[dragonfly.git] / sys / netgraph7 / ng_ipfw.c

/*-
 * Copyright 2005, Gleb Smirnoff <glebius@FreeBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: src/sys/netgraph/ng_ipfw.c,v 1.9 2006/02/14 15:22:24 ru Exp $
 * $DragonFly: src/sys/netgraph7/ng_ipfw.c,v 1.2 2008/06/26 23:05:35 dillon Exp $
 */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/mbuf.h>
#include <sys/malloc.h>
#include <sys/ctype.h>
#include <sys/errno.h>
#include <sys/socket.h>
#include <sys/syslog.h>

#include <net/if.h>

#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/in_var.h>
#include <netinet/ip_fw.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>

#include "ng_message.h"
#include "ng_parse.h"
#include "ng_ipfw.h"
#include "netgraph.h"

static int		ng_ipfw_mod_event(module_t mod, int event, void *data);
static ng_constructor_t	ng_ipfw_constructor;
static ng_shutdown_t	ng_ipfw_shutdown;
static ng_newhook_t	ng_ipfw_newhook;
static ng_connect_t	ng_ipfw_connect;
static ng_findhook_t	ng_ipfw_findhook;
static ng_rcvdata_t	ng_ipfw_rcvdata;
static ng_disconnect_t	ng_ipfw_disconnect;

static hook_p		ng_ipfw_findhook1(node_p, u_int16_t );
static int		ng_ipfw_input(struct mbuf **, int, struct ip_fw_args *,
			    int);

/* We have only one node */
static node_p	fw_node;

/* Netgraph node type descriptor */
static struct ng_type ng_ipfw_typestruct = {
	.version =	NG_ABI_VERSION,
	.name =		NG_IPFW_NODE_TYPE,
	.mod_event =	ng_ipfw_mod_event,
	.constructor =	ng_ipfw_constructor,
	.shutdown =	ng_ipfw_shutdown,
	.newhook =	ng_ipfw_newhook,
	.connect =	ng_ipfw_connect,
	.findhook =	ng_ipfw_findhook,
	.rcvdata =	ng_ipfw_rcvdata,
	.disconnect =	ng_ipfw_disconnect,
};
NETGRAPH_INIT(ipfw, &ng_ipfw_typestruct);
MODULE_DEPEND(ng_ipfw, ipfw, 2, 2, 2);

/* Information we store for each hook */
struct ng_ipfw_hook_priv {
        hook_p		hook;
	u_int16_t	rulenum;
};
typedef struct ng_ipfw_hook_priv *hpriv_p;

static int
ng_ipfw_mod_event(module_t mod, int event, void *data)
{
	int error = 0;

	switch (event) {
	case MOD_LOAD:

		if (ng_ipfw_input_p != NULL) {
			error = EEXIST;
			break;
		}

		/* Setup node without any private data */
		if ((error = ng_make_node_common(&ng_ipfw_typestruct, &fw_node))
		    != 0) {
			log(LOG_ERR, "%s: can't create ng_ipfw node", __func__);
                	break;
		};

		/* Try to name node */
		if (ng_name_node(fw_node, "ipfw") != 0)
			log(LOG_WARNING, "%s: failed to name node \"ipfw\"",
			    __func__);

		/* Register hook */
		ng_ipfw_input_p = ng_ipfw_input;
		break;

	case MOD_UNLOAD:
		 /*
		  * This won't happen if a node exists.
		  * ng_ipfw_input_p is already cleared.
		  */
		break;

	default:
		error = EOPNOTSUPP;
		break;
	}

	return (error);
}

static int
ng_ipfw_constructor(node_p node)
{
	return (EINVAL);	/* Only one node */
}

static int
ng_ipfw_newhook(node_p node, hook_p hook, const char *name)
{
	hpriv_p	hpriv;
	u_int16_t rulenum;
	const char *cp;
	char *endptr;

	/* Protect from leading zero */
	if (name[0] == '0' && name[1] != '\0')
		return (EINVAL);

	/* Check that name contains only digits */
	for (cp = name; *cp != '\0'; cp++)
		if (!isdigit(*cp))
			return (EINVAL);

	/* Convert it to integer */
	rulenum = (u_int16_t)strtol(name, &endptr, 10);
	if (*endptr != '\0')
		return (EINVAL);

