![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to ip_fw.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Apple XNU] / XNU / bsd / netinet|
Return to ip_fw.c CVS log | Up to [Apple XNU] / XNU / bsd / netinet |
1.1 ! root 1: /* ! 2: * Copyright (c) 2000 Apple Computer, Inc. All rights reserved. ! 3: * ! 4: * @APPLE_LICENSE_HEADER_START@ ! 5: * ! 6: * The contents of this file constitute Original Code as defined in and ! 7: * are subject to the Apple Public Source License Version 1.1 (the ! 8: * "License"). You may not use this file except in compliance with the ! 9: * License. Please obtain a copy of the License at ! 10: * http://www.apple.com/publicsource and read it before using this file. ! 11: * ! 12: * This Original Code and all software distributed under the License are ! 13: * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER ! 14: * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, ! 15: * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, ! 16: * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the ! 17: * License for the specific language governing rights and limitations ! 18: * under the License. ! 19: * ! 20: * @APPLE_LICENSE_HEADER_END@ ! 21: */ ! 22: /* ! 23: * Copyright (c) 1993 Daniel Boulet ! 24: * Copyright (c) 1994 Ugen J.S.Antsilevich ! 25: * Copyright (c) 1996 Alex Nash ! 26: * ! 27: * Redistribution and use in source forms, with and without modification, ! 28: * are permitted provided that this entire comment appears intact. ! 29: * ! 30: * Redistribution in binary form may occur without any restrictions. ! 31: * Obviously, it would be nice if you gave credit where credit is due ! 32: * but requiring it would be too onerous. ! 33: * ! 34: * This software is provided ``AS IS'' without any warranties of any kind. ! 35: * ! 36: */ ! 37: ! 38: /* ! 39: * Implement IP packet firewall ! 40: */ ! 41: #if ISFB31 ! 42: #if !defined(KLD_MODULE) && !defined(IPFIREWALL_MODULE) ! 43: #include "opt_ipfw.h" ! 44: #include "opt_ipdn.h" ! 45: #include "opt_ipdivert.h" ! 46: #include "opt_inet.h" ! 47: #endif ! 48: #endif ! 49: #ifndef INET ! 50: #error IPFIREWALL requires INET. ! 51: #endif /* INET */ ! 52: ! 53: #include <sys/param.h> ! 54: #include <sys/systm.h> ! 55: #include <sys/malloc.h> ! 56: #include <sys/mbuf.h> ! 57: #include <sys/kernel.h> ! 58: #include <sys/socket.h> ! 59: #include <sys/socketvar.h> ! 60: #include <sys/sysctl.h> ! 61: #include <net/if.h> ! 62: #include <netinet/in.h> ! 63: #include <netinet/in_systm.h> ! 64: #include <netinet/ip.h> ! 65: #include <netinet/ip_var.h> ! 66: #include <netinet/ip_icmp.h> ! 67: #include <netinet/ip_fw.h> ! 68: #if DUMMYNET ! 69: #include <net/route.h> ! 70: #include <netinet/ip_dummynet.h> ! 71: #endif ! 72: #include <netinet/tcp.h> ! 73: #include <netinet/tcp_timer.h> ! 74: #include <netinet/tcp_var.h> ! 75: #include <netinet/tcpip.h> ! 76: #include <netinet/udp.h> ! 77: ! 78: #include <netinet/if_ether.h> /* XXX ethertype_ip */ ! 79: ! 80: static int fw_debug = 1; ! 81: #if IPFIREWALL_VERBOSE ! 82: static int fw_verbose = 1; ! 83: #else ! 84: static int fw_verbose = 0; ! 85: #endif ! 86: static int fw_one_pass = 0; /* XXX */ ! 87: #if IPFIREWALL_VERBOSE_LIMIT ! 88: static int fw_verbose_limit = IPFIREWALL_VERBOSE_LIMIT; ! 89: #else ! 90: static int fw_verbose_limit = 0; ! 91: #endif ! 92: ! 93: #define IPFW_DEFAULT_RULE ((u_int)(u_short)~0) ! 94: ! 95: LIST_HEAD (ip_fw_head, ip_fw_chain) ip_fw_chain; ! 96: ! 97: MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); ! 98: ! 99: SYSCTL_DECL(_net_inet_ip); ! 100: SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); ! 101: SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, &fw_debug, 0, ""); ! 102: SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, &fw_one_pass, 0, ""); ! 103: SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW, &fw_verbose, 0, ""); ! 104: SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw_verbose_limit, 0, ""); ! 105: ! 106: #define dprintf(a) if (!fw_debug); else kprintf a ! 107: ! 108: #define print_ip(a) kprintf("%d.%d.%d.%d", \ ! 109: (int)(ntohl(a.s_addr) >> 24) & 0xFF, \ ! 110: (int)(ntohl(a.s_addr) >> 16) & 0xFF, \ ! 111: (int)(ntohl(a.s_addr) >> 8) & 0xFF, \ ! 112: (int)(ntohl(a.s_addr)) & 0xFF); ! 113: ! 114: #define dprint_ip(a) if (!fw_debug); else print_ip(a) ! 115: ! 116: static int add_entry __P((struct ip_fw_head *chainptr, struct ip_fw *frwl)); ! 117: static int del_entry __P((struct ip_fw_head *chainptr, u_short number)); ! 118: static int zero_entry __P((struct ip_fw *)); ! 119: static int check_ipfw_struct __P((struct ip_fw *m)); ! 120: static __inline int ! 121: iface_match __P((struct ifnet *ifp, union ip_fw_if *ifu, ! 122: int byname)); ! 123: static int ipopts_match __P((struct ip *ip, struct ip_fw *f)); ! 124: static __inline int ! 125: port_match __P((u_short *portptr, int nports, u_short port, ! 126: int range_flag)); ! 127: static int tcpflg_match __P((struct tcphdr *tcp, struct ip_fw *f)); ! 128: static int icmptype_match __P((struct icmp * icmp, struct ip_fw * f)); ! 129: static void ipfw_report __P((struct ip_fw *f, struct ip *ip, ! 130: struct ifnet *rif, struct ifnet *oif)); ! 131: ! 132: static void flush_rule_ptrs(void); ! 133: ! 134: static int ip_fw_chk __P((struct ip **pip, int hlen, ! 