2 * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
4 * See the IPFILTER.LICENCE file for details on licencing.
6 * @(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $
7 * $FreeBSD: src/sys/contrib/ipfilter/netinet/ip_auth.c,v 1.21.2.7 2003/03/01 03:55:54 darrenr Exp $
8 * $DragonFly: src/sys/contrib/ipfilter/netinet/ip_auth.c,v 1.8 2005/06/05 12:17:46 corecode Exp $
10 #if defined(__sgi) && (IRIX > 602)
11 # include <sys/ptimers.h>
13 #include <sys/errno.h>
14 #include <sys/types.h>
15 #include <sys/param.h>
18 #if !defined(_KERNEL) && !defined(KERNEL)
23 #if (defined(KERNEL) || defined(_KERNEL)) && (defined(__DragonFly__) || __FreeBSD_version >= 220000)
24 # include <sys/filio.h>
25 # include <sys/fcntl.h>
27 # include <sys/ioctl.h>
30 # include <sys/protosw.h>
32 #include <sys/socket.h>
33 #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
34 # include <sys/systm.h>
36 #if !defined(__SVR4) && !defined(__svr4__)
38 # include <sys/mbuf.h>
41 # include <sys/filio.h>
42 # include <sys/byteorder.h>
44 # include <sys/dditypes.h>
46 # include <sys/stream.h>
47 # include <sys/kmem.h>
49 #if defined(__DragonFly__) || (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
50 # include <sys/queue.h>
52 #if defined(__DragonFly__) && defined(_KERNEL)
53 # include <sys/thread2.h>
55 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
56 # include <machine/cpu.h>
62 #include <net/route.h>
63 #include <netinet/in.h>
64 #include <netinet/in_systm.h>
65 #include <netinet/ip.h>
71 # include <netinet/ip_var.h>
77 # ifdef IFF_DRVRLOCK /* IRIX6 */
78 # include <sys/hashing.h>
81 #include <netinet/tcp.h>
82 #if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
83 extern struct ifqueue ipintrq; /* ip packet input queue */
86 # if defined(__DragonFly__) || __FreeBSD_version >= 300000
87 # include <net/if_var.h>
89 # include <netinet/in_var.h>
90 # include <netinet/tcp_fsm.h>
93 #include <netinet/udp.h>
94 #include <netinet/ip_icmp.h>
95 #include "ip_compat.h"
96 #include <netinet/tcpip.h>
99 #if !SOLARIS && !defined(linux)
100 # include <net/netisr.h>
101 # if defined(__DragonFly__) || defined(__FreeBSD__)
102 # include <machine/cpufunc.h>
105 #if defined(__DragonFly__) || (__FreeBSD_version >= 300000)
106 # include <sys/malloc.h>
107 # if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
108 # include <sys/libkern.h>
109 # include <sys/systm.h>
113 #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
114 extern KRWLOCK_T ipf_auth, ipf_mutex;
115 extern kmutex_t ipf_authmx;
117 extern kcondvar_t ipfauthwait;
121 static struct wait_queue *ipfauthwait = NULL;
124 int fr_authsize = FR_NUMAUTH;
126 int fr_defaultauthage = 600;
127 int fr_auth_lock = 0;
128 fr_authstat_t fr_authstats;
129 static frauth_t fr_auth[FR_NUMAUTH];
130 mb_t *fr_authpkts[FR_NUMAUTH];
131 static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
132 static frauthent_t *fae_list = NULL;
133 frentry_t *ipauth = NULL,
138 * Check if a packet has authorization. If the packet is found to match an
139 * authorization result and that would result in a feedback loop (i.e. it
140 * will end up returning FR_AUTH) then return FR_BLOCK instead.
142 u_32_t fr_checkauth(ip, fin)
146 u_short id = ip->ip_id;
152 if (fr_auth_lock || !fr_authused)
155 READ_ENTER(&ipf_auth);
156 for (i = fr_authstart; i != fr_authend; ) {
158 * index becomes -2 only after an SIOCAUTHW. Check this in
159 * case the same packet gets sent again and it hasn't yet been
163 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
164 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
166 * Avoid feedback loop.
168 if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
171 * Create a dummy rule for the stateful checking to
172 * use and return. Zero out any values we don't
173 * trust from userland!
