FreeBSD/Linux Kernel Cross Reference
sys/netinet/ip_fw.c
1 /*
2 * Copyright (c) 1993 Daniel Boulet
3 * Copyright (c) 1994 Ugen J.S.Antsilevich
4 * Copyright (c) 1996 Alex Nash
5 * Copyright (c) 2000-2002 Luigi Rizzo
6 *
7 * Redistribution and use in source forms, with and without modification,
8 * are permitted provided that this entire comment appears intact.
9 *
10 * Redistribution in binary form may occur without any restrictions.
11 * Obviously, it would be nice if you gave credit where credit is due
12 * but requiring it would be too onerous.
13 *
14 * This software is provided ``AS IS'' without any warranties of any kind.
15 *
16 * $FreeBSD: releng/5.1/sys/netinet/ip_fw.c 111119 2003-02-19 05:47:46Z imp $
17 */
18
19 #define DEB(x)
20 #define DDB(x) x
21
22 /*
23 * Implement IP packet firewall
24 */
25
26 #if !defined(KLD_MODULE)
27 #include "opt_ipfw.h"
28 #include "opt_ipdn.h"
29 #include "opt_ipdivert.h"
30 #include "opt_inet.h"
31 #ifndef INET
32 #error IPFIREWALL requires INET.
33 #endif /* INET */
34 #endif
35
36 #include <sys/param.h>
37 #include <sys/systm.h>
38 #include <sys/malloc.h>
39 #include <sys/mbuf.h>
40 #include <sys/kernel.h>
41 #include <sys/proc.h>
42 #include <sys/socket.h>
43 #include <sys/socketvar.h>
44 #include <sys/sysctl.h>
45 #include <sys/syslog.h>
46 #include <sys/ucred.h>
47 #include <net/if.h>
48 #include <net/route.h>
49 #include <netinet/in.h>
50 #include <netinet/in_systm.h>
51 #include <netinet/in_var.h>
52 #include <netinet/in_pcb.h>
53 #include <netinet/ip.h>
54 #include <netinet/ip_var.h>
55 #include <netinet/ip_icmp.h>
56 #include <netinet/ip_fw.h>
57 #include <netinet/ip_dummynet.h>
58 #include <netinet/tcp.h>
59 #include <netinet/tcp_timer.h>
60 #include <netinet/tcp_var.h>
61 #include <netinet/tcpip.h>
62 #include <netinet/udp.h>
63 #include <netinet/udp_var.h>
64
65 #include <netinet/if_ether.h> /* XXX ethertype_ip */
66
67 static int fw_debug = 1;
68 #ifdef IPFIREWALL_VERBOSE
69 static int fw_verbose = 1;
70 #else
71 static int fw_verbose = 0;
72 #endif
73 int fw_one_pass = 1 ;
74 #ifdef IPFIREWALL_VERBOSE_LIMIT
75 static int fw_verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
76 #else
77 static int fw_verbose_limit = 0;
78 #endif
79 static int fw_permanent_rules = 0;
80
81 /*
82 * Right now, two fields in the IP header are changed to host format
83 * by the IP layer before calling the firewall. Ideally, we would like
84 * to have them in network format so that the packet can be
85 * used as it comes from the device driver (and is thus readonly).
86 */
87
88 static u_int64_t counter; /* counter for ipfw_report(NULL...) */
89
90 #define IPFW_DEFAULT_RULE ((u_int)(u_short)~0)
91
92 LIST_HEAD (ip_fw_head, ip_fw) ip_fw_chain_head;
93
94 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
95
96 #ifdef SYSCTL_NODE
97 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
98 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
99 &fw_enable, 0, "Enable ipfw");
100 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
101 &fw_one_pass, 0,
102 "Only do a single pass through ipfw when using dummynet(4)");
103 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW,
104 &fw_debug, 0, "Enable printing of debug ip_fw statements");
105 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW,
106 &fw_verbose, 0, "Log matches to ipfw rules");
107 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW,
108 &fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules logged");
109 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLFLAG_RW,
110 &fw_permanent_rules, 0, "Set rule number, below which rules are permanent");
111
112 /*
113 * Extension for stateful ipfw.
114 *
115 * Dynamic rules are stored in lists accessed through a hash table
116 * (ipfw_dyn_v) whose size is curr_dyn_buckets. This value can
117 * be modified through the sysctl variable dyn_buckets which is
118 * updated when the table becomes empty.
119 *
120 * XXX currently there is only one list, ipfw_dyn.
121 *
122 * When a packet is received, it is first hashed, then matched
123 * against the entries in the corresponding list.
124 * Matching occurs according to the rule type. The default is to
125 * match the four fields and the protocol, and rules are bidirectional.
126 *
127 * For a busy proxy/web server we will have lots of connections to
128 * the server. We could decide for a rule type where we ignore
129 * ports (different hashing) and avoid special SYN/RST/FIN handling.
130 *
131 * XXX when we decide to support more than one rule type, we should
132 * repeat the hashing multiple times uing only the useful fields.
133 * Or, we could run the various tests in parallel, because the
134 * 'move to front' technique should shorten the average search.
135 *
136 * The lifetime of dynamic rules is regulated by dyn_*_lifetime,
137 * measured in seconds and depending on the flags.
138 *
139 * The total number of dynamic rules is stored in dyn_count.
140 * The max number of dynamic rules is dyn_max. When we reach
141 * the maximum number of rules we do not create anymore. This is
142 * done to avoid consuming too much memory, but also too much
143 * time when searching on each packet (ideally, we should try instead
144 * to put a limit on the length of the list on each bucket...).
145 *
146 * Each dynamic rules holds a pointer to the parent ipfw rule so
147 * we know what action to perform. Dynamic rules are removed when
148 * the parent rule is deleted.
149 * There are some limitations with dynamic rules -- we do not
150 * obey the 'randomized match', and we do not do multiple
151 * passes through the firewall.
152 * XXX check the latter!!!
153 */
154 static struct ipfw_dyn_rule **ipfw_dyn_v = NULL ;
155 static u_int32_t dyn_buckets = 256 ; /* must be power of 2 */
156 static u_int32_t curr_dyn_buckets = 256 ; /* must be power of 2 */
157
158 /*
159 * timeouts for various events in handing dynamic rules.
160 */
161 static u_int32_t dyn_ack_lifetime = 300 ;
162 static u_int32_t dyn_syn_lifetime = 20 ;
163 static u_int32_t dyn_fin_lifetime = 1 ;
164 static u_int32_t dyn_rst_lifetime = 1 ;
165 static u_int32_t dyn_udp_lifetime = 10 ;
166 static u_int32_t dyn_short_lifetime = 5 ;
167
168 /*
169 * after reaching 0, dynamic rules are considered still valid for
170 * an additional grace time, unless there is lack of resources.
171 */
172 static u_int32_t dyn_grace_time = 10 ;
173
174 static u_int32_t static_count = 0 ; /* # of static rules */
175 static u_int32_t dyn_count = 0 ; /* # of dynamic rules */
176 static u_int32_t dyn_max = 1000 ; /* max # of dynamic rules */
177
178 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW,
179 &dyn_buckets, 0, "Number of dyn. buckets");
180 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD,
181 &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
182 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD,
183 &dyn_count, 0, "Number of dyn. rules");
184 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW,
185 &dyn_max, 0, "Max number of dyn. rules");
186 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD,
187 &static_count, 0, "Number of static rules");
188 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW,
189 &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
190 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW,
191 &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
192 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW,
193 &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin");
194 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW,
195 &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst");
196 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW,
197 &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP");
198 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW,
199 &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
200 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_grace_time, CTLFLAG_RD,
201 &dyn_grace_time, 0, "Grace time for dyn. rules");
202
203 #endif /* SYSCTL_NODE */
204
205 #define dprintf(a) do { \
206 if (fw_debug) \
207 printf a; \
208 } while (0)
209 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
210
211 static int add_entry (struct ip_fw_head *chainptr, struct ip_fw *frwl);
212 static int del_entry (struct ip_fw_head *chainptr, u_short number);
213 static int zero_entry (struct ip_fw *, int);
214 static int check_ipfw_struct (struct ip_fw *m);
215 static int iface_match (struct ifnet *ifp, union ip_fw_if *ifu,
216 int byname);
217 static int ipopts_match (struct ip *ip, struct ip_fw *f);
218 static int iptos_match (struct ip *ip, struct ip_fw *f);
219 static __inline int
220 port_match (u_short *portptr, int nports, u_short port,
221 int range_flag, int mask);
222 static int tcpflg_match (struct tcphdr *tcp, struct ip_fw *f);
223 static int icmptype_match (struct icmp * icmp, struct ip_fw * f);
224 static void ipfw_report (struct ip_fw *f, struct ip *ip, int ip_off,
225 int ip_len, struct ifnet *rif,
226 struct ifnet *oif);
227
228 static void flush_rule_ptrs(void);
229
230 static ip_fw_chk_t ip_fw_chk;
231 static int ip_fw_ctl (struct sockopt *sopt);
232
233 ip_dn_ruledel_t *ip_dn_ruledel_ptr = NULL;
234
235 static char err_prefix[] = "ip_fw_ctl:";
236
237 /*
238 * Returns 1 if the port is matched by the vector, 0 otherwise
239 */
240 static __inline int
241 port_match(u_short *portptr, int nports, u_short port, int range_flag, int mask)
242 {
243 if (!nports)
244 return 1;
245 if (mask) {
246 if ( 0 == ((portptr[0] ^ port) & portptr[1]) )
247 return 1;
248 nports -= 2;
249 portptr += 2;
250 }
251 if (range_flag) {
252 if (portptr[0] <= port && port <= portptr[1])
253 return 1;
254 nports -= 2;
255 portptr += 2;
256 }
257 while (nports-- > 0)
258 if (*portptr++ == port)
259 return 1;
260 return 0;
261 }
262
263 static int
264 tcpflg_match(struct tcphdr *tcp, struct ip_fw *f)
265 {
266 u_char flg_set, flg_clr;
267
268 /*
269 * If an established connection is required, reject packets that
270 * have only SYN of RST|ACK|SYN set. Otherwise, fall through to
271 * other flag requirements.
