */
141u_32_t fr_checkauth(ip, fin)
142ip_t *ip;
143fr_info_t *fin;
144{
145 u_short id = ip->ip_id;
146 frentry_t *fr;
147 frauth_t *fra;
148 u_32_t pass;
149 int i;
150
151 if (fr_auth_lock || !fr_authused)
152 return 0;
153
154 READ_ENTER(&ipf_auth);
155 for (i = fr_authstart; i != fr_authend; ) {
156 /*
157 * index becomes -2 only after an SIOCAUTHW. Check this in
158 * case the same packet gets sent again and it hasn't yet been
159 * auth'd.
160 */
161 fra = fr_auth + i;
162 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
163 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
164 /*
165 * Avoid feedback loop.
166 */
167 if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
168 pass = FR_BLOCK;
169 /*
170 * Create a dummy rule for the stateful checking to
171 * use and return. Zero out any values we don't
172 * trust from userland!
173 */
174 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
175 (fin->fin_fi.fi_fl & FI_FRAG))) {
176 KMALLOC(fr, frentry_t *);
177 if (fr) {
178 bcopy((char *)fra->fra_info.fin_fr,
179 fr, sizeof(*fr));
180 fr->fr_grp = NULL;
181 fr->fr_ifa = fin->fin_ifp;
182 fr->fr_func = NULL;
183 fr->fr_ref = 1;
184 fr->fr_flags = pass;
185#if BSD >= 199306
186 fr->fr_oifa = NULL;
187#endif
188 }
189 } else
190 fr = fra->fra_info.fin_fr;
191 fin->fin_fr = fr;
192 RWLOCK_EXIT(&ipf_auth);
193 WRITE_ENTER(&ipf_auth);
194 if (fr && fr != fra->fra_info.fin_fr) {
195 fr->fr_next = fr_authlist;
196 fr_authlist = fr;
197 }
198 fr_authstats.fas_hits++;
199 fra->fra_index = -1;
200 fr_authused--;
201 if (i == fr_authstart) {
202 while (fra->fra_index == -1) {
203 i++;
204 fra++;
205 if (i == FR_NUMAUTH) {
206 i = 0;
207 fra = fr_auth;
208 }
209 fr_authstart = i;
210 if (i == fr_authend)
211 break;
212 }
213 if (fr_authstart == fr_authend) {
214 fr_authnext = 0;
215 fr_authstart = fr_authend = 0;
216 }
217 }
218 RWLOCK_EXIT(&ipf_auth);
219 return pass;
220 }
221 i++;
222 if (i == FR_NUMAUTH)
223 i = 0;
224 }
225 fr_authstats.fas_miss++;
226 RWLOCK_EXIT(&ipf_auth);
227 return 0;
228}
229
230
231/*
232 * Check if we have room in the auth array to hold details for another packet.
233 * If we do, store it and wake up any user programs which are waiting to
234 * hear about these events.
235 */
236int fr_newauth(m, fin, ip)
237mb_t *m;
238fr_info_t *fin;
239ip_t *ip;
240{
241#if defined(_KERNEL) && SOLARIS
242 qif_t *qif = fin->fin_qif;
243#endif
244 frauth_t *fra;
245 int i;
246
247 if (fr_auth_lock)
248 return 0;
249
250 WRITE_ENTER(&ipf_auth);
251 if (fr_authstart > fr_authend) {
252 fr_authstats.fas_nospace++;
253 RWLOCK_EXIT(&ipf_auth);
254 return 0;
255 } else {
256 if (fr_authused == FR_NUMAUTH) {
257 fr_authstats.fas_nospace++;
258 RWLOCK_EXIT(&ipf_auth);
259 return 0;
260 }
261 }
262
263 fr_authstats.fas_added++;
264 fr_authused++;
265 i = fr_authend++;
266 if (fr_authend == FR_NUMAUTH)
267 fr_authend = 0;
268 RWLOCK_EXIT(&ipf_auth);
269 fra = fr_auth + i;
270 fra->fra_index = i;
271 fra->fra_pass = 0;
272 fra->fra_age = fr_defaultauthage;
273 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
274#if SOLARIS && defined(_KERNEL)
275# if !defined(sparc)
276 /*
277 * No need to copyback here as we want to undo the changes, not keep
278 * them.
