1 /*- 2 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23 * SUCH DAMAGE. 24 */ 25 26 #include <sys/cdefs.h> 27 __FBSDID("$FreeBSD$"); 28 29 /* 30 * The FreeBSD IP packet firewall, main file 31 */ 32 33 #include "opt_ipfw.h" 34 #include "opt_ipdivert.h" 35 #include "opt_inet.h" 36 #ifndef INET 37 #error "IPFIREWALL requires INET" 38 #endif /* INET */ 39 #include "opt_inet6.h" 40 #include "opt_ipsec.h" 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/condvar.h> 45 #include <sys/counter.h> 46 #include <sys/eventhandler.h> 47 #include <sys/malloc.h> 48 #include <sys/mbuf.h> 49 #include <sys/kernel.h> 50 #include <sys/lock.h> 51 #include <sys/jail.h> 52 #include <sys/module.h> 53 #include <sys/priv.h> 54 #include <sys/proc.h> 55 #include <sys/rwlock.h> 56 #include <sys/rmlock.h> 57 #include <sys/socket.h> 58 #include <sys/socketvar.h> 59 #include <sys/sysctl.h> 60 #include <sys/syslog.h> 61 #include <sys/ucred.h> 62 #include <net/ethernet.h> /* for ETHERTYPE_IP */ 63 #include <net/if.h> 64 #include <net/if_var.h> 65 #include <net/route.h> 66 #include <net/pfil.h> 67 #include <net/vnet.h> 68 69 #include <netpfil/pf/pf_mtag.h> 70 71 #include <netinet/in.h> 72 #include <netinet/in_var.h> 73 #include <netinet/in_pcb.h> 74 #include <netinet/ip.h> 75 #include <netinet/ip_var.h> 76 #include <netinet/ip_icmp.h> 77 #include <netinet/ip_fw.h> 78 #include <netinet/ip_carp.h> 79 #include <netinet/pim.h> 80 #include <netinet/tcp_var.h> 81 #include <netinet/udp.h> 82 #include <netinet/udp_var.h> 83 #include <netinet/sctp.h> 84 85 #include <netinet/ip6.h> 86 #include <netinet/icmp6.h> 87 #ifdef INET6 88 #include <netinet6/in6_pcb.h> 89 #include <netinet6/scope6_var.h> 90 #include <netinet6/ip6_var.h> 91 #endif 92 93 #include <netpfil/ipfw/ip_fw_private.h> 94 95 #include <machine/in_cksum.h> /* XXX for in_cksum */ 96 97 #ifdef MAC 98 #include <security/mac/mac_framework.h> 99 #endif 100 101 /* 102 * static variables followed by global ones. 103 * All ipfw global variables are here. 104 */ 105 106 static VNET_DEFINE(int, fw_deny_unknown_exthdrs); 107 #define V_fw_deny_unknown_exthdrs VNET(fw_deny_unknown_exthdrs) 108 109 static VNET_DEFINE(int, fw_permit_single_frag6) = 1; 110 #define V_fw_permit_single_frag6 VNET(fw_permit_single_frag6) 111 112 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT 113 static int default_to_accept = 1; 114 #else 115 static int default_to_accept; 116 #endif 117 118 VNET_DEFINE(int, autoinc_step); 119 VNET_DEFINE(int, fw_one_pass) = 1; 120 121 VNET_DEFINE(unsigned int, fw_tables_max); 122 VNET_DEFINE(unsigned int, fw_tables_sets) = 0; /* Don't use set-aware tables */ 123 /* Use 128 tables by default */ 124 static unsigned int default_fw_tables = IPFW_TABLES_DEFAULT; 125 126 #ifndef LINEAR_SKIPTO 127 static int jump_fast(struct ip_fw_chain *chain, struct ip_fw *f, int num, 128 int tablearg, int jump_backwards); 129 #define JUMP(ch, f, num, targ, back) jump_fast(ch, f, num, targ, back) 130 #else 131 static int jump_linear(struct ip_fw_chain *chain, struct ip_fw *f, int num, 132 int tablearg, int jump_backwards); 133 #define JUMP(ch, f, num, targ, back) jump_linear(ch, f, num, targ, back) 134 #endif 135 136 /* 137 * Each rule belongs to one of 32 different sets (0..31). 138 * The variable set_disable contains one bit per set. 139 * If the bit is set, all rules in the corresponding set 140 * are disabled. Set RESVD_SET(31) is reserved for the default rule 141 * and rules that are not deleted by the flush command, 142 * and CANNOT be disabled. 143 * Rules in set RESVD_SET can only be deleted individually. 144 */ 145 VNET_DEFINE(u_int32_t, set_disable); 146 #define V_set_disable VNET(set_disable) 147 148 VNET_DEFINE(int, fw_verbose); 149 /* counter for ipfw_log(NULL...) */ 150 VNET_DEFINE(u_int64_t, norule_counter); 151 VNET_DEFINE(int, verbose_limit); 152 153 /* layer3_chain contains the list of rules for layer 3 */ 154 VNET_DEFINE(struct ip_fw_chain, layer3_chain); 155 156 /* ipfw_vnet_ready controls when we are open for business */ 157 VNET_DEFINE(int, ipfw_vnet_ready) = 0; 158 159 VNET_DEFINE(int, ipfw_nat_ready) = 0; 160 161 ipfw_nat_t *ipfw_nat_ptr = NULL; 162 struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int); 163 ipfw_nat_cfg_t *ipfw_nat_cfg_ptr; 164 ipfw_nat_cfg_t *ipfw_nat_del_ptr; 165 ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; 166 ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; 167 168 #ifdef SYSCTL_NODE 169 uint32_t dummy_def = IPFW_DEFAULT_RULE; 170 static int sysctl_ipfw_table_num(SYSCTL_HANDLER_ARGS); 171 static int sysctl_ipfw_tables_sets(SYSCTL_HANDLER_ARGS); 172 173 SYSBEGIN(f3) 174 175 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); 176 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, one_pass, 177 CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_one_pass), 0, 178 "Only do a single pass through ipfw when using dummynet(4)"); 179 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, 180 CTLFLAG_RW, &VNET_NAME(autoinc_step), 0, 181 "Rule number auto-increment step"); 182 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose, 183 CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_verbose), 0, 184 "Log matches to ipfw rules"); 185 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, 186 CTLFLAG_RW, &VNET_NAME(verbose_limit), 0, 187 "Set upper limit of matches of ipfw rules logged"); 188 SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, default_rule, CTLFLAG_RD, 189 &dummy_def, 0, 190 "The default/max possible rule number."); 191 SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, tables_max, 192 CTLTYPE_UINT|CTLFLAG_RW, 0, 0, sysctl_ipfw_table_num, "IU", 193 "Maximum number of concurrently used tables"); 194 SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, tables_sets, 195 CTLTYPE_UINT|CTLFLAG_RW, 0, 0, sysctl_ipfw_tables_sets, "IU", 196 "Use per-set namespace for tables"); 197 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, default_to_accept, CTLFLAG_RDTUN, 198 &default_to_accept, 0, 199 "Make the default rule accept all packets."); 200 TUNABLE_INT("net.inet.ip.fw.tables_max", (int *)&default_fw_tables); 201 SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, static_count, 202 CTLFLAG_RD, &VNET_NAME(layer3_chain.n_rules), 0, 203 "Number of static rules"); 204 205 #ifdef INET6 206 SYSCTL_DECL(_net_inet6_ip6); 207 SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); 208 SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs, 209 CTLFLAG_RW | CTLFLAG_SECURE, &VNET_NAME(fw_deny_unknown_exthdrs), 0, 210 "Deny packets with unknown IPv6 Extension Headers"); 211 SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, permit_single_frag6, 212 CTLFLAG_RW | CTLFLAG_SECURE, &VNET_NAME(fw_permit_single_frag6), 0, 213 "Permit single packet IPv6 fragments"); 214 #endif /* INET6 */ 215 216 SYSEND 217 218 #endif /* SYSCTL_NODE */ 219 220 221 /* 222 * Some macros used in the various matching options. 223 * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T 224 * Other macros just cast void * into the appropriate type 225 */ 226 #define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl)) 227 #define TCP(p) ((struct tcphdr *)(p)) 228 #define SCTP(p) ((struct sctphdr *)(p)) 229 #define UDP(p) ((struct udphdr *)(p)) 230 #define ICMP(p) ((struct icmphdr *)(p)) 231 #define ICMP6(p) ((struct icmp6_hdr *)(p)) 232 233 static __inline int 234 icmptype_match(struct icmphdr *icmp, ipfw_insn_u32 *cmd) 235 { 236 int type = icmp->icmp_type; 237 238 return (type <= ICMP_MAXTYPE && (cmd->d[0] & (1<<type)) ); 239 } 240 241 #define TT ( (1 << ICMP_ECHO) | (1 << ICMP_ROUTERSOLICIT) | \ 242 (1 << ICMP_TSTAMP) | (1 << ICMP_IREQ) | (1 << ICMP_MASKREQ) ) 243 244 static int 245 is_icmp_query(struct icmphdr *icmp) 246 { 247 int type = icmp->icmp_type; 248 249 return (type <= ICMP_MAXTYPE && (TT & (1<<type)) ); 250 } 251 #undef TT 252 253 /* 254 * The following checks use two arrays of 8 or 16 bits to store the 255 * bits that we want set or clear, respectively. They are in the 256 * low and high half of cmd->arg1 or cmd->d[0]. 257 * 258 * We scan options and store the bits we find set. We succeed if 259 * 260 * (want_set & ~bits) == 0 && (want_clear & ~bits) == want_clear 261 * 262 * The code is sometimes optimized not to store additional variables. 263 */ 264 265 static int 266 flags_match(ipfw_insn *cmd, u_int8_t bits) 267 { 268 u_char want_clear; 269 bits = ~bits; 270 271 if ( ((cmd->arg1 & 0xff) & bits) != 0) 272 return 0; /* some bits we want set were clear */ 273 want_clear = (cmd->arg1 >> 8) & 0xff; 274 if ( (want_clear & bits) != want_clear) 275 return 0; /* some bits we want clear were set */ 276 return 1; 277 } 278 279 static int 280 ipopts_match(struct ip *ip, ipfw_insn *cmd) 281 { 282 int optlen, bits = 0; 283 u_char *cp = (u_char *)(ip + 1); 284 int x = (ip->ip_hl << 2) - sizeof (struct ip); 285 286 for (; x > 0; x -= optlen, cp += optlen) { 287 int opt = cp[IPOPT_OPTVAL]; 288 289 if (opt == IPOPT_EOL) 290 break; 291 if (opt == IPOPT_NOP) 292 optlen = 1; 293 else { 294 optlen = cp[IPOPT_OLEN]; 295 if (optlen <= 0 || optlen > x) 296 return 0; /* invalid or truncated */ 297 } 298 switch (opt) { 299 300 default: 301 break; 302 303 case IPOPT_LSRR: 304 bits |= IP_FW_IPOPT_LSRR; 305 break; 306 307 case IPOPT_SSRR: 308 bits |= IP_FW_IPOPT_SSRR; 309 break; 310 311 case IPOPT_RR: 312 bits |= IP_FW_IPOPT_RR; 313 break; 314 315 case IPOPT_TS: 316 bits |= IP_FW_IPOPT_TS; 317 break; 318 } 319 } 320 return (flags_match(cmd, bits)); 321 } 322 323 static int 324 tcpopts_match(struct tcphdr *tcp, ipfw_insn *cmd) 325 { 326 int optlen, bits = 0; 327 u_char *cp = (u_char *)(tcp + 1); 328 int x = (tcp->th_off << 2) - sizeof(struct tcphdr); 329 330 for (; x > 0; x -= optlen, cp += optlen) { 331 int opt = cp[0]; 332 if (opt == TCPOPT_EOL) 333 break; 334 if (opt == TCPOPT_NOP) 335 optlen = 1; 336 else { 337 optlen = cp[1]; 338 if (optlen <= 0) 339 break; 340 } 341 342 switch (opt) { 343 344 default: 345 break; 346 347 case TCPOPT_MAXSEG: 348 bits |= IP_FW_TCPOPT_MSS; 349 break; 350 351 case