FreeBSD/Linux Kernel Cross Reference
sys/netinet/ip_fw.c
1 /*
2 * Copyright (c) 1993 Daniel Boulet
3 * Copyright (c) 1994 Ugen J.S.Antsilevich
4 * Copyright (c) 1996 Alex Nash
5 * Copyright (c) 2000-2002 Luigi Rizzo
6 *
7 * Redistribution and use in source forms, with and without modification,
8 * are permitted provided that this entire comment appears intact.
9 *
10 * Redistribution in binary form may occur without any restrictions.
11 * Obviously, it would be nice if you gave credit where credit is due
12 * but requiring it would be too onerous.
13 *
14 * This software is provided ``AS IS'' without any warranties of any kind.
15 *
16 * $FreeBSD: releng/5.0/sys/netinet/ip_fw.c 98613 2002-06-22 11:51:02Z luigi $
17 */
18
19 #define DEB(x)
20 #define DDB(x) x
21
22 /*
23 * Implement IP packet firewall
24 */
25
26 #if !defined(KLD_MODULE)
27 #include "opt_ipfw.h"
28 #include "opt_ipdn.h"
29 #include "opt_ipdivert.h"
30 #include "opt_inet.h"
31 #ifndef INET
32 #error IPFIREWALL requires INET.
33 #endif /* INET */
34 #endif
35
36 #include <sys/param.h>
37 #include <sys/systm.h>
38 #include <sys/malloc.h>
39 #include <sys/mbuf.h>
40 #include <sys/kernel.h>
41 #include <sys/proc.h>
42 #include <sys/socket.h>
43 #include <sys/socketvar.h>
44 #include <sys/sysctl.h>
45 #include <sys/syslog.h>
46 #include <sys/ucred.h>
47 #include <net/if.h>
48 #include <net/route.h>
49 #include <netinet/in.h>
50 #include <netinet/in_systm.h>
51 #include <netinet/in_var.h>
52 #include <netinet/in_pcb.h>
53 #include <netinet/ip.h>
54 #include <netinet/ip_var.h>
55 #include <netinet/ip_icmp.h>
56 #include <netinet/ip_fw.h>
57 #include <netinet/ip_dummynet.h>
58 #include <netinet/tcp.h>
59 #include <netinet/tcp_timer.h>
60 #include <netinet/tcp_var.h>
61 #include <netinet/tcpip.h>
62 #include <netinet/udp.h>
63 #include <netinet/udp_var.h>
64
65 #include <netinet/if_ether.h> /* XXX ethertype_ip */
66
67 static int fw_debug = 1;
68 #ifdef IPFIREWALL_VERBOSE
69 static int fw_verbose = 1;
70 #else
71 static int fw_verbose = 0;
72 #endif
73 int fw_one_pass = 1 ;
74 #ifdef IPFIREWALL_VERBOSE_LIMIT
75 static int fw_verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
76 #else
77 static int fw_verbose_limit = 0;
78 #endif
79 static int fw_permanent_rules = 0;
80
81 /*
82 * Right now, two fields in the IP header are changed to host format
83 * by the IP layer before calling the firewall. Ideally, we would like
84 * to have them in network format so that the packet can be
85 * used as it comes from the device driver (and is thus readonly).
86 */
87
88 static u_int64_t counter; /* counter for ipfw_report(NULL...) */
89
90 #define IPFW_DEFAULT_RULE ((u_int)(u_short)~0)
91
92 LIST_HEAD (ip_fw_head, ip_fw) ip_fw_chain_head;
93
94 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
95
96 #ifdef SYSCTL_NODE
97 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
98 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
99 &fw_enable, 0, "Enable ipfw");
100 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
101 &fw_one_pass, 0,
102 "Only do a single pass through ipfw when using dummynet(4)");
103 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW,
104 &fw_debug, 0, "Enable printing of debug ip_fw statements");
105 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW,
106 &fw_verbose, 0, "Log matches to ipfw rules");
107 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW,
108 &fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules logged");
109 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLFLAG_RW,
110 &fw_permanent_rules, 0, "Set rule number, below which rules are permanent");
111
112 /*
113 * Extension for stateful ipfw.
114 *
115 * Dynamic rules are stored in lists accessed through a hash table
116 * (ipfw_dyn_v) whose size is curr_dyn_buckets. This value can
117 * be modified through the sysctl variable dyn_buckets which is
118 * updated when the table becomes empty.
119 *
120 * XXX currently there is only one list, ipfw_dyn.
121 *
122 * When a packet is received, it is first hashed, then matched
123 * against the entries in the corresponding list.
124 * Matching occurs according to the rule type. The default is to
125 * match the four fields and the protocol, and rules are bidirectional.
126 *
127 * For a busy proxy/web server we will have lots of connections to
128 * the server. We could decide for a rule type where we ignore
129 * ports (different hashing) and avoid special SYN/RST/FIN handling.
130 *
131 * XXX when we decide to support more than one rule type, we should
132 * repeat the hashing multiple times uing only the useful fields.
133 * Or, we could run the various tests in parallel, because the
134 * 'move to front' technique should shorten the average search.
135 *
136 * The lifetime of dynamic rules is regulated by dyn_*_lifetime,
137 * measured in seconds and depending on the flags.
138 *
139 * The total number of dynamic rules is stored in dyn_count.
140 * The max number of dynamic rules is dyn_max. When we reach
141 * the maximum number of rules we do not create anymore. This is
142 * done to avoid consuming too much memory, but also too much
143 * time when searching on each packet (ideally, we should try instead
144 * to put a limit on the length of the list on each bucket...).
145 *
146 * Each dynamic rules holds a pointer to the parent ipfw rule so
147 * we know what action to perform. Dynamic rules are removed when
148 * the parent rule is deleted.
149 * There are some limitations with dynamic rules -- we do not
150 * obey the 'randomized match', and we do not do multiple
151 * passes through the firewall.
152 * XXX check the latter!!!
153 */
154 static struct ipfw_dyn_rule **ipfw_dyn_v = NULL ;
155 static u_int32_t dyn_buckets = 256 ; /* must be power of 2 */
156 static u_int32_t curr_dyn_buckets = 256 ; /* must be power of 2 */
157
158 /*
159 * timeouts for various events in handing dynamic rules.
160 */
161 static u_int32_t dyn_ack_lifetime = 300 ;
162 static u_int32_t dyn_syn_lifetime = 20 ;
163 static u_int32_t dyn_fin_lifetime = 1 ;
164 static u_int32_t dyn_rst_lifetime = 1 ;
165 static u_int32_t dyn_udp_lifetime = 10 ;
166 static u_int32_t dyn_short_lifetime = 5 ;
167
168 /*
169 * after reaching 0, dynamic rules are considered still valid for
170 * an additional grace time, unless there is lack of resources.
171 */
172 static u_int32_t dyn_grace_time = 10 ;
173
174 static u_int32_t static_count = 0 ; /* # of static rules */
175 static u_int32_t dyn_count = 0 ; /* # of dynamic rules */
176 static u_int32_t dyn_max = 1000 ; /* max # of dynamic rules */
177
178 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW,
179 &dyn_buckets, 0, "Number of dyn. buckets");
180 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD,
181 &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
182 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD,
183 &dyn_count, 0, "Number of dyn. rules");
184 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW,
185 &dyn_max, 0, "Max number of dyn. rules");
186 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD,
187 &static_count, 0, "Number of static rules");
188 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW,
189 &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
190 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW,
191 &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
192 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW,
193 &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin");
194 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW,
195 &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst");
196 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW,
197 &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP");
198 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW,
199 &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
200 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_grace_time, CTLFLAG_RD,
201 &dyn_grace_time, 0, "Grace time for dyn. rules");
202
203 #endif /* SYSCTL_NODE */
204
205 #define dprintf(a) do { \
206 if (fw_debug) \
207 printf a; \
208 } while (0)
209 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
210
211 static int add_entry (struct ip_fw_head *chainptr, struct ip_fw *frwl);
212 static int del_entry (struct ip_fw_head *chainptr, u_short number);
213 static int zero_entry (struct ip_fw *, int);
214 static int check_ipfw_struct (struct ip_fw *m);
215 static int iface_match (struct ifnet *ifp, union ip_fw_if *ifu,
216 int byname);
217 static int ipopts_match (struct ip *ip, struct ip_fw *f);
218 static int iptos_match (struct ip *ip, struct ip_fw *f);
219 static __inline int
220 port_match (u_short *portptr, int nports, u_short port,
221 int range_flag, int mask);
222 static int tcpflg_match (struct tcphdr *tcp, struct ip_fw *f);
223 static int icmptype_match (struct icmp * icmp, struct ip_fw * f);
224 static void ipfw_report (struct ip_fw *f, struct ip *ip, int ip_off,
225 int ip_len, struct ifnet *rif,
226 struct ifnet *oif);
227
228 static void flush_rule_ptrs(void);
229
230 static ip_fw_chk_t ip_fw_chk;
231 static int ip_fw_ctl (struct sockopt *sopt);
232
233 ip_dn_ruledel_t *ip_dn_ruledel_ptr = NULL;
234
235 static char err_prefix[] = "ip_fw_ctl:";
236
237 /*
238 * Returns 1 if the port is matched by the vector, 0 otherwise
239 */
240 static __inline int
241 port_match(u_short *portptr, int nports, u_short port, int range_flag, int mask)
242 {
243 if (!nports)
244 return 1;
245 if (mask) {
246 if ( 0 == ((portptr[0] ^ port) & portptr[1]) )
247 return 1;
248 nports -= 2;
249 portptr += 2;
250 }
251 if (range_flag) {
252 if (portptr[0] <= port && port <= portptr[1])
253 return 1;
254 nports -= 2;
255 portptr += 2;
256 }
257 while (nports-- > 0)
258 if (*portptr++ == port)
259 return 1;
260 return 0;
261 }
262
263 static int
264 tcpflg_match(struct tcphdr *tcp, struct ip_fw *f)
265 {
266 u_char flg_set, flg_clr;
267
268 /*
269 * If an established connection is required, reject packets that
270 * have only SYN of RST|ACK|SYN set. Otherwise, fall through to
271 * other flag requirements.
