1
2 /*
3 * Copyright (C) 2012 by Darren Reed.
4 *
5 * See the IPFILTER.LICENCE file for details on licencing.
6 */
7 #if defined(KERNEL) || defined(_KERNEL)
8 # undef KERNEL
9 # undef _KERNEL
10 # define KERNEL 1
11 # define _KERNEL 1
12 #endif
13 #include <sys/errno.h>
14 #include <sys/types.h>
15 #include <sys/param.h>
16 #include <sys/time.h>
17 #include <sys/file.h>
18 #if !defined(_KERNEL)
19 # include <stdio.h>
20 # include <stdlib.h>
21 # ifdef _STDC_C99
22 # include <stdbool.h>
23 # endif
24 # include <string.h>
25 # define _KERNEL
26 # include <sys/uio.h>
27 # undef _KERNEL
28 #endif
29 #if defined(_KERNEL) && defined(__FreeBSD__)
30 # include <sys/filio.h>
31 # include <sys/fcntl.h>
32 #else
33 # include <sys/ioctl.h>
34 #endif
35 # include <sys/protosw.h>
36 #include <sys/socket.h>
37 #if defined(_KERNEL)
38 # include <sys/systm.h>
39 # if !defined(__SVR4)
40 # include <sys/mbuf.h>
41 # endif
42 #endif
43 #if defined(__SVR4)
44 # include <sys/filio.h>
45 # include <sys/byteorder.h>
46 # ifdef _KERNEL
47 # include <sys/dditypes.h>
48 # endif
49 # include <sys/stream.h>
50 # include <sys/kmem.h>
51 #endif
52 #if defined(__FreeBSD__)
53 # include <sys/queue.h>
54 #endif
55 #if defined(__NetBSD__)
56 # include <machine/cpu.h>
57 #endif
58 #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
59 # include <sys/proc.h>
60 #endif
61 #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \
62 !defined(_KERNEL)
63 # include <stdbool.h>
64 #endif
65 #include <net/if.h>
66 #ifdef sun
67 # include <net/af.h>
68 #endif
69 #include <netinet/in.h>
70 #include <netinet/in_systm.h>
71 #include <netinet/ip.h>
72 # include <netinet/ip_var.h>
73 #if !defined(_KERNEL)
74 # define KERNEL
75 # define _KERNEL
76 # define NOT_KERNEL
77 #endif
78 #ifdef NOT_KERNEL
79 # undef _KERNEL
80 # undef KERNEL
81 #endif
82 #include <netinet/tcp.h>
83 #if defined(__FreeBSD__)
84 # include <net/if_var.h>
85 # define IF_QFULL _IF_QFULL
86 # define IF_DROP _IF_DROP
87 #endif
88 #include <netinet/in_var.h>
89 #include <netinet/tcp_fsm.h>
90 #include <netinet/udp.h>
91 #include <netinet/ip_icmp.h>
92 #include "netinet/ip_compat.h"
93 #include <netinet/tcpip.h>
94 #include "netinet/ip_fil.h"
95 #include "netinet/ip_auth.h"
96 #if !SOLARIS
97 # include <net/netisr.h>
98 # ifdef __FreeBSD__
99 # include <machine/cpufunc.h>
100 # endif
101 #endif
102 #if defined(__FreeBSD__)
103 # include <sys/malloc.h>
104 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
105 # include <sys/libkern.h>
106 # include <sys/systm.h>
107 # endif
108 #endif
109 /* END OF INCLUDES */
110
111 #if !defined(lint)
112 /* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.24 2007/09/09 11:32:04 darrenr Exp $"; */
113 #endif
114
115
116 static void ipf_auth_deref(frauthent_t **);
117 static void ipf_auth_deref_unlocked(ipf_auth_softc_t *, frauthent_t **);
118 static int ipf_auth_geniter(ipf_main_softc_t *, ipftoken_t *,
119 ipfgeniter_t *, ipfobj_t *);
120 static int ipf_auth_reply(ipf_main_softc_t *, ipf_auth_softc_t *, char *);
121 static int ipf_auth_wait(ipf_main_softc_t *, ipf_auth_softc_t *, char *);
122 static int ipf_auth_flush(void *);
123
124
125 /* ------------------------------------------------------------------------ */
126 /* Function: ipf_auth_main_load */
127 /* Returns: int - 0 == success, else error */
128 /* Parameters: None */
129 /* */
130 /* A null-op function that exists as a placeholder so that the flow in */
131 /* other functions is obvious. */
132 /* ------------------------------------------------------------------------ */
133 int
ipf_auth_main_load(void)134 ipf_auth_main_load(void)
135 {
136 return (0);
137 }
138
139
140 /* ------------------------------------------------------------------------ */
141 /* Function: ipf_auth_main_unload */
142 /* Returns: int - 0 == success, else error */
143 /* Parameters: None */
144 /* */
145 /* A null-op function that exists as a placeholder so that the flow in */
146 /* other functions is obvious. */
147 /* ------------------------------------------------------------------------ */
148 int
ipf_auth_main_unload(void)149 ipf_auth_main_unload(void)
150 {
151 return (0);
152 }
153
154
155 /* ------------------------------------------------------------------------ */
156 /* Function: ipf_auth_soft_create */
157 /* Returns: int - NULL = failure, else success */
158 /* Parameters: softc(I) - pointer to soft context data */
159 /* */
160 /* Create a structre to store all of the run-time data for packet auth in */
161 /* and initialise some fields to their defaults. */
162 /* ------------------------------------------------------------------------ */
163 void *
ipf_auth_soft_create(ipf_main_softc_t * softc)164 ipf_auth_soft_create(ipf_main_softc_t *softc)
165 {
166 ipf_auth_softc_t *softa;
167
168 KMALLOC(softa, ipf_auth_softc_t *);
169 if (softa == NULL)
170 return (NULL);
171
172 bzero((char *)softa, sizeof(*softa));
173
174 softa->ipf_auth_size = FR_NUMAUTH;
175 softa->ipf_auth_defaultage = 600;
176
