1 /* $FreeBSD: stable/9/sys/contrib/ipfilter/netinet/ip_auth.c 207369 2010-04-29 11:52:42Z bz $ */
2
3 /*
4 * Copyright (C) 1998-2003 by Darren Reed & Guido van Rooij.
5 *
6 * See the IPFILTER.LICENCE file for details on licencing.
7 */
8 #if defined(KERNEL) || defined(_KERNEL)
9 # undef KERNEL
10 # undef _KERNEL
11 # define KERNEL 1
12 # define _KERNEL 1
13 #endif
14 #include <sys/errno.h>
15 #include <sys/types.h>
16 #include <sys/param.h>
17 #include <sys/time.h>
18 #include <sys/file.h>
19 #if !defined(_KERNEL)
20 # include <stdio.h>
21 # include <stdlib.h>
22 # include <string.h>
23 # define _KERNEL
24 # ifdef __OpenBSD__
25 struct file;
26 # endif
27 # include <sys/uio.h>
28 # undef _KERNEL
29 #endif
30 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
31 # include <sys/filio.h>
32 # include <sys/fcntl.h>
33 #else
34 # include <sys/ioctl.h>
35 #endif
36 #if !defined(linux)
37 # include <sys/protosw.h>
38 #endif
39 #include <sys/socket.h>
40 #if defined(_KERNEL)
41 # include <sys/systm.h>
42 # if !defined(__SVR4) && !defined(__svr4__) && !defined(linux)
43 # include <sys/mbuf.h>
44 # endif
45 #endif
46 #if defined(__SVR4) || defined(__svr4__)
47 # include <sys/filio.h>
48 # include <sys/byteorder.h>
49 # ifdef _KERNEL
50 # include <sys/dditypes.h>
51 # endif
52 # include <sys/stream.h>
53 # include <sys/kmem.h>
54 #endif
55 #if (defined(_BSDI_VERSION) && _BSDI_VERSION >= 199802) || \
56 (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000))
57 # include <sys/queue.h>
58 #endif
59 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
60 # include <machine/cpu.h>
61 #endif
62 #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
63 # include <sys/proc.h>
64 #endif
65 #include <net/if.h>
66 #ifdef sun
67 # include <net/af.h>
68 #endif
69 #include <net/route.h>
70 #include <netinet/in.h>
71 #include <netinet/in_systm.h>
72 #include <netinet/ip.h>
73 #if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi)
74 # define KERNEL
75 # define _KERNEL
76 # define NOT_KERNEL
77 #endif
78 #if !defined(linux)
79 # include <netinet/ip_var.h>
80 #endif
81 #ifdef NOT_KERNEL
82 # undef _KERNEL
83 # undef KERNEL
84 #endif
85 #include <netinet/tcp.h>
86 #if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */
87 extern struct ifqueue ipintrq; /* ip packet input queue */
88 #else
89 # if !defined(__hpux) && !defined(linux)
90 # if __FreeBSD_version >= 300000
91 # include <net/if_var.h>
92 # if __FreeBSD_version >= 500042
93 # define IF_QFULL _IF_QFULL
94 # define IF_DROP _IF_DROP
95 # endif /* __FreeBSD_version >= 500042 */
96 # endif
97 # include <netinet/in_var.h>
98 # include <netinet/tcp_fsm.h>
99 # endif
100 #endif
101 #include <netinet/udp.h>
102 #include <netinet/ip_icmp.h>
103 #include "netinet/ip_compat.h"
104 #include <netinet/tcpip.h>
105 #include "netinet/ip_fil.h"
106 #include "netinet/ip_auth.h"
107 #if !defined(MENTAT) && !defined(linux)
108 # include <net/netisr.h>
109 # ifdef __FreeBSD__
110 # include <machine/cpufunc.h>
111 # endif
112 #endif
113 #if (__FreeBSD_version >= 300000)
114 # include <sys/malloc.h>
115 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
116 # include <sys/libkern.h>
117 # include <sys/systm.h>
118 # endif
119 #endif
120 /* END OF INCLUDES */
121
122 #if !defined(lint)
123 static const char rcsid[] = "@(#)$FreeBSD: stable/9/sys/contrib/ipfilter/netinet/ip_auth.c 207369 2010-04-29 11:52:42Z bz $";
124 /* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.24 2007/09/09 11:32:04 darrenr Exp $"; */
125 #endif
126
127
128 #if SOLARIS && defined(_KERNEL)