TCPOPT_WINDOW: 352 bits |= IP_FW_TCPOPT_WINDOW; 353 break; 354 355 case TCPOPT_SACK_PERMITTED: 356 case TCPOPT_SACK: 357 bits |= IP_FW_TCPOPT_SACK; 358 break; 359 360 case TCPOPT_TIMESTAMP: 361 bits |= IP_FW_TCPOPT_TS; 362 break; 363 364 } 365 } 366 return (flags_match(cmd, bits)); 367 } 368 369 static int 370 iface_match(struct ifnet *ifp, ipfw_insn_if *cmd, struct ip_fw_chain *chain, 371 uint32_t *tablearg) 372 { 373 374 if (ifp == NULL) /* no iface with this packet, match fails */ 375 return (0); 376 377 /* Check by name or by IP address */ 378 if (cmd->name[0] != '\0') { /* match by name */ 379 if (cmd->name[0] == '\1') /* use tablearg to match */ 380 return ipfw_lookup_table_extended(chain, cmd->p.kidx, 0, 381 &ifp->if_index, tablearg); 382 /* Check name */ 383 if (cmd->p.glob) { 384 if (fnmatch(cmd->name, ifp->if_xname, 0) == 0) 385 return(1); 386 } else { 387 if (strncmp(ifp->if_xname, cmd->name, IFNAMSIZ) == 0) 388 return(1); 389 } 390 } else { 391 #if !defined(USERSPACE) && defined(__FreeBSD__) /* and OSX too ? */ 392 struct ifaddr *ia; 393 394 if_addr_rlock(ifp); 395 TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) { 396 if (ia->ifa_addr->sa_family != AF_INET) 397 continue; 398 if (cmd->p.ip.s_addr == ((struct sockaddr_in *) 399 (ia->ifa_addr))->sin_addr.s_addr) { 400 if_addr_runlock(ifp); 401 return(1); /* match */ 402 } 403 } 404 if_addr_runlock(ifp); 405 #endif /* __FreeBSD__ */ 406 } 407 return(0); /* no match, fail ... */ 408 } 409 410 /* 411 * The verify_path function checks if a route to the src exists and 412 * if it is reachable via ifp (when provided). 413 * 414 * The 'verrevpath' option checks that the interface that an IP packet 415 * arrives on is the same interface that traffic destined for the 416 * packet's source address would be routed out of. 417 * The 'versrcreach' option just checks that the source address is 418 * reachable via any route (except default) in the routing table. 419 * These two are a measure to block forged packets. This is also 420 * commonly known as "anti-spoofing" or Unicast Reverse Path 421 * Forwarding (Unicast RFP) in Cisco-ese. The name of the knobs 422 * is purposely reminiscent of the Cisco IOS command, 423 * 424 * ip verify unicast reverse-path 425 * ip verify unicast source reachable-via any 426 * 427 * which implements the same functionality. But note that the syntax 428 * is misleading, and the check may be performed on all IP packets 429 * whether unicast, multicast, or broadcast. 430 */ 431 static int 432 verify_path(struct in_addr src, struct ifnet *ifp, u_int fib) 433 { 434 #if defined(USERSPACE) || !defined(__FreeBSD__) 435 return 0; 436 #else 437 struct route ro; 438 struct sockaddr_in *dst; 439 440 bzero(&ro, sizeof(ro)); 441 442 dst = (struct sockaddr_in *)&(ro.ro_dst); 443 dst->sin_family = AF_INET; 444 dst->sin_len = sizeof(*dst); 445 dst->sin_addr = src; 446 in_rtalloc_ign(&ro, 0, fib); 447 448 if (ro.ro_rt == NULL) 449 return 0; 450 451 /* 452 * If ifp is provided, check for equality with rtentry. 453 * We should use rt->rt_ifa->ifa_ifp, instead of rt->rt_ifp, 454 * in order to pass packets injected back by if_simloop(): 455 * routing entry (via lo0) for our own address 456 * may exist, so we need to handle routing assymetry. 457 */ 458 if (ifp != NULL && ro.ro_rt->rt_ifa->ifa_ifp != ifp) { 459 RTFREE(ro.ro_rt); 460 return 0; 461 } 462 463 /* if no ifp provided, check if rtentry is not default route */ 464 if (ifp == NULL && 465 satosin(rt_key(ro.ro_rt))->sin_addr.s_addr == INADDR_ANY) { 466 RTFREE(ro.ro_rt); 467 return 0; 468 } 469 470 /* or if this is a blackhole/reject route */ 471 if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) { 472 RTFREE(ro.ro_rt); 473 return 0; 474 } 475 476 /* found valid route */ 477 RTFREE(ro.ro_rt); 478 return 1; 479 #endif /* __FreeBSD__ */ 480 } 481 482 #ifdef INET6 483 /* 484 * ipv6 specific rules here... 485 */ 486 static __inline int 487 icmp6type_match (int type, ipfw_insn_u32 *cmd) 488 { 489 return (type <= ICMP6_MAXTYPE && (cmd->d[type/32] & (1<<(type%32)) ) ); 490 } 491 492 static int 493 flow6id_match( int curr_flow, ipfw_insn_u32 *cmd ) 494 { 495 int i; 496 for (i=0; i <= cmd->o.arg1; ++i ) 497 if (curr_flow == cmd->d[i] ) 498 return 1; 499 return 0; 500 } 501 502 /* support for IP6_*_ME opcodes */ 503 static int 504 search_ip6_addr_net (struct in6_addr * ip6_addr) 505 { 506 struct ifnet *mdc; 507 struct ifaddr *mdc2; 508 struct in6_ifaddr *fdm; 509 struct in6_addr copia; 510 511 TAILQ_FOREACH(mdc, &V_ifnet, if_link) { 512 if_addr_rlock(mdc); 513 TAILQ_FOREACH(mdc2, &mdc->if_addrhead, ifa_link) { 514 if (mdc2->ifa_addr->sa_family == AF_INET6) { 515 fdm = (struct in6_ifaddr *)mdc2; 516 copia = fdm->ia_addr.sin6_addr; 517 /* need for leaving scope_id in the sock_addr */ 518 in6_clearscope(&copia); 519 if (IN6_ARE_ADDR_EQUAL(ip6_addr, &copia)) { 520 if_addr_runlock(mdc); 521 return 1; 522 } 523 } 524 } 525 if_addr_runlock(mdc); 526 } 527 return 0; 528 } 529 530 static int 531 verify_path6(struct in6_addr *src, struct ifnet *ifp, u_int fib) 532 { 533 struct route_in6 ro; 534 struct sockaddr_in6 *dst; 535 536 bzero(&ro, sizeof(ro)); 537 538 dst = (struct sockaddr_in6 * )&(ro.ro_dst); 539 dst->sin6_family = AF_INET6; 540 dst->sin6_len = sizeof(*dst); 541 dst->sin6_addr = *src; 542 543 in6_rtalloc_ign(&ro, 0, fib); 544 if (ro.ro_rt == NULL) 545 return 0; 546 547 /* 548 * if ifp is provided, check for equality with rtentry 549 * We should use rt->rt_ifa->ifa_ifp, instead of rt->rt_ifp, 550 * to support the case of sending packets to an address of our own. 551 * (where the former interface is the first argument of if_simloop() 552 * (=ifp), the latter is lo0) 553 */ 554 if (ifp != NULL && ro.ro_rt->rt_ifa->ifa_ifp != ifp) { 555 RTFREE(ro.ro_rt); 556 return 0; 557 } 558 559 /* if no ifp provided, check if rtentry is not default route */ 560 if (ifp == NULL && 561 IN6_IS_ADDR_UNSPECIFIED(&satosin6(rt_key(ro.ro_rt))->sin6_addr)) { 562 RTFREE(ro.ro_rt); 563 return 0; 564 } 565 566 /* or if this is a blackhole/reject route */ 567 if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) { 568 RTFREE(ro.ro_rt); 569 return 0; 570 } 571 572 /* found valid route */ 573 RTFREE(ro.ro_rt); 574 return 1; 575 576 } 577 578 static int 579 is_icmp6_query(int icmp6_type) 580 { 581 if ((icmp6_type <= ICMP6_MAXTYPE) && 582 (icmp6_type == ICMP6_ECHO_REQUEST || 583 icmp6_type == ICMP6_MEMBERSHIP_QUERY || 584 icmp6_type == ICMP6_WRUREQUEST || 585 icmp6_type == ICMP6_FQDN_QUERY || 586 icmp6_type == ICMP6_NI_QUERY)) 587 return (1); 588 589 return (0); 590 } 591 592 static void 593 send_reject6(struct ip_fw_args *args, int code, u_int hlen, struct ip6_hdr *ip6) 594 { 595 struct mbuf *m; 596 597 m = args->m; 598 if (code == ICMP6_UNREACH_RST && args->f_id.proto == IPPROTO_TCP) { 599 struct tcphdr *tcp; 600 tcp = (struct tcphdr *)((char *)ip6 + hlen); 601 602 if ((tcp->th_flags & TH_RST) == 0) { 603 struct mbuf *m0; 604 m0 = ipfw_send_pkt(args->m, &(args->f_id), 605 ntohl(tcp->th_seq), ntohl(tcp->th_ack), 606 tcp->th_flags | TH_RST); 607 if (m0 != NULL) 608 ip6_output(m0, NULL, NULL, 0, NULL, NULL, 609 NULL); 610 } 611 FREE_PKT(m); 612 } else if (code != ICMP6_UNREACH_RST) { /* Send an ICMPv6 unreach. */ 613 #if 0 614 /* 615 * Unlike above, the mbufs need to line up with the ip6 hdr, 616 * as the contents are read. We need to m_adj() the 617 * needed amount. 618 * The mbuf will however be thrown away so we can adjust it. 619 * Remember we did an m_pullup on it already so we 620 * can make some assumptions about contiguousness. 621 */ 622 if (args->L3offset) 623 m_adj(m, args->L3offset); 624 #endif 625 icmp6_error(m, ICMP6_DST_UNREACH, code, 0); 626 } else 627 FREE_PKT(m); 628 629 args->m = NULL; 630 } 631 632 #endif /* INET6 */ 633 634 635 /* 636 * sends a reject message, consuming the mbuf passed as an argument. 637 */ 638 static void 639 send_reject(struct ip_fw_args *args, int code, int iplen, struct ip *ip) 640 { 641 642 #if 0 643 /* XXX When ip is not guaranteed to be at mtod() we will 644 * need to account for this */ 645 * The mbuf will however be thrown away so we can adjust it. 646 * Remember we did an m_pullup on it already so we 647 * can make some assumptions about contiguousness. 648 */ 649 if (args->L3offset) 650 m_adj(m, args->L3offset); 651 #endif 652 if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */ 653 icmp_error(args->m, ICMP_UNREACH, code, 0L, 0); 654 } else if (args->f_id.proto == IPPROTO_TCP) { 655 struct tcphdr *const tcp = 656 L3HDR(struct tcphdr, mtod(args->m, struct ip *)); 657 if ( (tcp->th_flags & TH_RST) == 0) { 658 struct mbuf *m; 659 m = ipfw_send_pkt(args->m, &(args->f_id), 660 ntohl(tcp->th_seq), ntohl(tcp->th_ack), 661 tcp->th_flags | TH_RST); 662 if (m != NULL) 663 ip_output(m, NULL, NULL, 0, NULL, NULL); 664 } 665 FREE_PKT(args->m); 666 } else 667 FREE_PKT(args->m); 668 args->m = NULL; 669 } 670 671 /* 672 * Support for uid/gid/jail lookup. These tests are expensive 673 * (because we may need to look into the list of active sockets) 674 * so we cache the results. ugid_lookupp is 0 if we have not 675 * yet done a lookup, 1 if we succeeded, and -1 if we tried 676 * and failed. The function always returns the match value. 677 * We could actually spare the variable and use *uc, setting 678 * it to '(void *)check_uidgid if we have no info, NULL if 679 * we tried and failed, or any other value if successful. 680 */ 681 static int 682 check_uidgid(ipfw_insn_u32 *insn, struct ip_fw_args *args, int *ugid_lookupp, 683 struct ucred **uc) 684 { 685 #if defined(USERSPACE) 686 return 0; // not supported in userspace 687 #else 688 #ifndef __FreeBSD__ 689 /* XXX */ 690 return cred_check(insn, proto, oif, 691 dst_ip, dst_port, src_ip, src_port, 692 (struct bsd_ucred *)uc, ugid_lookupp, ((struct mbuf *)inp)->m_skb); 693 #else /* FreeBSD */ 694 struct in_addr src_ip, dst_ip; 695 struct inpcbinfo *pi; 696 struct ipfw_flow_id *id; 697 struct inpcb *pcb, *inp; 698 struct ifnet *oif; 699 int lookupflags; 700 int match; 701 702 id = &args->f_id; 703 inp = args->inp; 704 oif = args->oif; 705 706 /* 707 * Check to see if the UDP or TCP stack supplied us with 708 * the PCB. If so, rather then holding a lock and looking 709 * up the PCB, we can use the one that was supplied. 