ip_fw_pfil.c revision 204591
1/*- 2 * Copyright (c) 2004 Andre Oppermann, Internet Business Solutions AG 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27#include <sys/cdefs.h> 28__FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw_pfil.c 204591 2010-03-02 17:40:48Z luigi $"); 29 30#if !defined(KLD_MODULE) 31#include "opt_ipfw.h" 32#include "opt_ipdn.h" 33#include "opt_inet.h" 34#ifndef INET 35#error IPFIREWALL requires INET. 36#endif /* INET */ 37#endif /* KLD_MODULE */ 38#include "opt_inet6.h" 39 40#include <sys/param.h> 41#include <sys/systm.h> 42#include <sys/malloc.h> 43#include <sys/mbuf.h> 44#include <sys/module.h> 45#include <sys/kernel.h> 46#include <sys/lock.h> 47#include <sys/rwlock.h> 48#include <sys/socket.h> 49#include <sys/sysctl.h> 50 51#include <net/if.h> 52#include <net/route.h> 53#include <net/pfil.h> 54#include <net/vnet.h> 55 56#include <netinet/in.h> 57#include <netinet/in_systm.h> 58#include <netinet/ip.h> 59#include <netinet/ip_var.h> 60#include <netinet/ip_fw.h> 61#include <netinet/ipfw/ip_fw_private.h> 62#include <netgraph/ng_ipfw.h> 63 64#include <machine/in_cksum.h> 65 66static VNET_DEFINE(int, fw_enable) = 1; 67#define V_fw_enable VNET(fw_enable) 68 69#ifdef INET6 70static VNET_DEFINE(int, fw6_enable) = 1; 71#define V_fw6_enable VNET(fw6_enable) 72#endif 73 74int ipfw_chg_hook(SYSCTL_HANDLER_ARGS); 75 76/* Forward declarations. */ 77static int ipfw_divert(struct mbuf **, int, struct ipfw_rule_ref *, int); 78 79#ifdef SYSCTL_NODE 80 81SYSBEGIN(f1) 82 83SYSCTL_DECL(_net_inet_ip_fw); 84SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable, 85 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0, 86 ipfw_chg_hook, "I", "Enable ipfw"); 87#ifdef INET6 88SYSCTL_DECL(_net_inet6_ip6_fw); 89SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable, 90 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0, 91 ipfw_chg_hook, "I", "Enable ipfw+6"); 92#endif /* INET6 */ 93 94SYSEND 95 96#endif /* SYSCTL_NODE */ 97 98/* 99 * The pfilter hook to pass packets to ipfw_chk and then to 100 * dummynet, divert, netgraph or other modules. 101 * The packet may be consumed. 102 */ 103int 104ipfw_check_hook(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, 105 struct inpcb *inp) 106{ 107 struct ip_fw_args args; 108 struct m_tag *tag; 109 int ipfw; 110 int ret; 111 112 /* all the processing now uses ip_len in net format */ 113 if (mtod(*m0, struct ip *)->ip_v == 4) 114 SET_NET_IPLEN(mtod(*m0, struct ip *)); 115 116 /* convert dir to IPFW values */ 117 dir = (dir == PFIL_IN) ? DIR_IN : DIR_OUT; 118 bzero(&args, sizeof(args)); 119 120again: 121 /* 122 * extract and remove the tag if present. If we are left 123 * with onepass, optimize the outgoing path. 124 */ 125 tag = m_tag_locate(*m0, MTAG_IPFW_RULE, 0, NULL); 126 if (tag != NULL) { 127 args.rule = *((struct ipfw_rule_ref *)(tag+1)); 128 m_tag_delete(*m0, tag); 129 if (args.rule.info & IPFW_ONEPASS) { 130 SET_HOST_IPLEN(mtod(*m0, struct ip *)); 131 return 0; 132 } 133 } 134 135 args.m = *m0; 136 args.oif = dir == DIR_OUT ? ifp : NULL; 137 args.inp = inp; 138 139 ipfw = ipfw_chk(&args); 140 *m0 = args.m; 141 142 KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL", 143 __func__)); 144 145 /* breaking out of the switch means drop */ 146 ret = 0; /* default return value for pass */ 147 switch (ipfw) { 148 case IP_FW_PASS: 149 /* next_hop may be set by ipfw_chk */ 150 if (args.next_hop == NULL) 151 break; /* pass */ 152#ifndef IPFIREWALL_FORWARD 153 ret = EACCES; 154#else 155 { 156 struct m_tag *fwd_tag; 157 158 /* Incoming packets should not be tagged so we do not 159 * m_tag_find. Outgoing packets may be tagged, so we 160 * reuse the tag if present. 