FreeBSD/Linux Kernel Cross Reference
sys/netinet/ip_fw.c
1 /*
2 * Copyright (c) 1993 Daniel Boulet
3 * Copyright (c) 1994 Ugen J.S.Antsilevich
4 * Copyright (c) 1996 Alex Nash
5 * Copyright (c) 2000-2001 Luigi Rizzo
6 *
7 * Redistribution and use in source forms, with and without modification,
8 * are permitted provided that this entire comment appears intact.
9 *
10 * Redistribution in binary form may occur without any restrictions.
11 * Obviously, it would be nice if you gave credit where credit is due
12 * but requiring it would be too onerous.
13 *
14 * This software is provided ``AS IS'' without any warranties of any kind.
15 *
16 * $FreeBSD$
17 */
18
19 #define DEB(x)
20 #define DDB(x) x
21
22 /*
23 * Implement IP packet firewall
24 */
25
26 #if !defined(KLD_MODULE)
27 #include "opt_ipfw.h"
28 #include "opt_ipdn.h"
29 #include "opt_ipdivert.h"
30 #include "opt_inet.h"
31 #ifndef INET
32 #error IPFIREWALL requires INET.
33 #endif /* INET */
34 #endif
35
36 #if !(IPFW2)
37
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/malloc.h>
41 #include <sys/mbuf.h>
42 #include <sys/kernel.h>
43 #include <sys/proc.h>
44 #include <sys/socket.h>
45 #include <sys/socketvar.h>
46 #include <sys/sysctl.h>
47 #include <sys/syslog.h>
48 #include <sys/ucred.h>
49 #include <net/if.h>
50 #include <net/route.h>
51 #include <netinet/in.h>
52 #include <netinet/in_systm.h>
53 #include <netinet/in_var.h>
54 #include <netinet/in_pcb.h>
55 #include <netinet/ip.h>
56 #include <netinet/ip_var.h>
57 #include <netinet/ip_icmp.h>
58 #include <netinet/ip_fw.h>
59 #include <netinet/ip_dummynet.h>
60 #include <netinet/tcp.h>
61 #include <netinet/tcp_timer.h>
62 #include <netinet/tcp_var.h>
63 #include <netinet/tcpip.h>
64 #include <netinet/udp.h>
65 #include <netinet/udp_var.h>
66
67 #include <netinet/if_ether.h> /* XXX ethertype_ip */
68
69 static int fw_debug = 1;
70 #ifdef IPFIREWALL_VERBOSE
71 static int fw_verbose = 1;
72 #else
73 static int fw_verbose = 0;
74 #endif
75 #ifdef IPFIREWALL_VERBOSE_LIMIT
76 static int fw_verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
77 #else
78 static int fw_verbose_limit = 0;
79 #endif
80
81 /*
82 * Right now, two fields in the IP header are changed to host format
83 * by the IP layer before calling the firewall. Ideally, we would like
84 * to have them in network format so that the packet can be
85 * used as it comes from the device driver (and is thus readonly).
86 */
87
88 static u_int64_t counter; /* counter for ipfw_report(NULL...) */
89
90 #define IPFW_DEFAULT_RULE ((u_int)(u_short)~0)
91
92 LIST_HEAD (ip_fw_head, ip_fw) ip_fw_chain_head;
93
94 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
95
96 #ifdef SYSCTL_NODE
97 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
98 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
99 &fw_enable, 0, "Enable ipfw");
100 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
101 &fw_one_pass, 0,
102 "Only do a single pass through ipfw when using dummynet(4)");
103 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW,
104 &fw_debug, 0, "Enable printing of debug ip_fw statements");
105 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW,
106 &fw_verbose, 0, "Log matches to ipfw rules");
107 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW,
108 &fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules logged");
109
110 /*
111 * Extension for stateful ipfw.
112 *
113 * Dynamic rules are stored in lists accessed through a hash table
114 * (ipfw_dyn_v) whose size is curr_dyn_buckets. This value can
115 * be modified through the sysctl variable dyn_buckets which is
116 * updated when the table becomes empty.
117 *
118 * XXX currently there is only one list, ipfw_dyn.
119 *
120 * When a packet is received, it is first hashed, then matched
121 * against the entries in the corresponding list.
122 * Matching occurs according to the rule type. The default is to
123 * match the four fields and the protocol, and rules are bidirectional.
124 *
125 * For a busy proxy/web server we will have lots of connections to
126 * the server. We could decide for a rule type where we ignore
127 * ports (different hashing) and avoid special SYN/RST/FIN handling.
128 *
129 * XXX when we decide to support more than one rule type, we should
130 * repeat the hashing multiple times uing only the useful fields.
131 * Or, we could run the various tests in parallel, because the
132 * 'move to front' technique should shorten the average search.
133 *
134 * The lifetime of dynamic rules is regulated by dyn_*_lifetime,
135 * measured in seconds and depending on the flags.
136 *
137 * The total number of dynamic rules is stored in dyn_count.
138 * The max number of dynamic rules is dyn_max. When we reach
139 * the maximum number of rules we do not create anymore. This is
140 * done to avoid consuming too much memory, but also too much
141 * time when searching on each packet (ideally, we should try instead
142 * to put a limit on the length of the list on each bucket...).
143 *
144 * Each dynamic rules holds a pointer to the parent ipfw rule so
145 * we know what action to perform. Dynamic rules are removed when
146 * the parent rule is deleted.
147 * There are some limitations with dynamic rules -- we do not
148 * obey the 'randomized match', and we do not do multiple
149 * passes through the firewall.
150 * XXX check the latter!!!
151 */
152 static struct ipfw_dyn_rule **ipfw_dyn_v = NULL ;
153 static u_int32_t dyn_buckets = 256 ; /* must be power of 2 */
154 static u_int32_t curr_dyn_buckets = 256 ; /* must be power of 2 */
155
156 /*
157 * timeouts for various events in handing dynamic rules.
158 */
159 static u_int32_t dyn_ack_lifetime = 300 ;
160 static u_int32_t dyn_syn_lifetime = 20 ;
161 static u_int32_t dyn_fin_lifetime = 1 ;
162 static u_int32_t dyn_rst_lifetime = 1 ;
163 static u_int32_t dyn_udp_lifetime = 10 ;
164 static u_int32_t dyn_short_lifetime = 5 ;
165
166 /*
167 * after reaching 0, dynamic rules are considered still valid for
168 * an additional grace time, unless there is lack of resources.
169 */
170 static u_int32_t dyn_grace_time = 10 ;
171
172 static u_int32_t static_count = 0 ; /* # of static rules */
173 static u_int32_t dyn_count = 0 ; /* # of dynamic rules */
174 static u_int32_t dyn_max = 1000 ; /* max # of dynamic rules */
175
176 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW,
177 &dyn_buckets, 0, "Number of dyn. buckets");
178 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD,
179 &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
180 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD,
181 &dyn_count, 0, "Number of dyn. rules");
182 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW,
183 &dyn_max, 0, "Max number of dyn. rules");
184 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD,
185 &static_count, 0, "Number of static rules");
186 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW,
187 &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
188 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW,
189 &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
190 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW,
191 &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin");
192 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW,
193 &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst");
194 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW,
195 &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP");
196 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW,
197 &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
198 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_grace_time, CTLFLAG_RD,
199 &dyn_grace_time, 0, "Grace time for dyn. rules");
200
201 #endif /* SYSCTL_NODE */
202
203 #define dprintf(a) do { \
204 if (fw_debug) \
205 printf a; \
206 } while (0)
207 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
208
209 static int add_entry (struct ip_fw_head *chainptr, struct ip_fw *frwl);
210 static int del_entry (struct ip_fw_head *chainptr, u_short number);
211 static int zero_entry (struct ip_fw *, int);
212 static int check_ipfw_struct (struct ip_fw *m);
213 static int iface_match (struct ifnet *ifp, union ip_fw_if *ifu,
214 int byname);
215 static int ipopts_match (struct ip *ip, struct ip_fw *f);
216 static __inline int
217 port_match (u_short *portptr, int nports, u_short port,
218 int range_flag, int mask);
219 static int tcpflg_match (struct tcphdr *tcp, struct ip_fw *f);
220 static int icmptype_match (struct icmp * icmp, struct ip_fw * f);
221 static void ipfw_report (struct ip_fw *f, struct ip *ip, int ip_off,
222 int ip_len, struct ifnet *rif,
223 struct ifnet *oif);
224
225 static void flush_rule_ptrs(void);
226
227 static ip_fw_chk_t ip_fw_chk;
228 static int ip_fw_ctl (struct sockopt *sopt);
229
230 ip_dn_ruledel_t *ip_dn_ruledel_ptr = NULL;
231
232 static char err_prefix[] = "ip_fw_ctl:";
233
234 /*
235 * Returns 1 if the port is matched by the vector, 0 otherwise
236 */
237 static __inline int
238 port_match(u_short *portptr, int nports, u_short port, int range_flag, int mask)
239 {
240 if (!nports)
241 return 1;
242 if (mask) {
243 if ( 0 == ((portptr[0] ^ port) & portptr[1]) )
244 return 1;
245 nports -= 2;
246 portptr += 2;
247 }
248 if (range_flag) {
249 if (portptr[0] <= port && port <= portptr[1])
250 return 1;
251 nports -= 2;
252 portptr += 2;
253 }
254 while (nports-- > 0)
255 if (*portptr++ == port)
256 return 1;
257 return 0;
258 }
259
260 static int
261 tcpflg_match(struct tcphdr *tcp, struct ip_fw *f)
262 {
263 u_char flg_set, flg_clr;
264
265 /*
266 * If an established connection is required, reject packets that
267 * have only SYN of RST|ACK|SYN set. Otherwise, fall through to
268 * other flag requirements.
