1219820Sjeff/* $FreeBSD$ */ 2219820Sjeff 3219820Sjeff/* 4219820Sjeff * Copyright (C) 2012 by Darren Reed. 5219820Sjeff * 6219820Sjeff * See the IPFILTER.LICENCE file for details on licencing. 7219820Sjeff */ 8219820Sjeff#if defined(KERNEL) || defined(_KERNEL) 9219820Sjeff# undef KERNEL 10219820Sjeff# undef _KERNEL 11219820Sjeff# define KERNEL 1 12219820Sjeff# define _KERNEL 1 13219820Sjeff#endif 14219820Sjeff#include <sys/errno.h> 15219820Sjeff#include <sys/types.h> 16219820Sjeff#include <sys/param.h> 17219820Sjeff#include <sys/time.h> 18219820Sjeff#include <sys/file.h> 19219820Sjeff#if !defined(_KERNEL) 20219820Sjeff# include <stdio.h> 21219820Sjeff# include <stdlib.h> 22219820Sjeff# ifdef _STDC_C99 23219820Sjeff# include <stdbool.h> 24219820Sjeff# endif 25219820Sjeff# include <string.h> 26219820Sjeff# define _KERNEL 27219820Sjeff# ifdef __OpenBSD__ 28219820Sjeffstruct file; 29219820Sjeff# endif 30219820Sjeff# include <sys/uio.h> 31219820Sjeff# undef _KERNEL 32219820Sjeff#endif 33219820Sjeff#if defined(_KERNEL) && (__FreeBSD_version >= 220000) 34219820Sjeff# include <sys/filio.h> 35219820Sjeff# include <sys/fcntl.h> 36219820Sjeff#else 37219820Sjeff# include <sys/ioctl.h> 38219820Sjeff#endif 39219820Sjeff#if !defined(linux) 40219820Sjeff# include <sys/protosw.h> 41219820Sjeff#endif 42219820Sjeff#include <sys/socket.h> 43219820Sjeff#if defined(_KERNEL) 44219820Sjeff# include <sys/systm.h> 45219820Sjeff# if !defined(__SVR4) && !defined(__svr4__) && !defined(linux) 46219820Sjeff# include <sys/mbuf.h> 47219820Sjeff# endif 48219820Sjeff#endif 49219820Sjeff#if defined(__SVR4) || defined(__svr4__) 50219820Sjeff# include <sys/filio.h> 51219820Sjeff# include <sys/byteorder.h> 52219820Sjeff# ifdef _KERNEL 53219820Sjeff# include <sys/dditypes.h> 54219820Sjeff# endif 55219820Sjeff# include <sys/stream.h> 56219820Sjeff# include <sys/kmem.h> 57219820Sjeff#endif 58219820Sjeff#if (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) || \ 59219820Sjeff (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000)) 60219820Sjeff# include <sys/queue.h> 61219820Sjeff#endif 62219820Sjeff#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) 63219820Sjeff# include <machine/cpu.h> 64219820Sjeff#endif 65219820Sjeff#if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000) 66219820Sjeff# include <sys/proc.h> 67219820Sjeff#endif 68219820Sjeff#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \ 69219820Sjeff !defined(_KERNEL) 70219820Sjeff# include <stdbool.h> 71219820Sjeff#endif 72219820Sjeff#include <net/if.h> 73219820Sjeff#ifdef sun 74219820Sjeff# include <net/af.h> 75219820Sjeff#endif 76219820Sjeff#include <netinet/in.h> 77219820Sjeff#include <netinet/in_systm.h> 78219820Sjeff#include <netinet/ip.h> 79219820Sjeff#if !defined(linux) 80219820Sjeff# include <netinet/ip_var.h> 81219820Sjeff#endif 82219820Sjeff#if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi) 83219820Sjeff# define KERNEL 84219820Sjeff# define _KERNEL 85219820Sjeff# define NOT_KERNEL 86219820Sjeff#endif 87219820Sjeff#ifdef NOT_KERNEL 88219820Sjeff# undef _KERNEL 89219820Sjeff# undef KERNEL 90219820Sjeff#endif 91219820Sjeff#include <netinet/tcp.h> 92219820Sjeff#if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */ 93219820Sjeffextern struct ifqueue ipintrq; /* ip packet input queue */ 94219820Sjeff#else 95219820Sjeff# if !defined(__hpux) && !defined(linux) 96219820Sjeff# if __FreeBSD_version >= 300000 97219820Sjeff# include <net/if_var.h> 98219820Sjeff# if __FreeBSD_version >= 500042 99219820Sjeff# define IF_QFULL _IF_QFULL 100219820Sjeff# define IF_DROP _IF_DROP 101219820Sjeff# endif /* __FreeBSD_version >= 500042 */ 102219820Sjeff# endif 103219820Sjeff# include <netinet/in_var.h> 104219820Sjeff# include <netinet/tcp_fsm.h> 105219820Sjeff# endif 106219820Sjeff#endif 107219820Sjeff#include <netinet/udp.h> 108219820Sjeff#include <netinet/ip_icmp.h> 109219820Sjeff#include "netinet/ip_compat.h" 110219820Sjeff#include <netinet/tcpip.h> 111219820Sjeff#include "netinet/ip_fil.h" 112219820Sjeff#include "netinet/ip_auth.h" 113219820Sjeff#if !defined(MENTAT) && !defined(linux) 114219820Sjeff# include <net/netisr.h> 115219820Sjeff# ifdef __FreeBSD__ 116219820Sjeff# include <machine/cpufunc.h> 117219820Sjeff# endif 118219820Sjeff#endif 119219820Sjeff#if (__FreeBSD_version >= 300000) 120219820Sjeff# include <sys/malloc.h> 121219820Sjeff# if defined(_KERNEL) && !defined(IPFILTER_LKM) 122219820Sjeff# include <sys/libkern.h> 123219820Sjeff# include <sys/systm.h> 124219820Sjeff# endif 125219820Sjeff#endif 126219820Sjeff/* END OF INCLUDES */ 127219820Sjeff 128219820Sjeff#if !defined(lint) 129219820Sjeffstatic const char rcsid[] = "@(#)$FreeBSD$"; 130219820Sjeff/* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.24 2007/09/09 11:32:04 darrenr Exp $"; */ 131219820Sjeff#endif 132219820Sjeff 133219820Sjeff 134219820Sjeffstatic void ipf_auth_deref __P((frauthent_t **)); 135219820Sjeffstatic void ipf_auth_deref_unlocked __P((ipf_auth_softc_t *, frauthent_t **)); 136219820Sjeffstatic int ipf_auth_geniter __P((ipf_main_softc_t *, ipftoken_t *, 137219820Sjeff ipfgeniter_t *, ipfobj_t *)); 138219820Sjeffstatic int ipf_auth_reply __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *)); 139219820Sjeffstatic int ipf_auth_wait __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *)); 140219820Sjeffstatic int ipf_auth_flush __P((void *)); 141219820Sjeff 142219820Sjeff 143219820Sjeff/* ------------------------------------------------------------------------ */ 144219820Sjeff/* Function: ipf_auth_main_load */ 145219820Sjeff/* Returns: int - 0 == success, else error */ 146219820Sjeff/* Parameters: None */ 147219820Sjeff/* */ 148219820Sjeff/* A null-op function that exists as a placeholder so that the flow in */ 149219820Sjeff/* other functions is obvious. */ 150219820Sjeff/* ------------------------------------------------------------------------ */ 151219820Sjeffint 152219820Sjeffipf_auth_main_load() 153219820Sjeff{ 154219820Sjeff return 0; 155219820Sjeff} 156219820Sjeff 157219820Sjeff 158219820Sjeff/* ------------------------------------------------------------------------ */ 159219820Sjeff/* Function: ipf_auth_main_unload */ 160219820Sjeff/* Returns: int - 0 == success, else error */ 161219820Sjeff/* Parameters: None */ 162219820Sjeff/* */ 163219820Sjeff/* A null-op function that exists as a placeholder so that the flow in */ 164219820Sjeff/* other functions is obvious. */ 165219820Sjeff/* ------------------------------------------------------------------------ */ 166219820Sjeffint 167219820Sjeffipf_auth_main_unload() 168219820Sjeff{ 169219820Sjeff return 0; 170219820Sjeff} 171219820Sjeff 172219820Sjeff 173219820Sjeff/* ------------------------------------------------------------------------ */ 174219820Sjeff/* Function: ipf_auth_soft_create */ 175219820Sjeff/* Returns: int - NULL = failure, else success */ 176219820Sjeff/* Parameters: softc(I) - pointer to soft context data */ 177219820Sjeff/* */ 178219820Sjeff/* Create a structre to store all of the run-time data for packet auth in */ 179219820Sjeff/* and initialise some fields to their defaults. */ 180219820Sjeff/* ------------------------------------------------------------------------ */ 181219820Sjeffvoid * 182219820Sjeffipf_auth_soft_create(softc) 183219820Sjeff ipf_main_softc_t *softc; 184219820Sjeff{ 185219820Sjeff ipf_auth_softc_t *softa; 186219820Sjeff 187219820Sjeff KMALLOC(softa, ipf_auth_softc_t *); 188219820Sjeff if (softa == NULL) 189219820Sjeff return NULL; 190219820Sjeff 191219820Sjeff bzero((char *)softa, sizeof(*softa)); 192219820Sjeff 193219820Sjeff softa->ipf_auth_size = FR_NUMAUTH; 194219820Sjeff softa->ipf_auth_defaultage = 600; 195219820Sjeff 196219820Sjeff RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock"); 197219820Sjeff MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex"); 198219820Sjeff#if SOLARIS && defined(_KERNEL) 199219820Sjeff cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL); 200219820Sjeff#endif 201219820Sjeff 202219820Sjeff return softa; 203219820Sjeff} 204219820Sjeff 205219820Sjeff/* ------------------------------------------------------------------------ */ 206219820Sjeff/* Function: ipf_auth_soft_init */ 207219820Sjeff/* Returns: int - 0 == success, else error */ 208219820Sjeff/* Parameters: softc(I) - pointer to soft context data */ 209219820Sjeff/* arg(I) - opaque pointer to auth context data */ 210219820Sjeff/* */ 211219820Sjeff/* Allocate memory and initialise data structures used in handling auth */ 212219820Sjeff/* rules. */ 213219820Sjeff/* ------------------------------------------------------------------------ */ 214219820Sjeffint 215219820Sjeffipf_auth_soft_init(softc, arg) 216219820Sjeff ipf_main_softc_t *softc; 217219820Sjeff void *arg; 218219820Sjeff{ 219219820Sjeff ipf_auth_softc_t *softa = arg; 220219820Sjeff 221219820Sjeff KMALLOCS(softa->ipf_auth, frauth_t *, 222219820Sjeff softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 223219820Sjeff if (softa->ipf_auth == NULL) 224219820Sjeff return -1; 225219820Sjeff bzero((char *)softa->ipf_auth, 226219820Sjeff softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 227219820Sjeff 228219820Sjeff KMALLOCS(softa->ipf_auth_pkts, mb_t **, 229219820Sjeff softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 230219820Sjeff if (softa->ipf_auth_pkts == NULL) 231219820Sjeff return -2; 232219820Sjeff bzero((char *)softa->ipf_auth_pkts, 233219820Sjeff softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 234219820Sjeff 235219820Sjeff#if defined(linux) && defined(_KERNEL) 236219820Sjeff init_waitqueue_head(&softa->ipf_auth_next_linux); 237219820Sjeff#endif 238219820Sjeff 239219820Sjeff return 0; 240219820Sjeff} 241219820Sjeff 242219820Sjeff 243219820Sjeff/* ------------------------------------------------------------------------ */ 244219820Sjeff/* Function: ipf_auth_soft_fini */ 245219820Sjeff/* Returns: int - 0 == success, else error */ 246219820Sjeff/* Parameters: softc(I) - pointer to soft context data */ 247219820Sjeff/* arg(I) - opaque pointer to auth context data */ 248219820Sjeff/* */ 249219820Sjeff/* Free all network buffer memory used to keep saved packets that have been */ 250219820Sjeff/* connectedd to the soft soft context structure *but* do not free that: it */ 251219820Sjeff/* is free'd by _destroy(). */ 252219820Sjeff/* ------------------------------------------------------------------------ */ 253219820Sjeffint 254219820Sjeffipf_auth_soft_fini(softc, arg) 255219820Sjeff ipf_main_softc_t *softc; 256219820Sjeff void *arg; 257219820Sjeff{ 258219820Sjeff ipf_auth_softc_t *softa = arg; 259219820Sjeff frauthent_t *fae, **faep; 260219820Sjeff frentry_t *fr, **frp; 261219820Sjeff mb_t *m; 262219820Sjeff int i; 263219820Sjeff 264219820Sjeff if (softa->ipf_auth != NULL) { 265219820Sjeff KFREES(softa->ipf_auth, 266219820Sjeff softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 267219820Sjeff softa->ipf_auth = NULL; 268219820Sjeff } 269219820Sjeff 270219820Sjeff if (softa->ipf_auth_pkts != NULL) { 271219820Sjeff for (i = 0; i < softa->ipf_auth_size; i++) { 272219820Sjeff m = softa->ipf_auth_pkts[i]; 273219820Sjeff if (m != NULL) { 274219820Sjeff FREE_MB_T(m); 275219820Sjeff softa->ipf_auth_pkts[i] = NULL; 276219820Sjeff } 277219820Sjeff } 278219820Sjeff KFREES(softa->ipf_auth_pkts, 279219820Sjeff softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 280219820Sjeff softa->ipf_auth_pkts = NULL; 281219820Sjeff } 282219820Sjeff 283219820Sjeff faep = &softa->ipf_auth_entries; 284219820Sjeff while ((fae = *faep) != NULL) { 285219820Sjeff *faep = fae->fae_next; 286219820Sjeff KFREE(fae); 287219820Sjeff } 288219820Sjeff softa->ipf_auth_ip = NULL; 289219820Sjeff 290219820Sjeff if (softa->ipf_auth_rules != NULL) { 291219820Sjeff for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 292219820Sjeff if (fr->fr_ref == 1) { 293219820Sjeff *frp = fr->fr_next; 294219820Sjeff MUTEX_DESTROY(&fr->fr_lock); 295219820Sjeff KFREE(fr); 296219820Sjeff } else 297219820Sjeff frp = &fr->fr_next; 298219820Sjeff } 299219820Sjeff } 300219820Sjeff 301219820Sjeff return 0; 302219820Sjeff} 303219820Sjeff 304219820Sjeff 305219820Sjeff/* ------------------------------------------------------------------------ */ 306219820Sjeff/* Function: ipf_auth_soft_destroy */ 307219820Sjeff/* Returns: void */ 308219820Sjeff/* Parameters: softc(I) - pointer to soft context data */ 309219820Sjeff/* arg(I) - opaque pointer to auth context data */ 310219820Sjeff/* */ 311219820Sjeff/* Undo what was done in _create() - i.e. free the soft context data. */ 312219820Sjeff/* ------------------------------------------------------------------------ */ 313219820Sjeffvoid 314219820Sjeffipf_auth_soft_destroy(softc, arg) 315219820Sjeff ipf_main_softc_t *softc; 316219820Sjeff void *arg; 317219820Sjeff{ 318219820Sjeff ipf_auth_softc_t *softa = arg; 319219820Sjeff 320219820Sjeff# if SOLARIS && defined(_KERNEL) 321219820Sjeff cv_destroy(&softa->ipf_auth_wait); 322219820Sjeff# endif 323219820Sjeff MUTEX_DESTROY(&softa->ipf_auth_mx); 324219820Sjeff RW_DESTROY(&softa->ipf_authlk); 325219820Sjeff 326219820Sjeff KFREE(softa); 327219820Sjeff} 328219820Sjeff 329219820Sjeff 330219820Sjeff/* ------------------------------------------------------------------------ */ 331219820Sjeff/* Function: ipf_auth_setlock */ 332219820Sjeff/* Returns: void */ 333219820Sjeff/* Paramters: arg(I) - pointer to soft context data */ 334219820Sjeff/* tmp(I) - value to assign to auth lock */ 335219820Sjeff/* */ 336219820Sjeff/* ------------------------------------------------------------------------ */ 337219820Sjeffvoid 338219820Sjeffipf_auth_setlock(arg, tmp) 339219820Sjeff void *arg; 340219820Sjeff int tmp; 341219820Sjeff{ 342219820Sjeff ipf_auth_softc_t *softa = arg; 343219820Sjeff 344219820Sjeff softa->ipf_auth_lock = tmp; 345219820Sjeff} 346219820Sjeff 347219820Sjeff 348219820Sjeff/* ------------------------------------------------------------------------ */ 349219820Sjeff/* Function: ipf_auth_check */ 350219820Sjeff/* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */ 351219820Sjeff/* Parameters: fin(I) - pointer to ipftoken structure */ 352219820Sjeff/* passp(I) - pointer to ipfgeniter structure */ 353219820Sjeff/* */ 354219820Sjeff/* Check if a packet has authorization. If the packet is found to match an */ 355219820Sjeff/* authorization result and that would result in a feedback loop (i.e. it */ 356219820Sjeff/* will end up returning FR_AUTH) then return FR_BLOCK instead. */ 357219820Sjeff/* ------------------------------------------------------------------------ */ 358219820Sjefffrentry_t * 359219820Sjeffipf_auth_check(fin, passp) 360219820Sjeff fr_info_t *fin; 361219820Sjeff u_32_t *passp; 362219820Sjeff{ 363219820Sjeff ipf_main_softc_t *softc = fin->fin_main_soft; 364219820Sjeff ipf_auth_softc_t *softa = softc->ipf_auth_soft; 365219820Sjeff frentry_t *fr; 366219820Sjeff frauth_t *fra; 367219820Sjeff u_32_t pass; 368219820Sjeff u_short id; 369219820Sjeff ip_t *ip; 370219820Sjeff int i; 371219820Sjeff 372219820Sjeff if (softa->ipf_auth_lock || !softa->ipf_auth_used) 373219820Sjeff return NULL; 374219820Sjeff 375219820Sjeff ip = fin->fin_ip; 376219820Sjeff id = ip->ip_id; 377219820Sjeff 378219820Sjeff READ_ENTER(&softa->ipf_authlk); 379219820Sjeff for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) { 380219820Sjeff /* 381219820Sjeff * index becomes -2 only after an SIOCAUTHW. Check this in 382219820Sjeff * case the same packet gets sent again and it hasn't yet been 383219820Sjeff * auth'd. 384219820Sjeff */ 385219820Sjeff fra = softa->ipf_auth + i; 386219820Sjeff if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) && 387219820Sjeff !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) { 388219820Sjeff /* 389219820Sjeff * Avoid feedback loop. 390219820Sjeff */ 391219820Sjeff if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) { 392219820Sjeff pass = FR_BLOCK; 393219820Sjeff fin->fin_reason = FRB_AUTHFEEDBACK; 394219820Sjeff } 395219820Sjeff /* 396219820Sjeff * Create a dummy rule for the stateful checking to 397219820Sjeff * use and return. Zero out any values we don't 398219820Sjeff * trust from userland! 