ip_auth.c source code [src/src/sys/external/bsd/ipf/netinet/ip_auth.c]

1	/ $NetBSD: ip_auth.c,v 1.5 2014/05/30 02:16:17 rmind Exp $ /
2
3	/*
4	* Copyright (C) 2012 by Darren Reed.
5	*
6	* See the IPFILTER.LICENCE file for details on licencing.
7	*/
8	#if defined(KERNEL) \|\| defined(_KERNEL)
9	# undef KERNEL
10	# undef _KERNEL
11	# define KERNEL 1
12	# define _KERNEL 1
13	#endif
14	#if defined(__NetBSD__)
15	#include <sys/cdefs.h>
16	#endif
17	#include <sys/errno.h>
18	#include <sys/types.h>
19	#include <sys/param.h>
20	#include <sys/time.h>
21	#include <sys/file.h>
22	#if !defined(_KERNEL)
23	# include <stdio.h>
24	# include <stdlib.h>
25	# ifdef _STDC_C99
26	# include <stdbool.h>
27	# endif
28	# include <string.h>
29	# define _KERNEL
30	# ifdef __OpenBSD__
31	struct file;
32	# endif
33	# include <sys/uio.h>
34	# undef _KERNEL
35	#endif
36	#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
37	# include <sys/filio.h>
38	# include <sys/fcntl.h>
39	#else
40	# include <sys/ioctl.h>
41	#endif
42	#if !defined(linux)
43	# include <sys/protosw.h>
44	#endif
45	#include <sys/socket.h>
46	#if defined(_KERNEL)
47	# include <sys/systm.h>
48	# if !defined(__SVR4) && !defined(__svr4__) && !defined(linux)
49	# include <sys/mbuf.h>
50	# endif
51	#endif
52	#if defined(__SVR4) \|\| defined(__svr4__)
53	# include <sys/filio.h>
54	# include <sys/byteorder.h>
55	# ifdef _KERNEL
56	# include <sys/dditypes.h>
57	# endif
58	# include <sys/stream.h>
59	# include <sys/kmem.h>
60	#endif
61	#if (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) \|\| \
62	(defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000))
63	# include <sys/queue.h>
64	#endif
65	#if defined(__NetBSD__) \|\| defined(__OpenBSD__) \|\| defined(bsdi)
66	# include <machine/cpu.h>
67	#endif
68	#if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
69	# include <sys/proc.h>
70	#endif
71	#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \
72	!defined(_KERNEL)
73	# include <stdbool.h>
74	#endif
75	#include <net/if.h>
76	#include <net/route.h>
77	#ifdef sun
78	# include <net/af.h>
79	#endif
80	#include <netinet/in.h>
81	#include <netinet/in_systm.h>
82	#include <netinet/ip.h>
83	#if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi)
84	# define KERNEL
85	# define _KERNEL
86	# define NOT_KERNEL
87	#endif
88	#if !defined(linux)
89	# include <netinet/ip_var.h>
90	#endif
91	#ifdef NOT_KERNEL
92	# undef _KERNEL
93	# undef KERNEL
94	#endif
95	#include <netinet/tcp.h>
96	#if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */
97	extern struct ifqueue ipintrq; / ip packet input queue /
98	#else
99	# if !defined(__hpux) && !defined(linux)
100	# if __FreeBSD_version >= 300000
101	# include <net/if_var.h>
102	# if __FreeBSD_version >= 500042
103	# define IF_QFULL _IF_QFULL
104	# define IF_DROP _IF_DROP
105	# endif /* __FreeBSD_version >= 500042 */
106	# endif
107	# include <netinet/in_var.h>
108	# include <netinet/tcp_fsm.h>
109	# endif
110	#endif
111	#include <netinet/udp.h>
112	#include <netinet/ip_icmp.h>
113	#include "netinet/ip_compat.h"
114	#include <netinet/tcpip.h>
115	#include "netinet/ip_fil.h"
116	#include "netinet/ip_auth.h"
117	#if !defined(MENTAT) && !defined(linux)
118	# include <net/netisr.h>
119	# ifdef __FreeBSD__
120	# include <machine/cpufunc.h>
121	# endif
122	#endif
123	#if (__FreeBSD_version >= 300000)
124	# include <sys/malloc.h>
125	# if defined(_KERNEL) && !defined(IPFILTER_LKM)
126	# include <sys/libkern.h>
127	# include <sys/systm.h>
128	# endif
129	#endif
130	/ END OF INCLUDES /
131
132	#if !defined(lint)
133	#if defined(__NetBSD__)
134	__KERNEL_RCSID(`0`, "$NetBSD: ip_auth.c,v 1.5 2014/05/30 02:16:17 rmind Exp $");
135	#else
136	static const char rcsid[] = "@(#)Id: ip_auth.c,v 1.1.1.2 2012/07/22 13:45:08 darrenr Exp";
137	#endif
138	#endif
139
140
141	typedef struct ipf_auth_softc_s {
142	#if SOLARIS && defined(_KERNEL)
143	kcondvar_t ipf_auth_wait;
144	#endif /* SOLARIS */
145	#if defined(linux) && defined(_KERNEL)
146	wait_queue_head_t ipf_auth_next_linux;
147	#endif
148	ipfrwlock_t ipf_authlk;
149	ipfmutex_t ipf_auth_mx;
150	int ipf_auth_size;
151	int ipf_auth_used;
152	int ipf_auth_replies;
153	int ipf_auth_defaultage;
154	int ipf_auth_lock;
155	ipf_authstat_t ipf_auth_stats;
156	frauth_t *ipf_auth;
157	mb_t **ipf_auth_pkts;
158	int ipf_auth_start;
159	int ipf_auth_end;
160	int ipf_auth_next;
161	frauthent_t *ipf_auth_entries;
162	frentry_t *ipf_auth_ip;
163	frentry_t *ipf_auth_rules;
164	} ipf_auth_softc_t;
165
166