	/* Allocate memory for this hook's private data */
	hpriv = kmalloc(sizeof(*hpriv), M_NETGRAPH,
			M_WAITOK | M_NULLOK | M_ZERO);
	if (hpriv== NULL)
		return (ENOMEM);

	hpriv->hook = hook;
	hpriv->rulenum = rulenum;

	NG_HOOK_SET_PRIVATE(hook, hpriv);

	return(0);
}

/*
 * Set hooks into queueing mode, to avoid recursion between
 * netgraph layer and ip_{input,output}.
 */
static int
ng_ipfw_connect(hook_p hook)
{
	NG_HOOK_FORCE_QUEUE(hook);
	return (0);
}

/* Look up hook by name */
hook_p
ng_ipfw_findhook(node_p node, const char *name)
{
	u_int16_t n;	/* numeric representation of hook */
	char *endptr;

	n = (u_int16_t)strtol(name, &endptr, 10);
	if (*endptr != '\0')
		return NULL;
	return ng_ipfw_findhook1(node, n);
}

/* Look up hook by rule number */
static hook_p
ng_ipfw_findhook1(node_p node, u_int16_t rulenum)
{
	hook_p	hook;
	hpriv_p	hpriv;

	LIST_FOREACH(hook, &node->nd_hooks, hk_hooks) {
		hpriv = NG_HOOK_PRIVATE(hook);
		if (NG_HOOK_IS_VALID(hook) && (hpriv->rulenum == rulenum))
                        return (hook);
	}

	return (NULL);
}


static int
ng_ipfw_rcvdata(hook_p hook, item_p item)
{
	struct ng_ipfw_tag	*ngit;
	struct mbuf *m;

	NGI_GET_M(item, m);
	NG_FREE_ITEM(item);

	if ((ngit = (struct ng_ipfw_tag *)m_tag_locate(m, NGM_IPFW_COOKIE, 0,
	    NULL)) == NULL) {
		NG_FREE_M(m);
		return (EINVAL);	/* XXX: find smth better */
	};

	switch (ngit->dir) {
	case NG_IPFW_OUT:
	    {
		struct ip *ip;

		if (m->m_len < sizeof(struct ip) &&
		    (m = m_pullup(m, sizeof(struct ip))) == NULL)
			return (EINVAL);

		ip = mtod(m, struct ip *);

		ip->ip_len = ntohs(ip->ip_len);
		ip->ip_off = ntohs(ip->ip_off);

		return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
	    }
	case NG_IPFW_IN:
		ip_input(m);
		return (0);
	default:
		panic("ng_ipfw_rcvdata: bad dir %u", ngit->dir);
	}	

	/* not reached */
	return (0);
}

static int
ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee)
{
	struct mbuf *m;
	struct ng_ipfw_tag *ngit;
	struct ip *ip;
	hook_p	hook;
	int error = 0;

	/*
	 * Node must be loaded and corresponding hook must be present.
	 */
	if (fw_node == NULL || 
	   (hook = ng_ipfw_findhook1(fw_node, fwa->cookie)) == NULL) {
		if (tee == 0)
			m_freem(*m0);
		return (ESRCH);		/* no hook associated with this rule */
	}

	/*
	 * We have two modes: in normal mode we add a tag to packet, which is
	 * important to return packet back to IP stack. In tee mode we make
	 * a copy of a packet and forward it into netgraph without a tag.
	 */
	if (tee == 0) {
		m = *m0;
		*m0 = NULL;	/* it belongs now to netgraph */

		if ((ngit = (struct ng_ipfw_tag *)m_tag_alloc(NGM_IPFW_COOKIE,
		    0, TAGSIZ, MB_DONTWAIT)) == NULL) {
			m_freem(m);
			return (ENOMEM);
		}
		ngit->rule = fwa->rule;
		ngit->dir = dir;
		ngit->ifp = fwa->oif;
		m_tag_prepend(m, &ngit->mt);

	} else
		if ((m = m_dup(*m0, MB_DONTWAIT)) == NULL)
			return (ENOMEM);	/* which is ignored */

	if (m->m_len < sizeof(struct ip) &&
	    (m = m_pullup(m, sizeof(struct ip))) == NULL)
		return (EINVAL);

	ip = mtod(m, struct ip *);
	ip->ip_len = htons(ip->ip_len);
	ip->ip_off = htons(ip->ip_off);

