Gitiles
Code Review Sign In
code.illumos.org / illumos-gate / f4b3ec61df05330d25f55a36b975b4d7519fdeb1 / . / usr / src / uts / common / inet / ipf / fil.c
blob: 0f0b80392fd3f071561931e897f3351d3db6fcc0 [file] [log] [blame]
/*
* Copyright (C) 1993-2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#if defined(KERNEL) || defined(_KERNEL)
# undef KERNEL
# undef _KERNEL
# define KERNEL 1
# define _KERNEL 1
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#if defined(__NetBSD__)
# if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
# include "opt_ipfilter_log.h"
# endif
#endif
#if defined(_KERNEL) && defined(__FreeBSD_version) && \
(__FreeBSD_version >= 220000)
# if (__FreeBSD_version >= 400000)
# if !defined(IPFILTER_LKM)
# include "opt_inet6.h"
# endif
# if (__FreeBSD_version == 400019)
# define CSUM_DELAY_DATA
# endif
# endif
# include <sys/filio.h>
#else
# include <sys/ioctl.h>
#endif
#if !defined(_AIX51)
# include <sys/fcntl.h>
#endif
#if defined(_KERNEL)
# include <sys/systm.h>
# include <sys/file.h>
#else
# include <stdio.h>
# include <string.h>
# include <stdlib.h>
# include <stddef.h>
# include <sys/file.h>
# define _KERNEL
# ifdef __OpenBSD__
struct file;
# endif
# include <sys/uio.h>
# undef _KERNEL
#endif
#if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux) && \
!defined(linux)
# include <sys/mbuf.h>
#else
# if !defined(linux)
# include <sys/byteorder.h>
# endif
# if (SOLARIS2 < 5) && defined(sun)
# include <sys/dditypes.h>
# endif
#endif
#ifdef __hpux
# define _NET_ROUTE_INCLUDED
#endif
#if !defined(linux)
# include <sys/protosw.h>
#endif
#include <sys/socket.h>
#include <net/if.h>
#ifdef sun
# include <net/af.h>
#endif
#if !defined(_KERNEL) && defined(__FreeBSD__)
# include "radix_ipf.h"
#endif
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#if !defined(linux)
# include <netinet/ip_var.h>
#endif
#if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
# include <sys/hashing.h>
# include <netinet/in_var.h>
#endif
#include <netinet/tcp.h>
#if (!defined(__sgi) && !defined(AIX)) || defined(_KERNEL)
# include <netinet/udp.h>
# include <netinet/ip_icmp.h>
#endif
#ifdef __hpux
# undef _NET_ROUTE_INCLUDED
#endif
#include "netinet/ip_compat.h"
#ifdef USE_INET6
# include <netinet/icmp6.h>
# if !SOLARIS && defined(_KERNEL) && !defined(__osf__) && !defined(__hpux)
# include <netinet6/in6_var.h>
# endif
#endif
#include <netinet/tcpip.h>
#include "netinet/ip_fil.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_auth.h"
#include "netinet/ipf_stack.h"
#ifdef IPFILTER_SCAN
# include "netinet/ip_scan.h"
#endif
#ifdef IPFILTER_SYNC
# include "netinet/ip_sync.h"
#endif
#include "netinet/ip_pool.h"
#include "netinet/ip_htable.h"
#ifdef IPFILTER_COMPILED
# include "netinet/ip_rules.h"
#endif
#if defined(IPFILTER_BPF) && defined(_KERNEL)
# include <net/bpf.h>
#endif
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
# include "opt_ipfilter.h"
# endif
#endif
#include "netinet/ipl.h"
/* END OF INCLUDES */
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.64 2005/08/13 05:19:59 darrenr Exp $";
#endif
#ifndef _KERNEL
# include "ipf.h"
# include "ipt.h"
# include "bpf-ipf.h"
extern int opts;
# define FR_VERBOSE(verb_pr) verbose verb_pr
# define FR_DEBUG(verb_pr) debug verb_pr
#else /* #ifndef _KERNEL */
# define FR_VERBOSE(verb_pr)
# define FR_DEBUG(verb_pr)
#endif /* _KERNEL */
char ipfilter_version[] = IPL_VERSION;
int fr_features = 0
#ifdef IPFILTER_LKM
| IPF_FEAT_LKM
#endif
#ifdef IPFILTER_LOG
| IPF_FEAT_LOG
#endif
#ifdef IPFILTER_LOOKUP
| IPF_FEAT_LOOKUP
#endif
#ifdef IPFILTER_BPF
| IPF_FEAT_BPF
#endif
#ifdef IPFILTER_COMPILED
| IPF_FEAT_COMPILED
#endif
#ifdef IPFILTER_CKSUM
| IPF_FEAT_CKSUM
#endif
#ifdef IPFILTER_SYNC
| IPF_FEAT_SYNC
#endif
#ifdef IPFILTER_SCAN
| IPF_FEAT_SCAN
#endif
#ifdef USE_INET6
| IPF_FEAT_IPV6
#endif
;
static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
static int fr_portcheck __P((frpcmp_t *, u_short *));
static int frflushlist __P((int, minor_t, int *, frentry_t **,
ipf_stack_t *));
static ipfunc_t fr_findfunc __P((ipfunc_t));
static frentry_t *fr_firewall __P((fr_info_t *, u_32_t *));
static int fr_funcinit __P((frentry_t *fr, ipf_stack_t *));
static INLINE void frpr_ah __P((fr_info_t *));
static INLINE void frpr_esp __P((fr_info_t *));
static INLINE void frpr_gre __P((fr_info_t *));
static INLINE void frpr_udp __P((fr_info_t *));
static INLINE void frpr_tcp __P((fr_info_t *));
static INLINE void frpr_icmp __P((fr_info_t *));
static INLINE void frpr_ipv4hdr __P((fr_info_t *));
static INLINE int frpr_pullup __P((fr_info_t *, int));
static INLINE void frpr_short __P((fr_info_t *, int));
static INLINE void frpr_tcpcommon __P((fr_info_t *));
static INLINE void frpr_udpcommon __P((fr_info_t *));
static INLINE int fr_updateipid __P((fr_info_t *));
#ifdef IPFILTER_LOOKUP
static int fr_grpmapinit __P((frentry_t *fr, ipf_stack_t *));
static INLINE void *fr_resolvelookup __P((u_int, u_int, lookupfunc_t *,
ipf_stack_t *));
#endif
static void frsynclist __P((int, int, void *, char *, frentry_t *,
ipf_stack_t *));
static void *fr_ifsync __P((int, int, char *, char *,
void *, void *, ipf_stack_t *));
static ipftuneable_t *fr_findtunebyname __P((const char *, ipf_stack_t *));
static ipftuneable_t *fr_findtunebycookie __P((void *, void **, ipf_stack_t *));
/*
* bit values for identifying presence of individual IP options
* All of these tables should be ordered by increasing key value on the left
* hand side to allow for binary searching of the array and include a trailer
* with a 0 for the bitmask for linear searches to easily find the end with.
*/
const struct optlist ipopts[20] = {
{ IPOPT_NOP, 0x000001 },
{ IPOPT_RR, 0x000002 },
{ IPOPT_ZSU, 0x000004 },
{ IPOPT_MTUP, 0x000008 },
{ IPOPT_MTUR, 0x000010 },
{ IPOPT_ENCODE, 0x000020 },
{ IPOPT_TS, 0x000040 },
{ IPOPT_TR, 0x000080 },
{ IPOPT_SECURITY, 0x000100 },
{ IPOPT_LSRR, 0x000200 },
{ IPOPT_E_SEC, 0x000400 },
{ IPOPT_CIPSO, 0x000800 },
{ IPOPT_SATID, 0x001000 },
{ IPOPT_SSRR, 0x002000 },
{ IPOPT_ADDEXT, 0x004000 },
{ IPOPT_VISA, 0x008000 },
{ IPOPT_IMITD, 0x010000 },
{ IPOPT_EIP, 0x020000 },
{ IPOPT_FINN, 0x040000 },
{ 0, 0x000000 }
};
#ifdef USE_INET6
struct optlist ip6exthdr[] = {
{ IPPROTO_HOPOPTS, 0x000001 },
{ IPPROTO_IPV6, 0x000002 },
{ IPPROTO_ROUTING, 0x000004 },
{ IPPROTO_FRAGMENT, 0x000008 },
{ IPPROTO_ESP, 0x000010 },
{ IPPROTO_AH, 0x000020 },
{ IPPROTO_NONE, 0x000040 },
{ IPPROTO_DSTOPTS, 0x000080 },
{ 0, 0 }
};
#endif
struct optlist tcpopts[] = {
{ TCPOPT_NOP, 0x000001 },
{ TCPOPT_MAXSEG, 0x000002 },
{ TCPOPT_WINDOW, 0x000004 },
{ TCPOPT_SACK_PERMITTED, 0x000008 },
{ TCPOPT_SACK, 0x000010 },
{ TCPOPT_TIMESTAMP, 0x000020 },
{ 0, 0x000000 }
};
/*
* bit values for identifying presence of individual IP security options
*/
const struct optlist secopt[8] = {
{ IPSO_CLASS_RES4, 0x01 },
{ IPSO_CLASS_TOPS, 0x02 },
{ IPSO_CLASS_SECR, 0x04 },
{ IPSO_CLASS_RES3, 0x08 },
{ IPSO_CLASS_CONF, 0x10 },
{ IPSO_CLASS_UNCL, 0x20 },
{ IPSO_CLASS_RES2, 0x40 },
{ IPSO_CLASS_RES1, 0x80 }
};
/*
* Table of functions available for use with call rules.