167	static void ipf_auth_deref(frauthent_t **);
168	static void ipf_auth_deref_unlocked(ipf_auth_softc_t , frauthent_t *);
169	static int ipf_auth_geniter(ipf_main_softc_t , ipftoken_t ,
170	ipfgeniter_t , ipfobj_t );
171	static int ipf_auth_reply(ipf_main_softc_t , ipf_auth_softc_t , char *);
172	static int ipf_auth_wait(ipf_main_softc_t , ipf_auth_softc_t , char *);
173	static int ipf_auth_flush(void *);
174
175
176	/ ------------------------------------------------------------------------ /
177	/ Function: ipf_auth_main_load /
178	/ Returns: int - 0 == success, else error /
179	/ Parameters: None /
180	/ /
181	/ A null-op function that exists as a placeholder so that the flow in /
182	/ other functions is obvious. /
183	/ ------------------------------------------------------------------------ /
184	int
185	ipf_auth_main_load(void)
186	{
187	return `0`;
188	}
189
190
191	/ ------------------------------------------------------------------------ /
192	/ Function: ipf_auth_main_unload /
193	/ Returns: int - 0 == success, else error /
194	/ Parameters: None /
195	/ /
196	/ A null-op function that exists as a placeholder so that the flow in /
197	/ other functions is obvious. /
198	/ ------------------------------------------------------------------------ /
199	int
200	ipf_auth_main_unload(void)
201	{
202	return `0`;
203	}
204
205
206	/ ------------------------------------------------------------------------ /
207	/ Function: ipf_auth_soft_create /
208	/ Returns: int - NULL = failure, else success /
209	/ Parameters: softc(I) - pointer to soft context data /
210	/ /
211	/ Create a structre to store all of the run-time data for packet auth in /
212	/ and initialise some fields to their defaults. /
213	/ ------------------------------------------------------------------------ /
214	void *
215	ipf_auth_soft_create(ipf_main_softc_t *softc)
216	{
217	ipf_auth_softc_t *softa;
218
219	KMALLOC(softa, ipf_auth_softc_t *);
220	if (softa == NULL)
221	return NULL;
222
223	bzero((char )softa, sizeof(softa));
224
225	softa->ipf_auth_size = FR_NUMAUTH;
226	softa->ipf_auth_defaultage = `600`;
227
228	RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock");
229	MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex");
230	#if SOLARIS && defined(_KERNEL)
231	cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL);
232	#endif
233
234	return softa;
235	}
236
237	/ ------------------------------------------------------------------------ /
238	/ Function: ipf_auth_soft_init /
239	/ Returns: int - 0 == success, else error /
240	/ Parameters: softc(I) - pointer to soft context data /
241	/ arg(I) - opaque pointer to auth context data /
242	/ /
243	/ Allocate memory and initialise data structures used in handling auth /
244	/ rules. /
245	/ ------------------------------------------------------------------------ /
246	int
247	ipf_auth_soft_init(ipf_main_softc_t softc, void* *arg)
248	{
249	ipf_auth_softc_t *softa = arg;
250
251	KMALLOCS(softa->ipf_auth, frauth_t *,
252	softa->ipf_auth_size * sizeof(*softa->ipf_auth));
253	if (softa->ipf_auth == NULL)
254	return -`1`;
255	bzero((char *)softa->ipf_auth,
256	softa->ipf_auth_size * sizeof(*softa->ipf_auth));
257
258	KMALLOCS(softa->ipf_auth_pkts, mb_t **,
259	softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
260	if (softa->ipf_auth_pkts == NULL)
261	return -`2`;
262	bzero((char *)softa->ipf_auth_pkts,
263	softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
264
265	#if defined(linux) && defined(_KERNEL)
266	init_waitqueue_head(&softa->ipf_auth_next_linux);
267	#endif
268
269	return `0`;
270	}
271
272
273	/ ------------------------------------------------------------------------ /
274	/ Function: ipf_auth_soft_fini /
275	/ Returns: int - 0 == success, else error /
276	/ Parameters: softc(I) - pointer to soft context data /
277	/ arg(I) - opaque pointer to auth context data /
278	/ /
279	/ Free all network buffer memory used to keep saved packets that have been /
280	/ connectedd to the soft soft context structure but do not free that: it /
281	/ is free'd by _destroy(). /
282	/ ------------------------------------------------------------------------ /
283	int
284	ipf_auth_soft_fini(ipf_main_softc_t softc, void* *arg)
285	{
286	ipf_auth_softc_t *softa = arg;
287	frauthent_t fae, *faep;
288	frentry_t fr, *frp;
289	mb_t *m;
290	int i;
291
292	if (softa->ipf_auth != NULL) {
293	KFREES(softa->ipf_auth,
294	softa->ipf_auth_size * sizeof(*softa->ipf_auth));
295	softa->ipf_auth = NULL;