279 */
280 if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
281 {
282 register u_short bo;
283
284 bo = ip->ip_len;
285 ip->ip_len = htons(bo);
286# if !SOLARIS && !defined(__NetBSD__) && !defined(__FreeBSD__)
287 /* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
288 bo = ip->ip_id;
289 ip->ip_id = htons(bo);
290# endif
291 bo = ip->ip_off;
292 ip->ip_off = htons(bo);
293 }
294# endif
295 m->b_rptr -= qif->qf_off;
296 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
297 fra->fra_q = qif->qf_q;
298 cv_signal(&ipfauthwait);
299#else
300# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
301 if (fin->fin_out == 0) {
302 ip->ip_len = htons(ip->ip_len);
303 ip->ip_off = htons(ip->ip_off);
304 }
305# endif
306 fr_authpkts[i] = m;
307 WAKEUP(&fr_authnext);
308#endif
309 return 1;
310}
311
312
313int fr_auth_ioctl(data, mode, cmd)
314caddr_t data;
315int mode;
316#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
317u_long cmd;
318#else
319int cmd;
320#endif
321{
322 mb_t *m;
323#if defined(_KERNEL) && !SOLARIS
324 int s;
325#endif
326 frauth_t auth, *au = &auth, *fra;
327 int i, error = 0;
328
329 switch (cmd)
330 {
331 case SIOCSTLCK :
332 if (!(mode & FWRITE)) {
333 error = EPERM;
334 break;
335 }
336 error = fr_lock(data, &fr_auth_lock);
337 break;
338 case SIOCINIFR :
339 case SIOCRMIFR :
340 case SIOCADIFR :
341 error = EINVAL;
342 break;
343 case SIOCINAFR :
344 error = EINVAL;
345 break;
346 case SIOCRMAFR :
347 case SIOCADAFR :
348 /* These commands go via request to fr_preauthcmd */
349 error = EINVAL;
350 break;
351 case SIOCATHST:
352 fr_authstats.fas_faelist = fae_list;
353 error = IWCOPYPTR((char *)&fr_authstats, data,
354 sizeof(fr_authstats));
355 break;
356 case SIOCAUTHW:
357 if (!(mode & FWRITE)) {
358 error = EPERM;
359 break;
360 }
361fr_authioctlloop:
362 READ_ENTER(&ipf_auth);
363 if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
364 error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
365 sizeof(frauth_t));
366 RWLOCK_EXIT(&ipf_auth);
367 if (error)
368 break;
369 WRITE_ENTER(&ipf_auth);
370 SPL_NET(s);
371 fr_authnext++;
372 if (fr_authnext == FR_NUMAUTH)
373 fr_authnext = 0;
374 SPL_X(s);
375 RWLOCK_EXIT(&ipf_auth);
376 return 0;
377 }
378 RWLOCK_EXIT(&ipf_auth);
379#ifdef _KERNEL
380# if SOLARIS
381 mutex_enter(&ipf_authmx);
382 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
383 mutex_exit(&ipf_authmx);
384 return EINTR;
385 }
386 mutex_exit(&ipf_authmx);
387# else
388 error = SLEEP(&fr_authnext, "fr_authnext");
389# endif
390#endif
391 if (!error)
392 goto fr_authioctlloop;
393 break;
394 case SIOCAUTHR:
395 if (!(mode & FWRITE)) {
396 error = EPERM;
397 break;
398 }
399 error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
400 if (error)
401 return error;
402 WRITE_ENTER(&ipf_auth);
403 SPL_NET(s);
404 i = au->fra_index;
405 fra = fr_auth + i;
406 if ((i < 0) || (i > FR_NUMAUTH) ||
407 (fra->fra_info.fin_id != au->fra_info.fin_id)) {
408 SPL_X(s);
409 RWLOCK_EXIT(&ipf_auth);
410 return EINVAL;
411 }
412 m = fr_authpkts[i];
413 fra->fra_index = -2;
414 fra->fra_pass = au->fra_pass;
415 fr_authpkts[i] = NULL;
416 RWLOCK_EXIT(&ipf_auth);
417#ifdef _KERNEL
418 if (m && au->fra_info.fin_out) {
419# if SOLARIS
420 error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;
421# else /* SOLARIS */
422 struct route ro;
423
424 bzero((char *)&ro, sizeof(ro));
425# if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
426 defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605)) || \
427 (__FreeBSD_version >= 500042)
428 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
429 NULL);
430# else
431 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
432# endif
433 if (ro.ro_rt) {
434 RTFREE(ro.ro_rt);
435 }
436# endif /* SOLARIS */
437 if (error)
438 fr_authstats.fas_sendfail++;
439 else
440 fr_authstats.fas_sendok++;
441 } else if (m) {
442# if SOLARIS
443 error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0;
444# else /* SOLARIS */
445 if (! IF_HANDOFF(&ipintrq, m, NULL))
446 error = ENOBUFS;
447 else
448 schednetisr(NETISR_IP);
449# endif /* SOLARIS */
450 if (error)
451 fr_authstats.fas_quefail++;
452 else
453 fr_authstats.fas_queok++;
454 } else
455 error = EINVAL;
456# if SOLARIS
457 if (error)
458 error = EINVAL;
459# else
460 /*
461 * If we experience an error which will result in the packet
462 * not being processed, make sure we advance to the next one.
