2 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * $FreeBSD: src/sys/netinet/ip_fw2.c,v 1.6.2.12 2003/04/08 10:42:32 maxim Exp $
26 * $DragonFly: src/sys/net/ipfw/ip_fw2.c,v 1.74 2008/08/21 12:11:34 sephe Exp $
33 * Implement IP packet firewall (new version)
39 #include "opt_ipdivert.h"
42 #error IPFIREWALL requires INET.
46 #include <sys/param.h>
47 #include <sys/systm.h>
48 #include <sys/malloc.h>
50 #include <sys/kernel.h>
52 #include <sys/socket.h>
53 #include <sys/socketvar.h>
54 #include <sys/sysctl.h>
55 #include <sys/syslog.h>
56 #include <sys/thread2.h>
57 #include <sys/ucred.h>
58 #include <sys/in_cksum.h>
62 #include <net/route.h>
63 #include <net/netmsg2.h>
65 #include <netinet/in.h>
66 #include <netinet/in_systm.h>
67 #include <netinet/in_var.h>
68 #include <netinet/in_pcb.h>
69 #include <netinet/ip.h>
70 #include <netinet/ip_var.h>
71 #include <netinet/ip_icmp.h>
73 #include <net/dummynet/ip_dummynet.h>
74 #include <netinet/tcp.h>
75 #include <netinet/tcp_timer.h>
76 #include <netinet/tcp_var.h>
77 #include <netinet/tcpip.h>
78 #include <netinet/udp.h>
79 #include <netinet/udp_var.h>
81 #include <netinet/if_ether.h> /* XXX for ETHERTYPE_IP */
84 * Description about per-CPU rule duplication:
86 * Module loading/unloading and all ioctl operations are serialized
87 * by netisr0, so we don't have any ordering or locking problems.
89 * Following graph shows how operation on per-CPU rule list is
90 * performed [2 CPU case]:
94 * netisr0 <------------------------------------+
105 * forwardmsg---------->ifnet1 |
110 * replymsg--------------+
115 * Rules which will not create states (dyn rules) [2 CPU case]
118 * layer3_chain layer3_chain
121 * +-------+ sibling +-------+ sibling
122 * | rule1 |--------->| rule1 |--------->NULL
123 * +-------+ +-------+
127 * +-------+ sibling +-------+ sibling
128 * | rule2 |--------->| rule2 |--------->NULL
129 * +-------+ +-------+
132 * 1) Ease statistics calculation during IP_FW_GET. We only need to
133 * iterate layer3_chain on CPU0; the current rule's duplication on
134 * the other CPUs could safely be read-only accessed by using
136 * 2) Accelerate rule insertion and deletion, e.g. rule insertion:
137 * a) In netisr0 (on CPU0) rule3 is determined to be inserted between
138 * rule1 and rule2. To make this decision we need to iterate the
139 * layer3_chain on CPU0. The netmsg, which is used to insert the
140 * rule, will contain rule1 on CPU0 as prev_rule and rule2 on CPU0
142 * b) After the insertion on CPU0 is done, we will move on to CPU1.
143 * But instead of relocating the rule3's position on CPU1 by
144 * iterating the layer3_chain on CPU1, we set the netmsg's prev_rule
145 * to rule1->sibling and next_rule to rule2->sibling before the
146 * netmsg is forwarded to CPU1 from CPU0
150 * Rules which will create states (dyn rules) [2 CPU case]
151 * (unnecessary parts are omitted; they are same as in the previous figure)
155 * +-------+ +-------+
156 * | rule1 | | rule1 |
157 * +-------+ +-------+
164 * | +--------------------+ |
166 * | | (read-only shared) | |
168 * | | back pointer array | |
169 * | | (indexed by cpuid) | |
171 * +----|---------[0] | |
172 * | [1]--------|----+
174 * +--------------------+
177 * ........|............|............
181 * : +---------+ +---------+ :
182 * : | state1a | | state1b | .... :
183 * : +---------+ +---------+ :
187 * : (protected by dyn_lock) :
188 * ..................................
190 * [state1a and state1b are states created by rule1]
193 * This structure is introduced so that shared (locked) state table could
194 * work with per-CPU (duplicated) static rules. It mainly bridges states
195 * and static rules and serves as static rule's place holder (a read-only
196 * shared part of duplicated rules) from states point of view.
198 * IPFW_RULE_F_STATE (only for rules which create states):
199 * o During rule installation, this flag is turned on after rule's
200 * duplications reach all CPUs, to avoid at least following race:
201 * 1) rule1 is duplicated on CPU0 and is not duplicated on CPU1 yet
202 * 2) rule1 creates state1
203 * 3) state1 is located on CPU1 by check-state
204 * But rule1 is not duplicated on CPU1 yet
205 * o During rule deletion, this flag is turned off before deleting states
206 * created by the rule and before deleting the rule itself, so no
207 * more states will be created by the to-be-deleted rule even when its
208 * duplication on certain CPUs are not eliminated yet.
211 #define IPFW_AUTOINC_STEP_MIN 1
212 #define IPFW_AUTOINC_STEP_MAX 1000
213 #define IPFW_AUTOINC_STEP_DEF 100
215 #define IPFW_DEFAULT_RULE 65535 /* rulenum for the default rule */
216 #define IPFW_DEFAULT_SET 31 /* set number for the default rule */
220 const struct ipfw_ioc_rule *ioc_rule;
221 struct ip_fw *next_rule;
222 struct ip_fw *prev_rule;
223 struct ip_fw *sibling;
224 struct ip_fw_stub *stub;
229 struct ip_fw *start_rule;
230 struct ip_fw *prev_rule;
238 struct ip_fw *start_rule;
243 struct ipfw_context {
244 struct ip_fw *ipfw_layer3_chain; /* list of rules for layer3 */
245 struct ip_fw *ipfw_default_rule; /* default rule */
246 uint64_t ipfw_norule_counter; /* counter for ipfw_log(NULL) */
249 * ipfw_set_disable contains one bit per set value (0..31).
250 * If the bit is set, all rules with the corresponding set
251 * are disabled. Set IPDW_DEFAULT_SET is reserved for the
252 * default rule and CANNOT be disabled.
254 uint32_t ipfw_set_disable;
255 uint32_t ipfw_gen; /* generation of rule list */
258 static struct ipfw_context *ipfw_ctx[MAXCPU];
262 * Module can not be unloaded, if there are references to
263 * certains rules of ipfw(4), e.g. dummynet(4)
265 static int ipfw_refcnt;
268 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
271 * Following two global variables are accessed and
272 * updated only on CPU0
274 static uint32_t static_count; /* # of static rules */
275 static uint32_t static_ioc_len; /* bytes of static rules */
278 * If 1, then ipfw static rules are being flushed,
279 * ipfw_chk() will skip to the default rule.
281 static int ipfw_flushing;
283 static int fw_verbose;
284 static int verbose_limit;
286 static int fw_debug = 1;
287 static int autoinc_step = IPFW_AUTOINC_STEP_DEF;
289 static int ipfw_sysctl_autoinc_step(SYSCTL_HANDLER_ARGS);
290 static int ipfw_sysctl_dyn_buckets(SYSCTL_HANDLER_ARGS);
291 static int ipfw_sysctl_dyn_fin(SYSCTL_HANDLER_ARGS);
292 static int ipfw_sysctl_dyn_rst(SYSCTL_HANDLER_ARGS);
295 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
296 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
297 &fw_enable, 0, "Enable ipfw");
298 SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLTYPE_INT | CTLFLAG_RW,
299 &autoinc_step, 0, ipfw_sysctl_autoinc_step, "I",
300 "Rule number autincrement step");
301 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
303 "Only do a single pass through ipfw when using dummynet(4)");
304 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW,
305 &fw_debug, 0, "Enable printing of debug ip_fw statements");
306 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW,
307 &fw_verbose, 0, "Log matches to ipfw rules");
308 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW,
309 &verbose_limit, 0, "Set upper limit of matches of ipfw rules logged");
312 * Description of dynamic rules.
314 * Dynamic rules are stored in lists accessed through a hash table
315 * (ipfw_dyn_v) whose size is curr_dyn_buckets. This value can
316 * be modified through the sysctl variable dyn_buckets which is
317 * updated when the table becomes empty.
319 * XXX currently there is only one list, ipfw_dyn.
321 * When a packet is received, its address fields are first masked
322 * with the mask defined for the rule, then hashed, then matched
323 * against the entries in the corresponding list.
324 * Dynamic rules can be used for different purposes:
326 * + enforcing limits on the number of sessions;
327 * + in-kernel NAT (not implemented yet)
329 * The lifetime of dynamic rules is regulated by dyn_*_lifetime,
330 * measured in seconds and depending on the flags.
332 * The total number of dynamic rules is stored in dyn_count.
333 * The max number of dynamic rules is dyn_max. When we reach
334 * the maximum number of rules we do not create anymore. This is
335 * done to avoid consuming too much memory, but also too much
336 * time when searching on each packet (ideally, we should try instead
337 * to put a limit on the length of the list on each bucket...).
339 * Each dynamic rule holds a pointer to the parent ipfw rule so
340 * we know what action to perform. Dynamic rules are removed when
341 * the parent rule is deleted. XXX we should make them survive.
343 * There are some limitations with dynamic rules -- we do not
344 * obey the 'randomized match', and we do not do multiple
345 * passes through the firewall. XXX check the latter!!!
347 * NOTE about the SHARED LOCKMGR LOCK during dynamic rule looking up:
348 * Only TCP state transition will change dynamic rule's state and ack
349 * sequences, while all packets of one TCP connection only goes through
350 * one TCP thread, so it is safe to use shared lockmgr lock during dynamic
351 * rule looking up. The keep alive callout uses exclusive lockmgr lock
352 * when it tries to find suitable dynamic rules to send keep alive, so
353 * it will not see half updated state and ack sequences. Though the expire
354 * field updating looks racy for other protocols, the resolution (second)
355 * of expire field makes this kind of race harmless.
356 * XXX statistics' updating is _not_ MPsafe!!!
357 * XXX once UDP output path is fixed, we could use lockless dynamic rule
360 static ipfw_dyn_rule **ipfw_dyn_v = NULL;
361 static uint32_t dyn_buckets = 256; /* must be power of 2 */
362 static uint32_t curr_dyn_buckets = 256; /* must be power of 2 */
363 static uint32_t dyn_buckets_gen; /* generation of dyn buckets array */
364 static struct lock dyn_lock; /* dynamic rules' hash table lock */
365 static struct callout ipfw_timeout_h;
368 * Timeouts for various events in handing dynamic rules.
370 static uint32_t dyn_ack_lifetime = 300;
371 static uint32_t dyn_syn_lifetime = 20;
372 static uint32_t dyn_fin_lifetime = 1;
373 static uint32_t dyn_rst_lifetime = 1;
374 static uint32_t dyn_udp_lifetime = 10;
375 static uint32_t dyn_short_lifetime = 5;
378 * Keepalives are sent if dyn_keepalive is set. They are sent every
379 * dyn_keepalive_period seconds, in the last dyn_keepalive_interval
380 * seconds of lifetime of a rule.
381 * dyn_rst_lifetime and dyn_fin_lifetime should be strictly lower
382 * than dyn_keepalive_period.
385 static uint32_t dyn_keepalive_interval = 20;
386 static uint32_t dyn_keepalive_period = 5;
387 static uint32_t dyn_keepalive = 1; /* do send keepalives */
389 static uint32_t dyn_count; /* # of dynamic rules */
390 static uint32_t dyn_max = 4096; /* max # of dynamic rules */
392 SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLTYPE_INT | CTLFLAG_RW,
393 &dyn_buckets, 0, ipfw_sysctl_dyn_buckets, "I", "Number of dyn. buckets");
394 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD,
395 &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
396 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD,
397 &dyn_count, 0, "Number of dyn. rules");
398 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW,
399 &dyn_max, 0, "Max number of dyn. rules");
400 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD,
401 &static_count, 0, "Number of static rules");
402 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW,
403 &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
404 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW,
405 &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
406 SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime,
407 CTLTYPE_INT | CTLFLAG_RW, &dyn_fin_lifetime, 0, ipfw_sysctl_dyn_fin, "I",
408 "Lifetime of dyn. rules for fin");
409 SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime,
410 CTLTYPE_INT | CTLFLAG_RW, &dyn_rst_lifetime, 0, ipfw_sysctl_dyn_rst, "I",
411 "Lifetime of dyn. rules for rst");
412 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW,
413 &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP");
414 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW,
415 &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
416 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_keepalive, CTLFLAG_RW,
417 &dyn_keepalive, 0, "Enable keepalives for dyn. rules");
419 #endif /* SYSCTL_NODE */
421 static ip_fw_chk_t ipfw_chk;
424 ipfw_free_rule(struct ip_fw *rule)
426 KASSERT(rule->cpuid == mycpuid, ("rule freed on cpu%d\n", mycpuid));
427 KASSERT(rule->refcnt > 0, ("invalid refcnt %u\n", rule->refcnt));
429 if (rule->refcnt == 0) {
437 ipfw_unref_rule(void *priv)
439 ipfw_free_rule(priv);
441 atomic_subtract_int(&ipfw_refcnt, 1);
446 ipfw_ref_rule(struct ip_fw *rule)
448 KASSERT(rule->cpuid == mycpuid, ("rule used on cpu%d\n", mycpuid));
450 atomic_add_int(&ipfw_refcnt, 1);
456 * This macro maps an ip pointer into a layer3 header pointer of type T
458 #define L3HDR(T, ip) ((T *)((uint32_t *)(ip) + (ip)->ip_hl))
461 icmptype_match(struct ip *ip, ipfw_insn_u32 *cmd)
463 int type = L3HDR(struct icmp,ip)->icmp_type;
465 return (type <= ICMP_MAXTYPE && (cmd->d[0] & (1 << type)));
468 #define TT ((1 << ICMP_ECHO) | \
469 (1 << ICMP_ROUTERSOLICIT) | \
470 (1 << ICMP_TSTAMP) | \
475 is_icmp_query(struct ip *ip)
477 int type = L3HDR(struct icmp, ip)->icmp_type;
479 return (type <= ICMP_MAXTYPE && (TT & (1 << type)));
485 * The following checks use two arrays of 8 or 16 bits to store the
486 * bits that we want set or clear, respectively. They are in the
487 * low and high half of cmd->arg1 or cmd->d[0].
