1 /* $FreeBSD: src/sys/contrib/pf/net/pf_subr.c,v 1.1 2004/06/16 23:24:00 mlaier Exp $ */
2 /* from $OpenBSD: kern_subr.c,v 1.26 2003/10/31 11:10:41 markus Exp $ */
3 /* $NetBSD: kern_subr.c,v 1.15 1996/04/09 17:21:56 ragge Exp $ */
4 /* $DragonFly: src/sys/net/pf/pf_subr.c,v 1.2 2006/09/05 00:55:47 dillon Exp $ */
7 * Copyright (c) 2004 The DragonFly Project. All rights reserved.
9 * Copyright (c) 1982, 1986, 1991, 1993
10 * The Regents of the University of California. All rights reserved.
11 * (c) UNIX System Laboratories, Inc.
12 * All or some portions of this file are derived from material licensed
13 * to the University of California by American Telephone and Telegraph
14 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
15 * the permission of UNIX System Laboratories, Inc.
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in the
24 * documentation and/or other materials provided with the distribution.
25 * 3. Neither the name of the University nor the names of its contributors
26 * may be used to endorse or promote products derived from this software
27 * without specific prior written permission.
29 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
30 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
31 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
33 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
34 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
35 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
36 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
38 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
41 * @(#)kern_subr.c 8.3 (Berkeley) 1/21/94
44 #include <sys/param.h>
45 #include <sys/systm.h>
46 #include <sys/socket.h>
47 #include <sys/socketvar.h>
49 #include <sys/malloc.h>
50 #include <sys/queue.h>
51 #include <sys/kernel.h>
52 #include <sys/resourcevar.h>
53 #include <vm/vm_zone.h>
57 #include <netinet/in.h>
58 #include <netinet/in_var.h>
59 #include <netinet/tcp.h>
61 #include <net/pf/pfvar.h>
63 #include <sys/random.h>
66 * This implements additional functions used by pf which can not be ported
67 * easyly. At this point it boils down to mostly the Net/OpenBSD hook
70 * BEWARE: this is not locked! Required locking is done by the caller.
74 hook_establish(struct hook_desc_head *head, int tail, void (*fn)(void *),
77 struct hook_desc *hdp;
79 hdp = kmalloc(sizeof (*hdp), M_DEVBUF, M_WAITOK);
86 TAILQ_INSERT_TAIL(head, hdp, hd_list);
88 TAILQ_INSERT_HEAD(head, hdp, hd_list);
94 hook_disestablish(struct hook_desc_head *head, void *vhook)
96 struct hook_desc *hdp;
99 for (hdp = TAILQ_FIRST(head); hdp != NULL;
100 hdp = TAILQ_NEXT(hdp, hd_list))
104 panic("hook_disestablish: hook not established");
107 TAILQ_REMOVE(head, hdp, hd_list);
108 kfree(hdp, M_DEVBUF);
112 * Run hooks. Startup hooks are invoked right after scheduler_start but
113 * before root is mounted. Shutdown hooks are invoked immediately before the
114 * system is halted or rebooted, i.e. after file systems unmounted,
115 * after crash dump done, etc.
118 dohooks(struct hook_desc_head *head, int flags)
120 struct hook_desc *hdp;
122 if ((flags & HOOK_REMOVE) == 0) {
123 TAILQ_FOREACH(hdp, head, hd_list) {
124 (*hdp->hd_fn)(hdp->hd_arg);
127 while ((hdp = TAILQ_FIRST(head)) != NULL) {
128 TAILQ_REMOVE(head, hdp, hd_list);
129 (*hdp->hd_fn)(hdp->hd_arg);
130 if ((flags & HOOK_FREE) != 0)
131 kfree(hdp, M_DEVBUF);
138 * Following is where TCP initial sequence number generation occurs.
140 * There are two places where we must use initial sequence numbers:
141 * 1. In SYN-ACK packets.
144 * All ISNs for SYN-ACK packets are generated by the syncache. See
145 * tcp_syncache.c for details.
147 * The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
148 * depends on this property. In addition, these ISNs should be
149 * unguessable so as to prevent connection hijacking. To satisfy
150 * the requirements of this situation, the algorithm outlined in
151 * RFC 1948 is used, with only small modifications.
153 * Implementation details:
155 * Time is based off the system timer, and is corrected so that it
156 * increases by one megabyte per second. This allows for proper
157 * recycling on high speed LANs while still leaving over an hour
160 * As reading the *exact* system time is too expensive to be done
161 * whenever setting up a TCP connection, we increment the time
162 * offset in two ways. First, a small random positive increment
163 * is added to isn_offset for each connection that is set up.
164 * Second, the function tcp_isn_tick fires once per clock tick
165 * and increments isn_offset as necessary so that sequence numbers
166 * are incremented at approximately ISN_BYTES_PER_SECOND. The
167 * random positive increments serve only to ensure that the same
168 * exact sequence number is never sent out twice (as could otherwise
169 * happen when a port is recycled in less than the system tick
172 * net.inet.tcp.isn_reseed_interval controls the number of seconds
173 * between seeding of isn_secret. This is normally set to zero,
174 * as reseeding should not be necessary.
176 * Locking of the global variables isn_secret, isn_last_reseed, isn_offset,
177 * isn_offset_old, and isn_ctx is performed using the TCP pcbinfo lock. In
178 * general, this means holding an exclusive (write) lock.
181 #define ISN_BYTES_PER_SECOND 1048576
182 #define ISN_STATIC_INCREMENT 4096
183 #define ISN_RANDOM_INCREMENT (4096 - 1)
185 static u_char pf_isn_secret[32];
186 static int pf_isn_last_reseed;
187 static u_int32_t pf_isn_offset;
190 pf_new_isn(struct pf_state *s) /* From FreeBSD */
193 u_int32_t md5_buffer[4];
195 struct pf_state_host *src, *dst;
197 /* Seed if this is the first use, reseed if requested. */
198 if (pf_isn_last_reseed == 0) {
199 read_random_unlimited(&pf_isn_secret, sizeof(pf_isn_secret));
200 pf_isn_last_reseed = ticks;
203 if (s->direction == PF_IN) {
211 /* Compute the md5 hash and return the ISN. */
213 MD5Update(&isn_ctx, (u_char *) &dst->port, sizeof(u_short));
214 MD5Update(&isn_ctx, (u_char *) &src->port, sizeof(u_short));
216 if (s->af == AF_INET6) {
217 MD5Update(&isn_ctx, (u_char *) &dst->addr,
218 sizeof(struct in6_addr));
219 MD5Update(&isn_ctx, (u_char *) &src->addr,
220 sizeof(struct in6_addr));
224 MD5Update(&isn_ctx, (u_char *) &dst->addr,
225 sizeof(struct in_addr));
226 MD5Update(&isn_ctx, (u_char *) &src->addr,
227 sizeof(struct in_addr));
229 MD5Update(&isn_ctx, (u_char *) &pf_isn_secret, sizeof(pf_isn_secret));
230 MD5Final((u_char *) &md5_buffer, &isn_ctx);
231 new_isn = (tcp_seq) md5_buffer[0];
232 pf_isn_offset += ISN_STATIC_INCREMENT +
233 (karc4random() & ISN_RANDOM_INCREMENT);
234 new_isn += pf_isn_offset;