296	}
297
298	if (softa->ipf_auth_pkts != NULL) {
299	for (i = `0`; i < softa->ipf_auth_size; i++) {
300	m = softa->ipf_auth_pkts[i];
301	if (m != NULL) {
302	FREE_MB_T(m);
303	softa->ipf_auth_pkts[i] = NULL;
304	}
305	}
306	KFREES(softa->ipf_auth_pkts,
307	softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
308	softa->ipf_auth_pkts = NULL;
309	}
310
311	faep = &softa->ipf_auth_entries;
312	while ((fae = *faep) != NULL) {
313	*faep = fae->fae_next;
314	KFREE(fae);
315	}
316	softa->ipf_auth_ip = NULL;
317
318	if (softa->ipf_auth_rules != NULL) {
319	for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) {
320	if (fr->fr_ref == `1`) {
321	*frp = fr->fr_next;
322	MUTEX_DESTROY(&fr->fr_lock);
323	KFREE(fr);
324	} else
325	frp = &fr->fr_next;
326	}
327	}
328
329	return `0`;
330	}
331
332
333	/ ------------------------------------------------------------------------ /
334	/ Function: ipf_auth_soft_destroy /
335	/ Returns: void /
336	/ Parameters: softc(I) - pointer to soft context data /
337	/ arg(I) - opaque pointer to auth context data /
338	/ /
339	/ Undo what was done in _create() - i.e. free the soft context data. /
340	/ ------------------------------------------------------------------------ /
341	void
342	ipf_auth_soft_destroy(ipf_main_softc_t softc, void* *arg)
343	{
344	ipf_auth_softc_t *softa = arg;
345
346	# if SOLARIS && defined(_KERNEL)
347	cv_destroy(&softa->ipf_auth_wait);
348	# endif
349	MUTEX_DESTROY(&softa->ipf_auth_mx);
350	RW_DESTROY(&softa->ipf_authlk);
351
352	KFREE(softa);
353	}
354
355
356	/ ------------------------------------------------------------------------ /
357	/ Function: ipf_auth_setlock /
358	/ Returns: void /
359	/ Paramters: arg(I) - pointer to soft context data /
360	/ tmp(I) - value to assign to auth lock /
361	/ /
362	/ ------------------------------------------------------------------------ /
363	void
364	ipf_auth_setlock(void arg, int* tmp)
365	{
366	ipf_auth_softc_t *softa = arg;
367
368	softa->ipf_auth_lock = tmp;
369	}
370
371
372	/ ------------------------------------------------------------------------ /
373	/ Function: ipf_auth_check /
374	/ Returns: frentry_t* - pointer to ipf rule if match found, else NULL /
375	/ Parameters: fin(I) - pointer to ipftoken structure /
376	/ passp(I) - pointer to ipfgeniter structure /
377	/ /
378	/ Check if a packet has authorization. If the packet is found to match an /
379	/ authorization result and that would result in a feedback loop (i.e. it /
380	/ will end up returning FR_AUTH) then return FR_BLOCK instead. /
381	/ ------------------------------------------------------------------------ /
382	frentry_t *
383	ipf_auth_check(fr_info_t fin, u_32_t passp)
384	{
385	ipf_main_softc_t *softc = fin->fin_main_soft;
386	ipf_auth_softc_t *softa = softc->ipf_auth_soft;
387	frentry_t *fr;
388	frauth_t *fra;
389	u_32_t pass;
390	u_short id;
391	ip_t *ip;
392	int i;
393
394	if (softa->ipf_auth_lock \|\| !softa->ipf_auth_used)
395	return NULL;
396
397	ip = fin->fin_ip;
398	id = ip->ip_id;
399
400	READ_ENTER(&softa->ipf_authlk);
401	for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) {
402	/*
403	* index becomes -2 only after an SIOCAUTHW. Check this in
404	* case the same packet gets sent again and it hasn't yet been
405	* auth'd.
406	*/
407	fra = softa->ipf_auth + i;
408	if ((fra->fra_index == -`2`) && (id == fra->fra_info.fin_id) &&
409	!bcmp((char )fin, (char* *)&fra->fra_info, FI_CSIZE)) {
410	/*
411	* Avoid feedback loop.
412	*/
413	if (!(pass = fra->fra_pass) \|\| (FR_ISAUTH(pass))) {
414	pass = FR_BLOCK;
415	fin->fin_reason = FRB_AUTHFEEDBACK;
416	}
417	/*
418	* Create a dummy rule for the stateful checking to
419	* use and return. Zero out any values we don't
420	* trust from userland!
421	*/
422	if ((pass & FR_KEEPSTATE) \|\| ((pass & FR_KEEPFRAG) &&
423	(fin->fin_flx & FI_FRAG))) {
424	KMALLOC(fr, frentry_t *);
425	if (fr) {
426	bcopy((char *)fra->fra_info.fin_fr,
427	(char )fr, sizeof(fr));
428	fr->fr_grp = NULL;
429	fr->fr_ifa = fin->fin_ifp;
430	fr->fr_func = NULL;
431	fr->fr_ref = `1`;
432	fr->fr_flags = pass;
433	fr->fr_ifas[`1`] = NULL;
434	fr->fr_ifas[`2`] = NULL;
435	fr->fr_ifas[`3`] = NULL;
436	MUTEX_INIT(&fr->fr_lock,
437	"ipf auth rule");
438	}
439	} else
440	fr = fra->fra_info.fin_fr;
441	fin->fin_fr = fr;
442	fin->fin_flx \|= fra->fra_flx;
443	RWLOCK_EXIT(&softa->ipf_authlk);
444
445	WRITE_ENTER(&softa->ipf_authlk);
446	/*
447	* ipf_auth_rules is populated with the rules malloc'd
448	* above and only those.
