ip_fw_pfil.c revision 204591 
1/*-
2 * Copyright (c) 2004 Andre Oppermann, Internet Business Solutions AG
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
28__FBSDID("$FreeBSD: head/sys/netinet/ipfw/ip_fw_pfil.c 204591 2010-03-02 17:40:48Z luigi $");
29
30#if !defined(KLD_MODULE)
31#include "opt_ipfw.h"
32#include "opt_ipdn.h"
33#include "opt_inet.h"
34#ifndef INET
35#error IPFIREWALL requires INET.
36#endif /* INET */
37#endif /* KLD_MODULE */
38#include "opt_inet6.h"
39
40#include <sys/param.h>
41#include <sys/systm.h>
42#include <sys/malloc.h>
43#include <sys/mbuf.h>
44#include <sys/module.h>
45#include <sys/kernel.h>
46#include <sys/lock.h>
47#include <sys/rwlock.h>
48#include <sys/socket.h>
49#include <sys/sysctl.h>
50
51#include <net/if.h>
52#include <net/route.h>
53#include <net/pfil.h>
54#include <net/vnet.h>
55
56#include <netinet/in.h>
57#include <netinet/in_systm.h>
58#include <netinet/ip.h>
59#include <netinet/ip_var.h>
60#include <netinet/ip_fw.h>
61#include <netinet/ipfw/ip_fw_private.h>
62#include <netgraph/ng_ipfw.h>
63
64#include <machine/in_cksum.h>
65
66static VNET_DEFINE(int, fw_enable) = 1;
67#define V_fw_enable	VNET(fw_enable)
68
69#ifdef INET6
70static VNET_DEFINE(int, fw6_enable) = 1;
71#define V_fw6_enable	VNET(fw6_enable)
72#endif
73
74int ipfw_chg_hook(SYSCTL_HANDLER_ARGS);
75
76/* Forward declarations. */
77static int ipfw_divert(struct mbuf **, int, struct ipfw_rule_ref *, int);
78
79#ifdef SYSCTL_NODE
80
81SYSBEGIN(f1)
82
83SYSCTL_DECL(_net_inet_ip_fw);
84SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable,
85    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0,
86    ipfw_chg_hook, "I", "Enable ipfw");
87#ifdef INET6
88SYSCTL_DECL(_net_inet6_ip6_fw);
89SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable,
90    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0,
91    ipfw_chg_hook, "I", "Enable ipfw+6");
92#endif /* INET6 */
93
94SYSEND
95
96#endif /* SYSCTL_NODE */
97
98/*
99 * The pfilter hook to pass packets to ipfw_chk and then to
100 * dummynet, divert, netgraph or other modules.
101 * The packet may be consumed.
102 */
103int
104ipfw_check_hook(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir,
105    struct inpcb *inp)
106{
107	struct ip_fw_args args;
108	struct m_tag *tag;
109	int ipfw;
110	int ret;
111
112	/* all the processing now uses ip_len in net format */
113	if (mtod(*m0, struct ip *)->ip_v == 4)
114		SET_NET_IPLEN(mtod(*m0, struct ip *));
115
116	/* convert dir to IPFW values */
117	dir = (dir == PFIL_IN) ? DIR_IN : DIR_OUT;
118	bzero(&args, sizeof(args));
119
120again:
121	/*
122	 * extract and remove the tag if present. If we are left
123	 * with onepass, optimize the outgoing path.
124	 */
125	tag = m_tag_locate(*m0, MTAG_IPFW_RULE, 0, NULL);
126	if (tag != NULL) {
127		args.rule = *((struct ipfw_rule_ref *)(tag+1));
128		m_tag_delete(*m0, tag);
129		if (args.rule.info & IPFW_ONEPASS) {
130			SET_HOST_IPLEN(mtod(*m0, struct ip *));
131			return 0;
132		}
133	}
134
135	args.m = *m0;
136	args.oif = dir == DIR_OUT ? ifp : NULL;
137	args.inp = inp;
138
139	ipfw = ipfw_chk(&args);
140	*m0 = args.m;
141
142	KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL",
143	    __func__));
144
145	/* breaking out of the switch means drop */
146	ret = 0;	/* default return value for pass */
147	switch (ipfw) {
148	case IP_FW_PASS:
149		/* next_hop may be set by ipfw_chk */
150                if (args.next_hop == NULL)
151                        break; /* pass */
152#ifndef IPFIREWALL_FORWARD
153		ret = EACCES;
154#else
155	    {
156		struct m_tag *fwd_tag;
157
158		/* Incoming packets should not be tagged so we do not
159		 * m_tag_find. Outgoing packets may be tagged, so we
160		 * reuse the tag if present.
