1 /*- 2 * Copyright (c) 2016 Yandex LLC 3 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 #include <sys/param.h> 31 #include <sys/systm.h> 32 #include <sys/malloc.h> 33 #include <sys/kernel.h> 34 #include <sys/hash.h> 35 #include <sys/lock.h> 36 #include <sys/rwlock.h> 37 #include <sys/rmlock.h> 38 #include <sys/socket.h> 39 #include <sys/socketvar.h> 40 #include <sys/queue.h> 41 #include <net/pfil.h> 42 43 #include <net/if.h> /* ip_fw.h requires IFNAMSIZ */ 44 #include <netinet/in.h> 45 #include <netinet/ip_var.h> /* struct ipfw_rule_ref */ 46 #include <netinet/ip_fw.h> 47 48 #include <netpfil/ipfw/ip_fw_private.h> 49 50 #include "opt_ipfw.h" 51 52 /* 53 * External actions support for ipfw. 54 * 55 * This code provides KPI for implementing loadable modules, that 56 * can provide handlers for external action opcodes in the ipfw's 57 * rules. 58 * Module should implement opcode handler with type ipfw_eaction_t. 59 * This handler will be called by ipfw_chk() function when 60 * O_EXTERNAL_ACTION opcode will be matched. The handler must return 61 * value used as return value in ipfw_chk(), i.e. IP_FW_PASS, 62 * IP_FW_DENY (see ip_fw_private.h). 63 * Also the last argument must be set by handler. If it is zero, 64 * the search continues to the next rule. If it has non zero value, 65 * the search terminates. 66 * 67 * The module that implements external action should register its 68 * handler and name with ipfw_add_eaction() function. 69 * This function will return eaction_id, that can be used by module. 70 * 71 * It is possible to pass some additional information to external 72 * action handler via the O_EXTERNAL_INSTANCE opcode. This opcode 73 * will be next after the O_EXTERNAL_ACTION opcode. cmd->arg1 will 74 * contain index of named object related to instance of external action. 75 * 76 * In case when eaction module uses named instances, it should register 77 * opcode rewriting routines for O_EXTERNAL_INSTANCE opcode. The 78 * classifier callback can look back into O_EXTERNAL_ACTION opcode (it 79 * must be in the (ipfw_insn *)(cmd - 1)). By arg1 from O_EXTERNAL_ACTION 80 * it can deteremine eaction_id and compare it with its own. 81 * The macro IPFW_TLV_EACTION_NAME(eaction_id) can be used to deteremine 82 * the type of named_object related to external action instance. 83 * 84 * On module unload handler should be deregistered with ipfw_del_eaction() 85 * function using known eaction_id. 86 */ 87 88 struct eaction_obj { 89 struct named_object no; 90 ipfw_eaction_t *handler; 91 char name[64]; 92 }; 93 94 #define EACTION_OBJ(ch, cmd) \ 95 ((struct eaction_obj *)SRV_OBJECT((ch), (cmd)->arg1)) 96 97 #if 0 98 #define EACTION_DEBUG(fmt, ...) do { \ 99 printf("%s: " fmt "\n", __func__, ## __VA_ARGS__); \ 100 } while (0) 101 #else 102 #define EACTION_DEBUG(fmt, ...) 103 #endif 104 105 const char *default_eaction_typename = "drop"; 106 static int 107 default_eaction(struct ip_fw_chain *ch, struct ip_fw_args *args, 108 ipfw_insn *cmd, int *done) 109 { 110 111 *done = 1; /* terminate the search */ 112 return (IP_FW_DENY); 113 } 114 115 /* 116 * Opcode rewriting callbacks. 