489 * We scan options and store the bits we find set. We succeed if
491 * (want_set & ~bits) == 0 && (want_clear & ~bits) == want_clear
493 * The code is sometimes optimized not to store additional variables.
497 flags_match(ipfw_insn *cmd, uint8_t bits)
502 if (((cmd->arg1 & 0xff) & bits) != 0)
503 return 0; /* some bits we want set were clear */
505 want_clear = (cmd->arg1 >> 8) & 0xff;
506 if ((want_clear & bits) != want_clear)
507 return 0; /* some bits we want clear were set */
512 ipopts_match(struct ip *ip, ipfw_insn *cmd)
514 int optlen, bits = 0;
515 u_char *cp = (u_char *)(ip + 1);
516 int x = (ip->ip_hl << 2) - sizeof(struct ip);
518 for (; x > 0; x -= optlen, cp += optlen) {
519 int opt = cp[IPOPT_OPTVAL];
521 if (opt == IPOPT_EOL)
524 if (opt == IPOPT_NOP) {
527 optlen = cp[IPOPT_OLEN];
528 if (optlen <= 0 || optlen > x)
529 return 0; /* invalid or truncated */
534 bits |= IP_FW_IPOPT_LSRR;
538 bits |= IP_FW_IPOPT_SSRR;
542 bits |= IP_FW_IPOPT_RR;
546 bits |= IP_FW_IPOPT_TS;
553 return (flags_match(cmd, bits));
557 tcpopts_match(struct ip *ip, ipfw_insn *cmd)
559 int optlen, bits = 0;
560 struct tcphdr *tcp = L3HDR(struct tcphdr,ip);
561 u_char *cp = (u_char *)(tcp + 1);
562 int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
564 for (; x > 0; x -= optlen, cp += optlen) {
567 if (opt == TCPOPT_EOL)
570 if (opt == TCPOPT_NOP) {
580 bits |= IP_FW_TCPOPT_MSS;
584 bits |= IP_FW_TCPOPT_WINDOW;
587 case TCPOPT_SACK_PERMITTED:
589 bits |= IP_FW_TCPOPT_SACK;
592 case TCPOPT_TIMESTAMP:
593 bits |= IP_FW_TCPOPT_TS;
599 bits |= IP_FW_TCPOPT_CC;
606 return (flags_match(cmd, bits));
610 iface_match(struct ifnet *ifp, ipfw_insn_if *cmd)
612 if (ifp == NULL) /* no iface with this packet, match fails */
615 /* Check by name or by IP address */
616 if (cmd->name[0] != '\0') { /* match by name */
619 if (kfnmatch(cmd->name, ifp->if_xname, 0) == 0)
622 if (strncmp(ifp->if_xname, cmd->name, IFNAMSIZ) == 0)
626 struct ifaddr_container *ifac;
628 TAILQ_FOREACH(ifac, &ifp->if_addrheads[mycpuid], ifa_link) {
629 struct ifaddr *ia = ifac->ifa;
631 if (ia->ifa_addr == NULL)
633 if (ia->ifa_addr->sa_family != AF_INET)
635 if (cmd->p.ip.s_addr == ((struct sockaddr_in *)
636 (ia->ifa_addr))->sin_addr.s_addr)
637 return(1); /* match */
640 return(0); /* no match, fail ... */
643 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
646 * We enter here when we have a rule with O_LOG.
647 * XXX this function alone takes about 2Kbytes of code!
650 ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh,
651 struct mbuf *m, struct ifnet *oif)
654 int limit_reached = 0;
655 char action2[40], proto[48], fragment[28];
660 if (f == NULL) { /* bogus pkt */
661 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
663 if (verbose_limit != 0 &&
664 ctx->ipfw_norule_counter >= verbose_limit)
666 ctx->ipfw_norule_counter++;
667 if (ctx->ipfw_norule_counter == verbose_limit)
668 limit_reached = verbose_limit;
670 } else { /* O_LOG is the first action, find the real one */
671 ipfw_insn *cmd = ACTION_PTR(f);
672 ipfw_insn_log *l = (ipfw_insn_log *)cmd;
674 if (l->max_log != 0 && l->log_left == 0)
677 if (l->log_left == 0)
678 limit_reached = l->max_log;
679 cmd += F_LEN(cmd); /* point to first action */
680 if (cmd->opcode == O_PROB)
684 switch (cmd->opcode) {
690 if (cmd->arg1==ICMP_REJECT_RST) {
692 } else if (cmd->arg1==ICMP_UNREACH_HOST) {
695 ksnprintf(SNPARGS(action2, 0), "Unreach %d",
709 ksnprintf(SNPARGS(action2, 0), "Divert %d", cmd->arg1);
713 ksnprintf(SNPARGS(action2, 0), "Tee %d", cmd->arg1);
717 ksnprintf(SNPARGS(action2, 0), "SkipTo %d", cmd->arg1);
721 ksnprintf(SNPARGS(action2, 0), "Pipe %d", cmd->arg1);
725 ksnprintf(SNPARGS(action2, 0), "Queue %d", cmd->arg1);
730 ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd;
733 len = ksnprintf(SNPARGS(action2, 0),
735 inet_ntoa(sa->sa.sin_addr));
736 if (sa->sa.sin_port) {
737 ksnprintf(SNPARGS(action2, len), ":%d",
749 if (hlen == 0) { /* non-ip */
750 ksnprintf(SNPARGS(proto, 0), "MAC");
752 struct ip *ip = mtod(m, struct ip *);
753 /* these three are all aliases to the same thing */
754 struct icmp *const icmp = L3HDR(struct icmp, ip);
755 struct tcphdr *const tcp = (struct tcphdr *)icmp;
756 struct udphdr *const udp = (struct udphdr *)icmp;
758 int ip_off, offset, ip_len;
761 if (eh != NULL) { /* layer 2 packets are as on the wire */
762 ip_off = ntohs(ip->ip_off);
763 ip_len = ntohs(ip->ip_len);
768 offset = ip_off & IP_OFFMASK;
771 len = ksnprintf(SNPARGS(proto, 0), "TCP %s",
772 inet_ntoa(ip->ip_src));
774 ksnprintf(SNPARGS(proto, len), ":%d %s:%d",
775 ntohs(tcp->th_sport),
776 inet_ntoa(ip->ip_dst),
777 ntohs(tcp->th_dport));
779 ksnprintf(SNPARGS(proto, len), " %s",
780 inet_ntoa(ip->ip_dst));
785 len = ksnprintf(SNPARGS(proto, 0), "UDP %s",
786 inet_ntoa(ip->ip_src));
788 ksnprintf(SNPARGS(proto, len), ":%d %s:%d",
789 ntohs(udp->uh_sport),
790 inet_ntoa(ip->ip_dst),
791 ntohs(udp->uh_dport));
793 ksnprintf(SNPARGS(proto, len), " %s",
794 inet_ntoa(ip->ip_dst));
800 len = ksnprintf(SNPARGS(proto, 0),
805 len = ksnprintf(SNPARGS(proto, 0), "ICMP ");
807 len += ksnprintf(SNPARGS(proto, len), "%s",
808 inet_ntoa(ip->ip_src));
809 ksnprintf(SNPARGS(proto, len), " %s",
810 inet_ntoa(ip->ip_dst));
814 len = ksnprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p,
815 inet_ntoa(ip->ip_src));
816 ksnprintf(SNPARGS(proto, len), " %s",
817 inet_ntoa(ip->ip_dst));
821 if (ip_off & (IP_MF | IP_OFFMASK)) {
822 ksnprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)",
823 ntohs(ip->ip_id), ip_len - (ip->ip_hl << 2),
824 offset << 3, (ip_off & IP_MF) ? "+" : "");
828 if (oif || m->m_pkthdr.rcvif) {
829 log(LOG_SECURITY | LOG_INFO,
830 "ipfw: %d %s %s %s via %s%s\n",
832 action, proto, oif ? "out" : "in",
833 oif ? oif->if_xname : m->m_pkthdr.rcvif->if_xname,
836 log(LOG_SECURITY | LOG_INFO,
837 "ipfw: %d %s %s [no if info]%s\n",
839 action, proto, fragment);
843 log(LOG_SECURITY | LOG_NOTICE,
844 "ipfw: limit %d reached on entry %d\n",
845 limit_reached, f ? f->rulenum : -1);
852 * IMPORTANT: the hash function for dynamic rules must be commutative
853 * in source and destination (ip,port), because rules are bidirectional
854 * and we want to find both in the same bucket.
857 hash_packet(struct ipfw_flow_id *id)
861 i = (id->dst_ip) ^ (id->src_ip) ^ (id->dst_port) ^ (id->src_port);
862 i &= (curr_dyn_buckets - 1);
867 * unlink a dynamic rule from a chain. prev is a pointer to
868 * the previous one, q is a pointer to the rule to delete,
869 * head is a pointer to the head of the queue.
870 * Modifies q and potentially also head.
872 #define UNLINK_DYN_RULE(prev, head, q) \
874 ipfw_dyn_rule *old_q = q; \
876 /* remove a refcount to the parent */ \
877 if (q->dyn_type == O_LIMIT) \
878 q->parent->count--; \
879 DEB(kprintf("-- unlink entry 0x%08x %d -> 0x%08x %d, %d left\n", \
880 (q->id.src_ip), (q->id.src_port), \
881 (q->id.dst_ip), (q->id.dst_port), dyn_count-1 ); ) \
883 prev->next = q = q->next; \
885 head = q = q->next; \
886 KASSERT(dyn_count > 0, ("invalid dyn count %u\n", dyn_count)); \
888 kfree(old_q, M_IPFW); \
891 #define TIME_LEQ(a, b) ((int)((a) - (b)) <= 0)
894 * Remove dynamic rules pointing to "rule", or all of them if rule == NULL.
896 * If keep_me == NULL, rules are deleted even if not expired,
897 * otherwise only expired rules are removed.
899 * The value of the second parameter is also used to point to identify
900 * a rule we absolutely do not want to remove (e.g. because we are
901 * holding a reference to it -- this is the case with O_LIMIT_PARENT
902 * rules). The pointer is only used for comparison, so any non-null
906 remove_dyn_rule_locked(struct ip_fw *rule, ipfw_dyn_rule *keep_me)
908 static uint32_t last_remove = 0; /* XXX */
910 #define FORCE (keep_me == NULL)
912 ipfw_dyn_rule *prev, *q;
913 int i, pass = 0, max_pass = 0, unlinked = 0;
915 if (ipfw_dyn_v == NULL || dyn_count == 0)
917 /* do not expire more than once per second, it is useless */
918 if (!FORCE && last_remove == time_second)
920 last_remove = time_second;
923 * because O_LIMIT refer to parent rules, during the first pass only
924 * remove child and mark any pending LIMIT_PARENT, and remove
925 * them in a second pass.
928 for (i = 0; i < curr_dyn_buckets; i++) {
929 for (prev = NULL, q = ipfw_dyn_v[i]; q;) {
931 * Logic can become complex here, so we split tests.
935 if (rule != NULL && rule->stub != q->stub)
936 goto next; /* not the one we are looking for */
937 if (q->dyn_type == O_LIMIT_PARENT) {
939 * handle parent in the second pass,
940 * record we need one.
945 if (FORCE && q->count != 0) {
946 /* XXX should not happen! */
947 kprintf("OUCH! cannot remove rule, "
948 "count %d\n", q->count);
951 if (!FORCE && !TIME_LEQ(q->expire, time_second))
955 UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
962 if (pass++ < max_pass)
972 * lookup a dynamic rule.
974 static ipfw_dyn_rule *
975 lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction,
979 * stateful ipfw extensions.
980 * Lookup into dynamic session queue
982 #define MATCH_REVERSE 0
983 #define MATCH_FORWARD 1
985 #define MATCH_UNKNOWN 3
986 int i, dir = MATCH_NONE;
987 ipfw_dyn_rule *prev, *q=NULL;
989 if (ipfw_dyn_v == NULL)
990 goto done; /* not found */
992 i = hash_packet(pkt);
993 for (prev = NULL, q = ipfw_dyn_v[i]; q != NULL;) {
994 if (q->dyn_type == O_LIMIT_PARENT)
997 if (TIME_LEQ(q->expire, time_second)) {
999 * Entry expired; skip.
1000 * Let ipfw_tick() take care of it
1005 if (pkt->proto == q->id.proto) {
1006 if (pkt->src_ip == q->id.src_ip &&
1007 pkt->dst_ip == q->id.dst_ip &&
1008 pkt->src_port == q->id.src_port &&
1009 pkt->dst_port == q->id.dst_port) {
1010 dir = MATCH_FORWARD;
1013 if (pkt->src_ip == q->id.dst_ip &&
1014 pkt->dst_ip == q->id.src_ip &&
1015 pkt->src_port == q->id.dst_port &&
1016 pkt->dst_port == q->id.src_port) {
1017 dir = MATCH_REVERSE;
1026 goto done; /* q = NULL, not found */
1028 if (pkt->proto == IPPROTO_TCP) { /* update state according to flags */
1029 u_char flags = pkt->flags & (TH_FIN|TH_SYN|TH_RST);
1031 #define BOTH_SYN (TH_SYN | (TH_SYN << 8))
1032 #define BOTH_FIN (TH_FIN | (TH_FIN << 8))
1034 q->state |= (dir == MATCH_FORWARD ) ? flags : (flags << 8);
1036 case TH_SYN: /* opening */
1037 q->expire = time_second + dyn_syn_lifetime;
1040 case BOTH_SYN: /* move to established */
1041 case BOTH_SYN | TH_FIN : /* one side tries to close */
1042 case BOTH_SYN | (TH_FIN << 8) :
1044 uint32_t ack = ntohl(tcp->th_ack);
1046 #define _SEQ_GE(a, b) ((int)(a) - (int)(b) >= 0)
1048 if (dir == MATCH_FORWARD) {
1049 if (q->ack_fwd == 0 ||
1050 _SEQ_GE(ack, q->ack_fwd))
1052 else /* ignore out-of-sequence */
1055 if (q->ack_rev == 0 ||
1056 _SEQ_GE(ack, q->ack_rev))
1058 else /* ignore out-of-sequence */
1063 q->expire = time_second + dyn_ack_lifetime;
1066 case BOTH_SYN | BOTH_FIN: /* both sides closed */
1067 KKASSERT(dyn_fin_lifetime < dyn_keepalive_period);
1068 q->expire = time_second + dyn_fin_lifetime;
1074 * reset or some invalid combination, but can also
1075 * occur if we use keep-state the wrong way.