161 */ 162 fwd_tag = (dir == DIR_IN) ? NULL : 163 m_tag_find(*m0, PACKET_TAG_IPFORWARD, NULL); 164 if (fwd_tag != NULL) { 165 m_tag_unlink(*m0, fwd_tag); 166 } else { 167 fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD, 168 sizeof(struct sockaddr_in), M_NOWAIT); 169 if (fwd_tag == NULL) { 170 ret = EACCES; 171 break; /* i.e. drop */ 172 } 173 } 174 bcopy(args.next_hop, (fwd_tag+1), sizeof(struct sockaddr_in)); 175 m_tag_prepend(*m0, fwd_tag); 176 177 if (in_localip(args.next_hop->sin_addr)) 178 (*m0)->m_flags |= M_FASTFWD_OURS; 179 } 180#endif 181 break; 182 183 case IP_FW_DENY: 184 ret = EACCES; 185 break; /* i.e. drop */ 186 187 case IP_FW_DUMMYNET: 188 ret = EACCES; 189 if (ip_dn_io_ptr == NULL) 190 break; /* i.e. drop */ 191 if (mtod(*m0, struct ip *)->ip_v == 4) 192 ret = ip_dn_io_ptr(m0, dir, &args); 193 else if (mtod(*m0, struct ip *)->ip_v == 6) 194 ret = ip_dn_io_ptr(m0, dir | PROTO_IPV6, &args); 195 else 196 break; /* drop it */ 197 /* 198 * XXX should read the return value. 199 * dummynet normally eats the packet and sets *m0=NULL 200 * unless the packet can be sent immediately. In this 201 * case args is updated and we should re-run the 202 * check without clearing args. 203 */ 204 if (*m0 != NULL) 205 goto again; 206 break; 207 208 case IP_FW_TEE: 209 case IP_FW_DIVERT: 210 if (ip_divert_ptr == NULL) { 211 ret = EACCES; 212 break; /* i.e. drop */ 213 } 214 ret = ipfw_divert(m0, dir, &args.rule, 215 (ipfw == IP_FW_TEE) ? 1 : 0); 216 /* continue processing for the original packet (tee). */ 217 if (*m0) 218 goto again; 219 break; 220 221 case IP_FW_NGTEE: 222 case IP_FW_NETGRAPH: 223 if (ng_ipfw_input_p == NULL) { 224 ret = EACCES; 225 break; /* i.e. drop */ 226 } 227 ret = ng_ipfw_input_p(m0, dir, &args, 228 (ipfw == IP_FW_NGTEE) ? 1 : 0); 229 if (ipfw == IP_FW_NGTEE) /* ignore errors for NGTEE */ 230 goto again; /* continue with packet */ 231 break; 232 233 case IP_FW_NAT: 234 case IP_FW_REASS: 235 goto again; /* continue with packet */ 236 237 default: 238 KASSERT(0, ("%s: unknown retval", __func__)); 239 } 240 241 if (ret != 0) { 242 if (*m0) 243 FREE_PKT(*m0); 244 *m0 = NULL; 245 } 246 if (*m0 && mtod(*m0, struct ip *)->ip_v == 4) 247 SET_HOST_IPLEN(mtod(*m0, struct ip *)); 248 return ret; 249} 250 251/* do the divert, return 1 on error 0 on success */ 252static int 253ipfw_divert(struct mbuf **m0, int incoming, struct ipfw_rule_ref *rule, 254 int tee) 255{ 256 /* 257 * ipfw_chk() has already tagged the packet with the divert tag. 258 * If tee is set, copy packet and return original. 259 * If not tee, consume packet and send it to divert socket. 260 */ 261 struct mbuf *clone; 262 struct ip *ip; 263 struct m_tag *tag; 264 265 /* Cloning needed for tee? */ 266 if (tee == 0) { 267 clone = *m0; /* use the original mbuf */ 268 *m0 = NULL; 269 } else { 270 clone = m_dup(*m0, M_DONTWAIT); 271 /* If we cannot duplicate the mbuf, we sacrifice the divert 272 * chain and continue with the tee-ed packet. 