1 /*
2  * Copyright (c) 2014 - 2018 The DragonFly Project.  All rights reserved.
3  *
4  * This code is derived from software contributed to The DragonFly Project
5  * by Bill Yuan <bycn82@dragonflybsd.org>
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in
15  *    the documentation and/or other materials provided with the
16  *    distribution.
17  * 3. Neither the name of The DragonFly Project nor the names of its
18  *    contributors may be used to endorse or promote products derived
19  *    from this software without specific, prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
25  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26  * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
27  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
29  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
30  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
31  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  */
34 
35 #include "opt_ipfw.h"
36 #include "opt_inet.h"
37 #ifndef INET
38 #error IPFIREWALL3 requires INET.
39 #endif /* INET */
40 
41 #include <sys/systm.h>
42 #include <sys/kernel.h>
43 #include <sys/malloc.h>
44 #include <sys/socketvar.h>
45 #include <sys/sysctl.h>
46 #include <sys/systimer.h>
47 #include <sys/param.h>
48 #include <sys/ucred.h>
49 
50 #include <net/if.h>
51 #include <net/bpf.h>
52 #include <net/ethernet.h>
53 #include <net/netmsg2.h>
54 #include <net/netisr2.h>
55 #include <net/route.h>
56 
57 #include <netinet/in_var.h>
58 #include <netinet/ip_var.h>
59 #include <netinet/in.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/in_pcb.h>
62 #include <netinet/ip.h>
63 #include <netinet/ip_icmp.h>
64 #include <netinet/tcp.h>
65 #include <netinet/tcp_timer.h>
66 #include <netinet/tcp_var.h>
67 #include <netinet/tcpip.h>
68 #include <netinet/udp.h>
69 #include <netinet/udp_var.h>
70 #include <netinet/if_ether.h>
71 
72 #include <net/ipfw3/ip_fw.h>
73 
74 #include "ip_fw3_layer4.h"
75 
/*
 * Filter callbacks for the layer-4 opcodes of ipfw3.  They all share one
 * signature so that ip_fw3_layer4_init() can hand them to
 * ip_fw3_register_filter_funcs().  Each callback leaves its verdict in
 * *cmd_val and the control action for the rule engine in *cmd_ctl.
 */
void
check_tcpflag(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_uid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_gid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_established(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
void
check_bpf(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len);
91 
/*
 * ip_fw3_match_guid - match the flow in 'fid' against a socket owner.
 *
 * Looks up the TCP or UDP PCB the flow belongs to and compares the
 * credential of its socket with the rule argument:
 *   O_LAYER4_UID:      the socket's cr_uid must equal 'uid';
 *   any other opcode:  'uid' is taken as a gid (check_gid() passes one)
 *                      and must be a group of the socket's credential.
 *
 * 'fid' is in host byte order.  'oif' is the outgoing interface for
 * output, NULL for input, and decides which end of the flow is local.
 * Returns 1 on a match, 0 on no match, unsupported protocol, or when
 * no PCB/socket is found.
 *
 * NOTE(review): only the pcbinfo of the current CPU is searched, so this
 * presumably runs in the netisr owning the flow - confirm with the caller.
 * For UDP the lookup is done with wildcard matching enabled.
 */
static int
ip_fw3_match_guid(const struct ipfw_flow_id *fid, struct ifnet *oif,
		    int opcode, uid_t uid)
{
	struct inpcbinfo *pcbinfo;
	struct inpcb *inp;
	struct socket *so;
	struct in_addr laddr, faddr;
	uint16_t lport, fport;
	boolean_t wildcard;

	switch (fid->proto) {
	case IPPROTO_TCP:
		pcbinfo = &tcbinfo[mycpuid];
		wildcard = FALSE;
		break;
	case IPPROTO_UDP:
		pcbinfo = &udbinfo[mycpuid];
		wildcard = TRUE;
		break;
	default:
		return 0;
	}