*/
static ipfunc_resolve_t fr_availfuncs[] = {
#ifdef IPFILTER_LOOKUP
{ "fr_srcgrpmap", fr_srcgrpmap, fr_grpmapinit },
{ "fr_dstgrpmap", fr_dstgrpmap, fr_grpmapinit },
#endif
{ "", NULL }
};
/*
* The next section of code is a a collection of small routines that set
* fields in the fr_info_t structure passed based on properties of the
* current packet. There are different routines for the same protocol
* for each of IPv4 and IPv6. Adding a new protocol, for which there
* will "special" inspection for setup, is now more easily done by adding
* a new routine and expanding the frpr_ipinit*() function rather than by
* adding more code to a growing switch statement.
*/
#ifdef USE_INET6
static INLINE int frpr_ah6 __P((fr_info_t *));
static INLINE void frpr_esp6 __P((fr_info_t *));
static INLINE void frpr_gre6 __P((fr_info_t *));
static INLINE void frpr_udp6 __P((fr_info_t *));
static INLINE void frpr_tcp6 __P((fr_info_t *));
static INLINE void frpr_icmp6 __P((fr_info_t *));
static INLINE int frpr_ipv6hdr __P((fr_info_t *));
static INLINE void frpr_short6 __P((fr_info_t *, int));
static INLINE int frpr_hopopts6 __P((fr_info_t *));
static INLINE int frpr_routing6 __P((fr_info_t *));
static INLINE int frpr_dstopts6 __P((fr_info_t *));
static INLINE int frpr_fragment6 __P((fr_info_t *));
static INLINE int frpr_ipv6exthdr __P((fr_info_t *, int, int));
/* ------------------------------------------------------------------------ */
/* Function: frpr_short6 */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv6 Only */
/* This is function enforces the 'is a packet too short to be legit' rule */
/* for IPv6 and marks the packet with FI_SHORT if so. See function comment */
/* for frpr_short() for more details. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_short6(fin, xmin)
fr_info_t *fin;
int xmin;
{
if (fin->fin_dlen < xmin)
fin->fin_flx |= FI_SHORT;
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_ipv6hdr */
/* Returns: int */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv6 Only */
/* Copy values from the IPv6 header into the fr_info_t struct and call the */
/* per-protocol analyzer if it exists. */
/* ------------------------------------------------------------------------ */
static INLINE int frpr_ipv6hdr(fin)
fr_info_t *fin;
{
ip6_t *ip6 = (ip6_t *)fin->fin_ip;
int p, go = 1, i, hdrcount;
fr_ip_t *fi = &fin->fin_fi;
fin->fin_off = 0;
fi->fi_tos = 0;
fi->fi_optmsk = 0;
fi->fi_secmsk = 0;
fi->fi_auth = 0;
p = ip6->ip6_nxt;
fi->fi_ttl = ip6->ip6_hlim;
fi->fi_src.in6 = ip6->ip6_src;
fi->fi_dst.in6 = ip6->ip6_dst;
fin->fin_id = 0;
hdrcount = 0;
while (go && !(fin->fin_flx & (FI_BAD|FI_SHORT))) {
switch (p)
{
case IPPROTO_UDP :
frpr_udp6(fin);
go = 0;
break;
case IPPROTO_TCP :
frpr_tcp6(fin);
go = 0;
break;
case IPPROTO_ICMPV6 :
frpr_icmp6(fin);
go = 0;
break;
case IPPROTO_GRE :
frpr_gre6(fin);
go = 0;
break;
case IPPROTO_HOPOPTS :
/*
* hop by hop ext header is only allowed
* right after IPv6 header.
*/
if (hdrcount != 0) {
fin->fin_flx |= FI_BAD;
p = IPPROTO_NONE;
} else {
p = frpr_hopopts6(fin);
}
break;
case IPPROTO_DSTOPTS :
p = frpr_dstopts6(fin);
break;
case IPPROTO_ROUTING :
p = frpr_routing6(fin);
break;
case IPPROTO_AH :
p = frpr_ah6(fin);
break;
case IPPROTO_ESP :
frpr_esp6(fin);
go = 0;
break;
case IPPROTO_IPV6 :
for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
if (ip6exthdr[i].ol_val == p) {
fin->fin_flx |= ip6exthdr[i].ol_bit;
break;
}
go = 0;
break;
case IPPROTO_NONE :
go = 0;
break;
case IPPROTO_FRAGMENT :
p = frpr_fragment6(fin);
if (fin->fin_off != 0) /* Not the first frag */
go = 0;
break;
default :
go = 0;
break;
}
hdrcount++;
/*
* It is important to note that at this point, for the
* extension headers (go != 0), the entire header may not have
* been pulled up when the code gets to this point. This is
* only done for "go != 0" because the other header handlers
* will all pullup their complete header. The other indicator
* of an incomplete packet is that this was just an extension
* header.
*/
if ((go != 0) && (p != IPPROTO_NONE) &&
(frpr_pullup(fin, 0) == -1)) {
p = IPPROTO_NONE;
go = 0;
}
}
fi->fi_p = p;
if (fin->fin_flx & FI_BAD)
return -1;
return 0;
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_ipv6exthdr */
/* Returns: int - value of the next header or IPPROTO_NONE if error */
/* Parameters: fin(I) - pointer to packet information */
/* multiple(I) - flag indicating yes/no if multiple occurances */
/* of this extension header are allowed. */
/* proto(I) - protocol number for this extension header */
/* */
/* IPv6 Only */
/* ------------------------------------------------------------------------ */
static INLINE int frpr_ipv6exthdr(fin, multiple, proto)
fr_info_t *fin;
int multiple, proto;
{
struct ip6_ext *hdr;
u_short shift;
int i;
fin->fin_flx |= FI_V6EXTHDR;
/* 8 is default length of extension hdr */
if ((fin->fin_dlen - 8) < 0) {
fin->fin_flx |= FI_SHORT;
return IPPROTO_NONE;
}
if (frpr_pullup(fin, 8) == -1)
return IPPROTO_NONE;
hdr = fin->fin_dp;
shift = 8 + (hdr->ip6e_len << 3);
if (shift > fin->fin_dlen) { /* Nasty extension header length? */
fin->fin_flx |= FI_BAD;
return IPPROTO_NONE;
}
for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
if (ip6exthdr[i].ol_val == proto) {
/*
* Most IPv6 extension headers are only allowed once.
*/
if ((multiple == 0) &&
((fin->fin_optmsk & ip6exthdr[i].ol_bit) != 0))
fin->fin_flx |= FI_BAD;
else
fin->fin_optmsk |= ip6exthdr[i].ol_bit;
break;
}
fin->fin_dp = (char *)fin->fin_dp + shift;
fin->fin_dlen -= shift;
return hdr->ip6e_nxt;
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_hopopts6 */
/* Returns: int - value of the next header or IPPROTO_NONE if error */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv6 Only */
/* This is function checks pending hop by hop options extension header */
/* ------------------------------------------------------------------------ */
static INLINE int frpr_hopopts6(fin)
fr_info_t *fin;
{
return frpr_ipv6exthdr(fin, 0, IPPROTO_HOPOPTS);
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_routing6 */
/* Returns: int - value of the next header or IPPROTO_NONE if error */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv6 Only */
/* This is function checks pending routing extension header */
/* ------------------------------------------------------------------------ */
static INLINE int frpr_routing6(fin)
fr_info_t *fin;
{
struct ip6_ext *hdr;
int shift;
hdr = fin->fin_dp;
if (frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING) == IPPROTO_NONE)
return IPPROTO_NONE;
shift = 8 + (hdr->ip6e_len << 3);
/*
* Nasty extension header length?
*/
if ((hdr->ip6e_len << 3) & 15) {
fin->fin_flx |= FI_BAD;
/*
* Compensate for the changes made in frpr_ipv6exthdr()
*/
fin->fin_dlen += shift;
fin->fin_dp = (char *)fin->fin_dp - shift;
return IPPROTO_NONE;
}
return hdr->ip6e_nxt;
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_fragment6 */
/* Returns: int - value of the next header or IPPROTO_NONE if error */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv6 Only */
/* Examine the IPv6 fragment header and extract fragment offset information.*/
/* */
/* We don't know where the transport layer header (or whatever is next is), */
/* as it could be behind destination options (amongst others). Because */
/* there is no fragment cache, there is no knowledge about whether or not an*/
/* upper layer header has been seen (or where it ends) and thus we are not */
/* able to continue processing beyond this header with any confidence. */
/* ------------------------------------------------------------------------ */
static INLINE int frpr_fragment6(fin)
fr_info_t *fin;
{
struct ip6_frag *frag;
int dlen;
fin->fin_flx |= FI_FRAG;
dlen = fin->fin_dlen;
if (frpr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT) == IPPROTO_NONE)
return IPPROTO_NONE;
if (frpr_pullup(fin, sizeof(*frag)) == -1)
return IPPROTO_NONE;
frpr_short6(fin, sizeof(*frag));
if ((fin->fin_flx & FI_SHORT) != 0)
return IPPROTO_NONE;
frag = (struct ip6_frag *)((char *)fin->fin_dp - sizeof(*frag));
/*
* Fragment but no fragmentation info set? Bad packet...
*/
if (frag->ip6f_offlg == 0) {
fin->fin_flx |= FI_BAD;
return IPPROTO_NONE;
}
fin->fin_id = frag->ip6f_ident;
fin->fin_off = frag->ip6f_offlg & IP6F_OFF_MASK;
fin->fin_off = ntohs(fin->fin_off);
if (fin->fin_off != 0)
fin->fin_flx |= FI_FRAGBODY;
fin->fin_dp = (char *)frag + sizeof(*frag);
fin->fin_dlen = dlen - sizeof(*frag);
/* length of hdrs(after frag hdr) + data */
fin->fin_flen = fin->fin_dlen;
/*
* If the frag is not the last one and the payload length
* is not multiple of 8, it must be dropped.
