1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2001 Daniel Hartmeier
5 * Copyright (c) 2002,2003 Henning Brauer
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * - Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * - Redistributions in binary form must reproduce the above
15 * copyright notice, this list of conditions and the following
16 * disclaimer in the documentation and/or other materials provided
17 * with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 *
32 * Effort sponsored in part by the Defense Advanced Research Projects
33 * Agency (DARPA) and Air Force Research Laboratory, Air Force
34 * Materiel Command, USAF, under agreement number F30602-01-2-0537.
35 *
36 * $OpenBSD: pf_ruleset.c,v 1.2 2008/12/18 15:31:37 dhill Exp $
37 */
38
39 #include <sys/cdefs.h>
40 __FBSDID("$FreeBSD$");
41
42 #include <sys/param.h>
43 #include <sys/socket.h>
44 #include <sys/systm.h>
45 #include <sys/refcount.h>
46 #include <sys/mbuf.h>
47
48 #include <netinet/in.h>
49 #include <netinet/in_systm.h>
50 #include <netinet/ip.h>
51 #include <netinet/tcp.h>
52
53 #include <net/if.h>
54 #include <net/vnet.h>
55 #include <net/pfvar.h>
56
57 #ifdef INET6
58 #include <netinet/ip6.h>
59 #endif /* INET6 */
60
61 #ifndef _KERNEL
62 #error "Kernel only file. Please use sbin/pfctl/pf_ruleset.c instead."
63 #endif
64
65 #define DPFPRINTF(format, x...) \
66 if (V_pf_status.debug >= PF_DEBUG_NOISY) \
67 printf(format , ##x)
68 #define rs_malloc(x) malloc(x, M_TEMP, M_NOWAIT|M_ZERO)
69 #define rs_free(x) free(x, M_TEMP)
70
71 VNET_DEFINE(struct pf_kanchor_global, pf_anchors);
72 VNET_DEFINE(struct pf_kanchor, pf_main_anchor);
73
74 static __inline int pf_kanchor_compare(struct pf_kanchor *,
75 struct pf_kanchor *);
76 static struct pf_kanchor *pf_find_kanchor(const char *);
77
78 RB_GENERATE(pf_kanchor_global, pf_kanchor, entry_global, pf_kanchor_compare);
79 RB_GENERATE(pf_kanchor_node, pf_kanchor, entry_node, pf_kanchor_compare);
80
81 static __inline int
pf_kanchor_compare(struct pf_kanchor * a,struct pf_kanchor * b)82 pf_kanchor_compare(struct pf_kanchor *a, struct pf_kanchor *b)
83 {
84 int c = strcmp(a->path, b->path);
85
86 return (c ? (c < 0 ? -1 : 1) : 0);
87 }
88
89 int
pf_get_ruleset_number(u_int8_t action)90 pf_get_ruleset_number(u_int8_t action)
91 {
92 switch (action) {
93 case PF_SCRUB:
94 case PF_NOSCRUB:
95 return (PF_RULESET_SCRUB);
96 break;
97 case PF_PASS:
98 case PF_DROP:
99 return (PF_RULESET_FILTER);
100 break;
101 case PF_NAT:
102 case PF_NONAT:
103 return (PF_RULESET_NAT);
104 break;
105 case PF_BINAT:
106 case PF_NOBINAT:
107 return (PF_RULESET_BINAT);
108 break;
109 case PF_RDR:
110 case PF_NORDR:
111 return (PF_RULESET_RDR);
112 break;
113 default:
114 return (PF_RULESET_MAX);
115 break;
116 }
117 }
118
119 static struct pf_kanchor *
pf_find_kanchor(const char * path)120 pf_find_kanchor(const char *path)
121 {
122 struct pf_kanchor *key, *found;
123
124 key = (struct pf_kanchor *)rs_malloc(sizeof(*key));
125 if (key == NULL)
126 return (NULL);
127 strlcpy(key->path, path, sizeof(key->path));
128 found = RB_FIND(pf_kanchor_global, &V_pf_anchors, key);
129 rs_free(key);
130 return (found);
131 }
132
133 void
pf_init_kruleset(struct pf_kruleset * ruleset)134 pf_init_kruleset(struct pf_kruleset *ruleset)
135 {
136 int i;
137
138 memset(ruleset, 0, sizeof(struct pf_kruleset));
139 for (i = 0; i < PF_RULESET_MAX; i++) {
140 TAILQ_INIT(&ruleset->rules[i].queues[0]);
141 TAILQ_INIT(&ruleset->rules[i].queues[1]);
142 ruleset->rules[i].active.ptr = &ruleset->rules[i].queues[0];
