The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netgraph/ng_ipfw.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright 2005, Gleb Smirnoff <glebius@FreeBSD.org>
    3  * All rights reserved.
    4  *
    5  * Redistribution and use in source and binary forms, with or without
    6  * modification, are permitted provided that the following conditions
    7  * are met:
    8  * 1. Redistributions of source code must retain the above copyright
    9  *    notice, this list of conditions and the following disclaimer.
   10  * 2. Redistributions in binary form must reproduce the above copyright
   11  *    notice, this list of conditions and the following disclaimer in the
   12  *    documentation and/or other materials provided with the distribution.
   13  *
   14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   24  * SUCH DAMAGE.
   25  *
   26  * $FreeBSD: releng/9.1/sys/netgraph/ng_ipfw.c 225586 2011-09-15 12:28:17Z ae $
   27  */
   28 
   29 #include "opt_inet.h"
   30 #include "opt_inet6.h"
   31 
   32 #include <sys/param.h>
   33 #include <sys/systm.h>
   34 #include <sys/kernel.h>
   35 #include <sys/lock.h>
   36 #include <sys/mbuf.h>
   37 #include <sys/malloc.h>
   38 #include <sys/ctype.h>
   39 #include <sys/errno.h>
   40 #include <sys/rwlock.h>
   41 #include <sys/socket.h>
   42 #include <sys/syslog.h>
   43 
   44 #include <net/if.h>
   45 
   46 #include <netinet/in.h>
   47 #include <netinet/in_systm.h>
   48 #include <netinet/in_var.h>
   49 #include <netinet/ip_var.h>
   50 #include <netinet/ip_fw.h>
   51 #include <netinet/ipfw/ip_fw_private.h>
   52 #include <netinet/ip.h>
   53 #include <netinet/ip6.h>
   54 #include <netinet6/ip6_var.h>
   55 
   56 #include <netgraph/ng_message.h>
   57 #include <netgraph/ng_parse.h>
   58 #include <netgraph/ng_ipfw.h>
   59 #include <netgraph/netgraph.h>
   60 
   61 static int              ng_ipfw_mod_event(module_t mod, int event, void *data);
   62 static ng_constructor_t ng_ipfw_constructor;
   63 static ng_shutdown_t    ng_ipfw_shutdown;
   64 static ng_newhook_t     ng_ipfw_newhook;
   65 static ng_connect_t     ng_ipfw_connect;
   66 static ng_findhook_t    ng_ipfw_findhook;
   67 static ng_rcvdata_t     ng_ipfw_rcvdata;
   68 static ng_disconnect_t  ng_ipfw_disconnect;
   69 
   70 static hook_p           ng_ipfw_findhook1(node_p, u_int16_t );
   71 static int              ng_ipfw_input(struct mbuf **, int, struct ip_fw_args *,
   72                             int);
   73 
   74 /* We have only one node */
   75 static node_p   fw_node;
   76 
   77 /* Netgraph node type descriptor */
   78 static struct ng_type ng_ipfw_typestruct = {
   79         .version =      NG_ABI_VERSION,
   80         .name =         NG_IPFW_NODE_TYPE,
   81         .mod_event =    ng_ipfw_mod_event,
   82         .constructor =  ng_ipfw_constructor,
   83         .shutdown =     ng_ipfw_shutdown,
   84         .newhook =      ng_ipfw_newhook,
   85         .connect =      ng_ipfw_connect,
   86         .findhook =     ng_ipfw_findhook,
   87         .rcvdata =      ng_ipfw_rcvdata,
   88         .disconnect =   ng_ipfw_disconnect,
   89 };
   90 NETGRAPH_INIT(ipfw, &ng_ipfw_typestruct);
   91 MODULE_DEPEND(ng_ipfw, ipfw, 2, 2, 2);
   92 
   93 /* Information we store for each hook */
   94 struct ng_ipfw_hook_priv {
   95         hook_p          hook;
   96         u_int16_t       rulenum;
   97 };
   98 typedef struct ng_ipfw_hook_priv *hpriv_p;
   99 
  100 static int
  101 ng_ipfw_mod_event(module_t mod, int event, void *data)
  102 {
  103         int error = 0;
  104 
  105         switch (event) {
  106         case MOD_LOAD:
  107 
  108                 if (ng_ipfw_input_p != NULL) {
  109                         error = EEXIST;
  110                         break;
  111                 }
  112 
  113                 /* Setup node without any private data */
  114                 if ((error = ng_make_node_common(&ng_ipfw_typestruct, &fw_node))
  115                     != 0) {
  116                         log(LOG_ERR, "%s: can't create ng_ipfw node", __func__);
  117                         break;
  118                 };
  119 
  120                 /* Try to name node */
  121                 if (ng_name_node(fw_node, "ipfw") != 0)
  122                         log(LOG_WARNING, "%s: failed to name node \"ipfw\"",
  123                             __func__);
  124 
  125                 /* Register hook */
  126                 ng_ipfw_input_p = ng_ipfw_input;
  127                 break;
  128 
  129         case MOD_UNLOAD:
  130                  /*
  131                   * This won't happen if a node exists.