272 */
273 if ((f->fw_ipflg & IP_FW_IF_TCPEST) &&
274 ((tcp->th_flags & (TH_RST | TH_ACK | TH_SYN)) == TH_SYN))
275 return 0;
276
277 flg_set = tcp->th_flags & f->fw_tcpf;
278 flg_clr = tcp->th_flags & f->fw_tcpnf;
279
280 if (flg_set != f->fw_tcpf)
281 return 0;
282 if (flg_clr)
283 return 0;
284
285 return 1;
286 }
287
288 static int
289 icmptype_match(struct icmp *icmp, struct ip_fw *f)
290 {
291 int type;
292
293 if (!(f->fw_flg & IP_FW_F_ICMPBIT))
294 return(1);
295
296 type = icmp->icmp_type;
297
298 /* check for matching type in the bitmap */
299 if (type < IP_FW_ICMPTYPES_MAX &&
300 (f->fw_uar.fw_icmptypes[type / (sizeof(unsigned) * NBBY)] &
301 (1U << (type % (sizeof(unsigned) * NBBY)))))
302 return(1);
303
304 return(0); /* no match */
305 }
306
307 static int
308 is_icmp_query(struct ip *ip)
309 {
310 const struct icmp *icmp;
311 int icmp_type;
312
313 icmp = (struct icmp *)((u_int32_t *)ip + ip->ip_hl);
314 icmp_type = icmp->icmp_type;
315
316 if (icmp_type == ICMP_ECHO || icmp_type == ICMP_ROUTERSOLICIT ||
317 icmp_type == ICMP_TSTAMP || icmp_type == ICMP_IREQ ||
318 icmp_type == ICMP_MASKREQ)
319 return(1);
320
321 return(0);
322 }
323
324 static int
325 ipopts_match(struct ip *ip, struct ip_fw *f)
326 {
327 register u_char *cp;
328 int opt, optlen, cnt;
329 u_char opts, nopts, nopts_sve;
330
331 cp = (u_char *)(ip + 1);
332 cnt = (ip->ip_hl << 2) - sizeof (struct ip);
333 opts = f->fw_ipopt;
334 nopts = nopts_sve = f->fw_ipnopt;
335
336 for (; cnt > 0; cnt -= optlen, cp += optlen) {
337 opt = cp[IPOPT_OPTVAL];
338 if (opt == IPOPT_EOL)
339 break;
340 if (opt == IPOPT_NOP)
341 optlen = 1;
342 else {
343 optlen = cp[IPOPT_OLEN];
344 if (optlen <= 0 || optlen > cnt) {
345 return 0; /*XXX*/
346 }
347 }
348 switch (opt) {
349
350 default:
351 break;
352
353 case IPOPT_LSRR:
354 opts &= ~IP_FW_IPOPT_LSRR;
355 nopts &= ~IP_FW_IPOPT_LSRR;
356 break;
357
358 case IPOPT_SSRR:
359 opts &= ~IP_FW_IPOPT_SSRR;
360 nopts &= ~IP_FW_IPOPT_SSRR;
361 break;
362
363 case IPOPT_RR:
364 opts &= ~IP_FW_IPOPT_RR;
365 nopts &= ~IP_FW_IPOPT_RR;
366 break;
367 case IPOPT_TS:
368 opts &= ~IP_FW_IPOPT_TS;
369 nopts &= ~IP_FW_IPOPT_TS;
370 break;
371 }
372 if (opts == nopts)
373 break;
374 }
375 if (opts == 0 && nopts == nopts_sve)
376 return 1;
377 else
378 return 0;
379 }
380
381 static int
382 iptos_match(struct ip *ip, struct ip_fw *f)
383 {
384
385 u_int flags = (ip->ip_tos & 0x1f);
386 u_char opts, nopts, nopts_sve;
387
388 opts = (f->fw_iptos & 0x1f);
389 nopts = nopts_sve = f->fw_ipntos;
390
391 while (flags != 0) {
392 u_int flag;
393
394 flag = 1 << (ffs(flags) -1);
395 opts &= ~flag;
396 nopts &= ~flag;
397 flags &= ~flag;
398 }
399
400 if (opts == 0 && nopts == nopts_sve)
401 return 1;
402 else
403 return 0;
404
405 }
406
407
408 static int
409 tcpopts_match(struct tcphdr *tcp, struct ip_fw *f)
410 {
411 register u_char *cp;
412 int opt, optlen, cnt;
413 u_char opts, nopts, nopts_sve;
414
415 cp = (u_char *)(tcp + 1);
416 cnt = (tcp->th_off << 2) - sizeof (struct tcphdr);
417 opts = f->fw_tcpopt;
418 nopts = nopts_sve = f->fw_tcpnopt;
419
420 for (; cnt > 0; cnt -= optlen, cp += optlen) {
421 opt = cp[0];
422 if (opt == TCPOPT_EOL)
423 break;
424 if (opt == TCPOPT_NOP)
425 optlen = 1;
426 else {
427 optlen = cp[1];
428 if (optlen <= 0)
429 break;
430 }
431
432
433 switch (opt) {
434
435 default:
436 break;
437
438 case TCPOPT_MAXSEG:
439 opts &= ~IP_FW_TCPOPT_MSS;
440 nopts &= ~IP_FW_TCPOPT_MSS;
441 break;
442
443 case TCPOPT_WINDOW:
444 opts &= ~IP_FW_TCPOPT_WINDOW;
445 nopts &= ~IP_FW_TCPOPT_WINDOW;
446 break;
447
448 case TCPOPT_SACK_PERMITTED:
449 case TCPOPT_SACK:
450 opts &= ~IP_FW_TCPOPT_SACK;
451 nopts &= ~IP_FW_TCPOPT_SACK;
452 break;
453
454 case TCPOPT_TIMESTAMP:
455 opts &= ~IP_FW_TCPOPT_TS;
456 nopts &= ~IP_FW_TCPOPT_TS;
457 break;
458
459 case TCPOPT_CC:
460 case TCPOPT_CCNEW:
461 case TCPOPT_CCECHO:
462 opts &= ~IP_FW_TCPOPT_CC;
463 nopts &= ~IP_FW_TCPOPT_CC;
464 break;
465 }
466 if (opts == nopts)
467 break;
468 }
469 if (opts == 0 && nopts == nopts_sve)
470 return 1;
471 else
472 return 0;
473 }
474
475 static int
476 iface_match(struct ifnet *ifp, union ip_fw_if *ifu, int byname)
477 {
478 /* Check by name or by IP address */
479 if (byname) {
480 /* Check unit number (-1 is wildcard) */
481 if (ifu->fu_via_if.unit != -1
482 && ifp->if_unit != ifu->fu_via_if.unit)
483 return(0);
484 /* Check name */
485 if (strncmp(ifp->if_name, ifu->fu_via_if.name, FW_IFNLEN))
486 return(0);
487 return(1);
488 } else if (ifu->fu_via_ip.s_addr != 0) { /* Zero == wildcard */
489 struct ifaddr *ia;
490
491 TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
492 if (ia->ifa_addr == NULL)
493 continue;
494 if (ia->ifa_addr->sa_family != AF_INET)
495 continue;
496 if (ifu->fu_via_ip.s_addr != ((struct sockaddr_in *)
497 (ia->ifa_addr))->sin_addr.s_addr)
498 continue;
499 return(1);
500 }
501 return(0);
502 }
503 return(1);
504 }
505
506 static void
507 ipfw_report(struct ip_fw *f, struct ip *ip, int ip_off, int ip_len,
508 struct ifnet *rif, struct ifnet *oif)
509 {
510 struct tcphdr *const tcp = (struct tcphdr *) ((u_int32_t *) ip+ ip->ip_hl);
511 struct udphdr *const udp = (struct udphdr *) ((u_int32_t *) ip+ ip->ip_hl);
512 struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl);
513 u_int64_t count;
514 char *action;
515 char action2[32], proto[47], name[18], fragment[27];
516 int len;
517 int offset = ip_off & IP_OFFMASK;
518
519 count = f ? f->fw_pcnt : ++counter;
520 if ((f == NULL && fw_verbose_limit != 0 && count > fw_verbose_limit) ||
521 (f && f->fw_logamount != 0 && count > f->fw_loghighest))
522 return;
523
524 /* Print command name */
525 snprintf(SNPARGS(name, 0), "ipfw: %d", f ? f->fw_number : -1);
526
527 action = action2;
528 if (!f)
529 action = "Refuse";
530 else {
531 switch (f->fw_flg & IP_FW_F_COMMAND) {
532 case IP_FW_F_DENY:
533 action = "Deny";
534 break;
535 case IP_FW_F_REJECT:
536 if (f->fw_reject_code == IP_FW_REJECT_RST)
537 action = "Reset";
538 else
539 action = "Unreach";
540 break;
541 case IP_FW_F_ACCEPT:
542 action = "Accept";
543 break;
544 case IP_FW_F_COUNT:
545 action = "Count";
546 break;
547 #ifdef IPDIVERT
548 case IP_FW_F_DIVERT:
549 snprintf(SNPARGS(action2, 0), "Divert %d",
550 f->fw_divert_port);
551 break;
552 case IP_FW_F_TEE:
553 snprintf(SNPARGS(action2, 0), "Tee %d",
554 f->fw_divert_port);
555 break;
556 #endif
557 case IP_FW_F_SKIPTO:
558 snprintf(SNPARGS(action2, 0), "SkipTo %d",
559 f->fw_skipto_rule);
560 break;
561 case IP_FW_F_PIPE:
562 snprintf(SNPARGS(action2, 0), "Pipe %d",
563 f->fw_skipto_rule);
564 break;
565 case IP_FW_F_QUEUE:
566 snprintf(SNPARGS(action2, 0), "Queue %d",
567 f->fw_skipto_rule);
568 break;
569
570 case IP_FW_F_FWD:
571 if (f->fw_fwd_ip.sin_port)
572 snprintf(SNPARGS(action2, 0),
573 "Forward to %s:%d",
574 inet_ntoa(f->fw_fwd_ip.sin_addr),
575 f->fw_fwd_ip.sin_port);
576 else
577 snprintf(SNPARGS(action2, 0), "Forward to %s",
578 inet_ntoa(f->fw_fwd_ip.sin_addr));
579 break;
580
581 default:
582 action = "UNKNOWN";
583 break;
584 }
585 }
586
587 switch (ip->ip_p) {
588 case IPPROTO_TCP:
589 len = snprintf(SNPARGS(proto, 0), "TCP %s",
590 inet_ntoa(ip->ip_src));
591 if (offset == 0)
592 len += snprintf(SNPARGS(proto, len), ":%d ",
593 ntohs(tcp->th_sport));
594 else
595 len += snprintf(SNPARGS(proto, len), " ");
596 len += snprintf(SNPARGS(proto, len), "%s",
597 inet_ntoa(ip->ip_dst));
598 if (offset == 0)
599 snprintf(SNPARGS(proto, len), ":%d",
600 ntohs(tcp->th_dport));
601 break;
602 case IPPROTO_UDP:
603 len = snprintf(SNPARGS(proto, 0), "UDP %s",
604 inet_ntoa(ip->ip_src));
605 if (offset == 0)
606 len += snprintf(SNPARGS(proto, len), ":%d ",
607 ntohs(udp->uh_sport));
608 else
609 len += snprintf(SNPARGS(proto, len), " ");
610 len += snprintf(SNPARGS(proto, len), "%s",
611 inet_ntoa(ip->ip_dst));
612 if (offset == 0)
613 snprintf(SNPARGS(proto, len), ":%d",
614 ntohs(udp->uh_dport));
615 break;
616 case IPPROTO_ICMP:
617 if (offset == 0)
618 len = snprintf(SNPARGS(proto, 0), "ICMP:%u.%u ",
619 icmp->icmp_type, icmp->icmp_code);
620 else
621 len = snprintf(SNPARGS(proto, 0), "ICMP ");
622 len += snprintf(SNPARGS(proto, len), "%s",
623 inet_ntoa(ip->ip_src));
624 snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
625 break;
626 default:
627 len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p,
628 inet_ntoa(ip->ip_src));
629 snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst));
630 break;
631 }
632
633 if (ip_off & (IP_MF | IP_OFFMASK))
634 snprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)",
635 ntohs(ip->ip_id), ip_len - (ip->ip_hl << 2),
636 offset << 3,
637 (ip_off & IP_MF) ? "+" : "");
638 else
639 fragment[0] = '\0';
640 if (oif)
641 log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n",
642 name, action, proto, oif->if_name, oif->if_unit, fragment);
643 else if (rif)
644 log(LOG_SECURITY | LOG_INFO, "%s %s %s in via %s%d%s\n", name,
645 action, proto, rif->if_name, rif->if_unit, fragment);
646 else
647 log(LOG_SECURITY | LOG_INFO, "%s %s %s%s\n", name, action,
648 proto, fragment);
649 if ((f ? f->fw_logamount != 0 : 1) &&
650 count == (f ? f->fw_loghighest : fw_verbose_limit))
651 log(LOG_SECURITY | LOG_NOTICE,
652 "ipfw: limit %d reached on entry %d\n",
653 f ? f->fw_logamount : fw_verbose_limit,
654 f ? f->fw_number : -1);
655 }
656
657 static __inline int
658 hash_packet(struct ipfw_flow_id *id)
659 {
660 u_int32_t i ;
661
662 i = (id->dst_ip) ^ (id->src_ip) ^ (id->dst_port) ^ (id->src_port);
663 i &= (curr_dyn_buckets - 1) ;
664 return i ;
665 }
666
667 /**
668 * unlink a dynamic rule from a chain. prev is a pointer to
669 * the previous one, q is a pointer to the rule to delete,
670 * head is a pointer to the head of the queue.