272 */
273 if ((f->fw_ipflg & IP_FW_IF_TCPEST) &&
274 ((tcp->th_flags & (TH_RST | TH_ACK | TH_SYN)) == TH_SYN))
275 return 0;
276
277 flg_set = tcp->th_flags & f->fw_tcpf;
278 flg_clr = tcp->th_flags & f->fw_tcpnf;
279
280 if (flg_set != f->fw_tcpf)
281 return 0;
282 if (flg_clr)
283 return 0;
284
285 return 1;
286 }
287
288 static int
289 icmptype_match(struct icmp *icmp, struct ip_fw *f)
290 {
291 int type;
292
293 if (!(f->fw_flg & IP_FW_F_ICMPBIT))
294 return(1);
295
296 type = icmp->icmp_type;
297
298 /* check for matching type in the bitmap */
299 if (type < IP_FW_ICMPTYPES_MAX &&
300 (f->fw_uar.fw_icmptypes[type / (sizeof(unsigned) * NBBY)] &
301 (1U << (type % (sizeof(unsigned) * NBBY)))))
302 return(1);
303
304 return(0); /* no match */
305 }
306
307 static int
308 is_icmp_query(struct ip *ip)
309 {
310 const struct icmp *icmp;
311 int icmp_type;
312
313 icmp = (struct icmp *)((u_int32_t *)ip + ip->ip_hl);
314 icmp_type = icmp->icmp_type;
315
316 if (icmp_type == ICMP_ECHO || icmp_type == ICMP_ROUTERSOLICIT ||
317 icmp_type == ICMP_TSTAMP || icmp_type == ICMP_IREQ ||
318 icmp_type == ICMP_MASKREQ)
319 return(1);
320
321 return(0);
322 }
323
324 static int
325 ipopts_match(struct ip *ip, struct ip_fw *f)
326 {
327 register u_char *cp;
328 int opt, optlen, cnt;
329 u_char opts, nopts, nopts_sve;
330
331 cp = (u_char *)(ip + 1);
332 cnt = (ip->ip_hl << 2) - sizeof (struct ip);
333 opts = f->fw_ipopt;
334 nopts = nopts_sve = f->fw_ipnopt;
335
336 for (; cnt > 0; cnt -= optlen, cp += optlen) {
337 opt = cp[IPOPT_OPTVAL];
338 if (opt == IPOPT_EOL)
339 break;
340 if (opt == IPOPT_NOP)
341 optlen = 1;
342 else {
343 optlen = cp[IPOPT_OLEN];
344 if (optlen <= 0 || optlen > cnt) {
345 return 0; /*XXX*/
346 }
347 }
348 switch (opt) {
349
350 default:
351 break;
352
353 case IPOPT_LSRR:
354 opts &= ~IP_FW_IPOPT_LSRR;
355 nopts &= ~IP_FW_IPOPT_LSRR;
356 break;
357
358 case IPOPT_SSRR:
359 opts &= ~IP_FW_IPOPT_SSRR;
360 nopts &= ~IP_FW_IPOPT_SSRR;
361 break;
362
363 case IPOPT_RR:
364 opts &= ~IP_FW_IPOPT_RR;
365 nopts &= ~IP_FW_IPOPT_RR;
366 break;
367 case IPOPT_TS:
368 opts &= ~IP_FW_IPOPT_TS;
369 nopts &= ~IP_FW_IPOPT_TS;
370 break;
371 }
372 if (opts == nopts)
373 break;
374 }
375 if (opts == 0 && nopts == nopts_sve)
376 return 1;
377 else
378 return 0;
379 }
380
381 static int
382 iptos_match(struct ip *ip, struct ip_fw *f)
383 {
384
385 u_int flags = (ip->ip_tos & 0x1f);
386 u_char opts, nopts, nopts_sve;
387
388 opts = (f->fw_iptos & 0x1f);
389 nopts = nopts_sve = f->fw_ipntos;
390
391 while (flags != 0) {
392 u_int flag;
393
394 flag = 1 << (ffs(flags) -1);
395 opts &= ~flag;
396 nopts &= ~flag;
397 flags &= ~flag;
398 }
399
400 if (opts == 0 && nopts == nopts_sve)
401 return 1;
402 else
403 return 0;
404
405 }
406
407
408 static int
409 tcpopts_match(struct tcphdr *tcp, struct ip_fw *f)
410 {
411 register u_char *cp;
412 int opt, optlen, cnt;
413 u_char opts, nopts, nopts_sve;
414
415 cp = (u_char *)(tcp + 1);
416 cnt = (tcp->th_off << 2) - sizeof (struct tcphdr);
417 opts = f->fw_tcpopt;
418 nopts = nopts_sve = f->fw_tcpnopt;
419
420 for (; cnt > 0; cnt -= optlen, cp += optlen) {
421 opt = cp[0];
422 if (opt == TCPOPT_EOL)
423 break;
424 if (opt == TCPOPT_NOP)
425 optlen = 1;
426 else {
427 optlen = cp[1];
428 if (optlen <= 0)
429 break;
430 }
431
432
433 switch (opt) {
434
435 default:
436 break;
437
438 case TCPOPT_MAXSEG:
439 opts &= ~IP_FW_TCPOPT_MSS;
440 nopts &= ~IP_FW_TCPOPT_MSS;
441 break;
442
443 case TCPOPT_WINDOW:
444 opts &= ~IP_FW_TCPOPT_WINDOW;
445 nopts &= ~IP_FW_TCPOPT_WINDOW;
446 break;
447
448 case TCPOPT_SACK_PERMITTED:
449 case TCPOPT_SACK:
450 opts &= ~IP_FW_TCPOPT_SACK;
451 nopts &= ~IP_FW_TCPOPT_SACK;
452 break;
453
454 case TCPOPT_TIMESTAMP:
455 opts &= ~IP_FW_TCPOPT_TS;
456 nopts &= ~IP_FW_TCPOPT_TS;
457 break;
458
459 case TCPOPT_CC:
460 case TCPOPT_CCNEW:
461 case TCPOPT_CCECHO:
462 opts &= ~IP_FW_TCPOPT_CC;
463 nopts &= ~IP_FW_TCPOPT_CC;
464 break;
465 }
466 if (opts == nopts)
467 break;
468 }
469 if (opts == 0 && nopts == nopts_sve)
470 return 1;
471 else
472 return 0;
473 }
474
475 static int
476 iface_match(struct ifnet *ifp, union ip_fw_if *ifu, int byname)
477 {
478 /* Check by name or by IP address */
479 if (byname) {
480 /* Check unit number (-1 is wildcard) */
481 if (ifu->fu_via_if.unit != -1
482 && ifp->if_unit != ifu->fu_via_if.unit)
483 return(0);
484 /* Check name */
485 if (strncmp(ifp->if_name, ifu->fu_via_if.name, FW_IFNLEN))
486 return(0);
487 return(1);
488 } else if (ifu->fu_via_ip.s_addr != 0) { /* Zero == wildcard */
489 struct ifaddr *ia;
490
491 TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
492 if (ia->ifa_addr == NULL)
493 continue;
494 if (ia->ifa_addr->sa_family != AF_INET)
495 continue;
496 if (ifu->fu_via_ip.s_addr != ((struct sockaddr_in *)
497 (ia->ifa_addr))->sin_addr.s_addr)
498 continue;
499 return(1);
500 }
501 return(0);
502 }
503 return(1);
504 }
505
506 static void
507 ipfw_report(struct ip_fw *f, struct ip *ip, int ip_off, int ip_len,
508 struct ifnet *rif, struct ifnet *oif)
509 {
510 struct tcphdr *const tcp = (struct tcphdr *) ((u_int32_t *) ip+ ip->ip_hl);
511 struct udphdr *const udp = (struct udphdr *) ((u_int32_t *) ip+ ip->ip_hl);
512 struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl);
513 u_int64_t count;
514 char *action;
515 char action2[32], proto[47], name[18], fragment[27];
516 int len;
517 int offset = ip_off & IP_OFFMASK;
518
519 count = f ? f->fw_pcnt : ++counter;
520 if ((f == NULL && fw_verbose_limit != 0 && count > fw_verbose_limit) ||
521 (f && f->fw_logamount != 0 && count > f->fw_loghighest))
522 return;
523
524 /* Print command name */
525 snprintf(SNPARGS(name, 0), "ipfw: %d", f ? f->fw_number : -1);
526
527 action = action2;
528 if (!f)
529 action = "Refuse";
530 else {
531 switch (f->fw_flg & IP_FW_F_COMMAND) {
532 case IP_FW_F_DENY:
533 action = "Deny";
534 break;
535 case IP_FW_F_REJECT:
536 if (f->fw_reject_code == IP_FW_REJECT_RST)
537 action = "Reset";
538 else
539 action = "Unreach";
540 break;
541 case IP_FW_F_ACCEPT:
542 action = "Accept";
543 break;
544 case IP_FW_F_COUNT:
545 action = "Count";
546 break;
547 #ifdef IPDIVERT
548 case IP_FW_F_DIVERT:
549 snprintf(SNPARGS(action2, 0), "Divert %d",
550 f->fw_divert_port);
551 break;
552 case IP_FW_F_TEE:
553 snprintf(SNPARGS(action2, 0), "Tee %d",
554 f->fw_divert_port);
555 break;
556 #endif
557 case IP_FW_F_SKIPTO:
558 snprintf(SNPARGS(action2, 0), "SkipTo %d",
559 f->fw_skipto_rule);
560 break;
561 case IP_FW_F_PIPE:
562 snprintf(SNPARGS(action2, 0), "Pipe %d",
563 f->fw_skipto_rule);
564 break;
565 case IP_FW_F_QUEUE:
566 snprintf(SNPARGS(action2, 0), "Queue %d",
567 f->fw_skipto_rule);
568 break;
569
570 case IP_FW_F_FWD:
571 if (f->fw_fwd_ip.sin_port)
572 snprintf(SNPARGS(action2, 0),
573 "Forward to %s:%d",
574 inet_ntoa(f->fw_fwd_ip.sin_addr),
575 f->fw_fwd_ip.sin_port);
576 else
577 snprintf(SNPARGS(action2, 0), "Forward to %s",
578 inet_ntoa(f->fw_fwd_ip.sin_addr));
579 break;
580
581 default:
582 action = "UNKNOWN";
583 break;
584 }
585 }
586
587 switch (ip->ip_p) {
588 case IPPROTO_TCP:
589 len = snprintf(SNPARGS(proto, 0), "TCP %s",
590 inet_ntoa(ip->ip_src));
591 if (offset == 0)
592 len += snprintf(SNPARGS(proto, len), ":%d ",
593 ntohs(tcp->th_sport));
594 else
595 len += snprintf(SNPARGS(proto, len), " ");
596 len += snprintf(SNPARGS(proto, len), "%s",
597 inet_ntoa(ip->ip_dst));
598 if (offset == 0)
599 snprintf(SNPARGS(proto, len), ":%d",
600 ntohs(tcp->th_dport));
601 break;
602 case IPPROTO_UDP:
603 len = snprintf(SNPARGS(proto, 0), "UDP %s",
604 inet_ntoa(ip->ip_src));
605 if (offset == 0)
606 len += snprintf(SNPARGS(proto, len), ":%d ",
607 ntohs(udp->uh_sport));
608 else
609 len += snprintf(SNPARGS(proto, len), " ");
610 len += snprintf(SNPARGS(proto, len), "%s",
611 inet_ntoa(ip->ip_dst));
612 if (offset == 0)
613 snprintf(SNPARGS(proto, len), ":%d",
614 ntohs(udp->uh_dport));
615 break;
616 case IPPROTO_ICMP:
617 if (offset == 0)
618 len = snprintf(SNPARGS(proto, 0), "ICMP:%u.%u ",
619 icmp->icmp_type, icmp->icmp_code);
620 else
621 len = snprintf(SNPARGS(proto, 0), "ICMP ");
622 len += snprintf(SNPARGS(proto, len), "%s",
623 inet_ntoa(ip->ip_src));
624 snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
625 break;
626 default:
627 len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p,
628 inet_ntoa(ip->ip_src));
629 snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
630 break;
631 }
632
633 if (ip_off & (IP_MF | IP_OFFMASK))
634 snprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)",
635 ntohs(ip->ip_id), ip_len - (ip->ip_hl << 2),
636 offset << 3,
637 (ip_off & IP_MF) ? "+" : "");
638 else
639 fragment[0] = '\0';
640 if (oif)
641 log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n",
642 name, action, proto, oif->if_name, oif->if_unit, fragment);
643 else if (rif)
644 log(LOG_SECURITY | LOG_INFO, "%s %s %s in via %s%d%s\n", name,
645 action, proto, rif->if_name, rif->if_unit, fragment);
646 else
647 log(LOG_SECURITY | LOG_INFO, "%s %s %s%s\n", name, action,
648 proto, fragment);
649 if ((f ? f->fw_logamount != 0 : 1) &&
650 count == (f ? f->fw_loghighest : fw_verbose_limit))
651 log(LOG_SECURITY | LOG_NOTICE,
652 "ipfw: limit %d reached on entry %d\n",
653 f ? f->fw_logamount : fw_verbose_limit,
654 f ? f->fw_number : -1);
655 }
656
657 static __inline int
658 hash_packet(struct ipfw_flow_id *id)
659 {
660 u_int32_t i ;
661
662 i = (id->dst_ip) ^ (id->src_ip) ^ (id->dst_port) ^ (id->src_port);
663 i &= (curr_dyn_buckets - 1) ;
664 return i ;
665 }
666
667 /**
668 * unlink a dynamic rule from a chain. prev is a pointer to
669 * the previous one, q is a pointer to the rule to delete,
670 * head is a pointer to the head of the queue.
