1 /*- 2 * Copyright (c) 2016-2017 Yandex LLC 3 * Copyright (c) 2016-2017 Andrey V. Elsukov <ae@FreeBSD.org> 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/param.h> 28 #include <sys/systm.h> 29 #include <sys/malloc.h> 30 #include <sys/kernel.h> 31 #include <sys/hash.h> 32 #include <sys/lock.h> 33 #include <sys/rwlock.h> 34 #include <sys/rmlock.h> 35 #include <sys/socket.h> 36 #include <sys/socketvar.h> 37 #include <sys/queue.h> 38 39 #include <net/if.h> /* ip_fw.h requires IFNAMSIZ */ 40 #include <net/pfil.h> 41 #include <netinet/in.h> 42 #include <netinet/ip_var.h> /* struct ipfw_rule_ref */ 43 #include <netinet/ip_fw.h> 44 45 #include <netpfil/ipfw/ip_fw_private.h> 46 47 #include "opt_ipfw.h" 48 49 /* 50 * External actions support for ipfw. 51 * 52 * This code provides KPI for implementing loadable modules, that 53 * can provide handlers for external action opcodes in the ipfw's 54 * rules. 55 * Module should implement opcode handler with type ipfw_eaction_t. 56 * This handler will be called by ipfw_chk() function when 57 * O_EXTERNAL_ACTION opcode is matched. The handler must return 58 * value used as return value in ipfw_chk(), i.e. IP_FW_PASS, 59 * IP_FW_DENY (see ip_fw_private.h). 60 * Also the last argument must be set by handler. If it is zero, 61 * the search continues to the next rule. If it has non zero value, 62 * the search terminates. 63 * 64 * The module that implements external action should register its 65 * handler and name with ipfw_add_eaction() function. 66 * This function will return eaction_id, that can be used by module. 67 * 68 * It is possible to pass some additional information to external 69 * action handler using O_EXTERNAL_INSTANCE and O_EXTERNAL_DATA opcodes. 70 * Such opcodes should be next after the O_EXTERNAL_ACTION opcode. 71 * For the O_EXTERNAL_INSTANCE opcode the cmd->arg1 contains index of named 72 * object related to an instance of external action. 73 * For the O_EXTERNAL_DATA opcode the cmd contains the data that can be used 74 * by external action handler without needing to create named instance. 75 * 76 * In case when eaction module uses named instances, it should register 77 * opcode rewriting routines for O_EXTERNAL_INSTANCE opcode. The 78 * classifier callback can look back into O_EXTERNAL_ACTION opcode (it 79 * must be in the (ipfw_insn *)(cmd - 1)). By arg1 from O_EXTERNAL_ACTION 80 * it can deteremine eaction_id and compare it with its own. 81 * The macro IPFW_TLV_EACTION_NAME(eaction_id) can be used to deteremine 82 * the type of named_object related to external action instance. 83 * 84 * On module unload handler should be deregistered with ipfw_del_eaction() 85 * function using known eaction_id. 86 */ 87 88 struct eaction_obj { 89 struct named_object no; 90 ipfw_eaction_t *handler; 91 char name[64]; 92 }; 93 94 #define EACTION_OBJ(ch, cmd) \ 95 ((struct eaction_obj *)SRV_OBJECT((ch), (cmd)->arg1)) 96 97 #if 0 98 #define EACTION_DEBUG(fmt, ...) do { \ 99 printf("%s: " fmt "\n", __func__, ## __VA_ARGS__); \ 100 } while (0) 101 #else 102 #define EACTION_DEBUG(fmt, ...) 