710 */ 711 if (inp && *ugid_lookupp == 0) { 712 INP_LOCK_ASSERT(inp); 713 if (inp->inp_socket != NULL) { 714 *uc = crhold(inp->inp_cred); 715 *ugid_lookupp = 1; 716 } else 717 *ugid_lookupp = -1; 718 } 719 /* 720 * If we have already been here and the packet has no 721 * PCB entry associated with it, then we can safely 722 * assume that this is a no match. 723 */ 724 if (*ugid_lookupp == -1) 725 return (0); 726 if (id->proto == IPPROTO_TCP) { 727 lookupflags = 0; 728 pi = &V_tcbinfo; 729 } else if (id->proto == IPPROTO_UDP) { 730 lookupflags = INPLOOKUP_WILDCARD; 731 pi = &V_udbinfo; 732 } else 733 return 0; 734 lookupflags |= INPLOOKUP_RLOCKPCB; 735 match = 0; 736 if (*ugid_lookupp == 0) { 737 if (id->addr_type == 6) { 738 #ifdef INET6 739 if (oif == NULL) 740 pcb = in6_pcblookup_mbuf(pi, 741 &id->src_ip6, htons(id->src_port), 742 &id->dst_ip6, htons(id->dst_port), 743 lookupflags, oif, args->m); 744 else 745 pcb = in6_pcblookup_mbuf(pi, 746 &id->dst_ip6, htons(id->dst_port), 747 &id->src_ip6, htons(id->src_port), 748 lookupflags, oif, args->m); 749 #else 750 *ugid_lookupp = -1; 751 return (0); 752 #endif 753 } else { 754 src_ip.s_addr = htonl(id->src_ip); 755 dst_ip.s_addr = htonl(id->dst_ip); 756 if (oif == NULL) 757 pcb = in_pcblookup_mbuf(pi, 758 src_ip, htons(id->src_port), 759 dst_ip, htons(id->dst_port), 760 lookupflags, oif, args->m); 761 else 762 pcb = in_pcblookup_mbuf(pi, 763 dst_ip, htons(id->dst_port), 764 src_ip, htons(id->src_port), 765 lookupflags, oif, args->m); 766 } 767 if (pcb != NULL) { 768 INP_RLOCK_ASSERT(pcb); 769 *uc = crhold(pcb->inp_cred); 770 *ugid_lookupp = 1; 771 INP_RUNLOCK(pcb); 772 } 773 if (*ugid_lookupp == 0) { 774 /* 775 * We tried and failed, set the variable to -1 776 * so we will not try again on this packet. 777 */ 778 *ugid_lookupp = -1; 779 return (0); 780 } 781 } 782 if (insn->o.opcode == O_UID) 783 match = ((*uc)->cr_uid == (uid_t)insn->d[0]); 784 else if (insn->o.opcode == O_GID) 785 match = groupmember((gid_t)insn->d[0], *uc); 786 else if (insn->o.opcode == O_JAIL) 787 match = ((*uc)->cr_prison->pr_id == (int)insn->d[0]); 788 return (match); 789 #endif /* __FreeBSD__ */ 790 #endif /* not supported in userspace */ 791 } 792 793 /* 794 * Helper function to set args with info on the rule after the matching 795 * one. slot is precise, whereas we guess rule_id as they are 796 * assigned sequentially. 797 */ 798 static inline void 799 set_match(struct ip_fw_args *args, int slot, 800 struct ip_fw_chain *chain) 801 { 802 args->rule.chain_id = chain->id; 803 args->rule.slot = slot + 1; /* we use 0 as a marker */ 804 args->rule.rule_id = 1 + chain->map[slot]->id; 805 args->rule.rulenum = chain->map[slot]->rulenum; 806 } 807 808 #ifndef LINEAR_SKIPTO 809 /* 810 * Helper function to enable cached rule lookups using 811 * cached_id and cached_pos fields in ipfw rule. 812 */ 813 static int 814 jump_fast(struct ip_fw_chain *chain, struct ip_fw *f, int num, 815 int tablearg, int jump_backwards) 816 { 817 int f_pos; 818 819 /* If possible use cached f_pos (in f->cached_pos), 820 * whose version is written in f->cached_id 821 * (horrible hacks to avoid changing the ABI). 822 */ 823 if (num != IP_FW_TARG && f->cached_id == chain->id) 824 f_pos = f->cached_pos; 825 else { 826 int i = IP_FW_ARG_TABLEARG(chain, num, skipto); 827 /* make sure we do not jump backward */ 828 if (jump_backwards == 0 && i <= f->rulenum) 829 i = f->rulenum + 1; 830 if (chain->idxmap != NULL) 831 f_pos = chain->idxmap[i]; 832 else 833 f_pos = ipfw_find_rule(chain, i, 0); 834 /* update the cache */ 835 if (num != IP_FW_TARG) { 836 f->cached_id = chain->id; 837 f->cached_pos = f_pos; 838 } 839 } 840 841 return (f_pos); 842 } 843 #else 844 /* 845 * Helper function to enable real fast rule lookups. 846 */ 847 static int 848 jump_linear(struct ip_fw_chain *chain, struct ip_fw *f, int num, 849 int tablearg, int jump_backwards) 850 { 851 int f_pos; 852 853 num = IP_FW_ARG_TABLEARG(chain, num, skipto); 854 /* make sure we do not jump backward */ 855 if (jump_backwards == 0 && num <= f->rulenum) 856 num = f->rulenum + 1; 857 f_pos = chain->idxmap[num]; 858 859 return (f_pos); 860 } 861 #endif 862 863 #define TARG(k, f) IP_FW_ARG_TABLEARG(chain, k, f) 864 /* 865 * The main check routine for the firewall. 866 * 867 * All arguments are in args so we can modify them and return them 868 * back to the caller. 869 * 870 * Parameters: 871 * 872 * args->m (in/out) The packet; we set to NULL when/if we nuke it. 873 * Starts with the IP header. 874 * args->eh (in) Mac header if present, NULL for layer3 packet. 875 * args->L3offset Number of bytes bypassed if we came from L2. 876 * e.g. often sizeof(eh) ** NOTYET ** 877 * args->oif Outgoing interface, NULL if packet is incoming. 878 * The incoming interface is in the mbuf. (in) 879 * args->divert_rule (in/out) 880 * Skip up to the first rule past this rule number; 881 * upon return, non-zero port number for divert or tee. 882 * 883 * args->rule Pointer to the last matching rule (in/out) 884 * args->next_hop Socket we are forwarding to (out). 885 * args->next_hop6 IPv6 next hop we are forwarding to (out). 886 * args->f_id Addresses grabbed from the packet (out) 887 * args->rule.info a cookie depending on rule action 888 * 889 * Return value: 890 * 891 * IP_FW_PASS the packet must be accepted 892 * IP_FW_DENY the packet must be dropped 893 * IP_FW_DIVERT divert packet, port in m_tag 894 * IP_FW_TEE tee packet, port in m_tag 895 * IP_FW_DUMMYNET to dummynet, pipe in args->cookie 896 * IP_FW_NETGRAPH into netgraph, cookie args->cookie 897 * args->rule contains the matching rule, 898 * args->rule.info has additional information. 899 * 900 */ 901 int 902 ipfw_chk(struct ip_fw_args *args) 903 { 904 905 /* 906 * Local variables holding state while processing a packet: 907 * 908 * IMPORTANT NOTE: to speed up the processing of rules, there 909 * are some assumption on the values of the variables, which 910 * are documented here. Should you change them, please check 911 * the implementation of the various instructions to make sure 912 * that they still work. 913 * 914 * args->eh The MAC header. It is non-null for a layer2 915 * packet, it is NULL for a layer-3 packet. 916 * **notyet** 917 * args->L3offset Offset in the packet to the L3 (IP or equiv.) header. 918 * 919 * m | args->m Pointer to the mbuf, as received from the caller. 920 * It may change if ipfw_chk() does an m_pullup, or if it 921 * consumes the packet because it calls send_reject(). 922 * XXX This has to change, so that ipfw_chk() never modifies 923 * or consumes the buffer. 924 * ip is the beginning of the ip(4 or 6) header. 925 * Calculated by adding the L3offset to the start of data. 926 * (Until we start using L3offset, the packet is 927 * supposed to start with the ip header). 928 */ 929 struct mbuf *m = args->m; 930 struct ip *ip = mtod(m, struct ip *); 931 932 /* 933 * For rules which contain uid/gid or jail constraints, cache 934 * a copy of the users credentials after the pcb lookup has been 935 * executed. This will speed up the processing of rules with 936 * these types of constraints, as well as decrease contention 937 * on pcb related locks. 938 */ 939 #ifndef __FreeBSD__ 940 struct bsd_ucred ucred_cache; 941 #else 942 struct ucred *ucred_cache = NULL; 943 #endif 944 int ucred_lookup = 0; 945 946 /* 947 * oif | args->oif If NULL, ipfw_chk has been called on the 948 * inbound path (ether_input, ip_input). 949 * If non-NULL, ipfw_chk has been called on the outbound path 950 * (ether_output, ip_output). 951 */ 952 struct ifnet *oif = args->oif; 953 954 int f_pos = 0; /* index of current rule in the array */ 955 int retval = 0; 956 957 /* 958 * hlen The length of the IP header. 959 */ 960 u_int hlen = 0; /* hlen >0 means we have an IP pkt */ 961 962 /* 963 * offset The offset of a fragment. offset != 0 means that 964 * we have a fragment at this offset of an IPv4 packet. 965 * offset == 0 means that (if this is an IPv4 packet) 966 * this is the first or only fragment. 967 * For IPv6 offset|ip6f_mf == 0 means there is no Fragment Header 968 * or there is a single packet fragement (fragement header added 969 * without needed). We will treat a single packet fragment as if 970 * there was no fragment header (or log/block depending on the 971 * V_fw_permit_single_frag6 sysctl setting). 972 */ 973 u_short offset = 0; 974 u_short ip6f_mf = 0; 975 976 /* 977 * Local copies of addresses. They are only valid if we have 978 * an IP packet. 979 * 980 * proto The protocol. Set to 0 for non-ip packets, 981 * or to the protocol read from the packet otherwise. 982 * proto != 0 means that we have an IPv4 packet. 983 * 984 * src_port, dst_port port numbers, in HOST format. Only 985 * valid for TCP and UDP packets. 986 * 987 * src_ip, dst_ip ip addresses, in NETWORK format. 988 * Only valid for IPv4 packets. 989 */ 990 uint8_t proto; 991 uint16_t src_port = 0, dst_port = 0; /* NOTE: host format */ 992 struct in_addr src_ip, dst_ip; /* NOTE: network format */ 993 uint16_t iplen=0; 994 int pktlen; 995 uint16_t etype = 0; /* Host order stored ether type */ 996 997 /* 998 * dyn_dir = MATCH_UNKNOWN when rules unchecked, 999 * MATCH_NONE when checked and not matched (q = NULL), 1000 * MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL) 1001 */ 1002 int dyn_dir = MATCH_UNKNOWN; 1003 ipfw_dyn_rule *q = NULL; 1004 struct ip_fw_chain *chain = &V_layer3_chain; 1005 1006 /* 1007 * We store in ulp a pointer to the upper layer protocol header. 1008 * In the ipv4 case this is easy to determine from the header, 1009 * but for ipv6 we might have some additional headers in the middle. 1010 * ulp is NULL if not found. 