The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netgraph/ng_ipfw.c

Version: -  FREEBSD  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-2  -  FREEBSD-11-1  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-4  -  FREEBSD-10-3  -  FREEBSD-10-2  -  FREEBSD-10-1  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-3  -  FREEBSD-9-2  -  FREEBSD-9-1  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-4  -  FREEBSD-8-3  -  FREEBSD-8-2  -  FREEBSD-8-1  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-4  -  FREEBSD-7-3  -  FREEBSD-7-2  -  FREEBSD-7-1  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-4  -  FREEBSD-6-3  -  FREEBSD-6-2  -  FREEBSD-6-1  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-5  -  FREEBSD-5-4  -  FREEBSD-5-3  -  FREEBSD-5-2  -  FREEBSD-5-1  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
    3  *
    4  * Copyright 2005, Gleb Smirnoff <glebius@FreeBSD.org>
    5  * All rights reserved.
    6  *
    7  * Redistribution and use in source and binary forms, with or without
    8  * modification, are permitted provided that the following conditions
    9  * are met:
   10  * 1. Redistributions of source code must retain the above copyright
   11  *    notice, this list of conditions and the following disclaimer.
   12  * 2. Redistributions in binary form must reproduce the above copyright
   13  *    notice, this list of conditions and the following disclaimer in the
   14  *    documentation and/or other materials provided with the distribution.
   15  *
   16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   26  * SUCH DAMAGE.
   27  *
   28  * $FreeBSD: stable/12/sys/netgraph/ng_ipfw.c 326272 2017-11-27 15:23:17Z pfg $
   29  */
   30 
   31 #include "opt_inet.h"
   32 #include "opt_inet6.h"
   33 
   34 #include <sys/param.h>
   35 #include <sys/systm.h>
   36 #include <sys/kernel.h>
   37 #include <sys/lock.h>
   38 #include <sys/mbuf.h>
   39 #include <sys/malloc.h>
   40 #include <sys/ctype.h>
   41 #include <sys/errno.h>
   42 #include <sys/rwlock.h>
   43 #include <sys/socket.h>
   44 #include <sys/syslog.h>
   45 
   46 #include <net/if.h>
   47 #include <net/if_var.h>
   48 
   49 #include <netinet/in.h>
   50 #include <netinet/in_systm.h>
   51 #include <netinet/in_var.h>
   52 #include <netinet/ip_var.h>
   53 #include <netinet/ip_fw.h>
   54 #include <netinet/ip.h>
   55 #include <netinet/ip6.h>
   56 #include <netinet6/ip6_var.h>
   57 
   58 #include <netpfil/ipfw/ip_fw_private.h>
   59 
   60 #include <netgraph/ng_message.h>
   61 #include <netgraph/ng_parse.h>
   62 #include <netgraph/ng_ipfw.h>
   63 #include <netgraph/netgraph.h>
   64 
   65 static int              ng_ipfw_mod_event(module_t mod, int event, void *data);
   66 static ng_constructor_t ng_ipfw_constructor;
   67 static ng_shutdown_t    ng_ipfw_shutdown;
   68 static ng_newhook_t     ng_ipfw_newhook;
   69 static ng_connect_t     ng_ipfw_connect;
   70 static ng_findhook_t    ng_ipfw_findhook;
   71 static ng_rcvdata_t     ng_ipfw_rcvdata;
   72 static ng_disconnect_t  ng_ipfw_disconnect;
   73 
   74 static hook_p           ng_ipfw_findhook1(node_p, u_int16_t );
   75 static int              ng_ipfw_input(struct mbuf **, int, struct ip_fw_args *,
   76                             int);
   77 
   78 /* We have only one node */
   79 static node_p   fw_node;
   80 
   81 /* Netgraph node type descriptor */
   82 static struct ng_type ng_ipfw_typestruct = {
   83         .version =      NG_ABI_VERSION,
   84         .name =         NG_IPFW_NODE_TYPE,
