1 /*- 2 * Copyright (c) 2016 Yandex LLC 3 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include <sys/param.h> 32 #include <sys/systm.h> 33 #include <sys/counter.h> 34 #include <sys/errno.h> 35 #include <sys/kernel.h> 36 #include <sys/lock.h> 37 #include <sys/malloc.h> 38 #include <sys/mbuf.h> 39 #include <sys/module.h> 40 #include <sys/rmlock.h> 41 #include <sys/rwlock.h> 42 #include <sys/socket.h> 43 #include <sys/queue.h> 44 #include <sys/syslog.h> 45 #include <sys/sysctl.h> 46 47 #include <net/if.h> 48 #include <net/if_var.h> 49 #include <net/netisr.h> 50 #include <net/pfil.h> 51 #include <net/vnet.h> 52 53 #include <netinet/in.h> 54 #include <netinet/ip_var.h> 55 #include <netinet/ip_fw.h> 56 #include <netinet/ip6.h> 57 #include <netinet/icmp6.h> 58 #include <netinet6/in6_var.h> 59 #include <netinet6/ip6_var.h> 60 61 #include <netpfil/ipfw/ip_fw_private.h> 62 #include <netpfil/ipfw/nptv6/nptv6.h> 63 64 static VNET_DEFINE(uint16_t, nptv6_eid) = 0; 65 #define V_nptv6_eid VNET(nptv6_eid) 66 #define IPFW_TLV_NPTV6_NAME IPFW_TLV_EACTION_NAME(V_nptv6_eid) 67 68 static struct nptv6_cfg *nptv6_alloc_config(const char *name, uint8_t set); 69 static void nptv6_free_config(struct nptv6_cfg *cfg); 70 static struct nptv6_cfg *nptv6_find(struct namedobj_instance *ni, 71 const char *name, uint8_t set); 72 static int nptv6_rewrite_internal(struct nptv6_cfg *cfg, struct mbuf **mp, 73 int offset); 74 static int nptv6_rewrite_external(struct nptv6_cfg *cfg, struct mbuf **mp, 75 int offset); 76 77 #define NPTV6_LOOKUP(chain, cmd) \ 78 (struct nptv6_cfg *)SRV_OBJECT((chain), (cmd)->arg1) 79 80 #ifndef IN6_MASK_ADDR 81 #define IN6_MASK_ADDR(a, m) do { \ 82 (a)->s6_addr32[0] &= (m)->s6_addr32[0]; \ 83 (a)->s6_addr32[1] &= (m)->s6_addr32[1]; \ 84 (a)->s6_addr32[2] &= (m)->s6_addr32[2]; \ 85 (a)->s6_addr32[3] &= (m)->s6_addr32[3]; \ 86 } while (0) 87 #endif 88 #ifndef IN6_ARE_MASKED_ADDR_EQUAL 89 #define IN6_ARE_MASKED_ADDR_EQUAL(d, a, m) ( \ 90 (((d)->s6_addr32[0] ^ (a)->s6_addr32[0]) & (m)->s6_addr32[0]) == 0 && \ 91 (((d)->s6_addr32[1] ^ (a)->s6_addr32[1]) & (m)->s6_addr32[1]) == 0 && \ 92 (((d)->s6_addr32[2] ^ (a)->s6_addr32[2]) & (m)->s6_addr32[2]) == 0 && \ 93 (((d)->s6_addr32[3] ^ (a)->s6_addr32[3]) & (m)->s6_addr32[3]) == 0 ) 94 #endif 95 96 #if 0 97 #define NPTV6_DEBUG(fmt, ...) do { \ 98 printf("%s: " fmt "\n", __func__, ## __VA_ARGS__); \ 99 } while (0) 100 #define NPTV6_IPDEBUG(fmt, ...) do { \ 101 char _s[INET6_ADDRSTRLEN], _d[INET6_ADDRSTRLEN]; \ 102 printf("%s: " fmt "\n", __func__, ## __VA_ARGS__); \ 103 } while (0) 104 #else 105 #define NPTV6_DEBUG(fmt, ...) 106 #define NPTV6_IPDEBUG(fmt, ...) 107 #endif 108 109 static int 110 nptv6_getlasthdr(struct nptv6_cfg *cfg, struct mbuf *m, int *offset) 111 { 112 struct ip6_hdr *ip6; 113 struct ip6_hbh *hbh; 114 int proto, hlen; 115 116 hlen = (offset == NULL) ? 