| 1 | /* $NetBSD: ip_auth.c,v 1.5 2014/05/30 02:16:17 rmind Exp $ */ |
| 2 | |
| 3 | /* |
| 4 | * Copyright (C) 2012 by Darren Reed. |
| 5 | * |
| 6 | * See the IPFILTER.LICENCE file for details on licencing. |
| 7 | */ |
| 8 | #if defined(KERNEL) || defined(_KERNEL) |
| 9 | # undef KERNEL |
| 10 | # undef _KERNEL |
| 11 | # define KERNEL 1 |
| 12 | # define _KERNEL 1 |
| 13 | #endif |
| 14 | #if defined(__NetBSD__) |
| 15 | #include <sys/cdefs.h> |
| 16 | #endif |
| 17 | #include <sys/errno.h> |
| 18 | #include <sys/types.h> |
| 19 | #include <sys/param.h> |
| 20 | #include <sys/time.h> |
| 21 | #include <sys/file.h> |
| 22 | #if !defined(_KERNEL) |
| 23 | # include <stdio.h> |
| 24 | # include <stdlib.h> |
| 25 | # ifdef _STDC_C99 |
| 26 | # include <stdbool.h> |
| 27 | # endif |
| 28 | # include <string.h> |
| 29 | # define _KERNEL |
| 30 | # ifdef __OpenBSD__ |
| 31 | struct file; |
| 32 | # endif |
| 33 | # include <sys/uio.h> |
| 34 | # undef _KERNEL |
| 35 | #endif |
| 36 | #if defined(_KERNEL) && (__FreeBSD_version >= 220000) |
| 37 | # include <sys/filio.h> |
| 38 | # include <sys/fcntl.h> |
| 39 | #else |
| 40 | # include <sys/ioctl.h> |
| 41 | #endif |
| 42 | #if !defined(linux) |
| 43 | # include <sys/protosw.h> |
| 44 | #endif |
| 45 | #include <sys/socket.h> |
| 46 | #if defined(_KERNEL) |
| 47 | # include <sys/systm.h> |
| 48 | # if !defined(__SVR4) && !defined(__svr4__) && !defined(linux) |
| 49 | # include <sys/mbuf.h> |
| 50 | # endif |
| 51 | #endif |
| 52 | #if defined(__SVR4) || defined(__svr4__) |
| 53 | # include <sys/filio.h> |
| 54 | # include <sys/byteorder.h> |
| 55 | # ifdef _KERNEL |
| 56 | # include <sys/dditypes.h> |
| 57 | # endif |
| 58 | # include <sys/stream.h> |
| 59 | # include <sys/kmem.h> |
| 60 | #endif |
| 61 | #if (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) || \ |
| 62 | (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000)) |
| 63 | # include <sys/queue.h> |
| 64 | #endif |
| 65 | #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi) |
| 66 | # include <machine/cpu.h> |
| 67 | #endif |
| 68 | #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000) |
| 69 | # include <sys/proc.h> |
| 70 | #endif |
| 71 | #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \ |
| 72 | !defined(_KERNEL) |
| 73 | # include <stdbool.h> |
| 74 | #endif |
| 75 | #include <net/if.h> |
| 76 | #include <net/route.h> |
| 77 | #ifdef sun |
| 78 | # include <net/af.h> |
| 79 | #endif |
| 80 | #include <netinet/in.h> |
| 81 | #include <netinet/in_systm.h> |
| 82 | #include <netinet/ip.h> |
| 83 | #if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi) |
| 84 | # define KERNEL |
| 85 | # define _KERNEL |
| 86 | # define NOT_KERNEL |
| 87 | #endif |
| 88 | #if !defined(linux) |
| 89 | # include <netinet/ip_var.h> |
| 90 | #endif |
| 91 | #ifdef NOT_KERNEL |
| 92 | # undef _KERNEL |
| 93 | # undef KERNEL |
| 94 | #endif |
| 95 | #include <netinet/tcp.h> |
| 96 | #if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */ |
| 97 | extern struct ifqueue ipintrq; /* ip packet input queue */ |
| 98 | #else |
| 99 | # if !defined(__hpux) && !defined(linux) |
| 100 | # if __FreeBSD_version >= 300000 |
| 101 | # include <net/if_var.h> |
| 102 | # if __FreeBSD_version >= 500042 |
| 103 | # define IF_QFULL _IF_QFULL |
| 104 | # define IF_DROP _IF_DROP |
| 105 | # endif /* __FreeBSD_version >= 500042 */ |
| 106 | # endif |
| 107 | # include <netinet/in_var.h> |
| 108 | # include <netinet/tcp_fsm.h> |
| 109 | # endif |
| 110 | #endif |
| 111 | #include <netinet/udp.h> |
| 112 | #include <netinet/ip_icmp.h> |
| 113 | #include "netinet/ip_compat.h" |
| 114 | #include <netinet/tcpip.h> |
| 115 | #include "netinet/ip_fil.h" |
| 116 | #include "netinet/ip_auth.h" |
| 117 | #if !defined(MENTAT) && !defined(linux) |
| 118 | # include <net/netisr.h> |
| 119 | # ifdef __FreeBSD__ |
| 120 | # include <machine/cpufunc.h> |
| 121 | # endif |
| 122 | #endif |
| 123 | #if (__FreeBSD_version >= 300000) |
| 124 | # include <sys/malloc.h> |
| 125 | # if defined(_KERNEL) && !defined(IPFILTER_LKM) |
| 126 | # include <sys/libkern.h> |
| 127 | # include <sys/systm.h> |
| 128 | # endif |
| 129 | #endif |
| 130 | /* END OF INCLUDES */ |
| 131 | |
| 132 | #if !defined(lint) |
| 133 | #if defined(__NetBSD__) |
| 134 | __KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.5 2014/05/30 02:16:17 rmind Exp $" ); |
| 135 | #else |
| 136 | static const char rcsid[] = "@(#)Id: ip_auth.c,v 1.1.1.2 2012/07/22 13:45:08 darrenr Exp" ; |
| 137 | #endif |
| 138 | #endif |
| 139 | |
| 140 | |
| 141 | typedef struct ipf_auth_softc_s { |
| 142 | #if SOLARIS && defined(_KERNEL) |
| 143 | kcondvar_t ipf_auth_wait; |
| 144 | #endif /* SOLARIS */ |
| 145 | #if defined(linux) && defined(_KERNEL) |
| 146 | wait_queue_head_t ipf_auth_next_linux; |
| 147 | #endif |
| 148 | ipfrwlock_t ipf_authlk; |
| 149 | ipfmutex_t ipf_auth_mx; |
| 150 | int ipf_auth_size; |
| 151 | int ipf_auth_used; |
| 152 | int ipf_auth_replies; |
| 153 | int ipf_auth_defaultage; |
| 154 | int ipf_auth_lock; |
| 155 | ipf_authstat_t ipf_auth_stats; |
| 156 | frauth_t *ipf_auth; |
| 157 | mb_t **ipf_auth_pkts; |
| 158 | int ipf_auth_start; |
| 159 | int ipf_auth_end; |
| 160 | int ipf_auth_next; |
| 161 | frauthent_t *ipf_auth_entries; |
| 162 | frentry_t *ipf_auth_ip; |
| 163 | frentry_t *ipf_auth_rules; |
| 164 | } ipf_auth_softc_t; |
| 165 | |
| 166 | |
| 167 | static void ipf_auth_deref(frauthent_t **); |
| 168 | static void ipf_auth_deref_unlocked(ipf_auth_softc_t *, frauthent_t **); |
| 169 | static int ipf_auth_geniter(ipf_main_softc_t *, ipftoken_t *, |
| 170 | ipfgeniter_t *, ipfobj_t *); |