177 RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock");
178 MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex");
179 #if SOLARIS && defined(_KERNEL)
180 cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL);
181 #endif
182
183 return (softa);
184 }
185
186 /* ------------------------------------------------------------------------ */
187 /* Function: ipf_auth_soft_init */
188 /* Returns: int - 0 == success, else error */
189 /* Parameters: softc(I) - pointer to soft context data */
190 /* arg(I) - opaque pointer to auth context data */
191 /* */
192 /* Allocate memory and initialise data structures used in handling auth */
193 /* rules. */
194 /* ------------------------------------------------------------------------ */
195 int
ipf_auth_soft_init(ipf_main_softc_t * softc,void * arg)196 ipf_auth_soft_init(ipf_main_softc_t *softc, void *arg)
197 {
198 ipf_auth_softc_t *softa = arg;
199
200 KMALLOCS(softa->ipf_auth, frauth_t *,
201 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
202 if (softa->ipf_auth == NULL)
203 return (-1);
204 bzero((char *)softa->ipf_auth,
205 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
206
207 KMALLOCS(softa->ipf_auth_pkts, mb_t **,
208 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
209 if (softa->ipf_auth_pkts == NULL)
210 return (-2);
211 bzero((char *)softa->ipf_auth_pkts,
212 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
213
214
215 return (0);
216 }
217
218
219 /* ------------------------------------------------------------------------ */
220 /* Function: ipf_auth_soft_fini */
221 /* Returns: int - 0 == success, else error */
222 /* Parameters: softc(I) - pointer to soft context data */
223 /* arg(I) - opaque pointer to auth context data */
224 /* */
225 /* Free all network buffer memory used to keep saved packets that have been */
226 /* connectedd to the soft soft context structure *but* do not free that: it */
227 /* is free'd by _destroy(). */
228 /* ------------------------------------------------------------------------ */
229 int
ipf_auth_soft_fini(ipf_main_softc_t * softc,void * arg)230 ipf_auth_soft_fini(ipf_main_softc_t *softc, void *arg)
231 {
232 ipf_auth_softc_t *softa = arg;
233 frauthent_t *fae, **faep;
234 frentry_t *fr, **frp;
235 mb_t *m;
236 int i;
237
238 if (softa->ipf_auth != NULL) {
239 KFREES(softa->ipf_auth,
240 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
241 softa->ipf_auth = NULL;
242 }
243
244 if (softa->ipf_auth_pkts != NULL) {
245 for (i = 0; i < softa->ipf_auth_size; i++) {
246 m = softa->ipf_auth_pkts[i];
247 if (m != NULL) {
248 FREE_MB_T(m);
249 softa->ipf_auth_pkts[i] = NULL;
250 }
251 }
252 KFREES(softa->ipf_auth_pkts,
253 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
254 softa->ipf_auth_pkts = NULL;
255 }
256
257 faep = &softa->ipf_auth_entries;
258 while ((fae = *faep) != NULL) {
259 *faep = fae->fae_next;
260 KFREE(fae);
261 }
262 softa->ipf_auth_ip = NULL;
263
264 if (softa->ipf_auth_rules != NULL) {
265 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) {
266 if (fr->fr_ref == 1) {
267 *frp = fr->fr_next;
268 MUTEX_DESTROY(&fr->fr_lock);
269 KFREE(fr);
270 } else
271 frp = &fr->fr_next;
272 }
273 }
274
275 return (0);
276 }
277
278
279 /* ------------------------------------------------------------------------ */
280 /* Function: ipf_auth_soft_destroy */
281 /* Returns: void */
282 /* Parameters: softc(I) - pointer to soft context data */
283 /* arg(I) - opaque pointer to auth context data */
284 /* */
285 /* Undo what was done in _create() - i.e. free the soft context data. */
286 /* ------------------------------------------------------------------------ */
287 void
ipf_auth_soft_destroy(ipf_main_softc_t * softc,void * arg)288 ipf_auth_soft_destroy(ipf_main_softc_t *softc, void *arg)
289 {
290 ipf_auth_softc_t *softa = arg;
291
292 #if SOLARIS && defined(_KERNEL)
293 cv_destroy(&softa->ipf_auth_wait);
294 #endif
295 MUTEX_DESTROY(&softa->ipf_auth_mx);
296 RW_DESTROY(&softa->ipf_authlk);
297
298 KFREE(softa);
299 }
300
301
302 /* ------------------------------------------------------------------------ */
303 /* Function: ipf_auth_setlock */
304 /* Returns: void */
305 /* Paramters: arg(I) - pointer to soft context data */
306 /* tmp(I) - value to assign to auth lock */
307 /* */
308 /* ------------------------------------------------------------------------ */
309 void
ipf_auth_setlock(void * arg,int tmp)310 ipf_auth_setlock(void *arg, int tmp)
311 {
312 ipf_auth_softc_t *softa = arg;
313
314 softa->ipf_auth_lock = tmp;
315 }
316
317
318 /* ------------------------------------------------------------------------ */
319 /* Function: ipf_auth_check */
320 /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */
321 /* Parameters: fin(I) - pointer to ipftoken structure */
322 /* passp(I) - pointer to ipfgeniter structure */
323 /* */
324 /* Check if a packet has authorization. If the packet is found to match an */
325 /* authorization result and that would result in a feedback loop (i.e. it */