399219820Sjeff */ 400219820Sjeff if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) && 401219820Sjeff (fin->fin_flx & FI_FRAG))) { 402219820Sjeff KMALLOC(fr, frentry_t *); 403219820Sjeff if (fr) { 404219820Sjeff bcopy((char *)fra->fra_info.fin_fr, 405219820Sjeff (char *)fr, sizeof(*fr)); 406219820Sjeff fr->fr_grp = NULL; 407219820Sjeff fr->fr_ifa = fin->fin_ifp; 408219820Sjeff fr->fr_func = NULL; 409219820Sjeff fr->fr_ref = 1; 410219820Sjeff fr->fr_flags = pass; 411219820Sjeff fr->fr_ifas[1] = NULL; 412219820Sjeff fr->fr_ifas[2] = NULL; 413219820Sjeff fr->fr_ifas[3] = NULL; 414219820Sjeff MUTEX_INIT(&fr->fr_lock, 415219820Sjeff "ipf auth rule"); 416219820Sjeff } 417219820Sjeff } else 418219820Sjeff fr = fra->fra_info.fin_fr; 419219820Sjeff fin->fin_fr = fr; 420219820Sjeff fin->fin_flx |= fra->fra_flx; 421219820Sjeff RWLOCK_EXIT(&softa->ipf_authlk); 422219820Sjeff 423219820Sjeff WRITE_ENTER(&softa->ipf_authlk); 424219820Sjeff /* 425219820Sjeff * ipf_auth_rules is populated with the rules malloc'd 426219820Sjeff * above and only those. 427219820Sjeff */ 428219820Sjeff if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) { 429219820Sjeff fr->fr_next = softa->ipf_auth_rules; 430219820Sjeff softa->ipf_auth_rules = fr; 431219820Sjeff } 432219820Sjeff softa->ipf_auth_stats.fas_hits++; 433219820Sjeff fra->fra_index = -1; 434219820Sjeff softa->ipf_auth_used--; 435219820Sjeff softa->ipf_auth_replies--; 436219820Sjeff if (i == softa->ipf_auth_start) { 437219820Sjeff while (fra->fra_index == -1) { 438219820Sjeff i++; 439219820Sjeff fra++; 440219820Sjeff if (i == softa->ipf_auth_size) { 441219820Sjeff i = 0; 442219820Sjeff fra = softa->ipf_auth; 443219820Sjeff } 444219820Sjeff softa->ipf_auth_start = i; 445219820Sjeff if (i == softa->ipf_auth_end) 446219820Sjeff break; 447219820Sjeff } 448219820Sjeff if (softa->ipf_auth_start == 449219820Sjeff softa->ipf_auth_end) { 450219820Sjeff softa->ipf_auth_next = 0; 451219820Sjeff softa->ipf_auth_start = 0; 452219820Sjeff softa->ipf_auth_end = 0; 453219820Sjeff } 454219820Sjeff } 455219820Sjeff RWLOCK_EXIT(&softa->ipf_authlk); 456219820Sjeff if (passp != NULL) 457219820Sjeff *passp = pass; 458219820Sjeff softa->ipf_auth_stats.fas_hits++; 459219820Sjeff return fr; 460219820Sjeff } 461219820Sjeff i++; 462219820Sjeff if (i == softa->ipf_auth_size) 463219820Sjeff i = 0; 464219820Sjeff } 465219820Sjeff RWLOCK_EXIT(&softa->ipf_authlk); 466219820Sjeff softa->ipf_auth_stats.fas_miss++; 467219820Sjeff return NULL; 468219820Sjeff} 469219820Sjeff 470219820Sjeff 471219820Sjeff/* ------------------------------------------------------------------------ */ 472219820Sjeff/* Function: ipf_auth_new */ 473219820Sjeff/* Returns: int - 1 == success, 0 = did not put packet on auth queue */ 474219820Sjeff/* Parameters: m(I) - pointer to mb_t with packet in it */ 475219820Sjeff/* fin(I) - pointer to packet information */ 476219820Sjeff/* */ 477219820Sjeff/* Check if we have room in the auth array to hold details for another */ 478219820Sjeff/* packet. If we do, store it and wake up any user programs which are */ 479219820Sjeff/* waiting to hear about these events. */ 480219820Sjeff/* ------------------------------------------------------------------------ */ 481219820Sjeffint 482219820Sjeffipf_auth_new(m, fin) 483219820Sjeff mb_t *m; 484219820Sjeff fr_info_t *fin; 485219820Sjeff{ 486219820Sjeff ipf_main_softc_t *softc = fin->fin_main_soft; 487219820Sjeff ipf_auth_softc_t *softa = softc->ipf_auth_soft; 488219820Sjeff#if defined(_KERNEL) && defined(MENTAT) 489219820Sjeff qpktinfo_t *qpi = fin->fin_qpi; 490219820Sjeff#endif 491219820Sjeff frauth_t *fra; 492219820Sjeff#if !defined(sparc) && !defined(m68k) 493219820Sjeff ip_t *ip; 494219820Sjeff#endif 495219820Sjeff int i; 496219820Sjeff 497219820Sjeff if (softa->ipf_auth_lock) 498219820Sjeff return 0; 499219820Sjeff 500219820Sjeff WRITE_ENTER(&softa->ipf_authlk); 501219820Sjeff if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) == 502219820Sjeff softa->ipf_auth_start) { 503219820Sjeff softa->ipf_auth_stats.fas_nospace++; 504219820Sjeff RWLOCK_EXIT(&softa->ipf_authlk); 505219820Sjeff return 0; 506219820Sjeff } 507219820Sjeff 508219820Sjeff softa->ipf_auth_stats.fas_added++; 509219820Sjeff softa->ipf_auth_used++; 510219820Sjeff i = softa->ipf_auth_end++; 511219820Sjeff if (softa->ipf_auth_end == softa->ipf_auth_size) 512219820Sjeff softa->ipf_auth_end = 0; 513219820Sjeff 514219820Sjeff fra = softa->ipf_auth + i; 515219820Sjeff fra->fra_index = i; 516219820Sjeff if (fin->fin_fr != NULL) 517219820Sjeff fra->fra_pass = fin->fin_fr->fr_flags; 518219820Sjeff else 519219820Sjeff fra->fra_pass = 0; 520219820Sjeff fra->fra_age = softa->ipf_auth_defaultage; 521219820Sjeff bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin)); 522219820Sjeff fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED); 523219820Sjeff fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED); 524219820Sjeff#if !defined(sparc) && !defined(m68k) 525219820Sjeff /* 526219820Sjeff * No need to copyback here as we want to undo the changes, not keep 527219820Sjeff * them. 528219820Sjeff */ 529219820Sjeff ip = fin->fin_ip; 530219820Sjeff# if defined(MENTAT) && defined(_KERNEL) 531219820Sjeff if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4)) 532219820Sjeff# endif 533219820Sjeff { 534219820Sjeff register u_short bo; 535219820Sjeff 536219820Sjeff bo = ip->ip_len; 537219820Sjeff ip->ip_len = htons(bo); 538219820Sjeff bo = ip->ip_off; 539219820Sjeff ip->ip_off = htons(bo); 540219820Sjeff } 541219820Sjeff#endif 542219820Sjeff#if SOLARIS && defined(_KERNEL) 543219820Sjeff COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname); 544219820Sjeff m->b_rptr -= qpi->qpi_off; 545219820Sjeff fra->fra_q = qpi->qpi_q; /* The queue can disappear! */ 546219820Sjeff fra->fra_m = *fin->fin_mp; 547219820Sjeff fra->fra_info.fin_mp = &fra->fra_m; 548219820Sjeff softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp; 