| 171 | static int ipf_auth_reply(ipf_main_softc_t *, ipf_auth_softc_t *, char *); |
| 172 | static int ipf_auth_wait(ipf_main_softc_t *, ipf_auth_softc_t *, char *); |
| 173 | static int ipf_auth_flush(void *); |
| 174 | |
| 175 | |
| 176 | /* ------------------------------------------------------------------------ */ |
| 177 | /* Function: ipf_auth_main_load */ |
| 178 | /* Returns: int - 0 == success, else error */ |
| 179 | /* Parameters: None */ |
| 180 | /* */ |
| 181 | /* A null-op function that exists as a placeholder so that the flow in */ |
| 182 | /* other functions is obvious. */ |
| 183 | /* ------------------------------------------------------------------------ */ |
| 184 | int |
| 185 | ipf_auth_main_load(void) |
| 186 | { |
| 187 | return 0; |
| 188 | } |
| 189 | |
| 190 | |
| 191 | /* ------------------------------------------------------------------------ */ |
| 192 | /* Function: ipf_auth_main_unload */ |
| 193 | /* Returns: int - 0 == success, else error */ |
| 194 | /* Parameters: None */ |
| 195 | /* */ |
| 196 | /* A null-op function that exists as a placeholder so that the flow in */ |
| 197 | /* other functions is obvious. */ |
| 198 | /* ------------------------------------------------------------------------ */ |
| 199 | int |
| 200 | ipf_auth_main_unload(void) |
| 201 | { |
| 202 | return 0; |
| 203 | } |
| 204 | |
| 205 | |
| 206 | /* ------------------------------------------------------------------------ */ |
| 207 | /* Function: ipf_auth_soft_create */ |
| 208 | /* Returns: int - NULL = failure, else success */ |
| 209 | /* Parameters: softc(I) - pointer to soft context data */ |
| 210 | /* */ |
| 211 | /* Create a structre to store all of the run-time data for packet auth in */ |
| 212 | /* and initialise some fields to their defaults. */ |
| 213 | /* ------------------------------------------------------------------------ */ |
| 214 | void * |
| 215 | ipf_auth_soft_create(ipf_main_softc_t *softc) |
| 216 | { |
| 217 | ipf_auth_softc_t *softa; |
| 218 | |
| 219 | KMALLOC(softa, ipf_auth_softc_t *); |
| 220 | if (softa == NULL) |
| 221 | return NULL; |
| 222 | |
| 223 | bzero((char *)softa, sizeof(*softa)); |
| 224 | |
| 225 | softa->ipf_auth_size = FR_NUMAUTH; |
| 226 | softa->ipf_auth_defaultage = 600; |
| 227 | |
| 228 | RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock" ); |
| 229 | MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex" ); |
| 230 | #if SOLARIS && defined(_KERNEL) |
| 231 | cv_init(&softa->ipf_auth_wait, "ipf auth condvar" , CV_DRIVER, NULL); |
| 232 | #endif |
| 233 | |
| 234 | return softa; |
| 235 | } |
| 236 | |
| 237 | /* ------------------------------------------------------------------------ */ |
| 238 | /* Function: ipf_auth_soft_init */ |
| 239 | /* Returns: int - 0 == success, else error */ |
| 240 | /* Parameters: softc(I) - pointer to soft context data */ |
| 241 | /* arg(I) - opaque pointer to auth context data */ |
| 242 | /* */ |
| 243 | /* Allocate memory and initialise data structures used in handling auth */ |
| 244 | /* rules. */ |
| 245 | /* ------------------------------------------------------------------------ */ |
| 246 | int |
| 247 | ipf_auth_soft_init(ipf_main_softc_t *softc, void *arg) |
| 248 | { |
| 249 | ipf_auth_softc_t *softa = arg; |
| 250 | |
| 251 | KMALLOCS(softa->ipf_auth, frauth_t *, |
| 252 | softa->ipf_auth_size * sizeof(*softa->ipf_auth)); |
| 253 | if (softa->ipf_auth == NULL) |
| 254 | return -1; |
| 255 | bzero((char *)softa->ipf_auth, |
| 256 | softa->ipf_auth_size * sizeof(*softa->ipf_auth)); |
| 257 | |
| 258 | KMALLOCS(softa->ipf_auth_pkts, mb_t **, |
| 259 | softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); |
| 260 | if (softa->ipf_auth_pkts == NULL) |
| 261 | return -2; |
| 262 | bzero((char *)softa->ipf_auth_pkts, |
| 263 | softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); |
| 264 | |
| 265 | #if defined(linux) && defined(_KERNEL) |
| 266 | init_waitqueue_head(&softa->ipf_auth_next_linux); |
| 267 | #endif |
| 268 | |
| 269 | return 0; |
| 270 | } |
| 271 | |
| 272 | |
| 273 | /* ------------------------------------------------------------------------ */ |
| 274 | /* Function: ipf_auth_soft_fini */ |
| 275 | /* Returns: int - 0 == success, else error */ |
| 276 | /* Parameters: softc(I) - pointer to soft context data */ |
| 277 | /* arg(I) - opaque pointer to auth context data */ |
| 278 | /* */ |
| 279 | /* Free all network buffer memory used to keep saved packets that have been */ |
| 280 | /* connectedd to the soft soft context structure *but* do not free that: it */ |
| 281 | /* is free'd by _destroy(). */ |
| 282 | /* ------------------------------------------------------------------------ */ |
| 283 | int |
| 284 | ipf_auth_soft_fini(ipf_main_softc_t *softc, void *arg) |
| 285 | { |
| 286 | ipf_auth_softc_t *softa = arg; |
| 287 | frauthent_t *fae, **faep; |
| 288 | frentry_t *fr, **frp; |
| 289 | mb_t *m; |
| 290 | int i; |
| 291 | |
| 292 | if (softa->ipf_auth != NULL) { |
| 293 | KFREES(softa->ipf_auth, |
| 294 | softa->ipf_auth_size * sizeof(*softa->ipf_auth)); |
| 295 | softa->ipf_auth = NULL; |
| 296 | } |
| 297 | |
| 298 | if (softa->ipf_auth_pkts != NULL) { |
| 299 | for (i = 0; i < softa->ipf_auth_size; i++) { |
| 300 | m = softa->ipf_auth_pkts[i]; |
| 301 | if (m != NULL) { |
| 302 | FREE_MB_T(m); |
| 303 | softa->ipf_auth_pkts[i] = NULL; |
| 304 | } |
| 305 | } |
| 306 | KFREES(softa->ipf_auth_pkts, |
| 307 | softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts)); |
| 308 | softa->ipf_auth_pkts = NULL; |
| 309 | } |
| 310 | |
| 311 | faep = &softa->ipf_auth_entries; |
