ip_fw_eaction.c revision 350583 
1/*-
2 * Copyright (c) 2016-2017 Yandex LLC
3 * Copyright (c) 2016-2017 Andrey V. Elsukov <ae@FreeBSD.org>
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
28__FBSDID("$FreeBSD: stable/11/sys/netpfil/ipfw/ip_fw_eaction.c 350583 2019-08-05 07:50:25Z ae $");
29
30#include <sys/param.h>
31#include <sys/systm.h>
32#include <sys/malloc.h>
33#include <sys/kernel.h>
34#include <sys/hash.h>
35#include <sys/lock.h>
36#include <sys/rwlock.h>
37#include <sys/rmlock.h>
38#include <sys/socket.h>
39#include <sys/socketvar.h>
40#include <sys/queue.h>
41#include <net/pfil.h>
42
43#include <net/if.h>	/* ip_fw.h requires IFNAMSIZ */
44#include <netinet/in.h>
45#include <netinet/ip_var.h>	/* struct ipfw_rule_ref */
46#include <netinet/ip_fw.h>
47
48#include <netpfil/ipfw/ip_fw_private.h>
49
50#include "opt_ipfw.h"
51
52/*
53 * External actions support for ipfw.
54 *
55 * This code provides KPI for implementing loadable modules, that
56 * can provide handlers for external action opcodes in the ipfw's
57 * rules.
58 * Module should implement opcode handler with type ipfw_eaction_t.
59 * This handler will be called by ipfw_chk() function when
60 * O_EXTERNAL_ACTION opcode is matched. The handler must return
61 * value used as return value in ipfw_chk(), i.e. IP_FW_PASS,
62 * IP_FW_DENY (see ip_fw_private.h).
63 * Also the last argument must be set by handler. If it is zero,
64 * the search continues to the next rule. If it has non zero value,
65 * the search terminates.
66 *
67 * The module that implements external action should register its
68 * handler and name with ipfw_add_eaction() function.
69 * This function will return eaction_id, that can be used by module.
70 *
71 * It is possible to pass some additional information to external
72 * action handler using O_EXTERNAL_INSTANCE and O_EXTERNAL_DATA opcodes.
73 * Such opcodes should be next after the O_EXTERNAL_ACTION opcode.
74 * For the O_EXTERNAL_INSTANCE opcode the cmd->arg1 contains index of named
75 * object related to an instance of external action.
76 * For the O_EXTERNAL_DATA opcode the cmd contains the data that can be used
77 * by external action handler without needing to create named instance.
78 *
79 * In case when eaction module uses named instances, it should register
80 * opcode rewriting routines for O_EXTERNAL_INSTANCE opcode. The
81 * classifier callback can look back into O_EXTERNAL_ACTION opcode (it
82 * must be in the (ipfw_insn *)(cmd - 1)). By arg1 from O_EXTERNAL_ACTION
83 * it can deteremine eaction_id and compare it with its own.
84 * The macro IPFW_TLV_EACTION_NAME(eaction_id) can be used to deteremine
85 * the type of named_object related to external action instance.
86 *
87 * On module unload handler should be deregistered with ipfw_del_eaction()
88 * function using known eaction_id.
89 */
90
91struct eaction_obj {
92	struct named_object	no;
93	ipfw_eaction_t		*handler;
94	char			name[64];
95};
96
97#define	EACTION_OBJ(ch, cmd)			\
98    ((struct eaction_obj *)SRV_OBJECT((ch), (cmd)->arg1))
99
100#if 0
101#define	EACTION_DEBUG(fmt, ...)	do {			\
102	printf("%s: " fmt "\n", __func__, ## __VA_ARGS__);	\
103} while (0)
104#else
105#define	EACTION_DEBUG(fmt, ...)
106#endif
107
108const char *default_eaction_typename = "drop";
109static int
110default_eaction(struct ip_fw_chain *ch, struct ip_fw_args *args,
111    ipfw_insn *cmd, int *done)
112{
113
114	*done = 1; /* terminate the search */
115	return (IP_FW_DENY);
116}
117
118/*
119 * Opcode rewriting callbacks.