175 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
176 (fin->fin_fi.fi_fl & FI_FRAG))) {
177 KMALLOC(fr, frentry_t *);
179 bcopy((char *)fra->fra_info.fin_fr,
182 fr->fr_ifa = fin->fin_ifp;
191 fr = fra->fra_info.fin_fr;
193 RWLOCK_EXIT(&ipf_auth);
194 WRITE_ENTER(&ipf_auth);
195 if (fr && fr != fra->fra_info.fin_fr) {
196 fr->fr_next = fr_authlist;
199 fr_authstats.fas_hits++;
202 if (i == fr_authstart) {
203 while (fra->fra_index == -1) {
206 if (i == FR_NUMAUTH) {
214 if (fr_authstart == fr_authend) {
216 fr_authstart = fr_authend = 0;
219 RWLOCK_EXIT(&ipf_auth);
226 fr_authstats.fas_miss++;
227 RWLOCK_EXIT(&ipf_auth);
233 * Check if we have room in the auth array to hold details for another packet.
234 * If we do, store it and wake up any user programs which are waiting to
235 * hear about these events.
237 int fr_newauth(m, fin, ip)
242 #if defined(_KERNEL) && SOLARIS
243 qif_t *qif = fin->fin_qif;
251 WRITE_ENTER(&ipf_auth);
252 if (fr_authstart > fr_authend) {
253 fr_authstats.fas_nospace++;
254 RWLOCK_EXIT(&ipf_auth);
257 if (fr_authused == FR_NUMAUTH) {
258 fr_authstats.fas_nospace++;
259 RWLOCK_EXIT(&ipf_auth);
264 fr_authstats.fas_added++;
267 if (fr_authend == FR_NUMAUTH)
269 RWLOCK_EXIT(&ipf_auth);
273 fra->fra_age = fr_defaultauthage;
274 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
275 #if SOLARIS && defined(_KERNEL)
278 * No need to copyback here as we want to undo the changes, not keep
281 if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
286 ip->ip_len = htons(bo);
288 ip->ip_off = htons(bo);
291 m->b_rptr -= qif->qf_off;
292 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
293 fra->fra_q = qif->qf_q;
294 cv_signal(&ipfauthwait);
296 # if defined(BSD) && !defined(sparc) && (BSD >= 199306)
297 if (fin->fin_out == 0) {
298 ip->ip_len = htons(ip->ip_len);
299 ip->ip_off = htons(ip->ip_off);
303 WAKEUP(&fr_authnext);
309 int fr_auth_ioctl(data, mode, cmd)
312 #if defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
319 #if defined(_KERNEL) && !SOLARIS
320 #if !defined(__DragonFly__) && !defined(__FreeBSD__)
323 #if !defined(__DragonFly__)
327 frauth_t auth, *au = &auth, *fra;
333 if (!(mode & FWRITE)) {
337 error = fr_lock(data, &fr_auth_lock);
349 /* These commands go via request to fr_preauthcmd */
353 fr_authstats.fas_faelist = fae_list;
354 error = IWCOPYPTR((char *)&fr_authstats, data,
355 sizeof(fr_authstats));
358 if (!(mode & FWRITE)) {
363 READ_ENTER(&ipf_auth);
364 if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
365 error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
367 RWLOCK_EXIT(&ipf_auth);
370 WRITE_ENTER(&ipf_auth);
373 if (fr_authnext == FR_NUMAUTH)
376 RWLOCK_EXIT(&ipf_auth);
379 RWLOCK_EXIT(&ipf_auth);
382 mutex_enter(&ipf_authmx);
383 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
384 mutex_exit(&ipf_authmx);
387 mutex_exit(&ipf_authmx);
389 error = SLEEP(&fr_authnext, "fr_authnext");
393 goto fr_authioctlloop;
396 if (!(mode & FWRITE)) {
400 error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
403 WRITE_ENTER(&ipf_auth);
407 if ((i < 0) || (i > FR_NUMAUTH) ||
408 (fra->fra_info.fin_id != au->fra_info.fin_id)) {
410 RWLOCK_EXIT(&ipf_auth);
415 fra->fra_pass = au->fra_pass;
416 fr_authpkts[i] = NULL;
417 RWLOCK_EXIT(&ipf_auth);
419 if (m && au->fra_info.fin_out) {
421 error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;
425 bzero((char *)&ro, sizeof(ro));
426 # if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
427 defined(__DragonFly__) || defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605)) || \
428 (__FreeBSD_version >= 470102)
429 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
432 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
437 # endif /* SOLARIS */
439 fr_authstats.fas_sendfail++;
441 fr_authstats.fas_sendok++;
444 error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0;
446 # if defined(__DragonFly__) || defined(__FreeBSD__)
447 error = netisr_queue(NETISR_IP, m);
457 schednetisr(NETISR_IP);
461 # endif /* !SOLARIS */
463 fr_authstats.fas_quefail++;
465 fr_authstats.fas_queok++;
473 * If we experience an error which will result in the packet
474 * not being processed, make sure we advance to the next one.