*/
if ((frag->ip6f_offlg & IP6F_MORE_FRAG) && (dlen % 8)) {
fin->fin_flx |= FI_BAD;
return IPPROTO_NONE;
}
return frag->ip6f_nxt;
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_dstopts6 */
/* Returns: int - value of the next header or IPPROTO_NONE if error */
/* Parameters: fin(I) - pointer to packet information */
/* nextheader(I) - stores next header value */
/* */
/* IPv6 Only */
/* This is function checks pending destination options extension header */
/* ------------------------------------------------------------------------ */
static INLINE int frpr_dstopts6(fin)
fr_info_t *fin;
{
return frpr_ipv6exthdr(fin, 1, IPPROTO_DSTOPTS);
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_icmp6 */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv6 Only */
/* This routine is mainly concerned with determining the minimum valid size */
/* for an ICMPv6 packet. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_icmp6(fin)
fr_info_t *fin;
{
int minicmpsz = sizeof(struct icmp6_hdr);
struct icmp6_hdr *icmp6;
if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN - sizeof(ip6_t)) == -1)
return;
if (fin->fin_dlen > 1) {
icmp6 = fin->fin_dp;
fin->fin_data[0] = *(u_short *)icmp6;
switch (icmp6->icmp6_type)
{
case ICMP6_ECHO_REPLY :
case ICMP6_ECHO_REQUEST :
minicmpsz = ICMP6ERR_MINPKTLEN - sizeof(ip6_t);
break;
case ICMP6_DST_UNREACH :
case ICMP6_PACKET_TOO_BIG :
case ICMP6_TIME_EXCEEDED :
case ICMP6_PARAM_PROB :
if ((fin->fin_m != NULL) &&
(M_LEN(fin->fin_m) < fin->fin_plen)) {
if (fr_coalesce(fin) != 1)
return;
}
fin->fin_flx |= FI_ICMPERR;
minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
break;
default :
break;
}
}
frpr_short6(fin, minicmpsz);
fin->fin_flen -= fin->fin_dlen - minicmpsz;
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_udp6 */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv6 Only */
/* Analyse the packet for IPv6/UDP properties. */
/* Is not expected to be called for fragmented packets. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_udp6(fin)
fr_info_t *fin;
{
fr_checkv6sum(fin);
frpr_short6(fin, sizeof(struct udphdr));
if (frpr_pullup(fin, sizeof(struct udphdr)) == -1)
return;
fin->fin_flen -= fin->fin_dlen - sizeof(struct udphdr);
frpr_udpcommon(fin);
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_tcp6 */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv6 Only */
/* Analyse the packet for IPv6/TCP properties. */
/* Is not expected to be called for fragmented packets. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_tcp6(fin)
fr_info_t *fin;
{
fr_checkv6sum(fin);
frpr_short6(fin, sizeof(struct tcphdr));
if (frpr_pullup(fin, sizeof(struct tcphdr)) == -1)
return;
fin->fin_flen -= fin->fin_dlen - sizeof(struct tcphdr);
frpr_tcpcommon(fin);
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_esp6 */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv6 Only */
/* Analyse the packet for ESP properties. */
/* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
/* even though the newer ESP packets must also have a sequence number that */
/* is 32bits as well, it is not possible(?) to determine the version from a */
/* simple packet header. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_esp6(fin)
fr_info_t *fin;
{
int i;
frpr_short6(fin, sizeof(grehdr_t));
(void) frpr_pullup(fin, 8);
for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
if (ip6exthdr[i].ol_val == IPPROTO_ESP) {
fin->fin_optmsk |= ip6exthdr[i].ol_bit;
break;
}
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_ah6 */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv6 Only */
/* Analyse the packet for AH properties. */
/* The minimum length is taken to be the combination of all fields in the */
/* header being present and no authentication data (null algorithm used.) */
/* ------------------------------------------------------------------------ */
static INLINE int frpr_ah6(fin)
fr_info_t *fin;
{
authhdr_t *ah;
int i, shift;
frpr_short6(fin, 12);
if (frpr_pullup(fin, sizeof(*ah)) == -1)
return IPPROTO_NONE;
for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
if (ip6exthdr[i].ol_val == IPPROTO_AH) {
fin->fin_optmsk |= ip6exthdr[i].ol_bit;
break;
}
ah = (authhdr_t *)fin->fin_dp;
shift = (ah->ah_plen + 2) * 4;
fin->fin_dlen -= shift;
fin->fin_dp = (char*)fin->fin_dp + shift;
return ah->ah_next;
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_gre6 */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* Analyse the packet for GRE properties. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_gre6(fin)
fr_info_t *fin;
{
grehdr_t *gre;
frpr_short6(fin, sizeof(grehdr_t));
if (frpr_pullup(fin, sizeof(grehdr_t)) == -1)
return;
gre = fin->fin_dp;
if (GRE_REV(gre->gr_flags) == 1)
fin->fin_data[0] = gre->gr_call;
}
#endif /* USE_INET6 */
/* ------------------------------------------------------------------------ */
/* Function: frpr_pullup */
/* Returns: int - 0 == pullup succeeded, -1 == failure */
/* Parameters: fin(I) - pointer to packet information */
/* plen(I) - length (excluding L3 header) to pullup */
/* */
/* Short inline function to cut down on code duplication to perform a call */
/* to fr_pullup to ensure there is the required amount of data, */
/* consecutively in the packet buffer. */
/* ------------------------------------------------------------------------ */
static INLINE int frpr_pullup(fin, plen)
fr_info_t *fin;
int plen;
{
#if defined(_KERNEL)
if (fin->fin_m != NULL) {
if (fin->fin_dp != NULL)
plen += (char *)fin->fin_dp -
((char *)fin->fin_ip + fin->fin_hlen);
plen += ((char *)fin->fin_ip - MTOD(fin->fin_m, char *)) +
fin->fin_hlen;
if (M_LEN(fin->fin_m) < plen) {
if (fr_pullup(fin->fin_m, fin, plen) == NULL)
return -1;
}
}
#endif
return 0;
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_short */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* xmin(I) - minimum header size */
/* */
/* Check if a packet is "short" as defined by xmin. The rule we are */
/* applying here is that the packet must not be fragmented within the layer */
/* 4 header. That is, it must not be a fragment that has its offset set to */
/* start within the layer 4 header (hdrmin) or if it is at offset 0, the */
/* entire layer 4 header must be present (min). */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_short(fin, xmin)
fr_info_t *fin;
int xmin;
{
if (fin->fin_off == 0) {
if (fin->fin_dlen < xmin)
fin->fin_flx |= FI_SHORT;
} else if (fin->fin_off < xmin) {
fin->fin_flx |= FI_SHORT;
}
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_icmp */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv4 Only */
/* Do a sanity check on the packet for ICMP (v4). In nearly all cases, */
/* except extrememly bad packets, both type and code will be present. */
/* The expected minimum size of an ICMP packet is very much dependent on */
/* the type of it. */
/* */
/* XXX - other ICMP sanity checks? */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_icmp(fin)
fr_info_t *fin;
{
int minicmpsz = sizeof(struct icmp);
icmphdr_t *icmp;
ip_t *oip;
ipf_stack_t *ifs = fin->fin_ifs;
if (fin->fin_off != 0) {
frpr_short(fin, ICMPERR_ICMPHLEN);
return;
}
if (frpr_pullup(fin, ICMPERR_ICMPHLEN) == -1)
return;
fr_checkv4sum(fin);
if (fin->fin_dlen > 1) {
icmp = fin->fin_dp;
fin->fin_data[0] = *(u_short *)icmp;
switch (icmp->icmp_type)
{
case ICMP_ECHOREPLY :
case ICMP_ECHO :
/* Router discovery messaes - RFC 1256 */
case ICMP_ROUTERADVERT :
case ICMP_ROUTERSOLICIT :
minicmpsz = ICMP_MINLEN;
break;
/*
* type(1) + code(1) + cksum(2) + id(2) seq(2) +
* 3 * timestamp(3 * 4)
*/
case ICMP_TSTAMP :
case ICMP_TSTAMPREPLY :
minicmpsz = 20;
break;
/*
* type(1) + code(1) + cksum(2) + id(2) seq(2) +
* mask(4)
*/
case ICMP_MASKREQ :
case ICMP_MASKREPLY :
minicmpsz = 12;
break;
/*
* type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+)
*/
case ICMP_UNREACH :
if (icmp->icmp_code == ICMP_UNREACH_NEEDFRAG) {
if (icmp->icmp_nextmtu < ifs->ifs_fr_icmpminfragmtu)
fin->fin_flx |= FI_BAD;
}
/* FALLTHRU */
case ICMP_SOURCEQUENCH :
case ICMP_REDIRECT :
case ICMP_TIMXCEED :
case ICMP_PARAMPROB :
fin->fin_flx |= FI_ICMPERR;
if (fr_coalesce(fin) != 1)
return;
/*
* ICMP error packets should not be generated for IP
* packets that are a fragment that isn't the first
* fragment.
*/
oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN);
if ((ntohs(oip->ip_off) & IP_OFFMASK) != 0)
fin->fin_flx |= FI_BAD;
break;
default :
break;
}
if (fin->fin_dlen >= 6) /* ID field */
fin->fin_data[1] = icmp->icmp_id;
}
frpr_short(fin, minicmpsz);
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_tcpcommon */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* TCP header sanity checking. Look for bad combinations of TCP flags, */
/* and make some checks with how they interact with other fields. */
/* If compiled with IPFILTER_CKSUM, check to see if the TCP checksum is */
/* valid and mark the packet as bad if not. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_tcpcommon(fin)
fr_info_t *fin;
{
int flags, tlen;
tcphdr_t *tcp;
fin->fin_flx |= FI_TCPUDP;
if (fin->fin_off != 0)
return;
if (frpr_pullup(fin, sizeof(*tcp)) == -1)
return;
tcp = fin->fin_dp;
if (fin->fin_dlen > 3) {
fin->fin_sport = ntohs(tcp->th_sport);
fin->fin_dport = ntohs(tcp->th_dport);
}
if ((fin->fin_flx & FI_SHORT) != 0)
return;
/*
* Use of the TCP data offset *must* result in a value that is at
* least the same size as the TCP header.