269 */
270 if ((f->fw_ipflg & IP_FW_IF_TCPEST) &&
271 ((tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK |
272 IP_FW_TCPF_SYN)) == IP_FW_TCPF_SYN))
273 return 0;
274
275 flg_set = tcp->th_flags & f->fw_tcpf;
276 flg_clr = tcp->th_flags & f->fw_tcpnf;
277
278 if (flg_set != f->fw_tcpf)
279 return 0;
280 if (flg_clr)
281 return 0;
282
283 return 1;
284 }
285
286 static int
287 icmptype_match(struct icmp *icmp, struct ip_fw *f)
288 {
289 int type;
290
291 if (!(f->fw_flg & IP_FW_F_ICMPBIT))
292 return(1);
293
294 type = icmp->icmp_type;
295
296 /* check for matching type in the bitmap */
297 if (type < IP_FW_ICMPTYPES_MAX &&
298 (f->fw_uar.fw_icmptypes[type / (sizeof(unsigned) * NBBY)] &
299 (1U << (type % (sizeof(unsigned) * NBBY)))))
300 return(1);
301
302 return(0); /* no match */
303 }
304
305 static int
306 is_icmp_query(struct ip *ip)
307 {
308 const struct icmp *icmp;
309 int icmp_type;
310
311 icmp = (struct icmp *)((u_int32_t *)ip + ip->ip_hl);
312 icmp_type = icmp->icmp_type;
313
314 if (icmp_type == ICMP_ECHO || icmp_type == ICMP_ROUTERSOLICIT ||
315 icmp_type == ICMP_TSTAMP || icmp_type == ICMP_IREQ ||
316 icmp_type == ICMP_MASKREQ)
317 return(1);
318
319 return(0);
320 }
321
322 static int
323 ipopts_match(struct ip *ip, struct ip_fw *f)
324 {
325 register u_char *cp;
326 int opt, optlen, cnt;
327 u_char opts, nopts, nopts_sve;
328
329 cp = (u_char *)(ip + 1);
330 cnt = (ip->ip_hl << 2) - sizeof (struct ip);
331 opts = f->fw_ipopt;
332 nopts = nopts_sve = f->fw_ipnopt;
333
334 for (; cnt > 0; cnt -= optlen, cp += optlen) {
335 opt = cp[IPOPT_OPTVAL];
336 if (opt == IPOPT_EOL)
337 break;
338 if (opt == IPOPT_NOP)
339 optlen = 1;
340 else {
341 optlen = cp[IPOPT_OLEN];
342 if (optlen <= 0 || optlen > cnt) {
343 return 0; /*XXX*/
344 }
345 }
346 switch (opt) {
347
348 default:
349 break;
350
351 case IPOPT_LSRR:
352 opts &= ~IP_FW_IPOPT_LSRR;
353 nopts &= ~IP_FW_IPOPT_LSRR;
354 break;
355
356 case IPOPT_SSRR:
357 opts &= ~IP_FW_IPOPT_SSRR;
358 nopts &= ~IP_FW_IPOPT_SSRR;
359 break;
360
361 case IPOPT_RR:
362 opts &= ~IP_FW_IPOPT_RR;
363 nopts &= ~IP_FW_IPOPT_RR;
364 break;
365 case IPOPT_TS:
366 opts &= ~IP_FW_IPOPT_TS;
367 nopts &= ~IP_FW_IPOPT_TS;
368 break;
369 }
370 if (opts == nopts)
371 break;
372 }
373 if (opts == 0 && nopts == nopts_sve)
374 return 1;
375 else
376 return 0;
377 }
378
379 static int
380 tcpopts_match(struct tcphdr *tcp, struct ip_fw *f)
381 {
382 register u_char *cp;
383 int opt, optlen, cnt;
384 u_char opts, nopts, nopts_sve;
385
386 cp = (u_char *)(tcp + 1);
387 cnt = (tcp->th_off << 2) - sizeof (struct tcphdr);
388 opts = f->fw_tcpopt;
389 nopts = nopts_sve = f->fw_tcpnopt;
390
391 for (; cnt > 0; cnt -= optlen, cp += optlen) {
392 opt = cp[0];
393 if (opt == TCPOPT_EOL)
394 break;
395 if (opt == TCPOPT_NOP)
396 optlen = 1;
397 else {
398 optlen = cp[1];
399 if (optlen <= 0)
400 break;
401 }
402
403
404 switch (opt) {
405
406 default:
407 break;
408
409 case TCPOPT_MAXSEG:
410 opts &= ~IP_FW_TCPOPT_MSS;
411 nopts &= ~IP_FW_TCPOPT_MSS;
412 break;
413
414 case TCPOPT_WINDOW:
415 opts &= ~IP_FW_TCPOPT_WINDOW;
416 nopts &= ~IP_FW_TCPOPT_WINDOW;
417 break;
418
419 case TCPOPT_SACK_PERMITTED:
420 case TCPOPT_SACK:
421 opts &= ~IP_FW_TCPOPT_SACK;
422 nopts &= ~IP_FW_TCPOPT_SACK;
423 break;
424
425 case TCPOPT_TIMESTAMP:
426 opts &= ~IP_FW_TCPOPT_TS;
427 nopts &= ~IP_FW_TCPOPT_TS;
428 break;
429
430 case TCPOPT_CC:
431 case TCPOPT_CCNEW:
432 case TCPOPT_CCECHO:
433 opts &= ~IP_FW_TCPOPT_CC;
434 nopts &= ~IP_FW_TCPOPT_CC;
435 break;
436 }
437 if (opts == nopts)
438 break;
439 }
440 if (opts == 0 && nopts == nopts_sve)
441 return 1;
442 else
443 return 0;
444 }
445
446 static int
447 iface_match(struct ifnet *ifp, union ip_fw_if *ifu, int byname)
448 {
449 /* Check by name or by IP address */
450 if (byname) {
451 /* Check unit number (-1 is wildcard) */
452 if (ifu->fu_via_if.unit != -1
453 && ifp->if_unit != ifu->fu_via_if.unit)
454 return(0);
455 /* Check name */
456 if (strncmp(ifp->if_name, ifu->fu_via_if.name, FW_IFNLEN))
457 return(0);
458 return(1);
459 } else if (ifu->fu_via_ip.s_addr != 0) { /* Zero == wildcard */
460 struct ifaddr *ia;
461
462 TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
463 if (ia->ifa_addr == NULL)
464 continue;
465 if (ia->ifa_addr->sa_family != AF_INET)
466 continue;
467 if (ifu->fu_via_ip.s_addr != ((struct sockaddr_in *)
468 (ia->ifa_addr))->sin_addr.s_addr)
469 continue;
470 return(1);
471 }
472 return(0);
473 }
474 return(1);
475 }
476
477 static void
478 ipfw_report(struct ip_fw *f, struct ip *ip, int ip_off, int ip_len,
479 struct ifnet *rif, struct ifnet *oif)
480 {
481 struct tcphdr *const tcp = (struct tcphdr *) ((u_int32_t *) ip+ ip->ip_hl);
482 struct udphdr *const udp = (struct udphdr *) ((u_int32_t *) ip+ ip->ip_hl);
483 struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl);
484 u_int64_t count;
485 char *action;
486 char action2[32], proto[47], name[18], fragment[27];
487 int len;
488 int offset = ip_off & IP_OFFMASK;
489
490 count = f ? f->fw_pcnt : ++counter;
491 if ((f == NULL && fw_verbose_limit != 0 && count > fw_verbose_limit) ||
492 (f && f->fw_logamount != 0 && count > f->fw_loghighest))
493 return;
494
495 /* Print command name */
496 snprintf(SNPARGS(name, 0), "ipfw: %d", f ? f->fw_number : -1);
497
498 action = action2;
499 if (!f)
500 action = "Refuse";
501 else {
502 switch (f->fw_flg & IP_FW_F_COMMAND) {
503 case IP_FW_F_DENY:
504 action = "Deny";
505 break;
506 case IP_FW_F_REJECT:
507 if (f->fw_reject_code == IP_FW_REJECT_RST)
508 action = "Reset";
509 else
510 action = "Unreach";
511 break;
512 case IP_FW_F_ACCEPT:
513 action = "Accept";
514 break;
515 case IP_FW_F_COUNT:
516 action = "Count";
517 break;
518 #ifdef IPDIVERT
519 case IP_FW_F_DIVERT:
520 snprintf(SNPARGS(action2, 0), "Divert %d",
521 f->fw_divert_port);
522 break;
523 case IP_FW_F_TEE:
524 snprintf(SNPARGS(action2, 0), "Tee %d",
525 f->fw_divert_port);
526 break;
527 #endif
528 case IP_FW_F_SKIPTO:
529 snprintf(SNPARGS(action2, 0), "SkipTo %d",
530 f->fw_skipto_rule);
531 break;
532 case IP_FW_F_PIPE:
533 snprintf(SNPARGS(action2, 0), "Pipe %d",
534 f->fw_skipto_rule);
535 break;
536 case IP_FW_F_QUEUE:
537 snprintf(SNPARGS(action2, 0), "Queue %d",
538 f->fw_skipto_rule);
539 break;
540
541 case IP_FW_F_FWD:
542 if (f->fw_fwd_ip.sin_port)
543 snprintf(SNPARGS(action2, 0),
544 "Forward to %s:%d",
545 inet_ntoa(f->fw_fwd_ip.sin_addr),
546 f->fw_fwd_ip.sin_port);
547 else
548 snprintf(SNPARGS(action2, 0), "Forward to %s",
549 inet_ntoa(f->fw_fwd_ip.sin_addr));
550 break;
551
552 default:
553 action = "UNKNOWN";
554 break;
555 }
556 }
557
558 switch (ip->ip_p) {
559 case IPPROTO_TCP:
560 len = snprintf(SNPARGS(proto, 0), "TCP %s",
561 inet_ntoa(ip->ip_src));
562 if (offset == 0)
563 len += snprintf(SNPARGS(proto, len), ":%d ",
564 ntohs(tcp->th_sport));
565 else
566 len += snprintf(SNPARGS(proto, len), " ");
567 len += snprintf(SNPARGS(proto, len), "%s",
568 inet_ntoa(ip->ip_dst));
569 if (offset == 0)
570 snprintf(SNPARGS(proto, len), ":%d",
571 ntohs(tcp->th_dport));
572 break;
573 case IPPROTO_UDP:
574 len = snprintf(SNPARGS(proto, 0), "UDP %s",
575 inet_ntoa(ip->ip_src));
576 if (offset == 0)
577 len += snprintf(SNPARGS(proto, len), ":%d ",
578 ntohs(udp->uh_sport));
579 else
580 len += snprintf(SNPARGS(proto, len), " ");
581 len += snprintf(SNPARGS(proto, len), "%s",
582 inet_ntoa(ip->ip_dst));
583 if (offset == 0)
584 snprintf(SNPARGS(proto, len), ":%d",
585 ntohs(udp->uh_dport));
586 break;
587 case IPPROTO_ICMP:
588 if (offset == 0)
589 len = snprintf(SNPARGS(proto, 0), "ICMP:%u.%u ",
590 icmp->icmp_type, icmp->icmp_code);
591 else
592 len = snprintf(SNPARGS(proto, 0), "ICMP ");
593 len += snprintf(SNPARGS(proto, len), "%s",
594 inet_ntoa(ip->ip_src));
595 snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
596 break;
597 default:
598 len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p,
599 inet_ntoa(ip->ip_src));
600 snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
601 break;
602 }
603
604 if (ip_off & (IP_MF | IP_OFFMASK))
605 snprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)",
606 ntohs(ip->ip_id), ip_len - (ip->ip_hl << 2),
607 offset << 3,
608 (ip_off & IP_MF) ? "+" : "");
609 else
610 fragment[0] = '\0';
611 if (oif)
612 log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n",
613 name, action, proto, oif->if_name, oif->if_unit, fragment);
614 else if (rif)
615 log(LOG_SECURITY | LOG_INFO, "%s %s %s in via %s%d%s\n", name,
616 action, proto, rif->if_name, rif->if_unit, fragment);
617 else
618 log(LOG_SECURITY | LOG_INFO, "%s %s %s%s\n", name, action,
619 proto, fragment);
620 if ((f ? f->fw_logamount != 0 : 1) &&
621 count == (f ? f->fw_loghighest : fw_verbose_limit))
622 log(LOG_SECURITY | LOG_NOTICE,
623 "ipfw: limit %d reached on entry %d\n",
624 f ? f->fw_logamount : fw_verbose_limit,
625 f ? f->fw_number : -1);
626 }
627
628 static __inline int
629 hash_packet(struct ipfw_flow_id *id)
630 {
631 u_int32_t i ;
632
633 i = (id->dst_ip) ^ (id->src_ip) ^ (id->dst_port) ^ (id->src_port);
634 i &= (curr_dyn_buckets - 1) ;
635 return i ;
636 }
637
638 /**
639 * unlink a dynamic rule from a chain. prev is a pointer to
640 * the previous one, q is a pointer to the rule to delete,
641 * head is a pointer to the head of the queue.