671 * Modifies q and potentially also head.
672 */
673 #define UNLINK_DYN_RULE(prev, head, q) { \
674 struct ipfw_dyn_rule *old_q = q; \
675 \
676 /* remove a refcount to the parent */ \
677 if (q->dyn_type == DYN_LIMIT) \
678 q->parent->count--; \
679 DEB(printf("-- unlink entry 0x%08x %d -> 0x%08x %d, %d left\n", \
680 (q->id.src_ip), (q->id.src_port), \
681 (q->id.dst_ip), (q->id.dst_port), dyn_count-1 ); ) \
682 if (prev != NULL) \
683 prev->next = q = q->next ; \
684 else \
685 ipfw_dyn_v[i] = q = q->next ; \
686 dyn_count-- ; \
687 free(old_q, M_IPFW); }
688
689 #define TIME_LEQ(a,b) ((int)((a)-(b)) <= 0)
690 /**
691 * Remove all dynamic rules pointing to a given rule, or all
692 * rules if rule == NULL. Second parameter is 1 if we want to
693 * delete unconditionally, otherwise only expired rules are removed.
694 */
695 static void
696 remove_dyn_rule(struct ip_fw *rule, int force)
697 {
698 struct ipfw_dyn_rule *prev, *q;
699 int i, pass, max_pass ;
700 static u_int32_t last_remove = 0 ;
701
702 if (ipfw_dyn_v == NULL || dyn_count == 0)
703 return ;
704 /* do not expire more than once per second, it is useless */
705 if (force == 0 && last_remove == time_second)
706 return ;
707 last_remove = time_second ;
708
709 /*
710 * because DYN_LIMIT refer to parent rules, during the first pass only
711 * remove child and mark any pending LIMIT_PARENT, and remove
712 * them in a second pass.
713 */
714 for (pass = max_pass = 0; pass <= max_pass ; pass++ ) {
715 for (i = 0 ; i < curr_dyn_buckets ; i++) {
716 for (prev=NULL, q = ipfw_dyn_v[i] ; q ; ) {
717 /*
718 * logic can become complex here, so we split tests.
719 * First, test if we match any rule,
720 * then make sure the rule is expired or we want to kill it,
721 * and possibly more in the future.
722 */
723 int zap = ( rule == NULL || rule == q->rule);
724 if (zap)
725 zap = force || TIME_LEQ( q->expire , time_second );
726 /* do not zap parent in first pass, record we need a second pass */
727 if (q->dyn_type == DYN_LIMIT_PARENT) {
728 max_pass = 1; /* we need a second pass */
729 if (zap == 1 && (pass == 0 || q->count != 0) ) {
730 zap = 0 ;
731 if (pass == 1) /* should not happen */
732 printf("OUCH! cannot remove rule, count %d\n",
733 q->count);
734 }
735 }
736 if (zap) {
737 UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
738 } else {
739 prev = q ;
740 q = q->next ;
741 }
742 }
743 }
744 }
745 }
746
747 #define EXPIRE_DYN_CHAIN(rule) remove_dyn_rule(rule, 0 /* expired ones */)
748 #define EXPIRE_DYN_CHAINS() remove_dyn_rule(NULL, 0 /* expired ones */)
749 #define DELETE_DYN_CHAIN(rule) remove_dyn_rule(rule, 1 /* force removal */)
750 #define DELETE_DYN_CHAINS() remove_dyn_rule(NULL, 1 /* force removal */)
751
752 /**
753 * lookup a dynamic rule.
754 */
755 static struct ipfw_dyn_rule *
756 lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction)
757 {
758 /*
759 * stateful ipfw extensions.
760 * Lookup into dynamic session queue
761 */
762 struct ipfw_dyn_rule *prev, *q ;
763 int i, dir = 0;
764 #define MATCH_FORWARD 1
765
766 if (ipfw_dyn_v == NULL)
767 return NULL ;
768 i = hash_packet( pkt );
769 for (prev=NULL, q = ipfw_dyn_v[i] ; q != NULL ; ) {
770 if (q->dyn_type == DYN_LIMIT_PARENT)
771 goto next;
772 if (TIME_LEQ( q->expire , time_second ) ) { /* expire entry */
773 UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
774 continue;
775 }
776 if ( pkt->proto == q->id.proto) {
777 if (pkt->src_ip == q->id.src_ip &&
778 pkt->dst_ip == q->id.dst_ip &&
779 pkt->src_port == q->id.src_port &&
780 pkt->dst_port == q->id.dst_port ) {
781 dir = MATCH_FORWARD ;
782 goto found ;
783 }
784 if (pkt->src_ip == q->id.dst_ip &&
785 pkt->dst_ip == q->id.src_ip &&
786 pkt->src_port == q->id.dst_port &&
787 pkt->dst_port == q->id.src_port ) {
788 dir = 0 ; /* reverse match */
789 goto found ;
790 }
791 }
792 next:
793 prev = q ;
794 q = q->next ;
795 }
796 return NULL ; /* clearly not found */
797 found:
798 if ( prev != NULL) { /* found and not in front */
799 prev->next = q->next ;
800 q->next = ipfw_dyn_v[i] ;
801 ipfw_dyn_v[i] = q ;
802 }
803 if (pkt->proto == IPPROTO_TCP) {
804 /* update state according to flags */
805 u_char flags = pkt->flags & (TH_FIN|TH_SYN|TH_RST);
806 q->state |= (dir == MATCH_FORWARD ) ? flags : (flags << 8);
807 switch (q->state) {
808 case TH_SYN :
809 /* opening */
810 q->expire = time_second + dyn_syn_lifetime ;
811 break ;
812 case TH_SYN | (TH_SYN << 8) :
813 /* move to established */
814 q->expire = time_second + dyn_ack_lifetime ;
815 break ;
816 case TH_SYN | (TH_SYN << 8) | TH_FIN :
817 case TH_SYN | (TH_SYN << 8) | (TH_FIN << 8) :
818 /* one side tries to close */
819 q->expire = time_second + dyn_ack_lifetime ;
820 break ;
821 case TH_SYN | (TH_SYN << 8) | TH_FIN | (TH_FIN << 8) :
822 /* both sides closed */
823 q->expire = time_second + dyn_fin_lifetime ;
824 break ;
825 default:
826 #if 0
827 /*
828 * reset or some invalid combination, but can also
829 * occur if we use keep-state the wrong way.
830 */
831 if ( (q->state & ((TH_RST << 8)|TH_RST)) == 0)
832 printf("invalid state: 0x%x\n", q->state);
833 #endif
834 q->expire = time_second + dyn_rst_lifetime ;
835 break ;
836 }
837 } else if (pkt->proto == IPPROTO_UDP) {
838 q->expire = time_second + dyn_udp_lifetime ;
839 } else {
840 /* other protocols */
841 q->expire = time_second + dyn_short_lifetime ;
842 }
843 if (match_direction)
844 *match_direction = dir ;
845 return q ;
846 }
847
848 /**
849 * Install state of type 'type' for a dynamic session.
850 * The hash table contains two type of rules:
851 * - regular rules (DYN_KEEP_STATE)
852 * - rules for sessions with limited number of sess per user
853 * (DYN_LIMIT). When they are created, the parent is
854 * increased by 1, and decreased on delete. In this case,
855 * the third parameter is the parent rule and not the chain.
856 * - "parent" rules for the above (DYN_LIMIT_PARENT).