671 * Modifies q and potentially also head.
672 */
673 #define UNLINK_DYN_RULE(prev, head, q) { \
674 struct ipfw_dyn_rule *old_q = q; \
675 \
676 /* remove a refcount to the parent */ \
677 if (q->dyn_type == DYN_LIMIT) \
678 q->parent->count--; \
679 DEB(printf("-- unlink entry 0x%08x %d -> 0x%08x %d, %d left\n", \
680 (q->id.src_ip), (q->id.src_port), \
681 (q->id.dst_ip), (q->id.dst_port), dyn_count-1 ); ) \
682 if (prev != NULL) \
683 prev->next = q = q->next ; \
684 else \
685 ipfw_dyn_v[i] = q = q->next ; \
686 dyn_count-- ; \
687 free(old_q, M_IPFW); }
688
689 #define TIME_LEQ(a,b) ((int)((a)-(b)) <= 0)
690 /**
691 * Remove all dynamic rules pointing to a given rule, or all
692 * rules if rule == NULL. Second parameter is 1 if we want to
693 * delete unconditionally, otherwise only expired rules are removed.
694 */
695 static void
696 remove_dyn_rule(struct ip_fw *rule, int force)
697 {
698 struct ipfw_dyn_rule *prev, *q;
699 int i, pass, max_pass ;
700 static u_int32_t last_remove = 0 ;
701
702 if (ipfw_dyn_v == NULL || dyn_count == 0)
703 return ;
704 /* do not expire more than once per second, it is useless */
705 if (force == 0 && last_remove == time_second)
706 return ;
707 last_remove = time_second ;
708
709 /*
710 * because DYN_LIMIT refer to parent rules, during the first pass only
711 * remove child and mark any pending LIMIT_PARENT, and remove
712 * them in a second pass.
713 */
714 for (pass = max_pass = 0; pass <= max_pass ; pass++ ) {
715 for (i = 0 ; i < curr_dyn_buckets ; i++) {
716 for (prev=NULL, q = ipfw_dyn_v[i] ; q ; ) {
717 /*
718 * logic can become complex here, so we split tests.
719 * First, test if we match any rule,
720 * then make sure the rule is expired or we want to kill it,
721 * and possibly more in the future.
722 */
723 int zap = ( rule == NULL || rule == q->rule);
724 if (zap)
725 zap = force || TIME_LEQ( q->expire , time_second );
726 /* do not zap parent in first pass, record we need a second pass */
727 if (q->dyn_type == DYN_LIMIT_PARENT) {
728 max_pass = 1; /* we need a second pass */
729 if (zap == 1 && (pass == 0 || q->count != 0) ) {
730 zap = 0 ;
731 if (pass == 1) /* should not happen */
732 printf("OUCH! cannot remove rule, count %d\n",
733 q->count);
734 }
735 }
736 if (zap) {
737 UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
738 } else {
739 prev = q ;
740 q = q->next ;
741 }
742 }
743 }
744 }
745 }
746
747 #define EXPIRE_DYN_CHAIN(rule) remove_dyn_rule(rule, 0 /* expired ones */)
748 #define EXPIRE_DYN_CHAINS() remove_dyn_rule(NULL, 0 /* expired ones */)
749 #define DELETE_DYN_CHAIN(rule) remove_dyn_rule(rule, 1 /* force removal */)
750 #define DELETE_DYN_CHAINS() remove_dyn_rule(NULL, 1 /* force removal */)
751
752 /**
753 * lookup a dynamic rule.
754 */
755 static struct ipfw_dyn_rule *
756 lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction)
757 {
758 /*
759 * stateful ipfw extensions.
760 * Lookup into dynamic session queue
761 */
762 struct ipfw_dyn_rule *prev, *q ;
763 int i, dir = 0;
764 #define MATCH_FORWARD 1
765
766 if (ipfw_dyn_v == NULL)
767 return NULL ;
768 i = hash_packet( pkt );
769 for (prev=NULL, q = ipfw_dyn_v[i] ; q != NULL ; ) {
770 if (q->dyn_type == DYN_LIMIT_PARENT)
771 goto next;
772 if (TIME_LEQ( q->expire , time_second ) ) { /* expire entry */
773 UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
774 continue;
775 }
776 if ( pkt->proto == q->id.proto) {
777 if (pkt->src_ip == q->id.src_ip &&
778 pkt->dst_ip == q->id.dst_ip &&
779 pkt->src_port == q->id.src_port &&
780 pkt->dst_port == q->id.dst_port ) {
781 dir = MATCH_FORWARD ;
782 goto found ;
783 }
784 if (pkt->src_ip == q->id.dst_ip &&
785 pkt->dst_ip == q->id.src_ip &&
786 pkt->src_port == q->id.dst_port &&
787 pkt->dst_port == q->id.src_port ) {
788 dir = 0 ; /* reverse match */
789 goto found ;
790 }
791 }
792 next:
793 prev = q ;
794 q = q->next ;
795 }
796 return NULL ; /* clearly not found */
797 found:
798 if ( prev != NULL) { /* found and not in front */
799 prev->next = q->next ;
800 q->next = ipfw_dyn_v[i] ;
801 ipfw_dyn_v[i] = q ;
802 }
803 if (pkt->proto == IPPROTO_TCP) {
804 /* update state according to flags */
805 u_char flags = pkt->flags & (TH_FIN|TH_SYN|TH_RST);
806 q->state |= (dir == MATCH_FORWARD ) ? flags : (flags << 8);
807 switch (q->state) {
808 case TH_SYN :
809 /* opening */
810 q->expire = time_second + dyn_syn_lifetime ;
811 break ;
812 case TH_SYN | (TH_SYN << 8) :
813 /* move to established */
814 q->expire = time_second + dyn_ack_lifetime ;
815 break ;
816 case TH_SYN | (TH_SYN << 8) | TH_FIN :
817 case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8) :
818 /* one side tries to close */
819 q->expire = time_second + dyn_ack_lifetime ;
820 break ;
821 case TH_SYN | (TH_SYN << 8) | TH_FIN | (TH_FIN << 8) :
822 /* both sides closed */
823 q->expire = time_second + dyn_fin_lifetime ;
824 break ;
825 default:
826 #if 0
827 /*
828 * reset or some invalid combination, but can also
829 * occur if we use keep-state the wrong way.
830 */
831 if ( (q->state & ((TH_RST << 8)|TH_RST)) == 0)
832 printf("invalid state: 0x%x\n", q->state);
833 #endif
834 q->expire = time_second + dyn_rst_lifetime ;
835 break ;
836 }
837 } else if (pkt->proto == IPPROTO_UDP) {
838 q->expire = time_second + dyn_udp_lifetime ;
839 } else {
840 /* other protocols */
841 q->expire = time_second + dyn_short_lifetime ;
842 }
843 if (match_direction)
844 *match_direction = dir ;
845 return q ;
846 }
847
848 /**
849 * Install state of type 'type' for a dynamic session.
850 * The hash table contains two type of rules:
851 * - regular rules (DYN_KEEP_STATE)
852 * - rules for sessions with limited number of sess per user
853 * (DYN_LIMIT). When they are created, the parent is
854 * increased by 1, and decreased on delete. In this case,
855 * the third parameter is the parent rule and not the chain.
856 * - "parent" rules for the above (DYN_LIMIT_PARENT).