642 * Modifies q and potentially also head.
643 */
644 #define UNLINK_DYN_RULE(prev, head, q) { \
645 struct ipfw_dyn_rule *old_q = q; \
646 \
647 /* remove a refcount to the parent */ \
648 if (q->dyn_type == DYN_LIMIT) \
649 q->parent->count--; \
650 DEB(printf("-- unlink entry 0x%08x %d -> 0x%08x %d, %d left\n", \
651 (q->id.src_ip), (q->id.src_port), \
652 (q->id.dst_ip), (q->id.dst_port), dyn_count-1 ); ) \
653 if (prev != NULL) \
654 prev->next = q = q->next ; \
655 else \
656 ipfw_dyn_v[i] = q = q->next ; \
657 dyn_count-- ; \
658 free(old_q, M_IPFW); }
659
660 #define TIME_LEQ(a,b) ((int)((a)-(b)) <= 0)
661 /**
662 * Remove all dynamic rules pointing to a given rule, or all
663 * rules if rule == NULL. Second parameter is 1 if we want to
664 * delete unconditionally, otherwise only expired rules are removed.
665 */
666 static void
667 remove_dyn_rule(struct ip_fw *rule, int force)
668 {
669 struct ipfw_dyn_rule *prev, *q;
670 int i, pass, max_pass ;
671 static u_int32_t last_remove = 0 ;
672
673 if (ipfw_dyn_v == NULL || dyn_count == 0)
674 return ;
675 /* do not expire more than once per second, it is useless */
676 if (force == 0 && last_remove == time_second)
677 return ;
678 last_remove = time_second ;
679
680 /*
681 * because DYN_LIMIT refer to parent rules, during the first pass only
682 * remove child and mark any pending LIMIT_PARENT, and remove
683 * them in a second pass.
684 */
685 for (pass = max_pass = 0; pass <= max_pass ; pass++ ) {
686 for (i = 0 ; i < curr_dyn_buckets ; i++) {
687 for (prev=NULL, q = ipfw_dyn_v[i] ; q ; ) {
688 /*
689 * logic can become complex here, so we split tests.
690 * First, test if we match any rule,
691 * then make sure the rule is expired or we want to kill it,
692 * and possibly more in the future.
693 */
694 int zap = ( rule == NULL || rule == q->rule);
695 if (zap)
696 zap = force || TIME_LEQ( q->expire , time_second );
697 /* do not zap parent in first pass, record we need a second pass */
698 if (zap && q->dyn_type == DYN_LIMIT_PARENT) {
699 max_pass = 1; /* we need a second pass */
700 if (pass == 0 || q->count != 0) {
701 zap = 0 ;
702 if (pass == 1 && force) /* should not happen */
703 printf("OUCH! cannot remove rule, count %d\n",
704 q->count);
705 }
706 }
707 if (zap) {
708 UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
709 } else {
710 prev = q ;
711 q = q->next ;
712 }
713 }
714 }
715 }
716 }
717
718 #define EXPIRE_DYN_CHAIN(rule) remove_dyn_rule(rule, 0 /* expired ones */)
719 #define EXPIRE_DYN_CHAINS() remove_dyn_rule(NULL, 0 /* expired ones */)
720 #define DELETE_DYN_CHAIN(rule) remove_dyn_rule(rule, 1 /* force removal */)
721 #define DELETE_DYN_CHAINS() remove_dyn_rule(NULL, 1 /* force removal */)
722
723 /**
724 * lookup a dynamic rule.
725 */
726 static struct ipfw_dyn_rule *
727 lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction)
728 {
729 /*
730 * stateful ipfw extensions.
731 * Lookup into dynamic session queue
732 */
733 struct ipfw_dyn_rule *prev, *q ;
734 int i, dir = 0;
735 #define MATCH_FORWARD 1
736
737 if (ipfw_dyn_v == NULL)
738 return NULL ;
739 i = hash_packet( pkt );
740 for (prev=NULL, q = ipfw_dyn_v[i] ; q != NULL ; ) {
741 if (q->dyn_type == DYN_LIMIT_PARENT)
742 goto next;
743 if (TIME_LEQ( q->expire , time_second ) ) { /* expire entry */
744 UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
745 continue;
746 }
747 if ( pkt->proto == q->id.proto) {
748 if (pkt->src_ip == q->id.src_ip &&
749 pkt->dst_ip == q->id.dst_ip &&
750 pkt->src_port == q->id.src_port &&
751 pkt->dst_port == q->id.dst_port ) {
752 dir = MATCH_FORWARD ;
753 goto found ;
754 }
755 if (pkt->src_ip == q->id.dst_ip &&
756 pkt->dst_ip == q->id.src_ip &&
757 pkt->src_port == q->id.dst_port &&
758 pkt->dst_port == q->id.src_port ) {
759 dir = 0 ; /* reverse match */
760 goto found ;
761 }
762 }
763 next:
764 prev = q ;
765 q = q->next ;
766 }
767 return NULL ; /* clearly not found */
768 found:
769 if ( prev != NULL) { /* found and not in front */
770 prev->next = q->next ;
771 q->next = ipfw_dyn_v[i] ;
772 ipfw_dyn_v[i] = q ;
773 }
774 if (pkt->proto == IPPROTO_TCP) {
775 /* update state according to flags */
776 u_char flags = pkt->flags & (TH_FIN|TH_SYN|TH_RST);
777 q->state |= (dir == MATCH_FORWARD ) ? flags : (flags << 8);
778 switch (q->state) {
779 case TH_SYN :
780 /* opening */
781 q->expire = time_second + dyn_syn_lifetime ;
782 break ;
783 case TH_SYN | (TH_SYN << 8) :
784 /* move to established */
785 q->expire = time_second + dyn_ack_lifetime ;
786 break ;
787 case TH_SYN | (TH_SYN << 8) | TH_FIN :
788 case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8) :
789 /* one side tries to close */
790 q->expire = time_second + dyn_ack_lifetime ;
791 break ;
792 case TH_SYN | (TH_SYN << 8) | TH_FIN | (TH_FIN << 8) :
793 /* both sides closed */
794 q->expire = time_second + dyn_fin_lifetime ;
795 break ;
796 default:
797 #if 0
798 /*
799 * reset or some invalid combination, but can also
800 * occur if we use keep-state the wrong way.
801 */
802 if ( (q->state & ((TH_RST << 8)|TH_RST)) == 0)
803 printf("invalid state: 0x%x\n", q->state);
804 #endif
805 q->expire = time_second + dyn_rst_lifetime ;
806 break ;
807 }
808 } else if (pkt->proto == IPPROTO_UDP) {
809 q->expire = time_second + dyn_udp_lifetime ;
810 } else {
811 /* other protocols */
812 q->expire = time_second + dyn_short_lifetime ;
813 }
814 if (match_direction)
815 *match_direction = dir ;
816 return q ;
817 }
818
819 /**
820 * Install state of type 'type' for a dynamic session.
821 * The hash table contains two type of rules:
822 * - regular rules (DYN_KEEP_STATE)
823 * - rules for sessions with limited number of sess per user
824 * (DYN_LIMIT). When they are created, the parent is
825 * increased by 1, and decreased on delete. In this case,
826 * the third parameter is the parent rule and not the chain.
827 * - "parent" rules for the above (DYN_LIMIT_PARENT).
