1 /*-
2 * Copyright 2005, Gleb Smirnoff <glebius@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: releng/9.1/sys/netgraph/ng_ipfw.c 225586 2011-09-15 12:28:17Z ae $
27 */
28
29 #include "opt_inet.h"
30 #include "opt_inet6.h"
31
32 #include <sys/param.h>
33 #include <sys/systm.h>
34 #include <sys/kernel.h>
35 #include <sys/lock.h>
36 #include <sys/mbuf.h>
37 #include <sys/malloc.h>
38 #include <sys/ctype.h>
39 #include <sys/errno.h>
40 #include <sys/rwlock.h>
41 #include <sys/socket.h>
42 #include <sys/syslog.h>
43
44 #include <net/if.h>
45
46 #include <netinet/in.h>
47 #include <netinet/in_systm.h>
48 #include <netinet/in_var.h>
49 #include <netinet/ip_var.h>
50 #include <netinet/ip_fw.h>
51 #include <netinet/ipfw/ip_fw_private.h>
52 #include <netinet/ip.h>
53 #include <netinet/ip6.h>
54 #include <netinet6/ip6_var.h>
55
56 #include <netgraph/ng_message.h>
57 #include <netgraph/ng_parse.h>
58 #include <netgraph/ng_ipfw.h>
59 #include <netgraph/netgraph.h>
60
61 static int ng_ipfw_mod_event(module_t mod, int event, void *data);
62 static ng_constructor_t ng_ipfw_constructor;
63 static ng_shutdown_t ng_ipfw_shutdown;
64 static ng_newhook_t ng_ipfw_newhook;
65 static ng_connect_t ng_ipfw_connect;
66 static ng_findhook_t ng_ipfw_findhook;
67 static ng_rcvdata_t ng_ipfw_rcvdata;
68 static ng_disconnect_t ng_ipfw_disconnect;
69
70 static hook_p ng_ipfw_findhook1(node_p, u_int16_t );
71 static int ng_ipfw_input(struct mbuf **, int, struct ip_fw_args *,
72 int);
73
74 /* We have only one node */
75 static node_p fw_node;
76
77 /* Netgraph node type descriptor */
78 static struct ng_type ng_ipfw_typestruct = {
79 .version = NG_ABI_VERSION,
80 .name = NG_IPFW_NODE_TYPE,
81 .mod_event = ng_ipfw_mod_event,
82 .constructor = ng_ipfw_constructor,
83 .shutdown = ng_ipfw_shutdown,
84 .newhook = ng_ipfw_newhook,
85 .connect = ng_ipfw_connect,
86 .findhook = ng_ipfw_findhook,
87 .rcvdata = ng_ipfw_rcvdata,
88 .disconnect = ng_ipfw_disconnect,
89 };
90 NETGRAPH_INIT(ipfw, &ng_ipfw_typestruct);
91 MODULE_DEPEND(ng_ipfw, ipfw, 2, 2, 2);
92
93 /* Information we store for each hook */
94 struct ng_ipfw_hook_priv {
95 hook_p hook;
96 u_int16_t rulenum;
97 };
98 typedef struct ng_ipfw_hook_priv *hpriv_p;
99
100 static int
101 ng_ipfw_mod_event(module_t mod, int event, void *data)
102 {
103 int error = 0;
104
105 switch (event) {
106 case MOD_LOAD:
107
108 if (ng_ipfw_input_p != NULL) {
109 error = EEXIST;
110 break;
111 }
112
113 /* Setup node without any private data */
114 if ((error = ng_make_node_common(&ng_ipfw_typestruct, &fw_node))
115 != 0) {
116 log(LOG_ERR, "%s: can't create ng_ipfw node", __func__);
117 break;
118 };
119
120 /* Try to name node */
121 if (ng_name_node(fw_node, "ipfw") != 0)
122 log(LOG_WARNING, "%s: failed to name node \"ipfw\"",
123 __func__);
124
125 /* Register hook */
126 ng_ipfw_input_p = ng_ipfw_input;
127 break;
128
129 case MOD_UNLOAD:
130 /*
131 * This won't happen if a node exists.
132 * ng_ipfw_input_p is already cleared.
133 */
134 break;
135
136 default:
137 error = EOPNOTSUPP;
138 break;
139 }
140
141 return (error);
142 }
143
144 static int
145 ng_ipfw_constructor(node_p node)
146 {
147 return (EINVAL); /* Only one node */
148 }
149
150 static int
151 ng_ipfw_newhook(node_p node, hook_p hook, const char *name)
152 {
153 hpriv_p hpriv;
154 u_int16_t rulenum;
155 const char *cp;
156 char *endptr;
157
158 /* Protect from leading zero */
159 if (name[0] == '' && name[1] != '\0')
160 return (EINVAL);
161
162 /* Check that name contains only digits */
163 for (cp = name; *cp != '\0'; cp++)
164 if (!isdigit(*cp))
165 return (EINVAL);
166
167 /* Convert it to integer */
168 rulenum = (u_int16_t)strtol(name, &endptr, 10);
169 if (*endptr != '\0')
170 return (EINVAL);
171
172 /* Allocate memory for this hook's private data */
173 hpriv = malloc(sizeof(*hpriv), M_NETGRAPH, M_NOWAIT | M_ZERO);
174 if (hpriv== NULL)
175 return (ENOMEM);
176
177 hpriv->hook = hook;
178 hpriv->rulenum = rulenum;
179
180 NG_HOOK_SET_PRIVATE(hook, hpriv);
181
182 return(0);
183 }
184
185 /*
186 * Set hooks into queueing mode, to avoid recursion between
187 * netgraph layer and ip_{input,output}.
