1/* 2 * Copyright (c) 2003-2012 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28 29/* $FreeBSD: src/sys/netinet6/ip6_fw.c,v 1.2.2.9 2002/04/28 05:40:27 suz Exp $ */ 30/* $KAME: ip6_fw.c,v 1.21 2001/01/24 01:25:32 itojun Exp $ */ 31 32/* 33 * Copyright (C) 1998, 1999, 2000 and 2001 WIDE Project. 34 * All rights reserved. 35 * 36 * Redistribution and use in source and binary forms, with or without 37 * modification, are permitted provided that the following conditions 38 * are met: 39 * 1. Redistributions of source code must retain the above copyright 40 * notice, this list of conditions and the following disclaimer. 41 * 2. Redistributions in binary form must reproduce the above copyright 42 * notice, this list of conditions and the following disclaimer in the 43 * documentation and/or other materials provided with the distribution. 44 * 3. Neither the name of the project nor the names of its contributors 45 * may be used to endorse or promote products derived from this software 46 * without specific prior written permission. 47 * 48 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 51 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 58 * SUCH DAMAGE. 59 */ 60 61/* 62 * Copyright (c) 1993 Daniel Boulet 63 * Copyright (c) 1994 Ugen J.S.Antsilevich 64 * Copyright (c) 1996 Alex Nash 65 * 66 * Redistribution and use in source forms, with and without modification, 67 * are permitted provided that this entire comment appears intact. 68 * 69 * Redistribution in binary form may occur without any restrictions. 70 * Obviously, it would be nice if you gave credit where credit is due 71 * but requiring it would be too onerous. 72 * 73 * This software is provided ``AS IS'' without any warranties of any kind. 74 */ 75 76/* 77 * Implement IPv6 packet firewall 78 */ 79 80 81#ifdef IP6DIVERT 82#error "NOT SUPPORTED IPV6 DIVERT" 83#endif 84#ifdef IP6FW_DIVERT_RESTART 85#error "NOT SUPPORTED IPV6 DIVERT" 86#endif 87 88#include <string.h> 89#include <machine/spl.h> 90 91#include <sys/param.h> 92#include <sys/systm.h> 93#include <sys/malloc.h> 94#include <sys/mbuf.h> 95#include <sys/queue.h> 96#include <sys/kernel.h> 97#include <sys/socket.h> 98#include <sys/socketvar.h> 99#include <sys/syslog.h> 100#include <sys/lock.h> 101#include <sys/time.h> 102#include <sys/kern_event.h> 103 104#include <net/if.h> 105#include <net/route.h> 106#include <netinet/in_systm.h> 107#include <netinet/in.h> 108#include <netinet/ip.h> 109 110#include <netinet/ip6.h> 111#include <netinet6/ip6_var.h> 112#include <netinet6/in6_var.h> 113#include <netinet/icmp6.h> 114 115#include <netinet/in_pcb.h> 116 117#include <netinet6/ip6_fw.h> 118#include <netinet/ip_var.h> 119#include <netinet/tcp.h> 120#include <netinet/tcp_seq.h> 121#include <netinet/tcp_timer.h> 122#include <netinet/tcp_var.h> 123#include <netinet/udp.h> 124 125#include <sys/sysctl.h> 126 127#include <net/net_osdep.h> 128 129MALLOC_DEFINE(M_IP6FW, "Ip6Fw/Ip6Acct", "Ip6Fw/Ip6Acct chain's"); 130 131static int fw6_debug = 0; 132#ifdef IPV6FIREWALL_VERBOSE 133static int fw6_verbose = 1; 134#else 135static int fw6_verbose = 0; 136#endif 137#ifdef IPV6FIREWALL_VERBOSE_LIMIT 138static int fw6_verbose_limit = IPV6FIREWALL_VERBOSE_LIMIT; 139#else 140static int fw6_verbose_limit = 0; 141#endif 142 143LIST_HEAD (ip6_fw_head, ip6_fw_chain) ip6_fw_chain; 144 145static void ip6fw_kev_post_msg(u_int32_t ); 146 147#ifdef SYSCTL_NODE 148static int ip6fw_sysctl SYSCTL_HANDLER_ARGS; 149 150SYSCTL_DECL(_net_inet6_ip6); 151SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW|CTLFLAG_LOCKED, 0, "Firewall"); 152SYSCTL_PROC(_net_inet6_ip6_fw, OID_AUTO, enable, 153 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, 154 &ip6_fw_enable, 0, ip6fw_sysctl, "I", "Enable ip6fw"); 155SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, debug, CTLFLAG_RW | CTLFLAG_LOCKED, &fw6_debug, 0, ""); 156SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose, CTLFLAG_RW | CTLFLAG_LOCKED, &fw6_verbose, 0, ""); 157SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose_limit, CTLFLAG_RW | CTLFLAG_LOCKED, &fw6_verbose_limit, 0, ""); 158 159static int 160ip6fw_sysctl SYSCTL_HANDLER_ARGS 161{ 162#pragma unused(arg1, arg2) 163 int error; 164 165 error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req); 166 if (error || !req->newptr) 167 return (error); 168 169 ip6fw_kev_post_msg(KEV_IP6FW_ENABLE); 170 171 return error; 172} 173 174#endif 175 176#define dprintf(a) do { \ 177 if (fw6_debug) \ 178 printf a; \ 179 } while (0) 180#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0 181 182static int add_entry6 __P((struct ip6_fw_head *chainptr, struct ip6_fw *frwl)); 183static int del_entry6 __P((struct ip6_fw_head *chainptr, u_short number)); 184static int zero_entry6 __P((struct ip6_fw *frwl)); 185static struct ip6_fw *check_ip6fw_struct __P((struct ip6_fw *m)); 186static int ip6opts_match __P((struct ip6_hdr **ip6, struct ip6_fw *f, 187 struct mbuf **m, 188 int *off, int *nxt, u_short *offset)); 189static int port_match6 __P((u_short *portptr, int nports, u_short port, 190 int range_flag)); 191static int tcp6flg_match __P((struct tcphdr *tcp6, struct ip6_fw *f)); 192static int icmp6type_match __P((struct icmp6_hdr * icmp, struct ip6_fw * f)); 193static