828 */
829
830 static struct ipfw_dyn_rule *
831 add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
832 {
833 struct ipfw_dyn_rule *r ;
834
835 int i ;
836 if (ipfw_dyn_v == NULL ||
837 (dyn_count == 0 && dyn_buckets != curr_dyn_buckets)) {
838 /* try reallocation, make sure we have a power of 2 */
839 u_int32_t i = dyn_buckets ;
840 while ( i > 0 && (i & 1) == 0 )
841 i >>= 1 ;
842 if (i != 1) /* not a power of 2 */
843 dyn_buckets = curr_dyn_buckets ; /* reset */
844 else {
845 curr_dyn_buckets = dyn_buckets ;
846 if (ipfw_dyn_v != NULL)
847 free(ipfw_dyn_v, M_IPFW);
848 ipfw_dyn_v = malloc(curr_dyn_buckets * sizeof r,
849 M_IPFW, M_DONTWAIT | M_ZERO);
850 if (ipfw_dyn_v == NULL)
851 return NULL; /* failed ! */
852 }
853 }
854 i = hash_packet(id);
855
856 r = malloc(sizeof *r, M_IPFW, M_DONTWAIT | M_ZERO);
857 if (r == NULL) {
858 printf ("sorry cannot allocate state\n");
859 return NULL ;
860 }
861
862 /* increase refcount on parent, and set pointer */
863 if (dyn_type == DYN_LIMIT) {
864 struct ipfw_dyn_rule *parent = (struct ipfw_dyn_rule *)rule;
865 if ( parent->dyn_type != DYN_LIMIT_PARENT)
866 panic("invalid parent");
867 parent->count++ ;
868 r->parent = parent ;
869 rule = parent->rule;
870 }
871
872 r->id = *id ;
873 r->expire = time_second + dyn_syn_lifetime ;
874 r->rule = rule ;
875 r->dyn_type = dyn_type ;
876 r->pcnt = r->bcnt = 0 ;
877 r->count = 0 ;
878
879 r->bucket = i ;
880 r->next = ipfw_dyn_v[i] ;
881 ipfw_dyn_v[i] = r ;
882 dyn_count++ ;
883 DEB(printf("-- add entry 0x%08x %d -> 0x%08x %d, total %d\n",
884 (r->id.src_ip), (r->id.src_port),
885 (r->id.dst_ip), (r->id.dst_port),
886 dyn_count ); )
887 return r;
888 }
889
890 /**
891 * lookup dynamic parent rule using pkt and rule as search keys.
892 * If the lookup fails, then install one.
893 */
894 static struct ipfw_dyn_rule *
895 lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule)
896 {
897 struct ipfw_dyn_rule *q;
898 int i;
899
900 if (ipfw_dyn_v) {
901 i = hash_packet( pkt );
902 for (q = ipfw_dyn_v[i] ; q != NULL ; q=q->next)
903 if (q->dyn_type == DYN_LIMIT_PARENT && rule == q->rule &&
904 pkt->proto == q->id.proto &&
905 pkt->src_ip == q->id.src_ip &&
906 pkt->dst_ip == q->id.dst_ip &&
907 pkt->src_port == q->id.src_port &&
908 pkt->dst_port == q->id.dst_port) {
909 q->expire = time_second + dyn_short_lifetime ;
910 DEB(printf("lookup_dyn_parent found 0x%p\n", q);)
911 return q;
912 }
913 }
914 return add_dyn_rule(pkt, DYN_LIMIT_PARENT, rule);
915 }
916
917 /*
918 * Install dynamic state.
919 * There are different types of dynamic rules which can be installed.
920 * The type is in rule->dyn_type.
921 * Type 0 (default) is a bidirectional rule
922 *
923 * Returns 1 (failure) if state is not installed because of errors or because
924 * session limitations are enforced.
925 */
926 static int
927 install_state(struct ip_fw *rule, struct ip_fw_args *args)
928 {
929 struct ipfw_dyn_rule *q ;
930 static int last_log ;
931
932 u_int8_t type = rule->dyn_type ;
933
934 DEB(printf("-- install state type %d 0x%08x %u -> 0x%08x %u\n",
935 type,
936 (args->f_id.src_ip), (args->f_id.src_port),
937 (args->f_id.dst_ip), (args->f_id.dst_port) );)
938
939 q = lookup_dyn_rule(&args->f_id, NULL) ;
940 if (q != NULL) { /* should never occur */
941 if (last_log != time_second) {
942 last_log = time_second ;
943 printf(" entry already present, done\n");
944 }
945 return 0 ;
946 }
947 if (dyn_count >= dyn_max) /* try remove old ones... */
948 EXPIRE_DYN_CHAINS();
949 if (dyn_count >= dyn_max) {
950 if (last_log != time_second) {
951 last_log = time_second ;
952 printf(" Too many dynamic rules, sorry\n");
953 }
954 return 1; /* cannot install, notify caller */
955 }
956
957 switch (type) {
958 case DYN_KEEP_STATE: /* bidir rule */
959 add_dyn_rule(&args->f_id, DYN_KEEP_STATE, rule);
960 break ;
961 case DYN_LIMIT: /* limit number of sessions */
962 {
963 u_int16_t limit_mask = rule->limit_mask ;
964 u_int16_t conn_limit = rule->conn_limit ;
965 struct ipfw_flow_id id;
966 struct ipfw_dyn_rule *parent;
967
968 DEB(printf("installing dyn-limit rule %d\n", conn_limit);)
969
970 id.dst_ip = id.src_ip = 0;
971 id.dst_port = id.src_port = 0 ;
972 id.proto = args->f_id.proto ;
973
974 if (limit_mask & DYN_SRC_ADDR)
975 id.src_ip = args->f_id.src_ip;
976 if (limit_mask & DYN_DST_ADDR)
977 id.dst_ip = args->f_id.dst_ip;
978 if (limit_mask & DYN_SRC_PORT)
979 id.src_port = args->f_id.src_port;
980 if (limit_mask & DYN_DST_PORT)
981 id.dst_port = args->f_id.dst_port;
982 parent = lookup_dyn_parent(&id, rule);
983 if (parent == NULL) {
984 printf("add parent failed\n");
985 return 1;
986 }
987 if (parent->count >= conn_limit) {
988 EXPIRE_DYN_CHAIN(rule); /* try to expire some */
989 /*
990 * The expiry might have removed the parent too.
991 * We lookup again, which will re-create if necessary.
992 */
993 parent = lookup_dyn_parent(&id, rule);
994 if (parent == NULL) {
995 printf("add parent failed\n");
996 return 1;
997 }
998 if (parent->count >= conn_limit) {
999 if (fw_verbose && last_log != time_second) {
1000 last_log = time_second;
1001 log(LOG_SECURITY | LOG_DEBUG,
1002 "drop session, too many entries\n");
1003 }
1004 return 1;
1005 }
1006 }
1007 add_dyn_rule(&args->f_id, DYN_LIMIT, (struct ip_fw *)parent);
1008 }
1009 break ;
1010 default:
1011 printf("unknown dynamic rule type %u\n", type);
1012 return 1 ;
1013 }
1014 lookup_dyn_rule(&args->f_id, NULL) ; /* XXX just set the lifetime */
1015 return 0;
1016 }
1017
1018 /*
1019 * given an ip_fw *, lookup_next_rule will return a pointer
1020 * of the same type to the next one. This can be either the jump
1021 * target (for skipto instructions) or the next one in the list (in
1022 * all other cases including a missing jump target).
1023 * Backward jumps are not allowed, so start looking from the next
1024 * rule...
1025 */
1026 static struct ip_fw * lookup_next_rule(struct ip_fw *me);
1027
1028 static struct ip_fw *
1029 lookup_next_rule(struct ip_fw *me)
1030 {
1031 struct ip_fw *rule ;
1032 int rulenum = me->fw_skipto_rule ; /* guess... */
1033
1034 if ( (me->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_SKIPTO )
1035 for (rule = LIST_NEXT(me,next); rule ; rule = LIST_NEXT(rule,next))
1036 if (rule->fw_number >= rulenum)
1037 return rule ;
1038 return LIST_NEXT(me,next) ; /* failure or not a skipto */
1039 }
1040
1041 /*
1042 * Parameters:
1043 *
1044 * *m The packet; we set to NULL when/if we nuke it.
1045 * oif Outgoing interface, or NULL if packet is incoming
1046 * *cookie Skip up to the first rule past this rule number;
1047 * upon return, non-zero port number for divert or tee.
1048 * Special case: cookie == NULL on input for bridging.
1049 * *flow_id pointer to the last matching rule (in/out)
1050 * *next_hop socket we are forwarding to (in/out).
1051 *
1052 * Return value:
1053 *
1054 * IP_FW_PORT_DENY_FLAG the packet must be dropped.
1055 * 0 The packet is to be accepted and routed normally OR
1056 * the packet was denied/rejected and has been dropped;
1057 * in the latter case, *m is equal to NULL upon return.
1058 * port Divert the packet to port, with these caveats:
1059 *
1060 * - If IP_FW_PORT_TEE_FLAG is set, tee the packet instead
1061 * of diverting it (ie, 'ipfw tee').
1062 *
1063 * - If IP_FW_PORT_DYNT_FLAG is set, interpret the lower
1064 * 16 bits as a dummynet pipe number instead of diverting
1065 */
1066
1067 static int
1068 ip_fw_chk(struct ip_fw_args *args)
1069 {
1070 /*
1071 * grab things into variables to minimize diffs.
1072 * XXX this has to be cleaned up later.