161		 */
162		fwd_tag = (dir == DIR_IN) ? NULL :
163			m_tag_find(*m0, PACKET_TAG_IPFORWARD, NULL);
164		if (fwd_tag != NULL) {
165			m_tag_unlink(*m0, fwd_tag);
166		} else {
167			fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD,
168				sizeof(struct sockaddr_in), M_NOWAIT);
169			if (fwd_tag == NULL) {
170				ret = EACCES;
171				break; /* i.e. drop */
172			}
173		}
174		bcopy(args.next_hop, (fwd_tag+1), sizeof(struct sockaddr_in));
175		m_tag_prepend(*m0, fwd_tag);
176
177		if (in_localip(args.next_hop->sin_addr))
178			(*m0)->m_flags |= M_FASTFWD_OURS;
179	    }
180#endif
181		break;
182
183	case IP_FW_DENY:
184		ret = EACCES;
185		break; /* i.e. drop */
186
187	case IP_FW_DUMMYNET:
188		ret = EACCES;
189		if (ip_dn_io_ptr == NULL)
190			break; /* i.e. drop */
191		if (mtod(*m0, struct ip *)->ip_v == 4)
192			ret = ip_dn_io_ptr(m0, dir, &args);
193		else if (mtod(*m0, struct ip *)->ip_v == 6)
194			ret = ip_dn_io_ptr(m0, dir | PROTO_IPV6, &args);
195		else
196			break; /* drop it */
197		/*
198		 * XXX should read the return value.
199		 * dummynet normally eats the packet and sets *m0=NULL
200		 * unless the packet can be sent immediately. In this
201		 * case args is updated and we should re-run the
202		 * check without clearing args.
203		 */
204		if (*m0 != NULL)
205			goto again;
206		break;
207
208	case IP_FW_TEE:
209	case IP_FW_DIVERT:
210		if (ip_divert_ptr == NULL) {
211			ret = EACCES;
212			break; /* i.e. drop */
213		}
214		ret = ipfw_divert(m0, dir, &args.rule,
215			(ipfw == IP_FW_TEE) ? 1 : 0);
216		/* continue processing for the original packet (tee). */
217		if (*m0)
218			goto again;
219		break;
220
221	case IP_FW_NGTEE:
222	case IP_FW_NETGRAPH:
223		if (ng_ipfw_input_p == NULL) {
224			ret = EACCES;
225			break; /* i.e. drop */
226		}
227		ret = ng_ipfw_input_p(m0, dir, &args,
228			(ipfw == IP_FW_NGTEE) ? 1 : 0);
229		if (ipfw == IP_FW_NGTEE) /* ignore errors for NGTEE */
230			goto again;	/* continue with packet */
231		break;
232
233	case IP_FW_NAT:
234	case IP_FW_REASS:
235		goto again;		/* continue with packet */
236
237	default:
238		KASSERT(0, ("%s: unknown retval", __func__));
239	}
240
241	if (ret != 0) {
242		if (*m0)
243			FREE_PKT(*m0);
244		*m0 = NULL;
245	}
246	if (*m0 && mtod(*m0, struct ip *)->ip_v == 4)
247		SET_HOST_IPLEN(mtod(*m0, struct ip *));
248	return ret;
249}
250
251/* do the divert, return 1 on error 0 on success */
252static int
253ipfw_divert(struct mbuf **m0, int incoming, struct ipfw_rule_ref *rule,
254	int tee)
255{
256	/*
257	 * ipfw_chk() has already tagged the packet with the divert tag.
258	 * If tee is set, copy packet and return original.
259	 * If not tee, consume packet and send it to divert socket.
260	 */
261	struct mbuf *clone;
262	struct ip *ip;
263	struct m_tag *tag;
264
265	/* Cloning needed for tee? */
266	if (tee == 0) {
267		clone = *m0;	/* use the original mbuf */
268		*m0 = NULL;
269	} else {
270		clone = m_dup(*m0, M_DONTWAIT);
271		/* If we cannot duplicate the mbuf, we sacrifice the divert
272		 * chain and continue with the tee-ed packet.