326 /* will end up returning FR_AUTH) then return FR_BLOCK instead. */
327 /* ------------------------------------------------------------------------ */
328 frentry_t *
ipf_auth_check(fr_info_t * fin,u_32_t * passp)329 ipf_auth_check(fr_info_t *fin, u_32_t *passp)
330 {
331 ipf_main_softc_t *softc = fin->fin_main_soft;
332 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
333 frentry_t *fr;
334 frauth_t *fra;
335 u_32_t pass;
336 u_short id;
337 ip_t *ip;
338 int i;
339
340 if (softa->ipf_auth_lock || !softa->ipf_auth_used)
341 return (NULL);
342
343 ip = fin->fin_ip;
344 id = ip->ip_id;
345
346 READ_ENTER(&softa->ipf_authlk);
347 for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) {
348 /*
349 * index becomes -2 only after an SIOCAUTHW. Check this in
350 * case the same packet gets sent again and it hasn't yet been
351 * auth'd.
352 */
353 fra = softa->ipf_auth + i;
354 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
355 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
356 /*
357 * Avoid feedback loop.
358 */
359 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) {
360 pass = FR_BLOCK;
361 fin->fin_reason = FRB_AUTHFEEDBACK;
362 }
363 /*
364 * Create a dummy rule for the stateful checking to
365 * use and return. Zero out any values we don't
366 * trust from userland!
367 */
368 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
369 (fin->fin_flx & FI_FRAG))) {
370 KMALLOC(fr, frentry_t *);
371 if (fr) {
372 bcopy((char *)fra->fra_info.fin_fr,
373 (char *)fr, sizeof(*fr));
374 fr->fr_grp = NULL;
375 fr->fr_ifa = fin->fin_ifp;
376 fr->fr_func = NULL;
377 fr->fr_ref = 1;
378 fr->fr_flags = pass;
379 fr->fr_ifas[1] = NULL;
380 fr->fr_ifas[2] = NULL;
381 fr->fr_ifas[3] = NULL;
382 MUTEX_INIT(&fr->fr_lock,
383 "ipf auth rule");
384 }
385 } else
386 fr = fra->fra_info.fin_fr;
387 fin->fin_fr = fr;
388 fin->fin_flx |= fra->fra_flx;
389 RWLOCK_EXIT(&softa->ipf_authlk);
390
391 WRITE_ENTER(&softa->ipf_authlk);
392 /*
393 * ipf_auth_rules is populated with the rules malloc'd
394 * above and only those.
395 */
396 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) {
397 fr->fr_next = softa->ipf_auth_rules;
398 softa->ipf_auth_rules = fr;
399 }
400 softa->ipf_auth_stats.fas_hits++;
401 fra->fra_index = -1;
402 softa->ipf_auth_used--;
403 softa->ipf_auth_replies--;
404 if (i == softa->ipf_auth_start) {
405 while (fra->fra_index == -1) {
406 i++;
407 fra++;
408 if (i == softa->ipf_auth_size) {
409 i = 0;
410 fra = softa->ipf_auth;
411 }
412 softa->ipf_auth_start = i;
413 if (i == softa->ipf_auth_end)
414 break;
415 }
416 if (softa->ipf_auth_start ==
417 softa->ipf_auth_end) {
418 softa->ipf_auth_next = 0;
419 softa->ipf_auth_start = 0;
420 softa->ipf_auth_end = 0;
421 }
422 }
423 RWLOCK_EXIT(&softa->ipf_authlk);
424 if (passp != NULL)
425 *passp = pass;
426 softa->ipf_auth_stats.fas_hits++;
427 return (fr);
428 }
429 i++;
430 if (i == softa->ipf_auth_size)
431 i = 0;
432 }
433 RWLOCK_EXIT(&softa->ipf_authlk);
434 softa->ipf_auth_stats.fas_miss++;
435 return (NULL);
436 }
437
438
439 /* ------------------------------------------------------------------------ */
440 /* Function: ipf_auth_new */
441 /* Returns: int - 1 == success, 0 = did not put packet on auth queue */
442 /* Parameters: m(I) - pointer to mb_t with packet in it */
443 /* fin(I) - pointer to packet information */
444 /* */
445 /* Check if we have room in the auth array to hold details for another */
446 /* packet. If we do, store it and wake up any user programs which are */
447 /* waiting to hear about these events. */
448 /* ------------------------------------------------------------------------ */
449 int
ipf_auth_new(mb_t * m,fr_info_t * fin)450 ipf_auth_new(mb_t *m, fr_info_t *fin)
451 {
452 ipf_main_softc_t *softc = fin->fin_main_soft;
453 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
454 #if defined(_KERNEL) && SOLARIS
455 qpktinfo_t *qpi = fin->fin_qpi;
456 #endif
457 frauth_t *fra;
458 #if !defined(sparc) && !defined(m68k)
459 ip_t *ip;
460 #endif
461 int i;
462
463 if (softa->ipf_auth_lock)
464 return (0);
465
466 WRITE_ENTER(&softa->ipf_authlk);
467 if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) ==
468 softa->ipf_auth_start) {
469 softa->ipf_auth_stats.fas_nospace++;
470 RWLOCK_EXIT(&softa->ipf_authlk);
471 return (0);
472 }
473
474 softa->ipf_auth_stats.fas_added++;
475 softa->ipf_auth_used++;
476 i = softa->ipf_auth_end++;
477 if (softa->ipf_auth_end == softa->ipf_auth_size)
478 softa->ipf_auth_end = 0;
479
480 fra = softa->ipf_auth + i;
481 fra->fra_index = i;
482 if (fin->fin_fr != NULL)
483 fra->fra_pass = fin->fin_fr->fr_flags;
484 else
485 fra->fra_pass = 0;
486 fra->fra_age = softa->ipf_auth_defaultage;
487 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
488 fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED);
489 fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED);
490 #if !defined(sparc) && !defined(m68k)
491 /*
492 * No need to copyback here as we want to undo the changes, not keep
493 * them.