1077 if ((q->state & ((TH_RST << 8) | TH_RST)) == 0)
1078 kprintf("invalid state: 0x%x\n", q->state);
1080 KKASSERT(dyn_rst_lifetime < dyn_keepalive_period);
1081 q->expire = time_second + dyn_rst_lifetime;
1084 } else if (pkt->proto == IPPROTO_UDP) {
1085 q->expire = time_second + dyn_udp_lifetime;
1087 /* other protocols */
1088 q->expire = time_second + dyn_short_lifetime;
1091 if (match_direction)
1092 *match_direction = dir;
1096 static struct ip_fw *
1097 lookup_rule(struct ipfw_flow_id *pkt, int *match_direction, struct tcphdr *tcp,
1098 uint16_t len, int *deny)
1100 struct ip_fw *rule = NULL;
1102 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
1106 gen = ctx->ipfw_gen;
1108 lockmgr(&dyn_lock, LK_SHARED);
1110 if (ctx->ipfw_gen != gen) {
1112 * Static rules had been change when we were waiting
1113 * for the dynamic hash table lock; deny this packet,
1114 * since it is _not_ known whether it is safe to keep
1115 * iterating the static rules.
1121 q = lookup_dyn_rule(pkt, match_direction, tcp);
1125 rule = q->stub->rule[mycpuid];
1126 KKASSERT(rule->stub == q->stub && rule->cpuid == mycpuid);
1133 lockmgr(&dyn_lock, LK_RELEASE);
1138 realloc_dynamic_table(void)
1140 ipfw_dyn_rule **old_dyn_v;
1141 uint32_t old_curr_dyn_buckets;
1143 KASSERT(dyn_buckets <= 65536 && (dyn_buckets & (dyn_buckets - 1)) == 0,
1144 ("invalid dyn_buckets %d\n", dyn_buckets));
1146 /* Save the current buckets array for later error recovery */
1147 old_dyn_v = ipfw_dyn_v;
1148 old_curr_dyn_buckets = curr_dyn_buckets;
1150 curr_dyn_buckets = dyn_buckets;
1152 ipfw_dyn_v = kmalloc(curr_dyn_buckets * sizeof(ipfw_dyn_rule *),
1153 M_IPFW, M_NOWAIT | M_ZERO);
1154 if (ipfw_dyn_v != NULL || curr_dyn_buckets <= 2)
1157 curr_dyn_buckets /= 2;
1158 if (curr_dyn_buckets <= old_curr_dyn_buckets &&
1159 old_dyn_v != NULL) {
1161 * Don't try allocating smaller buckets array, reuse
1162 * the old one, which alreay contains enough buckets
1168 if (ipfw_dyn_v != NULL) {
1169 if (old_dyn_v != NULL)
1170 kfree(old_dyn_v, M_IPFW);
1172 /* Allocation failed, restore old buckets array */
1173 ipfw_dyn_v = old_dyn_v;
1174 curr_dyn_buckets = old_curr_dyn_buckets;
1177 if (ipfw_dyn_v != NULL)
1182 * Install state of type 'type' for a dynamic session.
1183 * The hash table contains two type of rules:
1184 * - regular rules (O_KEEP_STATE)
1185 * - rules for sessions with limited number of sess per user
1186 * (O_LIMIT). When they are created, the parent is
1187 * increased by 1, and decreased on delete. In this case,
1188 * the third parameter is the parent rule and not the chain.
1189 * - "parent" rules for the above (O_LIMIT_PARENT).
1191 static ipfw_dyn_rule *
1192 add_dyn_rule(struct ipfw_flow_id *id, uint8_t dyn_type, struct ip_fw *rule)
1197 if (ipfw_dyn_v == NULL ||
1198 (dyn_count == 0 && dyn_buckets != curr_dyn_buckets)) {
1199 realloc_dynamic_table();
1200 if (ipfw_dyn_v == NULL)
1201 return NULL; /* failed ! */
1203 i = hash_packet(id);
1205 r = kmalloc(sizeof(*r), M_IPFW, M_NOWAIT | M_ZERO);
1207 kprintf ("sorry cannot allocate state\n");
1211 /* increase refcount on parent, and set pointer */
1212 if (dyn_type == O_LIMIT) {
1213 ipfw_dyn_rule *parent = (ipfw_dyn_rule *)rule;
1215 if (parent->dyn_type != O_LIMIT_PARENT)
1216 panic("invalid parent");
1219 rule = parent->stub->rule[mycpuid];
1220 KKASSERT(rule->stub == parent->stub);
1222 KKASSERT(rule->cpuid == mycpuid && rule->stub != NULL);
1225 r->expire = time_second + dyn_syn_lifetime;
1226 r->stub = rule->stub;
1227 r->dyn_type = dyn_type;
1228 r->pcnt = r->bcnt = 0;
1232 r->next = ipfw_dyn_v[i];
1236 DEB(kprintf("-- add dyn entry ty %d 0x%08x %d -> 0x%08x %d, total %d\n",
1238 (r->id.src_ip), (r->id.src_port),
1239 (r->id.dst_ip), (r->id.dst_port),
1245 * lookup dynamic parent rule using pkt and rule as search keys.
1246 * If the lookup fails, then install one.
1248 static ipfw_dyn_rule *
1249 lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule)
1255 i = hash_packet(pkt);
1256 for (q = ipfw_dyn_v[i]; q != NULL; q = q->next) {
1257 if (q->dyn_type == O_LIMIT_PARENT &&
1258 rule->stub == q->stub &&
1259 pkt->proto == q->id.proto &&
1260 pkt->src_ip == q->id.src_ip &&
1261 pkt->dst_ip == q->id.dst_ip &&
1262 pkt->src_port == q->id.src_port &&
1263 pkt->dst_port == q->id.dst_port) {
1264 q->expire = time_second + dyn_short_lifetime;
1265 DEB(kprintf("lookup_dyn_parent found 0x%p\n",q);)
1270 return add_dyn_rule(pkt, O_LIMIT_PARENT, rule);
1274 * Install dynamic state for rule type cmd->o.opcode
1276 * Returns 1 (failure) if state is not installed because of errors or because
1277 * session limitations are enforced.
1280 install_state_locked(struct ip_fw *rule, ipfw_insn_limit *cmd,
1281 struct ip_fw_args *args)
1283 static int last_log; /* XXX */
1287 DEB(kprintf("-- install state type %d 0x%08x %u -> 0x%08x %u\n",
1289 (args->f_id.src_ip), (args->f_id.src_port),
1290 (args->f_id.dst_ip), (args->f_id.dst_port) );)
1292 q = lookup_dyn_rule(&args->f_id, NULL, NULL);
1293 if (q != NULL) { /* should never occur */
1294 if (last_log != time_second) {
1295 last_log = time_second;
1296 kprintf(" install_state: entry already present, done\n");
1301 if (dyn_count >= dyn_max) {
1303 * Run out of slots, try to remove any expired rule.
1305 remove_dyn_rule_locked(NULL, (ipfw_dyn_rule *)1);
1306 if (dyn_count >= dyn_max) {
1307 if (last_log != time_second) {
1308 last_log = time_second;
1309 kprintf("install_state: "
1310 "Too many dynamic rules\n");
1312 return 1; /* cannot install, notify caller */
1316 switch (cmd->o.opcode) {
1317 case O_KEEP_STATE: /* bidir rule */
1318 if (add_dyn_rule(&args->f_id, O_KEEP_STATE, rule) == NULL)
1322 case O_LIMIT: /* limit number of sessions */
1324 uint16_t limit_mask = cmd->limit_mask;
1325 struct ipfw_flow_id id;
1326 ipfw_dyn_rule *parent;
1328 DEB(kprintf("installing dyn-limit rule %d\n",
1331 id.dst_ip = id.src_ip = 0;
1332 id.dst_port = id.src_port = 0;
1333 id.proto = args->f_id.proto;
1335 if (limit_mask & DYN_SRC_ADDR)
1336 id.src_ip = args->f_id.src_ip;
1337 if (limit_mask & DYN_DST_ADDR)
1338 id.dst_ip = args->f_id.dst_ip;
1339 if (limit_mask & DYN_SRC_PORT)
1340 id.src_port = args->f_id.src_port;
1341 if (limit_mask & DYN_DST_PORT)
1342 id.dst_port = args->f_id.dst_port;
1344 parent = lookup_dyn_parent(&id, rule);
1345 if (parent == NULL) {
1346 kprintf("add parent failed\n");
1350 if (parent->count >= cmd->conn_limit) {
1352 * See if we can remove some expired rule.
1354 remove_dyn_rule_locked(rule, parent);
1355 if (parent->count >= cmd->conn_limit) {
1357 last_log != time_second) {
1358 last_log = time_second;
1359 log(LOG_SECURITY | LOG_DEBUG,
1361 "too many entries\n");
1366 if (add_dyn_rule(&args->f_id, O_LIMIT,
1367 (struct ip_fw *)parent) == NULL)
1372 kprintf("unknown dynamic rule type %u\n", cmd->o.opcode);
1375 lookup_dyn_rule(&args->f_id, NULL, NULL); /* XXX just set lifetime */
1380 install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
1381 struct ip_fw_args *args, int *deny)
1383 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
1388 gen = ctx->ipfw_gen;
1390 lockmgr(&dyn_lock, LK_EXCLUSIVE);
1391 if (ctx->ipfw_gen != gen) {
1392 /* See the comment in lookup_rule() */
1395 ret = install_state_locked(rule, cmd, args);
1397 lockmgr(&dyn_lock, LK_RELEASE);
1403 * Transmit a TCP packet, containing either a RST or a keepalive.
1404 * When flags & TH_RST, we are sending a RST packet, because of a
1405 * "reset" action matched the packet.
1406 * Otherwise we are sending a keepalive, and flags & TH_
1409 send_pkt(struct ipfw_flow_id *id, uint32_t seq, uint32_t ack, int flags)
1414 struct route sro; /* fake route */
1416 MGETHDR(m, MB_DONTWAIT, MT_HEADER);
1419 m->m_pkthdr.rcvif = NULL;
1420 m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr);
1421 m->m_data += max_linkhdr;
1423 ip = mtod(m, struct ip *);
1424 bzero(ip, m->m_len);
1425 tcp = (struct tcphdr *)(ip + 1); /* no IP options */
1426 ip->ip_p = IPPROTO_TCP;
1430 * Assume we are sending a RST (or a keepalive in the reverse
1431 * direction), swap src and destination addresses and ports.
1433 ip->ip_src.s_addr = htonl(id->dst_ip);
1434 ip->ip_dst.s_addr = htonl(id->src_ip);
1435 tcp->th_sport = htons(id->dst_port);
1436 tcp->th_dport = htons(id->src_port);
1437 if (flags & TH_RST) { /* we are sending a RST */
1438 if (flags & TH_ACK) {
1439 tcp->th_seq = htonl(ack);
1440 tcp->th_ack = htonl(0);
1441 tcp->th_flags = TH_RST;
1445 tcp->th_seq = htonl(0);
1446 tcp->th_ack = htonl(seq);
1447 tcp->th_flags = TH_RST | TH_ACK;
1451 * We are sending a keepalive. flags & TH_SYN determines
1452 * the direction, forward if set, reverse if clear.
1453 * NOTE: seq and ack are always assumed to be correct
1454 * as set by the caller. This may be confusing...
1456 if (flags & TH_SYN) {
1458 * we have to rewrite the correct addresses!
1460 ip->ip_dst.s_addr = htonl(id->dst_ip);
1461 ip->ip_src.s_addr = htonl(id->src_ip);
1462 tcp->th_dport = htons(id->dst_port);
1463 tcp->th_sport = htons(id->src_port);
1465 tcp->th_seq = htonl(seq);
1466 tcp->th_ack = htonl(ack);
1467 tcp->th_flags = TH_ACK;
1471 * set ip_len to the payload size so we can compute
1472 * the tcp checksum on the pseudoheader
1473 * XXX check this, could save a couple of words ?
1475 ip->ip_len = htons(sizeof(struct tcphdr));
1476 tcp->th_sum = in_cksum(m, m->m_pkthdr.len);
1479 * now fill fields left out earlier
1481 ip->ip_ttl = ip_defttl;
1482 ip->ip_len = m->m_pkthdr.len;
1484 bzero(&sro, sizeof(sro));
1485 ip_rtaddr(ip->ip_dst, &sro);
1487 m->m_pkthdr.fw_flags |= IPFW_MBUF_GENERATED;
1488 ip_output(m, NULL, &sro, 0, NULL, NULL);
1494 * sends a reject message, consuming the mbuf passed as an argument.
1497 send_reject(struct ip_fw_args *args, int code, int offset, int ip_len)
1499 if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */
1500 /* We need the IP header in host order for icmp_error(). */
1501 if (args->eh != NULL) {
1502 struct ip *ip = mtod(args->m, struct ip *);
1504 ip->ip_len = ntohs(ip->ip_len);
1505 ip->ip_off = ntohs(ip->ip_off);
1507 icmp_error(args->m, ICMP_UNREACH, code, 0L, 0);
1508 } else if (offset == 0 && args->f_id.proto == IPPROTO_TCP) {
1509 struct tcphdr *const tcp =
1510 L3HDR(struct tcphdr, mtod(args->m, struct ip *));
1512 if ((tcp->th_flags & TH_RST) == 0) {
1513 send_pkt(&args->f_id, ntohl(tcp->th_seq),
1514 ntohl(tcp->th_ack), tcp->th_flags | TH_RST);
1525 * Given an ip_fw *, lookup_next_rule will return a pointer
1526 * to the next rule, which can be either the jump
1527 * target (for skipto instructions) or the next one in the list (in
1528 * all other cases including a missing jump target).
1529 * The result is also written in the "next_rule" field of the rule.
1530 * Backward jumps are not allowed, so start looking from the next
1533 * This never returns NULL -- in case we do not have an exact match,
1534 * the next rule is returned. When the ruleset is changed,
1535 * pointers are flushed so we are always correct.
1538 static struct ip_fw *
1539 lookup_next_rule(struct ip_fw *me)
1541 struct ip_fw *rule = NULL;
1544 /* look for action, in case it is a skipto */
1545 cmd = ACTION_PTR(me);
1546 if (cmd->opcode == O_LOG)
1548 if (cmd->opcode == O_SKIPTO) {
1549 for (rule = me->next; rule; rule = rule->next) {
1550 if (rule->rulenum >= cmd->arg1)
1554 if (rule == NULL) /* failure or not a skipto */
1556 me->next_rule = rule;
1561 * The main check routine for the firewall.
