The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netgraph/ng_ipfw.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright 2005, Gleb Smirnoff <glebius@FreeBSD.org>
    3  * All rights reserved.
    4  *
    5  * Redistribution and use in source and binary forms, with or without
    6  * modification, are permitted provided that the following conditions
    7  * are met:
    8  * 1. Redistributions of source code must retain the above copyright
    9  *    notice, this list of conditions and the following disclaimer.
   10  * 2. Redistributions in binary form must reproduce the above copyright
   11  *    notice, this list of conditions and the following disclaimer in the
   12  *    documentation and/or other materials provided with the distribution.
   13  *
   14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   24  * SUCH DAMAGE.
   25  *
   26  * $FreeBSD: releng/7.3/sys/netgraph/ng_ipfw.c 155681 2006-02-14 15:22:24Z ru $
   27  */
   28 
   29 #include <sys/param.h>
   30 #include <sys/systm.h>
   31 #include <sys/kernel.h>
   32 #include <sys/mbuf.h>
   33 #include <sys/malloc.h>
   34 #include <sys/ctype.h>
   35 #include <sys/errno.h>
   36 #include <sys/socket.h>
   37 #include <sys/syslog.h>
   38 
   39 #include <net/if.h>
   40 
   41 #include <netinet/in.h>
   42 #include <netinet/in_systm.h>
   43 #include <netinet/in_var.h>
   44 #include <netinet/ip_fw.h>
   45 #include <netinet/ip.h>
   46 #include <netinet/ip_var.h>
   47 
   48 #include <netgraph/ng_message.h>
   49 #include <netgraph/ng_parse.h>
   50 #include <netgraph/ng_ipfw.h>
   51 #include <netgraph/netgraph.h>
   52 
   53 static int              ng_ipfw_mod_event(module_t mod, int event, void *data);
   54 static ng_constructor_t ng_ipfw_constructor;
   55 static ng_shutdown_t    ng_ipfw_shutdown;
   56 static ng_newhook_t     ng_ipfw_newhook;
   57 static ng_connect_t     ng_ipfw_connect;
   58 static ng_findhook_t    ng_ipfw_findhook;
   59 static ng_rcvdata_t     ng_ipfw_rcvdata;
   60 static ng_disconnect_t  ng_ipfw_disconnect;
   61 
   62 static hook_p           ng_ipfw_findhook1(node_p, u_int16_t );
   63 static int              ng_ipfw_input(struct mbuf **, int, struct ip_fw_args *,
   64                             int);
   65 
   66 /* We have only one node */
   67 static node_p   fw_node;
   68 
   69 /* Netgraph node type descriptor */
   70 static struct ng_type ng_ipfw_typestruct = {
   71         .version =      NG_ABI_VERSION,
   72         .name =         NG_IPFW_NODE_TYPE,
   73         .mod_event =    ng_ipfw_mod_event,
   74         .constructor =  ng_ipfw_constructor,
   75         .shutdown =     ng_ipfw_shutdown,
   76         .newhook =      ng_ipfw_newhook,
   77         .connect =      ng_ipfw_connect,
   78         .findhook =     ng_ipfw_findhook,
   79         .rcvdata =      ng_ipfw_rcvdata,
   80         .disconnect =   ng_ipfw_disconnect,
   81 };
   82 NETGRAPH_INIT(ipfw, &ng_ipfw_typestruct);
   83 MODULE_DEPEND(ng_ipfw, ipfw, 2, 2, 2);
   84 
   85 /* Information we store for each hook */
   86 struct ng_ipfw_hook_priv {
   87         hook_p          hook;
   88         u_int16_t       rulenum;
   89 };
   90 typedef struct ng_ipfw_hook_priv *hpriv_p;
   91 
   92 static int
   93 ng_ipfw_mod_event(module_t mod, int event, void *data)
   94 {
   95         int error = 0;
   96 
   97         switch (event) {
   98         case MOD_LOAD:
   99 
  100                 if (ng_ipfw_input_p != NULL) {
  101                         error = EEXIST;
  102                         break;
  103                 }
  104 
  105                 /* Setup node without any private data */
  106                 if ((error = ng_make_node_common(&ng_ipfw_typestruct, &fw_node))
  107                     != 0) {
  108                         log(LOG_ERR, "%s: can't create ng_ipfw node", __func__);
  109                         break;
  110                 };
  111 
  112                 /* Try to name node */
  113                 if (ng_name_node(fw_node, "ipfw") != 0)
  114                         log(LOG_WARNING, "%s: failed to name node \"ipfw\"",
  115                             __func__);
  116 
  117                 /* Register hook */
  118                 ng_ipfw_input_p = ng_ipfw_input;
  119                 break;
  120 
  121         case MOD_UNLOAD:
  122                  /*
  123                   * This won't happen if a node exists.