135: struct ifnet *oif, u_int16_t *cookie, struct mbuf **m, ! 136: struct ip_fw_chain **flow_id, ! 137: struct sockaddr_in **next_hop)); ! 138: static int ip_fw_ctl __P((struct sockopt *sopt)); ! 139: ! 140: static char err_prefix[] = "ip_fw_ctl:"; ! 141: ! 142: /* ! 143: * Returns 1 if the port is matched by the vector, 0 otherwise ! 144: */ ! 145: static __inline int ! 146: port_match(u_short *portptr, int nports, u_short port, int range_flag) ! 147: { ! 148: if (!nports) ! 149: return 1; ! 150: if (range_flag) { ! 151: if (portptr[0] <= port && port <= portptr[1]) { ! 152: return 1; ! 153: } ! 154: nports -= 2; ! 155: portptr += 2; ! 156: } ! 157: while (nports-- > 0) { ! 158: if (*portptr++ == port) { ! 159: return 1; ! 160: } ! 161: } ! 162: return 0; ! 163: } ! 164: ! 165: static int ! 166: tcpflg_match(struct tcphdr *tcp, struct ip_fw *f) ! 167: { ! 168: u_char flg_set, flg_clr; ! 169: ! 170: if ((f->fw_tcpf & IP_FW_TCPF_ESTAB) && ! 171: (tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK))) ! 172: return 1; ! 173: ! 174: flg_set = tcp->th_flags & f->fw_tcpf; ! 175: flg_clr = tcp->th_flags & f->fw_tcpnf; ! 176: ! 177: if (flg_set != f->fw_tcpf) ! 178: return 0; ! 179: if (flg_clr) ! 180: return 0; ! 181: ! 182: return 1; ! 183: } ! 184: ! 185: static int ! 186: icmptype_match(struct icmp *icmp, struct ip_fw *f) ! 187: { ! 188: int type; ! 189: ! 190: if (!(f->fw_flg & IP_FW_F_ICMPBIT)) ! 191: return(1); ! 192: ! 193: type = icmp->icmp_type; ! 194: ! 195: /* check for matching type in the bitmap */ ! 196: if (type < IP_FW_ICMPTYPES_MAX && ! 197: (f->fw_uar.fw_icmptypes[type / (sizeof(unsigned) * 8)] & ! 198: (1U << (type % (8 * sizeof(unsigned)))))) ! 199: return(1); ! 200: ! 201: return(0); /* no match */ ! 202: } ! 203: ! 204: static int ! 205: is_icmp_query(struct ip *ip) ! 206: { ! 207: const struct icmp *icmp; ! 208: int icmp_type; ! 209: ! 210: icmp = (struct icmp *)((u_int32_t *)ip + ip->ip_hl); ! 211: icmp_type = icmp->icmp_type; ! 212: ! 213: if (icmp_type == ICMP_ECHO || icmp_type == ICMP_ROUTERSOLICIT || ! 214: icmp_type == ICMP_TSTAMP || icmp_type == ICMP_IREQ || ! 215: icmp_type == ICMP_MASKREQ) ! 216: return(1); ! 217: ! 218: return(0); ! 219: } ! 220: ! 221: static int ! 222: ipopts_match(struct ip *ip, struct ip_fw *f) ! 223: { ! 224: register u_char *cp; ! 225: int opt, optlen, cnt; ! 226: u_char opts, nopts, nopts_sve; ! 227: ! 228: cp = (u_char *)(ip + 1); ! 229: cnt = (ip->ip_hl << 2) - sizeof (struct ip); ! 230: opts = f->fw_ipopt; ! 231: nopts = nopts_sve = f->fw_ipnopt; ! 232: ! 233: for (; cnt > 0; cnt -= optlen, cp += optlen) { ! 234: opt = cp[IPOPT_OPTVAL]; ! 235: if (opt == IPOPT_EOL) ! 236: break; ! 237: if (opt == IPOPT_NOP) ! 238: optlen = 1; ! 239: else { ! 240: optlen = cp[IPOPT_OLEN]; ! 241: if (optlen <= 0 || optlen > cnt) { ! 242: return 0; /*XXX*/ ! 243: } ! 244: } ! 245: switch (opt) { ! 246: ! 247: default: ! 248: break; ! 249: ! 250: case IPOPT_LSRR: ! 251: opts &= ~IP_FW_IPOPT_LSRR; ! 252: nopts &= ~IP_FW_IPOPT_LSRR; ! 253: break; ! 254: ! 255: case IPOPT_SSRR: ! 256: opts &= ~IP_FW_IPOPT_SSRR; ! 257: nopts &= ~IP_FW_IPOPT_SSRR; ! 258: break; ! 259: ! 260: case IPOPT_RR: ! 261: opts &= ~IP_FW_IPOPT_RR; ! 262: nopts &= ~IP_FW_IPOPT_RR; ! 263: break; ! 264: case IPOPT_TS: ! 265: opts &= ~IP_FW_IPOPT_TS; ! 266: nopts &= ~IP_FW_IPOPT_TS; ! 267: break; ! 268: } ! 269: if (opts == nopts) ! 270: break; ! 271: } ! 272: if (opts == 0 && nopts == nopts_sve) ! 273: return 1; ! 274: else ! 275: return 0; ! 276: } ! 277: ! 278: static __inline int ! 279: iface_match(struct ifnet *ifp, union ip_fw_if *ifu, int byname) ! 280: { ! 281: /* Check by name or by IP address */ ! 282: if (byname) { ! 283: /* Check unit number (-1 is wildcard) */ ! 284: if (ifu->fu_via_if.unit != -1 ! 285: && ifp->if_unit != ifu->fu_via_if.unit) ! 286: return(0); ! 287: /* Check name */ ! 288: if (strncmp(ifp->if_name, ifu->fu_via_if.name, FW_IFNLEN)) ! 289: return(0); ! 290: return(1); ! 291: } else if (ifu->fu_via_ip.s_addr != 0) { /* Zero == wildcard */ ! 292: struct ifaddr *ia; ! 293: ! 294: for (ia = ifp->if_addrhead.tqh_first; ! 295: ia != NULL; ia = ia->ifa_link.tqe_next) { ! 296: if (ia->ifa_addr == NULL) ! 297: continue; ! 298: if (ia->ifa_addr->sa_family != AF_INET) ! 299: continue; ! 300: if (ifu->fu_via_ip.s_addr != ((struct sockaddr_in *) ! 301: (ia->ifa_addr))->sin_addr.s_addr) ! 302: continue; ! 303: return(1); ! 304: } ! 305: return(0); ! 306: } ! 307: return(1); ! 308: } ! 309: ! 310: static void ! 311: ipfw_report(struct ip_fw *f, struct ip *ip, ! 312: struct ifnet *rif, struct ifnet *oif) ! 313: { ! 314: if (ip) { ! 315: static u_int64_t counter; ! 316: struct tcphdr *const tcp = (struct tcphdr *) ((u_int32_t *) ip+ ip->ip_hl); ! 317: struct udphdr *const udp = (struct udphdr *) ((u_int32_t *) ip+ ip->ip_hl); ! 318: struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl); ! 319: int count; ! 320: ! 321: count = f ? f->fw_pcnt : ++counter; ! 322: if (fw_verbose_limit != 0 && count > fw_verbose_limit) ! 323: return; ! 324: ! 325: /* Print command name */ ! 326: kprintf("ipfw: %d ", f ? f->fw_number : -1); ! 327: if (!f) ! 328: kprintf("Refuse"); ! 329: else ! 330: switch (f->fw_flg & IP_FW_F_COMMAND) { ! 331: case IP_FW_F_DENY: ! 332: kprintf("Deny"); ! 333: break; ! 334: case IP_FW_F_REJECT: ! 335: if (f->fw_reject_code == IP_FW_REJECT_RST) ! 