1073 */
1074 struct mbuf **m = &(args->m);
1075 struct ifnet *oif = args->oif;
1076 u_int16_t *cookie = &(args->divert_rule);
1077 struct ip_fw **flow_id = &(args->rule);
1078 struct sockaddr_in **next_hop = &(args->next_hop);
1079
1080 struct ip_fw *f = NULL; /* matching rule */
1081 struct ip *ip = mtod(*m, struct ip *);
1082 struct ifnet *const rif = (*m)->m_pkthdr.rcvif;
1083 struct ifnet *tif;
1084 u_int hlen = 0;
1085
1086 u_short ip_off=0, offset = 0;
1087 /* local copy of addresses for faster matching */
1088 u_short src_port = 0, dst_port = 0;
1089 struct in_addr src_ip, dst_ip;
1090 u_int8_t proto= 0, flags = 0;
1091 u_int16_t skipto;
1092 u_int16_t ip_len=0;
1093
1094 int dyn_checked = 0 ; /* set after dyn.rules have been checked. */
1095 int direction = MATCH_FORWARD ; /* dirty trick... */
1096 struct ipfw_dyn_rule *q = NULL ;
1097
1098 /* Special hack for bridging (as usual) */
1099 #define BRIDGED (args->eh != NULL)
1100 if (BRIDGED) { /* this is a bridged packet */
1101 if ( (*m)->m_pkthdr.len >= sizeof(struct ip) &&
1102 ntohs(args->eh->ether_type) == ETHERTYPE_IP)
1103 hlen = ip->ip_hl << 2;
1104 else
1105 return 0; /* XXX ipfw1 always accepts non-ip pkts */
1106 } else
1107 hlen = ip->ip_hl << 2;
1108
1109 /* Grab and reset cookie */
1110 skipto = *cookie;
1111 *cookie = 0;
1112
1113 #define PULLUP_TO(len) do { \
1114 if ((*m)->m_len < (len)) { \
1115 if ((*m = m_pullup(*m, (len))) == 0) \
1116 goto bogusfrag; \
1117 ip = mtod(*m, struct ip *); \
1118 } \
1119 } while (0)
1120
1121 if (hlen > 0) { /* this is an IP packet */
1122 /*
1123 * Collect parameters into local variables for faster matching.
1124 */
1125 proto = ip->ip_p;
1126 src_ip = ip->ip_src;
1127 dst_ip = ip->ip_dst;
1128 if (BRIDGED) { /* bridged packets are as on the wire */
1129 ip_off = ntohs(ip->ip_off);
1130 ip_len = ntohs(ip->ip_len);
1131 } else {
1132 ip_off = ip->ip_off;
1133 ip_len = ip->ip_len;
1134 }
1135 offset = ip_off & IP_OFFMASK;
1136 if (offset == 0) {
1137 switch (proto) {
1138 case IPPROTO_TCP : {
1139 struct tcphdr *tcp;
1140
1141 PULLUP_TO(hlen + sizeof(struct tcphdr));
1142 tcp =(struct tcphdr *)((u_int32_t *)ip + ip->ip_hl);
1143 dst_port = tcp->th_dport ;
1144 src_port = tcp->th_sport ;
1145 flags = tcp->th_flags ;
1146 }
1147 break ;
1148
1149 case IPPROTO_UDP : {
1150 struct udphdr *udp;
1151
1152 PULLUP_TO(hlen + sizeof(struct udphdr));
1153 udp =(struct udphdr *)((u_int32_t *)ip + ip->ip_hl);
1154 dst_port = udp->uh_dport ;
1155 src_port = udp->uh_sport ;
1156 }
1157 break;
1158
1159 case IPPROTO_ICMP:
1160 PULLUP_TO(hlen + 4); /* type, code and checksum. */
1161 flags = ((struct icmp *)
1162 ((u_int32_t *)ip + ip->ip_hl))->icmp_type ;
1163 break ;
1164
1165 default :
1166 break;
1167 }
1168 }
1169 }
1170 #undef PULLUP_TO
1171 args->f_id.src_ip = ntohl(src_ip.s_addr);
1172 args->f_id.dst_ip = ntohl(dst_ip.s_addr);
1173 args->f_id.proto = proto;
1174 args->f_id.src_port = ntohs(src_port);
1175 args->f_id.dst_port = ntohs(dst_port);
1176 args->f_id.flags = flags;
1177
1178 if (*flow_id) {
1179 /*
1180 * Packet has already been tagged. Look for the next rule
1181 * to restart processing.
1182 */
1183 if (fw_one_pass) /* just accept if fw_one_pass is set */
1184 return 0;
1185
1186 f = (*flow_id)->next_rule_ptr ;
1187 if (f == NULL)
1188 f = (*flow_id)->next_rule_ptr = lookup_next_rule(*flow_id);
1189 if (f == NULL)
1190 goto dropit;
1191 } else {
1192 /*
1193 * Go down the list, looking for enlightment.
1194 * If we've been asked to start at a given rule, do so.
1195 */
1196 f = LIST_FIRST(&ip_fw_chain_head);
1197 if (skipto != 0) {
1198 if (skipto >= IPFW_DEFAULT_RULE)
1199 goto dropit;
1200 while (f && f->fw_number <= skipto)
1201 f = LIST_NEXT(f, next);
1202 if (f == NULL)
1203 goto dropit;
1204 }
1205 }
1206
1207 for (; f; f = LIST_NEXT(f, next)) {
1208 again:
1209 if (f->fw_number == IPFW_DEFAULT_RULE)
1210 goto got_match ;
1211
1212 /*
1213 * dynamic rules are checked at the first keep-state or
1214 * check-state occurrence.
1215 */
1216 if (f->fw_flg & (IP_FW_F_KEEP_S|IP_FW_F_CHECK_S) &&
1217 dyn_checked == 0 ) {
1218 dyn_checked = 1 ;
1219 q = lookup_dyn_rule(&args->f_id, &direction);
1220 if (q != NULL) {
1221 DEB(printf("-- dynamic match 0x%08x %d %s 0x%08x %d\n",
1222 (q->id.src_ip), (q->id.src_port),
1223 (direction == MATCH_FORWARD ? "-->" : "<--"),
1224 (q->id.dst_ip), (q->id.dst_port) ); )
1225 f = q->rule ;
1226 q->pcnt++ ;
1227 q->bcnt += ip_len;
1228 goto got_match ; /* random not allowed here */
1229 }
1230 /* if this was a check-only rule, continue with next */
1231 if (f->fw_flg & IP_FW_F_CHECK_S)
1232 continue ;
1233 }
1234
1235 /* Check if rule only valid for bridged packets */
1236 if ((f->fw_flg & IP_FW_BRIDGED) != 0 && !(BRIDGED))
1237 continue;
1238
1239 if (oif) {
1240 /* Check direction outbound */
1241 if (!(f->fw_flg & IP_FW_F_OUT))
1242 continue;
1243 } else {
1244 /* Check direction inbound */
1245 if (!(f->fw_flg & IP_FW_F_IN))
1246 continue;
1247 }
1248
1249 /* Fragments */
1250 if ((f->fw_flg & IP_FW_F_FRAG) && offset == 0 )
1251 continue;
1252
1253 if (f->fw_flg & IP_FW_F_SME) {
1254 INADDR_TO_IFP(src_ip, tif);
1255 if (tif == NULL)
1256 continue;
1257 }
1258 if (f->fw_flg & IP_FW_F_DME) {
1259 INADDR_TO_IFP(dst_ip, tif);
1260 if (tif == NULL)
1261 continue;
1262 }
1263 /* If src-addr doesn't match, not this rule. */
1264 if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr
1265 & f->fw_smsk.s_addr) != f->fw_src.s_addr))
1266 continue;
1267
1268 /* If dest-addr doesn't match, not this rule. */
1269 if (((f->fw_flg & IP_FW_F_INVDST) != 0) ^ ((dst_ip.s_addr
1270 & f->fw_dmsk.s_addr) != f->fw_dst.s_addr))
1271 continue;
1272
1273 /* Interface check */
1274 if ((f->fw_flg & IF_FW_F_VIAHACK) == IF_FW_F_VIAHACK) {
1275 struct ifnet *const iface = oif ? oif : rif;
1276
1277 /* Backwards compatibility hack for "via" */
1278 if (!iface || !iface_match(iface,
1279 &f->fw_in_if, f->fw_flg & IP_FW_F_OIFNAME))
1280 continue;
1281 } else {
1282 /* Check receive interface */
1283 if ((f->fw_flg & IP_FW_F_IIFACE)
1284 && (!rif || !iface_match(rif,
1285 &f->fw_in_if, f->fw_flg & IP_FW_F_IIFNAME)))
1286 continue;
1287 /* Check outgoing interface */
1288 if ((f->fw_flg & IP_FW_F_OIFACE)
1289 && (!oif || !iface_match(oif,
1290 &f->fw_out_if, f->fw_flg & IP_FW_F_OIFNAME)))
1291 continue;
1292 }
1293
1294 /* Check IP options */
1295 if (f->fw_ipopt != f->fw_ipnopt && !ipopts_match(ip, f))
1296 continue;
1297
1298 /* Check protocol; if wildcard, and no [ug]id, match */
1299 if (f->fw_prot == IPPROTO_IP) {
1300 if (!(f->fw_flg & (IP_FW_F_UID|IP_FW_F_GID)))
1301 goto rnd_then_got_match;
1302 } else
1303 /* If different, don't match */
1304 if (proto != f->fw_prot)
1305 continue;
1306
1307 /* Protocol specific checks for uid only */
1308 if (f->fw_flg & (IP_FW_F_UID|IP_FW_F_GID)) {
1309 switch (proto) {
1310 case IPPROTO_TCP:
1311 {
1312 struct inpcb *P;
1313
1314 if (offset == 1) /* cf. RFC 1858 */
1315 goto bogusfrag;
1316 if (offset != 0)
1317 continue;
1318
1319 if (oif)
1320 P = in_pcblookup_hash(&tcbinfo, dst_ip,
1321 dst_port, src_ip, src_port, 0,
1322 oif);
1323 else
1324 P = in_pcblookup_hash(&tcbinfo, src_ip,
1325 src_port, dst_ip, dst_port, 0,
1326 NULL);
1327
1328 if (P && P->inp_socket) {
1329 if (f->fw_flg & IP_FW_F_UID) {
1330 if (P->inp_socket->so_cred->cr_uid !=
1331 f->fw_uid)
1332 continue;
1333 } else if (!groupmember(f->fw_gid,
1334 P->inp_socket->so_cred))
1335 continue;
1336 } else
1337 continue;
1338 break;
1339 }
1340
1341 case IPPROTO_UDP:
1342 {
1343 struct inpcb *P;
1344
1345 if (offset != 0)
1346 continue;
1347
1348 if (oif)
1349 P = in_pcblookup_hash(&udbinfo, dst_ip,
1350 dst_port, src_ip, src_port, 1,
1351 oif);
1352 else
1353 P = in_pcblookup_hash(&udbinfo, src_ip,
1354 src_port, dst_ip, dst_port, 1,
1355 NULL);
1356
1357 if (P && P->inp_socket) {
1358 if (f->fw_flg & IP_FW_F_UID) {
1359 if (P->inp_socket->so_cred->cr_uid !=
1360 f->fw_uid)
1361 continue;
1362 } else if (!groupmember(f->fw_gid,
1363 P->inp_socket->so_cred))
1364 continue;
1365 } else
1366 continue;
1367 break;
1368 }
1369
1370 default:
1371 continue;
1372 }
1373 }
1374
1375 /* Protocol specific checks */
1376 switch (proto) {
1377 case IPPROTO_TCP:
1378 {
1379 struct tcphdr *tcp;
1380
1381 if (offset == 1) /* cf. RFC 1858 */
1382 goto bogusfrag;
1383 if (offset != 0) {
1384 /*
1385 * TCP flags and ports aren't available in this
1386 * packet -- if this rule specified either one,
1387 * we consider the rule a non-match.
