ip_auth.c revision 1.6
1/* $NetBSD: ip_auth.c,v 1.6 2018/05/03 07:13:48 maxv Exp $ */ 2 3/* 4 * Copyright (C) 2012 by Darren Reed. 5 * 6 * See the IPFILTER.LICENCE file for details on licencing. 7 */ 8#if defined(KERNEL) || defined(_KERNEL) 9# undef KERNEL 10# undef _KERNEL 11# define KERNEL 1 12# define _KERNEL 1 13#endif 14#if defined(__NetBSD__) 15#include <sys/cdefs.h> 16#endif 17#include <sys/errno.h> 18#include <sys/types.h> 19#include <sys/param.h> 20#include <sys/time.h> 21#include <sys/file.h> 22#if !defined(_KERNEL) 23# include <stdio.h> 24# include <stdlib.h> 25# ifdef _STDC_C99 26# include <stdbool.h> 27# endif 28# include <string.h> 29# define _KERNEL 30# ifdef __OpenBSD__ 31struct file; 32# endif 33# include <sys/uio.h> 34# undef _KERNEL 35#endif 36#if defined(_KERNEL) && (__FreeBSD_version >= 220000) 37# include <sys/filio.h> 38# include <sys/fcntl.h> 39#else 40# include <sys/ioctl.h> 41#endif 42#if !defined(linux) 43# include <sys/protosw.h> 44#endif 45#include <sys/socket.h> 46#if defined(_KERNEL) 47# include <sys/systm.h> 48# if !defined(__SVR4) && !defined(__svr4__) && !defined(linux) 49# include <sys/mbuf.h> 50# endif 51#endif 52#if defined(__SVR4) || defined(__svr4__) 53# include <sys/filio.h> 54# include <sys/byteorder.h> 55# ifdef _KERNEL 56# include <sys/dditypes.h> 57# endif 58# include <sys/stream.h> 59# include <sys/kmem.h> 60#endif 61#if (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) || \ 62 (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000)) 63# include <sys/queue.h> 64#endif 65#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) 66# include <machine/cpu.h> 67#endif 68#if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000) 69# include <sys/proc.h> 70#endif 71#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \ 72 !defined(_KERNEL) 73# include <stdbool.h> 74#endif 75#include <net/if.h> 76#include <net/route.h> 77#ifdef sun 78# include <net/af.h> 79#endif 80#include <netinet/in.h> 81#include <netinet/in_systm.h> 82#include <netinet/ip.h> 83#if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi) 84# define KERNEL 85# define _KERNEL 86# define NOT_KERNEL 87#endif 88#if !defined(linux) 89# include <netinet/ip_var.h> 90#endif 91#ifdef NOT_KERNEL 92# undef _KERNEL 93# undef KERNEL 94#endif 95#include <netinet/tcp.h> 96#if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */ 97extern struct ifqueue ipintrq; /* ip packet input queue */ 98#else 99# if !defined(__hpux) && !defined(linux) 100# if __FreeBSD_version >= 300000 101# include <net/if_var.h> 102# if __FreeBSD_version >= 500042 103# define IF_QFULL _IF_QFULL 104# define IF_DROP _IF_DROP 105# endif /* __FreeBSD_version >= 500042 */ 106# endif 107# include <netinet/in_var.h> 108# include <netinet/tcp_fsm.h> 109# endif 110#endif 111#include <netinet/udp.h> 112#include <netinet/ip_icmp.h> 113#include "netinet/ip_compat.h" 114#include "netinet/ip_fil.h" 115#include "netinet/ip_auth.h" 116#if !defined(MENTAT) && !defined(linux) 117# include <net/netisr.h> 118# ifdef __FreeBSD__ 119# include <machine/cpufunc.h> 120# endif 121#endif 122#if (__FreeBSD_version >= 300000) 123# include <sys/malloc.h> 124# if defined(_KERNEL) && !defined(IPFILTER_LKM) 125# include <sys/libkern.h> 126# include <sys/systm.h> 127# endif 128#endif 129/* END OF INCLUDES */ 130 131#if !defined(lint) 132#if defined(__NetBSD__) 133__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.6 2018/05/03 07:13:48 maxv Exp $"); 134#else 135static const char rcsid[] = "@(#)Id: ip_auth.c,v 1.1.1.2 2012/07/22 13:45:08 darrenr Exp"; 136#endif 137#endif 138 139 140typedef struct ipf_auth_softc_s { 141#if SOLARIS && defined(_KERNEL) 142 kcondvar_t ipf_auth_wait; 143#endif /* SOLARIS */ 144#if defined(linux) && defined(_KERNEL) 145 wait_queue_head_t ipf_auth_next_linux; 146#endif 147 ipfrwlock_t ipf_authlk; 148 ipfmutex_t ipf_auth_mx; 149 int ipf_auth_size; 150 int ipf_auth_used; 151 int ipf_auth_replies; 152 int ipf_auth_defaultage; 153 int ipf_auth_lock; 154 ipf_authstat_t ipf_auth_stats; 155 frauth_t *ipf_auth; 156 mb_t **ipf_auth_pkts; 157 int ipf_auth_start; 158 int ipf_auth_end; 159 int ipf_auth_next; 160 frauthent_t *ipf_auth_entries; 161 frentry_t *ipf_auth_ip; 162 frentry_t *ipf_auth_rules; 163} ipf_auth_softc_t; 164 165 166static void ipf_auth_deref(frauthent_t **); 167static void ipf_auth_deref_unlocked(ipf_auth_softc_t *, frauthent_t **); 168static int ipf_auth_geniter(ipf_main_softc_t *, ipftoken_t *, 169 ipfgeniter_t *, ipfobj_t *); 170static int ipf_auth_reply(ipf_main_softc_t *, ipf_auth_softc_t *, char *); 171static int ipf_auth_wait(ipf_main_softc_t *, ipf_auth_softc_t *, char *); 172static int ipf_auth_flush(void *); 173 174 175/* ------------------------------------------------------------------------ */ 176/* Function: ipf_auth_main_load */ 177/* Returns: int - 0 == success, else error */ 178/* Parameters: None */ 179/* */ 180/* A null-op function that exists as a placeholder so that the flow in */ 181/* other functions is obvious. */ 182/* ------------------------------------------------------------------------ */ 183int 184ipf_auth_main_load(void) 185{ 186 return 0; 187} 188 189 190/* ------------------------------------------------------------------------ */ 191/* Function: ipf_auth_main_unload */ 192/* Returns: int - 0 == success, else error */ 193/* Parameters: None */ 194/* */ 195/* A null-op function that exists as a placeholder so that the flow in */ 196/* other functions is obvious. */ 197/* ------------------------------------------------------------------------ */ 198int 199ipf_auth_main_unload(void) 200{ 201 return 0; 202} 203 204 205/* ------------------------------------------------------------------------ */ 206/* Function: ipf_auth_soft_create */ 207/* Returns: int - NULL = failure, else success */ 208/* Parameters: softc(I) - pointer to soft context data */ 209/* */ 210/* Create a structre to store all of the run-time data for packet auth in */ 211/* and initialise some fields to their defaults. */ 212/* ------------------------------------------------------------------------ */ 213void * 214ipf_auth_soft_create(ipf_main_softc_t *softc) 215{ 216 ipf_auth_softc_t *softa; 217 218 KMALLOC(softa, ipf_auth_softc_t *); 219 if (softa == NULL) 220 return NULL; 221 222 bzero((char *)softa, sizeof(*softa)); 223 224 softa->ipf_auth_size = FR_NUMAUTH; 225 softa->ipf_auth_defaultage = 600; 226 227 RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock"); 228 MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex"); 229#if SOLARIS && defined(_KERNEL) 230 cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL); 231#endif 232 233 return softa; 234} 235 236/* ------------------------------------------------------------------------ */ 237/* Function: ipf_auth_soft_init */ 238/* Returns: int - 0 == success, else error */ 239/* Parameters: softc(I) - pointer to soft context data */ 240/* arg(I) - opaque pointer to auth context data */ 241/* */ 242/* Allocate memory and initialise data structures used in handling auth */ 243/* rules. */ 244/* ------------------------------------------------------------------------ */ 245int 246ipf_auth_soft_init(ipf_main_softc_t *softc, void *arg) 247{ 248 ipf_auth_softc_t *softa = arg; 249 250 KMALLOCS(softa->ipf_auth, frauth_t *, 251 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 252 if (softa->ipf_auth == NULL) 253 return -1; 254 bzero((char *)softa->ipf_auth, 255 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 256 257 KMALLOCS(softa->ipf_auth_pkts, mb_t **, 258 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 259 if (softa->ipf_auth_pkts == NULL) 260 return -2; 261 bzero((char *)softa->ipf_auth_pkts, 262 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 263 264#if defined(linux) && defined(_KERNEL) 265 init_waitqueue_head(&softa->ipf_auth_next_linux); 266#endif 267 268 return 0; 269} 270 271 272/* ------------------------------------------------------------------------ */ 273/* Function: ipf_auth_soft_fini */ 274/* Returns: int - 0 == success, else error */ 275/* Parameters: softc(I) - pointer to soft context data */ 276/* arg(I) - opaque pointer to auth context data */ 277/* */ 278/* Free all network buffer memory used to keep saved packets that have been */ 279/* connectedd to the soft soft context structure *but* do not free that: it */ 280/* is free'd by _destroy(). */ 281/* ------------------------------------------------------------------------ */ 282int 283ipf_auth_soft_fini(ipf_main_softc_t *softc, void *arg) 284{ 285 ipf_auth_softc_t *softa = arg; 286 frauthent_t *fae, **faep; 287 frentry_t *fr, **frp; 288 mb_t *m; 289 int i; 290 291 if (softa->ipf_auth != NULL) { 292 KFREES(softa->ipf_auth, 293 softa->ipf_auth_size * sizeof(*softa->ipf_auth)); 294 softa->ipf_auth = NULL; 295 } 296 297 if (softa->ipf_auth_pkts != NULL) { 298 for (i = 0; i < softa->ipf_auth_size; i++) { 299 m = softa->ipf_auth_pkts[i]; 300 if (m != NULL) { 301 FREE_MB_T(m); 302 softa->ipf_auth_pkts[i] = NULL; 303 } 304 } 305 KFREES(softa->ipf_auth_pkts, 306 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); 307 softa->ipf_auth_pkts = NULL; 308 } 309 310 faep = &softa->ipf_auth_entries; 311 while ((fae = *faep) != NULL) { 312 *faep = fae->fae_next; 313 KFREE(fae); 314 } 315 softa->ipf_auth_ip = NULL; 316 317 if (softa->ipf_auth_rules != NULL) { 318 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 319 if (fr->fr_ref == 1) { 320 *frp = fr->fr_next; 321 MUTEX_DESTROY(&fr->fr_lock); 322 KFREE(fr); 323 } else 324 frp = &fr->fr_next; 325 } 326 } 327 328 return 0; 329} 330 331 332/* ------------------------------------------------------------------------ */ 333/* Function: ipf_auth_soft_destroy */ 334/* Returns: void */ 335/* Parameters: softc(I) - pointer to soft context data */ 336/* arg(I) - opaque pointer to auth context data */ 337/* */ 338/* Undo what was done in _create() - i.e. free the soft context data. */ 339/* ------------------------------------------------------------------------ */ 340void 341ipf_auth_soft_destroy(ipf_main_softc_t *softc, void *arg) 342{ 343 ipf_auth_softc_t *softa = arg; 344 345# if SOLARIS && defined(_KERNEL) 346 cv_destroy(&softa->ipf_auth_wait); 347# endif 348 MUTEX_DESTROY(&softa->ipf_auth_mx); 349 RW_DESTROY(&softa->ipf_authlk); 350 351 KFREE(softa); 352} 353 354 355/* ------------------------------------------------------------------------ */ 356/* Function: ipf_auth_setlock */ 357/* Returns: void */ 358/* Paramters: arg(I) - pointer to soft context data */ 359/* tmp(I) - value to assign to auth lock */ 360/* */ 361/* ------------------------------------------------------------------------ */ 362void 363ipf_auth_setlock(void *arg, int tmp) 364{ 365 ipf_auth_softc_t *softa = arg; 366 367 softa->ipf_auth_lock = tmp; 368} 369 370 371/* ------------------------------------------------------------------------ */ 372/* Function: ipf_auth_check */ 373/* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */ 374/* Parameters: fin(I) - pointer to ipftoken structure */ 375/* passp(I) - pointer to ipfgeniter structure */ 376/* */ 377/* Check if a packet has authorization. If the packet is found to match an */ 378/* authorization result and that would result in a feedback loop (i.e. it */ 379/* will end up returning FR_AUTH) then return FR_BLOCK instead. */ 380/* ------------------------------------------------------------------------ */ 381frentry_t * 382ipf_auth_check(fr_info_t *fin, u_32_t *passp) 383{ 384 ipf_main_softc_t *softc = fin->fin_main_soft; 385 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 386 frentry_t *fr; 387 frauth_t *fra; 388 u_32_t pass; 389 u_short id; 390 ip_t *ip; 391 int i; 392 393 if (softa->ipf_auth_lock || !softa->ipf_auth_used) 394 return NULL; 395 396 ip = fin->fin_ip; 397 id = ip->ip_id; 398 399 READ_ENTER(&softa->ipf_authlk); 400 for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) { 401 /* 402 * index becomes -2 only after an SIOCAUTHW. Check this in 403 * case the same packet gets sent again and it hasn't yet been 404 * auth'd. 405 */ 406 fra = softa->ipf_auth + i; 407 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) && 408 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) { 409 /* 410 * Avoid feedback loop. 411 */ 412 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) { 413 pass = FR_BLOCK; 414 fin->fin_reason = FRB_AUTHFEEDBACK; 415 } 416 /* 417 * Create a dummy rule for the stateful checking to 418 * use and return. Zero out any values we don't 419 * trust from userland! 420 */ 421 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) && 422 (fin->fin_flx & FI_FRAG))) { 423 KMALLOC(fr, frentry_t *); 424 if (fr) { 425 bcopy((char *)fra->fra_info.fin_fr, 426 (char *)fr, sizeof(*fr)); 427 fr->fr_grp = NULL; 428 fr->fr_ifa = fin->fin_ifp; 429 fr->fr_func = NULL; 430 fr->fr_ref = 1; 431 fr->fr_flags = pass; 432 fr->fr_ifas[1] = NULL; 433 fr->fr_ifas[2] = NULL; 434 fr->fr_ifas[3] = NULL; 435 MUTEX_INIT(&fr->fr_lock, 436 "ipf auth rule"); 437 } 438 } else 439 fr = fra->fra_info.fin_fr; 440 fin->fin_fr = fr; 441 fin->fin_flx |= fra->fra_flx; 442 RWLOCK_EXIT(&softa->ipf_authlk); 443 444 WRITE_ENTER(&softa->ipf_authlk); 445 /* 446 * ipf_auth_rules is populated with the rules malloc'd 447 * above and only those. 