857 */
858
859 static struct ipfw_dyn_rule *
860 add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
861 {
862 struct ipfw_dyn_rule *r ;
863
864 int i ;
865 if (ipfw_dyn_v == NULL ||
866 (dyn_count == 0 && dyn_buckets != curr_dyn_buckets)) {
867 /* try reallocation, make sure we have a power of 2 */
868 u_int32_t i = dyn_buckets ;
869 while ( i > 0 && (i & 1) == 0 )
870 i >>= 1 ;
871 if (i != 1) /* not a power of 2 */
872 dyn_buckets = curr_dyn_buckets ; /* reset */
873 else {
874 curr_dyn_buckets = dyn_buckets ;
875 if (ipfw_dyn_v != NULL)
876 free(ipfw_dyn_v, M_IPFW);
877 ipfw_dyn_v = malloc(curr_dyn_buckets * sizeof r,
878 M_IPFW, M_DONTWAIT | M_ZERO);
879 if (ipfw_dyn_v == NULL)
880 return NULL; /* failed ! */
881 }
882 }
883 i = hash_packet(id);
884
885 r = malloc(sizeof *r, M_IPFW, M_NOWAIT | M_ZERO);
886 if (r == NULL) {
887 printf ("sorry cannot allocate state\n");
888 return NULL ;
889 }
890
891 /* increase refcount on parent, and set pointer */
892 if (dyn_type == DYN_LIMIT) {
893 struct ipfw_dyn_rule *parent = (struct ipfw_dyn_rule *)rule;
894 if ( parent->dyn_type != DYN_LIMIT_PARENT)
895 panic("invalid parent");
896 parent->count++ ;
897 r->parent = parent ;
898 rule = parent->rule;
899 }
900
901 r->id = *id ;
902 r->expire = time_second + dyn_syn_lifetime ;
903 r->rule = rule ;
904 r->dyn_type = dyn_type ;
905 r->pcnt = r->bcnt = 0 ;
906 r->count = 0 ;
907
908 r->bucket = i ;
909 r->next = ipfw_dyn_v[i] ;
910 ipfw_dyn_v[i] = r ;
911 dyn_count++ ;
912 DEB(printf("-- add entry 0x%08x %d -> 0x%08x %d, total %d\n",
913 (r->id.src_ip), (r->id.src_port),
914 (r->id.dst_ip), (r->id.dst_port),
915 dyn_count ); )
916 return r;
917 }
918
919 /**
920 * lookup dynamic parent rule using pkt and rule as search keys.
921 * If the lookup fails, then install one.
922 */
923 static struct ipfw_dyn_rule *
924 lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule)
925 {
926 struct ipfw_dyn_rule *q;
927 int i;
928
929 if (ipfw_dyn_v) {
930 i = hash_packet( pkt );
931 for (q = ipfw_dyn_v[i] ; q != NULL ; q=q->next)
932 if (q->dyn_type == DYN_LIMIT_PARENT && rule == q->rule &&
933 pkt->proto == q->id.proto &&
934 pkt->src_ip == q->id.src_ip &&
935 pkt->dst_ip == q->id.dst_ip &&
936 pkt->src_port == q->id.src_port &&
937 pkt->dst_port == q->id.dst_port) {
938 q->expire = time_second + dyn_short_lifetime ;
939 DEB(printf("lookup_dyn_parent found 0x%p\n", q);)
940 return q;
941 }
942 }
943 return add_dyn_rule(pkt, DYN_LIMIT_PARENT, rule);
944 }
945
946 /*
947 * Install dynamic state.
948 * There are different types of dynamic rules which can be installed.
949 * The type is in rule->dyn_type.
950 * Type 0 (default) is a bidirectional rule
951 *
952 * Returns 1 (failure) if state is not installed because of errors or because
953 * session limitations are enforced.
954 */
955 static int
956 install_state(struct ip_fw *rule, struct ip_fw_args *args)
957 {
958 struct ipfw_dyn_rule *q ;
959 static int last_log ;
960
961 u_int8_t type = rule->dyn_type ;
962
963 DEB(printf("-- install state type %d 0x%08x %u -> 0x%08x %u\n",
964 type,
965 (args->f_id.src_ip), (args->f_id.src_port),
966 (args->f_id.dst_ip), (args->f_id.dst_port) );)
967
968 q = lookup_dyn_rule(&args->f_id, NULL) ;
969 if (q != NULL) { /* should never occur */
970 if (last_log != time_second) {
971 last_log = time_second ;
972 printf(" entry already present, done\n");
973 }
974 return 0 ;
975 }
976 if (dyn_count >= dyn_max) /* try remove old ones... */
977 EXPIRE_DYN_CHAINS();
978 if (dyn_count >= dyn_max) {
979 if (last_log != time_second) {
980 last_log = time_second ;
981 printf(" Too many dynamic rules, sorry\n");
982 }
983 return 1; /* cannot install, notify caller */
984 }
985
986 switch (type) {
987 case DYN_KEEP_STATE: /* bidir rule */
988 add_dyn_rule(&args->f_id, DYN_KEEP_STATE, rule);
989 break ;
990 case DYN_LIMIT: /* limit number of sessions */
991 {
992 u_int16_t limit_mask = rule->limit_mask ;
993 u_int16_t conn_limit = rule->conn_limit ;
994 struct ipfw_flow_id id;
995 struct ipfw_dyn_rule *parent;
996
997 DEB(printf("installing dyn-limit rule %d\n", conn_limit);)
998
999 id.dst_ip = id.src_ip = 0;
1000 id.dst_port = id.src_port = 0 ;
1001 id.proto = args->f_id.proto ;
1002
1003 if (limit_mask & DYN_SRC_ADDR)
1004 id.src_ip = args->f_id.src_ip;
1005 if (limit_mask & DYN_DST_ADDR)
1006 id.dst_ip = args->f_id.dst_ip;
1007 if (limit_mask & DYN_SRC_PORT)
1008 id.src_port = args->f_id.src_port;
1009 if (limit_mask & DYN_DST_PORT)
1010 id.dst_port = args->f_id.dst_port;
1011 parent = lookup_dyn_parent(&id, rule);
1012 if (parent == NULL) {
1013 printf("add parent failed\n");
1014 return 1;
1015 }
1016 if (parent->count >= conn_limit) {
1017 EXPIRE_DYN_CHAIN(rule); /* try to expire some */
1018 if (parent->count >= conn_limit) {
1019 printf("drop session, too many entries\n");
1020 return 1;
1021 }
1022 }
1023 add_dyn_rule(&args->f_id, DYN_LIMIT, (struct ip_fw *)parent);
1024 }
1025 break ;
1026 default:
1027 printf("unknown dynamic rule type %u\n", type);
1028 return 1 ;
1029 }
1030 lookup_dyn_rule(&args->f_id, NULL) ; /* XXX just set the lifetime */
1031 return 0;
1032 }
1033
1034 /*
1035 * given an ip_fw *, lookup_next_rule will return a pointer
1036 * of the same type to the next one. This can be either the jump
1037 * target (for skipto instructions) or the next one in the list (in
1038 * all other cases including a missing jump target).
1039 * Backward jumps are not allowed, so start looking from the next
1040 * rule...
1041 */
1042 static struct ip_fw * lookup_next_rule(struct ip_fw *me);
1043
1044 static struct ip_fw *
1045 lookup_next_rule(struct ip_fw *me)
1046 {
1047 struct ip_fw *rule ;
1048 int rulenum = me->fw_skipto_rule ; /* guess... */
1049
1050 if ( (me->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_SKIPTO )
1051 for (rule = LIST_NEXT(me,next); rule ; rule = LIST_NEXT(rule,next))
1052 if (rule->fw_number >= rulenum)
1053 return rule ;
1054 return LIST_NEXT(me,next) ; /* failure or not a skipto */
1055 }
1056
1057 /*
1058 * Parameters:
1059 *
1060 * *m The packet; we set to NULL when/if we nuke it.
1061 * oif Outgoing interface, or NULL if packet is incoming
1062 * *cookie Skip up to the first rule past this rule number;
1063 * upon return, non-zero port number for divert or tee.
1064 * Special case: cookie == NULL on input for bridging.
1065 * *flow_id pointer to the last matching rule (in/out)
1066 * *next_hop socket we are forwarding to (in/out).
1067 * For bridged packets, this is a pointer to the MAC header.
1068 *
1069 * Return value:
1070 *
1071 * IP_FW_PORT_DENY_FLAG the packet must be dropped.
1072 * 0 The packet is to be accepted and routed normally OR
1073 * the packet was denied/rejected and has been dropped;
1074 * in the latter case, *m is equal to NULL upon return.
1075 * port Divert the packet to port, with these caveats:
1076 *
1077 * - If IP_FW_PORT_TEE_FLAG is set, tee the packet instead
1078 * of diverting it (ie, 'ipfw tee').
1079 *
1080 * - If IP_FW_PORT_DYNT_FLAG is set, interpret the lower
1081 * 16 bits as a dummynet pipe number instead of diverting
1082 */
1083
1084 static int
1085 ip_fw_chk(struct ip_fw_args *args)
1086 #if 0 /* the old interface was this: */
1087 struct mbuf **m, struct ifnet *oif, u_int16_t *cookie,
1088 struct ip_fw **flow_id, struct sockaddr_in **next_hop)
1089 #endif
1090 {
1091 /*
1092 * grab things into variables to minimize diffs.
1093 * XXX this has to be cleaned up later.
1094 */
1095 struct mbuf **m = &(args->m);
1096 struct ifnet *oif = args->oif;
1097 u_int16_t *cookie = &(args->divert_rule);
1098 struct ip_fw **flow_id = &(args->rule);
1099 struct sockaddr_in **next_hop = &(args->next_hop);
1100
1101 struct ip_fw *f = NULL; /* matching rule */
1102 struct ip *ip = mtod(*m, struct ip *);
1103 struct ifnet *const rif = (*m)->m_pkthdr.rcvif;
1104 struct ifnet *tif;
1105 u_int hlen = ip->ip_hl << 2;
1106 struct ether_header * eh = NULL;
1107
1108 u_short ip_off=0, offset = 0 ;
1109 /* local copy of addresses for faster matching */
1110 u_short src_port = 0, dst_port = 0;
1111 struct in_addr src_ip, dst_ip;
1112 u_int8_t proto= 0, flags = 0;
1113
1114 u_int16_t skipto;
1115 u_int16_t ip_len=0;
1116
1117 int dyn_checked = 0 ; /* set after dyn.rules have been checked. */
1118 int direction = MATCH_FORWARD ; /* dirty trick... */
1119 struct ipfw_dyn_rule *q = NULL ;
1120
1121 #define BRIDGED (args->eh != NULL)
1122 if (BRIDGED) { /* this is a bridged packet */
1123 eh = args->eh;
1124 if ( (*m)->m_pkthdr.len >= sizeof(struct ip) &&
1125 ntohs(eh->ether_type) == ETHERTYPE_IP)
1126 hlen = ip->ip_hl << 2;
1127 } else
1128 hlen = ip->ip_hl << 2;
1129
1130 /* Grab and reset cookie */
1131 skipto = *cookie;
1132 *cookie = 0;
1133
1134 /*
1135 * Collect parameters into local variables for faster matching.