*/
tlen = TCP_OFF(tcp) << 2;
if (tlen < sizeof(tcphdr_t)) {
fin->fin_flx |= FI_BAD;
return;
}
flags = tcp->th_flags;
fin->fin_tcpf = tcp->th_flags;
/*
* If the urgent flag is set, then the urgent pointer must
* also be set and vice versa. Good TCP packets do not have
* just one of these set.
*/
if ((flags & TH_URG) != 0 && (tcp->th_urp == 0)) {
fin->fin_flx |= FI_BAD;
} else if ((flags & TH_URG) == 0 && (tcp->th_urp != 0)) {
/* Ignore this case, it shows up in "real" traffic with */
/* bogus values in the urgent pointer field. */
flags = flags; /* LINT */
} else if (((flags & (TH_SYN|TH_FIN)) != 0) &&
((flags & (TH_RST|TH_ACK)) == TH_RST)) {
/* TH_FIN|TH_RST|TH_ACK seems to appear "naturally" */
fin->fin_flx |= FI_BAD;
} else if (!(flags & TH_ACK)) {
/*
* If the ack bit isn't set, then either the SYN or
* RST bit must be set. If the SYN bit is set, then
* we expect the ACK field to be 0. If the ACK is
* not set and if URG, PSH or FIN are set, consdier
* that to indicate a bad TCP packet.
*/
if ((flags == TH_SYN) && (tcp->th_ack != 0)) {
/*
* Cisco PIX sets the ACK field to a random value.
* In light of this, do not set FI_BAD until a patch
* is available from Cisco to ensure that
* interoperability between existing systems is
* achieved.
*/
/*fin->fin_flx |= FI_BAD*/;
flags = flags; /* LINT */
} else if (!(flags & (TH_RST|TH_SYN))) {
fin->fin_flx |= FI_BAD;
} else if ((flags & (TH_URG|TH_PUSH|TH_FIN)) != 0) {
fin->fin_flx |= FI_BAD;
}
}
/*
* At this point, it's not exactly clear what is to be gained by
* marking up which TCP options are and are not present. The one we
* are most interested in is the TCP window scale. This is only in
* a SYN packet [RFC1323] so we don't need this here...?
* Now if we were to analyse the header for passive fingerprinting,
* then that might add some weight to adding this...
*/
if (tlen == sizeof(tcphdr_t))
return;
if (frpr_pullup(fin, tlen) == -1)
return;
#if 0
ip = fin->fin_ip;
s = (u_char *)(tcp + 1);
off = IP_HL(ip) << 2;
# ifdef _KERNEL
if (fin->fin_mp != NULL) {
mb_t *m = *fin->fin_mp;
if (off + tlen > M_LEN(m))
return;
}
# endif
for (tlen -= (int)sizeof(*tcp); tlen > 0; ) {
opt = *s;
if (opt == '\0')
break;
else if (opt == TCPOPT_NOP)
ol = 1;
else {
if (tlen < 2)
break;
ol = (int)*(s + 1);
if (ol < 2 || ol > tlen)
break;
}
for (i = 9, mv = 4; mv >= 0; ) {
op = ipopts + i;
if (opt == (u_char)op->ol_val) {
optmsk |= op->ol_bit;
break;
}
}
tlen -= ol;
s += ol;
}
#endif /* 0 */
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_udpcommon */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* Extract the UDP source and destination ports, if present. If compiled */
/* with IPFILTER_CKSUM, check to see if the UDP checksum is valid. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_udpcommon(fin)
fr_info_t *fin;
{
udphdr_t *udp;
fin->fin_flx |= FI_TCPUDP;
if (!fin->fin_off && (fin->fin_dlen > 3)) {
if (frpr_pullup(fin, sizeof(*udp)) == -1) {
fin->fin_flx |= FI_SHORT;
return;
}
udp = fin->fin_dp;
fin->fin_sport = ntohs(udp->uh_sport);
fin->fin_dport = ntohs(udp->uh_dport);
}
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_tcp */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv4 Only */
/* Analyse the packet for IPv4/TCP properties. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_tcp(fin)
fr_info_t *fin;
{
fr_checkv4sum(fin);
frpr_short(fin, sizeof(tcphdr_t));
frpr_tcpcommon(fin);
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_udp */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv4 Only */
/* Analyse the packet for IPv4/UDP properties. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_udp(fin)
fr_info_t *fin;
{
fr_checkv4sum(fin);
frpr_short(fin, sizeof(udphdr_t));
frpr_udpcommon(fin);
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_esp */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* Analyse the packet for ESP properties. */
/* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
/* even though the newer ESP packets must also have a sequence number that */
/* is 32bits as well, it is not possible(?) to determine the version from a */
/* simple packet header. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_esp(fin)
fr_info_t *fin;
{
if ((fin->fin_off == 0) && (frpr_pullup(fin, 8) == -1))
return;
frpr_short(fin, 8);
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_ah */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* Analyse the packet for AH properties. */
/* The minimum length is taken to be the combination of all fields in the */
/* header being present and no authentication data (null algorithm used.) */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_ah(fin)
fr_info_t *fin;
{
authhdr_t *ah;
int len;
if ((fin->fin_off == 0) && (frpr_pullup(fin, sizeof(*ah)) == -1))
return;
ah = (authhdr_t *)fin->fin_dp;
len = (ah->ah_plen + 2) << 2;
frpr_short(fin, len);
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_gre */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* Analyse the packet for GRE properties. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_gre(fin)
fr_info_t *fin;
{
grehdr_t *gre;
if ((fin->fin_off == 0) && (frpr_pullup(fin, sizeof(grehdr_t)) == -1))
return;
frpr_short(fin, sizeof(grehdr_t));
if (fin->fin_off == 0) {
gre = fin->fin_dp;
if (GRE_REV(gre->gr_flags) == 1)
fin->fin_data[0] = gre->gr_call;
}
}
/* ------------------------------------------------------------------------ */
/* Function: frpr_ipv4hdr */
/* Returns: void */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* IPv4 Only */
/* Analyze the IPv4 header and set fields in the fr_info_t structure. */
/* Check all options present and flag their presence if any exist. */
/* ------------------------------------------------------------------------ */
static INLINE void frpr_ipv4hdr(fin)
fr_info_t *fin;
{
u_short optmsk = 0, secmsk = 0, auth = 0;
int hlen, ol, mv, p, i;
const struct optlist *op;
u_char *s, opt;
u_short off;
fr_ip_t *fi;
ip_t *ip;
fi = &fin->fin_fi;
hlen = fin->fin_hlen;
ip = fin->fin_ip;
p = ip->ip_p;
fi->fi_p = p;
fi->fi_tos = ip->ip_tos;
fin->fin_id = ip->ip_id;
off = ip->ip_off;
/* Get both TTL and protocol */
fi->fi_p = ip->ip_p;
fi->fi_ttl = ip->ip_ttl;
#if 0
(*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
#endif
/* Zero out bits not used in IPv6 address */
fi->fi_src.i6[1] = 0;
fi->fi_src.i6[2] = 0;
fi->fi_src.i6[3] = 0;
fi->fi_dst.i6[1] = 0;
fi->fi_dst.i6[2] = 0;
fi->fi_dst.i6[3] = 0;
fi->fi_saddr = ip->ip_src.s_addr;
fi->fi_daddr = ip->ip_dst.s_addr;
/*
* set packet attribute flags based on the offset and
* calculate the byte offset that it represents.
*/
off &= IP_MF|IP_OFFMASK;
if (off != 0) {
fi->fi_flx |= FI_FRAG;
off &= IP_OFFMASK;
if (off != 0) {
fin->fin_flx |= FI_FRAGBODY;
off <<= 3;
if ((off + fin->fin_dlen > 65535) ||
(fin->fin_dlen == 0) ||
((ip->ip_off & IP_MF) && (fin->fin_dlen & 7))) {
/*
* The length of the packet, starting at its
* offset cannot exceed 65535 (0xffff) as the
* length of an IP packet is only 16 bits.
*
* Any fragment that isn't the last fragment
* must have a length greater than 0 and it
* must be an even multiple of 8.
*/
fi->fi_flx |= FI_BAD;
}
}
}
fin->fin_off = off;
/*
* Call per-protocol setup and checking
*/
switch (p)
{
case IPPROTO_UDP :
frpr_udp(fin);
break;
case IPPROTO_TCP :
frpr_tcp(fin);
break;
case IPPROTO_ICMP :
frpr_icmp(fin);
break;
case IPPROTO_AH :
frpr_ah(fin);
break;
case IPPROTO_ESP :
frpr_esp(fin);
break;
case IPPROTO_GRE :
frpr_gre(fin);
break;
}
ip = fin->fin_ip;
if (ip == NULL)
return;
/*
* If it is a standard IP header (no options), set the flag fields
* which relate to options to 0.
*/
if (hlen == sizeof(*ip)) {
fi->fi_optmsk = 0;
fi->fi_secmsk = 0;
fi->fi_auth = 0;
return;
}
/*
* So the IP header has some IP options attached. Walk the entire
* list of options present with this packet and set flags to indicate
* which ones are here and which ones are not. For the somewhat out
* of date and obscure security classification options, set a flag to
* represent which classification is present.