117 */ 118 static int 119 eaction_classify(ipfw_insn *cmd, uint16_t *puidx, uint8_t *ptype) 120 { 121 122 EACTION_DEBUG("opcode %d, arg1 %d", cmd->opcode, cmd->arg1); 123 *puidx = cmd->arg1; 124 *ptype = 0; 125 return (0); 126 } 127 128 static void 129 eaction_update(ipfw_insn *cmd, uint16_t idx) 130 { 131 132 cmd->arg1 = idx; 133 EACTION_DEBUG("opcode %d, arg1 -> %d", cmd->opcode, cmd->arg1); 134 } 135 136 static int 137 eaction_findbyname(struct ip_fw_chain *ch, struct tid_info *ti, 138 struct named_object **pno) 139 { 140 141 EACTION_DEBUG("uidx %u, type %u", ti->uidx, ti->type); 142 return (ipfw_objhash_find_type(CHAIN_TO_SRV(ch), ti, 143 IPFW_TLV_EACTION, pno)); 144 } 145 146 static struct named_object * 147 eaction_findbykidx(struct ip_fw_chain *ch, uint16_t idx) 148 { 149 150 EACTION_DEBUG("kidx %u", idx); 151 return (ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), idx)); 152 } 153 154 static int 155 eaction_create_compat(struct ip_fw_chain *ch, struct tid_info *ti, 156 uint16_t *pkidx) 157 { 158 159 return (EOPNOTSUPP); 160 } 161 162 static struct opcode_obj_rewrite eaction_opcodes[] = { 163 { 164 O_EXTERNAL_ACTION, IPFW_TLV_EACTION, 165 eaction_classify, eaction_update, 166 eaction_findbyname, eaction_findbykidx, 167 eaction_create_compat 168 }, 169 }; 170 171 static int 172 create_eaction_obj(struct ip_fw_chain *ch, ipfw_eaction_t handler, 173 const char *name, uint16_t *eaction_id) 174 { 175 struct namedobj_instance *ni; 176 struct eaction_obj *obj; 177 178 IPFW_UH_UNLOCK_ASSERT(ch); 179 180 ni = CHAIN_TO_SRV(ch); 181 obj = malloc(sizeof(*obj), M_IPFW, M_WAITOK | M_ZERO); 182 obj->no.name = obj->name; 183 obj->no.etlv = IPFW_TLV_EACTION; 184 obj->handler = handler; 185 strlcpy(obj->name, name, sizeof(obj->name)); 186 187 IPFW_UH_WLOCK(ch); 188 if (ipfw_objhash_lookup_name_type(ni, 0, IPFW_TLV_EACTION, 189 name) != NULL) { 190 /* 191 * Object is already created. 192 * We don't allow eactions with the same name. 193 */ 194 IPFW_UH_WUNLOCK(ch); 195 free(obj, M_IPFW); 196 EACTION_DEBUG("External action with typename " 197 "'%s' already exists", name); 198 return (EEXIST); 199 } 200 if (ipfw_objhash_alloc_idx(ni, &obj->no.kidx) != 0) { 201 IPFW_UH_WUNLOCK(ch); 202 free(obj, M_IPFW); 203 EACTION_DEBUG("alloc_idx failed"); 204 return (ENOSPC); 205 } 206 ipfw_objhash_add(ni, &obj->no); 207 IPFW_WLOCK(ch); 208 SRV_OBJECT(ch, obj->no.kidx) = obj; 209 IPFW_WUNLOCK(ch); 210 obj->no.refcnt++; 211 IPFW_UH_WUNLOCK(ch); 212 213 if (eaction_id != NULL) 214 *eaction_id = obj->no.kidx; 215 return (0); 216 } 217 218 static void 219 destroy_eaction_obj(struct ip_fw_chain *ch, struct named_object *no) 220 { 221 struct namedobj_instance *ni; 222 struct eaction_obj *obj; 223 224 IPFW_UH_WLOCK_ASSERT(ch); 225 226 ni = CHAIN_TO_SRV(ch); 227 IPFW_WLOCK(ch); 228 obj = SRV_OBJECT(ch, no->kidx); 229 SRV_OBJECT(ch, no->kidx) = NULL; 230 IPFW_WUNLOCK(ch); 231 ipfw_objhash_del(ni, no); 232 ipfw_objhash_free_idx(ni, no->kidx); 233 free(obj, M_IPFW); 234 } 235 236 /* 237 * Resets all eaction opcodes to default handlers. 