1136 */
1137 if (hlen > 0) { /* this is an IP packet */
1138 proto = ip->ip_p;
1139 src_ip = ip->ip_src;
1140 dst_ip = ip->ip_dst;
1141 if (BRIDGED) { /* bridged packets are as on the wire */
1142 ip_off = ntohs(ip->ip_off);
1143 ip_len = ntohs(ip->ip_len);
1144 } else {
1145 ip_off = ip->ip_off;
1146 ip_len = ip->ip_len;
1147 }
1148 offset = ip_off & IP_OFFMASK;
1149 if (offset == 0) {
1150
1151 #define PULLUP_TO(len) \
1152 do { \
1153 if ((*m)->m_len < (len)) { \
1154 *m = m_pullup(*m, (len)); \
1155 if (*m == 0) \
1156 goto bogusfrag; \
1157 ip = mtod(*m, struct ip *); \
1158 } \
1159 } while (0)
1160
1161 switch (proto) {
1162 case IPPROTO_TCP : {
1163 struct tcphdr *tcp;
1164
1165 PULLUP_TO(hlen + sizeof(struct tcphdr));
1166 tcp =(struct tcphdr *)((u_int32_t *)ip + ip->ip_hl);
1167 dst_port = tcp->th_dport ;
1168 src_port = tcp->th_sport ;
1169 flags = tcp->th_flags ;
1170 }
1171 break ;
1172
1173 case IPPROTO_UDP : {
1174 struct udphdr *udp;
1175
1176 PULLUP_TO(hlen + sizeof(struct udphdr));
1177 udp =(struct udphdr *)((u_int32_t *)ip + ip->ip_hl);
1178 dst_port = udp->uh_dport ;
1179 src_port = udp->uh_sport ;
1180 }
1181 break;
1182
1183 case IPPROTO_ICMP:
1184 PULLUP_TO(hlen + 4); /* type, code and checksum. */
1185 flags = ((struct icmp *)
1186 ((u_int32_t *)ip + ip->ip_hl))->icmp_type ;
1187 break ;
1188
1189 default :
1190 break;
1191 }
1192 #undef PULLUP_TO
1193 }
1194 }
1195 args->f_id.src_ip = ntohl(src_ip.s_addr);
1196 args->f_id.dst_ip = ntohl(dst_ip.s_addr);
1197 args->f_id.proto = proto;
1198 args->f_id.src_port = ntohs(src_port);
1199 args->f_id.dst_port = ntohs(dst_port);
1200 args->f_id.flags = flags;
1201
1202 if (*flow_id) {
1203 /*
1204 * Packet has already been tagged. Look for the next rule
1205 * to restart processing.
1206 */
1207 if (fw_one_pass) /* just accept if fw_one_pass is set */
1208 return 0;
1209
1210 f = (*flow_id)->next_rule_ptr ;
1211 if (f == NULL)
1212 f = (*flow_id)->next_rule_ptr = lookup_next_rule(*flow_id);
1213 if (f == NULL)
1214 goto dropit;
1215 } else {
1216 /*
1217 * Go down the list, looking for enlightment.
1218 * If we've been asked to start at a given rule, do so.
1219 */
1220 f = LIST_FIRST(&ip_fw_chain_head);
1221 if (skipto != 0) {
1222 if (skipto >= IPFW_DEFAULT_RULE)
1223 goto dropit;
1224 while (f && f->fw_number <= skipto)
1225 f = LIST_NEXT(f, next);
1226 if (f == NULL)
1227 goto dropit;
1228 }
1229 }
1230
1231 for (; f; f = LIST_NEXT(f, next)) {
1232 again:
1233 if (f->fw_number == IPFW_DEFAULT_RULE)
1234 goto got_match ;
1235
1236 /* Check if rule only valid for bridged packets */
1237 if ((f->fw_flg & IP_FW_BRIDGED) != 0 && !(BRIDGED))
1238 continue;
1239
1240 if (oif) {
1241 /* Check direction outbound */
1242 if (!(f->fw_flg & IP_FW_F_OUT))
1243 continue;
1244 } else {
1245 /* Check direction inbound */
1246 if (!(f->fw_flg & IP_FW_F_IN))
1247 continue;
1248 }
1249
1250 if (f->fw_flg & IP_FW_F_MAC) {
1251 u_int32_t *want, *mask, *hdr;
1252
1253 if (eh == NULL) /* header not available */
1254 continue;
1255
1256 want = (void *)&(f->fw_mac_hdr);
1257 mask = (void *)&(f->fw_mac_mask);
1258 hdr = (void *)eh;
1259
1260 if ( want[0] != (hdr[0] & mask[0]) )
1261 continue;
1262 if ( want[1] != (hdr[1] & mask[1]) )
1263 continue;
1264 if ( want[2] != (hdr[2] & mask[2]) )
1265 continue;
1266 if (f->fw_flg & IP_FW_F_SRNG) {
1267 u_int16_t type = ntohs(eh->ether_type);
1268 if (type < (u_int16_t)(f->fw_mac_type) ||
1269 type > (u_int16_t)(f->fw_mac_mask_type) )
1270 continue;
1271 } else {
1272 if ((u_int16_t)(f->fw_mac_type) != (eh->ether_type &
1273 (u_int16_t)(f->fw_mac_mask_type)) )
1274 continue;
1275 }
1276 }
1277
1278 /* Interface check */
1279 if ((f->fw_flg & IF_FW_F_VIAHACK) == IF_FW_F_VIAHACK) {
1280 struct ifnet *const iface = oif ? oif : rif;
1281
1282 /* Backwards compatibility hack for "via" */
1283 if (!iface || !iface_match(iface,
1284 &f->fw_in_if, f->fw_flg & IP_FW_F_OIFNAME))
1285 continue;
1286 } else {
1287 /* Check receive interface */
1288 if ((f->fw_flg & IP_FW_F_IIFACE)
1289 && (!rif || !iface_match(rif,
1290 &f->fw_in_if, f->fw_flg & IP_FW_F_IIFNAME)))
1291 continue;
1292 /* Check outgoing interface */
1293 if ((f->fw_flg & IP_FW_F_OIFACE)
1294 && (!oif || !iface_match(oif,
1295 &f->fw_out_if, f->fw_flg & IP_FW_F_OIFNAME)))
1296 continue;
1297 }
1298
1299 /*
1300 * For packets which matched the MAC check, we do not need
1301 * to continue, this is a valid match.
1302 * For not-ip packets, the rule does not apply.
1303 */
1304 if (f->fw_flg & IP_FW_F_MAC)
1305 goto rnd_then_got_match;
1306
1307 if (hlen == 0)
1308 continue;
1309
1310 /*
1311 * dynamic rules are checked at the first keep-state or
1312 * check-state occurrence.
1313 */
1314 if (f->fw_flg & (IP_FW_F_KEEP_S|IP_FW_F_CHECK_S) &&
1315 dyn_checked == 0 ) {
1316 dyn_checked = 1 ;
1317 q = lookup_dyn_rule(&args->f_id, &direction);
1318 if (q != NULL) {
1319 DEB(printf("-- dynamic match 0x%08x %d %s 0x%08x %d\n",
1320 (q->id.src_ip), (q->id.src_port),
1321 (direction == MATCH_FORWARD ? "-->" : "<--"),
1322 (q->id.dst_ip), (q->id.dst_port) ); )
1323 f = q->rule ;
1324 q->pcnt++ ;
1325 q->bcnt += ip_len;
1326 goto got_match ; /* random not allowed here */
1327 }
1328 /* if this was a check-only rule, continue with next */
1329 if (f->fw_flg & IP_FW_F_CHECK_S)
1330 continue ;
1331 }
1332
1333 /* Fragments */
1334 if ((f->fw_flg & IP_FW_F_FRAG) && offset == 0 )
1335 continue;
1336
1337 /*
1338 * For matching addresses, tif != NULL means we matched
1339 * the address we requested (either "me" or addr/mask).
1340 * Then the check for "xxx" or "not xxx" can be done
1341 * with an XOR.
1342 */
1343
1344 /* source address -- mandatory */
1345 if (f->fw_flg & IP_FW_F_SME) {
1346 INADDR_TO_IFP(src_ip, tif);
1347 } else
1348 (int)tif = f->fw_src.s_addr ==
1349 (src_ip.s_addr & f->fw_smsk.s_addr);
1350 if ( ((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ (tif == NULL) )
1351 continue;
1352
1353 /* dst address -- mandatory */
1354 if (f->fw_flg & IP_FW_F_DME) {
1355 INADDR_TO_IFP(dst_ip, tif);
1356 } else
1357 (int)tif = f->fw_dst.s_addr ==
1358 (dst_ip.s_addr & f->fw_dmsk.s_addr);
1359 if ( ((f->fw_flg & IP_FW_F_INVDST) != 0) ^ (tif == NULL) )
1360 continue;
1361
1362 /* Check IP header values */
1363 if (f->fw_ipflg & IP_FW_IF_IPOPT && !ipopts_match(ip, f))
1364 continue;
1365 if (f->fw_ipflg & IP_FW_IF_IPLEN && f->fw_iplen != ip_len)
1366 continue;
1367 if (f->fw_ipflg & IP_FW_IF_IPID && f->fw_ipid != ntohs(ip->ip_id))
1368 continue;
1369 if (f->fw_ipflg & IP_FW_IF_IPPRE &&
1370 (f->fw_iptos & 0xe0) != (ip->ip_tos & 0xe0))
1371 continue;
1372 if (f->fw_ipflg & IP_FW_IF_IPTOS && !iptos_match(ip, f))
1373 continue;
1374 if (f->fw_ipflg & IP_FW_IF_IPTTL && f->fw_ipttl != ip->ip_ttl)
1375 continue;
1376 if (f->fw_ipflg & IP_FW_IF_IPVER && f->fw_ipver != ip->ip_v)
1377 continue;
1378
1379 /* Check protocol; if wildcard, and no [ug]id, match */
1380 if (f->fw_prot == IPPROTO_IP) {
1381 if (!(f->fw_flg & (IP_FW_F_UID|IP_FW_F_GID)))
1382 goto rnd_then_got_match;
1383 } else
1384 /* If different, don't match */
1385 if (proto != f->fw_prot)
1386 continue;
1387
1388 /* Protocol specific checks for uid only */
1389 if (f->fw_flg & (IP_FW_F_UID|IP_FW_F_GID)) {
1390 switch (proto) {
1391 case IPPROTO_TCP:
1392 {
1393 struct inpcb *P;
1394
1395 if (offset == 1) /* cf. RFC 1858 */
1396 goto bogusfrag;
1397 if (offset != 0)
1398 continue;
1399
1400 if (oif)
1401 P = in_pcblookup_hash(&tcbinfo, dst_ip,
1402 dst_port, src_ip, src_port, 0,
1403 oif);
1404 else
1405 P = in_pcblookup_hash(&tcbinfo, src_ip,
1406 src_port, dst_ip, dst_port, 0,
1407 NULL);
1408
1409 if (P && P->inp_socket) {
1410 if (f->fw_flg & IP_FW_F_UID) {
1411 if (socheckuid(P->inp_socket, f->fw_uid))
1412 continue;
1413 } else if (!groupmember(f->fw_gid,
1414 P->inp_socket->so_cred))
1415 continue;
1416 } else
1417 continue;
1418 break;
1419 }
1420
1421 case IPPROTO_UDP:
1422 {
1423 struct inpcb *P;
1424
1425 if (offset != 0)
1426 continue;
1427
1428 if (oif)
1429 P = in_pcblookup_hash(&udbinfo, dst_ip,
1430 dst_port, src_ip, src_port, 1,
1431 oif);
1432 else
1433 P = in_pcblookup_hash(&udbinfo, src_ip,
1434 src_port, dst_ip, dst_port, 1,
1435 NULL);
1436
1437 if (P && P->inp_socket) {
1438 if (f->fw_flg & IP_FW_F_UID) {
1439 if (socheckuid(P->inp_socket, f->fw_uid))
1440 continue;
1441 } else if (!groupmember(f->fw_gid,
1442 P->inp_socket->so_cred))
1443 continue;
1444 } else
1445 continue;
1446 break;
1447 }
1448
1449 default:
1450 continue;
1451 }
1452 }
1453
1454 /* Protocol specific checks */
1455 switch (proto) {
1456 case IPPROTO_TCP:
1457 {
1458 struct tcphdr *tcp;
1459
1460 if (offset == 1) /* cf. RFC 1858 */
1461 goto bogusfrag;
1462 if (offset != 0) {
1463 /*
1464 * TCP flags and ports aren't available in this
1465 * packet -- if this rule specified either one,
1466 * we consider the rule a non-match.