494 */
495 ip = fin->fin_ip;
496 # if SOLARIS && defined(_KERNEL)
497 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4))
498 # endif
499 {
500 register u_short bo;
501
502 bo = ip->ip_len;
503 ip->ip_len = htons(bo);
504 bo = ip->ip_off;
505 ip->ip_off = htons(bo);
506 }
507 #endif
508 #if SOLARIS && defined(_KERNEL)
509 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname);
510 m->b_rptr -= qpi->qpi_off;
511 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */
512 fra->fra_m = *fin->fin_mp;
513 fra->fra_info.fin_mp = &fra->fra_m;
514 softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp;
515 RWLOCK_EXIT(&softa->ipf_authlk);
516 cv_signal(&softa->ipf_auth_wait);
517 pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM);
518 #else
519 softa->ipf_auth_pkts[i] = m;
520 RWLOCK_EXIT(&softa->ipf_authlk);
521 WAKEUP(&softa->ipf_auth_next, 0);
522 #endif
523 return (1);
524 }
525
526
527 /* ------------------------------------------------------------------------ */
528 /* Function: ipf_auth_ioctl */
529 /* Returns: int - 0 == success, else error */
530 /* Parameters: data(IO) - pointer to ioctl data */
531 /* cmd(I) - ioctl command */
532 /* mode(I) - mode flags associated with open descriptor */
533 /* uid(I) - uid associatd with application making the call */
534 /* ctx(I) - pointer for context */
535 /* */
536 /* This function handles all of the ioctls recognised by the auth component */
537 /* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */
538 /* ------------------------------------------------------------------------ */
539 int
ipf_auth_ioctl(ipf_main_softc_t * softc,caddr_t data,ioctlcmd_t cmd,int mode,int uid,void * ctx)540 ipf_auth_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
541 int mode, int uid, void *ctx)
542 {
543 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
544 int error = 0, i;
545 SPL_INT(s);
546
547 switch (cmd)
548 {
549 case SIOCGENITER :
550 {
551 ipftoken_t *token;
552 ipfgeniter_t iter;
553 ipfobj_t obj;
554
555 error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER);
556 if (error != 0)
557 break;
558
559 SPL_SCHED(s);
560 token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx);
561 if (token != NULL)
562 error = ipf_auth_geniter(softc, token, &iter, &obj);
563 else {
564 WRITE_ENTER(&softc->ipf_tokens);
565 ipf_token_deref(softc, token);
566 RWLOCK_EXIT(&softc->ipf_tokens);
567 IPFERROR(10001);
568 error = ESRCH;
569 }
570 SPL_X(s);
571
572 break;
573 }
574
575 case SIOCADAFR :
576 case SIOCRMAFR :
577 if (!(mode & FWRITE)) {
578 IPFERROR(10002);
579 error = EPERM;
580 } else
581 error = frrequest(softc, IPL_LOGAUTH, cmd, data,
582 softc->ipf_active, 1);
583 break;
584
585 case SIOCSTLCK :
586 if (!(mode & FWRITE)) {
587 IPFERROR(10003);
588 error = EPERM;
589 } else {
590 error = ipf_lock(data, &softa->ipf_auth_lock);
591 }
592 break;
593
594 case SIOCATHST:
595 softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries;
596 error = ipf_outobj(softc, data, &softa->ipf_auth_stats,
597 IPFOBJ_AUTHSTAT);
598 break;
599
600 case SIOCIPFFL:
601 SPL_NET(s);
602 WRITE_ENTER(&softa->ipf_authlk);
603 i = ipf_auth_flush(softa);
604 RWLOCK_EXIT(&softa->ipf_authlk);
605 SPL_X(s);
606 error = BCOPYOUT(&i, data, sizeof(i));
607 if (error != 0) {
608 IPFERROR(10004);
609 error = EFAULT;
610 }
611 break;
612
613 case SIOCAUTHW:
614 error = ipf_auth_wait(softc, softa, data);
615 break;
616
617 case SIOCAUTHR:
