1/*-
2 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.

--- 10 unchanged lines hidden (view full) ---

19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 */
25
26#include <sys/cdefs.h>
27__FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw2.c 194498 2009-06-19 17:10:35Z brooks $");
28
29#define DEB(x)
30#define DDB(x) x
31
32/*
33 * Implement IP packet firewall (new version)
34 */
35

--- 94 unchanged lines hidden (view full) ---

130#else
131static int default_to_accept;
132#endif
133static uma_zone_t ipfw_dyn_rule_zone;
134
135struct ip_fw *ip_fw_default_rule;
136
137/*
138 * list of rules for layer 3
139 */
140#ifdef VIMAGE_GLOBALS
141struct ip_fw_chain layer3_chain;
142#endif
143
144MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
145MALLOC_DEFINE(M_IPFW_TBL, "ipfw_tbl", "IpFw tables");

--- 1845 unchanged lines hidden (view full) ---

1991 if (tbl->tbl >= IPFW_TABLES_MAX)
1992 return (EINVAL);
1993 rnh = ch->tables[tbl->tbl];
1994 tbl->cnt = 0;
1995 rnh->rnh_walktree(rnh, dump_table_entry, tbl);
1996 return (0);
1997}
1998
1999static int
2000check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif,
2001 struct in_addr dst_ip, u_int16_t dst_port, struct in_addr src_ip,
2002 u_int16_t src_port, struct ucred **uc, int *ugid_lookupp,
2003 struct inpcb *inp)
2004{
2005 INIT_VNET_INET(curvnet);
2006 struct inpcbinfo *pi;
2007 int wildcard;
2008 struct inpcb *pcb;
2009 int match;
2010
2011 /*
2012 * Check to see if the UDP or TCP stack supplied us with
2013 * the PCB. If so, rather then holding a lock and looking
2014 * up the PCB, we can use the one that was supplied.
2015 */
2016 if (inp && *ugid_lookupp == 0) {
2017 INP_LOCK_ASSERT(inp);
2018 if (inp->inp_socket != NULL) {
2019 *uc = crhold(inp->inp_cred);
2020 *ugid_lookupp = 1;
2021 } else
2022 *ugid_lookupp = -1;
2023 }
2024 /*
2025 * If we have already been here and the packet has no
2026 * PCB entry associated with it, then we can safely
2027 * assume that this is a no match.

--- 16 unchanged lines hidden (view full) ---

2044 dst_ip, htons(dst_port),
2045 src_ip, htons(src_port),
2046 wildcard, oif) :
2047 in_pcblookup_hash(pi,
2048 src_ip, htons(src_port),
2049 dst_ip, htons(dst_port),
2050 wildcard, NULL);
2051 if (pcb != NULL) {
2052 *uc = crhold(inp->inp_cred);
2053 *ugid_lookupp = 1;
2054 }
2055 INP_INFO_RUNLOCK(pi);
2056 if (*ugid_lookupp == 0) {
2057 /*
2058 * If the lookup did not yield any results, there
2059 * is no sense in coming back and trying again. So
2060 * we can set lookup to -1 and ensure that we wont
2061 * bother the pcb system again.
2062 */
2063 *ugid_lookupp = -1;
2064 return (0);
2065 }
2066 }
2067 if (insn->o.opcode == O_UID)
2068 match = ((*uc)->cr_uid == (uid_t)insn->d[0]);
2069 else if (insn->o.opcode == O_GID)
2070 match = groupmember((gid_t)insn->d[0], *uc);
2071 else if (insn->o.opcode == O_JAIL)
2072 match = ((*uc)->cr_prison->pr_id == (int)insn->d[0]);
2073 return match;
2074}
2075
2076/*
2077 * The main check routine for the firewall.
2078 *
2079 * All arguments are in args so we can modify them and return them
2080 * back to the caller.

--- 61 unchanged lines hidden (view full) ---

2142
2143 /*
2144 * For rules which contain uid/gid or jail constraints, cache
2145 * a copy of the users credentials after the pcb lookup has been
2146 * executed. This will speed up the processing of rules with
2147 * these types of constraints, as well as decrease contention
2148 * on pcb related locks.
2149 */
2150 struct ucred *ucred_cache = NULL;
2151 int ucred_lookup = 0;
2152
2153 /*
2154 * divinput_flags If non-zero, set to the IP_FW_DIVERT_*_FLAG
2155 * associated with a packet input on a divert socket. This
2156 * will allow to distinguish traffic and its direction when
2157 * it originates from a divert socket.
2158 */
2159 u_int divinput_flags = 0;

--- 445 unchanged lines hidden (view full) ---

2605 if (is_ipv6) /* XXX to be fixed later */
2606 break;
2607 if (proto == IPPROTO_TCP ||
2608 proto == IPPROTO_UDP)
2609 match = check_uidgid(
2610 (ipfw_insn_u32 *)cmd,
2611 proto, oif,
2612 dst_ip, dst_port,
2613 src_ip, src_port, &ucred_cache,
2614 &ucred_lookup, args->inp);
2615 break;
2616
2617 case O_RECV:
2618 match = iface_match(m->m_pkthdr.rcvif,
2619 (ipfw_insn_if *)cmd);
2620 break;
2621
2622 case O_XMIT:

--- 611 unchanged lines hidden (view full) ---

3234 break;
3235 mtag = m_tag_get(PACKET_TAG_DIVERT,
3236 sizeof(struct divert_tag),
3237 M_NOWAIT);
3238 if (mtag == NULL) {
3239 /* XXX statistic */
3240 /* drop packet */
3241 IPFW_RUNLOCK(chain);
3242 if (ucred_cache != NULL)
3243 crfree(ucred_cache);
3244 return (IP_FW_DENY);
3245 }
3246 dt = (struct divert_tag *)(mtag+1);
3247 dt->cookie = f->rulenum;
3248 if (cmd->arg1 == IP_FW_TABLEARG)
3249 dt->info = tablearg;
3250 else
3251 dt->info = cmd->arg1;

--- 189 unchanged lines hidden (view full) ---

3441
3442 } /* end of inner for, scan opcodes */
3443
3444next_rule:; /* try next rule */
3445
3446 } /* end of outer for, scan rules */
3447 printf("ipfw: ouch!, skip past end of rules, denying packet\n");
3448 IPFW_RUNLOCK(chain);
3449 if (ucred_cache != NULL)
3450 crfree(ucred_cache);
3451 return (IP_FW_DENY);
3452
3453done:
3454 /* Update statistics */
3455 f->pcnt++;
3456 f->bcnt += pktlen;
3457 f->timestamp = time_uptime;
3458 IPFW_RUNLOCK(chain);
3459 if (ucred_cache != NULL)
3460 crfree(ucred_cache);
3461 return (retval);
3462
3463pullup_failed:
3464 if (V_fw_verbose)
3465 printf("ipfw: pullup failed\n");
3466 return (IP_FW_DENY);
3467}
3468

--- 1260 unchanged lines hidden ---
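Review bot: At line 2052 the credential is taken from `inp` although the PCB that was just looked up is `pcb`: `*uc = crhold(inp->inp_cred);` should read `*uc = crhold(pcb->inp_cred);`. That branch is reached only when the stack did not hand over a PCB (the guard at 2016 tests `inp` before setting `*ugid_lookupp`), so `inp` is presumably NULL there and the first uid/gid/jail rule evaluated against such a packet would dereference it; this appears to belong to the new crhold/crfree reference handling rather than pre-existing code, though the old side is not shown and the body of check_uidgid between 2027 and 2044 is hidden, so the control flow in between is inferred. Separately, the exits at 3241, 3448 and 3458 each repeat `if (ucred_cache != NULL) crfree(ucred_cache);` while `pullup_failed` at 3463 returns without it; if any pullup can fail after a lookup has cached a credential that path leaks the reference, and releasing it in a single exit label would settle the question.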