143 ruleset->rules[i].inactive.ptr = &ruleset->rules[i].queues[1];
144 }
145 }
146
147 struct pf_kruleset *
pf_find_kruleset(const char * path)148 pf_find_kruleset(const char *path)
149 {
150 struct pf_kanchor *anchor;
151
152 while (*path == '/')
153 path++;
154 if (!*path)
155 return (&pf_main_ruleset);
156 anchor = pf_find_kanchor(path);
157 if (anchor == NULL)
158 return (NULL);
159 else
160 return (&anchor->ruleset);
161 }
162
163 struct pf_kruleset *
pf_find_or_create_kruleset(const char * path)164 pf_find_or_create_kruleset(const char *path)
165 {
166 char *p, *q, *r;
167 struct pf_kruleset *ruleset;
168 struct pf_kanchor *anchor = NULL, *dup, *parent = NULL;
169
170 if (path[0] == 0)
171 return (&pf_main_ruleset);
172 while (*path == '/')
173 path++;
174 ruleset = pf_find_kruleset(path);
175 if (ruleset != NULL)
176 return (ruleset);
177 p = (char *)rs_malloc(MAXPATHLEN);
178 if (p == NULL)
179 return (NULL);
180 strlcpy(p, path, MAXPATHLEN);
181 while (parent == NULL && (q = strrchr(p, '/')) != NULL) {
182 *q = 0;
183 if ((ruleset = pf_find_kruleset(p)) != NULL) {
184 parent = ruleset->anchor;
185 break;
186 }
187 }
188 if (q == NULL)
189 q = p;
190 else
191 q++;
192 strlcpy(p, path, MAXPATHLEN);
193 if (!*q) {
194 rs_free(p);
195 return (NULL);
196 }
197 while ((r = strchr(q, '/')) != NULL || *q) {
198 if (r != NULL)
199 *r = 0;
200 if (!*q || strlen(q) >= PF_ANCHOR_NAME_SIZE ||
201 (parent != NULL && strlen(parent->path) >=
202 MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 1)) {
203 rs_free(p);
204 return (NULL);
205 }
206 anchor = (struct pf_kanchor *)rs_malloc(sizeof(*anchor));
207 if (anchor == NULL) {
208 rs_free(p);
209 return (NULL);
210 }
211 RB_INIT(&anchor->children);
212 strlcpy(anchor->name, q, sizeof(anchor->name));
213 if (parent != NULL) {
214 strlcpy(anchor->path, parent->path,
215 sizeof(anchor->path));
216 strlcat(anchor->path, "/", sizeof(anchor->path));
217 }
218 strlcat(anchor->path, anchor->name, sizeof(anchor->path));
219 if ((dup = RB_INSERT(pf_kanchor_global, &V_pf_anchors, anchor)) !=
220 NULL) {
221 printf("pf_find_or_create_ruleset: RB_INSERT1 "
222 "'%s' '%s' collides with '%s' '%s'\n",
223 anchor->path, anchor->name, dup->path, dup->name);
224 rs_free(anchor);
225 rs_free(p);
226 return (NULL);
227 }
228 if (parent != NULL) {
229 anchor->parent = parent;
230 if ((dup = RB_INSERT(pf_kanchor_node, &parent->children,
231 anchor)) != NULL) {
232 printf("pf_find_or_create_ruleset: "
233 "RB_INSERT2 '%s' '%s' collides with "
234 "'%s' '%s'\n", anchor->path, anchor->name,
235 dup->path, dup->name);
236 RB_REMOVE(pf_kanchor_global, &V_pf_anchors,
237 anchor);
238 rs_free(anchor);
239 rs_free(p);
240 return (NULL);
241 }
242 }
243 pf_init_kruleset(&anchor->ruleset);
244 anchor->ruleset.anchor = anchor;
245 parent = anchor;
246 if (r != NULL)
247 q = r + 1;
248 else
249 *q = 0;
250 }
251 rs_free(p);
252 return (&anchor->ruleset);
253 }
254
255 void
pf_remove_if_empty_kruleset(struct pf_kruleset * ruleset)256 pf_remove_if_empty_kruleset(struct pf_kruleset *ruleset)
257 {
258 struct pf_kanchor *parent;
259 int i;
260
261 while (ruleset != NULL) {
262 if (ruleset == &pf_main_ruleset || ruleset->anchor == NULL ||
263 !RB_EMPTY(&ruleset->anchor->children) ||
264 ruleset->anchor->refcnt > 0 || ruleset->tables > 0 ||
265 ruleset->topen)
266 return;
267 for (i = 0; i < PF_RULESET_MAX; ++i)
268 if (!TAILQ_EMPTY(ruleset->rules[i].active.ptr) ||
269 !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) ||