*/
fi->fi_flx |= FI_OPTIONS;
for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
opt = *s;
if (opt == '\0')
break;
else if (opt == IPOPT_NOP)
ol = 1;
else {
if (hlen < 2)
break;
ol = (int)*(s + 1);
if (ol < 2 || ol > hlen)
break;
}
for (i = 9, mv = 4; mv >= 0; ) {
op = ipopts + i;
if ((opt == (u_char)op->ol_val) && (ol > 4)) {
optmsk |= op->ol_bit;
if (opt == IPOPT_SECURITY) {
const struct optlist *sp;
u_char sec;
int j, m;
sec = *(s + 2); /* classification */
for (j = 3, m = 2; m >= 0; ) {
sp = secopt + j;
if (sec == sp->ol_val) {
secmsk |= sp->ol_bit;
auth = *(s + 3);
auth *= 256;
auth += *(s + 4);
break;
}
if (sec < sp->ol_val)
j -= m;
else
j += m;
m--;
}
}
break;
}
if (opt < op->ol_val)
i -= mv;
else
i += mv;
mv--;
}
hlen -= ol;
s += ol;
}
/*
*
*/
if (auth && !(auth & 0x0100))
auth &= 0xff00;
fi->fi_optmsk = optmsk;
fi->fi_secmsk = secmsk;
fi->fi_auth = auth;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_makefrip */
/* Returns: int - 1 == hdr checking error, 0 == OK */
/* Parameters: hlen(I) - length of IP packet header */
/* ip(I) - pointer to the IP header */
/* fin(IO) - pointer to packet information */
/* */
/* Compact the IP header into a structure which contains just the info. */
/* which is useful for comparing IP headers with and store this information */
/* in the fr_info_t structure pointer to by fin. At present, it is assumed */
/* this function will be called with either an IPv4 or IPv6 packet. */
/* ------------------------------------------------------------------------ */
int fr_makefrip(hlen, ip, fin)
int hlen;
ip_t *ip;
fr_info_t *fin;
{
int v;
fin->fin_nat = NULL;
fin->fin_state = NULL;
fin->fin_depth = 0;
fin->fin_hlen = (u_short)hlen;
fin->fin_ip = ip;
fin->fin_rule = 0xffffffff;
fin->fin_group[0] = -1;
fin->fin_group[1] = '\0';
fin->fin_dlen = fin->fin_plen - hlen;
fin->fin_dp = (char *)ip + hlen;
v = fin->fin_v;
if (v == 4)
frpr_ipv4hdr(fin);
#ifdef USE_INET6
else if (v == 6) {
if (frpr_ipv6hdr(fin) == -1)
return -1;
}
#endif
if (fin->fin_ip == NULL)
return -1;
return 0;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_portcheck */
/* Returns: int - 1 == port matched, 0 == port match failed */
/* Parameters: frp(I) - pointer to port check `expression' */
/* pop(I) - pointer to port number to evaluate */
/* */
/* Perform a comparison of a port number against some other(s), using a */
/* structure with compare information stored in it. */
/* ------------------------------------------------------------------------ */
static INLINE int fr_portcheck(frp, pop)
frpcmp_t *frp;
u_short *pop;
{
u_short tup, po;
int err = 1;
tup = *pop;
po = frp->frp_port;
/*
* Do opposite test to that required and continue if that succeeds.
*/
switch (frp->frp_cmp)
{
case FR_EQUAL :
if (tup != po) /* EQUAL */
err = 0;
break;
case FR_NEQUAL :
if (tup == po) /* NOTEQUAL */
err = 0;
break;
case FR_LESST :
if (tup >= po) /* LESSTHAN */
err = 0;
break;
case FR_GREATERT :
if (tup <= po) /* GREATERTHAN */
err = 0;
break;
case FR_LESSTE :
if (tup > po) /* LT or EQ */
err = 0;
break;
case FR_GREATERTE :
if (tup < po) /* GT or EQ */
err = 0;
break;
case FR_OUTRANGE :
if (tup >= po && tup <= frp->frp_top) /* Out of range */
err = 0;
break;
case FR_INRANGE :
if (tup <= po || tup >= frp->frp_top) /* In range */
err = 0;
break;
case FR_INCRANGE :
if (tup < po || tup > frp->frp_top) /* Inclusive range */
err = 0;
break;
default :
break;
}
return err;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_tcpudpchk */
/* Returns: int - 1 == protocol matched, 0 == check failed */
/* Parameters: fin(I) - pointer to packet information */
/* ft(I) - pointer to structure with comparison data */
/* */
/* Compares the current pcket (assuming it is TCP/UDP) information with a */
/* structure containing information that we want to match against. */
/* ------------------------------------------------------------------------ */
int fr_tcpudpchk(fin, ft)
fr_info_t *fin;
frtuc_t *ft;
{
int err = 1;
/*
* Both ports should *always* be in the first fragment.
* So far, I cannot find any cases where they can not be.
*
* compare destination ports
*/
if (ft->ftu_dcmp)
err = fr_portcheck(&ft->ftu_dst, &fin->fin_dport);
/*
* compare source ports
*/
if (err && ft->ftu_scmp)
err = fr_portcheck(&ft->ftu_src, &fin->fin_sport);
/*
* If we don't have all the TCP/UDP header, then how can we
* expect to do any sort of match on it ? If we were looking for
* TCP flags, then NO match. If not, then match (which should
* satisfy the "short" class too).
*/
if (err && (fin->fin_p == IPPROTO_TCP)) {
if (fin->fin_flx & FI_SHORT)
return !(ft->ftu_tcpf | ft->ftu_tcpfm);
/*
* Match the flags ? If not, abort this match.
*/
if (ft->ftu_tcpfm &&
ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
ft->ftu_tcpfm, ft->ftu_tcpf));
err = 0;
}
}
return err;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_ipfcheck */
/* Returns: int - 0 == match, 1 == no match */
/* Parameters: fin(I) - pointer to packet information */
/* fr(I) - pointer to filter rule */
/* portcmp(I) - flag indicating whether to attempt matching on */
/* TCP/UDP port data. */
/* */
/* Check to see if a packet matches an IPFilter rule. Checks of addresses, */
/* port numbers, etc, for "standard" IPFilter rules are all orchestrated in */
/* this function. */
/* ------------------------------------------------------------------------ */
static INLINE int fr_ipfcheck(fin, fr, portcmp)
fr_info_t *fin;
frentry_t *fr;
int portcmp;
{
u_32_t *ld, *lm, *lip;
fripf_t *fri;
fr_ip_t *fi;
int i;
ipf_stack_t *ifs = fin->fin_ifs;
fi = &fin->fin_fi;
fri = fr->fr_ipf;
lip = (u_32_t *)fi;
lm = (u_32_t *)&fri->fri_mip;
ld = (u_32_t *)&fri->fri_ip;
/*
* first 32 bits to check coversion:
* IP version, TOS, TTL, protocol
*/
i = ((*lip & *lm) != *ld);
FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
if (i)
return 1;
/*
* Next 32 bits is a constructed bitmask indicating which IP options
* are present (if any) in this packet.
*/
lip++, lm++, ld++;
i |= ((*lip & *lm) != *ld);
FR_DEBUG(("1. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
if (i)
return 1;
lip++, lm++, ld++;
/*
* Unrolled loops (4 each, for 32 bits) for address checks.
*/
/*
* Check the source address.
*/
#ifdef IPFILTER_LOOKUP
if (fr->fr_satype == FRI_LOOKUP) {
i = (*fr->fr_srcfunc)(fr->fr_srcptr, fi->fi_v, lip, ifs);
if (i == -1)
return 1;
lip += 3;
lm += 3;
ld += 3;
} else {
#endif
i = ((*lip & *lm) != *ld);
FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
if (fi->fi_v == 6) {
lip++, lm++, ld++;
i |= ((*lip & *lm) != *ld);
FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
lip++, lm++, ld++;
i |= ((*lip & *lm) != *ld);
FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
lip++, lm++, ld++;
i |= ((*lip & *lm) != *ld);
FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
} else {
lip += 3;
lm += 3;
ld += 3;
}
#ifdef IPFILTER_LOOKUP
}
#endif
i ^= (fr->fr_flags & FR_NOTSRCIP) >> 6;
if (i)
return 1;
/*
* Check the destination address.
*/
lip++, lm++, ld++;
#ifdef IPFILTER_LOOKUP
if (fr->fr_datype == FRI_LOOKUP) {
i = (*fr->fr_dstfunc)(fr->fr_dstptr, fi->fi_v, lip, ifs);
if (i == -1)
return 1;
lip += 3;
lm += 3;
ld += 3;
} else {
#endif
i = ((*lip & *lm) != *ld);
FR_DEBUG(("3a. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
if (fi->fi_v == 6) {
lip++, lm++, ld++;
i |= ((*lip & *lm) != *ld);
FR_DEBUG(("3b. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
lip++, lm++, ld++;
i |= ((*lip & *lm) != *ld);
FR_DEBUG(("3c. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
lip++, lm++, ld++;
i |= ((*lip & *lm) != *ld);
FR_DEBUG(("3d. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
} else {
lip += 3;
lm += 3;
ld += 3;
}
#ifdef IPFILTER_LOOKUP
}
#endif
i ^= (fr->fr_flags & FR_NOTDSTIP) >> 7;
if (i)
return 1;
/*
* IP addresses matched. The next 32bits contains:
* mast of old IP header security & authentication bits.
*/
lip++, lm++, ld++;
i |= ((*lip & *lm) != *ld);
FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
/*
* Next we have 32 bits of packet flags.
*/
lip++, lm++, ld++;
i |= ((*lip & *lm) != *ld);
FR_DEBUG(("5. %#08x & %#08x != %#08x\n",
*lip, *lm, *ld));
if (i == 0) {
/*
* If a fragment, then only the first has what we're
* looking for here...