120 */
121static int
122eaction_classify(ipfw_insn *cmd, uint16_t *puidx, uint8_t *ptype)
123{
124
125	EACTION_DEBUG("opcode %d, arg1 %d", cmd->opcode, cmd->arg1);
126	*puidx = cmd->arg1;
127	*ptype = 0;
128	return (0);
129}
130
131static void
132eaction_update(ipfw_insn *cmd, uint16_t idx)
133{
134
135	cmd->arg1 = idx;
136	EACTION_DEBUG("opcode %d, arg1 -> %d", cmd->opcode, cmd->arg1);
137}
138
139static int
140eaction_findbyname(struct ip_fw_chain *ch, struct tid_info *ti,
141    struct named_object **pno)
142{
143	ipfw_obj_ntlv *ntlv;
144
145	if (ti->tlvs == NULL)
146		return (EINVAL);
147
148	/* Search ntlv in the buffer provided by user */
149	ntlv = ipfw_find_name_tlv_type(ti->tlvs, ti->tlen, ti->uidx,
150	    IPFW_TLV_EACTION);
151	if (ntlv == NULL)
152		return (EINVAL);
153	EACTION_DEBUG("name %s, uidx %u, type %u", ntlv->name,
154	    ti->uidx, ti->type);
155	/*
156	 * Search named object with corresponding name.
157	 * Since eaction objects are global - ignore the set value
158	 * and use zero instead.
159	 */
160	*pno = ipfw_objhash_lookup_name_type(CHAIN_TO_SRV(ch),
161	    0, IPFW_TLV_EACTION, ntlv->name);
162	if (*pno == NULL)
163		return (ESRCH);
164	return (0);
165}
166
167static struct named_object *
168eaction_findbykidx(struct ip_fw_chain *ch, uint16_t idx)
169{
170
171	EACTION_DEBUG("kidx %u", idx);
172	return (ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), idx));
173}
174
175static struct opcode_obj_rewrite eaction_opcodes[] = {
176	{
177		.opcode = O_EXTERNAL_ACTION,
178		.etlv = IPFW_TLV_EACTION,
179		.classifier = eaction_classify,
180		.update = eaction_update,
181		.find_byname = eaction_findbyname,
182		.find_bykidx = eaction_findbykidx,
183	},
184};
185
186static int
187create_eaction_obj(struct ip_fw_chain *ch, ipfw_eaction_t handler,
188    const char *name, uint16_t *eaction_id)
189{
190	struct namedobj_instance *ni;
191	struct eaction_obj *obj;
192
193	IPFW_UH_UNLOCK_ASSERT(ch);
194
195	ni = CHAIN_TO_SRV(ch);
196	obj = malloc(sizeof(*obj), M_IPFW, M_WAITOK | M_ZERO);
197	obj->no.name = obj->name;
198	obj->no.etlv = IPFW_TLV_EACTION;
199	obj->handler = handler;
200	strlcpy(obj->name, name, sizeof(obj->name));
201
202	IPFW_UH_WLOCK(ch);
203	if (ipfw_objhash_lookup_name_type(ni, 0, IPFW_TLV_EACTION,
204	    name) != NULL) {
205		/*
206		 * Object is already created.
207		 * We don't allow eactions with the same name.
208		 */
209		IPFW_UH_WUNLOCK(ch);
210		free(obj, M_IPFW);
211		EACTION_DEBUG("External action with typename "
212		    "'%s' already exists", name);
213		return (EEXIST);
214	}
215	if (ipfw_objhash_alloc_idx(ni, &obj->no.kidx) != 0) {
216		IPFW_UH_WUNLOCK(ch);
217		free(obj, M_IPFW);
218		EACTION_DEBUG("alloc_idx failed");
219		return (ENOSPC);
220	}
221	ipfw_objhash_add(ni, &obj->no);
222	IPFW_WLOCK(ch);
223	SRV_OBJECT(ch, obj->no.kidx) = obj;
224	IPFW_WUNLOCK(ch);
225	obj->no.refcnt++;
226	IPFW_UH_WUNLOCK(ch);
227
228	if (eaction_id != NULL)
229		*eaction_id = obj->no.kidx;
230	return (0);
231}
232
233static void
234destroy_eaction_obj(struct ip_fw_chain *ch, struct named_object *no)
235{
236	struct namedobj_instance *ni;
237	struct eaction_obj *obj;
238
239	IPFW_UH_WLOCK_ASSERT(ch);
240
241	ni = CHAIN_TO_SRV(ch);
242	IPFW_WLOCK(ch);
243	obj = SRV_OBJECT(ch, no->kidx);
244	SRV_OBJECT(ch, no->kidx) = NULL;
245	IPFW_WUNLOCK(ch);
246	ipfw_objhash_del(ni, no);
247	ipfw_objhash_free_idx(ni, no->kidx);
248	free(obj, M_IPFW);
249}
250
251/*
252 * Resets all eaction opcodes to default handlers.