618 error = ipf_auth_reply(softc, softa, data);
619 break;
620
621 default :
622 IPFERROR(10005);
623 error = EINVAL;
624 break;
625 }
626 return (error);
627 }
628
629
630 /* ------------------------------------------------------------------------ */
631 /* Function: ipf_auth_expire */
632 /* Returns: None */
633 /* Parameters: None */
634 /* */
635 /* Slowly expire held auth records. Timeouts are set in expectation of */
636 /* this being called twice per second. */
637 /* ------------------------------------------------------------------------ */
638 void
ipf_auth_expire(ipf_main_softc_t * softc)639 ipf_auth_expire(ipf_main_softc_t *softc)
640 {
641 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
642 frauthent_t *fae, **faep;
643 frentry_t *fr, **frp;
644 frauth_t *fra;
645 mb_t *m;
646 int i;
647 SPL_INT(s);
648
649 if (softa->ipf_auth_lock)
650 return;
651 SPL_NET(s);
652 WRITE_ENTER(&softa->ipf_authlk);
653 for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size;
654 i++, fra++) {
655 fra->fra_age--;
656 if ((fra->fra_age == 0) &&
657 (softa->ipf_auth[i].fra_index != -1)) {
658 if ((m = softa->ipf_auth_pkts[i]) != NULL) {
659 FREE_MB_T(m);
660 softa->ipf_auth_pkts[i] = NULL;
661 } else if (softa->ipf_auth[i].fra_index == -2) {
662 softa->ipf_auth_replies--;
663 }
664 softa->ipf_auth[i].fra_index = -1;
665 softa->ipf_auth_stats.fas_expire++;
666 softa->ipf_auth_used--;
667 }
668 }
669
670 /*
671 * Expire pre-auth rules
672 */
673 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) {
674 fae->fae_age--;
675 if (fae->fae_age == 0) {
676 ipf_auth_deref(&fae);
677 softa->ipf_auth_stats.fas_expire++;
678 } else
679 faep = &fae->fae_next;
680 }
681 if (softa->ipf_auth_entries != NULL)
682 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr;
683 else
684 softa->ipf_auth_ip = NULL;
685
686 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) {
687 if (fr->fr_ref == 1) {
688 *frp = fr->fr_next;
689 MUTEX_DESTROY(&fr->fr_lock);
690 KFREE(fr);
691 } else
692 frp = &fr->fr_next;
693 }
694 RWLOCK_EXIT(&softa->ipf_authlk);
695 SPL_X(s);
696 }
697
698
699 /* ------------------------------------------------------------------------ */
700 /* Function: ipf_auth_precmd */
701 /* Returns: int - 0 == success, else error */
702 /* Parameters: cmd(I) - ioctl command for rule */
703 /* fr(I) - pointer to ipf rule */
704 /* fptr(I) - pointer to caller's 'fr' */
705 /* */
706 /* ------------------------------------------------------------------------ */
707 int
ipf_auth_precmd(ipf_main_softc_t * softc,ioctlcmd_t cmd,frentry_t * fr,frentry_t ** frptr)708 ipf_auth_precmd(ipf_main_softc_t *softc, ioctlcmd_t cmd, frentry_t *fr,
709 frentry_t **frptr)
710 {
711 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
712 frauthent_t *fae, **faep;
713 int error = 0;
714 SPL_INT(s);
715
716 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
717 IPFERROR(10006);
718 return (EIO);
719 }
720
721 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) {
722 if (&fae->fae_fr == fr)
723 break;
724 else
725 faep = &fae->fae_next;
726 }
727
728 if (cmd == (ioctlcmd_t)SIOCRMAFR) {
729 if (fr == NULL || frptr == NULL) {
730 IPFERROR(10007);
731 error = EINVAL;
732
733 } else if (fae == NULL) {
734 IPFERROR(10008);
735 error = ESRCH;
736
737 } else {
738 SPL_NET(s);
739 WRITE_ENTER(&softa->ipf_authlk);
740 *faep = fae->fae_next;
741 if (softa->ipf_auth_ip == &fae->fae_fr)
742 softa->ipf_auth_ip = softa->ipf_auth_entries ?