129 extern kcondvar_t ipfauthwait;
130 extern struct pollhead iplpollhead[IPL_LOGSIZE];
131 #endif /* SOLARIS */
132 #if defined(linux) && defined(_KERNEL)
133 wait_queue_head_t fr_authnext_linux;
134 #endif
135
136 int fr_authsize = FR_NUMAUTH;
137 int fr_authused = 0;
138 int fr_defaultauthage = 600;
139 int fr_auth_lock = 0;
140 int fr_auth_init = 0;
141 fr_authstat_t fr_authstats;
142 static frauth_t *fr_auth = NULL;
143 mb_t **fr_authpkts = NULL;
144 int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
145 frauthent_t *fae_list = NULL;
146 frentry_t *ipauth = NULL,
147 *fr_authlist = NULL;
148
149 void fr_authderef __P((frauthent_t **));
150 int fr_authgeniter __P((ipftoken_t *, ipfgeniter_t *));
151 int fr_authreply __P((char *));
152 int fr_authwait __P((char *));
153
154 /* ------------------------------------------------------------------------ */
155 /* Function: fr_authinit */
156 /* Returns: int - 0 == success, else error */
157 /* Parameters: None */
158 /* */
159 /* Allocate memory and initialise data structures used in handling auth */
160 /* rules. */
161 /* ------------------------------------------------------------------------ */
fr_authinit()162 int fr_authinit()
163 {
164 KMALLOCS(fr_auth, frauth_t *, fr_authsize * sizeof(*fr_auth));
165 if (fr_auth != NULL)
166 bzero((char *)fr_auth, fr_authsize * sizeof(*fr_auth));
167 else
168 return -1;
169
170 KMALLOCS(fr_authpkts, mb_t **, fr_authsize * sizeof(*fr_authpkts));
171 if (fr_authpkts != NULL)
172 bzero((char *)fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
173 else
174 return -2;
175
176 MUTEX_INIT(&ipf_authmx, "ipf auth log mutex");
177 RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock");
178 #if SOLARIS && defined(_KERNEL)
179 cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL);
180 #endif
181 #if defined(linux) && defined(_KERNEL)
182 init_waitqueue_head(&fr_authnext_linux);
183 #endif
184
185 fr_auth_init = 1;
186
187 return 0;
188 }
189
190
191 /* ------------------------------------------------------------------------ */
192 /* Function: fr_checkauth */
193 /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */
194 /* Parameters: fin(I) - pointer to ipftoken structure */
195 /* passp(I) - pointer to ipfgeniter structure */
196 /* */
197 /* Check if a packet has authorization. If the packet is found to match an */
198 /* authorization result and that would result in a feedback loop (i.e. it */
199 /* will end up returning FR_AUTH) then return FR_BLOCK instead. */
200 /* ------------------------------------------------------------------------ */
fr_checkauth(fin,passp)201 frentry_t *fr_checkauth(fin, passp)
202 fr_info_t *fin;
203 u_32_t *passp;
204 {
205 frentry_t *fr;
206 frauth_t *fra;
207 u_32_t pass;
208 u_short id;
209 ip_t *ip;
210 int i;
211
212 if (fr_auth_lock || !fr_authused)
213 return NULL;
214
215 ip = fin->fin_ip;
216 id = ip->ip_id;
217
218 READ_ENTER(&ipf_auth);
219 for (i = fr_authstart; i != fr_authend; ) {
220 /*
221 * index becomes -2 only after an SIOCAUTHW. Check this in
222 * case the same packet gets sent again and it hasn't yet been
223 * auth'd.
224 */
225 fra = fr_auth + i;
226 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
227 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
228 /*
229 * Avoid feedback loop.
230 */
231 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass)))
232 pass = FR_BLOCK;
233 /*
234 * Create a dummy rule for the stateful checking to
235 * use and return. Zero out any values we don't
236 * trust from userland!