void ip6fw_report __P((struct ip6_fw *f, struct ip6_hdr *ip6, 194 struct ifnet *rif, struct ifnet *oif, int off, int nxt)); 195 196static int ip6_fw_chk __P((struct ip6_hdr **pip6, 197 struct ifnet *oif, u_int16_t *cookie, struct mbuf **m)); 198static int ip6_fw_ctl __P((struct sockopt *)); 199static void cp_to_user_64( struct ip6_fw_64 *userrule_64, struct ip6_fw *rule); 200static void cp_from_user_64( struct ip6_fw_64 *userrule_64, struct ip6_fw *rule); 201static void cp_to_user_32( struct ip6_fw_32 *userrule_32, struct ip6_fw *rule); 202static void cp_from_user_32( struct ip6_fw_32 *userrule_32, struct ip6_fw *rule); 203 204static char err_prefix[] = "ip6_fw_ctl:"; 205 206/* 207 * Returns 1 if the port is matched by the vector, 0 otherwise 208 */ 209static 210__inline int 211port_match6(u_short *portptr, int nports, u_short port, int range_flag) 212{ 213 if (!nports) 214 return 1; 215 if (range_flag) { 216 if (portptr[0] <= port && port <= portptr[1]) { 217 return 1; 218 } 219 nports -= 2; 220 portptr += 2; 221 } 222 while (nports-- > 0) { 223 if (*portptr++ == port) { 224 return 1; 225 } 226 } 227 return 0; 228} 229 230static int 231tcp6flg_match(struct tcphdr *tcp6, struct ip6_fw *f) 232{ 233 u_char flg_set, flg_clr; 234 235 /* 236 * If an established connection is required, reject packets that 237 * have only SYN of RST|ACK|SYN set. Otherwise, fall through to 238 * other flag requirements. 239 */ 240 if ((f->fw_ipflg & IPV6_FW_IF_TCPEST) && 241 ((tcp6->th_flags & (IPV6_FW_TCPF_RST | IPV6_FW_TCPF_ACK | 242 IPV6_FW_TCPF_SYN)) == IPV6_FW_TCPF_SYN)) 243 return 0; 244 245 flg_set = tcp6->th_flags & f->fw_tcpf; 246 flg_clr = tcp6->th_flags & f->fw_tcpnf; 247 248 if (flg_set != f->fw_tcpf) 249 return 0; 250 if (flg_clr) 251 return 0; 252 253 return 1; 254} 255 256static int 257icmp6type_match(struct icmp6_hdr *icmp6, struct ip6_fw *f) 258{ 259 int type; 260 261 if (!(f->fw_flg & IPV6_FW_F_ICMPBIT)) 262 return(1); 263 264 type = icmp6->icmp6_type; 265 266 /* check for matching type in the bitmap */ 267 if (type < IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8 && 268 (f->fw_icmp6types[type / (sizeof(unsigned) * 8)] & 269 (1U << (type % (8 * sizeof(unsigned)))))) 270 return(1); 271 272 return(0); /* no match */ 273} 274 275static int 276is_icmp6_query(struct ip6_hdr *ip6, int off) 277{ 278 const struct icmp6_hdr *icmp6; 279 int icmp6_type; 280 281 icmp6 = (struct icmp6_hdr *)((caddr_t)ip6 + off); 282 icmp6_type = icmp6->icmp6_type; 283 284 if (icmp6_type == ICMP6_ECHO_REQUEST || 285 icmp6_type == ICMP6_MEMBERSHIP_QUERY || 286 icmp6_type == ICMP6_WRUREQUEST || 287 icmp6_type == ICMP6_FQDN_QUERY || 288 icmp6_type == ICMP6_NI_QUERY) 289 return(1); 290 291 return(0); 292} 293 294static int 295ip6opts_match(struct ip6_hdr **pip6, struct ip6_fw *f, struct mbuf **m, 296 int *off, int *nxt, u_short *offset) 297{ 298 int len; 299 struct ip6_hdr *ip6 = *pip6; 300 struct ip6_ext *ip6e; 301 u_char opts, nopts, nopts_sve; 302 303 opts = f->fw_ip6opt; 304 nopts = nopts_sve = f->fw_ip6nopt; 305 306 *nxt = ip6->ip6_nxt; 307 *off = sizeof(struct ip6_hdr); 308 len = ntohs(ip6->ip6_plen) + sizeof(struct ip6_hdr); 309 while (*off < len) { 310 ip6e = (struct ip6_ext *)((caddr_t) ip6 + *off); 311 if ((*m)->m_len < *off + sizeof(*ip6e)) 312 goto opts_check; /* XXX */ 313 314 switch(*nxt) { 315 case IPPROTO_FRAGMENT: 316 if ((*m)->m_len >= *off + sizeof(struct ip6_frag)) { 317 struct ip6_frag *ip6f; 318 319 ip6f = (struct ip6_frag *) ((caddr_t)ip6 + *off); 320 *offset = ip6f->ip6f_offlg & IP6F_OFF_MASK; 321 } 322 opts &= ~IPV6_FW_IP6OPT_FRAG; 323 nopts &= ~IPV6_FW_IP6OPT_FRAG; 324 *off += sizeof(struct ip6_frag); 325 break; 326 case IPPROTO_AH: 327 opts &= ~IPV6_FW_IP6OPT_AH; 328 nopts &= ~IPV6_FW_IP6OPT_AH; 329 *off += (ip6e->ip6e_len + 2) << 2; 330 break; 331 default: 332 switch (*nxt) { 333 case IPPROTO_HOPOPTS: 334 opts &= ~IPV6_FW_IP6OPT_HOPOPT; 335 nopts &= ~IPV6_FW_IP6OPT_HOPOPT; 336 break; 337 case IPPROTO_ROUTING: 338 opts &= ~IPV6_FW_IP6OPT_ROUTE; 339 nopts &= ~IPV6_FW_IP6OPT_ROUTE; 340 break; 341 case IPPROTO_ESP: 342 opts &= ~IPV6_FW_IP6OPT_ESP; 343 nopts &= ~IPV6_FW_IP6OPT_ESP; 344 break; 345 case IPPROTO_NONE: 346 opts &= ~IPV6_FW_IP6OPT_NONXT; 347 nopts &= ~IPV6_FW_IP6OPT_NONXT; 348 goto opts_check; 349 break; 350 case IPPROTO_DSTOPTS: 351 opts &= ~IPV6_FW_IP6OPT_OPTS; 352 nopts &= ~IPV6_FW_IP6OPT_OPTS; 353 break; 354 default: 355 goto opts_check; 356 break; 357 } 358 *off += (ip6e->ip6e_len + 1) << 3; 359 break; 360 } 361 *nxt = ip6e->ip6e_nxt; 362 363 } 364 opts_check: 365 if (f->fw_ip6opt == f->fw_ip6nopt) /* XXX */ 366 return 1; 367 368 if (opts == 0 && nopts == nopts_sve) 369 return 1; 370 else 371 return 0; 372} 373 374static 375__inline int 376iface_match(struct ifnet *ifp, union ip6_fw_if *ifu, int byname) 377{ 378 /* Check by name or by IP address */ 379 if (byname) { 380 /* Check unit number (-1 is wildcard) */ 381 if (ifu->fu_via_if.unit != -1 382 && ifp->if_unit != ifu->fu_via_if.unit) 383 return(0); 384 /* Check name */ 385 if (strncmp(ifp->if_name, ifu->fu_via_if.name, IP6FW_IFNLEN)) 386 return(0); 387 return(1); 388 } else if (!IN6_IS_ADDR_UNSPECIFIED(&ifu->fu_via_ip6)) { /* Zero == wildcard */ 389 struct ifaddr *ia; 390 391 ifnet_lock_shared(ifp); 