448 */ 449 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) { 450 fr->fr_next = softa->ipf_auth_rules; 451 softa->ipf_auth_rules = fr; 452 } 453 softa->ipf_auth_stats.fas_hits++; 454 fra->fra_index = -1; 455 softa->ipf_auth_used--; 456 softa->ipf_auth_replies--; 457 if (i == softa->ipf_auth_start) { 458 while (fra->fra_index == -1) { 459 i++; 460 fra++; 461 if (i == softa->ipf_auth_size) { 462 i = 0; 463 fra = softa->ipf_auth; 464 } 465 softa->ipf_auth_start = i; 466 if (i == softa->ipf_auth_end) 467 break; 468 } 469 if (softa->ipf_auth_start == 470 softa->ipf_auth_end) { 471 softa->ipf_auth_next = 0; 472 softa->ipf_auth_start = 0; 473 softa->ipf_auth_end = 0; 474 } 475 } 476 RWLOCK_EXIT(&softa->ipf_authlk); 477 if (passp != NULL) 478 *passp = pass; 479 softa->ipf_auth_stats.fas_hits++; 480 return fr; 481 } 482 i++; 483 if (i == softa->ipf_auth_size) 484 i = 0; 485 } 486 RWLOCK_EXIT(&softa->ipf_authlk); 487 softa->ipf_auth_stats.fas_miss++; 488 return NULL; 489} 490 491 492/* ------------------------------------------------------------------------ */ 493/* Function: ipf_auth_new */ 494/* Returns: int - 1 == success, 0 = did not put packet on auth queue */ 495/* Parameters: m(I) - pointer to mb_t with packet in it */ 496/* fin(I) - pointer to packet information */ 497/* */ 498/* Check if we have room in the auth array to hold details for another */ 499/* packet. If we do, store it and wake up any user programs which are */ 500/* waiting to hear about these events. */ 501/* ------------------------------------------------------------------------ */ 502int 503ipf_auth_new(mb_t *m, fr_info_t *fin) 504{ 505 ipf_main_softc_t *softc = fin->fin_main_soft; 506 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 507#if defined(_KERNEL) && defined(MENTAT) 508 qpktinfo_t *qpi = fin->fin_qpi; 509#endif 510 frauth_t *fra; 511#if !defined(sparc) && !defined(m68k) 512 ip_t *ip; 513#endif 514 int i; 515 516 if (softa->ipf_auth_lock) 517 return 0; 518 519 WRITE_ENTER(&softa->ipf_authlk); 520 if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) == 521 softa->ipf_auth_start) { 522 softa->ipf_auth_stats.fas_nospace++; 523 RWLOCK_EXIT(&softa->ipf_authlk); 524 return 0; 525 } 526 527 softa->ipf_auth_stats.fas_added++; 528 softa->ipf_auth_used++; 529 i = softa->ipf_auth_end++; 530 if (softa->ipf_auth_end == softa->ipf_auth_size) 531 softa->ipf_auth_end = 0; 532 533 fra = softa->ipf_auth + i; 534 fra->fra_index = i; 535 if (fin->fin_fr != NULL) 536 fra->fra_pass = fin->fin_fr->fr_flags; 537 else 538 fra->fra_pass = 0; 539 fra->fra_age = softa->ipf_auth_defaultage; 540 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin)); 541 fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED); 542 fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED); 543#if !defined(sparc) && !defined(m68k) 544 /* 545 * No need to copyback here as we want to undo the changes, not keep 546 * them. 547 */ 548 ip = fin->fin_ip; 549# if defined(MENTAT) && defined(_KERNEL) 550 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4)) 551# endif 552 { 553 register u_short bo; 554 555 bo = ip->ip_len; 556 ip->ip_len = htons(bo); 557 bo = ip->ip_off; 558 ip->ip_off = htons(bo); 559 } 560#endif 561#if SOLARIS && defined(_KERNEL) 562 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname); 563 m->b_rptr -= qpi->qpi_off; 564 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */ 565 fra->fra_m = *fin->fin_mp; 566 fra->fra_info.fin_mp = &fra->fra_m; 567 softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp; 568 RWLOCK_EXIT(&softa->ipf_authlk); 569 cv_signal(&softa->ipf_auth_wait); 570 pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM); 571#else 572 softa->ipf_auth_pkts[i] = m; 573 RWLOCK_EXIT(&softa->ipf_authlk); 574 WAKEUP(&softa->ipf_auth_next, 0); 575#endif 576 return 1; 577} 578 579 580/* ------------------------------------------------------------------------ */ 581/* Function: ipf_auth_ioctl */ 582/* Returns: int - 0 == success, else error */ 583/* Parameters: data(IO) - pointer to ioctl data */ 584/* cmd(I) - ioctl command */ 585/* mode(I) - mode flags associated with open descriptor */ 586/* uid(I) - uid associatd with application making the call */ 587/* ctx(I) - pointer for context */ 588/* */ 589/* This function handles all of the ioctls recognised by the auth component */ 590/* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */ 591/* ------------------------------------------------------------------------ */ 592int 593ipf_auth_ioctl(ipf_main_softc_t *softc, void *data, ioctlcmd_t cmd, int mode, 594 int uid, void *ctx) 595{ 596 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 597 int error = 0, i; 598 SPL_INT(s); 599 600 switch (cmd) 601 { 602 case SIOCGENITER : 603 { 604 ipftoken_t *token; 605 ipfgeniter_t iter; 606 ipfobj_t obj; 607 608 error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER); 609 if (error != 0) 610 break; 611 612 SPL_SCHED(s); 613 token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx); 614 if (token != NULL) 615 error = ipf_auth_geniter(softc, token, &iter, &obj); 616 else { 617 WRITE_ENTER(&softc->ipf_tokens); 618 ipf_token_deref(softc, token); 619 RWLOCK_EXIT(&softc->ipf_tokens); 620 IPFERROR(10001); 621 error = ESRCH; 622 } 623 SPL_X(s); 624 625 break; 626 } 627 628 case SIOCADAFR : 629 case SIOCRMAFR : 630 if (!