237 */
238 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
239 (fin->fin_flx & FI_FRAG))) {
240 KMALLOC(fr, frentry_t *);
241 if (fr) {
242 bcopy((char *)fra->fra_info.fin_fr,
243 (char *)fr, sizeof(*fr));
244 fr->fr_grp = NULL;
245 fr->fr_ifa = fin->fin_ifp;
246 fr->fr_func = NULL;
247 fr->fr_ref = 1;
248 fr->fr_flags = pass;
249 fr->fr_ifas[1] = NULL;
250 fr->fr_ifas[2] = NULL;
251 fr->fr_ifas[3] = NULL;
252 }
253 } else
254 fr = fra->fra_info.fin_fr;
255 fin->fin_fr = fr;
256 RWLOCK_EXIT(&ipf_auth);
257
258 WRITE_ENTER(&ipf_auth);
259 /*
260 * fr_authlist is populated with the rules malloc'd
261 * above and only those.
262 */
263 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) {
264 fr->fr_next = fr_authlist;
265 fr_authlist = fr;
266 }
267 fr_authstats.fas_hits++;
268 fra->fra_index = -1;
269 fr_authused--;
270 if (i == fr_authstart) {
271 while (fra->fra_index == -1) {
272 i++;
273 fra++;
274 if (i == fr_authsize) {
275 i = 0;
276 fra = fr_auth;
277 }
278 fr_authstart = i;
279 if (i == fr_authend)
280 break;
281 }
282 if (fr_authstart == fr_authend) {
283 fr_authnext = 0;
284 fr_authstart = fr_authend = 0;
285 }
286 }
287 RWLOCK_EXIT(&ipf_auth);
288 if (passp != NULL)
289 *passp = pass;
290 ATOMIC_INC64(fr_authstats.fas_hits);
291 return fr;
292 }
293 i++;
294 if (i == fr_authsize)
295 i = 0;
296 }
297 fr_authstats.fas_miss++;
298 RWLOCK_EXIT(&ipf_auth);
299 ATOMIC_INC64(fr_authstats.fas_miss);
300 return NULL;
301 }
302
303
304 /* ------------------------------------------------------------------------ */
305 /* Function: fr_newauth */
306 /* Returns: int - 1 == success, 0 = did not put packet on auth queue */
307 /* Parameters: m(I) - pointer to mb_t with packet in it */
308 /* fin(I) - pointer to packet information */
309 /* */
310 /* Check if we have room in the auth array to hold details for another */
311 /* packet. If we do, store it and wake up any user programs which are */
312 /* waiting to hear about these events. */
313 /* ------------------------------------------------------------------------ */
fr_newauth(m,fin)314 int fr_newauth(m, fin)
315 mb_t *m;
316 fr_info_t *fin;
317 {
318 #if defined(_KERNEL) && defined(MENTAT)
319 qpktinfo_t *qpi = fin->fin_qpi;
320 #endif
321 frauth_t *fra;
322 #if !defined(sparc) && !defined(m68k)
323 ip_t *ip;
324 #endif
325 int i;
326
327 if (fr_auth_lock)
328 return 0;
329
330 WRITE_ENTER(&ipf_auth);
331 if (((fr_authend + 1) % fr_authsize) == fr_authstart) {
332 fr_authstats.fas_nospace++;
333 RWLOCK_EXIT(&ipf_auth);
334 return 0;
335 }
336
337 fr_authstats.fas_added++;
338 fr_authused++;
339 i = fr_authend++;
340 if (fr_authend == fr_authsize)
341 fr_authend = 0;
342 fra = fr_auth + i;
343 fra->fra_index = i;
344 RWLOCK_EXIT(&ipf_auth);
345
346 if (fin->fin_fr != NULL)
347 fra->fra_pass = fin->fin_fr->fr_flags;
348 else
349 fra->fra_pass = 0;
350 fra->fra_age = fr_defaultauthage;
351 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
352 #if !defined(sparc) && !defined(m68k)
353 /*
354 * No need to copyback here as we want to undo the changes, not keep
355 * them.
