2 * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
4 * See the IPFILTER.LICENCE file for details on licencing.
6 #if defined(__sgi) && (IRIX > 602)
7 # include <sys/ptimers.h>
10 #include <sys/types.h>
11 #include <sys/param.h>
14 #if !defined(_KERNEL) && !defined(KERNEL)
19 #if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
20 # include <sys/filio.h>
21 # include <sys/fcntl.h>
23 # include <sys/ioctl.h>
26 # include <sys/protosw.h>
28 #include <sys/socket.h>
29 #if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
30 # include <sys/systm.h>
32 #if !defined(__SVR4) && !defined(__svr4__)
34 # include <sys/mbuf.h>
37 # include <sys/filio.h>
38 # include <sys/byteorder.h>
40 # include <sys/dditypes.h>
42 # include <sys/stream.h>
43 # include <sys/kmem.h>
45 #if (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
46 # include <sys/queue.h>
48 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
49 # include <machine/cpu.h>
55 #include <net/route.h>
56 #include <netinet/in.h>
57 #include <netinet/in_systm.h>
58 #include <netinet/ip.h>
64 # include <netinet/ip_var.h>
70 # ifdef IFF_DRVRLOCK /* IRIX6 */
71 # include <sys/hashing.h>
74 #include <netinet/tcp.h>
75 #if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
76 extern struct ifqueue ipintrq; /* ip packet input queue */
79 # if __FreeBSD_version >= 300000
80 # include <net/if_var.h>
82 # include <netinet/in_var.h>
83 # include <netinet/tcp_fsm.h>
86 #include <netinet/udp.h>
87 #include <netinet/ip_icmp.h>
88 #include "netinet/ip_compat.h"
89 #include <netinet/tcpip.h>
90 #include "netinet/ip_fil.h"
91 #include "netinet/ip_auth.h"
92 #if !SOLARIS && !defined(linux)
93 # include <net/netisr.h>
95 # include <machine/cpufunc.h>
98 #if (__FreeBSD_version >= 300000)
99 # include <sys/malloc.h>
100 # if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
101 # include <sys/libkern.h>
102 # include <sys/systm.h>
107 static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.24 2002/12/06 11:40:21 darrenr Exp $";
111 #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
112 extern KRWLOCK_T ipf_auth, ipf_mutex;
113 extern kmutex_t ipf_authmx;
115 extern kcondvar_t ipfauthwait;
119 static struct wait_queue *ipfauthwait = NULL;
122 int fr_authsize = FR_NUMAUTH;
124 int fr_defaultauthage = 600;
125 int fr_auth_lock = 0;
126 fr_authstat_t fr_authstats;
127 static frauth_t fr_auth[FR_NUMAUTH];
128 mb_t *fr_authpkts[FR_NUMAUTH];
129 static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
130 static frauthent_t *fae_list = NULL;
131 frentry_t *ipauth = NULL,
136 * Check if a packet has authorization. If the packet is found to match an
137 * authorization result and that would result in a feedback loop (i.e. it
138 * will end up returning FR_AUTH) then return FR_BLOCK instead.
140 u_32_t fr_checkauth(ip, fin)
144 u_short id = ip->ip_id;
150 if (fr_auth_lock || !fr_authused)
153 READ_ENTER(&ipf_auth);
154 for (i = fr_authstart; i != fr_authend; ) {
156 * index becomes -2 only after an SIOCAUTHW. Check this in
157 * case the same packet gets sent again and it hasn't yet been
161 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
162 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
164 * Avoid feedback loop.
166 if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
169 * Create a dummy rule for the stateful checking to
170 * use and return. Zero out any values we don't
171 * trust from userland!