857 */
858
859 static struct ipfw_dyn_rule *
860 add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
861 {
862 struct ipfw_dyn_rule *r ;
863
864 int i ;
865 if (ipfw_dyn_v == NULL ||
866 (dyn_count == 0 && dyn_buckets != curr_dyn_buckets)) {
867 /* try reallocation, make sure we have a power of 2 */
868 u_int32_t i = dyn_buckets ;
869 while ( i > 0 && (i & 1) == 0 )
870 i >>= 1 ;
871 if (i != 1) /* not a power of 2 */
872 dyn_buckets = curr_dyn_buckets ; /* reset */
873 else {
874 curr_dyn_buckets = dyn_buckets ;
875 if (ipfw_dyn_v != NULL)
876 free(ipfw_dyn_v, M_IPFW);
877 ipfw_dyn_v = malloc(curr_dyn_buckets * sizeof r,
878 M_IPFW, M_DONTWAIT | M_ZERO);
879 if (ipfw_dyn_v == NULL)
880 return NULL; /* failed ! */
881 }
882 }
883 i = hash_packet(id);
884
885 r = malloc(sizeof *r, M_IPFW, M_DONTWAIT | M_ZERO);
886 if (r == NULL) {
887 printf ("sorry cannot allocate state\n");
888 return NULL ;
889 }
890
891 /* increase refcount on parent, and set pointer */
892 if (dyn_type == DYN_LIMIT) {
893 struct ipfw_dyn_rule *parent = (struct ipfw_dyn_rule *)rule;
894 if ( parent->dyn_type != DYN_LIMIT_PARENT)
895 panic("invalid parent");
896 parent->count++ ;
897 r->parent = parent ;
898 rule = parent->rule;
899 }
900
901 r->id = *id ;
902 r->expire = time_second + dyn_syn_lifetime ;
903 r->rule = rule ;
904 r->dyn_type = dyn_type ;
905 r->pcnt = r->bcnt = 0 ;
906 r->count = 0 ;
907
908 r->bucket = i ;
909 r->next = ipfw_dyn_v[i] ;
910 ipfw_dyn_v[i] = r ;
911 dyn_count++ ;
912 DEB(printf("-- add entry 0x%08x %d -> 0x%08x %d, total %d\n",
913 (r->id.src_ip), (r->id.src_port),
914 (r->id.dst_ip), (r->id.dst_port),
915 dyn_count ); )
916 return r;
917 }
918
919 /**
920 * lookup dynamic parent rule using pkt and rule as search keys.
921 * If the lookup fails, then install one.
922 */
923 static struct ipfw_dyn_rule *
924 lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule)
925 {
926 struct ipfw_dyn_rule *q;
927 int i;
928
929 if (ipfw_dyn_v) {
930 i = hash_packet( pkt );
931 for (q = ipfw_dyn_v[i] ; q != NULL ; q=q->next)
932 if (q->dyn_type == DYN_LIMIT_PARENT && rule == q->rule &&
933 pkt->proto == q->id.proto &&
934 pkt->src_ip == q->id.src_ip &&
935 pkt->dst_ip == q->id.dst_ip &&
936 pkt->src_port == q->id.src_port &&
937 pkt->dst_port == q->id.dst_port) {
938 q->expire = time_second + dyn_short_lifetime ;
939 DEB(printf("lookup_dyn_parent found 0x%p\n", q);)
940 return q;
941 }
942 }
943 return add_dyn_rule(pkt, DYN_LIMIT_PARENT, rule);
944 }
945
946 /*
947 * Install dynamic state.
948 * There are different types of dynamic rules which can be installed.
949 * The type is in rule->dyn_type.
950 * Type 0 (default) is a bidirectional rule
951 *
952 * Returns 1 (failure) if state is not installed because of errors or because
953 * session limitations are enforced.
954 */
955 static int
956 install_state(struct ip_fw *rule, struct ip_fw_args *args)
957 {
958 struct ipfw_dyn_rule *q ;
959 static int last_log ;
960
961 u_int8_t type = rule->dyn_type ;
962
963 DEB(printf("-- install state type %d 0x%08x %u -> 0x%08x %u\n",
964 type,
965 (args->f_id.src_ip), (args->f_id.src_port),
966 (args->f_id.dst_ip), (args->f_id.dst_port) );)
967
968 q = lookup_dyn_rule(&args->f_id, NULL) ;
969 if (q != NULL) { /* should never occur */
970 if (last_log != time_second) {
971 last_log = time_second ;
972 printf(" entry already present, done\n");
973 }
974 return 0 ;
975 }
976 if (dyn_count >= dyn_max) /* try remove old ones... */
977 EXPIRE_DYN_CHAINS();
978 if (dyn_count >= dyn_max) {
979 if (last_log != time_second) {
980 last_log = time_second ;
981 printf(" Too many dynamic rules, sorry\n");
982 }
983 return 1; /* cannot install, notify caller */
984 }
985
986 switch (type) {
987 case DYN_KEEP_STATE: /* bidir rule */
988 add_dyn_rule(&args->f_id, DYN_KEEP_STATE, rule);
989 break ;
990 case DYN_LIMIT: /* limit number of sessions */
991 {
992 u_int16_t limit_mask = rule->limit_mask ;
993 u_int16_t conn_limit = rule->conn_limit ;
994 struct ipfw_flow_id id;
995 struct ipfw_dyn_rule *parent;
996
997 DEB(printf("installing dyn-limit rule %d\n", conn_limit);)
998
999 id.dst_ip = id.src_ip = 0;
1000 id.dst_port = id.src_port = 0 ;
1001 id.proto = args->f_id.proto ;
1002
1003 if (limit_mask & DYN_SRC_ADDR)
1004 id.src_ip = args->f_id.src_ip;
1005 if (limit_mask & DYN_DST_ADDR)
1006 id.dst_ip = args->f_id.dst_ip;
1007 if (limit_mask & DYN_SRC_PORT)
1008 id.src_port = args->f_id.src_port;
1009 if (limit_mask & DYN_DST_PORT)
1010 id.dst_port = args->f_id.dst_port;
1011 parent = lookup_dyn_parent(&id, rule);
1012 if (parent == NULL) {
1013 printf("add parent failed\n");
1014 return 1;
1015 }
1016 if (parent->count >= conn_limit) {
1017 EXPIRE_DYN_CHAIN(rule); /* try to expire some */
1018 if (parent->count >= conn_limit) {
1019 printf("drop session, too many entries\n");
1020 return 1;
1021 }
1022 }
1023 add_dyn_rule(&args->f_id, DYN_LIMIT, (struct ip_fw *)parent);
1024 }
1025 break ;
1026 default:
1027 printf("unknown dynamic rule type %u\n", type);
1028 return 1 ;
1029 }
1030 lookup_dyn_rule(&args->f_id, NULL) ; /* XXX just set the lifetime */
1031 return 0;
1032 }
1033
1034 /*
1035 * given an ip_fw *, lookup_next_rule will return a pointer
1036 * of the same type to the next one. This can be either the jump
1037 * target (for skipto instructions) or the next one in the list (in
1038 * all other cases including a missing jump target).
1039 * Backward jumps are not allowed, so start looking from the next
1040 * rule...
1041 */
1042 static struct ip_fw * lookup_next_rule(struct ip_fw *me);
1043
1044 static struct ip_fw *
1045 lookup_next_rule(struct ip_fw *me)
1046 {
1047 struct ip_fw *rule ;
1048 int rulenum = me->fw_skipto_rule ; /* guess... */
1049
1050 if ( (me->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_SKIPTO )
1051 for (rule = LIST_NEXT(me,next); rule ; rule = LIST_NEXT(rule,next))
1052 if (rule->fw_number >= rulenum)
1053 return rule ;
1054 return LIST_NEXT(me,next) ; /* failure or not a skipto */
1055 }
1056
1057 /*
1058 * Parameters:
1059 *
1060 * *m The packet; we set to NULL when/if we nuke it.
1061 * oif Outgoing interface, or NULL if packet is incoming
1062 * *cookie Skip up to the first rule past this rule number;
1063 * upon return, non-zero port number for divert or tee.
1064 * Special case: cookie == NULL on input for bridging.
1065 * *flow_id pointer to the last matching rule (in/out)
1066 * *next_hop socket we are forwarding to (in/out).
1067 * For bridged packets, this is a pointer to the MAC header.
1068 *
1069 * Return value:
1070 *
1071 * IP_FW_PORT_DENY_FLAG the packet must be dropped.
1072 * 0 The packet is to be accepted and routed normally OR
1073 * the packet was denied/rejected and has been dropped;
1074 * in the latter case, *m is equal to NULL upon return.
1075 * port Divert the packet to port, with these caveats:
1076 *
1077 * - If IP_FW_PORT_TEE_FLAG is set, tee the packet instead
1078 * of diverting it (ie, 'ipfw tee').
1079 *
1080 * - If IP_FW_PORT_DYNT_FLAG is set, interpret the lower
1081 * 16 bits as a dummynet pipe number instead of diverting
1082 */
1083
1084 static int
1085 ip_fw_chk(struct ip_fw_args *args)
1086 #if 0 /* the old interface was this: */
1087 struct mbuf **m, struct ifnet *oif, u_int16_t *cookie,
1088 struct ip_fw **flow_id, struct sockaddr_in **next_hop)
1089 #endif
1090 {
1091 /*
1092 * grab things into variables to minimize diffs.
1093 * XXX this has to be cleaned up later.
1094 */
1095 struct mbuf **m = &(args->m);
1096 struct ifnet *oif = args->oif;
1097 u_int16_t *cookie = &(args->divert_rule);
1098 struct ip_fw **flow_id = &(args->rule);
1099 struct sockaddr_in **next_hop = &(args->next_hop);
1100
1101 struct ip_fw *f = NULL; /* matching rule */
1102 struct ip *ip = mtod(*m, struct ip *);
1103 struct ifnet *const rif = (*m)->m_pkthdr.rcvif;
1104 struct ifnet *tif;
1105 u_int hlen = ip->ip_hl << 2;
1106 struct ether_header * eh = NULL;
1107
1108 u_short ip_off=0, offset = 0 ;
1109 /* local copy of addresses for faster matching */
1110 u_short src_port = 0, dst_port = 0;
1111 struct in_addr src_ip, dst_ip;
1112 u_int8_t proto= 0, flags = 0;
1113
1114 u_int16_t skipto;
1115 u_int16_t ip_len=0;
1116
1117 int dyn_checked = 0 ; /* set after dyn.rules have been checked. */
1118 int direction = MATCH_FORWARD ; /* dirty trick... */
1119 struct ipfw_dyn_rule *q = NULL ;
1120
1121 #define BRIDGED (args->eh != NULL)
1122 if (BRIDGED) { /* this is a bridged packet */
1123 eh = args->eh;
1124 if ( (*m)->m_pkthdr.len >= sizeof(struct ip) &&
1125 ntohs(eh->ether_type) == ETHERTYPE_IP)
1126 hlen = ip->ip_hl << 2;
1127 } else
1128 hlen = ip->ip_hl << 2;
1129
1130 /* Grab and reset cookie */
1131 skipto = *cookie;
1132 *cookie = 0;
1133
1134 /*
1135 * Collect parameters into local variables for faster matching.