	/*
	 * in_pcblookup_hash() takes (foreign, local).  On output the local
	 * end is the source of the flow, on input it is the destination.
	 * Values in 'fid' are in host byte order.
	 */
	if (oif != NULL) {
		faddr.s_addr = htonl(fid->dst_ip);
		fport = htons(fid->dst_port);
		laddr.s_addr = htonl(fid->src_ip);
		lport = htons(fid->src_port);
	} else {
		faddr.s_addr = htonl(fid->src_ip);
		fport = htons(fid->src_port);
		laddr.s_addr = htonl(fid->dst_ip);
		lport = htons(fid->dst_port);
	}
	inp = in_pcblookup_hash(pcbinfo, faddr, fport, laddr, lport,
				wildcard, oif);
	if (inp == NULL)
		return 0;
	so = inp->inp_socket;
	if (so == NULL)
		return 0;

	if (opcode == O_LAYER4_UID)
		return (so->so_cred->cr_uid == uid);
	return groupmember(uid, so->so_cred);
}
142 
/*
 * check_tcpflag - O_LAYER4_TCPFLAG filter callback.
 *
 * Not implemented yet: nothing in the packet or the rule is inspected,
 * *cmd_val is set to 0 (presumably IP_FW_NOT_MATCH - the other callbacks
 * use the symbolic name; confirm) and rule evaluation continues
 * (IP_FW_CTL_NO).
 */
void
check_tcpflag(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	/* XXX TODO check tcpflag */
	*cmd_val = 0;
	*cmd_ctl = IP_FW_CTL_NO;
}
151 
/*
 * check_uid - O_LAYER4_UID filter callback.
 *
 * The uid to match is the first u32 argument of the instruction.  The
 * packet's flow is resolved to its local socket by ip_fw3_match_guid()
 * and *cmd_val receives that result; rule evaluation continues
 * (IP_FW_CTL_NO).  'f' and 'ip_len' are not used.
 */
void
check_uid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	struct ip_fw_args *fwa = *args;
	const ipfw_insn_u32 *insn = (const ipfw_insn_u32 *)cmd;
	uid_t want = (uid_t)insn->d[0];

	*cmd_val = ip_fw3_match_guid(&fwa->f_id, fwa->oif, cmd->opcode, want);
	*cmd_ctl = IP_FW_CTL_NO;
}
160 
/*
 * check_gid - O_LAYER4_GID filter callback.
 *
 * The gid to match is the first u32 argument of the instruction.  It is
 * handed to ip_fw3_match_guid() through its uid_t parameter; with an
 * opcode other than O_LAYER4_UID that function treats the value as a
 * gid and checks group membership of the socket's credential.
 * *cmd_val receives the result; rule evaluation continues (IP_FW_CTL_NO).
 * 'f' and 'ip_len' are not used.
 */
void
check_gid(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	struct ip_fw_args *fwa = *args;
	const ipfw_insn_u32 *insn = (const ipfw_insn_u32 *)cmd;
	gid_t want = (gid_t)insn->d[0];

	*cmd_val = ip_fw3_match_guid(&fwa->f_id, fwa->oif, cmd->opcode, want);
	*cmd_ctl = IP_FW_CTL_NO;
}
169 
/*
 * check_established - O_LAYER4_ESTABLISHED filter callback.
 *
 * Matches TCP segments that are not a bare SYN, i.e. whose RST/ACK/SYN
 * bits are anything other than SYN alone.  Non-TCP packets never match.
 * Rule evaluation always continues (IP_FW_CTL_NO).  'f', 'cmd' and
 * 'ip_len' are not used.
 *
 * NOTE(review): the flags are read from the bytes directly after the IP
 * header.  The classic ipfw test also required a zero fragment offset
 * (the "offset == 0 &&" remnant below); without it a non-first TCP
 * fragment is classified by payload bytes, and 'ip_len' is never checked
 * against the header size.  Confirm the caller rejects fragments and
 * short packets before dispatching here.
 */
void
check_established(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	const struct ipfw_flow_id *flow = &(*args)->f_id;
	struct ip *ip = mtod((*args)->m, struct ip *);
	int established = 0;