356 */
357 ip = fin->fin_ip;
358 # if defined(MENTAT) && defined(_KERNEL)
359 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4))
360 # endif
361 {
362 register u_short bo;
363
364 bo = ip->ip_len;
365 ip->ip_len = htons(bo);
366 bo = ip->ip_off;
367 ip->ip_off = htons(bo);
368 }
369 #endif
370 #if SOLARIS && defined(_KERNEL)
371 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname);
372 m->b_rptr -= qpi->qpi_off;
373 fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
374 # if !defined(_INET_IP_STACK_H)
375 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */
376 # endif
377 fra->fra_m = *fin->fin_mp;
378 fra->fra_info.fin_mp = &fra->fra_m;
379 cv_signal(&ipfauthwait);
380 pollwakeup(&iplpollhead[IPL_LOGAUTH], POLLIN|POLLRDNORM);
381 #else
382 fr_authpkts[i] = m;
383 WAKEUP(&fr_authnext,0);
384 #endif
385 return 1;
386 }
387
388
389 /* ------------------------------------------------------------------------ */
390 /* Function: fr_auth_ioctl */
391 /* Returns: int - 0 == success, else error */
392 /* Parameters: data(IO) - pointer to ioctl data */
393 /* cmd(I) - ioctl command */
394 /* mode(I) - mode flags associated with open descriptor */
395 /* uid(I) - uid associatd with application making the call */
396 /* ctx(I) - pointer for context */
397 /* */
398 /* This function handles all of the ioctls recognised by the auth component */
399 /* in IPFilter - ie ioctls called on an open fd for /dev/ipauth */
400 /* ------------------------------------------------------------------------ */
fr_auth_ioctl(data,cmd,mode,uid,ctx)401 int fr_auth_ioctl(data, cmd, mode, uid, ctx)
402 caddr_t data;
403 ioctlcmd_t cmd;
404 int mode, uid;
405 void *ctx;
406 {
407 int error = 0, i;
408 SPL_INT(s);
409
410 switch (cmd)
411 {
412 case SIOCGENITER :
413 {
414 ipftoken_t *token;
415 ipfgeniter_t iter;
416
417 error = fr_inobj(data, &iter, IPFOBJ_GENITER);
418 if (error != 0)
419 break;
420
421 SPL_SCHED(s);
422 token = ipf_findtoken(IPFGENITER_AUTH, uid, ctx);
423 if (token != NULL)
424 error = fr_authgeniter(token, &iter);
425 else
426 error = ESRCH;
427 RWLOCK_EXIT(&ipf_tokens);
428 SPL_X(s);
429
430 break;
431 }
432
433 case SIOCADAFR :
434 case SIOCRMAFR :
435 if (!(mode & FWRITE))
436 error = EPERM;
437 else
438 error = frrequest(IPL_LOGAUTH, cmd, data,
439 fr_active, 1);
440 break;
441
442 case SIOCSTLCK :
443 if (!(mode & FWRITE)) {
444 error = EPERM;
445 break;
446 }
447 error = fr_lock(data, &fr_auth_lock);
448 break;
449
450 case SIOCATHST:
451 fr_authstats.fas_faelist = fae_list;
452 error = fr_outobj(data, &fr_authstats, IPFOBJ_AUTHSTAT);
453 break;
454
455 case SIOCIPFFL:
456 SPL_NET(s);
457 WRITE_ENTER(&ipf_auth);
458 i = fr_authflush();
459 RWLOCK_EXIT(&ipf_auth);
460 SPL_X(s);
461 error = BCOPYOUT((char *)&i, data, sizeof(i));
462 if (error != 0)
463 error = EFAULT;
464 break;
465
466 case SIOCAUTHW:
467 error = fr_authwait(data);
468 break;
469
470 case SIOCAUTHR:
471 error = fr_authreply(data);
472 break;
473
474 default :
475 error = EINVAL;
476 break;
477 }
478 return error;
479 }
480
481
482 /* ------------------------------------------------------------------------ */
483 /* Function: fr_authunload */
484 /* Returns: None */
485 /* Parameters: None */
486 /* */
487 /* Free all network buffer memory used to keep saved packets. */
488 /* ------------------------------------------------------------------------ */
fr_authunload()489 void fr_authunload()
490 {
491 register int i;
492 register frauthent_t *fae, **faep;
493 frentry_t *fr, **frp;
494 mb_t *m;
495
496 if (fr_auth != NULL) {
497 KFREES(fr_auth, fr_authsize * sizeof(*fr_auth));
498 fr_auth = NULL;
499 }