1136 */
1137 if (hlen > 0) { /* this is an IP packet */
1138 proto = ip->ip_p;
1139 src_ip = ip->ip_src;
1140 dst_ip = ip->ip_dst;
1141 if (BRIDGED) { /* bridged packets are as on the wire */
1142 ip_off = ntohs(ip->ip_off);
1143 ip_len = ntohs(ip->ip_len);
1144 } else {
1145 ip_off = ip->ip_off;
1146 ip_len = ip->ip_len;
1147 }
1148 offset = ip_off & IP_OFFMASK;
1149 if (offset == 0) {
1150
1151 #define PULLUP_TO(len) \
1152 do { \
1153 if ((*m)->m_len < (len)) { \
1154 *m = m_pullup(*m, (len)); \
1155 if (*m == 0) \
1156 goto bogusfrag; \
1157 ip = mtod(*m, struct ip *); \
1158 } \
1159 } while (0)
1160
1161 switch (proto) {
1162 case IPPROTO_TCP : {
1163 struct tcphdr *tcp;
1164
1165 PULLUP_TO(hlen + sizeof(struct tcphdr));
1166 tcp =(struct tcphdr *)((u_int32_t *)ip + ip->ip_hl);
1167 dst_port = tcp->th_dport ;
1168 src_port = tcp->th_sport ;
1169 flags = tcp->th_flags ;
1170 }
1171 break ;
1172
1173 case IPPROTO_UDP : {
1174 struct udphdr *udp;
1175
1176 PULLUP_TO(hlen + sizeof(struct udphdr));
1177 udp =(struct udphdr *)((u_int32_t *)ip + ip->ip_hl);
1178 dst_port = udp->uh_dport ;
1179 src_port = udp->uh_sport ;
1180 }
1181 break;
1182
1183 case IPPROTO_ICMP:
1184 PULLUP_TO(hlen + 4); /* type, code and checksum. */
1185 flags = ((struct icmp *)
1186 ((u_int32_t *)ip + ip->ip_hl))->icmp_type ;
1187 break ;
1188
1189 default :
1190 break;
1191 }
1192 #undef PULLUP_TO
1193 }
1194 }
1195 args->f_id.src_ip = ntohl(src_ip.s_addr);
1196 args->f_id.dst_ip = ntohl(dst_ip.s_addr);
1197 args->f_id.proto = proto;
1198 args->f_id.src_port = ntohs(src_port);
1199 args->f_id.dst_port = ntohs(dst_port);
1200 args->f_id.flags = flags;
1201
1202 if (*flow_id) {
1203 /*
1204 * Packet has already been tagged. Look for the next rule
1205 * to restart processing.
1206 */
1207 if (fw_one_pass) /* just accept if fw_one_pass is set */
1208 return 0;
1209
1210 f = (*flow_id)->next_rule_ptr ;
1211 if (f == NULL)
1212 f = (*flow_id)->next_rule_ptr = lookup_next_rule(*flow_id);
1213 if (f == NULL)
1214 goto dropit;
1215 } else {
1216 /*
1217 * Go down the list, looking for enlightment.
1218 * If we've been asked to start at a given rule, do so.
1219 */
1220 f = LIST_FIRST(&ip_fw_chain_head);
1221 if (skipto != 0) {
1222 if (skipto >= IPFW_DEFAULT_RULE)
1223 goto dropit;
1224 while (f && f->fw_number <= skipto)
1225 f = LIST_NEXT(f, next);
1226 if (f == NULL)
1227 goto dropit;
1228 }
1229 }
1230
1231 for (; f; f = LIST_NEXT(f, next)) {
1232 again:
1233 if (f->fw_number == IPFW_DEFAULT_RULE)
1234 goto got_match ;
1235
1236 /* Check if rule only valid for bridged packets */
1237 if ((f->fw_flg & IP_FW_BRIDGED) != 0 && !(BRIDGED))
1238 continue;
1239 #undef BRIDGED
1240
1241 if (oif) {
1242 /* Check direction outbound */
1243 if (!(f->fw_flg & IP_FW_F_OUT))
1244 continue;
1245 } else {
1246 /* Check direction inbound */
1247 if (!(f->fw_flg & IP_FW_F_IN))
1248 continue;
1249 }
1250
1251 if (f->fw_flg & IP_FW_F_MAC) {
1252 u_int32_t *want, *mask, *hdr;
1253
1254 if (eh == NULL) /* header not available */
1255 continue;
1256
1257 want = (void *)&(f->fw_mac_hdr);
1258 mask = (void *)&(f->fw_mac_mask);
1259 hdr = (void *)eh;
1260
1261 if ( want[0] != (hdr[0] & mask[0]) )
1262 continue;
1263 if ( want[1] != (hdr[1] & mask[1]) )
1264 continue;
1265 if ( want[2] != (hdr[2] & mask[2]) )
1266 continue;
1267 if (f->fw_flg & IP_FW_F_SRNG) {
1268 u_int16_t type = ntohs(eh->ether_type);
1269 if (type < (u_int16_t)(f->fw_mac_type) ||
1270 type > (u_int16_t)(f->fw_mac_mask_type) )
1271 continue;
1272 } else {
1273 if ((u_int16_t)(f->fw_mac_type) != (eh->ether_type &
1274 (u_int16_t)(f->fw_mac_mask_type)) )
1275 continue;
1276 }
1277 }
1278
1279 /* Interface check */
1280 if ((f->fw_flg & IF_FW_F_VIAHACK) == IF_FW_F_VIAHACK) {
1281 struct ifnet *const iface = oif ? oif : rif;
1282
1283 /* Backwards compatibility hack for "via" */
1284 if (!iface || !iface_match(iface,
1285 &f->fw_in_if, f->fw_flg & IP_FW_F_OIFNAME))
1286 continue;
1287 } else {
1288 /* Check receive interface */
1289 if ((f->fw_flg & IP_FW_F_IIFACE)
1290 && (!rif || !iface_match(rif,
1291 &f->fw_in_if, f->fw_flg & IP_FW_F_IIFNAME)))
1292 continue;
1293 /* Check outgoing interface */
1294 if ((f->fw_flg & IP_FW_F_OIFACE)
1295 && (!oif || !iface_match(oif,
1296 &f->fw_out_if, f->fw_flg & IP_FW_F_OIFNAME)))
1297 continue;
1298 }
1299
1300 /*
1301 * For packets which matched the MAC check, we do not need
1302 * to continue, this is a valid match.
1303 * For not-ip packets, the rule does not apply.
1304 */
1305 if (f->fw_flg & IP_FW_F_MAC)
1306 goto rnd_then_got_match;
1307
1308 if (hlen == 0)
1309 continue;
1310
1311 /*
1312 * dynamic rules are checked at the first keep-state or
1313 * check-state occurrence.
1314 */
1315 if (f->fw_flg & (IP_FW_F_KEEP_S|IP_FW_F_CHECK_S) &&
1316 dyn_checked == 0 ) {
1317 dyn_checked = 1 ;
1318 q = lookup_dyn_rule(&args->f_id, &direction);
1319 if (q != NULL) {
1320 DEB(printf("-- dynamic match 0x%08x %d %s 0x%08x %d\n",
1321 (q->id.src_ip), (q->id.src_port),
1322 (direction == MATCH_FORWARD ? "-->" : "<--"),
1323 (q->id.dst_ip), (q->id.dst_port) ); )
1324 f = q->rule ;
1325 q->pcnt++ ;
1326 q->bcnt += ip_len;
1327 goto got_match ; /* random not allowed here */
1328 }
1329 /* if this was a check-only rule, continue with next */
1330 if (f->fw_flg & IP_FW_F_CHECK_S)
1331 continue ;
1332 }
1333
1334 /* Fragments */
1335 if ((f->fw_flg & IP_FW_F_FRAG) && offset == 0 )
1336 continue;
1337
1338 /*
1339 * For matching addresses, tif != NULL means we matched
1340 * the address we requested (either "me" or addr/mask).
1341 * Then the check for "xxx" or "not xxx" can be done
1342 * with an XOR.
1343 */
1344
1345 /* source address -- mandatory */
1346 if (f->fw_flg & IP_FW_F_SME) {
1347 INADDR_TO_IFP(src_ip, tif);
1348 } else
1349 (int)tif = f->fw_src.s_addr ==
1350 (src_ip.s_addr & f->fw_smsk.s_addr);
1351 if ( ((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ (tif == NULL) )
1352 continue;
1353
1354 /* dst address -- mandatory */
1355 if (f->fw_flg & IP_FW_F_DME) {
1356 INADDR_TO_IFP(dst_ip, tif);
1357 } else
1358 (int)tif = f->fw_dst.s_addr ==
1359 (dst_ip.s_addr & f->fw_dmsk.s_addr);
1360 if ( ((f->fw_flg & IP_FW_F_INVDST) != 0) ^ (tif == NULL) )
1361 continue;
1362
1363 /* Check IP header values */
1364 if (f->fw_ipflg & IP_FW_IF_IPOPT && !ipopts_match(ip, f))
1365 continue;
1366 if (f->fw_ipflg & IP_FW_IF_IPLEN && f->fw_iplen != ip_len)
1367 continue;
1368 if (f->fw_ipflg & IP_FW_IF_IPID && f->fw_ipid != ntohs(ip->ip_id))
1369 continue;
1370 if (f->fw_ipflg & IP_FW_IF_IPPRE &&
1371 (f->fw_iptos & 0xe0) != (ip->ip_tos & 0xe0))
1372 continue;
1373 if (f->fw_ipflg & IP_FW_IF_IPTOS && !iptos_match(ip, f))
1374 continue;
1375 if (f->fw_ipflg & IP_FW_IF_IPTTL && f->fw_ipttl != ip->ip_ttl)
1376 continue;
1377 if (f->fw_ipflg & IP_FW_IF_IPVER && f->fw_ipver != ip->ip_v)
1378 continue;
1379
1380 /* Check protocol; if wildcard, and no [ug]id, match */
1381 if (f->fw_prot == IPPROTO_IP) {
1382 if (!(f->fw_flg & (IP_FW_F_UID|IP_FW_F_GID)))
1383 goto rnd_then_got_match;
1384 } else
1385 /* If different, don't match */
1386 if (proto != f->fw_prot)
1387 continue;
1388
1389 /* Protocol specific checks for uid only */
1390 if (f->fw_flg & (IP_FW_F_UID|IP_FW_F_GID)) {
1391 switch (proto) {
1392 case IPPROTO_TCP:
1393 {
1394 struct inpcb *P;
1395
1396 if (offset == 1) /* cf. RFC 1858 */
1397 goto bogusfrag;
1398 if (offset != 0)
1399 continue;
1400
1401 if (oif)
1402 P = in_pcblookup_hash(&tcbinfo, dst_ip,
1403 dst_port, src_ip, src_port, 0,
1404 oif);
1405 else
1406 P = in_pcblookup_hash(&tcbinfo, src_ip,
1407 src_port, dst_ip, dst_port, 0,
1408 NULL);
1409
1410 if (P && P->inp_socket) {
1411 if (f->fw_flg & IP_FW_F_UID) {
1412 if (socheckuid(P->inp_socket, f->fw_uid))
1413 continue;
1414 } else if (!groupmember(f->fw_gid,
1415 P->inp_socket->so_cred))
1416 continue;
1417 } else
1418 continue;
1419 break;
1420 }
1421
1422 case IPPROTO_UDP:
1423 {
1424 struct inpcb *P;
1425
1426 if (offset != 0)
1427 continue;
1428
1429 if (oif)
1430 P = in_pcblookup_hash(&udbinfo, dst_ip,
1431 dst_port, src_ip, src_port, 1,
1432 oif);
1433 else
1434 P = in_pcblookup_hash(&udbinfo, src_ip,
1435 src_port, dst_ip, dst_port, 1,
1436 NULL);
1437
1438 if (P && P->inp_socket) {
1439 if (f->fw_flg & IP_FW_F_UID) {
1440 if (socheckuid(P->inp_socket, f->fw_uid))
1441 continue;
1442 } else if (!groupmember(f->fw_gid,
1443 P->inp_socket->so_cred))
1444 continue;
1445 } else
1446 continue;
1447 break;
1448 }
1449
1450 default:
1451 continue;
1452 }
1453 }
1454
1455 /* Protocol specific checks */
1456 switch (proto) {
1457 case IPPROTO_TCP:
1458 {
1459 struct tcphdr *tcp;
1460
1461 if (offset == 1) /* cf. RFC 1858 */
1462 goto bogusfrag;
1463 if (offset != 0) {
1464 /*
1465 * TCP flags and ports aren't available in this
1466 * packet -- if this rule specified either one,
1467 * we consider the rule a non-match.