463 */
464 if (error == ENOBUFS) {
465 fr_authused--;
466 fra->fra_index = -1;
467 fra->fra_pass = 0;
468 if (i == fr_authstart) {
469 while (fra->fra_index == -1) {
470 i++;
471 if (i == FR_NUMAUTH)
472 i = 0;
473 fr_authstart = i;
474 if (i == fr_authend)
475 break;
476 }
477 if (fr_authstart == fr_authend) {
478 fr_authnext = 0;
479 fr_authstart = fr_authend = 0;
480 }
481 }
482 }
483# endif
484#endif /* _KERNEL */
485 SPL_X(s);
486 break;
487 default :
488 error = EINVAL;
489 break;
490 }
491 return error;
492}
493
494
495/*
496 * Free all network buffer memory used to keep saved packets.
497 */
498void fr_authunload()
499{
500 register int i;
501 register frauthent_t *fae, **faep;
502 frentry_t *fr, **frp;
503 mb_t *m;
504
505 WRITE_ENTER(&ipf_auth);
506 for (i = 0; i < FR_NUMAUTH; i++) {
507 if ((m = fr_authpkts[i])) {
508 FREE_MB_T(m);
509 fr_authpkts[i] = NULL;
510 fr_auth[i].fra_index = -1;
511 }
512 }
513
514
515 for (faep = &fae_list; (fae = *faep); ) {
516 *faep = fae->fae_next;
517 KFREE(fae);
518 }
519 ipauth = NULL;
520 RWLOCK_EXIT(&ipf_auth);
521
522 if (fr_authlist) {
523 /*
524 * We *MuST* reget ipf_auth because otherwise we won't get the
525 * locks in the right order and risk deadlock.
526 * We need ipf_mutex here to prevent a rule from using it
527 * inside fr_check().
528 */
529 WRITE_ENTER(&ipf_mutex);
530 WRITE_ENTER(&ipf_auth);
531 for (frp = &fr_authlist; (fr = *frp); ) {
532 if (fr->fr_ref == 1) {
533 *frp = fr->fr_next;
534 KFREE(fr);
535 } else
536 frp = &fr->fr_next;
537 }
538 RWLOCK_EXIT(&ipf_auth);
539 RWLOCK_EXIT(&ipf_mutex);
540 }
541}
542
543
544/*
545 * Slowly expire held auth records. Timeouts are set
546 * in expectation of this being called twice per second.