449	*/
450	if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) {
451	fr->fr_next = softa->ipf_auth_rules;
452	softa->ipf_auth_rules = fr;
453	}
454	softa->ipf_auth_stats.fas_hits++;
455	fra->fra_index = -`1`;
456	softa->ipf_auth_used--;
457	softa->ipf_auth_replies--;
458	if (i == softa->ipf_auth_start) {
459	while (fra->fra_index == -`1`) {
460	i++;
461	fra++;
462	if (i == softa->ipf_auth_size) {
463	i = `0`;
464	fra = softa->ipf_auth;
465	}
466	softa->ipf_auth_start = i;
467	if (i == softa->ipf_auth_end)
468	break;
469	}
470	if (softa->ipf_auth_start ==
471	softa->ipf_auth_end) {
472	softa->ipf_auth_next = `0`;
473	softa->ipf_auth_start = `0`;
474	softa->ipf_auth_end = `0`;
475	}
476	}
477	RWLOCK_EXIT(&softa->ipf_authlk);
478	if (passp != NULL)
479	*passp = pass;
480	softa->ipf_auth_stats.fas_hits++;
481	return fr;
482	}
483	i++;
484	if (i == softa->ipf_auth_size)
485	i = `0`;
486	}
487	RWLOCK_EXIT(&softa->ipf_authlk);
488	softa->ipf_auth_stats.fas_miss++;
489	return NULL;
490	}
491
492
493	/ ------------------------------------------------------------------------ /
494	/ Function: ipf_auth_new /
495	/ Returns: int - 1 == success, 0 = did not put packet on auth queue /
496	/ Parameters: m(I) - pointer to mb_t with packet in it /
497	/ fin(I) - pointer to packet information /
498	/ /
499	/ Check if we have room in the auth array to hold details for another /
500	/ packet. If we do, store it and wake up any user programs which are /
501	/ waiting to hear about these events. /
502	/ ------------------------------------------------------------------------ /
503	int
504	ipf_auth_new(mb_t m, fr_info_t fin)
505	{
506	ipf_main_softc_t *softc = fin->fin_main_soft;
507	ipf_auth_softc_t *softa = softc->ipf_auth_soft;
508	#if defined(_KERNEL) && defined(MENTAT)
509	qpktinfo_t *qpi = fin->fin_qpi;
510	#endif
511	frauth_t *fra;
512	#if !defined(sparc) && !defined(m68k)
513	ip_t *ip;
514	#endif
515	int i;
516
517	if (softa->ipf_auth_lock)
518	return `0`;
519
520	WRITE_ENTER(&softa->ipf_authlk);
521	if (((softa->ipf_auth_end + `1`) % softa->ipf_auth_size) ==
522	softa->ipf_auth_start) {
523	softa->ipf_auth_stats.fas_nospace++;
524	RWLOCK_EXIT(&softa->ipf_authlk);
525	return `0`;
526	}
527
528	softa->ipf_auth_stats.fas_added++;
529	softa->ipf_auth_used++;
530	i = softa->ipf_auth_end++;
531	if (softa->ipf_auth_end == softa->ipf_auth_size)
532	softa->ipf_auth_end = `0`;
533
534	fra = softa->ipf_auth + i;
535	fra->fra_index = i;
536	if (fin->fin_fr != NULL)
537	fra->fra_pass = fin->fin_fr->fr_flags;
538	else
539	fra->fra_pass = `0`;
540	fra->fra_age = softa->ipf_auth_defaultage;
541	bcopy((char )fin, (char* )&fra->fra_info, sizeof(fin));
542	fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE\|FI_NATED);
543	fra->fra_info.fin_flx &= ~(FI_STATE\|FI_NATED);
544	#if !defined(sparc) && !defined(m68k)
545	/*
546	* No need to copyback here as we want to undo the changes, not keep
547	* them.
548	*/
549	ip = fin->fin_ip;
550	# if defined(MENTAT) && defined(_KERNEL)
551	if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == `4`))
552	# endif
553	{
554	register u_short bo;
555
556	bo = ip->ip_len;
557	ip->ip_len = htons(bo);
558	bo = ip->ip_off;
559	ip->ip_off = htons(bo);
560	}
561	#endif
562	#if SOLARIS && defined(_KERNEL)
563	COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname);
564	m->b_rptr -= qpi->qpi_off;
565	fra->fra_q = qpi->qpi_q; / The queue can disappear! /
566	fra->fra_m = *fin->fin_mp;
567	fra->fra_info.fin_mp = &fra->fra_m;
568	softa->ipf_auth_pkts[i] = (mblk_t *)fin->fin_mp;
569	RWLOCK_EXIT(&softa->ipf_authlk);
570	cv_signal(&softa->ipf_auth_wait);
571	pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN\|POLLRDNORM);
572	#else
573	softa->ipf_auth_pkts[i] = m;
574	RWLOCK_EXIT(&softa->ipf_authlk);
575	WAKEUP(&softa->ipf_auth_next, `0`);
576	#endif
577	return `1`;
578	}
579
580
581	/ ------------------------------------------------------------------------ /
582	/ Function: ipf_auth_ioctl /
583	/ Returns: int - 0 == success, else error /
584	/ Parameters: data(IO) - pointer to ioctl data /
585	/ cmd(I) - ioctl command /
586	/ mode(I) - mode flags associated with open descriptor /
587	/ uid(I) - uid associatd with application making the call /
588	/ ctx(I) - pointer for context /
589	/ /
590	/ This function handles all of the ioctls recognised by the auth component /
591	/ in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth /
592	/ ------------------------------------------------------------------------ /
593	int
594	ipf_auth_ioctl(ipf_main_softc_t softc, void* data, ioctlcmd_t cmd, int* mode,
595	int uid, void *ctx)
596	{
597	ipf_auth_softc_t *softa = softc->ipf_auth_soft;
598	int error = `0`, i;
599	SPL_INT(s);
600
601	switch (cmd)
602	{
603	case SIOCGENITER :
604	{
605	ipftoken_t *token;