0: *offset; 117 if (m->m_len < hlen) 118 return (-1); 119 ip6 = mtodo(m, hlen); 120 hlen += sizeof(*ip6); 121 proto = ip6->ip6_nxt; 122 while (proto == IPPROTO_HOPOPTS || proto == IPPROTO_ROUTING || 123 proto == IPPROTO_DSTOPTS) { 124 hbh = mtodo(m, hlen); 125 if (m->m_len < hlen) 126 return (-1); 127 proto = hbh->ip6h_nxt; 128 hlen += (hbh->ip6h_len + 1) << 3; 129 } 130 if (offset != NULL) 131 *offset = hlen; 132 return (proto); 133 } 134 135 static int 136 nptv6_translate_icmpv6(struct nptv6_cfg *cfg, struct mbuf **mp, int offset) 137 { 138 struct icmp6_hdr *icmp6; 139 struct ip6_hdr *ip6; 140 struct mbuf *m; 141 142 m = *mp; 143 if (offset > m->m_len) 144 return (-1); 145 icmp6 = mtodo(m, offset); 146 NPTV6_DEBUG("ICMPv6 type %d", icmp6->icmp6_type); 147 switch (icmp6->icmp6_type) { 148 case ICMP6_DST_UNREACH: 149 case ICMP6_PACKET_TOO_BIG: 150 case ICMP6_TIME_EXCEEDED: 151 case ICMP6_PARAM_PROB: 152 break; 153 case ICMP6_ECHO_REQUEST: 154 case ICMP6_ECHO_REPLY: 155 /* nothing to translate */ 156 return (0); 157 default: 158 /* 159 * XXX: We can add some checks to not translate NDP and MLD 160 * messages. Currently user must explicitly allow these message 161 * types, otherwise packets will be dropped. 162 */ 163 return (-1); 164 } 165 offset += sizeof(*icmp6); 166 if (offset + sizeof(*ip6) > m->m_pkthdr.len) 167 return (-1); 168 if (offset + sizeof(*ip6) > m->m_len) 169 *mp = m = m_pullup(m, offset + sizeof(*ip6)); 170 if (m == NULL) 171 return (-1); 172 ip6 = mtodo(m, offset); 173 NPTV6_IPDEBUG("offset %d, %s -> %s %d", offset, 174 inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)), 175 inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)), 176 ip6->ip6_nxt); 177 if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_src, 178 &cfg->external, &cfg->mask)) 179 return (nptv6_rewrite_external(cfg, mp, offset)); 180 else if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_dst, 181 &cfg->internal, &cfg->mask)) 182 return (nptv6_rewrite_internal(cfg, mp, offset)); 183 /* 184 * Addresses in the inner IPv6 header doesn't matched to 185 * our prefixes. 186 */ 187 return (-1); 188 } 189 190 static int 191 nptv6_search_index(struct nptv6_cfg *cfg, struct in6_addr *a) 192 { 193 int idx; 194 195 if (cfg->flags & NPTV6_48PLEN) 196 return (3); 197 198 /* Search suitable word index for adjustment */ 199 for (idx = 4; idx < 8; idx++) 200 if (a->s6_addr16[idx] != 0xffff) 201 break; 202 /* 203 * RFC 6296 p3.7: If an NPTv6 Translator discovers a datagram with 204 * an IID of all-zeros while performing address mapping, that 205 * datagram MUST be dropped, and an ICMPv6 Parameter Problem error 206 * SHOULD be generated. 207 */ 208 if (idx == 8 || 209 (a->s6_addr32[2] == 0 && a->s6_addr32[3] == 0)) 210 return (-1); 211 return (idx); 212 } 213 214 static void 215 nptv6_copy_addr(struct in6_addr *src, struct in6_addr *dst, 216 struct in6_addr *mask) 217 { 218 int i; 219 220 for (i = 0; i < 8 && mask->s6_addr8[i] != 0; i++) { 221 dst->s6_addr8[i] &= ~mask->s6_addr8[i]; 222 dst->s6_addr8[i] |= src->s6_addr8[i] & mask->s6_addr8[i]; 223 } 224 } 225 226 static int 227 nptv6_rewrite_internal(struct nptv6_cfg *cfg, struct mbuf **mp, int offset) 228 { 229 struct in6_addr *addr; 230 struct ip6_hdr *ip6; 231 int idx, proto; 232 uint16_t adj; 233 234 ip6 = mtodo(*mp, offset); 235 NPTV6_IPDEBUG("offset %d, %s -> %s %d", offset, 236 inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)), 237 inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)), 238 ip6->ip6_nxt); 239 if (offset == 0) 240 addr = &ip6->ip6_src; 241 else { 242 /* 243 * When we rewriting inner IPv6 header, we need to rewrite 244 * destination address back to external prefix. The datagram in 245 * the ICMPv6 payload should looks like it was send from 246 * external prefix. 247 */ 248 addr = &ip6->ip6_dst; 249 } 250 idx = nptv6_search_index(cfg, addr); 251 if (idx < 0) { 252 /* 253 * Do not send ICMPv6 error when offset isn't zero. 254 * This means we are rewriting inner IPv6 header in the 255 * ICMPv6 error message. 256 */ 257 if (offset == 0) { 258 icmp6_error2(*mp, ICMP6_DST_UNREACH, 259 ICMP6_DST_UNREACH_ADDR, 0, (*mp)->m_pkthdr.rcvif); 260 *mp = NULL; 261 } 262 return (IP_FW_DENY); 263 } 264 adj = addr->s6_addr16[idx]; 265 nptv6_copy_addr(&cfg->external, addr, &cfg->mask); 266 adj = cksum_add(adj, cfg->adjustment); 267 if (adj == 0xffff) 268 adj = 0; 269 addr->s6_addr16[idx] = adj; 270 if (offset == 0) { 271 /* 272 * We may need to translate addresses in the inner IPv6 273 * header for ICMPv6 error messages. 274 */ 275 proto = nptv6_getlasthdr(cfg, *mp, &offset); 276 if (proto < 0 || (proto == IPPROTO_ICMPV6 && 277 nptv6_translate_icmpv6(cfg, mp, offset) != 0)) 278 return (IP_FW_DENY); 279 NPTV6STAT_INC(cfg, in2ex); 280 } 281 return (0); 282 } 283 284 static int 285 nptv6_rewrite_external(struct nptv6_cfg *cfg, struct mbuf **mp, int offset) 286 { 287 struct in6_addr *addr; 288 struct ip6_hdr *ip6; 289 int idx, proto; 290 uint16_t adj; 291 292 ip6 = mtodo(*mp, offset); 293 NPTV6_IPDEBUG("offset %d, %s -> %s %d", offset, 294 inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)), 295 inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)), 296 ip6->ip6_nxt); 297 if (offset == 0) 298 addr = &ip6->ip6_dst; 299 else { 300 /* 301 * When we rewriting inner IPv6 header, we need to rewrite 302 * source address back to internal prefix. The datagram in 303 * the ICMPv6 payload should looks like it was send from 304 * internal prefix. 305 */ 306 addr = &ip6->ip6_src; 307 } 308 idx = nptv6_search_index(cfg, addr); 309 if (idx < 0) { 310 /* 311 * Do not send ICMPv6 error when offset isn't zero. 312 * This means we are rewriting inner IPv6 header in the 313 * ICMPv6 error message. 314 */ 315 if (offset == 0) { 316 icmp6_error2(*mp, ICMP6_DST_UNREACH, 317 ICMP6_DST_UNREACH_ADDR, 0, (*mp)->m_pkthdr.rcvif); 318 *mp = NULL; 319 } 320 return (IP_FW_DENY); 321 } 322 adj = addr->s6_addr16[idx]; 323 nptv6_copy_addr(&cfg->internal, addr, &cfg->mask); 324 adj = cksum_add(adj, ~cfg->adjustment); 325 if (adj == 0xffff) 326 adj = 0; 327 addr->s6_addr16[idx] = adj; 328 if (offset == 0) { 329 /* 330 * We may need to translate addresses in the inner IPv6 331 * header for ICMPv6 error messages. 