| 312 | while ((fae = *faep) != NULL) { |
| 313 | *faep = fae->fae_next; |
| 314 | KFREE(fae); |
| 315 | } |
| 316 | softa->ipf_auth_ip = NULL; |
| 317 | |
| 318 | if (softa->ipf_auth_rules != NULL) { |
| 319 | for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { |
| 320 | if (fr->fr_ref == 1) { |
| 321 | *frp = fr->fr_next; |
| 322 | MUTEX_DESTROY(&fr->fr_lock); |
| 323 | KFREE(fr); |
| 324 | } else |
| 325 | frp = &fr->fr_next; |
| 326 | } |
| 327 | } |
| 328 | |
| 329 | return 0; |
| 330 | } |
| 331 | |
| 332 | |
| 333 | /* ------------------------------------------------------------------------ */ |
| 334 | /* Function: ipf_auth_soft_destroy */ |
| 335 | /* Returns: void */ |
| 336 | /* Parameters: softc(I) - pointer to soft context data */ |
| 337 | /* arg(I) - opaque pointer to auth context data */ |
| 338 | /* */ |
| 339 | /* Undo what was done in _create() - i.e. free the soft context data. */ |
| 340 | /* ------------------------------------------------------------------------ */ |
| 341 | void |
| 342 | ipf_auth_soft_destroy(ipf_main_softc_t *softc, void *arg) |
| 343 | { |
| 344 | ipf_auth_softc_t *softa = arg; |
| 345 | |
| 346 | # if SOLARIS && defined(_KERNEL) |
| 347 | cv_destroy(&softa->ipf_auth_wait); |
| 348 | # endif |
| 349 | MUTEX_DESTROY(&softa->ipf_auth_mx); |
| 350 | RW_DESTROY(&softa->ipf_authlk); |
| 351 | |
| 352 | KFREE(softa); |
| 353 | } |
| 354 | |
| 355 | |
| 356 | /* ------------------------------------------------------------------------ */ |
| 357 | /* Function: ipf_auth_setlock */ |
| 358 | /* Returns: void */ |
| 359 | /* Paramters: arg(I) - pointer to soft context data */ |
| 360 | /* tmp(I) - value to assign to auth lock */ |
| 361 | /* */ |
| 362 | /* ------------------------------------------------------------------------ */ |
| 363 | void |
| 364 | ipf_auth_setlock(void *arg, int tmp) |
| 365 | { |
| 366 | ipf_auth_softc_t *softa = arg; |
| 367 | |
| 368 | softa->ipf_auth_lock = tmp; |
| 369 | } |
| 370 | |
| 371 | |
| 372 | /* ------------------------------------------------------------------------ */ |
| 373 | /* Function: ipf_auth_check */ |
| 374 | /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */ |
| 375 | /* Parameters: fin(I) - pointer to ipftoken structure */ |
| 376 | /* passp(I) - pointer to ipfgeniter structure */ |
| 377 | /* */ |
| 378 | /* Check if a packet has authorization. If the packet is found to match an */ |
| 379 | /* authorization result and that would result in a feedback loop (i.e. it */ |
| 380 | /* will end up returning FR_AUTH) then return FR_BLOCK instead. */ |
| 381 | /* ------------------------------------------------------------------------ */ |
| 382 | frentry_t * |
| 383 | ipf_auth_check(fr_info_t *fin, u_32_t *passp) |
| 384 | { |
| 385 | ipf_main_softc_t *softc = fin->fin_main_soft; |
| 386 | ipf_auth_softc_t *softa = softc->ipf_auth_soft; |
| 387 | frentry_t *fr; |
| 388 | frauth_t *fra; |
| 389 | u_32_t pass; |
| 390 | u_short id; |
| 391 | ip_t *ip; |
| 392 | int i; |
| 393 | |
| 394 | if (softa->ipf_auth_lock || !softa->ipf_auth_used) |
| 395 | return NULL; |
| 396 | |
| 397 | ip = fin->fin_ip; |
| 398 | id = ip->ip_id; |
| 399 | |
| 400 | READ_ENTER(&softa->ipf_authlk); |
| 401 | for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) { |
| 402 | /* |
| 403 | * index becomes -2 only after an SIOCAUTHW. Check this in |
| 404 | * case the same packet gets sent again and it hasn't yet been |
| 405 | * auth'd. |
| 406 | */ |
| 407 | fra = softa->ipf_auth + i; |
| 408 | if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) && |
| 409 | !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) { |
| 410 | /* |
| 411 | * Avoid feedback loop. |
| 412 | */ |
| 413 | if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) { |
| 414 | pass = FR_BLOCK; |
| 415 | fin->fin_reason = FRB_AUTHFEEDBACK; |
| 416 | } |
| 417 | /* |
| 418 | * Create a dummy rule for the stateful checking to |
| 419 | * use and return. Zero out any values we don't |
| 420 | * trust from userland! |
| 421 | */ |
| 422 | if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) && |
| 423 | (fin->fin_flx & FI_FRAG))) { |
| 424 | KMALLOC(fr, frentry_t *); |
| 425 | if (fr) { |
| 426 | bcopy((char *)fra->fra_info.fin_fr, |
| 427 | (char *)fr, sizeof(*fr)); |
| 428 | fr->fr_grp = NULL; |
| 429 | fr->fr_ifa = fin->fin_ifp; |
| 430 | fr->fr_func = NULL; |
| 431 | fr->fr_ref = 1; |
| 432 | fr->fr_flags = pass; |
| 433 | fr->fr_ifas[1] = NULL; |
| 434 | fr->fr_ifas[2] = NULL; |
| 435 | fr->fr_ifas[3] = NULL; |
| 436 | MUTEX_INIT(&fr->fr_lock, |
| 437 | "ipf auth rule" ); |
| 438 | } |
| 439 | } else |
| 440 | fr = fra->fra_info.fin_fr; |
| 441 | fin->fin_fr = fr; |
| 442 | fin->fin_flx |= fra->fra_flx; |
| 443 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 444 | |
| 445 | WRITE_ENTER(&softa->ipf_authlk); |
| 446 | /* |
| 447 | * ipf_auth_rules is populated with the rules malloc'd |
| 448 | * above and only those. |
| 449 | */ |
| 450 | if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) { |
| 451 | fr->fr_next = softa->ipf_auth_rules; |
| 452 | softa->ipf_auth_rules = fr; |
| 453 | } |
| 454 | softa->ipf_auth_stats.fas_hits++; |
| 455 | fra->fra_index = -1; |
| 456 | softa->ipf_auth_used--; |
| 457 | softa->ipf_auth_replies--; |
| 458 | if (i == softa->ipf_auth_start) { |
| 459 | while (fra->fra_index == -1) { |
| 460 | i++; |
| 461 | fra++; |
| 462 | if (i == softa->ipf_auth_size) { |
| 463 | i = 0; |
| 464 | fra = softa->ipf_auth; |
| 465 | } |
| 466 | softa->ipf_auth_start = i; |
| 467 | if (i == softa->ipf_auth_end) |
| 468 | break; |
| 469 | } |
| 470 | if (softa->ipf_auth_start == |
| 471 | softa->ipf_auth_end) { |