173 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
174 (fin->fin_fi.fi_fl & FI_FRAG))) {
175 KMALLOC(fr, frentry_t *);
177 bcopy((char *)fra->fra_info.fin_fr,
180 fr->fr_ifa = fin->fin_ifp;
189 fr = fra->fra_info.fin_fr;
191 RWLOCK_EXIT(&ipf_auth);
192 WRITE_ENTER(&ipf_auth);
193 if (fr && fr != fra->fra_info.fin_fr) {
194 fr->fr_next = fr_authlist;
197 fr_authstats.fas_hits++;
200 if (i == fr_authstart) {
201 while (fra->fra_index == -1) {
204 if (i == FR_NUMAUTH) {
212 if (fr_authstart == fr_authend) {
214 fr_authstart = fr_authend = 0;
217 RWLOCK_EXIT(&ipf_auth);
224 fr_authstats.fas_miss++;
225 RWLOCK_EXIT(&ipf_auth);
231 * Check if we have room in the auth array to hold details for another packet.
232 * If we do, store it and wake up any user programs which are waiting to
233 * hear about these events.
235 int fr_newauth(m, fin, ip)
240 #if defined(_KERNEL) && SOLARIS
241 qif_t *qif = fin->fin_qif;
249 WRITE_ENTER(&ipf_auth);
250 if (fr_authstart > fr_authend) {
251 fr_authstats.fas_nospace++;
252 RWLOCK_EXIT(&ipf_auth);
255 if (fr_authused == FR_NUMAUTH) {
256 fr_authstats.fas_nospace++;
257 RWLOCK_EXIT(&ipf_auth);
262 fr_authstats.fas_added++;
265 if (fr_authend == FR_NUMAUTH)
267 RWLOCK_EXIT(&ipf_auth);
271 fra->fra_age = fr_defaultauthage;
272 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
273 #if SOLARIS && defined(_KERNEL)
276 * No need to copyback here as we want to undo the changes, not keep
279 if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
284 ip->ip_len = htons(bo);
286 ip->ip_off = htons(bo);
289 m->b_rptr -= qif->qf_off;
290 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
291 fra->fra_q = qif->qf_q;
292 cv_signal(&ipfauthwait);
294 # if defined(BSD) && !defined(sparc) && (BSD >= 199306)
295 if (fin->fin_out == 0) {
296 ip->ip_len = htons(ip->ip_len);
297 ip->ip_off = htons(ip->ip_off);
301 WAKEUP(&fr_authnext);
307 int fr_auth_ioctl(data, mode, cmd)
310 #if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
317 #if defined(_KERNEL) && !SOLARIS
321 frauth_t auth, *au = &auth, *fra;
327 if (!(mode & FWRITE)) {
331 error = fr_lock(data, &fr_auth_lock);
343 /* These commands go via request to fr_preauthcmd */
347 fr_authstats.fas_faelist = fae_list;
348 error = IWCOPYPTR((char *)&fr_authstats, data,
349 sizeof(fr_authstats));
352 if (!(mode & FWRITE)) {
357 READ_ENTER(&ipf_auth);
358 if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
359 error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
361 RWLOCK_EXIT(&ipf_auth);
364 WRITE_ENTER(&ipf_auth);
367 if (fr_authnext == FR_NUMAUTH)
370 RWLOCK_EXIT(&ipf_auth);
373 RWLOCK_EXIT(&ipf_auth);
376 mutex_enter(&ipf_authmx);
377 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
378 mutex_exit(&ipf_authmx);
381 mutex_exit(&ipf_authmx);
383 error = SLEEP(&fr_authnext, "fr_authnext");
387 goto fr_authioctlloop;
390 if (!(mode & FWRITE)) {
394 error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
397 WRITE_ENTER(&ipf_auth);
401 if ((i < 0) || (i > FR_NUMAUTH) ||
402 (fra->fra_info.fin_id != au->fra_info.fin_id)) {
404 RWLOCK_EXIT(&ipf_auth);
409 fra->fra_pass = au->fra_pass;
410 fr_authpkts[i] = NULL;
411 RWLOCK_EXIT(&ipf_auth);
413 if (m && au->fra_info.fin_out) {
415 error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;
419 bzero((char *)&ro, sizeof(ro));
420 # if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
421 defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605))
422 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
425 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
430 # endif /* SOLARIS */
432 fr_authstats.fas_sendfail++;
434 fr_authstats.fas_sendok++;
437 error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0;
447 schednetisr(NETISR_IP);
450 # endif /* SOLARIS */
452 fr_authstats.fas_quefail++;
454 fr_authstats.fas_queok++;
462 * If we experience an error which will result in the packet
463 * not being processed, make sure we advance to the next one.