500
501 if (fr_authpkts != NULL) {
502 for (i = 0; i < fr_authsize; i++) {
503 m = fr_authpkts[i];
504 if (m != NULL) {
505 FREE_MB_T(m);
506 fr_authpkts[i] = NULL;
507 }
508 }
509 KFREES(fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
510 fr_authpkts = NULL;
511 }
512
513 faep = &fae_list;
514 while ((fae = *faep) != NULL) {
515 *faep = fae->fae_next;
516 KFREE(fae);
517 }
518 ipauth = NULL;
519
520 if (fr_authlist != NULL) {
521 for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
522 if (fr->fr_ref == 1) {
523 *frp = fr->fr_next;
524 KFREE(fr);
525 } else
526 frp = &fr->fr_next;
527 }
528 }
529
530 if (fr_auth_init == 1) {
531 # if SOLARIS && defined(_KERNEL)
532 cv_destroy(&ipfauthwait);
533 # endif
534 MUTEX_DESTROY(&ipf_authmx);
535 RW_DESTROY(&ipf_auth);
536
537 fr_auth_init = 0;
538 }
539 }
540
541
542 /* ------------------------------------------------------------------------ */
543 /* Function: fr_authexpire */
544 /* Returns: None */
545 /* Parameters: None */
546 /* */
547 /* Slowly expire held auth records. Timeouts are set in expectation of */
548 /* this being called twice per second. */
549 /* ------------------------------------------------------------------------ */
fr_authexpire()550 void fr_authexpire()
551 {
552 frauthent_t *fae, **faep;
553 frentry_t *fr, **frp;
554 frauth_t *fra;
555 mb_t *m;
556 int i;
557 SPL_INT(s);
558
559 if (fr_auth_lock)
560 return;
561
562 SPL_NET(s);
563 WRITE_ENTER(&ipf_auth);
564 for (i = 0, fra = fr_auth; i < fr_authsize; i++, fra++) {
565 fra->fra_age--;
566 if ((fra->fra_age == 0) && (m = fr_authpkts[i])) {
567 FREE_MB_T(m);
568 fr_authpkts[i] = NULL;
569 fr_auth[i].fra_index = -1;
570 fr_authstats.fas_expire++;
571 fr_authused--;
572 }
573 }
574
575 /*
576 * Expire pre-auth rules
577 */
578 for (faep = &fae_list; ((fae = *faep) != NULL); ) {
579 fae->fae_age--;
580 if (fae->fae_age == 0) {
581 fr_authderef(&fae);
582 fr_authstats.fas_expire++;
583 } else
584 faep = &fae->fae_next;
585 }
586 if (fae_list != NULL)
587 ipauth = &fae_list->fae_fr;
588 else
589 ipauth = NULL;
590
591 for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
592 if (fr->fr_ref == 1) {
593 *frp = fr->fr_next;
594 KFREE(fr);
595 } else
596 frp = &fr->fr_next;
597 }
598 RWLOCK_EXIT(&ipf_auth);
599 SPL_X(s);
600 }
601
602
603 /* ------------------------------------------------------------------------ */
604 /* Function: fr_preauthcmd */
605 /* Returns: int - 0 == success, else error */
606 /* Parameters: cmd(I) - ioctl command for rule */
607 /* fr(I) - pointer to ipf rule */
608 /* fptr(I) - pointer to caller's 'fr' */
609 /* */
610 /* ------------------------------------------------------------------------ */
fr_preauthcmd(cmd,fr,frptr)611 int fr_preauthcmd(cmd, fr, frptr)
612 ioctlcmd_t cmd;
613 frentry_t *fr, **frptr;
614 {
615 frauthent_t *fae, **faep;
616 int error = 0;
617 SPL_INT(s);
618
619 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR))
620 return EIO;
621
622 for (faep = &fae_list; ((fae = *faep) != NULL); ) {
623 if (&fae->fae_fr == fr)
624 break;
625 else
626 faep = &fae->fae_next;
627 }
628
629 if (cmd == (ioctlcmd_t)SIOCRMAFR) {
630 if (fr == NULL || frptr == NULL)
631 error = EINVAL;
632 else if (fae == NULL)
633 error = ESRCH;
634 else {
635 SPL_NET(s);
636 WRITE_ENTER(&ipf_auth);
637 *faep = fae->fae_next;
638 if (ipauth == &fae->fae_fr)
639 ipauth = fae_list ? &fae_list->fae_fr : NULL;
640 RWLOCK_EXIT(&ipf_auth);
641 SPL_X(s);
642
643 KFREE(fae);
644 }
645 } else if (fr != NULL && frptr != NULL) {
646 KMALLOC(fae, frauthent_t *);
647 if (fae != NULL) {
648 bcopy((char *)fr, (char *)&fae->fae_fr,
649 sizeof(*fr));
