Deleted Added
full compact
ip_fw_pfil.c (215317) ip_fw_pfil.c (215701)
1/*-
2 * Copyright (c) 2004 Andre Oppermann, Internet Business Solutions AG
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
1/*-
2 * Copyright (c) 2004 Andre Oppermann, Internet Business Solutions AG
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
28__FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw_pfil.c 215317 2010-11-14 20:38:11Z dim $");
28__FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw_pfil.c 215701 2010-11-22 19:32:54Z dim $");
29
30#if !defined(KLD_MODULE)
31#include "opt_ipfw.h"
32#include "opt_ipdn.h"
33#include "opt_inet.h"
34#ifndef INET
35#error IPFIREWALL requires INET.
36#endif /* INET */
37#endif /* KLD_MODULE */
38#include "opt_inet6.h"
39
40#include <sys/param.h>
41#include <sys/systm.h>
42#include <sys/malloc.h>
43#include <sys/mbuf.h>
44#include <sys/module.h>
45#include <sys/kernel.h>
46#include <sys/lock.h>
47#include <sys/rwlock.h>
48#include <sys/socket.h>
49#include <sys/sysctl.h>
50
51#include <net/if.h>
52#include <net/route.h>
53#include <net/pfil.h>
54#include <net/vnet.h>
55
56#include <netinet/in.h>
57#include <netinet/in_systm.h>
58#include <netinet/ip.h>
59#include <netinet/ip_var.h>
60#include <netinet/ip_fw.h>
61#include <netinet/ipfw/ip_fw_private.h>
62#include <netgraph/ng_ipfw.h>
63
64#include <machine/in_cksum.h>
65
29
30#if !defined(KLD_MODULE)
31#include "opt_ipfw.h"
32#include "opt_ipdn.h"
33#include "opt_inet.h"
34#ifndef INET
35#error IPFIREWALL requires INET.
36#endif /* INET */
37#endif /* KLD_MODULE */
38#include "opt_inet6.h"
39
40#include <sys/param.h>
41#include <sys/systm.h>
42#include <sys/malloc.h>
43#include <sys/mbuf.h>
44#include <sys/module.h>
45#include <sys/kernel.h>
46#include <sys/lock.h>
47#include <sys/rwlock.h>
48#include <sys/socket.h>
49#include <sys/sysctl.h>
50
51#include <net/if.h>
52#include <net/route.h>
53#include <net/pfil.h>
54#include <net/vnet.h>
55
56#include <netinet/in.h>
57#include <netinet/in_systm.h>
58#include <netinet/ip.h>
59#include <netinet/ip_var.h>
60#include <netinet/ip_fw.h>
61#include <netinet/ipfw/ip_fw_private.h>
62#include <netgraph/ng_ipfw.h>
63
64#include <machine/in_cksum.h>
65
66STATIC_VNET_DEFINE(int, fw_enable) = 1;
66static VNET_DEFINE(int, fw_enable) = 1;
67#define V_fw_enable VNET(fw_enable)
68
69#ifdef INET6
67#define V_fw_enable VNET(fw_enable)
68
69#ifdef INET6
70STATIC_VNET_DEFINE(int, fw6_enable) = 1;
70static VNET_DEFINE(int, fw6_enable) = 1;
71#define V_fw6_enable VNET(fw6_enable)
72#endif
73
74int ipfw_chg_hook(SYSCTL_HANDLER_ARGS);
75
76/* Forward declarations. */
77static int ipfw_divert(struct mbuf **, int, struct ipfw_rule_ref *, int);
78
79#ifdef SYSCTL_NODE
80
81SYSBEGIN(f1)
82
83SYSCTL_DECL(_net_inet_ip_fw);
84SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable,
85 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0,
86 ipfw_chg_hook, "I", "Enable ipfw");
87#ifdef INET6
88SYSCTL_DECL(_net_inet6_ip6_fw);
89SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable,
90 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0,
91 ipfw_chg_hook, "I", "Enable ipfw+6");
92#endif /* INET6 */
93
94SYSEND
95
96#endif /* SYSCTL_NODE */
97
98/*
99 * The pfilter hook to pass packets to ipfw_chk and then to
100 * dummynet, divert, netgraph or other modules.
101 * The packet may be consumed.