336: kprintf("Reset"); ! 337: else ! 338: kprintf("Unreach"); ! 339: break; ! 340: case IP_FW_F_ACCEPT: ! 341: kprintf("Accept"); ! 342: break; ! 343: case IP_FW_F_COUNT: ! 344: kprintf("Count"); ! 345: break; ! 346: case IP_FW_F_DIVERT: ! 347: kprintf("Divert %d", f->fw_divert_port); ! 348: break; ! 349: case IP_FW_F_TEE: ! 350: kprintf("Tee %d", f->fw_divert_port); ! 351: break; ! 352: case IP_FW_F_SKIPTO: ! 353: kprintf("SkipTo %d", f->fw_skipto_rule); ! 354: break; ! 355: #if DUMMYNET ! 356: case IP_FW_F_PIPE: ! 357: kprintf("Pipe %d", f->fw_skipto_rule); ! 358: break; ! 359: #endif ! 360: #if IPFIREWALL_FORWARD ! 361: case IP_FW_F_FWD: ! 362: kprintf("Forward to "); ! 363: print_ip(f->fw_fwd_ip.sin_addr); ! 364: if (f->fw_fwd_ip.sin_port) ! 365: kprintf(":%d", f->fw_fwd_ip.sin_port); ! 366: break; ! 367: #endif ! 368: default: ! 369: kprintf("UNKNOWN"); ! 370: break; ! 371: } ! 372: kprintf(" "); ! 373: ! 374: switch (ip->ip_p) { ! 375: case IPPROTO_TCP: ! 376: kprintf("TCP "); ! 377: print_ip(ip->ip_src); ! 378: if ((ip->ip_off & IP_OFFMASK) == 0) ! 379: kprintf(":%d ", ntohs(tcp->th_sport)); ! 380: else ! 381: kprintf(" "); ! 382: print_ip(ip->ip_dst); ! 383: if ((ip->ip_off & IP_OFFMASK) == 0) ! 384: kprintf(":%d", ntohs(tcp->th_dport)); ! 385: break; ! 386: case IPPROTO_UDP: ! 387: kprintf("UDP "); ! 388: print_ip(ip->ip_src); ! 389: if ((ip->ip_off & IP_OFFMASK) == 0) ! 390: kprintf(":%d ", ntohs(udp->uh_sport)); ! 391: else ! 392: kprintf(" "); ! 393: print_ip(ip->ip_dst); ! 394: if ((ip->ip_off & IP_OFFMASK) == 0) ! 395: kprintf(":%d", ntohs(udp->uh_dport)); ! 396: break; ! 397: case IPPROTO_ICMP: ! 398: if ((ip->ip_off & IP_OFFMASK) == 0) ! 399: kprintf("ICMP:%u.%u ", icmp->icmp_type, icmp->icmp_code); ! 400: else ! 401: kprintf("ICMP "); ! 402: print_ip(ip->ip_src); ! 403: kprintf(" "); ! 404: print_ip(ip->ip_dst); ! 405: break; ! 406: default: ! 407: kprintf("P:%d ", ip->ip_p); ! 408: print_ip(ip->ip_src); ! 409: kprintf(" "); ! 410: print_ip(ip->ip_dst); ! 411: break; ! 412: } ! 413: if (oif) ! 414: kprintf(" out via %s%d", oif->if_name, oif->if_unit); ! 415: else if (rif) ! 416: kprintf(" in via %s%d", rif->if_name, rif->if_unit); ! 417: if ((ip->ip_off & IP_OFFMASK)) ! 418: kprintf(" Fragment = %d",ip->ip_off & IP_OFFMASK); ! 419: kprintf("\n"); ! 420: if (fw_verbose_limit != 0 && count == fw_verbose_limit) ! 421: kprintf("ipfw: limit reached on rule #%d\n", ! 422: f ? f->fw_number : -1); ! 423: } ! 424: } ! 425: ! 426: /* ! 427: * given an ip_fw_chain *, lookup_next_rule will return a pointer ! 428: * of the same type to the next one. This can be either the jump ! 429: * target (for skipto instructions) or the next one in the chain (in ! 430: * all other cases including a missing jump target). ! 431: * Backward jumps are not allowed, so start looking from the next ! 432: * rule... ! 433: */ ! 434: static struct ip_fw_chain * lookup_next_rule(struct ip_fw_chain *me); ! 435: ! 436: static struct ip_fw_chain * ! 437: lookup_next_rule(struct ip_fw_chain *me) ! 438: { ! 439: struct ip_fw_chain *chain ; ! 440: int rule = me->rule->fw_skipto_rule ; /* guess... */ ! 441: ! 442: if ( (me->rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_SKIPTO ) ! 443: for (chain = me->chain.le_next; chain ; chain = chain->chain.le_next ) ! 444: if (chain->rule->fw_number >= rule) ! 445: return chain ; ! 446: return me->chain.le_next ; /* failure or not a skipto */ ! 447: } ! 448: ! 449: /* ! 450: * Parameters: ! 451: * ! 452: * pip Pointer to packet header (struct ip **) ! 453: * bridge_ipfw extension: pip = NULL means a complete ethernet packet ! 454: * including ethernet header in the mbuf. Other fields ! 455: * are ignored/invalid. ! 456: * ! 457: * hlen Packet header length ! 458: * oif Outgoing interface, or NULL if packet is incoming ! 459: * *cookie Skip up to the first rule past this rule number; ! 460: * *m The packet; we set to NULL when/if we nuke it. ! 461: * *flow_id pointer to the last matching rule (in/out) ! 462: * *next_hop socket we are forwarding to (in/out). ! 463: * ! 464: * Return value: ! 465: * ! 466: * 0 The packet is to be accepted and routed normally OR ! 467: * the packet was denied/rejected and has been dropped; ! 468: * in the latter case, *m is equal to NULL upon return. ! 469: * port Divert the packet to port. ! 470: */ ! 471: ! 472: static int ! 473: ip_fw_chk(struct ip **pip, int hlen, ! 474: struct ifnet *oif, u_int16_t *cookie, struct mbuf **m, ! 475: struct ip_fw_chain **flow_id, ! 476: struct sockaddr_in **next_hop) ! 477: { ! 478: struct ip_fw_chain *chain; ! 479: struct ip_fw *rule = NULL; ! 480: struct ip *ip = NULL ; ! 481: struct ifnet *const rif = (*m)->m_pkthdr.rcvif; ! 482: u_short offset = 0 ; ! 483: u_short src_port, dst_port; ! 484: u_int16_t skipto = *cookie; ! 485: ! 486: if (pip) { /* normal ip packet */ ! 487: ip = *pip; ! 488: offset = (ip->ip_off & IP_OFFMASK); ! 489: } else { /* bridged or non-ip packet */ ! 490: struct ether_header *eh = mtod(*m, struct ether_header *); ! 491: switch (ntohs(eh->ether_type)) { ! 492: case ETHERTYPE_IP : ! 493: if ((*m)->m_len<sizeof(struct ether_header) + sizeof(struct ip)) ! 494: goto non_ip ; ! 495: ip = (struct ip *)(eh + 1 ); ! 496: if (ip->ip_v != IPVERSION) ! 497: goto non_ip ; ! 498: hlen = ip->ip_hl << 2; ! 