549219820Sjeff RWLOCK_EXIT(&softa->ipf_authlk); 550219820Sjeff cv_signal(&softa->ipf_auth_wait); 551219820Sjeff pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM); 552219820Sjeff#else 553219820Sjeff softa->ipf_auth_pkts[i] = m; 554219820Sjeff RWLOCK_EXIT(&softa->ipf_authlk); 555219820Sjeff WAKEUP(&softa->ipf_auth_next, 0); 556219820Sjeff#endif 557219820Sjeff return 1; 558219820Sjeff} 559219820Sjeff 560219820Sjeff 561219820Sjeff/* ------------------------------------------------------------------------ */ 562219820Sjeff/* Function: ipf_auth_ioctl */ 563219820Sjeff/* Returns: int - 0 == success, else error */ 564219820Sjeff/* Parameters: data(IO) - pointer to ioctl data */ 565219820Sjeff/* cmd(I) - ioctl command */ 566219820Sjeff/* mode(I) - mode flags associated with open descriptor */ 567219820Sjeff/* uid(I) - uid associatd with application making the call */ 568219820Sjeff/* ctx(I) - pointer for context */ 569219820Sjeff/* */ 570219820Sjeff/* This function handles all of the ioctls recognised by the auth component */ 571219820Sjeff/* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */ 572219820Sjeff/* ------------------------------------------------------------------------ */ 573219820Sjeffint 574219820Sjeffipf_auth_ioctl(softc, data, cmd, mode, uid, ctx) 575219820Sjeff ipf_main_softc_t *softc; 576219820Sjeff caddr_t data; 577219820Sjeff ioctlcmd_t cmd; 578219820Sjeff int mode, uid; 579219820Sjeff void *ctx; 580219820Sjeff{ 581219820Sjeff ipf_auth_softc_t *softa = softc->ipf_auth_soft; 582219820Sjeff int error = 0, i; 583219820Sjeff SPL_INT(s); 584219820Sjeff 585219820Sjeff switch (cmd) 586219820Sjeff { 587219820Sjeff case SIOCGENITER : 588219820Sjeff { 589219820Sjeff ipftoken_t *token; 590219820Sjeff ipfgeniter_t iter; 591219820Sjeff ipfobj_t obj; 592219820Sjeff 593219820Sjeff error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER); 594219820Sjeff if (error != 0) 595219820Sjeff break; 596219820Sjeff 597219820Sjeff SPL_SCHED(s); 598219820Sjeff token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx); 599219820Sjeff if (token != NULL) 600219820Sjeff error = ipf_auth_geniter(softc, token, &iter, &obj); 601219820Sjeff else { 602219820Sjeff WRITE_ENTER(&softc->ipf_tokens); 603219820Sjeff ipf_token_deref(softc, token); 604219820Sjeff RWLOCK_EXIT(&softc->ipf_tokens); 605219820Sjeff IPFERROR(10001); 606219820Sjeff error = ESRCH; 607219820Sjeff } 608219820Sjeff SPL_X(s); 609219820Sjeff 610219820Sjeff break; 611219820Sjeff } 612219820Sjeff 613219820Sjeff case SIOCADAFR : 614219820Sjeff case SIOCRMAFR : 615219820Sjeff if (!(mode & FWRITE)) { 616219820Sjeff IPFERROR(10002); 617219820Sjeff error = EPERM; 618219820Sjeff } else 619219820Sjeff error = frrequest(softc, IPL_LOGAUTH, cmd, data, 620219820Sjeff softc->ipf_active, 1); 621219820Sjeff break; 622219820Sjeff 623219820Sjeff case SIOCSTLCK : 624219820Sjeff if (!(mode & FWRITE)) { 625219820Sjeff IPFERROR(10003); 626219820Sjeff error = EPERM; 627219820Sjeff } else { 628219820Sjeff error = ipf_lock(data, &softa->ipf_auth_lock); 629219820Sjeff } 630219820Sjeff break; 631219820Sjeff 632219820Sjeff case SIOCATHST: 633219820Sjeff softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries; 634219820Sjeff error = ipf_outobj(softc, data, &softa->ipf_auth_stats, 635219820Sjeff IPFOBJ_AUTHSTAT); 636219820Sjeff break; 637219820Sjeff 638219820Sjeff case SIOCIPFFL: 639219820Sjeff SPL_NET(s); 640219820Sjeff WRITE_ENTER(&softa->ipf_authlk); 641219820Sjeff i = ipf_auth_flush(softa); 642219820Sjeff RWLOCK_EXIT(&softa->ipf_authlk); 643219820Sjeff SPL_X(s); 644219820Sjeff error = BCOPYOUT(&i, data, sizeof(i)); 645219820Sjeff if (error != 0) { 646219820Sjeff IPFERROR(10004); 647219820Sjeff error = EFAULT; 648219820Sjeff } 649219820Sjeff break; 650219820Sjeff 651219820Sjeff case SIOCAUTHW: 652219820Sjeff error = ipf_auth_wait(softc, softa, data); 653219820Sjeff break; 654219820Sjeff 655219820Sjeff case SIOCAUTHR: 656219820Sjeff error = ipf_auth_reply(softc, softa, data); 657219820Sjeff break; 658219820Sjeff 659219820Sjeff default : 660219820Sjeff IPFERROR(10005); 661219820Sjeff error = EINVAL; 662219820Sjeff break; 663219820Sjeff } 664219820Sjeff return error; 665219820Sjeff} 666219820Sjeff 667219820Sjeff 668219820Sjeff/* ------------------------------------------------------------------------ */ 669219820Sjeff/* Function: ipf_auth_expire */ 670219820Sjeff/* Returns: None */ 671219820Sjeff/* Parameters: None */ 672219820Sjeff/* */ 673219820Sjeff/* Slowly expire held auth records. Timeouts are set in expectation of */ 674219820Sjeff/* this being called twice per second. */ 675219820Sjeff/* ------------------------------------------------------------------------ */ 676219820Sjeffvoid 677219820Sjeffipf_auth_expire(softc) 678219820Sjeff ipf_main_softc_t *softc; 679219820Sjeff{ 680219820Sjeff ipf_auth_softc_t *softa = softc->ipf_auth_soft; 681219820Sjeff frauthent_t *fae, **faep; 682219820Sjeff frentry_t *fr, **frp; 683219820Sjeff frauth_t *fra; 684219820Sjeff mb_t *m; 685219820Sjeff int i; 686219820Sjeff SPL_INT(s); 687219820Sjeff 688219820Sjeff if (softa->ipf_auth_lock) 689219820Sjeff return; 690219820Sjeff SPL_NET(s); 691219820Sjeff WRITE_ENTER(&softa->ipf_authlk); 692219820Sjeff for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size; 693219820Sjeff i++, fra++) { 694219820Sjeff fra->fra_age--; 695219820Sjeff if ((fra->fra_age == 0) && 696219820Sjeff (softa->ipf_auth[i].fra_index != -1)) { 697219820Sjeff if ((m = softa->ipf_auth_pkts[i]) != NULL) { 698219820Sjeff FREE_MB_T(m); 699219820Sjeff