273 */ 274 if (clone == NULL) 275 return 1; 276 } 277 278 /* 279 * Divert listeners can normally handle non-fragmented packets, 280 * but we can only reass in the non-tee case. 281 * This means that listeners on a tee rule may get fragments, 282 * and have to live with that. 283 * Note that we now have the 'reass' ipfw option so if we care 284 * we can do it before a 'tee'. 285 */ 286 ip = mtod(clone, struct ip *); 287 if (!tee && ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) { 288 int hlen; 289 struct mbuf *reass; 290 291 SET_HOST_IPLEN(ip); /* ip_reass wants host order */ 292 reass = ip_reass(clone); /* Reassemble packet. */ 293 if (reass == NULL) 294 return 0; /* not an error */ 295 /* if reass = NULL then it was consumed by ip_reass */ 296 /* 297 * IP header checksum fixup after reassembly and leave header 298 * in network byte order. 299 */ 300 ip = mtod(reass, struct ip *); 301 hlen = ip->ip_hl << 2; 302 SET_NET_IPLEN(ip); 303 ip->ip_sum = 0; 304 if (hlen == sizeof(struct ip)) 305 ip->ip_sum = in_cksum_hdr(ip); 306 else 307 ip->ip_sum = in_cksum(reass, hlen); 308 clone = reass; 309 } 310 /* attach a tag to the packet with the reinject info */ 311 tag = m_tag_alloc(MTAG_IPFW_RULE, 0, 312 sizeof(struct ipfw_rule_ref), M_NOWAIT); 313 if (tag == NULL) { 314 FREE_PKT(clone); 315 return 1; 316 } 317 *((struct ipfw_rule_ref *)(tag+1)) = *rule; 318 m_tag_prepend(clone, tag); 319 320 /* Do the dirty job... */ 321 ip_divert_ptr(clone, incoming); 322 return 0; 323} 324 325/* 326 * attach or detach hooks for a given protocol family 327 */ 328static int 329ipfw_hook(int onoff, int pf) 330{ 331 struct pfil_head *pfh; 332 333 pfh = pfil_head_get(PFIL_TYPE_AF, pf); 334 if (pfh == NULL) 335 return ENOENT; 336 337 (void) (onoff ? pfil_add_hook : pfil_remove_hook) 338 (ipfw_check_hook, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh); 339 340 return 0; 341} 342 343int 344ipfw_attach_hooks(int arg) 345{ 346 int error = 0; 347 348 if (arg == 0) /* detach */ 349 ipfw_hook(0, AF_INET); 350 else if (V_fw_enable && ipfw_hook(1, AF_INET) != 0) { 351 error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */ 352 printf("ipfw_hook() error\n"); 353 } 354#ifdef INET6 355 if (arg == 0) /* detach */ 356 ipfw_hook(0, AF_INET6); 357 else if (V_fw6_enable && ipfw_hook(1, AF_INET6) != 0) { 358 error = ENOENT; 359 printf("ipfw6_hook() error\n"); 360 } 361#endif 362 return error; 363} 364 365int 366ipfw_chg_hook(SYSCTL_HANDLER_ARGS) 367{ 368 int enable; 369 int oldenable; 370 int error; 371 int af; 372 373 if (arg1 == &VNET_NAME(fw_enable)) { 374 enable = V_fw_enable; 375 af = AF_INET; 376 } 377#ifdef INET6 378 else if (arg1 == &VNET_NAME(fw6_enable)) { 379 enable = V_fw6_enable; 380 af = AF_INET6; 381 } 382#endif 383 else 384 return (EINVAL); 385 386 oldenable = enable; 387 388 error = sysctl_handle_int(oidp, &enable, 0, req); 389 390 if (error) 391 return (error); 392 393 enable = (enable) ? 1 : 0; 394 395 if (enable == oldenable) 396 return (0); 397 398 error = ipfw_hook(enable, af); 399 if (error) 400 return (error); 401 if (af == AF_INET) 402 V_fw_enable = enable; 403#ifdef INET6 404 else if (af == AF_INET6) 405 V_fw6_enable = enable; 406#endif 407 408 return (0); 409} 410/* end of file */ 411