103 #endif 104 105 const char *default_eaction_typename = "drop"; 106 static int 107 default_eaction(struct ip_fw_chain *ch, struct ip_fw_args *args, 108 ipfw_insn *cmd, int *done) 109 { 110 111 *done = 1; /* terminate the search */ 112 return (IP_FW_DENY); 113 } 114 115 /* 116 * Opcode rewriting callbacks. 117 */ 118 static int 119 eaction_classify(ipfw_insn *cmd, uint16_t *puidx, uint8_t *ptype) 120 { 121 122 EACTION_DEBUG("opcode %d, arg1 %d", cmd->opcode, cmd->arg1); 123 *puidx = cmd->arg1; 124 *ptype = 0; 125 return (0); 126 } 127 128 static void 129 eaction_update(ipfw_insn *cmd, uint16_t idx) 130 { 131 132 cmd->arg1 = idx; 133 EACTION_DEBUG("opcode %d, arg1 -> %d", cmd->opcode, cmd->arg1); 134 } 135 136 static int 137 eaction_findbyname(struct ip_fw_chain *ch, struct tid_info *ti, 138 struct named_object **pno) 139 { 140 ipfw_obj_ntlv *ntlv; 141 142 if (ti->tlvs == NULL) 143 return (EINVAL); 144 145 /* Search ntlv in the buffer provided by user */ 146 ntlv = ipfw_find_name_tlv_type(ti->tlvs, ti->tlen, ti->uidx, 147 IPFW_TLV_EACTION); 148 if (ntlv == NULL) 149 return (EINVAL); 150 EACTION_DEBUG("name %s, uidx %u, type %u", ntlv->name, 151 ti->uidx, ti->type); 152 /* 153 * Search named object with corresponding name. 154 * Since eaction objects are global - ignore the set value 155 * and use zero instead. 156 */ 157 *pno = ipfw_objhash_lookup_name_type(CHAIN_TO_SRV(ch), 158 0, IPFW_TLV_EACTION, ntlv->name); 159 if (*pno == NULL) 160 return (ESRCH); 161 return (0); 162 } 163 164 static struct named_object * 165 eaction_findbykidx(struct ip_fw_chain *ch, uint16_t idx) 166 { 167 168 EACTION_DEBUG("kidx %u", idx); 169 return (ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), idx)); 170 } 171 172 static struct opcode_obj_rewrite eaction_opcodes[] = { 173 { 174 .opcode = O_EXTERNAL_ACTION, 175 .etlv = IPFW_TLV_EACTION, 176 .classifier = eaction_classify, 177 .update = eaction_update, 178 .find_byname = eaction_findbyname, 179 .find_bykidx = eaction_findbykidx, 180 }, 181 }; 182 183 static int 184 create_eaction_obj(struct ip_fw_chain *ch, ipfw_eaction_t handler, 185 const char *name, uint16_t *eaction_id) 186 { 187 struct namedobj_instance *ni; 188 struct eaction_obj *obj; 189 190 IPFW_UH_UNLOCK_ASSERT(ch); 191 192 ni = CHAIN_TO_SRV(ch); 193 obj = malloc(sizeof(*obj), M_IPFW, M_WAITOK | M_ZERO); 194 obj->no.name = obj->name; 195 obj->no.etlv = IPFW_TLV_EACTION; 196 obj->handler = handler; 197 strlcpy(obj->name, name, sizeof(obj->name)); 198 199 IPFW_UH_WLOCK(ch); 200 if (ipfw_objhash_lookup_name_type(ni, 0, IPFW_TLV_EACTION, 201 name) != NULL) { 202 /* 203 * Object is already created. 204 * We don't allow eactions with the same name. 205 */ 206 IPFW_UH_WUNLOCK(ch); 207 free(obj, M_IPFW); 208 EACTION_DEBUG("External action with typename " 209 "'%s' already exists", name); 210 return (EEXIST); 211 } 212 if (ipfw_objhash_alloc_idx(ni, &obj->no.kidx) != 0) { 213 IPFW_UH_WUNLOCK(ch); 214 free(obj, M_IPFW); 215 EACTION_DEBUG("alloc_idx failed"); 216 return (ENOSPC); 217 } 218 ipfw_objhash_add(ni, &obj->no); 219 IPFW_WLOCK(ch); 220 SRV_OBJECT(ch, obj->no.kidx) = obj; 221 IPFW_WUNLOCK(ch); 222 obj->no.refcnt++; 223 IPFW_UH_WUNLOCK(ch); 224 225 if (eaction_id != NULL) 226 *eaction_id = obj->no.kidx; 227 return (0); 228 } 229 230 