743 &softa->ipf_auth_entries->fae_fr : NULL;
744 RWLOCK_EXIT(&softa->ipf_authlk);
745 SPL_X(s);
746
747 KFREE(fae);
748 }
749 } else if (fr != NULL && frptr != NULL) {
750 KMALLOC(fae, frauthent_t *);
751 if (fae != NULL) {
752 bcopy((char *)fr, (char *)&fae->fae_fr,
753 sizeof(*fr));
754 SPL_NET(s);
755 WRITE_ENTER(&softa->ipf_authlk);
756 fae->fae_age = softa->ipf_auth_defaultage;
757 fae->fae_fr.fr_hits = 0;
758 fae->fae_fr.fr_next = *frptr;
759 fae->fae_ref = 1;
760 *frptr = &fae->fae_fr;
761 fae->fae_next = *faep;
762 *faep = fae;
763 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr;
764 RWLOCK_EXIT(&softa->ipf_authlk);
765 SPL_X(s);
766 } else {
767 IPFERROR(10009);
768 error = ENOMEM;
769 }
770 } else {
771 IPFERROR(10010);
772 error = EINVAL;
773 }
774 return (error);
775 }
776
777
778 /* ------------------------------------------------------------------------ */
779 /* Function: ipf_auth_flush */
780 /* Returns: int - number of auth entries flushed */
781 /* Parameters: None */
782 /* Locks: WRITE(ipf_authlk) */
783 /* */
784 /* This function flushs the ipf_auth_pkts array of any packet data with */
785 /* references still there. */
786 /* It is expected that the caller has already acquired the correct locks or */
787 /* set the priority level correctly for this to block out other code paths */
788 /* into these data structures. */
789 /* ------------------------------------------------------------------------ */
790 static int
ipf_auth_flush(void * arg)791 ipf_auth_flush(void *arg)
792 {
793 ipf_auth_softc_t *softa = arg;
794 int i, num_flushed;
795 mb_t *m;
796
797 if (softa->ipf_auth_lock)
798 return (-1);
799
800 num_flushed = 0;
801
802 for (i = 0 ; i < softa->ipf_auth_size; i++) {
803 if (softa->ipf_auth[i].fra_index != -1) {
804 m = softa->ipf_auth_pkts[i];
805 if (m != NULL) {
806 FREE_MB_T(m);
807 softa->ipf_auth_pkts[i] = NULL;
808 }
809
810 softa->ipf_auth[i].fra_index = -1;
811 /* perhaps add & use a flush counter inst.*/
812 softa->ipf_auth_stats.fas_expire++;
813 num_flushed++;
814 }
815 }
816
817 softa->ipf_auth_start = 0;
818 softa->ipf_auth_end = 0;
819 softa->ipf_auth_next = 0;
820 softa->ipf_auth_used = 0;
821 softa->ipf_auth_replies = 0;
822
823 return (num_flushed);
824 }
825
826
827 /* ------------------------------------------------------------------------ */
828 /* Function: ipf_auth_waiting */
829 /* Returns: int - number of packets in the auth queue */
830 /* Parameters: None */
831 /* */
832 /* Simple truth check to see if there are any packets waiting in the auth */
833 /* queue. */
834 /* ------------------------------------------------------------------------ */
835 int
ipf_auth_waiting(ipf_main_softc_t * softc)836 ipf_auth_waiting(ipf_main_softc_t *softc)
837 {
838 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
839
840 return (softa->ipf_auth_used != 0);
841 }
842
843
844 /* ------------------------------------------------------------------------ */
845 /* Function: ipf_auth_geniter */
846 /* Returns: int - 0 == success, else error */
847 /* Parameters: token(I) - pointer to ipftoken structure */
848 /* itp(I) - pointer to ipfgeniter structure */
849 /* objp(I) - pointer to ipf object destription */
850 /* */
851 /* Iterate through the list of entries in the auth queue list. */
852 /* objp is used here to get the location of where to do the copy out to. */
853 /* Stomping over various fields with new information will not harm anything */
854 /* ------------------------------------------------------------------------ */
855 static int
ipf_auth_geniter(ipf_main_softc_t * softc,ipftoken_t * token,ipfgeniter_t * itp,ipfobj_t * objp)856 ipf_auth_geniter(ipf_main_softc_t *softc, ipftoken_t *token,
857 ipfgeniter_t *itp, ipfobj_t *objp)
858 {
859 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
860 frauthent_t *fae, *next, zero;
861 int error;
862
863 if (itp->igi_data == NULL) {
864 IPFERROR(10011);
865 return (EFAULT);
866 }
867
868 if (itp->igi_type != IPFGENITER_AUTH) {
869 IPFERROR(10012);
870 return (EINVAL);
871 }
872
873 objp->ipfo_type = IPFOBJ_FRAUTH;
874 objp->ipfo_ptr = itp->igi_data;
875 objp->ipfo_size = sizeof(frauth_t);
876
877 READ_ENTER(&softa->ipf_authlk);
878
879 fae = token->ipt_data;
880 if (fae == NULL) {
881 next = softa->ipf_auth_entries;
882 } else {
883 next = fae->fae_next;
884 }
885
886 /*
887 * If we found an auth entry to use, bump its reference count
888 * so that it can be used for is_next when we come back.