1011 */ 1012 void *ulp = NULL; /* upper layer protocol pointer. */ 1013 1014 /* XXX ipv6 variables */ 1015 int is_ipv6 = 0; 1016 uint8_t icmp6_type = 0; 1017 uint16_t ext_hd = 0; /* bits vector for extension header filtering */ 1018 /* end of ipv6 variables */ 1019 1020 int is_ipv4 = 0; 1021 1022 int done = 0; /* flag to exit the outer loop */ 1023 IPFW_RLOCK_TRACKER; 1024 1025 if (m->m_flags & M_SKIP_FIREWALL || (! V_ipfw_vnet_ready)) 1026 return (IP_FW_PASS); /* accept */ 1027 1028 dst_ip.s_addr = 0; /* make sure it is initialized */ 1029 src_ip.s_addr = 0; /* make sure it is initialized */ 1030 pktlen = m->m_pkthdr.len; 1031 args->f_id.fib = M_GETFIB(m); /* note mbuf not altered) */ 1032 proto = args->f_id.proto = 0; /* mark f_id invalid */ 1033 /* XXX 0 is a valid proto: IP/IPv6 Hop-by-Hop Option */ 1034 1035 /* 1036 * PULLUP_TO(len, p, T) makes sure that len + sizeof(T) is contiguous, 1037 * then it sets p to point at the offset "len" in the mbuf. WARNING: the 1038 * pointer might become stale after other pullups (but we never use it 1039 * this way). 1040 */ 1041 #define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T)) 1042 #define PULLUP_LEN(_len, p, T) \ 1043 do { \ 1044 int x = (_len) + T; \ 1045 if ((m)->m_len < x) { \ 1046 args->m = m = m_pullup(m, x); \ 1047 if (m == NULL) \ 1048 goto pullup_failed; \ 1049 } \ 1050 p = (mtod(m, char *) + (_len)); \ 1051 } while (0) 1052 1053 /* 1054 * if we have an ether header, 1055 */ 1056 if (args->eh) 1057 etype = ntohs(args->eh->ether_type); 1058 1059 /* Identify IP packets and fill up variables. */ 1060 if (pktlen >= sizeof(struct ip6_hdr) && 1061 (args->eh == NULL || etype == ETHERTYPE_IPV6) && ip->ip_v == 6) { 1062 struct ip6_hdr *ip6 = (struct ip6_hdr *)ip; 1063 is_ipv6 = 1; 1064 args->f_id.addr_type = 6; 1065 hlen = sizeof(struct ip6_hdr); 1066 proto = ip6->ip6_nxt; 1067 1068 /* Search extension headers to find upper layer protocols */ 1069 while (ulp == NULL && offset == 0) { 1070 switch (proto) { 1071 case IPPROTO_ICMPV6: 1072 PULLUP_TO(hlen, ulp, struct icmp6_hdr); 1073 icmp6_type = ICMP6(ulp)->icmp6_type; 1074 break; 1075 1076 case IPPROTO_TCP: 1077 PULLUP_TO(hlen, ulp, struct tcphdr); 1078 dst_port = TCP(ulp)->th_dport; 1079 src_port = TCP(ulp)->th_sport; 1080 /* save flags for dynamic rules */ 1081 args->f_id._flags = TCP(ulp)->th_flags; 1082 break; 1083 1084 case IPPROTO_SCTP: 1085 PULLUP_TO(hlen, ulp, struct sctphdr); 1086 src_port = SCTP(ulp)->src_port; 1087 dst_port = SCTP(ulp)->dest_port; 1088 break; 1089 1090 case IPPROTO_UDP: 1091 PULLUP_TO(hlen, ulp, struct udphdr); 1092 dst_port = UDP(ulp)->uh_dport; 1093 src_port = UDP(ulp)->uh_sport; 1094 break; 1095 1096 case IPPROTO_HOPOPTS: /* RFC 2460 */ 1097 PULLUP_TO(hlen, ulp, struct ip6_hbh); 1098 ext_hd |= EXT_HOPOPTS; 1099 hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3; 1100 proto = ((struct ip6_hbh *)ulp)->ip6h_nxt; 1101 ulp = NULL; 1102 break; 1103 1104 case IPPROTO_ROUTING: /* RFC 2460 */ 1105 PULLUP_TO(hlen, ulp, struct ip6_rthdr); 1106 switch (((struct ip6_rthdr *)ulp)->ip6r_type) { 1107 case 0: 1108 ext_hd |= EXT_RTHDR0; 1109 break; 1110 case 2: 1111 ext_hd |= EXT_RTHDR2; 1112 break; 1113 default: 1114 if (V_fw_verbose) 1115 printf("IPFW2: IPV6 - Unknown " 1116 "Routing Header type(%d)\n", 1117 ((struct ip6_rthdr *) 1118 ulp)->ip6r_type); 1119 if (V_fw_deny_unknown_exthdrs) 1120 return (IP_FW_DENY); 1121 break; 1122 } 1123 ext_hd |= EXT_ROUTING; 1124 hlen += (((struct ip6_rthdr *)ulp)->ip6r_len + 1) << 3; 1125 proto = ((struct ip6_rthdr *)ulp)->ip6r_nxt; 1126 ulp = NULL; 1127 break; 1128 1129 case IPPROTO_FRAGMENT: /* RFC 2460 */ 1130 PULLUP_TO(hlen, ulp, struct ip6_frag); 1131 ext_hd |= EXT_FRAGMENT; 1132 hlen += sizeof (struct ip6_frag); 1133 proto = ((struct ip6_frag *)ulp)->ip6f_nxt; 1134 offset = ((struct ip6_frag *)ulp)->ip6f_offlg & 1135 IP6F_OFF_MASK; 1136 ip6f_mf = ((struct ip6_frag *)ulp)->ip6f_offlg & 1137 IP6F_MORE_FRAG; 1138 if (V_fw_permit_single_frag6 == 0 && 1139 offset == 0 && ip6f_mf == 0) { 1140 if (V_fw_verbose) 1141 printf("IPFW2: IPV6 - Invalid " 1142 "Fragment Header\n"); 1143 if (V_fw_deny_unknown_exthdrs) 1144 return (IP_FW_DENY); 1145 break; 1146 } 1147 args->f_id.extra = 1148 ntohl(((struct ip6_frag *)ulp)->ip6f_ident); 1149 ulp = NULL; 1150 break; 1151 1152 case IPPROTO_DSTOPTS: /* RFC 2460 */ 1153 PULLUP_TO(hlen, ulp, struct ip6_hbh); 1154 ext_hd |= EXT_DSTOPTS; 1155 hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3; 1156 proto = ((struct ip6_hbh *)ulp)->ip6h_nxt; 1157 ulp = NULL; 1158 break; 1159 1160 case IPPROTO_AH: /* RFC 2402 */ 1161 PULLUP_TO(hlen, ulp, struct ip6_ext); 1162 ext_hd |= EXT_AH; 1163 hlen += (((struct ip6_ext *)ulp)->ip6e_len + 2) << 2; 1164 proto = ((struct ip6_ext *)ulp)->ip6e_nxt; 1165 ulp = NULL; 1166 break; 1167 1168 case IPPROTO_ESP: /* RFC 2406 */ 1169 PULLUP_TO(hlen, ulp, uint32_t); /* SPI, Seq# */ 1170 /* Anything past Seq# is variable length and 1171 * data past this ext. header is encrypted. */ 1172 ext_hd |= EXT_ESP; 1173 break; 1174 1175 case IPPROTO_NONE: /* RFC 2460 */ 1176 /* 1177 * Packet ends here, and IPv6 header has 1178 * already been pulled up. If ip6e_len!=0 1179 * then octets must be ignored. 1180 */ 1181 ulp = ip; /* non-NULL to get out of loop. */ 1182 break; 1183 1184 case IPPROTO_OSPFIGP: 1185 /* XXX OSPF header check? */ 1186 PULLUP_TO(hlen, ulp, struct ip6_ext); 1187 break; 1188 1189 case IPPROTO_PIM: 1190 /* XXX PIM header check? */ 1191 PULLUP_TO(hlen, ulp, struct pim); 1192 break; 1193 1194 case IPPROTO_CARP: 1195 PULLUP_TO(hlen, ulp, struct carp_header); 1196 if (((struct carp_header *)ulp)->carp_version != 1197 CARP_VERSION) 1198 return (IP_FW_DENY); 1199 if (((struct carp_header *)ulp)->carp_type != 1200 CARP_ADVERTISEMENT) 1201 return (IP_FW_DENY); 1202 break; 1203 1204 case IPPROTO_IPV6: /* RFC 2893 */ 1205 PULLUP_TO(hlen, ulp, struct ip6_hdr); 1206 break; 1207 1208 case IPPROTO_IPV4: /* RFC 2893 */ 1209 PULLUP_TO(hlen, ulp, struct ip); 1210 break; 1211 1212 default: 1213 if (V_fw_verbose) 1214 printf("IPFW2: IPV6 - Unknown " 1215 "Extension Header(%d), ext_hd=%x\n", 1216 proto, ext_hd); 1217 if (V_fw_deny_unknown_exthdrs) 1218 return (IP_FW_DENY); 1219 PULLUP_TO(hlen, ulp, struct ip6_ext); 1220 break; 1221 } /*switch */ 1222 } 1223 ip = mtod(m, struct ip *); 1224 ip6 = (struct ip6_hdr *)ip; 1225 args->f_id.src_ip6 = ip6->ip6_src; 1226 args->f_id.dst_ip6 = ip6->ip6_dst; 1227 args->f_id.src_ip = 0; 1228 args->f_id.dst_ip = 0; 1229 args->f_id.flow_id6 = ntohl(ip6->ip6_flow); 1230 } else if (pktlen >= sizeof(struct ip) && 1231 (args->eh == NULL || etype == ETHERTYPE_IP) && ip->ip_v == 4) { 1232 is_ipv4 = 1; 1233 hlen = ip->ip_hl << 2; 1234 args->f_id.addr_type = 4; 1235 1236 /* 1237 * Collect parameters into local variables for faster matching. 1238 */ 1239 proto = ip->ip_p; 1240 src_ip = ip->ip_src; 1241 dst_ip = ip->ip_dst; 1242 offset = ntohs(ip->ip_off) & IP_OFFMASK; 1243 iplen = ntohs(ip->ip_len); 1244 pktlen = iplen < pktlen ? iplen : pktlen; 1245 1246 if (offset == 0) { 1247 switch (proto) { 1248 case IPPROTO_TCP: 1249 PULLUP_TO(hlen, ulp, struct tcphdr); 1250 dst_port = TCP(ulp)->th_dport; 1251 src_port = TCP(ulp)->th_sport; 1252 /* save flags for dynamic rules */ 1253 args->f_id._flags = TCP(ulp)->th_flags; 1254 break; 1255 1256 case IPPROTO_SCTP: 1257 PULLUP_TO(hlen, ulp, struct sctphdr); 1258 src_port = SCTP(ulp)->src_port; 1259 dst_port = SCTP(ulp)->dest_port; 1260 break; 1261 1262 case IPPROTO_UDP: 1263 PULLUP_TO(hlen, ulp, struct udphdr); 1264 dst_port = UDP(ulp)->uh_dport; 1265 src_port = UDP(ulp)->uh_sport; 1266 break; 1267 1268 case IPPROTO_ICMP: 1269 PULLUP_TO(hlen, ulp, struct icmphdr); 1270 //args->f_id.flags = ICMP(ulp)->icmp_type; 1271 break; 1272 1273 default: 1274 break; 1275 } 1276 } 1277 1278 ip = mtod(m, struct ip *); 1279 args->f_id.src_ip = ntohl(src_ip.s_addr); 1280 args->f_id.dst_ip = ntohl(dst_ip.s_addr); 1281 } 1282 #undef PULLUP_TO 1283 if (proto) { /* we may have port numbers, store them */ 1284 args->f_id.proto = proto; 1285 args->f_id.src_port = src_port = ntohs(src_port); 1286 args->f_id.dst_port = dst_port = ntohs(dst_port); 1287 } 1288 1289 IPFW_PF_RLOCK(chain); 1290 if (! V_ipfw_vnet_ready) { /* shutting down, leave NOW. */ 1291 IPFW_PF_RUNLOCK(chain); 1292 return (IP_FW_PASS); /* accept */ 1293 } 1294 if (args->rule.slot) { 1295 /* 1296 * Packet has already been tagged as a result of a previous 1297 * match on rule args->rule aka args->rule_id (PIPE, QUEUE, 1298 * REASS, NETGRAPH, DIVERT/TEE...) 1299 * Validate the slot and continue from the next one 1300 * if still present, otherwise do a lookup. 1301 */ 1302 f_pos = (args->rule.chain_id == chain->id) ? 1303 args->rule.slot : 1304 ipfw_find_rule(chain, args->rule.rulenum, 1305 args->rule.rule_id); 1306 } else { 1307 f_pos = 0; 1308 } 1309 1310 /* 1311 * Now scan the rules, and parse microinstructions for each rule. 1312 * We have two nested loops and an inner switch. Sometimes we 1313 * need to break out of one or both loops, or re-enter one of 1314 * the loops with updated variables. Loop variables are: 1315 * 1316 * f_pos (outer loop) points to the current rule. 1317 * On output it points to the matching rule. 1318 * done (outer loop) is used as a flag to break the loop. 1319 * l (inner loop) residual length of current rule. 1320 * cmd points to the current microinstruction. 1321 * 1322 * We break the inner loop by setting l=0 and possibly 1323 * cmdlen=0 if we don't want to advance cmd. 1324 * We break the outer loop by setting done=1 1325 * We can restart the inner loop by setting l>0 and f_pos, f, cmd 1326 * as needed. 1327 */ 1328 for (; f_pos < chain->n_rules; f_pos++) { 1329 ipfw_insn *cmd; 1330 uint32_t tablearg = 0; 1331 int l, cmdlen, skip_or; /* skip rest of OR block */ 1332 struct ip_fw *f; 1333 1334 f = chain->map[f_pos]; 1335 if (V_set_disable & (1 << f->set) ) 1336 continue; 1337 1338 skip_or = 0; 1339 for (l = f->cmd_len, cmd = f->cmd ; l > 0 ; 1340 l -= cmdlen, cmd += cmdlen) { 1341 int match; 1342 1343 /* 1344 * check_body is a jump target used when we find a 1345 * CHECK_STATE, and need to jump to the body of 1346 * the target rule. 1347 */ 1348 1349 /* check_body: */ 1350 cmdlen = F_LEN(cmd); 1351 /* 1352 * An OR block (insn_1 || .. || insn_n) has the 1353 * F_OR bit set in all but the last instruction. 