1468 */
1469 if (IP_FW_HAVEPORTS(f) != 0 ||
1470 f->fw_ipflg & IP_FW_IF_TCPMSK)
1471 continue;
1472
1473 break;
1474 }
1475 tcp = (struct tcphdr *) ((u_int32_t *)ip + ip->ip_hl);
1476
1477 if (f->fw_ipflg & IP_FW_IF_TCPOPT && !tcpopts_match(tcp, f))
1478 continue;
1479 if (((f->fw_ipflg & IP_FW_IF_TCPFLG) ||
1480 (f->fw_ipflg & IP_FW_IF_TCPEST)) &&
1481 !tcpflg_match(tcp, f))
1482 continue;
1483 if (f->fw_ipflg & IP_FW_IF_TCPSEQ && tcp->th_seq != f->fw_tcpseq)
1484 continue;
1485 if (f->fw_ipflg & IP_FW_IF_TCPACK && tcp->th_ack != f->fw_tcpack)
1486 continue;
1487 if (f->fw_ipflg & IP_FW_IF_TCPWIN && tcp->th_win != f->fw_tcpwin)
1488 continue;
1489 goto check_ports;
1490 }
1491
1492 case IPPROTO_UDP:
1493 if (offset != 0) {
1494 /*
1495 * Port specification is unavailable -- if this
1496 * rule specifies a port, we consider the rule
1497 * a non-match.
1498 */
1499 if (IP_FW_HAVEPORTS(f) )
1500 continue;
1501
1502 break;
1503 }
1504 check_ports:
1505 if (!port_match(&f->fw_uar.fw_pts[0],
1506 IP_FW_GETNSRCP(f), ntohs(src_port),
1507 f->fw_flg & IP_FW_F_SRNG,
1508 f->fw_flg & IP_FW_F_SMSK))
1509 continue;
1510 if (!port_match(&f->fw_uar.fw_pts[IP_FW_GETNSRCP(f)],
1511 IP_FW_GETNDSTP(f), ntohs(dst_port),
1512 f->fw_flg & IP_FW_F_DRNG,
1513 f->fw_flg & IP_FW_F_DMSK))
1514 continue;
1515 break;
1516
1517 case IPPROTO_ICMP:
1518 {
1519 struct icmp *icmp;
1520
1521 if (offset != 0) /* Type isn't valid */
1522 break;
1523 icmp = (struct icmp *) ((u_int32_t *)ip + ip->ip_hl);
1524 if (!icmptype_match(icmp, f))
1525 continue;
1526 break;
1527 }
1528
1529 default:
1530 break;
1531
1532 bogusfrag:
1533 if (fw_verbose) {
1534 if (*m != NULL)
1535 ipfw_report(NULL, ip, ip_off, ip_len, rif, oif);
1536 else
1537 printf("pullup failed\n");
1538 }
1539 goto dropit;
1540
1541 }
1542
1543 rnd_then_got_match:
1544 if ( f->dont_match_prob && random() < f->dont_match_prob )
1545 continue ;
1546 got_match:
1547 /*
1548 * If not a dynamic match (q == NULL) and keep-state, install
1549 * a new dynamic entry.
1550 */
1551 if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S) {
1552 if (install_state(f, args)) /* error or limit violation */
1553 goto dropit;
1554 }
1555 /* Update statistics */
1556 f->fw_pcnt += 1;
1557 f->fw_bcnt += ip_len;
1558 f->timestamp = time_second;
1559
1560 /* Log to console if desired */
1561 if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose && hlen >0)
1562 ipfw_report(f, ip, ip_off, ip_len, rif, oif);
1563
1564 /* Take appropriate action */
1565 switch (f->fw_flg & IP_FW_F_COMMAND) {
1566 case IP_FW_F_ACCEPT:
1567 return(0);
1568 case IP_FW_F_COUNT:
1569 continue;
1570 #ifdef IPDIVERT
1571 case IP_FW_F_DIVERT:
1572 *cookie = f->fw_number;
1573 return(f->fw_divert_port);
1574 case IP_FW_F_TEE:
1575 *cookie = f->fw_number;
1576 return(f->fw_divert_port | IP_FW_PORT_TEE_FLAG);
1577 #endif
1578 case IP_FW_F_SKIPTO: /* XXX check */
1579 if (f->next_rule_ptr == NULL)
1580 f->next_rule_ptr = lookup_next_rule(f) ;
1581 f = f->next_rule_ptr;
1582 if (!f)
1583 goto dropit;
1584 goto again ;
1585
1586 case IP_FW_F_PIPE:
1587 case IP_FW_F_QUEUE:
1588 *flow_id = f; /* XXX set flow id */
1589 return(f->fw_pipe_nr | IP_FW_PORT_DYNT_FLAG);
1590
1591 case IP_FW_F_FWD:
1592 /* Change the next-hop address for this packet.
1593 * Initially we'll only worry about directly
1594 * reachable next-hop's, but ultimately
1595 * we will work out for next-hops that aren't
1596 * direct the route we would take for it. We
1597 * [cs]ould leave this latter problem to
1598 * ip_output.c. We hope to high [name the abode of
1599 * your favourite deity] that ip_output doesn't modify
1600 * the new value of next_hop (which is dst there)
1601 * XXX warning-- there is a dangerous reference here
1602 * from next_hop to a field within the rule. If the
1603 * rule is deleted, weird things might occur.
1604 */
1605 if (next_hop != NULL /* Make sure, first... */
1606 && (q == NULL || direction == MATCH_FORWARD) )
1607 *next_hop = &(f->fw_fwd_ip);
1608 return(0); /* Allow the packet */
1609
1610 }
1611
1612 /* Deny/reject this packet using this rule */
1613 break;
1614 }
1615
1616 /* Rule IPFW_DEFAULT_RULE should always be there and match */
1617 KASSERT(f != NULL, ("ip_fw: no chain"));
1618
1619 /*
1620 * At this point, we're going to drop the packet.
1621 * Send a reject notice if all of the following are true:
1622 *
1623 * - The packet matched a reject rule
1624 * - The packet is not an ICMP packet, or is an ICMP query packet
1625 * - The packet is not a multicast or broadcast packet
1626 */
1627 if ((f->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_REJECT
1628 && (proto != IPPROTO_ICMP || is_icmp_query(ip))
1629 && !((*m)->m_flags & (M_BCAST|M_MCAST))
1630 && !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
1631 switch (f->fw_reject_code) {
1632 case IP_FW_REJECT_RST:
1633 {
1634 /* XXX warning, this code writes into the mbuf */
1635 struct tcphdr *const tcp =
1636 (struct tcphdr *) ((u_int32_t *)ip + ip->ip_hl);
1637 struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip;
1638
1639 if (offset != 0 || (tcp->th_flags & TH_RST))
1640 break;
1641 ti.ti_i = *((struct ipovly *) ip);
1642 ti.ti_t = *tcp;
1643 bcopy(&ti, ip, sizeof(ti));
1644 tip->ti_seq = ntohl(tip->ti_seq);
1645 tip->ti_ack = ntohl(tip->ti_ack);
1646 tip->ti_len = ip_len - hlen - (tip->ti_off << 2);
1647 if (tcp->th_flags & TH_ACK) {
1648 tcp_respond(NULL, (void *)ip, tcp, *m,
1649 (tcp_seq)0, tcp->th_ack, TH_RST);
1650 } else {
1651 if (tcp->th_flags & TH_SYN)
1652 tip->ti_len++;
1653 tcp_respond(NULL, (void *)ip, tcp, *m,
1654 tip->ti_seq + tip->ti_len,
1655 (tcp_seq)0, TH_RST|TH_ACK);
1656 }
1657 *m = NULL;
1658 break;
1659 }
1660 default: /* Send an ICMP unreachable using code */
1661 icmp_error(*m, ICMP_UNREACH,
1662 f->fw_reject_code, 0L, 0);
1663 *m = NULL;
1664 break;
1665 }
1666 }
1667
1668 dropit:
1669 /*
1670 * Finally, drop the packet.
1671 */
1672 return(IP_FW_PORT_DENY_FLAG);
1673 }
1674
1675 /*
1676 * when a rule is added/deleted, zero the direct pointers within
1677 * all firewall rules. These will be reconstructed on the fly
1678 * as packets are matched.
1679 * Must be called at splimp().