547 */
548void fr_authexpire()
549{
550 register int i;
551 register frauth_t *fra;
552 register frauthent_t *fae, **faep;
553 register frentry_t *fr, **frp;
554 mb_t *m;
555#if !SOLARIS && defined(_KERNEL)
556 int s;
557#endif
558
559 if (fr_auth_lock)
560 return;
561
562 SPL_NET(s);
563 WRITE_ENTER(&ipf_auth);
564 for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
565 if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
566 FREE_MB_T(m);
567 fr_authpkts[i] = NULL;
568 fr_auth[i].fra_index = -1;
569 fr_authstats.fas_expire++;
570 fr_authused--;
571 }
572 }
573
574 for (faep = &fae_list; (fae = *faep); ) {
575 if (!--fae->fae_age) {
576 *faep = fae->fae_next;
577 KFREE(fae);
578 fr_authstats.fas_expire++;
579 } else
580 faep = &fae->fae_next;
581 }
582 if (fae_list != NULL)
583 ipauth = &fae_list->fae_fr;
584 else
585 ipauth = NULL;
586
587 for (frp = &fr_authlist; (fr = *frp); ) {
588 if (fr->fr_ref == 1) {
589 *frp = fr->fr_next;
590 KFREE(fr);
591 } else
592 frp = &fr->fr_next;
593 }
594 RWLOCK_EXIT(&ipf_auth);
595 SPL_X(s);
596}
597
598int fr_preauthcmd(cmd, fr, frptr)
599#if defined(__NetBSD__) || defined(__OpenBSD__) || \
600 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
601u_long cmd;
602#else
603int cmd;
604#endif
605frentry_t *fr, **frptr;
606{
607 frauthent_t *fae, **faep;
608 int error = 0;
609#if defined(KERNEL) && !SOLARIS
610 int s;
611#endif
612
613 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
614 /* Should not happen */
615 printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
616 return EIO;
617 }
618
619 for (faep = &fae_list; (fae = *faep); )
620 if (&fae->fae_fr == fr)
621 break;
622 else
623 faep = &fae->fae_next;
624 if (cmd == SIOCRMAFR) {
625 if (!fr || !frptr)
626 error = EINVAL;
627 else if (!fae)
628 error = ESRCH;
629 else {
630 WRITE_ENTER(&ipf_auth);
631 SPL_NET(s);
632 *faep = fae->fae_next;
633 *frptr = fr->fr_next;
634 SPL_X(s);
635 RWLOCK_EXIT(&ipf_auth);
636 KFREE(fae);
637 }
638 } else if (fr && frptr) {
639 KMALLOC(fae, frauthent_t *);
640 if (fae != NULL) {
641 bcopy((char *)fr, (char *)&fae->fae_fr,
642 sizeof(*fr));
643 WRITE_ENTER(&ipf_auth);
644 SPL_NET(s);
645 fae->fae_age = fr_defaultauthage;
646 fae->fae_fr.fr_hits = 0;
647 fae->fae_fr.fr_next = *frptr;
648 *frptr = &fae->fae_fr;
649 fae->fae_next = *faep;
650 *faep = fae;
651 ipauth = &fae_list->fae_fr;
652 SPL_X(s);
653 RWLOCK_EXIT(&ipf_auth);
654 } else
655 error = ENOMEM;
656 } else
657 error = EINVAL;
658 return error;
659}
2 * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 */
6#if defined(__sgi) && (IRIX > 602)
7# include <sys/ptimers.h>
8#endif
9#include <sys/errno.h>
10#include <sys/types.h>
11#include <sys/param.h>
12#include <sys/time.h>
13#include <sys/file.h>
14#if !defined(_KERNEL) && !defined(KERNEL)
15# include <stdio.h>
16# include <stdlib.h>
17# include <string.h>
18#endif
19#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
20# include <sys/filio.h>
21# include <sys/fcntl.h>
22#else
23# include <sys/ioctl.h>
24#endif
25#ifndef linux
26# include <sys/protosw.h>
27#endif
28#include <sys/socket.h>
29#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
30# include <sys/systm.h>
31#endif
32#if !defined(__SVR4) && !defined(__svr4__)
33# ifndef linux
34# include <sys/mbuf.h>
35# endif
36#else
37# include <sys/filio.h>
38# include <sys/byteorder.h>
39# ifdef _KERNEL
40# include <sys/dditypes.h>
41# endif
42# include <sys/stream.h>
43# include <sys/kmem.h>
44#endif
45#if (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
46# include <sys/queue.h>
47#endif
48#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
49# include <machine/cpu.h>
50#endif
51#include <net/if.h>
52#ifdef sun
53# include <net/af.h>
54#endif
55#include <net/route.h>
56#include <netinet/in.h>
57#include <netinet/in_systm.h>
58#include <netinet/ip.h>
59#ifndef KERNEL
60# define KERNEL
61# define NOT_KERNEL
62#endif
63#ifndef linux
64# include <netinet/ip_var.h>
65#endif
66#ifdef NOT_KERNEL
67# undef KERNEL
68#endif
69#ifdef __sgi
70# ifdef IFF_DRVRLOCK /* IRIX6 */
71# include <sys/hashing.h>
72# endif
73#endif
74#include <netinet/tcp.h>