1354 * The first match will set "skip_or", and cause 1355 * the following instructions to be skipped until 1356 * past the one with the F_OR bit clear. 1357 */ 1358 if (skip_or) { /* skip this instruction */ 1359 if ((cmd->len & F_OR) == 0) 1360 skip_or = 0; /* next one is good */ 1361 continue; 1362 } 1363 match = 0; /* set to 1 if we succeed */ 1364 1365 switch (cmd->opcode) { 1366 /* 1367 * The first set of opcodes compares the packet's 1368 * fields with some pattern, setting 'match' if a 1369 * match is found. At the end of the loop there is 1370 * logic to deal with F_NOT and F_OR flags associated 1371 * with the opcode. 1372 */ 1373 case O_NOP: 1374 match = 1; 1375 break; 1376 1377 case O_FORWARD_MAC: 1378 printf("ipfw: opcode %d unimplemented\n", 1379 cmd->opcode); 1380 break; 1381 1382 case O_GID: 1383 case O_UID: 1384 case O_JAIL: 1385 /* 1386 * We only check offset == 0 && proto != 0, 1387 * as this ensures that we have a 1388 * packet with the ports info. 1389 */ 1390 if (offset != 0) 1391 break; 1392 if (proto == IPPROTO_TCP || 1393 proto == IPPROTO_UDP) 1394 match = check_uidgid( 1395 (ipfw_insn_u32 *)cmd, 1396 args, &ucred_lookup, 1397 #ifdef __FreeBSD__ 1398 &ucred_cache); 1399 #else 1400 (void *)&ucred_cache); 1401 #endif 1402 break; 1403 1404 case O_RECV: 1405 match = iface_match(m->m_pkthdr.rcvif, 1406 (ipfw_insn_if *)cmd, chain, &tablearg); 1407 break; 1408 1409 case O_XMIT: 1410 match = iface_match(oif, (ipfw_insn_if *)cmd, 1411 chain, &tablearg); 1412 break; 1413 1414 case O_VIA: 1415 match = iface_match(oif ? oif : 1416 m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd, 1417 chain, &tablearg); 1418 break; 1419 1420 case O_MACADDR2: 1421 if (args->eh != NULL) { /* have MAC header */ 1422 u_int32_t *want = (u_int32_t *) 1423 ((ipfw_insn_mac *)cmd)->addr; 1424 u_int32_t *mask = (u_int32_t *) 1425 ((ipfw_insn_mac *)cmd)->mask; 1426 u_int32_t *hdr = (u_int32_t *)args->eh; 1427 1428 match = 1429 ( want[0] == (hdr[0] & mask[0]) && 1430 want[1] == (hdr[1] & mask[1]) && 1431 want[2] == (hdr[2] & mask[2]) ); 1432 } 1433 break; 1434 1435 case O_MAC_TYPE: 1436 if (args->eh != NULL) { 1437 u_int16_t *p = 1438 ((ipfw_insn_u16 *)cmd)->ports; 1439 int i; 1440 1441 for (i = cmdlen - 1; !match && i>0; 1442 i--, p += 2) 1443 match = (etype >= p[0] && 1444 etype <= p[1]); 1445 } 1446 break; 1447 1448 case O_FRAG: 1449 match = (offset != 0); 1450 break; 1451 1452 case O_IN: /* "out" is "not in" */ 1453 match = (oif == NULL); 1454 break; 1455 1456 case O_LAYER2: 1457 match = (args->eh != NULL); 1458 break; 1459 1460 case O_DIVERTED: 1461 { 1462 /* For diverted packets, args->rule.info 1463 * contains the divert port (in host format) 1464 * reason and direction. 1465 */ 1466 uint32_t i = args->rule.info; 1467 match = (i&IPFW_IS_MASK) == IPFW_IS_DIVERT && 1468 cmd->arg1 & ((i & IPFW_INFO_IN) ? 1 : 2); 1469 } 1470 break; 1471 1472 case O_PROTO: 1473 /* 1474 * We do not allow an arg of 0 so the 1475 * check of "proto" only suffices. 1476 */ 1477 match = (proto == cmd->arg1); 1478 break; 1479 1480 case O_IP_SRC: 1481 match = is_ipv4 && 1482 (((ipfw_insn_ip *)cmd)->addr.s_addr == 1483 src_ip.s_addr); 1484 break; 1485 1486 case O_IP_SRC_LOOKUP: 1487 case O_IP_DST_LOOKUP: 1488 if (is_ipv4) { 1489 uint32_t key = 1490 (cmd->opcode == O_IP_DST_LOOKUP) ? 1491 dst_ip.s_addr : src_ip.s_addr; 1492 uint32_t v = 0; 1493 1494 if (cmdlen > F_INSN_SIZE(ipfw_insn_u32)) { 1495 /* generic lookup. The key must be 1496 * in 32bit big-endian format. 1497 */ 1498 v = ((ipfw_insn_u32 *)cmd)->d[1]; 1499 if (v == 0) 1500 key = dst_ip.s_addr; 1501 else if (v == 1) 1502 key = src_ip.s_addr; 1503 else if (v == 6) /* dscp */ 1504 key = (ip->ip_tos >> 2) & 0x3f; 1505 else if (offset != 0) 1506 break; 1507 else if (proto != IPPROTO_TCP && 1508 proto != IPPROTO_UDP) 1509 break; 1510 else if (v == 2) 1511 key = dst_port; 1512 else if (v == 3) 1513 key = src_port; 1514 #ifndef USERSPACE 1515 else if (v == 4 || v == 5) { 1516 check_uidgid( 1517 (ipfw_insn_u32 *)cmd, 1518 args, &ucred_lookup, 1519 #ifdef __FreeBSD__ 1520 &ucred_cache); 1521 if (v == 4 /* O_UID */) 1522 key = ucred_cache->cr_uid; 1523 else if (v == 5 /* O_JAIL */) 1524 key = ucred_cache->cr_prison->pr_id; 1525 #else /* !__FreeBSD__ */ 1526 (void *)&ucred_cache); 1527 if (v ==4 /* O_UID */) 1528 key = ucred_cache.uid; 1529 else if (v == 5 /* O_JAIL */) 1530 key = ucred_cache.xid; 1531 #endif /* !__FreeBSD__ */ 1532 } else 1533 #endif /* !USERSPACE */ 1534 break; 1535 } 1536 match = ipfw_lookup_table(chain, 1537 cmd->arg1, key, &v); 1538 if (!match) 1539 break; 1540 if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) 1541 match = 1542 ((ipfw_insn_u32 *)cmd)->d[0] == v; 1543 else 1544 tablearg = v; 1545 } else if (is_ipv6) { 1546 uint32_t v = 0; 1547 void *pkey = (cmd->opcode == O_IP_DST_LOOKUP) ? 1548 &args->f_id.dst_ip6: &args->f_id.src_ip6; 1549 match = ipfw_lookup_table_extended(chain, 1550 cmd->arg1, 1551 sizeof(struct in6_addr), 1552 pkey, &v); 1553 if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) 1554 match = ((ipfw_insn_u32 *)cmd)->d[0] == v; 1555 if (match) 1556 tablearg = v; 1557 } 1558 break; 1559 1560 case O_IP_FLOW_LOOKUP: 1561 { 1562 uint32_t v = 0; 1563 match = ipfw_lookup_table_extended(chain, 1564 cmd->arg1, 0, &args->f_id, &v); 1565 if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) 1566 match = ((ipfw_insn_u32 *)cmd)->d[0] == v; 1567 if (match) 1568 tablearg = v; 1569 } 1570 break; 1571 case O_IP_SRC_MASK: 1572 case O_IP_DST_MASK: 1573 if (is_ipv4) { 1574 uint32_t a = 1575 (cmd->opcode == O_IP_DST_MASK) ? 1576 dst_ip.s_addr : src_ip.s_addr; 1577 uint32_t *p = ((ipfw_insn_u32 *)cmd)->d; 1578 int i = cmdlen-1; 1579 1580 for (; !match && i>0; i-= 2, p+= 2) 1581 match = (p[0] == (a & p[1])); 1582 } 1583 break; 1584 1585 case O_IP_SRC_ME: 1586 if (is_ipv4) { 1587 struct ifnet *tif; 1588 1589 INADDR_TO_IFP(src_ip, tif); 1590 match = (tif != NULL); 1591 break; 1592 } 1593 #ifdef INET6 1594 /* FALLTHROUGH */ 1595 case O_IP6_SRC_ME: 1596 match= is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6); 1597 #endif 1598 break; 1599 1600 case O_IP_DST_SET: 1601 case O_IP_SRC_SET: 1602 if (is_ipv4) { 1603 u_int32_t *d = (u_int32_t *)(cmd+1); 1604 u_int32_t addr = 1605 cmd->opcode == O_IP_DST_SET ? 1606 args->f_id.dst_ip : 1607 args->f_id.src_ip; 1608 1609 if (addr < d[0]) 1610 break; 1611 addr -= d[0]; /* subtract base */ 1612 match = (addr < cmd->arg1) && 1613 ( d[ 1 + (addr>>5)] & 1614 (1<<(addr & 0x1f)) ); 1615 } 1616 break; 1617 1618 case O_IP_DST: 1619 match = is_ipv4 && 1620 (((ipfw_insn_ip *)cmd)->addr.s_addr == 1621 dst_ip.s_addr); 1622 break; 1623 1624 case O_IP_DST_ME: 1625 if (is_ipv4) { 1626 struct ifnet *tif; 1627 1628 INADDR_TO_IFP(dst_ip, tif); 1629 match = (tif != NULL); 1630 break; 1631 } 1632 #ifdef INET6 1633 /* FALLTHROUGH */ 1634 case O_IP6_DST_ME: 1635 match= is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6); 1636 #endif 1637 break; 1638 1639 1640 case O_IP_SRCPORT: 1641 case O_IP_DSTPORT: 1642 /* 1643 * offset == 0 && proto != 0 is enough 1644 * to guarantee that we have a 1645 * packet with port info. 1646 */ 1647 if ((proto==IPPROTO_UDP || proto==IPPROTO_TCP) 1648 && offset == 0) { 1649 u_int16_t x = 1650 (cmd->opcode == O_IP_SRCPORT) ? 1651 src_port : dst_port ; 1652 u_int16_t *p = 1653 ((ipfw_insn_u16 *)cmd)->ports; 1654 int i; 1655 1656 for (i = cmdlen - 1; !match && i>0; 1657 i--, p += 2) 1658 match = (x>=p[0] && x<=p[1]); 1659 } 1660 break; 1661 1662 case O_ICMPTYPE: 1663 match = (offset == 0 && proto==IPPROTO_ICMP && 1664 icmptype_match(ICMP(ulp), (ipfw_insn_u32 *)cmd) ); 1665 break; 1666 1667 #ifdef INET6 1668 case O_ICMP6TYPE: 1669 match = is_ipv6 && offset == 0 && 1670 proto==IPPROTO_ICMPV6 && 1671 icmp6type_match( 1672 ICMP6(ulp)->icmp6_type, 1673 (ipfw_insn_u32 *)cmd); 1674 break; 1675 #endif /* INET6 */ 1676 1677 case O_IPOPT: 1678 match = (is_ipv4 && 1679 ipopts_match(ip, cmd) ); 1680 break; 1681 1682 case O_IPVER: 1683 match = (is_ipv4 && 1684 cmd->arg1 == ip->ip_v); 1685 break; 1686 1687 case O_IPID: 1688 case O_IPLEN: 1689 case O_IPTTL: 1690 if (is_ipv4) { /* only for IP packets */ 1691 uint16_t x; 1692 uint16_t *p; 1693 int i; 1694 1695 if (cmd->opcode == O_IPLEN) 1696 x = iplen; 1697 else if (cmd->opcode == O_IPTTL) 1698 x = ip->ip_ttl; 1699 else /* must be IPID */ 1700 x = ntohs(ip->ip_id); 1701 if (cmdlen == 1) { 1702 match = (cmd->arg1 == x); 1703 break; 1704 } 1705 /* otherwise we have ranges */ 1706 p = ((ipfw_insn_u16 *)cmd)->ports; 1707 i = cmdlen - 1; 1708 for (; !match && i>0; i--, p += 2) 1709 match = (x >= p[0] && x <= p[1]); 1710 } 1711 break; 1712 1713 case O_IPPRECEDENCE: 1714 match = (is_ipv4 && 1715 (cmd->arg1 == (ip->ip_tos & 0xe0)) ); 1716 break; 1717 1718 case O_IPTOS: 1719 match = (is_ipv4 && 1720 flags_match(cmd, ip->ip_tos)); 1721 break; 1722 1723 case O_DSCP: 1724 { 1725 uint32_t *p; 1726 uint16_t x; 1727 1728 p = ((ipfw_insn_u32 *)cmd)->d; 1729 1730 if (is_ipv4) 1731 x = ip->ip_tos >> 2; 1732 else if (is_ipv6) { 1733 uint8_t *v; 1734 v = &((struct ip6_hdr *)ip)->ip6_vfc; 1735 x = (*v & 0x0F) << 2; 1736 v++; 1737 x |= *v >> 6; 1738 } else 1739 break; 1740 1741 /* DSCP bitmask is stored as low_u32 high_u32 */ 1742 if (x > 32) 1743 match = *(p + 1) & (1 << (x - 32)); 1744 else 1745 match = *p & (1 << x); 1746 } 1747 break; 1748 1749 case O_TCPDATALEN: 1750 if (proto == IPPROTO_TCP && offset == 0) { 1751 struct tcphdr *tcp; 1752 uint16_t x; 1753 uint16_t *p; 1754 int i; 1755 1756 tcp = TCP(ulp); 1757 x = iplen - 1758 ((ip->ip_hl + tcp->th_off) << 2); 1759 if (cmdlen == 1) { 1760 match = (cmd->arg1 == x); 1761 break; 1762 } 1763 /* otherwise we have ranges */ 1764 p = ((ipfw_insn_u16 *)cmd)->ports; 1765 i = cmdlen - 1; 1766 for (; !match && i>0; i--, p += 2) 1767 match = (x >= p[0] && x <= p[1]); 1768 } 1769 break; 1770 1771 case O_TCPFLAGS: 1772 match = (proto == IPPROTO_TCP && offset == 0 && 1773 flags_match(cmd, TCP(ulp)->th_flags)); 1774 break; 1775 1776 case O_TCPOPTS: 1777 if (proto == IPPROTO_TCP && offset == 0 && ulp){ 1778 PULLUP_LEN(hlen, ulp, 1779 (TCP(ulp)->th_off << 2)); 1780 match = tcpopts_match(TCP(ulp), cmd); 1781 } 1782 break; 1783 1784 case O_TCPSEQ: 1785 match = (proto == IPPROTO_TCP && offset == 0 && 1786 ((ipfw_insn_u32 *)cmd)->d[0] == 1787 TCP(ulp)->th_seq); 1788 break; 1789 1790 case O_TCPACK: 1791 match = (proto == IPPROTO_TCP && offset == 0 && 1792 ((ipfw_insn_u32 *)cmd)->d[0] == 1793 TCP(ulp)->th_ack); 1794 break; 1795 1796 case O_TCPWIN: 1797 if (proto == IPPROTO_TCP && offset == 0) { 1798 uint16_t x; 1799 uint16_t *p; 1800 int i; 1801 1802 x = ntohs(TCP(ulp)->th_win); 1803 if (cmdlen == 1) { 1804 match = (cmd->arg1 == x); 1805 break; 1806 } 1807 /* Otherwise we have ranges. */ 1808 p = ((ipfw_insn_u16 *)cmd)->ports; 1809 i = cmdlen - 1; 1810 for (; !match && i > 0; i--, p += 2) 1811 match = (x >= p[0] && x <= p[1]); 1812 } 1813 break; 1814 1815 case O_ESTAB: 1816 /* reject packets which have SYN only */ 1817 /* XXX should i also check for TH_ACK ? */ 1818 match = (proto == IPPROTO_TCP && offset == 0 && 1819 (TCP(ulp)->th_flags & 1820 (TH_RST | TH_ACK | TH_SYN)) != TH_SYN); 1821 break; 1822 1823 case O_ALTQ: { 1824 struct pf_mtag *at; 1825 struct m_tag *mtag; 1826 ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd; 1827 1828 /* 1829 * ALTQ uses mbuf tags from another 1830 * packet filtering system - pf(4). 