332 */ 333 proto = nptv6_getlasthdr(cfg, *mp, &offset); 334 if (proto < 0 || (proto == IPPROTO_ICMPV6 && 335 nptv6_translate_icmpv6(cfg, mp, offset) != 0)) 336 return (IP_FW_DENY); 337 NPTV6STAT_INC(cfg, ex2in); 338 } 339 return (0); 340 } 341 342 /* 343 * ipfw external action handler. 344 */ 345 static int 346 ipfw_nptv6(struct ip_fw_chain *chain, struct ip_fw_args *args, 347 ipfw_insn *cmd, int *done) 348 { 349 struct ip6_hdr *ip6; 350 struct nptv6_cfg *cfg; 351 ipfw_insn *icmd; 352 int ret; 353 354 *done = 0; /* try next rule if not matched */ 355 ret = IP_FW_DENY; 356 icmd = cmd + 1; 357 if (cmd->opcode != O_EXTERNAL_ACTION || 358 cmd->arg1 != V_nptv6_eid || 359 icmd->opcode != O_EXTERNAL_INSTANCE || 360 (cfg = NPTV6_LOOKUP(chain, icmd)) == NULL) 361 return (ret); 362 /* 363 * We need act as router, so when forwarding is disabled - 364 * do nothing. 365 */ 366 if (V_ip6_forwarding == 0 || args->f_id.addr_type != 6) 367 return (ret); 368 /* 369 * NOTE: we expect ipfw_chk() did m_pullup() up to upper level 370 * protocol's headers. Also we skip some checks, that ip6_input(), 371 * ip6_forward(), ip6_fastfwd() and ipfw_chk() already did. 372 */ 373 ip6 = mtod(args->m, struct ip6_hdr *); 374 NPTV6_IPDEBUG("eid %u, oid %u, %s -> %s %d", 375 cmd->arg1, icmd->arg1, 376 inet_ntop(AF_INET6, &ip6->ip6_src, _s, sizeof(_s)), 377 inet_ntop(AF_INET6, &ip6->ip6_dst, _d, sizeof(_d)), 378 ip6->ip6_nxt); 379 if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_src, 380 &cfg->internal, &cfg->mask)) { 381 /* 382 * XXX: Do not translate packets when both src and dst 383 * are from internal prefix. 384 */ 385 if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_dst, 386 &cfg->internal, &cfg->mask)) 387 return (ret); 388 ret = nptv6_rewrite_internal(cfg, &args->m, 0); 389 } else if (IN6_ARE_MASKED_ADDR_EQUAL(&ip6->ip6_dst, 390 &cfg->external, &cfg->mask)) 391 ret = nptv6_rewrite_external(cfg, &args->m, 0); 392 else 393 return (ret); 394 /* 395 * If address wasn't rewrited - free mbuf and terminate the search. 396 */ 397 if (ret != 0) { 398 if (args->m != NULL) { 399 m_freem(args->m); 400 args->m = NULL; /* mark mbuf as consumed */ 401 } 402 NPTV6STAT_INC(cfg, dropped); 403 *done = 1; 404 } else { 405 /* Terminate the search if one_pass is set */ 406 *done = V_fw_one_pass; 407 /* Update args->f_id when one_pass is off */ 408 if (*done == 0) { 409 ip6 = mtod(args->m, struct ip6_hdr *); 410 args->f_id.src_ip6 = ip6->ip6_src; 411 args->f_id.dst_ip6 = ip6->ip6_dst; 412 } 413 } 414 return (ret); 415 } 416 417 static struct nptv6_cfg * 418 nptv6_alloc_config(const char *name, uint8_t set) 419 { 420 struct nptv6_cfg *cfg; 421 422 cfg = malloc(sizeof(struct nptv6_cfg), M_IPFW, M_WAITOK | M_ZERO); 423 COUNTER_ARRAY_ALLOC(cfg->stats, NPTV6STATS, M_WAITOK); 424 cfg->no.name = cfg->name; 425 cfg->no.etlv = IPFW_TLV_NPTV6_NAME; 426 cfg->no.set = set; 427 strlcpy(cfg->name, name, sizeof(cfg->name)); 428 return (cfg); 429 } 430 431 static void 432 nptv6_free_config(struct nptv6_cfg *cfg) 433 { 434 435 COUNTER_ARRAY_FREE(cfg->stats, NPTV6STATS); 436 free(cfg, M_IPFW); 437 } 438 439 static void 440 nptv6_export_config(struct ip_fw_chain *ch, struct nptv6_cfg *cfg, 441 ipfw_nptv6_cfg *uc) 