1/*- 2 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. --- 10 unchanged lines hidden (view full) --- 19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23 * SUCH DAMAGE. 24 */ 25 26#include <sys/cdefs.h> |
27__FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw2.c 194498 2009-06-19 17:10:35Z brooks $"); |
28 29#define DEB(x) 30#define DDB(x) x 31 32/* 33 * Implement IP packet firewall (new version) 34 */ 35 --- 94 unchanged lines hidden (view full) --- 130#else 131static int default_to_accept; 132#endif 133static uma_zone_t ipfw_dyn_rule_zone; 134 135struct ip_fw *ip_fw_default_rule; 136 137/* |
138 * list of rules for layer 3 139 */ 140#ifdef VIMAGE_GLOBALS 141struct ip_fw_chain layer3_chain; 142#endif 143 144MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); 145MALLOC_DEFINE(M_IPFW_TBL, "ipfw_tbl", "IpFw tables"); --- 1845 unchanged lines hidden (view full) --- 1991 if (tbl->tbl >= IPFW_TABLES_MAX) 1992 return (EINVAL); 1993 rnh = ch->tables[tbl->tbl]; 1994 tbl->cnt = 0; 1995 rnh->rnh_walktree(rnh, dump_table_entry, tbl); 1996 return (0); 1997} 1998 |
1999static int 2000check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif, 2001 struct in_addr dst_ip, u_int16_t dst_port, struct in_addr src_ip, |
2002 u_int16_t src_port, struct ucred **uc, int *ugid_lookupp, |
2003 struct inpcb *inp) 2004{ 2005 INIT_VNET_INET(curvnet); 2006 struct inpcbinfo *pi; 2007 int wildcard; 2008 struct inpcb *pcb; 2009 int match; |
2010 2011 /* 2012 * Check to see if the UDP or TCP stack supplied us with 2013 * the PCB. If so, rather then holding a lock and looking 2014 * up the PCB, we can use the one that was supplied. 2015 */ 2016 if (inp && *ugid_lookupp == 0) { 2017 INP_LOCK_ASSERT(inp); 2018 if (inp->inp_socket != NULL) { |
2019 *uc = crhold(inp->inp_cred); |
2020 *ugid_lookupp = 1; 2021 } else 2022 *ugid_lookupp = -1; 2023 } 2024 /* 2025 * If we have already been here and the packet has no 2026 * PCB entry associated with it, then we can safely 2027 * assume that this is a no match. --- 16 unchanged lines hidden (view full) --- 2044 dst_ip, htons(dst_port), 2045 src_ip, htons(src_port), 2046 wildcard, oif) : 2047 in_pcblookup_hash(pi, 2048 src_ip, htons(src_port), 2049 dst_ip, htons(dst_port), 2050 wildcard, NULL); 2051 if (pcb != NULL) { |
2052 *uc = crhold(inp->inp_cred); |
2053 *ugid_lookupp = 1; 2054 } 2055 INP_INFO_RUNLOCK(pi); 2056 if (*ugid_lookupp == 0) { 2057 /* 2058 * If the lookup did not yield any results, there 2059 * is no sense in coming back and trying again. So 2060 * we can set lookup to -1 and ensure that we wont 2061 * bother the pcb system again. 2062 */ 2063 *ugid_lookupp = -1; 2064 return (0); 2065 } 2066 } 2067 if (insn->o.opcode == O_UID) |
2068 match = ((*uc)->cr_uid == (uid_t)insn->d[0]); 2069 else if (insn->o.opcode == O_GID) 2070 match = groupmember((gid_t)insn->d[0], *uc); 2071 else if (insn->o.opcode == O_JAIL) 2072 match = ((*uc)->cr_prison->pr_id == (int)insn->d[0]); |
2073 return match; 2074} 2075 2076/* 2077 * The main check routine for the firewall. 2078 * 2079 * All arguments are in args so we can modify them and return them 2080 * back to the caller. --- 61 unchanged lines hidden (view full) --- 2142 2143 /* 2144 * For rules which contain uid/gid or jail constraints, cache 2145 * a copy of the users credentials after the pcb lookup has been 2146 * executed. This will speed up the processing of rules with 2147 * these types of constraints, as well as decrease contention 2148 * on pcb related locks. 2149 */ |
2150 struct ucred *ucred_cache = NULL; 2151 int ucred_lookup = 0; |
2152 2153 /* 2154 * divinput_flags If non-zero, set to the IP_FW_DIVERT_*_FLAG 2155 * associated with a packet input on a divert socket. This 2156 * will allow to distinguish traffic and its direction when 2157 * it originates from a divert socket. 2158 */ 2159 u_int divinput_flags = 0; --- 445 unchanged lines hidden (view full) --- 2605 if (is_ipv6) /* XXX to be fixed later */ 2606 break; 2607 if (proto == IPPROTO_TCP || 2608 proto == IPPROTO_UDP) 2609 match = check_uidgid( 2610 (ipfw_insn_u32 *)cmd, 2611 proto, oif, 2612 dst_ip, dst_port, |
2613 src_ip, src_port, &ucred_cache, 2614 &ucred_lookup, args->inp); |
2615 break; 2616 2617 case O_RECV: 2618 match = iface_match(m->m_pkthdr.rcvif, 2619 (ipfw_insn_if *)cmd); 2620 break; 2621 2622 case O_XMIT: --- 611 unchanged lines hidden (view full) --- 3234 break; 3235 mtag = m_tag_get(PACKET_TAG_DIVERT, 3236 sizeof(struct divert_tag), 3237 M_NOWAIT); 3238 if (mtag == NULL) { 3239 /* XXX statistic */ 3240 /* drop packet */ 3241 IPFW_RUNLOCK(chain); |
3242 if (ucred_cache != NULL) 3243 crfree(ucred_cache); |
3244 return (IP_FW_DENY); 3245 } 3246 dt = (struct divert_tag *)(mtag+1); 3247 dt->cookie = f->rulenum; 3248 if (cmd->arg1 == IP_FW_TABLEARG) 3249 dt->info = tablearg; 3250 else 3251 dt->info = cmd->arg1; --- 189 unchanged lines hidden (view full) --- 3441 3442 } /* end of inner for, scan opcodes */ 3443 3444next_rule:; /* try next rule */ 3445 3446 } /* end of outer for, scan rules */ 3447 printf("ipfw: ouch!, skip past end of rules, denying packet\n"); 3448 IPFW_RUNLOCK(chain); |
3449 if (ucred_cache != NULL) 3450 crfree(ucred_cache); |
3451 return (IP_FW_DENY); 3452 3453done: 3454 /* Update statistics */ 3455 f->pcnt++; 3456 f->bcnt += pktlen; 3457 f->timestamp = time_uptime; 3458 IPFW_RUNLOCK(chain); |
3459 if (ucred_cache != NULL) 3460 crfree(ucred_cache); |
3461 return (retval); 3462 3463pullup_failed: 3464 if (V_fw_verbose) 3465 printf("ipfw: pullup failed\n"); 3466 return (IP_FW_DENY); 3467} 3468 --- 1260 unchanged lines hidden --- |
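Review bot: In check_uidgid, the credential taken after the in_pcblookup_hash() result (line 2052, `*uc = crhold(inp->inp_cred);`) is read from `inp`, but the PCB that was just found is `pcb` — the line should be `*uc = crhold(pcb->inp_cred);`. This branch is presumably the path taken when the stack supplied no PCB, i.e. when `inp` is NULL, so as written it dereferences a null pointer inside the firewall's packet path, which in kernel code is a panic reachable by any TCP/UDP packet that gets as far as a uid/gid/jail rule; the guard that selects this branch is in the 16 hidden lines before it, so the exact reachability cannot be confirmed from the hunk. Even where `inp` is non-NULL, the credential cached would belong to the wrong PCB and the uid/gid/jail decision would be made against the wrong principal. A smaller point in the same function: `int match;` (line 2009) is never assigned if `insn->o.opcode` is none of O_UID/O_GID/O_JAIL, so `return match;` at line 2073 would return an indeterminate value; `int match = 0;` costs nothing and makes the no-match default explicit.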