606	ipfgeniter_t iter;
607	ipfobj_t obj;
608
609	error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER);
610	if (error != `0`)
611	break;
612
613	SPL_SCHED(s);
614	token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx);
615	if (token != NULL)
616	error = ipf_auth_geniter(softc, token, &iter, &obj);
617	else {
618	WRITE_ENTER(&softc->ipf_tokens);
619	ipf_token_deref(softc, token);
620	RWLOCK_EXIT(&softc->ipf_tokens);
621	IPFERROR(`10001`);
622	error = ESRCH;
623	}
624	SPL_X(s);
625
626	break;
627	}
628
629	case SIOCADAFR :
630	case SIOCRMAFR :
631	if (!(mode & FWRITE)) {
632	IPFERROR(`10002`);
633	error = EPERM;
634	} else
635	error = frrequest(softc, IPL_LOGAUTH, cmd, data,
636	softc->ipf_active, `1`);
637	break;
638
639	case SIOCSTLCK :
640	if (!(mode & FWRITE)) {
641	IPFERROR(`10003`);
642	error = EPERM;
643	} else {
644	error = ipf_lock(data, &softa->ipf_auth_lock);
645	}
646	break;
647
648	case SIOCATHST:
649	softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries;
650	error = ipf_outobj(softc, data, &softa->ipf_auth_stats,
651	IPFOBJ_AUTHSTAT);
652	break;
653
654	case SIOCIPFFL:
655	SPL_NET(s);
656	WRITE_ENTER(&softa->ipf_authlk);
657	i = ipf_auth_flush(softa);
658	RWLOCK_EXIT(&softa->ipf_authlk);
659	SPL_X(s);
660	error = BCOPYOUT(&i, data, sizeof(i));
661	if (error != `0`) {
662	IPFERROR(`10004`);
663	error = EFAULT;
664	}
665	break;
666
667	case SIOCAUTHW:
668	error = ipf_auth_wait(softc, softa, data);
669	break;
670
671	case SIOCAUTHR:
672	error = ipf_auth_reply(softc, softa, data);
673	break;
674
675	default :
676	IPFERROR(`10005`);
677	error = EINVAL;
678	break;
679	}
680	return error;
681	}
682
683
684	/ ------------------------------------------------------------------------ /
685	/ Function: ipf_auth_expire /
686	/ Returns: None /
687	/ Parameters: None /
688	/ /
689	/ Slowly expire held auth records. Timeouts are set in expectation of /
690	/ this being called twice per second. /
691	/ ------------------------------------------------------------------------ /
692	void
693	ipf_auth_expire(ipf_main_softc_t *softc)
694	{
695	ipf_auth_softc_t *softa = softc->ipf_auth_soft;
696	frauthent_t fae, *faep;
697	frentry_t fr, *frp;
698	frauth_t *fra;
699	mb_t *m;
700	int i;
701	SPL_INT(s);
702
703	if (softa->ipf_auth_lock)
704	return;
705	SPL_NET(s);
706	WRITE_ENTER(&softa->ipf_authlk);
707	for (i = `0`, fra = softa->ipf_auth; i < softa->ipf_auth_size;
708	i++, fra++) {
709	fra->fra_age--;
710	if ((fra->fra_age == `0`) &&
711	(softa->ipf_auth[i].fra_index != -`1`)) {
712	if ((m = softa->ipf_auth_pkts[i]) != NULL) {
713	FREE_MB_T(m);
714	softa->ipf_auth_pkts[i] = NULL;
715	} else if (softa->ipf_auth[i].fra_index == -`2`) {
716	softa->ipf_auth_replies--;
717	}
718	softa->ipf_auth[i].fra_index = -`1`;
719	softa->ipf_auth_stats.fas_expire++;
720	softa->ipf_auth_used--;
721	}
722	}
723
724	/*
725	* Expire pre-auth rules
726	*/
727	for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) {
728	fae->fae_age--;
729	if (fae->fae_age == `0`) {
730	ipf_auth_deref(&fae);
731	softa->ipf_auth_stats.fas_expire++;
732	} else
733	faep = &fae->fae_next;
734	}
735	if (softa->ipf_auth_entries != NULL)
736	softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr;
737	else
738	softa->ipf_auth_ip = NULL;
739
740	for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) {
741	if (fr->fr_ref == `1`) {
742	*frp = fr->fr_next;
743	MUTEX_DESTROY(&fr->fr_lock);
744	KFREE(fr);
745	} else
746	frp = &fr->fr_next;
747	}
748	RWLOCK_EXIT(&softa->ipf_authlk);
749	SPL_X(s);
750	}
751
752
753	/ ------------------------------------------------------------------------ /
754	/ Function: ipf_auth_precmd /
755	/ Returns: int - 0 == success, else error /
756	/ Parameters: cmd(I) - ioctl command for rule /
757	/ fr(I) - pointer to ipf rule /
758	/ fptr(I) - pointer to caller's 'fr' /
759	/ /
760	/ ------------------------------------------------------------------------ /
761	int
762	ipf_auth_precmd(ipf_main_softc_t softc, ioctlcmd_t cmd, frentry_t fr,
763	frentry_t **frptr)
764	{
765	ipf_auth_softc_t *softa = softc->ipf_auth_soft;
766	frauthent_t fae, *faep;
767	int error = `0`;
768	SPL_INT(s);
769
770	if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
771	IPFERROR(`10006`);
772	return EIO;
773	}
774
775	for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) {
776	if (&fae->fae_fr == fr)
777	break;
778	else
779	faep = &fae->fae_next;
780	}
781
782	if (cmd == (ioctlcmd_t)SIOCRMAFR) {
783	if (fr == NULL \|\| frptr == NULL) {
784	IPFERROR(`10007`);
785	error = EINVAL;
786
787	} else if (fae == NULL) {
788	IPFERROR(`10008`);
789	error = ESRCH;
790
791	} else {
792	SPL_NET(s);
793	WRITE_ENTER(&softa->ipf_authlk);
794	*faep = fae->fae_next;
795	if (softa->ipf_auth_ip == &fae->fae_fr)
796	softa->ipf_auth_ip = softa->ipf_auth_entries ?