(mode & FWRITE)) { 631 IPFERROR(10002); 632 error = EPERM; 633 } else 634 error = frrequest(softc, IPL_LOGAUTH, cmd, data, 635 softc->ipf_active, 1); 636 break; 637 638 case SIOCSTLCK : 639 if (!(mode & FWRITE)) { 640 IPFERROR(10003); 641 error = EPERM; 642 } else { 643 error = ipf_lock(data, &softa->ipf_auth_lock); 644 } 645 break; 646 647 case SIOCATHST: 648 softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries; 649 error = ipf_outobj(softc, data, &softa->ipf_auth_stats, 650 IPFOBJ_AUTHSTAT); 651 break; 652 653 case SIOCIPFFL: 654 SPL_NET(s); 655 WRITE_ENTER(&softa->ipf_authlk); 656 i = ipf_auth_flush(softa); 657 RWLOCK_EXIT(&softa->ipf_authlk); 658 SPL_X(s); 659 error = BCOPYOUT(&i, data, sizeof(i)); 660 if (error != 0) { 661 IPFERROR(10004); 662 error = EFAULT; 663 } 664 break; 665 666 case SIOCAUTHW: 667 error = ipf_auth_wait(softc, softa, data); 668 break; 669 670 case SIOCAUTHR: 671 error = ipf_auth_reply(softc, softa, data); 672 break; 673 674 default : 675 IPFERROR(10005); 676 error = EINVAL; 677 break; 678 } 679 return error; 680} 681 682 683/* ------------------------------------------------------------------------ */ 684/* Function: ipf_auth_expire */ 685/* Returns: None */ 686/* Parameters: None */ 687/* */ 688/* Slowly expire held auth records. Timeouts are set in expectation of */ 689/* this being called twice per second. */ 690/* ------------------------------------------------------------------------ */ 691void 692ipf_auth_expire(ipf_main_softc_t *softc) 693{ 694 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 695 frauthent_t *fae, **faep; 696 frentry_t *fr, **frp; 697 frauth_t *fra; 698 mb_t *m; 699 int i; 700 SPL_INT(s); 701 702 if (softa->ipf_auth_lock) 703 return; 704 SPL_NET(s); 705 WRITE_ENTER(&softa->ipf_authlk); 706 for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size; 707 i++, fra++) { 708 fra->fra_age--; 709 if ((fra->fra_age == 0) && 710 (softa->ipf_auth[i].fra_index != -1)) { 711 if ((m = softa->ipf_auth_pkts[i]) != NULL) { 712 FREE_MB_T(m); 713 softa->ipf_auth_pkts[i] = NULL; 714 } else if (softa->ipf_auth[i].fra_index == -2) { 715 softa->ipf_auth_replies--; 716 } 717 softa->ipf_auth[i].fra_index = -1; 718 softa->ipf_auth_stats.fas_expire++; 719 softa->ipf_auth_used--; 720 } 721 } 722 723 /* 724 * Expire pre-auth rules 725 */ 726 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 727 fae->fae_age--; 728 if (fae->fae_age == 0) { 729 ipf_auth_deref(&fae); 730 softa->ipf_auth_stats.fas_expire++; 731 } else 732 faep = &fae->fae_next; 733 } 734 if (softa->ipf_auth_entries != NULL) 735 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 736 else 737 softa->ipf_auth_ip = NULL; 738 739 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { 740 if (fr->fr_ref == 1) { 741 *frp = fr->fr_next; 742 MUTEX_DESTROY(&fr->fr_lock); 743 KFREE(fr); 744 } else 745 frp = &fr->fr_next; 746 } 747 RWLOCK_EXIT(&softa->ipf_authlk); 748 SPL_X(s); 749} 750 751 752/* ------------------------------------------------------------------------ */ 753/* Function: ipf_auth_precmd */ 754/* Returns: int - 0 == success, else error */ 755/* Parameters: cmd(I) - ioctl command for rule */ 756/* fr(I) - pointer to ipf rule */ 757/* fptr(I) - pointer to caller's 'fr' */ 758/* */ 759/* ------------------------------------------------------------------------ */ 760int 761ipf_auth_precmd(ipf_main_softc_t *softc, ioctlcmd_t cmd, frentry_t *fr, 762 frentry_t **frptr) 763{ 764 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 765 frauthent_t *fae, **faep; 766 int error = 0; 767 SPL_INT(s); 768 769 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) { 770 IPFERROR(10006); 771 return EIO; 772 } 773 774 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { 775 if (&fae->fae_fr == fr) 776 break; 777 else 778 faep = &fae->fae_next; 779 } 780 781 if (cmd == (ioctlcmd_t)SIOCRMAFR) { 782 if (fr == NULL || frptr == NULL) { 783 IPFERROR(10007); 784 error = EINVAL; 785 786 } else if (fae == NULL) { 787 IPFERROR(10008); 788 error = ESRCH; 789 790 } else { 791 SPL_NET(s); 792 WRITE_ENTER(&softa->ipf_authlk); 793 *faep = fae->fae_next; 794 if (softa->ipf_auth_ip == &fae->fae_fr) 795 softa->ipf_auth_ip = softa->ipf_auth_entries ? 