442 { 443 444 uc->internal = cfg->internal; 445 uc->external = cfg->external; 446 uc->plen = cfg->plen; 447 uc->flags = cfg->flags & NPTV6_FLAGSMASK; 448 uc->set = cfg->no.set; 449 strlcpy(uc->name, cfg->no.name, sizeof(uc->name)); 450 } 451 452 struct nptv6_dump_arg { 453 struct ip_fw_chain *ch; 454 struct sockopt_data *sd; 455 }; 456 457 static int 458 export_config_cb(struct namedobj_instance *ni, struct named_object *no, 459 void *arg) 460 { 461 struct nptv6_dump_arg *da = (struct nptv6_dump_arg *)arg; 462 ipfw_nptv6_cfg *uc; 463 464 uc = (ipfw_nptv6_cfg *)ipfw_get_sopt_space(da->sd, sizeof(*uc)); 465 nptv6_export_config(da->ch, (struct nptv6_cfg *)no, uc); 466 return (0); 467 } 468 469 static struct nptv6_cfg * 470 nptv6_find(struct namedobj_instance *ni, const char *name, uint8_t set) 471 { 472 struct nptv6_cfg *cfg; 473 474 cfg = (struct nptv6_cfg *)ipfw_objhash_lookup_name_type(ni, set, 475 IPFW_TLV_NPTV6_NAME, name); 476 477 return (cfg); 478 } 479 480 static void 481 nptv6_calculate_adjustment(struct nptv6_cfg *cfg) 482 { 483 uint16_t i, e; 484 uint16_t *p; 485 486 /* Calculate checksum of internal prefix */ 487 for (i = 0, p = (uint16_t *)&cfg->internal; 488 p < (uint16_t *)(&cfg->internal + 1); p++) 489 i = cksum_add(i, *p); 490 491 /* Calculate checksum of external prefix */ 492 for (e = 0, p = (uint16_t *)&cfg->external; 493 p < (uint16_t *)(&cfg->external + 1); p++) 494 e = cksum_add(e, *p); 495 496 /* Adjustment value for Int->Ext direction */ 497 cfg->adjustment = cksum_add(~e, i); 498 } 499 500 /* 501 * Creates new NPTv6 instance. 502 * Data layout (v0)(current): 503 * Request: [ ipfw_obj_lheader ipfw_nptv6_cfg ] 504 * 505 * Returns 0 on success 506 */ 507 static int 508 nptv6_create(struct ip_fw_chain *ch, ip_fw3_opheader *op3, 509 struct sockopt_data *sd) 510 { 511 struct in6_addr mask; 512 ipfw_obj_lheader *olh; 513 ipfw_nptv6_cfg *uc; 514 struct namedobj_instance *ni; 515 struct nptv6_cfg *cfg; 516 517 if (sd->valsize != sizeof(*olh) + sizeof(*uc)) 518 return (EINVAL); 519 520 olh = (ipfw_obj_lheader *)sd->kbuf; 521 uc = (ipfw_nptv6_cfg *)(olh + 1); 522 if (ipfw_check_object_name_generic(uc->name) != 0) 523 return (EINVAL); 524 if (uc->plen < 8 || uc->plen > 64 || uc->set >= IPFW_MAX_SETS) 525 return (EINVAL); 526 if (IN6_IS_ADDR_MULTICAST(&uc->internal) || 527 IN6_IS_ADDR_MULTICAST(&uc->external) || 528 IN6_IS_ADDR_UNSPECIFIED(&uc->internal) || 529 IN6_IS_ADDR_UNSPECIFIED(&uc->external) || 530 IN6_IS_ADDR_LINKLOCAL(&uc->internal) || 531 IN6_IS_ADDR_LINKLOCAL(&uc->external)) 532 return (EINVAL); 533 in6_prefixlen2mask(&mask, uc->plen); 534 if (IN6_ARE_MASKED_ADDR_EQUAL(&uc->internal, &uc->external, &mask)) 535 return (EINVAL); 536 537 ni = CHAIN_TO_SRV(ch); 538 IPFW_UH_RLOCK(ch); 539 if (nptv6_find(ni, uc->name, uc->set) != NULL) { 540 IPFW_UH_RUNLOCK(ch); 541 return (EEXIST); 542 } 543 IPFW_UH_RUNLOCK(ch); 544 545 cfg = nptv6_alloc_config(uc->name, uc->set); 546 cfg->plen = uc->plen; 547 if (cfg->plen <= 48) 548 cfg->flags |= NPTV6_48PLEN; 549 cfg->internal = uc->internal; 550 cfg->external = uc->external; 