| 472 | softa->ipf_auth_next = 0; |
| 473 | softa->ipf_auth_start = 0; |
| 474 | softa->ipf_auth_end = 0; |
| 475 | } |
| 476 | } |
| 477 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 478 | if (passp != NULL) |
| 479 | *passp = pass; |
| 480 | softa->ipf_auth_stats.fas_hits++; |
| 481 | return fr; |
| 482 | } |
| 483 | i++; |
| 484 | if (i == softa->ipf_auth_size) |
| 485 | i = 0; |
| 486 | } |
| 487 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 488 | softa->ipf_auth_stats.fas_miss++; |
| 489 | return NULL; |
| 490 | } |
| 491 | |
| 492 | |
| 493 | /* ------------------------------------------------------------------------ */ |
| 494 | /* Function: ipf_auth_new */ |
| 495 | /* Returns: int - 1 == success, 0 = did not put packet on auth queue */ |
| 496 | /* Parameters: m(I) - pointer to mb_t with packet in it */ |
| 497 | /* fin(I) - pointer to packet information */ |
| 498 | /* */ |
| 499 | /* Check if we have room in the auth array to hold details for another */ |
| 500 | /* packet. If we do, store it and wake up any user programs which are */ |
| 501 | /* waiting to hear about these events. */ |
| 502 | /* ------------------------------------------------------------------------ */ |
| 503 | int |
| 504 | ipf_auth_new(mb_t *m, fr_info_t *fin) |
| 505 | { |
| 506 | ipf_main_softc_t *softc = fin->fin_main_soft; |
| 507 | ipf_auth_softc_t *softa = softc->ipf_auth_soft; |
| 508 | #if defined(_KERNEL) && defined(MENTAT) |
| 509 | qpktinfo_t *qpi = fin->fin_qpi; |
| 510 | #endif |
| 511 | frauth_t *fra; |
| 512 | #if !defined(sparc) && !defined(m68k) |
| 513 | ip_t *ip; |
| 514 | #endif |
| 515 | int i; |
| 516 | |
| 517 | if (softa->ipf_auth_lock) |
| 518 | return 0; |
| 519 | |
| 520 | WRITE_ENTER(&softa->ipf_authlk); |
| 521 | if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) == |
| 522 | softa->ipf_auth_start) { |
| 523 | softa->ipf_auth_stats.fas_nospace++; |
| 524 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 525 | return 0; |
| 526 | } |
| 527 | |
| 528 | softa->ipf_auth_stats.fas_added++; |
| 529 | softa->ipf_auth_used++; |
| 530 | i = softa->ipf_auth_end++; |
| 531 | if (softa->ipf_auth_end == softa->ipf_auth_size) |
| 532 | softa->ipf_auth_end = 0; |
| 533 | |
| 534 | fra = softa->ipf_auth + i; |
| 535 | fra->fra_index = i; |
| 536 | if (fin->fin_fr != NULL) |
| 537 | fra->fra_pass = fin->fin_fr->fr_flags; |
| 538 | else |
| 539 | fra->fra_pass = 0; |
| 540 | fra->fra_age = softa->ipf_auth_defaultage; |
| 541 | bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin)); |
| 542 | fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED); |
| 543 | fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED); |
| 544 | #if !defined(sparc) && !defined(m68k) |
| 545 | /* |
| 546 | * No need to copyback here as we want to undo the changes, not keep |
| 547 | * them. |
| 548 | */ |
| 549 | ip = fin->fin_ip; |
| 550 | # if defined(MENTAT) && defined(_KERNEL) |
| 551 | if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4)) |
| 552 | # endif |
| 553 | { |
| 554 | register u_short bo; |
| 555 | |
| 556 | bo = ip->ip_len; |
| 557 | ip->ip_len = htons(bo); |
| 558 | bo = ip->ip_off; |
| 559 | ip->ip_off = htons(bo); |
| 560 | } |
| 561 | #endif |
| 562 | #if SOLARIS && defined(_KERNEL) |
| 563 | COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname); |
| 564 | m->b_rptr -= qpi->qpi_off; |
| 565 | fra->fra_q = qpi->qpi_q; /* The queue can disappear! */ |
| 566 | fra->fra_m = *fin->fin_mp; |
| 567 | fra->fra_info.fin_mp = &fra->fra_m; |
| 568 | softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp; |
| 569 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 570 | cv_signal(&softa->ipf_auth_wait); |
| 571 | pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM); |
| 572 | #else |
| 573 | softa->ipf_auth_pkts[i] = m; |
| 574 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 575 | WAKEUP(&softa->ipf_auth_next, 0); |
| 576 | #endif |
| 577 | return 1; |
| 578 | } |
| 579 | |
| 580 | |
| 581 | /* ------------------------------------------------------------------------ */ |
| 582 | /* Function: ipf_auth_ioctl */ |
| 583 | /* Returns: int - 0 == success, else error */ |
| 584 | /* Parameters: data(IO) - pointer to ioctl data */ |
| 585 | /* cmd(I) - ioctl command */ |
| 586 | /* mode(I) - mode flags associated with open descriptor */ |
| 587 | /* uid(I) - uid associatd with application making the call */ |
| 588 | /* ctx(I) - pointer for context */ |
| 589 | /* */ |
| 590 | /* This function handles all of the ioctls recognised by the auth component */ |
| 591 | /* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */ |
| 592 | /* ------------------------------------------------------------------------ */ |
| 593 | int |
| 594 | ipf_auth_ioctl(ipf_main_softc_t *softc, void *data, ioctlcmd_t cmd, int mode, |
| 595 | int uid, void *ctx) |
| 596 | { |
| 597 | ipf_auth_softc_t *softa = softc->ipf_auth_soft; |
| 598 | int error = 0, i; |
| 599 | SPL_INT(s); |
| 600 | |
| 601 | switch (cmd) |
| 602 | { |
| 603 | case SIOCGENITER : |
| 604 | { |
| 605 | ipftoken_t *token; |
| 606 | ipfgeniter_t iter; |
| 607 | ipfobj_t obj; |
| 608 | |
| 609 | error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER); |
| 610 | if (error != 0) |
| 611 | break; |
| 612 | |
| 613 | SPL_SCHED(s); |
| 614 | token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx); |
| 615 | if (token != NULL) |
| 616 | error = ipf_auth_geniter(softc, token, &iter, &obj); |
| 617 | else { |
| 618 | WRITE_ENTER(&softc->ipf_tokens); |
| 619 | ipf_token_deref(softc, token); |
| 620 | RWLOCK_EXIT(&softc->ipf_tokens); |
| 621 | IPFERROR(10001); |