253 */
254static void
255reset_eaction_rules(struct ip_fw_chain *ch, uint16_t eaction_id,
256    uint16_t instance_id, bool reset_rules)
257{
258	struct named_object *no;
259	int i;
260
261	IPFW_UH_WLOCK_ASSERT(ch);
262
263	no = ipfw_objhash_lookup_name_type(CHAIN_TO_SRV(ch), 0,
264	    IPFW_TLV_EACTION, default_eaction_typename);
265	if (no == NULL)
266		panic("Default external action handler is not found");
267	if (eaction_id == no->kidx)
268		panic("Wrong eaction_id");
269
270	EACTION_DEBUG("Going to replace id %u with %u", eaction_id, no->kidx);
271	IPFW_WLOCK(ch);
272	/*
273	 * Reset eaction objects only if it is referenced by rules.
274	 * But always reset objects for orphaned dynamic states.
275	 */
276	if (reset_rules) {
277		for (i = 0; i < ch->n_rules; i++) {
278			/*
279			 * Refcount on the original object will be just
280			 * ignored on destroy. Refcount on default_eaction
281			 * will be decremented on rule deletion, thus we
282			 * need to reference default_eaction object.
283			 */
284			if (ipfw_reset_eaction(ch, ch->map[i], eaction_id,
285			    no->kidx, instance_id) != 0)
286				no->refcnt++;
287		}
288	}
289	/*
290	 * Reset eaction opcodes for orphaned dynamic states.
291	 * Since parent rules are already deleted, we don't need to
292	 * reference named object of default_eaction.
293	 */
294	ipfw_dyn_reset_eaction(ch, eaction_id, no->kidx, instance_id);
295	IPFW_WUNLOCK(ch);
296}
297
298/*
299 * Initialize external actions framework.
300 * Create object with default eaction handler "drop".
301 */
302int
303ipfw_eaction_init(struct ip_fw_chain *ch, int first)
304{
305	int error;
306
307	error = create_eaction_obj(ch, default_eaction,
308	    default_eaction_typename, NULL);
309	if (error != 0)
310		return (error);
311	IPFW_ADD_OBJ_REWRITER(first, eaction_opcodes);
312	EACTION_DEBUG("External actions support initialized");
313	return (0);
314}
315
316void
317ipfw_eaction_uninit(struct ip_fw_chain *ch, int last)
318{
319	struct namedobj_instance *ni;
320	struct named_object *no;
321
322	ni = CHAIN_TO_SRV(ch);
323
324	IPFW_UH_WLOCK(ch);
325	no = ipfw_objhash_lookup_name_type(ni, 0, IPFW_TLV_EACTION,
326	    default_eaction_typename);
327	if (no != NULL)
328		destroy_eaction_obj(ch, no);
329	IPFW_UH_WUNLOCK(ch);
330	IPFW_DEL_OBJ_REWRITER(last, eaction_opcodes);
331	EACTION_DEBUG("External actions support uninitialized");
332}
333
334/*
335 * Registers external action handler to the global array.
336 * On success it returns eaction id, otherwise - zero.