551 cfg->mask = mask; 552 IN6_MASK_ADDR(&cfg->internal, &mask); 553 IN6_MASK_ADDR(&cfg->external, &mask); 554 nptv6_calculate_adjustment(cfg); 555 556 IPFW_UH_WLOCK(ch); 557 if (ipfw_objhash_alloc_idx(ni, &cfg->no.kidx) != 0) { 558 IPFW_UH_WUNLOCK(ch); 559 nptv6_free_config(cfg); 560 return (ENOSPC); 561 } 562 ipfw_objhash_add(ni, &cfg->no); 563 IPFW_WLOCK(ch); 564 SRV_OBJECT(ch, cfg->no.kidx) = cfg; 565 IPFW_WUNLOCK(ch); 566 IPFW_UH_WUNLOCK(ch); 567 return (0); 568 } 569 570 /* 571 * Destroys NPTv6 instance. 572 * Data layout (v0)(current): 573 * Request: [ ipfw_obj_header ] 574 * 575 * Returns 0 on success 576 */ 577 static int 578 nptv6_destroy(struct ip_fw_chain *ch, ip_fw3_opheader *op3, 579 struct sockopt_data *sd) 580 { 581 ipfw_obj_header *oh; 582 struct nptv6_cfg *cfg; 583 584 if (sd->valsize != sizeof(*oh)) 585 return (EINVAL); 586 587 oh = (ipfw_obj_header *)sd->kbuf; 588 if (ipfw_check_object_name_generic(oh->ntlv.name) != 0) 589 return (EINVAL); 590 591 IPFW_UH_WLOCK(ch); 592 cfg = nptv6_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set); 593 if (cfg == NULL) { 594 IPFW_UH_WUNLOCK(ch); 595 return (ESRCH); 596 } 597 if (cfg->no.refcnt > 0) { 598 IPFW_UH_WUNLOCK(ch); 599 return (EBUSY); 600 } 601 602 IPFW_WLOCK(ch); 603 SRV_OBJECT(ch, cfg->no.kidx) = NULL; 604 IPFW_WUNLOCK(ch); 605 606 ipfw_objhash_del(CHAIN_TO_SRV(ch), &cfg->no); 607 ipfw_objhash_free_idx(CHAIN_TO_SRV(ch), cfg->no.kidx); 608 IPFW_UH_WUNLOCK(ch); 609 610 nptv6_free_config(cfg); 611 return (0); 612 } 613 614 /* 615 * Get or change nptv6 instance config. 616 * Request: [ ipfw_obj_header [ ipfw_nptv6_cfg ] ] 617 */ 618 static int 619 nptv6_config(struct ip_fw_chain *chain, ip_fw3_opheader *op, 620 struct sockopt_data *sd) 621 { 622 623 return (EOPNOTSUPP); 624 } 625 626 /* 627 * Lists all NPTv6 instances currently available in kernel. 628 * Data layout (v0)(current): 629 * Request: [ ipfw_obj_lheader ] 630 * Reply: [ ipfw_obj_lheader ipfw_nptv6_cfg x N ] 631 * 632 * Returns 0 on success 633 */ 634 static int 635 nptv6_list(struct ip_fw_chain *ch, ip_fw3_opheader *op3, 636 struct sockopt_data *sd) 637 { 638 ipfw_obj_lheader *olh; 639 struct nptv6_dump_arg da; 640 641 /* Check minimum header size */ 642 if (sd->valsize < sizeof(ipfw_obj_lheader)) 643 return (EINVAL); 644 645 olh = (ipfw_obj_lheader *)ipfw_get_sopt_header(sd, sizeof(*olh)); 646 647 IPFW_UH_RLOCK(ch); 648 olh->count = ipfw_objhash_count_type(CHAIN_TO_SRV(ch), 649 IPFW_TLV_NPTV6_NAME); 650 olh->objsize = sizeof(ipfw_nptv6_cfg); 651 olh->size = sizeof(*olh) + olh->count * olh->objsize; 652 653 if (sd->valsize < olh->size) { 654 IPFW_UH_RUNLOCK(ch); 655 return (ENOMEM); 656 } 657 memset(&da, 0, sizeof(da)); 658 da.ch = ch; 659 da.sd = sd; 660 ipfw_objhash_foreach_type(CHAIN_TO_SRV(ch), export_config_cb, 661 &da, IPFW_TLV_NPTV6_NAME); 662 IPFW_UH_RUNLOCK(ch); 663 664 return (0); 665 } 666 667 #define __COPY_STAT_FIELD(_cfg, _stats, _field) \ 668 (_stats)->_field = NPTV6STAT_FETCH(_cfg, _field) 669 static void 670 export_stats(struct ip_fw_chain *ch, struct nptv6_cfg *cfg, 671 struct ipfw_nptv6_stats *stats) 672 { 673 674 __COPY_STAT_FIELD(cfg, stats, in2ex); 675 __COPY_STAT_FIELD(cfg, stats, ex2in); 676 __COPY_STAT_FIELD(cfg, stats, dropped); 677 } 678 679 /* 680 * Get NPTv6 statistics. 