392 for (ia = ifp->if_addrlist.tqh_first; ia; 393 ia = ia->ifa_list.tqe_next) 394 { 395 IFA_LOCK_SPIN(ia); 396 if (ia->ifa_addr->sa_family != AF_INET6) { 397 IFA_UNLOCK(ia); 398 continue; 399 } 400 if (!IN6_ARE_ADDR_EQUAL(&ifu->fu_via_ip6, 401 &(((struct sockaddr_in6 *) 402 (ia->ifa_addr))->sin6_addr))) { 403 IFA_UNLOCK(ia); 404 continue; 405 } 406 IFA_UNLOCK(ia); 407 ifnet_lock_done(ifp); 408 return(1); 409 } 410 ifnet_lock_done(ifp); 411 return(0); 412 } 413 return(1); 414} 415 416static void 417ip6fw_report(struct ip6_fw *f, struct ip6_hdr *ip6, 418 struct ifnet *rif, struct ifnet *oif, int off, int nxt) 419{ 420 static int counter; 421 struct tcphdr *const tcp6 = (struct tcphdr *) ((caddr_t) ip6+ off); 422 struct udphdr *const udp = (struct udphdr *) ((caddr_t) ip6+ off); 423 struct icmp6_hdr *const icmp6 = (struct icmp6_hdr *) ((caddr_t) ip6+ off); 424 int count; 425 const char *action; 426 char action2[32], proto[102], name[18]; 427 int len; 428 429 count = f ? f->fw_pcnt : ++counter; 430 if (fw6_verbose_limit != 0 && count > fw6_verbose_limit) 431 return; 432 433 /* Print command name */ 434 snprintf(SNPARGS(name, 0), "ip6fw: %d", f ? f->fw_number : -1); 435 436 action = action2; 437 if (!f) 438 action = "Refuse"; 439 else { 440 switch (f->fw_flg & IPV6_FW_F_COMMAND) { 441 case IPV6_FW_F_DENY: 442 action = "Deny"; 443 break; 444 case IPV6_FW_F_REJECT: 445 if (f->fw_reject_code == IPV6_FW_REJECT_RST) 446 action = "Reset"; 447 else 448 action = "Unreach"; 449 break; 450 case IPV6_FW_F_ACCEPT: 451 action = "Accept"; 452 break; 453 case IPV6_FW_F_COUNT: 454 action = "Count"; 455 break; 456 case IPV6_FW_F_DIVERT: 457 snprintf(SNPARGS(action2, 0), "Divert %d", 458 f->fw_divert_port); 459 break; 460 case IPV6_FW_F_TEE: 461 snprintf(SNPARGS(action2, 0), "Tee %d", 462 f->fw_divert_port); 463 break; 464 case IPV6_FW_F_SKIPTO: 465 snprintf(SNPARGS(action2, 0), "SkipTo %d", 466 f->fw_skipto_rule); 467 break; 468 default: 469 action = "UNKNOWN"; 470 break; 471 } 472 } 473 474 switch (nxt) { 475 case IPPROTO_TCP: 476 len = snprintf(SNPARGS(proto, 0), "TCP [%s]", 477 ip6_sprintf(&ip6->ip6_src)); 478 if (off > 0) 479 len += snprintf(SNPARGS(proto, len), ":%d ", 480 ntohs(tcp6->th_sport)); 481 else 482 len += snprintf(SNPARGS(proto, len), " "); 483 len += snprintf(SNPARGS(proto, len), "[%s]", 484 ip6_sprintf(&ip6->ip6_dst)); 485 if (off > 0) 486 snprintf(SNPARGS(proto, len), ":%d", 487 ntohs(tcp6->th_dport)); 488 break; 489 case IPPROTO_UDP: 490 len = snprintf(SNPARGS(proto, 0), "UDP [%s]", 491 ip6_sprintf(&ip6->ip6_src)); 492 if (off > 0) 493 len += snprintf(SNPARGS(proto, len), ":%d ", 494 ntohs(udp->uh_sport)); 495 else 496 len += snprintf(SNPARGS(proto, len), " "); 497 len += snprintf(SNPARGS(proto, len), "[%s]", 498 ip6_sprintf(&ip6->ip6_dst)); 499 if (off > 0) 500 snprintf(SNPARGS(proto, len), ":%d", 501 ntohs(udp->uh_dport)); 502 break; 503 case IPPROTO_ICMPV6: 504 if (off > 0) 505 len = snprintf(SNPARGS(proto, 0), "IPV6-ICMP:%u.%u ", 506 icmp6->icmp6_type, icmp6->icmp6_code); 507 else 508 len = snprintf(SNPARGS(proto, 0), "IPV6-ICMP "); 509 len += snprintf(SNPARGS(proto, len), "[%s]", 510 ip6_sprintf(&ip6->ip6_src)); 511 snprintf(SNPARGS(proto, len), " [%s]", 512 ip6_sprintf(&ip6->ip6_dst)); 513 break; 514 default: 515 len = snprintf(SNPARGS(proto, 0), "P:%d [%s]", nxt, 516 ip6_sprintf(&ip6->ip6_src)); 517 snprintf(SNPARGS(proto, len), " [%s]", 518 ip6_sprintf(&ip6->ip6_dst)); 519 break; 520 } 521 522 if (oif) 523 log(LOG_AUTHPRIV | LOG_INFO, "%s %s %s out via %s\n", 524 name, action, proto, if_name(oif)); 525 else if (rif) 526 log(LOG_AUTHPRIV | LOG_INFO, "%s %s %s in via %s\n", 527 name, action, proto, if_name(rif)); 528 else 529 log(LOG_AUTHPRIV | LOG_INFO, "%s %s %s", 530 name, action, proto); 531 if (fw6_verbose_limit != 0 && count == fw6_verbose_limit) 532 log(LOG_AUTHPRIV | LOG_INFO, "ip6fw: limit reached on entry %d\n", 533 f ? f->fw_number : -1); 534} 535 536/* 537 * Parameters: 538 * 539 * ip Pointer to packet header (struct ip6_hdr *) 540 * hlen Packet header length 541 * oif Outgoing interface, or NULL if packet is incoming 542 * #ifndef IP6FW_DIVERT_RESTART 543 * *cookie Ignore all divert/tee rules to this port (if non-zero) 544 * #else 545 * *cookie Skip up to the first rule past this rule number; 546 * #endif 547 * *m The packet; we set to NULL when/if we nuke it. 548 * 549 * Return value: 550 * 551 * 0 The packet is to be accepted and routed normally OR 552 * the packet was denied/rejected and has been dropped; 553 * in the latter case, *m is equal to NULL upon return. 554 * port Divert the packet to port. 555 */ 556 557static int 558ip6_fw_chk(struct ip6_hdr **pip6, 559 struct ifnet *oif, u_int16_t *cookie, struct mbuf **m) 560{ 561 struct ip6_fw_chain *chain; 562 struct ip6_fw *rule = NULL; 563 struct ip6_hdr *ip6 = *pip6; 564 struct ifnet *const rif = ((*m)->m_flags & M_LOOP) ? lo_ifp : (*m)->m_pkthdr.rcvif; 565 u_short offset = 0; 566 int off = sizeof(struct ip6_hdr), nxt = ip6->ip6_nxt; 567 u_short src_port, dst_port; 568#ifdef IP6FW_DIVERT_RESTART 569 u_int16_t skipto = *cookie; 570#else 571 u_int16_t ignport = ntohs(*cookie); 572#endif 573 struct timeval timenow; 574 575 getmicrotime(&timenow); 576 577 *cookie = 0; 578 /* 579 * Go down the chain, looking for enlightment 580 * #ifdef IP6FW_DIVERT_RESTART 581 * If we've been asked to start at a given rule immediatly, do so. 582 * #endif 583 */ 584 chain = LIST_FIRST(&ip6_fw_chain); 585#ifdef IP6FW_DIVERT_RESTART 586 if (skipto) { 587 if (skipto >= 65535) 588 goto dropit; 589 while (chain && (chain->rule->fw_number <= skipto)) { 590 chain = LIST_NEXT(chain, chain); 591 } 592 if (! chain) goto dropit; 593 } 594#endif /* IP6FW_DIVERT_RESTART */ 595 for (; chain; chain = LIST_NEXT(chain, chain)) { 596 struct ip6_fw *const f = chain->rule; 597 598 if (oif) { 599 /* Check direction outbound */ 600 if (!