	NG_SEND_DATA_ONLY(error, hook, m);

	return (error);
}

static int
ng_ipfw_shutdown(node_p node)
{

	/*
	 * After our single node has been removed,
	 * the only thing that can be done is
	 * 'kldunload ng_ipfw.ko'
	 */
	ng_ipfw_input_p = NULL;
	NG_NODE_UNREF(node);
	return (0);
}

static int
ng_ipfw_disconnect(hook_p hook)
{
	const hpriv_p hpriv = NG_HOOK_PRIVATE(hook);

	kfree(hpriv, M_NETGRAPH);
	NG_HOOK_SET_PRIVATE(hook, NULL);

	return (0);
}
Commit	Line	Data
b06ebda0 MD	1	/*-
	2	* Copyright 2005, Gleb Smirnoff <glebius@FreeBSD.org>
	3	* All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	* 2. Redistributions in binary form must reproduce the above copyright
	11	* notice, this list of conditions and the following disclaimer in the
	12	* documentation and/or other materials provided with the distribution.
	13	*
	14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
	15	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	16	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	17	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	18	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	19	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	20	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	21	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	22	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	23	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	24	* SUCH DAMAGE.
	25	*
	26	* $FreeBSD: src/sys/netgraph/ng_ipfw.c,v 1.9 2006/02/14 15:22:24 ru Exp $
5a975a3d	27	* $DragonFly: src/sys/netgraph7/ng_ipfw.c,v 1.2 2008/06/26 23:05:35 dillon Exp $
b06ebda0 MD	28	*/
	29
	30	#include <sys/param.h>
	31	#include <sys/systm.h>
	32	#include <sys/kernel.h>
	33	#include <sys/mbuf.h>
	34	#include <sys/malloc.h>
	35	#include <sys/ctype.h>
	36	#include <sys/errno.h>
	37	#include <sys/socket.h>
	38	#include <sys/syslog.h>
	39
	40	#include <net/if.h>
	41
	42	#include <netinet/in.h>
	43	#include <netinet/in_systm.h>
	44	#include <netinet/in_var.h>
	45	#include <netinet/ip_fw.h>
	46	#include <netinet/ip.h>
	47	#include <netinet/ip_var.h>
	48
5a975a3d MD	49	#include "ng_message.h"
	50	#include "ng_parse.h"
	51	#include "ng_ipfw.h"
	52	#include "netgraph.h"
b06ebda0 MD	53
	54	static int ng_ipfw_mod_event(module_t mod, int event, void *data);
	55	static ng_constructor_t ng_ipfw_constructor;
	56	static ng_shutdown_t ng_ipfw_shutdown;
	57	static ng_newhook_t ng_ipfw_newhook;
	58	static ng_connect_t ng_ipfw_connect;
	59	static ng_findhook_t ng_ipfw_findhook;
	60	static ng_rcvdata_t ng_ipfw_rcvdata;
	61	static ng_disconnect_t ng_ipfw_disconnect;
	62
	63	static hook_p ng_ipfw_findhook1(node_p, u_int16_t );
	64	static int ng_ipfw_input(struct mbuf *, int, struct ip_fw_args ,
	65	int);
	66
	67	/* We have only one node */
	68	static node_p fw_node;
	69
	70	/* Netgraph node type descriptor */
	71	static struct ng_type ng_ipfw_typestruct = {
	72	.version = NG_ABI_VERSION,
	73	.name = NG_IPFW_NODE_TYPE,
	74	.mod_event = ng_ipfw_mod_event,
	75	.constructor = ng_ipfw_constructor,
	76	.shutdown = ng_ipfw_shutdown,
	77	.newhook = ng_ipfw_newhook,