| 622 | error = ESRCH; |
| 623 | } |
| 624 | SPL_X(s); |
| 625 | |
| 626 | break; |
| 627 | } |
| 628 | |
| 629 | case SIOCADAFR : |
| 630 | case SIOCRMAFR : |
| 631 | if (!(mode & FWRITE)) { |
| 632 | IPFERROR(10002); |
| 633 | error = EPERM; |
| 634 | } else |
| 635 | error = frrequest(softc, IPL_LOGAUTH, cmd, data, |
| 636 | softc->ipf_active, 1); |
| 637 | break; |
| 638 | |
| 639 | case SIOCSTLCK : |
| 640 | if (!(mode & FWRITE)) { |
| 641 | IPFERROR(10003); |
| 642 | error = EPERM; |
| 643 | } else { |
| 644 | error = ipf_lock(data, &softa->ipf_auth_lock); |
| 645 | } |
| 646 | break; |
| 647 | |
| 648 | case SIOCATHST: |
| 649 | softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries; |
| 650 | error = ipf_outobj(softc, data, &softa->ipf_auth_stats, |
| 651 | IPFOBJ_AUTHSTAT); |
| 652 | break; |
| 653 | |
| 654 | case SIOCIPFFL: |
| 655 | SPL_NET(s); |
| 656 | WRITE_ENTER(&softa->ipf_authlk); |
| 657 | i = ipf_auth_flush(softa); |
| 658 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 659 | SPL_X(s); |
| 660 | error = BCOPYOUT(&i, data, sizeof(i)); |
| 661 | if (error != 0) { |
| 662 | IPFERROR(10004); |
| 663 | error = EFAULT; |
| 664 | } |
| 665 | break; |
| 666 | |
| 667 | case SIOCAUTHW: |
| 668 | error = ipf_auth_wait(softc, softa, data); |
| 669 | break; |
| 670 | |
| 671 | case SIOCAUTHR: |
| 672 | error = ipf_auth_reply(softc, softa, data); |
| 673 | break; |
| 674 | |
| 675 | default : |
| 676 | IPFERROR(10005); |
| 677 | error = EINVAL; |
| 678 | break; |
| 679 | } |
| 680 | return error; |
| 681 | } |
| 682 | |
| 683 | |
| 684 | /* ------------------------------------------------------------------------ */ |
| 685 | /* Function: ipf_auth_expire */ |
| 686 | /* Returns: None */ |
| 687 | /* Parameters: None */ |
| 688 | /* */ |
| 689 | /* Slowly expire held auth records. Timeouts are set in expectation of */ |
| 690 | /* this being called twice per second. */ |
| 691 | /* ------------------------------------------------------------------------ */ |
| 692 | void |
| 693 | ipf_auth_expire(ipf_main_softc_t *softc) |
| 694 | { |
| 695 | ipf_auth_softc_t *softa = softc->ipf_auth_soft; |
| 696 | frauthent_t *fae, **faep; |
| 697 | frentry_t *fr, **frp; |
| 698 | frauth_t *fra; |
| 699 | mb_t *m; |
| 700 | int i; |
| 701 | SPL_INT(s); |
| 702 | |
| 703 | if (softa->ipf_auth_lock) |
| 704 | return; |
| 705 | SPL_NET(s); |
| 706 | WRITE_ENTER(&softa->ipf_authlk); |
| 707 | for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size; |
| 708 | i++, fra++) { |
| 709 | fra->fra_age--; |
| 710 | if ((fra->fra_age == 0) && |
| 711 | (softa->ipf_auth[i].fra_index != -1)) { |
| 712 | if ((m = softa->ipf_auth_pkts[i]) != NULL) { |
| 713 | FREE_MB_T(m); |
| 714 | softa->ipf_auth_pkts[i] = NULL; |
| 715 | } else if (softa->ipf_auth[i].fra_index == -2) { |
| 716 | softa->ipf_auth_replies--; |
| 717 | } |
| 718 | softa->ipf_auth[i].fra_index = -1; |
| 719 | softa->ipf_auth_stats.fas_expire++; |
| 720 | softa->ipf_auth_used--; |
| 721 | } |
| 722 | } |
| 723 | |
| 724 | /* |
| 725 | * Expire pre-auth rules |
| 726 | */ |
| 727 | for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { |
| 728 | fae->fae_age--; |
| 729 | if (fae->fae_age == 0) { |
| 730 | ipf_auth_deref(&fae); |
| 731 | softa->ipf_auth_stats.fas_expire++; |
| 732 | } else |
| 733 | faep = &fae->fae_next; |
| 734 | } |
| 735 | if (softa->ipf_auth_entries != NULL) |
| 736 | softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; |
| 737 | else |
| 738 | softa->ipf_auth_ip = NULL; |
| 739 | |
| 740 | for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) { |
| 741 | if (fr->fr_ref == 1) { |
| 742 | *frp = fr->fr_next; |
| 743 | MUTEX_DESTROY(&fr->fr_lock); |
| 744 | KFREE(fr); |
| 745 | } else |
| 746 | frp = &fr->fr_next; |
| 747 | } |
| 748 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 749 | SPL_X(s); |
| 750 | } |
| 751 | |
| 752 | |
| 753 | /* ------------------------------------------------------------------------ */ |
| 754 | /* Function: ipf_auth_precmd */ |
| 755 | /* Returns: int - 0 == success, else error */ |
| 756 | /* Parameters: cmd(I) - ioctl command for rule */ |
| 757 | /* fr(I) - pointer to ipf rule */ |
| 758 | /* fptr(I) - pointer to caller's 'fr' */ |
| 759 | /* */ |
| 760 | /* ------------------------------------------------------------------------ */ |
| 761 | int |
| 762 | ipf_auth_precmd(ipf_main_softc_t *softc, ioctlcmd_t cmd, frentry_t *fr, |
| 763 | frentry_t **frptr) |
| 764 | { |
| 765 | ipf_auth_softc_t *softa = softc->ipf_auth_soft; |
| 766 | frauthent_t *fae, **faep; |
| 767 | int error = 0; |
| 768 | SPL_INT(s); |
| 769 | |
| 770 | if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) { |
| 771 | IPFERROR(10006); |
| 772 | return EIO; |
| 773 | } |
| 774 | |
| 775 | for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) { |
| 776 | if (&fae->fae_fr == fr) |
| 777 | break; |
| 778 | else |
| 779 | faep = &fae->fae_next; |
| 780 | } |
| 781 | |
| 782 | if (cmd == (ioctlcmd_t)SIOCRMAFR) { |
| 783 | if (fr == NULL || frptr == NULL) { |
| 784 | IPFERROR(10007); |
| 785 | error = EINVAL; |
| 786 | |
| 787 | } else if (fae == NULL) { |
| 788 | IPFERROR(10008); |
| 789 | error = ESRCH; |
| 790 | |
| 791 | } else { |
| 792 | SPL_NET(s); |
| 793 | WRITE_ENTER(&softa->ipf_authlk); |
| 794 | *faep = fae->fae_next; |
| 795 | if (softa->ipf_auth_ip == &fae->fae_fr) |
| 796 | softa->ipf_auth_ip = softa->ipf_auth_entries ? |
| 797 | &softa->ipf_auth_entries->fae_fr : NULL; |
| 798 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 799 | SPL_X(s); |
| 800 | |
| 801 | KFREE(fae); |
| 802 | } |
| 803 | } else if (fr != NULL && frptr != NULL) { |