1563 * All arguments are in args so we can modify them and return them
1564 * back to the caller.
1568 * args->m (in/out) The packet; we set to NULL when/if we nuke it.
1569 * Starts with the IP header.
1570 * args->eh (in) Mac header if present, or NULL for layer3 packet.
1571 * args->oif Outgoing interface, or NULL if packet is incoming.
1572 * The incoming interface is in the mbuf. (in)
1574 * args->rule Pointer to the last matching rule (in/out)
1575 * args->next_hop Socket we are forwarding to (out).
1576 * args->f_id Addresses grabbed from the packet (out)
1580 * IP_FW_PORT_DENY_FLAG the packet must be dropped.
1581 * 0 The packet is to be accepted and routed normally OR
1582 * the packet was denied/rejected and has been dropped;
1583 * in the latter case, *m is equal to NULL upon return.
1584 * port Divert the packet to port, with these caveats:
1586 * - If IP_FW_PORT_TEE_FLAG is set, tee the packet instead
1587 * of diverting it (ie, 'ipfw tee').
1589 * - If IP_FW_PORT_DYNT_FLAG is set, interpret the lower
1590 * 16 bits as a dummynet pipe number instead of diverting
1594 ipfw_chk(struct ip_fw_args *args)
1597 * Local variables hold state during the processing of a packet.
1599 * IMPORTANT NOTE: to speed up the processing of rules, there
1600 * are some assumption on the values of the variables, which
1601 * are documented here. Should you change them, please check
1602 * the implementation of the various instructions to make sure
1603 * that they still work.
1605 * args->eh The MAC header. It is non-null for a layer2
1606 * packet, it is NULL for a layer-3 packet.
1608 * m | args->m Pointer to the mbuf, as received from the caller.
1609 * It may change if ipfw_chk() does an m_pullup, or if it
1610 * consumes the packet because it calls send_reject().
1611 * XXX This has to change, so that ipfw_chk() never modifies
1612 * or consumes the buffer.
1613 * ip is simply an alias of the value of m, and it is kept
1614 * in sync with it (the packet is supposed to start with
1617 struct mbuf *m = args->m;
1618 struct ip *ip = mtod(m, struct ip *);
1621 * oif | args->oif If NULL, ipfw_chk has been called on the
1622 * inbound path (ether_input, ip_input).
1623 * If non-NULL, ipfw_chk has been called on the outbound path
1624 * (ether_output, ip_output).
1626 struct ifnet *oif = args->oif;
1628 struct ip_fw *f = NULL; /* matching rule */
1633 * hlen The length of the IPv4 header.
1634 * hlen >0 means we have an IPv4 packet.
1636 u_int hlen = 0; /* hlen >0 means we have an IP pkt */
1639 * offset The offset of a fragment. offset != 0 means that
1640 * we have a fragment at this offset of an IPv4 packet.
1641 * offset == 0 means that (if this is an IPv4 packet)
1642 * this is the first or only fragment.
1647 * Local copies of addresses. They are only valid if we have
1650 * proto The protocol. Set to 0 for non-ip packets,
1651 * or to the protocol read from the packet otherwise.
1652 * proto != 0 means that we have an IPv4 packet.
1654 * src_port, dst_port port numbers, in HOST format. Only
1655 * valid for TCP and UDP packets.
1657 * src_ip, dst_ip ip addresses, in NETWORK format.
1658 * Only valid for IPv4 packets.
1661 uint16_t src_port = 0, dst_port = 0; /* NOTE: host format */
1662 struct in_addr src_ip, dst_ip; /* NOTE: network format */
1663 uint16_t ip_len = 0;
1666 * dyn_dir = MATCH_UNKNOWN when rules unchecked,
1667 * MATCH_NONE when checked and not matched (dyn_f = NULL),
1668 * MATCH_FORWARD or MATCH_REVERSE otherwise (dyn_f != NULL)
1670 int dyn_dir = MATCH_UNKNOWN;
1671 struct ip_fw *dyn_f = NULL;
1672 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
1674 if (m->m_pkthdr.fw_flags & IPFW_MBUF_GENERATED)
1675 return 0; /* accept */
1677 if (args->eh == NULL || /* layer 3 packet */
1678 (m->m_pkthdr.len >= sizeof(struct ip) &&
1679 ntohs(args->eh->ether_type) == ETHERTYPE_IP))
1680 hlen = ip->ip_hl << 2;
1683 * Collect parameters into local variables for faster matching.
1685 if (hlen == 0) { /* do not grab addresses for non-ip pkts */
1686 proto = args->f_id.proto = 0; /* mark f_id invalid */
1687 goto after_ip_checks;
1690 proto = args->f_id.proto = ip->ip_p;
1691 src_ip = ip->ip_src;
1692 dst_ip = ip->ip_dst;
1693 if (args->eh != NULL) { /* layer 2 packets are as on the wire */
1694 offset = ntohs(ip->ip_off) & IP_OFFMASK;
1695 ip_len = ntohs(ip->ip_len);
1697 offset = ip->ip_off & IP_OFFMASK;
1698 ip_len = ip->ip_len;
1701 #define PULLUP_TO(len) \
1703 if (m->m_len < (len)) { \
1704 args->m = m = m_pullup(m, (len));\
1706 goto pullup_failed; \
1707 ip = mtod(m, struct ip *); \
1717 PULLUP_TO(hlen + sizeof(struct tcphdr));
1718 tcp = L3HDR(struct tcphdr, ip);
1719 dst_port = tcp->th_dport;
1720 src_port = tcp->th_sport;
1721 args->f_id.flags = tcp->th_flags;
1729 PULLUP_TO(hlen + sizeof(struct udphdr));
1730 udp = L3HDR(struct udphdr, ip);
1731 dst_port = udp->uh_dport;
1732 src_port = udp->uh_sport;
1737 PULLUP_TO(hlen + 4); /* type, code and checksum. */
1738 args->f_id.flags = L3HDR(struct icmp, ip)->icmp_type;
1748 args->f_id.src_ip = ntohl(src_ip.s_addr);
1749 args->f_id.dst_ip = ntohl(dst_ip.s_addr);
1750 args->f_id.src_port = src_port = ntohs(src_port);
1751 args->f_id.dst_port = dst_port = ntohs(dst_port);
1756 * Packet has already been tagged. Look for the next rule
1757 * to restart processing.
1759 * If fw_one_pass != 0 then just accept it.
1760 * XXX should not happen here, but optimized out in
1766 /* This rule is being/has been flushed */
1768 return IP_FW_PORT_DENY_FLAG;
1770 KASSERT(args->rule->cpuid == mycpuid,
1771 ("rule used on cpu%d\n", mycpuid));
1773 /* This rule was deleted */
1774 if (args->rule->rule_flags & IPFW_RULE_F_INVALID)
1775 return IP_FW_PORT_DENY_FLAG;
1777 f = args->rule->next_rule;
1779 f = lookup_next_rule(args->rule);
1782 * Find the starting rule. It can be either the first
1783 * one, or the one after divert_rule if asked so.
1787 mtag = m_tag_find(m, PACKET_TAG_IPFW_DIVERT, NULL);
1789 skipto = *(uint16_t *)m_tag_data(mtag);
1793 f = ctx->ipfw_layer3_chain;
1794 if (args->eh == NULL && skipto != 0) {
1795 /* No skipto during rule flushing */
1797 return IP_FW_PORT_DENY_FLAG;
1799 if (skipto >= IPFW_DEFAULT_RULE)
1800 return(IP_FW_PORT_DENY_FLAG); /* invalid */
1802 while (f && f->rulenum <= skipto)
1804 if (f == NULL) /* drop packet */
1805 return(IP_FW_PORT_DENY_FLAG);
1806 } else if (ipfw_flushing) {
1807 /* Rules are being flushed; skip to default rule */
1808 f = ctx->ipfw_default_rule;
1811 if ((mtag = m_tag_find(m, PACKET_TAG_IPFW_DIVERT, NULL)) != NULL)
1812 m_tag_delete(m, mtag);
1815 * Now scan the rules, and parse microinstructions for each rule.
1817 for (; f; f = f->next) {
1820 int skip_or; /* skip rest of OR block */
1823 if (ctx->ipfw_set_disable & (1 << f->set))
1827 for (l = f->cmd_len, cmd = f->cmd; l > 0;
1828 l -= cmdlen, cmd += cmdlen) {
1832 * check_body is a jump target used when we find a
1833 * CHECK_STATE, and need to jump to the body of
1838 cmdlen = F_LEN(cmd);
1840 * An OR block (insn_1 || .. || insn_n) has the
1841 * F_OR bit set in all but the last instruction.
1842 * The first match will set "skip_or", and cause
1843 * the following instructions to be skipped until
1844 * past the one with the F_OR bit clear.
1846 if (skip_or) { /* skip this instruction */
1847 if ((cmd->len & F_OR) == 0)
1848 skip_or = 0; /* next one is good */
1851 match = 0; /* set to 1 if we succeed */
1853 switch (cmd->opcode) {
1855 * The first set of opcodes compares the packet's
1856 * fields with some pattern, setting 'match' if a
1857 * match is found. At the end of the loop there is
1858 * logic to deal with F_NOT and F_OR flags associated
1866 kprintf("ipfw: opcode %d unimplemented\n",
1873 * We only check offset == 0 && proto != 0,
1874 * as this ensures that we have an IPv4
1875 * packet with the ports info.
1880 struct inpcbinfo *pi;
1884 if (proto == IPPROTO_TCP) {
1886 pi = &tcbinfo[mycpu->gd_cpuid];
1887 } else if (proto == IPPROTO_UDP) {
1894 in_pcblookup_hash(pi,
1895 dst_ip, htons(dst_port),
1896 src_ip, htons(src_port),
1898 in_pcblookup_hash(pi,
1899 src_ip, htons(src_port),
1900 dst_ip, htons(dst_port),
1903 if (pcb == NULL || pcb->inp_socket == NULL)
1906 if (cmd->opcode == O_UID) {
1907 #define socheckuid(a,b) ((a)->so_cred->cr_uid != (b))
1909 !socheckuid(pcb->inp_socket,
1910 (uid_t)((ipfw_insn_u32 *)cmd)->d[0]);
1913 match = groupmember(
1914 (uid_t)((ipfw_insn_u32 *)cmd)->d[0],
1915 pcb->inp_socket->so_cred);
1921 match = iface_match(m->m_pkthdr.rcvif,
1922 (ipfw_insn_if *)cmd);
1926 match = iface_match(oif, (ipfw_insn_if *)cmd);
1930 match = iface_match(oif ? oif :
1931 m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd);
1935 if (args->eh != NULL) { /* have MAC header */
1936 uint32_t *want = (uint32_t *)
1937 ((ipfw_insn_mac *)cmd)->addr;
1938 uint32_t *mask = (uint32_t *)
1939 ((ipfw_insn_mac *)cmd)->mask;
1940 uint32_t *hdr = (uint32_t *)args->eh;
1943 (want[0] == (hdr[0] & mask[0]) &&
1944 want[1] == (hdr[1] & mask[1]) &&
1945 want[2] == (hdr[2] & mask[2]));
1950 if (args->eh != NULL) {
1952 ntohs(args->eh->ether_type);
1954 ((ipfw_insn_u16 *)cmd)->ports;
1957 /* Special vlan handling */
1958 if (m->m_flags & M_VLANTAG)
1961 for (i = cmdlen - 1; !match && i > 0;
1964 (t >= p[0] && t <= p[1]);
1970 match = (hlen > 0 && offset != 0);
1973 case O_IN: /* "out" is "not in" */
1974 match = (oif == NULL);
1978 match = (args->eh != NULL);
1983 * We do not allow an arg of 0 so the
1984 * check of "proto" only suffices.
1986 match = (proto == cmd->arg1);
1990 match = (hlen > 0 &&
1991 ((ipfw_insn_ip *)cmd)->addr.s_addr ==
1996 match = (hlen > 0 &&
1997 ((ipfw_insn_ip *)cmd)->addr.s_addr ==
1999 ((ipfw_insn_ip *)cmd)->mask.s_addr));
2006 tif = INADDR_TO_IFP(&src_ip);
2007 match = (tif != NULL);
2014 uint32_t *d = (uint32_t *)(cmd + 1);
2016 cmd->opcode == O_IP_DST_SET ?
2022 addr -= d[0]; /* subtract base */
2024 (addr < cmd->arg1) &&
2025 (d[1 + (addr >> 5)] &
2026 (1 << (addr & 0x1f)));
2031 match = (hlen > 0 &&
2032 ((ipfw_insn_ip *)cmd)->addr.s_addr ==
2037 match = (hlen > 0) &&
2038 (((ipfw_insn_ip *)cmd)->addr.s_addr ==
2040 ((ipfw_insn_ip *)cmd)->mask.s_addr));
2047 tif = INADDR_TO_IFP(&dst_ip);
2048 match = (tif != NULL);
2055 * offset == 0 && proto != 0 is enough
2056 * to guarantee that we have an IPv4
2057 * packet with port info.
2059 if ((proto==IPPROTO_UDP || proto==IPPROTO_TCP)
2062 (cmd->opcode == O_IP_SRCPORT) ?