102 */
103int
104ipfw_check_hook(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir,
105 struct inpcb *inp)
106{
107 struct ip_fw_args args;
108 struct m_tag *tag;
109 int ipfw;
110 int ret;
111
112 /* all the processing now uses ip_len in net format */
113 if (mtod(*m0, struct ip *)->ip_v == 4)
114 SET_NET_IPLEN(mtod(*m0, struct ip *));
115
116 /* convert dir to IPFW values */
117 dir = (dir == PFIL_IN) ? DIR_IN : DIR_OUT;
118 bzero(&args, sizeof(args));
119
120again:
121 /*
122 * extract and remove the tag if present. If we are left
123 * with onepass, optimize the outgoing path.
124 */
125 tag = m_tag_locate(*m0, MTAG_IPFW_RULE, 0, NULL);
126 if (tag != NULL) {
127 args.rule = *((struct ipfw_rule_ref *)(tag+1));
128 m_tag_delete(*m0, tag);
129 if (args.rule.info & IPFW_ONEPASS) {
130 SET_HOST_IPLEN(mtod(*m0, struct ip *));
131 return 0;
132 }
133 }
134
135 args.m = *m0;
136 args.oif = dir == DIR_OUT ? ifp : NULL;
137 args.inp = inp;
138
139 ipfw = ipfw_chk(&args);
140 *m0 = args.m;
141
142 KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL",
143 __func__));
144
145 /* breaking out of the switch means drop */
146 ret = 0; /* default return value for pass */
147 switch (ipfw) {
148 case IP_FW_PASS:
149 /* next_hop may be set by ipfw_chk */
150 if (args.next_hop == NULL)
151 break; /* pass */
152#ifndef IPFIREWALL_FORWARD
153 ret = EACCES;
154#else
155 {
156 struct m_tag *fwd_tag;
157
158 /* Incoming packets should not be tagged so we do not
159 * m_tag_find. Outgoing packets may be tagged, so we
160 * reuse the tag if present.
161 */
162 fwd_tag = (dir == DIR_IN) ? NULL :
163 m_tag_find(*m0, PACKET_TAG_IPFORWARD, NULL);
164 if (fwd_tag != NULL) {
165 m_tag_unlink(*m0, fwd_tag);
166 } else {
167 fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
168 sizeof(struct sockaddr_in), M_NOWAIT);
169 if (fwd_tag == NULL) {
170 ret = EACCES;
171 break; /* i.e. drop */
172 }
173 }
174 bcopy(args.next_hop, (fwd_tag+1), sizeof(struct sockaddr_in));
175 m_tag_prepend(*m0, fwd_tag);
176
177 if (in_localip(args.next_hop->sin_addr))
178 (*m0)->m_flags |= M_FASTFWD_OURS;
179 }
180#endif
181 break;
182
183 case IP_FW_DENY:
184 ret = EACCES;
185 break; /* i.e. drop */
186
187 case IP_FW_DUMMYNET:
188 ret = EACCES;
189 if (ip_dn_io_ptr == NULL)
190 break; /* i.e. drop */
191 if (mtod(*m0, struct ip *)->ip_v == 4)
192 ret = ip_dn_io_ptr(m0, dir, &args);
193 else if (mtod(*m0, struct ip *)->ip_v == 6)
194 ret = ip_dn_io_ptr(m0, dir | PROTO_IPV6, &args);
195 else
196 break; /* drop it */
197 /*
198 * XXX should read the return value.
199 * dummynet normally eats the packet and sets *m0=NULL
200 * unless the packet can be sent immediately. In this
201 * case args is updated and we should re-run the
202 * check without clearing args.