1388 */
1389 if (IP_FW_HAVEPORTS(f) != 0 ||
1390 f->fw_tcpopt != f->fw_tcpnopt ||
1391 f->fw_tcpf != f->fw_tcpnf)
1392 continue;
1393
1394 break;
1395 }
1396 tcp = (struct tcphdr *) ((u_int32_t *)ip + ip->ip_hl);
1397
1398 if (f->fw_tcpopt != f->fw_tcpnopt && !tcpopts_match(tcp, f))
1399 continue;
1400 if (((f->fw_tcpf != f->fw_tcpnf) ||
1401 (f->fw_ipflg & IP_FW_IF_TCPEST)) &&
1402 !tcpflg_match(tcp, f))
1403 continue;
1404 goto check_ports;
1405 }
1406
1407 case IPPROTO_UDP:
1408 if (offset != 0) {
1409 /*
1410 * Port specification is unavailable -- if this
1411 * rule specifies a port, we consider the rule
1412 * a non-match.
1413 */
1414 if (IP_FW_HAVEPORTS(f) )
1415 continue;
1416
1417 break;
1418 }
1419 check_ports:
1420 if (!port_match(&f->fw_uar.fw_pts[0],
1421 IP_FW_GETNSRCP(f), ntohs(src_port),
1422 f->fw_flg & IP_FW_F_SRNG,
1423 f->fw_flg & IP_FW_F_SMSK))
1424 continue;
1425 if (!port_match(&f->fw_uar.fw_pts[IP_FW_GETNSRCP(f)],
1426 IP_FW_GETNDSTP(f), ntohs(dst_port),
1427 f->fw_flg & IP_FW_F_DRNG,
1428 f->fw_flg & IP_FW_F_DMSK))
1429 continue;
1430 break;
1431
1432 case IPPROTO_ICMP:
1433 {
1434 struct icmp *icmp;
1435
1436 if (offset != 0) /* Type isn't valid */
1437 break;
1438 icmp = (struct icmp *) ((u_int32_t *)ip + ip->ip_hl);
1439 if (!icmptype_match(icmp, f))
1440 continue;
1441 break;
1442 }
1443
1444 default:
1445 break;
1446
1447 bogusfrag:
1448 if (fw_verbose) {
1449 if (m != NULL)
1450 ipfw_report(NULL, ip, ip_off, ip_len, rif, oif);
1451 else
1452 printf("pullup failed\n");
1453 }
1454 goto dropit;
1455
1456 }
1457
1458 rnd_then_got_match:
1459 if ( f->dont_match_prob && random() < f->dont_match_prob )
1460 continue ;
1461 got_match:
1462 /*
1463 * If not a dynamic match (q == NULL) and keep-state, install
1464 * a new dynamic entry.
1465 */
1466 if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S) {
1467 if (install_state(f, args)) /* error or limit violation */
1468 goto dropit;
1469 }
1470 /* Update statistics */
1471 f->fw_pcnt += 1;
1472 f->fw_bcnt += ip_len;
1473 f->timestamp = time_second;
1474
1475 /* Log to console if desired */
1476 if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose && hlen > 0)
1477 ipfw_report(f, ip, offset, ip_len, rif, oif);
1478
1479 /* Take appropriate action */
1480 switch (f->fw_flg & IP_FW_F_COMMAND) {
1481 case IP_FW_F_ACCEPT:
1482 return(0);
1483 case IP_FW_F_COUNT:
1484 continue;
1485 #ifdef IPDIVERT
1486 case IP_FW_F_DIVERT:
1487 *cookie = f->fw_number;
1488 return(f->fw_divert_port);
1489 case IP_FW_F_TEE:
1490 *cookie = f->fw_number;
1491 return(f->fw_divert_port | IP_FW_PORT_TEE_FLAG);
1492 #endif
1493 case IP_FW_F_SKIPTO: /* XXX check */
1494 if (f->next_rule_ptr == NULL)
1495 f->next_rule_ptr = lookup_next_rule(f) ;
1496 f = f->next_rule_ptr;
1497 if (!f)
1498 goto dropit;
1499 goto again ;
1500
1501 case IP_FW_F_PIPE:
1502 case IP_FW_F_QUEUE:
1503 *flow_id = f ; /* XXX set flow id */
1504 return(f->fw_pipe_nr | IP_FW_PORT_DYNT_FLAG);
1505
1506 case IP_FW_F_FWD:
1507 /* Change the next-hop address for this packet.
1508 * Initially we'll only worry about directly
1509 * reachable next-hop's, but ultimately
1510 * we will work out for next-hops that aren't
1511 * direct the route we would take for it. We
1512 * [cs]ould leave this latter problem to
1513 * ip_output.c. We hope to high [name the abode of
1514 * your favourite deity] that ip_output doesn't modify
1515 * the new value of next_hop (which is dst there)
1516 * XXX warning-- there is a dangerous reference here
1517 * from next_hop to a field within the rule. If the
1518 * rule is deleted, weird things might occur.
1519 */
1520 if (next_hop != NULL /* Make sure, first... */
1521 && (q == NULL || direction == MATCH_FORWARD) )
1522 *next_hop = &(f->fw_fwd_ip);
1523 return(0); /* Allow the packet */
1524
1525 }
1526
1527 /* Deny/reject this packet using this rule */
1528 break;
1529 }
1530
1531 /* Rule IPFW_DEFAULT_RULE should always be there and match */
1532 KASSERT(f != NULL, ("ip_fw: no chain"));
1533
1534 /*
1535 * At this point, we're going to drop the packet.
1536 * Send a reject notice if all of the following are true:
1537 *
1538 * - The packet matched a reject rule
1539 * - The packet is not an ICMP packet, or is an ICMP query packet
1540 * - The packet is not a multicast or broadcast packet
1541 */
1542 if ((f->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_REJECT
1543 && (proto != IPPROTO_ICMP || is_icmp_query(ip))
1544 && !((*m)->m_flags & (M_BCAST|M_MCAST))
1545 && !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
1546 /* Must convert to host order for icmp_error() etc. */
1547 if (BRIDGED) {
1548 ip->ip_len = ntohs(ip->ip_len);
1549 ip->ip_off = ntohs(ip->ip_off);
1550 }
1551 switch (f->fw_reject_code) {
1552 case IP_FW_REJECT_RST:
1553 {
1554 /* XXX warning, this code writes into the mbuf */
1555 struct tcphdr *const tcp =
1556 (struct tcphdr *) ((u_int32_t *)ip + ip->ip_hl);
1557 struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip;
1558
1559 if (offset != 0 || (tcp->th_flags & TH_RST))
1560 break;
1561 ti.ti_i = *((struct ipovly *) ip);
1562 ti.ti_t = *tcp;
1563 bcopy(&ti, ip, sizeof(ti));
1564 NTOHL(tip->ti_seq);
1565 NTOHL(tip->ti_ack);
1566 tip->ti_len = ip_len - hlen - (tip->ti_off << 2);
1567 if (tcp->th_flags & TH_ACK) {
1568 tcp_respond(NULL, (void *)ip, tcp, *m,
1569 (tcp_seq)0, tcp->th_ack, TH_RST);
1570 } else {
1571 if (tcp->th_flags & TH_SYN)
1572 tip->ti_len++;
1573 tcp_respond(NULL, (void *)ip, tcp, *m,
1574 tip->ti_seq + tip->ti_len,
1575 (tcp_seq)0, TH_RST|TH_ACK);
1576 }
1577 *m = NULL;
1578 break;
1579 }
1580 default: /* Send an ICMP unreachable using code */
1581 icmp_error(*m, ICMP_UNREACH,
1582 f->fw_reject_code, 0L, 0);
1583 *m = NULL;
1584 break;
1585 }
1586 }
1587
1588 dropit:
1589 /*
1590 * Finally, drop the packet.
1591 */
1592 return(IP_FW_PORT_DENY_FLAG);
1593 #undef BRIDGED
1594 }
1595
1596 /*
1597 * when a rule is added/deleted, zero the direct pointers within
1598 * all firewall rules. These will be reconstructed on the fly
1599 * as packets are matched.
1600 * Must be called at splimp().