2063 src_port : dst_port ;
2065 ((ipfw_insn_u16 *)cmd)->ports;
2068 for (i = cmdlen - 1; !match && i > 0;
2071 (x >= p[0] && x <= p[1]);
2077 match = (offset == 0 && proto==IPPROTO_ICMP &&
2078 icmptype_match(ip, (ipfw_insn_u32 *)cmd));
2082 match = (hlen > 0 && ipopts_match(ip, cmd));
2086 match = (hlen > 0 && cmd->arg1 == ip->ip_v);
2090 match = (hlen > 0 && cmd->arg1 == ip->ip_ttl);
2094 match = (hlen > 0 &&
2095 cmd->arg1 == ntohs(ip->ip_id));
2099 match = (hlen > 0 && cmd->arg1 == ip_len);
2102 case O_IPPRECEDENCE:
2103 match = (hlen > 0 &&
2104 (cmd->arg1 == (ip->ip_tos & 0xe0)));
2108 match = (hlen > 0 &&
2109 flags_match(cmd, ip->ip_tos));
2113 match = (proto == IPPROTO_TCP && offset == 0 &&
2115 L3HDR(struct tcphdr,ip)->th_flags));
2119 match = (proto == IPPROTO_TCP && offset == 0 &&
2120 tcpopts_match(ip, cmd));
2124 match = (proto == IPPROTO_TCP && offset == 0 &&
2125 ((ipfw_insn_u32 *)cmd)->d[0] ==
2126 L3HDR(struct tcphdr,ip)->th_seq);
2130 match = (proto == IPPROTO_TCP && offset == 0 &&
2131 ((ipfw_insn_u32 *)cmd)->d[0] ==
2132 L3HDR(struct tcphdr,ip)->th_ack);
2136 match = (proto == IPPROTO_TCP && offset == 0 &&
2138 L3HDR(struct tcphdr,ip)->th_win);
2142 /* reject packets which have SYN only */
2143 /* XXX should i also check for TH_ACK ? */
2144 match = (proto == IPPROTO_TCP && offset == 0 &&
2145 (L3HDR(struct tcphdr,ip)->th_flags &
2146 (TH_RST | TH_ACK | TH_SYN)) != TH_SYN);
2151 ipfw_log(f, hlen, args->eh, m, oif);
2156 match = (krandom() <
2157 ((ipfw_insn_u32 *)cmd)->d[0]);
2161 * The second set of opcodes represents 'actions',
2162 * i.e. the terminal part of a rule once the packet
2163 * matches all previous patterns.
2164 * Typically there is only one action for each rule,
2165 * and the opcode is stored at the end of the rule
2166 * (but there are exceptions -- see below).
2168 * In general, here we set retval and terminate the
2169 * outer loop (would be a 'break 3' in some language,
2170 * but we need to do a 'goto done').
2173 * O_COUNT and O_SKIPTO actions:
2174 * instead of terminating, we jump to the next rule
2175 * ('goto next_rule', equivalent to a 'break 2'),
2176 * or to the SKIPTO target ('goto again' after
2177 * having set f, cmd and l), respectively.
2179 * O_LIMIT and O_KEEP_STATE: these opcodes are
2180 * not real 'actions', and are stored right
2181 * before the 'action' part of the rule.
2182 * These opcodes try to install an entry in the
2183 * state tables; if successful, we continue with
2184 * the next opcode (match=1; break;), otherwise
2185 * the packet must be dropped ('goto done' after
2186 * setting retval). If static rules are changed
2187 * during the state installation, the packet will
2188 * be dropped ('return IP_FW_PORT_DENY_FLAG').
2190 * O_PROBE_STATE and O_CHECK_STATE: these opcodes
2191 * cause a lookup of the state table, and a jump
2192 * to the 'action' part of the parent rule
2193 * ('goto check_body') if an entry is found, or
2194 * (CHECK_STATE only) a jump to the next rule if
2195 * the entry is not found ('goto next_rule').
2196 * The result of the lookup is cached to make
2197 * further instances of these opcodes are
2198 * effectively NOPs. If static rules are changed
2199 * during the state looking up, the packet will
2200 * be dropped ('return IP_FW_PORT_DENY_FLAG').
2204 if (!(f->rule_flags & IPFW_RULE_F_STATE)) {
2205 kprintf("%s rule (%d) is not ready "
2207 cmd->opcode == O_LIMIT ?
2208 "limit" : "keep state",
2209 f->rulenum, f->cpuid);
2212 if (install_state(f,
2213 (ipfw_insn_limit *)cmd, args, &deny)) {
2215 return IP_FW_PORT_DENY_FLAG;
2217 retval = IP_FW_PORT_DENY_FLAG;
2218 goto done; /* error/limit violation */
2221 return IP_FW_PORT_DENY_FLAG;
2228 * dynamic rules are checked at the first
2229 * keep-state or check-state occurrence,
2230 * with the result being stored in dyn_dir.
2231 * The compiler introduces a PROBE_STATE
2232 * instruction for us when we have a
2233 * KEEP_STATE (because PROBE_STATE needs
2236 if (dyn_dir == MATCH_UNKNOWN) {
2237 dyn_f = lookup_rule(&args->f_id,
2239 proto == IPPROTO_TCP ?
2240 L3HDR(struct tcphdr, ip) : NULL,
2243 return IP_FW_PORT_DENY_FLAG;
2244 if (dyn_f != NULL) {
2246 * Found a rule from a dynamic
2247 * entry; jump to the 'action'
2251 cmd = ACTION_PTR(f);
2252 l = f->cmd_len - f->act_ofs;
2257 * Dynamic entry not found. If CHECK_STATE,
2258 * skip to next rule, if PROBE_STATE just
2259 * ignore and continue with next opcode.
2261 if (cmd->opcode == O_CHECK_STATE)
2263 else if (!(f->rule_flags & IPFW_RULE_F_STATE))
2264 goto next_rule; /* not ready yet */
2269 retval = 0; /* accept */
2274 args->rule = f; /* report matching rule */
2275 retval = cmd->arg1 | IP_FW_PORT_DYNT_FLAG;
2280 if (args->eh) /* not on layer 2 */
2283 mtag = m_tag_get(PACKET_TAG_IPFW_DIVERT,
2284 sizeof(uint16_t), MB_DONTWAIT);
2286 retval = IP_FW_PORT_DENY_FLAG;
2289 *(uint16_t *)m_tag_data(mtag) = f->rulenum;
2290 m_tag_prepend(m, mtag);
2291 retval = (cmd->opcode == O_DIVERT) ?
2293 cmd->arg1 | IP_FW_PORT_TEE_FLAG;
2298 f->pcnt++; /* update stats */
2300 f->timestamp = time_second;
2301 if (cmd->opcode == O_COUNT)
2304 if (f->next_rule == NULL)
2305 lookup_next_rule(f);
2311 * Drop the packet and send a reject notice
2312 * if the packet is not ICMP (or is an ICMP
2313 * query), and it is not multicast/broadcast.
2316 (proto != IPPROTO_ICMP ||
2317 is_icmp_query(ip)) &&
2318 !(m->m_flags & (M_BCAST|M_MCAST)) &&
2319 !IN_MULTICAST(ntohl(dst_ip.s_addr))) {
2321 * Update statistics before the possible
2322 * blocking 'send_reject'
2326 f->timestamp = time_second;
2328 send_reject(args, cmd->arg1,
2333 * Return directly here, rule stats
2334 * have been updated above.
2336 return IP_FW_PORT_DENY_FLAG;
2340 retval = IP_FW_PORT_DENY_FLAG;
2344 if (args->eh) /* not valid on layer2 pkts */
2346 if (!dyn_f || dyn_dir == MATCH_FORWARD) {
2348 &((ipfw_insn_sa *)cmd)->sa;
2354 panic("-- unknown opcode %d\n", cmd->opcode);
2355 } /* end of switch() on opcodes */
2357 if (cmd->len & F_NOT)
2361 if (cmd->len & F_OR)
2364 if (!(cmd->len & F_OR)) /* not an OR block, */
2365 break; /* try next rule */
2368 } /* end of inner for, scan opcodes */
2370 next_rule:; /* try next rule */
2372 } /* end of outer for, scan rules */
2373 kprintf("+++ ipfw: ouch!, skip past end of rules, denying packet\n");
2374 return(IP_FW_PORT_DENY_FLAG);
2377 /* Update statistics */
2380 f->timestamp = time_second;
2385 kprintf("pullup failed\n");
2386 return(IP_FW_PORT_DENY_FLAG);
2390 ipfw_dummynet_io(struct mbuf *m, int pipe_nr, int dir, struct ip_fw_args *fwa)
2395 const struct ipfw_flow_id *id;
2396 struct dn_flow_id *fid;
2400 mtag = m_tag_get(PACKET_TAG_DUMMYNET, sizeof(*pkt), MB_DONTWAIT);
2405 m_tag_prepend(m, mtag);
2407 pkt = m_tag_data(mtag);
2408 bzero(pkt, sizeof(*pkt));
2410 cmd = fwa->rule->cmd + fwa->rule->act_ofs;
2411 if (cmd->opcode == O_LOG)
2413 KASSERT(cmd->opcode == O_PIPE || cmd->opcode == O_QUEUE,
2414 ("Rule is not PIPE or QUEUE, opcode %d\n", cmd->opcode));
2417 pkt->dn_flags = (dir & DN_FLAGS_DIR_MASK);
2418 pkt->ifp = fwa->oif;
2419 pkt->cpuid = mycpu->gd_cpuid;
2420 pkt->pipe_nr = pipe_nr;
2424 fid->fid_dst_ip = id->dst_ip;
2425 fid->fid_src_ip = id->src_ip;
2426 fid->fid_dst_port = id->dst_port;
2427 fid->fid_src_port = id->src_port;
2428 fid->fid_proto = id->proto;
2429 fid->fid_flags = id->flags;
2431 ipfw_ref_rule(fwa->rule);
2432 pkt->dn_priv = fwa->rule;
2433 pkt->dn_unref_priv = ipfw_unref_rule;
2435 if (cmd->opcode == O_PIPE)
2436 pkt->dn_flags |= DN_FLAGS_IS_PIPE;
2438 if (dir == DN_TO_IP_OUT) {
2440 * We need to copy *ro because for ICMP pkts (and maybe
2441 * others) the caller passed a pointer into the stack;
2442 * dst might also be a pointer into *ro so it needs to
2445 pkt->ro = *(fwa->ro);
2447 fwa->ro->ro_rt->rt_refcnt++;
2448 if (fwa->dst == (struct sockaddr_in *)&fwa->ro->ro_dst) {
2449 /* 'dst' points into 'ro' */
2450 fwa->dst = (struct sockaddr_in *)&(pkt->ro.ro_dst);
2452 pkt->dn_dst = fwa->dst;
2453 pkt->flags = fwa->flags;
2456 m->m_pkthdr.fw_flags |= DUMMYNET_MBUF_TAGGED;
2461 * When a rule is added/deleted, clear the next_rule pointers in all rules.
2462 * These will be reconstructed on the fly as packets are matched.
2463 * Must be called at splimp().
2466 ipfw_flush_rule_ptrs(struct ipfw_context *ctx)
2470 for (rule = ctx->ipfw_layer3_chain; rule; rule = rule->next)
2471 rule->next_rule = NULL;
2474 static __inline void
2475 ipfw_inc_static_count(struct ip_fw *rule)
2477 KKASSERT(mycpuid == 0);
2480 static_ioc_len += IOC_RULESIZE(rule);
2483 static __inline void
2484 ipfw_dec_static_count(struct ip_fw *rule)
2486 int l = IOC_RULESIZE(rule);
2488 KKASSERT(mycpuid == 0);
2490 KASSERT(static_count > 0, ("invalid static count %u\n", static_count));
2493 KASSERT(static_ioc_len >= l,
2494 ("invalid static len %u\n", static_ioc_len));
2495 static_ioc_len -= l;
2499 ipfw_link_sibling(struct netmsg_ipfw *fwmsg, struct ip_fw *rule)
2501 if (fwmsg->sibling != NULL) {
2502 KKASSERT(mycpuid > 0 && fwmsg->sibling->cpuid == mycpuid - 1);
2503 fwmsg->sibling->sibling = rule;
2505 fwmsg->sibling = rule;
2508 static struct ip_fw *
2509 ipfw_create_rule(const struct ipfw_ioc_rule *ioc_rule, struct ip_fw_stub *stub)
2513 rule = kmalloc(RULESIZE(ioc_rule), M_IPFW, M_WAITOK | M_ZERO);
2515 rule->act_ofs = ioc_rule->act_ofs;
2516 rule->cmd_len = ioc_rule->cmd_len;
2517 rule->rulenum = ioc_rule->rulenum;
2518 rule->set = ioc_rule->set;
2519 rule->usr_flags = ioc_rule->usr_flags;
2521 bcopy(ioc_rule->cmd, rule->cmd, rule->cmd_len * 4 /* XXX */);
2524 rule->cpuid = mycpuid;
2528 stub->rule[mycpuid] = rule;
2534 ipfw_add_rule_dispatch(struct netmsg *nmsg)
2536 struct netmsg_ipfw *fwmsg = (struct netmsg_ipfw *)nmsg;
2537 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
2540 rule = ipfw_create_rule(fwmsg->ioc_rule, fwmsg->stub);
2543 * Bump generation after ipfw_create_rule(),
2544 * since this function is blocking
2549 * Insert rule into the pre-determined position
2551 if (fwmsg->prev_rule != NULL) {
2552 struct ip_fw *prev, *next;
2554 prev = fwmsg->prev_rule;
2555 KKASSERT(prev->cpuid == mycpuid);
2557 next = fwmsg->next_rule;
2558 KKASSERT(next->cpuid == mycpuid);
2564 * Move to the position on the next CPU
2565 * before the msg is forwarded.
2567 fwmsg->prev_rule = prev->sibling;
2568 fwmsg->next_rule = next->sibling;
2570 KKASSERT(fwmsg->next_rule == NULL);
2571 rule->next = ctx->ipfw_layer3_chain;
2572 ctx->ipfw_layer3_chain = rule;
2575 /* Link rule CPU sibling */
2576 ipfw_link_sibling(fwmsg, rule);
2578 ipfw_flush_rule_ptrs(ctx);
2581 /* Statistics only need to be updated once */
2582 ipfw_inc_static_count(rule);
2584 /* Return the rule on CPU0 */
2585 nmsg->nm_lmsg.u.ms_resultp = rule;
2588 ifnet_forwardmsg(&nmsg->nm_lmsg, mycpuid + 1);
2592 ipfw_enable_state_dispatch(struct netmsg *nmsg)
2594 struct lwkt_msg *lmsg = &nmsg->nm_lmsg;
2595 struct ip_fw *rule = lmsg->u.ms_resultp;
2597 KKASSERT(rule->cpuid == mycpuid);
2598 KKASSERT(rule->stub != NULL && rule->stub->rule[mycpuid] == rule);
2599 KKASSERT(!(rule->rule_flags & IPFW_RULE_F_STATE));
2600 rule->rule_flags |= IPFW_RULE_F_STATE;
2601 lmsg->u.ms_resultp = rule->sibling;
2603 ifnet_forwardmsg(lmsg, mycpuid + 1);
2607 * Add a new rule to the list. Copy the rule into a malloc'ed area,
2608 * then possibly create a rule number and add the rule to the list.