499: if (hlen < sizeof(struct ip)) /* minimum header length */ ! 500: goto non_ip ; ! 501: if ((*m)->m_len < 14 + hlen + 14) { ! 502: kprintf("-- m_len %d, need more...\n", (*m)->m_len); ! 503: goto non_ip ; ! 504: } ! 505: offset = (ip->ip_off & IP_OFFMASK); ! 506: break ; ! 507: default : ! 508: non_ip: ip = NULL ; ! 509: break ; ! 510: } ! 511: } ! 512: ! 513: if (*flow_id) { ! 514: if (fw_one_pass) ! 515: return 0 ; /* accept if passed first test */ ! 516: /* ! 517: * pkt has already been tagged. Look for the next rule ! 518: * to restart processing ! 519: */ ! 520: chain = LIST_NEXT( *flow_id, chain); ! 521: ! 522: if ( (chain = (*flow_id)->rule->next_rule_ptr) == NULL ) ! 523: chain = (*flow_id)->rule->next_rule_ptr = ! 524: lookup_next_rule(*flow_id) ; ! 525: if (! chain) goto dropit; ! 526: } else { ! 527: /* ! 528: * Go down the chain, looking for enlightment ! 529: * If we've been asked to start at a given rule immediatly, do so. ! 530: */ ! 531: chain = LIST_FIRST(&ip_fw_chain); ! 532: if ( skipto ) { ! 533: if (skipto >= IPFW_DEFAULT_RULE) ! 534: goto dropit; ! 535: while (chain && (chain->rule->fw_number <= skipto)) { ! 536: chain = LIST_NEXT(chain, chain); ! 537: } ! 538: if (! chain) goto dropit; ! 539: } ! 540: } ! 541: *cookie = 0; ! 542: for (; chain; chain = LIST_NEXT(chain, chain)) { ! 543: register struct ip_fw * f ; ! 544: again: ! 545: f = chain->rule; ! 546: ! 547: if (oif) { ! 548: /* Check direction outbound */ ! 549: if (!(f->fw_flg & IP_FW_F_OUT)) ! 550: continue; ! 551: } else { ! 552: /* Check direction inbound */ ! 553: if (!(f->fw_flg & IP_FW_F_IN)) ! 554: continue; ! 555: } ! 556: if (ip == NULL ) { ! 557: /* ! 558: * do relevant checks for non-ip packets: ! 559: * after this, only goto got_match or continue ! 560: */ ! 561: struct ether_header *eh = mtod(*m, struct ether_header *); ! 562: ! 563: /* ! 564: * make default rule always match or we have a panic ! 565: */ ! 566: if (f->fw_number == IPFW_DEFAULT_RULE) ! 567: goto got_match ; ! 568: /* ! 569: * temporary hack: ! 570: * udp from 0.0.0.0 means this rule applies. ! 571: * 1 src port is match ether type ! 572: * 2 src ports (interval) is match ether type ! 573: * 3 src ports is match ether address ! 574: */ ! 575: if ( f->fw_src.s_addr != 0 || f->fw_prot != IPPROTO_UDP ! 576: || f->fw_smsk.s_addr != 0xffffffff ) ! 577: continue; ! 578: switch (IP_FW_GETNSRCP(f)) { ! 579: case 1: /* match one type */ ! 580: if ( /* ( (f->fw_flg & IP_FW_F_INVSRC) != 0) ^ */ ! 581: ( f->fw_uar.fw_pts[0] == ntohs(eh->ether_type) ) ) { ! 582: goto got_match ; ! 583: } ! 584: break ; ! 585: default: ! 586: break ; ! 587: } ! 588: continue ; ! 589: } ! 590: ! 591: /* Fragments */ ! 592: if ((f->fw_flg & IP_FW_F_FRAG) && offset == 0 ) ! 593: continue; ! 594: ! 595: /* If src-addr doesn't match, not this rule. */ ! 596: if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((ip->ip_src.s_addr ! 597: & f->fw_smsk.s_addr) != f->fw_src.s_addr)) ! 598: continue; ! 599: ! 600: /* If dest-addr doesn't match, not this rule. */ ! 601: if (((f->fw_flg & IP_FW_F_INVDST) != 0) ^ ((ip->ip_dst.s_addr ! 602: & f->fw_dmsk.s_addr) != f->fw_dst.s_addr)) ! 603: continue; ! 604: ! 605: /* Interface check */ ! 606: if ((f->fw_flg & IF_FW_F_VIAHACK) == IF_FW_F_VIAHACK) { ! 607: struct ifnet *const iface = oif ? oif : rif; ! 608: ! 609: /* Backwards compatibility hack for "via" */ ! 610: if (!iface || !iface_match(iface, ! 611: &f->fw_in_if, f->fw_flg & IP_FW_F_OIFNAME)) ! 612: continue; ! 613: } else { ! 614: /* Check receive interface */ ! 615: if ((f->fw_flg & IP_FW_F_IIFACE) ! 616: && (!rif || !iface_match(rif, ! 617: &f->fw_in_if, f->fw_flg & IP_FW_F_IIFNAME))) ! 618: continue; ! 619: /* Check outgoing interface */ ! 620: if ((f->fw_flg & IP_FW_F_OIFACE) ! 621: && (!oif || !iface_match(oif, ! 622: &f->fw_out_if, f->fw_flg & IP_FW_F_OIFNAME))) ! 623: continue; ! 624: } ! 625: ! 626: /* Check IP options */ ! 627: if (f->fw_ipopt != f->fw_ipnopt && !ipopts_match(ip, f)) ! 628: continue; ! 629: ! 630: /* Check protocol; if wildcard, match */ ! 631: if (f->fw_prot == IPPROTO_IP) ! 632: goto got_match; ! 633: ! 634: /* If different, don't match */ ! 635: if (ip->ip_p != f->fw_prot) ! 636: continue; ! 637: ! 638: /* ! 639: * here, pip==NULL for bridged pkts -- they include the ethernet ! 640: * header so i have to adjust lengths accordingly ! 641: */ ! 642: #define PULLUP_TO(l) do { \ ! 643: int len = (pip ? l : l + 14 ) ; \ ! 644: if ((*m)->m_len < (len) ) { \ ! 645: if ( (*m = m_pullup(*m, (len))) == 0) \ ! 646: goto bogusfrag; \ ! 647: ip = mtod(*m, struct ip *); \ ! 648: if (pip) \ ! 649: *pip = ip ; \ ! 650: else \ ! 651: ip = (struct ip *)((int)ip + 14); \ ! 652: offset = (ip->ip_off & IP_OFFMASK); \ ! 653: } \ ! 654: } while (0) ! 655: ! 656: /* Protocol specific checks */ ! 657: switch (ip->ip_p) { ! 658: case IPPROTO_TCP: ! 659: { ! 660: struct tcphdr *tcp; ! 661: ! 662: if (offset == 1) /* cf. RFC 1858 */ ! 663: goto bogusfrag; ! 664: if (offset != 0) { ! 665: /* ! 666: * TCP flags and ports aren't available in this ! 667: * packet -- if this rule specified either one, ! 668: * we consider the rule a non-match. ! 669: */ ! 670: if (f->fw_nports != 0 || ! 671: f->fw_tcpf != f->fw_tcpnf) ! 672: continue; ! 673: ! 674: break; ! 675: } ! 676: PULLUP_TO(hlen + 14); ! 