650 SPL_NET(s);
651 WRITE_ENTER(&ipf_auth);
652 fae->fae_age = fr_defaultauthage;
653 fae->fae_fr.fr_hits = 0;
654 fae->fae_fr.fr_next = *frptr;
655 fae->fae_ref = 1;
656 *frptr = &fae->fae_fr;
657 fae->fae_next = *faep;
658 *faep = fae;
659 ipauth = &fae_list->fae_fr;
660 RWLOCK_EXIT(&ipf_auth);
661 SPL_X(s);
662 } else
663 error = ENOMEM;
664 } else
665 error = EINVAL;
666 return error;
667 }
668
669
670 /* ------------------------------------------------------------------------ */
671 /* Function: fr_authflush */
672 /* Returns: int - number of auth entries flushed */
673 /* Parameters: None */
674 /* Locks: WRITE(ipf_auth) */
675 /* */
676 /* This function flushs the fr_authpkts array of any packet data with */
677 /* references still there. */
678 /* It is expected that the caller has already acquired the correct locks or */
679 /* set the priority level correctly for this to block out other code paths */
680 /* into these data structures. */
681 /* ------------------------------------------------------------------------ */
fr_authflush()682 int fr_authflush()
683 {
684 register int i, num_flushed;
685 mb_t *m;
686
687 if (fr_auth_lock)
688 return -1;
689
690 num_flushed = 0;
691
692 for (i = 0 ; i < fr_authsize; i++) {
693 m = fr_authpkts[i];
694 if (m != NULL) {
695 FREE_MB_T(m);
696 fr_authpkts[i] = NULL;
697 fr_auth[i].fra_index = -1;
698 /* perhaps add & use a flush counter inst.*/
699 fr_authstats.fas_expire++;
700 fr_authused--;
701 num_flushed++;
702 }
703 }
704
705 fr_authstart = 0;
706 fr_authend = 0;
707 fr_authnext = 0;
708
709 return num_flushed;
710 }
711
712
713 /* ------------------------------------------------------------------------ */
714 /* Function: fr_auth_waiting */
715 /* Returns: int - 0 = no pakcets wiating, 1 = packets waiting. */
716 /* Parameters: None */
717 /* */
718 /* Simple truth check to see if there are any packets waiting in the auth */
719 /* queue. */
720 /* ------------------------------------------------------------------------ */
fr_auth_waiting()721 int fr_auth_waiting()
722 {
723 return (fr_authused != 0);
724 }
725
726
727 /* ------------------------------------------------------------------------ */
728 /* Function: fr_authgeniter */
729 /* Returns: int - 0 == success, else error */
730 /* Parameters: token(I) - pointer to ipftoken structure */
731 /* itp(I) - pointer to ipfgeniter structure */
732 /* */
733 /* ------------------------------------------------------------------------ */
fr_authgeniter(token,itp)734 int fr_authgeniter(token, itp)
735 ipftoken_t *token;
736 ipfgeniter_t *itp;
737 {
738 frauthent_t *fae, *next, zero;
739 int error;
740
741 if (itp->igi_data == NULL)
742 return EFAULT;
743
744 if (itp->igi_type != IPFGENITER_AUTH)
745 return EINVAL;
746
747 fae = token->ipt_data;
748 READ_ENTER(&ipf_auth);
749 if (fae == NULL) {
750 next = fae_list;
751 } else {
752 next = fae->fae_next;
753 }
754
755 if (next != NULL) {
756 /*
757 * If we find an auth entry to use, bump its reference count
758 * so that it can be used for is_next when we come back.
759 */
760 ATOMIC_INC(next->fae_ref);
761 if (next->fae_next == NULL) {
762 ipf_freetoken(token);
763 token = NULL;
764 } else {
765 token->ipt_data = next;
766 }
767 } else {
768 bzero(&zero, sizeof(zero));
769 next = &zero;
770 }
771 RWLOCK_EXIT(&ipf_auth);
772
773 /*
774 * If we had a prior pointer to an auth entry, release it.
775 */
776 if (fae != NULL) {
777 WRITE_ENTER(&ipf_auth);
778 fr_authderef(&fae);
779 RWLOCK_EXIT(&ipf_auth);
780 }
781
782 /*
783 * This should arguably be via fr_outobj() so that the auth
784 * structure can (if required) be massaged going out.