2609 * Update the rule_number in the input struct so the caller knows
2613 ipfw_add_rule(struct ipfw_ioc_rule *ioc_rule, uint32_t rule_flags)
2615 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
2616 struct netmsg_ipfw fwmsg;
2617 struct netmsg *nmsg;
2618 struct ip_fw *f, *prev, *rule;
2619 struct ip_fw_stub *stub;
2621 IPFW_ASSERT_CFGPORT(&curthread->td_msgport);
2626 * If rulenum is 0, find highest numbered rule before the
2627 * default rule, and add rule number incremental step.
2629 if (ioc_rule->rulenum == 0) {
2630 int step = autoinc_step;
2632 KKASSERT(step >= IPFW_AUTOINC_STEP_MIN &&
2633 step <= IPFW_AUTOINC_STEP_MAX);
2636 * Locate the highest numbered rule before default
2638 for (f = ctx->ipfw_layer3_chain; f; f = f->next) {
2639 if (f->rulenum == IPFW_DEFAULT_RULE)
2641 ioc_rule->rulenum = f->rulenum;
2643 if (ioc_rule->rulenum < IPFW_DEFAULT_RULE - step)
2644 ioc_rule->rulenum += step;
2646 KASSERT(ioc_rule->rulenum != IPFW_DEFAULT_RULE &&
2647 ioc_rule->rulenum != 0,
2648 ("invalid rule num %d\n", ioc_rule->rulenum));
2651 * Now find the right place for the new rule in the sorted list.
2653 for (prev = NULL, f = ctx->ipfw_layer3_chain; f;
2654 prev = f, f = f->next) {
2655 if (f->rulenum > ioc_rule->rulenum) {
2656 /* Found the location */
2660 KASSERT(f != NULL, ("no default rule?!\n"));
2662 if (rule_flags & IPFW_RULE_F_STATE) {
2666 * If the new rule will create states, then allocate
2667 * a rule stub, which will be referenced by states
2670 size = sizeof(*stub) + ((ncpus - 1) * sizeof(struct ip_fw *));
2671 stub = kmalloc(size, M_IPFW, M_WAITOK | M_ZERO);
2677 * Duplicate the rule onto each CPU.
2678 * The rule duplicated on CPU0 will be returned.
2680 bzero(&fwmsg, sizeof(fwmsg));
2682 netmsg_init(nmsg, &curthread->td_msgport, 0, ipfw_add_rule_dispatch);
2683 fwmsg.ioc_rule = ioc_rule;
2684 fwmsg.prev_rule = prev;
2685 fwmsg.next_rule = prev == NULL ? NULL : f;
2688 ifnet_domsg(&nmsg->nm_lmsg, 0);
2689 KKASSERT(fwmsg.prev_rule == NULL && fwmsg.next_rule == NULL);
2691 rule = nmsg->nm_lmsg.u.ms_resultp;
2692 KKASSERT(rule != NULL && rule->cpuid == mycpuid);
2694 if (rule_flags & IPFW_RULE_F_STATE) {
2696 * Turn on state flag, _after_ everything on all
2697 * CPUs have been setup.
2699 bzero(nmsg, sizeof(*nmsg));
2700 netmsg_init(nmsg, &curthread->td_msgport, 0,
2701 ipfw_enable_state_dispatch);
2702 nmsg->nm_lmsg.u.ms_resultp = rule;
2704 ifnet_domsg(&nmsg->nm_lmsg, 0);
2705 KKASSERT(nmsg->nm_lmsg.u.ms_resultp == NULL);
2710 DEB(kprintf("++ installed rule %d, static count now %d\n",
2711 rule->rulenum, static_count);)
2715 * Free storage associated with a static rule (including derived
2717 * The caller is in charge of clearing rule pointers to avoid
2718 * dangling pointers.
2719 * @return a pointer to the next entry.
2720 * Arguments are not checked, so they better be correct.
2721 * Must be called at splimp().
2723 static struct ip_fw *
2724 ipfw_delete_rule(struct ipfw_context *ctx,
2725 struct ip_fw *prev, struct ip_fw *rule)
2728 struct ip_fw_stub *stub;
2732 /* STATE flag should have been cleared before we reach here */
2733 KKASSERT((rule->rule_flags & IPFW_RULE_F_STATE) == 0);
2738 ctx->ipfw_layer3_chain = n;
2742 /* Mark the rule as invalid */
2743 rule->rule_flags |= IPFW_RULE_F_INVALID;
2744 rule->next_rule = NULL;
2745 rule->sibling = NULL;
2748 /* Don't reset cpuid here; keep various assertion working */
2752 /* Statistics only need to be updated once */
2754 ipfw_dec_static_count(rule);
2756 /* Free 'stub' on the last CPU */
2757 if (stub != NULL && mycpuid == ncpus - 1)
2758 kfree(stub, M_IPFW);
2760 /* Try to free this rule */
2761 ipfw_free_rule(rule);
2763 /* Return the next rule */
2768 ipfw_flush_dispatch(struct netmsg *nmsg)
2770 struct lwkt_msg *lmsg = &nmsg->nm_lmsg;
2771 int kill_default = lmsg->u.ms_result;
2772 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
2775 ipfw_flush_rule_ptrs(ctx); /* more efficient to do outside the loop */
2777 while ((rule = ctx->ipfw_layer3_chain) != NULL &&
2778 (kill_default || rule->rulenum != IPFW_DEFAULT_RULE))
2779 ipfw_delete_rule(ctx, NULL, rule);
2781 ifnet_forwardmsg(lmsg, mycpuid + 1);
2785 ipfw_disable_rule_state_dispatch(struct netmsg *nmsg)
2787 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg;
2790 rule = dmsg->start_rule;
2792 KKASSERT(rule->cpuid == mycpuid);
2795 * Move to the position on the next CPU
2796 * before the msg is forwarded.
2798 dmsg->start_rule = rule->sibling;
2800 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
2802 KKASSERT(dmsg->rulenum == 0);
2803 rule = ctx->ipfw_layer3_chain;
2806 while (rule != NULL) {
2807 if (dmsg->rulenum && rule->rulenum != dmsg->rulenum)
2809 rule->rule_flags &= ~IPFW_RULE_F_STATE;
2813 ifnet_forwardmsg(&nmsg->nm_lmsg, mycpuid + 1);
2817 * Deletes all rules from a chain (including the default rule
2818 * if the second argument is set).
2819 * Must be called at splimp().
2822 ipfw_flush(int kill_default)
2824 struct netmsg_del dmsg;
2826 struct lwkt_msg *lmsg;
2828 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
2830 IPFW_ASSERT_CFGPORT(&curthread->td_msgport);
2833 * If 'kill_default' then caller has done the necessary
2834 * msgport syncing; unnecessary to do it again.
2836 if (!kill_default) {
2838 * Let ipfw_chk() know the rules are going to
2839 * be flushed, so it could jump directly to
2843 netmsg_service_sync();
2847 * Clear STATE flag on rules, so no more states (dyn rules)
2850 bzero(&dmsg, sizeof(dmsg));
2851 netmsg_init(&dmsg.nmsg, &curthread->td_msgport, 0,
2852 ipfw_disable_rule_state_dispatch);
2853 ifnet_domsg(&dmsg.nmsg.nm_lmsg, 0);
2856 * This actually nukes all states (dyn rules)
2858 lockmgr(&dyn_lock, LK_EXCLUSIVE);
2859 for (rule = ctx->ipfw_layer3_chain; rule != NULL; rule = rule->next) {
2861 * Can't check IPFW_RULE_F_STATE here,
2862 * since it has been cleared previously.
2863 * Check 'stub' instead.
2865 if (rule->stub != NULL) {
2867 remove_dyn_rule_locked(rule, NULL);
2870 lockmgr(&dyn_lock, LK_RELEASE);
2873 * Press the 'flush' button
2875 bzero(&nmsg, sizeof(nmsg));
2876 netmsg_init(&nmsg, &curthread->td_msgport, 0, ipfw_flush_dispatch);
2877 lmsg = &nmsg.nm_lmsg;
2878 lmsg->u.ms_result = kill_default;
2879 ifnet_domsg(lmsg, 0);
2881 KASSERT(dyn_count == 0, ("%u dyn rule remains\n", dyn_count));
2884 if (ipfw_dyn_v != NULL) {
2886 * Free dynamic rules(state) hash table
2888 kfree(ipfw_dyn_v, M_IPFW);
2892 KASSERT(static_count == 0,
2893 ("%u static rules remains\n", static_count));
2894 KASSERT(static_ioc_len == 0,
2895 ("%u bytes of static rules remains\n", static_ioc_len));
2897 KASSERT(static_count == 1,
2898 ("%u static rules remains\n", static_count));
2899 KASSERT(static_ioc_len == IOC_RULESIZE(ctx->ipfw_default_rule),
2900 ("%u bytes of static rules remains, should be %u\n",
2901 static_ioc_len, IOC_RULESIZE(ctx->ipfw_default_rule)));
2909 ipfw_alt_delete_rule_dispatch(struct netmsg *nmsg)
2911 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg;
2912 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
2913 struct ip_fw *rule, *prev;
2915 rule = dmsg->start_rule;
2916 KKASSERT(rule->cpuid == mycpuid);
2917 dmsg->start_rule = rule->sibling;
2919 prev = dmsg->prev_rule;
2921 KKASSERT(prev->cpuid == mycpuid);
2924 * Move to the position on the next CPU
2925 * before the msg is forwarded.
2927 dmsg->prev_rule = prev->sibling;
2931 * flush pointers outside the loop, then delete all matching
2932 * rules. 'prev' remains the same throughout the cycle.
2934 ipfw_flush_rule_ptrs(ctx);
2935 while (rule && rule->rulenum == dmsg->rulenum)
2936 rule = ipfw_delete_rule(ctx, prev, rule);
2938 ifnet_forwardmsg(&nmsg->nm_lmsg, mycpuid + 1);
2942 ipfw_alt_delete_rule(uint16_t rulenum)
2944 struct ip_fw *prev, *rule, *f;
2945 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
2946 struct netmsg_del dmsg;
2947 struct netmsg *nmsg;
2951 * Locate first rule to delete
2953 for (prev = NULL, rule = ctx->ipfw_layer3_chain;
2954 rule && rule->rulenum < rulenum;
2955 prev = rule, rule = rule->next)
2957 if (rule->rulenum != rulenum)
2961 * Check whether any rules with the given number will
2965 for (f = rule; f && f->rulenum == rulenum; f = f->next) {
2966 if (f->rule_flags & IPFW_RULE_F_STATE) {
2974 * Clear the STATE flag, so no more states will be
2975 * created based the rules numbered 'rulenum'.
2977 bzero(&dmsg, sizeof(dmsg));
2979 netmsg_init(nmsg, &curthread->td_msgport, 0,
2980 ipfw_disable_rule_state_dispatch);
2981 dmsg.start_rule = rule;
2982 dmsg.rulenum = rulenum;
2984 ifnet_domsg(&nmsg->nm_lmsg, 0);
2985 KKASSERT(dmsg.start_rule == NULL);
2988 * Nuke all related states
2990 lockmgr(&dyn_lock, LK_EXCLUSIVE);
2991 for (f = rule; f && f->rulenum == rulenum; f = f->next) {
2993 * Can't check IPFW_RULE_F_STATE here,
2994 * since it has been cleared previously.
2995 * Check 'stub' instead.
2997 if (f->stub != NULL) {
2999 remove_dyn_rule_locked(f, NULL);
3002 lockmgr(&dyn_lock, LK_RELEASE);
3006 * Get rid of the rule duplications on all CPUs
3008 bzero(&dmsg, sizeof(dmsg));
3010 netmsg_init(nmsg, &curthread->td_msgport, 0,
3011 ipfw_alt_delete_rule_dispatch);
3012 dmsg.prev_rule = prev;
3013 dmsg.start_rule = rule;
3014 dmsg.rulenum = rulenum;
3016 ifnet_domsg(&nmsg->nm_lmsg, 0);
3017 KKASSERT(dmsg.prev_rule == NULL && dmsg.start_rule == NULL);
3022 ipfw_alt_delete_ruleset_dispatch(struct netmsg *nmsg)
3024 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg;
3025 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
3026 struct ip_fw *prev, *rule;
3031 ipfw_flush_rule_ptrs(ctx);
3034 rule = ctx->ipfw_layer3_chain;
3035 while (rule != NULL) {
3036 if (rule->set == dmsg->from_set) {
3037 rule = ipfw_delete_rule(ctx, prev, rule);
3046 KASSERT(del, ("no match set?!\n"));
3048 ifnet_forwardmsg(&nmsg->nm_lmsg, mycpuid + 1);
3052 ipfw_disable_ruleset_state_dispatch(struct netmsg *nmsg)
3054 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg;
3055 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
3061 for (rule = ctx->ipfw_layer3_chain; rule; rule = rule->next) {
3062 if (rule->set == dmsg->from_set) {
3066 rule->rule_flags &= ~IPFW_RULE_F_STATE;
3069 KASSERT(cleared, ("no match set?!\n"));
3071 ifnet_forwardmsg(&nmsg->nm_lmsg, mycpuid + 1);
3075 ipfw_alt_delete_ruleset(uint8_t set)
3077 struct netmsg_del dmsg;
3078 struct netmsg *nmsg;
3081 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
3084 * Check whether the 'set' exists. If it exists,
3085 * then check whether any rules within the set will
3086 * try to create states.
3090 for (rule = ctx->ipfw_layer3_chain; rule; rule = rule->next) {
3091 if (rule->set == set) {
3093 if (rule->rule_flags & IPFW_RULE_F_STATE) {
3100 return 0; /* XXX EINVAL? */
3104 * Clear the STATE flag, so no more states will be
3105 * created based the rules in this set.
3107 bzero(&dmsg, sizeof(dmsg));
3109 netmsg_init(nmsg, &curthread->td_msgport, 0,
3110 ipfw_disable_ruleset_state_dispatch);
3111 dmsg.from_set = set;
3113 ifnet_domsg(&nmsg->nm_lmsg, 0);
3116 * Nuke all related states
3118 lockmgr(&dyn_lock, LK_EXCLUSIVE);
3119 for (rule = ctx->ipfw_layer3_chain; rule; rule = rule->next) {
3120 if (rule->set != set)
3124 * Can't check IPFW_RULE_F_STATE here,
3125 * since it has been cleared previously.
3126 * Check 'stub' instead.
