1 | /*- |
2 | * Copyright 2005, Gleb Smirnoff <glebius@FreeBSD.org> | |
3 | * All rights reserved. | |
4 | * | |
5 | * Redistribution and use in source and binary forms, with or without | |
6 | * modification, are permitted provided that the following conditions | |
7 | * are met: | |
8 | * 1. Redistributions of source code must retain the above copyright | |
9 | * notice, this list of conditions and the following disclaimer. | |
10 | * 2. Redistributions in binary form must reproduce the above copyright | |
11 | * notice, this list of conditions and the following disclaimer in the | |
12 | * documentation and/or other materials provided with the distribution. | |
13 | * | |
14 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | |
15 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
16 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
17 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
18 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
19 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
20 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
21 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
22 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
23 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
24 | * SUCH DAMAGE. | |
25 | * | |
26 | * $FreeBSD: src/sys/netgraph/ng_ipfw.c,v 1.9 2006/02/14 15:22:24 ru Exp $ | |
27 | */ | |
28 | ||
29 | #include <sys/param.h> | |
30 | #include <sys/systm.h> | |
31 | #include <sys/kernel.h> | |
32 | #include <sys/mbuf.h> | |
33 | #include <sys/malloc.h> | |
34 | #include <sys/ctype.h> | |
35 | #include <sys/errno.h> | |
36 | #include <sys/socket.h> | |
37 | #include <sys/syslog.h> | |
38 | ||
39 | #include <net/if.h> | |
40 | ||
41 | #include <netinet/in.h> | |
42 | #include <netinet/in_systm.h> | |
43 | #include <netinet/in_var.h> | |
44 | #include <netinet/ip_fw.h> | |
45 | #include <netinet/ip.h> | |
46 | #include <netinet/ip_var.h> | |
47 | ||
48 | #include "ng_message.h" |
49 | #include "ng_parse.h" | |
50 | #include "ng_ipfw.h" | |
51 | #include "netgraph.h" | |
52 | |
/* Module load/unload handler; creates the single "ipfw" node on MOD_LOAD. */
static int ng_ipfw_mod_event(module_t mod, int event, void *data);
static ng_constructor_t ng_ipfw_constructor;
static ng_shutdown_t ng_ipfw_shutdown;
static ng_newhook_t ng_ipfw_newhook;
static ng_connect_t ng_ipfw_connect;
static ng_findhook_t ng_ipfw_findhook;
static ng_rcvdata_t ng_ipfw_rcvdata;
static ng_disconnect_t ng_ipfw_disconnect;

/* Hook lookup by numeric rule number (the parsed form of the hook name). */
static hook_p ng_ipfw_findhook1(node_p, u_int16_t );
/* Entry point installed into ng_ipfw_input_p; called by ipfw to divert a packet. */
static int ng_ipfw_input(struct mbuf **, int, struct ip_fw_args *,
    int);

/* We have only one node */
static node_p fw_node;

/* Netgraph node type descriptor */
static struct ng_type ng_ipfw_typestruct = {
	.version =	NG_ABI_VERSION,
	.name =		NG_IPFW_NODE_TYPE,
	.mod_event =	ng_ipfw_mod_event,
	.constructor =	ng_ipfw_constructor,
	.shutdown =	ng_ipfw_shutdown,
	.newhook =	ng_ipfw_newhook,
	.connect =	ng_ipfw_connect,
	.findhook =	ng_ipfw_findhook,
	.rcvdata =	ng_ipfw_rcvdata,
	.disconnect =	ng_ipfw_disconnect,
};
NETGRAPH_INIT(ipfw, &ng_ipfw_typestruct);
MODULE_DEPEND(ng_ipfw, ipfw, 2, 2, 2);

/* Information we store for each hook */
struct ng_ipfw_hook_priv {
	hook_p		hook;		/* back pointer to the owning hook */
	u_int16_t	rulenum;	/* rule number parsed from the hook name */
};
typedef struct ng_ipfw_hook_priv *hpriv_p;
91 | ||
/*
 * Module event handler.
 *
 * MOD_LOAD creates the single ng_ipfw node, tries to name it "ipfw" and
 * publishes ng_ipfw_input() through ng_ipfw_input_p so that ipfw can
 * divert packets to us.  Loading twice is refused with EEXIST.
 * MOD_UNLOAD has nothing to do: it cannot happen while the node exists,
 * and ng_ipfw_shutdown() has already cleared ng_ipfw_input_p by then.
 *
 * Returns 0 on success, EEXIST if already loaded, EOPNOTSUPP for an
 * unknown event, or the error from ng_make_node_common().
 */
static int
ng_ipfw_mod_event(module_t mod, int event, void *data)
{
	int error;

	if (event == MOD_UNLOAD)
		return (0);
	if (event != MOD_LOAD)
		return (EOPNOTSUPP);

	/* A second load would clobber the already-installed hook pointer. */
	if (ng_ipfw_input_p != NULL)
		return (EEXIST);

	/* Setup node without any private data */
	error = ng_make_node_common(&ng_ipfw_typestruct, &fw_node);
	if (error != 0) {
		log(LOG_ERR, "%s: can't create ng_ipfw node", __func__);
		return (error);
	}

	/* Naming is best effort; the node works unnamed. */
	if (ng_name_node(fw_node, "ipfw") != 0)
		log(LOG_WARNING, "%s: failed to name node \"ipfw\"",
		    __func__);

	/* Register hook */
	ng_ipfw_input_p = ng_ipfw_input;
	return (0);
}
135 | ||
/*
 * Node constructor.  The only ng_ipfw node is created by
 * ng_ipfw_mod_event() at load time, so user-requested construction
 * is always refused.
 */
static int
ng_ipfw_constructor(node_p node)
{
	const int error = EINVAL;	/* Only one node */

	return (error);
}
141 | ||
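/*
 * Validate a new hook's name and attach per-hook private data.
 *
 * The hook name is the decimal rule number the hook serves.  It must be
 * non-empty, consist of digits only, carry no leading zero (so that each
 * rule number has exactly one spelling) and fit in a u_int16_t.  The last
 * check matters: the value is stored as u_int16_t, so without it a name
 * such as "65536" would silently become rule 0 and collide with hook "0".
 *
 * Returns 0 on success, EINVAL for a malformed name, ENOMEM if the
 * private data cannot be allocated.
 */
static int
ng_ipfw_newhook(node_p node, hook_p hook, const char *name)
{
	hpriv_p hpriv;
	long val;
	const char *cp;
	char *endptr;

	/* An empty name would parse as rule 0; reject it explicitly. */
	if (name[0] == '\0')
		return (EINVAL);

	/* Protect from leading zero */
	if (name[0] == '0' && name[1] != '\0')
		return (EINVAL);

	/* Check that name contains only digits */
	for (cp = name; *cp != '\0'; cp++)
		if (!isdigit((unsigned char)*cp))
			return (EINVAL);

	/* Convert it to integer */
	val = strtol(name, &endptr, 10);
	if (*endptr != '\0')
		return (EINVAL);

	/* Must fit the u_int16_t rule number; also catches strtol overflow. */
	if (val < 0 || val > 0xffff)
		return (EINVAL);

	/* Allocate memory for this hook's private data */
	hpriv = kmalloc(sizeof(*hpriv), M_NETGRAPH,
	    M_WAITOK | M_NULLOK | M_ZERO);
	if (hpriv == NULL)
		return (ENOMEM);

	hpriv->hook = hook;
	hpriv->rulenum = (u_int16_t)val;

	NG_HOOK_SET_PRIVATE(hook, hpriv);

	return (0);
}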
177 | ||
/*
 * Set hooks into queueing mode, to avoid recursion between
 * netgraph layer and ip_{input,output}.
 *
 * Called once the hook is connected; always succeeds.
 */
static int
ng_ipfw_connect(hook_p hook)
{
	/* Data arriving on this hook is queued instead of delivered inline. */
	NG_HOOK_FORCE_QUEUE(hook);
	return (0);
}
188 | ||
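/*
 * Look up hook by name.
 *
 * The name is the decimal rule number used when the hook was created.
 * An empty string and values outside the u_int16_t range are rejected
 * rather than being mapped onto rule 0 or truncated, which kept them in
 * line with what ng_ipfw_newhook() accepts.  (Leading whitespace is still
 * tolerated by strtol(); such a name cannot have been created, so the
 * lookup simply reports whichever hook the number denotes.)
 *
 * Returns the hook or NULL if the name is malformed or no such hook.
 */
hook_p
ng_ipfw_findhook(node_p node, const char *name)
{
	long n;			/* numeric representation of hook */
	char *endptr;

	n = strtol(name, &endptr, 10);
	/* endptr == name means no digits were consumed at all. */
	if (endptr == name || *endptr != '\0')
		return (NULL);
	if (n < 0 || n > 0xffff)
		return (NULL);
	return (ng_ipfw_findhook1(node, (u_int16_t)n));
}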
201 | ||
/*
 * Look up hook by rule number.
 *
 * Walks the node's hook list and returns the first valid hook whose
 * private rulenum matches, or NULL if there is none.
 */
static hook_p
ng_ipfw_findhook1(node_p node, u_int16_t rulenum)
{
	hook_p hook;

	LIST_FOREACH(hook, &node->nd_hooks, hk_hooks) {
		const hpriv_p hpriv = NG_HOOK_PRIVATE(hook);

		/* Invalid hooks are skipped before their private data is read. */
		if (!NG_HOOK_IS_VALID(hook))
			continue;
		/*
		 * NOTE(review): hpriv is dereferenced without a NULL check;
		 * this relies on every valid hook having had its private data
		 * set by ng_ipfw_newhook() — confirm against the netgraph core.
		 */
		if (hpriv->rulenum == rulenum)
			return (hook);
	}

	return (NULL);
}
217 | ||
218 | ||
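/*
 * Receive a packet back from netgraph and re-inject it into the IP stack.
 *
 * The mbuf must carry the ng_ipfw tag attached by ng_ipfw_input(); its
 * dir field selects ip_output() (NG_IPFW_OUT) or ip_input() (NG_IPFW_IN).
 * Untagged packets are dropped with EINVAL.  The mbuf is consumed on every
 * path: m_pullup() frees the chain when it fails, and the IP stack owns it
 * afterwards.  An unknown dir panics, since the tag is (presumably) only
 * ever written by ng_ipfw_input() and any other value is a kernel bug.
 *
 * The unused "struct ip *ip" local of the original was dropped; the pullup
 * is kept so that the caller sees a contiguous header.
 */
static int
ng_ipfw_rcvdata(hook_p hook, item_p item)
{
	struct ng_ipfw_tag *ngit;
	struct mbuf *m;

	NGI_GET_M(item, m);
	NG_FREE_ITEM(item);

	ngit = (struct ng_ipfw_tag *)m_tag_locate(m, NGM_IPFW_COOKIE, 0, NULL);
	if (ngit == NULL) {
		NG_FREE_M(m);
		return (EINVAL);	/* XXX: find smth better */
	}

	switch (ngit->dir) {
	case NG_IPFW_OUT:
		/* Make the IP header contiguous before handing it to ip_output(). */
		if (m->m_len < sizeof(struct ip) &&
		    (m = m_pullup(m, sizeof(struct ip))) == NULL)
			return (EINVAL);

		return (ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL));
	case NG_IPFW_IN:
		ip_input(m);
		return (0);
	default:
		panic("ng_ipfw_rcvdata: bad dir %u", ngit->dir);
	}

	/* not reached */
	return (0);
}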
257 | ||
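/*
 * Divert a packet from ipfw into netgraph.
 *
 * m0:  pointer to the packet.  In normal mode ownership passes to netgraph
 *      and *m0 is set to NULL; in tee mode *m0 is left untouched and a
 *      copy is sent instead.
 * dir: NG_IPFW_IN or NG_IPFW_OUT, recorded in the tag so that
 *      ng_ipfw_rcvdata() knows where to re-inject the packet.
 * fwa: ipfw arguments; fwa->cookie selects the hook (rule number) and
 *      fwa->rule / fwa->oif are stored in the tag.
 * tee: non-zero for tee mode.
 *
 * Returns 0 on success, ESRCH if the node is not loaded or no hook serves
 * the rule (the packet is freed unless in tee mode), ENOMEM if a tag or
 * copy cannot be allocated, EINVAL if the IP header cannot be pulled up,
 * or whatever NG_SEND_DATA_ONLY() reports.
 *
 * The unused "struct ip *ip" local of the original was dropped; the pullup
 * is kept so that the hook peer sees a contiguous IP header.
 */
static int
ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee)
{
	struct mbuf *m;
	struct ng_ipfw_tag *ngit;
	hook_p hook;
	int error = 0;

	/*
	 * Node must be loaded and corresponding hook must be present.
	 */
	if (fw_node == NULL ||
	    (hook = ng_ipfw_findhook1(fw_node, fwa->cookie)) == NULL) {
		if (tee == 0)
			m_freem(*m0);
		return (ESRCH);	/* no hook associated with this rule */
	}

	/*
	 * We have two modes: in normal mode we add a tag to packet, which is
	 * important to return packet back to IP stack. In tee mode we make
	 * a copy of a packet and forward it into netgraph without a tag.
	 */
	if (tee == 0) {
		m = *m0;
		*m0 = NULL;	/* it belongs now to netgraph */

		if ((ngit = (struct ng_ipfw_tag *)m_tag_alloc(NGM_IPFW_COOKIE,
		    0, TAGSIZ, M_NOWAIT)) == NULL) {
			m_freem(m);
			return (ENOMEM);
		}
		ngit->rule = fwa->rule;
		ngit->dir = dir;
		ngit->ifp = fwa->oif;
		m_tag_prepend(m, &ngit->mt);

	} else
		if ((m = m_dup(*m0, M_NOWAIT)) == NULL)
			return (ENOMEM);	/* which is ignored */

	/*
	 * Make the IP header contiguous.  On failure m_pullup() has already
	 * freed the chain; in normal mode *m0 is NULL so the caller does not
	 * touch it again, in tee mode only the copy is lost.
	 */
	if (m->m_len < sizeof(struct ip) &&
	    (m = m_pullup(m, sizeof(struct ip))) == NULL)
		return (EINVAL);

	NG_SEND_DATA_ONLY(error, hook, m);

	return (error);
}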
310 | ||
/*
 * Node shutdown.
 *
 * Unpublishes ng_ipfw_input() so ipfw stops diverting packets to us, then
 * drops the node reference.  Always returns 0.
 */
static int
ng_ipfw_shutdown(node_p node)
{

	/*
	 * After our single node has been removed,
	 * the only thing that can be done is
	 * 'kldunload ng_ipfw.ko'
	 */
	/* Must be cleared first: ipfw reads this pointer to reach the node. */
	ng_ipfw_input_p = NULL;
	NG_NODE_UNREF(node);
	return (0);
}
324 | ||
/*
 * Hook disconnect: release the private data allocated by
 * ng_ipfw_newhook() and clear the hook's private pointer.
 * Always returns 0.
 */
static int
ng_ipfw_disconnect(hook_p hook)
{
	/* Private data was allocated with M_NETGRAPH in ng_ipfw_newhook(). */
	kfree(NG_HOOK_PRIVATE(hook), M_NETGRAPH);
	/* Clear the pointer so a stale reference cannot be reused. */
	NG_HOOK_SET_PRIVATE(hook, NULL);

	return (0);
}