  132                   * ng_ipfw_input_p is already cleared.
  133                   */
  134                 break;
  135 
  136         default:
  137                 error = EOPNOTSUPP;
  138                 break;
  139         }
  140 
  141         return (error);
  142 }
  143 
  144 static int
  145 ng_ipfw_constructor(node_p node)
  146 {
  147         return (EINVAL);        /* Only one node */
  148 }
  149 
  150 static int
  151 ng_ipfw_newhook(node_p node, hook_p hook, const char *name)
  152 {
  153         hpriv_p hpriv;
  154         u_int16_t rulenum;
  155         const char *cp;
  156         char *endptr;
  157 
  158         /* Protect from leading zero */
  159         if (name[0] == '' && name[1] != '\0')
  160                 return (EINVAL);
  161 
  162         /* Check that name contains only digits */
  163         for (cp = name; *cp != '\0'; cp++)
  164                 if (!isdigit(*cp))
  165                         return (EINVAL);
  166 
  167         /* Convert it to integer */
  168         rulenum = (u_int16_t)strtol(name, &endptr, 10);
  169         if (*endptr != '\0')
  170                 return (EINVAL);
  171 
  172         /* Allocate memory for this hook's private data */
  173         hpriv = malloc(sizeof(*hpriv), M_NETGRAPH, M_NOWAIT | M_ZERO);
  174         if (hpriv== NULL)
  175                 return (ENOMEM);
  176 
  177         hpriv->hook = hook;
  178         hpriv->rulenum = rulenum;
  179 
  180         NG_HOOK_SET_PRIVATE(hook, hpriv);
  181 
  182         return(0);
  183 }
  184 
  185 /*
  186  * Set hooks into queueing mode, to avoid recursion between
  187  * netgraph layer and ip_{input,output}.
  188  */
  189 static int
  190 ng_ipfw_connect(hook_p hook)
  191 {
  192         NG_HOOK_FORCE_QUEUE(hook);
  193         return (0);
  194 }
  195 
  196 /* Look up hook by name */
  197 hook_p
  198 ng_ipfw_findhook(node_p node, const char *name)
  199 {
  200         u_int16_t n;    /* numeric representation of hook */
  201         char *endptr;
  202 
  203         n = (u_int16_t)strtol(name, &endptr, 10);
  204         if (*endptr != '\0')
  205                 return NULL;
  206         return ng_ipfw_findhook1(node, n);
  207 }
  208 
  209 /* Look up hook by rule number */
  210 static hook_p
  211 ng_ipfw_findhook1(node_p node, u_int16_t rulenum)
  212 {
  213         hook_p  hook;
  214         hpriv_p hpriv;
  215 
  216         LIST_FOREACH(hook, &node->nd_hooks, hk_hooks) {
  217                 hpriv = NG_HOOK_PRIVATE(hook);
  218                 if (NG_HOOK_IS_VALID(hook) && (hpriv->rulenum == rulenum))
  219                         return (hook);
  220         }
  221 
  222         return (NULL);
  223 }
  224 
  225 
  226 static int
  227 ng_ipfw_rcvdata(hook_p hook, item_p item)
  228 {
  229         struct m_tag *tag;
  230         struct ipfw_rule_ref *r;
  231         struct mbuf *m;
  232         struct ip *ip;
  233 
  234         NGI_GET_M(item, m);
  235         NG_FREE_ITEM(item);
  236 
  237         tag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL);
  238         if (tag == NULL) {
  239                 NG_FREE_M(m);
  240                 return (EINVAL);        /* XXX: find smth better */
  241         };
  242 
  243         if (m->m_len < sizeof(struct ip) &&
  244             (m = m_pullup(m, sizeof(struct ip))) == NULL)
  245                 return (EINVAL);
  246 
  247         ip = mtod(m, struct ip *);
  248 
  249         r = (struct ipfw_rule_ref *)(tag + 1);
  250         if (r->info & IPFW_INFO_IN) {
  251                 switch (ip->ip_v) {
  252 #ifdef INET
  253                 case IPVERSION:
  254                         ip_input(m);
  255                         break;
  256 #endif
  257 #ifdef INET6