3128 if (rule->stub != NULL) {
3130 remove_dyn_rule_locked(rule, NULL);
3133 lockmgr(&dyn_lock, LK_RELEASE);
3139 bzero(&dmsg, sizeof(dmsg));
3141 netmsg_init(nmsg, &curthread->td_msgport, 0,
3142 ipfw_alt_delete_ruleset_dispatch);
3143 dmsg.from_set = set;
3145 ifnet_domsg(&nmsg->nm_lmsg, 0);
3150 ipfw_alt_move_rule_dispatch(struct netmsg *nmsg)
3152 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg;
3155 rule = dmsg->start_rule;
3156 KKASSERT(rule->cpuid == mycpuid);
3159 * Move to the position on the next CPU
3160 * before the msg is forwarded.
3162 dmsg->start_rule = rule->sibling;
3164 while (rule && rule->rulenum <= dmsg->rulenum) {
3165 if (rule->rulenum == dmsg->rulenum)
3166 rule->set = dmsg->to_set;
3169 ifnet_forwardmsg(&nmsg->nm_lmsg, mycpuid + 1);
3173 ipfw_alt_move_rule(uint16_t rulenum, uint8_t set)
3175 struct netmsg_del dmsg;
3176 struct netmsg *nmsg;
3178 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
3181 * Locate first rule to move
3183 for (rule = ctx->ipfw_layer3_chain; rule && rule->rulenum <= rulenum;
3184 rule = rule->next) {
3185 if (rule->rulenum == rulenum && rule->set != set)
3188 if (rule == NULL || rule->rulenum > rulenum)
3189 return 0; /* XXX error? */
3191 bzero(&dmsg, sizeof(dmsg));
3193 netmsg_init(nmsg, &curthread->td_msgport, 0,
3194 ipfw_alt_move_rule_dispatch);
3195 dmsg.start_rule = rule;
3196 dmsg.rulenum = rulenum;
3199 ifnet_domsg(&nmsg->nm_lmsg, 0);
3200 KKASSERT(dmsg.start_rule == NULL);
3205 ipfw_alt_move_ruleset_dispatch(struct netmsg *nmsg)
3207 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg;
3208 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
3211 for (rule = ctx->ipfw_layer3_chain; rule; rule = rule->next) {
3212 if (rule->set == dmsg->from_set)
3213 rule->set = dmsg->to_set;
3215 ifnet_forwardmsg(&nmsg->nm_lmsg, mycpuid + 1);
3219 ipfw_alt_move_ruleset(uint8_t from_set, uint8_t to_set)
3221 struct netmsg_del dmsg;
3222 struct netmsg *nmsg;
3224 bzero(&dmsg, sizeof(dmsg));
3226 netmsg_init(nmsg, &curthread->td_msgport, 0,
3227 ipfw_alt_move_ruleset_dispatch);
3228 dmsg.from_set = from_set;
3229 dmsg.to_set = to_set;
3231 ifnet_domsg(&nmsg->nm_lmsg, 0);
3236 ipfw_alt_swap_ruleset_dispatch(struct netmsg *nmsg)
3238 struct netmsg_del *dmsg = (struct netmsg_del *)nmsg;
3239 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
3242 for (rule = ctx->ipfw_layer3_chain; rule; rule = rule->next) {
3243 if (rule->set == dmsg->from_set)
3244 rule->set = dmsg->to_set;
3245 else if (rule->set == dmsg->to_set)
3246 rule->set = dmsg->from_set;
3248 ifnet_forwardmsg(&nmsg->nm_lmsg, mycpuid + 1);
3252 ipfw_alt_swap_ruleset(uint8_t set1, uint8_t set2)
3254 struct netmsg_del dmsg;
3255 struct netmsg *nmsg;
3257 bzero(&dmsg, sizeof(dmsg));
3259 netmsg_init(nmsg, &curthread->td_msgport, 0,
3260 ipfw_alt_swap_ruleset_dispatch);
3261 dmsg.from_set = set1;
3264 ifnet_domsg(&nmsg->nm_lmsg, 0);
3269 * Remove all rules with given number, and also do set manipulation.
3271 * The argument is an uint32_t. The low 16 bit are the rule or set number,
3272 * the next 8 bits are the new set, the top 8 bits are the command:
3274 * 0 delete rules with given number
3275 * 1 delete rules with given set number
3276 * 2 move rules with given number to new set
3277 * 3 move rules with given set number to new set
3278 * 4 swap sets with given numbers
3281 ipfw_ctl_alter(uint32_t arg)
3284 uint8_t cmd, new_set;
3287 rulenum = arg & 0xffff;
3288 cmd = (arg >> 24) & 0xff;
3289 new_set = (arg >> 16) & 0xff;
3293 if (new_set >= IPFW_DEFAULT_SET)
3295 if (cmd == 0 || cmd == 2) {
3296 if (rulenum == IPFW_DEFAULT_RULE)
3299 if (rulenum >= IPFW_DEFAULT_SET)
3304 case 0: /* delete rules with given number */
3305 error = ipfw_alt_delete_rule(rulenum);
3308 case 1: /* delete all rules with given set number */
3309 error = ipfw_alt_delete_ruleset(rulenum);
3312 case 2: /* move rules with given number to new set */
3313 error = ipfw_alt_move_rule(rulenum, new_set);
3316 case 3: /* move rules with given set number to new set */
3317 error = ipfw_alt_move_ruleset(rulenum, new_set);
3320 case 4: /* swap two sets */
3321 error = ipfw_alt_swap_ruleset(rulenum, new_set);
3328 * Clear counters for a specific rule.
3331 clear_counters(struct ip_fw *rule, int log_only)
3333 ipfw_insn_log *l = (ipfw_insn_log *)ACTION_PTR(rule);
3335 if (log_only == 0) {
3336 rule->bcnt = rule->pcnt = 0;
3337 rule->timestamp = 0;
3339 if (l->o.opcode == O_LOG)
3340 l->log_left = l->max_log;
3344 ipfw_zero_entry_dispatch(struct netmsg *nmsg)
3346 struct netmsg_zent *zmsg = (struct netmsg_zent *)nmsg;
3347 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
3350 if (zmsg->rulenum == 0) {
3351 KKASSERT(zmsg->start_rule == NULL);
3353 ctx->ipfw_norule_counter = 0;
3354 for (rule = ctx->ipfw_layer3_chain; rule; rule = rule->next)
3355 clear_counters(rule, zmsg->log_only);
3357 struct ip_fw *start = zmsg->start_rule;
3359 KKASSERT(start->cpuid == mycpuid);
3360 KKASSERT(start->rulenum == zmsg->rulenum);
3363 * We can have multiple rules with the same number, so we
3364 * need to clear them all.
3366 for (rule = start; rule && rule->rulenum == zmsg->rulenum;
3368 clear_counters(rule, zmsg->log_only);
3371 * Move to the position on the next CPU
3372 * before the msg is forwarded.
3374 zmsg->start_rule = start->sibling;
3376 ifnet_forwardmsg(&nmsg->nm_lmsg, mycpuid + 1);
3380 * Reset some or all counters on firewall rules.
3381 * @arg frwl is null to clear all entries, or contains a specific
3383 * @arg log_only is 1 if we only want to reset logs, zero otherwise.
3386 ipfw_ctl_zero_entry(int rulenum, int log_only)
3388 struct netmsg_zent zmsg;
3389 struct netmsg *nmsg;
3391 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
3393 bzero(&zmsg, sizeof(zmsg));
3395 netmsg_init(nmsg, &curthread->td_msgport, 0, ipfw_zero_entry_dispatch);
3396 zmsg.log_only = log_only;
3399 msg = log_only ? "ipfw: All logging counts reset.\n"
3400 : "ipfw: Accounting cleared.\n";
3405 * Locate the first rule with 'rulenum'
3407 for (rule = ctx->ipfw_layer3_chain; rule; rule = rule->next) {
3408 if (rule->rulenum == rulenum)
3411 if (rule == NULL) /* we did not find any matching rules */
3413 zmsg.start_rule = rule;
3414 zmsg.rulenum = rulenum;
3416 msg = log_only ? "ipfw: Entry %d logging count reset.\n"
3417 : "ipfw: Entry %d cleared.\n";
3419 ifnet_domsg(&nmsg->nm_lmsg, 0);
3420 KKASSERT(zmsg.start_rule == NULL);
3423 log(LOG_SECURITY | LOG_NOTICE, msg, rulenum);
3428 * Check validity of the structure before insert.
3429 * Fortunately rules are simple, so this mostly need to check rule sizes.
3432 ipfw_check_ioc_rule(struct ipfw_ioc_rule *rule, int size, uint32_t *rule_flags)
3435 int have_action = 0;
3440 /* Check for valid size */
3441 if (size < sizeof(*rule)) {
3442 kprintf("ipfw: rule too short\n");
3445 l = IOC_RULESIZE(rule);
3447 kprintf("ipfw: size mismatch (have %d want %d)\n", size, l);
3451 /* Check rule number */
3452 if (rule->rulenum == IPFW_DEFAULT_RULE) {
3453 kprintf("ipfw: invalid rule number\n");
3458 * Now go for the individual checks. Very simple ones, basically only
3459 * instruction sizes.
3461 for (l = rule->cmd_len, cmd = rule->cmd; l > 0;
3462 l -= cmdlen, cmd += cmdlen) {
3463 cmdlen = F_LEN(cmd);
3465 kprintf("ipfw: opcode %d size truncated\n",
3470 DEB(kprintf("ipfw: opcode %d\n", cmd->opcode);)
3472 if (cmd->opcode == O_KEEP_STATE || cmd->opcode == O_LIMIT) {
3473 /* This rule will create states */
3474 *rule_flags |= IPFW_RULE_F_STATE;
3477 switch (cmd->opcode) {
3491 case O_IPPRECEDENCE:
3498 if (cmdlen != F_INSN_SIZE(ipfw_insn))
3510 if (cmdlen != F_INSN_SIZE(ipfw_insn_u32))
3515 if (cmdlen != F_INSN_SIZE(ipfw_insn_limit))
3520 if (cmdlen != F_INSN_SIZE(ipfw_insn_log))
3523 ((ipfw_insn_log *)cmd)->log_left =
3524 ((ipfw_insn_log *)cmd)->max_log;
3530 if (cmdlen != F_INSN_SIZE(ipfw_insn_ip))
3532 if (((ipfw_insn_ip *)cmd)->mask.s_addr == 0) {
3533 kprintf("ipfw: opcode %d, useless rule\n",
3541 if (cmd->arg1 == 0 || cmd->arg1 > 256) {
3542 kprintf("ipfw: invalid set size %d\n",
3546 if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) +
3552 if (cmdlen != F_INSN_SIZE(ipfw_insn_mac))
3558 case O_IP_DSTPORT: /* XXX artificial limit, 30 port pairs */
3559 if (cmdlen < 2 || cmdlen > 31)
3566 if (cmdlen != F_INSN_SIZE(ipfw_insn_if))
3572 if (cmdlen != F_INSN_SIZE(ipfw_insn_pipe))
3577 if (cmdlen != F_INSN_SIZE(ipfw_insn_sa))
3581 case O_FORWARD_MAC: /* XXX not implemented yet */
3590 if (cmdlen != F_INSN_SIZE(ipfw_insn))
3594 kprintf("ipfw: opcode %d, multiple actions"
3601 kprintf("ipfw: opcode %d, action must be"
3608 kprintf("ipfw: opcode %d, unknown opcode\n",
3613 if (have_action == 0) {
3614 kprintf("ipfw: missing action\n");
3620 kprintf("ipfw: opcode %d size %d wrong\n",
3621 cmd->opcode, cmdlen);
3626 ipfw_ctl_add_rule(struct sockopt *sopt)
3628 struct ipfw_ioc_rule *ioc_rule;
3630 uint32_t rule_flags;
3633 size = sopt->sopt_valsize;
3634 if (size > (sizeof(uint32_t) * IPFW_RULE_SIZE_MAX) ||
3635 size < sizeof(*ioc_rule)) {
3638 if (size != (sizeof(uint32_t) * IPFW_RULE_SIZE_MAX)) {
3639 sopt->sopt_val = krealloc(sopt->sopt_val, sizeof(uint32_t) *
3640 IPFW_RULE_SIZE_MAX, M_TEMP, M_WAITOK);
3642 ioc_rule = sopt->sopt_val;
3644 error = ipfw_check_ioc_rule(ioc_rule, size, &rule_flags);
3648 ipfw_add_rule(ioc_rule, rule_flags);
3650 if (sopt->sopt_dir == SOPT_GET)
3651 sopt->sopt_valsize = IOC_RULESIZE(ioc_rule);
3656 ipfw_copy_rule(const struct ip_fw *rule, struct ipfw_ioc_rule *ioc_rule)
3658 const struct ip_fw *sibling;
3663 KKASSERT(rule->cpuid == 0);
3665 ioc_rule->act_ofs = rule->act_ofs;
3666 ioc_rule->cmd_len = rule->cmd_len;
3667 ioc_rule->rulenum = rule->rulenum;
3668 ioc_rule->set = rule->set;
3669 ioc_rule->usr_flags = rule->usr_flags;
3671 ioc_rule->set_disable = ipfw_ctx[mycpuid]->ipfw_set_disable;
3672 ioc_rule->static_count = static_count;
3673 ioc_rule->static_len = static_ioc_len;
3676 * Visit (read-only) all of the rule's duplications to get
3677 * the necessary statistics
3684 ioc_rule->timestamp = 0;
3685 for (sibling = rule; sibling != NULL; sibling = sibling->sibling) {
3686 ioc_rule->pcnt += sibling->pcnt;
3687 ioc_rule->bcnt += sibling->bcnt;
3688 if (sibling->timestamp > ioc_rule->timestamp)
3689 ioc_rule->timestamp = sibling->timestamp;
3694 KASSERT(i == ncpus, ("static rule is not duplicated on every cpu\n"));
3696 bcopy(rule->cmd, ioc_rule->cmd, ioc_rule->cmd_len * 4 /* XXX */);
3698 return ((uint8_t *)ioc_rule + IOC_RULESIZE(ioc_rule));
3702 ipfw_copy_state(const ipfw_dyn_rule *dyn_rule,
3703 struct ipfw_ioc_state *ioc_state)
3705 const struct ipfw_flow_id *id;
3706 struct ipfw_ioc_flowid *ioc_id;
3708 ioc_state->expire = TIME_LEQ(dyn_rule->expire, time_second) ?