188 */
189 static int
190 ng_ipfw_connect(hook_p hook)
191 {
192 NG_HOOK_FORCE_QUEUE(hook);
193 return (0);
194 }
195
196 /* Look up hook by name */
197 hook_p
198 ng_ipfw_findhook(node_p node, const char *name)
199 {
200 u_int16_t n; /* numeric representation of hook */
201 char *endptr;
202
203 n = (u_int16_t)strtol(name, &endptr, 10);
204 if (*endptr != '\0')
205 return NULL;
206 return ng_ipfw_findhook1(node, n);
207 }
208
209 /* Look up hook by rule number */
210 static hook_p
211 ng_ipfw_findhook1(node_p node, u_int16_t rulenum)
212 {
213 hook_p hook;
214 hpriv_p hpriv;
215
216 LIST_FOREACH(hook, &node->nd_hooks, hk_hooks) {
217 hpriv = NG_HOOK_PRIVATE(hook);
218 if (NG_HOOK_IS_VALID(hook) && (hpriv->rulenum == rulenum))
219 return (hook);
220 }
221
222 return (NULL);
223 }
224
225
226 static int
227 ng_ipfw_rcvdata(hook_p hook, item_p item)
228 {
229 struct m_tag *tag;
230 struct ipfw_rule_ref *r;
231 struct mbuf *m;
232 struct ip *ip;
233
234 NGI_GET_M(item, m);
235 NG_FREE_ITEM(item);
236
237 tag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL);
238 if (tag == NULL) {
239 NG_FREE_M(m);
240 return (EINVAL); /* XXX: find smth better */
241 };
242
243 if (m->m_len < sizeof(struct ip) &&
244 (m = m_pullup(m, sizeof(struct ip))) == NULL)
245 return (EINVAL);
246
247 ip = mtod(m, struct ip *);
248
249 r = (struct ipfw_rule_ref *)(tag + 1);
250 if (r->info & IPFW_INFO_IN) {
251 switch (ip->ip_v) {
252 #ifdef INET
253 case IPVERSION:
254 ip_input(m);
255 break;
256 #endif
257 #ifdef INET6
258 case IPV6_VERSION >> 4:
259 ip6_input(m);
260 break;
261 #endif
262 default:
263 NG_FREE_M(m);
264 return (EINVAL);
265 }
266 return (0);
267 } else {
268 switch (ip->ip_v) {
269 #ifdef INET
270 case IPVERSION:
271 SET_HOST_IPLEN(ip);
272 return (ip_output(m, NULL, NULL, IP_FORWARDING,
273 NULL, NULL));
274 #endif
275 #ifdef INET6
276 case IPV6_VERSION >> 4:
277 return (ip6_output(m, NULL, NULL, 0, NULL,
278 NULL, NULL));
279 #endif
280 default:
281 return (EINVAL);
282 }
283 }
284 }
285
286 static int
287 ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee)
288 {
289 struct mbuf *m;
290 struct ip *ip;
291 hook_p hook;
292 int error = 0;
293
294 /*
295 * Node must be loaded and corresponding hook must be present.
296 */
297 if (fw_node == NULL ||
298 (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL)
299 return (ESRCH); /* no hook associated with this rule */
300
301 /*
302 * We have two modes: in normal mode we add a tag to packet, which is
303 * important to return packet back to IP stack. In tee mode we make
304 * a copy of a packet and forward it into netgraph without a tag.
305 */
306 if (tee == 0) {
307 struct m_tag *tag;
308 struct ipfw_rule_ref *r;
309 m = *m0;
310 *m0 = NULL; /* it belongs now to netgraph */
311
312 tag = m_tag_alloc(MTAG_IPFW_RULE, 0, sizeof(*r),
313 M_NOWAIT|M_ZERO);
314 if (tag == NULL) {
315 m_freem(m);
316 return (ENOMEM);
317 }
318 r = (struct ipfw_rule_ref *)(tag + 1);
319 *r = fwa->rule;
320 r->info &= IPFW_ONEPASS; /* keep this info */
321 r->info |= dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
322 m_tag_prepend(m, tag);
323
324 } else
325 if ((m = m_dup(*m0, M_DONTWAIT)) == NULL)
326 return (ENOMEM); /* which is ignored */
327
328 if (m->m_len < sizeof(struct ip) &&
329 (m = m_pullup(m, sizeof(struct ip))) == NULL)
330 return (EINVAL);
331
332 ip = mtod(m, struct ip *);
333
334 NG_SEND_DATA_ONLY(error, hook, m);
335
336 return (error);
337 }
338
339 static int
340 ng_ipfw_shutdown(node_p node)
341 {
342
343 /*
344 * After our single node has been removed,
345 * the only thing that can be done is
346 * 'kldunload ng_ipfw.ko'
347 */
348 ng_ipfw_input_p = NULL;
349 NG_NODE_UNREF(node);
350 return (0);
351 }
352
353 static int
354 ng_ipfw_disconnect(hook_p hook)
355 {
356 const hpriv_p hpriv = NG_HOOK_PRIVATE(hook);
357
358 free(hpriv, M_NETGRAPH);
359 NG_HOOK_SET_PRIVATE(hook, NULL);
360
361 return (0);
362 }
Cache object: d3f8163f0f8d3b8189140cb9c79e0cfe
|