677: tcp = (struct tcphdr *) ((u_int32_t *)ip + ip->ip_hl); ! 678: if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f)) ! 679: continue; ! 680: src_port = ntohs(tcp->th_sport); ! 681: dst_port = ntohs(tcp->th_dport); ! 682: goto check_ports; ! 683: } ! 684: ! 685: case IPPROTO_UDP: ! 686: { ! 687: struct udphdr *udp; ! 688: ! 689: if (offset != 0) { ! 690: /* ! 691: * Port specification is unavailable -- if this ! 692: * rule specifies a port, we consider the rule ! 693: * a non-match. ! 694: */ ! 695: if (f->fw_nports != 0) ! 696: continue; ! 697: ! 698: break; ! 699: } ! 700: PULLUP_TO(hlen + 4); ! 701: udp = (struct udphdr *) ((u_int32_t *)ip + ip->ip_hl); ! 702: src_port = ntohs(udp->uh_sport); ! 703: dst_port = ntohs(udp->uh_dport); ! 704: check_ports: ! 705: if (!port_match(&f->fw_uar.fw_pts[0], ! 706: IP_FW_GETNSRCP(f), src_port, ! 707: f->fw_flg & IP_FW_F_SRNG)) ! 708: continue; ! 709: if (!port_match(&f->fw_uar.fw_pts[IP_FW_GETNSRCP(f)], ! 710: IP_FW_GETNDSTP(f), dst_port, ! 711: f->fw_flg & IP_FW_F_DRNG)) ! 712: continue; ! 713: break; ! 714: } ! 715: ! 716: case IPPROTO_ICMP: ! 717: { ! 718: struct icmp *icmp; ! 719: ! 720: if (offset != 0) /* Type isn't valid */ ! 721: break; ! 722: PULLUP_TO(hlen + 2); ! 723: icmp = (struct icmp *) ((u_int32_t *)ip + ip->ip_hl); ! 724: if (!icmptype_match(icmp, f)) ! 725: continue; ! 726: break; ! 727: } ! 728: #undef PULLUP_TO ! 729: ! 730: bogusfrag: ! 731: if (fw_verbose) ! 732: ipfw_report(NULL, ip, rif, oif); ! 733: goto dropit; ! 734: } ! 735: ! 736: got_match: ! 737: *flow_id = chain ; /* XXX set flow id */ ! 738: /* Update statistics */ ! 739: f->fw_pcnt += 1; ! 740: if (ip) { ! 741: f->fw_bcnt += ip->ip_len; ! 742: } ! 743: f->timestamp = time_second; ! 744: ! 745: /* Log to console if desired */ ! 746: if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose) ! 747: ipfw_report(f, ip, rif, oif); ! 748: ! 749: /* Take appropriate action */ ! 750: switch (f->fw_flg & IP_FW_F_COMMAND) { ! 751: case IP_FW_F_ACCEPT: ! 752: return(0); ! 753: case IP_FW_F_COUNT: ! 754: continue; ! 755: #if IPDIVERT ! 756: case IP_FW_F_DIVERT: ! 757: *cookie = f->fw_number; ! 758: return(f->fw_divert_port); ! 759: #endif ! 760: case IP_FW_F_TEE: ! 761: /* ! 762: * XXX someday tee packet here, but beware that you ! 763: * can't use m_copym() or m_copypacket() because ! 764: * the divert input routine modifies the mbuf ! 765: * (and these routines only increment reference ! 766: * counts in the case of mbuf clusters), so need ! 767: * to write custom routine. ! 768: */ ! 769: continue; ! 770: case IP_FW_F_SKIPTO: /* XXX check */ ! 771: if ( f->next_rule_ptr ) ! 772: chain = f->next_rule_ptr ; ! 773: else ! 774: chain = lookup_next_rule(chain) ; ! 775: if (! chain) goto dropit; ! 776: goto again ; ! 777: #if DUMMYNET ! 778: case IP_FW_F_PIPE: ! 779: return(f->fw_pipe_nr | 0x10000 ); ! 780: #endif ! 781: #if IPFIREWALL_FORWARD ! 782: case IP_FW_F_FWD: ! 783: /* Change the next-hop address for this packet. ! 784: * Initially we'll only worry about directly ! 785: * reachable next-hop's, but ultimately ! 786: * we will work out for next-hops that aren't ! 787: * direct the route we would take for it. We ! 788: * [cs]ould leave this latter problem to ! 789: * ip_output.c. We hope to high [name the abode of ! 790: * your favourite deity] that ip_output doesn't modify ! 791: * the new value of next_hop (which is dst there) ! 792: */ ! 793: if (next_hop != NULL) /* Make sure, first... */ ! 794: *next_hop = &(f->fw_fwd_ip); ! 795: return(0); /* Allow the packet */ ! 796: #endif ! 797: } ! 798: ! 799: /* Deny/reject this packet using this rule */ ! 800: rule = f; ! 801: break; ! 802: ! 803: } ! 804: ! 805: #if DIAGNOSTIC ! 806: /* Rule IPFW_DEFAULT_RULE should always be there and should always match */ ! 807: if (!chain) ! 808: panic("ip_fw: chain"); ! 809: #endif ! 810: ! 811: /* ! 812: * At this point, we're going to drop the packet. ! 813: * Send a reject notice if all of the following are true: ! 814: * ! 815: * - The packet matched a reject rule ! 816: * - The packet is not an ICMP packet, or is an ICMP query packet ! 817: * - The packet is not a multicast or broadcast packet ! 818: */ ! 819: if ((rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_REJECT ! 820: && ip ! 821: && (ip->ip_p != IPPROTO_ICMP || is_icmp_query(ip)) ! 822: && !((*m)->m_flags & (M_BCAST|M_MCAST)) ! 823: && !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { ! 824: switch (rule->fw_reject_code) { ! 825: case IP_FW_REJECT_RST: ! 826: { ! 827: struct tcphdr *const tcp = ! 828: (struct tcphdr *) ((u_int32_t *)ip + ip->ip_hl); ! 829: struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip; ! 830: ! 831: if (offset != 0 || (tcp->th_flags & TH_RST)) ! 832: break; ! 833: ti.ti_i = *((struct ipovly *) ip); ! 834: ti.ti_t = *tcp; ! 835: bcopy(&ti, ip, sizeof(ti)); ! 836: NTOHL(tip->ti_seq); ! 837: NTOHL(tip->ti_ack); ! 838: tip->ti_len = ip->ip_len - hlen - (tip->ti_off << 2); ! 839: if (tcp->th_flags & TH_ACK) { ! 840: tcp_respond(NULL, tip, *m, ! 841: (tcp_seq)0, ntohl(tcp->th_ack), TH_RST); ! 842: } else { ! 843: if (tcp->th_flags & TH_SYN) ! 844: tip->ti_len++; ! 845: tcp_respond(NULL, tip, *m, tip->ti_seq ! 846: + tip->ti_len, (tcp_seq)0, TH_RST|TH_ACK); ! 847: } ! 848: *m = NULL; ! 849: break; ! 850: } ! 851: default: /* Send an ICMP unreachable using code */ ! 