203 */
204 if (*m0 != NULL)
205 goto again;
206 break;
207
208 case IP_FW_TEE:
209 case IP_FW_DIVERT:
210 if (ip_divert_ptr == NULL) {
211 ret = EACCES;
212 break; /* i.e. drop */
213 }
214 ret = ipfw_divert(m0, dir, &args.rule,
215 (ipfw == IP_FW_TEE) ? 1 : 0);
216 /* continue processing for the original packet (tee). */
217 if (*m0)
218 goto again;
219 break;
220
221 case IP_FW_NGTEE:
222 case IP_FW_NETGRAPH:
223 if (ng_ipfw_input_p == NULL) {
224 ret = EACCES;
225 break; /* i.e. drop */
226 }
227 ret = ng_ipfw_input_p(m0, dir, &args,
228 (ipfw == IP_FW_NGTEE) ? 1 : 0);
229 if (ipfw == IP_FW_NGTEE) /* ignore errors for NGTEE */
230 goto again; /* continue with packet */
231 break;
232
233 case IP_FW_NAT:
234 /* honor one-pass in case of successful nat */
235 if (V_fw_one_pass)
236 break; /* ret is already 0 */
237 goto again;
238
239 case IP_FW_REASS:
240 goto again; /* continue with packet */
241
242 default:
243 KASSERT(0, ("%s: unknown retval", __func__));
244 }
245
246 if (ret != 0) {
247 if (*m0)
248 FREE_PKT(*m0);
249 *m0 = NULL;
250 }
251 if (*m0 && mtod(*m0, struct ip *)->ip_v == 4)
252 SET_HOST_IPLEN(mtod(*m0, struct ip *));
253 return ret;
254}
255
256/* do the divert, return 1 on error 0 on success */
257static int
258ipfw_divert(struct mbuf **m0, int incoming, struct ipfw_rule_ref *rule,
259 int tee)
260{
261 /*
262 * ipfw_chk() has already tagged the packet with the divert tag.
263 * If tee is set, copy packet and return original.
264 * If not tee, consume packet and send it to divert socket.
265 */
266 struct mbuf *clone;
267 struct ip *ip;
268 struct m_tag *tag;
269
270 /* Cloning needed for tee? */
271 if (tee == 0) {
272 clone = *m0; /* use the original mbuf */
273 *m0 = NULL;
274 } else {
275 clone = m_dup(*m0, M_DONTWAIT);
276 /* If we cannot duplicate the mbuf, we sacrifice the divert
277 * chain and continue with the tee-ed packet.
278 */
279 if (clone == NULL)
280 return 1;
281 }
282
283 /*
284 * Divert listeners can normally handle non-fragmented packets,
285 * but we can only reass in the non-tee case.
286 * This means that listeners on a tee rule may get fragments,
287 * and have to live with that.
288 * Note that we now have the 'reass' ipfw option so if we care
289 * we can do it before a 'tee'.
290 */
291 ip = mtod(clone, struct ip *);
292 if (!tee && ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) {
293 int hlen;
294 struct mbuf *reass;
295
296 SET_HOST_IPLEN(ip); /* ip_reass wants host order */
297 reass = ip_reass(clone); /* Reassemble packet. */
298 if (reass == NULL)
299 return 0; /* not an error */
300 /* if reass = NULL then it was consumed by ip_reass */
301 /*
302 * IP header checksum fixup after reassembly and leave header
303 * in network byte order.
304 */
305 ip = mtod(reass, struct ip *);
306 hlen = ip->ip_hl << 2;
307 SET_NET_IPLEN(ip);
308 ip->ip_sum = 0;
309 if (hlen == sizeof(struct ip))
310 ip->ip_sum = in_cksum_hdr(ip);
311 else
312 ip->ip_sum = in_cksum(reass, hlen);
313 clone = reass;
314 }
315 /* attach a tag to the packet with the reinject info */
316 tag = m_tag_alloc(MTAG_IPFW_RULE, 0,
317 sizeof(struct ipfw_rule_ref), M_NOWAIT);
318 if (tag == NULL) {
319 FREE_PKT(clone);
320 return 1;
321 }
322 *((struct ipfw_rule_ref *)(tag+1)) = *rule;
323 m_tag_prepend(clone, tag);
324
325 /* Do the dirty job... */
326 ip_divert_ptr(clone, incoming);
327 return 0;
328}
329
330/*
331 * attach or detach hooks for a given protocol family
332 */
333static int
334ipfw_hook(int onoff, int pf)
335{
336 struct pfil_head *pfh;
337
338 pfh = pfil_head_get(PFIL_TYPE_AF, pf);
339 if (pfh == NULL)
340 return ENOENT;
341
342 (void) (onoff ? pfil_add_hook : pfil_remove_hook)
343 (ipfw_check_hook, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
344
345 return 0;
346}
347
348int