75#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
76extern struct ifqueue ipintrq; /* ip packet input queue */
77#else
78# ifndef linux
79# if __FreeBSD_version >= 300000
80# include <net/if_var.h>
81# endif
82# include <netinet/in_var.h>
83# include <netinet/tcp_fsm.h>
84# endif
85#endif
86#include <netinet/udp.h>
87#include <netinet/ip_icmp.h>
88#include "netinet/ip_compat.h"
89#include <netinet/tcpip.h>
90#include "netinet/ip_fil.h"
91#include "netinet/ip_auth.h"
92#if !SOLARIS && !defined(linux)
93# include <net/netisr.h>
94# ifdef __FreeBSD__
95# include <machine/cpufunc.h>
96# endif
97#endif
98#if (__FreeBSD_version >= 300000)
99# include <sys/malloc.h>
100# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
101# include <sys/libkern.h>
102# include <sys/systm.h>
103# endif
104#endif
105
106#if !defined(lint)
107/* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.12 2001/07/18 14:57:08 darrenr Exp $"; */
108static const char rcsid[] = "@(#)$FreeBSD: head/sys/contrib/ipfilter/netinet/ip_auth.c 110916 2003-02-15 06:25:25Z darrenr $";
109#endif
110
111
112#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
113extern KRWLOCK_T ipf_auth, ipf_mutex;
114extern kmutex_t ipf_authmx;
115# if SOLARIS
116extern kcondvar_t ipfauthwait;
117# endif
118#endif
119#ifdef linux
120static struct wait_queue *ipfauthwait = NULL;
121#endif
122
123int fr_authsize = FR_NUMAUTH;
124int fr_authused = 0;
125int fr_defaultauthage = 600;
126int fr_auth_lock = 0;
127fr_authstat_t fr_authstats;
128static frauth_t fr_auth[FR_NUMAUTH];
129mb_t *fr_authpkts[FR_NUMAUTH];
130static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
131static frauthent_t *fae_list = NULL;
132frentry_t *ipauth = NULL,
133 *fr_authlist = NULL;
134
135
136/*
137 * Check if a packet has authorization. If the packet is found to match an
138 * authorization result and that would result in a feedback loop (i.e. it
139 * will end up returning FR_AUTH) then return FR_BLOCK instead.
140 */
141u_32_t fr_checkauth(ip, fin)
142ip_t *ip;
143fr_info_t *fin;
144{
145 u_short id = ip->ip_id;
146 frentry_t *fr;
147 frauth_t *fra;
148 u_32_t pass;
149 int i;
150
151 if (fr_auth_lock || !fr_authused)
152 return 0;
153
154 READ_ENTER(&ipf_auth);
155 for (i = fr_authstart; i != fr_authend; ) {
156 /*
157 * index becomes -2 only after an SIOCAUTHW. Check this in
158 * case the same packet gets sent again and it hasn't yet been
159 * auth'd.
160 */
161 fra = fr_auth + i;
162 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
163 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
164 /*
165 * Avoid feedback loop.
166 */
167 if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
168 pass = FR_BLOCK;
169 /*
170 * Create a dummy rule for the stateful checking to
171 * use and return. Zero out any values we don't
172 * trust from userland!
173 */
174 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
175 (fin->fin_fi.fi_fl & FI_FRAG))) {
176 KMALLOC(fr, frentry_t *);
177 if (fr) {
178 bcopy((char *)fra->fra_info.fin_fr,
179 fr, sizeof(*fr));
180 fr->fr_grp = NULL;
181 fr->fr_ifa = fin->fin_ifp;
182 fr->fr_func = NULL;
183 fr->fr_ref = 1;
184 fr->fr_flags = pass;
185#if BSD >= 199306
186 fr->fr_oifa = NULL;
187#endif
188 }
189 } else
190 fr = fra->fra_info.fin_fr;
191 fin->fin_fr = fr;
192 RWLOCK_EXIT(&ipf_auth);
193 WRITE_ENTER(&ipf_auth);
194 if (fr && fr != fra->fra_info.fin_fr) {
195 fr->fr_next = fr_authlist;
196 fr_authlist = fr;
197 }
198 fr_authstats.fas_hits++;
199 fra->fra_index = -1;
200 fr_authused--;
201 if (i == fr_authstart) {
202 while (fra->fra_index == -1) {
203 i++;
204 fra++;
205 if (i == FR_NUMAUTH) {
206 i = 0;
207 fra = fr_auth;
208 }
209 fr_authstart = i;
210 if (i == fr_authend)
211 break;
212 }
213 if (fr_authstart == fr_authend) {
214 fr_authnext = 0;
215 fr_authstart = fr_authend = 0;
216 }
217 }
218 RWLOCK_EXIT(&ipf_auth);
219 return pass;
220 }
221 i++;
222 if (i == FR_NUMAUTH)
223 i = 0;
224 }
225 fr_authstats.fas_miss++;
226 RWLOCK_EXIT(&ipf_auth);
227 return 0;
228}
229
230
231/*
232 * Check if we have room in the auth array to hold details for another packet.