| 804 | KMALLOC(fae, frauthent_t *); |
| 805 | if (fae != NULL) { |
| 806 | bcopy((char *)fr, (char *)&fae->fae_fr, |
| 807 | sizeof(*fr)); |
| 808 | SPL_NET(s); |
| 809 | WRITE_ENTER(&softa->ipf_authlk); |
| 810 | fae->fae_age = softa->ipf_auth_defaultage; |
| 811 | fae->fae_fr.fr_hits = 0; |
| 812 | fae->fae_fr.fr_next = *frptr; |
| 813 | fae->fae_ref = 1; |
| 814 | *frptr = &fae->fae_fr; |
| 815 | fae->fae_next = *faep; |
| 816 | *faep = fae; |
| 817 | softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr; |
| 818 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 819 | SPL_X(s); |
| 820 | } else { |
| 821 | IPFERROR(10009); |
| 822 | error = ENOMEM; |
| 823 | } |
| 824 | } else { |
| 825 | IPFERROR(10010); |
| 826 | error = EINVAL; |
| 827 | } |
| 828 | return error; |
| 829 | } |
| 830 | |
| 831 | |
| 832 | /* ------------------------------------------------------------------------ */ |
| 833 | /* Function: ipf_auth_flush */ |
| 834 | /* Returns: int - number of auth entries flushed */ |
| 835 | /* Parameters: None */ |
| 836 | /* Locks: WRITE(ipf_authlk) */ |
| 837 | /* */ |
| 838 | /* This function flushs the ipf_auth_pkts array of any packet data with */ |
| 839 | /* references still there. */ |
| 840 | /* It is expected that the caller has already acquired the correct locks or */ |
| 841 | /* set the priority level correctly for this to block out other code paths */ |
| 842 | /* into these data structures. */ |
| 843 | /* ------------------------------------------------------------------------ */ |
| 844 | static int |
| 845 | ipf_auth_flush(void *arg) |
| 846 | { |
| 847 | ipf_auth_softc_t *softa = arg; |
| 848 | int i, num_flushed; |
| 849 | mb_t *m; |
| 850 | |
| 851 | if (softa->ipf_auth_lock) |
| 852 | return -1; |
| 853 | |
| 854 | num_flushed = 0; |
| 855 | |
| 856 | for (i = 0 ; i < softa->ipf_auth_size; i++) { |
| 857 | if (softa->ipf_auth[i].fra_index != -1) { |
| 858 | m = softa->ipf_auth_pkts[i]; |
| 859 | if (m != NULL) { |
| 860 | FREE_MB_T(m); |
| 861 | softa->ipf_auth_pkts[i] = NULL; |
| 862 | } |
| 863 | |
| 864 | softa->ipf_auth[i].fra_index = -1; |
| 865 | /* perhaps add & use a flush counter inst.*/ |
| 866 | softa->ipf_auth_stats.fas_expire++; |
| 867 | num_flushed++; |
| 868 | } |
| 869 | } |
| 870 | |
| 871 | softa->ipf_auth_start = 0; |
| 872 | softa->ipf_auth_end = 0; |
| 873 | softa->ipf_auth_next = 0; |
| 874 | softa->ipf_auth_used = 0; |
| 875 | softa->ipf_auth_replies = 0; |
| 876 | |
| 877 | return num_flushed; |
| 878 | } |
| 879 | |
| 880 | |
| 881 | /* ------------------------------------------------------------------------ */ |
| 882 | /* Function: ipf_auth_waiting */ |
| 883 | /* Returns: int - number of packets in the auth queue */ |
| 884 | /* Parameters: None */ |
| 885 | /* */ |
| 886 | /* Simple truth check to see if there are any packets waiting in the auth */ |
| 887 | /* queue. */ |
| 888 | /* ------------------------------------------------------------------------ */ |
| 889 | int |
| 890 | ipf_auth_waiting(ipf_main_softc_t *softc) |
| 891 | { |
| 892 | ipf_auth_softc_t *softa = softc->ipf_auth_soft; |
| 893 | |
| 894 | return (softa->ipf_auth_used != 0); |
| 895 | } |
| 896 | |
| 897 | |
| 898 | /* ------------------------------------------------------------------------ */ |
| 899 | /* Function: ipf_auth_geniter */ |
| 900 | /* Returns: int - 0 == success, else error */ |
| 901 | /* Parameters: token(I) - pointer to ipftoken structure */ |
| 902 | /* itp(I) - pointer to ipfgeniter structure */ |
| 903 | /* objp(I) - pointer to ipf object destription */ |
| 904 | /* */ |
| 905 | /* Iterate through the list of entries in the auth queue list. */ |
| 906 | /* objp is used here to get the location of where to do the copy out to. */ |
| 907 | /* Stomping over various fields with new information will not harm anything */ |
| 908 | /* ------------------------------------------------------------------------ */ |
| 909 | static int |
| 910 | ipf_auth_geniter(ipf_main_softc_t *softc, ipftoken_t *token, ipfgeniter_t *itp, |
| 911 | ipfobj_t *objp) |
| 912 | { |
| 913 | ipf_auth_softc_t *softa = softc->ipf_auth_soft; |
| 914 | frauthent_t *fae, *next, zero; |
| 915 | int error; |
| 916 | |
| 917 | if (itp->igi_data == NULL) { |
| 918 | IPFERROR(10011); |
| 919 | return EFAULT; |
| 920 | } |
| 921 | |
| 922 | if (itp->igi_type != IPFGENITER_AUTH) { |
| 923 | IPFERROR(10012); |
| 924 | return EINVAL; |
| 925 | } |
| 926 | |
| 927 | objp->ipfo_type = IPFOBJ_FRAUTH; |
| 928 | objp->ipfo_ptr = itp->igi_data; |
| 929 | objp->ipfo_size = sizeof(frauth_t); |
| 930 | |
| 931 | READ_ENTER(&softa->ipf_authlk); |
| 932 | |
| 933 | fae = token->ipt_data; |
| 934 | if (fae == NULL) { |
| 935 | next = softa->ipf_auth_entries; |
| 936 | } else { |
| 937 | next = fae->fae_next; |
| 938 | } |
| 939 | |
| 940 | /* |
| 941 | * If we found an auth entry to use, bump its reference count |
| 942 | * so that it can be used for is_next when we come back. |
| 943 | */ |
| 944 | if (next != NULL) { |
| 945 | ATOMIC_INC(next->fae_ref); |
| 946 | token->ipt_data = next; |
| 947 | } else { |
| 948 | bzero(&zero, sizeof(zero)); |
| 949 | next = &zero; |
| 950 | token->ipt_data = NULL; |
| 951 | } |
| 952 | |
| 953 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 954 | |
| 955 | error = ipf_outobjk(softc, objp, next); |
| 956 | if (fae != NULL) |
| 957 | ipf_auth_deref_unlocked(softa, &fae); |
| 958 | |
| 959 | if (next->fae_next == NULL) |
| 960 | ipf_token_mark_complete(token); |
| 961 | return error; |
| 962 | } |
| 963 | |
| 964 | |
| 965 | /* ------------------------------------------------------------------------ */ |