785 */
786 error = COPYOUT(next, itp->igi_data, sizeof(*next));
787 if (error != 0)
788 error = EFAULT;
789
790 return error;
791 }
792
793
794 /* ------------------------------------------------------------------------ */
795 /* Function: fr_authderef */
796 /* Returns: None */
797 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */
798 /* Locks: WRITE(ipf_auth) */
799 /* */
800 /* This function unconditionally sets the pointer in the caller to NULL, */
801 /* to make it clear that it should no longer use that pointer, and drops */
802 /* the reference count on the structure by 1. If it reaches 0, free it up. */
803 /* ------------------------------------------------------------------------ */
fr_authderef(faep)804 void fr_authderef(faep)
805 frauthent_t **faep;
806 {
807 frauthent_t *fae;
808
809 fae = *faep;
810 *faep = NULL;
811
812 fae->fae_ref--;
813 if (fae->fae_ref == 0) {
814 KFREE(fae);
815 }
816 }
817
818
819 /* ------------------------------------------------------------------------ */
820 /* Function: fr_authwait */
821 /* Returns: int - 0 == success, else error */
822 /* Parameters: data(I) - pointer to data from ioctl call */
823 /* */
824 /* This function is called when an application is waiting for a packet to */
825 /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */
826 /* a packet waiting on the queue then we will return that _one_ immediately.*/
827 /* If there are no packets present in the queue (fr_authpkts) then we go to */
828 /* sleep. */
829 /* ------------------------------------------------------------------------ */
fr_authwait(data)830 int fr_authwait(data)
831 char *data;
832 {
833 frauth_t auth, *au = &auth;
834 int error, len, i;
835 mb_t *m;
836 char *t;
837 #if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \
838 (!defined(__FreeBSD_version) || (__FreeBSD_version < 501000))
839 SPL_INT(s);
840 #endif
841
842 fr_authioctlloop:
843 error = fr_inobj(data, au, IPFOBJ_FRAUTH);
844 if (error != 0)
845 return error;
846
847 /*
848 * XXX Locks are held below over calls to copyout...a better
849 * solution needs to be found so this isn't necessary. The situation
850 * we are trying to guard against here is an error in the copyout
851 * steps should not cause the packet to "disappear" from the queue.
852 */
853 READ_ENTER(&ipf_auth);
854
855 /*
856 * If fr_authnext is not equal to fr_authend it will be because there
857 * is a packet waiting to be delt with in the fr_authpkts array. We
858 * copy as much of that out to user space as requested.
859 */
860 if (fr_authused > 0) {
861 while (fr_authpkts[fr_authnext] == NULL) {
862 fr_authnext++;
863 if (fr_authnext == fr_authsize)
864 fr_authnext = 0;
865 }
866
867 error = fr_outobj(data, &fr_auth[fr_authnext], IPFOBJ_FRAUTH);
868 if (error != 0)
869 return error;
870
871 if (auth.fra_len != 0 && auth.fra_buf != NULL) {
872 /*
873 * Copy packet contents out to user space if
874 * requested. Bail on an error.