233 * If we do, store it and wake up any user programs which are waiting to
234 * hear about these events.
235 */
236int fr_newauth(m, fin, ip)
237mb_t *m;
238fr_info_t *fin;
239ip_t *ip;
240{
241#if defined(_KERNEL) && SOLARIS
242 qif_t *qif = fin->fin_qif;
243#endif
244 frauth_t *fra;
245 int i;
246
247 if (fr_auth_lock)
248 return 0;
249
250 WRITE_ENTER(&ipf_auth);
251 if (fr_authstart > fr_authend) {
252 fr_authstats.fas_nospace++;
253 RWLOCK_EXIT(&ipf_auth);
254 return 0;
255 } else {
256 if (fr_authused == FR_NUMAUTH) {
257 fr_authstats.fas_nospace++;
258 RWLOCK_EXIT(&ipf_auth);
259 return 0;
260 }
261 }
262
263 fr_authstats.fas_added++;
264 fr_authused++;
265 i = fr_authend++;
266 if (fr_authend == FR_NUMAUTH)
267 fr_authend = 0;
268 RWLOCK_EXIT(&ipf_auth);
269 fra = fr_auth + i;
270 fra->fra_index = i;
271 fra->fra_pass = 0;
272 fra->fra_age = fr_defaultauthage;
273 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
274#if SOLARIS && defined(_KERNEL)
275# if !defined(sparc)
276 /*
277 * No need to copyback here as we want to undo the changes, not keep
278 * them.
279 */
280 if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
281 {
282 register u_short bo;
283
284 bo = ip->ip_len;
285 ip->ip_len = htons(bo);
286# if !SOLARIS && !defined(__NetBSD__) && !defined(__FreeBSD__)
287 /* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
288 bo = ip->ip_id;
289 ip->ip_id = htons(bo);
290# endif
291 bo = ip->ip_off;
292 ip->ip_off = htons(bo);
293 }
294# endif
295 m->b_rptr -= qif->qf_off;
296 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
297 fra->fra_q = qif->qf_q;
298 cv_signal(&ipfauthwait);
299#else
300# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
301 if (fin->fin_out == 0) {
302 ip->ip_len = htons(ip->ip_len);
303 ip->ip_off = htons(ip->ip_off);
304 }
305# endif
306 fr_authpkts[i] = m;
307 WAKEUP(&fr_authnext);
308#endif
309 return 1;
310}
311
312
313int fr_auth_ioctl(data, mode, cmd)
314caddr_t data;
315int mode;
316#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
317u_long cmd;
318#else
319int cmd;
320#endif
321{
322 mb_t *m;
323#if defined(_KERNEL) && !SOLARIS
324 int s;
325#endif
326 frauth_t auth, *au = &auth, *fra;
327 int i, error = 0;
328
329 switch (cmd)
330 {
331 case SIOCSTLCK :
332 if (!(mode & FWRITE)) {
333 error = EPERM;
334 break;
335 }
336 error = fr_lock(data, &fr_auth_lock);
337 break;
338 case SIOCINIFR :
339 case SIOCRMIFR :
340 case SIOCADIFR :
341 error = EINVAL;
342 break;
343 case SIOCINAFR :
344 error = EINVAL;
345 break;
346 case SIOCRMAFR :
347 case SIOCADAFR :
348 /* These commands go via request to fr_preauthcmd */
349 error = EINVAL;
350 break;
351 case SIOCATHST:
352 fr_authstats.fas_faelist = fae_list;
353 error = IWCOPYPTR((char *)&fr_authstats, data,
354 sizeof(fr_authstats));
355 break;
356 case SIOCAUTHW:
357 if (!(mode & FWRITE)) {
358 error = EPERM;
359 break;
360 }
361fr_authioctlloop:
362 READ_ENTER(&ipf_auth);
363 if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
364 error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
365 sizeof(frauth_t));
366 RWLOCK_EXIT(&ipf_auth);
367 if (error)
368 break;
369 WRITE_ENTER(&ipf_auth);
370 SPL_NET(s);
371 fr_authnext++;
372 if (fr_authnext == FR_NUMAUTH)
373 fr_authnext = 0;
374 SPL_X(s);
375 RWLOCK_EXIT(&ipf_auth);
376 return 0;
377 }
378 RWLOCK_EXIT(&ipf_auth);
379#ifdef _KERNEL