| 966 | /* Function: ipf_auth_deref_unlocked */ |
| 967 | /* Returns: None */ |
| 968 | /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ |
| 969 | /* */ |
| 970 | /* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */ |
| 971 | /* held. */ |
| 972 | /* ------------------------------------------------------------------------ */ |
| 973 | static void |
| 974 | ipf_auth_deref_unlocked(ipf_auth_softc_t *softa, frauthent_t **faep) |
| 975 | { |
| 976 | WRITE_ENTER(&softa->ipf_authlk); |
| 977 | ipf_auth_deref(faep); |
| 978 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 979 | } |
| 980 | |
| 981 | |
| 982 | /* ------------------------------------------------------------------------ */ |
| 983 | /* Function: ipf_auth_deref */ |
| 984 | /* Returns: None */ |
| 985 | /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */ |
| 986 | /* Locks: WRITE(ipf_authlk) */ |
| 987 | /* */ |
| 988 | /* This function unconditionally sets the pointer in the caller to NULL, */ |
| 989 | /* to make it clear that it should no longer use that pointer, and drops */ |
| 990 | /* the reference count on the structure by 1. If it reaches 0, free it up. */ |
| 991 | /* ------------------------------------------------------------------------ */ |
| 992 | static void |
| 993 | ipf_auth_deref(frauthent_t **faep) |
| 994 | { |
| 995 | frauthent_t *fae; |
| 996 | |
| 997 | fae = *faep; |
| 998 | *faep = NULL; |
| 999 | |
| 1000 | fae->fae_ref--; |
| 1001 | if (fae->fae_ref == 0) { |
| 1002 | KFREE(fae); |
| 1003 | } |
| 1004 | } |
| 1005 | |
| 1006 | |
| 1007 | /* ------------------------------------------------------------------------ */ |
| 1008 | /* Function: ipf_auth_wait_pkt */ |
| 1009 | /* Returns: int - 0 == success, else error */ |
| 1010 | /* Parameters: data(I) - pointer to data from ioctl call */ |
| 1011 | /* */ |
| 1012 | /* This function is called when an application is waiting for a packet to */ |
| 1013 | /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */ |
| 1014 | /* a packet waiting on the queue then we will return that _one_ immediately.*/ |
| 1015 | /* If there are no packets present in the queue (ipf_auth_pkts) then we go */ |
| 1016 | /* to sleep. */ |
| 1017 | /* ------------------------------------------------------------------------ */ |
| 1018 | static int |
| 1019 | ipf_auth_wait(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data) |
| 1020 | { |
| 1021 | frauth_t auth, *au = &auth; |
| 1022 | int error, len, i; |
| 1023 | mb_t *m; |
| 1024 | char *t; |
| 1025 | SPL_INT(s); |
| 1026 | |
| 1027 | ipf_auth_ioctlloop: |
| 1028 | error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH); |
| 1029 | if (error != 0) |
| 1030 | return error; |
| 1031 | |
| 1032 | /* |
| 1033 | * XXX Locks are held below over calls to copyout...a better |
| 1034 | * solution needs to be found so this isn't necessary. The situation |
| 1035 | * we are trying to guard against here is an error in the copyout |
| 1036 | * steps should not cause the packet to "disappear" from the queue. |
| 1037 | */ |
| 1038 | SPL_NET(s); |
| 1039 | READ_ENTER(&softa->ipf_authlk); |
| 1040 | |
| 1041 | /* |
| 1042 | * If ipf_auth_next is not equal to ipf_auth_end it will be because |
| 1043 | * there is a packet waiting to be delt with in the ipf_auth_pkts |
| 1044 | * array. We copy as much of that out to user space as requested. |
| 1045 | */ |
| 1046 | if (softa->ipf_auth_used > 0) { |
| 1047 | while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) { |
| 1048 | softa->ipf_auth_next++; |
| 1049 | if (softa->ipf_auth_next == softa->ipf_auth_size) |
| 1050 | softa->ipf_auth_next = 0; |
| 1051 | } |
| 1052 | |
| 1053 | error = ipf_outobj(softc, data, |
| 1054 | &softa->ipf_auth[softa->ipf_auth_next], |
| 1055 | IPFOBJ_FRAUTH); |
| 1056 | if (error != 0) { |
| 1057 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 1058 | SPL_X(s); |
| 1059 | return error; |
| 1060 | } |
| 1061 | |
| 1062 | if (auth.fra_len != 0 && auth.fra_buf != NULL) { |
| 1063 | /* |
| 1064 | * Copy packet contents out to user space if |
| 1065 | * requested. Bail on an error. |
| 1066 | */ |
| 1067 | m = softa->ipf_auth_pkts[softa->ipf_auth_next]; |
| 1068 | len = MSGDSIZE(m); |
| 1069 | if (len > auth.fra_len) |
| 1070 | len = auth.fra_len; |
| 1071 | auth.fra_len = len; |
| 1072 | |
| 1073 | for (t = auth.fra_buf; m && (len > 0); ) { |
| 1074 | i = MIN(M_LEN(m), len); |
| 1075 | error = copyoutptr(softc, MTOD(m, char *), |
| 1076 | &t, i); |
| 1077 | len -= i; |
| 1078 | t += i; |
| 1079 | if (error != 0) { |
| 1080 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 1081 | SPL_X(s); |
| 1082 | return error; |
| 1083 | } |
| 1084 | m = m->m_next; |
| 1085 | } |
| 1086 | } |
| 1087 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 1088 | |
| 1089 | SPL_NET(s); |
| 1090 | WRITE_ENTER(&softa->ipf_authlk); |
| 1091 | softa->ipf_auth_next++; |
| 1092 | if (softa->ipf_auth_next == softa->ipf_auth_size) |
| 1093 | softa->ipf_auth_next = 0; |
| 1094 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 1095 | SPL_X(s); |
| 1096 | |
| 1097 | return 0; |
| 1098 | } |
| 1099 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 1100 | SPL_X(s); |
| 1101 | |
| 1102 | MUTEX_ENTER(&softa->ipf_auth_mx); |
| 1103 | #ifdef _KERNEL |
| 1104 | # if SOLARIS |
| 1105 | error = 0; |
| 1106 | if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) { |
| 1107 | IPFERROR(10014); |
| 1108 | error = EINTR; |
| 1109 | } |
| 1110 | # else /* SOLARIS */ |
| 1111 | # ifdef __hpux |
| 1112 | { |
| 1113 | lock_t *l; |
| 1114 | |
| 1115 | l = get_sleep_lock(&softa->ipf_auth_next); |