*/
if (portcmp) {
if (!fr_tcpudpchk(fin, &fr->fr_tuc))
i = 1;
} else {
if (fr->fr_dcmp || fr->fr_scmp ||
fr->fr_tcpf || fr->fr_tcpfm)
i = 1;
if (fr->fr_icmpm || fr->fr_icmp) {
if (((fi->fi_p != IPPROTO_ICMP) &&
(fi->fi_p != IPPROTO_ICMPV6)) ||
fin->fin_off || (fin->fin_dlen < 2))
i = 1;
else if ((fin->fin_data[0] & fr->fr_icmpm) !=
fr->fr_icmp) {
FR_DEBUG(("i. %#x & %#x != %#x\n",
fin->fin_data[0],
fr->fr_icmpm, fr->fr_icmp));
i = 1;
}
}
}
}
return i;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_scanlist */
/* Returns: int - result flags of scanning filter list */
/* Parameters: fin(I) - pointer to packet information */
/* pass(I) - default result to return for filtering */
/* */
/* Check the input/output list of rules for a match to the current packet. */
/* If a match is found, the value of fr_flags from the rule becomes the */
/* return value and fin->fin_fr points to the matched rule. */
/* */
/* This function may be called recusively upto 16 times (limit inbuilt.) */
/* When unwinding, it should finish up with fin_depth as 0. */
/* */
/* Could be per interface, but this gets real nasty when you don't have, */
/* or can't easily change, the kernel source code to . */
/* ------------------------------------------------------------------------ */
int fr_scanlist(fin, pass)
fr_info_t *fin;
u_32_t pass;
{
int rulen, portcmp, off, logged, skip;
struct frentry *fr, *fnext;
u_32_t passt, passo;
ipf_stack_t *ifs = fin->fin_ifs;
/*
* Do not allow nesting deeper than 16 levels.
*/
if (fin->fin_depth >= 16)
return pass;
fr = fin->fin_fr;
/*
* If there are no rules in this list, return now.
*/
if (fr == NULL)
return pass;
skip = 0;
logged = 0;
portcmp = 0;
fin->fin_depth++;
fin->fin_fr = NULL;
off = fin->fin_off;
if ((fin->fin_flx & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
portcmp = 1;
for (rulen = 0; fr; fr = fnext, rulen++) {
fnext = fr->fr_next;
if (skip != 0) {
FR_VERBOSE(("%d (%#x)\n", skip, fr->fr_flags));
skip--;
continue;
}
/*
* In all checks below, a null (zero) value in the
* filter struture is taken to mean a wildcard.
*
* check that we are working for the right interface
*/
#ifdef _KERNEL
if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
continue;
#else
if (opts & (OPT_VERBOSE|OPT_DEBUG))
printf("\n");
FR_VERBOSE(("%c", FR_ISSKIP(pass) ? 's' :
FR_ISPASS(pass) ? 'p' :
FR_ISACCOUNT(pass) ? 'A' :
FR_ISAUTH(pass) ? 'a' :
(pass & FR_NOMATCH) ? 'n' :'b'));
if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
continue;
FR_VERBOSE((":i"));
#endif
switch (fr->fr_type)
{
case FR_T_IPF :
case FR_T_IPF|FR_T_BUILTIN :
if (fr_ipfcheck(fin, fr, portcmp))
continue;
break;
#if defined(IPFILTER_BPF)
case FR_T_BPFOPC :
case FR_T_BPFOPC|FR_T_BUILTIN :
{
u_char *mc;
if (*fin->fin_mp == NULL)
continue;
if (fin->fin_v != fr->fr_v)
continue;
mc = (u_char *)fin->fin_m;
if (!bpf_filter(fr->fr_data, mc, fin->fin_plen, 0))
continue;
break;
}
#endif
case FR_T_CALLFUNC|FR_T_BUILTIN :
{
frentry_t *f;
f = (*fr->fr_func)(fin, &pass);
if (f != NULL)
fr = f;
else
continue;
break;
}
default :
break;
}
if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
if (fin->fin_nattag == NULL)
continue;
if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) == 0)
continue;
}
FR_VERBOSE(("=%s.%d *", fr->fr_group, rulen));
passt = fr->fr_flags;
/*
* Allowing a rule with the "keep state" flag set to match
* packets that have been tagged "out of window" by the TCP
* state tracking is foolish as the attempt to add a new
* state entry to the table will fail.
*/
if ((passt & FR_KEEPSTATE) && (fin->fin_flx & FI_OOW))
continue;
/*
* If the rule is a "call now" rule, then call the function
* in the rule, if it exists and use the results from that.
* If the function pointer is bad, just make like we ignore
* it, except for increasing the hit counter.
*/
if ((passt & FR_CALLNOW) != 0) {
ATOMIC_INC64(fr->fr_hits);
if ((fr->fr_func != NULL) &&
(fr->fr_func != (ipfunc_t)-1)) {
frentry_t *frs;
frs = fin->fin_fr;
fin->fin_fr = fr;
fr = (*fr->fr_func)(fin, &passt);
if (fr == NULL) {
fin->fin_fr = frs;
continue;
}
passt = fr->fr_flags;
fin->fin_fr = fr;
}
} else {
fin->fin_fr = fr;
}
#ifdef IPFILTER_LOG
/*
* Just log this packet...
*/
if ((passt & FR_LOGMASK) == FR_LOG) {
if (ipflog(fin, passt) == -1) {
if (passt & FR_LOGORBLOCK) {
passt &= ~FR_CMDMASK;
passt |= FR_BLOCK|FR_QUICK;
}
ATOMIC_INCL(ifs->ifs_frstats[fin->fin_out].fr_skip);
}
ATOMIC_INCL(ifs->ifs_frstats[fin->fin_out].fr_pkl);
logged = 1;
}
#endif /* IPFILTER_LOG */
fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
passo = pass;
if (FR_ISSKIP(passt))
skip = fr->fr_arg;
else if ((passt & FR_LOGMASK) != FR_LOG)
pass = passt;
if (passt & (FR_RETICMP|FR_FAKEICMP))
fin->fin_icode = fr->fr_icode;
FR_DEBUG(("pass %#x\n", pass));
ATOMIC_INC64(fr->fr_hits);
fin->fin_rule = rulen;
(void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
if (fr->fr_grp != NULL) {
fin->fin_fr = *fr->fr_grp;
pass = fr_scanlist(fin, pass);
if (fin->fin_fr == NULL) {
fin->fin_rule = rulen;
(void) strncpy(fin->fin_group, fr->fr_group,
FR_GROUPLEN);
fin->fin_fr = fr;
}
if (fin->fin_flx & FI_DONTCACHE)
logged = 1;
}
if (pass & FR_QUICK) {
/*
* Finally, if we've asked to track state for this
* packet, set it up. Add state for "quick" rules
* here so that if the action fails we can consider
* the rule to "not match" and keep on processing
* filter rules.
*/
if ((pass & FR_KEEPSTATE) &&
!(fin->fin_flx & FI_STATE)) {
int out = fin->fin_out;
if (fr_addstate(fin, NULL, 0) != NULL) {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_ads);
} else {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_bads);
pass = passo;
continue;
}
}
break;
}
}
if (logged)
fin->fin_flx |= FI_DONTCACHE;
fin->fin_depth--;
return pass;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_acctpkt */
/* Returns: frentry_t* - always returns NULL */
/* Parameters: fin(I) - pointer to packet information */
/* passp(IO) - pointer to current/new filter decision (unused) */
/* */
/* Checks a packet against accounting rules, if there are any for the given */
/* IP protocol version. */
/* */
/* N.B.: this function returns NULL to match the prototype used by other */
/* functions called from the IPFilter "mainline" in fr_check(). */
/* ------------------------------------------------------------------------ */
frentry_t *fr_acctpkt(fin, passp)
fr_info_t *fin;
u_32_t *passp;
{
char group[FR_GROUPLEN];
frentry_t *fr, *frsave;
u_32_t pass, rulen;
ipf_stack_t *ifs = fin->fin_ifs;
passp = passp;
#ifdef USE_INET6
if (fin->fin_v == 6)
fr = ifs->ifs_ipacct6[fin->fin_out][ifs->ifs_fr_active];
else
#endif
fr = ifs->ifs_ipacct[fin->fin_out][ifs->ifs_fr_active];
if (fr != NULL) {
frsave = fin->fin_fr;
bcopy(fin->fin_group, group, FR_GROUPLEN);
rulen = fin->fin_rule;
fin->fin_fr = fr;
pass = fr_scanlist(fin, FR_NOMATCH);
if (FR_ISACCOUNT(pass)) {
ATOMIC_INCL(ifs->ifs_frstats[0].fr_acct);
}
fin->fin_fr = frsave;
bcopy(group, fin->fin_group, FR_GROUPLEN);
fin->fin_rule = rulen;
}
return NULL;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_firewall */
/* Returns: frentry_t* - returns pointer to matched rule, if no matches */
/* were found, returns NULL. */
/* Parameters: fin(I) - pointer to packet information */
/* passp(IO) - pointer to current/new filter decision (unused) */
/* */
/* Applies an appropriate set of firewall rules to the packet, to see if */
/* there are any matches. The first check is to see if a match can be seen */
/* in the cache. If not, then search an appropriate list of rules. Once a */
/* matching rule is found, take any appropriate actions as defined by the */
/* rule - except logging. */
/* ------------------------------------------------------------------------ */
static frentry_t *fr_firewall(fin, passp)
fr_info_t *fin;
u_32_t *passp;
{
frentry_t *fr;
fr_info_t *fc;
u_32_t pass;
int out;
ipf_stack_t *ifs = fin->fin_ifs;
out = fin->fin_out;
pass = *passp;
/*
* If a packet is found in the auth table, then skip checking
* the access lists for permission but we do need to consider
* the result as if it were from the ACL's.
*/
fc = &ifs->ifs_frcache[out][CACHE_HASH(fin)];
READ_ENTER(&ifs->ifs_ipf_frcache);
if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
/*
* copy cached data so we can unlock the mutexes earlier.
*/
bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
ATOMIC_INCL(ifs->ifs_frstats[out].fr_chit);
if ((fr = fin->fin_fr) != NULL) {
ATOMIC_INC64(fr->fr_hits);
pass = fr->fr_flags;
}
} else {
RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
#ifdef USE_INET6
if (fin->fin_v == 6)
fin->fin_fr = ifs->ifs_ipfilter6[out][ifs->ifs_fr_active];
else
#endif
fin->fin_fr = ifs->ifs_ipfilter[out][ifs->ifs_fr_active];
if (fin->fin_fr != NULL)
pass = fr_scanlist(fin, ifs->ifs_fr_pass);
if (((pass & FR_KEEPSTATE) == 0) &&
((fin->fin_flx & FI_DONTCACHE) == 0)) {
WRITE_ENTER(&ifs->ifs_ipf_frcache);
bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
}
if ((pass & FR_NOMATCH)) {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_nom);
}
fr = fin->fin_fr;
}
/*
* Apply packets per second rate-limiting to a rule as required.