380# if SOLARIS
381 mutex_enter(&ipf_authmx);
382 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
383 mutex_exit(&ipf_authmx);
384 return EINTR;
385 }
386 mutex_exit(&ipf_authmx);
387# else
388 error = SLEEP(&fr_authnext, "fr_authnext");
389# endif
390#endif
391 if (!error)
392 goto fr_authioctlloop;
393 break;
394 case SIOCAUTHR:
395 if (!(mode & FWRITE)) {
396 error = EPERM;
397 break;
398 }
399 error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
400 if (error)
401 return error;
402 WRITE_ENTER(&ipf_auth);
403 SPL_NET(s);
404 i = au->fra_index;
405 fra = fr_auth + i;
406 if ((i < 0) || (i > FR_NUMAUTH) ||
407 (fra->fra_info.fin_id != au->fra_info.fin_id)) {
408 SPL_X(s);
409 RWLOCK_EXIT(&ipf_auth);
410 return EINVAL;
411 }
412 m = fr_authpkts[i];
413 fra->fra_index = -2;
414 fra->fra_pass = au->fra_pass;
415 fr_authpkts[i] = NULL;
416 RWLOCK_EXIT(&ipf_auth);
417#ifdef _KERNEL
418 if (m && au->fra_info.fin_out) {
419# if SOLARIS
420 error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;
421# else /* SOLARIS */
422 struct route ro;
423
424 bzero((char *)&ro, sizeof(ro));
425# if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
426 defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605)) || \
427 (__FreeBSD_version >= 500042)
428 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
429 NULL);
430# else
431 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
432# endif
433 if (ro.ro_rt) {
434 RTFREE(ro.ro_rt);
435 }
436# endif /* SOLARIS */
437 if (error)
438 fr_authstats.fas_sendfail++;
439 else
440 fr_authstats.fas_sendok++;
441 } else if (m) {
442# if SOLARIS
443 error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0;
444# else /* SOLARIS */
445 if (! IF_HANDOFF(&ipintrq, m, NULL))
446 error = ENOBUFS;
447 else
448 schednetisr(NETISR_IP);
449# endif /* SOLARIS */
450 if (error)
451 fr_authstats.fas_quefail++;
452 else
453 fr_authstats.fas_queok++;
454 } else
455 error = EINVAL;
456# if SOLARIS
457 if (error)
458 error = EINVAL;
459# else
460 /*
461 * If we experience an error which will result in the packet
462 * not being processed, make sure we advance to the next one.
463 */
464 if (error == ENOBUFS) {
465 fr_authused--;
466 fra->fra_index = -1;
467 fra->fra_pass = 0;
468 if (i == fr_authstart) {
469 while (fra->fra_index == -1) {
470 i++;
471 if (i == FR_NUMAUTH)
472 i = 0;
473 fr_authstart = i;
474 if (i == fr_authend)
475 break;
476 }
477 if (fr_authstart == fr_authend) {
478 fr_authnext = 0;
479 fr_authstart = fr_authend = 0;
480 }
481 }
482 }
483# endif
484#endif /* _KERNEL */
485 SPL_X(s);
486 break;
487 default :
488 error = EINVAL;
489 break;
490 }
491 return error;
492}
493
494
495/*
496 * Free all network buffer memory used to keep saved packets.
497 */
498void fr_authunload()
499{
500 register int i;
501 register frauthent_t *fae, **faep;
502 frentry_t *fr, **frp;
503 mb_t *m;
504
505 WRITE_ENTER(&ipf_auth);
506 for (i = 0; i < FR_NUMAUTH; i++) {
507 if ((m = fr_authpkts[i])) {
508 FREE_MB_T(m);
509 fr_authpkts[i] = NULL;
510 fr_auth[i].fra_index = -1;
511 }
512 }
513
514
515 for (faep = &fae_list; (fae = *faep); ) {
516 *faep = fae->fae_next;
517 KFREE(fae);
518 }
519 ipauth = NULL;
520 RWLOCK_EXIT(&ipf_auth);
521
522 if (fr_authlist) {
523 /*
524 * We *MuST* reget ipf_auth because otherwise we won't get the
525 * locks in the right order and risk deadlock.