1467 */
1468 if (IP_FW_HAVEPORTS(f) != 0 ||
1469 f->fw_ipflg & IP_FW_IF_TCPMSK)
1470 continue;
1471
1472 break;
1473 }
1474 tcp = (struct tcphdr *) ((u_int32_t *)ip + ip->ip_hl);
1475
1476 if (f->fw_ipflg & IP_FW_IF_TCPOPT && !tcpopts_match(tcp, f))
1477 continue;
1478 if (((f->fw_ipflg & IP_FW_IF_TCPFLG) ||
1479 (f->fw_ipflg & IP_FW_IF_TCPEST)) &&
1480 !tcpflg_match(tcp, f))
1481 continue;
1482 if (f->fw_ipflg & IP_FW_IF_TCPSEQ && tcp->th_seq != f->fw_tcpseq)
1483 continue;
1484 if (f->fw_ipflg & IP_FW_IF_TCPACK && tcp->th_ack != f->fw_tcpack)
1485 continue;
1486 if (f->fw_ipflg & IP_FW_IF_TCPWIN && tcp->th_win != f->fw_tcpwin)
1487 continue;
1488 goto check_ports;
1489 }
1490
1491 case IPPROTO_UDP:
1492 if (offset != 0) {
1493 /*
1494 * Port specification is unavailable -- if this
1495 * rule specifies a port, we consider the rule
1496 * a non-match.
1497 */
1498 if (IP_FW_HAVEPORTS(f) )
1499 continue;
1500
1501 break;
1502 }
1503 check_ports:
1504 if (!port_match(&f->fw_uar.fw_pts[0],
1505 IP_FW_GETNSRCP(f), ntohs(src_port),
1506 f->fw_flg & IP_FW_F_SRNG,
1507 f->fw_flg & IP_FW_F_SMSK))
1508 continue;
1509 if (!port_match(&f->fw_uar.fw_pts[IP_FW_GETNSRCP(f)],
1510 IP_FW_GETNDSTP(f), ntohs(dst_port),
1511 f->fw_flg & IP_FW_F_DRNG,
1512 f->fw_flg & IP_FW_F_DMSK))
1513 continue;
1514 break;
1515
1516 case IPPROTO_ICMP:
1517 {
1518 struct icmp *icmp;
1519
1520 if (offset != 0) /* Type isn't valid */
1521 break;
1522 icmp = (struct icmp *) ((u_int32_t *)ip + ip->ip_hl);
1523 if (!icmptype_match(icmp, f))
1524 continue;
1525 break;
1526 }
1527
1528 default:
1529 break;
1530
1531 bogusfrag:
1532 if (fw_verbose) {
1533 if (*m != NULL)
1534 ipfw_report(NULL, ip, ip_off, ip_len, rif, oif);
1535 else
1536 printf("pullup failed\n");
1537 }
1538 goto dropit;
1539
1540 }
1541
1542 rnd_then_got_match:
1543 if ( f->dont_match_prob && random() < f->dont_match_prob )
1544 continue ;
1545 got_match:
1546 /*
1547 * If not a dynamic match (q == NULL) and keep-state, install
1548 * a new dynamic entry.
1549 */
1550 if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S) {
1551 if (install_state(f, args)) /* error or limit violation */
1552 goto dropit;
1553 }
1554 /* Update statistics */
1555 f->fw_pcnt += 1;
1556 f->fw_bcnt += ip_len;
1557 f->timestamp = time_second;
1558
1559 /* Log to console if desired */
1560 if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose && hlen >0)
1561 ipfw_report(f, ip, ip_off, ip_len, rif, oif);
1562
1563 /* Take appropriate action */
1564 switch (f->fw_flg & IP_FW_F_COMMAND) {
1565 case IP_FW_F_ACCEPT:
1566 return(0);
1567 case IP_FW_F_COUNT:
1568 continue;
1569 #ifdef IPDIVERT
1570 case IP_FW_F_DIVERT:
1571 *cookie = f->fw_number;
1572 return(f->fw_divert_port);
1573 case IP_FW_F_TEE:
1574 *cookie = f->fw_number;
1575 return(f->fw_divert_port | IP_FW_PORT_TEE_FLAG);
1576 #endif
1577 case IP_FW_F_SKIPTO: /* XXX check */
1578 if (f->next_rule_ptr == NULL)
1579 f->next_rule_ptr = lookup_next_rule(f) ;
1580 f = f->next_rule_ptr;
1581 if (!f)
1582 goto dropit;
1583 goto again ;
1584
1585 case IP_FW_F_PIPE:
1586 case IP_FW_F_QUEUE:
1587 *flow_id = f; /* XXX set flow id */
1588 return(f->fw_pipe_nr | IP_FW_PORT_DYNT_FLAG);
1589
1590 case IP_FW_F_FWD:
1591 /* Change the next-hop address for this packet.
1592 * Initially we'll only worry about directly
1593 * reachable next-hop's, but ultimately
1594 * we will work out for next-hops that aren't
1595 * direct the route we would take for it. We
1596 * [cs]ould leave this latter problem to
1597 * ip_output.c. We hope to high [name the abode of
1598 * your favourite deity] that ip_output doesn't modify
1599 * the new value of next_hop (which is dst there)
1600 * XXX warning-- there is a dangerous reference here
1601 * from next_hop to a field within the rule. If the
1602 * rule is deleted, weird things might occur.
1603 */
1604 if (next_hop != NULL /* Make sure, first... */
1605 && (q == NULL || direction == MATCH_FORWARD) )
1606 *next_hop = &(f->fw_fwd_ip);
1607 return(0); /* Allow the packet */
1608
1609 }
1610
1611 /* Deny/reject this packet using this rule */
1612 break;
1613 }
1614
1615 /* Rule IPFW_DEFAULT_RULE should always be there and match */
1616 KASSERT(f != NULL, ("ip_fw: no chain"));
1617
1618 /*
1619 * At this point, we're going to drop the packet.
1620 * Send a reject notice if all of the following are true:
1621 *
1622 * - The packet matched a reject rule
1623 * - The packet is not an ICMP packet, or is an ICMP query packet
1624 * - The packet is not a multicast or broadcast packet
1625 */
1626 if ((f->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_REJECT
1627 && (proto != IPPROTO_ICMP || is_icmp_query(ip))
1628 && !((*m)->m_flags & (M_BCAST|M_MCAST))
1629 && !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
1630 /* Must convert to host order for icmp_error() etc. */
1631 if (BRIDGED) {
1632 ip->ip_len = ntohs(ip->ip_len);
1633 ip->ip_off = ntohs(ip->ip_off);
1634 }
1635 switch (f->fw_reject_code) {
1636 case IP_FW_REJECT_RST:
1637 {
1638 /* XXX warning, this code writes into the mbuf */
1639 struct tcphdr *const tcp =
1640 (struct tcphdr *) ((u_int32_t *)ip + ip->ip_hl);
1641 struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip;
1642
1643 if (offset != 0 || (tcp->th_flags & TH_RST))
1644 break;
1645 ti.ti_i = *((struct ipovly *) ip);
1646 ti.ti_t = *tcp;
1647 bcopy(&ti, ip, sizeof(ti));
1648 tip->ti_seq = ntohl(tip->ti_seq);
1649 tip->ti_ack = ntohl(tip->ti_ack);
1650 tip->ti_len = ip_len - hlen - (tip->ti_off << 2);
1651 if (tcp->th_flags & TH_ACK) {
1652 tcp_respond(NULL, (void *)ip, tcp, *m,
1653 (tcp_seq)0, tcp->th_ack, TH_RST);
1654 } else {
1655 if (tcp->th_flags & TH_SYN)
1656 tip->ti_len++;
1657 tcp_respond(NULL, (void *)ip, tcp, *m,
1658 tip->ti_seq + tip->ti_len,
1659 (tcp_seq)0, TH_RST|TH_ACK);
1660 }
1661 *m = NULL;
1662 break;
1663 }
1664 default: /* Send an ICMP unreachable using code */
1665 icmp_error(*m, ICMP_UNREACH,
1666 f->fw_reject_code, 0L, 0);
1667 *m = NULL;
1668 break;
1669 }
1670 }
1671
1672 dropit:
1673 /*
1674 * Finally, drop the packet.
1675 */
1676 return(IP_FW_PORT_DENY_FLAG);
1677 #undef BRIDGED
1678 }
1679
1680 /*
1681 * when a rule is added/deleted, zero the direct pointers within
1682 * all firewall rules. These will be reconstructed on the fly
1683 * as packets are matched.
1684 * Must be called at splimp().