349ipfw_attach_hooks(int arg)
350{
351 int error = 0;
352
353 if (arg == 0) /* detach */
354 ipfw_hook(0, AF_INET);
355 else if (V_fw_enable && ipfw_hook(1, AF_INET) != 0) {
356 error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */
357 printf("ipfw_hook() error\n");
358 }
359#ifdef INET6
360 if (arg == 0) /* detach */
361 ipfw_hook(0, AF_INET6);
362 else if (V_fw6_enable && ipfw_hook(1, AF_INET6) != 0) {
363 error = ENOENT;
364 printf("ipfw6_hook() error\n");
365 }
366#endif
367 return error;
368}
369
370int
371ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
372{
373 int enable;
374 int oldenable;
375 int error;
376 int af;
377
378 if (arg1 == &VNET_NAME(fw_enable)) {
379 enable = V_fw_enable;
380 af = AF_INET;
381 }
382#ifdef INET6
383 else if (arg1 == &VNET_NAME(fw6_enable)) {
384 enable = V_fw6_enable;
385 af = AF_INET6;
386 }
387#endif
388 else
389 return (EINVAL);
390
391 oldenable = enable;
392
393 error = sysctl_handle_int(oidp, &enable, 0, req);
394
395 if (error)
396 return (error);
397
398 enable = (enable) ? 1 : 0;
399
400 if (enable == oldenable)
401 return (0);
402
403 error = ipfw_hook(enable, af);
404 if (error)
405 return (error);
406 if (af == AF_INET)
407 V_fw_enable = enable;
408#ifdef INET6
409 else if (af == AF_INET6)
410 V_fw6_enable = enable;
411#endif
412
413 return (0);
414}
415/* end of file */
71#define V_fw6_enable VNET(fw6_enable)
72#endif
73
74int ipfw_chg_hook(SYSCTL_HANDLER_ARGS);
75
76/* Forward declarations. */
77static int ipfw_divert(struct mbuf **, int, struct ipfw_rule_ref *, int);
78
79#ifdef SYSCTL_NODE
80
81SYSBEGIN(f1)
82
83SYSCTL_DECL(_net_inet_ip_fw);
84SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable,
85 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0,
86 ipfw_chg_hook, "I", "Enable ipfw");
87#ifdef INET6
88SYSCTL_DECL(_net_inet6_ip6_fw);
89SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable,
90 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0,
91 ipfw_chg_hook, "I", "Enable ipfw+6");
92#endif /* INET6 */
93
94SYSEND
95
96#endif /* SYSCTL_NODE */
97
98/*
99 * The pfilter hook to pass packets to ipfw_chk and then to
100 * dummynet, divert, netgraph or other modules.
101 * The packet may be consumed.
102 */
103int
104ipfw_check_hook(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir,
105 struct inpcb *inp)
106{
107 struct ip_fw_args args;
108 struct m_tag *tag;
109 int ipfw;
110 int ret;
111
112 /* all the processing now uses ip_len in net format */
113 if (mtod(*m0, struct ip *)->ip_v == 4)
114 SET_NET_IPLEN(mtod(*m0, struct ip *));
115
116 /* convert dir to IPFW values */
117 dir = (dir == PFIL_IN) ? DIR_IN : DIR_OUT;
118 bzero(&args, sizeof(args));
119
120again:
121 /*
122 * extract and remove the tag if present. If we are left
123 * with onepass, optimize the outgoing path.
124 */
125 tag = m_tag_locate(*m0, MTAG_IPFW_RULE, 0, NULL);
126 if (tag != NULL) {
127 args.rule = *((struct ipfw_rule_ref *)(tag+1));
128 m_tag_delete(*m0, tag);
129 if (args.rule.info & IPFW_ONEPASS) {
130 SET_HOST_IPLEN(mtod(*m0, struct ip *));
131 return 0;
132 }
133 }
134
135 args.m = *m0;
136 args.oif = dir == DIR_OUT ? ifp : NULL;
137 args.inp = inp;
138
139 ipfw = ipfw_chk(&args);
140 *m0 = args.m;
141
142 KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL",
143 __func__));
144
145 /* breaking out of the switch means drop */
146 ret = 0; /* default return value for pass */
147 switch (ipfw) {
148 case IP_FW_PASS:
149 /* next_hop may be set by ipfw_chk */
150 if (args.next_hop == NULL)
151 break; /* pass */
152#ifndef IPFIREWALL_FORWARD
153 ret = EACCES;
154#else
155 {
156 struct m_tag *fwd_tag;
157
158 /* Incoming packets should not be tagged so we do not
159 * m_tag_find. Outgoing packets may be tagged, so we
160 * reuse the tag if present.