681 * Data layout (v0)(current): 682 * Request: [ ipfw_obj_header ] 683 * Reply: [ ipfw_obj_header ipfw_obj_ctlv [ uint64_t x N ]] 684 * 685 * Returns 0 on success 686 */ 687 static int 688 nptv6_stats(struct ip_fw_chain *ch, ip_fw3_opheader *op, 689 struct sockopt_data *sd) 690 { 691 struct ipfw_nptv6_stats stats; 692 struct nptv6_cfg *cfg; 693 ipfw_obj_header *oh; 694 ipfw_obj_ctlv *ctlv; 695 size_t sz; 696 697 sz = sizeof(ipfw_obj_header) + sizeof(ipfw_obj_ctlv) + sizeof(stats); 698 if (sd->valsize % sizeof(uint64_t)) 699 return (EINVAL); 700 if (sd->valsize < sz) 701 return (ENOMEM); 702 oh = (ipfw_obj_header *)ipfw_get_sopt_header(sd, sz); 703 if (oh == NULL) 704 return (EINVAL); 705 if (ipfw_check_object_name_generic(oh->ntlv.name) != 0 || 706 oh->ntlv.set >= IPFW_MAX_SETS) 707 return (EINVAL); 708 memset(&stats, 0, sizeof(stats)); 709 710 IPFW_UH_RLOCK(ch); 711 cfg = nptv6_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set); 712 if (cfg == NULL) { 713 IPFW_UH_RUNLOCK(ch); 714 return (ESRCH); 715 } 716 export_stats(ch, cfg, &stats); 717 IPFW_UH_RUNLOCK(ch); 718 719 ctlv = (ipfw_obj_ctlv *)(oh + 1); 720 memset(ctlv, 0, sizeof(*ctlv)); 721 ctlv->head.type = IPFW_TLV_COUNTERS; 722 ctlv->head.length = sz - sizeof(ipfw_obj_header); 723 ctlv->count = sizeof(stats) / sizeof(uint64_t); 724 ctlv->objsize = sizeof(uint64_t); 725 ctlv->version = 1; 726 memcpy(ctlv + 1, &stats, sizeof(stats)); 727 return (0); 728 } 729 730 /* 731 * Reset NPTv6 statistics. 732 * Data layout (v0)(current): 733 * Request: [ ipfw_obj_header ] 734 * 735 * Returns 0 on success 736 */ 737 static int 738 nptv6_reset_stats(struct ip_fw_chain *ch, ip_fw3_opheader *op, 739 struct sockopt_data *sd) 740 { 741 struct nptv6_cfg *cfg; 742 ipfw_obj_header *oh; 743 744 if (sd->valsize != sizeof(*oh)) 745 return (EINVAL); 746 oh = (ipfw_obj_header *)sd->kbuf; 747 if (ipfw_check_object_name_generic(oh->ntlv.name) != 0 || 748 oh->ntlv.set >= IPFW_MAX_SETS) 749 return (EINVAL); 750 751 IPFW_UH_WLOCK(ch); 752 cfg = nptv6_find(CHAIN_TO_SRV(ch), oh->ntlv.name, oh->ntlv.set); 753 if (cfg == NULL) { 754 IPFW_UH_WUNLOCK(ch); 755 return (ESRCH); 756 } 757 COUNTER_ARRAY_ZERO(cfg->stats, NPTV6STATS); 758 IPFW_UH_WUNLOCK(ch); 759 return (0); 760 } 761 762 static struct ipfw_sopt_handler scodes[] = { 763 { IP_FW_NPTV6_CREATE, 0, HDIR_SET, nptv6_create }, 764 { IP_FW_NPTV6_DESTROY,0, HDIR_SET, nptv6_destroy }, 765 { IP_FW_NPTV6_CONFIG, 0, HDIR_BOTH, nptv6_config }, 766 { IP_FW_NPTV6_LIST, 0, HDIR_GET, nptv6_list }, 767 { IP_FW_NPTV6_STATS, 0, HDIR_GET, nptv6_stats }, 768 { IP_FW_NPTV6_RESET_STATS,0, HDIR_SET, nptv6_reset_stats }, 769 }; 770 771 static int 772 nptv6_classify(ipfw_insn *cmd, uint16_t *puidx, uint8_t *ptype) 773 { 774 ipfw_insn *icmd; 775 776 icmd = cmd - 1; 777 NPTV6_DEBUG("opcode %d, arg1 %d, opcode0 %d, arg1 %d", 778 cmd->opcode, cmd->arg1, icmd->opcode, icmd->arg1); 