852: icmp_error(*m, ICMP_UNREACH, ! 853: rule->fw_reject_code, 0L, 0); ! 854: *m = NULL; ! 855: break; ! 856: } ! 857: } ! 858: ! 859: dropit: ! 860: /* ! 861: * Finally, drop the packet. ! 862: */ ! 863: /* *cookie = 0; */ /* XXX is this necessary ? */ ! 864: if (*m) { ! 865: m_freem(*m); ! 866: *m = NULL; ! 867: } ! 868: return(0); ! 869: } ! 870: ! 871: /* ! 872: * when a rule is added/deleted, zero the direct pointers within ! 873: * all firewall rules. These will be reconstructed on the fly ! 874: * as packets are matched. ! 875: * Must be called at splnet(). ! 876: */ ! 877: static void ! 878: flush_rule_ptrs() ! 879: { ! 880: struct ip_fw_chain *fcp ; ! 881: ! 882: for (fcp = ip_fw_chain.lh_first; fcp; fcp = fcp->chain.le_next) { ! 883: fcp->rule->next_rule_ptr = NULL ; ! 884: } ! 885: } ! 886: ! 887: static int ! 888: add_entry(struct ip_fw_head *chainptr, struct ip_fw *frwl) ! 889: { ! 890: struct ip_fw *ftmp = 0; ! 891: struct ip_fw_chain *fwc = 0, *fcp, *fcpl = 0; ! 892: u_short nbr = 0; ! 893: int s; ! 894: ! 895: fwc = _MALLOC(sizeof *fwc, M_IPFW, M_DONTWAIT); ! 896: ftmp = _MALLOC(sizeof *ftmp, M_IPFW, M_DONTWAIT); ! 897: if (!fwc || !ftmp) { ! 898: dprintf(("%s MALLOC said no\n", err_prefix)); ! 899: if (fwc) FREE(fwc, M_IPFW); ! 900: if (ftmp) FREE(ftmp, M_IPFW); ! 901: return (ENOSPC); ! 902: } ! 903: ! 904: bcopy(frwl, ftmp, sizeof(struct ip_fw)); ! 905: ftmp->fw_in_if.fu_via_if.name[FW_IFNLEN - 1] = '\0'; ! 906: ftmp->fw_pcnt = 0L; ! 907: ftmp->fw_bcnt = 0L; ! 908: ftmp->next_rule_ptr = NULL ; ! 909: ftmp->pipe_ptr = NULL ; ! 910: fwc->rule = ftmp; ! 911: ! 912: s = splnet(); ! 913: ! 914: if (chainptr->lh_first == 0) { ! 915: LIST_INSERT_HEAD(chainptr, fwc, chain); ! 916: splx(s); ! 917: return(0); ! 918: } ! 919: ! 920: /* If entry number is 0, find highest numbered rule and add 100 */ ! 921: if (ftmp->fw_number == 0) { ! 922: for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) { ! 923: if (fcp->rule->fw_number != (u_short)-1) ! 924: nbr = fcp->rule->fw_number; ! 925: else ! 926: break; ! 927: } ! 928: if (nbr < IPFW_DEFAULT_RULE - 100) ! 929: nbr += 100; ! 930: ftmp->fw_number = nbr; ! 931: } ! 932: ! 933: /* Got a valid number; now insert it, keeping the list ordered */ ! 934: for (fcp = LIST_FIRST(chainptr); fcp; fcp = LIST_NEXT(fcp, chain)) { ! 935: if (fcp->rule->fw_number > ftmp->fw_number) { ! 936: if (fcpl) { ! 937: LIST_INSERT_AFTER(fcpl, fwc, chain); ! 938: } else { ! 939: LIST_INSERT_HEAD(chainptr, fwc, chain); ! 940: } ! 941: break; ! 942: } else { ! 943: fcpl = fcp; ! 944: } ! 945: } ! 946: flush_rule_ptrs(); ! 947: ! 948: splx(s); ! 949: return (0); ! 950: } ! 951: ! 952: static int ! 953: del_entry(struct ip_fw_head *chainptr, u_short number) ! 954: { ! 955: struct ip_fw_chain *fcp; ! 956: ! 957: fcp = LIST_FIRST(chainptr); ! 958: if (number != (u_short)-1) { ! 959: for (; fcp; fcp = LIST_NEXT(fcp, chain)) { ! 960: if (fcp->rule->fw_number == number) { ! 961: int s; ! 962: ! 963: /* prevent access to rules while removing them */ ! 964: s = splnet(); ! 965: while (fcp && fcp->rule->fw_number == number) { ! 966: struct ip_fw_chain *next; ! 967: ! 968: next = LIST_NEXT(fcp, chain); ! 969: LIST_REMOVE(fcp, chain); ! 970: #if DUMMYNET ! 971: dn_rule_delete(fcp) ; ! 972: #endif ! 973: flush_rule_ptrs(); ! 974: FREE(fcp->rule, M_IPFW); ! 975: FREE(fcp, M_IPFW); ! 976: fcp = next; ! 977: } ! 978: splx(s); ! 979: return 0; ! 980: } ! 981: } ! 982: } ! 983: ! 984: return (EINVAL); ! 985: } ! 986: ! 987: static int ! 988: zero_entry(struct ip_fw *frwl) ! 989: { ! 990: struct ip_fw_chain *fcp; ! 991: int s, cleared; ! 992: ! 993: if (frwl == 0) { ! 994: s = splnet(); ! 995: for (fcp = LIST_FIRST(&ip_fw_chain); fcp; fcp = LIST_NEXT(fcp, chain)) { ! 996: fcp->rule->fw_bcnt = fcp->rule->fw_pcnt = 0; ! 997: fcp->rule->timestamp = 0; ! 998: } ! 999: splx(s); ! 1000: } ! 1001: else { ! 1002: cleared = 0; ! 1003: ! 1004: /* ! 1005: * It's possible to insert multiple chain entries with the ! 1006: * same number, so we don't stop after finding the first ! 1007: * match if zeroing a specific entry. ! 1008: */ ! 1009: for (fcp = LIST_FIRST(&ip_fw_chain); fcp; fcp = LIST_NEXT(fcp, chain)) ! 1010: if (frwl->fw_number == fcp->rule->fw_number) { ! 1011: s = splnet(); ! 1012: while (fcp && frwl->fw_number == fcp->rule->fw_number) { ! 1013: fcp->rule->fw_bcnt = fcp->rule->fw_pcnt = 0; ! 1014: fcp->rule->timestamp = 0; ! 1015: fcp = LIST_NEXT(fcp, chain); ! 1016: } ! 1017: splx(s); ! 1018: cleared = 1; ! 1019: break; ! 1020: } ! 1021: if (!cleared) /* we didn't find any matching rules */ ! 1022: return (EINVAL); ! 1023: } ! 1024: ! 1025: if (fw_verbose) { ! 1026: if (frwl) ! 1027: kprintf("ipfw: Entry %d cleared.\n", frwl->fw_number); ! 1028: else ! 1029: kprintf("ipfw: Accounting cleared.\n"); ! 1030: } ! 1031: ! 1032: return (0); ! 1033: } ! 1034: ! 1035: static int ! 1036: check_ipfw_struct(struct ip_fw *frwl) ! 1037: { ! 1038: /* Check for invalid flag bits */ ! 1039: if ((frwl->fw_flg & ~IP_FW_F_MASK) != 0) { ! 1040: dprintf(("%s undefined flag bits set (flags=%x)\n", ! 1041: err_prefix, frwl->fw_flg)); ! 1042: return (EINVAL); ! 1043: } ! 1044: /* Must apply to incoming or outgoing (or both) */ ! 1045: if (!(frwl->fw_flg & (IP_FW_F_IN | IP_FW_F_OUT))) { ! 