1685 */
1686 static void
1687 flush_rule_ptrs()
1688 {
1689 struct ip_fw *fcp ;
1690
1691 LIST_FOREACH(fcp, &ip_fw_chain_head, next) {
1692 fcp->next_rule_ptr = NULL ;
1693 }
1694 }
1695
1696 static int
1697 add_entry(struct ip_fw_head *head, struct ip_fw *rule)
1698 {
1699 struct ip_fw *ftmp, *fcp, *fcpl;
1700 u_short nbr = 0;
1701 int s;
1702
1703 ftmp = malloc(sizeof *ftmp, M_IPFW, M_NOWAIT | M_ZERO);
1704 if (!ftmp)
1705 return (ENOSPC);
1706 bcopy(rule, ftmp, sizeof(*ftmp));
1707
1708 ftmp->fw_in_if.fu_via_if.name[FW_IFNLEN - 1] = '\0';
1709 ftmp->fw_pcnt = 0L;
1710 ftmp->fw_bcnt = 0L;
1711 ftmp->next_rule_ptr = NULL ;
1712 ftmp->pipe_ptr = NULL ;
1713
1714 s = splimp();
1715
1716 if (LIST_FIRST(head) == 0) {
1717 LIST_INSERT_HEAD(head, ftmp, next);
1718 goto done;
1719 }
1720
1721 /* If entry number is 0, find highest numbered rule and add 100 */
1722 if (ftmp->fw_number == 0) {
1723 LIST_FOREACH(fcp, head, next) {
1724 if (fcp->fw_number != IPFW_DEFAULT_RULE)
1725 nbr = fcp->fw_number;
1726 else
1727 break;
1728 }
1729 if (nbr < IPFW_DEFAULT_RULE - 100)
1730 nbr += 100;
1731 ftmp->fw_number = rule->fw_number = nbr;
1732 }
1733
1734 /* Got a valid number; now insert it, keeping the list ordered */
1735 fcpl = NULL ;
1736 LIST_FOREACH(fcp, head, next) {
1737 if (fcp->fw_number > ftmp->fw_number) {
1738 if (fcpl) {
1739 LIST_INSERT_AFTER(fcpl, ftmp, next);
1740 } else {
1741 LIST_INSERT_HEAD(head, ftmp, next);
1742 }
1743 break;
1744 } else {
1745 fcpl = fcp;
1746 }
1747 }
1748 flush_rule_ptrs();
1749 done:
1750 static_count++;
1751 splx(s);
1752 DEB(printf("++ installed rule %d, static count now %d\n",
1753 ftmp->fw_number, static_count);)
1754 return (0);
1755 }
1756
1757 /**
1758 * free storage associated with a static rule entry (including
1759 * dependent dynamic rules), and zeroes rule pointers to avoid
1760 * dangling pointer dereferences.
1761 * @return a pointer to the next entry.
1762 * Must be called at splimp() and with a non-null argument.
1763 */
1764 static struct ip_fw *
1765 free_chain(struct ip_fw *fcp)
1766 {
1767 struct ip_fw *n;
1768
1769 n = LIST_NEXT(fcp, next);
1770 DELETE_DYN_CHAIN(fcp);
1771 LIST_REMOVE(fcp, next);
1772 static_count--;
1773 if (DUMMYNET_LOADED)
1774 ip_dn_ruledel_ptr(fcp) ;
1775 flush_rule_ptrs(); /* more efficient to do outside the loop */
1776 free(fcp, M_IPFW);
1777 return n;
1778 }
1779
1780 /**
1781 * remove all rules with given number.
1782 */
1783 static int
1784 del_entry(struct ip_fw_head *chainptr, u_short number)
1785 {
1786 struct ip_fw *rule;
1787
1788 if (number != IPFW_DEFAULT_RULE) {
1789 LIST_FOREACH(rule, chainptr, next) {
1790 if (rule->fw_number == number) {
1791 int s ;
1792
1793 s = splimp(); /* prevent access to rules while removing */
1794 while (rule && rule->fw_number == number)
1795 rule = free_chain(rule);
1796 /* XXX could move flush_rule_ptrs() here */
1797 splx(s);
1798 return 0 ;
1799 }
1800 }
1801 }
1802 return (EINVAL);
1803 }
1804
1805 /**
1806 * Reset some or all counters on firewall rules.
1807 * @arg frwl is null to clear all entries, or contains a specific
1808 * rule number.
1809 * @arg log_only is 1 if we only want to reset logs, zero otherwise.
1810 */
1811
1812 static int
1813 zero_entry(struct ip_fw *frwl, int log_only)
1814 {
1815 struct ip_fw *rule;
1816 int s;
1817 u_short number = 0 ;
1818 char *msg ;
1819
1820 if (frwl == 0) {
1821 s = splimp();
1822 LIST_FOREACH(rule, &ip_fw_chain_head, next) {
1823 if (log_only == 0) {
1824 rule->fw_bcnt = rule->fw_pcnt = 0;
1825 rule->timestamp = 0;
1826 }
1827 rule->fw_loghighest = rule->fw_pcnt+rule->fw_logamount;
1828 }
1829 splx(s);
1830 msg = log_only ? "ipfw: All logging counts cleared.\n" :
1831 "ipfw: Accounting cleared.\n";
1832 } else {
1833 int cleared = 0;
1834 number = frwl->fw_number ;
1835 /*
1836 * It is possible to insert multiple chain entries with the
1837 * same number, so we don't stop after finding the first
1838 * match if zeroing a specific entry.
1839 */
1840 LIST_FOREACH(rule, &ip_fw_chain_head, next)
1841 if (number == rule->fw_number) {
1842 s = splimp();
1843 while (rule && number == rule->fw_number) {
1844 if (log_only == 0) {
1845 rule->fw_bcnt = rule->fw_pcnt = 0;
1846 rule->timestamp = 0;
1847 }
1848 rule->fw_loghighest = rule->fw_pcnt+ rule->fw_logamount;
1849 rule = LIST_NEXT(rule, next);
1850 }
1851 splx(s);
1852 cleared = 1;
1853 break;
1854 }
1855 if (!cleared) /* we did not find any matching rules */
1856 return (EINVAL);
1857 msg = log_only ? "ipfw: Entry %d logging count reset.\n" :
1858 "ipfw: Entry %d cleared.\n";
1859 }
1860 if (fw_verbose)
1861 log(LOG_SECURITY | LOG_NOTICE, msg, number);
1862 return (0);
1863 }
1864
1865 static int
1866 check_ipfw_struct(struct ip_fw *frwl)
1867 {
1868 /* Check for invalid flag bits */
1869 if ((frwl->fw_flg & ~IP_FW_F_MASK) != 0) {
1870 dprintf(("%s undefined flag bits set (flags=%x)\n",
1871 err_prefix, frwl->fw_flg));
1872 return (EINVAL);
1873 }
1874 if ( (frwl->fw_flg & IP_FW_F_MAC) ) { /* match MAC address */
1875 return 0;
1876 }
1877 if (frwl->fw_flg == IP_FW_F_CHECK_S) {
1878 /* check-state */
1879 return 0 ;
1880 }
1881 /* Must apply to incoming or outgoing (or both) */
1882 if (!(frwl->fw_flg & (IP_FW_F_IN | IP_FW_F_OUT))) {
1883 dprintf(("%s neither in nor out\n", err_prefix));
1884 return (EINVAL);
1885 }
1886 /* Empty interface name is no good */
1887 if (((frwl->fw_flg & IP_FW_F_IIFNAME)
1888 && !*frwl->fw_in_if.fu_via_if.name)
1889 || ((frwl->fw_flg & IP_FW_F_OIFNAME)
1890 && !*frwl->fw_out_if.fu_via_if.name)) {
1891 dprintf(("%s empty interface name\n", err_prefix));
1892 return (EINVAL);
1893 }
1894 /* Sanity check interface matching */
1895 if ((frwl->fw_flg & IF_FW_F_VIAHACK) == IF_FW_F_VIAHACK) {
1896 ; /* allow "via" backwards compatibility */
1897 } else if ((frwl->fw_flg & IP_FW_F_IN)
1898 && (frwl->fw_flg & IP_FW_F_OIFACE)) {
1899 dprintf(("%s outgoing interface check on incoming\n",
1900 err_prefix));
1901 return (EINVAL);
1902 }
1903 /* Sanity check port ranges */
1904 if ((frwl->fw_flg & IP_FW_F_SRNG) && IP_FW_GETNSRCP(frwl) < 2) {
1905 dprintf(("%s src range set but n_src_p=%d\n",
1906 err_prefix, IP_FW_GETNSRCP(frwl)));
1907 return (EINVAL);
1908 }
1909 if ((frwl->fw_flg & IP_FW_F_DRNG) && IP_FW_GETNDSTP(frwl) < 2) {
1910 dprintf(("%s dst range set but n_dst_p=%d\n",
1911 err_prefix, IP_FW_GETNDSTP(frwl)));
1912 return (EINVAL);
1913 }
1914 if (IP_FW_GETNSRCP(frwl) + IP_FW_GETNDSTP(frwl) > IP_FW_MAX_PORTS) {
1915 dprintf(("%s too many ports (%d+%d)\n",
1916 err_prefix, IP_FW_GETNSRCP(frwl), IP_FW_GETNDSTP(frwl)));
1917 return (EINVAL);
1918 }
1919 /*
1920 * Protocols other than TCP/UDP don't use port range
1921 */
1922 if ((frwl->fw_prot != IPPROTO_TCP) &&
1923 (frwl->fw_prot != IPPROTO_UDP) &&
1924 (IP_FW_GETNSRCP(frwl) || IP_FW_GETNDSTP(frwl))) {
1925 dprintf(("%s port(s) specified for non TCP/UDP rule\n",
1926 err_prefix));
1927 return (EINVAL);
1928 }
1929
1930 /*
1931 * Rather than modify the entry to make such entries work,
1932 * we reject this rule and require user level utilities
1933 * to enforce whatever policy they deem appropriate.