465 if (error == ENOBUFS) {
469 if (i == fr_authstart) {
470 while (fra->fra_index == -1) {
478 if (fr_authstart == fr_authend) {
480 fr_authstart = fr_authend = 0;
497 * Free all network buffer memory used to keep saved packets.
502 register frauthent_t *fae, **faep;
503 frentry_t *fr, **frp;
506 WRITE_ENTER(&ipf_auth);
507 for (i = 0; i < FR_NUMAUTH; i++) {
508 if ((m = fr_authpkts[i])) {
510 fr_authpkts[i] = NULL;
511 fr_auth[i].fra_index = -1;
516 for (faep = &fae_list; (fae = *faep); ) {
517 *faep = fae->fae_next;
521 RWLOCK_EXIT(&ipf_auth);
525 * We *MuST* reget ipf_auth because otherwise we won't get the
526 * locks in the right order and risk deadlock.
527 * We need ipf_mutex here to prevent a rule from using it
530 WRITE_ENTER(&ipf_mutex);
531 WRITE_ENTER(&ipf_auth);
532 for (frp = &fr_authlist; (fr = *frp); ) {
533 if (fr->fr_ref == 1) {
539 RWLOCK_EXIT(&ipf_auth);
540 RWLOCK_EXIT(&ipf_mutex);
546 * Slowly expire held auth records. Timeouts are set
547 * in expectation of this being called twice per second.
552 register frauth_t *fra;
553 register frauthent_t *fae, **faep;
554 register frentry_t *fr, **frp;
556 #if !SOLARIS && defined(_KERNEL)
564 WRITE_ENTER(&ipf_auth);
565 for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
566 if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
568 fr_authpkts[i] = NULL;
569 fr_auth[i].fra_index = -1;
570 fr_authstats.fas_expire++;
575 for (faep = &fae_list; (fae = *faep); ) {
576 if (!--fae->fae_age) {
577 *faep = fae->fae_next;
579 fr_authstats.fas_expire++;
581 faep = &fae->fae_next;
583 if (fae_list != NULL)
584 ipauth = &fae_list->fae_fr;
588 for (frp = &fr_authlist; (fr = *frp); ) {
589 if (fr->fr_ref == 1) {
595 RWLOCK_EXIT(&ipf_auth);
599 int fr_preauthcmd(cmd, fr, frptr)
600 #if defined(__NetBSD__) || defined(__OpenBSD__) || \
601 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
606 frentry_t *fr, **frptr;
608 frauthent_t *fae, **faep;
610 #if defined(KERNEL) && !SOLARIS
614 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
615 /* Should not happen */
616 printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
620 for (faep = &fae_list; (fae = *faep); )
621 if (&fae->fae_fr == fr)
624 faep = &fae->fae_next;
625 if (cmd == SIOCRMAFR) {
631 WRITE_ENTER(&ipf_auth);
633 *faep = fae->fae_next;
634 *frptr = fr->fr_next;
636 RWLOCK_EXIT(&ipf_auth);
639 } else if (fr && frptr) {
640 KMALLOC(fae, frauthent_t *);
642 bcopy((char *)fr, (char *)&fae->fae_fr,
644 WRITE_ENTER(&ipf_auth);
646 fae->fae_age = fr_defaultauthage;
647 fae->fae_fr.fr_hits = 0;
648 fae->fae_fr.fr_next = *frptr;
649 *frptr = &fae->fae_fr;
650 fae->fae_next = *faep;
652 ipauth = &fae_list->fae_fr;
654 RWLOCK_EXIT(&ipf_auth);