1046: dprintf(("%s neither in nor out\n", err_prefix)); ! 1047: return (EINVAL); ! 1048: } ! 1049: /* Empty interface name is no good */ ! 1050: if (((frwl->fw_flg & IP_FW_F_IIFNAME) ! 1051: && !*frwl->fw_in_if.fu_via_if.name) ! 1052: || ((frwl->fw_flg & IP_FW_F_OIFNAME) ! 1053: && !*frwl->fw_out_if.fu_via_if.name)) { ! 1054: dprintf(("%s empty interface name\n", err_prefix)); ! 1055: return (EINVAL); ! 1056: } ! 1057: /* Sanity check interface matching */ ! 1058: if ((frwl->fw_flg & IF_FW_F_VIAHACK) == IF_FW_F_VIAHACK) { ! 1059: ; /* allow "via" backwards compatibility */ ! 1060: } else if ((frwl->fw_flg & IP_FW_F_IN) ! 1061: && (frwl->fw_flg & IP_FW_F_OIFACE)) { ! 1062: dprintf(("%s outgoing interface check on incoming\n", ! 1063: err_prefix)); ! 1064: return (EINVAL); ! 1065: } ! 1066: /* Sanity check port ranges */ ! 1067: if ((frwl->fw_flg & IP_FW_F_SRNG) && IP_FW_GETNSRCP(frwl) < 2) { ! 1068: dprintf(("%s src range set but n_src_p=%d\n", ! 1069: err_prefix, IP_FW_GETNSRCP(frwl))); ! 1070: return (EINVAL); ! 1071: } ! 1072: if ((frwl->fw_flg & IP_FW_F_DRNG) && IP_FW_GETNDSTP(frwl) < 2) { ! 1073: dprintf(("%s dst range set but n_dst_p=%d\n", ! 1074: err_prefix, IP_FW_GETNDSTP(frwl))); ! 1075: return (EINVAL); ! 1076: } ! 1077: if (IP_FW_GETNSRCP(frwl) + IP_FW_GETNDSTP(frwl) > IP_FW_MAX_PORTS) { ! 1078: dprintf(("%s too many ports (%d+%d)\n", ! 1079: err_prefix, IP_FW_GETNSRCP(frwl), IP_FW_GETNDSTP(frwl))); ! 1080: return (EINVAL); ! 1081: } ! 1082: /* ! 1083: * Protocols other than TCP/UDP don't use port range ! 1084: */ ! 1085: if ((frwl->fw_prot != IPPROTO_TCP) && ! 1086: (frwl->fw_prot != IPPROTO_UDP) && ! 1087: (IP_FW_GETNSRCP(frwl) || IP_FW_GETNDSTP(frwl))) { ! 1088: dprintf(("%s port(s) specified for non TCP/UDP rule\n", ! 1089: err_prefix)); ! 1090: return (EINVAL); ! 1091: } ! 1092: ! 1093: /* ! 1094: * Rather than modify the entry to make such entries work, ! 1095: * we reject this rule and require user level utilities ! 1096: * to enforce whatever policy they deem appropriate. ! 1097: */ ! 1098: if ((frwl->fw_src.s_addr & (~frwl->fw_smsk.s_addr)) || ! 1099: (frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) { ! 1100: dprintf(("%s rule never matches\n", err_prefix)); ! 1101: return (EINVAL); ! 1102: } ! 1103: ! 1104: if ((frwl->fw_flg & IP_FW_F_FRAG) && ! 1105: (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) { ! 1106: if (frwl->fw_nports) { ! 1107: dprintf(("%s cannot mix 'frag' and ports\n", err_prefix)); ! 1108: return (EINVAL); ! 1109: } ! 1110: if (frwl->fw_prot == IPPROTO_TCP && ! 1111: frwl->fw_tcpf != frwl->fw_tcpnf) { ! 1112: dprintf(("%s cannot mix 'frag' and TCP flags\n", err_prefix)); ! 1113: return (EINVAL); ! 1114: } ! 1115: } ! 1116: ! 1117: /* Check command specific stuff */ ! 1118: switch (frwl->fw_flg & IP_FW_F_COMMAND) ! 1119: { ! 1120: case IP_FW_F_REJECT: ! 1121: if (frwl->fw_reject_code >= 0x100 ! 1122: && !(frwl->fw_prot == IPPROTO_TCP ! 1123: && frwl->fw_reject_code == IP_FW_REJECT_RST)) { ! 1124: dprintf(("%s unknown reject code\n", err_prefix)); ! 1125: return (EINVAL); ! 1126: } ! 1127: break; ! 1128: case IP_FW_F_DIVERT: /* Diverting to port zero is invalid */ ! 1129: case IP_FW_F_PIPE: /* piping through 0 is invalid */ ! 1130: case IP_FW_F_TEE: ! 1131: if (frwl->fw_divert_port == 0) { ! 1132: dprintf(("%s can't divert to port 0\n", err_prefix)); ! 1133: return (EINVAL); ! 1134: } ! 1135: break; ! 1136: case IP_FW_F_DENY: ! 1137: case IP_FW_F_ACCEPT: ! 1138: case IP_FW_F_COUNT: ! 1139: case IP_FW_F_SKIPTO: ! 1140: #if IPFIREWALL_FORWARD ! 1141: case IP_FW_F_FWD: ! 1142: #endif ! 1143: break; ! 1144: default: ! 1145: dprintf(("%s invalid command\n", err_prefix)); ! 1146: return (EINVAL); ! 1147: } ! 1148: ! 1149: return 0; ! 1150: } ! 1151: ! 1152: static int ! 1153: ip_fw_ctl(struct sockopt *sopt) ! 1154: { ! 1155: int error, s; ! 1156: size_t size; ! 1157: char *buf, *bp; ! 1158: struct ip_fw_chain *fcp; ! 1159: struct ip_fw frwl; ! 1160: ! 1161: /* Disallow sets in really-really secure mode. */ ! 1162: if (sopt->sopt_dir == SOPT_SET && securelevel >= 3) ! 1163: return (EPERM); ! 1164: error = 0; ! 1165: ! 1166: switch (sopt->sopt_name) { ! 1167: case IP_FW_GET: ! 1168: for (fcp = LIST_FIRST(&ip_fw_chain), size = 0; fcp; ! 1169: fcp = LIST_NEXT(fcp, chain)) ! 1170: size += sizeof *fcp->rule; ! 1171: buf = _MALLOC(size, M_TEMP, M_WAITOK); ! 1172: if (buf == 0) { ! 1173: error = ENOBUFS; ! 1174: break; ! 1175: } ! 1176: ! 1177: for (fcp = LIST_FIRST(&ip_fw_chain), bp = buf; fcp; ! 1178: fcp = LIST_NEXT(fcp, chain)) { ! 1179: bcopy(fcp->rule, bp, sizeof *fcp->rule); ! 1180: bp += sizeof *fcp->rule; ! 1181: } ! 1182: error = sooptcopyout(sopt, buf, size); ! 1183: FREE(buf, M_TEMP); ! 1184: break; ! 1185: ! 1186: case IP_FW_FLUSH: ! 1187: for (fcp = ip_fw_chain.lh_first; ! 1188: fcp != 0 && fcp->rule->fw_number != IPFW_DEFAULT_RULE; ! 1189: fcp = ip_fw_chain.lh_first) { ! 1190: s = splnet(); ! 1191: LIST_REMOVE(fcp, chain); ! 1192: FREE(fcp->rule, M_IPFW); ! 1193: FREE(fcp, M_IPFW); ! 1194: splx(s); ! 1195: } ! 1196: break; ! 1197: ! 1198: case IP_FW_ZERO: ! 1199: if (sopt->sopt_val != 0) { ! 1200: error = sooptcopyin(sopt, &frwl, sizeof frwl, ! 1201: sizeof frwl); ! 1202: if (error || (error = zero_entry(&frwl))) ! 1203: break; ! 1204: } else { ! 1205: error = zero_entry(0); ! 1206: } ! 1207: break; ! 