  124                   * ng_ipfw_input_p is already cleared.
  125                   */
  126                 break;
  127 
  128         default:
  129                 error = EOPNOTSUPP;
  130                 break;
  131         }
  132 
  133         return (error);
  134 }
  135 
  136 static int
  137 ng_ipfw_constructor(node_p node)
  138 {
  139         return (EINVAL);        /* Only one node */
  140 }
  141 
  142 static int
  143 ng_ipfw_newhook(node_p node, hook_p hook, const char *name)
  144 {
  145         hpriv_p hpriv;
  146         u_int16_t rulenum;
  147         const char *cp;
  148         char *endptr;
  149 
  150         /* Protect from leading zero */
  151         if (name[0] == '' && name[1] != '\0')
  152                 return (EINVAL);
  153 
  154         /* Check that name contains only digits */
  155         for (cp = name; *cp != '\0'; cp++)
  156                 if (!isdigit(*cp))
  157                         return (EINVAL);
  158 
  159         /* Convert it to integer */
  160         rulenum = (u_int16_t)strtol(name, &endptr, 10);
  161         if (*endptr != '\0')
  162                 return (EINVAL);
  163 
  164         /* Allocate memory for this hook's private data */
  165         MALLOC(hpriv, hpriv_p, sizeof(*hpriv), M_NETGRAPH, M_NOWAIT | M_ZERO);
  166         if (hpriv== NULL)
  167                 return (ENOMEM);
  168 
  169         hpriv->hook = hook;
  170         hpriv->rulenum = rulenum;
  171 
  172         NG_HOOK_SET_PRIVATE(hook, hpriv);
  173 
  174         return(0);
  175 }
  176 
  177 /*
  178  * Set hooks into queueing mode, to avoid recursion between
  179  * netgraph layer and ip_{input,output}.
  180  */
  181 static int
  182 ng_ipfw_connect(hook_p hook)
  183 {
  184         NG_HOOK_FORCE_QUEUE(hook);
  185         return (0);
  186 }
  187 
  188 /* Look up hook by name */
  189 hook_p
  190 ng_ipfw_findhook(node_p node, const char *name)
  191 {
  192         u_int16_t n;    /* numeric representation of hook */
  193         char *endptr;
  194 
  195         n = (u_int16_t)strtol(name, &endptr, 10);
  196         if (*endptr != '\0')
  197                 return NULL;
  198         return ng_ipfw_findhook1(node, n);
  199 }
  200 
  201 /* Look up hook by rule number */
  202 static hook_p
  203 ng_ipfw_findhook1(node_p node, u_int16_t rulenum)
  204 {
  205         hook_p  hook;
  206         hpriv_p hpriv;
  207 
  208         LIST_FOREACH(hook, &node->nd_hooks, hk_hooks) {
  209                 hpriv = NG_HOOK_PRIVATE(hook);
  210                 if (NG_HOOK_IS_VALID(hook) && (hpriv->rulenum == rulenum))
  211                         return (hook);
  212         }
  213 
  214         return (NULL);
  215 }
  216 
  217 
  218 static int
  219 ng_ipfw_rcvdata(hook_p hook, item_p item)
  220 {
  221         struct ng_ipfw_tag      *ngit;
  222         struct mbuf *m;
  223 
  224         NGI_GET_M(item, m);
  225         NG_FREE_ITEM(item);
  226 
  227         if ((ngit = (struct ng_ipfw_tag *)m_tag_locate(m, NGM_IPFW_COOKIE, 0,
  228             NULL)) == NULL) {
  229                 NG_FREE_M(m);
  230                 return (EINVAL);        /* XXX: find smth better */
  231         };
  232 
  233         switch (ngit->dir) {
  234         case NG_IPFW_OUT:
  235             {
  236                 struct ip *ip;
  237 
  238                 if (m->m_len < sizeof(struct ip) &&
  239                     (m = m_pullup(m, sizeof(struct ip))) == NULL)