| 1116 | error = sleep(&softa->ipf_auth_next, PZERO+1); |
| 1117 | spinunlock(l); |
| 1118 | } |
| 1119 | # else |
| 1120 | # ifdef __osf__ |
| 1121 | error = mpsleep(&softa->ipf_auth_next, PSUSP|PCATCH, "ipf_auth_next" , |
| 1122 | 0, &softa->ipf_auth_mx, MS_LOCK_SIMPLE); |
| 1123 | # else |
| 1124 | error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next" ); |
| 1125 | # endif /* __osf__ */ |
| 1126 | # endif /* __hpux */ |
| 1127 | # endif /* SOLARIS */ |
| 1128 | #endif |
| 1129 | MUTEX_EXIT(&softa->ipf_auth_mx); |
| 1130 | if (error == 0) |
| 1131 | goto ipf_auth_ioctlloop; |
| 1132 | return error; |
| 1133 | } |
| 1134 | |
| 1135 | |
| 1136 | /* ------------------------------------------------------------------------ */ |
| 1137 | /* Function: ipf_auth_reply */ |
| 1138 | /* Returns: int - 0 == success, else error */ |
| 1139 | /* Parameters: data(I) - pointer to data from ioctl call */ |
| 1140 | /* */ |
| 1141 | /* This function is called by an application when it wants to return a */ |
| 1142 | /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */ |
| 1143 | /* received information using an SIOCAUTHW. The decision returned in the */ |
| 1144 | /* form of flags, the same as those used in each rule. */ |
| 1145 | /* ------------------------------------------------------------------------ */ |
| 1146 | static int |
| 1147 | ipf_auth_reply(ipf_main_softc_t *softc, ipf_auth_softc_t *softa, char *data) |
| 1148 | { |
| 1149 | frauth_t auth, *au = &auth, *fra; |
| 1150 | fr_info_t fin; |
| 1151 | int error, i; |
| 1152 | #ifdef _KERNEL |
| 1153 | mb_t *m; |
| 1154 | #endif |
| 1155 | SPL_INT(s); |
| 1156 | |
| 1157 | error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH); |
| 1158 | if (error != 0) |
| 1159 | return error; |
| 1160 | |
| 1161 | SPL_NET(s); |
| 1162 | WRITE_ENTER(&softa->ipf_authlk); |
| 1163 | |
| 1164 | i = au->fra_index; |
| 1165 | fra = softa->ipf_auth + i; |
| 1166 | error = 0; |
| 1167 | |
| 1168 | /* |
| 1169 | * Check the validity of the information being returned with two simple |
| 1170 | * checks. First, the auth index value should be within the size of |
| 1171 | * the array and second the packet id being returned should also match. |
| 1172 | */ |
| 1173 | if ((i < 0) || (i >= softa->ipf_auth_size)) { |
| 1174 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 1175 | SPL_X(s); |
| 1176 | IPFERROR(10015); |
| 1177 | return ESRCH; |
| 1178 | } |
| 1179 | if (fra->fra_info.fin_id != au->fra_info.fin_id) { |
| 1180 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 1181 | SPL_X(s); |
| 1182 | IPFERROR(10019); |
| 1183 | return ESRCH; |
| 1184 | } |
| 1185 | |
| 1186 | fra->fra_index = -2; |
| 1187 | fra->fra_pass = au->fra_pass; |
| 1188 | #ifdef _KERNEL |
| 1189 | m = softa->ipf_auth_pkts[i]; |
| 1190 | #endif |
| 1191 | softa->ipf_auth_pkts[i] = NULL; |
| 1192 | softa->ipf_auth_replies++; |
| 1193 | bcopy(&fra->fra_info, &fin, sizeof(fin)); |
| 1194 | |
| 1195 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 1196 | |
| 1197 | /* |
| 1198 | * Re-insert the packet back into the packet stream flowing through |
| 1199 | * the kernel in a manner that will mean IPFilter sees the packet |
| 1200 | * again. This is not the same as is done with fastroute, |
| 1201 | * deliberately, as we want to resume the normal packet processing |
| 1202 | * path for it. |
| 1203 | */ |
| 1204 | #ifdef _KERNEL |
| 1205 | if ((m != NULL) && (au->fra_info.fin_out != 0)) { |
| 1206 | error = ipf_inject(&fin, m); |
| 1207 | if (error != 0) { |
| 1208 | IPFERROR(10016); |
| 1209 | error = ENOBUFS; |
| 1210 | softa->ipf_auth_stats.fas_sendfail++; |
| 1211 | } else { |
| 1212 | softa->ipf_auth_stats.fas_sendok++; |
| 1213 | } |
| 1214 | } else if (m) { |
| 1215 | error = ipf_inject(&fin, m); |
| 1216 | if (error != 0) { |
| 1217 | IPFERROR(10017); |
| 1218 | error = ENOBUFS; |
| 1219 | softa->ipf_auth_stats.fas_quefail++; |
| 1220 | } else { |
| 1221 | softa->ipf_auth_stats.fas_queok++; |
| 1222 | } |
| 1223 | } else { |
| 1224 | IPFERROR(10018); |
| 1225 | error = EINVAL; |
| 1226 | } |
| 1227 | |
| 1228 | /* |
| 1229 | * If we experience an error which will result in the packet |
| 1230 | * not being processed, make sure we advance to the next one. |
| 1231 | */ |
| 1232 | if (error == ENOBUFS) { |
| 1233 | WRITE_ENTER(&softa->ipf_authlk); |
| 1234 | softa->ipf_auth_used--; |
| 1235 | fra->fra_index = -1; |
| 1236 | fra->fra_pass = 0; |
| 1237 | if (i == softa->ipf_auth_start) { |
| 1238 | while (fra->fra_index == -1) { |
| 1239 | i++; |
| 1240 | if (i == softa->ipf_auth_size) |
| 1241 | i = 0; |
| 1242 | softa->ipf_auth_start = i; |
| 1243 | if (i == softa->ipf_auth_end) |
| 1244 | break; |
| 1245 | } |
| 1246 | if (softa->ipf_auth_start == softa->ipf_auth_end) { |
| 1247 | softa->ipf_auth_next = 0; |
| 1248 | softa->ipf_auth_start = 0; |
| 1249 | softa->ipf_auth_end = 0; |
| 1250 | } |
| 1251 | } |
| 1252 | RWLOCK_EXIT(&softa->ipf_authlk); |
| 1253 | } |
| 1254 | #endif /* _KERNEL */ |
| 1255 | SPL_X(s); |
| 1256 | |
| 1257 | return 0; |
| 1258 | } |
| 1259 | |
| 1260 | |
| 1261 | u_32_t |
| 1262 | ipf_auth_pre_scanlist(ipf_main_softc_t *softc, fr_info_t *fin, u_32_t pass) |
| 1263 | { |
| 1264 | ipf_auth_softc_t *softa = softc->ipf_auth_soft; |
| 1265 | |
| 1266 | if (softa->ipf_auth_ip != NULL) |
| 1267 | return ipf_scanlist(fin, softc->ipf_pass); |
| 1268 | |
| 1269 | return pass; |
| 1270 | } |
| 1271 | |
| 1272 | |
| 1273 | frentry_t ** |
| 1274 | ipf_auth_rulehead(ipf_main_softc_t *softc) |
| 1275 | { |
| 1276 | ipf_auth_softc_t *softa = softc->ipf_auth_soft; |
| 1277 | |
| 1278 | return &softa->ipf_auth_ip; |
| 1279 | } |
| 1280 | |