  258                 case IPV6_VERSION >> 4:
  259                         ip6_input(m);
  260                         break;
  261 #endif
  262                 default:
  263                         NG_FREE_M(m);
  264                         return (EINVAL);
  265                 }
  266                 return (0);
  267         } else {
  268                 switch (ip->ip_v) {
  269 #ifdef INET
  270                 case IPVERSION:
  271                         SET_HOST_IPLEN(ip);
  272                         return (ip_output(m, NULL, NULL, IP_FORWARDING,
  273                             NULL, NULL));
  274 #endif
  275 #ifdef INET6
  276                 case IPV6_VERSION >> 4:
  277                         return (ip6_output(m, NULL, NULL, 0, NULL,
  278                             NULL, NULL));
  279 #endif
  280                 default:
  281                         return (EINVAL);
  282                 }
  283         }
  284 }
  285 
  286 static int
  287 ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee)
  288 {
  289         struct mbuf *m;
  290         struct ip *ip;
  291         hook_p  hook;
  292         int error = 0;
  293 
  294         /*
  295          * Node must be loaded and corresponding hook must be present.
  296          */
  297         if (fw_node == NULL || 
  298            (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL)
  299                 return (ESRCH);         /* no hook associated with this rule */
  300 
  301         /*
  302          * We have two modes: in normal mode we add a tag to packet, which is
  303          * important to return packet back to IP stack. In tee mode we make
  304          * a copy of a packet and forward it into netgraph without a tag.
  305          */
  306         if (tee == 0) {
  307                 struct m_tag *tag;
  308                 struct ipfw_rule_ref *r;
  309                 m = *m0;
  310                 *m0 = NULL;     /* it belongs now to netgraph */
  311 
  312                 tag = m_tag_alloc(MTAG_IPFW_RULE, 0, sizeof(*r),
  313                         M_NOWAIT|M_ZERO);
  314                 if (tag == NULL) {
  315                         m_freem(m);
  316                         return (ENOMEM);
  317                 }
  318                 r = (struct ipfw_rule_ref *)(tag + 1);
  319                 *r = fwa->rule;
  320                 r->info &= IPFW_ONEPASS;  /* keep this info */
  321                 r->info |= dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
  322                 m_tag_prepend(m, tag);
  323 
  324         } else
  325                 if ((m = m_dup(*m0, M_DONTWAIT)) == NULL)
  326                         return (ENOMEM);        /* which is ignored */
  327 
  328         if (m->m_len < sizeof(struct ip) &&
  329             (m = m_pullup(m, sizeof(struct ip))) == NULL)
  330                 return (EINVAL);
  331 
  332         ip = mtod(m, struct ip *);
  333 
  334         NG_SEND_DATA_ONLY(error, hook, m);
  335 
  336         return (error);
  337 }
  338 
  339 static int
  340 ng_ipfw_shutdown(node_p node)
  341 {
  342 
  343         /*
  344          * After our single node has been removed,
  345          * the only thing that can be done is
  346          * 'kldunload ng_ipfw.ko'
  347          */
  348         ng_ipfw_input_p = NULL;
  349         NG_NODE_UNREF(node);
  350         return (0);
  351 }
  352 
  353 static int
  354 ng_ipfw_disconnect(hook_p hook)
  355 {
  356         const hpriv_p hpriv = NG_HOOK_PRIVATE(hook);
  357 
  358         free(hpriv, M_NETGRAPH);
  359         NG_HOOK_SET_PRIVATE(hook, NULL);
  360 
  361         return (0);
  362 }

Cache object: d3f8163f0f8d3b8189140cb9c79e0cfe


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.