(f->fw_flg & IPV6_FW_F_OUT)) 601 continue; 602 } else { 603 /* Check direction inbound */ 604 if (!(f->fw_flg & IPV6_FW_F_IN)) 605 continue; 606 } 607 608#define IN6_ARE_ADDR_MASKEQUAL(x,y,z) (\ 609 (((x)->s6_addr32[0] & (y)->s6_addr32[0]) == (z)->s6_addr32[0]) && \ 610 (((x)->s6_addr32[1] & (y)->s6_addr32[1]) == (z)->s6_addr32[1]) && \ 611 (((x)->s6_addr32[2] & (y)->s6_addr32[2]) == (z)->s6_addr32[2]) && \ 612 (((x)->s6_addr32[3] & (y)->s6_addr32[3]) == (z)->s6_addr32[3])) 613 614 /* If src-addr doesn't match, not this rule. */ 615 if (((f->fw_flg & IPV6_FW_F_INVSRC) != 0) ^ 616 (!IN6_ARE_ADDR_MASKEQUAL(&ip6->ip6_src,&f->fw_smsk,&f->fw_src))) 617 continue; 618 619 /* If dest-addr doesn't match, not this rule. */ 620 if (((f->fw_flg & IPV6_FW_F_INVDST) != 0) ^ 621 (!IN6_ARE_ADDR_MASKEQUAL(&ip6->ip6_dst,&f->fw_dmsk,&f->fw_dst))) 622 continue; 623 624#undef IN6_ARE_ADDR_MASKEQUAL 625 /* Interface check */ 626 if ((f->fw_flg & IF6_FW_F_VIAHACK) == IF6_FW_F_VIAHACK) { 627 struct ifnet *const iface = oif ? oif : rif; 628 629 /* Backwards compatibility hack for "via" */ 630 if (!iface || !iface_match(iface, 631 &f->fw_in_if, f->fw_flg & IPV6_FW_F_OIFNAME)) 632 continue; 633 } else { 634 /* Check receive interface */ 635 if ((f->fw_flg & IPV6_FW_F_IIFACE) 636 && (!rif || !iface_match(rif, 637 &f->fw_in_if, f->fw_flg & IPV6_FW_F_IIFNAME))) 638 continue; 639 /* Check outgoing interface */ 640 if ((f->fw_flg & IPV6_FW_F_OIFACE) 641 && (!oif || !iface_match(oif, 642 &f->fw_out_if, f->fw_flg & IPV6_FW_F_OIFNAME))) 643 continue; 644 } 645 646 /* Check IP options */ 647 if (!ip6opts_match(&ip6, f, m, &off, &nxt, &offset)) 648 continue; 649 650 /* Fragments */ 651 if ((f->fw_flg & IPV6_FW_F_FRAG) && !offset) 652 continue; 653 654 /* Check protocol; if wildcard, match */ 655 if (f->fw_prot == IPPROTO_IPV6) 656 goto got_match; 657 658 /* If different, don't match */ 659 if (nxt != f->fw_prot) 660 continue; 661 662#define PULLUP_TO(len) do { \ 663 if ((*m)->m_len < (len) \ 664 && (*m = m_pullup(*m, (len))) == 0) { \ 665 goto dropit; \ 666 } \ 667 *pip6 = ip6 = mtod(*m, struct ip6_hdr *); \ 668 } while (0) 669 670 /* Protocol specific checks */ 671 switch (nxt) { 672 case IPPROTO_TCP: 673 { 674 struct tcphdr *tcp6; 675 676 if (offset == 1) { /* cf. RFC 1858 */ 677 PULLUP_TO(off + 4); /* XXX ? */ 678 goto bogusfrag; 679 } 680 if (offset != 0) { 681 /* 682 * TCP flags and ports aren't available in this 683 * packet -- if this rule specified either one, 684 * we consider the rule a non-match. 685 */ 686 if (f->fw_nports != 0 || 687 f->fw_tcpf != f->fw_tcpnf) 688 continue; 689 690 break; 691 } 692 PULLUP_TO(off + 14); 693 tcp6 = (struct tcphdr *) ((caddr_t)ip6 + off); 694 if (((f->fw_tcpf != f->fw_tcpnf) || 695 (f->fw_ipflg & IPV6_FW_IF_TCPEST)) && 696 !tcp6flg_match(tcp6, f)) 697 continue; 698 src_port = ntohs(tcp6->th_sport); 699 dst_port = ntohs(tcp6->th_dport); 700 goto check_ports; 701 } 702 703 case IPPROTO_UDP: 704 { 705 struct udphdr *udp; 706 707 if (offset != 0) { 708 /* 709 * Port specification is unavailable -- if this 710 * rule specifies a port, we consider the rule 711 * a non-match. 712 */ 713 if (f->fw_nports != 0) 714 continue; 715 716 break; 717 } 718 PULLUP_TO(off + 4); 719 udp = (struct udphdr *) ((caddr_t)ip6 + off); 720 src_port = ntohs(udp->uh_sport); 721 dst_port = ntohs(udp->uh_dport); 722check_ports: 723 if (!port_match6(&f->fw_pts[0], 724 IPV6_FW_GETNSRCP(f), src_port, 725 f->fw_flg & IPV6_FW_F_SRNG)) 726 continue; 727 if (!port_match6(&f->fw_pts[IPV6_FW_GETNSRCP(f)], 728 IPV6_FW_GETNDSTP(f), dst_port, 729 f->fw_flg & IPV6_FW_F_DRNG)) 730 continue; 731 break; 732 } 733 734 case IPPROTO_ICMPV6: 735 { 736 struct icmp6_hdr *icmp; 737 738 if (offset != 0) /* Type isn't valid */ 739 break; 740 PULLUP_TO(off + 2); 741 icmp = (struct icmp6_hdr *) ((caddr_t)ip6 + off); 742 if (!icmp6type_match(icmp, f)) 743 continue; 744 break; 745 } 746#undef PULLUP_TO 747 748bogusfrag: 749 if (fw6_verbose) 750 ip6fw_report(NULL, ip6, rif, oif, off, nxt); 751 goto dropit; 752 } 753 754got_match: 755#ifndef IP6FW_DIVERT_RESTART 756 /* Ignore divert/tee rule if socket port is "ignport" */ 757 switch (f->fw_flg & IPV6_FW_F_COMMAND) { 758 case IPV6_FW_F_DIVERT: 759 case IPV6_FW_F_TEE: 760 if (f->fw_divert_port == ignport) 761 continue; /* ignore this rule */ 762 break; 763 } 764 765#endif /* IP6FW_DIVERT_RESTART */ 766 /* Update statistics */ 767 f->fw_pcnt += 1; 768 f->fw_bcnt += ntohs(ip6->ip6_plen); 769 f->timestamp = timenow.tv_sec; 770 771 /* Log to console if desired */ 772 if ((f->fw_flg & IPV6_FW_F_PRN) && fw6_verbose) 773 ip6fw_report(f, ip6, rif, oif, off, nxt); 774 775 /* Take appropriate action */ 776 switch (f->fw_flg & IPV6_FW_F_COMMAND) { 777 case IPV6_FW_F_ACCEPT: 778 return(0); 779 case IPV6_FW_F_COUNT: 780 continue; 781 case IPV6_FW_F_DIVERT: 782#ifdef IP6FW_DIVERT_RESTART 783 *cookie = f->fw_number; 784#else 785 *cookie = htons(f->fw_divert_port); 786#endif /* IP6FW_DIVERT_RESTART */ 787 return(f->fw_divert_port); 788 case IPV6_FW_F_TEE: 789 /* 790 * XXX someday tee packet here, but beware that you 791 * can't use m_copym() or m_copypacket() because 792 * the divert input routine modifies the mbuf 793 * (and these routines only increment reference 794 * counts in the case of mbuf clusters), so need 795 * to write custom routine. 