238 */ 239 static void 240 reset_eaction_obj(struct ip_fw_chain *ch, uint16_t eaction_id) 241 { 242 struct named_object *no; 243 struct ip_fw *rule; 244 ipfw_insn *cmd; 245 int i; 246 247 IPFW_UH_WLOCK_ASSERT(ch); 248 249 no = ipfw_objhash_lookup_name_type(CHAIN_TO_SRV(ch), 0, 250 IPFW_TLV_EACTION, default_eaction_typename); 251 if (no == NULL) 252 panic("Default external action handler is not found"); 253 if (eaction_id == no->kidx) 254 panic("Wrong eaction_id"); 255 EACTION_DEBUG("replace id %u with %u", eaction_id, no->kidx); 256 IPFW_WLOCK(ch); 257 for (i = 0; i < ch->n_rules; i++) { 258 rule = ch->map[i]; 259 cmd = ACTION_PTR(rule); 260 if (cmd->opcode != O_EXTERNAL_ACTION) 261 continue; 262 if (cmd->arg1 != eaction_id) 263 continue; 264 cmd->arg1 = no->kidx; /* Set to default id */ 265 /* 266 * XXX: we only bump refcount on default_eaction. 267 * Refcount on the original object will be just 268 * ignored on destroy. But on default_eaction it 269 * will be decremented on rule deletion. 270 */ 271 no->refcnt++; 272 /* 273 * Since named_object related to this instance will be 274 * also destroyed, truncate the chain of opcodes to 275 * remove O_EXTERNAL_INSTANCE opcode. 276 */ 277 if (rule->act_ofs < rule->cmd_len - 1) { 278 EACTION_DEBUG("truncate rule %d", rule->rulenum); 279 rule->cmd_len--; 280 } 281 } 282 IPFW_WUNLOCK(ch); 283 } 284 285 /* 286 * Initialize external actions framework. 287 * Create object with default eaction handler "drop". 288 */ 289 int 290 ipfw_eaction_init(struct ip_fw_chain *ch, int first) 291 { 292 int error; 293 294 error = create_eaction_obj(ch, default_eaction, 295 default_eaction_typename, NULL); 296 if (error != 0) 297 return (error); 298 IPFW_ADD_OBJ_REWRITER(first, eaction_opcodes); 299 EACTION_DEBUG("External actions support initialized"); 300 return (0); 301 } 302 303 void 304 ipfw_eaction_uninit(struct ip_fw_chain *ch, int last) 305 { 306 struct namedobj_instance *ni; 307 struct named_object *no; 308 309 ni = CHAIN_TO_SRV(ch); 310 311 IPFW_UH_WLOCK(ch); 312 no = ipfw_objhash_lookup_name_type(ni, 0, IPFW_TLV_EACTION, 313 default_eaction_typename); 314 if (no != NULL) 315 destroy_eaction_obj(ch, no); 316 IPFW_UH_WUNLOCK(ch); 317 IPFW_DEL_OBJ_REWRITER(last, eaction_opcodes); 318 EACTION_DEBUG("External actions support uninitialized"); 319 } 320 321 /* 322 * Registers external action handler to the global array. 323 * On success it returns eaction id, otherwise - zero. 324 */ 325 uint16_t 326 ipfw_add_eaction(struct ip_fw_chain *ch, ipfw_eaction_t handler, 327 const char *name) 328 { 329 uint16_t eaction_id; 330 331 eaction_id = 0; 332 if (ipfw_check_object_name_generic(name) == 0) { 333 create_eaction_obj(ch, handler, name, &eaction_id); 334 EACTION_DEBUG("Registered external action '%s' with id %u", 335 name, eaction_id); 336 } 337 return (eaction_id); 338 } 339 340 /* 341 * Deregisters external action handler with id eaction_id. 342 */ 343 int 344 ipfw_del_eaction(struct ip_fw_chain *ch, uint16_t eaction_id) 345 { 346 struct named_object *no; 347 348 IPFW_UH_WLOCK(ch); 349 no = ipfw_objhash_lookup_kidx(CHAIN_TO_SRV(ch), eaction_id); 350 if (no == NULL || no->etlv != IPFW_TLV_EACTION) { 351 IPFW_UH_WUNLOCK(ch); 352 return (EINVAL); 353 } 354 if (no->refcnt > 1) 355 reset_eaction_obj(ch, eaction_id); 356 EACTION_DEBUG("External action '%s' with id %u unregistered", 357 no->name, eaction_id); 358 destroy_eaction_obj(ch, no); 359 IPFW_UH_WUNLOCK(ch); 360 return (0); 361 } 362 363 int 364 ipfw_run_eaction(struct ip_fw_chain *ch, struct ip_fw_args *args, 365 ipfw_insn *cmd, int *done) 366 { 367 368 return (EACTION_OBJ(ch, cmd)->handler(ch, args, cmd, done)); 369 } 370