797	&softa->ipf_auth_entries->fae_fr : NULL;
798	RWLOCK_EXIT(&softa->ipf_authlk);
799	SPL_X(s);
800
801	KFREE(fae);
802	}
803	} else if (fr != NULL && frptr != NULL) {
804	KMALLOC(fae, frauthent_t *);
805	if (fae != NULL) {
806	bcopy((char )fr, (char* *)&fae->fae_fr,
807	sizeof(*fr));
808	SPL_NET(s);
809	WRITE_ENTER(&softa->ipf_authlk);
810	fae->fae_age = softa->ipf_auth_defaultage;
811	fae->fae_fr.fr_hits = `0`;
812	fae->fae_fr.fr_next = *frptr;
813	fae->fae_ref = `1`;
814	*frptr = &fae->fae_fr;
815	fae->fae_next = *faep;
816	*faep = fae;
817	softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr;
818	RWLOCK_EXIT(&softa->ipf_authlk);
819	SPL_X(s);
820	} else {
821	IPFERROR(`10009`);
822	error = ENOMEM;
823	}
824	} else {
825	IPFERROR(`10010`);
826	error = EINVAL;
827	}
828	return error;
829	}
830
831
832	/ ------------------------------------------------------------------------ /
833	/ Function: ipf_auth_flush /
834	/ Returns: int - number of auth entries flushed /
835	/ Parameters: None /
836	/ Locks: WRITE(ipf_authlk) /
837	/ /
838	/ This function flushs the ipf_auth_pkts array of any packet data with /
839	/ references still there. /
840	/ It is expected that the caller has already acquired the correct locks or /
841	/ set the priority level correctly for this to block out other code paths /
842	/ into these data structures. /
843	/ ------------------------------------------------------------------------ /
844	static int
845	ipf_auth_flush(void *arg)
846	{
847	ipf_auth_softc_t *softa = arg;
848	int i, num_flushed;
849	mb_t *m;
850
851	if (softa->ipf_auth_lock)
852	return -`1`;
853
854	num_flushed = `0`;
855
856	for (i = `0` ; i < softa->ipf_auth_size; i++) {
857	if (softa->ipf_auth[i].fra_index != -`1`) {
858	m = softa->ipf_auth_pkts[i];
859	if (m != NULL) {
860	FREE_MB_T(m);
861	softa->ipf_auth_pkts[i] = NULL;
862	}
863
864	softa->ipf_auth[i].fra_index = -`1`;
865	/ perhaps add & use a flush counter inst./
866	softa->ipf_auth_stats.fas_expire++;
867	num_flushed++;
868	}
869	}
870
871	softa->ipf_auth_start = `0`;
872	softa->ipf_auth_end = `0`;
873	softa->ipf_auth_next = `0`;
874	softa->ipf_auth_used = `0`;
875	softa->ipf_auth_replies = `0`;
876
877	return num_flushed;
878	}
879
880
881	/ ------------------------------------------------------------------------ /
882	/ Function: ipf_auth_waiting /
883	/ Returns: int - number of packets in the auth queue /
884	/ Parameters: None /
885	/ /
886	/ Simple truth check to see if there are any packets waiting in the auth /
887	/ queue. /
888	/ ------------------------------------------------------------------------ /
889	int
890	ipf_auth_waiting(ipf_main_softc_t *softc)
891	{
892	ipf_auth_softc_t *softa = softc->ipf_auth_soft;
893
894	return (softa->ipf_auth_used != `0`);
895	}
896
897
898	/ ------------------------------------------------------------------------ /
899	/ Function: ipf_auth_geniter /
900	/ Returns: int - 0 == success, else error /
901	/ Parameters: token(I) - pointer to ipftoken structure /
902	/ itp(I) - pointer to ipfgeniter structure /
903	/ objp(I) - pointer to ipf object destription /
904	/ /
905	/ Iterate through the list of entries in the auth queue list. /
906	/ objp is used here to get the location of where to do the copy out to. /
907	/ Stomping over various fields with new information will not harm anything /
908	/ ------------------------------------------------------------------------ /
909	static int
910	ipf_auth_geniter(ipf_main_softc_t softc, ipftoken_t token, ipfgeniter_t *itp,
911	ipfobj_t *objp)
912	{
913	ipf_auth_softc_t *softa = softc->ipf_auth_soft;
914	frauthent_t fae, next, zero;
915	int error;
916
917	if (itp->igi_data == NULL) {
918	IPFERROR(`10011`);
919	return EFAULT;
920	}
921
922	if (itp->igi_type != IPFGENITER_AUTH) {
923	IPFERROR(`10012`);
924	return EINVAL;
925	}
926
927	objp->ipfo_type = IPFOBJ_FRAUTH;
928	objp->ipfo_ptr = itp->igi_data;
929	objp->ipfo_size = sizeof(frauth_t);
930
931	READ_ENTER(&softa->ipf_authlk);
932
933	fae = token->ipt_data;
934	if (fae == NULL) {
935	next = softa->ipf_auth_entries;
936	} else {
937	next = fae->fae_next;
938	}
939
940	/*
941	* If we found an auth entry to use, bump its reference count
942	* so that it can be used for is_next when we come back.