796 &softa->ipf_auth_entries->fae_fr : NULL; 797 RWLOCK_EXIT(&softa->ipf_authlk); 798 SPL_X(s); 799 800 KFREE(fae); 801 } 802 } else if (fr != NULL && frptr != NULL) { 803 KMALLOC(fae, frauthent_t *); 804 if (fae != NULL) { 805 bcopy((char *)fr, (char *)&fae->fae_fr, 806 sizeof(*fr)); 807 SPL_NET(s); 808 WRITE_ENTER(&softa->ipf_authlk); 809 fae->fae_age = softa->ipf_auth_defaultage; 810 fae->fae_fr.fr_hits = 0; 811 fae->fae_fr.fr_next = *frptr; 812 fae->fae_ref = 1; 813 *frptr = &fae->fae_fr; 814 fae->fae_next = *faep; 815 *faep = fae; 816 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; 817 RWLOCK_EXIT(&softa->ipf_authlk); 818 SPL_X(s); 819 } else { 820 IPFERROR(10009); 821 error = ENOMEM; 822 } 823 } else { 824 IPFERROR(10010); 825 error = EINVAL; 826 } 827 return error; 828} 829 830 831/* ------------------------------------------------------------------------ */ 832/* Function: ipf_auth_flush */ 833/* Returns: int - number of auth entries flushed */ 834/* Parameters: None */ 835/* Locks: WRITE(ipf_authlk) */ 836/* */ 837/* This function flushs the ipf_auth_pkts array of any packet data with */ 838/* references still there. */ 839/* It is expected that the caller has already acquired the correct locks or */ 840/* set the priority level correctly for this to block out other code paths */ 841/* into these data structures. */ 842/* ------------------------------------------------------------------------ */ 843static int 844ipf_auth_flush(void *arg) 845{ 846 ipf_auth_softc_t *softa = arg; 847 int i, num_flushed; 848 mb_t *m; 849 850 if (softa->ipf_auth_lock) 851 return -1; 852 853 num_flushed = 0; 854 855 for (i = 0 ; i < softa->ipf_auth_size; i++) { 856 if (softa->ipf_auth[i].fra_index != -1) { 857 m = softa->ipf_auth_pkts[i]; 858 if (m != NULL) { 859 FREE_MB_T(m); 860 softa->ipf_auth_pkts[i] = NULL; 861 } 862 863 softa->ipf_auth[i].fra_index = -1; 864 /* perhaps add & use a flush counter inst.*/ 865 softa->ipf_auth_stats.fas_expire++; 866 num_flushed++; 867 } 868 } 869 870 softa->ipf_auth_start = 0; 871 softa->ipf_auth_end = 0; 872 softa->ipf_auth_next = 0; 873 softa->ipf_auth_used = 0; 874 softa->ipf_auth_replies = 0; 875 876 return num_flushed; 877} 878 879 880/* ------------------------------------------------------------------------ */ 881/* Function: ipf_auth_waiting */ 882/* Returns: int - number of packets in the auth queue */ 883/* Parameters: None */ 884/* */ 885/* Simple truth check to see if there are any packets waiting in the auth */ 886/* queue. */ 887/* ------------------------------------------------------------------------ */ 888int 889ipf_auth_waiting(ipf_main_softc_t *softc) 890{ 891 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 892 893 return (softa->ipf_auth_used != 0); 894} 895 896 897/* ------------------------------------------------------------------------ */ 898/* Function: ipf_auth_geniter */ 899/* Returns: int - 0 == success, else error */ 900/* Parameters: token(I) - pointer to ipftoken structure */ 901/* itp(I) - pointer to ipfgeniter structure */ 902/* objp(I) - pointer to ipf object destription */ 903/* */ 904/* Iterate through the list of entries in the auth queue list. */ 905/* objp is used here to get the location of where to do the copy out to. */ 906/* Stomping over various fields with new information will not harm anything */ 907/* ------------------------------------------------------------------------ */ 908static int 909ipf_auth_geniter(ipf_main_softc_t *softc, ipftoken_t *token, ipfgeniter_t *itp, 910 ipfobj_t *objp) 911{ 912 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 913 frauthent_t *fae, *next, zero; 914 int error; 915 916 if (itp->igi_data == NULL) { 917 IPFERROR(10011); 918 return EFAULT; 919 } 920 921 if (itp->igi_type != IPFGENITER_AUTH) { 922 IPFERROR(10012); 923 return EINVAL; 924 } 925 926 objp->ipfo_type = IPFOBJ_FRAUTH; 927 objp->ipfo_ptr = itp->igi_data; 928 objp->ipfo_size = sizeof(frauth_t); 929 930 READ_ENTER(&softa->ipf_authlk); 931 932 fae = token->ipt_data; 933 if (fae == NULL) { 934 next = softa->ipf_auth_entries; 935 } else { 936 next = fae->fae_next; 937 } 938 939 /* 940 * If we found an auth entry to use, bump its reference count 941 * so that it can be used for is_next when we come back. 942 */ 943 if (next != NULL) { 944 ATOMIC_INC(next->fae_ref); 945 token->ipt_data = next; 946 } else { 947 bzero(&zero, sizeof(zero)); 948 next = &zero; 949 token->ipt_data = NULL; 950 } 951 952 RWLOCK_EXIT(&softa->ipf_authlk); 953 954 error = ipf_outobjk(softc, objp, next); 955 if (fae != NULL) 956 ipf_auth_deref_unlocked(softa, &fae); 957 958 if (next->fae_next == NULL) 959 ipf_token_mark_complete(token); 960 return error; 961} 962 963 964/* ------------------------------------------------------------------------ */ 965/* Function: ipf_auth_deref_unlocked */ 966/* Returns: None */ 967/* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 968/* */ 969/* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */ 970/* held. */ 971/* ------------------------------------------------------------------------ */ 972static void 973ipf_auth_deref_unlocked(ipf_auth_softc_t *softa, frauthent_t **faep) 974{ 975 WRITE_ENTER(&softa->ipf_authlk); 976 ipf_auth_deref(faep); 977 RWLOCK_EXIT(&softa->ipf_authlk); 978} 979 980 981/* ------------------------------------------------------------------------ */ 982/* Function: ipf_auth_deref */ 983/* Returns: None */ 984/* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ 985/* Locks: WRITE(ipf_authlk) */ 986/* */ 987/* This function unconditionally sets the pointer in the caller to NULL, */ 988/* to make it clear that it should no longer use that pointer, and drops */ 989/* the reference count on the structure by 1. If it reaches 0, free it up. */ 990/* ------------------------------------------------------------------------ */ 991static void 992ipf_auth_deref(frauthent_t **faep) 993{ 994 frauthent_t *fae; 995 996 fae = *faep; 997 *faep = NULL; 998 999 fae->fae_ref--; 1000 if (fae->fae_ref == 0) { 1001 KFREE(fae); 1002 } 1003} 1004 1005 1006/* ------------------------------------------------------------------------ */ 1007/* Function: ipf_auth_wait_pkt */ 1008/* Returns: int - 0 == success, else error */ 1009/* Parameters: data(I) - pointer to data from ioctl call */ 1010/* */ 1011/* This function is called when an application is waiting for a packet to */ 1012/* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */ 1013/* a packet waiting on the queue then we will return that _one_ immediately.*/ 1014/* If there are no packets present in the queue (ipf_auth_pkts) then we go */ 1015/* to sleep. */ 1016/* ------------------------------------------------------------------------ */ 1017static int 1018ipf_auth_wait(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data) 1019{ 1020 frauth_t auth, *au = &auth; 1021 int error, len, i; 1022 mb_t *m; 1023 char *t; 1024 SPL_INT(s); 1025 1026ipf_auth_ioctlloop: 1027 error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH); 1028 if (error != 0) 1029 return error; 1030 1031 /* 1032 * XXX Locks are held below over calls to copyout...a better 1033 * solution needs to be found so this isn't necessary. The situation 1034 * we are trying to guard against here is an error in the copyout 1035 * steps should not cause the packet to "disappear" from the queue. 1036 */ 1037 SPL_NET(s); 1038 READ_ENTER(&softa->ipf_authlk); 1039 1040 /* 1041 * If ipf_auth_next is not equal to ipf_auth_end it will be because 1042 * there is a packet waiting to be delt with in the ipf_auth_pkts 1043 * array. We copy as much of that out to user space as requested. 1044 */ 1045 if (softa->ipf_auth_used > 0) { 1046 while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) { 1047 softa->ipf_auth_next++; 1048 if (softa->ipf_auth_next == softa->ipf_auth_size) 1049 softa->ipf_auth_next = 0; 1050 } 1051 1052 error = ipf_outobj(softc, data, 1053 &softa->ipf_auth[softa->ipf_auth_next], 1054 IPFOBJ_FRAUTH); 1055 if (error != 0) { 1056 RWLOCK_EXIT(&softa->ipf_authlk); 1057 SPL_X(s); 1058 return error; 1059 } 1060 1061 if (auth.fra_len != 0 && auth.fra_buf != NULL) { 1062 /* 1063 * Copy packet contents out to user space if 1064 * requested. Bail on an error. 1065 */ 1066 m = softa->ipf_auth_pkts[softa->ipf_auth_next]; 1067 len = MSGDSIZE(m); 1068 if (len > auth.fra_len) 1069 len = auth.fra_len; 1070 auth.fra_len = len; 1071 1072 for (t = auth.fra_buf; m && (len > 0); ) { 1073 i = MIN(M_LEN(m), len); 1074 error = copyoutptr(softc, MTOD(m, char *), 1075 &t, i); 1076 len -= i; 1077 t += i; 1078 if (error != 0) { 1079 RWLOCK_EXIT(&softa->ipf_authlk); 1080 SPL_X(s); 1081 return error; 1082 } 1083 m = m->m_next; 1084 } 1085 } 1086 RWLOCK_EXIT(&softa->ipf_authlk); 1087 1088 SPL_NET(s); 1089 WRITE_ENTER(&softa->ipf_authlk); 1090 softa->ipf_auth_next++; 1091 if (softa->ipf_auth_next == softa->ipf_auth_size) 1092 softa->ipf_auth_next = 0; 1093 RWLOCK_EXIT(&softa->ipf_authlk); 1094 SPL_X(s); 1095 1096 return 0; 1097 } 1098 RWLOCK_EXIT(&softa->ipf_authlk); 1099 SPL_X(s); 1100 1101 MUTEX_ENTER(&softa->ipf_auth_mx); 1102#ifdef _KERNEL 1103# if SOLARIS 1104 error = 0; 1105 if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) { 1106 IPFERROR(10014); 1107 error = EINTR; 1108 } 1109# else /* SOLARIS */ 1110# ifdef __hpux 1111 { 1112 lock_t *l; 1113 1114 l = get_sleep_lock(&softa->ipf_auth_next); 1115 error = sleep(&softa->ipf_auth_next, PZERO+1); 1116 spinunlock(l); 1117 } 1118# else 1119# ifdef __osf__ 1120 error = mpsleep(&softa->ipf_auth_next, PSUSP|PCATCH, "ipf_auth_next", 1121 0, &softa->ipf_auth_mx, MS_LOCK_SIMPLE); 1122# else 1123 error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next"); 1124# endif /* __osf__ */ 1125# endif /* __hpux */ 1126# endif /* SOLARIS */ 1127#endif 1128 MUTEX_EXIT(&softa->ipf_auth_mx); 1129 if (error == 0) 1130 goto ipf_auth_ioctlloop; 1131 return error; 1132} 1133 1134 1135/* ------------------------------------------------------------------------ */ 1136/* Function: ipf_auth_reply */ 1137/* Returns: int - 0 == success, else error */ 1138/* Parameters: data(I) - pointer to data from ioctl call */ 1139/* */ 1140/* This function is called by an application when it wants to return a */ 1141/* decision on a packet using the SIOCAUTHR ioctl. This is after it has */ 1142/* received information using an SIOCAUTHW. The decision returned in the */ 1143/* form of flags, the same as those used in each rule. */ 1144/* ------------------------------------------------------------------------ */ 1145static int 1146ipf_auth_reply(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data) 1147{ 1148 frauth_t auth, *au = &auth, *fra; 1149 fr_info_t fin; 1150 int error, i; 1151#ifdef _KERNEL 1152 mb_t *m; 1153#endif 1154 SPL_INT(s); 1155 1156 error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH); 1157 if (error != 0) 1158 return error; 1159 1160 SPL_NET(s); 1161 WRITE_ENTER(&softa->ipf_authlk); 1162 1163 i = au->fra_index; 1164 fra = softa->ipf_auth + i; 1165 error = 0; 1166 1167 /* 1168 * Check the validity of the information being returned with two simple 1169 * checks. First, the auth index value should be within the size of 1170 * the array and second the packet id being returned should also match. 1171 */ 1172 if ((i < 0) || (i >= softa->ipf_auth_size)) { 1173 RWLOCK_EXIT(&softa->ipf_authlk); 1174 SPL_X(s); 1175 IPFERROR(10015); 1176 return ESRCH; 1177 } 1178 if (fra->fra_info.fin_id != au->fra_info.fin_id) { 1179 RWLOCK_EXIT(&softa->ipf_authlk); 1180 SPL_X(s); 1181 IPFERROR(10019); 1182 return ESRCH; 1183 } 1184 1185 fra->fra_index = -2; 1186 fra->fra_pass = au->fra_pass; 1187#ifdef _KERNEL 1188 m = softa->ipf_auth_pkts[i]; 1189#endif 1190 softa->ipf_auth_pkts[i] = NULL; 1191 softa->ipf_auth_replies++; 1192 bcopy(&fra->fra_info, &fin, sizeof(fin)); 1193 1194 RWLOCK_EXIT(&softa->ipf_authlk); 1195 1196 /* 1197 * Re-insert the packet back into the packet stream flowing through 1198 * the kernel in a manner that will mean IPFilter sees the packet 1199 * again. This is not the same as is done with fastroute, 1200 * deliberately, as we want to resume the normal packet processing 1201 * path for it. 1202 */ 1203#ifdef _KERNEL 1204 if ((m != NULL) && (au->fra_info.fin_out != 0)) { 1205 error = ipf_inject(&fin, m); 1206 if (error != 0) { 1207 IPFERROR(10016); 1208 error = ENOBUFS; 1209 softa->ipf_auth_stats.fas_sendfail++; 1210 } else { 1211 softa->ipf_auth_stats.fas_sendok++; 1212 } 1213 } else if (m) { 1214 error = ipf_inject(&fin, m); 1215 if (error != 0) { 1216 IPFERROR(10017); 1217 error = ENOBUFS; 1218 softa->ipf_auth_stats.fas_quefail++; 1219 } else { 1220 softa->ipf_auth_stats.fas_queok++; 1221 } 1222 } else { 1223 IPFERROR(10018); 1224 error = EINVAL; 1225 } 1226 1227 /* 1228 * If we experience an error which will result in the packet 1229 * not being processed, make sure we advance to the next one. 1230 */ 1231 if (error == ENOBUFS) { 1232 WRITE_ENTER(&softa->ipf_authlk); 1233 softa->ipf_auth_used--; 1234 fra->fra_index = -1; 1235 fra->fra_pass = 0; 1236 if (i == softa->ipf_auth_start) { 1237 while (fra->fra_index == -1) { 1238 i++; 1239 if (i == softa->ipf_auth_size) 1240 i = 0; 1241 softa->ipf_auth_start = i; 1242 if (i == softa->ipf_auth_end) 1243 break; 1244 } 1245 if (softa->ipf_auth_start == softa->ipf_auth_end) { 1246 softa->ipf_auth_next = 0; 1247 softa->ipf_auth_start = 0; 1248 softa->ipf_auth_end = 0; 1249 } 1250 } 1251 RWLOCK_EXIT(&softa->ipf_authlk); 1252 } 1253#endif /* _KERNEL */ 1254 SPL_X(s); 1255 1256 return 0; 1257} 1258 1259 1260u_32_t 1261ipf_auth_pre_scanlist(ipf_main_softc_t *softc, fr_info_t *fin, u_32_t pass) 1262{ 1263 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1264 1265 if (softa->ipf_auth_ip != NULL) 1266 return ipf_scanlist(fin, softc->ipf_pass); 1267 1268 return pass; 1269} 1270 1271 1272frentry_t ** 1273ipf_auth_rulehead(ipf_main_softc_t *softc) 1274{ 1275 ipf_auth_softc_t *softa = softc->ipf_auth_soft; 1276 1277 return &softa->ipf_auth_ip; 1278} 1279