   85         .mod_event =    ng_ipfw_mod_event,
   86         .constructor =  ng_ipfw_constructor,
   87         .shutdown =     ng_ipfw_shutdown,
   88         .newhook =      ng_ipfw_newhook,
   89         .connect =      ng_ipfw_connect,
   90         .findhook =     ng_ipfw_findhook,
   91         .rcvdata =      ng_ipfw_rcvdata,
   92         .disconnect =   ng_ipfw_disconnect,
   93 };
   94 NETGRAPH_INIT(ipfw, &ng_ipfw_typestruct);
   95 MODULE_DEPEND(ng_ipfw, ipfw, 3, 3, 3);
   96 
   97 /* Information we store for each hook */
   98 struct ng_ipfw_hook_priv {
   99         hook_p          hook;
  100         u_int16_t       rulenum;
  101 };
  102 typedef struct ng_ipfw_hook_priv *hpriv_p;
  103 
  104 static int
  105 ng_ipfw_mod_event(module_t mod, int event, void *data)
  106 {
  107         int error = 0;
  108 
  109         switch (event) {
  110         case MOD_LOAD:
  111 
  112                 if (ng_ipfw_input_p != NULL) {
  113                         error = EEXIST;
  114                         break;
  115                 }
  116 
  117                 /* Setup node without any private data */
  118                 if ((error = ng_make_node_common(&ng_ipfw_typestruct, &fw_node))
  119                     != 0) {
  120                         log(LOG_ERR, "%s: can't create ng_ipfw node", __func__);
  121                         break;
  122                 }
  123 
  124                 /* Try to name node */
  125                 if (ng_name_node(fw_node, "ipfw") != 0)
  126                         log(LOG_WARNING, "%s: failed to name node \"ipfw\"",
  127                             __func__);
  128 
  129                 /* Register hook */
  130                 ng_ipfw_input_p = ng_ipfw_input;
  131                 break;
  132 
  133         case MOD_UNLOAD:
  134                  /*
  135                   * This won't happen if a node exists.
  136                   * ng_ipfw_input_p is already cleared.
  137                   */
  138                 break;
  139 
  140         default:
  141                 error = EOPNOTSUPP;
  142                 break;
  143         }
  144 
  145         return (error);
  146 }
  147 
  148 static int
  149 ng_ipfw_constructor(node_p node)
  150 {
  151         return (EINVAL);        /* Only one node */
  152 }
  153 
  154 static int
  155 ng_ipfw_newhook(node_p node, hook_p hook, const char *name)
  156 {
  157         hpriv_p hpriv;
  158         u_int16_t rulenum;
  159         const char *cp;
  160         char *endptr;
  161 
  162         /* Protect from leading zero */
  163         if (name[0] == '' && name[1] != '\0')
  164                 return (EINVAL);
  165 
  166         /* Check that name contains only digits */
  167         for (cp = name; *cp != '\0'; cp++)
  168                 if (!isdigit(*cp))
  169                         return (EINVAL);
  170 
  171         /* Convert it to integer */
  172         rulenum = (u_int16_t)strtol(name, &endptr, 10);
  173         if (*endptr != '\0')
  174                 return (EINVAL);
  175 
  176         /* Allocate memory for this hook's private data */
  177         hpriv = malloc(sizeof(*hpriv), M_NETGRAPH, M_NOWAIT | M_ZERO);
  178         if (hpriv== NULL)
  179                 return (ENOMEM);
  180 
  181         hpriv->hook = hook;
  182         hpriv->rulenum = rulenum;
  183 
  184         NG_HOOK_SET_PRIVATE(hook, hpriv);
  185 
  186         return(0);
  187 }
  188 
  189 /*
  190  * Set hooks into queueing mode, to avoid recursion between
  191  * netgraph layer and ip_{input,output}.