337 */
338uint16_t
339ipfw_add_eaction(struct ip_fw_chain *ch, ipfw_eaction_t handler,
340    const char *name)
341{
342	uint16_t eaction_id;
343
344	eaction_id = 0;
345	if (ipfw_check_object_name_generic(name) == 0) {
346		create_eaction_obj(ch, handler, name, &eaction_id);
347		EACTION_DEBUG("Registered external action '%s' with id %u",
348		    name, eaction_id);
349	}
350	return (eaction_id);
351}
352
353/*
354 * Deregisters external action handler with id eaction_id.
355 */
356int
357ipfw_del_eaction(struct ip_fw_chain *ch, uint16_t eaction_id)
358{
359	struct named_object *no;
360
361	IPFW_UH_WLOCK(ch);
362	no = ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), eaction_id);
363	if (no == NULL || no->etlv != IPFW_TLV_EACTION) {
364		IPFW_UH_WUNLOCK(ch);
365		return (EINVAL);
366	}
367	reset_eaction_rules(ch, eaction_id, 0, (no->refcnt > 1));
368	EACTION_DEBUG("External action '%s' with id %u unregistered",
369	    no->name, eaction_id);
370	destroy_eaction_obj(ch, no);
371	IPFW_UH_WUNLOCK(ch);
372	return (0);
373}
374
375int
376ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_fw *rule,
377    uint16_t eaction_id, uint16_t default_id, uint16_t instance_id)
378{
379	ipfw_insn *cmd, *icmd;
380	int l;
381
382	IPFW_UH_WLOCK_ASSERT(ch);
383	IPFW_WLOCK_ASSERT(ch);
384
385	/*
386	 * Return if there is not O_EXTERNAL_ACTION or its id is
387	 * different.
388	 */
389	cmd = ipfw_get_action(rule);
390	if (cmd->opcode != O_EXTERNAL_ACTION ||
391	    cmd->arg1 != eaction_id)
392		return (0);
393	/*
394	 * If instance_id is specified, we need to truncate the
395	 * rule length. Check if there is O_EXTERNAL_INSTANCE opcode.
396	 *
397	 * NOTE: F_LEN(cmd) must be 1 for O_EXTERNAL_ACTION opcode,
398	 *  and rule length should be enough to keep O_EXTERNAL_INSTANCE
399	 *  opcode, thus we do check for l > 1.
400	 */
401	l = rule->cmd + rule->cmd_len - cmd;
402	if (instance_id != 0 && l > 1) {
403		MPASS(F_LEN(cmd) == 1);
404		icmd = cmd + 1;
405		if (icmd->opcode != O_EXTERNAL_INSTANCE ||
406		    icmd->arg1 != instance_id)
407			return (0);
408		/*
409		 * Since named_object related to this instance will be
410		 * destroyed, truncate the chain of opcodes to remove
411		 * the rest of cmd chain just after O_EXTERNAL_ACTION
412		 * opcode.
413		 */
414		EACTION_DEBUG("truncate rule %d: len %u -> %u",
415		    rule->rulenum, rule->cmd_len,
416		    rule->cmd_len - F_LEN(icmd));
417		rule->cmd_len -= F_LEN(icmd);
418		MPASS(((uint32_t *)icmd -
419		    (uint32_t *)rule->cmd) == rule->cmd_len);
420	}
421
422	cmd->arg1 = default_id; /* Set to default id */
423	/*
424	 * Return 1 when reset successfully happened.
425	 */
426	return (1);
427}
428
429/*
430 * This function should be called before external action instance is
431 * destroyed. It will reset eaction_id to default_id for rules, where
432 * eaction has instance with id == kidx.
433 */
434int
435ipfw_reset_eaction_instance(struct ip_fw_chain *ch, uint16_t eaction_id,
436    uint16_t kidx)
437{
438	struct named_object *no;
439
440	IPFW_UH_WLOCK_ASSERT(ch);
441	no = ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), eaction_id);
442	if (no == NULL || no->etlv != IPFW_TLV_EACTION)
443		return (EINVAL);
444
445	reset_eaction_rules(ch, eaction_id, kidx, 0);
446	return (0);
447}
448
449int
450ipfw_run_eaction(struct ip_fw_chain *ch, struct ip_fw_args *args,
451    ipfw_insn *cmd, int *done)
452{
453
454	return (EACTION_OBJ(ch, cmd)->handler(ch, args, cmd, done));
455}
456