161 */
162 fwd_tag = (dir == DIR_IN) ? NULL :
163 m_tag_find(*m0, PACKET_TAG_IPFORWARD, NULL);
164 if (fwd_tag != NULL) {
165 m_tag_unlink(*m0, fwd_tag);
166 } else {
167 fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
168 sizeof(struct sockaddr_in), M_NOWAIT);
169 if (fwd_tag == NULL) {
170 ret = EACCES;
171 break; /* i.e. drop */
172 }
173 }
174 bcopy(args.next_hop, (fwd_tag+1), sizeof(struct sockaddr_in));
175 m_tag_prepend(*m0, fwd_tag);
176
177 if (in_localip(args.next_hop->sin_addr))
178 (*m0)->m_flags |= M_FASTFWD_OURS;
179 }
180#endif
181 break;
182
183 case IP_FW_DENY:
184 ret = EACCES;
185 break; /* i.e. drop */
186
187 case IP_FW_DUMMYNET:
188 ret = EACCES;
189 if (ip_dn_io_ptr == NULL)
190 break; /* i.e. drop */
191 if (mtod(*m0, struct ip *)->ip_v == 4)
192 ret = ip_dn_io_ptr(m0, dir, &args);
193 else if (mtod(*m0, struct ip *)->ip_v == 6)
194 ret = ip_dn_io_ptr(m0, dir | PROTO_IPV6, &args);
195 else
196 break; /* drop it */
197 /*
198 * XXX should read the return value.
199 * dummynet normally eats the packet and sets *m0=NULL
200 * unless the packet can be sent immediately. In this
201 * case args is updated and we should re-run the
202 * check without clearing args.
203 */
204 if (*m0 != NULL)
205 goto again;
206 break;
207
208 case IP_FW_TEE:
209 case IP_FW_DIVERT:
210 if (ip_divert_ptr == NULL) {
211 ret = EACCES;
212 break; /* i.e. drop */
213 }
214 ret = ipfw_divert(m0, dir, &args.rule,
215 (ipfw == IP_FW_TEE) ? 1 : 0);
216 /* continue processing for the original packet (tee). */
217 if (*m0)
218 goto again;
219 break;
220
221 case IP_FW_NGTEE:
222 case IP_FW_NETGRAPH:
223 if (ng_ipfw_input_p == NULL) {
224 ret = EACCES;
225 break; /* i.e. drop */
226 }
227 ret = ng_ipfw_input_p(m0, dir, &args,
228 (ipfw == IP_FW_NGTEE) ? 1 : 0);
229 if (ipfw == IP_FW_NGTEE) /* ignore errors for NGTEE */
230 goto again; /* continue with packet */
231 break;
232
233 case IP_FW_NAT:
234 /* honor one-pass in case of successful nat */
235 if (V_fw_one_pass)
236 break; /* ret is already 0 */
237 goto again;
238
239 case IP_FW_REASS:
240 goto again; /* continue with packet */
241
242 default:
243 KASSERT(0, ("%s: unknown retval", __func__));
244 }
245
246 if (ret != 0) {
247 if (*m0)
248 FREE_PKT(*m0);
249 *m0 = NULL;
250 }
251 if (*m0 && mtod(*m0, struct ip *)->ip_v == 4)
252 SET_HOST_IPLEN(mtod(*m0, struct ip *));
253 return ret;
254}
255
256/* do the divert, return 1 on error 0 on success */
257static int
258ipfw_divert(struct mbuf **m0, int incoming, struct ipfw_rule_ref *rule,
259 int tee)
260{
261 /*
262 * ipfw_chk() has already tagged the packet with the divert tag.
263 * If tee is set, copy packet and return original.
264 * If not tee, consume packet and send it to divert socket.