  192  */
  193 static int
  194 ng_ipfw_connect(hook_p hook)
  195 {
  196         NG_HOOK_FORCE_QUEUE(hook);
  197         return (0);
  198 }
  199 
  200 /* Look up hook by name */
  201 static hook_p
  202 ng_ipfw_findhook(node_p node, const char *name)
  203 {
  204         u_int16_t n;    /* numeric representation of hook */
  205         char *endptr;
  206 
  207         n = (u_int16_t)strtol(name, &endptr, 10);
  208         if (*endptr != '\0')
  209                 return NULL;
  210         return ng_ipfw_findhook1(node, n);
  211 }
  212 
  213 /* Look up hook by rule number */
  214 static hook_p
  215 ng_ipfw_findhook1(node_p node, u_int16_t rulenum)
  216 {
  217         hook_p  hook;
  218         hpriv_p hpriv;
  219 
  220         LIST_FOREACH(hook, &node->nd_hooks, hk_hooks) {
  221                 hpriv = NG_HOOK_PRIVATE(hook);
  222                 if (NG_HOOK_IS_VALID(hook) && (hpriv->rulenum == rulenum))
  223                         return (hook);
  224         }
  225 
  226         return (NULL);
  227 }
  228 
  229 
  230 static int
  231 ng_ipfw_rcvdata(hook_p hook, item_p item)
  232 {
  233         struct m_tag *tag;
  234         struct ipfw_rule_ref *r;
  235         struct mbuf *m;
  236         struct ip *ip;
  237 
  238         NGI_GET_M(item, m);
  239         NG_FREE_ITEM(item);
  240 
  241         tag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL);
  242         if (tag == NULL) {
  243                 NG_FREE_M(m);
  244                 return (EINVAL);        /* XXX: find smth better */
  245         }
  246 
  247         if (m->m_len < sizeof(struct ip) &&
  248             (m = m_pullup(m, sizeof(struct ip))) == NULL)
  249                 return (ENOBUFS);
  250 
  251         ip = mtod(m, struct ip *);
  252 
  253         r = (struct ipfw_rule_ref *)(tag + 1);
  254         if (r->info & IPFW_INFO_IN) {
  255                 switch (ip->ip_v) {
  256 #ifdef INET
  257                 case IPVERSION:
  258                         ip_input(m);
  259                         return (0);
  260 #endif
  261 #ifdef INET6
  262                 case IPV6_VERSION >> 4:
  263                         ip6_input(m);
  264                         return (0);
  265 #endif
  266                 }
  267         } else {
  268                 switch (ip->ip_v) {
  269 #ifdef INET
  270                 case IPVERSION:
  271                         return (ip_output(m, NULL, NULL, IP_FORWARDING,
  272                             NULL, NULL));
  273 #endif
  274 #ifdef INET6
  275                 case IPV6_VERSION >> 4:
  276                         return (ip6_output(m, NULL, NULL, 0, NULL,
  277                             NULL, NULL));
  278 #endif
  279                 }
  280         }
  281 
  282         /* unknown IP protocol version */
  283         NG_FREE_M(m);
  284         return (EPROTONOSUPPORT);
  285 }
  286 
  287 static int
  288 ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee)
  289 {
  290         struct mbuf *m;
  291         struct ip *ip;
  292         hook_p  hook;
  293         int error = 0;
  294 
  295         /*
  296          * Node must be loaded and corresponding hook must be present.
  297          */
  298         if (fw_node == NULL || 
  299            (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL)
  300                 return (ESRCH);         /* no hook associated with this rule */
  301 
  302         /*
  303          * We have two modes: in normal mode we add a tag to packet, which is
  304          * important to return packet back to IP stack. In tee mode we make
  305          * a copy of a packet and forward it into netgraph without a tag.
  306          */
  307         if (tee == 0) {
  308                 struct m_tag *tag;
  309                 struct ipfw_rule_ref *r;
  310                 m = *m0;
  311                 *m0 = NULL;     /* it belongs now to netgraph */
  312 
  313                 tag = m_tag_alloc(MTAG_IPFW_RULE, 0, sizeof(*r),
  314                         M_NOWAIT|M_ZERO);
  315                 if (tag == NULL) {
  316                         m_freem(m);
  317                         return (ENOMEM);
  318                 }
  319                 r = (struct ipfw_rule_ref *)(tag + 1);
  320                 *r = fwa->rule;
  321                 r->info &= IPFW_ONEPASS;  /* keep this info */
  322                 r->info |= dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
  323                 m_tag_prepend(m, tag);
  324 
  325         } else
  326                 if ((m = m_dup(*m0, M_NOWAIT)) == NULL)
  327                         return (ENOMEM);        /* which is ignored */
  328 
  329         if (m->m_len < sizeof(struct ip) &&
  330             (m = m_pullup(m, sizeof(struct ip))) == NULL)
  331                 return (EINVAL);
  332 
  333         ip = mtod(m, struct ip *);
  334 
  335         NG_SEND_DATA_ONLY(error, hook, m);
  336 
  337         return (error);
  338 }
  339 
  340 static int
  341 ng_ipfw_shutdown(node_p node)
  342 {
  343 
  344         /*
  345          * After our single node has been removed,
  346          * the only thing that can be done is
  347          * 'kldunload ng_ipfw.ko'
  348          */
  349         ng_ipfw_input_p = NULL;
  350         NG_NODE_UNREF(node);
  351         return (0);
  352 }
  353 
  354 static int
  355 ng_ipfw_disconnect(hook_p hook)
  356 {
  357         const hpriv_p hpriv = NG_HOOK_PRIVATE(hook);
  358 
  359         free(hpriv, M_NETGRAPH);
  360         NG_HOOK_SET_PRIVATE(hook, NULL);
  361 
  362         return (0);
  363 }

Cache object: 1682b134b8597139dea94bc6b3a6e54f


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.