softa->ipf_auth_pkts[i] = NULL; 700219820Sjeff } else if (softa->ipf_auth[i].fra_index == -2) { 701219820Sjeff softa->ipf_auth_replies--; 702219820Sjeff } 703219820Sjeff softa->ipf_auth[i].fra_index = -1; 704219820Sjeff softa->ipf_auth_stats.fas_expire++; 705219820Sjeff softa->ipf_auth_used--; 706219820Sjeff } 707219820Sjeff } 708219820Sjeff 709219820Sjeff /* 710219820Sjeff * Expire pre-auth rules 711219820Sjeff */ 712219820Sjeff for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 713219820Sjeff fae->fae_age--; 714219820Sjeff if (fae->fae_age == 0) { 715219820Sjeff ipf_auth_deref(&fae); 716219820Sjeff softa->ipf_auth_stats.fas_expire++; 717219820Sjeff } else 718219820Sjeff faep = &fae->fae_next; 719219820Sjeff } 720219820Sjeff if (softa->ipf_auth_entries != NULL) 721219820Sjeff softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 722219820Sjeff else 723219820Sjeff softa->ipf_auth_ip = NULL; 724 725 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 726 if (fr->fr_ref == 1) { 727 *frp = fr->fr_next; 728 MUTEX_DESTROY(&fr->fr_lock); 729 KFREE(fr); 730 } else 731 frp = &fr->fr_next; 732 } 733 RWLOCK_EXIT(&softa->ipf_authlk); 734 SPL_X(s); 735} 736 737 738/* ------------------------------------------------------------------------ */ 739/* Function: ipf_auth_precmd */ 740/* Returns: int - 0 == success, else error */ 741/* Parameters: cmd(I) - ioctl command for rule */ 742/* fr(I) - pointer to ipf rule */ 743/* fptr(I) - pointer to caller's 'fr' */ 744/* */ 745/* ------------------------------------------------------------------------ */ 746int 747ipf_auth_precmd(softc, cmd, fr, frptr) 748 ipf_main_softc_t *softc; 749 ioctlcmd_t cmd; 750 frentry_t *fr, **frptr; 751{ 752 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 753 frauthent_t *fae, **faep; 754 int error = 0; 755 SPL_INT(s); 756 757 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) { 758 IPFERROR(10006); 759 return EIO; 760 } 761 762 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 763 if (&fae->fae_fr == fr) 764 break; 765 else 766 faep = &fae->fae_next; 767 } 768 769 if (cmd == (ioctlcmd_t)SIOCRMAFR) { 770 if (fr == NULL || frptr == NULL) { 771 IPFERROR(10007); 772 error = EINVAL; 773 774 } else if (fae == NULL) { 775 IPFERROR(10008); 776 error = ESRCH; 777 778 } else { 779 SPL_NET(s); 780 WRITE_ENTER(&softa->ipf_authlk); 781 *faep = fae->fae_next; 782 if (softa->ipf_auth_ip == &fae->fae_fr) 783 softa->ipf_auth_ip = softa->ipf_auth_entries ? 784 &softa->ipf_auth_entries->fae_fr : NULL; 785 RWLOCK_EXIT(&softa->ipf_authlk); 786 SPL_X(s); 787 788 KFREE(fae); 789 } 790 } else if (fr != NULL && frptr != NULL) { 791 KMALLOC(fae, frauthent_t *); 792 if (fae != NULL) { 793 bcopy((char *)fr, (char *)&fae->fae_fr, 794 sizeof(*fr)); 795 SPL_NET(s); 796 WRITE_ENTER(&softa->ipf_authlk); 797 fae->fae_age = softa->ipf_auth_defaultage; 798 fae->fae_fr.fr_hits = 0; 799 fae->fae_fr.fr_next = *frptr; 800 fae->fae_ref = 1; 801 *frptr = &fae->fae_fr; 802 fae->fae_next = *faep; 803 *faep = fae; 804 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 805 RWLOCK_EXIT(&softa->ipf_authlk); 806 SPL_X(s); 807 } else { 808 IPFERROR(10009); 809 error = ENOMEM; 810 } 811 } else { 812 IPFERROR(10010); 813 error = EINVAL; 814 } 815 return error; 816} 817 818 819/* ------------------------------------------------------------------------ */ 820/* Function: ipf_auth_flush */ 821/* Returns: int - number of auth entries flushed */ 822/* Parameters: None */ 823/* Locks: WRITE(ipf_authlk) */ 824/* */ 825/* This function flushs the ipf_auth_pkts array of any packet data with */ 826/* references still there. */ 827/* It is expected that the caller has already acquired the correct locks or */ 828/* set the priority level correctly for this to block out other code paths */ 829/* into these data structures. */ 830/* ------------------------------------------------------------------------ */ 831static int 832ipf_auth_flush(arg) 833 void *arg; 834{ 835 ipf_auth_softc_t *softa = arg; 836 int i, num_flushed; 837 mb_t *m; 838 839 if (softa->ipf_auth_lock) 840 return -1; 841 842 num_flushed = 0; 843 844 for (i = 0 ; i < softa->ipf_auth_size; i++) { 845 if (softa->ipf_auth[i].fra_index != -1) { 846 m = softa->ipf_auth_pkts[i]; 847 if (m != NULL) { 848 FREE_MB_T(m); 849 softa->ipf_auth_pkts[i] = NULL; 850 } 851 852 softa->ipf_auth[i].fra_index = -1; 853 /* perhaps add & use a flush counter inst.*/ 854 softa->ipf_auth_stats.fas_expire++; 855 num_flushed++; 856 } 857 } 858 859 softa->ipf_auth_start = 0; 860 softa->ipf_auth_end = 0; 861 softa->ipf_auth_next = 0; 862 softa->ipf_auth_used = 0; 863 softa->ipf_auth_replies = 0; 864 865 return num_flushed; 866} 867 868 869/* ------------------------------------------------------------------------ */ 870/* Function: ipf_auth_waiting */ 871/* Returns: int - number of packets in the auth queue */ 872/* Parameters: None */ 873/* */ 874/* Simple truth check to see if there are any packets waiting in the auth */ 875/* queue. */ 876/* ------------------------------------------------------------------------ */ 877int 878ipf_auth_waiting(softc) 879 ipf_main_softc_t *softc; 880{ 881 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 882 883 return (softa->ipf_auth_used != 0); 884} 885 886 887/* ------------------------------------------------------------------------ */ 888/* Function: ipf_auth_geniter */ 889/* Returns: int - 0 == success, else error */ 890/* Parameters: token(I) - pointer to ipftoken structure */ 891/* itp(I) - pointer to ipfgeniter structure */ 