*/
if ((fr != NULL) && (fr->fr_pps != 0) &&
!ppsratecheck(&fr->fr_lastpkt, &fr->fr_curpps, fr->fr_pps)) {
pass &= ~(FR_CMDMASK|FR_DUP|FR_RETICMP|FR_RETRST);
pass |= FR_BLOCK;
ATOMIC_INCL(ifs->ifs_frstats[out].fr_ppshit);
}
/*
* If we fail to add a packet to the authorization queue, then we
* drop the packet later. However, if it was added then pretend
* we've dropped it already.
*/
if (FR_ISAUTH(pass)) {
if (fr_newauth(fin->fin_m, fin) != 0) {
#ifdef _KERNEL
fin->fin_m = *fin->fin_mp = NULL;
#else
;
#endif
fin->fin_error = 0;
} else
fin->fin_error = ENOSPC;
}
if ((fr != NULL) && (fr->fr_func != NULL) &&
(fr->fr_func != (ipfunc_t)-1) && !(pass & FR_CALLNOW))
(void) (*fr->fr_func)(fin, &pass);
/*
* If a rule is a pre-auth rule, check again in the list of rules
* loaded for authenticated use. It does not particulary matter
* if this search fails because a "preauth" result, from a rule,
* is treated as "not a pass", hence the packet is blocked.
*/
if (FR_ISPREAUTH(pass)) {
if ((fin->fin_fr = ifs->ifs_ipauth) != NULL)
pass = fr_scanlist(fin, ifs->ifs_fr_pass);
}
/*
* If the rule has "keep frag" and the packet is actually a fragment,
* then create a fragment state entry.
*/
if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
if (fin->fin_flx & FI_FRAG) {
if (fr_newfrag(fin, pass) == -1) {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_bnfr);
} else {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_nfr);
}
} else {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_cfr);
}
}
/*
* Finally, if we've asked to track state for this packet, set it up.
*/
if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
if (fr_addstate(fin, NULL, 0) != NULL) {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_ads);
} else {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_bads);
if (FR_ISPASS(pass)) {
pass &= ~FR_CMDMASK;
pass |= FR_BLOCK;
}
}
}
fr = fin->fin_fr;
if (passp != NULL)
*passp = pass;
return fr;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_check */
/* Returns: int - 0 == packet allowed through, */
/* User space: */
/* -1 == packet blocked */
/* 1 == packet not matched */
/* -2 == requires authentication */
/* Kernel: */
/* > 0 == filter error # for packet */
/* Parameters: ip(I) - pointer to start of IPv4/6 packet */
/* hlen(I) - length of header */
/* ifp(I) - pointer to interface this packet is on */
/* out(I) - 0 == packet going in, 1 == packet going out */
/* mp(IO) - pointer to caller's buffer pointer that holds this */
/* IP packet. */
/* Solaris & HP-UX ONLY : */
/* qpi(I) - pointer to STREAMS queue information for this */
/* interface & direction. */
/* */
/* fr_check() is the master function for all IPFilter packet processing. */
/* It orchestrates: Network Address Translation (NAT), checking for packet */
/* authorisation (or pre-authorisation), presence of related state info., */
/* generating log entries, IP packet accounting, routing of packets as */
/* directed by firewall rules and of course whether or not to allow the */
/* packet to be further processed by the kernel. */
/* */
/* For packets blocked, the contents of "mp" will be NULL'd and the buffer */
/* freed. Packets passed may be returned with the pointer pointed to by */
/* by "mp" changed to a new buffer. */
/* ------------------------------------------------------------------------ */
int fr_check(ip, hlen, ifp, out
#if defined(_KERNEL) && defined(MENTAT)
, qif, mp, ifs)
void *qif;
#else
, mp, ifs)
#endif
mb_t **mp;
ip_t *ip;
int hlen;
void *ifp;
int out;
ipf_stack_t *ifs;
{
/*
* The above really sucks, but short of writing a diff
*/
fr_info_t frinfo;
fr_info_t *fin = &frinfo;
u_32_t pass;
frentry_t *fr = NULL;
int v = IP_V(ip);
mb_t *mc = NULL;
mb_t *m;
#ifdef USE_INET6
ip6_t *ip6;
#endif
#ifdef _KERNEL
# ifdef MENTAT
qpktinfo_t *qpi = qif;
#endif
#endif
SPL_INT(s);
pass = ifs->ifs_fr_pass;
/*
* The first part of fr_check() deals with making sure that what goes
* into the filtering engine makes some sense. Information about the
* the packet is distilled, collected into a fr_info_t structure and
* the an attempt to ensure the buffer the packet is in is big enough
* to hold all the required packet headers.
*/
#ifdef _KERNEL
# ifdef MENTAT
if (!OK_32PTR(ip))
return 2;
# endif
READ_ENTER(&ifs->ifs_ipf_global);
if (ifs->ifs_fr_running <= 0) {
RWLOCK_EXIT(&ifs->ifs_ipf_global);
return 0;
}
bzero((char *)fin, sizeof(*fin));
# ifdef MENTAT
if (qpi->qpi_flags & QPI_NOCKSUM)
fin->fin_flx |= FI_NOCKSUM;
m = qpi->qpi_m;
fin->fin_qfm = m;
fin->fin_qpi = qpi;
# else /* MENTAT */
m = *mp;
# if defined(M_MCAST)
if ((m->m_flags & M_MCAST) != 0)
fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
# endif
# if defined(M_MLOOP)
if ((m->m_flags & M_MLOOP) != 0)
fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
# endif
# if defined(M_BCAST)
if ((m->m_flags & M_BCAST) != 0)
fin->fin_flx |= FI_MBCAST|FI_BROADCAST;
# endif
# ifdef M_CANFASTFWD
/*
* XXX For now, IP Filter and fast-forwarding of cached flows
* XXX are mutually exclusive. Eventually, IP Filter should
* XXX get a "can-fast-forward" filter rule.
*/
m->m_flags &= ~M_CANFASTFWD;
# endif /* M_CANFASTFWD */
# ifdef CSUM_DELAY_DATA
/*
* disable delayed checksums.
*/
if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
in_delayed_cksum(m);
m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
}
# endif /* CSUM_DELAY_DATA */
# endif /* MENTAT */
#else
READ_ENTER(&ifs->ifs_ipf_global);
bzero((char *)fin, sizeof(*fin));
m = *mp;
#endif /* _KERNEL */
fin->fin_v = v;
fin->fin_m = m;
fin->fin_ip = ip;
fin->fin_mp = mp;
fin->fin_out = out;
fin->fin_ifp = ifp;
fin->fin_error = ENETUNREACH;
fin->fin_hlen = (u_short)hlen;
fin->fin_dp = (char *)ip + hlen;
fin->fin_ipoff = (char *)ip - MTOD(m, char *);
fin->fin_ifs = ifs;
SPL_NET(s);
#ifdef USE_INET6
if (v == 6) {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_ipv6);
/*
* Jumbo grams are quite likely too big for internal buffer
* structures to handle comfortably, for now, so just drop
* them.
*/
ip6 = (ip6_t *)ip;
fin->fin_plen = ntohs(ip6->ip6_plen);
if (fin->fin_plen == 0) {
READ_ENTER(&ifs->ifs_ipf_mutex);
pass = FR_BLOCK|FR_NOMATCH;
goto filtered;
}
fin->fin_plen += sizeof(ip6_t);
} else
#endif
{
#if (OpenBSD >= 200311) && defined(_KERNEL)
ip->ip_len = ntohs(ip->ip_len);
ip->ip_off = ntohs(ip->ip_off);
#endif
fin->fin_plen = ip->ip_len;
}
if (fr_makefrip(hlen, ip, fin) == -1) {
READ_ENTER(&ifs->ifs_ipf_mutex);
pass = FR_BLOCK;
goto filtered;
}
/*
* For at least IPv6 packets, if a m_pullup() fails then this pointer
* becomes NULL and so we have no packet to free.
*/
if (*fin->fin_mp == NULL)
goto finished;
if (!out) {
if (v == 4) {
#ifdef _KERNEL
if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) {
ATOMIC_INCL(ifs->ifs_frstats[0].fr_badsrc);
fin->fin_flx |= FI_BADSRC;
}
#endif
if (fin->fin_ip->ip_ttl < ifs->ifs_fr_minttl) {
ATOMIC_INCL(ifs->ifs_frstats[0].fr_badttl);
fin->fin_flx |= FI_LOWTTL;
}
}
#ifdef USE_INET6
else if (v == 6) {
ip6 = (ip6_t *)ip;
#ifdef _KERNEL
if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) {
ATOMIC_INCL(ifs->ifs_frstats[0].fr_badsrc);
fin->fin_flx |= FI_BADSRC;
}
#endif
if (ip6->ip6_hlim < ifs->ifs_fr_minttl) {
ATOMIC_INCL(ifs->ifs_frstats[0].fr_badttl);
fin->fin_flx |= FI_LOWTTL;
}
}
#endif
}
if (fin->fin_flx & FI_SHORT) {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_short);
}
READ_ENTER(&ifs->ifs_ipf_mutex);
/*
* Check auth now. This, combined with the check below to see if apass
* is 0 is to ensure that we don't count the packet twice, which can
* otherwise occur when we reprocess it. As it is, we only count it
* after it has no auth. table matchup. This also stops NAT from
* occuring until after the packet has been auth'd.
*/
fr = fr_checkauth(fin, &pass);
if (!out) {
if (fr_checknatin(fin, &pass) == -1) {
RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
goto finished;
}
}
if (!out)
(void) fr_acctpkt(fin, NULL);
if (fr == NULL)
if ((fin->fin_flx & (FI_FRAG|FI_BAD)) == FI_FRAG)
fr = fr_knownfrag(fin, &pass);
if (fr == NULL)
fr = fr_checkstate(fin, &pass);
if ((pass & FR_NOMATCH) || (fr == NULL))
fr = fr_firewall(fin, &pass);
fin->fin_fr = fr;
/*
* Only count/translate packets which will be passed on, out the
* interface.