1680 */
1681 static void
1682 flush_rule_ptrs()
1683 {
1684 struct ip_fw *fcp ;
1685
1686 LIST_FOREACH(fcp, &ip_fw_chain_head, next) {
1687 fcp->next_rule_ptr = NULL ;
1688 }
1689 }
1690
1691 static int
1692 add_entry(struct ip_fw_head *head, struct ip_fw *rule)
1693 {
1694 struct ip_fw *ftmp, *fcp, *fcpl;
1695 u_short nbr = 0;
1696 int s;
1697
1698 ftmp = malloc(sizeof *ftmp, M_IPFW, M_DONTWAIT | M_ZERO);
1699 if (!ftmp)
1700 return (ENOSPC);
1701 bcopy(rule, ftmp, sizeof(*ftmp));
1702
1703 ftmp->fw_in_if.fu_via_if.name[FW_IFNLEN - 1] = '\0';
1704 ftmp->fw_pcnt = 0L;
1705 ftmp->fw_bcnt = 0L;
1706 ftmp->next_rule_ptr = NULL ;
1707 ftmp->pipe_ptr = NULL ;
1708
1709 s = splimp();
1710
1711 if (LIST_FIRST(head) == 0) {
1712 LIST_INSERT_HEAD(head, ftmp, next);
1713 goto done;
1714 }
1715
1716 /* If entry number is 0, find highest numbered rule and add 100 */
1717 if (ftmp->fw_number == 0) {
1718 LIST_FOREACH(fcp, head, next) {
1719 if (fcp->fw_number != IPFW_DEFAULT_RULE)
1720 nbr = fcp->fw_number;
1721 else
1722 break;
1723 }
1724 if (nbr < IPFW_DEFAULT_RULE - 100)
1725 nbr += 100;
1726 ftmp->fw_number = rule->fw_number = nbr;
1727 }
1728
1729 /* Got a valid number; now insert it, keeping the list ordered */
1730 fcpl = NULL ;
1731 LIST_FOREACH(fcp, head, next) {
1732 if (fcp->fw_number > ftmp->fw_number) {
1733 if (fcpl) {
1734 LIST_INSERT_AFTER(fcpl, ftmp, next);
1735 } else {
1736 LIST_INSERT_HEAD(head, ftmp, next);
1737 }
1738 break;
1739 } else {
1740 fcpl = fcp;
1741 }
1742 }
1743 flush_rule_ptrs();
1744 done:
1745 static_count++;
1746 splx(s);
1747 DEB(printf("++ installed rule %d, static count now %d\n",
1748 ftmp->fw_number, static_count);)
1749 return (0);
1750 }
1751
1752 /**
1753 * free storage associated with a static rule entry (including
1754 * dependent dynamic rules), and zeroes rule pointers to avoid
1755 * dangling pointer dereferences.
1756 * @return a pointer to the next entry.
1757 * Must be called at splimp() and with a non-null argument.
1758 */
1759 static struct ip_fw *
1760 free_chain(struct ip_fw *fcp)
1761 {
1762 struct ip_fw *n;
1763
1764 n = LIST_NEXT(fcp, next);
1765 DELETE_DYN_CHAIN(fcp);
1766 LIST_REMOVE(fcp, next);
1767 static_count--;
1768 if (DUMMYNET_LOADED)
1769 ip_dn_ruledel_ptr(fcp) ;
1770 flush_rule_ptrs(); /* more efficient to do outside the loop */
1771 free(fcp, M_IPFW);
1772 return n;
1773 }
1774
1775 /**
1776 * remove all rules with given number.
1777 */
1778 static int
1779 del_entry(struct ip_fw_head *chainptr, u_short number)
1780 {
1781 struct ip_fw *rule;
1782
1783 if (number != IPFW_DEFAULT_RULE) {
1784 LIST_FOREACH(rule, chainptr, next) {
1785 if (rule->fw_number == number) {
1786 int s ;
1787
1788 s = splimp(); /* prevent access to rules while removing */
1789 while (rule && rule->fw_number == number)
1790 rule = free_chain(rule);
1791 /* XXX could move flush_rule_ptrs() here */
1792 splx(s);
1793 return 0 ;
1794 }
1795 }
1796 }
1797 return (EINVAL);
1798 }
1799
1800 /**
1801 * Reset some or all counters on firewall rules.
1802 * @arg frwl is null to clear all entries, or contains a specific
1803 * rule number.
1804 * @arg log_only is 1 if we only want to reset logs, zero otherwise.
1805 */
1806
1807 static int
1808 zero_entry(struct ip_fw *frwl, int log_only)
1809 {
1810 struct ip_fw *rule;
1811 int s;
1812 u_short number = 0 ;
1813 char *msg ;
1814
1815 if (frwl == 0) {
1816 s = splimp();
1817 LIST_FOREACH(rule, &ip_fw_chain_head, next) {
1818 if (log_only == 0) {
1819 rule->fw_bcnt = rule->fw_pcnt = 0;
1820 rule->timestamp = 0;
1821 }
1822 rule->fw_loghighest = rule->fw_pcnt+rule->fw_logamount;
1823 }
1824 splx(s);
1825 msg = log_only ? "ipfw: All logging counts cleared.\n" :
1826 "ipfw: Accounting cleared.\n";
1827 } else {
1828 int cleared = 0;
1829 number = frwl->fw_number ;
1830 /*
1831 * It is possible to insert multiple chain entries with the
1832 * same number, so we don't stop after finding the first
1833 * match if zeroing a specific entry.
1834 */
1835 LIST_FOREACH(rule, &ip_fw_chain_head, next)
1836 if (number == rule->fw_number) {
1837 s = splimp();
1838 while (rule && number == rule->fw_number) {
1839 if (log_only == 0) {
1840 rule->fw_bcnt = rule->fw_pcnt = 0;
1841 rule->timestamp = 0;
1842 }
1843 rule->fw_loghighest = rule->fw_pcnt+ rule->fw_logamount;
1844 rule = LIST_NEXT(rule, next);
1845 }
1846 splx(s);
1847 cleared = 1;
1848 break;
1849 }
1850 if (!cleared) /* we did not find any matching rules */
1851 return (EINVAL);
1852 msg = log_only ? "ipfw: Entry %d logging count reset.\n" :
1853 "ipfw: Entry %d cleared.\n";
1854 }
1855 if (fw_verbose)
1856 log(LOG_SECURITY | LOG_NOTICE, msg, number);
1857 return (0);
1858 }
1859
1860 static int
1861 check_ipfw_struct(struct ip_fw *frwl)
1862 {
1863 /* Check for invalid flag bits */
1864 if ((frwl->fw_flg & ~IP_FW_F_MASK) != 0) {
1865 dprintf(("%s undefined flag bits set (flags=%x)\n",
1866 err_prefix, frwl->fw_flg));
1867 return (EINVAL);
1868 }
1869 if ( (frwl->fw_flg & IP_FW_F_MAC) ) { /* match MAC address */
1870 return 0;
1871 }
1872 if (frwl->fw_flg == IP_FW_F_CHECK_S) {
1873 /* check-state */
1874 return 0 ;
1875 }
1876 /* Must apply to incoming or outgoing (or both) */
1877 if (!(frwl->fw_flg & (IP_FW_F_IN | IP_FW_F_OUT))) {
1878 dprintf(("%s neither in nor out\n", err_prefix));
1879 return (EINVAL);
1880 }
1881 /* Empty interface name is no good */
1882 if (((frwl->fw_flg & IP_FW_F_IIFNAME)
1883 && !*frwl->fw_in_if.fu_via_if.name)
1884 || ((frwl->fw_flg & IP_FW_F_OIFNAME)
1885 && !*frwl->fw_out_if.fu_via_if.name)) {
1886 dprintf(("%s empty interface name\n", err_prefix));
1887 return (EINVAL);
1888 }
1889 /* Sanity check interface matching */
1890 if ((frwl->fw_flg & IF_FW_F_VIAHACK) == IF_FW_F_VIAHACK) {
1891 ; /* allow "via" backwards compatibility */
1892 } else if ((frwl->fw_flg & IP_FW_F_IN)
1893 && (frwl->fw_flg & IP_FW_F_OIFACE)) {
1894 dprintf(("%s outgoing interface check on incoming\n",
1895 err_prefix));
1896 return (EINVAL);
1897 }
1898 /* Sanity check port ranges */
1899 if ((frwl->fw_flg & IP_FW_F_SRNG) && IP_FW_GETNSRCP(frwl) < 2) {
1900 dprintf(("%s src range set but n_src_p=%d\n",
1901 err_prefix, IP_FW_GETNSRCP(frwl)));
1902 return (EINVAL);
1903 }
1904 if ((frwl->fw_flg & IP_FW_F_DRNG) && IP_FW_GETNDSTP(frwl) < 2) {
1905 dprintf(("%s dst range set but n_dst_p=%d\n",
1906 err_prefix, IP_FW_GETNDSTP(frwl)));
1907 return (EINVAL);
1908 }
1909 if (IP_FW_GETNSRCP(frwl) + IP_FW_GETNDSTP(frwl) > IP_FW_MAX_PORTS) {
1910 dprintf(("%s too many ports (%d+%d)\n",
1911 err_prefix, IP_FW_GETNSRCP(frwl), IP_FW_GETNDSTP(frwl)));
1912 return (EINVAL);
1913 }
1914 /*
1915 * Protocols other than TCP/UDP don't use port range
1916 */
1917 if ((frwl->fw_prot != IPPROTO_TCP) &&
1918 (frwl->fw_prot != IPPROTO_UDP) &&
1919 (IP_FW_GETNSRCP(frwl) || IP_FW_GETNDSTP(frwl))) {
1920 dprintf(("%s port(s) specified for non TCP/UDP rule\n",
1921 err_prefix));
1922 return (EINVAL);
1923 }
1924
1925 /*
1926 * Rather than modify the entry to make such entries work,
1927 * we reject this rule and require user level utilities
1928 * to enforce whatever policy they deem appropriate.