1934 */
1935 if ((frwl->fw_src.s_addr & (~frwl->fw_smsk.s_addr)) ||
1936 (frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) {
1937 dprintf(("%s rule never matches\n", err_prefix));
1938 return (EINVAL);
1939 }
1940
1941 if ((frwl->fw_flg & IP_FW_F_FRAG) &&
1942 (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) {
1943 if (IP_FW_HAVEPORTS(frwl)) {
1944 dprintf(("%s cannot mix 'frag' and ports\n", err_prefix));
1945 return (EINVAL);
1946 }
1947 if (frwl->fw_prot == IPPROTO_TCP &&
1948 frwl->fw_tcpf != frwl->fw_tcpnf) {
1949 dprintf(("%s cannot mix 'frag' and TCP flags\n", err_prefix));
1950 return (EINVAL);
1951 }
1952 }
1953
1954 if (frwl->fw_flg & (IP_FW_F_UID | IP_FW_F_GID)) {
1955 if ((frwl->fw_prot != IPPROTO_TCP) &&
1956 (frwl->fw_prot != IPPROTO_UDP) &&
1957 (frwl->fw_prot != IPPROTO_IP)) {
1958 dprintf(("%s cannot use uid/gid logic on non-TCP/UDP\n", err_prefix));
1959 return (EINVAL);
1960 }
1961 }
1962
1963 /* Check command specific stuff */
1964 switch (frwl->fw_flg & IP_FW_F_COMMAND) {
1965 case IP_FW_F_REJECT:
1966 if (frwl->fw_reject_code >= 0x100
1967 && !(frwl->fw_prot == IPPROTO_TCP
1968 && frwl->fw_reject_code == IP_FW_REJECT_RST)) {
1969 dprintf(("%s unknown reject code\n", err_prefix));
1970 return (EINVAL);
1971 }
1972 break;
1973 #ifdef IPDIVERT
1974 case IP_FW_F_DIVERT: /* Diverting to port zero is invalid */
1975 case IP_FW_F_TEE:
1976 #endif
1977 case IP_FW_F_PIPE: /* pipe 0 is invalid */
1978 case IP_FW_F_QUEUE: /* queue 0 is invalid */
1979 if (frwl->fw_divert_port == 0) {
1980 dprintf(("%s 0 is an invalid argument\n", err_prefix));
1981 return (EINVAL);
1982 }
1983 break;
1984 case IP_FW_F_DENY:
1985 case IP_FW_F_ACCEPT:
1986 case IP_FW_F_COUNT:
1987 case IP_FW_F_SKIPTO:
1988 case IP_FW_F_FWD:
1989 break;
1990 default:
1991 dprintf(("%s invalid command\n", err_prefix));
1992 return (EINVAL);
1993 }
1994
1995 return 0;
1996 }
1997
1998 static int
1999 ip_fw_ctl(struct sockopt *sopt)
2000 {
2001 int error, s;
2002 size_t size;
2003 struct ip_fw *fcp;
2004 struct ip_fw frwl, *bp , *buf;
2005
2006 /*
2007 * Disallow modifications in really-really secure mode, but still allow
2008 * the logging counters to be reset.
2009 */
2010 if (sopt->sopt_name == IP_FW_ADD ||
2011 (sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)) {
2012 error = securelevel_ge(sopt->sopt_td->td_ucred, 3);
2013 if (error)
2014 return (error);
2015 }
2016
2017 error = 0;
2018
2019 switch (sopt->sopt_name) {
2020 case IP_FW_GET:
2021 /*
2022 * pass up a copy of the current rules. Static rules
2023 * come first (the last of which has number 65535),
2024 * followed by a possibly empty list of dynamic rule.
2025 * The last dynamic rule has NULL in the "next" field.
2026 */
2027 s = splimp();
2028 /* size of static rules */
2029 size = static_count * sizeof(struct ip_fw) ;
2030 if (ipfw_dyn_v) /* add size of dyn.rules */
2031 size += (dyn_count * sizeof(struct ipfw_dyn_rule));
2032
2033 /*
2034 * XXX todo: if the user passes a short length to know how
2035 * much room is needed, do not
2036 * bother filling up the buffer, just jump to the
2037 * sooptcopyout.
2038 */
2039 buf = malloc(size, M_TEMP, M_WAITOK);
2040 if (buf == 0) {
2041 splx(s);
2042 error = ENOBUFS;
2043 break;
2044 }
2045
2046 bp = buf ;
2047 LIST_FOREACH(fcp, &ip_fw_chain_head, next) {
2048 bcopy(fcp, bp, sizeof *fcp);
2049 bp++;
2050 }
2051 if (ipfw_dyn_v) {
2052 int i ;
2053 struct ipfw_dyn_rule *p, *dst, *last = NULL ;
2054
2055 dst = (struct ipfw_dyn_rule *)bp ;
2056 for (i = 0 ; i < curr_dyn_buckets ; i++ )
2057 for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next, dst++ ) {
2058 bcopy(p, dst, sizeof *p);
2059 (int)dst->rule = p->rule->fw_number ;
2060 /*
2061 * store a non-null value in "next". The userland
2062 * code will interpret a NULL here as a marker
2063 * for the last dynamic rule.
2064 */
2065 dst->next = dst ;
2066 last = dst ;
2067 if (TIME_LEQ(dst->expire, time_second) )
2068 dst->expire = 0 ;
2069 else
2070 dst->expire -= time_second ;
2071 }
2072 if (last != NULL)
2073 last->next = NULL ; /* mark last dynamic rule */
2074 }
2075 splx(s);
2076
2077 error = sooptcopyout(sopt, buf, size);
2078 free(buf, M_TEMP);
2079 break;
2080
2081 case IP_FW_FLUSH:
2082 /*
2083 * Normally we cannot release the lock on each iteration.
2084 * We could do it here only because we start from the head all
2085 * the times so there is no risk of missing some entries.
2086 * On the other hand, the risk is that we end up with
2087 * a very inconsistent ruleset, so better keep the lock
2088 * around the whole cycle.
2089 *
2090 * XXX this code can be improved by resetting the head of
2091 * the list to point to the default rule, and then freeing
2092 * the old list without the need for a lock.
2093 */
2094
2095 s = splimp();
2096 while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) &&
2097 fcp->fw_number != IPFW_DEFAULT_RULE )
2098 free_chain(fcp);
2099 splx(s);
2100 break;
2101
2102 case IP_FW_ADD:
2103 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2104 if (error || (error = check_ipfw_struct(&frwl)))
2105 break;
2106
2107 if (frwl.fw_number == IPFW_DEFAULT_RULE) {
2108 dprintf(("%s can't add rule %u\n", err_prefix,
2109 (unsigned)IPFW_DEFAULT_RULE));
2110 error = EINVAL;
2111 } else {
2112 error = add_entry(&ip_fw_chain_head, &frwl);
2113 if (!error && sopt->sopt_dir == SOPT_GET)
2114 error = sooptcopyout(sopt, &frwl, sizeof frwl);
2115 }
2116 break;
2117
2118 case IP_FW_DEL:
2119 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2120 if (error)
2121 break;
2122
2123 if (frwl.fw_number == IPFW_DEFAULT_RULE) {
2124 dprintf(("%s can't delete rule %u\n", err_prefix,
2125 (unsigned)IPFW_DEFAULT_RULE));
2126 error = EINVAL;
2127 } else {
2128 error = del_entry(&ip_fw_chain_head, frwl.fw_number);
2129 }
2130 break;
2131
2132 case IP_FW_ZERO:
2133 case IP_FW_RESETLOG:
2134 {
2135 int cmd = (sopt->sopt_name == IP_FW_RESETLOG );
2136 void *arg = NULL ;
2137
2138 if (sopt->sopt_val != 0) {
2139 error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
2140 if (error)
2141 break;
2142 arg = &frwl ;
2143 }
2144 error = zero_entry(arg, cmd);
2145 }
2146 break;
2147
2148 default:
2149 printf("ip_fw_ctl invalid option %d\n", sopt->sopt_name);
2150 error = EINVAL ;
2151 }
2152
2153 return (error);
2154 }
2155
2156 /**
2157 * dummynet needs a reference to the default rule, because rules can
2158 * be deleted while packets hold a reference to them (e.g. to resume
2159 * processing at the next rule). When this happens, dummynet changes
2160 * the reference to the default rule (probably it could well be a
2161 * NULL pointer, but this way we do not need to check for the special
2162 * case, plus here he have info on the default behaviour.
2163 */
2164 struct ip_fw *ip_fw_default_rule ;
2165
2166 void
2167 ip_fw_init(void)
2168 {
2169 struct ip_fw default_rule;
2170
2171 ip_fw_chk_ptr = ip_fw_chk;
2172 ip_fw_ctl_ptr = ip_fw_ctl;
2173 LIST_INIT(&ip_fw_chain_head);
2174
2175 bzero(&default_rule, sizeof default_rule);
2176 default_rule.fw_prot = IPPROTO_IP;
2177 default_rule.fw_number = IPFW_DEFAULT_RULE;
2178 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
2179 default_rule.fw_flg |= IP_FW_F_ACCEPT;
2180 #else
2181 default_rule.fw_flg |= IP_FW_F_DENY;
2182 #endif
2183 default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
2184 if (check_ipfw_struct(&default_rule) != 0 ||
2185 add_entry(&ip_fw_chain_head, &default_rule))
2186 panic("ip_fw_init");
2187
2188 ip_fw_default_rule = LIST_FIRST(&ip_fw_chain_head) ;
2189 printf("IP packet filtering initialized, "
2190 #ifdef IPDIVERT
2191 "divert enabled, "
2192 #else
2193 "divert disabled, "
2194 #endif
2195 "rule-based forwarding enabled, "
2196 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
2197 "default to accept, ");
2198 #else
2199 "default to deny, " );
2200 #endif
2201 #ifndef IPFIREWALL_VERBOSE
2202 printf("logging disabled\n");
2203 #else
2204 if (fw_verbose_limit == 0)
2205 printf("unlimited logging\n");
2206 else
2207 printf("logging limited to %d packets/entry by default\n",
2208 fw_verbose_limit);
2209 #endif
2210 }
2211
2212 static int
2213 ipfw_modevent(module_t mod, int type, void *unused)
2214 {
2215 int s;
2216 int err = 0 ;
2217 #if defined(KLD_MODULE)
2218 struct ip_fw *fcp;
2219 #endif
2220
2221 switch (type) {
2222 case MOD_LOAD:
2223 s = splimp();
2224 if (IPFW_LOADED) {
2225 splx(s);
2226 printf("IP firewall already loaded\n");
2227 err = EEXIST ;
2228 } else {
2229 ip_fw_init();
2230 splx(s);
2231 }
2232 break ;
2233 case MOD_UNLOAD:
2234 #if !defined(KLD_MODULE)
2235 printf("ipfw statically compiled, cannot unload\n");
2236 err = EBUSY;
2237 #else
2238 s = splimp();
2239 ip_fw_chk_ptr = NULL ;
2240 ip_fw_ctl_ptr = NULL ;
2241 while ( (fcp = LIST_FIRST(&ip_fw_chain_head)) != NULL)
2242 free_chain(fcp);
2243 splx(s);
2244 printf("IP firewall unloaded\n");
2245 #endif
2246 break;
2247 default:
2248 break;
2249 }
2250 return err;
2251 }
2252
2253 static moduledata_t ipfwmod = {
2254 "ipfw",
2255 ipfw_modevent,
2256 0
2257 };
2258 DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PSEUDO, SI_ORDER_ANY);
2259 MODULE_VERSION(ipfw, 1);
Cache object: a5f7cf9ec4f1a6fd297f9bf18b9eab9f
|