static void 231 destroy_eaction_obj(struct ip_fw_chain *ch, struct named_object *no) 232 { 233 struct namedobj_instance *ni; 234 struct eaction_obj *obj; 235 236 IPFW_UH_WLOCK_ASSERT(ch); 237 238 ni = CHAIN_TO_SRV(ch); 239 IPFW_WLOCK(ch); 240 obj = SRV_OBJECT(ch, no->kidx); 241 SRV_OBJECT(ch, no->kidx) = NULL; 242 IPFW_WUNLOCK(ch); 243 ipfw_objhash_del(ni, no); 244 ipfw_objhash_free_idx(ni, no->kidx); 245 free(obj, M_IPFW); 246 } 247 248 /* 249 * Resets all eaction opcodes to default handlers. 250 */ 251 static void 252 reset_eaction_rules(struct ip_fw_chain *ch, uint16_t eaction_id, 253 uint16_t instance_id, bool reset_rules) 254 { 255 struct named_object *no; 256 int i; 257 258 IPFW_UH_WLOCK_ASSERT(ch); 259 260 no = ipfw_objhash_lookup_name_type(CHAIN_TO_SRV(ch), 0, 261 IPFW_TLV_EACTION, default_eaction_typename); 262 if (no == NULL) 263 panic("Default external action handler is not found"); 264 if (eaction_id == no->kidx) 265 panic("Wrong eaction_id"); 266 267 EACTION_DEBUG("Going to replace id %u with %u", eaction_id, no->kidx); 268 IPFW_WLOCK(ch); 269 /* 270 * Reset eaction objects only if it is referenced by rules. 271 * But always reset objects for orphaned dynamic states. 272 */ 273 if (reset_rules) { 274 for (i = 0; i < ch->n_rules; i++) { 275 /* 276 * Refcount on the original object will be just 277 * ignored on destroy. Refcount on default_eaction 278 * will be decremented on rule deletion, thus we 279 * need to reference default_eaction object. 280 */ 281 if (ipfw_reset_eaction(ch, ch->map[i], eaction_id, 282 no->kidx, instance_id) != 0) 283 no->refcnt++; 284 } 285 } 286 /* 287 * Reset eaction opcodes for orphaned dynamic states. 288 * Since parent rules are already deleted, we don't need to 289 * reference named object of default_eaction. 290 */ 291 ipfw_dyn_reset_eaction(ch, eaction_id, no->kidx, instance_id); 292 IPFW_WUNLOCK(ch); 293 } 294 295 /* 296 * Initialize external actions framework. 297 * Create object with default eaction handler "drop". 298 */ 299 int 300 ipfw_eaction_init(struct ip_fw_chain *ch, int first) 301 { 302 int error; 303 304 error = create_eaction_obj(ch, default_eaction, 305 default_eaction_typename, NULL); 306 if (error != 0) 307 return (error); 308 IPFW_ADD_OBJ_REWRITER(first, eaction_opcodes); 309 EACTION_DEBUG("External actions support initialized"); 310 return (0); 311 } 312 313 void 314 ipfw_eaction_uninit(struct ip_fw_chain *ch, int last) 315 { 316 struct namedobj_instance *ni; 317 struct named_object *no; 318 319 ni = CHAIN_TO_SRV(ch); 320 321 IPFW_UH_WLOCK(ch); 322 no = ipfw_objhash_lookup_name_type(ni, 0, IPFW_TLV_EACTION, 323 default_eaction_typename); 324 if (no != NULL) 325 destroy_eaction_obj(ch, no); 326 IPFW_UH_WUNLOCK(ch); 327 IPFW_DEL_OBJ_REWRITER(last, eaction_opcodes); 328 EACTION_DEBUG("External actions support uninitialized"); 329 } 330 331 /* 332 * Registers external action handler to the global array. 