1929 */
1930 if ((frwl->fw_src.s_addr & (~frwl->fw_smsk.s_addr)) ||
1931 (frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) {
1932 dprintf(("%s rule never matches\n", err_prefix));
1933 return (EINVAL);
1934 }
1935
1936 if ((frwl->fw_flg & IP_FW_F_FRAG) &&
1937 (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) {
1938 if (IP_FW_HAVEPORTS(frwl)) {
1939 dprintf(("%s cannot mix 'frag' and ports\n", err_prefix));
1940 return (EINVAL);
1941 }
1942 if (frwl->fw_prot == IPPROTO_TCP &&
1943 frwl->fw_tcpf != frwl->fw_tcpnf) {
1944 dprintf(("%s cannot mix 'frag' and TCP flags\n", err_prefix));
1945 return (EINVAL);
1946 }
1947 }
1948
1949 if (frwl->fw_flg & (IP_FW_F_UID | IP_FW_F_GID)) {
1950 if ((frwl->fw_prot != IPPROTO_TCP) &&
1951 (frwl->fw_prot != IPPROTO_UDP) &&
1952 (frwl->fw_prot != IPPROTO_IP)) {
1953 dprintf(("%s cannot use uid/gid logic on non-TCP/UDP\n", err_prefix));
1954 return (EINVAL);
1955 }
1956 }
1957
1958 /* Check command specific stuff */
1959 switch (frwl->fw_flg & IP_FW_F_COMMAND) {
1960 case IP_FW_F_REJECT:
1961 if (frwl->fw_reject_code >= 0x100
1962 && !(frwl->fw_prot == IPPROTO_TCP
1963 && frwl->fw_reject_code == IP_FW_REJECT_RST)) {
1964 dprintf(("%s unknown reject code\n", err_prefix));
1965 return (EINVAL);
1966 }
1967 break;
1968 #ifdef IPDIVERT
1969 case IP_FW_F_DIVERT: /* Diverting to port zero is invalid */
1970 case IP_FW_F_TEE:
1971 #endif
1972 case IP_FW_F_PIPE: /* pipe 0 is invalid */
1973 case IP_FW_F_QUEUE: /* queue 0 is invalid */
1974 if (frwl->fw_divert_port == 0) {
1975 dprintf(("%s 0 is an invalid argument\n", err_prefix));
1976 return (EINVAL);
1977 }
1978 break;
1979 case IP_FW_F_DENY:
1980 case IP_FW_F_ACCEPT:
1981 case IP_FW_F_COUNT:
1982 case IP_FW_F_SKIPTO:
1983 case IP_FW_F_FWD:
1984 break;
1985 default:
1986 dprintf(("%s invalid command\n", err_prefix));
1987 return (EINVAL);
1988 }
1989
1990 return 0;
1991 }
1992
1993 static int
1994 ip_fw_ctl(struct sockopt *sopt)
1995 {
1996 int error, s;
1997 size_t size;
1998 struct ip_fw *fcp;
1999 struct ip_fw frwl, *bp , *buf;
2000
2001 /*
2002 * Disallow modifications in really-really secure mode, but still allow
2003 * the logging counters to be reset.
2004 */
2005 if (sopt->sopt_name == IP_FW_ADD ||
2006 (sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)) {
2007 error = securelevel_ge(sopt->sopt_td->td_ucred, 3);
2008 if (error)
2009 return (error);
2010 }
2011
2012 error = 0;
2013
2014 switch (sopt->sopt_name) {
2015 case IP_FW_GET:
2016 /*
2017 * pass up a copy of the current rules. Static rules
2018 * come first (the last of which has number 65535),
2019 * followed by a possibly empty list of dynamic rule.
2020 * The last dynamic rule has NULL in the "next" field.
2021 */
2022 s = splimp();
2023 /* size of static rules */
2024 size = static_count * sizeof(struct ip_fw) ;
2025 if (ipfw_dyn_v) /* add size of dyn.rules */
2026 size += (dyn_count * sizeof(struct ipfw_dyn_rule));
2027
2028 /*
2029 * XXX todo: if the user passes a short length to know how
2030 * much room is needed, do not
2031 * bother filling up the buffer, just jump to the
2032 * sooptcopyout.
2033 */
2034 buf = malloc(size, M_TEMP, M_WAITOK);
2035 if (buf == 0) {
2036 splx(s);
2037 error = ENOBUFS;
2038 break;
2039 }
2040
2041 bp = buf ;
2042 LIST_FOREACH(fcp, &ip_fw_chain_head, next) {
2043 bcopy(fcp, bp, sizeof *fcp);
2044 bp++;
2045 }
2046 if (ipfw_dyn_v) {
2047 int i ;
2048 struct ipfw_dyn_rule *p, *dst, *last = NULL ;
2049
2050 dst = (struct ipfw_dyn_rule *)bp ;
2051 for (i = 0 ; i < curr_dyn_buckets ; i++ )
2052 for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next, dst++ ) {
2053 bcopy(p, dst, sizeof *p);
2054 (int)dst->rule = p->rule->fw_number ;
2055 /*
2056 * store a non-null value in "next". The userland
2057 * code will interpret a NULL here as a marker
2058 * for the last dynamic rule.
2059 */
2060 dst->next = dst ;
2061 last = dst ;
2062 if (TIME_LEQ(dst->expire, time_second) )
2063 dst->expire = 0 ;
2064 else
2065 dst->expire -= time_second ;
2066 }
2067 if (last != NULL)
2068 last->next = NULL ; /* mark last dynamic rule */
2069 }
2070 splx(s);
2071
2072 error = sooptcopyout(sopt, buf, size);
2073 free(buf, M_TEMP);
2074 break;
2075
2076 case IP_FW_FLUSH:
2077 /*
2078 * Normally we cannot release the lock on each iteration.
2079 * We could do it here only because we start from the head all
2080 * the times so there is no risk of missing some entries.
2081 * On the other hand, the risk is that we end up with
2082 * a very inconsistent ruleset, so better keep the lock
2083 * around the whole cycle.
2084 *
2085 * XXX this code can be improved by resetting the head of
2086 * the list to point to the default rule, and then freeing
2087 * the old list without the need for a lock.
2088 */
2089
2090 s = splimp();
2091 while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) &&
2092 fcp->fw_number != IPFW_DEFAULT_RULE )
2093 free_chain(fcp);
2094 splx(s);
2095 break;
2096
2097 case IP_FW_ADD:
2098 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2099 if (error || (error = check_ipfw_struct(&frwl)))
2100 break;
2101
2102 if (frwl.fw_number == IPFW_DEFAULT_RULE) {
2103 dprintf(("%s can't add rule %u\n", err_prefix,
2104 (unsigned)IPFW_DEFAULT_RULE));
2105 error = EINVAL;
2106 } else {
2107 error = add_entry(&ip_fw_chain_head, &frwl);
2108 if (!error && sopt->sopt_dir == SOPT_GET)
2109 error = sooptcopyout(sopt, &frwl, sizeof frwl);
2110 }
2111 break;
2112
2113 case IP_FW_DEL:
2114 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2115 if (error)
2116 break;
2117
2118 if (frwl.fw_number == IPFW_DEFAULT_RULE) {
2119 dprintf(("%s can't delete rule %u\n", err_prefix,
2120 (unsigned)IPFW_DEFAULT_RULE));
2121 error = EINVAL;
2122 } else {
2123 error = del_entry(&ip_fw_chain_head, frwl.fw_number);
2124 }
2125 break;
2126
2127 case IP_FW_ZERO:
2128 case IP_FW_RESETLOG:
2129 {
2130 int cmd = (sopt->sopt_name == IP_FW_RESETLOG );
2131 void *arg = NULL ;
2132
2133 if (sopt->sopt_val != 0) {
2134 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2135 if (error)
2136 break;
2137 arg = &frwl ;
2138 }
2139 error = zero_entry(arg, cmd);
2140 }
2141 break;
2142
2143 default:
2144 printf("ip_fw_ctl invalid option %d\n", sopt->sopt_name);
2145 error = EINVAL ;
2146 }
2147
2148 return (error);
2149 }
2150
2151 /**
2152 * dummynet needs a reference to the default rule, because rules can
2153 * be deleted while packets hold a reference to them (e.g. to resume
2154 * processing at the next rule). When this happens, dummynet changes
2155 * the reference to the default rule (probably it could well be a
2156 * NULL pointer, but this way we do not need to check for the special
2157 * case, plus here he have info on the default behaviour.
2158 */
2159 struct ip_fw *ip_fw_default_rule ;
2160
2161 void
2162 ip_fw_init(void)
2163 {
2164 struct ip_fw default_rule;
2165
2166 ip_fw_chk_ptr = ip_fw_chk;
2167 ip_fw_ctl_ptr = ip_fw_ctl;
2168 LIST_INIT(&ip_fw_chain_head);
2169
2170 bzero(&default_rule, sizeof default_rule);
2171 default_rule.fw_prot = IPPROTO_IP;
2172 default_rule.fw_number = IPFW_DEFAULT_RULE;
2173 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
2174 default_rule.fw_flg |= IP_FW_F_ACCEPT;
2175 #else
2176 default_rule.fw_flg |= IP_FW_F_DENY;
2177 #endif
2178 default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
2179 if (check_ipfw_struct(&default_rule) != 0 ||
2180 add_entry(&ip_fw_chain_head, &default_rule))
2181 panic("ip_fw_init");
2182
2183 ip_fw_default_rule = LIST_FIRST(&ip_fw_chain_head) ;
2184 printf("IP packet filtering initialized, "
2185 #ifdef IPDIVERT
2186 "divert enabled, "
2187 #else
2188 "divert disabled, "
2189 #endif
2190 "rule-based forwarding enabled, "
2191 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
2192 "default to accept, ");
2193 #else
2194 "default to deny, " );
2195 #endif
2196 #ifndef IPFIREWALL_VERBOSE
2197 printf("logging disabled\n");
2198 #else
2199 if (fw_verbose_limit == 0)
2200 printf("unlimited logging\n");
2201 else
2202 printf("logging limited to %d packets/entry by default\n",
2203 fw_verbose_limit);
2204 #endif
2205 }
2206
2207 static int
2208 ipfw_modevent(module_t mod, int type, void *unused)
2209 {
2210 int s;
2211 int err = 0 ;
2212 #if defined(KLD_MODULE)
2213 struct ip_fw *fcp;
2214 #endif
2215
2216 switch (type) {
2217 case MOD_LOAD:
2218 s = splimp();
2219 if (IPFW_LOADED) {
2220 splx(s);
2221 printf("IP firewall already loaded\n");
2222 err = EEXIST ;
2223 } else {
2224 ip_fw_init();
2225 splx(s);
2226 }
2227 break ;
2228 case MOD_UNLOAD:
2229 #if !defined(KLD_MODULE)
2230 printf("ipfw statically compiled, cannot unload\n");
2231 err = EBUSY;
2232 #else
2233 s = splimp();
2234 ip_fw_chk_ptr = NULL ;
2235 ip_fw_ctl_ptr = NULL ;
2236 while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) != NULL)
2237 free_chain(fcp);
2238 splx(s);
2239 printf("IP firewall unloaded\n");
2240 #endif
2241 break;
2242 default:
2243 break;
2244 }
2245 return err;
2246 }
2247
2248 static moduledata_t ipfwmod = {
2249 "ipfw",
2250 ipfw_modevent,
2251 0
2252 };
2253 DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PSEUDO, SI_ORDER_ANY);
2254 MODULE_VERSION(ipfw, 1);
Cache object: 8173a8e57876cc175d7e69dbf1fd2ce0
|