1208: ! 1209: case IP_FW_ADD: ! 1210: error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl); ! 1211: if (error || (error = check_ipfw_struct(&frwl))) ! 1212: break; ! 1213: ! 1214: if (frwl.fw_number == IPFW_DEFAULT_RULE) { ! 1215: dprintf(("%s can't add rule %u\n", err_prefix, ! 1216: (unsigned)IPFW_DEFAULT_RULE)); ! 1217: error = EINVAL; ! 1218: } else { ! 1219: error = add_entry(&ip_fw_chain, &frwl); ! 1220: } ! 1221: break; ! 1222: ! 1223: case IP_FW_DEL: ! 1224: error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl); ! 1225: if (error) ! 1226: break; ! 1227: ! 1228: if (frwl.fw_number == IPFW_DEFAULT_RULE) { ! 1229: dprintf(("%s can't delete rule %u\n", err_prefix, ! 1230: (unsigned)IPFW_DEFAULT_RULE)); ! 1231: error = EINVAL; ! 1232: } else { ! 1233: error = del_entry(&ip_fw_chain, frwl.fw_number); ! 1234: } ! 1235: break; ! 1236: ! 1237: default: ! 1238: kprintf("ip_fw_ctl invalid option %d\n", sopt->sopt_name); ! 1239: error = EINVAL ; ! 1240: } ! 1241: ! 1242: return (error); ! 1243: } ! 1244: ! 1245: struct ip_fw_chain *ip_fw_default_rule ; ! 1246: ! 1247: void ! 1248: ip_fw_init(void) ! 1249: { ! 1250: struct ip_fw default_rule; ! 1251: ! 1252: ip_fw_chk_ptr = ip_fw_chk; ! 1253: ip_fw_ctl_ptr = ip_fw_ctl; ! 1254: LIST_INIT(&ip_fw_chain); ! 1255: ! 1256: bzero(&default_rule, sizeof default_rule); ! 1257: default_rule.fw_prot = IPPROTO_IP; ! 1258: default_rule.fw_number = IPFW_DEFAULT_RULE; ! 1259: #if IPFIREWALL_DEFAULT_TO_ACCEPT ! 1260: default_rule.fw_flg |= IP_FW_F_ACCEPT; ! 1261: #else ! 1262: default_rule.fw_flg |= IP_FW_F_DENY; ! 1263: #endif ! 1264: default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT; ! 1265: if (check_ipfw_struct(&default_rule) != 0 || ! 1266: add_entry(&ip_fw_chain, &default_rule)) ! 1267: panic("ip_fw_init"); ! 1268: ! 1269: ip_fw_default_rule = ip_fw_chain.lh_first ; ! 1270: kprintf("IP packet filtering initialized, " ! 1271: #if IPDIVERT ! 1272: "divert enabled, "); ! 1273: #else ! 1274: "divert disabled, "); ! 1275: #endif ! 1276: #if IPFIREWALL_FORWARD ! 1277: kprintf("rule-based forwarding enabled, "); ! 1278: #else ! 1279: kprintf("rule-based forwarding disabled, "); ! 1280: #endif ! 1281: #if IPFIREWALL_DEFAULT_TO_ACCEPT ! 1282: kprintf("default to accept, "); ! 1283: #endif ! 1284: #ifndef IPFIREWALL_VERBOSE ! 1285: kprintf("logging disabled\n"); ! 1286: #else ! 1287: if (fw_verbose_limit == 0) ! 1288: kprintf("unlimited logging\n"); ! 1289: else ! 1290: kprintf("logging limited to %d packets/entry\n", ! 1291: fw_verbose_limit); ! 1292: #endif ! 1293: } ! 1294: ! 1295: #if ISFB31 ! 1296: ! 1297: /* ! 1298: * ### LD 08/04/99: This is used if IPFIREWALL is a FreeBSD "KLD" module ! 1299: * Right now, we're linked to the kernel all the time ! 1300: * will be fixed with the use of an NKE? ! 1301: * ! 1302: * Note: ip_fw_init is called from div_init() in xnu ! 1303: */ ! 1304: ! 1305: static ip_fw_chk_t *old_chk_ptr; ! 1306: static ip_fw_ctl_t *old_ctl_ptr; ! 1307: ! 1308: #if defined(IPFIREWALL_MODULE) && !defined(KLD_MODULE) ! 1309: ! 1310: #include <sys/exec.h> ! 1311: #include <sys/sysent.h> ! 1312: #include <sys/lkm.h> ! 1313: ! 1314: MOD_MISC(ipfw); ! 1315: ! 1316: static int ! 1317: ipfw_load(struct lkm_table *lkmtp, int cmd) ! 1318: { ! 1319: int s=splnet(); ! 1320: ! 1321: old_chk_ptr = ip_fw_chk_ptr; ! 1322: old_ctl_ptr = ip_fw_ctl_ptr; ! 1323: ! 1324: ip_fw_init(); ! 1325: splx(s); ! 1326: return 0; ! 1327: } ! 1328: ! 1329: static int ! 1330: ipfw_unload(struct lkm_table *lkmtp, int cmd) ! 1331: { ! 1332: int s=splnet(); ! 1333: ! 1334: ip_fw_chk_ptr = old_chk_ptr; ! 1335: ip_fw_ctl_ptr = old_ctl_ptr; ! 1336: ! 1337: while (LIST_FIRST(&ip_fw_chain) != NULL) { ! 1338: struct ip_fw_chain *fcp = LIST_FIRST(&ip_fw_chain); ! 1339: LIST_REMOVE(LIST_FIRST(&ip_fw_chain), chain); ! 1340: FREE(fcp->rule, M_IPFW); ! 1341: FREE(fcp, M_IPFW); ! 1342: } ! 1343: ! 1344: splx(s); ! 1345: kprintf("IP firewall unloaded\n"); ! 1346: return 0; ! 1347: } ! 1348: ! 1349: int ! 1350: ipfw_mod(struct lkm_table *lkmtp, int cmd, int ver) ! 1351: { ! 1352: MOD_DISPATCH(ipfw, lkmtp, cmd, ver, ! 1353: ipfw_load, ipfw_unload, lkm_nullcmd); ! 1354: } ! 1355: #else ! 1356: static int ! 1357: ipfw_modevent(module_t mod, int type, void *unused) ! 1358: { ! 1359: int s; ! 1360: ! 1361: switch (type) { ! 1362: case MOD_LOAD: ! 1363: s = splnet(); ! 1364: ! 1365: old_chk_ptr = ip_fw_chk_ptr; ! 1366: old_ctl_ptr = ip_fw_ctl_ptr; ! 1367: ! 1368: ip_fw_init(); ! 1369: splx(s); ! 1370: return 0; ! 1371: case MOD_UNLOAD: ! 1372: s = splnet(); ! 1373: ! 1374: ip_fw_chk_ptr = old_chk_ptr; ! 1375: ip_fw_ctl_ptr = old_ctl_ptr; ! 1376: ! 1377: while (LIST_FIRST(&ip_fw_chain) != NULL) { ! 1378: struct ip_fw_chain *fcp = LIST_FIRST(&ip_fw_chain); ! 1379: LIST_REMOVE(LIST_FIRST(&ip_fw_chain), chain); ! 1380: FREE(fcp->rule, M_IPFW); ! 1381: FREE(fcp, M_IPFW); ! 1382: } ! 1383: ! 1384: splx(s); ! 1385: kprintf("IP firewall unloaded\n"); ! 1386: return 0; ! 1387: default: ! 1388: break; ! 1389: } ! 1390: return 0; ! 1391: } ! 1392: ! 1393: static moduledata_t ipfwmod = { ! 1394: "ipfw", ! 1395: ipfw_modevent, ! 1396: 0 ! 1397: }; ! 1398: DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PSEUDO, SI_ORDER_ANY); ! 1399: #endif ! 1400: #endif /* ISFB31 */
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.