889 */
890 if (next != NULL) {
891 ATOMIC_INC(next->fae_ref);
892 token->ipt_data = next;
893 } else {
894 bzero(&zero, sizeof(zero));
895 next = &zero;
896 token->ipt_data = NULL;
897 }
898
899 RWLOCK_EXIT(&softa->ipf_authlk);
900
901 error = ipf_outobjk(softc, objp, next);
902 if (fae != NULL)
903 ipf_auth_deref_unlocked(softa, &fae);
904
905 if (next->fae_next == NULL)
906 ipf_token_mark_complete(token);
907 return (error);
908 }
909
910
911 /* ------------------------------------------------------------------------ */
912 /* Function: ipf_auth_deref_unlocked */
913 /* Returns: None */
914 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */
915 /* */
916 /* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */
917 /* held. */
918 /* ------------------------------------------------------------------------ */
919 static void
ipf_auth_deref_unlocked(ipf_auth_softc_t * softa,frauthent_t ** faep)920 ipf_auth_deref_unlocked(ipf_auth_softc_t *softa, frauthent_t **faep)
921 {
922 WRITE_ENTER(&softa->ipf_authlk);
923 ipf_auth_deref(faep);
924 RWLOCK_EXIT(&softa->ipf_authlk);
925 }
926
927
928 /* ------------------------------------------------------------------------ */
929 /* Function: ipf_auth_deref */
930 /* Returns: None */
931 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */
932 /* Locks: WRITE(ipf_authlk) */
933 /* */
934 /* This function unconditionally sets the pointer in the caller to NULL, */
935 /* to make it clear that it should no longer use that pointer, and drops */
936 /* the reference count on the structure by 1. If it reaches 0, free it up. */
937 /* ------------------------------------------------------------------------ */
938 static void
ipf_auth_deref(frauthent_t ** faep)939 ipf_auth_deref(frauthent_t **faep)
940 {
941 frauthent_t *fae;
942
943 fae = *faep;
944 *faep = NULL;
945
946 fae->fae_ref--;
947 if (fae->fae_ref == 0) {
948 KFREE(fae);
949 }
950 }
951
952
953 /* ------------------------------------------------------------------------ */
954 /* Function: ipf_auth_wait_pkt */
955 /* Returns: int - 0 == success, else error */
956 /* Parameters: data(I) - pointer to data from ioctl call */
957 /* */
958 /* This function is called when an application is waiting for a packet to */
959 /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */
960 /* a packet waiting on the queue then we will return that _one_ immediately.*/
961 /* If there are no packets present in the queue (ipf_auth_pkts) then we go */
962 /* to sleep. */
963 /* ------------------------------------------------------------------------ */
964 static int
ipf_auth_wait(ipf_main_softc_t * softc,ipf_auth_softc_t * softa,char * data)965 ipf_auth_wait(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data)
966 {
967 frauth_t auth, *au = &auth;
968 int error, len, i;
969 mb_t *m;
970 char *t;
971 SPL_INT(s);
972
973 ipf_auth_ioctlloop:
974 error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH);
975 if (error != 0)
976 return (error);
977
978 /*
979 * XXX Locks are held below over calls to copyout...a better
980 * solution needs to be found so this isn't necessary. The situation
981 * we are trying to guard against here is an error in the copyout
982 * steps should not cause the packet to "disappear" from the queue.
983 */
984 SPL_NET(s);
985 READ_ENTER(&softa->ipf_authlk);
986
987 /*
988 * If ipf_auth_next is not equal to ipf_auth_end it will be because
989 * there is a packet waiting to be delt with in the ipf_auth_pkts
990 * array. We copy as much of that out to user space as requested.
991 */
992 if (softa->ipf_auth_used > 0) {
993 while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) {
994 softa->ipf_auth_next++;
995 if (softa->ipf_auth_next == softa->ipf_auth_size)
996 softa->ipf_auth_next = 0;
997 }
998
999 error = ipf_outobj(softc, data,
1000 &softa->ipf_auth[softa->ipf_auth_next],
1001 IPFOBJ_FRAUTH);
1002 if (error != 0) {
1003 RWLOCK_EXIT(&softa->ipf_authlk);
1004 SPL_X(s);
1005 return (error);
1006 }
1007
1008 if (auth.fra_len != 0 && auth.fra_buf != NULL) {
1009 /*
1010 * Copy packet contents out to user space if
1011 * requested. Bail on an error.
1012 */
1013 m = softa->ipf_auth_pkts[softa->ipf_auth_next];
1014 len = MSGDSIZE(m);
1015 if (len > auth.fra_len)
1016 len = auth.fra_len;
1017 auth.fra_len = len;
1018
1019 for (t = auth.fra_buf; m && (len > 0); ) {
1020 i = MIN(M_LEN(m), len);
1021 error = copyoutptr(softc, MTOD(m, char *),
1022 &t, i);
1023 len -= i;
1024 t += i;
1025 if (error != 0) {
1026 RWLOCK_EXIT(&softa->ipf_authlk);
1027 SPL_X(s);
1028 return (error);
1029 }
1030 m = m->m_next;
1031 }
1032 }
1033 RWLOCK_EXIT(&softa->ipf_authlk);
1034
1035 SPL_NET(s);
1036 WRITE_ENTER(&softa->ipf_authlk);
1037 softa->ipf_auth_next++;
1038 if (softa->ipf_auth_next == softa->ipf_auth_size)
1039 softa->ipf_auth_next = 0;
1040 RWLOCK_EXIT(&softa->ipf_authlk);
1041 SPL_X(s);
1042
1043 return (0);
1044 }
1045 RWLOCK_EXIT(&softa->ipf_authlk);
1046 SPL_X(s);
1047
1048 MUTEX_ENTER(&softa->ipf_auth_mx);
1049 #ifdef _KERNEL
1050 # if SOLARIS
1051 error = 0;
1052 if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) {
1053 IPFERROR(10014);
1054 error = EINTR;
1055 }
1056 # else /* SOLARIS */
1057 error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next");
1058 # endif /* SOLARIS */
1059 #endif
1060 MUTEX_EXIT(&softa->ipf_auth_mx);
1061 if (error == 0)
1062 goto ipf_auth_ioctlloop;
1063 return (error);
1064 }
1065
1066
1067 /* ------------------------------------------------------------------------ */
1068 /* Function: ipf_auth_reply */
1069 /* Returns: int - 0 == success, else error */
1070 /* Parameters: data(I) - pointer to data from ioctl call */
1071 /* */
1072 /* This function is called by an application when it wants to return a */
1073 /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */
1074 /* received information using an SIOCAUTHW. The decision returned in the */
1075 /* form of flags, the same as those used in each rule. */
1076 /* ------------------------------------------------------------------------ */
1077 static int
ipf_auth_reply(ipf_main_softc_t * softc,ipf_auth_softc_t * softa,char * data)1078 ipf_auth_reply(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data)
1079 {
1080 frauth_t auth, *au = &auth, *fra;
1081 fr_info_t fin;
1082 int error, i;
1083 mb_t *m;
1084 SPL_INT(s);
1085
1086 error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH);
1087 if (error != 0)
1088 return (error);
1089
1090 SPL_NET(s);
1091 WRITE_ENTER(&softa->ipf_authlk);
1092
1093 i = au->fra_index;
1094 fra = softa->ipf_auth + i;
1095 error = 0;
1096
1097 /*
1098 * Check the validity of the information being returned with two simple
1099 * checks. First, the auth index value should be within the size of
1100 * the array and second the packet id being returned should also match.