943	*/
944	if (next != NULL) {
945	ATOMIC_INC(next->fae_ref);
946	token->ipt_data = next;
947	} else {
948	bzero(&zero, sizeof(zero));
949	next = &zero;
950	token->ipt_data = NULL;
951	}
952
953	RWLOCK_EXIT(&softa->ipf_authlk);
954
955	error = ipf_outobjk(softc, objp, next);
956	if (fae != NULL)
957	ipf_auth_deref_unlocked(softa, &fae);
958
959	if (next->fae_next == NULL)
960	ipf_token_mark_complete(token);
961	return error;
962	}
963
964
965	/ ------------------------------------------------------------------------ /
966	/ Function: ipf_auth_deref_unlocked /
967	/ Returns: None /
968	/ Parameters: faep(IO) - pointer to caller's frauthent_t pointer /
969	/ /
970	/ Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not /
971	/ held. /
972	/ ------------------------------------------------------------------------ /
973	static void
974	ipf_auth_deref_unlocked(ipf_auth_softc_t softa, frauthent_t *faep)
975	{
976	WRITE_ENTER(&softa->ipf_authlk);
977	ipf_auth_deref(faep);
978	RWLOCK_EXIT(&softa->ipf_authlk);
979	}
980
981
982	/ ------------------------------------------------------------------------ /
983	/ Function: ipf_auth_deref /
984	/ Returns: None /
985	/ Parameters: faep(IO) - pointer to caller's frauthent_t pointer /
986	/ Locks: WRITE(ipf_authlk) /
987	/ /
988	/ This function unconditionally sets the pointer in the caller to NULL, /
989	/ to make it clear that it should no longer use that pointer, and drops /
990	/ the reference count on the structure by 1. If it reaches 0, free it up. /
991	/ ------------------------------------------------------------------------ /
992	static void
993	ipf_auth_deref(frauthent_t **faep)
994	{
995	frauthent_t *fae;
996
997	fae = *faep;
998	*faep = NULL;
999
1000	fae->fae_ref--;
1001	if (fae->fae_ref == `0`) {
1002	KFREE(fae);
1003	}
1004	}
1005
1006
1007	/ ------------------------------------------------------------------------ /
1008	/ Function: ipf_auth_wait_pkt /
1009	/ Returns: int - 0 == success, else error /
1010	/ Parameters: data(I) - pointer to data from ioctl call /
1011	/ /
1012	/ This function is called when an application is waiting for a packet to /
1013	/ match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already /
1014	/ a packet waiting on the queue then we will return that _one_ immediately./
1015	/ If there are no packets present in the queue (ipf_auth_pkts) then we go /
1016	/ to sleep. /
1017	/ ------------------------------------------------------------------------ /
1018	static int
1019	ipf_auth_wait(ipf_main_softc_t softc, ipf_auth_softc_t softa, char *data)
1020	{
1021	frauth_t auth, *au = &auth;
1022	int error, len, i;
1023	mb_t *m;
1024	char *t;
1025	SPL_INT(s);
1026
1027	ipf_auth_ioctlloop:
1028	error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH);
1029	if (error != `0`)
1030	return error;
1031
1032	/*
1033	* XXX Locks are held below over calls to copyout...a better
1034	* solution needs to be found so this isn't necessary. The situation
1035	* we are trying to guard against here is an error in the copyout
1036	* steps should not cause the packet to "disappear" from the queue.
1037	*/
1038	SPL_NET(s);
1039	READ_ENTER(&softa->ipf_authlk);
1040
1041	/*
1042	* If ipf_auth_next is not equal to ipf_auth_end it will be because
1043	* there is a packet waiting to be delt with in the ipf_auth_pkts
1044	* array. We copy as much of that out to user space as requested.
1045	*/
1046	if (softa->ipf_auth_used > `0`) {
1047	while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) {
1048	softa->ipf_auth_next++;
1049	if (softa->ipf_auth_next == softa->ipf_auth_size)
1050	softa->ipf_auth_next = `0`;
1051	}
1052
1053	error = ipf_outobj(softc, data,
1054	&softa->ipf_auth[softa->ipf_auth_next],
1055	IPFOBJ_FRAUTH);
1056	if (error != `0`) {
1057	RWLOCK_EXIT(&softa->ipf_authlk);
1058	SPL_X(s);
1059	return error;
1060	}
1061
1062	if (auth.fra_len != `0` && auth.fra_buf != NULL) {
1063	/*
1064	* Copy packet contents out to user space if
1065	* requested. Bail on an error.
1066	*/
1067	m = softa->ipf_auth_pkts[softa->ipf_auth_next];
1068	len = MSGDSIZE(m);
1069	if (len > auth.fra_len)
1070	len = auth.fra_len;
1071	auth.fra_len = len;
1072
1073	for (t = auth.fra_buf; m && (len > `0`); ) {
1074	i = MIN(M_LEN(m), len);
1075	error = copyoutptr(softc, MTOD(m, char *),
1076	&t, i);
1077	len -= i;
1078	t += i;
1079	if (error != `0`) {
1080	RWLOCK_EXIT(&softa->ipf_authlk);
1081	SPL_X(s);
1082	return error;
1083	}
1084	m = m->m_next;
1085	}
1086	}
1087	RWLOCK_EXIT(&softa->ipf_authlk);
1088
1089	SPL_NET(s);
1090	WRITE_ENTER(&softa->ipf_authlk);
1091	softa->ipf_auth_next++;
1092	if (softa->ipf_auth_next == softa->ipf_auth_size)
1093	softa->ipf_auth_next = `0`;
1094	RWLOCK_EXIT(&softa->ipf_authlk);
1095	SPL_X(s);
1096
1097	return `0`;
1098	}
1099	RWLOCK_EXIT(&softa->ipf_authlk);
1100	SPL_X(s);
1101
1102	MUTEX_ENTER(&softa->ipf_auth_mx);
1103	#ifdef _KERNEL
1104	# if SOLARIS
1105	error = `0`;
1106	if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) {
1107	IPFERROR(`10014`);
1108	error = EINTR;
1109	}
1110	# else /* SOLARIS */
1111	# ifdef __hpux
1112	{
1113	lock_t *l;
1114
1115	l = get_sleep_lock(&softa->ipf_auth_next);
1116	error = sleep(&softa->ipf_auth_next, PZERO+`1`);
1117	spinunlock(l);
1118	}
1119	# else
1120	# ifdef __osf__
1121	error = mpsleep(&softa->ipf_auth_next, PSUSP\|PCATCH, "ipf_auth_next",
1122	`0`, &softa->ipf_auth_mx, MS_LOCK_SIMPLE);
1123	# else
1124	error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next");
1125	# endif /* __osf__ */
1126	# endif /* __hpux */
1127	# endif /* SOLARIS */
1128	#endif
1129	MUTEX_EXIT(&softa->ipf_auth_mx);
1130	if (error == `0`)
1131	goto ipf_auth_ioctlloop;
1132	return error;
1133	}
1134
1135
1136	/ ------------------------------------------------------------------------ /
1137	/ Function: ipf_auth_reply /
1138	/ Returns: int - 0 == success, else error /
1139	/ Parameters: data(I) - pointer to data from ioctl call /
1140	/ /
1141	/ This function is called by an application when it wants to return a /
1142	/ decision on a packet using the SIOCAUTHR ioctl. This is after it has /
1143	/ received information using an SIOCAUTHW. The decision returned in the /
1144	/ form of flags, the same as those used in each rule. /
1145	/ ------------------------------------------------------------------------ /
1146	static int
1147	ipf_auth_reply(ipf_main_softc_t softc, ipf_auth_softc_t softa, char *data)
1148	{
1149	frauth_t auth, au = &auth, fra;
1150	fr_info_t fin;
1151	int error, i;
1152	#ifdef _KERNEL
1153	mb_t *m;
1154	#endif
1155	SPL_INT(s);
1156
1157	error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH);
1158	if (error != `0`)
1159	return error;
1160
1161	SPL_NET(s);
1162	WRITE_ENTER(&softa->ipf_authlk);
1163
1164	i = au->fra_index;
1165	fra = softa->ipf_auth + i;
1166	error = `0`;
1167
1168	/*
1169	* Check the validity of the information being returned with two simple
1170	* checks. First, the auth index value should be within the size of
1171	* the array and second the packet id being returned should also match.