3709 0 : dyn_rule->expire - time_second;
3710 ioc_state->pcnt = dyn_rule->pcnt;
3711 ioc_state->bcnt = dyn_rule->bcnt;
3713 ioc_state->dyn_type = dyn_rule->dyn_type;
3714 ioc_state->count = dyn_rule->count;
3716 ioc_state->rulenum = dyn_rule->stub->rule[mycpuid]->rulenum;
3719 ioc_id = &ioc_state->id;
3721 ioc_id->type = ETHERTYPE_IP;
3722 ioc_id->u.ip.dst_ip = id->dst_ip;
3723 ioc_id->u.ip.src_ip = id->src_ip;
3724 ioc_id->u.ip.dst_port = id->dst_port;
3725 ioc_id->u.ip.src_port = id->src_port;
3726 ioc_id->u.ip.proto = id->proto;
3730 ipfw_ctl_get_rules(struct sockopt *sopt)
3732 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
3736 uint32_t dcount = 0;
3739 * pass up a copy of the current rules. Static rules
3740 * come first (the last of which has number IPFW_DEFAULT_RULE),
3741 * followed by a possibly empty list of dynamic rule.
3745 size = static_ioc_len; /* size of static rules */
3746 if (ipfw_dyn_v) { /* add size of dyn.rules */
3748 size += dcount * sizeof(struct ipfw_ioc_state);
3751 if (sopt->sopt_valsize < size) {
3752 /* short length, no need to return incomplete rules */
3753 /* XXX: if superuser, no need to zero buffer */
3754 bzero(sopt->sopt_val, sopt->sopt_valsize);
3757 bp = sopt->sopt_val;
3759 for (rule = ctx->ipfw_layer3_chain; rule; rule = rule->next)
3760 bp = ipfw_copy_rule(rule, bp);
3762 if (ipfw_dyn_v && dcount != 0) {
3763 struct ipfw_ioc_state *ioc_state = bp;
3764 uint32_t dcount2 = 0;
3766 size_t old_size = size;
3770 lockmgr(&dyn_lock, LK_SHARED);
3772 /* Check 'ipfw_dyn_v' again with lock held */
3773 if (ipfw_dyn_v == NULL)
3776 for (i = 0; i < curr_dyn_buckets; i++) {
3780 * The # of dynamic rules may have grown after the
3781 * snapshot of 'dyn_count' was taken, so we will have
3782 * to check 'dcount' (snapshot of dyn_count) here to
3783 * make sure that we don't overflow the pre-allocated
3786 for (p = ipfw_dyn_v[i]; p != NULL && dcount != 0;
3787 p = p->next, ioc_state++, dcount--, dcount2++)
3788 ipfw_copy_state(p, ioc_state);
3791 lockmgr(&dyn_lock, LK_RELEASE);
3794 * The # of dynamic rules may be shrinked after the
3795 * snapshot of 'dyn_count' was taken. To give user a
3796 * correct dynamic rule count, we use the 'dcount2'
3797 * calculated above (with shared lockmgr lock held).
3799 size = static_ioc_len +
3800 (dcount2 * sizeof(struct ipfw_ioc_state));
3801 KKASSERT(size <= old_size);
3806 sopt->sopt_valsize = size;
3811 ipfw_set_disable_dispatch(struct netmsg *nmsg)
3813 struct lwkt_msg *lmsg = &nmsg->nm_lmsg;
3814 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
3817 ctx->ipfw_set_disable = lmsg->u.ms_result32;
3819 ifnet_forwardmsg(lmsg, mycpuid + 1);
3823 ipfw_ctl_set_disable(uint32_t disable, uint32_t enable)
3826 struct lwkt_msg *lmsg;
3827 uint32_t set_disable;
3829 /* IPFW_DEFAULT_SET is always enabled */
3830 enable |= (1 << IPFW_DEFAULT_SET);
3831 set_disable = (ipfw_ctx[mycpuid]->ipfw_set_disable | disable) & ~enable;
3833 bzero(&nmsg, sizeof(nmsg));
3834 netmsg_init(&nmsg, &curthread->td_msgport, 0, ipfw_set_disable_dispatch);
3835 lmsg = &nmsg.nm_lmsg;
3836 lmsg->u.ms_result32 = set_disable;
3838 ifnet_domsg(lmsg, 0);
3842 * {set|get}sockopt parser.
3845 ipfw_ctl(struct sockopt *sopt)
3853 switch (sopt->sopt_name) {
3855 error = ipfw_ctl_get_rules(sopt);
3860 * Normally we cannot release the lock on each iteration.
3861 * We could do it here only because we start from the head all
3862 * the times so there is no risk of missing some entries.
3863 * On the other hand, the risk is that we end up with
3864 * a very inconsistent ruleset, so better keep the lock
3865 * around the whole cycle.
3867 * XXX this code can be improved by resetting the head of
3868 * the list to point to the default rule, and then freeing
3869 * the old list without the need for a lock.
3873 ipfw_flush(0 /* keep default rule */);
3878 error = ipfw_ctl_add_rule(sopt);
3883 * IP_FW_DEL is used for deleting single rules or sets,
3884 * and (ab)used to atomically manipulate sets.
3885 * Argument size is used to distinguish between the two:
3887 * delete single rule or set of rules,
3888 * or reassign rules (or sets) to a different set.
3889 * 2 * sizeof(uint32_t)
3890 * atomic disable/enable sets.
3891 * first uint32_t contains sets to be disabled,
3892 * second uint32_t contains sets to be enabled.
3894 masks = sopt->sopt_val;
3895 size = sopt->sopt_valsize;
3896 if (size == sizeof(*masks)) {
3898 * Delete or reassign static rule
3900 error = ipfw_ctl_alter(masks[0]);
3901 } else if (size == (2 * sizeof(*masks))) {
3903 * Set enable/disable
3905 ipfw_ctl_set_disable(masks[0], masks[1]);
3912 case IP_FW_RESETLOG: /* argument is an int, the rule number */
3915 if (sopt->sopt_val != 0) {
3916 error = soopt_to_kbuf(sopt, &rulenum,
3917 sizeof(int), sizeof(int));
3921 error = ipfw_ctl_zero_entry(rulenum,
3922 sopt->sopt_name == IP_FW_RESETLOG);
3926 kprintf("ipfw_ctl invalid option %d\n", sopt->sopt_name);
3933 * This procedure is only used to handle keepalives. It is invoked
3934 * every dyn_keepalive_period
3937 ipfw_tick(void *dummy __unused)
3943 if (ipfw_dyn_v == NULL || dyn_count == 0)
3946 keep_alive = time_second;
3948 lockmgr(&dyn_lock, LK_EXCLUSIVE);
3950 if (ipfw_dyn_v == NULL || dyn_count == 0) {
3951 lockmgr(&dyn_lock, LK_RELEASE);
3954 gen = dyn_buckets_gen;
3956 for (i = 0; i < curr_dyn_buckets; i++) {
3957 ipfw_dyn_rule *q, *prev;
3959 for (prev = NULL, q = ipfw_dyn_v[i]; q != NULL;) {
3960 uint32_t ack_rev, ack_fwd;
3961 struct ipfw_flow_id id;
3963 if (q->dyn_type == O_LIMIT_PARENT)
3966 if (TIME_LEQ(q->expire, time_second)) {
3968 UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
3973 * Keep alive processing
3978 if (q->id.proto != IPPROTO_TCP)
3980 if ((q->state & BOTH_SYN) != BOTH_SYN)
3982 if (TIME_LEQ(time_second + dyn_keepalive_interval,
3984 goto next; /* too early */
3985 if (q->keep_alive == keep_alive)
3986 goto next; /* alreay done */
3989 * Save necessary information, so that they could
3990 * survive after possible blocking in send_pkt()
3993 ack_rev = q->ack_rev;
3994 ack_fwd = q->ack_fwd;
3996 /* Sending has been started */
3997 q->keep_alive = keep_alive;
3999 /* Release lock to avoid possible dead lock */
4000 lockmgr(&dyn_lock, LK_RELEASE);
4001 send_pkt(&id, ack_rev - 1, ack_fwd, TH_SYN);
4002 send_pkt(&id, ack_fwd - 1, ack_rev, 0);
4003 lockmgr(&dyn_lock, LK_EXCLUSIVE);
4005 if (gen != dyn_buckets_gen) {
4007 * Dyn bucket array has been changed during
4008 * the above two sending; reiterate.
4017 lockmgr(&dyn_lock, LK_RELEASE);
4019 callout_reset(&ipfw_timeout_h, dyn_keepalive_period * hz,
4024 ipfw_sysctl_autoinc_step(SYSCTL_HANDLER_ARGS)
4026 return sysctl_int_range(oidp, arg1, arg2, req,
4027 IPFW_AUTOINC_STEP_MIN, IPFW_AUTOINC_STEP_MAX);
4031 ipfw_sysctl_dyn_buckets(SYSCTL_HANDLER_ARGS)
4035 lockmgr(&dyn_lock, LK_EXCLUSIVE);
4037 value = dyn_buckets;
4038 error = sysctl_handle_int(oidp, &value, 0, req);
4039 if (error || !req->newptr)
4043 * Make sure we have a power of 2 and
4044 * do not allow more than 64k entries.
4047 if (value <= 1 || value > 65536)
4049 if ((value & (value - 1)) != 0)
4053 dyn_buckets = value;
4055 lockmgr(&dyn_lock, LK_RELEASE);
4060 ipfw_sysctl_dyn_fin(SYSCTL_HANDLER_ARGS)
4062 return sysctl_int_range(oidp, arg1, arg2, req,
4063 1, dyn_keepalive_period - 1);
4067 ipfw_sysctl_dyn_rst(SYSCTL_HANDLER_ARGS)
4069 return sysctl_int_range(oidp, arg1, arg2, req,
4070 1, dyn_keepalive_period - 1);
4074 ipfw_ctx_init_dispatch(struct netmsg *nmsg)
4076 struct netmsg_ipfw *fwmsg = (struct netmsg_ipfw *)nmsg;
4077 struct ipfw_context *ctx;
4078 struct ip_fw *def_rule;
4080 ctx = kmalloc(sizeof(*ctx), M_IPFW, M_WAITOK | M_ZERO);
4081 ipfw_ctx[mycpuid] = ctx;
4083 def_rule = kmalloc(sizeof(*def_rule), M_IPFW, M_WAITOK | M_ZERO);
4085 def_rule->act_ofs = 0;
4086 def_rule->rulenum = IPFW_DEFAULT_RULE;
4087 def_rule->cmd_len = 1;
4088 def_rule->set = IPFW_DEFAULT_SET;
4090 def_rule->cmd[0].len = 1;
4091 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
4092 def_rule->cmd[0].opcode = O_ACCEPT;
4094 def_rule->cmd[0].opcode = O_DENY;
4097 def_rule->refcnt = 1;
4098 def_rule->cpuid = mycpuid;
4100 /* Install the default rule */
4101 ctx->ipfw_default_rule = def_rule;
4102 ctx->ipfw_layer3_chain = def_rule;
4104 /* Link rule CPU sibling */
4105 ipfw_link_sibling(fwmsg, def_rule);
4107 /* Statistics only need to be updated once */
4109 ipfw_inc_static_count(def_rule);
4111 ifnet_forwardmsg(&nmsg->nm_lmsg, mycpuid + 1);
4115 ipfw_init_dispatch(struct netmsg *nmsg)
4117 struct netmsg_ipfw fwmsg;
4123 kprintf("IP firewall already loaded\n");
4128 bzero(&fwmsg, sizeof(fwmsg));
4129 netmsg_init(&fwmsg.nmsg, &curthread->td_msgport, 0,
4130 ipfw_ctx_init_dispatch);
4131 ifnet_domsg(&fwmsg.nmsg.nm_lmsg, 0);
4133 ip_fw_chk_ptr = ipfw_chk;
4134 ip_fw_ctl_ptr = ipfw_ctl;
4135 ip_fw_dn_io_ptr = ipfw_dummynet_io;
4137 kprintf("ipfw2 initialized, divert %s, "
4138 "rule-based forwarding enabled, default to %s, logging ",
4144 ipfw_ctx[mycpuid]->ipfw_default_rule->cmd[0].opcode ==
4145 O_ACCEPT ? "accept" : "deny");
4147 #ifdef IPFIREWALL_VERBOSE
4150 #ifdef IPFIREWALL_VERBOSE_LIMIT
4151 verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
4153 if (fw_verbose == 0) {
4154 kprintf("disabled\n");
4155 } else if (verbose_limit == 0) {
4156 kprintf("unlimited\n");
4158 kprintf("limited to %d packets/entry by default\n",
4162 callout_init(&ipfw_timeout_h);
4163 lockinit(&dyn_lock, "ipfw_dyn", 0, 0);
4166 callout_reset(&ipfw_timeout_h, hz, ipfw_tick, NULL);
4169 lwkt_replymsg(&nmsg->nm_lmsg, error);
4177 netmsg_init(&smsg, &curthread->td_msgport, 0, ipfw_init_dispatch);
4178 return lwkt_domsg(IPFW_CFGPORT, &smsg.nm_lmsg, 0);
4184 ipfw_fini_dispatch(struct netmsg *nmsg)
4190 if (ipfw_refcnt != 0) {
4195 callout_stop(&ipfw_timeout_h);
4198 netmsg_service_sync();
4200 ip_fw_chk_ptr = NULL;
4201 ip_fw_ctl_ptr = NULL;
4202 ip_fw_dn_io_ptr = NULL;
4203 ipfw_flush(1 /* kill default rule */);
4205 /* Free pre-cpu context */
4206 for (cpu = 0; cpu < ncpus; ++cpu)
4207 kfree(ipfw_ctx[cpu], M_IPFW);
4209 kprintf("IP firewall unloaded\n");
4212 lwkt_replymsg(&nmsg->nm_lmsg, error);
4220 netmsg_init(&smsg, &curthread->td_msgport, 0, ipfw_fini_dispatch);
4221 return lwkt_domsg(IPFW_CFGPORT, &smsg.nm_lmsg, 0);
4224 #endif /* KLD_MODULE */
4227 ipfw_modevent(module_t mod, int type, void *unused)
4238 kprintf("ipfw statically compiled, cannot unload\n");
4250 static moduledata_t ipfwmod = {
4255 DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PROTO_END, SI_ORDER_ANY);
4256 MODULE_VERSION(ipfw, 1);
projects / dragonfly.git / blob