779 if (icmd->opcode != O_EXTERNAL_ACTION || 780 icmd->arg1 != V_nptv6_eid) 781 return (1); 782 783 *puidx = cmd->arg1; 784 *ptype = 0; 785 return (0); 786 } 787 788 static void 789 nptv6_update_arg1(ipfw_insn *cmd, uint16_t idx) 790 { 791 792 cmd->arg1 = idx; 793 NPTV6_DEBUG("opcode %d, arg1 -> %d", cmd->opcode, cmd->arg1); 794 } 795 796 static int 797 nptv6_findbyname(struct ip_fw_chain *ch, struct tid_info *ti, 798 struct named_object **pno) 799 { 800 int err; 801 802 err = ipfw_objhash_find_type(CHAIN_TO_SRV(ch), ti, 803 IPFW_TLV_NPTV6_NAME, pno); 804 NPTV6_DEBUG("uidx %u, type %u, err %d", ti->uidx, ti->type, err); 805 return (err); 806 } 807 808 static struct named_object * 809 nptv6_findbykidx(struct ip_fw_chain *ch, uint16_t idx) 810 { 811 struct namedobj_instance *ni; 812 struct named_object *no; 813 814 IPFW_UH_WLOCK_ASSERT(ch); 815 ni = CHAIN_TO_SRV(ch); 816 no = ipfw_objhash_lookup_kidx(ni, idx); 817 KASSERT(no != NULL, ("NPT with index %d not found", idx)); 818 819 NPTV6_DEBUG("kidx %u -> %s", idx, no->name); 820 return (no); 821 } 822 823 static int 824 nptv6_manage_sets(struct ip_fw_chain *ch, uint16_t set, uint8_t new_set, 825 enum ipfw_sets_cmd cmd) 826 { 827 828 return (ipfw_obj_manage_sets(CHAIN_TO_SRV(ch), IPFW_TLV_NPTV6_NAME, 829 set, new_set, cmd)); 830 } 831 832 static struct opcode_obj_rewrite opcodes[] = { 833 { 834 .opcode = O_EXTERNAL_INSTANCE, 835 .etlv = IPFW_TLV_EACTION /* just show it isn't table */, 836 .classifier = nptv6_classify, 837 .update = nptv6_update_arg1, 838 .find_byname = nptv6_findbyname, 839 .find_bykidx = nptv6_findbykidx, 840 .manage_sets = nptv6_manage_sets, 841 }, 842 }; 843 844 static int 845 destroy_config_cb(struct namedobj_instance *ni, struct named_object *no, 846 void *arg) 847 { 848 struct nptv6_cfg *cfg; 849 struct ip_fw_chain *ch; 850 851 ch = (struct ip_fw_chain *)arg; 852 IPFW_UH_WLOCK_ASSERT(ch); 853 854 cfg = (struct nptv6_cfg *)SRV_OBJECT(ch, no->kidx); 855 SRV_OBJECT(ch, no->kidx) = NULL; 856 ipfw_objhash_del(ni, &cfg->no); 857 ipfw_objhash_free_idx(ni, cfg->no.kidx); 858 nptv6_free_config(cfg); 859 return (0); 860 } 861 862 int 863 nptv6_init(struct ip_fw_chain *ch, int first) 864 { 865 866 V_nptv6_eid = ipfw_add_eaction(ch, ipfw_nptv6, "nptv6"); 867 if (V_nptv6_eid == 0) 868 return (ENXIO); 869 IPFW_ADD_SOPT_HANDLER(first, scodes); 870 IPFW_ADD_OBJ_REWRITER(first, opcodes); 871 return (0); 872 } 873 874 void 875 nptv6_uninit(struct ip_fw_chain *ch, int last) 876 { 877 878 IPFW_DEL_OBJ_REWRITER(last, opcodes); 879 IPFW_DEL_SOPT_HANDLER(last, scodes); 880 ipfw_del_eaction(ch, V_nptv6_eid); 881 /* 882 * Since we already have deregistered external action, 883 * our named objects become unaccessible via rules, because 884 * all rules were truncated by ipfw_del_eaction(). 885 * So, we can unlink and destroy our named objects without holding 886 * IPFW_WLOCK(). 887 */ 888 IPFW_UH_WLOCK(ch); 889 ipfw_objhash_foreach_type(CHAIN_TO_SRV(ch), destroy_config_cb, ch, 890 IPFW_TLV_NPTV6_NAME); 891 V_nptv6_eid = 0; 892 IPFW_UH_WUNLOCK(ch); 893 } 894 895