1172	*/
1173	if ((i < `0`) \|\| (i >= softa->ipf_auth_size)) {
1174	RWLOCK_EXIT(&softa->ipf_authlk);
1175	SPL_X(s);
1176	IPFERROR(`10015`);
1177	return ESRCH;
1178	}
1179	if (fra->fra_info.fin_id != au->fra_info.fin_id) {
1180	RWLOCK_EXIT(&softa->ipf_authlk);
1181	SPL_X(s);
1182	IPFERROR(`10019`);
1183	return ESRCH;
1184	}
1185
1186	fra->fra_index = -`2`;
1187	fra->fra_pass = au->fra_pass;
1188	#ifdef _KERNEL
1189	m = softa->ipf_auth_pkts[i];
1190	#endif
1191	softa->ipf_auth_pkts[i] = NULL;
1192	softa->ipf_auth_replies++;
1193	bcopy(&fra->fra_info, &fin, sizeof(fin));
1194
1195	RWLOCK_EXIT(&softa->ipf_authlk);
1196
1197	/*
1198	* Re-insert the packet back into the packet stream flowing through
1199	* the kernel in a manner that will mean IPFilter sees the packet
1200	* again. This is not the same as is done with fastroute,
1201	* deliberately, as we want to resume the normal packet processing
1202	* path for it.
1203	*/
1204	#ifdef _KERNEL
1205	if ((m != NULL) && (au->fra_info.fin_out != `0`)) {
1206	error = ipf_inject(&fin, m);
1207	if (error != `0`) {
1208	IPFERROR(`10016`);
1209	error = ENOBUFS;
1210	softa->ipf_auth_stats.fas_sendfail++;
1211	} else {
1212	softa->ipf_auth_stats.fas_sendok++;
1213	}
1214	} else if (m) {
1215	error = ipf_inject(&fin, m);
1216	if (error != `0`) {
1217	IPFERROR(`10017`);
1218	error = ENOBUFS;
1219	softa->ipf_auth_stats.fas_quefail++;
1220	} else {
1221	softa->ipf_auth_stats.fas_queok++;
1222	}
1223	} else {
1224	IPFERROR(`10018`);
1225	error = EINVAL;
1226	}
1227
1228	/*
1229	* If we experience an error which will result in the packet
1230	* not being processed, make sure we advance to the next one.
1231	*/
1232	if (error == ENOBUFS) {
1233	WRITE_ENTER(&softa->ipf_authlk);
1234	softa->ipf_auth_used--;
1235	fra->fra_index = -`1`;
1236	fra->fra_pass = `0`;
1237	if (i == softa->ipf_auth_start) {
1238	while (fra->fra_index == -`1`) {
1239	i++;
1240	if (i == softa->ipf_auth_size)
1241	i = `0`;
1242	softa->ipf_auth_start = i;
1243	if (i == softa->ipf_auth_end)
1244	break;
1245	}
1246	if (softa->ipf_auth_start == softa->ipf_auth_end) {
1247	softa->ipf_auth_next = `0`;
1248	softa->ipf_auth_start = `0`;
1249	softa->ipf_auth_end = `0`;
1250	}
1251	}
1252	RWLOCK_EXIT(&softa->ipf_authlk);
1253	}
1254	#endif /* _KERNEL */
1255	SPL_X(s);
1256
1257	return `0`;
1258	}
1259
1260
1261	u_32_t
1262	ipf_auth_pre_scanlist(ipf_main_softc_t softc, fr_info_t fin, u_32_t pass)
1263	{
1264	ipf_auth_softc_t *softa = softc->ipf_auth_soft;
1265
1266	if (softa->ipf_auth_ip != NULL)
1267	return ipf_scanlist(fin, softc->ipf_pass);
1268
1269	return pass;
1270	}
1271
1272
1273	frentry_t **
1274	ipf_auth_rulehead(ipf_main_softc_t *softc)
1275	{
1276	ipf_auth_softc_t *softa = softc->ipf_auth_soft;
1277
1278	return &softa->ipf_auth_ip;
1279	}
1280

Browse the source code of src/src/sys/external/bsd/ipf/netinet/ip_auth.c