333 * On success it returns eaction id, otherwise - zero. 334 */ 335 uint16_t 336 ipfw_add_eaction(struct ip_fw_chain *ch, ipfw_eaction_t handler, 337 const char *name) 338 { 339 uint16_t eaction_id; 340 341 eaction_id = 0; 342 if (ipfw_check_object_name_generic(name) == 0) { 343 create_eaction_obj(ch, handler, name, &eaction_id); 344 EACTION_DEBUG("Registered external action '%s' with id %u", 345 name, eaction_id); 346 } 347 return (eaction_id); 348 } 349 350 /* 351 * Deregisters external action handler with id eaction_id. 352 */ 353 int 354 ipfw_del_eaction(struct ip_fw_chain *ch, uint16_t eaction_id) 355 { 356 struct named_object *no; 357 358 IPFW_UH_WLOCK(ch); 359 no = ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), eaction_id); 360 if (no == NULL || no->etlv != IPFW_TLV_EACTION) { 361 IPFW_UH_WUNLOCK(ch); 362 return (EINVAL); 363 } 364 reset_eaction_rules(ch, eaction_id, 0, (no->refcnt > 1)); 365 EACTION_DEBUG("External action '%s' with id %u unregistered", 366 no->name, eaction_id); 367 destroy_eaction_obj(ch, no); 368 IPFW_UH_WUNLOCK(ch); 369 return (0); 370 } 371 372 int 373 ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_fw *rule, 374 uint16_t eaction_id, uint16_t default_id, uint16_t instance_id) 375 { 376 ipfw_insn *cmd, *icmd; 377 int l; 378 379 IPFW_UH_WLOCK_ASSERT(ch); 380 IPFW_WLOCK_ASSERT(ch); 381 382 /* 383 * Return if there is not O_EXTERNAL_ACTION or its id is 384 * different. 385 */ 386 cmd = ipfw_get_action(rule); 387 if (cmd->opcode != O_EXTERNAL_ACTION || 388 cmd->arg1 != eaction_id) 389 return (0); 390 /* 391 * Check if there is O_EXTERNAL_INSTANCE opcode, we need 392 * to truncate the rule length. 393 * 394 * NOTE: F_LEN(cmd) must be 1 for O_EXTERNAL_ACTION opcode, 395 * and rule length should be enough to keep O_EXTERNAL_INSTANCE 396 * opcode, thus we do check for l > 1. 397 */ 398 l = rule->cmd + rule->cmd_len - cmd; 399 if (l > 1) { 400 MPASS(F_LEN(cmd) == 1); 401 icmd = cmd + 1; 402 if (icmd->opcode == O_EXTERNAL_INSTANCE && 403 instance_id != 0 && icmd->arg1 != instance_id) 404 return (0); 405 /* 406 * Since named_object related to this instance will be 407 * destroyed, truncate the chain of opcodes to remove 408 * the rest of cmd chain just after O_EXTERNAL_ACTION 409 * opcode. 410 */ 411 EACTION_DEBUG("truncate rule %d: len %u -> %u", 412 rule->rulenum, rule->cmd_len, 413 rule->cmd_len - F_LEN(icmd)); 414 rule->cmd_len -= F_LEN(icmd); 415 MPASS(((uint32_t *)icmd - 416 (uint32_t *)rule->cmd) == rule->cmd_len); 417 } 418 419 cmd->arg1 = default_id; /* Set to default id */ 420 /* 421 * Return 1 when reset successfully happened. 422 */ 423 return (1); 424 } 425 426 /* 427 * This function should be called before external action instance is 428 * destroyed. It will reset eaction_id to default_id for rules, where 429 * eaction has instance with id == kidx. 430 */ 431 int 432 ipfw_reset_eaction_instance(struct ip_fw_chain *ch, uint16_t eaction_id, 433 uint16_t kidx) 434 { 435 struct named_object *no; 436 437 IPFW_UH_WLOCK_ASSERT(ch); 438 no = ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), eaction_id); 439 if (no == NULL || no->etlv != IPFW_TLV_EACTION) 440 return (EINVAL); 441 442 reset_eaction_rules(ch, eaction_id, kidx, 0); 443 return (0); 444 } 445 446 int 447 ipfw_run_eaction(struct ip_fw_chain *ch, struct ip_fw_args *args, 448 ipfw_insn *cmd, int *done) 449 { 450 451 return (EACTION_OBJ(ch, cmd)->handler(ch, args, cmd, done)); 452 } 453