526 * We need ipf_mutex here to prevent a rule from using it
527 * inside fr_check().
528 */
529 WRITE_ENTER(&ipf_mutex);
530 WRITE_ENTER(&ipf_auth);
531 for (frp = &fr_authlist; (fr = *frp); ) {
532 if (fr->fr_ref == 1) {
533 *frp = fr->fr_next;
534 KFREE(fr);
535 } else
536 frp = &fr->fr_next;
537 }
538 RWLOCK_EXIT(&ipf_auth);
539 RWLOCK_EXIT(&ipf_mutex);
540 }
541}
542
543
544/*
545 * Slowly expire held auth records. Timeouts are set
546 * in expectation of this being called twice per second.
547 */
548void fr_authexpire()
549{
550 register int i;
551 register frauth_t *fra;
552 register frauthent_t *fae, **faep;
553 register frentry_t *fr, **frp;
554 mb_t *m;
555#if !SOLARIS && defined(_KERNEL)
556 int s;
557#endif
558
559 if (fr_auth_lock)
560 return;
561
562 SPL_NET(s);
563 WRITE_ENTER(&ipf_auth);
564 for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
565 if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
566 FREE_MB_T(m);
567 fr_authpkts[i] = NULL;
568 fr_auth[i].fra_index = -1;
569 fr_authstats.fas_expire++;
570 fr_authused--;
571 }
572 }
573
574 for (faep = &fae_list; (fae = *faep); ) {
575 if (!--fae->fae_age) {
576 *faep = fae->fae_next;
577 KFREE(fae);
578 fr_authstats.fas_expire++;
579 } else
580 faep = &fae->fae_next;
581 }
582 if (fae_list != NULL)
583 ipauth = &fae_list->fae_fr;
584 else
585 ipauth = NULL;
586
587 for (frp = &fr_authlist; (fr = *frp); ) {
588 if (fr->fr_ref == 1) {
589 *frp = fr->fr_next;
590 KFREE(fr);
591 } else
592 frp = &fr->fr_next;
593 }
594 RWLOCK_EXIT(&ipf_auth);
595 SPL_X(s);
596}
597
598int fr_preauthcmd(cmd, fr, frptr)
599#if defined(__NetBSD__) || defined(__OpenBSD__) || \
600 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
601u_long cmd;
602#else
603int cmd;
604#endif
605frentry_t *fr, **frptr;
606{
607 frauthent_t *fae, **faep;
608 int error = 0;
609#if defined(KERNEL) && !SOLARIS
610 int s;
611#endif
612
613 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
614 /* Should not happen */
615 printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
616 return EIO;
617 }
618
619 for (faep = &fae_list; (fae = *faep); )
620 if (&fae->fae_fr == fr)
621 break;
622 else
623 faep = &fae->fae_next;
624 if (cmd == SIOCRMAFR) {
625 if (!fr || !frptr)
626 error = EINVAL;
627 else if (!fae)
628 error = ESRCH;
629 else {
630 WRITE_ENTER(&ipf_auth);
631 SPL_NET(s);
632 *faep = fae->fae_next;
633 *frptr = fr->fr_next;
634 SPL_X(s);
635 RWLOCK_EXIT(&ipf_auth);
636 KFREE(fae);
637 }
638 } else if (fr && frptr) {
639 KMALLOC(fae, frauthent_t *);
640 if (fae != NULL) {
641 bcopy((char *)fr, (char *)&fae->fae_fr,
642 sizeof(*fr));
643 WRITE_ENTER(&ipf_auth);
644 SPL_NET(s);
645 fae->fae_age = fr_defaultauthage;
646 fae->fae_fr.fr_hits = 0;
647 fae->fae_fr.fr_next = *frptr;
648 *frptr = &fae->fae_fr;
649 fae->fae_next = *faep;
650 *faep = fae;
651 ipauth = &fae_list->fae_fr;
652 SPL_X(s);
653 RWLOCK_EXIT(&ipf_auth);
654 } else
655 error = ENOMEM;
656 } else
657 error = EINVAL;
658 return error;
659}