1601 */
1602 static void
1603 flush_rule_ptrs()
1604 {
1605 struct ip_fw *fcp ;
1606
1607 LIST_FOREACH(fcp, &ip_fw_chain_head, next) {
1608 fcp->next_rule_ptr = NULL ;
1609 }
1610 }
1611
1612 void
1613 flush_pipe_ptrs(struct dn_flow_set *match)
1614 {
1615 struct ip_fw *fcp ;
1616
1617 LIST_FOREACH(fcp, &ip_fw_chain_head, next) {
1618 if (match == NULL || fcp->pipe_ptr == match)
1619 fcp->pipe_ptr = NULL;
1620 }
1621 }
1622
1623 static int
1624 add_entry(struct ip_fw_head *head, struct ip_fw *rule)
1625 {
1626 struct ip_fw *ftmp, *fcp, *fcpl;
1627 u_short nbr = 0;
1628 int s;
1629
1630 ftmp = malloc(sizeof *ftmp, M_IPFW, M_DONTWAIT | M_ZERO);
1631 if (!ftmp)
1632 return (ENOSPC);
1633 bcopy(rule, ftmp, sizeof(*ftmp));
1634
1635 ftmp->fw_in_if.fu_via_if.name[FW_IFNLEN - 1] = '\0';
1636 ftmp->fw_pcnt = 0L;
1637 ftmp->fw_bcnt = 0L;
1638 ftmp->next_rule_ptr = NULL ;
1639 ftmp->pipe_ptr = NULL ;
1640
1641 s = splimp();
1642
1643 if (LIST_FIRST(head) == 0) {
1644 LIST_INSERT_HEAD(head, ftmp, next);
1645 goto done;
1646 }
1647
1648 /* If entry number is 0, find highest numbered rule and add 100 */
1649 if (ftmp->fw_number == 0) {
1650 LIST_FOREACH(fcp, head, next) {
1651 if (fcp->fw_number != IPFW_DEFAULT_RULE)
1652 nbr = fcp->fw_number;
1653 else
1654 break;
1655 }
1656 if (nbr < IPFW_DEFAULT_RULE - 100)
1657 nbr += 100;
1658 ftmp->fw_number = rule->fw_number = nbr;
1659 }
1660
1661 /* Got a valid number; now insert it, keeping the list ordered */
1662 fcpl = NULL ;
1663 LIST_FOREACH(fcp, head, next) {
1664 if (fcp->fw_number > ftmp->fw_number) {
1665 if (fcpl) {
1666 LIST_INSERT_AFTER(fcpl, ftmp, next);
1667 } else {
1668 LIST_INSERT_HEAD(head, ftmp, next);
1669 }
1670 break;
1671 } else {
1672 fcpl = fcp;
1673 }
1674 }
1675 flush_rule_ptrs();
1676 done:
1677 static_count++;
1678 splx(s);
1679 DEB(printf("++ installed rule %d, static count now %d\n",
1680 ftmp->fw_number, static_count);)
1681 return (0);
1682 }
1683
1684 /**
1685 * free storage associated with a static rule entry (including
1686 * dependent dynamic rules), and zeroes rule pointers to avoid
1687 * dangling pointer dereferences.
1688 * @return a pointer to the next entry.
1689 * Must be called at splimp() and with a non-null argument.
1690 */
1691 static struct ip_fw *
1692 free_chain(struct ip_fw *fcp)
1693 {
1694 struct ip_fw *n;
1695
1696 n = LIST_NEXT(fcp, next);
1697 DELETE_DYN_CHAIN(fcp);
1698 LIST_REMOVE(fcp, next);
1699 static_count--;
1700 if (DUMMYNET_LOADED)
1701 ip_dn_ruledel_ptr(fcp) ;
1702 flush_rule_ptrs(); /* more efficient to do outside the loop */
1703 free(fcp, M_IPFW);
1704 return n;
1705 }
1706
1707 /**
1708 * remove all rules with given number.
1709 */
1710 static int
1711 del_entry(struct ip_fw_head *chainptr, u_short number)
1712 {
1713 struct ip_fw *rule;
1714
1715 if (number != IPFW_DEFAULT_RULE) {
1716 LIST_FOREACH(rule, chainptr, next) {
1717 if (rule->fw_number == number) {
1718 int s ;
1719
1720 s = splimp(); /* prevent access to rules while removing */
1721 while (rule && rule->fw_number == number)
1722 rule = free_chain(rule);
1723 /* XXX could move flush_rule_ptrs() here */
1724 splx(s);
1725 return 0 ;
1726 }
1727 }
1728 }
1729 return (EINVAL);
1730 }
1731
1732 /**
1733 * Reset some or all counters on firewall rules.
1734 * @arg frwl is null to clear all entries, or contains a specific
1735 * rule number.
1736 * @arg log_only is 1 if we only want to reset logs, zero otherwise.
1737 */
1738
1739 static int
1740 zero_entry(struct ip_fw *frwl, int log_only)
1741 {
1742 struct ip_fw *rule;
1743 int s;
1744 u_short number = 0 ;
1745 char *msg ;
1746
1747 if (frwl == 0) {
1748 s = splimp();
1749 LIST_FOREACH(rule, &ip_fw_chain_head, next) {
1750 if (log_only == 0) {
1751 rule->fw_bcnt = rule->fw_pcnt = 0;
1752 rule->timestamp = 0;
1753 }
1754 rule->fw_loghighest = rule->fw_pcnt+rule->fw_logamount;
1755 }
1756 splx(s);
1757 msg = log_only ? "ipfw: All logging counts cleared.\n" :
1758 "ipfw: Accounting cleared.\n";
1759 } else {
1760 int cleared = 0;
1761 number = frwl->fw_number ;
1762 /*
1763 * It is possible to insert multiple chain entries with the
1764 * same number, so we don't stop after finding the first
1765 * match if zeroing a specific entry.
1766 */
1767 LIST_FOREACH(rule, &ip_fw_chain_head, next)
1768 if (number == rule->fw_number) {
1769 s = splimp();
1770 while (rule && number == rule->fw_number) {
1771 if (log_only == 0) {
1772 rule->fw_bcnt = rule->fw_pcnt = 0;
1773 rule->timestamp = 0;
1774 }
1775 rule->fw_loghighest = rule->fw_pcnt+ rule->fw_logamount;
1776 rule = LIST_NEXT(rule, next);
1777 }
1778 splx(s);
1779 cleared = 1;
1780 break;
1781 }
1782 if (!cleared) /* we did not find any matching rules */
1783 return (EINVAL);
1784 msg = log_only ? "ipfw: Entry %d logging count reset.\n" :
1785 "ipfw: Entry %d cleared.\n";
1786 }
1787 if (fw_verbose)
1788 log(LOG_SECURITY | LOG_NOTICE, msg, number);
1789 return (0);
1790 }
1791
1792 static int
1793 check_ipfw_struct(struct ip_fw *frwl)
1794 {
1795 /* Check for invalid flag bits */
1796 if ((frwl->fw_flg & ~IP_FW_F_MASK) != 0) {
1797 dprintf(("%s undefined flag bits set (flags=%x)\n",
1798 err_prefix, frwl->fw_flg));
1799 return (EINVAL);
1800 }
1801 if (frwl->fw_flg == IP_FW_F_CHECK_S) {
1802 /* check-state */
1803 return 0 ;
1804 }
1805 /* Must apply to incoming or outgoing (or both) */
1806 if (!(frwl->fw_flg & (IP_FW_F_IN | IP_FW_F_OUT))) {
1807 dprintf(("%s neither in nor out\n", err_prefix));
1808 return (EINVAL);
1809 }
1810 /* Empty interface name is no good */
1811 if (((frwl->fw_flg & IP_FW_F_IIFNAME)
1812 && !*frwl->fw_in_if.fu_via_if.name)
1813 || ((frwl->fw_flg & IP_FW_F_OIFNAME)
1814 && !*frwl->fw_out_if.fu_via_if.name)) {
1815 dprintf(("%s empty interface name\n", err_prefix));
1816 return (EINVAL);
1817 }
1818 /* Sanity check interface matching */
1819 if ((frwl->fw_flg & IF_FW_F_VIAHACK) == IF_FW_F_VIAHACK) {
1820 ; /* allow "via" backwards compatibility */
1821 } else if ((frwl->fw_flg & IP_FW_F_IN)
1822 && (frwl->fw_flg & IP_FW_F_OIFACE)) {
1823 dprintf(("%s outgoing interface check on incoming\n",
1824 err_prefix));
1825 return (EINVAL);
1826 }
1827 /* Sanity check port ranges */
1828 if ((frwl->fw_flg & IP_FW_F_SRNG) && IP_FW_GETNSRCP(frwl) < 2) {
1829 dprintf(("%s src range set but n_src_p=%d\n",
1830 err_prefix, IP_FW_GETNSRCP(frwl)));
1831 return (EINVAL);
1832 }
1833 if ((frwl->fw_flg & IP_FW_F_DRNG) && IP_FW_GETNDSTP(frwl) < 2) {
1834 dprintf(("%s dst range set but n_dst_p=%d\n",
1835 err_prefix, IP_FW_GETNDSTP(frwl)));
1836 return (EINVAL);
1837 }
1838 if (IP_FW_GETNSRCP(frwl) + IP_FW_GETNDSTP(frwl) > IP_FW_MAX_PORTS) {
1839 dprintf(("%s too many ports (%d+%d)\n",
1840 err_prefix, IP_FW_GETNSRCP(frwl), IP_FW_GETNDSTP(frwl)));
1841 return (EINVAL);
1842 }
1843 /*
1844 * Protocols other than TCP/UDP don't use port range
1845 */
1846 if ((frwl->fw_prot != IPPROTO_TCP) &&
1847 (frwl->fw_prot != IPPROTO_UDP) &&
1848 (IP_FW_GETNSRCP(frwl) || IP_FW_GETNDSTP(frwl))) {
1849 dprintf(("%s port(s) specified for non TCP/UDP rule\n",
1850 err_prefix));
1851 return (EINVAL);
1852 }
1853
1854 /*
1855 * Rather than modify the entry to make such entries work,
1856 * we reject this rule and require user level utilities
1857 * to enforce whatever policy they deem appropriate.