892/* objp(I) - pointer to ipf object destription */ 893/* */ 894/* Iterate through the list of entries in the auth queue list. */ 895/* objp is used here to get the location of where to do the copy out to. */ 896/* Stomping over various fields with new information will not harm anything */ 897/* ------------------------------------------------------------------------ */ 898static int 899ipf_auth_geniter(softc, token, itp, objp) 900 ipf_main_softc_t *softc; 901 ipftoken_t *token; 902 ipfgeniter_t *itp; 903 ipfobj_t *objp; 904{ 905 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 906 frauthent_t *fae, *next, zero; 907 int error; 908 909 if (itp->igi_data == NULL) { 910 IPFERROR(10011); 911 return EFAULT; 912 } 913 914 if (itp->igi_type != IPFGENITER_AUTH) { 915 IPFERROR(10012); 916 return EINVAL; 917 } 918 919 objp->ipfo_type = IPFOBJ_FRAUTH; 920 objp->ipfo_ptr = itp->igi_data; 921 objp->ipfo_size = sizeof(frauth_t); 922 923 READ_ENTER(&softa->ipf_authlk); 924 925 fae = token->ipt_data; 926 if (fae == NULL) { 927 next = softa->ipf_auth_entries; 928 } else { 929 next = fae->fae_next; 930 } 931 932 /* 933 * If we found an auth entry to use, bump its reference count 934 * so that it can be used for is_next when we come back. 935 */ 936 if (next != NULL) { 937 ATOMIC_INC(next->fae_ref); 938 token->ipt_data = next; 939 } else { 940 bzero(&zero, sizeof(zero)); 941 next = &zero; 942 token->ipt_data = NULL; 943 } 944 945 RWLOCK_EXIT(&softa->ipf_authlk); 946 947 error = ipf_outobjk(softc, objp, next); 948 if (fae != NULL) 949 ipf_auth_deref_unlocked(softa, &fae); 950 951 if (next->fae_next == NULL) 952 ipf_token_mark_complete(token); 953 return error; 954} 955 956 957/* ------------------------------------------------------------------------ */ 958/* Function: ipf_auth_deref_unlocked */ 959/* Returns: None */ 960/* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 961/* */ 962/* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */ 963/* held. */ 964/* ------------------------------------------------------------------------ */ 965static void 966ipf_auth_deref_unlocked(softa, faep) 967 ipf_auth_softc_t *softa; 968 frauthent_t **faep; 969{ 970 WRITE_ENTER(&softa->ipf_authlk); 971 ipf_auth_deref(faep); 972 RWLOCK_EXIT(&softa->ipf_authlk); 973} 974 975 976/* ------------------------------------------------------------------------ */ 977/* Function: ipf_auth_deref */ 978/* Returns: None */ 979/* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 980/* Locks: WRITE(ipf_authlk) */ 981/* */ 982/* This function unconditionally sets the pointer in the caller to NULL, */ 983/* to make it clear that it should no longer use that pointer, and drops */ 984/* the reference count on the structure by 1. If it reaches 0, free it up. */ 985/* ------------------------------------------------------------------------ */ 986static void 987ipf_auth_deref(faep) 988 frauthent_t **faep; 989{ 990 frauthent_t *fae; 991 992 fae = *faep; 993 *faep = NULL; 994 995 fae->fae_ref--; 996 if (fae->fae_ref == 0) { 997 KFREE(fae); 998 } 999} 1000 1001 1002/* ------------------------------------------------------------------------ */ 1003/* Function: ipf_auth_wait_pkt */ 1004/* Returns: int - 0 == success, else error */ 1005/* Parameters: data(I) - pointer to data from ioctl call */ 1006/* */ 1007/* This function is called when an application is waiting for a packet to */ 1008/* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */ 1009/* a packet waiting on the queue then we will return that _one_ immediately.*/ 1010/* If there are no packets present in the queue (ipf_auth_pkts) then we go */ 1011/* to sleep. */ 1012/* ------------------------------------------------------------------------ */ 1013static int 1014ipf_auth_wait(softc, softa, data) 1015 ipf_main_softc_t *softc; 1016 ipf_auth_softc_t *softa; 1017 char *data; 1018{ 1019 frauth_t auth, *au = &auth; 1020 int error, len, i; 1021 mb_t *m; 1022 char *t; 1023 SPL_INT(s); 1024 1025ipf_auth_ioctlloop: 1026 error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH); 1027 if (error != 0) 1028 return error; 1029 1030 /* 1031 * XXX Locks are held below over calls to copyout...a better 1032 * solution needs to be found so this isn't necessary. The situation 1033 * we are trying to guard against here is an error in the copyout 1034 * steps should not cause the packet to "disappear" from the queue. 1035 */ 1036 SPL_NET(s); 1037 READ_ENTER(&softa->ipf_authlk); 1038 1039 /* 1040 * If ipf_auth_next is not equal to ipf_auth_end it will be because 1041 * there is a packet waiting to be delt with in the ipf_auth_pkts 1042 * array. We copy as much of that out to user space as requested. 1043 */ 1044 if (softa->ipf_auth_used > 0) { 1045 while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) { 1046 softa->ipf_auth_next++; 1047 if (softa->ipf_auth_next == softa->ipf_auth_size) 1048 softa->ipf_auth_next = 0; 1049 } 1050 1051 error = ipf_outobj(softc, data, 1052 &softa->ipf_auth[softa->ipf_auth_next], 1053 IPFOBJ_FRAUTH); 1054 if (error != 0) { 1055 RWLOCK_EXIT(&softa->ipf_authlk); 1056 SPL_X(s); 1057 return error; 1058 } 1059 1060 if (auth.fra_len != 0 && auth.fra_buf != NULL) { 1061 /* 1062 * Copy packet contents out to user space if 1063 * requested. Bail on an error. 