	*cmd_ctl = IP_FW_CTL_NO;
	if (flow->proto == IPPROTO_TCP) {
		/* offset == 0 && */
		const struct tcphdr *th = L3HDR(struct tcphdr, ip);
		int flags = th->th_flags & (TH_RST | TH_ACK | TH_SYN);

		established = (flags != TH_SYN);
	}
	*cmd_val = established ? IP_FW_MATCH : IP_FW_NOT_MATCH;
}
192 
/*
 * check_bpf - O_LAYER4_BPF filter callback.
 *
 * Runs the BPF program stored in the rule (ipfw_insn_bpf bf_insn) over
 * the packet.  bpf_filter() is given the mbuf chain with a buffer length
 * of 0, the BPF convention for "the packet is an mbuf chain"; m_lengthm()
 * supplies the total packet length.  A non-zero snap length means the
 * program accepted the packet.  Rule evaluation always continues
 * (IP_FW_CTL_NO).  'f' and 'ip_len' are not used.
 *
 * NOTE(review): bf_insn comes from the rule that userland installed.
 * bpf_filter() does not verify the program it executes, so make sure it
 * was checked with bpf_validate() when the rule was loaded.
 */
void
check_bpf(int *cmd_ctl, int *cmd_val, struct ip_fw_args **args,
		    struct ip_fw **f, ipfw_insn *cmd, uint16_t ip_len)
{
	struct mbuf *pkt = (*args)->m;
	const ipfw_insn_bpf *prog = (const ipfw_insn_bpf *)cmd;
	u_int snaplen;

	*cmd_ctl = IP_FW_CTL_NO;
	snaplen = bpf_filter(prog->bf_insn, (u_char *)pkt,
			     m_lengthm(pkt, NULL), 0);
	*cmd_val = (snaplen != 0) ? IP_FW_MATCH : IP_FW_NOT_MATCH;
}
207 
208 
/*
 * ip_fw3_layer4_init - MOD_LOAD handler.
 *
 * Registers this module with the ipfw3 core, then installs one filter
 * callback per layer-4 opcode in the order of the table below.  The
 * return values of the registration calls are not checked; always
 * returns 0.
 */
static int
ip_fw3_layer4_init(void)
{
	static const struct {
		int opcode;
		filter_func func;
	} filters[] = {
		{ O_LAYER4_TCPFLAG,	(filter_func)check_tcpflag },
		{ O_LAYER4_UID,		(filter_func)check_uid },
		{ O_LAYER4_GID,		(filter_func)check_gid },
		{ O_LAYER4_ESTABLISHED,	(filter_func)check_established },
		{ O_LAYER4_BPF,		(filter_func)check_bpf },
	};
	unsigned int i;

	ip_fw3_register_module(MODULE_LAYER4_ID, MODULE_LAYER4_NAME);
	for (i = 0; i < sizeof(filters) / sizeof(filters[0]); i++) {
		ip_fw3_register_filter_funcs(MODULE_LAYER4_ID,
		    filters[i].opcode, filters[i].func);
	}
	return 0;
}
225 
/*
 * ip_fw3_layer4_stop - MOD_UNLOAD handler.
 *
 * Unregisters the module from the ipfw3 core and returns whatever
 * ip_fw3_unregister_module() returns, so a refusal by the core
 * propagates to the module event handler.
 */
static int
ip_fw3_layer4_stop(void)
{
	int error;

	error = ip_fw3_unregister_module(MODULE_LAYER4_ID);
	return error;
}
231 
/*
 * ipfw3_layer4_modevent - kernel module event handler.
 *
 * MOD_LOAD is forwarded to ip_fw3_layer4_init() and MOD_UNLOAD to
 * ip_fw3_layer4_stop(); any other event type is accepted with 0.
 * 'mod' and 'data' are not used.
 */
static int
ipfw3_layer4_modevent(module_t mod, int type, void *data)
{
	int error = 0;

	if (type == MOD_LOAD)
		error = ip_fw3_layer4_init();
	else if (type == MOD_UNLOAD)
		error = ip_fw3_layer4_stop();
	return error;
}
245 
/*
 * Module glue: the module is declared at SI_SUB_PROTO_END and depends on
 * ipfw3_basic (version range 1..1, preferred 1).
 */
static moduledata_t ipfw3_layer4_mod = {
	.name = "ipfw3_layer4",
	.evhand = ipfw3_layer4_modevent,
	.priv = NULL,
};
DECLARE_MODULE(ipfw3_layer4, ipfw3_layer4_mod, SI_SUB_PROTO_END, SI_ORDER_ANY);
MODULE_DEPEND(ipfw3_layer4, ipfw3_basic, 1, 1, 1);
MODULE_VERSION(ipfw3_layer4, 1);
254