1858 */
1859 if ((frwl->fw_src.s_addr & (~frwl->fw_smsk.s_addr)) ||
1860 (frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) {
1861 dprintf(("%s rule never matches\n", err_prefix));
1862 return (EINVAL);
1863 }
1864
1865 if ((frwl->fw_flg & IP_FW_F_FRAG) &&
1866 (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) {
1867 if (IP_FW_HAVEPORTS(frwl)) {
1868 dprintf(("%s cannot mix 'frag' and ports\n", err_prefix));
1869 return (EINVAL);
1870 }
1871 if (frwl->fw_prot == IPPROTO_TCP &&
1872 frwl->fw_tcpf != frwl->fw_tcpnf) {
1873 dprintf(("%s cannot mix 'frag' and TCP flags\n", err_prefix));
1874 return (EINVAL);
1875 }
1876 }
1877
1878 /* Check command specific stuff */
1879 switch (frwl->fw_flg & IP_FW_F_COMMAND) {
1880 case IP_FW_F_REJECT:
1881 if (frwl->fw_reject_code >= 0x100
1882 && !(frwl->fw_prot == IPPROTO_TCP
1883 && frwl->fw_reject_code == IP_FW_REJECT_RST)) {
1884 dprintf(("%s unknown reject code\n", err_prefix));
1885 return (EINVAL);
1886 }
1887 break;
1888 #ifdef IPDIVERT
1889 case IP_FW_F_DIVERT: /* Diverting to port zero is invalid */
1890 case IP_FW_F_TEE:
1891 #endif
1892 case IP_FW_F_PIPE: /* pipe 0 is invalid */
1893 case IP_FW_F_QUEUE: /* queue 0 is invalid */
1894 if (frwl->fw_divert_port == 0) {
1895 dprintf(("%s 0 is an invalid argument\n", err_prefix));
1896 return (EINVAL);
1897 }
1898 break;
1899 case IP_FW_F_DENY:
1900 case IP_FW_F_ACCEPT:
1901 case IP_FW_F_COUNT:
1902 case IP_FW_F_SKIPTO:
1903 case IP_FW_F_FWD:
1904 case IP_FW_F_UID:
1905 case IP_FW_F_GID:
1906 break;
1907 default:
1908 dprintf(("%s invalid command\n", err_prefix));
1909 return (EINVAL);
1910 }
1911
1912 return 0;
1913 }
1914
1915 static int
1916 ip_fw_ctl(struct sockopt *sopt)
1917 {
1918 int error, s;
1919 size_t size;
1920 struct ip_fw *fcp;
1921 struct ip_fw frwl, *bp , *buf;
1922
1923 /*
1924 * Disallow modifications in really-really secure mode, but still allow
1925 * the logging counters to be reset.
1926 */
1927 if (securelevel >= 3 && (sopt->sopt_name == IP_FW_ADD ||
1928 (sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)))
1929 return (EPERM);
1930 error = 0;
1931
1932 switch (sopt->sopt_name) {
1933 case IP_FW_GET:
1934 /*
1935 * pass up a copy of the current rules. Static rules
1936 * come first (the last of which has number 65535),
1937 * followed by a possibly empty list of dynamic rule.
1938 * The last dynamic rule has NULL in the "next" field.
1939 */
1940 s = splimp();
1941 /* size of static rules */
1942 size = static_count * sizeof(struct ip_fw) ;
1943 if (ipfw_dyn_v) /* add size of dyn.rules */
1944 size += (dyn_count * sizeof(struct ipfw_dyn_rule));
1945
1946 /*
1947 * XXX todo: if the user passes a short length to know how
1948 * much room is needed, do not
1949 * bother filling up the buffer, just jump to the
1950 * sooptcopyout.
1951 */
1952 buf = malloc(size, M_TEMP, M_WAITOK);
1953 if (buf == 0) {
1954 splx(s);
1955 error = ENOBUFS;
1956 break;
1957 }
1958
1959 bp = buf ;
1960 LIST_FOREACH(fcp, &ip_fw_chain_head, next) {
1961 bcopy(fcp, bp, sizeof *fcp);
1962 bp++;
1963 }
1964 if (ipfw_dyn_v) {
1965 int i ;
1966 struct ipfw_dyn_rule *p, *dst, *last = NULL ;
1967
1968 dst = (struct ipfw_dyn_rule *)bp ;
1969 for (i = 0 ; i < curr_dyn_buckets ; i++ )
1970 for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next, dst++ ) {
1971 bcopy(p, dst, sizeof *p);
1972 (int)dst->rule = p->rule->fw_number ;
1973 /*
1974 * store a non-null value in "next". The userland
1975 * code will interpret a NULL here as a marker
1976 * for the last dynamic rule.
1977 */
1978 dst->next = dst ;
1979 last = dst ;
1980 if (TIME_LEQ(dst->expire, time_second) )
1981 dst->expire = 0 ;
1982 else
1983 dst->expire -= time_second ;
1984 }
1985 if (last != NULL)
1986 last->next = NULL ; /* mark last dynamic rule */
1987 }
1988 splx(s);
1989
1990 error = sooptcopyout(sopt, buf, size);
1991 free(buf, M_TEMP);
1992 break;
1993
1994 case IP_FW_FLUSH:
1995 /*
1996 * Normally we cannot release the lock on each iteration.
1997 * We could do it here only because we start from the head all
1998 * the times so there is no risk of missing some entries.
1999 * On the other hand, the risk is that we end up with
2000 * a very inconsistent ruleset, so better keep the lock
2001 * around the whole cycle.
2002 *
2003 * XXX this code can be improved by resetting the head of
2004 * the list to point to the default rule, and then freeing
2005 * the old list without the need for a lock.
2006 */
2007
2008 s = splimp();
2009 while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) &&
2010 fcp->fw_number != IPFW_DEFAULT_RULE )
2011 free_chain(fcp);
2012 splx(s);
2013 break;
2014
2015 case IP_FW_ADD:
2016 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2017 if (error || (error = check_ipfw_struct(&frwl)))
2018 break;
2019
2020 if (frwl.fw_number == IPFW_DEFAULT_RULE) {
2021 dprintf(("%s can't add rule %u\n", err_prefix,
2022 (unsigned)IPFW_DEFAULT_RULE));
2023 error = EINVAL;
2024 } else {
2025 error = add_entry(&ip_fw_chain_head, &frwl);
2026 if (!error && sopt->sopt_dir == SOPT_GET)
2027 error = sooptcopyout(sopt, &frwl, sizeof frwl);
2028 }
2029 break;
2030
2031 case IP_FW_DEL:
2032 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2033 if (error)
2034 break;
2035
2036 if (frwl.fw_number == IPFW_DEFAULT_RULE) {
2037 dprintf(("%s can't delete rule %u\n", err_prefix,
2038 (unsigned)IPFW_DEFAULT_RULE));
2039 error = EINVAL;
2040 } else {
2041 error = del_entry(&ip_fw_chain_head, frwl.fw_number);
2042 }
2043 break;
2044
2045 case IP_FW_ZERO:
2046 case IP_FW_RESETLOG:
2047 {
2048 int cmd = (sopt->sopt_name == IP_FW_RESETLOG );
2049 void *arg = NULL ;
2050
2051 if (sopt->sopt_val != 0) {
2052 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2053 if (error)
2054 break;
2055 arg = &frwl ;
2056 }
2057 error = zero_entry(arg, cmd);
2058 }
2059 break;
2060
2061 default:
2062 printf("ip_fw_ctl invalid option %d\n", sopt->sopt_name);
2063 error = EINVAL ;
2064 }
2065
2066 return (error);
2067 }
2068
2069 /**
2070 * dummynet needs a reference to the default rule, because rules can
2071 * be deleted while packets hold a reference to them (e.g. to resume
2072 * processing at the next rule). When this happens, dummynet changes
2073 * the reference to the default rule (probably it could well be a
2074 * NULL pointer, but this way we do not need to check for the special
2075 * case, plus here he have info on the default behaviour.
2076 */
2077 struct ip_fw *ip_fw_default_rule ;
2078
2079 void
2080 ip_fw_init(void)
2081 {
2082 struct ip_fw default_rule;
2083
2084 ip_fw_chk_ptr = ip_fw_chk;
2085 ip_fw_ctl_ptr = ip_fw_ctl;
2086 LIST_INIT(&ip_fw_chain_head);
2087
2088 bzero(&default_rule, sizeof default_rule);
2089 default_rule.fw_prot = IPPROTO_IP;
2090 default_rule.fw_number = IPFW_DEFAULT_RULE;
2091 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
2092 default_rule.fw_flg |= IP_FW_F_ACCEPT;
2093 #else
2094 default_rule.fw_flg |= IP_FW_F_DENY;
2095 #endif
2096 default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
2097 if (check_ipfw_struct(&default_rule) != 0 ||
2098 add_entry(&ip_fw_chain_head, &default_rule))
2099 panic("ip_fw_init");
2100
2101 ip_fw_default_rule = LIST_FIRST(&ip_fw_chain_head) ;
2102 printf("IP packet filtering initialized, "
2103 #ifdef IPDIVERT
2104 "divert enabled, "
2105 #else
2106 "divert disabled, "
2107 #endif
2108 "rule-based forwarding enabled, "
2109 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
2110 "default to accept, ");
2111 #else
2112 "default to deny, " );
2113 #endif
2114 #ifndef IPFIREWALL_VERBOSE
2115 printf("logging disabled\n");
2116 #else
2117 if (fw_verbose_limit == 0)
2118 printf("unlimited logging\n");
2119 else
2120 printf("logging limited to %d packets/entry by default\n",
2121 fw_verbose_limit);
2122 #endif
2123 }
2124
2125 static int
2126 ipfw_modevent(module_t mod, int type, void *unused)
2127 {
2128 int s;
2129 int err = 0 ;
2130 #if defined(KLD_MODULE)
2131 struct ip_fw *fcp;
2132 #endif
2133
2134 switch (type) {
2135 case MOD_LOAD:
2136 s = splimp();
2137 if (IPFW_LOADED) {
2138 splx(s);
2139 printf("IP firewall already loaded\n");
2140 err = EEXIST ;
2141 } else {
2142 ip_fw_init();
2143 splx(s);
2144 }
2145 break ;
2146 case MOD_UNLOAD:
2147 #if !defined(KLD_MODULE)
2148 printf("ipfw statically compiled, cannot unload\n");
2149 err = EBUSY;
2150 #else
2151 s = splimp();
2152 ip_fw_chk_ptr = NULL ;
2153 ip_fw_ctl_ptr = NULL ;
2154 while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) != NULL)
2155 free_chain(fcp);
2156 splx(s);
2157 printf("IP firewall unloaded\n");
2158 #endif
2159 break ;
2160
2161 default:
2162 break;
2163 }
2164 return err;
2165 }
2166
2167 static moduledata_t ipfwmod = {
2168 "ipfw",
2169 ipfw_modevent,
2170 0
2171 };
2172 DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PSEUDO, SI_ORDER_ANY);
2173 #endif /* !IPFW2 */
Cache object: 0614e7e46e64e6533743d87e888e1535
|