1064 */ 1065 m = softa->ipf_auth_pkts[softa->ipf_auth_next]; 1066 len = MSGDSIZE(m); 1067 if (len > auth.fra_len) 1068 len = auth.fra_len; 1069 auth.fra_len = len; 1070 1071 for (t = auth.fra_buf; m && (len > 0); ) { 1072 i = MIN(M_LEN(m), len); 1073 error = copyoutptr(softc, MTOD(m, char *), 1074 &t, i); 1075 len -= i; 1076 t += i; 1077 if (error != 0) { 1078 RWLOCK_EXIT(&softa->ipf_authlk); 1079 SPL_X(s); 1080 return error; 1081 } 1082 m = m->m_next; 1083 } 1084 } 1085 RWLOCK_EXIT(&softa->ipf_authlk); 1086 1087 SPL_NET(s); 1088 WRITE_ENTER(&softa->ipf_authlk); 1089 softa->ipf_auth_next++; 1090 if (softa->ipf_auth_next == softa->ipf_auth_size) 1091 softa->ipf_auth_next = 0; 1092 RWLOCK_EXIT(&softa->ipf_authlk); 1093 SPL_X(s); 1094 1095 return 0; 1096 } 1097 RWLOCK_EXIT(&softa->ipf_authlk); 1098 SPL_X(s); 1099 1100 MUTEX_ENTER(&softa->ipf_auth_mx); 1101#ifdef _KERNEL 1102# if SOLARIS 1103 error = 0; 1104 if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) { 1105 IPFERROR(10014); 1106 error = EINTR; 1107 } 1108# else /* SOLARIS */ 1109# ifdef __hpux 1110 { 1111 lock_t *l; 1112 1113 l = get_sleep_lock(&softa->ipf_auth_next); 1114 error = sleep(&softa->ipf_auth_next, PZERO+1); 1115 spinunlock(l); 1116 } 1117# else 1118# ifdef __osf__ 1119 error = mpsleep(&softa->ipf_auth_next, PSUSP|PCATCH, "ipf_auth_next", 1120 0, &softa->ipf_auth_mx, MS_LOCK_SIMPLE); 1121# else 1122 error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next"); 1123# endif /* __osf__ */ 1124# endif /* __hpux */ 1125# endif /* SOLARIS */ 1126#endif 1127 MUTEX_EXIT(&softa->ipf_auth_mx); 1128 if (error == 0) 1129 goto ipf_auth_ioctlloop; 1130 return error; 1131} 1132 1133 1134/* ------------------------------------------------------------------------ */ 1135/* Function: ipf_auth_reply */ 1136/* Returns: int - 0 == success, else error */ 1137/* Parameters: data(I) - pointer to data from ioctl call */ 1138/* */ 1139/* This function is called by an application when it wants to return a */ 1140/* decision on a packet using the SIOCAUTHR ioctl. This is after it has */ 1141/* received information using an SIOCAUTHW. The decision returned in the */ 1142/* form of flags, the same as those used in each rule. */ 1143/* ------------------------------------------------------------------------ */ 1144static int 1145ipf_auth_reply(softc, softa, data) 1146 ipf_main_softc_t *softc; 1147 ipf_auth_softc_t *softa; 1148 char *data; 1149{ 1150 frauth_t auth, *au = &auth, *fra; 1151 fr_info_t fin; 1152 int error, i; 1153 mb_t *m; 1154 SPL_INT(s); 1155 1156 error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH); 1157 if (error != 0) 1158 return error; 1159 1160 SPL_NET(s); 1161 WRITE_ENTER(&softa->ipf_authlk); 1162 1163 i = au->fra_index; 1164 fra = softa->ipf_auth + i; 1165 error = 0; 1166 1167 /* 1168 * Check the validity of the information being returned with two simple 1169 * checks. First, the auth index value should be within the size of 1170 * the array and second the packet id being returned should also match. 1171 */ 1172 if ((i < 0) || (i >= softa->ipf_auth_size)) { 1173 RWLOCK_EXIT(&softa->ipf_authlk); 1174 SPL_X(s); 1175 IPFERROR(10015); 1176 return ESRCH; 1177 } 1178 if (fra->fra_info.fin_id != au->fra_info.fin_id) { 1179 RWLOCK_EXIT(&softa->ipf_authlk); 1180 SPL_X(s); 1181 IPFERROR(10019); 1182 return ESRCH; 1183 } 1184 1185 m = softa->ipf_auth_pkts[i]; 1186 fra->fra_index = -2; 1187 fra->fra_pass = au->fra_pass; 1188 softa->ipf_auth_pkts[i] = NULL; 1189 softa->ipf_auth_replies++; 1190 bcopy(&fra->fra_info, &fin, sizeof(fin)); 1191 1192 RWLOCK_EXIT(&softa->ipf_authlk); 1193 1194 /* 1195 * Re-insert the packet back into the packet stream flowing through 1196 * the kernel in a manner that will mean IPFilter sees the packet 1197 * again. This is not the same as is done with fastroute, 1198 * deliberately, as we want to resume the normal packet processing 1199 * path for it. 1200 */ 1201#ifdef _KERNEL 1202 if ((m != NULL) && (au->fra_info.fin_out != 0)) { 1203 error = ipf_inject(&fin, m); 1204 if (error != 0) { 1205 IPFERROR(10016); 1206 error = ENOBUFS; 1207 softa->ipf_auth_stats.fas_sendfail++; 1208 } else { 1209 softa->ipf_auth_stats.fas_sendok++; 1210 } 1211 } else if (m) { 1212 error = ipf_inject(&fin, m); 1213 if (error != 0) { 1214 IPFERROR(10017); 1215 error = ENOBUFS; 1216 softa->ipf_auth_stats.fas_quefail++; 1217 } else { 1218 softa->ipf_auth_stats.fas_queok++; 1219 } 1220 } else { 1221 IPFERROR(10018); 1222 error = EINVAL; 1223 } 1224 1225 /* 1226 * If we experience an error which will result in the packet 1227 * not being processed, make sure we advance to the next one. 1228 */ 1229 if (error == ENOBUFS) { 1230 WRITE_ENTER(&softa->ipf_authlk); 1231 softa->ipf_auth_used--; 1232 fra->fra_index = -1; 1233 fra->fra_pass = 0; 1234 if (i == softa->ipf_auth_start) { 1235 while (fra->fra_index == -1) { 1236 i++; 1237 if (i == softa->ipf_auth_size) 1238 i = 0; 1239 softa->ipf_auth_start = i; 1240 if (i == softa->ipf_auth_end) 1241 break; 1242 } 1243 if (softa->ipf_auth_start == softa->ipf_auth_end) { 1244 softa->ipf_auth_next = 0; 1245 softa->ipf_auth_start = 0; 1246 softa->ipf_auth_end = 0; 1247 } 1248 } 1249 RWLOCK_EXIT(&softa->ipf_authlk); 1250 } 1251#endif /* _KERNEL */ 1252 SPL_X(s); 1253 1254 return 0; 1255} 1256 1257 1258u_32_t 1259ipf_auth_pre_scanlist(softc, fin, pass) 1260 ipf_main_softc_t *softc; 1261 fr_info_t *fin; 1262 u_32_t pass; 1263{ 1264 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1265 1266 if (softa->ipf_auth_ip != NULL) 1267 return ipf_scanlist(fin, softc->ipf_pass); 1268 1269 return pass; 1270} 1271 1272 1273frentry_t ** 1274ipf_auth_rulehead(softc) 1275 ipf_main_softc_t *softc; 1276{ 1277 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1278 1279 return &softa->ipf_auth_ip; 1280} 1281