796 */ 797 continue; 798 case IPV6_FW_F_SKIPTO: 799#ifdef DIAGNOSTIC 800 while (chain->chain.le_next 801 && chain->chain.le_next->rule->fw_number 802 < f->fw_skipto_rule) 803#else 804 while (chain->chain.le_next->rule->fw_number 805 < f->fw_skipto_rule) 806#endif 807 chain = chain->chain.le_next; 808 continue; 809 } 810 811 /* Deny/reject this packet using this rule */ 812 rule = f; 813 break; 814 } 815 816#ifdef DIAGNOSTIC 817 /* Rule 65535 should always be there and should always match */ 818 if (!chain) 819 panic("ip6_fw: chain"); 820#endif 821 822 /* 823 * At this point, we're going to drop the packet. 824 * Send a reject notice if all of the following are true: 825 * 826 * - The packet matched a reject rule 827 * - The packet is not an ICMP packet, or is an ICMP query packet 828 * - The packet is not a multicast or broadcast packet 829 */ 830 if ((rule->fw_flg & IPV6_FW_F_COMMAND) == IPV6_FW_F_REJECT 831 && (nxt != IPPROTO_ICMPV6 || is_icmp6_query(ip6, off)) 832 && !((*m)->m_flags & (M_BCAST|M_MCAST)) 833 && !IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 834 switch (rule->fw_reject_code) { 835 case IPV6_FW_REJECT_RST: 836 { 837 struct tcphdr *const tcp = 838 (struct tcphdr *) ((caddr_t)ip6 + off); 839 struct { 840 struct ip6_hdr ip6; 841 struct tcphdr th; 842 } ti; 843 tcp_seq ack, seq; 844 int flags; 845 846 if (offset != 0 || (tcp->th_flags & TH_RST)) 847 break; 848 849 ti.ip6 = *ip6; 850 ti.th = *tcp; 851 ti.th.th_seq = ntohl(ti.th.th_seq); 852 ti.th.th_ack = ntohl(ti.th.th_ack); 853 ti.ip6.ip6_nxt = IPPROTO_TCP; 854 if (ti.th.th_flags & TH_ACK) { 855 ack = 0; 856 seq = ti.th.th_ack; 857 flags = TH_RST; 858 } else { 859 ack = ti.th.th_seq; 860 if (((*m)->m_flags & M_PKTHDR) != 0) { 861 ack += (*m)->m_pkthdr.len - off 862 - (ti.th.th_off << 2); 863 } else if (ip6->ip6_plen) { 864 ack += ntohs(ip6->ip6_plen) + sizeof(*ip6) 865 - off - (ti.th.th_off << 2); 866 } else { 867 m_freem(*m); 868 *m = 0; 869 break; 870 } 871 seq = 0; 872 flags = TH_RST|TH_ACK; 873 } 874 bcopy(&ti, ip6, sizeof(ti)); 875 tcp_respond(NULL, ip6, (struct tcphdr *)(ip6 + 1), 876 *m, ack, seq, flags, IFSCOPE_NONE, 0); 877 *m = NULL; 878 break; 879 } 880 default: /* Send an ICMP unreachable using code */ 881 if (oif) 882 (*m)->m_pkthdr.rcvif = oif; 883 icmp6_error(*m, ICMP6_DST_UNREACH, 884 rule->fw_reject_code, 0); 885 *m = NULL; 886 break; 887 } 888 } 889 890dropit: 891 /* 892 * Finally, drop the packet. 893 */ 894 if (*m) { 895 m_freem(*m); 896 *m = NULL; 897 } 898 return(0); 899} 900 901static int 902add_entry6(struct ip6_fw_head *chainptr, struct ip6_fw *frwl) 903{ 904 struct ip6_fw *ftmp = 0; 905 struct ip6_fw_chain *fwc = 0, *fcp, *fcpl = 0; 906 u_short nbr = 0; 907 int s; 908 909 fwc = _MALLOC(sizeof *fwc, M_IP6FW, M_WAITOK); 910 ftmp = _MALLOC(sizeof *ftmp, M_IP6FW, M_WAITOK); 911 if (!fwc || !ftmp) { 912 dprintf(("%s malloc said no\n", err_prefix)); 913 if (fwc) FREE(fwc, M_IP6FW); 914 if (ftmp) FREE(ftmp, M_IP6FW); 915 return (ENOSPC); 916 } 917 918 bcopy(frwl, ftmp, sizeof(struct ip6_fw)); 919 ftmp->fw_in_if.fu_via_if.name[IP6FW_IFNLEN - 1] = '\0'; 920 ftmp->fw_pcnt = 0L; 921 ftmp->fw_bcnt = 0L; 922 fwc->rule = ftmp; 923 924 s = splnet(); 925 926 if (!chainptr->lh_first) { 927 LIST_INSERT_HEAD(chainptr, fwc, chain); 928 splx(s); 929 return(0); 930 } else if (ftmp->fw_number == (u_short)-1) { 931 if (fwc) FREE(fwc, M_IP6FW); 932 if (ftmp) FREE(ftmp, M_IP6FW); 933 splx(s); 934 dprintf(("%s bad rule number\n", err_prefix)); 935 return (EINVAL); 936 } 937 938 /* If entry number is 0, find highest numbered rule and add 100 */ 939 if (ftmp->fw_number == 0) { 940 for (fcp = chainptr->lh_first; fcp; fcp = fcp->chain.le_next) { 941 if (fcp->rule->fw_number != (u_short)-1) 942 nbr = fcp->rule->fw_number; 943 else 944 break; 945 } 946 if (nbr < (u_short)-1 - 100) 947 nbr += 100; 948 ftmp->fw_number = nbr; 949 } 950 951 /* Got a valid number; now insert it, keeping the list ordered */ 952 for (fcp = chainptr->lh_first; fcp; fcp = fcp->chain.le_next) { 953 if (fcp->rule->fw_number > ftmp->fw_number) { 954 if (fcpl) { 955 LIST_INSERT_AFTER(fcpl, fwc, chain); 956 } else { 957 LIST_INSERT_HEAD(chainptr, fwc, chain); 958 } 959 break; 960 } else { 961 fcpl = fcp; 962 } 963 } 964 965 bcopy(ftmp, frwl, sizeof(struct ip6_fw)); 966 splx(s); 967 return (0); 968} 969 970static int 971del_entry6(struct ip6_fw_head *chainptr, u_short number) 972{ 973 struct ip6_fw_chain *fcp; 974 int s; 975 976 s = splnet(); 977 978 fcp = chainptr->lh_first; 979 if (number != (u_short)-1) { 980 for (; fcp; fcp = fcp->chain.le_next) { 981 if (fcp->rule->fw_number == number) { 982 LIST_REMOVE(fcp, chain); 983 splx(s); 984 FREE(fcp->rule, M_IP6FW); 985 FREE(fcp, M_IP6FW); 986 return 0; 987 } 988 } 989 } 990 991 splx(s); 992 return (EINVAL); 993} 994 995static int 996zero_entry6(struct ip6_fw *frwl) 997{ 998 struct ip6_fw_chain *fcp; 999 int s; 1000 1001 /* 1002 * It's possible to insert multiple chain entries with the 1003 * same number, so we don't stop after finding the first 1004 * match if zeroing a specific entry. 