	78	.connect = ng_ipfw_connect,
	79	.findhook = ng_ipfw_findhook,
	80	.rcvdata = ng_ipfw_rcvdata,
	81	.disconnect = ng_ipfw_disconnect,
	82	};
	83	NETGRAPH_INIT(ipfw, &ng_ipfw_typestruct);
	84	MODULE_DEPEND(ng_ipfw, ipfw, 2, 2, 2);
	85
	86	/* Information we store for each hook */
	87	struct ng_ipfw_hook_priv {
	88	hook_p hook;
	89	u_int16_t rulenum;
	90	};
	91	typedef struct ng_ipfw_hook_priv *hpriv_p;
	92
	93	static int
	94	ng_ipfw_mod_event(module_t mod, int event, void *data)
	95	{
	96	int error = 0;
	97
	98	switch (event) {
	99	case MOD_LOAD:
	100
	101	if (ng_ipfw_input_p != NULL) {
	102	error = EEXIST;
	103	break;
	104	}
	105
	106	/* Setup node without any private data */
	107	if ((error = ng_make_node_common(&ng_ipfw_typestruct, &fw_node))
	108	!= 0) {
	109	log(LOG_ERR, "%s: can't create ng_ipfw node", __func__);
	110	break;
	111	};
	112
	113	/* Try to name node */
	114	if (ng_name_node(fw_node, "ipfw") != 0)
	115	log(LOG_WARNING, "%s: failed to name node \"ipfw\"",
	116	__func__);
117
118	/* Register hook */
119	ng_ipfw_input_p = ng_ipfw_input;
120	break;
121
122	case MOD_UNLOAD:
123	/*
124	* This won't happen if a node exists.
125	* ng_ipfw_input_p is already cleared.
126	*/
127	break;
128
129	default:
130	error = EOPNOTSUPP;
131	break;
132	}
133
134	return (error);
135	}
136
137	static int
138	ng_ipfw_constructor(node_p node)
139	{
140	return (EINVAL); /* Only one node */
141	}
142
143	static int
144	ng_ipfw_newhook(node_p node, hook_p hook, const char *name)
145	{
146	hpriv_p hpriv;
147	u_int16_t rulenum;
148	const char *cp;
149	char *endptr;
150
151	/* Protect from leading zero */
152	if (name[0] == '0' && name[1] != '\0')
153	return (EINVAL);
154
155	/* Check that name contains only digits */
156	for (cp = name; *cp != '\0'; cp++)
157	if (!isdigit(*cp))
158	return (EINVAL);
159
160	/* Convert it to integer */
161	rulenum = (u_int16_t)strtol(name, &endptr, 10);
162	if (*endptr != '\0')
163	return (EINVAL);
164
165	/* Allocate memory for this hook's private data */
fc025606 SW	166	hpriv = kmalloc(sizeof(*hpriv), M_NETGRAPH,
fc025606 SW	167	M_WAITOK \| M_NULLOK \| M_ZERO);
b06ebda0 MD	168	if (hpriv== NULL)
	169	return (ENOMEM);
	170
	171	hpriv->hook = hook;
	172	hpriv->rulenum = rulenum;
	173
	174	NG_HOOK_SET_PRIVATE(hook, hpriv);
	175
	176	return(0);
	177	}
	178
	179	/*
	180	* Set hooks into queueing mode, to avoid recursion between
	181	* netgraph layer and ip_{input,output}.
	182	*/
	183	static int
	184	ng_ipfw_connect(hook_p hook)
	185	{
	186	NG_HOOK_FORCE_QUEUE(hook);
	187	return (0);
	188	}
	189
	190	/* Look up hook by name */
	191	hook_p
	192	ng_ipfw_findhook(node_p node, const char *name)
	193	{
	194	u_int16_t n; /* numeric representation of hook */
	195	char *endptr;
	196
	197	n = (u_int16_t)strtol(name, &endptr, 10);
	198	if (*endptr != '\0')
	199	return NULL;
	200	return ng_ipfw_findhook1(node, n);
	201	}
	202
	203	/* Look up hook by rule number */
	204	static hook_p
	205	ng_ipfw_findhook1(node_p node, u_int16_t rulenum)
	206	{
	207	hook_p hook;
	208	hpriv_p hpriv;
	209
	210	LIST_FOREACH(hook, &node->nd_hooks, hk_hooks) {