1101 */
1102 if ((i < 0) || (i >= softa->ipf_auth_size)) {
1103 RWLOCK_EXIT(&softa->ipf_authlk);
1104 SPL_X(s);
1105 IPFERROR(10015);
1106 return (ESRCH);
1107 }
1108 if (fra->fra_info.fin_id != au->fra_info.fin_id) {
1109 RWLOCK_EXIT(&softa->ipf_authlk);
1110 SPL_X(s);
1111 IPFERROR(10019);
1112 return (ESRCH);
1113 }
1114
1115 m = softa->ipf_auth_pkts[i];
1116 fra->fra_index = -2;
1117 fra->fra_pass = au->fra_pass;
1118 softa->ipf_auth_pkts[i] = NULL;
1119 softa->ipf_auth_replies++;
1120 bcopy(&fra->fra_info, &fin, sizeof(fin));
1121
1122 RWLOCK_EXIT(&softa->ipf_authlk);
1123
1124 /*
1125 * Re-insert the packet back into the packet stream flowing through
1126 * the kernel in a manner that will mean IPFilter sees the packet
1127 * again. This is not the same as is done with fastroute,
1128 * deliberately, as we want to resume the normal packet processing
1129 * path for it.
1130 */
1131 #ifdef _KERNEL
1132 if ((m != NULL) && (au->fra_info.fin_out != 0)) {
1133 error = ipf_inject(&fin, m);
1134 if (error != 0) {
1135 IPFERROR(10016);
1136 error = ENOBUFS;
1137 softa->ipf_auth_stats.fas_sendfail++;
1138 } else {
1139 softa->ipf_auth_stats.fas_sendok++;
1140 }
1141 } else if (m) {
1142 error = ipf_inject(&fin, m);
1143 if (error != 0) {
1144 IPFERROR(10017);
1145 error = ENOBUFS;
1146 softa->ipf_auth_stats.fas_quefail++;
1147 } else {
1148 softa->ipf_auth_stats.fas_queok++;
1149 }
1150 } else {
1151 IPFERROR(10018);
1152 error = EINVAL;
1153 }
1154
1155 /*
1156 * If we experience an error which will result in the packet
1157 * not being processed, make sure we advance to the next one.
1158 */
1159 if (error == ENOBUFS) {
1160 WRITE_ENTER(&softa->ipf_authlk);
1161 softa->ipf_auth_used--;
1162 fra->fra_index = -1;
1163 fra->fra_pass = 0;
1164 if (i == softa->ipf_auth_start) {
1165 while (fra->fra_index == -1) {
1166 i++;
1167 if (i == softa->ipf_auth_size)
1168 i = 0;
1169 softa->ipf_auth_start = i;
1170 if (i == softa->ipf_auth_end)
1171 break;
1172 }
1173 if (softa->ipf_auth_start == softa->ipf_auth_end) {
1174 softa->ipf_auth_next = 0;
1175 softa->ipf_auth_start = 0;
1176 softa->ipf_auth_end = 0;
1177 }
1178 }
1179 RWLOCK_EXIT(&softa->ipf_authlk);
1180 }
1181 #endif /* _KERNEL */
1182 SPL_X(s);
1183
1184 return (0);
1185 }
1186
1187
1188 u_32_t
ipf_auth_pre_scanlist(ipf_main_softc_t * softc,fr_info_t * fin,u_32_t pass)1189 ipf_auth_pre_scanlist(ipf_main_softc_t *softc, fr_info_t *fin, u_32_t pass)
1190 {
1191 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
1192
1193 if (softa->ipf_auth_ip != NULL)
1194 return (ipf_scanlist(fin, softc->ipf_pass));
1195
1196 return (pass);
1197 }
1198
1199
1200 frentry_t **
ipf_auth_rulehead(ipf_main_softc_t * softc)1201 ipf_auth_rulehead(ipf_main_softc_t *softc)
1202 {
1203 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
1204
1205 return (&softa->ipf_auth_ip);
1206 }
1207