1005 */ 1006 s = splnet(); 1007 for (fcp = ip6_fw_chain.lh_first; fcp; fcp = fcp->chain.le_next) 1008 if (!frwl || frwl->fw_number == 0 || frwl->fw_number == fcp->rule->fw_number) { 1009 fcp->rule->fw_bcnt = fcp->rule->fw_pcnt = 0; 1010 fcp->rule->timestamp = 0; 1011 } 1012 splx(s); 1013 1014 if (fw6_verbose) { 1015 if (frwl) 1016 log(LOG_AUTHPRIV | LOG_NOTICE, 1017 "ip6fw: Entry %d cleared.\n", frwl->fw_number); 1018 else 1019 log(LOG_AUTHPRIV | LOG_NOTICE, 1020 "ip6fw: Accounting cleared.\n"); 1021 } 1022 1023 return(0); 1024} 1025 1026static struct ip6_fw * 1027check_ip6fw_struct(struct ip6_fw *frwl) 1028{ 1029 /* Check for invalid flag bits */ 1030 if ((frwl->fw_flg & ~IPV6_FW_F_MASK) != 0) { 1031 dprintf(("%s undefined flag bits set (flags=%x)\n", 1032 err_prefix, frwl->fw_flg)); 1033 return (NULL); 1034 } 1035 /* Must apply to incoming or outgoing (or both) */ 1036 if (!(frwl->fw_flg & (IPV6_FW_F_IN | IPV6_FW_F_OUT))) { 1037 dprintf(("%s neither in nor out\n", err_prefix)); 1038 return (NULL); 1039 } 1040 /* Empty interface name is no good */ 1041 if (((frwl->fw_flg & IPV6_FW_F_IIFNAME) 1042 && !*frwl->fw_in_if.fu_via_if.name) 1043 || ((frwl->fw_flg & IPV6_FW_F_OIFNAME) 1044 && !*frwl->fw_out_if.fu_via_if.name)) { 1045 dprintf(("%s empty interface name\n", err_prefix)); 1046 return (NULL); 1047 } 1048 /* Sanity check interface matching */ 1049 if ((frwl->fw_flg & IF6_FW_F_VIAHACK) == IF6_FW_F_VIAHACK) { 1050 ; /* allow "via" backwards compatibility */ 1051 } else if ((frwl->fw_flg & IPV6_FW_F_IN) 1052 && (frwl->fw_flg & IPV6_FW_F_OIFACE)) { 1053 dprintf(("%s outgoing interface check on incoming\n", 1054 err_prefix)); 1055 return (NULL); 1056 } 1057 /* Sanity check port ranges */ 1058 if ((frwl->fw_flg & IPV6_FW_F_SRNG) && IPV6_FW_GETNSRCP(frwl) < 2) { 1059 dprintf(("%s src range set but n_src_p=%d\n", 1060 err_prefix, IPV6_FW_GETNSRCP(frwl))); 1061 return (NULL); 1062 } 1063 if ((frwl->fw_flg & IPV6_FW_F_DRNG) && IPV6_FW_GETNDSTP(frwl) < 2) { 1064 dprintf(("%s dst range set but n_dst_p=%d\n", 1065 err_prefix, IPV6_FW_GETNDSTP(frwl))); 1066 return (NULL); 1067 } 1068 if (IPV6_FW_GETNSRCP(frwl) + IPV6_FW_GETNDSTP(frwl) > IPV6_FW_MAX_PORTS) { 1069 dprintf(("%s too many ports (%d+%d)\n", 1070 err_prefix, IPV6_FW_GETNSRCP(frwl), IPV6_FW_GETNDSTP(frwl))); 1071 return (NULL); 1072 } 1073 /* 1074 * Protocols other than TCP/UDP don't use port range 1075 */ 1076 if ((frwl->fw_prot != IPPROTO_TCP) && 1077 (frwl->fw_prot != IPPROTO_UDP) && 1078 (IPV6_FW_GETNSRCP(frwl) || IPV6_FW_GETNDSTP(frwl))) { 1079 dprintf(("%s port(s) specified for non TCP/UDP rule\n", 1080 err_prefix)); 1081 return(NULL); 1082 } 1083 1084 /* 1085 * Rather than modify the entry to make such entries work, 1086 * we reject this rule and require user level utilities 1087 * to enforce whatever policy they deem appropriate. 1088 */ 1089 if ((frwl->fw_src.s6_addr32[0] & (~frwl->fw_smsk.s6_addr32[0])) || 1090 (frwl->fw_src.s6_addr32[1] & (~frwl->fw_smsk.s6_addr32[1])) || 1091 (frwl->fw_src.s6_addr32[2] & (~frwl->fw_smsk.s6_addr32[2])) || 1092 (frwl->fw_src.s6_addr32[3] & (~frwl->fw_smsk.s6_addr32[3])) || 1093 (frwl->fw_dst.s6_addr32[0] & (~frwl->fw_dmsk.s6_addr32[0])) || 1094 (frwl->fw_dst.s6_addr32[1] & (~frwl->fw_dmsk.s6_addr32[1])) || 1095 (frwl->fw_dst.s6_addr32[2] & (~frwl->fw_dmsk.s6_addr32[2])) || 1096 (frwl->fw_dst.s6_addr32[3] & (~frwl->fw_dmsk.s6_addr32[3]))) { 1097 dprintf(("%s rule never matches\n", err_prefix)); 1098 return(NULL); 1099 } 1100 1101 if ((frwl->fw_flg & IPV6_FW_F_FRAG) && 1102 (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) { 1103 if (frwl->fw_nports) { 1104 dprintf(("%s cannot mix 'frag' and ports\n", err_prefix)); 1105 return(NULL); 1106 } 1107 if (frwl->fw_prot == IPPROTO_TCP && 1108 frwl->fw_tcpf != frwl->fw_tcpnf) { 1109 dprintf(("%s cannot mix 'frag' with TCP flags\n", err_prefix)); 1110 return(NULL); 1111 } 1112 } 1113 1114 /* Check command specific stuff */ 1115 switch (frwl->fw_flg & IPV6_FW_F_COMMAND) 1116 { 1117 case IPV6_FW_F_REJECT: 1118 if (frwl->fw_reject_code >= 0x100 1119 && !