	211	hpriv = NG_HOOK_PRIVATE(hook);
	212	if (NG_HOOK_IS_VALID(hook) && (hpriv->rulenum == rulenum))
	213	return (hook);
	214	}
	215
	216	return (NULL);
	217	}
	218
	219
	220	static int
	221	ng_ipfw_rcvdata(hook_p hook, item_p item)
	222	{
	223	struct ng_ipfw_tag *ngit;
	224	struct mbuf *m;
	225
	226	NGI_GET_M(item, m);
	227	NG_FREE_ITEM(item);
	228
	229	if ((ngit = (struct ng_ipfw_tag *)m_tag_locate(m, NGM_IPFW_COOKIE, 0,
	230	NULL)) == NULL) {
	231	NG_FREE_M(m);
232	return (EINVAL); /* XXX: find smth better */
233	};
234
235	switch (ngit->dir) {
236	case NG_IPFW_OUT:
237	{
238	struct ip *ip;
239
240	if (m->m_len < sizeof(struct ip) &&
241	(m = m_pullup(m, sizeof(struct ip))) == NULL)
242	return (EINVAL);
243
244	ip = mtod(m, struct ip *);
245
246	ip->ip_len = ntohs(ip->ip_len);
247	ip->ip_off = ntohs(ip->ip_off);
248
249	return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
250	}
251	case NG_IPFW_IN:
252	ip_input(m);
253	return (0);
254	default:
255	panic("ng_ipfw_rcvdata: bad dir %u", ngit->dir);
256	}
257
258	/* not reached */
259	return (0);
260	}
261
262	static int
263	ng_ipfw_input(struct mbuf *m0, int dir, struct ip_fw_args fwa, int tee)
264	{
265	struct mbuf *m;
266	struct ng_ipfw_tag *ngit;
267	struct ip *ip;
268	hook_p hook;
269	int error = 0;
270
271	/*
272	* Node must be loaded and corresponding hook must be present.
273	*/
274	if (fw_node == NULL \|\|
275	(hook = ng_ipfw_findhook1(fw_node, fwa->cookie)) == NULL) {
276	if (tee == 0)
277	m_freem(*m0);
278	return (ESRCH); /* no hook associated with this rule */
279	}
280
281	/*
282	* We have two modes: in normal mode we add a tag to packet, which is
283	* important to return packet back to IP stack. In tee mode we make
284	* a copy of a packet and forward it into netgraph without a tag.
285	*/
286	if (tee == 0) {
287	m = *m0;
288	m0 = NULL; / it belongs now to netgraph */
289
290	if ((ngit = (struct ng_ipfw_tag *)m_tag_alloc(NGM_IPFW_COOKIE,
5a975a3d	291	0, TAGSIZ, MB_DONTWAIT)) == NULL) {
b06ebda0 MD	292	m_freem(m);
	293	return (ENOMEM);
	294	}
	295	ngit->rule = fwa->rule;
	296	ngit->dir = dir;
	297	ngit->ifp = fwa->oif;
	298	m_tag_prepend(m, &ngit->mt);
	299
	300	} else
5a975a3d	301	if ((m = m_dup(*m0, MB_DONTWAIT)) == NULL)
b06ebda0 MD	302	return (ENOMEM); /* which is ignored */
	303
	304	if (m->m_len < sizeof(struct ip) &&
	305	(m = m_pullup(m, sizeof(struct ip))) == NULL)
	306	return (EINVAL);
	307
	308	ip = mtod(m, struct ip *);
	309	ip->ip_len = htons(ip->ip_len);
	310	ip->ip_off = htons(ip->ip_off);
	311
	312	NG_SEND_DATA_ONLY(error, hook, m);
	313
	314	return (error);
	315	}
	316
	317	static int
	318	ng_ipfw_shutdown(node_p node)
	319	{
	320
	321	/*
	322	* After our single node has been removed,
	323	* the only thing that can be done is
	324	* 'kldunload ng_ipfw.ko'
	325	*/
	326	ng_ipfw_input_p = NULL;
	327	NG_NODE_UNREF(node);
	328	return (0);
	329	}
	330
	331	static int
	332	ng_ipfw_disconnect(hook_p hook)
	333	{
	334	const hpriv_p hpriv = NG_HOOK_PRIVATE(hook);
	335
fc025606	336	kfree(hpriv, M_NETGRAPH);
b06ebda0 MD	337	NG_HOOK_SET_PRIVATE(hook, NULL);
	338
	339	return (0);
	340	}