270 ruleset->rules[i].inactive.open)
271 return;
272 RB_REMOVE(pf_kanchor_global, &V_pf_anchors, ruleset->anchor);
273 if ((parent = ruleset->anchor->parent) != NULL)
274 RB_REMOVE(pf_kanchor_node, &parent->children,
275 ruleset->anchor);
276 rs_free(ruleset->anchor);
277 if (parent == NULL)
278 return;
279 ruleset = &parent->ruleset;
280 }
281 }
282
283 int
pf_kanchor_setup(struct pf_krule * r,const struct pf_kruleset * s,const char * name)284 pf_kanchor_setup(struct pf_krule *r, const struct pf_kruleset *s,
285 const char *name)
286 {
287 char *p, *path;
288 struct pf_kruleset *ruleset;
289
290 r->anchor = NULL;
291 r->anchor_relative = 0;
292 r->anchor_wildcard = 0;
293 if (!name[0])
294 return (0);
295 path = (char *)rs_malloc(MAXPATHLEN);
296 if (path == NULL)
297 return (1);
298 if (name[0] == '/')
299 strlcpy(path, name + 1, MAXPATHLEN);
300 else {
301 /* relative path */
302 r->anchor_relative = 1;
303 if (s->anchor == NULL || !s->anchor->path[0])
304 path[0] = 0;
305 else
306 strlcpy(path, s->anchor->path, MAXPATHLEN);
307 while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
308 if (!path[0]) {
309 DPFPRINTF("pf_anchor_setup: .. beyond root\n");
310 rs_free(path);
311 return (1);
312 }
313 if ((p = strrchr(path, '/')) != NULL)
314 *p = 0;
315 else
316 path[0] = 0;
317 r->anchor_relative++;
318 name += 3;
319 }
320 if (path[0])
321 strlcat(path, "/", MAXPATHLEN);
322 strlcat(path, name, MAXPATHLEN);
323 }
324 if ((p = strrchr(path, '/')) != NULL && !strcmp(p, "/*")) {
325 r->anchor_wildcard = 1;
326 *p = 0;
327 }
328 ruleset = pf_find_or_create_kruleset(path);
329 rs_free(path);
330 if (ruleset == NULL || ruleset->anchor == NULL) {
331 DPFPRINTF("pf_anchor_setup: ruleset\n");
332 return (1);
333 }
334 r->anchor = ruleset->anchor;
335 r->anchor->refcnt++;
336 return (0);
337 }
338
339 int
pf_kanchor_copyout(const struct pf_kruleset * rs,const struct pf_krule * r,struct pfioc_rule * pr)340 pf_kanchor_copyout(const struct pf_kruleset *rs, const struct pf_krule *r,
341 struct pfioc_rule *pr)
342 {
343 pr->anchor_call[0] = 0;
344 if (r->anchor == NULL)
345 return (0);
346 if (!r->anchor_relative) {
347 strlcpy(pr->anchor_call, "/", sizeof(pr->anchor_call));
348 strlcat(pr->anchor_call, r->anchor->path,
349 sizeof(pr->anchor_call));
350 } else {
351 char *a, *p;
352 int i;
353
354 a = (char *)rs_malloc(MAXPATHLEN);
355 if (a == NULL)
356 return (1);
357 if (rs->anchor == NULL)
358 a[0] = 0;
359 else
360 strlcpy(a, rs->anchor->path, MAXPATHLEN);
361 for (i = 1; i < r->anchor_relative; ++i) {
362 if ((p = strrchr(a, '/')) == NULL)
363 p = a;
364 *p = 0;
365 strlcat(pr->anchor_call, "../",
366 sizeof(pr->anchor_call));
367 }
368 if (strncmp(a, r->anchor->path, strlen(a))) {
369 printf("pf_anchor_copyout: '%s' '%s'\n", a,
370 r->anchor->path);
371 rs_free(a);
372 return (1);
373 }
374 if (strlen(r->anchor->path) > strlen(a))
375 strlcat(pr->anchor_call, r->anchor->path + (a[0] ?
376 strlen(a) + 1 : 0), sizeof(pr->anchor_call));
377 rs_free(a);
378 }
379 if (r->anchor_wildcard)
380 strlcat(pr->anchor_call, pr->anchor_call[0] ? "/*" : "*",
381 sizeof(pr->anchor_call));
382 return (0);
383 }
384
385 void
pf_kanchor_remove(struct pf_krule * r)386 pf_kanchor_remove(struct pf_krule *r)
387 {
388 if (r->anchor == NULL)
389 return;
390 if (r->anchor->refcnt <= 0) {
391 printf("pf_anchor_remove: broken refcount\n");
392 r->anchor = NULL;
393 return;
394 }
395 if (!--r->anchor->refcnt)
396 pf_remove_if_empty_kruleset(&r->anchor->ruleset);
397 r->anchor = NULL;
398 }
399