476 if (error == ENOBUFS) {
480 if (i == fr_authstart) {
481 while (fra->fra_index == -1) {
489 if (fr_authstart == fr_authend) {
491 fr_authstart = fr_authend = 0;
508 * Free all network buffer memory used to keep saved packets.
513 frauthent_t *fae, **faep;
514 frentry_t *fr, **frp;
517 WRITE_ENTER(&ipf_auth);
518 for (i = 0; i < FR_NUMAUTH; i++) {
519 if ((m = fr_authpkts[i])) {
521 fr_authpkts[i] = NULL;
522 fr_auth[i].fra_index = -1;
527 for (faep = &fae_list; (fae = *faep); ) {
528 *faep = fae->fae_next;
532 RWLOCK_EXIT(&ipf_auth);
536 * We *MuST* reget ipf_auth because otherwise we won't get the
537 * locks in the right order and risk deadlock.
538 * We need ipf_mutex here to prevent a rule from using it
541 WRITE_ENTER(&ipf_mutex);
542 WRITE_ENTER(&ipf_auth);
543 for (frp = &fr_authlist; (fr = *frp); ) {
544 if (fr->fr_ref == 1) {
550 RWLOCK_EXIT(&ipf_auth);
551 RWLOCK_EXIT(&ipf_mutex);
557 * Slowly expire held auth records. Timeouts are set
558 * in expectation of this being called twice per second.
564 frauthent_t *fae, **faep;
565 frentry_t *fr, **frp;
567 #if !SOLARIS && defined(_KERNEL) && !defined(__DragonFly__)
575 WRITE_ENTER(&ipf_auth);
576 for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
577 if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
579 fr_authpkts[i] = NULL;
580 fr_auth[i].fra_index = -1;
581 fr_authstats.fas_expire++;
586 for (faep = &fae_list; (fae = *faep); ) {
587 if (!--fae->fae_age) {
588 *faep = fae->fae_next;
590 fr_authstats.fas_expire++;
592 faep = &fae->fae_next;
594 if (fae_list != NULL)
595 ipauth = &fae_list->fae_fr;
599 for (frp = &fr_authlist; (fr = *frp); ) {
600 if (fr->fr_ref == 1) {
606 RWLOCK_EXIT(&ipf_auth);
610 int fr_preauthcmd(cmd, fr, frptr)
611 #if defined(__DragonFly__) || defined(__NetBSD__) || defined(__OpenBSD__) || \
612 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
617 frentry_t *fr, **frptr;
619 frauthent_t *fae, **faep;
621 #if defined(KERNEL) && !SOLARIS && !defined(__DragonFly__)
625 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
626 /* Should not happen */
627 printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
631 for (faep = &fae_list; (fae = *faep); )
632 if (&fae->fae_fr == fr)
635 faep = &fae->fae_next;
636 if (cmd == SIOCRMAFR) {
642 WRITE_ENTER(&ipf_auth);
644 *faep = fae->fae_next;
645 *frptr = fr->fr_next;
647 RWLOCK_EXIT(&ipf_auth);
650 } else if (fr && frptr) {
651 KMALLOC(fae, frauthent_t *);
653 bcopy((char *)fr, (char *)&fae->fae_fr,
655 WRITE_ENTER(&ipf_auth);
657 fae->fae_age = fr_defaultauthage;
658 fae->fae_fr.fr_hits = 0;
659 fae->fae_fr.fr_next = *frptr;
660 *frptr = &fae->fae_fr;
661 fae->fae_next = *faep;
663 ipauth = &fae_list->fae_fr;
665 RWLOCK_EXIT(&ipf_auth);