273		 */
274		if (clone == NULL)
275			return 1;
276	}
277
278	/*
279	 * Divert listeners can normally handle non-fragmented packets,
280	 * but we can only reass in the non-tee case.
281	 * This means that listeners on a tee rule may get fragments,
282	 * and have to live with that.
283	 * Note that we now have the 'reass' ipfw option so if we care
284	 * we can do it before a 'tee'.
285	 */
286	ip = mtod(clone, struct ip *);
287	if (!tee && ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) {
288		int hlen;
289		struct mbuf *reass;
290
291		SET_HOST_IPLEN(ip); /* ip_reass wants host order */
292		reass = ip_reass(clone); /* Reassemble packet. */
293		if (reass == NULL)
294			return 0; /* not an error */
295		/* if reass = NULL then it was consumed by ip_reass */
296		/*
297		 * IP header checksum fixup after reassembly and leave header
298		 * in network byte order.
299		 */
300		ip = mtod(reass, struct ip *);
301		hlen = ip->ip_hl << 2;
302		SET_NET_IPLEN(ip);
303		ip->ip_sum = 0;
304		if (hlen == sizeof(struct ip))
305			ip->ip_sum = in_cksum_hdr(ip);
306		else
307			ip->ip_sum = in_cksum(reass, hlen);
308		clone = reass;
309	}
310	/* attach a tag to the packet with the reinject info */
311	tag = m_tag_alloc(MTAG_IPFW_RULE, 0,
312		    sizeof(struct ipfw_rule_ref), M_NOWAIT);
313	if (tag == NULL) {
314		FREE_PKT(clone);
315		return 1;
316	}
317	*((struct ipfw_rule_ref *)(tag+1)) = *rule;
318	m_tag_prepend(clone, tag);
319
320	/* Do the dirty job... */
321	ip_divert_ptr(clone, incoming);
322	return 0;
323}
324
325/*
326 * attach or detach hooks for a given protocol family
327 */
328static int
329ipfw_hook(int onoff, int pf)
330{
331	struct pfil_head *pfh;
332
333	pfh = pfil_head_get(PFIL_TYPE_AF, pf);
334	if (pfh == NULL)
335		return ENOENT;
336
337	(void) (onoff ? pfil_add_hook : pfil_remove_hook)
338	    (ipfw_check_hook, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh);
339
340	return 0;
341}
342
343int
344ipfw_attach_hooks(int arg)
345{
346	int error = 0;
347
348	if (arg == 0) /* detach */
349		ipfw_hook(0, AF_INET);
350        else if (V_fw_enable && ipfw_hook(1, AF_INET) != 0) {
351                error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */
352                printf("ipfw_hook() error\n");
353        }
354#ifdef INET6
355	if (arg == 0) /* detach */
356		ipfw_hook(0, AF_INET6);
357        else if (V_fw6_enable && ipfw_hook(1, AF_INET6) != 0) {
358                error = ENOENT;
359                printf("ipfw6_hook() error\n");
360        }
361#endif
362	return error;
363}
364
365int
366ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
367{
368	int enable;
369	int oldenable;
370	int error;
371	int af;
372
373	if (arg1 == &VNET_NAME(fw_enable)) {
374		enable = V_fw_enable;
375		af = AF_INET;
376	}
377#ifdef INET6
378	else if (arg1 == &VNET_NAME(fw6_enable)) {
379		enable = V_fw6_enable;
380		af = AF_INET6;
381	}
382#endif
383	else
384		return (EINVAL);
385
386	oldenable = enable;
387
388	error = sysctl_handle_int(oidp, &enable, 0, req);
389
390	if (error)
391		return (error);
392
393	enable = (enable) ? 1 : 0;
394
395	if (enable == oldenable)
396		return (0);
397
398	error = ipfw_hook(enable, af);
399	if (error)
400		return (error);
401	if (af == AF_INET)
402		V_fw_enable = enable;
403#ifdef INET6
404	else if (af == AF_INET6)
405		V_fw6_enable = enable;
406#endif
407
408	return (0);
409}
410/* end of file */
411