1831 * We allocate a tag in its format 1832 * and fill it in, pretending to be pf(4). 1833 */ 1834 match = 1; 1835 at = pf_find_mtag(m); 1836 if (at != NULL && at->qid != 0) 1837 break; 1838 mtag = m_tag_get(PACKET_TAG_PF, 1839 sizeof(struct pf_mtag), M_NOWAIT | M_ZERO); 1840 if (mtag == NULL) { 1841 /* 1842 * Let the packet fall back to the 1843 * default ALTQ. 1844 */ 1845 break; 1846 } 1847 m_tag_prepend(m, mtag); 1848 at = (struct pf_mtag *)(mtag + 1); 1849 at->qid = altq->qid; 1850 at->hdr = ip; 1851 break; 1852 } 1853 1854 case O_LOG: 1855 ipfw_log(chain, f, hlen, args, m, 1856 oif, offset | ip6f_mf, tablearg, ip); 1857 match = 1; 1858 break; 1859 1860 case O_PROB: 1861 match = (random()<((ipfw_insn_u32 *)cmd)->d[0]); 1862 break; 1863 1864 case O_VERREVPATH: 1865 /* Outgoing packets automatically pass/match */ 1866 match = ((oif != NULL) || 1867 (m->m_pkthdr.rcvif == NULL) || 1868 ( 1869 #ifdef INET6 1870 is_ipv6 ? 1871 verify_path6(&(args->f_id.src_ip6), 1872 m->m_pkthdr.rcvif, args->f_id.fib) : 1873 #endif 1874 verify_path(src_ip, m->m_pkthdr.rcvif, 1875 args->f_id.fib))); 1876 break; 1877 1878 case O_VERSRCREACH: 1879 /* Outgoing packets automatically pass/match */ 1880 match = (hlen > 0 && ((oif != NULL) || 1881 #ifdef INET6 1882 is_ipv6 ? 1883 verify_path6(&(args->f_id.src_ip6), 1884 NULL, args->f_id.fib) : 1885 #endif 1886 verify_path(src_ip, NULL, args->f_id.fib))); 1887 break; 1888 1889 case O_ANTISPOOF: 1890 /* Outgoing packets automatically pass/match */ 1891 if (oif == NULL && hlen > 0 && 1892 ( (is_ipv4 && in_localaddr(src_ip)) 1893 #ifdef INET6 1894 || (is_ipv6 && 1895 in6_localaddr(&(args->f_id.src_ip6))) 1896 #endif 1897 )) 1898 match = 1899 #ifdef INET6 1900 is_ipv6 ? verify_path6( 1901 &(args->f_id.src_ip6), 1902 m->m_pkthdr.rcvif, 1903 args->f_id.fib) : 1904 #endif 1905 verify_path(src_ip, 1906 m->m_pkthdr.rcvif, 1907 args->f_id.fib); 1908 else 1909 match = 1; 1910 break; 1911 1912 case O_IPSEC: 1913 #ifdef IPSEC 1914 match = (m_tag_find(m, 1915 PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL); 1916 #endif 1917 /* otherwise no match */ 1918 break; 1919 1920 #ifdef INET6 1921 case O_IP6_SRC: 1922 match = is_ipv6 && 1923 IN6_ARE_ADDR_EQUAL(&args->f_id.src_ip6, 1924 &((ipfw_insn_ip6 *)cmd)->addr6); 1925 break; 1926 1927 case O_IP6_DST: 1928 match = is_ipv6 && 1929 IN6_ARE_ADDR_EQUAL(&args->f_id.dst_ip6, 1930 &((ipfw_insn_ip6 *)cmd)->addr6); 1931 break; 1932 case O_IP6_SRC_MASK: 1933 case O_IP6_DST_MASK: 1934 if (is_ipv6) { 1935 int i = cmdlen - 1; 1936 struct in6_addr p; 1937 struct in6_addr *d = 1938 &((ipfw_insn_ip6 *)cmd)->addr6; 1939 1940 for (; !match && i > 0; d += 2, 1941 i -= F_INSN_SIZE(struct in6_addr) 1942 * 2) { 1943 p = (cmd->opcode == 1944 O_IP6_SRC_MASK) ? 1945 args->f_id.src_ip6: 1946 args->f_id.dst_ip6; 1947 APPLY_MASK(&p, &d[1]); 1948 match = 1949 IN6_ARE_ADDR_EQUAL(&d[0], 1950 &p); 1951 } 1952 } 1953 break; 1954 1955 case O_FLOW6ID: 1956 match = is_ipv6 && 1957 flow6id_match(args->f_id.flow_id6, 1958 (ipfw_insn_u32 *) cmd); 1959 break; 1960 1961 case O_EXT_HDR: 1962 match = is_ipv6 && 1963 (ext_hd & ((ipfw_insn *) cmd)->arg1); 1964 break; 1965 1966 case O_IP6: 1967 match = is_ipv6; 1968 break; 1969 #endif 1970 1971 case O_IP4: 1972 match = is_ipv4; 1973 break; 1974 1975 case O_TAG: { 1976 struct m_tag *mtag; 1977 uint32_t tag = TARG(cmd->arg1, tag); 1978 1979 /* Packet is already tagged with this tag? */ 1980 mtag = m_tag_locate(m, MTAG_IPFW, tag, NULL); 1981 1982 /* We have `untag' action when F_NOT flag is 1983 * present. And we must remove this mtag from 1984 * mbuf and reset `match' to zero (`match' will 1985 * be inversed later). 1986 * Otherwise we should allocate new mtag and 1987 * push it into mbuf. 1988 */ 1989 if (cmd->len & F_NOT) { /* `untag' action */ 1990 if (mtag != NULL) 1991 m_tag_delete(m, mtag); 1992 match = 0; 1993 } else { 1994 if (mtag == NULL) { 1995 mtag = m_tag_alloc( MTAG_IPFW, 1996 tag, 0, M_NOWAIT); 1997 if (mtag != NULL) 1998 m_tag_prepend(m, mtag); 1999 } 2000 match = 1; 2001 } 2002 break; 2003 } 2004 2005 case O_FIB: /* try match the specified fib */ 2006 if (args->f_id.fib == cmd->arg1) 2007 match = 1; 2008 break; 2009 2010 case O_SOCKARG: { 2011 #ifndef USERSPACE /* not supported in userspace */ 2012 struct inpcb *inp = args->inp; 2013 struct inpcbinfo *pi; 2014 2015 if (is_ipv6) /* XXX can we remove this ? */ 2016 break; 2017 2018 if (proto == IPPROTO_TCP) 2019 pi = &V_tcbinfo; 2020 else if (proto == IPPROTO_UDP) 2021 pi = &V_udbinfo; 2022 else 2023 break; 2024 2025 /* 2026 * XXXRW: so_user_cookie should almost 2027 * certainly be inp_user_cookie? 2028 */ 2029 2030 /* For incomming packet, lookup up the 2031 inpcb using the src/dest ip/port tuple */ 2032 if (inp == NULL) { 2033 inp = in_pcblookup(pi, 2034 src_ip, htons(src_port), 2035 dst_ip, htons(dst_port), 2036 INPLOOKUP_RLOCKPCB, NULL); 2037 if (inp != NULL) { 2038 tablearg = 2039 inp->inp_socket->so_user_cookie; 2040 if (tablearg) 2041 match = 1; 2042 INP_RUNLOCK(inp); 2043 } 2044 } else { 2045 if (inp->inp_socket) { 2046 tablearg = 2047 inp->inp_socket->so_user_cookie; 2048 if (tablearg) 2049 match = 1; 2050 } 2051 } 2052 #endif /* !USERSPACE */ 2053 break; 2054 } 2055 2056 case O_TAGGED: { 2057 struct m_tag *mtag; 2058 uint32_t tag = TARG(cmd->arg1, tag); 2059 2060 if (cmdlen == 1) { 2061 match = m_tag_locate(m, MTAG_IPFW, 2062 tag, NULL) != NULL; 2063 break; 2064 } 2065 2066 /* we have ranges */ 2067 for (mtag = m_tag_first(m); 2068 mtag != NULL && !match; 2069 mtag = m_tag_next(m, mtag)) { 2070 uint16_t *p; 2071 int i; 2072 2073 if (mtag->m_tag_cookie != MTAG_IPFW) 2074 continue; 2075 2076 p = ((ipfw_insn_u16 *)cmd)->ports; 2077 i = cmdlen - 1; 2078 for(; !match && i > 0; i--, p += 2) 2079 match = 2080 mtag->m_tag_id >= p[0] && 2081 mtag->m_tag_id <= p[1]; 2082 } 2083 break; 2084 } 2085 2086 /* 2087 * The second set of opcodes represents 'actions', 2088 * i.e. the terminal part of a rule once the packet 2089 * matches all previous patterns. 2090 * Typically there is only one action for each rule, 2091 * and the opcode is stored at the end of the rule 2092 * (but there are exceptions -- see below). 2093 * 2094 * In general, here we set retval and terminate the 2095 * outer loop (would be a 'break 3' in some language, 2096 * but we need to set l=0, done=1) 2097 * 2098 * Exceptions: 2099 * O_COUNT and O_SKIPTO actions: 2100 * instead of terminating, we jump to the next rule 2101 * (setting l=0), or to the SKIPTO target (setting 2102 * f/f_len, cmd and l as needed), respectively. 2103 * 2104 * O_TAG, O_LOG and O_ALTQ action parameters: 2105 * perform some action and set match = 1; 2106 * 2107 * O_LIMIT and O_KEEP_STATE: these opcodes are 2108 * not real 'actions', and are stored right 2109 * before the 'action' part of the rule. 2110 * These opcodes try to install an entry in the 2111 * state tables; if successful, we continue with 2112 * the next opcode (match=1; break;), otherwise 2113 * the packet must be dropped (set retval, 2114 * break loops with l=0, done=1) 2115 * 2116 * O_PROBE_STATE and O_CHECK_STATE: these opcodes 2117 * cause a lookup of the state table, and a jump 2118 * to the 'action' part of the parent rule 2119 * if an entry is found, or 2120 * (CHECK_STATE only) a jump to the next rule if 2121 * the entry is not found. 2122 * The result of the lookup is cached so that 2123 * further instances of these opcodes become NOPs. 2124 * The jump to the next rule is done by setting 2125 * l=0, cmdlen=0. 2126 */ 2127 case O_LIMIT: 2128 case O_KEEP_STATE: 2129 if (ipfw_install_state(chain, f, 2130 (ipfw_insn_limit *)cmd, args, tablearg)) { 2131 /* error or limit violation */ 2132 retval = IP_FW_DENY; 2133 l = 0; /* exit inner loop */ 2134 done = 1; /* exit outer loop */ 2135 } 2136 match = 1; 2137 break; 2138 2139 case O_PROBE_STATE: 2140 case O_CHECK_STATE: 2141 /* 2142 * dynamic rules are checked at the first 2143 * keep-state or check-state occurrence, 2144 * with the result being stored in dyn_dir. 2145 * The compiler introduces a PROBE_STATE 2146 * instruction for us when we have a 2147 * KEEP_STATE (because PROBE_STATE needs 2148 * to be run first). 2149 */ 2150 if (dyn_dir == MATCH_UNKNOWN && 2151 (q = ipfw_lookup_dyn_rule(&args->f_id, 2152 &dyn_dir, proto == IPPROTO_TCP ? 2153 TCP(ulp) : NULL)) 2154 != NULL) { 2155 /* 2156 * Found dynamic entry, update stats 2157 * and jump to the 'action' part of 2158 * the parent rule by setting 2159 * f, cmd, l and clearing cmdlen. 