265 */
266 struct mbuf *clone;
267 struct ip *ip;
268 struct m_tag *tag;
269
270 /* Cloning needed for tee? */
271 if (tee == 0) {
272 clone = *m0; /* use the original mbuf */
273 *m0 = NULL;
274 } else {
275 clone = m_dup(*m0, M_DONTWAIT);
276 /* If we cannot duplicate the mbuf, we sacrifice the divert
277 * chain and continue with the tee-ed packet.
278 */
279 if (clone == NULL)
280 return 1;
281 }
282
283 /*
284 * Divert listeners can normally handle non-fragmented packets,
285 * but we can only reass in the non-tee case.
286 * This means that listeners on a tee rule may get fragments,
287 * and have to live with that.
288 * Note that we now have the 'reass' ipfw option so if we care
289 * we can do it before a 'tee'.
290 */
291 ip = mtod(clone, struct ip *);
292 if (!tee && ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) {
293 int hlen;
294 struct mbuf *reass;
295
296 SET_HOST_IPLEN(ip); /* ip_reass wants host order */
297 reass = ip_reass(clone); /* Reassemble packet. */
298 if (reass == NULL)
299 return 0; /* not an error */
300 /* if reass = NULL then it was consumed by ip_reass */
301 /*
302 * IP header checksum fixup after reassembly and leave header
303 * in network byte order.
304 */
305 ip = mtod(reass, struct ip *);
306 hlen = ip->ip_hl << 2;
307 SET_NET_IPLEN(ip);
308 ip->ip_sum = 0;
309 if (hlen == sizeof(struct ip))
310 ip->ip_sum = in_cksum_hdr(ip);
311 else
312 ip->ip_sum = in_cksum(reass, hlen);
313 clone = reass;
314 }
315 /* attach a tag to the packet with the reinject info */
316 tag = m_tag_alloc(MTAG_IPFW_RULE, 0,
317 sizeof(struct ipfw_rule_ref), M_NOWAIT);
318 if (tag == NULL) {
319 FREE_PKT(clone);
320 return 1;
321 }
322 *((struct ipfw_rule_ref *)(tag+1)) = *rule;
323 m_tag_prepend(clone, tag);
324
325 /* Do the dirty job... */
326 ip_divert_ptr(clone, incoming);
327 return 0;
328}
329
330/*
331 * attach or detach hooks for a given protocol family
332 */
333static int
334ipfw_hook(int onoff, int pf)
335{
336 struct pfil_head *pfh;
337
338 pfh = pfil_head_get(PFIL_TYPE_AF, pf);
339 if (pfh == NULL)
340 return ENOENT;
341
342 (void) (onoff ? pfil_add_hook : pfil_remove_hook)
343 (ipfw_check_hook, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
344
345 return 0;
346}
347
348int
349ipfw_attach_hooks(int arg)
350{
351 int error = 0;
352
353 if (arg == 0) /* detach */
354 ipfw_hook(0, AF_INET);
355 else if (V_fw_enable && ipfw_hook(1, AF_INET) != 0) {
356 error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */
357 printf("ipfw_hook() error\n");
358 }
359#ifdef INET6
360 if (arg == 0) /* detach */
361 ipfw_hook(0, AF_INET6);
362 else if (V_fw6_enable && ipfw_hook(1, AF_INET6) != 0) {
363 error = ENOENT;
364 printf("ipfw6_hook() error\n");
365 }
366#endif
367 return error;
368}
369
370int
371ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
372{
373 int enable;
374 int oldenable;
375 int error;
376 int af;
377
378 if (arg1 == &VNET_NAME(fw_enable)) {
379 enable = V_fw_enable;
380 af = AF_INET;
381 }
382#ifdef INET6
383 else if (arg1 == &VNET_NAME(fw6_enable)) {
384 enable = V_fw6_enable;
385 af = AF_INET6;
386 }
387#endif
388 else
389 return (EINVAL);
390
391 oldenable = enable;
392
393 error = sysctl_handle_int(oidp, &enable, 0, req);
394
395 if (error)
396 return (error);
397
398 enable = (enable) ? 1 : 0;
399
400 if (enable == oldenable)
401 return (0);
402
403 error = ipfw_hook(enable, af);
404 if (error)
405 return (error);
406 if (af == AF_INET)
407 V_fw_enable = enable;
408#ifdef INET6
409 else if (af == AF_INET6)
410 V_fw6_enable = enable;
411#endif
412
413 return (0);
414}
415/* end of file */