  240                         return (EINVAL);
  241 
  242                 ip = mtod(m, struct ip *);
  243 
  244                 ip->ip_len = ntohs(ip->ip_len);
  245                 ip->ip_off = ntohs(ip->ip_off);
  246 
  247                 return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
  248             }
  249         case NG_IPFW_IN:
  250                 ip_input(m);
  251                 return (0);
  252         default:
  253                 panic("ng_ipfw_rcvdata: bad dir %u", ngit->dir);
  254         }       
  255 
  256         /* not reached */
  257         return (0);
  258 }
  259 
  260 static int
  261 ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee)
  262 {
  263         struct mbuf *m;
  264         struct ng_ipfw_tag *ngit;
  265         struct ip *ip;
  266         hook_p  hook;
  267         int error = 0;
  268 
  269         /*
  270          * Node must be loaded and corresponding hook must be present.
  271          */
  272         if (fw_node == NULL || 
  273            (hook = ng_ipfw_findhook1(fw_node, fwa->cookie)) == NULL) {
  274                 if (tee == 0)
  275                         m_freem(*m0);
  276                 return (ESRCH);         /* no hook associated with this rule */
  277         }
  278 
  279         /*
  280          * We have two modes: in normal mode we add a tag to packet, which is
  281          * important to return packet back to IP stack. In tee mode we make
  282          * a copy of a packet and forward it into netgraph without a tag.
  283          */
  284         if (tee == 0) {
  285                 m = *m0;
  286                 *m0 = NULL;     /* it belongs now to netgraph */
  287 
  288                 if ((ngit = (struct ng_ipfw_tag *)m_tag_alloc(NGM_IPFW_COOKIE,
  289                     0, TAGSIZ, M_NOWAIT|M_ZERO)) == NULL) {
  290                         m_freem(m);
  291                         return (ENOMEM);
  292                 }
  293                 ngit->rule = fwa->rule;
  294                 ngit->dir = dir;
  295                 ngit->ifp = fwa->oif;
  296                 m_tag_prepend(m, &ngit->mt);
  297 
  298         } else
  299                 if ((m = m_dup(*m0, M_DONTWAIT)) == NULL)
  300                         return (ENOMEM);        /* which is ignored */
  301 
  302         if (m->m_len < sizeof(struct ip) &&
  303             (m = m_pullup(m, sizeof(struct ip))) == NULL)
  304                 return (EINVAL);
  305 
  306         ip = mtod(m, struct ip *);
  307         ip->ip_len = htons(ip->ip_len);
  308         ip->ip_off = htons(ip->ip_off);
  309 
  310         NG_SEND_DATA_ONLY(error, hook, m);
  311 
  312         return (error);
  313 }
  314 
  315 static int
  316 ng_ipfw_shutdown(node_p node)
  317 {
  318 
  319         /*
  320          * After our single node has been removed,
  321          * the only thing that can be done is
  322          * 'kldunload ng_ipfw.ko'
  323          */
  324         ng_ipfw_input_p = NULL;
  325         NG_NODE_UNREF(node);
  326         return (0);
  327 }
  328 
  329 static int
  330 ng_ipfw_disconnect(hook_p hook)
  331 {
  332         const hpriv_p hpriv = NG_HOOK_PRIVATE(hook);
  333 
  334         FREE(hpriv, M_NETGRAPH);
  335         NG_HOOK_SET_PRIVATE(hook, NULL);
  336 
  337         return (0);
  338 }

Cache object: e798ba6fe3d9a99125931f5e325f60a7


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.