2160 */ 2161 IPFW_INC_DYN_COUNTER(q, pktlen); 2162 /* XXX we would like to have f_pos 2163 * readily accessible in the dynamic 2164 * rule, instead of having to 2165 * lookup q->rule. 2166 */ 2167 f = q->rule; 2168 f_pos = ipfw_find_rule(chain, 2169 f->rulenum, f->id); 2170 cmd = ACTION_PTR(f); 2171 l = f->cmd_len - f->act_ofs; 2172 ipfw_dyn_unlock(q); 2173 cmdlen = 0; 2174 match = 1; 2175 break; 2176 } 2177 /* 2178 * Dynamic entry not found. If CHECK_STATE, 2179 * skip to next rule, if PROBE_STATE just 2180 * ignore and continue with next opcode. 2181 */ 2182 if (cmd->opcode == O_CHECK_STATE) 2183 l = 0; /* exit inner loop */ 2184 match = 1; 2185 break; 2186 2187 case O_ACCEPT: 2188 retval = 0; /* accept */ 2189 l = 0; /* exit inner loop */ 2190 done = 1; /* exit outer loop */ 2191 break; 2192 2193 case O_PIPE: 2194 case O_QUEUE: 2195 set_match(args, f_pos, chain); 2196 args->rule.info = TARG(cmd->arg1, pipe); 2197 if (cmd->opcode == O_PIPE) 2198 args->rule.info |= IPFW_IS_PIPE; 2199 if (V_fw_one_pass) 2200 args->rule.info |= IPFW_ONEPASS; 2201 retval = IP_FW_DUMMYNET; 2202 l = 0; /* exit inner loop */ 2203 done = 1; /* exit outer loop */ 2204 break; 2205 2206 case O_DIVERT: 2207 case O_TEE: 2208 if (args->eh) /* not on layer 2 */ 2209 break; 2210 /* otherwise this is terminal */ 2211 l = 0; /* exit inner loop */ 2212 done = 1; /* exit outer loop */ 2213 retval = (cmd->opcode == O_DIVERT) ? 2214 IP_FW_DIVERT : IP_FW_TEE; 2215 set_match(args, f_pos, chain); 2216 args->rule.info = TARG(cmd->arg1, divert); 2217 break; 2218 2219 case O_COUNT: 2220 IPFW_INC_RULE_COUNTER(f, pktlen); 2221 l = 0; /* exit inner loop */ 2222 break; 2223 2224 case O_SKIPTO: 2225 IPFW_INC_RULE_COUNTER(f, pktlen); 2226 f_pos = JUMP(chain, f, cmd->arg1, tablearg, 0); 2227 /* 2228 * Skip disabled rules, and re-enter 2229 * the inner loop with the correct 2230 * f_pos, f, l and cmd. 2231 * Also clear cmdlen and skip_or 2232 */ 2233 for (; f_pos < chain->n_rules - 1 && 2234 (V_set_disable & 2235 (1 << chain->map[f_pos]->set)); 2236 f_pos++) 2237 ; 2238 /* Re-enter the inner loop at the skipto rule. */ 2239 f = chain->map[f_pos]; 2240 l = f->cmd_len; 2241 cmd = f->cmd; 2242 match = 1; 2243 cmdlen = 0; 2244 skip_or = 0; 2245 continue; 2246 break; /* not reached */ 2247 2248 case O_CALLRETURN: { 2249 /* 2250 * Implementation of `subroutine' call/return, 2251 * in the stack carried in an mbuf tag. This 2252 * is different from `skipto' in that any call 2253 * address is possible (`skipto' must prevent 2254 * backward jumps to avoid endless loops). 2255 * We have `return' action when F_NOT flag is 2256 * present. The `m_tag_id' field is used as 2257 * stack pointer. 2258 */ 2259 struct m_tag *mtag; 2260 uint16_t jmpto, *stack; 2261 2262 #define IS_CALL ((cmd->len & F_NOT) == 0) 2263 #define IS_RETURN ((cmd->len & F_NOT) != 0) 2264 /* 2265 * Hand-rolled version of m_tag_locate() with 2266 * wildcard `type'. 2267 * If not already tagged, allocate new tag. 2268 */ 2269 mtag = m_tag_first(m); 2270 while (mtag != NULL) { 2271 if (mtag->m_tag_cookie == 2272 MTAG_IPFW_CALL) 2273 break; 2274 mtag = m_tag_next(m, mtag); 2275 } 2276 if (mtag == NULL && IS_CALL) { 2277 mtag = m_tag_alloc(MTAG_IPFW_CALL, 0, 2278 IPFW_CALLSTACK_SIZE * 2279 sizeof(uint16_t), M_NOWAIT); 2280 if (mtag != NULL) 2281 m_tag_prepend(m, mtag); 2282 } 2283 2284 /* 2285 * On error both `call' and `return' just 2286 * continue with next rule. 2287 */ 2288 if (IS_RETURN && (mtag == NULL || 2289 mtag->m_tag_id == 0)) { 2290 l = 0; /* exit inner loop */ 2291 break; 2292 } 2293 if (IS_CALL && (mtag == NULL || 2294 mtag->m_tag_id >= IPFW_CALLSTACK_SIZE)) { 2295 printf("ipfw: call stack error, " 2296 "go to next rule\n"); 2297 l = 0; /* exit inner loop */ 2298 break; 2299 } 2300 2301 IPFW_INC_RULE_COUNTER(f, pktlen); 2302 stack = (uint16_t *)(mtag + 1); 2303 2304 /* 2305 * The `call' action may use cached f_pos 2306 * (in f->next_rule), whose version is written 2307 * in f->next_rule. 2308 * The `return' action, however, doesn't have 2309 * fixed jump address in cmd->arg1 and can't use 2310 * cache. 2311 */ 2312 if (IS_CALL) { 2313 stack[mtag->m_tag_id] = f->rulenum; 2314 mtag->m_tag_id++; 2315 f_pos = JUMP(chain, f, cmd->arg1, 2316 tablearg, 1); 2317 } else { /* `return' action */ 2318 mtag->m_tag_id--; 2319 jmpto = stack[mtag->m_tag_id] + 1; 2320 f_pos = ipfw_find_rule(chain, jmpto, 0); 2321 } 2322 2323 /* 2324 * Skip disabled rules, and re-enter 2325 * the inner loop with the correct 2326 * f_pos, f, l and cmd. 2327 * Also clear cmdlen and skip_or 2328 */ 2329 for (; f_pos < chain->n_rules - 1 && 2330 (V_set_disable & 2331 (1 << chain->map[f_pos]->set)); f_pos++) 2332 ; 2333 /* Re-enter the inner loop at the dest rule. */ 2334 f = chain->map[f_pos]; 2335 l = f->cmd_len; 2336 cmd = f->cmd; 2337 cmdlen = 0; 2338 skip_or = 0; 2339 continue; 2340 break; /* NOTREACHED */ 2341 } 2342 #undef IS_CALL 2343 #undef IS_RETURN 2344 2345 case O_REJECT: 2346 /* 2347 * Drop the packet and send a reject notice 2348 * if the packet is not ICMP (or is an ICMP 2349 * query), and it is not multicast/broadcast. 2350 */ 2351 if (hlen > 0 && is_ipv4 && offset == 0 && 2352 (proto != IPPROTO_ICMP || 2353 is_icmp_query(ICMP(ulp))) && 2354 !(m->m_flags & (M_BCAST|M_MCAST)) && 2355 !IN_MULTICAST(ntohl(dst_ip.s_addr))) { 2356 send_reject(args, cmd->arg1, iplen, ip); 2357 m = args->m; 2358 } 2359 /* FALLTHROUGH */ 2360 #ifdef INET6 2361 case O_UNREACH6: 2362 if (hlen > 0 && is_ipv6 && 2363 ((offset & IP6F_OFF_MASK) == 0) && 2364 (proto != IPPROTO_ICMPV6 || 2365 (is_icmp6_query(icmp6_type) == 1)) && 2366 !(m->m_flags & (M_BCAST|M_MCAST)) && 2367 !IN6_IS_ADDR_MULTICAST(&args->f_id.dst_ip6)) { 2368 send_reject6( 2369 args, cmd->arg1, hlen, 2370 (struct ip6_hdr *)ip); 2371 m = args->m; 2372 } 2373 /* FALLTHROUGH */ 2374 #endif 2375 case O_DENY: 2376 retval = IP_FW_DENY; 2377 l = 0; /* exit inner loop */ 2378 done = 1; /* exit outer loop */ 2379 break; 2380 2381 case O_FORWARD_IP: 2382 if (args->eh) /* not valid on layer2 pkts */ 2383 break; 2384 if (q == NULL || q->rule != f || 2385 dyn_dir == MATCH_FORWARD) { 2386 struct sockaddr_in *sa; 2387 sa = &(((ipfw_insn_sa *)cmd)->sa); 2388 if (sa->sin_addr.s_addr == INADDR_ANY) { 2389 bcopy(sa, &args->hopstore, 2390 sizeof(*sa)); 2391 args->hopstore.sin_addr.s_addr = 2392 htonl(tablearg); 2393 args->next_hop = &args->hopstore; 2394 } else { 2395 args->next_hop = sa; 2396 } 2397 } 2398 retval = IP_FW_PASS; 2399 l = 0; /* exit inner loop */ 2400 done = 1; /* exit outer loop */ 2401 break; 2402 2403 #ifdef INET6 2404 case O_FORWARD_IP6: 2405 if (args->eh) /* not valid on layer2 pkts */ 2406 break; 2407 if (q == NULL || q->rule != f || 2408 dyn_dir == MATCH_FORWARD) { 2409 struct sockaddr_in6 *sin6; 2410 2411 sin6 = &(((ipfw_insn_sa6 *)cmd)->sa); 2412 args->next_hop6 = sin6; 2413 } 2414 retval = IP_FW_PASS; 2415 l = 0; /* exit inner loop */ 2416 done = 1; /* exit outer loop */ 2417 break; 2418 #endif 2419 2420 case O_NETGRAPH: 2421 case O_NGTEE: 2422 set_match(args, f_pos, chain); 2423 args->rule.info = TARG(cmd->arg1, netgraph); 2424 if (V_fw_one_pass) 2425 args->rule.info |= IPFW_ONEPASS; 2426 retval = (cmd->opcode == O_NETGRAPH) ? 2427 IP_FW_NETGRAPH : IP_FW_NGTEE; 2428 l = 0; /* exit inner loop */ 2429 done = 1; /* exit outer loop */ 2430 break; 2431 2432 case O_SETFIB: { 2433 uint32_t fib; 2434 2435 IPFW_INC_RULE_COUNTER(f, pktlen); 2436 fib = TARG(cmd->arg1, fib) & 0x7FFFF; 2437 if (fib >= rt_numfibs) 2438 fib = 0; 2439 M_SETFIB(m, fib); 2440 args->f_id.fib = fib; 2441 l = 0; /* exit inner loop */ 2442 break; 2443 } 2444 2445 case O_SETDSCP: { 2446 uint16_t code; 2447 2448 code = TARG(cmd->arg1, dscp) & 0x3F; 2449 l = 0; /* exit inner loop */ 2450 if (is_ipv4) { 2451 uint16_t a; 2452 2453 a = ip->ip_tos; 2454 ip->ip_tos = (code << 2) | (ip->ip_tos & 0x03); 2455 a += ntohs(ip->ip_sum) - ip->ip_tos; 2456 ip->ip_sum = htons(a); 2457 } else if (is_ipv6) { 2458 uint8_t *v; 2459 2460 v = &((struct ip6_hdr *)ip)->ip6_vfc; 2461 *v = (*v & 0xF0) | (code >> 2); 2462 v++; 2463 *v = (*v & 0x3F) | ((code & 0x03) << 6); 2464 } else 2465 break; 2466 2467 IPFW_INC_RULE_COUNTER(f, pktlen); 2468 break; 2469 } 2470 2471 case O_NAT: 2472 l = 0; /* exit inner loop */ 2473 done = 1; /* exit outer loop */ 2474 if (!IPFW_NAT_LOADED) { 2475 retval = IP_FW_DENY; 2476 break; 2477 } 2478 2479 struct cfg_nat *t; 2480 int nat_id; 2481 2482 set_match(args, f_pos, chain); 2483 /* Check if this is 'global' nat rule */ 2484 if (cmd->arg1 == 0) { 2485 retval = ipfw_nat_ptr(args, NULL, m); 2486 break; 2487 } 2488 t = ((ipfw_insn_nat *)cmd)->nat; 2489 if (t == NULL) { 2490 nat_id = TARG(cmd->arg1, nat); 2491 t = (*lookup_nat_ptr)(&chain->nat, nat_id); 2492 2493 if (t == NULL) { 2494 retval = IP_FW_DENY; 2495 break; 2496 } 2497 if (cmd->arg1 != IP_FW_TARG) 2498 ((ipfw_insn_nat *)cmd)->nat = t; 2499 } 2500 retval = ipfw_nat_ptr(args, t, m); 2501 break; 2502 2503 case O_REASS: { 2504 int ip_off; 2505 2506 IPFW_INC_RULE_COUNTER(f, pktlen); 2507 l = 0; /* in any case exit inner loop */ 2508 ip_off = ntohs(ip->ip_off); 2509 2510 /* if not fragmented, go to next rule */ 2511 if ((ip_off & (IP_MF | IP_OFFMASK)) == 0) 2512 break; 2513 2514 args->m = m = ip_reass(m); 2515 2516 /* 2517 * do IP header checksum fixup. 2518 */ 2519 if (m == NULL) { /* fragment got swallowed */ 2520 retval = IP_FW_DENY; 2521 } else { /* good, packet complete */ 2522 int hlen; 2523 2524 ip = mtod(m, struct ip *); 2525 hlen = ip->ip_hl << 2; 2526 ip->ip_sum = 0; 2527 if (hlen == sizeof(struct ip)) 2528 ip->ip_sum = in_cksum_hdr(ip); 2529 else 2530 ip->ip_sum = in_cksum(m, hlen); 2531 retval = IP_FW_REASS; 2532 set_match(args, f_pos, chain); 2533 } 2534 done = 1; /* exit outer loop */ 2535 break; 2536 } 2537 2538 default: 2539 panic("-- unknown opcode %d\n", cmd->opcode); 2540 } /* end of switch() on opcodes */ 2541 /* 2542 * if we get here with l=0, then match is irrelevant. 2543 */ 2544 2545 if (cmd->len & F_NOT) 2546 match = !match; 2547 2548 if (match) { 2549 if (cmd->len & F_OR) 2550 skip_or = 1; 2551 } else { 2552 if (!