*/
if (out && FR_ISPASS(pass)) {
(void) fr_acctpkt(fin, NULL);
if (fr_checknatout(fin, &pass) == -1) {
RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
goto finished;
} else if ((ifs->ifs_fr_update_ipid != 0) && (v == 4)) {
if (fr_updateipid(fin) == -1) {
ATOMIC_INCL(ifs->ifs_frstats[1].fr_ipud);
pass &= ~FR_CMDMASK;
pass |= FR_BLOCK;
} else {
ATOMIC_INCL(ifs->ifs_frstats[0].fr_ipud);
}
}
}
#ifdef IPFILTER_LOG
if ((ifs->ifs_fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
(void) fr_dolog(fin, &pass);
}
#endif
if (fin->fin_state != NULL)
fr_statederef(fin, (ipstate_t **)&fin->fin_state, ifs);
if (fin->fin_nat != NULL)
fr_natderef((nat_t **)&fin->fin_nat, ifs);
/*
* Only allow FR_DUP to work if a rule matched - it makes no sense to
* set FR_DUP as a "default" as there are no instructions about where
* to send the packet. Use fin_m here because it may have changed
* (without an update of 'm') in prior processing.
*/
if ((fr != NULL) && (pass & FR_DUP)) {
mc = M_DUPLICATE(fin->fin_m);
}
if (pass & (FR_RETRST|FR_RETICMP)) {
/*
* Should we return an ICMP packet to indicate error
* status passing through the packet filter ?
* WARNING: ICMP error packets AND TCP RST packets should
* ONLY be sent in repsonse to incoming packets. Sending them
* in response to outbound packets can result in a panic on
* some operating systems.
*/
if (!out) {
if (pass & FR_RETICMP) {
int dst;
if ((pass & FR_RETMASK) == FR_FAKEICMP)
dst = 1;
else
dst = 0;
(void) fr_send_icmp_err(ICMP_UNREACH, fin, dst);
ATOMIC_INCL(ifs->ifs_frstats[0].fr_ret);
} else if (((pass & FR_RETMASK) == FR_RETRST) &&
!(fin->fin_flx & FI_SHORT)) {
if (fr_send_reset(fin) == 0) {
ATOMIC_INCL(ifs->ifs_frstats[1].fr_ret);
}
}
} else {
if (pass & FR_RETRST)
fin->fin_error = ECONNRESET;
}
}
/*
* If we didn't drop off the bottom of the list of rules (and thus
* the 'current' rule fr is not NULL), then we may have some extra
* instructions about what to do with a packet.
* Once we're finished return to our caller, freeing the packet if
* we are dropping it (* BSD ONLY *).
* Reassign m from fin_m as we may have a new buffer, now.
*/
filtered:
m = fin->fin_m;
if (fr != NULL) {
frdest_t *fdp;
fdp = &fr->fr_tifs[fin->fin_rev];
if (!out && (pass & FR_FASTROUTE)) {
/*
* For fastroute rule, no destioation interface defined
* so pass NULL as the frdest_t parameter
*/
(void) fr_fastroute(m, mp, fin, NULL);
m = *mp = NULL;
} else if ((fdp->fd_ifp != NULL) &&
(fdp->fd_ifp != (struct ifnet *)-1)) {
/* this is for to rules: */
(void) fr_fastroute(m, mp, fin, fdp);
m = *mp = NULL;
}
/*
* Generate a duplicated packet.
*/
if (mc != NULL)
(void) fr_fastroute(mc, &mc, fin, &fr->fr_dif);
}
/*
* This late because the likes of fr_fastroute() use fin_fr.
*/
RWLOCK_EXIT(&ifs->ifs_ipf_mutex);
finished:
if (!FR_ISPASS(pass)) {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_block);
if (*mp != NULL) {
FREE_MB_T(*mp);
m = *mp = NULL;
}
} else {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_pass);
#if defined(_KERNEL) && defined(__sgi)
if ((fin->fin_hbuf != NULL) &&
(mtod(fin->fin_m, struct ip *) != fin->fin_ip)) {
COPYBACK(m, 0, fin->fin_plen, fin->fin_hbuf);
}
#endif
}
SPL_X(s);
RWLOCK_EXIT(&ifs->ifs_ipf_global);
#ifdef _KERNEL
# if OpenBSD >= 200311
if (FR_ISPASS(pass) && (v == 4)) {
ip = fin->fin_ip;
ip->ip_len = ntohs(ip->ip_len);
ip->ip_off = ntohs(ip->ip_off);
}
# endif
return (FR_ISPASS(pass)) ? 0 : fin->fin_error;
#else /* _KERNEL */
FR_VERBOSE(("fin_flx %#x pass %#x ", fin->fin_flx, pass));
if ((pass & FR_NOMATCH) != 0)
return 1;
if ((pass & FR_RETMASK) != 0)
switch (pass & FR_RETMASK)
{
case FR_RETRST :
return 3;
case FR_RETICMP :
return 4;
case FR_FAKEICMP :
return 5;
}
switch (pass & FR_CMDMASK)
{
case FR_PASS :
return 0;
case FR_BLOCK :
return -1;
case FR_AUTH :
return -2;
case FR_ACCOUNT :
return -3;
case FR_PREAUTH :
return -4;
}
return 2;
#endif /* _KERNEL */
}
#ifdef IPFILTER_LOG
/* ------------------------------------------------------------------------ */
/* Function: fr_dolog */
/* Returns: frentry_t* - returns contents of fin_fr (no change made) */
/* Parameters: fin(I) - pointer to packet information */
/* passp(IO) - pointer to current/new filter decision (unused) */
/* */
/* Checks flags set to see how a packet should be logged, if it is to be */
/* logged. Adjust statistics based on its success or not. */
/* ------------------------------------------------------------------------ */
frentry_t *fr_dolog(fin, passp)
fr_info_t *fin;
u_32_t *passp;
{
u_32_t pass;
int out;
ipf_stack_t *ifs = fin->fin_ifs;
out = fin->fin_out;
pass = *passp;
if ((ifs->ifs_fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
pass |= FF_LOGNOMATCH;
ATOMIC_INCL(ifs->ifs_frstats[out].fr_npkl);
goto logit;
} else if (((pass & FR_LOGMASK) == FR_LOGP) ||
(FR_ISPASS(pass) && (ifs->ifs_fr_flags & FF_LOGPASS))) {
if ((pass & FR_LOGMASK) != FR_LOGP)
pass |= FF_LOGPASS;
ATOMIC_INCL(ifs->ifs_frstats[out].fr_ppkl);
goto logit;
} else if (((pass & FR_LOGMASK) == FR_LOGB) ||
(FR_ISBLOCK(pass) && (ifs->ifs_fr_flags & FF_LOGBLOCK))) {
if ((pass & FR_LOGMASK) != FR_LOGB)
pass |= FF_LOGBLOCK;
ATOMIC_INCL(ifs->ifs_frstats[out].fr_bpkl);
logit:
if (ipflog(fin, pass) == -1) {
ATOMIC_INCL(ifs->ifs_frstats[out].fr_skip);
/*
* If the "or-block" option has been used then
* block the packet if we failed to log it.
*/
if ((pass & FR_LOGORBLOCK) &&
FR_ISPASS(pass)) {
pass &= ~FR_CMDMASK;
pass |= FR_BLOCK;
}
}
*passp = pass;
}
return fin->fin_fr;
}
#endif /* IPFILTER_LOG */
/* ------------------------------------------------------------------------ */
/* Function: ipf_cksum */
/* Returns: u_short - IP header checksum */
/* Parameters: addr(I) - pointer to start of buffer to checksum */
/* len(I) - length of buffer in bytes */
/* */
/* Calculate the two's complement 16 bit checksum of the buffer passed. */
/* */
/* N.B.: addr should be 16bit aligned. */
/* ------------------------------------------------------------------------ */
u_short ipf_cksum(addr, len)
u_short *addr;
int len;
{
u_32_t sum = 0;
for (sum = 0; len > 1; len -= 2)
sum += *addr++;
/* mop up an odd byte, if necessary */
if (len == 1)
sum += *(u_char *)addr;
/*
* add back carry outs from top 16 bits to low 16 bits
*/
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
return (u_short)(~sum);
}
/* ------------------------------------------------------------------------ */
/* Function: fr_cksum */
/* Returns: u_short - layer 4 checksum */
/* Parameters: m(I ) - pointer to buffer holding packet */
/* ip(I) - pointer to IP header */
/* l4proto(I) - protocol to caclulate checksum for */
/* l4hdr(I) - pointer to layer 4 header */
/* */
/* Calculates the TCP checksum for the packet held in "m", using the data */
/* in the IP header "ip" to seed it. */
/* */
/* NB: This function assumes we've pullup'd enough for all of the IP header */
/* and the TCP header. We also assume that data blocks aren't allocated in */
/* odd sizes. */
/* */
/* Expects ip_len to be in host byte order when called. */
/* ------------------------------------------------------------------------ */
u_short fr_cksum(m, ip, l4proto, l4hdr)
mb_t *m;
ip_t *ip;
int l4proto;
void *l4hdr;
{
u_short *sp, slen, sumsave, l4hlen, *csump;
u_int sum, sum2;
int hlen;
#ifdef USE_INET6
ip6_t *ip6;
#endif
csump = NULL;
sumsave = 0;
l4hlen = 0;
sp = NULL;
slen = 0;
hlen = 0;
sum = 0;
/*
* Add up IP Header portion
*/
#ifdef USE_INET6
if (IP_V(ip) == 4) {
#endif
hlen = IP_HL(ip) << 2;
slen = ip->ip_len - hlen;
sum = htons