875 */
876 m = fr_authpkts[fr_authnext];
877 len = MSGDSIZE(m);
878 if (len > auth.fra_len)
879 len = auth.fra_len;
880 auth.fra_len = len;
881
882 for (t = auth.fra_buf; m && (len > 0); ) {
883 i = MIN(M_LEN(m), len);
884 error = copyoutptr(MTOD(m, char *), &t, i);
885 len -= i;
886 t += i;
887 if (error != 0)
888 return error;
889 m = m->m_next;
890 }
891 }
892 RWLOCK_EXIT(&ipf_auth);
893
894 SPL_NET(s);
895 WRITE_ENTER(&ipf_auth);
896 fr_authnext++;
897 if (fr_authnext == fr_authsize)
898 fr_authnext = 0;
899 RWLOCK_EXIT(&ipf_auth);
900 SPL_X(s);
901
902 return 0;
903 }
904 RWLOCK_EXIT(&ipf_auth);
905
906 MUTEX_ENTER(&ipf_authmx);
907 #ifdef _KERNEL
908 # if SOLARIS
909 error = 0;
910 if (!cv_wait_sig(&ipfauthwait, &ipf_authmx.ipf_lk))
911 error = EINTR;
912 # else /* SOLARIS */
913 # ifdef __hpux
914 {
915 lock_t *l;
916
917 l = get_sleep_lock(&fr_authnext);
918 error = sleep(&fr_authnext, PZERO+1);
919 spinunlock(l);
920 }
921 # else
922 # ifdef __osf__
923 error = mpsleep(&fr_authnext, PSUSP|PCATCH, "fr_authnext", 0,
924 &ipf_authmx, MS_LOCK_SIMPLE);
925 # else
926 error = SLEEP(&fr_authnext, "fr_authnext");
927 # endif /* __osf__ */
928 # endif /* __hpux */
929 # endif /* SOLARIS */
930 #endif
931 MUTEX_EXIT(&ipf_authmx);
932 if (error == 0)
933 goto fr_authioctlloop;
934 return error;
935 }
936
937
938 /* ------------------------------------------------------------------------ */
939 /* Function: fr_authreply */
940 /* Returns: int - 0 == success, else error */
941 /* Parameters: data(I) - pointer to data from ioctl call */
942 /* */
943 /* This function is called by an application when it wants to return a */
944 /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */
945 /* received information using an SIOCAUTHW. The decision returned in the */
946 /* form of flags, the same as those used in each rule. */
947 /* ------------------------------------------------------------------------ */
fr_authreply(data)948 int fr_authreply(data)
949 char *data;
950 {
951 frauth_t auth, *au = &auth, *fra;
952 int error, i;
953 mb_t *m;
954 SPL_INT(s);
955
956 error = fr_inobj(data, &auth, IPFOBJ_FRAUTH);
957 if (error != 0)
958 return error;
959
960 SPL_NET(s);
961 WRITE_ENTER(&ipf_auth);
962
963 i = au->fra_index;
964 fra = fr_auth + i;
965 error = 0;
966
967 /*
968 * Check the validity of the information being returned with two simple
969 * checks. First, the auth index value should be within the size of
970 * the array and second the packet id being returned should also match.
971 */
972 if ((i < 0) || (i >= fr_authsize) ||
973 (fra->fra_info.fin_id != au->fra_info.fin_id)) {
974 RWLOCK_EXIT(&ipf_auth);
975 SPL_X(s);
976 return ESRCH;
977 }
978
979 m = fr_authpkts[i];
980 fra->fra_index = -2;
981 fra->fra_pass = au->fra_pass;
982 fr_authpkts[i] = NULL;
983
984 RWLOCK_EXIT(&ipf_auth);
985
986 /*
987 * Re-insert the packet back into the packet stream flowing through
988 * the kernel in a manner that will mean IPFilter sees the packet
989 * again. This is not the same as is done with fastroute,
990 * deliberately, as we want to resume the normal packet processing
991 * path for it.
992 */
993 #ifdef _KERNEL
994 if ((m != NULL) && (au->fra_info.fin_out != 0)) {
995 error = ipf_inject(&fra->fra_info, m);
996 if (error != 0) {
997 error = ENOBUFS;
998 fr_authstats.fas_sendfail++;
999 } else {
1000 fr_authstats.fas_sendok++;
1001 }
1002 } else if (m) {
1003 error = ipf_inject(&fra->fra_info, m);
1004 if (error != 0) {
1005 error = ENOBUFS;
1006 fr_authstats.fas_quefail++;
1007 } else {
1008 fr_authstats.fas_queok++;
1009 }
1010 } else {
1011 error = EINVAL;
1012 }
1013
1014 /*
1015 * If we experience an error which will result in the packet
1016 * not being processed, make sure we advance to the next one.
1017 */
1018 if (error == ENOBUFS) {
1019 WRITE_ENTER(&ipf_auth);
1020 fr_authused--;
1021 fra->fra_index = -1;
1022 fra->fra_pass = 0;
1023 if (i == fr_authstart) {
1024 while (fra->fra_index == -1) {
1025 i++;
1026 if (i == fr_authsize)
1027 i = 0;
1028 fr_authstart = i;
1029 if (i == fr_authend)
1030 break;
1031 }
1032 if (fr_authstart == fr_authend) {
1033 fr_authnext = 0;
1034 fr_authstart = fr_authend = 0;
1035 }
1036 }
1037 RWLOCK_EXIT(&ipf_auth);
1038 }
1039 #endif /* _KERNEL */
1040 SPL_X(s);
1041
1042 return 0;
1043 }
1044