(cmd->len & F_OR)) /* not an OR block, */ 2553 break; /* try next rule */ 2554 } 2555 2556 } /* end of inner loop, scan opcodes */ 2557 #undef PULLUP_LEN 2558 2559 if (done) 2560 break; 2561 2562 /* next_rule:; */ /* try next rule */ 2563 2564 } /* end of outer for, scan rules */ 2565 2566 if (done) { 2567 struct ip_fw *rule = chain->map[f_pos]; 2568 /* Update statistics */ 2569 IPFW_INC_RULE_COUNTER(rule, pktlen); 2570 } else { 2571 retval = IP_FW_DENY; 2572 printf("ipfw: ouch!, skip past end of rules, denying packet\n"); 2573 } 2574 IPFW_PF_RUNLOCK(chain); 2575 #ifdef __FreeBSD__ 2576 if (ucred_cache != NULL) 2577 crfree(ucred_cache); 2578 #endif 2579 return (retval); 2580 2581 pullup_failed: 2582 if (V_fw_verbose) 2583 printf("ipfw: pullup failed\n"); 2584 return (IP_FW_DENY); 2585 } 2586 2587 /* 2588 * Set maximum number of tables that can be used in given VNET ipfw instance. 2589 */ 2590 #ifdef SYSCTL_NODE 2591 static int 2592 sysctl_ipfw_table_num(SYSCTL_HANDLER_ARGS) 2593 { 2594 int error; 2595 unsigned int ntables; 2596 2597 ntables = V_fw_tables_max; 2598 2599 error = sysctl_handle_int(oidp, &ntables, 0, req); 2600 /* Read operation or some error */ 2601 if ((error != 0) || (req->newptr == NULL)) 2602 return (error); 2603 2604 return (ipfw_resize_tables(&V_layer3_chain, ntables)); 2605 } 2606 2607 /* 2608 * Switches table namespace between global and per-set. 2609 */ 2610 static int 2611 sysctl_ipfw_tables_sets(SYSCTL_HANDLER_ARGS) 2612 { 2613 int error; 2614 unsigned int sets; 2615 2616 sets = V_fw_tables_sets; 2617 2618 error = sysctl_handle_int(oidp, &sets, 0, req); 2619 /* Read operation or some error */ 2620 if ((error != 0) || (req->newptr == NULL)) 2621 return (error); 2622 2623 return (ipfw_switch_tables_namespace(&V_layer3_chain, sets)); 2624 } 2625 #endif 2626 2627 /* 2628 * Module and VNET glue 2629 */ 2630 2631 /* 2632 * Stuff that must be initialised only on boot or module load 2633 */ 2634 static int 2635 ipfw_init(void) 2636 { 2637 int error = 0; 2638 2639 /* 2640 * Only print out this stuff the first time around, 2641 * when called from the sysinit code. 2642 */ 2643 printf("ipfw2 " 2644 #ifdef INET6 2645 "(+ipv6) " 2646 #endif 2647 "initialized, divert %s, nat %s, " 2648 "default to %s, logging ", 2649 #ifdef IPDIVERT 2650 "enabled", 2651 #else 2652 "loadable", 2653 #endif 2654 #ifdef IPFIREWALL_NAT 2655 "enabled", 2656 #else 2657 "loadable", 2658 #endif 2659 default_to_accept ? "accept" : "deny"); 2660 2661 /* 2662 * Note: V_xxx variables can be accessed here but the vnet specific 2663 * initializer may not have been called yet for the VIMAGE case. 2664 * Tuneables will have been processed. We will print out values for 2665 * the default vnet. 2666 * XXX This should all be rationalized AFTER 8.0 2667 */ 2668 if (V_fw_verbose == 0) 2669 printf("disabled\n"); 2670 else if (V_verbose_limit == 0) 2671 printf("unlimited\n"); 2672 else 2673 printf("limited to %d packets/entry by default\n", 2674 V_verbose_limit); 2675 2676 /* Check user-supplied table count for validness */ 2677 if (default_fw_tables > IPFW_TABLES_MAX) 2678 default_fw_tables = IPFW_TABLES_MAX; 2679 2680 ipfw_init_sopt_handler(); 2681 ipfw_log_bpf(1); /* init */ 2682 ipfw_iface_init(); 2683 return (error); 2684 } 2685 2686 /* 2687 * Called for the removal of the last instance only on module unload. 2688 */ 2689 static void 2690 ipfw_destroy(void) 2691 { 2692 2693 ipfw_iface_destroy(); 2694 ipfw_log_bpf(0); /* uninit */ 2695 ipfw_destroy_sopt_handler(); 2696 printf("IP firewall unloaded\n"); 2697 } 2698 2699 /* 2700 * Stuff that must be initialized for every instance 2701 * (including the first of course). 2702 */ 2703 static int 2704 vnet_ipfw_init(const void *unused) 2705 { 2706 int error, first; 2707 struct ip_fw *rule = NULL; 2708 struct ip_fw_chain *chain; 2709 2710 chain = &V_layer3_chain; 2711 2712 first = IS_DEFAULT_VNET(curvnet) ? 1 : 0; 2713 2714 /* First set up some values that are compile time options */ 2715 V_autoinc_step = 100; /* bounded to 1..1000 in add_rule() */ 2716 V_fw_deny_unknown_exthdrs = 1; 2717 #ifdef IPFIREWALL_VERBOSE 2718 V_fw_verbose = 1; 2719 #endif 2720 #ifdef IPFIREWALL_VERBOSE_LIMIT 2721 V_verbose_limit = IPFIREWALL_VERBOSE_LIMIT; 2722 #endif 2723 #ifdef IPFIREWALL_NAT 2724 LIST_INIT(&chain->nat); 2725 #endif 2726 2727 ipfw_init_counters(); 2728 /* insert the default rule and create the initial map */ 2729 chain->n_rules = 1; 2730 chain->map = malloc(sizeof(struct ip_fw *), M_IPFW, M_WAITOK | M_ZERO); 2731 rule = ipfw_alloc_rule(chain, sizeof(struct ip_fw)); 2732 2733 /* Set initial number of tables */ 2734 V_fw_tables_max = default_fw_tables; 2735 error = ipfw_init_tables(chain, first); 2736 if (error) { 2737 printf("ipfw2: setting up tables failed\n"); 2738 free(chain->map, M_IPFW); 2739 free(rule, M_IPFW); 2740 return (ENOSPC); 2741 } 2742 2743 /* fill and insert the default rule */ 2744 rule->act_ofs = 0; 2745 rule->rulenum = IPFW_DEFAULT_RULE; 2746 rule->cmd_len = 1; 2747 rule->set = RESVD_SET; 2748 rule->cmd[0].len = 1; 2749 rule->cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY; 2750 chain->default_rule = chain->map[0] = rule; 2751 chain->id = rule->id = 1; 2752 /* Pre-calculate rules length for legacy dump format */ 2753 chain->static_len = sizeof(struct ip_fw_rule0); 2754 2755 IPFW_LOCK_INIT(chain); 2756 ipfw_dyn_init(chain); 2757 #ifdef LINEAR_SKIPTO 2758 ipfw_init_skipto_cache(chain); 2759 #endif 2760 2761 /* First set up some values that are compile time options */ 2762 V_ipfw_vnet_ready = 1; /* Open for business */ 2763 2764 /* 2765 * Hook the sockopt handler and pfil hooks for ipv4 and ipv6. 2766 * Even if the latter two fail we still keep the module alive 2767 * because the sockopt and layer2 paths are still useful. 2768 * ipfw[6]_hook return 0 on success, ENOENT on failure, 2769 * so we can ignore the exact return value and just set a flag. 2770 * 2771 * Note that V_fw[6]_enable are manipulated by a SYSCTL_PROC so 2772 * changes in the underlying (per-vnet) variables trigger 2773 * immediate hook()/unhook() calls. 2774 * In layer2 we have the same behaviour, except that V_ether_ipfw 2775 * is checked on each packet because there are no pfil hooks. 2776 */ 2777 V_ip_fw_ctl_ptr = ipfw_ctl3; 2778 error = ipfw_attach_hooks(1); 2779 return (error); 2780 } 2781 2782 /* 2783 * Called for the removal of each instance. 2784 */ 2785 static int 2786 vnet_ipfw_uninit(const void *unused) 2787 { 2788 struct ip_fw *reap; 2789 struct ip_fw_chain *chain = &V_layer3_chain; 2790 int i, last; 2791 2792 V_ipfw_vnet_ready = 0; /* tell new callers to go away */ 2793 /* 2794 * disconnect from ipv4, ipv6, layer2 and sockopt. 2795 * Then grab, release and grab again the WLOCK so we make 2796 * sure the update is propagated and nobody will be in. 2797 */ 2798 (void)ipfw_attach_hooks(0 /* detach */); 2799 V_ip_fw_ctl_ptr = NULL; 2800 2801 last = IS_DEFAULT_VNET(curvnet) ? 1 : 0; 2802 2803 IPFW_UH_WLOCK(chain); 2804 IPFW_UH_WUNLOCK(chain); 2805 IPFW_UH_WLOCK(chain); 2806 2807 IPFW_WLOCK(chain); 2808 ipfw_dyn_uninit(0); /* run the callout_drain */ 2809 IPFW_WUNLOCK(chain); 2810 2811 reap = NULL; 2812 IPFW_WLOCK(chain); 2813 for (i = 0; i < chain->n_rules; i++) 2814 ipfw_reap_add(chain, &reap, chain->map[i]); 2815 free(chain->map, M_IPFW); 2816 #ifdef LINEAR_SKIPTO 2817 ipfw_destroy_skipto_cache(chain); 2818 #endif 2819 IPFW_WUNLOCK(chain); 2820 IPFW_UH_WUNLOCK(chain); 2821 ipfw_destroy_tables(chain, last); 2822 if (reap != NULL) 2823 ipfw_reap_rules(reap); 2824 vnet_ipfw_iface_destroy(chain); 2825 IPFW_LOCK_DESTROY(chain); 2826 ipfw_dyn_uninit(1); /* free the remaining parts */ 2827 ipfw_destroy_counters(); 2828 return (0); 2829 } 2830 2831 /* 2832 * Module event handler. 2833 * In general we have the choice of handling most of these events by the 2834 * event handler or by the (VNET_)SYS(UN)INIT handlers. I have chosen to 2835 * use the SYSINIT handlers as they are more capable of expressing the 2836 * flow of control during module and vnet operations, so this is just 2837 * a skeleton. Note there is no SYSINIT equivalent of the module 2838 * SHUTDOWN handler, but we don't have anything to do in that case anyhow. 2839 */ 2840 static int 2841 ipfw_modevent(module_t mod, int type, void *unused) 2842 { 2843 int err = 0; 2844 2845 switch (type) { 2846 case MOD_LOAD: 2847 /* Called once at module load or 2848 * system boot if compiled in. */ 2849 break; 2850 case MOD_QUIESCE: 2851 /* Called before unload. May veto unloading. */ 2852 break; 2853 case MOD_UNLOAD: 2854 /* Called during unload. */ 2855 break; 2856 case MOD_SHUTDOWN: 2857 /* Called during system shutdown. */ 2858 break; 2859 default: 2860 err = EOPNOTSUPP; 2861 break; 2862 } 2863 return err; 2864 } 2865 2866 static moduledata_t ipfwmod = { 2867 "ipfw", 2868 ipfw_modevent, 2869 0 2870 }; 2871 2872 /* Define startup order. */ 2873 #define IPFW_SI_SUB_FIREWALL SI_SUB_PROTO_IFATTACHDOMAIN 2874 #define IPFW_MODEVENT_ORDER (SI_ORDER_ANY - 255) /* On boot slot in here. */ 2875 #define IPFW_MODULE_ORDER (IPFW_MODEVENT_ORDER + 1) /* A little later. */ 2876 #define IPFW_VNET_ORDER (IPFW_MODEVENT_ORDER + 2) /* Later still. */ 2877 2878 DECLARE_MODULE(ipfw, ipfwmod, IPFW_SI_SUB_FIREWALL, IPFW_MODEVENT_ORDER); 2879 FEATURE(ipfw_ctl3, "ipfw new sockopt calls"); 2880 MODULE_VERSION(ipfw, 3); 2881 /* should declare some dependencies here */ 2882 2883 /* 2884 * Starting up. Done in order after ipfwmod() has been called. 2885 * VNET_SYSINIT is also called for each existing vnet and each new vnet. 2886 */ 2887 SYSINIT(ipfw_init, IPFW_SI_SUB_FIREWALL, IPFW_MODULE_ORDER, 2888 ipfw_init, NULL); 2889 VNET_SYSINIT(vnet_ipfw_init, IPFW_SI_SUB_FIREWALL, IPFW_VNET_ORDER, 2890 vnet_ipfw_init, NULL); 2891 2892 /* 2893 * Closing up shop. These are done in REVERSE ORDER, but still 2894 * after ipfwmod() has been called. Not called on reboot. 2895 * VNET_SYSUNINIT is also called for each exiting vnet as it exits. 2896 * or when the module is unloaded. 2897 */ 2898 SYSUNINIT(ipfw_destroy, IPFW_SI_SUB_FIREWALL, IPFW_MODULE_ORDER, 2899 ipfw_destroy, NULL); 2900 VNET_SYSUNINIT(vnet_ipfw_uninit, IPFW_SI_SUB_FIREWALL, IPFW_VNET_ORDER, 2901 vnet_ipfw_uninit, NULL); 2902 /* end of file */ 2903