(frwl->fw_prot == IPPROTO_TCP 1120 && frwl->fw_reject_code == IPV6_FW_REJECT_RST)) { 1121 dprintf(("%s unknown reject code\n", err_prefix)); 1122 return(NULL); 1123 } 1124 break; 1125 case IPV6_FW_F_DIVERT: /* Diverting to port zero is invalid */ 1126 case IPV6_FW_F_TEE: 1127 if (frwl->fw_divert_port == 0) { 1128 dprintf(("%s can't divert to port 0\n", err_prefix)); 1129 return (NULL); 1130 } 1131 break; 1132 case IPV6_FW_F_DENY: 1133 case IPV6_FW_F_ACCEPT: 1134 case IPV6_FW_F_COUNT: 1135 case IPV6_FW_F_SKIPTO: 1136 break; 1137 default: 1138 dprintf(("%s invalid command\n", err_prefix)); 1139 return(NULL); 1140 } 1141 1142 return frwl; 1143} 1144 1145static void 1146ip6fw_kev_post_msg(u_int32_t event_code) 1147{ 1148 struct kev_msg ev_msg; 1149 1150 bzero(&ev_msg, sizeof(struct kev_msg)); 1151 1152 ev_msg.vendor_code = KEV_VENDOR_APPLE; 1153 ev_msg.kev_class = KEV_FIREWALL_CLASS; 1154 ev_msg.kev_subclass = KEV_IP6FW_SUBCLASS; 1155 ev_msg.event_code = event_code; 1156 1157 kev_post_msg(&ev_msg); 1158 1159} 1160 1161 1162static void 1163cp_to_user_64( struct ip6_fw_64 *userrule_64, struct ip6_fw *rule) 1164{ 1165 userrule_64->version = rule->version; 1166 userrule_64->context = CAST_USER_ADDR_T(rule->context); 1167 userrule_64->fw_pcnt = rule->fw_pcnt; 1168 userrule_64->fw_bcnt = rule->fw_bcnt; 1169 userrule_64->fw_src = rule->fw_src; 1170 userrule_64->fw_dst = rule->fw_dst; 1171 userrule_64->fw_smsk = rule->fw_smsk; 1172 userrule_64->fw_dmsk = rule->fw_dmsk; 1173 userrule_64->fw_number = rule->fw_number; 1174 userrule_64->fw_flg = rule->fw_flg; 1175 userrule_64->fw_ipflg = rule->fw_ipflg; 1176 bcopy( rule->fw_pts, userrule_64->fw_pts, IPV6_FW_MAX_PORTS); 1177 userrule_64->fw_ip6opt= rule->fw_ip6opt; 1178 userrule_64->fw_ip6nopt = rule->fw_ip6nopt; 1179 userrule_64->fw_tcpf = rule->fw_tcpf; 1180 userrule_64->fw_tcpnf = rule->fw_tcpnf; 1181 bcopy( rule->fw_icmp6types, userrule_64->fw_icmp6types, sizeof(userrule_64->fw_icmp6types)); 1182 userrule_64->fw_in_if = rule->fw_in_if; 1183 userrule_64->fw_out_if = rule->fw_out_if; 1184 userrule_64->timestamp = rule->timestamp; 1185 userrule_64->fw_un.fu_divert_port = rule->fw_un.fu_divert_port; 1186 userrule_64->fw_prot = rule->fw_prot; 1187 userrule_64->fw_nports = rule->fw_nports; 1188} 1189 1190 1191static void 1192cp_from_user_64( struct ip6_fw_64 *userrule_64, struct ip6_fw *rule) 1193{ 1194 rule->version = userrule_64->version; 1195 rule->context = CAST_DOWN(void *, userrule_64->context); 1196 rule->fw_pcnt = userrule_64->fw_pcnt; 1197 rule->fw_bcnt = userrule_64->fw_bcnt; 1198 rule->fw_src = userrule_64->fw_src; 1199 rule->fw_dst = userrule_64->fw_dst; 1200 rule->fw_smsk = userrule_64->fw_smsk; 1201 rule->fw_dmsk = userrule_64->fw_dmsk; 1202 rule->fw_number = userrule_64->fw_number; 1203 rule->fw_flg = userrule_64->fw_flg; 1204 rule->fw_ipflg = userrule_64->fw_ipflg; 1205 bcopy( userrule_64->fw_pts, rule->fw_pts, IPV6_FW_MAX_PORTS); 1206 rule->fw_ip6opt = userrule_64->fw_ip6opt; 1207 rule->fw_ip6nopt = userrule_64->fw_ip6nopt; 1208 rule->fw_tcpf = userrule_64->fw_tcpf; 1209 rule->fw_tcpnf = userrule_64->fw_tcpnf; 1210 bcopy( userrule_64->fw_icmp6types, rule->fw_icmp6types, sizeof(userrule_64->fw_icmp6types)); 1211 rule->fw_in_if = userrule_64->fw_in_if; 1212 rule->fw_out_if = userrule_64->fw_out_if; 1213 rule->timestamp = CAST_DOWN( long, userrule_64->timestamp); 1214 rule->fw_un.fu_divert_port = userrule_64->fw_un.fu_divert_port; 1215 rule->fw_prot = userrule_64->fw_prot; 1216 rule->fw_nports = userrule_64->fw_nports; 1217} 1218 1219 1220static void 1221cp_to_user_32( struct ip6_fw_32 *userrule_32, struct ip6_fw *rule) 1222{ 1223 userrule_32->version = rule->version; 1224 userrule_32->context = CAST_DOWN_EXPLICIT( user32_addr_t, rule->context); 1225 userrule_32->fw_pcnt = rule->fw_pcnt; 1226 userrule_32->fw_bcnt = rule->fw_bcnt; 1227 userrule_32->fw_src = rule->fw_src; 1228 userrule_32->fw_dst = rule->fw_dst; 1229 userrule_32->fw_smsk = rule->fw_smsk; 1230 userrule_32->fw_dmsk = rule->fw_dmsk; 1231 userrule_32->fw_number = rule->fw_number; 1232 userrule_32->fw_flg = rule->fw_flg; 1233 userrule_32->fw_ipflg = rule->fw_ipflg; 1234 bcopy( rule->fw_pts, userrule_32->fw_pts, IPV6_FW_MAX_PORTS); 1235 userrule_32->fw_ip6opt = rule->fw_ip6opt ; 1236 userrule_32->fw_ip6nopt = rule->fw_ip6nopt; 1237 userrule_32->fw_tcpf = rule->fw_tcpf; 1238 userrule_32->fw_tcpnf = rule->fw_tcpnf; 1239 bcopy( rule->fw_icmp6types, userrule_32->fw_icmp6types, sizeof(rule->fw_icmp6types)); 1240 userrule_32->fw_in_if = rule->fw_in_if; 1241 userrule_32->fw_out_if = rule->fw_out_if; 1242 userrule_32->timestamp = rule->timestamp; 1243 userrule_32->fw_un.fu_divert_port = rule->fw_un.fu_divert_port; 1244 userrule_32->fw_prot = rule->fw_prot; 1245 userrule_32->fw_nports = rule->fw_nports; 1246} 1247 1248 1249static void 1250cp_from_user_32( struct ip6_fw_32 *userrule_32, struct ip6_fw *rule) 1251{ 1252 rule->version = userrule_32->version; 1253 rule->context = CAST_DOWN(void *, userrule_32->context); 1254 rule->fw_pcnt = userrule_32->fw_pcnt; 1255 rule->fw_bcnt = userrule_32->fw_bcnt; 1256 rule->fw_src = userrule_32->fw_src; 1257 rule->fw_dst = userrule_32->fw_dst; 1258 rule->fw_smsk = userrule_32->fw_smsk; 1259 rule->fw_dmsk = userrule_32->fw_dmsk; 1260 rule->fw_number = userrule_32->fw_number; 1261 rule->fw_flg = userrule_32->fw_flg; 1262 rule->fw_ipflg = userrule_32->fw_ipflg; 1263 bcopy( userrule_32->fw_pts, rule->fw_pts, IPV6_FW_MAX_PORTS); 1264 rule->fw_ip6opt = userrule_32->fw_ip6opt; 1265 rule->fw_ip6nopt = userrule_32->fw_ip6nopt; 1266 rule->fw_tcpf = userrule_32->fw_tcpf; 1267 rule->fw_tcpnf = userrule_32->fw_tcpnf; 1268 bcopy( userrule_32->fw_icmp6types, rule->fw_icmp6types, sizeof(userrule_32->fw_icmp6types)); 1269 rule->fw_in_if = userrule_32->fw_in_if; 1270 rule->fw_out_if = userrule_32->fw_out_if; 1271 rule->timestamp = CAST_DOWN(long, userrule_32->timestamp); 1272 rule->fw_un.fu_divert_port = userrule_32->fw_un.fu_divert_port; 1273 rule->fw_prot = userrule_32->fw_prot; 1274 rule->fw_nports = userrule_32->fw_nports; 1275} 1276 1277static int 1278ip6_fw_ctl(struct sockopt *sopt) 1279{ 1280 int error = 0; 1281 int spl; 1282 int valsize; 1283 struct ip6_fw rule; 1284 int is64user=0; 1285 size_t userrulesize; 1286 1287 if (securelevel >= 3 && 1288 (sopt->sopt_dir != SOPT_GET || sopt->sopt_name != IPV6_FW_GET)) 1289 return (EPERM); 1290 1291 if ( proc_is64bit(sopt->sopt_p) ){ 1292 is64user = 1; 1293 userrulesize = sizeof( struct ip6_fw_64 ); 1294 } else 1295 userrulesize = sizeof( struct ip6_fw_32 ); 1296 1297 /* We ALWAYS expect the client to pass in a rule structure so that we can 1298 * check the version of the API that they are using. In the case of a 1299 * IPV6_FW_GET operation, the first rule of the output buffer passed to us 1300 * must have the version set. */ 1301 if (!sopt->sopt_val || sopt->sopt_valsize < userrulesize) return EINVAL; 1302 1303 /* save sopt->sopt_valsize */ 1304 valsize = sopt->sopt_valsize; 1305 1306 if (is64user){ 1307 struct ip6_fw_64 userrule_64; 1308 1309 if ((error = sooptcopyin(sopt, &userrule_64, userrulesize, userrulesize))) 1310 return error; 1311 1312 cp_from_user_64( &userrule_64, &rule ); 1313 } 1314 else { 1315 struct ip6_fw_32 userrule_32; 1316 1317 if ((error = sooptcopyin(sopt, &userrule_32, userrulesize, userrulesize))) 1318 return error; 1319 1320 cp_from_user_32( &userrule_32, &rule ); 1321 } 1322 1323 if (rule.version != IPV6_FW_CURRENT_API_VERSION) return EINVAL; 1324 rule.version = 0xFFFFFFFF; /* version is meaningless once rules "make it in the door". */ 1325 1326 switch (sopt->sopt_name) 1327 { 1328 case IPV6_FW_GET: 1329 { 1330 struct ip6_fw_chain *fcp; 1331 struct ip6_fw *buf; 1332 size_t size = 0; 1333 size_t rulesize = 0; 1334 1335 spl = splnet(); 1336 1337 if ( is64user ) 1338 rulesize = sizeof(struct ip6_fw_64 ); 1339 else 1340 rulesize = sizeof(struct ip6_fw_32 ); 1341 1342 LIST_FOREACH(fcp, &ip6_fw_chain, chain) 1343 size += rulesize; 1344 1345 buf = _MALLOC(size, M_TEMP, M_WAITOK); 1346 if (!buf) error = ENOBUFS; 1347 else 1348 { 1349 //struct ip6_fw *bp = buf; 1350 caddr_t bp = (caddr_t)buf; 1351 1352 LIST_FOREACH(fcp, &ip6_fw_chain, chain) 1353 { 1354 //bcopy(fcp->rule, bp, sizeof *bp); 1355 if ( is64user ){ 1356 cp_to_user_64( (struct ip6_fw_64*)bp, fcp->rule); 1357 } 1358 else { 1359 cp_to_user_32( (struct ip6_fw_32*)bp, fcp->rule); 1360 } 1361 1362 ( (struct ip6_fw*)bp)->version = IPV6_FW_CURRENT_API_VERSION; 1363 //bp++; 1364 bp += rulesize; 1365 } 1366 } 1367 1368 splx(spl); 1369 if (buf) 1370 { 1371 sopt->sopt_valsize = valsize; 1372 error = sooptcopyout(sopt, buf, size); 1373 FREE(buf, M_TEMP); 1374 } 1375 1376 break; 1377 } 1378 1379 case IPV6_FW_FLUSH: 1380 spl = splnet(); 1381 while (ip6_fw_chain.lh_first && 1382 ip6_fw_chain.lh_first->rule->fw_number != (u_short)-1) 1383 { 1384 struct ip6_fw_chain *fcp = ip6_fw_chain.lh_first; 1385 LIST_REMOVE(ip6_fw_chain.lh_first, chain); 1386 FREE(fcp->rule, M_IP6FW); 1387 FREE(fcp, M_IP6FW); 1388 } 1389 splx(spl); 1390 ip6fw_kev_post_msg(KEV_IP6FW_FLUSH); 1391 break; 1392 1393 case IPV6_FW_ZERO: 1394 error = zero_entry6(&rule); 1395 break; 1396 1397 case IPV6_FW_ADD: 1398 if (check_ip6fw_struct(&rule)) { 1399 error = add_entry6(&ip6_fw_chain, &rule); 1400 1401 ip6fw_kev_post_msg(KEV_IP6FW_ADD); 1402 } else 1403 error = EINVAL; 1404 1405 if (is64user){ 1406 struct ip6_fw_64 userrule_64; 1407 cp_to_user_64( &userrule_64, &rule); 1408 error = sooptcopyout(sopt, &userrule_64, userrulesize); 1409 } 1410 else { 1411 struct ip6_fw_32 userrule_32; 1412 cp_to_user_32( &userrule_32, &rule); 1413 error = sooptcopyout(sopt, &userrule_32, userrulesize); 1414 } 1415 break; 1416 1417 case IPV6_FW_DEL: 1418 if (rule.fw_number == (u_short)-1) 1419 { 1420 dprintf(("%s can't delete rule 65535\n", err_prefix)); 1421 error = EINVAL; 1422 } 1423 else { 1424 error = del_entry6(&ip6_fw_chain, rule.fw_number); 1425 1426 ip6fw_kev_post_msg(KEV_IP6FW_DEL); 1427 } 1428 break; 1429 1430 default: 1431 dprintf(("%s invalid option %d\n", err_prefix, sopt->sopt_name)); 1432 error = EINVAL; 1433 } 1434 1435 return error; 1436} 1437 1438void 1439ip6_fw_init(void) 1440{ 1441 struct ip6_fw default_rule; 1442 1443 ip6_fw_chk_ptr = ip6_fw_chk; 1444 ip6_fw_ctl_ptr = ip6_fw_ctl; 1445 LIST_INIT(&ip6_fw_chain); 1446 1447 bzero(&default_rule, sizeof default_rule); 1448 default_rule.fw_prot = IPPROTO_IPV6; 1449 default_rule.fw_number = (u_short)-1; 1450#ifdef IPV6FIREWALL_DEFAULT_TO_ACCEPT 1451 default_rule.fw_flg |= IPV6_FW_F_ACCEPT; 1452#else 1453 default_rule.fw_flg |= IPV6_FW_F_DENY; 1454#endif 1455 default_rule.fw_flg |= IPV6_FW_F_IN | IPV6_FW_F_OUT; 1456 if (check_ip6fw_struct(&default_rule) == NULL || 1457 add_entry6(&ip6_fw_chain, &default_rule)) 1458 panic("%s", __FUNCTION__); 1459 1460 printf("IPv6 packet filtering initialized, "); 1461#ifdef IPV6FIREWALL_DEFAULT_TO_ACCEPT 1462 printf("default to accept, "); 1463#endif 1464#ifndef IPV6FIREWALL_VERBOSE 1465 printf("logging disabled\n"); 1466#else 1467 if (fw6_verbose_limit == 0) 1468 printf("unlimited logging\n"); 1469 else 1470 printf("logging limited to %d packets/entry\n", 1471 fw6_verbose_limit); 1472#endif 1473} 1474 1475